diff --git a/auditbeat/docs/auditbeat-filtering.asciidoc b/auditbeat/docs/auditbeat-filtering.asciidoc
deleted file mode 100644
index 6919965ac540..000000000000
--- a/auditbeat/docs/auditbeat-filtering.asciidoc
+++ /dev/null
@@ -1,10 +0,0 @@
-[[filtering-and-enhancing-data]]
-== Filter and enhance data with processors
-
-++++
-<titleabbrev>Processors</titleabbrev>
-++++
-
-include::{libbeat-dir}/processors.asciidoc[]
-
-include::{libbeat-dir}/processors-using.asciidoc[]
diff --git a/auditbeat/docs/auditbeat-general-options.asciidoc b/auditbeat/docs/auditbeat-general-options.asciidoc
deleted file mode 100644
index 7aec17cd6095..000000000000
--- a/auditbeat/docs/auditbeat-general-options.asciidoc
+++ /dev/null
@@ -1,11 +0,0 @@
-[[configuration-general-options]]
-== Configure general settings
-
-++++
-<titleabbrev>General settings</titleabbrev>
-++++
-
-You can specify settings in the +{beatname_lc}.yml+ config file to control the
-general behavior of {beatname_uc}.
-
-include::{libbeat-dir}/generalconfig.asciidoc[]
diff --git a/auditbeat/docs/auditbeat-modules-config.asciidoc b/auditbeat/docs/auditbeat-modules-config.asciidoc
deleted file mode 100644
index 2071f156b922..000000000000
--- a/auditbeat/docs/auditbeat-modules-config.asciidoc
+++ /dev/null
@@ -1,35 +0,0 @@
-[id="configuration-{beatname_lc}"]
-== Configure modules
-
-++++
-<titleabbrev>Modules</titleabbrev>
-++++
-
-To enable specific modules you add entries to the `auditbeat.modules` list in
-the +{beatname_lc}.yml+ config file. Each entry in the list begins with a dash
-(-) and is followed by settings for that module.
-
-The following example shows a configuration that runs the `auditd` and
-`file_integrity` modules.
-
-[source,yaml]
-----
-auditbeat.modules:
-
-- module: auditd
-  audit_rules: |
-    -w /etc/passwd -p wa -k identity
-    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
-
-- module: file_integrity
-  paths:
-  - /bin
-  - /usr/bin
-  - /sbin
-  - /usr/sbin
-  - /etc
-----
-
-The configuration details vary by module. See the
-<<{beatname_lc}-modules,module documentation>> for more detail about configuring
-the available modules.
diff --git a/auditbeat/docs/auditbeat-options.asciidoc b/auditbeat/docs/auditbeat-options.asciidoc
deleted file mode 100644
index 8233f79cee1e..000000000000
--- a/auditbeat/docs/auditbeat-options.asciidoc
+++ /dev/null
@@ -1,56 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Auditbeat modules. Make sure you keep the
-//// descriptions generic enough to work for all modules. To include
-//// this file, use:
-////
-//// include::{docdir}/auditbeat-options.asciidoc[]
-////
-//////////////////////////////////////////////////////////////////////////
-
-[id="module-standard-options-{modulename}"]
-[float]
-==== Standard configuration options
-
-You can specify the following options for any {beatname_uc} module. 
-
-*`module`*:: The name of the module to run.
-
-ifeval::["{modulename}"=="system"]
-*`datasets`*:: A list of datasets to execute.
-endif::[]
-
-*`enabled`*:: A Boolean value that specifies whether the module is enabled.
-
-ifeval::["{modulename}"=="system"]
-*`period`*:: The frequency at which the datasets check for changes. If a system
-is not reachable, {beatname_uc} returns an error for each period. This setting
-is required. For most datasets, especially `process` and `socket`, a shorter
-period is recommended.
-endif::[]
-
-*`fields`*:: A dictionary of fields that will be sent with the dataset event. This setting
-is optional.
-
-*`tags`*:: A list of tags that will be sent with the dataset event. This setting is
-optional.
-
-*`processors`*:: A list of processors to apply to the data generated by the dataset.
-+
-See <<filtering-and-enhancing-data>> for information about specifying
-processors in your config.
-
-*`index`*:: If present, this formatted string overrides the index for events from this
-module (for elasticsearch outputs), or sets the `raw_index` field of the event's
-metadata (for other outputs). This string can only refer to the agent name and
-version and the event timestamp; for access to dynamic fields, use
-`output.elasticsearch.index` or a processor.
-+
-Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might
-expand to +"{beatname_lc}-myindex-2019.12.13"+.
-
-*`keep_null`*:: If this option is set to true, fields with `null` values will be published in
-the output document. By default, `keep_null` is set to `false`.
-
-*`service.name`*:: A name given by the user to the service the data is collected from. It can be
-used for example to identify information collected from nodes of different
-clusters with the same `service.type`.
diff --git a/auditbeat/docs/configuring-howto.asciidoc b/auditbeat/docs/configuring-howto.asciidoc
deleted file mode 100644
index a2de4ee5ed61..000000000000
--- a/auditbeat/docs/configuring-howto.asciidoc
+++ /dev/null
@@ -1,70 +0,0 @@
-[id="configuring-howto-{beatname_lc}"]
-= Configure {beatname_uc}
-
-[partintro]
---
-++++
-<titleabbrev>Configure</titleabbrev>
-++++
-
-include::{libbeat-dir}/shared/configuring-intro.asciidoc[]
-
-* <<configuration-{beatname_lc}>>
-* <<configuration-general-options>>
-* <<configuration-path>>
-* <<auditbeat-configuration-reloading>>
-* <<configuring-output>>
-* <<configuration-ssl>>
-* <<ilm>>
-* <<configuration-template>>
-* <<setup-kibana-endpoint>>
-* <<configuration-dashboards>>
-* <<filtering-and-enhancing-data>>
-* <<configuring-internal-queue>>
-* <<configuration-logging>>
-* <<http-endpoint>>
-* <<regexp-support>>
-* <<configuration-instrumentation>>
-* <<configuration-feature-flags>>
-* <<{beatname_lc}-reference-yml>>
-
-After changing configuration settings, you need to restart {beatname_uc} to
-pick up the changes.
-
---
-
-include::./auditbeat-modules-config.asciidoc[]
-
-include::./auditbeat-general-options.asciidoc[]
-
-include::{libbeat-dir}/shared-path-config.asciidoc[]
-
-include::./reload-configuration.asciidoc[]
-
-include::{libbeat-dir}/outputconfig.asciidoc[]
-
-ifndef::no_kerberos[]
-include::{libbeat-dir}/shared-kerberos-config.asciidoc[]
-endif::[]
-
-include::{libbeat-dir}/shared-ssl-config.asciidoc[]
-
-include::{libbeat-dir}/shared-ilm.asciidoc[]
-
-include::{libbeat-dir}/setup-config.asciidoc[]
-
-include::./auditbeat-filtering.asciidoc[]
-
-include::{libbeat-dir}/queueconfig.asciidoc[]
-
-include::{libbeat-dir}/loggingconfig.asciidoc[]
-
-include::{libbeat-dir}/http-endpoint.asciidoc[]
-
-include::{libbeat-dir}/regexp.asciidoc[]
-
-include::{libbeat-dir}/shared-instrumentation.asciidoc[]
-
-include::{libbeat-dir}/shared-feature-flags.asciidoc[]
-
-include::{libbeat-dir}/reference-yml.asciidoc[]
diff --git a/auditbeat/docs/faq-ulimit.asciidoc b/auditbeat/docs/faq-ulimit.asciidoc
deleted file mode 100644
index e234d1c9d958..000000000000
--- a/auditbeat/docs/faq-ulimit.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-[[ulimit]]
-=== {beatname_uc} fails to watch folders because too many files are open
-
-Because of the way file monitoring is implemented on macOS, you may see a
-warning similar to the following:
-
-[source,shell]
-----
-eventreader_fsnotify.go:42: WARN [audit.file] Failed to watch /usr/bin: too many
-open files (check the max number of open files allowed with 'ulimit -a')
-----
-
-To resolve this issue, run {beatname_uc} with the `ulimit` set to a larger
-value, for example:
-
-["source","sh",subs="attributes"]
-----
-sudo sh -c 'ulimit -n 8192 && ./{beatname_uc} -e
-----
-
-Or:
-
-["source","sh",subs="attributes"]
-----
-sudo su
-ulimit -n 8192
-./{beatname_lc} -e
-----
diff --git a/auditbeat/docs/faq.asciidoc b/auditbeat/docs/faq.asciidoc
deleted file mode 100644
index d0f4fbe8235e..000000000000
--- a/auditbeat/docs/faq.asciidoc
+++ /dev/null
@@ -1,12 +0,0 @@
-[[faq]]
-== Common problems
-
-This section describes common problems you might encounter with
-{beatname_uc}. Also check out the
-https://discuss.elastic.co/c/beats/{beatname_lc}[{beatname_uc} discussion forum].
-
-include::./faq-ulimit.asciidoc[]
-
-include::{libbeat-dir}/faq-limit-bandwidth.asciidoc[]
-
-include::{libbeat-dir}/shared-faq.asciidoc[]
diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
deleted file mode 100644
index 9eee5f008fc1..000000000000
--- a/auditbeat/docs/fields.asciidoc
+++ /dev/null
@@ -1,19467 +0,0 @@
-
-////
-This file is generated! See _meta/fields.yml and scripts/generate_fields_docs.py
-////
-
-:edit_url:
-
-[[exported-fields]]
-= Exported fields
-
-[partintro]
-
---
-This document describes the fields that are exported by Auditbeat. They are
-grouped in the following categories:
-
-* <<exported-fields-auditd>>
-* <<exported-fields-beat-common>>
-* <<exported-fields-cloud>>
-* <<exported-fields-common>>
-* <<exported-fields-docker-processor>>
-* <<exported-fields-ecs>>
-* <<exported-fields-file_integrity>>
-* <<exported-fields-host-processor>>
-* <<exported-fields-jolokia-autodiscover>>
-* <<exported-fields-kubernetes-processor>>
-* <<exported-fields-process>>
-* <<exported-fields-system>>
-
---
-[[exported-fields-auditd]]
-== Auditd fields
-
-These are the fields generated by the auditd module.
-
-
-
-*`user.auid`*::
-+
---
-type: alias
-
-alias to: user.audit.id
-
---
-
-*`user.uid`*::
-+
---
-type: alias
-
-alias to: user.id
-
---
-
-*`user.fsuid`*::
-+
---
-type: alias
-
-alias to: user.filesystem.id
-
---
-
-*`user.suid`*::
-+
---
-type: alias
-
-alias to: user.saved.id
-
---
-
-*`user.gid`*::
-+
---
-type: alias
-
-alias to: user.group.id
-
---
-
-*`user.sgid`*::
-+
---
-type: alias
-
-alias to: user.saved.group.id
-
---
-
-*`user.fsgid`*::
-+
---
-type: alias
-
-alias to: user.filesystem.group.id
-
---
-
-[float]
-=== name_map
-
-If `resolve_ids` is set to true in the configuration then `name_map` will contain a mapping of uid field names to the resolved name (e.g. auid -> root).
-
-
-
-*`user.name_map.auid`*::
-+
---
-type: alias
-
-alias to: user.audit.name
-
---
-
-*`user.name_map.uid`*::
-+
---
-type: alias
-
-alias to: user.name
-
---
-
-*`user.name_map.fsuid`*::
-+
---
-type: alias
-
-alias to: user.filesystem.name
-
---
-
-*`user.name_map.suid`*::
-+
---
-type: alias
-
-alias to: user.saved.name
-
---
-
-*`user.name_map.gid`*::
-+
---
-type: alias
-
-alias to: user.group.name
-
---
-
-*`user.name_map.sgid`*::
-+
---
-type: alias
-
-alias to: user.saved.group.name
-
---
-
-*`user.name_map.fsgid`*::
-+
---
-type: alias
-
-alias to: user.filesystem.group.name
-
---
-
-[float]
-=== selinux
-
-The SELinux identity of the actor.
-
-
-*`user.selinux.user`*::
-+
---
-account submitted for authentication
-
-type: keyword
-
---
-
-*`user.selinux.role`*::
-+
---
-user's SELinux role
-
-type: keyword
-
---
-
-*`user.selinux.domain`*::
-+
---
-The actor's SELinux domain or type.
-
-type: keyword
-
---
-
-*`user.selinux.level`*::
-+
---
-The actor's SELinux level.
-
-type: keyword
-
-example: s0
-
---
-
-*`user.selinux.category`*::
-+
---
-The actor's SELinux category or compartments.
-
-type: keyword
-
---
-
-[float]
-=== process
-
-Process attributes.
-
-
-*`process.cwd`*::
-+
---
-The current working directory.
-
-type: alias
-
-alias to: process.working_directory
-
---
-
-[float]
-=== source
-
-Source that triggered the event.
-
-
-*`source.path`*::
-+
---
-This is the path associated with a unix socket.
-
-type: keyword
-
---
-
-[float]
-=== destination
-
-Destination address that triggered the event.
-
-
-*`destination.path`*::
-+
---
-This is the path associated with a unix socket.
-
-type: keyword
-
---
-
-
-*`auditd.message_type`*::
-+
---
-The audit message type (e.g. syscall or apparmor_denied).
-
-
-type: keyword
-
-example: syscall
-
---
-
-*`auditd.sequence`*::
-+
---
-The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can rollover.
-
-
-type: long
-
---
-
-*`auditd.session`*::
-+
---
-The session ID assigned to a login. All events related to a login session will have the same value.
-
-
-type: keyword
-
---
-
-*`auditd.result`*::
-+
---
-The result of the audited operation (success/fail).
-
-type: keyword
-
-example: success or fail
-
---
-
-
-[float]
-=== actor
-
-The actor is the user that triggered the audit event.
-
-
-*`auditd.summary.actor.primary`*::
-+
---
-The primary identity of the actor. This is the actor's original login ID. It will not change even if the user changes to another account.
-
-
-type: keyword
-
---
-
-*`auditd.summary.actor.secondary`*::
-+
---
-The secondary identity of the actor. This is typically the same as the primary, except for when the user has used `su`.
-
-type: keyword
-
---
-
-[float]
-=== object
-
-This is the thing or object being acted upon in the event.
-
-
-
-*`auditd.summary.object.type`*::
-+
---
-A description of the what the "thing" is (e.g. file, socket, user-session).
-
-
-type: keyword
-
---
-
-*`auditd.summary.object.primary`*::
-+
---
-
-
-type: keyword
-
---
-
-*`auditd.summary.object.secondary`*::
-+
---
-
-
-type: keyword
-
---
-
-*`auditd.summary.how`*::
-+
---
-This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.
-
-
-type: keyword
-
---
-
-[float]
-=== paths
-
-List of paths associated with the event.
-
-
-*`auditd.paths.inode`*::
-+
---
-inode number
-
-type: keyword
-
---
-
-*`auditd.paths.dev`*::
-+
---
-device name as found in /dev
-
-type: keyword
-
---
-
-*`auditd.paths.obj_user`*::
-+
---
-
-
-type: keyword
-
---
-
-*`auditd.paths.obj_role`*::
-+
---
-
-
-type: keyword
-
---
-
-*`auditd.paths.obj_domain`*::
-+
---
-
-
-type: keyword
-
---
-
-*`auditd.paths.obj_level`*::
-+
---
-
-
-type: keyword
-
---
-
-*`auditd.paths.objtype`*::
-+
---
-
-
-type: keyword
-
---
-
-*`auditd.paths.ouid`*::
-+
---
-file owner user ID
-
-type: keyword
-
---
-
-*`auditd.paths.rdev`*::
-+
---
-the device identifier (special files only)
-
-type: keyword
-
---
-
-*`auditd.paths.nametype`*::
-+
---
-kind of file operation being referenced
-
-type: keyword
-
---
-
-*`auditd.paths.ogid`*::
-+
---
-file owner group ID
-
-type: keyword
-
---
-
-*`auditd.paths.item`*::
-+
---
-which item is being recorded
-
-type: keyword
-
---
-
-*`auditd.paths.mode`*::
-+
---
-mode flags on a file
-
-type: keyword
-
---
-
-*`auditd.paths.name`*::
-+
---
-file name in avcs
-
-type: keyword
-
---
-
-[float]
-=== data
-
-The data from the audit messages.
-
-
-*`auditd.data.action`*::
-+
---
-netfilter packet disposition
-
-type: keyword
-
---
-
-*`auditd.data.minor`*::
-+
---
-device minor number
-
-type: keyword
-
---
-
-*`auditd.data.acct`*::
-+
---
-a user's account name
-
-type: keyword
-
---
-
-*`auditd.data.addr`*::
-+
---
-the remote address that the user is connecting from
-
-type: keyword
-
---
-
-*`auditd.data.cipher`*::
-+
---
-name of crypto cipher selected
-
-type: keyword
-
---
-
-*`auditd.data.id`*::
-+
---
-during account changes
-
-type: keyword
-
---
-
-*`auditd.data.entries`*::
-+
---
-number of entries in the netfilter table
-
-type: keyword
-
---
-
-*`auditd.data.kind`*::
-+
---
-server or client in crypto operation
-
-type: keyword
-
---
-
-*`auditd.data.ksize`*::
-+
---
-key size for crypto operation
-
-type: keyword
-
---
-
-*`auditd.data.spid`*::
-+
---
-sent process ID
-
-type: keyword
-
---
-
-*`auditd.data.arch`*::
-+
---
-the elf architecture flags
-
-type: keyword
-
---
-
-*`auditd.data.argc`*::
-+
---
-the number of arguments to an execve syscall
-
-type: keyword
-
---
-
-*`auditd.data.major`*::
-+
---
-device major number
-
-type: keyword
-
---
-
-*`auditd.data.unit`*::
-+
---
-systemd unit
-
-type: keyword
-
---
-
-*`auditd.data.table`*::
-+
---
-netfilter table name
-
-type: keyword
-
---
-
-*`auditd.data.terminal`*::
-+
---
-terminal name the user is running programs on
-
-type: keyword
-
---
-
-*`auditd.data.grantors`*::
-+
---
-pam modules approving the action
-
-type: keyword
-
---
-
-*`auditd.data.direction`*::
-+
---
-direction of crypto operation
-
-type: keyword
-
---
-
-*`auditd.data.op`*::
-+
---
-the operation being performed that is audited
-
-type: keyword
-
---
-
-*`auditd.data.tty`*::
-+
---
-tty udevice the user is running programs on
-
-type: keyword
-
---
-
-*`auditd.data.syscall`*::
-+
---
-syscall number in effect when the event occurred
-
-type: keyword
-
---
-
-*`auditd.data.data`*::
-+
---
-TTY text
-
-type: keyword
-
---
-
-*`auditd.data.family`*::
-+
---
-netfilter protocol
-
-type: keyword
-
---
-
-*`auditd.data.mac`*::
-+
---
-crypto MAC algorithm selected
-
-type: keyword
-
---
-
-*`auditd.data.pfs`*::
-+
---
-perfect forward secrecy method
-
-type: keyword
-
---
-
-*`auditd.data.items`*::
-+
---
-the number of path records in the event
-
-type: keyword
-
---
-
-*`auditd.data.a0`*::
-+
---
-
-
-type: keyword
-
---
-
-*`auditd.data.a1`*::
-+
---
-
-
-type: keyword
-
---
-
-*`auditd.data.a2`*::
-+
---
-
-
-type: keyword
-
---
-
-*`auditd.data.a3`*::
-+
---
-
-
-type: keyword
-
---
-
-*`auditd.data.hostname`*::
-+
---
-the hostname that the user is connecting from
-
-type: keyword
-
---
-
-*`auditd.data.lport`*::
-+
---
-local network port
-
-type: keyword
-
---
-
-*`auditd.data.rport`*::
-+
---
-remote port number
-
-type: keyword
-
---
-
-*`auditd.data.exit`*::
-+
---
-syscall exit code
-
-type: keyword
-
---
-
-*`auditd.data.fp`*::
-+
---
-crypto key finger print
-
-type: keyword
-
---
-
-*`auditd.data.laddr`*::
-+
---
-local network address
-
-type: keyword
-
---
-
-*`auditd.data.sport`*::
-+
---
-local port number
-
-type: keyword
-
---
-
-*`auditd.data.capability`*::
-+
---
-posix capabilities
-
-type: keyword
-
---
-
-*`auditd.data.nargs`*::
-+
---
-the number of arguments to a socket call
-
-type: keyword
-
---
-
-*`auditd.data.new-enabled`*::
-+
---
-new TTY audit enabled setting
-
-type: keyword
-
---
-
-*`auditd.data.audit_backlog_limit`*::
-+
---
-audit system's backlog queue size
-
-type: keyword
-
---
-
-*`auditd.data.dir`*::
-+
---
-directory name
-
-type: keyword
-
---
-
-*`auditd.data.cap_pe`*::
-+
---
-process effective capability map
-
-type: keyword
-
---
-
-*`auditd.data.model`*::
-+
---
-security model being used for virt
-
-type: keyword
-
---
-
-*`auditd.data.new_pp`*::
-+
---
-new process permitted capability map
-
-type: keyword
-
---
-
-*`auditd.data.old-enabled`*::
-+
---
-present TTY audit enabled setting
-
-type: keyword
-
---
-
-*`auditd.data.oauid`*::
-+
---
-object's login user ID
-
-type: keyword
-
---
-
-*`auditd.data.old`*::
-+
---
-old value
-
-type: keyword
-
---
-
-*`auditd.data.banners`*::
-+
---
-banners used on printed page
-
-type: keyword
-
---
-
-*`auditd.data.feature`*::
-+
---
-kernel feature being changed
-
-type: keyword
-
---
-
-*`auditd.data.vm-ctx`*::
-+
---
-the vm's context string
-
-type: keyword
-
---
-
-*`auditd.data.opid`*::
-+
---
-object's process ID
-
-type: keyword
-
---
-
-*`auditd.data.seperms`*::
-+
---
-SELinux permissions being used
-
-type: keyword
-
---
-
-*`auditd.data.seresult`*::
-+
---
-SELinux AVC decision granted/denied
-
-type: keyword
-
---
-
-*`auditd.data.new-rng`*::
-+
---
-device name of rng being added from a vm
-
-type: keyword
-
---
-
-*`auditd.data.old-net`*::
-+
---
-present MAC address assigned to vm
-
-type: keyword
-
---
-
-*`auditd.data.sigev_signo`*::
-+
---
-signal number
-
-type: keyword
-
---
-
-*`auditd.data.ino`*::
-+
---
-inode number
-
-type: keyword
-
---
-
-*`auditd.data.old_enforcing`*::
-+
---
-old MAC enforcement status
-
-type: keyword
-
---
-
-*`auditd.data.old-vcpu`*::
-+
---
-present number of CPU cores
-
-type: keyword
-
---
-
-*`auditd.data.range`*::
-+
---
-user's SE Linux range
-
-type: keyword
-
---
-
-*`auditd.data.res`*::
-+
---
-result of the audited operation(success/fail)
-
-type: keyword
-
---
-
-*`auditd.data.added`*::
-+
---
-number of new files detected
-
-type: keyword
-
---
-
-*`auditd.data.fam`*::
-+
---
-socket address family
-
-type: keyword
-
---
-
-*`auditd.data.nlnk-pid`*::
-+
---
-pid of netlink packet sender
-
-type: keyword
-
---
-
-*`auditd.data.subj`*::
-+
---
-lspp subject's context string
-
-type: keyword
-
---
-
-*`auditd.data.a[0-3]`*::
-+
---
-the arguments to a syscall
-
-type: keyword
-
---
-
-*`auditd.data.cgroup`*::
-+
---
-path to cgroup in sysfs
-
-type: keyword
-
---
-
-*`auditd.data.kernel`*::
-+
---
-kernel's version number
-
-type: keyword
-
---
-
-*`auditd.data.ocomm`*::
-+
---
-object's command line name
-
-type: keyword
-
---
-
-*`auditd.data.new-net`*::
-+
---
-MAC address being assigned to vm
-
-type: keyword
-
---
-
-*`auditd.data.permissive`*::
-+
---
-SELinux is in permissive mode
-
-type: keyword
-
---
-
-*`auditd.data.class`*::
-+
---
-resource class assigned to vm
-
-type: keyword
-
---
-
-*`auditd.data.compat`*::
-+
---
-is_compat_task result
-
-type: keyword
-
---
-
-*`auditd.data.fi`*::
-+
---
-file assigned inherited capability map
-
-type: keyword
-
---
-
-*`auditd.data.changed`*::
-+
---
-number of changed files
-
-type: keyword
-
---
-
-*`auditd.data.msg`*::
-+
---
-the payload of the audit record
-
-type: keyword
-
---
-
-*`auditd.data.dport`*::
-+
---
-remote port number
-
-type: keyword
-
---
-
-*`auditd.data.new-seuser`*::
-+
---
-new SELinux user
-
-type: keyword
-
---
-
-*`auditd.data.invalid_context`*::
-+
---
-SELinux context
-
-type: keyword
-
---
-
-*`auditd.data.dmac`*::
-+
---
-remote MAC address
-
-type: keyword
-
---
-
-*`auditd.data.ipx-net`*::
-+
---
-IPX network number
-
-type: keyword
-
---
-
-*`auditd.data.iuid`*::
-+
---
-ipc object's user ID
-
-type: keyword
-
---
-
-*`auditd.data.macproto`*::
-+
---
-ethernet packet type ID field
-
-type: keyword
-
---
-
-*`auditd.data.obj`*::
-+
---
-lspp object context string
-
-type: keyword
-
---
-
-*`auditd.data.ipid`*::
-+
---
-IP datagram fragment identifier
-
-type: keyword
-
---
-
-*`auditd.data.new-fs`*::
-+
---
-file system being added to vm
-
-type: keyword
-
---
-
-*`auditd.data.vm-pid`*::
-+
---
-vm's process ID
-
-type: keyword
-
---
-
-*`auditd.data.cap_pi`*::
-+
---
-process inherited capability map
-
-type: keyword
-
---
-
-*`auditd.data.old-auid`*::
-+
---
-previous auid value
-
-type: keyword
-
---
-
-*`auditd.data.oses`*::
-+
---
-object's session ID
-
-type: keyword
-
---
-
-*`auditd.data.fd`*::
-+
---
-file descriptor number
-
-type: keyword
-
---
-
-*`auditd.data.igid`*::
-+
---
-ipc object's group ID
-
-type: keyword
-
---
-
-*`auditd.data.new-disk`*::
-+
---
-disk being added to vm
-
-type: keyword
-
---
-
-*`auditd.data.parent`*::
-+
---
-the inode number of the parent file
-
-type: keyword
-
---
-
-*`auditd.data.len`*::
-+
---
-length
-
-type: keyword
-
---
-
-*`auditd.data.oflag`*::
-+
---
-open syscall flags
-
-type: keyword
-
---
-
-*`auditd.data.uuid`*::
-+
---
-a UUID
-
-type: keyword
-
---
-
-*`auditd.data.code`*::
-+
---
-seccomp action code
-
-type: keyword
-
---
-
-*`auditd.data.nlnk-grp`*::
-+
---
-netlink group number
-
-type: keyword
-
---
-
-*`auditd.data.cap_fp`*::
-+
---
-file permitted capability map
-
-type: keyword
-
---
-
-*`auditd.data.new-mem`*::
-+
---
-new amount of memory in KB
-
-type: keyword
-
---
-
-*`auditd.data.seperm`*::
-+
---
-SELinux permission being decided on
-
-type: keyword
-
---
-
-*`auditd.data.enforcing`*::
-+
---
-new MAC enforcement status
-
-type: keyword
-
---
-
-*`auditd.data.new-chardev`*::
-+
---
-new character device being assigned to vm
-
-type: keyword
-
---
-
-*`auditd.data.old-rng`*::
-+
---
-device name of rng being removed from a vm
-
-type: keyword
-
---
-
-*`auditd.data.outif`*::
-+
---
-out interface number
-
-type: keyword
-
---
-
-*`auditd.data.cmd`*::
-+
---
-command being executed
-
-type: keyword
-
---
-
-*`auditd.data.hook`*::
-+
---
-netfilter hook that packet came from
-
-type: keyword
-
---
-
-*`auditd.data.new-level`*::
-+
---
-new run level
-
-type: keyword
-
---
-
-*`auditd.data.sauid`*::
-+
---
-sent login user ID
-
-type: keyword
-
---
-
-*`auditd.data.sig`*::
-+
---
-signal number
-
-type: keyword
-
---
-
-*`auditd.data.audit_backlog_wait_time`*::
-+
---
-audit system's backlog wait time
-
-type: keyword
-
---
-
-*`auditd.data.printer`*::
-+
---
-printer name
-
-type: keyword
-
---
-
-*`auditd.data.old-mem`*::
-+
---
-present amount of memory in KB
-
-type: keyword
-
---
-
-*`auditd.data.perm`*::
-+
---
-the file permission being used
-
-type: keyword
-
---
-
-*`auditd.data.old_pi`*::
-+
---
-old process inherited capability map
-
-type: keyword
-
---
-
-*`auditd.data.state`*::
-+
---
-audit daemon configuration resulting state
-
-type: keyword
-
---
-
-*`auditd.data.format`*::
-+
---
-audit log's format
-
-type: keyword
-
---
-
-*`auditd.data.new_gid`*::
-+
---
-new group ID being assigned
-
-type: keyword
-
---
-
-*`auditd.data.tcontext`*::
-+
---
-the target's or object's context string
-
-type: keyword
-
---
-
-*`auditd.data.maj`*::
-+
---
-device major number
-
-type: keyword
-
---
-
-*`auditd.data.watch`*::
-+
---
-file name in a watch record
-
-type: keyword
-
---
-
-*`auditd.data.device`*::
-+
---
-device name
-
-type: keyword
-
---
-
-*`auditd.data.grp`*::
-+
---
-group name
-
-type: keyword
-
---
-
-*`auditd.data.bool`*::
-+
---
-name of SELinux boolean
-
-type: keyword
-
---
-
-*`auditd.data.icmp_type`*::
-+
---
-type of icmp message
-
-type: keyword
-
---
-
-*`auditd.data.new_lock`*::
-+
---
-new value of feature lock
-
-type: keyword
-
---
-
-*`auditd.data.old_prom`*::
-+
---
-network promiscuity flag
-
-type: keyword
-
---
-
-*`auditd.data.acl`*::
-+
---
-access mode of resource assigned to vm
-
-type: keyword
-
---
-
-*`auditd.data.ip`*::
-+
---
-network address of a printer
-
-type: keyword
-
---
-
-*`auditd.data.new_pi`*::
-+
---
-new process inherited capability map
-
-type: keyword
-
---
-
-*`auditd.data.default-context`*::
-+
---
-default MAC context
-
-type: keyword
-
---
-
-*`auditd.data.inode_gid`*::
-+
---
-group ID of the inode's owner
-
-type: keyword
-
---
-
-*`auditd.data.new-log_passwd`*::
-+
---
-new value for TTY password logging
-
-type: keyword
-
---
-
-*`auditd.data.new_pe`*::
-+
---
-new process effective capability map
-
-type: keyword
-
---
-
-*`auditd.data.selected-context`*::
-+
---
-new MAC context assigned to session
-
-type: keyword
-
---
-
-*`auditd.data.cap_fver`*::
-+
---
-file system capabilities version number
-
-type: keyword
-
---
-
-*`auditd.data.file`*::
-+
---
-file name
-
-type: keyword
-
---
-
-*`auditd.data.net`*::
-+
---
-network MAC address
-
-type: keyword
-
---
-
-*`auditd.data.virt`*::
-+
---
-kind of virtualization being referenced
-
-type: keyword
-
---
-
-*`auditd.data.cap_pp`*::
-+
---
-process permitted capability map
-
-type: keyword
-
---
-
-*`auditd.data.old-range`*::
-+
---
-present SELinux range
-
-type: keyword
-
---
-
-*`auditd.data.resrc`*::
-+
---
-resource being assigned
-
-type: keyword
-
---
-
-*`auditd.data.new-range`*::
-+
---
-new SELinux range
-
-type: keyword
-
---
-
-*`auditd.data.obj_gid`*::
-+
---
-group ID of object
-
-type: keyword
-
---
-
-*`auditd.data.proto`*::
-+
---
-network protocol
-
-type: keyword
-
---
-
-*`auditd.data.old-disk`*::
-+
---
-disk being removed from vm
-
-type: keyword
-
---
-
-*`auditd.data.audit_failure`*::
-+
---
-audit system's failure mode
-
-type: keyword
-
---
-
-*`auditd.data.inif`*::
-+
---
-in interface number
-
-type: keyword
-
---
-
-*`auditd.data.vm`*::
-+
---
-virtual machine name
-
-type: keyword
-
---
-
-*`auditd.data.flags`*::
-+
---
-mmap syscall flags
-
-type: keyword
-
---
-
-*`auditd.data.nlnk-fam`*::
-+
---
-netlink protocol number
-
-type: keyword
-
---
-
-*`auditd.data.old-fs`*::
-+
---
-file system being removed from vm
-
-type: keyword
-
---
-
-*`auditd.data.old-ses`*::
-+
---
-previous ses value
-
-type: keyword
-
---
-
-*`auditd.data.seqno`*::
-+
---
-sequence number
-
-type: keyword
-
---
-
-*`auditd.data.fver`*::
-+
---
-file system capabilities version number
-
-type: keyword
-
---
-
-*`auditd.data.qbytes`*::
-+
---
-ipc objects quantity of bytes
-
-type: keyword
-
---
-
-*`auditd.data.seuser`*::
-+
---
-user's SE Linux user acct
-
-type: keyword
-
---
-
-*`auditd.data.cap_fe`*::
-+
---
-file assigned effective capability map
-
-type: keyword
-
---
-
-*`auditd.data.new-vcpu`*::
-+
---
-new number of CPU cores
-
-type: keyword
-
---
-
-*`auditd.data.old-level`*::
-+
---
-old run level
-
-type: keyword
-
---
-
-*`auditd.data.old_pp`*::
-+
---
-old process permitted capability map
-
-type: keyword
-
---
-
-*`auditd.data.daddr`*::
-+
---
-remote IP address
-
-type: keyword
-
---
-
-*`auditd.data.old-role`*::
-+
---
-present SELinux role
-
-type: keyword
-
---
-
-*`auditd.data.ioctlcmd`*::
-+
---
-The request argument to the ioctl syscall
-
-type: keyword
-
---
-
-*`auditd.data.smac`*::
-+
---
-local MAC address
-
-type: keyword
-
---
-
-*`auditd.data.apparmor`*::
-+
---
-apparmor event information
-
-type: keyword
-
---
-
-*`auditd.data.fe`*::
-+
---
-file assigned effective capability map
-
-type: keyword
-
---
-
-*`auditd.data.perm_mask`*::
-+
---
-file permission mask that triggered a watch event
-
-type: keyword
-
---
-
-*`auditd.data.ses`*::
-+
---
-login session ID
-
-type: keyword
-
---
-
-*`auditd.data.cap_fi`*::
-+
---
-file inherited capability map
-
-type: keyword
-
---
-
-*`auditd.data.obj_uid`*::
-+
---
-user ID of object
-
-type: keyword
-
---
-
-*`auditd.data.reason`*::
-+
---
-text string denoting a reason for the action
-
-type: keyword
-
---
-
-*`auditd.data.list`*::
-+
---
-the audit system's filter list number
-
-type: keyword
-
---
-
-*`auditd.data.old_lock`*::
-+
---
-present value of feature lock
-
-type: keyword
-
---
-
-*`auditd.data.bus`*::
-+
---
-name of subsystem bus a vm resource belongs to
-
-type: keyword
-
---
-
-*`auditd.data.old_pe`*::
-+
---
-old process effective capability map
-
-type: keyword
-
---
-
-*`auditd.data.new-role`*::
-+
---
-new SELinux role
-
-type: keyword
-
---
-
-*`auditd.data.prom`*::
-+
---
-network promiscuity flag
-
-type: keyword
-
---
-
-*`auditd.data.uri`*::
-+
---
-URI pointing to a printer
-
-type: keyword
-
---
-
-*`auditd.data.audit_enabled`*::
-+
---
-audit systems's enable/disable status
-
-type: keyword
-
---
-
-*`auditd.data.old-log_passwd`*::
-+
---
-present value for TTY password logging
-
-type: keyword
-
---
-
-*`auditd.data.old-seuser`*::
-+
---
-present SELinux user
-
-type: keyword
-
---
-
-*`auditd.data.per`*::
-+
---
-linux personality
-
-type: keyword
-
---
-
-*`auditd.data.scontext`*::
-+
---
-the subject's context string
-
-type: keyword
-
---
-
-*`auditd.data.tclass`*::
-+
---
-target's object classification
-
-type: keyword
-
---
-
-*`auditd.data.ver`*::
-+
---
-audit daemon's version number
-
-type: keyword
-
---
-
-*`auditd.data.new`*::
-+
---
-value being set in feature
-
-type: keyword
-
---
-
-*`auditd.data.val`*::
-+
---
-generic value associated with the operation
-
-type: keyword
-
---
-
-*`auditd.data.img-ctx`*::
-+
---
-the vm's disk image context string
-
-type: keyword
-
---
-
-*`auditd.data.old-chardev`*::
-+
---
-present character device assigned to vm
-
-type: keyword
-
---
-
-*`auditd.data.old_val`*::
-+
---
-current value of SELinux boolean
-
-type: keyword
-
---
-
-*`auditd.data.success`*::
-+
---
-whether the syscall was successful or not
-
-type: keyword
-
---
-
-*`auditd.data.inode_uid`*::
-+
---
-user ID of the inode's owner
-
-type: keyword
-
---
-
-*`auditd.data.removed`*::
-+
---
-number of deleted files
-
-type: keyword
-
---
-
-
-*`auditd.data.socket.port`*::
-+
---
-The port number.
-
-type: keyword
-
---
-
-*`auditd.data.socket.saddr`*::
-+
---
-The raw socket address structure.
-
-type: keyword
-
---
-
-*`auditd.data.socket.addr`*::
-+
---
-The remote address.
-
-type: keyword
-
---
-
-*`auditd.data.socket.family`*::
-+
---
-The socket family (unix, ipv4, ipv6, netlink).
-
-type: keyword
-
-example: unix
-
---
-
-*`auditd.data.socket.path`*::
-+
---
-This is the path associated with a unix socket.
-
-type: keyword
-
---
-
-*`auditd.messages`*::
-+
---
-An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if `include_raw_message` is set in the config.
-
-
-type: alias
-
-alias to: event.original
-
---
-
-*`auditd.warnings`*::
-+
---
-The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.
-
-
-type: alias
-
-alias to: error.message
-
---
-
-[float]
-=== geoip
-
-The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or an Elasticsearch geoip ingest processor.
-
-
-
-*`geoip.continent_name`*::
-+
---
-The name of the continent.
-
-
-type: keyword
-
---
-
-*`geoip.city_name`*::
-+
---
-The name of the city.
-
-
-type: keyword
-
---
-
-*`geoip.region_name`*::
-+
---
-The name of the region.
-
-
-type: keyword
-
---
-
-*`geoip.country_iso_code`*::
-+
---
-Country ISO code.
-
-
-type: keyword
-
---
-
-*`geoip.location`*::
-+
---
-The longitude and latitude.
-
-
-type: geo_point
-
---
-
-[[exported-fields-beat-common]]
-== Beat fields
-
-Contains common beat fields available in all event types.
-
-
-
-*`agent.hostname`*::
-+
---
-Deprecated - use agent.name or agent.id to identify an agent.
-
-
-type: alias
-
-alias to: agent.name
-
---
-
-*`beat.timezone`*::
-+
---
-type: alias
-
-alias to: event.timezone
-
---
-
-*`fields`*::
-+
---
-Contains user configurable fields.
-
-
-type: object
-
---
-
-*`beat.name`*::
-+
---
-type: alias
-
-alias to: host.name
-
---
-
-*`beat.hostname`*::
-+
---
-type: alias
-
-alias to: agent.name
-
---
-
-*`timeseries.instance`*::
-+
---
-Time series instance id
-
-type: keyword
-
---
-
-[[exported-fields-cloud]]
-== Cloud provider metadata fields
-
-Metadata from cloud providers added by the add_cloud_metadata processor.
-
-
-
-*`cloud.image.id`*::
-+
---
-Image ID for the cloud instance.
-
-
-example: ami-abcd1234
-
---
-
-*`meta.cloud.provider`*::
-+
---
-type: alias
-
-alias to: cloud.provider
-
---
-
-*`meta.cloud.instance_id`*::
-+
---
-type: alias
-
-alias to: cloud.instance.id
-
---
-
-*`meta.cloud.instance_name`*::
-+
---
-type: alias
-
-alias to: cloud.instance.name
-
---
-
-*`meta.cloud.machine_type`*::
-+
---
-type: alias
-
-alias to: cloud.machine.type
-
---
-
-*`meta.cloud.availability_zone`*::
-+
---
-type: alias
-
-alias to: cloud.availability_zone
-
---
-
-*`meta.cloud.project_id`*::
-+
---
-type: alias
-
-alias to: cloud.project.id
-
---
-
-*`meta.cloud.region`*::
-+
---
-type: alias
-
-alias to: cloud.region
-
---
-
-[[exported-fields-common]]
-== Common fields
-
-Contains common fields available in all event types.
-
-
-
-[float]
-=== file
-
-File attributes.
-
-
-*`file.setuid`*::
-+
---
-Set if the file has the `setuid` bit set. Omitted otherwise.
-
-type: boolean
-
-example: True
-
---
-
-*`file.setgid`*::
-+
---
-Set if the file has the `setgid` bit set. Omitted otherwise.
-
-type: boolean
-
-example: True
-
---
-
-*`file.origin`*::
-+
---
-An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.
-
-
-type: keyword
-
---
-
-*`file.origin.text`*::
-+
---
-This is an analyzed field that is useful for full text search on the origin data.
-
-
-type: text
-
---
-
-[float]
-=== selinux
-
-The SELinux identity of the file.
-
-
-*`file.selinux.user`*::
-+
---
-The owner of the object.
-
-type: keyword
-
---
-
-*`file.selinux.role`*::
-+
---
-The object's SELinux role.
-
-type: keyword
-
---
-
-*`file.selinux.domain`*::
-+
---
-The object's SELinux domain or type.
-
-type: keyword
-
---
-
-*`file.selinux.level`*::
-+
---
-The object's SELinux level.
-
-type: keyword
-
-example: s0
-
---
-
-[float]
-=== user
-
-User information.
-
-
-[float]
-=== audit
-
-Audit user information.
-
-
-*`user.audit.id`*::
-+
---
-Audit user ID.
-
-type: keyword
-
---
-
-*`user.audit.name`*::
-+
---
-Audit user name.
-
-type: keyword
-
---
-
-[float]
-=== filesystem
-
-Filesystem user information.
-
-
-*`user.filesystem.id`*::
-+
---
-Filesystem user ID.
-
-type: keyword
-
---
-
-*`user.filesystem.name`*::
-+
---
-Filesystem user name.
-
-type: keyword
-
---
-
-[float]
-=== group
-
-Filesystem group information.
-
-
-*`user.filesystem.group.id`*::
-+
---
-Filesystem group ID.
-
-type: keyword
-
---
-
-*`user.filesystem.group.name`*::
-+
---
-Filesystem group name.
-
-type: keyword
-
---
-
-[float]
-=== saved
-
-Saved user information.
-
-
-*`user.saved.id`*::
-+
---
-Saved user ID.
-
-type: keyword
-
---
-
-*`user.saved.name`*::
-+
---
-Saved user name.
-
-type: keyword
-
---
-
-[float]
-=== group
-
-Saved group information.
-
-
-*`user.saved.group.id`*::
-+
---
-Saved group ID.
-
-type: keyword
-
---
-
-*`user.saved.group.name`*::
-+
---
-Saved group name.
-
-type: keyword
-
---
-
-[[exported-fields-docker-processor]]
-== Docker fields
-
-Docker stats collected from Docker.
-
-
-
-
-*`docker.container.id`*::
-+
---
-type: alias
-
-alias to: container.id
-
---
-
-*`docker.container.image`*::
-+
---
-type: alias
-
-alias to: container.image.name
-
---
-
-*`docker.container.name`*::
-+
---
-type: alias
-
-alias to: container.name
-
---
-
-*`docker.container.labels`*::
-+
---
-Image labels.
-
-
-type: object
-
---
-
-[[exported-fields-ecs]]
-== ECS fields
-
-
-This section defines Elastic Common Schema (ECS) fields—a common set of fields
-to be used when storing event data in {es}.
-
-This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}.
-The goal of ECS is to enable and encourage users of {es} to normalize their event data,
-so that they can better analyze, visualize, and correlate the data represented in their events.
-
-See the {ecs-ref}[ECS reference] for more information.
-
-*`@timestamp`*::
-+
---
-Date/time when the event originated.
-This is the date/time extracted from the event, typically representing when the event was generated by the source.
-If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
-Required field for all events.
-
-type: date
-
-example: 2016-05-23T08:05:34.853Z
-
-required: True
-
---
-
-*`labels`*::
-+
---
-Custom key/value pairs.
-Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
-Example: `docker` and `k8s` labels.
-
-type: object
-
-example: {"application": "foo-bar", "env": "production"}
-
---
-
-*`message`*::
-+
---
-For log events the message field contains the log message, optimized for viewing in a log viewer.
-For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
-If multiple messages exist, they can be combined into one message.
-
-type: match_only_text
-
-example: Hello World
-
---
-
-*`tags`*::
-+
---
-List of keywords used to tag each event.
-
-type: keyword
-
-example: ["production", "env2"]
-
---
-
-[float]
-=== agent
-
-The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.
-Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
-
-
-*`agent.build.original`*::
-+
---
-Extended build information for the agent.
-This field is intended to contain any build information that a data source may provide, no specific formatting is required.
-
-type: keyword
-
-example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]
-
---
-
-*`agent.ephemeral_id`*::
-+
---
-Ephemeral identifier of this agent (if one exists).
-This id normally changes across restarts, but `agent.id` does not.
-
-type: keyword
-
-example: 8a4f500f
-
---
-
-*`agent.id`*::
-+
---
-Unique identifier of this agent (if one exists).
-Example: For Beats this would be beat.id.
-
-type: keyword
-
-example: 8a4f500d
-
---
-
-*`agent.name`*::
-+
---
-Custom name of the agent.
-This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.
-If no name is given, the name is often left empty.
-
-type: keyword
-
-example: foo
-
---
-
-*`agent.type`*::
-+
---
-Type of the agent.
-The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.
-
-type: keyword
-
-example: filebeat
-
---
-
-*`agent.version`*::
-+
---
-Version of the agent.
-
-type: keyword
-
-example: 6.0.0-rc2
-
---
-
-[float]
-=== as
-
-An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
-
-
-*`as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-[float]
-=== client
-
-A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records.
-For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events.
-Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
-
-
-*`client.address`*::
-+
---
-Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
-Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
-
-type: keyword
-
---
-
-*`client.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`client.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`client.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`client.bytes`*::
-+
---
-Bytes sent from the client to the server.
-
-type: long
-
-example: 184
-
-format: bytes
-
---
-
-*`client.domain`*::
-+
---
-The domain name of the client system.
-This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
-
-type: keyword
-
-example: foo.example.com
-
---
-
-*`client.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`client.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`client.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`client.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`client.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`client.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`client.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`client.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`client.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`client.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`client.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`client.ip`*::
-+
---
-IP address of the client (IPv4 or IPv6).
-
-type: ip
-
---
-
-*`client.mac`*::
-+
---
-MAC address of the client.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: 00-00-5E-00-53-23
-
---
-
-*`client.nat.ip`*::
-+
---
-Translated IP of source based NAT sessions (e.g. internal client to internet).
-Typically connections traversing load balancers, firewalls, or routers.
-
-type: ip
-
---
-
-*`client.nat.port`*::
-+
---
-Translated port of source based NAT sessions (e.g. internal client to internet).
-Typically connections traversing load balancers, firewalls, or routers.
-
-type: long
-
-format: string
-
---
-
-*`client.packets`*::
-+
---
-Packets sent from the client to the server.
-
-type: long
-
-example: 12
-
---
-
-*`client.port`*::
-+
---
-Port of the client.
-
-type: long
-
-format: string
-
---
-
-*`client.registered_domain`*::
-+
---
-The highest registered client domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`client.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`client.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`client.user.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`client.user.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`client.user.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`client.user.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`client.user.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`client.user.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`client.user.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`client.user.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`client.user.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`client.user.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`client.user.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`client.user.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-[float]
-=== cloud
-
-Fields related to the cloud or infrastructure the events are coming from.
-
-
-*`cloud.account.id`*::
-+
---
-The cloud account or organization id used to identify different entities in a multi-tenant environment.
-Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
-
-type: keyword
-
-example: 666777888999
-
---
-
-*`cloud.account.name`*::
-+
---
-The cloud account name or alias used to identify different entities in a multi-tenant environment.
-Examples: AWS account name, Google Cloud ORG display name.
-
-type: keyword
-
-example: elastic-dev
-
---
-
-*`cloud.availability_zone`*::
-+
---
-Availability zone in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1c
-
---
-
-*`cloud.instance.id`*::
-+
---
-Instance ID of the host machine.
-
-type: keyword
-
-example: i-1234567890abcdef0
-
---
-
-*`cloud.instance.name`*::
-+
---
-Instance name of the host machine.
-
-type: keyword
-
---
-
-*`cloud.machine.type`*::
-+
---
-Machine type of the host machine.
-
-type: keyword
-
-example: t2.medium
-
---
-
-*`cloud.origin.account.id`*::
-+
---
-The cloud account or organization id used to identify different entities in a multi-tenant environment.
-Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
-
-type: keyword
-
-example: 666777888999
-
---
-
-*`cloud.origin.account.name`*::
-+
---
-The cloud account name or alias used to identify different entities in a multi-tenant environment.
-Examples: AWS account name, Google Cloud ORG display name.
-
-type: keyword
-
-example: elastic-dev
-
---
-
-*`cloud.origin.availability_zone`*::
-+
---
-Availability zone in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1c
-
---
-
-*`cloud.origin.instance.id`*::
-+
---
-Instance ID of the host machine.
-
-type: keyword
-
-example: i-1234567890abcdef0
-
---
-
-*`cloud.origin.instance.name`*::
-+
---
-Instance name of the host machine.
-
-type: keyword
-
---
-
-*`cloud.origin.machine.type`*::
-+
---
-Machine type of the host machine.
-
-type: keyword
-
-example: t2.medium
-
---
-
-*`cloud.origin.project.id`*::
-+
---
-The cloud project identifier.
-Examples: Google Cloud Project id, Azure Project id.
-
-type: keyword
-
-example: my-project
-
---
-
-*`cloud.origin.project.name`*::
-+
---
-The cloud project name.
-Examples: Google Cloud Project name, Azure Project name.
-
-type: keyword
-
-example: my project
-
---
-
-*`cloud.origin.provider`*::
-+
---
-Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-
-type: keyword
-
-example: aws
-
---
-
-*`cloud.origin.region`*::
-+
---
-Region in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1
-
---
-
-*`cloud.origin.service.name`*::
-+
---
-The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.
-Examples: app engine, app service, cloud run, fargate, lambda.
-
-type: keyword
-
-example: lambda
-
---
-
-*`cloud.project.id`*::
-+
---
-The cloud project identifier.
-Examples: Google Cloud Project id, Azure Project id.
-
-type: keyword
-
-example: my-project
-
---
-
-*`cloud.project.name`*::
-+
---
-The cloud project name.
-Examples: Google Cloud Project name, Azure Project name.
-
-type: keyword
-
-example: my project
-
---
-
-*`cloud.provider`*::
-+
---
-Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-
-type: keyword
-
-example: aws
-
---
-
-*`cloud.region`*::
-+
---
-Region in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1
-
---
-
-*`cloud.service.name`*::
-+
---
-The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.
-Examples: app engine, app service, cloud run, fargate, lambda.
-
-type: keyword
-
-example: lambda
-
---
-
-*`cloud.target.account.id`*::
-+
---
-The cloud account or organization id used to identify different entities in a multi-tenant environment.
-Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
-
-type: keyword
-
-example: 666777888999
-
---
-
-*`cloud.target.account.name`*::
-+
---
-The cloud account name or alias used to identify different entities in a multi-tenant environment.
-Examples: AWS account name, Google Cloud ORG display name.
-
-type: keyword
-
-example: elastic-dev
-
---
-
-*`cloud.target.availability_zone`*::
-+
---
-Availability zone in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1c
-
---
-
-*`cloud.target.instance.id`*::
-+
---
-Instance ID of the host machine.
-
-type: keyword
-
-example: i-1234567890abcdef0
-
---
-
-*`cloud.target.instance.name`*::
-+
---
-Instance name of the host machine.
-
-type: keyword
-
---
-
-*`cloud.target.machine.type`*::
-+
---
-Machine type of the host machine.
-
-type: keyword
-
-example: t2.medium
-
---
-
-*`cloud.target.project.id`*::
-+
---
-The cloud project identifier.
-Examples: Google Cloud Project id, Azure Project id.
-
-type: keyword
-
-example: my-project
-
---
-
-*`cloud.target.project.name`*::
-+
---
-The cloud project name.
-Examples: Google Cloud Project name, Azure Project name.
-
-type: keyword
-
-example: my project
-
---
-
-*`cloud.target.provider`*::
-+
---
-Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-
-type: keyword
-
-example: aws
-
---
-
-*`cloud.target.region`*::
-+
---
-Region in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1
-
---
-
-*`cloud.target.service.name`*::
-+
---
-The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.
-Examples: app engine, app service, cloud run, fargate, lambda.
-
-type: keyword
-
-example: lambda
-
---
-
-[float]
-=== code_signature
-
-These fields contain information about binary code signatures.
-
-
-*`code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-[float]
-=== container
-
-Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.
-
-
-*`container.cpu.usage`*::
-+
---
-Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000.
-
-type: scaled_float
-
---
-
-*`container.disk.read.bytes`*::
-+
---
-The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
-
-type: long
-
---
-
-*`container.disk.write.bytes`*::
-+
---
-The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
-
-type: long
-
---
-
-*`container.id`*::
-+
---
-Unique container id.
-
-type: keyword
-
---
-
-*`container.image.name`*::
-+
---
-Name of the image the container was built on.
-
-type: keyword
-
---
-
-*`container.image.tag`*::
-+
---
-Container image tags.
-
-type: keyword
-
---
-
-*`container.labels`*::
-+
---
-Image labels.
-
-type: object
-
---
-
-*`container.memory.usage`*::
-+
---
-Memory usage percentage and it ranges from 0 to 1. Scaling factor: 1000.
-
-type: scaled_float
-
---
-
-*`container.name`*::
-+
---
-Container name.
-
-type: keyword
-
---
-
-*`container.network.egress.bytes`*::
-+
---
-The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.
-
-type: long
-
---
-
-*`container.network.ingress.bytes`*::
-+
---
-The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.
-
-type: long
-
---
-
-*`container.runtime`*::
-+
---
-Runtime managing this container.
-
-type: keyword
-
-example: docker
-
---
-
-[float]
-=== data_stream
-
-The data_stream fields take part in defining the new data stream naming scheme.
-In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post].
-An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].
-
-
-*`data_stream.dataset`*::
-+
---
-The field can contain anything that makes sense to signify the source of the data.
-Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`.
-Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions:
-  * Must not contain `-`
-  * No longer than 100 characters
-
-type: constant_keyword
-
-example: nginx.access
-
---
-
-*`data_stream.namespace`*::
-+
---
-A user defined namespace. Namespaces are useful to allow grouping of data.
-Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`.
-Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions:
-  * Must not contain `-`
-  * No longer than 100 characters
-
-type: constant_keyword
-
-example: production
-
---
-
-*`data_stream.type`*::
-+
---
-An overarching type for the data stream.
-Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
-
-type: constant_keyword
-
-example: logs
-
---
-
-[float]
-=== destination
-
-Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
-Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
-
-
-*`destination.address`*::
-+
---
-Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
-Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
-
-type: keyword
-
---
-
-*`destination.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`destination.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`destination.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`destination.bytes`*::
-+
---
-Bytes sent from the destination to the source.
-
-type: long
-
-example: 184
-
-format: bytes
-
---
-
-*`destination.domain`*::
-+
---
-The domain name of the destination system.
-This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
-
-type: keyword
-
-example: foo.example.com
-
---
-
-*`destination.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`destination.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`destination.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`destination.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`destination.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`destination.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`destination.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`destination.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`destination.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`destination.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`destination.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`destination.ip`*::
-+
---
-IP address of the destination (IPv4 or IPv6).
-
-type: ip
-
---
-
-*`destination.mac`*::
-+
---
-MAC address of the destination.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: 00-00-5E-00-53-23
-
---
-
-*`destination.nat.ip`*::
-+
---
-Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
-Typically used with load balancers, firewalls, or routers.
-
-type: ip
-
---
-
-*`destination.nat.port`*::
-+
---
-Port the source session is translated to by NAT Device.
-Typically used with load balancers, firewalls, or routers.
-
-type: long
-
-format: string
-
---
-
-*`destination.packets`*::
-+
---
-Packets sent from the destination to the source.
-
-type: long
-
-example: 12
-
---
-
-*`destination.port`*::
-+
---
-Port of the destination.
-
-type: long
-
-format: string
-
---
-
-*`destination.registered_domain`*::
-+
---
-The highest registered destination domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`destination.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`destination.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`destination.user.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`destination.user.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`destination.user.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`destination.user.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`destination.user.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`destination.user.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`destination.user.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`destination.user.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`destination.user.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`destination.user.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`destination.user.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`destination.user.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-[float]
-=== dll
-
-These fields contain information about code libraries dynamically loaded into processes.
-
-Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following:
-* Dynamic-link library (`.dll`) commonly used on Windows
-* Shared Object (`.so`) commonly used on Unix-like operating systems
-* Dynamic library (`.dylib`) commonly used on macOS
-
-
-*`dll.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`dll.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`dll.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`dll.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`dll.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`dll.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`dll.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`dll.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`dll.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`dll.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`dll.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`dll.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`dll.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`dll.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`dll.name`*::
-+
---
-Name of the library.
-This generally maps to the name of the file on disk.
-
-type: keyword
-
-example: kernel32.dll
-
---
-
-*`dll.path`*::
-+
---
-Full file path of the library.
-
-type: keyword
-
-example: C:\Windows\System32\kernel32.dll
-
---
-
-*`dll.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`dll.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`dll.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`dll.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`dll.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`dll.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`dll.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-[float]
-=== dns
-
-Fields describing DNS queries and answers.
-DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).
-
-
-*`dns.answers`*::
-+
---
-An array containing an object for each answer section returned by the server.
-The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.
-Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
-
-type: object
-
---
-
-*`dns.answers.class`*::
-+
---
-The class of DNS data contained in this resource record.
-
-type: keyword
-
-example: IN
-
---
-
-*`dns.answers.data`*::
-+
---
-The data describing the resource.
-The meaning of this data depends on the type and class of the resource record.
-
-type: keyword
-
-example: 10.10.10.10
-
---
-
-*`dns.answers.name`*::
-+
---
-The domain name to which this resource record pertains.
-If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`dns.answers.ttl`*::
-+
---
-The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
-
-type: long
-
-example: 180
-
---
-
-*`dns.answers.type`*::
-+
---
-The type of data contained in this resource record.
-
-type: keyword
-
-example: CNAME
-
---
-
-*`dns.header_flags`*::
-+
---
-Array of 2 letter DNS header flags.
-Expected values are: AA, TC, RD, RA, AD, CD, DO.
-
-type: keyword
-
-example: ["RD", "RA"]
-
---
-
-*`dns.id`*::
-+
---
-The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
-
-type: keyword
-
-example: 62111
-
---
-
-*`dns.op_code`*::
-+
---
-The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
-
-type: keyword
-
-example: QUERY
-
---
-
-*`dns.question.class`*::
-+
---
-The class of records being queried.
-
-type: keyword
-
-example: IN
-
---
-
-*`dns.question.name`*::
-+
---
-The name being queried.
-If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`dns.question.registered_domain`*::
-+
---
-The highest registered domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`dns.question.subdomain`*::
-+
---
-The subdomain is all of the labels under the registered_domain.
-If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: www
-
---
-
-*`dns.question.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`dns.question.type`*::
-+
---
-The type of record being queried.
-
-type: keyword
-
-example: AAAA
-
---
-
-*`dns.resolved_ip`*::
-+
---
-Array containing all IPs seen in `answers.data`.
-The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
-
-type: ip
-
-example: ["10.10.10.10", "10.10.10.11"]
-
---
-
-*`dns.response_code`*::
-+
---
-The DNS response code.
-
-type: keyword
-
-example: NOERROR
-
---
-
-*`dns.type`*::
-+
---
-The type of DNS event captured, query or answer.
-If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.
-If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
-
-type: keyword
-
-example: answer
-
---
-
-[float]
-=== ecs
-
-Meta-information specific to ECS.
-
-
-*`ecs.version`*::
-+
---
-ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
-When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
-
-type: keyword
-
-example: 1.0.0
-
-required: True
-
---
-
-[float]
-=== elf
-
-These fields contain Linux Executable Linkable Format (ELF) metadata.
-
-
-*`elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-[float]
-=== error
-
-These fields can represent errors of any kind.
-Use them for errors that happen while fetching events or in cases where the event itself contains an error.
-
-
-*`error.code`*::
-+
---
-Error code describing the error.
-
-type: keyword
-
---
-
-*`error.id`*::
-+
---
-Unique identifier for the error.
-
-type: keyword
-
---
-
-*`error.message`*::
-+
---
-Error message.
-
-type: match_only_text
-
---
-
-*`error.stack_trace`*::
-+
---
-The stack trace of this error in plain text.
-
-type: wildcard
-
---
-
-*`error.stack_trace.text`*::
-+
---
-type: match_only_text
-
---
-
-*`error.type`*::
-+
---
-The type of the error, for example the class name of the exception.
-
-type: keyword
-
-example: java.lang.NullPointerException
-
---
-
-[float]
-=== event
-
-The event fields are used for context information about the log or metric event itself.
-A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.
-
-
-*`event.action`*::
-+
---
-The action captured by the event.
-This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
-
-type: keyword
-
-example: user-password-change
-
---
-
-*`event.agent_id_status`*::
-+
---
-Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation.
-For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used.
-If no validation is performed then the field should be omitted.
-The allowed values are:
-`verified` - The `agent.id` field value matches expected value obtained from auth metadata.
-`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata.
-`missing` - There was no `agent.id` field in the event to validate.
-`auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID.
-
-type: keyword
-
-example: verified
-
---
-
-*`event.category`*::
-+
---
-This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
-`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
-This field is an array. This will allow proper categorization of some events that fall in multiple categories.
-
-type: keyword
-
-example: authentication
-
---
-
-*`event.code`*::
-+
---
-Identification code for this event, if one exists.
-Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
-
-type: keyword
-
-example: 4648
-
---
-
-*`event.created`*::
-+
---
-event.created contains the date/time when the event was first read by an agent, or by your pipeline.
-This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
-In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
-In case the two timestamps are identical, @timestamp should be used.
-
-type: date
-
-example: 2016-05-23T08:05:34.857Z
-
---
-
-*`event.dataset`*::
-+
---
-Name of the dataset.
-If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
-It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
-
-type: keyword
-
-example: apache.access
-
---
-
-*`event.duration`*::
-+
---
-Duration of the event in nanoseconds.
-If event.start and event.end are known this value should be the difference between the end and start time.
-
-type: long
-
-format: duration
-
---
-
-*`event.end`*::
-+
---
-event.end contains the date when the event ended or when the activity was last observed.
-
-type: date
-
---
-
-*`event.hash`*::
-+
---
-Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
-
-type: keyword
-
-example: 123456789012345678901234567890ABCD
-
---
-
-*`event.id`*::
-+
---
-Unique ID to describe the event.
-
-type: keyword
-
-example: 8a4f500d
-
---
-
-*`event.ingested`*::
-+
---
-Timestamp when an event arrived in the central data store.
-This is different from `@timestamp`, which is when the event originally occurred.  It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
-In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
-
-type: date
-
-example: 2016-05-23T08:05:35.101Z
-
---
-
-*`event.kind`*::
-+
---
-This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
-`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
-The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
-
-type: keyword
-
-example: alert
-
---
-
-*`event.module`*::
-+
---
-Name of the module this data is coming from.
-If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.
-
-type: keyword
-
-example: apache
-
---
-
-*`event.original`*::
-+
---
-Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
-This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
-
-type: keyword
-
-example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
-
-Field is not indexed.
-
---
-
-*`event.outcome`*::
-+
---
-This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
-`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
-Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
-Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
-Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
-
-type: keyword
-
-example: success
-
---
-
-*`event.provider`*::
-+
---
-Source of the event.
-Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
-
-type: keyword
-
-example: kernel
-
---
-
-*`event.reason`*::
-+
---
-Reason why this event happened, according to the source.
-This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
-
-type: keyword
-
-example: Terminated an unexpected process
-
---
-
-*`event.reference`*::
-+
---
-Reference URL linking to additional information about this event.
-This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
-
-type: keyword
-
-example: https://system.example.com/event/#0001234
-
---
-
-*`event.risk_score`*::
-+
---
-Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
-
-type: float
-
---
-
-*`event.risk_score_norm`*::
-+
---
-Normalized risk score or priority of the event, on a scale of 0 to 100.
-This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
-
-type: float
-
---
-
-*`event.sequence`*::
-+
---
-Sequence number of the event.
-The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
-
-type: long
-
-format: string
-
---
-
-*`event.severity`*::
-+
---
-The numeric severity of the event according to your event source.
-What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
-The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
-
-type: long
-
-example: 7
-
-format: string
-
---
-
-*`event.start`*::
-+
---
-event.start contains the date when the event started or when the activity was first observed.
-
-type: date
-
---
-
-*`event.timezone`*::
-+
---
-This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
-Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
-
-type: keyword
-
---
-
-*`event.type`*::
-+
---
-This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
-`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
-This field is an array. This will allow proper categorization of some events that fall in multiple event types.
-
-type: keyword
-
---
-
-*`event.url`*::
-+
---
-URL linking to an external system to continue investigation of this event.
-This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
-
-type: keyword
-
-example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
-
---
-
-[float]
-=== faas
-
-The user fields describe information about the function as a service that is relevant to the event.
-
-
-*`faas.coldstart`*::
-+
---
-Boolean value indicating a cold start of a function.
-
-type: boolean
-
---
-
-*`faas.execution`*::
-+
---
-The execution ID of the current function execution.
-
-type: keyword
-
-example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
-
---
-
-*`faas.trigger`*::
-+
---
-Details about the function trigger.
-
-type: nested
-
---
-
-*`faas.trigger.request_id`*::
-+
---
-The ID of the trigger request , message, event, etc.
-
-type: keyword
-
-example: 123456789
-
---
-
-*`faas.trigger.type`*::
-+
---
-The trigger for the function execution.
-Expected values are:
-  * http
-  * pubsub
-  * datasource
-  * timer
-  * other
-
-type: keyword
-
-example: http
-
---
-
-[float]
-=== file
-
-A file is defined as a set of information that has been created on, or has existed on a filesystem.
-File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
-
-
-*`file.accessed`*::
-+
---
-Last time the file was accessed.
-Note that not all filesystems keep track of access time.
-
-type: date
-
---
-
-*`file.attributes`*::
-+
---
-Array of file attributes.
-Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
-
-type: keyword
-
-example: ["readonly", "system"]
-
---
-
-*`file.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`file.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`file.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`file.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`file.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`file.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`file.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`file.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`file.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`file.created`*::
-+
---
-File creation time.
-Note that not all filesystems store the creation time.
-
-type: date
-
---
-
-*`file.ctime`*::
-+
---
-Last time the file attributes or metadata changed.
-Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
-
-type: date
-
---
-
-*`file.device`*::
-+
---
-Device that is the source of the file.
-
-type: keyword
-
-example: sda
-
---
-
-*`file.directory`*::
-+
---
-Directory where the file is located. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice
-
---
-
-*`file.drive_letter`*::
-+
---
-Drive letter where the file is located. This field is only relevant on Windows.
-The value should be uppercase, and not include the colon.
-
-type: keyword
-
-example: C
-
---
-
-*`file.elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`file.elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`file.elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`file.elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`file.elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`file.elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`file.elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`file.elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`file.elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`file.elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`file.elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`file.elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`file.elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`file.elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`file.elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`file.elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`file.elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`file.elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`file.elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`file.elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`file.elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`file.elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`file.elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`file.elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`file.elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`file.elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`file.elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`file.elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`file.elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-*`file.extension`*::
-+
---
-File extension, excluding the leading dot.
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`file.fork_name`*::
-+
---
-A fork is additional data associated with a filesystem object.
-On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.
-On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
-
-type: keyword
-
-example: Zone.Identifer
-
---
-
-*`file.gid`*::
-+
---
-Primary group ID (GID) of the file.
-
-type: keyword
-
-example: 1001
-
---
-
-*`file.group`*::
-+
---
-Primary group name of the file.
-
-type: keyword
-
-example: alice
-
---
-
-*`file.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`file.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`file.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`file.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`file.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`file.inode`*::
-+
---
-Inode representing the file in the filesystem.
-
-type: keyword
-
-example: 256383
-
---
-
-*`file.mime_type`*::
-+
---
-MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
-
-type: keyword
-
---
-
-*`file.mode`*::
-+
---
-Mode of the file in octal representation.
-
-type: keyword
-
-example: 0640
-
---
-
-*`file.mtime`*::
-+
---
-Last time the file content was modified.
-
-type: date
-
---
-
-*`file.name`*::
-+
---
-Name of the file including the extension, without the directory.
-
-type: keyword
-
-example: example.png
-
---
-
-*`file.owner`*::
-+
---
-File owner's username.
-
-type: keyword
-
-example: alice
-
---
-
-*`file.path`*::
-+
---
-Full path to the file, including the file name. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice/example.png
-
---
-
-*`file.path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`file.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`file.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`file.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`file.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`file.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`file.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`file.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-*`file.size`*::
-+
---
-File size in bytes.
-Only relevant when `file.type` is "file".
-
-type: long
-
-example: 16384
-
---
-
-*`file.target_path`*::
-+
---
-Target path for symlinks.
-
-type: keyword
-
---
-
-*`file.target_path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`file.type`*::
-+
---
-File type (file, dir, or symlink).
-
-type: keyword
-
-example: file
-
---
-
-*`file.uid`*::
-+
---
-The user ID (UID) or security identifier (SID) of the file owner.
-
-type: keyword
-
-example: 1001
-
---
-
-*`file.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`file.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`file.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`file.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`file.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`file.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`file.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`file.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`file.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`file.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`file.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`file.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`file.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`file.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`file.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`file.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`file.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`file.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`file.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`file.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`file.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`file.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`file.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`file.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-[float]
-=== geo
-
-Geo fields can carry data about a specific location related to an event.
-This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.
-
-
-*`geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-[float]
-=== group
-
-The group fields are meant to represent groups that are relevant to the event.
-
-
-*`group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-[float]
-=== hash
-
-The hash fields represent different bitwise hash algorithms and their values.
-Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512).
-Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).
-
-
-*`hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-[float]
-=== host
-
-A host is defined as a general computing instance.
-ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
-
-
-*`host.architecture`*::
-+
---
-Operating system architecture.
-
-type: keyword
-
-example: x86_64
-
---
-
-*`host.cpu.usage`*::
-+
---
-Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1.
-Scaling factor: 1000.
-For example: For a two core host, this value should be the average of the two cores, between 0 and 1.
-
-type: scaled_float
-
---
-
-*`host.disk.read.bytes`*::
-+
---
-The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
-
-type: long
-
---
-
-*`host.disk.write.bytes`*::
-+
---
-The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
-
-type: long
-
---
-
-*`host.domain`*::
-+
---
-Name of the domain of which the host is a member.
-For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
-
-type: keyword
-
-example: CONTOSO
-
---
-
-*`host.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`host.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`host.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`host.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`host.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`host.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`host.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`host.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`host.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`host.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`host.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`host.hostname`*::
-+
---
-Hostname of the host.
-It normally contains what the `hostname` command returns on the host machine.
-
-type: keyword
-
---
-
-*`host.id`*::
-+
---
-Unique host id.
-As hostname is not always unique, use values that are meaningful in your environment.
-Example: The current usage of `beat.name`.
-
-type: keyword
-
---
-
-*`host.ip`*::
-+
---
-Host ip addresses.
-
-type: ip
-
---
-
-*`host.mac`*::
-+
---
-Host MAC addresses.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
-
---
-
-*`host.name`*::
-+
---
-Name of the host.
-It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
-
-type: keyword
-
---
-
-*`host.network.egress.bytes`*::
-+
---
-The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.
-
-type: long
-
---
-
-*`host.network.egress.packets`*::
-+
---
-The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.
-
-type: long
-
---
-
-*`host.network.ingress.bytes`*::
-+
---
-The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.
-
-type: long
-
---
-
-*`host.network.ingress.packets`*::
-+
---
-The number of packets (gauge) received on all network interfaces by the host since the last metric collection.
-
-type: long
-
---
-
-*`host.os.family`*::
-+
---
-OS family (such as redhat, debian, freebsd, windows).
-
-type: keyword
-
-example: debian
-
---
-
-*`host.os.full`*::
-+
---
-Operating system name, including the version or code name.
-
-type: keyword
-
-example: Mac OS Mojave
-
---
-
-*`host.os.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`host.os.kernel`*::
-+
---
-Operating system kernel version as a raw string.
-
-type: keyword
-
-example: 4.4.0-112-generic
-
---
-
-*`host.os.name`*::
-+
---
-Operating system name, without the version.
-
-type: keyword
-
-example: Mac OS X
-
---
-
-*`host.os.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`host.os.platform`*::
-+
---
-Operating system platform (such centos, ubuntu, windows).
-
-type: keyword
-
-example: darwin
-
---
-
-*`host.os.type`*::
-+
---
-Use the `os.type` field to categorize the operating system into one of the broad commercial families.
-One of these following values should be used (lowercase): linux, macos, unix, windows.
-If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
-
-type: keyword
-
-example: macos
-
---
-
-*`host.os.version`*::
-+
---
-Operating system version as a raw string.
-
-type: keyword
-
-example: 10.14.1
-
---
-
-*`host.type`*::
-+
---
-Type of host.
-For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
-
-type: keyword
-
---
-
-*`host.uptime`*::
-+
---
-Seconds the host has been up.
-
-type: long
-
-example: 1325
-
---
-
-[float]
-=== http
-
-Fields related to HTTP activity. Use the `url` field set to store the url of the request.
-
-
-*`http.request.body.bytes`*::
-+
---
-Size in bytes of the request body.
-
-type: long
-
-example: 887
-
-format: bytes
-
---
-
-*`http.request.body.content`*::
-+
---
-The full HTTP request body.
-
-type: wildcard
-
-example: Hello world
-
---
-
-*`http.request.body.content.text`*::
-+
---
-type: match_only_text
-
---
-
-*`http.request.bytes`*::
-+
---
-Total size in bytes of the request (body and headers).
-
-type: long
-
-example: 1437
-
-format: bytes
-
---
-
-*`http.request.id`*::
-+
---
-A unique identifier for each HTTP request to correlate logs between clients and servers in transactions.
-The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`.
-
-type: keyword
-
-example: 123e4567-e89b-12d3-a456-426614174000
-
---
-
-*`http.request.method`*::
-+
---
-HTTP request method.
-The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
-
-type: keyword
-
-example: POST
-
---
-
-*`http.request.mime_type`*::
-+
---
-Mime type of the body of the request.
-This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients.
-
-type: keyword
-
-example: image/gif
-
---
-
-*`http.request.referrer`*::
-+
---
-Referrer for this HTTP request.
-
-type: keyword
-
-example: https://blog.example.com/
-
---
-
-*`http.response.body.bytes`*::
-+
---
-Size in bytes of the response body.
-
-type: long
-
-example: 887
-
-format: bytes
-
---
-
-*`http.response.body.content`*::
-+
---
-The full HTTP response body.
-
-type: wildcard
-
-example: Hello world
-
---
-
-*`http.response.body.content.text`*::
-+
---
-type: match_only_text
-
---
-
-*`http.response.bytes`*::
-+
---
-Total size in bytes of the response (body and headers).
-
-type: long
-
-example: 1437
-
-format: bytes
-
---
-
-*`http.response.mime_type`*::
-+
---
-Mime type of the body of the response.
-This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers.
-
-type: keyword
-
-example: image/gif
-
---
-
-*`http.response.status_code`*::
-+
---
-HTTP response status code.
-
-type: long
-
-example: 404
-
-format: string
-
---
-
-*`http.version`*::
-+
---
-HTTP version.
-
-type: keyword
-
-example: 1.1
-
---
-
-[float]
-=== interface
-
-The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection.  In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.
-
-
-*`interface.alias`*::
-+
---
-Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
-
-type: keyword
-
-example: outside
-
---
-
-*`interface.id`*::
-+
---
-Interface ID as reported by an observer (typically SNMP interface ID).
-
-type: keyword
-
-example: 10
-
---
-
-*`interface.name`*::
-+
---
-Interface name as reported by the system.
-
-type: keyword
-
-example: eth0
-
---
-
-[float]
-=== log
-
-Details about the event's logging mechanism or logging transport.
-The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`.
-The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields.
-
-
-*`log.file.path`*::
-+
---
-Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
-If the event wasn't read from a log file, do not populate this field.
-
-type: keyword
-
-example: /var/log/fun-times.log
-
---
-
-*`log.level`*::
-+
---
-Original log level of the log event.
-If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
-Some examples are `warn`, `err`, `i`, `informational`.
-
-type: keyword
-
-example: error
-
---
-
-*`log.logger`*::
-+
---
-The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
-
-type: keyword
-
-example: org.elasticsearch.bootstrap.Bootstrap
-
---
-
-*`log.origin.file.line`*::
-+
---
-The line number of the file containing the source code which originated the log event.
-
-type: long
-
-example: 42
-
---
-
-*`log.origin.file.name`*::
-+
---
-The name of the file containing the source code which originated the log event.
-Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.
-
-type: keyword
-
-example: Bootstrap.java
-
---
-
-*`log.origin.function`*::
-+
---
-The name of the function or method which originated the log event.
-
-type: keyword
-
-example: init
-
---
-
-*`log.syslog`*::
-+
---
-The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
-
-type: object
-
---
-
-*`log.syslog.facility.code`*::
-+
---
-The Syslog numeric facility of the log event, if available.
-According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
-
-type: long
-
-example: 23
-
-format: string
-
---
-
-*`log.syslog.facility.name`*::
-+
---
-The Syslog text-based facility of the log event, if available.
-
-type: keyword
-
-example: local7
-
---
-
-*`log.syslog.priority`*::
-+
---
-Syslog numeric priority of the event, if available.
-According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
-
-type: long
-
-example: 135
-
-format: string
-
---
-
-*`log.syslog.severity.code`*::
-+
---
-The Syslog numeric severity of the log event, if available.
-If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
-
-type: long
-
-example: 3
-
---
-
-*`log.syslog.severity.name`*::
-+
---
-The Syslog numeric severity of the log event, if available.
-If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
-
-type: keyword
-
-example: Error
-
---
-
-[float]
-=== network
-
-The network is defined as the communication path over which a host or network event happens.
-The network.* fields should be populated with details about the network activity associated with an event.
-
-
-*`network.application`*::
-+
---
-When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
-For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
-The field value must be normalized to lowercase for querying.
-
-type: keyword
-
-example: aim
-
---
-
-*`network.bytes`*::
-+
---
-Total bytes transferred in both directions.
-If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
-
-type: long
-
-example: 368
-
-format: bytes
-
---
-
-*`network.community_id`*::
-+
---
-A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
-Learn more at https://github.com/corelight/community-id-spec.
-
-type: keyword
-
-example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
-
---
-
-*`network.direction`*::
-+
---
-Direction of the network traffic.
-Recommended values are:
-  * ingress
-  * egress
-  * inbound
-  * outbound
-  * internal
-  * external
-  * unknown
-
-When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
-When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
-Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
-
-type: keyword
-
-example: inbound
-
---
-
-*`network.forwarded_ip`*::
-+
---
-Host IP address when the source IP address is the proxy.
-
-type: ip
-
-example: 192.1.1.2
-
---
-
-*`network.iana_number`*::
-+
---
-IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
-
-type: keyword
-
-example: 6
-
---
-
-*`network.inner`*::
-+
---
-Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
-
-type: object
-
---
-
-*`network.inner.vlan.id`*::
-+
---
-VLAN ID as reported by the observer.
-
-type: keyword
-
-example: 10
-
---
-
-*`network.inner.vlan.name`*::
-+
---
-Optional VLAN name as reported by the observer.
-
-type: keyword
-
-example: outside
-
---
-
-*`network.name`*::
-+
---
-Name given by operators to sections of their network.
-
-type: keyword
-
-example: Guest Wifi
-
---
-
-*`network.packets`*::
-+
---
-Total packets transferred in both directions.
-If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
-
-type: long
-
-example: 24
-
---
-
-*`network.protocol`*::
-+
---
-In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
-The field value must be normalized to lowercase for querying.
-
-type: keyword
-
-example: http
-
---
-
-*`network.transport`*::
-+
---
-Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
-The field value must be normalized to lowercase for querying.
-
-type: keyword
-
-example: tcp
-
---
-
-*`network.type`*::
-+
---
-In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
-The field value must be normalized to lowercase for querying.
-
-type: keyword
-
-example: ipv4
-
---
-
-*`network.vlan.id`*::
-+
---
-VLAN ID as reported by the observer.
-
-type: keyword
-
-example: 10
-
---
-
-*`network.vlan.name`*::
-+
---
-Optional VLAN name as reported by the observer.
-
-type: keyword
-
-example: outside
-
---
-
-[float]
-=== observer
-
-An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.
-This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
-
-
-*`observer.egress`*::
-+
---
-Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
-
-type: object
-
---
-
-*`observer.egress.interface.alias`*::
-+
---
-Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
-
-type: keyword
-
-example: outside
-
---
-
-*`observer.egress.interface.id`*::
-+
---
-Interface ID as reported by an observer (typically SNMP interface ID).
-
-type: keyword
-
-example: 10
-
---
-
-*`observer.egress.interface.name`*::
-+
---
-Interface name as reported by the system.
-
-type: keyword
-
-example: eth0
-
---
-
-*`observer.egress.vlan.id`*::
-+
---
-VLAN ID as reported by the observer.
-
-type: keyword
-
-example: 10
-
---
-
-*`observer.egress.vlan.name`*::
-+
---
-Optional VLAN name as reported by the observer.
-
-type: keyword
-
-example: outside
-
---
-
-*`observer.egress.zone`*::
-+
---
-Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
-
-type: keyword
-
-example: Public_Internet
-
---
-
-*`observer.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`observer.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`observer.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`observer.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`observer.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`observer.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`observer.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`observer.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`observer.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`observer.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`observer.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`observer.hostname`*::
-+
---
-Hostname of the observer.
-
-type: keyword
-
---
-
-*`observer.ingress`*::
-+
---
-Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
-
-type: object
-
---
-
-*`observer.ingress.interface.alias`*::
-+
---
-Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
-
-type: keyword
-
-example: outside
-
---
-
-*`observer.ingress.interface.id`*::
-+
---
-Interface ID as reported by an observer (typically SNMP interface ID).
-
-type: keyword
-
-example: 10
-
---
-
-*`observer.ingress.interface.name`*::
-+
---
-Interface name as reported by the system.
-
-type: keyword
-
-example: eth0
-
---
-
-*`observer.ingress.vlan.id`*::
-+
---
-VLAN ID as reported by the observer.
-
-type: keyword
-
-example: 10
-
---
-
-*`observer.ingress.vlan.name`*::
-+
---
-Optional VLAN name as reported by the observer.
-
-type: keyword
-
-example: outside
-
---
-
-*`observer.ingress.zone`*::
-+
---
-Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
-
-type: keyword
-
-example: DMZ
-
---
-
-*`observer.ip`*::
-+
---
-IP addresses of the observer.
-
-type: ip
-
---
-
-*`observer.mac`*::
-+
---
-MAC addresses of the observer.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
-
---
-
-*`observer.name`*::
-+
---
-Custom name of the observer.
-This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
-If no custom name is needed, the field can be left empty.
-
-type: keyword
-
-example: 1_proxySG
-
---
-
-*`observer.os.family`*::
-+
---
-OS family (such as redhat, debian, freebsd, windows).
-
-type: keyword
-
-example: debian
-
---
-
-*`observer.os.full`*::
-+
---
-Operating system name, including the version or code name.
-
-type: keyword
-
-example: Mac OS Mojave
-
---
-
-*`observer.os.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`observer.os.kernel`*::
-+
---
-Operating system kernel version as a raw string.
-
-type: keyword
-
-example: 4.4.0-112-generic
-
---
-
-*`observer.os.name`*::
-+
---
-Operating system name, without the version.
-
-type: keyword
-
-example: Mac OS X
-
---
-
-*`observer.os.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`observer.os.platform`*::
-+
---
-Operating system platform (such centos, ubuntu, windows).
-
-type: keyword
-
-example: darwin
-
---
-
-*`observer.os.type`*::
-+
---
-Use the `os.type` field to categorize the operating system into one of the broad commercial families.
-One of these following values should be used (lowercase): linux, macos, unix, windows.
-If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
-
-type: keyword
-
-example: macos
-
---
-
-*`observer.os.version`*::
-+
---
-Operating system version as a raw string.
-
-type: keyword
-
-example: 10.14.1
-
---
-
-*`observer.product`*::
-+
---
-The product name of the observer.
-
-type: keyword
-
-example: s200
-
---
-
-*`observer.serial_number`*::
-+
---
-Observer serial number.
-
-type: keyword
-
---
-
-*`observer.type`*::
-+
---
-The type of the observer the data is coming from.
-There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
-
-type: keyword
-
-example: firewall
-
---
-
-*`observer.vendor`*::
-+
---
-Vendor name of the observer.
-
-type: keyword
-
-example: Symantec
-
---
-
-*`observer.version`*::
-+
---
-Observer version.
-
-type: keyword
-
---
-
-[float]
-=== orchestrator
-
-Fields that describe the resources which container orchestrators manage or act upon.
-
-
-*`orchestrator.api_version`*::
-+
---
-API version being used to carry out the action
-
-type: keyword
-
-example: v1beta1
-
---
-
-*`orchestrator.cluster.name`*::
-+
---
-Name of the cluster.
-
-type: keyword
-
---
-
-*`orchestrator.cluster.url`*::
-+
---
-URL of the API used to manage the cluster.
-
-type: keyword
-
---
-
-*`orchestrator.cluster.version`*::
-+
---
-The version of the cluster.
-
-type: keyword
-
---
-
-*`orchestrator.namespace`*::
-+
---
-Namespace in which the action is taking place.
-
-type: keyword
-
-example: kube-system
-
---
-
-*`orchestrator.organization`*::
-+
---
-Organization affected by the event (for multi-tenant orchestrator setups).
-
-type: keyword
-
-example: elastic
-
---
-
-*`orchestrator.resource.name`*::
-+
---
-Name of the resource being acted upon.
-
-type: keyword
-
-example: test-pod-cdcws
-
---
-
-*`orchestrator.resource.type`*::
-+
---
-Type of resource being acted upon.
-
-type: keyword
-
-example: service
-
---
-
-*`orchestrator.type`*::
-+
---
-Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
-
-type: keyword
-
-example: kubernetes
-
---
-
-[float]
-=== organization
-
-The organization fields enrich data with information about the company or entity the data is associated with.
-These fields help you arrange or filter data stored in an index by one or multiple organizations.
-
-
-*`organization.id`*::
-+
---
-Unique identifier for the organization.
-
-type: keyword
-
---
-
-*`organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
---
-
-*`organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-[float]
-=== os
-
-The OS fields contain information about the operating system.
-
-
-*`os.family`*::
-+
---
-OS family (such as redhat, debian, freebsd, windows).
-
-type: keyword
-
-example: debian
-
---
-
-*`os.full`*::
-+
---
-Operating system name, including the version or code name.
-
-type: keyword
-
-example: Mac OS Mojave
-
---
-
-*`os.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`os.kernel`*::
-+
---
-Operating system kernel version as a raw string.
-
-type: keyword
-
-example: 4.4.0-112-generic
-
---
-
-*`os.name`*::
-+
---
-Operating system name, without the version.
-
-type: keyword
-
-example: Mac OS X
-
---
-
-*`os.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`os.platform`*::
-+
---
-Operating system platform (such centos, ubuntu, windows).
-
-type: keyword
-
-example: darwin
-
---
-
-*`os.type`*::
-+
---
-Use the `os.type` field to categorize the operating system into one of the broad commercial families.
-One of these following values should be used (lowercase): linux, macos, unix, windows.
-If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
-
-type: keyword
-
-example: macos
-
---
-
-*`os.version`*::
-+
---
-Operating system version as a raw string.
-
-type: keyword
-
-example: 10.14.1
-
---
-
-[float]
-=== package
-
-These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
-
-
-*`package.architecture`*::
-+
---
-Package architecture.
-
-type: keyword
-
-example: x86_64
-
---
-
-*`package.build_version`*::
-+
---
-Additional information about the build version of the installed package.
-For example use the commit SHA of a non-released package.
-
-type: keyword
-
-example: 36f4f7e89dd61b0988b12ee000b98966867710cd
-
---
-
-*`package.checksum`*::
-+
---
-Checksum of the installed package for verification.
-
-type: keyword
-
-example: 68b329da9893e34099c7d8ad5cb9c940
-
---
-
-*`package.description`*::
-+
---
-Description of the package.
-
-type: keyword
-
-example: Open source programming language to build simple/reliable/efficient software.
-
---
-
-*`package.install_scope`*::
-+
---
-Indicating how the package was installed, e.g. user-local, global.
-
-type: keyword
-
-example: global
-
---
-
-*`package.installed`*::
-+
---
-Time when package was installed.
-
-type: date
-
---
-
-*`package.license`*::
-+
---
-License under which the package was released.
-Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/).
-
-type: keyword
-
-example: Apache License 2.0
-
---
-
-*`package.name`*::
-+
---
-Package name
-
-type: keyword
-
-example: go
-
---
-
-*`package.path`*::
-+
---
-Path where the package is installed.
-
-type: keyword
-
-example: /usr/local/Cellar/go/1.12.9/
-
---
-
-*`package.reference`*::
-+
---
-Home page or reference URL of the software in this package, if available.
-
-type: keyword
-
-example: https://golang.org
-
---
-
-*`package.size`*::
-+
---
-Package size in bytes.
-
-type: long
-
-example: 62231
-
-format: string
-
---
-
-*`package.type`*::
-+
---
-Type of package.
-This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.
-
-type: keyword
-
-example: rpm
-
---
-
-*`package.version`*::
-+
---
-Package version
-
-type: keyword
-
-example: 1.12.9
-
---
-
-[float]
-=== pe
-
-These fields contain Windows Portable Executable (PE) metadata.
-
-
-*`pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-[float]
-=== process
-
-These fields contain information about a process.
-These fields can help you correlate metrics information with a process id/name from a log message.  The `process.pid` often stays in the metric itself and is copied to the global field for correlation.
-
-
-*`process.args`*::
-+
---
-Array of process arguments, starting with the absolute path to the executable.
-May be filtered to protect sensitive information.
-
-type: keyword
-
-example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
-
---
-
-*`process.args_count`*::
-+
---
-Length of the process.args array.
-This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
-
-type: long
-
-example: 4
-
---
-
-*`process.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`process.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`process.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`process.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`process.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`process.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`process.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`process.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`process.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`process.command_line`*::
-+
---
-Full command line that started the process, including the absolute path to the executable, and all arguments.
-Some arguments may be filtered to protect sensitive information.
-
-type: wildcard
-
-example: /usr/bin/ssh -l user 10.0.0.16
-
---
-
-*`process.command_line.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`process.elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`process.elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`process.elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`process.elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`process.elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`process.elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`process.elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`process.elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`process.elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`process.elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`process.elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`process.elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`process.elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`process.elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`process.elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`process.elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`process.elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`process.elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`process.elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`process.elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`process.elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`process.elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`process.elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`process.elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`process.elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`process.elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`process.elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`process.elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-*`process.end`*::
-+
---
-The time the process ended.
-
-type: date
-
-example: 2016-05-23T08:05:34.853Z
-
---
-
-*`process.entity_id`*::
-+
---
-Unique identifier for the process.
-The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
-Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
-
-type: keyword
-
-example: c2c455d9f99375d
-
---
-
-*`process.executable`*::
-+
---
-Absolute path to the process executable.
-
-type: keyword
-
-example: /usr/bin/ssh
-
---
-
-*`process.executable.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.exit_code`*::
-+
---
-The exit code of the process, if this is a termination event.
-The field should be absent if there is no exit code for the event (e.g. process start).
-
-type: long
-
-example: 137
-
---
-
-*`process.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`process.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`process.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`process.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`process.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`process.name`*::
-+
---
-Process name.
-Sometimes called program name or similar.
-
-type: keyword
-
-example: ssh
-
---
-
-*`process.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.parent.args`*::
-+
---
-Array of process arguments, starting with the absolute path to the executable.
-May be filtered to protect sensitive information.
-
-type: keyword
-
-example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
-
---
-
-*`process.parent.args_count`*::
-+
---
-Length of the process.args array.
-This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
-
-type: long
-
-example: 4
-
---
-
-*`process.parent.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`process.parent.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`process.parent.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`process.parent.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`process.parent.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`process.parent.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`process.parent.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`process.parent.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`process.parent.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`process.parent.command_line`*::
-+
---
-Full command line that started the process, including the absolute path to the executable, and all arguments.
-Some arguments may be filtered to protect sensitive information.
-
-type: wildcard
-
-example: /usr/bin/ssh -l user 10.0.0.16
-
---
-
-*`process.parent.command_line.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.parent.elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`process.parent.elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`process.parent.elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`process.parent.elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`process.parent.elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`process.parent.elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`process.parent.elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`process.parent.elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`process.parent.elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`process.parent.elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`process.parent.elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`process.parent.elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`process.parent.elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`process.parent.elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`process.parent.elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`process.parent.elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`process.parent.elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`process.parent.elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`process.parent.elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`process.parent.elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`process.parent.elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`process.parent.elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`process.parent.elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`process.parent.elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`process.parent.elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`process.parent.elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`process.parent.elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`process.parent.elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`process.parent.elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-*`process.parent.end`*::
-+
---
-The time the process ended.
-
-type: date
-
-example: 2016-05-23T08:05:34.853Z
-
---
-
-*`process.parent.entity_id`*::
-+
---
-Unique identifier for the process.
-The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
-Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
-
-type: keyword
-
-example: c2c455d9f99375d
-
---
-
-*`process.parent.executable`*::
-+
---
-Absolute path to the process executable.
-
-type: keyword
-
-example: /usr/bin/ssh
-
---
-
-*`process.parent.executable.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.parent.exit_code`*::
-+
---
-The exit code of the process, if this is a termination event.
-The field should be absent if there is no exit code for the event (e.g. process start).
-
-type: long
-
-example: 137
-
---
-
-*`process.parent.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`process.parent.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`process.parent.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`process.parent.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`process.parent.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`process.parent.name`*::
-+
---
-Process name.
-Sometimes called program name or similar.
-
-type: keyword
-
-example: ssh
-
---
-
-*`process.parent.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.parent.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`process.parent.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`process.parent.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`process.parent.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`process.parent.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`process.parent.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`process.parent.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-*`process.parent.pgid`*::
-+
---
-Identifier of the group of processes the process belongs to.
-
-type: long
-
-format: string
-
---
-
-*`process.parent.pid`*::
-+
---
-Process id.
-
-type: long
-
-example: 4242
-
-format: string
-
---
-
-*`process.parent.start`*::
-+
---
-The time the process started.
-
-type: date
-
-example: 2016-05-23T08:05:34.853Z
-
---
-
-*`process.parent.thread.id`*::
-+
---
-Thread ID.
-
-type: long
-
-example: 4242
-
-format: string
-
---
-
-*`process.parent.thread.name`*::
-+
---
-Thread name.
-
-type: keyword
-
-example: thread-0
-
---
-
-*`process.parent.title`*::
-+
---
-Process title.
-The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
-
-type: keyword
-
---
-
-*`process.parent.title.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.parent.uptime`*::
-+
---
-Seconds the process has been up.
-
-type: long
-
-example: 1325
-
---
-
-*`process.parent.working_directory`*::
-+
---
-The working directory of the process.
-
-type: keyword
-
-example: /home/alice
-
---
-
-*`process.parent.working_directory.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`process.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`process.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`process.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`process.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`process.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`process.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-*`process.pgid`*::
-+
---
-Identifier of the group of processes the process belongs to.
-
-type: long
-
-format: string
-
---
-
-*`process.pid`*::
-+
---
-Process id.
-
-type: long
-
-example: 4242
-
-format: string
-
---
-
-*`process.start`*::
-+
---
-The time the process started.
-
-type: date
-
-example: 2016-05-23T08:05:34.853Z
-
---
-
-*`process.thread.id`*::
-+
---
-Thread ID.
-
-type: long
-
-example: 4242
-
-format: string
-
---
-
-*`process.thread.name`*::
-+
---
-Thread name.
-
-type: keyword
-
-example: thread-0
-
---
-
-*`process.title`*::
-+
---
-Process title.
-The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
-
-type: keyword
-
---
-
-*`process.title.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.uptime`*::
-+
---
-Seconds the process has been up.
-
-type: long
-
-example: 1325
-
---
-
-*`process.working_directory`*::
-+
---
-The working directory of the process.
-
-type: keyword
-
-example: /home/alice
-
---
-
-*`process.working_directory.text`*::
-+
---
-type: match_only_text
-
---
-
-[float]
-=== registry
-
-Fields related to Windows Registry operations.
-
-
-*`registry.data.bytes`*::
-+
---
-Original bytes written with base64 encoding.
-For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
-
-type: keyword
-
-example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
-
---
-
-*`registry.data.strings`*::
-+
---
-Content when writing string types.
-Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
-
-type: wildcard
-
-example: ["C:\rta\red_ttp\bin\myapp.exe"]
-
---
-
-*`registry.data.type`*::
-+
---
-Standard registry type for encoding contents
-
-type: keyword
-
-example: REG_SZ
-
---
-
-*`registry.hive`*::
-+
---
-Abbreviated name for the hive.
-
-type: keyword
-
-example: HKLM
-
---
-
-*`registry.key`*::
-+
---
-Hive-relative path of keys.
-
-type: keyword
-
-example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
-
---
-
-*`registry.path`*::
-+
---
-Full path, including hive, key and value
-
-type: keyword
-
-example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
-
---
-
-*`registry.value`*::
-+
---
-Name of the value written.
-
-type: keyword
-
-example: Debugger
-
---
-
-[float]
-=== related
-
-This field set is meant to facilitate pivoting around a piece of data.
-Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`.
-A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.
-
-
-*`related.hash`*::
-+
---
-All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
-
-type: keyword
-
---
-
-*`related.hosts`*::
-+
---
-All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
-
-type: keyword
-
---
-
-*`related.ip`*::
-+
---
-All of the IPs seen on your event.
-
-type: ip
-
---
-
-*`related.user`*::
-+
---
-All the user names or other user identifiers seen on the event.
-
-type: keyword
-
---
-
-[float]
-=== rule
-
-Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
-Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.
-
-
-*`rule.author`*::
-+
---
-Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
-
-type: keyword
-
-example: ["Star-Lord"]
-
---
-
-*`rule.category`*::
-+
---
-A categorization value keyword used by the entity using the rule for detection of this event.
-
-type: keyword
-
-example: Attempted Information Leak
-
---
-
-*`rule.description`*::
-+
---
-The description of the rule generating the event.
-
-type: keyword
-
-example: Block requests to public DNS over HTTPS / TLS protocols
-
---
-
-*`rule.id`*::
-+
---
-A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
-
-type: keyword
-
-example: 101
-
---
-
-*`rule.license`*::
-+
---
-Name of the license under which the rule used to generate this event is made available.
-
-type: keyword
-
-example: Apache 2.0
-
---
-
-*`rule.name`*::
-+
---
-The name of the rule or signature generating the event.
-
-type: keyword
-
-example: BLOCK_DNS_over_TLS
-
---
-
-*`rule.reference`*::
-+
---
-Reference URL to additional information about the rule used to generate this event.
-The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert.
-
-type: keyword
-
-example: https://en.wikipedia.org/wiki/DNS_over_TLS
-
---
-
-*`rule.ruleset`*::
-+
---
-Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
-
-type: keyword
-
-example: Standard_Protocol_Filters
-
---
-
-*`rule.uuid`*::
-+
---
-A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
-
-type: keyword
-
-example: 1100110011
-
---
-
-*`rule.version`*::
-+
---
-The version / revision of the rule being used for analysis.
-
-type: keyword
-
-example: 1.1
-
---
-
-[float]
-=== server
-
-A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records.
-For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events.
-Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
-
-
-*`server.address`*::
-+
---
-Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
-Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
-
-type: keyword
-
---
-
-*`server.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`server.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`server.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`server.bytes`*::
-+
---
-Bytes sent from the server to the client.
-
-type: long
-
-example: 184
-
-format: bytes
-
---
-
-*`server.domain`*::
-+
---
-The domain name of the server system.
-This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
-
-type: keyword
-
-example: foo.example.com
-
---
-
-*`server.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`server.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`server.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`server.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`server.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`server.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`server.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`server.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`server.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`server.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`server.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`server.ip`*::
-+
---
-IP address of the server (IPv4 or IPv6).
-
-type: ip
-
---
-
-*`server.mac`*::
-+
---
-MAC address of the server.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: 00-00-5E-00-53-23
-
---
-
-*`server.nat.ip`*::
-+
---
-Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
-Typically used with load balancers, firewalls, or routers.
-
-type: ip
-
---
-
-*`server.nat.port`*::
-+
---
-Translated port of destination based NAT sessions (e.g. internet to private DMZ)
-Typically used with load balancers, firewalls, or routers.
-
-type: long
-
-format: string
-
---
-
-*`server.packets`*::
-+
---
-Packets sent from the server to the client.
-
-type: long
-
-example: 12
-
---
-
-*`server.port`*::
-+
---
-Port of the server.
-
-type: long
-
-format: string
-
---
-
-*`server.registered_domain`*::
-+
---
-The highest registered server domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`server.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`server.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`server.user.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`server.user.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`server.user.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`server.user.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`server.user.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`server.user.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`server.user.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`server.user.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`server.user.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`server.user.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`server.user.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`server.user.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-[float]
-=== service
-
-The service fields describe the service for or from which the data was collected.
-These fields help you find and correlate logs for a specific service and version.
-
-
-*`service.address`*::
-+
---
-Address where data about this service was collected from.
-This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
-
-type: keyword
-
-example: 172.26.0.2:5432
-
---
-
-*`service.environment`*::
-+
---
-Identifies the environment where the service is running.
-If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
-
-type: keyword
-
-example: production
-
---
-
-*`service.ephemeral_id`*::
-+
---
-Ephemeral identifier of this service (if one exists).
-This id normally changes across restarts, but `service.id` does not.
-
-type: keyword
-
-example: 8a4f500f
-
---
-
-*`service.id`*::
-+
---
-Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.
-This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.
-Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
-
-type: keyword
-
-example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
-
---
-
-*`service.name`*::
-+
---
-Name of the service data is collected from.
-The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
-In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
-
-type: keyword
-
-example: elasticsearch-metrics
-
---
-
-*`service.node.name`*::
-+
---
-Name of a service node.
-This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.
-In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
-
-type: keyword
-
-example: instance-0000000016
-
---
-
-*`service.origin.address`*::
-+
---
-Address where data about this service was collected from.
-This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
-
-type: keyword
-
-example: 172.26.0.2:5432
-
---
-
-*`service.origin.environment`*::
-+
---
-Identifies the environment where the service is running.
-If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
-
-type: keyword
-
-example: production
-
---
-
-*`service.origin.ephemeral_id`*::
-+
---
-Ephemeral identifier of this service (if one exists).
-This id normally changes across restarts, but `service.id` does not.
-
-type: keyword
-
-example: 8a4f500f
-
---
-
-*`service.origin.id`*::
-+
---
-Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.
-This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.
-Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
-
-type: keyword
-
-example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
-
---
-
-*`service.origin.name`*::
-+
---
-Name of the service data is collected from.
-The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
-In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
-
-type: keyword
-
-example: elasticsearch-metrics
-
---
-
-*`service.origin.node.name`*::
-+
---
-Name of a service node.
-This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.
-In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
-
-type: keyword
-
-example: instance-0000000016
-
---
-
-*`service.origin.state`*::
-+
---
-Current state of the service.
-
-type: keyword
-
---
-
-*`service.origin.type`*::
-+
---
-The type of the service data is collected from.
-The type can be used to group and correlate logs and metrics from one service type.
-Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
-
-type: keyword
-
-example: elasticsearch
-
---
-
-*`service.origin.version`*::
-+
---
-Version of the service the data was collected from.
-This allows to look at a data set only for a specific version of a service.
-
-type: keyword
-
-example: 3.2.4
-
---
-
-*`service.state`*::
-+
---
-Current state of the service.
-
-type: keyword
-
---
-
-*`service.target.address`*::
-+
---
-Address where data about this service was collected from.
-This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
-
-type: keyword
-
-example: 172.26.0.2:5432
-
---
-
-*`service.target.environment`*::
-+
---
-Identifies the environment where the service is running.
-If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
-
-type: keyword
-
-example: production
-
---
-
-*`service.target.ephemeral_id`*::
-+
---
-Ephemeral identifier of this service (if one exists).
-This id normally changes across restarts, but `service.id` does not.
-
-type: keyword
-
-example: 8a4f500f
-
---
-
-*`service.target.id`*::
-+
---
-Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.
-This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.
-Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
-
-type: keyword
-
-example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
-
---
-
-*`service.target.name`*::
-+
---
-Name of the service data is collected from.
-The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
-In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
-
-type: keyword
-
-example: elasticsearch-metrics
-
---
-
-*`service.target.node.name`*::
-+
---
-Name of a service node.
-This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.
-In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
-
-type: keyword
-
-example: instance-0000000016
-
---
-
-*`service.target.state`*::
-+
---
-Current state of the service.
-
-type: keyword
-
---
-
-*`service.target.type`*::
-+
---
-The type of the service data is collected from.
-The type can be used to group and correlate logs and metrics from one service type.
-Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
-
-type: keyword
-
-example: elasticsearch
-
---
-
-*`service.target.version`*::
-+
---
-Version of the service the data was collected from.
-This allows to look at a data set only for a specific version of a service.
-
-type: keyword
-
-example: 3.2.4
-
---
-
-*`service.type`*::
-+
---
-The type of the service data is collected from.
-The type can be used to group and correlate logs and metrics from one service type.
-Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
-
-type: keyword
-
-example: elasticsearch
-
---
-
-*`service.version`*::
-+
---
-Version of the service the data was collected from.
-This allows to look at a data set only for a specific version of a service.
-
-type: keyword
-
-example: 3.2.4
-
---
-
-[float]
-=== source
-
-Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
-Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
-
-
-*`source.address`*::
-+
---
-Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
-Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
-
-type: keyword
-
---
-
-*`source.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`source.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`source.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`source.bytes`*::
-+
---
-Bytes sent from the source to the destination.
-
-type: long
-
-example: 184
-
-format: bytes
-
---
-
-*`source.domain`*::
-+
---
-The domain name of the source system.
-This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
-
-type: keyword
-
-example: foo.example.com
-
---
-
-*`source.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`source.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`source.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`source.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`source.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`source.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`source.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`source.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`source.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`source.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`source.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`source.ip`*::
-+
---
-IP address of the source (IPv4 or IPv6).
-
-type: ip
-
---
-
-*`source.mac`*::
-+
---
-MAC address of the source.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: 00-00-5E-00-53-23
-
---
-
-*`source.nat.ip`*::
-+
---
-Translated ip of source based NAT sessions (e.g. internal client to internet)
-Typically connections traversing load balancers, firewalls, or routers.
-
-type: ip
-
---
-
-*`source.nat.port`*::
-+
---
-Translated port of source based NAT sessions. (e.g. internal client to internet)
-Typically used with load balancers, firewalls, or routers.
-
-type: long
-
-format: string
-
---
-
-*`source.packets`*::
-+
---
-Packets sent from the source to the destination.
-
-type: long
-
-example: 12
-
---
-
-*`source.port`*::
-+
---
-Port of the source.
-
-type: long
-
-format: string
-
---
-
-*`source.registered_domain`*::
-+
---
-The highest registered source domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`source.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`source.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`source.user.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`source.user.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`source.user.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`source.user.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`source.user.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`source.user.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`source.user.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`source.user.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`source.user.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`source.user.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`source.user.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`source.user.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-[float]
-=== threat
-
-Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.
-These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
-
-
-*`threat.enrichments`*::
-+
---
-A list of associated indicators objects enriching the event, and the context of that association/enrichment.
-
-type: nested
-
---
-
-*`threat.enrichments.indicator`*::
-+
---
-Object containing associated indicators enriching the event.
-
-type: object
-
---
-
-*`threat.enrichments.indicator.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`threat.enrichments.indicator.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`threat.enrichments.indicator.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.enrichments.indicator.confidence`*::
-+
---
-Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
-Expected values are:
-  * Not Specified
-  * None
-  * Low
-  * Medium
-  * High
-
-type: keyword
-
-example: Medium
-
---
-
-*`threat.enrichments.indicator.description`*::
-+
---
-Describes the type of action conducted by the threat.
-
-type: keyword
-
-example: IP x.x.x.x was observed delivering the Angler EK.
-
---
-
-*`threat.enrichments.indicator.email.address`*::
-+
---
-Identifies a threat indicator as an email address (irrespective of direction).
-
-type: keyword
-
-example: phish@example.com
-
---
-
-*`threat.enrichments.indicator.file.accessed`*::
-+
---
-Last time the file was accessed.
-Note that not all filesystems keep track of access time.
-
-type: date
-
---
-
-*`threat.enrichments.indicator.file.attributes`*::
-+
---
-Array of file attributes.
-Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
-
-type: keyword
-
-example: ["readonly", "system"]
-
---
-
-*`threat.enrichments.indicator.file.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`threat.enrichments.indicator.file.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.enrichments.indicator.file.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`threat.enrichments.indicator.file.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`threat.enrichments.indicator.file.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`threat.enrichments.indicator.file.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`threat.enrichments.indicator.file.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`threat.enrichments.indicator.file.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.enrichments.indicator.file.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.enrichments.indicator.file.created`*::
-+
---
-File creation time.
-Note that not all filesystems store the creation time.
-
-type: date
-
---
-
-*`threat.enrichments.indicator.file.ctime`*::
-+
---
-Last time the file attributes or metadata changed.
-Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
-
-type: date
-
---
-
-*`threat.enrichments.indicator.file.device`*::
-+
---
-Device that is the source of the file.
-
-type: keyword
-
-example: sda
-
---
-
-*`threat.enrichments.indicator.file.directory`*::
-+
---
-Directory where the file is located. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice
-
---
-
-*`threat.enrichments.indicator.file.drive_letter`*::
-+
---
-Drive letter where the file is located. This field is only relevant on Windows.
-The value should be uppercase, and not include the colon.
-
-type: keyword
-
-example: C
-
---
-
-*`threat.enrichments.indicator.file.elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`threat.enrichments.indicator.file.elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`threat.enrichments.indicator.file.elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`threat.enrichments.indicator.file.elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`threat.enrichments.indicator.file.elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`threat.enrichments.indicator.file.elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`threat.enrichments.indicator.file.elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`threat.enrichments.indicator.file.elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`threat.enrichments.indicator.file.elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`threat.enrichments.indicator.file.elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.extension`*::
-+
---
-File extension, excluding the leading dot.
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`threat.enrichments.indicator.file.fork_name`*::
-+
---
-A fork is additional data associated with a filesystem object.
-On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.
-On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
-
-type: keyword
-
-example: Zone.Identifer
-
---
-
-*`threat.enrichments.indicator.file.gid`*::
-+
---
-Primary group ID (GID) of the file.
-
-type: keyword
-
-example: 1001
-
---
-
-*`threat.enrichments.indicator.file.group`*::
-+
---
-Primary group name of the file.
-
-type: keyword
-
-example: alice
-
---
-
-*`threat.enrichments.indicator.file.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.inode`*::
-+
---
-Inode representing the file in the filesystem.
-
-type: keyword
-
-example: 256383
-
---
-
-*`threat.enrichments.indicator.file.mime_type`*::
-+
---
-MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.mode`*::
-+
---
-Mode of the file in octal representation.
-
-type: keyword
-
-example: 0640
-
---
-
-*`threat.enrichments.indicator.file.mtime`*::
-+
---
-Last time the file content was modified.
-
-type: date
-
---
-
-*`threat.enrichments.indicator.file.name`*::
-+
---
-Name of the file including the extension, without the directory.
-
-type: keyword
-
-example: example.png
-
---
-
-*`threat.enrichments.indicator.file.owner`*::
-+
---
-File owner's username.
-
-type: keyword
-
-example: alice
-
---
-
-*`threat.enrichments.indicator.file.path`*::
-+
---
-Full path to the file, including the file name. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice/example.png
-
---
-
-*`threat.enrichments.indicator.file.path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.enrichments.indicator.file.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`threat.enrichments.indicator.file.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`threat.enrichments.indicator.file.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`threat.enrichments.indicator.file.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`threat.enrichments.indicator.file.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`threat.enrichments.indicator.file.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`threat.enrichments.indicator.file.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-*`threat.enrichments.indicator.file.size`*::
-+
---
-File size in bytes.
-Only relevant when `file.type` is "file".
-
-type: long
-
-example: 16384
-
---
-
-*`threat.enrichments.indicator.file.target_path`*::
-+
---
-Target path for symlinks.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.target_path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.enrichments.indicator.file.type`*::
-+
---
-File type (file, dir, or symlink).
-
-type: keyword
-
-example: file
-
---
-
-*`threat.enrichments.indicator.file.uid`*::
-+
---
-The user ID (UID) or security identifier (SID) of the file owner.
-
-type: keyword
-
-example: 1001
-
---
-
-*`threat.enrichments.indicator.file.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.enrichments.indicator.file.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`threat.enrichments.indicator.file.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`threat.enrichments.indicator.file.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`threat.enrichments.indicator.file.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`threat.enrichments.indicator.file.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`threat.enrichments.indicator.file.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`threat.enrichments.indicator.file.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`threat.enrichments.indicator.file.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.enrichments.indicator.file.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`threat.enrichments.indicator.first_seen`*::
-+
---
-The date and time when intelligence source first reported sighting this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.enrichments.indicator.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`threat.enrichments.indicator.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`threat.enrichments.indicator.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`threat.enrichments.indicator.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`threat.enrichments.indicator.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`threat.enrichments.indicator.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`threat.enrichments.indicator.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`threat.enrichments.indicator.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`threat.enrichments.indicator.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`threat.enrichments.indicator.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`threat.enrichments.indicator.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`threat.enrichments.indicator.ip`*::
-+
---
-Identifies a threat indicator as an IP address (irrespective of direction).
-
-type: ip
-
-example: 1.2.3.4
-
---
-
-*`threat.enrichments.indicator.last_seen`*::
-+
---
-The date and time when intelligence source last reported sighting this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.enrichments.indicator.marking.tlp`*::
-+
---
-Traffic Light Protocol sharing markings. Recommended values are:
-  * WHITE
-  * GREEN
-  * AMBER
-  * RED
-
-type: keyword
-
-example: White
-
---
-
-*`threat.enrichments.indicator.modified_at`*::
-+
---
-The date and time when intelligence source last modified information for this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.enrichments.indicator.port`*::
-+
---
-Identifies a threat indicator as a port number (irrespective of direction).
-
-type: long
-
-example: 443
-
---
-
-*`threat.enrichments.indicator.provider`*::
-+
---
-The name of the indicator's provider.
-
-type: keyword
-
-example: lrz_urlhaus
-
---
-
-*`threat.enrichments.indicator.reference`*::
-+
---
-Reference URL linking to additional information about this indicator.
-
-type: keyword
-
-example: https://system.example.com/indicator/0001234
-
---
-
-*`threat.enrichments.indicator.registry.data.bytes`*::
-+
---
-Original bytes written with base64 encoding.
-For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
-
-type: keyword
-
-example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
-
---
-
-*`threat.enrichments.indicator.registry.data.strings`*::
-+
---
-Content when writing string types.
-Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
-
-type: wildcard
-
-example: ["C:\rta\red_ttp\bin\myapp.exe"]
-
---
-
-*`threat.enrichments.indicator.registry.data.type`*::
-+
---
-Standard registry type for encoding contents
-
-type: keyword
-
-example: REG_SZ
-
---
-
-*`threat.enrichments.indicator.registry.hive`*::
-+
---
-Abbreviated name for the hive.
-
-type: keyword
-
-example: HKLM
-
---
-
-*`threat.enrichments.indicator.registry.key`*::
-+
---
-Hive-relative path of keys.
-
-type: keyword
-
-example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
-
---
-
-*`threat.enrichments.indicator.registry.path`*::
-+
---
-Full path, including hive, key and value
-
-type: keyword
-
-example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
-
---
-
-*`threat.enrichments.indicator.registry.value`*::
-+
---
-Name of the value written.
-
-type: keyword
-
-example: Debugger
-
---
-
-*`threat.enrichments.indicator.scanner_stats`*::
-+
---
-Count of AV/EDR vendors that successfully detected malicious file or URL.
-
-type: long
-
-example: 4
-
---
-
-*`threat.enrichments.indicator.sightings`*::
-+
---
-Number of times this indicator was observed conducting threat activity.
-
-type: long
-
-example: 20
-
---
-
-*`threat.enrichments.indicator.type`*::
-+
---
-Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values:
-  * autonomous-system
-  * artifact
-  * directory
-  * domain-name
-  * email-addr
-  * file
-  * ipv4-addr
-  * ipv6-addr
-  * mac-addr
-  * mutex
-  * port
-  * process
-  * software
-  * url
-  * user-account
-  * windows-registry-key
-  * x509-certificate
-
-type: keyword
-
-example: ipv4-addr
-
---
-
-*`threat.enrichments.indicator.url.domain`*::
-+
---
-Domain of the url, such as "www.elastic.co".
-In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
-If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
-
-type: keyword
-
-example: www.elastic.co
-
---
-
-*`threat.enrichments.indicator.url.extension`*::
-+
---
-The field contains the file extension from the original request url, excluding the leading dot.
-The file extension is only set if it exists, as not every url has a file extension.
-The leading period must not be included. For example, the value must be "png", not ".png".
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`threat.enrichments.indicator.url.fragment`*::
-+
---
-Portion of the url after the `#`, such as "top".
-The `#` is not part of the fragment.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.url.full`*::
-+
---
-If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top
-
---
-
-*`threat.enrichments.indicator.url.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.enrichments.indicator.url.original`*::
-+
---
-Unmodified original url as seen in the event source.
-Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
-This field is meant to represent the URL as it was observed, complete or not.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
-
---
-
-*`threat.enrichments.indicator.url.original.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.enrichments.indicator.url.password`*::
-+
---
-Password of the request.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.url.path`*::
-+
---
-Path of the request, such as "/search".
-
-type: wildcard
-
---
-
-*`threat.enrichments.indicator.url.port`*::
-+
---
-Port of the request, such as 443.
-
-type: long
-
-example: 443
-
-format: string
-
---
-
-*`threat.enrichments.indicator.url.query`*::
-+
---
-The query field describes the query string of the request, such as "q=elasticsearch".
-The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.url.registered_domain`*::
-+
---
-The highest registered url domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`threat.enrichments.indicator.url.scheme`*::
-+
---
-Scheme of the request, such as "https".
-Note: The `:` is not part of the scheme.
-
-type: keyword
-
-example: https
-
---
-
-*`threat.enrichments.indicator.url.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`threat.enrichments.indicator.url.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`threat.enrichments.indicator.url.username`*::
-+
---
-Username of the request.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`threat.enrichments.indicator.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`threat.enrichments.indicator.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`threat.enrichments.indicator.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`threat.enrichments.indicator.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`threat.enrichments.indicator.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`threat.enrichments.indicator.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`threat.enrichments.indicator.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.enrichments.indicator.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`threat.enrichments.indicator.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`threat.enrichments.indicator.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`threat.enrichments.indicator.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`threat.enrichments.indicator.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`threat.enrichments.indicator.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`threat.enrichments.indicator.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`threat.enrichments.indicator.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`threat.enrichments.indicator.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`threat.enrichments.indicator.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`threat.enrichments.indicator.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`threat.enrichments.indicator.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`threat.enrichments.indicator.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`threat.enrichments.indicator.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.enrichments.indicator.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`threat.enrichments.matched.atomic`*::
-+
---
-Identifies the atomic indicator value that matched a local environment endpoint or network event.
-
-type: keyword
-
-example: bad-domain.com
-
---
-
-*`threat.enrichments.matched.field`*::
-+
---
-Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
-
-type: keyword
-
-example: file.hash.sha256
-
---
-
-*`threat.enrichments.matched.id`*::
-+
---
-Identifies the _id of the indicator document enriching the event.
-
-type: keyword
-
-example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
-
---
-
-*`threat.enrichments.matched.index`*::
-+
---
-Identifies the _index of the indicator document enriching the event.
-
-type: keyword
-
-example: filebeat-8.0.0-2021.05.23-000011
-
---
-
-*`threat.enrichments.matched.type`*::
-+
---
-Identifies the type of match that caused the event to be enriched with the given indicator
-
-type: keyword
-
-example: indicator_match_rule
-
---
-
-*`threat.framework`*::
-+
---
-Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
-
-type: keyword
-
-example: MITRE ATT&CK
-
---
-
-*`threat.group.alias`*::
-+
---
-The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community.
-While not required, you can use a MITRE ATT&CK® group alias(es).
-
-type: keyword
-
-example: [ "Magecart Group 6" ]
-
---
-
-*`threat.group.id`*::
-+
---
-The id of the group for a set of related intrusion activity that are tracked by a common name in the security community.
-While not required, you can use a MITRE ATT&CK® group id.
-
-type: keyword
-
-example: G0037
-
---
-
-*`threat.group.name`*::
-+
---
-The name of the group for a set of related intrusion activity that are tracked by a common name in the security community.
-While not required, you can use a MITRE ATT&CK® group name.
-
-type: keyword
-
-example: FIN6
-
---
-
-*`threat.group.reference`*::
-+
---
-The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community.
-While not required, you can use a MITRE ATT&CK® group reference URL.
-
-type: keyword
-
-example: https://attack.mitre.org/groups/G0037/
-
---
-
-*`threat.indicator.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`threat.indicator.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`threat.indicator.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.indicator.confidence`*::
-+
---
-Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
-Expected values are:
-  * Not Specified
-  * None
-  * Low
-  * Medium
-  * High
-
-type: keyword
-
-example: Medium
-
---
-
-*`threat.indicator.description`*::
-+
---
-Describes the type of action conducted by the threat.
-
-type: keyword
-
-example: IP x.x.x.x was observed delivering the Angler EK.
-
---
-
-*`threat.indicator.email.address`*::
-+
---
-Identifies a threat indicator as an email address (irrespective of direction).
-
-type: keyword
-
-example: phish@example.com
-
---
-
-*`threat.indicator.file.accessed`*::
-+
---
-Last time the file was accessed.
-Note that not all filesystems keep track of access time.
-
-type: date
-
---
-
-*`threat.indicator.file.attributes`*::
-+
---
-Array of file attributes.
-Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
-
-type: keyword
-
-example: ["readonly", "system"]
-
---
-
-*`threat.indicator.file.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`threat.indicator.file.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.indicator.file.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`threat.indicator.file.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`threat.indicator.file.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`threat.indicator.file.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`threat.indicator.file.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`threat.indicator.file.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.indicator.file.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.indicator.file.created`*::
-+
---
-File creation time.
-Note that not all filesystems store the creation time.
-
-type: date
-
---
-
-*`threat.indicator.file.ctime`*::
-+
---
-Last time the file attributes or metadata changed.
-Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
-
-type: date
-
---
-
-*`threat.indicator.file.device`*::
-+
---
-Device that is the source of the file.
-
-type: keyword
-
-example: sda
-
---
-
-*`threat.indicator.file.directory`*::
-+
---
-Directory where the file is located. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice
-
---
-
-*`threat.indicator.file.drive_letter`*::
-+
---
-Drive letter where the file is located. This field is only relevant on Windows.
-The value should be uppercase, and not include the colon.
-
-type: keyword
-
-example: C
-
---
-
-*`threat.indicator.file.elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`threat.indicator.file.elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`threat.indicator.file.elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`threat.indicator.file.elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`threat.indicator.file.elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`threat.indicator.file.elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`threat.indicator.file.elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`threat.indicator.file.elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`threat.indicator.file.elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`threat.indicator.file.elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`threat.indicator.file.elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`threat.indicator.file.elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`threat.indicator.file.elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`threat.indicator.file.elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`threat.indicator.file.elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-*`threat.indicator.file.extension`*::
-+
---
-File extension, excluding the leading dot.
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`threat.indicator.file.fork_name`*::
-+
---
-A fork is additional data associated with a filesystem object.
-On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.
-On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
-
-type: keyword
-
-example: Zone.Identifer
-
---
-
-*`threat.indicator.file.gid`*::
-+
---
-Primary group ID (GID) of the file.
-
-type: keyword
-
-example: 1001
-
---
-
-*`threat.indicator.file.group`*::
-+
---
-Primary group name of the file.
-
-type: keyword
-
-example: alice
-
---
-
-*`threat.indicator.file.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`threat.indicator.file.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`threat.indicator.file.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`threat.indicator.file.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`threat.indicator.file.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`threat.indicator.file.inode`*::
-+
---
-Inode representing the file in the filesystem.
-
-type: keyword
-
-example: 256383
-
---
-
-*`threat.indicator.file.mime_type`*::
-+
---
-MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
-
-type: keyword
-
---
-
-*`threat.indicator.file.mode`*::
-+
---
-Mode of the file in octal representation.
-
-type: keyword
-
-example: 0640
-
---
-
-*`threat.indicator.file.mtime`*::
-+
---
-Last time the file content was modified.
-
-type: date
-
---
-
-*`threat.indicator.file.name`*::
-+
---
-Name of the file including the extension, without the directory.
-
-type: keyword
-
-example: example.png
-
---
-
-*`threat.indicator.file.owner`*::
-+
---
-File owner's username.
-
-type: keyword
-
-example: alice
-
---
-
-*`threat.indicator.file.path`*::
-+
---
-Full path to the file, including the file name. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice/example.png
-
---
-
-*`threat.indicator.file.path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.indicator.file.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`threat.indicator.file.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`threat.indicator.file.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`threat.indicator.file.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`threat.indicator.file.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`threat.indicator.file.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`threat.indicator.file.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-*`threat.indicator.file.size`*::
-+
---
-File size in bytes.
-Only relevant when `file.type` is "file".
-
-type: long
-
-example: 16384
-
---
-
-*`threat.indicator.file.target_path`*::
-+
---
-Target path for symlinks.
-
-type: keyword
-
---
-
-*`threat.indicator.file.target_path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.indicator.file.type`*::
-+
---
-File type (file, dir, or symlink).
-
-type: keyword
-
-example: file
-
---
-
-*`threat.indicator.file.uid`*::
-+
---
-The user ID (UID) or security identifier (SID) of the file owner.
-
-type: keyword
-
-example: 1001
-
---
-
-*`threat.indicator.file.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`threat.indicator.file.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`threat.indicator.file.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`threat.indicator.file.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`threat.indicator.file.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`threat.indicator.file.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`threat.indicator.file.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`threat.indicator.file.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.indicator.file.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`threat.indicator.file.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`threat.indicator.file.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`threat.indicator.file.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`threat.indicator.file.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`threat.indicator.file.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`threat.indicator.file.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`threat.indicator.file.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`threat.indicator.file.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`threat.indicator.file.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`threat.indicator.file.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`threat.indicator.file.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`threat.indicator.file.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`threat.indicator.file.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`threat.indicator.file.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.indicator.file.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`threat.indicator.first_seen`*::
-+
---
-The date and time when intelligence source first reported sighting this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.indicator.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`threat.indicator.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`threat.indicator.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`threat.indicator.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`threat.indicator.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`threat.indicator.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`threat.indicator.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`threat.indicator.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`threat.indicator.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`threat.indicator.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`threat.indicator.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`threat.indicator.ip`*::
-+
---
-Identifies a threat indicator as an IP address (irrespective of direction).
-
-type: ip
-
-example: 1.2.3.4
-
---
-
-*`threat.indicator.last_seen`*::
-+
---
-The date and time when intelligence source last reported sighting this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.indicator.marking.tlp`*::
-+
---
-Traffic Light Protocol sharing markings.
-Recommended values are:
-  * WHITE
-  * GREEN
-  * AMBER
-  * RED
-
-type: keyword
-
-example: WHITE
-
---
-
-*`threat.indicator.modified_at`*::
-+
---
-The date and time when intelligence source last modified information for this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.indicator.port`*::
-+
---
-Identifies a threat indicator as a port number (irrespective of direction).
-
-type: long
-
-example: 443
-
---
-
-*`threat.indicator.provider`*::
-+
---
-The name of the indicator's provider.
-
-type: keyword
-
-example: lrz_urlhaus
-
---
-
-*`threat.indicator.reference`*::
-+
---
-Reference URL linking to additional information about this indicator.
-
-type: keyword
-
-example: https://system.example.com/indicator/0001234
-
---
-
-*`threat.indicator.registry.data.bytes`*::
-+
---
-Original bytes written with base64 encoding.
-For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
-
-type: keyword
-
-example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
-
---
-
-*`threat.indicator.registry.data.strings`*::
-+
---
-Content when writing string types.
-Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
-
-type: wildcard
-
-example: ["C:\rta\red_ttp\bin\myapp.exe"]
-
---
-
-*`threat.indicator.registry.data.type`*::
-+
---
-Standard registry type for encoding contents
-
-type: keyword
-
-example: REG_SZ
-
---
-
-*`threat.indicator.registry.hive`*::
-+
---
-Abbreviated name for the hive.
-
-type: keyword
-
-example: HKLM
-
---
-
-*`threat.indicator.registry.key`*::
-+
---
-Hive-relative path of keys.
-
-type: keyword
-
-example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
-
---
-
-*`threat.indicator.registry.path`*::
-+
---
-Full path, including hive, key and value
-
-type: keyword
-
-example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
-
---
-
-*`threat.indicator.registry.value`*::
-+
---
-Name of the value written.
-
-type: keyword
-
-example: Debugger
-
---
-
-*`threat.indicator.scanner_stats`*::
-+
---
-Count of AV/EDR vendors that successfully detected malicious file or URL.
-
-type: long
-
-example: 4
-
---
-
-*`threat.indicator.sightings`*::
-+
---
-Number of times this indicator was observed conducting threat activity.
-
-type: long
-
-example: 20
-
---
-
-*`threat.indicator.type`*::
-+
---
-Type of indicator as represented by Cyber Observable in STIX 2.0.
-Recommended values:
-  * autonomous-system
-  * artifact
-  * directory
-  * domain-name
-  * email-addr
-  * file
-  * ipv4-addr
-  * ipv6-addr
-  * mac-addr
-  * mutex
-  * port
-  * process
-  * software
-  * url
-  * user-account
-  * windows-registry-key
-  * x509-certificate
-
-type: keyword
-
-example: ipv4-addr
-
---
-
-*`threat.indicator.url.domain`*::
-+
---
-Domain of the url, such as "www.elastic.co".
-In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
-If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
-
-type: keyword
-
-example: www.elastic.co
-
---
-
-*`threat.indicator.url.extension`*::
-+
---
-The field contains the file extension from the original request url, excluding the leading dot.
-The file extension is only set if it exists, as not every url has a file extension.
-The leading period must not be included. For example, the value must be "png", not ".png".
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`threat.indicator.url.fragment`*::
-+
---
-Portion of the url after the `#`, such as "top".
-The `#` is not part of the fragment.
-
-type: keyword
-
---
-
-*`threat.indicator.url.full`*::
-+
---
-If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top
-
---
-
-*`threat.indicator.url.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.indicator.url.original`*::
-+
---
-Unmodified original url as seen in the event source.
-Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
-This field is meant to represent the URL as it was observed, complete or not.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
-
---
-
-*`threat.indicator.url.original.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.indicator.url.password`*::
-+
---
-Password of the request.
-
-type: keyword
-
---
-
-*`threat.indicator.url.path`*::
-+
---
-Path of the request, such as "/search".
-
-type: wildcard
-
---
-
-*`threat.indicator.url.port`*::
-+
---
-Port of the request, such as 443.
-
-type: long
-
-example: 443
-
-format: string
-
---
-
-*`threat.indicator.url.query`*::
-+
---
-The query field describes the query string of the request, such as "q=elasticsearch".
-The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
-
-type: keyword
-
---
-
-*`threat.indicator.url.registered_domain`*::
-+
---
-The highest registered url domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`threat.indicator.url.scheme`*::
-+
---
-Scheme of the request, such as "https".
-Note: The `:` is not part of the scheme.
-
-type: keyword
-
-example: https
-
---
-
-*`threat.indicator.url.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`threat.indicator.url.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`threat.indicator.url.username`*::
-+
---
-Username of the request.
-
-type: keyword
-
---
-
-*`threat.indicator.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`threat.indicator.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`threat.indicator.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`threat.indicator.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`threat.indicator.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`threat.indicator.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`threat.indicator.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`threat.indicator.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.indicator.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`threat.indicator.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`threat.indicator.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`threat.indicator.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`threat.indicator.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`threat.indicator.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`threat.indicator.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`threat.indicator.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`threat.indicator.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`threat.indicator.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`threat.indicator.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`threat.indicator.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`threat.indicator.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`threat.indicator.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`threat.indicator.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.indicator.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`threat.software.alias`*::
-+
---
-The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community.
-While not required, you can use a MITRE ATT&CK® associated software description.
-
-type: keyword
-
-example: [ "X-Agent" ]
-
---
-
-*`threat.software.id`*::
-+
---
-The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
-While not required, you can use a MITRE ATT&CK® software id.
-
-type: keyword
-
-example: S0552
-
---
-
-*`threat.software.name`*::
-+
---
-The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
-While not required, you can use a MITRE ATT&CK® software name.
-
-type: keyword
-
-example: AdFind
-
---
-
-*`threat.software.platforms`*::
-+
---
-The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
-Recommended Values:
-  * AWS
-  * Azure
-  * Azure AD
-  * GCP
-  * Linux
-  * macOS
-  * Network
-  * Office 365
-  * SaaS
-  * Windows
-
-While not required, you can use a MITRE ATT&CK® software platforms.
-
-type: keyword
-
-example: [ "Windows" ]
-
---
-
-*`threat.software.reference`*::
-+
---
-The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
-While not required, you can use a MITRE ATT&CK® software reference URL.
-
-type: keyword
-
-example: https://attack.mitre.org/software/S0552/
-
---
-
-*`threat.software.type`*::
-+
---
-The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
-Recommended values
-  * Malware
-  * Tool
-
- While not required, you can use a MITRE ATT&CK® software type.
-
-type: keyword
-
-example: Tool
-
---
-
-*`threat.tactic.id`*::
-+
---
-The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
-
-type: keyword
-
-example: TA0002
-
---
-
-*`threat.tactic.name`*::
-+
---
-Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)
-
-type: keyword
-
-example: Execution
-
---
-
-*`threat.tactic.reference`*::
-+
---
-The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
-
-type: keyword
-
-example: https://attack.mitre.org/tactics/TA0002/
-
---
-
-*`threat.technique.id`*::
-+
---
-The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
-
-type: keyword
-
-example: T1059
-
---
-
-*`threat.technique.name`*::
-+
---
-The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
-
-type: keyword
-
-example: Command and Scripting Interpreter
-
---
-
-*`threat.technique.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.technique.reference`*::
-+
---
-The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
-
-type: keyword
-
-example: https://attack.mitre.org/techniques/T1059/
-
---
-
-*`threat.technique.subtechnique.id`*::
-+
---
-The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
-
-type: keyword
-
-example: T1059.001
-
---
-
-*`threat.technique.subtechnique.name`*::
-+
---
-The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
-
-type: keyword
-
-example: PowerShell
-
---
-
-*`threat.technique.subtechnique.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.technique.subtechnique.reference`*::
-+
---
-The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
-
-type: keyword
-
-example: https://attack.mitre.org/techniques/T1059/001/
-
---
-
-[float]
-=== tls
-
-Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.
-
-
-*`tls.cipher`*::
-+
---
-String indicating the cipher used during the current connection.
-
-type: keyword
-
-example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-
---
-
-*`tls.client.certificate`*::
-+
---
-PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
-
-type: keyword
-
-example: MII...
-
---
-
-*`tls.client.certificate_chain`*::
-+
---
-Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
-
-type: keyword
-
-example: ["MII...", "MII..."]
-
---
-
-*`tls.client.hash.md5`*::
-+
---
-Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
-
---
-
-*`tls.client.hash.sha1`*::
-+
---
-Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 9E393D93138888D288266C2D915214D1D1CCEB2A
-
---
-
-*`tls.client.hash.sha256`*::
-+
---
-Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
-
---
-
-*`tls.client.issuer`*::
-+
---
-Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
-
-type: keyword
-
-example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
-
---
-
-*`tls.client.ja3`*::
-+
---
-A hash that identifies clients based on how they perform an SSL/TLS handshake.
-
-type: keyword
-
-example: d4e5b18d6b55c71272893221c96ba240
-
---
-
-*`tls.client.not_after`*::
-+
---
-Date/Time indicating when client certificate is no longer considered valid.
-
-type: date
-
-example: 2021-01-01T00:00:00.000Z
-
---
-
-*`tls.client.not_before`*::
-+
---
-Date/Time indicating when client certificate is first considered valid.
-
-type: date
-
-example: 1970-01-01T00:00:00.000Z
-
---
-
-*`tls.client.server_name`*::
-+
---
-Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.
-
-type: keyword
-
-example: www.elastic.co
-
---
-
-*`tls.client.subject`*::
-+
---
-Distinguished name of subject of the x.509 certificate presented by the client.
-
-type: keyword
-
-example: CN=myclient, OU=Documentation Team, DC=example, DC=com
-
---
-
-*`tls.client.supported_ciphers`*::
-+
---
-Array of ciphers offered by the client during the client hello.
-
-type: keyword
-
-example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]
-
---
-
-*`tls.client.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`tls.client.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`tls.client.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`tls.client.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`tls.client.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`tls.client.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`tls.client.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`tls.client.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`tls.client.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`tls.client.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`tls.client.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`tls.client.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`tls.client.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`tls.client.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`tls.client.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`tls.client.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`tls.client.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`tls.client.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`tls.client.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`tls.client.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`tls.client.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`tls.client.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`tls.client.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`tls.client.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`tls.curve`*::
-+
---
-String indicating the curve used for the given cipher, when applicable.
-
-type: keyword
-
-example: secp256r1
-
---
-
-*`tls.established`*::
-+
---
-Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
-
-type: boolean
-
---
-
-*`tls.next_protocol`*::
-+
---
-String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case.
-
-type: keyword
-
-example: http/1.1
-
---
-
-*`tls.resumed`*::
-+
---
-Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
-
-type: boolean
-
---
-
-*`tls.server.certificate`*::
-+
---
-PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.
-
-type: keyword
-
-example: MII...
-
---
-
-*`tls.server.certificate_chain`*::
-+
---
-Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
-
-type: keyword
-
-example: ["MII...", "MII..."]
-
---
-
-*`tls.server.hash.md5`*::
-+
---
-Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
-
---
-
-*`tls.server.hash.sha1`*::
-+
---
-Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 9E393D93138888D288266C2D915214D1D1CCEB2A
-
---
-
-*`tls.server.hash.sha256`*::
-+
---
-Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
-
---
-
-*`tls.server.issuer`*::
-+
---
-Subject of the issuer of the x.509 certificate presented by the server.
-
-type: keyword
-
-example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
-
---
-
-*`tls.server.ja3s`*::
-+
---
-A hash that identifies servers based on how they perform an SSL/TLS handshake.
-
-type: keyword
-
-example: 394441ab65754e2207b1e1b457b3641d
-
---
-
-*`tls.server.not_after`*::
-+
---
-Timestamp indicating when server certificate is no longer considered valid.
-
-type: date
-
-example: 2021-01-01T00:00:00.000Z
-
---
-
-*`tls.server.not_before`*::
-+
---
-Timestamp indicating when server certificate is first considered valid.
-
-type: date
-
-example: 1970-01-01T00:00:00.000Z
-
---
-
-*`tls.server.subject`*::
-+
---
-Subject of the x.509 certificate presented by the server.
-
-type: keyword
-
-example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
-
---
-
-*`tls.server.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`tls.server.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`tls.server.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`tls.server.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`tls.server.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`tls.server.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`tls.server.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`tls.server.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`tls.server.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`tls.server.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`tls.server.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`tls.server.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`tls.server.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`tls.server.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`tls.server.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`tls.server.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`tls.server.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`tls.server.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`tls.server.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`tls.server.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`tls.server.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`tls.server.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`tls.server.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`tls.server.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`tls.version`*::
-+
---
-Numeric part of the version parsed from the original string.
-
-type: keyword
-
-example: 1.2
-
---
-
-*`tls.version_protocol`*::
-+
---
-Normalized lowercase protocol name parsed from original string.
-
-type: keyword
-
-example: tls
-
---
-
-*`span.id`*::
-+
---
-Unique identifier of the span within the scope of its trace.
-A span represents an operation within a transaction, such as a request to another service, or a database query.
-
-type: keyword
-
-example: 3ff9a8981b7ccd5a
-
---
-
-*`trace.id`*::
-+
---
-Unique identifier of the trace.
-A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
-
-type: keyword
-
-example: 4bf92f3577b34da6a3ce929d0e0e4736
-
---
-
-*`transaction.id`*::
-+
---
-Unique identifier of the transaction within the scope of its trace.
-A transaction is the highest level of work measured within a service, such as a request to a server.
-
-type: keyword
-
-example: 00f067aa0ba902b7
-
---
-
-[float]
-=== url
-
-URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.
-
-
-*`url.domain`*::
-+
---
-Domain of the url, such as "www.elastic.co".
-In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
-If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
-
-type: keyword
-
-example: www.elastic.co
-
---
-
-*`url.extension`*::
-+
---
-The field contains the file extension from the original request url, excluding the leading dot.
-The file extension is only set if it exists, as not every url has a file extension.
-The leading period must not be included. For example, the value must be "png", not ".png".
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`url.fragment`*::
-+
---
-Portion of the url after the `#`, such as "top".
-The `#` is not part of the fragment.
-
-type: keyword
-
---
-
-*`url.full`*::
-+
---
-If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top
-
---
-
-*`url.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`url.original`*::
-+
---
-Unmodified original url as seen in the event source.
-Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
-This field is meant to represent the URL as it was observed, complete or not.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
-
---
-
-*`url.original.text`*::
-+
---
-type: match_only_text
-
---
-
-*`url.password`*::
-+
---
-Password of the request.
-
-type: keyword
-
---
-
-*`url.path`*::
-+
---
-Path of the request, such as "/search".
-
-type: wildcard
-
---
-
-*`url.port`*::
-+
---
-Port of the request, such as 443.
-
-type: long
-
-example: 443
-
-format: string
-
---
-
-*`url.query`*::
-+
---
-The query field describes the query string of the request, such as "q=elasticsearch".
-The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
-
-type: keyword
-
---
-
-*`url.registered_domain`*::
-+
---
-The highest registered url domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`url.scheme`*::
-+
---
-Scheme of the request, such as "https".
-Note: The `:` is not part of the scheme.
-
-type: keyword
-
-example: https
-
---
-
-*`url.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`url.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`url.username`*::
-+
---
-Username of the request.
-
-type: keyword
-
---
-
-[float]
-=== user
-
-The user fields describe information about the user that is relevant to the event.
-Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
-
-
-*`user.changes.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.changes.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`user.changes.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`user.changes.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.changes.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.changes.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`user.changes.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`user.changes.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`user.changes.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`user.changes.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`user.changes.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.changes.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-*`user.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.effective.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.effective.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`user.effective.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`user.effective.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.effective.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.effective.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`user.effective.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`user.effective.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`user.effective.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`user.effective.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`user.effective.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.effective.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-*`user.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`user.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`user.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`user.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`user.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`user.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`user.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`user.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-*`user.target.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.target.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`user.target.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`user.target.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.target.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.target.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`user.target.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`user.target.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`user.target.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`user.target.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`user.target.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.target.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-[float]
-=== user_agent
-
-The user_agent fields normally come from a browser request.
-They often show up in web service logs coming from the parsed user agent string.
-
-
-*`user_agent.device.name`*::
-+
---
-Name of the device.
-
-type: keyword
-
-example: iPhone
-
---
-
-*`user_agent.name`*::
-+
---
-Name of the user agent.
-
-type: keyword
-
-example: Safari
-
---
-
-*`user_agent.original`*::
-+
---
-Unparsed user_agent string.
-
-type: keyword
-
-example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
-
---
-
-*`user_agent.original.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user_agent.os.family`*::
-+
---
-OS family (such as redhat, debian, freebsd, windows).
-
-type: keyword
-
-example: debian
-
---
-
-*`user_agent.os.full`*::
-+
---
-Operating system name, including the version or code name.
-
-type: keyword
-
-example: Mac OS Mojave
-
---
-
-*`user_agent.os.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user_agent.os.kernel`*::
-+
---
-Operating system kernel version as a raw string.
-
-type: keyword
-
-example: 4.4.0-112-generic
-
---
-
-*`user_agent.os.name`*::
-+
---
-Operating system name, without the version.
-
-type: keyword
-
-example: Mac OS X
-
---
-
-*`user_agent.os.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user_agent.os.platform`*::
-+
---
-Operating system platform (such centos, ubuntu, windows).
-
-type: keyword
-
-example: darwin
-
---
-
-*`user_agent.os.type`*::
-+
---
-Use the `os.type` field to categorize the operating system into one of the broad commercial families.
-One of these following values should be used (lowercase): linux, macos, unix, windows.
-If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
-
-type: keyword
-
-example: macos
-
---
-
-*`user_agent.os.version`*::
-+
---
-Operating system version as a raw string.
-
-type: keyword
-
-example: 10.14.1
-
---
-
-*`user_agent.version`*::
-+
---
-Version of the user agent.
-
-type: keyword
-
-example: 12.0
-
---
-
-[float]
-=== vlan
-
-The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection.
-Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.
-Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor  (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging.
-Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.
-
-
-*`vlan.id`*::
-+
---
-VLAN ID as reported by the observer.
-
-type: keyword
-
-example: 10
-
---
-
-*`vlan.name`*::
-+
---
-Optional VLAN name as reported by the observer.
-
-type: keyword
-
-example: outside
-
---
-
-[float]
-=== vulnerability
-
-The vulnerability fields describe information about a vulnerability that is relevant to an event.
-
-
-*`vulnerability.category`*::
-+
---
-The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories])
-This field must be an array.
-
-type: keyword
-
-example: ["Firewall"]
-
---
-
-*`vulnerability.classification`*::
-+
---
-The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/)
-
-type: keyword
-
-example: CVSS
-
---
-
-*`vulnerability.description`*::
-+
---
-The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description])
-
-type: keyword
-
-example: In macOS before 2.12.6, there is a vulnerability in the RPC...
-
---
-
-*`vulnerability.description.text`*::
-+
---
-type: match_only_text
-
---
-
-*`vulnerability.enumeration`*::
-+
---
-The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/)
-
-type: keyword
-
-example: CVE
-
---
-
-*`vulnerability.id`*::
-+
---
-The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID]
-
-type: keyword
-
-example: CVE-2019-00001
-
---
-
-*`vulnerability.reference`*::
-+
---
-A resource that provides additional information, context, and mitigations for the identified vulnerability.
-
-type: keyword
-
-example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
-
---
-
-*`vulnerability.report_id`*::
-+
---
-The report or scan identification number.
-
-type: keyword
-
-example: 20191018.0001
-
---
-
-*`vulnerability.scanner.vendor`*::
-+
---
-The name of the vulnerability scanner vendor.
-
-type: keyword
-
-example: Tenable
-
---
-
-*`vulnerability.score.base`*::
-+
---
-Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
-Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)
-
-type: float
-
-example: 5.5
-
---
-
-*`vulnerability.score.environmental`*::
-+
---
-Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
-Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)
-
-type: float
-
-example: 5.5
-
---
-
-*`vulnerability.score.temporal`*::
-+
---
-Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
-Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document)
-
-type: float
-
---
-
-*`vulnerability.score.version`*::
-+
---
-The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.
-CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)
-
-type: keyword
-
-example: 2.0
-
---
-
-*`vulnerability.severity`*::
-+
---
-The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
-
-type: keyword
-
-example: Critical
-
---
-
-[float]
-=== x509
-
-This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.
-When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`).
-Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.
-
-
-*`x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-[[exported-fields-file_integrity]]
-== File Integrity fields
-
-These are the fields generated by the file_integrity module.
-
-
-[float]
-=== file
-
-File attributes.
-
-
-[float]
-=== elf
-
-These fields contain Linux Executable Linkable Format (ELF) metadata.
-
-
-*`file.elf.go_imports`*::
-+
---
-List of imported Go language element names and types.
-
-type: flattened
-
---
-
-*`file.elf.go_imports_names_entropy`*::
-+
---
-Shannon entropy calculation from the list of Go imports.
-
-type: long
-
-format: number
-
---
-
-*`file.elf.go_imports_names_var_entropy`*::
-+
---
-Variance for Shannon entropy calculation from the list of Go imports.
-
-type: long
-
-format: number
-
---
-
-*`file.elf.go_import_hash`*::
-+
---
-A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
-
-type: keyword
-
-example: 10bddcb4cee42080f76c88d9ff964491
-
---
-
-*`file.elf.go_stripped`*::
-+
---
-Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
-
-type: boolean
-
---
-
-*`file.elf.imports_names_entropy`*::
-+
---
-Shannon entropy calculation from the list of imported element names and types.
-
-type: long
-
-format: number
-
---
-
-*`file.elf.imports_names_var_entropy`*::
-+
---
-Variance for Shannon entropy calculation from the list of imported element names and types.
-
-type: long
-
-format: number
-
---
-
-*`file.elf.import_hash`*::
-+
---
-A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-This is an ELF implementation of the Windows PE imphash.
-
-type: keyword
-
-example: d41d8cd98f00b204e9800998ecf8427e
-
---
-
-*`file.elf.sections.var_entropy`*::
-+
---
-Variance for Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-[float]
-=== macho
-
-These fields contain Mach object file Format (Mach-O) metadata.
-
-
-*`file.macho.go_imports`*::
-+
---
-List of imported Go language element names and types.
-
-type: flattened
-
---
-
-*`file.macho.go_imports_names_entropy`*::
-+
---
-Shannon entropy calculation from the list of Go imports.
-
-type: long
-
-format: number
-
---
-
-*`file.macho.go_imports_names_var_entropy`*::
-+
---
-Variance for Shannon entropy calculation from the list of Go imports.
-
-type: long
-
-format: number
-
---
-
-*`file.macho.go_import_hash`*::
-+
---
-A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
-
-type: keyword
-
-example: 10bddcb4cee42080f76c88d9ff964491
-
---
-
-*`file.macho.go_stripped`*::
-+
---
-Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
-
-type: boolean
-
---
-
-*`file.macho.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`file.macho.imports_names_entropy`*::
-+
---
-Shannon entropy calculation from the list of imported element names and types.
-
-type: long
-
-format: number
-
---
-
-*`file.macho.imports_names_var_entropy`*::
-+
---
-Variance for Shannon entropy calculation from the list of imported element names and types.
-
-type: long
-
-format: number
-
---
-
-*`file.macho.import_hash`*::
-+
---
-A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-This is a synonym for symhash.
-
-type: keyword
-
-example: d3ccf195b62a9279c3c19af1080497ec
-
---
-
-*`file.macho.sections`*::
-+
---
-An array containing an object for each section of the Mach-O file.
-The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.
-
-type: nested
-
---
-
-*`file.macho.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`file.macho.sections.var_entropy`*::
-+
---
-Variance for Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`file.macho.sections.name`*::
-+
---
-Mach-O Section List name.
-
-type: keyword
-
---
-
-*`file.macho.sections.physical_size`*::
-+
---
-Mach-O Section List physical size.
-
-type: long
-
-format: string
-
---
-
-*`file.macho.sections.virtual_size`*::
-+
---
-Mach-O Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`file.macho.symhash`*::
-+
---
-A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-
-type: keyword
-
-example: d3ccf195b62a9279c3c19af1080497ec
-
---
-
-[float]
-=== pe
-
-These fields contain Windows Portable Executable (PE) metadata.
-
-
-*`file.pe.go_imports`*::
-+
---
-List of imported Go language element names and types.
-
-type: flattened
-
---
-
-*`file.pe.go_imports_names_entropy`*::
-+
---
-Shannon entropy calculation from the list of Go imports.
-
-type: long
-
-format: number
-
---
-
-*`file.pe.go_imports_names_var_entropy`*::
-+
---
-Variance for Shannon entropy calculation from the list of Go imports.
-
-type: long
-
-format: number
-
---
-
-*`file.pe.go_import_hash`*::
-+
---
-A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
-
-type: keyword
-
-example: 10bddcb4cee42080f76c88d9ff964491
-
---
-
-*`file.pe.go_stripped`*::
-+
---
-Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
-
-type: boolean
-
---
-
-*`file.pe.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`file.pe.imports_names_entropy`*::
-+
---
-Shannon entropy calculation from the list of imported element names and types.
-
-type: long
-
-format: number
-
---
-
-*`file.pe.imports_names_var_entropy`*::
-+
---
-Variance for Shannon entropy calculation from the list of imported element names and types.
-
-type: long
-
-format: number
-
---
-
-*`file.pe.import_hash`*::
-+
---
-A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-This is a synonym for imphash.
-
-type: keyword
-
---
-
-*`file.pe.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.
-
-type: nested
-
---
-
-*`file.pe.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`file.pe.sections.var_entropy`*::
-+
---
-Variance for Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`file.pe.sections.name`*::
-+
---
-PE Section List name.
-
-type: keyword
-
---
-
-*`file.pe.sections.physical_size`*::
-+
---
-PE Section List physical size.
-
-type: long
-
-format: string
-
---
-
-*`file.pe.sections.virtual_size`*::
-+
---
-PE Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-[float]
-=== hash
-
-Hashes of the file. The keys are algorithm names and the values are the hex encoded digest values.
-
-
-
-*`hash.blake2b_256`*::
-+
---
-BLAKE2b-256 hash of the file.
-
-type: keyword
-
---
-
-*`hash.blake2b_384`*::
-+
---
-BLAKE2b-384 hash of the file.
-
-type: keyword
-
---
-
-*`hash.blake2b_512`*::
-+
---
-BLAKE2b-512 hash of the file.
-
-type: keyword
-
---
-
-*`hash.md5`*::
-+
---
-MD5 hash of the file.
-
-type: keyword
-
---
-
-*`hash.sha1`*::
-+
---
-SHA1 hash of the file.
-
-type: keyword
-
---
-
-*`hash.sha224`*::
-+
---
-SHA224 hash of the file.
-
-type: keyword
-
---
-
-*`hash.sha256`*::
-+
---
-SHA256 hash of the file.
-
-type: keyword
-
---
-
-*`hash.sha384`*::
-+
---
-SHA384 hash of the file.
-
-type: keyword
-
---
-
-*`hash.sha3_224`*::
-+
---
-SHA3_224 hash of the file.
-
-type: keyword
-
---
-
-*`hash.sha3_256`*::
-+
---
-SHA3_256 hash of the file.
-
-type: keyword
-
---
-
-*`hash.sha3_384`*::
-+
---
-SHA3_384 hash of the file.
-
-type: keyword
-
---
-
-*`hash.sha3_512`*::
-+
---
-SHA3_512 hash of the file.
-
-type: keyword
-
---
-
-*`hash.sha512`*::
-+
---
-SHA512 hash of the file.
-
-type: keyword
-
---
-
-*`hash.sha512_224`*::
-+
---
-SHA512/224 hash of the file.
-
-type: keyword
-
---
-
-*`hash.sha512_256`*::
-+
---
-SHA512/256 hash of the file.
-
-type: keyword
-
---
-
-*`hash.xxh64`*::
-+
---
-XX64 hash of the file.
-
-type: keyword
-
---
-
-[[exported-fields-host-processor]]
-== Host fields
-
-Info collected for the host machine.
-
-
-
-
-*`host.containerized`*::
-+
---
-If the host is a container.
-
-
-type: boolean
-
---
-
-*`host.os.build`*::
-+
---
-OS build information.
-
-
-type: keyword
-
-example: 18D109
-
---
-
-*`host.os.codename`*::
-+
---
-OS codename, if any.
-
-
-type: keyword
-
-example: stretch
-
---
-
-[[exported-fields-jolokia-autodiscover]]
-== Jolokia Discovery autodiscover provider fields
-
-Metadata from Jolokia Discovery added by the jolokia provider.
-
-
-
-*`jolokia.agent.version`*::
-+
---
-Version number of jolokia agent.
-
-
-type: keyword
-
---
-
-*`jolokia.agent.id`*::
-+
---
-Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.
-
-
-type: keyword
-
---
-
-*`jolokia.server.product`*::
-+
---
-The container product if detected.
-
-
-type: keyword
-
---
-
-*`jolokia.server.version`*::
-+
---
-The container's version (if detected).
-
-
-type: keyword
-
---
-
-*`jolokia.server.vendor`*::
-+
---
-The vendor of the container the agent is running in.
-
-
-type: keyword
-
---
-
-*`jolokia.url`*::
-+
---
-The URL how this agent can be contacted.
-
-
-type: keyword
-
---
-
-*`jolokia.secured`*::
-+
---
-Whether the agent was configured for authentication or not.
-
-
-type: boolean
-
---
-
-[[exported-fields-kubernetes-processor]]
-== Kubernetes fields
-
-Kubernetes metadata added by the kubernetes processor
-
-
-
-
-*`kubernetes.pod.name`*::
-+
---
-Kubernetes pod name
-
-
-type: keyword
-
---
-
-*`kubernetes.pod.uid`*::
-+
---
-Kubernetes Pod UID
-
-
-type: keyword
-
---
-
-*`kubernetes.pod.ip`*::
-+
---
-Kubernetes Pod IP
-
-
-type: ip
-
---
-
-*`kubernetes.namespace`*::
-+
---
-Kubernetes namespace
-
-
-type: keyword
-
---
-
-*`kubernetes.node.name`*::
-+
---
-Kubernetes node name
-
-
-type: keyword
-
---
-
-*`kubernetes.node.hostname`*::
-+
---
-Kubernetes hostname as reported by the node’s kernel
-
-
-type: keyword
-
---
-
-*`kubernetes.labels.*`*::
-+
---
-Kubernetes labels map
-
-
-type: object
-
---
-
-*`kubernetes.annotations.*`*::
-+
---
-Kubernetes annotations map
-
-
-type: object
-
---
-
-*`kubernetes.selectors.*`*::
-+
---
-Kubernetes selectors map
-
-
-type: object
-
---
-
-*`kubernetes.replicaset.name`*::
-+
---
-Kubernetes replicaset name
-
-
-type: keyword
-
---
-
-*`kubernetes.deployment.name`*::
-+
---
-Kubernetes deployment name
-
-
-type: keyword
-
---
-
-*`kubernetes.statefulset.name`*::
-+
---
-Kubernetes statefulset name
-
-
-type: keyword
-
---
-
-*`kubernetes.container.name`*::
-+
---
-Kubernetes container name (different than the name from the runtime)
-
-
-type: keyword
-
---
-
-[[exported-fields-process]]
-== Process fields
-
-Process metadata fields
-
-
-
-
-*`process.exe`*::
-+
---
-type: alias
-
-alias to: process.executable
-
---
-
-[float]
-=== owner
-
-Process owner information.
-
-
-*`process.owner.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
---
-
-*`process.owner.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: albert
-
---
-
-*`process.owner.name.text`*::
-+
---
-type: text
-
---
-
-[[exported-fields-system]]
-== System fields
-
-These are the fields generated by the system module.
-
-
-
-
-*`event.origin`*::
-+
---
-Origin of the event. This can be a file path (e.g. `/var/log/log.1`), or the name of the system component that supplied the data (e.g. `netlink`).
-
-
-type: keyword
-
---
-
-
-*`user.entity_id`*::
-+
---
-ID uniquely identifying the user on a host. It is computed as a SHA-256 hash of the host ID, user ID, and user name.
-
-
-type: keyword
-
---
-
-*`user.terminal`*::
-+
---
-Terminal of the user.
-
-
-type: keyword
-
---
-
-
-*`process.thread.capabilities.effective`*::
-+
---
-This is the set of capabilities used by the kernel to perform permission checks for the thread.
-
-type: keyword
-
-example: ["CAP_BPF", "CAP_SYS_ADMIN"]
-
---
-
-*`process.thread.capabilities.permitted`*::
-+
---
-This is a limiting superset for the effective capabilities that the thread may assume.
-
-type: keyword
-
-example: ["CAP_BPF", "CAP_SYS_ADMIN"]
-
---
-
-[float]
-=== hash
-
-Hashes of the executable. The keys are algorithm names and the values are the hex encoded digest values.
-
-
-
-*`process.hash.blake2b_256`*::
-+
---
-BLAKE2b-256 hash of the executable.
-
-type: keyword
-
---
-
-*`process.hash.blake2b_384`*::
-+
---
-BLAKE2b-384 hash of the executable.
-
-type: keyword
-
---
-
-*`process.hash.blake2b_512`*::
-+
---
-BLAKE2b-512 hash of the executable.
-
-type: keyword
-
---
-
-*`process.hash.sha224`*::
-+
---
-SHA224 hash of the executable.
-
-type: keyword
-
---
-
-*`process.hash.sha384`*::
-+
---
-SHA384 hash of the executable.
-
-type: keyword
-
---
-
-*`process.hash.sha3_224`*::
-+
---
-SHA3_224 hash of the executable.
-
-type: keyword
-
---
-
-*`process.hash.sha3_256`*::
-+
---
-SHA3_256 hash of the executable.
-
-type: keyword
-
---
-
-*`process.hash.sha3_384`*::
-+
---
-SHA3_384 hash of the executable.
-
-type: keyword
-
---
-
-*`process.hash.sha3_512`*::
-+
---
-SHA3_512 hash of the executable.
-
-type: keyword
-
---
-
-*`process.hash.sha512_224`*::
-+
---
-SHA512/224 hash of the executable.
-
-type: keyword
-
---
-
-*`process.hash.sha512_256`*::
-+
---
-SHA512/256 hash of the executable.
-
-type: keyword
-
---
-
-*`process.hash.xxh64`*::
-+
---
-XX64 hash of the executable.
-
-type: keyword
-
---
-
-[float]
-=== system.audit
-
-
-
-
-[float]
-=== host
-
-`host` contains general host information.
-
-
-
-*`system.audit.host.uptime`*::
-+
---
-Uptime in nanoseconds.
-
-
-type: long
-
-format: duration
-
---
-
-*`system.audit.host.boottime`*::
-+
---
-Boot time.
-
-
-type: date
-
---
-
-*`system.audit.host.containerized`*::
-+
---
-Set if host is a container.
-
-
-type: boolean
-
---
-
-*`system.audit.host.timezone.name`*::
-+
---
-Name of the timezone of the host, e.g. BST.
-
-
-type: keyword
-
---
-
-*`system.audit.host.timezone.offset.sec`*::
-+
---
-Timezone offset in seconds.
-
-
-type: long
-
---
-
-*`system.audit.host.hostname`*::
-+
---
-Hostname.
-
-
-type: keyword
-
---
-
-*`system.audit.host.id`*::
-+
---
-Host ID.
-
-
-type: keyword
-
---
-
-*`system.audit.host.architecture`*::
-+
---
-Host architecture (e.g. x86_64).
-
-
-type: keyword
-
---
-
-*`system.audit.host.mac`*::
-+
---
-MAC addresses.
-
-
-type: keyword
-
---
-
-*`system.audit.host.ip`*::
-+
---
-IP addresses.
-
-
-type: ip
-
---
-
-[float]
-=== os
-
-`os` contains information about the operating system.
-
-
-
-*`system.audit.host.os.codename`*::
-+
---
-OS codename, if any (e.g. stretch).
-
-
-type: keyword
-
---
-
-*`system.audit.host.os.platform`*::
-+
---
-OS platform (e.g. centos, ubuntu, windows).
-
-
-type: keyword
-
---
-
-*`system.audit.host.os.name`*::
-+
---
-OS name (e.g. Mac OS X).
-
-
-type: keyword
-
---
-
-*`system.audit.host.os.family`*::
-+
---
-OS family (e.g. redhat, debian, freebsd, windows).
-
-
-type: keyword
-
---
-
-*`system.audit.host.os.version`*::
-+
---
-OS version.
-
-
-type: keyword
-
---
-
-*`system.audit.host.os.kernel`*::
-+
---
-The operating system's kernel version.
-
-
-type: keyword
-
---
-
-*`system.audit.host.os.type`*::
-+
---
-OS type (see ECS os.type).
-
-
-type: keyword
-
---
-
-[float]
-=== package
-
-`package` contains information about an installed or removed package.
-
-
-
-*`system.audit.package.entity_id`*::
-+
---
-ID uniquely identifying the package. It is computed as a SHA-256 hash of the
-  host ID, package name, and package version.
-
-
-type: keyword
-
---
-
-*`system.audit.package.name`*::
-+
---
-Package name.
-
-
-type: keyword
-
---
-
-*`system.audit.package.version`*::
-+
---
-Package version.
-
-
-type: keyword
-
---
-
-*`system.audit.package.release`*::
-+
---
-Package release.
-
-
-type: keyword
-
---
-
-*`system.audit.package.arch`*::
-+
---
-Package architecture.
-
-
-type: keyword
-
---
-
-*`system.audit.package.license`*::
-+
---
-Package license.
-
-
-type: keyword
-
---
-
-*`system.audit.package.installtime`*::
-+
---
-Package install time.
-
-
-type: date
-
---
-
-*`system.audit.package.size`*::
-+
---
-Package size.
-
-
-type: long
-
---
-
-*`system.audit.package.summary`*::
-+
---
-Package summary.
-
-
---
-
-*`system.audit.package.url`*::
-+
---
-Package URL.
-
-
-type: keyword
-
---
-
-[float]
-=== user
-
-`user` contains information about the users on a system.
-
-
-
-*`system.audit.user.name`*::
-+
---
-User name.
-
-
-type: keyword
-
---
-
-*`system.audit.user.uid`*::
-+
---
-User ID.
-
-
-type: keyword
-
---
-
-*`system.audit.user.gid`*::
-+
---
-Group ID.
-
-
-type: keyword
-
---
-
-*`system.audit.user.dir`*::
-+
---
-User's home directory.
-
-
-type: keyword
-
---
-
-*`system.audit.user.shell`*::
-+
---
-Program to run at login.
-
-
-type: keyword
-
---
-
-*`system.audit.user.user_information`*::
-+
---
-General user information. On Linux, this is the gecos field.
-
-
-type: keyword
-
---
-
-*`system.audit.user.group`*::
-+
---
-`group` contains information about any groups the user is part of (beyond the user's primary group).
-
-
-type: object
-
---
-
-[float]
-=== password
-
-`password` contains information about a user's password (not the password itself).
-
-
-
-*`system.audit.user.password.type`*::
-+
---
-A user's password type. Possible values are `shadow_password` (the password hash is in the shadow file), `password_disabled`, `no_password` (this is dangerous as anyone can log in), and `crypt_password` (when the password field in /etc/passwd seems to contain an encrypted password).
-
-
-type: keyword
-
---
-
-*`system.audit.user.password.last_changed`*::
-+
---
-The day the user's password was last changed.
-
-
-type: date
-
---
-
-:edit_url!:
\ No newline at end of file
diff --git a/auditbeat/docs/getting-started.asciidoc b/auditbeat/docs/getting-started.asciidoc
deleted file mode 100644
index 0e7cb1d38da8..000000000000
--- a/auditbeat/docs/getting-started.asciidoc
+++ /dev/null
@@ -1,151 +0,0 @@
-[id="{beatname_lc}-installation-configuration"]
-== {beatname_uc} quick start: installation and configuration
-
-++++
-<titleabbrev>Quick start: installation and configuration</titleabbrev>
-++++
-
-This guide describes how to get started quickly with audit data collection.
-You'll learn how to:
-
-* install {beatname_uc} on each system you want to monitor
-* specify the location of your audit data
-* parse log data into fields and send it to {es}
-* visualize the log data in {kib}
-
-[role="screenshot"]
-image::./images/auditbeat-auditd-dashboard.png[{beatname_uc} Auditd dashboard]
-
-[float]
-=== Before you begin
-
-You need {es} for storing and searching your data, and {kib} for visualizing and
-managing it.
-
-include::{libbeat-dir}/tab-widgets/spinup-stack-widget.asciidoc[]
-
-[float]
-[[install]]
-=== Step 1: Install {beatname_uc}
-
-Install {beatname_uc} on all the servers you want to monitor.
-
-To download and install {beatname_uc}, use the commands that work with your
-system:
-
-include::{libbeat-dir}/tab-widgets/install-widget.asciidoc[]
-
-The commands shown are for AMD platforms, but ARM packages are also available.
-Refer to the https://www.elastic.co/downloads/beats/{beatname_lc}[download page]
-for the full list of available packages.
-
-[float]
-[[other-installation-options]]
-==== Other installation options
-
-* <<setup-repositories,APT or YUM>>
-* https://www.elastic.co/downloads/beats/{beatname_lc}[Download page]
-* <<running-on-docker,Docker>>
-* <<running-on-kubernetes,Kubernetes>>
-
-[float]
-[[set-connection]]
-=== Step 2: Connect to the {stack}
-
-include::{libbeat-dir}/shared/connecting-to-es.asciidoc[]
-
-[float]
-[[enable-modules]]
-=== Step 3: Configure data collection modules
-
-{beatname_uc} uses <<auditbeat-modules,modules>> to collect audit information.
-
-By default, {beatname_uc} uses a configuration that's tailored to the operating
-system where {beatname_uc} is running.
-
-To use a different configuration, change the module settings in
-+{beatname_lc}.yml+.
-
-The following example shows the `file_integrity` module configured to generate
-events whenever a file in one of the specified paths changes on disk:
-
-["source","sh",subs="attributes"]
--------------------------------------
-auditbeat.modules:
-
-- module: file_integrity
-  paths:
-  - /bin
-  - /usr/bin
-  - /sbin
-  - /usr/sbin
-  - /etc
--------------------------------------
-
-
-include::{libbeat-dir}/shared/config-check.asciidoc[]
-
-[float]
-[[setup-assets]]
-=== Step 4: Set up assets
-
-{beatname_uc} comes with predefined assets for parsing, indexing, and
-visualizing your data. To load these assets:
-
-. Make sure the user specified in +{beatname_lc}.yml+ is
-<<privileges-to-setup-beats,authorized to set up {beatname_uc}>>.
-
-. From the installation directory, run:
-+
---
-include::{libbeat-dir}/tab-widgets/setup-widget.asciidoc[]
---
-+
-`-e` is optional and sends output to standard error instead of the configured log output.
-
-This step loads the recommended {ref}/index-templates.html[index template] for writing to {es}
-and deploys the sample dashboards for visualizing the data in {kib}.
-
-[TIP]
-=====
-A connection to {es} (or {ess}) is required to set up the initial
-environment. If you're using a different output, such as {ls}, see
-<<load-template-manually>> and <<load-kibana-dashboards>>.
-=====
-
-[float]
-[[start]]
-=== Step 5: Start {beatname_uc}
-
-Before starting {beatname_uc}, modify the user credentials in
-+{beatname_lc}.yml+ and specify a user who is
-<<privileges-to-publish-events,authorized to publish events>>.
-
-To start {beatname_uc}, run:
-
-// tag::start-step[]
-include::{libbeat-dir}/tab-widgets/start-widget.asciidoc[]
-// end::start-step[]
-
-{beatname_uc} should begin streaming events to {es}.
-
-If you see a warning about too many open files, you need to increase the
-`ulimit`. See the <<ulimit,FAQ>> for more details.
-
-[float]
-[[view-data]]
-=== Step 6: View your data in {kib}
-
-To make it easier for you to start auditing the activities of users and
-processes on your system, {beatname_uc} comes with pre-built {kib} dashboards
-and UIs for visualizing your data.
-
-include::{libbeat-dir}/shared/opendashboards.asciidoc[tag=open-dashboards]
-
-[float]
-=== What's next?
-
-Now that you have audit data streaming into {es}, learn how to unify your logs,
-metrics, uptime, and application performance data.
-
-include::{libbeat-dir}/shared/obs-apps.asciidoc[]
diff --git a/auditbeat/docs/howto/howto.asciidoc b/auditbeat/docs/howto/howto.asciidoc
deleted file mode 100644
index 0c0334f29021..000000000000
--- a/auditbeat/docs/howto/howto.asciidoc
+++ /dev/null
@@ -1,39 +0,0 @@
-[[howto-guides]]
-= How to guides
-
-[partintro]
---
-Learn how to perform common {beatname_uc} configuration tasks.
-
-* <<{beatname_lc}-template>>
-* <<change-index-name>>
-* <<load-kibana-dashboards>>
-* <<{beatname_lc}-geoip>>
-* <<using-environ-vars>>
-* <<configuring-ingest-node>>
-* <<using-environ-vars>>
-* <<yaml-tips>>
-
-
---
-
-include::{libbeat-dir}/howto/load-index-templates.asciidoc[]
-
-include::{libbeat-dir}/howto/change-index-name.asciidoc[]
-
-include::{libbeat-dir}/howto/load-dashboards.asciidoc[]
-
-include::{libbeat-dir}/shared-geoip.asciidoc[]
-
-include::{libbeat-dir}/shared-config-ingest.asciidoc[]
-
-:standalone:
-include::{libbeat-dir}/shared-env-vars.asciidoc[]
-:standalone!:
-
-:standalone:
-include::{libbeat-dir}/yaml.asciidoc[]
-:standalone!:
-
-
-
diff --git a/auditbeat/docs/images/auditbeat-kernel-executions-dashboard.png b/auditbeat/docs/images/auditbeat-kernel-executions-dashboard.png
deleted file mode 100644
index 855bbc5eb37e..000000000000
Binary files a/auditbeat/docs/images/auditbeat-kernel-executions-dashboard.png and /dev/null differ
diff --git a/auditbeat/docs/images/auditbeat-kernel-overview-dashboard.png b/auditbeat/docs/images/auditbeat-kernel-overview-dashboard.png
deleted file mode 100644
index 2f08cdcddbef..000000000000
Binary files a/auditbeat/docs/images/auditbeat-kernel-overview-dashboard.png and /dev/null differ
diff --git a/auditbeat/docs/images/auditbeat-kernel-sockets-dashboard.png b/auditbeat/docs/images/auditbeat-kernel-sockets-dashboard.png
deleted file mode 100644
index 156c3f38f526..000000000000
Binary files a/auditbeat/docs/images/auditbeat-kernel-sockets-dashboard.png and /dev/null differ
diff --git a/auditbeat/docs/index.asciidoc b/auditbeat/docs/index.asciidoc
deleted file mode 100644
index bf2db3607ce7..000000000000
--- a/auditbeat/docs/index.asciidoc
+++ /dev/null
@@ -1,58 +0,0 @@
-= Auditbeat Reference
-
-:libbeat-dir: {docdir}/../../libbeat/docs
-
-include::{libbeat-dir}/version.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/versions/stack/{source_branch}.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
-
-:beatname_lc: auditbeat
-:beatname_uc: Auditbeat
-:beatname_pkg: {beatname_lc}
-:github_repo_name: beats
-:discuss_forum: beats/{beatname_lc}
-:beat_default_index_prefix: {beatname_lc}
-:deb_os:
-:rpm_os:
-:mac_os:
-:docker_platform:
-:win_os:
-:linux_os:
-:no_cache_processor:
-:no_decode_cef_processor:
-:no_decode_csv_fields_processor:
-:no_parse_aws_vpc_flow_log_processor:
-:no_script_processor:
-:no_timestamp_processor:
-
-include::{libbeat-dir}/shared-beats-attributes.asciidoc[]
-
-include::./overview.asciidoc[]
-
-include::./getting-started.asciidoc[]
-
-include::./setting-up-running.asciidoc[]
-
-include::./upgrading.asciidoc[]
-
-include::./configuring-howto.asciidoc[]
-
-include::{docdir}/howto/howto.asciidoc[]
-
-include::./modules.asciidoc[]
-
-include::./fields.asciidoc[]
-
-include::{libbeat-dir}/monitoring/monitoring-beats.asciidoc[]
-
-include::{libbeat-dir}/shared-securing-beat.asciidoc[]
-
-include::./troubleshooting.asciidoc[]
-
-include::./faq.asciidoc[]
-
-include::{libbeat-dir}/contributing-to-beats.asciidoc[]
-
-
diff --git a/auditbeat/docs/modules.asciidoc b/auditbeat/docs/modules.asciidoc
deleted file mode 100644
index d94daa75bad1..000000000000
--- a/auditbeat/docs/modules.asciidoc
+++ /dev/null
@@ -1,10 +0,0 @@
-[id="{beatname_lc}-modules"]
-= Modules
-
-[partintro]
---
-This section contains detailed information about the metric collecting modules
-contained in {beatname_uc}. More details about each module can be found under
-the links below.
-
-include::modules_list.asciidoc[]
diff --git a/auditbeat/docs/modules/auditd.asciidoc b/auditbeat/docs/modules/auditd.asciidoc
deleted file mode 100644
index 0361dc56097e..000000000000
--- a/auditbeat/docs/modules/auditd.asciidoc
+++ /dev/null
@@ -1,327 +0,0 @@
-////
-This file is generated! See scripts/docs_collector.py
-////
-
-:modulename: auditd
-
-[id="{beatname_lc}-module-auditd"]
-== Auditd Module
-
-The `auditd` module receives audit events from the Linux Audit Framework that
-is a part of the Linux kernel.
-
-This module is available only for Linux.
-
-[float]
-=== How it works
-
-This module establishes a subscription to the kernel to receive the events
-as they occur. So unlike most other modules, the `period` configuration
-option is unused because it is not implemented using polling.
-
-The Linux Audit Framework can send multiple messages for a single auditable
-event. For example, a `rename` syscall causes the kernel to send eight separate
-messages. Each message describes a different aspect of the activity that is
-occurring (the syscall itself, file paths, current working directory, process
-title). This module will combine all of the data from each of the messages
-into a single event.
-
-Messages for one event can be interleaved with messages from another event. This
-module will buffer the messages in order to combine related messages into a
-single event even if they arrive interleaved or out of order.
-
-[float]
-=== Useful commands
-
-When running {beatname_uc} with the `auditd` module enabled, you might find
-that other monitoring tools interfere with {beatname_uc}.
-
-For example, you might encounter errors if another process, such as `auditd`, is
-registered to receive data from the Linux Audit Framework. You can use these
-commands to see if the `auditd` service is running and stop it:
-
-* See if `auditd` is running:
-+
-[source,shell]
------
-service auditd status
------
-
-* Stop the `auditd` service:
-+
-[source,shell]
------
-service auditd stop
------
-
-* Disable `auditd` from starting on boot:
-+
-[source,shell]
------
-chkconfig auditd off
------
-
-To save CPU usage and disk space, you can use this command to stop `journald`
-from listening to audit messages:
-
-[source,shell]
------
-systemctl mask systemd-journald-audit.socket
------
-
-[float]
-=== Inspect the kernel audit system status
-
-{beatname_uc} provides useful commands to query the state of the audit system
-in the Linux kernel.
-
-* See the list of installed audit rules:
-+
-[source,shell]
------
-auditbeat show auditd-rules
------
-+
-Prints the list of loaded rules, similar to `auditctl -l`:
-+
-[source,shell]
------
--a never,exit -S all -F pid=26253
--a always,exit -F arch=b32 -S all -F key=32bit-abi
--a always,exit -F arch=b64 -S execve,execveat -F key=exec
--a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
--w /etc/group -p wa -k identity
--w /etc/passwd -p wa -k identity
--w /etc/gshadow -p wa -k identity
--a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
--a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access
------
-
-* See the status of the audit system:
-+
-[source,shell]
------
-auditbeat show auditd-status
------
-+
-Prints the status of the kernel audit system, similar to `auditctl -s`:
-+
-[source,shell]
------
-enabled 1
-failure 0
-pid 0
-rate_limit 0
-backlog_limit 8192
-lost 14407
-backlog 0
-backlog_wait_time 0
-features 0xf
------
-
-[float]
-=== Configuration options
-
-This module has some configuration options for tuning its behavior. The
-following example shows all configuration options with their default values.
-
-[source,yaml]
-----
-- module: auditd
-  resolve_ids: true
-  failure_mode: silent
-  backlog_limit: 8192
-  rate_limit: 0
-  include_raw_message: false
-  include_warnings: false
-  backpressure_strategy: auto
-  immutable: false
-----
-
-This module also supports the
-<<module-standard-options-{modulename},standard configuration options>>
-described later.
-
-*`socket_type`*:: This optional setting controls the type of
-socket that {beatname_uc} uses to receive events from the kernel. The two
-options are `unicast` and `multicast`.
-+
-`unicast` should be used when {beatname_uc} is the primary userspace daemon for
-receiving audit events and managing the rules. Only a single process can receive
-audit events through the "unicast" connection so any other daemons should be
-stopped (e.g. stop `auditd`).
-+
-`multicast` can be used in kernel versions 3.16 and newer. By using `multicast`
-{beatname_uc} will receive an audit event broadcast that is not exclusive to a
-a single process. This is ideal for situations where `auditd` is running and
-managing the rules.
-+
-By default {beatname_uc} will use `multicast` if the kernel version is 3.16 or
-newer and no rules have been defined. Otherwise `unicast` will be used.
-
-*`immutable`*:: This boolean setting sets the audit config as immutable (`-e 2`).
-This option can only be used with the `socket_type: unicast` since {beatname_uc}
-needs to manage the rules to be able to set it.
-+
-It is important to note that with this setting enabled, if {beatname_uc} is
-stopped and resumed events will continue to be processed but the
-configuration won't be updated until the system is restarted entirely.
-
-*`resolve_ids`*:: This boolean setting enables the resolution of UIDs and
-GIDs to their associated names. The default value is true.
-
-*`failure_mode`*:: This determines the kernel's behavior on critical
-failures such as errors sending events to {beatname_uc}, the backlog limit was
-exceeded, the kernel ran out of memory, or the rate limit was exceeded. The
-options are `silent`, `log`, or `panic`. `silent` basically makes the kernel
-ignore the errors, `log` makes the kernel write the audit messages using
-`printk` so they show up in system's syslog, and `panic` causes the kernel to
-panic to prevent use of the machine. {beatname_uc}'s default is `silent`.
-
-*`backlog_limit`*:: This controls the maximum number of audit messages
-that will be buffered by the kernel.
-
-*`rate_limit`*:: This sets a rate limit on the number of messages/sec
-delivered by the kernel. The default is 0, which disables rate limiting.
-Changing this value to anything other than zero can cause messages to be lost.
-The preferred approach to reduce the messaging rate is be more selective in the
-audit ruleset.
-
-*`include_raw_message`*:: This boolean setting causes {beatname_uc} to
-include each of the raw messages that contributed to the event in the document
-as a field called `event.original`. The default value is false. This setting is
-primarily used for development and debugging purposes.
-
-*`include_warnings`*:: This boolean setting causes {beatname_uc} to
-include as warnings any issues that were encountered while parsing the raw
-messages. The messages are written to the `error.message` field. The default
-value is false. When this setting is enabled the raw messages will be included
-in the event regardless of the `include_raw_message` config setting. This
-setting is primarily used for development and debugging purposes.
-
-*`audit_rules`*:: A string containing the audit rules that should be
-installed to the kernel. There should be one rule per line. Comments can be
-embedded in the string using `#` as a prefix. The format for rules is the same
-used by the Linux `auditctl` utility. {beatname_uc} supports adding file watches
-(`-w`) and syscall rules (`-a` or `-A`). For more information, see
-<<audit-rules>>.
-
-*`audit_rule_files`*:: A list of files to load audit rules from. This files are
-loaded after the rules declared in `audit_rules` are loaded. Wildcards are
-supported and will expand in lexicographical order. The format is the same as
-that of the `audit_rules` field.
-
-*`ignore_errors`*:: This setting allows errors during rule loading and parsing
-to be ignored, but logged as warnings.
-
-*`backpressure_strategy`*:: Specifies the strategy that {beatname_uc} uses to
-prevent backpressure from propagating to the kernel and impacting audited
-processes.
-+
---
-The possible values are:
-
-- `auto` (default): {beatname_uc} uses the `kernel` strategy, if supported, or
-falls back to the `userspace` strategy.
-- `kernel`: {beatname_uc} sets the `backlog_wait_time` in the kernel's
-audit framework to 0. This causes events to be discarded in the kernel if
-the audit backlog queue fills to capacity. Requires a 3.14 kernel or
-newer.
-- `userspace`: {beatname_uc} drops events when there is backpressure
-from the publishing pipeline. If no `rate_limit` is set, {beatname_uc} sets a rate
-limit of 5000. Users should test their setup and adjust the `rate_limit`
-option accordingly.
-- `both`: {beatname_uc} uses the `kernel` and `userspace` strategies at the same
-time.
-- `none`: No backpressure mitigation measures are enabled.
---
-
-include::{docdir}/auditbeat-options.asciidoc[]
-
-[float]
-[[audit-rules]]
-=== Audit rules
-
-The audit rules are where you configure the activities that are audited. These
-rules are configured as either syscalls or files that should be monitored. For
-example you can track all `connect` syscalls or file system writes to
-`/etc/passwd`.
-
-Auditing a large number of syscalls can place a heavy load on the system so
-consider carefully the rules you define and try to apply filters in the rules
-themselves to be as selective as possible.
-
-The kernel evaluates the rules in the order in which they were defined so place
-the most active rules first in order to speed up evaluation.
-
-You can assign keys to each rule for better identification of the rule that
-triggered an event and easier filtering later in Elasticsearch.
-
-Defining any audit rules in the config causes {beatname_uc} to purge all
-existing audit rules prior to adding the rules specified in the config.
-Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule.
-
-["source","sh",subs="attributes"]
-----
-{beatname_lc}.modules:
-- module: auditd
-  audit_rules: |
-    # Things that affect identity.
-    -w /etc/group -p wa -k identity
-    -w /etc/passwd -p wa -k identity
-    -w /etc/gshadow -p wa -k identity
-    -w /etc/shadow -p wa -k identity
-
-    # Unauthorized access attempts to files (unsuccessful).
-    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-    -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-    -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-----
-
-
-[float]
-=== Example configuration
-
-The Auditd module supports the common configuration options that are
-described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
-is an example configuration:
-
-[source,yaml]
-----
-auditbeat.modules:
-- module: auditd
-  # Load audit rules from separate files. Same format as audit.rules(7).
-  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
-  audit_rules: |
-    ## Define audit rules here.
-    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
-    ## examples or add your own rules.
-
-    ## If you are on a 64 bit platform, everything should be running
-    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
-    ## because this might be a sign of someone exploiting a hole in the 32
-    ## bit API.
-    #-a always,exit -F arch=b32 -S all -F key=32bit-abi
-
-    ## Executions.
-    #-a always,exit -F arch=b64 -S execve,execveat -k exec
-
-    ## External access (warning: these can be expensive to audit).
-    #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
-
-    ## Identity changes.
-    #-w /etc/group -p wa -k identity
-    #-w /etc/passwd -p wa -k identity
-    #-w /etc/gshadow -p wa -k identity
-
-    ## Unauthorized access attempts.
-    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
-
-
-----
-
-
-:modulename!:
-
diff --git a/auditbeat/docs/modules/file_integrity.asciidoc b/auditbeat/docs/modules/file_integrity.asciidoc
deleted file mode 100644
index 872ba5189255..000000000000
--- a/auditbeat/docs/modules/file_integrity.asciidoc
+++ /dev/null
@@ -1,183 +0,0 @@
-////
-This file is generated! See scripts/docs_collector.py
-////
-
-:modulename: file_integrity
-
-[id="{beatname_lc}-module-file_integrity"]
-== File Integrity Module
-
-The `file_integrity` module sends events when a file is changed (created,
-updated, or deleted) on disk. The events contain file metadata and hashes.
-
-The module is implemented for Linux, macOS (Darwin), and Windows.
-
-[float]
-=== How it works
-
-This module uses features of the operating system to monitor file changes in
-realtime. When the module starts it creates a subscription with the OS to
-receive notifications of changes to the specified files or directories. Upon
-receiving notification of a change the module will read the file's metadata
-and then compute a hash of the file's contents.
-
-At startup this module will perform an initial scan of the configured files
-and directories to generate baseline data for the monitored paths and detect
-changes since the last time it was run. It uses locally persisted data in order
-to only send events for new or modified files.
-
-The operating system features that power this feature are as follows.
-
-* Linux - Multiple backends are supported: `auto`, `fsnotify`, `kprobes`, `ebpf`.
-By default, `fsnotify` is used, and therefore the kernel must have inotify support.
-Inotify was initially merged into the 2.6.13 Linux kernel.
-The eBPF backend uses modern eBPF features and supports 5.10.16+ kernels.
-The `Kprobes` backend uses tracefs and supports 3.10+ kernels.
-FSNotify doesn't have the ability to associate user data to file events.
-The preferred backend can be selected by specifying the `backend` config option.
-Since eBPF and Kprobes are in technical preview, `auto` will default to `fsnotify`.
-* macOS (Darwin) - Uses the `FSEvents` API, present since macOS 10.5. This API
-coalesces multiple changes to a file into a single event. {beatname_uc} translates
-this coalesced changes into a meaningful sequence of actions. However,
-in rare situations the reported events may have a different ordering than what
-actually happened.
-* Windows - `ReadDirectoryChangesW` is used.
-
-The file integrity module should not be used to monitor paths on network file
-systems.
-
-[float]
-=== Configuration options
-
-This module has some configuration options for tuning its behavior. The
-following example shows all configuration options with their default values for
-Linux.
-
-[source,yaml]
-----
-- module: file_integrity
-  paths:
-  - /bin
-  - /usr/bin
-  - /sbin
-  - /usr/sbin
-  - /etc
-  recursive: false
-  exclude_files:
-  - '(?i)\.sw[nop]$'
-  - '~$'
-  - '/\.git($|/)'
-  include_files: []
-  scan_at_start: true
-  scan_rate_per_sec: 50 MiB
-  max_file_size: 100 MiB
-  hash_types: [sha1]
-----
-
-This module also supports the
-<<module-standard-options-{modulename},standard configuration options>>
-described later.
-
-*`paths`*:: A list of paths (directories or files) to watch. Globs are
-not supported. The specified paths should exist when the metricset is started.
-Paths should be absolute, although the file integrity module will attempt to
-resolve relative path events to their absolute file path. Symbolic links will
-be resolved on module start and the link target will be watched if link resolution
-is successful. Changes to the symbolic link after module start will not change
-the watch target. If the link does not resolve to a valid target, the symbolic
-link itself will be watched; if the symlink target becomes valid after module
-start up this will not be picked up by the file system watches.
-
-*`recursive`*:: By default, the watches set to the paths specified in
-`paths` are not recursive. This means that only changes to the contents
-of this directories are watched. If `recursive` is set to `true`, the
-`file_integrity` module will watch for changes on this directory and all
-its subdirectories.
-
-*`exclude_files`*:: A list of regular expressions used to filter out events
-for unwanted files. The expressions are matched against the full path of every
-file and directory. When used in conjunction with `include_files`, file paths need
-to match both `include_files` and not match `exclude_files` to be selected.
-By default, no files are excluded. See <<regexp-support>>
-for a list of supported regexp patterns. It is recommended to wrap regular
-expressions in single quotation marks to avoid issues with YAML escaping
-rules.
-If `recursive` is set to true, subdirectories can also be excluded here by
-specifying them.
-
-*`include_files`*:: A list of regular expressions used to specify which files to
-select. When configured, only files matching the pattern will be monitored.
-The expressions are matched against the full path of every file and directory.
-When used in conjunction with `exclude_files`, file paths need
-to match both `include_files` and not match `exclude_files` to be selected.
-By default, all files are selected. See <<regexp-support>>
-for a list of supported regexp patterns. It is recommended to wrap regular
-expressions in single quotation marks to avoid issues with YAML escaping
-rules.
-
-*`scan_at_start`*:: A boolean value that controls if {beatname_uc} scans
-over the configured file paths at startup and send events for the files
-that have been modified since the last time {beatname_uc} was running. The
-default value is true.
-+
-This feature depends on data stored locally in `path.data` in order to determine
-if a file has changed. The first time {beatname_uc} runs it will send an event
-for each file it encounters.
-
-*`scan_rate_per_sec`*:: When `scan_at_start` is enabled this sets an
-average read rate defined in bytes per second for the initial scan. This
-throttles the amount of CPU and I/O that {beatname_uc} consumes at startup.
-The default value is "50 MiB". Setting the value to "0" disables throttling.
-For convenience units can be specified as a suffix to the value. The supported
-units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`, `gb`, `tib`, `tb`,
-`pib`, `pb`, `eib`, and `eb`.
-
-*`max_file_size`*:: The maximum size of a file in bytes for which
-{beatname_uc} will compute hashes and run file parsers. Files larger than this
-size will not be hashed or analysed by configured file parsers. The default
-value is 100 MiB. For convenience, units can be specified as a suffix to the
-value. The supported units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`,
-`gb`, `tib`, `tb`, `pib`, `pb`, `eib`, and `eb`.
-
-*`hash_types`*:: A list of hash types to compute when the file changes.
-The supported hash types are `blake2b_256`, `blake2b_384`, `blake2b_512`, `md5`,
-`sha1`, `sha224`, `sha256`, `sha384`, `sha512`, `sha512_224`, `sha512_256`,
-`sha3_224`, `sha3_256`, `sha3_384`, `sha3_512`, and `xxh64`. The default value is `sha1`.
-
-*`file_parsers`*:: A list of `file_integrity` fields under `file` that will be
-populated by file format parsers. The available fields that can be analysed
-are listed in the auditbeat.reference.yml file. File parsers are run on all
-files within the `max_file_size` limit in the configured paths during a scan or
-when a file event involves the file. Files that are not targets of the specific
-file parser are only sniffed to examine whether analysis should proceed. This will
-usually only involve reading a small number of bytes.
-
-*`backend`*:: (*Linux only*) Select the backend which will be used to
-source events. Valid values: `auto`, `fsnotify`, `kprobes`, `ebpf`. Default: `fsnotify`.
-
-include::{docdir}/auditbeat-options.asciidoc[]
-
-
-[float]
-=== Example configuration
-
-The File Integrity module supports the common configuration options that are
-described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
-is an example configuration:
-
-[source,yaml]
-----
-auditbeat.modules:
-- module: file_integrity
-  paths:
-  - /bin
-  - /usr/bin
-  - /sbin
-  - /usr/sbin
-  - /etc
-
-----
-
-
-:modulename!:
-
diff --git a/auditbeat/docs/modules_list.asciidoc b/auditbeat/docs/modules_list.asciidoc
deleted file mode 100644
index ed367bac1d09..000000000000
--- a/auditbeat/docs/modules_list.asciidoc
+++ /dev/null
@@ -1,14 +0,0 @@
-////
-This file is generated! See scripts/docs_collector.py
-////
-
-  * <<{beatname_lc}-module-auditd,Auditd>>
-  * <<{beatname_lc}-module-file_integrity,File Integrity>>
-  * <<{beatname_lc}-module-system,System>>
-
-
---
-
-include::./modules/auditd.asciidoc[]
-include::./modules/file_integrity.asciidoc[]
-include::../../x-pack/auditbeat/docs/modules/system.asciidoc[]
diff --git a/auditbeat/docs/overview.asciidoc b/auditbeat/docs/overview.asciidoc
deleted file mode 100644
index 547638ff509f..000000000000
--- a/auditbeat/docs/overview.asciidoc
+++ /dev/null
@@ -1,11 +0,0 @@
-[id="{beatname_lc}-overview"]
-== {beatname_uc} overview
-
-{beatname_uc} is a lightweight shipper that you can install on your servers to
-audit the activities of users and processes on your systems. For example, you
-can use {beatname_uc} to collect and centralize audit events from the Linux
-Audit Framework. You can also use {beatname_uc} to detect changes to critical
-files, like binaries and configuration files, and identify potential security
-policy violations.
-
-include::{libbeat-dir}/shared-libbeat-description.asciidoc[]
diff --git a/auditbeat/docs/reload-configuration.asciidoc b/auditbeat/docs/reload-configuration.asciidoc
deleted file mode 100644
index dab510164d89..000000000000
--- a/auditbeat/docs/reload-configuration.asciidoc
+++ /dev/null
@@ -1,51 +0,0 @@
-[id="{beatname_lc}-configuration-reloading"]
-== Reload the configuration dynamically
-
-++++
-<titleabbrev>Config file reloading</titleabbrev>
-++++
-
-beta[]
-
-You can configure {beatname_uc} to dynamically reload configuration files when
-there are changes. To do this, you specify a path
-(https://golang.org/pkg/path/filepath/#Glob[glob]) to watch for module
-configuration changes. When the files found by the glob change, new modules are
-started/stopped according to changes in the configuration files.
-
-To enable dynamic config reloading, you specify the `path` and `reload` options
-in the main +{beatname_lc}.yml+ config file. For example:
-
-["source","sh"]
-------------------------------------------------------------------------------
-auditbeat.config.modules:
-  path: ${path.config}/conf.d/*.yml
-  reload.enabled: true
-  reload.period: 10s
-------------------------------------------------------------------------------
-
-*`path`*:: A glob that defines the files to check for changes.
-
-*`reload.enabled`*:: When set to `true`, enables dynamic config reload.
-
-*`reload.period`*:: Specifies how often the files are checked for changes. Do not
-set the `period` to less than 1s because the modification time of files is often
-stored in seconds. Setting the `period` to less than 1s will result in
-unnecessary overhead.
-
-Each file found by the glob must contain a list of one or more module
-definitions. For example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-- module: file_integrity
-  paths:
-  - /www/wordpress
-  - /www/wordpress/wp-admin
-  - /www/wordpress/wp-content
-  - /www/wordpress/wp-includes
-------------------------------------------------------------------------------
-
-NOTE: On systems with POSIX file permissions, all Beats configuration files are
-subject to ownership and file permission checks. If you encounter config loading
-errors related to file ownership, see {beats-ref}/config-file-permissions.html.
diff --git a/auditbeat/docs/running-on-docker.asciidoc b/auditbeat/docs/running-on-docker.asciidoc
deleted file mode 100644
index dee50fa254a3..000000000000
--- a/auditbeat/docs/running-on-docker.asciidoc
+++ /dev/null
@@ -1,14 +0,0 @@
-include::{libbeat-dir}/shared-docker.asciidoc[]
-
-==== Special requirements
-
-Under Docker, {beatname_uc} runs as a non-root user, but requires some privileged
-capabilities to operate correctly. Ensure that the +AUDIT_CONTROL+ and +AUDIT_READ+
-capabilities are available to the container.
-
-It is also essential to run {beatname_uc} in the host PID namespace.
-
-["source","sh",subs="attributes"]
-----
-docker run --cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ --user=root --pid=host {dockerimage}
-----
diff --git a/auditbeat/docs/running-on-kubernetes.asciidoc b/auditbeat/docs/running-on-kubernetes.asciidoc
deleted file mode 100644
index f5f4f0f4715e..000000000000
--- a/auditbeat/docs/running-on-kubernetes.asciidoc
+++ /dev/null
@@ -1,101 +0,0 @@
-[[running-on-kubernetes]]
-=== Running {beatname_uc} on Kubernetes
-
-{beatname_uc} <<running-on-docker,Docker images>> can be used on Kubernetes to
-check files integrity.
-
-TIP: Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK].
-
-ifeval::["{release-state}"=="unreleased"]
-
-However, version {version} of {beatname_uc} has not yet been
-released, so no Docker image is currently available for this version.
-
-endif::[]
-
-
-[float]
-==== Kubernetes deploy manifests
-
-By deploying {beatname_uc} as a https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet]
-we ensure we get a running instance on each node of the cluster.
-
-Everything is deployed under `kube-system` namespace, you can change that by
-updating the YAML file.
-
-To get the manifests just run:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kubernetes/{beatname_lc}-kubernetes.yaml
-------------------------------------------------
-
-[WARNING]
-=======================================
-If you are using Kubernetes 1.7 or earlier: {beatname_uc} uses a hostPath volume to persist internal data, it's located
-under /var/lib/{beatname_lc}-data. The manifest uses folder autocreation (`DirectoryOrCreate`), which was introduced in
-Kubernetes 1.8. You will need to remove `type: DirectoryOrCreate` from the manifest and create the host folder yourself.
-=======================================
-
-[float]
-==== Settings
-
-Some parameters are exposed in the manifest to configure logs destination, by
-default they will use an existing Elasticsearch deploy if it's present, but you
-may want to change that behavior, so just edit the YAML file and modify them:
-
-["source", "yaml", subs="attributes"]
-------------------------------------------------
-- name: ELASTICSEARCH_HOST
-  value: elasticsearch
-- name: ELASTICSEARCH_PORT
-  value: "9200"
-- name: ELASTICSEARCH_USERNAME
-  value: elastic
-- name: ELASTICSEARCH_PASSWORD
-  value: changeme
-------------------------------------------------
-
-[float]
-===== Running {beatname_uc} on control plane nodes
-
-Kubernetes control plane nodes can use https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/[taints]
-to limit the workloads that can run on them. To run {beatname_uc} on control plane nodes you may need to
-update the Daemonset spec to include proper tolerations:
-
-[source,yaml]
-------------------------------------------------
-spec:
- tolerations:
- - key: node-role.kubernetes.io/control-plane
-   effect: NoSchedule
-------------------------------------------------
-
-[float]
-==== Deploy
-
-To deploy {beatname_uc} to Kubernetes just run:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-kubectl create -f {beatname_lc}-kubernetes.yaml
-------------------------------------------------
-
-Then you should be able to check the status by running:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-$ kubectl --namespace=kube-system get ds/{beatname_lc}
-
-NAME       DESIRED   CURRENT   READY     UP-TO-DATE   AVAILABLE   NODE-SELECTOR   AGE
-{beatname_lc}   32        32        0         32           0           <none>          1m
-------------------------------------------------
-
-[WARNING]
-=======================================
-{beatname_uc} is able to monitor the file integrity of files in pods,
-to do that, the directories with the container root file systems have to be
-mounted as volumes in the {beatname_uc} container. For example, containers
-executed with containerd have their root file systems under `/run/containerd`.
-The https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kubernetes/{beatname_lc}-kubernetes.yaml[reference manifest] contains an example of this.
-=======================================
diff --git a/auditbeat/docs/setting-up-running.asciidoc b/auditbeat/docs/setting-up-running.asciidoc
deleted file mode 100644
index 4e2bd8265f90..000000000000
--- a/auditbeat/docs/setting-up-running.asciidoc
+++ /dev/null
@@ -1,58 +0,0 @@
-/////
-// NOTE:
-// Each beat has its own setup overview to allow for the addition of content
-// that is unique to each beat.
-/////
-
-[[setting-up-and-running]]
-== Set up and run {beatname_uc}
-
-++++
-<titleabbrev>Set up and run</titleabbrev>
-++++
-
-Before reading this section, see
-<<{beatname_lc}-installation-configuration>> for basic
-installation instructions to get you started.
-
-This section includes additional information on how to install, set up, and run
-{beatname_uc}, including:
-
-* <<directory-layout>>
-
-* <<keystore>>
-
-* <<command-line-options>>
-
-* <<setup-repositories>>
-
-* <<running-on-docker>>
-
-* <<running-on-kubernetes>>
-
-* <<running-with-systemd>>
-
-* <<{beatname_lc}-starting>>
-
-* <<shutdown>>
-
-
-//MAINTAINERS: If you add a new file to this section, make sure you update the bulleted list ^^ too.
-
-include::{libbeat-dir}/shared-directory-layout.asciidoc[]
-
-include::{libbeat-dir}/keystore.asciidoc[]
-
-include::{libbeat-dir}/command-reference.asciidoc[]
-
-include::{libbeat-dir}/repositories.asciidoc[]
-
-include::./running-on-docker.asciidoc[]
-
-include::./running-on-kubernetes.asciidoc[]
-
-include::{libbeat-dir}/shared-systemd.asciidoc[]
-
-include::{libbeat-dir}/shared/start-beat.asciidoc[]
-
-include::{libbeat-dir}/shared/shutdown.asciidoc[]
diff --git a/auditbeat/docs/troubleshooting.asciidoc b/auditbeat/docs/troubleshooting.asciidoc
deleted file mode 100644
index 19eb279272b4..000000000000
--- a/auditbeat/docs/troubleshooting.asciidoc
+++ /dev/null
@@ -1,41 +0,0 @@
-[[troubleshooting]]
-= Troubleshoot
-
-[partintro]
---
-If you have issues installing or running {beatname_uc}, read the
-following tips:
-
-* <<getting-help>>
-* <<enable-{beatname_lc}-debugging>>
-* <<understand-{beatname_lc}-logs>>
-* <<faq>>
-
-//sets block macro for getting-help.asciidoc included in next section
-
---
-
-[[getting-help]]
-== Get Help
-
-include::{libbeat-dir}/getting-help.asciidoc[]
-
-//sets block macro for debugging.asciidoc included in next section
-
-[id="enable-{beatname_lc}-debugging"]
-== Debug
-
-include::{libbeat-dir}/debugging.asciidoc[]
-
-//sets block macro for metrics-in-logs.asciidoc included in next section
-
-[id="understand-{beatname_lc}-logs"]
-[role="xpack"]
-== Understand metrics in {beatname_uc} logs
-
-++++
-<titleabbrev>Understand logged metrics</titleabbrev>
-++++
-
-include::{libbeat-dir}/metrics-in-logs.asciidoc[]
-
diff --git a/auditbeat/docs/upgrading.asciidoc b/auditbeat/docs/upgrading.asciidoc
deleted file mode 100644
index 132cb1db8434..000000000000
--- a/auditbeat/docs/upgrading.asciidoc
+++ /dev/null
@@ -1,7 +0,0 @@
-[[upgrading-auditbeat]]
-== Upgrade Auditbeat
-
-For information about upgrading to a new version, see:
-
-* {beats-ref}/breaking-changes.html[Breaking Changes]
-* {beats-ref}/upgrading.html[Upgrade]
diff --git a/docs/devguide/contributing.asciidoc b/docs/devguide/contributing.asciidoc
deleted file mode 100644
index 0637052b96c7..000000000000
--- a/docs/devguide/contributing.asciidoc
+++ /dev/null
@@ -1,245 +0,0 @@
-[[beats-contributing]]
-== Contributing to Beats
-
-If you have a bugfix or new feature that you would like to contribute, please
-start by opening a topic on the https://discuss.elastic.co/c/beats[forums].
-It may be that somebody is already working on it, or that there are particular
-issues that you should know about before implementing the change.
-
-We enjoy working with contributors to get their code accepted. There are many
-approaches to fixing a problem and it is important to find the best approach
-before writing too much code. After committing your code, check out the
-https://www.elastic.co/community/contributor[Elastic Contributor Program]
-where you can earn points and rewards for your contributions.
-
-The process for contributing to any of the Elastic repositories is similar.
-
-[float]
-[[contribution-steps]]
-=== Contribution Steps
-
-. Please make sure you have signed our
-https://www.elastic.co/contributor-agreement/[Contributor License Agreement]. We
-are not asking you to assign copyright to us, but to give us the right to
-distribute your code without restriction. We ask this of all contributors in
-order to assure our users of the origin and continuing existence of the code.
-You only need to sign the CLA once.
-
-. Send a pull request! Push your changes to your fork of the repository and
-https://help.github.com/articles/using-pull-requests[submit a pull request] using our
-<<pr-review,pull request guidelines>>. New PRs go to the main branch. The Beats
-core team will backport your PR if it is necessary.
-
-
-In the pull request, describe what your changes do and mention
-any bugs/issues related to the pull request. Please also add a changelog entry to
-https://github.com/elastic/beats/blob/main/CHANGELOG.next.asciidoc[CHANGELOG.next.asciidoc].
-
-[float]
-[[setting-up-dev-environment]]
-=== Setting Up Your Dev Environment
-
-The Beats are Go programs, so install the {go-version} version of
-http://golang.org/[Go] which is being used for Beats development.
-
-After https://golang.org/doc/install[installing Go], set the
-https://golang.org/doc/code.html#GOPATH[GOPATH] environment variable to point to
-your workspace location, and make sure `$GOPATH/bin` is in your PATH.
-
-NOTE: One deterministic manner to install the proper Go version to work with Beats is to use the
-https://github.com/andrewkroh/gvm[GVM] Go version manager. An example for Mac users would be:
-
-[source,shell,subs=attributes+]
-----------------------------------------------------------------------
-gvm use {go-version}
-eval $(gvm {go-version})
-----------------------------------------------------------------------
-
-Then you can clone Beats git repository:
-
-[source,shell]
-----------------------------------------------------------------------
-mkdir -p ${GOPATH}/src/github.com/elastic
-git clone https://github.com/elastic/beats ${GOPATH}/src/github.com/elastic/beats
-----------------------------------------------------------------------
-
-NOTE: If you have multiple go paths, use `${GOPATH%%:*}` instead of `${GOPATH}`.
-
-Beats developers primarily use https://github.com/magefile/mage[Mage] for development.
-You can install mage using a make target:
-
-[source,shell]
---------------------------------------------------------------------------------
-make mage
---------------------------------------------------------------------------------
-
-Then you can compile a particular Beat by using Mage. For example, for Filebeat:
-
-[source,shell]
---------------------------------------------------------------------------------
-cd beats/filebeat
-mage build
---------------------------------------------------------------------------------
-
-You can list all available mage targets with:
-
-[source,shell]
---------------------------------------------------------------------------------
-mage -l
---------------------------------------------------------------------------------
-
-Some of the Beats might have extra development requirements, in which case
-you'll find a CONTRIBUTING.md file in the Beat directory.
-
-We use an http://editorconfig.org/[EditorConfig] file in the beats repository
-to standardise how different editors handle whitespace, line endings, and other
-coding styles in our files. Most popular editors have a
-http://editorconfig.org/#download[plugin] for EditorConfig and we strongly
-recommend that you install it.
-
-[float]
-[[update-scripts]]
-=== Update scripts
-
-The Beats use a variety of scripts based on Python, make and mage to generate configuration files
-and documentation. Ensure to use the version of python listed in the https://github.com/elastic/beats/blob/main/.python-version[.python-version] file. 
-
-The primary command for updating generated files is:
-
-[source,shell]
---------------------------------------------------------------------------------
-make update
---------------------------------------------------------------------------------
-Each Beat has its own `update` target (for both `make` and `mage`), as well as a master `update` in the repository root.
-If a PR adds or removes a dependency, run `make update` in the root `beats` directory.
-
-Another command properly formats go source files and adds a copyright header:
-
-[source,shell]
---------------------------------------------------------------------------------
-make fmt
---------------------------------------------------------------------------------
-
-Both of these commands should be run before submitting a PR. You can view all
-the available make targets with `make help`.
-
-These commands have the following dependencies:
-
-* Python >= {python}
-* Python https://docs.python.org/3/library/venv.html[venv module]
-* https://github.com/magefile/mage[Mage]
-
-Python venv module is included in the standard library in Python 3. On Debian/Ubuntu
-systems it also requires to install the `python3-venv` package, that includes
-additional support scripts:
-
-[source,shell]
---------------------------------------------------------------------------------
-sudo apt-get install python3-venv
---------------------------------------------------------------------------------
-
-[float]
-[[build-target-env-vars]]
-=== Selecting Build Targets
-
-Beats is built using the `make release` target. By default, make will select from a limited number of preset build targets:
-
-- darwin/amd64
-- darwin/arm64
-- linux/amd64
-- windows/amd64
-
-You can change build targets using the `PLATFORMS` environment variable. Targets set with the `PLATFORMS` variable can either be a GOOS value, or a GOOS/arch pair.
-For example, `linux` and `linux/amd64` are both valid targets. You can select multiple targets, and the `PLATFORMS` list is space delimited, for example `darwin windows` will build on all supported darwin and windows architectures.
-In addition, you can add or remove from the list of build targets by prepending `+` or `-` to a given target. For example: `+bsd` or `-darwin`.
-
-You can find the complete list of supported build targets with `go tool dist list`.
-
-[float]
-[[running-linter]]
-=== Linting
-
-Beats uses https://golangci-lint.run/[golangci-lint]. You can run the pre-configured linter against your change:
-
-[source,shell]
---------------------------------------------------------------------------------
-mage llc
---------------------------------------------------------------------------------
-
-`llc` stands for `Lint Last Change` which includes all the Go files that were changed in either the last commit (if you're on the `main` branch) or in a difference between your feature branch and the `main` branch.
-
-It's expected that sometimes a contributor will be asked to fix linter issues unrelated to their contribution since the linter was introduced later than changes in some of the files.
-
-You can also run the linter against an individual package, for example the filbeat command package:
-
-[source,shell]
---------------------------------------------------------------------------------
-golangci-lint run ./filebeat/cmd/...
---------------------------------------------------------------------------------
-
-[float]
-[[running-testsuite]]
-=== Testing
-
-You can run the whole testsuite with the following command:
-
-[source,shell]
---------------------------------------------------------------------------------
-make testsuite
---------------------------------------------------------------------------------
-
-Running the testsuite has the following requirements:
-
-* Python >= {python}
-* Docker >= {docker}
-* Docker-compose >= {docker-compose}
-
-For more details, refer to the <<testing>> guide.
-
-[float]
-[[documentation]]
-=== Documentation
-
-The main documentation for each Beat is located under `<beatname>/docs` and is
-based on https://docs.asciidoctor.org/asciidoc/latest/[AsciiDoc]. The Beats
-documentation also makes extensive use of conditionals and content reuse to
-ensure consistency and accuracy. Before contributing to the documentation, read
-the following resources:
-
-* https://github.com/elastic/docs/blob/master/README.asciidoc[Docs HOWTO]
-* <<contributing-docs>>
-
-[float]
-[[dependencies]]
-=== Dependencies
-
-In order to create Beats we rely on Golang libraries and other
-external tools.
-
-[float]
-==== Other dependencies
-
-Besides Go libraries, we are using development tools to generate parsers for inputs and processors.
-
-The following packages are required to run `go generate`:
-
-[float]
-===== Auditbeat
-
-* FlatBuffers >= 1.9
-
-[float]
-===== Filebeat
-
-* Graphviz >= 2.43.0
-* Ragel >= 6.10
-
-
-[float]
-[[changelog]]
-=== Changelog
-
-To keep up to date with changes to the official Beats for community developers,
-follow the developer changelog
-https://github.com/elastic/beats/blob/main/CHANGELOG-developer.next.asciidoc[here].
-
diff --git a/docs/devguide/create-metricset.asciidoc b/docs/devguide/create-metricset.asciidoc
deleted file mode 100644
index 2c2d798086b1..000000000000
--- a/docs/devguide/create-metricset.asciidoc
+++ /dev/null
@@ -1,320 +0,0 @@
-[[creating-metricsets]]
-=== Creating a Metricset
-
-include::generator-support-note.asciidoc[tag=metricset-generator]
-
-A metricset is the part of a Metricbeat module that fetches and structures the
-data from the remote service. Each module can have multiple metricsets. In this guide, you learn how to create your own metricset.
-
-When creating a metricset for the first time, it generally helps to look at the
-implementation of existing metricsets for inspiration.
-
-To create a new metricset:
-
-. Run the following command inside the metricbeat beat directory:
-+
-[source,bash]
-----
-make create-metricset
-----
-+
-You need Python to run this command, then, you'll be prompted to enter a module and metricset name. Remember that a module represents the service you want to retrieve metrics from (like Redis) and a metricset is a specific set of grouped metrics (like `info` on Redis). Only use characters `[a-z]`
-and, if required, underscores (`_`). No other characters are allowed.
-+
-When you run `make create-metricset`, it creates all the basic files for your metricset, along with the required module
-files if the module does not already exist. See <<creating-metricbeat-module>> for more details about the module files.
-+
-NOTE: We use `{metricset}`, `{module}`, and `{beat}` in this guide as placeholders. You need to replace these with
-the actual names of your metricset, module, and beat.
-+
-The metricset that you created is already a functioning metricset and can be compiled.
-+
-. Compile your new metricset by running the following command:
-+
-[source,bash]
-----
-mage update
-mage build
-----
-+
-The first command, `mage update`, updates all generated files with the most recent files, data, and meta information from the metricset. The second command,
-`mage build`, compiles your source code and provides you with a binary called metricbeat in the same folder. You can run the
-binary in debug mode with the following command:
-+
-[source,bash]
-----
-./metricbeat -e -d "*"
-----
-
-After running the mage commands, you'll find the metricset, along with its generated files, under `module/{module}/{metricset}`. This directory
-contains the following files:
-
-* `\{metricset}.go`
-* `_meta/docs.asciidoc`
-* `_meta/data.json`
-* `_meta/fields.yml`
-
-Let's look at the files in more detail next.
-
-[float]
-==== \{metricset}.go File
-
-The first file is `{metricset}.go`. It contains the logic on how to fetch data from the service and convert it for sending to the output.
-
-The generated file looks like this:
-
-https://github.com/elastic/beats/blob/main/metricbeat/scripts/module/metricset/metricset.go.tmpl
-
-[source,go]
-----
-include::../../metricbeat/scripts/module/metricset/metricset.go.tmpl[]
-----
-
-The `package` clause and `import` declaration are part of the base structure of each Go file. You should only
-modify this part of the file if your implementation requires more imports.
-
-[float]
-===== Initialisation
-
-The init method registers the metricset with the central registry. In Go the `init()` function is called
-before the execution of all other code. This means the module will be automatically registered with the global registry.
-
-The `New` method, which is passed to `MustAddMetricSet`, will be called after the setup of the module and before starting to fetch data. You normally don't need to change this part of the file.
-
-[source,go]
-----
-func init() {
-	mb.Registry.MustAddMetricSet("{module}", "{metricset}", New)
-}
-----
-
-[float]
-===== Definition
-
-The MetricSet type defines all fields of the metricset. As a minimum it must be composed of the `mb.BaseMetricSet` fields,
-but can be extended with additional entries. These variables can be used to persist data or configuration between
-multiple fetch calls.
-
-You can add more fields to the MetricSet type, as you can see in the following example where the `username` and `password` string fields are added:
-
-[source,go]
-----
-type MetricSet struct {
-	mb.BaseMetricSet
-	username    string
-	password    string
-}
-----
-
-
-[float]
-===== Creation
-
-The `New` function creates a new instance of the MetricSet. The setup process
-of the MetricSet is also part of `New`. This method will be called before `Fetch`
-is called the first time.
-
-
-The `New` function also sets up the configuration by processing additional
-configuration entries, if needed.
-
-[source,go]
-----
-
-func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
-
-	config := struct{}{}
-
-	if err := base.Module().UnpackConfig(&config); err != nil {
-		return nil, err
-	}
-
-	return &MetricSet{
-		BaseMetricSet: base,
-	}, nil
-}
-----
-
-[float]
-===== Fetching
-
-The `Fetch` method is the central part of the metricset. `Fetch` is called every
-time new data is retrieved. If more than one host is defined, `Fetch` is
-called once for each host. The frequency of calling `Fetch` is based on the `period`
-defined in the configuration file.
-
-`Fetch` must publish the event using the `mb.ReporterV2.Event` method. If an error
-happens, `Fetch` can return an error, or if `Event` is being called in a loop,
-published using the `mb.ReporterV2.Error` method. This means
-that Metricbeat always sends an event, even on failure. You must make sure that the
-error message helps to identify the actual error.
-
-The following example shows a metricset `Fetch` method with a counter that is
-incremented for each `Fetch` call:
-
-[source,go]
-----
-func (m *MetricSet) Fetch(report mb.ReporterV2) error {
-
-	report.Event(mb.Event{
-		MetricSetFields: common.MapStr{
-			"counter": m.counter,
-		}
-	})
-	m.counter++
-
-	return nil
-}
-----
-
-The JSON output derived from the reported event will be identical to the naming and
-structure you use in `common.MapStr`. For more details about `MapStr` and its functions, see the
-https://godoc.org/github.com/elastic/beats/libbeat/common#MapStr[MapStr API docs].
-
-
-[float]
-===== Multi Fetching
-
-`Event` can be called multiple times inside of the `Fetch` method for metricsets that might expose multiple events.
-`Event` returns a bool that indicates if the metricset is already closed and no further events can be processed,
-in which case `Fetch` should return immediately. If there is an error while processing one of many events,
-it can be published using the `mb.ReporterV2.Error` method, as opposed to returning an error value.
-
-[float]
-===== Parsing and Normalizing Fields
-
-In Metricbeat we aim to normalize the metric names from all metricsets to
-respect a common <<event-conventions,set of conventions>>. This
-makes it easy for users to find and interpret metrics. To simplify parsing,
-converting, renaming, and restructuring of the object read from the monitored
-system to the Metricbeat format, we have created the
-https://godoc.org/github.com/elastic/beats/libbeat/common/schema[schema] package
-that allows you to declaratively define transformations.
-
-For example, assuming this input object:
-
-[source,go]
-----
-input := map[string]interface{}{
-	"testString":     "hello",
-	"testInt":        "42",
-	"testBool":       "true",
-	"testFloat":      "42.1",
-	"testObjString":  "hello, object",
-}
-----
-
-And the requirement to transform it into this one:
-
-[source,go]
-----
-common.MapStr{
-	"test_string": "hello",
-	"test_int":    int64(42),
-	"test_bool":   true,
-	"test_float":  42.1,
-	"test_obj": common.MapStr{
-		"test_obj_string": "hello, object",
-	},
-}
-----
-
-You can use the schema package to transform the data, and optionally mark some fields in a schema as required or not. For example:
-
-[source,go]
-----
-import (
-	s "github.com/elastic/beats/libbeat/common/schema"
-	c "github.com/elastic/beats/libbeat/common/schema/mapstrstr"
-)
-
-var (
-	schema = s.Schema{
-		"test_string": c.Str("testString", s.Required), <1>
-		"test_int":    c.Int("testInt"), <2>
-		"test_bool":   c.Bool("testBool", s.Optional), <3>
-		"test_float":  c.Float("testFloat"),
-		"test_obj": s.Object{
-			"test_obj_string": c.Str("testObjString", s.IgnoreAllErrors), <4>
-		},
-	}
-)
-
-func eventMapping(input map[string]interface{}) common.MapStr {
-	return schema.Apply(input) <5>
-}
-----
-<1> Marks a field as required.
-<2> If a field has no schema option set, it is equivalent to `Required`.
-<3> Marks the field as optional.
-<4> Ignore any value conversion error
-<5> By default, `Apply` will fail and return an error if any required field is missing. Using the optional second argument, you can specify how `Apply` handles different fields of the  schema. The possible values are:
-- `AllRequired` is the default behavior. Returns an error if any required field is missing, including fields that are required because no schema option is set.
-- `FailOnRequired`  will fail if a field explicitly marked as `required` is missing.
-- `NotFoundKeys(cb func([]string))` takes a callback function that will be called with a list of missing keys, allowing for finer-grained error handling.
-
-In the above example, note that it is possible to create the schema object once
-and apply it to all events. You can also use `ApplyTo` to add additional data to an existing `MapStr` object:
-[source,go]
-----
-
-var (
-	schema = s.Schema{
-		"test_string": c.Str("testString"),
-		"test_int":    c.Int("testInt"),
-		"test_bool":   c.Bool("testBool"),
-		"test_float":  c.Float("testFloat"),
-		"test_obj": s.Object{
-			"test_obj_string": c.Str("testObjString"),
-		},
-	}
-
-	additionalSchema = s.Schema{
-		"second_string": c.Str("secondString"),
-		"second_int": c.Int("secondInt"),
-	}
-)
-
-	data, err := schema.Apply(input)
-	if err != nil {
-		return err
-	}
-
-	if m.parseMoreData{
-		_, err := additionalSchema.ApplyTo(data, input)
-		if len(err) > 0 { <1>
-			return err.Err()
-		}
-	}
-
-----
-<1> `ApplyTo` returns a raw MultiError object, making it suitable for finer-grained error handling.
-
-
-[float]
-==== Configuration File
-The configuration file for a metricset is handled by the module. If there are
-multiple metricsets in one module, make sure you add all metricsets to the configuration.
-For example:
-
-[source,go]
-----
-metricbeat:
-  modules:
-    - module: {module-name}
-      metricsets: ["{metricset1}", "{metricset2}"]
-----
-
-NOTE: Make sure that you run `make collect` after updating the config file
-so that your changes are also applied to the global configuration file and the docs.
-
-For more details about the Metricbeat configuration file, see the topic about
-{metricbeat-ref}/configuration-metricbeat.html[Modules] in the Metricbeat
-documentation.
-
-
-[float]
-==== What to Do Next
-This topic provides basic steps for creating a metricset. For more details about metricsets
-and how to extend your metricset further, see <<metricset-details>>.
-
diff --git a/docs/devguide/create-module.asciidoc b/docs/devguide/create-module.asciidoc
deleted file mode 100644
index 002ec717364b..000000000000
--- a/docs/devguide/create-module.asciidoc
+++ /dev/null
@@ -1,185 +0,0 @@
-[[creating-metricbeat-module]]
-=== Creating a Metricbeat Module
-
-Metricbeat modules are used to group multiple metricsets together and to implement shared functionality
-of the metricsets. In most cases, no implementation of the module is needed and the default module
-implementation is automatically picked.
-
-It's important to complete the configuration and documentation files for a module. When you create a new
-metricset by running `make create-metricset`, default versions of these files are generated in the `_meta` directory.
-
-[float]
-==== Module Files
-
-* `config.yml` and `config.reference.yml`
-* `docs.asciidoc`
-* `fields.yml`
-
-After updating any of these files, make sure you run `make update` in your beat directory so all generated
-files are updated.
-
-
-[float]
-===== config.yml and config.reference.yml
-
-The `config.yml` file contains the basic configuration options and looks like this:
-
-[source,yaml]
-----
-include::../../metricbeat/scripts/module/config.yml[]
-----
-
-It contains the module name, your metricset, and the default period. If you have multiple
-metricsets in your module, make sure that you extend the metricset array:
-
-[source,yaml]
-----
-  metricsets: ["{metricset1}", "{metricset2}"]
-----
-
-The `full.config.yml` file is optional and by default has the same content as the `config.yml`. It is used
-to add and document more advanced configuration options that should not be part of the minimal
-config file shipped by default.
-
-[float]
-===== docs.asciidoc
-
-The `docs.asciidoc` file contains the documentation about your module. During generation of the
-documentation, the default config file will be appended to the docs. Use this file to describe your
-module in more detail and to document specific configuration options.
-
-[source,asciidoc]
-----
-include::../../metricbeat/scripts/module/docs.asciidoc[]
-----
-
-[float]
-===== fields.yml
-
-The `fields.yml` file contains the top level structure for the fields in your metricset. It's used in combination with
-the `fields.yml` file in each metricset to generate the template and documentation for the fields.
-
-The default file looks like this:
-
-[source,yaml]
-----
-include::../../metricbeat/scripts/module/fields.yml[]
-----
-
-Make sure that you update at least the description of the module.
-
-
-[float]
-==== Testing
-
-It's a common pattern to use a `testing.go` file in the module package to share some testing functionality among
-the metricsets. This file does not have `_test.go` in the name because otherwise it would not be compiled for sub packages.
-
-To see an example of the `testing.go` file, look at the https://github.com/elastic/beats/tree/{branch}/metricbeat/module/mysql[mysql module].
-
-[float]
-===== Test a Metricbeat module manually
-
-To test a Metricbeat module manually, follow the steps below.
-
-First we have to build the Docker image which is available for the modules. The Dockerfile is located inside a `_meta` folder within each module folder. As an example let's take MySQL module.
-
-This steps assume you have checked out the Beats repository from Github and are inside `beats` directory. First, we have to enter in the `_meta` folder mentioned above and build the Docker image called `metricbeat-mysql`:
-
-[source,bash]
-----
-$ cd metricbeat/module/mysql/_meta/
-$ docker build -t metricbeat-mysql .
-...
-Removing intermediate container 0e58cfb7b197
- ---> 9492074840ea
-Step 5/5 : COPY test.cnf /etc/mysql/conf.d/test.cnf
- ---> 002969e1d810
-Successfully built 002969e1d810
-Successfully tagged metricbeat-mysql:latest
-----
-
-Before we run the container we have just created, we also need to know which port to expose. The port is listed in the `metricbeat/{module}/_meta/env` file:
-
-[source,bash]
-----
-$ cat env
-MYSQL_DSN=root:test@tcp(mysql:3306)/
-MYSQL_HOST=mysql
-MYSQL_PORT=3306
-----
-
-As we see, the port is 3306. We now have all the information to start our MySQL service locally:
-
-[source,bash]
-----
-$ docker run -p 3306:3306 -e MYSQL_ROOT_PASSWORD=secret metricbeat-mysql
-----
-
-This starts the container and you can now use it for testing the MySQL module.
-
-To run Metricbeat with the module we need to build the binary, enable the module first. The assumption is now that you are back in the `beats` folder path:
-
-[source,bash]
-----
-$ cd metricbeat
-$ mage build
-$ ./metricbeat modules enable mysql
-----
-
-This will enable the module and rename file `metricbeat/modules.d/mysql.yml.disabled` to `metricbeat/modules.d/mysql.yml`. According to our {metricbeat-ref}/metricbeat-module-mysql.html[documentation] we should specify username and password to user MySQL. It's always a good idea to take a look at the docs to see also that a pre-built dashboard is also available. So tweaking the config a bit, this is how it looks like:
-
-[source,yaml]
-----
-$ cat modules.d/mysql.yml
-
-# Module: mysql
-# Docs: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-mysql.html
-
-- module: mysql
-  metricsets:
-    - status
-  #  - galera_status
-  period: 10s
-
-  # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/"
-  # or "unix(/var/lib/mysql/mysql.sock)/",
-  # or another DSN format supported by <https://github.com/Go-SQL-Driver/MySQL/>.
-  # The username and password can either be set in the DSN or using the username
-  # and password config options. Those specified in the DSN take precedence.
-  hosts: ["tcp(127.0.0.1:3306)/"]
-
-  # Username of hosts. Empty by default.
-  username: root
-
-  # Password of hosts. Empty by default.
-  password: secret
-----
-
-It's now sending data to your local Elasticsearch instance. If you need to modify the mysql config, adjust `modules.d/mysql.yml` and restart Metricbeat.
-
-
-
-
-[float]
-===== Run Environment tests for one module
-
-All the environments are setup with docker. `make integration-tests-environment` and `make system-tests-environment` can be used to run tests for all modules. In case you are developing a module it is convenient to run the tests only for one module and directly run it on your machine.
-
-First you need to start the environment for your module to test and expose the port to your local machine. For this you can run the following command inside the metricbeat directory:
-
-[source,bash]
-----
-MODULE=apache PORT=80 make run-module
-----
-
-Note: The apache module with port 80 is taken here as an example. You must put the name and port for your own module here.
-
-This will start the environment and you must wait until the service is completely started. After that you can run the test which require an environment:
-
-[source,bash]
-----
-MODULE=apache make test-module
-----
-
-This will run the integration and system tests connecting to the environment in your docker container.
diff --git a/docs/devguide/documentation.asciidoc b/docs/devguide/documentation.asciidoc
deleted file mode 100644
index 82e12a2721bb..000000000000
--- a/docs/devguide/documentation.asciidoc
+++ /dev/null
@@ -1,114 +0,0 @@
-[[contributing-docs]]
-=== Contributing to the docs
-
-The Beats documentation follows the tagging guidelines described in the
-https://github.com/elastic/docs/blob/master/README.asciidoc[Docs HOWTO]. However
-it extends these capabilities in a couple ways:
-
-* The documentation makes extensive use of
-https://docs.asciidoctor.org/asciidoc/latest/directives/conditionals/[AsciiDoc conditionals]
-to provide content that is reused across multiple books. This means that there
-might not be a single source file for each published HTML page. Some files are
-shared across multiple books, either as complete pages or snippets. For more
-details, refer to <<where-to-find-files>>.
-
-* The documentation includes some files that are generated from YAML source or
-pieced together from content that lives in `_meta` directories under the code
-(for example, the module and exported fields documentation). For more details,
-refer to <<generated-docs>>.
-
-[float]
-[[where-to-find-files]]
-==== Where to find the Beats docs source
-
-Because the Beats documentation makes use of shared content, doc generation
-scripts, and componentization, the source files are located in several places:
-
-|===
-| Documentation | Location of source files
-
-| Main docs for the Beat, including index files
-| `<beatname>/docs`
-
-| Shared docs and Beats Platform Reference
-| `libbeat/docs`
-
-| Processor docs
-| `docs` folders under processors in `libbeat/processors/`,
-`x-pack/<beatname>/processors/`, and `x-pack/libbeat/processors/`
-
-| Output docs
-| `docs` folders under outputs in `libbeat/outputs/`
-
-| Module docs
-| `_meta` folders under modules and datasets in `libbeat/module/`,
-`<beatname>/module/`, and `x-pack/<beatname>/module/`
-|===
-
-The https://github.com/elastic/docs/blob/master/conf.yaml[conf.yaml] file in the
-`docs` repo shows all the resources used to build each book. This file is used
-to drive the classic docs build and is the source of truth for file locations.
-
-TIP: If you can't find the source for a page you want to update, go to the
-published page at www.elastic.co and click the Edit link to navigate to the
-source.
-
-The Beats documentation build also has dependencies on the following files in
-the https://github.com/elastic/docs[docs] repo:
-
-* `shared/versions/stack/<version>.asciidoc`
-* `shared/attributes.asciidoc`
-
-[float]
-[[generated-docs]]
-==== Generated docs
-
-After updating `docs.asciidoc` files in `_meta` directories, you must run the
-doc collector scripts to regenerate the docs.
-
-Make sure you
-<<setting-up-dev-environment,set up your Beats development environment>> and use
-the correct Go version. The Go version is listed in the `version.asciidoc` file
-for the branch you want to update.
-
-To run the docs collector scripts, change to the beats directory and run:
-
-`make update`
-
-WARNING: The `make update` command overwrites files in the `docs` directories
-**without warning**. If you accidentally update a generated file and run
-`make update`, your changes will be overwritten.
-
-To format your files, you might also need to run this command:
-
-`make fmt`
-
-The make command calls the following scripts to generate the docs:
-
-https://github.com/elastic/beats/blob/main/auditbeat/scripts/docs_collector.py[auditbeat/scripts/docs_collector.py]
-generates:
-
-* `auditbeat/docs/modules_list.asciidoc`
-* `auditbeat/docs/modules/*.asciidoc`
-
-https://github.com/elastic/beats/blob/main/filebeat/scripts/docs_collector.py[filebeat/scripts/docs_collector.py]
-generates:
-
-* `filebeat/docs/modules_list.asciidoc`
-* `filebeat/docs/modules/*.asciidoc`
-
-https://github.com/elastic/beats/blob/main/metricbeat/scripts/mage/docs_collector.go[metricbeat/scripts/mage/docs_collector.go]
-generates:
-
-* `metricbeat/docs/modules_list.asciidoc`
-* `metricbeat/docs/modules/*.asciidoc`
-
-https://github.com/elastic/beats/blob/main/libbeat/scripts/generate_fields_docs.py[libbeat/scripts/generate_fields_docs.py]
-generates
-
-* `auditbeat/docs/fields.asciidoc`
-* `filebeat/docs/fields.asciidoc`
-* `heartbeat/docs/fields.asciidoc`
-* `metricbeat/docs/fields.asciidoc`
-* `packetbeat/docs/fields.asciidoc`
-* `winlogbeat/docs/fields.asciidoc`
diff --git a/docs/devguide/event-conventions.asciidoc b/docs/devguide/event-conventions.asciidoc
deleted file mode 100644
index 3d2c09513272..000000000000
--- a/docs/devguide/event-conventions.asciidoc
+++ /dev/null
@@ -1,75 +0,0 @@
-[[event-conventions]]
-=== Naming Conventions
-
-When creating events, use the following conventions for field names and abbreviations.
-
-[[field-names]]
-==== Field Names
-
-Use the following naming conventions for field names:
-
-- All fields must be lower case.
-- Use snake case (underscores) for combining words.
-- Group related fields into subdocuments by using dot (.) notation. Groups typically have common prefixes. For example, if you have fields called `CPULoad` and `CPUSystem` in a service, you would convert
-them into `cpu.load` and `cpu.system` in the event. 
-- Avoid repeating the namespace in field names. If a word or abbreviation appears in the namespace, it's not needed in the field name. For example, instead of `cpu.cpu_load`, use `cpu.load`.
-- Use <<units,units suffix>> when the metric matches one of the known units.
-- Use <<abbreviations,standardised names>> and avoid using abbreviations that aren't commonly known.
-- Organise the documents from general to specific to allow for namespacing. The type, such as `.pct`, should always be last. For example, `system.core.user.pct`.
-- If two fields are the same, but with different units, remove the less granular one. For example, include `timeout.sec`, but don't include `timeout.min`. If a less granular value is required, you can calculate it later.
-- If a field name matches the namespace used for nested fields, add `.value` to the field name. For example, instead of:
-+
-[source,yaml]
-----------
-workers
-workers.busy
-workers.idle
-----------
-+
-Use:
-+
-[source,yaml]
-----------
-workers.value
-workers.busy
-workers.idle
-----------
-- Do not use dots (.) in individual field names. Dots are reserved for grouping related fields into subdocuments. 
-- Use singular and plural names properly to reflect the field content. For example, use `requests_per_sec` rather than `request_per_sec`. 
-
-[[units]]
-==== Units
-
-These are well-known suffixes to represent units of stored values, use them as a dotted suffix when
-possible. For example `system.memory.used.bytes` or `system.diskio.read.count`:
-
-[options="header"]
-|=======================
-|Suffix     |Units
-|count      |item count
-|pct        |percentage
-|day        |days
-|sec        |seconds
-|ms         |millisecond
-|us         |microseconds
-|ns         |nanoseconds
-|bytes      |bytes
-|mb         |megabytes
-|=======================
-
-
-[[abbreviations]]
-==== Standardised Names
-
-Here is a list of standardised names and units that are used across all Beats:
-
-[options="header"]
-|=======================
-|Use...     |Instead of... 
-|avg        |average
-|connection |conn
-|max        |maximum
-|min        |minimum
-|request    |req
-|msg        |message
-|=======================
diff --git a/docs/devguide/faq.asciidoc b/docs/devguide/faq.asciidoc
deleted file mode 100644
index 2f37bf0553dd..000000000000
--- a/docs/devguide/faq.asciidoc
+++ /dev/null
@@ -1,21 +0,0 @@
-[[dev-faq]]
-=== Metricbeat Developer FAQ
-
-This is a list of common questions when creating a metricset and the potential answers.
-
-[float]
-==== Metricset is not compiled
-
-You are compiling your Beat, but the newly created metricset is not compiled?
-
-Make sure that the path to your module and metricset are added as an import path either in your `main.go`
-file or your `include/list.go` file. You can do this manually or by running `make imports`.
-
-[float]
-==== Metricset is not started
-
-The metricset is compiled, but not started when starting Metricbeat?
-
-After creating your metricset, make sure you run `make collect`. This command adds the configuration
-of your metricset to the default configuration. If the metricset still doesn't start, check your
-default configuration file to see if the metricset is listed there.
diff --git a/docs/devguide/fields-yml.asciidoc b/docs/devguide/fields-yml.asciidoc
deleted file mode 100644
index 87197fc2fe91..000000000000
--- a/docs/devguide/fields-yml.asciidoc
+++ /dev/null
@@ -1,163 +0,0 @@
-[[event-fields-yml]]
-=== Defining field mappings
-
-You must define the fields used by your Beat, along with their mapping details,
-in `_meta/fields.yml`. After editing this file, run `make update`.
-
-Define the field mappings in the `fields` array:
-
-[source,yaml]
-----------------------------------------------------------------------
-- key: mybeat
-  title: mybeat
-  description: These are the fields used by mybeat.
-  fields:
-    - name: last_name <1>
-      type: keyword <2>
-      required: true <3>
-      description: > <4>
-        The last name.
-    - name: first_name
-      type: keyword
-      required: true
-      description: >
-        The first name.
-    - name: comment
-      type: text
-      required: false
-      description: >
-        Comment made by the user.
-----------------------------------------------------------------------
-
-<1> `name`: The field name
-<2> `type`: The field type. The value of `type` can be any datatype {ref}/mapping-types.html[available in {es}]. If no value is specified, the default type is `keyword`.
-<3> `required`: Whether or not a field value is required
-<4> `description`: Some information about the field contents
-
-==== Mapping parameters
-
-You can specify other mapping parameters for each field. See the
-{ref}/mapping-params.html[{es} Reference] for more details about each
-parameter.
-
-[horizontal]
-`format`:: Specify a custom date format used by the field.
-`multi_fields`:: For `text` or `keyword` fields, use `multi_fields` to define
-multi-field mappings.
-`enabled`:: Whether or not the field is enabled.
-`analyzer`:: Which analyzer to use when indexing.
-`search_analyzer`:: Which analyzer to use when searching.
-`norms`:: Applies to `text` and `keyword` fields. Default is `false`.
-`dynamic`:: Dynamic field control. Can be one of `true` (default), `false`, or
-`strict`.
-`index`:: Whether or not the field should be indexed.
-`doc_values`:: Whether or not the field should have doc values generated.
-`copy_to`:: Which field to copy the field value into.
-`ignore_above`:: {es} ignores (does not index) strings that are longer than the
-specified value. When this property value is missing or `0`, the `libbeat`
-default value of `1024` characters is used. If the value is `-1`, the {es}
-default value is used.
-
-For example, you can use the `copy_to` mapping parameter to copy the
-`last_name` and `first_name` fields into the `full_name` field at index time:
-
-[source,yaml]
-----------------------------------------------------------------------
-- key: mybeat
-  title: mybeat
-  description: These are the fields used by mybeat.
-  fields:
-    - name: last_name
-      type: text
-      required: true
-      copy_to: full_name <1>
-      description: >
-        The last name.
-    - name: first_name
-      type: text
-      required: true
-      copy_to: full_name <2>
-      description: >
-        The first name.
-    - name: full_name
-      type: text
-      required: false
-      description: >
-        The last_name and first_name combined into one field for easy searchability.
-----------------------------------------------------------------------
-<1> Copy the value of `last_name` into `full_name`
-<2> Copy the value of `first_name` into `full_name`
-
-There are also some {kib}-specific properties, not detailed here. These are:
-`analyzed`, `count`, `searchable`, `aggregatable`, and `script`. {kib}
-parameters can also be described using `pattern`, `input_format`,
-`output_format`, `output_precision`, `label_template`, `url_template`, and
-`open_link_in_current_tab`.
-
-==== Defining text multi-fields
-
-There are various options that you can apply when using text fields. You can
-define a simple text field using the default analyzer without any other options,
-as in the example shown earlier.
-
-To keep the original keyword value when using `text` mappings, for instance to
-use in aggregations or ordering, you can use a multi-field mapping:
-
-[source,yaml]
-----------------------------------------------------------------------
-- key: mybeat
-  title: mybeat
-  description: These are the fields used by mybeat.
-  fields:
-    - name: city
-      type: text
-      multi_fields: <1>
-        - name: keyword <2>
-          type: keyword <3>
-----------------------------------------------------------------------
-<1> `multi_fields`: Define the `multi_fields` mapping parameter.
-<2> `name`: This is a conventional name for a multi-field. It can be anything (`raw` is another common option) but the convention is to use `keyword`.
-<3> `type`: Specify the `keyword` type to use the field in aggregations or to order documents.
-
-For more information, see the {ref}/multi-fields.html[{es} documentation about
-multi-fields].
-
-==== Defining a text analyzer in-line
-
-It is possible to define a new text analyzer or search analyzer in-line with
-the field definition in the field's mapping parameters.
-
-For example, you can define a new text analyzer that does not break hyphenated names:
-
-[source,yaml]
-----------------------------------------------------------------------
-- key: mybeat
-  title: mybeat
-  description: These are the fields used by mybeat.
-  fields:
-    - name: last_name
-      type: text
-      required: true
-      description: >
-        The last name.
-      analyzer:
-        mybeat_hyphenated_name: <1>
-          type: pattern <2>
-          pattern: "[\\W&&[^-]]+" <3>
-      search_analyzer:
-        mybeat_hyphenated_name: <4>
-          type: pattern
-          pattern: "[\\W&&[^-]]+"
-----------------------------------------------------------------------
-<1> Use a newly defined text analyzer
-<2> Define the custome analyzer type
-<3> Specify the analyzer behaviour
-<4> Use the same analyzer for the search
-
-The names of custom analyzers that are defined in-line may not be reused for a different
-text analyzer. If a text analyzer name is reused it is checked for matching existing
-instances of the analyzer. It is recommended that the analyzer name is prefixed with the
-beat name to avoid name clashes.
-
-For more information, see {ref}/analysis-custom-analyzer.html[{es} documentation about
-defining custom text analyzers].
diff --git a/docs/devguide/generator-support-note.asciidoc b/docs/devguide/generator-support-note.asciidoc
deleted file mode 100644
index 25579798ed28..000000000000
--- a/docs/devguide/generator-support-note.asciidoc
+++ /dev/null
@@ -1,13 +0,0 @@
-// tag::metricset-generator[]
-IMPORTANT: Elastic provides no warranty or support for the code used to generate
-metricsets. The generator is mainly offered as guidance for developers who want
-to create their own data shippers.
-
-// end::metricset-generator[]
-
-// tag::filebeat-generator[]
-IMPORTANT: Elastic provides no warranty or support for the code used to generate
-modules and filesets. The generator is mainly offered as guidance for developers
-who want to create their own data shippers.
-
-// end::filebeat-generator[]
\ No newline at end of file
diff --git a/docs/devguide/images/beat_overview.png b/docs/devguide/images/beat_overview.png
deleted file mode 100644
index 55621249ec6a..000000000000
Binary files a/docs/devguide/images/beat_overview.png and /dev/null differ
diff --git a/docs/devguide/index.asciidoc b/docs/devguide/index.asciidoc
deleted file mode 100644
index 3f554ee45540..000000000000
--- a/docs/devguide/index.asciidoc
+++ /dev/null
@@ -1,42 +0,0 @@
-[[beats-reference]]
-= Beats Developer Guide
-
-:libbeat-dir: {docdir}/../../libbeat/docs
-
-include::{libbeat-dir}/version.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/versions/stack/{source_branch}.asciidoc[]
-
-:dev-guide: true
-:beatname_lc: beatname
-:beatname_uc: a Beat
-
-include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
-
-include::{libbeat-dir}/shared-beats-attributes.asciidoc[]
-
-include::./pull-request-guidelines.asciidoc[]
-
-include::./contributing.asciidoc[]
-
-include::./documentation.asciidoc[]
-
-include::./testing.asciidoc[]
-
-include::{libbeat-dir}/communitybeats.asciidoc[]
-
-include::./fields-yml.asciidoc[]
-
-include::./event-conventions.asciidoc[]
-
-include::./python.asciidoc[]
-
-include::./newdashboards.asciidoc[]
-
-include::./new_protocol.asciidoc[]
-
-include::./metricbeat-devguide.asciidoc[]
-
-include::./modules-dev-guide.asciidoc[]
-
-include::./migrate-dashboards.asciidoc[]
diff --git a/docs/devguide/metricbeat-devguide.asciidoc b/docs/devguide/metricbeat-devguide.asciidoc
deleted file mode 100644
index 265bef2b8dd6..000000000000
--- a/docs/devguide/metricbeat-devguide.asciidoc
+++ /dev/null
@@ -1,61 +0,0 @@
-
-[[metricbeat-developer-guide]]
-== Extending Metricbeat
-
-Metricbeat periodically interrogates other services to fetch key metrics
-information. As a developer, you can use Metricbeat in two different ways:
-
-* Extend Metricbeat directly
-* Create your own Beat and use Metricbeat as a library
-
-We recommend that you start by creating your own Beat to keep the development of your own module or metricset
-independent of Metricbeat. At a later stage, if you decide to add a module to Metricbeat, you can reuse
-the code without making additional changes.
-
-This following topics describe how to contribute to Metricbeat by adding metricsets, modules, and new Beats based on Metricbeat:
-
-* <<metricbeat-dev-overview>>
-* <<creating-metricsets>>
-* <<metricset-details>>
-* <<creating-metricbeat-module>>
-* <<dev-faq>>
-
-If you would like to contribute to Metricbeat or the Beats project, also see
-<<beats-contributing>>.
-
-[[metricbeat-dev-overview]]
-=== Overview
-
-Metricbeat consists of modules and metricsets. A Metricbeat module is typically
-named after the service the metrics are fetched from, such as redis,
-mysql, and so on. Each module can contain multiple metricsets. A metricset represents
-multiple metrics that are normally retrieved with one request from the remote
-system. For example, the Redis `info` metricset retrieves info that you get when you
-run the Redis `INFO` command, and the MySQL `status` metricset retrieves
-info that you get when you issue the MySQL `SHOW GLOBAL STATUS` query.
-
-[float]
-==== Module and Metricsets Requirements
-
-To guarantee the best user experience, it's important to us that only high quality
-modules are part of Metricbeat. The modules and metricsets that are contributed
-must meet the following requirements:
-
-* Complete `fields.yml` file to generate docs and Elasticsearch templates
-* Documentation files
-* Integration tests
-* 80% test coverage (unit, integration, and system tests combined)
-
-Metricbeat allows you to build a wide variety of modules and metricsets on top of it.
-For a module to be accepted, it should focus on fetching service metrics
-directly from the service itself and not via a third-party tool. The goal is to
-have as few movable parts as possible and for Metricbeat to run as close as
-possible to the service that it needs to monitor.
-
-include::./create-metricset.asciidoc[]
-
-include::./metricset-details.asciidoc[]
-
-include::./create-module.asciidoc[]
-
-include::./faq.asciidoc[]
diff --git a/docs/devguide/metricset-details.asciidoc b/docs/devguide/metricset-details.asciidoc
deleted file mode 100644
index acb7209d0e82..000000000000
--- a/docs/devguide/metricset-details.asciidoc
+++ /dev/null
@@ -1,326 +0,0 @@
-[[metricset-details]]
-=== Metricset Details
-
-This topic provides additional details about creating metricsets.
-
-[float]
-=== Adding Special Configuration Options
-
-Each metricset can have its own configuration variables defined. To make use of
-these variables, you must extend the `New` method. For example, let's assume that
-you want to add a `password` config option to the metricset. You would extend
-`beat.yml` in the following way:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: {module}
-  metricsets: ["{metricset}"]
-  password: "test1234"
-----
-
-To read in the new `password` config option, you need to modify the `New` method. First you define a config
-struct that contains the value types to be read. You can set default values, as needed. Then you pass the config to
-the `UnpackConfig` method for loading the configuration.
-
-Your implementation should look something like this:
-
-[source,go]
-----
-type MetricSet struct {
-	mb.BaseMetricSet
-	password string
-}
-
-func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
-
-	// Unpack additional configuration options.
-	config := struct {
-		Password string `config:"password"`
-	}{
-		Password: "",
-	}
-	err := base.Module().UnpackConfig(&config)
-	if err != nil {
-		return nil, err
-	}
-
-	return &MetricSet{
-		BaseMetricSet: base,
-		password:      config.Password,
-	}, nil
-}
-----
-
-
-[float]
-==== Timeout Connections to Services
-
-Each time the `Fetch` method is called, it makes a request to the service, so it's
-important to handle the connections correctly. We recommended that you set up the
-connections in the `New` method and persist them in the `MetricSet` object. This allows
-connections to be reused.
-
-One very important point is that connections must respect the timeout variable:
-`base.Module().Config().Timeout`. If the timeout elapses before the request completes,
-the request must be ended and an error must be returned to make sure the next request
-can be started on time. By default the Timeout is set to Period, so one request gets
-ended before a new request is made.
-
-If a request must be ended or has an error, make sure that you return a useful error
-message. This error message is also sent to Elasticsearch, making it possible to not
-only fetch metrics from the service, but also report potential problems or errors with
-the metricset.
-
-
-[float]
-==== Data Transformation
-
-If the data transformation that has to happen in the `Fetch` method is
-extensive, we recommend that you create a second file called `data.go` in the same package
-as the metricset. The `data.go` file should contain a function called `eventMapping(...)`.
-A separate file is not required, but is currently a best practice because it isolates the
-functionality of the metricset and `Fetch` method from the data mapping.
-
-
-
-[float]
-==== fields.yml
-
-You can find up to 3 different types of files named `fields.yml` in the beats repository for each metricbeat module:
-
-* `metricbeat/fields.yml`: Contains the definitions to create the Elasticsearch template, the Kibana index pattern configuration and the exported fields documentation for metricsets. To make sure the Elasticsearch template is correct, it's important to keep this file up-to-date with all the changes. Generally, you shouldn't touch this file manually because it's generated by some commands in the build environment.
-* `metricbeat/module/{module}/_meta/fields.yml`: Contains the general top level structure for all metricsets in a module.
-Normally you only need to modify the description in this file. Here is an example for the `fields.yml` file from the MySQL module.
-+
-[source,yaml]
-----
-include::../../metricbeat/module/mysql/_meta/fields.yml[]
-----
-+
-* `metricbeat/module/{module}/{metricset}/_meta/fields.yml`: Contains all fields definitions retrieved by the metricset.
-As field types, each field must have a core data type
-{ref}/mapping-types.html#_core_datatypes[supported by elasticsearch]. Here's a very basic example that shows one group from the MySQL `status` metricset:
-+
-[source,yaml]
-----
-- name: status
-  type: group
-  description: >
-    `status` contains the metrics that were obtained by the status SQL query.
-  fields:
-    - name: aborted
-      type: group
-      description: Aborted status fields.
-      fields:
-        - name: clients
-          type: integer
-          description: >
-            The number of connections that were aborted because the client died without closing the connection properly.
-
-        - name: connects
-          type: integer
-          description: >
-            The number of failed attempts to connect to the MySQL server.
-----
-+
-
-// TODO: Add link to general fields.yml developer guide
-
-[float]
-==== Testing
-
-It's important to also add tests for your metricset. There are three different types of tests that you need for testing a Beat:
-
-* unit tests
-* integration tests
-* system tests
-
-We recommend that you use all three when you create a metricset. Unit tests are
-written in Go and have no dependencies. Integration tests are also written
-in Go but require the service from which the module collects metrics to also be running.
-System tests for Metricbeat also require the service to be running in most cases and are
-written in Python {python_major_version} based on our small Python test framework.
-We use https://docs.python.org/3/library/venv.html[venv] to deal with Python dependencies.
-You can simply run the command `make python-env`  and then `. build/python-env/bin/activate` .
-
-You should use a combination of the three test types to test your metricsets because
-each method has advantages and disadvantages. To get started with your own tests, it's best
-to look at the existing tests. You'll find the unit and integration tests
-in the `_test.go` files under existing modules and metricsets.
-Integration tests usually take the form of `TestFetch` and `TestData`.
-The system tests are under `tests/systems`.
-
-
-[float]
-===== Adding a Test Environment
-
-Integration and system tests need an environment that's running the service. You
-can create this environment by using Docker and a docker-compose file. If you add a
-module that requires a service, you must add the service to the virtual environment.
-To do this, you:
-
-* Update the `docker-compose.yml` file with your environment
-* Update the `docker-entrypoint.sh` script
-
-The `docker-compose.yml` file is at the root of Metricbeat. Most services have
-existing Docker modules and can be added as simply as Redis:
-
-[source,yaml]
-----
-redis:
-  image: redis:3.2.3
-----
-
-To allow the Beat to access your service, make sure that you define the environment
-variables in the docker-compose file and add the link to the container:
-
-[source,yaml]
-----
-beat:
-  links:
-    - redis
-  environment:
-    - REDIS_HOST=redis
-    - REDIS_PORT=6379
-----
-
-To make sure the service is running before the tests are started, modify the
-`docker-entrypoint.sh` script to add a check that verifies your service is
-running. For example, the check for Redis looks like this:
-
-[source,shell]
-----
-waitFor ${REDIS_HOST} ${REDIS_PORT} Redis
-----
-
-The environment expects your service to be available as soon as it receives a response from
-the given address and port.
-
-[float]
-===== Adding the standard metricset integration tests
-
-There are normally two integration tests that are part of every metricset: `TestFetch` and `TestData`.
-Both tests will start up a new instance of your metricset and fetch an event. In order to start a metricset, you need to create a configuration object:
-
-[source,go]
-----
-func getConfig() map[string]interface{} {
-    return map[string]interface{}{
-    "module":           "{module}",
-    "metricsets":       []string{"{metricset}"},
-    "hosts":      []string{GetEnvHost() + ":" + GetEnvPort()}, <1>
-  }
-}
-
-func GetEnvHost() string { <2>
-    host := os.Getenv("{module}_HOST")
-    if len(host) == 0 {
-    host = "127.0.0.1"
-  }
-  return host
-}
-
-func GetEnvPort() string { <2>
-    port := os.Getenv("{module}_PORT")
-
-    if len(port) == 0 {
-      port = "1234"
-    }
-  return port
-}
-
-----
-<1> Add any additional config options your metricset needs here.
-<2> The endpoint used by the metricset needs to be configurable for manual and automated testing.
-Environment variables should be defined in the module under `_meta/env` and included in the `docker-compose.yml` file.
-
-The `TestFetch` integration test will return a single event from your metricset, which you can use to test the validity of the data.
-`TestData` will (re)generate the `_meta/data.json` file that documents the data reported by the metricset.
-
-[source,go]
-----
-import (
-	"os"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-
-	"github.com/elastic/beats/libbeat/tests/compose"
-	mbtest "github.com/elastic/beats/metricbeat/mb/testing"
-)
-
-func TestFetch(t *testing.T) {
-	compose.EnsureUp(t, "{module}") <1>
-
-	f := mbtest.NewReportingMetricSetV2Error(t, getConfig())
-
-	events, errs := mbtest.ReportingFetchV2Error(f)
-	if len(errs) > 0 {
-		t.Fatalf("Expected 0 errord, had %d. %v\n", len(errs), errs)
-	}
-
-	assert.NotEmpty(t, events) <2>
-
-}
-
-func TestData(t *testing.T) {
-
-	f := mbtest.NewReportingMetricSetV2Error(t, getConfig())
-
-	err := mbtest.WriteEventsReporterV2Error(f, t, "") <3>
-	if !assert.NoError(t, err) {
-		t.FailNow()
-	}
-}
-----
-<1> Use this to start the docker service associated with your metricset.
-<2> Add any further validity checks to verify the metricset is working.
-<3> `WriteEventsReporterV2Error` will take the first valid event from the metricset and write it to `_meta/data.json`
-
-[float]
-===== Running the Tests
-
-To run all the tests, run `make testsuite`. To only run unit tests, run
-`mage unitTest`, or for integration tests `mage integTest`.
-Be aware that a running Docker environment is needed for integration and system
-tests.
-
-To run `TestData` and generate the `data.json` file, run
-`go test -tags=integration -data -run TestData` in the directory where your test is located.
-
-To run the integration tests for a single module, set the `MODULE` environment
-variable to the name of the directory of the module. For example you can run the
-following command to run integration tests for `apache` module:
-
-[source,shell]
-----
-MODULE=apache mage integTest
-----
-
-
-[float]
-=== Documentation
-
-Each module must be documented. The documentation is based on asciidoc and is in
-the file `module/{module}/_meta/docs.asciidoc` for the module and in `module/{module}/{metricset}/_meta/docs.asciidoc`
- for the metricset. Basic documentation with the config file and an example output is automatically
- generated. Use these files to document specific configuration options or usage examples.
-
-
-
-
-////
-TODO: The following parts should be added as soon as the content exists or the implementation is completed.
-
-[float]
-== Field naming
-https://github.com/elastic/beats/blob/main/metricbeat/module/doc.go
-
-[float]
-== Dashboards
-
-Dashboards are an important part of each metricset. Data gets much more useful
-when visualized. To create dashboards for the metricset, follow the guide here
-(link to dashboard guide).
-////
diff --git a/docs/devguide/migrate-dashboards.asciidoc b/docs/devguide/migrate-dashboards.asciidoc
deleted file mode 100644
index 453b065c90e2..000000000000
--- a/docs/devguide/migrate-dashboards.asciidoc
+++ /dev/null
@@ -1,98 +0,0 @@
-== Migrating dashboards from Kibana 5.x to 6.x
-
-This section is useful for the community Beats to migrate the Kibana 5.x dashboards to 6.x dashboards.
-
-In the Kibana 5.x, the saved dashboards consist of multiple JSON files, one for each dashboard, search, visualization
-and index-pattern. To import a dashboard in Kibana, you need to load not only the JSON file containing the dashboard, but
-also all its dependencies (searches, visualizations).
-
-Starting with Kibana 6.0, the dashboards are loaded by default via the Kibana API. In this case, the saved dashboard
-consist of a single JSON file that includes not only the dashboard content, but also all its dependencies.
-
-As the format of the dashboards and index-pattern for Kibana 5.x is different than the ones for Kibana 6.x, they are placed in different
-directories. Depending on the Kibana version, the 5.x or 6.x dashboards are loaded.
-
-The Kibana 5.x dashboards are placed under the 5.x directory that contains the following directories:
-- search
-- visualization
-- dashboard
-- index-pattern
-
-The Kibana 6.x dashboards and later are placed under the default directory that contains the following directories:
-- dashboard
-- index-pattern
-
-NOTE:: Please make sure the 5.x and default directories are created before running the following commands.
-
-To migrate your Kibana 5.x dashboards to Kibana 6.0 and above, you can import the dashboards into Kibana 5.6 and then
-export them using Beats 6.0 version.
-
-* Start Kibana 5.6
-* Import Kibana 5.x dashboards using Beats 6.0 version.
-
-Before importing the dashboards, make sure you run `make update` in the Beat directory, that updates the `_meta/kibana` directory. It generates the index-pattern from
-the `fields.yml` file, and places it under the `5.x/index-pattern` and `default/index-pattern` directories. In case of Metricbeat, Filebeat and Auditbeat,
-it collects the dashboards from all the modules to the `_meta/kibana` directory.
-
-[source,shell]
------------------
-make update
------------------
-
-Then load all the Beat's dashboards. For example, to load the Metricbeat rabbitmq dashboards together with the Metricbeat index-pattern into Kibana 5.6,
-using the Kibana API:
-
-[source,shell]
------------------
-make update
-./metricbeat setup -E setup.dashboards.directory=_meta/kibana
------------------
-
-* Export the dashboards using Beats 6.0 version.
-
-You can export the dashboards via the Kibana API by using the
-https://github.com/elastic/beats/blob/main/dev-tools/cmd/dashboards/export_dashboards.go[export_dashboards.go]
-application.
-
-For example, to export the Metricbeat rabbitmq dashboard:
-
-[source,shell]
------------------
-cd beats/metricbeat
-go run ../dev-tools/cmd/dashboards/export_dashboards.go -dashboards Metricbeat-Rabbitmq -output
-module/rabbitmq/_meta/kibana/default/Metricbeat-Rabbitmq.json <1>
------------------
-<1> `Metricbeat-Rabbitmq` is the ID of the dashboard that you want to export.
-
-Note: You can get the dashboard ID from the URL of the dashboard in Kibana. Depending on the Kibana version the
-dashboard was created, the ID consists of a name or random characters that can be separated by `-`.
-
-This command creates a single JSON file (Metricbeat-Rabbitmq.JSON) that contains the dashboard and all the dependencies like searches,
-visualizations. The name of the output file has the format: <Beat name>-<module name>.json.
-
-Starting with Beats 6.0.0, you can create an `yml` file for each module or for the entire Beat with all the dashboards.
-Below is an example of the `module.yml` file for the system module in Metricbeat.
-
-[source,yaml]
-----------------
-dashboards:
-    - id: Metricbeat-system-overview <1>
-      file: Metricbeat-system-overview.json <2>
-
-    - id: 79ffd6e0-faa0-11e6-947f-177f697178b8
-      file: Metricbeat-host-overview.json
-
-    - id: CPU-slash-Memory-per-container
-      file: Metricbeat-docker-overview.json
-----------------
-<1> Dashboard ID.
-<2> The JSON file where the dashboard is saved on disk.
-
-Using the yml file, you can export all the dashboards for a single module or for the entire Beat using a single command:
-
-[source,shell]
-----
-cd metricbeat/module/system
-go run ../../../dev-tools/cmd/dashboards/export_dashboards.go -yml module.yml
-----
-
diff --git a/docs/devguide/modules-dev-guide.asciidoc b/docs/devguide/modules-dev-guide.asciidoc
deleted file mode 100644
index 7e5178cd651c..000000000000
--- a/docs/devguide/modules-dev-guide.asciidoc
+++ /dev/null
@@ -1,530 +0,0 @@
-[[filebeat-modules-devguide]]
-== Creating a New Filebeat Module
-
-include::generator-support-note.asciidoc[tag=filebeat-generator]
-
-This guide will walk you through creating a new Filebeat module.
-
-All Filebeat modules currently live in the main
-https://github.com/elastic/beats[Beats] repository. To clone the repository and
-build Filebeat (which you will need for testing), please follow the general
-instructions in <<beats-contributing>>.
-
-[float]
-=== Overview
-
-Each Filebeat module is composed of one or more "filesets". We usually create a
-module for each service that we support (`nginx` for Nginx, `mysql` for Mysql,
-and so on) and a fileset for each type of log that the service creates. For
-example, the Nginx module has `access` and `error` filesets. You can contribute
-a new module (with at least one fileset), or a new fileset for an existing
-module.
-
-NOTE: In this guide we use `{module}` and `{fileset}` as placeholders for the
-module and fileset names. You need to replace these with the actual names you
-entered when your created the module and fileset. Only use characters `[a-z]` and, if required, underscores (`_`). No other characters are allowed.
-
-[float]
-=== Creating a new module
-
-Run the following command in the `filebeat` folder:
-
-[source,bash]
-----
-make create-module MODULE={module}
-----
-
-After running the `make create-module` command, you'll find the module,
-along with its generated files, under `module/{module}`. This
-directory contains the following files:
-
-[source,bash]
-----
-module/{module}
-├── module.yml
-└── _meta
-    └── docs.asciidoc
-    └── fields.yml
-    └── kibana
-----
-
-Let's look at these files one by one.
-
-[float]
-==== module.yml
-
-This file contains list of all the dashboards available for the module and used by `export_dashboards.go` script for exporting dashboards.
-Each dashboard is defined by an id and the name of json file where the dashboard is saved locally.
-At generation new fileset this file will be automatically updated with "default" dashboard settings for new fileset.
-Please ensure that this settings are correct.
-
-[float]
-==== _meta/docs.asciidoc
-
-This file contains module-specific documentation. You should include information
-about which versions of the service were tested and the variables that are
-defined in each fileset.
-
-[float]
-==== _meta/fields.yml
-
-The module level `fields.yml` contains descriptions for the module-level fields.
-Please review and update the title and the descriptions in this file. The title
-is used as a title in the docs, so it's best to capitalize it.
-
-[float]
-==== _meta/kibana
-
-This folder contains the sample Kibana dashboards for this module. To create
-them, you can build them visually in Kibana and then export them with `export_dashboards`.
-
-The tool will export all of the dashboard dependencies (visualizations,
-saved searches) automatically.
-
-You can see various ways of using `export_dashboards` at <<export-dashboards>>.
-The recommended way to export them is to list your dashboards in your module's
-`module.yml` file:
-
-[source,yaml]
-----
-dashboards:
-- id: 69f5ae20-eb02-11e7-8f04-beef1daadb05
-  file: mymodule-overview.json
-- id: c0a7ce90-cafe-4242-8647-534bb4c21040
-  file: mymodule-errors.json
-----
-
-Then run `export_dashboards` like this:
-
-[source,shell]
-----
-$ cd dev-tools/cmd/dashboards
-$ make # if export_dashboard is not built yet
-$ ./export_dashboards --yml '../../../filebeat/module/{module}/module.yml'
-----
-
-New Filebeat modules might not be compatible with Kibana 5.x. To export dashboards
-that are compatible with 5.x, run the following command inside the developer
-virtual environment:
-
-[source,shell]
-----
-$ cd filebeat
-$ make python-env
-$ cd module/{module}/
-$ python ../../../dev-tools/export_5x_dashboards.py --regex {module} --dir _meta/kibana/5.x
-----
-
-Where the `--regex` parameter should match the dashboard you want to export.
-
-Please note that dashboards exported from Kibana 5.x are not compatible with Kibana 6.x.
-
-You can find more details about the process of creating and exporting the Kibana
-dashboards by reading {beatsdevguide}/new-dashboards.html[this guide].
-
-[float]
-=== Creating a new fileset
-
-Run the following command in the `filebeat` folder:
-
-[source,bash]
-----
-make create-fileset MODULE={module} FILESET={fileset}
-----
-
-After running the `make create-fileset` command, you'll find the fileset,
-along with its generated files, under `module/{module}/{fileset}`. This
-directory contains the following files:
-
-[source,bash]
-----
-module/{module}/{fileset}
-├── manifest.yml
-├── config
-│   └── {fileset}.yml
-├── ingest
-│   └── pipeline.json
-├── _meta
-│   └── fields.yml
-│   └── kibana
-│       └── default
-└── test
-----
-
-Let's look at these files one by one.
-
-[float]
-==== manifest.yml
-
-The `manifest.yml` is the control file for the module, where variables are
-defined and the other files are referenced. It is a YAML file, but in many
-places in the file, you can use built-in or defined variables by using the
-`{{.variable}}` syntax.
-
-The `var` section of the file defines the fileset variables and their default
-values. The module variables can be referenced in other configuration files,
-and their value can be overridden at runtime by the Filebeat configuration.
-
-As the fileset creator, you can use any names for the variables you define. Each
-variable must have a default value. So in it's simplest form, this is how you
-can define a new variable:
-
-[source,yaml]
-----
-var:
-  - name: pipeline
-    default: with_plugins
-----
-
-Most fileset should have a `paths` variable defined, which sets the default
-paths where the log files are located:
-
-[source,yaml]
-----
-var:
-  - name: paths
-    default:
-      - /example/test.log*
-    os.darwin:
-      - /usr/local/example/test.log*
-      - /example/test.log*
-    os.windows:
-      - c:/programdata/example/logs/test.log*
-----
-
-There's quite a lot going on in this file, so let's break it down:
-
-* The name of the variable is `paths` and the default value is an array with one
-  element: `"/example/test.log*"`.
-* Note that variable values don't have to be strings.
-  They can be also numbers, objects, or as shown in this example, arrays.
-* We will use the `paths` variable to set the input `paths`
-  setting, so "glob" values can be used here.
-* Besides the `default` value, the file defines values for particular
-  operating systems: a default for darwin/OS X/macOS systems and a default for
-  Windows systems. These are introduced via the `os.darwin` and `os.windows`
-  keywords. The values under these keys become the default for the variable, if
-  Filebeat is executed on the respective OS.
-
-Besides the variable definition, the `manifest.yml` file also contains
-references to the ingest pipeline and input configuration to use (see next
-sections):
-
-[source,yaml]
-----
-ingest_pipeline: ingest/pipeline.json
-input: config/testfileset.yml
-----
-
-These should point to the respective files from the fileset.
-
-Note that when evaluating the contents of these files, the variables are
-expanded, which enables you to select one file or the other depending on the
-value of a variable. For example:
-
-[source,yaml]
-----
-ingest_pipeline: ingest/{{.pipeline}}.json
-----
-
-This example selects the ingest pipeline file based on the value of the
-`pipeline` variable. For the `pipeline` variable shown earlier, the path would
-resolve to `ingest/with_plugins.json` (assuming the variable value isn't
-overridden at runtime.)
-
-In 6.6 and later, you can specify multiple ingest pipelines.
-
-[source,yaml]
-----
-ingest_pipeline:
-  - ingest/main.json
-  - ingest/plain_logs.json
-  - ingest/json_logs.json
-----
-
-When multiple ingest pipelines are specified the first one in the list is
-considered to be the entry point pipeline.
-
-One reason for using multiple pipelines might be to send all logs harvested
-by this fileset to the entry point pipeline and have it delegate different parts of
-the processing to other pipelines. You can read details about setting
-this up in <<ingest-json-entry-point-pipeline, the `ingest/*.json` section>>.
-
-[float]
-==== config/*.yml
-
-The `config/` folder contains template files that generate Filebeat input
-configurations. The Filebeat inputs are primarily responsible for tailing
-files, filtering, and multi-line stitching, so that's what you configure in the
-template files.
-
-A typical example looks like this:
-
-[source,yaml]
-----
-type: log
-paths:
-{{ range $i, $path := .paths }}
- - {{$path}}
-{{ end }}
-exclude_files: [".gz$"]
-----
-
-You'll find this example in the template file that gets generated automatically
-when you run `make create-fileset`. In this example, the `paths` variable is
-used to construct the `paths` list for the input `paths` option.
-
-Any template files that you add to the `config/` folder need to generate a valid
-Filebeat input configuration in YAML format. The options accepted by the
-input configuration are documented in the
-{filebeat-ref}/configuration-filebeat-options.html[Filebeat Inputs] section of
-the Filebeat documentation.
-
-The template files use the templating language defined by the
-https://golang.org/pkg/text/template/[Go standard library].
-
-Here is another example that also configures multiline stitching:
-
-[source,yaml]
-----
-type: log
-paths:
-{{ range $i, $path := .paths }}
- - {{$path}}
-{{ end }}
-exclude_files: [".gz$"]
-multiline:
-  pattern: "^# User@Host: "
-  negate: true
-  match: after
-----
-
-Although you can add multiple configuration files under the `config/` folder,
-only the file indicated by the `manifest.yml` file will be loaded. You can use
-variables to dynamically switch between configurations.
-
-[float]
-==== ingest/*.json
-
-The `ingest/` folder contains {es} {ref}/ingest.html[ingest pipeline]
-configurations. Ingest pipelines are responsible for parsing the log lines and
-doing other manipulations on the data.
-
-The files in this folder are JSON or YAML documents representing
-{ref}/pipeline.html[pipeline definitions]. Just like with the `config/`
-folder, you can define multiple pipelines, but a single one is loaded at runtime
-based on the information from `manifest.yml`.
-
-The generator creates a JSON object similar to this one:
-
-[source,json]
-----
-{
-  "description": "Pipeline for parsing {module} {fileset} logs",
-  "processors": [
-    ],
-  "on_failure" : [{
-    "set" : {
-      "field" : "error.message",
-      "value" : "{{ _ingest.on_failure_message }}"
-    }
-  }]
-}
-----
-
-Alternatively, you can use YAML formatted pipelines, which uses a simpler syntax:
-
-[source,yaml]
-----
-description: "Pipeline for parsing {module} {fileset} logs"
-processors:
-on_failure:
- - set:
-     field: error.message
-     value: "{{ _ingest.on_failure_message }}"
-----
-
-From here, you would typically add processors to the `processors` array to do
-the actual parsing. For information about available ingest processors, see the
-{ref}/processors.html[processor reference documentation]. In
-particular, you will likely find the
-{ref}/grok-processor.html[grok processor] to be useful for parsing.
-Here is an example for parsing the Nginx access logs.
-
-[source,json]
-----
-{
-  "grok": {
-    "field": "message",
-    "patterns":[
-      "%{IPORHOST:nginx.access.remote_ip} - %{DATA:nginx.access.user_name} \\[%{HTTPDATE:nginx.access.time}\\] \"%{WORD:nginx.access.method} %{DATA:nginx.access.url} HTTP/%{NUMBER:nginx.access.http_version}\" %{NUMBER:nginx.access.response_code} %{NUMBER:nginx.access.body_sent.bytes} \"%{DATA:nginx.access.referrer}\" \"%{DATA:nginx.access.agent}\""
-      ],
-    "ignore_missing": true
-  }
-}
-----
-
-Note that you should follow the convention of naming of fields prefixed with the
-module and fileset name: `{module}.{fileset}.field`, e.g.
-`nginx.access.remote_ip`. Also, please review our <<event-conventions>>.
-
-[[ingest-json-entry-point-pipeline]]
-In 6.6 and later, ingest pipelines can use the
-{ref}/conditionals-with-multiple-pipelines.html[`pipeline` processor] to delegate
-parts of the processings to other pipelines.
-
-This can be useful if you want a fileset to ingest the same _logical_ information
-presented in different formats, e.g. csv vs. json versions of the same log files.
-Imagine an entry point ingest pipeline that detects the format of a log entry and then conditionally
-delegates further processing of that log entry, depending on the format, to another
-pipeline.
-
-["source","json",subs="callouts"]
-----
-{
-  "processors": [
-    {
-      "grok": {
-        "field": "message",
-        "patterns": [
-          "^%{CHAR:first_char}"
-        ],
-        "pattern_definitions": {
-          "CHAR": "."
-        }
-      }
-    },
-    {
-      "pipeline": {
-        "if": "ctx.first_char == '{'",
-        "name": "{< IngestPipeline "json-log-processing-pipeline" >}" <1>
-      }
-    },
-    {
-      "pipeline": {
-        "if": "ctx.first_char != '{'",
-        "name": "{< IngestPipeline "plain-log-processing-pipeline" >}"
-      }
-    }
-  ]
-}
-----
-<1>  Use the `IngestPipeline` template function to resolve the name. This function converts the
-specified name into the fully qualified pipeline ID that is stored in Elasticsearch.
-
-In order for the above pipeline to work, Filebeat must load the entry point pipeline
-as well as any sub-pipelines into Elasticsearch. You can tell Filebeat to do
-so by specifying all the necessary pipelines for the fileset in its `manifest.yml`
-file. The first pipeline in the list is considered to be the entry point pipeline.
-
-[source,yaml]
-----
-ingest_pipeline:
-  - ingest/main.json
-  - ingest/plain_logs.yml
-  - ingest/json_logs.json
-----
-
-While developing the pipeline definition, we recommend making use of the
-{ref}/simulate-pipeline-api.html[Simulate Pipeline API] for testing
-and quick iteration.
-
-By default Filebeat does not update Ingest pipelines if already loaded. If you
-want to force updating your pipeline during development, use
-`./filebeat setup --pipelines` command. This uploads pipelines even if they
-are already available on the node.
-
-[float]
-==== _meta/fields.yml
-
-The `fields.yml` file contains the top-level structure for the fields in your
-fileset. It is used as the source of truth for:
-
-* the generated Elasticsearch mapping template
-* the generated Kibana index pattern
-* the generated documentation for the exported fields
-
-Besides the `fields.yml` file in the fileset, there is also a `fields.yml` file
-at the module level, placed under `module/{module}/_meta/fields.yml`, which
-should contain the fields defined at the module level, and the description of
-the module itself. In most cases, you should add the fields at the fileset
-level.
-
-After `pipeline.json` is created, it is possible to generate a base `field.yml`.
-
-[source,bash]
-----
-make create-fields MODULE={module} FILESET={fileset}
-----
-
-Please, always check the generated file and make sure the fields are correct.
-You must add field documentation manually.
-
-If the fields are correct, it is time to generate documentation, configuration
-and Kibana index patterns.
-
-[source,bash]
-----
-make update
-----
-
-[float]
-==== test
-
-In the `test/` directory, you should place sample log files generated by the
-service. We have integration tests, automatically executed by CI, that will run
-Filebeat on each of the log files under the `test/` folder and check that there
-are no parsing errors and that all fields are documented.
-
-In addition, assuming you have a `test.log` file, you can add a
-`test.log-expected.json` file in the same directory that contains the expected
-documents as they are found via an Elasticsearch search. In this case, the
-integration tests will automatically check that the result is the same on each
-run.
-
-In order to test the filesets with the sample logs and/or generate the expected output one should run the tests
-locally for a specific module, using the following procedure under Filebeat directory:
-
-. Start an Elasticsearch instance locally. For example, using Docker:
-+
-[source,bash]
-----
-docker run \
-  --name elasticsearch \
-  -p 9200:9200 -p 9300:9300 \
-  -e "xpack.security.http.ssl.enabled=false"  -e "ELASTIC_PASSWORD=changeme" \
-  -e "discovery.type=single-node" \
-  --pull always --rm --detach \
-  docker.elastic.co/elasticsearch/elasticsearch:master-SNAPSHOT
-----
-. Create an "admin" user on that Elasticsearch instance:
-+
-[source,bash]
-----
-curl -u elastic:changeme \
-  http://localhost:9200/_security/user/admin \
-  -X POST -H 'Content-Type: application/json' \
-  -d '{"password": "changeme", "roles": ["superuser"]}'
-----
-. Create the testing binary: `make filebeat.test`
-. Update fields yaml: `make update`
-. Create python env: `make python-env`
-. Source python env: `source ./build/python-env/bin/activate`
-. Run a test, for example to check nginx access log parsing:
-+
-[source,bash]
-----
-INTEGRATION_TESTS=1 BEAT_STRICT_PERMS=false ES_PASS=changeme \
-TESTING_FILEBEAT_MODULES=nginx \
-pytest tests/system/test_modules.py -v --full-trace
-----
-. Add and remove option env vars as required. Here are some useful ones:
-* `TESTING_FILEBEAT_ALLOW_OLDER`: if set to 1, allow connecting older versions of Elasticsearch
-* `TESTING_FILEBEAT_MODULES`: comma separated list of modules to test.
-* `TESTING_FILEBEAT_FILESETS`: comma separated list of filesets to test.
-* `TESTING_FILEBEAT_FILEPATTERN`: glob pattern for log files within the fileset to test.
-* `GENERATE`: if set to 1, the expected documents will be generated.
-
-The filebeat logs are writen to the `build` directory. It may be useful to tail them in another terminal using `tail -F build/system-tests/run/test_modules.Test.*/output.log`.
-
-For example if there's a syntax error in an ingest pipeline, the test will probably just hang. The filebeat log output will contain the error message from elasticsearch.
diff --git a/docs/devguide/new_protocol.asciidoc b/docs/devguide/new_protocol.asciidoc
deleted file mode 100644
index defd50c0bc3f..000000000000
--- a/docs/devguide/new_protocol.asciidoc
+++ /dev/null
@@ -1,101 +0,0 @@
-[[new-protocol]]
-== Adding a New Protocol to Packetbeat
-
-The following topics describe how to add a new protocol to Packetbeat:
-
-* <<getting-ready-new-protocol>>
-* <<protocol-modules>>
-* <<protocol-testing>>
-
-[[getting-ready-new-protocol]]
-=== Getting Ready
-
-Packetbeat is written in http://golang.org/[Go], so having Go installed and knowing the basics are prerequisites for understanding this guide. But don't worry if you aren't a Go expert. Go is a relatively new language, and very few people are experts in it. In fact, several people learned Go by contributing to Packetbeat and libbeat, including the original Packetbeat authors.
-
-You will also need a good understanding of the wire protocol that you want to
-add support for. For standard protocols or protocols used in open source
-projects, you can usually find detailed specifications and example source code.
-Wireshark is a very useful tool for understanding the inner workings of the
-protocols it supports.
-
-In some cases you can even make use of existing libraries for doing the actual
-parsing and decoding of the protocol. If the particular protocol has a Go
-implementation with a liberal enough license, you might be able to use it to
-parse and decode individual messages instead of writing your own parser.
-
-Before starting, please also read the <<beats-contributing>>.
-
-[float]
-==== Cloning and Compiling
-
-After you have https://golang.org/doc/install[installed Go] and set up the
-https://golang.org/doc/code.html#GOPATH[GOPATH] environment variable to point to
-your preferred workspace location, you can clone Packetbeat with the
-following commands:
-
-[source,shell]
-----------------------------------------------------------------------
-$ mkdir -p ${GOPATH}/src/github.com/elastic
-$ cd ${GOPATH}/src/github.com/elastic
-$ git clone https://github.com/elastic/beats.git
-----------------------------------------------------------------------
-
-Note: If you have multiple go paths use `${GOPATH%%:*}`instead of `${GOPATH}`.
-
-Then you can compile it with:
-
-[source,shell]
-----------------------------------------------------------------------
-$ cd beats
-$ make
-----------------------------------------------------------------------
-
-Note that the location where you clone is important. If you prefer working
-outside of the `GOPATH` environment, you can clone to another directory and only
-create a symlink to the `$GOPATH/src/github.com/elastic/` directory.
-
-[float]
-=== Forking and Branching
-
-We recommend the following work flow for contributing to Packetbeat:
-
-* Fork Beats in GitHub to your own account
-
-* In the `$GOPATH/src/github.com/elastic/beats` folder, add your fork
-  as a new remote. For example (replace `tsg` with your GitHub account):
-
-[source,shell]
-----------------------------------------------------------------------
-$ git remote add tsg git@github.com:tsg/beats.git
-----------------------------------------------------------------------
-
-* Create a new branch for your work:
-
-[source,shell]
-----------------------------------------------------------------------
-$ git checkout -b cool_new_protocol
-----------------------------------------------------------------------
-
-* Commit as often as you like, and then push to your private fork with:
-
-[source,shell]
-----------------------------------------------------------------------
-$ git push --set-upstream tsg cool_new_protocol
-----------------------------------------------------------------------
-
-* When you are ready to submit your PR, simply do so from the GitHub web
-  interface. Feel free to submit your PR early. You can still add commits to
-  the branch after creating the PR. Submitting the PR early gives us more time to
-  provide feedback and perhaps help you with it.
-
-[[protocol-modules]]
-=== Protocol Modules
-
-We are working on updating this section. While you're waiting for updates, you
-might want to try out the TCP protocol generator at
-https://github.com/elastic/beats/tree/master/packetbeat/scripts/tcp-protocol.
-
-[[protocol-testing]]
-=== Testing
-
-We are working on updating this section.
diff --git a/docs/devguide/newdashboards.asciidoc b/docs/devguide/newdashboards.asciidoc
deleted file mode 100644
index 9e540abb025a..000000000000
--- a/docs/devguide/newdashboards.asciidoc
+++ /dev/null
@@ -1,389 +0,0 @@
-[[new-dashboards]]
-== Creating New Kibana Dashboards for a Beat or a Beat module
-
-++++
-<titleabbrev>Creating New Kibana Dashboards</titleabbrev>
-++++
-
-
-When contributing to Beats development, you may want to add new dashboards or
-customize the existing ones. To get started, you can
-<<import-dashboards,import the Kibana dashboards>> that come with the official
-Beats and use them as a starting point for your own dashboards. When you're done
-making changes to the dashboards in Kibana, you can use the `export_dashboards`
-script to <<export-dashboards,export the dashboards>>, along with all
-dependencies, to a local directory.
-
-To make sure the dashboards are compatible with the latest version of Kibana and Elasticsearch, we
-recommend that you use the virtual environment under
-https://github.com/elastic/beats/tree/master/testing/environments[beats/testing/environments] to import, create, and
-export the Kibana dashboards.
-
-The following topics provide more detail about importing and working with Beats dashboards:
-
-* <<import-dashboards>>
-* <<build-dashboards>>
-* <<generate-index-pattern>>
-* <<export-dashboards>>
-* <<archive-dashboards>>
-* <<share-beat-dashboards>>
-
-[[import-dashboards]]
-=== Importing Existing Beat Dashboards
-
-The official Beats come with Kibana dashboards, and starting with 6.0.0, they
-are part of every Beat package. 
-
-You can use the Beat executable to import all the dashboards and the index pattern for a Beat, including the dependencies such as visualizations and searches.
-
-To import the dashboards, run the `setup` command.
-
-
-[source,shell]
--------------------------
-./metricbeat setup
--------------------------
-
-The `setup` phase loads several dependencies, such as:
-
-- Index mapping template in Elasticsearch
-- Kibana dashboards
-- Ingest pipelines
-- ILM policy
-
-The dependencies vary depending on the Beat you're setting up.
-
-For more details about the `setup` command, see the command-line help. For example:
-
-[source,shell]
-----
-./metricbeat help setup
-
-This command does initial setup of the environment:
-
- * Index mapping template in Elasticsearch to ensure fields are mapped.
- * Kibana dashboards (where available).
- * ML jobs (where available).
- * Ingest pipelines (where available).
- * ILM policy (for Elasticsearch 6.5 and newer).
-
-Usage:
-  metricbeat setup [flags]
-
-Flags:
-      --dashboards         Setup dashboards
-  -h, --help               help for setup
-      --index-management   Setup all components related to Elasticsearch index management, including template, ilm policy and rollover alias
-      --pipelines          Setup Ingest pipelines
-----
-
-The flags are useful when you don't want to load everything. For example, to
-import only the dashboards, use the `--dashboards` flag:
-
-[source,shell]
-----
-./metricbeat setup --dashboards
-----
-
-Starting with Beats 6.0.0, the dashboards are no longer loaded directly into Elasticsearch. Instead, they are imported directly into Kibana.
-Thus, if your Kibana instance is not listening on localhost, or you enabled
-{xpack} for Kibana, you need to either configure the Kibana endpoint in
-the config for the Beat, or pass the Kibana host and credentials as
-arguments to the `setup` command. For example:
-
-[source,shell]
-----
-./metricbeat setup -E setup.kibana.host=192.168.3.206:5601 -E setup.kibana.username=elastic -E setup.kibana.password=secret
-----
-
-By default, the `setup` command imports the dashboards from the `kibana`
-directory, which is available in the Beat package.
-
-NOTE: The format of the saved dashboards is not compatible between Kibana 5.x and 6.x. Thus, the Kibana 5.x dashboards are available in
-the `5.x` directory, and the Kibana 6.0 dashboards, and older are in the `default` directory.
-
-In case you are using customized dashboards, you can import them:
-
-- from a local directory:
-+
-[source,shell]
-----------------------------------------------------------------------
-./metricbeat setup -E setup.dashboards.directory=kibana
-----------------------------------------------------------------------
-
-- from a local zip archive:
-+
-[source,shell]
-----------------------------------------------------------------------
-./metricbeat setup -E setup.dashboards.file=metricbeat-dashboards-6.0.zip
-----------------------------------------------------------------------
-
-- from a zip archive available online:
-+
-[source,shell]
-----------------------------------------------------------------------
-./metricbeat setup -E setup.dashboards.url=path/to/url
-----------------------------------------------------------------------
-+
-
-See <<import-dashboard-options>> for a description of the `setup.dashboards` configuration options.
-
-
-[[import-dashboards-for-development]]
-==== Import Dashboards for Development
-
-You can make use of the Magefile from the Beat GitHub repository to import the
-dashboards. If Kibana is running on localhost, then you can run the following command
-from the root of the Beat:
-
-[source,shell]
---------------------------------
-mage dashboards
---------------------------------
-
-[[import-dashboard-options]]
-==== Kibana dashboards configuration
-
-The configuration file (`*.reference.yml`) of each Beat contains the `setup.dashboards` section for configuring from where to get the Kibana dashboards, as well as the name of the index pattern.
-Each of these configuration options can be overwritten with the command line options by using `-E` flag.
-
-
-*`setup.dashboards.directory=<local_dir>`*::
-Local directory that contains the saved dashboards and their dependencies.
-The default value is the `kibana` directory available in the Beat package.
-
-*`setup.dashboards.file=<local_archive>`*::
-Local zip archive with the dashboards. The archive can contain Kibana dashboards for a single Beat or for multiple Beats. The dashboards of each Beat are placed under a separate directory with the name of the Beat.
-
-*`setup.dashboards.url=<zip_url>`*::
-Zip archive with the dashboards, available online. The archive can contain Kibana dashboards for a single Beat or for
-multiple Beats. The dashboards for each Beat are placed under a separate directory with the name of the Beat.
-
-*`setup.dashboards.index <elasticsearch_index>`*::
-You should only use this option if you want to change the index pattern name that's used by default. For example, if the
-default is `metricbeat-*`, you can change it to `custombeat-*`.
-
-
-[[build-dashboards]]
-=== Building Your Own Beat Dashboards
-
-NOTE: If you want to modify a dashboard that comes with a Beat, it's better to modify a copy of the dashboard because the Beat overwrites the dashboards during the setup phase in order to have the latest version. For duplicating a dashboard, just use the `Clone` button from the top of the page.
-
-
-Before building your own dashboards or customizing the existing ones, you need to load:
-
-* the Beat index pattern, which specifies how Kibana should display the Beat fields
-* the Beat dashboards that you want to customize
-
-For the Elastic Beats, the index pattern is available in the Beat package under
-`kibana/*/index-pattern`. The index-pattern is automatically generated from the `fields.yml` file, available in the Beat package. For more details
-check the <<generate-index-pattern,generate index pattern>> section.
-
-All Beats dashboards, visualizations and saved searches must follow common naming conventions:
-
-* Dashboard names have prefix `[BeatName Module]`, e.g. `[Filebeat Nginx] Access logs`
-* Visualizations and searches have suffix `[BeatName Module]`, e.g. `Top processes [Filebeat Nginx]`
-
-NOTE: You can set a custom name (skip suffix) for visualization placed on a dashboard. The original visualization will
-stay intact.
-
-The naming convention rules can be verified with the the tool `mage check`. The command fails if it detects:
-
-* empty description on a dashboard
-* unexpected dashboard title format (missing prefix `[BeatName ModuleName]`)
-* unexpected visualization title format (missing suffix `[BeatName Module]`)
-
-After creating your own dashboards in Kibana, you can <<export-dashboards,export the Kibana dashboards>> to a local
-directory, and then <<archive-dashboards,archive the dashboards>> in order to be able to share the dashboards with the community.
-
-[[generate-index-pattern]]
-=== Generating the Beat Index Pattern
-
-The index-pattern defines the format of each field, and it's used by Kibana to know how to display the field.
-If you change the fields exported by the Beat, you need to generate a new index pattern for your Beat. Otherwise, you can just use the index pattern available under the `kibana/*/index-pattern` directory.
-
-The Beat index pattern is generated from the `fields.yml`, which contains all
-the fields exported by the Beat. For each field, besides the `type`, you can configure the
-`format` field. The format informs Kibana about how to display a certain field. A good example is `percentage` or `bytes`
-to display fields as `50%` or `5MB`.
-
-To generate the index pattern from the `fields.yml`, you need to run the following command in the Beat repository:
-
-[source,shell]
----------------
-make update
----------------
-
-[[export-dashboards]]
-=== Exporting New and Modified Beat Dashboards
-
-To export all the dashboards for any Elastic Beat or any community Beat, including any new or modified dashboards and all dependencies such as
-visualizations, searches, you can use the Go script `export_dashboards.go` from
-https://github.com/elastic/beats/tree/master/dev-tools/cmd/dashboards[dev-tools].  
-See the dev-tools https://github.com/elastic/beats/tree/master/dev-tools/README.md[readme] for more info.
-
-Alternatively, if the scripts above are not available, you can use your Beat binary to export Kibana 6.0 dashboards or later.
-
-==== Exporting from Kibana 6.0 to 7.14
-
-The `dev-tools/cmd/export_dashboards.go` script helps you export your customized Kibana dashboards until the v7.14.x release.
-You might need to export a single dashboard or all the dashboards available for a module or Beat.
-
-It is also possible to use a Beat binary to export.
-
-==== Exporting from Kibana 7.15 or newer
-
-From 7.15, your Beats version must be the same as your Kibana version
-to make sure the export API required is available.
-
-===== Migrate legacy dashboards made with Kibana 7.14 or older
-
-After you updated your Kibana instance to at least 7.15, you have to
-export your dashboards again with either `export_dashboards.go` tool or
-with your Beat.
-
-===== Export a single Kibana dashboard
-
-To export a single dashboard for a module you can use the following command inside a Beat with modules:
-
-[source,shell]
----------------
-MODULE=redis ID=AV4REOpp5NkDleZmzKkE mage exportDashboard
----------------
-
-[source,shell]
----------------
-./filebeat export dashboard --id 7fea2930-478e-11e7-b1f0-cb29bac6bf8b --folder module/redis
----------------
-
-This generates an appropriate folder under module/redis for the dashboard, separating assets into dashboards, searches, vizualizations, etc.
-Each exported file is a JSON and their names are the IDs of the assets.
-
-NOTE: The dashboard ID is available in the dashboard URL. For example, in case the dashboard URL is
-`app/kibana#/dashboard/AV4REOpp5NkDleZmzKkE?_g=()&_a=(description:'Overview%2...`, the dashboard ID is `AV4REOpp5NkDleZmzKkE`.
-
-===== Export all module/Beat dashboards
-
-Each module should contain a `module.yml` file with a list of all the dashboards available for the module. For the Beats that don't have support for modules (e.g. Packetbeat),
-there is a `dashboards.yml` file that defines all the Packetbeat dashboards.
-
-Below, it's an example of the `module.yml` file for the system module in Metricbeat:
-
-[source,shell]
----------------
-dashboards:
-- id: Metricbeat-system-overview
-  file: Metricbeat-system-overview.ndjson
-
-- id: 79ffd6e0-faa0-11e6-947f-177f697178b8
-  file: Metricbeat-host-overview.ndjson
-
-- id: CPU-slash-Memory-per-container
-  file: Metricbeat-containers-overview.ndjson
----------------
-
-
-Each dashboard is defined by an `id` and the name of ndjson `file` where the dashboard is saved locally.
-
-By passing the yml file to the `export_dashboards.go` script or to the Beat, you can export all the dashboards defined:
-
-[source,shell]
--------------------
-go run dev-tools/cmd/dashboards/export_dashboards.go --yml filebeat/module/system/module.yml --folder dashboards
--------------------
-
-[source,shell]
--------------------
-./filebeat export dashboard --yml filebeat/module/system/module.yml
--------------------
-
-
-===== Export dashboards from a Kibana Space
-
-If you are using the Kibana Spaces feature and want to export dashboards from a specific Space, pass the Space ID to the `export_dashboards.go` script:
-
-[source,shell]
--------------------
-go run dev-tools/cmd/dashboards/export_dashboards.go -space-id my-space [other-options]
--------------------
-
-In case of running `export dashboard` of a Beat, you need to set the Space ID in `setup.kibana.space.id`.
-
-
-==== Exporting Kibana 5.x dashboards
-
-To export only some Kibana dashboards for an Elastic Beat or community Beat, you can simply pass a regular expression to
-the `export_dashboards.py` script to match the selected Kibana dashboards.
-
-Before running the `export_dashboards.py` script for the first time, you
-need to create an environment that contains all the required Python packages.
-
-[source,shell]
--------------------------
-make python-env
--------------------------
-
-For example, to export all Kibana dashboards that start with the **Packetbeat** name:
-
-[source,shell]
-----------------------------------------------------------------------
-python ../dev-tools/cmd/dashboards/export_dashboards.py --regex Packetbeat*
-----------------------------------------------------------------------
-
-To see all the available options, read the descriptions below or run:
-
-[source,shell]
-----------------------------------------------------------------------
-python ../dev-tools/cmd/dashboards/export_dashboards.py -h
-----------------------------------------------------------------------
-
-*`--url <elasticsearch_url>`*::
-The Elasticsearch URL. The default value is http://localhost:9200.
-
-*`--regex <regular_expression>`*::
-Regular expression to match all the Kibana dashboards to be exported. This argument is required.
-
-*`--kibana <kibana_index>`*::
-The Elasticsearch index pattern where Kibana saves its configuration. The default value is `.kibana`.
-
-*`--dir <output_dir>`*::
-The output directory where the dashboards and all dependencies will be saved. The default value is `output`.
-
-The output directory has the following structure:
-
-[source,shell]
---------------
-output/
-    index-pattern/
-    dashboard/
-    visualization/
-    search/
---------------
-
-[[archive-dashboards]]
-=== Archiving Your Beat Dashboards
-
-The Kibana dashboards for the Elastic Beats are saved under the `kibana` directory. To create a zip archive with the
-dashboards, including visualizations and searches and the index pattern, you can run the following command in the Beat
-repository:
-
-[source,shell]
---------------
-make package-dashboards
---------------
-
-The Makefile is part of libbeat, which means that community Beats contributors can use the commands shown here to
-archive dashboards. The dashboards must be available under the `kibana` directory.
-
-Another option would be to create a repository only with the dashboards, and use the GitHub release functionality to
-create a zip archive.
-
-Share the Kibana dashboards archive with the community, so other users can use your cool Kibana visualizations!
-
-
-
-[[share-beat-dashboards]]
-=== Sharing Your Beat Dashboards
-
-When you're done with your own Beat dashboards, how about letting everyone know? You can create a topic on the https://discuss.elastic.co/c/beats[Beats
-forum], and provide the link to the zip archive together with a short description.
diff --git a/docs/devguide/pull-request-guidelines.asciidoc b/docs/devguide/pull-request-guidelines.asciidoc
deleted file mode 100644
index 113c8aa5d53a..000000000000
--- a/docs/devguide/pull-request-guidelines.asciidoc
+++ /dev/null
@@ -1,18 +0,0 @@
-[[pr-review]]
-== Pull request review guidelines
-
-Every change made to Beats must be held to a high standard, and while the responsibility for quality in a pull request ultimately lies with the author, Beats team members have the responsibility as reviewers to verify during their review process. Where this document is unclear or inappropriate let common sense and consensus override it.
-
-[float]
-=== Code Style
-
-Everyone's got an opinion on style. To avoid spending time on this issue we rely almost exclusively on `go fmt` and https://houndci.com/[hound] to police style. If neither of these tools complain the code is almost certainly fine. There may be exceptions to this, but they should be extremely rare. Only override the judgement of these tools in the most unusual of situations.
-
-[float]
-=== Flaky Tests
-
-As software projects grow so does the complexity of their test cases and with that the probability of some tests becoming 'flaky'. It is everyone's responsibility to handle flaky tests. If you notice a pull request build failing for a reason that is unrelated to the pushed code follow the procedure below:
-
-1. Create an issue using the "Flaky Test" github issue template with the "Flaky Test" label attached.
-2. Create a PR to mute or fix the flaky test.
-3. Merge that PR and rebase off of it before continuing with the normal PR process for your original PR.
diff --git a/docs/devguide/python.asciidoc b/docs/devguide/python.asciidoc
deleted file mode 100644
index 8f86e81fcc39..000000000000
--- a/docs/devguide/python.asciidoc
+++ /dev/null
@@ -1,90 +0,0 @@
-[[python-beats]]
-=== Python in Beats
-
-Python is used for Beats development, it is the language used to implement
-system tests and some other tools. Python dependencies are managed by the use of
-virtual environments, supported by
-https://docs.python.org/3/library/venv.html[venv].
-
-Beats development requires Python >= {python}.
-
-[[installing-python]]
-==== Installing Python and venv
-
-Python uses to be installed in many operating systems. If it is not installed in
-your system you can follow the instructions available in https://www.python.org/downloads/
-
-In Ubuntu/Debian systems, Python 3 can be installed with:
-
-["source","sh"]
-----
-sudo apt-get install python3 python3-venv
-----
-
-There are packages for specific minor versions, so for example if Python 3.7
-wants to be used, it can be installed with the following command:
-
-["source","sh"]
-----
-sudo apt-get install python3.7 python3.7-venv
-----
-
-It is recommended to use Python >= {python}.
-
-[[python-virtual-environments]]
-==== Working with virtual environments
-
-All `make` and `mage` targets manage their own virtual environments in a transparent
-way, so for the most common operations required when contributing to beats,
-nothing special needs to be done.
-
-Virtual environments used by `make` can be found in most Beats directories under
-`build/python-env`, they are created by targets that need it, or can be
-explicitly created by running `make python-env`. The ones used by `mage` are
-created when required under `build/ve`.
-
-There are some environment variables that can be used to customize the creation
-of these virtual environments:
-
-* `PYTHON_EXE`: Python executable to be used in the virtual environment. It has
-  to exist in the path.
-* `PYTHON_ENV`: Path to the virtual environment to use. If it doesn't exist, it
-  is created by `make` or `mage` targets when needed.  
-
-Virtual environments can also be used without `make` or `mage`, this is usual
-for example when running individual system tests with `pytest`. There are two
-ways to run commands from the virtual environment:
-
-* "Activating" the virtual environment in your current terminal running
-  `source ./build/python-env/bin/activate`. Virtual environment can be
-  deactivated by running `deactivate`.
-* Directly running commands from the virtual environment path. For example
-  `pytest` can be executed as `./build/python-env/bin/pytest`.
-
-To recreate a virtual environment, remove its directory. All virtual
-environments are also removed with `make clean`.
-
-[[python-older-versions]]
-==== Working with older versions
-
-Older versions of Beats were not compatible with Python 3, if you need to
-temporary work on one of these versions of Beats, and you don't want to remove
-your current virtual environments, you can use environment variables to run
-commands in a temporary virtual environment.
-
-For example you can run `make update` with Python 2.7 with the following
-command:
-
-["source","sh"]
------
-PYTHON_EXE=python2.7 PYTHON_ENV=/tmp/venv2 make update
------
-
-If you need to run tests you can also create a virtual environment and then
-activate it to run commands from there:
-["source","sh"]
------
-PYTHON_EXE=python2.7 PYTHON_ENV=/tmp/venv2 make python-env
-source /tmp/venv2/bin/activate
-...
------
diff --git a/docs/devguide/terraform.asciidoc b/docs/devguide/terraform.asciidoc
deleted file mode 100644
index 0cdd0198f214..000000000000
--- a/docs/devguide/terraform.asciidoc
+++ /dev/null
@@ -1,81 +0,0 @@
-[[terraform-beats]]
-== Terraform in Beats
-
-Terraform is used to provision scenarios for integration testing of some cloud
-features. Features implementing integration tests that require the presence of
-cloud resources should have their own Terraform configuration, this configuration
-can be used when developing locally to create (and destroy) resources that allow
-to test these features.
-
-Tests requiring access to cloud providers should be disabled by default with the
-use of build tags.
-
-[[installing-terraform]]
-=== Installing Terraform
-
-Terraform is available in https://www.terraform.io/downloads.html
-
-Download it and place it in some directory in your PATH.
-
-`terraform` is the main command for Terraform and the only one that is usually
-needed to manage configurations. Terraform will also download other plugins that
-implement the specific functionality for each provider. These plugins are
-automatically managed and stored in the working copy, if you want to share the
-plugins between multiple working copies you can manually install them in the
-user the user plugins directory located at `~/.terraform.d/plugins`,
-or `%APPDATA%\terraform.d\plugins on Windows`.
-
-Plugins are available in https://registry.terraform.io/
-
-[[using-terraform]]
-=== Using Terraform
-
-The most important commands when using Terraform are:
-* `terraform init` to do some initial checks and install the required plugins.
-* `terraform apply` to create the resources defined in the configuration.
-* `terraform destroy` to destroy resources previously created.
-
-Cloud providers use to require credentials, they can be provided with the usual
-methods supported by these providers, using environment variables and/or
-credential files.
-
-Terraform stores the last known state of the resources managed by a
-configuration in a `terraform.tfstate` file. It is important to keep this file
-as it is used as input by `terraform destroy`. This file is created in the same
-directory where `terraform apply` is executed.
-
-Please take a look to Terraform documentation for more details: https://www.terraform.io/intro/index.html
-
-[[terraform-configurations]]
-=== Terraform configuration guidelines
-
-The main purpouse of Terraform in Beats is to create and destroy cloud resources
-required by integration tests. For these configurations there are some things to
-take into account:
-* Apply should work without additional inputs or files. Only input will be the
-  required for specific providers, using environment variables or credential
-  files.
-* You must be able to apply the same configuration multiple times in the same
-  account. This will allow to have multiple builds using the same configuration
-  but with different instances of the resources. Some resources are already
-  created with unique identifiers (as EC2 instances), some others have to be
-  explicitly created with unique names (e.g. S3 buckets). For these cases random
-  suffixes can be added to identifiers.
-* Destroy must work without additional input, and should be able to destroy all
-  the resources created by the configuration. There are some resources that need
-  specific flags to be destroyed by `terraform destroy`. For example S3 buckets
-  need a flag to force to empty the bucket before deleting it, or RDS instances
-  need a flag to disable snapshots on deletion.
-
-[[terraform-in-ci]]
-=== Terraform in CI
-
-Integration tests that need the presence of certain resources to work can be
-executed in CI if they provide a Terraform configuration to start these
-resources. These tests are disabled by default in CI.
-
-Terraform states are archived as artifacrs of builds, this allows to manually
-destroy resources created by builds that were not able to do a proper cleanup.
-
-
-
diff --git a/docs/devguide/testing.asciidoc b/docs/devguide/testing.asciidoc
deleted file mode 100644
index 07f2ae21025c..000000000000
--- a/docs/devguide/testing.asciidoc
+++ /dev/null
@@ -1,110 +0,0 @@
-[[testing]]
-=== Testing
-
-Beats has a various sets of tests. This guide should help to understand how the different test suites work, how they are used and new tests are added.
-
-In general there are two major test suites:
-
-* Tests written in Go
-* Tests written in Python
-
-The tests written in Go use the https://golang.org/pkg/testing/[Go Testing
-package]. The tests written in Python depend on https://docs.pytest.org/en/latest/[pytest] and require a compiled and executable binary from the Go code. The python test run a beat with a specific config and params and either check if the output is as expected or if the correct things show up in the logs.
-
-For both of the above test suites so called integration tests exists. Integration tests in Beats are tests which require an external system like Elasticsearch to test if the integration with this service works as expected. Beats provides in its testsuite docker containers and docker-compose files to start these environments but a developer can run the required services also locally.
-
-==== Running Go Tests
-
-The Go tests can be executed in each Go package by running `go test .`. This will execute all tests which don't don't require an external service to be running. To run all non integration tests for a beat run `mage unitTest`.
-
-All Go tests are in the same package as the tested code itself and have the suffix `_test` in the file name. Most of the tests are in the same package as the rest of the code. Some of the tests which should be separate from the rest of the code or should not use private variables go under `{packagename}_test`.
-
-===== Running Go Integration Tests
-
-Integration tests are labelled with the `//go:build integration` build tag and use the `_integration_test.go` suffix.
-
-To run the integration tests use the `mage goIntegTest` target, which will start the required services using https://docs.docker.com/compose/[docker-compose] and run all integration tests.
-
-It is also possible to run module specific integration tests. For example, to run kafka only tests use `MODULE=kafka mage integTest -v`
-
-It is possible to start the `docker-compose` services manually to allow selecting which specific tests should be run. An example follows for filebeat:
-
-[source,bash]
-----
-cd filebeat
-# Pull and build the containers. Only needs to be done once unless you change the containers.
-mage docker:composeBuild
-# Bring up all containers, wait until they are healthy, and put them in the background.
-mage docker:composeUp
-# Run all integration tests.
-go test ./filebeat/...  -tags integration
-# Stop all started containers.
-mage docker:composeDown
-----
-
-===== Generate sample events
-
-Go tests support generating sample events to be used as fixtures.
-
-This generation can be perfomed running `go test --data`. This functionality is supported by packetbeat and Metricbeat.
-
-In Metricbeat, run the command from within a module like this: `go test --tags integration,azure --data --run "TestData"`. Make sure to add the relevant tags (`integration` is common then add module and metricset specific tags).
-
-A note about tags: the `--data` flag is a custom flag added by Metricbeat and Packetbeat frameworks. It will not be present in case tags do not match, as the relevant code will not be run and silently skipped (without the tag the test file is ignored by Go compiler so the framework doesn't load). This may happen if there are different tags in the build tags of the metricset under test (i.e. the GCP billing metricset requires the `billing` tag too).
-
-==== Running System (integration) Tests (Python and Go)
-
-The system tests are defined in the `tests/system` (for legacy Python test) and on `tests/integration` (for Go tests) directory. They require a testing binary to be available and the python environment to be set up.
-
-To create the testing binary run `mage buildSystemTestBinary`. This will create the test binary in the beat directory. To set up the Python testing environment run `mage pythonVirtualEnv` which will create a virtual environment with all test dependencies and print its location. To activate it, the instructions depend on your operating system. See the https://packaging.python.org/en/latest/guides/installing-using-pip-and-virtual-environments/#activating-a-virtual-environment[virtualenv documentation].
-
-To run the system and integration tests use the `mage pythonIntegTest` target, which will start the required services using https://docs.docker.com/compose/[docker-compose] and run all integration tests. Similar to Go integration tests, the individual steps can be done manually to allow selecting which tests should be run:
-
-[source,bash]
-----
-# Create and activate the system test virtual environment (assumes a Unix system).
-source $(mage pythonVirtualEnv)/bin/activate
-
-# Pull and build the containers. Only needs to be done once unless you change the containers.
-mage docker:composeBuild
-
-# Bring up all containers, wait until they are healthy, and put them in the background.
-mage docker:composeUp
-
-# Run all system and integration tests.
-INTEGRATION_TESTS=1 pytest ./tests/system
-
-# Stop all started containers.
-mage docker:composeDown
-----
-
-Filebeat's module python tests have additional documentation found in the <<filebeat-modules-devguide,Filebeat module>> guide.
-
-==== Test commands
-
-To list all mage commands run `mage -l`. A quick summary of the available test Make commands is:
-
-* `unit`: Go tests
-* `unit-tests`: Go tests with coverage reports
-* `integration-tests`: Go tests with services in local docker
-* `integration-tests-environment`: Go tests inside docker with service in docker
-* `fast-system-tests`: Python tests
-* `system-tests`: Python tests with coverage report
-* `INTEGRATION_TESTS=1 system-tests`: Python tests with local services
-* `system-tests-environment`: Python tests inside docker with service in docker
-* `testsuite`: Complete test suite in docker environment is run
-* `test`: Runs testsuite without environment
-
-There are two experimental test commands:
-
-* `benchmark-tests`: Running Go tests with `-bench` flag
-* `load-tests`: Running system tests with `LOAD_TESTS=1` flag
-
-
-==== Coverage report
-
-If the tests were run to create a test coverage, the coverage report files can be found under `build/docs`. To create a more human readable file out of the `.cov` file `make coverage-report` can be used. It creates a `.html` file for each report and a `full.html` as summary of all reports together in the directory `build/coverage`.
-
-==== Race detection
-
-All tests can be run with the Go race detector enabled by setting the environment variable `RACE_DETECTOR=1`. This applies to tests in Go and Python. For Python the test binary has to be recompile when the flag is changed. Having the race detection enabled will slow down the tests.
diff --git a/docs/docset.yml b/docs/docset.yml
new file mode 100644
index 000000000000..48aef0b01f44
--- /dev/null
+++ b/docs/docset.yml
@@ -0,0 +1,491 @@
+project: 'Beats docs'
+cross_links:
+  - docs-content
+  - ecs
+  - elasticsearch
+  - integration-docs
+  - logstash
+toc:
+  - toc: reference
+  - toc: release-notes
+  - toc: extend
+subs:
+  ref:   "https://www.elastic.co/guide/en/elasticsearch/reference/current"
+  ref-bare:   "https://www.elastic.co/guide/en/elasticsearch/reference"
+  ref-8x:   "https://www.elastic.co/guide/en/elasticsearch/reference/8.1"
+  ref-80:   "https://www.elastic.co/guide/en/elasticsearch/reference/8.0"
+  ref-7x:   "https://www.elastic.co/guide/en/elasticsearch/reference/7.17"
+  ref-70:   "https://www.elastic.co/guide/en/elasticsearch/reference/7.0"
+  ref-60:   "https://www.elastic.co/guide/en/elasticsearch/reference/6.0"
+  ref-64:   "https://www.elastic.co/guide/en/elasticsearch/reference/6.4"
+  xpack-ref:   "https://www.elastic.co/guide/en/x-pack/6.2"
+  logstash-ref:   "https://www.elastic.co/guide/en/logstash/current"
+  kibana-ref:   "https://www.elastic.co/guide/en/kibana/current"
+  kibana-ref-all:   "https://www.elastic.co/guide/en/kibana"
+  beats-ref-root:   "https://www.elastic.co/guide/en/beats"
+  beats-ref:   "https://www.elastic.co/guide/en/beats/libbeat/current"
+  beats-ref-60:   "https://www.elastic.co/guide/en/beats/libbeat/6.0"
+  beats-ref-63:   "https://www.elastic.co/guide/en/beats/libbeat/6.3"
+  beats-devguide:   "https://www.elastic.co/guide/en/beats/devguide/current"
+  auditbeat-ref:   "https://www.elastic.co/guide/en/beats/auditbeat/current"
+  packetbeat-ref:   "https://www.elastic.co/guide/en/beats/packetbeat/current"
+  metricbeat-ref:   "https://www.elastic.co/guide/en/beats/metricbeat/current"
+  filebeat-ref:   "https://www.elastic.co/guide/en/beats/filebeat/current"
+  functionbeat-ref:   "https://www.elastic.co/guide/en/beats/functionbeat/current"
+  winlogbeat-ref:   "https://www.elastic.co/guide/en/beats/winlogbeat/current"
+  heartbeat-ref:   "https://www.elastic.co/guide/en/beats/heartbeat/current"
+  journalbeat-ref:   "https://www.elastic.co/guide/en/beats/journalbeat/current"
+  ingest-guide:   "https://www.elastic.co/guide/en/ingest/current"
+  fleet-guide:   "https://www.elastic.co/guide/en/fleet/current"
+  apm-guide-ref:   "https://www.elastic.co/guide/en/apm/guide/current"
+  apm-guide-7x:   "https://www.elastic.co/guide/en/apm/guide/7.17"
+  apm-app-ref:   "https://www.elastic.co/guide/en/kibana/current"
+  apm-agents-ref:   "https://www.elastic.co/guide/en/apm/agent"
+  apm-android-ref:   "https://www.elastic.co/guide/en/apm/agent/android/current"
+  apm-py-ref:   "https://www.elastic.co/guide/en/apm/agent/python/current"
+  apm-py-ref-3x:   "https://www.elastic.co/guide/en/apm/agent/python/3.x"
+  apm-node-ref-index:   "https://www.elastic.co/guide/en/apm/agent/nodejs"
+  apm-node-ref:   "https://www.elastic.co/guide/en/apm/agent/nodejs/current"
+  apm-node-ref-1x:   "https://www.elastic.co/guide/en/apm/agent/nodejs/1.x"
+  apm-rum-ref:   "https://www.elastic.co/guide/en/apm/agent/rum-js/current"
+  apm-ruby-ref:   "https://www.elastic.co/guide/en/apm/agent/ruby/current"
+  apm-java-ref:   "https://www.elastic.co/guide/en/apm/agent/java/current"
+  apm-go-ref:   "https://www.elastic.co/guide/en/apm/agent/go/current"
+  apm-dotnet-ref:   "https://www.elastic.co/guide/en/apm/agent/dotnet/current"
+  apm-php-ref:   "https://www.elastic.co/guide/en/apm/agent/php/current"
+  apm-ios-ref:   "https://www.elastic.co/guide/en/apm/agent/swift/current"
+  apm-lambda-ref:   "https://www.elastic.co/guide/en/apm/lambda/current"
+  apm-attacher-ref:   "https://www.elastic.co/guide/en/apm/attacher/current"
+  docker-logging-ref:   "https://www.elastic.co/guide/en/beats/loggingplugin/current"
+  esf-ref:   "https://www.elastic.co/guide/en/esf/current"
+  kinesis-firehose-ref:   "https://www.elastic.co/guide/en/kinesis/{{kinesis_version}}"
+  estc-welcome-current:   "https://www.elastic.co/guide/en/starting-with-the-elasticsearch-platform-and-its-solutions/current"
+  estc-welcome:   "https://www.elastic.co/guide/en/starting-with-the-elasticsearch-platform-and-its-solutions/current"
+  estc-welcome-all:   "https://www.elastic.co/guide/en/starting-with-the-elasticsearch-platform-and-its-solutions"
+  hadoop-ref:   "https://www.elastic.co/guide/en/elasticsearch/hadoop/current"
+  stack-ref:   "https://www.elastic.co/guide/en/elastic-stack/current"
+  stack-ref-67:   "https://www.elastic.co/guide/en/elastic-stack/6.7"
+  stack-ref-68:   "https://www.elastic.co/guide/en/elastic-stack/6.8"
+  stack-ref-70:   "https://www.elastic.co/guide/en/elastic-stack/7.0"
+  stack-ref-80:   "https://www.elastic.co/guide/en/elastic-stack/8.0"
+  stack-ov:   "https://www.elastic.co/guide/en/elastic-stack-overview/current"
+  stack-gs:   "https://www.elastic.co/guide/en/elastic-stack-get-started/current"
+  stack-gs-current:   "https://www.elastic.co/guide/en/elastic-stack-get-started/current"
+  javaclient:   "https://www.elastic.co/guide/en/elasticsearch/client/java-api/current"
+  java-api-client:   "https://www.elastic.co/guide/en/elasticsearch/client/java-api-client/current"
+  java-rest:   "https://www.elastic.co/guide/en/elasticsearch/client/java-rest/current"
+  jsclient:   "https://www.elastic.co/guide/en/elasticsearch/client/javascript-api/current"
+  jsclient-current:   "https://www.elastic.co/guide/en/elasticsearch/client/javascript-api/current"
+  es-ruby-client:   "https://www.elastic.co/guide/en/elasticsearch/client/ruby-api/current"
+  es-dotnet-client:   "https://www.elastic.co/guide/en/elasticsearch/client/net-api/current"
+  es-php-client:   "https://www.elastic.co/guide/en/elasticsearch/client/php-api/current"
+  es-python-client:   "https://www.elastic.co/guide/en/elasticsearch/client/python-api/current"
+  defguide:   "https://www.elastic.co/guide/en/elasticsearch/guide/2.x"
+  painless:   "https://www.elastic.co/guide/en/elasticsearch/painless/current"
+  plugins:   "https://www.elastic.co/guide/en/elasticsearch/plugins/current"
+  plugins-8x:   "https://www.elastic.co/guide/en/elasticsearch/plugins/8.1"
+  plugins-7x:   "https://www.elastic.co/guide/en/elasticsearch/plugins/7.17"
+  plugins-6x:   "https://www.elastic.co/guide/en/elasticsearch/plugins/6.8"
+  glossary:   "https://www.elastic.co/guide/en/elastic-stack-glossary/current"
+  upgrade_guide:   "https://www.elastic.co/products/upgrade_guide"
+  blog-ref:   "https://www.elastic.co/blog/"
+  curator-ref:   "https://www.elastic.co/guide/en/elasticsearch/client/curator/current"
+  curator-ref-current:   "https://www.elastic.co/guide/en/elasticsearch/client/curator/current"
+  metrics-ref:   "https://www.elastic.co/guide/en/metrics/current"
+  metrics-guide:   "https://www.elastic.co/guide/en/metrics/guide/current"
+  logs-ref:   "https://www.elastic.co/guide/en/logs/current"
+  logs-guide:   "https://www.elastic.co/guide/en/logs/guide/current"
+  uptime-guide:   "https://www.elastic.co/guide/en/uptime/current"
+  observability-guide:   "https://www.elastic.co/guide/en/observability/current"
+  observability-guide-all:   "https://www.elastic.co/guide/en/observability"
+  siem-guide:   "https://www.elastic.co/guide/en/siem/guide/current"
+  security-guide:   "https://www.elastic.co/guide/en/security/current"
+  security-guide-all:   "https://www.elastic.co/guide/en/security"
+  endpoint-guide:   "https://www.elastic.co/guide/en/endpoint/current"
+  sql-odbc:   "https://www.elastic.co/guide/en/elasticsearch/sql-odbc/current"
+  ecs-ref:   "https://www.elastic.co/guide/en/ecs/current"
+  ecs-logging-ref:   "https://www.elastic.co/guide/en/ecs-logging/overview/current"
+  ecs-logging-go-logrus-ref:   "https://www.elastic.co/guide/en/ecs-logging/go-logrus/current"
+  ecs-logging-go-zap-ref:   "https://www.elastic.co/guide/en/ecs-logging/go-zap/current"
+  ecs-logging-go-zerolog-ref:   "https://www.elastic.co/guide/en/ecs-logging/go-zap/current"
+  ecs-logging-java-ref:   "https://www.elastic.co/guide/en/ecs-logging/java/current"
+  ecs-logging-dotnet-ref:   "https://www.elastic.co/guide/en/ecs-logging/dotnet/current"
+  ecs-logging-nodejs-ref:   "https://www.elastic.co/guide/en/ecs-logging/nodejs/current"
+  ecs-logging-php-ref:   "https://www.elastic.co/guide/en/ecs-logging/php/current"
+  ecs-logging-python-ref:   "https://www.elastic.co/guide/en/ecs-logging/python/current"
+  ecs-logging-ruby-ref:   "https://www.elastic.co/guide/en/ecs-logging/ruby/current"
+  ml-docs:   "https://www.elastic.co/guide/en/machine-learning/current"
+  eland-docs:   "https://www.elastic.co/guide/en/elasticsearch/client/eland/current"
+  eql-ref:   "https://eql.readthedocs.io/en/latest/query-guide"
+  extendtrial:   "https://www.elastic.co/trialextension"
+  wikipedia:   "https://en.wikipedia.org/wiki"
+  forum:   "https://discuss.elastic.co/"
+  xpack-forum:   "https://discuss.elastic.co/c/50-x-pack"
+  security-forum:   "https://discuss.elastic.co/c/x-pack/shield"
+  watcher-forum:   "https://discuss.elastic.co/c/x-pack/watcher"
+  monitoring-forum:   "https://discuss.elastic.co/c/x-pack/marvel"
+  graph-forum:   "https://discuss.elastic.co/c/x-pack/graph"
+  apm-forum:   "https://discuss.elastic.co/c/apm"
+  enterprise-search-ref:   "https://www.elastic.co/guide/en/enterprise-search/current"
+  app-search-ref:   "https://www.elastic.co/guide/en/app-search/current"
+  workplace-search-ref:   "https://www.elastic.co/guide/en/workplace-search/current"
+  enterprise-search-node-ref:   "https://www.elastic.co/guide/en/enterprise-search-clients/enterprise-search-node/current"
+  enterprise-search-php-ref:   "https://www.elastic.co/guide/en/enterprise-search-clients/php/current"
+  enterprise-search-python-ref:   "https://www.elastic.co/guide/en/enterprise-search-clients/python/current"
+  enterprise-search-ruby-ref:   "https://www.elastic.co/guide/en/enterprise-search-clients/ruby/current"
+  elastic-maps-service:   "https://maps.elastic.co"
+  integrations-docs:   "https://docs.elastic.co/en/integrations"
+  integrations-devguide:   "https://www.elastic.co/guide/en/integrations-developer/current"
+  time-units:   "https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units"
+  byte-units:   "https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#byte-units"
+  apm-py-ref-v:   "https://www.elastic.co/guide/en/apm/agent/python/current"
+  apm-node-ref-v:   "https://www.elastic.co/guide/en/apm/agent/nodejs/current"
+  apm-rum-ref-v:   "https://www.elastic.co/guide/en/apm/agent/rum-js/current"
+  apm-ruby-ref-v:   "https://www.elastic.co/guide/en/apm/agent/ruby/current"
+  apm-java-ref-v:   "https://www.elastic.co/guide/en/apm/agent/java/current"
+  apm-go-ref-v:   "https://www.elastic.co/guide/en/apm/agent/go/current"
+  apm-ios-ref-v:   "https://www.elastic.co/guide/en/apm/agent/swift/current"
+  apm-dotnet-ref-v:   "https://www.elastic.co/guide/en/apm/agent/dotnet/current"
+  apm-php-ref-v:   "https://www.elastic.co/guide/en/apm/agent/php/current"
+  ecloud:   "Elastic Cloud"
+  esf:   "Elastic Serverless Forwarder"
+  ess:   "Elasticsearch Service"
+  ece:   "Elastic Cloud Enterprise"
+  eck:   "Elastic Cloud on Kubernetes"
+  serverless-full:   "Elastic Cloud Serverless"
+  serverless-short:   "Serverless"
+  es-serverless:   "Elasticsearch Serverless"
+  es3:   "Elasticsearch Serverless"
+  obs-serverless:   "Elastic Observability Serverless"
+  sec-serverless:   "Elastic Security Serverless"
+  serverless-docs:   "https://docs.elastic.co/serverless"
+  cloud:   "https://www.elastic.co/guide/en/cloud/current"
+  ess-utm-params:   "?page=docs&placement=docs-body"
+  ess-baymax:   "?page=docs&placement=docs-body"
+  ess-trial:   "https://cloud.elastic.co/registration?page=docs&placement=docs-body"
+  ess-product:   "https://www.elastic.co/cloud/elasticsearch-service?page=docs&placement=docs-body"
+  ess-console:   "https://cloud.elastic.co?page=docs&placement=docs-body"
+  ess-console-name:   "Elasticsearch Service Console"
+  ess-deployments:   "https://cloud.elastic.co/deployments?page=docs&placement=docs-body"
+  ece-ref:   "https://www.elastic.co/guide/en/cloud-enterprise/current"
+  eck-ref:   "https://www.elastic.co/guide/en/cloud-on-k8s/current"
+  ess-leadin:   "You can run Elasticsearch on your own hardware or use our hosted Elasticsearch Service that is available on AWS, GCP, and Azure. https://cloud.elastic.co/registration{ess-utm-params}[Try the Elasticsearch Service for free]."
+  ess-leadin-short:   "Our hosted Elasticsearch Service is available on AWS, GCP, and Azure, and you can https://cloud.elastic.co/registration{ess-utm-params}[try it for free]."
+  ess-icon:   "image:https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg[link=\"https://cloud.elastic.co/registration{ess-utm-params}\", title=\"Supported on Elasticsearch Service\"]"
+  ece-icon:   "image:https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud_ece.svg[link=\"https://cloud.elastic.co/registration{ess-utm-params}\", title=\"Supported on Elastic Cloud Enterprise\"]"
+  cloud-only:   "This feature is designed for indirect use by https://cloud.elastic.co/registration{ess-utm-params}[Elasticsearch Service], https://www.elastic.co/guide/en/cloud-enterprise/{ece-version-link}[Elastic Cloud Enterprise], and https://www.elastic.co/guide/en/cloud-on-k8s/current[Elastic Cloud on Kubernetes]. Direct use is not supported."
+  ess-setting-change:   "image:https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg[link=\"{ess-trial}\", title=\"Supported on {ess}\"] indicates a change to a supported https://www.elastic.co/guide/en/cloud/current/ec-add-user-settings.html[user setting] for Elasticsearch Service."
+  ess-skip-section:   "If you use Elasticsearch Service, skip this section. Elasticsearch Service handles these changes for you."
+  api-cloud:   "https://www.elastic.co/docs/api/doc/cloud"
+  api-ece:   "https://www.elastic.co/docs/api/doc/cloud-enterprise"
+  api-kibana-serverless:   "https://www.elastic.co/docs/api/doc/serverless"
+  es-feature-flag:   "This feature is in development and not yet available for use. This documentation is provided for informational purposes only."
+  es-ref-dir:   "'{{elasticsearch-root}}/docs/reference'"
+  apm-app:   "APM app"
+  uptime-app:   "Uptime app"
+  synthetics-app:   "Synthetics app"
+  logs-app:   "Logs app"
+  metrics-app:   "Metrics app"
+  infrastructure-app:   "Infrastructure app"
+  siem-app:   "SIEM app"
+  security-app:   "Elastic Security app"
+  ml-app:   "Machine Learning"
+  dev-tools-app:   "Dev Tools"
+  ingest-manager-app:   "Ingest Manager"
+  stack-manage-app:   "Stack Management"
+  stack-monitor-app:   "Stack Monitoring"
+  alerts-ui:   "Alerts and Actions"
+  rules-ui:   "Rules"
+  rac-ui:   "Rules and Connectors"
+  connectors-ui:   "Connectors"
+  connectors-feature:   "Actions and Connectors"
+  stack-rules-feature:   "Stack Rules"
+  user-experience:   "User Experience"
+  ems:   "Elastic Maps Service"
+  ems-init:   "EMS"
+  hosted-ems:   "Elastic Maps Server"
+  ipm-app:   "Index Pattern Management"
+  ingest-pipelines:   "ingest pipelines"
+  ingest-pipelines-app:   "Ingest Pipelines"
+  ingest-pipelines-cap:   "Ingest pipelines"
+  ls-pipelines:   "Logstash pipelines"
+  ls-pipelines-app:   "Logstash Pipelines"
+  maint-windows:   "maintenance windows"
+  maint-windows-app:   "Maintenance Windows"
+  maint-windows-cap:   "Maintenance windows"
+  custom-roles-app:   "Custom Roles"
+  data-source:   "data view"
+  data-sources:   "data views"
+  data-source-caps:   "Data View"
+  data-sources-caps:   "Data Views"
+  data-source-cap:   "Data view"
+  data-sources-cap:   "Data views"
+  project-settings:   "Project settings"
+  manage-app:   "Management"
+  index-manage-app:   "Index Management"
+  data-views-app:   "Data Views"
+  rules-app:   "Rules"
+  saved-objects-app:   "Saved Objects"
+  tags-app:   "Tags"
+  api-keys-app:   "API keys"
+  transforms-app:   "Transforms"
+  connectors-app:   "Connectors"
+  files-app:   "Files"
+  reports-app:   "Reports"
+  maps-app:   "Maps"
+  alerts-app:   "Alerts"
+  crawler:   "Enterprise Search web crawler"
+  ents:   "Enterprise Search"
+  app-search-crawler:   "App Search web crawler"
+  agent:   "Elastic Agent"
+  agents:   "Elastic Agents"
+  fleet:   "Fleet"
+  fleet-server:   "Fleet Server"
+  integrations-server:   "Integrations Server"
+  ingest-manager:   "Ingest Manager"
+  ingest-management:   "ingest management"
+  package-manager:   "Elastic Package Manager"
+  integrations:   "Integrations"
+  package-registry:   "Elastic Package Registry"
+  artifact-registry:   "Elastic Artifact Registry"
+  aws:   "AWS"
+  stack:   "Elastic Stack"
+  xpack:   "X-Pack"
+  es:   "Elasticsearch"
+  kib:   "Kibana"
+  esms:   "Elastic Stack Monitoring Service"
+  esms-init:   "ESMS"
+  ls:   "Logstash"
+  beats:   "Beats"
+  auditbeat:   "Auditbeat"
+  filebeat:   "Filebeat"
+  heartbeat:   "Heartbeat"
+  metricbeat:   "Metricbeat"
+  packetbeat:   "Packetbeat"
+  winlogbeat:   "Winlogbeat"
+  functionbeat:   "Functionbeat"
+  journalbeat:   "Journalbeat"
+  es-sql:   "Elasticsearch SQL"
+  esql:   "ES|QL"
+  elastic-agent:   "Elastic Agent"
+  k8s:   "Kubernetes"
+  log-driver-long:   "Elastic Logging Plugin for Docker"
+  security:   "X-Pack security"
+  security-features:   "security features"
+  operator-feature:   "operator privileges feature"
+  es-security-features:   "Elasticsearch security features"
+  stack-security-features:   "Elastic Stack security features"
+  endpoint-sec:   "Endpoint Security"
+  endpoint-cloud-sec:   "Endpoint and Cloud Security"
+  elastic-defend:   "Elastic Defend"
+  elastic-sec:   "Elastic Security"
+  elastic-endpoint:   "Elastic Endpoint"
+  swimlane:   "Swimlane"
+  sn:   "ServiceNow"
+  sn-itsm:   "ServiceNow ITSM"
+  sn-itom:   "ServiceNow ITOM"
+  sn-sir:   "ServiceNow SecOps"
+  jira:   "Jira"
+  ibm-r:   "IBM Resilient"
+  webhook:   "Webhook"
+  webhook-cm:   "Webhook - Case Management"
+  opsgenie:   "Opsgenie"
+  bedrock:   "Amazon Bedrock"
+  gemini:   "Google Gemini"
+  hive:   "TheHive"
+  monitoring:   "X-Pack monitoring"
+  monitor-features:   "monitoring features"
+  stack-monitor-features:   "Elastic Stack monitoring features"
+  watcher:   "Watcher"
+  alert-features:   "alerting features"
+  reporting:   "X-Pack reporting"
+  report-features:   "reporting features"
+  graph:   "X-Pack graph"
+  graph-features:   "graph analytics features"
+  searchprofiler:   "Search Profiler"
+  xpackml:   "X-Pack machine learning"
+  ml:   "machine learning"
+  ml-cap:   "Machine learning"
+  ml-init:   "ML"
+  ml-features:   "machine learning features"
+  stack-ml-features:   "Elastic Stack machine learning features"
+  ccr:   "cross-cluster replication"
+  ccr-cap:   "Cross-cluster replication"
+  ccr-init:   "CCR"
+  ccs:   "cross-cluster search"
+  ccs-cap:   "Cross-cluster search"
+  ccs-init:   "CCS"
+  ilm:   "index lifecycle management"
+  ilm-cap:   "Index lifecycle management"
+  ilm-init:   "ILM"
+  dlm:   "data lifecycle management"
+  dlm-cap:   "Data lifecycle management"
+  dlm-init:   "DLM"
+  search-snap:   "searchable snapshot"
+  search-snaps:   "searchable snapshots"
+  search-snaps-cap:   "Searchable snapshots"
+  slm:   "snapshot lifecycle management"
+  slm-cap:   "Snapshot lifecycle management"
+  slm-init:   "SLM"
+  rollup-features:   "data rollup features"
+  ipm:   "index pattern management"
+  ipm-cap:   "Index pattern"
+  rollup:   "rollup"
+  rollup-cap:   "Rollup"
+  rollups:   "rollups"
+  rollups-cap:   "Rollups"
+  rollup-job:   "rollup job"
+  rollup-jobs:   "rollup jobs"
+  rollup-jobs-cap:   "Rollup jobs"
+  dfeed:   "datafeed"
+  dfeeds:   "datafeeds"
+  dfeed-cap:   "Datafeed"
+  dfeeds-cap:   "Datafeeds"
+  ml-jobs:   "machine learning jobs"
+  ml-jobs-cap:   "Machine learning jobs"
+  anomaly-detect:   "anomaly detection"
+  anomaly-detect-cap:   "Anomaly detection"
+  anomaly-job:   "anomaly detection job"
+  anomaly-jobs:   "anomaly detection jobs"
+  anomaly-jobs-cap:   "Anomaly detection jobs"
+  dataframe:   "data frame"
+  dataframes:   "data frames"
+  dataframe-cap:   "Data frame"
+  dataframes-cap:   "Data frames"
+  watcher-transform:   "payload transform"
+  watcher-transforms:   "payload transforms"
+  watcher-transform-cap:   "Payload transform"
+  watcher-transforms-cap:   "Payload transforms"
+  transform:   "transform"
+  transforms:   "transforms"
+  transform-cap:   "Transform"
+  transforms-cap:   "Transforms"
+  dataframe-transform:   "transform"
+  dataframe-transform-cap:   "Transform"
+  dataframe-transforms:   "transforms"
+  dataframe-transforms-cap:   "Transforms"
+  dfanalytics-cap:   "Data frame analytics"
+  dfanalytics:   "data frame analytics"
+  dataframe-analytics-config:   "'{dataframe} analytics config'"
+  dfanalytics-job:   "'{dataframe} analytics job'"
+  dfanalytics-jobs:   "'{dataframe} analytics jobs'"
+  dfanalytics-jobs-cap:   "'{dataframe-cap} analytics jobs'"
+  cdataframe:   "continuous data frame"
+  cdataframes:   "continuous data frames"
+  cdataframe-cap:   "Continuous data frame"
+  cdataframes-cap:   "Continuous data frames"
+  cdataframe-transform:   "continuous transform"
+  cdataframe-transforms:   "continuous transforms"
+  cdataframe-transforms-cap:   "Continuous transforms"
+  ctransform:   "continuous transform"
+  ctransform-cap:   "Continuous transform"
+  ctransforms:   "continuous transforms"
+  ctransforms-cap:   "Continuous transforms"
+  oldetection:   "outlier detection"
+  oldetection-cap:   "Outlier detection"
+  olscore:   "outlier score"
+  olscores:   "outlier scores"
+  fiscore:   "feature influence score"
+  evaluatedf-api:   "evaluate {dataframe} analytics API"
+  evaluatedf-api-cap:   "Evaluate {dataframe} analytics API"
+  binarysc:   "binary soft classification"
+  binarysc-cap:   "Binary soft classification"
+  regression:   "regression"
+  regression-cap:   "Regression"
+  reganalysis:   "regression analysis"
+  reganalysis-cap:   "Regression analysis"
+  depvar:   "dependent variable"
+  feature-var:   "feature variable"
+  feature-vars:   "feature variables"
+  feature-vars-cap:   "Feature variables"
+  classification:   "classification"
+  classification-cap:   "Classification"
+  classanalysis:   "classification analysis"
+  classanalysis-cap:   "Classification analysis"
+  infer-cap:   "Inference"
+  infer:   "inference"
+  lang-ident-cap:   "Language identification"
+  lang-ident:   "language identification"
+  data-viz:   "Data Visualizer"
+  file-data-viz:   "File Data Visualizer"
+  feat-imp:   "feature importance"
+  feat-imp-cap:   "Feature importance"
+  nlp:   "natural language processing"
+  nlp-cap:   "Natural language processing"
+  apm-agent:   "APM agent"
+  apm-go-agent:   "Elastic APM Go agent"
+  apm-go-agents:   "Elastic APM Go agents"
+  apm-ios-agent:   "Elastic APM iOS agent"
+  apm-ios-agents:   "Elastic APM iOS agents"
+  apm-java-agent:   "Elastic APM Java agent"
+  apm-java-agents:   "Elastic APM Java agents"
+  apm-dotnet-agent:   "Elastic APM .NET agent"
+  apm-dotnet-agents:   "Elastic APM .NET agents"
+  apm-node-agent:   "Elastic APM Node.js agent"
+  apm-node-agents:   "Elastic APM Node.js agents"
+  apm-php-agent:   "Elastic APM PHP agent"
+  apm-php-agents:   "Elastic APM PHP agents"
+  apm-py-agent:   "Elastic APM Python agent"
+  apm-py-agents:   "Elastic APM Python agents"
+  apm-ruby-agent:   "Elastic APM Ruby agent"
+  apm-ruby-agents:   "Elastic APM Ruby agents"
+  apm-rum-agent:   "Elastic APM Real User Monitoring (RUM) JavaScript agent"
+  apm-rum-agents:   "Elastic APM RUM JavaScript agents"
+  apm-lambda-ext:   "Elastic APM AWS Lambda extension"
+  project-monitors:   "project monitors"
+  project-monitors-cap:   "Project monitors"
+  private-location:   "Private Location"
+  private-locations:   "Private Locations"
+  pwd:   "YOUR_PASSWORD"
+  esh:   "ES-Hadoop"
+  default-dist:   "default distribution"
+  oss-dist:   "OSS-only distribution"
+  observability:   "Observability"
+  api-request-title:   "Request"
+  api-prereq-title:   "Prerequisites"
+  api-description-title:   "Description"
+  api-path-parms-title:   "Path parameters"
+  api-query-parms-title:   "Query parameters"
+  api-request-body-title:   "Request body"
+  api-response-codes-title:   "Response codes"
+  api-response-body-title:   "Response body"
+  api-example-title:   "Example"
+  api-examples-title:   "Examples"
+  api-definitions-title:   "Properties"
+  multi-arg:   "†footnoteref:[multi-arg,This parameter accepts multiple arguments.]"
+  multi-arg-ref:   "†footnoteref:[multi-arg]"
+  yes-icon:   "image:https://doc-icons.s3.us-east-2.amazonaws.com/icon-yes.png[Yes,20,15]"
+  no-icon:   "image:https://doc-icons.s3.us-east-2.amazonaws.com/icon-no.png[No,20,15]"
+  es-repo:   "https://github.com/elastic/elasticsearch/"
+  es-issue:   "https://github.com/elastic/elasticsearch/issues/"
+  es-pull:   "https://github.com/elastic/elasticsearch/pull/"
+  es-commit:   "https://github.com/elastic/elasticsearch/commit/"
+  kib-repo:   "https://github.com/elastic/kibana/"
+  kib-issue:   "https://github.com/elastic/kibana/issues/"
+  kibana-issue:   "'{kib-repo}issues/'"
+  kib-pull:   "https://github.com/elastic/kibana/pull/"
+  kibana-pull:   "'{kib-repo}pull/'"
+  kib-commit:   "https://github.com/elastic/kibana/commit/"
+  ml-repo:   "https://github.com/elastic/ml-cpp/"
+  ml-issue:   "https://github.com/elastic/ml-cpp/issues/"
+  ml-pull:   "https://github.com/elastic/ml-cpp/pull/"
+  ml-commit:   "https://github.com/elastic/ml-cpp/commit/"
+  apm-repo:   "https://github.com/elastic/apm-server/"
+  apm-issue:   "https://github.com/elastic/apm-server/issues/"
+  apm-pull:   "https://github.com/elastic/apm-server/pull/"
+  kibana-blob:   "https://github.com/elastic/kibana/blob/current/"
+  apm-get-started-ref:   "https://www.elastic.co/guide/en/apm/get-started/current"
+  apm-server-ref:   "https://www.elastic.co/guide/en/apm/server/current"
+  apm-server-ref-v:   "https://www.elastic.co/guide/en/apm/server/current"
+  apm-server-ref-m:   "https://www.elastic.co/guide/en/apm/server/master"
+  apm-server-ref-62:   "https://www.elastic.co/guide/en/apm/server/6.2"
+  apm-server-ref-64:   "https://www.elastic.co/guide/en/apm/server/6.4"
+  apm-server-ref-70:   "https://www.elastic.co/guide/en/apm/server/7.0"
+  apm-overview-ref-v:   "https://www.elastic.co/guide/en/apm/get-started/current"
+  apm-overview-ref-70:   "https://www.elastic.co/guide/en/apm/get-started/7.0"
+  apm-overview-ref-m:   "https://www.elastic.co/guide/en/apm/get-started/master"
+  infra-guide:   "https://www.elastic.co/guide/en/infrastructure/guide/current"
+  a-data-source:   "a data view"
+  icon-bug:   "pass:[<span class=\"eui-icon icon-bug\"></span>]"
+  icon-checkInCircleFilled:   "pass:[<span class=\"eui-icon icon-checkInCircleFilled\"></span>]"
+  icon-warningFilled:   "pass:[<span class=\"eui-icon icon-warningFilled\"></span>]"
diff --git a/docs/extend/_migrating_dashboards_from_kibana_5_x_to_6_x.md b/docs/extend/_migrating_dashboards_from_kibana_5_x_to_6_x.md
new file mode 100644
index 000000000000..fdc6a7b93fe2
--- /dev/null
+++ b/docs/extend/_migrating_dashboards_from_kibana_5_x_to_6_x.md
@@ -0,0 +1,84 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/_migrating_dashboards_from_kibana_5_x_to_6_x.html
+---
+
+# Migrating dashboards from Kibana 5.x to 6.x [_migrating_dashboards_from_kibana_5_x_to_6_x]
+
+This section is useful for the community Beats to migrate the Kibana 5.x dashboards to 6.x dashboards.
+
+In the Kibana 5.x, the saved dashboards consist of multiple JSON files, one for each dashboard, search, visualization and index-pattern. To import a dashboard in Kibana, you need to load not only the JSON file containing the dashboard, but also all its dependencies (searches, visualizations).
+
+Starting with Kibana 6.0, the dashboards are loaded by default via the Kibana API. In this case, the saved dashboard consist of a single JSON file that includes not only the dashboard content, but also all its dependencies.
+
+As the format of the dashboards and index-pattern for Kibana 5.x is different than the ones for Kibana 6.x, they are placed in different directories. Depending on the Kibana version, the 5.x or 6.x dashboards are loaded.
+
+The Kibana 5.x dashboards are placed under the 5.x directory that contains the following directories: - search - visualization - dashboard - index-pattern
+
+The Kibana 6.x dashboards and later are placed under the default directory that contains the following directories: - dashboard - index-pattern
+
+NOTE
+:   Please make sure the 5.x and default directories are created before running the following commands.
+
+To migrate your Kibana 5.x dashboards to Kibana 6.0 and above, you can import the dashboards into Kibana 5.6 and then export them using Beats 6.0 version.
+
+* Start Kibana 5.6
+* Import Kibana 5.x dashboards using Beats 6.0 version.
+
+Before importing the dashboards, make sure you run `make update` in the Beat directory, that updates the `_meta/kibana` directory. It generates the index-pattern from the `fields.yml` file, and places it under the `5.x/index-pattern` and `default/index-pattern` directories. In case of Metricbeat, Filebeat and Auditbeat, it collects the dashboards from all the modules to the `_meta/kibana` directory.
+
+```shell
+make update
+```
+
+Then load all the Beat’s dashboards. For example, to load the Metricbeat rabbitmq dashboards together with the Metricbeat index-pattern into Kibana 5.6, using the Kibana API:
+
+```shell
+make update
+./metricbeat setup -E setup.dashboards.directory=_meta/kibana
+```
+
+* Export the dashboards using Beats 6.0 version.
+
+You can export the dashboards via the Kibana API by using the [export_dashboards.go](https://github.com/elastic/beats/blob/main/dev-tools/cmd/dashboards/export_dashboards.go) application.
+
+For example, to export the Metricbeat rabbitmq dashboard:
+
+```shell
+cd beats/metricbeat
+go run ../dev-tools/cmd/dashboards/export_dashboards.go -dashboards Metricbeat-Rabbitmq -output
+module/rabbitmq/_meta/kibana/default/Metricbeat-Rabbitmq.json <1>
+```
+
+1. `Metricbeat-Rabbitmq` is the ID of the dashboard that you want to export.
+
+
+Note: You can get the dashboard ID from the URL of the dashboard in Kibana. Depending on the Kibana version the dashboard was created, the ID consists of a name or random characters that can be separated by `-`.
+
+This command creates a single JSON file (Metricbeat-Rabbitmq.JSON) that contains the dashboard and all the dependencies like searches, visualizations. The name of the output file has the format: <Beat name>-<module name>.json.
+
+Starting with Beats 6.0.0, you can create an `yml` file for each module or for the entire Beat with all the dashboards. Below is an example of the `module.yml` file for the system module in Metricbeat.
+
+```yaml
+dashboards:
+    - id: Metricbeat-system-overview <1>
+      file: Metricbeat-system-overview.json <2>
+
+    - id: 79ffd6e0-faa0-11e6-947f-177f697178b8
+      file: Metricbeat-host-overview.json
+
+    - id: CPU-slash-Memory-per-container
+      file: Metricbeat-docker-overview.json
+```
+
+1. Dashboard ID.
+2. The JSON file where the dashboard is saved on disk.
+
+
+Using the yml file, you can export all the dashboards for a single module or for the entire Beat using a single command:
+
+```shell
+cd metricbeat/module/system
+go run ../../../dev-tools/cmd/dashboards/export_dashboards.go -yml module.yml
+```
+
diff --git a/docs/extend/archive-dashboards.md b/docs/extend/archive-dashboards.md
new file mode 100644
index 000000000000..09b36e0606e6
--- /dev/null
+++ b/docs/extend/archive-dashboards.md
@@ -0,0 +1,19 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/archive-dashboards.html
+---
+
+# Archiving Your Beat Dashboards [archive-dashboards]
+
+The Kibana dashboards for the Elastic Beats are saved under the `kibana` directory. To create a zip archive with the dashboards, including visualizations and searches and the index pattern, you can run the following command in the Beat repository:
+
+```shell
+make package-dashboards
+```
+
+The Makefile is part of libbeat, which means that community Beats contributors can use the commands shown here to archive dashboards. The dashboards must be available under the `kibana` directory.
+
+Another option would be to create a repository only with the dashboards, and use the GitHub release functionality to create a zip archive.
+
+Share the Kibana dashboards archive with the community, so other users can use your cool Kibana visualizations!
+
diff --git a/docs/extend/build-dashboards.md b/docs/extend/build-dashboards.md
new file mode 100644
index 000000000000..be67376a072b
--- /dev/null
+++ b/docs/extend/build-dashboards.md
@@ -0,0 +1,37 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/build-dashboards.html
+---
+
+# Building Your Own Beat Dashboards [build-dashboards]
+
+::::{note}
+If you want to modify a dashboard that comes with a Beat, it’s better to modify a copy of the dashboard because the Beat overwrites the dashboards during the setup phase in order to have the latest version. For duplicating a dashboard, just use the `Clone` button from the top of the page.
+::::
+
+
+Before building your own dashboards or customizing the existing ones, you need to load:
+
+* the Beat index pattern, which specifies how Kibana should display the Beat fields
+* the Beat dashboards that you want to customize
+
+For the Elastic Beats, the index pattern is available in the Beat package under `kibana/*/index-pattern`. The index-pattern is automatically generated from the `fields.yml` file, available in the Beat package. For more details check the [generate index pattern](/extend/generate-index-pattern.md) section.
+
+All Beats dashboards, visualizations and saved searches must follow common naming conventions:
+
+* Dashboard names have prefix `[BeatName Module]`, e.g. `[Filebeat Nginx] Access logs`
+* Visualizations and searches have suffix `[BeatName Module]`, e.g. `Top processes [Filebeat Nginx]`
+
+::::{note}
+You can set a custom name (skip suffix) for visualization placed on a dashboard. The original visualization will stay intact.
+::::
+
+
+The naming convention rules can be verified with the the tool `mage check`. The command fails if it detects:
+
+* empty description on a dashboard
+* unexpected dashboard title format (missing prefix `[BeatName ModuleName]`)
+* unexpected visualization title format (missing suffix `[BeatName Module]`)
+
+After creating your own dashboards in Kibana, you can [export the Kibana dashboards](/extend/export-dashboards.md) to a local directory, and then [archive the dashboards](/extend/archive-dashboards.md) in order to be able to share the dashboards with the community.
+
diff --git a/docs/extend/community-beats.md b/docs/extend/community-beats.md
new file mode 100644
index 000000000000..279a8e5df5e5
--- /dev/null
+++ b/docs/extend/community-beats.md
@@ -0,0 +1,336 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/community-beats.html
+---
+
+# Community {{beats}} [community-beats]
+
+::::{admonition}
+**Custom Beat generator code no longer available in 8.0 and later**
+
+The custom Beat generator was a helper tool that allowed developers to bootstrap their custom {{beats}}. This tool was deprecated in 7.16 and is no longer available starting in 8.0.
+
+Developers can continue to create custom {{beats}} to address specific and targeted use cases. If you need to create a Beat from scratch, you can use the custom Beat generator tool available in version 7.16 or 7.17 to generate the custom Beat, then upgrade its various components to the 8.x release.
+
+::::
+
+
+This page lists some of the {{beats}} developed by the open source community.
+
+Have a question about developing a community Beat? You can post questions and discuss issues in the [{{beats}} discussion forum](https://discuss.elastic.co/tags/c/elastic-stack/beats/28/beats-development).
+
+Have you created a Beat that’s not listed? Add the name and description of your Beat to the source document for [Community {{beats}}](https://github.com/elastic/beats/blob/main/libbeat/docs/communitybeats.asciidoc) and [open a pull request](https://help.github.com/articles/using-pull-requests) in the [{{beats}} GitHub repository](https://github.com/elastic/beats) to get your change merged. When you’re ready, go ahead and [announce](https://discuss.elastic.co/c/announcements) your new Beat in the Elastic discussion forum.
+
+::::{note}
+Elastic provides no warranty or support for community-sourced {{beats}}.
+::::
+
+
+[amazonbeat](https://github.com/awormuth/amazonbeat)
+:   Reads data from a specified Amazon product.
+
+[apachebeat](https://github.com/radoondas/apachebeat)
+:   Reads status from Apache HTTPD server-status.
+
+[apexbeat](https://github.com/verticle-io/apexbeat)
+:   Extracts configurable contextual data and metrics from Java applications via the  [APEX](http://toolkits.verticle.io) toolkit.
+
+[browserbeat](https://github.com/MelonSmasher/browserbeat)
+:   Reads and ships browser history (Chrome, Firefox, & Safari) to an Elastic output.
+
+[cborbeat](https://github.com/toravir/cborbeat)
+:   Reads from cbor encoded files (specifically log files). More: [CBOR Encoding](https://cbor.io) [Decoder](https://github.com/toravir/csd)
+
+[cloudflarebeat](https://github.com/hartfordfive/cloudflarebeat)
+:   Indexes log entries from the Cloudflare Enterprise Log Share API.
+
+[cloudfrontbeat](https://github.com/jarl-tornroos/cloudfrontbeat)
+:   Reads log events from Amazon Web Services [CloudFront](https://aws.amazon.com/cloudfront/).
+
+[cloudtrailbeat](https://github.com/aidan-/cloudtrailbeat)
+:   Reads events from Amazon Web Services' [CloudTrail](https://aws.amazon.com/cloudtrail/).
+
+[cloudwatchmetricbeat](https://github.com/narmitech/cloudwatchmetricbeat)
+:   A beat for Amazon Web Services' [CloudWatch Metrics](https://aws.amazon.com/cloudwatch/details/#other-aws-resource-monitoring).
+
+[cloudwatchlogsbeat](https://github.com/e-travel/cloudwatchlogsbeat)
+:   Reads log events from Amazon Web Services' [CloudWatch Logs](https://aws.amazon.com/cloudwatch/details/#log-monitoring).
+
+[collectbeat](https://github.com/eBay/collectbeat)
+:   Adds discovery on top of Filebeat and Metricbeat in environments like Kubernetes.
+
+[connbeat](https://github.com/raboof/connbeat)
+:   Exposes metadata about TCP connections.
+
+[consulbeat](https://github.com/Pravoru/consulbeat)
+:   Reads services health checks from consul and pushes them to Elastic.
+
+[discobeat](https://github.com/hellmouthengine/discobeat)
+:   Reads messages from Discord and indexes them in Elasticsearch
+
+[dockbeat](https://github.com/Ingensi/dockbeat)
+:   Reads Docker container statistics and indexes them in Elasticsearch.
+
+[earthquakebeat](https://github.com/radoondas/earthquakebeat)
+:   Pulls data from [USGS](https://earthquake.usgs.gov/fdsnws/event/1/) earthquake API.
+
+[elasticbeat](https://github.com/radoondas/elasticbeat)
+:   Reads status from an Elasticsearch cluster and indexes them in Elasticsearch.
+
+[envoyproxybeat](https://github.com/berfinsari/envoyproxybeat)
+:   Reads stats from the Envoy Proxy and indexes them into Elasticsearch.
+
+[etcdbeat](https://github.com/gamegos/etcdbeat)
+:   Reads stats from the Etcd v2 API and indexes them into Elasticsearch.
+
+[etherbeat](https://gitlab.com/hatricker/etherbeat)
+:   Reads blocks from Ethereum compatible blockchain and indexes them into Elasticsearch.
+
+[execbeat](https://github.com/christiangalsterer/execbeat)
+:   Periodically executes shell commands and sends the standard output and standard error to Logstash or Elasticsearch.
+
+[factbeat](https://github.com/jarpy/factbeat)
+:   Collects facts from [Facter](https://github.com/puppetlabs/facter).
+
+[fastcombeat](https://github.com/ctindel/fastcombeat)
+:   Periodically gather internet download speed from  [fast.com](https://fast.com).
+
+[fileoccurencebeat](https://github.com/cloudronics/fileoccurancebeat)
+:   Checks for file existence recurssively under a given directory, handy while handling queues/pipeline buffers.
+
+[flowbeat](https://github.com/FStelzer/flowbeat)
+:   Collects, parses, and indexes [sflow](http://www.sflow.org/index.php) samples.
+
+[gabeat](https://github.com/GeneralElectric/GABeat)
+:   Collects data from Google Analytics Realtime API.
+
+[gcsbeat](https://github.com/GoogleCloudPlatform/gcsbeat)
+:   Reads data from [Google Cloud Storage](https://cloud.google.com/storage/) buckets.
+
+[gelfbeat](https://github.com/threatstack/gelfbeat)
+:   Collects and parses GELF-encoded UDP messages.
+
+[githubbeat](https://github.com/josephlewis42/githubbeat)
+:   Easily monitors GitHub repository activity.
+
+[gpfsbeat](https://github.com/hpcugent/gpfsbeat)
+:   Collects GPFS metric and quota information.
+
+[hackerbeat](https://github.com/ullaakut/hackerbeat)
+:   Indexes the top stories of HackerNews into an ElasticSearch instance.
+
+[hsbeat](https://github.com/YaSuenag/hsbeat)
+:   Reads all performance counters in Java HotSpot VM.
+
+[httpbeat](https://github.com/christiangalsterer/httpbeat)
+:   Polls multiple HTTP(S) endpoints and sends the data to Logstash or Elasticsearch. Supports all HTTP methods and proxies.
+
+[hsnburrowbeat](https://github.com/hsngerami/hsnburrowbeat)
+:   Monitors Kafka consumer lag for Burrow V1.0.0(API V3).
+
+[hwsensorsbeat](https://github.com/jasperla/hwsensorsbeat)
+:   Reads sensors information from OpenBSD.
+
+[icingabeat](https://github.com/icinga/icingabeat)
+:   Icingabeat ships events and states from Icinga 2 to Elasticsearch or Logstash.
+
+[IIBBeat](https://github.com/visasimbu/IIBBeat)
+:   Periodically executes shell commands or batch commands to collect IBM Integration node, Integration server, app status, bar file deployment time and bar file location to Logstash or Elasticsearch.
+
+[iobeat](https://github.com/devopsmakers/iobeat)
+:   Reads IO stats from /proc/diskstats on Linux.
+
+[jmxproxybeat](https://github.com/radoondas/jmxproxybeat)
+:   Reads Tomcat JMX metrics exposed over *JMX Proxy Servlet* to HTTP.
+
+[journalbeat](https://github.com/mheese/journalbeat)
+:   Used for log shipping from systemd/journald based Linux systems.
+
+[kafkabeat](https://github.com/justsocialapps/kafkabeat)
+:   Reads data from Kafka topics.
+
+[kafkabeat2](https://github.com/arkady-emelyanov/kafkabeat)
+:   Reads data (json or plain) from Kafka topics.
+
+[krakenbeat](https://github.com/PPACI/krakenbeat)
+:   Collect information on each transaction on the Kraken crypto platform.
+
+[lmsensorsbeat](https://github.com/eskibars/lmsensorsbeat)
+:   Collects data from lm-sensors (such as CPU temperatures, fan speeds, and voltages from i2c and smbus).
+
+[logstashbeat](https://github.com/consulthys/logstashbeat)
+:   Collects data from Logstash monitoring API (v5 onwards) and indexes them in Elasticsearch.
+
+[macwifibeat](https://github.com/bozdag/macwifibeat)
+:   Reads various indicators for a MacBook’s WiFi Signal Strength
+
+[mcqbeat](https://github.com/yedamao/mcqbeat)
+:   Reads the status of queues from memcacheq.
+
+[merakibeat](https://developer.cisco.com/codeexchange/github/repo/CiscoDevNet/merakibeat)
+:   Collects [wireless health](https://dashboard.meraki.com/api_docs#wireless-health) and users [location analytics](https://documentation.meraki.com/MR/Monitoring_and_Reporting/Scanning_API) data using Cisco  Meraki APIs.
+
+[mesosbeat](https://github.com/berfinsari/mesosbeat)
+:   Reads stats from the Mesos API and indexes them into Elasticsearch.
+
+[mongobeat](https://github.com/scottcrespo/mongobeat)
+:   Monitors MongoDB instances and can be configured to send multiple document types to Elasticsearch.
+
+[mqttbeat](https://github.com/nathan-K-/mqttbeat)
+:   Add messages from mqtt topics to Elasticsearch.
+
+[mysqlbeat](https://github.com/adibendahan/mysqlbeat)
+:   Run any query on MySQL and send results to Elasticsearch.
+
+[nagioscheckbeat](https://github.com/PhaedrusTheGreek/nagioscheckbeat)
+:   For Nagios checks and performance data.
+
+[natsbeat](https://github.com/nfvsap/natsbeat)
+:   Collects data from NATS monitoring endpoints
+
+[netatmobeat](https://github.com/radoondas/netatmobeat)
+:   Reads data from Netatmo weather station.
+
+[netbeat](https://github.com/hmschreck/netbeat)
+:   Reads configurable data from SNMP-enabled devices.
+
+[nginxbeat](https://github.com/mrkschan/nginxbeat)
+:   Reads status from Nginx.
+
+[nginxupstreambeat](https://github.com/2Fast2BCn/nginxupstreambeat)
+:   Reads upstream status from nginx upstream module.
+
+[nsqbeat](https://github.com/mschneider82/nsqbeat)
+:   Reads data from a NSQ topic.
+
+[nvidiagpubeat](https://github.com/eBay/nvidiagpubeat)
+:   Uses nvidia-smi to grab metrics of NVIDIA GPUs.
+
+[o365beat](https://github.com/counteractive/o365beat)
+:   Ships Office 365 logs from the O365 Management Activities API
+
+[openconfigbeat](https://github.com/aristanetworks/openconfigbeat)
+:   Streams data from [OpenConfig](http://openconfig.net)-enabled network devices
+
+[openvpnbeat](https://github.com/nabeel-shakeel/openvpnbeat)
+:   Collects OpenVPN connection metrics
+
+[owmbeat](https://github.com/radoondas/owmbeat)
+:   Open Weather Map beat to pull weather data from all around the world and store and visualize them in Elastic Stack
+
+[packagebeat](https://github.com/joehillen/packagebeat)
+:   Collects information about system packages from package managers.
+
+[perfstatbeat](https://github.com/WuerthIT/perfstatbeat)
+:   Collects performance metrics on the AIX operating system.
+
+[phishbeat](https://github.com/stric-co/phishbeat)
+:   Monitors Certificate Transparency logs for phishing and defamatory domains.
+
+[phpfpmbeat](https://github.com/kozlice/phpfpmbeat)
+:   Reads status from PHP-FPM.
+
+[pingbeat](https://github.com/joshuar/pingbeat)
+:   Sends ICMP pings to a list of targets and stores the round trip time (RTT) in Elasticsearch.
+
+[powermaxbeat](https://github.com/kckecheng/powermaxbeat)
+:   Collects performance metrics from Dell EMC PowerMax storage array.
+
+[processbeat](https://github.com/pawankt/processbeat)
+:   Collects process health status and performance.
+
+[prombeat](https://github.com/carlpett/prombeat)
+:   Indexes [Prometheus](https://prometheus.io) metrics.
+
+[prometheusbeat](https://github.com/infonova/prometheusbeat)
+:   Send Prometheus metrics to Elasticsearch via the remote write feature.
+
+[protologbeat](https://github.com/hartfordfive/protologbeat)
+:   Accepts structured and unstructured logs via UDP or TCP.  Can also be used to receive syslog messages or GELF formatted messages. (To be used as a successor to udplogbeat)
+
+[pubsubbeat](https://github.com/GoogleCloudPlatform/pubsubbeat)
+:   Reads data from [Google Cloud Pub/Sub](https://cloud.google.com/pubsub/).
+
+[redditbeat](https://github.com/voigt/redditbeat)
+:   Collects new Reddit Submissions of one or multiple Subreddits.
+
+[redisbeat](https://github.com/chrsblck/redisbeat)
+:   Used for Redis monitoring.
+
+[retsbeat](https://github.com/consulthys/retsbeat)
+:   Collects counts of [RETS](http://www.reso.org) resource/class records from [Multiple Listing Service](https://en.wikipedia.org/wiki/Multiple_listing_service) (MLS) servers.
+
+[rsbeat](https://github.com/yourdream/rsbeat)
+:   Ships redis slow logs to elasticsearch and analyze by Kibana.
+
+[safecastbeat](https://github.com/radoondas/safecastbeat)
+:   Pulls data from Safecast API and store them in Elasticsearch.
+
+[saltbeat](https://github.com/martinhoefling/saltbeat)
+:   Reads events from salt master event bus.
+
+[serialbeat](https://github.com/benben/serialbeat)
+:   Reads from a serial device.
+
+[servicebeat](https://github.com/Corwind/servicebeat)
+:   Send services status to Elasticsearch
+
+[springbeat](https://github.com/consulthys/springbeat)
+:   Collects health and metrics data from Spring Boot applications running with the actuator module.
+
+[springboot2beat](https://github.com/philkra/springboot2beat)
+:   Query and accumulate all metrics endpoints of a Spring Boot 2 web app via the web channel, leveraging the [mircometer.io](http://micrometer.io/) metrics facade.
+
+[statsdbeat](https://github.com/sentient/statsdbeat)
+:   Receives UDP [statsd](https://github.com/etsy/statsd/wiki) events from a statsd client.
+
+[supervisorctlbeat](https://github.com/Corwind/supervisorctlbeat.git)
+:   This beat aims to parse the supervisorctl status command output and send it to elasticsearch for indexation
+
+[terminalbeat](https://github.com/live-wire/terminalbeat)
+:   Runs an external command and forwards the [stdout](https://www.computerhope.com/jargon/s/stdout.htm) for the same to Elasticsearch/Logstash.
+
+[timebeat](https://timebeat.app/download.php)
+:   NTP and PTP clock synchonisation beat that reports accuracy metrics to elastic. Includes Kibana dashboards.
+
+[tracebeat](https://github.com/berfinsari/tracebeat)
+:   Reads traceroute output and indexes them into Elasticsearch.
+
+[trivybeat](https://github.com/DmitryZ-outten/trivybeat)
+:   Fetches Docker containers which are running on the same machine, scan CVEs of those containers using Trivy server and index them into Elasticsearch.
+
+[twitterbeat](https://github.com/buehler/go-elastic-twitterbeat)
+:   Reads tweets for specified screen names.
+
+[udpbeat](https://github.com/gravitational/udpbeat)
+:   Ships structured logs via UDP.
+
+[udplogbeat](https://github.com/hartfordfive/udplogbeat)
+:   Accept events via local UDP socket (in plain-text or JSON with ability to enforce schemas).  Can also be used for applications only supporting syslog logging.
+
+[unifiedbeat](https://github.com/cleesmith/unifiedbeat)
+:   Reads records from Unified2 binary files generated by network intrusion detection software and indexes the records in Elasticsearch.
+
+[unitybeat](https://github.com/kckecheng/unitybeat)
+:   Collects performance metrics from Dell EMC Unity storage array.
+
+[uwsgibeat](https://github.com/mrkschan/uwsgibeat)
+:   Reads stats from uWSGI.
+
+[varnishlogbeat](https://github.com/phenomenes/varnishlogbeat)
+:   Reads log data from a Varnish instance and ships it to Elasticsearch.
+
+[varnishstatbeat](https://github.com/phenomenes/varnishstatbeat)
+:   Reads stats data from a Varnish instance and ships it to Elasticsearch.
+
+[vaultbeat](https://gitlab.com/msvechla/vaultbeat)
+:   Collects performance metrics and statistics from Hashicorp’s Vault.
+
+[wmibeat](https://github.com/eskibars/wmibeat)
+:   Uses WMI to grab your favorite, configurable Windows metrics.
+
+[yarnbeat](https://github.com/IBM/yarnbeat)
+:   Polls YARN and MapReduce APIs for cluster and application metrics.
+
+[zfsbeat](https://github.com/maireanu/zfsbeat)
+:   Querying ZFS Storage and Pool Status
diff --git a/docs/extend/contributing-docs.md b/docs/extend/contributing-docs.md
new file mode 100644
index 000000000000..c8201b2335c4
--- /dev/null
+++ b/docs/extend/contributing-docs.md
@@ -0,0 +1,84 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/contributing-docs.html
+applies_to:
+  stack: discontinued 8.18
+---
+
+# Contributing to the docs [contributing-docs]
+
+The Beats documentation follows the tagging guidelines described in the [Docs HOWTO](https://github.com/elastic/docs/blob/master/README.asciidoc). However it extends these capabilities in a couple ways:
+
+* The documentation makes extensive use of [AsciiDoc conditionals](https://docs.asciidoctor.org/asciidoc/latest/directives/conditionals/) to provide content that is reused across multiple books. This means that there might not be a single source file for each published HTML page. Some files are shared across multiple books, either as complete pages or snippets. For more details, refer to [Where to find the Beats docs source](#where-to-find-files).
+* The documentation includes some files that are generated from YAML source or pieced together from content that lives in `_meta` directories under the code (for example, the module and exported fields documentation). For more details, refer to [Generated docs](#generated-docs).
+
+
+## Where to find the Beats docs source [where-to-find-files]
+
+Because the Beats documentation makes use of shared content, doc generation scripts, and componentization, the source files are located in several places:
+
+| Documentation | Location of source files |
+| --- | --- |
+| Main docs for the Beat, including index files | `<beatname>/docs` |
+| Shared docs and Beats Platform Reference | `libbeat/docs` |
+| Processor docs | `docs` folders under processors in `libbeat/processors/`,`x-pack/<beatname>/processors/`, and `x-pack/libbeat/processors/` |
+| Output docs | `docs` folders under outputs in `libbeat/outputs/` |
+| Module docs | `_meta` folders under modules and datasets in `libbeat/module/`,`<beatname>/module/`, and `x-pack/<beatname>/module/` |
+
+The [conf.yaml](https://github.com/elastic/docs/blob/master/conf.yaml) file in the `docs` repo shows all the resources used to build each book. This file is used to drive the classic docs build and is the source of truth for file locations.
+
+::::{tip}
+If you can’t find the source for a page you want to update, go to the published page at www.elastic.co and click the Edit link to navigate to the source.
+::::
+
+
+The Beats documentation build also has dependencies on the following files in the [docs](https://github.com/elastic/docs) repo:
+
+* `shared/versions/stack/<version>.asciidoc`
+* `shared/attributes.asciidoc`
+
+
+## Generated docs [generated-docs]
+
+After updating `docs.asciidoc` files in `_meta` directories, you must run the doc collector scripts to regenerate the docs.
+
+Make sure you [set up your Beats development environment](./index.md#setting-up-dev-environment) and use the correct Go version. The Go version is listed in the `version.asciidoc` file for the branch you want to update.
+
+To run the docs collector scripts, change to the beats directory and run:
+
+`make update`
+
+::::{warning}
+The `make update` command overwrites files in the `docs` directories **without warning**. If you accidentally update a generated file and run `make update`, your changes will be overwritten.
+::::
+
+
+To format your files, you might also need to run this command:
+
+`make fmt`
+
+The make command calls the following scripts to generate the docs:
+
+[auditbeat/scripts/docs_collector.py](https://github.com/elastic/beats/blob/main/auditbeat/scripts/docs_collector.py) generates:
+
+* `auditbeat/docs/modules_list.asciidoc`
+* `auditbeat/docs/modules/*.asciidoc`
+
+[filebeat/scripts/docs_collector.py](https://github.com/elastic/beats/blob/main/filebeat/scripts/docs_collector.py) generates:
+
+* `filebeat/docs/modules_list.asciidoc`
+* `filebeat/docs/modules/*.asciidoc`
+
+[metricbeat/scripts/mage/docs_collector.go](https://github.com/elastic/beats/blob/main/metricbeat/scripts/mage/docs_collector.go) generates:
+
+* `metricbeat/docs/modules_list.asciidoc`
+* `metricbeat/docs/modules/*.asciidoc`
+
+[libbeat/scripts/generate_fields_docs.py](https://github.com/elastic/beats/blob/main/libbeat/scripts/generate_fields_docs.py) generates
+
+* `auditbeat/docs/fields.asciidoc`
+* `filebeat/docs/fields.asciidoc`
+* `heartbeat/docs/fields.asciidoc`
+* `metricbeat/docs/fields.asciidoc`
+* `packetbeat/docs/fields.asciidoc`
+* `winlogbeat/docs/fields.asciidoc`
diff --git a/docs/extend/creating-metricbeat-module.md b/docs/extend/creating-metricbeat-module.md
new file mode 100644
index 000000000000..69accfff000c
--- /dev/null
+++ b/docs/extend/creating-metricbeat-module.md
@@ -0,0 +1,176 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/creating-metricbeat-module.html
+---
+
+# Creating a Metricbeat Module [creating-metricbeat-module]
+
+Metricbeat modules are used to group multiple metricsets together and to implement shared functionality of the metricsets. In most cases, no implementation of the module is needed and the default module implementation is automatically picked.
+
+It’s important to complete the configuration and documentation files for a module. When you create a new metricset by running `make create-metricset`, default versions of these files are generated in the `_meta` directory.
+
+
+## Module Files [_module_files]
+
+* `config.yml` and `config.reference.yml`
+* `docs.asciidoc`
+* `fields.yml`
+
+After updating any of these files, make sure you run `make update` in your beat directory so all generated files are updated.
+
+
+### config.yml and config.reference.yml [_config_yml_and_config_reference_yml]
+
+The `config.yml` file contains the basic configuration options and looks like this:
+
+```yaml
+- module: {module}
+  metricsets: ["{metricset}"]
+  enabled: false
+  period: 10s
+  hosts: ["localhost"]
+```
+
+It contains the module name, your metricset, and the default period. If you have multiple metricsets in your module, make sure that you extend the metricset array:
+
+```yaml
+  metricsets: ["{metricset1}", "{metricset2}"]
+```
+
+The `full.config.yml` file is optional and by default has the same content as the `config.yml`. It is used to add and document more advanced configuration options that should not be part of the minimal config file shipped by default.
+
+
+### docs.asciidoc [_docs_asciidoc]
+
+The `docs.asciidoc` file contains the documentation about your module. During generation of the documentation, the default config file will be appended to the docs. Use this file to describe your module in more detail and to document specific configuration options.
+
+```asciidoc
+This is the {module} module.
+```
+
+
+### fields.yml [_fields_yml_2]
+
+The `fields.yml` file contains the top level structure for the fields in your metricset. It’s used in combination with the `fields.yml` file in each metricset to generate the template and documentation for the fields.
+
+The default file looks like this:
+
+```yaml
+- key: {module}
+  title: "{module}"
+  release: beta
+  description: >
+    {module} module
+  fields:
+    - name: {module}
+      type: group
+      description: >
+      fields:
+```
+
+Make sure that you update at least the description of the module.
+
+
+## Testing [_testing_2]
+
+It’s a common pattern to use a `testing.go` file in the module package to share some testing functionality among the metricsets. This file does not have `_test.go` in the name because otherwise it would not be compiled for sub packages.
+
+To see an example of the `testing.go` file, look at the [mysql module](https://github.com/elastic/beats/tree/master/metricbeat/module/mysql).
+
+
+### Test a Metricbeat module manually [_test_a_metricbeat_module_manually]
+
+To test a Metricbeat module manually, follow the steps below.
+
+First we have to build the Docker image which is available for the modules. The Dockerfile is located inside a `_meta` folder within each module folder. As an example let’s take MySQL module.
+
+This steps assume you have checked out the Beats repository from Github and are inside `beats` directory. First, we have to enter in the `_meta` folder mentioned above and build the Docker image called `metricbeat-mysql`:
+
+```bash
+$ cd metricbeat/module/mysql/_meta/
+$ docker build -t metricbeat-mysql .
+...
+Removing intermediate container 0e58cfb7b197
+ ---> 9492074840ea
+Step 5/5 : COPY test.cnf /etc/mysql/conf.d/test.cnf
+ ---> 002969e1d810
+Successfully built 002969e1d810
+Successfully tagged metricbeat-mysql:latest
+```
+
+Before we run the container we have just created, we also need to know which port to expose. The port is listed in the `metricbeat/{{module}}/_meta/env` file:
+
+```bash
+$ cat env
+MYSQL_DSN=root:test@tcp(mysql:3306)/
+MYSQL_HOST=mysql
+MYSQL_PORT=3306
+```
+
+As we see, the port is 3306. We now have all the information to start our MySQL service locally:
+
+```bash
+$ docker run -p 3306:3306 -e MYSQL_ROOT_PASSWORD=secret metricbeat-mysql
+```
+
+This starts the container and you can now use it for testing the MySQL module.
+
+To run Metricbeat with the module we need to build the binary, enable the module first. The assumption is now that you are back in the `beats` folder path:
+
+```bash
+$ cd metricbeat
+$ mage build
+$ ./metricbeat modules enable mysql
+```
+
+This will enable the module and rename file `metricbeat/modules.d/mysql.yml.disabled` to `metricbeat/modules.d/mysql.yml`. According to our [documentation](/reference/metricbeat/metricbeat-module-mysql.md) we should specify username and password to user MySQL. It’s always a good idea to take a look at the docs to see also that a pre-built dashboard is also available. So tweaking the config a bit, this is how it looks like:
+
+```yaml
+$ cat modules.d/mysql.yml
+
+# Module: mysql
+# Docs: /beats/docs/reference/ingestion-tools/beats-metricbeat/metricbeat-module-mysql.md
+
+- module: mysql
+  metricsets:
+    - status
+  #  - galera_status
+  period: 10s
+
+  # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/"
+  # or "unix(/var/lib/mysql/mysql.sock)/",
+  # or another DSN format supported by <https://github.com/Go-SQL-Driver/MySQL/>.
+  # The username and password can either be set in the DSN or using the username
+  # and password config options. Those specified in the DSN take precedence.
+  hosts: ["tcp(127.0.0.1:3306)/"]
+
+  # Username of hosts. Empty by default.
+  username: root
+
+  # Password of hosts. Empty by default.
+  password: secret
+```
+
+It’s now sending data to your local Elasticsearch instance. If you need to modify the mysql config, adjust `modules.d/mysql.yml` and restart Metricbeat.
+
+
+### Run Environment tests for one module [_run_environment_tests_for_one_module]
+
+All the environments are setup with docker. `make integration-tests-environment` and `make system-tests-environment` can be used to run tests for all modules. In case you are developing a module it is convenient to run the tests only for one module and directly run it on your machine.
+
+First you need to start the environment for your module to test and expose the port to your local machine. For this you can run the following command inside the metricbeat directory:
+
+```bash
+MODULE=apache PORT=80 make run-module
+```
+
+Note: The apache module with port 80 is taken here as an example. You must put the name and port for your own module here.
+
+This will start the environment and you must wait until the service is completely started. After that you can run the test which require an environment:
+
+```bash
+MODULE=apache make test-module
+```
+
+This will run the integration and system tests connecting to the environment in your docker container.
+
diff --git a/docs/extend/creating-metricsets.md b/docs/extend/creating-metricsets.md
new file mode 100644
index 000000000000..134078c4b929
--- /dev/null
+++ b/docs/extend/creating-metricsets.md
@@ -0,0 +1,332 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/creating-metricsets.html
+---
+
+# Creating a Metricset [creating-metricsets]
+
+::::{important}
+Elastic provides no warranty or support for the code used to generate metricsets. The generator is mainly offered as guidance for developers who want to create their own data shippers.
+::::
+
+
+A metricset is the part of a Metricbeat module that fetches and structures the data from the remote service. Each module can have multiple metricsets. In this guide, you learn how to create your own metricset.
+
+When creating a metricset for the first time, it generally helps to look at the implementation of existing metricsets for inspiration.
+
+To create a new metricset:
+
+1. Run the following command inside the metricbeat beat directory:
+
+    ```bash
+    make create-metricset
+    ```
+
+    You need Python to run this command, then, you’ll be prompted to enter a module and metricset name. Remember that a module represents the service you want to retrieve metrics from (like Redis) and a metricset is a specific set of grouped metrics (like `info` on Redis). Only use characters `[a-z]` and, if required, underscores (`_`). No other characters are allowed.
+
+    When you run `make create-metricset`, it creates all the basic files for your metricset, along with the required module files if the module does not already exist. See [Creating a Metricbeat Module](/extend/creating-metricbeat-module.md) for more details about the module files.
+
+    ::::{note}
+    We use `{{metricset}}`, `{{module}}`, and `{{beat}}` in this guide as placeholders. You need to replace these with the actual names of your metricset, module, and beat.
+    ::::
+
+
+    The metricset that you created is already a functioning metricset and can be compiled.
+
+2. Compile your new metricset by running the following command:
+
+    ```bash
+    mage update
+    mage build
+    ```
+
+    The first command, `mage update`, updates all generated files with the most recent files, data, and meta information from the metricset. The second command, `mage build`, compiles your source code and provides you with a binary called metricbeat in the same folder. You can run the binary in debug mode with the following command:
+
+    ```bash
+    ./metricbeat -e -d "*"
+    ```
+
+
+After running the mage commands, you’ll find the metricset, along with its generated files, under `module/{{module}}/{metricset}`. This directory contains the following files:
+
+* `\{{metricset}}.go`
+* `_meta/docs.asciidoc`
+* `_meta/data.json`
+* `_meta/fields.yml`
+
+Let’s look at the files in more detail next.
+
+
+## `{{metricset}}.go` File [_metricset_go_file]
+
+The first file is `{{metricset}}.go`. It contains the logic on how to fetch data from the service and convert it for sending to the output.
+
+The generated file looks like this:
+
+[https://github.com/elastic/beats/blob/main/metricbeat/scripts/module/metricset/metricset.go.tmpl](https://github.com/elastic/beats/blob/main/metricbeat/scripts/module/metricset/metricset.go.tmpl)
+
+```go
+package {metricset}
+
+import (
+    "github.com/elastic/elastic-agent-libs/mapstr"
+	"github.com/elastic/beats/v7/libbeat/common/cfgwarn"
+	"github.com/elastic/beats/v7/metricbeat/mb"
+)
+
+// init registers the MetricSet with the central registry as soon as the program
+// starts. The New function will be called later to instantiate an instance of
+// the MetricSet for each host is defined in the module's configuration. After the
+// MetricSet has been created then Fetch will begin to be called periodically.
+func init() {
+	mb.Registry.MustAddMetricSet("{module}", "{metricset}", New)
+}
+
+// MetricSet holds any configuration or state information. It must implement
+// the mb.MetricSet interface. And this is best achieved by embedding
+// mb.BaseMetricSet because it implements all of the required mb.MetricSet
+// interface methods except for Fetch.
+type MetricSet struct {
+	mb.BaseMetricSet
+	counter int
+}
+
+// New creates a new instance of the MetricSet. New is responsible for unpacking
+// any MetricSet specific configuration options if there are any.
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
+	cfgwarn.Beta("The {module} {metricset} metricset is beta.")
+
+	config := struct{}{}
+	if err := base.Module().UnpackConfig(&config); err != nil {
+		return nil, err
+	}
+
+	return &MetricSet{
+		BaseMetricSet: base,
+		counter:       1,
+	}, nil
+}
+
+// Fetch method implements the data gathering and data conversion to the right
+// format. It publishes the event which is then forwarded to the output. In case
+// of an error set the Error field of mb.Event or simply call report.Error().
+func (m *MetricSet) Fetch(report mb.ReporterV2) error {
+	report.Event(mb.Event{
+		MetricSetFields: mapstr.M{
+			"counter": m.counter,
+		},
+	})
+	m.counter++
+
+	return nil
+}
+```
+
+The `package` clause and `import` declaration are part of the base structure of each Go file. You should only modify this part of the file if your implementation requires more imports.
+
+
+### Initialisation [_initialisation]
+
+The init method registers the metricset with the central registry. In Go the `init()` function is called before the execution of all other code. This means the module will be automatically registered with the global registry.
+
+The `New` method, which is passed to `MustAddMetricSet`, will be called after the setup of the module and before starting to fetch data. You normally don’t need to change this part of the file.
+
+```go
+func init() {
+	mb.Registry.MustAddMetricSet("{module}", "{metricset}", New)
+}
+```
+
+
+### Definition [_definition]
+
+The MetricSet type defines all fields of the metricset. As a minimum it must be composed of the `mb.BaseMetricSet` fields, but can be extended with additional entries. These variables can be used to persist data or configuration between multiple fetch calls.
+
+You can add more fields to the MetricSet type, as you can see in the following example where the `username` and `password` string fields are added:
+
+```go
+type MetricSet struct {
+	mb.BaseMetricSet
+	username    string
+	password    string
+}
+```
+
+
+### Creation [_creation]
+
+The `New` function creates a new instance of the MetricSet. The setup process of the MetricSet is also part of `New`. This method will be called before `Fetch` is called the first time.
+
+The `New` function also sets up the configuration by processing additional configuration entries, if needed.
+
+```go
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
+
+	config := struct{}{}
+
+	if err := base.Module().UnpackConfig(&config); err != nil {
+		return nil, err
+	}
+
+	return &MetricSet{
+		BaseMetricSet: base,
+	}, nil
+}
+```
+
+
+### Fetching [_fetching]
+
+The `Fetch` method is the central part of the metricset. `Fetch` is called every time new data is retrieved. If more than one host is defined, `Fetch` is called once for each host. The frequency of calling `Fetch` is based on the `period` defined in the configuration file.
+
+`Fetch` must publish the event using the `mb.ReporterV2.Event` method. If an error happens, `Fetch` can return an error, or if `Event` is being called in a loop, published using the `mb.ReporterV2.Error` method. This means that Metricbeat always sends an event, even on failure. You must make sure that the error message helps to identify the actual error.
+
+The following example shows a metricset `Fetch` method with a counter that is incremented for each `Fetch` call:
+
+```go
+func (m *MetricSet) Fetch(report mb.ReporterV2) error {
+
+	report.Event(mb.Event{
+		MetricSetFields: common.MapStr{
+			"counter": m.counter,
+		}
+	})
+	m.counter++
+
+	return nil
+}
+```
+
+The JSON output derived from the reported event will be identical to the naming and structure you use in `common.MapStr`. For more details about `MapStr` and its functions, see the [MapStr API docs](https://godoc.org/github.com/elastic/beats/libbeat/common#MapStr).
+
+
+### Multi Fetching [_multi_fetching]
+
+`Event` can be called multiple times inside of the `Fetch` method for metricsets that might expose multiple events. `Event` returns a bool that indicates if the metricset is already closed and no further events can be processed, in which case `Fetch` should return immediately. If there is an error while processing one of many events, it can be published using the `mb.ReporterV2.Error` method, as opposed to returning an error value.
+
+
+### Parsing and Normalizing Fields [_parsing_and_normalizing_fields]
+
+In Metricbeat we aim to normalize the metric names from all metricsets to respect a common [set of conventions](/extend/event-conventions.md). This makes it easy for users to find and interpret metrics. To simplify parsing, converting, renaming, and restructuring of the object read from the monitored system to the Metricbeat format, we have created the [schema](https://godoc.org/github.com/elastic/beats/libbeat/common/schema) package that allows you to declaratively define transformations.
+
+For example, assuming this input object:
+
+```go
+input := map[string]interface{}{
+	"testString":     "hello",
+	"testInt":        "42",
+	"testBool":       "true",
+	"testFloat":      "42.1",
+	"testObjString":  "hello, object",
+}
+```
+
+And the requirement to transform it into this one:
+
+```go
+common.MapStr{
+	"test_string": "hello",
+	"test_int":    int64(42),
+	"test_bool":   true,
+	"test_float":  42.1,
+	"test_obj": common.MapStr{
+		"test_obj_string": "hello, object",
+	},
+}
+```
+
+You can use the schema package to transform the data, and optionally mark some fields in a schema as required or not. For example:
+
+```go
+import (
+	s "github.com/elastic/beats/libbeat/common/schema"
+	c "github.com/elastic/beats/libbeat/common/schema/mapstrstr"
+)
+
+var (
+	schema = s.Schema{
+		"test_string": c.Str("testString", s.Required), <1>
+		"test_int":    c.Int("testInt"), <2>
+		"test_bool":   c.Bool("testBool", s.Optional), <3>
+		"test_float":  c.Float("testFloat"),
+		"test_obj": s.Object{
+			"test_obj_string": c.Str("testObjString", s.IgnoreAllErrors), <4>
+		},
+	}
+)
+
+func eventMapping(input map[string]interface{}) common.MapStr {
+	return schema.Apply(input) <5>
+}
+```
+
+1. Marks a field as required.
+2. If a field has no schema option set, it is equivalent to `Required`.
+3. Marks the field as optional.
+4. Ignore any value conversion error
+5. By default, `Apply` will fail and return an error if any required field is missing. Using the optional second argument, you can specify how `Apply` handles different fields of the  schema. The possible values are:* `AllRequired` is the default behavior. Returns an error if any required field is missing, including fields that are required because no schema option is set.
+* `FailOnRequired`  will fail if a field explicitly marked as `required` is missing.
+* `NotFoundKeys(cb func([]string))` takes a callback function that will be called with a list of missing keys, allowing for finer-grained error handling.
+
+
+
+In the above example, note that it is possible to create the schema object once and apply it to all events. You can also use `ApplyTo` to add additional data to an existing `MapStr` object:
+
+```go
+var (
+	schema = s.Schema{
+		"test_string": c.Str("testString"),
+		"test_int":    c.Int("testInt"),
+		"test_bool":   c.Bool("testBool"),
+		"test_float":  c.Float("testFloat"),
+		"test_obj": s.Object{
+			"test_obj_string": c.Str("testObjString"),
+		},
+	}
+
+	additionalSchema = s.Schema{
+		"second_string": c.Str("secondString"),
+		"second_int": c.Int("secondInt"),
+	}
+)
+
+	data, err := schema.Apply(input)
+	if err != nil {
+		return err
+	}
+
+	if m.parseMoreData{
+		_, err := additionalSchema.ApplyTo(data, input)
+		if len(err) > 0 { <1>
+			return err.Err()
+		}
+	}
+```
+
+1. `ApplyTo` returns a raw MultiError object, making it suitable for finer-grained error handling.
+
+
+
+## Configuration File [_configuration_file]
+
+The configuration file for a metricset is handled by the module. If there are multiple metricsets in one module, make sure you add all metricsets to the configuration. For example:
+
+```go
+metricbeat:
+  modules:
+    - module: {module-name}
+      metricsets: ["{metricset1}", "{metricset2}"]
+```
+
+::::{note}
+Make sure that you run `make collect` after updating the config file so that your changes are also applied to the global configuration file and the docs.
+::::
+
+
+For more details about the Metricbeat configuration file, see the topic about [Modules](/reference/metricbeat/configuration-metricbeat.md) in the Metricbeat documentation.
+
+
+## What to Do Next [_what_to_do_next]
+
+This topic provides basic steps for creating a metricset. For more details about metricsets and how to extend your metricset further, see [Metricset Details](/extend/metricset-details.md).
+
diff --git a/docs/extend/dev-faq.md b/docs/extend/dev-faq.md
new file mode 100644
index 000000000000..c51349b7abdc
--- /dev/null
+++ b/docs/extend/dev-faq.md
@@ -0,0 +1,23 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/dev-faq.html
+---
+
+# Metricbeat Developer FAQ [dev-faq]
+
+This is a list of common questions when creating a metricset and the potential answers.
+
+
+## Metricset is not compiled [_metricset_is_not_compiled]
+
+You are compiling your Beat, but the newly created metricset is not compiled?
+
+Make sure that the path to your module and metricset are added as an import path either in your `main.go` file or your `include/list.go` file. You can do this manually or by running `make imports`.
+
+
+## Metricset is not started [_metricset_is_not_started]
+
+The metricset is compiled, but not started when starting Metricbeat?
+
+After creating your metricset, make sure you run `make collect`. This command adds the configuration of your metricset to the default configuration. If the metricset still doesn’t start, check your default configuration file to see if the metricset is listed there.
+
diff --git a/docs/extend/event-conventions.md b/docs/extend/event-conventions.md
new file mode 100644
index 000000000000..add697dc01f6
--- /dev/null
+++ b/docs/extend/event-conventions.md
@@ -0,0 +1,72 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/event-conventions.html
+---
+
+# Naming Conventions [event-conventions]
+
+When creating events, use the following conventions for field names and abbreviations.
+
+## Field Names [field-names]
+
+Use the following naming conventions for field names:
+
+* All fields must be lower case.
+* Use snake case (underscores) for combining words.
+* Group related fields into subdocuments by using dot (.) notation. Groups typically have common prefixes. For example, if you have fields called `CPULoad` and `CPUSystem` in a service, you would convert them into `cpu.load` and `cpu.system` in the event.
+* Avoid repeating the namespace in field names. If a word or abbreviation appears in the namespace, it’s not needed in the field name. For example, instead of `cpu.cpu_load`, use `cpu.load`.
+* Use [units suffix](#units) when the metric matches one of the known units.
+* Use [standardised names](#abbreviations) and avoid using abbreviations that aren’t commonly known.
+* Organise the documents from general to specific to allow for namespacing. The type, such as `.pct`, should always be last. For example, `system.core.user.pct`.
+* If two fields are the same, but with different units, remove the less granular one. For example, include `timeout.sec`, but don’t include `timeout.min`. If a less granular value is required, you can calculate it later.
+* If a field name matches the namespace used for nested fields, add `.value` to the field name. For example, instead of:
+
+    ```yaml
+    workers
+    workers.busy
+    workers.idle
+    ```
+
+    Use:
+
+    ```yaml
+    workers.value
+    workers.busy
+    workers.idle
+    ```
+
+* Do not use dots (.) in individual field names. Dots are reserved for grouping related fields into subdocuments.
+* Use singular and plural names properly to reflect the field content. For example, use `requests_per_sec` rather than `request_per_sec`.
+
+
+## Units [units]
+
+These are well-known suffixes to represent units of stored values, use them as a dotted suffix when possible. For example `system.memory.used.bytes` or `system.diskio.read.count`:
+
+| Suffix | Units |
+| --- | --- |
+| count | item count |
+| pct | percentage |
+| day | days |
+| sec | seconds |
+| ms | millisecond |
+| us | microseconds |
+| ns | nanoseconds |
+| bytes | bytes |
+| mb | megabytes |
+
+
+## Standardised Names [abbreviations]
+
+Here is a list of standardised names and units that are used across all Beats:
+
+| Use…​ | Instead of…​ |
+| --- | --- |
+| avg | average |
+| connection | conn |
+| max | maximum |
+| min | minimum |
+| request | req |
+| msg | message |
+
+
diff --git a/docs/extend/event-fields-yml.md b/docs/extend/event-fields-yml.md
new file mode 100644
index 000000000000..9d58a112cb52
--- /dev/null
+++ b/docs/extend/event-fields-yml.md
@@ -0,0 +1,172 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/event-fields-yml.html
+---
+
+# Defining field mappings [event-fields-yml]
+
+You must define the fields used by your Beat, along with their mapping details, in `_meta/fields.yml`. After editing this file, run `make update`.
+
+Define the field mappings in the `fields` array:
+
+```yaml
+- key: mybeat
+  title: mybeat
+  description: These are the fields used by mybeat.
+  fields:
+    - name: last_name <1>
+      type: keyword <2>
+      required: true <3>
+      description: > <4>
+        The last name.
+    - name: first_name
+      type: keyword
+      required: true
+      description: >
+        The first name.
+    - name: comment
+      type: text
+      required: false
+      description: >
+        Comment made by the user.
+```
+
+1. `name`: The field name
+2. `type`: The field type. The value of `type` can be any datatype [available in {{es}}](elasticsearch://reference/elasticsearch/mapping-reference/field-data-types.md). If no value is specified, the default type is `keyword`.
+3. `required`: Whether or not a field value is required
+4. `description`: Some information about the field contents
+
+
+## Mapping parameters [_mapping_parameters]
+
+You can specify other mapping parameters for each field. See the [{{es}} Reference](elasticsearch://reference/elasticsearch/mapping-reference/mapping-parameters.md) for more details about each parameter.
+
+`format`
+:   Specify a custom date format used by the field.
+
+`multi_fields`
+:   For `text` or `keyword` fields, use `multi_fields` to define multi-field mappings.
+
+`enabled`
+:   Whether or not the field is enabled.
+
+`analyzer`
+:   Which analyzer to use when indexing.
+
+`search_analyzer`
+:   Which analyzer to use when searching.
+
+`norms`
+:   Applies to `text` and `keyword` fields. Default is `false`.
+
+`dynamic`
+:   Dynamic field control. Can be one of `true` (default), `false`, or `strict`.
+
+`index`
+:   Whether or not the field should be indexed.
+
+`doc_values`
+:   Whether or not the field should have doc values generated.
+
+`copy_to`
+:   Which field to copy the field value into.
+
+`ignore_above`
+:   {{es}} ignores (does not index) strings that are longer than the specified value. When this property value is missing or `0`, the `libbeat` default value of `1024` characters is used. If the value is `-1`, the {{es}} default value is used.
+
+For example, you can use the `copy_to` mapping parameter to copy the `last_name` and `first_name` fields into the `full_name` field at index time:
+
+```yaml
+- key: mybeat
+  title: mybeat
+  description: These are the fields used by mybeat.
+  fields:
+    - name: last_name
+      type: text
+      required: true
+      copy_to: full_name <1>
+      description: >
+        The last name.
+    - name: first_name
+      type: text
+      required: true
+      copy_to: full_name <2>
+      description: >
+        The first name.
+    - name: full_name
+      type: text
+      required: false
+      description: >
+        The last_name and first_name combined into one field for easy searchability.
+```
+
+1. Copy the value of `last_name` into `full_name`
+2. Copy the value of `first_name` into `full_name`
+
+
+There are also some {{kib}}-specific properties, not detailed here. These are: `analyzed`, `count`, `searchable`, `aggregatable`, and `script`. {{kib}} parameters can also be described using `pattern`, `input_format`, `output_format`, `output_precision`, `label_template`, `url_template`, and `open_link_in_current_tab`.
+
+
+## Defining text multi-fields [_defining_text_multi_fields]
+
+There are various options that you can apply when using text fields. You can define a simple text field using the default analyzer without any other options, as in the example shown earlier.
+
+To keep the original keyword value when using `text` mappings, for instance to use in aggregations or ordering, you can use a multi-field mapping:
+
+```yaml
+- key: mybeat
+  title: mybeat
+  description: These are the fields used by mybeat.
+  fields:
+    - name: city
+      type: text
+      multi_fields: <1>
+        - name: keyword <2>
+          type: keyword <3>
+```
+
+1. `multi_fields`: Define the `multi_fields` mapping parameter.
+2. `name`: This is a conventional name for a multi-field. It can be anything (`raw` is another common option) but the convention is to use `keyword`.
+3. `type`: Specify the `keyword` type to use the field in aggregations or to order documents.
+
+
+For more information, see the [{{es}} documentation about multi-fields](elasticsearch://reference/elasticsearch/mapping-reference/multi-fields.md).
+
+
+## Defining a text analyzer in-line [_defining_a_text_analyzer_in_line]
+
+It is possible to define a new text analyzer or search analyzer in-line with the field definition in the field’s mapping parameters.
+
+For example, you can define a new text analyzer that does not break hyphenated names:
+
+```yaml
+- key: mybeat
+  title: mybeat
+  description: These are the fields used by mybeat.
+  fields:
+    - name: last_name
+      type: text
+      required: true
+      description: >
+        The last name.
+      analyzer:
+        mybeat_hyphenated_name: <1>
+          type: pattern <2>
+          pattern: "[\\W&&[^-]]+" <3>
+      search_analyzer:
+        mybeat_hyphenated_name: <4>
+          type: pattern
+          pattern: "[\\W&&[^-]]+"
+```
+
+1. Use a newly defined text analyzer
+2. Define the custome analyzer type
+3. Specify the analyzer behaviour
+4. Use the same analyzer for the search
+
+
+The names of custom analyzers that are defined in-line may not be reused for a different text analyzer. If a text analyzer name is reused it is checked for matching existing instances of the analyzer. It is recommended that the analyzer name is prefixed with the beat name to avoid name clashes.
+
+For more information, see [{{es}} documentation about defining custom text analyzers](docs-content://manage-data/data-store/text-analysis/create-custom-analyzer.md).
+
+
diff --git a/docs/extend/export-dashboards.md b/docs/extend/export-dashboards.md
new file mode 100644
index 000000000000..e5f339aded7f
--- /dev/null
+++ b/docs/extend/export-dashboards.md
@@ -0,0 +1,133 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/export-dashboards.html
+---
+
+# Exporting New and Modified Beat Dashboards [export-dashboards]
+
+To export all the dashboards for any Elastic Beat or any community Beat, including any new or modified dashboards and all dependencies such as visualizations, searches, you can use the Go script `export_dashboards.go` from [dev-tools](https://github.com/elastic/beats/tree/master/dev-tools/cmd/dashboards). See the dev-tools [readme](https://github.com/elastic/beats/tree/master/dev-tools/README.md) for more info.
+
+Alternatively, if the scripts above are not available, you can use your Beat binary to export Kibana 6.0 dashboards or later.
+
+## Exporting from Kibana 6.0 to 7.14 [_exporting_from_kibana_6_0_to_7_14]
+
+The `dev-tools/cmd/export_dashboards.go` script helps you export your customized Kibana dashboards until the v7.14.x release. You might need to export a single dashboard or all the dashboards available for a module or Beat.
+
+It is also possible to use a Beat binary to export.
+
+
+## Exporting from Kibana 7.15 or newer [_exporting_from_kibana_7_15_or_newer]
+
+From 7.15, your Beats version must be the same as your Kibana version to make sure the export API required is available.
+
+### Migrate legacy dashboards made with Kibana 7.14 or older [_migrate_legacy_dashboards_made_with_kibana_7_14_or_older]
+
+After you updated your Kibana instance to at least 7.15, you have to export your dashboards again with either `export_dashboards.go` tool or with your Beat.
+
+
+### Export a single Kibana dashboard [_export_a_single_kibana_dashboard]
+
+To export a single dashboard for a module you can use the following command inside a Beat with modules:
+
+```shell
+MODULE=redis ID=AV4REOpp5NkDleZmzKkE mage exportDashboard
+```
+
+```shell
+./filebeat export dashboard --id 7fea2930-478e-11e7-b1f0-cb29bac6bf8b --folder module/redis
+```
+
+This generates an appropriate folder under module/redis for the dashboard, separating assets into dashboards, searches, vizualizations, etc. Each exported file is a JSON and their names are the IDs of the assets.
+
+::::{note}
+The dashboard ID is available in the dashboard URL. For example, in case the dashboard URL is `app/kibana#/dashboard/AV4REOpp5NkDleZmzKkE?_g=()&_a=(description:'Overview%2...`, the dashboard ID is `AV4REOpp5NkDleZmzKkE`.
+::::
+
+
+
+### Export all module/Beat dashboards [_export_all_modulebeat_dashboards]
+
+Each module should contain a `module.yml` file with a list of all the dashboards available for the module. For the Beats that don’t have support for modules (e.g. Packetbeat), there is a `dashboards.yml` file that defines all the Packetbeat dashboards.
+
+Below, it’s an example of the `module.yml` file for the system module in Metricbeat:
+
+```shell
+dashboards:
+- id: Metricbeat-system-overview
+  file: Metricbeat-system-overview.ndjson
+
+- id: 79ffd6e0-faa0-11e6-947f-177f697178b8
+  file: Metricbeat-host-overview.ndjson
+
+- id: CPU-slash-Memory-per-container
+  file: Metricbeat-containers-overview.ndjson
+```
+
+Each dashboard is defined by an `id` and the name of ndjson `file` where the dashboard is saved locally.
+
+By passing the yml file to the `export_dashboards.go` script or to the Beat, you can export all the dashboards defined:
+
+```shell
+go run dev-tools/cmd/dashboards/export_dashboards.go --yml filebeat/module/system/module.yml --folder dashboards
+```
+
+```shell
+./filebeat export dashboard --yml filebeat/module/system/module.yml
+```
+
+
+### Export dashboards from a Kibana Space [_export_dashboards_from_a_kibana_space]
+
+If you are using the Kibana Spaces feature and want to export dashboards from a specific Space, pass the Space ID to the `export_dashboards.go` script:
+
+```shell
+go run dev-tools/cmd/dashboards/export_dashboards.go -space-id my-space [other-options]
+```
+
+In case of running `export dashboard` of a Beat, you need to set the Space ID in `setup.kibana.space.id`.
+
+
+
+## Exporting Kibana 5.x dashboards [_exporting_kibana_5_x_dashboards]
+
+To export only some Kibana dashboards for an Elastic Beat or community Beat, you can simply pass a regular expression to the `export_dashboards.py` script to match the selected Kibana dashboards.
+
+Before running the `export_dashboards.py` script for the first time, you need to create an environment that contains all the required Python packages.
+
+```shell
+make python-env
+```
+
+For example, to export all Kibana dashboards that start with the **Packetbeat** name:
+
+```shell
+python ../dev-tools/cmd/dashboards/export_dashboards.py --regex Packetbeat*
+```
+
+To see all the available options, read the descriptions below or run:
+
+```shell
+python ../dev-tools/cmd/dashboards/export_dashboards.py -h
+```
+
+**`--url <elasticsearch_url>`**
+:   The Elasticsearch URL. The default value is [http://localhost:9200](http://localhost:9200).
+
+**`--regex <regular_expression>`**
+:   Regular expression to match all the Kibana dashboards to be exported. This argument is required.
+
+**`--kibana <kibana_index>`**
+:   The Elasticsearch index pattern where Kibana saves its configuration. The default value is `.kibana`.
+
+**`--dir <output_dir>`**
+:   The output directory where the dashboards and all dependencies will be saved. The default value is `output`.
+
+The output directory has the following structure:
+
+```shell
+output/
+    index-pattern/
+    dashboard/
+    visualization/
+    search/
+```
diff --git a/docs/extend/filebeat-modules-devguide.md b/docs/extend/filebeat-modules-devguide.md
new file mode 100644
index 000000000000..46b158280d2d
--- /dev/null
+++ b/docs/extend/filebeat-modules-devguide.md
@@ -0,0 +1,416 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/filebeat-modules-devguide.html
+---
+
+# Creating a New Filebeat Module [filebeat-modules-devguide]
+
+::::{important}
+Elastic provides no warranty or support for the code used to generate modules and filesets. The generator is mainly offered as guidance for developers who want to create their own data shippers.
+::::
+
+
+This guide will walk you through creating a new Filebeat module.
+
+All Filebeat modules currently live in the main [Beats](https://github.com/elastic/beats) repository. To clone the repository and build Filebeat (which you will need for testing), please follow the general instructions in [*Contributing to Beats*](./index.md).
+
+
+## Overview [_overview]
+
+Each Filebeat module is composed of one or more "filesets". We usually create a module for each service that we support (`nginx` for Nginx, `mysql` for Mysql, and so on) and a fileset for each type of log that the service creates. For example, the Nginx module has `access` and `error` filesets. You can contribute a new module (with at least one fileset), or a new fileset for an existing module.
+
+::::{note}
+In this guide we use `{{module}}` and `{{fileset}}` as placeholders for the module and fileset names. You need to replace these with the actual names you entered when your created the module and fileset. Only use characters `[a-z]` and, if required, underscores (`_`). No other characters are allowed.
+::::
+
+
+
+## Creating a new module [_creating_a_new_module]
+
+Run the following command in the `filebeat` folder:
+
+```bash
+make create-module MODULE={module}
+```
+
+After running the `make create-module` command, you’ll find the module, along with its generated files, under `module/{{module}}`. This directory contains the following files:
+
+```bash
+module/{module}
+├── module.yml
+└── _meta
+    └── docs.asciidoc
+    └── fields.yml
+    └── kibana
+```
+
+Let’s look at these files one by one.
+
+
+### module.yml [_module_yml]
+
+This file contains list of all the dashboards available for the module and used by `export_dashboards.go` script for exporting dashboards. Each dashboard is defined by an id and the name of json file where the dashboard is saved locally. At generation new fileset this file will be automatically updated with "default" dashboard settings for new fileset. Please ensure that this settings are correct.
+
+
+### _meta/docs.asciidoc [_metadocs_asciidoc]
+
+This file contains module-specific documentation. You should include information about which versions of the service were tested and the variables that are defined in each fileset.
+
+
+### _meta/fields.yml [_metafields_yml]
+
+The module level `fields.yml` contains descriptions for the module-level fields. Please review and update the title and the descriptions in this file. The title is used as a title in the docs, so it’s best to capitalize it.
+
+
+### _meta/kibana [_metakibana]
+
+This folder contains the sample Kibana dashboards for this module. To create them, you can build them visually in Kibana and then export them with `export_dashboards`.
+
+The tool will export all of the dashboard dependencies (visualizations, saved searches) automatically.
+
+You can see various ways of using `export_dashboards` at [Exporting New and Modified Beat Dashboards](/extend/export-dashboards.md). The recommended way to export them is to list your dashboards in your module’s `module.yml` file:
+
+```yaml
+dashboards:
+- id: 69f5ae20-eb02-11e7-8f04-beef1daadb05
+  file: mymodule-overview.json
+- id: c0a7ce90-cafe-4242-8647-534bb4c21040
+  file: mymodule-errors.json
+```
+
+Then run `export_dashboards` like this:
+
+```shell
+$ cd dev-tools/cmd/dashboards
+$ make # if export_dashboard is not built yet
+$ ./export_dashboards --yml '../../../filebeat/module/{module}/module.yml'
+```
+
+New Filebeat modules might not be compatible with Kibana 5.x. To export dashboards that are compatible with 5.x, run the following command inside the developer virtual environment:
+
+```shell
+$ cd filebeat
+$ make python-env
+$ cd module/{module}/
+$ python ../../../dev-tools/export_5x_dashboards.py --regex {module} --dir _meta/kibana/5.x
+```
+
+Where the `--regex` parameter should match the dashboard you want to export.
+
+Please note that dashboards exported from Kibana 5.x are not compatible with Kibana 6.x.
+
+You can find more details about the process of creating and exporting the Kibana dashboards by reading [this guide](http://www.elastic.co/guide/en/beats/devguide/master/new-dashboards.md).
+
+
+## Creating a new fileset [_creating_a_new_fileset]
+
+Run the following command in the `filebeat` folder:
+
+```bash
+make create-fileset MODULE={module} FILESET={fileset}
+```
+
+After running the `make create-fileset` command, you’ll find the fileset, along with its generated files, under `module/{{module}}/{fileset}`. This directory contains the following files:
+
+```bash
+module/{module}/{fileset}
+├── manifest.yml
+├── config
+│   └── {fileset}.yml
+├── ingest
+│   └── pipeline.json
+├── _meta
+│   └── fields.yml
+│   └── kibana
+│       └── default
+└── test
+```
+
+Let’s look at these files one by one.
+
+
+### manifest.yml [_manifest_yml]
+
+The `manifest.yml` is the control file for the module, where variables are defined and the other files are referenced. It is a YAML file, but in many places in the file, you can use built-in or defined variables by using the `{{.variable}}` syntax.
+
+The `var` section of the file defines the fileset variables and their default values. The module variables can be referenced in other configuration files, and their value can be overridden at runtime by the Filebeat configuration.
+
+As the fileset creator, you can use any names for the variables you define. Each variable must have a default value. So in it’s simplest form, this is how you can define a new variable:
+
+```yaml
+var:
+  - name: pipeline
+    default: with_plugins
+```
+
+Most fileset should have a `paths` variable defined, which sets the default paths where the log files are located:
+
+```yaml
+var:
+  - name: paths
+    default:
+      - /example/test.log*
+    os.darwin:
+      - /usr/local/example/test.log*
+      - /example/test.log*
+    os.windows:
+      - c:/programdata/example/logs/test.log*
+```
+
+There’s quite a lot going on in this file, so let’s break it down:
+
+* The name of the variable is `paths` and the default value is an array with one element: `"/example/test.log*"`.
+* Note that variable values don’t have to be strings. They can be also numbers, objects, or as shown in this example, arrays.
+* We will use the `paths` variable to set the input `paths` setting, so "glob" values can be used here.
+* Besides the `default` value, the file defines values for particular operating systems: a default for darwin/OS X/macOS systems and a default for Windows systems. These are introduced via the `os.darwin` and `os.windows` keywords. The values under these keys become the default for the variable, if Filebeat is executed on the respective OS.
+
+Besides the variable definition, the `manifest.yml` file also contains references to the ingest pipeline and input configuration to use (see next sections):
+
+```yaml
+ingest_pipeline: ingest/pipeline.json
+input: config/testfileset.yml
+```
+
+These should point to the respective files from the fileset.
+
+Note that when evaluating the contents of these files, the variables are expanded, which enables you to select one file or the other depending on the value of a variable. For example:
+
+```yaml
+ingest_pipeline: ingest/{{.pipeline}}.json
+```
+
+This example selects the ingest pipeline file based on the value of the `pipeline` variable. For the `pipeline` variable shown earlier, the path would resolve to `ingest/with_plugins.json` (assuming the variable value isn’t overridden at runtime.)
+
+In 6.6 and later, you can specify multiple ingest pipelines.
+
+```yaml
+ingest_pipeline:
+  - ingest/main.json
+  - ingest/plain_logs.json
+  - ingest/json_logs.json
+```
+
+When multiple ingest pipelines are specified the first one in the list is considered to be the entry point pipeline.
+
+One reason for using multiple pipelines might be to send all logs harvested by this fileset to the entry point pipeline and have it delegate different parts of the processing to other pipelines. You can read details about setting this up in [the `ingest/*.json` section](#ingest-json-entry-point-pipeline).
+
+
+### config/*.yml [_config_yml]
+
+The `config/` folder contains template files that generate Filebeat input configurations. The Filebeat inputs are primarily responsible for tailing files, filtering, and multi-line stitching, so that’s what you configure in the template files.
+
+A typical example looks like this:
+
+```yaml
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+```
+
+You’ll find this example in the template file that gets generated automatically when you run `make create-fileset`. In this example, the `paths` variable is used to construct the `paths` list for the input `paths` option.
+
+Any template files that you add to the `config/` folder need to generate a valid Filebeat input configuration in YAML format. The options accepted by the input configuration are documented in the [Filebeat Inputs](/reference/filebeat/configuration-filebeat-options.md) section of the Filebeat documentation.
+
+The template files use the templating language defined by the [Go standard library](https://golang.org/pkg/text/template/).
+
+Here is another example that also configures multiline stitching:
+
+```yaml
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+multiline:
+  pattern: "^# User@Host: "
+  negate: true
+  match: after
+```
+
+Although you can add multiple configuration files under the `config/` folder, only the file indicated by the `manifest.yml` file will be loaded. You can use variables to dynamically switch between configurations.
+
+
+### ingest/*.json [_ingest_json]
+
+The `ingest/` folder contains {{es}} [ingest pipeline](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md) configurations. Ingest pipelines are responsible for parsing the log lines and doing other manipulations on the data.
+
+The files in this folder are JSON or YAML documents representing [pipeline definitions](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md). Just like with the `config/` folder, you can define multiple pipelines, but a single one is loaded at runtime based on the information from `manifest.yml`.
+
+The generator creates a JSON object similar to this one:
+
+```json
+{
+  "description": "Pipeline for parsing {module} {fileset} logs",
+  "processors": [
+    ],
+  "on_failure" : [{
+    "set" : {
+      "field" : "error.message",
+      "value" : "{{ _ingest.on_failure_message }}"
+    }
+  }]
+}
+```
+
+Alternatively, you can use YAML formatted pipelines, which uses a simpler syntax:
+
+```yaml
+description: "Pipeline for parsing {module} {fileset} logs"
+processors:
+on_failure:
+ - set:
+     field: error.message
+     value: "{{ _ingest.on_failure_message }}"
+```
+
+From here, you would typically add processors to the `processors` array to do the actual parsing. For information about available ingest processors, see the [processor reference documentation](elasticsearch://reference/ingestion-tools/enrich-processor/index.md). In particular, you will likely find the [grok processor](elasticsearch://reference/ingestion-tools/enrich-processor/grok-processor.md) to be useful for parsing. Here is an example for parsing the Nginx access logs.
+
+```json
+{
+  "grok": {
+    "field": "message",
+    "patterns":[
+      "%{IPORHOST:nginx.access.remote_ip} - %{DATA:nginx.access.user_name} \\[%{HTTPDATE:nginx.access.time}\\] \"%{WORD:nginx.access.method} %{DATA:nginx.access.url} HTTP/%{NUMBER:nginx.access.http_version}\" %{NUMBER:nginx.access.response_code} %{NUMBER:nginx.access.body_sent.bytes} \"%{DATA:nginx.access.referrer}\" \"%{DATA:nginx.access.agent}\""
+      ],
+    "ignore_missing": true
+  }
+}
+```
+
+Note that you should follow the convention of naming of fields prefixed with the module and fileset name: `{{module}}.{fileset}.field`, e.g. `nginx.access.remote_ip`. Also, please review our [Naming Conventions](/extend/event-conventions.md).
+
+$$$ingest-json-entry-point-pipeline$$$
+In 6.6 and later, ingest pipelines can use the [`pipeline` processor](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md) to delegate parts of the processings to other pipelines.
+
+This can be useful if you want a fileset to ingest the same *logical* information presented in different formats, e.g. csv vs. json versions of the same log files. Imagine an entry point ingest pipeline that detects the format of a log entry and then conditionally delegates further processing of that log entry, depending on the format, to another pipeline.
+
+```json
+{
+  "processors": [
+    {
+      "grok": {
+        "field": "message",
+        "patterns": [
+          "^%{CHAR:first_char}"
+        ],
+        "pattern_definitions": {
+          "CHAR": "."
+        }
+      }
+    },
+    {
+      "pipeline": {
+        "if": "ctx.first_char == '{'",
+        "name": "{< IngestPipeline "json-log-processing-pipeline" >}" <1>
+      }
+    },
+    {
+      "pipeline": {
+        "if": "ctx.first_char != '{'",
+        "name": "{< IngestPipeline "plain-log-processing-pipeline" >}"
+      }
+    }
+  ]
+}
+```
+
+1. Use the `IngestPipeline` template function to resolve the name. This function converts the specified name into the fully qualified pipeline ID that is stored in Elasticsearch.
+
+
+In order for the above pipeline to work, Filebeat must load the entry point pipeline as well as any sub-pipelines into Elasticsearch. You can tell Filebeat to do so by specifying all the necessary pipelines for the fileset in its `manifest.yml` file. The first pipeline in the list is considered to be the entry point pipeline.
+
+```yaml
+ingest_pipeline:
+  - ingest/main.json
+  - ingest/plain_logs.yml
+  - ingest/json_logs.json
+```
+
+While developing the pipeline definition, we recommend making use of the [Simulate Pipeline API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-ingest-simulate) for testing and quick iteration.
+
+By default Filebeat does not update Ingest pipelines if already loaded. If you want to force updating your pipeline during development, use `./filebeat setup --pipelines` command. This uploads pipelines even if they are already available on the node.
+
+
+### _meta/fields.yml [_metafields_yml_2]
+
+The `fields.yml` file contains the top-level structure for the fields in your fileset. It is used as the source of truth for:
+
+* the generated Elasticsearch mapping template
+* the generated Kibana index pattern
+* the generated documentation for the exported fields
+
+Besides the `fields.yml` file in the fileset, there is also a `fields.yml` file at the module level, placed under `module/{{module}}/_meta/fields.yml`, which should contain the fields defined at the module level, and the description of the module itself. In most cases, you should add the fields at the fileset level.
+
+After `pipeline.json` is created, it is possible to generate a base `field.yml`.
+
+```bash
+make create-fields MODULE={module} FILESET={fileset}
+```
+
+Please, always check the generated file and make sure the fields are correct. You must add field documentation manually.
+
+If the fields are correct, it is time to generate documentation, configuration and Kibana index patterns.
+
+```bash
+make update
+```
+
+
+### test [_test]
+
+In the `test/` directory, you should place sample log files generated by the service. We have integration tests, automatically executed by CI, that will run Filebeat on each of the log files under the `test/` folder and check that there are no parsing errors and that all fields are documented.
+
+In addition, assuming you have a `test.log` file, you can add a `test.log-expected.json` file in the same directory that contains the expected documents as they are found via an Elasticsearch search. In this case, the integration tests will automatically check that the result is the same on each run.
+
+In order to test the filesets with the sample logs and/or generate the expected output one should run the tests locally for a specific module, using the following procedure under Filebeat directory:
+
+1. Start an Elasticsearch instance locally. For example, using Docker:
+
+    ```bash
+    docker run \
+      --name elasticsearch \
+      -p 9200:9200 -p 9300:9300 \
+      -e "xpack.security.http.ssl.enabled=false"  -e "ELASTIC_PASSWORD=changeme" \
+      -e "discovery.type=single-node" \
+      --pull always --rm --detach \
+      docker.elastic.co/elasticsearch/elasticsearch:master-SNAPSHOT
+    ```
+
+2. Create an "admin" user on that Elasticsearch instance:
+
+    ```bash
+    curl -u elastic:changeme \
+      http://localhost:9200/_security/user/admin \
+      -X POST -H 'Content-Type: application/json' \
+      -d '{"password": "changeme", "roles": ["superuser"]}'
+    ```
+
+3. Create the testing binary: `make filebeat.test`
+4. Update fields yaml: `make update`
+5. Create python env: `make python-env`
+6. Source python env: `source ./build/python-env/bin/activate`
+7. Run a test, for example to check nginx access log parsing:
+
+    ```bash
+    INTEGRATION_TESTS=1 BEAT_STRICT_PERMS=false ES_PASS=changeme \
+    TESTING_FILEBEAT_MODULES=nginx \
+    pytest tests/system/test_modules.py -v --full-trace
+    ```
+
+8. Add and remove option env vars as required. Here are some useful ones:
+
+    * `TESTING_FILEBEAT_ALLOW_OLDER`: if set to 1, allow connecting older versions of Elasticsearch
+    * `TESTING_FILEBEAT_MODULES`: comma separated list of modules to test.
+    * `TESTING_FILEBEAT_FILESETS`: comma separated list of filesets to test.
+    * `TESTING_FILEBEAT_FILEPATTERN`: glob pattern for log files within the fileset to test.
+    * `GENERATE`: if set to 1, the expected documents will be generated.
+
+
+The filebeat logs are writen to the `build` directory. It may be useful to tail them in another terminal using `tail -F build/system-tests/run/test_modules.Test.*/output.log`.
+
+For example if there’s a syntax error in an ingest pipeline, the test will probably just hang. The filebeat log output will contain the error message from elasticsearch.
+
diff --git a/docs/extend/generate-index-pattern.md b/docs/extend/generate-index-pattern.md
new file mode 100644
index 000000000000..ac1b7cc795e1
--- /dev/null
+++ b/docs/extend/generate-index-pattern.md
@@ -0,0 +1,17 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/generate-index-pattern.html
+---
+
+# Generating the Beat Index Pattern [generate-index-pattern]
+
+The index-pattern defines the format of each field, and it’s used by Kibana to know how to display the field. If you change the fields exported by the Beat, you need to generate a new index pattern for your Beat. Otherwise, you can just use the index pattern available under the `kibana/*/index-pattern` directory.
+
+The Beat index pattern is generated from the `fields.yml`, which contains all the fields exported by the Beat. For each field, besides the `type`, you can configure the `format` field. The format informs Kibana about how to display a certain field. A good example is `percentage` or `bytes` to display fields as `50%` or `5MB`.
+
+To generate the index pattern from the `fields.yml`, you need to run the following command in the Beat repository:
+
+```shell
+make update
+```
+
diff --git a/docs/extend/getting-ready-new-protocol.md b/docs/extend/getting-ready-new-protocol.md
new file mode 100644
index 000000000000..1a427bccbccb
--- /dev/null
+++ b/docs/extend/getting-ready-new-protocol.md
@@ -0,0 +1,63 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/getting-ready-new-protocol.html
+---
+
+# Getting Ready [getting-ready-new-protocol]
+
+Packetbeat is written in [Go](http://golang.org/), so having Go installed and knowing the basics are prerequisites for understanding this guide. But don’t worry if you aren’t a Go expert. Go is a relatively new language, and very few people are experts in it. In fact, several people learned Go by contributing to Packetbeat and libbeat, including the original Packetbeat authors.
+
+You will also need a good understanding of the wire protocol that you want to add support for. For standard protocols or protocols used in open source projects, you can usually find detailed specifications and example source code. Wireshark is a very useful tool for understanding the inner workings of the protocols it supports.
+
+In some cases you can even make use of existing libraries for doing the actual parsing and decoding of the protocol. If the particular protocol has a Go implementation with a liberal enough license, you might be able to use it to parse and decode individual messages instead of writing your own parser.
+
+Before starting, please also read the [*Contributing to Beats*](./index.md).
+
+
+### Cloning and Compiling [_cloning_and_compiling]
+
+After you have [installed Go](https://golang.org/doc/install) and set up the [GOPATH](https://golang.org/doc/code.md#GOPATH) environment variable to point to your preferred workspace location, you can clone Packetbeat with the following commands:
+
+```shell
+$ mkdir -p ${GOPATH}/src/github.com/elastic
+$ cd ${GOPATH}/src/github.com/elastic
+$ git clone https://github.com/elastic/beats.git
+```
+
+Note: If you have multiple go paths use `${GOPATH%%:*}`instead of `${GOPATH}`.
+
+Then you can compile it with:
+
+```shell
+$ cd beats
+$ make
+```
+
+Note that the location where you clone is important. If you prefer working outside of the `GOPATH` environment, you can clone to another directory and only create a symlink to the `$GOPATH/src/github.com/elastic/` directory.
+
+
+## Forking and Branching [_forking_and_branching]
+
+We recommend the following work flow for contributing to Packetbeat:
+
+* Fork Beats in GitHub to your own account
+* In the `$GOPATH/src/github.com/elastic/beats` folder, add your fork as a new remote. For example (replace `tsg` with your GitHub account):
+
+```shell
+$ git remote add tsg git@github.com:tsg/beats.git
+```
+
+* Create a new branch for your work:
+
+```shell
+$ git checkout -b cool_new_protocol
+```
+
+* Commit as often as you like, and then push to your private fork with:
+
+```shell
+$ git push --set-upstream tsg cool_new_protocol
+```
+
+* When you are ready to submit your PR, simply do so from the GitHub web interface. Feel free to submit your PR early. You can still add commits to the branch after creating the PR. Submitting the PR early gives us more time to provide feedback and perhaps help you with it.
+
diff --git a/docs/extend/import-dashboards.md b/docs/extend/import-dashboards.md
new file mode 100644
index 000000000000..2f4bff91c611
--- /dev/null
+++ b/docs/extend/import-dashboards.md
@@ -0,0 +1,117 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/import-dashboards.html
+---
+
+# Importing Existing Beat Dashboards [import-dashboards]
+
+The official Beats come with Kibana dashboards, and starting with 6.0.0, they are part of every Beat package.
+
+You can use the Beat executable to import all the dashboards and the index pattern for a Beat, including the dependencies such as visualizations and searches.
+
+To import the dashboards, run the `setup` command.
+
+```shell
+./metricbeat setup
+```
+
+The `setup` phase loads several dependencies, such as:
+
+* Index mapping template in Elasticsearch
+* Kibana dashboards
+* Ingest pipelines
+* ILM policy
+
+The dependencies vary depending on the Beat you’re setting up.
+
+For more details about the `setup` command, see the command-line help. For example:
+
+```shell
+./metricbeat help setup
+
+This command does initial setup of the environment:
+
+ * Index mapping template in Elasticsearch to ensure fields are mapped.
+ * Kibana dashboards (where available).
+ * ML jobs (where available).
+ * Ingest pipelines (where available).
+ * ILM policy (for Elasticsearch 6.5 and newer).
+
+Usage:
+  metricbeat setup [flags]
+
+Flags:
+      --dashboards         Setup dashboards
+  -h, --help               help for setup
+      --index-management   Setup all components related to Elasticsearch index management, including template, ilm policy and rollover alias
+      --pipelines          Setup Ingest pipelines
+```
+
+The flags are useful when you don’t want to load everything. For example, to import only the dashboards, use the `--dashboards` flag:
+
+```shell
+./metricbeat setup --dashboards
+```
+
+Starting with Beats 6.0.0, the dashboards are no longer loaded directly into Elasticsearch. Instead, they are imported directly into Kibana. Thus, if your Kibana instance is not listening on localhost, or you enabled {{xpack}} for Kibana, you need to either configure the Kibana endpoint in the config for the Beat, or pass the Kibana host and credentials as arguments to the `setup` command. For example:
+
+```shell
+./metricbeat setup -E setup.kibana.host=192.168.3.206:5601 -E setup.kibana.username=elastic -E setup.kibana.password=secret
+```
+
+By default, the `setup` command imports the dashboards from the `kibana` directory, which is available in the Beat package.
+
+::::{note}
+The format of the saved dashboards is not compatible between Kibana 5.x and 6.x. Thus, the Kibana 5.x dashboards are available in the `5.x` directory, and the Kibana 6.0 dashboards, and older are in the `default` directory.
+::::
+
+
+In case you are using customized dashboards, you can import them:
+
+* from a local directory:
+
+    ```shell
+    ./metricbeat setup -E setup.dashboards.directory=kibana
+    ```
+
+* from a local zip archive:
+
+    ```shell
+    ./metricbeat setup -E setup.dashboards.file=metricbeat-dashboards-6.0.zip
+    ```
+
+* from a zip archive available online:
+
+    ```shell
+    ./metricbeat setup -E setup.dashboards.url=path/to/url
+    ```
+
+    See [Kibana dashboards configuration](#import-dashboard-options) for a description of the `setup.dashboards` configuration options.
+
+
+## Import Dashboards for Development [import-dashboards-for-development]
+
+You can make use of the Magefile from the Beat GitHub repository to import the dashboards. If Kibana is running on localhost, then you can run the following command from the root of the Beat:
+
+```shell
+mage dashboards
+```
+
+
+## Kibana dashboards configuration [import-dashboard-options]
+
+The configuration file (`*.reference.yml`) of each Beat contains the `setup.dashboards` section for configuring from where to get the Kibana dashboards, as well as the name of the index pattern. Each of these configuration options can be overwritten with the command line options by using `-E` flag.
+
+**`setup.dashboards.directory=<local_dir>`**
+:   Local directory that contains the saved dashboards and their dependencies. The default value is the `kibana` directory available in the Beat package.
+
+**`setup.dashboards.file=<local_archive>`**
+:   Local zip archive with the dashboards. The archive can contain Kibana dashboards for a single Beat or for multiple Beats. The dashboards of each Beat are placed under a separate directory with the name of the Beat.
+
+**`setup.dashboards.url=<zip_url>`**
+:   Zip archive with the dashboards, available online. The archive can contain Kibana dashboards for a single Beat or for multiple Beats. The dashboards for each Beat are placed under a separate directory with the name of the Beat.
+
+**`setup.dashboards.index <elasticsearch_index>`**
+:   You should only use this option if you want to change the index pattern name that’s used by default. For example, if the default is `metricbeat-*`, you can change it to `custombeat-*`.
+
+
diff --git a/docs/extend/index.md b/docs/extend/index.md
new file mode 100644
index 000000000000..9d1fc2d86f7b
--- /dev/null
+++ b/docs/extend/index.md
@@ -0,0 +1,194 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/beats-contributing.html
+---
+
+# Contribute to Beats [beats-contributing]
+
+If you have a bugfix or new feature that you would like to contribute, please start by opening a topic on the [forums](https://discuss.elastic.co/c/beats). It may be that somebody is already working on it, or that there are particular issues that you should know about before implementing the change.
+
+We enjoy working with contributors to get their code accepted. There are many approaches to fixing a problem and it is important to find the best approach before writing too much code. After committing your code, check out the [Elastic Contributor Program](https://www.elastic.co/community/contributor) where you can earn points and rewards for your contributions.
+
+The process for contributing to any of the Elastic repositories is similar.
+
+
+## Contribution Steps [contribution-steps]
+
+1. Please make sure you have signed our [Contributor License Agreement](https://www.elastic.co/contributor-agreement/). We are not asking you to assign copyright to us, but to give us the right to distribute your code without restriction. We ask this of all contributors in order to assure our users of the origin and continuing existence of the code. You only need to sign the CLA once.
+2. Send a pull request! Push your changes to your fork of the repository and [submit a pull request](https://help.github.com/articles/using-pull-requests) using our [pull request guidelines](/extend/pr-review.md). New PRs go to the main branch. The Beats core team will backport your PR if it is necessary.
+
+In the pull request, describe what your changes do and mention any bugs/issues related to the pull request. Please also add a changelog entry to [CHANGELOG.next.asciidoc](https://github.com/elastic/beats/blob/main/CHANGELOG.next.asciidoc).
+
+
+## Setting Up Your Dev Environment [setting-up-dev-environment]
+
+The Beats are Go programs, so install the 1.22.10 version of [Go](http://golang.org/) which is being used for Beats development.
+
+After [installing Go](https://golang.org/doc/install), set the [GOPATH](https://golang.org/doc/code.md#GOPATH) environment variable to point to your workspace location, and make sure `$GOPATH/bin` is in your PATH.
+
+::::{note}
+One deterministic manner to install the proper Go version to work with Beats is to use the [GVM](https://github.com/andrewkroh/gvm) Go version manager. An example for Mac users would be:
+::::
+
+
+```shell
+gvm use 1.22.10
+eval $(gvm 1.22.10)
+```
+
+Then you can clone Beats git repository:
+
+```shell
+mkdir -p ${GOPATH}/src/github.com/elastic
+git clone https://github.com/elastic/beats ${GOPATH}/src/github.com/elastic/beats
+```
+
+::::{note}
+If you have multiple go paths, use `${GOPATH%%:*}` instead of `${GOPATH}`.
+::::
+
+
+Beats developers primarily use [Mage](https://github.com/magefile/mage) for development. You can install mage using a make target:
+
+```shell
+make mage
+```
+
+Then you can compile a particular Beat by using Mage. For example, for Filebeat:
+
+```shell
+cd beats/filebeat
+mage build
+```
+
+You can list all available mage targets with:
+
+```shell
+mage -l
+```
+
+Some of the Beats might have extra development requirements, in which case you’ll find a CONTRIBUTING.md file in the Beat directory.
+
+We use an [EditorConfig](http://editorconfig.org/) file in the beats repository to standardise how different editors handle whitespace, line endings, and other coding styles in our files. Most popular editors have a [plugin](http://editorconfig.org/#download) for EditorConfig and we strongly recommend that you install it.
+
+
+## Update scripts [update-scripts]
+
+The Beats use a variety of scripts based on Python, make and mage to generate configuration files and documentation. Ensure to use the version of python listed in the [.python-version](https://github.com/elastic/beats/blob/main/.python-version) file.
+
+The primary command for updating generated files is:
+
+```shell
+make update
+```
+
+Each Beat has its own `update` target (for both `make` and `mage`), as well as a master `update` in the repository root. If a PR adds or removes a dependency, run `make update` in the root `beats` directory.
+
+Another command properly formats go source files and adds a copyright header:
+
+```shell
+make fmt
+```
+
+Both of these commands should be run before submitting a PR. You can view all the available make targets with `make help`.
+
+These commands have the following dependencies:
+
+* Python >= 3.7
+* Python [venv module](https://docs.python.org/3/library/venv.html)
+* [Mage](https://github.com/magefile/mage)
+
+Python venv module is included in the standard library in Python 3. On Debian/Ubuntu systems it also requires to install the `python3-venv` package, that includes additional support scripts:
+
+```shell
+sudo apt-get install python3-venv
+```
+
+
+## Selecting Build Targets [build-target-env-vars]
+
+Beats is built using the `make release` target. By default, make will select from a limited number of preset build targets:
+
+* darwin/amd64
+* darwin/arm64
+* linux/amd64
+* windows/amd64
+
+You can change build targets using the `PLATFORMS` environment variable. Targets set with the `PLATFORMS` variable can either be a GOOS value, or a GOOS/arch pair. For example, `linux` and `linux/amd64` are both valid targets. You can select multiple targets, and the `PLATFORMS` list is space delimited, for example `darwin windows` will build on all supported darwin and windows architectures. In addition, you can add or remove from the list of build targets by prepending `+` or `-` to a given target. For example: `+bsd` or `-darwin`.
+
+You can find the complete list of supported build targets with `go tool dist list`.
+
+
+## Linting [running-linter]
+
+Beats uses [golangci-lint](https://golangci-lint.run/). You can run the pre-configured linter against your change:
+
+```shell
+mage llc
+```
+
+`llc` stands for `Lint Last Change` which includes all the Go files that were changed in either the last commit (if you’re on the `main` branch) or in a difference between your feature branch and the `main` branch.
+
+It’s expected that sometimes a contributor will be asked to fix linter issues unrelated to their contribution since the linter was introduced later than changes in some of the files.
+
+You can also run the linter against an individual package, for example the filbeat command package:
+
+```shell
+golangci-lint run ./filebeat/cmd/...
+```
+
+
+## Testing [running-testsuite]
+
+You can run the whole testsuite with the following command:
+
+```shell
+make testsuite
+```
+
+Running the testsuite has the following requirements:
+
+* Python >= 3.7
+* Docker >= 1.12
+* Docker-compose >= 1.11
+
+For more details, refer to the [Testing](/extend/testing.md) guide.
+
+
+## Documentation [documentation]
+
+The main documentation for each Beat is located under `<beatname>/docs` and is based on [AsciiDoc](https://docs.asciidoctor.org/asciidoc/latest/). The Beats documentation also makes extensive use of conditionals and content reuse to ensure consistency and accuracy. Before contributing to the documentation, read the following resources:
+
+* [Docs HOWTO](https://github.com/elastic/docs/blob/master/README.asciidoc)
+* [Contributing to the docs](/extend/contributing-docs.md)
+
+
+## Dependencies [dependencies]
+
+In order to create Beats we rely on Golang libraries and other external tools.
+
+
+### Other dependencies [_other_dependencies]
+
+Besides Go libraries, we are using development tools to generate parsers for inputs and processors.
+
+The following packages are required to run `go generate`:
+
+
+#### Auditbeat [_auditbeat]
+
+* FlatBuffers >= 1.9
+
+
+#### Filebeat [_filebeat]
+
+* Graphviz >= 2.43.0
+* Ragel >= 6.10
+
+
+## Changelog [changelog]
+
+To keep up to date with changes to the official Beats for community developers, follow the developer changelog [here](https://github.com/elastic/beats/blob/main/CHANGELOG-developer.next.asciidoc).
+
+
+
diff --git a/docs/extend/metricbeat-dev-overview.md b/docs/extend/metricbeat-dev-overview.md
new file mode 100644
index 000000000000..bcd6d25c472e
--- /dev/null
+++ b/docs/extend/metricbeat-dev-overview.md
@@ -0,0 +1,21 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/metricbeat-dev-overview.html
+---
+
+# Overview [metricbeat-dev-overview]
+
+Metricbeat consists of modules and metricsets. A Metricbeat module is typically named after the service the metrics are fetched from, such as redis, mysql, and so on. Each module can contain multiple metricsets. A metricset represents multiple metrics that are normally retrieved with one request from the remote system. For example, the Redis `info` metricset retrieves info that you get when you run the Redis `INFO` command, and the MySQL `status` metricset retrieves info that you get when you issue the MySQL `SHOW GLOBAL STATUS` query.
+
+
+## Module and Metricsets Requirements [_module_and_metricsets_requirements]
+
+To guarantee the best user experience, it’s important to us that only high quality modules are part of Metricbeat. The modules and metricsets that are contributed must meet the following requirements:
+
+* Complete `fields.yml` file to generate docs and Elasticsearch templates
+* Documentation files
+* Integration tests
+* 80% test coverage (unit, integration, and system tests combined)
+
+Metricbeat allows you to build a wide variety of modules and metricsets on top of it. For a module to be accepted, it should focus on fetching service metrics directly from the service itself and not via a third-party tool. The goal is to have as few movable parts as possible and for Metricbeat to run as close as possible to the service that it needs to monitor.
+
diff --git a/docs/extend/metricbeat-developer-guide.md b/docs/extend/metricbeat-developer-guide.md
new file mode 100644
index 000000000000..264f1d0b8916
--- /dev/null
+++ b/docs/extend/metricbeat-developer-guide.md
@@ -0,0 +1,29 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/metricbeat-developer-guide.html
+---
+
+# Extending Metricbeat [metricbeat-developer-guide]
+
+Metricbeat periodically interrogates other services to fetch key metrics information. As a developer, you can use Metricbeat in two different ways:
+
+* Extend Metricbeat directly
+* Create your own Beat and use Metricbeat as a library
+
+We recommend that you start by creating your own Beat to keep the development of your own module or metricset independent of Metricbeat. At a later stage, if you decide to add a module to Metricbeat, you can reuse the code without making additional changes.
+
+This following topics describe how to contribute to Metricbeat by adding metricsets, modules, and new Beats based on Metricbeat:
+
+* [Overview](./metricbeat-dev-overview.md)
+* [Creating a Metricset](./creating-metricsets.md)
+* [Metricset Details](./metricset-details.md)
+* [Creating a Metricbeat Module](./creating-metricbeat-module.md)
+* [Metricbeat Developer FAQ](./dev-faq.md)
+
+If you would like to contribute to Metricbeat or the Beats project, also see [*Contributing to Beats*](./index.md).
+
+
+
+
+
+
diff --git a/docs/extend/metricset-details.md b/docs/extend/metricset-details.md
new file mode 100644
index 000000000000..c1831564bb95
--- /dev/null
+++ b/docs/extend/metricset-details.md
@@ -0,0 +1,257 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/metricset-details.html
+---
+
+# Metricset Details [metricset-details]
+
+This topic provides additional details about creating metricsets.
+
+
+## Adding Special Configuration Options [_adding_special_configuration_options]
+
+Each metricset can have its own configuration variables defined. To make use of these variables, you must extend the `New` method. For example, let’s assume that you want to add a `password` config option to the metricset. You would extend `beat.yml` in the following way:
+
+```yaml
+metricbeat.modules:
+- module: {module}
+  metricsets: ["{metricset}"]
+  password: "test1234"
+```
+
+To read in the new `password` config option, you need to modify the `New` method. First you define a config struct that contains the value types to be read. You can set default values, as needed. Then you pass the config to the `UnpackConfig` method for loading the configuration.
+
+Your implementation should look something like this:
+
+```go
+type MetricSet struct {
+	mb.BaseMetricSet
+	password string
+}
+
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
+
+	// Unpack additional configuration options.
+	config := struct {
+		Password string `config:"password"`
+	}{
+		Password: "",
+	}
+	err := base.Module().UnpackConfig(&config)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MetricSet{
+		BaseMetricSet: base,
+		password:      config.Password,
+	}, nil
+}
+```
+
+
+### Timeout Connections to Services [_timeout_connections_to_services]
+
+Each time the `Fetch` method is called, it makes a request to the service, so it’s important to handle the connections correctly. We recommended that you set up the connections in the `New` method and persist them in the `MetricSet` object. This allows connections to be reused.
+
+One very important point is that connections must respect the timeout variable: `base.Module().Config().Timeout`. If the timeout elapses before the request completes, the request must be ended and an error must be returned to make sure the next request can be started on time. By default the Timeout is set to Period, so one request gets ended before a new request is made.
+
+If a request must be ended or has an error, make sure that you return a useful error message. This error message is also sent to Elasticsearch, making it possible to not only fetch metrics from the service, but also report potential problems or errors with the metricset.
+
+
+### Data Transformation [_data_transformation]
+
+If the data transformation that has to happen in the `Fetch` method is extensive, we recommend that you create a second file called `data.go` in the same package as the metricset. The `data.go` file should contain a function called `eventMapping(...)`. A separate file is not required, but is currently a best practice because it isolates the functionality of the metricset and `Fetch` method from the data mapping.
+
+
+### fields.yml [_fields_yml]
+
+You can find up to 3 different types of files named `fields.yml` in the beats repository for each metricbeat module:
+
+* `metricbeat/fields.yml`: Contains the definitions to create the Elasticsearch template, the Kibana index pattern configuration and the exported fields documentation for metricsets. To make sure the Elasticsearch template is correct, it’s important to keep this file up-to-date with all the changes. Generally, you shouldn’t touch this file manually because it’s generated by some commands in the build environment.
+* `metricbeat/module/{{module}}/_meta/fields.yml`: Contains the general top level structure for all metricsets in a module. Normally you only need to modify the description in this file. Here is an example for the `fields.yml` file from the MySQL module.
+
+    ```yaml
+    - key: mysql
+      title: "MySQL"
+      description: >
+        MySQL server status metrics collected from MySQL.
+      short_config: false
+      release: ga
+      fields:
+        - name: mysql
+          type: group
+          description: >
+            `mysql` contains the metrics that were obtained from MySQL
+            query.
+          fields:
+    ```
+
+* `metricbeat/module/{{module}}/{metricset}/_meta/fields.yml`: Contains all fields definitions retrieved by the metricset. As field types, each field must have a core data type [supported by elasticsearch](elasticsearch://reference/elasticsearch/mapping-reference/field-data-types.md#_core_datatypes). Here’s a very basic example that shows one group from the MySQL `status` metricset:
+
+    ```yaml
+    - name: status
+      type: group
+      description: >
+        `status` contains the metrics that were obtained by the status SQL query.
+      fields:
+        - name: aborted
+          type: group
+          description: Aborted status fields.
+          fields:
+            - name: clients
+              type: integer
+              description: >
+                The number of connections that were aborted because the client died without closing the connection properly.
+
+            - name: connects
+              type: integer
+              description: >
+                The number of failed attempts to connect to the MySQL server.
+    ```
+
+
+
+### Testing [_testing]
+
+It’s important to also add tests for your metricset. There are three different types of tests that you need for testing a Beat:
+
+* unit tests
+* integration tests
+* system tests
+
+We recommend that you use all three when you create a metricset. Unit tests are written in Go and have no dependencies. Integration tests are also written in Go but require the service from which the module collects metrics to also be running. System tests for Metricbeat also require the service to be running in most cases and are written in Python based on our small Python test framework. We use [venv](https://docs.python.org/3/library/venv.html) to deal with Python dependencies. You can simply run the command `make python-env`  and then `. build/python-env/bin/activate` .
+
+You should use a combination of the three test types to test your metricsets because each method has advantages and disadvantages. To get started with your own tests, it’s best to look at the existing tests. You’ll find the unit and integration tests in the `_test.go` files under existing modules and metricsets. Integration tests usually take the form of `TestFetch` and `TestData`. The system tests are under `tests/systems`.
+
+
+#### Adding a Test Environment [_adding_a_test_environment]
+
+Integration and system tests need an environment that’s running the service. You can create this environment by using Docker and a docker-compose file. If you add a module that requires a service, you must add the service to the virtual environment. To do this, you:
+
+* Update the `docker-compose.yml` file with your environment
+* Update the `docker-entrypoint.sh` script
+
+The `docker-compose.yml` file is at the root of Metricbeat. Most services have existing Docker modules and can be added as simply as Redis:
+
+```yaml
+redis:
+  image: redis:3.2.3
+```
+
+To allow the Beat to access your service, make sure that you define the environment variables in the docker-compose file and add the link to the container:
+
+```yaml
+beat:
+  links:
+    - redis
+  environment:
+    - REDIS_HOST=redis
+    - REDIS_PORT=6379
+```
+
+To make sure the service is running before the tests are started, modify the `docker-entrypoint.sh` script to add a check that verifies your service is running. For example, the check for Redis looks like this:
+
+```shell
+waitFor ${REDIS_HOST} ${REDIS_PORT} Redis
+```
+
+The environment expects your service to be available as soon as it receives a response from the given address and port.
+
+
+#### Adding the standard metricset integration tests [_adding_the_standard_metricset_integration_tests]
+
+There are normally two integration tests that are part of every metricset: `TestFetch` and `TestData`. Both tests will start up a new instance of your metricset and fetch an event. In order to start a metricset, you need to create a configuration object:
+
+```go
+func getConfig() map[string]interface{} {
+    return map[string]interface{}{
+    "module":           "{module}",
+    "metricsets":       []string{"{metricset}"},
+    "hosts":      []string{GetEnvHost() + ":" + GetEnvPort()}, <1>
+  }
+}
+
+func GetEnvHost() string { <2>
+    host := os.Getenv("{module}_HOST")
+    if len(host) == 0 {
+    host = "127.0.0.1"
+  }
+  return host
+}
+
+func GetEnvPort() string { <2>
+    port := os.Getenv("{module}_PORT")
+
+    if len(port) == 0 {
+      port = "1234"
+    }
+  return port
+}
+```
+
+1. Add any additional config options your metricset needs here.
+2. The endpoint used by the metricset needs to be configurable for manual and automated testing. Environment variables should be defined in the module under `_meta/env` and included in the `docker-compose.yml` file.
+
+
+The `TestFetch` integration test will return a single event from your metricset, which you can use to test the validity of the data. `TestData` will (re)generate the `_meta/data.json` file that documents the data reported by the metricset.
+
+```go
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/elastic/beats/libbeat/tests/compose"
+	mbtest "github.com/elastic/beats/metricbeat/mb/testing"
+)
+
+func TestFetch(t *testing.T) {
+	compose.EnsureUp(t, "{module}") <1>
+
+	f := mbtest.NewReportingMetricSetV2Error(t, getConfig())
+
+	events, errs := mbtest.ReportingFetchV2Error(f)
+	if len(errs) > 0 {
+		t.Fatalf("Expected 0 errord, had %d. %v\n", len(errs), errs)
+	}
+
+	assert.NotEmpty(t, events) <2>
+
+}
+
+func TestData(t *testing.T) {
+
+	f := mbtest.NewReportingMetricSetV2Error(t, getConfig())
+
+	err := mbtest.WriteEventsReporterV2Error(f, t, "") <3>
+	if !assert.NoError(t, err) {
+		t.FailNow()
+	}
+}
+```
+
+1. Use this to start the docker service associated with your metricset.
+2. Add any further validity checks to verify the metricset is working.
+3. `WriteEventsReporterV2Error` will take the first valid event from the metricset and write it to `_meta/data.json`
+
+
+
+#### Running the Tests [_running_the_tests]
+
+To run all the tests, run `make testsuite`. To only run unit tests, run `mage unitTest`, or for integration tests `mage integTest`. Be aware that a running Docker environment is needed for integration and system tests.
+
+To run `TestData` and generate the `data.json` file, run `go test -tags=integration -data -run TestData` in the directory where your test is located.
+
+To run the integration tests for a single module, set the `MODULE` environment variable to the name of the directory of the module. For example you can run the following command to run integration tests for `apache` module:
+
+```shell
+MODULE=apache mage integTest
+```
+
+
+## Documentation [_documentation]
+
+Each module must be documented. The documentation is based on asciidoc and is in the file `module/{{module}}/_meta/docs.asciidoc` for the module and in `module/{{module}}/{metricset}/_meta/docs.asciidoc` for the metricset. Basic documentation with the config file and an example output is automatically generated. Use these files to document specific configuration options or usage examples.
+
diff --git a/docs/extend/new-dashboards.md b/docs/extend/new-dashboards.md
new file mode 100644
index 000000000000..912c383ae4a6
--- /dev/null
+++ b/docs/extend/new-dashboards.md
@@ -0,0 +1,28 @@
+---
+navigation_title: "Creating New Kibana Dashboards"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/new-dashboards.html
+---
+
+# Creating New Kibana Dashboards for a Beat or a Beat module [new-dashboards]
+
+
+When contributing to Beats development, you may want to add new dashboards or customize the existing ones. To get started, you can [import the Kibana dashboards](/extend/import-dashboards.md) that come with the official Beats and use them as a starting point for your own dashboards. When you’re done making changes to the dashboards in Kibana, you can use the `export_dashboards` script to [export the dashboards](/extend/export-dashboards.md), along with all dependencies, to a local directory.
+
+To make sure the dashboards are compatible with the latest version of Kibana and Elasticsearch, we recommend that you use the virtual environment under [beats/testing/environments](https://github.com/elastic/beats/tree/master/testing/environments) to import, create, and export the Kibana dashboards.
+
+The following topics provide more detail about importing and working with Beats dashboards:
+
+* [Importing Existing Beat Dashboards](/extend/import-dashboards.md)
+* [Building Your Own Beat Dashboards](/extend/build-dashboards.md)
+* [Generating the Beat Index Pattern](/extend/generate-index-pattern.md)
+* [Exporting New and Modified Beat Dashboards](/extend/export-dashboards.md)
+* [Archiving Your Beat Dashboards](/extend/archive-dashboards.md)
+* [Sharing Your Beat Dashboards](/extend/share-beat-dashboards.md)
+
+
+
+
+
+
+
diff --git a/docs/extend/new-protocol.md b/docs/extend/new-protocol.md
new file mode 100644
index 000000000000..1ad4793aae66
--- /dev/null
+++ b/docs/extend/new-protocol.md
@@ -0,0 +1,16 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/new-protocol.html
+---
+
+# Adding a New Protocol to Packetbeat [new-protocol]
+
+The following topics describe how to add a new protocol to Packetbeat:
+
+* [Getting Ready](/extend/getting-ready-new-protocol.md)
+* [Protocol Modules](/extend/protocol-modules.md)
+* [Testing](/extend/protocol-testing.md)
+
+
+
+
diff --git a/docs/extend/pr-review.md b/docs/extend/pr-review.md
new file mode 100644
index 000000000000..c764b9fff0b2
--- /dev/null
+++ b/docs/extend/pr-review.md
@@ -0,0 +1,23 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/pr-review.html
+---
+
+# Pull request review guidelines [pr-review]
+
+Every change made to Beats must be held to a high standard, and while the responsibility for quality in a pull request ultimately lies with the author, Beats team members have the responsibility as reviewers to verify during their review process. Where this document is unclear or inappropriate let common sense and consensus override it.
+
+
+## Code Style [_code_style]
+
+Everyone’s got an opinion on style. To avoid spending time on this issue we rely almost exclusively on `go fmt` and [hound](https://houndci.com/) to police style. If neither of these tools complain the code is almost certainly fine. There may be exceptions to this, but they should be extremely rare. Only override the judgement of these tools in the most unusual of situations.
+
+
+## Flaky Tests [_flaky_tests]
+
+As software projects grow so does the complexity of their test cases and with that the probability of some tests becoming *flaky*. It is everyone’s responsibility to handle flaky tests. If you notice a pull request build failing for a reason that is unrelated to the pushed code follow the procedure below:
+
+1. Create an issue using the "Flaky Test" github issue template with the "Flaky Test" label attached.
+2. Create a PR to mute or fix the flaky test.
+3. Merge that PR and rebase off of it before continuing with the normal PR process for your original PR.
+
diff --git a/docs/extend/protocol-modules.md b/docs/extend/protocol-modules.md
new file mode 100644
index 000000000000..fde1f19979fc
--- /dev/null
+++ b/docs/extend/protocol-modules.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/protocol-modules.html
+---
+
+# Protocol Modules [protocol-modules]
+
+We are working on updating this section. While you’re waiting for updates, you might want to try out the TCP protocol generator at [https://github.com/elastic/beats/tree/master/packetbeat/scripts/tcp-protocol](https://github.com/elastic/beats/tree/master/packetbeat/scripts/tcp-protocol).
+
diff --git a/docs/extend/protocol-testing.md b/docs/extend/protocol-testing.md
new file mode 100644
index 000000000000..9b48102bf0e0
--- /dev/null
+++ b/docs/extend/protocol-testing.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/protocol-testing.html
+---
+
+# Testing [protocol-testing]
+
+We are working on updating this section.
+
diff --git a/docs/extend/python-beats.md b/docs/extend/python-beats.md
new file mode 100644
index 000000000000..b04754cc8dcb
--- /dev/null
+++ b/docs/extend/python-beats.md
@@ -0,0 +1,68 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/python-beats.html
+---
+
+# Python in Beats [python-beats]
+
+Python is used for Beats development, it is the language used to implement system tests and some other tools. Python dependencies are managed by the use of virtual environments, supported by [venv](https://docs.python.org/3/library/venv.html).
+
+Beats development requires Python >= 3.7.
+
+## Installing Python and venv [installing-python]
+
+Python uses to be installed in many operating systems. If it is not installed in your system you can follow the instructions available in [https://www.python.org/downloads/](https://www.python.org/downloads/)
+
+In Ubuntu/Debian systems, Python 3 can be installed with:
+
+```sh
+sudo apt-get install python3 python3-venv
+```
+
+There are packages for specific minor versions, so for example if Python 3.7 wants to be used, it can be installed with the following command:
+
+```sh
+sudo apt-get install python3.7 python3.7-venv
+```
+
+It is recommended to use Python >= 3.7.
+
+
+## Working with virtual environments [python-virtual-environments]
+
+All `make` and `mage` targets manage their own virtual environments in a transparent way, so for the most common operations required when contributing to beats, nothing special needs to be done.
+
+Virtual environments used by `make` can be found in most Beats directories under `build/python-env`, they are created by targets that need it, or can be explicitly created by running `make python-env`. The ones used by `mage` are created when required under `build/ve`.
+
+There are some environment variables that can be used to customize the creation of these virtual environments:
+
+* `PYTHON_EXE`: Python executable to be used in the virtual environment. It has to exist in the path.
+* `PYTHON_ENV`: Path to the virtual environment to use. If it doesn’t exist, it is created by `make` or `mage` targets when needed.
+
+Virtual environments can also be used without `make` or `mage`, this is usual for example when running individual system tests with `pytest`. There are two ways to run commands from the virtual environment:
+
+* "Activating" the virtual environment in your current terminal running `source ./build/python-env/bin/activate`. Virtual environment can be deactivated by running `deactivate`.
+* Directly running commands from the virtual environment path. For example `pytest` can be executed as `./build/python-env/bin/pytest`.
+
+To recreate a virtual environment, remove its directory. All virtual environments are also removed with `make clean`.
+
+
+## Working with older versions [python-older-versions]
+
+Older versions of Beats were not compatible with Python 3, if you need to temporary work on one of these versions of Beats, and you don’t want to remove your current virtual environments, you can use environment variables to run commands in a temporary virtual environment.
+
+For example you can run `make update` with Python 2.7 with the following command:
+
+```sh
+PYTHON_EXE=python2.7 PYTHON_ENV=/tmp/venv2 make update
+```
+
+If you need to run tests you can also create a virtual environment and then activate it to run commands from there:
+
+```sh
+PYTHON_EXE=python2.7 PYTHON_ENV=/tmp/venv2 make python-env
+source /tmp/venv2/bin/activate
+...
+```
+
+
diff --git a/docs/extend/share-beat-dashboards.md b/docs/extend/share-beat-dashboards.md
new file mode 100644
index 000000000000..782cb21a22c3
--- /dev/null
+++ b/docs/extend/share-beat-dashboards.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/share-beat-dashboards.html
+---
+
+# Sharing Your Beat Dashboards [share-beat-dashboards]
+
+When you’re done with your own Beat dashboards, how about letting everyone know? You can create a topic on the [Beats forum](https://discuss.elastic.co/c/beats), and provide the link to the zip archive together with a short description.
+
diff --git a/docs/extend/testing.md b/docs/extend/testing.md
new file mode 100644
index 000000000000..ed288f78f817
--- /dev/null
+++ b/docs/extend/testing.md
@@ -0,0 +1,118 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/devguide/current/testing.html
+---
+
+# Testing [testing]
+
+Beats has a various sets of tests. This guide should help to understand how the different test suites work, how they are used and new tests are added.
+
+In general there are two major test suites:
+
+* Tests written in Go
+* Tests written in Python
+
+The tests written in Go use the [Go Testing package](https://golang.org/pkg/testing/). The tests written in Python depend on [pytest](https://docs.pytest.org/en/latest/) and require a compiled and executable binary from the Go code. The python test run a beat with a specific config and params and either check if the output is as expected or if the correct things show up in the logs.
+
+For both of the above test suites so called integration tests exists. Integration tests in Beats are tests which require an external system like Elasticsearch to test if the integration with this service works as expected. Beats provides in its testsuite docker containers and docker-compose files to start these environments but a developer can run the required services also locally.
+
+## Running Go Tests [_running_go_tests]
+
+The Go tests can be executed in each Go package by running `go test .`. This will execute all tests which don’t don’t require an external service to be running. To run all non integration tests for a beat run `mage unitTest`.
+
+All Go tests are in the same package as the tested code itself and have the suffix `_test` in the file name. Most of the tests are in the same package as the rest of the code. Some of the tests which should be separate from the rest of the code or should not use private variables go under `{{packagename}}_test`.
+
+### Running Go Integration Tests [_running_go_integration_tests]
+
+Integration tests are labelled with the `//go:build integration` build tag and use the `_integration_test.go` suffix.
+
+To run the integration tests use the `mage goIntegTest` target, which will start the required services using [docker-compose](https://docs.docker.com/compose/) and run all integration tests.
+
+It is also possible to run module specific integration tests. For example, to run kafka only tests use `MODULE=kafka mage integTest -v`
+
+It is possible to start the `docker-compose` services manually to allow selecting which specific tests should be run. An example follows for filebeat:
+
+```bash
+cd filebeat
+# Pull and build the containers. Only needs to be done once unless you change the containers.
+mage docker:composeBuild
+# Bring up all containers, wait until they are healthy, and put them in the background.
+mage docker:composeUp
+# Run all integration tests.
+go test ./filebeat/...  -tags integration
+# Stop all started containers.
+mage docker:composeDown
+```
+
+
+### Generate sample events [_generate_sample_events]
+
+Go tests support generating sample events to be used as fixtures.
+
+This generation can be perfomed running `go test --data`. This functionality is supported by packetbeat and Metricbeat.
+
+In Metricbeat, run the command from within a module like this: `go test --tags integration,azure --data --run "TestData"`. Make sure to add the relevant tags (`integration` is common then add module and metricset specific tags).
+
+A note about tags: the `--data` flag is a custom flag added by Metricbeat and Packetbeat frameworks. It will not be present in case tags do not match, as the relevant code will not be run and silently skipped (without the tag the test file is ignored by Go compiler so the framework doesn’t load). This may happen if there are different tags in the build tags of the metricset under test (i.e. the GCP billing metricset requires the `billing` tag too).
+
+
+
+## Running System (integration) Tests (Python and Go) [_running_system_integration_tests_python_and_go]
+
+The system tests are defined in the `tests/system` (for legacy Python test) and on `tests/integration` (for Go tests) directory. They require a testing binary to be available and the python environment to be set up.
+
+To create the testing binary run `mage buildSystemTestBinary`. This will create the test binary in the beat directory. To set up the Python testing environment run `mage pythonVirtualEnv` which will create a virtual environment with all test dependencies and print its location. To activate it, the instructions depend on your operating system. See the [virtualenv documentation](https://packaging.python.org/en/latest/guides/installing-using-pip-and-virtual-environments/#activating-a-virtual-environment).
+
+To run the system and integration tests use the `mage pythonIntegTest` target, which will start the required services using [docker-compose](https://docs.docker.com/compose/) and run all integration tests. Similar to Go integration tests, the individual steps can be done manually to allow selecting which tests should be run:
+
+```bash
+# Create and activate the system test virtual environment (assumes a Unix system).
+source $(mage pythonVirtualEnv)/bin/activate
+
+# Pull and build the containers. Only needs to be done once unless you change the containers.
+mage docker:composeBuild
+
+# Bring up all containers, wait until they are healthy, and put them in the background.
+mage docker:composeUp
+
+# Run all system and integration tests.
+INTEGRATION_TESTS=1 pytest ./tests/system
+
+# Stop all started containers.
+mage docker:composeDown
+```
+
+Filebeat’s module python tests have additional documentation found in the [Filebeat module](/extend/filebeat-modules-devguide.md) guide.
+
+
+## Test commands [_test_commands]
+
+To list all mage commands run `mage -l`. A quick summary of the available test Make commands is:
+
+* `unit`: Go tests
+* `unit-tests`: Go tests with coverage reports
+* `integration-tests`: Go tests with services in local docker
+* `integration-tests-environment`: Go tests inside docker with service in docker
+* `fast-system-tests`: Python tests
+* `system-tests`: Python tests with coverage report
+* `INTEGRATION_TESTS=1 system-tests`: Python tests with local services
+* `system-tests-environment`: Python tests inside docker with service in docker
+* `testsuite`: Complete test suite in docker environment is run
+* `test`: Runs testsuite without environment
+
+There are two experimental test commands:
+
+* `benchmark-tests`: Running Go tests with `-bench` flag
+* `load-tests`: Running system tests with `LOAD_TESTS=1` flag
+
+
+## Coverage report [_coverage_report]
+
+If the tests were run to create a test coverage, the coverage report files can be found under `build/docs`. To create a more human readable file out of the `.cov` file `make coverage-report` can be used. It creates a `.html` file for each report and a `full.html` as summary of all reports together in the directory `build/coverage`.
+
+
+## Race detection [_race_detection]
+
+All tests can be run with the Go race detector enabled by setting the environment variable `RACE_DETECTOR=1`. This applies to tests in Go and Python. For Python the test binary has to be recompile when the flag is changed. Having the race detection enabled will slow down the tests.
+
+
diff --git a/docs/extend/toc.yml b/docs/extend/toc.yml
new file mode 100644
index 000000000000..1774ca5cf8da
--- /dev/null
+++ b/docs/extend/toc.yml
@@ -0,0 +1,32 @@
+toc:
+  - file: index.md
+  - file: pr-review.md
+  - file: contributing-docs.md
+  - file: testing.md
+  - file: community-beats.md
+    children:
+      - file: event-fields-yml.md
+      - file: event-conventions.md
+      - file: python-beats.md
+  - file: new-dashboards.md
+    children:
+      - file: import-dashboards.md
+      - file: build-dashboards.md
+      - file: generate-index-pattern.md
+      - file: export-dashboards.md
+      - file: archive-dashboards.md
+      - file: share-beat-dashboards.md
+  - file: new-protocol.md
+    children:
+      - file: getting-ready-new-protocol.md
+      - file: protocol-modules.md
+      - file: protocol-testing.md
+  - file: metricbeat-developer-guide.md
+    children:
+      - file: metricbeat-dev-overview.md
+      - file: creating-metricsets.md
+      - file: metricset-details.md
+      - file: creating-metricbeat-module.md
+      - file: dev-faq.md
+  - file: filebeat-modules-devguide.md
+  - file: _migrating_dashboards_from_kibana_5_x_to_6_x.md
diff --git a/docs/reference/auditbeat/add-cloud-metadata.md b/docs/reference/auditbeat/add-cloud-metadata.md
new file mode 100644
index 000000000000..32b1a459cb05
--- /dev/null
+++ b/docs/reference/auditbeat/add-cloud-metadata.md
@@ -0,0 +1,205 @@
+---
+navigation_title: "add_cloud_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/add-cloud-metadata.html
+---
+
+# Add cloud metadata [add-cloud-metadata]
+
+
+The `add_cloud_metadata` processor enriches each event with instance metadata from the machine’s hosting provider. At startup it will query a list of hosting providers and cache the instance metadata.
+
+The following cloud providers are supported:
+
+* Amazon Web Services (AWS)
+* Digital Ocean
+* Google Compute Engine (GCE)
+* [Tencent Cloud](https://www.qcloud.com/?lang=en) (QCloud)
+* Alibaba Cloud (ECS)
+* Huawei Cloud (ECS)
+* Azure Virtual Machine
+* Openstack Nova
+* Hetzner Cloud
+
+
+## Special notes [_special_notes]
+
+`huawei` is an alias for `openstack`. Huawei cloud runs on OpenStack platform, and when viewed from a metadata API standpoint, it is impossible to differentiate it from OpenStack. If you know that your deployments run on Huawei Cloud exclusively, and you wish to have `cloud.provider` value as `huawei`, you can achieve this by overwriting the value using an `add_fields` processor.
+
+The Alibaba Cloud and Tencent cloud providers are disabled by default, because they require to access a remote host. The `providers` setting allows users to select a list of default providers to query.
+
+Cloud providers tend to maintain metadata services compliant with other cloud providers. For example, Openstack supports [EC2 compliant metadat service](https://docs.openstack.org/nova/latest/user/metadata.html#ec2-compatible-metadata). This makes it impossible to differentiate cloud provider (`cloud.provider` property) with auto discovery (when `providers` configuration is omitted). The processor implementation incorporates a priority mechanism where priority is given to some providers over others when there are multiple successful metadata results. Currently, `aws/ec2` and `azure` have priority over any other provider as their metadata retrival rely on SDKs. The expectation here is that SDK methods should fail if run in an environment not configured accordingly (ex:- missing configurations or credentials).
+
+
+## Configurations [_configurations]
+
+The simple configuration below enables the processor.
+
+```yaml
+processors:
+  - add_cloud_metadata: ~
+```
+
+The `add_cloud_metadata` processor has three optional configuration settings. The first one is `timeout` which specifies the maximum amount of time to wait for a successful response when detecting the hosting provider. The default timeout value is `3s`.
+
+If a timeout occurs then no instance metadata will be added to the events. This makes it possible to enable this processor for all your deployments (in the cloud or on-premise).
+
+The second optional setting is `providers`. The `providers` settings accepts a list of cloud provider names to be used. If `providers` is not configured, then all providers that do not access a remote endpoint are enabled by default. The list of providers may alternatively be configured with the environment variable `BEATS_ADD_CLOUD_METADATA_PROVIDERS`, by setting it to a comma-separated list of provider names.
+
+List of names the `providers` setting supports:
+
+* "alibaba", or "ecs" for the Alibaba Cloud provider (disabled by default).
+* "azure" for Azure Virtual Machine (enabled by default). If the virtual machine is part of an AKS managed cluster, the fields `orchestrator.cluster.name` and `orchestrator.cluster.id` can also be retrieved. "TENANT_ID", "CLIENT_ID" and "CLIENT_SECRET" environment variables need to be set for authentication purposes. If not set we fallback to [DefaultAzureCredential](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication?tabs=bash#2-authenticate-with-azure) and user can choose different authentication methods (e.g. workload identity).
+* "digitalocean" for Digital Ocean (enabled by default).
+* "aws", or "ec2" for Amazon Web Services (enabled by default).
+* "gcp" for Google Copmute Enging (enabled by default).
+* "openstack", "nova", or "huawei" for Openstack Nova (enabled by default).
+* "openstack-ssl", or "nova-ssl" for Openstack Nova when SSL metadata APIs are enabled (enabled by default).
+* "tencent", or "qcloud" for Tencent Cloud (disabled by default).
+* "hetzner" for Hetzner Cloud (enabled by default).
+
+For example, configuration below only utilize `aws` metadata retrival mechanism,
+
+```yaml
+processors:
+  - add_cloud_metadata:
+      providers:
+        aws
+```
+
+The third optional configuration setting is `overwrite`. When `overwrite` is `true`, `add_cloud_metadata` overwrites existing `cloud.*` fields (`false` by default).
+
+The `add_cloud_metadata` processor supports SSL options to configure the http client used to query cloud metadata. See [SSL](/reference/auditbeat/configuration-ssl.md) for more information.
+
+
+## Provided metadata [_provided_metadata]
+
+The metadata that is added to events varies by hosting provider. Below are examples for each of the supported providers.
+
+*AWS*
+
+Metadata given below are extracted from [instance identity document](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html),
+
+```json
+{
+  "cloud": {
+    "account.id": "123456789012",
+    "availability_zone": "us-east-1c",
+    "instance.id": "i-4e123456",
+    "machine.type": "t2.medium",
+    "image.id": "ami-abcd1234",
+    "provider": "aws",
+    "region": "us-east-1"
+  }
+}
+```
+
+If the EC2 instance has IMDS enabled and if tags are allowed through IMDS endpoint, the processor will further append tags in metadata. Please refer official documentation on [IMDS endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) for further details.
+
+```json
+{
+  "aws": {
+    "tags": {
+      "org" : "myOrg",
+      "owner": "userID"
+    }
+  }
+}
+```
+
+*Digital Ocean*
+
+```json
+{
+  "cloud": {
+    "instance.id": "1234567",
+    "provider": "digitalocean",
+    "region": "nyc2"
+  }
+}
+```
+
+*GCP*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "us-east1-b",
+    "instance.id": "1234556778987654321",
+    "machine.type": "f1-micro",
+    "project.id": "my-dev",
+    "provider": "gcp"
+  }
+}
+```
+
+*Tencent Cloud*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "gz-azone2",
+    "instance.id": "ins-qcloudv5",
+    "provider": "qcloud",
+    "region": "china-south-gz"
+  }
+}
+```
+
+*Alibaba Cloud*
+
+This metadata is only available when VPC is selected as the network type of the ECS instance.
+
+```json
+{
+  "cloud": {
+    "availability_zone": "cn-shenzhen",
+    "instance.id": "i-wz9g2hqiikg0aliyun2b",
+    "provider": "ecs",
+    "region": "cn-shenzhen-a"
+  }
+}
+```
+
+*Azure Virtual Machine*
+
+```json
+{
+  "cloud": {
+    "provider": "azure",
+    "instance.id": "04ab04c3-63de-4709-a9f9-9ab8c0411d5e",
+    "instance.name": "test-az-vm",
+    "machine.type": "Standard_D3_v2",
+    "region": "eastus2"
+  }
+}
+```
+
+*Openstack Nova*
+
+```json
+{
+  "cloud": {
+    "instance.name": "test-998d932195.mycloud.tld",
+    "instance.id": "i-00011a84",
+    "availability_zone": "xxxx-az-c",
+    "provider": "openstack",
+    "machine.type": "m2.large"
+  }
+}
+```
+
+*Hetzner Cloud*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "hel1-dc2",
+    "instance.name": "my-hetzner-instance",
+    "instance.id": "111111",
+    "provider": "hetzner",
+    "region": "eu-central"
+  }
+}
+```
+
diff --git a/docs/reference/auditbeat/add-cloudfoundry-metadata.md b/docs/reference/auditbeat/add-cloudfoundry-metadata.md
new file mode 100644
index 000000000000..92dd2afbdc54
--- /dev/null
+++ b/docs/reference/auditbeat/add-cloudfoundry-metadata.md
@@ -0,0 +1,70 @@
+---
+navigation_title: "add_cloudfoundry_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/add-cloudfoundry-metadata.html
+---
+
+# Add Cloud Foundry metadata [add-cloudfoundry-metadata]
+
+
+The `add_cloudfoundry_metadata` processor annotates each event with relevant metadata from Cloud Foundry applications. The events are annotated with Cloud Foundry metadata, only if the event contains a reference to a Cloud Foundry application (using field `cloudfoundry.app.id`) and the configured Cloud Foundry client is able to retrieve information for the application.
+
+Each event is annotated with:
+
+* Application Name
+* Space ID
+* Space Name
+* Organization ID
+* Organization Name
+
+::::{note}
+Pivotal Application Service and Tanzu Application Service include this metadata in all events from the firehose since version 2.8. In these cases the metadata in the events is used, and `add_cloudfoundry_metadata` processor doesn’t modify these fields.
+::::
+
+
+For efficient annotation, application metadata retrieved by the Cloud Foundry client is stored in a persistent cache on the filesystem under the `path.data` directory. This is done so the metadata can persist across restarts of Auditbeat. For control over this cache, use the `cache_duration` and `cache_retry_delay` settings.
+
+```yaml
+processors:
+  - add_cloudfoundry_metadata:
+      api_address: https://api.dev.cfdev.sh
+      client_id: uaa-filebeat
+      client_secret: verysecret
+      ssl:
+        verification_mode: none
+      # To connect to Cloud Foundry over verified TLS you can specify a client and CA certificate.
+      #ssl:
+      #  certificate_authorities: ["/etc/pki/cf/ca.pem"]
+      #  certificate:              "/etc/pki/cf/cert.pem"
+      #  key:                      "/etc/pki/cf/cert.key"
+```
+
+It has the following settings:
+
+`api_address`
+:   (Optional) The URL of the Cloud Foundry API. It uses `http://api.bosh-lite.com` by default.
+
+`doppler_address`
+:   (Optional) The URL of the Cloud Foundry Doppler Websocket. It uses value from ${api_address}/v2/info by default.
+
+`uaa_address`
+:   (Optional) The URL of the Cloud Foundry UAA API. It uses value from ${api_address}/v2/info by default.
+
+`rlp_address`
+:   (Optional) The URL of the Cloud Foundry RLP Gateway. It uses value from ${api_address}/v2/info by default.
+
+`client_id`
+:   Client ID to authenticate with Cloud Foundry.
+
+`client_secret`
+:   Client Secret to authenticate with Cloud Foundry.
+
+`cache_duration`
+:   (Optional) Maximum amount of time to cache an application’s metadata. Defaults to 120 seconds.
+
+`cache_retry_delay`
+:   (Optional) Time to wait before trying to obtain an application’s metadata again in case of error. Defaults to 20 seconds.
+
+`ssl`
+:   (Optional) SSL configuration to use when connecting to Cloud Foundry.
+
diff --git a/docs/reference/auditbeat/add-docker-metadata.md b/docs/reference/auditbeat/add-docker-metadata.md
new file mode 100644
index 000000000000..fe9b442b5765
--- /dev/null
+++ b/docs/reference/auditbeat/add-docker-metadata.md
@@ -0,0 +1,80 @@
+---
+navigation_title: "add_docker_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/add-docker-metadata.html
+---
+
+# Add Docker metadata [add-docker-metadata]
+
+
+The `add_docker_metadata` processor annotates each event with relevant metadata from Docker containers. At startup it detects a docker environment and caches the metadata. The events are annotated with Docker metadata, only if a valid configuration is detected and the processor is able to reach Docker API.
+
+Each event is annotated with:
+
+* Container ID
+* Name
+* Image
+* Labels
+
+::::{note}
+When running Auditbeat in a container, you need to provide access to Docker’s unix socket in order for the `add_docker_metadata` processor to work. You can do this by mounting the socket inside the container. For example:
+
+`docker run -v /var/run/docker.sock:/var/run/docker.sock ...`
+
+To avoid privilege issues, you may also need to add `--user=root` to the `docker run` flags. Because the user must be part of the docker group in order to access `/var/run/docker.sock`, root access is required if Auditbeat is running as non-root inside the container.
+
+If Docker daemon is restarted the mounted socket will become invalid and metadata will stop working, in these situations there are two options:
+
+* Restart Auditbeat every time Docker is restarted
+* Mount the entire `/var/run` directory (instead of just the socket)
+
+::::
+
+
+```yaml
+processors:
+  - add_docker_metadata:
+      host: "unix:///var/run/docker.sock"
+      #match_fields: ["system.process.cgroup.id"]
+      #match_pids: ["process.pid", "process.parent.pid"]
+      #match_source: true
+      #match_source_index: 4
+      #match_short_id: true
+      #cleanup_timeout: 60
+      #labels.dedot: false
+      # To connect to Docker over TLS you must specify a client and CA certificate.
+      #ssl:
+      #  certificate_authority: "/etc/pki/root/ca.pem"
+      #  certificate:           "/etc/pki/client/cert.pem"
+      #  key:                   "/etc/pki/client/cert.key"
+```
+
+It has the following settings:
+
+`host`
+:   (Optional) Docker socket (UNIX or TCP socket). It uses `unix:///var/run/docker.sock` by default.
+
+`ssl`
+:   (Optional) SSL configuration to use when connecting to the Docker socket.
+
+`match_fields`
+:   (Optional) A list of fields to match a container ID, at least one of them should hold a container ID to get the event enriched.
+
+`match_pids`
+:   (Optional) A list of fields that contain process IDs. If the process is running in Docker then the event will be enriched. The default value is `["process.pid", "process.parent.pid"]`.
+
+`match_source`
+:   (Optional) Match container ID from a log path present in the `log.file.path` field. Enabled by default.
+
+`match_short_id`
+:   (Optional) Match container short ID from a log path present in the `log.file.path` field. Disabled by default. This allows to match directories names that have the first 12 characters of the container ID. For example, `/var/log/containers/b7e3460e2b21/*.log`.
+
+`match_source_index`
+:   (Optional) Index in the source path split by `/` to look for container ID. It defaults to 4 to match `/var/lib/docker/containers/<container_id>/*.log`
+
+`cleanup_timeout`
+:   (Optional) Time of inactivity to consider we can clean and forget metadata for a container, 60s by default.
+
+`labels.dedot`
+:   (Optional) Default to be false. If set to true, replace dots in labels with `_`.
+
diff --git a/docs/reference/auditbeat/add-fields.md b/docs/reference/auditbeat/add-fields.md
new file mode 100644
index 000000000000..7430ad82e2ef
--- /dev/null
+++ b/docs/reference/auditbeat/add-fields.md
@@ -0,0 +1,51 @@
+---
+navigation_title: "add_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/add-fields.html
+---
+
+# Add fields [add-fields]
+
+
+The `add_fields` processor adds additional fields to the event.  Fields can be scalar values, arrays, dictionaries, or any nested combination of these. The `add_fields` processor will overwrite the target field if it already exists. By default the fields that you specify will be grouped under the `fields` sub-dictionary in the event. To group the fields under a different sub-dictionary, use the `target` setting. To store the fields as top-level fields, set `target: ''`.
+
+`target`
+:   (Optional) Sub-dictionary to put all fields into. Defaults to `fields`. Setting this to `@metadata` will add values to the event metadata instead of fields.
+
+`fields`
+:   Fields to be added.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_fields:
+      target: project
+      fields:
+        name: myproject
+        id: '574734885120952459'
+```
+
+Adds these fields to any event:
+
+```json
+{
+  "project": {
+    "name": "myproject",
+    "id": "574734885120952459"
+  }
+}
+```
+
+This configuration will alter the event metadata:
+
+```yaml
+processors:
+  - add_fields:
+      target: '@metadata'
+      fields:
+        op_type: "index"
+```
+
+When the event is ingested (e.g. by Elastisearch) the document will have `op_type: "index"` set as a metadata field.
+
diff --git a/docs/reference/auditbeat/add-host-metadata.md b/docs/reference/auditbeat/add-host-metadata.md
new file mode 100644
index 000000000000..bad0295d7310
--- /dev/null
+++ b/docs/reference/auditbeat/add-host-metadata.md
@@ -0,0 +1,92 @@
+---
+navigation_title: "add_host_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/add-host-metadata.html
+---
+
+# Add Host metadata [add-host-metadata]
+
+
+```yaml
+processors:
+  - add_host_metadata:
+      cache.ttl: 5m
+      geo:
+        name: nyc-dc1-rack1
+        location: 40.7128, -74.0060
+        continent_name: North America
+        country_iso_code: US
+        region_name: New York
+        region_iso_code: NY
+        city_name: New York
+```
+
+It has the following settings:
+
+`netinfo.enabled`
+:   (Optional) Default true. Include IP addresses and MAC addresses as fields host.ip and host.mac
+
+`cache.ttl`
+:   (Optional) The processor uses an internal cache for the host metadata. This sets the cache expiration time. The default is 5m, negative values disable caching altogether.
+
+`geo.name`
+:   (Optional) User definable token to be used for identifying a discrete location. Frequently a datacenter, rack, or similar.
+
+`geo.location`
+:   (Optional) Longitude and latitude in comma separated format.
+
+`geo.continent_name`
+:   (Optional) Name of the continent.
+
+`geo.country_name`
+:   (Optional) Name of the country.
+
+`geo.region_name`
+:   (Optional) Name of the region.
+
+`geo.city_name`
+:   (Optional) Name of the city.
+
+`geo.country_iso_code`
+:   (Optional) ISO country code.
+
+`geo.region_iso_code`
+:   (Optional) ISO region code.
+
+`replace_fields`
+:   (Optional) Default true. If set to false, original host fields from the event will not be replaced by host fields from `add_host_metadata`.
+
+The `add_host_metadata` processor annotates each event with relevant metadata from the host machine. The fields added to the event look like the following:
+
+```json
+{
+   "host":{
+      "architecture":"x86_64",
+      "name":"example-host",
+      "id":"",
+      "os":{
+         "family":"darwin",
+         "type":"macos",
+         "build":"16G1212",
+         "platform":"darwin",
+         "version":"10.12.6",
+         "kernel":"16.7.0",
+         "name":"Mac OS X"
+      },
+      "ip": ["192.168.0.1", "10.0.0.1"],
+      "mac": ["00:25:96:12:34:56", "72:00:06:ff:79:f1"],
+      "geo": {
+          "continent_name": "North America",
+          "country_iso_code": "US",
+          "region_name": "New York",
+          "region_iso_code": "NY",
+          "city_name": "New York",
+          "name": "nyc-dc1-rack1",
+          "location": "40.7128, -74.0060"
+        }
+   }
+}
+```
+
+Note: `add_host_metadata` processor will overwrite host fields if `host.*` fields already exist in the event from Beats by default with `replace_fields` equals to `true`. Please use `add_observer_metadata` if the beat is being used to monitor external systems.
+
diff --git a/docs/reference/auditbeat/add-id.md b/docs/reference/auditbeat/add-id.md
new file mode 100644
index 000000000000..10e2f87ba69f
--- /dev/null
+++ b/docs/reference/auditbeat/add-id.md
@@ -0,0 +1,24 @@
+---
+navigation_title: "add_id"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/add-id.html
+---
+
+# Generate an ID for an event [add-id]
+
+
+The `add_id` processor generates a unique ID for an event.
+
+```yaml
+processors:
+  - add_id: ~
+```
+
+The following settings are supported:
+
+`target_field`
+:   (Optional) Field where the generated ID will be stored. Default is `@metadata._id`.
+
+`type`
+:   (Optional) Type of ID to generate. Currently only `elasticsearch` is supported and is the default. The `elasticsearch` type generates IDs using the same algorithm that Elasticsearch uses for auto-generating document IDs.
+
diff --git a/docs/reference/auditbeat/add-kubernetes-metadata.md b/docs/reference/auditbeat/add-kubernetes-metadata.md
new file mode 100644
index 000000000000..bbdc594cbef6
--- /dev/null
+++ b/docs/reference/auditbeat/add-kubernetes-metadata.md
@@ -0,0 +1,244 @@
+---
+navigation_title: "add_kubernetes_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/add-kubernetes-metadata.html
+---
+
+# Add Kubernetes metadata [add-kubernetes-metadata]
+
+
+The `add_kubernetes_metadata` processor annotates each event with relevant metadata based on which Kubernetes pod the event originated from. This processor only adds metadata to the events that do not have it yet present.
+
+At startup, it detects an `in_cluster` environment and caches the Kubernetes-related metadata. Events are only annotated if a valid configuration is detected. If it’s not able to detect a valid Kubernetes configuration, the events are not annotated with Kubernetes-related metadata.
+
+Each event is annotated with:
+
+* Pod Name
+* Pod UID
+* Namespace
+* Labels
+
+In addition, the node and namespace metadata are added to the pod metadata.
+
+The `add_kubernetes_metadata` processor has two basic building blocks:
+
+* Indexers
+* Matchers
+
+Indexers use pod metadata to create unique identifiers for each one of the pods. These identifiers help to correlate the metadata of the observed pods with actual events. For example, the `ip_port` indexer can take a Kubernetes pod and create identifiers for it based on all its `pod_ip:container_port` combinations.
+
+Matchers use information in events to construct lookup keys that match the identifiers created by the indexers. For example, when the `fields` matcher takes `["metricset.host"]` as a lookup field, it would construct a lookup key with the value of the field `metricset.host`. When one of these lookup keys matches with one of the identifiers, the event is enriched with the metadata of the identified pod.
+
+Each Beat can define its own default indexers and matchers which are enabled by default. For example, Filebeat enables the `container` indexer, which identifies pod metadata based on all container IDs, and a `logs_path` matcher, which takes the `log.file.path` field, extracts the container ID, and uses it to retrieve metadata.
+
+You can find more information about the available indexers and matchers, and some examples in [Indexers and matchers](#kubernetes-indexers-and-matchers).
+
+The configuration below enables the processor when auditbeat is run as a pod in Kubernetes.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      # Defining indexers and matchers manually is required for auditbeat, for instance:
+      #indexers:
+      #  - ip_port:
+      #matchers:
+      #  - fields:
+      #      lookup_fields: ["metricset.host"]
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The configuration below enables the processor on a Beat running as a process on the Kubernetes node.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      host: <hostname>
+      # If kube_config is not set, KUBECONFIG environment variable will be checked
+      # and if not present it will fall back to InCluster
+      kube_config: $Auditbeat Reference/.kube/config
+      # Defining indexers and matchers manually is required for auditbeat, for instance:
+      #indexers:
+      #  - ip_port:
+      #matchers:
+      #  - fields:
+      #      lookup_fields: ["metricset.host"]
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The configuration below has the default indexers and matchers disabled and enables ones that the user is interested in.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      host: <hostname>
+      # If kube_config is not set, KUBECONFIG environment variable will be checked
+      # and if not present it will fall back to InCluster
+      kube_config: ~/.kube/config
+      default_indexers.enabled: false
+      default_matchers.enabled: false
+      indexers:
+        - ip_port:
+      matchers:
+        - fields:
+            lookup_fields: ["metricset.host"]
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The `add_kubernetes_metadata` processor has the following configuration settings:
+
+`host`
+:   (Optional) Specify the node to scope auditbeat to in case it cannot be accurately detected, as when running auditbeat in host network mode.
+
+`scope`
+:   (Optional) Specify if the processor should have visibility at the node level or at the entire cluster level. Possible values are `node` and `cluster`. Scope is `node` by default.
+
+`namespace`
+:   (Optional) Select the namespace from which to collect the metadata. If it is not set, the processor collects metadata from all namespaces. It is unset by default.
+
+`add_resource_metadata`
+:   (Optional) Specify filters and configuration for the extra metadata, that will be added to the event. Configuration parameters:
+
+    * `node` or `namespace`: Specify labels and annotations filters for the extra metadata coming from node and namespace. By default all labels are included while annotations are not. To change default behaviour `include_labels`, `exclude_labels` and `include_annotations` can be defined. Those settings are useful when storing labels and annotations that require special handling to avoid overloading the storage output. Note: wildcards are not supported for those settings. The enrichment of `node` or `namespace` metadata can be individually disabled by setting `enabled: false`.
+    * `deployment`: If resource is `pod` and it is created from a `deployment`, by default the deployment name is added, this can be disabled by setting `deployment: false`.
+    * `cronjob`: If resource is `pod` and it is created from a `cronjob`, by default the cronjob name is added, this can be disabled by setting `cronjob: false`.
+
+        Example:
+
+
+```yaml
+      add_resource_metadata:
+        namespace:
+          include_labels: ["namespacelabel1"]
+          #labels.dedot: true
+          #annotations.dedot: true
+        node:
+          include_labels: ["nodelabel2"]
+          include_annotations: ["nodeannotation1"]
+          #labels.dedot: true
+          #annotations.dedot: true
+        deployment: false
+        cronjob: false
+```
+
+`kube_config`
+:   (Optional) Use given config file as configuration for Kubernetes client. It defaults to `KUBECONFIG` environment variable if present.
+
+`use_kubeadm`
+:   (Optional) Default true. By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+
+`kube_client_options`
+:   (Optional) Additional options can be configured for Kubernetes client. Currently client QPS and burst are supported, if not set Kubernetes client’s [default QPS and burst](https://pkg.go.dev/k8s.io/client-go/rest#pkg-constants) will be used. Example:
+
+```yaml
+      kube_client_options:
+        qps: 5
+        burst: 10
+```
+
+`cleanup_timeout`
+:   (Optional) Specify the time of inactivity before stopping the running configuration for a container. This is `60s` by default.
+
+`sync_period`
+:   (Optional) Specify the timeout for listing historical resources.
+
+`default_indexers.enabled`
+:   (Optional) Enable or disable default pod indexers when you want to specify your own.
+
+`default_matchers.enabled`
+:   (Optional) Enable or disable default pod matchers when you want to specify your own.
+
+`labels.dedot`
+:   (Optional) Default to be true. If set to true, then `.` in labels will be replaced with `_`.
+
+`annotations.dedot`
+:   (Optional) Default to be true. If set to true, then `.` in labels will be replaced with `_`.
+
+
+## Indexers and matchers [kubernetes-indexers-and-matchers]
+
+## Indexers [_indexers]
+
+Indexers use pods metadata to create unique identifiers for each one of the pods.
+
+Available indexers are:
+
+`container`
+:   Identifies the pod metadata using the IDs of its containers.
+
+`ip_port`
+:   Identifies the pod metadata using combinations of its IP and its exposed ports. When using this indexer metadata is identified using the IP of the pods, and the combination if `ip:port` for each one of the ports exposed by its containers.
+
+`pod_name`
+:   Identifies the pod metadata using its namespace and its name as `namespace/pod_name`.
+
+`pod_uid`
+:   Identifies the pod metadata using the UID of the pod.
+
+
+## Matchers [_matchers]
+
+Matchers are used to construct the lookup keys that match with the identifiers created by indexes.
+
+### `field_format` [_field_format]
+
+Looks up pod metadata using a key created with a string format that can include event fields.
+
+This matcher has an option `format` to define the string format. This string format can contain placeholders for any field in the event.
+
+For example, the following configuration uses the `ip_port` indexer to identify the pod metadata by combinations of the pod IP and its exposed ports, and uses the destination IP and port in events as match keys:
+
+```yaml
+processors:
+- add_kubernetes_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - ip_port:
+    matchers:
+      - field_format:
+          format: '%{[destination.ip]}:%{[destination.port]}'
+```
+
+
+### `fields` [_fields]
+
+Looks up pod metadata using as key the value of some specific fields. When multiple fields are defined, the first one included in the event is used.
+
+This matcher has an option `lookup_fields` to define the files whose value will be used for lookup.
+
+For example, the following configuration uses the `ip_port` indexer to identify pods, and defines a matcher that uses the destination IP or the server IP for the lookup, the first it finds in the event:
+
+```yaml
+processors:
+- add_kubernetes_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - ip_port:
+    matchers:
+      - fields:
+          lookup_fields: ['destination.ip', 'server.ip']
+```
+
+It’s also possible to extract the matching key from fields using a regex pattern. The optional `regex_pattern` field can be used to set the pattern. The pattern **must** contain a capture group named `key`, whose value will be used as the matching key.
+
+For example, the following configuration uses the `container` indexer to identify containers by their id, and extracts the matching key from the cgroup id field added to system process metrics. This field has the form `cri-containerd-<id>.scope`, so we need a regex pattern to obtain the container id.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      indexers:
+        - container:
+      matchers:
+        - fields:
+            lookup_fields: ['system.process.cgroup.id']
+            regex_pattern: 'cri-containerd-(?P<key>[0-9a-z]+)\.scope'
+```
+
+
+
diff --git a/docs/reference/auditbeat/add-labels.md b/docs/reference/auditbeat/add-labels.md
new file mode 100644
index 000000000000..54494150390b
--- /dev/null
+++ b/docs/reference/auditbeat/add-labels.md
@@ -0,0 +1,45 @@
+---
+navigation_title: "add_labels"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/add-labels.html
+---
+
+# Add labels [add-labels]
+
+
+The `add_labels` processors adds a set of key-value pairs to an event. The processor will flatten nested configuration objects like arrays or dictionaries into a fully qualified name by merging nested names with a `.`. Array entries create numeric names starting with 0.  Labels are always stored under the Elastic Common Schema compliant `labels` sub-dictionary.
+
+`labels`
+:   dictionaries of labels to be added.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_labels:
+      labels:
+        number: 1
+        with.dots: test
+        nested:
+          with.dots: nested
+        array:
+          - do
+          - re
+          - with.field: mi
+```
+
+Adds these fields to every event:
+
+```json
+{
+  "labels": {
+    "number": 1,
+    "with.dots": "test",
+    "nested.with.dots": "nested",
+    "array.0": "do",
+    "array.1": "re",
+    "array.2.with.field": "mi"
+  }
+}
+```
+
diff --git a/docs/reference/auditbeat/add-locale.md b/docs/reference/auditbeat/add-locale.md
new file mode 100644
index 000000000000..a2c61f897003
--- /dev/null
+++ b/docs/reference/auditbeat/add-locale.md
@@ -0,0 +1,31 @@
+---
+navigation_title: "add_locale"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/add-locale.html
+---
+
+# Add the local time zone [add-locale]
+
+
+The `add_locale` processor enriches each event with the machine’s time zone offset from UTC or with the name of the time zone. It supports one configuration option named `format` that controls whether an offset or time zone abbreviation is added to the event. The default format is `offset`. The processor adds the a `event.timezone` value to each event.
+
+The configuration below enables the processor with the default settings.
+
+```yaml
+processors:
+  - add_locale: ~
+```
+
+This configuration enables the processor and configures it to add the time zone abbreviation to events.
+
+```yaml
+processors:
+  - add_locale:
+      format: abbreviation
+```
+
+::::{note}
+Please note that `add_locale` differentiates between daylight savings time (DST) and regular time. For example `CEST` indicates DST and and `CET` is regular time.
+::::
+
+
diff --git a/docs/reference/auditbeat/add-network-direction.md b/docs/reference/auditbeat/add-network-direction.md
new file mode 100644
index 000000000000..64b6a9d4614f
--- /dev/null
+++ b/docs/reference/auditbeat/add-network-direction.md
@@ -0,0 +1,22 @@
+---
+navigation_title: "add_network_direction"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/add-network-direction.html
+---
+
+# Add network direction [add-network-direction]
+
+
+The `add_network_direction` processor attempts to compute the perimeter-based network direction given an a source and destination ip address and list of internal networks. The key `internal_networks` can contain either CIDR blocks or a list of special values enumerated in the network section of [Conditions](/reference/auditbeat/defining-processors.md#conditions).
+
+```yaml
+processors:
+  - add_network_direction:
+      source: source.ip
+      destination: destination.ip
+      target: network.direction
+      internal_networks: [ private ]
+```
+
+See [Conditions](/reference/auditbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/auditbeat/add-nomad-metadata.md b/docs/reference/auditbeat/add-nomad-metadata.md
new file mode 100644
index 000000000000..cd1f670065fd
--- /dev/null
+++ b/docs/reference/auditbeat/add-nomad-metadata.md
@@ -0,0 +1,137 @@
+---
+navigation_title: "add_nomad_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/add-nomad-metadata.html
+---
+
+# Add Nomad metadata [add-nomad-metadata]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `add_nomad_metadata` processor adds fields with relevant metadata for applications deployed in Nomad.
+
+Each event is annotated with the following information:
+
+* Allocation name, identifier and status.
+* Job name and type.
+* Namespace where the job is deployed.
+* Datacenter and region where the agent running the allocation is located.
+
+```yaml
+processors:
+  - add_nomad_metadata: ~
+```
+
+It has the following settings to configure the connection:
+
+`address`
+:   (Optional) The URL of the agent API used to request the metadata. It uses `http://127.0.0.1:4646` by default.
+
+`namespace`
+:   (Optional) Namespace to watch. If set, only events for allocations in this namespace will be annotated.
+
+`region`
+:   (Optional) Region to watch. If set, only events for allocations in this region will be annotated.
+
+`secret_id`
+:   (Optional) SecretID to use when connecting with the agent API. This is an example ACL policy to apply to the token.
+
+```json
+namespace "*" {
+  policy = "read"
+}
+node {
+  policy = "read"
+}
+agent {
+  policy = "read"
+}
+```
+
+`refresh_interval`
+:   (Optional) Interval used to update the cached metadata. It defaults to 30 seconds.
+
+`cleanup_timeout`
+:   (Optional) After an allocation has been removed, time to wait before cleaning up their associated resources. This is useful if you expect to receive events after an allocation has been removed, which can happen when collecting logs. It defaults to 60 seconds.
+
+You can decide if Auditbeat should annotate events related to allocations in local node or on the whole cluster configuring the scope with the following settings:
+
+`scope`
+:   (Optional) Scope of the resources to watch. It can be `node` to get metadata only for the allocations in a single agent, or `global`, to get metadata for allocations running on any agent. It defaults to `node`.
+
+`node`
+:   (Optional) When using `scope: node`, use `node` to specify the name of the local node if it cannot be discovered automatically.
+
+For example the following configuration could be used if Auditbeat is collecting events from all the allocations in the cluster:
+
+```yaml
+processors:
+  - add_nomad_metadata:
+      scope: global
+```
+
+## Indexers and matchers [_indexers_and_matchers]
+
+Indexers and matchers are used to correlate fields in events with actual metadata. Auditbeat uses this information to know what metadata to include in each event.
+
+### Indexers [_indexers_2]
+
+Indexers use allocation metadata to create unique identifiers for each one of the pods.
+
+Avaliable indexers are: `allocation_name`:: Identifies allocations by its name and namespace (as `<namespace>/<name>`) `allocation_uuid`:: Identifies allocations by its unique identifier.
+
+
+### Matchers [_matchers_2]
+
+Matchers are used to construct the lookup keys that match with the identifiers created by indexes.
+
+
+### `field_format` [_field_format_2]
+
+Looks up allocation metadata using a key created with a string format that can include event fields.
+
+This matcher has an option `format` to define the string format. This string format can contain placeholders for any field in the event.
+
+For example, the following configuration uses the `allocation_name` indexer to identify the allocation metadata by its name and namespace, and uses custom fields existing in the event as match keys:
+
+```yaml
+processors:
+- add_nomad_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - allocation_name:
+    matchers:
+      - field_format:
+          format: '%{[labels.nomad_namespace]}/%{[fields.nomad_alloc_name]}'
+```
+
+
+### `fields` [_fields_2]
+
+Looks up allocation metadata using as key the value of some specific fields. When multiple fields are defined, the first one included in the event is used.
+
+This matcher has an option `lookup_fields` to define the fields whose value will be used for lookup.
+
+For example, the following configuration uses the `allocation_uuid` indexer to identify allocations, and defines a matcher that uses some fields where the allocation UUID can be found for lookup, the first it finds in the event:
+
+```yaml
+processors:
+- add_nomad_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - allocation_uuid:
+    matchers:
+      - fields:
+          lookup_fields: ['host.name', 'fields.nomad_alloc_uuid']
+```
+
+
+
diff --git a/docs/reference/auditbeat/add-observer-metadata.md b/docs/reference/auditbeat/add-observer-metadata.md
new file mode 100644
index 000000000000..68ea963b0359
--- /dev/null
+++ b/docs/reference/auditbeat/add-observer-metadata.md
@@ -0,0 +1,88 @@
+---
+navigation_title: "add_observer_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/add-observer-metadata.html
+---
+
+# Add Observer metadata [add-observer-metadata]
+
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+```yaml
+processors:
+  - add_observer_metadata:
+      cache.ttl: 5m
+      geo:
+        name: nyc-dc1-rack1
+        location: 40.7128, -74.0060
+        continent_name: North America
+        country_iso_code: US
+        region_name: New York
+        region_iso_code: NY
+        city_name: New York
+```
+
+It has the following settings:
+
+`netinfo.enabled`
+:   (Optional) Default true. Include IP addresses and MAC addresses as fields observer.ip and observer.mac
+
+`cache.ttl`
+:   (Optional) The processor uses an internal cache for the observer metadata. This sets the cache expiration time. The default is 5m, negative values disable caching altogether.
+
+`geo.name`
+:   (Optional) User definable token to be used for identifying a discrete location. Frequently a datacenter, rack, or similar.
+
+`geo.location`
+:   (Optional) Longitude and latitude in comma separated format.
+
+`geo.continent_name`
+:   (Optional) Name of the continent.
+
+`geo.country_name`
+:   (Optional) Name of the country.
+
+`geo.region_name`
+:   (Optional) Name of the region.
+
+`geo.city_name`
+:   (Optional) Name of the city.
+
+`geo.country_iso_code`
+:   (Optional) ISO country code.
+
+`geo.region_iso_code`
+:   (Optional) ISO region code.
+
+The `add_observer_metadata` processor annotates each event with relevant metadata from the observer machine. The fields added to the event look like the following:
+
+```json
+{
+  "observer" : {
+    "hostname" : "avce",
+    "type" : "heartbeat",
+    "vendor" : "elastic",
+    "ip" : [
+      "192.168.1.251",
+      "fe80::64b2:c3ff:fe5b:b974",
+    ],
+    "mac" : [
+      "dc:c1:02:6f:1b:ed",
+    ],
+    "geo": {
+      "continent_name": "North America",
+      "country_iso_code": "US",
+      "region_name": "New York",
+      "region_iso_code": "NY",
+      "city_name": "New York",
+      "name": "nyc-dc1-rack1",
+      "location": "40.7128, -74.0060"
+    }
+  }
+}
+```
+
diff --git a/docs/reference/auditbeat/add-process-metadata.md b/docs/reference/auditbeat/add-process-metadata.md
new file mode 100644
index 000000000000..c79193bfe66c
--- /dev/null
+++ b/docs/reference/auditbeat/add-process-metadata.md
@@ -0,0 +1,94 @@
+---
+navigation_title: "add_process_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/add-process-metadata.html
+---
+
+# Add process metadata [add-process-metadata]
+
+
+The `add_process_metadata` processor enriches events with information from running processes, identified by their process ID (PID).
+
+```yaml
+processors:
+  - add_process_metadata:
+      match_pids:
+        - process.pid
+```
+
+The fields added to the event look as follows:
+
+```json
+{
+  "container": {
+    "id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1"
+  },
+  "process": {
+    "args": [
+      "/usr/lib/systemd/systemd",
+      "--switched-root",
+      "--system",
+      "--deserialize",
+      "22"
+    ],
+    "executable": "/usr/lib/systemd/systemd",
+    "name": "systemd",
+    "owner": {
+      "id": "0",
+      "name": "root"
+    },
+    "parent": {
+      "pid": 0
+    },
+    "pid": 1,
+    "start_time": "2018-08-22T08:44:50.684Z",
+    "title": "/usr/lib/systemd/systemd --switched-root --system --deserialize 22"
+  }
+}
+```
+
+Optionally, the process environment can be included, too:
+
+```json
+  ...
+  "env": {
+    "HOME":       "/",
+    "TERM":       "linux",
+    "BOOT_IMAGE": "/boot/vmlinuz-4.11.8-300.fc26.x86_64",
+    "LANG":       "en_US.UTF-8",
+  }
+  ...
+```
+
+It has the following settings:
+
+`match_pids`
+:   List of fields to lookup for a PID. The processor will search the list sequentially until the field is found in the current event, and the PID lookup will be applied to the value of this field.
+
+`target`
+:   (Optional) Destination prefix where the `process` object will be created. The default is the event’s root.
+
+`include_fields`
+:   (Optional) List of fields to add. By default, the processor will add all the available fields except `process.env`.
+
+`ignore_missing`
+:   (Optional) When set to `false`, events that don’t contain any of the fields in match_pids will be discarded and an error will be generated. By default, this condition is ignored.
+
+`overwrite_keys`
+:   (Optional) By default, if a target field already exists, it will not be overwritten, and an error will be logged. If `overwrite_keys` is set to `true`, this condition will be ignored.
+
+`restricted_fields`
+:   (Optional) By default, the `process.env` field is not output, to avoid leaking sensitive data. If `restricted_fields` is `true`, the field will be present in the output.
+
+`host_path`
+:   (Optional) By default, the `host_path` field is set to the root directory of the host `/`. This is the path where `/proc` is mounted. For different runtime configurations of Kubernetes or Docker, the `host_path` can be set to overwrite the default.
+
+`cgroup_prefixes`
+:   (Optional) List of prefixes that will be matched against cgroup paths. When a cgroup path begins with a prefix in the list, then the last element of the path is returned as the container ID. Only one of `cgroup_prefixes` and `cgroup_rexex` should be configured. If neither are configured then a default `cgroup_regex` value is used that matches cgroup paths containing 64-character container IDs (like those from Docker, Kubernetes, and Podman).
+
+`cgroup_regex`
+:   (Optional) A regular expression that will be matched against cgroup paths. It must contain one capturing group. When a cgroup path matches the regular expression then the value of the capturing group is returned as the container ID.  Only one of `cgroup_prefixes` and `cgroup_rexex` should be configured. If neither are configured then a default `cgroup_regex` value is used that matches cgroup paths containing 64-character container IDs (like those from Docker, Kubernetes, and Podman).
+
+`cgroup_cache_expire_time`
+:   (Optional) By default, the `cgroup_cache_expire_time` is set to 30 seconds. This is the length of time before cgroup cache elements expire in seconds. It can be set to 0 to disable the cgroup cache. In some container runtimes technology like runc, the container’s process is also process in the host kernel, and will be affected by PID rollover/reuse. The expire time needs to set smaller than the PIDs wrap around time to avoid wrong container id.
+
diff --git a/docs/reference/auditbeat/add-session-metadata.md b/docs/reference/auditbeat/add-session-metadata.md
new file mode 100644
index 000000000000..771521fcc5b7
--- /dev/null
+++ b/docs/reference/auditbeat/add-session-metadata.md
@@ -0,0 +1,89 @@
+---
+navigation_title: "add_session_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/add-session-metadata.html
+---
+
+# Add session metadata [add-session-metadata]
+
+
+The `add_session_metadata` processor enriches process events with additional information that users can see using the [Session View](docs-content://solutions/security/investigate/session-view.md) tool in the {{elastic-sec}} platform.
+
+::::{note}
+The current release of `add_session_metadata` processor for {{auditbeat}} is limited to virtual machines (VMs) and bare metal environments.
+::::
+
+
+Here’s an example using the `add_session_metadata` processor to enhance process events generated by the `auditd` module of {{auditbeat}}.
+
+```yaml
+auditbeat.modules:
+- module: auditd
+  processors:
+    - add_session_metadata:
+       backend: "auto"
+```
+
+## How the `add_session_metadata` processor works [add-session-metadata-explained]
+
+Using the available Linux kernel technology, the processor collects comprehensive information on all running system processes, compiling this data into a process database. When processing an event (such as those generated by the {{auditbeat}} `auditd` module), the processor queries this database to retrieve information about related processes, including the parent process, session leader, process group leader, and entry leader. It then enriches the original event with this metadata, providing a more complete picture of process relationships and system activities.
+
+This enhanced data enables the powerful [Session View](docs-content://solutions/security/investigate/session-view.md) tool in the {{elastic-sec}} platform, offering users deeper insights for analysis and investigation.
+
+### Backends [add-session-metadata-backends]
+
+The `add_session_metadata` processor operates using various backend options.
+
+* `auto` is the recommended setting. It attempts to use `kernel_tracing` first, falling back to `procfs` if necessary, ensuring compatibility even on systems without `kernel_tracing` support.
+* `kernel_tracing` gathers information about processes using either eBPF or kprobes. It will use eBPF if available, but if not, it will fall back to kprobes. eBPF requires a system with kernel support for eBPF enabled, support for eBPF ring buffer, and auditbeat running as superuser. Kprobe support requires Linux kernel 3.10.0 or above, and auditbeat running as a superuser.
+* `procfs` collects process information with the proc filesystem. This is compatible with older systems that may not support ebpf. To gather complete process info, auditbeat requires permissions to read all process data in procfs; for example, run as a superuser or have the `SYS_PTRACE` capability.
+
+
+### Containers [add-session-metadata-containers]
+
+If you are running {{auditbeat}} in a container, the container must run in the host’s PID namespace. With the `auto` or `kernel_tracing` backend, these host directories must also be mounted to the same path within the container: `/sys/kernel/debug`, `/sys/fs/bpf`.
+
+
+
+## Enable and configure Session View in {{auditbeat}} [add-session-metadata-enable]
+
+To configure and enable [Session View](docs-content://solutions/security/investigate/session-view.md) functionality, you’ll:
+
+* Add the `add_sessions_metadata` processor to your `auditbeat.yml` file.
+* Configure audit rules in your `auditbeat.yml` file.
+* Restart {{auditbeat}}.
+
+We’ll walk you through these steps in more detail.
+
+1. Edit your `auditbeat.yml` file and add this info to the modules configuration section:
+
+    ```yaml
+    auditbeat.modules:
+    - module: auditd
+      processors:
+        - add_session_metadata:
+           backend: "auto"
+    ```
+
+2. Add audit rules in the modules configuration section of `auditbeat.yml` or the `audit.rules.d` config file, depending on your configuration:
+
+    ```yaml
+    auditbeat.modules:
+    - module: auditd
+      audit_rules: |
+        ## executions
+        -a always,exit -F arch=b64 -S execve,execveat -k exec
+        -a always,exit -F arch=b64 -S exit_group
+        ## set_sid
+        -a always,exit -F arch=b64 -S setsid
+    ```
+
+3. Save your configuration changes.
+4. Restart {{auditbeat}}:
+
+    ```sh
+    sudo systemctl restart auditbeat
+    ```
+
+
+
diff --git a/docs/reference/auditbeat/add-tags.md b/docs/reference/auditbeat/add-tags.md
new file mode 100644
index 000000000000..91b45734da0b
--- /dev/null
+++ b/docs/reference/auditbeat/add-tags.md
@@ -0,0 +1,34 @@
+---
+navigation_title: "add_tags"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/add-tags.html
+---
+
+# Add tags [add-tags]
+
+
+The `add_tags` processor adds tags to a list of tags. If the target field already exists, the tags are appended to the existing list of tags.
+
+`tags`
+:   List of tags to add.
+
+`target`
+:   (Optional) Field the tags will be added to. Defaults to `tags`. Setting tags in `@metadata` is not supported.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_tags:
+      tags: [web, production]
+      target: "environment"
+```
+
+Adds the environment field to every event:
+
+```json
+{
+  "environment": ["web", "production"]
+}
+```
+
diff --git a/docs/reference/auditbeat/append.md b/docs/reference/auditbeat/append.md
new file mode 100644
index 000000000000..8ef7a1c1f7f2
--- /dev/null
+++ b/docs/reference/auditbeat/append.md
@@ -0,0 +1,73 @@
+---
+navigation_title: "append"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/append.html
+---
+
+# Append Processor [append]
+
+
+The `append` processor appends one or more values to an existing array if the target field already exists and it is an array. Converts a scaler to an array and appends one or more values to it if the field exists and it is a scaler. Here the values can either be one or more static values or one or more values from the fields listed under *fields* key.
+
+`target_field`
+:   The field in which you want to append the data.
+
+`fields`
+:   (Optional) List of fields from which you want to copy data from. If the value is of a concrete type it will be appended directly to the target. However, if the value is an array, all the elements of the array are pushed individually to the target field.
+
+`values`
+:   (Optional) List of static values you want to append to target field.
+
+`ignore_empty_values`
+:   (Optional) If set to `true`, all the `""` and `nil` are omitted from being appended to the target field.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error occurs, the changes are reverted and the original is returned. If set to `false`, processing continues if an error occurs. Default is `true`.
+
+`allow_duplicate`
+:   (Optional) If set to `false`, the processor does not append values already present in the field. The default is `true`, which will append duplicate values in the array.
+
+`ignore_missing`
+:   (Optional) Indicates whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+note: If you want to use `fields` parameter with fields under `message`, make sure you use `decode_json_fields` first with `target: ""`.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - decode_json_fields:
+      fields: message
+      target: ""
+  - append:
+      target_field: target-field
+      fields:
+        - concrete.field
+        - array.one
+      values:
+        - static-value
+        - ""
+      ignore_missing: true
+      fail_on_error: true
+      ignore_empty_values: true
+```
+
+Copies the values of `concrete.field`, `array.one` response fields and the static values to `target-field`:
+
+```json
+{
+  "concrete": {
+    "field": "val0"
+  },
+  "array": {
+      "one": [ "val1", "val2" ]
+  },
+  "target-field": [
+    "val0",
+    "val1",
+    "val2",
+    "static-value"
+  ]
+}
+```
+
diff --git a/docs/reference/auditbeat/auditbeat-configuration-reloading.md b/docs/reference/auditbeat/auditbeat-configuration-reloading.md
new file mode 100644
index 000000000000..4b7af2a8d589
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-configuration-reloading.md
@@ -0,0 +1,50 @@
+---
+navigation_title: "Config file reloading"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-configuration-reloading.html
+---
+
+# Reload the configuration dynamically [auditbeat-configuration-reloading]
+
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+You can configure Auditbeat to dynamically reload configuration files when there are changes. To do this, you specify a path ([glob](https://golang.org/pkg/path/filepath/#Glob)) to watch for module configuration changes. When the files found by the glob change, new modules are started/stopped according to changes in the configuration files.
+
+To enable dynamic config reloading, you specify the `path` and `reload` options in the main `auditbeat.yml` config file. For example:
+
+```sh
+auditbeat.config.modules:
+  path: ${path.config}/conf.d/*.yml
+  reload.enabled: true
+  reload.period: 10s
+```
+
+**`path`**
+:   A glob that defines the files to check for changes.
+
+**`reload.enabled`**
+:   When set to `true`, enables dynamic config reload.
+
+**`reload.period`**
+:   Specifies how often the files are checked for changes. Do not set the `period` to less than 1s because the modification time of files is often stored in seconds. Setting the `period` to less than 1s will result in unnecessary overhead.
+
+Each file found by the glob must contain a list of one or more module definitions. For example:
+
+```yaml
+- module: file_integrity
+  paths:
+  - /www/wordpress
+  - /www/wordpress/wp-admin
+  - /www/wordpress/wp-content
+  - /www/wordpress/wp-includes
+```
+
+::::{note}
+On systems with POSIX file permissions, all Beats configuration files are subject to ownership and file permission checks. If you encounter config loading errors related to file ownership, see {{beats-ref}}/config-file-permissions.html.
+::::
+
+
diff --git a/docs/reference/auditbeat/auditbeat-dataset-system-host.md b/docs/reference/auditbeat/auditbeat-dataset-system-host.md
new file mode 100644
index 000000000000..d1abb1df5020
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-dataset-system-host.md
@@ -0,0 +1,91 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-dataset-system-host.html
+---
+
+# System host dataset [auditbeat-dataset-system-host]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `host` dataset of the system module.
+
+It is implemented for Linux, macOS (Darwin), and Windows.
+
+
+### Example dashboard [_example_dashboard_2]
+
+This dataset comes with a sample dashboard:
+
+:::{image} images/auditbeat-system-host-dashboard.png
+:alt: Auditbeat System Host Dashboard
+:class: screenshot
+:::
+
+## Fields [_fields_3]
+
+For a description of each field in the dataset, see the [exported fields](/reference/auditbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this dataset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "action": "host",
+        "dataset": "host",
+        "module": "system",
+        "kind": "state"
+    },
+    "message": "Ubuntu host ubuntu-bionic (IP: 10.0.2.15) is up for 0 days, 5 hours, 11 minutes",
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "audit": {
+            "host": {
+                "architecture": "x86_64",
+                "boottime": "2018-12-10T15:48:44Z",
+                "containerized": false,
+                "hostname": "ubuntu-bionic",
+                "id": "6f7be6fb33e6c77f057266415c094408",
+                "ip": [
+                    "10.0.2.15",
+                    "fe80::2d:fdff:fe81:e747",
+                    "172.28.128.3",
+                    "fe80::a00:27ff:fe1f:7160",
+                    "172.17.0.1",
+                    "fe80::42:83ff:febe:1a3a",
+                    "172.18.0.1",
+                    "fe80::42:9eff:fed3:d888"
+                ],
+                "mac": [
+                    "02-2D-FD-81-E7-47",
+                    "08-00-27-1F-71-60",
+                    "02-42-83-BE-1A-3A",
+                    "02-42-9E-D3-D8-88"
+                ],
+                "os": {
+                    "family": "debian",
+                    "kernel": "4.15.0-42-generic",
+                    "name": "Ubuntu",
+                    "platform": "ubuntu",
+                    "version": "18.04.1 LTS (Bionic Beaver)"
+                },
+                "timezone.name": "UTC",
+                "timezone.offset.sec": 0,
+                "type": "linux",
+                "uptime": 18661357350265
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/auditbeat/auditbeat-dataset-system-login.md b/docs/reference/auditbeat/auditbeat-dataset-system-login.md
new file mode 100644
index 000000000000..e786ccd3fb00
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-dataset-system-login.md
@@ -0,0 +1,73 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-dataset-system-login.html
+---
+
+# System login dataset [auditbeat-dataset-system-login]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `login` dataset of the system module.
+
+
+## Implementation [_implementation]
+
+The `login` dataset is implemented for Linux only.
+
+On Linux, the dataset reads the [utmp](https://en.wikipedia.org/wiki/Utmp) files that keep track of logins and logouts to the system. They are usually located at `/var/log/wtmp` (successful logins) and `/var/log/btmp` (failed logins).
+
+The file patterns used to locate the files can be configured using `login.wtmp_file_pattern` and `login.btmp_file_pattern`. By default, both the current files and any rotated files (e.g. `wtmp.1`, `wtmp.2`) are read.
+
+utmp files are binary, but you can display their contents using the `utmpdump` utility.
+
+
+### Example dashboard [_example_dashboard_3]
+
+The dataset comes with a sample dashboard:
+
+:::{image} images/auditbeat-system-login-dashboard.png
+:alt: Auditbeat System Login Dashboard
+:class: screenshot
+:::
+
+## Fields [_fields_4]
+
+For a description of each field in the dataset, see the [exported fields](/reference/auditbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this dataset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "action": "user_login",
+        "category": "authentication",
+        "dataset": "login",
+        "kind": "event",
+        "module": "system",
+        "origin": "/var/log/wtmp",
+        "outcome": "success",
+        "type": "authentication_success"
+    },
+    "message": "Login by user vagrant (UID: 1000) on pts/2 (PID: 14962) from 10.0.2.2 (IP: 10.0.2.2)",
+    "process": {
+        "pid": 14962
+    },
+    "service": {
+        "type": "system"
+    },
+    "source": {
+        "ip": "10.0.2.2"
+    },
+    "user": {
+        "id": 1000,
+        "name": "vagrant",
+        "terminal": "pts/2"
+    }
+}
+```
+
+
diff --git a/docs/reference/auditbeat/auditbeat-dataset-system-package.md b/docs/reference/auditbeat/auditbeat-dataset-system-package.md
new file mode 100644
index 000000000000..1b4ed1d06266
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-dataset-system-package.md
@@ -0,0 +1,71 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-dataset-system-package.html
+---
+
+# System package dataset [auditbeat-dataset-system-package]
+
+This is the `package` dataset of the system module.
+
+It is implemented for Linux distributions using dpkg or rpm as their package manager, and for Homebrew on macOS (Darwin).
+
+
+### Example dashboard [_example_dashboard_4]
+
+The dataset comes with a sample dashboard:
+
+:::{image} images/auditbeat-system-package-dashboard.png
+:alt: Auditbeat System Package Dashboard
+:class: screenshot
+:::
+
+## Fields [_fields_5]
+
+For a description of each field in the dataset, see the [exported fields](/reference/auditbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this dataset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "action": "existing_package",
+        "category": [
+            "package"
+        ],
+        "dataset": "package",
+        "id": "6bed65c5-9797-4fb7-9ec7-2d1873c54371",
+        "kind": "state",
+        "module": "system",
+        "type": [
+            "info"
+        ]
+    },
+    "message": "Package zstd (1.5.4) is already installed",
+    "package": {
+        "description": "Zstandard is a real-time compression algorithm",
+        "installed": "2023-02-15T20:40:24.390086982-05:00",
+        "name": "zstd",
+        "reference": "https://facebook.github.io/zstd/",
+        "type": "brew",
+        "version": "1.5.4"
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "audit": {
+            "package": {
+                "entity_id": "SxYD3ZMh/Ym0lBIk",
+                "installtime": "2023-02-15T20:40:24.390086982-05:00",
+                "name": "zstd",
+                "summary": "Zstandard is a real-time compression algorithm",
+                "url": "https://facebook.github.io/zstd/",
+                "version": "1.5.4"
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/auditbeat/auditbeat-dataset-system-process.md b/docs/reference/auditbeat/auditbeat-dataset-system-process.md
new file mode 100644
index 000000000000..265851b885b0
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-dataset-system-process.md
@@ -0,0 +1,96 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-dataset-system-process.html
+---
+
+# System process dataset [auditbeat-dataset-system-process]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `process` dataset of the system module. It generates an event when a process starts and stops.
+
+It is implemented for Linux, macOS (Darwin), and Windows.
+
+
+## Configuration options [_configuration_options_20]
+
+**`process.state.period`**
+:   The interval at which the dataset sends full state information. If set this will take precedence over `state.period`. The default value is `12h`.
+
+**`process.hash.max_file_size`**
+:   The maximum size of a file in bytes for which Auditbeat will compute hashes. Files larger than this size will not be hashed. The default value is 100 MiB. For convenience units can be specified as a suffix to the value. The supported units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`, `gb`, `tib`, `tb`, `pib`, `pb`, `eib`, and `eb`.
+
+**`process.hash.hash_types`**
+:   A list of hash types to compute when the file changes. The supported hash types are `blake2b_256`, `blake2b_384`, `blake2b_512`, `md5`, `sha1`, `sha224`, `sha256`, `sha384`, `sha512`, `sha512_224`, `sha512_256`, `sha3_224`, `sha3_256`, `sha3_384`, `sha3_512`, and `xxh64`. The default value is `sha1`.
+
+
+### Example dashboard [_example_dashboard_5]
+
+The dataset comes with a sample dashboard:
+
+:::{image} images/auditbeat-system-process-dashboard.png
+:alt: Auditbeat System Process Dashboard
+:class: screenshot
+:::
+
+## Fields [_fields_6]
+
+For a description of each field in the dataset, see the [exported fields](/reference/auditbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this dataset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "action": "process_stopped",
+        "dataset": "process",
+        "kind": "event",
+        "module": "system"
+    },
+    "message": "Process zsh (PID: 9086) by user elastic STOPPED",
+    "process": {
+        "args": [
+            "zsh"
+        ],
+        "entity_id": "+fYshazplsMYlr0y",
+        "executable": "/bin/zsh",
+        "hash": {
+            "sha1": "33646536613061316366353134643135613631643363383733653261373130393737633131303364"
+        },
+        "name": "zsh",
+        "pid": 9086,
+        "ppid": 9085,
+        "start": "2019-01-01T00:00:01Z",
+        "working_directory": "/home/elastic"
+    },
+    "service": {
+        "type": "system"
+    },
+    "user": {
+        "effective": {
+            "group": {
+                "id": "1000"
+            },
+            "id": "1000"
+        },
+        "group": {
+            "id": "1000",
+            "name": "elastic"
+        },
+        "id": "1000",
+        "name": "elastic",
+        "saved": {
+            "group": {
+                "id": "1000"
+            },
+            "id": "1000"
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/auditbeat/auditbeat-dataset-system-socket.md b/docs/reference/auditbeat/auditbeat-dataset-system-socket.md
new file mode 100644
index 000000000000..8bb4566bcf2e
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-dataset-system-socket.md
@@ -0,0 +1,267 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-dataset-system-socket.html
+---
+
+# System socket dataset [auditbeat-dataset-system-socket]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `socket` dataset of the system module. It allows to monitor network traffic to and from running processes. It’s main features are:
+
+* Supports TCP and UDP sockets over IPv4 and IPv6.
+* Outputs per-flow bytes and packets counters.
+* Enriches the flows with [process](ecs://reference/ecs-process.md) and [user](ecs://reference/ecs-user.md) information.
+* Provides information similar to Packetbeat’s flow monitoring with reduced CPU and memory usage.
+* Works on stock kernels without the need of custom modules, external libraries or development headers.
+* Correlates IP addresses with DNS requests.
+
+This dataset does not analyze application-layer protocols nor provide any other advanced features present in Packetbeat: - Monitor network traffic whose destination is not a local process, as is the case with traffic forwarding. - Monitor layer 2 traffic, ICMP or raw sockets.
+
+
+## Implementation [_implementation_2]
+
+It is implemented for Linux only and currently supports x86 (32 and 64 bit) architectures.
+
+The dataset uses [KProbe-based event tracing](https://www.kernel.org/doc/Documentation/trace/kprobetrace.txt) to monitor TCP and UDP sockets over IPv4 and IPv6, providing flow monitoring that includes byte and packet counters, as well as the local process and user involved in the flow. It does so by plugin into the TCP/IP stack to generate custom tracing events avoiding the need to copy network traffic to user space.
+
+By not relying on periodic polling, this approach enables the dataset to perform near real-time monitoring of the system without the risk of missing short lived connections or processes.
+
+
+## Requirements [_requirements]
+
+Features used by the `socket` dataset require a minimum Linux kernel version of 3.12 (vanilla). However, some distributions have backported those features to older kernels. The following (non-exhaustive) lists the different distributions under which the dataset is known to work:
+
+| Distribution | kernel version | Works? |
+| --- | --- | --- |
+| CentOS 6.5 | 2.6.32-431.el6 | NO[[1]](#anchor-1) |
+| CentOS 6.9 | 2.6.32-696.30.1.el6 | ✓ |
+| CentOS 7.6 | 3.10.0-957.1.3.el7 | ✓ |
+| RHEL 8 | 4.18.0-80.rhel8 | ✓ |
+| Debian 8 | 3.16.0-6 | ✓ |
+| Debian 9 | 4.9.0-8 | ✓ |
+| Debian 10 | 4.19.0-5 | ✓ |
+| SLES 12 | 4.4.73-5 | ✓ |
+| Ubuntu 12.04 | 3.2.0-126 | NO[[1]](#anchor-1) |
+| Ubuntu 14.04.6 | 3.13.0-170 | ✓ |
+| Ubuntu 16.04.3 | 4.4.0-97 | ✓ |
+| AWS Linux 2 | 4.14.138-114.102 | ✓ |
+
+$$$anchor-1$$$
+[[1]](#anchor-1): These systems lack [PERF_EVENT_IOC_ID ioctl.](https://lore.kernel.org/patchwork/patch/399251/) Support might be added in a future release.
+
+The dataset needs CAP_SYS_ADMIN and CAP_NET_ADMIN in order to work.
+
+
+### Kernel configuration [_kernel_configuration]
+
+A kernel built with the following configuration options enabled is required:
+
+* `CONFIG_KPROBE_EVENTS`: Enables the KProbes subsystem.
+* `CONFIG_DEBUG_FS`: For kernels laking `tracefs` support (<4.1).
+* `CONFIG_IPV6`: IPv6 support in the kernel is needed even if disabled with `socket.enable_ipv6: false`.
+
+These settings are enabled by default in most distributions.
+
+The following configuration settings can prevent the dataset from starting:
+
+* `/sys/kernel/debug/kprobes/enabled` must be 1.
+* `/proc/sys/net/ipv6/conf/lo/disable_ipv6` (IPv6 enabled in loopback device) is required when running with IPv6 enabled.
+
+
+### Running on docker [_running_on_docker]
+
+The dataset can monitor the Docker host when running inside a container. However it needs to run on a `privileged` container with `CAP_NET_ADMIN`. The docker container running Auditbeat needs access to the host’s tracefs or debugfs directory. This is achieved by bind-mounting `/sys`.
+
+
+## Configuration [_configuration_2]
+
+The following options are available for the `socket` dataset:
+
+* `socket.tracefs_path` (default: none)
+
+Must point to the mount-point of `tracefs` or the `tracing` directory inside `debugfs`. If this option is not specified, Auditbeat will look for the default locations: `/sys/kernel/tracing` and `/sys/kernel/debug/tracing`. If not found, it will attempt to mount `tracefs` and `debugfs` at their default locations.
+
+* `socket.enable_ipv6` (default: unset)
+
+Determines whether IPv6 must be monitored. When unset (default), IPv6 support is automatically detected. Even when IPv6 is disabled, in order to run the dataset you still need a kernel with IPv6 support (the `ipv6` module must be loaded if compiled as a module).
+
+* `socket.flow_inactive_timeout` (default: 30s)
+
+Determines how long a flow has to be inactive to be considered closed.
+
+* `socket.flow_termination_timeout` (default: 5s)
+
+Determines how long to wait after a socket has been closed for out of order packets. With TCP, some packets can be received shortly after a socket is closed. If set too low, additional flows will be generated for those packets.
+
+* `socket.socket_inactive_timeout` (default: 1m)
+
+How long a socket can be inactive to be evicted from the internal cache. A lower value reduces memory usage at the expense of some flows being reported as multiple partial flows.
+
+* `socket.perf_queue_size` (default: 4096)
+
+The number of tracing samples that can be queued for processing. A larger value uses more memory but reduces the chances of samples being lost when the system is under heavy load.
+
+* `socket.lost_queue_size` (default: 128)
+
+The number of lost samples notifications that can be queued.
+
+* `socket.ring_size_exponent` (default: 7)
+
+Controls the number of memory pages allocated for the per-CPU ring-buffer used to receive samples from the kernel. The actual amount of memory used is Number_of_CPUs x Page_Size(4KB) x 2ring_size_exponent. That is 0.5 MiB of RAM per CPU with the default value.
+
+* `socket.clock_max_drift` (default: 100ms)
+
+Defines the maximum difference between the kernel internal clock and the reference time used to timestamp events.
+
+* `socket.clock_sync_period` (default: 10s)
+
+Controls how often clock synchronization events are generated to measure drift between the kernel clock and the dataset’s reference clock.
+
+* `socket.guess_timeout` (default: 15s)
+
+The maximum time an individual guess is allowed to run.
+
+* `socket.dns.enabled` (default: true)
+
+If DNS traffic must be monitored to enrich network flows with DNS information.
+
+* `socket.dns.type` (default: af_packet)
+
+The method used to monitor DNS traffic. Currently, only `af_packet` is supported.
+
+* `socket.dns.af_packet.interface` (default: any)
+
+The network interface where DNS will be monitored.
+
+* `socket.dns.af_packet.snaplen` (default: 1024)
+
+Maximum number of bytes to copy for each captured packet.
+
+## Fields [_fields_7]
+
+For a description of each field in the dataset, see the [exported fields](/reference/auditbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this dataset:
+
+```json
+{
+    "@timestamp":"2019-08-22T20:46:40.173Z",
+    "@metadata":{
+        "beat":"auditbeat",
+        "type":"_doc",
+        "version":"7.4.0"
+    },
+    "server":{
+        "ip":"151.101.66.217",
+        "port":80,
+        "packets":5,
+        "bytes":437
+    },
+    "user":{
+        "name":"vagrant",
+        "id":"1000"
+    },
+    "network":{
+        "packets":10,
+        "bytes":731,
+        "community_id":"1:jdjL1TkdpF1v1GM0+JxRRp+V7KI=",
+        "direction":"outbound",
+        "type":"ipv4",
+        "transport":"tcp"
+    },
+    "group":{
+        "id":"1000",
+        "name":"vagrant"
+    },
+    "client":{
+        "ip":"10.0.2.15",
+        "port":40192,
+        "packets":5,
+        "bytes":294
+    },
+    "event":{
+        "duration":30728600,
+        "module":"system",
+        "dataset":"socket",
+        "kind":"event",
+        "action":"network_flow",
+        "category":"network",
+        "start":"2019-08-22T20:46:35.001Z",
+        "end":"2019-08-22T20:46:35.032Z"
+    },
+    "ecs":{
+        "version":"1.0.1"
+    },
+    "host":{
+        "name":"stretch",
+        "containerized":false,
+        "hostname":"stretch",
+        "architecture":"x86_64",
+        "os":{
+            "name":"Debian GNU/Linux",
+            "kernel":"4.9.0-8-amd64",
+            "codename":"stretch",
+            "platform":"debian",
+            "version":"9 (stretch)",
+            "family":"debian"
+        },
+        "id":"b3531219b5b4449eadbec59d47945649"
+    },
+    "agent":{
+        "version":"7.4.0",
+        "type":"auditbeat",
+        "ephemeral_id":"f7b0ab1a-da9e-4525-9252-59ecb68139f8",
+        "hostname":"stretch",
+        "id":"88862e07-b13a-4166-b1ef-b3e55b4a0cf2"
+    },
+    "process":{
+        "pid":4970,
+        "name":"curl",
+        "args":[
+            "curl",
+            "http://elastic.co/",
+            "-o",
+            "/dev/null"
+        ],
+        "executable":"/usr/bin/curl",
+        "created":"2019-08-22T20:46:34.928Z"
+    },
+    "system":{
+        "audit":{
+            "socket":{
+                "kernel_sock_address":"0xffff8de29d337000",
+                "internal_version":"1.0.3",
+                "uid":1000,
+                "gid":1000,
+                "euid":1000,
+                "egid":1000
+            }
+        }
+    },
+    "destination":{
+        "ip":"151.101.66.217",
+        "port":80,
+        "packets":5,
+        "bytes":437
+    },
+    "source":{
+        "port":40192,
+        "packets":5,
+        "bytes":294,
+        "ip":"10.0.2.15"
+    },
+    "flow":{
+        "final":true,
+        "complete":true
+    },
+    "service":{
+        "type":"system"
+    }
+}
+```
+
+
diff --git a/docs/reference/auditbeat/auditbeat-dataset-system-user.md b/docs/reference/auditbeat/auditbeat-dataset-system-user.md
new file mode 100644
index 000000000000..f509d11d0cdc
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-dataset-system-user.md
@@ -0,0 +1,75 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-dataset-system-user.html
+---
+
+# System user dataset [auditbeat-dataset-system-user]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `user` dataset of the system module.
+
+It is implemented for Linux only.
+
+
+### Example dashboard [_example_dashboard_6]
+
+The dataset comes with a sample dashboard:
+
+:::{image} images/auditbeat-system-user-dashboard.png
+:alt: Auditbeat System User Dashboard
+:class: screenshot
+:::
+
+## Fields [_fields_8]
+
+For a description of each field in the dataset, see the [exported fields](/reference/auditbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this dataset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "action": "user_added",
+        "dataset": "user",
+        "kind": "event",
+        "module": "system"
+    },
+    "message": "New user elastic (UID: 1001, Groups: elastic,docker)",
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "audit": {
+            "user": {
+                "dir": "/home/elastic",
+                "gid": "1001",
+                "group": [
+                    {
+                        "gid": "1001",
+                        "name": "elastic"
+                    },
+                    {
+                        "gid": "1002",
+                        "name": "docker"
+                    }
+                ],
+                "name": "elastic",
+                "shell": "/bin/bash",
+                "uid": "1001"
+            }
+        }
+    },
+    "user": {
+        "entity_id": "FgDfgeDptvvfdX+L",
+        "id": "1001",
+        "name": "elastic"
+    }
+}
+```
+
+
diff --git a/docs/reference/auditbeat/auditbeat-geoip.md b/docs/reference/auditbeat/auditbeat-geoip.md
new file mode 100644
index 000000000000..f9789f920159
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-geoip.md
@@ -0,0 +1,206 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-geoip.html
+---
+
+# Enrich events with geoIP information [auditbeat-geoip]
+
+You can use Auditbeat along with the [GeoIP Processor](elasticsearch://reference/ingestion-tools/enrich-processor/geoip-processor.md) in {{es}} to export geographic location information based on IP addresses. Then you can use this information to visualize the location of IP addresses on a map in {{kib}}.
+
+The `geoip` processor adds information about the geographical location of IP addresses, based on data from the Maxmind GeoLite2 City Database. Because the processor uses a geoIP database that’s installed on {{es}}, you don’t need to install a geoIP database on the machines running Auditbeat.
+
+::::{note}
+If your use case involves using {{ls}}, you can use the [GeoIP filter](logstash://reference/plugins-filters-geoip.md) available in {{ls}} instead of using the `geoip` processor. However, using the `geoip` processor is the simplest approach when you don’t require the additional processing power of {{ls}}.
+::::
+
+
+
+## Configure the `geoip` processor [auditbeat-configuring-geoip]
+
+To configure Auditbeat and the `geoip` processor:
+
+1. Define an ingest pipeline that uses one or more `geoip` processors to add location information to the event. For example, you can use the Console in {{kib}} to create the following pipeline:
+
+    ```console
+    PUT _ingest/pipeline/geoip-info
+    {
+      "description": "Add geoip info",
+      "processors": [
+        {
+          "geoip": {
+            "field": "client.ip",
+            "target_field": "client.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "client.ip",
+            "target_field": "client.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "source.ip",
+            "target_field": "source.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "source.ip",
+            "target_field": "source.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "destination.ip",
+            "target_field": "destination.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "destination.ip",
+            "target_field": "destination.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "server.ip",
+            "target_field": "server.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "server.ip",
+            "target_field": "server.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "host.ip",
+            "target_field": "host.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "server.as.asn",
+            "target_field": "server.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "server.as.organization_name",
+            "target_field": "server.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "client.as.asn",
+            "target_field": "client.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "client.as.organization_name",
+            "target_field": "client.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "source.as.asn",
+            "target_field": "source.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "source.as.organization_name",
+            "target_field": "source.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "destination.as.asn",
+            "target_field": "destination.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "destination.as.organization_name",
+            "target_field": "destination.as.organization.name",
+            "ignore_missing": true
+          }
+        }
+      ]
+    }
+    ```
+
+    In this example, the pipeline ID is `geoip-info`. `field` specifies the field that contains the IP address to use for the geographical lookup, and `target_field` is the field that will hold the geographical information. `"ignore_missing": true` configures the pipeline to continue processing when it encounters an event that doesn’t have the specified field.
+
+    See [GeoIP Processor](elasticsearch://reference/ingestion-tools/enrich-processor/geoip-processor.md) for more options.
+
+    To learn more about adding host information to an event, see [add_host_metadata](/reference/auditbeat/add-host-metadata.md).
+
+2. In the Auditbeat config file, configure the {{es}} output to use the pipeline. Specify the pipeline ID in the `pipeline` option under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["localhost:9200"]
+      pipeline: geoip-info
+    ```
+
+3. Run Auditbeat. Remember to use `sudo` if the config file is owned by root.
+
+    ```sh
+    ./auditbeat -e
+    ```
+
+    If the lookups succeed, the events are enriched with `geo_point` fields, such as `client.geo.location` and `host.geo.location`, that you can use to populate visualizations in {{kib}}.
+
+
+If you add a field that’s not already defined as a `geo_point` in the index template, add a mapping so the field gets indexed correctly.
+
+
+## Visualize locations [auditbeat-visualizing-location]
+
+To visualize the location of IP addresses, you can create a new [coordinate map](docs-content://explore-analyze/visualize/maps.md) in {{kib}} and select the location field, for example `client.geo.location` or `host.geo.location`, as the Geohash.
+
+:::{image} images/coordinate-map.png
+:alt: Coordinate map in {kib}
+:class: screenshot
+:::
+
diff --git a/docs/reference/auditbeat/auditbeat-installation-configuration.md b/docs/reference/auditbeat/auditbeat-installation-configuration.md
new file mode 100644
index 000000000000..84822a639fb7
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-installation-configuration.md
@@ -0,0 +1,345 @@
+---
+navigation_title: "Quick start"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-installation-configuration.html
+---
+
+# Auditbeat quick start: installation and configuration [auditbeat-installation-configuration]
+
+
+This guide describes how to get started quickly with audit data collection. You’ll learn how to:
+
+* install Auditbeat on each system you want to monitor
+* specify the location of your audit data
+* parse log data into fields and send it to {es}
+* visualize the log data in {kib}
+
+:::{image} images/auditbeat-auditd-dashboard.png
+:alt: Auditbeat Auditd dashboard
+:class: screenshot
+:::
+
+
+## Before you begin [_before_you_begin]
+
+You need {{es}} for storing and searching your data, and {{kib}} for visualizing and managing it.
+
+:::::::{tab-set}
+
+::::::{tab-item} Elasticsearch Service
+To get started quickly, spin up a deployment of our [hosted {{ess}}](https://www.elastic.co/cloud/elasticsearch-service). The {{ess}} is available on AWS, GCP, and Azure. [Try it out for free](https://cloud.elastic.co/registration?page=docs&placement=docs-body).
+::::::
+
+::::::{tab-item} Self-managed
+To install and run {{es}} and {{kib}}, see [Installing the {{stack}}](docs-content://deploy-manage/deploy/self-managed/deploy-cluster.md).
+::::::
+
+:::::::
+
+## Step 1: Install Auditbeat [install]
+
+Install Auditbeat on all the servers you want to monitor.
+
+To download and install Auditbeat, use the commands that work with your system:
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+Version 9.0.0-beta1 of Auditbeat has not yet been released.
+::::::
+
+::::::{tab-item} RPM
+Version 9.0.0-beta1 of Auditbeat has not yet been released.
+::::::
+
+::::::{tab-item} MacOS
+Version 9.0.0-beta1 of Auditbeat has not yet been released.
+::::::
+
+::::::{tab-item} Linux
+Version 9.0.0-beta1 of Auditbeat has not yet been released.
+::::::
+
+::::::{tab-item} Windows
+Version 9.0.0-beta1 of Auditbeat has not yet been released.
+::::::
+
+:::::::
+The commands shown are for AMD platforms, but ARM packages are also available. Refer to the [download page](https://www.elastic.co/downloads/beats/auditbeat) for the full list of available packages.
+
+
+### Other installation options [other-installation-options]
+
+* [APT or YUM](/reference/auditbeat/setup-repositories.md)
+* [Download page](https://www.elastic.co/downloads/beats/auditbeat)
+* [Docker](/reference/auditbeat/running-on-docker.md)
+* [Kubernetes](/reference/auditbeat/running-on-kubernetes.md)
+
+
+## Step 2: Connect to the {{stack}} [set-connection]
+
+Connections to {{es}} and {{kib}} are required to set up Auditbeat.
+
+Set the connection information in `auditbeat.yml`. To locate this configuration file, see [Directory layout](/reference/auditbeat/directory-layout.md).
+
+:::::::{tab-set}
+
+::::::{tab-item} Elasticsearch Service
+Specify the [cloud.id](/reference/auditbeat/configure-cloud-id.md) of your {{ess}}, and set [cloud.auth](/reference/auditbeat/configure-cloud-id.md) to a user who is authorized to set up Auditbeat. For example:
+
+```yaml
+cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
+cloud.auth: "auditbeat_setup:{pwd}" <1>
+```
+
+1. This examples shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/auditbeat/keystore.md).
+::::::
+
+::::::{tab-item} Self-managed
+1. Set the host and port where Auditbeat can find the {{es}} installation, and set the username and password of a user who is authorized to set up Auditbeat. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      username: "auditbeat_internal"
+      password: "{pwd}" <1>
+      ssl:
+        enabled: true
+        ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c" <2>
+    ```
+
+    1. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/auditbeat/keystore.md).
+    2. This example shows a hard-coded fingerprint, but you should store sensitive values in the [secrets keystore](/reference/auditbeat/keystore.md). The fingerprint is a HEX encoded SHA-256 of a CA certificate, when you start {{es}} for the first time, security features such as network encryption (TLS) for {{es}} are enabled by default. If you are using the self-signed certificate generated by {{es}} when it is started for the first time, you will need to add its fingerprint here. The fingerprint is printed on {{es}} start up logs, or you can refer to [connect clients to {{es}} documentation](docs-content://deploy-manage/security/security-certificates-keys.md#_connect_clients_to_es_5) for other options on retrieving it. If you are providing your own SSL certificate to {{es}} refer to [Auditbeat documentation on how to setup SSL](/reference/auditbeat/configuration-ssl.md#ssl-client-config).
+
+2. If you plan to use our pre-built {{kib}} dashboards, configure the {{kib}} endpoint. Skip this step if {{kib}} is running on the same host as {{es}}.
+
+    ```yaml
+      setup.kibana:
+        host: "mykibanahost:5601" <1>
+        username: "my_kibana_user" <2> <3>
+        password: "{pwd}"
+    ```
+
+    1. The hostname and port of the machine where {{kib}} is running, for example, `mykibanahost:5601`. If you specify a path after the port number, include the scheme and port: `http://mykibanahost:5601/path`.
+    2. The `username` and `password` settings for {{kib}} are optional. If you don’t specify credentials for {{kib}}, Auditbeat uses the `username` and `password` specified for the {{es}} output.
+    3. To use the pre-built {{kib}} dashboards, this user must be authorized to view dashboards or have the `kibana_admin` [built-in role](elasticsearch://reference/elasticsearch/roles.md).
+::::::
+
+:::::::
+To learn more about required roles and privileges, see [*Grant users access to secured resources*](/reference/auditbeat/feature-roles.md).
+
+::::{note}
+You can send data to other [outputs](/reference/auditbeat/configuring-output.md), such as {{ls}}, but that requires additional configuration and setup.
+::::
+
+
+
+## Step 3: Configure data collection modules [enable-modules]
+
+Auditbeat uses [modules](/reference/auditbeat/auditbeat-modules.md) to collect audit information.
+
+By default, Auditbeat uses a configuration that’s tailored to the operating system where Auditbeat is running.
+
+To use a different configuration, change the module settings in `auditbeat.yml`.
+
+The following example shows the `file_integrity` module configured to generate events whenever a file in one of the specified paths changes on disk:
+
+```sh
+auditbeat.modules:
+
+- module: file_integrity
+  paths:
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
+```
+
+::::{tip}
+To test your configuration file, change to the directory where the Auditbeat binary is installed, and run Auditbeat in the foreground with the following options specified: `./auditbeat test config -e`. Make sure your config files are in the path expected by Auditbeat (see [Directory layout](/reference/auditbeat/directory-layout.md)), or use the `-c` flag to specify the path to the config file.
+::::
+
+
+For more information about configuring Auditbeat, also see:
+
+* [Configure Auditbeat](/reference/auditbeat/configuring-howto-auditbeat.md)
+* [Config file format](/reference/libbeat/config-file-format.md)
+* [`auditbeat.reference.yml`](/reference/auditbeat/auditbeat-reference-yml.md): This reference configuration file shows all non-deprecated options. You’ll find it in the same location as `auditbeat.yml`.
+
+
+## Step 4: Set up assets [setup-assets]
+
+Auditbeat comes with predefined assets for parsing, indexing, and visualizing your data. To load these assets:
+
+1. Make sure the user specified in `auditbeat.yml` is [authorized to set up Auditbeat](/reference/auditbeat/privileges-to-setup-beats.md).
+2. From the installation directory, run:
+
+    :::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+    auditbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} RPM
+```sh
+    auditbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+    ./auditbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} Linux
+```sh
+    ./auditbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} Windows
+```sh
+    PS > .\auditbeat.exe setup -e
+    ```
+::::::
+
+::::::{tab-item} DEB
+```sh
+sudo service auditbeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Auditbeat, you can’t specify command line flags (see [Command reference](/reference/auditbeat/command-line-options.md)). To specify flags, start Auditbeat in the foreground.
+::::
+
+
+Also see [Auditbeat and systemd](/reference/auditbeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} RPM
+```sh
+sudo service auditbeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Auditbeat, you can’t specify command line flags (see [Command reference](/reference/auditbeat/command-line-options.md)). To specify flags, start Auditbeat in the foreground.
+::::
+
+
+Also see [Auditbeat and systemd](/reference/auditbeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} MacOS
+```sh
+sudo chown root auditbeat.yml <1>
+sudo ./auditbeat -e
+```
+
+1. You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Linux
+```sh
+sudo chown root auditbeat.yml <1>
+sudo ./auditbeat -e
+```
+
+1. You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Windows
+```sh
+PS C:\Program Files\auditbeat> Start-Service auditbeat
+```
+
+By default, Windows log files are stored in `C:\ProgramData\auditbeat\Logs`.
+::::::
+
+:::::::
+Auditbeat should begin streaming events to {{es}}.
+
+If you see a warning about too many open files, you need to increase the `ulimit`. See the [FAQ](/reference/auditbeat/ulimit.md) for more details.
+
+
+## Step 6: View your data in {{kib}} [view-data]
+
+To make it easier for you to start auditing the activities of users and processes on your system, Auditbeat comes with pre-built {{kib}} dashboards and UIs for visualizing your data.
+
+To open the dashboards:
+
+1. Launch {{kib}}:
+
+    <div class="tabs" data-tab-group="host">
+      <div role="tablist" aria-label="Open Kibana">
+        <button role="tab"
+                aria-selected="true"
+                aria-controls="cloud-tab-open-kibana"
+                id="cloud-open-kibana">
+          Elasticsearch Service
+        </button>
+        <button role="tab"
+                aria-selected="false"
+                aria-controls="self-managed-tab-open-kibana"
+                id="self-managed-open-kibana"
+                tabindex="-1">
+          Self-managed
+        </button>
+      </div>
+      <div tabindex="0"
+           role="tabpanel"
+           id="cloud-tab-open-kibana"
+           aria-labelledby="cloud-open-kibana">
+    1. [Log in](https://cloud.elastic.co/) to your {{ecloud}} account.
+    2. Navigate to the {{kib}} endpoint in your deployment.
+
+      </div>
+      <div tabindex="0"
+           role="tabpanel"
+           id="self-managed-tab-open-kibana"
+           aria-labelledby="self-managed-open-kibana"
+           hidden="">
+    Point your browser to [http://localhost:5601](http://localhost:5601), replacing `localhost` with the name of the {{kib}} host.
+
+      </div>
+    </div>
+
+2. In the side navigation, click **Discover**. To see Auditbeat data, make sure the predefined `auditbeat-*` data view is selected.
+
+    ::::{tip}
+    If you don’t see data in {{kib}}, try changing the time filter to a larger range. By default, {{kib}} shows the last 15 minutes.
+    ::::
+
+3. In the side navigation, click **Dashboard**, then select the dashboard that you want to open.
+
+The dashboards are provided as examples. We recommend that you [customize](docs-content://explore-analyze/dashboards.md) them to meet your needs.
+
+
+## What’s next? [_whats_next]
+
+Now that you have audit data streaming into {{es}}, learn how to unify your logs, metrics, uptime, and application performance data.
+
+1. Ingest data from other sources by installing and configuring other Elastic {{beats}}:
+
+    | Elastic {{beats}} | To capture |
+    | --- | --- |
+    | [{{metricbeat}}](/reference/metricbeat/metricbeat-installation-configuration.md) | Infrastructure metrics |
+    | [{{filebeat}}](/reference/filebeat/filebeat-installation-configuration.md) | Logs |
+    | [{{winlogbeat}}](/reference/winlogbeat/winlogbeat-installation-configuration.md) | Windows event logs |
+    | [{{heartbeat}}](/reference/heartbeat/heartbeat-installation-configuration.md) | Uptime information |
+    | [APM](docs-content://solutions/observability/apps/application-performance-monitoring-apm.md) | Application performance metrics |
+
+2. Use the Observability apps in {{kib}} to search across all your data:
+
+    | Elastic apps | Use to |
+    | --- | --- |
+    | [{{metrics-app}}](docs-content://solutions/observability/infra-and-hosts/analyze-infrastructure-host-metrics.md) | Explore metrics about systems and services across your ecosystem |
+    | [{{logs-app}}](docs-content://solutions/observability/logs/explore-logs.md) | Tail related log data in real time |
+    | [{{uptime-app}}](docs-content://solutions/observability/apps/synthetic-monitoring.md#monitoring-uptime) | Monitor availability issues across your apps and services |
+    | [APM app](docs-content://solutions/observability/apps/overviews.md) | Monitor application performance |
+    | [{{siem-app}}](docs-content://solutions/security.md) | Analyze security events |
+
+
diff --git a/docs/reference/auditbeat/auditbeat-module-auditd.md b/docs/reference/auditbeat/auditbeat-module-auditd.md
new file mode 100644
index 000000000000..b71154b756ae
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-module-auditd.md
@@ -0,0 +1,274 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-auditd.html
+---
+
+# Auditd Module [auditbeat-module-auditd]
+
+The `auditd` module receives audit events from the Linux Audit Framework that is a part of the Linux kernel.
+
+This module is available only for Linux.
+
+
+## How it works [_how_it_works]
+
+This module establishes a subscription to the kernel to receive the events as they occur. So unlike most other modules, the `period` configuration option is unused because it is not implemented using polling.
+
+The Linux Audit Framework can send multiple messages for a single auditable event. For example, a `rename` syscall causes the kernel to send eight separate messages. Each message describes a different aspect of the activity that is occurring (the syscall itself, file paths, current working directory, process title). This module will combine all of the data from each of the messages into a single event.
+
+Messages for one event can be interleaved with messages from another event. This module will buffer the messages in order to combine related messages into a single event even if they arrive interleaved or out of order.
+
+
+## Useful commands [_useful_commands]
+
+When running Auditbeat with the `auditd` module enabled, you might find that other monitoring tools interfere with Auditbeat.
+
+For example, you might encounter errors if another process, such as `auditd`, is registered to receive data from the Linux Audit Framework. You can use these commands to see if the `auditd` service is running and stop it:
+
+* See if `auditd` is running:
+
+    ```shell
+    service auditd status
+    ```
+
+* Stop the `auditd` service:
+
+    ```shell
+    service auditd stop
+    ```
+
+* Disable `auditd` from starting on boot:
+
+    ```shell
+    chkconfig auditd off
+    ```
+
+
+To save CPU usage and disk space, you can use this command to stop `journald` from listening to audit messages:
+
+```shell
+systemctl mask systemd-journald-audit.socket
+```
+
+
+## Inspect the kernel audit system status [_inspect_the_kernel_audit_system_status]
+
+Auditbeat provides useful commands to query the state of the audit system in the Linux kernel.
+
+* See the list of installed audit rules:
+
+    ```shell
+    auditbeat show auditd-rules
+    ```
+
+    Prints the list of loaded rules, similar to `auditctl -l`:
+
+    ```shell
+    -a never,exit -S all -F pid=26253
+    -a always,exit -F arch=b32 -S all -F key=32bit-abi
+    -a always,exit -F arch=b64 -S execve,execveat -F key=exec
+    -a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
+    -w /etc/group -p wa -k identity
+    -w /etc/passwd -p wa -k identity
+    -w /etc/gshadow -p wa -k identity
+    -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
+    -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access
+    ```
+
+* See the status of the audit system:
+
+    ```shell
+    auditbeat show auditd-status
+    ```
+
+    Prints the status of the kernel audit system, similar to `auditctl -s`:
+
+    ```shell
+    enabled 1
+    failure 0
+    pid 0
+    rate_limit 0
+    backlog_limit 8192
+    lost 14407
+    backlog 0
+    backlog_wait_time 0
+    features 0xf
+    ```
+
+
+
+## Configuration options [_configuration_options_17]
+
+This module has some configuration options for tuning its behavior. The following example shows all configuration options with their default values.
+
+```yaml
+- module: auditd
+  resolve_ids: true
+  failure_mode: silent
+  backlog_limit: 8192
+  rate_limit: 0
+  include_raw_message: false
+  include_warnings: false
+  backpressure_strategy: auto
+  immutable: false
+```
+
+This module also supports the [standard configuration options](#module-standard-options-auditd) described later.
+
+**`socket_type`**
+:   This optional setting controls the type of socket that Auditbeat uses to receive events from the kernel. The two options are `unicast` and `multicast`.
+
+    `unicast` should be used when Auditbeat is the primary userspace daemon for receiving audit events and managing the rules. Only a single process can receive audit events through the "unicast" connection so any other daemons should be stopped (e.g. stop `auditd`).
+
+    `multicast` can be used in kernel versions 3.16 and newer. By using `multicast` Auditbeat will receive an audit event broadcast that is not exclusive to a a single process. This is ideal for situations where `auditd` is running and managing the rules.
+
+    By default Auditbeat will use `multicast` if the kernel version is 3.16 or newer and no rules have been defined. Otherwise `unicast` will be used.
+
+
+**`immutable`**
+:   This boolean setting sets the audit config as immutable (`-e 2`). This option can only be used with the `socket_type: unicast` since Auditbeat needs to manage the rules to be able to set it.
+
+    It is important to note that with this setting enabled, if Auditbeat is stopped and resumed events will continue to be processed but the configuration won’t be updated until the system is restarted entirely.
+
+
+**`resolve_ids`**
+:   This boolean setting enables the resolution of UIDs and GIDs to their associated names. The default value is true.
+
+**`failure_mode`**
+:   This determines the kernel’s behavior on critical failures such as errors sending events to Auditbeat, the backlog limit was exceeded, the kernel ran out of memory, or the rate limit was exceeded. The options are `silent`, `log`, or `panic`. `silent` basically makes the kernel ignore the errors, `log` makes the kernel write the audit messages using `printk` so they show up in system’s syslog, and `panic` causes the kernel to panic to prevent use of the machine. Auditbeat’s default is `silent`.
+
+**`backlog_limit`**
+:   This controls the maximum number of audit messages that will be buffered by the kernel.
+
+**`rate_limit`**
+:   This sets a rate limit on the number of messages/sec delivered by the kernel. The default is 0, which disables rate limiting. Changing this value to anything other than zero can cause messages to be lost. The preferred approach to reduce the messaging rate is be more selective in the audit ruleset.
+
+**`include_raw_message`**
+:   This boolean setting causes Auditbeat to include each of the raw messages that contributed to the event in the document as a field called `event.original`. The default value is false. This setting is primarily used for development and debugging purposes.
+
+**`include_warnings`**
+:   This boolean setting causes Auditbeat to include as warnings any issues that were encountered while parsing the raw messages. The messages are written to the `error.message` field. The default value is false. When this setting is enabled the raw messages will be included in the event regardless of the `include_raw_message` config setting. This setting is primarily used for development and debugging purposes.
+
+**`audit_rules`**
+:   A string containing the audit rules that should be installed to the kernel. There should be one rule per line. Comments can be embedded in the string using `#` as a prefix. The format for rules is the same used by the Linux `auditctl` utility. Auditbeat supports adding file watches (`-w`) and syscall rules (`-a` or `-A`). For more information, see [Audit rules](#audit-rules).
+
+**`audit_rule_files`**
+:   A list of files to load audit rules from. This files are loaded after the rules declared in `audit_rules` are loaded. Wildcards are supported and will expand in lexicographical order. The format is the same as that of the `audit_rules` field.
+
+**`ignore_errors`**
+:   This setting allows errors during rule loading and parsing to be ignored, but logged as warnings.
+
+**`backpressure_strategy`**
+:   Specifies the strategy that Auditbeat uses to prevent backpressure from propagating to the kernel and impacting audited processes.
+
+    The possible values are:
+
+    * `auto` (default): Auditbeat uses the `kernel` strategy, if supported, or falls back to the `userspace` strategy.
+    * `kernel`: Auditbeat sets the `backlog_wait_time` in the kernel’s audit framework to 0. This causes events to be discarded in the kernel if the audit backlog queue fills to capacity. Requires a 3.14 kernel or newer.
+    * `userspace`: Auditbeat drops events when there is backpressure from the publishing pipeline. If no `rate_limit` is set, Auditbeat sets a rate limit of 5000. Users should test their setup and adjust the `rate_limit` option accordingly.
+    * `both`: Auditbeat uses the `kernel` and `userspace` strategies at the same time.
+    * `none`: No backpressure mitigation measures are enabled.
+
+
+
+### Standard configuration options [module-standard-options-auditd]
+
+You can specify the following options for any Auditbeat module.
+
+**`module`**
+:   The name of the module to run.
+
+**`enabled`**
+:   A Boolean value that specifies whether the module is enabled.
+
+**`fields`**
+:   A dictionary of fields that will be sent with the dataset event. This setting is optional.
+
+**`tags`**
+:   A list of tags that will be sent with the dataset event. This setting is optional.
+
+**`processors`**
+:   A list of processors to apply to the data generated by the dataset.
+
+    See [Processors](/reference/auditbeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+**`index`**
+:   If present, this formatted string overrides the index for events from this module (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+    Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"auditbeat-myindex-2019.12.13"`.
+
+
+**`keep_null`**
+:   If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+**`service.name`**
+:   A name given by the user to the service the data is collected from. It can be used for example to identify information collected from nodes of different clusters with the same `service.type`.
+
+
+## Audit rules [audit-rules]
+
+The audit rules are where you configure the activities that are audited. These rules are configured as either syscalls or files that should be monitored. For example you can track all `connect` syscalls or file system writes to `/etc/passwd`.
+
+Auditing a large number of syscalls can place a heavy load on the system so consider carefully the rules you define and try to apply filters in the rules themselves to be as selective as possible.
+
+The kernel evaluates the rules in the order in which they were defined so place the most active rules first in order to speed up evaluation.
+
+You can assign keys to each rule for better identification of the rule that triggered an event and easier filtering later in Elasticsearch.
+
+Defining any audit rules in the config causes Auditbeat to purge all existing audit rules prior to adding the rules specified in the config. Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule.
+
+```sh
+auditbeat.modules:
+- module: auditd
+  audit_rules: |
+    # Things that affect identity.
+    -w /etc/group -p wa -k identity
+    -w /etc/passwd -p wa -k identity
+    -w /etc/gshadow -p wa -k identity
+    -w /etc/shadow -p wa -k identity
+
+    # Unauthorized access attempts to files (unsuccessful).
+    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+    -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+    -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+```
+
+
+## Example configuration [_example_configuration]
+
+The Auditd module supports the common configuration options that are described under [configuring Auditbeat](/reference/auditbeat/configuration-auditbeat.md). Here is an example configuration:
+
+```yaml
+auditbeat.modules:
+- module: auditd
+  # Load audit rules from separate files. Same format as audit.rules(7).
+  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
+  audit_rules: |
+    ## Define audit rules here.
+    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
+    ## examples or add your own rules.
+
+    ## If you are on a 64 bit platform, everything should be running
+    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+    ## because this might be a sign of someone exploiting a hole in the 32
+    ## bit API.
+    #-a always,exit -F arch=b32 -S all -F key=32bit-abi
+
+    ## Executions.
+    #-a always,exit -F arch=b64 -S execve,execveat -k exec
+
+    ## External access (warning: these can be expensive to audit).
+    #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
+
+    ## Identity changes.
+    #-w /etc/group -p wa -k identity
+    #-w /etc/passwd -p wa -k identity
+    #-w /etc/gshadow -p wa -k identity
+
+    ## Unauthorized access attempts.
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+```
+
diff --git a/docs/reference/auditbeat/auditbeat-module-file_integrity.md b/docs/reference/auditbeat/auditbeat-module-file_integrity.md
new file mode 100644
index 000000000000..77009058d5c2
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-module-file_integrity.md
@@ -0,0 +1,137 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-file_integrity.html
+---
+
+# File Integrity Module [auditbeat-module-file_integrity]
+
+The `file_integrity` module sends events when a file is changed (created, updated, or deleted) on disk. The events contain file metadata and hashes.
+
+The module is implemented for Linux, macOS (Darwin), and Windows.
+
+
+## How it works [_how_it_works_2]
+
+This module uses features of the operating system to monitor file changes in realtime. When the module starts it creates a subscription with the OS to receive notifications of changes to the specified files or directories. Upon receiving notification of a change the module will read the file’s metadata and the compute a hash of the file’s contents.
+
+At startup this module will perform an initial scan of the configured files and directories to generate baseline data for the monitored paths and detect changes since the last time it was run. It uses locally persisted data in order to only send events for new or modified files.
+
+The operating system features that power this feature are as follows.
+
+* Linux - Multiple backends are supported: `auto`, `fsnotify`, `kprobes`, `ebpf`. By default, `fsnotify` is used, and therefore the kernel must have inotify support. Inotify was initially merged into the 2.6.13 Linux kernel. The eBPF backend uses modern eBPF features and supports 5.10.16+ kernels. The `Kprobes` backend uses tracefs and supports 3.10+ kernels. FSNotify doesn’t have the ability to associate user data to file events. The preferred backend can be selected by specifying the `backend` config option. Since eBPF and Kprobes are in technical preview, `auto` will default to `fsnotify`.
+* macOS (Darwin) - Uses the `FSEvents` API, present since macOS 10.5. This API coalesces multiple changes to a file into a single event. Auditbeat translates this coalesced changes into a meaningful sequence of actions. However, in rare situations the reported events may have a different ordering than what actually happened.
+* Windows - `ReadDirectoryChangesW` is used.
+
+The file integrity module should not be used to monitor paths on network file systems.
+
+
+## Configuration options [_configuration_options_18]
+
+This module has some configuration options for tuning its behavior. The following example shows all configuration options with their default values for Linux.
+
+```yaml
+- module: file_integrity
+  paths:
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
+  exclude_files:
+  - '(?i)\.sw[nop]$'
+  - '~$'
+  - '/\.git($|/)'
+  include_files: []
+  scan_at_start: true
+  scan_rate_per_sec: 50 MiB
+  max_file_size: 100 MiB
+  hash_types: [sha1]
+  recursive: false
+```
+
+This module also supports the [standard configuration options](#module-standard-options-file_integrity) described later.
+
+**`paths`**
+:   A list of paths (directories or files) to watch. Globs are not supported. The specified paths should exist when the metricset is started. Paths should be absolute, although the file integrity module will attempt to resolve relative path events to their absolute file path. Symbolic links will be resolved on module start and the link target will be watched if link resolution is successful. Changes to the symbolic link after module start will not change the watch target. If the link does not resolve to a valid target, the symbolic link itself will be watched; if the symlink target becomes valid after module start up this will not be picked up by the file system watches.
+
+**`exclude_files`**
+:   A list of regular expressions used to filter out events for unwanted files. The expressions are matched against the full path of every file and directory. When used in conjunction with `include_files`, file paths need to match both `include_files` and not match `exclude_files` to be selected. By default, no files are excluded. See [*Regular expression support*](/reference/auditbeat/regexp-support.md) for a list of supported regexp patterns. It is recommended to wrap regular expressions in single quotation marks to avoid issues with YAML escaping rules.
+
+**`include_files`**
+:   A list of regular expressions used to specify which files to select. When configured, only files matching the pattern will be monitored. The expressions are matched against the full path of every file and directory. When used in conjunction with `exclude_files`, file paths need to match both `include_files` and not match `exclude_files` to be selected. By default, all files are selected. See [*Regular expression support*](/reference/auditbeat/regexp-support.md) for a list of supported regexp patterns. It is recommended to wrap regular expressions in single quotation marks to avoid issues with YAML escaping rules.
+
+**`scan_at_start`**
+:   A boolean value that controls if Auditbeat scans over the configured file paths at startup and send events for the files that have been modified since the last time Auditbeat was running. The default value is true.
+
+    This feature depends on data stored locally in `path.data` in order to determine if a file has changed. The first time Auditbeat runs it will send an event for each file it encounters.
+
+
+**`scan_rate_per_sec`**
+:   When `scan_at_start` is enabled this sets an average read rate defined in bytes per second for the initial scan. This throttles the amount of CPU and I/O that Auditbeat consumes at startup. The default value is "50 MiB". Setting the value to "0" disables throttling. For convenience units can be specified as a suffix to the value. The supported units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`, `gb`, `tib`, `tb`, `pib`, `pb`, `eib`, and `eb`.
+
+**`max_file_size`**
+:   The maximum size of a file in bytes for which Auditbeat will compute hashes and run file parsers. Files larger than this size will not be hashed or analysed by configured file parsers. The default value is 100 MiB. For convenience, units can be specified as a suffix to the value. The supported units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`, `gb`, `tib`, `tb`, `pib`, `pb`, `eib`, and `eb`.
+
+**`hash_types`**
+:   A list of hash types to compute when the file changes. The supported hash types are `blake2b_256`, `blake2b_384`, `blake2b_512`, `md5`, `sha1`, `sha224`, `sha256`, `sha384`, `sha512`, `sha512_224`, `sha512_256`, `sha3_224`, `sha3_256`, `sha3_384`, `sha3_512`, and `xxh64`. The default value is `sha1`.
+
+**`file_parsers`**
+:   A list of `file_integrity` fields under `file` that will be populated by file format parsers. The available fields that can be analysed are listed in the auditbeat.reference.yml file. File parsers are run on all files within the `max_file_size` limit in the configured paths during a scan or when a file event involves the file. Files that are not targets of the specific file parser are only sniffed to examine whether analysis should proceed. This will usually only involve reading a small number of bytes.
+
+**`recursive`**
+:   By default, the watches set to the paths specified in `paths` are not recursive. This means that only changes to the contents of this directories are watched. If `recursive` is set to `true`, the `file_integrity` module will watch for changes on this directories and all their subdirectories.
+
+**`backend`**
+:   (**Linux only**) Select the backend which will be used to source events. Valid values: `auto`, `fsnotify`, `kprobes`, `ebpf`. Default: `fsnotify`.
+
+
+### Standard configuration options [module-standard-options-file_integrity]
+
+You can specify the following options for any Auditbeat module.
+
+**`module`**
+:   The name of the module to run.
+
+**`enabled`**
+:   A Boolean value that specifies whether the module is enabled.
+
+**`fields`**
+:   A dictionary of fields that will be sent with the dataset event. This setting is optional.
+
+**`tags`**
+:   A list of tags that will be sent with the dataset event. This setting is optional.
+
+**`processors`**
+:   A list of processors to apply to the data generated by the dataset.
+
+    See [Processors](/reference/auditbeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+**`index`**
+:   If present, this formatted string overrides the index for events from this module (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+    Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"auditbeat-myindex-2019.12.13"`.
+
+
+**`keep_null`**
+:   If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+**`service.name`**
+:   A name given by the user to the service the data is collected from. It can be used for example to identify information collected from nodes of different clusters with the same `service.type`.
+
+
+## Example configuration [_example_configuration_2]
+
+The File Integrity module supports the common configuration options that are described under [configuring Auditbeat](/reference/auditbeat/configuration-auditbeat.md). Here is an example configuration:
+
+```yaml
+auditbeat.modules:
+- module: file_integrity
+  paths:
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
+```
+
diff --git a/docs/reference/auditbeat/auditbeat-module-system.md b/docs/reference/auditbeat/auditbeat-module-system.md
new file mode 100644
index 000000000000..0240d427d794
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-module-system.md
@@ -0,0 +1,211 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-system.html
+---
+
+# System Module [auditbeat-module-system]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The `system` module collects various security related information about a system. All datasets send both periodic state information (e.g. all currently running processes) and real-time changes (e.g. when a new process starts or stops).
+
+The module is fully implemented for Linux on x86. Currently, the `socket` module is not available on ARM. Some datasets are also available for macOS (Darwin) and Windows.
+
+
+## How it works [_how_it_works_3]
+
+Each dataset sends two kinds of information: state and events.
+
+State information is sent periodically and (for some datasets) on startup. A state update will consist of one event per object that is currently active on the system (e.g. a process). All events belonging to the same state update will share the same UUID in `event.id`.
+
+The frequency of state updates can be controlled for all datasets using the `state.period` configuration option. Overrides are available per dataset. The default is `12h`.
+
+Event information is sent as the events occur (e.g. a process starts or stops). All datasets are currently using a poll model to retrieve their data. The frequency of these polls is controlled by the `period` configuration parameter.
+
+
+### Entity IDs [_entity_ids]
+
+This module populates `entity_id` fields to uniquely identify entities (users, packages, processes…​) within a host. This requires Auditbeat to obtain a unique identifier for the host:
+
+* Windows: Uses the `HKLM\Software\Microsoft\Cryptography\MachineGuid` registry key.
+* macOS: Uses the value returned by `gethostuuid(2)` system call.
+* Linux: Uses the content of one of the following files, created by either `systemd` or `dbus`:
+
+    * /etc/machine-id
+    * /var/lib/dbus/machine-id
+    * /var/db/dbus/machine-id
+
+
+::::{note}
+Under CentOS 6.x, it’s possible that none of the files above exist. In that case, running `dbus-uuidgen --ensure` (provided by the `dbus` package) will generate one for you.
+::::
+
+
+
+### Example dashboard [_example_dashboard]
+
+The module comes with a sample dashboard:
+
+:::{image} images/auditbeat-system-overview-dashboard.png
+:alt: Auditbeat System Overview Dashboard
+:class: screenshot
+:::
+
+
+## Configuration options [_configuration_options_19]
+
+This module has some configuration options for controlling its behavior. The following example shows all configuration options with their default values for Linux.
+
+::::{note}
+It is recommended to configure some datasets separately. See below for a sample suggested configuration.
+::::
+
+
+```yaml
+- module: system
+  datasets:
+    - host
+    - login
+    - package
+    - process
+    - socket
+    - user
+  period: 10s
+  state.period: 12h
+
+  socket.include_localhost: false
+
+  user.detect_password_changes: true
+```
+
+This module also supports the [standard configuration options](#module-standard-options-system) described later.
+
+**`state.period`**
+:   The interval at which the datasets send full state information. This option can be overridden per dataset using `{{dataset}}.state.period`.
+
+**`user.detect_password_changes`**
+:   If the `user` dataset is configured and this option is set to `true`, Auditbeat will read password information in `/etc/passwd` and `/etc/shadow` to detect password changes. A hash will be kept locally in the `beat.db` file to detect changes between Auditbeat restarts. The `beat.db` file should be readable only by the root user and be treated similar to the shadow file itself.
+
+
+### Standard configuration options [module-standard-options-system]
+
+You can specify the following options for any Auditbeat module.
+
+**`module`**
+:   The name of the module to run.
+
+**`datasets`**
+:   A list of datasets to execute.
+
+**`enabled`**
+:   A Boolean value that specifies whether the module is enabled.
+
+**`period`**
+:   The frequency at which the datasets check for changes. If a system is not reachable, Auditbeat returns an error for each period. This setting is required. For most datasets, especially `process` and `socket`, a shorter period is recommended.
+
+**`fields`**
+:   A dictionary of fields that will be sent with the dataset event. This setting is optional.
+
+**`tags`**
+:   A list of tags that will be sent with the dataset event. This setting is optional.
+
+**`processors`**
+:   A list of processors to apply to the data generated by the dataset.
+
+    See [Processors](/reference/auditbeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+**`index`**
+:   If present, this formatted string overrides the index for events from this module (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+    Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"auditbeat-myindex-2019.12.13"`.
+
+
+**`keep_null`**
+:   If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+**`service.name`**
+:   A name given by the user to the service the data is collected from. It can be used for example to identify information collected from nodes of different clusters with the same `service.type`.
+
+
+## Suggested configuration [_suggested_configuration]
+
+Processes and sockets can be short-lived, so the chance of missing an update increases if the polling interval is too large.
+
+On the other hand, host and user information is unlikely to change frequently, so a longer polling interval can be used.
+
+```yaml
+- module: system
+  datasets:
+    - host
+    - login
+    - package
+    - user
+  period: 1m
+
+  user.detect_password_changes: true
+
+- module: system
+  datasets:
+    - process
+    - socket
+  period: 1s
+```
+
+
+## Example configuration [_example_configuration_3]
+
+The System module supports the common configuration options that are described under [configuring Auditbeat](/reference/auditbeat/configuration-auditbeat.md). Here is an example configuration:
+
+```yaml
+auditbeat.modules:
+- module: system
+  datasets:
+    - package # Installed, updated, and removed packages
+
+  period: 2m # The frequency at which the datasets check for changes
+
+- module: system
+  datasets:
+    - host    # General host information, e.g. uptime, IPs
+    - login   # User logins, logouts, and system boots.
+    - process # Started and stopped processes
+    - socket  # Opened and closed sockets
+    - user    # User information
+
+  # How often datasets send state updates with the
+  # current state of the system (e.g. all currently
+  # running processes, all open sockets).
+  state.period: 12h
+
+  # Enabled by default. Auditbeat will read password fields in
+  # /etc/passwd and /etc/shadow and store a hash locally to
+  # detect any changes.
+  user.detect_password_changes: true
+
+  # File patterns of the login record files.
+  login.wtmp_file_pattern: /var/log/wtmp*
+  login.btmp_file_pattern: /var/log/btmp*
+```
+
+
+## Datasets [_datasets]
+
+The following datasets are available:
+
+* [host](/reference/auditbeat/auditbeat-dataset-system-host.md)
+* [login](/reference/auditbeat/auditbeat-dataset-system-login.md)
+* [package](/reference/auditbeat/auditbeat-dataset-system-package.md)
+* [process](/reference/auditbeat/auditbeat-dataset-system-process.md)
+* [socket](/reference/auditbeat/auditbeat-dataset-system-socket.md)
+* [user](/reference/auditbeat/auditbeat-dataset-system-user.md)
+
+
+
+
+
+
+
diff --git a/docs/reference/auditbeat/auditbeat-modules.md b/docs/reference/auditbeat/auditbeat-modules.md
new file mode 100644
index 000000000000..a4d87b1fb4f0
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-modules.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-modules.html
+---
+
+# Modules [auditbeat-modules]
+
+This section contains detailed information about the metric collecting modules contained in Auditbeat. More details about each module can be found under the links below.
+
+* [Auditd](/reference/auditbeat/auditbeat-module-auditd.md)
+* [File Integrity](/reference/auditbeat/auditbeat-module-file_integrity.md)
+* [System](/reference/auditbeat/auditbeat-module-system.md)
+
diff --git a/docs/reference/auditbeat/auditbeat-overview.md b/docs/reference/auditbeat/auditbeat-overview.md
new file mode 100644
index 000000000000..7fb6f4754fa4
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-overview.md
@@ -0,0 +1,12 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-overview.html
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/index.html
+---
+
+# Auditbeat overview [auditbeat-overview]
+
+Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
+
+Auditbeat is an Elastic [Beat](https://www.elastic.co/beats). It’s based on the `libbeat` framework. For more information, see the [Beats Platform Reference](/reference/index.md).
+
diff --git a/docs/reference/auditbeat/auditbeat-reference-yml.md b/docs/reference/auditbeat/auditbeat-reference-yml.md
new file mode 100644
index 000000000000..b62983d5bcba
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-reference-yml.md
@@ -0,0 +1,1876 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html
+---
+
+# auditbeat.reference.yml [auditbeat-reference-yml]
+
+The following reference file is available with your Auditbeat installation. It shows all non-deprecated Auditbeat options. You can copy from this file and paste configurations into the `auditbeat.yml` file to customize it.
+
+::::{tip}
+The reference file is located in the same directory as the `auditbeat.yml` file. To locate the file, see [Directory layout](/reference/auditbeat/directory-layout.md).
+::::
+
+
+The contents of the file are included here for your convenience.
+
+```yaml
+## Auditbeat Configuration #############################
+
+# This is a reference configuration file documenting all non-deprecated options
+# in comments. For a shorter configuration example that contains only the most
+# common options, please see auditbeat.yml in the same directory.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/auditbeat/index.html
+
+# ============================== Config Reloading ==============================
+
+# Config reloading allows to dynamically load modules. Each file that is
+# monitored must contain one or multiple modules as a list.
+auditbeat.config.modules:
+
+  # Glob pattern for configuration reloading
+  path: ${path.config}/modules.d/*.yml
+
+  # Period on which files under path should be checked for changes
+  reload.period: 10s
+
+  # Set to true to enable config reloading
+  reload.enabled: false
+
+# Maximum amount of time to randomly delay the start of a dataset. Use 0 to
+# disable startup delay.
+auditbeat.max_start_delay: 10s
+
+# =========================== Modules configuration ============================
+auditbeat.modules:
+
+# The auditd module collects events from the audit framework in the Linux
+# kernel. You need to specify audit rules for the events that you want to audit.
+- module: auditd
+  resolve_ids: true
+  failure_mode: silent
+  backlog_limit: 8196
+  rate_limit: 0
+  include_raw_message: false
+  include_warnings: false
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Load audit rules from separate files. Same format as audit.rules(7).
+  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
+  audit_rules: |
+    ## Define audit rules here.
+    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
+    ## examples or add your own rules.
+
+    ## If you are on a 64 bit platform, everything should be running
+    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+    ## because this might be a sign of someone exploiting a hole in the 32
+    ## bit API.
+    #-a always,exit -F arch=b32 -S all -F key=32bit-abi
+
+    ## Executions.
+    #-a always,exit -F arch=b64 -S execve,execveat -k exec
+
+    ## External access (warning: these can be expensive to audit).
+    #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
+
+    ## Identity changes.
+    #-w /etc/group -p wa -k identity
+    #-w /etc/passwd -p wa -k identity
+    #-w /etc/gshadow -p wa -k identity
+
+    ## Unauthorized access attempts.
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+
+# The file integrity module sends events when files are changed (created,
+# updated, deleted). The events contain file metadata and hashes.
+- module: file_integrity
+  paths:
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
+
+  # List of regular expressions to filter out notifications for unwanted files.
+  # Wrap in single quotes to workaround YAML escaping rules. By default no files
+  # are ignored.
+  exclude_files:
+  - '(?i)\.sw[nop]$'
+  - '~$'
+  - '/\.git($|/)'
+
+  # List of regular expressions used to explicitly include files. When configured,
+  # Auditbeat will ignore files unless they match a pattern.
+  #include_files:
+  #- '/\.ssh($|/)'
+  # Select the backend which will be used to source events.
+  # "fsnotify" doesn't have the ability to associate user data to file events.
+  # Valid values: auto, fsnotify, kprobes, ebpf.
+  # Default: fsnotify.
+  backend: fsnotify
+
+  # Scan over the configured file paths at startup and send events for new or
+  # modified files since the last time Auditbeat was running.
+  scan_at_start: true
+
+  # Average scan rate. This throttles the amount of CPU and I/O that Auditbeat
+  # consumes at startup while scanning. Default is "50 MiB".
+  scan_rate_per_sec: 50 MiB
+
+  # Limit on the size of files that will be hashed. Default is "100 MiB".
+  max_file_size: 100 MiB
+
+  # Hash types to compute when the file changes. Supported types are
+  # blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384,
+  # sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, and xxh64.
+  # Default is sha1.
+  hash_types: [sha1]
+
+  # Detect changes to files included in subdirectories. Disabled by default.
+  recursive: false
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Parse detailed information for the listed fields. Field paths in the list below
+  # that are a prefix of other field paths imply the longer field path. A set of
+  # fields may be specified using an RE2 regular expression quoted in //. For example
+  # /^file\.pe\./ will match all file.pe.* fields. Note that the expression is not
+  # implicitly anchored, so the empty expression will match all fields.
+  # file_parsers:
+  # - file.elf.sections
+  # - file.elf.sections.name
+  # - file.elf.sections.physical_size
+  # - file.elf.sections.virtual_size
+  # - file.elf.sections.entropy
+  # - file.elf.sections.var_entropy
+  # - file.elf.import_hash
+  # - file.elf.imports
+  # - file.elf.imports_names_entropy
+  # - file.elf.imports_names_var_entropy
+  # - file.elf.go_import_hash
+  # - file.elf.go_imports
+  # - file.elf.go_imports_names_entropy
+  # - file.elf.go_imports_names_var_entropy
+  # - file.elf.go_stripped
+  # - file.macho.sections
+  # - file.macho.sections.name
+  # - file.macho.sections.physical_size
+  # - file.macho.sections.virtual_size
+  # - file.macho.sections.entropy
+  # - file.macho.sections.var_entropy
+  # - file.macho.import_hash
+  # - file.macho.symhash
+  # - file.macho.imports
+  # - file.macho.imports_names_entropy
+  # - file.macho.imports_names_var_entropy
+  # - file.macho.go_import_hash
+  # - file.macho.go_imports
+  # - file.macho.go_imports_names_entropy
+  # - file.macho.go_imports_names_var_entropy
+  # - file.macho.go_stripped
+  # - file.pe.sections
+  # - file.pe.sections.name
+  # - file.pe.sections.physical_size
+  # - file.pe.sections.virtual_size
+  # - file.pe.sections.entropy
+  # - file.pe.sections.var_entropy
+  # - file.pe.import_hash
+  # - file.pe.imphash
+  # - file.pe.imports
+  # - file.pe.imports_names_entropy
+  # - file.pe.imports_names_var_entropy
+  # - file.pe.go_import_hash
+  # - file.pe.go_imports
+  # - file.pe.go_imports_names_entropy
+  # - file.pe.go_imports_names_var_entropy
+  # - file.pe.go_stripped
+
+
+
+# ================================== General ===================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+# If this option is not defined, the hostname is used.
+#name:
+
+# The tags of the shipper are included in their field with each
+# transaction published. Tags make it easy to group servers by different
+# logical properties.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output. Fields can be scalar values, arrays, dictionaries, or any nested
+# combination of these.
+#fields:
+#  env: staging
+
+# If this option is set to true, the custom fields are stored as top-level
+# fields in the output document instead of being grouped under a field
+# sub-dictionary. Default is false.
+#fields_under_root: false
+
+# Configure the precision of all timestamps in Auditbeat.
+# Available options: millisecond, microsecond, nanosecond
+#timestamp.precision: millisecond
+
+# Internal queue configuration for buffering events to be published.
+# Queue settings may be overridden by performance presets in the
+# Elasticsearch output. To configure them manually use "preset: custom".
+#queue:
+  # Queue type by name (default 'mem')
+  # The memory queue will present all available events (up to the outputs
+  # bulk_max_size) to the output, the moment the output is ready to serve
+  # another batch of events.
+  #mem:
+    # Max number of events the queue can buffer.
+    #events: 3200
+
+    # Hints the minimum number of events stored in the queue,
+    # before providing a batch of events to the outputs.
+    # The default value is set to 2048.
+    # A value of 0 ensures events are immediately available
+    # to be sent to the outputs.
+    #flush.min_events: 1600
+
+    # Maximum duration after which events are available to the outputs,
+    # if the number of events stored in the queue is < `flush.min_events`.
+    #flush.timeout: 10s
+
+  # The disk queue stores incoming events on disk until the output is
+  # ready for them. This allows a higher event limit than the memory-only
+  # queue and lets pending events persist through a restart.
+  #disk:
+    # The directory path to store the queue's data.
+    #path: "${path.data}/diskqueue"
+
+    # The maximum space the queue should occupy on disk. Depending on
+    # input settings, events that exceed this limit are delayed or discarded.
+    #max_size: 10GB
+
+    # The maximum size of a single queue data file. Data in the queue is
+    # stored in smaller segments that are deleted after all their events
+    # have been processed.
+    #segment_size: 1GB
+
+    # The number of events to read from disk to memory while waiting for
+    # the output to request them.
+    #read_ahead: 512
+
+    # The number of events to accept from inputs while waiting for them
+    # to be written to disk. If event data arrives faster than it
+    # can be written to disk, this setting prevents it from overflowing
+    # main memory.
+    #write_ahead: 2048
+
+    # The duration to wait before retrying when the queue encounters a disk
+    # write error.
+    #retry_interval: 1s
+
+    # The maximum length of time to wait before retrying on a disk write
+    # error. If the queue encounters repeated errors, it will double the
+    # length of its retry interval each time, up to this maximum.
+    #max_retry_interval: 30s
+
+# Sets the maximum number of CPUs that can be executed simultaneously. The
+# default is the number of logical CPUs available in the system.
+#max_procs:
+
+# ================================= Processors =================================
+
+# Processors are used to reduce the number of fields in the exported event or to
+# enhance the event with external metadata. This section defines a list of
+# processors that are applied one by one and the first one receives the initial
+# event:
+#
+#   event -> filter1 -> event1 -> filter2 ->event2 ...
+#
+# The supported processors are drop_fields, drop_event, include_fields,
+# decode_json_fields, and add_cloud_metadata.
+#
+# For example, you can use the following processors to keep the fields that
+# contain CPU load percentages, but remove the fields that contain CPU ticks
+# values:
+#
+#processors:
+#  - include_fields:
+#      fields: ["cpu"]
+#  - drop_fields:
+#      fields: ["cpu.user", "cpu.system"]
+#
+# The following example drops the events that have the HTTP response code 200:
+#
+#processors:
+#  - drop_event:
+#      when:
+#        equals:
+#          http.code: 200
+#
+# The following example renames the field a to b:
+#
+#processors:
+#  - rename:
+#      fields:
+#        - from: "a"
+#          to: "b"
+#
+# The following example tokenizes the string into fields:
+#
+#processors:
+#  - dissect:
+#      tokenizer: "%{key1} - %{key2}"
+#      field: "message"
+#      target_prefix: "dissect"
+#
+# The following example enriches each event with metadata from the cloud
+# provider about the host machine. It works on EC2, GCE, DigitalOcean,
+# Tencent Cloud, and Alibaba Cloud.
+#
+#processors:
+#  - add_cloud_metadata: ~
+#
+# The following example enriches each event with the machine's local time zone
+# offset from UTC.
+#
+#processors:
+#  - add_locale:
+#      format: offset
+#
+# The following example enriches each event with docker metadata, it matches
+# given fields to an existing container id and adds info from that container:
+#
+#processors:
+#  - add_docker_metadata:
+#      host: "unix:///var/run/docker.sock"
+#      match_fields: ["system.process.cgroup.id"]
+#      match_pids: ["process.pid", "process.parent.pid"]
+#      match_source: true
+#      match_source_index: 4
+#      match_short_id: false
+#      cleanup_timeout: 60
+#      labels.dedot: false
+#      # To connect to Docker over TLS you must specify a client and CA certificate.
+#      #ssl:
+#      #  certificate_authority: "/etc/pki/root/ca.pem"
+#      #  certificate:           "/etc/pki/client/cert.pem"
+#      #  key:                   "/etc/pki/client/cert.key"
+#
+# The following example enriches each event with docker metadata, it matches
+# container id from log path available in `source` field (by default it expects
+# it to be /var/lib/docker/containers/*/*.log).
+#
+#processors:
+#  - add_docker_metadata: ~
+#
+# The following example enriches each event with host metadata.
+#
+#processors:
+#  - add_host_metadata: ~
+#
+# The following example enriches each event with process metadata using
+# process IDs included in the event.
+#
+#processors:
+#  - add_process_metadata:
+#      match_pids: ["system.process.ppid"]
+#      target: system.process.parent
+#
+# The following example decodes fields containing JSON strings
+# and replaces the strings with valid JSON objects.
+#
+#processors:
+#  - decode_json_fields:
+#      fields: ["field1", "field2", ...]
+#      process_array: false
+#      max_depth: 1
+#      target: ""
+#      overwrite_keys: false
+#
+#processors:
+#  - decompress_gzip_field:
+#      from: "field1"
+#      to: "field2"
+#      ignore_missing: false
+#      fail_on_error: true
+#
+# The following example copies the value of the message to message_copied
+#
+#processors:
+#  - copy_fields:
+#      fields:
+#        - from: message
+#          to: message_copied
+#      fail_on_error: true
+#      ignore_missing: false
+#
+# The following example truncates the value of the message to 1024 bytes
+#
+#processors:
+#  - truncate_fields:
+#      fields:
+#        - message
+#      max_bytes: 1024
+#      fail_on_error: false
+#      ignore_missing: true
+#
+# The following example preserves the raw message under event.original
+#
+#processors:
+#  - copy_fields:
+#      fields:
+#        - from: message
+#          to: event.original
+#      fail_on_error: false
+#      ignore_missing: true
+#  - truncate_fields:
+#      fields:
+#        - event.original
+#      max_bytes: 1024
+#      fail_on_error: false
+#      ignore_missing: true
+#
+# The following example URL-decodes the value of field1 to field2
+#
+#processors:
+#  - urldecode:
+#      fields:
+#        - from: "field1"
+#          to: "field2"
+#      ignore_missing: false
+#      fail_on_error: true
+
+# =============================== Elastic Cloud ================================
+
+# These settings simplify using Auditbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+# ================================== Outputs ===================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+# ---------------------------- Elasticsearch Output ----------------------------
+output.elasticsearch:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Array of hosts to connect to.
+  # Scheme and port can be left out and will be set to the default (http and 9200)
+  # In case you specify and additional path, the scheme is required: http://localhost:9200/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+  hosts: ["localhost:9200"]
+
+  # Performance presets configure other output fields to recommended values
+  # based on a performance priority.
+  # Options are "balanced", "throughput", "scale", "latency" and "custom".
+  # Default if unspecified: "custom"
+  preset: balanced
+
+  # Set gzip compression level. Set to 0 to disable compression.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 1.
+  #compression_level: 1
+
+  # Configure escaping HTML symbols in strings.
+  #escape_html: false
+
+  # Protocol - either `http` (default) or `https`.
+  #protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
+  #username: "elastic"
+  #password: "changeme"
+
+  # Dictionary of HTTP parameters to pass within the URL with index operations.
+  #parameters:
+    #param1: value1
+    #param2: value2
+
+  # Number of workers per Elasticsearch host.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  #worker: 1
+
+  # If set to true and multiple hosts are configured, the output plugin load
+  # balances published events onto all Elasticsearch hosts. If set to false,
+  # the output plugin sends all events to only one host (determined at random)
+  # and will switch to another host if the currently selected one becomes
+  # unreachable. The default value is true.
+  #loadbalance: true
+
+  # Optional data stream or index name. The default is "auditbeat-%{[agent.version]}".
+  # In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly.
+  #index: "auditbeat-%{[agent.version]}"
+
+  # Optional ingest pipeline. By default, no pipeline will be used.
+  #pipeline: ""
+
+  # Optional HTTP path
+  #path: "/elasticsearch"
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Proxy server URL
+  #proxy_url: http://proxy:3128
+
+  # Whether to disable proxy settings for outgoing connections. If true, this
+  # takes precedence over both the proxy_url field and any environment settings
+  # (HTTP_PROXY, HTTPS_PROXY). The default is false.
+  #proxy_disable: false
+
+  # The number of times a particular Elasticsearch index operation is attempted. If
+  # the indexing operation doesn't succeed after this many retries, the events are
+  # dropped. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 1600.
+  #bulk_max_size: 1600
+
+  # The number of seconds to wait before trying to reconnect to Elasticsearch
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Elasticsearch after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum amount of time an idle connection will remain idle
+  # before closing itself.  Zero means use the default of 60s. The
+  # format is a Go language duration (example 60s is 60 seconds).
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 3s.
+  # idle_connection_timeout: 3s
+
+  # Configure HTTP request timeout before failing a request to Elasticsearch.
+  #timeout: 90
+
+  # Prevents auditbeat from connecting to older Elasticsearch versions when set to `false`
+  #allow_older_versions: true
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+  # Enables restarting auditbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/elastic.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+
+# ------------------------------ Logstash Output -------------------------------
+#output.logstash:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # The Logstash hosts
+  #hosts: ["localhost:5044"]
+
+  # Number of workers per Logstash host.
+  #worker: 1
+
+  # Set gzip compression level.
+  #compression_level: 3
+
+  # Configure escaping HTML symbols in strings.
+  #escape_html: false
+
+  # Optional maximum time to live for a connection to Logstash, after which the
+  # connection will be re-established.  A value of `0s` (the default) will
+  # disable this feature.
+  #
+  # Not yet supported for async connections (i.e. with the "pipelining" option set)
+  #ttl: 30s
+
+  # Optionally load-balance events between Logstash hosts. Default is false.
+  #loadbalance: false
+
+  # Number of batches to be sent asynchronously to Logstash while processing
+  # new batches.
+  #pipelining: 2
+
+  # If enabled only a subset of events in a batch of events is transferred per
+  # transaction.  The number of events to be sent increases up to `bulk_max_size`
+  # if no error is encountered.
+  #slow_start: false
+
+  # The number of seconds to wait before trying to reconnect to Logstash
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Logstash after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # Optional index name. The default index name is set to auditbeat
+  # in all lowercase.
+  #index: 'auditbeat'
+
+  # SOCKS5 proxy server URL
+  #proxy_url: socks5://user:password@socks5-server:2233
+
+  # Resolve names locally when using a proxy server. Defaults to false.
+  #proxy_use_local_resolver: false
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting auditbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, the events are typically dropped.
+  # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
+  # and retry until all events are published.  Set max_retries to a value less
+  # than 0 to retry until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Logstash request. The
+  # default is 2048.
+  #bulk_max_size: 2048
+
+  # The number of seconds to wait for responses from the Logstash server before
+  # timing out. The default is 30s.
+  #timeout: 30s
+
+# -------------------------------- Kafka Output --------------------------------
+#output.kafka:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # The list of Kafka broker addresses from which to fetch the cluster metadata.
+  # The cluster metadata contain the actual Kafka brokers events are published
+  # to.
+  #hosts: ["localhost:9092"]
+
+  # The Kafka topic used for produced events. The setting can be a format string
+  # using any event field. To set the topic from document type use `%{[type]}`.
+  #topic: beats
+
+  # The Kafka event key setting. Use format string to create a unique event key.
+  # By default no event key will be generated.
+  #key: ''
+
+  # The Kafka event partitioning strategy. Default hashing strategy is `hash`
+  # using the `output.kafka.key` setting or randomly distributes events if
+  # `output.kafka.key` is not configured.
+  #partition.hash:
+    # If enabled, events will only be published to partitions with reachable
+    # leaders. Default is false.
+    #reachable_only: false
+
+    # Configure alternative event field names used to compute the hash value.
+    # If empty `output.kafka.key` setting will be used.
+    # Default value is empty list.
+    #hash: []
+
+  # Authentication details. Password is required if username is set.
+  #username: ''
+  #password: ''
+
+  # SASL authentication mechanism used. Can be one of PLAIN, SCRAM-SHA-256 or SCRAM-SHA-512.
+  # Defaults to PLAIN when `username` and `password` are configured.
+  #sasl.mechanism: ''
+
+  # Kafka version Auditbeat is assumed to run against. Defaults to the "1.0.0".
+  #version: '1.0.0'
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # Metadata update configuration. Metadata contains leader information
+  # used to decide which broker to use when publishing.
+  #metadata:
+    # Max metadata request retry attempts when cluster is in middle of leader
+    # election. Defaults to 3 retries.
+    #retry.max: 3
+
+    # Wait time between retries during leader elections. Default is 250ms.
+    #retry.backoff: 250ms
+
+    # Refresh metadata interval. Defaults to every 10 minutes.
+    #refresh_frequency: 10m
+
+    # Strategy for fetching the topics metadata from the broker. Default is false.
+    #full: false
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, events are typically dropped.
+  # Some Beats, such as Filebeat, ignore the max_retries setting and retry until
+  # all events are published.  Set max_retries to a value less than 0 to retry
+  # until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The number of seconds to wait before trying to republish to Kafka
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to republish. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful publish, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to republish to
+  # Kafka after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum number of events to bulk in a single Kafka request. The default
+  # is 2048.
+  #bulk_max_size: 2048
+
+  # Duration to wait before sending bulk Kafka request. 0 is no delay. The default
+  # is 0.
+  #bulk_flush_frequency: 0s
+
+  # The number of seconds to wait for responses from the Kafka brokers before
+  # timing out. The default is 30s.
+  #timeout: 30s
+
+  # The maximum duration a broker will wait for number of required ACKs. The
+  # default is 10s.
+  #broker_timeout: 10s
+
+  # The number of messages buffered for each Kafka broker. The default is 256.
+  #channel_buffer_size: 256
+
+  # The keep-alive period for an active network connection. If 0s, keep-alives
+  # are disabled. The default is 0 seconds.
+  #keep_alive: 0
+
+  # Sets the output compression codec. Must be one of none, snappy and gzip. The
+  # default is gzip.
+  #compression: gzip
+
+  # Set the compression level. Currently only gzip provides a compression level
+  # between 0 and 9. The default value is chosen by the compression algorithm.
+  #compression_level: 4
+
+  # The maximum permitted size of JSON-encoded messages. Bigger messages will be
+  # dropped. The default value is 1000000 (bytes). This value should be equal to
+  # or less than the broker's message.max.bytes.
+  #max_message_bytes: 1000000
+
+  # The ACK reliability level required from broker. 0=no response, 1=wait for
+  # local commit, -1=wait for all replicas to commit. The default is 1.  Note:
+  # If set to 0, no ACKs are returned by Kafka. Messages might be lost silently
+  # on error.
+  #required_acks: 1
+
+  # The configurable ClientID used for logging, debugging, and auditing
+  # purposes.  The default is "beats".
+  #client_id: beats
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting auditbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/security/keytabs/kafka.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # The service name. Service principal name is contructed from
+  # service_name/hostname@realm.
+  #kerberos.service_name: kafka
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+  # Enables Kerberos FAST authentication. This may
+  # conflict with certain Active Directory configurations.
+  #kerberos.enable_krb5_fast: false
+
+# -------------------------------- Redis Output --------------------------------
+#output.redis:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty print json event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # The list of Redis servers to connect to. If load-balancing is enabled, the
+  # events are distributed to the servers in the list. If one server becomes
+  # unreachable, the events are distributed to the reachable servers only.
+  # The hosts setting supports redis and rediss urls with custom password like
+  # redis://:password@localhost:6379.
+  #hosts: ["localhost:6379"]
+
+  # The name of the Redis list or channel the events are published to. The
+  # default is auditbeat.
+  #key: auditbeat
+
+  # The password to authenticate to Redis with. The default is no authentication.
+  #password:
+
+  # The Redis database number where the events are published. The default is 0.
+  #db: 0
+
+  # The Redis data type to use for publishing events. If the data type is list,
+  # the Redis RPUSH command is used. If the data type is channel, the Redis
+  # PUBLISH command is used. The default value is list.
+  #datatype: list
+
+  # The number of workers to use for each host configured to publish events to
+  # Redis. Use this setting along with the loadbalance option. For example, if
+  # you have 2 hosts and 3 workers, in total 6 workers are started (3 for each
+  # host).
+  #worker: 1
+
+  # If set to true and multiple hosts or workers are configured, the output
+  # plugin load balances published events onto all Redis hosts. If set to false,
+  # the output plugin sends all events to only one host (determined at random)
+  # and will switch to another host if the currently selected one becomes
+  # unreachable. The default value is true.
+  #loadbalance: true
+
+  # The Redis connection timeout in seconds. The default is 5 seconds.
+  #timeout: 5s
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, the events are typically dropped.
+  # Some Beats, such as Filebeat, ignore the max_retries setting and retry until
+  # all events are published. Set max_retries to a value less than 0 to retry
+  # until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The number of seconds to wait before trying to reconnect to Redis
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Redis after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum number of events to bulk in a single Redis request or pipeline.
+  # The default is 2048.
+  #bulk_max_size: 2048
+
+  # The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The
+  # value must be a URL with a scheme of socks5://.
+  #proxy_url:
+
+  # This option determines whether Redis hostnames are resolved locally when
+  # using a proxy. The default value is false, which means that name resolution
+  # occurs on the proxy server.
+  #proxy_use_local_resolver: false
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+# -------------------------------- File Output ---------------------------------
+#output.file:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # Path to the directory where to save the generated files. The option is
+  # mandatory.
+  #path: "/tmp/auditbeat"
+
+  # Name of the generated files. The default is `auditbeat` and it generates
+  # files: `auditbeat-{datetime}.ndjson`, `auditbeat-{datetime}-1.ndjson`, etc.
+  #filename: auditbeat
+
+  # Maximum size in kilobytes of each file. When this size is reached, and on
+  # every Auditbeat restart, the files are rotated. The default value is 10240
+  # kB.
+  #rotate_every_kb: 10000
+
+  # Maximum number of files under path. When this number of files is reached,
+  # the oldest file is deleted and the rest are shifted from last to first. The
+  # default is 7 files.
+  #number_of_files: 7
+
+  # Permissions to use for file creation. The default is 0600.
+  #permissions: 0600
+
+  # Configure automatic file rotation on every startup. The default is true.
+  #rotate_on_startup: true
+
+# ------------------------------- Console Output -------------------------------
+#output.console:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+# =================================== Paths ====================================
+
+# The home path for the Auditbeat installation. This is the default base path
+# for all other path settings and for miscellaneous files that come with the
+# distribution (for example, the sample dashboards).
+# If not set by a CLI flag or in the configuration file, the default for the
+# home path is the location of the binary.
+#path.home:
+
+# The configuration path for the Auditbeat installation. This is the default
+# base path for configuration files, including the main YAML configuration file
+# and the Elasticsearch template file. If not set by a CLI flag or in the
+# configuration file, the default for the configuration path is the home path.
+#path.config: ${path.home}
+
+# The data path for the Auditbeat installation. This is the default base path
+# for all the files in which Auditbeat needs to store its data. If not set by a
+# CLI flag or in the configuration file, the default for the data path is a data
+# subdirectory inside the home path.
+#path.data: ${path.home}/data
+
+# The logs path for a Auditbeat installation. This is the default location for
+# the Beat's log files. If not set by a CLI flag or in the configuration file,
+# the default for the logs path is a logs subdirectory inside the home path.
+#path.logs: ${path.home}/logs
+
+# ================================== Keystore ==================================
+
+# Location of the Keystore containing the keys and their sensitive values.
+#keystore.path: "${path.config}/beats.keystore"
+
+# ================================= Dashboards =================================
+
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards are disabled by default and can be enabled either by setting the
+# options here or by using the `-setup` CLI flag or the `setup` command.
+#setup.dashboards.enabled: false
+
+# The directory from where to read the dashboards. The default is the `kibana`
+# folder in the home path.
+#setup.dashboards.directory: ${path.home}/kibana
+
+# The URL from where to download the dashboard archive. It is used instead of
+# the directory if it has a value.
+#setup.dashboards.url:
+
+# The file archive (zip file) from where to read the dashboards. It is used instead
+# of the directory when it has a value.
+#setup.dashboards.file:
+
+# In case the archive contains the dashboards from multiple Beats, this lets you
+# select which one to load. You can load all the dashboards in the archive by
+# setting this to the empty string.
+#setup.dashboards.beat: auditbeat
+
+# The name of the Kibana index to use for setting the configuration. Default is ".kibana"
+#setup.dashboards.kibana_index: .kibana
+
+# The Elasticsearch index name. This overwrites the index name defined in the
+# dashboards and index pattern. Example: testbeat-*
+#setup.dashboards.index:
+
+# Always use the Kibana API for loading the dashboards instead of autodetecting
+# how to install the dashboards by first querying Elasticsearch.
+#setup.dashboards.always_kibana: false
+
+# If true and Kibana is not reachable at the time when dashboards are loaded,
+# it will retry to reconnect to Kibana instead of exiting with an error.
+#setup.dashboards.retry.enabled: false
+
+# Duration interval between Kibana connection retries.
+#setup.dashboards.retry.interval: 1s
+
+# Maximum number of retries before exiting with an error, 0 for unlimited retrying.
+#setup.dashboards.retry.maximum: 0
+
+# ================================== Template ==================================
+
+# A template is used to set the mapping in Elasticsearch
+# By default template loading is enabled and the template is loaded.
+# These settings can be adjusted to load your own template or overwrite existing ones.
+
+# Set to false to disable template loading.
+#setup.template.enabled: true
+
+# Template name. By default the template name is "auditbeat-%{[agent.version]}"
+# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
+#setup.template.name: "auditbeat-%{[agent.version]}"
+
+# Template pattern. By default the template pattern is "auditbeat-%{[agent.version]}" to apply to the default index settings.
+# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
+#setup.template.pattern: "auditbeat-%{[agent.version]}"
+
+# Path to fields.yml file to generate the template
+#setup.template.fields: "${path.config}/fields.yml"
+
+# A list of fields to be added to the template and Kibana index pattern. Also
+# specify setup.template.overwrite: true to overwrite the existing template.
+#setup.template.append_fields:
+#- name: field_name
+#  type: field_type
+
+# Enable JSON template loading. If this is enabled, the fields.yml is ignored.
+#setup.template.json.enabled: false
+
+# Path to the JSON template file
+#setup.template.json.path: "${path.config}/template.json"
+
+# Name under which the template is stored in Elasticsearch
+#setup.template.json.name: ""
+
+# Set this option if the JSON template is a data stream.
+#setup.template.json.data_stream: false
+
+# Overwrite existing template
+# Do not enable this option for more than one instance of auditbeat as it might
+# overload your Elasticsearch with too many update requests.
+#setup.template.overwrite: false
+
+# Elasticsearch template settings
+setup.template.settings:
+
+  # A dictionary of settings to place into the settings.index dictionary
+  # of the Elasticsearch template. For more details, please check
+  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html
+  #index:
+    #number_of_shards: 1
+    #codec: best_compression
+
+  # A dictionary of settings for the _source field. For more details, please check
+  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html
+  #_source:
+    #enabled: false
+
+# ====================== Index Lifecycle Management (ILM) ======================
+
+# Configure index lifecycle management (ILM) to manage the backing indices
+# of your data streams.
+
+# Enable ILM support. Valid values are true, or false.
+#setup.ilm.enabled: true
+
+# Set the lifecycle policy name. The default policy name is
+# 'beatname'.
+#setup.ilm.policy_name: "mypolicy"
+
+# The path to a JSON file that contains a lifecycle policy configuration. Used
+# to load your own lifecycle policy.
+#setup.ilm.policy_file:
+
+# Disable the check for an existing lifecycle policy. The default is true.
+# If you set this option to false, lifecycle policy will not be installed,
+# even if setup.ilm.overwrite is set to true.
+#setup.ilm.check_exists: true
+
+# Overwrite the lifecycle policy at startup. The default is false.
+#setup.ilm.overwrite: false
+
+# ======================== Data Stream Lifecycle (DSL) =========================
+
+# Configure Data Stream Lifecycle to manage data streams while connected to Serverless elasticsearch.
+# These settings are mutually exclusive with ILM settings which are not supported in Serverless projects.
+
+# Enable DSL support. Valid values are true, or false.
+#setup.dsl.enabled: true
+
+# Set the lifecycle policy name or pattern. For DSL, this name must match the data stream that the lifecycle is for.
+# The default data stream pattern is auditbeat-%{[agent.version]}"
+# The template string `%{[agent.version]}` will resolve to the current stack version.
+# The other possible template value is `%{[beat.name]}`.
+#setup.dsl.data_stream_pattern: "auditbeat-%{[agent.version]}"
+
+# The path to a JSON file that contains a lifecycle policy configuration. Used
+# to load your own lifecycle policy.
+# If no custom policy is specified, a default policy with a lifetime of 7 days will be created.
+#setup.dsl.policy_file:
+
+# Disable the check for an existing lifecycle policy. The default is true. If
+# you disable this check, set setup.dsl.overwrite: true so the lifecycle policy
+# can be installed.
+#setup.dsl.check_exists: true
+
+# Overwrite the lifecycle policy at startup. The default is false.
+#setup.dsl.overwrite: false
+
+# =================================== Kibana ===================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+  # Kibana Host
+  # Scheme and port can be left out and will be set to the default (http and 5601)
+  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+  #host: "localhost:5601"
+
+  # Optional protocol and basic auth credentials.
+  #protocol: "https"
+  #username: "elastic"
+  #password: "changeme"
+
+  # Optional HTTP path
+  #path: ""
+
+  # Optional Kibana space ID.
+  #space.id: ""
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+# ================================== Logging ===================================
+
+# There are four options for the log output: file, stderr, syslog, eventlog
+# The file output is the default.
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: info
+
+# Enable debug output for selected components. To enable all selectors use ["*"]
+# Other available selectors are "beat", "publisher", "service"
+# Multiple selectors can be chained.
+#logging.selectors: [ ]
+
+# Send all logging output to stderr. The default is false.
+#logging.to_stderr: false
+
+# Send all logging output to syslog. The default is false.
+#logging.to_syslog: false
+
+# Send all logging output to Windows Event Logs. The default is false.
+#logging.to_eventlog: false
+
+# If enabled, Auditbeat periodically logs its internal metrics that have changed
+# in the last period. For each metric that changed, the delta from the value at
+# the beginning of the period is logged. Also, the total values for
+# all non-zero internal metrics are logged on shutdown. The default is true.
+#logging.metrics.enabled: true
+
+# The period after which to log the internal metrics. The default is 30s.
+#logging.metrics.period: 30s
+
+# A list of metrics namespaces to report in the logs. Defaults to [stats].
+# `stats` contains general Beat metrics. `dataset` may be present in some
+# Beats and contains module or input metrics.
+#logging.metrics.namespaces: [stats]
+
+# Logging to rotating files. Set logging.to_files to false to disable logging to
+# files.
+logging.to_files: true
+logging.files:
+  # Configure the path where the logs are written. The default is the logs directory
+  # under the home path (the binary location).
+  #path: /var/log/auditbeat
+
+  # The name of the files where the logs are written to.
+  #name: auditbeat
+
+  # Configure log file size limit. If the limit is reached, log file will be
+  # automatically rotated.
+  #rotateeverybytes: 10485760 # = 10MB
+
+  # Number of rotated log files to keep. The oldest files will be deleted first.
+  #keepfiles: 7
+
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
+
+  # Enable log file rotation on time intervals in addition to the size-based rotation.
+  # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
+  # are boundary-aligned with minutes, hours, days, weeks, months, and years as
+  # reported by the local system clock. All other intervals are calculated from the
+  # Unix epoch. Defaults to disabled.
+  #interval: 0
+
+  # Rotate existing logs on startup rather than appending them to the existing
+  # file. Defaults to true.
+  # rotateonstartup: true
+
+#=============================== Events Logging ===============================
+# Some outputs will log raw events on errors like indexing errors in the
+# Elasticsearch output, to prevent logging raw events (that may contain
+# sensitive information) together with other log messages, a different
+# log file, only for log entries containing raw events, is used. It will
+# use the same level, selectors and all other configurations from the
+# default logger, but it will have it's own file configuration.
+#
+# Having a different log file for raw events also prevents event data
+# from drowning out the regular log files.
+#
+# IMPORTANT: No matter the default logger output configuration, raw events
+# will **always** be logged to a file configured by `logging.event_data.files`.
+
+# logging.event_data:
+# Logging to rotating files. Set logging.to_files to false to disable logging to
+# files.
+#logging.event_data.to_files: true
+#logging.event_data:
+  # Configure the path where the logs are written. The default is the logs directory
+  # under the home path (the binary location).
+  #path: /var/log/auditbeat
+
+  # The name of the files where the logs are written to.
+  #name: auditbeat-events-data
+
+  # Configure log file size limit. If the limit is reached, log file will be
+  # automatically rotated.
+  #rotateeverybytes: 5242880 # = 5MB
+
+  # Number of rotated log files to keep. The oldest files will be deleted first.
+  #keepfiles: 2
+
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
+
+  # Enable log file rotation on time intervals in addition to the size-based rotation.
+  # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
+  # are boundary-aligned with minutes, hours, days, weeks, months, and years as
+  # reported by the local system clock. All other intervals are calculated from the
+  # Unix epoch. Defaults to disabled.
+  #interval: 0
+
+  # Rotate existing logs on startup rather than appending them to the existing
+  # file. Defaults to false.
+  # rotateonstartup: false
+
+# ============================= X-Pack Monitoring ==============================
+# Auditbeat can export internal metrics to a central Elasticsearch monitoring
+# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#monitoring.enabled: false
+
+# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
+# Auditbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
+# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
+#monitoring.cluster_uuid:
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well.
+# Note that the settings should point to your Elasticsearch *monitoring* cluster.
+# Any setting that is not set is automatically inherited from the Elasticsearch
+# output configuration, so if you have the Elasticsearch output configured such
+# that it is pointing to your Elasticsearch monitoring cluster, you can simply
+# uncomment the following line.
+#monitoring.elasticsearch:
+
+  # Array of hosts to connect to.
+  # Scheme and port can be left out and will be set to the default (http and 9200)
+  # In case you specify an additional path, the scheme is required: http://localhost:9200/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+  #hosts: ["localhost:9200"]
+
+  # Set gzip compression level.
+  #compression_level: 0
+
+  # Protocol - either `http` (default) or `https`.
+  #protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
+  #username: "beats_system"
+  #password: "changeme"
+
+  # Dictionary of HTTP parameters to pass within the URL with index operations.
+  #parameters:
+    #param1: value1
+    #param2: value2
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Proxy server url
+  #proxy_url: http://proxy:3128
+
+  # The number of times a particular Elasticsearch index operation is attempted. If
+  # the indexing operation doesn't succeed after this many retries, the events are
+  # dropped. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+  # The default is 50.
+  #bulk_max_size: 50
+
+  # The number of seconds to wait before trying to reconnect to Elasticsearch
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Elasticsearch after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # Configure HTTP request timeout before failing a request to Elasticsearch.
+  #timeout: 90
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/elastic.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+  #metrics.period: 10s
+  #state.period: 1m
+
+# The `monitoring.cloud.id` setting overwrites the `monitoring.elasticsearch.hosts`
+# setting. You can find the value for this setting in the Elastic Cloud web UI.
+#monitoring.cloud.id:
+
+# The `monitoring.cloud.auth` setting overwrites the `monitoring.elasticsearch.username`
+# and `monitoring.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#monitoring.cloud.auth:
+
+# =============================== HTTP Endpoint ================================
+
+# Each beat can expose internal metrics through an HTTP endpoint. For security
+# reasons the endpoint is disabled by default. This feature is currently experimental.
+# Stats can be accessed through http://localhost:5066/stats. For pretty JSON output
+# append ?pretty to the URL.
+
+# Defines if the HTTP endpoint is enabled.
+#http.enabled: false
+
+# The HTTP endpoint will bind to this hostname, IP address, unix socket, or named pipe.
+# When using IP addresses, it is recommended to only use localhost.
+#http.host: localhost
+
+# Port on which the HTTP endpoint will bind. Default is 5066.
+#http.port: 5066
+
+# Define which user should be owning the named pipe.
+#http.named_pipe.user:
+
+# Define which permissions should be applied to the named pipe, use the Security
+# Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with
+# `http.user`.
+#http.named_pipe.security_descriptor:
+
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
+# Controls the fraction of goroutine blocking events that are reported in the
+# blocking profile.
+#http.pprof.block_profile_rate: 0
+
+# Controls the fraction of memory allocations that are recorded and reported in
+# the memory profile.
+#http.pprof.mem_profile_rate: 524288
+
+# Controls the fraction of mutex contention events that are reported in the
+# mutex profile.
+#http.pprof.mutex_profile_rate: 0
+
+# ============================== Process Security ==============================
+
+# Enable or disable seccomp system call filtering on Linux. Default is enabled.
+#seccomp.enabled: true
+
+# ============================== Instrumentation ===============================
+
+# Instrumentation support for the auditbeat.
+#instrumentation:
+    # Set to true to enable instrumentation of auditbeat.
+    #enabled: false
+
+    # Environment in which auditbeat is running on (eg: staging, production, etc.)
+    #environment: ""
+
+    # APM Server hosts to report instrumentation results to.
+    #hosts:
+    #  - http://localhost:8200
+
+    # API Key for the APM Server(s).
+    # If api_key is set then secret_token will be ignored.
+    #api_key:
+
+    # Secret token for the APM Server(s).
+    #secret_token:
+
+    # Enable profiling of the server, recording profile samples as events.
+    #
+    # This feature is experimental.
+    #profiling:
+        #cpu:
+            # Set to true to enable CPU profiling.
+            #enabled: false
+            #interval: 60s
+            #duration: 10s
+        #heap:
+            # Set to true to enable heap profiling.
+            #enabled: false
+            #interval: 60s
+
+# ================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: false
+
+# =============================== Feature Flags ================================
+
+# Enable and configure feature flags.
+#features:
+#  fqdn:
+#    enabled: true
+```
+
diff --git a/docs/reference/auditbeat/auditbeat-starting.md b/docs/reference/auditbeat/auditbeat-starting.md
new file mode 100644
index 000000000000..2ff51fec383d
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-starting.md
@@ -0,0 +1,70 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-starting.html
+---
+
+# Start Auditbeat [auditbeat-starting]
+
+Before starting Auditbeat:
+
+* Follow the steps in [Quick start: installation and configuration](/reference/auditbeat/auditbeat-installation-configuration.md) to install, configure, and set up the Auditbeat environment.
+* Make sure {{kib}} and {{es}} are running.
+* Make sure the user specified in `auditbeat.yml` is [authorized to publish events](/reference/auditbeat/privileges-to-publish-events.md).
+
+To start Auditbeat, run:
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+sudo service auditbeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Auditbeat, you can’t specify command line flags (see [Command reference](/reference/auditbeat/command-line-options.md)). To specify flags, start Auditbeat in the foreground.
+::::
+
+
+Also see [Auditbeat and systemd](/reference/auditbeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} RPM
+```sh
+sudo service auditbeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Auditbeat, you can’t specify command line flags (see [Command reference](/reference/auditbeat/command-line-options.md)). To specify flags, start Auditbeat in the foreground.
+::::
+
+
+Also see [Auditbeat and systemd](/reference/auditbeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} MacOS
+```sh
+sudo chown root auditbeat.yml <1>
+sudo ./auditbeat -e
+```
+
+1. You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Linux
+```sh
+sudo chown root auditbeat.yml <1>
+sudo ./auditbeat -e
+```
+
+1. You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Windows
+```sh
+PS C:\Program Files\auditbeat> Start-Service auditbeat
+```
+
+By default, Windows log files are stored in `C:\ProgramData\auditbeat\Logs`.
+::::::
+
+:::::::
diff --git a/docs/reference/auditbeat/auditbeat-template.md b/docs/reference/auditbeat/auditbeat-template.md
new file mode 100644
index 000000000000..78188f074945
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat-template.md
@@ -0,0 +1,228 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-template.html
+---
+
+# Load the Elasticsearch index template [auditbeat-template]
+
+{{es}} uses [index templates](docs-content://manage-data/data-store/templates.md) to define:
+
+* Settings that control the behavior of your data stream and backing indices. The settings include the lifecycle policy used to manage backing indices as they grow and age.
+* Mappings that determine how fields are analyzed. Each mapping sets the [{{es}} datatype](elasticsearch://reference/elasticsearch/mapping-reference/field-data-types.md) to use for a specific data field.
+
+The recommended index template file for Auditbeat is installed by the Auditbeat packages. If you accept the default configuration in the `auditbeat.yml` config file, Auditbeat loads the template automatically after successfully connecting to {{es}}. If the template already exists, it’s not overwritten unless you configure Auditbeat to do so.
+
+::::{note}
+A connection to {{es}} is required to load the index template. If the output is not {{es}} (or {{ess}}), you must [load the template manually](#load-template-manually).
+::::
+
+
+This page shows how to change the default template loading behavior to:
+
+* [Load your own index template](#load-custom-template)
+* [Overwrite an existing index template](#overwrite-template)
+* [Disable automatic index template loading](#disable-template-loading)
+* [Load the index template manually](#load-template-manually)
+
+For a full list of template setup options, see [Elasticsearch index template](/reference/auditbeat/configuration-template.md).
+
+
+## Load your own index template [load-custom-template]
+
+To load your own index template, set the following options:
+
+```yaml
+setup.template.name: "your_template_name"
+setup.template.fields: "path/to/fields.yml"
+```
+
+If the template already exists, it’s not overwritten unless you configure Auditbeat to do so.
+
+You can load templates for both data streams and indices.
+
+
+## Overwrite an existing index template [overwrite-template]
+
+::::{warning}
+Do not enable this option for more than one instance of Auditbeat. If you start multiple instances at the same time, it can overload your {{es}} with too many template update requests.
+::::
+
+
+To overwrite a template that’s already loaded into {{es}}, set:
+
+```yaml
+setup.template.overwrite: true
+```
+
+
+## Disable automatic index template loading [disable-template-loading]
+
+You may want to disable automatic template loading if you’re using an output other than {{es}} and need to load the template manually. To disable automatic template loading, set:
+
+```yaml
+setup.template.enabled: false
+```
+
+If you disable automatic template loading, you must load the index template manually.
+
+
+## Load the index template manually [load-template-manually]
+
+To load the index template manually, run the [`setup`](/reference/auditbeat/command-line-options.md#setup-command) command. A connection to {{es}} is required.  If another output is enabled, you need to temporarily disable that output and enable {{es}} by using the `-E` option. The examples here assume that Logstash output is enabled. You can omit the `-E` flags if {{es}} output is already enabled.
+
+If you are connecting to a secured {{es}} cluster, make sure you’ve configured credentials as described in the [Quick start: installation and configuration](/reference/auditbeat/auditbeat-installation-configuration.md).
+
+If the host running Auditbeat does not have direct connectivity to {{es}}, see [Load the index template manually (alternate method)](#load-template-manually-alternate).
+
+To load the template, use the appropriate command for your system.
+
+**deb and rpm:**
+
+```sh
+auditbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**mac:**
+
+```sh
+./auditbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**linux:**
+
+```sh
+./auditbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**docker:**
+
+```sh
+docker run --rm docker.elastic.co/beats/auditbeat:9.0.0-beta1 setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**win:**
+
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Auditbeat, and run:
+
+```sh
+PS > .\auditbeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+
+### Force Kibana to look at newest documents [force-kibana-new]
+
+If you’ve already used Auditbeat to index data into {{es}}, the index may contain old documents. After you load the index template, you can delete the old documents from `auditbeat-*` to force Kibana to look at the newest documents.
+
+Use this command:
+
+**deb and rpm:**
+
+```sh
+curl -XDELETE 'http://localhost:9200/auditbeat-*'
+```
+
+**mac:**
+
+```sh
+curl -XDELETE 'http://localhost:9200/auditbeat-*'
+```
+
+**linux:**
+
+```sh
+curl -XDELETE 'http://localhost:9200/auditbeat-*'
+```
+
+**win:**
+
+```sh
+PS > Invoke-RestMethod -Method Delete "http://localhost:9200/auditbeat-*"
+```
+
+This command deletes all indices that match the pattern `auditbeat`. Before running this command, make sure you want to delete all indices that match the pattern.
+
+
+## Load the index template manually (alternate method) [load-template-manually-alternate]
+
+If the host running Auditbeat does not have direct connectivity to {{es}}, you can export the index template to a file, move it to a machine that does have connectivity, and then install the template manually.
+
+To export the index template, run:
+
+**deb and rpm:**
+
+```sh
+auditbeat export template > auditbeat.template.json
+```
+
+**mac:**
+
+```sh
+./auditbeat export template > auditbeat.template.json
+```
+
+**linux:**
+
+```sh
+./auditbeat export template > auditbeat.template.json
+```
+
+**win:**
+
+```sh
+PS > .\auditbeat.exe export template --es.version 9.0.0-beta1 | Out-File -Encoding UTF8 auditbeat.template.json
+```
+
+To install the template, run:
+
+**deb and rpm:**
+
+```sh
+curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/auditbeat-9.0.0-beta1 -d@auditbeat.template.json
+```
+
+**mac:**
+
+```sh
+curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/auditbeat-9.0.0-beta1 -d@auditbeat.template.json
+```
+
+**linux:**
+
+```sh
+curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/auditbeat-9.0.0-beta1 -d@auditbeat.template.json
+```
+
+**win:**
+
+```sh
+PS > Invoke-RestMethod -Method Put -ContentType "application/json" -InFile auditbeat.template.json -Uri http://localhost:9200/_index_template/auditbeat-9.0.0-beta1
+```
+
+Once you have loaded the index template, load the data stream as well. If you do not load it, you have to give the publisher user `manage` permission on auditbeat-9.0.0-beta1 index.
+
+**deb and rpm:**
+
+```sh
+curl -XPUT http://localhost:9200/_data_stream/auditbeat-9.0.0-beta1
+```
+
+**mac:**
+
+```sh
+curl -XPUT http://localhost:9200/_data_stream/auditbeat-9.0.0-beta1
+```
+
+**linux:**
+
+```sh
+curl -XPUT http://localhost:9200/_data_stream/auditbeat-9.0.0-beta1
+```
+
+**win:**
+
+```sh
+PS > Invoke-RestMethod -Method Put -Uri http://localhost:9200/_data_stream/auditbeat-9.0.0-beta1
+```
+
diff --git a/docs/reference/auditbeat/auditbeat.md b/docs/reference/auditbeat/auditbeat.md
new file mode 100644
index 000000000000..0be0c0096c02
--- /dev/null
+++ b/docs/reference/auditbeat/auditbeat.md
@@ -0,0 +1,8 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/index.html
+---
+
+# Auditbeat
+
+Just a placeholder for a top index page.
diff --git a/docs/reference/auditbeat/bandwidth-throttling.md b/docs/reference/auditbeat/bandwidth-throttling.md
new file mode 100644
index 000000000000..8c8b2961fdc5
--- /dev/null
+++ b/docs/reference/auditbeat/bandwidth-throttling.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/bandwidth-throttling.html
+---
+
+# Auditbeat uses too much bandwidth [bandwidth-throttling]
+
+If you need to limit bandwidth usage, we recommend that you configure the network stack on your OS to perform bandwidth throttling.
+
+For example, the following Linux commands cap the connection between Auditbeat and Logstash by setting a limit of 50 kbps on TCP connections over port 5044:
+
+```shell
+tc qdisc add dev $DEV root handle 1: htb
+tc class add dev $DEV parent 1:1 classid 1:10 htb rate 50kbps ceil 50kbps
+tc filter add dev $DEV parent 1:0 prio 1 protocol ip handle 10 fw flowid 1:10
+iptables -A OUTPUT -t mangle -p tcp --dport 5044 -j MARK --set-mark 10
+```
+
+Using OS tools to perform bandwidth throttling gives you better control over policies. For example, you can use OS tools to cap bandwidth during the day, but not at night. Or you can leave the bandwidth uncapped, but assign a low priority to the traffic.
+
diff --git a/docs/reference/auditbeat/beats-api-keys.md b/docs/reference/auditbeat/beats-api-keys.md
new file mode 100644
index 000000000000..2772c23eadd0
--- /dev/null
+++ b/docs/reference/auditbeat/beats-api-keys.md
@@ -0,0 +1,142 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/beats-api-keys.html
+---
+
+# Grant access using API keys [beats-api-keys]
+
+Instead of using usernames and passwords, you can use API keys to grant access to {{es}} resources. You can set API keys to expire at a certain time, and you can explicitly invalidate them. Any user with the `manage_api_key` or `manage_own_api_key` cluster privilege can create API keys.
+
+Auditbeat instances typically send both collected data and monitoring information to {{es}}. If you are sending both to the same cluster, you can use the same API key. For different clusters, you need to use an API key per cluster.
+
+::::{note}
+For security reasons, we recommend using a unique API key per Auditbeat instance. You can create as many API keys per user as necessary.
+::::
+
+
+::::{important}
+Review [*Grant users access to secured resources*](/reference/auditbeat/feature-roles.md) before creating API keys for Auditbeat.
+::::
+
+
+
+## Create an API key for publishing [beats-api-key-publish]
+
+To create an API key to use for writing data to {{es}}, use the [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key), for example:
+
+```console
+POST /_security/api_key
+{
+  "name": "auditbeat_host001", <1>
+  "role_descriptors": {
+    "auditbeat_writer": { <2>
+      "cluster": ["monitor", "read_ilm", "read_pipeline"],
+      "index": [
+        {
+          "names": ["auditbeat-*"],
+          "privileges": ["view_index_metadata", "create_doc", "auto_configure"]
+        }
+      ]
+    }
+  }
+}
+```
+
+1. Name of the API key
+2. Granted privileges, see [*Grant users access to secured resources*](/reference/auditbeat/feature-roles.md)
+
+
+::::{note}
+See [Create a *publishing* user](/reference/auditbeat/privileges-to-publish-events.md) for the list of privileges required to publish events.
+::::
+
+
+The return value will look something like this:
+
+```console-result
+{
+  "id":"TiNAGG4BaaMdaH1tRfuU", <1>
+  "name":"auditbeat_host001",
+  "api_key":"KnR6yE41RrSowb0kQ0HWoA" <2>
+}
+```
+
+1. Unique id for this API key
+2. Generated API key
+
+
+You can now use this API key in your `auditbeat.yml` configuration file like this:
+
+```yaml
+output.elasticsearch:
+  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA <1>
+```
+
+1. Format is `id:api_key` (as returned by [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key))
+
+
+
+## Create an API key for monitoring [beats-api-key-monitor]
+
+To create an API key to use for sending monitoring data to {{es}}, use the [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key), for example:
+
+```console
+POST /_security/api_key
+{
+  "name": "auditbeat_host001", <1>
+  "role_descriptors": {
+    "auditbeat_monitoring": { <2>
+      "cluster": ["monitor"],
+      "index": [
+        {
+          "names": [".monitoring-beats-*"],
+          "privileges": ["create_index", "create"]
+        }
+      ]
+    }
+  }
+}
+```
+
+1. Name of the API key
+2. Granted privileges, see [*Grant users access to secured resources*](/reference/auditbeat/feature-roles.md)
+
+
+::::{note}
+See [Create a *monitoring* user](/reference/auditbeat/privileges-to-publish-monitoring.md) for the list of privileges required to send monitoring data.
+::::
+
+
+The return value will look something like this:
+
+```console-result
+{
+  "id":"TiNAGG4BaaMdaH1tRfuU", <1>
+  "name":"auditbeat_host001",
+  "api_key":"KnR6yE41RrSowb0kQ0HWoA" <2>
+}
+```
+
+1. Unique id for this API key
+2. Generated API key
+
+
+You can now use this API key in your `auditbeat.yml` configuration file like this:
+
+```yaml
+monitoring.elasticsearch:
+  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA <1>
+```
+
+1. Format is `id:api_key` (as returned by [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key))
+
+
+
+## Learn more about API keys [learn-more-api-keys]
+
+See the {{es}} API key documentation for more information:
+
+* [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key)
+* [Get API key information](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-get-api-key)
+* [Invalidate API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-invalidate-api-key)
+
diff --git a/docs/reference/auditbeat/change-index-name.md b/docs/reference/auditbeat/change-index-name.md
new file mode 100644
index 000000000000..468db6c9284c
--- /dev/null
+++ b/docs/reference/auditbeat/change-index-name.md
@@ -0,0 +1,23 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/change-index-name.html
+---
+
+# Change the index name [change-index-name]
+
+Auditbeat uses data streams named `auditbeat-9.0.0-beta1`. To use a different name, set the [`index`](/reference/auditbeat/elasticsearch-output.md#index-option-es) option in the {{es}} output. You also need to configure the `setup.template.name` and `setup.template.pattern` options to match the new name. For example:
+
+```sh
+output.elasticsearch.index: "customname-%{[agent.version]}"
+setup.template.name: "customname-%{[agent.version]}"
+setup.template.pattern: "customname-%{[agent.version]}"
+```
+
+If you’re using pre-built Kibana dashboards, also set the `setup.dashboards.index` option. For example:
+
+```yaml
+setup.dashboards.index: "customname-*"
+```
+
+For a full list of template setup options, see [Elasticsearch index template](/reference/auditbeat/configuration-template.md).
+
diff --git a/docs/reference/auditbeat/command-line-options.md b/docs/reference/auditbeat/command-line-options.md
new file mode 100644
index 000000000000..ae37d5282d90
--- /dev/null
+++ b/docs/reference/auditbeat/command-line-options.md
@@ -0,0 +1,362 @@
+---
+navigation_title: "Command reference"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/command-line-options.html
+---
+
+# Auditbeat command reference [command-line-options]
+
+
+Auditbeat provides a command-line interface for starting Auditbeat and performing common tasks, like testing configuration files and loading dashboards.
+
+The command-line also supports [global flags](#global-flags) for controlling global behaviors.
+
+::::{tip}
+Use `sudo` to run the following commands if:
+
+* the config file is owned by `root`, or
+* Auditbeat is configured to capture data that requires `root` access
+
+::::
+
+
+Some of the features described here require an Elastic license. For more information, see [https://www.elastic.co/subscriptions](https://www.elastic.co/subscriptions) and [License Management](docs-content://deploy-manage/license/manage-your-license-in-self-managed-cluster.md).
+
+| Commands |  |
+| --- | --- |
+| [`export`](#export-command) | Exports the configuration, index template, ILM policy, or a dashboard to stdout. |
+| [`help`](#help-command) | Shows help for any command. |
+| [`keystore`](#keystore-command) | Manages the [secrets keystore](/reference/auditbeat/keystore.md). |
+| [`run`](#run-command) | Runs Auditbeat. This command is used by default if you start Auditbeat without specifying a command. |
+| [`setup`](#setup-command) | Sets up the initial environment, including the index template, ILM policy and write alias, and {{kib}} dashboards (when available). |
+| [`test`](#test-command) | Tests the configuration. |
+| [`version`](#version-command) | Shows information about the current version. |
+
+Also see [Global flags](#global-flags).
+
+## `export` command [export-command]
+
+Exports the configuration, index template, ILM policy, or a dashboard to stdout. You can use this command to quickly view your configuration, see the contents of the index template and the ILM policy, or export a dashboard from {{kib}}.
+
+**SYNOPSIS**
+
+```sh
+auditbeat export SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`config`**
+:   Exports the current configuration to stdout. If you use the `-c` flag, this command exports the configuration that’s defined in the specified file.
+
+$$$dashboard-subcommand$$$**`dashboard`**
+:   Exports a dashboard. You can use this option to store a dashboard on disk in a module and load it automatically. For example, to export the dashboard to a JSON file, run:
+
+    ```shell
+    auditbeat export dashboard --id="DASHBOARD_ID" > dashboard.json
+    ```
+
+    To find the `DASHBOARD_ID`, look at the URL for the dashboard in {{kib}}. By default, `export dashboard` writes the dashboard to stdout. The example shows how to write the dashboard to a JSON file so that you can import it later. The JSON file will contain the dashboard with all visualizations and searches. You must load the index pattern separately for Auditbeat.
+
+    To load the dashboard, copy the generated `dashboard.json` file into the `kibana/6/dashboard` directory of Auditbeat, and run `auditbeat setup --dashboards` to import the dashboard.
+
+    If {{kib}} is not running on `localhost:5061`, you must also adjust the Auditbeat configuration under `setup.kibana`.
+
+
+$$$template-subcommand$$$**`template`**
+:   Exports the index template to stdout. You can specify the `--es.version` flag to further define what gets exported. Furthermore you can export the template to a file instead of `stdout` by defining a directory via `--dir`.
+
+$$$ilm-policy-subcommand$$$
+
+**`ilm-policy`**
+:   Exports the index lifecycle management policy to stdout. You can specify the `--es.version` and a `--dir` to which the policy should be exported as a file rather than exporting to `stdout`.
+
+**FLAGS**
+
+**`--es.version VERSION`**
+:   When used with [`template`](#template-subcommand), exports an index template that is compatible with the specified version.  When used with [`ilm-policy`](#ilm-policy-subcommand), exports the ILM policy if the specified ES version is enabled for ILM.
+
+**`-h, --help`**
+:   Shows help for the `export` command.
+
+**`--dir DIRNAME`**
+:   Define a directory to which the template, pipelines, and ILM policy should be exported to as files instead of printing them to `stdout`.
+
+**`--id DASHBOARD_ID`**
+:   When used with [`dashboard`](#dashboard-subcommand), specifies the dashboard ID.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+auditbeat export config
+auditbeat export template --es.version 9.0.0-beta1
+auditbeat export dashboard --id="a7b35890-8baa-11e8-9676-ef67484126fb" > dashboard.json
+```
+
+
+## `help` command [help-command]
+
+Shows help for any command. If no command is specified, shows help for the `run` command.
+
+**SYNOPSIS**
+
+```sh
+auditbeat help COMMAND_NAME [FLAGS]
+```
+
+**`COMMAND_NAME`**
+:   Specifies the name of the command to show help for.
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `help` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+auditbeat help export
+```
+
+
+## `keystore` command [keystore-command]
+
+Manages the [secrets keystore](/reference/auditbeat/keystore.md).
+
+**SYNOPSIS**
+
+```sh
+auditbeat keystore SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`add KEY`**
+:   Adds the specified key to the keystore. Use the `--force` flag to overwrite an existing key. Use the `--stdin` flag to pass the value through `stdin`.
+
+**`create`**
+:   Creates a keystore to hold secrets. Use the `--force` flag to overwrite the existing keystore.
+
+**`list`**
+:   Lists the keys in the keystore.
+
+**`remove KEY`**
+:   Removes the specified key from the keystore.
+
+**FLAGS**
+
+**`--force`**
+:   Valid with the `add` and `create` subcommands. When used with `add`, overwrites the specified key. When used with `create`, overwrites the keystore.
+
+**`--stdin`**
+:   When used with `add`, uses the stdin as the source of the key’s value.
+
+**`-h, --help`**
+:   Shows help for the `keystore` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+auditbeat keystore create
+auditbeat keystore add ES_PWD
+auditbeat keystore remove ES_PWD
+auditbeat keystore list
+```
+
+See [Secrets keystore](/reference/auditbeat/keystore.md) for more examples.
+
+
+## `run` command [run-command]
+
+Runs Auditbeat. This command is used by default if you start Auditbeat without specifying a command.
+
+**SYNOPSIS**
+
+```sh
+auditbeat run [FLAGS]
+```
+
+Or:
+
+```sh
+auditbeat [FLAGS]
+```
+
+**FLAGS**
+
+**`-N, --N`**
+:   Disables publishing for testing purposes. This option disables all outputs except the [File output](/reference/auditbeat/file-output.md).
+
+**`--cpuprofile FILE`**
+:   Writes CPU profile data to the specified file. This option is useful for troubleshooting Auditbeat.
+
+**`-h, --help`**
+:   Shows help for the `run` command.
+
+**`--httpprof [HOST]:PORT`**
+:   Starts an http server for profiling. This option is useful for troubleshooting and profiling Auditbeat.
+
+**`--memprofile FILE`**
+:   Writes memory profile data to the specified output file. This option is useful for troubleshooting Auditbeat.
+
+**`--system.hostfs MOUNT_POINT`**
+:   Specifies the mount point of the host’s filesystem for use in monitoring a host. This flag is depricated, and an alternate hostfs should be specified via the `hostfs` module config value.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+auditbeat run -e
+```
+
+Or:
+
+```sh
+auditbeat -e
+```
+
+
+## `setup` command [setup-command]
+
+Sets up the initial environment, including the index template, ILM policy and write alias, and {{kib}} dashboards (when available)
+
+* The index template ensures that fields are mapped correctly in Elasticsearch. If index lifecycle management is enabled it also ensures that the defined ILM policy and write alias are connected to the indices matching the index template. The ILM policy takes care of the lifecycle of an index, when to do a rollover, when to move an index from the hot phase to the next phase, etc.
+* The {{kib}} dashboards make it easier for you to visualize Auditbeat data in {{kib}}.
+
+This command sets up the environment without actually running Auditbeat and ingesting data. Specify optional flags to set up a subset of assets.
+
+**SYNOPSIS**
+
+```sh
+auditbeat setup [FLAGS]
+```
+
+**FLAGS**
+
+**`--dashboards`**
+:   Sets up the {{kib}} dashboards (when available). This option loads the dashboards from the Auditbeat package. For more options, such as loading customized dashboards, see [Importing Existing Beat Dashboards](http://www.elastic.co/guide/en/beats/devguide/master/import-dashboards.md) in the *Beats Developer Guide*.
+
+**`-h, --help`**
+:   Shows help for the `setup` command.
+
+**`--index-management`**
+:   Sets up components related to Elasticsearch index management including template, ILM policy, and write alias (if supported and configured).
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+auditbeat setup --dashboards
+auditbeat setup --index-management
+```
+
+
+## `test` command [test-command]
+
+Tests the configuration.
+
+**SYNOPSIS**
+
+```sh
+auditbeat test SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`config`**
+:   Tests the configuration settings.
+
+**`output`**
+:   Tests that Auditbeat can connect to the output by using the current settings.
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `test` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+auditbeat test config
+```
+
+
+## `version` command [version-command]
+
+Shows information about the current version.
+
+**SYNOPSIS**
+
+```sh
+auditbeat version [FLAGS]
+```
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `version` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+auditbeat version
+```
+
+
+## Global flags [global-flags]
+
+These global flags are available whenever you run Auditbeat.
+
+**`-E, --E "SETTING_NAME=VALUE"`**
+:   Overrides a specific configuration setting. You can specify multiple overrides. For example:
+
+    ```sh
+    auditbeat -E "name=mybeat" -E "output.elasticsearch.hosts=['http://myhost:9200']"
+    ```
+
+    This setting is applied to the currently running Auditbeat process. The Auditbeat configuration file is not changed.
+
+
+**`-c, --c FILE`**
+:   Specifies the configuration file to use for Auditbeat. The file you specify here is relative to `path.config`. If the `-c` flag is not specified, the default config file, `auditbeat.yml`, is used.
+
+**`-d, --d SELECTORS`**
+:   Enables debugging for the specified selectors. For the selectors, you can specify a comma-separated list of components, or you can use `-d "*"` to enable debugging for all components. For example, `-d "publisher"` displays all the publisher-related messages.
+
+**`-e, --e`**
+:   Logs to stderr and disables syslog/file output.
+
+**`--environment`**
+:   For logging purposes, specifies the environment that Auditbeat is running in. This setting is used to select a default log output when no log output is configured. Supported values are: `systemd`, `container`, `macos_service`, and `windows_service`. If `systemd` or `container` is specified, Auditbeat will log to stdout and stderr by default.
+
+**`--path.config`**
+:   Sets the path for configuration files. See the [Directory layout](/reference/auditbeat/directory-layout.md) section for details.
+
+**`--path.data`**
+:   Sets the path for data files. See the [Directory layout](/reference/auditbeat/directory-layout.md) section for details.
+
+**`--path.home`**
+:   Sets the path for miscellaneous files. See the [Directory layout](/reference/auditbeat/directory-layout.md) section for details.
+
+**`--path.logs`**
+:   Sets the path for log files. See the [Directory layout](/reference/auditbeat/directory-layout.md) section for details.
+
+**`--strict.perms`**
+:   Sets strict permission checking on configuration files. The default is `--strict.perms=true`. See [Config file ownership and permissions](/reference/libbeat/config-file-permissions.md) for more information.
+
+**`-v, --v`**
+:   Logs INFO-level messages.
+
+
diff --git a/docs/reference/auditbeat/community-id.md b/docs/reference/auditbeat/community-id.md
new file mode 100644
index 000000000000..c5882878e85a
--- /dev/null
+++ b/docs/reference/auditbeat/community-id.md
@@ -0,0 +1,41 @@
+---
+navigation_title: "community_id"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/community-id.html
+---
+
+# Community ID Network Flow Hash [community-id]
+
+
+The `community_id` processor computes a network flow hash according to the [Community ID Flow Hash specification](https://github.com/corelight/community-id-spec).
+
+The flow hash is useful for correlating all network events related to a single flow. For example you can filter on a community ID value and you might get back the Netflow records from multiple collectors and layer 7 protocol records from Packetbeat.
+
+By default the processor is configured to read the flow parameters from the appropriate Elastic Common Schema (ECS) fields. If you are processing ECS data then no parameters are required.
+
+```yaml
+processors:
+  - community_id:
+```
+
+If the data does not conform to ECS then you can customize the field names that the processor reads from. You can also change the `target` field which is where the computed hash is written to.
+
+```yaml
+processors:
+  - community_id:
+      fields:
+        source_ip: my_source_ip
+        source_port: my_source_port
+        destination_ip: my_dest_ip
+        destination_port: my_dest_port
+        iana_number: my_iana_number
+        transport: my_transport
+        icmp_type: my_icmp_type
+        icmp_code: my_icmp_code
+      target: network.community_id
+```
+
+If the necessary fields are not present in the event then the processor will silently continue without adding the target field.
+
+The processor also accepts an optional `seed` parameter that must be a 16-bit unsigned integer. This value gets incorporated into all generated hashes.
+
diff --git a/docs/reference/auditbeat/configuration-auditbeat.md b/docs/reference/auditbeat/configuration-auditbeat.md
new file mode 100644
index 000000000000..0d13f0766834
--- /dev/null
+++ b/docs/reference/auditbeat/configuration-auditbeat.md
@@ -0,0 +1,32 @@
+---
+navigation_title: "Modules"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-auditbeat.html
+---
+
+# Configure modules [configuration-auditbeat]
+
+
+To enable specific modules you add entries to the `auditbeat.modules` list in the `auditbeat.yml` config file. Each entry in the list begins with a dash (-) and is followed by settings for that module.
+
+The following example shows a configuration that runs the `auditd` and `file_integrity` modules.
+
+```yaml
+auditbeat.modules:
+
+- module: auditd
+  audit_rules: |
+    -w /etc/passwd -p wa -k identity
+    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+
+- module: file_integrity
+  paths:
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
+```
+
+The configuration details vary by module. See the [module documentation](/reference/auditbeat/auditbeat-modules.md) for more detail about configuring the available modules.
+
diff --git a/docs/reference/auditbeat/configuration-dashboards.md b/docs/reference/auditbeat/configuration-dashboards.md
new file mode 100644
index 000000000000..942260c97103
--- /dev/null
+++ b/docs/reference/auditbeat/configuration-dashboards.md
@@ -0,0 +1,103 @@
+---
+navigation_title: "Kibana dashboards"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-dashboards.html
+---
+
+# Configure Kibana dashboard loading [configuration-dashboards]
+
+
+Auditbeat comes packaged with example Kibana dashboards, visualizations, and searches for visualizing Auditbeat data in Kibana.
+
+To load the dashboards, you can either enable dashboard loading in the `setup.dashboards` section of the `auditbeat.yml` config file, or you can run the `setup` command. Dashboard loading is disabled by default.
+
+When dashboard loading is enabled, Auditbeat uses the Kibana API to load the sample dashboards. Dashboard loading is only attempted when Auditbeat starts up. If Kibana is not available at startup, Auditbeat will stop with an error.
+
+To enable dashboard loading, add the following setting to the config file:
+
+```yaml
+setup.dashboards.enabled: true
+```
+
+
+## Configuration options [_configuration_options_12]
+
+You can specify the following options in the `setup.dashboards` section of the `auditbeat.yml` config file:
+
+
+### `setup.dashboards.enabled` [_setup_dashboards_enabled]
+
+If this option is set to true, Auditbeat loads the sample Kibana dashboards from the local `kibana` directory in the home path of the Auditbeat installation.
+
+::::{note}
+Auditbeat loads dashboards on startup if either `enabled` is set to `true` or the `setup.dashboards` section is included in the configuration.
+::::
+
+
+::::{note}
+When dashboard loading is enabled, Auditbeat overwrites any existing dashboards that match the names of the dashboards you are loading. This happens every time Auditbeat starts.
+::::
+
+
+If no other options are set, the dashboard are loaded from the local `kibana` directory in the home path of the Auditbeat installation. To load dashboards from a different location, you can configure one of the following options: [`setup.dashboards.directory`](#directory-option), [`setup.dashboards.url`](#url-option), or [`setup.dashboards.file`](#file-option).
+
+
+### `setup.dashboards.directory` [directory-option]
+
+The directory that contains the dashboards to load. The default is the `kibana` folder in the home path.
+
+
+### `setup.dashboards.url` [url-option]
+
+The URL to use for downloading the dashboard archive. If this option is set, Auditbeat downloads the dashboard archive from the specified URL instead of using the local directory.
+
+
+### `setup.dashboards.file` [file-option]
+
+The file archive (zip file) that contains the dashboards to load. If this option is set, Auditbeat looks for a dashboard archive in the specified path instead of using the local directory.
+
+
+### `setup.dashboards.beat` [_setup_dashboards_beat]
+
+In case the archive contains the dashboards for multiple Beats, this setting lets you select the Beat for which you want to load dashboards. To load all the dashboards in the archive, set this option to an empty string. The default is `"auditbeat"`.
+
+
+### `setup.dashboards.kibana_index` [_setup_dashboards_kibana_index]
+
+The name of the Kibana index to use for setting the configuration. The default is `".kibana"`
+
+
+### `setup.dashboards.index` [_setup_dashboards_index]
+
+The Elasticsearch index name. This setting overwrites the index name defined in the dashboards and index pattern. Example: `"testbeat-*"`
+
+::::{note}
+This setting only works for Kibana 6.0 and newer.
+::::
+
+
+
+### `setup.dashboards.always_kibana` [_setup_dashboards_always_kibana]
+
+Force loading of dashboards using the Kibana API without querying Elasticsearch for the version. The default is `false`.
+
+
+### `setup.dashboards.retry.enabled` [_setup_dashboards_retry_enabled]
+
+If this option is set to true, and Kibana is not reachable at the time when dashboards are loaded, Auditbeat will retry to reconnect to Kibana instead of exiting with an error. Disabled by default.
+
+
+### `setup.dashboards.retry.interval` [_setup_dashboards_retry_interval]
+
+Duration interval between Kibana connection retries. Defaults to 1 second.
+
+
+### `setup.dashboards.retry.maximum` [_setup_dashboards_retry_maximum]
+
+Maximum number of retries before exiting with an error. Set to 0 for unlimited retrying. Default is unlimited.
+
+
+### `setup.dashboards.string_replacements` [_setup_dashboards_string_replacements]
+
+The needle and replacements string map, which is used to replace needle string in dashboards and their references contents.
+
diff --git a/docs/reference/auditbeat/configuration-feature-flags.md b/docs/reference/auditbeat/configuration-feature-flags.md
new file mode 100644
index 000000000000..7a64f2939d68
--- /dev/null
+++ b/docs/reference/auditbeat/configuration-feature-flags.md
@@ -0,0 +1,54 @@
+---
+navigation_title: "Feature flags"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-feature-flags.html
+---
+
+# Configure feature flags [configuration-feature-flags]
+
+
+The Feature Flags section of the `auditbeat.yml` config file contains settings in Auditbeat that are disabled by default. These may include experimental features, changes to behaviors within Auditbeat, or settings that could cause a breaking change. For example a setting that changes information included in events might be inconsistent with the naming pattern expected in your configured Auditbeat output.
+
+To enable any of the settings listed on this page, change the associated `enabled` flag from `false` to `true`.
+
+```yaml
+features:
+  mysetting:
+    enabled: true
+```
+
+
+## Configuration options [_configuration_options_16]
+
+You can specify the following options in the `features` section of the `auditbeat.yml` config file:
+
+
+### `fqdn` [_fqdn]
+
+Contains configuration for the FQDN reporting feature. When this feature is enabled, the fully-qualified domain name for the host is reported in the `host.name` field in events produced by Auditbeat.
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+For FQDN reporting to work as expected, the hostname of the current host must either:
+
+* Have a CNAME entry defined in DNS.
+* Have one of its corresponding IP addresses respond successfully to a reverse DNS lookup.
+
+If neither pre-requisite is satisfied, `host.name` continues to report the hostname of the current host as if the FQDN feature flag were not enabled.
+
+Example configuration:
+
+```yaml
+features:
+  fqdn:
+    enabled: true
+```
+
+
+#### `enabled` [_enabled_10]
+
+Set to `true` to enable the FQDN reporting feature of Auditbeat. Defaults to `false`.
+
diff --git a/docs/reference/auditbeat/configuration-general-options.md b/docs/reference/auditbeat/configuration-general-options.md
new file mode 100644
index 000000000000..fca99fbe88e3
--- /dev/null
+++ b/docs/reference/auditbeat/configuration-general-options.md
@@ -0,0 +1,88 @@
+---
+navigation_title: "General settings"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-general-options.html
+---
+
+# Configure general settings [configuration-general-options]
+
+
+You can specify settings in the `auditbeat.yml` config file to control the general behavior of Auditbeat.
+
+
+## General configuration options [configuration-general]
+
+
+These options are supported by all Elastic Beats. Because they are common options, they are not namespaced.
+
+Here is an example configuration:
+
+```yaml
+name: "my-shipper"
+tags: ["service-X", "web-tier"]
+```
+
+
+### `name` [_name]
+
+The name of the Beat. If this option is empty, the `hostname` of the server is used. The name is included as the `agent.name` field in each published transaction. You can use the name to group all transactions sent by a single Beat.
+
+Example:
+
+```yaml
+name: "my-shipper"
+```
+
+
+### `tags` [_tags]
+
+A list of tags that the Beat includes in the `tags` field of each published transaction. Tags make it easy to group servers by different logical properties. For example, if you have a cluster of web servers, you can add the "webservers" tag to the Beat on each server, and then use filters and queries in the Kibana web interface to get visualisations for the whole group of servers.
+
+Example:
+
+```yaml
+tags: ["my-service", "hardware", "test"]
+```
+
+
+### `fields` [libbeat-configuration-fields]
+
+Optional fields that you can specify to add additional information to the output. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true.
+
+Example:
+
+```yaml
+fields: {project: "myproject", instance-id: "574734885120952459"}
+```
+
+
+### `fields_under_root` [_fields_under_root]
+
+If this option is set to true, the custom [fields](#libbeat-configuration-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names, then the custom fields overwrite the other fields.
+
+Example:
+
+```yaml
+fields_under_root: true
+fields:
+  instance_id: i-10a64379
+  region: us-east-1
+```
+
+
+### `processors` [_processors]
+
+A list of processors to apply to the data generated by the beat.
+
+See [Processors](/reference/auditbeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+### `max_procs` [_max_procs]
+
+Sets the maximum number of CPUs that can be executing simultaneously. The default is the number of logical CPUs available in the system.
+
+
+### `timestamp.precision` [_timestamp_precision]
+
+Configure the precision of all timestamps. By default it is set to millisecond. Available options: millisecond, microsecond, nanosecond
+
diff --git a/docs/reference/auditbeat/configuration-instrumentation.md b/docs/reference/auditbeat/configuration-instrumentation.md
new file mode 100644
index 000000000000..6b935e91ebc6
--- /dev/null
+++ b/docs/reference/auditbeat/configuration-instrumentation.md
@@ -0,0 +1,87 @@
+---
+navigation_title: "Instrumentation"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-instrumentation.html
+---
+
+# Configure APM instrumentation [configuration-instrumentation]
+
+
+Libbeat uses the Elastic APM Go Agent to instrument its publishing pipeline. Currently, only the Elasticsearch output is instrumented. To gain insight into the performance of Auditbeat, you can enable this instrumentation and send trace data to the APM Integration.
+
+Example configuration with instrumentation enabled:
+
+```yaml
+instrumentation:
+  enabled: true
+  environment: production
+  hosts:
+    - "http://localhost:8200"
+  api_key: L5ER6FEvjkmlfalBealQ3f3fLqf03fazfOV
+```
+
+
+## Configuration options [_configuration_options_15]
+
+You can specify the following options in the `instrumentation` section of the `auditbeat.yml` config file:
+
+
+### `enabled` [_enabled_9]
+
+Set to `true` to enable instrumentation of Auditbeat. Defaults to `false`.
+
+
+### `environment` [_environment]
+
+Set the environment in which Auditbeat is running, for example, `staging`, `production`, `dev`, etc. Environments can be filtered in the [APM app](docs-content://solutions/observability/apps/overviews.md).
+
+
+### `hosts` [_hosts_3]
+
+The APM integration [host](docs-content://reference/ingestion-tools/observability/apm-settings.md) to report instrumentation data to. Defaults to `http://localhost:8200`.
+
+
+### `api_key` [_api_key_2]
+
+The [API Key](docs-content://reference/ingestion-tools/observability/apm-settings.md) used to secure communication with the APM Integration. If `api_key` is set then `secret_token` will be ignored.
+
+
+### `secret_token` [_secret_token]
+
+The [Secret token](docs-content://reference/ingestion-tools/observability/apm-settings.md) used to secure communication with the APM Integration.
+
+
+### `profiling.cpu.enabled` [_profiling_cpu_enabled]
+
+Set to `true` to enable CPU profiling, where profile samples are recorded as events.
+
+This feature is experimental.
+
+
+### `profiling.cpu.interval` [_profiling_cpu_interval]
+
+Configure the CPU profiling interval. Defaults to `60s`.
+
+This feature is experimental.
+
+
+### `profiling.cpu.duration` [_profiling_cpu_duration]
+
+Configure the CPU profiling duration. Defaults to `10s`.
+
+This feature is experimental.
+
+
+### `profiling.heap.enabled` [_profiling_heap_enabled]
+
+Set to `true` to enable heap profiling.
+
+This feature is experimental.
+
+
+### `profiling.heap.interval` [_profiling_heap_interval]
+
+Configure the heap profiling interval. Defaults to `60s`.
+
+This feature is experimental.
+
diff --git a/docs/reference/auditbeat/configuration-kerberos.md b/docs/reference/auditbeat/configuration-kerberos.md
new file mode 100644
index 000000000000..e3a5a183572e
--- /dev/null
+++ b/docs/reference/auditbeat/configuration-kerberos.md
@@ -0,0 +1,90 @@
+---
+navigation_title: "Kerberos"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-kerberos.html
+---
+
+# Configure Kerberos [configuration-kerberos]
+
+
+You can specify Kerberos options with any output or input that supports Kerberos, like {{es}}.
+
+The following encryption types are supported:
+
+* aes128-cts-hmac-sha1-96
+* aes128-cts-hmac-sha256-128
+* aes256-cts-hmac-sha1-96
+* aes256-cts-hmac-sha384-192
+* des3-cbc-sha1-kd
+* rc4-hmac
+
+Example output config with Kerberos password based authentication:
+
+```yaml
+output.elasticsearch.hosts: ["http://my-elasticsearch.elastic.co:9200"]
+output.elasticsearch.kerberos.auth_type: password
+output.elasticsearch.kerberos.username: "elastic"
+output.elasticsearch.kerberos.password: "changeme"
+output.elasticsearch.kerberos.config_path: "/etc/krb5.conf"
+output.elasticsearch.kerberos.realm: "ELASTIC.CO"
+```
+
+The service principal name for the Elasticsearch instance is contructed from these options. Based on this configuration it is going to be `HTTP/my-elasticsearch.elastic.co@ELASTIC.CO`.
+
+
+## Configuration options [_configuration_options_9]
+
+You can specify the following options in the `kerberos` section of the `auditbeat.yml` config file:
+
+
+### `enabled` [_enabled_8]
+
+The `enabled` setting can be used to enable the kerberos configuration by setting it to `false`. The default value is `true`.
+
+::::{note}
+Kerberos settings are disabled if either `enabled` is set to `false` or the `kerberos` section is missing.
+::::
+
+
+
+### `auth_type` [_auth_type]
+
+There are two options to authenticate with Kerberos KDC: `password` and `keytab`.
+
+`password` expects the principal name and its password. When choosing `keytab`, you have to specify a principal name and a path to a keytab. The keytab must contain the keys of the selected principal. Otherwise, authentication will fail.
+
+
+### `config_path` [_config_path]
+
+You need to set the path to the `krb5.conf`, so Auditbeat can find the Kerberos KDC to retrieve a ticket.
+
+
+### `username` [_username_3]
+
+Name of the principal used to connect to the output.
+
+
+### `password` [_password_4]
+
+If you configured `password` for `auth_type`, you have to provide a password for the selected principal.
+
+
+### `keytab` [_keytab]
+
+If you configured `keytab` for `auth_type`, you have to provide the path to the keytab of the selected principal.
+
+
+### `service_name` [_service_name]
+
+This option can only be configured for Kafka. It is the name of the Kafka service, usually `kafka`.
+
+
+### `realm` [_realm]
+
+Name of the realm where the output resides.
+
+
+### `enable_krb5_fast` [_enable_krb5_fast]
+
+Enable Kerberos FAST authentication. This may conflict with some Active Directory installations. The default is `false`.
+
diff --git a/docs/reference/auditbeat/configuration-logging.md b/docs/reference/auditbeat/configuration-logging.md
new file mode 100644
index 000000000000..5ff9c17c26e9
--- /dev/null
+++ b/docs/reference/auditbeat/configuration-logging.md
@@ -0,0 +1,253 @@
+---
+navigation_title: "Logging"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-logging.html
+---
+
+# Configure logging [configuration-logging]
+
+
+The `logging` section of the `auditbeat.yml` config file contains options for configuring the logging output. The logging system can write logs to the syslog or rotate log files. If logging is not explicitly configured the file output is used.
+
+```yaml
+logging.level: info
+logging.to_files: true
+logging.files:
+  path: /var/log/auditbeat
+  name: auditbeat
+  keepfiles: 7
+  permissions: 0640
+```
+
+::::{tip}
+In addition to setting logging options in the config file, you can modify the logging output configuration from the command line. See [Command reference](/reference/auditbeat/command-line-options.md).
+::::
+
+
+::::{warning}
+When Auditbeat is running on a Linux system with systemd, it uses by default the `-e` command line option, that makes it write all the logging output to stderr so it can be captured by journald. Other outputs are disabled. See [Auditbeat and systemd](/reference/auditbeat/running-with-systemd.md) to know more and learn how to change this.
+::::
+
+
+
+## Configuration options [_configuration_options_14]
+
+You can specify the following options in the `logging` section of the `auditbeat.yml` config file:
+
+
+### `logging.to_stderr` [_logging_to_stderr]
+
+When true, writes all logging output to standard error output. This is equivalent to using the `-e` command line option.
+
+
+### `logging.to_syslog` [_logging_to_syslog]
+
+When true, writes all logging output to the syslog.
+
+::::{note}
+This option is not supported on Windows.
+::::
+
+
+
+### `logging.to_eventlog` [_logging_to_eventlog]
+
+When true, writes all logging output to the Windows Event Log.
+
+
+### `logging.to_files` [_logging_to_files]
+
+When true, writes all logging output to files. The log files are automatically rotated when the log file size limit is reached.
+
+::::{note}
+Auditbeat only creates a log file if there is logging output. For example, if you set the log [`level`](#level) to `error` and there are no errors, there will be no log file in the directory specified for logs.
+::::
+
+
+
+### `logging.level` [level]
+
+Minimum log level. One of `debug`, `info`, `warning`, or `error`. The default log level is `info`.
+
+`debug`
+:   Logs debug messages, including a detailed printout of all events flushed. Also logs informational messages, warnings, errors, and critical errors. When the log level is `debug`, you can specify a list of [`selectors`](#selectors) to display debug messages for specific components. If no selectors are specified, the `*` selector is used to display debug messages for all components.
+
+`info`
+:   Logs informational messages, including the number of events that are published. Also logs any warnings, errors, or critical errors.
+
+`warning`
+:   Logs warnings, errors, and critical errors.
+
+`error`
+:   Logs errors and critical errors.
+
+
+### `logging.selectors` [selectors]
+
+The list of debugging-only selector tags used by different Auditbeat components. Use `*` to enable debug output for all components. Use `publisher` to display debug messages related to event publishing.
+
+::::{tip}
+The list of available selectors may change between releases, so avoid creating tests that depend on specific selectors.
+
+To see which selectors are available, run Auditbeat in debug mode (set `logging.level: debug` in the configuration). The selector name appears after the log level and is enclosed in brackets.
+
+::::
+
+
+To configure multiple selectors, use the following [YAML list syntax](/reference/libbeat/config-file-format.md):
+
+```yaml
+logging.selectors: [ harvester, input ]
+```
+
+To override selectors at the command line, use the `-d` global flag (`-d` also sets the debug log level). For more information, see [Command reference](/reference/auditbeat/command-line-options.md).
+
+
+### `logging.metrics.enabled` [_logging_metrics_enabled]
+
+By default, Auditbeat periodically logs its internal metrics that have changed in the last period. For each metric that changed, the delta from the value at the beginning of the period is logged. Also, the total values for all non-zero internal metrics are logged on shutdown. Set this to false to disable this behavior. The default is true.
+
+Here is an example log line:
+
+```shell
+2017-12-17T19:17:42.667-0500    INFO    [metrics]       log/log.go:110  Non-zero metrics in the last 30s: beat.info.uptime.ms=30004 beat.memstats.gc_next=5046416
+```
+
+Note that we currently offer no backwards compatible guarantees for the internal metrics and for this reason they are also not documented.
+
+
+### `logging.metrics.period` [_logging_metrics_period]
+
+The period after which to log the internal metrics. The default is 30s.
+
+
+### `logging.metrics.namespaces` [_logging_metrics_namespaces]
+
+A list of metrics namespaces to report in the logs. Defaults to `[stats]`. `stats` contains general Beat metrics. `dataset` and `inputs` may be present in some Beats and contains module or input metrics.
+
+
+### `logging.files.path` [_logging_files_path]
+
+The directory that log files are written to. The default is the logs path. See the [Directory layout](/reference/auditbeat/directory-layout.md) section for details.
+
+
+### `logging.files.name` [_logging_files_name]
+
+The name of the file that logs are written to. The default is *auditbeat*.
+
+
+### `logging.files.rotateeverybytes` [_logging_files_rotateeverybytes]
+
+The maximum size of a log file. If the limit is reached, a new log file is generated. The default size limit is 10485760 (10 MB).
+
+
+### `logging.files.keepfiles` [_logging_files_keepfiles]
+
+The number of most recent rotated log files to keep on disk. Older files are deleted during log rotation. The default value is 7. The `keepfiles` options has to be in the range of 2 to 1024 files.
+
+
+### `logging.files.permissions` [_logging_files_permissions]
+
+The permissions mask to apply when rotating log files. The default value is 0600. The `permissions` option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with *0*.
+
+The most permissive mask allowed is 0640. If a higher permissions mask is specified via this setting, it will be subject to an umask of 0027.
+
+This option is not supported on Windows.
+
+Examples:
+
+* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
+* 0600: give read and write access to the file owner, and no access to all others.
+
+
+### `logging.files.interval` [_logging_files_interval]
+
+Enable log file rotation on time intervals in addition to size-based rotation. Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h are boundary-aligned with minutes, hours, days, weeks, months, and years as reported by the local system clock. All other intervals are calculated from the unix epoch. Defaults to disabled.
+
+
+### `logging.files.rotateonstartup` [_logging_files_rotateonstartup]
+
+If the log file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to true.
+
+
+### `logging.files.redirect_stderr` [preview] [_logging_files_redirect_stderr]
+
+When true, diagnostic messages printed to Auditbeat’s standard error output will also be logged to the log file. This can be helpful in situations were Auditbeat terminates unexpectedly because an error has been detected by Go’s runtime but diagnostic information is not present in the log file. This feature is only available when logging to files (`logging.to_files` is true). Disabled by default.
+
+
+## Logging format [_logging_format]
+
+The logging format is generally the same for each logging output. The one exception is with the syslog output where the timestamp is not included in the message because syslog adds its own timestamp.
+
+Each log message consists of the following parts:
+
+* Timestamp in ISO8601 format
+* Level
+* Logger name contained in brackets (Optional)
+* File name and line number of the caller
+* Message
+* Structured data encoded in JSON (Optional)
+
+Below are some samples:
+
+`2017-12-17T18:54:16.241-0500	INFO	logp/core_test.go:13	unnamed global logger`
+
+`2017-12-17T18:54:16.242-0500	INFO	[example]	logp/core_test.go:16	some message`
+
+`2017-12-17T18:54:16.242-0500	INFO	[example]	logp/core_test.go:19	some message	{"x": 1}`
+
+
+## Configuration options for event_data logger [_configuration_options_for_event_data_logger]
+
+Some outputs will log raw events on errors like indexing errors in the Elasticsearch output, to prevent logging raw events (that may contain sensitive information) together with other log messages, a different log file, only for log entries containing raw events, is used. It will use the same level, selectors and all other configurations from the default logger, but it will have it’s own file configuration.
+
+Having a different log file for raw events also prevents event data from drowning out the regular log files.
+
+::::{important}
+No matter the default logger output configuration, raw events will **always** be logged to a file configured by `logging.event_data.files`.
+::::
+
+
+
+### `logging.event_data.files.path` [_logging_event_data_files_path]
+
+The directory that log files are written to. The default is the logs path. See the [Directory layout](/reference/auditbeat/directory-layout.md) section for details.
+
+
+### `logging.event_data.files.name` [_logging_event_data_files_name]
+
+The name of the file that logs are written to. The default is *auditbeat*-events-data.
+
+
+### `logging.event_data.files.rotateeverybytes` [_logging_event_data_files_rotateeverybytes]
+
+The maximum size of a log file. If the limit is reached, a new log file is generated. The default size limit is 5242880 (5 MB).
+
+
+### `logging.event_data.files.keepfiles` [_logging_event_data_files_keepfiles]
+
+The number of most recent rotated log files to keep on disk. Older files are deleted during log rotation. The default value is 2. The `keepfiles` options has to be in the range of 2 to 1024 files.
+
+
+### `logging.event_data.files.permissions` [_logging_event_data_files_permissions]
+
+The permissions mask to apply when rotating log files. The default value is 0600. The `permissions` option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with *0*.
+
+The most permissive mask allowed is 0640. If a higher permissions mask is specified via this setting, it will be subject to an umask of 0027.
+
+This option is not supported on Windows.
+
+Examples:
+
+* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
+* 0600: give read and write access to the file owner, and no access to all others.
+
+
+### `logging.event_data.files.interval` [_logging_event_data_files_interval]
+
+Enable log file rotation on time intervals in addition to size-based rotation. Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h are boundary-aligned with minutes, hours, days, weeks, months, and years as reported by the local system clock. All other intervals are calculated from the unix epoch. Defaults to disabled.
+
+
+### `logging.event_data.files.rotateonstartup` [_logging_event_data_files_rotateonstartup]
+
+If the log file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to false.
diff --git a/docs/reference/auditbeat/configuration-monitor.md b/docs/reference/auditbeat/configuration-monitor.md
new file mode 100644
index 000000000000..5b595db68ae2
--- /dev/null
+++ b/docs/reference/auditbeat/configuration-monitor.md
@@ -0,0 +1,113 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-monitor.html
+---
+
+# Settings for internal collection [configuration-monitor]
+
+Use the following settings to configure internal collection when you are not using {{metricbeat}} to collect monitoring data.
+
+You specify these settings in the X-Pack monitoring section of the `auditbeat.yml` config file:
+
+## `monitoring.enabled` [_monitoring_enabled]
+
+The `monitoring.enabled` config is a boolean setting to enable or disable {{monitoring}}. If set to `true`, monitoring is enabled.
+
+The default value is `false`.
+
+
+## `monitoring.elasticsearch` [_monitoring_elasticsearch]
+
+The {{es}} instances that you want to ship your Auditbeat metrics to. This configuration option contains the following fields:
+
+
+## `monitoring.cluster_uuid` [_monitoring_cluster_uuid]
+
+The `monitoring.cluster_uuid` config identifies the {{es}} cluster under which the monitoring data will appear in the Stack Monitoring UI.
+
+### `api_key` [_api_key_3]
+
+The detail of the API key to be used to send monitoring information to {{es}}. See [*Grant access using API keys*](/reference/auditbeat/beats-api-keys.md) for more information.
+
+
+### `bulk_max_size` [_bulk_max_size_5]
+
+The maximum number of metrics to bulk in a single {{es}} bulk API index request. The default is `50`. For more information, see [Elasticsearch](/reference/auditbeat/elasticsearch-output.md).
+
+
+### `backoff.init` [_backoff_init_4]
+
+The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting `backoff.init` seconds, Auditbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_4]
+
+The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. The default is 60s.
+
+
+### `compression_level` [_compression_level_3]
+
+The gzip compression level. Setting this value to `0` disables compression. The compression level must be in the range of `1` (best speed) to `9` (best compression). The default value is `0`. Increasing the compression level reduces the network usage but increases the CPU usage.
+
+
+### `headers` [_headers_3]
+
+Custom HTTP headers to add to each request. For more information, see [Elasticsearch](/reference/auditbeat/elasticsearch-output.md).
+
+
+### `hosts` [_hosts_4]
+
+The list of {{es}} nodes to connect to. Monitoring metrics are distributed to these nodes in round robin order. For more information, see [Elasticsearch](/reference/auditbeat/elasticsearch-output.md).
+
+
+### `max_retries` [_max_retries_5]
+
+The number of times to retry sending the monitoring metrics after a failure. After the specified number of retries, the metrics are typically dropped. The default value is `3`. For more information, see [Elasticsearch](/reference/auditbeat/elasticsearch-output.md).
+
+
+### `parameters` [_parameters_2]
+
+Dictionary of HTTP parameters to pass within the url with index operations.
+
+
+### `password` [_password_6]
+
+The password that Auditbeat uses to authenticate with the {{es}} instances for shipping monitoring data.
+
+
+### `metrics.period` [_metrics_period]
+
+The time interval (in seconds) when metrics are sent to the {{es}} cluster. A new snapshot of Auditbeat metrics is generated and scheduled for publishing each period. The default value is 10 * time.Second.
+
+
+### `state.period` [_state_period]
+
+The time interval (in seconds) when state information are sent to the {{es}} cluster. A new snapshot of Auditbeat state is generated and scheduled for publishing each period. The default value is 60 * time.Second.
+
+
+### `protocol` [_protocol]
+
+The name of the protocol to use when connecting to the {{es}} cluster. The options are: `http` or `https`. The default is `http`. If you specify a URL for `hosts`, however, the value of protocol is overridden by the scheme you specify in the URL.
+
+
+### `proxy_url` [_proxy_url_4]
+
+The URL of the proxy to use when connecting to the {{es}} cluster. For more information, see [Elasticsearch](/reference/auditbeat/elasticsearch-output.md).
+
+
+### `timeout` [_timeout_5]
+
+The HTTP request timeout in seconds for the {{es}} request. The default is `90`.
+
+
+### `ssl` [_ssl_5]
+
+Configuration options for Transport Layer Security (TLS) or Secure Sockets Layer (SSL) parameters like the certificate authority (CA) to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to {{es}}. For more information, see [SSL](/reference/auditbeat/configuration-ssl.md).
+
+
+### `username` [_username_4]
+
+The user ID that Auditbeat uses to authenticate with the {{es}} instances for shipping monitoring data.
+
+
+
diff --git a/docs/reference/auditbeat/configuration-output-codec.md b/docs/reference/auditbeat/configuration-output-codec.md
new file mode 100644
index 000000000000..fe4682d9aaef
--- /dev/null
+++ b/docs/reference/auditbeat/configuration-output-codec.md
@@ -0,0 +1,32 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-output-codec.html
+---
+
+# Change the output codec [configuration-output-codec]
+
+For outputs that do not require a specific encoding, you can change the encoding by using the codec configuration. You can specify either the `json` or `format` codec. By default the `json` codec is used.
+
+**`json.pretty`**: If `pretty` is set to true, events will be nicely formatted. The default is false.
+
+**`json.escape_html`**: If `escape_html` is set to true, html symbols will be escaped in strings. The default is false.
+
+Example configuration that uses the `json` codec with pretty printing enabled to write events to the console:
+
+```yaml
+output.console:
+  codec.json:
+    pretty: true
+    escape_html: false
+```
+
+**`format.string`**: Configurable format string used to create a custom formatted message.
+
+Example configurable that uses the `format` codec to print the events timestamp and message field to console:
+
+```yaml
+output.console:
+  codec.format:
+    string: '%{[@timestamp]} %{[message]}'
+```
+
diff --git a/docs/reference/auditbeat/configuration-path.md b/docs/reference/auditbeat/configuration-path.md
new file mode 100644
index 000000000000..a541aff4af20
--- /dev/null
+++ b/docs/reference/auditbeat/configuration-path.md
@@ -0,0 +1,78 @@
+---
+navigation_title: "Project paths"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-path.html
+---
+
+# Configure project paths [configuration-path]
+
+
+The `path` section of the `auditbeat.yml` config file contains configuration options that define where Auditbeat looks for its files. For example, Auditbeat looks for the Elasticsearch template file in the configuration path and writes log files in the logs path.
+
+Please see the [Directory layout](/reference/auditbeat/directory-layout.md) section for more details.
+
+Here is an example configuration:
+
+```yaml
+path.home: /usr/share/beat
+path.config: /etc/beat
+path.data: /var/lib/beat
+path.logs: /var/log/
+```
+
+Note that it is possible to override these options by using command line flags.
+
+
+## Configuration options [_configuration_options]
+
+You can specify the following options in the `path` section of the `auditbeat.yml` config file:
+
+
+### `home` [_home]
+
+The home path for the Auditbeat installation. This is the default base path for all other path settings and for miscellaneous files that come with the distribution (for example, the sample dashboards). If not set by a CLI flag or in the configuration file, the default for the home path is the location of the Auditbeat binary.
+
+Example:
+
+```yaml
+path.home: /usr/share/beats
+```
+
+
+### `config` [_config]
+
+The configuration path for the Auditbeat installation. This is the default base path for configuration files, including the main YAML configuration file and the Elasticsearch template file. If not set by a CLI flag or in the configuration file, the default for the configuration path is the home path.
+
+Example:
+
+```yaml
+path.config: /usr/share/beats/config
+```
+
+
+### `data` [_data]
+
+The data path for the Auditbeat installation. This is the default base path for all the files in which Auditbeat needs to store its data. If not set by a CLI flag or in the configuration file, the default for the data path is a `data` subdirectory inside the home path.
+
+Example:
+
+```yaml
+path.data: /var/lib/beats
+```
+
+::::{tip}
+When running multiple Auditbeat instances on the same host, make sure they each have a distinct `path.data` value.
+::::
+
+
+
+### `logs` [_logs]
+
+The logs path for a Auditbeat installation. This is the default location for Auditbeat’s log files. If not set by a CLI flag or in the configuration file, the default for the logs path is a `logs` subdirectory inside the home path.
+
+Example:
+
+```yaml
+path.logs: /var/log/beats
+```
+
diff --git a/docs/reference/auditbeat/configuration-ssl.md b/docs/reference/auditbeat/configuration-ssl.md
new file mode 100644
index 000000000000..519ce4cac46f
--- /dev/null
+++ b/docs/reference/auditbeat/configuration-ssl.md
@@ -0,0 +1,486 @@
+---
+navigation_title: "SSL"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-ssl.html
+---
+
+# Configure SSL [configuration-ssl]
+
+
+You can specify SSL options when you configure:
+
+* [outputs](/reference/auditbeat/configuring-output.md) that support SSL
+* the [Kibana endpoint](/reference/auditbeat/setup-kibana-endpoint.md)
+
+Example output config with SSL enabled:
+
+```yaml
+output.elasticsearch.hosts: ["https://192.168.1.42:9200"]
+output.elasticsearch.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+output.elasticsearch.ssl.certificate: "/etc/client/cert.pem"
+output.elasticsearch.ssl.key: "/etc/client/cert.key"
+```
+
+Also see [*Secure communication with Logstash*](/reference/auditbeat/configuring-ssl-logstash.md).
+
+Example Kibana endpoint config with SSL enabled:
+
+```yaml
+setup.kibana.host: "https://192.0.2.255:5601"
+setup.kibana.ssl.enabled: true
+setup.kibana.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+setup.kibana.ssl.certificate: "/etc/client/cert.pem"
+setup.kibana.ssl.key: "/etc/client/cert.key"
+```
+
+There are a number of SSL configuration options available to you:
+
+* [Common configuration options](#ssl-common-config)
+* [Client configuration options](#ssl-client-config)
+* [Server configuration options](#ssl-server-config)
+
+
+## Common configuration options [ssl-common-config]
+
+Common SSL configuration options can be used in both client and server configurations. You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `enabled` [enabled]
+
+To disable SSL configuration, set the value to `false`. The default value is `true`.
+
+::::{note}
+SSL settings are disabled if either `enabled` is set to `false` or the `ssl` section is missing.
+
+::::
+
+
+
+### `supported_protocols` [supported-protocols]
+
+List of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions not configured, the connection will be dropped during or after the handshake. The setting is a list of allowed protocol versions: `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.
+
+The default value is `[TLSv1.2, TLSv1.3]`.
+
+
+### `cipher_suites` [cipher-suites]
+
+The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s [default suites](https://golang.org/pkg/crypto/tls/) are used (recommended).
+
+Note that if TLS 1.3 is enabled (which is true by default), then the default TLS 1.3 cipher suites are always included, because Go’s standard library adds them to all connections. In order to exclude the default TLS 1.3 ciphers, TLS 1.3 must also be disabled, e.g. with the setting `ssl.supported_protocols = [TLSv1.2]`.
+
+The following cipher suites are available:
+
+| Cypher | Notes |
+| --- | --- |
+| ECDHE-ECDSA-AES-128-CBC-SHA |  |
+| ECDHE-ECDSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| ECDHE-ECDSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| ECDHE-ECDSA-AES-256-CBC-SHA |  |
+| ECDHE-ECDSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS 1.2 only. |
+| ECDHE-ECDSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+| ECDHE-RSA-3DES-CBC3-SHA |  |
+| ECDHE-RSA-AES-128-CBC-SHA |  |
+| ECDHE-RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| ECDHE-RSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| ECDHE-RSA-AES-256-CBC-SHA |  |
+| ECDHE-RSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| ECDHE-RSA-CHACHA20-POLY1205 | TLS 1.2 only. |
+| ECDHE-RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+| RSA-3DES-CBC3-SHA |  |
+| RSA-AES-128-CBC-SHA |  |
+| RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| RSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| RSA-AES-256-CBC-SHA |  |
+| RSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+
+Here is a list of acronyms used in defining the cipher suites:
+
+* 3DES: Cipher suites using triple DES
+* AES-128/256: Cipher suites using AES with 128/256-bit keys.
+* CBC: Cipher using Cipher Block Chaining as block cipher mode.
+* ECDHE: Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange.
+* ECDSA: Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication.
+* GCM: Galois/Counter mode is used for symmetric key cryptography.
+* RC4: Cipher suites using RC4.
+* RSA: Cipher suites using RSA.
+* SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384.
+
+
+### `curve_types` [curve-types]
+
+The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).
+
+The following elliptic curve types are available:
+
+* P-256
+* P-384
+* P-521
+* X25519
+
+
+### `ca_sha256` [ca-sha256]
+
+This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain.
+
+The pin is a base64 encoded string of the SHA-256 of the certificate.
+
+::::{note}
+This check is not a replacement for the normal SSL validation, but it adds additional validation. If this option is used with  `verification_mode` set to `none`, the check will always fail because it will not receive any verified chains.
+::::
+
+
+
+## Client configuration options [ssl-client-config]
+
+You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `certificate_authorities` [client-certificate-authorities]
+
+The list of root certificates for verifications is required. If `certificate_authorities` is empty or not set, the system keystore is used. If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well.
+
+By default you can specify a list of files that `auditbeat` will read, but you can also embed a certificate directly in the `YAML` configuration:
+
+```yaml
+certificate_authorities:
+  - |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `certificate: "/etc/client/cert.pem"` [client-certificate]
+
+The path to the certificate for SSL client authentication is only required if `client_authentication` is specified. If the certificate is not specified, client authentication is not available. The connection might fail if the server requests client authentication. If the SSL server does not require client authentication, the certificate will be loaded, but not requested or used by the server.
+
+When this option is configured, the [`key`](#client-key) option is also required. The certificate option support embedding of the certificate:
+
+```yaml
+certificate: |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `key: "/etc/client/cert.key"` [client-key]
+
+The client certificate key used for client authentication and is only required if `client_authentication` is configured. The key option support embedding of the private key:
+
+```yaml
+key: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
+    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
+    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
+    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
+    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
+    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
+    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
+    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
+    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
+    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
+    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
+    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
+    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
+    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
+    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
+    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
+    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
+    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
+    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
+    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
+    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
+    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
+    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
+    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
+    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
+    nygO9KTJuUiBrLr0AHEnqko=
+    -----END PRIVATE KEY-----
+```
+
+
+### `key_passphrase` [client-key-passphrase]
+
+The passphrase used to decrypt an encrypted key stored in the configured `key` file.
+
+
+### `verification_mode` [client-verification-mode]
+
+Controls the verification of server certificates. Valid values are:
+
+`full`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
+
+`strict`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.
+
+`certificate`
+:   Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
+
+`none`
+:   Performs *no verification* of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.
+
+    The default value is `full`.
+
+
+
+### `ca_trusted_fingerprint` [ca_trusted_fingerprint]
+
+A HEX encoded SHA-256 of a CA certificate. If this certificate is present in the chain during the handshake, it will be added to the `certificate_authorities` list and the handshake will continue normaly.
+
+To get the fingerprint from a CA certificate on a Unix-like system, you can use the following command, where `ca.crt` is the certificate.
+
+```
+openssl x509 -fingerprint -sha256 -noout -in ./ca.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'
+```
+
+
+## Server configuration options [ssl-server-config]
+
+You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `certificate_authorities` [server-certificate-authorities]
+
+The list of root certificates for client verifications is only required if `client_authentication` is configured. If `certificate_authorities` is empty or not set, and `client_authentication` is configured, the system keystore is used.
+
+If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well. By default you can specify a list of files that `auditbeat` will read, but you can also embed a certificate directly in the `YAML` configuration:
+
+```yaml
+certificate_authorities:
+  - |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `certificate: "/etc/server/cert.pem"` [server-certificate]
+
+The end-entity (leaf) certificate that the server uses to identify itself. If the certificate is signed by a certificate authority (CA), then it should include intermediate CA certificates, sorted from leaf to root. For servers, a `certificate` and [`key`](#server-key) must be specified.
+
+The certificate option supports embedding of the PEM certificate content. This example contains the leaf certificate followed by issuer’s certificate.
+
+```yaml
+certificate: |
+  -----BEGIN CERTIFICATE-----
+  MIIF2jCCA8KgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEW
+  MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8g
+  UmVhbDEOMAwGA1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwHhcNMjMxMDMw
+  MTkyMzU4WhcNMjMxMDMxMTkyMzU4WjB2MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMN
+  U2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8gUmVhbDEOMAwG
+  A1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMxDzANBgNVBAMTBnNlcnZlcjCC
+  AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALW37cart7l0KE3LCStFbiGm
+  Rr/QSkuPv+Y+SXFT4zXrMFP3mOfUCVsR4lugv+jmql9qjbwR9jKsgKXA1kSvNXSZ
+  lLYWRcNnQ+QzwKxJf/jy246nSfqb2FKvVMs580lDwKHHxn/FSpHV93O4Goy5cLfF
+  ACE7BSdJdxl5DVAMmmkzd6gBGgN8dQIbcyJYuIZYQt44PqSYh/BomTyOXKrmvX4y
+  t7/pF+ldJjWZq/6SfCq6WE0jSrpI1P/42Qd9h5Tsnl6qsUGA2Tz5ZqKz2cyxaIlK
+  wL9tYDionfFIl+jZcxkGPF2a14O1TycCI0B/z+0VL+HR/8fKAB0NdP+QRLaPWOrn
+  DvraAO+bVKC6VrQyUYNUOwtd2gMUqm6Hzrf4s3wjP754eSJkvnSoSAB6l7ZmJKe5
+  Pz5oDDOVPwKHv/MrhsCSMNFeXSEO+rq9TtYEAFQI5rFGHlURga8kA1T1pirHyEtS
+  2o8GUSPSHVulaPdFnHg4xfTexfRYLCqya75ISJuY2/+2GblCie/re1GFitZCZ46/
+  xiQQDOjgL96soDVZ+cTtMpXanslgDapTts9LPIJTd9FUJCY1omISGiSjABRuTlCV
+  8054ja4BKVahSd5BqqtVkWyV64SCut6kce2ndwBkyFvlZ6cteLCW7KtzYvba4XBb
+  YIAs+H+9e/bZUVhws5mFAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgeAMB0GA1Ud
+  JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAOBgNVHQ4EBwQFAQIDBAUwPwYDVR0R
+  BDgwNoIJbG9jYWxob3N0ghFiZWF0cy5leGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAA
+  AAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAgEAldSZOUi+OUR46ERQuINl1oED
+  mjNsQ9FNP/RDu8mPJaNb5v2sAbcpuZb9YdnScT+d+n0+LMd5uz2g67Qr73QCpXwL
+  9YJIs56i7qMTKXlVvRQrvF9P/zP3sm5Zfd2I/x+8oXgEeYsxAWipJ8RsbnN1dtu8
+  C4l+P0E58jjrjom11W90RiHYaT0SI2PPBTTRhYLz0HayThPZDMdFnIQqVxUYbQD5
+  ybWu77hnsvC/g2C8/N2LAdQGJJ67owMa5T3YRneiaSvvOf3I45oeLE+olGAPdrSq
+  5Sp0G7fcAKMRPxcwYeD7V5lfYMtb+RzECpYAHT8zHKLZl6/34q2k8P8EWEpAsD80
+  +zSbCkdvNiU5lU90rV8E2baTKCg871k4O8sT48eUyDps6ZUCfT1dgefXeyOTV5bY
+  864Zo6bWJhAJ7Qa2d4HJkqPzSbqsosHVobojgkOcMqkStLHd8sgtCoFmJMflbp7E
+  ghawl/RVFEkL9+TWy9fR8sJWRx13P8CUP6AL9kVmcU2c3gMNpvQfIii9QOnQrRsi
+  yZj9FKl+ZM49I6RQ6dY5JVgWtpVm/+GBVuy1Aj91JEjw7r1jAeir5K9LAXG8kEN9
+  irndx1SK2MMTY79lGHFGQRv3vnQGI0Wzjtn31YJ7qIFNJ1WWbAZLR9FBtzmMeXM6
+  puoJ9UYvfIcHUGPdZGU=
+  -----END CERTIFICATE-----
+  -----BEGIN CERTIFICATE-----
+  MIIFpjCCA46gAwIBAgIBATANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEW
+  MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8g
+  UmVhbDEOMAwGA1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwHhcNMjMxMDMw
+  MTkyMzU2WhcNMjMxMDMxMTkyMzU2WjBlMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMN
+  U2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8gUmVhbDEOMAwG
+  A1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwggIiMA0GCSqGSIb3DQEBAQUA
+  A4ICDwAwggIKAoICAQDQP3hJt4jTIo+tBXB/R4RuBTvv6OOago9joxlNDm0abseJ
+  ehE0V8FDi0SSpa7ZiqwCGq/deu5OIWVNpFCLHeH5YBriNmB7oPkNRCleu50JsUrG
+  RjSTtBIJcu/CVpD7Q5XMbhbhYcPArrxrSreo3ox8a+2X7b8nA1xPgIcWqSCgs9iV
+  lwKHaQWNTUXYwwZG7b9WG4EJaki6t1+1QbDDJU0oWrZNg23wQEBvEVRDQs7kadvm
+  9YtZLPULlSyV4Rk3yNW8dPXHjcz2wp3PBPIWIQe9mzYU608307TkUMVN2EEOImxl
+  Wm1RtXYvvVb1LiY0C2lYbN3jLZQzffK5RsS87ocqTQM+HvDBv/PupHDvW08wietu
+  RtRbdx/2cN0GLmOHnkWKx+GlYDZfAtIj958fTKl2hHyNqJ1pE7vksSYBwBxMFQem
+  eSGzw5pO53kmPcZO203YQ2qoJd7z1aLf7eAOqDn5zwlYNc00bZ6DwTZsyptGv9sZ
+  zcZuovppPgCN4f1I9ja/NPKep+sVKfQqR5HuOFOPFcr6oOioESJSgIvXXF9RhCVh
+  UMeZKWWSCNm1ea4h6q8OJdQfM7XXkXm+dEyF0TogC00CidZWuYMZcgXND5p/1Di5
+  PkCKPUMllCoK0oaTfFioNW7qtNbDGQrW+spwDa4kjJNKYtDD0jjPgFMgSzQ2MwID
+  AQABo2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG
+  AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFImOXc9Tv+mgn9jOsPig
+  9vlAUTa+MA0GCSqGSIb3DQEBCwUAA4ICAQBZ9tqU88Nmgf+vDgkKMKLmLMaRCRlV
+  HcYrm7WoWLX+q6VSbmvf5eD5OrzzbAnnp16iXap8ivsAEFTo8XWh/bjl7G/2jetR
+  xZD2WHtzmAg3s4SVsEHIyFUF1ERwnjO2ndHjoIsx8ktUk1aNrmgPI6s07fkULDm+
+  2aXyBSZ9/oimZM/s3IqYJecxwE+yyS+FiS6mSDCCVIyQXdtVAbFHegyiBYv8EbwF
+  Xz70QiqQtxotGlfts/3uN1s+xnEoWz5E6S5DQn4xQh0xiKSXPizMXou9xKzypeSW
+  qtNdwtg62jKWDaVriBfrvoCnyjjCIjmcTcvA2VLmeZShyTuIucd0lkg2NKIGeM7I
+  o33hmdiKaop1fVtj8zqXvCRa3ecmlvcxPKX0otVFORFNOfaPjH/CjW0CnP0LByGK
+  YW19w0ncJZa9cc1SlNL28lnBhW+i1+ViR02wtjabH9XO+mtxuaEPDZ1hLhhjktqI
+  Y2oFUso4C5xiTU/hrH8+cFv0dn/+zyQoLfJEQbUX9biFeytt7T4Yynwhdy7jryqH
+  fdy/QM26YnsE8D7l4mv99z+zII0IRGnQOuLTuNAIyGJUf69hCDubZFDeHV/IB9hU
+  6GA6lBpsJlTDgfJLbtKuAHxdn1DO+uGg0GxgwggH6Vh9x9yQK2E6BaepJisL/zNB
+  RQQmEyTn1hn/eA==
+  -----END CERTIFICATE-----
+```
+
+
+### `key: "/etc/server/cert.key"` [server-key]
+
+The server certificate key used for authentication is required. The key option supports embedding of the private key:
+
+```yaml
+key: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
+    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
+    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
+    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
+    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
+    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
+    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
+    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
+    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
+    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
+    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
+    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
+    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
+    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
+    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
+    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
+    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
+    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
+    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
+    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
+    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
+    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
+    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
+    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
+    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
+    nygO9KTJuUiBrLr0AHEnqko=
+    -----END PRIVATE KEY-----
+```
+
+
+### `key_passphrase` [server-key-passphrase]
+
+The passphrase is used to decrypt an encrypted key stored in the configured `key` file.
+
+
+### `verification_mode` [server-verification-mode]
+
+Controls the verification of client certificates. Valid values are:
+
+`full`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
+
+`strict`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.
+
+`certificate`
+:   Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
+
+`none`
+:   Performs *no verification* of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.
+
+    The default value is `full`.
+
+
+
+### `renegotiation` [server-renegotiation]
+
+This configures what types of TLS renegotiation are supported. The valid options are:
+
+`never`
+:   Disables renegotiation.
+
+`once`
+:   Allows a remote server to request renegotiation once per connection.
+
+`freely`
+:   Allows a remote server to request renegotiation repeatedly.
+
+    The default value is `never`.
+
+
+
+### `restart_on_cert_change.enabled` [exit_on_cert_change_enabled]
+
+If set to `true` Auditbeat will restart if any file listed by `key`, `certificate`, or `certificate_authorities` is modified.
+
+::::{note}
+This feature is NOT supported on Windows. The default value is `false`.
+::::
+
+
+::::{note}
+This feature requres the `execve` system call to be enabled. If you have a custom seccomp policy in place, make sure to allow for `execve`.
+::::
+
+
+
+### `restart_on_cert_change.period` [restart_on_cert_change_period]
+
+Specifies how often the files are checked for changes. Do not set the period to less than 1s because the modification time of files is often stored in seconds. Setting the period to less than 1s will result in validation error and Auditbeat will not start. The default value is 1m.
+
diff --git a/docs/reference/auditbeat/configuration-template.md b/docs/reference/auditbeat/configuration-template.md
new file mode 100644
index 000000000000..e06b29197b15
--- /dev/null
+++ b/docs/reference/auditbeat/configuration-template.md
@@ -0,0 +1,112 @@
+---
+navigation_title: "Elasticsearch index template"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-template.html
+---
+
+# Configure Elasticsearch index template loading [configuration-template]
+
+
+The `setup.template` section of the `auditbeat.yml` config file specifies the [index template](docs-content://manage-data/data-store/templates.md) to use for setting mappings in Elasticsearch. If template loading is enabled (the default), Auditbeat loads the index template automatically after successfully connecting to Elasticsearch.
+
+::::{note}
+A connection to Elasticsearch is required to load the index template. If the configured output is not Elasticsearch (or {{ess}}), you must [load the template manually](/reference/auditbeat/auditbeat-template.md#load-template-manually).
+::::
+
+
+You can adjust the following settings to load your own template or overwrite an existing one.
+
+**`setup.template.enabled`**
+:   Set to false to disable template loading. If this is set to false, you must [load the template manually](/reference/auditbeat/auditbeat-template.md#load-template-manually).
+
+**`setup.template.name`**
+:   The name of the template. The default is `auditbeat`. The Auditbeat version is always appended to the given name, so the final name is `auditbeat-%{[agent.version]}`.
+
+**`setup.template.pattern`**
+:   The template pattern to apply to the default index settings. The default pattern is `auditbeat`. The Auditbeat version is always included in the pattern, so the final pattern is `auditbeat-%{[agent.version]}`.
+
+    Example:
+
+    ```yaml
+    setup.template.name: "auditbeat"
+    setup.template.pattern: "auditbeat"
+    ```
+
+
+**`setup.template.fields`**
+:   The path to the YAML file describing the fields. The default is `fields.yml`. If a relative path is set, it is considered relative to the config path. See the [Directory layout](/reference/auditbeat/directory-layout.md) section for details.
+
+**`setup.template.overwrite`**
+:   A boolean that specifies whether to overwrite the existing template. The default is false. Do not enable this option if you start more than one instance of Auditbeat at the same time. It can overload {{es}} by sending too many template update requests.
+
+**`setup.template.settings`**
+:   A dictionary of settings to place into the `settings.index` dictionary of the Elasticsearch template. For more details about the available Elasticsearch mapping options, please see the Elasticsearch [mapping reference](docs-content://manage-data/data-store/mapping.md).
+
+    Example:
+
+    ```yaml
+    setup.template.name: "auditbeat"
+    setup.template.fields: "fields.yml"
+    setup.template.overwrite: false
+    setup.template.settings:
+      index.number_of_shards: 1
+      index.number_of_replicas: 1
+    ```
+
+
+**`setup.template.settings._source`**
+:   A dictionary of settings for the `_source` field. For the available settings, please see the Elasticsearch [reference](elasticsearch://reference/elasticsearch/mapping-reference/mapping-source-field.md).
+
+    Example:
+
+    ```yaml
+    setup.template.name: "auditbeat"
+    setup.template.fields: "fields.yml"
+    setup.template.overwrite: false
+    setup.template.settings:
+      _source.enabled: false
+    ```
+
+
+**`setup.template.append_fields`**
+:   A list of fields to be added to the template and {{kib}} index pattern. This setting adds new fields. It does not overwrite or change existing fields.
+
+    This setting is useful when your data contains fields that Auditbeat doesn’t know about in advance.
+
+    If `append_fields` is specified along with `overwrite: true`, Auditbeat overwrites the existing template and applies the new template when creating new indices. Existing indices are not affected. If you’re running multiple instances of Auditbeat with different `append_fields` settings, the last one writing the template takes precedence.
+
+    Any changes to this setting also affect the {{kib}} index pattern.
+
+    Example config:
+
+    ```yaml
+    setup.template.overwrite: true
+    setup.template.append_fields:
+    - name: test.name
+      type: keyword
+    - name: test.hostname
+      type: long
+    ```
+
+
+**`setup.template.json.enabled`**
+:   Set to `true` to load a JSON-based template file. Specify the path to your {{es}} index template file and set the name of the template.
+
+    ```yaml
+    setup.template.json.enabled: true
+    setup.template.json.path: "template.json"
+    setup.template.json.name: "template-name"
+    setup.template.json.data_stream: false
+    ```
+
+
+::::{note}
+If the JSON template is used, the `fields.yml` is skipped for the template generation.
+::::
+
+
+::::{note}
+If the JSON template is a data stream, set `setup.template.json.data_stream`.
+::::
+
+
diff --git a/docs/reference/auditbeat/configure-cloud-id.md b/docs/reference/auditbeat/configure-cloud-id.md
new file mode 100644
index 000000000000..7e6e27b99092
--- /dev/null
+++ b/docs/reference/auditbeat/configure-cloud-id.md
@@ -0,0 +1,34 @@
+---
+navigation_title: "{{ess}}"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configure-cloud-id.html
+---
+
+# Configure the output for {{ess}} on {{ecloud}} [configure-cloud-id]
+
+
+Auditbeat comes with two settings that simplify the output configuration when used together with [{{ess}}](https://www.elastic.co/cloud/elasticsearch-service?page=docs&placement=docs-body). When defined, these setting overwrite settings from other parts in the configuration.
+
+Example:
+
+```yaml
+cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
+cloud.auth: "elastic:{pwd}"
+```
+
+These settings can be also specified at the command line, like this:
+
+```sh
+auditbeat -e -E cloud.id="<cloud-id>" -E cloud.auth="<cloud.auth>"
+```
+
+## `cloud.id` [_cloud_id]
+
+The Cloud ID, which can be found in the {{ess}} web console, is used by Auditbeat to resolve the {{es}} and {{kib}} URLs. This setting overwrites the `output.elasticsearch.hosts` and `setup.kibana.host` settings. For more on locating and configuring the Cloud ID, see [Configure Beats and Logstash with Cloud ID](docs-content://deploy-manage/deploy/cloud-enterprise/find-cloud-id.md).
+
+
+## `cloud.auth` [_cloud_auth]
+
+When specified, the `cloud.auth` overwrites the `output.elasticsearch.username` and `output.elasticsearch.password` settings. Because the Kibana settings inherit the username and password from the {{es}} output, this can also be used to set the `setup.kibana.username` and `setup.kibana.password` options.
+
+
diff --git a/docs/reference/auditbeat/configuring-howto-auditbeat.md b/docs/reference/auditbeat/configuring-howto-auditbeat.md
new file mode 100644
index 000000000000..56bf5870a0a4
--- /dev/null
+++ b/docs/reference/auditbeat/configuring-howto-auditbeat.md
@@ -0,0 +1,46 @@
+---
+navigation_title: "Configure"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuring-howto-auditbeat.html
+---
+
+# Configure Auditbeat [configuring-howto-auditbeat]
+
+
+::::{tip}
+To get started quickly, read [Quick start: installation and configuration](/reference/auditbeat/auditbeat-installation-configuration.md).
+::::
+
+
+To configure Auditbeat, edit the configuration file. The default configuration file is called  `auditbeat.yml`. The location of the file varies by platform. To locate the file, see [Directory layout](/reference/auditbeat/directory-layout.md).
+
+There’s also a full example configuration file called `auditbeat.reference.yml` that shows all non-deprecated options.
+
+::::{tip}
+See the [Config File Format](/reference/libbeat/config-file-format.md) for more about the structure of the config file.
+::::
+
+
+The following topics describe how to configure Auditbeat:
+
+* [Modules](/reference/auditbeat/configuration-auditbeat.md)
+* [General settings](/reference/auditbeat/configuration-general-options.md)
+* [Project paths](/reference/auditbeat/configuration-path.md)
+* [Config file reloading](/reference/auditbeat/auditbeat-configuration-reloading.md)
+* [Output](/reference/auditbeat/configuring-output.md)
+* [SSL](/reference/auditbeat/configuration-ssl.md)
+* [Index lifecycle management (ILM)](/reference/auditbeat/ilm.md)
+* [Elasticsearch index template](/reference/auditbeat/configuration-template.md)
+* [{{kib}} endpoint](/reference/auditbeat/setup-kibana-endpoint.md)
+* [Kibana dashboards](/reference/auditbeat/configuration-dashboards.md)
+* [Processors](/reference/auditbeat/filtering-enhancing-data.md)
+* [Internal queue](/reference/auditbeat/configuring-internal-queue.md)
+* [Logging](/reference/auditbeat/configuration-logging.md)
+* [HTTP endpoint](/reference/auditbeat/http-endpoint.md)
+* [*Regular expression support*](/reference/auditbeat/regexp-support.md)
+* [Instrumentation](/reference/auditbeat/configuration-instrumentation.md)
+* [Feature flags](/reference/auditbeat/configuration-feature-flags.md)
+* [*auditbeat.reference.yml*](/reference/auditbeat/auditbeat-reference-yml.md)
+
+After changing configuration settings, you need to restart Auditbeat to pick up the changes.
+
diff --git a/docs/reference/auditbeat/configuring-ingest-node.md b/docs/reference/auditbeat/configuring-ingest-node.md
new file mode 100644
index 000000000000..178b83895baf
--- /dev/null
+++ b/docs/reference/auditbeat/configuring-ingest-node.md
@@ -0,0 +1,50 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuring-ingest-node.html
+---
+
+# Parse data using an ingest pipeline [configuring-ingest-node]
+
+When you use {{es}} for output, you can configure Auditbeat to use an [ingest pipeline](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md) to pre-process documents before the actual indexing takes place in {{es}}. An ingest pipeline is a convenient processing option when you want to do some extra processing on your data, but you do not require the full power of {{ls}}. For example, you can create an ingest pipeline in {{es}} that consists of one processor that removes a field in a document followed by another processor that renames a field.
+
+After defining the pipeline in {{es}}, you simply configure Auditbeat to use the pipeline. To configure Auditbeat, you specify the pipeline ID in the `parameters` option under `elasticsearch` in the `auditbeat.yml` file:
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200"]
+  pipeline: my_pipeline_id
+```
+
+For example, let’s say that you’ve defined the following pipeline in a file named `pipeline.json`:
+
+```json
+{
+    "description": "Test pipeline",
+    "processors": [
+        {
+            "lowercase": {
+                "field": "agent.name"
+            }
+        }
+    ]
+}
+```
+
+To add the pipeline in {{es}}, you would run:
+
+```shell
+curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_ingest/pipeline/test-pipeline' -d@pipeline.json
+```
+
+Then in the `auditbeat.yml` file, you would specify:
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200"]
+  pipeline: "test-pipeline"
+```
+
+When you run Auditbeat, the value of `agent.name` is converted to lowercase before indexing.
+
+For more information about defining a pre-processing pipeline, see the [ingest pipeline](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md) documentation.
+
diff --git a/docs/reference/auditbeat/configuring-internal-queue.md b/docs/reference/auditbeat/configuring-internal-queue.md
new file mode 100644
index 000000000000..3331c1b2a1b8
--- /dev/null
+++ b/docs/reference/auditbeat/configuring-internal-queue.md
@@ -0,0 +1,144 @@
+---
+navigation_title: "Internal queue"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuring-internal-queue.html
+---
+
+# Configure the internal queue [configuring-internal-queue]
+
+
+Auditbeat uses an internal queue to store events before publishing them. The queue is responsible for buffering and combining events into batches that can be consumed by the outputs. The outputs will use bulk operations to send a batch of events in one transaction.
+
+You can configure the type and behavior of the internal queue by setting options in the `queue` section of the `auditbeat.yml` config file or by setting options in the `queue` section of the output. Only one queue type can be configured.
+
+This sample configuration sets the memory queue to buffer up to 4096 events:
+
+```yaml
+queue.mem:
+  events: 4096
+```
+
+
+## Configure the memory queue [configuration-internal-queue-memory]
+
+The memory queue keeps all events in memory.
+
+The memory queue waits for the output to acknowledge or drop events. If the queue is full, no new events can be inserted into the memory queue. Only after the signal from the output will the queue free up space for more events to be accepted.
+
+The memory queue is controlled by the parameters `flush.min_events` and `flush.timeout`. `flush.min_events` gives a limit on the number of events that can be included in a single batch, and `flush.timeout` specifies how long the queue should wait to completely fill an event request. If the output supports a `bulk_max_size` parameter, the maximum batch size will be the smaller of `bulk_max_size` and `flush.min_events`.
+
+`flush.min_events` is a legacy parameter, and new configurations should prefer to control batch size with `bulk_max_size`. As of 8.13, there is never a performance advantage to limiting batch size with `flush.min_events` instead of `bulk_max_size`.
+
+In synchronous mode, an event request is always filled as soon as events are available, even if there are not enough events to fill the requested batch. This is useful when latency must be minimized. To use synchronous mode, set `flush.timeout` to 0.
+
+For backwards compatibility, synchronous mode can also be activated by setting `flush.min_events` to 0 or 1. In this case, batch size will be capped at 1/2 the queue capacity.
+
+In asynchronous mode, an event request will wait up to the specified timeout to try and fill the requested batch completely. If the timeout expires, the queue returns a partial batch with all available events. To use asynchronous mode, set `flush.timeout` to a positive duration, e.g. `5s`.
+
+This sample configuration forwards events to the output when there are enough events to fill the output’s request (usually controlled by `bulk_max_size`, and limited to at most 512 events by `flush.min_events`), or when events have been waiting for 5s without filling the requested size:
+
+```yaml
+queue.mem:
+  events: 4096
+  flush.min_events: 512
+  flush.timeout: 5s
+```
+
+
+## Configuration options [_configuration_options_13]
+
+You can specify the following options in the `queue.mem` section of the `auditbeat.yml` config file:
+
+
+#### `events` [queue-mem-events-option]
+
+Number of events the queue can store.
+
+The default value is 3200 events.
+
+
+#### `flush.min_events` [queue-mem-flush-min-events-option]
+
+If greater than 1, specifies the maximum number of events per batch. In this case the output must wait for the queue to accumulate the requested number of events or for `flush.timeout` to expire before publishing.
+
+If 0 or 1, sets the maximum number of events per batch to half the queue size, and sets the queue to synchronous mode (equivalent to `flush.timeout` of 0).
+
+The default value is 1600.
+
+
+#### `flush.timeout` [queue-mem-flush-timeout-option]
+
+Maximum wait time for event requests from the output to be fulfilled. If set to 0s, events are returned immediately.
+
+The default value is 10s.
+
+
+## Configure the disk queue [configuration-internal-queue-disk]
+
+The disk queue stores pending events on the disk rather than main memory. This allows Beats to queue a larger number of events than is possible with the memory queue, and to save events when a Beat or device is restarted. This increased reliability comes with a performance tradeoff, as every incoming event must be written and read from the device’s disk. However, for setups where the disk is not the main bottleneck, the disk queue gives a simple and relatively low-overhead way to add a layer of robustness to incoming event data.
+
+To enable the disk queue with default settings, specify a maximum size:
+
+```yaml
+queue.disk:
+  max_size: 10GB
+```
+
+The queue will use up to the specified maximum size on disk. It will only use as much space as required. For example, if the queue is only storing 1GB of events, then it will only occupy 1GB on disk no matter how high the maximum is. Queue data is deleted from disk after it has been successfully sent to the output.
+
+
+### Configuration options [configuration-internal-queue-disk-reference]
+
+You can specify the following options in the `queue.disk` section of the `auditbeat.yml` config file:
+
+
+#### `path` [_path]
+
+The path to the directory where the disk queue should store its data files. The directory is created on startup if it doesn’t exist.
+
+The default value is `"${path.data}/diskqueue"`.
+
+
+#### `max_size` (required) [_max_size_required]
+
+The maximum size the queue should use on disk. Events that exceed this maximum will either pause their input or be discarded, depending on the input’s configuration.
+
+A value of `0` means that no maximum size is enforced, and the queue can grow up to the amount of free space on the disk. This value should be used with caution, as completely filling a system’s main disk can make it inoperable. It is best to use this setting only with a dedicated data or backup partition that will not interfere with Auditbeat or the rest of the host system.
+
+The default value is `10GB`.
+
+
+#### `segment_size` [_segment_size]
+
+Data added to the queue is stored in segment files. Each segment contains some number of events waiting to be sent to the outputs, and is deleted when all its events are sent. By default, segment size is limited to 1/10 of the maximum queue size. Using a smaller size means that the queue will use more data files, but they will be deleted more quickly after use. Using a larger size means some data will take longer to delete, but the queue will use fewer auxiliary files. It is usually fine to leave this value unchanged.
+
+The default value is `max_size / 10`.
+
+
+#### `read_ahead` [_read_ahead]
+
+The number of events that should be read from disk into memory while waiting for an output to request them. If you find outputs are slowing down because they can’t read as many events at a time, adjusting this setting upward may help, at the cost of higher memory usage.
+
+The default value is `512`.
+
+
+#### `write_ahead` [_write_ahead]
+
+The number of events the queue should accept and store in memory while waiting for them to be written to disk. If you find the queue’s memory use is too high because events are waiting too long to be written to disk, adjusting this setting downward may help, at the cost of reduced event throughput. On the other hand, if inputs are waiting or discarding events because they are being produced faster than the disk can handle, adjusting this setting upward may help, at the cost of higher memory usage.
+
+The default value is `2048`.
+
+
+#### `retry_interval` [_retry_interval]
+
+Some disk errors may block operation of the queue, for example a permission error writing to the data directory, or a disk full error while writing an event. In this case, the queue reports the error and retries after pausing for the time specified in `retry_interval`.
+
+The default value is `1s` (one second).
+
+
+#### `max_retry_interval` [_max_retry_interval]
+
+When there are multiple consecutive errors writing to the disk, the queue increases the retry interval by factors of 2 up to a maximum of `max_retry_interval`. Increase this value if you are concerned about logging too many errors or overloading the host system if the target disk becomes unavailable for an extended time.
+
+The default value is `30s` (thirty seconds).
+
diff --git a/docs/reference/auditbeat/configuring-output.md b/docs/reference/auditbeat/configuring-output.md
new file mode 100644
index 000000000000..362fd8e7dc78
--- /dev/null
+++ b/docs/reference/auditbeat/configuring-output.md
@@ -0,0 +1,31 @@
+---
+navigation_title: "Output"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuring-output.html
+---
+
+# Configure the output [configuring-output]
+
+
+You configure Auditbeat to write to a specific output by setting options in the Outputs section of the `auditbeat.yml` config file. Only a single output may be defined.
+
+The following topics describe how to configure each supported output. If you’ve secured the {{stack}}, also read [Secure](/reference/auditbeat/securing-auditbeat.md) for more about security-related configuration options.
+
+* [{{ess}}](/reference/auditbeat/configure-cloud-id.md)
+* [Elasticsearch](/reference/auditbeat/elasticsearch-output.md)
+* [Logstash](/reference/auditbeat/logstash-output.md)
+* [Kafka](/reference/auditbeat/kafka-output.md)
+* [Redis](/reference/auditbeat/redis-output.md)
+* [File](/reference/auditbeat/file-output.md)
+* [Console](/reference/auditbeat/console-output.md)
+* [Discard](/reference/auditbeat/discard-output.md)
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/auditbeat/configuring-ssl-logstash.md b/docs/reference/auditbeat/configuring-ssl-logstash.md
new file mode 100644
index 000000000000..70f884d2e0f5
--- /dev/null
+++ b/docs/reference/auditbeat/configuring-ssl-logstash.md
@@ -0,0 +1,118 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/configuring-ssl-logstash.html
+---
+
+# Secure communication with Logstash [configuring-ssl-logstash]
+
+You can use SSL mutual authentication to secure connections between Auditbeat and Logstash. This ensures that Auditbeat sends encrypted data to trusted Logstash servers only, and that the Logstash server receives data from trusted Auditbeat clients only.
+
+To use SSL mutual authentication:
+
+1. Create a certificate authority (CA) and use it to sign the certificates that you plan to use for Auditbeat and Logstash. Creating a correct SSL/TLS infrastructure is outside the scope of this document. There are many online resources available that describe how to create certificates.
+
+    ::::{tip}
+    If you are using {{security-features}}, you can use the [elasticsearch-certutil tool](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md) to generate certificates.
+    ::::
+
+2. Configure Auditbeat to use SSL. In the `auditbeat.yml` config file, specify the following settings under `ssl`:
+
+    * `certificate_authorities`: Configures Auditbeat to trust any certificates signed by the specified CA. If `certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used.
+    * `certificate` and `key`: Specifies the certificate and key that Auditbeat uses to authenticate with Logstash.
+
+        For example:
+
+        ```yaml
+        output.logstash:
+          hosts: ["logs.mycompany.com:5044"]
+          ssl.certificate_authorities: ["/etc/ca.crt"]
+          ssl.certificate: "/etc/client.crt"
+          ssl.key: "/etc/client.key"
+        ```
+
+        For more information about these configuration options, see [SSL](/reference/auditbeat/configuration-ssl.md).
+
+3. Configure Logstash to use SSL. In the Logstash config file, specify the following settings for the [Beats input plugin for Logstash](logstash://reference/plugins-inputs-beats.md):
+
+    * `ssl`: When set to true, enables Logstash to use SSL/TLS.
+    * `ssl_certificate_authorities`: Configures Logstash to trust any certificates signed by the specified CA.
+    * `ssl_certificate` and `ssl_key`: Specify the certificate and key that Logstash uses to authenticate with the client.
+    * `ssl_verify_mode`: Specifies whether the Logstash server verifies the client certificate against the CA. You need to specify either `peer` or `force_peer` to make the server ask for the certificate and validate it. If you specify `force_peer`, and Auditbeat doesn’t provide a certificate, the Logstash connection will be closed. If you choose not to use [certutil](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md), the certificates that you obtain must allow for both `clientAuth` and `serverAuth` if the extended key usage extension is present.
+
+        For example:
+
+        ```json
+        input {
+          beats {
+            port => 5044
+            ssl => true
+            ssl_certificate_authorities => ["/etc/ca.crt"]
+            ssl_certificate => "/etc/server.crt"
+            ssl_key => "/etc/server.key"
+            ssl_verify_mode => "force_peer"
+          }
+        }
+        ```
+
+        For more information about these options, see the [documentation for the Beats input plugin](logstash://reference/plugins-inputs-beats.md).
+
+
+
+## Validate the Logstash server’s certificate [testing-ssl-logstash]
+
+Before running Auditbeat, you should validate the Logstash server’s certificate. You can use `curl` to validate the certificate even though the protocol used to communicate with Logstash is not based on HTTP. For example:
+
+```shell
+curl -v --cacert ca.crt https://logs.mycompany.com:5044
+```
+
+If the test is successful, you’ll receive an empty response error:
+
+```shell
+* Rebuilt URL to: https://logs.mycompany.com:5044/
+*   Trying 192.168.99.100...
+* Connected to logs.mycompany.com (192.168.99.100) port 5044 (#0)
+* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+* Server certificate: logs.mycompany.com
+* Server certificate: mycompany.com
+> GET / HTTP/1.1
+> Host: logs.mycompany.com:5044
+> User-Agent: curl/7.43.0
+> Accept: */*
+>
+* Empty reply from server
+* Connection #0 to host logs.mycompany.com left intact
+curl: (52) Empty reply from server
+```
+
+The following example uses the IP address rather than the hostname to validate the certificate:
+
+```shell
+curl -v --cacert ca.crt https://192.168.99.100:5044
+```
+
+Validation for this test fails because the certificate is not valid for the specified IP address. It’s only valid for the `logs.mycompany.com`, the hostname that appears in the Subject field of the certificate.
+
+```shell
+* Rebuilt URL to: https://192.168.99.100:5044/
+*   Trying 192.168.99.100...
+* Connected to 192.168.99.100 (192.168.99.100) port 5044 (#0)
+* WARNING: using IP address, SNI is being disabled by the OS.
+* SSL: certificate verification failed (result: 5)
+* Closing connection 0
+curl: (51) SSL: certificate verification failed (result: 5)
+```
+
+See the [troubleshooting docs](/reference/auditbeat/ssl-client-fails.md) for info about resolving this issue.
+
+
+## Test the Auditbeat to Logstash connection [_test_the_auditbeat_to_logstash_connection]
+
+If you have Auditbeat running as a service, first stop the service. Then test your setup by running Auditbeat in the foreground so you can quickly see any errors that occur:
+
+```sh
+auditbeat -c auditbeat.yml -e -v
+```
+
+Any errors will be printed to the console. See the [troubleshooting docs](/reference/auditbeat/ssl-client-fails.md) for info about resolving common errors.
+
diff --git a/docs/reference/auditbeat/connection-problem.md b/docs/reference/auditbeat/connection-problem.md
new file mode 100644
index 000000000000..d52751bd2302
--- /dev/null
+++ b/docs/reference/auditbeat/connection-problem.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/connection-problem.html
+---
+
+# Logstash connection doesn���t work [connection-problem]
+
+You may have configured {{ls}} or Auditbeat incorrectly. To resolve the issue:
+
+* Make sure that {{ls}} is running and you can connect to it. First, try to ping the {{ls}} host to verify that you can reach it from the host running Auditbeat. Then use either `nc` or `telnet` to make sure that the port is available. For example:
+
+    ```shell
+    ping <hostname or IP>
+    telnet <hostname or IP> 5044
+    ```
+
+* Verify that the config file for Auditbeat specifies the correct port where {{ls}} is running.
+* Make sure that the {{es}} output is commented out in the config file and the {{ls}} output is uncommented.
+* Confirm that the most recent [Beats input plugin for {{ls}}](logstash://reference/plugins-inputs-beats.md) is installed and configured. Note that Beats will not connect to the Lumberjack input plugin. To learn how to install and update plugins, see [Working with plugins](logstash://reference/working-with-plugins.md).
+
diff --git a/docs/reference/auditbeat/console-output.md b/docs/reference/auditbeat/console-output.md
new file mode 100644
index 000000000000..bd1c028cb6fa
--- /dev/null
+++ b/docs/reference/auditbeat/console-output.md
@@ -0,0 +1,67 @@
+---
+navigation_title: "Console"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/console-output.html
+---
+
+# Configure the Console output [console-output]
+
+
+The Console output writes events in JSON format to stdout.
+
+::::{warning}
+The Console output should be used only for debugging issues as it can produce a large amount of logging data.
+::::
+
+
+To use this output, edit the Auditbeat configuration file to disable the {{es}} output by commenting it out, and enable the console output by adding `output.console`.
+
+Example configuration:
+
+```yaml
+output.console:
+  pretty: true
+```
+
+## Configuration options [_configuration_options_7]
+
+You can specify the following `output.console` options in the `auditbeat.yml` config file:
+
+### `enabled` [_enabled_6]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `pretty` [_pretty]
+
+If `pretty` is set to true, events written to stdout will be nicely formatted. The default is false.
+
+
+### `codec` [_codec_4]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded using the `pretty` option.
+
+See [Change the output codec](/reference/auditbeat/configuration-output-codec.md) for more information.
+
+
+### `bulk_max_size` [_bulk_max_size_4]
+
+The maximum number of events to buffer internally during publishing. The default is 2048.
+
+Specifying a larger batch size may add some latency and buffering during publishing. However, for Console output, this setting does not affect how events are published.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `queue` [_queue_6]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/auditbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `auditbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/auditbeat/contributing-to-beats.md b/docs/reference/auditbeat/contributing-to-beats.md
new file mode 100644
index 000000000000..79b7d64c0734
--- /dev/null
+++ b/docs/reference/auditbeat/contributing-to-beats.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/contributing-to-beats.html
+---
+
+# Contribute to Beats [contributing-to-beats]
+
+The Beats are open source and we love to receive contributions from our community — you!
+
+There are many ways to contribute, from writing tutorials or blog posts, improving the documentation, submitting bug reports and feature requests, or writing code that implements a whole new protocol, module, or Beat.
+
+The [Beats Developer Guide](http://www.elastic.co/guide/en/beats/devguide/master/index.md) is your one-stop shop for everything related to developing code for the Beats project.
+
diff --git a/docs/reference/auditbeat/convert.md b/docs/reference/auditbeat/convert.md
new file mode 100644
index 000000000000..cc42e44ba519
--- /dev/null
+++ b/docs/reference/auditbeat/convert.md
@@ -0,0 +1,42 @@
+---
+navigation_title: "convert"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/convert.html
+---
+
+# Convert [convert]
+
+
+The `convert` processor converts a field in the event to a different type, such as converting a string to an integer.
+
+The supported types include: `integer`, `long`, `float`, `double`, `string`, `boolean`, and `ip`.
+
+The `ip` type is effectively an alias for `string`, but with an added validation that the value is an IPv4 or IPv6 address.
+
+```yaml
+processors:
+  - convert:
+      fields:
+        - {from: "src_ip", to: "source.ip", type: "ip"}
+        - {from: "src_port", to: "source.port", type: "integer"}
+      ignore_missing: true
+      fail_on_error: false
+```
+
+The `convert` processor has the following configuration settings:
+
+`fields`
+:   (Required) This is the list of fields to convert. At least one item must be contained in the list. Each item in the list must have a `from` key that specifies the source field. The `to` key is optional and specifies where to assign the converted value. If `to` is omitted then the `from` field is updated in-place. The `type` key specifies the data type to convert the value to. If `type` is omitted then the processor copies or renames the field without any type conversion.
+
+`ignore_missing`
+:   (Optional) If `true` the processor continues to the next field when the `from` key is not found in the event. If false then the processor returns an error and does not process the remaining fields. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If false type conversion failures are ignored and the processor continues to the next field. Default is `true`.
+
+`tag`
+:   (Optional) An identifier for this processor. Useful for debugging.
+
+`mode`
+:   (Optional) When both `from` and `to` are defined for a field then `mode` controls whether to `copy` or `rename` the field when the type conversion is successful. Default is `copy`.
+
diff --git a/docs/reference/auditbeat/copy-fields.md b/docs/reference/auditbeat/copy-fields.md
new file mode 100644
index 000000000000..0cb36da4318b
--- /dev/null
+++ b/docs/reference/auditbeat/copy-fields.md
@@ -0,0 +1,45 @@
+---
+navigation_title: "copy_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/copy-fields.html
+---
+
+# Copy fields [copy-fields]
+
+
+The `copy_fields` processor takes the value of a field and copies it to a new field.
+
+You cannot use this processor to replace an existing field. If the target field already exists, you must [drop](/reference/auditbeat/drop-fields.md) or [rename](/reference/auditbeat/rename-fields.md) the field before using `copy_fields`.
+
+`fields`
+:   List of `from` and `to` pairs to copy from and to. It’s supported to use `@metadata.` prefix for `from` and `to` and copy values not just in/from/to the event fields but also in/from/to the event metadata.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error occurs, the changes are reverted and the original is returned. If set to `false`, processing continues if an error occurs. Default is `true`.
+
+`ignore_missing`
+:   (Optional) Indicates whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - copy_fields:
+      fields:
+        - from: message
+          to: event.original
+      fail_on_error: false
+      ignore_missing: true
+```
+
+Copies the original `message` field to `event.original`:
+
+```json
+{
+  "message": "my-interesting-message",
+  "event": {
+      "original": "my-interesting-message"
+  }
+}
+```
+
diff --git a/docs/reference/auditbeat/could-not-locate-index-pattern.md b/docs/reference/auditbeat/could-not-locate-index-pattern.md
new file mode 100644
index 000000000000..d5aea2e11c9e
--- /dev/null
+++ b/docs/reference/auditbeat/could-not-locate-index-pattern.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/could-not-locate-index-pattern.html
+---
+
+# Dashboard could not locate the index-pattern [could-not-locate-index-pattern]
+
+Typically Auditbeat sets up the index pattern automatically when it loads the index template. However, if for some reason Auditbeat loads the index template, but the index pattern does not get created correctly, you’ll see a "could not locate that index-pattern" error. To resolve this problem:
+
+1. Try running the `setup` command again. For example: `./auditbeat setup`.
+2. If that doesn’t work, go to the Management app in {{kib}}, and under **Index Patterns**, look for the pattern.
+
+    1. If the pattern doesn’t exist, create it manually.
+
+        * Set the **Time filter field name** to `@timestamp`.
+        * Set the **Custom index pattern ID** advanced option. For example, if your custom index name is `auditbeat-customname`, set the custom index pattern ID to `auditbeat-customname-*`.
+
+
+For more information, see [Creating an index pattern](docs-content://explore-analyze/find-and-organize/data-views.md) in the {{kib}} docs.
+
diff --git a/docs/reference/auditbeat/decode-base64-field.md b/docs/reference/auditbeat/decode-base64-field.md
new file mode 100644
index 000000000000..e1cd807859a3
--- /dev/null
+++ b/docs/reference/auditbeat/decode-base64-field.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "decode_base64_field"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/decode-base64-field.html
+---
+
+# Decode Base64 fields [decode-base64-field]
+
+
+The `decode_base64_field` processor specifies a field to base64 decode. The `field` key contains a `from: old-key` and a `to: new-key` pair. `from` is the origin and `to` the target name of the field.
+
+To overwrite fields either first rename the target field or use the `drop_fields` processor to drop the field and then rename the field.
+
+```yaml
+processors:
+  - decode_base64_field:
+      field:
+        from: "field1"
+        to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above: - field1 is decoded in field2
+
+The `decode_base64_field` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be base64 decoded is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the base64 decode of fields is stopped and the original event is returned. If set to false, decoding continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/auditbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/auditbeat/decode-duration.md b/docs/reference/auditbeat/decode-duration.md
new file mode 100644
index 000000000000..b153ba498e29
--- /dev/null
+++ b/docs/reference/auditbeat/decode-duration.md
@@ -0,0 +1,25 @@
+---
+navigation_title: "decode_duration"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/decode-duration.html
+---
+
+# Decode duration [decode-duration]
+
+
+The `decode_duration` processor decodes a Go-style duration string into a specific `format`.
+
+For more information about the Go `time.Duration` string style, refer to the [Go documentation](https://pkg.go.dev/time#Duration).
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | yes |  | Which field of event needs to be decoded as `time.Duration` |  |
+| `format` | yes | `milliseconds` | Supported formats: `milliseconds`/`seconds`/`minutes`/`hours` |  |
+
+```yaml
+processors:
+  - decode_duration:
+      field: "app.rpc.cost"
+      format: "milliseconds"
+```
+
diff --git a/docs/reference/auditbeat/decode-json-fields.md b/docs/reference/auditbeat/decode-json-fields.md
new file mode 100644
index 000000000000..6a5e3aeba1c5
--- /dev/null
+++ b/docs/reference/auditbeat/decode-json-fields.md
@@ -0,0 +1,48 @@
+---
+navigation_title: "decode_json_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/decode-json-fields.html
+---
+
+# Decode JSON fields [decode-json-fields]
+
+
+The `decode_json_fields` processor decodes fields containing JSON strings and replaces the strings with valid JSON objects.
+
+```yaml
+processors:
+  - decode_json_fields:
+      fields: ["field1", "field2", ...]
+      process_array: false
+      max_depth: 1
+      target: ""
+      overwrite_keys: false
+      add_error_key: true
+```
+
+The `decode_json_fields` processor has the following configuration settings:
+
+`fields`
+:   The fields containing JSON strings to decode.
+
+`process_array`
+:   (Optional) A Boolean value that specifies whether to process arrays. The default is `false`.
+
+`max_depth`
+:   (Optional) The maximum parsing depth. A value of `1`  will decode the JSON objects in fields indicated in `fields`, a value of `2` will also decode the objects embedded in the fields of these parsed documents. The default is `1`.
+
+`target`
+:   (Optional) The field under which the decoded JSON will be written. By default, the decoded JSON object replaces the string field from which it was read. To merge the decoded JSON fields into the root of the event, specify `target` with an empty string (`target: ""`). Note that the `null` value (`target:`) is treated as if the field was not set.
+
+`overwrite_keys`
+:   (Optional) A Boolean value that specifies whether existing keys in the event are overwritten by keys from the decoded JSON object. The default value is `false`.
+
+`expand_keys`
+:   (Optional) A Boolean value that specifies whether keys in the decoded JSON should be recursively de-dotted and expanded into a hierarchical object structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`.
+
+`add_error_key`
+:   (Optional) If set to `true` and an error occurs while decoding JSON keys, the `error` field will become a part of the event with the error message. If set to `false`, there will not be any error in the event’s field. The default value is `false`.
+
+`document_id`
+:   (Optional) JSON key that’s used as the document ID. If configured, the field will be removed from the original JSON document and stored in `@metadata._id`
+
diff --git a/docs/reference/auditbeat/decode-xml-wineventlog.md b/docs/reference/auditbeat/decode-xml-wineventlog.md
new file mode 100644
index 000000000000..6de117485e6f
--- /dev/null
+++ b/docs/reference/auditbeat/decode-xml-wineventlog.md
@@ -0,0 +1,162 @@
+---
+navigation_title: "decode_xml_wineventlog"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/decode-xml-wineventlog.html
+---
+
+# Decode XML Wineventlog [decode-xml-wineventlog]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `decode_xml_wineventlog` processor decodes Windows Event Log data in XML format that is stored under the `field` key. It outputs the result into the `target_field`.
+
+The output fields will be the same as the [winlogbeat winlog fields](/reference/winlogbeat/exported-fields-winlog.md#_winlog).
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the XML. Defaults to `message`.
+
+`target_field`
+:   (Required) The field under which the decoded XML will be written. To merge the decoded XML fields into the root of the event specify `target_field` with an empty string (`target_field: ""`). The default value is `winlog`.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the decoded XML object. The default value is `true`.
+
+`map_ecs_fields`
+:   (Optional) A boolean that specifies whether to map additional ECS fields when possible. Note that ECS field keys are placed outside of `target_field`. The default value is `true`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+`language`
+:   (Optional) The language ID the events will be rendered in. The language will be forced regardless of the system language. Forwarded events will ignore this setting. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language.
+
+Example:
+
+```yaml
+processors:
+  - decode_xml_wineventlog:
+      field: event.original
+      target_field: winlog
+```
+
+```json
+{
+  "event": {
+    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>"
+  }
+}
+```
+
+Will produce the following output:
+
+```json
+{
+  "event": {
+    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>",
+    "action":   "Special Logon",
+		"code":     "4672",
+		"kind":     "event",
+		"outcome":  "success",
+		"provider": "Microsoft-Windows-Security-Auditing",
+  },
+	"host": {
+    "name": "vagrant",
+  },
+  "log": {
+    "level": "information",
+  },
+  "winlog": {
+    "channel": "Security",
+    "outcome": "success",
+    "activity_id": "{ffb23523-1f32-0000-c335-b2ff321fd701}",
+    "level": "information",
+    "event_id": 4672,
+    "provider_name": "Microsoft-Windows-Security-Auditing",
+    "record_id": 11303,
+    "computer_name": "vagrant",
+    "keywords_raw": 9232379236109516800,
+    "opcode": "Info",
+    "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+    "event_data": {
+      "SubjectUserSid": "S-1-5-18",
+      "SubjectUserName": "SYSTEM",
+      "SubjectDomainName": "NT AUTHORITY",
+      "SubjectLogonId": "0x3e7",
+      "PrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"
+    },
+    "task": "Special Logon",
+    "keywords": [
+      "Audit Success"
+    ],
+    "message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
+    "process": {
+      "pid": 652,
+      "thread": {
+        "id": 4660
+      }
+    }
+  }
+}
+```
+
+See [Conditions](/reference/auditbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+The field mappings are as follows:
+
+| Event Field | Source XML Element | Notes |
+| --- | --- | --- |
+| `winlog.channel` | `<Event><System><Channel>` |  |
+| `winlog.event_id` | `<Event><System><EventID>` |  |
+| `winlog.provider_name` | `<Event><System><Provider>` | `Name` attribute |
+| `winlog.record_id` | `<Event><System><EventRecordID>` |  |
+| `winlog.task` | `<Event><System><Task>` |  |
+| `winlog.computer_name` | `<Event><System><Computer>` |  |
+| `winlog.keywords` | `<Event><RenderingInfo><Keywords>` | list of each `Keyword` |
+| `winlog.opcodes` | `<Event><RenderingInfo><Opcode>` |  |
+| `winlog.provider_guid` | `<Event><System><Provider>` | `Guid` attribute |
+| `winlog.version` | `<Event><System><Version>` |  |
+| `winlog.time_created` | `<Event><System><TimeCreated>` | `SystemTime` attribute |
+| `winlog.outcome` | `<Event><System><Keywords>` | "success" if bit 0x20000000000000 is set, "failure" if 0x10000000000000 is set |
+| `winlog.level` | `<Event><System><Level>` | converted to lowercase |
+| `winlog.message` | `<Event><RenderingInfo><Message>` | line endings removed |
+| `winlog.user.identifier` | `<Event><System><Security><UserID>` |  |
+| `winlog.user.domain` | `<Event><System><Security><Domain>` |  |
+| `winlog.user.name` | `<Event><System><Security><Name>` |  |
+| `winlog.user.type` | `<Event><System><Security><Type>` | converted from integer to String |
+| `winlog.event_data` | `<Event><EventData>` | map where `Name` attribute in Data element is key, and value is the value of the Data element |
+| `winlog.user_data` | `<Event><UserData>` | map where `Name` attribute in Data element is key, and value is the value of the Data element |
+| `winlog.activity_id` | `<Event><System><Correlation><ActivityID>` |  |
+| `winlog.related_activity_id` | `<Event><System><Correlation><RelatedActivityID>` |  |
+| `winlog.kernel_time` | `<Event><System><Execution><KernelTime>` |  |
+| `winlog.process.pid` | `<Event><System><Execution><ProcessID>` |  |
+| `winlog.process.thread.id` | `<Event><System><Execution><ThreadID>` |  |
+| `winlog.processor_id` | `<Event><System><Execution><ProcessorID>` |  |
+| `winlog.processor_time` | `<Event><System><Execution><ProcessorTime>` |  |
+| `winlog.session_id` | `<Event><System><Execution><SessionID>` |  |
+| `winlog.user_time` | `<Event><System><Execution><UserTime>` |  |
+| `winlog.error.code` | `<Event><ProcessingErrorData><ErrorCode>` |  |
+
+If `map_ecs_fields` is enabled then the following field mappings are also performed:
+
+| Event Field | Source XML or other field | Notes |
+| --- | --- | --- |
+| `event.code` | `winlog.event_id` |  |
+| `event.kind` | `"event"` |  |
+| `event.provider` | `<Event><System><Provider>` | `Name` attribute |
+| `event.action` | `<Event><RenderingInfo><Task>` |  |
+| `event.host.name` | `<Event><System><Computer>` |  |
+| `event.outcome` | `winlog.outcome` |  |
+| `log.level` | `winlog.level` |  |
+| `message` | `winlog.message` |  |
+| `error.code` | `winlog.error.code` |  |
+| `error.message` | `winlog.error.message` |  |
+
diff --git a/docs/reference/auditbeat/decode-xml.md b/docs/reference/auditbeat/decode-xml.md
new file mode 100644
index 000000000000..252cd8380806
--- /dev/null
+++ b/docs/reference/auditbeat/decode-xml.md
@@ -0,0 +1,96 @@
+---
+navigation_title: "decode_xml"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/decode-xml.html
+---
+
+# Decode XML [decode-xml]
+
+
+The `decode_xml` processor decodes XML data that is stored under the `field` key. It outputs the result into the `target_field`.
+
+This example demonstrates how to decode an XML string contained in the `message` field and write the resulting fields into the root of the document. Any fields that already exist will be overwritten.
+
+```yaml
+processors:
+  - decode_xml:
+      field: message
+      target_field: ""
+      overwrite_keys: true
+```
+
+By default any decoding errors that occur will stop the processing chain and the error will be added to `error.message` field. To ignore all errors and continue to the next processor you can set `ignore_failure: true`. To specifically ignore failures caused by `field` not existing you can set `ignore_missing: true`.
+
+```yaml
+processors:
+  - decode_xml:
+      field: example
+      target_field: xml
+      ignore_missing: true
+      ignore_failure: true
+```
+
+By default all keys converted from XML will have the names converted to lowercase. If there is a need to disable this behavior it is possible to use the below example:
+
+```yaml
+processors:
+  - decode_xml:
+      field: message
+      target_field: xml
+      to_lower: false
+```
+
+Example XML input:
+
+```xml
+<catalog>
+  <book seq="1">
+    <author>William H. Gaddis</author>
+    <title>The Recognitions</title>
+    <review>One of the great seminal American novels of the 20th century.</review>
+  </book>
+</catalog>
+```
+
+Will produce the following output:
+
+```json
+{
+	"xml": {
+		"catalog": {
+			"book": {
+				"author": "William H. Gaddis",
+				"review": "One of the great seminal American novels of the 20th century.",
+				"seq": "1",
+				"title": "The Recognitions"
+			}
+		}
+	}
+}
+```
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the XML. Defaults to `message`.
+
+`target_field`
+:   (Optional) The field under which the decoded XML will be written. By default the decoded XML object replaces the field from which it was read. To merge the decoded XML fields into the root of the event specify `target_field` with an empty string (`target_field: ""`). Note that the `null` value (`target_field:`) is treated as if the field was not set at all.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the decoded XML object. The default value is `true`.
+
+`to_lower`
+:   (Optional) Converts all keys to lowercase. Accepts either `true` or `false`. The default value is `true`.
+
+`document_id`
+:   (Optional) XML key to use as the document ID. If configured, the field will be removed from the original XML document and stored in `@metadata._id`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+See [Conditions](/reference/auditbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/auditbeat/decompress-gzip-field.md b/docs/reference/auditbeat/decompress-gzip-field.md
new file mode 100644
index 000000000000..18ef37619cce
--- /dev/null
+++ b/docs/reference/auditbeat/decompress-gzip-field.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "decompress_gzip_field"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/decompress-gzip-field.html
+---
+
+# Decompress gzip fields [decompress-gzip-field]
+
+
+The `decompress_gzip_field` processor specifies a field to gzip decompress. The `field` key contains a `from: old-key` and a `to: new-key` pair. `from` is the origin and `to` the target name of the field.
+
+To overwrite fields either first rename the target field or use the `drop_fields` processor to drop the field and then decompress the field.
+
+```yaml
+processors:
+  - decompress_gzip_field:
+      field:
+        from: "field1"
+        to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above: - field1 is decoded in field2
+
+The `decompress_gzip_field` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be decompressed is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the decompression of fields is stopped and the original event is returned. If set to false, decompression continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/auditbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/auditbeat/defining-processors.md b/docs/reference/auditbeat/defining-processors.md
new file mode 100644
index 000000000000..dbcb0706c811
--- /dev/null
+++ b/docs/reference/auditbeat/defining-processors.md
@@ -0,0 +1,329 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/defining-processors.html
+---
+
+# Define processors [defining-processors]
+
+You can use processors to filter and enhance data before sending it to the configured output. To define a processor, you specify the processor name, an optional condition, and a set of parameters:
+
+```yaml
+processors:
+  - <processor_name>:
+      when:
+        <condition>
+      <parameters>
+
+  - <processor_name>:
+      when:
+        <condition>
+      <parameters>
+
+...
+```
+
+Where:
+
+* `<processor_name>` specifies a [processor](#processors) that performs some kind of action, such as selecting the fields that are exported or adding metadata to the event.
+* `<condition>` specifies an optional [condition](#conditions). If the condition is present, then the action is executed only if the condition is fulfilled. If no condition is set, then the action is always executed.
+* `<parameters>` is the list of parameters to pass to the processor.
+
+More complex conditional processing can be accomplished by using the if-then-else processor configuration. This allows multiple processors to be executed based on a single condition.
+
+```yaml
+processors:
+  - if:
+      <condition>
+    then: <1>
+      - <processor_name>:
+          <parameters>
+      - <processor_name>:
+          <parameters>
+      ...
+    else: <2>
+      - <processor_name>:
+          <parameters>
+      - <processor_name>:
+          <parameters>
+      ...
+```
+
+1. `then` must contain a single processor or a list of one or more processors to execute when the condition evaluates to true.
+2. `else` is optional. It can contain a single processor or a list of processors to execute when the conditional evaluate to false.
+
+
+## Where are processors valid? [where-valid]
+
+Processors are valid:
+
+* At the top-level in the configuration. The processor is applied to all data collected by Auditbeat.
+* Under a specific module. The processor is applied to the data collected for that module.
+
+    ```yaml
+    auditbeat.modules:
+    - module: <module_name>
+      processors:
+        - <processor_name>:
+            when:
+              <condition>
+            <parameters>
+    ```
+
+
+
+## Processors [processors]
+
+The supported processors are:
+
+* [`add_cloud_metadata`](/reference/auditbeat/add-cloud-metadata.md)
+* [`add_cloudfoundry_metadata`](/reference/auditbeat/add-cloudfoundry-metadata.md)
+* [`add_docker_metadata`](/reference/auditbeat/add-docker-metadata.md)
+* [`add_fields`](/reference/auditbeat/add-fields.md)
+* [`add_host_metadata`](/reference/auditbeat/add-host-metadata.md)
+* [`add_id`](/reference/auditbeat/add-id.md)
+* [`add_kubernetes_metadata`](/reference/auditbeat/add-kubernetes-metadata.md)
+* [`add_labels`](/reference/auditbeat/add-labels.md)
+* [`add_locale`](/reference/auditbeat/add-locale.md)
+* [`add_nomad_metadata`](/reference/auditbeat/add-nomad-metadata.md)
+* [`add_observer_metadata`](/reference/auditbeat/add-observer-metadata.md)
+* [`add_process_metadata`](/reference/auditbeat/add-process-metadata.md)
+* [`add_session_metadata`](/reference/auditbeat/add-session-metadata.md)
+* [`add_tags`](/reference/auditbeat/add-tags.md)
+* [`append`](/reference/auditbeat/append.md)
+* [`community_id`](/reference/auditbeat/community-id.md)
+* [`convert`](/reference/auditbeat/convert.md)
+* [`copy_fields`](/reference/auditbeat/copy-fields.md)
+* [`decode_base64_field`](/reference/auditbeat/decode-base64-field.md)
+* [`decode_duration`](/reference/auditbeat/decode-duration.md)
+* [`decode_json_fields`](/reference/auditbeat/decode-json-fields.md)
+* [`decode_xml`](/reference/auditbeat/decode-xml.md)
+* [`decode_xml_wineventlog`](/reference/auditbeat/decode-xml-wineventlog.md)
+* [`decompress_gzip_field`](/reference/auditbeat/decompress-gzip-field.md)
+* [`detect_mime_type`](/reference/auditbeat/detect-mime-type.md)
+* [`dissect`](/reference/auditbeat/dissect.md)
+* [`dns`](/reference/auditbeat/processor-dns.md)
+* [`drop_event`](/reference/auditbeat/drop-event.md)
+* [`drop_fields`](/reference/auditbeat/drop-fields.md)
+* [`extract_array`](/reference/auditbeat/extract-array.md)
+* [`fingerprint`](/reference/auditbeat/fingerprint.md)
+* [`include_fields`](/reference/auditbeat/include-fields.md)
+* [`move-fields`](/reference/auditbeat/move-fields.md)
+* [`rate_limit`](/reference/auditbeat/rate-limit.md)
+* [`registered_domain`](/reference/auditbeat/processor-registered-domain.md)
+* [`rename`](/reference/auditbeat/rename-fields.md)
+* [`replace`](/reference/auditbeat/replace-fields.md)
+* [`syslog`](/reference/auditbeat/syslog.md)
+* [`translate_ldap_attribute`](/reference/auditbeat/processor-translate-guid.md)
+* [`translate_sid`](/reference/auditbeat/processor-translate-sid.md)
+* [`truncate_fields`](/reference/auditbeat/truncate-fields.md)
+* [`urldecode`](/reference/auditbeat/urldecode.md)
+
+
+## Conditions [conditions]
+
+Each condition receives a field to compare. You can specify multiple fields under the same condition by using `AND` between the fields (for example, `field1 AND field2`).
+
+For each field, you can specify a simple field name or a nested map, for example `dns.question.name`.
+
+See [Exported fields](/reference/auditbeat/exported-fields.md) for a list of all the fields that are exported by Auditbeat.
+
+The supported conditions are:
+
+* [`equals`](#condition-equals)
+* [`contains`](#condition-contains)
+* [`regexp`](#condition-regexp)
+* [`range`](#condition-range)
+* [`network`](#condition-network)
+* [`has_fields`](#condition-has_fields)
+* [`or`](#condition-or)
+* [`and`](#condition-and)
+* [`not`](#condition-not)
+
+
+#### `equals` [condition-equals]
+
+With the `equals` condition, you can compare if a field has a certain value. The condition accepts only an integer or a string value.
+
+For example, the following condition checks if the response code of the HTTP transaction is 200:
+
+```yaml
+equals:
+  http.response.code: 200
+```
+
+
+#### `contains` [condition-contains]
+
+The `contains` condition checks if a value is part of a field. The field can be a string or an array of strings. The condition accepts only a string value.
+
+For example, the following condition checks if an error is part of the transaction status:
+
+```yaml
+contains:
+  status: "Specific error"
+```
+
+
+#### `regexp` [condition-regexp]
+
+The `regexp` condition checks the field against a regular expression. The condition accepts only strings.
+
+For example, the following condition checks if the process name starts with `foo`:
+
+```yaml
+regexp:
+  system.process.name: "^foo.*"
+```
+
+
+#### `range` [condition-range]
+
+The `range` condition checks if the field is in a certain range of values. The condition supports `lt`, `lte`, `gt` and `gte`. The condition accepts only integer, float, or strings that can be converted to either of these as values.
+
+For example, the following condition checks for failed HTTP transactions by comparing the `http.response.code` field with 400.
+
+```yaml
+range:
+  http.response.code:
+    gte: 400
+```
+
+This can also be written as:
+
+```yaml
+range:
+  http.response.code.gte: 400
+```
+
+The following condition checks if the CPU usage in percentage has a value between 0.5 and 0.8.
+
+```yaml
+range:
+  system.cpu.user.pct.gte: 0.5
+  system.cpu.user.pct.lt: 0.8
+```
+
+
+#### `network` [condition-network]
+
+The `network` condition checks whether a field’s value falls within a specified IP network range. If multiple fields are provided, each field value must match its corresponding network range. You can specify multiple network ranges for a single field, and a match occurs if any one of the ranges matches. If the field value is an array of IPs, it will match if any of the IPs fall within any of the given ranges. Both IPv4 and IPv6 addresses are supported.
+
+The network range may be specified using CIDR notation, like "192.0.2.0/24" or "2001:db8::/32", or by using one of these named ranges:
+
+* `loopback` - Matches loopback addresses in the range of `127.0.0.0/8` or `::1/128`.
+* `unicast` - Matches global unicast addresses defined in RFC 1122, RFC 4632, and RFC 4291 with the exception of the IPv4 broadcast address (`255.255.255.255`). This includes private address ranges.
+* `multicast` - Matches multicast addresses.
+* `interface_local_multicast` - Matches IPv6 interface-local multicast addresses.
+* `link_local_unicast` - Matches link-local unicast addresses.
+* `link_local_multicast` - Matches link-local multicast addresses.
+* `private` - Matches private address ranges defined in RFC 1918 (IPv4) and RFC 4193 (IPv6).
+* `public` - Matches addresses that are not loopback, unspecified, IPv4 broadcast, link local unicast, link local multicast, interface local multicast, or private.
+* `unspecified` - Matches unspecified addresses (either the IPv4 address "0.0.0.0" or the IPv6 address "::").
+
+The following condition returns true if the `source.ip` value is within the private address space.
+
+```yaml
+network:
+  source.ip: private
+```
+
+This condition returns true if the `destination.ip` value is within the IPv4 range of `192.168.1.0` - `192.168.1.255`.
+
+```yaml
+network:
+  destination.ip: '192.168.1.0/24'
+```
+
+And this condition returns true when `destination.ip` is within any of the given subnets.
+
+```yaml
+network:
+  destination.ip: ['192.168.1.0/24', '10.0.0.0/8', loopback]
+```
+
+
+#### `has_fields` [condition-has_fields]
+
+The `has_fields` condition checks if all the given fields exist in the event. The condition accepts a list of string values denoting the field names.
+
+For example, the following condition checks if the `http.response.code` field is present in the event.
+
+```yaml
+has_fields: ['http.response.code']
+```
+
+
+#### `or` [condition-or]
+
+The `or` operator receives a list of conditions.
+
+```yaml
+or:
+  - <condition1>
+  - <condition2>
+  - <condition3>
+  ...
+```
+
+For example, to configure the condition `http.response.code = 304 OR http.response.code = 404`:
+
+```yaml
+or:
+  - equals:
+      http.response.code: 304
+  - equals:
+      http.response.code: 404
+```
+
+
+#### `and` [condition-and]
+
+The `and` operator receives a list of conditions.
+
+```yaml
+and:
+  - <condition1>
+  - <condition2>
+  - <condition3>
+  ...
+```
+
+For example, to configure the condition `http.response.code = 200 AND status = OK`:
+
+```yaml
+and:
+  - equals:
+      http.response.code: 200
+  - equals:
+      status: OK
+```
+
+To configure a condition like `<condition1> OR <condition2> AND <condition3>`:
+
+```yaml
+or:
+  - <condition1>
+  - and:
+    - <condition2>
+    - <condition3>
+```
+
+
+#### `not` [condition-not]
+
+The `not` operator receives the condition to negate.
+
+```yaml
+not:
+  <condition>
+```
+
+For example, to configure the condition `NOT status = OK`:
+
+```yaml
+not:
+  equals:
+    status: OK
+```
+
+
diff --git a/docs/reference/auditbeat/detect-mime-type.md b/docs/reference/auditbeat/detect-mime-type.md
new file mode 100644
index 000000000000..c96dfec51582
--- /dev/null
+++ b/docs/reference/auditbeat/detect-mime-type.md
@@ -0,0 +1,22 @@
+---
+navigation_title: "detect_mime_type"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/detect-mime-type.html
+---
+
+# Detect mime type [detect-mime-type]
+
+
+The `detect_mime_type` processor attempts to detect a mime type for a field that contains a given stream of bytes. The `field` key contains the field used as the data source and the `target` key contains the field to populate with the detected type. It’s supported to use `@metadata.` prefix for `target` and set the value in the event metadata instead of fields.
+
+```yaml
+processors:
+  - detect_mime_type:
+      field: http.request.body.content
+      target: http.request.mime_type
+```
+
+In the example above: - http.request.body.content is used as the source and http.request.mime_type is set to the detected mime type
+
+See [Conditions](/reference/auditbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/auditbeat/diff-logstash-beats.md b/docs/reference/auditbeat/diff-logstash-beats.md
new file mode 100644
index 000000000000..2fece6444942
--- /dev/null
+++ b/docs/reference/auditbeat/diff-logstash-beats.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/diff-logstash-beats.html
+---
+
+# Not sure whether to use Logstash or Beats [diff-logstash-beats]
+
+Beats are lightweight data shippers that you install as agents on your servers to send specific types of operational data to {{es}}. Beats have a small footprint and use fewer system resources than {{ls}}.
+
+{{ls}} has a larger footprint, but provides a broad array of input, filter, and output plugins for collecting, enriching, and transforming data from a variety of sources.
+
+For more information, see the [{{ls}} Introduction](logstash://reference/index.md) and the [Beats Overview](/reference/index.md).
+
diff --git a/docs/reference/auditbeat/directory-layout.md b/docs/reference/auditbeat/directory-layout.md
new file mode 100644
index 000000000000..f8b5d9103e2d
--- /dev/null
+++ b/docs/reference/auditbeat/directory-layout.md
@@ -0,0 +1,70 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/directory-layout.html
+---
+
+# Directory layout [directory-layout]
+
+The directory layout of an installation is as follows:
+
+::::{tip}
+Archive installation has a different layout. See [zip, tar.gz, or tgz](#directory-layout-archive).
+::::
+
+
+| Type | Description | Default Location | Config Option |
+| --- | --- | --- | --- |
+| home | Home of the Auditbeat installation. |  | `path.home` |
+| bin | The location for the binary files. | `{path.home}/bin` |  |
+| config | The location for configuration files. | `{path.home}` | `path.config` |
+| data | The location for persistent data files. | `{path.home}/data` | `path.data` |
+| logs | The location for the logs created by Auditbeat. | `{path.home}/logs` | `path.logs` |
+
+You can change these settings by using CLI flags or setting [path options](/reference/auditbeat/configuration-path.md) in the configuration file.
+
+## Default paths [_default_paths]
+
+Auditbeat uses the following default paths unless you explicitly change them.
+
+
+#### deb and rpm [_deb_and_rpm]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Auditbeat installation. | `/usr/share/auditbeat` |
+| bin | The location for the binary files. | `/usr/share/auditbeat/bin` |
+| config | The location for configuration files. | `/etc/auditbeat` |
+| data | The location for persistent data files. | `/var/lib/auditbeat` |
+| logs | The location for the logs created by Auditbeat. | `/var/log/auditbeat` |
+
+For the deb and rpm distributions, these paths are set in the init script or in the systemd unit file.  Make sure that you start the Auditbeat service by using the preferred operating system method (init scripts or `systemctl`). Otherwise the paths might be set incorrectly.
+
+
+#### docker [_docker]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Auditbeat installation. | `/usr/share/auditbeat` |
+| bin | The location for the binary files. | `/usr/share/auditbeat` |
+| config | The location for configuration files. | `/usr/share/auditbeat` |
+| data | The location for persistent data files. | `/usr/share/auditbeat/data` |
+| logs | The location for the logs created by Auditbeat. | `/usr/share/auditbeat/logs` |
+
+
+#### zip, tar.gz, or tgz [directory-layout-archive]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Auditbeat installation. | `{extract.path}` |
+| bin | The location for the binary files. | `{extract.path}` |
+| config | The location for configuration files. | `{extract.path}` |
+| data | The location for persistent data files. | `{extract.path}/data` |
+| logs | The location for the logs created by Auditbeat. | `{extract.path}/logs` |
+
+For the zip, tar.gz, or tgz distributions, these paths are based on the location of the extracted binary file. This means that if you start Auditbeat with the following simple command, all paths are set correctly:
+
+```sh
+./auditbeat
+```
+
+
diff --git a/docs/reference/auditbeat/discard-output.md b/docs/reference/auditbeat/discard-output.md
new file mode 100644
index 000000000000..e5c4fc8892e9
--- /dev/null
+++ b/docs/reference/auditbeat/discard-output.md
@@ -0,0 +1,37 @@
+---
+navigation_title: "Discard"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/discard-output.html
+---
+
+# Configure the Discard output [discard-output]
+
+
+The Discard output throws away data.
+
+::::{warning}
+The Discard output should be used only for development or debugging issues. Data is lost.
+::::
+
+
+This can be useful if you want to work on your input configuration without needing to configure an output. It can also be useful to test how changes in input and processor configuration affect performance.
+
+Example configuration:
+
+```yaml
+output.discard:
+  enabled: true
+```
+
+## Configuration options [_configuration_options_8]
+
+You can specify the following `output.discard` options in the `auditbeat.yml` config file:
+
+### `enabled` [_enabled_7]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+
diff --git a/docs/reference/auditbeat/dissect.md b/docs/reference/auditbeat/dissect.md
new file mode 100644
index 000000000000..d76e3fcb122f
--- /dev/null
+++ b/docs/reference/auditbeat/dissect.md
@@ -0,0 +1,95 @@
+---
+navigation_title: "dissect"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/dissect.html
+---
+
+# Dissect strings [dissect]
+
+
+The `dissect` processor tokenizes incoming strings using defined patterns.
+
+```yaml
+processors:
+  - dissect:
+      tokenizer: "%{key1} %{key2} %{key3|convert_datatype}"
+      field: "message"
+      target_prefix: "dissect"
+```
+
+The `dissect` processor has the following configuration settings:
+
+`tokenizer`
+:   The field used to define the **dissection** pattern. Optional convert datatype can be provided after the key using `|` as separator to convert the value from string to integer, long, float, double, boolean or ip.
+
+`field`
+:   (Optional) The event field to tokenize. Default is `message`.
+
+`target_prefix`
+:   (Optional) The name of the field where the values will be extracted. When an empty string is defined, the processor will create the keys at the root of the event. Default is `dissect`. When the target key already exists in the event, the processor won’t replace it and log an error; you need to either drop or rename the key before using dissect, or enable the `overwrite_keys` flag.
+
+`ignore_failure`
+:   (Optional) Flag to control whether the processor returns an error if the tokenizer fails to match the message field. If set to true, the processor will silently restore the original event, allowing execution of subsequent processors (if any). If set to false (default), the processor will log an error, preventing execution of other processors.
+
+`overwrite_keys`
+:   (Optional) When set to true, the processor will overwrite existing keys in the event. The default is false, which causes the processor to fail when a key already exists.
+
+`trim_values`
+:   (Optional) Enables the trimming of the extracted values. Useful to remove leading and/or trailing spaces. Possible values are:
+
+    * `none`: (default) no trimming is performed.
+    * `left`: values are trimmed on the left (leading).
+    * `right`: values are trimmed on the right (trailing).
+    * `all`: values are trimmed for leading and trailing.
+
+
+`trim_chars`
+:   (Optional) Set of characters to trim from values, when trimming is enabled. The default is to trim the space character (`" "`). To trim multiple characters, simply set it to a string containing all characters to trim. For example, `trim_chars: " \t"` will trim spaces and/or tabs.
+
+For tokenization to be successful, all keys must be found and extracted, if one of them cannot be found an error will be logged and no modification is done on the original event.
+
+::::{note}
+A key can contain any characters except reserved suffix or prefix modifiers:  `/`,`&`, `+`, `#` and `?`.
+::::
+
+
+See [Conditions](/reference/auditbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+## Dissect example [dissect-example]
+
+For this example, imagine that an application generates the following messages:
+
+```sh
+"321 - App01 - WebServer is starting"
+"321 - App01 - WebServer is up and running"
+"321 - App01 - WebServer is scaling 2 pods"
+"789 - App02 - Database is will be restarted in 5 minutes"
+"789 - App02 - Database is up and running"
+"789 - App02 - Database is refreshing tables"
+```
+
+Use the `dissect` processor to split each message into three fields, for example, `service.pid`, `service.name` and `service.status`:
+
+```yaml
+processors:
+  - dissect:
+      tokenizer: '"%{service.pid|integer} - %{service.name} - %{service.status}"'
+      field: "message"
+      target_prefix: ""
+```
+
+This configuration produces fields like:
+
+```json
+"service": {
+  "pid": 321,
+  "name": "App01",
+  "status": "WebServer is up and running"
+},
+```
+
+`service.name` is an ECS [keyword field](elasticsearch://reference/elasticsearch/mapping-reference/keyword.md), which means that you can use it in {{es}} for filtering, sorting, and aggregations.
+
+When possible, use ECS-compatible field names. For more information, see the [Elastic Common Schema](ecs://reference/index.md) documentation.
+
+
diff --git a/docs/reference/auditbeat/drop-event.md b/docs/reference/auditbeat/drop-event.md
new file mode 100644
index 000000000000..a5da398445e5
--- /dev/null
+++ b/docs/reference/auditbeat/drop-event.md
@@ -0,0 +1,20 @@
+---
+navigation_title: "drop_event"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/drop-event.html
+---
+
+# Drop events [drop-event]
+
+
+The `drop_event` processor drops the entire event if the associated condition is fulfilled. The condition is mandatory, because without one, all the events are dropped.
+
+```yaml
+processors:
+  - drop_event:
+      when:
+        condition
+```
+
+See [Conditions](/reference/auditbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/auditbeat/drop-fields.md b/docs/reference/auditbeat/drop-fields.md
new file mode 100644
index 000000000000..ba62bb65b75c
--- /dev/null
+++ b/docs/reference/auditbeat/drop-fields.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "drop_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/drop-fields.html
+---
+
+# Drop fields from events [drop-fields]
+
+
+The `drop_fields` processor specifies which fields to drop if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always dropped. The `@timestamp` and `type` fields cannot be dropped, even if they show up in the `drop_fields` list.
+
+```yaml
+processors:
+  - drop_fields:
+      when:
+        condition
+      fields: ["field1", "field2", ...]
+      ignore_missing: false
+```
+
+See [Conditions](/reference/auditbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+::::{note}
+If you define an empty list of fields under `drop_fields`, then no fields are dropped.
+::::
+
+
+The `drop_fields` processor has the following configuration settings:
+
+`fields`
+:   If non-empty, a list of matching field names will be removed. Any element in array can contain a regular expression delimited by two slashes (*/reg_exp/*), in order to match (name) and remove more than one field.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
diff --git a/docs/reference/auditbeat/elasticsearch-output.md b/docs/reference/auditbeat/elasticsearch-output.md
new file mode 100644
index 000000000000..e075de21509c
--- /dev/null
+++ b/docs/reference/auditbeat/elasticsearch-output.md
@@ -0,0 +1,520 @@
+---
+navigation_title: "Elasticsearch"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/elasticsearch-output.html
+---
+
+# Configure the Elasticsearch output [elasticsearch-output]
+
+
+The Elasticsearch output sends events directly to Elasticsearch using the Elasticsearch HTTP API.
+
+Example configuration:
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"] <1>
+```
+
+1. To enable SSL, add `https` to all URLs defined under *hosts*.
+
+
+When sending data to a secured cluster through the `elasticsearch` output, Auditbeat can use any of the following authentication methods:
+
+* Basic authentication credentials (username and password).
+* Token-based (API key) authentication.
+* Public Key Infrastructure (PKI) certificates.
+
+**Basic authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  username: "auditbeat_writer"
+  password: "{pwd}"
+```
+
+**API key authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  api_key: "ZCV7VnwBgnX0T19fN8Qe:KnR6yE41RrSowb0kQ0HWoA"
+```
+
+**PKI certificate authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  ssl.certificate: "/etc/pki/client/cert.pem"
+  ssl.key: "/etc/pki/client/cert.key"
+```
+
+See [*Secure communication with Elasticsearch*](/reference/auditbeat/securing-communication-elasticsearch.md) for details on each authentication method.
+
+## Compatibility [_compatibility]
+
+This output works with all compatible versions of Elasticsearch. See the [Elastic Support Matrix](https://www.elastic.co/support/matrix#matrix_compatibility).
+
+Optionally, you can set Auditbeat to only connect to instances that are at least on the same version as the Beat. The check can be enabled by setting `output.elasticsearch.allow_older_versions` to `false`. Leaving the setting at it’s default value of `true` avoids an issue where Auditbeat cannot connect to {{es}} after having been upgraded to a version higher than the {{stack}}.
+
+
+## Configuration options [_configuration_options_2]
+
+You can specify the following options in the `elasticsearch` section of the `auditbeat.yml` config file:
+
+### `enabled` [_enabled]
+
+The enabled config is a boolean setting to enable or disable the output. If set to `false`, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [hosts-option]
+
+The list of Elasticsearch nodes to connect to. The events are distributed to these nodes in round robin order. If one node becomes unreachable, the event is automatically sent to another node. Each Elasticsearch node can be defined as a `URL` or `IP:PORT`. For example: `http://192.15.3.2`, `https://es.found.io:9230` or `192.24.3.2:9300`. If no port is specified, `9200` is used.
+
+::::{note}
+When a node is defined as an `IP:PORT`, the *scheme* and *path* are taken from the [`protocol`](#protocol-option) and [`path`](#path-option) config options.
+::::
+
+
+```yaml
+output.elasticsearch:
+  hosts: ["10.45.3.2:9220", "10.45.3.1:9230"]
+  protocol: https
+  path: /elasticsearch
+```
+
+In the previous example, the Elasticsearch nodes are available at `https://10.45.3.2:9220/elasticsearch` and `https://10.45.3.1:9230/elasticsearch`.
+
+
+### `compression_level` [compression-level-option]
+
+The gzip compression level. Setting this value to `0` disables compression. The compression level must be in the range of `1` (best speed) to `9` (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the cpu usage.
+
+The default value is `1`.
+
+
+### `escape_html` [_escape_html]
+
+Configure escaping of HTML in strings. Set to `true` to enable escaping.
+
+The default value is `false`.
+
+
+### `worker` or `workers` [worker-option]
+
+The number of workers per configured host publishing events to Elasticsearch. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+The default value is `1`.
+
+
+### `loadbalance` [_loadbalance]
+
+When `loadbalance: true` is set, Auditbeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Auditbeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Auditbeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Auditbeat can connect to at least one of its configured hosts.
+
+The default value is `true`.
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200", "localhost:9201"]
+  loadbalance: true
+```
+
+
+### `api_key` [_api_key]
+
+Instead of using a username and password, you can use API keys to secure communication with {{es}}. The value must be the ID of the API key and the API key joined by a colon: `id:api_key`.
+
+See [*Grant access using API keys*](/reference/auditbeat/beats-api-keys.md) for more information.
+
+
+### `username` [_username]
+
+The basic authentication username for connecting to Elasticsearch.
+
+This user needs the privileges required to publish events to {{es}}. To create a user like this, see [Create a *publishing* user](/reference/auditbeat/privileges-to-publish-events.md).
+
+
+### `password` [_password]
+
+The basic authentication password for connecting to Elasticsearch.
+
+
+### `parameters` [_parameters]
+
+Dictionary of HTTP parameters to pass within the url with index operations.
+
+
+### `protocol` [protocol-option]
+
+The name of the protocol Elasticsearch is reachable on. The options are: `http` or `https`. The default is `http`. However, if you specify a URL for [`hosts`](#hosts-option), the value of `protocol` is overridden by whatever scheme you specify in the URL.
+
+
+### `path` [path-option]
+
+An HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where Elasticsearch listens behind an HTTP reverse proxy that exports the API under a custom prefix.
+
+
+### `headers` [_headers]
+
+Custom HTTP headers to add to each request created by the Elasticsearch output. Example:
+
+```yaml
+output.elasticsearch.headers:
+  X-My-Header: Header contents
+```
+
+It is possible to specify multiple header values for the same header name by separating them with a comma.
+
+
+### `proxy_disable` [_proxy_disable]
+
+If set to `true` all proxy settings, including `HTTP_PROXY` and `HTTPS_PROXY` variables are ignored.
+
+
+### `proxy_url` [_proxy_url]
+
+The URL of the proxy to use when connecting to the Elasticsearch servers. The value must be a complete URL. If a value is not specified through the configuration file then proxy environment variables are used. See the [Go documentation](https://golang.org/pkg/net/http/#ProxyFromEnvironment) for more information about the environment variables.
+
+
+### `proxy_headers` [_proxy_headers]
+
+Additional headers to send to proxies during CONNECT requests.
+
+
+### `index` [index-option-es]
+
+The indexing target to write events to. Can point to an [index](https://www.elastic.co/guide/en/elasticsearch/reference/current/index-mgmt.html), [alias](docs-content://manage-data/data-store/aliases.md), or [data stream](docs-content://manage-data/data-store/data-streams.md). When using daily indices, this will be the index name. The default is `"auditbeat-%{[agent.version]}-%{+yyyy.MM.dd}"`, for example, `"auditbeat-9.0.0-beta1-2025-01-30"`. If you change this setting, you also need to configure the `setup.template.name` and `setup.template.pattern` options (see [Elasticsearch index template](/reference/auditbeat/configuration-template.md)).
+
+If you are using the pre-built Kibana dashboards, you also need to set the `setup.dashboards.index` option (see [Kibana dashboards](/reference/auditbeat/configuration-dashboards.md)).
+
+When [index lifecycle management (ILM)](/reference/auditbeat/ilm.md) is enabled, the default `index` is `"auditbeat-%{[agent.version]}-%{+yyyy.MM.dd}-%{{index_num}}"`, for example, `"auditbeat-9.0.0-beta1-2025-01-30-000001"`. Custom `index` settings are ignored when ILM is enabled. If you’re sending events to a cluster that supports index lifecycle management, see [Index lifecycle management (ILM)](/reference/auditbeat/ilm.md) to learn how to change the index name.
+
+You can set the index dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_type`, to set the index:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  index: "%{[fields.log_type]}-%{[agent.version]}-%{+yyyy.MM.dd}" <1>
+```
+
+1. We recommend including `agent.version` in the name to avoid mapping issues when you upgrade.
+
+
+With this configuration, all events with `log_type: normal` are sent to an index named `normal-9.0.0-beta1-2025-01-30`, and all events with `log_type: critical` are sent to an index named `critical-9.0.0-beta1-2025-01-30`.
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/auditbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`indices`](#indices-option-es) setting for other ways to set the index dynamically.
+
+
+### `indices` [indices-option-es]
+
+An array of index selector rules. Each rule specifies the index to use for events that match the rule. During publishing, Auditbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `indices` setting is missing or no rule matches, the [`index`](#index-option-es) setting is used.
+
+Similar to `index`, defining custom `indices` will disable [Index lifecycle management (ILM)](/reference/auditbeat/ilm.md).
+
+Rule settings:
+
+**`index`**
+:   The index format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `index` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/auditbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sets the index based on whether the `message` field contains the specified string:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  indices:
+    - index: "warning-%{[agent.version]}-%{+yyyy.MM.dd}"
+      when.contains:
+        message: "WARN"
+    - index: "error-%{[agent.version]}-%{+yyyy.MM.dd}"
+      when.contains:
+        message: "ERR"
+```
+
+This configuration results in indices named `warning-9.0.0-beta1-2025-01-30` and `error-9.0.0-beta1-2025-01-30` (plus the default index if no matches are found).
+
+The following example sets the index by taking the name returned by the `index` format string and mapping it to a new name that’s used for the index:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  indices:
+    - index: "%{[fields.log_type]}"
+      mappings:
+        critical: "sev1"
+        normal: "sev2"
+      default: "sev3"
+```
+
+This configuration results in indices named `sev1`, `sev2`, and `sev3`.
+
+The `mappings` setting simplifies the configuration, but is limited to string values. You cannot specify format strings within the mapping pairs.
+
+
+### `ilm` [ilm-es]
+
+Configuration options for index lifecycle management.
+
+See [Index lifecycle management (ILM)](/reference/auditbeat/ilm.md) for more information.
+
+
+### `pipeline` [pipeline-option-es]
+
+A format string value that specifies the ingest pipeline to write events to.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipeline: my_pipeline_id
+```
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+For more information, see [*Parse data using an ingest pipeline*](/reference/auditbeat/configuring-ingest-node.md).
+
+You can set the ingest pipeline dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_type`, to set the pipeline for each event:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipeline: "%{[fields.log_type]}_pipeline"
+```
+
+With this configuration, all events with `log_type: normal` are sent to a pipeline named `normal_pipeline`, and all events with `log_type: critical` are sent to a pipeline named `critical_pipeline`.
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/auditbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`pipelines`](#pipelines-option-es) setting for other ways to set the ingest pipeline dynamically.
+
+
+### `pipelines` [pipelines-option-es]
+
+An array of pipeline selector rules. Each rule specifies the ingest pipeline to use for events that match the rule. During publishing, Auditbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `pipelines` setting is missing or no rule matches, the [`pipeline`](#pipeline-option-es) setting is used.
+
+Rule settings:
+
+**`pipeline`**
+:   The pipeline format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `pipeline` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/auditbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sends events to a specific pipeline based on whether the `message` field contains the specified string:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipelines:
+    - pipeline: "warning_pipeline"
+      when.contains:
+        message: "WARN"
+    - pipeline: "error_pipeline"
+      when.contains:
+        message: "ERR"
+```
+
+The following example sets the pipeline by taking the name returned by the `pipeline` format string and mapping it to a new name that’s used for the pipeline:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipelines:
+    - pipeline: "%{[fields.log_type]}"
+      mappings:
+        critical: "sev1_pipeline"
+        normal: "sev2_pipeline"
+      default: "sev3_pipeline"
+```
+
+With this configuration, all events with `log_type: critical` are sent to `sev1_pipeline`, all events with `log_type: normal` are sent to a `sev2_pipeline`, and all other events are sent to `sev3_pipeline`.
+
+For more information about ingest pipelines, see [*Parse data using an ingest pipeline*](/reference/auditbeat/configuring-ingest-node.md).
+
+
+### `max_retries` [_max_retries]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `bulk_max_size` [bulk-max-size-option]
+
+The maximum number of events to bulk in a single Elasticsearch bulk API index request. The default is 1600.
+
+Events can be collected into batches. Auditbeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `backoff.init` [backoff-init-option]
+
+The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting `backoff.init` seconds, Auditbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is `1s`.
+
+
+### `backoff.max` [backoff-max-option]
+
+The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. The default is `60s`.
+
+
+### `idle_connection_timeout` [idle-connection-timeout-option]
+
+The maximum amount of time an idle connection will remain idle before closing itself. Zero means no limit. The format is a Go language duration (example 60s is 60 seconds). The default is 3s.
+
+
+### `timeout` [_timeout]
+
+The http request timeout in seconds for the Elasticsearch request. The default is 90.
+
+
+### `allow_older_versions` [_allow_older_versions]
+
+By default, Auditbeat expects the Elasticsearch instance to be on the same or newer version to provide optimal experience. We suggest you connect to the same version to make sure all features Auditbeat is using are available in your Elasticsearch instance.
+
+You can disable the check for example during updating the Elastic Stack, so data collection can go on.
+
+
+### `ssl` [_ssl]
+
+Configuration options for SSL parameters like the certificate authority to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to Elasticsearch.
+
+See the [secure communication with {{es}}](/reference/auditbeat/securing-communication-elasticsearch.md) guide or [SSL configuration reference](/reference/auditbeat/configuration-ssl.md) for more information.
+
+
+### `kerberos` [_kerberos]
+
+Configuration options for Kerberos authentication.
+
+See [Kerberos](/reference/auditbeat/configuration-kerberos.md) for more information.
+
+
+### `queue` [_queue]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/auditbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `auditbeat.yml` or the `output` section but not both. ===== `non_indexable_policy`
+
+Specifies the behavior when the elasticsearch cluster explicitly rejects documents, for example on mapping conflicts.
+
+#### `drop` [_drop]
+
+The default behaviour, when an event is explicitly rejected by elasticsearch it is dropped.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  non_indexable_policy.drop: ~
+```
+
+
+#### `dead_letter_index` [_dead_letter_index]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+On an explicit rejection, this policy will retry the event in the next batch. However, the target index will change to index specified. In addition, the structure of the event will be change to the following fields:
+
+message
+:   Contains the escaped json of the original event.
+
+error.type
+:   Contains the status code
+
+error.message
+:   Contains status returned by elasticsearch, describing the reason
+
+`index`
+:   The index to send rejected events to.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  non_indexable_policy.dead_letter_index:
+    index: "my-dead-letter-index"
+```
+
+
+
+### `preset` [_preset]
+
+The performance preset to apply to the output configuration.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  preset: balanced
+```
+
+Performance presets apply a set of configuration overrides based on a desired performance goal. If set, a performance preset will override other configuration flags to match the recommended settings for that preset. If a preset doesn’t set a value for a particular field, the user-specified value will be used if present, otherwise the default. Valid options are: * `balanced`: good starting point for general efficiency * `throughput`: good for high data volumes, may increase cpu and memory requirements * `scale`: reduces ambient resource use in large low-throughput deployments * `latency`: minimize the time for fresh data to become visible in Elasticsearch * `custom`: apply user configuration directly with no overrides
+
+The default if unspecified is `custom`.
+
+Presets represent current recommendations based on the intended goal; their effect may change between versions to better suit those goals. Currently the presets have the following effects:
+
+| preset | balanced | throughput | scale | latency |
+| --- | --- | --- | --- | --- |
+| [`bulk_max_size`](#bulk-max-size-option) | 1600 | 1600 | 1600 | 50 |
+| [`worker`](#worker-option) | 1 | 4 | 1 | 1 |
+| [`queue.mem.events`](/reference/auditbeat/configuring-internal-queue.md#queue-mem-events-option) | 3200 | 12800 | 3200 | 4100 |
+| [`queue.mem.flush.min_events`](/reference/auditbeat/configuring-internal-queue.md#queue-mem-flush-min-events-option) | 1600 | 1600 | 1600 | 2050 |
+| [`queue.mem.flush.timeout`](/reference/auditbeat/configuring-internal-queue.md#queue-mem-flush-timeout-option) | `10s` | `5s` | `20s` | `1s` |
+| [`compression_level`](#compression-level-option) | 1 | 1 | 1 | 1 |
+| [`idle_connection_timeout`](#idle-connection-timeout-option) | `3s` | `15s` | `1s` | `60s` |
+| [`backoff.init`](#backoff-init-option) | none | none | `5s` | none |
+| [`backoff.max`](#backoff-max-option) | none | none | `300s` | none |
+
+
+
+## Elasticsearch APIs [es-apis]
+
+Auditbeat will use the `_bulk` API from {{es}}, the events are sent in the order they arrive to the publishing pipeline, a single `_bulk` request may contain events from different inputs/modules. Temporary failures are re-tried.
+
+The status code for each event is checked and handled as:
+
+* `< 300`: The event is counted as `events.acked`
+* `409` (Conflict): The event is counted as `events.duplicates`
+* `429` (Too Many Requests): The event is counted as `events.toomany`
+* `> 399 and < 500`: The `non_indexable_policy` is applied.
+
+
diff --git a/docs/reference/auditbeat/enable-auditbeat-debugging.md b/docs/reference/auditbeat/enable-auditbeat-debugging.md
new file mode 100644
index 000000000000..aeb10d30bc1c
--- /dev/null
+++ b/docs/reference/auditbeat/enable-auditbeat-debugging.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/enable-auditbeat-debugging.html
+---
+
+# Debug [enable-auditbeat-debugging]
+
+By default, Auditbeat sends all its output to syslog. When you run Auditbeat in the foreground, you can use the `-e` command line flag to redirect the output to standard error instead. For example:
+
+```sh
+auditbeat -e
+```
+
+The default configuration file is auditbeat.yml (the location of the file varies by platform). You can use a different configuration file by specifying the `-c` flag. For example:
+
+```sh
+auditbeat -e -c myauditbeatconfig.yml
+```
+
+You can increase the verbosity of debug messages by enabling one or more debug selectors. For example, to view publisher-related messages, start Auditbeat with the `publisher` selector:
+
+```sh
+auditbeat -e -d "publisher"
+```
+
+If you want all the debugging output (fair warning, it’s quite a lot), you can use `*`, like this:
+
+```sh
+auditbeat -e -d "*"
+```
+
diff --git a/docs/reference/auditbeat/error-found-unexpected-character.md b/docs/reference/auditbeat/error-found-unexpected-character.md
new file mode 100644
index 000000000000..fb523f7099e3
--- /dev/null
+++ b/docs/reference/auditbeat/error-found-unexpected-character.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/error-found-unexpected-character.html
+---
+
+# Found unexpected or unknown characters [error-found-unexpected-character]
+
+Either there is a problem with the structure of your config file, or you have used a path or expression that the YAML parser cannot resolve because the config file contains characters that aren’t properly escaped.
+
+If the YAML file contains paths with spaces or unusual characters, wrap the paths in single quotation marks (see [Wrap paths in single quotation marks](/reference/auditbeat/yaml-tips.md#wrap-paths-in-quotes)).
+
+Also see the general advice under [*Avoid YAML formatting problems*](/reference/auditbeat/yaml-tips.md).
+
diff --git a/docs/reference/auditbeat/error-loading-config.md b/docs/reference/auditbeat/error-loading-config.md
new file mode 100644
index 000000000000..300664e9a2ca
--- /dev/null
+++ b/docs/reference/auditbeat/error-loading-config.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/error-loading-config.html
+---
+
+# Error loading config file [error-loading-config]
+
+You may encounter errors loading the config file on POSIX operating systems if:
+
+* an unauthorized user tries to load the config file, or
+* the config file has the wrong permissions.
+
+See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md) for more about resolving these errors.
+
diff --git a/docs/reference/auditbeat/exported-fields-auditd.md b/docs/reference/auditbeat/exported-fields-auditd.md
new file mode 100644
index 000000000000..f3e4f5e62f0f
--- /dev/null
+++ b/docs/reference/auditbeat/exported-fields-auditd.md
@@ -0,0 +1,1575 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-auditd.html
+---
+
+# Auditd fields [exported-fields-auditd]
+
+These are the fields generated by the auditd module.
+
+**`user.auid`**
+:   type: alias
+
+alias to: user.audit.id
+
+
+**`user.uid`**
+:   type: alias
+
+alias to: user.id
+
+
+**`user.fsuid`**
+:   type: alias
+
+alias to: user.filesystem.id
+
+
+**`user.suid`**
+:   type: alias
+
+alias to: user.saved.id
+
+
+**`user.gid`**
+:   type: alias
+
+alias to: user.group.id
+
+
+**`user.sgid`**
+:   type: alias
+
+alias to: user.saved.group.id
+
+
+**`user.fsgid`**
+:   type: alias
+
+alias to: user.filesystem.group.id
+
+
+
+## name_map [_name_map]
+
+If `resolve_ids` is set to true in the configuration then `name_map` will contain a mapping of uid field names to the resolved name (e.g. auid → root).
+
+**`user.name_map.auid`**
+:   type: alias
+
+alias to: user.audit.name
+
+
+**`user.name_map.uid`**
+:   type: alias
+
+alias to: user.name
+
+
+**`user.name_map.fsuid`**
+:   type: alias
+
+alias to: user.filesystem.name
+
+
+**`user.name_map.suid`**
+:   type: alias
+
+alias to: user.saved.name
+
+
+**`user.name_map.gid`**
+:   type: alias
+
+alias to: user.group.name
+
+
+**`user.name_map.sgid`**
+:   type: alias
+
+alias to: user.saved.group.name
+
+
+**`user.name_map.fsgid`**
+:   type: alias
+
+alias to: user.filesystem.group.name
+
+
+
+## selinux [_selinux]
+
+The SELinux identity of the actor.
+
+**`user.selinux.user`**
+:   account submitted for authentication
+
+type: keyword
+
+
+**`user.selinux.role`**
+:   user’s SELinux role
+
+type: keyword
+
+
+**`user.selinux.domain`**
+:   The actor’s SELinux domain or type.
+
+type: keyword
+
+
+**`user.selinux.level`**
+:   The actor’s SELinux level.
+
+type: keyword
+
+example: s0
+
+
+**`user.selinux.category`**
+:   The actor’s SELinux category or compartments.
+
+type: keyword
+
+
+
+## process [_process]
+
+Process attributes.
+
+**`process.cwd`**
+:   The current working directory.
+
+type: alias
+
+alias to: process.working_directory
+
+
+
+## source [_source]
+
+Source that triggered the event.
+
+**`source.path`**
+:   This is the path associated with a unix socket.
+
+type: keyword
+
+
+
+## destination [_destination]
+
+Destination address that triggered the event.
+
+**`destination.path`**
+:   This is the path associated with a unix socket.
+
+type: keyword
+
+
+**`auditd.message_type`**
+:   The audit message type (e.g. syscall or apparmor_denied).
+
+type: keyword
+
+example: syscall
+
+
+**`auditd.sequence`**
+:   The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can rollover.
+
+type: long
+
+
+**`auditd.session`**
+:   The session ID assigned to a login. All events related to a login session will have the same value.
+
+type: keyword
+
+
+**`auditd.result`**
+:   The result of the audited operation (success/fail).
+
+type: keyword
+
+example: success or fail
+
+
+
+## actor [_actor]
+
+The actor is the user that triggered the audit event.
+
+**`auditd.summary.actor.primary`**
+:   The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account.
+
+type: keyword
+
+
+**`auditd.summary.actor.secondary`**
+:   The secondary identity of the actor. This is typically the same as the primary, except for when the user has used `su`.
+
+type: keyword
+
+
+
+## object [_object]
+
+This is the thing or object being acted upon in the event.
+
+**`auditd.summary.object.type`**
+:   A description of the what the "thing" is (e.g. file, socket, user-session).
+
+type: keyword
+
+
+**`auditd.summary.object.primary`**
+:   type: keyword
+
+
+**`auditd.summary.object.secondary`**
+:   type: keyword
+
+
+**`auditd.summary.how`**
+:   This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.
+
+type: keyword
+
+
+
+## paths [_paths]
+
+List of paths associated with the event.
+
+**`auditd.paths.inode`**
+:   inode number
+
+type: keyword
+
+
+**`auditd.paths.dev`**
+:   device name as found in /dev
+
+type: keyword
+
+
+**`auditd.paths.obj_user`**
+:   type: keyword
+
+
+**`auditd.paths.obj_role`**
+:   type: keyword
+
+
+**`auditd.paths.obj_domain`**
+:   type: keyword
+
+
+**`auditd.paths.obj_level`**
+:   type: keyword
+
+
+**`auditd.paths.objtype`**
+:   type: keyword
+
+
+**`auditd.paths.ouid`**
+:   file owner user ID
+
+type: keyword
+
+
+**`auditd.paths.rdev`**
+:   the device identifier (special files only)
+
+type: keyword
+
+
+**`auditd.paths.nametype`**
+:   kind of file operation being referenced
+
+type: keyword
+
+
+**`auditd.paths.ogid`**
+:   file owner group ID
+
+type: keyword
+
+
+**`auditd.paths.item`**
+:   which item is being recorded
+
+type: keyword
+
+
+**`auditd.paths.mode`**
+:   mode flags on a file
+
+type: keyword
+
+
+**`auditd.paths.name`**
+:   file name in avcs
+
+type: keyword
+
+
+
+## data [_data_2]
+
+The data from the audit messages.
+
+**`auditd.data.action`**
+:   netfilter packet disposition
+
+type: keyword
+
+
+**`auditd.data.minor`**
+:   device minor number
+
+type: keyword
+
+
+**`auditd.data.acct`**
+:   a user’s account name
+
+type: keyword
+
+
+**`auditd.data.addr`**
+:   the remote address that the user is connecting from
+
+type: keyword
+
+
+**`auditd.data.cipher`**
+:   name of crypto cipher selected
+
+type: keyword
+
+
+**`auditd.data.id`**
+:   during account changes
+
+type: keyword
+
+
+**`auditd.data.entries`**
+:   number of entries in the netfilter table
+
+type: keyword
+
+
+**`auditd.data.kind`**
+:   server or client in crypto operation
+
+type: keyword
+
+
+**`auditd.data.ksize`**
+:   key size for crypto operation
+
+type: keyword
+
+
+**`auditd.data.spid`**
+:   sent process ID
+
+type: keyword
+
+
+**`auditd.data.arch`**
+:   the elf architecture flags
+
+type: keyword
+
+
+**`auditd.data.argc`**
+:   the number of arguments to an execve syscall
+
+type: keyword
+
+
+**`auditd.data.major`**
+:   device major number
+
+type: keyword
+
+
+**`auditd.data.unit`**
+:   systemd unit
+
+type: keyword
+
+
+**`auditd.data.table`**
+:   netfilter table name
+
+type: keyword
+
+
+**`auditd.data.terminal`**
+:   terminal name the user is running programs on
+
+type: keyword
+
+
+**`auditd.data.grantors`**
+:   pam modules approving the action
+
+type: keyword
+
+
+**`auditd.data.direction`**
+:   direction of crypto operation
+
+type: keyword
+
+
+**`auditd.data.op`**
+:   the operation being performed that is audited
+
+type: keyword
+
+
+**`auditd.data.tty`**
+:   tty udevice the user is running programs on
+
+type: keyword
+
+
+**`auditd.data.syscall`**
+:   syscall number in effect when the event occurred
+
+type: keyword
+
+
+**`auditd.data.data`**
+:   TTY text
+
+type: keyword
+
+
+**`auditd.data.family`**
+:   netfilter protocol
+
+type: keyword
+
+
+**`auditd.data.mac`**
+:   crypto MAC algorithm selected
+
+type: keyword
+
+
+**`auditd.data.pfs`**
+:   perfect forward secrecy method
+
+type: keyword
+
+
+**`auditd.data.items`**
+:   the number of path records in the event
+
+type: keyword
+
+
+**`auditd.data.a0`**
+:   type: keyword
+
+
+**`auditd.data.a1`**
+:   type: keyword
+
+
+**`auditd.data.a2`**
+:   type: keyword
+
+
+**`auditd.data.a3`**
+:   type: keyword
+
+
+**`auditd.data.hostname`**
+:   the hostname that the user is connecting from
+
+type: keyword
+
+
+**`auditd.data.lport`**
+:   local network port
+
+type: keyword
+
+
+**`auditd.data.rport`**
+:   remote port number
+
+type: keyword
+
+
+**`auditd.data.exit`**
+:   syscall exit code
+
+type: keyword
+
+
+**`auditd.data.fp`**
+:   crypto key finger print
+
+type: keyword
+
+
+**`auditd.data.laddr`**
+:   local network address
+
+type: keyword
+
+
+**`auditd.data.sport`**
+:   local port number
+
+type: keyword
+
+
+**`auditd.data.capability`**
+:   posix capabilities
+
+type: keyword
+
+
+**`auditd.data.nargs`**
+:   the number of arguments to a socket call
+
+type: keyword
+
+
+**`auditd.data.new-enabled`**
+:   new TTY audit enabled setting
+
+type: keyword
+
+
+**`auditd.data.audit_backlog_limit`**
+:   audit system’s backlog queue size
+
+type: keyword
+
+
+**`auditd.data.dir`**
+:   directory name
+
+type: keyword
+
+
+**`auditd.data.cap_pe`**
+:   process effective capability map
+
+type: keyword
+
+
+**`auditd.data.model`**
+:   security model being used for virt
+
+type: keyword
+
+
+**`auditd.data.new_pp`**
+:   new process permitted capability map
+
+type: keyword
+
+
+**`auditd.data.old-enabled`**
+:   present TTY audit enabled setting
+
+type: keyword
+
+
+**`auditd.data.oauid`**
+:   object’s login user ID
+
+type: keyword
+
+
+**`auditd.data.old`**
+:   old value
+
+type: keyword
+
+
+**`auditd.data.banners`**
+:   banners used on printed page
+
+type: keyword
+
+
+**`auditd.data.feature`**
+:   kernel feature being changed
+
+type: keyword
+
+
+**`auditd.data.vm-ctx`**
+:   the vm’s context string
+
+type: keyword
+
+
+**`auditd.data.opid`**
+:   object’s process ID
+
+type: keyword
+
+
+**`auditd.data.seperms`**
+:   SELinux permissions being used
+
+type: keyword
+
+
+**`auditd.data.seresult`**
+:   SELinux AVC decision granted/denied
+
+type: keyword
+
+
+**`auditd.data.new-rng`**
+:   device name of rng being added from a vm
+
+type: keyword
+
+
+**`auditd.data.old-net`**
+:   present MAC address assigned to vm
+
+type: keyword
+
+
+**`auditd.data.sigev_signo`**
+:   signal number
+
+type: keyword
+
+
+**`auditd.data.ino`**
+:   inode number
+
+type: keyword
+
+
+**`auditd.data.old_enforcing`**
+:   old MAC enforcement status
+
+type: keyword
+
+
+**`auditd.data.old-vcpu`**
+:   present number of CPU cores
+
+type: keyword
+
+
+**`auditd.data.range`**
+:   user’s SE Linux range
+
+type: keyword
+
+
+**`auditd.data.res`**
+:   result of the audited operation(success/fail)
+
+type: keyword
+
+
+**`auditd.data.added`**
+:   number of new files detected
+
+type: keyword
+
+
+**`auditd.data.fam`**
+:   socket address family
+
+type: keyword
+
+
+**`auditd.data.nlnk-pid`**
+:   pid of netlink packet sender
+
+type: keyword
+
+
+**`auditd.data.subj`**
+:   lspp subject’s context string
+
+type: keyword
+
+
+**`auditd.data.a[0-3]`**
+:   the arguments to a syscall
+
+type: keyword
+
+
+**`auditd.data.cgroup`**
+:   path to cgroup in sysfs
+
+type: keyword
+
+
+**`auditd.data.kernel`**
+:   kernel’s version number
+
+type: keyword
+
+
+**`auditd.data.ocomm`**
+:   object’s command line name
+
+type: keyword
+
+
+**`auditd.data.new-net`**
+:   MAC address being assigned to vm
+
+type: keyword
+
+
+**`auditd.data.permissive`**
+:   SELinux is in permissive mode
+
+type: keyword
+
+
+**`auditd.data.class`**
+:   resource class assigned to vm
+
+type: keyword
+
+
+**`auditd.data.compat`**
+:   is_compat_task result
+
+type: keyword
+
+
+**`auditd.data.fi`**
+:   file assigned inherited capability map
+
+type: keyword
+
+
+**`auditd.data.changed`**
+:   number of changed files
+
+type: keyword
+
+
+**`auditd.data.msg`**
+:   the payload of the audit record
+
+type: keyword
+
+
+**`auditd.data.dport`**
+:   remote port number
+
+type: keyword
+
+
+**`auditd.data.new-seuser`**
+:   new SELinux user
+
+type: keyword
+
+
+**`auditd.data.invalid_context`**
+:   SELinux context
+
+type: keyword
+
+
+**`auditd.data.dmac`**
+:   remote MAC address
+
+type: keyword
+
+
+**`auditd.data.ipx-net`**
+:   IPX network number
+
+type: keyword
+
+
+**`auditd.data.iuid`**
+:   ipc object’s user ID
+
+type: keyword
+
+
+**`auditd.data.macproto`**
+:   ethernet packet type ID field
+
+type: keyword
+
+
+**`auditd.data.obj`**
+:   lspp object context string
+
+type: keyword
+
+
+**`auditd.data.ipid`**
+:   IP datagram fragment identifier
+
+type: keyword
+
+
+**`auditd.data.new-fs`**
+:   file system being added to vm
+
+type: keyword
+
+
+**`auditd.data.vm-pid`**
+:   vm’s process ID
+
+type: keyword
+
+
+**`auditd.data.cap_pi`**
+:   process inherited capability map
+
+type: keyword
+
+
+**`auditd.data.old-auid`**
+:   previous auid value
+
+type: keyword
+
+
+**`auditd.data.oses`**
+:   object’s session ID
+
+type: keyword
+
+
+**`auditd.data.fd`**
+:   file descriptor number
+
+type: keyword
+
+
+**`auditd.data.igid`**
+:   ipc object’s group ID
+
+type: keyword
+
+
+**`auditd.data.new-disk`**
+:   disk being added to vm
+
+type: keyword
+
+
+**`auditd.data.parent`**
+:   the inode number of the parent file
+
+type: keyword
+
+
+**`auditd.data.len`**
+:   length
+
+type: keyword
+
+
+**`auditd.data.oflag`**
+:   open syscall flags
+
+type: keyword
+
+
+**`auditd.data.uuid`**
+:   a UUID
+
+type: keyword
+
+
+**`auditd.data.code`**
+:   seccomp action code
+
+type: keyword
+
+
+**`auditd.data.nlnk-grp`**
+:   netlink group number
+
+type: keyword
+
+
+**`auditd.data.cap_fp`**
+:   file permitted capability map
+
+type: keyword
+
+
+**`auditd.data.new-mem`**
+:   new amount of memory in KB
+
+type: keyword
+
+
+**`auditd.data.seperm`**
+:   SELinux permission being decided on
+
+type: keyword
+
+
+**`auditd.data.enforcing`**
+:   new MAC enforcement status
+
+type: keyword
+
+
+**`auditd.data.new-chardev`**
+:   new character device being assigned to vm
+
+type: keyword
+
+
+**`auditd.data.old-rng`**
+:   device name of rng being removed from a vm
+
+type: keyword
+
+
+**`auditd.data.outif`**
+:   out interface number
+
+type: keyword
+
+
+**`auditd.data.cmd`**
+:   command being executed
+
+type: keyword
+
+
+**`auditd.data.hook`**
+:   netfilter hook that packet came from
+
+type: keyword
+
+
+**`auditd.data.new-level`**
+:   new run level
+
+type: keyword
+
+
+**`auditd.data.sauid`**
+:   sent login user ID
+
+type: keyword
+
+
+**`auditd.data.sig`**
+:   signal number
+
+type: keyword
+
+
+**`auditd.data.audit_backlog_wait_time`**
+:   audit system’s backlog wait time
+
+type: keyword
+
+
+**`auditd.data.printer`**
+:   printer name
+
+type: keyword
+
+
+**`auditd.data.old-mem`**
+:   present amount of memory in KB
+
+type: keyword
+
+
+**`auditd.data.perm`**
+:   the file permission being used
+
+type: keyword
+
+
+**`auditd.data.old_pi`**
+:   old process inherited capability map
+
+type: keyword
+
+
+**`auditd.data.state`**
+:   audit daemon configuration resulting state
+
+type: keyword
+
+
+**`auditd.data.format`**
+:   audit log’s format
+
+type: keyword
+
+
+**`auditd.data.new_gid`**
+:   new group ID being assigned
+
+type: keyword
+
+
+**`auditd.data.tcontext`**
+:   the target’s or object’s context string
+
+type: keyword
+
+
+**`auditd.data.maj`**
+:   device major number
+
+type: keyword
+
+
+**`auditd.data.watch`**
+:   file name in a watch record
+
+type: keyword
+
+
+**`auditd.data.device`**
+:   device name
+
+type: keyword
+
+
+**`auditd.data.grp`**
+:   group name
+
+type: keyword
+
+
+**`auditd.data.bool`**
+:   name of SELinux boolean
+
+type: keyword
+
+
+**`auditd.data.icmp_type`**
+:   type of icmp message
+
+type: keyword
+
+
+**`auditd.data.new_lock`**
+:   new value of feature lock
+
+type: keyword
+
+
+**`auditd.data.old_prom`**
+:   network promiscuity flag
+
+type: keyword
+
+
+**`auditd.data.acl`**
+:   access mode of resource assigned to vm
+
+type: keyword
+
+
+**`auditd.data.ip`**
+:   network address of a printer
+
+type: keyword
+
+
+**`auditd.data.new_pi`**
+:   new process inherited capability map
+
+type: keyword
+
+
+**`auditd.data.default-context`**
+:   default MAC context
+
+type: keyword
+
+
+**`auditd.data.inode_gid`**
+:   group ID of the inode’s owner
+
+type: keyword
+
+
+**`auditd.data.new-log_passwd`**
+:   new value for TTY password logging
+
+type: keyword
+
+
+**`auditd.data.new_pe`**
+:   new process effective capability map
+
+type: keyword
+
+
+**`auditd.data.selected-context`**
+:   new MAC context assigned to session
+
+type: keyword
+
+
+**`auditd.data.cap_fver`**
+:   file system capabilities version number
+
+type: keyword
+
+
+**`auditd.data.file`**
+:   file name
+
+type: keyword
+
+
+**`auditd.data.net`**
+:   network MAC address
+
+type: keyword
+
+
+**`auditd.data.virt`**
+:   kind of virtualization being referenced
+
+type: keyword
+
+
+**`auditd.data.cap_pp`**
+:   process permitted capability map
+
+type: keyword
+
+
+**`auditd.data.old-range`**
+:   present SELinux range
+
+type: keyword
+
+
+**`auditd.data.resrc`**
+:   resource being assigned
+
+type: keyword
+
+
+**`auditd.data.new-range`**
+:   new SELinux range
+
+type: keyword
+
+
+**`auditd.data.obj_gid`**
+:   group ID of object
+
+type: keyword
+
+
+**`auditd.data.proto`**
+:   network protocol
+
+type: keyword
+
+
+**`auditd.data.old-disk`**
+:   disk being removed from vm
+
+type: keyword
+
+
+**`auditd.data.audit_failure`**
+:   audit system’s failure mode
+
+type: keyword
+
+
+**`auditd.data.inif`**
+:   in interface number
+
+type: keyword
+
+
+**`auditd.data.vm`**
+:   virtual machine name
+
+type: keyword
+
+
+**`auditd.data.flags`**
+:   mmap syscall flags
+
+type: keyword
+
+
+**`auditd.data.nlnk-fam`**
+:   netlink protocol number
+
+type: keyword
+
+
+**`auditd.data.old-fs`**
+:   file system being removed from vm
+
+type: keyword
+
+
+**`auditd.data.old-ses`**
+:   previous ses value
+
+type: keyword
+
+
+**`auditd.data.seqno`**
+:   sequence number
+
+type: keyword
+
+
+**`auditd.data.fver`**
+:   file system capabilities version number
+
+type: keyword
+
+
+**`auditd.data.qbytes`**
+:   ipc objects quantity of bytes
+
+type: keyword
+
+
+**`auditd.data.seuser`**
+:   user’s SE Linux user acct
+
+type: keyword
+
+
+**`auditd.data.cap_fe`**
+:   file assigned effective capability map
+
+type: keyword
+
+
+**`auditd.data.new-vcpu`**
+:   new number of CPU cores
+
+type: keyword
+
+
+**`auditd.data.old-level`**
+:   old run level
+
+type: keyword
+
+
+**`auditd.data.old_pp`**
+:   old process permitted capability map
+
+type: keyword
+
+
+**`auditd.data.daddr`**
+:   remote IP address
+
+type: keyword
+
+
+**`auditd.data.old-role`**
+:   present SELinux role
+
+type: keyword
+
+
+**`auditd.data.ioctlcmd`**
+:   The request argument to the ioctl syscall
+
+type: keyword
+
+
+**`auditd.data.smac`**
+:   local MAC address
+
+type: keyword
+
+
+**`auditd.data.apparmor`**
+:   apparmor event information
+
+type: keyword
+
+
+**`auditd.data.fe`**
+:   file assigned effective capability map
+
+type: keyword
+
+
+**`auditd.data.perm_mask`**
+:   file permission mask that triggered a watch event
+
+type: keyword
+
+
+**`auditd.data.ses`**
+:   login session ID
+
+type: keyword
+
+
+**`auditd.data.cap_fi`**
+:   file inherited capability map
+
+type: keyword
+
+
+**`auditd.data.obj_uid`**
+:   user ID of object
+
+type: keyword
+
+
+**`auditd.data.reason`**
+:   text string denoting a reason for the action
+
+type: keyword
+
+
+**`auditd.data.list`**
+:   the audit system’s filter list number
+
+type: keyword
+
+
+**`auditd.data.old_lock`**
+:   present value of feature lock
+
+type: keyword
+
+
+**`auditd.data.bus`**
+:   name of subsystem bus a vm resource belongs to
+
+type: keyword
+
+
+**`auditd.data.old_pe`**
+:   old process effective capability map
+
+type: keyword
+
+
+**`auditd.data.new-role`**
+:   new SELinux role
+
+type: keyword
+
+
+**`auditd.data.prom`**
+:   network promiscuity flag
+
+type: keyword
+
+
+**`auditd.data.uri`**
+:   URI pointing to a printer
+
+type: keyword
+
+
+**`auditd.data.audit_enabled`**
+:   audit systems’s enable/disable status
+
+type: keyword
+
+
+**`auditd.data.old-log_passwd`**
+:   present value for TTY password logging
+
+type: keyword
+
+
+**`auditd.data.old-seuser`**
+:   present SELinux user
+
+type: keyword
+
+
+**`auditd.data.per`**
+:   linux personality
+
+type: keyword
+
+
+**`auditd.data.scontext`**
+:   the subject’s context string
+
+type: keyword
+
+
+**`auditd.data.tclass`**
+:   target’s object classification
+
+type: keyword
+
+
+**`auditd.data.ver`**
+:   audit daemon’s version number
+
+type: keyword
+
+
+**`auditd.data.new`**
+:   value being set in feature
+
+type: keyword
+
+
+**`auditd.data.val`**
+:   generic value associated with the operation
+
+type: keyword
+
+
+**`auditd.data.img-ctx`**
+:   the vm’s disk image context string
+
+type: keyword
+
+
+**`auditd.data.old-chardev`**
+:   present character device assigned to vm
+
+type: keyword
+
+
+**`auditd.data.old_val`**
+:   current value of SELinux boolean
+
+type: keyword
+
+
+**`auditd.data.success`**
+:   whether the syscall was successful or not
+
+type: keyword
+
+
+**`auditd.data.inode_uid`**
+:   user ID of the inode’s owner
+
+type: keyword
+
+
+**`auditd.data.removed`**
+:   number of deleted files
+
+type: keyword
+
+
+**`auditd.data.socket.port`**
+:   The port number.
+
+type: keyword
+
+
+**`auditd.data.socket.saddr`**
+:   The raw socket address structure.
+
+type: keyword
+
+
+**`auditd.data.socket.addr`**
+:   The remote address.
+
+type: keyword
+
+
+**`auditd.data.socket.family`**
+:   The socket family (unix, ipv4, ipv6, netlink).
+
+type: keyword
+
+example: unix
+
+
+**`auditd.data.socket.path`**
+:   This is the path associated with a unix socket.
+
+type: keyword
+
+
+**`auditd.messages`**
+:   An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if `include_raw_message` is set in the config.
+
+type: alias
+
+alias to: event.original
+
+
+**`auditd.warnings`**
+:   The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.
+
+type: alias
+
+alias to: error.message
+
+
+
+## geoip [_geoip]
+
+The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or an Elasticsearch geoip ingest processor.
+
+**`geoip.continent_name`**
+:   The name of the continent.
+
+type: keyword
+
+
+**`geoip.city_name`**
+:   The name of the city.
+
+type: keyword
+
+
+**`geoip.region_name`**
+:   The name of the region.
+
+type: keyword
+
+
+**`geoip.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+
+**`geoip.location`**
+:   The longitude and latitude.
+
+type: geo_point
+
+
diff --git a/docs/reference/auditbeat/exported-fields-beat-common.md b/docs/reference/auditbeat/exported-fields-beat-common.md
new file mode 100644
index 000000000000..38c384eb9849
--- /dev/null
+++ b/docs/reference/auditbeat/exported-fields-beat-common.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-beat-common.html
+---
+
+# Beat fields [exported-fields-beat-common]
+
+Contains common beat fields available in all event types.
+
+**`agent.hostname`**
+:   Deprecated - use agent.name or agent.id to identify an agent.
+
+type: alias
+
+alias to: agent.name
+
+
+**`beat.timezone`**
+:   type: alias
+
+alias to: event.timezone
+
+
+**`fields`**
+:   Contains user configurable fields.
+
+type: object
+
+
+**`beat.name`**
+:   type: alias
+
+alias to: host.name
+
+
+**`beat.hostname`**
+:   type: alias
+
+alias to: agent.name
+
+
+**`timeseries.instance`**
+:   Time series instance id
+
+type: keyword
+
+
diff --git a/docs/reference/auditbeat/exported-fields-cloud.md b/docs/reference/auditbeat/exported-fields-cloud.md
new file mode 100644
index 000000000000..1e9c2c59a67f
--- /dev/null
+++ b/docs/reference/auditbeat/exported-fields-cloud.md
@@ -0,0 +1,57 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-cloud.html
+---
+
+# Cloud provider metadata fields [exported-fields-cloud]
+
+Metadata from cloud providers added by the add_cloud_metadata processor.
+
+**`cloud.image.id`**
+:   Image ID for the cloud instance.
+
+example: ami-abcd1234
+
+
+**`meta.cloud.provider`**
+:   type: alias
+
+alias to: cloud.provider
+
+
+**`meta.cloud.instance_id`**
+:   type: alias
+
+alias to: cloud.instance.id
+
+
+**`meta.cloud.instance_name`**
+:   type: alias
+
+alias to: cloud.instance.name
+
+
+**`meta.cloud.machine_type`**
+:   type: alias
+
+alias to: cloud.machine.type
+
+
+**`meta.cloud.availability_zone`**
+:   type: alias
+
+alias to: cloud.availability_zone
+
+
+**`meta.cloud.project_id`**
+:   type: alias
+
+alias to: cloud.project.id
+
+
+**`meta.cloud.region`**
+:   type: alias
+
+alias to: cloud.region
+
+
diff --git a/docs/reference/auditbeat/exported-fields-common.md b/docs/reference/auditbeat/exported-fields-common.md
new file mode 100644
index 000000000000..6c5753afcc25
--- /dev/null
+++ b/docs/reference/auditbeat/exported-fields-common.md
@@ -0,0 +1,163 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-common.html
+---
+
+# Common fields [exported-fields-common]
+
+Contains common fields available in all event types.
+
+
+## file [_file]
+
+File attributes.
+
+**`file.setuid`**
+:   Set if the file has the `setuid` bit set. Omitted otherwise.
+
+type: boolean
+
+example: True
+
+
+**`file.setgid`**
+:   Set if the file has the `setgid` bit set. Omitted otherwise.
+
+type: boolean
+
+example: True
+
+
+**`file.origin`**
+:   An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.
+
+type: keyword
+
+
+**`file.origin.text`**
+:   This is an analyzed field that is useful for full text search on the origin data.
+
+type: text
+
+
+
+## selinux [_selinux_2]
+
+The SELinux identity of the file.
+
+**`file.selinux.user`**
+:   The owner of the object.
+
+type: keyword
+
+
+**`file.selinux.role`**
+:   The object’s SELinux role.
+
+type: keyword
+
+
+**`file.selinux.domain`**
+:   The object’s SELinux domain or type.
+
+type: keyword
+
+
+**`file.selinux.level`**
+:   The object’s SELinux level.
+
+type: keyword
+
+example: s0
+
+
+
+## user [_user]
+
+User information.
+
+
+## audit [_audit]
+
+Audit user information.
+
+**`user.audit.id`**
+:   Audit user ID.
+
+type: keyword
+
+
+**`user.audit.name`**
+:   Audit user name.
+
+type: keyword
+
+
+
+## filesystem [_filesystem]
+
+Filesystem user information.
+
+**`user.filesystem.id`**
+:   Filesystem user ID.
+
+type: keyword
+
+
+**`user.filesystem.name`**
+:   Filesystem user name.
+
+type: keyword
+
+
+
+## group [_group]
+
+Filesystem group information.
+
+**`user.filesystem.group.id`**
+:   Filesystem group ID.
+
+type: keyword
+
+
+**`user.filesystem.group.name`**
+:   Filesystem group name.
+
+type: keyword
+
+
+
+## saved [_saved]
+
+Saved user information.
+
+**`user.saved.id`**
+:   Saved user ID.
+
+type: keyword
+
+
+**`user.saved.name`**
+:   Saved user name.
+
+type: keyword
+
+
+
+## group [_group_2]
+
+Saved group information.
+
+**`user.saved.group.id`**
+:   Saved group ID.
+
+type: keyword
+
+
+**`user.saved.group.name`**
+:   Saved group name.
+
+type: keyword
+
+
diff --git a/docs/reference/auditbeat/exported-fields-docker-processor.md b/docs/reference/auditbeat/exported-fields-docker-processor.md
new file mode 100644
index 000000000000..aa3d77a624d8
--- /dev/null
+++ b/docs/reference/auditbeat/exported-fields-docker-processor.md
@@ -0,0 +1,33 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-docker-processor.html
+---
+
+# Docker fields [exported-fields-docker-processor]
+
+Docker stats collected from Docker.
+
+**`docker.container.id`**
+:   type: alias
+
+alias to: container.id
+
+
+**`docker.container.image`**
+:   type: alias
+
+alias to: container.image.name
+
+
+**`docker.container.name`**
+:   type: alias
+
+alias to: container.name
+
+
+**`docker.container.labels`**
+:   Image labels.
+
+type: object
+
+
diff --git a/docs/reference/auditbeat/exported-fields-ecs.md b/docs/reference/auditbeat/exported-fields-ecs.md
new file mode 100644
index 000000000000..14ac2a297c9d
--- /dev/null
+++ b/docs/reference/auditbeat/exported-fields-ecs.md
@@ -0,0 +1,10423 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-ecs.html
+---
+
+# ECS fields [exported-fields-ecs]
+
+This section defines Elastic Common Schema (ECS) fields—a common set of fields to be used when storing event data in {{es}}.
+
+This is an exhaustive list, and fields listed here are not necessarily used by Auditbeat. The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events.
+
+See the [ECS reference](ecs://reference/index.md) for more information.
+
+**`@timestamp`**
+:   Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+required: True
+
+
+**`labels`**
+:   Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels.
+
+type: object
+
+example: {"application": "foo-bar", "env": "production"}
+
+
+**`message`**
+:   For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.
+
+type: match_only_text
+
+example: Hello World
+
+
+**`tags`**
+:   List of keywords used to tag each event.
+
+type: keyword
+
+example: ["production", "env2"]
+
+
+
+## agent [_agent]
+
+The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
+
+**`agent.build.original`**
+:   Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required.
+
+type: keyword
+
+example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]
+
+
+**`agent.ephemeral_id`**
+:   Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`agent.id`**
+:   Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
+
+type: keyword
+
+example: 8a4f500d
+
+
+**`agent.name`**
+:   Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.
+
+type: keyword
+
+example: foo
+
+
+**`agent.type`**
+:   Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.
+
+type: keyword
+
+example: filebeat
+
+
+**`agent.version`**
+:   Version of the agent.
+
+type: keyword
+
+example: 6.0.0-rc2
+
+
+
+## as [_as]
+
+An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
+
+**`as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`as.organization.name.text`**
+:   type: match_only_text
+
+
+
+## client [_client]
+
+A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
+
+**`client.address`**
+:   Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`client.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`client.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`client.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`client.bytes`**
+:   Bytes sent from the client to the server.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`client.domain`**
+:   The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`client.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`client.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`client.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`client.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`client.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`client.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`client.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`client.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`client.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`client.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`client.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`client.ip`**
+:   IP address of the client (IPv4 or IPv6).
+
+type: ip
+
+
+**`client.mac`**
+:   MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`client.nat.ip`**
+:   Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`client.nat.port`**
+:   Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`client.packets`**
+:   Packets sent from the client to the server.
+
+type: long
+
+example: 12
+
+
+**`client.port`**
+:   Port of the client.
+
+type: long
+
+format: string
+
+
+**`client.registered_domain`**
+:   The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`client.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`client.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`client.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`client.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`client.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`client.user.full_name.text`**
+:   type: match_only_text
+
+
+**`client.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`client.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`client.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`client.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`client.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`client.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`client.user.name.text`**
+:   type: match_only_text
+
+
+**`client.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## cloud [_cloud]
+
+Fields related to the cloud or infrastructure the events are coming from.
+
+**`cloud.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.origin.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.origin.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.origin.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.origin.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.origin.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.origin.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.origin.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.origin.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.origin.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.origin.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.origin.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+**`cloud.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+**`cloud.target.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.target.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.target.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.target.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.target.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.target.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.target.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.target.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.target.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.target.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.target.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+
+## code_signature [_code_signature]
+
+These fields contain information about binary code signatures.
+
+**`code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+
+## container [_container]
+
+Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.
+
+**`container.cpu.usage`**
+:   Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000.
+
+type: scaled_float
+
+
+**`container.disk.read.bytes`**
+:   The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`container.disk.write.bytes`**
+:   The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`container.id`**
+:   Unique container id.
+
+type: keyword
+
+
+**`container.image.name`**
+:   Name of the image the container was built on.
+
+type: keyword
+
+
+**`container.image.tag`**
+:   Container image tags.
+
+type: keyword
+
+
+**`container.labels`**
+:   Image labels.
+
+type: object
+
+
+**`container.memory.usage`**
+:   Memory usage percentage and it ranges from 0 to 1. Scaling factor: 1000.
+
+type: scaled_float
+
+
+**`container.name`**
+:   Container name.
+
+type: keyword
+
+
+**`container.network.egress.bytes`**
+:   The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.
+
+type: long
+
+
+**`container.network.ingress.bytes`**
+:   The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.
+
+type: long
+
+
+**`container.runtime`**
+:   Runtime managing this container.
+
+type: keyword
+
+example: docker
+
+
+
+## data_stream [_data_stream]
+
+The data_stream fields take part in defining the new data stream naming scheme. In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this [blog post](https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme). An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional [restrictions](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-create).
+
+**`data_stream.dataset`**
+:   The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters
+
+type: constant_keyword
+
+example: nginx.access
+
+
+**`data_stream.namespace`**
+:   A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters
+
+type: constant_keyword
+
+example: production
+
+
+**`data_stream.type`**
+:   An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
+
+type: constant_keyword
+
+example: logs
+
+
+
+## destination [_destination_2]
+
+Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
+
+**`destination.address`**
+:   Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`destination.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`destination.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`destination.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`destination.bytes`**
+:   Bytes sent from the destination to the source.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`destination.domain`**
+:   The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`destination.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`destination.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`destination.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`destination.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`destination.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`destination.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`destination.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`destination.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`destination.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`destination.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`destination.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`destination.ip`**
+:   IP address of the destination (IPv4 or IPv6).
+
+type: ip
+
+
+**`destination.mac`**
+:   MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`destination.nat.ip`**
+:   Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`destination.nat.port`**
+:   Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`destination.packets`**
+:   Packets sent from the destination to the source.
+
+type: long
+
+example: 12
+
+
+**`destination.port`**
+:   Port of the destination.
+
+type: long
+
+format: string
+
+
+**`destination.registered_domain`**
+:   The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`destination.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`destination.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`destination.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`destination.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`destination.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`destination.user.full_name.text`**
+:   type: match_only_text
+
+
+**`destination.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`destination.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`destination.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`destination.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`destination.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`destination.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`destination.user.name.text`**
+:   type: match_only_text
+
+
+**`destination.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## dll [_dll]
+
+These fields contain information about code libraries dynamically loaded into processes.
+
+Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: * Dynamic-link library (`.dll`) commonly used on Windows * Shared Object (`.so`) commonly used on Unix-like operating systems * Dynamic library (`.dylib`) commonly used on macOS
+
+**`dll.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`dll.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`dll.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`dll.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`dll.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`dll.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`dll.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`dll.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`dll.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`dll.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`dll.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`dll.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`dll.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`dll.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`dll.name`**
+:   Name of the library. This generally maps to the name of the file on disk.
+
+type: keyword
+
+example: kernel32.dll
+
+
+**`dll.path`**
+:   Full file path of the library.
+
+type: keyword
+
+example: C:\Windows\System32\kernel32.dll
+
+
+**`dll.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`dll.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`dll.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`dll.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`dll.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`dll.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`dll.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+
+## dns [_dns]
+
+Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).
+
+**`dns.answers`**
+:   An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
+
+type: object
+
+
+**`dns.answers.class`**
+:   The class of DNS data contained in this resource record.
+
+type: keyword
+
+example: IN
+
+
+**`dns.answers.data`**
+:   The data describing the resource. The meaning of this data depends on the type and class of the resource record.
+
+type: keyword
+
+example: 10.10.10.10
+
+
+**`dns.answers.name`**
+:   The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s `name` should be the one that corresponds with the answer’s `data`. It should not simply be the original `question.name` repeated.
+
+type: keyword
+
+example: www.example.com
+
+
+**`dns.answers.ttl`**
+:   The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
+
+type: long
+
+example: 180
+
+
+**`dns.answers.type`**
+:   The type of data contained in this resource record.
+
+type: keyword
+
+example: CNAME
+
+
+**`dns.header_flags`**
+:   Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO.
+
+type: keyword
+
+example: ["RD", "RA"]
+
+
+**`dns.id`**
+:   The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+
+type: keyword
+
+example: 62111
+
+
+**`dns.op_code`**
+:   The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
+
+type: keyword
+
+example: QUERY
+
+
+**`dns.question.class`**
+:   The class of records being queried.
+
+type: keyword
+
+example: IN
+
+
+**`dns.question.name`**
+:   The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
+
+type: keyword
+
+example: www.example.com
+
+
+**`dns.question.registered_domain`**
+:   The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`dns.question.subdomain`**
+:   The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: www
+
+
+**`dns.question.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`dns.question.type`**
+:   The type of record being queried.
+
+type: keyword
+
+example: AAAA
+
+
+**`dns.resolved_ip`**
+:   Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
+
+type: ip
+
+example: ["10.10.10.10", "10.10.10.11"]
+
+
+**`dns.response_code`**
+:   The DNS response code.
+
+type: keyword
+
+example: NOERROR
+
+
+**`dns.type`**
+:   The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
+
+type: keyword
+
+example: answer
+
+
+
+## ecs [_ecs]
+
+Meta-information specific to ECS.
+
+**`ecs.version`**
+:   ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.
+
+type: keyword
+
+example: 1.0.0
+
+required: True
+
+
+
+## elf [_elf]
+
+These fields contain Linux Executable Linkable Format (ELF) metadata.
+
+**`elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+
+## error [_error]
+
+These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.
+
+**`error.code`**
+:   Error code describing the error.
+
+type: keyword
+
+
+**`error.id`**
+:   Unique identifier for the error.
+
+type: keyword
+
+
+**`error.message`**
+:   Error message.
+
+type: match_only_text
+
+
+**`error.stack_trace`**
+:   The stack trace of this error in plain text.
+
+type: wildcard
+
+
+**`error.stack_trace.text`**
+:   type: match_only_text
+
+
+**`error.type`**
+:   The type of the error, for example the class name of the exception.
+
+type: keyword
+
+example: java.lang.NullPointerException
+
+
+
+## event [_event]
+
+The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.
+
+**`event.action`**
+:   The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+
+type: keyword
+
+example: user-password-change
+
+
+**`event.agent_id_status`**
+:   Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent’s connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID.
+
+type: keyword
+
+example: verified
+
+
+**`event.category`**
+:   This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+
+type: keyword
+
+example: authentication
+
+
+**`event.code`**
+:   Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+
+type: keyword
+
+example: 4648
+
+
+**`event.created`**
+:   event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.
+
+type: date
+
+example: 2016-05-23T08:05:34.857Z
+
+
+**`event.dataset`**
+:   Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
+
+type: keyword
+
+example: apache.access
+
+
+**`event.duration`**
+:   Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.
+
+type: long
+
+format: duration
+
+
+**`event.end`**
+:   event.end contains the date when the event ended or when the activity was last observed.
+
+type: date
+
+
+**`event.hash`**
+:   Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+
+type: keyword
+
+example: 123456789012345678901234567890ABCD
+
+
+**`event.id`**
+:   Unique ID to describe the event.
+
+type: keyword
+
+example: 8a4f500d
+
+
+**`event.ingested`**
+:   Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred.  It’s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+
+type: date
+
+example: 2016-05-23T08:05:35.101Z
+
+
+**`event.kind`**
+:   This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+
+type: keyword
+
+example: alert
+
+
+**`event.module`**
+:   Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.
+
+type: keyword
+
+example: apache
+
+
+**`event.original`**
+:   Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+
+type: keyword
+
+example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
+
+Field is not indexed.
+
+
+**`event.outcome`**
+:   This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+
+type: keyword
+
+example: success
+
+
+**`event.provider`**
+:   Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+
+type: keyword
+
+example: kernel
+
+
+**`event.reason`**
+:   Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+
+type: keyword
+
+example: Terminated an unexpected process
+
+
+**`event.reference`**
+:   Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+type: keyword
+
+example: [https://system.example.com/event/#0001234](https://system.example.com/event/#0001234)
+
+
+**`event.risk_score`**
+:   Risk score or priority of the event (e.g. security solutions). Use your system’s original value here.
+
+type: float
+
+
+**`event.risk_score_norm`**
+:   Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
+
+type: float
+
+
+**`event.sequence`**
+:   Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
+
+type: long
+
+format: string
+
+
+**`event.severity`**
+:   The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+
+type: long
+
+example: 7
+
+format: string
+
+
+**`event.start`**
+:   event.start contains the date when the event started or when the activity was first observed.
+
+type: date
+
+
+**`event.timezone`**
+:   This field should be populated when the event’s timestamp does not include timezone information already (e.g. default Syslog timestamps). It’s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+
+type: keyword
+
+
+**`event.type`**
+:   This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+
+type: keyword
+
+
+**`event.url`**
+:   URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+type: keyword
+
+example: [https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe](https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe)
+
+
+
+## faas [_faas]
+
+The user fields describe information about the function as a service that is relevant to the event.
+
+**`faas.coldstart`**
+:   Boolean value indicating a cold start of a function.
+
+type: boolean
+
+
+**`faas.execution`**
+:   The execution ID of the current function execution.
+
+type: keyword
+
+example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
+
+
+**`faas.trigger`**
+:   Details about the function trigger.
+
+type: nested
+
+
+**`faas.trigger.request_id`**
+:   The ID of the trigger request , message, event, etc.
+
+type: keyword
+
+example: 123456789
+
+
+**`faas.trigger.type`**
+:   The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other
+
+type: keyword
+
+example: http
+
+
+
+## file [_file_2]
+
+A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
+
+**`file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`file.path.text`**
+:   type: match_only_text
+
+
+**`file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`file.target_path.text`**
+:   type: match_only_text
+
+
+**`file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+
+## geo [_geo]
+
+Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.
+
+**`geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+
+## group [_group_3]
+
+The group fields are meant to represent groups that are relevant to the event.
+
+**`group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+
+## hash [_hash]
+
+The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).
+
+**`hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+
+## host [_host]
+
+A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
+
+**`host.architecture`**
+:   Operating system architecture.
+
+type: keyword
+
+example: x86_64
+
+
+**`host.cpu.usage`**
+:   Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1.
+
+type: scaled_float
+
+
+**`host.disk.read.bytes`**
+:   The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`host.disk.write.bytes`**
+:   The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`host.domain`**
+:   Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider.
+
+type: keyword
+
+example: CONTOSO
+
+
+**`host.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`host.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`host.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`host.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`host.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`host.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`host.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`host.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`host.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`host.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`host.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`host.hostname`**
+:   Hostname of the host. It normally contains what the `hostname` command returns on the host machine.
+
+type: keyword
+
+
+**`host.id`**
+:   Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.
+
+type: keyword
+
+
+**`host.ip`**
+:   Host ip addresses.
+
+type: ip
+
+
+**`host.mac`**
+:   Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
+
+
+**`host.name`**
+:   Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+
+type: keyword
+
+
+**`host.network.egress.bytes`**
+:   The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.egress.packets`**
+:   The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.ingress.bytes`**
+:   The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.ingress.packets`**
+:   The number of packets (gauge) received on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`host.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`host.os.full.text`**
+:   type: match_only_text
+
+
+**`host.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`host.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`host.os.name.text`**
+:   type: match_only_text
+
+
+**`host.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`host.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`host.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`host.type`**
+:   Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
+
+type: keyword
+
+
+**`host.uptime`**
+:   Seconds the host has been up.
+
+type: long
+
+example: 1325
+
+
+
+## http [_http]
+
+Fields related to HTTP activity. Use the `url` field set to store the url of the request.
+
+**`http.request.body.bytes`**
+:   Size in bytes of the request body.
+
+type: long
+
+example: 887
+
+format: bytes
+
+
+**`http.request.body.content`**
+:   The full HTTP request body.
+
+type: wildcard
+
+example: Hello world
+
+
+**`http.request.body.content.text`**
+:   type: match_only_text
+
+
+**`http.request.bytes`**
+:   Total size in bytes of the request (body and headers).
+
+type: long
+
+example: 1437
+
+format: bytes
+
+
+**`http.request.id`**
+:   A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`.
+
+type: keyword
+
+example: 123e4567-e89b-12d3-a456-426614174000
+
+
+**`http.request.method`**
+:   HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+
+type: keyword
+
+example: POST
+
+
+**`http.request.mime_type`**
+:   Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request’s Content-Type header can be helpful in detecting threats or misconfigured clients.
+
+type: keyword
+
+example: image/gif
+
+
+**`http.request.referrer`**
+:   Referrer for this HTTP request.
+
+type: keyword
+
+example: [https://blog.example.com/](https://blog.example.com/)
+
+
+**`http.response.body.bytes`**
+:   Size in bytes of the response body.
+
+type: long
+
+example: 887
+
+format: bytes
+
+
+**`http.response.body.content`**
+:   The full HTTP response body.
+
+type: wildcard
+
+example: Hello world
+
+
+**`http.response.body.content.text`**
+:   type: match_only_text
+
+
+**`http.response.bytes`**
+:   Total size in bytes of the response (body and headers).
+
+type: long
+
+example: 1437
+
+format: bytes
+
+
+**`http.response.mime_type`**
+:   Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response’s Content-Type header can be helpful in detecting misconfigured servers.
+
+type: keyword
+
+example: image/gif
+
+
+**`http.response.status_code`**
+:   HTTP response status code.
+
+type: long
+
+example: 404
+
+format: string
+
+
+**`http.version`**
+:   HTTP version.
+
+type: keyword
+
+example: 1.1
+
+
+
+## interface [_interface]
+
+The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection.  In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.
+
+**`interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+
+## log [_log]
+
+Details about the event’s logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields.
+
+**`log.file.path`**
+:   Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field.
+
+type: keyword
+
+example: /var/log/fun-times.log
+
+
+**`log.level`**
+:   Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`.
+
+type: keyword
+
+example: error
+
+
+**`log.logger`**
+:   The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+
+type: keyword
+
+example: org.elasticsearch.bootstrap.Bootstrap
+
+
+**`log.origin.file.line`**
+:   The line number of the file containing the source code which originated the log event.
+
+type: long
+
+example: 42
+
+
+**`log.origin.file.name`**
+:   The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.
+
+type: keyword
+
+example: Bootstrap.java
+
+
+**`log.origin.function`**
+:   The name of the function or method which originated the log event.
+
+type: keyword
+
+example: init
+
+
+**`log.syslog`**
+:   The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
+
+type: object
+
+
+**`log.syslog.facility.code`**
+:   The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+
+type: long
+
+example: 23
+
+format: string
+
+
+**`log.syslog.facility.name`**
+:   The Syslog text-based facility of the log event, if available.
+
+type: keyword
+
+example: local7
+
+
+**`log.syslog.priority`**
+:   Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+
+type: long
+
+example: 135
+
+format: string
+
+
+**`log.syslog.severity.code`**
+:   The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source’s numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+
+type: long
+
+example: 3
+
+
+**`log.syslog.severity.name`**
+:   The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source’s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
+
+type: keyword
+
+example: Error
+
+
+
+## network [_network]
+
+The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.
+
+**`network.application`**
+:   When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: aim
+
+
+**`network.bytes`**
+:   Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+
+type: long
+
+example: 368
+
+format: bytes
+
+
+**`network.community_id`**
+:   A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at [https://github.com/corelight/community-id-spec](https://github.com/corelight/community-id-spec).
+
+type: keyword
+
+example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
+
+
+**`network.direction`**
+:   Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown
+
+When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+
+type: keyword
+
+example: inbound
+
+
+**`network.forwarded_ip`**
+:   Host IP address when the source IP address is the proxy.
+
+type: ip
+
+example: 192.1.1.2
+
+
+**`network.iana_number`**
+:   IANA Protocol Number ([https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+
+type: keyword
+
+example: 6
+
+
+**`network.inner`**
+:   Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
+
+type: object
+
+
+**`network.inner.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`network.inner.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`network.name`**
+:   Name given by operators to sections of their network.
+
+type: keyword
+
+example: Guest Wifi
+
+
+**`network.packets`**
+:   Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+
+type: long
+
+example: 24
+
+
+**`network.protocol`**
+:   In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: http
+
+
+**`network.transport`**
+:   Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: tcp
+
+
+**`network.type`**
+:   In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: ipv4
+
+
+**`network.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`network.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+
+## observer [_observer]
+
+An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
+
+**`observer.egress`**
+:   Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
+
+type: object
+
+
+**`observer.egress.interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`observer.egress.interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`observer.egress.interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+**`observer.egress.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`observer.egress.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`observer.egress.zone`**
+:   Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
+
+type: keyword
+
+example: Public_Internet
+
+
+**`observer.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`observer.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`observer.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`observer.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`observer.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`observer.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`observer.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`observer.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`observer.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`observer.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`observer.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`observer.hostname`**
+:   Hostname of the observer.
+
+type: keyword
+
+
+**`observer.ingress`**
+:   Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
+
+type: object
+
+
+**`observer.ingress.interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`observer.ingress.interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`observer.ingress.interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+**`observer.ingress.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`observer.ingress.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`observer.ingress.zone`**
+:   Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
+
+type: keyword
+
+example: DMZ
+
+
+**`observer.ip`**
+:   IP addresses of the observer.
+
+type: ip
+
+
+**`observer.mac`**
+:   MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
+
+
+**`observer.name`**
+:   Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.
+
+type: keyword
+
+example: 1_proxySG
+
+
+**`observer.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`observer.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`observer.os.full.text`**
+:   type: match_only_text
+
+
+**`observer.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`observer.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`observer.os.name.text`**
+:   type: match_only_text
+
+
+**`observer.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`observer.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`observer.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`observer.product`**
+:   The product name of the observer.
+
+type: keyword
+
+example: s200
+
+
+**`observer.serial_number`**
+:   Observer serial number.
+
+type: keyword
+
+
+**`observer.type`**
+:   The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+
+type: keyword
+
+example: firewall
+
+
+**`observer.vendor`**
+:   Vendor name of the observer.
+
+type: keyword
+
+example: Symantec
+
+
+**`observer.version`**
+:   Observer version.
+
+type: keyword
+
+
+
+## orchestrator [_orchestrator]
+
+Fields that describe the resources which container orchestrators manage or act upon.
+
+**`orchestrator.api_version`**
+:   API version being used to carry out the action
+
+type: keyword
+
+example: v1beta1
+
+
+**`orchestrator.cluster.name`**
+:   Name of the cluster.
+
+type: keyword
+
+
+**`orchestrator.cluster.url`**
+:   URL of the API used to manage the cluster.
+
+type: keyword
+
+
+**`orchestrator.cluster.version`**
+:   The version of the cluster.
+
+type: keyword
+
+
+**`orchestrator.namespace`**
+:   Namespace in which the action is taking place.
+
+type: keyword
+
+example: kube-system
+
+
+**`orchestrator.organization`**
+:   Organization affected by the event (for multi-tenant orchestrator setups).
+
+type: keyword
+
+example: elastic
+
+
+**`orchestrator.resource.name`**
+:   Name of the resource being acted upon.
+
+type: keyword
+
+example: test-pod-cdcws
+
+
+**`orchestrator.resource.type`**
+:   Type of resource being acted upon.
+
+type: keyword
+
+example: service
+
+
+**`orchestrator.type`**
+:   Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
+
+type: keyword
+
+example: kubernetes
+
+
+
+## organization [_organization]
+
+The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.
+
+**`organization.id`**
+:   Unique identifier for the organization.
+
+type: keyword
+
+
+**`organization.name`**
+:   Organization name.
+
+type: keyword
+
+
+**`organization.name.text`**
+:   type: match_only_text
+
+
+
+## os [_os]
+
+The OS fields contain information about the operating system.
+
+**`os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`os.full.text`**
+:   type: match_only_text
+
+
+**`os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`os.name.text`**
+:   type: match_only_text
+
+
+**`os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+
+## package [_package]
+
+These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
+
+**`package.architecture`**
+:   Package architecture.
+
+type: keyword
+
+example: x86_64
+
+
+**`package.build_version`**
+:   Additional information about the build version of the installed package. For example use the commit SHA of a non-released package.
+
+type: keyword
+
+example: 36f4f7e89dd61b0988b12ee000b98966867710cd
+
+
+**`package.checksum`**
+:   Checksum of the installed package for verification.
+
+type: keyword
+
+example: 68b329da9893e34099c7d8ad5cb9c940
+
+
+**`package.description`**
+:   Description of the package.
+
+type: keyword
+
+example: Open source programming language to build simple/reliable/efficient software.
+
+
+**`package.install_scope`**
+:   Indicating how the package was installed, e.g. user-local, global.
+
+type: keyword
+
+example: global
+
+
+**`package.installed`**
+:   Time when package was installed.
+
+type: date
+
+
+**`package.license`**
+:   License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible ([https://spdx.org/licenses/](https://spdx.org/licenses/)).
+
+type: keyword
+
+example: Apache License 2.0
+
+
+**`package.name`**
+:   Package name
+
+type: keyword
+
+example: go
+
+
+**`package.path`**
+:   Path where the package is installed.
+
+type: keyword
+
+example: /usr/local/Cellar/go/1.12.9/
+
+
+**`package.reference`**
+:   Home page or reference URL of the software in this package, if available.
+
+type: keyword
+
+example: [https://golang.org](https://golang.org)
+
+
+**`package.size`**
+:   Package size in bytes.
+
+type: long
+
+example: 62231
+
+format: string
+
+
+**`package.type`**
+:   Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.
+
+type: keyword
+
+example: rpm
+
+
+**`package.version`**
+:   Package version
+
+type: keyword
+
+example: 1.12.9
+
+
+
+## pe [_pe]
+
+These fields contain Windows Portable Executable (PE) metadata.
+
+**`pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+
+## process [_process_2]
+
+These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message.  The `process.pid` often stays in the metric itself and is copied to the global field for correlation.
+
+**`process.args`**
+:   Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
+
+type: keyword
+
+example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
+
+
+**`process.args_count`**
+:   Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
+
+type: long
+
+example: 4
+
+
+**`process.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`process.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`process.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`process.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`process.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`process.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`process.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`process.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`process.command_line`**
+:   Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
+
+type: wildcard
+
+example: /usr/bin/ssh -l user 10.0.0.16
+
+
+**`process.command_line.text`**
+:   type: match_only_text
+
+
+**`process.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`process.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`process.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`process.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`process.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`process.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`process.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`process.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`process.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`process.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`process.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`process.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`process.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`process.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`process.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`process.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`process.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`process.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`process.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`process.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`process.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`process.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`process.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`process.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`process.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`process.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`process.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`process.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`process.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`process.end`**
+:   The time the process ended.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.entity_id`**
+:   Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+
+type: keyword
+
+example: c2c455d9f99375d
+
+
+**`process.executable`**
+:   Absolute path to the process executable.
+
+type: keyword
+
+example: /usr/bin/ssh
+
+
+**`process.executable.text`**
+:   type: match_only_text
+
+
+**`process.exit_code`**
+:   The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
+
+type: long
+
+example: 137
+
+
+**`process.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`process.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`process.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`process.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`process.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`process.name`**
+:   Process name. Sometimes called program name or similar.
+
+type: keyword
+
+example: ssh
+
+
+**`process.name.text`**
+:   type: match_only_text
+
+
+**`process.parent.args`**
+:   Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
+
+type: keyword
+
+example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
+
+
+**`process.parent.args_count`**
+:   Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
+
+type: long
+
+example: 4
+
+
+**`process.parent.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`process.parent.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`process.parent.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`process.parent.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.parent.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`process.parent.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`process.parent.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.command_line`**
+:   Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
+
+type: wildcard
+
+example: /usr/bin/ssh -l user 10.0.0.16
+
+
+**`process.parent.command_line.text`**
+:   type: match_only_text
+
+
+**`process.parent.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`process.parent.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`process.parent.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`process.parent.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`process.parent.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`process.parent.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`process.parent.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`process.parent.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`process.parent.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`process.parent.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`process.parent.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`process.parent.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`process.parent.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`process.parent.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`process.parent.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`process.parent.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`process.parent.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`process.parent.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`process.parent.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`process.parent.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`process.parent.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`process.parent.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`process.parent.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`process.parent.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`process.parent.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`process.parent.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`process.parent.end`**
+:   The time the process ended.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.parent.entity_id`**
+:   Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+
+type: keyword
+
+example: c2c455d9f99375d
+
+
+**`process.parent.executable`**
+:   Absolute path to the process executable.
+
+type: keyword
+
+example: /usr/bin/ssh
+
+
+**`process.parent.executable.text`**
+:   type: match_only_text
+
+
+**`process.parent.exit_code`**
+:   The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
+
+type: long
+
+example: 137
+
+
+**`process.parent.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`process.parent.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`process.parent.name`**
+:   Process name. Sometimes called program name or similar.
+
+type: keyword
+
+example: ssh
+
+
+**`process.parent.name.text`**
+:   type: match_only_text
+
+
+**`process.parent.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`process.parent.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.parent.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`process.parent.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`process.parent.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`process.parent.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`process.parent.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`process.parent.pgid`**
+:   Identifier of the group of processes the process belongs to.
+
+type: long
+
+format: string
+
+
+**`process.parent.pid`**
+:   Process id.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.parent.start`**
+:   The time the process started.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.parent.thread.id`**
+:   Thread ID.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.parent.thread.name`**
+:   Thread name.
+
+type: keyword
+
+example: thread-0
+
+
+**`process.parent.title`**
+:   Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+
+type: keyword
+
+
+**`process.parent.title.text`**
+:   type: match_only_text
+
+
+**`process.parent.uptime`**
+:   Seconds the process has been up.
+
+type: long
+
+example: 1325
+
+
+**`process.parent.working_directory`**
+:   The working directory of the process.
+
+type: keyword
+
+example: /home/alice
+
+
+**`process.parent.working_directory.text`**
+:   type: match_only_text
+
+
+**`process.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`process.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`process.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`process.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`process.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`process.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`process.pgid`**
+:   Identifier of the group of processes the process belongs to.
+
+type: long
+
+format: string
+
+
+**`process.pid`**
+:   Process id.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.start`**
+:   The time the process started.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.thread.id`**
+:   Thread ID.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.thread.name`**
+:   Thread name.
+
+type: keyword
+
+example: thread-0
+
+
+**`process.title`**
+:   Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+
+type: keyword
+
+
+**`process.title.text`**
+:   type: match_only_text
+
+
+**`process.uptime`**
+:   Seconds the process has been up.
+
+type: long
+
+example: 1325
+
+
+**`process.working_directory`**
+:   The working directory of the process.
+
+type: keyword
+
+example: /home/alice
+
+
+**`process.working_directory.text`**
+:   type: match_only_text
+
+
+
+## registry [_registry]
+
+Fields related to Windows Registry operations.
+
+**`registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+
+## related [_related]
+
+This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.
+
+**`related.hash`**
+:   All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search).
+
+type: keyword
+
+
+**`related.hosts`**
+:   All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+
+type: keyword
+
+
+**`related.ip`**
+:   All of the IPs seen on your event.
+
+type: ip
+
+
+**`related.user`**
+:   All the user names or other user identifiers seen on the event.
+
+type: keyword
+
+
+
+## rule [_rule]
+
+Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.
+
+**`rule.author`**
+:   Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
+
+type: keyword
+
+example: ["Star-Lord"]
+
+
+**`rule.category`**
+:   A categorization value keyword used by the entity using the rule for detection of this event.
+
+type: keyword
+
+example: Attempted Information Leak
+
+
+**`rule.description`**
+:   The description of the rule generating the event.
+
+type: keyword
+
+example: Block requests to public DNS over HTTPS / TLS protocols
+
+
+**`rule.id`**
+:   A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+
+type: keyword
+
+example: 101
+
+
+**`rule.license`**
+:   Name of the license under which the rule used to generate this event is made available.
+
+type: keyword
+
+example: Apache 2.0
+
+
+**`rule.name`**
+:   The name of the rule or signature generating the event.
+
+type: keyword
+
+example: BLOCK_DNS_over_TLS
+
+
+**`rule.reference`**
+:   Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert.
+
+type: keyword
+
+example: [https://en.wikipedia.org/wiki/DNS_over_TLS](https://en.wikipedia.org/wiki/DNS_over_TLS)
+
+
+**`rule.ruleset`**
+:   Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
+
+type: keyword
+
+example: Standard_Protocol_Filters
+
+
+**`rule.uuid`**
+:   A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
+
+type: keyword
+
+example: 1100110011
+
+
+**`rule.version`**
+:   The version / revision of the rule being used for analysis.
+
+type: keyword
+
+example: 1.1
+
+
+
+## server [_server]
+
+A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
+
+**`server.address`**
+:   Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`server.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`server.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`server.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`server.bytes`**
+:   Bytes sent from the server to the client.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`server.domain`**
+:   The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`server.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`server.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`server.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`server.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`server.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`server.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`server.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`server.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`server.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`server.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`server.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`server.ip`**
+:   IP address of the server (IPv4 or IPv6).
+
+type: ip
+
+
+**`server.mac`**
+:   MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`server.nat.ip`**
+:   Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`server.nat.port`**
+:   Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`server.packets`**
+:   Packets sent from the server to the client.
+
+type: long
+
+example: 12
+
+
+**`server.port`**
+:   Port of the server.
+
+type: long
+
+format: string
+
+
+**`server.registered_domain`**
+:   The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`server.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`server.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`server.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`server.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`server.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`server.user.full_name.text`**
+:   type: match_only_text
+
+
+**`server.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`server.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`server.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`server.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`server.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`server.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`server.user.name.text`**
+:   type: match_only_text
+
+
+**`server.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## service [_service]
+
+The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.
+
+**`service.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.origin.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.origin.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.origin.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.origin.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.origin.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.origin.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.origin.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.origin.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.origin.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+**`service.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.target.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.target.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.target.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.target.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.target.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.target.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.target.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.target.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.target.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+**`service.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+
+## source [_source_2]
+
+Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
+
+**`source.address`**
+:   Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`source.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`source.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`source.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`source.bytes`**
+:   Bytes sent from the source to the destination.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`source.domain`**
+:   The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`source.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`source.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`source.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`source.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`source.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`source.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`source.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`source.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`source.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`source.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`source.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`source.ip`**
+:   IP address of the source (IPv4 or IPv6).
+
+type: ip
+
+
+**`source.mac`**
+:   MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`source.nat.ip`**
+:   Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`source.nat.port`**
+:   Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`source.packets`**
+:   Packets sent from the source to the destination.
+
+type: long
+
+example: 12
+
+
+**`source.port`**
+:   Port of the source.
+
+type: long
+
+format: string
+
+
+**`source.registered_domain`**
+:   The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`source.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`source.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`source.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`source.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`source.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`source.user.full_name.text`**
+:   type: match_only_text
+
+
+**`source.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`source.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`source.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`source.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`source.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`source.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`source.user.name.text`**
+:   type: match_only_text
+
+
+**`source.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## threat [_threat]
+
+Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
+
+**`threat.enrichments`**
+:   A list of associated indicators objects enriching the event, and the context of that association/enrichment.
+
+type: nested
+
+
+**`threat.enrichments.indicator`**
+:   Object containing associated indicators enriching the event.
+
+type: object
+
+
+**`threat.enrichments.indicator.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`threat.enrichments.indicator.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`threat.enrichments.indicator.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.confidence`**
+:   Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High
+
+type: keyword
+
+example: Medium
+
+
+**`threat.enrichments.indicator.description`**
+:   Describes the type of action conducted by the threat.
+
+type: keyword
+
+example: IP x.x.x.x was observed delivering the Angler EK.
+
+
+**`threat.enrichments.indicator.email.address`**
+:   Identifies a threat indicator as an email address (irrespective of direction).
+
+type: keyword
+
+example: `phish@example.com`
+
+
+**`threat.enrichments.indicator.file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`threat.enrichments.indicator.file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`threat.enrichments.indicator.file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`threat.enrichments.indicator.file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`threat.enrichments.indicator.file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.enrichments.indicator.file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`threat.enrichments.indicator.file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`threat.enrichments.indicator.file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`threat.enrichments.indicator.file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`threat.enrichments.indicator.file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`threat.enrichments.indicator.file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`threat.enrichments.indicator.file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`threat.enrichments.indicator.file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`threat.enrichments.indicator.file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`threat.enrichments.indicator.file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`threat.enrichments.indicator.file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`threat.enrichments.indicator.file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`threat.enrichments.indicator.file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`threat.enrichments.indicator.file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`threat.enrichments.indicator.file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`threat.enrichments.indicator.file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.enrichments.indicator.file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`threat.enrichments.indicator.file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.enrichments.indicator.file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`threat.enrichments.indicator.file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`threat.enrichments.indicator.file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`threat.enrichments.indicator.file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`threat.enrichments.indicator.file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`threat.enrichments.indicator.file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`threat.enrichments.indicator.file.path.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`threat.enrichments.indicator.file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.enrichments.indicator.file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`threat.enrichments.indicator.file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`threat.enrichments.indicator.file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`threat.enrichments.indicator.file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`threat.enrichments.indicator.file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`threat.enrichments.indicator.file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`threat.enrichments.indicator.file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.target_path.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`threat.enrichments.indicator.file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.enrichments.indicator.file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.enrichments.indicator.file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.enrichments.indicator.file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.enrichments.indicator.file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.enrichments.indicator.file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.enrichments.indicator.file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.enrichments.indicator.file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.enrichments.indicator.file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.enrichments.indicator.file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.enrichments.indicator.file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.enrichments.indicator.file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.enrichments.indicator.file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.enrichments.indicator.file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.enrichments.indicator.file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.enrichments.indicator.file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.enrichments.indicator.file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.enrichments.indicator.file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.enrichments.indicator.first_seen`**
+:   The date and time when intelligence source first reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`threat.enrichments.indicator.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`threat.enrichments.indicator.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`threat.enrichments.indicator.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`threat.enrichments.indicator.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`threat.enrichments.indicator.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`threat.enrichments.indicator.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`threat.enrichments.indicator.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`threat.enrichments.indicator.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`threat.enrichments.indicator.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`threat.enrichments.indicator.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`threat.enrichments.indicator.ip`**
+:   Identifies a threat indicator as an IP address (irrespective of direction).
+
+type: ip
+
+example: 1.2.3.4
+
+
+**`threat.enrichments.indicator.last_seen`**
+:   The date and time when intelligence source last reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.marking.tlp`**
+:   Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED
+
+type: keyword
+
+example: White
+
+
+**`threat.enrichments.indicator.modified_at`**
+:   The date and time when intelligence source last modified information for this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.port`**
+:   Identifies a threat indicator as a port number (irrespective of direction).
+
+type: long
+
+example: 443
+
+
+**`threat.enrichments.indicator.provider`**
+:   The name of the indicator’s provider.
+
+type: keyword
+
+example: lrz_urlhaus
+
+
+**`threat.enrichments.indicator.reference`**
+:   Reference URL linking to additional information about this indicator.
+
+type: keyword
+
+example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234)
+
+
+**`threat.enrichments.indicator.registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`threat.enrichments.indicator.registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`threat.enrichments.indicator.registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`threat.enrichments.indicator.registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`threat.enrichments.indicator.registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`threat.enrichments.indicator.registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`threat.enrichments.indicator.registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+**`threat.enrichments.indicator.scanner_stats`**
+:   Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+type: long
+
+example: 4
+
+
+**`threat.enrichments.indicator.sightings`**
+:   Number of times this indicator was observed conducting threat activity.
+
+type: long
+
+example: 20
+
+
+**`threat.enrichments.indicator.type`**
+:   Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate
+
+type: keyword
+
+example: ipv4-addr
+
+
+**`threat.enrichments.indicator.url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`threat.enrichments.indicator.url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.enrichments.indicator.url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`threat.enrichments.indicator.url.full.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`threat.enrichments.indicator.url.original.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`threat.enrichments.indicator.url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`threat.enrichments.indicator.url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`threat.enrichments.indicator.url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`threat.enrichments.indicator.url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`threat.enrichments.indicator.url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`threat.enrichments.indicator.url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.enrichments.indicator.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.enrichments.indicator.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.enrichments.indicator.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.enrichments.indicator.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.enrichments.indicator.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.enrichments.indicator.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.enrichments.indicator.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.enrichments.indicator.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.enrichments.indicator.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.enrichments.indicator.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.enrichments.indicator.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.enrichments.indicator.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.enrichments.indicator.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.enrichments.indicator.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.enrichments.indicator.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.enrichments.indicator.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.enrichments.matched.atomic`**
+:   Identifies the atomic indicator value that matched a local environment endpoint or network event.
+
+type: keyword
+
+example: bad-domain.com
+
+
+**`threat.enrichments.matched.field`**
+:   Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
+
+type: keyword
+
+example: file.hash.sha256
+
+
+**`threat.enrichments.matched.id`**
+:   Identifies the _id of the indicator document enriching the event.
+
+type: keyword
+
+example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
+
+
+**`threat.enrichments.matched.index`**
+:   Identifies the _index of the indicator document enriching the event.
+
+type: keyword
+
+example: filebeat-8.0.0-2021.05.23-000011
+
+
+**`threat.enrichments.matched.type`**
+:   Identifies the type of match that caused the event to be enriched with the given indicator
+
+type: keyword
+
+example: indicator_match_rule
+
+
+**`threat.framework`**
+:   Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
+
+type: keyword
+
+example: MITRE ATT&CK
+
+
+**`threat.group.alias`**
+:   The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es).
+
+type: keyword
+
+example: [ "Magecart Group 6" ]
+
+
+**`threat.group.id`**
+:   The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id.
+
+type: keyword
+
+example: G0037
+
+
+**`threat.group.name`**
+:   The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name.
+
+type: keyword
+
+example: FIN6
+
+
+**`threat.group.reference`**
+:   The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL.
+
+type: keyword
+
+example: [https://attack.mitre.org/groups/G0037/](https://attack.mitre.org/groups/G0037/)
+
+
+**`threat.indicator.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`threat.indicator.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`threat.indicator.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.confidence`**
+:   Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High
+
+type: keyword
+
+example: Medium
+
+
+**`threat.indicator.description`**
+:   Describes the type of action conducted by the threat.
+
+type: keyword
+
+example: IP x.x.x.x was observed delivering the Angler EK.
+
+
+**`threat.indicator.email.address`**
+:   Identifies a threat indicator as an email address (irrespective of direction).
+
+type: keyword
+
+example: `phish@example.com`
+
+
+**`threat.indicator.file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`threat.indicator.file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`threat.indicator.file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`threat.indicator.file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`threat.indicator.file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`threat.indicator.file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.indicator.file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`threat.indicator.file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`threat.indicator.file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`threat.indicator.file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`threat.indicator.file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`threat.indicator.file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`threat.indicator.file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`threat.indicator.file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`threat.indicator.file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`threat.indicator.file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`threat.indicator.file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`threat.indicator.file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`threat.indicator.file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`threat.indicator.file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`threat.indicator.file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`threat.indicator.file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`threat.indicator.file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`threat.indicator.file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`threat.indicator.file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.indicator.file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`threat.indicator.file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.indicator.file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`threat.indicator.file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`threat.indicator.file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`threat.indicator.file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`threat.indicator.file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`threat.indicator.file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`threat.indicator.file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`threat.indicator.file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`threat.indicator.file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`threat.indicator.file.path.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`threat.indicator.file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.indicator.file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`threat.indicator.file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`threat.indicator.file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`threat.indicator.file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`threat.indicator.file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`threat.indicator.file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`threat.indicator.file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`threat.indicator.file.target_path.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`threat.indicator.file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.indicator.file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.indicator.file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.indicator.file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.indicator.file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.indicator.file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.indicator.file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.indicator.file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.indicator.file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.indicator.file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.indicator.file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.indicator.file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.indicator.file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.indicator.file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.indicator.file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.indicator.file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.indicator.file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.indicator.file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.indicator.file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.indicator.first_seen`**
+:   The date and time when intelligence source first reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`threat.indicator.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`threat.indicator.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`threat.indicator.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`threat.indicator.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`threat.indicator.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`threat.indicator.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`threat.indicator.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`threat.indicator.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`threat.indicator.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`threat.indicator.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`threat.indicator.ip`**
+:   Identifies a threat indicator as an IP address (irrespective of direction).
+
+type: ip
+
+example: 1.2.3.4
+
+
+**`threat.indicator.last_seen`**
+:   The date and time when intelligence source last reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.marking.tlp`**
+:   Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED
+
+type: keyword
+
+example: WHITE
+
+
+**`threat.indicator.modified_at`**
+:   The date and time when intelligence source last modified information for this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.port`**
+:   Identifies a threat indicator as a port number (irrespective of direction).
+
+type: long
+
+example: 443
+
+
+**`threat.indicator.provider`**
+:   The name of the indicator’s provider.
+
+type: keyword
+
+example: lrz_urlhaus
+
+
+**`threat.indicator.reference`**
+:   Reference URL linking to additional information about this indicator.
+
+type: keyword
+
+example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234)
+
+
+**`threat.indicator.registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`threat.indicator.registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`threat.indicator.registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`threat.indicator.registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`threat.indicator.registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`threat.indicator.registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`threat.indicator.registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+**`threat.indicator.scanner_stats`**
+:   Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+type: long
+
+example: 4
+
+
+**`threat.indicator.sightings`**
+:   Number of times this indicator was observed conducting threat activity.
+
+type: long
+
+example: 20
+
+
+**`threat.indicator.type`**
+:   Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate
+
+type: keyword
+
+example: ipv4-addr
+
+
+**`threat.indicator.url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`threat.indicator.url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.indicator.url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`threat.indicator.url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`threat.indicator.url.full.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`threat.indicator.url.original.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`threat.indicator.url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`threat.indicator.url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`threat.indicator.url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`threat.indicator.url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`threat.indicator.url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`threat.indicator.url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`threat.indicator.url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`threat.indicator.url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+**`threat.indicator.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.indicator.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.indicator.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.indicator.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.indicator.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.indicator.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.indicator.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.indicator.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.indicator.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.indicator.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.indicator.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.indicator.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.indicator.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.indicator.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.indicator.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.indicator.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.indicator.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.indicator.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.software.alias`**
+:   The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description.
+
+type: keyword
+
+example: [ "X-Agent" ]
+
+
+**`threat.software.id`**
+:   The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id.
+
+type: keyword
+
+example: S0552
+
+
+**`threat.software.name`**
+:   The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name.
+
+type: keyword
+
+example: AdFind
+
+
+**`threat.software.platforms`**
+:   The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows
+
+While not required, you can use a MITRE ATT&CK® software platforms.
+
+type: keyword
+
+example: [ "Windows" ]
+
+
+**`threat.software.reference`**
+:   The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL.
+
+type: keyword
+
+example: [https://attack.mitre.org/software/S0552/](https://attack.mitre.org/software/S0552/)
+
+
+**`threat.software.type`**
+:   The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool
+
+```
+While not required, you can use a MITRE ATT&CK® software type.
+```
+type: keyword
+
+example: Tool
+
+
+**`threat.tactic.id`**
+:   The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) )
+
+type: keyword
+
+example: TA0002
+
+
+**`threat.tactic.name`**
+:   Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/))
+
+type: keyword
+
+example: Execution
+
+
+**`threat.tactic.reference`**
+:   The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) )
+
+type: keyword
+
+example: [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)
+
+
+**`threat.technique.id`**
+:   The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: T1059
+
+
+**`threat.technique.name`**
+:   The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: Command and Scripting Interpreter
+
+
+**`threat.technique.name.text`**
+:   type: match_only_text
+
+
+**`threat.technique.reference`**
+:   The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)
+
+
+**`threat.technique.subtechnique.id`**
+:   The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: T1059.001
+
+
+**`threat.technique.subtechnique.name`**
+:   The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: PowerShell
+
+
+**`threat.technique.subtechnique.name.text`**
+:   type: match_only_text
+
+
+**`threat.technique.subtechnique.reference`**
+:   The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)
+
+
+
+## tls [_tls]
+
+Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.
+
+**`tls.cipher`**
+:   String indicating the cipher used during the current connection.
+
+type: keyword
+
+example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+
+
+**`tls.client.certificate`**
+:   PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII…​
+
+
+**`tls.client.certificate_chain`**
+:   Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ["MII…​", "MII…​"]
+
+
+**`tls.client.hash.md5`**
+:   Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+
+**`tls.client.hash.sha1`**
+:   Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+
+**`tls.client.hash.sha256`**
+:   Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+
+**`tls.client.issuer`**
+:   Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.client.ja3`**
+:   A hash that identifies clients based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: d4e5b18d6b55c71272893221c96ba240
+
+
+**`tls.client.not_after`**
+:   Date/Time indicating when client certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+
+**`tls.client.not_before`**
+:   Date/Time indicating when client certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+
+**`tls.client.server_name`**
+:   Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`tls.client.subject`**
+:   Distinguished name of subject of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=myclient, OU=Documentation Team, DC=example, DC=com
+
+
+**`tls.client.supported_ciphers`**
+:   Array of ciphers offered by the client during the client hello.
+
+type: keyword
+
+example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "…​"]
+
+
+**`tls.client.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`tls.client.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`tls.client.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`tls.client.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`tls.client.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`tls.client.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`tls.client.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`tls.client.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.client.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`tls.client.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`tls.client.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`tls.client.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`tls.client.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`tls.client.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`tls.client.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`tls.client.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`tls.client.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`tls.client.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`tls.client.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`tls.client.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`tls.client.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`tls.client.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`tls.client.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.client.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`tls.curve`**
+:   String indicating the curve used for the given cipher, when applicable.
+
+type: keyword
+
+example: secp256r1
+
+
+**`tls.established`**
+:   Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+
+type: boolean
+
+
+**`tls.next_protocol`**
+:   String indicating the protocol being tunneled. Per the values in the IANA registry ([https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids)), this string should be lower case.
+
+type: keyword
+
+example: http/1.1
+
+
+**`tls.resumed`**
+:   Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+
+type: boolean
+
+
+**`tls.server.certificate`**
+:   PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII…​
+
+
+**`tls.server.certificate_chain`**
+:   Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ["MII…​", "MII…​"]
+
+
+**`tls.server.hash.md5`**
+:   Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+
+**`tls.server.hash.sha1`**
+:   Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+
+**`tls.server.hash.sha256`**
+:   Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+
+**`tls.server.issuer`**
+:   Subject of the issuer of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.server.ja3s`**
+:   A hash that identifies servers based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: 394441ab65754e2207b1e1b457b3641d
+
+
+**`tls.server.not_after`**
+:   Timestamp indicating when server certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+
+**`tls.server.not_before`**
+:   Timestamp indicating when server certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+
+**`tls.server.subject`**
+:   Subject of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.server.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`tls.server.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`tls.server.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`tls.server.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`tls.server.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`tls.server.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`tls.server.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`tls.server.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.server.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`tls.server.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`tls.server.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`tls.server.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`tls.server.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`tls.server.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`tls.server.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`tls.server.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`tls.server.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`tls.server.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`tls.server.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`tls.server.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`tls.server.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`tls.server.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`tls.server.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.server.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`tls.version`**
+:   Numeric part of the version parsed from the original string.
+
+type: keyword
+
+example: 1.2
+
+
+**`tls.version_protocol`**
+:   Normalized lowercase protocol name parsed from original string.
+
+type: keyword
+
+example: tls
+
+
+**`span.id`**
+:   Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query.
+
+type: keyword
+
+example: 3ff9a8981b7ccd5a
+
+
+**`trace.id`**
+:   Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
+
+type: keyword
+
+example: 4bf92f3577b34da6a3ce929d0e0e4736
+
+
+**`transaction.id`**
+:   Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server.
+
+type: keyword
+
+example: 00f067aa0ba902b7
+
+
+
+## url [_url]
+
+URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.
+
+**`url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`url.full.text`**
+:   type: match_only_text
+
+
+**`url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`url.original.text`**
+:   type: match_only_text
+
+
+**`url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+
+## user [_user_2]
+
+The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
+
+**`user.changes.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.changes.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.changes.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.changes.full_name.text`**
+:   type: match_only_text
+
+
+**`user.changes.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.changes.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.changes.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.changes.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.changes.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.changes.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.changes.name.text`**
+:   type: match_only_text
+
+
+**`user.changes.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.effective.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.effective.full_name.text`**
+:   type: match_only_text
+
+
+**`user.effective.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.effective.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.effective.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.effective.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.effective.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.effective.name.text`**
+:   type: match_only_text
+
+
+**`user.effective.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.full_name.text`**
+:   type: match_only_text
+
+
+**`user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.name.text`**
+:   type: match_only_text
+
+
+**`user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.target.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.target.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.target.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.target.full_name.text`**
+:   type: match_only_text
+
+
+**`user.target.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.target.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.target.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.target.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.target.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.target.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.target.name.text`**
+:   type: match_only_text
+
+
+**`user.target.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## user_agent [_user_agent]
+
+The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
+
+**`user_agent.device.name`**
+:   Name of the device.
+
+type: keyword
+
+example: iPhone
+
+
+**`user_agent.name`**
+:   Name of the user agent.
+
+type: keyword
+
+example: Safari
+
+
+**`user_agent.original`**
+:   Unparsed user_agent string.
+
+type: keyword
+
+example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+
+
+**`user_agent.original.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`user_agent.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`user_agent.os.full.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`user_agent.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`user_agent.os.name.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`user_agent.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`user_agent.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`user_agent.version`**
+:   Version of the user agent.
+
+type: keyword
+
+example: 12.0
+
+
+
+## vlan [_vlan]
+
+The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor  (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.
+
+**`vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+
+## vulnerability [_vulnerability]
+
+The vulnerability fields describe information about a vulnerability that is relevant to an event.
+
+**`vulnerability.category`**
+:   The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example ([Qualys vulnerability categories](https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)) This field must be an array.
+
+type: keyword
+
+example: ["Firewall"]
+
+
+**`vulnerability.classification`**
+:   The classification of the vulnerability scoring system. For example ([https://www.first.org/cvss/](https://www.first.org/cvss/))
+
+type: keyword
+
+example: CVSS
+
+
+**`vulnerability.description`**
+:   The description of the vulnerability that provides additional context of the vulnerability. For example ([Common Vulnerabilities and Exposure CVE description](https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created))
+
+type: keyword
+
+example: In macOS before 2.12.6, there is a vulnerability in the RPC…​
+
+
+**`vulnerability.description.text`**
+:   type: match_only_text
+
+
+**`vulnerability.enumeration`**
+:   The type of identifier used for this vulnerability. For example ([https://cve.mitre.org/about/](https://cve.mitre.org/about/))
+
+type: keyword
+
+example: CVE
+
+
+**`vulnerability.id`**
+:   The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example ([Common Vulnerabilities and Exposure CVE ID](https://cve.mitre.org/about/faqs.html#what_is_cve_id))
+
+type: keyword
+
+example: CVE-2019-00001
+
+
+**`vulnerability.reference`**
+:   A resource that provides additional information, context, and mitigations for the identified vulnerability.
+
+type: keyword
+
+example: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111)
+
+
+**`vulnerability.report_id`**
+:   The report or scan identification number.
+
+type: keyword
+
+example: 20191018.0001
+
+
+**`vulnerability.scanner.vendor`**
+:   The name of the vulnerability scanner vendor.
+
+type: keyword
+
+example: Tenable
+
+
+**`vulnerability.score.base`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+example: 5.5
+
+
+**`vulnerability.score.environmental`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+example: 5.5
+
+
+**`vulnerability.score.temporal`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+
+**`vulnerability.score.version`**
+:   The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss))
+
+type: keyword
+
+example: 2.0
+
+
+**`vulnerability.severity`**
+:   The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss))
+
+type: keyword
+
+example: Critical
+
+
+
+## x509 [_x509]
+
+This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.
+
+**`x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
diff --git a/docs/reference/auditbeat/exported-fields-file_integrity.md b/docs/reference/auditbeat/exported-fields-file_integrity.md
new file mode 100644
index 000000000000..6b3ed764019e
--- /dev/null
+++ b/docs/reference/auditbeat/exported-fields-file_integrity.md
@@ -0,0 +1,424 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-file_integrity.html
+---
+
+# File Integrity fields [exported-fields-file_integrity]
+
+These are the fields generated by the file_integrity module.
+
+
+## file [_file_3]
+
+File attributes.
+
+
+## elf [_elf_2]
+
+These fields contain Linux Executable Linkable Format (ELF) metadata.
+
+**`file.elf.go_imports`**
+:   List of imported Go language element names and types.
+
+type: flattened
+
+
+**`file.elf.go_imports_names_entropy`**
+:   Shannon entropy calculation from the list of Go imports.
+
+type: long
+
+format: number
+
+
+**`file.elf.go_imports_names_var_entropy`**
+:   Variance for Shannon entropy calculation from the list of Go imports.
+
+type: long
+
+format: number
+
+
+**`file.elf.go_import_hash`**
+:   A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
+
+type: keyword
+
+example: 10bddcb4cee42080f76c88d9ff964491
+
+
+**`file.elf.go_stripped`**
+:   Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
+
+type: boolean
+
+
+**`file.elf.imports_names_entropy`**
+:   Shannon entropy calculation from the list of imported element names and types.
+
+type: long
+
+format: number
+
+
+**`file.elf.imports_names_var_entropy`**
+:   Variance for Shannon entropy calculation from the list of imported element names and types.
+
+type: long
+
+format: number
+
+
+**`file.elf.import_hash`**
+:   A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.
+
+type: keyword
+
+example: d41d8cd98f00b204e9800998ecf8427e
+
+
+**`file.elf.sections.var_entropy`**
+:   Variance for Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+
+## macho [_macho]
+
+These fields contain Mach object file Format (Mach-O) metadata.
+
+**`file.macho.go_imports`**
+:   List of imported Go language element names and types.
+
+type: flattened
+
+
+**`file.macho.go_imports_names_entropy`**
+:   Shannon entropy calculation from the list of Go imports.
+
+type: long
+
+format: number
+
+
+**`file.macho.go_imports_names_var_entropy`**
+:   Variance for Shannon entropy calculation from the list of Go imports.
+
+type: long
+
+format: number
+
+
+**`file.macho.go_import_hash`**
+:   A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
+
+type: keyword
+
+example: 10bddcb4cee42080f76c88d9ff964491
+
+
+**`file.macho.go_stripped`**
+:   Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
+
+type: boolean
+
+
+**`file.macho.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`file.macho.imports_names_entropy`**
+:   Shannon entropy calculation from the list of imported element names and types.
+
+type: long
+
+format: number
+
+
+**`file.macho.imports_names_var_entropy`**
+:   Variance for Shannon entropy calculation from the list of imported element names and types.
+
+type: long
+
+format: number
+
+
+**`file.macho.import_hash`**
+:   A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.
+
+type: keyword
+
+example: d3ccf195b62a9279c3c19af1080497ec
+
+
+**`file.macho.sections`**
+:   An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.
+
+type: nested
+
+
+**`file.macho.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`file.macho.sections.var_entropy`**
+:   Variance for Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`file.macho.sections.name`**
+:   Mach-O Section List name.
+
+type: keyword
+
+
+**`file.macho.sections.physical_size`**
+:   Mach-O Section List physical size.
+
+type: long
+
+format: string
+
+
+**`file.macho.sections.virtual_size`**
+:   Mach-O Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`file.macho.symhash`**
+:   A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
+
+type: keyword
+
+example: d3ccf195b62a9279c3c19af1080497ec
+
+
+
+## pe [_pe_2]
+
+These fields contain Windows Portable Executable (PE) metadata.
+
+**`file.pe.go_imports`**
+:   List of imported Go language element names and types.
+
+type: flattened
+
+
+**`file.pe.go_imports_names_entropy`**
+:   Shannon entropy calculation from the list of Go imports.
+
+type: long
+
+format: number
+
+
+**`file.pe.go_imports_names_var_entropy`**
+:   Variance for Shannon entropy calculation from the list of Go imports.
+
+type: long
+
+format: number
+
+
+**`file.pe.go_import_hash`**
+:   A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).
+
+type: keyword
+
+example: 10bddcb4cee42080f76c88d9ff964491
+
+
+**`file.pe.go_stripped`**
+:   Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
+
+type: boolean
+
+
+**`file.pe.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`file.pe.imports_names_entropy`**
+:   Shannon entropy calculation from the list of imported element names and types.
+
+type: long
+
+format: number
+
+
+**`file.pe.imports_names_var_entropy`**
+:   Variance for Shannon entropy calculation from the list of imported element names and types.
+
+type: long
+
+format: number
+
+
+**`file.pe.import_hash`**
+:   A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.
+
+type: keyword
+
+
+**`file.pe.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.
+
+type: nested
+
+
+**`file.pe.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`file.pe.sections.var_entropy`**
+:   Variance for Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`file.pe.sections.name`**
+:   PE Section List name.
+
+type: keyword
+
+
+**`file.pe.sections.physical_size`**
+:   PE Section List physical size.
+
+type: long
+
+format: string
+
+
+**`file.pe.sections.virtual_size`**
+:   PE Section List virtual size.
+
+type: long
+
+format: string
+
+
+
+## hash [_hash_2]
+
+Hashes of the file. The keys are algorithm names and the values are the hex encoded digest values.
+
+**`hash.blake2b_256`**
+:   BLAKE2b-256 hash of the file.
+
+type: keyword
+
+
+**`hash.blake2b_384`**
+:   BLAKE2b-384 hash of the file.
+
+type: keyword
+
+
+**`hash.blake2b_512`**
+:   BLAKE2b-512 hash of the file.
+
+type: keyword
+
+
+**`hash.md5`**
+:   MD5 hash of the file.
+
+type: keyword
+
+
+**`hash.sha1`**
+:   SHA1 hash of the file.
+
+type: keyword
+
+
+**`hash.sha224`**
+:   SHA224 hash of the file.
+
+type: keyword
+
+
+**`hash.sha256`**
+:   SHA256 hash of the file.
+
+type: keyword
+
+
+**`hash.sha384`**
+:   SHA384 hash of the file.
+
+type: keyword
+
+
+**`hash.sha3_224`**
+:   SHA3_224 hash of the file.
+
+type: keyword
+
+
+**`hash.sha3_256`**
+:   SHA3_256 hash of the file.
+
+type: keyword
+
+
+**`hash.sha3_384`**
+:   SHA3_384 hash of the file.
+
+type: keyword
+
+
+**`hash.sha3_512`**
+:   SHA3_512 hash of the file.
+
+type: keyword
+
+
+**`hash.sha512`**
+:   SHA512 hash of the file.
+
+type: keyword
+
+
+**`hash.sha512_224`**
+:   SHA512/224 hash of the file.
+
+type: keyword
+
+
+**`hash.sha512_256`**
+:   SHA512/256 hash of the file.
+
+type: keyword
+
+
+**`hash.xxh64`**
+:   XX64 hash of the file.
+
+type: keyword
+
+
diff --git a/docs/reference/auditbeat/exported-fields-host-processor.md b/docs/reference/auditbeat/exported-fields-host-processor.md
new file mode 100644
index 000000000000..000cd178de6c
--- /dev/null
+++ b/docs/reference/auditbeat/exported-fields-host-processor.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-host-processor.html
+---
+
+# Host fields [exported-fields-host-processor]
+
+Info collected for the host machine.
+
+**`host.containerized`**
+:   If the host is a container.
+
+type: boolean
+
+
+**`host.os.build`**
+:   OS build information.
+
+type: keyword
+
+example: 18D109
+
+
+**`host.os.codename`**
+:   OS codename, if any.
+
+type: keyword
+
+example: stretch
+
+
diff --git a/docs/reference/auditbeat/exported-fields-jolokia-autodiscover.md b/docs/reference/auditbeat/exported-fields-jolokia-autodiscover.md
new file mode 100644
index 000000000000..c6cb8d08936c
--- /dev/null
+++ b/docs/reference/auditbeat/exported-fields-jolokia-autodiscover.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-jolokia-autodiscover.html
+---
+
+# Jolokia Discovery autodiscover provider fields [exported-fields-jolokia-autodiscover]
+
+Metadata from Jolokia Discovery added by the jolokia provider.
+
+**`jolokia.agent.version`**
+:   Version number of jolokia agent.
+
+type: keyword
+
+
+**`jolokia.agent.id`**
+:   Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.
+
+type: keyword
+
+
+**`jolokia.server.product`**
+:   The container product if detected.
+
+type: keyword
+
+
+**`jolokia.server.version`**
+:   The container’s version (if detected).
+
+type: keyword
+
+
+**`jolokia.server.vendor`**
+:   The vendor of the container the agent is running in.
+
+type: keyword
+
+
+**`jolokia.url`**
+:   The URL how this agent can be contacted.
+
+type: keyword
+
+
+**`jolokia.secured`**
+:   Whether the agent was configured for authentication or not.
+
+type: boolean
+
+
diff --git a/docs/reference/auditbeat/exported-fields-kubernetes-processor.md b/docs/reference/auditbeat/exported-fields-kubernetes-processor.md
new file mode 100644
index 000000000000..e7e61358f7f0
--- /dev/null
+++ b/docs/reference/auditbeat/exported-fields-kubernetes-processor.md
@@ -0,0 +1,87 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-kubernetes-processor.html
+---
+
+# Kubernetes fields [exported-fields-kubernetes-processor]
+
+Kubernetes metadata added by the kubernetes processor
+
+**`kubernetes.pod.name`**
+:   Kubernetes pod name
+
+type: keyword
+
+
+**`kubernetes.pod.uid`**
+:   Kubernetes Pod UID
+
+type: keyword
+
+
+**`kubernetes.pod.ip`**
+:   Kubernetes Pod IP
+
+type: ip
+
+
+**`kubernetes.namespace`**
+:   Kubernetes namespace
+
+type: keyword
+
+
+**`kubernetes.node.name`**
+:   Kubernetes node name
+
+type: keyword
+
+
+**`kubernetes.node.hostname`**
+:   Kubernetes hostname as reported by the node’s kernel
+
+type: keyword
+
+
+**`kubernetes.labels.*`**
+:   Kubernetes labels map
+
+type: object
+
+
+**`kubernetes.annotations.*`**
+:   Kubernetes annotations map
+
+type: object
+
+
+**`kubernetes.selectors.*`**
+:   Kubernetes selectors map
+
+type: object
+
+
+**`kubernetes.replicaset.name`**
+:   Kubernetes replicaset name
+
+type: keyword
+
+
+**`kubernetes.deployment.name`**
+:   Kubernetes deployment name
+
+type: keyword
+
+
+**`kubernetes.statefulset.name`**
+:   Kubernetes statefulset name
+
+type: keyword
+
+
+**`kubernetes.container.name`**
+:   Kubernetes container name (different than the name from the runtime)
+
+type: keyword
+
+
diff --git a/docs/reference/auditbeat/exported-fields-process.md b/docs/reference/auditbeat/exported-fields-process.md
new file mode 100644
index 000000000000..91f014574da2
--- /dev/null
+++ b/docs/reference/auditbeat/exported-fields-process.md
@@ -0,0 +1,38 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-process.html
+---
+
+# Process fields [exported-fields-process]
+
+Process metadata fields
+
+**`process.exe`**
+:   type: alias
+
+alias to: process.executable
+
+
+
+## owner [_owner]
+
+Process owner information.
+
+**`process.owner.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+
+**`process.owner.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+
+**`process.owner.name.text`**
+:   type: text
+
+
diff --git a/docs/reference/auditbeat/exported-fields-system.md b/docs/reference/auditbeat/exported-fields-system.md
new file mode 100644
index 000000000000..913ca9a32c33
--- /dev/null
+++ b/docs/reference/auditbeat/exported-fields-system.md
@@ -0,0 +1,364 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-system.html
+---
+
+# System fields [exported-fields-system]
+
+These are the fields generated by the system module.
+
+**`event.origin`**
+:   Origin of the event. This can be a file path (e.g. `/var/log/log.1`), or the name of the system component that supplied the data (e.g. `netlink`).
+
+type: keyword
+
+
+**`user.entity_id`**
+:   ID uniquely identifying the user on a host. It is computed as a SHA-256 hash of the host ID, user ID, and user name.
+
+type: keyword
+
+
+**`user.terminal`**
+:   Terminal of the user.
+
+type: keyword
+
+
+**`process.thread.capabilities.effective`**
+:   This is the set of capabilities used by the kernel to perform permission checks for the thread.
+
+type: keyword
+
+example: ["CAP_BPF", "CAP_SYS_ADMIN"]
+
+
+**`process.thread.capabilities.permitted`**
+:   This is a limiting superset for the effective capabilities that the thread may assume.
+
+type: keyword
+
+example: ["CAP_BPF", "CAP_SYS_ADMIN"]
+
+
+
+## hash [_hash_3]
+
+Hashes of the executable. The keys are algorithm names and the values are the hex encoded digest values.
+
+**`process.hash.blake2b_256`**
+:   BLAKE2b-256 hash of the executable.
+
+type: keyword
+
+
+**`process.hash.blake2b_384`**
+:   BLAKE2b-384 hash of the executable.
+
+type: keyword
+
+
+**`process.hash.blake2b_512`**
+:   BLAKE2b-512 hash of the executable.
+
+type: keyword
+
+
+**`process.hash.sha224`**
+:   SHA224 hash of the executable.
+
+type: keyword
+
+
+**`process.hash.sha384`**
+:   SHA384 hash of the executable.
+
+type: keyword
+
+
+**`process.hash.sha3_224`**
+:   SHA3_224 hash of the executable.
+
+type: keyword
+
+
+**`process.hash.sha3_256`**
+:   SHA3_256 hash of the executable.
+
+type: keyword
+
+
+**`process.hash.sha3_384`**
+:   SHA3_384 hash of the executable.
+
+type: keyword
+
+
+**`process.hash.sha3_512`**
+:   SHA3_512 hash of the executable.
+
+type: keyword
+
+
+**`process.hash.sha512_224`**
+:   SHA512/224 hash of the executable.
+
+type: keyword
+
+
+**`process.hash.sha512_256`**
+:   SHA512/256 hash of the executable.
+
+type: keyword
+
+
+**`process.hash.xxh64`**
+:   XX64 hash of the executable.
+
+type: keyword
+
+
+
+## system.audit [_system_audit]
+
+
+## host [_host_2]
+
+`host` contains general host information.
+
+**`system.audit.host.uptime`**
+:   Uptime in nanoseconds.
+
+type: long
+
+format: duration
+
+
+**`system.audit.host.boottime`**
+:   Boot time.
+
+type: date
+
+
+**`system.audit.host.containerized`**
+:   Set if host is a container.
+
+type: boolean
+
+
+**`system.audit.host.timezone.name`**
+:   Name of the timezone of the host, e.g. BST.
+
+type: keyword
+
+
+**`system.audit.host.timezone.offset.sec`**
+:   Timezone offset in seconds.
+
+type: long
+
+
+**`system.audit.host.hostname`**
+:   Hostname.
+
+type: keyword
+
+
+**`system.audit.host.id`**
+:   Host ID.
+
+type: keyword
+
+
+**`system.audit.host.architecture`**
+:   Host architecture (e.g. x86_64).
+
+type: keyword
+
+
+**`system.audit.host.mac`**
+:   MAC addresses.
+
+type: keyword
+
+
+**`system.audit.host.ip`**
+:   IP addresses.
+
+type: ip
+
+
+
+## os [_os_2]
+
+`os` contains information about the operating system.
+
+**`system.audit.host.os.codename`**
+:   OS codename, if any (e.g. stretch).
+
+type: keyword
+
+
+**`system.audit.host.os.platform`**
+:   OS platform (e.g. centos, ubuntu, windows).
+
+type: keyword
+
+
+**`system.audit.host.os.name`**
+:   OS name (e.g. Mac OS X).
+
+type: keyword
+
+
+**`system.audit.host.os.family`**
+:   OS family (e.g. redhat, debian, freebsd, windows).
+
+type: keyword
+
+
+**`system.audit.host.os.version`**
+:   OS version.
+
+type: keyword
+
+
+**`system.audit.host.os.kernel`**
+:   The operating system’s kernel version.
+
+type: keyword
+
+
+**`system.audit.host.os.type`**
+:   OS type (see ECS os.type).
+
+type: keyword
+
+
+
+## package [_package_2]
+
+`package` contains information about an installed or removed package.
+
+**`system.audit.package.entity_id`**
+:   ID uniquely identifying the package. It is computed as a SHA-256 hash of the host ID, package name, and package version.
+
+type: keyword
+
+
+**`system.audit.package.name`**
+:   Package name.
+
+type: keyword
+
+
+**`system.audit.package.version`**
+:   Package version.
+
+type: keyword
+
+
+**`system.audit.package.release`**
+:   Package release.
+
+type: keyword
+
+
+**`system.audit.package.arch`**
+:   Package architecture.
+
+type: keyword
+
+
+**`system.audit.package.license`**
+:   Package license.
+
+type: keyword
+
+
+**`system.audit.package.installtime`**
+:   Package install time.
+
+type: date
+
+
+**`system.audit.package.size`**
+:   Package size.
+
+type: long
+
+
+**`system.audit.package.summary`**
+:   Package summary.
+
+
+**`system.audit.package.url`**
+:   Package URL.
+
+type: keyword
+
+
+
+## user [_user_3]
+
+`user` contains information about the users on a system.
+
+**`system.audit.user.name`**
+:   User name.
+
+type: keyword
+
+
+**`system.audit.user.uid`**
+:   User ID.
+
+type: keyword
+
+
+**`system.audit.user.gid`**
+:   Group ID.
+
+type: keyword
+
+
+**`system.audit.user.dir`**
+:   User’s home directory.
+
+type: keyword
+
+
+**`system.audit.user.shell`**
+:   Program to run at login.
+
+type: keyword
+
+
+**`system.audit.user.user_information`**
+:   General user information. On Linux, this is the gecos field.
+
+type: keyword
+
+
+**`system.audit.user.group`**
+:   `group` contains information about any groups the user is part of (beyond the user’s primary group).
+
+type: object
+
+
+
+## password [_password_5]
+
+`password` contains information about a user’s password (not the password itself).
+
+**`system.audit.user.password.type`**
+:   A user’s password type. Possible values are `shadow_password` (the password hash is in the shadow file), `password_disabled`, `no_password` (this is dangerous as anyone can log in), and `crypt_password` (when the password field in /etc/passwd seems to contain an encrypted password).
+
+type: keyword
+
+
+**`system.audit.user.password.last_changed`**
+:   The day the user’s password was last changed.
+
+type: date
+
+
diff --git a/docs/reference/auditbeat/exported-fields.md b/docs/reference/auditbeat/exported-fields.md
new file mode 100644
index 000000000000..61e48cfd67aa
--- /dev/null
+++ b/docs/reference/auditbeat/exported-fields.md
@@ -0,0 +1,22 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields.html
+---
+
+# Exported fields [exported-fields]
+
+This document describes the fields that are exported by Auditbeat. They are grouped in the following categories:
+
+* [*Auditd fields*](/reference/auditbeat/exported-fields-auditd.md)
+* [*Beat fields*](/reference/auditbeat/exported-fields-beat-common.md)
+* [*Cloud provider metadata fields*](/reference/auditbeat/exported-fields-cloud.md)
+* [*Common fields*](/reference/auditbeat/exported-fields-common.md)
+* [*Docker fields*](/reference/auditbeat/exported-fields-docker-processor.md)
+* [*ECS fields*](/reference/auditbeat/exported-fields-ecs.md)
+* [*File Integrity fields*](/reference/auditbeat/exported-fields-file_integrity.md)
+* [*Host fields*](/reference/auditbeat/exported-fields-host-processor.md)
+* [*Jolokia Discovery autodiscover provider fields*](/reference/auditbeat/exported-fields-jolokia-autodiscover.md)
+* [*Kubernetes fields*](/reference/auditbeat/exported-fields-kubernetes-processor.md)
+* [*Process fields*](/reference/auditbeat/exported-fields-process.md)
+* [*System fields*](/reference/auditbeat/exported-fields-system.md)
+
diff --git a/docs/reference/auditbeat/extract-array.md b/docs/reference/auditbeat/extract-array.md
new file mode 100644
index 000000000000..fd8555430899
--- /dev/null
+++ b/docs/reference/auditbeat/extract-array.md
@@ -0,0 +1,46 @@
+---
+navigation_title: "extract_array"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/extract-array.html
+---
+
+# Extract array [extract-array]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `extract_array` processor populates fields with values read from an array field. The following example will populate `source.ip` with the first element of the `my_array` field, `destination.ip` with the second element, and `network.transport` with the third.
+
+```yaml
+processors:
+  - extract_array:
+      field: my_array
+      mappings:
+        source.ip: 0
+        destination.ip: 1
+        network.transport: 2
+```
+
+The following settings are supported:
+
+`field`
+:   The array field whose elements are to be extracted.
+
+`mappings`
+:   Maps each field name to an array index. Use 0 for the first element in the array. Multiple fields can be mapped to the same array element.
+
+`ignore_missing`
+:   (Optional) Whether to ignore events where the array field is missing. The default is `false`, which will fail processing of an event if the specified field does not exist. Set it to `true` to ignore this condition.
+
+`overwrite_keys`
+:   Whether the target fields specified in the mapping are overwritten if they already exist. The default is `false`, which will fail processing if a target field already exists.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error happens, changes to the event are reverted, and the original event is returned. If set to `false`, processing continues despite errors. Default is `true`.
+
+`omit_empty`
+:   (Optional) Whether empty values are extracted from the array. If set to `true`, instead of the target field being set to an empty value, it is left unset. The empty string (`""`), an empty array (`[]`) or an empty object (`{}`) are considered empty values. Default is `false`.
+
diff --git a/docs/reference/auditbeat/faq.md b/docs/reference/auditbeat/faq.md
new file mode 100644
index 000000000000..1b8d8e77bd95
--- /dev/null
+++ b/docs/reference/auditbeat/faq.md
@@ -0,0 +1,21 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/faq.html
+---
+
+# Common problems [faq]
+
+This section describes common problems you might encounter with Auditbeat. Also check out the [Auditbeat discussion forum](https://discuss.elastic.co/c/beats/auditbeat).
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/auditbeat/feature-roles.md b/docs/reference/auditbeat/feature-roles.md
new file mode 100644
index 000000000000..f0d161ba9415
--- /dev/null
+++ b/docs/reference/auditbeat/feature-roles.md
@@ -0,0 +1,25 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/feature-roles.html
+---
+
+# Grant users access to secured resources [feature-roles]
+
+You can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.
+
+Typically you need the create the following separate roles:
+
+* [setup role](/reference/auditbeat/privileges-to-setup-beats.md) for setting up index templates and other dependencies
+* [monitoring role](/reference/auditbeat/privileges-to-publish-monitoring.md) for sending monitoring information
+* [writer role](/reference/auditbeat/privileges-to-publish-events.md)  for publishing events collected by Auditbeat
+* [reader role](/reference/auditbeat/kibana-user-privileges.md) for {{kib}} users who need to view and create visualizations that access Auditbeat data
+
+{{es-security-features}} provides [built-in roles](elasticsearch://reference/elasticsearch/roles.md) that grant a subset of the privileges needed by Auditbeat users. When possible, use the built-in roles to minimize the affect of future changes on your security strategy.
+
+Instead of using usernames and passwords, roles and privileges can be assigned to API keys to grant access to Elasticsearch resources. See [*Grant access using API keys*](/reference/auditbeat/beats-api-keys.md) for more information.
+
+
+
+
+
+
diff --git a/docs/reference/auditbeat/file-output.md b/docs/reference/auditbeat/file-output.md
new file mode 100644
index 000000000000..ff782532405f
--- /dev/null
+++ b/docs/reference/auditbeat/file-output.md
@@ -0,0 +1,89 @@
+---
+navigation_title: "File"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/file-output.html
+---
+
+# Configure the File output [file-output]
+
+
+The File output dumps the transactions into a file where each transaction is in a JSON format. Currently, this output is used for testing, but it can be used as input for Logstash.
+
+To use this output, edit the Auditbeat configuration file to disable the {{es}} output by commenting it out, and enable the file output by adding `output.file`.
+
+Example configuration:
+
+```yaml
+output.file:
+  path: "/tmp/auditbeat"
+  filename: auditbeat
+  #rotate_every_kb: 10000
+  #number_of_files: 7
+  #permissions: 0600
+  #rotate_on_startup: true
+```
+
+## Configuration options [_configuration_options_6]
+
+You can specify the following `output.file` options in the `auditbeat.yml` config file:
+
+### `enabled` [_enabled_5]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `path` [path]
+
+The path to the directory where the generated files will be saved. This option is mandatory.
+
+The path may include the timestamp when the file output is initialized using the `+FORMAT` syntax where `FORMAT` is a valid [time format](https://github.com/elastic/beats/blob/main/libbeat/common/dtfmt/doc.go), and enclosed with expansion braces: `%{+FORMAT}`. For example:
+
+```
+path: 'fileoutput-%{+yyyy.MM.dd}'
+```
+
+
+### `filename` [_filename]
+
+The name of the generated files. The default is set to the Beat name. For example, the files generated by default for Auditbeat would be `"auditbeat-{{datetime}}.ndjson"`, `"auditbeat-{{datetime}}-1.ndjson"`, `"auditbeat-{{datetime}}-2.ndjson"`, and so on.
+
+
+### `rotate_every_kb` [_rotate_every_kb]
+
+The maximum size in kilobytes of each file. When this size is reached, the files are rotated. The default value is 10240 KB.
+
+
+### `number_of_files` [_number_of_files]
+
+The maximum number of files to save under [`path`](#path). When this number of files is reached, the oldest file is deleted, and the rest of the files are shifted from last to first. The number of files must be between 2 and 1024. The default is 7.
+
+
+### `permissions` [_permissions]
+
+Permissions to use for file creation. The default is 0600.
+
+
+### `rotate_on_startup` [_rotate_on_startup]
+
+If the output file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to true.
+
+
+### `codec` [_codec_3]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/auditbeat/configuration-output-codec.md) for more information.
+
+
+### `queue` [_queue_5]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/auditbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `auditbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/auditbeat/filtering-enhancing-data.md b/docs/reference/auditbeat/filtering-enhancing-data.md
new file mode 100644
index 000000000000..ca9313943148
--- /dev/null
+++ b/docs/reference/auditbeat/filtering-enhancing-data.md
@@ -0,0 +1,70 @@
+---
+navigation_title: "Processors"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/filtering-and-enhancing-data.html
+---
+
+# Filter and enhance data with processors [filtering-and-enhancing-data]
+
+
+You can [define processors](/reference/auditbeat/defining-processors.md) in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:
+
+* reducing the number of exported fields
+* enhancing events with additional metadata
+* performing additional processing and decoding
+
+Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Auditbeat configuration file.
+
+```yaml
+event -> processor 1 -> event1 -> processor 2 -> event2 ...
+```
+
+::::{important}
+It’s recommended to do all drop and renaming of existing fields as the last step in a processor configuration. This is because dropping or renaming fields can remove data necessary for the next processor in the chain, for example dropping the `source.ip` field would remove one of the fields necessary for the `community_id` processor to function. If it’s necessary to remove, rename or overwrite an existing event field, please make sure it’s done by a corresponding processor ([`drop_fields`](/reference/auditbeat/drop-fields.md), [`rename`](/reference/auditbeat/rename-fields.md) or [`add_fields`](/reference/auditbeat/add-fields.md)) placed at the end of the processor list defined in the input configuration.
+::::
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/auditbeat/fingerprint.md b/docs/reference/auditbeat/fingerprint.md
new file mode 100644
index 000000000000..eaefff14b269
--- /dev/null
+++ b/docs/reference/auditbeat/fingerprint.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "fingerprint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/fingerprint.html
+---
+
+# Generate a fingerprint of an event [fingerprint]
+
+
+The `fingerprint` processor generates a fingerprint of an event based on a specified subset of its fields.
+
+The value that is hashed is constructed as a concatenation of the field name and field value separated by `|`. For example `|field1|value1|field2|value2|`.
+
+Nested fields are supported in the following format: `"field1.field2"` e.g: `["log.path.file", "foo"]`
+
+```yaml
+processors:
+  - fingerprint:
+      fields: ["field1", "field2", ...]
+```
+
+The following settings are supported:
+
+`fields`
+:   List of fields to use as the source for the fingerprint. The list will be alphabetically sorted by the processor.
+
+`ignore_missing`
+:   (Optional) Whether to ignore missing fields. Default is `false`.
+
+`target_field`
+:   (Optional) Field in which the generated fingerprint should be stored. Default is `fingerprint`.
+
+`method`
+:   (Optional) Algorithm to use for computing the fingerprint. Must be one of: `md5`, `sha1`, `sha256`, `sha384`, `sha512`, `xxhash`. Default is `sha256`.
+
+`encoding`
+:   (Optional) Encoding to use on the fingerprint value. Must be one of `hex`, `base32`, or `base64`. Default is `hex`.
+
diff --git a/docs/reference/auditbeat/getting-help.md b/docs/reference/auditbeat/getting-help.md
new file mode 100644
index 000000000000..a3253c386d4b
--- /dev/null
+++ b/docs/reference/auditbeat/getting-help.md
@@ -0,0 +1,16 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/getting-help.html
+---
+
+# Get Help [getting-help]
+
+Start by searching the [Auditbeat discussion forum](https://discuss.elastic.co/c/beats/auditbeat) for your issue. If you can’t find a resolution, open a new issue or add a comment to an existing one. Make sure you provide the following information, and we’ll help you troubleshoot the problem:
+
+* Auditbeat version
+* Operating System
+* Configuration
+* Any supporting information, such as debugging output, that will help us diagnose your problem. See [*Debug*](/reference/auditbeat/enable-auditbeat-debugging.md) for more details.
+
+If you’re sure you found a bug, you can open a ticket on [GitHub](https://github.com/elastic/beats/issues?state=open). Note, however, that we close GitHub issues containing questions or requests for help if they don’t indicate the presence of a bug.
+
diff --git a/docs/reference/auditbeat/howto-guides.md b/docs/reference/auditbeat/howto-guides.md
new file mode 100644
index 000000000000..04b8239315c2
--- /dev/null
+++ b/docs/reference/auditbeat/howto-guides.md
@@ -0,0 +1,18 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/howto-guides.html
+---
+
+# How to guides [howto-guides]
+
+Learn how to perform common Auditbeat configuration tasks.
+
+* [*Load the {{es}} index template*](/reference/auditbeat/auditbeat-template.md)
+* [*Change the index name*](/reference/auditbeat/change-index-name.md)
+* [*Load {{kib}} dashboards*](/reference/auditbeat/load-kibana-dashboards.md)
+* [*Enrich events with geoIP information*](/reference/auditbeat/auditbeat-geoip.md)
+* [*Use environment variables in the configuration*](/reference/auditbeat/using-environ-vars.md)
+* [*Parse data using an ingest pipeline*](/reference/auditbeat/configuring-ingest-node.md)
+* [*Use environment variables in the configuration*](/reference/auditbeat/using-environ-vars.md)
+* [*Avoid YAML formatting problems*](/reference/auditbeat/yaml-tips.md)
+
diff --git a/docs/reference/auditbeat/http-endpoint.md b/docs/reference/auditbeat/http-endpoint.md
new file mode 100644
index 000000000000..c6686b788ec1
--- /dev/null
+++ b/docs/reference/auditbeat/http-endpoint.md
@@ -0,0 +1,187 @@
+---
+navigation_title: "HTTP endpoint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/http-endpoint.html
+---
+
+# Configure an HTTP endpoint for metrics [http-endpoint]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+Auditbeat can expose internal metrics through an HTTP endpoint. These are useful to monitor the internal state of the Beat. For security reasons the endpoint is disabled by default, as you may want to avoid exposing this info.
+
+The HTTP endpoint has the following configuration settings:
+
+`http.enabled`
+:   (Optional) Enable the HTTP endpoint. Default is `false`.
+
+`http.host`
+:   (Optional) Bind to this hostname, IP address, unix socket (unix:///var/run/auditbeat.sock) or Windows named pipe (npipe:///auditbeat). It is recommended to use only localhost. Default is `localhost`
+
+`http.port`
+:   (Optional) Port on which the HTTP endpoint will bind. Default is `5066`.
+
+`http.named_pipe.user`
+:   (Optional) User to use to create the named pipe, only work on Windows, Default to the current user.
+
+`http.named_pipe.security_descriptor`
+:   (Optional) Windows Security descriptor string defined in the SDDL format. Default to read and write permission for the current user.
+
+`http.pprof.enabled`
+:   (Optional) Enable the `/debug/pprof/` endpoints when serving HTTP. It is recommended that this is only enabled on localhost as these endpoints may leak data. Default is `false`.
+
+`http.pprof.block_profile_rate`
+:   (Optional) `block_profile_rate` controls the fraction of goroutine blocking events that are reported in the blocking profile available from `/debug/pprof/block`. The profiler aims to sample an average of one blocking event per rate nanoseconds spent blocked. To include every blocking event in the profile, pass rate = 1. To turn off profiling entirely, pass rate ⇐ 0. Defaults to 0.
+
+`http.pprof.mem_profile_rate`
+:   (Optional) `mem_profile_rate` controls the fraction of memory allocations that are recorded and reported in the memory profile available from `/debug/pprof/heap`. The profiler aims to sample an average of one allocation per `mem_profile_rate` bytes allocated. To include every allocated block in the profile, set `mem_profile_rate` to 1. To turn off profiling entirely, set `mem_profile_rate` to 0. Defaults to 524288.
+
+`http.pprof.mutex_profile_rate`
+:   (Optional) `mutex_profile_rate` controls the fraction of mutex contention events that are reported in the mutex profile available from `/debug/pprof/mutex`. On average 1/rate events are reported. To turn off profiling entirely, pass rate 0. The default value is 0.
+
+This is the list of paths you can access. For pretty JSON output append `?pretty` to the URL.
+
+You can query a unix socket using the `cURL` command and the `--unix-socket` flag.
+
+```js
+curl -XGET --unix-socket '/var/run/{beatname_lc}.sock' 'http:/stats/?pretty'
+```
+
+
+## Info [_info]
+
+`/` provides basic info from the Auditbeat. Example:
+
+```js
+curl -XGET 'localhost:5066/?pretty'
+```
+
+```js
+{
+  "beat": "auditbeat",
+  "hostname": "example.lan",
+  "name": "example.lan",
+  "uuid": "34f6c6e1-45a8-4b12-9125-11b3e6e89866",
+  "version": "9.0.0-beta1"
+}
+```
+
+
+## Stats [_stats]
+
+`/stats` reports internal metrics. Example:
+
+```js
+curl -XGET 'localhost:5066/stats?pretty'
+```
+
+```js
+{
+  "beat": {
+    "cpu": {
+      "system": {
+        "ticks": 1710,
+        "time": {
+          "ms": 1712
+        }
+      },
+      "total": {
+        "ticks": 3420,
+        "time": {
+          "ms": 3424
+        },
+        "value": 3420
+      },
+      "user": {
+        "ticks": 1710,
+        "time": {
+          "ms": 1712
+        }
+      }
+    },
+    "info": {
+      "ephemeral_id": "ab4287c4-d907-4d9d-b074-d8c3cec4a577",
+      "uptime": {
+        "ms": 195547
+      }
+    },
+    "memstats": {
+      "gc_next": 17855152,
+      "memory_alloc": 9433384,
+      "memory_total": 492478864,
+      "rss": 50405376
+    },
+    "runtime": {
+      "goroutines": 22
+    }
+  },
+  "libbeat": {
+    "config": {
+      "module": {
+        "running": 0,
+        "starts": 0,
+        "stops": 0
+      },
+      "scans": 1,
+      "reloads": 1
+    },
+    "output": {
+      "events": {
+        "acked": 0,
+        "active": 0,
+        "batches": 0,
+        "dropped": 0,
+        "duplicates": 0,
+        "failed": 0,
+        "total": 0
+      },
+      "read": {
+        "bytes": 0,
+        "errors": 0
+      },
+      "type": "elasticsearch",
+      "write": {
+        "bytes": 0,
+        "errors": 0
+      }
+    },
+    "pipeline": {
+      "clients": 6,
+      "events": {
+        "active": 716,
+        "dropped": 0,
+        "failed": 0,
+        "filtered": 0,
+        "published": 716,
+        "retry": 278,
+        "total": 716
+      },
+      "queue": {
+        "acked": 0
+      }
+    }
+  },
+  "system": {
+    "cpu": {
+      "cores": 4
+    },
+    "load": {
+      "1": 2.22,
+      "15": 1.8,
+      "5": 1.74,
+      "norm": {
+        "1": 0.555,
+        "15": 0.45,
+        "5": 0.435
+      }
+    }
+  }
+}
+```
+
+The actual output may contain more metrics specific to Auditbeat
+
diff --git a/docs/reference/auditbeat/ilm.md b/docs/reference/auditbeat/ilm.md
new file mode 100644
index 000000000000..9fbb89a4d2de
--- /dev/null
+++ b/docs/reference/auditbeat/ilm.md
@@ -0,0 +1,58 @@
+---
+navigation_title: "Index lifecycle management (ILM)"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/ilm.html
+---
+
+# Configure index lifecycle management [ilm]
+
+
+Use the [index lifecycle management](docs-content://manage-data/lifecycle/index-lifecycle-management/tutorial-automate-rollover.md) (ILM) feature in {{es}} to manage your Auditbeat their backing indices of your data streams as they age. Auditbeat loads the default policy automatically and applies it to any data streams created by Auditbeat.
+
+You can view and edit the policy in the **Index lifecycle policies** UI in {{kib}}. For more information about working with the UI, see [Index lifecyle policies](docs-content://manage-data/lifecycle/index-lifecycle-management.md).
+
+Example configuration:
+
+```yaml
+setup.ilm.enabled: true
+```
+
+::::{warning}
+If index lifecycle management is enabled (which is typically the default), `setup.template.name` and `setup.template.pattern` are ignored.
+::::
+
+
+
+## Configuration options [_configuration_options_10]
+
+You can specify the following settings in the `setup.ilm` section of the `auditbeat.yml` config file:
+
+
+### `setup.ilm.enabled` [setup-ilm-option]
+
+Enables or disables index lifecycle management on any new indices created by Auditbeat. Valid values are `true` and `false`.
+
+
+### `setup.ilm.policy_name` [setup-ilm-policy_name-option]
+
+The name to use for the lifecycle policy. The default is `auditbeat`.
+
+
+### `setup.ilm.policy_file` [setup-ilm-policy_file-option]
+
+The path to a JSON file that contains a lifecycle policy configuration. Use this setting to load your own lifecycle policy.
+
+For more information about lifecycle policies, see [Set up index lifecycle management policy](docs-content://manage-data/lifecycle/index-lifecycle-management/configure-lifecycle-policy.md) in the *{{es}} Reference*.
+
+
+### `setup.ilm.check_exists` [setup-ilm-check_exists-option]
+
+When set to `false`, disables the check for an existing lifecycle policy. The default is `true`. You need to disable this check if the Auditbeat user connecting to a secured cluster doesn’t have the `read_ilm` privilege.
+
+If you set this option to `false`, lifecycle policy will not be installed, even if `setup.ilm.overwrite` is set to `true`.
+
+
+### `setup.ilm.overwrite` [setup-ilm-overwrite-option]
+
+When set to `true`, the lifecycle policy is overwritten at startup. The default is `false`.
+
diff --git a/auditbeat/docs/images/auditbeat-auditd-dashboard.png b/docs/reference/auditbeat/images/auditbeat-auditd-dashboard.png
similarity index 100%
rename from auditbeat/docs/images/auditbeat-auditd-dashboard.png
rename to docs/reference/auditbeat/images/auditbeat-auditd-dashboard.png
diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-host-dashboard.png b/docs/reference/auditbeat/images/auditbeat-system-host-dashboard.png
similarity index 100%
rename from x-pack/auditbeat/docs/images/auditbeat-system-host-dashboard.png
rename to docs/reference/auditbeat/images/auditbeat-system-host-dashboard.png
diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-login-dashboard.png b/docs/reference/auditbeat/images/auditbeat-system-login-dashboard.png
similarity index 100%
rename from x-pack/auditbeat/docs/images/auditbeat-system-login-dashboard.png
rename to docs/reference/auditbeat/images/auditbeat-system-login-dashboard.png
diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-overview-dashboard.png b/docs/reference/auditbeat/images/auditbeat-system-overview-dashboard.png
similarity index 100%
rename from x-pack/auditbeat/docs/images/auditbeat-system-overview-dashboard.png
rename to docs/reference/auditbeat/images/auditbeat-system-overview-dashboard.png
diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-package-dashboard.png b/docs/reference/auditbeat/images/auditbeat-system-package-dashboard.png
similarity index 100%
rename from x-pack/auditbeat/docs/images/auditbeat-system-package-dashboard.png
rename to docs/reference/auditbeat/images/auditbeat-system-package-dashboard.png
diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-process-dashboard.png b/docs/reference/auditbeat/images/auditbeat-system-process-dashboard.png
similarity index 100%
rename from x-pack/auditbeat/docs/images/auditbeat-system-process-dashboard.png
rename to docs/reference/auditbeat/images/auditbeat-system-process-dashboard.png
diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-user-dashboard.png b/docs/reference/auditbeat/images/auditbeat-system-user-dashboard.png
similarity index 100%
rename from x-pack/auditbeat/docs/images/auditbeat-system-user-dashboard.png
rename to docs/reference/auditbeat/images/auditbeat-system-user-dashboard.png
diff --git a/auditbeat/docs/images/coordinate-map.png b/docs/reference/auditbeat/images/coordinate-map.png
similarity index 100%
rename from auditbeat/docs/images/coordinate-map.png
rename to docs/reference/auditbeat/images/coordinate-map.png
diff --git a/docs/reference/auditbeat/include-fields.md b/docs/reference/auditbeat/include-fields.md
new file mode 100644
index 000000000000..4d68d654b9c5
--- /dev/null
+++ b/docs/reference/auditbeat/include-fields.md
@@ -0,0 +1,28 @@
+---
+navigation_title: "include_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/include-fields.html
+---
+
+# Keep fields from events [include-fields]
+
+
+The `include_fields` processor specifies which fields to export if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always exported. The `@timestamp`, `@metadata` and `type` fields are always exported, even if they are not defined in the `include_fields` list.
+
+```yaml
+processors:
+  - include_fields:
+      when:
+        condition
+      fields: ["field1", "field2", ...]
+```
+
+See [Conditions](/reference/auditbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+You can specify multiple `include_fields` processors under the `processors` section.
+
+::::{note}
+If you define an empty list of fields under `include_fields`, then only the required fields, `@timestamp` and `type`, are exported.
+::::
+
+
diff --git a/docs/reference/auditbeat/kafka-output.md b/docs/reference/auditbeat/kafka-output.md
new file mode 100644
index 000000000000..1ba8f434e2e6
--- /dev/null
+++ b/docs/reference/auditbeat/kafka-output.md
@@ -0,0 +1,331 @@
+---
+navigation_title: "Kafka"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/kafka-output.html
+---
+
+# Configure the Kafka output [kafka-output]
+
+
+The Kafka output sends events to Apache Kafka.
+
+To use this output, edit the Auditbeat configuration file to disable the {{es}} output by commenting it out, and enable the Kafka output by uncommenting the Kafka section.
+
+::::{note}
+For Kafka version 0.10.0.0+ the message creation timestamp is set by beats and equals to the initial timestamp of the event. This affects the retention policy in Kafka: for example, if a beat event was created 2 weeks ago, the retention policy is set to 7 days and the message from beats arrives to Kafka today, it’s going to be immediately discarded since the timestamp value is before the last 7 days. It’s possible to change this behavior by setting timestamps on message arrival instead, so the message is not discarded but kept for 7 more days. To do that, please set `log.message.timestamp.type` to `LogAppendTime` (default `CreateTime`) in the Kafka configuration.
+::::
+
+
+Example configuration:
+
+```yaml
+output.kafka:
+  # initial brokers for reading cluster metadata
+  hosts: ["kafka1:9092", "kafka2:9092", "kafka3:9092"]
+
+  # message topic selection + partitioning
+  topic: '%{[fields.log_topic]}'
+  partition.round_robin:
+    reachable_only: false
+
+  required_acks: 1
+  compression: gzip
+  max_message_bytes: 1000000
+```
+
+::::{note}
+Events bigger than [`max_message_bytes`](#kafka-max_message_bytes) will be dropped. To avoid this problem, make sure Auditbeat does not generate events bigger than [`max_message_bytes`](#kafka-max_message_bytes).
+::::
+
+
+## Compatibility [kafka-compatibility]
+
+This output can connect to Kafka version 0.8.2.0 and later. Older versions might work as well, but are not supported. When using Kafka 4.0 and newer, the version must be set to at least `"2.1.0"`
+
+
+## Configuration options [_configuration_options_4]
+
+You can specify the following options in the `kafka` section of the `auditbeat.yml` config file:
+
+### `enabled` [_enabled_3]
+
+The `enabled` config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [_hosts]
+
+The list of Kafka broker addresses from where to fetch the cluster metadata. The cluster metadata contain the actual Kafka brokers events are published to.
+
+
+### `version` [_version]
+
+Kafka protocol version that Auditbeat will request when connecting. Defaults to 2.1.0. When using Kafka 4.0 and newer, the version must be set to at least `"2.1.0"`
+
+Valid values are all kafka releases in between `0.8.2.0` and `2.6.0`.
+
+The protocol version controls the Kafka client features available to Auditbeat; it does not prevent Auditbeat from connecting to Kafka versions newer than the protocol version.
+
+See [Compatibility](#kafka-compatibility) for information on supported versions.
+
+
+### `username` [_username_2]
+
+The username for connecting to Kafka. If username is configured, the password must be configured as well.
+
+
+### `password` [_password_2]
+
+The password for connecting to Kafka.
+
+
+### `sasl.mechanism` [_sasl_mechanism]
+
+The SASL mechanism to use when connecting to Kafka. It can be one of:
+
+* `PLAIN` for SASL/PLAIN.
+* `SCRAM-SHA-256` for SCRAM-SHA-256.
+* `SCRAM-SHA-512` for SCRAM-SHA-512.
+
+If `sasl.mechanism` is not set, `PLAIN` is used if `username` and `password` are provided. Otherwise, SASL authentication is disabled.
+
+To use `GSSAPI` mechanism to authenticate with Kerberos, you must leave this field empty, and use the [`kerberos`](#kerberos-option-kafka) options.
+
+
+### `topic` [topic-option-kafka]
+
+The Kafka topic used for produced events.
+
+You can set the topic dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_topic`, to set the topic for each event:
+
+```yaml
+topic: '%{[fields.log_topic]}'
+```
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/auditbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`topics`](#topics-option-kafka) setting for other ways to set the topic dynamically.
+
+
+### `topics` [topics-option-kafka]
+
+An array of topic selector rules. Each rule specifies the `topic` to use for events that match the rule. During publishing, Auditbeat sets the `topic` for each event based on the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `topics` setting is missing or no rule matches, the [`topic`](#topic-option-kafka) field is used.
+
+Rule settings:
+
+**`topic`**
+:   The topic format string to use.  If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `topic` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/auditbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sets the topic based on whether the message field contains the specified string:
+
+```yaml
+output.kafka:
+  hosts: ["localhost:9092"]
+  topic: "logs-%{[agent.version]}"
+  topics:
+    - topic: "critical-%{[agent.version]}"
+      when.contains:
+        message: "CRITICAL"
+    - topic: "error-%{[agent.version]}"
+      when.contains:
+        message: "ERR"
+```
+
+This configuration results in topics named `critical-9.0.0-beta1`, `error-9.0.0-beta1`, and `logs-9.0.0-beta1`.
+
+
+### `key` [_key]
+
+Optional formatted string specifying the Kafka event key. If configured, the event key can be extracted from the event using a format string.
+
+See the Kafka documentation for the implications of a particular choice of key; by default, the key is chosen by the Kafka cluster.
+
+
+### `partition` [_partition]
+
+Kafka output broker event partitioning strategy. Must be one of `random`, `round_robin`, or `hash`. By default the `hash` partitioner is used.
+
+**`random.group_events`**: Sets the number of events to be published to the same partition, before the partitioner selects a new partition by random. The default value is 1 meaning after each event a new partition is picked randomly.
+
+**`round_robin.group_events`**: Sets the number of events to be published to the same partition, before the partitioner selects the next partition. The default value is 1 meaning after each event the next partition will be selected.
+
+**`hash.hash`**: List of fields used to compute the partitioning hash value from. If no field is configured, the events `key` value will be used.
+
+**`hash.random`**: Randomly distribute events if no hash or key value can be computed.
+
+All partitioners will try to publish events to all partitions by default. If a partition’s leader becomes unreachable for the beat, the output might block. All partitioners support setting `reachable_only` to overwrite this behavior. If `reachable_only` is set to `true`, events will be published to available partitions only.
+
+::::{note}
+Publishing to a subset of available partitions potentially increases resource usage because events may become unevenly distributed.
+::::
+
+
+
+### `headers` [_headers_2]
+
+A header is a key-value pair, and multiple headers can be included with the same `key`. Only string values are supported. These headers will be included in each produced Kafka message.
+
+```yaml
+output.kafka:
+  hosts: ["localhost:9092"]
+  topic: "logs-%{[agent.version]}"
+  headers:
+    - key: "some-key"
+      value: "some value"
+    - key: "another-key"
+      value: "another value"
+```
+
+
+### `client_id` [_client_id]
+
+The configurable ClientID used for logging, debugging, and auditing purposes. The default is "beats".
+
+
+### `codec` [_codec]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/auditbeat/configuration-output-codec.md) for more information.
+
+
+### `metadata` [_metadata]
+
+Kafka metadata update settings. The metadata do contain information about brokers, topics, partition, and active leaders to use for publishing.
+
+**`refresh_frequency`**
+:   Metadata refresh interval. Defaults to 10 minutes.
+
+**`full`**
+:   Strategy to use when fetching metadata, when this option is `true`, the client will maintain a full set of metadata for all the available topics, if the this option is set to `false` it will only refresh the metadata for the configured topics. The default is false.
+
+**`retry.max`**
+:   Total number of metadata update retries when cluster is in middle of leader election. The default is 3.
+
+**`retry.backoff`**
+:   Waiting time between retries during leader elections. Default is 250ms.
+
+
+### `max_retries` [_max_retries_3]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `backoff.init` [_backoff_init_2]
+
+The number of seconds to wait before trying to republish to Kafka after a network error. After waiting `backoff.init` seconds, Auditbeat tries to republish. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful publish, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_2]
+
+The maximum number of seconds to wait before attempting to republish to Kafka after a network error. The default is 60s.
+
+
+### `bulk_max_size` [_bulk_max_size_2]
+
+The maximum number of events to bulk in a single Kafka request. The default is 2048.
+
+
+### `bulk_flush_frequency` [_bulk_flush_frequency]
+
+Duration to wait before sending bulk Kafka request. 0 is no delay. The default is 0.
+
+
+### `timeout` [_timeout_3]
+
+The number of seconds to wait for responses from the Kafka brokers before timing out. The default is 30 (seconds).
+
+
+### `broker_timeout` [_broker_timeout]
+
+The maximum duration a broker will wait for number of required ACKs. The default is 10s.
+
+
+### `channel_buffer_size` [_channel_buffer_size]
+
+Per Kafka broker number of messages buffered in output pipeline. The default is 256.
+
+
+### `keep_alive` [_keep_alive]
+
+The keep-alive period for an active network connection. If 0s, keep-alives are disabled. The default is 0 seconds.
+
+
+### `compression` [_compression]
+
+Sets the output compression codec. Must be one of `none`, `snappy`, `lz4`, `gzip` and `zstd`. The default is `gzip`.
+
+::::{admonition} Known issue with Azure Event Hub for Kafka
+:class: important
+
+When targeting Azure Event Hub for Kafka, set `compression` to `none` as the provided codecs are not supported.
+
+::::
+
+
+
+### `compression_level` [_compression_level_2]
+
+Sets the compression level used by gzip. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the cpu usage.
+
+The default value is 4.
+
+
+### `max_message_bytes` [kafka-max_message_bytes]
+
+The maximum permitted size of JSON-encoded messages. Bigger messages will be dropped. The default value is 1000000 (bytes). This value should be equal to or less than the broker’s `message.max.bytes`.
+
+
+### `required_acks` [_required_acks]
+
+The ACK reliability level required from broker. 0=no response, 1=wait for local commit, -1=wait for all replicas to commit. The default is 1.
+
+Note: If set to 0, no ACKs are returned by Kafka. Messages might be lost silently on error.
+
+
+### `ssl` [_ssl_3]
+
+Configuration options for SSL parameters like the root CA for Kafka connections. The Kafka host keystore should be created with the `-keyalg RSA` argument to ensure it uses a cipher supported by [Filebeat’s Kafka library](https://github.com/Shopify/sarama/wiki/Frequently-Asked-Questions#why-cant-sarama-connect-to-my-kafka-cluster-using-ssl). See [SSL](/reference/auditbeat/configuration-ssl.md) for more information.
+
+
+### `kerberos` [kerberos-option-kafka]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Configuration options for Kerberos authentication.
+
+See [Kerberos](/reference/auditbeat/configuration-kerberos.md) for more information.
+
+
+### `queue` [_queue_3]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/auditbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `auditbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/auditbeat/keystore.md b/docs/reference/auditbeat/keystore.md
new file mode 100644
index 000000000000..2cf4fdebf453
--- /dev/null
+++ b/docs/reference/auditbeat/keystore.md
@@ -0,0 +1,87 @@
+---
+navigation_title: "Secrets keystore"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/keystore.html
+---
+
+# Secrets keystore for secure settings [keystore]
+
+
+When you configure Auditbeat, you might need to specify sensitive settings, such as passwords. Rather than relying on file system permissions to protect these values, you can use the Auditbeat keystore to obfuscate stored secret values for use in configuration settings.
+
+After adding a key and its secret value to the keystore, you can use the key in place of the secret value when you configure sensitive settings.
+
+The syntax for referencing keys is identical to the syntax for environment variables:
+
+`${KEY}`
+
+Where KEY is the name of the key.
+
+For example, imagine that the keystore contains a key called `ES_PWD` with the value `yourelasticsearchpassword`:
+
+* In the configuration file, use `output.elasticsearch.password: "${ES_PWD}"`
+* On the command line, use: `-E "output.elasticsearch.password=\${ES_PWD}"`
+
+When Auditbeat unpacks the configuration, it resolves keys before resolving environment variables and other variables.
+
+Notice that the Auditbeat keystore differs from the Elasticsearch keystore. Whereas the Elasticsearch keystore lets you store `elasticsearch.yml` values by name, the Auditbeat keystore lets you specify arbitrary names that you can reference in the Auditbeat configuration.
+
+To create and manage keys, use the `keystore` command. See the [command reference](/reference/auditbeat/command-line-options.md#keystore-command) for the full command syntax, including optional flags.
+
+::::{note}
+The `keystore` command must be run by the same user who will run Auditbeat.
+::::
+
+
+
+## Create a keystore [creating-keystore]
+
+To create a secrets keystore, use:
+
+```sh
+auditbeat keystore create
+```
+
+Auditbeat creates the keystore in the directory defined by the `path.data` configuration setting.
+
+
+## Add keys [add-keys-to-keystore]
+
+To store sensitive values, such as authentication credentials for Elasticsearch, use the `keystore add` command:
+
+```sh
+auditbeat keystore add ES_PWD
+```
+
+When prompted, enter a value for the key.
+
+To overwrite an existing key’s value, use the `--force` flag:
+
+```sh
+auditbeat keystore add ES_PWD --force
+```
+
+To pass the value through stdin, use the `--stdin` flag. You can also use `--force`:
+
+```sh
+cat /file/containing/setting/value | auditbeat keystore add ES_PWD --stdin --force
+```
+
+
+## List keys [list-settings]
+
+To list the keys defined in the keystore, use:
+
+```sh
+auditbeat keystore list
+```
+
+
+## Remove keys [remove-settings]
+
+To remove a key from the keystore, use:
+
+```sh
+auditbeat keystore remove ES_PWD
+```
+
diff --git a/docs/reference/auditbeat/kibana-user-privileges.md b/docs/reference/auditbeat/kibana-user-privileges.md
new file mode 100644
index 000000000000..5ffa8ca6b401
--- /dev/null
+++ b/docs/reference/auditbeat/kibana-user-privileges.md
@@ -0,0 +1,27 @@
+---
+navigation_title: "Create a _reader_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/kibana-user-privileges.html
+---
+
+# Grant privileges and roles needed to read Auditbeat data from {{kib}} [kibana-user-privileges]
+
+
+{{kib}} users typically need to view dashboards and visualizations that contain Auditbeat data. These users might also need to create and edit dashboards and visualizations.
+
+To grant users the required privileges:
+
+1. Create a **reader role**, called something like `auditbeat_reader`, that has the following privilege:
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Index | `read` on `auditbeat-*` indices | Read data indexed by Auditbeat |
+    | Spaces | `Read` or `All` on Dashboards, Visualize, and Discover | Allow the user to view, edit, and create dashboards, as well as browse data. |
+
+2. Assign the **reader role**, along with the following built-in roles, to users who need to read Auditbeat data:
+
+    | Role | Purpose |
+    | --- | --- |
+    | `monitoring_user` | Allow users to monitor the health of Auditbeat itself. Only assign this role to users who manage Auditbeat. |
+
+
diff --git a/docs/reference/auditbeat/learn-more-security.md b/docs/reference/auditbeat/learn-more-security.md
new file mode 100644
index 000000000000..cfc24ca647f6
--- /dev/null
+++ b/docs/reference/auditbeat/learn-more-security.md
@@ -0,0 +1,12 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/learn-more-security.html
+---
+
+# Learn more about privileges, roles, and users [learn-more-security]
+
+Want to learn more about creating users and roles? See [Secure a cluster](docs-content://deploy-manage/security.md). Also see:
+
+* [Security privileges](elasticsearch://reference/elasticsearch/security-privileges.md) for a description of available privileges
+* [Built-in roles](elasticsearch://reference/elasticsearch/roles.md) for a description of roles that you can assign to users
+
diff --git a/docs/reference/auditbeat/linux-seccomp.md b/docs/reference/auditbeat/linux-seccomp.md
new file mode 100644
index 000000000000..e14effdcb388
--- /dev/null
+++ b/docs/reference/auditbeat/linux-seccomp.md
@@ -0,0 +1,75 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/linux-seccomp.html
+---
+
+# Use Linux Secure Computing Mode (seccomp) [linux-seccomp]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+On Linux 3.17 and later, Auditbeat can take advantage of secure computing mode, also known as seccomp. Seccomp restricts the system calls that a process can issue. Specifically Auditbeat can load a seccomp BPF filter at process start-up that drops the privileges to invoke specific system calls. Once a filter is loaded by the process it cannot be removed.
+
+The kernel exposes a large number of system calls that are not used by Auditbeat. By installing a seccomp filter, you can limit the total kernel surface exposed to Auditbeat (principle of least privilege). This minimizes the impact of unknown vulnerabilities that might be found in the process.
+
+The filter is expressed as a Berkeley Packet Filter (BPF) program. The BPF program is generated based on a policy defined by Auditbeat. The policy can be customized through configuration as well.
+
+A seccomp policy is architecture specific due to the fact that system calls vary by architecture. Auditbeat includes a whitelist seccomp policy for the amd64 and 386 architectures. You can view those policies [here](https://github.com/elastic/beats/tree/master/libbeat/common/seccomp).
+
+
+## Seccomp Policy Configuration [seccomp-policy-config]
+
+The seccomp policy can be customized through the configuration policy. This is an example blacklist policy that prohibits `execve`, `execveat`, `fork`, and `vfork` syscalls.
+
+```yaml
+seccomp:
+  default_action: allow <1>
+  syscalls:
+  - action: errno <2>
+    names: <3>
+    - execve
+    - execveat
+    - fork
+    - vfork
+```
+
+1. If the system call being invoked by the process does not match one of the names below then it will be allowed.
+2. If the system call being invoked matches one of the names below then an error will be returned to caller. This is known as a blacklist policy.
+3. These are system calls being prohibited.
+
+
+These are the configuration options for a seccomp policy.
+
+**`enabled`**
+:   On Linux, this option is enabled by default. To disable seccomp filter loading, set this option to `false`.
+
+**`default_action`**
+:   The default action to take when none of the defined system calls match. See [action](#seccomp-policy-config-action) for the full list of values. This is required.
+
+**`syscalls`**
+:   Each object in this list must contain an `action` and a list of system call `names`. The list must contain at least one item.
+
+**`names`**
+:   A list of system call names. The system call name must exist for the runtime architecture, otherwise an error will be logged and the filter will not be installed. At least one system call must be defined.
+
+$$$seccomp-policy-config-action$$$
+
+**`action`**
+:   The action to take when any of the system calls listed in `names` is executed. This is required. These are the available action values. The actions that are available depend on the kernel version.
+
+    * `errno` - The system call will return `EPERM` (permission denied) to the caller.
+    * `trace` - The kernel will notify a `ptrace` tracer. If no tracer is present then the system call fails with `ENOSYS` (function not implemented).
+    * `trap` - The kernel will send a `SIGSYS` signal to the calling thread and not execute the system call. The Go runtime will exit.
+    * `kill_thread` - The kernel will immediately terminate the thread. Other threads will continue to execute.
+    * `kill_process` - The kernel will terminate the process. Available in Linux 4.14 and later.
+    * `log` - The kernel will log the system call before executing it. Available in Linux 4.14 and later. (This does not go to the Beat’s log.)
+    * `allow` - The kernel will allow the system call to execute.
+
+
+
+## Auditbeat Reports Seccomp Violations [_auditbeat_reports_seccomp_violations]
+
+You can use Auditbeat to report any seccomp violations that occur on the system. The kernel generates an event for each violation and Auditbeat reports the event. The `event.action` value will be `violated-seccomp-policy` and the event will contain information about the process and system call.
+
diff --git a/docs/reference/auditbeat/load-kibana-dashboards.md b/docs/reference/auditbeat/load-kibana-dashboards.md
new file mode 100644
index 000000000000..462bf83869b2
--- /dev/null
+++ b/docs/reference/auditbeat/load-kibana-dashboards.md
@@ -0,0 +1,146 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/load-kibana-dashboards.html
+---
+
+# Load Kibana dashboards [load-kibana-dashboards]
+
+Auditbeat comes packaged with example Kibana dashboards, visualizations, and searches for visualizing Auditbeat data in Kibana. Before you can use the dashboards, you need to create the index pattern, `auditbeat-*`, and load the dashboards into Kibana.
+
+To do this, you can either run the `setup` command (as described here) or [configure dashboard loading](/reference/auditbeat/configuration-dashboards.md) in the `auditbeat.yml` config file. This requires a Kibana endpoint configuration. If you didn’t already configure a Kibana endpoint, see [{{kib}} endpoint](/reference/auditbeat/setup-kibana-endpoint.md).
+
+
+## Load dashboards [load-dashboards]
+
+Make sure Kibana is running before you perform this step. If you are accessing a secured Kibana instance, make sure you’ve configured credentials as described in the [Quick start: installation and configuration](/reference/auditbeat/auditbeat-installation-configuration.md).
+
+To load the recommended index template for writing to {{es}} and deploy the sample dashboards for visualizing the data in {{kib}}, use the command that works with your system.
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+auditbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+auditbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+./auditbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} Linux
+```sh
+./auditbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} Docker
+```sh
+docker run --rm --net="host" docker.elastic.co/beats/auditbeat:9.0.0-beta1 setup --dashboards
+```
+::::::
+
+::::::{tab-item} Windows
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Auditbeat, and run:
+
+```sh
+PS > .\auditbeat.exe setup --dashboards
+```
+::::::
+
+:::::::
+For more options, such as loading customized dashboards, see [Importing Existing Beat Dashboards](http://www.elastic.co/guide/en/beats/devguide/master/import-dashboards.md). If you’ve configured the Logstash output, see [Load dashboards for Logstash output](#load-dashboards-logstash).
+
+
+## Load dashboards for Logstash output [load-dashboards-logstash]
+
+During dashboard loading, Auditbeat connects to Elasticsearch to check version information. To load dashboards when the Logstash output is enabled, you need to temporarily disable the Logstash output and enable Elasticsearch. To connect to a secured Elasticsearch cluster, you also need to pass Elasticsearch credentials.
+
+::::{tip}
+The example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/auditbeat/keystore.md).
+::::
+
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+auditbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=auditbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+auditbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=auditbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+./auditbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=auditbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} Linux
+```sh
+./auditbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=auditbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} Docker
+```sh
+docker run --rm --net="host" docker.elastic.co/beats/auditbeat:9.0.0-beta1 setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=auditbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} Windows
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Auditbeat, and run:
+
+```sh
+PS > .\auditbeat.exe setup -e `
+  -E output.logstash.enabled=false `
+  -E output.elasticsearch.hosts=['localhost:9200'] `
+  -E output.elasticsearch.username=auditbeat_internal `
+  -E output.elasticsearch.password={pwd} `
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+:::::::
diff --git a/docs/reference/auditbeat/logstash-output.md b/docs/reference/auditbeat/logstash-output.md
new file mode 100644
index 000000000000..a065c513ebc8
--- /dev/null
+++ b/docs/reference/auditbeat/logstash-output.md
@@ -0,0 +1,245 @@
+---
+navigation_title: "Logstash"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/logstash-output.html
+---
+
+# Configure the Logstash output [logstash-output]
+
+
+The {{ls}} output sends events directly to {{ls}} by using the lumberjack protocol, which runs over TCP. {{ls}} allows for additional processing and routing of generated events.
+
+::::{admonition} Prerequisite
+:class: important
+
+To send events to {{ls}}, you also need to create a {{ls}} configuration pipeline that listens for incoming Beats connections and indexes the received events into {{es}}. For more information, see [Getting Started with {{ls}}](logstash://reference/getting-started-with-logstash.md). Also see the documentation for the [{{beats}} input](logstash://reference/plugins-inputs-beats.md) and [{{es}} output](logstash://reference/plugins-outputs-elasticsearch.md) plugins.
+::::
+
+
+If you want to use {{ls}} to perform additional processing on the data collected by Auditbeat, you need to configure Auditbeat to use {{ls}}.
+
+To do this, edit the Auditbeat configuration file to disable the {{es}} output by commenting it out and enable the {{ls}} output by uncommenting the {{ls}} section:
+
+```yaml
+output.logstash:
+  hosts: ["127.0.0.1:5044"]
+```
+
+The `hosts` option specifies the {{ls}} server and the port (`5044`) where {{ls}} is configured to listen for incoming Beats connections.
+
+For this configuration, you must [load the index template into {{es}} manually](/reference/auditbeat/auditbeat-template.md#load-template-manually) because the options for auto loading the template are only available for the {{es}} output.
+
+## Accessing metadata fields [_accessing_metadata_fields]
+
+Every event sent to {{ls}} contains the following metadata fields that you can use in {{ls}} for indexing and filtering:
+
+```json
+{
+    ...
+    "@metadata": { <1>
+      "beat": "auditbeat", <2>
+      "version": "9.0.0-beta1" <3>
+    }
+}
+```
+
+1. Auditbeat uses the `@metadata` field to send metadata to {{ls}}. See the [{{ls}} documentation](logstash://reference/event-dependent-configuration.md#metadata) for more about the `@metadata` field.
+2. The default is auditbeat. To change this value, set the [`index`](#logstash-index) option in the Auditbeat config file.
+3. The current version of Auditbeat.
+
+
+You can access this metadata from within the {{ls}} config file to set values dynamically based on the contents of the metadata.
+
+For example, the following {{ls}} configuration file tells {{ls}} to use the index reported by Auditbeat for indexing events into {{es}}:
+
+```json
+input {
+  beats {
+    port => 5044
+  }
+}
+
+output {
+  elasticsearch {
+    hosts => ["http://localhost:9200"]
+    index => "%{[@metadata][beat]}-%{[@metadata][version]}" <1>
+    action => "create"
+  }
+}
+```
+
+1. `%{[@metadata][beat]}` sets the first part of the index name to the value of the `beat` metadata field and `%{[@metadata][version]}` sets the second part to the Beat’s version. For example: `auditbeat-9.0.0-beta1`.
+
+
+Events indexed into {{es}} with the {{ls}} configuration shown here will be similar to events directly indexed by Auditbeat into {{es}}.
+
+::::{note}
+If ILM is not being used, set `index` to `%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so {{ls}} creates an index per day, based on the `@timestamp` value of the events coming from Beats.
+::::
+
+
+
+## Compatibility [_compatibility_2]
+
+This output works with all compatible versions of {{ls}}. See the [Elastic Support Matrix](https://www.elastic.co/support/matrix#matrix_compatibility).
+
+
+## Configuration options [_configuration_options_3]
+
+You can specify the following options in the `logstash` section of the `auditbeat.yml` config file:
+
+### `enabled` [_enabled_2]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [hosts]
+
+The list of known {{ls}} servers to connect to. If load balancing is disabled, but multiple hosts are configured, one host is selected randomly (there is no precedence). If one host becomes unreachable, another one is selected randomly.
+
+All entries in this list can contain a port number. The default port number 5044 will be used if no number is given.
+
+
+### `compression_level` [_compression_level]
+
+The gzip compression level. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the CPU usage.
+
+The default value is 3.
+
+
+### `escape_html` [_escape_html_2]
+
+Configure escaping of HTML in strings. Set to `true` to enable escaping.
+
+The default value is `false`.
+
+
+### `worker` or `workers` [_worker_or_workers]
+
+The number of workers per configured host publishing events to {{ls}}. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+
+### `loadbalance` [loadbalance]
+
+When `loadbalance: true` is set, Auditbeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Auditbeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Auditbeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Auditbeat can connect to at least one of its configured hosts. To rotate through the list of configured hosts over time, use this option in conjunction with the `ttl` setting to close the connection at the configured interval and choose a new target host.
+
+The default value is `false`.
+
+```yaml
+output.logstash:
+  hosts: ["localhost:5044", "localhost:5045"]
+  loadbalance: true
+  index: auditbeat
+```
+
+
+### `ttl` [_ttl]
+
+Time to live for a connection to {{ls}} after which the connection will be re-established. Useful when {{ls}} hosts represent load balancers. Since the connections to {{ls}} hosts are sticky, operating behind load balancers can lead to uneven load distribution between the instances. Specifying a TTL on the connection allows to achieve equal connection distribution between the instances.  Specifying a TTL of 0 will disable this feature.
+
+The default value is 0. This setting accepts [duration](/reference/libbeat/config-file-format-type.md#_duration) data type values.
+
+::::{note}
+The "ttl" option is not yet supported on an async {{ls}} client (one with the "pipelining" option set).
+::::
+
+
+
+### `pipelining` [_pipelining]
+
+Configures the number of batches to be sent asynchronously to {{ls}} while waiting for ACK from {{ls}}. Output only becomes blocking once number of `pipelining` batches have been written. Pipelining is disabled if a value of 0 is configured. The default value is 2.
+
+
+### `proxy_url` [_proxy_url_2]
+
+The URL of the SOCKS5 proxy to use when connecting to the {{ls}} servers. The value must be a URL with a scheme of `socks5://`. The protocol used to communicate to {{ls}} is not based on HTTP so a web-proxy cannot be used.
+
+If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL as shown in the example.
+
+When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the [`proxy_use_local_resolver`](#logstash-proxy-use-local-resolver) option.
+
+```yaml
+output.logstash:
+  hosts: ["remote-host:5044"]
+  proxy_url: socks5://user:password@socks5-proxy:2233
+```
+
+
+### `proxy_use_local_resolver` [logstash-proxy-use-local-resolver]
+
+The `proxy_use_local_resolver` option determines if {{ls}} hostnames are resolved locally when using a proxy. The default value is false, which means that when a proxy is used the name resolution occurs on the proxy server.
+
+
+### `index` [logstash-index]
+
+The index root name to write events to. The default is the Beat name. For example `"auditbeat"` generates `"[auditbeat-]9.0.0-beta1-YYYY.MM.DD"` indices (for example, `"auditbeat-9.0.0-beta1-2017.04.26"`).
+
+::::{note}
+This parameter’s value will be assigned to the `metadata.beat` field. It can then be accessed in {{ls}}'s output section as `%{[@metadata][beat]}`.
+::::
+
+
+
+### `ssl` [_ssl_2]
+
+Configuration options for SSL parameters like the root CA for {{ls}} connections. See [SSL](/reference/auditbeat/configuration-ssl.md) for more information. To use SSL, you must also configure the [Beats input plugin for Logstash](logstash://reference/plugins-inputs-beats.md) to use SSL/TLS.
+
+
+### `timeout` [_timeout_2]
+
+The number of seconds to wait for responses from the {{ls}} server before timing out. The default is 30 (seconds).
+
+
+### `max_retries` [_max_retries_2]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `bulk_max_size` [_bulk_max_size]
+
+The maximum number of events to bulk in a single {{ls}} request. The default is 2048.
+
+Events can be collected into batches. Auditbeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `slow_start` [_slow_start]
+
+If enabled, only a subset of events in a batch of events is transferred per transaction. The number of events to be sent increases up to `bulk_max_size` if no error is encountered. On error, the number of events per transaction is reduced again.
+
+The default is `false`.
+
+
+### `backoff.init` [_backoff_init]
+
+The number of seconds to wait before trying to reconnect to {{ls}} after a network error. After waiting `backoff.init` seconds, Auditbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max]
+
+The maximum number of seconds to wait before attempting to connect to {{ls}} after a network error. The default is 60s.
+
+
+### `queue` [_queue_2]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/auditbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `auditbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/auditbeat/madvdontneed-rss.md b/docs/reference/auditbeat/madvdontneed-rss.md
new file mode 100644
index 000000000000..9af1b0ccce94
--- /dev/null
+++ b/docs/reference/auditbeat/madvdontneed-rss.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/madvdontneed-rss.html
+---
+
+# High RSS memory usage due to MADV settings [madvdontneed-rss]
+
+In versions of Auditbeat prior to 7.10.2, the go runtime defaults to `MADV_FREE` by default. In some cases, this can lead to high RSS memory usage while the kernel waits to reclaim any pages assigned to Auditbeat. On versions prior to 7.10.2, set the `GODEBUG="madvdontneed=1"` environment variable if you run into RSS usage issues.
+
diff --git a/docs/reference/auditbeat/metadata-missing.md b/docs/reference/auditbeat/metadata-missing.md
new file mode 100644
index 000000000000..de51069cb206
--- /dev/null
+++ b/docs/reference/auditbeat/metadata-missing.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/metadata-missing.html
+---
+
+# @metadata is missing in Logstash [metadata-missing]
+
+{{ls}} outputs remove `@metadata` fields automatically. Therefore, if {{ls}} instances are chained directly or via some message queue (for example, Redis or Kafka), the `@metadata` field will not be available in the final {{ls}} instance.
+
+::::{tip}
+To preserve `@metadata` fields, use the {{ls}} mutate filter with the rename setting to rename the fields to non-internal fields.
+::::
+
+
diff --git a/docs/reference/auditbeat/monitoring-internal-collection.md b/docs/reference/auditbeat/monitoring-internal-collection.md
new file mode 100644
index 000000000000..806e9eb4245a
--- /dev/null
+++ b/docs/reference/auditbeat/monitoring-internal-collection.md
@@ -0,0 +1,73 @@
+---
+navigation_title: "Use internal collection"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/monitoring-internal-collection.html
+---
+
+# Use internal collection to send monitoring data [monitoring-internal-collection]
+
+
+Use internal collectors to send {{beats}} monitoring data directly to your monitoring cluster. Or as an alternative to internal collection, use [Use {{metricbeat}} collection](/reference/auditbeat/monitoring-metricbeat-collection.md). The benefit of using internal collection instead of {{metricbeat}} is that you have fewer pieces of software to install and maintain.
+
+1. Create an API key or user that has appropriate authority to send system-level monitoring data to {{es}}. For example, you can use the built-in `beats_system` user or assign the built-in `beats_system` role to another user. For more information on the required privileges, see [Create a *monitoring* user](/reference/auditbeat/privileges-to-publish-monitoring.md). For more information on how to use API keys, see [*Grant access using API keys*](/reference/auditbeat/beats-api-keys.md).
+2. Add the `monitoring` settings in the Auditbeat configuration file. If you configured the {{es}} output and want to send Auditbeat monitoring events to the same {{es}} cluster, specify the following minimal configuration:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      elasticsearch:
+        api_key:  id:api_key <1>
+        username: beats_system
+        password: somepassword
+    ```
+
+    1. Specify one of `api_key` or `username`/`password`.
+
+
+    If you want to send monitoring events to an [{{ecloud}}](https://cloud.elastic.co/) monitoring cluster, you can use two simpler settings. When defined, these settings overwrite settings from other parts in the configuration. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cloud.id: 'staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=='
+      cloud.auth: 'elastic:{pwd}'
+    ```
+
+    If you configured a different output, such as {{ls}} or you want to send Auditbeat monitoring events to a separate {{es}} cluster (referred to as the *monitoring cluster*), you must specify additional configuration options. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cluster_uuid: PRODUCTION_ES_CLUSTER_UUID <1>
+      elasticsearch:
+        hosts: ["https://example.com:9200", "https://example2.com:9200"] <2>
+        api_key:  id:api_key <3>
+        username: beats_system
+        password: somepassword
+    ```
+
+    1. This setting identifies the {{es}} cluster under which the monitoring data for this Auditbeat instance will appear in the Stack Monitoring UI. To get a cluster’s `cluster_uuid`, call the `GET /` API against that production cluster.
+    2. This setting identifies the hosts and port numbers of {{es}} nodes that are part of the monitoring cluster.
+    3. Specify one of `api_key` or `username`/`password`.
+
+
+    If you want to use PKI authentication to send monitoring events to {{es}}, you must specify a different set of configuration options. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cluster_uuid: PRODUCTION_ES_CLUSTER_UUID
+      elasticsearch:
+        hosts: ["https://example.com:9200", "https://example2.com:9200"]
+        username: ""
+        ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+        ssl.certificate: "/etc/pki/client/cert.pem"
+        ssl.key: "/etc/pki/client/cert.key"
+    ```
+
+    You must specify the `username` as `""` explicitly so that the username from the client certificate (`CN`) is used. See [SSL](/reference/auditbeat/configuration-ssl.md) for more information about SSL settings.
+
+3. Start Auditbeat.
+4. [View the monitoring data in {{kib}}](docs-content://deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md).
+
+
diff --git a/docs/reference/auditbeat/monitoring-metricbeat-collection.md b/docs/reference/auditbeat/monitoring-metricbeat-collection.md
new file mode 100644
index 000000000000..5b5b03831125
--- /dev/null
+++ b/docs/reference/auditbeat/monitoring-metricbeat-collection.md
@@ -0,0 +1,163 @@
+---
+navigation_title: "Use {{metricbeat}} collection"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/monitoring-metricbeat-collection.html
+---
+
+# Use {{metricbeat}} to send monitoring data [monitoring-metricbeat-collection]
+
+
+In 7.3 and later, you can use {{metricbeat}} to collect data about Auditbeat and ship it to the monitoring cluster. The benefit of using {{metricbeat}} instead of internal collection is that the monitoring agent remains active even if the Auditbeat instance dies.
+
+To collect and ship monitoring data:
+
+1. [Configure the shipper you want to monitor](#configure-shipper)
+2. [Install and configure {{metricbeat}} to collect monitoring data](#configure-metricbeat)
+
+
+## Configure the shipper you want to monitor [configure-shipper]
+
+1. Enable the HTTP endpoint to allow external collection of monitoring data:
+
+    Add the following setting in the Auditbeat configuration file (`auditbeat.yml`):
+
+    ```yaml
+    http.enabled: true
+    ```
+
+    By default, metrics are exposed on port 5066. If you need to monitor multiple {{beats}} shippers running on the same server, set `http.port` to expose metrics for each shipper on a different port number:
+
+    ```yaml
+    http.port: 5067
+    ```
+
+2. Disable the default collection of Auditbeat monitoring metrics.<br>
+
+    Add the following setting in the Auditbeat configuration file (`auditbeat.yml`):
+
+    ```yaml
+    monitoring.enabled: false
+    ```
+
+    For more information, see [Monitoring configuration options](/reference/auditbeat/configuration-monitor.md).
+
+3. Configure host (optional).<br>
+
+    If you intend to get metrics using {{metricbeat}} installed on another server, you need to bind the Auditbeat to host’s IP:
+
+    ```yaml
+    http.host: xxx.xxx.xxx.xxx
+    ```
+
+4. Configure cluster UUID.<br>
+
+    The cluster UUID is necessary if you want to see {{beats}} monitoring in the {{kib}} stack monitoring view. The monitoring data will be grouped under the cluster for that UUID. To associate Auditbeat with the cluster UUID, set:
+
+    ```yaml
+    monitoring.cluster_uuid: "cluster-uuid"
+    ```
+
+5. Start Auditbeat.
+
+
+## Install and configure {{metricbeat}} to collect monitoring data [configure-metricbeat]
+
+1. Install {{metricbeat}} on the same server as Auditbeat. To learn how, see [Get started with {{metricbeat}}](/reference/metricbeat/metricbeat-installation-configuration.md). If you already have {{metricbeat}} installed on the server, skip this step.
+2. Enable the `beat-xpack` module in {{metricbeat}}.<br>
+
+    For example, to enable the default configuration in the `modules.d` directory, run the following command, using the correct command syntax for your OS:
+
+    ```sh
+    metricbeat modules enable beat-xpack
+    ```
+
+    For more information, see [Configure modules](/reference/metricbeat/configuration-metricbeat.md) and [beat module](/reference/metricbeat/metricbeat-module-beat.md).
+
+3. Configure the `beat-xpack` module in {{metricbeat}}.<br>
+
+    The `modules.d/beat-xpack.yml` file contains the following settings:
+
+    ```yaml
+    - module: beat
+      metricsets:
+        - stats
+        - state
+      period: 10s
+      hosts: ["http://localhost:5066"]
+      #username: "user"
+      #password: "secret"
+      xpack.enabled: true
+    ```
+
+    Set the `hosts`, `username`, and `password` settings as required by your environment. For other module settings, it’s recommended that you accept the defaults.
+
+    By default, the module collects Auditbeat monitoring data from `localhost:5066`. If you exposed the metrics on a different host or port when you enabled the HTTP endpoint, update the `hosts` setting.
+
+    To monitor multiple {{beats}} agents, specify a list of hosts, for example:
+
+    ```yaml
+    hosts: ["http://localhost:5066","http://localhost:5067","http://localhost:5068"]
+    ```
+
+    If you configured Auditbeat to use encrypted communications, you must access it via HTTPS. For example, use a `hosts` setting like `https://localhost:5066`.
+
+    If the Elastic {{security-features}} are enabled, you must also provide a user ID and password so that {{metricbeat}} can collect metrics successfully:
+
+    1. Create a user on the {{es}} cluster that has the `remote_monitoring_collector` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md).
+    2. Add the `username` and `password` settings to the beat module configuration file.
+
+4. Optional: Disable the system module in the {{metricbeat}}.
+
+    By default, the [system module](/reference/metricbeat/metricbeat-module-system.md) is enabled. The information it collects, however, is not shown on the **Stack Monitoring** page in {{kib}}. Unless you want to use that information for other purposes, run the following command:
+
+    ```sh
+    metricbeat modules disable system
+    ```
+
+5. Identify where to send the monitoring data.<br>
+
+    ::::{tip}
+    In production environments, we strongly recommend using a separate cluster (referred to as the *monitoring cluster*) to store the data. Using a separate monitoring cluster prevents production cluster outages from impacting your ability to access your monitoring data. It also prevents monitoring activities from impacting the performance of your production cluster.
+    ::::
+
+
+    For example, specify the {{es}} output information in the {{metricbeat}} configuration file (`metricbeat.yml`):
+
+    ```yaml
+    output.elasticsearch:
+      # Array of hosts to connect to.
+      hosts: ["http://es-mon-1:9200", "http://es-mon2:9200"] <1>
+
+      # Optional protocol and basic auth credentials.
+      #protocol: "https"
+      #api_key:  "id:api_key" <2>
+      #username: "elastic"
+      #password: "changeme"
+    ```
+
+    1. In this example, the data is stored on a monitoring cluster with nodes `es-mon-1` and `es-mon-2`.
+    2. Specify one of `api_key` or `username`/`password`.
+
+
+    If you configured the monitoring cluster to use encrypted communications, you must access it via HTTPS. For example, use a `hosts` setting like `https://es-mon-1:9200`.
+
+    ::::{important}
+    The {{es}} {{monitor-features}} use ingest pipelines. The cluster that stores the monitoring data must have at least one node with the `ingest` role.
+    ::::
+
+
+    If the {{es}} {{security-features}} are enabled on the monitoring cluster, you must provide a valid user ID and password so that {{metricbeat}} can send metrics successfully:
+
+    1. Create a user on the monitoring cluster that has the `remote_monitoring_agent` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md).
+
+        ::::{tip}
+        If you’re using index lifecycle management, the remote monitoring user requires additional privileges to create and read indices. For more information, see [*Grant users access to secured resources*](/reference/auditbeat/feature-roles.md).
+        ::::
+
+    2. Add the `username` and `password` settings to the {{es}} output information in the {{metricbeat}} configuration file.
+
+    For more information about these configuration options, see [Configure the {{es}} output](/reference/metricbeat/elasticsearch-output.md).
+
+6. [Start {{metricbeat}}](/reference/metricbeat/metricbeat-starting.md) to begin collecting monitoring data.
+7. [View the monitoring data in {{kib}}](docs-content://deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md).
+
diff --git a/docs/reference/auditbeat/monitoring-shows-fewer-than-expected-beats.md b/docs/reference/auditbeat/monitoring-shows-fewer-than-expected-beats.md
new file mode 100644
index 000000000000..f6e2ea279057
--- /dev/null
+++ b/docs/reference/auditbeat/monitoring-shows-fewer-than-expected-beats.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/monitoring-shows-fewer-than-expected-beats.html
+---
+
+# Monitoring UI shows fewer Beats than expected [monitoring-shows-fewer-than-expected-beats]
+
+If you are running multiple Beat instances on the same host, make sure they each have a distinct `path.data` value.
+
diff --git a/docs/reference/auditbeat/monitoring.md b/docs/reference/auditbeat/monitoring.md
new file mode 100644
index 000000000000..b8207b724b55
--- /dev/null
+++ b/docs/reference/auditbeat/monitoring.md
@@ -0,0 +1,16 @@
+---
+navigation_title: "Monitor"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/monitoring.html
+---
+
+# Monitor Auditbeat [monitoring]
+
+
+You can use the {{stack}} {{monitor-features}} to gain insight into the health of Auditbeat instances running in your environment.
+
+To monitor Auditbeat, make sure monitoring is enabled on your {{es}} cluster, then configure the method used to collect Auditbeat metrics. You can use one of following methods:
+
+* [Internal collection](/reference/auditbeat/monitoring-internal-collection.md) - Internal collectors send monitoring data directly to your monitoring cluster.
+* [{{metricbeat}} collection](/reference/auditbeat/monitoring-metricbeat-collection.md) - {{metricbeat}} collects monitoring data from your Auditbeat instance and sends it directly to your monitoring cluster.
+
diff --git a/docs/reference/auditbeat/move-fields.md b/docs/reference/auditbeat/move-fields.md
new file mode 100644
index 000000000000..fa7c4eacbc8d
--- /dev/null
+++ b/docs/reference/auditbeat/move-fields.md
@@ -0,0 +1,93 @@
+---
+navigation_title: "move_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/move-fields.html
+---
+
+# Move fields [move-fields]
+
+
+The `move_fields` processor moves event fields from one object into another. It can also rearrange fields or add a prefix to fields.
+
+The processor extracts fields from `from`, then uses `fields` and `exclude` as filters to choose which fields to move into the `to` field.
+
+For example, given the following event:
+
+```json
+{
+  "app": {
+    "method": "a",
+    "elapsed_time": 100,
+    "user_id": 100,
+    "message": "i'm a message"
+  }
+}
+```
+
+To move `method` and `elapsed_time` into another object, use this configuration:
+
+```yaml
+processors:
+  - move_fields:
+      from: "app"
+      fields: ["method", "elapsed_time"],
+      to: "rpc."
+```
+
+Your final event will be:
+
+```json
+{
+  "app": {
+    "user_id": 100,
+    "message": "i'm a message",
+    "rpc": {
+      "method": "a",
+      "elapsed_time": 100
+    }
+  }
+}
+```
+
+To add a prefix to the whole event:
+
+```json
+{
+  "app": { "method": "a"},
+  "cost": 100
+}
+```
+
+Use this configuration:
+
+```yaml
+processors:
+  - move_fields:
+      to: "my_prefix_"
+```
+
+Your final event will be:
+
+```json
+{
+  "my_prefix_app": { "method": "a"},
+  "my_prefix_cost": 100
+}
+```
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `from` | no |  | Which field you want extract. This field and any nested fields will be moved into `to` unless they are filtered out. If empty, indicates event root. |  |
+| `fields` | no |  | Which fields to extract from `from` and move to `to`. An empty list indicates all fields. |  |
+| `ignore_missing` | no | false | Ignore "not found" errors when extracting fields. |  |
+| `exclude` | no |  | A list of fields to exclude and not move. |  |
+| `to` | yes |  | These fields extract from `from` destination field prefix the `to` will base on fields root. |  |
+
+```yaml
+processors:
+  - move_fields:
+      from: "app"
+      fields: [ "method", "elapsed_time" ]
+      to: "rpc."
+```
+
diff --git a/docs/reference/auditbeat/privileges-to-publish-events.md b/docs/reference/auditbeat/privileges-to-publish-events.md
new file mode 100644
index 000000000000..9f3dd37d0ba3
--- /dev/null
+++ b/docs/reference/auditbeat/privileges-to-publish-events.md
@@ -0,0 +1,37 @@
+---
+navigation_title: "Create a _publishing_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/privileges-to-publish-events.html
+---
+
+# Grant privileges and roles needed for publishing [privileges-to-publish-events]
+
+
+Users who publish events to {{es}} need to create and write to Auditbeat indices. To minimize the privileges required by the writer role, use the [setup role](/reference/auditbeat/privileges-to-setup-beats.md) to pre-load dependencies. This section assumes that you’ve run the setup.
+
+When using ILM, turn off the ILM setup check in the Auditbeat config file before running Auditbeat to publish events:
+
+```yaml
+setup.ilm.check_exists: false
+```
+
+To grant the required privileges:
+
+1. Create a **writer role**, called something like `auditbeat_writer`, that has the following privileges:
+
+    ::::{note}
+    The `monitor` cluster privilege and the `create_doc` and `auto_configure` privileges on `auditbeat-*` indices are required in every configuration.
+    ::::
+
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+    | Cluster | `read_ilm` | Read the ILM policy when connecting to clusters that support ILM.Not needed when `setup.ilm.check_exists` is `false`. |
+    | Index | `create_doc` on `auditbeat-*` indices | Write events into {{es}} |
+    | Index | `auto_configure` on `auditbeat-*` indices | Update the datastream mapping. Consider either disabling entirely or adding therule `-{{beat_default_index_prefix}}-*` to the cluster settings[action.auto_create_index](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-create)to prevent unwanted indices creations from the agents. |
+
+    Omit any privileges that aren’t relevant in your environment.
+
+2. Assign the **writer role** to users who will index events into {{es}}.
+
diff --git a/docs/reference/auditbeat/privileges-to-publish-monitoring.md b/docs/reference/auditbeat/privileges-to-publish-monitoring.md
new file mode 100644
index 000000000000..fd04644d5f63
--- /dev/null
+++ b/docs/reference/auditbeat/privileges-to-publish-monitoring.md
@@ -0,0 +1,61 @@
+---
+navigation_title: "Create a _monitoring_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/privileges-to-publish-monitoring.html
+---
+
+# Grant privileges and roles needed for monitoring [privileges-to-publish-monitoring]
+
+
+{{es-security-features}} provides built-in users and roles for monitoring. The privileges and roles needed depend on the method used to collect monitoring data.
+
+::::{admonition} Important note for {{ecloud}} users
+:class: important
+
+Built-in users are not available when running our [hosted {{ess}}](https://www.elastic.co/cloud/elasticsearch-service) on {{ecloud}}. To send monitoring data securely, create a monitoring user and grant it the roles described in the following sections.
+
+::::
+
+
+* If you’re using [internal collection](/reference/auditbeat/monitoring-internal-collection.md) to collect metrics about Auditbeat, {{es-security-features}} provides the `beats_system` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md) and `beats_system` [built-in role](elasticsearch://reference/elasticsearch/roles.md) to send monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to send monitoring information.
+
+    If you use the `beats_system` user, make sure you set the password.
+
+    If you don’t use the `beats_system` user:
+
+    1. Create a **monitoring role**, called something like `auditbeat_monitoring`, that has the following privileges:
+
+        | Type | Privilege | Purpose |
+        | --- | --- | --- |
+        | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+        | Index | `create_index` on `.monitoring-beats-*` indices | Create monitoring indices in {{es}} |
+        | Index | `create_doc` on `.monitoring-beats-*` indices | Write monitoring events into {{es}} |
+
+    2. Assign the **monitoring role**, along with the following built-in roles, to users who need to monitor Auditbeat:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `kibana_admin` | Use {{kib}} |
+        | `monitoring_user` | Use **Stack Monitoring** in {{kib}} to monitor Auditbeat |
+
+* If you’re [using {{metricbeat}}](/reference/auditbeat/monitoring-metricbeat-collection.md) to collect metrics about Auditbeat, {{es-security-features}} provides the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md), and the `remote_monitoring_collector` and `remote_monitoring_agent` [built-in roles](elasticsearch://reference/elasticsearch/roles.md) for collecting and sending monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to collect and send monitoring information.
+
+    If you use the `remote_monitoring_user` user, make sure you set the password.
+
+    If you don’t use the `remote_monitoring_user` user:
+
+    1. Create a user on the production cluster who will collect and send monitoring information.
+    2. Assign the following roles to the user:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `remote_monitoring_collector` | Collect monitoring metrics from Auditbeat |
+        | `remote_monitoring_agent` | Send monitoring data to the monitoring cluster |
+
+    3. Assign the following role to users who will view the monitoring data in {{kib}}:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `monitoring_user` | Use **Stack Monitoring** in {{kib}} to monitor Auditbeat |
+
+
diff --git a/docs/reference/auditbeat/privileges-to-setup-beats.md b/docs/reference/auditbeat/privileges-to-setup-beats.md
new file mode 100644
index 000000000000..bd7676a93ee8
--- /dev/null
+++ b/docs/reference/auditbeat/privileges-to-setup-beats.md
@@ -0,0 +1,42 @@
+---
+navigation_title: "Create a _setup_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/privileges-to-setup-beats.html
+---
+
+# Grant privileges and roles needed for setup [privileges-to-setup-beats]
+
+
+::::{important}
+Setting up Auditbeat is an admin-level task that requires extra privileges. As a best practice, grant the setup role to administrators only, and use a more restrictive role for event publishing.
+::::
+
+
+Administrators who set up Auditbeat typically need to load mappings, dashboards, and other objects used to index data into {{es}} and visualize it in {{kib}}.
+
+To grant users the required privileges:
+
+1. Create a **setup role**, called something like `auditbeat_setup`, that has the following privileges:
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+    | Cluster | `manage_ilm` | Set up and manage index lifecycle management (ILM) policy |
+    | Index | `manage` on `auditbeat-*` indices | Load data stream |
+
+    Omit any privileges that aren’t relevant in your environment.
+
+    ::::{note}
+    These instructions assume that you are using the default name for Auditbeat indices. If `auditbeat-*` is not listed, or you are using a custom name, enter it manually and modify the privileges to match your index naming pattern.
+    ::::
+
+2. Assign the **setup role**, along with the following built-in roles, to users who need to set up Auditbeat:
+
+    | Role | Purpose |
+    | --- | --- |
+    | `kibana_admin` | Load dependencies, such as example dashboards, if available, into {{kib}} |
+    | `ingest_admin` | Set up index templates and, if available, ingest pipelines |
+
+    Omit any roles that aren’t relevant in your environment.
+
+
diff --git a/docs/reference/auditbeat/processor-dns.md b/docs/reference/auditbeat/processor-dns.md
new file mode 100644
index 000000000000..8f3587ddcfdb
--- /dev/null
+++ b/docs/reference/auditbeat/processor-dns.md
@@ -0,0 +1,102 @@
+---
+navigation_title: "dns"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/processor-dns.html
+---
+
+# DNS Reverse Lookup [processor-dns]
+
+
+The `dns` processor performs DNS queries. It caches the responses that it receives in accordance to the time-to-live (TTL) value contained in the response. It also caches failures that occur during lookups. Each instance of this processor maintains its own independent cache.
+
+The processor uses its own DNS resolver to send requests to nameservers and does not use the operating system’s resolver. It does not read any values contained in `/etc/hosts`.
+
+This processor can significantly slow down your pipeline’s throughput if you have a high latency network or slow upstream nameserver. The cache will help with performance, but if the addresses being resolved have a high cardinality then the cache benefits will be diminished due to the high miss ratio.
+
+By way of example, if each DNS lookup takes 2 milliseconds, the maximum throughput you can achieve is 500 events per second (1000 milliseconds / 2 milliseconds). If you have a high cache hit ratio then your throughput can be higher.
+
+The processor can send the following query types:
+
+* `A` - IPv4 addresses
+* `AAAA` - IPv6 addresses
+* `TXT` - arbitrary human-readable text data
+* `PTR` - reverse IP address lookups
+
+The output value is a list of strings for all query types except `PTR`. For `PTR` queries the output value is a string.
+
+This is a minimal configuration example that resolves the IP addresses contained in two fields.
+
+```yaml
+processors:
+  - dns:
+      type: reverse
+      fields:
+        source.ip: source.domain
+        destination.ip: destination.domain
+```
+
+Next is a configuration example showing all options.
+
+```yaml
+processors:
+- dns:
+    type: reverse
+    action: append
+    transport: tls
+    fields:
+      server.ip: server.domain
+      client.ip: client.domain
+    success_cache:
+      capacity.initial: 1000
+      capacity.max: 10000
+      min_ttl: 1m
+    failure_cache:
+      capacity.initial: 1000
+      capacity.max: 10000
+      ttl: 1m
+    nameservers: ['192.0.2.1', '203.0.113.1']
+    timeout: 500ms
+    tag_on_failure: [_dns_reverse_lookup_failed]
+```
+
+The `dns` processor has the following configuration settings:
+
+`type`
+:   The type of DNS query to perform. The supported types are `A`, `AAAA`, `PTR` (or `reverse`), and `TXT`.
+
+`action`
+:   This defines the behavior of the processor when the target field already exists in the event. The options are `append` (default) and `replace`.
+
+`fields`
+:   This is a mapping of source field names to target field names. The value of the source field will be used in the DNS query and result will be written to the target field.
+
+`success_cache.capacity.initial`
+:   The initial number of items that the success cache will be allocated to hold. When initialized the processor will allocate the memory for this number of items. Default value is `1000`.
+
+`success_cache.capacity.max`
+:   The maximum number of items that the success cache can hold. When the maximum capacity is reached a random item is evicted. Default value is `10000`.
+
+`success_cache.min_ttl`
+:   The duration of the minimum alternative cache TTL for successful DNS responses. Ensures that `TTL=0` successful reverse DNS responses can be cached. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `1m`.
+
+`failure_cache.capacity.initial`
+:   The initial number of items that the failure cache will be allocated to hold. When initialized the processor will allocate the memory for this number of items. Default value is `1000`.
+
+`failure_cache.capacity.max`
+:   The maximum number of items that the failure cache can hold. When the maximum capacity is reached a random item is evicted. Default value is `10000`.
+
+`failure_cache.ttl`
+:   The duration for which failures are cached. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `1m`.
+
+`nameservers`
+:   A list of nameservers to query. If there are multiple servers, the resolver queries them in the order listed. If none are specified then it will read the nameservers listed in `/etc/resolv.conf` once at initialization. On Windows you must always supply at least one nameserver.
+
+`timeout`
+:   The duration after which a DNS query will timeout. This is timeout for each DNS request so if you have 2 nameservers then the total timeout will be 2 times this value. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `500ms`.
+
+`tag_on_failure`
+:   A list of tags to add to the event when any lookup fails. The tags are only added once even if multiple lookups fail. By default, no tags are added upon failure.
+
+`transport`
+:   The type of transport connection that should be used can either be `tls` (DNS over TLS) or `udp`. Defaults to `udp`.
+
diff --git a/docs/reference/auditbeat/processor-registered-domain.md b/docs/reference/auditbeat/processor-registered-domain.md
new file mode 100644
index 000000000000..db232ba58986
--- /dev/null
+++ b/docs/reference/auditbeat/processor-registered-domain.md
@@ -0,0 +1,36 @@
+---
+navigation_title: "registered_domain"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/processor-registered-domain.html
+---
+
+# Registered Domain [processor-registered-domain]
+
+
+The `registered_domain` processor reads a field containing a hostname and then writes the "registered domain" contained in the hostname to the target field. For example, given `www.google.co.uk` the processor would output `google.co.uk`. In other words the "registered domain" is the effective top-level domain (`co.uk`) plus one level (`google`). Optionally, it can store the rest of the domain, the `subdomain` into another target field.
+
+This processor uses the Mozilla Public Suffix list to determine the value.
+
+```yaml
+processors:
+  - registered_domain:
+      field: dns.question.name
+      target_field: dns.question.registered_domain
+      target_etld_field: dns.question.top_level_domain
+      target_subdomain_field: dns.question.sudomain
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `registered_domain` processor has the following configuration settings:
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a fully qualified domain name (FQDN). |  |
+| `target_field` | yes |  | Target field for the registered domain value. |  |
+| `target_etld_field` | no |  | Target field for the effective top-level domain value. |  |
+| `target_subdomain_field` | no |  | Target subdomain field for the subdomain value. |  |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |  |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |  |
+| `id` | no |  | An identifier for this processor instance. Useful for debugging. |  |
+
diff --git a/docs/reference/auditbeat/processor-translate-guid.md b/docs/reference/auditbeat/processor-translate-guid.md
new file mode 100644
index 000000000000..d6595dd7b246
--- /dev/null
+++ b/docs/reference/auditbeat/processor-translate-guid.md
@@ -0,0 +1,79 @@
+---
+navigation_title: "translate_ldap_attribute"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/processor-translate-guid.html
+---
+
+# Translate GUID [processor-translate-guid]
+
+
+The `translate_ldap_attribute` processor translates an LDAP attributes between eachother. It is typically used to translate AD Global Unique Identifiers (GUID) into their common names.
+
+Every object on an Active Directory or an LDAP server is issued a GUID. Internal processes refer to their GUID’s rather than the object’s name and these values sometimes appear in logs.
+
+If the search attribute is invalid (malformed) or does not map to any object on the domain then this will result in the processor returning an error unless `ignore_failure` is set.
+
+The result of this operation is an array of values, given that a single attribute can hold multiple values.
+
+Note: the search attribute is expected to map to a single object. If it doesn’t, no error will be returned, but only results of the first entry will be added to the event.
+
+```yaml
+processors:
+  - translate_ldap_attribute:
+      field: winlog.event_data.ObjectGuid
+      ldap_address: "ldap://"
+      ldap_base_dn: "dc=example,dc=com"
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `translate_ldap_attribute` processor has the following configuration settings:
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a GUID. |
+| `target_field` | no |  | Target field for the mapped attribute value. If not set it will be replaced in place. |
+| `ldap_address` | yes |  | LDAP server address. eg: `ldap://ds.example.com:389` |
+| `ldap_base_dn` | yes |  | LDAP base DN. eg: `dc=example,dc=com` |
+| `ldap_bind_user` | no |  | LDAP user. |
+| `ldap_bind_password` | no |  | LDAP password. |
+| `ldap_search_attribute` | yes | `objectGUID` | LDAP attribute to search by. |
+| `ldap_mapped_attribute` | yes | `cn` | LDAP attribute to map to. |
+| `ldap_search_time_limit` | no | 30 | LDAP search time limit in seconds. |
+| `ldap_ssl`* | no | 30 | LDAP TLS/SSL connection settings. |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |
+
+* Also see [SSL](/reference/auditbeat/configuration-ssl.md) for a full description of the `ldap_ssl` options.
+
+If the searches are slow or you expect a high amount of different key attributes to be found, consider using a cache processor to speed processing:
+
+```yaml
+processors:
+  - cache:
+      backend:
+        memory:
+          id: ldapguids
+      get:
+        key_field: winlog.event_data.ObjectGuid
+        target_field: winlog.common_name
+      ignore_missing: true
+  - if:
+      not:
+        - has_fields: winlog.common_name
+    then:
+      - translate_ldap_attribute:
+          field: winlog.event_data.ObjectGuid
+          target_field: winlog.common_name
+          ldap_address: "ldap://"
+          ldap_base_dn: "dc=example,dc=com"
+      - cache:
+          backend:
+            memory:
+              id: ldapguids
+            capacity: 10000
+          put:
+            key_field: winlog.event_data.ObjectGuid
+            value_field: winlog.common_name
+```
+
diff --git a/docs/reference/auditbeat/processor-translate-sid.md b/docs/reference/auditbeat/processor-translate-sid.md
new file mode 100644
index 000000000000..b6d1bef8e860
--- /dev/null
+++ b/docs/reference/auditbeat/processor-translate-sid.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "translate_sid"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/processor-translate-sid.html
+---
+
+# Translate SID [processor-translate-sid]
+
+
+The `translate_sid` processor translates a Windows security identifier (SID) into an account name. It retrieves the name of the account associated with the SID, the first domain on which the SID is found, and the type of account. This is only available on Windows.
+
+Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account’s SID rather than the account’s user or group name and these values sometimes appear in logs.
+
+If the SID is invalid (malformed) or does not map to any account on the local system or domain then this will result in the processor returning an error unless `ignore_failure` is set.
+
+```yaml
+processors:
+  - translate_sid:
+      field: winlog.event_data.MemberSid
+      account_name_target: user.name
+      domain_target: user.domain
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `translate_sid` processor has the following configuration settings:
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a Windows security identifier (SID). |
+| `account_name_target` | yes* |  | Target field for the account name value. |
+| `account_type_target` | yes* |  | Target field for the account type value. |
+| `domain_target` | yes* |  | Target field for the domain value. |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |
+
+* At least one of `account_name_target`, `account_type_target`, and `domain_target` is required to be configured.
+
diff --git a/docs/reference/auditbeat/publishing-ls-fails-connection-reset-by-peer.md b/docs/reference/auditbeat/publishing-ls-fails-connection-reset-by-peer.md
new file mode 100644
index 000000000000..4384fac7f1a2
--- /dev/null
+++ b/docs/reference/auditbeat/publishing-ls-fails-connection-reset-by-peer.md
@@ -0,0 +1,18 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/publishing-ls-fails-connection-reset-by-peer.html
+---
+
+# Publishing to Logstash fails with "connection reset by peer" message [publishing-ls-fails-connection-reset-by-peer]
+
+Auditbeat requires a persistent TCP connection to {{ls}}. If a firewall interferes with the connection, you might see errors like this:
+
+```shell
+Failed to publish events caused by: write tcp ... write: connection reset by peer
+```
+
+To solve the problem:
+
+* make sure the firewall is not closing connections between Auditbeat and {{ls}}, or
+* set the `ttl` value in the [{{ls}} output](/reference/auditbeat/logstash-output.md) to a value that’s lower than the maximum time allowed by the firewall, and set `pipelining` to 0 (pipelining cannot be enabled when `ttl` is used).
+
diff --git a/docs/reference/auditbeat/rate-limit.md b/docs/reference/auditbeat/rate-limit.md
new file mode 100644
index 000000000000..730f0715174b
--- /dev/null
+++ b/docs/reference/auditbeat/rate-limit.md
@@ -0,0 +1,43 @@
+---
+navigation_title: "rate_limit"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/rate-limit.html
+---
+
+# Rate limit the flow of events [rate-limit]
+
+
+The `rate_limit` processor limits the throughput of events based on the specified configuration.
+
+In the current implementation, rate-limited events are dropped. Future implementations may allow rate-limited events to be handled differently.
+
+```yaml
+processors:
+- rate_limit:
+   limit: "10000/m"
+```
+
+```yaml
+processors:
+- rate_limit:
+   fields:
+   - "cloudfoundry.org.name"
+   limit: "400/s"
+```
+
+```yaml
+processors:
+- if.equals.cloudfoundry.org.name: "acme"
+  then:
+  - rate_limit:
+      limit: "500/s"
+```
+
+The following settings are supported:
+
+`limit`
+:   The rate limit. Supported time units for the rate are `s` (per second), `m` (per minute), and `h` (per hour).
+
+`fields`
+:   (Optional) List of fields. The rate limit will be applied to each distinct value derived by combining the values of these fields.
+
diff --git a/docs/reference/auditbeat/redis-output.md b/docs/reference/auditbeat/redis-output.md
new file mode 100644
index 000000000000..8c5ac0aebf5b
--- /dev/null
+++ b/docs/reference/auditbeat/redis-output.md
@@ -0,0 +1,209 @@
+---
+navigation_title: "Redis"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/redis-output.html
+---
+
+# Configure the Redis output [redis-output]
+
+
+The Redis output inserts the events into a Redis list or a Redis channel. This output plugin is compatible with the [Redis input plugin](logstash://reference/plugins-inputs-redis.md) for Logstash.
+
+To use this output, edit the Auditbeat configuration file to disable the {{es}} output by commenting it out, and enable the Redis output by adding `output.redis`.
+
+Example configuration:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  password: "my_password"
+  key: "auditbeat"
+  db: 0
+  timeout: 5
+```
+
+## Compatibility [_compatibility_3]
+
+This output is expected to work with all Redis versions between 3.2.4 and 5.0.8. Other versions might work as well, but are not supported.
+
+
+## Configuration options [_configuration_options_5]
+
+You can specify the following `output.redis` options in the `auditbeat.yml` config file:
+
+### `enabled` [_enabled_4]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [_hosts_2]
+
+The list of Redis servers to connect to. If load balancing is enabled, the events are distributed to the servers in the list. If one server becomes unreachable, the events are distributed to the reachable servers only. You can define each Redis server by specifying `HOST` or `HOST:PORT`. For example: `"192.15.3.2"` or `"test.redis.io:12345"`. If you don’t specify a port number, the value configured by `port` is used. Configure each Redis server with an `IP:PORT` pair or with a `URL`. For example: `redis://localhost:6379` or `rediss://localhost:6379`. URLs can include a server-specific password. For example: `redis://:password@localhost:6379`. The `redis` scheme will disable the `ssl` settings for the host, while `rediss` will enforce TLS.  If `rediss` is specified and no `ssl` settings are configured, the output uses the system certificate store.
+
+
+### `index` [_index]
+
+The index name added to the events metadata for use by Logstash. The default is "auditbeat".
+
+
+### `key` [key-option-redis]
+
+The name of the Redis list or channel the events are published to. If not configured, the value of the `index` setting is used.
+
+You can set the key dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.list`, to set the Redis list key. If `fields.list` is missing, `fallback` is used:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  key: "%{[fields.list]:fallback}"
+```
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/auditbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`keys`](#keys-option-redis) setting for other ways to set the key dynamically.
+
+
+### `keys` [keys-option-redis]
+
+An array of key selector rules. Each rule specifies the `key` to use for events that match the rule. During publishing, Auditbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `keys` setting is missing or no rule matches, the [`key`](#key-option-redis) setting is used.
+
+Rule settings:
+
+**`index`**
+:   The key format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `key` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/auditbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+Example `keys` settings:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  key: "default_list"
+  keys:
+    - key: "info_list"   # send to info_list if `message` field contains INFO
+      when.contains:
+        message: "INFO"
+    - key: "debug_list"  # send to debug_list if `message` field contains DEBUG
+      when.contains:
+        message: "DEBUG"
+    - key: "%{[fields.list]}"
+      mappings:
+        http: "frontend_list"
+        nginx: "frontend_list"
+        mysql: "backend_list"
+```
+
+
+### `password` [_password_3]
+
+The password to authenticate with. The default is no authentication.
+
+
+### `db` [_db]
+
+The Redis database number where the events are published. The default is 0.
+
+
+### `datatype` [_datatype]
+
+The Redis data type to use for publishing events.If the data type is `list`, the Redis RPUSH command is used and all events are added to the list with the key defined under `key`. If the data type `channel` is used, the Redis `PUBLISH` command is used and means that all events are pushed to the pub/sub mechanism of Redis. The name of the channel is the one defined under `key`. The default value is `list`.
+
+
+### `codec` [_codec_2]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/auditbeat/configuration-output-codec.md) for more information.
+
+
+### `worker` or `workers` [_worker_or_workers_2]
+
+The number of workers to use for each host configured to publish events to Redis. Use this setting along with the `loadbalance` option. For example, if you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+
+### `loadbalance` [_loadbalance_2]
+
+When `loadbalance: true` is set, Auditbeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Auditbeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Auditbeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Auditbeat can connect to at least one of its configured hosts.
+
+The default value is `true`.
+
+
+### `timeout` [_timeout_4]
+
+The Redis connection timeout in seconds. The default is 5 seconds.
+
+
+### `backoff.init` [_backoff_init_3]
+
+The number of seconds to wait before trying to reconnect to Redis after a network error. After waiting `backoff.init` seconds, Auditbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_3]
+
+The maximum number of seconds to wait before attempting to connect to Redis after a network error. The default is 60s.
+
+
+### `max_retries` [_max_retries_4]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `bulk_max_size` [_bulk_max_size_3]
+
+The maximum number of events to bulk in a single Redis request or pipeline. The default is 2048.
+
+Events can be collected into batches. Auditbeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `ssl` [_ssl_4]
+
+Configuration options for SSL parameters like the root CA for Redis connections guarded by SSL proxies (for example [stunnel](https://www.stunnel.org)). See [SSL](/reference/auditbeat/configuration-ssl.md) for more information.
+
+
+### `proxy_url` [_proxy_url_3]
+
+The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The value must be a URL with a scheme of `socks5://`. You cannot use a web proxy because the protocol used to communicate with Redis is not based on HTTP.
+
+If the SOCKS5 proxy server requires client authentication, you can embed a username and password in the URL.
+
+When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the [`proxy_use_local_resolver`](#redis-proxy-use-local-resolver) option.
+
+
+### `proxy_use_local_resolver` [redis-proxy-use-local-resolver]
+
+This option determines whether Redis hostnames are resolved locally when using a proxy. The default value is false, which means that name resolution occurs on the proxy server.
+
+
+### `queue` [_queue_4]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/auditbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `auditbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/auditbeat/regexp-support.md b/docs/reference/auditbeat/regexp-support.md
new file mode 100644
index 000000000000..3243ae9a0685
--- /dev/null
+++ b/docs/reference/auditbeat/regexp-support.md
@@ -0,0 +1,111 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/regexp-support.html
+---
+
+# Regular expression support [regexp-support]
+
+Auditbeat regular expression support is based on [RE2](https://godoc.org/regexp/syntax).
+
+Before using a regular expression in the config file, refer to the documentation to verify that the option you are setting accepts a regular expression.
+
+::::{note}
+We recommend that you wrap regular expressions in single quotation marks to work around YAML’s string escaping rules. For example, `'^\[?[0-9][0-9]:?[0-9][0-9]|^[[:graph:]]+'`.
+::::
+
+
+For more examples of supported regexp patterns, see [Managing Multiline Messages](/reference/filebeat/multiline-examples.md). Although the examples pertain to Filebeat, the regexp patterns are applicable to other use cases.
+
+The following patterns are supported:
+
+* [Single Characters](#single-characters)
+* [Composites](#composites)
+* [Repetitions](#repetitions)
+* [Groupings](#grouping)
+* [Empty Strings](#empty-strings)
+* [Escape Sequences](#escape-sequences)
+* [ASCII Character Classes](#ascii-character-classes)
+* [Perl Character Classes](#perl-character-classes)
+
+| Pattern | Description |
+| --- | --- |
+| $$$single-characters$$$**Single Characters** |  |
+| `x` | single character |
+| `.` | any character |
+| `[xyz]` | character class |
+| `[^xyz]` | negated character class |
+| `[[:alpha:]]` | ASCII character class |
+| `[[:^alpha:]]` | negated ASCII character class |
+| `\d` | Perl character class |
+| `\D` | negated Perl character class |
+| `\pN` | Unicode character class (one-letter name) |
+| `\p{{Greek}}` | Unicode character class |
+| `\PN` | negated Unicode character class (one-letter name) |
+| `\P{{Greek}}` | negated Unicode character class |
+| $$$composites$$$**Composites** |  |
+| `xy` | `x` followed by `y` |
+| `x&#124;y` | `x` or `y` (prefer `x`) |
+| $$$repetitions$$$**Repetitions** |  |
+| `x*` | zero or more `x` |
+| `x+` | one or more `x` |
+| `x?` | zero or one `x` |
+| `x{n,m}` | `n` or `n+1` or …​ or `m` `x`, prefer more |
+| `x{n,}` | `n` or more `x`, prefer more |
+| `x{{n}}` | exactly `n` `x` |
+| `x*?` | zero or more `x`, prefer fewer |
+| `x+?` | one or more `x`, prefer fewer |
+| `x??` | zero or one `x`, prefer zero |
+| `x{n,m}?` | `n` or `n+1` or …​ or `m` `x`, prefer fewer |
+| `x{n,}?` | `n` or more `x`, prefer fewer |
+| `x{{n}}?` | exactly `n` `x` |
+| $$$grouping$$$**Grouping** |  |
+| `(re)` | numbered capturing group (submatch) |
+| `(?P<name>re)` | named & numbered capturing group (submatch) |
+| `(?:re)` | non-capturing group |
+| `(?i)abc` | set flags within current group, non-capturing |
+| `(?i:re)` | set flags during re, non-capturing |
+| `(?i)PaTTeRN` | case-insensitive (default false) |
+| `(?m)multiline` | multi-line mode: `^` and `$` match begin/end line in addition to begin/end text (default false) |
+| `(?s)pattern.` | let `.` match `\n` (default false) |
+| `(?U)x*abc` | ungreedy: swap meaning of `x*` and `x*?`, `x+` and `x+?`, etc (default false) |
+| $$$empty-strings$$$**Empty Strings** |  |
+| `^` | at beginning of text or line (`m`=true) |
+| `$` | at end of text (like `\z` not `\Z`) or line (`m`=true) |
+| `\A` | at beginning of text |
+| `\b` | at ASCII word boundary (`\w` on one side and `\W`, `\A`, or `\z` on the other) |
+| `\B` | not at ASCII word boundary |
+| `\z` | at end of text |
+| $$$escape-sequences$$$**Escape Sequences** |  |
+| `\a` | bell (same as `\007`) |
+| `\f` | form feed (same as `\014`) |
+| `\t` | horizontal tab (same as `\011`) |
+| `\n` | newline (same as `\012`) |
+| `\r` | carriage return (same as `\015`) |
+| `\v` | vertical tab character (same as `\013`) |
+| `\*` | literal `*`, for any punctuation character `*` |
+| `\123` | octal character code (up to three digits) |
+| `\x7F` | two-digit hex character code |
+| `\x{{10FFFF}}` | hex character code |
+| `\Q...\E` | literal text `...` even if `...` has punctuation |
+| $$$ascii-character-classes$$$**ASCII Character Classes** |  |
+| `[[:alnum:]]` | alphanumeric (same as `[0-9A-Za-z]`) |
+| `[[:alpha:]]` | alphabetic (same as `[A-Za-z]`) |
+| `[[:ascii:]]` | ASCII (same as `\x00-\x7F]`) |
+| `[[:blank:]]` | blank (same as `[\t ]`) |
+| `[[:cntrl:]]` | control (same as `[\x00-\x1F\x7F]`) |
+| `[[:digit:]]` | digits (same as `[0-9]`) |
+| `[[:graph:]]` | graphical (same as ```[!-~] == [A-Za-z0-9!"#$%&'()*+,\-./:;<=>?@[\\\]^_` ``` ```{&#124;}~]```) |
+| `[[:lower:]]` | lower case (same as `[a-z]`) |
+| `[[:print:]]` | printable (same as `[ -~] == [ [:graph:]]`) |
+| `[[:punct:]]` | punctuation (same as ```[!-/:-@[-`{-~]```) |
+| `[[:space:]]` | whitespace (same as `[\t\n\v\f\r ]`) |
+| `[[:upper:]]` | upper case (same as `[A-Z]`) |
+| `[[:word:]]` | word characters (same as `[0-9A-Za-z_]`) |
+| `[[:xdigit:]]` | hex digit (same as `[0-9A-Fa-f]`) |
+| $$$perl-character-classes$$$**Supported Perl Character Classes** |  |
+| `\d` | digits (same as `[0-9]`) |
+| `\D` | not digits (same as `[^0-9]`) |
+| `\s` | whitespace (same as `[\t\n\f\r ]`) |
+| `\S` | not whitespace (same as `[^\t\n\f\r ]`) |
+| `\w` | word characters (same as `[0-9A-Za-z_]`) |
+| `\W` | not word characters (same as `[^0-9A-Za-z_]`) |
diff --git a/docs/reference/auditbeat/rename-fields.md b/docs/reference/auditbeat/rename-fields.md
new file mode 100644
index 000000000000..1f96667679d1
--- /dev/null
+++ b/docs/reference/auditbeat/rename-fields.md
@@ -0,0 +1,43 @@
+---
+navigation_title: "rename"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/rename-fields.html
+---
+
+# Rename fields from events [rename-fields]
+
+
+The `rename` processor specifies a list of fields to rename. Under the `fields` key, each entry contains a `from: old-key` and a `to: new-key` pair, where:
+
+* `from` is the original field name. It’s supported to use `@metadata.` prefix for `from` and rename keys in the event metadata instead of event fields.
+* `to` is the target field name
+
+The `rename` processor cannot be used to overwrite fields. To overwrite fields either first rename the target field, or use the `drop_fields` processor to drop the field and then rename the field.
+
+::::{tip}
+You can rename fields to resolve field name conflicts. For example, if an event has two fields, `c` and `c.b` (where `b` is a subfield of `c`), assigning scalar values results in an {{es}} error at ingest time. The assignment `{"c": 1, "c.b": 2}` would result in an error because `c` is an object and cannot be assigned a scalar value. To prevent this conflict, rename `c` to `c.value` before assigning values.
+::::
+
+
+```yaml
+processors:
+  - rename:
+      fields:
+        - from: "a.g"
+          to: "e.d"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+The `rename` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be renamed is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the renaming of fields is stopped and the original event is returned. If set to false, renaming continues also if an error happened during renaming. Default is `true`.
+
+See [Conditions](/reference/auditbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+You can specify multiple `rename` processors under the `processors` section.
+
diff --git a/docs/reference/auditbeat/replace-fields.md b/docs/reference/auditbeat/replace-fields.md
new file mode 100644
index 000000000000..9224357c02f0
--- /dev/null
+++ b/docs/reference/auditbeat/replace-fields.md
@@ -0,0 +1,44 @@
+---
+navigation_title: "replace"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/replace-fields.html
+---
+
+# Replace fields from events [replace-fields]
+
+
+The `replace` processor takes a list of fields to search for a matching value and replaces the matching value with a specified string.
+
+The `replace` processor cannot be used to create a completely new value.
+
+::::{tip}
+You can use this processor to truncate a field value or replace it with a new string value. You can also use this processor to mask PII information.
+::::
+
+
+
+## Example [_example]
+
+The following example changes the path from `/usr/bin` to `/usr/local/bin`:
+
+```yaml
+  - replace:
+      fields:
+        - field: "file.path"
+          pattern: "/usr/"
+          replacement: "/usr/local/"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+
+## Configuration settings [_configuration_settings]
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `fields` | Yes |  | List of one or more items. Each item contains a `field: field-name`, `pattern: regex-pattern`, and `replacement: replacement-string`, where:<br><br>* `field` is the original field name. You can use the `@metadata.` prefix in this field to replace values in the event metadata instead of event fields.<br>* `pattern` is the regex pattern to match the field’s value<br>* `replacement` is the replacement string to use to update the field’s value<br> |
+| `ignore_missing` | No | `false` | Whether to ignore missing fields. If `true`, no error is logged if the specified field is missing. |
+| `fail_on_error` | No | `true` | Whether to fail replacement of field values if an error occurs.If `true` and there’s an error, the replacement of field values is stopped, and the original event is returned.If `false`, replacement continues even if an error occurs during replacement. |
+
+See [Conditions](/reference/auditbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/auditbeat/running-on-docker.md b/docs/reference/auditbeat/running-on-docker.md
new file mode 100644
index 000000000000..c78cd78ac846
--- /dev/null
+++ b/docs/reference/auditbeat/running-on-docker.md
@@ -0,0 +1,164 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html
+---
+
+# Run Auditbeat on Docker [running-on-docker]
+
+Docker images for Auditbeat are available from the Elastic Docker registry. The base image is [centos:7](https://hub.docker.com/_/centos/).
+
+A list of all published Docker images and tags is available at [www.docker.elastic.co](https://www.docker.elastic.co).
+
+These images are free to use under the Elastic license. They contain open source and free commercial features and access to paid commercial features. [Start a 30-day trial](docs-content://deploy-manage/license/manage-your-license-in-self-managed-cluster.md) to try out all of the paid commercial features. See the [Subscriptions](https://www.elastic.co/subscriptions) page for information about Elastic license levels.
+
+## Pull the image [_pull_the_image]
+
+Obtaining Auditbeat for Docker is as simple as issuing a `docker pull` command against the Elastic Docker registry.
+
+::::{warning}
+Version 9.0.0-beta1 of Auditbeat has not yet been released. No Docker image is currently available for Auditbeat 9.0.0-beta1.
+::::
+
+
+```sh
+docker pull docker.elastic.co/beats/auditbeat:9.0.0-beta1
+```
+
+Alternatively, you can download other Docker images that contain only features available under the Apache 2.0 license. To download the images, go to [www.docker.elastic.co](https://www.docker.elastic.co).
+
+As another option, you can use the hardened [Wolfi](https://wolfi.dev/) image. Using Wolfi images requires Docker version 20.10.10 or higher. For details about why the Wolfi images have been introduced, refer to our article [Reducing CVEs in Elastic container images](https://www.elastic.co/blog/reducing-cves-in-elastic-container-images).
+
+```bash
+docker pull docker.elastic.co/beats/auditbeat-wolfi:9.0.0-beta1
+```
+
+
+## Optional: Verify the image [_optional_verify_the_image]
+
+You can use the [Cosign application](https://docs.sigstore.dev/cosign/installation/) to verify the Auditbeat Docker image signature.
+
+::::{warning}
+Version 9.0.0-beta1 of Auditbeat has not yet been released. No Docker image is currently available for Auditbeat 9.0.0-beta1.
+::::
+
+
+```sh
+wget https://artifacts.elastic.co/cosign.pub
+cosign verify --key cosign.pub docker.elastic.co/beats/auditbeat:9.0.0-beta1
+```
+
+The `cosign` command prints the check results and the signature payload in JSON format:
+
+```sh
+Verification for docker.elastic.co/beats/auditbeat:9.0.0-beta1 --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The signatures were verified against the specified public key
+```
+
+
+## Run the Auditbeat setup [_run_the_auditbeat_setup]
+
+::::{important}
+A [known issue](https://github.com/elastic/beats/issues/42038) in version 8.17.0 prevents {{beats}} Docker images from starting when no options are provided. When running an image on that version, add an `--environment container` parameter to avoid the problem. This is planned to be addressed in issue [#42060](https://github.com/elastic/beats/pull/42060).
+::::
+
+
+Running Auditbeat with the setup command will create the index pattern and load visualizations , dashboards, and machine learning jobs.  Run this command:
+
+```sh
+docker run --rm \
+  --cap-add="AUDIT_CONTROL" \
+  --cap-add="AUDIT_READ" \
+  docker.elastic.co/beats/auditbeat:9.0.0-beta1 \
+  setup -E setup.kibana.host=kibana:5601 \
+  -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
+```
+
+1. Substitute your Kibana and Elasticsearch hosts and ports.
+2. If you are using the hosted {{ess}} in {{ecloud}}, replace the `-E output.elasticsearch.hosts` line with the Cloud ID and elastic password using this syntax:
+
+
+```shell
+-E cloud.id=<Cloud ID from Elasticsearch Service> \
+-E cloud.auth=elastic:<elastic password>
+```
+
+
+## Run Auditbeat on a read-only file system [_run_auditbeat_on_a_read_only_file_system]
+
+If you’d like to run Auditbeat in a Docker container on a read-only file system, you can do so by specifying the `--read-only` option. Auditbeat requires a stateful directory to store application data, so with the `--read-only` option you also need to use the `--mount` option to specify a path to where that data can be stored.
+
+For example:
+
+```sh
+docker run --rm \
+  --mount type=bind,source=$(pwd)/data,destination=/usr/share/auditbeat/data \
+  --read-only \
+  docker.elastic.co/beats/auditbeat:9.0.0-beta1
+```
+
+
+## Configure Auditbeat on Docker [_configure_auditbeat_on_docker]
+
+The Docker image provides several methods for configuring Auditbeat. The conventional approach is to provide a configuration file via a volume mount, but it’s also possible to create a custom image with your configuration included.
+
+### Example configuration file [_example_configuration_file]
+
+Download this example configuration file as a starting point:
+
+```sh
+curl -L -O https://raw.githubusercontent.com/elastic/beats/master/deploy/docker/auditbeat.docker.yml
+```
+
+
+### Volume-mounted configuration [_volume_mounted_configuration]
+
+One way to configure Auditbeat on Docker is to provide `auditbeat.docker.yml` via a volume mount. With `docker run`, the volume mount can be specified like this.
+
+```sh
+docker run -d \
+  --name=auditbeat \
+  --user=root \
+  --volume="$(pwd)/auditbeat.docker.yml:/usr/share/auditbeat/auditbeat.yml:ro" \
+  --cap-add="AUDIT_CONTROL" \
+  --cap-add="AUDIT_READ" \
+  --pid=host \
+  docker.elastic.co/beats/auditbeat:9.0.0-beta1 -e \
+  --strict.perms=false \
+  -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
+```
+
+1. Substitute your Elasticsearch hosts and ports.
+2. If you are using the hosted {{ess}} in {{ecloud}}, replace the `-E output.elasticsearch.hosts` line with the Cloud ID and elastic password using the syntax shown earlier.
+
+
+
+### Customize your configuration [_customize_your_configuration]
+
+The `auditbeat.docker.yml` downloaded earlier should be customized for your environment. See [Configure](/reference/auditbeat/configuring-howto-auditbeat.md) for more details. Edit the configuration file and customize it to match your environment then re-deploy your Auditbeat container.
+
+
+### Custom image configuration [_custom_image_configuration]
+
+It’s possible to embed your Auditbeat configuration in a custom image. Here is an example Dockerfile to achieve this:
+
+```dockerfile
+FROM docker.elastic.co/beats/auditbeat:9.0.0-beta1
+COPY auditbeat.yml /usr/share/auditbeat/auditbeat.yml
+```
+
+
+
+## Special requirements [_special_requirements]
+
+Under Docker, Auditbeat runs as a non-root user, but requires some privileged capabilities to operate correctly. Ensure that the `AUDIT_CONTROL` and `AUDIT_READ` capabilities are available to the container.
+
+It is also essential to run Auditbeat in the host PID namespace.
+
+```sh
+docker run --cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ --user=root --pid=host docker.elastic.co/beats/auditbeat:9.0.0-beta1
+```
+
+
diff --git a/docs/reference/auditbeat/running-on-kubernetes.md b/docs/reference/auditbeat/running-on-kubernetes.md
new file mode 100644
index 000000000000..69e1e9efa761
--- /dev/null
+++ b/docs/reference/auditbeat/running-on-kubernetes.md
@@ -0,0 +1,87 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html
+---
+
+# Running Auditbeat on Kubernetes [running-on-kubernetes]
+
+Auditbeat [Docker images](/reference/auditbeat/running-on-docker.md) can be used on Kubernetes to check files integrity.
+
+::::{tip}
+Running {{ecloud}} on Kubernetes? See [Run {{beats}} on ECK](docs-content://deploy-manage/deploy/cloud-on-k8s/beats.md).
+::::
+
+
+However, version 9.0.0-beta1 of Auditbeat has not yet been released, so no Docker image is currently available for this version.
+
+
+## Kubernetes deploy manifests [_kubernetes_deploy_manifests]
+
+By deploying Auditbeat as a [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) we ensure we get a running instance on each node of the cluster.
+
+Everything is deployed under `kube-system` namespace, you can change that by updating the YAML file.
+
+To get the manifests just run:
+
+```sh
+curl -L -O https://raw.githubusercontent.com/elastic/beats/master/deploy/kubernetes/auditbeat-kubernetes.yaml
+```
+
+::::{warning}
+If you are using Kubernetes 1.7 or earlier: Auditbeat uses a hostPath volume to persist internal data, it’s located under /var/lib/auditbeat-data. The manifest uses folder autocreation (`DirectoryOrCreate`), which was introduced in Kubernetes 1.8. You will need to remove `type: DirectoryOrCreate` from the manifest and create the host folder yourself.
+
+::::
+
+
+
+## Settings [_settings]
+
+Some parameters are exposed in the manifest to configure logs destination, by default they will use an existing Elasticsearch deploy if it’s present, but you may want to change that behavior, so just edit the YAML file and modify them:
+
+```yaml
+- name: ELASTICSEARCH_HOST
+  value: elasticsearch
+- name: ELASTICSEARCH_PORT
+  value: "9200"
+- name: ELASTICSEARCH_USERNAME
+  value: elastic
+- name: ELASTICSEARCH_PASSWORD
+  value: changeme
+```
+
+
+### Running Auditbeat on control plane nodes [_running_auditbeat_on_control_plane_nodes]
+
+Kubernetes control plane nodes can use [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) to limit the workloads that can run on them. To run Auditbeat on control plane nodes you may need to update the Daemonset spec to include proper tolerations:
+
+```yaml
+spec:
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+   effect: NoSchedule
+```
+
+
+## Deploy [_deploy]
+
+To deploy Auditbeat to Kubernetes just run:
+
+```sh
+kubectl create -f auditbeat-kubernetes.yaml
+```
+
+Then you should be able to check the status by running:
+
+```sh
+$ kubectl --namespace=kube-system get ds/auditbeat
+
+NAME       DESIRED   CURRENT   READY     UP-TO-DATE   AVAILABLE   NODE-SELECTOR   AGE
+auditbeat   32        32        0         32           0           <none>          1m
+```
+
+::::{warning}
+Auditbeat is able to monitor the file integrity of files in pods, to do that, the directories with the container root file systems have to be mounted as volumes in the Auditbeat container. For example, containers executed with containerd have their root file systems under `/run/containerd`. The [reference manifest](https://raw.githubusercontent.com/elastic/beats/master/deploy/kubernetes/auditbeat-kubernetes.yaml) contains an example of this.
+
+::::
+
+
diff --git a/docs/reference/auditbeat/running-with-systemd.md b/docs/reference/auditbeat/running-with-systemd.md
new file mode 100644
index 000000000000..728271ebcbff
--- /dev/null
+++ b/docs/reference/auditbeat/running-with-systemd.md
@@ -0,0 +1,86 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/running-with-systemd.html
+---
+
+# Auditbeat and systemd [running-with-systemd]
+
+The DEB and RPM packages include a service unit for Linux systems with systemd. On these systems, you can manage Auditbeat by using the usual systemd commands.
+
+The service unit is configured with `UMask=0027` which means the most permissive mask allowed for files created by Auditbeat is `0640`. All configured file permissions higher than `0640` will be ignored. Please edit the unit file manually in case you need to change that.
+
+## Start and stop Auditbeat [_start_and_stop_auditbeat]
+
+Use `systemctl` to start or stop Auditbeat:
+
+```sh
+sudo systemctl start auditbeat
+```
+
+```sh
+sudo systemctl stop auditbeat
+```
+
+By default, the Auditbeat service starts automatically when the system boots. To enable or disable auto start use:
+
+```sh
+sudo systemctl enable auditbeat
+```
+
+```sh
+sudo systemctl disable auditbeat
+```
+
+
+## Auditbeat status and logs [_auditbeat_status_and_logs]
+
+To get the service status, use `systemctl`:
+
+```sh
+systemctl status auditbeat
+```
+
+Logs are stored by default in journald. To view the Logs, use `journalctl`:
+
+```sh
+journalctl -u auditbeat.service
+```
+
+
+## Customize systemd unit for Auditbeat [_customize_systemd_unit_for_auditbeat]
+
+The systemd service unit file includes environment variables that you can override to change the default options.
+
+| Variable | Description | Default value |
+| --- | --- | --- |
+| BEAT_LOG_OPTS | Log options |  |
+| BEAT_CONFIG_OPTS | Flags for configuration file path | ``-c /etc/auditbeat/auditbeat.yml`` |
+| BEAT_PATH_OPTS | Other paths | ``--path.home /usr/share/auditbeat --path.config /etc/auditbeat --path.data /var/lib/auditbeat --path.logs /var/log/auditbeat`` |
+
+::::{note}
+You can use `BEAT_LOG_OPTS` to set debug selectors for logging. However, to configure logging behavior, set the logging options described in [Configure logging](/reference/auditbeat/configuration-logging.md).
+::::
+
+
+To override these variables, create a drop-in unit file in the `/etc/systemd/system/auditbeat.service.d` directory.
+
+For example a file with the following content placed in `/etc/systemd/system/auditbeat.service.d/debug.conf` would override `BEAT_LOG_OPTS` to enable debug for Elasticsearch output.
+
+```text
+[Service]
+Environment="BEAT_LOG_OPTS=-d elasticsearch"
+```
+
+To apply your changes, reload the systemd configuration and restart the service:
+
+```sh
+systemctl daemon-reload
+systemctl restart auditbeat
+```
+
+::::{note}
+It is recommended that you use a configuration management tool to include drop-in unit files. If you need to add a drop-in manually, use `systemctl edit auditbeat.service`.
+::::
+
+
+
diff --git a/docs/reference/auditbeat/securing-auditbeat.md b/docs/reference/auditbeat/securing-auditbeat.md
new file mode 100644
index 000000000000..be5afc590c63
--- /dev/null
+++ b/docs/reference/auditbeat/securing-auditbeat.md
@@ -0,0 +1,25 @@
+---
+navigation_title: "Secure"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/securing-auditbeat.html
+---
+
+# Secure Auditbeat [securing-auditbeat]
+
+
+The following topics provide information about securing the Auditbeat process and connecting to a cluster that has {{security-features}} enabled.
+
+You can use role-based access control and optionally, API keys to grant Auditbeat users access to secured resources.
+
+* [*Grant users access to secured resources*](/reference/auditbeat/feature-roles.md)
+* [*Grant access using API keys*](/reference/auditbeat/beats-api-keys.md).
+
+After privileged users have been created, use authentication to connect to a secured Elastic cluster.
+
+* [*Secure communication with Elasticsearch*](/reference/auditbeat/securing-communication-elasticsearch.md)
+* [*Secure communication with Logstash*](/reference/auditbeat/configuring-ssl-logstash.md)
+
+On Linux, Auditbeat can take advantage of secure computing mode to restrict the system calls that a process can issue.
+
+* [*Use Linux Secure Computing Mode (seccomp)*](/reference/auditbeat/linux-seccomp.md)
+
diff --git a/docs/reference/auditbeat/securing-communication-elasticsearch.md b/docs/reference/auditbeat/securing-communication-elasticsearch.md
new file mode 100644
index 000000000000..f6fda6096876
--- /dev/null
+++ b/docs/reference/auditbeat/securing-communication-elasticsearch.md
@@ -0,0 +1,104 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/securing-communication-elasticsearch.html
+---
+
+# Secure communication with Elasticsearch [securing-communication-elasticsearch]
+
+When sending data to a secured cluster through the `elasticsearch` output, Auditbeat can use any of the following authentication methods:
+
+* Basic authentication credentials (username and password).
+* Token-based API authentication.
+* A client certificate.
+
+Authentication is specified in the Auditbeat configuration file:
+
+* To use **basic authentication**, specify the `username` and `password` settings under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      username: "auditbeat_writer" <1>
+      password: "{pwd}" <2>
+    ```
+
+    1. This user needs the privileges required to publish events to {{es}}. To create a user like this, see [Create a *publishing* user](/reference/auditbeat/privileges-to-publish-events.md).
+    2. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/auditbeat/keystore.md).
+
+* To use token-based **API key authentication**, specify the `api_key` under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      api_key: "ZCV7VnwBgnX0T19fN8Qe:KnR6yE41RrSowb0kQ0HWoA" <1>
+    ```
+
+    1. This API key must have the privileges required to publish events to {{es}}. To create an API key like this, see [*Grant access using API keys*](/reference/auditbeat/beats-api-keys.md).
+
+
+* To use **Public Key Infrastructure (PKI) certificates** to authenticate users, specify the `certificate` and `key` settings under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      ssl.certificate: "/etc/pki/client/cert.pem" <1>
+      ssl.key: "/etc/pki/client/cert.key" <2>
+    ```
+
+    1. The path to the certificate for SSL client authentication
+    2. The client certificate key
+
+
+    These settings assume that the distinguished name (DN) in the certificate is mapped to the appropriate roles in the `role_mapping.yml` file on each node in the {{es}} cluster. For more information, see [Using role mapping files](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md#mapping-roles-file).
+
+    By default, Auditbeat uses the list of trusted certificate authorities (CA) from the operating system where Auditbeat is running. If the certificate authority that signed your node certificates is not in the host system’s trusted certificate authorities list, you need to add the path to the `.pem` file that contains your CA’s certificate to the Auditbeat configuration. This will configure Auditbeat to use a specific list of CA certificates instead of the default list from the OS.
+
+    Here is an example configuration:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      ssl.certificate_authorities: <1>
+        - /etc/pki/my_root_ca.pem
+        - /etc/pki/my_other_ca.pem
+      ssl.certificate: "/etc/pki/client.pem" <2>
+      ssl.key: "/etc/pki/key.pem" <3>
+    ```
+
+    1. Specify the path to the local `.pem` file that contains your Certificate Authority’s certificate. This is needed if you use your own CA to sign your node certificates.
+    2. The path to the certificate for SSL client authentication
+    3. The client certificate key
+
+
+    ::::{note}
+    For any given connection, the SSL/TLS certificates must have a subject that matches the value specified for `hosts`, or the SSL handshake fails. For example, if you specify `hosts: ["foobar:9200"]`, the certificate MUST include `foobar` in the subject (`CN=foobar`) or as a subject alternative name (SAN). Make sure the hostname resolves to the correct IP address. If no DNS is available, then you can associate the IP address with your hostname in `/etc/hosts` (on Unix) or `C:\Windows\System32\drivers\etc\hosts` (on Windows).
+    ::::
+
+
+
+## Secure communication with the Kibana endpoint [securing-communication-kibana]
+
+If you’ve configured the [{{kib}} endpoint](/reference/auditbeat/setup-kibana-endpoint.md), you can also specify credentials for authenticating with {{kib}} under `kibana.setup`. If no credentials are specified, Kibana will use the configured authentication method in the Elasticsearch output.
+
+For example, specify a unique username and password to connect to Kibana like this:
+
+```yaml
+setup.kibana:
+  host: "mykibanahost:5601"
+  username: "auditbeat_kib_setup" <1>
+  password: "{pwd}" <2>
+```
+
+1. This user needs privileges required to set up dashboards. To create a user like this, see [Create a *setup* user](/reference/auditbeat/privileges-to-setup-beats.md).
+2. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/auditbeat/keystore.md).
+
+
+
+## Learn more about secure communication [securing-communication-learn-more]
+
+More information on sending data to a secured cluster is available in the configuration reference:
+
+* [Elasticsearch](/reference/auditbeat/elasticsearch-output.md)
+* [SSL](/reference/auditbeat/configuration-ssl.md)
+* [{{kib}} endpoint](/reference/auditbeat/setup-kibana-endpoint.md)
+
diff --git a/docs/reference/auditbeat/setting-up-running.md b/docs/reference/auditbeat/setting-up-running.md
new file mode 100644
index 000000000000..f50b575571d4
--- /dev/null
+++ b/docs/reference/auditbeat/setting-up-running.md
@@ -0,0 +1,32 @@
+---
+navigation_title: "Set up and run"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html
+---
+
+# Set up and run Auditbeat [setting-up-and-running]
+
+
+Before reading this section, see [Quick start: installation and configuration](/reference/auditbeat/auditbeat-installation-configuration.md) for basic installation instructions to get you started.
+
+This section includes additional information on how to install, set up, and run Auditbeat, including:
+
+* [Directory layout](/reference/auditbeat/directory-layout.md)
+* [Secrets keystore](/reference/auditbeat/keystore.md)
+* [Command reference](/reference/auditbeat/command-line-options.md)
+* [Repositories for APT and YUM](/reference/auditbeat/setup-repositories.md)
+* [Run Auditbeat on Docker](/reference/auditbeat/running-on-docker.md)
+* [Running Auditbeat on Kubernetes](/reference/auditbeat/running-on-kubernetes.md)
+* [Auditbeat and systemd](/reference/auditbeat/running-with-systemd.md)
+* [Start Auditbeat](/reference/auditbeat/auditbeat-starting.md)
+* [Stop Auditbeat](/reference/auditbeat/shutdown.md)
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/auditbeat/setup-kibana-endpoint.md b/docs/reference/auditbeat/setup-kibana-endpoint.md
new file mode 100644
index 000000000000..075a517453ca
--- /dev/null
+++ b/docs/reference/auditbeat/setup-kibana-endpoint.md
@@ -0,0 +1,96 @@
+---
+navigation_title: "{{kib}} endpoint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/setup-kibana-endpoint.html
+---
+
+# Configure the {{kib}} endpoint [setup-kibana-endpoint]
+
+
+{{kib}} dashboards are loaded into {{kib}} via the {{kib}} API. This requires a {{kib}} endpoint configuration. For details on authenticating to the {{kib}} API, see [Authentication](https://www.elastic.co/docs/api/doc/kibana/authentication).
+
+You configure the endpoint in the `setup.kibana` section of the `auditbeat.yml` config file.
+
+Here is an example configuration:
+
+```yaml
+setup.kibana.host: "http://localhost:5601"
+```
+
+
+## Configuration options [_configuration_options_11]
+
+You can specify the following options in the `setup.kibana` section of the `auditbeat.yml` config file:
+
+
+### `setup.kibana.host` [_setup_kibana_host]
+
+The {{kib}} host where the dashboards will be loaded. The default is `127.0.0.1:5601`. The value of `host` can be a `URL` or `IP:PORT`. For example: `http://192.15.3.2`, `192:15.3.2:5601` or `http://192.15.3.2:6701/path`. If no port is specified, `5601` is used.
+
+::::{note}
+When a node is defined as an `IP:PORT`, the *scheme* and *path* are taken from the [setup.kibana.protocol](#kibana-protocol-option) and [setup.kibana.path](#kibana-path-option) config options.
+::::
+
+
+IPv6 addresses must be defined using the following format: `https://[2001:db8::1]:5601`.
+
+
+### `setup.kibana.protocol` [kibana-protocol-option]
+
+The name of the protocol {{kib}} is reachable on. The options are: `http` or `https`. The default is `http`. However, if you specify a URL for host, the value of `protocol` is overridden by whatever scheme you specify in the URL.
+
+Example config:
+
+```yaml
+setup.kibana.host: "192.0.2.255:5601"
+setup.kibana.protocol: "http"
+setup.kibana.path: /kibana
+```
+
+
+### `setup.kibana.username` [_setup_kibana_username]
+
+The basic authentication username for connecting to {{kib}}. If you don’t specify a value for this setting, Auditbeat uses the `username` specified for the {{es}} output.
+
+
+### `setup.kibana.password` [_setup_kibana_password]
+
+The basic authentication password for connecting to {{kib}}. If you don’t specify a value for this setting, Auditbeat uses the `password` specified for the {{es}} output.
+
+
+### `setup.kibana.path` [kibana-path-option]
+
+An HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where {{kib}} listens behind an HTTP reverse proxy that exports the API under a custom prefix.
+
+
+### `setup.kibana.space.id` [kibana-space-id-option]
+
+The [Kibana space](docs-content://deploy-manage/manage-spaces.md) ID to use. If specified, Auditbeat loads {{kib}} assets into this {{kib}} space. Omit this option to use the default space.
+
+
+#### `setup.kibana.headers` [_setup_kibana_headers]
+
+Custom HTTP headers to add to each request sent to {{kib}}. Example:
+
+```yaml
+setup.kibana.headers:
+  X-My-Header: Header contents
+```
+
+
+### `setup.kibana.ssl.enabled` [_setup_kibana_ssl_enabled]
+
+Enables Auditbeat to use SSL settings when connecting to {{kib}} via HTTPS. If you configure Auditbeat to connect over HTTPS, this setting defaults to `true` and Auditbeat uses the default SSL settings.
+
+Example configuration:
+
+```yaml
+setup.kibana.host: "https://192.0.2.255:5601"
+setup.kibana.ssl.enabled: true
+setup.kibana.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+setup.kibana.ssl.certificate: "/etc/client/cert.pem"
+setup.kibana.ssl.key: "/etc/client/cert.key
+```
+
+See [SSL](/reference/auditbeat/configuration-ssl.md) for more information.
+
diff --git a/docs/reference/auditbeat/setup-repositories.md b/docs/reference/auditbeat/setup-repositories.md
new file mode 100644
index 000000000000..73e59739fac8
--- /dev/null
+++ b/docs/reference/auditbeat/setup-repositories.md
@@ -0,0 +1,26 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html
+---
+
+# Repositories for APT and YUM [setup-repositories]
+
+We have repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
+
+We use the PGP key [D88E42B4](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xD27D666CD88E42B4), Elasticsearch Signing Key, with fingerprint
+
+```
+4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4
+```
+to sign all our packages. It is available from [https://pgp.mit.edu](https://pgp.mit.edu).
+
+
+## APT [_apt]
+
+Version 9.0.0-beta1 of Beats has not yet been released.
+
+
+## YUM [_yum]
+
+Version 9.0.0-beta1 of Beats has not yet been released.
+
diff --git a/docs/reference/auditbeat/shutdown.md b/docs/reference/auditbeat/shutdown.md
new file mode 100644
index 000000000000..88db8de3b2e3
--- /dev/null
+++ b/docs/reference/auditbeat/shutdown.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/shutdown.html
+---
+
+# Stop Auditbeat [shutdown]
+
+An orderly shutdown of Auditbeat ensures that it has a chance to clean up and close outstanding resources. You can help ensure an orderly shutdown by stopping Auditbeat properly.
+
+If you’re running Auditbeat as a service, you can stop it via the service management functionality provided by your installation.
+
+If you’re running Auditbeat directly in the console, you can stop it by entering **Ctrl-C**. Alternatively, send SIGTERM to the Auditbeat process on a POSIX system.
+
diff --git a/docs/reference/auditbeat/ssl-client-fails.md b/docs/reference/auditbeat/ssl-client-fails.md
new file mode 100644
index 000000000000..64be8603c45e
--- /dev/null
+++ b/docs/reference/auditbeat/ssl-client-fails.md
@@ -0,0 +1,71 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/ssl-client-fails.html
+---
+
+# SSL client fails to connect to Logstash [ssl-client-fails]
+
+The host running {{ls}} might be unreachable or the certificate may not be valid. To resolve your issue:
+
+* Make sure that {{ls}} is running and you can connect to it. First, try to ping the {{ls}} host to verify that you can reach it from the host running Auditbeat. Then use either `nc` or `telnet` to make sure that the port is available. For example:
+
+    ```shell
+    ping <hostname or IP>
+    telnet <hostname or IP> 5044
+    ```
+
+* Verify that the certificate is valid and that the hostname and IP match.
+
+    ::::{tip}
+    For testing purposes only, you can set `verification_mode: none` to disable hostname checking.
+    ::::
+
+* Use OpenSSL to test connectivity to the {{ls}} server and diagnose problems. See the [OpenSSL documentation](https://www.openssl.org/docs/manmaster/man1/openssl-s_client.md) for more info.
+* Make sure that you have enabled SSL (set `ssl => true`) when configuring the [Beats input plugin for {{ls}}](logstash://reference/plugins-inputs-beats.md).
+
+## Common SSL-Related Errors and Resolutions [_common_ssl_related_errors_and_resolutions]
+
+Here are some common errors and ways to fix them:
+
+* [tls: failed to parse private key](#failed-to-parse-private-key)
+* [x509: cannot validate certificate](#cannot-validate-certificate)
+* [getsockopt: no route to host](#getsockopt-no-route-to-host)
+* [getsockopt: connection refused](#getsockopt-connection-refused)
+* [No connection could be made because the target machine actively refused it](#target-machine-refused-connection)
+
+### tls: failed to parse private key [failed-to-parse-private-key]
+
+This might occur for a few reasons:
+
+* The encrypted file is not recognized as an encrypted PEM block. Auditbeat tries to use the encrypted content as the final key, which fails.
+* The file is correctly encrypted in a PEM block, but the decrypted content is not a key in a format that Auditbeat recognizes. The key must be encoded as PEM format.
+* The passphrase is missing or has an error.
+
+
+### x509: cannot validate certificate for <IP address> because it doesn’t contain any IP SANs [cannot-validate-certificate]
+
+This happens because your certificate is only valid for the hostname present in the Subject field.
+
+To resolve this problem, try one of these solutions:
+
+* Create a DNS entry for the hostname mapping it to the server’s IP.
+* Create an entry in `/etc/hosts` for the hostname. Or on Windows add an entry to `C:\Windows\System32\drivers\etc\hosts`.
+* Re-create the server certificate and add a SubjectAltName (SAN) for the IP address of the server. This makes the server’s certificate valid for both the hostname and the IP address.
+
+
+### getsockopt: no route to host [getsockopt-no-route-to-host]
+
+This is not a SSL problem. It’s a networking problem. Make sure the two hosts can communicate.
+
+
+### getsockopt: connection refused [getsockopt-connection-refused]
+
+This is not a SSL problem. Make sure that {{ls}} is running and that there is no firewall blocking the traffic.
+
+
+### No connection could be made because the target machine actively refused it [target-machine-refused-connection]
+
+A firewall is refusing the connection. Check if a firewall is blocking the traffic on the client, the network, or the destination host.
+
+
+
diff --git a/docs/reference/auditbeat/syslog.md b/docs/reference/auditbeat/syslog.md
new file mode 100644
index 000000000000..ab6d781cc70a
--- /dev/null
+++ b/docs/reference/auditbeat/syslog.md
@@ -0,0 +1,156 @@
+---
+navigation_title: "syslog"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/syslog.html
+---
+
+# Syslog [syslog]
+
+
+The syslog processor parses RFC 3146 and/or RFC 5424 formatted syslog messages that are stored in a field. The processor itself does not handle receiving syslog messages from external sources. This is done through an input, such as the TCP input. Certain integrations, when enabled through configuration, will embed the syslog processor to process syslog messages, such as Custom TCP Logs and Custom UDP Logs.
+
+
+## Configuration [_configuration]
+
+The `syslog` processor parses RFC 3146 and/or RFC 5424 formatted syslog messages that are stored under the `field` key.
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the syslog message. Defaults to `message`.
+
+`format`
+:   (Optional) The syslog format to use, `rfc3164`, or `rfc5424`. To automatically detect the format from the log entries, set this option to `auto`. The default is `auto`.
+
+`timezone`
+:   (Optional) IANA time zone name(e.g. `America/New York`) or a fixed time offset (e.g. +0200) to use when parsing syslog timestamps that do not contain a time zone. `Local` may be specified to use the machine’s local time zone. Defaults to `Local`.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the syslog message. The default value is `true`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+`tag`
+:   (Optional) An identifier for this processor. Useful for debugging.
+
+Example:
+
+```yaml
+processors:
+  - syslog:
+      field: message
+```
+
+```json
+{
+  "message": "<165>1 2022-01-11T22:14:15.003Z mymachine.example.com eventslog 1024 ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"][examplePriority@32473 class=\"high\"] this is the message"
+}
+```
+
+Will produce the following output:
+
+```json
+{
+  "@timestamp": "2022-01-11T22:14:15.003Z",
+  "log": {
+    "syslog": {
+      "priority": 165,
+      "facility": {
+        "code": 20,
+        "name": "local4"
+      },
+      "severity": {
+        "code": 5,
+        "name": "Notice"
+      },
+      "hostname": "mymachine.example.com",
+      "appname": "eventslog",
+      "procid": "1024",
+      "msgid": "ID47",
+      "version": 1,
+      "structured_data": {
+        "exampleSDID@32473": {
+          "iut":         "3",
+          "eventSource": "Application",
+          "eventID":     "1011"
+        },
+        "examplePriority@32473": {
+          "class": "high"
+        }
+      }
+    }
+  },
+  "message": "this is the message"
+}
+```
+
+
+## Timestamps [_timestamps]
+
+The RFC 3164 format accepts the following forms of timestamps:
+
+* Local timestamp (`Mmm dd hh:mm:ss`):
+
+    * `Jan 23 14:09:01`
+
+* RFC-3339*:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+**Note**: The local timestamp (for example, `Jan 23 14:09:01`) that accompanies an RFC 3164 message lacks year and time zone information. The time zone will be enriched using the `timezone` configuration option, and the year will be enriched using the Auditbeat system’s local time (accounting for time zones). Because of this, it is possible for messages to appear in the future. An example of when this might happen is logs generated on December 31 2021 are ingested on January 1 2022. The logs would be enriched with the year 2022 instead of 2021.
+
+The RFC 5424 format accepts the following forms of timestamps:
+
+* RFC-3339:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+Formats with an asterisk (*) are a non-standard allowance.
+
+
+## Structured Data [_structured_data]
+
+For RFC 5424-formatted logs, if the structured data cannot be parsed according to RFC standards, the original structured data text will be prepended to the message field, separated by a space.
+
+
+## Metrics [_metrics]
+
+Internal metrics are available to assist with debugging efforts. The metrics are served from the metrics HTTP endpoint (for example: `http://localhost:5066/stats`) and are found under `processor.syslog.[instance ID]` or `processor.syslog.[tag]-[instance ID]` if a **tag** is provided. See [HTTP endpoint](/reference/auditbeat/http-endpoint.md) for more information on configuration the metrics HTTP endpoint.
+
+For example, here are metrics from a processor with a **tag** of `log-input` and an **instance ID** of `1`:
+
+```json
+{
+  "processor": {
+    "syslog": {
+      "log-input-1": {
+        "failure": 10,
+        "missing": 0,
+        "success": 3
+      }
+    }
+  }
+}
+```
+
+`failure`
+:   Measures the number of occurrences where a message was unable to be parsed.
+
+`missing`
+:   Measures the number of occurrences where an event was missing the required input field.
+
+`success`
+:   Measures the number of successfully parsed syslog messages.
+
diff --git a/docs/reference/auditbeat/troubleshooting.md b/docs/reference/auditbeat/troubleshooting.md
new file mode 100644
index 000000000000..897a8f875721
--- /dev/null
+++ b/docs/reference/auditbeat/troubleshooting.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/troubleshooting.html
+---
+
+# Troubleshoot [troubleshooting]
+
+If you have issues installing or running Auditbeat, read the following tips:
+
+* [*Get Help*](/reference/auditbeat/getting-help.md)
+* [*Debug*](/reference/auditbeat/enable-auditbeat-debugging.md)
+* [Understand logged metrics](/reference/auditbeat/understand-auditbeat-logs.md)
+* [*Common problems*](/reference/auditbeat/faq.md)
+
diff --git a/docs/reference/auditbeat/truncate-fields.md b/docs/reference/auditbeat/truncate-fields.md
new file mode 100644
index 000000000000..66bec172b72e
--- /dev/null
+++ b/docs/reference/auditbeat/truncate-fields.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "truncate_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/truncate-fields.html
+---
+
+# Truncate fields [truncate-fields]
+
+
+The `truncate_fields` processor truncates a field to a given size. If the size of the field is smaller than the limit, the field is left as is.
+
+`fields`
+:   List of fields to truncate. It’s supported to use `@metadata.` prefix for the fields and truncate values in the event metadata instead of event fields.
+
+`max_bytes`
+:   Maximum number of bytes in a field. Mutually exclusive with `max_characters`.
+
+`max_characters`
+:   Maximum number of characters in a field. Mutually exclusive with `max_bytes`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the changes to the event are reverted, and the original event is returned. If set to `false`, processing continues also if an error happens. Default is `true`.
+
+`ignore_missing`
+:   (Optional) Whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+For example, this configuration truncates the field named `message` to 5 characters:
+
+```yaml
+processors:
+  - truncate_fields:
+      fields:
+        - message
+      max_characters: 5
+      fail_on_error: false
+      ignore_missing: true
+```
+
diff --git a/docs/reference/auditbeat/ulimit.md b/docs/reference/auditbeat/ulimit.md
new file mode 100644
index 000000000000..626cb10e4c20
--- /dev/null
+++ b/docs/reference/auditbeat/ulimit.md
@@ -0,0 +1,28 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/ulimit.html
+---
+
+# Auditbeat fails to watch folders because too many files are open [ulimit]
+
+Because of the way file monitoring is implemented on macOS, you may see a warning similar to the following:
+
+```shell
+eventreader_fsnotify.go:42: WARN [audit.file] Failed to watch /usr/bin: too many
+open files (check the max number of open files allowed with 'ulimit -a')
+```
+
+To resolve this issue, run Auditbeat with the `ulimit` set to a larger value, for example:
+
+```sh
+sudo sh -c 'ulimit -n 8192 && ./Auditbeat -e
+```
+
+Or:
+
+```sh
+sudo su
+ulimit -n 8192
+./auditbeat -e
+```
+
diff --git a/docs/reference/auditbeat/understand-auditbeat-logs.md b/docs/reference/auditbeat/understand-auditbeat-logs.md
new file mode 100644
index 000000000000..8d720213d925
--- /dev/null
+++ b/docs/reference/auditbeat/understand-auditbeat-logs.md
@@ -0,0 +1,210 @@
+---
+navigation_title: "Understand logged metrics"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/understand-auditbeat-logs.html
+---
+
+# Understand metrics in Auditbeat logs [understand-auditbeat-logs]
+
+
+Every 30 seconds (by default), Auditbeat collects a *snapshot* of metrics about itself. From this snapshot, Auditbeat computes a *delta snapshot*; this delta snapshot contains any metrics that have *changed* since the last snapshot. Note that the values of the metrics are the values when the snapshot is taken, *NOT* the *difference* in values from the last snapshot.
+
+If this delta snapshot contains *any* metrics (indicating at least one metric that has changed since the last snapshot), this delta snapshot is serialized as JSON and emitted in Auditbeat’s logs at the `INFO` log level. Most snapshot fields report the change in the metric since the last snapshot, however some fields are *gauges*, which always report the current value. Here is an example of such a log entry:
+
+```json
+{"log.level":"info","@timestamp":"2023-07-14T12:50:36.811Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":0}}}},"cpu":{"system":{"ticks":692690,"time":{"ms":60}},"total":{"ticks":3167250,"time":{"ms":150},"value":3167250},"user":{"ticks":2474560,"time":{"ms":90}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":32},"info":{"ephemeral_id":"2bab8688-34c0-4522-80af-db86948d547d","uptime":{"ms":617670096},"version":"8.6.2"},"memstats":{"gc_next":57189272,"memory_alloc":43589824,"memory_total":275281335792,"rss":183574528},"runtime":{"goroutines":212}},"filebeat":{"events":{"active":5,"added":52,"done":49},"harvester":{"open_files":6,"running":6,"started":1}},"libbeat":{"config":{"module":{"running":15}},"output":{"events":{"acked":48,"active":0,"batches":6,"total":48},"read":{"bytes":210},"write":{"bytes":26923}},"pipeline":{"clients":15,"events":{"active":5,"filtered":1,"published":51,"total":52},"queue":{"max_events":3500,"filled":{"events":5,"bytes":6425,"pct":0.0014},"added":{"events":52,"bytes":65702},"consumed":{"events":52,"bytes":65702},"removed":{"events":48,"bytes":59277},"acked":48}}},"registrar":{"states":{"current":14,"update":49},"writes":{"success":6,"total":6}},"system":{"load":{"1":0.91,"15":0.37,"5":0.4,"norm":{"1":0.1138,"15":0.0463,"5":0.05}}}},"ecs.version":"1.6.0"}}
+```
+
+
+## Details [_details]
+
+Focussing on the `.monitoring.metrics` field, and formatting the JSON, it’s value is:
+
+```json
+{
+  "beat": {
+    "cgroup": {
+      "memory": {
+        "mem": {
+          "usage": {
+            "bytes": 0
+          }
+        }
+      }
+    },
+    "cpu": {
+      "system": {
+        "ticks": 692690,
+        "time": {
+          "ms": 60
+        }
+      },
+      "total": {
+        "ticks": 3167250,
+        "time": {
+          "ms": 150
+        },
+        "value": 3167250
+      },
+      "user": {
+        "ticks": 2474560,
+        "time": {
+          "ms": 90
+        }
+      }
+    },
+    "handles": {
+      "limit": {
+        "hard": 1048576,
+        "soft": 1048576
+      },
+      "open": 32
+    },
+    "info": {
+      "ephemeral_id": "2bab8688-34c0-4522-80af-db86948d547d",
+      "uptime": {
+        "ms": 617670096
+      },
+      "version": "8.6.2"
+    },
+    "memstats": {
+      "gc_next": 57189272,
+      "memory_alloc": 43589824,
+      "memory_total": 275281335792,
+      "rss": 183574528
+    },
+    "runtime": {
+      "goroutines": 212
+    }
+  },
+  "filebeat": {
+    "events": {
+      "active": 5,
+      "added": 52,
+      "done": 49
+    },
+    "harvester": {
+      "open_files": 6,
+      "running": 6,
+      "started": 1
+    }
+  },
+  "libbeat": {
+    "config": {
+      "module": {
+        "running": 15
+      }
+    },
+    "output": {
+      "events": {
+        "acked": 48,
+        "active": 0,
+        "batches": 6,
+        "total": 48
+      },
+      "read": {
+        "bytes": 210
+      },
+      "write": {
+        "bytes": 26923
+      }
+    },
+    "pipeline": {
+      "clients": 15,
+      "events": {
+        "active": 5,
+        "filtered": 1,
+        "published": 51,
+        "total": 52
+      },
+      "queue": {
+        "max_events": 3500,
+        "filled": {
+          "events": 5,
+          "bytes": 6425,
+          "pct": 0.0014
+        },
+        "added": {
+          "events": 52,
+          "bytes": 65702
+        },
+        "consumed": {
+          "events": 52,
+          "bytes": 65702
+        },
+        "removed": {
+          "events": 48,
+          "bytes": 59277
+        },
+        "acked": 48
+      }
+    }
+  },
+  "registrar": {
+    "states": {
+      "current": 14,
+      "update": 49
+    },
+    "writes": {
+      "success": 6,
+      "total": 6
+    }
+  },
+  "system": {
+    "load": {
+      "1": 0.91,
+      "15": 0.37,
+      "5": 0.4,
+      "norm": {
+        "1": 0.1138,
+        "15": 0.0463,
+        "5": 0.05
+      }
+    }
+  }
+}
+```
+
+The following tables explain the meaning of the most important fields under `.monitoring.metrics` and also provide hints that might be helpful in troubleshooting Auditbeat issues.
+
+| Field path (relative to `.monitoring.metrics`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.beat` | Object | Information that is common to all Beats, e.g. version, goroutines, file handles, CPU, memory |  |
+| `.libbeat` | Object | Information about the publisher pipeline and output, also common to all Beats |  |
+
+| Field path (relative to `.monitoring.metrics.beat`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.runtime.goroutines` | Integer | Number of goroutines running | If this number grows over time, it indicates a goroutine leak |
+
+| Field path (relative to `.monitoring.metrics.libbeat`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.pipeline.events.active` | Integer | Number of events currently in the libbeat publisher pipeline. | If this number grows over time, it may indicate that Auditbeat is producing events faster than the output can consume them. Consider increasing the number of output workers (if this setting is supported by the output; {{es}} and {{ls}} outputs support this setting). The pipeline includes events currently being processed as well as events in the queue. So this metric can sometimes end up slightly higher than the queue size. If this metric reaches the maximum queue size (`queue.mem.events` for the in-memory queue), it almost certainly indicates backpressure on Auditbeat, implying that Auditbeat may need to temporarily stop ingesting more events from the source until this backpressure is relieved. |
+| `.output.events.total` | Integer | Number of events currently being processed by the output. | If this number grows over time, it may indicate that the output destination (e.g. {{ls}} pipeline or {{es}} cluster) is not able to accept events at the same or faster rate than what Auditbeat is sending to it. |
+| `.output.events.acked` | Integer | Number of events acknowledged by the output destination. | Generally, we want this number to be the same as `.output.events.total` as this indicates that the output destination has reliably received all the events sent to it. |
+| `.output.events.failed` | Integer | Number of events that Auditbeat tried to send to the output destination, but the destination failed to receive them. | Generally, we want this field to be absent or its value to be zero. When the value is greater than zero, it’s useful to check Auditbeat’s logs right before this log entry’s `@timestamp` to see if there are any connectivity issues with the output destination. Note that failed events are not lost or dropped; they will be sent back to the publisher pipeline for retrying later. |
+| `.output.events.dropped` | Integer | Number of events that Auditbeat gave up sending to the output destination because of a permanent (non-retryable) error. | `.output.events.dead_letter` |
+| Integer | Number of events that Auditbeat successfully sent to a configured dead letter index after they failed to ingest in the primary index. | `.output.write.latency` | Object |
+
+| Field path (relative to `.monitoring.metrics.libbeat.pipeline`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.queue.max_events` | Integer (gauge) | The queue’s maximum event count if it has one, otherwise zero. | `.queue.max_bytes` |
+| Integer (gauge) | The queue’s maximum byte count if it has one, otherwise zero. | `.queue.filled.events` | Integer (gauge) |
+| Number of events currently stored by the queue. |  | `.queue.filled.bytes` | Integer (gauge) |
+| Number of bytes currently stored by the queue. |  | `.queue.filled.pct` | Float (gauge) |
+| How full the queue is relative to its maximum size, as a fraction from 0 to 1. | Low throughput while `queue.filled.pct` is low means congestion in the input. Low throughput while `queue.filled.pct` is high means congestion in the output. | `.queue.added.events` | Integer |
+| Number of events added to the queue by input workers. |  | `.queue.added.bytes` | Integer |
+| Number of bytes added to the queue by input workers. |  | `.queue.consumed.events` | Integer |
+| Number of events sent to output workers. |  | `.queue.consumed.bytes` | Integer |
+| Number of bytes sent to output workers. |  | `.queue.removed.events` | Integer |
+| Number of events removed from the queue after being processed by output workers. |  | `.queue.removed.bytes` | Integer |
+
+When using the memory queue, byte metrics are only set if the output supports them. Currently only the Elasticsearch output supports byte metrics.
+
+
+## Useful commands [_useful_commands_2]
+
+
+### Parse monitoring metrics from unstructured Auditbeat logs [_parse_monitoring_metrics_from_unstructured_auditbeat_logs]
+
+For Auditbeat versions that emit unstructured logs, the following script can be used to parse monitoring metrics from such logs: [https://github.com/elastic/beats/blob/main/script/metrics_from_log_file.sh](https://github.com/elastic/beats/blob/main/script/metrics_from_log_file.sh).
+
diff --git a/docs/reference/auditbeat/upgrading-auditbeat.md b/docs/reference/auditbeat/upgrading-auditbeat.md
new file mode 100644
index 000000000000..b82256334a22
--- /dev/null
+++ b/docs/reference/auditbeat/upgrading-auditbeat.md
@@ -0,0 +1,12 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/upgrading-auditbeat.html
+---
+
+# Upgrade Auditbeat [upgrading-auditbeat]
+
+For information about upgrading to a new version, see:
+
+* [Breaking Changes](/release-notes/breaking-changes.md)
+* [Upgrade](/reference/libbeat/upgrading.md)
+
diff --git a/docs/reference/auditbeat/urldecode.md b/docs/reference/auditbeat/urldecode.md
new file mode 100644
index 000000000000..82911d16c83f
--- /dev/null
+++ b/docs/reference/auditbeat/urldecode.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "urldecode"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/urldecode.html
+---
+
+# URL Decode [urldecode]
+
+
+The `urldecode` processor specifies a list of fields to decode from URL encoded format. Under the `fields` key, each entry contains a `from: source-field` and a `to: target-field` pair, where:
+
+* `from` is the source field name
+* `to` is the target field name (defaults to the `from` value)
+
+```yaml
+processors:
+  - urldecode:
+      fields:
+        - from: "field1"
+          to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above:
+
+* field1 is decoded in field2
+
+The `urldecode` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be URL-decoded is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the URL-decoding of fields is stopped and the original event is returned. If set to false, decoding continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/auditbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/auditbeat/using-environ-vars.md b/docs/reference/auditbeat/using-environ-vars.md
new file mode 100644
index 000000000000..581b7e8febf0
--- /dev/null
+++ b/docs/reference/auditbeat/using-environ-vars.md
@@ -0,0 +1,80 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/using-environ-vars.html
+---
+
+# Use environment variables in the configuration [using-environ-vars]
+
+You can use environment variable references in the config file to set values that need to be configurable during deployment. To do this, use:
+
+`${VAR}`
+
+Where `VAR` is the name of the environment variable.
+
+Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.
+
+To specify a default value, use:
+
+`${VAR:default_value}`
+
+Where `default_value` is the value to use if the environment variable is undefined.
+
+To specify custom error text, use:
+
+`${VAR:?error_text}`
+
+Where `error_text` is custom text that will be prepended to the error message if the environment variable cannot be expanded.
+
+If you need to use a special character in your configuration file, use `$` to escape the expansion. For example, you can escape `${` or `}` with `$${` or `$}`.
+
+After changing the value of an environment variable, you need to restart Auditbeat to pick up the new value.
+
+::::{note}
+You can also specify environment variables when you override a config setting from the command line by using the `-E` option. For example:
+
+`-E name=${NAME}`
+
+::::
+
+
+
+## Examples [_examples]
+
+Here are some examples of configurations that use environment variables and what each configuration looks like after replacement:
+
+| Config source | Environment setting | Config after replacement |
+| --- | --- | --- |
+| `name: ${NAME}` | `export NAME=elastic` | `name: elastic` |
+| `name: ${NAME}` | no setting | `name:` |
+| `name: ${NAME:beats}` | no setting | `name: beats` |
+| `name: ${NAME:beats}` | `export NAME=elastic` | `name: elastic` |
+| `name: ${NAME:?You need to set the NAME environment variable}` | no setting | None. Returns an error message that’s prepended with the custom text. |
+| `name: ${NAME:?You need to set the NAME environment variable}` | `export NAME=elastic` | `name: elastic` |
+
+
+## Specify complex objects in environment variables [_specify_complex_objects_in_environment_variables]
+
+You can specify complex objects, such as lists or dictionaries, in environment variables by using a JSON-like syntax.
+
+As with JSON, dictionaries and lists are constructed using `{}` and `[]`. But unlike JSON, the syntax allows for trailing commas and slightly different string quotation rules. Strings can be unquoted, single-quoted, or double-quoted, as a convenience for simple settings and to make it easier for you to mix quotation usage in the shell. Arrays at the top-level do not require brackets (`[]`).
+
+For example, the following environment variable is set to a list:
+
+```yaml
+ES_HOSTS="10.45.3.2:9220,10.45.3.1:9230"
+```
+
+You can reference this variable in the config file:
+
+```yaml
+output.elasticsearch:
+  hosts: '${ES_HOSTS}'
+```
+
+When Auditbeat loads the config file, it resolves the environment variable and replaces it with the specified list before reading the `hosts` setting.
+
+::::{note}
+Do not use double-quotes (`"`) to wrap regular expressions, or the backslash (`\`) will be interpreted as an escape character.
+::::
+
+
diff --git a/docs/reference/auditbeat/yaml-tips.md b/docs/reference/auditbeat/yaml-tips.md
new file mode 100644
index 000000000000..1dc1b1b4c9ee
--- /dev/null
+++ b/docs/reference/auditbeat/yaml-tips.md
@@ -0,0 +1,60 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/auditbeat/current/yaml-tips.html
+---
+
+# Avoid YAML formatting problems [yaml-tips]
+
+The configuration file uses [YAML](http://yaml.org/) for its syntax. When you edit the file to modify configuration settings, there are a few things that you should know.
+
+
+## Use spaces for indentation [_use_spaces_for_indentation]
+
+Indentation is meaningful in YAML. Make sure that you use spaces, rather than tab characters, to indent sections.
+
+In the default configuration files and in all the examples in the documentation, we use 2 spaces per indentation level. We recommend you do the same.
+
+
+## Look at the default config file for structure [_look_at_the_default_config_file_for_structure]
+
+The best way to understand where to define a configuration option is by looking at the provided sample configuration files. The configuration files contain most of the default configurations that are available for the Beat. To change a setting, simply uncomment the line and change the values.
+
+
+## Test your config file [_test_your_config_file]
+
+You can test your configuration file to verify that the structure is valid. Simply change to the directory where the binary is installed, and run the Beat in the foreground with the `test config` command specified. For example:
+
+```shell
+auditbeat test config -c auditbeat.yml
+```
+
+You’ll see a message if the Beat finds an error in the file.
+
+
+## Wrap regular expressions in single quotation marks [_wrap_regular_expressions_in_single_quotation_marks]
+
+If you need to specify a regular expression in a YAML file, it’s a good idea to wrap the regular expression in single quotation marks to work around YAML’s tricky rules for string escaping.
+
+For more information about YAML, see [http://yaml.org/](http://yaml.org/).
+
+
+## Wrap paths in single quotation marks [wrap-paths-in-quotes]
+
+Windows paths in particular sometimes contain spaces or characters, such as drive letters or triple dots, that may be misinterpreted by the YAML parser.
+
+To avoid this problem, it’s a good idea to wrap paths in single quotation marks.
+
+
+## Avoid using leading zeros in numeric values [avoid-leading-zeros]
+
+If you use a leading zero (for example, `09`) in a numeric field without wrapping the value in single quotation marks, the value may be interpreted incorrectly by the YAML parser. If the value is a valid octal, it’s converted to an integer. If not, it’s converted to a float.
+
+To prevent unwanted type conversions, avoid using leading zeros in field values, or wrap the values in single quotation marks.
+
+
+## Avoid accidental template variable resolution [dollar-sign-strings]
+
+The templating engine that allows the config to resolve data from environment variables can result in errors in strings with `$` characters. For example, if a password field contains `$$`, the engine will resolve this to `$`.
+
+To work around this, either use the [Secrets keystore](/reference/auditbeat/keystore.md) or escape all instances of `$` with `$$`.
+
diff --git a/docs/reference/filebeat/_debugging_on_kibana.md b/docs/reference/filebeat/_debugging_on_kibana.md
new file mode 100644
index 000000000000..4ea4aacef52a
--- /dev/null
+++ b/docs/reference/filebeat/_debugging_on_kibana.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/_debugging_on_kibana.html
+---
+
+# Debugging on Kibana [_debugging_on_kibana]
+
+Events produced by `filestream` with `take_over: true` contains `take_over` tag. You can filter on this tag in Kibana and see the events which came from a filestream in the "take over" mode.
+
diff --git a/docs/reference/filebeat/_if_something_went_wrong.md b/docs/reference/filebeat/_if_something_went_wrong.md
new file mode 100644
index 000000000000..90e994b8604a
--- /dev/null
+++ b/docs/reference/filebeat/_if_something_went_wrong.md
@@ -0,0 +1,21 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/_if_something_went_wrong.html
+---
+
+# If something went wrong [_if_something_went_wrong]
+
+If for whatever reason you’d like to revert the configuration after running the migrated configuration and return to old `log` inputs the files that were taken by `filestream` inputs, you need to do the following:
+
+1. Stop Filebeat as soon as possible
+2. Save its debug-level logs for further investigation
+3. Find your [`registry.path/filebeat` directory](/reference/filebeat/configuration-general-options.md#configuration-global-options)
+4. Find the created backup files, they have the `<timestamp>.bak` suffix. If you have multiple backups for the same file, choose the one with the more recent timestamp.
+5. Replace the files with their backups, e.g. `log.json` should be replaced by `log.json-1674152412247684000.bak`
+6. Run Filebeat with the old configuration (no `filestream` inputs with `take_over: true`).
+
+::::{note}
+Reverting to backups might cause some events to repeat, depends on the amount of time the new configuration was running.
+::::
+
+
diff --git a/docs/reference/filebeat/_live_reloading.md b/docs/reference/filebeat/_live_reloading.md
new file mode 100644
index 000000000000..3ef988079520
--- /dev/null
+++ b/docs/reference/filebeat/_live_reloading.md
@@ -0,0 +1,37 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/_live_reloading.html
+---
+
+# Live reloading [_live_reloading]
+
+You can configure Filebeat to dynamically reload external configuration files when there are changes. This feature is available for input and module configurations that are loaded as [external configuration files](/reference/filebeat/filebeat-configuration-reloading.md). You cannot use this feature to reload the main `filebeat.yml` configuration file.
+
+To configure this feature, you specify a path ([Glob](https://golang.org/pkg/path/filepath/#Glob)) to watch for configuration changes. When the files found by the Glob change, new inputs and/or modules are started and stopped according to changes in the configuration files.
+
+This feature is especially useful in container environments where one container is used to tail logs for services running in other containers on the same host.
+
+To enable dynamic config reloading, you specify the `path` and `reload` options under `filebeat.config.inputs` or `filebeat.config.modules` sections. For example:
+
+```sh
+filebeat.config.inputs:
+  enabled: true
+  path: configs/*.yml
+  reload.enabled: true
+  reload.period: 10s
+```
+
+`path`
+:   A Glob that defines the files to check for changes.
+
+`reload.enabled`
+:   When set to `true`, enables dynamic config reload.
+
+`reload.period`
+:   Specifies how often the files are checked for changes. Do not set the `period` to less than 1s because the modification time of files is often stored in seconds. Setting the `period` to less than 1s will result in unnecessary overhead.
+
+::::{note}
+On systems with POSIX file permissions, all Beats configuration files are subject to ownership and file permission checks. For more information, see [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::
+
+
diff --git a/docs/reference/filebeat/_set_up_the_oauth_app_in_the_salesforce_2.md b/docs/reference/filebeat/_set_up_the_oauth_app_in_the_salesforce_2.md
new file mode 100644
index 000000000000..5a20c4b3bd3a
--- /dev/null
+++ b/docs/reference/filebeat/_set_up_the_oauth_app_in_the_salesforce_2.md
@@ -0,0 +1,451 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/_set_up_the_oauth_app_in_the_salesforce_2.html
+---
+
+# Set up the OAuth App in the Salesforce [_set_up_the_oauth_app_in_the_salesforce_2]
+
+In order to use this integration, users need to create a new Salesforce Application using OAuth. Follow the steps below to create a connected application in Salesforce:
+
+1. Login to [Salesforce](https://login.salesforce.com/) with the same user credentials that the user wants to collect data with.
+2. Click on Setup on the top right menu bar. On the Setup page, search for `App Manager` in the `Search Setup` search box at the top of the page, then select `App Manager`.
+3. Click *New Connected App*.
+4. Provide a name for the connected application. This will be displayed in the App Manager and on its App Launcher tile.
+5. Enter the API name. The default is a version of the name without spaces. Only letters, numbers, and underscores are allowed. If the original app name contains any other characters, edit the default name.
+6. Enter the contact email for Salesforce.
+7. Under the API (Enable OAuth Settings) section of the page, select *Enable OAuth Settings*.
+8. In the Callback URL, enter the Instance URL (Please refer to `Salesforce Instance URL`).
+9. Select the following OAuth scopes to apply to the connected app:
+
+    * Manage user data via APIs (api).
+    * Perform requests at any time (refresh_token, offline_access).
+    * (Optional) In case of data collection, if any permission issues arise, add the Full access (full) scope.
+
+10. Select *Require Secret for the Web Server Flow* to require the app’s client secret in exchange for an access token.
+11. Select *Require Secret for Refresh Token Flow* to require the app’s client secret in the authorization request of a refresh token and hybrid refresh token flow.
+12. Click Save. It may take approximately 10 minutes for the changes to take effect.
+13. Click Continue and then under API details, click Manage Consumer Details. Verify the user account using the Verification Code.
+14. Copy `Consumer Key` and `Consumer Secret` from the Consumer Details section, which should be populated as values for Client ID and Client Secret respectively in the configuration.
+
+For more details on how to create a Connected App, refer to the Salesforce documentation [here](https://help.salesforce.com/apex/HTViewHelpDoc?id=connected_app_create.htm).
+
+::::{note}
+**Enabling real-time events**
+
+To get started with [real-time](https://developer.salesforce.com/blogs/2020/05/introduction-to-real-time-event-monitoring) events, head to setup and into the quick find search for *Event Manager*. Enterprise and Unlimited environments have access to the Logout Event by default, but the remainder of the events need licensing to access [Shield Event Monitoring](https://help.salesforce.com/s/articleView?id=sf.salesforce_shield.htm&type=5).
+
+::::
+
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Configure the module [configuring-salesforce-module]
+
+You can further refine the behavior of the `salesforce` module by specifying [variable settings](#salesforce-settings) in the `modules.d/salesforce.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [salesforce-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `salesforce` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `salesforce.login.var.paths` instead of `login.var.paths`.
+::::
+
+
+
+## Fileset settings [_fileset_settings]
+
+
+### `login` fileset [_login_fileset]
+
+Example config:
+
+```yaml
+- module: salesforce
+  login:
+    enabled: true
+    var.initial_interval: 1d
+    var.api_version: 56
+
+    var.authentication:
+      jwt_bearer_flow:
+        enabled: false
+        client.id: "my-client-id"
+        client.username: "my.email@here.com"
+        client.key_path: client_key.pem
+        url: https://login.salesforce.com
+      user_password_flow:
+        enabled: true
+        client.id: "my-client-id"
+        client.secret: "my-client-secret"
+        token_url: "https://login.salesforce.com"
+        username: "my.email@here.com"
+        password: "password"
+
+    var.url: "https://instance-url.salesforce.com"
+
+    var.event_log_file: true
+    var.elf_interval: 1h
+    var.log_file_interval: Hourly
+
+    var.real_time: true
+    var.real_time_interval: 5m
+```
+
+**`var.initial_interval`**
+:   The time window for collecting historical data when the input starts. Expects a duration string (e.g. 12h or 7d).
+
+**`var.api_version`**
+:   The API version of the Salesforce instance.
+
+**`var.authentication`**
+:   Authentication config for connecting to Salesforce API. Supports JWT or user-password auth flows.
+
+**`var.authentication.jwt_bearer_flow.enabled`**
+:   Set to true to use JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.client.id`**
+:   The client ID for JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.client.username`**
+:   The username for JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.client.key_path`**
+:   Path to the client key file for JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.url`**
+:   The audience URL for JWT authentication.
+
+**`var.authentication.user_password_flow.enabled`**
+:   Set to true to use user-password authentication.
+
+**`var.authentication.user_password_flow.client.id`**
+:   The client ID for user-password authentication.
+
+**`var.authentication.user_password_flow.client.secret`**
+:   The client secret for user-password authentication.
+
+**`var.authentication.user_password_flow.token_url`**
+:   The Salesforce token URL for user-password authentication.
+
+**`var.authentication.user_password_flow.username`**
+:   The Salesforce username for authentication.
+
+**`var.authentication.user_password_flow.password`**
+:   The password for the Salesforce user.
+
+**`var.url`**
+:   The URL of the Salesforce instance.
+
+**`var.event_log_file`**
+:   Set to true to collect logs from EventLogFile (historical data).
+
+**`var.elf_interval`**
+:   Interval for collecting EventLogFile logs, e.g. 1h or 5m.
+
+**`var.log_file_interval`**
+:   Either "Hourly" or "Daily". The time interval of each log file from EventLogFile.
+
+**`var.real_time`**
+:   Set to true to collect real-time data collection.
+
+**`var.real_time_interval`**
+:   Interval for collecting real-time logs, e.g. 30s or 5m.
+
+
+### `logout` fileset [_logout_fileset]
+
+Example config:
+
+```yaml
+- module: salesforce
+  logout:
+    enabled: true
+    var.initial_interval: 1d
+    var.api_version: 56
+
+    var.authentication:
+      jwt_bearer_flow:
+        enabled: false
+        client.id: "my-client-id"
+        client.username: "my.email@here.com"
+        client.key_path: client_key.pem
+        url: https://login.salesforce.com
+      user_password_flow:
+        enabled: true
+        client.id: "my-client-id"
+        client.secret: "my-client-secret"
+        token_url: "https://login.salesforce.com"
+        username: "my.email@here.com"
+        password: "password"
+
+    var.url: "https://instance-url.salesforce.com"
+
+    var.event_log_file: true
+    var.elf_interval: 1h
+    var.log_file_interval: Hourly
+
+    var.real_time: true
+    var.real_time_interval: 5m
+```
+
+**`var.initial_interval`**
+:   The time window for collecting historical data when the input starts. Expects a duration string (e.g. 12h or 7d).
+
+**`var.api_version`**
+:   The API version of the Salesforce instance.
+
+**`var.authentication`**
+:   Authentication config for connecting to Salesforce API. Supports JWT or user-password auth flows.
+
+**`var.authentication.jwt_bearer_flow.enabled`**
+:   Set to true to use JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.client.id`**
+:   The client ID for JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.client.username`**
+:   The username for JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.client.key_path`**
+:   Path to the client key file for JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.url`**
+:   The audience URL for JWT authentication.
+
+**`var.authentication.user_password_flow.enabled`**
+:   Set to true to use user-password authentication.
+
+**`var.authentication.user_password_flow.client.id`**
+:   The client ID for user-password authentication.
+
+**`var.authentication.user_password_flow.client.secret`**
+:   The client secret for user-password authentication.
+
+**`var.authentication.user_password_flow.token_url`**
+:   The Salesforce token URL for user-password authentication.
+
+**`var.authentication.user_password_flow.username`**
+:   The Salesforce username for authentication.
+
+**`var.authentication.user_password_flow.password`**
+:   The password for the Salesforce user.
+
+**`var.url`**
+:   The URL of the Salesforce instance.
+
+**`var.event_log_file`**
+:   Set to true to collect logs from EventLogFile (historical data).
+
+**`var.elf_interval`**
+:   Interval for collecting EventLogFile logs, e.g. 1h or 5m.
+
+**`var.log_file_interval`**
+:   Either "Hourly" or "Daily". The time interval of each log file from EventLogFile.
+
+**`var.real_time`**
+:   Set to true to collect real-time data collection.
+
+**`var.real_time_interval`**
+:   Interval for collecting real-time logs, e.g. 30s or 5m.
+
+
+### `setupaudittrail` fileset [_setupaudittrail_fileset]
+
+Example config:
+
+```yaml
+- module: salesforce
+  setupaudittrail:
+    enabled: true
+    var.initial_interval: 1d
+    var.api_version: 56
+
+    var.authentication:
+      jwt_bearer_flow:
+        enabled: false
+        client.id: "my-client-id"
+        client.username: "my.email@here.com"
+        client.key_path: client_key.pem
+        url: https://login.salesforce.com
+      user_password_flow:
+        enabled: true
+        client.id: "my-client-id"
+        client.secret: "my-client-secret"
+        token_url: "https://login.salesforce.com"
+        username: "my.email@here.com"
+        password: "password"
+
+    var.url: "https://instance-url.salesforce.com"
+
+    var.real_time: true
+    var.real_time_interval: 5m
+```
+
+**`var.initial_interval`**
+:   The time window for collecting historical data when the input starts. Expects a duration string (e.g. 12h or 7d).
+
+**`var.api_version`**
+:   The API version of the Salesforce instance.
+
+**`var.authentication`**
+:   Authentication config for connecting to Salesforce API. Supports JWT or user-password auth flows.
+
+**`var.authentication.jwt_bearer_flow.enabled`**
+:   Set to true to use JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.client.id`**
+:   The client ID for JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.client.username`**
+:   The username for JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.client.key_path`**
+:   Path to the client key file for JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.url`**
+:   The audience URL for JWT authentication.
+
+**`var.authentication.user_password_flow.enabled`**
+:   Set to true to use user-password authentication.
+
+**`var.authentication.user_password_flow.client.id`**
+:   The client ID for user-password authentication.
+
+**`var.authentication.user_password_flow.client.secret`**
+:   The client secret for user-password authentication.
+
+**`var.authentication.user_password_flow.token_url`**
+:   The Salesforce token URL for user-password authentication.
+
+**`var.authentication.user_password_flow.username`**
+:   The Salesforce username for authentication.
+
+**`var.authentication.user_password_flow.password`**
+:   The password for the Salesforce user.
+
+**`var.url`**
+:   The URL of the Salesforce instance.
+
+**`var.real_time`**
+:   Set to true to collect real-time data collection.
+
+**`var.real_time_interval`**
+:   Interval for collecting real-time logs, e.g. 30s or 5m.
+
+
+### `apex` fileset [_apex_fileset]
+
+Example config:
+
+```yaml
+- module: salesforce
+  apex:
+    enabled: true
+    var.initial_interval: 1d
+    var.log_file_interval: Hourly
+    var.api_version: 56
+
+    var.authentication:
+      jwt_bearer_flow:
+        enabled: false
+        client.id: "my-client-id"
+        client.username: "my.email@here.com"
+        client.key_path: client_key.pem
+        url: https://login.salesforce.com
+      user_password_flow:
+        enabled: true
+        client.id: "my-client-id"
+        client.secret: "my-client-secret"
+        token_url: "https://login.salesforce.com"
+        username: "my.email@here.com"
+        password: "password"
+
+    var.url: "https://instance-url.salesforce.com"
+
+    var.event_log_file: true
+    var.elf_interval: 1h
+    var.log_file_interval: Hourly
+```
+
+**`var.initial_interval`**
+:   The time window for collecting historical data when the input starts. Expects a duration string (e.g. 12h or 7d).
+
+**`var.api_version`**
+:   The API version of the Salesforce instance.
+
+**`var.authentication`**
+:   Authentication config for connecting to Salesforce API. Supports JWT or user-password auth flows.
+
+**`var.authentication.jwt_bearer_flow.enabled`**
+:   Set to true to use JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.client.id`**
+:   The client ID for JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.client.username`**
+:   The username for JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.client.key_path`**
+:   Path to the client key file for JWT authentication.
+
+**`var.authentication.jwt_bearer_flow.url`**
+:   The audience URL for JWT authentication.
+
+**`var.authentication.user_password_flow.enabled`**
+:   Set to true to use user-password authentication.
+
+**`var.authentication.user_password_flow.client.id`**
+:   The client ID for user-password authentication.
+
+**`var.authentication.user_password_flow.client.secret`**
+:   The client secret for user-password authentication.
+
+**`var.authentication.user_password_flow.token_url`**
+:   The Salesforce token URL for user-password authentication.
+
+**`var.authentication.user_password_flow.username`**
+:   The Salesforce username for authentication.
+
+**`var.authentication.user_password_flow.password`**
+:   The password for the Salesforce user.
+
+**`var.url`**
+:   The URL of the Salesforce instance.
+
+**`var.event_log_file`**
+:   Set to true to collect logs from EventLogFile (historical data).
+
+**`var.elf_interval`**
+:   Interval for collecting EventLogFile logs, e.g. 1h or 5m.
+
+**`var.log_file_interval`**
+:   Either "Hourly" or "Daily". The time interval of each log file from EventLogFile.
+
+
+## Troubleshooting [_troubleshooting]
+
+Here are some common issues and how to resolve them:
+
+**Hitting Salesforce API limits**
+:   Reduce the values of `var.real_time_interval` and `var.elf_interval` to poll the API less frequently. Monitor the API usage in your Salesforce instance.
+
+**Connectivity issues**
+:   Verify the `var.url` is correct. Check that the user credentials are valid and have the necessary permissions. Ensure network connectivity between the Elastic Agent and Salesforce instance.
+
+**Not seeing any data**
+:   Check the Elastic Agent logs for errors. Verify the module configuration is correct, the filesets are enabled, and the intervals are reasonable. Confirm there is log activity in Salesforce for the log types being collected.
+
+
+## Fields [_fields_47]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-salesforce.md) section.
diff --git a/docs/reference/filebeat/_step_1_set_an_identifier_for_each_filestream_input.md b/docs/reference/filebeat/_step_1_set_an_identifier_for_each_filestream_input.md
new file mode 100644
index 000000000000..6565f0077d84
--- /dev/null
+++ b/docs/reference/filebeat/_step_1_set_an_identifier_for_each_filestream_input.md
@@ -0,0 +1,35 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/_step_1_set_an_identifier_for_each_filestream_input.html
+---
+
+# Step 1: Set an identifier for each filestream input [_step_1_set_an_identifier_for_each_filestream_input]
+
+All `filestream` inputs require an ID. Ensure you set a unique identifier for every input.
+
+::::{important}
+Never change the ID of an input, or you will end up with duplicate events.
+::::
+
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  enabled: true
+  id: my-java-collector
+  paths:
+    - /var/log/java-exceptions*.log
+
+- type: filestream
+  enabled: true
+  id: my-application-input
+  paths:
+    - /var/log/my-application*.json
+
+- type: filestream
+  enabled: true
+  id: my-old-files
+  paths:
+    - /var/log/my-old-files*.log
+```
+
diff --git a/docs/reference/filebeat/_step_2_enable_the_take_over_mode.md b/docs/reference/filebeat/_step_2_enable_the_take_over_mode.md
new file mode 100644
index 000000000000..d951575d93c2
--- /dev/null
+++ b/docs/reference/filebeat/_step_2_enable_the_take_over_mode.md
@@ -0,0 +1,50 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/_step_2_enable_the_take_over_mode.html
+---
+
+# Step 2: Enable the take over mode [_step_2_enable_the_take_over_mode]
+
+Now, to indicate that the new `filestream` is supposed to take over the files from a previously defined `log` input, we need to add `take_over: true` to each new `filestream`. This will make sure that the new `filestream` inputs will continue ingesting files from the same offset where the `log` inputs stopped.
+
+::::{note}
+It’s recommended to enable debug-level logs for Filebeat in order to follow the migration process. After the first run with `take_over: true` the setting can be removed.
+::::
+
+
+::::{warning}
+The `take over` mode is in beta.
+::::
+
+
+::::{important}
+If this parameter is not set, all the files will be re-ingested from the beginning and this will lead to data duplication. Please, double-check that this parameter is set.
+::::
+
+
+```yaml
+logging:
+  level: debug
+filebeat.inputs:
+- type: filestream
+  enabled: true
+  id: my-java-collector
+  take_over: true
+  paths:
+    - /var/log/java-exceptions*.log
+
+- type: filestream
+  enabled: true
+  id: my-application-input
+  take_over: true
+  paths:
+    - /var/log/my-application*.json
+
+- type: filestream
+  enabled: true
+  id: my-old-files
+  take_over: true
+  paths:
+    - /var/log/my-old-files*.log
+```
+
diff --git a/docs/reference/filebeat/_step_3_use_new_option_names.md b/docs/reference/filebeat/_step_3_use_new_option_names.md
new file mode 100644
index 000000000000..fadb26d49082
--- /dev/null
+++ b/docs/reference/filebeat/_step_3_use_new_option_names.md
@@ -0,0 +1,68 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/_step_3_use_new_option_names.html
+---
+
+# Step 3: Use new option names [_step_3_use_new_option_names]
+
+Several options are renamed in `filestream`. You can find a table with all of the changed configuration names at the end of this guide.
+
+The most significant change you have to know about is in parsers. The configuration of `multiline`, `json`, and other parsers has changed. Now the ordering is configurable, so `filestream` expects a list of parsers. Furthermore, the `json` parser was renamed to `ndjson`.
+
+The example configuration shown earlier needs to be adjusted as well:
+
+```yaml
+- type: filestream
+  enabled: true
+  id: my-java-collector
+  take_over: true
+  paths:
+    - /var/log/java-exceptions*.log
+  parsers:
+    - multiline:
+        pattern: '^\['
+        negate: true
+        match: after
+  close.on_state_change.removed: true
+  close.on_state_change.renamed: true
+
+- type: filestream
+  enabled: true
+  id: my-application-input
+  take_over: true
+  paths:
+    - /var/log/my-application*.json
+  prospector.scanner.check_interval: 1m
+  parsers:
+    - ndjson:
+        keys_under_root: true
+
+- type: filestream
+  enabled: true
+  id: my-old-files
+  take_over: true
+  paths:
+    - /var/log/my-old-files*.log
+  ignore_inactive: since_last_start
+```
+
+|     |     |
+| --- | --- |
+| Option name in log input | Option name in filestream input |
+| recursive_glob.enabled | prospector.scanner.recursive_glob |
+| harvester_buffer_size | buffer_size |
+| max_bytes | message_max_bytes |
+| json | parsers.n.ndjson |
+| multiline | parsers.n.multiline |
+| exclude_files | prospector.scanner.exclude_files |
+| close_inactive | close.on_state_change.inactive |
+| close_removed | close.on_state_change.removed |
+| close_eof | close.reader.on_eof |
+| close_timeout | close.reader.after_interval |
+| close_inactive | close.on_state_change.inactive |
+| scan_frequency | prospector.scanner.check_interval |
+| tail_files | ignore_inactive.since_last_start |
+| symlinks | prospector.scanner.symlinks |
+| backoff | backoff.init |
+| backoff_max | backoff.max |
+
diff --git a/docs/reference/filebeat/_step_4.md b/docs/reference/filebeat/_step_4.md
new file mode 100644
index 000000000000..9bf4bc25c37a
--- /dev/null
+++ b/docs/reference/filebeat/_step_4.md
@@ -0,0 +1,11 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/_step_4.html
+---
+
+# Step 4 [_step_4]
+
+The events produced by `filestream` input with `take_over: true` contain a `take_over` tag. You can filter on this tag in Kibana and see the events which came from a filestream in the "take_over" mode.
+
+Once you start receiving events with this tag, you can remove `take_over: true` and restart the fileinput again.
+
diff --git a/docs/reference/filebeat/add-cached-metadata.md b/docs/reference/filebeat/add-cached-metadata.md
new file mode 100644
index 000000000000..bcc7195c0ac0
--- /dev/null
+++ b/docs/reference/filebeat/add-cached-metadata.md
@@ -0,0 +1,121 @@
+---
+navigation_title: "cache"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/add-cached-metadata.html
+---
+
+# Add cached metadata [add-cached-metadata]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `cache` processor enriches events with information from a previously cached events.
+
+```yaml
+processors:
+  - cache:
+      backend:
+        memory:
+          id: cache_id
+      put:
+        key_field: join_key_field
+        value_field: source_field
+```
+
+```yaml
+processors:
+  - cache:
+      backend:
+        memory:
+          id: cache_id
+      get:
+        key_field: join_key_field
+        target_field: destination_field
+```
+
+```yaml
+processors:
+  - cache:
+      backend:
+        memory:
+          id: cache_id
+      delete:
+        key_field: join_key_field
+```
+
+The fields added to the target field will depend on the provider.
+
+It has the following settings:
+
+One of `backend.memory.id` or `backend.file.id` must be provided.
+
+`backend.capacity`
+:   The number of elements that can be stored in the cache. `put` operations that would cause the capacity to be exceeded will result in evictions of the oldest elements. Values at or below zero indicate no limit. The capacity should not be lower than the number of elements that are expected to be referenced when processing the input as evicted elements are lost. The default is `0`, no limit.
+
+`backend.memory.id`
+:   The ID of a memory-based cache. Use the same ID across instance to reference the same cache.
+
+`backend.file.id`
+:   The ID of a file-based cache. Use the same ID across instance to reference the same cache.
+
+`backend.file.write_interval`
+:   The interval between periodic cache writes to the backing file. Valid time units are h, m, s, ms, us/µs and ns. Periodic writes are only made if `backend.file.write_interval` is greater than zero. The contents are always written out to the backing file when the processor is closed. Default is zero, no periodic writes.
+
+One of `put`, `get` or `delete` must be provided.
+
+`put.key_field`
+:   Name of the field containing the key to put into the cache. Required if `put` is present.
+
+`put.value_field`
+:   Name of the field containing the value to put into the cache. Required if `put` is present.
+
+`put.ttl`
+:   The TTL to associate with the cached key/value. Valid time units are h, m, s, ms, us/µs and ns. Required if `put` is present.
+
+`get.key_field`
+:   Name of the field containing the key to get. Required if `get` is present.
+
+`get.target_field`
+:   Name of the field to which the cached value will be written. Required if `get` is present.
+
+`delete.key_field`
+:   Name of the field containing the key to delete. Required if `delete` is present.
+
+`ignore_missing`
+:   (Optional) When set to `false`, events that don’t contain any of the fields in `match_keys` will be discarded and an error will be generated. By default, this condition is ignored.
+
+`overwrite_keys`
+:   (Optional) By default, if a target field already exists, it will not be overwritten and an error will be logged. If `overwrite_keys` is set to `true`, this condition will be ignored.
+
+The `cache` processor can be used to perform joins within the Beat between documents within an event stream.
+
+```yaml
+processors:
+  - if:
+      contains:
+        log.file.path: fdrv2/aidmaster
+    then:
+      - cache:
+          backend:
+            memory:
+              id: aidmaster
+            capacity: 10000
+          put:
+            ttl: 168h
+            key_field: crowdstrike.aid
+            value_field: crowdstrike.metadata
+    else:
+      - cache:
+          backend:
+            memory:
+              id: aidmaster
+          get:
+            key_field: crowdstrike.aid
+            target_field: crowdstrike.metadata
+```
+
+This would enrich an event events with `log.file.path` not equal to "fdrv2/aidmaster" with the `crowdstrike.metadata` fields from events with `log.file.path` equal to that value where the `crowdstrike.aid` field matches between the source and destination documents. The capacity allows up to 10,000 metadata object to be cached between `put` and `get` operations.
+
diff --git a/docs/reference/filebeat/add-cloud-metadata.md b/docs/reference/filebeat/add-cloud-metadata.md
new file mode 100644
index 000000000000..be14896041bb
--- /dev/null
+++ b/docs/reference/filebeat/add-cloud-metadata.md
@@ -0,0 +1,205 @@
+---
+navigation_title: "add_cloud_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/add-cloud-metadata.html
+---
+
+# Add cloud metadata [add-cloud-metadata]
+
+
+The `add_cloud_metadata` processor enriches each event with instance metadata from the machine’s hosting provider. At startup it will query a list of hosting providers and cache the instance metadata.
+
+The following cloud providers are supported:
+
+* Amazon Web Services (AWS)
+* Digital Ocean
+* Google Compute Engine (GCE)
+* [Tencent Cloud](https://www.qcloud.com/?lang=en) (QCloud)
+* Alibaba Cloud (ECS)
+* Huawei Cloud (ECS)
+* Azure Virtual Machine
+* Openstack Nova
+* Hetzner Cloud
+
+
+## Special notes [_special_notes]
+
+`huawei` is an alias for `openstack`. Huawei cloud runs on OpenStack platform, and when viewed from a metadata API standpoint, it is impossible to differentiate it from OpenStack. If you know that your deployments run on Huawei Cloud exclusively, and you wish to have `cloud.provider` value as `huawei`, you can achieve this by overwriting the value using an `add_fields` processor.
+
+The Alibaba Cloud and Tencent cloud providers are disabled by default, because they require to access a remote host. The `providers` setting allows users to select a list of default providers to query.
+
+Cloud providers tend to maintain metadata services compliant with other cloud providers. For example, Openstack supports [EC2 compliant metadat service](https://docs.openstack.org/nova/latest/user/metadata.html#ec2-compatible-metadata). This makes it impossible to differentiate cloud provider (`cloud.provider` property) with auto discovery (when `providers` configuration is omitted). The processor implementation incorporates a priority mechanism where priority is given to some providers over others when there are multiple successful metadata results. Currently, `aws/ec2` and `azure` have priority over any other provider as their metadata retrival rely on SDKs. The expectation here is that SDK methods should fail if run in an environment not configured accordingly (ex:- missing configurations or credentials).
+
+
+## Configurations [_configurations]
+
+The simple configuration below enables the processor.
+
+```yaml
+processors:
+  - add_cloud_metadata: ~
+```
+
+The `add_cloud_metadata` processor has three optional configuration settings. The first one is `timeout` which specifies the maximum amount of time to wait for a successful response when detecting the hosting provider. The default timeout value is `3s`.
+
+If a timeout occurs then no instance metadata will be added to the events. This makes it possible to enable this processor for all your deployments (in the cloud or on-premise).
+
+The second optional setting is `providers`. The `providers` settings accepts a list of cloud provider names to be used. If `providers` is not configured, then all providers that do not access a remote endpoint are enabled by default. The list of providers may alternatively be configured with the environment variable `BEATS_ADD_CLOUD_METADATA_PROVIDERS`, by setting it to a comma-separated list of provider names.
+
+List of names the `providers` setting supports:
+
+* "alibaba", or "ecs" for the Alibaba Cloud provider (disabled by default).
+* "azure" for Azure Virtual Machine (enabled by default). If the virtual machine is part of an AKS managed cluster, the fields `orchestrator.cluster.name` and `orchestrator.cluster.id` can also be retrieved. "TENANT_ID", "CLIENT_ID" and "CLIENT_SECRET" environment variables need to be set for authentication purposes. If not set we fallback to [DefaultAzureCredential](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication?tabs=bash#2-authenticate-with-azure) and user can choose different authentication methods (e.g. workload identity).
+* "digitalocean" for Digital Ocean (enabled by default).
+* "aws", or "ec2" for Amazon Web Services (enabled by default).
+* "gcp" for Google Copmute Enging (enabled by default).
+* "openstack", "nova", or "huawei" for Openstack Nova (enabled by default).
+* "openstack-ssl", or "nova-ssl" for Openstack Nova when SSL metadata APIs are enabled (enabled by default).
+* "tencent", or "qcloud" for Tencent Cloud (disabled by default).
+* "hetzner" for Hetzner Cloud (enabled by default).
+
+For example, configuration below only utilize `aws` metadata retrival mechanism,
+
+```yaml
+processors:
+  - add_cloud_metadata:
+      providers:
+        aws
+```
+
+The third optional configuration setting is `overwrite`. When `overwrite` is `true`, `add_cloud_metadata` overwrites existing `cloud.*` fields (`false` by default).
+
+The `add_cloud_metadata` processor supports SSL options to configure the http client used to query cloud metadata. See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+
+
+## Provided metadata [_provided_metadata]
+
+The metadata that is added to events varies by hosting provider. Below are examples for each of the supported providers.
+
+*AWS*
+
+Metadata given below are extracted from [instance identity document](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html),
+
+```json
+{
+  "cloud": {
+    "account.id": "123456789012",
+    "availability_zone": "us-east-1c",
+    "instance.id": "i-4e123456",
+    "machine.type": "t2.medium",
+    "image.id": "ami-abcd1234",
+    "provider": "aws",
+    "region": "us-east-1"
+  }
+}
+```
+
+If the EC2 instance has IMDS enabled and if tags are allowed through IMDS endpoint, the processor will further append tags in metadata. Please refer official documentation on [IMDS endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) for further details.
+
+```json
+{
+  "aws": {
+    "tags": {
+      "org" : "myOrg",
+      "owner": "userID"
+    }
+  }
+}
+```
+
+*Digital Ocean*
+
+```json
+{
+  "cloud": {
+    "instance.id": "1234567",
+    "provider": "digitalocean",
+    "region": "nyc2"
+  }
+}
+```
+
+*GCP*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "us-east1-b",
+    "instance.id": "1234556778987654321",
+    "machine.type": "f1-micro",
+    "project.id": "my-dev",
+    "provider": "gcp"
+  }
+}
+```
+
+*Tencent Cloud*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "gz-azone2",
+    "instance.id": "ins-qcloudv5",
+    "provider": "qcloud",
+    "region": "china-south-gz"
+  }
+}
+```
+
+*Alibaba Cloud*
+
+This metadata is only available when VPC is selected as the network type of the ECS instance.
+
+```json
+{
+  "cloud": {
+    "availability_zone": "cn-shenzhen",
+    "instance.id": "i-wz9g2hqiikg0aliyun2b",
+    "provider": "ecs",
+    "region": "cn-shenzhen-a"
+  }
+}
+```
+
+*Azure Virtual Machine*
+
+```json
+{
+  "cloud": {
+    "provider": "azure",
+    "instance.id": "04ab04c3-63de-4709-a9f9-9ab8c0411d5e",
+    "instance.name": "test-az-vm",
+    "machine.type": "Standard_D3_v2",
+    "region": "eastus2"
+  }
+}
+```
+
+*Openstack Nova*
+
+```json
+{
+  "cloud": {
+    "instance.name": "test-998d932195.mycloud.tld",
+    "instance.id": "i-00011a84",
+    "availability_zone": "xxxx-az-c",
+    "provider": "openstack",
+    "machine.type": "m2.large"
+  }
+}
+```
+
+*Hetzner Cloud*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "hel1-dc2",
+    "instance.name": "my-hetzner-instance",
+    "instance.id": "111111",
+    "provider": "hetzner",
+    "region": "eu-central"
+  }
+}
+```
+
diff --git a/docs/reference/filebeat/add-cloudfoundry-metadata.md b/docs/reference/filebeat/add-cloudfoundry-metadata.md
new file mode 100644
index 000000000000..522df68560ba
--- /dev/null
+++ b/docs/reference/filebeat/add-cloudfoundry-metadata.md
@@ -0,0 +1,70 @@
+---
+navigation_title: "add_cloudfoundry_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/add-cloudfoundry-metadata.html
+---
+
+# Add Cloud Foundry metadata [add-cloudfoundry-metadata]
+
+
+The `add_cloudfoundry_metadata` processor annotates each event with relevant metadata from Cloud Foundry applications. The events are annotated with Cloud Foundry metadata, only if the event contains a reference to a Cloud Foundry application (using field `cloudfoundry.app.id`) and the configured Cloud Foundry client is able to retrieve information for the application.
+
+Each event is annotated with:
+
+* Application Name
+* Space ID
+* Space Name
+* Organization ID
+* Organization Name
+
+::::{note}
+Pivotal Application Service and Tanzu Application Service include this metadata in all events from the firehose since version 2.8. In these cases the metadata in the events is used, and `add_cloudfoundry_metadata` processor doesn’t modify these fields.
+::::
+
+
+For efficient annotation, application metadata retrieved by the Cloud Foundry client is stored in a persistent cache on the filesystem under the `path.data` directory. This is done so the metadata can persist across restarts of Filebeat. For control over this cache, use the `cache_duration` and `cache_retry_delay` settings.
+
+```yaml
+processors:
+  - add_cloudfoundry_metadata:
+      api_address: https://api.dev.cfdev.sh
+      client_id: uaa-filebeat
+      client_secret: verysecret
+      ssl:
+        verification_mode: none
+      # To connect to Cloud Foundry over verified TLS you can specify a client and CA certificate.
+      #ssl:
+      #  certificate_authorities: ["/etc/pki/cf/ca.pem"]
+      #  certificate:              "/etc/pki/cf/cert.pem"
+      #  key:                      "/etc/pki/cf/cert.key"
+```
+
+It has the following settings:
+
+`api_address`
+:   (Optional) The URL of the Cloud Foundry API. It uses `http://api.bosh-lite.com` by default.
+
+`doppler_address`
+:   (Optional) The URL of the Cloud Foundry Doppler Websocket. It uses value from ${api_address}/v2/info by default.
+
+`uaa_address`
+:   (Optional) The URL of the Cloud Foundry UAA API. It uses value from ${api_address}/v2/info by default.
+
+`rlp_address`
+:   (Optional) The URL of the Cloud Foundry RLP Gateway. It uses value from ${api_address}/v2/info by default.
+
+`client_id`
+:   Client ID to authenticate with Cloud Foundry.
+
+`client_secret`
+:   Client Secret to authenticate with Cloud Foundry.
+
+`cache_duration`
+:   (Optional) Maximum amount of time to cache an application’s metadata. Defaults to 120 seconds.
+
+`cache_retry_delay`
+:   (Optional) Time to wait before trying to obtain an application’s metadata again in case of error. Defaults to 20 seconds.
+
+`ssl`
+:   (Optional) SSL configuration to use when connecting to Cloud Foundry.
+
diff --git a/docs/reference/filebeat/add-docker-metadata.md b/docs/reference/filebeat/add-docker-metadata.md
new file mode 100644
index 000000000000..989bd27a83f9
--- /dev/null
+++ b/docs/reference/filebeat/add-docker-metadata.md
@@ -0,0 +1,80 @@
+---
+navigation_title: "add_docker_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/add-docker-metadata.html
+---
+
+# Add Docker metadata [add-docker-metadata]
+
+
+The `add_docker_metadata` processor annotates each event with relevant metadata from Docker containers. At startup it detects a docker environment and caches the metadata. The events are annotated with Docker metadata, only if a valid configuration is detected and the processor is able to reach Docker API.
+
+Each event is annotated with:
+
+* Container ID
+* Name
+* Image
+* Labels
+
+::::{note}
+When running Filebeat in a container, you need to provide access to Docker’s unix socket in order for the `add_docker_metadata` processor to work. You can do this by mounting the socket inside the container. For example:
+
+`docker run -v /var/run/docker.sock:/var/run/docker.sock ...`
+
+To avoid privilege issues, you may also need to add `--user=root` to the `docker run` flags. Because the user must be part of the docker group in order to access `/var/run/docker.sock`, root access is required if Filebeat is running as non-root inside the container.
+
+If Docker daemon is restarted the mounted socket will become invalid and metadata will stop working, in these situations there are two options:
+
+* Restart Filebeat every time Docker is restarted
+* Mount the entire `/var/run` directory (instead of just the socket)
+
+::::
+
+
+```yaml
+processors:
+  - add_docker_metadata:
+      host: "unix:///var/run/docker.sock"
+      #match_fields: ["system.process.cgroup.id"]
+      #match_pids: ["process.pid", "process.parent.pid"]
+      #match_source: true
+      #match_source_index: 4
+      #match_short_id: true
+      #cleanup_timeout: 60
+      #labels.dedot: false
+      # To connect to Docker over TLS you must specify a client and CA certificate.
+      #ssl:
+      #  certificate_authority: "/etc/pki/root/ca.pem"
+      #  certificate:           "/etc/pki/client/cert.pem"
+      #  key:                   "/etc/pki/client/cert.key"
+```
+
+It has the following settings:
+
+`host`
+:   (Optional) Docker socket (UNIX or TCP socket). It uses `unix:///var/run/docker.sock` by default.
+
+`ssl`
+:   (Optional) SSL configuration to use when connecting to the Docker socket.
+
+`match_fields`
+:   (Optional) A list of fields to match a container ID, at least one of them should hold a container ID to get the event enriched.
+
+`match_pids`
+:   (Optional) A list of fields that contain process IDs. If the process is running in Docker then the event will be enriched. The default value is `["process.pid", "process.parent.pid"]`.
+
+`match_source`
+:   (Optional) Match container ID from a log path present in the `log.file.path` field. Enabled by default.
+
+`match_short_id`
+:   (Optional) Match container short ID from a log path present in the `log.file.path` field. Disabled by default. This allows to match directories names that have the first 12 characters of the container ID. For example, `/var/log/containers/b7e3460e2b21/*.log`.
+
+`match_source_index`
+:   (Optional) Index in the source path split by `/` to look for container ID. It defaults to 4 to match `/var/lib/docker/containers/<container_id>/*.log`
+
+`cleanup_timeout`
+:   (Optional) Time of inactivity to consider we can clean and forget metadata for a container, 60s by default.
+
+`labels.dedot`
+:   (Optional) Default to be false. If set to true, replace dots in labels with `_`.
+
diff --git a/docs/reference/filebeat/add-fields.md b/docs/reference/filebeat/add-fields.md
new file mode 100644
index 000000000000..2068d570f47b
--- /dev/null
+++ b/docs/reference/filebeat/add-fields.md
@@ -0,0 +1,51 @@
+---
+navigation_title: "add_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/add-fields.html
+---
+
+# Add fields [add-fields]
+
+
+The `add_fields` processor adds additional fields to the event.  Fields can be scalar values, arrays, dictionaries, or any nested combination of these. The `add_fields` processor will overwrite the target field if it already exists. By default the fields that you specify will be grouped under the `fields` sub-dictionary in the event. To group the fields under a different sub-dictionary, use the `target` setting. To store the fields as top-level fields, set `target: ''`.
+
+`target`
+:   (Optional) Sub-dictionary to put all fields into. Defaults to `fields`. Setting this to `@metadata` will add values to the event metadata instead of fields.
+
+`fields`
+:   Fields to be added.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_fields:
+      target: project
+      fields:
+        name: myproject
+        id: '574734885120952459'
+```
+
+Adds these fields to any event:
+
+```json
+{
+  "project": {
+    "name": "myproject",
+    "id": "574734885120952459"
+  }
+}
+```
+
+This configuration will alter the event metadata:
+
+```yaml
+processors:
+  - add_fields:
+      target: '@metadata'
+      fields:
+        op_type: "index"
+```
+
+When the event is ingested (e.g. by Elastisearch) the document will have `op_type: "index"` set as a metadata field.
+
diff --git a/docs/reference/filebeat/add-host-metadata.md b/docs/reference/filebeat/add-host-metadata.md
new file mode 100644
index 000000000000..e4b8db929f94
--- /dev/null
+++ b/docs/reference/filebeat/add-host-metadata.md
@@ -0,0 +1,92 @@
+---
+navigation_title: "add_host_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/add-host-metadata.html
+---
+
+# Add Host metadata [add-host-metadata]
+
+
+```yaml
+processors:
+  - add_host_metadata:
+      cache.ttl: 5m
+      geo:
+        name: nyc-dc1-rack1
+        location: 40.7128, -74.0060
+        continent_name: North America
+        country_iso_code: US
+        region_name: New York
+        region_iso_code: NY
+        city_name: New York
+```
+
+It has the following settings:
+
+`netinfo.enabled`
+:   (Optional) Default true. Include IP addresses and MAC addresses as fields host.ip and host.mac
+
+`cache.ttl`
+:   (Optional) The processor uses an internal cache for the host metadata. This sets the cache expiration time. The default is 5m, negative values disable caching altogether.
+
+`geo.name`
+:   (Optional) User definable token to be used for identifying a discrete location. Frequently a datacenter, rack, or similar.
+
+`geo.location`
+:   (Optional) Longitude and latitude in comma separated format.
+
+`geo.continent_name`
+:   (Optional) Name of the continent.
+
+`geo.country_name`
+:   (Optional) Name of the country.
+
+`geo.region_name`
+:   (Optional) Name of the region.
+
+`geo.city_name`
+:   (Optional) Name of the city.
+
+`geo.country_iso_code`
+:   (Optional) ISO country code.
+
+`geo.region_iso_code`
+:   (Optional) ISO region code.
+
+`replace_fields`
+:   (Optional) Default true. If set to false, original host fields from the event will not be replaced by host fields from `add_host_metadata`.
+
+The `add_host_metadata` processor annotates each event with relevant metadata from the host machine. The fields added to the event look like the following:
+
+```json
+{
+   "host":{
+      "architecture":"x86_64",
+      "name":"example-host",
+      "id":"",
+      "os":{
+         "family":"darwin",
+         "type":"macos",
+         "build":"16G1212",
+         "platform":"darwin",
+         "version":"10.12.6",
+         "kernel":"16.7.0",
+         "name":"Mac OS X"
+      },
+      "ip": ["192.168.0.1", "10.0.0.1"],
+      "mac": ["00:25:96:12:34:56", "72:00:06:ff:79:f1"],
+      "geo": {
+          "continent_name": "North America",
+          "country_iso_code": "US",
+          "region_name": "New York",
+          "region_iso_code": "NY",
+          "city_name": "New York",
+          "name": "nyc-dc1-rack1",
+          "location": "40.7128, -74.0060"
+        }
+   }
+}
+```
+
+Note: `add_host_metadata` processor will overwrite host fields if `host.*` fields already exist in the event from Beats by default with `replace_fields` equals to `true`. Please use `add_observer_metadata` if the beat is being used to monitor external systems.
+
diff --git a/docs/reference/filebeat/add-id.md b/docs/reference/filebeat/add-id.md
new file mode 100644
index 000000000000..f9f672dd362b
--- /dev/null
+++ b/docs/reference/filebeat/add-id.md
@@ -0,0 +1,24 @@
+---
+navigation_title: "add_id"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/add-id.html
+---
+
+# Generate an ID for an event [add-id]
+
+
+The `add_id` processor generates a unique ID for an event.
+
+```yaml
+processors:
+  - add_id: ~
+```
+
+The following settings are supported:
+
+`target_field`
+:   (Optional) Field where the generated ID will be stored. Default is `@metadata._id`.
+
+`type`
+:   (Optional) Type of ID to generate. Currently only `elasticsearch` is supported and is the default. The `elasticsearch` type generates IDs using the same algorithm that Elasticsearch uses for auto-generating document IDs.
+
diff --git a/docs/reference/filebeat/add-kubernetes-metadata.md b/docs/reference/filebeat/add-kubernetes-metadata.md
new file mode 100644
index 000000000000..e6f0da382a01
--- /dev/null
+++ b/docs/reference/filebeat/add-kubernetes-metadata.md
@@ -0,0 +1,282 @@
+---
+navigation_title: "add_kubernetes_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/add-kubernetes-metadata.html
+---
+
+# Add Kubernetes metadata [add-kubernetes-metadata]
+
+
+The `add_kubernetes_metadata` processor annotates each event with relevant metadata based on which Kubernetes pod the event originated from. This processor only adds metadata to the events that do not have it yet present.
+
+At startup, it detects an `in_cluster` environment and caches the Kubernetes-related metadata. Events are only annotated if a valid configuration is detected. If it’s not able to detect a valid Kubernetes configuration, the events are not annotated with Kubernetes-related metadata.
+
+Each event is annotated with:
+
+* Pod Name
+* Pod UID
+* Namespace
+* Labels
+
+In addition, the node and namespace metadata are added to the pod metadata.
+
+The `add_kubernetes_metadata` processor has two basic building blocks:
+
+* Indexers
+* Matchers
+
+Indexers use pod metadata to create unique identifiers for each one of the pods. These identifiers help to correlate the metadata of the observed pods with actual events. For example, the `ip_port` indexer can take a Kubernetes pod and create identifiers for it based on all its `pod_ip:container_port` combinations.
+
+Matchers use information in events to construct lookup keys that match the identifiers created by the indexers. For example, when the `fields` matcher takes `["metricset.host"]` as a lookup field, it would construct a lookup key with the value of the field `metricset.host`. When one of these lookup keys matches with one of the identifiers, the event is enriched with the metadata of the identified pod.
+
+When `add_kubernetes_metadata` is used with Filebeat, it uses the `container` indexer and the `logs_path`. So events whose path in `log.file.path` contains a reference to a container ID are enriched with metadata of the pod of this container.
+
+This behaviour can be disabled by disabling default indexers and matchers in the configuration:
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      default_indexers.enabled: false
+      default_matchers.enabled: false
+```
+
+You can find more information about the available indexers and matchers, and some examples in [Indexers and matchers](#kubernetes-indexers-and-matchers).
+
+The configuration below enables the processor when filebeat is run as a pod in Kubernetes.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The configuration below enables the processor on a Beat running as a process on the Kubernetes node.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      host: <hostname>
+      # If kube_config is not set, KUBECONFIG environment variable will be checked
+      # and if not present it will fall back to InCluster
+      kube_config: $Filebeat Reference/.kube/config
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The configuration below has the default indexers and matchers disabled and enables ones that the user is interested in.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      host: <hostname>
+      # If kube_config is not set, KUBECONFIG environment variable will be checked
+      # and if not present it will fall back to InCluster
+      kube_config: ~/.kube/config
+      default_indexers.enabled: false
+      default_matchers.enabled: false
+      indexers:
+        - ip_port:
+      matchers:
+        - fields:
+            lookup_fields: ["metricset.host"]
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The `add_kubernetes_metadata` processor has the following configuration settings:
+
+`host`
+:   (Optional) Specify the node to scope filebeat to in case it cannot be accurately detected, as when running filebeat in host network mode.
+
+`scope`
+:   (Optional) Specify if the processor should have visibility at the node level or at the entire cluster level. Possible values are `node` and `cluster`. Scope is `node` by default.
+
+`namespace`
+:   (Optional) Select the namespace from which to collect the metadata. If it is not set, the processor collects metadata from all namespaces. It is unset by default.
+
+`add_resource_metadata`
+:   (Optional) Specify filters and configuration for the extra metadata, that will be added to the event. Configuration parameters:
+
+    * `node` or `namespace`: Specify labels and annotations filters for the extra metadata coming from node and namespace. By default all labels are included while annotations are not. To change default behaviour `include_labels`, `exclude_labels` and `include_annotations` can be defined. Those settings are useful when storing labels and annotations that require special handling to avoid overloading the storage output. Note: wildcards are not supported for those settings. The enrichment of `node` or `namespace` metadata can be individually disabled by setting `enabled: false`.
+    * `deployment`: If resource is `pod` and it is created from a `deployment`, by default the deployment name is added, this can be disabled by setting `deployment: false`.
+    * `cronjob`: If resource is `pod` and it is created from a `cronjob`, by default the cronjob name is added, this can be disabled by setting `cronjob: false`.
+
+        Example:
+
+
+```yaml
+      add_resource_metadata:
+        namespace:
+          include_labels: ["namespacelabel1"]
+          #labels.dedot: true
+          #annotations.dedot: true
+        node:
+          include_labels: ["nodelabel2"]
+          include_annotations: ["nodeannotation1"]
+          #labels.dedot: true
+          #annotations.dedot: true
+        deployment: false
+        cronjob: false
+```
+
+`kube_config`
+:   (Optional) Use given config file as configuration for Kubernetes client. It defaults to `KUBECONFIG` environment variable if present.
+
+`use_kubeadm`
+:   (Optional) Default true. By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+
+`kube_client_options`
+:   (Optional) Additional options can be configured for Kubernetes client. Currently client QPS and burst are supported, if not set Kubernetes client’s [default QPS and burst](https://pkg.go.dev/k8s.io/client-go/rest#pkg-constants) will be used. Example:
+
+```yaml
+      kube_client_options:
+        qps: 5
+        burst: 10
+```
+
+`cleanup_timeout`
+:   (Optional) Specify the time of inactivity before stopping the running configuration for a container. This is `60s` by default.
+
+`sync_period`
+:   (Optional) Specify the timeout for listing historical resources.
+
+`default_indexers.enabled`
+:   (Optional) Enable or disable default pod indexers when you want to specify your own.
+
+`default_matchers.enabled`
+:   (Optional) Enable or disable default pod matchers when you want to specify your own.
+
+`labels.dedot`
+:   (Optional) Default to be true. If set to true, then `.` in labels will be replaced with `_`.
+
+`annotations.dedot`
+:   (Optional) Default to be true. If set to true, then `.` in labels will be replaced with `_`.
+
+
+## Indexers and matchers [kubernetes-indexers-and-matchers]
+
+## Indexers [_indexers]
+
+Indexers use pods metadata to create unique identifiers for each one of the pods.
+
+Available indexers are:
+
+`container`
+:   Identifies the pod metadata using the IDs of its containers.
+
+`ip_port`
+:   Identifies the pod metadata using combinations of its IP and its exposed ports. When using this indexer metadata is identified using the IP of the pods, and the combination if `ip:port` for each one of the ports exposed by its containers.
+
+`pod_name`
+:   Identifies the pod metadata using its namespace and its name as `namespace/pod_name`.
+
+`pod_uid`
+:   Identifies the pod metadata using the UID of the pod.
+
+
+## Matchers [_matchers]
+
+Matchers are used to construct the lookup keys that match with the identifiers created by indexes.
+
+### `field_format` [_field_format]
+
+Looks up pod metadata using a key created with a string format that can include event fields.
+
+This matcher has an option `format` to define the string format. This string format can contain placeholders for any field in the event.
+
+For example, the following configuration uses the `ip_port` indexer to identify the pod metadata by combinations of the pod IP and its exposed ports, and uses the destination IP and port in events as match keys:
+
+```yaml
+processors:
+- add_kubernetes_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - ip_port:
+    matchers:
+      - field_format:
+          format: '%{[destination.ip]}:%{[destination.port]}'
+```
+
+
+### `fields` [_fields]
+
+Looks up pod metadata using as key the value of some specific fields. When multiple fields are defined, the first one included in the event is used.
+
+This matcher has an option `lookup_fields` to define the files whose value will be used for lookup.
+
+For example, the following configuration uses the `ip_port` indexer to identify pods, and defines a matcher that uses the destination IP or the server IP for the lookup, the first it finds in the event:
+
+```yaml
+processors:
+- add_kubernetes_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - ip_port:
+    matchers:
+      - fields:
+          lookup_fields: ['destination.ip', 'server.ip']
+```
+
+It’s also possible to extract the matching key from fields using a regex pattern. The optional `regex_pattern` field can be used to set the pattern. The pattern **must** contain a capture group named `key`, whose value will be used as the matching key.
+
+For example, the following configuration uses the `container` indexer to identify containers by their id, and extracts the matching key from the cgroup id field added to system process metrics. This field has the form `cri-containerd-<id>.scope`, so we need a regex pattern to obtain the container id.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      indexers:
+        - container:
+      matchers:
+        - fields:
+            lookup_fields: ['system.process.cgroup.id']
+            regex_pattern: 'cri-containerd-(?P<key>[0-9a-z]+)\.scope'
+```
+
+
+### `logs_path` [_logs_path]
+
+Looks up pod metadata using identifiers extracted from the log path stored in the `log.file.path` field.
+
+This matcher has the following configuration settings:
+
+`logs_path`
+:   (Optional) Base path of container logs. If not specified, it uses the default logs path of the platform where Filebeat is running: for Linux - `/var/lib/docker/containers/`, Windows - `C:\\ProgramData\\Docker\\containers`. To change the default value: container ID must follow right after the `logs_path` - `<log_path>/<container_id>`, where `container_id` is a 64-character-long hexadecimal string.
+
+`resource_type`
+:   (Optional) Type of the resource to obtain the ID of. Valid `resource_type`:
+
+    * `pod`: to make the lookup based on the pod UID. When `resource_type` is set to `pod`, `logs_path` must be set as well, supported path in this case:
+
+        * `/var/lib/kubelet/pods/` used to read logs from mounted into the pod volumes, those logs end up under `/var/lib/kubelet/pods/<pod UID>/volumes/<volume name>/...` To use `/var/lib/kubelet/pods/` as a `log_path`, `/var/lib/kubelet/pods` must be mounted into the filebeat Pods.
+        * `/var/log/pods/` Note: when using `resource_type: 'pod'` logs will be enriched only with pod metadata: pod id, pod name, etc., not container metadata.
+
+    * `container`: to make the lookup based on the container ID, `logs_path` must be set to `/var/log/containers/`. It defaults to `container`.
+
+
+To be able to use `logs_path` matcher filebeat input path must be a subdirectory of directory defined in `logs_path` configuration setting.
+
+The default configuration is able to lookup the metadata using the container ID when the logs are collected from the default docker logs path (`/var/lib/docker/containers/<container ID>/...` on Linux).
+
+For example the following configuration would use the pod UID when the logs are collected from `/var/lib/kubelet/pods/<pod UID>/...`.
+
+```yaml
+processors:
+- add_kubernetes_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - pod_uid:
+    matchers:
+      - logs_path:
+          logs_path: '/var/lib/kubelet/pods'
+          resource_type: 'pod'
+```
+
+
+
diff --git a/docs/reference/filebeat/add-labels.md b/docs/reference/filebeat/add-labels.md
new file mode 100644
index 000000000000..ff01769c1df3
--- /dev/null
+++ b/docs/reference/filebeat/add-labels.md
@@ -0,0 +1,45 @@
+---
+navigation_title: "add_labels"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/add-labels.html
+---
+
+# Add labels [add-labels]
+
+
+The `add_labels` processors adds a set of key-value pairs to an event. The processor will flatten nested configuration objects like arrays or dictionaries into a fully qualified name by merging nested names with a `.`. Array entries create numeric names starting with 0.  Labels are always stored under the Elastic Common Schema compliant `labels` sub-dictionary.
+
+`labels`
+:   dictionaries of labels to be added.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_labels:
+      labels:
+        number: 1
+        with.dots: test
+        nested:
+          with.dots: nested
+        array:
+          - do
+          - re
+          - with.field: mi
+```
+
+Adds these fields to every event:
+
+```json
+{
+  "labels": {
+    "number": 1,
+    "with.dots": "test",
+    "nested.with.dots": "nested",
+    "array.0": "do",
+    "array.1": "re",
+    "array.2.with.field": "mi"
+  }
+}
+```
+
diff --git a/docs/reference/filebeat/add-locale.md b/docs/reference/filebeat/add-locale.md
new file mode 100644
index 000000000000..503e798c7454
--- /dev/null
+++ b/docs/reference/filebeat/add-locale.md
@@ -0,0 +1,31 @@
+---
+navigation_title: "add_locale"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/add-locale.html
+---
+
+# Add the local time zone [add-locale]
+
+
+The `add_locale` processor enriches each event with the machine’s time zone offset from UTC or with the name of the time zone. It supports one configuration option named `format` that controls whether an offset or time zone abbreviation is added to the event. The default format is `offset`. The processor adds the a `event.timezone` value to each event.
+
+The configuration below enables the processor with the default settings.
+
+```yaml
+processors:
+  - add_locale: ~
+```
+
+This configuration enables the processor and configures it to add the time zone abbreviation to events.
+
+```yaml
+processors:
+  - add_locale:
+      format: abbreviation
+```
+
+::::{note}
+Please note that `add_locale` differentiates between daylight savings time (DST) and regular time. For example `CEST` indicates DST and and `CET` is regular time.
+::::
+
+
diff --git a/docs/reference/filebeat/add-network-direction.md b/docs/reference/filebeat/add-network-direction.md
new file mode 100644
index 000000000000..8cc396a71227
--- /dev/null
+++ b/docs/reference/filebeat/add-network-direction.md
@@ -0,0 +1,22 @@
+---
+navigation_title: "add_network_direction"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/add-network-direction.html
+---
+
+# Add network direction [add-network-direction]
+
+
+The `add_network_direction` processor attempts to compute the perimeter-based network direction given an a source and destination ip address and list of internal networks. The key `internal_networks` can contain either CIDR blocks or a list of special values enumerated in the network section of [Conditions](/reference/filebeat/defining-processors.md#conditions).
+
+```yaml
+processors:
+  - add_network_direction:
+      source: source.ip
+      destination: destination.ip
+      target: network.direction
+      internal_networks: [ private ]
+```
+
+See [Conditions](/reference/filebeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/filebeat/add-nomad-metadata.md b/docs/reference/filebeat/add-nomad-metadata.md
new file mode 100644
index 000000000000..a7fab850eedc
--- /dev/null
+++ b/docs/reference/filebeat/add-nomad-metadata.md
@@ -0,0 +1,161 @@
+---
+navigation_title: "add_nomad_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/add-nomad-metadata.html
+---
+
+# Add Nomad metadata [add-nomad-metadata]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `add_nomad_metadata` processor adds fields with relevant metadata for applications deployed in Nomad.
+
+Each event is annotated with the following information:
+
+* Allocation name, identifier and status.
+* Job name and type.
+* Namespace where the job is deployed.
+* Datacenter and region where the agent running the allocation is located.
+
+```yaml
+processors:
+  - add_nomad_metadata: ~
+```
+
+It has the following settings to configure the connection:
+
+`address`
+:   (Optional) The URL of the agent API used to request the metadata. It uses `http://127.0.0.1:4646` by default.
+
+`namespace`
+:   (Optional) Namespace to watch. If set, only events for allocations in this namespace will be annotated.
+
+`region`
+:   (Optional) Region to watch. If set, only events for allocations in this region will be annotated.
+
+`secret_id`
+:   (Optional) SecretID to use when connecting with the agent API. This is an example ACL policy to apply to the token.
+
+```json
+namespace "*" {
+  policy = "read"
+}
+node {
+  policy = "read"
+}
+agent {
+  policy = "read"
+}
+```
+
+`refresh_interval`
+:   (Optional) Interval used to update the cached metadata. It defaults to 30 seconds.
+
+`cleanup_timeout`
+:   (Optional) After an allocation has been removed, time to wait before cleaning up their associated resources. This is useful if you expect to receive events after an allocation has been removed, which can happen when collecting logs. It defaults to 60 seconds.
+
+You can decide if Filebeat should annotate events related to allocations in local node or on the whole cluster configuring the scope with the following settings:
+
+`scope`
+:   (Optional) Scope of the resources to watch. It can be `node` to get metadata only for the allocations in a single agent, or `global`, to get metadata for allocations running on any agent. It defaults to `node`.
+
+`node`
+:   (Optional) When using `scope: node`, use `node` to specify the name of the local node if it cannot be discovered automatically.
+
+For example the following configuration could be used if Filebeat is collecting events from all the allocations in the cluster:
+
+```yaml
+processors:
+  - add_nomad_metadata:
+      scope: global
+```
+
+## Indexers and matchers [_indexers_and_matchers]
+
+Indexers and matchers are used to correlate fields in events with actual metadata. Filebeat uses this information to know what metadata to include in each event.
+
+### Indexers [_indexers_2]
+
+Indexers use allocation metadata to create unique identifiers for each one of the pods.
+
+Avaliable indexers are: `allocation_name`:: Identifies allocations by its name and namespace (as `<namespace>/<name>`) `allocation_uuid`:: Identifies allocations by its unique identifier.
+
+
+### Matchers [_matchers_2]
+
+Matchers are used to construct the lookup keys that match with the identifiers created by indexes.
+
+
+### `field_format` [_field_format_2]
+
+Looks up allocation metadata using a key created with a string format that can include event fields.
+
+This matcher has an option `format` to define the string format. This string format can contain placeholders for any field in the event.
+
+For example, the following configuration uses the `allocation_name` indexer to identify the allocation metadata by its name and namespace, and uses custom fields existing in the event as match keys:
+
+```yaml
+processors:
+- add_nomad_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - allocation_name:
+    matchers:
+      - field_format:
+          format: '%{[labels.nomad_namespace]}/%{[fields.nomad_alloc_name]}'
+```
+
+
+### `fields` [_fields_2]
+
+Looks up allocation metadata using as key the value of some specific fields. When multiple fields are defined, the first one included in the event is used.
+
+This matcher has an option `lookup_fields` to define the fields whose value will be used for lookup.
+
+For example, the following configuration uses the `allocation_uuid` indexer to identify allocations, and defines a matcher that uses some fields where the allocation UUID can be found for lookup, the first it finds in the event:
+
+```yaml
+processors:
+- add_nomad_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - allocation_uuid:
+    matchers:
+      - fields:
+          lookup_fields: ['host.name', 'fields.nomad_alloc_uuid']
+```
+
+
+### `logs_path` [_logs_path_2]
+
+Looks up allocation metadata using identifiers extracted from the log path stored in the `log.file.path` field.
+
+This matcher has an optional `logs_path` option with the base path of the directory containing the logs for the local agent.
+
+The default configuration is able to lookup the metadata using the allocation UUID when the logs are collected under `/var/lib/nomad`.
+
+For example the following configuration would use the allocation UUID when the logs are collected from `/var/lib/NomadClient001/alloc/<alloc UUID>/alloc/logs/...`.
+
+```yaml
+processors:
+- add_nomad_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - allocation_uuid:
+    matchers:
+      - logs_path:
+          logs_path: '/var/lib/NomadClient001'
+```
+
+
+
diff --git a/docs/reference/filebeat/add-observer-metadata.md b/docs/reference/filebeat/add-observer-metadata.md
new file mode 100644
index 000000000000..8a0f8ac92ea8
--- /dev/null
+++ b/docs/reference/filebeat/add-observer-metadata.md
@@ -0,0 +1,88 @@
+---
+navigation_title: "add_observer_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/add-observer-metadata.html
+---
+
+# Add Observer metadata [add-observer-metadata]
+
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+```yaml
+processors:
+  - add_observer_metadata:
+      cache.ttl: 5m
+      geo:
+        name: nyc-dc1-rack1
+        location: 40.7128, -74.0060
+        continent_name: North America
+        country_iso_code: US
+        region_name: New York
+        region_iso_code: NY
+        city_name: New York
+```
+
+It has the following settings:
+
+`netinfo.enabled`
+:   (Optional) Default true. Include IP addresses and MAC addresses as fields observer.ip and observer.mac
+
+`cache.ttl`
+:   (Optional) The processor uses an internal cache for the observer metadata. This sets the cache expiration time. The default is 5m, negative values disable caching altogether.
+
+`geo.name`
+:   (Optional) User definable token to be used for identifying a discrete location. Frequently a datacenter, rack, or similar.
+
+`geo.location`
+:   (Optional) Longitude and latitude in comma separated format.
+
+`geo.continent_name`
+:   (Optional) Name of the continent.
+
+`geo.country_name`
+:   (Optional) Name of the country.
+
+`geo.region_name`
+:   (Optional) Name of the region.
+
+`geo.city_name`
+:   (Optional) Name of the city.
+
+`geo.country_iso_code`
+:   (Optional) ISO country code.
+
+`geo.region_iso_code`
+:   (Optional) ISO region code.
+
+The `add_observer_metadata` processor annotates each event with relevant metadata from the observer machine. The fields added to the event look like the following:
+
+```json
+{
+  "observer" : {
+    "hostname" : "avce",
+    "type" : "heartbeat",
+    "vendor" : "elastic",
+    "ip" : [
+      "192.168.1.251",
+      "fe80::64b2:c3ff:fe5b:b974",
+    ],
+    "mac" : [
+      "dc:c1:02:6f:1b:ed",
+    ],
+    "geo": {
+      "continent_name": "North America",
+      "country_iso_code": "US",
+      "region_name": "New York",
+      "region_iso_code": "NY",
+      "city_name": "New York",
+      "name": "nyc-dc1-rack1",
+      "location": "40.7128, -74.0060"
+    }
+  }
+}
+```
+
diff --git a/docs/reference/filebeat/add-process-metadata.md b/docs/reference/filebeat/add-process-metadata.md
new file mode 100644
index 000000000000..02e942a7e6ca
--- /dev/null
+++ b/docs/reference/filebeat/add-process-metadata.md
@@ -0,0 +1,94 @@
+---
+navigation_title: "add_process_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/add-process-metadata.html
+---
+
+# Add process metadata [add-process-metadata]
+
+
+The `add_process_metadata` processor enriches events with information from running processes, identified by their process ID (PID).
+
+```yaml
+processors:
+  - add_process_metadata:
+      match_pids:
+        - process.pid
+```
+
+The fields added to the event look as follows:
+
+```json
+{
+  "container": {
+    "id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1"
+  },
+  "process": {
+    "args": [
+      "/usr/lib/systemd/systemd",
+      "--switched-root",
+      "--system",
+      "--deserialize",
+      "22"
+    ],
+    "executable": "/usr/lib/systemd/systemd",
+    "name": "systemd",
+    "owner": {
+      "id": "0",
+      "name": "root"
+    },
+    "parent": {
+      "pid": 0
+    },
+    "pid": 1,
+    "start_time": "2018-08-22T08:44:50.684Z",
+    "title": "/usr/lib/systemd/systemd --switched-root --system --deserialize 22"
+  }
+}
+```
+
+Optionally, the process environment can be included, too:
+
+```json
+  ...
+  "env": {
+    "HOME":       "/",
+    "TERM":       "linux",
+    "BOOT_IMAGE": "/boot/vmlinuz-4.11.8-300.fc26.x86_64",
+    "LANG":       "en_US.UTF-8",
+  }
+  ...
+```
+
+It has the following settings:
+
+`match_pids`
+:   List of fields to lookup for a PID. The processor will search the list sequentially until the field is found in the current event, and the PID lookup will be applied to the value of this field.
+
+`target`
+:   (Optional) Destination prefix where the `process` object will be created. The default is the event’s root.
+
+`include_fields`
+:   (Optional) List of fields to add. By default, the processor will add all the available fields except `process.env`.
+
+`ignore_missing`
+:   (Optional) When set to `false`, events that don’t contain any of the fields in match_pids will be discarded and an error will be generated. By default, this condition is ignored.
+
+`overwrite_keys`
+:   (Optional) By default, if a target field already exists, it will not be overwritten, and an error will be logged. If `overwrite_keys` is set to `true`, this condition will be ignored.
+
+`restricted_fields`
+:   (Optional) By default, the `process.env` field is not output, to avoid leaking sensitive data. If `restricted_fields` is `true`, the field will be present in the output.
+
+`host_path`
+:   (Optional) By default, the `host_path` field is set to the root directory of the host `/`. This is the path where `/proc` is mounted. For different runtime configurations of Kubernetes or Docker, the `host_path` can be set to overwrite the default.
+
+`cgroup_prefixes`
+:   (Optional) List of prefixes that will be matched against cgroup paths. When a cgroup path begins with a prefix in the list, then the last element of the path is returned as the container ID. Only one of `cgroup_prefixes` and `cgroup_rexex` should be configured. If neither are configured then a default `cgroup_regex` value is used that matches cgroup paths containing 64-character container IDs (like those from Docker, Kubernetes, and Podman).
+
+`cgroup_regex`
+:   (Optional) A regular expression that will be matched against cgroup paths. It must contain one capturing group. When a cgroup path matches the regular expression then the value of the capturing group is returned as the container ID.  Only one of `cgroup_prefixes` and `cgroup_rexex` should be configured. If neither are configured then a default `cgroup_regex` value is used that matches cgroup paths containing 64-character container IDs (like those from Docker, Kubernetes, and Podman).
+
+`cgroup_cache_expire_time`
+:   (Optional) By default, the `cgroup_cache_expire_time` is set to 30 seconds. This is the length of time before cgroup cache elements expire in seconds. It can be set to 0 to disable the cgroup cache. In some container runtimes technology like runc, the container’s process is also process in the host kernel, and will be affected by PID rollover/reuse. The expire time needs to set smaller than the PIDs wrap around time to avoid wrong container id.
+
diff --git a/docs/reference/filebeat/add-tags.md b/docs/reference/filebeat/add-tags.md
new file mode 100644
index 000000000000..f99b05e2a4f7
--- /dev/null
+++ b/docs/reference/filebeat/add-tags.md
@@ -0,0 +1,34 @@
+---
+navigation_title: "add_tags"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/add-tags.html
+---
+
+# Add tags [add-tags]
+
+
+The `add_tags` processor adds tags to a list of tags. If the target field already exists, the tags are appended to the existing list of tags.
+
+`tags`
+:   List of tags to add.
+
+`target`
+:   (Optional) Field the tags will be added to. Defaults to `tags`. Setting tags in `@metadata` is not supported.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_tags:
+      tags: [web, production]
+      target: "environment"
+```
+
+Adds the environment field to every event:
+
+```json
+{
+  "environment": ["web", "production"]
+}
+```
+
diff --git a/docs/reference/filebeat/advanced-settings.md b/docs/reference/filebeat/advanced-settings.md
new file mode 100644
index 000000000000..0d8170ea6dcb
--- /dev/null
+++ b/docs/reference/filebeat/advanced-settings.md
@@ -0,0 +1,34 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/advanced-settings.html
+---
+
+# Override input settings [advanced-settings]
+
+Behind the scenes, each module starts a Filebeat input. Advanced users can add or override any input settings. For example, you can set [close_eof](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-close-eof) to `true` in the module configuration:
+
+```yaml
+- module: nginx
+  access:
+    input:
+      close_eof: true
+```
+
+Or at the command line when you run Filebeat:
+
+```sh
+-M "nginx.access.input.close_eof=true"
+```
+
+You can use wildcards to change variables or settings for multiple modules/filesets at once. For example, you can enable `close_eof` for all the filesets in the `nginx` module:
+
+```sh
+-M "nginx.*.input.close_eof=true"
+```
+
+You can also enable `close_eof` for all inputs created by any of the modules:
+
+```sh
+-M "*.*.input.close_eof=true"
+```
+
diff --git a/docs/reference/filebeat/append.md b/docs/reference/filebeat/append.md
new file mode 100644
index 000000000000..868c7721a626
--- /dev/null
+++ b/docs/reference/filebeat/append.md
@@ -0,0 +1,73 @@
+---
+navigation_title: "append"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/append.html
+---
+
+# Append Processor [append]
+
+
+The `append` processor appends one or more values to an existing array if the target field already exists and it is an array. Converts a scaler to an array and appends one or more values to it if the field exists and it is a scaler. Here the values can either be one or more static values or one or more values from the fields listed under *fields* key.
+
+`target_field`
+:   The field in which you want to append the data.
+
+`fields`
+:   (Optional) List of fields from which you want to copy data from. If the value is of a concrete type it will be appended directly to the target. However, if the value is an array, all the elements of the array are pushed individually to the target field.
+
+`values`
+:   (Optional) List of static values you want to append to target field.
+
+`ignore_empty_values`
+:   (Optional) If set to `true`, all the `""` and `nil` are omitted from being appended to the target field.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error occurs, the changes are reverted and the original is returned. If set to `false`, processing continues if an error occurs. Default is `true`.
+
+`allow_duplicate`
+:   (Optional) If set to `false`, the processor does not append values already present in the field. The default is `true`, which will append duplicate values in the array.
+
+`ignore_missing`
+:   (Optional) Indicates whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+note: If you want to use `fields` parameter with fields under `message`, make sure you use `decode_json_fields` first with `target: ""`.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - decode_json_fields:
+      fields: message
+      target: ""
+  - append:
+      target_field: target-field
+      fields:
+        - concrete.field
+        - array.one
+      values:
+        - static-value
+        - ""
+      ignore_missing: true
+      fail_on_error: true
+      ignore_empty_values: true
+```
+
+Copies the values of `concrete.field`, `array.one` response fields and the static values to `target-field`:
+
+```json
+{
+  "concrete": {
+    "field": "val0"
+  },
+  "array": {
+      "one": [ "val1", "val2" ]
+  },
+  "target-field": [
+    "val0",
+    "val1",
+    "val2",
+    "static-value"
+  ]
+}
+```
+
diff --git a/docs/reference/filebeat/bandwidth-throttling.md b/docs/reference/filebeat/bandwidth-throttling.md
new file mode 100644
index 000000000000..3b7bcaef6980
--- /dev/null
+++ b/docs/reference/filebeat/bandwidth-throttling.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/bandwidth-throttling.html
+---
+
+# Filebeat uses too much bandwidth [bandwidth-throttling]
+
+If you need to limit bandwidth usage, we recommend that you configure the network stack on your OS to perform bandwidth throttling.
+
+For example, the following Linux commands cap the connection between Filebeat and Logstash by setting a limit of 50 kbps on TCP connections over port 5044:
+
+```shell
+tc qdisc add dev $DEV root handle 1: htb
+tc class add dev $DEV parent 1:1 classid 1:10 htb rate 50kbps ceil 50kbps
+tc filter add dev $DEV parent 1:0 prio 1 protocol ip handle 10 fw flowid 1:10
+iptables -A OUTPUT -t mangle -p tcp --dport 5044 -j MARK --set-mark 10
+```
+
+Using OS tools to perform bandwidth throttling gives you better control over policies. For example, you can use OS tools to cap bandwidth during the day, but not at night. Or you can leave the bandwidth uncapped, but assign a low priority to the traffic.
+
diff --git a/docs/reference/filebeat/beats-api-keys.md b/docs/reference/filebeat/beats-api-keys.md
new file mode 100644
index 000000000000..375d49d8e60d
--- /dev/null
+++ b/docs/reference/filebeat/beats-api-keys.md
@@ -0,0 +1,142 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/beats-api-keys.html
+---
+
+# Grant access using API keys [beats-api-keys]
+
+Instead of using usernames and passwords, you can use API keys to grant access to {{es}} resources. You can set API keys to expire at a certain time, and you can explicitly invalidate them. Any user with the `manage_api_key` or `manage_own_api_key` cluster privilege can create API keys.
+
+Filebeat instances typically send both collected data and monitoring information to {{es}}. If you are sending both to the same cluster, you can use the same API key. For different clusters, you need to use an API key per cluster.
+
+::::{note}
+For security reasons, we recommend using a unique API key per Filebeat instance. You can create as many API keys per user as necessary.
+::::
+
+
+::::{important}
+Review [*Grant users access to secured resources*](/reference/filebeat/feature-roles.md) before creating API keys for Filebeat.
+::::
+
+
+
+## Create an API key for publishing [beats-api-key-publish]
+
+To create an API key to use for writing data to {{es}}, use the [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key), for example:
+
+```console
+POST /_security/api_key
+{
+  "name": "filebeat_host001", <1>
+  "role_descriptors": {
+    "filebeat_writer": { <2>
+      "cluster": ["monitor", "read_ilm", "read_pipeline"],
+      "index": [
+        {
+          "names": ["filebeat-*"],
+          "privileges": ["view_index_metadata", "create_doc", "auto_configure"]
+        }
+      ]
+    }
+  }
+}
+```
+
+1. Name of the API key
+2. Granted privileges, see [*Grant users access to secured resources*](/reference/filebeat/feature-roles.md)
+
+
+::::{note}
+See [Create a *publishing* user](/reference/filebeat/privileges-to-publish-events.md) for the list of privileges required to publish events.
+::::
+
+
+The return value will look something like this:
+
+```console-result
+{
+  "id":"TiNAGG4BaaMdaH1tRfuU", <1>
+  "name":"filebeat_host001",
+  "api_key":"KnR6yE41RrSowb0kQ0HWoA" <2>
+}
+```
+
+1. Unique id for this API key
+2. Generated API key
+
+
+You can now use this API key in your `filebeat.yml` configuration file like this:
+
+```yaml
+output.elasticsearch:
+  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA <1>
+```
+
+1. Format is `id:api_key` (as returned by [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key))
+
+
+
+## Create an API key for monitoring [beats-api-key-monitor]
+
+To create an API key to use for sending monitoring data to {{es}}, use the [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key), for example:
+
+```console
+POST /_security/api_key
+{
+  "name": "filebeat_host001", <1>
+  "role_descriptors": {
+    "filebeat_monitoring": { <2>
+      "cluster": ["monitor"],
+      "index": [
+        {
+          "names": [".monitoring-beats-*"],
+          "privileges": ["create_index", "create"]
+        }
+      ]
+    }
+  }
+}
+```
+
+1. Name of the API key
+2. Granted privileges, see [*Grant users access to secured resources*](/reference/filebeat/feature-roles.md)
+
+
+::::{note}
+See [Create a *monitoring* user](/reference/filebeat/privileges-to-publish-monitoring.md) for the list of privileges required to send monitoring data.
+::::
+
+
+The return value will look something like this:
+
+```console-result
+{
+  "id":"TiNAGG4BaaMdaH1tRfuU", <1>
+  "name":"filebeat_host001",
+  "api_key":"KnR6yE41RrSowb0kQ0HWoA" <2>
+}
+```
+
+1. Unique id for this API key
+2. Generated API key
+
+
+You can now use this API key in your `filebeat.yml` configuration file like this:
+
+```yaml
+monitoring.elasticsearch:
+  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA <1>
+```
+
+1. Format is `id:api_key` (as returned by [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key))
+
+
+
+## Learn more about API keys [learn-more-api-keys]
+
+See the {{es}} API key documentation for more information:
+
+* [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key)
+* [Get API key information](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-get-api-key)
+* [Invalidate API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-invalidate-api-key)
+
diff --git a/docs/reference/filebeat/change-index-name.md b/docs/reference/filebeat/change-index-name.md
new file mode 100644
index 000000000000..dc88f911f22d
--- /dev/null
+++ b/docs/reference/filebeat/change-index-name.md
@@ -0,0 +1,23 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/change-index-name.html
+---
+
+# Change the index name [change-index-name]
+
+Filebeat uses data streams named `filebeat-9.0.0-beta1`. To use a different name, set the [`index`](/reference/filebeat/elasticsearch-output.md#index-option-es) option in the {{es}} output. You also need to configure the `setup.template.name` and `setup.template.pattern` options to match the new name. For example:
+
+```sh
+output.elasticsearch.index: "customname-%{[agent.version]}"
+setup.template.name: "customname-%{[agent.version]}"
+setup.template.pattern: "customname-%{[agent.version]}"
+```
+
+If you’re using pre-built Kibana dashboards, also set the `setup.dashboards.index` option. For example:
+
+```yaml
+setup.dashboards.index: "customname-*"
+```
+
+For a full list of template setup options, see [Elasticsearch index template](/reference/filebeat/configuration-template.md).
+
diff --git a/docs/reference/filebeat/command-line-options.md b/docs/reference/filebeat/command-line-options.md
new file mode 100644
index 000000000000..fb820e55d4ae
--- /dev/null
+++ b/docs/reference/filebeat/command-line-options.md
@@ -0,0 +1,443 @@
+---
+navigation_title: "Command reference"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/command-line-options.html
+---
+
+# Filebeat command reference [command-line-options]
+
+
+Filebeat provides a command-line interface for starting Filebeat and performing common tasks, like testing configuration files and loading dashboards.
+
+The command-line also supports [global flags](#global-flags) for controlling global behaviors.
+
+::::{tip}
+Use `sudo` to run the following commands if:
+
+* the config file is owned by `root`, or
+* Filebeat is configured to capture data that requires `root` access
+
+::::
+
+
+Some of the features described here require an Elastic license. For more information, see [https://www.elastic.co/subscriptions](https://www.elastic.co/subscriptions) and [License Management](docs-content://deploy-manage/license/manage-your-license-in-self-managed-cluster.md).
+
+| Commands |  |
+| --- | --- |
+| [`export`](#export-command) | Exports the configuration, index template, ILM policy, or a dashboard to stdout. |
+| [`help`](#help-command) | Shows help for any command. |
+| [`keystore`](#keystore-command) | Manages the [secrets keystore](/reference/filebeat/keystore.md). |
+| [`modules`](#modules-command) | Manages configured modules. |
+| [`run`](#run-command) | Runs Filebeat. This command is used by default if you start Filebeat without specifying a command. |
+| [`setup`](#setup-command) | Sets up the initial environment, including the index template, ILM policy and write alias, {{kib}} dashboards (when available), and machine learning jobs (when available). |
+| [`test`](#test-command) | Tests the configuration. |
+| [`version`](#version-command) | Shows information about the current version. |
+
+Also see [Global flags](#global-flags).
+
+## `export` command [export-command]
+
+Exports the configuration, index template, ILM policy, or a dashboard to stdout. You can use this command to quickly view your configuration, see the contents of the index template and the ILM policy, or export a dashboard from {{kib}}.
+
+**SYNOPSIS**
+
+```sh
+filebeat export SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`config`**
+:   Exports the current configuration to stdout. If you use the `-c` flag, this command exports the configuration that’s defined in the specified file.
+
+$$$dashboard-subcommand$$$**`dashboard`**
+:   Exports a dashboard. You can use this option to store a dashboard on disk in a module and load it automatically. For example, to export the dashboard to a JSON file, run:
+
+    ```shell
+    filebeat export dashboard --id="DASHBOARD_ID" > dashboard.json
+    ```
+
+    To find the `DASHBOARD_ID`, look at the URL for the dashboard in {{kib}}. By default, `export dashboard` writes the dashboard to stdout. The example shows how to write the dashboard to a JSON file so that you can import it later. The JSON file will contain the dashboard with all visualizations and searches. You must load the index pattern separately for Filebeat.
+
+    To load the dashboard, copy the generated `dashboard.json` file into the `kibana/6/dashboard` directory of Filebeat, and run `filebeat setup --dashboards` to import the dashboard.
+
+    If {{kib}} is not running on `localhost:5061`, you must also adjust the Filebeat configuration under `setup.kibana`.
+
+
+$$$template-subcommand$$$**`template`**
+:   Exports the index template to stdout. You can specify the `--es.version` flag to further define what gets exported. Furthermore you can export the template to a file instead of `stdout` by defining a directory via `--dir`.
+
+$$$ilm-policy-subcommand$$$
+
+**`ilm-policy`**
+:   Exports the index lifecycle management policy to stdout. You can specify the `--es.version` and a `--dir` to which the policy should be exported as a file rather than exporting to `stdout`.
+
+**FLAGS**
+
+**`--es.version VERSION`**
+:   When used with [`template`](#template-subcommand), exports an index template that is compatible with the specified version.  When used with [`ilm-policy`](#ilm-policy-subcommand), exports the ILM policy if the specified ES version is enabled for ILM.
+
+**`-h, --help`**
+:   Shows help for the `export` command.
+
+**`--dir DIRNAME`**
+:   Define a directory to which the template, pipelines, and ILM policy should be exported to as files instead of printing them to `stdout`.
+
+**`--id DASHBOARD_ID`**
+:   When used with [`dashboard`](#dashboard-subcommand), specifies the dashboard ID.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+filebeat export config
+filebeat export template --es.version 9.0.0-beta1
+filebeat export dashboard --id="a7b35890-8baa-11e8-9676-ef67484126fb" > dashboard.json
+```
+
+
+## `help` command [help-command]
+
+Shows help for any command. If no command is specified, shows help for the `run` command.
+
+**SYNOPSIS**
+
+```sh
+filebeat help COMMAND_NAME [FLAGS]
+```
+
+**`COMMAND_NAME`**
+:   Specifies the name of the command to show help for.
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `help` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+filebeat help export
+```
+
+
+## `keystore` command [keystore-command]
+
+Manages the [secrets keystore](/reference/filebeat/keystore.md).
+
+**SYNOPSIS**
+
+```sh
+filebeat keystore SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`add KEY`**
+:   Adds the specified key to the keystore. Use the `--force` flag to overwrite an existing key. Use the `--stdin` flag to pass the value through `stdin`.
+
+**`create`**
+:   Creates a keystore to hold secrets. Use the `--force` flag to overwrite the existing keystore.
+
+**`list`**
+:   Lists the keys in the keystore.
+
+**`remove KEY`**
+:   Removes the specified key from the keystore.
+
+**FLAGS**
+
+**`--force`**
+:   Valid with the `add` and `create` subcommands. When used with `add`, overwrites the specified key. When used with `create`, overwrites the keystore.
+
+**`--stdin`**
+:   When used with `add`, uses the stdin as the source of the key’s value.
+
+**`-h, --help`**
+:   Shows help for the `keystore` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+filebeat keystore create
+filebeat keystore add ES_PWD
+filebeat keystore remove ES_PWD
+filebeat keystore list
+```
+
+See [Secrets keystore](/reference/filebeat/keystore.md) for more examples.
+
+
+## `modules` command [modules-command]
+
+Manages configured modules. You can use this command to enable and disable specific module configurations defined in the `modules.d` directory. The changes you make with this command are persisted and used for subsequent runs of Filebeat.
+
+To see which modules are enabled and disabled, run the `list` subcommand.
+
+**SYNOPSIS**
+
+```sh
+filebeat modules SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`disable MODULE_LIST`**
+:   Disables the modules specified in the space-separated list.
+
+**`enable MODULE_LIST`**
+:   Enables the modules specified in the space-separated list.
+
+**`list`**
+:   Lists the modules that are currently enabled and disabled.
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `modules` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+filebeat modules list
+filebeat modules enable apache2 auditd mysql
+```
+
+
+## `run` command [run-command]
+
+Runs Filebeat. This command is used by default if you start Filebeat without specifying a command.
+
+**SYNOPSIS**
+
+```sh
+filebeat run [FLAGS]
+```
+
+Or:
+
+```sh
+filebeat [FLAGS]
+```
+
+**FLAGS**
+
+**`-N, --N`**
+:   Disables publishing for testing purposes. This option disables all outputs except the [File output](/reference/filebeat/file-output.md).
+
+**`--cpuprofile FILE`**
+:   Writes CPU profile data to the specified file. This option is useful for troubleshooting Filebeat.
+
+**`-h, --help`**
+:   Shows help for the `run` command.
+
+**`--httpprof [HOST]:PORT`**
+:   Starts an http server for profiling. This option is useful for troubleshooting and profiling Filebeat.
+
+**`--memprofile FILE`**
+:   Writes memory profile data to the specified output file. This option is useful for troubleshooting Filebeat.
+
+**`--modules MODULE_LIST`**
+:   Specifies a comma-separated list of modules to run. For example:
+
+    ```sh
+    filebeat run --modules nginx,mysql,system
+    ```
+
+    Rather than specifying the list of modules every time you run Filebeat, you can use the [`modules`](#modules-command) command to enable and disable specific modules. Then when you run Filebeat, it will run any modules that are enabled.
+
+
+**`--once`**
+:   When the `--once` flag is used, Filebeat starts all configured harvesters and inputs, and runs each input until the harvesters are closed. If you set the `--once` flag, you should also set `close_eof` so the harvester is closed when the end of the file is reached. By default harvesters are closed after `close_inactive` is reached.
+
+    The `--once` option is not currently supported with the [`filestream`](/reference/filebeat/filebeat-input-filestream.md) input type.
+
+
+**`--system.hostfs MOUNT_POINT`**
+:   Specifies the mount point of the host’s filesystem for use in monitoring a host. This flag is depricated, and an alternate hostfs should be specified via the `hostfs` module config value.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+filebeat run -e
+```
+
+Or:
+
+```sh
+filebeat -e
+```
+
+
+## `setup` command [setup-command]
+
+Sets up the initial environment, including the index template, ILM policy and write alias, {{kib}} dashboards (when available), and machine learning jobs (when available)
+
+* The index template ensures that fields are mapped correctly in Elasticsearch. If index lifecycle management is enabled it also ensures that the defined ILM policy and write alias are connected to the indices matching the index template. The ILM policy takes care of the lifecycle of an index, when to do a rollover, when to move an index from the hot phase to the next phase, etc.
+* The {{kib}} dashboards make it easier for you to visualize Filebeat data in {{kib}}.
+* The machine learning jobs contain the configuration information and metadata necessary to analyze data for anomalies.
+
+This command sets up the environment without actually running Filebeat and ingesting data. Specify optional flags to set up a subset of assets.
+
+**SYNOPSIS**
+
+```sh
+filebeat setup [FLAGS]
+```
+
+**FLAGS**
+
+**`--dashboards`**
+:   Sets up the {{kib}} dashboards (when available). This option loads the dashboards from the Filebeat package. For more options, such as loading customized dashboards, see [Importing Existing Beat Dashboards](http://www.elastic.co/guide/en/beats/devguide/master/import-dashboards.md) in the *Beats Developer Guide*.
+
+**`-h, --help`**
+:   Shows help for the `setup` command.
+
+**`--modules MODULE_LIST`**
+:   Specifies a comma-separated list of modules. Use this flag to avoid errors when there are no modules defined in the `filebeat.yml` file.
+
+**`--pipelines`**
+:   Sets up ingest pipelines for configured filesets. Filebeat looks for enabled modules in the `filebeat.yml` file. If you used the [`modules`](#modules-command) command to enable modules in the `modules.d` directory, also specify the `--modules` flag.
+
+**`--enable-all-filesets`**
+:   Enables all modules and filesets. This is useful with `--pipelines` if you want to load all ingest pipelines. Without this option you would have to list every module with the [`modules`](#modules-command) command and enable every fileset within the module with a `-M` option, to load all of the ingest pipelines.
+
+**`--force-enable-module-filesets`**
+:   Enables all filesets in the enabled modules. This is useful with `--pipelines` if you want to load ingest pipelines. Without this option you enable every fileset within the module with a `-M` option, to load the ingest pipelines.
+
+**`--index-management`**
+:   Sets up components related to Elasticsearch index management including template, ILM policy, and write alias (if supported and configured).
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+filebeat setup --dashboards
+filebeat setup --pipelines
+filebeat setup --pipelines --modules system,nginx,mysql <1>
+filebeat setup --index-management
+```
+
+1. If you used the [`modules`](#modules-command) command to enable modules in the `modules.d` directory, also specify the `--modules` flag to indicate which modules to load pipelines for.
+
+
+
+## `test` command [test-command]
+
+Tests the configuration.
+
+**SYNOPSIS**
+
+```sh
+filebeat test SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`config`**
+:   Tests the configuration settings.
+
+**`output`**
+:   Tests that Filebeat can connect to the output by using the current settings.
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `test` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+filebeat test config
+```
+
+
+## `version` command [version-command]
+
+Shows information about the current version.
+
+**SYNOPSIS**
+
+```sh
+filebeat version [FLAGS]
+```
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `version` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+filebeat version
+```
+
+
+## Global flags [global-flags]
+
+These global flags are available whenever you run Filebeat.
+
+**`-E, --E "SETTING_NAME=VALUE"`**
+:   Overrides a specific configuration setting. You can specify multiple overrides. For example:
+
+    ```sh
+    filebeat -E "name=mybeat" -E "output.elasticsearch.hosts=['http://myhost:9200']"
+    ```
+
+    This setting is applied to the currently running Filebeat process. The Filebeat configuration file is not changed.
+
+
+**`-M, --M "VAR_NAME=VALUE"`**
+:   Overrides the default configuration for a Filebeat module. You can specify multiple variable overrides. For example:
+
+    ```sh
+    filebeat --modules=nginx -M "nginx.access.var.paths=['/var/log/nginx/access.log*']" -M "nginx.access.var.pipeline=no_plugins"
+    ```
+
+
+**`-c, --c FILE`**
+:   Specifies the configuration file to use for Filebeat. The file you specify here is relative to `path.config`. If the `-c` flag is not specified, the default config file, `filebeat.yml`, is used.
+
+**`-d, --d SELECTORS`**
+:   Enables debugging for the specified selectors. For the selectors, you can specify a comma-separated list of components, or you can use `-d "*"` to enable debugging for all components. For example, `-d "publisher"` displays all the publisher-related messages.
+
+**`-e, --e`**
+:   Logs to stderr and disables syslog/file output.
+
+**`--environment`**
+:   For logging purposes, specifies the environment that Filebeat is running in. This setting is used to select a default log output when no log output is configured. Supported values are: `systemd`, `container`, `macos_service`, and `windows_service`. If `systemd` or `container` is specified, Filebeat will log to stdout and stderr by default.
+
+**`--path.config`**
+:   Sets the path for configuration files. See the [Directory layout](/reference/filebeat/directory-layout.md) section for details.
+
+**`--path.data`**
+:   Sets the path for data files. See the [Directory layout](/reference/filebeat/directory-layout.md) section for details.
+
+**`--path.home`**
+:   Sets the path for miscellaneous files. See the [Directory layout](/reference/filebeat/directory-layout.md) section for details.
+
+**`--path.logs`**
+:   Sets the path for log files. See the [Directory layout](/reference/filebeat/directory-layout.md) section for details.
+
+**`--strict.perms`**
+:   Sets strict permission checking on configuration files. The default is `--strict.perms=true`. See [Config file ownership and permissions](/reference/libbeat/config-file-permissions.md) for more information.
+
+**`-v, --v`**
+:   Logs INFO-level messages.
+
+
diff --git a/docs/reference/filebeat/community-id.md b/docs/reference/filebeat/community-id.md
new file mode 100644
index 000000000000..15e82552ab9e
--- /dev/null
+++ b/docs/reference/filebeat/community-id.md
@@ -0,0 +1,41 @@
+---
+navigation_title: "community_id"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/community-id.html
+---
+
+# Community ID Network Flow Hash [community-id]
+
+
+The `community_id` processor computes a network flow hash according to the [Community ID Flow Hash specification](https://github.com/corelight/community-id-spec).
+
+The flow hash is useful for correlating all network events related to a single flow. For example you can filter on a community ID value and you might get back the Netflow records from multiple collectors and layer 7 protocol records from Packetbeat.
+
+By default the processor is configured to read the flow parameters from the appropriate Elastic Common Schema (ECS) fields. If you are processing ECS data then no parameters are required.
+
+```yaml
+processors:
+  - community_id:
+```
+
+If the data does not conform to ECS then you can customize the field names that the processor reads from. You can also change the `target` field which is where the computed hash is written to.
+
+```yaml
+processors:
+  - community_id:
+      fields:
+        source_ip: my_source_ip
+        source_port: my_source_port
+        destination_ip: my_dest_ip
+        destination_port: my_dest_port
+        iana_number: my_iana_number
+        transport: my_transport
+        icmp_type: my_icmp_type
+        icmp_code: my_icmp_code
+      target: network.community_id
+```
+
+If the necessary fields are not present in the event then the processor will silently continue without adding the target field.
+
+The processor also accepts an optional `seed` parameter that must be a 16-bit unsigned integer. This value gets incorporated into all generated hashes.
+
diff --git a/docs/reference/filebeat/configuration-autodiscover-advanced.md b/docs/reference/filebeat/configuration-autodiscover-advanced.md
new file mode 100644
index 000000000000..d918e5cda96d
--- /dev/null
+++ b/docs/reference/filebeat/configuration-autodiscover-advanced.md
@@ -0,0 +1,32 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-autodiscover-advanced.html
+---
+
+# Advanced usage [configuration-autodiscover-advanced]
+
+
+## Appenders [_appenders]
+
+Appenders allow users to append configuration that is already built with the help of either templates or builders. Appenders can be configured to be applied only when a required condition is matched. The kind of configuration that is applied is specific to each appender.
+
+
+### Config [_config_2]
+
+The config appender can apply a config on top of the config that was generated by templates or builders. The config is applied whenever a provided condition is matched. It is always applied if there is no condition provided.
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: kubernetes
+      templates:
+        ...
+      appenders:
+        - type: config
+          condition.equals:
+            kubernetes.namespace: "prometheus"
+          config:
+            fields:
+              type: monitoring
+```
+
diff --git a/docs/reference/filebeat/configuration-autodiscover-hints.md b/docs/reference/filebeat/configuration-autodiscover-hints.md
new file mode 100644
index 000000000000..bff6e319eb03
--- /dev/null
+++ b/docs/reference/filebeat/configuration-autodiscover-hints.md
@@ -0,0 +1,395 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-autodiscover-hints.html
+---
+
+# Hints based autodiscover [configuration-autodiscover-hints]
+
+Filebeat supports autodiscover based on hints from the provider. The hints system looks for hints in Kubernetes Pod annotations or Docker labels that have the prefix `co.elastic.logs`. As soon as the container starts, Filebeat will check if it contains any hints and launch the proper config for it. Hints tell Filebeat how to get logs for the given container. By default logs will be retrieved from the container using the `filestream` input. You can use hints to modify this behavior. This is the full list of supported hints:
+
+
+### `co.elastic.logs/enabled` [_co_elastic_logsenabled]
+
+Filebeat gets logs from all containers by default, you can set this hint to `false` to ignore the output of the container. Filebeat won’t read or send logs from it. If default config is disabled, you can use this annotation to enable log retrieval only for containers with this set to `true`. If you are aiming to use this with Kubernetes, have in mind that annotation values can only be of string type so you will need to explicitly define this as `"true"` or `"false"` accordingly.
+
+
+### `co.elastic.logs/multiline.*` [_co_elastic_logsmultiline]
+
+Multiline settings. See [Multiline messages](/reference/filebeat/multiline-examples.md) for a full list of all supported options.
+
+
+### `co.elastic.logs/json.*` [_co_elastic_logsjson]
+
+JSON settings. See [`ndjson`](/reference/filebeat/filebeat-input-filestream.md#filebeat-input-filestream-ndjson) for a full list of all supported options.
+
+For example, the following hints with json options:
+
+```yaml
+co.elastic.logs/json.message_key: "log"
+co.elastic.logs/json.add_error_key: "true"
+```
+
+will lead to the following input configuration:
+
+`filestream`
+
+```yaml
+parsers:
+  - ndjson:
+      message_key: "log"
+      add_error_key: "true"
+```
+
+
+### `co.elastic.logs/include_lines` [_co_elastic_logsinclude_lines]
+
+A list of regular expressions to match the lines that you want Filebeat to include. See [Inputs](/reference/filebeat/configuration-filebeat-options.md) for more info.
+
+
+### `co.elastic.logs/exclude_lines` [_co_elastic_logsexclude_lines]
+
+A list of regular expressions to match the lines that you want Filebeat to exclude. See [Inputs](/reference/filebeat/configuration-filebeat-options.md) for more info.
+
+
+### `co.elastic.logs/module` [_co_elastic_logsmodule]
+
+Instead of using raw `docker` input, specifies the module to use to parse logs from the container. See [Modules](/reference/filebeat/filebeat-modules.md) for the list of supported modules.
+
+
+### `co.elastic.logs/fileset` [_co_elastic_logsfileset]
+
+When module is configured, map container logs to module filesets. You can either configure a single fileset like this:
+
+```yaml
+co.elastic.logs/fileset: access
+```
+
+Or configure a fileset per stream in the container (stdout and stderr):
+
+```yaml
+co.elastic.logs/fileset.stdout: access
+co.elastic.logs/fileset.stderr: error
+```
+
+
+### `co.elastic.logs/raw` [_co_elastic_logsraw]
+
+When an entire input/module configuration needs to be completely set the `raw` hint can be used. You can provide a stringified JSON of the input configuration. `raw` overrides every other hint and can be used to create both a single or a list of configurations.
+
+```yaml
+co.elastic.logs/raw: "[{\"containers\":{\"ids\":[\"${data.container.id}\"]},\"multiline\":{\"negate\":\"true\",\"pattern\":\"^test\"},\"type\":\"docker\"}]"
+```
+
+
+### `co.elastic.logs/processors` [_co_elastic_logsprocessors]
+
+Define a processor to be added to the Filebeat input/module configuration. See [Processors](/reference/filebeat/filtering-enhancing-data.md) for the list of supported processors.
+
+If processors configuration uses list data structure, object fields must be enumerated. For example, hints for the `rename` processor configuration below
+
+```yaml
+processors:
+  - rename:
+      fields:
+        - from: "a.g"
+          to: "e.d"
+      fail_on_error: true
+```
+
+will look like:
+
+```yaml
+co.elastic.logs/processors.rename.fields.0.from: "a.g"
+co.elastic.logs/processors.rename.fields.1.to: "e.d"
+co.elastic.logs/processors.rename.fail_on_error: 'true'
+```
+
+If processors configuration uses map data structure, enumeration is not needed. For example, the equivalent to the `add_fields` configuration below
+
+```yaml
+processors:
+  - add_fields:
+      target: project
+      fields:
+        name: myproject
+```
+
+is
+
+```yaml
+co.elastic.logs/processors.1.add_fields.target: "project"
+co.elastic.logs/processors.1.add_fields.fields.name: "myproject"
+```
+
+In order to provide ordering of the processor definition, numbers can be provided. If not, the hints builder will do arbitrary ordering:
+
+```yaml
+co.elastic.logs/processors.1.dissect.tokenizer: "%{key1} %{key2}"
+co.elastic.logs/processors.dissect.tokenizer: "%{key2} %{key1}"
+```
+
+In the above sample the processor definition tagged with `1` would be executed first.
+
+
+### `co.elastic.logs/pipeline` [_co_elastic_logspipeline]
+
+Define an ingest pipeline ID to be added to the Filebeat input/module configuration.
+
+```yaml
+co.elastic.logs/pipeline: custom-pipeline
+```
+
+When hints are used along with templates, then hints will be evaluated only in case there is no template’s condition that resolves to true. For example:
+
+```yaml
+filebeat.autodiscover.providers:
+  - type: docker
+    hints.enabled: true
+    hints.default_config:
+      type: container
+      paths:
+        - /var/lib/docker/containers/${data.container.id}/*.log
+    templates:
+      - condition:
+          equals:
+            docker.container.labels.type: "pipeline"
+        config:
+          - type: container
+            paths:
+              - "/var/lib/docker/containers/${data.docker.container.id}/*.log"
+            pipeline: my-pipeline
+```
+
+In this example first the condition `docker.container.labels.type: "pipeline"` is evaluated and if not matched the hints will be processed and if there is again no valid config the `hints.default_config` will be used.
+
+
+## Kubernetes [_kubernetes_2]
+
+Kubernetes autodiscover provider supports hints in Pod annotations. To enable it just set `hints.enabled`:
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: kubernetes
+      hints.enabled: true
+```
+
+You can configure the default config that will be launched when a new container is seen, like this:
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: kubernetes
+      hints.enabled: true
+      hints.default_config:
+        type: container
+        paths:
+          - /var/log/containers/*-${data.container.id}.log  # CRI path
+```
+
+You can also disable default settings entirely, so only Pods annotated like `co.elastic.logs/enabled: true` will be retrieved:
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: kubernetes
+      hints.enabled: true
+      hints.default_config.enabled: false
+```
+
+You can annotate Kubernetes Pods with useful info to spin up Filebeat inputs or modules:
+
+```yaml
+annotations:
+  co.elastic.logs/multiline.pattern: '^\['
+  co.elastic.logs/multiline.negate: true
+  co.elastic.logs/multiline.match: after
+```
+
+
+### Multiple containers [_multiple_containers]
+
+When a pod has multiple containers, the settings are shared unless you put the container name in the hint. For example, these hints configure multiline settings for all containers in the pod, but set a specific `exclude_lines` hint for the container called `sidecar`.
+
+```yaml
+annotations:
+  co.elastic.logs/multiline.pattern: '^\['
+  co.elastic.logs/multiline.negate: true
+  co.elastic.logs/multiline.match: after
+  co.elastic.logs.sidecar/exclude_lines: '^DBG'
+```
+
+
+### Multiple sets of hints [_multiple_sets_of_hints]
+
+When a container needs multiple inputs to be defined on it, sets of annotations can be provided with numeric prefixes. If there are hints that don’t have a numeric prefix then they get grouped together into a single configuration.
+
+```yaml
+annotations:
+  co.elastic.logs/exclude_lines: '^DBG'
+  co.elastic.logs/1.include_lines: '^DBG'
+  co.elastic.logs/1.processors.dissect.tokenizer: "%{key2} %{key1}"
+```
+
+The above configuration would generate two input configurations. The first input handles only debug logs and passes it through a dissect tokenizer. The second input handles everything but debug logs.
+
+
+### Namespace Defaults [_namespace_defaults]
+
+Hints can be configured on the Namespace’s annotations as defaults to use when Pod level annotations are missing. The resultant hints are a combination of Pod annotations and Namespace annotations with the Pod’s taking precedence. To enable Namespace defaults configure the `add_resource_metadata` for Namespace objects as follows:
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: kubernetes
+      hints.enabled: true
+      add_resource_metadata:
+        namespace:
+          include_annotations: ["nsannotation1"]
+```
+
+
+## Docker [_docker_3]
+
+Docker autodiscover provider supports hints in labels. To enable it just set `hints.enabled`:
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: docker
+      hints.enabled: true
+```
+
+You can configure the default config that will be launched when a new container is seen, like this:
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: docker
+      hints.enabled: true
+      hints.default_config:
+        type: container
+        paths:
+          - /var/log/containers/*-${data.container.id}.log  # CRI path
+```
+
+You can also disable default settings entirely, so only containers labeled with `co.elastic.logs/enabled: true` will be retrieved:
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: docker
+      hints.enabled: true
+      hints.default_config.enabled: false
+```
+
+You can label Docker containers with useful info to spin up Filebeat inputs, for example:
+
+```yaml
+  co.elastic.logs/module: nginx
+  co.elastic.logs/fileset.stdout: access
+  co.elastic.logs/fileset.stderr: error
+```
+
+The above labels configure Filebeat to use the Nginx module to harvest logs for this container. Access logs will be retrieved from stdout stream, and error logs from stderr.
+
+You can label Docker containers with useful info to decode logs structured as JSON messages, for example:
+
+```yaml
+  co.elastic.logs/json.keys_under_root: true
+  co.elastic.logs/json.add_error_key: true
+  co.elastic.logs/json.message_key: log
+```
+
+
+## Nomad [_nomad_2]
+
+Nomad autodiscover provider supports hints using the [`meta` stanza](https://www.nomadproject.io/docs/job-specification/meta.html). To enable it just set `hints.enabled`:
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: nomad
+      hints.enabled: true
+```
+
+You can configure the default config that will be launched when a new job is seen, like this:
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: nomad
+      hints.enabled: true
+      hints.default_config:
+        type: filestream
+        id: ${data.nomad.task.name}-${data.nomad.allocation.id} # unique ID required
+        paths:
+          - /opt/nomad/alloc/${data.nomad.allocation.id}/alloc/logs/${data.nomad.task.name}.*
+```
+
+You can also disable the default config such that only logs from jobs explicitly annotated with `"co.elastic.logs/enabled" = "true"` will be collected:
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: nomad
+      hints.enabled: true
+      hints.default_config:
+        enabled: false
+        type: filestream
+        id: ${data.nomad.task.name}-${data.nomad.allocation.id} # unique ID required
+        paths:
+          - /opt/nomad/alloc/${data.nomad.allocation.id}/alloc/logs/${data.nomad.task.name}.*
+```
+
+You can annotate Nomad Jobs using the `meta` stanza with useful info to spin up Filebeat inputs or modules:
+
+```json
+meta {
+  "co.elastic.logs/enabled"           = "true"
+  "co.elastic.logs/multiline.pattern" = "^\\["
+  "co.elastic.logs/multiline.negate"  = "true"
+  "co.elastic.logs/multiline.match"   = "after"
+}
+```
+
+If you are using autodiscover then in most cases you will want to use the [`add_nomad_metadata`](/reference/filebeat/add-nomad-metadata.md) processor to enrich events with Nomad metadata. This example configures {{Filebeat}} to connect to the local Nomad agent over HTTPS and adds the Nomad allocation ID to all events from the input. Later in the pipeline the `add_nomad_metadata` processor will use that ID to enrich the event.
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: nomad
+      address: https://localhost:4646
+      hints.enabled: true
+      hints.default_config:
+        enabled: false <1>
+        type: filestream
+        id: ${data.nomad.task.name}-${data.nomad.allocation.id} <2>
+        paths:
+          - /opt/nomad/alloc/${data.nomad.allocation.id}/alloc/logs/${data.nomad.task.name}.*
+        processors:
+          - add_fields: <3>
+              target: nomad
+              fields:
+                allocation.id: ${data.nomad.allocation.id}
+
+processors:
+  - add_nomad_metadata: <4>
+      when.has_fields.fields: [nomad.allocation.id]
+      address: https://localhost:4646
+      default_indexers.enabled: false
+      default_matchers.enabled: false
+      indexers:
+        - allocation_uuid:
+      matchers:
+        - fields:
+            lookup_fields:
+              - 'nomad.allocation.id'
+```
+
+1. The default config is disabled meaning any task without the `"co.elastic.logs/enabled" = "true"` metadata will be ignored.
+2. Unique ID is required.
+3. The `add_fields` processor populates the `nomad.allocation.id` field with the Nomad allocation UUID.
+4. The `add_nomad_metadata` processor is configured at the global level so that it is only instantiated one time which saves resources.
+
+
diff --git a/docs/reference/filebeat/configuration-autodiscover.md b/docs/reference/filebeat/configuration-autodiscover.md
new file mode 100644
index 000000000000..fbe02fa7f36f
--- /dev/null
+++ b/docs/reference/filebeat/configuration-autodiscover.md
@@ -0,0 +1,570 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-autodiscover.html
+---
+
+# Autodiscover [configuration-autodiscover]
+
+When you run applications on containers, they become moving targets to the monitoring system. Autodiscover allows you to track them and adapt settings as changes happen. By defining configuration templates, the autodiscover subsystem can monitor services as they start running.
+
+You define autodiscover settings in the  `filebeat.autodiscover` section of the `filebeat.yml` config file. To enable autodiscover, you specify a list of providers.
+
+
+## Providers [_providers_2]
+
+Autodiscover providers work by watching for events on the system and translating those events into internal autodiscover events with a common format. When you configure the provider, you can optionally use fields from the autodiscover event to set conditions that, when met, launch specific configurations.
+
+On start, Filebeat will scan existing containers and launch the proper configs for them. Then it will watch for new start/stop events. This ensures you don’t need to worry about state, but only define your desired configs.
+
+
+#### Docker [_docker_2]
+
+The Docker autodiscover provider watches for Docker containers to start and stop.
+
+It has the following settings:
+
+`host`
+:   (Optional) Docker socket (UNIX or TCP socket). It uses `unix:///var/run/docker.sock` by default.
+
+`ssl`
+:   (Optional) SSL configuration to use when connecting to the Docker socket.
+
+`cleanup_timeout`
+:   (Optional) Specify the time of inactivity before stopping the running configuration for a container, 60s by default.
+
+`labels.dedot`
+:   (Optional) Default to be false. If set to true, replace dots in labels with `_`.
+
+These are the fields available within config templating. The `docker.*` fields will be available on each emitted event. event:
+
+* host
+* port
+* docker.container.id
+* docker.container.image
+* docker.container.name
+* docker.container.labels
+
+For example:
+
+```yaml
+{
+  "host": "10.4.15.9",
+  "port": 6379,
+  "docker": {
+    "container": {
+      "id": "382184ecdb385cfd5d1f1a65f78911054c8511ae009635300ac28b4fc357ce51"
+      "name": "redis",
+      "image": "redis:3.2.11",
+      "labels": {
+        "io.kubernetes.pod.namespace": "default"
+        ...
+      }
+    }
+  }
+}
+```
+
+You can define a set of configuration templates to be applied when the condition matches an event. Templates define a condition to match on autodiscover events, together with the list of configurations to launch when this condition happens.
+
+Conditions match events from the provider. Providers use the same format for [Conditions](/reference/filebeat/defining-processors.md#conditions) that processors use.
+
+Configuration templates can contain variables from the autodiscover event. They can be accessed under the `data` namespace. For example, with the example event, "`${data.port}`" resolves to `6379`.
+
+Filebeat supports templates for inputs and modules.
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: docker
+      templates:
+        - condition:
+            contains:
+              docker.container.image: redis
+          config:
+            - type: container
+              paths:
+                - /var/lib/docker/containers/${data.docker.container.id}/*.log
+              exclude_lines: ["^\\s+[\\-`('.|_]"]  # drop asciiart lines
+```
+
+This configuration launches a `docker` logs input for all containers running an image with `redis` in the name. `labels.dedot` defaults to be `true` for docker autodiscover, which means dots in docker labels are replaced with *_* by default.
+
+If you are using modules, you can override the default input and use the docker input instead.
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: docker
+      templates:
+        - condition:
+            contains:
+              docker.container.image: redis
+          config:
+            - module: redis
+              log:
+                input:
+                  type: container
+                  paths:
+                    - /var/lib/docker/containers/${data.docker.container.id}/*.log
+```
+
+::::{warning}
+When using autodiscover, you have to be careful when defining config templates, especially if they are reading from places holding information for several containers. For instance, under this file structure:
+
+`/mnt/logs/<container_id>/*.log`
+
+You can define a config template like this:
+
+**Wrong settings**:
+
+```yaml
+autodiscover.providers:
+  - type: docker
+    templates:
+      - condition.contains:
+          docker.container.image: nginx
+        config:
+          - type: log
+            paths:
+              - "/mnt/logs/*/*.log"
+```
+
+That would read all the files under the given path several times (one per nginx container). What you really want is to scope your template to the container that matched the autodiscover condition. Good settings:
+
+```yaml
+autodiscover.providers:
+  - type: docker
+    templates:
+      - condition.contains:
+          docker.container.image: nginx
+        config:
+          - type: log
+            paths:
+              - "/mnt/logs/${data.docker.container.id}/*.log"
+```
+
+::::
+
+
+
+#### Kubernetes [_kubernetes]
+
+The Kubernetes autodiscover provider watches for Kubernetes nodes, pods, services to start, update, and stop.
+
+The `kubernetes` autodiscover provider has the following configuration settings:
+
+`node`
+:   (Optional) Specify the node to scope filebeat to in case it cannot be accurately detected, as when running filebeat in host network mode.
+
+`namespace`
+:   (Optional) Select the namespace from which to collect the events from the resources. If it is not set, the provider collects them from all namespaces. It is unset by default. The namespace configuration only applies to kubernetes resources that are namespace scoped and if `unique` field is set to `false`.
+
+`cleanup_timeout`
+:   (Optional) Specify the time of inactivity before stopping the running configuration for a container, 60s by default.
+
+`kube_config`
+:   (Optional) Use given config file as configuration for Kubernetes client. If kube_config is not set, KUBECONFIG environment variable will be checked and if not present it will fall back to InCluster.
+
+`kube_client_options`
+:   (Optional) Additional options can be configured for Kubernetes client. Currently client QPS and burst are supported, if not set Kubernetes client’s [default QPS and burst](https://pkg.go.dev/k8s.io/client-go/rest#pkg-constants) will be used. Example:
+
+```yaml
+      kube_client_options:
+        qps: 5
+        burst: 10
+```
+
+`resource`
+:   (Optional) Select the resource to do discovery on. Currently supported Kubernetes resources are `pod`, `service` and `node`. If not configured `resource` defaults to `pod`.
+
+`scope`
+:   (Optional) Specify at what level autodiscover needs to be done at. `scope` can either take `node` or `cluster` as values. `node` scope allows discovery of resources in the specified node. `cluster` scope allows cluster wide discovery. Only `pod` and `node` resources can be discovered at node scope.
+
+`add_resource_metadata`
+:   (Optional) Specify filters and configration for the extra metadata, that will be added to the event. Configuration parameters:
+
+    * `node` or `namespace`: Specify labels and annotations filters for the extra metadata coming from node and namespace. By default all labels are included while annotations are not. To change default behaviour `include_labels`, `exclude_labels` and `include_annotations` can be defined. Those settings are useful when storing labels and annotations that require special handling to avoid overloading the storage output. Note: wildcards are not supported for those settings. The enrichment of `node` or `namespace` metadata can be individually disabled by setting `enabled: false`.
+    * `deployment`: If resource is `pod` and it is created from a `deployment`, by default the deployment name isn’t added, this can be enabled by setting `deployment: true`.
+    * `cronjob`: If resource is `pod` and it is created from a `cronjob`, by default the cronjob name isn’t added, this can be enabled by setting `cronjob: true`.
+
+        Example:
+
+
+```yaml
+      add_resource_metadata:
+        namespace:
+          include_labels: ["namespacelabel1"]
+        node:
+          include_labels: ["nodelabel2"]
+          include_annotations: ["nodeannotation1"]
+        # deployment: false
+        # cronjob: false
+```
+
+`unique`
+:   (Optional) Defaults to `false`. Marking an autodiscover provider as unique results into making the provider to enable the provided templates only when it will gain the leader lease. This setting can only be combined with `cluster` scope. When `unique` is enabled, `resource` and `add_resource_metadata` settings are not taken into account.
+
+`leader_lease`
+:   (Optional) Defaults to `filebeat-cluster-leader`. This will be name of the lock lease. One can monitor the status of the lease with `kubectl describe lease beats-cluster-leader`. Different Beats that refer to the same leader lease will be competitors in holding the lease and only one will be elected as leader each time.
+
+`leader_leaseduration`
+:   (Optional) Duration that non-leader candidates will wait to force acquire the lease leadership. Defaults to `15s`.
+
+`leader_renewdeadline`
+:   (Optional) Duration that the leader will retry refreshing its leadership before giving up. Defaults to `10s`.
+
+`leader_retryperiod`
+:   (Optional) Duration that the metricbeat instances running to acquire the lease should wait between tries of actions. Defaults to `2s`.
+
+Configuration templates can contain variables from the autodiscover event. These variables can be accessed under the `data` namespace, e.g. to access Pod IP: `${data.kubernetes.pod.ip}`.
+
+These are the fields available within config templating. The `kubernetes.*` fields will be available on each emitted event:
+
+
+##### Generic fields: [_generic_fields]
+
+* host
+
+
+##### Pod specific: [_pod_specific]
+
+| Key | Type | Description |
+| --- | --- | --- |
+| `port` | `string` | Pod port. If pod has multiple ports exposed should be used `ports.<port-name>` instead |
+| `kubernetes.namespace` | `string` | Namespace, where the Pod is running |
+| `kubernetes.namespace_uuid` | `string` | UUID of the Namespace, where the Pod is running |
+| `kubernetes.namespace_annotations.*` | `object` | Annotations of the Namespace, where the Pod is running. Annotations should be used in not dedoted format, e.g. `kubernetes.namespace_annotations.app.kubernetes.io/name` |
+| `kubernetes.pod.name` | `string` | Name of the Pod |
+| `kubernetes.pod.uid` | `string` | UID of the Pod |
+| `kubernetes.pod.ip` | `string` | IP of the Pod |
+| `kubernetes.labels.*` | `object` | Object of the Pod labels. Labels should be used in not dedoted format, e.g. `kubernetes.labels.app.kubernetes.io/name` |
+| `kubernetes.annotations.*` | `object` | Object of the Pod annotations. Annotations should be used in not dedoted format, e.g. `kubernetes.annotations.test.io/test` |
+| `kubernetes.container.name` | `string` | Name of the container |
+| `kubernetes.container.runtime` | `string` | Runtime of the container |
+| `kubernetes.container.id` | `string` | ID of the container |
+| `kubernetes.container.image` | `string` | Image of the container |
+| `kubernetes.node.name` | `string` | Name of the Node |
+| `kubernetes.node.uid` | `string` | UID of the Node |
+| `kubernetes.node.hostname` | `string` | Hostname of the Node |
+
+
+##### Node specific: [_node_specific]
+
+| Key | Type | Description |
+| --- | --- | --- |
+| `kubernetes.labels.*` | `object` | Object of labels of the Node |
+| `kubernetes.annotations.*` | `object` | Object of annotations of the Node |
+| `kubernetes.node.name` | `string` | Name of the Node |
+| `kubernetes.node.uid` | `string` | UID of the Node |
+| `kubernetes.node.hostname` | `string` | Hostname of the Node |
+
+
+##### Service specific: [_service_specific]
+
+| Key | Type | Description |
+| --- | --- | --- |
+| `port` | `string` | Service port |
+| `kubernetes.namespace` | `string` | Namespace of the Service |
+| `kubernetes.namespace_uuid` | `string` | UUID of the Namespace of the Service |
+| `kubernetes.namespace_annotations.*` | `object` | Annotations of the Namespace of the Service. Annotations should be used in not dedoted format, e.g. `kubernetes.namespace_annotations.app.kubernetes.io/name` |
+| `kubernetes.labels.*` | `object` | Object of the Service labels |
+| `kubernetes.annotations.*` | `object` | Object of the Service annotations |
+| `kubernetes.service.name` | `string` | Name of the Service |
+| `kubernetes.service.uid` | `string` | UID of the Service |
+
+If the `include_annotations` config is added to the provider config, then the list of annotations present in the config are added to the event.
+
+If the `include_labels` config is added to the provider config, then the list of labels present in the config will be added to the event.
+
+If the `exclude_labels` config is added to the provider config, then the list of labels present in the config will be excluded from the event.
+
+if the `labels.dedot` config is set to be `true` in the provider config, then `.` in labels will be replaced with `_`. By default it is `true`.
+
+if the `annotations.dedot` config is set to be `true` in the provider config, then `.` in annotations will be replaced with `_`. By default it is `true`.
+
+::::{note}
+Starting from 8.6 release `kubernetes.labels.*` used in config templating are not dedoted regardless of `labels.dedot` value. This config parameter only affects the fields added in the final Elasticsearch document. For example, for a pod with label `app.kubernetes.io/name=ingress-nginx` the matching condition should be `condition.equals: kubernetes.labels.app.kubernetes.io/name: "ingress-nginx"`. If `labels.dedot` is set to `true`(default value) the label will be stored in Elasticsearch as `kubernetes.labels.app_kubernetes_io/name`. The same applies for kubernetes annotations.
+::::
+
+
+For example:
+
+```yaml
+{
+  "host": "172.17.0.21",
+  "port": 9090,
+  "kubernetes": {
+    "container": {
+      "id": "bb3a50625c01b16a88aa224779c39262a9ad14264c3034669a50cd9a90af1527",
+      "image": "prom/prometheus",
+      "name": "prometheus"
+    },
+    "labels": {
+      "project": "prometheus",
+      ...
+    },
+    "namespace": "default",
+    "node": {
+      "name": "minikube"
+    },
+    "pod": {
+      "name": "prometheus-2657348378-k1pnh"
+    }
+  },
+}
+```
+
+Filebeat supports templates for inputs and modules.
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: kubernetes
+      templates:
+        - condition:
+            equals:
+              kubernetes.namespace: kube-system
+          config:
+            - type: container
+              paths:
+                - /var/log/containers/*-${data.kubernetes.container.id}.log
+              exclude_lines: ["^\\s+[\\-`('.|_]"]  # drop asciiart lines
+```
+
+This configuration launches a `docker` logs input for all containers of pods running in the Kubernetes namespace `kube-system`.
+
+If you are using modules, you can override the default input and use the docker input instead.
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: kubernetes
+      templates:
+        - condition:
+            equals:
+              kubernetes.container.image: "redis"
+          config:
+            - module: redis
+              log:
+                input:
+                  type: container
+                  paths:
+                    - /var/log/containers/*-${data.kubernetes.container.id}.log
+```
+
+
+#### Jolokia [_jolokia]
+
+The Jolokia autodiscover provider uses Jolokia Discovery to find agents running in your host or your network.
+
+The configuration of this provider consists in a set of network interfaces, as well as a set of templates as in other providers. The network interfaces will be the ones used for discovery probes, each item of `interfaces` has these settings:
+
+`name`
+:   the name of the interface (e.g. `br0`), it can contain a wildcard as suffix to apply the same settings to multiple network interfaces of the same type (e.g. `br*`).
+
+`interval`
+:   time between probes (defaults to 10s)
+
+`grace_period`
+:   time since the last reply to consider an instance stopped (defaults to 30s)
+
+`probe_timeout`
+:   max time to wait for responses since a probe is sent (defaults to 1s)
+
+Jolokia Discovery mechanism is supported by any Jolokia agent since version 1.2.0, it is enabled by default when Jolokia is included in the application as a JVM agent, but disabled in other cases as the OSGI or WAR (Java EE) agents. In any case, this feature is controlled with two properties:
+
+* `discoveryEnabled`, to enable the feature
+* `discoveryAgentUrl`, if set, this is the URL announced by the agent when being discovered, setting this parameter implicitly enables the feature
+
+There are multiple ways of setting these properties, and they can vary from application to application, please refer to the documentation of your application to find the more suitable way to set them in your case.
+
+Jolokia Discovery is based on UDP multicast requests. Agents join the multicast group 239.192.48.84, port 24884, and discovery is done by sending queries to this group. You have to take into account that UDP traffic between Filebeat and the Jolokia agents has to be allowed. Also notice that this multicast address is in the 239.0.0.0/8 range, that is reserved for private use within an organization, so it can only be used in private networks.
+
+These are the available fields during within config templating. The `jolokia.*` fields will be available on each emitted event.
+
+* jolokia.agent.id
+* jolokia.agent.version
+* jolokia.secured
+* jolokia.server.product
+* jolokia.server.vendor
+* jolokia.server.version
+* jolokia.url
+
+Filebeat supports templates for inputs and modules:
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: jolokia
+      interfaces:
+      - name: lo
+      templates:
+      - condition:
+          contains:
+            jolokia.server.product: "kafka"
+        config:
+        - module: kafka
+          log:
+            enabled: true
+            var.paths:
+            - /var/log/kafka/*.log
+```
+
+This configuration starts a jolokia module that collects logs of kafka if it is running. Discovery probes are sent using the local interface.
+
+
+#### Nomad [_nomad]
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The Nomad autodiscover provider watches for Nomad jobs to start, update, and stop.
+
+The `nomad` autodiscover provider has the following configuration settings:
+
+`address`
+:   (Optional) Specify the address of the Nomad agent. By default it will try to talk to a Nomad agent running locally (`http://127.0.0.1:4646`).
+
+`region`
+:   (Optional) Region to use. If not provided, the default agent region is used.
+
+`namespace`
+:   (Optional) Namespace to use. If not provided the `default` namespace is used.
+
+`secret_id`
+:   (Optional) SecretID to use if ACL is enabled in Nomad. This is an example ACL policy to apply to the token.
+
+```json
+namespace "*" {
+  policy = "read"
+}
+node {
+  policy = "read"
+}
+agent {
+  policy = "read"
+}
+```
+
+`node`
+:   (Optional) Specify the node to scope filebeat to in case it cannot be accurately detected when `node` scope is used.
+
+`scope`
+:   (Optional) Specify at what level autodiscover needs to be done at. `scope` can either take `node` or `cluster` as values. `node` scope allows discovery of resources in the specified node. `cluster` scope allows cluster wide discovery. Defaults to `node`.
+
+`wait_time`
+:   (Optional) Limits how long a Watch will block. If not specified (or set to `0`) the default configuration from the agent will be used.
+
+`allow_stale`
+:   (Optional) allows any Nomad server (non-leader) to service a read. This normally means that the local node where filebeat is allocated will service filebeat’s requests. Defaults to `true`.
+
+The configuration of templates and conditions is similar to that of the Docker provider. Configuration templates can contain variables from the autodiscover event. They can be accessed under `data` namespace.
+
+These are the available fields during config templating. The `nomad.*` fields will be available on each emitted event.
+
+* nomad.allocation.id
+* nomad.allocation.name
+* nomad.allocation.status
+* nomad.datacenter
+* nomad.job.name
+* nomad.job.type
+* nomad.namespace
+* nomad.region
+* nomad.task.name
+* nomad.task.service.canary_tags
+* nomad.task.service.name
+* nomad.task.service.tags
+
+If the `include_labels` config is added to the provider config, then the list of labels present in the config will be added to the event.
+
+If the `exclude_labels` config is added to the provider config, then the list of labels present in the config will be excluded from the event.
+
+if the `labels.dedot` config is set to be `true` in the provider config, then `.` in labels will be replaced with `_`.
+
+For example:
+
+```yaml
+{
+  ...
+  "region": "europe",
+  "allocation": {
+    "name": "coffeshop.api[0]",
+    "id": "35eba07f-e5e4-20ac-6def-85117bee6efb",
+    "status": "running"
+  },
+  "datacenters": [
+    "europe-west4"
+  ],
+  "namespace": "default",
+  "job": {
+    "type": "service",
+    "name": "coffeshop"
+  },
+  "task": {
+    "service": {
+      "name": [
+        "coffeshop"
+      ],
+      "tags": [
+        "coffeshop",
+        "nginx"
+      ],
+      "canary_tags": [
+        "coffeshop"
+      ]
+    },
+    "name": "api"
+  },
+  ...
+}
+```
+
+Filebeat supports templates for inputs and modules.
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: nomad
+      node: nomad1
+      scope: local
+      hints.enabled: true
+      allow_stale: true
+      templates:
+        - condition:
+            equals:
+              nomad.namespace: web
+          config:
+            - type: filestream
+              id: ${data.nomad.task.name}-${data.nomad.allocation.id} # unique ID required
+              paths:
+                - /var/lib/nomad/alloc/${data.nomad.allocation.id}/alloc/logs/${data.nomad.task.name}.stderr.[0-9]*
+              exclude_lines: ["^\\s+[\\-`('.|_]"]  # drop asciiart lines
+```
+
+This configuration launches a `filestream` input for all jobs under the `web` Nomad namespace.
+
+If you are using modules, you can override the default input and customize it to read from the `${data.nomad.task.name}.stdout` and/or `${data.nomad.task.name}.stderr` files.
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: nomad
+      templates:
+        - condition:
+            equals:
+              nomad.task.service.tags: "redis"
+          config:
+            - module: redis
+              log:
+                input:
+                  type: filestream
+                  id: ${data.nomad.task.name}-${data.nomad.allocation.id} # unique ID required
+                  paths:
+                    - /var/lib/nomad/alloc/${data.nomad.allocation.id}/alloc/logs/${data.nomad.task.name}.*
+```
+
+::::{warning}
+The `docker` input is currently not supported. Nomad doesn’t expose the container ID associated with the allocation. Without the container ID, there is no way of generating the proper path for reading the container’s logs.
+::::
diff --git a/docs/reference/filebeat/configuration-dashboards.md b/docs/reference/filebeat/configuration-dashboards.md
new file mode 100644
index 000000000000..519070bbbd64
--- /dev/null
+++ b/docs/reference/filebeat/configuration-dashboards.md
@@ -0,0 +1,103 @@
+---
+navigation_title: "Kibana dashboards"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-dashboards.html
+---
+
+# Configure Kibana dashboard loading [configuration-dashboards]
+
+
+Filebeat comes packaged with example Kibana dashboards, visualizations, and searches for visualizing Filebeat data in Kibana.
+
+To load the dashboards, you can either enable dashboard loading in the `setup.dashboards` section of the `filebeat.yml` config file, or you can run the `setup` command. Dashboard loading is disabled by default.
+
+When dashboard loading is enabled, Filebeat uses the Kibana API to load the sample dashboards. Dashboard loading is only attempted when Filebeat starts up. If Kibana is not available at startup, Filebeat will stop with an error.
+
+To enable dashboard loading, add the following setting to the config file:
+
+```yaml
+setup.dashboards.enabled: true
+```
+
+
+## Configuration options [_configuration_options_35]
+
+You can specify the following options in the `setup.dashboards` section of the `filebeat.yml` config file:
+
+
+### `setup.dashboards.enabled` [_setup_dashboards_enabled]
+
+If this option is set to true, Filebeat loads the sample Kibana dashboards from the local `kibana` directory in the home path of the Filebeat installation.
+
+::::{note}
+Filebeat loads dashboards on startup if either `enabled` is set to `true` or the `setup.dashboards` section is included in the configuration.
+::::
+
+
+::::{note}
+When dashboard loading is enabled, Filebeat overwrites any existing dashboards that match the names of the dashboards you are loading. This happens every time Filebeat starts.
+::::
+
+
+If no other options are set, the dashboard are loaded from the local `kibana` directory in the home path of the Filebeat installation. To load dashboards from a different location, you can configure one of the following options: [`setup.dashboards.directory`](#directory-option), [`setup.dashboards.url`](#url-option), or [`setup.dashboards.file`](#file-option).
+
+
+### `setup.dashboards.directory` [directory-option]
+
+The directory that contains the dashboards to load. The default is the `kibana` folder in the home path.
+
+
+### `setup.dashboards.url` [url-option]
+
+The URL to use for downloading the dashboard archive. If this option is set, Filebeat downloads the dashboard archive from the specified URL instead of using the local directory.
+
+
+### `setup.dashboards.file` [file-option]
+
+The file archive (zip file) that contains the dashboards to load. If this option is set, Filebeat looks for a dashboard archive in the specified path instead of using the local directory.
+
+
+### `setup.dashboards.beat` [_setup_dashboards_beat]
+
+In case the archive contains the dashboards for multiple Beats, this setting lets you select the Beat for which you want to load dashboards. To load all the dashboards in the archive, set this option to an empty string. The default is `"filebeat"`.
+
+
+### `setup.dashboards.kibana_index` [_setup_dashboards_kibana_index]
+
+The name of the Kibana index to use for setting the configuration. The default is `".kibana"`
+
+
+### `setup.dashboards.index` [_setup_dashboards_index]
+
+The Elasticsearch index name. This setting overwrites the index name defined in the dashboards and index pattern. Example: `"testbeat-*"`
+
+::::{note}
+This setting only works for Kibana 6.0 and newer.
+::::
+
+
+
+### `setup.dashboards.always_kibana` [_setup_dashboards_always_kibana]
+
+Force loading of dashboards using the Kibana API without querying Elasticsearch for the version. The default is `false`.
+
+
+### `setup.dashboards.retry.enabled` [_setup_dashboards_retry_enabled]
+
+If this option is set to true, and Kibana is not reachable at the time when dashboards are loaded, Filebeat will retry to reconnect to Kibana instead of exiting with an error. Disabled by default.
+
+
+### `setup.dashboards.retry.interval` [_setup_dashboards_retry_interval]
+
+Duration interval between Kibana connection retries. Defaults to 1 second.
+
+
+### `setup.dashboards.retry.maximum` [_setup_dashboards_retry_maximum]
+
+Maximum number of retries before exiting with an error. Set to 0 for unlimited retrying. Default is unlimited.
+
+
+### `setup.dashboards.string_replacements` [_setup_dashboards_string_replacements]
+
+The needle and replacements string map, which is used to replace needle string in dashboards and their references contents.
+
diff --git a/docs/reference/filebeat/configuration-feature-flags.md b/docs/reference/filebeat/configuration-feature-flags.md
new file mode 100644
index 000000000000..49376c262432
--- /dev/null
+++ b/docs/reference/filebeat/configuration-feature-flags.md
@@ -0,0 +1,54 @@
+---
+navigation_title: "Feature flags"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-feature-flags.html
+---
+
+# Configure feature flags [configuration-feature-flags]
+
+
+The Feature Flags section of the `filebeat.yml` config file contains settings in Filebeat that are disabled by default. These may include experimental features, changes to behaviors within Filebeat, or settings that could cause a breaking change. For example a setting that changes information included in events might be inconsistent with the naming pattern expected in your configured Filebeat output.
+
+To enable any of the settings listed on this page, change the associated `enabled` flag from `false` to `true`.
+
+```yaml
+features:
+  mysetting:
+    enabled: true
+```
+
+
+## Configuration options [_configuration_options_40]
+
+You can specify the following options in the `features` section of the `filebeat.yml` config file:
+
+
+### `fqdn` [_fqdn]
+
+Contains configuration for the FQDN reporting feature. When this feature is enabled, the fully-qualified domain name for the host is reported in the `host.name` field in events produced by Filebeat.
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+For FQDN reporting to work as expected, the hostname of the current host must either:
+
+* Have a CNAME entry defined in DNS.
+* Have one of its corresponding IP addresses respond successfully to a reverse DNS lookup.
+
+If neither pre-requisite is satisfied, `host.name` continues to report the hostname of the current host as if the FQDN feature flag were not enabled.
+
+Example configuration:
+
+```yaml
+features:
+  fqdn:
+    enabled: true
+```
+
+
+#### `enabled` [_enabled_39]
+
+Set to `true` to enable the FQDN reporting feature of Filebeat. Defaults to `false`.
+
diff --git a/docs/reference/filebeat/configuration-filebeat-modules.md b/docs/reference/filebeat/configuration-filebeat-modules.md
new file mode 100644
index 000000000000..60c2b76664f8
--- /dev/null
+++ b/docs/reference/filebeat/configuration-filebeat-modules.md
@@ -0,0 +1,95 @@
+---
+navigation_title: "Modules"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-modules.html
+---
+
+# Configure modules [configuration-filebeat-modules]
+
+
+::::{note}
+Using Filebeat modules is optional. You may decide to [configure inputs manually](/reference/filebeat/configuration-filebeat-options.md) if you’re using a log type that isn’t supported, or you want to use a different setup.
+::::
+
+
+Filebeat [modules](/reference/filebeat/filebeat-modules.md) provide a quick way to get started processing common log formats. They contain default configurations, {{es}} ingest pipeline definitions, and {{kib}} dashboards to help you implement and deploy a log monitoring solution.
+
+You can configure modules in the `modules.d` directory (recommended), or in the Filebeat configuration file.
+
+Before running Filebeat with modules enabled, make sure you also set up the environment to use {{kib}} dashboards. See [Quick start: installation and configuration](/reference/filebeat/filebeat-installation-configuration.md) for more information.
+
+::::{note}
+On systems with POSIX file permissions, all Beats configuration files are subject to ownership and file permission checks. For more information, see [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::
+
+
+
+## Configure modules in the `modules.d` directory [configure-modules-d-configs]
+
+The `modules.d` directory contains default configurations for all the modules available in Filebeat. To enable or disable specific module configurations under `modules.d`, run the [`modules enable` or `modules disable`](/reference/filebeat/command-line-options.md#modules-command) command. For example:
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+filebeat modules enable nginx
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+filebeat modules enable nginx
+```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+./filebeat modules enable nginx
+```
+::::::
+
+::::::{tab-item} Linux
+```sh
+./filebeat modules enable nginx
+```
+::::::
+
+::::::{tab-item} Windows
+```sh
+PS > .\filebeat.exe modules enable nginx
+```
+::::::
+
+:::::::
+The default configurations assume that your data is in the location expected for your OS and that the behavior of the module is appropriate for your environment. To change the default behavior, configure variable settings. For a list of available settings, see the documentation under [Modules](/reference/filebeat/filebeat-modules.md).
+
+For advanced use cases, you can also [override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+You can enable modules at runtime by using the [--modules flag](/reference/filebeat/filebeat-modules.md). This is useful if you’re getting started and want to try things out. Any modules specified at the command line are loaded along with any modules that are enabled in the configuration file or `modules.d` directory. If there’s a conflict, the configuration specified at the command line is used.
+::::
+
+
+
+## Configure modules in the `filebeat.yml` file [configure-modules-config-file]
+
+When possible, you should use the config files in the `modules.d` directory.
+
+However, configuring [modules](/reference/filebeat/filebeat-modules.md) directly in the config file is a practical approach if you have upgraded from a previous version of Filebeat and don’t want to move your module configs to the `modules.d` directory. You can continue to configure modules in the `filebeat.yml` file, but you won’t be able to use the `modules` command to enable and disable configurations because the command requires the `modules.d` layout.
+
+To enable specific modules in the `filebeat.yml` config file, add entries to the `filebeat.modules` list. Each entry in the list begins with a dash (-) and is followed by settings for that module.
+
+The following example shows a configuration that runs the `nginx`,`mysql`, and `system` modules:
+
+```yaml
+filebeat.modules:
+- module: nginx
+  access:
+  error:
+- module: mysql
+  slowlog:
+- module: system
+  auth:
+```
+
+
diff --git a/docs/reference/filebeat/configuration-filebeat-options.md b/docs/reference/filebeat/configuration-filebeat-options.md
new file mode 100644
index 000000000000..55c249bd5f98
--- /dev/null
+++ b/docs/reference/filebeat/configuration-filebeat-options.md
@@ -0,0 +1,88 @@
+---
+navigation_title: "Inputs"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html
+---
+
+# Configure inputs [configuration-filebeat-options]
+
+
+::::{tip}
+[Filebeat modules](/reference/filebeat/filebeat-modules-overview.md) provide the fastest getting started experience for common log formats. See [Quick start: installation and configuration](/reference/filebeat/filebeat-installation-configuration.md) to learn how to get started.
+::::
+
+
+To configure Filebeat manually (instead of using [modules](/reference/filebeat/filebeat-modules-overview.md)), you specify a list of inputs in the `filebeat.inputs` section of the `filebeat.yml`. Inputs specify how Filebeat locates and processes input data.
+
+The list is a [YAML](http://yaml.org/) array, so each input begins with a dash (`-`). You can specify multiple inputs, and you can specify the same input type more than once. For example:
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  id: my-filestream-id <1>
+  paths:
+    - /var/log/system.log
+    - /var/log/wifi.log
+- type: filestream
+  id: apache-filestream-id
+  paths:
+    - "/var/log/apache2/*"
+  fields:
+    apache: true
+  fields_under_root: true
+```
+
+1. Each filestream input must have a unique ID to allow tracking the state of files.
+
+
+For the most basic configuration, define a single input with a single path. For example:
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  id: my-filestream-id
+  paths:
+    - /var/log/*.log
+```
+
+The input in this example harvests all files in the path `/var/log/*.log`, which means that Filebeat will harvest all files in the directory `/var/log/` that end with `.log`. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here.
+
+To fetch all files from a predefined level of subdirectories, use this pattern: `/var/log/*/*.log`. This fetches all `.log` files from the subfolders of `/var/log`. It does not fetch log files from the `/var/log` folder itself. Currently it is not possible to recursively fetch all files in all subdirectories of a directory.
+
+
+## Input types [filebeat-input-types]
+
+You can configure Filebeat to use the following inputs:
+
+* [AWS CloudWatch](/reference/filebeat/filebeat-input-aws-cloudwatch.md)
+* [AWS S3](/reference/filebeat/filebeat-input-aws-s3.md)
+* [Azure Event Hub](/reference/filebeat/filebeat-input-azure-eventhub.md)
+* [Azure Blob Storage](/reference/filebeat/filebeat-input-azure-blob-storage.md)
+* [Benchmark](/reference/filebeat/filebeat-input-benchmark.md)
+* [CEL](/reference/filebeat/filebeat-input-cel.md)
+* [Cloud Foundry](/reference/filebeat/filebeat-input-cloudfoundry.md)
+* [CometD](/reference/filebeat/filebeat-input-cometd.md)
+* [Container](/reference/filebeat/filebeat-input-container.md)
+* [Entity Analytics](/reference/filebeat/filebeat-input-entity-analytics.md)
+* [ETW](/reference/filebeat/filebeat-input-etw.md)
+* [filestream](/reference/filebeat/filebeat-input-filestream.md)
+* [GCP Pub/Sub](/reference/filebeat/filebeat-input-gcp-pubsub.md)
+* [Google Cloud Storage](/reference/filebeat/filebeat-input-gcs.md)
+* [HTTP Endpoint](/reference/filebeat/filebeat-input-http_endpoint.md)
+* [HTTP JSON](/reference/filebeat/filebeat-input-httpjson.md)
+* [journald](/reference/filebeat/filebeat-input-journald.md)
+* [Kafka](/reference/filebeat/filebeat-input-kafka.md)
+* [Log](/reference/filebeat/filebeat-input-log.md) (deprecated in 7.16.0, use [filestream](/reference/filebeat/filebeat-input-filestream.md))
+* [MQTT](/reference/filebeat/filebeat-input-mqtt.md)
+* [NetFlow](/reference/filebeat/filebeat-input-netflow.md)
+* [Office 365 Management Activity API](/reference/filebeat/filebeat-input-o365audit.md)
+* [Redis](/reference/filebeat/filebeat-input-redis.md)
+* [Salesforce](/reference/filebeat/filebeat-input-salesforce.md)
+* [Stdin](/reference/filebeat/filebeat-input-stdin.md)
+* [Streaming](/reference/filebeat/filebeat-input-streaming.md)
+* [Syslog](/reference/filebeat/filebeat-input-syslog.md)
+* [TCP](/reference/filebeat/filebeat-input-tcp.md)
+* [UDP](/reference/filebeat/filebeat-input-udp.md)
+* [Unified Logs](/reference/filebeat/filebeat-input-unifiedlogs.md)
+* [Unix](/reference/filebeat/filebeat-input-unix.md)
+* [winlog](/reference/filebeat/filebeat-input-winlog.md)
diff --git a/docs/reference/filebeat/configuration-general-options.md b/docs/reference/filebeat/configuration-general-options.md
new file mode 100644
index 000000000000..16afda2da579
--- /dev/null
+++ b/docs/reference/filebeat/configuration-general-options.md
@@ -0,0 +1,187 @@
+---
+navigation_title: "General settings"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-general-options.html
+---
+
+# Configure general settings [configuration-general-options]
+
+
+You can specify settings in the `filebeat.yml` config file to control the general behavior of Filebeat. This includes:
+
+* [Global options](#configuration-global-options) that control things like publisher behavior and the location of some files.
+* [General options](#configuration-general) that are supported by all Elastic Beats.
+
+
+## Global Filebeat configuration options [configuration-global-options]
+
+These options are in the `filebeat` namespace.
+
+
+### `registry.path` [_registry_path]
+
+The root path of the registry.  If a relative path is used, it is considered relative to the data path. See the [Directory layout](/reference/filebeat/directory-layout.md) section for details. The default is `${path.data}/registry`.
+
+```yaml
+filebeat.registry.path: registry
+```
+
+::::{note}
+The registry is only updated when new events are flushed and not on a predefined period. That means in case there are some states where the TTL expired, these are only removed when new events are processed.
+::::
+
+
+
+### `registry.file_permissions` [_registry_file_permissions]
+
+The permissions mask to apply on registry data file. The default value is 0600. The permissions option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with 0.
+
+The most permissive mask allowed is 0640. If a higher permissions mask is specified via this setting, it will be subject to an umask of 0027.
+
+This option is not supported on Windows.
+
+Examples:
+
+* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
+* 0600: give read and write access to the file owner, and no access to all others.
+
+```yaml
+filebeat.registry.file_permissions: 0600
+```
+
+
+### `registry.flush` [_registry_flush]
+
+The timeout value that controls when registry entries are written to disk (flushed). When an unwritten update exceeds this value, it triggers a write to disk. When `registry.flush` is set to 0s, the registry is written to disk after each batch of events has been published successfully. The default value is 1s.
+
+::::{note}
+The registry is always updated when Filebeat shuts down normally. After an abnormal shutdown, the registry will not be up-to-date if the `registry.flush` value is >0s. Filebeat will send published events again (depending on values in the last updated registry file).
+::::
+
+
+::::{note}
+Filtering out a huge number of logs can cause many registry updates, slowing down processing. Setting `registry.flush` to a value >0s reduces write operations, helping Filebeat process more events.
+::::
+
+
+
+### `registry.migrate_file` [_registry_migrate_file]
+
+Prior to Filebeat 7.0 the registry is stored in a single file. When you upgrade to 7.0, Filebeat will automatically migrate the old Filebeat 6.x registry file to use the new directory format. Filebeat looks for the file in the location specified by `filebeat.registry.path`. If you changed the path while upgrading, set `filebeat.registry.migrate_file` to point to the old registry file.
+
+```yaml
+filebeat.registry.path: ${path.data}/registry
+filebeat.registry.migrate_file: /path/to/old/registry_file
+```
+
+The registry will be migrated to the new location only if a registry using the directory format does not already exist.
+
+
+### `config_dir` [_config_dir]
+
+[6.0.0]
+
+The full path to the directory that contains additional input configuration files. Each configuration file must end with `.yml`. Each config file must also specify the full Filebeat config hierarchy even though only the `inputs` part of each file is processed. All global options, such as `registry_file`, are ignored.
+
+The `config_dir` option MUST point to a directory other than the directory where the main Filebeat config file resides.
+
+If the specified path is not absolute, it is considered relative to the configuration path. See the [Directory layout](/reference/filebeat/directory-layout.md) section for details.
+
+```yaml
+filebeat.config_dir: path/to/configs
+```
+
+
+### `shutdown_timeout` [shutdown-timeout]
+
+How long Filebeat waits on shutdown for the publisher to finish sending events before Filebeat shuts down.
+
+By default, this option is disabled, and Filebeat does not wait for the publisher to finish sending events before shutting down. This means that any events sent to the output, but not acknowledged before Filebeat shuts down, are sent again when you restart Filebeat. For more details about how this works, see [How does Filebeat ensure at-least-once delivery?](/reference/filebeat/how-filebeat-works.md#at-least-once-delivery).
+
+You can configure the `shutdown_timeout` option to specify the maximum amount of time that Filebeat waits for the publisher to finish sending events before shutting down. If all events are acknowledged before `shutdown_timeout` is reached, Filebeat will shut down.
+
+There is no recommended setting for this option because determining the correct value for `shutdown_timeout` depends heavily on the environment in which Filebeat is running and the current state of the output.
+
+Example configuration:
+
+```yaml
+filebeat.shutdown_timeout: 5s
+```
+
+
+## General configuration options [configuration-general]
+
+
+These options are supported by all Elastic Beats. Because they are common options, they are not namespaced.
+
+Here is an example configuration:
+
+```yaml
+name: "my-shipper"
+tags: ["service-X", "web-tier"]
+```
+
+
+### `name` [_name_2]
+
+The name of the Beat. If this option is empty, the `hostname` of the server is used. The name is included as the `agent.name` field in each published transaction. You can use the name to group all transactions sent by a single Beat.
+
+Example:
+
+```yaml
+name: "my-shipper"
+```
+
+
+### `tags` [_tags_30]
+
+A list of tags that the Beat includes in the `tags` field of each published transaction. Tags make it easy to group servers by different logical properties. For example, if you have a cluster of web servers, you can add the "webservers" tag to the Beat on each server, and then use filters and queries in the Kibana web interface to get visualisations for the whole group of servers.
+
+Example:
+
+```yaml
+tags: ["my-service", "hardware", "test"]
+```
+
+
+### `fields` [libbeat-configuration-fields]
+
+Optional fields that you can specify to add additional information to the output. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true.
+
+Example:
+
+```yaml
+fields: {project: "myproject", instance-id: "574734885120952459"}
+```
+
+
+### `fields_under_root` [_fields_under_root_2]
+
+If this option is set to true, the custom [fields](#libbeat-configuration-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names, then the custom fields overwrite the other fields.
+
+Example:
+
+```yaml
+fields_under_root: true
+fields:
+  instance_id: i-10a64379
+  region: us-east-1
+```
+
+
+### `processors` [_processors_30]
+
+A list of processors to apply to the data generated by the beat.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+### `max_procs` [_max_procs]
+
+Sets the maximum number of CPUs that can be executing simultaneously. The default is the number of logical CPUs available in the system.
+
+
+### `timestamp.precision` [_timestamp_precision]
+
+Configure the precision of all timestamps. By default it is set to millisecond. Available options: millisecond, microsecond, nanosecond
+
diff --git a/docs/reference/filebeat/configuration-instrumentation.md b/docs/reference/filebeat/configuration-instrumentation.md
new file mode 100644
index 000000000000..4f4e8aa53639
--- /dev/null
+++ b/docs/reference/filebeat/configuration-instrumentation.md
@@ -0,0 +1,87 @@
+---
+navigation_title: "Instrumentation"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-instrumentation.html
+---
+
+# Configure APM instrumentation [configuration-instrumentation]
+
+
+Libbeat uses the Elastic APM Go Agent to instrument its publishing pipeline. Currently, only the Elasticsearch output is instrumented. To gain insight into the performance of Filebeat, you can enable this instrumentation and send trace data to the APM Integration.
+
+Example configuration with instrumentation enabled:
+
+```yaml
+instrumentation:
+  enabled: true
+  environment: production
+  hosts:
+    - "http://localhost:8200"
+  api_key: L5ER6FEvjkmlfalBealQ3f3fLqf03fazfOV
+```
+
+
+## Configuration options [_configuration_options_39]
+
+You can specify the following options in the `instrumentation` section of the `filebeat.yml` config file:
+
+
+### `enabled` [_enabled_38]
+
+Set to `true` to enable instrumentation of Filebeat. Defaults to `false`.
+
+
+### `environment` [_environment]
+
+Set the environment in which Filebeat is running, for example, `staging`, `production`, `dev`, etc. Environments can be filtered in the [APM app](docs-content://solutions/observability/apps/overviews.md).
+
+
+### `hosts` [_hosts_4]
+
+The APM integration [host](docs-content://reference/ingestion-tools/observability/apm-settings.md) to report instrumentation data to. Defaults to `http://localhost:8200`.
+
+
+### `api_key` [_api_key_2]
+
+The [API Key](docs-content://reference/ingestion-tools/observability/apm-settings.md) used to secure communication with the APM Integration. If `api_key` is set then `secret_token` will be ignored.
+
+
+### `secret_token` [_secret_token]
+
+The [Secret token](docs-content://reference/ingestion-tools/observability/apm-settings.md) used to secure communication with the APM Integration.
+
+
+### `profiling.cpu.enabled` [_profiling_cpu_enabled]
+
+Set to `true` to enable CPU profiling, where profile samples are recorded as events.
+
+This feature is experimental.
+
+
+### `profiling.cpu.interval` [_profiling_cpu_interval]
+
+Configure the CPU profiling interval. Defaults to `60s`.
+
+This feature is experimental.
+
+
+### `profiling.cpu.duration` [_profiling_cpu_duration]
+
+Configure the CPU profiling duration. Defaults to `10s`.
+
+This feature is experimental.
+
+
+### `profiling.heap.enabled` [_profiling_heap_enabled]
+
+Set to `true` to enable heap profiling.
+
+This feature is experimental.
+
+
+### `profiling.heap.interval` [_profiling_heap_interval]
+
+Configure the heap profiling interval. Defaults to `60s`.
+
+This feature is experimental.
+
diff --git a/docs/reference/filebeat/configuration-kerberos.md b/docs/reference/filebeat/configuration-kerberos.md
new file mode 100644
index 000000000000..d36ffc8c768e
--- /dev/null
+++ b/docs/reference/filebeat/configuration-kerberos.md
@@ -0,0 +1,90 @@
+---
+navigation_title: "Kerberos"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-kerberos.html
+---
+
+# Configure Kerberos [configuration-kerberos]
+
+
+You can specify Kerberos options with any output or input that supports Kerberos, like {{es}}.
+
+The following encryption types are supported:
+
+* aes128-cts-hmac-sha1-96
+* aes128-cts-hmac-sha256-128
+* aes256-cts-hmac-sha1-96
+* aes256-cts-hmac-sha384-192
+* des3-cbc-sha1-kd
+* rc4-hmac
+
+Example output config with Kerberos password based authentication:
+
+```yaml
+output.elasticsearch.hosts: ["http://my-elasticsearch.elastic.co:9200"]
+output.elasticsearch.kerberos.auth_type: password
+output.elasticsearch.kerberos.username: "elastic"
+output.elasticsearch.kerberos.password: "changeme"
+output.elasticsearch.kerberos.config_path: "/etc/krb5.conf"
+output.elasticsearch.kerberos.realm: "ELASTIC.CO"
+```
+
+The service principal name for the Elasticsearch instance is contructed from these options. Based on this configuration it is going to be `HTTP/my-elasticsearch.elastic.co@ELASTIC.CO`.
+
+
+## Configuration options [_configuration_options_32]
+
+You can specify the following options in the `kerberos` section of the `filebeat.yml` config file:
+
+
+### `enabled` [_enabled_37]
+
+The `enabled` setting can be used to enable the kerberos configuration by setting it to `false`. The default value is `true`.
+
+::::{note}
+Kerberos settings are disabled if either `enabled` is set to `false` or the `kerberos` section is missing.
+::::
+
+
+
+### `auth_type` [_auth_type]
+
+There are two options to authenticate with Kerberos KDC: `password` and `keytab`.
+
+`password` expects the principal name and its password. When choosing `keytab`, you have to specify a principal name and a path to a keytab. The keytab must contain the keys of the selected principal. Otherwise, authentication will fail.
+
+
+### `config_path` [_config_path]
+
+You need to set the path to the `krb5.conf`, so Filebeat can find the Kerberos KDC to retrieve a ticket.
+
+
+### `username` [_username_5]
+
+Name of the principal used to connect to the output.
+
+
+### `password` [_password_6]
+
+If you configured `password` for `auth_type`, you have to provide a password for the selected principal.
+
+
+### `keytab` [_keytab]
+
+If you configured `keytab` for `auth_type`, you have to provide the path to the keytab of the selected principal.
+
+
+### `service_name` [_service_name]
+
+This option can only be configured for Kafka. It is the name of the Kafka service, usually `kafka`.
+
+
+### `realm` [_realm]
+
+Name of the realm where the output resides.
+
+
+### `enable_krb5_fast` [_enable_krb5_fast]
+
+Enable Kerberos FAST authentication. This may conflict with some Active Directory installations. The default is `false`.
+
diff --git a/docs/reference/filebeat/configuration-logging.md b/docs/reference/filebeat/configuration-logging.md
new file mode 100644
index 000000000000..b92c2d52b98d
--- /dev/null
+++ b/docs/reference/filebeat/configuration-logging.md
@@ -0,0 +1,253 @@
+---
+navigation_title: "Logging"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-logging.html
+---
+
+# Configure logging [configuration-logging]
+
+
+The `logging` section of the `filebeat.yml` config file contains options for configuring the logging output. The logging system can write logs to the syslog or rotate log files. If logging is not explicitly configured the file output is used.
+
+```yaml
+logging.level: info
+logging.to_files: true
+logging.files:
+  path: /var/log/filebeat
+  name: filebeat
+  keepfiles: 7
+  permissions: 0640
+```
+
+::::{tip}
+In addition to setting logging options in the config file, you can modify the logging output configuration from the command line. See [Command reference](/reference/filebeat/command-line-options.md).
+::::
+
+
+::::{warning}
+When Filebeat is running on a Linux system with systemd, it uses by default the `-e` command line option, that makes it write all the logging output to stderr so it can be captured by journald. Other outputs are disabled. See [Filebeat and systemd](/reference/filebeat/running-with-systemd.md) to know more and learn how to change this.
+::::
+
+
+
+## Configuration options [_configuration_options_38]
+
+You can specify the following options in the `logging` section of the `filebeat.yml` config file:
+
+
+### `logging.to_stderr` [_logging_to_stderr]
+
+When true, writes all logging output to standard error output. This is equivalent to using the `-e` command line option.
+
+
+### `logging.to_syslog` [_logging_to_syslog]
+
+When true, writes all logging output to the syslog.
+
+::::{note}
+This option is not supported on Windows.
+::::
+
+
+
+### `logging.to_eventlog` [_logging_to_eventlog]
+
+When true, writes all logging output to the Windows Event Log.
+
+
+### `logging.to_files` [_logging_to_files]
+
+When true, writes all logging output to files. The log files are automatically rotated when the log file size limit is reached.
+
+::::{note}
+Filebeat only creates a log file if there is logging output. For example, if you set the log [`level`](#level) to `error` and there are no errors, there will be no log file in the directory specified for logs.
+::::
+
+
+
+### `logging.level` [level]
+
+Minimum log level. One of `debug`, `info`, `warning`, or `error`. The default log level is `info`.
+
+`debug`
+:   Logs debug messages, including a detailed printout of all events flushed. Also logs informational messages, warnings, errors, and critical errors. When the log level is `debug`, you can specify a list of [`selectors`](#selectors) to display debug messages for specific components. If no selectors are specified, the `*` selector is used to display debug messages for all components.
+
+`info`
+:   Logs informational messages, including the number of events that are published. Also logs any warnings, errors, or critical errors.
+
+`warning`
+:   Logs warnings, errors, and critical errors.
+
+`error`
+:   Logs errors and critical errors.
+
+
+### `logging.selectors` [selectors]
+
+The list of debugging-only selector tags used by different Filebeat components. Use `*` to enable debug output for all components. Use `publisher` to display debug messages related to event publishing.
+
+::::{tip}
+The list of available selectors may change between releases, so avoid creating tests that depend on specific selectors.
+
+To see which selectors are available, run Filebeat in debug mode (set `logging.level: debug` in the configuration). The selector name appears after the log level and is enclosed in brackets.
+
+::::
+
+
+To configure multiple selectors, use the following [YAML list syntax](/reference/libbeat/config-file-format.md):
+
+```yaml
+logging.selectors: [ harvester, input ]
+```
+
+To override selectors at the command line, use the `-d` global flag (`-d` also sets the debug log level). For more information, see [Command reference](/reference/filebeat/command-line-options.md).
+
+
+### `logging.metrics.enabled` [_logging_metrics_enabled]
+
+By default, Filebeat periodically logs its internal metrics that have changed in the last period. For each metric that changed, the delta from the value at the beginning of the period is logged. Also, the total values for all non-zero internal metrics are logged on shutdown. Set this to false to disable this behavior. The default is true.
+
+Here is an example log line:
+
+```shell
+2017-12-17T19:17:42.667-0500    INFO    [metrics]       log/log.go:110  Non-zero metrics in the last 30s: beat.info.uptime.ms=30004 beat.memstats.gc_next=5046416
+```
+
+Note that we currently offer no backwards compatible guarantees for the internal metrics and for this reason they are also not documented.
+
+
+### `logging.metrics.period` [_logging_metrics_period]
+
+The period after which to log the internal metrics. The default is 30s.
+
+
+### `logging.metrics.namespaces` [_logging_metrics_namespaces]
+
+A list of metrics namespaces to report in the logs. Defaults to `[stats]`. `stats` contains general Beat metrics. `dataset` and `inputs` may be present in some Beats and contains module or input metrics.
+
+
+### `logging.files.path` [_logging_files_path]
+
+The directory that log files are written to. The default is the logs path. See the [Directory layout](/reference/filebeat/directory-layout.md) section for details.
+
+
+### `logging.files.name` [_logging_files_name]
+
+The name of the file that logs are written to. The default is *filebeat*.
+
+
+### `logging.files.rotateeverybytes` [_logging_files_rotateeverybytes]
+
+The maximum size of a log file. If the limit is reached, a new log file is generated. The default size limit is 10485760 (10 MB).
+
+
+### `logging.files.keepfiles` [_logging_files_keepfiles]
+
+The number of most recent rotated log files to keep on disk. Older files are deleted during log rotation. The default value is 7. The `keepfiles` options has to be in the range of 2 to 1024 files.
+
+
+### `logging.files.permissions` [_logging_files_permissions]
+
+The permissions mask to apply when rotating log files. The default value is 0600. The `permissions` option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with *0*.
+
+The most permissive mask allowed is 0640. If a higher permissions mask is specified via this setting, it will be subject to an umask of 0027.
+
+This option is not supported on Windows.
+
+Examples:
+
+* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
+* 0600: give read and write access to the file owner, and no access to all others.
+
+
+### `logging.files.interval` [_logging_files_interval]
+
+Enable log file rotation on time intervals in addition to size-based rotation. Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h are boundary-aligned with minutes, hours, days, weeks, months, and years as reported by the local system clock. All other intervals are calculated from the unix epoch. Defaults to disabled.
+
+
+### `logging.files.rotateonstartup` [_logging_files_rotateonstartup]
+
+If the log file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to true.
+
+
+### `logging.files.redirect_stderr` [preview] [_logging_files_redirect_stderr]
+
+When true, diagnostic messages printed to Filebeat’s standard error output will also be logged to the log file. This can be helpful in situations were Filebeat terminates unexpectedly because an error has been detected by Go’s runtime but diagnostic information is not present in the log file. This feature is only available when logging to files (`logging.to_files` is true). Disabled by default.
+
+
+## Logging format [_logging_format]
+
+The logging format is generally the same for each logging output. The one exception is with the syslog output where the timestamp is not included in the message because syslog adds its own timestamp.
+
+Each log message consists of the following parts:
+
+* Timestamp in ISO8601 format
+* Level
+* Logger name contained in brackets (Optional)
+* File name and line number of the caller
+* Message
+* Structured data encoded in JSON (Optional)
+
+Below are some samples:
+
+`2017-12-17T18:54:16.241-0500	INFO	logp/core_test.go:13	unnamed global logger`
+
+`2017-12-17T18:54:16.242-0500	INFO	[example]	logp/core_test.go:16	some message`
+
+`2017-12-17T18:54:16.242-0500	INFO	[example]	logp/core_test.go:19	some message	{"x": 1}`
+
+
+## Configuration options for event_data logger [_configuration_options_for_event_data_logger]
+
+Some outputs will log raw events on errors like indexing errors in the Elasticsearch output, to prevent logging raw events (that may contain sensitive information) together with other log messages, a different log file, only for log entries containing raw events, is used. It will use the same level, selectors and all other configurations from the default logger, but it will have it’s own file configuration.
+
+Having a different log file for raw events also prevents event data from drowning out the regular log files.
+
+::::{important}
+No matter the default logger output configuration, raw events will **always** be logged to a file configured by `logging.event_data.files`.
+::::
+
+
+
+### `logging.event_data.files.path` [_logging_event_data_files_path]
+
+The directory that log files are written to. The default is the logs path. See the [Directory layout](/reference/filebeat/directory-layout.md) section for details.
+
+
+### `logging.event_data.files.name` [_logging_event_data_files_name]
+
+The name of the file that logs are written to. The default is *filebeat*-events-data.
+
+
+### `logging.event_data.files.rotateeverybytes` [_logging_event_data_files_rotateeverybytes]
+
+The maximum size of a log file. If the limit is reached, a new log file is generated. The default size limit is 5242880 (5 MB).
+
+
+### `logging.event_data.files.keepfiles` [_logging_event_data_files_keepfiles]
+
+The number of most recent rotated log files to keep on disk. Older files are deleted during log rotation. The default value is 2. The `keepfiles` options has to be in the range of 2 to 1024 files.
+
+
+### `logging.event_data.files.permissions` [_logging_event_data_files_permissions]
+
+The permissions mask to apply when rotating log files. The default value is 0600. The `permissions` option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with *0*.
+
+The most permissive mask allowed is 0640. If a higher permissions mask is specified via this setting, it will be subject to an umask of 0027.
+
+This option is not supported on Windows.
+
+Examples:
+
+* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
+* 0600: give read and write access to the file owner, and no access to all others.
+
+
+### `logging.event_data.files.interval` [_logging_event_data_files_interval]
+
+Enable log file rotation on time intervals in addition to size-based rotation. Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h are boundary-aligned with minutes, hours, days, weeks, months, and years as reported by the local system clock. All other intervals are calculated from the unix epoch. Defaults to disabled.
+
+
+### `logging.event_data.files.rotateonstartup` [_logging_event_data_files_rotateonstartup]
+
+If the log file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to false.
diff --git a/docs/reference/filebeat/configuration-monitor.md b/docs/reference/filebeat/configuration-monitor.md
new file mode 100644
index 000000000000..e811628350b8
--- /dev/null
+++ b/docs/reference/filebeat/configuration-monitor.md
@@ -0,0 +1,113 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-monitor.html
+---
+
+# Settings for internal collection [configuration-monitor]
+
+Use the following settings to configure internal collection when you are not using {{metricbeat}} to collect monitoring data.
+
+You specify these settings in the X-Pack monitoring section of the `filebeat.yml` config file:
+
+## `monitoring.enabled` [_monitoring_enabled]
+
+The `monitoring.enabled` config is a boolean setting to enable or disable {{monitoring}}. If set to `true`, monitoring is enabled.
+
+The default value is `false`.
+
+
+## `monitoring.elasticsearch` [_monitoring_elasticsearch]
+
+The {{es}} instances that you want to ship your Filebeat metrics to. This configuration option contains the following fields:
+
+
+## `monitoring.cluster_uuid` [_monitoring_cluster_uuid]
+
+The `monitoring.cluster_uuid` config identifies the {{es}} cluster under which the monitoring data will appear in the Stack Monitoring UI.
+
+### `api_key` [_api_key_3]
+
+The detail of the API key to be used to send monitoring information to {{es}}. See [*Grant access using API keys*](/reference/filebeat/beats-api-keys.md) for more information.
+
+
+### `bulk_max_size` [_bulk_max_size_5]
+
+The maximum number of metrics to bulk in a single {{es}} bulk API index request. The default is `50`. For more information, see [Elasticsearch](/reference/filebeat/elasticsearch-output.md).
+
+
+### `backoff.init` [_backoff_init_5]
+
+The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting `backoff.init` seconds, Filebeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_5]
+
+The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. The default is 60s.
+
+
+### `compression_level` [_compression_level_3]
+
+The gzip compression level. Setting this value to `0` disables compression. The compression level must be in the range of `1` (best speed) to `9` (best compression). The default value is `0`. Increasing the compression level reduces the network usage but increases the CPU usage.
+
+
+### `headers` [_headers_3]
+
+Custom HTTP headers to add to each request. For more information, see [Elasticsearch](/reference/filebeat/elasticsearch-output.md).
+
+
+### `hosts` [_hosts_5]
+
+The list of {{es}} nodes to connect to. Monitoring metrics are distributed to these nodes in round robin order. For more information, see [Elasticsearch](/reference/filebeat/elasticsearch-output.md).
+
+
+### `max_retries` [_max_retries_5]
+
+The number of times to retry sending the monitoring metrics after a failure. After the specified number of retries, the metrics are typically dropped. The default value is `3`. For more information, see [Elasticsearch](/reference/filebeat/elasticsearch-output.md).
+
+
+### `parameters` [_parameters_2]
+
+Dictionary of HTTP parameters to pass within the url with index operations.
+
+
+### `password` [_password_7]
+
+The password that Filebeat uses to authenticate with the {{es}} instances for shipping monitoring data.
+
+
+### `metrics.period` [_metrics_period]
+
+The time interval (in seconds) when metrics are sent to the {{es}} cluster. A new snapshot of Filebeat metrics is generated and scheduled for publishing each period. The default value is 10 * time.Second.
+
+
+### `state.period` [_state_period]
+
+The time interval (in seconds) when state information are sent to the {{es}} cluster. A new snapshot of Filebeat state is generated and scheduled for publishing each period. The default value is 60 * time.Second.
+
+
+### `protocol` [_protocol]
+
+The name of the protocol to use when connecting to the {{es}} cluster. The options are: `http` or `https`. The default is `http`. If you specify a URL for `hosts`, however, the value of protocol is overridden by the scheme you specify in the URL.
+
+
+### `proxy_url` [_proxy_url_5]
+
+The URL of the proxy to use when connecting to the {{es}} cluster. For more information, see [Elasticsearch](/reference/filebeat/elasticsearch-output.md).
+
+
+### `timeout` [_timeout_6]
+
+The HTTP request timeout in seconds for the {{es}} request. The default is `90`.
+
+
+### `ssl` [_ssl_9]
+
+Configuration options for Transport Layer Security (TLS) or Secure Sockets Layer (SSL) parameters like the certificate authority (CA) to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to {{es}}. For more information, see [SSL](/reference/filebeat/configuration-ssl.md).
+
+
+### `username` [_username_6]
+
+The user ID that Filebeat uses to authenticate with the {{es}} instances for shipping monitoring data.
+
+
+
diff --git a/docs/reference/filebeat/configuration-output-codec.md b/docs/reference/filebeat/configuration-output-codec.md
new file mode 100644
index 000000000000..cd7a2be3ddcf
--- /dev/null
+++ b/docs/reference/filebeat/configuration-output-codec.md
@@ -0,0 +1,32 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-output-codec.html
+---
+
+# Change the output codec [configuration-output-codec]
+
+For outputs that do not require a specific encoding, you can change the encoding by using the codec configuration. You can specify either the `json` or `format` codec. By default the `json` codec is used.
+
+**`json.pretty`**: If `pretty` is set to true, events will be nicely formatted. The default is false.
+
+**`json.escape_html`**: If `escape_html` is set to true, html symbols will be escaped in strings. The default is false.
+
+Example configuration that uses the `json` codec with pretty printing enabled to write events to the console:
+
+```yaml
+output.console:
+  codec.json:
+    pretty: true
+    escape_html: false
+```
+
+**`format.string`**: Configurable format string used to create a custom formatted message.
+
+Example configurable that uses the `format` codec to print the events timestamp and message field to console:
+
+```yaml
+output.console:
+  codec.format:
+    string: '%{[@timestamp]} %{[message]}'
+```
+
diff --git a/docs/reference/filebeat/configuration-path.md b/docs/reference/filebeat/configuration-path.md
new file mode 100644
index 000000000000..6a98c88ce5fc
--- /dev/null
+++ b/docs/reference/filebeat/configuration-path.md
@@ -0,0 +1,78 @@
+---
+navigation_title: "Project paths"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-path.html
+---
+
+# Configure project paths [configuration-path]
+
+
+The `path` section of the `filebeat.yml` config file contains configuration options that define where Filebeat looks for its files. For example, Filebeat looks for the Elasticsearch template file in the configuration path and writes log files in the logs path. Filebeat looks for its registry files in the data path.
+
+Please see the [Directory layout](/reference/filebeat/directory-layout.md) section for more details.
+
+Here is an example configuration:
+
+```yaml
+path.home: /usr/share/beat
+path.config: /etc/beat
+path.data: /var/lib/beat
+path.logs: /var/log/
+```
+
+Note that it is possible to override these options by using command line flags.
+
+
+## Configuration options [_configuration_options_24]
+
+You can specify the following options in the `path` section of the `filebeat.yml` config file:
+
+
+### `home` [_home]
+
+The home path for the Filebeat installation. This is the default base path for all other path settings and for miscellaneous files that come with the distribution (for example, the sample dashboards). If not set by a CLI flag or in the configuration file, the default for the home path is the location of the Filebeat binary.
+
+Example:
+
+```yaml
+path.home: /usr/share/beats
+```
+
+
+### `config` [_config]
+
+The configuration path for the Filebeat installation. This is the default base path for configuration files, including the main YAML configuration file and the Elasticsearch template file. If not set by a CLI flag or in the configuration file, the default for the configuration path is the home path.
+
+Example:
+
+```yaml
+path.config: /usr/share/beats/config
+```
+
+
+### `data` [_data]
+
+The data path for the Filebeat installation. This is the default base path for all the files in which Filebeat needs to store its data. If not set by a CLI flag or in the configuration file, the default for the data path is a `data` subdirectory inside the home path.
+
+Example:
+
+```yaml
+path.data: /var/lib/beats
+```
+
+::::{tip}
+When running multiple Filebeat instances on the same host, make sure they each have a distinct `path.data` value.
+::::
+
+
+
+### `logs` [_logs]
+
+The logs path for a Filebeat installation. This is the default location for Filebeat’s log files. If not set by a CLI flag or in the configuration file, the default for the logs path is a `logs` subdirectory inside the home path.
+
+Example:
+
+```yaml
+path.logs: /var/log/beats
+```
+
diff --git a/docs/reference/filebeat/configuration-ssl.md b/docs/reference/filebeat/configuration-ssl.md
new file mode 100644
index 000000000000..9b4285ec9390
--- /dev/null
+++ b/docs/reference/filebeat/configuration-ssl.md
@@ -0,0 +1,502 @@
+---
+navigation_title: "SSL"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html
+---
+
+# Configure SSL [configuration-ssl]
+
+
+You can specify SSL options when you configure:
+
+* [outputs](/reference/filebeat/configuring-output.md) that support SSL
+* the [Kibana endpoint](/reference/filebeat/setup-kibana-endpoint.md)
+
+Example output config with SSL enabled:
+
+```yaml
+output.elasticsearch.hosts: ["https://192.168.1.42:9200"]
+output.elasticsearch.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+output.elasticsearch.ssl.certificate: "/etc/client/cert.pem"
+output.elasticsearch.ssl.key: "/etc/client/cert.key"
+```
+
+Also see [*Secure communication with Logstash*](/reference/filebeat/configuring-ssl-logstash.md).
+
+Example Kibana endpoint config with SSL enabled:
+
+```yaml
+setup.kibana.host: "https://192.0.2.255:5601"
+setup.kibana.ssl.enabled: true
+setup.kibana.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+setup.kibana.ssl.certificate: "/etc/client/cert.pem"
+setup.kibana.ssl.key: "/etc/client/cert.key"
+```
+
+There are a number of SSL configuration options available to you:
+
+* [Common configuration options](#ssl-common-config)
+* [Client configuration options](#ssl-client-config)
+* [Server configuration options](#ssl-server-config)
+
+
+## Common configuration options [ssl-common-config]
+
+Common SSL configuration options can be used in both client and server configurations. You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `enabled` [enabled]
+
+To disable SSL configuration, set the value to `false`. The default value is `true`.
+
+::::{note}
+SSL settings are disabled if either `enabled` is set to `false` or the `ssl` section is missing.
+
+::::
+
+
+
+### `supported_protocols` [supported-protocols]
+
+List of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions not configured, the connection will be dropped during or after the handshake. The setting is a list of allowed protocol versions: `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.
+
+The default value is `[TLSv1.2, TLSv1.3]`.
+
+
+### `cipher_suites` [cipher-suites]
+
+The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s [default suites](https://golang.org/pkg/crypto/tls/) are used (recommended).
+
+Note that if TLS 1.3 is enabled (which is true by default), then the default TLS 1.3 cipher suites are always included, because Go’s standard library adds them to all connections. In order to exclude the default TLS 1.3 ciphers, TLS 1.3 must also be disabled, e.g. with the setting `ssl.supported_protocols = [TLSv1.2]`.
+
+The following cipher suites are available:
+
+| Cypher | Notes |
+| --- | --- |
+| ECDHE-ECDSA-AES-128-CBC-SHA |  |
+| ECDHE-ECDSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| ECDHE-ECDSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| ECDHE-ECDSA-AES-256-CBC-SHA |  |
+| ECDHE-ECDSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS 1.2 only. |
+| ECDHE-ECDSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+| ECDHE-RSA-3DES-CBC3-SHA |  |
+| ECDHE-RSA-AES-128-CBC-SHA |  |
+| ECDHE-RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| ECDHE-RSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| ECDHE-RSA-AES-256-CBC-SHA |  |
+| ECDHE-RSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| ECDHE-RSA-CHACHA20-POLY1205 | TLS 1.2 only. |
+| ECDHE-RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+| RSA-3DES-CBC3-SHA |  |
+| RSA-AES-128-CBC-SHA |  |
+| RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| RSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| RSA-AES-256-CBC-SHA |  |
+| RSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+
+Here is a list of acronyms used in defining the cipher suites:
+
+* 3DES: Cipher suites using triple DES
+* AES-128/256: Cipher suites using AES with 128/256-bit keys.
+* CBC: Cipher using Cipher Block Chaining as block cipher mode.
+* ECDHE: Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange.
+* ECDSA: Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication.
+* GCM: Galois/Counter mode is used for symmetric key cryptography.
+* RC4: Cipher suites using RC4.
+* RSA: Cipher suites using RSA.
+* SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384.
+
+
+### `curve_types` [curve-types]
+
+The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).
+
+The following elliptic curve types are available:
+
+* P-256
+* P-384
+* P-521
+* X25519
+
+
+### `ca_sha256` [ca-sha256]
+
+This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain.
+
+The pin is a base64 encoded string of the SHA-256 of the certificate.
+
+::::{note}
+This check is not a replacement for the normal SSL validation, but it adds additional validation. If this option is used with  `verification_mode` set to `none`, the check will always fail because it will not receive any verified chains.
+::::
+
+
+
+## Client configuration options [ssl-client-config]
+
+You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `certificate_authorities` [client-certificate-authorities]
+
+The list of root certificates for verifications is required. If `certificate_authorities` is empty or not set, the system keystore is used. If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well.
+
+By default you can specify a list of files that `filebeat` will read, but you can also embed a certificate directly in the `YAML` configuration:
+
+```yaml
+certificate_authorities:
+  - |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `certificate: "/etc/client/cert.pem"` [client-certificate]
+
+The path to the certificate for SSL client authentication is only required if `client_authentication` is specified. If the certificate is not specified, client authentication is not available. The connection might fail if the server requests client authentication. If the SSL server does not require client authentication, the certificate will be loaded, but not requested or used by the server.
+
+When this option is configured, the [`key`](#client-key) option is also required. The certificate option support embedding of the certificate:
+
+```yaml
+certificate: |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `key: "/etc/client/cert.key"` [client-key]
+
+The client certificate key used for client authentication and is only required if `client_authentication` is configured. The key option support embedding of the private key:
+
+```yaml
+key: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
+    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
+    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
+    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
+    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
+    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
+    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
+    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
+    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
+    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
+    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
+    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
+    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
+    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
+    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
+    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
+    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
+    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
+    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
+    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
+    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
+    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
+    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
+    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
+    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
+    nygO9KTJuUiBrLr0AHEnqko=
+    -----END PRIVATE KEY-----
+```
+
+
+### `key_passphrase` [client-key-passphrase]
+
+The passphrase used to decrypt an encrypted key stored in the configured `key` file.
+
+
+### `verification_mode` [client-verification-mode]
+
+Controls the verification of server certificates. Valid values are:
+
+`full`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
+
+`strict`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.
+
+`certificate`
+:   Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
+
+`none`
+:   Performs *no verification* of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.
+
+    The default value is `full`.
+
+
+
+### `ca_trusted_fingerprint` [ca_trusted_fingerprint]
+
+A HEX encoded SHA-256 of a CA certificate. If this certificate is present in the chain during the handshake, it will be added to the `certificate_authorities` list and the handshake will continue normaly.
+
+To get the fingerprint from a CA certificate on a Unix-like system, you can use the following command, where `ca.crt` is the certificate.
+
+```
+openssl x509 -fingerprint -sha256 -noout -in ./ca.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'
+```
+
+
+## Server configuration options [ssl-server-config]
+
+You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `certificate_authorities` [server-certificate-authorities]
+
+The list of root certificates for client verifications is only required if `client_authentication` is configured. If `certificate_authorities` is empty or not set, and `client_authentication` is configured, the system keystore is used.
+
+If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well. By default you can specify a list of files that `filebeat` will read, but you can also embed a certificate directly in the `YAML` configuration:
+
+```yaml
+certificate_authorities:
+  - |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `certificate: "/etc/server/cert.pem"` [server-certificate]
+
+The end-entity (leaf) certificate that the server uses to identify itself. If the certificate is signed by a certificate authority (CA), then it should include intermediate CA certificates, sorted from leaf to root. For servers, a `certificate` and [`key`](#server-key) must be specified.
+
+The certificate option supports embedding of the PEM certificate content. This example contains the leaf certificate followed by issuer’s certificate.
+
+```yaml
+certificate: |
+  -----BEGIN CERTIFICATE-----
+  MIIF2jCCA8KgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEW
+  MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8g
+  UmVhbDEOMAwGA1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwHhcNMjMxMDMw
+  MTkyMzU4WhcNMjMxMDMxMTkyMzU4WjB2MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMN
+  U2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8gUmVhbDEOMAwG
+  A1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMxDzANBgNVBAMTBnNlcnZlcjCC
+  AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALW37cart7l0KE3LCStFbiGm
+  Rr/QSkuPv+Y+SXFT4zXrMFP3mOfUCVsR4lugv+jmql9qjbwR9jKsgKXA1kSvNXSZ
+  lLYWRcNnQ+QzwKxJf/jy246nSfqb2FKvVMs580lDwKHHxn/FSpHV93O4Goy5cLfF
+  ACE7BSdJdxl5DVAMmmkzd6gBGgN8dQIbcyJYuIZYQt44PqSYh/BomTyOXKrmvX4y
+  t7/pF+ldJjWZq/6SfCq6WE0jSrpI1P/42Qd9h5Tsnl6qsUGA2Tz5ZqKz2cyxaIlK
+  wL9tYDionfFIl+jZcxkGPF2a14O1TycCI0B/z+0VL+HR/8fKAB0NdP+QRLaPWOrn
+  DvraAO+bVKC6VrQyUYNUOwtd2gMUqm6Hzrf4s3wjP754eSJkvnSoSAB6l7ZmJKe5
+  Pz5oDDOVPwKHv/MrhsCSMNFeXSEO+rq9TtYEAFQI5rFGHlURga8kA1T1pirHyEtS
+  2o8GUSPSHVulaPdFnHg4xfTexfRYLCqya75ISJuY2/+2GblCie/re1GFitZCZ46/
+  xiQQDOjgL96soDVZ+cTtMpXanslgDapTts9LPIJTd9FUJCY1omISGiSjABRuTlCV
+  8054ja4BKVahSd5BqqtVkWyV64SCut6kce2ndwBkyFvlZ6cteLCW7KtzYvba4XBb
+  YIAs+H+9e/bZUVhws5mFAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgeAMB0GA1Ud
+  JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAOBgNVHQ4EBwQFAQIDBAUwPwYDVR0R
+  BDgwNoIJbG9jYWxob3N0ghFiZWF0cy5leGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAA
+  AAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAgEAldSZOUi+OUR46ERQuINl1oED
+  mjNsQ9FNP/RDu8mPJaNb5v2sAbcpuZb9YdnScT+d+n0+LMd5uz2g67Qr73QCpXwL
+  9YJIs56i7qMTKXlVvRQrvF9P/zP3sm5Zfd2I/x+8oXgEeYsxAWipJ8RsbnN1dtu8
+  C4l+P0E58jjrjom11W90RiHYaT0SI2PPBTTRhYLz0HayThPZDMdFnIQqVxUYbQD5
+  ybWu77hnsvC/g2C8/N2LAdQGJJ67owMa5T3YRneiaSvvOf3I45oeLE+olGAPdrSq
+  5Sp0G7fcAKMRPxcwYeD7V5lfYMtb+RzECpYAHT8zHKLZl6/34q2k8P8EWEpAsD80
+  +zSbCkdvNiU5lU90rV8E2baTKCg871k4O8sT48eUyDps6ZUCfT1dgefXeyOTV5bY
+  864Zo6bWJhAJ7Qa2d4HJkqPzSbqsosHVobojgkOcMqkStLHd8sgtCoFmJMflbp7E
+  ghawl/RVFEkL9+TWy9fR8sJWRx13P8CUP6AL9kVmcU2c3gMNpvQfIii9QOnQrRsi
+  yZj9FKl+ZM49I6RQ6dY5JVgWtpVm/+GBVuy1Aj91JEjw7r1jAeir5K9LAXG8kEN9
+  irndx1SK2MMTY79lGHFGQRv3vnQGI0Wzjtn31YJ7qIFNJ1WWbAZLR9FBtzmMeXM6
+  puoJ9UYvfIcHUGPdZGU=
+  -----END CERTIFICATE-----
+  -----BEGIN CERTIFICATE-----
+  MIIFpjCCA46gAwIBAgIBATANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEW
+  MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8g
+  UmVhbDEOMAwGA1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwHhcNMjMxMDMw
+  MTkyMzU2WhcNMjMxMDMxMTkyMzU2WjBlMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMN
+  U2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8gUmVhbDEOMAwG
+  A1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwggIiMA0GCSqGSIb3DQEBAQUA
+  A4ICDwAwggIKAoICAQDQP3hJt4jTIo+tBXB/R4RuBTvv6OOago9joxlNDm0abseJ
+  ehE0V8FDi0SSpa7ZiqwCGq/deu5OIWVNpFCLHeH5YBriNmB7oPkNRCleu50JsUrG
+  RjSTtBIJcu/CVpD7Q5XMbhbhYcPArrxrSreo3ox8a+2X7b8nA1xPgIcWqSCgs9iV
+  lwKHaQWNTUXYwwZG7b9WG4EJaki6t1+1QbDDJU0oWrZNg23wQEBvEVRDQs7kadvm
+  9YtZLPULlSyV4Rk3yNW8dPXHjcz2wp3PBPIWIQe9mzYU608307TkUMVN2EEOImxl
+  Wm1RtXYvvVb1LiY0C2lYbN3jLZQzffK5RsS87ocqTQM+HvDBv/PupHDvW08wietu
+  RtRbdx/2cN0GLmOHnkWKx+GlYDZfAtIj958fTKl2hHyNqJ1pE7vksSYBwBxMFQem
+  eSGzw5pO53kmPcZO203YQ2qoJd7z1aLf7eAOqDn5zwlYNc00bZ6DwTZsyptGv9sZ
+  zcZuovppPgCN4f1I9ja/NPKep+sVKfQqR5HuOFOPFcr6oOioESJSgIvXXF9RhCVh
+  UMeZKWWSCNm1ea4h6q8OJdQfM7XXkXm+dEyF0TogC00CidZWuYMZcgXND5p/1Di5
+  PkCKPUMllCoK0oaTfFioNW7qtNbDGQrW+spwDa4kjJNKYtDD0jjPgFMgSzQ2MwID
+  AQABo2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG
+  AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFImOXc9Tv+mgn9jOsPig
+  9vlAUTa+MA0GCSqGSIb3DQEBCwUAA4ICAQBZ9tqU88Nmgf+vDgkKMKLmLMaRCRlV
+  HcYrm7WoWLX+q6VSbmvf5eD5OrzzbAnnp16iXap8ivsAEFTo8XWh/bjl7G/2jetR
+  xZD2WHtzmAg3s4SVsEHIyFUF1ERwnjO2ndHjoIsx8ktUk1aNrmgPI6s07fkULDm+
+  2aXyBSZ9/oimZM/s3IqYJecxwE+yyS+FiS6mSDCCVIyQXdtVAbFHegyiBYv8EbwF
+  Xz70QiqQtxotGlfts/3uN1s+xnEoWz5E6S5DQn4xQh0xiKSXPizMXou9xKzypeSW
+  qtNdwtg62jKWDaVriBfrvoCnyjjCIjmcTcvA2VLmeZShyTuIucd0lkg2NKIGeM7I
+  o33hmdiKaop1fVtj8zqXvCRa3ecmlvcxPKX0otVFORFNOfaPjH/CjW0CnP0LByGK
+  YW19w0ncJZa9cc1SlNL28lnBhW+i1+ViR02wtjabH9XO+mtxuaEPDZ1hLhhjktqI
+  Y2oFUso4C5xiTU/hrH8+cFv0dn/+zyQoLfJEQbUX9biFeytt7T4Yynwhdy7jryqH
+  fdy/QM26YnsE8D7l4mv99z+zII0IRGnQOuLTuNAIyGJUf69hCDubZFDeHV/IB9hU
+  6GA6lBpsJlTDgfJLbtKuAHxdn1DO+uGg0GxgwggH6Vh9x9yQK2E6BaepJisL/zNB
+  RQQmEyTn1hn/eA==
+  -----END CERTIFICATE-----
+```
+
+
+### `key: "/etc/server/cert.key"` [server-key]
+
+The server certificate key used for authentication is required. The key option supports embedding of the private key:
+
+```yaml
+key: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
+    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
+    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
+    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
+    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
+    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
+    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
+    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
+    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
+    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
+    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
+    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
+    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
+    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
+    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
+    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
+    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
+    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
+    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
+    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
+    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
+    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
+    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
+    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
+    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
+    nygO9KTJuUiBrLr0AHEnqko=
+    -----END PRIVATE KEY-----
+```
+
+
+### `key_passphrase` [server-key-passphrase]
+
+The passphrase is used to decrypt an encrypted key stored in the configured `key` file.
+
+
+### `verification_mode` [server-verification-mode]
+
+Controls the verification of client certificates. Valid values are:
+
+`full`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
+
+`strict`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.
+
+`certificate`
+:   Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
+
+`none`
+:   Performs *no verification* of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.
+
+    The default value is `full`.
+
+
+
+### `renegotiation` [server-renegotiation]
+
+This configures what types of TLS renegotiation are supported. The valid options are:
+
+`never`
+:   Disables renegotiation.
+
+`once`
+:   Allows a remote server to request renegotiation once per connection.
+
+`freely`
+:   Allows a remote server to request renegotiation repeatedly.
+
+    The default value is `never`.
+
+
+
+### `restart_on_cert_change.enabled` [exit_on_cert_change_enabled]
+
+If set to `true` Filebeat will restart if any file listed by `key`, `certificate`, or `certificate_authorities` is modified.
+
+::::{note}
+This feature is NOT supported on Windows. The default value is `false`.
+::::
+
+
+::::{note}
+This feature requres the `execve` system call to be enabled. If you have a custom seccomp policy in place, make sure to allow for `execve`.
+::::
+
+
+
+### `restart_on_cert_change.period` [restart_on_cert_change_period]
+
+Specifies how often the files are checked for changes. Do not set the period to less than 1s because the modification time of files is often stored in seconds. Setting the period to less than 1s will result in validation error and Filebeat will not start. The default value is 1m.
+
+
+### `client_authentication` [server-client-renegotiation]
+
+The type of client authentication mode. When `certificate_authorities` is set, it defaults to `required`. Otherwise, it defaults to `none`.
+
+The valid options are:
+
+`none`
+:   Disables client authentication.
+
+`optional`
+:   When a client certificate is supplied, the server will verify it.
+
+`required`
+:   Will require clients to provide a valid certificate.
+
diff --git a/docs/reference/filebeat/configuration-template.md b/docs/reference/filebeat/configuration-template.md
new file mode 100644
index 000000000000..f16c1e95363d
--- /dev/null
+++ b/docs/reference/filebeat/configuration-template.md
@@ -0,0 +1,112 @@
+---
+navigation_title: "Elasticsearch index template"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuration-template.html
+---
+
+# Configure Elasticsearch index template loading [configuration-template]
+
+
+The `setup.template` section of the `filebeat.yml` config file specifies the [index template](docs-content://manage-data/data-store/templates.md) to use for setting mappings in Elasticsearch. If template loading is enabled (the default), Filebeat loads the index template automatically after successfully connecting to Elasticsearch.
+
+::::{note}
+A connection to Elasticsearch is required to load the index template. If the configured output is not Elasticsearch (or {{ess}}), you must [load the template manually](/reference/filebeat/filebeat-template.md#load-template-manually).
+::::
+
+
+You can adjust the following settings to load your own template or overwrite an existing one.
+
+**`setup.template.enabled`**
+:   Set to false to disable template loading. If this is set to false, you must [load the template manually](/reference/filebeat/filebeat-template.md#load-template-manually).
+
+**`setup.template.name`**
+:   The name of the template. The default is `filebeat`. The Filebeat version is always appended to the given name, so the final name is `filebeat-%{[agent.version]}`.
+
+**`setup.template.pattern`**
+:   The template pattern to apply to the default index settings. The default pattern is `filebeat`. The Filebeat version is always included in the pattern, so the final pattern is `filebeat-%{[agent.version]}`.
+
+    Example:
+
+    ```yaml
+    setup.template.name: "filebeat"
+    setup.template.pattern: "filebeat"
+    ```
+
+
+**`setup.template.fields`**
+:   The path to the YAML file describing the fields. The default is `fields.yml`. If a relative path is set, it is considered relative to the config path. See the [Directory layout](/reference/filebeat/directory-layout.md) section for details.
+
+**`setup.template.overwrite`**
+:   A boolean that specifies whether to overwrite the existing template. The default is false. Do not enable this option if you start more than one instance of Filebeat at the same time. It can overload {{es}} by sending too many template update requests.
+
+**`setup.template.settings`**
+:   A dictionary of settings to place into the `settings.index` dictionary of the Elasticsearch template. For more details about the available Elasticsearch mapping options, please see the Elasticsearch [mapping reference](docs-content://manage-data/data-store/mapping.md).
+
+    Example:
+
+    ```yaml
+    setup.template.name: "filebeat"
+    setup.template.fields: "fields.yml"
+    setup.template.overwrite: false
+    setup.template.settings:
+      index.number_of_shards: 1
+      index.number_of_replicas: 1
+    ```
+
+
+**`setup.template.settings._source`**
+:   A dictionary of settings for the `_source` field. For the available settings, please see the Elasticsearch [reference](elasticsearch://reference/elasticsearch/mapping-reference/mapping-source-field.md).
+
+    Example:
+
+    ```yaml
+    setup.template.name: "filebeat"
+    setup.template.fields: "fields.yml"
+    setup.template.overwrite: false
+    setup.template.settings:
+      _source.enabled: false
+    ```
+
+
+**`setup.template.append_fields`**
+:   A list of fields to be added to the template and {{kib}} index pattern. This setting adds new fields. It does not overwrite or change existing fields.
+
+    This setting is useful when your data contains fields that Filebeat doesn’t know about in advance.
+
+    If `append_fields` is specified along with `overwrite: true`, Filebeat overwrites the existing template and applies the new template when creating new indices. Existing indices are not affected. If you’re running multiple instances of Filebeat with different `append_fields` settings, the last one writing the template takes precedence.
+
+    Any changes to this setting also affect the {{kib}} index pattern.
+
+    Example config:
+
+    ```yaml
+    setup.template.overwrite: true
+    setup.template.append_fields:
+    - name: test.name
+      type: keyword
+    - name: test.hostname
+      type: long
+    ```
+
+
+**`setup.template.json.enabled`**
+:   Set to `true` to load a JSON-based template file. Specify the path to your {{es}} index template file and set the name of the template.
+
+    ```yaml
+    setup.template.json.enabled: true
+    setup.template.json.path: "template.json"
+    setup.template.json.name: "template-name"
+    setup.template.json.data_stream: false
+    ```
+
+
+::::{note}
+If the JSON template is used, the `fields.yml` is skipped for the template generation.
+::::
+
+
+::::{note}
+If the JSON template is a data stream, set `setup.template.json.data_stream`.
+::::
+
+
diff --git a/docs/reference/filebeat/configure-cloud-id.md b/docs/reference/filebeat/configure-cloud-id.md
new file mode 100644
index 000000000000..059f0cac75d7
--- /dev/null
+++ b/docs/reference/filebeat/configure-cloud-id.md
@@ -0,0 +1,34 @@
+---
+navigation_title: "{{ess}}"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configure-cloud-id.html
+---
+
+# Configure the output for {{ess}} on {{ecloud}} [configure-cloud-id]
+
+
+Filebeat comes with two settings that simplify the output configuration when used together with [{{ess}}](https://www.elastic.co/cloud/elasticsearch-service?page=docs&placement=docs-body). When defined, these setting overwrite settings from other parts in the configuration.
+
+Example:
+
+```yaml
+cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
+cloud.auth: "elastic:{pwd}"
+```
+
+These settings can be also specified at the command line, like this:
+
+```sh
+filebeat -e -E cloud.id="<cloud-id>" -E cloud.auth="<cloud.auth>"
+```
+
+## `cloud.id` [_cloud_id]
+
+The Cloud ID, which can be found in the {{ess}} web console, is used by Filebeat to resolve the {{es}} and {{kib}} URLs. This setting overwrites the `output.elasticsearch.hosts` and `setup.kibana.host` settings. For more on locating and configuring the Cloud ID, see [Configure Beats and Logstash with Cloud ID](docs-content://deploy-manage/deploy/cloud-enterprise/find-cloud-id.md).
+
+
+## `cloud.auth` [_cloud_auth]
+
+When specified, the `cloud.auth` overwrites the `output.elasticsearch.username` and `output.elasticsearch.password` settings. Because the Kibana settings inherit the username and password from the {{es}} output, this can also be used to set the `setup.kibana.username` and `setup.kibana.password` options.
+
+
diff --git a/docs/reference/filebeat/configuring-howto-filebeat.md b/docs/reference/filebeat/configuring-howto-filebeat.md
new file mode 100644
index 000000000000..be6a3e99194f
--- /dev/null
+++ b/docs/reference/filebeat/configuring-howto-filebeat.md
@@ -0,0 +1,46 @@
+---
+navigation_title: "Configure"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuring-howto-filebeat.html
+---
+
+# Configure Filebeat [configuring-howto-filebeat]
+
+
+::::{tip}
+To get started quickly, read [Quick start: installation and configuration](/reference/filebeat/filebeat-installation-configuration.md).
+::::
+
+
+To configure Filebeat, edit the configuration file. The default configuration file is called  `filebeat.yml`. The location of the file varies by platform. To locate the file, see [Directory layout](/reference/filebeat/directory-layout.md).
+
+There’s also a full example configuration file called `filebeat.reference.yml` that shows all non-deprecated options.
+
+::::{tip}
+See the [Config File Format](/reference/libbeat/config-file-format.md) for more about the structure of the config file.
+::::
+
+
+The following topics describe how to configure Filebeat:
+
+* [Inputs](/reference/filebeat/configuration-filebeat-options.md)
+* [Modules](/reference/filebeat/configuration-filebeat-modules.md)
+* [General settings](/reference/filebeat/configuration-general-options.md)
+* [Project paths](/reference/filebeat/configuration-path.md)
+* [Config file loading](/reference/filebeat/filebeat-configuration-reloading.md)
+* [Output](/reference/filebeat/configuring-output.md)
+* [SSL](/reference/filebeat/configuration-ssl.md)
+* [Index lifecycle management (ILM)](/reference/filebeat/ilm.md)
+* [Elasticsearch index template](/reference/filebeat/configuration-template.md)
+* [{{kib}} endpoint](/reference/filebeat/setup-kibana-endpoint.md)
+* [Kibana dashboards](/reference/filebeat/configuration-dashboards.md)
+* [Processors](/reference/filebeat/filtering-enhancing-data.md)
+* [*Autodiscover*](/reference/filebeat/configuration-autodiscover.md)
+* [Internal queue](/reference/filebeat/configuring-internal-queue.md)
+* [Logging](/reference/filebeat/configuration-logging.md)
+* [HTTP endpoint](/reference/filebeat/http-endpoint.md)
+* [Regular expression support](/reference/filebeat/regexp-support.md)
+* [Instrumentation](/reference/filebeat/configuration-instrumentation.md)
+* [Feature flags](/reference/filebeat/configuration-feature-flags.md)
+* [*filebeat.reference.yml*](/reference/filebeat/filebeat-reference-yml.md)
+
diff --git a/docs/reference/filebeat/configuring-ingest-node.md b/docs/reference/filebeat/configuring-ingest-node.md
new file mode 100644
index 000000000000..bba49947e74d
--- /dev/null
+++ b/docs/reference/filebeat/configuring-ingest-node.md
@@ -0,0 +1,50 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ingest-node.html
+---
+
+# Parse data using an ingest pipeline [configuring-ingest-node]
+
+When you use {{es}} for output, you can configure Filebeat to use an [ingest pipeline](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md) to pre-process documents before the actual indexing takes place in {{es}}. An ingest pipeline is a convenient processing option when you want to do some extra processing on your data, but you do not require the full power of {{ls}}. For example, you can create an ingest pipeline in {{es}} that consists of one processor that removes a field in a document followed by another processor that renames a field.
+
+After defining the pipeline in {{es}}, you simply configure Filebeat to use the pipeline. To configure Filebeat, you specify the pipeline ID in the `parameters` option under `elasticsearch` in the `filebeat.yml` file:
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200"]
+  pipeline: my_pipeline_id
+```
+
+For example, let’s say that you’ve defined the following pipeline in a file named `pipeline.json`:
+
+```json
+{
+    "description": "Test pipeline",
+    "processors": [
+        {
+            "lowercase": {
+                "field": "agent.name"
+            }
+        }
+    ]
+}
+```
+
+To add the pipeline in {{es}}, you would run:
+
+```shell
+curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_ingest/pipeline/test-pipeline' -d@pipeline.json
+```
+
+Then in the `filebeat.yml` file, you would specify:
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200"]
+  pipeline: "test-pipeline"
+```
+
+When you run Filebeat, the value of `agent.name` is converted to lowercase before indexing.
+
+For more information about defining a pre-processing pipeline, see the [ingest pipeline](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md) documentation.
+
diff --git a/docs/reference/filebeat/configuring-internal-queue.md b/docs/reference/filebeat/configuring-internal-queue.md
new file mode 100644
index 000000000000..55dce103bf2d
--- /dev/null
+++ b/docs/reference/filebeat/configuring-internal-queue.md
@@ -0,0 +1,144 @@
+---
+navigation_title: "Internal queue"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuring-internal-queue.html
+---
+
+# Configure the internal queue [configuring-internal-queue]
+
+
+Filebeat uses an internal queue to store events before publishing them. The queue is responsible for buffering and combining events into batches that can be consumed by the outputs. The outputs will use bulk operations to send a batch of events in one transaction.
+
+You can configure the type and behavior of the internal queue by setting options in the `queue` section of the `filebeat.yml` config file or by setting options in the `queue` section of the output. Only one queue type can be configured.
+
+This sample configuration sets the memory queue to buffer up to 4096 events:
+
+```yaml
+queue.mem:
+  events: 4096
+```
+
+
+## Configure the memory queue [configuration-internal-queue-memory]
+
+The memory queue keeps all events in memory.
+
+The memory queue waits for the output to acknowledge or drop events. If the queue is full, no new events can be inserted into the memory queue. Only after the signal from the output will the queue free up space for more events to be accepted.
+
+The memory queue is controlled by the parameters `flush.min_events` and `flush.timeout`. `flush.min_events` gives a limit on the number of events that can be included in a single batch, and `flush.timeout` specifies how long the queue should wait to completely fill an event request. If the output supports a `bulk_max_size` parameter, the maximum batch size will be the smaller of `bulk_max_size` and `flush.min_events`.
+
+`flush.min_events` is a legacy parameter, and new configurations should prefer to control batch size with `bulk_max_size`. As of 8.13, there is never a performance advantage to limiting batch size with `flush.min_events` instead of `bulk_max_size`.
+
+In synchronous mode, an event request is always filled as soon as events are available, even if there are not enough events to fill the requested batch. This is useful when latency must be minimized. To use synchronous mode, set `flush.timeout` to 0.
+
+For backwards compatibility, synchronous mode can also be activated by setting `flush.min_events` to 0 or 1. In this case, batch size will be capped at 1/2 the queue capacity.
+
+In asynchronous mode, an event request will wait up to the specified timeout to try and fill the requested batch completely. If the timeout expires, the queue returns a partial batch with all available events. To use asynchronous mode, set `flush.timeout` to a positive duration, e.g. `5s`.
+
+This sample configuration forwards events to the output when there are enough events to fill the output’s request (usually controlled by `bulk_max_size`, and limited to at most 512 events by `flush.min_events`), or when events have been waiting for 5s without filling the requested size:
+
+```yaml
+queue.mem:
+  events: 4096
+  flush.min_events: 512
+  flush.timeout: 5s
+```
+
+
+## Configuration options [_configuration_options_37]
+
+You can specify the following options in the `queue.mem` section of the `filebeat.yml` config file:
+
+
+#### `events` [queue-mem-events-option]
+
+Number of events the queue can store.
+
+The default value is 3200 events.
+
+
+#### `flush.min_events` [queue-mem-flush-min-events-option]
+
+If greater than 1, specifies the maximum number of events per batch. In this case the output must wait for the queue to accumulate the requested number of events or for `flush.timeout` to expire before publishing.
+
+If 0 or 1, sets the maximum number of events per batch to half the queue size, and sets the queue to synchronous mode (equivalent to `flush.timeout` of 0).
+
+The default value is 1600.
+
+
+#### `flush.timeout` [queue-mem-flush-timeout-option]
+
+Maximum wait time for event requests from the output to be fulfilled. If set to 0s, events are returned immediately.
+
+The default value is 10s.
+
+
+## Configure the disk queue [configuration-internal-queue-disk]
+
+The disk queue stores pending events on the disk rather than main memory. This allows Beats to queue a larger number of events than is possible with the memory queue, and to save events when a Beat or device is restarted. This increased reliability comes with a performance tradeoff, as every incoming event must be written and read from the device’s disk. However, for setups where the disk is not the main bottleneck, the disk queue gives a simple and relatively low-overhead way to add a layer of robustness to incoming event data.
+
+To enable the disk queue with default settings, specify a maximum size:
+
+```yaml
+queue.disk:
+  max_size: 10GB
+```
+
+The queue will use up to the specified maximum size on disk. It will only use as much space as required. For example, if the queue is only storing 1GB of events, then it will only occupy 1GB on disk no matter how high the maximum is. Queue data is deleted from disk after it has been successfully sent to the output.
+
+
+### Configuration options [configuration-internal-queue-disk-reference]
+
+You can specify the following options in the `queue.disk` section of the `filebeat.yml` config file:
+
+
+#### `path` [_path]
+
+The path to the directory where the disk queue should store its data files. The directory is created on startup if it doesn’t exist.
+
+The default value is `"${path.data}/diskqueue"`.
+
+
+#### `max_size` (required) [_max_size_required]
+
+The maximum size the queue should use on disk. Events that exceed this maximum will either pause their input or be discarded, depending on the input’s configuration.
+
+A value of `0` means that no maximum size is enforced, and the queue can grow up to the amount of free space on the disk. This value should be used with caution, as completely filling a system’s main disk can make it inoperable. It is best to use this setting only with a dedicated data or backup partition that will not interfere with Filebeat or the rest of the host system.
+
+The default value is `10GB`.
+
+
+#### `segment_size` [_segment_size]
+
+Data added to the queue is stored in segment files. Each segment contains some number of events waiting to be sent to the outputs, and is deleted when all its events are sent. By default, segment size is limited to 1/10 of the maximum queue size. Using a smaller size means that the queue will use more data files, but they will be deleted more quickly after use. Using a larger size means some data will take longer to delete, but the queue will use fewer auxiliary files. It is usually fine to leave this value unchanged.
+
+The default value is `max_size / 10`.
+
+
+#### `read_ahead` [_read_ahead]
+
+The number of events that should be read from disk into memory while waiting for an output to request them. If you find outputs are slowing down because they can’t read as many events at a time, adjusting this setting upward may help, at the cost of higher memory usage.
+
+The default value is `512`.
+
+
+#### `write_ahead` [_write_ahead]
+
+The number of events the queue should accept and store in memory while waiting for them to be written to disk. If you find the queue’s memory use is too high because events are waiting too long to be written to disk, adjusting this setting downward may help, at the cost of reduced event throughput. On the other hand, if inputs are waiting or discarding events because they are being produced faster than the disk can handle, adjusting this setting upward may help, at the cost of higher memory usage.
+
+The default value is `2048`.
+
+
+#### `retry_interval` [_retry_interval]
+
+Some disk errors may block operation of the queue, for example a permission error writing to the data directory, or a disk full error while writing an event. In this case, the queue reports the error and retries after pausing for the time specified in `retry_interval`.
+
+The default value is `1s` (one second).
+
+
+#### `max_retry_interval` [_max_retry_interval]
+
+When there are multiple consecutive errors writing to the disk, the queue increases the retry interval by factors of 2 up to a maximum of `max_retry_interval`. Increase this value if you are concerned about logging too many errors or overloading the host system if the target disk becomes unavailable for an extended time.
+
+The default value is `30s` (thirty seconds).
+
diff --git a/docs/reference/filebeat/configuring-output.md b/docs/reference/filebeat/configuring-output.md
new file mode 100644
index 000000000000..a089d5b2f462
--- /dev/null
+++ b/docs/reference/filebeat/configuring-output.md
@@ -0,0 +1,31 @@
+---
+navigation_title: "Output"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuring-output.html
+---
+
+# Configure the output [configuring-output]
+
+
+You configure Filebeat to write to a specific output by setting options in the Outputs section of the `filebeat.yml` config file. Only a single output may be defined.
+
+The following topics describe how to configure each supported output. If you’ve secured the {{stack}}, also read [Secure](/reference/filebeat/securing-filebeat.md) for more about security-related configuration options.
+
+* [{{ess}}](/reference/filebeat/configure-cloud-id.md)
+* [Elasticsearch](/reference/filebeat/elasticsearch-output.md)
+* [Logstash](/reference/filebeat/logstash-output.md)
+* [Kafka](/reference/filebeat/kafka-output.md)
+* [Redis](/reference/filebeat/redis-output.md)
+* [File](/reference/filebeat/file-output.md)
+* [Console](/reference/filebeat/console-output.md)
+* [Discard](/reference/filebeat/discard-output.md)
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/filebeat/configuring-ssl-logstash.md b/docs/reference/filebeat/configuring-ssl-logstash.md
new file mode 100644
index 000000000000..12345e1cfa48
--- /dev/null
+++ b/docs/reference/filebeat/configuring-ssl-logstash.md
@@ -0,0 +1,118 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ssl-logstash.html
+---
+
+# Secure communication with Logstash [configuring-ssl-logstash]
+
+You can use SSL mutual authentication to secure connections between Filebeat and Logstash. This ensures that Filebeat sends encrypted data to trusted Logstash servers only, and that the Logstash server receives data from trusted Filebeat clients only.
+
+To use SSL mutual authentication:
+
+1. Create a certificate authority (CA) and use it to sign the certificates that you plan to use for Filebeat and Logstash. Creating a correct SSL/TLS infrastructure is outside the scope of this document. There are many online resources available that describe how to create certificates.
+
+    ::::{tip}
+    If you are using {{security-features}}, you can use the [elasticsearch-certutil tool](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md) to generate certificates.
+    ::::
+
+2. Configure Filebeat to use SSL. In the `filebeat.yml` config file, specify the following settings under `ssl`:
+
+    * `certificate_authorities`: Configures Filebeat to trust any certificates signed by the specified CA. If `certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used.
+    * `certificate` and `key`: Specifies the certificate and key that Filebeat uses to authenticate with Logstash.
+
+        For example:
+
+        ```yaml
+        output.logstash:
+          hosts: ["logs.mycompany.com:5044"]
+          ssl.certificate_authorities: ["/etc/ca.crt"]
+          ssl.certificate: "/etc/client.crt"
+          ssl.key: "/etc/client.key"
+        ```
+
+        For more information about these configuration options, see [SSL](/reference/filebeat/configuration-ssl.md).
+
+3. Configure Logstash to use SSL. In the Logstash config file, specify the following settings for the [Beats input plugin for Logstash](logstash://reference/plugins-inputs-beats.md):
+
+    * `ssl`: When set to true, enables Logstash to use SSL/TLS.
+    * `ssl_certificate_authorities`: Configures Logstash to trust any certificates signed by the specified CA.
+    * `ssl_certificate` and `ssl_key`: Specify the certificate and key that Logstash uses to authenticate with the client.
+    * `ssl_verify_mode`: Specifies whether the Logstash server verifies the client certificate against the CA. You need to specify either `peer` or `force_peer` to make the server ask for the certificate and validate it. If you specify `force_peer`, and Filebeat doesn’t provide a certificate, the Logstash connection will be closed. If you choose not to use [certutil](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md), the certificates that you obtain must allow for both `clientAuth` and `serverAuth` if the extended key usage extension is present.
+
+        For example:
+
+        ```json
+        input {
+          beats {
+            port => 5044
+            ssl => true
+            ssl_certificate_authorities => ["/etc/ca.crt"]
+            ssl_certificate => "/etc/server.crt"
+            ssl_key => "/etc/server.key"
+            ssl_verify_mode => "force_peer"
+          }
+        }
+        ```
+
+        For more information about these options, see the [documentation for the Beats input plugin](logstash://reference/plugins-inputs-beats.md).
+
+
+
+## Validate the Logstash server’s certificate [testing-ssl-logstash]
+
+Before running Filebeat, you should validate the Logstash server’s certificate. You can use `curl` to validate the certificate even though the protocol used to communicate with Logstash is not based on HTTP. For example:
+
+```shell
+curl -v --cacert ca.crt https://logs.mycompany.com:5044
+```
+
+If the test is successful, you’ll receive an empty response error:
+
+```shell
+* Rebuilt URL to: https://logs.mycompany.com:5044/
+*   Trying 192.168.99.100...
+* Connected to logs.mycompany.com (192.168.99.100) port 5044 (#0)
+* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+* Server certificate: logs.mycompany.com
+* Server certificate: mycompany.com
+> GET / HTTP/1.1
+> Host: logs.mycompany.com:5044
+> User-Agent: curl/7.43.0
+> Accept: */*
+>
+* Empty reply from server
+* Connection #0 to host logs.mycompany.com left intact
+curl: (52) Empty reply from server
+```
+
+The following example uses the IP address rather than the hostname to validate the certificate:
+
+```shell
+curl -v --cacert ca.crt https://192.168.99.100:5044
+```
+
+Validation for this test fails because the certificate is not valid for the specified IP address. It’s only valid for the `logs.mycompany.com`, the hostname that appears in the Subject field of the certificate.
+
+```shell
+* Rebuilt URL to: https://192.168.99.100:5044/
+*   Trying 192.168.99.100...
+* Connected to 192.168.99.100 (192.168.99.100) port 5044 (#0)
+* WARNING: using IP address, SNI is being disabled by the OS.
+* SSL: certificate verification failed (result: 5)
+* Closing connection 0
+curl: (51) SSL: certificate verification failed (result: 5)
+```
+
+See the [troubleshooting docs](/reference/filebeat/ssl-client-fails.md) for info about resolving this issue.
+
+
+## Test the Filebeat to Logstash connection [_test_the_filebeat_to_logstash_connection]
+
+If you have Filebeat running as a service, first stop the service. Then test your setup by running Filebeat in the foreground so you can quickly see any errors that occur:
+
+```sh
+filebeat -c filebeat.yml -e -v
+```
+
+Any errors will be printed to the console. See the [troubleshooting docs](/reference/filebeat/ssl-client-fails.md) for info about resolving common errors.
+
diff --git a/docs/reference/filebeat/connection-problem.md b/docs/reference/filebeat/connection-problem.md
new file mode 100644
index 000000000000..f84cb9519258
--- /dev/null
+++ b/docs/reference/filebeat/connection-problem.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/connection-problem.html
+---
+
+# Logstash connection doesn���t work [connection-problem]
+
+You may have configured {{ls}} or Filebeat incorrectly. To resolve the issue:
+
+* Make sure that {{ls}} is running and you can connect to it. First, try to ping the {{ls}} host to verify that you can reach it from the host running Filebeat. Then use either `nc` or `telnet` to make sure that the port is available. For example:
+
+    ```shell
+    ping <hostname or IP>
+    telnet <hostname or IP> 5044
+    ```
+
+* Verify that the config file for Filebeat specifies the correct port where {{ls}} is running.
+* Make sure that the {{es}} output is commented out in the config file and the {{ls}} output is uncommented.
+* Confirm that the most recent [Beats input plugin for {{ls}}](logstash://reference/plugins-inputs-beats.md) is installed and configured. Note that Beats will not connect to the Lumberjack input plugin. To learn how to install and update plugins, see [Working with plugins](logstash://reference/working-with-plugins.md).
+
diff --git a/docs/reference/filebeat/console-output.md b/docs/reference/filebeat/console-output.md
new file mode 100644
index 000000000000..e0c26ede6ecf
--- /dev/null
+++ b/docs/reference/filebeat/console-output.md
@@ -0,0 +1,67 @@
+---
+navigation_title: "Console"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/console-output.html
+---
+
+# Configure the Console output [console-output]
+
+
+The Console output writes events in JSON format to stdout.
+
+::::{warning}
+The Console output should be used only for debugging issues as it can produce a large amount of logging data.
+::::
+
+
+To use this output, edit the Filebeat configuration file to disable the {{es}} output by commenting it out, and enable the console output by adding `output.console`.
+
+Example configuration:
+
+```yaml
+output.console:
+  pretty: true
+```
+
+## Configuration options [_configuration_options_30]
+
+You can specify the following `output.console` options in the `filebeat.yml` config file:
+
+### `enabled` [_enabled_35]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `pretty` [_pretty]
+
+If `pretty` is set to true, events written to stdout will be nicely formatted. The default is false.
+
+
+### `codec` [_codec_4]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded using the `pretty` option.
+
+See [Change the output codec](/reference/filebeat/configuration-output-codec.md) for more information.
+
+
+### `bulk_max_size` [_bulk_max_size_4]
+
+The maximum number of events to buffer internally during publishing. The default is 2048.
+
+Specifying a larger batch size may add some latency and buffering during publishing. However, for Console output, this setting does not affect how events are published.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `queue` [_queue_6]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/filebeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `filebeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/filebeat/contributing-to-beats.md b/docs/reference/filebeat/contributing-to-beats.md
new file mode 100644
index 000000000000..7938a0e5a9ad
--- /dev/null
+++ b/docs/reference/filebeat/contributing-to-beats.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/contributing-to-beats.html
+---
+
+# Contribute to Beats [contributing-to-beats]
+
+The Beats are open source and we love to receive contributions from our community — you!
+
+There are many ways to contribute, from writing tutorials or blog posts, improving the documentation, submitting bug reports and feature requests, or writing code that implements a whole new protocol, module, or Beat.
+
+The [Beats Developer Guide](http://www.elastic.co/guide/en/beats/devguide/master/index.md) is your one-stop shop for everything related to developing code for the Beats project.
+
diff --git a/docs/reference/filebeat/convert.md b/docs/reference/filebeat/convert.md
new file mode 100644
index 000000000000..e474c21188ad
--- /dev/null
+++ b/docs/reference/filebeat/convert.md
@@ -0,0 +1,42 @@
+---
+navigation_title: "convert"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/convert.html
+---
+
+# Convert [convert]
+
+
+The `convert` processor converts a field in the event to a different type, such as converting a string to an integer.
+
+The supported types include: `integer`, `long`, `float`, `double`, `string`, `boolean`, and `ip`.
+
+The `ip` type is effectively an alias for `string`, but with an added validation that the value is an IPv4 or IPv6 address.
+
+```yaml
+processors:
+  - convert:
+      fields:
+        - {from: "src_ip", to: "source.ip", type: "ip"}
+        - {from: "src_port", to: "source.port", type: "integer"}
+      ignore_missing: true
+      fail_on_error: false
+```
+
+The `convert` processor has the following configuration settings:
+
+`fields`
+:   (Required) This is the list of fields to convert. At least one item must be contained in the list. Each item in the list must have a `from` key that specifies the source field. The `to` key is optional and specifies where to assign the converted value. If `to` is omitted then the `from` field is updated in-place. The `type` key specifies the data type to convert the value to. If `type` is omitted then the processor copies or renames the field without any type conversion.
+
+`ignore_missing`
+:   (Optional) If `true` the processor continues to the next field when the `from` key is not found in the event. If false then the processor returns an error and does not process the remaining fields. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If false type conversion failures are ignored and the processor continues to the next field. Default is `true`.
+
+`tag`
+:   (Optional) An identifier for this processor. Useful for debugging.
+
+`mode`
+:   (Optional) When both `from` and `to` are defined for a field then `mode` controls whether to `copy` or `rename` the field when the type conversion is successful. Default is `copy`.
+
diff --git a/docs/reference/filebeat/copy-fields.md b/docs/reference/filebeat/copy-fields.md
new file mode 100644
index 000000000000..47d9aca409a8
--- /dev/null
+++ b/docs/reference/filebeat/copy-fields.md
@@ -0,0 +1,45 @@
+---
+navigation_title: "copy_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/copy-fields.html
+---
+
+# Copy fields [copy-fields]
+
+
+The `copy_fields` processor takes the value of a field and copies it to a new field.
+
+You cannot use this processor to replace an existing field. If the target field already exists, you must [drop](/reference/filebeat/drop-fields.md) or [rename](/reference/filebeat/rename-fields.md) the field before using `copy_fields`.
+
+`fields`
+:   List of `from` and `to` pairs to copy from and to. It’s supported to use `@metadata.` prefix for `from` and `to` and copy values not just in/from/to the event fields but also in/from/to the event metadata.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error occurs, the changes are reverted and the original is returned. If set to `false`, processing continues if an error occurs. Default is `true`.
+
+`ignore_missing`
+:   (Optional) Indicates whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - copy_fields:
+      fields:
+        - from: message
+          to: event.original
+      fail_on_error: false
+      ignore_missing: true
+```
+
+Copies the original `message` field to `event.original`:
+
+```json
+{
+  "message": "my-interesting-message",
+  "event": {
+      "original": "my-interesting-message"
+  }
+}
+```
+
diff --git a/docs/reference/filebeat/could-not-locate-index-pattern.md b/docs/reference/filebeat/could-not-locate-index-pattern.md
new file mode 100644
index 000000000000..7ec1ec01ffd0
--- /dev/null
+++ b/docs/reference/filebeat/could-not-locate-index-pattern.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/could-not-locate-index-pattern.html
+---
+
+# Dashboard could not locate the index-pattern [could-not-locate-index-pattern]
+
+Typically Filebeat sets up the index pattern automatically when it loads the index template. However, if for some reason Filebeat loads the index template, but the index pattern does not get created correctly, you’ll see a "could not locate that index-pattern" error. To resolve this problem:
+
+1. Try running the `setup` command again. For example: `./filebeat setup`.
+2. If that doesn’t work, go to the Management app in {{kib}}, and under **Index Patterns**, look for the pattern.
+
+    1. If the pattern doesn’t exist, create it manually.
+
+        * Set the **Time filter field name** to `@timestamp`.
+        * Set the **Custom index pattern ID** advanced option. For example, if your custom index name is `filebeat-customname`, set the custom index pattern ID to `filebeat-customname-*`.
+
+
+For more information, see [Creating an index pattern](docs-content://explore-analyze/find-and-organize/data-views.md) in the {{kib}} docs.
+
diff --git a/docs/reference/filebeat/dashboard-fields-incorrect-filebeat.md b/docs/reference/filebeat/dashboard-fields-incorrect-filebeat.md
new file mode 100644
index 000000000000..d05db3fed0c1
--- /dev/null
+++ b/docs/reference/filebeat/dashboard-fields-incorrect-filebeat.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/dashboard-fields-incorrect-filebeat.html
+---
+
+# Dashboard in Kibana is breaking up data fields incorrectly [dashboard-fields-incorrect-filebeat]
+
+The index template might not be loaded correctly. See [*Load the {{es}} index template*](/reference/filebeat/filebeat-template.md).
+
diff --git a/docs/reference/filebeat/decode-base64-field.md b/docs/reference/filebeat/decode-base64-field.md
new file mode 100644
index 000000000000..d900eea58ef2
--- /dev/null
+++ b/docs/reference/filebeat/decode-base64-field.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "decode_base64_field"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/decode-base64-field.html
+---
+
+# Decode Base64 fields [decode-base64-field]
+
+
+The `decode_base64_field` processor specifies a field to base64 decode. The `field` key contains a `from: old-key` and a `to: new-key` pair. `from` is the origin and `to` the target name of the field.
+
+To overwrite fields either first rename the target field or use the `drop_fields` processor to drop the field and then rename the field.
+
+```yaml
+processors:
+  - decode_base64_field:
+      field:
+        from: "field1"
+        to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above: - field1 is decoded in field2
+
+The `decode_base64_field` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be base64 decoded is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the base64 decode of fields is stopped and the original event is returned. If set to false, decoding continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/filebeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/filebeat/decode-csv-fields.md b/docs/reference/filebeat/decode-csv-fields.md
new file mode 100644
index 000000000000..8df815bb8d0f
--- /dev/null
+++ b/docs/reference/filebeat/decode-csv-fields.md
@@ -0,0 +1,48 @@
+---
+navigation_title: "decode_csv_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/decode-csv-fields.html
+---
+
+# Decode CSV fields [decode-csv-fields]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `decode_csv_fields` processor decodes fields containing records in comma-separated format (CSV). It will output the values as an array of strings. This processor is available for Filebeat.
+
+```yaml
+processors:
+  - decode_csv_fields:
+      fields:
+        message: decoded.csv
+      separator: ","
+      ignore_missing: false
+      overwrite_keys: true
+      trim_leading_space: false
+      fail_on_error: true
+```
+
+The `decode_csv_fields` has the following settings:
+
+`fields`
+:   This is a mapping from the source field containing the CSV data to the destination field to which the decoded array will be written.
+
+`separator`
+:   (Optional) Character to be used as a column separator. The default is the comma character. For using a TAB character you must set it to "\t".
+
+`ignore_missing`
+:   (Optional) Whether to ignore events which lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+`overwrite_keys`
+:   Whether the target field is overwritten if it already exists. The default is false, which will fail processing of an event when `target` already exists.
+
+`trim_leading_space`
+:   Whether extra space after the separator is trimmed from values. This works even if the separator is also a space. The default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the changes to the event are reverted, and the original event is returned. If set to `false`, processing continues also if an error happens. Default is `true`.
+
diff --git a/docs/reference/filebeat/decode-duration.md b/docs/reference/filebeat/decode-duration.md
new file mode 100644
index 000000000000..1e8bb3d50a53
--- /dev/null
+++ b/docs/reference/filebeat/decode-duration.md
@@ -0,0 +1,25 @@
+---
+navigation_title: "decode_duration"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/decode-duration.html
+---
+
+# Decode duration [decode-duration]
+
+
+The `decode_duration` processor decodes a Go-style duration string into a specific `format`.
+
+For more information about the Go `time.Duration` string style, refer to the [Go documentation](https://pkg.go.dev/time#Duration).
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | yes |  | Which field of event needs to be decoded as `time.Duration` |  |
+| `format` | yes | `milliseconds` | Supported formats: `milliseconds`/`seconds`/`minutes`/`hours` |  |
+
+```yaml
+processors:
+  - decode_duration:
+      field: "app.rpc.cost"
+      format: "milliseconds"
+```
+
diff --git a/docs/reference/filebeat/decode-json-fields.md b/docs/reference/filebeat/decode-json-fields.md
new file mode 100644
index 000000000000..89be9851d52c
--- /dev/null
+++ b/docs/reference/filebeat/decode-json-fields.md
@@ -0,0 +1,48 @@
+---
+navigation_title: "decode_json_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/decode-json-fields.html
+---
+
+# Decode JSON fields [decode-json-fields]
+
+
+The `decode_json_fields` processor decodes fields containing JSON strings and replaces the strings with valid JSON objects.
+
+```yaml
+processors:
+  - decode_json_fields:
+      fields: ["field1", "field2", ...]
+      process_array: false
+      max_depth: 1
+      target: ""
+      overwrite_keys: false
+      add_error_key: true
+```
+
+The `decode_json_fields` processor has the following configuration settings:
+
+`fields`
+:   The fields containing JSON strings to decode.
+
+`process_array`
+:   (Optional) A Boolean value that specifies whether to process arrays. The default is `false`.
+
+`max_depth`
+:   (Optional) The maximum parsing depth. A value of `1`  will decode the JSON objects in fields indicated in `fields`, a value of `2` will also decode the objects embedded in the fields of these parsed documents. The default is `1`.
+
+`target`
+:   (Optional) The field under which the decoded JSON will be written. By default, the decoded JSON object replaces the string field from which it was read. To merge the decoded JSON fields into the root of the event, specify `target` with an empty string (`target: ""`). Note that the `null` value (`target:`) is treated as if the field was not set.
+
+`overwrite_keys`
+:   (Optional) A Boolean value that specifies whether existing keys in the event are overwritten by keys from the decoded JSON object. The default value is `false`.
+
+`expand_keys`
+:   (Optional) A Boolean value that specifies whether keys in the decoded JSON should be recursively de-dotted and expanded into a hierarchical object structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`.
+
+`add_error_key`
+:   (Optional) If set to `true` and an error occurs while decoding JSON keys, the `error` field will become a part of the event with the error message. If set to `false`, there will not be any error in the event’s field. The default value is `false`.
+
+`document_id`
+:   (Optional) JSON key that’s used as the document ID. If configured, the field will be removed from the original JSON document and stored in `@metadata._id`
+
diff --git a/docs/reference/filebeat/decode-xml-wineventlog.md b/docs/reference/filebeat/decode-xml-wineventlog.md
new file mode 100644
index 000000000000..4f2ebce14121
--- /dev/null
+++ b/docs/reference/filebeat/decode-xml-wineventlog.md
@@ -0,0 +1,162 @@
+---
+navigation_title: "decode_xml_wineventlog"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/decode-xml-wineventlog.html
+---
+
+# Decode XML Wineventlog [decode-xml-wineventlog]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `decode_xml_wineventlog` processor decodes Windows Event Log data in XML format that is stored under the `field` key. It outputs the result into the `target_field`.
+
+The output fields will be the same as the [winlogbeat winlog fields](/reference/winlogbeat/exported-fields-winlog.md#_winlog).
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the XML. Defaults to `message`.
+
+`target_field`
+:   (Required) The field under which the decoded XML will be written. To merge the decoded XML fields into the root of the event specify `target_field` with an empty string (`target_field: ""`). The default value is `winlog`.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the decoded XML object. The default value is `true`.
+
+`map_ecs_fields`
+:   (Optional) A boolean that specifies whether to map additional ECS fields when possible. Note that ECS field keys are placed outside of `target_field`. The default value is `true`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+`language`
+:   (Optional) The language ID the events will be rendered in. The language will be forced regardless of the system language. Forwarded events will ignore this setting. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language.
+
+Example:
+
+```yaml
+processors:
+  - decode_xml_wineventlog:
+      field: event.original
+      target_field: winlog
+```
+
+```json
+{
+  "event": {
+    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>"
+  }
+}
+```
+
+Will produce the following output:
+
+```json
+{
+  "event": {
+    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>",
+    "action":   "Special Logon",
+		"code":     "4672",
+		"kind":     "event",
+		"outcome":  "success",
+		"provider": "Microsoft-Windows-Security-Auditing",
+  },
+	"host": {
+    "name": "vagrant",
+  },
+  "log": {
+    "level": "information",
+  },
+  "winlog": {
+    "channel": "Security",
+    "outcome": "success",
+    "activity_id": "{ffb23523-1f32-0000-c335-b2ff321fd701}",
+    "level": "information",
+    "event_id": 4672,
+    "provider_name": "Microsoft-Windows-Security-Auditing",
+    "record_id": 11303,
+    "computer_name": "vagrant",
+    "keywords_raw": 9232379236109516800,
+    "opcode": "Info",
+    "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+    "event_data": {
+      "SubjectUserSid": "S-1-5-18",
+      "SubjectUserName": "SYSTEM",
+      "SubjectDomainName": "NT AUTHORITY",
+      "SubjectLogonId": "0x3e7",
+      "PrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"
+    },
+    "task": "Special Logon",
+    "keywords": [
+      "Audit Success"
+    ],
+    "message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
+    "process": {
+      "pid": 652,
+      "thread": {
+        "id": 4660
+      }
+    }
+  }
+}
+```
+
+See [Conditions](/reference/filebeat/defining-processors.md#conditions) for a list of supported conditions.
+
+The field mappings are as follows:
+
+| Event Field | Source XML Element | Notes |
+| --- | --- | --- |
+| `winlog.channel` | `<Event><System><Channel>` |  |
+| `winlog.event_id` | `<Event><System><EventID>` |  |
+| `winlog.provider_name` | `<Event><System><Provider>` | `Name` attribute |
+| `winlog.record_id` | `<Event><System><EventRecordID>` |  |
+| `winlog.task` | `<Event><System><Task>` |  |
+| `winlog.computer_name` | `<Event><System><Computer>` |  |
+| `winlog.keywords` | `<Event><RenderingInfo><Keywords>` | list of each `Keyword` |
+| `winlog.opcodes` | `<Event><RenderingInfo><Opcode>` |  |
+| `winlog.provider_guid` | `<Event><System><Provider>` | `Guid` attribute |
+| `winlog.version` | `<Event><System><Version>` |  |
+| `winlog.time_created` | `<Event><System><TimeCreated>` | `SystemTime` attribute |
+| `winlog.outcome` | `<Event><System><Keywords>` | "success" if bit 0x20000000000000 is set, "failure" if 0x10000000000000 is set |
+| `winlog.level` | `<Event><System><Level>` | converted to lowercase |
+| `winlog.message` | `<Event><RenderingInfo><Message>` | line endings removed |
+| `winlog.user.identifier` | `<Event><System><Security><UserID>` |  |
+| `winlog.user.domain` | `<Event><System><Security><Domain>` |  |
+| `winlog.user.name` | `<Event><System><Security><Name>` |  |
+| `winlog.user.type` | `<Event><System><Security><Type>` | converted from integer to String |
+| `winlog.event_data` | `<Event><EventData>` | map where `Name` attribute in Data element is key, and value is the value of the Data element |
+| `winlog.user_data` | `<Event><UserData>` | map where `Name` attribute in Data element is key, and value is the value of the Data element |
+| `winlog.activity_id` | `<Event><System><Correlation><ActivityID>` |  |
+| `winlog.related_activity_id` | `<Event><System><Correlation><RelatedActivityID>` |  |
+| `winlog.kernel_time` | `<Event><System><Execution><KernelTime>` |  |
+| `winlog.process.pid` | `<Event><System><Execution><ProcessID>` |  |
+| `winlog.process.thread.id` | `<Event><System><Execution><ThreadID>` |  |
+| `winlog.processor_id` | `<Event><System><Execution><ProcessorID>` |  |
+| `winlog.processor_time` | `<Event><System><Execution><ProcessorTime>` |  |
+| `winlog.session_id` | `<Event><System><Execution><SessionID>` |  |
+| `winlog.user_time` | `<Event><System><Execution><UserTime>` |  |
+| `winlog.error.code` | `<Event><ProcessingErrorData><ErrorCode>` |  |
+
+If `map_ecs_fields` is enabled then the following field mappings are also performed:
+
+| Event Field | Source XML or other field | Notes |
+| --- | --- | --- |
+| `event.code` | `winlog.event_id` |  |
+| `event.kind` | `"event"` |  |
+| `event.provider` | `<Event><System><Provider>` | `Name` attribute |
+| `event.action` | `<Event><RenderingInfo><Task>` |  |
+| `event.host.name` | `<Event><System><Computer>` |  |
+| `event.outcome` | `winlog.outcome` |  |
+| `log.level` | `winlog.level` |  |
+| `message` | `winlog.message` |  |
+| `error.code` | `winlog.error.code` |  |
+| `error.message` | `winlog.error.message` |  |
+
diff --git a/docs/reference/filebeat/decode-xml.md b/docs/reference/filebeat/decode-xml.md
new file mode 100644
index 000000000000..f29f6c6f7d89
--- /dev/null
+++ b/docs/reference/filebeat/decode-xml.md
@@ -0,0 +1,96 @@
+---
+navigation_title: "decode_xml"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/decode-xml.html
+---
+
+# Decode XML [decode-xml]
+
+
+The `decode_xml` processor decodes XML data that is stored under the `field` key. It outputs the result into the `target_field`.
+
+This example demonstrates how to decode an XML string contained in the `message` field and write the resulting fields into the root of the document. Any fields that already exist will be overwritten.
+
+```yaml
+processors:
+  - decode_xml:
+      field: message
+      target_field: ""
+      overwrite_keys: true
+```
+
+By default any decoding errors that occur will stop the processing chain and the error will be added to `error.message` field. To ignore all errors and continue to the next processor you can set `ignore_failure: true`. To specifically ignore failures caused by `field` not existing you can set `ignore_missing: true`.
+
+```yaml
+processors:
+  - decode_xml:
+      field: example
+      target_field: xml
+      ignore_missing: true
+      ignore_failure: true
+```
+
+By default all keys converted from XML will have the names converted to lowercase. If there is a need to disable this behavior it is possible to use the below example:
+
+```yaml
+processors:
+  - decode_xml:
+      field: message
+      target_field: xml
+      to_lower: false
+```
+
+Example XML input:
+
+```xml
+<catalog>
+  <book seq="1">
+    <author>William H. Gaddis</author>
+    <title>The Recognitions</title>
+    <review>One of the great seminal American novels of the 20th century.</review>
+  </book>
+</catalog>
+```
+
+Will produce the following output:
+
+```json
+{
+	"xml": {
+		"catalog": {
+			"book": {
+				"author": "William H. Gaddis",
+				"review": "One of the great seminal American novels of the 20th century.",
+				"seq": "1",
+				"title": "The Recognitions"
+			}
+		}
+	}
+}
+```
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the XML. Defaults to `message`.
+
+`target_field`
+:   (Optional) The field under which the decoded XML will be written. By default the decoded XML object replaces the field from which it was read. To merge the decoded XML fields into the root of the event specify `target_field` with an empty string (`target_field: ""`). Note that the `null` value (`target_field:`) is treated as if the field was not set at all.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the decoded XML object. The default value is `true`.
+
+`to_lower`
+:   (Optional) Converts all keys to lowercase. Accepts either `true` or `false`. The default value is `true`.
+
+`document_id`
+:   (Optional) XML key to use as the document ID. If configured, the field will be removed from the original XML document and stored in `@metadata._id`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+See [Conditions](/reference/filebeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/filebeat/decompress-gzip-field.md b/docs/reference/filebeat/decompress-gzip-field.md
new file mode 100644
index 000000000000..7ea90012c0cd
--- /dev/null
+++ b/docs/reference/filebeat/decompress-gzip-field.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "decompress_gzip_field"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/decompress-gzip-field.html
+---
+
+# Decompress gzip fields [decompress-gzip-field]
+
+
+The `decompress_gzip_field` processor specifies a field to gzip decompress. The `field` key contains a `from: old-key` and a `to: new-key` pair. `from` is the origin and `to` the target name of the field.
+
+To overwrite fields either first rename the target field or use the `drop_fields` processor to drop the field and then decompress the field.
+
+```yaml
+processors:
+  - decompress_gzip_field:
+      field:
+        from: "field1"
+        to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above: - field1 is decoded in field2
+
+The `decompress_gzip_field` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be decompressed is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the decompression of fields is stopped and the original event is returned. If set to false, decompression continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/filebeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/filebeat/defining-processors.md b/docs/reference/filebeat/defining-processors.md
new file mode 100644
index 000000000000..800c5f876562
--- /dev/null
+++ b/docs/reference/filebeat/defining-processors.md
@@ -0,0 +1,335 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html
+---
+
+# Define processors [defining-processors]
+
+You can use processors to filter and enhance data before sending it to the configured output. To define a processor, you specify the processor name, an optional condition, and a set of parameters:
+
+```yaml
+processors:
+  - <processor_name>:
+      when:
+        <condition>
+      <parameters>
+
+  - <processor_name>:
+      when:
+        <condition>
+      <parameters>
+
+...
+```
+
+Where:
+
+* `<processor_name>` specifies a [processor](#processors) that performs some kind of action, such as selecting the fields that are exported or adding metadata to the event.
+* `<condition>` specifies an optional [condition](#conditions). If the condition is present, then the action is executed only if the condition is fulfilled. If no condition is set, then the action is always executed.
+* `<parameters>` is the list of parameters to pass to the processor.
+
+More complex conditional processing can be accomplished by using the if-then-else processor configuration. This allows multiple processors to be executed based on a single condition.
+
+```yaml
+processors:
+  - if:
+      <condition>
+    then: <1>
+      - <processor_name>:
+          <parameters>
+      - <processor_name>:
+          <parameters>
+      ...
+    else: <2>
+      - <processor_name>:
+          <parameters>
+      - <processor_name>:
+          <parameters>
+      ...
+```
+
+1. `then` must contain a single processor or a list of one or more processors to execute when the condition evaluates to true.
+2. `else` is optional. It can contain a single processor or a list of processors to execute when the conditional evaluate to false.
+
+
+## Where are processors valid? [where-valid]
+
+Processors are valid:
+
+* At the top-level in the configuration. The processor is applied to all data collected by Filebeat.
+* Under a specific input. The processor is applied to the data collected for that input.
+
+    ```yaml
+    - type: <input_type>
+      processors:
+        - <processor_name>:
+            when:
+              <condition>
+            <parameters>
+    ...
+    ```
+
+    Similarly, for Filebeat modules, you can define processors under the `input` section of the module definition.
+
+
+
+## Processors [processors]
+
+The supported processors are:
+
+* [`add_cloud_metadata`](/reference/filebeat/add-cloud-metadata.md)
+* [`add_cloudfoundry_metadata`](/reference/filebeat/add-cloudfoundry-metadata.md)
+* [`add_docker_metadata`](/reference/filebeat/add-docker-metadata.md)
+* [`add_fields`](/reference/filebeat/add-fields.md)
+* [`add_host_metadata`](/reference/filebeat/add-host-metadata.md)
+* [`add_id`](/reference/filebeat/add-id.md)
+* [`add_kubernetes_metadata`](/reference/filebeat/add-kubernetes-metadata.md)
+* [`add_labels`](/reference/filebeat/add-labels.md)
+* [`add_locale`](/reference/filebeat/add-locale.md)
+* [`add_nomad_metadata`](/reference/filebeat/add-nomad-metadata.md)
+* [`add_observer_metadata`](/reference/filebeat/add-observer-metadata.md)
+* [`add_process_metadata`](/reference/filebeat/add-process-metadata.md)
+* [`add_tags`](/reference/filebeat/add-tags.md)
+* [`append`](/reference/filebeat/append.md)
+* [`community_id`](/reference/filebeat/community-id.md)
+* [`convert`](/reference/filebeat/convert.md)
+* [`copy_fields`](/reference/filebeat/copy-fields.md)
+* [`decode_base64_field`](/reference/filebeat/decode-base64-field.md)
+* [`decode_cef`](/reference/filebeat/processor-decode-cef.md)
+* [`decode_csv_fields`](/reference/filebeat/decode-csv-fields.md)
+* [`decode_duration`](/reference/filebeat/decode-duration.md)
+* [`decode_json_fields`](/reference/filebeat/decode-json-fields.md)
+* [`decode_xml`](/reference/filebeat/decode-xml.md)
+* [`decode_xml_wineventlog`](/reference/filebeat/decode-xml-wineventlog.md)
+* [`decompress_gzip_field`](/reference/filebeat/decompress-gzip-field.md)
+* [`detect_mime_type`](/reference/filebeat/detect-mime-type.md)
+* [`dissect`](/reference/filebeat/dissect.md)
+* [`dns`](/reference/filebeat/processor-dns.md)
+* [`drop_event`](/reference/filebeat/drop-event.md)
+* [`drop_fields`](/reference/filebeat/drop-fields.md)
+* [`extract_array`](/reference/filebeat/extract-array.md)
+* [`fingerprint`](/reference/filebeat/fingerprint.md)
+* [`include_fields`](/reference/filebeat/include-fields.md)
+* [`move-fields`](/reference/filebeat/move-fields.md)
+* [`parse_aws_vpc_flow_log`](/reference/filebeat/processor-parse-aws-vpc-flow-log.md)
+* [`rate_limit`](/reference/filebeat/rate-limit.md)
+* [`registered_domain`](/reference/filebeat/processor-registered-domain.md)
+* [`rename`](/reference/filebeat/rename-fields.md)
+* [`replace`](/reference/filebeat/replace-fields.md)
+* [`script`](/reference/filebeat/processor-script.md)
+* [`syslog`](/reference/filebeat/syslog.md)
+* [`timestamp`](/reference/filebeat/processor-timestamp.md)
+* [`translate_ldap_attribute`](/reference/filebeat/processor-translate-guid.md)
+* [`translate_sid`](/reference/filebeat/processor-translate-sid.md)
+* [`truncate_fields`](/reference/filebeat/truncate-fields.md)
+* [`urldecode`](/reference/filebeat/urldecode.md)
+
+
+## Conditions [conditions]
+
+Each condition receives a field to compare. You can specify multiple fields under the same condition by using `AND` between the fields (for example, `field1 AND field2`).
+
+For each field, you can specify a simple field name or a nested map, for example `dns.question.name`.
+
+See [Exported fields](/reference/filebeat/exported-fields.md) for a list of all the fields that are exported by Filebeat.
+
+The supported conditions are:
+
+* [`equals`](#condition-equals)
+* [`contains`](#condition-contains)
+* [`regexp`](#condition-regexp)
+* [`range`](#condition-range)
+* [`network`](#condition-network)
+* [`has_fields`](#condition-has_fields)
+* [`or`](#condition-or)
+* [`and`](#condition-and)
+* [`not`](#condition-not)
+
+
+#### `equals` [condition-equals]
+
+With the `equals` condition, you can compare if a field has a certain value. The condition accepts only an integer or a string value.
+
+For example, the following condition checks if the response code of the HTTP transaction is 200:
+
+```yaml
+equals:
+  http.response.code: 200
+```
+
+
+#### `contains` [condition-contains]
+
+The `contains` condition checks if a value is part of a field. The field can be a string or an array of strings. The condition accepts only a string value.
+
+For example, the following condition checks if an error is part of the transaction status:
+
+```yaml
+contains:
+  status: "Specific error"
+```
+
+
+#### `regexp` [condition-regexp]
+
+The `regexp` condition checks the field against a regular expression. The condition accepts only strings.
+
+For example, the following condition checks if the process name starts with `foo`:
+
+```yaml
+regexp:
+  system.process.name: "^foo.*"
+```
+
+
+#### `range` [condition-range]
+
+The `range` condition checks if the field is in a certain range of values. The condition supports `lt`, `lte`, `gt` and `gte`. The condition accepts only integer, float, or strings that can be converted to either of these as values.
+
+For example, the following condition checks for failed HTTP transactions by comparing the `http.response.code` field with 400.
+
+```yaml
+range:
+  http.response.code:
+    gte: 400
+```
+
+This can also be written as:
+
+```yaml
+range:
+  http.response.code.gte: 400
+```
+
+The following condition checks if the CPU usage in percentage has a value between 0.5 and 0.8.
+
+```yaml
+range:
+  system.cpu.user.pct.gte: 0.5
+  system.cpu.user.pct.lt: 0.8
+```
+
+
+#### `network` [condition-network]
+
+The `network` condition checks whether a field’s value falls within a specified IP network range. If multiple fields are provided, each field value must match its corresponding network range. You can specify multiple network ranges for a single field, and a match occurs if any one of the ranges matches. If the field value is an array of IPs, it will match if any of the IPs fall within any of the given ranges. Both IPv4 and IPv6 addresses are supported.
+
+The network range may be specified using CIDR notation, like "192.0.2.0/24" or "2001:db8::/32", or by using one of these named ranges:
+
+* `loopback` - Matches loopback addresses in the range of `127.0.0.0/8` or `::1/128`.
+* `unicast` - Matches global unicast addresses defined in RFC 1122, RFC 4632, and RFC 4291 with the exception of the IPv4 broadcast address (`255.255.255.255`). This includes private address ranges.
+* `multicast` - Matches multicast addresses.
+* `interface_local_multicast` - Matches IPv6 interface-local multicast addresses.
+* `link_local_unicast` - Matches link-local unicast addresses.
+* `link_local_multicast` - Matches link-local multicast addresses.
+* `private` - Matches private address ranges defined in RFC 1918 (IPv4) and RFC 4193 (IPv6).
+* `public` - Matches addresses that are not loopback, unspecified, IPv4 broadcast, link local unicast, link local multicast, interface local multicast, or private.
+* `unspecified` - Matches unspecified addresses (either the IPv4 address "0.0.0.0" or the IPv6 address "::").
+
+The following condition returns true if the `source.ip` value is within the private address space.
+
+```yaml
+network:
+  source.ip: private
+```
+
+This condition returns true if the `destination.ip` value is within the IPv4 range of `192.168.1.0` - `192.168.1.255`.
+
+```yaml
+network:
+  destination.ip: '192.168.1.0/24'
+```
+
+And this condition returns true when `destination.ip` is within any of the given subnets.
+
+```yaml
+network:
+  destination.ip: ['192.168.1.0/24', '10.0.0.0/8', loopback]
+```
+
+
+#### `has_fields` [condition-has_fields]
+
+The `has_fields` condition checks if all the given fields exist in the event. The condition accepts a list of string values denoting the field names.
+
+For example, the following condition checks if the `http.response.code` field is present in the event.
+
+```yaml
+has_fields: ['http.response.code']
+```
+
+
+#### `or` [condition-or]
+
+The `or` operator receives a list of conditions.
+
+```yaml
+or:
+  - <condition1>
+  - <condition2>
+  - <condition3>
+  ...
+```
+
+For example, to configure the condition `http.response.code = 304 OR http.response.code = 404`:
+
+```yaml
+or:
+  - equals:
+      http.response.code: 304
+  - equals:
+      http.response.code: 404
+```
+
+
+#### `and` [condition-and]
+
+The `and` operator receives a list of conditions.
+
+```yaml
+and:
+  - <condition1>
+  - <condition2>
+  - <condition3>
+  ...
+```
+
+For example, to configure the condition `http.response.code = 200 AND status = OK`:
+
+```yaml
+and:
+  - equals:
+      http.response.code: 200
+  - equals:
+      status: OK
+```
+
+To configure a condition like `<condition1> OR <condition2> AND <condition3>`:
+
+```yaml
+or:
+  - <condition1>
+  - and:
+    - <condition2>
+    - <condition3>
+```
+
+
+#### `not` [condition-not]
+
+The `not` operator receives the condition to negate.
+
+```yaml
+not:
+  <condition>
+```
+
+For example, to configure the condition `NOT status = OK`:
+
+```yaml
+not:
+  equals:
+    status: OK
+```
+
+
diff --git a/docs/reference/filebeat/detect-mime-type.md b/docs/reference/filebeat/detect-mime-type.md
new file mode 100644
index 000000000000..d2430ff391e9
--- /dev/null
+++ b/docs/reference/filebeat/detect-mime-type.md
@@ -0,0 +1,22 @@
+---
+navigation_title: "detect_mime_type"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/detect-mime-type.html
+---
+
+# Detect mime type [detect-mime-type]
+
+
+The `detect_mime_type` processor attempts to detect a mime type for a field that contains a given stream of bytes. The `field` key contains the field used as the data source and the `target` key contains the field to populate with the detected type. It’s supported to use `@metadata.` prefix for `target` and set the value in the event metadata instead of fields.
+
+```yaml
+processors:
+  - detect_mime_type:
+      field: http.request.body.content
+      target: http.request.mime_type
+```
+
+In the example above: - http.request.body.content is used as the source and http.request.mime_type is set to the detected mime type
+
+See [Conditions](/reference/filebeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/filebeat/diff-logstash-beats.md b/docs/reference/filebeat/diff-logstash-beats.md
new file mode 100644
index 000000000000..214708605b3f
--- /dev/null
+++ b/docs/reference/filebeat/diff-logstash-beats.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/diff-logstash-beats.html
+---
+
+# Not sure whether to use Logstash or Beats [diff-logstash-beats]
+
+Beats are lightweight data shippers that you install as agents on your servers to send specific types of operational data to {{es}}. Beats have a small footprint and use fewer system resources than {{ls}}.
+
+{{ls}} has a larger footprint, but provides a broad array of input, filter, and output plugins for collecting, enriching, and transforming data from a variety of sources.
+
+For more information, see the [{{ls}} Introduction](logstash://reference/index.md) and the [Beats Overview](/reference/index.md).
+
diff --git a/docs/reference/filebeat/directory-layout.md b/docs/reference/filebeat/directory-layout.md
new file mode 100644
index 000000000000..1c50acf899c0
--- /dev/null
+++ b/docs/reference/filebeat/directory-layout.md
@@ -0,0 +1,70 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/directory-layout.html
+---
+
+# Directory layout [directory-layout]
+
+The directory layout of an installation is as follows:
+
+::::{tip}
+Archive installation has a different layout. See [zip, tar.gz, or tgz](#directory-layout-archive).
+::::
+
+
+| Type | Description | Default Location | Config Option |
+| --- | --- | --- | --- |
+| home | Home of the Filebeat installation. |  | `path.home` |
+| bin | The location for the binary files. | `{path.home}/bin` |  |
+| config | The location for configuration files. | `{path.home}` | `path.config` |
+| data | The location for persistent data files. | `{path.home}/data` | `path.data` |
+| logs | The location for the logs created by Filebeat. | `{path.home}/logs` | `path.logs` |
+
+You can change these settings by using CLI flags or setting [path options](/reference/filebeat/configuration-path.md) in the configuration file.
+
+## Default paths [_default_paths]
+
+Filebeat uses the following default paths unless you explicitly change them.
+
+
+#### deb and rpm [_deb_and_rpm]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Filebeat installation. | `/usr/share/filebeat` |
+| bin | The location for the binary files. | `/usr/share/filebeat/bin` |
+| config | The location for configuration files. | `/etc/filebeat` |
+| data | The location for persistent data files. | `/var/lib/filebeat` |
+| logs | The location for the logs created by Filebeat. | `/var/log/filebeat` |
+
+For the deb and rpm distributions, these paths are set in the init script or in the systemd unit file.  Make sure that you start the Filebeat service by using the preferred operating system method (init scripts or `systemctl`). Otherwise the paths might be set incorrectly.
+
+
+#### docker [_docker]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Filebeat installation. | `/usr/share/filebeat` |
+| bin | The location for the binary files. | `/usr/share/filebeat` |
+| config | The location for configuration files. | `/usr/share/filebeat` |
+| data | The location for persistent data files. | `/usr/share/filebeat/data` |
+| logs | The location for the logs created by Filebeat. | `/usr/share/filebeat/logs` |
+
+
+#### zip, tar.gz, or tgz [directory-layout-archive]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Filebeat installation. | `{extract.path}` |
+| bin | The location for the binary files. | `{extract.path}` |
+| config | The location for configuration files. | `{extract.path}` |
+| data | The location for persistent data files. | `{extract.path}/data` |
+| logs | The location for the logs created by Filebeat. | `{extract.path}/logs` |
+
+For the zip, tar.gz, or tgz distributions, these paths are based on the location of the extracted binary file. This means that if you start Filebeat with the following simple command, all paths are set correctly:
+
+```sh
+./filebeat
+```
+
+
diff --git a/docs/reference/filebeat/discard-output.md b/docs/reference/filebeat/discard-output.md
new file mode 100644
index 000000000000..69a26343d49e
--- /dev/null
+++ b/docs/reference/filebeat/discard-output.md
@@ -0,0 +1,37 @@
+---
+navigation_title: "Discard"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/discard-output.html
+---
+
+# Configure the Discard output [discard-output]
+
+
+The Discard output throws away data.
+
+::::{warning}
+The Discard output should be used only for development or debugging issues. Data is lost.
+::::
+
+
+This can be useful if you want to work on your input configuration without needing to configure an output. It can also be useful to test how changes in input and processor configuration affect performance.
+
+Example configuration:
+
+```yaml
+output.discard:
+  enabled: true
+```
+
+## Configuration options [_configuration_options_31]
+
+You can specify the following `output.discard` options in the `filebeat.yml` config file:
+
+### `enabled` [_enabled_36]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+
diff --git a/docs/reference/filebeat/dissect.md b/docs/reference/filebeat/dissect.md
new file mode 100644
index 000000000000..8603d041a692
--- /dev/null
+++ b/docs/reference/filebeat/dissect.md
@@ -0,0 +1,95 @@
+---
+navigation_title: "dissect"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/dissect.html
+---
+
+# Dissect strings [dissect]
+
+
+The `dissect` processor tokenizes incoming strings using defined patterns.
+
+```yaml
+processors:
+  - dissect:
+      tokenizer: "%{key1} %{key2} %{key3|convert_datatype}"
+      field: "message"
+      target_prefix: "dissect"
+```
+
+The `dissect` processor has the following configuration settings:
+
+`tokenizer`
+:   The field used to define the **dissection** pattern. Optional convert datatype can be provided after the key using `|` as separator to convert the value from string to integer, long, float, double, boolean or ip.
+
+`field`
+:   (Optional) The event field to tokenize. Default is `message`.
+
+`target_prefix`
+:   (Optional) The name of the field where the values will be extracted. When an empty string is defined, the processor will create the keys at the root of the event. Default is `dissect`. When the target key already exists in the event, the processor won’t replace it and log an error; you need to either drop or rename the key before using dissect, or enable the `overwrite_keys` flag.
+
+`ignore_failure`
+:   (Optional) Flag to control whether the processor returns an error if the tokenizer fails to match the message field. If set to true, the processor will silently restore the original event, allowing execution of subsequent processors (if any). If set to false (default), the processor will log an error, preventing execution of other processors.
+
+`overwrite_keys`
+:   (Optional) When set to true, the processor will overwrite existing keys in the event. The default is false, which causes the processor to fail when a key already exists.
+
+`trim_values`
+:   (Optional) Enables the trimming of the extracted values. Useful to remove leading and/or trailing spaces. Possible values are:
+
+    * `none`: (default) no trimming is performed.
+    * `left`: values are trimmed on the left (leading).
+    * `right`: values are trimmed on the right (trailing).
+    * `all`: values are trimmed for leading and trailing.
+
+
+`trim_chars`
+:   (Optional) Set of characters to trim from values, when trimming is enabled. The default is to trim the space character (`" "`). To trim multiple characters, simply set it to a string containing all characters to trim. For example, `trim_chars: " \t"` will trim spaces and/or tabs.
+
+For tokenization to be successful, all keys must be found and extracted, if one of them cannot be found an error will be logged and no modification is done on the original event.
+
+::::{note}
+A key can contain any characters except reserved suffix or prefix modifiers:  `/`,`&`, `+`, `#` and `?`.
+::::
+
+
+See [Conditions](/reference/filebeat/defining-processors.md#conditions) for a list of supported conditions.
+
+## Dissect example [dissect-example]
+
+For this example, imagine that an application generates the following messages:
+
+```sh
+"321 - App01 - WebServer is starting"
+"321 - App01 - WebServer is up and running"
+"321 - App01 - WebServer is scaling 2 pods"
+"789 - App02 - Database is will be restarted in 5 minutes"
+"789 - App02 - Database is up and running"
+"789 - App02 - Database is refreshing tables"
+```
+
+Use the `dissect` processor to split each message into three fields, for example, `service.pid`, `service.name` and `service.status`:
+
+```yaml
+processors:
+  - dissect:
+      tokenizer: '"%{service.pid|integer} - %{service.name} - %{service.status}"'
+      field: "message"
+      target_prefix: ""
+```
+
+This configuration produces fields like:
+
+```json
+"service": {
+  "pid": 321,
+  "name": "App01",
+  "status": "WebServer is up and running"
+},
+```
+
+`service.name` is an ECS [keyword field](elasticsearch://reference/elasticsearch/mapping-reference/keyword.md), which means that you can use it in {{es}} for filtering, sorting, and aggregations.
+
+When possible, use ECS-compatible field names. For more information, see the [Elastic Common Schema](ecs://reference/index.md) documentation.
+
+
diff --git a/docs/reference/filebeat/drop-event.md b/docs/reference/filebeat/drop-event.md
new file mode 100644
index 000000000000..06f39ed06764
--- /dev/null
+++ b/docs/reference/filebeat/drop-event.md
@@ -0,0 +1,20 @@
+---
+navigation_title: "drop_event"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/drop-event.html
+---
+
+# Drop events [drop-event]
+
+
+The `drop_event` processor drops the entire event if the associated condition is fulfilled. The condition is mandatory, because without one, all the events are dropped.
+
+```yaml
+processors:
+  - drop_event:
+      when:
+        condition
+```
+
+See [Conditions](/reference/filebeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/filebeat/drop-fields.md b/docs/reference/filebeat/drop-fields.md
new file mode 100644
index 000000000000..51558ad4550d
--- /dev/null
+++ b/docs/reference/filebeat/drop-fields.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "drop_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/drop-fields.html
+---
+
+# Drop fields from events [drop-fields]
+
+
+The `drop_fields` processor specifies which fields to drop if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always dropped. The `@timestamp` and `type` fields cannot be dropped, even if they show up in the `drop_fields` list.
+
+```yaml
+processors:
+  - drop_fields:
+      when:
+        condition
+      fields: ["field1", "field2", ...]
+      ignore_missing: false
+```
+
+See [Conditions](/reference/filebeat/defining-processors.md#conditions) for a list of supported conditions.
+
+::::{note}
+If you define an empty list of fields under `drop_fields`, then no fields are dropped.
+::::
+
+
+The `drop_fields` processor has the following configuration settings:
+
+`fields`
+:   If non-empty, a list of matching field names will be removed. Any element in array can contain a regular expression delimited by two slashes (*/reg_exp/*), in order to match (name) and remove more than one field.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
diff --git a/docs/reference/filebeat/elasticsearch-output.md b/docs/reference/filebeat/elasticsearch-output.md
new file mode 100644
index 000000000000..803fd05da3e5
--- /dev/null
+++ b/docs/reference/filebeat/elasticsearch-output.md
@@ -0,0 +1,516 @@
+---
+navigation_title: "Elasticsearch"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/elasticsearch-output.html
+---
+
+# Configure the Elasticsearch output [elasticsearch-output]
+
+
+The Elasticsearch output sends events directly to Elasticsearch using the Elasticsearch HTTP API.
+
+Example configuration:
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"] <1>
+```
+
+1. To enable SSL, add `https` to all URLs defined under *hosts*.
+
+
+When sending data to a secured cluster through the `elasticsearch` output, Filebeat can use any of the following authentication methods:
+
+* Basic authentication credentials (username and password).
+* Token-based (API key) authentication.
+* Public Key Infrastructure (PKI) certificates.
+
+**Basic authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  username: "filebeat_writer"
+  password: "{pwd}"
+```
+
+**API key authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  api_key: "ZCV7VnwBgnX0T19fN8Qe:KnR6yE41RrSowb0kQ0HWoA"
+```
+
+**PKI certificate authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  ssl.certificate: "/etc/pki/client/cert.pem"
+  ssl.key: "/etc/pki/client/cert.key"
+```
+
+See [*Secure communication with Elasticsearch*](/reference/filebeat/securing-communication-elasticsearch.md) for details on each authentication method.
+
+## Compatibility [_compatibility]
+
+This output works with all compatible versions of Elasticsearch. See the [Elastic Support Matrix](https://www.elastic.co/support/matrix#matrix_compatibility).
+
+Optionally, you can set Filebeat to only connect to instances that are at least on the same version as the Beat. The check can be enabled by setting `output.elasticsearch.allow_older_versions` to `false`. Leaving the setting at it’s default value of `true` avoids an issue where Filebeat cannot connect to {{es}} after having been upgraded to a version higher than the {{stack}}.
+
+
+## Configuration options [_configuration_options_25]
+
+You can specify the following options in the `elasticsearch` section of the `filebeat.yml` config file:
+
+### `enabled` [_enabled_30]
+
+The enabled config is a boolean setting to enable or disable the output. If set to `false`, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [hosts-option]
+
+The list of Elasticsearch nodes to connect to. The events are distributed to these nodes in round robin order. If one node becomes unreachable, the event is automatically sent to another node. Each Elasticsearch node can be defined as a `URL` or `IP:PORT`. For example: `http://192.15.3.2`, `https://es.found.io:9230` or `192.24.3.2:9300`. If no port is specified, `9200` is used.
+
+::::{note}
+When a node is defined as an `IP:PORT`, the *scheme* and *path* are taken from the [`protocol`](#protocol-option) and [`path`](#path-option) config options.
+::::
+
+
+```yaml
+output.elasticsearch:
+  hosts: ["10.45.3.2:9220", "10.45.3.1:9230"]
+  protocol: https
+  path: /elasticsearch
+```
+
+In the previous example, the Elasticsearch nodes are available at `https://10.45.3.2:9220/elasticsearch` and `https://10.45.3.1:9230/elasticsearch`.
+
+
+### `compression_level` [compression-level-option]
+
+The gzip compression level. Setting this value to `0` disables compression. The compression level must be in the range of `1` (best speed) to `9` (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the cpu usage.
+
+The default value is `1`.
+
+
+### `escape_html` [_escape_html]
+
+Configure escaping of HTML in strings. Set to `true` to enable escaping.
+
+The default value is `false`.
+
+
+### `worker` or `workers` [worker-option]
+
+The number of workers per configured host publishing events to Elasticsearch. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+The default value is `1`.
+
+
+### `loadbalance` [_loadbalance]
+
+When `loadbalance: true` is set, Filebeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Filebeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Filebeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Filebeat can connect to at least one of its configured hosts.
+
+The default value is `true`.
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200", "localhost:9201"]
+  loadbalance: true
+```
+
+
+### `api_key` [_api_key]
+
+Instead of using a username and password, you can use API keys to secure communication with {{es}}. The value must be the ID of the API key and the API key joined by a colon: `id:api_key`.
+
+See [*Grant access using API keys*](/reference/filebeat/beats-api-keys.md) for more information.
+
+
+### `username` [_username_3]
+
+The basic authentication username for connecting to Elasticsearch.
+
+This user needs the privileges required to publish events to {{es}}. To create a user like this, see [Create a *publishing* user](/reference/filebeat/privileges-to-publish-events.md).
+
+
+### `password` [_password_3]
+
+The basic authentication password for connecting to Elasticsearch.
+
+
+### `parameters` [_parameters]
+
+Dictionary of HTTP parameters to pass within the url with index operations.
+
+
+### `protocol` [protocol-option]
+
+The name of the protocol Elasticsearch is reachable on. The options are: `http` or `https`. The default is `http`. However, if you specify a URL for [`hosts`](#hosts-option), the value of `protocol` is overridden by whatever scheme you specify in the URL.
+
+
+### `path` [path-option]
+
+An HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where Elasticsearch listens behind an HTTP reverse proxy that exports the API under a custom prefix.
+
+
+### `headers` [_headers]
+
+Custom HTTP headers to add to each request created by the Elasticsearch output. Example:
+
+```yaml
+output.elasticsearch.headers:
+  X-My-Header: Header contents
+```
+
+It is possible to specify multiple header values for the same header name by separating them with a comma.
+
+
+### `proxy_disable` [_proxy_disable]
+
+If set to `true` all proxy settings, including `HTTP_PROXY` and `HTTPS_PROXY` variables are ignored.
+
+
+### `proxy_url` [_proxy_url_2]
+
+The URL of the proxy to use when connecting to the Elasticsearch servers. The value must be a complete URL. If a value is not specified through the configuration file then proxy environment variables are used. See the [Go documentation](https://golang.org/pkg/net/http/#ProxyFromEnvironment) for more information about the environment variables.
+
+
+### `proxy_headers` [_proxy_headers_2]
+
+Additional headers to send to proxies during CONNECT requests.
+
+
+### `index` [index-option-es]
+
+The indexing target to write events to. Can point to an [index](https://www.elastic.co/guide/en/elasticsearch/reference/current/index-mgmt.html), [alias](docs-content://manage-data/data-store/aliases.md), or [data stream](docs-content://manage-data/data-store/data-streams.md). When using daily indices, this will be the index name. The default is `"filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"`, for example, `"filebeat-9.0.0-beta1-2025-01-30"`. If you change this setting, you also need to configure the `setup.template.name` and `setup.template.pattern` options (see [Elasticsearch index template](/reference/filebeat/configuration-template.md)).
+
+If you are using the pre-built Kibana dashboards, you also need to set the `setup.dashboards.index` option (see [Kibana dashboards](/reference/filebeat/configuration-dashboards.md)).
+
+When [index lifecycle management (ILM)](/reference/filebeat/ilm.md) is enabled, the default `index` is `"filebeat-%{[agent.version]}-%{+yyyy.MM.dd}-%{{index_num}}"`, for example, `"filebeat-9.0.0-beta1-2025-01-30-000001"`. Custom `index` settings are ignored when ILM is enabled. If you’re sending events to a cluster that supports index lifecycle management, see [Index lifecycle management (ILM)](/reference/filebeat/ilm.md) to learn how to change the index name.
+
+You can set the index dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_type`, to set the index:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  index: "%{[fields.log_type]}-%{[agent.version]}-%{+yyyy.MM.dd}" <1>
+```
+
+1. We recommend including `agent.version` in the name to avoid mapping issues when you upgrade.
+
+
+With this configuration, all events with `log_type: normal` are sent to an index named `normal-9.0.0-beta1-2025-01-30`, and all events with `log_type: critical` are sent to an index named `critical-9.0.0-beta1-2025-01-30`.
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/filebeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`indices`](#indices-option-es) setting for other ways to set the index dynamically.
+
+
+### `indices` [indices-option-es]
+
+An array of index selector rules. Each rule specifies the index to use for events that match the rule. During publishing, Filebeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `indices` setting is missing or no rule matches, the [`index`](#index-option-es) setting is used.
+
+Similar to `index`, defining custom `indices` will disable [Index lifecycle management (ILM)](/reference/filebeat/ilm.md).
+
+Rule settings:
+
+**`index`**
+:   The index format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `index` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/filebeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sets the index based on whether the `message` field contains the specified string:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  indices:
+    - index: "warning-%{[agent.version]}-%{+yyyy.MM.dd}"
+      when.contains:
+        message: "WARN"
+    - index: "error-%{[agent.version]}-%{+yyyy.MM.dd}"
+      when.contains:
+        message: "ERR"
+```
+
+This configuration results in indices named `warning-9.0.0-beta1-2025-01-30` and `error-9.0.0-beta1-2025-01-30` (plus the default index if no matches are found).
+
+The following example sets the index by taking the name returned by the `index` format string and mapping it to a new name that’s used for the index:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  indices:
+    - index: "%{[fields.log_type]}"
+      mappings:
+        critical: "sev1"
+        normal: "sev2"
+      default: "sev3"
+```
+
+This configuration results in indices named `sev1`, `sev2`, and `sev3`.
+
+The `mappings` setting simplifies the configuration, but is limited to string values. You cannot specify format strings within the mapping pairs.
+
+
+### `ilm` [ilm-es]
+
+Configuration options for index lifecycle management.
+
+See [Index lifecycle management (ILM)](/reference/filebeat/ilm.md) for more information.
+
+
+### `pipeline` [pipeline-option-es]
+
+A format string value that specifies the ingest pipeline to write events to.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipeline: my_pipeline_id
+```
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+For more information, see [*Parse data using an ingest pipeline*](/reference/filebeat/configuring-ingest-node.md).
+
+You can set the ingest pipeline dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_type`, to set the pipeline for each event:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipeline: "%{[fields.log_type]}_pipeline"
+```
+
+With this configuration, all events with `log_type: normal` are sent to a pipeline named `normal_pipeline`, and all events with `log_type: critical` are sent to a pipeline named `critical_pipeline`.
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/filebeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`pipelines`](#pipelines-option-es) setting for other ways to set the ingest pipeline dynamically.
+
+
+### `pipelines` [pipelines-option-es]
+
+An array of pipeline selector rules. Each rule specifies the ingest pipeline to use for events that match the rule. During publishing, Filebeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `pipelines` setting is missing or no rule matches, the [`pipeline`](#pipeline-option-es) setting is used.
+
+Rule settings:
+
+**`pipeline`**
+:   The pipeline format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `pipeline` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/filebeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sends events to a specific pipeline based on whether the `message` field contains the specified string:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipelines:
+    - pipeline: "warning_pipeline"
+      when.contains:
+        message: "WARN"
+    - pipeline: "error_pipeline"
+      when.contains:
+        message: "ERR"
+```
+
+The following example sets the pipeline by taking the name returned by the `pipeline` format string and mapping it to a new name that’s used for the pipeline:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipelines:
+    - pipeline: "%{[fields.log_type]}"
+      mappings:
+        critical: "sev1_pipeline"
+        normal: "sev2_pipeline"
+      default: "sev3_pipeline"
+```
+
+With this configuration, all events with `log_type: critical` are sent to `sev1_pipeline`, all events with `log_type: normal` are sent to a `sev2_pipeline`, and all other events are sent to `sev3_pipeline`.
+
+For more information about ingest pipelines, see [*Parse data using an ingest pipeline*](/reference/filebeat/configuring-ingest-node.md).
+
+
+### `max_retries` [_max_retries]
+
+Filebeat ignores the `max_retries` setting and retries indefinitely.
+
+
+### `bulk_max_size` [bulk-max-size-option]
+
+The maximum number of events to bulk in a single Elasticsearch bulk API index request. The default is 1600.
+
+Events can be collected into batches. Filebeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `backoff.init` [backoff-init-option]
+
+The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting `backoff.init` seconds, Filebeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is `1s`.
+
+
+### `backoff.max` [backoff-max-option]
+
+The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. The default is `60s`.
+
+
+### `idle_connection_timeout` [idle-connection-timeout-option]
+
+The maximum amount of time an idle connection will remain idle before closing itself. Zero means no limit. The format is a Go language duration (example 60s is 60 seconds). The default is 3s.
+
+
+### `timeout` [_timeout_2]
+
+The http request timeout in seconds for the Elasticsearch request. The default is 90.
+
+
+### `allow_older_versions` [_allow_older_versions]
+
+By default, Filebeat expects the Elasticsearch instance to be on the same or newer version to provide optimal experience. We suggest you connect to the same version to make sure all features Filebeat is using are available in your Elasticsearch instance.
+
+You can disable the check for example during updating the Elastic Stack, so data collection can go on.
+
+
+### `ssl` [_ssl_4]
+
+Configuration options for SSL parameters like the certificate authority to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to Elasticsearch.
+
+See the [secure communication with {{es}}](/reference/filebeat/securing-communication-elasticsearch.md) guide or [SSL configuration reference](/reference/filebeat/configuration-ssl.md) for more information.
+
+
+### `kerberos` [_kerberos_2]
+
+Configuration options for Kerberos authentication.
+
+See [Kerberos](/reference/filebeat/configuration-kerberos.md) for more information.
+
+
+### `queue` [_queue]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/filebeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `filebeat.yml` or the `output` section but not both. ===== `non_indexable_policy`
+
+Specifies the behavior when the elasticsearch cluster explicitly rejects documents, for example on mapping conflicts.
+
+#### `drop` [_drop]
+
+The default behaviour, when an event is explicitly rejected by elasticsearch it is dropped.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  non_indexable_policy.drop: ~
+```
+
+
+#### `dead_letter_index` [_dead_letter_index]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+On an explicit rejection, this policy will retry the event in the next batch. However, the target index will change to index specified. In addition, the structure of the event will be change to the following fields:
+
+message
+:   Contains the escaped json of the original event.
+
+error.type
+:   Contains the status code
+
+error.message
+:   Contains status returned by elasticsearch, describing the reason
+
+`index`
+:   The index to send rejected events to.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  non_indexable_policy.dead_letter_index:
+    index: "my-dead-letter-index"
+```
+
+
+
+### `preset` [_preset]
+
+The performance preset to apply to the output configuration.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  preset: balanced
+```
+
+Performance presets apply a set of configuration overrides based on a desired performance goal. If set, a performance preset will override other configuration flags to match the recommended settings for that preset. If a preset doesn’t set a value for a particular field, the user-specified value will be used if present, otherwise the default. Valid options are: * `balanced`: good starting point for general efficiency * `throughput`: good for high data volumes, may increase cpu and memory requirements * `scale`: reduces ambient resource use in large low-throughput deployments * `latency`: minimize the time for fresh data to become visible in Elasticsearch * `custom`: apply user configuration directly with no overrides
+
+The default if unspecified is `custom`.
+
+Presets represent current recommendations based on the intended goal; their effect may change between versions to better suit those goals. Currently the presets have the following effects:
+
+| preset | balanced | throughput | scale | latency |
+| --- | --- | --- | --- | --- |
+| [`bulk_max_size`](#bulk-max-size-option) | 1600 | 1600 | 1600 | 50 |
+| [`worker`](#worker-option) | 1 | 4 | 1 | 1 |
+| [`queue.mem.events`](/reference/filebeat/configuring-internal-queue.md#queue-mem-events-option) | 3200 | 12800 | 3200 | 4100 |
+| [`queue.mem.flush.min_events`](/reference/filebeat/configuring-internal-queue.md#queue-mem-flush-min-events-option) | 1600 | 1600 | 1600 | 2050 |
+| [`queue.mem.flush.timeout`](/reference/filebeat/configuring-internal-queue.md#queue-mem-flush-timeout-option) | `10s` | `5s` | `20s` | `1s` |
+| [`compression_level`](#compression-level-option) | 1 | 1 | 1 | 1 |
+| [`idle_connection_timeout`](#idle-connection-timeout-option) | `3s` | `15s` | `1s` | `60s` |
+| [`backoff.init`](#backoff-init-option) | none | none | `5s` | none |
+| [`backoff.max`](#backoff-max-option) | none | none | `300s` | none |
+
+
+
+## Elasticsearch APIs [es-apis]
+
+Filebeat will use the `_bulk` API from {{es}}, the events are sent in the order they arrive to the publishing pipeline, a single `_bulk` request may contain events from different inputs/modules. Temporary failures are re-tried.
+
+The status code for each event is checked and handled as:
+
+* `< 300`: The event is counted as `events.acked`
+* `409` (Conflict): The event is counted as `events.duplicates`
+* `429` (Too Many Requests): The event is counted as `events.toomany`
+* `> 399 and < 500`: The `non_indexable_policy` is applied.
+
+
diff --git a/docs/reference/filebeat/enable-filebeat-debugging.md b/docs/reference/filebeat/enable-filebeat-debugging.md
new file mode 100644
index 000000000000..d15d09a65f31
--- /dev/null
+++ b/docs/reference/filebeat/enable-filebeat-debugging.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/enable-filebeat-debugging.html
+---
+
+# Debug [enable-filebeat-debugging]
+
+By default, Filebeat sends all its output to syslog. When you run Filebeat in the foreground, you can use the `-e` command line flag to redirect the output to standard error instead. For example:
+
+```sh
+filebeat -e
+```
+
+The default configuration file is filebeat.yml (the location of the file varies by platform). You can use a different configuration file by specifying the `-c` flag. For example:
+
+```sh
+filebeat -e -c myfilebeatconfig.yml
+```
+
+You can increase the verbosity of debug messages by enabling one or more debug selectors. For example, to view publisher-related messages, start Filebeat with the `publisher` selector:
+
+```sh
+filebeat -e -d "publisher"
+```
+
+If you want all the debugging output (fair warning, it’s quite a lot), you can use `*`, like this:
+
+```sh
+filebeat -e -d "*"
+```
+
diff --git a/docs/reference/filebeat/error-found-unexpected-character.md b/docs/reference/filebeat/error-found-unexpected-character.md
new file mode 100644
index 000000000000..6ca9214f3605
--- /dev/null
+++ b/docs/reference/filebeat/error-found-unexpected-character.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/error-found-unexpected-character.html
+---
+
+# Found unexpected or unknown characters [error-found-unexpected-character]
+
+Either there is a problem with the structure of your config file, or you have used a path or expression that the YAML parser cannot resolve because the config file contains characters that aren’t properly escaped.
+
+If the YAML file contains paths with spaces or unusual characters, wrap the paths in single quotation marks (see [Wrap paths in single quotation marks](/reference/filebeat/yaml-tips.md#wrap-paths-in-quotes)).
+
+Also see the general advice under [*Avoid YAML formatting problems*](/reference/filebeat/yaml-tips.md).
+
diff --git a/docs/reference/filebeat/error-loading-config.md b/docs/reference/filebeat/error-loading-config.md
new file mode 100644
index 000000000000..4eadd353fbab
--- /dev/null
+++ b/docs/reference/filebeat/error-loading-config.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/error-loading-config.html
+---
+
+# Error loading config file [error-loading-config]
+
+You may encounter errors loading the config file on POSIX operating systems if:
+
+* an unauthorized user tries to load the config file, or
+* the config file has the wrong permissions.
+
+See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md) for more about resolving these errors.
+
diff --git a/docs/reference/filebeat/exported-fields-activemq.md b/docs/reference/filebeat/exported-fields-activemq.md
new file mode 100644
index 000000000000..71b9572ca970
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-activemq.md
@@ -0,0 +1,44 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-activemq.html
+---
+
+# ActiveMQ fields [exported-fields-activemq]
+
+Module for parsing ActiveMQ log files.
+
+
+## activemq [_activemq]
+
+**`activemq.caller`**
+:   Name of the caller issuing the logging request (class or resource).
+
+type: keyword
+
+
+**`activemq.thread`**
+:   Thread that generated the logging event.
+
+type: keyword
+
+
+**`activemq.user`**
+:   User that generated the logging event.
+
+type: keyword
+
+
+
+## audit [_audit]
+
+Fields from ActiveMQ audit logs.
+
+
+## log [_log]
+
+Fields from ActiveMQ application logs.
+
+**`activemq.log.stack_trace`**
+:   type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-apache.md b/docs/reference/filebeat/exported-fields-apache.md
new file mode 100644
index 000000000000..259bb6fee646
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-apache.md
@@ -0,0 +1,42 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-apache.html
+---
+
+# Apache fields [exported-fields-apache]
+
+Apache Module
+
+
+## apache [_apache]
+
+Apache fields.
+
+
+## access [_access]
+
+Contains fields for the Apache HTTP Server access logs.
+
+**`apache.access.ssl.protocol`**
+:   SSL protocol version.
+
+type: keyword
+
+
+**`apache.access.ssl.cipher`**
+:   SSL cipher name.
+
+type: keyword
+
+
+
+## error [_error]
+
+Fields from the Apache error logs.
+
+**`apache.error.module`**
+:   The module producing the logged message.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-auditd.md b/docs/reference/filebeat/exported-fields-auditd.md
new file mode 100644
index 000000000000..86db1a334e57
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-auditd.md
@@ -0,0 +1,363 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-auditd.html
+---
+
+# Auditd fields [exported-fields-auditd]
+
+Module for parsing auditd logs.
+
+**`user.terminal`**
+:   Terminal or tty device on which the user is performing the observed activity.
+
+type: keyword
+
+
+**`user.audit.id`**
+:   One or multiple unique identifiers of the user.
+
+type: keyword
+
+
+**`user.audit.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+
+**`user.audit.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.audit.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.filesystem.id`**
+:   One or multiple unique identifiers of the user.
+
+type: keyword
+
+
+**`user.filesystem.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+
+**`user.filesystem.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.filesystem.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.owner.id`**
+:   One or multiple unique identifiers of the user.
+
+type: keyword
+
+
+**`user.owner.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+
+**`user.owner.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.owner.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.saved.id`**
+:   One or multiple unique identifiers of the user.
+
+type: keyword
+
+
+**`user.saved.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+
+**`user.saved.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.saved.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+
+## auditd [_auditd]
+
+Fields from the auditd logs.
+
+
+## log [_log_2]
+
+Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type.
+
+**`auditd.log.old_auid`**
+:   For login events this is the old audit ID used for the user prior to this login.
+
+
+**`auditd.log.new_auid`**
+:   For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).
+
+
+**`auditd.log.old_ses`**
+:   For login events this is the old session ID used for the user prior to this login.
+
+
+**`auditd.log.new_ses`**
+:   For login events this is the new session ID. It can be used to tie a user to future events by session ID.
+
+
+**`auditd.log.sequence`**
+:   The audit event sequence number.
+
+type: long
+
+
+**`auditd.log.items`**
+:   The number of items in an event.
+
+
+**`auditd.log.item`**
+:   The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item.
+
+
+**`auditd.log.tty`**
+:   type: keyword
+
+
+**`auditd.log.a0`**
+:   The first argument to the system call.
+
+
+**`auditd.log.addr`**
+:   type: ip
+
+
+**`auditd.log.rport`**
+:   type: long
+
+
+**`auditd.log.laddr`**
+:   type: ip
+
+
+**`auditd.log.lport`**
+:   type: long
+
+
+**`auditd.log.acct`**
+:   type: alias
+
+alias to: user.name
+
+
+**`auditd.log.pid`**
+:   type: alias
+
+alias to: process.pid
+
+
+**`auditd.log.ppid`**
+:   type: alias
+
+alias to: process.parent.pid
+
+
+**`auditd.log.res`**
+:   type: alias
+
+alias to: event.outcome
+
+
+**`auditd.log.record_type`**
+:   type: alias
+
+alias to: event.action
+
+
+**`auditd.log.geoip.continent_name`**
+:   type: alias
+
+alias to: source.geo.continent_name
+
+
+**`auditd.log.geoip.country_iso_code`**
+:   type: alias
+
+alias to: source.geo.country_iso_code
+
+
+**`auditd.log.geoip.location`**
+:   type: alias
+
+alias to: source.geo.location
+
+
+**`auditd.log.geoip.region_name`**
+:   type: alias
+
+alias to: source.geo.region_name
+
+
+**`auditd.log.geoip.city_name`**
+:   type: alias
+
+alias to: source.geo.city_name
+
+
+**`auditd.log.geoip.region_iso_code`**
+:   type: alias
+
+alias to: source.geo.region_iso_code
+
+
+**`auditd.log.arch`**
+:   type: alias
+
+alias to: host.architecture
+
+
+**`auditd.log.gid`**
+:   type: alias
+
+alias to: user.group.id
+
+
+**`auditd.log.uid`**
+:   type: alias
+
+alias to: user.id
+
+
+**`auditd.log.agid`**
+:   type: alias
+
+alias to: user.audit.group.id
+
+
+**`auditd.log.auid`**
+:   type: alias
+
+alias to: user.audit.id
+
+
+**`auditd.log.fsgid`**
+:   type: alias
+
+alias to: user.filesystem.group.id
+
+
+**`auditd.log.fsuid`**
+:   type: alias
+
+alias to: user.filesystem.id
+
+
+**`auditd.log.egid`**
+:   type: alias
+
+alias to: user.effective.group.id
+
+
+**`auditd.log.euid`**
+:   type: alias
+
+alias to: user.effective.id
+
+
+**`auditd.log.sgid`**
+:   type: alias
+
+alias to: user.saved.group.id
+
+
+**`auditd.log.suid`**
+:   type: alias
+
+alias to: user.saved.id
+
+
+**`auditd.log.ogid`**
+:   type: alias
+
+alias to: user.owner.group.id
+
+
+**`auditd.log.ouid`**
+:   type: alias
+
+alias to: user.owner.id
+
+
+**`auditd.log.comm`**
+:   type: alias
+
+alias to: process.name
+
+
+**`auditd.log.exe`**
+:   type: alias
+
+alias to: process.executable
+
+
+**`auditd.log.terminal`**
+:   type: alias
+
+alias to: user.terminal
+
+
+**`auditd.log.msg`**
+:   type: alias
+
+alias to: message
+
+
+**`auditd.log.src`**
+:   type: alias
+
+alias to: source.address
+
+
+**`auditd.log.dst`**
+:   type: alias
+
+alias to: destination.address
+
+
diff --git a/docs/reference/filebeat/exported-fields-aws-cloudwatch.md b/docs/reference/filebeat/exported-fields-aws-cloudwatch.md
new file mode 100644
index 000000000000..847bb00da8eb
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-aws-cloudwatch.md
@@ -0,0 +1,32 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-aws-cloudwatch.html
+---
+
+# AWS CloudWatch fields [exported-fields-aws-cloudwatch]
+
+Fields from AWS CloudWatch logs.
+
+
+## aws.cloudwatch [_aws_cloudwatch]
+
+Fields from AWS CloudWatch logs.
+
+**`aws.cloudwatch.log_group`**
+:   The name of the log group to which this event belongs.
+
+type: keyword
+
+
+**`aws.cloudwatch.log_stream`**
+:   The name of the log stream to which this event belongs.
+
+type: keyword
+
+
+**`aws.cloudwatch.ingestion_time`**
+:   The time the event was ingested in AWS CloudWatch.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-aws.md b/docs/reference/filebeat/exported-fields-aws.md
new file mode 100644
index 000000000000..6d22d7f397c8
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-aws.md
@@ -0,0 +1,788 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-aws.html
+---
+
+# AWS fields [exported-fields-aws]
+
+Module for handling logs from AWS.
+
+
+## aws [_aws]
+
+Fields from AWS logs.
+
+
+## cloudtrail [_cloudtrail]
+
+Fields for AWS CloudTrail logs.
+
+**`aws.cloudtrail.event_version`**
+:   The CloudTrail version of the log event format.
+
+type: keyword
+
+
+
+## user_identity [_user_identity]
+
+The userIdentity element contains details about the type of IAM identity that made the request, and which credentials were used. If temporary credentials were used, the element shows how the credentials were obtained.
+
+**`aws.cloudtrail.user_identity.type`**
+:   The type of the identity
+
+type: keyword
+
+
+**`aws.cloudtrail.user_identity.arn`**
+:   The Amazon Resource Name (ARN) of the principal that made the call.
+
+type: keyword
+
+
+**`aws.cloudtrail.user_identity.access_key_id`**
+:   The access key ID that was used to sign the request.
+
+type: keyword
+
+
+
+## session_context [_session_context]
+
+If the request was made with temporary security credentials, an element that provides information about the session that was created for those credentials
+
+**`aws.cloudtrail.user_identity.session_context.mfa_authenticated`**
+:   The value is true if the root user or IAM user whose credentials were used for the request also was authenticated with an MFA device; otherwise, false.
+
+type: keyword
+
+
+**`aws.cloudtrail.user_identity.session_context.creation_date`**
+:   The date and time when the temporary security credentials were issued.
+
+type: date
+
+
+
+## session_issuer [_session_issuer]
+
+If the request was made with temporary security credentials, an element that provides information about how the credentials were obtained.
+
+**`aws.cloudtrail.user_identity.session_context.session_issuer.type`**
+:   The source of the temporary security credentials, such as Root, IAMUser, or Role.
+
+type: keyword
+
+
+**`aws.cloudtrail.user_identity.session_context.session_issuer.principal_id`**
+:   The internal ID of the entity that was used to get credentials.
+
+type: keyword
+
+
+**`aws.cloudtrail.user_identity.session_context.session_issuer.arn`**
+:   The ARN of the source (account, IAM user, or role) that was used to get temporary security credentials.
+
+type: keyword
+
+
+**`aws.cloudtrail.user_identity.session_context.session_issuer.account_id`**
+:   The account that owns the entity that was used to get credentials.
+
+type: keyword
+
+
+**`aws.cloudtrail.user_identity.invoked_by`**
+:   The name of the AWS service that made the request, such as Amazon EC2 Auto Scaling or AWS Elastic Beanstalk.
+
+type: keyword
+
+
+**`aws.cloudtrail.error_code`**
+:   The AWS service error if the request returns an error.
+
+type: keyword
+
+
+**`aws.cloudtrail.error_message`**
+:   If the request returns an error, the description of the error.
+
+type: keyword
+
+
+**`aws.cloudtrail.request_parameters`**
+:   The parameters, if any, that were sent with the request.
+
+type: keyword
+
+
+**`aws.cloudtrail.request_parameters.text`**
+:   type: text
+
+
+**`aws.cloudtrail.response_elements`**
+:   The response element for actions that make changes (create, update, or delete actions).
+
+type: keyword
+
+
+**`aws.cloudtrail.response_elements.text`**
+:   type: text
+
+
+**`aws.cloudtrail.additional_eventdata`**
+:   Additional data about the event that was not part of the request or response.
+
+type: keyword
+
+
+**`aws.cloudtrail.additional_eventdata.text`**
+:   type: text
+
+
+**`aws.cloudtrail.request_id`**
+:   The value that identifies the request. The service being called generates this value.
+
+type: keyword
+
+
+**`aws.cloudtrail.event_type`**
+:   Identifies the type of event that generated the event record.
+
+type: keyword
+
+
+**`aws.cloudtrail.api_version`**
+:   Identifies the API version associated with the AwsApiCall eventType value.
+
+type: keyword
+
+
+**`aws.cloudtrail.management_event`**
+:   A Boolean value that identifies whether the event is a management event.
+
+type: keyword
+
+
+**`aws.cloudtrail.read_only`**
+:   Identifies whether this operation is a read-only operation.
+
+type: keyword
+
+
+
+## resources [_resources]
+
+A list of resources accessed in the event.
+
+**`aws.cloudtrail.resources.arn`**
+:   Resource ARNs
+
+type: keyword
+
+
+**`aws.cloudtrail.resources.account_id`**
+:   Account ID of the resource owner
+
+type: keyword
+
+
+**`aws.cloudtrail.resources.type`**
+:   Resource type identifier in the format: AWS::aws-service-name::data-type-name
+
+type: keyword
+
+
+**`aws.cloudtrail.recipient_account_id`**
+:   Represents the account ID that received this event.
+
+type: keyword
+
+
+**`aws.cloudtrail.service_event_details`**
+:   Identifies the service event, including what triggered the event and the result.
+
+type: keyword
+
+
+**`aws.cloudtrail.service_event_details.text`**
+:   type: text
+
+
+**`aws.cloudtrail.shared_event_id`**
+:   GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts.
+
+type: keyword
+
+
+**`aws.cloudtrail.vpc_endpoint_id`**
+:   Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3.
+
+type: keyword
+
+
+**`aws.cloudtrail.event_category`**
+:   Shows the event category that is used in LookupEvents calls.
+
+* For management events, the value is management.
+* For data events, the value is data.
+* For Insights events, the value is insight.
+
+type: keyword
+
+
+
+## console_login [_console_login]
+
+Fields specific to ConsoleLogin events
+
+
+## additional_eventdata [_additional_eventdata]
+
+Additional Event Data for ConsoleLogin events
+
+**`aws.cloudtrail.console_login.additional_eventdata.mobile_version`**
+:   Identifies whether ConsoleLogin was from mobile version
+
+type: boolean
+
+
+**`aws.cloudtrail.console_login.additional_eventdata.login_to`**
+:   URL for ConsoleLogin
+
+type: keyword
+
+
+**`aws.cloudtrail.console_login.additional_eventdata.mfa_used`**
+:   Identifies whether multi factor authentication was used during ConsoleLogin
+
+type: boolean
+
+
+
+## flattened [_flattened]
+
+ES flattened datatype for objects where the subfields aren’t known in advance.
+
+**`aws.cloudtrail.flattened.additional_eventdata`**
+:   Additional data about the event that was not part of the request or response.
+
+type: flattened
+
+
+**`aws.cloudtrail.flattened.request_parameters`**
+:   The parameters, if any, that were sent with the request.
+
+type: flattened
+
+
+**`aws.cloudtrail.flattened.response_elements`**
+:   The response element for actions that make changes (create, update, or delete actions).
+
+type: flattened
+
+
+**`aws.cloudtrail.flattened.service_event_details`**
+:   Identifies the service event, including what triggered the event and the result.
+
+type: flattened
+
+
+
+## digest [_digest]
+
+Fields from Cloudtrail Digest Logs
+
+**`aws.cloudtrail.digest.log_files`**
+:   A list of Logfiles contained in the digest.
+
+type: nested
+
+
+**`aws.cloudtrail.digest.start_time`**
+:   The starting UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by CloudTrail.
+
+type: date
+
+
+**`aws.cloudtrail.digest.end_time`**
+:   The ending UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by CloudTrail.
+
+type: date
+
+
+**`aws.cloudtrail.digest.s3_bucket`**
+:   The name of the Amazon S3 bucket to which the current digest file has been delivered.
+
+type: keyword
+
+
+**`aws.cloudtrail.digest.s3_object`**
+:   The Amazon S3 object key (that is, the Amazon S3 bucket location) of the current digest file.
+
+type: keyword
+
+
+**`aws.cloudtrail.digest.newest_event_time`**
+:   The UTC time of the most recent event among all of the events in the log files in the digest.
+
+type: date
+
+
+**`aws.cloudtrail.digest.oldest_event_time`**
+:   The UTC time of the oldest event among all of the events in the log files in the digest.
+
+type: date
+
+
+**`aws.cloudtrail.digest.previous_s3_bucket`**
+:   The Amazon S3 bucket to which the previous digest file was delivered.
+
+type: keyword
+
+
+**`aws.cloudtrail.digest.previous_hash_algorithm`**
+:   The name of the hash algorithm that was used to hash the previous digest file.
+
+type: keyword
+
+
+**`aws.cloudtrail.digest.public_key_fingerprint`**
+:   The hexadecimal encoded fingerprint of the public key that matches the private key used to sign this digest file.
+
+type: keyword
+
+
+**`aws.cloudtrail.digest.signature_algorithm`**
+:   The algorithm used to sign the digest file.
+
+type: keyword
+
+
+**`aws.cloudtrail.insight_details`**
+:   Shows information about the underlying triggers of an Insights event, such as event source, user agent, statistics, API name, and whether the event is the start or end of the Insights event.
+
+type: flattened
+
+
+
+## cloudwatch [_cloudwatch]
+
+Fields for AWS CloudWatch logs.
+
+**`aws.cloudwatch.message`**
+:   CloudWatch log message.
+
+type: text
+
+
+
+## ec2 [_ec2]
+
+Fields for AWS EC2 logs in CloudWatch.
+
+**`aws.ec2.ip_address`**
+:   The internet address of the requester.
+
+type: keyword
+
+
+
+## elb [_elb]
+
+Fields for AWS ELB logs.
+
+**`aws.elb.name`**
+:   The name of the load balancer.
+
+type: keyword
+
+
+**`aws.elb.type`**
+:   The type of the load balancer for v2 Load Balancers.
+
+type: keyword
+
+
+**`aws.elb.target_group.arn`**
+:   The ARN of the target group handling the request.
+
+type: keyword
+
+
+**`aws.elb.listener`**
+:   The ELB listener that received the connection.
+
+type: keyword
+
+
+**`aws.elb.protocol`**
+:   The protocol of the load balancer (http or tcp).
+
+type: keyword
+
+
+**`aws.elb.request_processing_time.sec`**
+:   The total time in seconds since the connection or request is received until it is sent to a registered backend.
+
+type: float
+
+
+**`aws.elb.backend_processing_time.sec`**
+:   The total time in seconds since the connection is sent to the backend till the backend starts responding.
+
+type: float
+
+
+**`aws.elb.response_processing_time.sec`**
+:   The total time in seconds since the response is received from the backend till it is sent to the client.
+
+type: float
+
+
+**`aws.elb.connection_time.ms`**
+:   The total time of the connection in milliseconds, since it is opened till it is closed.
+
+type: long
+
+
+**`aws.elb.tls_handshake_time.ms`**
+:   The total time for the TLS handshake to complete in milliseconds once the connection has been established.
+
+type: long
+
+
+**`aws.elb.backend.ip`**
+:   The IP address of the backend processing this connection.
+
+type: keyword
+
+
+**`aws.elb.backend.port`**
+:   The port in the backend processing this connection.
+
+type: keyword
+
+
+**`aws.elb.backend.http.response.status_code`**
+:   The status code from the backend (status code sent to the client from ELB is stored in `http.response.status_code`
+
+type: keyword
+
+
+**`aws.elb.ssl_cipher`**
+:   The SSL cipher used in TLS/SSL connections.
+
+type: keyword
+
+
+**`aws.elb.ssl_protocol`**
+:   The SSL protocol used in TLS/SSL connections.
+
+type: keyword
+
+
+**`aws.elb.chosen_cert.arn`**
+:   The ARN of the chosen certificate presented to the client in TLS/SSL connections.
+
+type: keyword
+
+
+**`aws.elb.chosen_cert.serial`**
+:   The serial number of the chosen certificate presented to the client in TLS/SSL connections.
+
+type: keyword
+
+
+**`aws.elb.incoming_tls_alert`**
+:   The integer value of TLS alerts received by the load balancer from the client, if present.
+
+type: keyword
+
+
+**`aws.elb.tls_named_group`**
+:   The TLS named group.
+
+type: keyword
+
+
+**`aws.elb.trace_id`**
+:   The contents of the `X-Amzn-Trace-Id` header.
+
+type: keyword
+
+
+**`aws.elb.matched_rule_priority`**
+:   The priority value of the rule that matched the request, if a rule matched.
+
+type: keyword
+
+
+**`aws.elb.action_executed`**
+:   The action executed when processing the request (forward, fixed-response, authenticate…​). It can contain several values.
+
+type: keyword
+
+
+**`aws.elb.redirect_url`**
+:   The URL used if a redirection action was executed.
+
+type: keyword
+
+
+**`aws.elb.error.reason`**
+:   The error reason if the executed action failed.
+
+type: keyword
+
+
+**`aws.elb.target_port`**
+:   List of IP addresses and ports for the targets that processed this request.
+
+type: keyword
+
+
+**`aws.elb.target_status_code`**
+:   List of status codes from the responses of the targets.
+
+type: keyword
+
+
+**`aws.elb.classification`**
+:   The classification for desync mitigation.
+
+type: keyword
+
+
+**`aws.elb.classification_reason`**
+:   The classification reason code.
+
+type: keyword
+
+
+
+## s3access [_s3access]
+
+Fields for AWS S3 server access logs.
+
+**`aws.s3access.bucket_owner`**
+:   The canonical user ID of the owner of the source bucket.
+
+type: keyword
+
+
+**`aws.s3access.bucket`**
+:   The name of the bucket that the request was processed against.
+
+type: keyword
+
+
+**`aws.s3access.remote_ip`**
+:   The apparent internet address of the requester.
+
+type: ip
+
+
+**`aws.s3access.requester`**
+:   The canonical user ID of the requester, or a - for unauthenticated requests.
+
+type: keyword
+
+
+**`aws.s3access.request_id`**
+:   A string generated by Amazon S3 to uniquely identify each request.
+
+type: keyword
+
+
+**`aws.s3access.operation`**
+:   The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT.
+
+type: keyword
+
+
+**`aws.s3access.key`**
+:   The "key" part of the request, URL encoded, or "-" if the operation does not take a key parameter.
+
+type: keyword
+
+
+**`aws.s3access.request_uri`**
+:   The Request-URI part of the HTTP request message.
+
+type: keyword
+
+
+**`aws.s3access.http_status`**
+:   The numeric HTTP status code of the response.
+
+type: long
+
+
+**`aws.s3access.error_code`**
+:   The Amazon S3 Error Code, or "-" if no error occurred.
+
+type: keyword
+
+
+**`aws.s3access.bytes_sent`**
+:   The number of response bytes sent, excluding HTTP protocol overhead, or "-" if zero.
+
+type: long
+
+
+**`aws.s3access.object_size`**
+:   The total size of the object in question.
+
+type: long
+
+
+**`aws.s3access.total_time`**
+:   The number of milliseconds the request was in flight from the server’s perspective.
+
+type: long
+
+
+**`aws.s3access.turn_around_time`**
+:   The number of milliseconds that Amazon S3 spent processing your request.
+
+type: long
+
+
+**`aws.s3access.referrer`**
+:   The value of the HTTP Referrer header, if present.
+
+type: keyword
+
+
+**`aws.s3access.user_agent`**
+:   The value of the HTTP User-Agent header.
+
+type: keyword
+
+
+**`aws.s3access.version_id`**
+:   The version ID in the request, or "-" if the operation does not take a versionId parameter.
+
+type: keyword
+
+
+**`aws.s3access.host_id`**
+:   The x-amz-id-2 or Amazon S3 extended request ID.
+
+type: keyword
+
+
+**`aws.s3access.signature_version`**
+:   The signature version, SigV2 or SigV4, that was used to authenticate the request or a - for unauthenticated requests.
+
+type: keyword
+
+
+**`aws.s3access.cipher_suite`**
+:   The Secure Sockets Layer (SSL) cipher that was negotiated for HTTPS request or a - for HTTP.
+
+type: keyword
+
+
+**`aws.s3access.authentication_type`**
+:   The type of request authentication used, AuthHeader for authentication headers, QueryString for query string (pre-signed URL) or a - for unauthenticated requests.
+
+type: keyword
+
+
+**`aws.s3access.host_header`**
+:   The endpoint used to connect to Amazon S3.
+
+type: keyword
+
+
+**`aws.s3access.tls_version`**
+:   The Transport Layer Security (TLS) version negotiated by the client.
+
+type: keyword
+
+
+
+## vpcflow [_vpcflow]
+
+Fields for AWS VPC flow logs.
+
+**`aws.vpcflow.version`**
+:   The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3.
+
+type: keyword
+
+
+**`aws.vpcflow.account_id`**
+:   The AWS account ID for the flow log.
+
+type: keyword
+
+
+**`aws.vpcflow.interface_id`**
+:   The ID of the network interface for which the traffic is recorded.
+
+type: keyword
+
+
+**`aws.vpcflow.action`**
+:   The action that is associated with the traffic, ACCEPT or REJECT.
+
+type: keyword
+
+
+**`aws.vpcflow.log_status`**
+:   The logging status of the flow log, OK, NODATA or SKIPDATA.
+
+type: keyword
+
+
+**`aws.vpcflow.instance_id`**
+:   The ID of the instance that’s associated with network interface for which the traffic is recorded, if the instance is owned by you.
+
+type: keyword
+
+
+**`aws.vpcflow.pkt_srcaddr`**
+:   The packet-level (original) source IP address of the traffic.
+
+type: ip
+
+
+**`aws.vpcflow.pkt_dstaddr`**
+:   The packet-level (original) destination IP address for the traffic.
+
+type: ip
+
+
+**`aws.vpcflow.vpc_id`**
+:   The ID of the VPC that contains the network interface for which the traffic is recorded.
+
+type: keyword
+
+
+**`aws.vpcflow.subnet_id`**
+:   The ID of the subnet that contains the network interface for which the traffic is recorded.
+
+type: keyword
+
+
+**`aws.vpcflow.tcp_flags`**
+:   The bitmask value for the following TCP flags: 2=SYN,18=SYN-ACK,1=FIN,4=RST
+
+type: keyword
+
+
+**`aws.vpcflow.tcp_flags_array`**
+:   List of TCP flags: *fin, syn, rst, psh, ack, urg*
+
+type: keyword
+
+
+**`aws.vpcflow.type`**
+:   The type of traffic: IPv4, IPv6, or EFA.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-awsfargate.md b/docs/reference/filebeat/exported-fields-awsfargate.md
new file mode 100644
index 000000000000..2f5da54155bc
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-awsfargate.md
@@ -0,0 +1,19 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-awsfargate.html
+---
+
+# AWS Fargate fields [exported-fields-awsfargate]
+
+Module for collecting container logs from Amazon ECS Fargate.
+
+
+## awsfargate [_awsfargate]
+
+Fields from Amazon ECS Fargate logs.
+
+
+## log [_log_3]
+
+Fields for Amazon Fargate container logs.
+
diff --git a/docs/reference/filebeat/exported-fields-azure.md b/docs/reference/filebeat/exported-fields-azure.md
new file mode 100644
index 000000000000..c21190a4acbb
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-azure.md
@@ -0,0 +1,895 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-azure.html
+---
+
+# Azure fields [exported-fields-azure]
+
+Azure Module
+
+
+## azure [_azure]
+
+**`azure.subscription_id`**
+:   Azure subscription ID
+
+type: keyword
+
+
+**`azure.correlation_id`**
+:   Correlation ID
+
+type: keyword
+
+
+**`azure.tenant_id`**
+:   tenant ID
+
+type: keyword
+
+
+
+## resource [_resource]
+
+Resource
+
+**`azure.resource.id`**
+:   Resource ID
+
+type: keyword
+
+
+**`azure.resource.group`**
+:   Resource group
+
+type: keyword
+
+
+**`azure.resource.provider`**
+:   Resource type/namespace
+
+type: keyword
+
+
+**`azure.resource.namespace`**
+:   Resource type/namespace
+
+type: keyword
+
+
+**`azure.resource.name`**
+:   Name
+
+type: keyword
+
+
+**`azure.resource.authorization_rule`**
+:   Authorization rule
+
+type: keyword
+
+
+
+## activitylogs [_activitylogs]
+
+Fields for Azure activity logs.
+
+**`azure.activitylogs.identity_name`**
+:   identity name
+
+type: keyword
+
+
+
+## identity [_identity]
+
+Identity
+
+
+## claims_initiated_by_user [_claims_initiated_by_user]
+
+Claims initiated by user
+
+**`azure.activitylogs.identity.claims_initiated_by_user.name`**
+:   Name
+
+type: keyword
+
+
+**`azure.activitylogs.identity.claims_initiated_by_user.givenname`**
+:   Givenname
+
+type: keyword
+
+
+**`azure.activitylogs.identity.claims_initiated_by_user.surname`**
+:   Surname
+
+type: keyword
+
+
+**`azure.activitylogs.identity.claims_initiated_by_user.fullname`**
+:   Fullname
+
+type: keyword
+
+
+**`azure.activitylogs.identity.claims_initiated_by_user.schema`**
+:   Schema
+
+type: keyword
+
+
+**`azure.activitylogs.identity.claims.*`**
+:   Claims
+
+type: object
+
+
+
+## authorization [_authorization]
+
+Authorization
+
+**`azure.activitylogs.identity.authorization.scope`**
+:   Scope
+
+type: keyword
+
+
+**`azure.activitylogs.identity.authorization.action`**
+:   Action
+
+type: keyword
+
+
+
+## evidence [_evidence]
+
+Evidence
+
+**`azure.activitylogs.identity.authorization.evidence.role_assignment_scope`**
+:   Role assignment scope
+
+type: keyword
+
+
+**`azure.activitylogs.identity.authorization.evidence.role_definition_id`**
+:   Role definition ID
+
+type: keyword
+
+
+**`azure.activitylogs.identity.authorization.evidence.role`**
+:   Role
+
+type: keyword
+
+
+**`azure.activitylogs.identity.authorization.evidence.role_assignment_id`**
+:   Role assignment ID
+
+type: keyword
+
+
+**`azure.activitylogs.identity.authorization.evidence.principal_id`**
+:   Principal ID
+
+type: keyword
+
+
+**`azure.activitylogs.identity.authorization.evidence.principal_type`**
+:   Principal type
+
+type: keyword
+
+
+**`azure.activitylogs.tenant_id`**
+:   Tenant ID
+
+type: keyword
+
+
+**`azure.activitylogs.level`**
+:   Level
+
+type: long
+
+
+**`azure.activitylogs.operation_version`**
+:   Operation version
+
+type: keyword
+
+
+**`azure.activitylogs.operation_name`**
+:   Operation name
+
+type: keyword
+
+
+**`azure.activitylogs.result_type`**
+:   Result type
+
+type: keyword
+
+
+**`azure.activitylogs.result_signature`**
+:   Result signature
+
+type: keyword
+
+
+**`azure.activitylogs.category`**
+:   Category
+
+type: keyword
+
+
+**`azure.activitylogs.event_category`**
+:   Event Category
+
+type: keyword
+
+
+**`azure.activitylogs.properties`**
+:   Properties
+
+type: flattened
+
+
+
+## auditlogs [_auditlogs]
+
+Fields for Azure audit logs.
+
+**`azure.auditlogs.category`**
+:   The category of the operation.  Currently, Audit is the only supported value.
+
+type: keyword
+
+
+**`azure.auditlogs.operation_name`**
+:   The operation name
+
+type: keyword
+
+
+**`azure.auditlogs.operation_version`**
+:   The operation version
+
+type: keyword
+
+
+**`azure.auditlogs.identity`**
+:   Identity
+
+type: keyword
+
+
+**`azure.auditlogs.tenant_id`**
+:   Tenant ID
+
+type: keyword
+
+
+**`azure.auditlogs.result_signature`**
+:   Result signature
+
+type: keyword
+
+
+
+## properties [_properties]
+
+The audit log properties
+
+**`azure.auditlogs.properties.result`**
+:   Log result
+
+type: keyword
+
+
+**`azure.auditlogs.properties.activity_display_name`**
+:   Activity display name
+
+type: keyword
+
+
+**`azure.auditlogs.properties.result_reason`**
+:   Reason for the log result
+
+type: keyword
+
+
+**`azure.auditlogs.properties.correlation_id`**
+:   Correlation ID
+
+type: keyword
+
+
+**`azure.auditlogs.properties.logged_by_service`**
+:   Logged by service
+
+type: keyword
+
+
+**`azure.auditlogs.properties.operation_type`**
+:   Operation type
+
+type: keyword
+
+
+**`azure.auditlogs.properties.id`**
+:   ID
+
+type: keyword
+
+
+**`azure.auditlogs.properties.activity_datetime`**
+:   Activity timestamp
+
+type: date
+
+
+**`azure.auditlogs.properties.category`**
+:   category
+
+type: keyword
+
+
+
+## target_resources.* [_target_resources]
+
+Target resources
+
+**`azure.auditlogs.properties.target_resources.*.display_name`**
+:   Display name
+
+type: keyword
+
+
+**`azure.auditlogs.properties.target_resources.*.id`**
+:   ID
+
+type: keyword
+
+
+**`azure.auditlogs.properties.target_resources.*.type`**
+:   Type
+
+type: keyword
+
+
+**`azure.auditlogs.properties.target_resources.*.ip_address`**
+:   ip Address
+
+type: keyword
+
+
+**`azure.auditlogs.properties.target_resources.*.user_principal_name`**
+:   User principal name
+
+type: keyword
+
+
+
+## modified_properties.* [_modified_properties]
+
+Modified properties
+
+**`azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value`**
+:   New value
+
+type: keyword
+
+
+**`azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name`**
+:   Display value
+
+type: keyword
+
+
+**`azure.auditlogs.properties.target_resources.*.modified_properties.*.old_value`**
+:   Old value
+
+type: keyword
+
+
+
+## initiated_by [_initiated_by]
+
+Information regarding the initiator
+
+
+## app [_app]
+
+App
+
+**`azure.auditlogs.properties.initiated_by.app.servicePrincipalName`**
+:   Service principal name
+
+type: keyword
+
+
+**`azure.auditlogs.properties.initiated_by.app.displayName`**
+:   Display name
+
+type: keyword
+
+
+**`azure.auditlogs.properties.initiated_by.app.appId`**
+:   App ID
+
+type: keyword
+
+
+**`azure.auditlogs.properties.initiated_by.app.servicePrincipalId`**
+:   Service principal ID
+
+type: keyword
+
+
+
+## user [_user]
+
+User
+
+**`azure.auditlogs.properties.initiated_by.user.userPrincipalName`**
+:   User principal name
+
+type: keyword
+
+
+**`azure.auditlogs.properties.initiated_by.user.displayName`**
+:   Display name
+
+type: keyword
+
+
+**`azure.auditlogs.properties.initiated_by.user.id`**
+:   ID
+
+type: keyword
+
+
+**`azure.auditlogs.properties.initiated_by.user.ipAddress`**
+:   ip Address
+
+type: keyword
+
+
+
+## platformlogs [_platformlogs]
+
+Fields for Azure platform logs.
+
+**`azure.platformlogs.operation_name`**
+:   Operation name
+
+type: keyword
+
+
+**`azure.platformlogs.result_type`**
+:   Result type
+
+type: keyword
+
+
+**`azure.platformlogs.result_signature`**
+:   Result signature
+
+type: keyword
+
+
+**`azure.platformlogs.category`**
+:   Category
+
+type: keyword
+
+
+**`azure.platformlogs.event_category`**
+:   Event Category
+
+type: keyword
+
+
+**`azure.platformlogs.status`**
+:   Status
+
+type: keyword
+
+
+**`azure.platformlogs.ccpNamespace`**
+:   ccpNamespace
+
+type: keyword
+
+
+**`azure.platformlogs.Cloud`**
+:   Cloud
+
+type: keyword
+
+
+**`azure.platformlogs.Environment`**
+:   Environment
+
+type: keyword
+
+
+**`azure.platformlogs.EventTimeString`**
+:   EventTimeString
+
+type: keyword
+
+
+**`azure.platformlogs.Caller`**
+:   Caller
+
+type: keyword
+
+
+**`azure.platformlogs.ScaleUnit`**
+:   ScaleUnit
+
+type: keyword
+
+
+**`azure.platformlogs.ActivityId`**
+:   ActivityId
+
+type: keyword
+
+
+**`azure.platformlogs.identity_name`**
+:   Identity name
+
+type: keyword
+
+
+**`azure.platformlogs.properties`**
+:   Event inner properties
+
+type: flattened
+
+
+
+## signinlogs [_signinlogs]
+
+Fields for Azure sign-in logs.
+
+**`azure.signinlogs.operation_name`**
+:   The operation name
+
+type: keyword
+
+
+**`azure.signinlogs.operation_version`**
+:   The operation version
+
+type: keyword
+
+
+**`azure.signinlogs.tenant_id`**
+:   Tenant ID
+
+type: keyword
+
+
+**`azure.signinlogs.result_signature`**
+:   Result signature
+
+type: keyword
+
+
+**`azure.signinlogs.result_description`**
+:   Result description
+
+type: keyword
+
+
+**`azure.signinlogs.result_type`**
+:   Result type
+
+type: keyword
+
+
+**`azure.signinlogs.identity`**
+:   Identity
+
+type: keyword
+
+
+**`azure.signinlogs.category`**
+:   Category
+
+type: keyword
+
+
+**`azure.signinlogs.properties.id`**
+:   Unique ID representing the sign-in activity.
+
+type: keyword
+
+
+**`azure.signinlogs.properties.created_at`**
+:   Date and time (UTC) the sign-in was initiated.
+
+type: date
+
+
+**`azure.signinlogs.properties.user_display_name`**
+:   User display name
+
+type: keyword
+
+
+**`azure.signinlogs.properties.correlation_id`**
+:   Correlation ID
+
+type: keyword
+
+
+**`azure.signinlogs.properties.user_principal_name`**
+:   User principal name
+
+type: keyword
+
+
+**`azure.signinlogs.properties.user_id`**
+:   User ID
+
+type: keyword
+
+
+**`azure.signinlogs.properties.app_id`**
+:   App ID
+
+type: keyword
+
+
+**`azure.signinlogs.properties.app_display_name`**
+:   App display name
+
+type: keyword
+
+
+**`azure.signinlogs.properties.autonomous_system_number`**
+:   Autonomous system number.
+
+type: long
+
+
+**`azure.signinlogs.properties.client_app_used`**
+:   Client app used
+
+type: keyword
+
+
+**`azure.signinlogs.properties.conditional_access_status`**
+:   Conditional access status
+
+type: keyword
+
+
+**`azure.signinlogs.properties.original_request_id`**
+:   Original request ID
+
+type: keyword
+
+
+**`azure.signinlogs.properties.is_interactive`**
+:   Is interactive
+
+type: boolean
+
+
+**`azure.signinlogs.properties.token_issuer_name`**
+:   Token issuer name
+
+type: keyword
+
+
+**`azure.signinlogs.properties.token_issuer_type`**
+:   Token issuer type
+
+type: keyword
+
+
+**`azure.signinlogs.properties.processing_time_ms`**
+:   Processing time in milliseconds
+
+type: float
+
+
+**`azure.signinlogs.properties.risk_detail`**
+:   Risk detail
+
+type: keyword
+
+
+**`azure.signinlogs.properties.risk_level_aggregated`**
+:   Risk level aggregated
+
+type: keyword
+
+
+**`azure.signinlogs.properties.risk_level_during_signin`**
+:   Risk level during signIn
+
+type: keyword
+
+
+**`azure.signinlogs.properties.risk_state`**
+:   Risk state
+
+type: keyword
+
+
+**`azure.signinlogs.properties.resource_display_name`**
+:   Resource display name
+
+type: keyword
+
+
+**`azure.signinlogs.properties.status.error_code`**
+:   Error code
+
+type: long
+
+
+**`azure.signinlogs.properties.device_detail.device_id`**
+:   Device ID
+
+type: keyword
+
+
+**`azure.signinlogs.properties.device_detail.operating_system`**
+:   Operating system
+
+type: keyword
+
+
+**`azure.signinlogs.properties.device_detail.browser`**
+:   Browser
+
+type: keyword
+
+
+**`azure.signinlogs.properties.device_detail.display_name`**
+:   Display name
+
+type: keyword
+
+
+**`azure.signinlogs.properties.device_detail.trust_type`**
+:   Trust type
+
+type: keyword
+
+
+**`azure.signinlogs.properties.device_detail.is_compliant`**
+:   If the device is compliant
+
+type: boolean
+
+
+**`azure.signinlogs.properties.device_detail.is_managed`**
+:   If the device is managed
+
+type: boolean
+
+
+**`azure.signinlogs.properties.applied_conditional_access_policies`**
+:   A list of conditional access policies that are triggered by the corresponding sign-in activity.
+
+type: array
+
+
+**`azure.signinlogs.properties.authentication_details`**
+:   The result of the authentication attempt and additional details on the authentication method.
+
+type: array
+
+
+**`azure.signinlogs.properties.authentication_processing_details`**
+:   Additional authentication processing details, such as the agent name in case of PTA/PHS or Server/farm name in case of federated authentication.
+
+type: flattened
+
+
+**`azure.signinlogs.properties.authentication_protocol`**
+:   Authentication protocol type.
+
+type: keyword
+
+
+**`azure.signinlogs.properties.incoming_token_type`**
+:   Incoming token type.
+
+type: keyword
+
+
+**`azure.signinlogs.properties.unique_token_identifier`**
+:   Unique token identifier for the request.
+
+type: keyword
+
+
+**`azure.signinlogs.properties.authentication_requirement`**
+:   This holds the highest level of authentication needed through all the sign-in steps, for sign-in to succeed.
+
+type: keyword
+
+
+**`azure.signinlogs.properties.authentication_requirement_policies`**
+:   Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user
+
+type: flattened
+
+
+**`azure.signinlogs.properties.flagged_for_review`**
+:   type: boolean
+
+
+**`azure.signinlogs.properties.home_tenant_id`**
+:   type: keyword
+
+
+**`azure.signinlogs.properties.network_location_details`**
+:   The network location details including the type of network used and its names.
+
+type: array
+
+
+**`azure.signinlogs.properties.resource_id`**
+:   The identifier of the resource that the user signed in to.
+
+type: keyword
+
+
+**`azure.signinlogs.properties.resource_tenant_id`**
+:   type: keyword
+
+
+**`azure.signinlogs.properties.risk_event_types`**
+:   The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.
+
+type: keyword
+
+
+**`azure.signinlogs.properties.risk_event_types_v2`**
+:   The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.
+
+type: keyword
+
+
+**`azure.signinlogs.properties.service_principal_name`**
+:   The application name used for sign-in. This field is populated when you are signing in using an application.
+
+type: keyword
+
+
+**`azure.signinlogs.properties.user_type`**
+:   type: keyword
+
+
+**`azure.signinlogs.properties.service_principal_id`**
+:   The application identifier used for sign-in. This field is populated when you are signing in using an application.
+
+type: keyword
+
+
+**`azure.signinlogs.properties.cross_tenant_access_type`**
+:   type: keyword
+
+
+**`azure.signinlogs.properties.is_tenant_restricted`**
+:   type: boolean
+
+
+**`azure.signinlogs.properties.sso_extension_version`**
+:   type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-beat-common.md b/docs/reference/filebeat/exported-fields-beat-common.md
new file mode 100644
index 000000000000..a08765d86088
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-beat-common.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-beat-common.html
+---
+
+# Beat fields [exported-fields-beat-common]
+
+Contains common beat fields available in all event types.
+
+**`agent.hostname`**
+:   Deprecated - use agent.name or agent.id to identify an agent.
+
+type: alias
+
+alias to: agent.name
+
+
+**`beat.timezone`**
+:   type: alias
+
+alias to: event.timezone
+
+
+**`fields`**
+:   Contains user configurable fields.
+
+type: object
+
+
+**`beat.name`**
+:   type: alias
+
+alias to: host.name
+
+
+**`beat.hostname`**
+:   type: alias
+
+alias to: agent.name
+
+
+**`timeseries.instance`**
+:   Time series instance id
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-cef-module.md b/docs/reference/filebeat/exported-fields-cef-module.md
new file mode 100644
index 000000000000..e1262cd78bfd
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-cef-module.md
@@ -0,0 +1,360 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-cef-module.html
+---
+
+# CEF fields [exported-fields-cef-module]
+
+Module for receiving CEF logs over Syslog. The module adds vendor specific fields in addition to the fields the decode_cef processor provides.
+
+
+## forcepoint [_forcepoint]
+
+Fields for Forcepoint Custom String mappings
+
+**`forcepoint.virus_id`**
+:   Virus ID
+
+type: keyword
+
+
+
+## checkpoint [_checkpoint]
+
+Fields for Check Point custom string mappings.
+
+**`checkpoint.app_risk`**
+:   Application risk.
+
+type: keyword
+
+
+**`checkpoint.app_severity`**
+:   Application threat severity.
+
+type: keyword
+
+
+**`checkpoint.app_sig_id`**
+:   The signature ID which the application was detected by.
+
+type: keyword
+
+
+**`checkpoint.auth_method`**
+:   Password authentication protocol used.
+
+type: keyword
+
+
+**`checkpoint.category`**
+:   Category.
+
+type: keyword
+
+
+**`checkpoint.confidence_level`**
+:   Confidence level determined.
+
+type: integer
+
+
+**`checkpoint.connectivity_state`**
+:   Connectivity state.
+
+type: keyword
+
+
+**`checkpoint.cookie`**
+:   IKE cookie.
+
+type: keyword
+
+
+**`checkpoint.dst_phone_number`**
+:   Destination IP-Phone.
+
+type: keyword
+
+
+**`checkpoint.email_control`**
+:   Engine name.
+
+type: keyword
+
+
+**`checkpoint.email_id`**
+:   Internal email ID.
+
+type: keyword
+
+
+**`checkpoint.email_recipients_num`**
+:   Number of recipients.
+
+type: long
+
+
+**`checkpoint.email_session_id`**
+:   Internal email session ID.
+
+type: keyword
+
+
+**`checkpoint.email_spool_id`**
+:   Internal email spool ID.
+
+type: keyword
+
+
+**`checkpoint.email_subject`**
+:   Email subject.
+
+type: keyword
+
+
+**`checkpoint.event_count`**
+:   Number of events associated with the log.
+
+type: long
+
+
+**`checkpoint.frequency`**
+:   Scan frequency.
+
+type: keyword
+
+
+**`checkpoint.icmp_type`**
+:   ICMP type.
+
+type: long
+
+
+**`checkpoint.icmp_code`**
+:   ICMP code.
+
+type: long
+
+
+**`checkpoint.identity_type`**
+:   Identity type.
+
+type: keyword
+
+
+**`checkpoint.incident_extension`**
+:   Format of original data.
+
+type: keyword
+
+
+**`checkpoint.integrity_av_invoke_type`**
+:   Scan invoke type.
+
+type: keyword
+
+
+**`checkpoint.malware_family`**
+:   Malware family.
+
+type: keyword
+
+
+**`checkpoint.peer_gateway`**
+:   Main IP of the peer Security Gateway.
+
+type: ip
+
+
+**`checkpoint.performance_impact`**
+:   Protection performance impact.
+
+type: integer
+
+
+**`checkpoint.protection_id`**
+:   Protection malware ID.
+
+type: keyword
+
+
+**`checkpoint.protection_name`**
+:   Specific signature name of the attack.
+
+type: keyword
+
+
+**`checkpoint.protection_type`**
+:   Type of protection used to detect the attack.
+
+type: keyword
+
+
+**`checkpoint.scan_result`**
+:   Scan result.
+
+type: keyword
+
+
+**`checkpoint.sensor_mode`**
+:   Sensor mode.
+
+type: keyword
+
+
+**`checkpoint.severity`**
+:   Threat severity.
+
+type: keyword
+
+
+**`checkpoint.spyware_name`**
+:   Spyware name.
+
+type: keyword
+
+
+**`checkpoint.spyware_status`**
+:   Spyware status.
+
+type: keyword
+
+
+**`checkpoint.subs_exp`**
+:   The expiration date of the subscription.
+
+type: date
+
+
+**`checkpoint.tcp_flags`**
+:   TCP packet flags.
+
+type: keyword
+
+
+**`checkpoint.termination_reason`**
+:   Termination reason.
+
+type: keyword
+
+
+**`checkpoint.update_status`**
+:   Update status.
+
+type: keyword
+
+
+**`checkpoint.user_status`**
+:   User response.
+
+type: keyword
+
+
+**`checkpoint.uuid`**
+:   External ID.
+
+type: keyword
+
+
+**`checkpoint.virus_name`**
+:   Virus name.
+
+type: keyword
+
+
+**`checkpoint.voip_log_type`**
+:   VoIP log types.
+
+type: keyword
+
+
+
+## cef.extensions [_cef_extensions]
+
+Extra vendor-specific extensions.
+
+**`cef.extensions.cp_app_risk`**
+:   type: keyword
+
+
+**`cef.extensions.cp_severity`**
+:   type: keyword
+
+
+**`cef.extensions.ifname`**
+:   type: keyword
+
+
+**`cef.extensions.inzone`**
+:   type: keyword
+
+
+**`cef.extensions.layer_uuid`**
+:   type: keyword
+
+
+**`cef.extensions.layer_name`**
+:   type: keyword
+
+
+**`cef.extensions.logid`**
+:   type: keyword
+
+
+**`cef.extensions.loguid`**
+:   type: keyword
+
+
+**`cef.extensions.match_id`**
+:   type: keyword
+
+
+**`cef.extensions.nat_addtnl_rulenum`**
+:   type: keyword
+
+
+**`cef.extensions.nat_rulenum`**
+:   type: keyword
+
+
+**`cef.extensions.origin`**
+:   type: keyword
+
+
+**`cef.extensions.originsicname`**
+:   type: keyword
+
+
+**`cef.extensions.outzone`**
+:   type: keyword
+
+
+**`cef.extensions.parent_rule`**
+:   type: keyword
+
+
+**`cef.extensions.product`**
+:   type: keyword
+
+
+**`cef.extensions.rule_action`**
+:   type: keyword
+
+
+**`cef.extensions.rule_uid`**
+:   type: keyword
+
+
+**`cef.extensions.sequencenum`**
+:   type: keyword
+
+
+**`cef.extensions.service_id`**
+:   type: keyword
+
+
+**`cef.extensions.version`**
+:   type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-cef.md b/docs/reference/filebeat/exported-fields-cef.md
new file mode 100644
index 000000000000..cb260b32f100
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-cef.md
@@ -0,0 +1,1109 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-cef.html
+---
+
+# Decode CEF processor fields fields [exported-fields-cef]
+
+Common Event Format (CEF) data.
+
+
+## cef [_cef]
+
+By default the `decode_cef` processor writes all data from the CEF message to this `cef` object. It contains the CEF header fields and the extension data.
+
+**`cef.version`**
+:   Version of the CEF specification used by the message.
+
+type: keyword
+
+
+**`cef.device.vendor`**
+:   Vendor of the device that produced the message.
+
+type: keyword
+
+
+**`cef.device.product`**
+:   Product of the device that produced the message.
+
+type: keyword
+
+
+**`cef.device.version`**
+:   Version of the product that produced the message.
+
+type: keyword
+
+
+**`cef.device.event_class_id`**
+:   Unique identifier of the event type.
+
+type: keyword
+
+
+**`cef.severity`**
+:   Importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7- 8=High, and 9-10=Very-High.
+
+type: keyword
+
+example: Very-High
+
+
+**`cef.name`**
+:   Short description of the event.
+
+type: keyword
+
+
+
+## extensions [_extensions]
+
+Collection of key-value pairs carried in the CEF extension field.
+
+**`cef.extensions.agentAddress`**
+:   The IP address of the ArcSight connector that processed the event.
+
+type: ip
+
+
+**`cef.extensions.agentDnsDomain`**
+:   The DNS domain name of the ArcSight connector that processed the event.
+
+type: keyword
+
+
+**`cef.extensions.agentHostName`**
+:   The hostname of the ArcSight connector that processed the event.
+
+type: keyword
+
+
+**`cef.extensions.agentId`**
+:   The agent ID of the ArcSight connector that processed the event.
+
+type: keyword
+
+
+**`cef.extensions.agentMacAddress`**
+:   The MAC address of the ArcSight connector that processed the event.
+
+type: keyword
+
+
+**`cef.extensions.agentNtDomain`**
+:   None
+
+type: keyword
+
+
+**`cef.extensions.agentReceiptTime`**
+:   The time at which information about the event was received by the ArcSight connector.
+
+type: date
+
+
+**`cef.extensions.agentTimeZone`**
+:   The agent time zone of the ArcSight connector that processed the event.
+
+type: keyword
+
+
+**`cef.extensions.agentTranslatedAddress`**
+:   None
+
+type: ip
+
+
+**`cef.extensions.agentTranslatedZoneExternalID`**
+:   None
+
+type: keyword
+
+
+**`cef.extensions.agentTranslatedZoneURI`**
+:   None
+
+type: keyword
+
+
+**`cef.extensions.agentType`**
+:   The agent type of the ArcSight connector that processed the event
+
+type: keyword
+
+
+**`cef.extensions.agentVersion`**
+:   The version of the ArcSight connector that processed the event.
+
+type: keyword
+
+
+**`cef.extensions.agentZoneExternalID`**
+:   None
+
+type: keyword
+
+
+**`cef.extensions.agentZoneURI`**
+:   None
+
+type: keyword
+
+
+**`cef.extensions.applicationProtocol`**
+:   Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on.
+
+type: keyword
+
+
+**`cef.extensions.baseEventCount`**
+:   A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1.
+
+type: long
+
+
+**`cef.extensions.bytesIn`**
+:   Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination.
+
+type: long
+
+
+**`cef.extensions.bytesOut`**
+:   Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source.
+
+type: long
+
+
+**`cef.extensions.customerExternalID`**
+:   None
+
+type: keyword
+
+
+**`cef.extensions.customerURI`**
+:   None
+
+type: keyword
+
+
+**`cef.extensions.destinationAddress`**
+:   Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address.
+
+type: ip
+
+
+**`cef.extensions.destinationDnsDomain`**
+:   The DNS domain part of the complete fully qualified domain name (FQDN).
+
+type: keyword
+
+
+**`cef.extensions.destinationGeoLatitude`**
+:   The latitudinal value from which the destination’s IP address belongs.
+
+type: double
+
+
+**`cef.extensions.destinationGeoLongitude`**
+:   The longitudinal value from which the destination’s IP address belongs.
+
+type: double
+
+
+**`cef.extensions.destinationHostName`**
+:   Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available.
+
+type: keyword
+
+
+**`cef.extensions.destinationMacAddress`**
+:   Six colon-seperated hexadecimal numbers.
+
+type: keyword
+
+
+**`cef.extensions.destinationNtDomain`**
+:   The Windows domain name of the destination address.
+
+type: keyword
+
+
+**`cef.extensions.destinationPort`**
+:   The valid port numbers are between 0 and 65535.
+
+type: long
+
+
+**`cef.extensions.destinationProcessId`**
+:   Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID.
+
+type: long
+
+
+**`cef.extensions.destinationProcessName`**
+:   The name of the event’s destination process.
+
+type: keyword
+
+
+**`cef.extensions.destinationServiceName`**
+:   The service targeted by this event.
+
+type: keyword
+
+
+**`cef.extensions.destinationTranslatedAddress`**
+:   Identifies the translated destination that the event refers to in an IP network.
+
+type: ip
+
+
+**`cef.extensions.destinationTranslatedPort`**
+:   Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535.
+
+type: long
+
+
+**`cef.extensions.destinationTranslatedZoneExternalID`**
+:   None
+
+type: keyword
+
+
+**`cef.extensions.destinationTranslatedZoneURI`**
+:   The URI for the Translated Zone that the destination asset has been assigned to in ArcSight.
+
+type: keyword
+
+
+**`cef.extensions.destinationUserId`**
+:   Identifies the destination user by ID. For example, in UNIX, the root user is generally associated with user ID 0.
+
+type: keyword
+
+
+**`cef.extensions.destinationUserName`**
+:   Identifies the destination user by name. This is the user associated with the event’s destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field.
+
+type: keyword
+
+
+**`cef.extensions.destinationUserPrivileges`**
+:   The typical values are "Administrator", "User", and "Guest". This identifies the destination user’s privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator".
+
+type: keyword
+
+
+**`cef.extensions.destinationZoneExternalID`**
+:   None
+
+type: keyword
+
+
+**`cef.extensions.destinationZoneURI`**
+:   The URI for the Zone that the destination asset has been assigned to in ArcSight.
+
+type: keyword
+
+
+**`cef.extensions.deviceAction`**
+:   Action taken by the device.
+
+type: keyword
+
+
+**`cef.extensions.deviceAddress`**
+:   Identifies the device address that an event refers to in an IP network.
+
+type: ip
+
+
+**`cef.extensions.deviceCustomFloatingPoint1Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomFloatingPoint3Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomFloatingPoint4Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomDate1`**
+:   One of two timestamp fields available to map fields that do not apply to any other in this dictionary.
+
+type: date
+
+
+**`cef.extensions.deviceCustomDate1Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomDate2`**
+:   One of two timestamp fields available to map fields that do not apply to any other in this dictionary.
+
+type: date
+
+
+**`cef.extensions.deviceCustomDate2Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomFloatingPoint1`**
+:   One of four floating point fields available to map fields that do not apply to any other in this dictionary.
+
+type: double
+
+
+**`cef.extensions.deviceCustomFloatingPoint2`**
+:   One of four floating point fields available to map fields that do not apply to any other in this dictionary.
+
+type: double
+
+
+**`cef.extensions.deviceCustomFloatingPoint2Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomFloatingPoint3`**
+:   One of four floating point fields available to map fields that do not apply to any other in this dictionary.
+
+type: double
+
+
+**`cef.extensions.deviceCustomFloatingPoint4`**
+:   One of four floating point fields available to map fields that do not apply to any other in this dictionary.
+
+type: double
+
+
+**`cef.extensions.deviceCustomIPv6Address1`**
+:   One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
+
+type: ip
+
+
+**`cef.extensions.deviceCustomIPv6Address1Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomIPv6Address2`**
+:   One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
+
+type: ip
+
+
+**`cef.extensions.deviceCustomIPv6Address2Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomIPv6Address3`**
+:   One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
+
+type: ip
+
+
+**`cef.extensions.deviceCustomIPv6Address3Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomIPv6Address4`**
+:   One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
+
+type: ip
+
+
+**`cef.extensions.deviceCustomIPv6Address4Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomNumber1`**
+:   One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+
+type: long
+
+
+**`cef.extensions.deviceCustomNumber1Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomNumber2`**
+:   One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+
+type: long
+
+
+**`cef.extensions.deviceCustomNumber2Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomNumber3`**
+:   One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+
+type: long
+
+
+**`cef.extensions.deviceCustomNumber3Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomString1`**
+:   One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomString1Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomString2`**
+:   One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomString2Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomString3`**
+:   One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomString3Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomString4`**
+:   One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomString4Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomString5`**
+:   One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomString5Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomString6`**
+:   One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+
+type: keyword
+
+
+**`cef.extensions.deviceCustomString6Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceDirection`**
+:   Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound.
+
+type: long
+
+
+**`cef.extensions.deviceDnsDomain`**
+:   The DNS domain part of the complete fully qualified domain name (FQDN).
+
+type: keyword
+
+
+**`cef.extensions.deviceEventCategory`**
+:   Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read".
+
+type: keyword
+
+
+**`cef.extensions.deviceExternalId`**
+:   A name that uniquely identifies the device generating this event.
+
+type: keyword
+
+
+**`cef.extensions.deviceFacility`**
+:   The facility generating this event. For example, Syslog has an explicit facility associated with every event.
+
+type: keyword
+
+
+**`cef.extensions.deviceFlexNumber1`**
+:   One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+
+type: long
+
+
+**`cef.extensions.deviceFlexNumber1Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceFlexNumber2`**
+:   One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+
+type: long
+
+
+**`cef.extensions.deviceFlexNumber2Label`**
+:   All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+
+type: keyword
+
+
+**`cef.extensions.deviceHostName`**
+:   The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available.
+
+type: keyword
+
+
+**`cef.extensions.deviceInboundInterface`**
+:   Interface on which the packet or data entered the device.
+
+type: keyword
+
+
+**`cef.extensions.deviceMacAddress`**
+:   Six colon-separated hexadecimal numbers.
+
+type: keyword
+
+
+**`cef.extensions.deviceNtDomain`**
+:   The Windows domain name of the device address.
+
+type: keyword
+
+
+**`cef.extensions.deviceOutboundInterface`**
+:   Interface on which the packet or data left the device.
+
+type: keyword
+
+
+**`cef.extensions.devicePayloadId`**
+:   Unique identifier for the payload associated with the event.
+
+type: keyword
+
+
+**`cef.extensions.deviceProcessId`**
+:   Provides the ID of the process on the device generating the event.
+
+type: long
+
+
+**`cef.extensions.deviceProcessName`**
+:   Process name associated with the event. An example might be the process generating the syslog entry in UNIX.
+
+type: keyword
+
+
+**`cef.extensions.deviceReceiptTime`**
+:   The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970)
+
+type: date
+
+
+**`cef.extensions.deviceTimeZone`**
+:   The time zone for the device generating the event.
+
+type: keyword
+
+
+**`cef.extensions.deviceTranslatedAddress`**
+:   Identifies the translated device address that the event refers to in an IP network.
+
+type: ip
+
+
+**`cef.extensions.deviceTranslatedZoneExternalID`**
+:   None
+
+type: keyword
+
+
+**`cef.extensions.deviceTranslatedZoneURI`**
+:   The URI for the Translated Zone that the device asset has been assigned to in ArcSight.
+
+type: keyword
+
+
+**`cef.extensions.deviceZoneExternalID`**
+:   None
+
+type: keyword
+
+
+**`cef.extensions.deviceZoneURI`**
+:   Thee URI for the Zone that the device asset has been assigned to in ArcSight.
+
+type: keyword
+
+
+**`cef.extensions.endTime`**
+:   The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st1970). An example would be reporting the end of a session.
+
+type: date
+
+
+**`cef.extensions.eventId`**
+:   This is a unique ID that ArcSight assigns to each event.
+
+type: long
+
+
+**`cef.extensions.eventOutcome`**
+:   Displays the outcome, usually as *success* or *failure*.
+
+type: keyword
+
+
+**`cef.extensions.externalId`**
+:   The ID used by an originating device. They are usually increasing numbers, associated with events.
+
+type: keyword
+
+
+**`cef.extensions.fileCreateTime`**
+:   Time when the file was created.
+
+type: date
+
+
+**`cef.extensions.fileHash`**
+:   Hash of a file.
+
+type: keyword
+
+
+**`cef.extensions.fileId`**
+:   An ID associated with a file could be the inode.
+
+type: keyword
+
+
+**`cef.extensions.fileModificationTime`**
+:   Time when the file was last modified.
+
+type: date
+
+
+**`cef.extensions.filename`**
+:   Name of the file only (without its path).
+
+type: keyword
+
+
+**`cef.extensions.filePath`**
+:   Full path to the file, including file name itself.
+
+type: keyword
+
+
+**`cef.extensions.filePermission`**
+:   Permissions of the file.
+
+type: keyword
+
+
+**`cef.extensions.fileSize`**
+:   Size of the file.
+
+type: long
+
+
+**`cef.extensions.fileType`**
+:   Type of file (pipe, socket, etc.)
+
+type: keyword
+
+
+**`cef.extensions.flexDate1`**
+:   A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
+
+type: date
+
+
+**`cef.extensions.flexDate1Label`**
+:   The label field is a string and describes the purpose of the flex field.
+
+type: keyword
+
+
+**`cef.extensions.flexString1`**
+:   One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
+
+type: keyword
+
+
+**`cef.extensions.flexString2`**
+:   One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
+
+type: keyword
+
+
+**`cef.extensions.flexString1Label`**
+:   The label field is a string and describes the purpose of the flex field.
+
+type: keyword
+
+
+**`cef.extensions.flexString2Label`**
+:   The label field is a string and describes the purpose of the flex field.
+
+type: keyword
+
+
+**`cef.extensions.message`**
+:   An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator.
+
+type: keyword
+
+
+**`cef.extensions.oldFileCreateTime`**
+:   Time when old file was created.
+
+type: date
+
+
+**`cef.extensions.oldFileHash`**
+:   Hash of the old file.
+
+type: keyword
+
+
+**`cef.extensions.oldFileId`**
+:   An ID associated with the old file could be the inode.
+
+type: keyword
+
+
+**`cef.extensions.oldFileModificationTime`**
+:   Time when old file was last modified.
+
+type: date
+
+
+**`cef.extensions.oldFileName`**
+:   Name of the old file.
+
+type: keyword
+
+
+**`cef.extensions.oldFilePath`**
+:   Full path to the old file, including the file name itself.
+
+type: keyword
+
+
+**`cef.extensions.oldFilePermission`**
+:   Permissions of the old file.
+
+type: keyword
+
+
+**`cef.extensions.oldFileSize`**
+:   Size of the old file.
+
+type: long
+
+
+**`cef.extensions.oldFileType`**
+:   Type of the old file (pipe, socket, etc.)
+
+type: keyword
+
+
+**`cef.extensions.rawEvent`**
+:   None
+
+type: keyword
+
+
+**`cef.extensions.Reason`**
+:   The reason an audit event was generated. For example "bad password" or "unknown user". This could also be an error or return code. Example "0x1234".
+
+type: keyword
+
+
+**`cef.extensions.requestClientApplication`**
+:   The User-Agent associated with the request.
+
+type: keyword
+
+
+**`cef.extensions.requestContext`**
+:   Description of the content from which the request originated (for example, HTTP Referrer)
+
+type: keyword
+
+
+**`cef.extensions.requestCookies`**
+:   Cookies associated with the request.
+
+type: keyword
+
+
+**`cef.extensions.requestMethod`**
+:   The HTTP method used to access a URL.
+
+type: keyword
+
+
+**`cef.extensions.requestUrl`**
+:   In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well.
+
+type: keyword
+
+
+**`cef.extensions.sourceAddress`**
+:   Identifies the source that an event refers to in an IP network.
+
+type: ip
+
+
+**`cef.extensions.sourceDnsDomain`**
+:   The DNS domain part of the complete fully qualified domain name (FQDN).
+
+type: keyword
+
+
+**`cef.extensions.sourceGeoLatitude`**
+:   None
+
+type: double
+
+
+**`cef.extensions.sourceGeoLongitude`**
+:   None
+
+type: double
+
+
+**`cef.extensions.sourceHostName`**
+:   Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. Examples: *host* or *host.domain.com*.
+
+type: keyword
+
+
+**`cef.extensions.sourceMacAddress`**
+:   Six colon-separated hexadecimal numbers.
+
+type: keyword
+
+example: 00:0d:60:af:1b:61
+
+
+**`cef.extensions.sourceNtDomain`**
+:   The Windows domain name for the source address.
+
+type: keyword
+
+
+**`cef.extensions.sourcePort`**
+:   The valid port numbers are 0 to 65535.
+
+type: long
+
+
+**`cef.extensions.sourceProcessId`**
+:   The ID of the source process associated with the event.
+
+type: long
+
+
+**`cef.extensions.sourceProcessName`**
+:   The name of the event’s source process.
+
+type: keyword
+
+
+**`cef.extensions.sourceServiceName`**
+:   The service that is responsible for generating this event.
+
+type: keyword
+
+
+**`cef.extensions.sourceTranslatedAddress`**
+:   Identifies the translated source that the event refers to in an IP network.
+
+type: ip
+
+
+**`cef.extensions.sourceTranslatedPort`**
+:   A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535.
+
+type: long
+
+
+**`cef.extensions.sourceTranslatedZoneExternalID`**
+:   None
+
+type: keyword
+
+
+**`cef.extensions.sourceTranslatedZoneURI`**
+:   The URI for the Translated Zone that the destination asset has been assigned to in ArcSight.
+
+type: keyword
+
+
+**`cef.extensions.sourceUserId`**
+:   Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0.
+
+type: keyword
+
+
+**`cef.extensions.sourceUserName`**
+:   Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field.
+
+type: keyword
+
+
+**`cef.extensions.sourceUserPrivileges`**
+:   The typical values are "Administrator", "User", and "Guest". It identifies the source user’s privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator".
+
+type: keyword
+
+
+**`cef.extensions.sourceZoneExternalID`**
+:   None
+
+type: keyword
+
+
+**`cef.extensions.sourceZoneURI`**
+:   The URI for the Zone that the source asset has been assigned to in ArcSight.
+
+type: keyword
+
+
+**`cef.extensions.startTime`**
+:   The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970)
+
+type: date
+
+
+**`cef.extensions.transportProtocol`**
+:   Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP.
+
+type: keyword
+
+
+**`cef.extensions.type`**
+:   0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0).
+
+type: long
+
+
+**`cef.extensions.categoryDeviceType`**
+:   Device type. Examples - Proxy, IDS, Web Server
+
+type: keyword
+
+
+**`cef.extensions.categoryObject`**
+:   Object that the event is about. For example it can be an operating sytem, database, file, etc.
+
+type: keyword
+
+
+**`cef.extensions.categoryBehavior`**
+:   Action or a behavior associated with an event. It’s what is being done to the object.
+
+type: keyword
+
+
+**`cef.extensions.categoryTechnique`**
+:   Technique being used (e.g. /DoS).
+
+type: keyword
+
+
+**`cef.extensions.categoryDeviceGroup`**
+:   General device group like Firewall.
+
+type: keyword
+
+
+**`cef.extensions.categorySignificance`**
+:   Characterization of the importance of the event.
+
+type: keyword
+
+
+**`cef.extensions.categoryOutcome`**
+:   Outcome of the event (e.g. sucess, failure, or attempt).
+
+type: keyword
+
+
+**`cef.extensions.managerReceiptTime`**
+:   When the Arcsight ESM received the event.
+
+type: date
+
+
+**`source.service.name`**
+:   Service that is the source of the event.
+
+type: keyword
+
+
+**`destination.service.name`**
+:   Service that is the target of the event.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-checkpoint.md b/docs/reference/filebeat/exported-fields-checkpoint.md
new file mode 100644
index 000000000000..5905e0056e24
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-checkpoint.md
@@ -0,0 +1,2478 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-checkpoint.html
+---
+
+# Checkpoint fields [exported-fields-checkpoint]
+
+Some checkpoint module
+
+
+## checkpoint [_checkpoint_2]
+
+Module for parsing Checkpoint syslog.
+
+**`checkpoint.confidence_level`**
+:   Confidence level determined by ThreatCloud.
+
+type: integer
+
+
+**`checkpoint.calc_desc`**
+:   Log description.
+
+type: keyword
+
+
+**`checkpoint.dst_country`**
+:   Destination country.
+
+type: keyword
+
+
+**`checkpoint.dst_user_name`**
+:   Connected user name on the destination IP.
+
+type: keyword
+
+
+**`checkpoint.email_id`**
+:   Email number in smtp connection.
+
+type: keyword
+
+
+**`checkpoint.email_subject`**
+:   Original email subject.
+
+type: keyword
+
+
+**`checkpoint.email_session_id`**
+:   Connection uuid.
+
+type: keyword
+
+
+**`checkpoint.event_count`**
+:   Number of events associated with the log.
+
+type: long
+
+
+**`checkpoint.sys_message`**
+:   System messages
+
+type: keyword
+
+
+**`checkpoint.logid`**
+:   System messages
+
+type: keyword
+
+
+**`checkpoint.failure_impact`**
+:   The impact of update service failure.
+
+type: keyword
+
+
+**`checkpoint.id`**
+:   Override application ID.
+
+type: integer
+
+
+**`checkpoint.identity_src`**
+:   The source for authentication identity information.
+
+type: keyword
+
+
+**`checkpoint.information`**
+:   Policy installation status for a specific blade.
+
+type: keyword
+
+
+**`checkpoint.layer_name`**
+:   Layer name.
+
+type: keyword
+
+
+**`checkpoint.layer_uuid`**
+:   Layer UUID.
+
+type: keyword
+
+
+**`checkpoint.log_id`**
+:   Unique identity for logs.
+
+type: integer
+
+
+**`checkpoint.malware_family`**
+:   Additional information on protection.
+
+type: keyword
+
+
+**`checkpoint.origin_sic_name`**
+:   Machine SIC.
+
+type: keyword
+
+
+**`checkpoint.policy_mgmt`**
+:   Name of the Management Server that manages this Security Gateway.
+
+type: keyword
+
+
+**`checkpoint.policy_name`**
+:   Name of the last policy that this Security Gateway fetched.
+
+type: keyword
+
+
+**`checkpoint.protection_id`**
+:   Protection malware id.
+
+type: keyword
+
+
+**`checkpoint.protection_name`**
+:   Specific signature name of the attack.
+
+type: keyword
+
+
+**`checkpoint.protection_type`**
+:   Type of protection used to detect the attack.
+
+type: keyword
+
+
+**`checkpoint.protocol`**
+:   Protocol detected on the connection.
+
+type: keyword
+
+
+**`checkpoint.proxy_src_ip`**
+:   Sender source IP (even when using proxy).
+
+type: ip
+
+
+**`checkpoint.rule`**
+:   Matched rule number.
+
+type: integer
+
+
+**`checkpoint.rule_action`**
+:   Action of the matched rule in the access policy.
+
+type: keyword
+
+
+**`checkpoint.scan_direction`**
+:   Scan direction.
+
+type: keyword
+
+
+**`checkpoint.session_id`**
+:   Log uuid.
+
+type: keyword
+
+
+**`checkpoint.source_os`**
+:   OS which generated the attack.
+
+type: keyword
+
+
+**`checkpoint.src_country`**
+:   Country name, derived from connection source IP address.
+
+type: keyword
+
+
+**`checkpoint.src_user_name`**
+:   User name connected to source IP
+
+type: keyword
+
+
+**`checkpoint.ticket_id`**
+:   Unique ID per file.
+
+type: keyword
+
+
+**`checkpoint.tls_server_host_name`**
+:   SNI/CN from encrypted TLS connection used by URLF for categorization.
+
+type: keyword
+
+
+**`checkpoint.verdict`**
+:   TE engine verdict Possible values: Malicious/Benign/Error.
+
+type: keyword
+
+
+**`checkpoint.user`**
+:   Source user name.
+
+type: keyword
+
+
+**`checkpoint.vendor_list`**
+:   The vendor name that provided the verdict for a malicious URL.
+
+type: keyword
+
+
+**`checkpoint.web_server_type`**
+:   Web server detected in the HTTP response.
+
+type: keyword
+
+
+**`checkpoint.client_name`**
+:   Client Application or Software Blade that detected the event.
+
+type: keyword
+
+
+**`checkpoint.client_version`**
+:   Build version of SandBlast Agent client installed on the computer.
+
+type: keyword
+
+
+**`checkpoint.extension_version`**
+:   Build version of the SandBlast Agent browser extension.
+
+type: keyword
+
+
+**`checkpoint.host_time`**
+:   Local time on the endpoint computer.
+
+type: keyword
+
+
+**`checkpoint.installed_products`**
+:   List of installed Endpoint Software Blades.
+
+type: keyword
+
+
+**`checkpoint.cc`**
+:   The Carbon Copy address of the email.
+
+type: keyword
+
+
+**`checkpoint.parent_process_username`**
+:   Owner username of the parent process of the process that triggered the attack.
+
+type: keyword
+
+
+**`checkpoint.process_username`**
+:   Owner username of the process that triggered the attack.
+
+type: keyword
+
+
+**`checkpoint.audit_status`**
+:   Audit Status. Can be Success or Failure.
+
+type: keyword
+
+
+**`checkpoint.objecttable`**
+:   Table of affected objects.
+
+type: keyword
+
+
+**`checkpoint.objecttype`**
+:   The type of the affected object.
+
+type: keyword
+
+
+**`checkpoint.operation_number`**
+:   The operation nuber.
+
+type: keyword
+
+
+**`checkpoint.email_recipients_num`**
+:   Amount of recipients whom the mail was sent to.
+
+type: integer
+
+
+**`checkpoint.suppressed_logs`**
+:   Aggregated connections for five minutes on the same source, destination and port.
+
+type: integer
+
+
+**`checkpoint.blade_name`**
+:   Blade name.
+
+type: keyword
+
+
+**`checkpoint.status`**
+:   Ok/Warning/Error.
+
+type: keyword
+
+
+**`checkpoint.short_desc`**
+:   Short description of the process that was executed.
+
+type: keyword
+
+
+**`checkpoint.long_desc`**
+:   More information on the process (usually describing error reason in failure).
+
+type: keyword
+
+
+**`checkpoint.scan_hosts_hour`**
+:   Number of unique hosts during the last hour.
+
+type: integer
+
+
+**`checkpoint.scan_hosts_day`**
+:   Number of unique hosts during the last day.
+
+type: integer
+
+
+**`checkpoint.scan_hosts_week`**
+:   Number of unique hosts during the last week.
+
+type: integer
+
+
+**`checkpoint.unique_detected_hour`**
+:   Detected virus for a specific host during the last hour.
+
+type: integer
+
+
+**`checkpoint.unique_detected_day`**
+:   Detected virus for a specific host during the last day.
+
+type: integer
+
+
+**`checkpoint.unique_detected_week`**
+:   Detected virus for a specific host during the last week.
+
+type: integer
+
+
+**`checkpoint.scan_mail`**
+:   Number of emails that were scanned by "AB malicious activity" engine.
+
+type: integer
+
+
+**`checkpoint.additional_ip`**
+:   DNS host name.
+
+type: keyword
+
+
+**`checkpoint.description`**
+:   Additional explanation how the security gateway enforced the connection.
+
+type: keyword
+
+
+**`checkpoint.email_spam_category`**
+:   Email categories. Possible values: spam/not spam/phishing.
+
+type: keyword
+
+
+**`checkpoint.email_control_analysis`**
+:   Message classification, received from spam vendor engine.
+
+type: keyword
+
+
+**`checkpoint.scan_results`**
+:   "Infected"/description of a failure.
+
+type: keyword
+
+
+**`checkpoint.original_queue_id`**
+:   Original postfix email queue id.
+
+type: keyword
+
+
+**`checkpoint.risk`**
+:   Risk level we got from the engine.
+
+type: keyword
+
+
+**`checkpoint.roles`**
+:   The role of identity.
+
+type: keyword
+
+
+**`checkpoint.observable_name`**
+:   IOC observable signature name.
+
+type: keyword
+
+
+**`checkpoint.observable_id`**
+:   IOC observable signature id.
+
+type: keyword
+
+
+**`checkpoint.observable_comment`**
+:   IOC observable signature description.
+
+type: keyword
+
+
+**`checkpoint.indicator_name`**
+:   IOC indicator name.
+
+type: keyword
+
+
+**`checkpoint.indicator_description`**
+:   IOC indicator description.
+
+type: keyword
+
+
+**`checkpoint.indicator_reference`**
+:   IOC indicator reference.
+
+type: keyword
+
+
+**`checkpoint.indicator_uuid`**
+:   IOC indicator uuid.
+
+type: keyword
+
+
+**`checkpoint.app_desc`**
+:   Application description.
+
+type: keyword
+
+
+**`checkpoint.app_id`**
+:   Application ID.
+
+type: integer
+
+
+**`checkpoint.app_sig_id`**
+:   IOC indicator description.
+
+type: keyword
+
+
+**`checkpoint.certificate_resource`**
+:   HTTPS resource Possible values: SNI or domain name (DN).
+
+type: keyword
+
+
+**`checkpoint.certificate_validation`**
+:   Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature.
+
+type: keyword
+
+
+**`checkpoint.browse_time`**
+:   Application session browse time.
+
+type: keyword
+
+
+**`checkpoint.limit_requested`**
+:   Indicates whether data limit was requested for the session.
+
+type: integer
+
+
+**`checkpoint.limit_applied`**
+:   Indicates whether the session was actually date limited.
+
+type: integer
+
+
+**`checkpoint.dropped_total`**
+:   Amount of dropped packets (both incoming and outgoing).
+
+type: integer
+
+
+**`checkpoint.client_type_os`**
+:   Client OS detected in the HTTP request.
+
+type: keyword
+
+
+**`checkpoint.name`**
+:   Application name.
+
+type: keyword
+
+
+**`checkpoint.properties`**
+:   Application categories.
+
+type: keyword
+
+
+**`checkpoint.sig_id`**
+:   Application’s signature ID which how it was detected by.
+
+type: keyword
+
+
+**`checkpoint.desc`**
+:   Override application description.
+
+type: keyword
+
+
+**`checkpoint.referrer_self_uid`**
+:   UUID of the current log.
+
+type: keyword
+
+
+**`checkpoint.referrer_parent_uid`**
+:   Log UUID of the referring application.
+
+type: keyword
+
+
+**`checkpoint.needs_browse_time`**
+:   Browse time required for the connection.
+
+type: integer
+
+
+**`checkpoint.cluster_info`**
+:   Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party.
+
+type: keyword
+
+
+**`checkpoint.sync`**
+:   Sync status and the reason (stable, at risk).
+
+type: keyword
+
+
+**`checkpoint.file_direction`**
+:   File direction. Possible options: upload/download.
+
+type: keyword
+
+
+**`checkpoint.invalid_file_size`**
+:   File_size field is valid only if this field is set to 0.
+
+type: integer
+
+
+**`checkpoint.top_archive_file_name`**
+:   In case of archive file: the file that was sent/received.
+
+type: keyword
+
+
+**`checkpoint.data_type_name`**
+:   Data type in rulebase that was matched.
+
+type: keyword
+
+
+**`checkpoint.specific_data_type_name`**
+:   Compound/Group scenario, data type that was matched.
+
+type: keyword
+
+
+**`checkpoint.word_list`**
+:   Words matched by data type.
+
+type: keyword
+
+
+**`checkpoint.info`**
+:   Special log message.
+
+type: keyword
+
+
+**`checkpoint.outgoing_url`**
+:   URL related to this log (for HTTP).
+
+type: keyword
+
+
+**`checkpoint.dlp_rule_name`**
+:   Matched rule name.
+
+type: keyword
+
+
+**`checkpoint.dlp_recipients`**
+:   Mail recipients.
+
+type: keyword
+
+
+**`checkpoint.dlp_subject`**
+:   Mail subject.
+
+type: keyword
+
+
+**`checkpoint.dlp_word_list`**
+:   Phrases matched by data type.
+
+type: keyword
+
+
+**`checkpoint.dlp_template_score`**
+:   Template data type match score.
+
+type: keyword
+
+
+**`checkpoint.message_size`**
+:   Mail/post size.
+
+type: integer
+
+
+**`checkpoint.dlp_incident_uid`**
+:   Unique ID of the matched rule.
+
+type: keyword
+
+
+**`checkpoint.dlp_related_incident_uid`**
+:   Other ID related to this one.
+
+type: keyword
+
+
+**`checkpoint.dlp_data_type_name`**
+:   Matched data type.
+
+type: keyword
+
+
+**`checkpoint.dlp_data_type_uid`**
+:   Unique ID of the matched data type.
+
+type: keyword
+
+
+**`checkpoint.dlp_violation_description`**
+:   Violation descriptions described in the rulebase.
+
+type: keyword
+
+
+**`checkpoint.dlp_relevant_data_types`**
+:   In case of Compound/Group: the inner data types that were matched.
+
+type: keyword
+
+
+**`checkpoint.dlp_action_reason`**
+:   Action chosen reason.
+
+type: keyword
+
+
+**`checkpoint.dlp_categories`**
+:   Data type category.
+
+type: keyword
+
+
+**`checkpoint.dlp_transint`**
+:   HTTP/SMTP/FTP.
+
+type: keyword
+
+
+**`checkpoint.duplicate`**
+:   Log marked as duplicated, when mail is split and the Security Gateway sees it twice.
+
+type: keyword
+
+
+**`checkpoint.incident_extension`**
+:   Matched data type.
+
+type: keyword
+
+
+**`checkpoint.matched_file`**
+:   Unique ID of the matched data type.
+
+type: keyword
+
+
+**`checkpoint.matched_file_text_segments`**
+:   Fingerprint: number of text segments matched by this traffic.
+
+type: integer
+
+
+**`checkpoint.matched_file_percentage`**
+:   Fingerprint: match percentage of the traffic.
+
+type: integer
+
+
+**`checkpoint.dlp_additional_action`**
+:   Watermark/None.
+
+type: keyword
+
+
+**`checkpoint.dlp_watermark_profile`**
+:   Watermark which was applied.
+
+type: keyword
+
+
+**`checkpoint.dlp_repository_id`**
+:   ID of scanned repository.
+
+type: keyword
+
+
+**`checkpoint.dlp_repository_root_path`**
+:   Repository path.
+
+type: keyword
+
+
+**`checkpoint.scan_id`**
+:   Sequential number of scan.
+
+type: keyword
+
+
+**`checkpoint.special_properties`**
+:   If this field is set to *1* the log will not be shown (in use for monitoring scan progress).
+
+type: integer
+
+
+**`checkpoint.dlp_repository_total_size`**
+:   Repository size.
+
+type: integer
+
+
+**`checkpoint.dlp_repository_files_number`**
+:   Number of files in repository.
+
+type: integer
+
+
+**`checkpoint.dlp_repository_scanned_files_number`**
+:   Number of scanned files in repository.
+
+type: integer
+
+
+**`checkpoint.duration`**
+:   Scan duration.
+
+type: keyword
+
+
+**`checkpoint.dlp_fingerprint_long_status`**
+:   Scan status - long format.
+
+type: keyword
+
+
+**`checkpoint.dlp_fingerprint_short_status`**
+:   Scan status - short format.
+
+type: keyword
+
+
+**`checkpoint.dlp_repository_directories_number`**
+:   Number of directories in repository.
+
+type: integer
+
+
+**`checkpoint.dlp_repository_unreachable_directories_number`**
+:   Number of directories the Security Gateway was unable to read.
+
+type: integer
+
+
+**`checkpoint.dlp_fingerprint_files_number`**
+:   Number of successfully scanned files in repository.
+
+type: integer
+
+
+**`checkpoint.dlp_repository_skipped_files_number`**
+:   Skipped number of files because of configuration.
+
+type: integer
+
+
+**`checkpoint.dlp_repository_scanned_directories_number`**
+:   Amount of directories scanned.
+
+type: integer
+
+
+**`checkpoint.number_of_errors`**
+:   Number of files that were not  scanned due to an error.
+
+type: integer
+
+
+**`checkpoint.next_scheduled_scan_date`**
+:   Next scan scheduled time according to time object.
+
+type: keyword
+
+
+**`checkpoint.dlp_repository_scanned_total_size`**
+:   Size scanned.
+
+type: integer
+
+
+**`checkpoint.dlp_repository_reached_directories_number`**
+:   Number of scanned directories in repository.
+
+type: integer
+
+
+**`checkpoint.dlp_repository_not_scanned_directories_percentage`**
+:   Percentage of directories the Security Gateway was unable to read.
+
+type: integer
+
+
+**`checkpoint.speed`**
+:   Current scan speed.
+
+type: integer
+
+
+**`checkpoint.dlp_repository_scan_progress`**
+:   Scan percentage.
+
+type: integer
+
+
+**`checkpoint.sub_policy_name`**
+:   Layer name.
+
+type: keyword
+
+
+**`checkpoint.sub_policy_uid`**
+:   Layer uid.
+
+type: keyword
+
+
+**`checkpoint.fw_message`**
+:   Used for various firewall errors.
+
+type: keyword
+
+
+**`checkpoint.message`**
+:   ISP link has failed.
+
+type: keyword
+
+
+**`checkpoint.isp_link`**
+:   Name of ISP link.
+
+type: keyword
+
+
+**`checkpoint.fw_subproduct`**
+:   Can be vpn/non vpn.
+
+type: keyword
+
+
+**`checkpoint.sctp_error`**
+:   Error information, what caused sctp to fail on out_of_state.
+
+type: keyword
+
+
+**`checkpoint.chunk_type`**
+:   Chunck of the sctp stream.
+
+type: keyword
+
+
+**`checkpoint.sctp_association_state`**
+:   The bad state you were trying to update to.
+
+type: keyword
+
+
+**`checkpoint.tcp_packet_out_of_state`**
+:   State violation.
+
+type: keyword
+
+
+**`checkpoint.tcp_flags`**
+:   TCP packet flags (SYN, ACK, etc.,).
+
+type: keyword
+
+
+**`checkpoint.connectivity_level`**
+:   Log for a new connection in wire mode.
+
+type: keyword
+
+
+**`checkpoint.ip_option`**
+:   IP option that was dropped.
+
+type: integer
+
+
+**`checkpoint.tcp_state`**
+:   Log reinting a tcp state change.
+
+type: keyword
+
+
+**`checkpoint.expire_time`**
+:   Connection closing time.
+
+type: keyword
+
+
+**`checkpoint.icmp_type`**
+:   In case a connection is ICMP, type info will be added to the log.
+
+type: integer
+
+
+**`checkpoint.icmp_code`**
+:   In case a connection is ICMP, code info will be added to the log.
+
+type: integer
+
+
+**`checkpoint.rpc_prog`**
+:   Log for new RPC state - prog values.
+
+type: integer
+
+
+**`checkpoint.dce-rpc_interface_uuid`**
+:   Log for new RPC state - UUID values
+
+type: keyword
+
+
+**`checkpoint.elapsed`**
+:   Time passed since start time.
+
+type: keyword
+
+
+**`checkpoint.icmp`**
+:   Number of packets, received by the client.
+
+type: keyword
+
+
+**`checkpoint.capture_uuid`**
+:   UUID generated for the capture. Used when enabling the capture when logging.
+
+type: keyword
+
+
+**`checkpoint.diameter_app_ID`**
+:   The ID of diameter application.
+
+type: integer
+
+
+**`checkpoint.diameter_cmd_code`**
+:   Diameter not allowed application command id.
+
+type: integer
+
+
+**`checkpoint.diameter_msg_type`**
+:   Diameter message type.
+
+type: keyword
+
+
+**`checkpoint.cp_message`**
+:   Used to log a general message.
+
+type: integer
+
+
+**`checkpoint.log_delay`**
+:   Time left before deleting template.
+
+type: integer
+
+
+**`checkpoint.attack_status`**
+:   In case of a malicious event on an endpoint computer, the status of the attack.
+
+type: keyword
+
+
+**`checkpoint.impacted_files`**
+:   In case of an infection on an endpoint computer, the list of files that the malware impacted.
+
+type: keyword
+
+
+**`checkpoint.remediated_files`**
+:   In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer.
+
+type: keyword
+
+
+**`checkpoint.triggered_by`**
+:   The name of the mechanism that triggered the Software Blade to enforce a protection.
+
+type: keyword
+
+
+**`checkpoint.https_inspection_rule_id`**
+:   ID of the matched rule.
+
+type: keyword
+
+
+**`checkpoint.https_inspection_rule_name`**
+:   Name of the matched rule.
+
+type: keyword
+
+
+**`checkpoint.app_properties`**
+:   List of all found categories.
+
+type: keyword
+
+
+**`checkpoint.https_validation`**
+:   Precise error, describing HTTPS inspection failure.
+
+type: keyword
+
+
+**`checkpoint.https_inspection_action`**
+:   HTTPS inspection action (Inspect/Bypass/Error).
+
+type: keyword
+
+
+**`checkpoint.icap_service_id`**
+:   Service ID, can work with multiple servers, treated as services.
+
+type: integer
+
+
+**`checkpoint.icap_server_name`**
+:   Server name.
+
+type: keyword
+
+
+**`checkpoint.internal_error`**
+:   Internal error, for troubleshooting
+
+type: keyword
+
+
+**`checkpoint.icap_more_info`**
+:   Free text for verdict.
+
+type: integer
+
+
+**`checkpoint.reply_status`**
+:   ICAP reply status code, e.g. 200 or 204.
+
+type: integer
+
+
+**`checkpoint.icap_server_service`**
+:   Service name, as given in the ICAP URI
+
+type: keyword
+
+
+**`checkpoint.mirror_and_decrypt_type`**
+:   Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass).
+
+type: keyword
+
+
+**`checkpoint.interface_name`**
+:   Designated interface for mirror And decrypt.
+
+type: keyword
+
+
+**`checkpoint.session_uid`**
+:   HTTP session-id.
+
+type: keyword
+
+
+**`checkpoint.broker_publisher`**
+:   IP address of the broker publisher who shared the session information.
+
+type: ip
+
+
+**`checkpoint.src_user_dn`**
+:   User distinguished name connected to source IP.
+
+type: keyword
+
+
+**`checkpoint.proxy_user_name`**
+:   User name connected to proxy IP.
+
+type: keyword
+
+
+**`checkpoint.proxy_machine_name`**
+:   Machine name connected to proxy IP.
+
+type: integer
+
+
+**`checkpoint.proxy_user_dn`**
+:   User distinguished name connected to proxy IP.
+
+type: keyword
+
+
+**`checkpoint.query`**
+:   DNS query.
+
+type: keyword
+
+
+**`checkpoint.dns_query`**
+:   DNS query.
+
+type: keyword
+
+
+**`checkpoint.inspection_item`**
+:   Blade element performed inspection.
+
+type: keyword
+
+
+**`checkpoint.performance_impact`**
+:   Protection performance impact.
+
+type: integer
+
+
+**`checkpoint.inspection_category`**
+:   Inspection category: protocol anomaly, signature etc.
+
+type: keyword
+
+
+**`checkpoint.inspection_profile`**
+:   Profile which the activated protection belongs to.
+
+type: keyword
+
+
+**`checkpoint.summary`**
+:   Summary message of a non-compliant DNS traffic drops or detects.
+
+type: keyword
+
+
+**`checkpoint.question_rdata`**
+:   List of question records domains.
+
+type: keyword
+
+
+**`checkpoint.answer_rdata`**
+:   List of answer resource records to the questioned domains.
+
+type: keyword
+
+
+**`checkpoint.authority_rdata`**
+:   List of authoritative servers.
+
+type: keyword
+
+
+**`checkpoint.additional_rdata`**
+:   List of additional resource records.
+
+type: keyword
+
+
+**`checkpoint.files_names`**
+:   List of files requested by FTP.
+
+type: keyword
+
+
+**`checkpoint.ftp_user`**
+:   FTP username.
+
+type: keyword
+
+
+**`checkpoint.mime_from`**
+:   Sender’s address.
+
+type: keyword
+
+
+**`checkpoint.mime_to`**
+:   List of receiver address.
+
+type: keyword
+
+
+**`checkpoint.bcc`**
+:   List of BCC addresses.
+
+type: keyword
+
+
+**`checkpoint.content_type`**
+:   Mail content type. Possible values: application/msword, text/html, image/gif etc.
+
+type: keyword
+
+
+**`checkpoint.user_agent`**
+:   String identifying requesting software user agent.
+
+type: keyword
+
+
+**`checkpoint.referrer`**
+:   Referrer HTTP request header, previous web page address.
+
+type: keyword
+
+
+**`checkpoint.http_location`**
+:   Response header, indicates the URL to redirect a page to.
+
+type: keyword
+
+
+**`checkpoint.content_disposition`**
+:   Indicates how the content is expected to be displayed inline in the browser.
+
+type: keyword
+
+
+**`checkpoint.via`**
+:   Via header is added by proxies for tracking purposes to avoid sending reqests in loop.
+
+type: keyword
+
+
+**`checkpoint.http_server`**
+:   Server HTTP header value, contains information about the software used by the origin server, which handles the request.
+
+type: keyword
+
+
+**`checkpoint.content_length`**
+:   Indicates the size of the entity-body of the HTTP header.
+
+type: keyword
+
+
+**`checkpoint.authorization`**
+:   Authorization HTTP header value.
+
+type: keyword
+
+
+**`checkpoint.http_host`**
+:   Domain name of the server that the HTTP request is sent to.
+
+type: keyword
+
+
+**`checkpoint.inspection_settings_log`**
+:   Indicats that the log was released by inspection settings.
+
+type: keyword
+
+
+**`checkpoint.cvpn_resource`**
+:   Mobile Access application.
+
+type: keyword
+
+
+**`checkpoint.cvpn_category`**
+:   Mobile Access application type.
+
+type: keyword
+
+
+**`checkpoint.url`**
+:   Translated URL.
+
+type: keyword
+
+
+**`checkpoint.reject_id`**
+:   A reject ID that corresponds to the one presented in the Mobile Access error page.
+
+type: keyword
+
+
+**`checkpoint.fs-proto`**
+:   The file share protocol used in mobile acess file share application.
+
+type: keyword
+
+
+**`checkpoint.app_package`**
+:   Unique identifier of the application on the protected mobile device.
+
+type: keyword
+
+
+**`checkpoint.appi_name`**
+:   Name of application downloaded on the protected mobile device.
+
+type: keyword
+
+
+**`checkpoint.app_repackaged`**
+:   Indicates whether the original application was repackage not by the official developer.
+
+type: keyword
+
+
+**`checkpoint.app_sid_id`**
+:   Unique SHA identifier of a mobile application.
+
+type: keyword
+
+
+**`checkpoint.app_version`**
+:   Version of the application downloaded on the protected mobile device.
+
+type: keyword
+
+
+**`checkpoint.developer_certificate_name`**
+:   Name of the developer’s certificate that was used to sign the mobile application.
+
+type: keyword
+
+
+**`checkpoint.email_control`**
+:   Engine name.
+
+type: keyword
+
+
+**`checkpoint.email_message_id`**
+:   Email session id (uniqe ID of the mail).
+
+type: keyword
+
+
+**`checkpoint.email_queue_id`**
+:   Postfix email queue id.
+
+type: keyword
+
+
+**`checkpoint.email_queue_name`**
+:   Postfix email queue name.
+
+type: keyword
+
+
+**`checkpoint.file_name`**
+:   Malicious file name.
+
+type: keyword
+
+
+**`checkpoint.failure_reason`**
+:   MTA failure description.
+
+type: keyword
+
+
+**`checkpoint.email_headers`**
+:   String containing all the email headers.
+
+type: keyword
+
+
+**`checkpoint.arrival_time`**
+:   Email arrival timestamp.
+
+type: keyword
+
+
+**`checkpoint.email_status`**
+:   Describes the email’s state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended
+
+type: keyword
+
+
+**`checkpoint.status_update`**
+:   Last time log was updated.
+
+type: keyword
+
+
+**`checkpoint.delivery_time`**
+:   Timestamp of when email was delivered (MTA finished handling the email.
+
+type: keyword
+
+
+**`checkpoint.links_num`**
+:   Number of links in the mail.
+
+type: integer
+
+
+**`checkpoint.attachments_num`**
+:   Number of attachments in the mail.
+
+type: integer
+
+
+**`checkpoint.email_content`**
+:   Mail contents. Possible options: attachments/links & attachments/links/text only.
+
+type: keyword
+
+
+**`checkpoint.allocated_ports`**
+:   Amount of allocated ports.
+
+type: integer
+
+
+**`checkpoint.capacity`**
+:   Capacity of the ports.
+
+type: integer
+
+
+**`checkpoint.ports_usage`**
+:   Percentage of allocated ports.
+
+type: integer
+
+
+**`checkpoint.nat_exhausted_pool`**
+:   4-tuple of an exhausted pool.
+
+type: keyword
+
+
+**`checkpoint.nat_rulenum`**
+:   NAT rulebase first matched rule.
+
+type: integer
+
+
+**`checkpoint.nat_addtnl_rulenum`**
+:   When matching 2 automatic rules , second rule match will be shown otherwise field will be 0.
+
+type: integer
+
+
+**`checkpoint.message_info`**
+:   Used for information messages, for example:NAT connection has ended.
+
+type: keyword
+
+
+**`checkpoint.nat46`**
+:   NAT 46 status, in most cases "enabled".
+
+type: keyword
+
+
+**`checkpoint.end_time`**
+:   TCP connection end time.
+
+type: keyword
+
+
+**`checkpoint.tcp_end_reason`**
+:   Reason for TCP connection closure.
+
+type: keyword
+
+
+**`checkpoint.cgnet`**
+:   Describes NAT allocation for specific subscriber.
+
+type: keyword
+
+
+**`checkpoint.subscriber`**
+:   Source IP before CGNAT.
+
+type: ip
+
+
+**`checkpoint.hide_ip`**
+:   Source IP which will be used after CGNAT.
+
+type: ip
+
+
+**`checkpoint.int_start`**
+:   Subscriber start int which will be used for NAT.
+
+type: integer
+
+
+**`checkpoint.int_end`**
+:   Subscriber end int which will be used for NAT.
+
+type: integer
+
+
+**`checkpoint.packet_amount`**
+:   Amount of packets dropped.
+
+type: integer
+
+
+**`checkpoint.monitor_reason`**
+:   Aggregated logs of monitored packets.
+
+type: keyword
+
+
+**`checkpoint.drops_amount`**
+:   Amount of multicast packets dropped.
+
+type: integer
+
+
+**`checkpoint.securexl_message`**
+:   Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop.
+
+type: keyword
+
+
+**`checkpoint.conns_amount`**
+:   Connections amount of aggregated log info.
+
+type: integer
+
+
+**`checkpoint.scope`**
+:   IP related to the attack.
+
+type: keyword
+
+
+**`checkpoint.analyzed_on`**
+:   Check Point ThreatCloud / emulator name.
+
+type: keyword
+
+
+**`checkpoint.detected_on`**
+:   System and applications version the file was emulated on.
+
+type: keyword
+
+
+**`checkpoint.dropped_file_name`**
+:   List of names dropped from the original file.
+
+type: keyword
+
+
+**`checkpoint.dropped_file_type`**
+:   List of file types dropped from the original file.
+
+type: keyword
+
+
+**`checkpoint.dropped_file_hash`**
+:   List of file hashes dropped from the original file.
+
+type: keyword
+
+
+**`checkpoint.dropped_file_verdict`**
+:   List of file verdics dropped from the original file.
+
+type: keyword
+
+
+**`checkpoint.emulated_on`**
+:   Images the files were emulated on.
+
+type: keyword
+
+
+**`checkpoint.extracted_file_type`**
+:   Types of extracted files in case of an archive.
+
+type: keyword
+
+
+**`checkpoint.extracted_file_names`**
+:   Names of extracted files in case of an archive.
+
+type: keyword
+
+
+**`checkpoint.extracted_file_hash`**
+:   Archive hash in case of extracted files.
+
+type: keyword
+
+
+**`checkpoint.extracted_file_verdict`**
+:   Verdict of extracted files in case of an archive.
+
+type: keyword
+
+
+**`checkpoint.extracted_file_uid`**
+:   UID of extracted files in case of an archive.
+
+type: keyword
+
+
+**`checkpoint.mitre_initial_access`**
+:   The adversary is trying to break into your network.
+
+type: keyword
+
+
+**`checkpoint.mitre_execution`**
+:   The adversary is trying to run malicious code.
+
+type: keyword
+
+
+**`checkpoint.mitre_persistence`**
+:   The adversary is trying to maintain his foothold.
+
+type: keyword
+
+
+**`checkpoint.mitre_privilege_escalation`**
+:   The adversary is trying to gain higher-level permissions.
+
+type: keyword
+
+
+**`checkpoint.mitre_defense_evasion`**
+:   The adversary is trying to avoid being detected.
+
+type: keyword
+
+
+**`checkpoint.mitre_credential_access`**
+:   The adversary is trying to steal account names and passwords.
+
+type: keyword
+
+
+**`checkpoint.mitre_discovery`**
+:   The adversary is trying to expose information about your environment.
+
+type: keyword
+
+
+**`checkpoint.mitre_lateral_movement`**
+:   The adversary is trying to explore your environment.
+
+type: keyword
+
+
+**`checkpoint.mitre_collection`**
+:   The adversary is trying to collect data of interest to achieve his goal.
+
+type: keyword
+
+
+**`checkpoint.mitre_command_and_control`**
+:   The adversary is trying to communicate with compromised systems in order to control them.
+
+type: keyword
+
+
+**`checkpoint.mitre_exfiltration`**
+:   The adversary is trying to steal data.
+
+type: keyword
+
+
+**`checkpoint.mitre_impact`**
+:   The adversary is trying to manipulate, interrupt, or destroy your systems and data.
+
+type: keyword
+
+
+**`checkpoint.parent_file_hash`**
+:   Archive’s hash in case of extracted files.
+
+type: keyword
+
+
+**`checkpoint.parent_file_name`**
+:   Archive’s name in case of extracted files.
+
+type: keyword
+
+
+**`checkpoint.parent_file_uid`**
+:   Archive’s UID in case of extracted files.
+
+type: keyword
+
+
+**`checkpoint.similiar_iocs`**
+:   Other IoCs similar to the ones found, related to the malicious file.
+
+type: keyword
+
+
+**`checkpoint.similar_hashes`**
+:   Hashes found similar to the malicious file.
+
+type: keyword
+
+
+**`checkpoint.similar_strings`**
+:   Strings found similar to the malicious file.
+
+type: keyword
+
+
+**`checkpoint.similar_communication`**
+:   Network action found similar to the malicious file.
+
+type: keyword
+
+
+**`checkpoint.te_verdict_determined_by`**
+:   Emulators determined file verdict.
+
+type: keyword
+
+
+**`checkpoint.packet_capture_unique_id`**
+:   Identifier of the packet capture files.
+
+type: keyword
+
+
+**`checkpoint.total_attachments`**
+:   The number of attachments in an email.
+
+type: integer
+
+
+**`checkpoint.additional_info`**
+:   ID of original file/mail which are sent by admin.
+
+type: keyword
+
+
+**`checkpoint.content_risk`**
+:   File risk.
+
+type: integer
+
+
+**`checkpoint.operation`**
+:   Operation made by Threat Extraction.
+
+type: keyword
+
+
+**`checkpoint.scrubbed_content`**
+:   Active content that was found.
+
+type: keyword
+
+
+**`checkpoint.scrub_time`**
+:   Extraction process duration.
+
+type: keyword
+
+
+**`checkpoint.scrub_download_time`**
+:   File download time from resource.
+
+type: keyword
+
+
+**`checkpoint.scrub_total_time`**
+:   Threat extraction total file handling time.
+
+type: keyword
+
+
+**`checkpoint.scrub_activity`**
+:   The result of the extraction
+
+type: keyword
+
+
+**`checkpoint.watermark`**
+:   Reports whether watermark is added to the cleaned file.
+
+type: keyword
+
+
+**`checkpoint.snid`**
+:   The Check Point session ID.
+
+type: keyword
+
+
+**`checkpoint.source_object`**
+:   Matched object name on source column.
+
+type: keyword
+
+
+**`checkpoint.destination_object`**
+:   Matched object name on destination column.
+
+type: keyword
+
+
+**`checkpoint.drop_reason`**
+:   Drop reason description.
+
+type: keyword
+
+
+**`checkpoint.hit`**
+:   Number of hits on a rule.
+
+type: integer
+
+
+**`checkpoint.rulebase_id`**
+:   Layer number.
+
+type: integer
+
+
+**`checkpoint.first_hit_time`**
+:   First hit time in current interval.
+
+type: integer
+
+
+**`checkpoint.last_hit_time`**
+:   Last hit time in current interval.
+
+type: integer
+
+
+**`checkpoint.rematch_info`**
+:   Information sent when old connections cannot be matched during policy installation.
+
+type: keyword
+
+
+**`checkpoint.last_rematch_time`**
+:   Connection rematched time.
+
+type: keyword
+
+
+**`checkpoint.action_reason`**
+:   Connection drop reason.
+
+type: integer
+
+
+**`checkpoint.action_reason_msg`**
+:   Connection drop reason message.
+
+type: keyword
+
+
+**`checkpoint.c_bytes`**
+:   Boolean value indicates whether bytes sent from the client side are used.
+
+type: integer
+
+
+**`checkpoint.context_num`**
+:   Serial number of the log for a specific connection.
+
+type: integer
+
+
+**`checkpoint.match_id`**
+:   Private key of the rule
+
+type: integer
+
+
+**`checkpoint.alert`**
+:   Alert level of matched rule (for connection logs).
+
+type: keyword
+
+
+**`checkpoint.parent_rule`**
+:   Parent rule number, in case of inline layer.
+
+type: integer
+
+
+**`checkpoint.match_fk`**
+:   Rule number.
+
+type: integer
+
+
+**`checkpoint.dropped_outgoing`**
+:   Number of outgoing bytes dropped when using UP-limit feature.
+
+type: integer
+
+
+**`checkpoint.dropped_incoming`**
+:   Number of incoming bytes dropped when using UP-limit feature.
+
+type: integer
+
+
+**`checkpoint.media_type`**
+:   Media used (audio, video, etc.)
+
+type: keyword
+
+
+**`checkpoint.sip_reason`**
+:   Explains why *source_ip* isn’t allowed to redirect (handover).
+
+type: keyword
+
+
+**`checkpoint.voip_method`**
+:   Registration request.
+
+type: keyword
+
+
+**`checkpoint.registered_ip-phones`**
+:   Registered IP-Phones.
+
+type: keyword
+
+
+**`checkpoint.voip_reg_user_type`**
+:   Registered IP-Phone type.
+
+type: keyword
+
+
+**`checkpoint.voip_call_id`**
+:   Call-ID.
+
+type: keyword
+
+
+**`checkpoint.voip_reg_int`**
+:   Registration port.
+
+type: integer
+
+
+**`checkpoint.voip_reg_ipp`**
+:   Registration IP protocol.
+
+type: integer
+
+
+**`checkpoint.voip_reg_period`**
+:   Registration period.
+
+type: integer
+
+
+**`checkpoint.voip_log_type`**
+:   VoIP log types. Possible values: reject, call, registration.
+
+type: keyword
+
+
+**`checkpoint.src_phone_number`**
+:   Source IP-Phone.
+
+type: keyword
+
+
+**`checkpoint.voip_from_user_type`**
+:   Source IP-Phone type.
+
+type: keyword
+
+
+**`checkpoint.dst_phone_number`**
+:   Destination IP-Phone.
+
+type: keyword
+
+
+**`checkpoint.voip_to_user_type`**
+:   Destination IP-Phone type.
+
+type: keyword
+
+
+**`checkpoint.voip_call_dir`**
+:   Call direction: in/out.
+
+type: keyword
+
+
+**`checkpoint.voip_call_state`**
+:   Call state. Possible values: in/out.
+
+type: keyword
+
+
+**`checkpoint.voip_call_term_time`**
+:   Call termination time stamp.
+
+type: keyword
+
+
+**`checkpoint.voip_duration`**
+:   Call duration (seconds).
+
+type: keyword
+
+
+**`checkpoint.voip_media_port`**
+:   Media int.
+
+type: keyword
+
+
+**`checkpoint.voip_media_ipp`**
+:   Media IP protocol.
+
+type: keyword
+
+
+**`checkpoint.voip_est_codec`**
+:   Estimated codec.
+
+type: keyword
+
+
+**`checkpoint.voip_exp`**
+:   Expiration.
+
+type: integer
+
+
+**`checkpoint.voip_attach_sz`**
+:   Attachment size.
+
+type: integer
+
+
+**`checkpoint.voip_attach_action_info`**
+:   Attachment action Info.
+
+type: keyword
+
+
+**`checkpoint.voip_media_codec`**
+:   Estimated codec.
+
+type: keyword
+
+
+**`checkpoint.voip_reject_reason`**
+:   Reject reason.
+
+type: keyword
+
+
+**`checkpoint.voip_reason_info`**
+:   Information.
+
+type: keyword
+
+
+**`checkpoint.voip_config`**
+:   Configuration.
+
+type: keyword
+
+
+**`checkpoint.voip_reg_server`**
+:   Registrar server IP address.
+
+type: ip
+
+
+**`checkpoint.scv_user`**
+:   Username whose packets are dropped on SCV.
+
+type: keyword
+
+
+**`checkpoint.scv_message_info`**
+:   Drop reason.
+
+type: keyword
+
+
+**`checkpoint.ppp`**
+:   Authentication status.
+
+type: keyword
+
+
+**`checkpoint.scheme`**
+:   Describes the scheme used for the log.
+
+type: keyword
+
+
+**`checkpoint.auth_method`**
+:   Password authentication protocol used (PAP or EAP).
+
+type: keyword
+
+
+**`checkpoint.auth_status`**
+:   The authentication status for an event.
+
+type: keyword
+
+
+**`checkpoint.machine`**
+:   L2TP machine which triggered the log and the log refers to it.
+
+type: keyword
+
+
+**`checkpoint.vpn_feature_name`**
+:   L2TP /IKE / Link Selection.
+
+type: keyword
+
+
+**`checkpoint.reject_category`**
+:   Authentication failure reason.
+
+type: keyword
+
+
+**`checkpoint.peer_ip_probing_status_update`**
+:   IP address response status.
+
+type: keyword
+
+
+**`checkpoint.peer_ip`**
+:   IP address which the client connects to.
+
+type: keyword
+
+
+**`checkpoint.peer_gateway`**
+:   Main IP of the peer Security Gateway.
+
+type: ip
+
+
+**`checkpoint.link_probing_status_update`**
+:   IP address response status.
+
+type: keyword
+
+
+**`checkpoint.source_interface`**
+:   External Interface name for source interface or Null if not found.
+
+type: keyword
+
+
+**`checkpoint.next_hop_ip`**
+:   Next hop IP address.
+
+type: keyword
+
+
+**`checkpoint.srckeyid`**
+:   Initiator Spi ID.
+
+type: keyword
+
+
+**`checkpoint.dstkeyid`**
+:   Responder Spi ID.
+
+type: keyword
+
+
+**`checkpoint.encryption_failure`**
+:   Message indicating why the encryption failed.
+
+type: keyword
+
+
+**`checkpoint.ike_ids`**
+:   All QM ids.
+
+type: keyword
+
+
+**`checkpoint.community`**
+:   Community name for the IPSec key and the use of the IKEv.
+
+type: keyword
+
+
+**`checkpoint.ike`**
+:   IKEMode (PHASE1, PHASE2, etc..).
+
+type: keyword
+
+
+**`checkpoint.cookieI`**
+:   Initiator cookie.
+
+type: keyword
+
+
+**`checkpoint.cookieR`**
+:   Responder cookie.
+
+type: keyword
+
+
+**`checkpoint.msgid`**
+:   Message ID.
+
+type: keyword
+
+
+**`checkpoint.methods`**
+:   IPSEc methods.
+
+type: keyword
+
+
+**`checkpoint.connection_uid`**
+:   Calculation of md5 of the IP and user name as UID.
+
+type: keyword
+
+
+**`checkpoint.site_name`**
+:   Site name.
+
+type: keyword
+
+
+**`checkpoint.esod_rule_name`**
+:   Unknown rule name.
+
+type: keyword
+
+
+**`checkpoint.esod_rule_action`**
+:   Unknown rule action.
+
+type: keyword
+
+
+**`checkpoint.esod_rule_type`**
+:   Unknown rule type.
+
+type: keyword
+
+
+**`checkpoint.esod_noncompliance_reason`**
+:   Non-compliance reason.
+
+type: keyword
+
+
+**`checkpoint.esod_associated_policies`**
+:   Associated policies.
+
+type: keyword
+
+
+**`checkpoint.spyware_name`**
+:   Spyware name.
+
+type: keyword
+
+
+**`checkpoint.spyware_type`**
+:   Spyware type.
+
+type: keyword
+
+
+**`checkpoint.anti_virus_type`**
+:   Anti virus type.
+
+type: keyword
+
+
+**`checkpoint.end_user_firewall_type`**
+:   End user firewall type.
+
+type: keyword
+
+
+**`checkpoint.esod_scan_status`**
+:   Scan failed.
+
+type: keyword
+
+
+**`checkpoint.esod_access_status`**
+:   Access denied.
+
+type: keyword
+
+
+**`checkpoint.client_type`**
+:   Endpoint Connect.
+
+type: keyword
+
+
+**`checkpoint.precise_error`**
+:   HTTP parser error.
+
+type: keyword
+
+
+**`checkpoint.method`**
+:   HTTP method.
+
+type: keyword
+
+
+**`checkpoint.trusted_domain`**
+:   In case of phishing event, the domain, which the attacker was impersonating.
+
+type: keyword
+
+
+**`checkpoint.comment`**
+:   type: keyword
+
+
+**`checkpoint.conn_direction`**
+:   Connection direction
+
+type: keyword
+
+
+**`checkpoint.db_ver`**
+:   Database version
+
+type: keyword
+
+
+**`checkpoint.update_status`**
+:   Status of database update
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-cisco.md b/docs/reference/filebeat/exported-fields-cisco.md
new file mode 100644
index 000000000000..c2683a3fcc9c
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-cisco.md
@@ -0,0 +1,850 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-cisco.html
+---
+
+# Cisco fields [exported-fields-cisco]
+
+Module for handling Cisco network device logs.
+
+
+## cisco.amp [_cisco_amp]
+
+Module for parsing Cisco AMP logs.
+
+**`cisco.amp.timestamp_nanoseconds`**
+:   The timestamp in Epoch nanoseconds.
+
+type: date
+
+
+**`cisco.amp.event_type_id`**
+:   A sub ID of the event, depending on event type.
+
+type: keyword
+
+
+**`cisco.amp.detection`**
+:   The name of the malware detected.
+
+type: keyword
+
+
+**`cisco.amp.detection_id`**
+:   The ID of the detection.
+
+type: keyword
+
+
+**`cisco.amp.connector_guid`**
+:   The GUID of the connector sending information to AMP.
+
+type: keyword
+
+
+**`cisco.amp.group_guids`**
+:   An array of group GUIDS related to the connector sending information to AMP.
+
+type: keyword
+
+
+**`cisco.amp.vulnerabilities`**
+:   An array of related vulnerabilities to the malicious event.
+
+type: flattened
+
+
+**`cisco.amp.scan.description`**
+:   Description of an event related to a scan being initiated, for example the specific directory name.
+
+type: keyword
+
+
+**`cisco.amp.scan.clean`**
+:   Boolean value if a scanned file was clean or not.
+
+type: boolean
+
+
+**`cisco.amp.scan.scanned_files`**
+:   Count of files scanned in a directory.
+
+type: long
+
+
+**`cisco.amp.scan.scanned_processes`**
+:   Count of processes scanned related to a single scan event.
+
+type: long
+
+
+**`cisco.amp.scan.scanned_paths`**
+:   Count of different directories scanned related to a single scan event.
+
+type: long
+
+
+**`cisco.amp.scan.malicious_detections`**
+:   Count of malicious files or documents detected related to a single scan event.
+
+type: long
+
+
+**`cisco.amp.computer.connector_guid`**
+:   The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved.
+
+type: keyword
+
+
+**`cisco.amp.computer.external_ip`**
+:   The external IP of the related host.
+
+type: ip
+
+
+**`cisco.amp.computer.active`**
+:   If the current endpoint is active or not.
+
+type: boolean
+
+
+**`cisco.amp.computer.network_addresses`**
+:   All network interface information on the related host.
+
+type: flattened
+
+
+**`cisco.amp.file.disposition`**
+:   Categorization of file, for example "Malicious" or "Clean".
+
+type: keyword
+
+
+**`cisco.amp.network_info.disposition`**
+:   Categorization of a network event related to a file, for example "Malicious" or "Clean".
+
+type: keyword
+
+
+**`cisco.amp.network_info.nfm.direction`**
+:   The current direction based on source and destination IP.
+
+type: keyword
+
+
+**`cisco.amp.related.mac`**
+:   An array of all related MAC addresses.
+
+type: keyword
+
+
+**`cisco.amp.related.cve`**
+:   An array of all related MAC addresses.
+
+type: keyword
+
+
+**`cisco.amp.cloud_ioc.description`**
+:   Description of the related IOC for specific IOC events from AMP.
+
+type: keyword
+
+
+**`cisco.amp.cloud_ioc.short_description`**
+:   Short description of the related IOC for specific IOC events from AMP.
+
+type: keyword
+
+
+**`cisco.amp.network_info.parent.disposition`**
+:   Categorization of a IOC for example "Malicious" or "Clean".
+
+type: keyword
+
+
+**`cisco.amp.network_info.parent.identity.md5`**
+:   MD5 hash of the related IOC.
+
+type: keyword
+
+
+**`cisco.amp.network_info.parent.identity.sha1`**
+:   SHA1 hash of the related IOC.
+
+type: keyword
+
+
+**`cisco.amp.network_info.parent.identify.sha256`**
+:   SHA256 hash of the related IOC.
+
+type: keyword
+
+
+**`cisco.amp.file.archived_file.disposition`**
+:   Categorization of a file archive related to a file, for example "Malicious" or "Clean".
+
+type: keyword
+
+
+**`cisco.amp.file.archived_file.identity.md5`**
+:   MD5 hash of the archived file related to the malicious event.
+
+type: keyword
+
+
+**`cisco.amp.file.archived_file.identity.sha1`**
+:   SHA1 hash of the archived file related to the malicious event.
+
+type: keyword
+
+
+**`cisco.amp.file.archived_file.identity.sha256`**
+:   SHA256 hash of the archived file related to the malicious event.
+
+type: keyword
+
+
+**`cisco.amp.file.attack_details.application`**
+:   The application name related to Exploit Prevention events.
+
+type: keyword
+
+
+**`cisco.amp.file.attack_details.attacked_module`**
+:   Path to the executable or dll that was attacked and detected by Exploit Prevention.
+
+type: keyword
+
+
+**`cisco.amp.file.attack_details.base_address`**
+:   The base memory address related to the exploit detected.
+
+type: keyword
+
+
+**`cisco.amp.file.attack_details.suspicious_files`**
+:   An array of related files when an attack is detected by Exploit Prevention.
+
+type: keyword
+
+
+**`cisco.amp.file.parent.disposition`**
+:   Categorization of parrent, for example "Malicious" or "Clean".
+
+type: keyword
+
+
+**`cisco.amp.error.description`**
+:   Description of an endpoint error event.
+
+type: keyword
+
+
+**`cisco.amp.error.error_code`**
+:   The error code describing the related error event.
+
+type: keyword
+
+
+**`cisco.amp.threat_hunting.severity`**
+:   Severity result of the threat hunt registered to the malicious event. Can be Low-Critical.
+
+type: keyword
+
+
+**`cisco.amp.threat_hunting.incident_report_guid`**
+:   The GUID of the related threat hunting report.
+
+type: keyword
+
+
+**`cisco.amp.threat_hunting.incident_hunt_guid`**
+:   The GUID of the related investigation tracking issue.
+
+type: keyword
+
+
+**`cisco.amp.threat_hunting.incident_title`**
+:   Title of the incident related to the threat hunting activity.
+
+type: keyword
+
+
+**`cisco.amp.threat_hunting.incident_summary`**
+:   Summary of the outcome on the threat hunting activity.
+
+type: keyword
+
+
+**`cisco.amp.threat_hunting.incident_remediation`**
+:   Recommendations to resolve the vulnerability or exploited host.
+
+type: keyword
+
+
+**`cisco.amp.threat_hunting.incident_id`**
+:   The id of the related incident for the threat hunting activity.
+
+type: keyword
+
+
+**`cisco.amp.threat_hunting.incident_end_time`**
+:   When the threat hunt finalized or closed.
+
+type: date
+
+
+**`cisco.amp.threat_hunting.incident_start_time`**
+:   When the threat hunt was initiated.
+
+type: date
+
+
+**`cisco.amp.file.attack_details.indicators`**
+:   Different indicator types that matches the exploit detected, for example different MITRE tactics.
+
+type: flattened
+
+
+**`cisco.amp.threat_hunting.tactics`**
+:   List of all MITRE tactics related to the incident found.
+
+type: flattened
+
+
+**`cisco.amp.threat_hunting.techniques`**
+:   List of all MITRE techniques related to the incident found.
+
+type: flattened
+
+
+**`cisco.amp.tactics`**
+:   List of all MITRE tactics related to the incident found.
+
+type: flattened
+
+
+**`cisco.amp.mitre_tactics`**
+:   Array of all related mitre tactic ID’s
+
+type: keyword
+
+
+**`cisco.amp.techniques`**
+:   List of all MITRE techniques related to the incident found.
+
+type: flattened
+
+
+**`cisco.amp.mitre_techniques`**
+:   Array of all related mitre technique ID’s
+
+type: keyword
+
+
+**`cisco.amp.command_line.arguments`**
+:   The CLI arguments related to the Cloud Threat IOC reported by Cisco.
+
+type: keyword
+
+
+**`cisco.amp.bp_data`**
+:   Endpoint isolation information
+
+type: flattened
+
+
+
+## cisco.asa [_cisco_asa]
+
+Fields for Cisco ASA Firewall.
+
+**`cisco.asa.message_id`**
+:   The Cisco ASA message identifier.
+
+type: keyword
+
+
+**`cisco.asa.suffix`**
+:   Optional suffix after %ASA identifier.
+
+type: keyword
+
+example: session
+
+
+**`cisco.asa.source_interface`**
+:   Source interface for the flow or event.
+
+type: keyword
+
+
+**`cisco.asa.destination_interface`**
+:   Destination interface for the flow or event.
+
+type: keyword
+
+
+**`cisco.asa.rule_name`**
+:   Name of the Access Control List rule that matched this event.
+
+type: keyword
+
+
+**`cisco.asa.source_username`**
+:   Name of the user that is the source for this event.
+
+type: keyword
+
+
+**`cisco.asa.source_user_security_group_tag`**
+:   The Security Group Tag for the source user. Security Group Tag are 16-bit identifiers used to represent logical group privilege.
+
+type: long
+
+
+**`cisco.asa.destination_username`**
+:   Name of the user that is the destination for this event.
+
+type: keyword
+
+
+**`cisco.asa.destination_user_security_group_tag`**
+:   The Security Group Tag for the destination user. Security Group Tag are 16-bit identifiers used to represent logical group privilege.
+
+type: long
+
+
+**`cisco.asa.mapped_source_ip`**
+:   The translated source IP address.
+
+type: ip
+
+
+**`cisco.asa.mapped_source_host`**
+:   The translated source host.
+
+type: keyword
+
+
+**`cisco.asa.mapped_source_port`**
+:   The translated source port.
+
+type: long
+
+
+**`cisco.asa.mapped_destination_ip`**
+:   The translated destination IP address.
+
+type: ip
+
+
+**`cisco.asa.mapped_destination_host`**
+:   The translated destination host.
+
+type: keyword
+
+
+**`cisco.asa.mapped_destination_port`**
+:   The translated destination port.
+
+type: long
+
+
+**`cisco.asa.threat_level`**
+:   Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
+
+type: keyword
+
+
+**`cisco.asa.threat_category`**
+:   Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
+
+type: keyword
+
+
+**`cisco.asa.connection_id`**
+:   Unique identifier for a flow.
+
+type: keyword
+
+
+**`cisco.asa.icmp_type`**
+:   ICMP type.
+
+type: short
+
+
+**`cisco.asa.icmp_code`**
+:   ICMP code.
+
+type: short
+
+
+**`cisco.asa.connection_type`**
+:   The VPN connection type
+
+type: keyword
+
+
+**`cisco.asa.dap_records`**
+:   The assigned DAP records
+
+type: keyword
+
+
+**`cisco.asa.command_line_arguments`**
+:   The command line arguments logged by the local audit log
+
+type: keyword
+
+
+**`cisco.asa.assigned_ip`**
+:   The IP address assigned to a VPN client successfully connecting
+
+type: ip
+
+
+**`cisco.asa.privilege.old`**
+:   When a users privilege is changed this is the old value
+
+type: keyword
+
+
+**`cisco.asa.privilege.new`**
+:   When a users privilege is changed this is the new value
+
+type: keyword
+
+
+**`cisco.asa.burst.object`**
+:   The related object for burst warnings
+
+type: keyword
+
+
+**`cisco.asa.burst.id`**
+:   The related rate ID for burst warnings
+
+type: keyword
+
+
+**`cisco.asa.burst.current_rate`**
+:   The current burst rate seen
+
+type: keyword
+
+
+**`cisco.asa.burst.configured_rate`**
+:   The current configured burst rate
+
+type: keyword
+
+
+**`cisco.asa.burst.avg_rate`**
+:   The current average burst rate seen
+
+type: keyword
+
+
+**`cisco.asa.burst.configured_avg_rate`**
+:   The current configured average burst rate allowed
+
+type: keyword
+
+
+**`cisco.asa.burst.cumulative_count`**
+:   The total count of burst rate hits since the object was created or cleared
+
+type: keyword
+
+
+**`cisco.asa.termination_user`**
+:   AAA name of user requesting termination
+
+type: keyword
+
+
+**`cisco.asa.webvpn.group_name`**
+:   The WebVPN group name the user belongs to
+
+type: keyword
+
+
+**`cisco.asa.termination_initiator`**
+:   Interface name of the side that initiated the teardown
+
+type: keyword
+
+
+**`cisco.asa.tunnel_type`**
+:   SA type (remote access or L2L)
+
+type: keyword
+
+
+**`cisco.asa.session_type`**
+:   Session type (for example, IPsec or UDP)
+
+type: keyword
+
+
+
+## cisco.ftd [_cisco_ftd]
+
+Fields for Cisco Firepower Threat Defense Firewall.
+
+**`cisco.ftd.message_id`**
+:   The Cisco FTD message identifier.
+
+type: keyword
+
+
+**`cisco.ftd.suffix`**
+:   Optional suffix after %FTD identifier.
+
+type: keyword
+
+example: session
+
+
+**`cisco.ftd.source_interface`**
+:   Source interface for the flow or event.
+
+type: keyword
+
+
+**`cisco.ftd.destination_interface`**
+:   Destination interface for the flow or event.
+
+type: keyword
+
+
+**`cisco.ftd.rule_name`**
+:   Name of the Access Control List rule that matched this event.
+
+type: keyword
+
+
+**`cisco.ftd.source_username`**
+:   Name of the user that is the source for this event.
+
+type: keyword
+
+
+**`cisco.ftd.destination_username`**
+:   Name of the user that is the destination for this event.
+
+type: keyword
+
+
+**`cisco.ftd.mapped_source_ip`**
+:   The translated source IP address. Use ECS source.nat.ip.
+
+type: ip
+
+
+**`cisco.ftd.mapped_source_host`**
+:   The translated source host.
+
+type: keyword
+
+
+**`cisco.ftd.mapped_source_port`**
+:   The translated source port. Use ECS source.nat.port.
+
+type: long
+
+
+**`cisco.ftd.mapped_destination_ip`**
+:   The translated destination IP address. Use ECS destination.nat.ip.
+
+type: ip
+
+
+**`cisco.ftd.mapped_destination_host`**
+:   The translated destination host.
+
+type: keyword
+
+
+**`cisco.ftd.mapped_destination_port`**
+:   The translated destination port. Use ECS destination.nat.port.
+
+type: long
+
+
+**`cisco.ftd.threat_level`**
+:   Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
+
+type: keyword
+
+
+**`cisco.ftd.threat_category`**
+:   Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
+
+type: keyword
+
+
+**`cisco.ftd.connection_id`**
+:   Unique identifier for a flow.
+
+type: keyword
+
+
+**`cisco.ftd.icmp_type`**
+:   ICMP type.
+
+type: short
+
+
+**`cisco.ftd.icmp_code`**
+:   ICMP code.
+
+type: short
+
+
+**`cisco.ftd.security`**
+:   Raw fields for Security Events.
+
+type: object
+
+
+**`cisco.ftd.connection_type`**
+:   The VPN connection type
+
+type: keyword
+
+
+**`cisco.ftd.dap_records`**
+:   The assigned DAP records
+
+type: keyword
+
+
+**`cisco.ftd.termination_user`**
+:   AAA name of user requesting termination
+
+type: keyword
+
+
+**`cisco.ftd.webvpn.group_name`**
+:   The WebVPN group name the user belongs to
+
+type: keyword
+
+
+**`cisco.ftd.termination_initiator`**
+:   Interface name of the side that initiated the teardown
+
+type: keyword
+
+
+
+## cisco.ios [_cisco_ios]
+
+Fields for Cisco IOS logs.
+
+**`cisco.ios.access_list`**
+:   Name of the IP access list.
+
+type: keyword
+
+
+**`cisco.ios.facility`**
+:   The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message.
+
+type: keyword
+
+example: SEC
+
+
+
+## cisco.umbrella [_cisco_umbrella]
+
+Fields for Cisco Umbrella.
+
+**`cisco.umbrella.identities`**
+:   An array of the different identities related to the event.
+
+type: keyword
+
+
+**`cisco.umbrella.categories`**
+:   The security or content categories that the destination matches.
+
+type: keyword
+
+
+**`cisco.umbrella.policy_identity_type`**
+:   The first identity type matched with this request. Available in version 3 and above.
+
+type: keyword
+
+
+**`cisco.umbrella.identity_types`**
+:   The type of identity that made the request. For example, Roaming Computer or Network.
+
+type: keyword
+
+
+**`cisco.umbrella.blocked_categories`**
+:   The categories that resulted in the destination being blocked. Available in version 4 and above.
+
+type: keyword
+
+
+**`cisco.umbrella.content_type`**
+:   The type of web content, typically text/html.
+
+type: keyword
+
+
+**`cisco.umbrella.sha_sha256`**
+:   Hex digest of the response content.
+
+type: keyword
+
+
+**`cisco.umbrella.av_detections`**
+:   The detection name according to the antivirus engine used in file inspection.
+
+type: keyword
+
+
+**`cisco.umbrella.puas`**
+:   A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
+
+type: keyword
+
+
+**`cisco.umbrella.amp_disposition`**
+:   The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
+
+type: keyword
+
+
+**`cisco.umbrella.amp_malware_name`**
+:   If Malicious, the name of the malware according to AMP.
+
+type: keyword
+
+
+**`cisco.umbrella.amp_score`**
+:   The score of the malware from AMP. This field is not currently used and will be blank.
+
+type: keyword
+
+
+**`cisco.umbrella.datacenter`**
+:   The name of the Umbrella Data Center that processed the user-generated traffic.
+
+type: keyword
+
+
+**`cisco.umbrella.origin_id`**
+:   The unique identity of the network tunnel.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-cloud.md b/docs/reference/filebeat/exported-fields-cloud.md
new file mode 100644
index 000000000000..31d6f8a522cf
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-cloud.md
@@ -0,0 +1,57 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-cloud.html
+---
+
+# Cloud provider metadata fields [exported-fields-cloud]
+
+Metadata from cloud providers added by the add_cloud_metadata processor.
+
+**`cloud.image.id`**
+:   Image ID for the cloud instance.
+
+example: ami-abcd1234
+
+
+**`meta.cloud.provider`**
+:   type: alias
+
+alias to: cloud.provider
+
+
+**`meta.cloud.instance_id`**
+:   type: alias
+
+alias to: cloud.instance.id
+
+
+**`meta.cloud.instance_name`**
+:   type: alias
+
+alias to: cloud.instance.name
+
+
+**`meta.cloud.machine_type`**
+:   type: alias
+
+alias to: cloud.machine.type
+
+
+**`meta.cloud.availability_zone`**
+:   type: alias
+
+alias to: cloud.availability_zone
+
+
+**`meta.cloud.project_id`**
+:   type: alias
+
+alias to: cloud.project.id
+
+
+**`meta.cloud.region`**
+:   type: alias
+
+alias to: cloud.region
+
+
diff --git a/docs/reference/filebeat/exported-fields-coredns.md b/docs/reference/filebeat/exported-fields-coredns.md
new file mode 100644
index 000000000000..6acf696e4d90
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-coredns.md
@@ -0,0 +1,30 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-coredns.html
+---
+
+# Coredns fields [exported-fields-coredns]
+
+Module for handling logs produced by coredns
+
+
+## coredns [_coredns]
+
+coredns fields after normalization
+
+**`coredns.query.size`**
+:   size of the DNS query
+
+type: integer
+
+format: bytes
+
+
+**`coredns.response.size`**
+:   size of the DNS response
+
+type: integer
+
+format: bytes
+
+
diff --git a/docs/reference/filebeat/exported-fields-crowdstrike.md b/docs/reference/filebeat/exported-fields-crowdstrike.md
new file mode 100644
index 000000000000..525f2c933d02
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-crowdstrike.md
@@ -0,0 +1,558 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-crowdstrike.html
+---
+
+# Crowdstrike fields [exported-fields-crowdstrike]
+
+Module for collecting Crowdstrike events.
+
+
+## crowdstrike [_crowdstrike]
+
+Fields for Crowdstrike Falcon event and alert data.
+
+
+## metadata [_metadata_2]
+
+Meta data fields for each event that include type and timestamp.
+
+**`crowdstrike.metadata.eventType`**
+:   DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent
+
+type: keyword
+
+
+**`crowdstrike.metadata.eventCreationTime`**
+:   The time this event occurred on the endpoint in UTC UNIX_MS format.
+
+type: date
+
+
+**`crowdstrike.metadata.offset`**
+:   Offset number that tracks the location of the event in stream. This is used to identify unique detection events.
+
+type: integer
+
+
+**`crowdstrike.metadata.customerIDString`**
+:   Customer identifier
+
+type: keyword
+
+
+**`crowdstrike.metadata.version`**
+:   Schema version
+
+type: keyword
+
+
+
+## event [_event]
+
+Event data fields for each event and alert.
+
+**`crowdstrike.event.ProcessStartTime`**
+:   The process start time in UTC UNIX_MS format.
+
+type: date
+
+
+**`crowdstrike.event.ProcessEndTime`**
+:   The process termination time in UTC UNIX_MS format.
+
+type: date
+
+
+**`crowdstrike.event.ProcessId`**
+:   Process ID related to the detection.
+
+type: integer
+
+
+**`crowdstrike.event.ParentProcessId`**
+:   Parent process ID related to the detection.
+
+type: integer
+
+
+**`crowdstrike.event.ComputerName`**
+:   Name of the computer where the detection occurred.
+
+type: keyword
+
+
+**`crowdstrike.event.UserName`**
+:   User name associated with the detection.
+
+type: keyword
+
+
+**`crowdstrike.event.DetectName`**
+:   Name of the detection.
+
+type: keyword
+
+
+**`crowdstrike.event.DetectDescription`**
+:   Description of the detection.
+
+type: keyword
+
+
+**`crowdstrike.event.Severity`**
+:   Severity score of the detection.
+
+type: integer
+
+
+**`crowdstrike.event.SeverityName`**
+:   Severity score text.
+
+type: keyword
+
+
+**`crowdstrike.event.FileName`**
+:   File name of the associated process for the detection.
+
+type: keyword
+
+
+**`crowdstrike.event.FilePath`**
+:   Path of the executable associated with the detection.
+
+type: keyword
+
+
+**`crowdstrike.event.CommandLine`**
+:   Executable path with command line arguments.
+
+type: keyword
+
+
+**`crowdstrike.event.SHA1String`**
+:   SHA1 sum of the executable associated with the detection.
+
+type: keyword
+
+
+**`crowdstrike.event.SHA256String`**
+:   SHA256 sum of the executable associated with the detection.
+
+type: keyword
+
+
+**`crowdstrike.event.MD5String`**
+:   MD5 sum of the executable associated with the detection.
+
+type: keyword
+
+
+**`crowdstrike.event.MachineDomain`**
+:   Domain for the machine associated with the detection.
+
+type: keyword
+
+
+**`crowdstrike.event.FalconHostLink`**
+:   URL to view the detection in Falcon.
+
+type: keyword
+
+
+**`crowdstrike.event.SensorId`**
+:   Unique ID associated with the Falcon sensor.
+
+type: keyword
+
+
+**`crowdstrike.event.DetectId`**
+:   Unique ID associated with the detection.
+
+type: keyword
+
+
+**`crowdstrike.event.LocalIP`**
+:   IP address of the host associated with the detection.
+
+type: keyword
+
+
+**`crowdstrike.event.MACAddress`**
+:   MAC address of the host associated with the detection.
+
+type: keyword
+
+
+**`crowdstrike.event.Tactic`**
+:   MITRE tactic category of the detection.
+
+type: keyword
+
+
+**`crowdstrike.event.Technique`**
+:   MITRE technique category of the detection.
+
+type: keyword
+
+
+**`crowdstrike.event.Objective`**
+:   Method of detection.
+
+type: keyword
+
+
+**`crowdstrike.event.PatternDispositionDescription`**
+:   Action taken by Falcon.
+
+type: keyword
+
+
+**`crowdstrike.event.PatternDispositionValue`**
+:   Unique ID associated with action taken.
+
+type: integer
+
+
+**`crowdstrike.event.PatternDispositionFlags`**
+:   Flags indicating actions taken.
+
+type: object
+
+
+**`crowdstrike.event.State`**
+:   Whether the incident summary is open and ongoing or closed.
+
+type: keyword
+
+
+**`crowdstrike.event.IncidentStartTime`**
+:   Start time for the incident in UTC UNIX format.
+
+type: date
+
+
+**`crowdstrike.event.IncidentEndTime`**
+:   End time for the incident in UTC UNIX format.
+
+type: date
+
+
+**`crowdstrike.event.FineScore`**
+:   Score for incident.
+
+type: float
+
+
+**`crowdstrike.event.UserId`**
+:   Email address or user ID associated with the event.
+
+type: keyword
+
+
+**`crowdstrike.event.UserIp`**
+:   IP address associated with the user.
+
+type: keyword
+
+
+**`crowdstrike.event.OperationName`**
+:   Event subtype.
+
+type: keyword
+
+
+**`crowdstrike.event.ServiceName`**
+:   Service associated with this event.
+
+type: keyword
+
+
+**`crowdstrike.event.Success`**
+:   Indicator of whether or not this event was successful.
+
+type: boolean
+
+
+**`crowdstrike.event.UTCTimestamp`**
+:   Timestamp associated with this event in UTC UNIX format.
+
+type: date
+
+
+**`crowdstrike.event.AuditKeyValues`**
+:   Fields that were changed in this event.
+
+type: nested
+
+
+**`crowdstrike.event.ExecutablesWritten`**
+:   Detected executables written to disk by a process.
+
+type: nested
+
+
+**`crowdstrike.event.SessionId`**
+:   Session ID of the remote response session.
+
+type: keyword
+
+
+**`crowdstrike.event.HostnameField`**
+:   Host name of the machine for the remote session.
+
+type: keyword
+
+
+**`crowdstrike.event.StartTimestamp`**
+:   Start time for the remote session in UTC UNIX format.
+
+type: date
+
+
+**`crowdstrike.event.EndTimestamp`**
+:   End time for the remote session in UTC UNIX format.
+
+type: date
+
+
+**`crowdstrike.event.LateralMovement`**
+:   Lateral movement field for incident.
+
+type: long
+
+
+**`crowdstrike.event.ParentImageFileName`**
+:   Path to the parent process.
+
+type: keyword
+
+
+**`crowdstrike.event.ParentCommandLine`**
+:   Parent process command line arguments.
+
+type: keyword
+
+
+**`crowdstrike.event.GrandparentImageFileName`**
+:   Path to the grandparent process.
+
+type: keyword
+
+
+**`crowdstrike.event.GrandparentCommandLine`**
+:   Grandparent process command line arguments.
+
+type: keyword
+
+
+**`crowdstrike.event.IOCType`**
+:   CrowdStrike type for indicator of compromise.
+
+type: keyword
+
+
+**`crowdstrike.event.IOCValue`**
+:   CrowdStrike value for indicator of compromise.
+
+type: keyword
+
+
+**`crowdstrike.event.CustomerId`**
+:   Customer identifier.
+
+type: keyword
+
+
+**`crowdstrike.event.DeviceId`**
+:   Device on which the event occurred.
+
+type: keyword
+
+
+**`crowdstrike.event.Ipv`**
+:   Protocol for network request.
+
+type: keyword
+
+
+**`crowdstrike.event.ConnectionDirection`**
+:   Direction for network connection.
+
+type: keyword
+
+
+**`crowdstrike.event.EventType`**
+:   CrowdStrike provided event type.
+
+type: keyword
+
+
+**`crowdstrike.event.HostName`**
+:   Host name of the local machine.
+
+type: keyword
+
+
+**`crowdstrike.event.ICMPCode`**
+:   RFC2780 ICMP Code field.
+
+type: keyword
+
+
+**`crowdstrike.event.ICMPType`**
+:   RFC2780 ICMP Type field.
+
+type: keyword
+
+
+**`crowdstrike.event.ImageFileName`**
+:   File name of the associated process for the detection.
+
+type: keyword
+
+
+**`crowdstrike.event.PID`**
+:   Associated process id for the detection.
+
+type: long
+
+
+**`crowdstrike.event.LocalAddress`**
+:   IP address of local machine.
+
+type: ip
+
+
+**`crowdstrike.event.LocalPort`**
+:   Port of local machine.
+
+type: long
+
+
+**`crowdstrike.event.RemoteAddress`**
+:   IP address of remote machine.
+
+type: ip
+
+
+**`crowdstrike.event.RemotePort`**
+:   Port of remote machine.
+
+type: long
+
+
+**`crowdstrike.event.RuleAction`**
+:   Firewall rule action.
+
+type: keyword
+
+
+**`crowdstrike.event.RuleDescription`**
+:   Firewall rule description.
+
+type: keyword
+
+
+**`crowdstrike.event.RuleFamilyID`**
+:   Firewall rule family id.
+
+type: keyword
+
+
+**`crowdstrike.event.RuleGroupName`**
+:   Firewall rule group name.
+
+type: keyword
+
+
+**`crowdstrike.event.RuleName`**
+:   Firewall rule name.
+
+type: keyword
+
+
+**`crowdstrike.event.RuleId`**
+:   Firewall rule id.
+
+type: keyword
+
+
+**`crowdstrike.event.MatchCount`**
+:   Number of firewall rule matches.
+
+type: long
+
+
+**`crowdstrike.event.MatchCountSinceLastReport`**
+:   Number of firewall rule matches since the last report.
+
+type: long
+
+
+**`crowdstrike.event.Timestamp`**
+:   Firewall rule triggered timestamp.
+
+type: date
+
+
+**`crowdstrike.event.Flags.Audit`**
+:   CrowdStrike audit flag.
+
+type: boolean
+
+
+**`crowdstrike.event.Flags.Log`**
+:   CrowdStrike log flag.
+
+type: boolean
+
+
+**`crowdstrike.event.Flags.Monitor`**
+:   CrowdStrike monitor flag.
+
+type: boolean
+
+
+**`crowdstrike.event.Protocol`**
+:   CrowdStrike provided protocol.
+
+type: keyword
+
+
+**`crowdstrike.event.NetworkProfile`**
+:   CrowdStrike network profile.
+
+type: keyword
+
+
+**`crowdstrike.event.PolicyName`**
+:   CrowdStrike policy name.
+
+type: keyword
+
+
+**`crowdstrike.event.PolicyID`**
+:   CrowdStrike policy id.
+
+type: keyword
+
+
+**`crowdstrike.event.Status`**
+:   CrowdStrike status.
+
+type: keyword
+
+
+**`crowdstrike.event.TreeID`**
+:   CrowdStrike tree id.
+
+type: keyword
+
+
+**`crowdstrike.event.Commands`**
+:   Commands run in a remote session.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-cyberarkpas.md b/docs/reference/filebeat/exported-fields-cyberarkpas.md
new file mode 100644
index 000000000000..6bc21632e06a
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-cyberarkpas.md
@@ -0,0 +1,364 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-cyberarkpas.html
+---
+
+# CyberArk PAS fields [exported-fields-cyberarkpas]
+
+cyberarkpas fields.
+
+
+## audit [_audit_2]
+
+Cyberark Privileged Access Security Audit fields.
+
+**`cyberarkpas.audit.action`**
+:   A description of the audit record.
+
+type: keyword
+
+
+
+## ca_properties [_ca_properties]
+
+Account metadata.
+
+**`cyberarkpas.audit.ca_properties.address`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.cpm_disabled`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.cpm_error_details`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.cpm_status`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.creation_method`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.customer`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.database`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.device_type`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.dual_account_status`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.group_name`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.in_process`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.index`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.last_fail_date`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.last_success_change`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.last_success_reconciliation`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.last_success_verification`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.last_task`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.logon_domain`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.policy_id`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.port`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.privcloud`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.reset_immediately`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.retries_count`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.sequence_id`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.tags`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.user_dn`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.user_name`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.virtual_username`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.ca_properties.other`**
+:   type: flattened
+
+
+**`cyberarkpas.audit.category`**
+:   The category name (for category-related operations).
+
+type: keyword
+
+
+**`cyberarkpas.audit.desc`**
+:   A static value that displays a description of the audit codes.
+
+type: keyword
+
+
+
+## extra_details [_extra_details]
+
+Specific extra details of the audit records.
+
+**`cyberarkpas.audit.extra_details.ad_process_id`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.ad_process_name`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.application_type`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.command`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.connection_component_id`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.dst_host`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.logon_account`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.managed_account`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.process_id`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.process_name`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.protocol`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.psmid`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.session_duration`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.session_id`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.src_host`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.username`**
+:   type: keyword
+
+
+**`cyberarkpas.audit.extra_details.other`**
+:   type: flattened
+
+
+**`cyberarkpas.audit.file`**
+:   The name of the target file.
+
+type: keyword
+
+
+**`cyberarkpas.audit.gateway_station`**
+:   The IP of the web application machine (PVWA).
+
+type: ip
+
+
+**`cyberarkpas.audit.hostname`**
+:   The hostname, in upper case.
+
+type: keyword
+
+example: MY-COMPUTER
+
+
+**`cyberarkpas.audit.iso_timestamp`**
+:   The timestamp, in ISO Timestamp format (RFC 3339).
+
+type: date
+
+example: 2013-06-25 10:47:19+00:00
+
+
+**`cyberarkpas.audit.issuer`**
+:   The Vault user who wrote the audit. This is usually the user who performed the operation.
+
+type: keyword
+
+
+**`cyberarkpas.audit.location`**
+:   The target Location (for Location operations).
+
+type: keyword
+
+Field is not indexed.
+
+
+**`cyberarkpas.audit.message`**
+:   A description of the audit records (same information as in the Desc field).
+
+type: keyword
+
+
+**`cyberarkpas.audit.message_id`**
+:   The code ID of the audit records.
+
+type: keyword
+
+
+**`cyberarkpas.audit.product`**
+:   A static value that represents the product.
+
+type: keyword
+
+
+**`cyberarkpas.audit.pvwa_details`**
+:   Specific details of the PVWA audit records.
+
+type: flattened
+
+
+**`cyberarkpas.audit.raw`**
+:   Raw XML for the original audit record. Only present when XSLT file has debugging enabled.
+
+type: keyword
+
+Field is not indexed.
+
+
+**`cyberarkpas.audit.reason`**
+:   The reason entered by the user.
+
+type: text
+
+
+**`cyberarkpas.audit.rfc5424`**
+:   Whether the syslog format complies with RFC5424.
+
+type: boolean
+
+example: True
+
+
+**`cyberarkpas.audit.safe`**
+:   The name of the target Safe.
+
+type: keyword
+
+
+**`cyberarkpas.audit.severity`**
+:   The severity of the audit records.
+
+type: keyword
+
+
+**`cyberarkpas.audit.source_user`**
+:   The name of the Vault user who performed the operation.
+
+type: keyword
+
+
+**`cyberarkpas.audit.station`**
+:   The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP.
+
+type: ip
+
+
+**`cyberarkpas.audit.target_user`**
+:   The name of the Vault user on which the operation was performed.
+
+type: keyword
+
+
+**`cyberarkpas.audit.timestamp`**
+:   The timestamp, in MMM DD HH:MM:SS format.
+
+type: keyword
+
+example: Jun 25 10:47:19
+
+
+**`cyberarkpas.audit.vendor`**
+:   A static value that represents the vendor.
+
+type: keyword
+
+
+**`cyberarkpas.audit.version`**
+:   A static value that represents the version of the Vault.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-docker-processor.md b/docs/reference/filebeat/exported-fields-docker-processor.md
new file mode 100644
index 000000000000..81cfd82e4f21
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-docker-processor.md
@@ -0,0 +1,33 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-docker-processor.html
+---
+
+# Docker fields [exported-fields-docker-processor]
+
+Docker stats collected from Docker.
+
+**`docker.container.id`**
+:   type: alias
+
+alias to: container.id
+
+
+**`docker.container.image`**
+:   type: alias
+
+alias to: container.image.name
+
+
+**`docker.container.name`**
+:   type: alias
+
+alias to: container.name
+
+
+**`docker.container.labels`**
+:   Image labels.
+
+type: object
+
+
diff --git a/docs/reference/filebeat/exported-fields-ecs.md b/docs/reference/filebeat/exported-fields-ecs.md
new file mode 100644
index 000000000000..65768bc8b85a
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-ecs.md
@@ -0,0 +1,10423 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-ecs.html
+---
+
+# ECS fields [exported-fields-ecs]
+
+This section defines Elastic Common Schema (ECS) fields—a common set of fields to be used when storing event data in {{es}}.
+
+This is an exhaustive list, and fields listed here are not necessarily used by Filebeat. The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events.
+
+See the [ECS reference](ecs://reference/index.md) for more information.
+
+**`@timestamp`**
+:   Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+required: True
+
+
+**`labels`**
+:   Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels.
+
+type: object
+
+example: {"application": "foo-bar", "env": "production"}
+
+
+**`message`**
+:   For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.
+
+type: match_only_text
+
+example: Hello World
+
+
+**`tags`**
+:   List of keywords used to tag each event.
+
+type: keyword
+
+example: ["production", "env2"]
+
+
+
+## agent [_agent]
+
+The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
+
+**`agent.build.original`**
+:   Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required.
+
+type: keyword
+
+example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]
+
+
+**`agent.ephemeral_id`**
+:   Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`agent.id`**
+:   Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
+
+type: keyword
+
+example: 8a4f500d
+
+
+**`agent.name`**
+:   Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.
+
+type: keyword
+
+example: foo
+
+
+**`agent.type`**
+:   Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.
+
+type: keyword
+
+example: filebeat
+
+
+**`agent.version`**
+:   Version of the agent.
+
+type: keyword
+
+example: 6.0.0-rc2
+
+
+
+## as [_as]
+
+An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
+
+**`as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`as.organization.name.text`**
+:   type: match_only_text
+
+
+
+## client [_client]
+
+A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
+
+**`client.address`**
+:   Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`client.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`client.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`client.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`client.bytes`**
+:   Bytes sent from the client to the server.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`client.domain`**
+:   The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`client.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`client.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`client.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`client.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`client.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`client.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`client.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`client.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`client.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`client.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`client.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`client.ip`**
+:   IP address of the client (IPv4 or IPv6).
+
+type: ip
+
+
+**`client.mac`**
+:   MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`client.nat.ip`**
+:   Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`client.nat.port`**
+:   Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`client.packets`**
+:   Packets sent from the client to the server.
+
+type: long
+
+example: 12
+
+
+**`client.port`**
+:   Port of the client.
+
+type: long
+
+format: string
+
+
+**`client.registered_domain`**
+:   The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`client.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`client.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`client.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`client.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`client.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`client.user.full_name.text`**
+:   type: match_only_text
+
+
+**`client.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`client.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`client.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`client.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`client.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`client.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`client.user.name.text`**
+:   type: match_only_text
+
+
+**`client.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## cloud [_cloud]
+
+Fields related to the cloud or infrastructure the events are coming from.
+
+**`cloud.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.origin.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.origin.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.origin.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.origin.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.origin.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.origin.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.origin.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.origin.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.origin.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.origin.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.origin.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+**`cloud.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+**`cloud.target.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.target.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.target.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.target.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.target.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.target.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.target.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.target.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.target.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.target.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.target.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+
+## code_signature [_code_signature]
+
+These fields contain information about binary code signatures.
+
+**`code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+
+## container [_container_2]
+
+Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.
+
+**`container.cpu.usage`**
+:   Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000.
+
+type: scaled_float
+
+
+**`container.disk.read.bytes`**
+:   The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`container.disk.write.bytes`**
+:   The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`container.id`**
+:   Unique container id.
+
+type: keyword
+
+
+**`container.image.name`**
+:   Name of the image the container was built on.
+
+type: keyword
+
+
+**`container.image.tag`**
+:   Container image tags.
+
+type: keyword
+
+
+**`container.labels`**
+:   Image labels.
+
+type: object
+
+
+**`container.memory.usage`**
+:   Memory usage percentage and it ranges from 0 to 1. Scaling factor: 1000.
+
+type: scaled_float
+
+
+**`container.name`**
+:   Container name.
+
+type: keyword
+
+
+**`container.network.egress.bytes`**
+:   The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.
+
+type: long
+
+
+**`container.network.ingress.bytes`**
+:   The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.
+
+type: long
+
+
+**`container.runtime`**
+:   Runtime managing this container.
+
+type: keyword
+
+example: docker
+
+
+
+## data_stream [_data_stream]
+
+The data_stream fields take part in defining the new data stream naming scheme. In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this [blog post](https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme). An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional [restrictions](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-create).
+
+**`data_stream.dataset`**
+:   The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters
+
+type: constant_keyword
+
+example: nginx.access
+
+
+**`data_stream.namespace`**
+:   A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters
+
+type: constant_keyword
+
+example: production
+
+
+**`data_stream.type`**
+:   An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
+
+type: constant_keyword
+
+example: logs
+
+
+
+## destination [_destination]
+
+Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
+
+**`destination.address`**
+:   Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`destination.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`destination.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`destination.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`destination.bytes`**
+:   Bytes sent from the destination to the source.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`destination.domain`**
+:   The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`destination.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`destination.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`destination.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`destination.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`destination.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`destination.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`destination.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`destination.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`destination.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`destination.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`destination.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`destination.ip`**
+:   IP address of the destination (IPv4 or IPv6).
+
+type: ip
+
+
+**`destination.mac`**
+:   MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`destination.nat.ip`**
+:   Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`destination.nat.port`**
+:   Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`destination.packets`**
+:   Packets sent from the destination to the source.
+
+type: long
+
+example: 12
+
+
+**`destination.port`**
+:   Port of the destination.
+
+type: long
+
+format: string
+
+
+**`destination.registered_domain`**
+:   The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`destination.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`destination.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`destination.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`destination.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`destination.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`destination.user.full_name.text`**
+:   type: match_only_text
+
+
+**`destination.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`destination.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`destination.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`destination.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`destination.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`destination.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`destination.user.name.text`**
+:   type: match_only_text
+
+
+**`destination.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## dll [_dll]
+
+These fields contain information about code libraries dynamically loaded into processes.
+
+Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: * Dynamic-link library (`.dll`) commonly used on Windows * Shared Object (`.so`) commonly used on Unix-like operating systems * Dynamic library (`.dylib`) commonly used on macOS
+
+**`dll.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`dll.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`dll.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`dll.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`dll.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`dll.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`dll.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`dll.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`dll.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`dll.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`dll.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`dll.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`dll.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`dll.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`dll.name`**
+:   Name of the library. This generally maps to the name of the file on disk.
+
+type: keyword
+
+example: kernel32.dll
+
+
+**`dll.path`**
+:   Full file path of the library.
+
+type: keyword
+
+example: C:\Windows\System32\kernel32.dll
+
+
+**`dll.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`dll.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`dll.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`dll.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`dll.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`dll.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`dll.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+
+## dns [_dns]
+
+Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).
+
+**`dns.answers`**
+:   An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
+
+type: object
+
+
+**`dns.answers.class`**
+:   The class of DNS data contained in this resource record.
+
+type: keyword
+
+example: IN
+
+
+**`dns.answers.data`**
+:   The data describing the resource. The meaning of this data depends on the type and class of the resource record.
+
+type: keyword
+
+example: 10.10.10.10
+
+
+**`dns.answers.name`**
+:   The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s `name` should be the one that corresponds with the answer’s `data`. It should not simply be the original `question.name` repeated.
+
+type: keyword
+
+example: www.example.com
+
+
+**`dns.answers.ttl`**
+:   The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
+
+type: long
+
+example: 180
+
+
+**`dns.answers.type`**
+:   The type of data contained in this resource record.
+
+type: keyword
+
+example: CNAME
+
+
+**`dns.header_flags`**
+:   Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO.
+
+type: keyword
+
+example: ["RD", "RA"]
+
+
+**`dns.id`**
+:   The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+
+type: keyword
+
+example: 62111
+
+
+**`dns.op_code`**
+:   The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
+
+type: keyword
+
+example: QUERY
+
+
+**`dns.question.class`**
+:   The class of records being queried.
+
+type: keyword
+
+example: IN
+
+
+**`dns.question.name`**
+:   The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
+
+type: keyword
+
+example: www.example.com
+
+
+**`dns.question.registered_domain`**
+:   The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`dns.question.subdomain`**
+:   The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: www
+
+
+**`dns.question.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`dns.question.type`**
+:   The type of record being queried.
+
+type: keyword
+
+example: AAAA
+
+
+**`dns.resolved_ip`**
+:   Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
+
+type: ip
+
+example: ["10.10.10.10", "10.10.10.11"]
+
+
+**`dns.response_code`**
+:   The DNS response code.
+
+type: keyword
+
+example: NOERROR
+
+
+**`dns.type`**
+:   The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
+
+type: keyword
+
+example: answer
+
+
+
+## ecs [_ecs_2]
+
+Meta-information specific to ECS.
+
+**`ecs.version`**
+:   ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.
+
+type: keyword
+
+example: 1.0.0
+
+required: True
+
+
+
+## elf [_elf]
+
+These fields contain Linux Executable Linkable Format (ELF) metadata.
+
+**`elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+
+## error [_error_2]
+
+These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.
+
+**`error.code`**
+:   Error code describing the error.
+
+type: keyword
+
+
+**`error.id`**
+:   Unique identifier for the error.
+
+type: keyword
+
+
+**`error.message`**
+:   Error message.
+
+type: match_only_text
+
+
+**`error.stack_trace`**
+:   The stack trace of this error in plain text.
+
+type: wildcard
+
+
+**`error.stack_trace.text`**
+:   type: match_only_text
+
+
+**`error.type`**
+:   The type of the error, for example the class name of the exception.
+
+type: keyword
+
+example: java.lang.NullPointerException
+
+
+
+## event [_event_2]
+
+The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.
+
+**`event.action`**
+:   The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+
+type: keyword
+
+example: user-password-change
+
+
+**`event.agent_id_status`**
+:   Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent’s connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID.
+
+type: keyword
+
+example: verified
+
+
+**`event.category`**
+:   This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+
+type: keyword
+
+example: authentication
+
+
+**`event.code`**
+:   Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+
+type: keyword
+
+example: 4648
+
+
+**`event.created`**
+:   event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.
+
+type: date
+
+example: 2016-05-23T08:05:34.857Z
+
+
+**`event.dataset`**
+:   Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
+
+type: keyword
+
+example: apache.access
+
+
+**`event.duration`**
+:   Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.
+
+type: long
+
+format: duration
+
+
+**`event.end`**
+:   event.end contains the date when the event ended or when the activity was last observed.
+
+type: date
+
+
+**`event.hash`**
+:   Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+
+type: keyword
+
+example: 123456789012345678901234567890ABCD
+
+
+**`event.id`**
+:   Unique ID to describe the event.
+
+type: keyword
+
+example: 8a4f500d
+
+
+**`event.ingested`**
+:   Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred.  It’s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+
+type: date
+
+example: 2016-05-23T08:05:35.101Z
+
+
+**`event.kind`**
+:   This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+
+type: keyword
+
+example: alert
+
+
+**`event.module`**
+:   Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.
+
+type: keyword
+
+example: apache
+
+
+**`event.original`**
+:   Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+
+type: keyword
+
+example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
+
+Field is not indexed.
+
+
+**`event.outcome`**
+:   This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+
+type: keyword
+
+example: success
+
+
+**`event.provider`**
+:   Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+
+type: keyword
+
+example: kernel
+
+
+**`event.reason`**
+:   Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+
+type: keyword
+
+example: Terminated an unexpected process
+
+
+**`event.reference`**
+:   Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+type: keyword
+
+example: [https://system.example.com/event/#0001234](https://system.example.com/event/#0001234)
+
+
+**`event.risk_score`**
+:   Risk score or priority of the event (e.g. security solutions). Use your system’s original value here.
+
+type: float
+
+
+**`event.risk_score_norm`**
+:   Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
+
+type: float
+
+
+**`event.sequence`**
+:   Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
+
+type: long
+
+format: string
+
+
+**`event.severity`**
+:   The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+
+type: long
+
+example: 7
+
+format: string
+
+
+**`event.start`**
+:   event.start contains the date when the event started or when the activity was first observed.
+
+type: date
+
+
+**`event.timezone`**
+:   This field should be populated when the event’s timestamp does not include timezone information already (e.g. default Syslog timestamps). It’s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+
+type: keyword
+
+
+**`event.type`**
+:   This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+
+type: keyword
+
+
+**`event.url`**
+:   URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+type: keyword
+
+example: [https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe](https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe)
+
+
+
+## faas [_faas]
+
+The user fields describe information about the function as a service that is relevant to the event.
+
+**`faas.coldstart`**
+:   Boolean value indicating a cold start of a function.
+
+type: boolean
+
+
+**`faas.execution`**
+:   The execution ID of the current function execution.
+
+type: keyword
+
+example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
+
+
+**`faas.trigger`**
+:   Details about the function trigger.
+
+type: nested
+
+
+**`faas.trigger.request_id`**
+:   The ID of the trigger request , message, event, etc.
+
+type: keyword
+
+example: 123456789
+
+
+**`faas.trigger.type`**
+:   The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other
+
+type: keyword
+
+example: http
+
+
+
+## file [_file_2]
+
+A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
+
+**`file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`file.path.text`**
+:   type: match_only_text
+
+
+**`file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`file.target_path.text`**
+:   type: match_only_text
+
+
+**`file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+
+## geo [_geo]
+
+Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.
+
+**`geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+
+## group [_group]
+
+The group fields are meant to represent groups that are relevant to the event.
+
+**`group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+
+## hash [_hash]
+
+The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).
+
+**`hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+
+## host [_host]
+
+A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
+
+**`host.architecture`**
+:   Operating system architecture.
+
+type: keyword
+
+example: x86_64
+
+
+**`host.cpu.usage`**
+:   Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1.
+
+type: scaled_float
+
+
+**`host.disk.read.bytes`**
+:   The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`host.disk.write.bytes`**
+:   The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`host.domain`**
+:   Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider.
+
+type: keyword
+
+example: CONTOSO
+
+
+**`host.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`host.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`host.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`host.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`host.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`host.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`host.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`host.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`host.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`host.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`host.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`host.hostname`**
+:   Hostname of the host. It normally contains what the `hostname` command returns on the host machine.
+
+type: keyword
+
+
+**`host.id`**
+:   Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.
+
+type: keyword
+
+
+**`host.ip`**
+:   Host ip addresses.
+
+type: ip
+
+
+**`host.mac`**
+:   Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
+
+
+**`host.name`**
+:   Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+
+type: keyword
+
+
+**`host.network.egress.bytes`**
+:   The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.egress.packets`**
+:   The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.ingress.bytes`**
+:   The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.ingress.packets`**
+:   The number of packets (gauge) received on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`host.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`host.os.full.text`**
+:   type: match_only_text
+
+
+**`host.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`host.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`host.os.name.text`**
+:   type: match_only_text
+
+
+**`host.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`host.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`host.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`host.type`**
+:   Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
+
+type: keyword
+
+
+**`host.uptime`**
+:   Seconds the host has been up.
+
+type: long
+
+example: 1325
+
+
+
+## http [_http]
+
+Fields related to HTTP activity. Use the `url` field set to store the url of the request.
+
+**`http.request.body.bytes`**
+:   Size in bytes of the request body.
+
+type: long
+
+example: 887
+
+format: bytes
+
+
+**`http.request.body.content`**
+:   The full HTTP request body.
+
+type: wildcard
+
+example: Hello world
+
+
+**`http.request.body.content.text`**
+:   type: match_only_text
+
+
+**`http.request.bytes`**
+:   Total size in bytes of the request (body and headers).
+
+type: long
+
+example: 1437
+
+format: bytes
+
+
+**`http.request.id`**
+:   A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`.
+
+type: keyword
+
+example: 123e4567-e89b-12d3-a456-426614174000
+
+
+**`http.request.method`**
+:   HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+
+type: keyword
+
+example: POST
+
+
+**`http.request.mime_type`**
+:   Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request’s Content-Type header can be helpful in detecting threats or misconfigured clients.
+
+type: keyword
+
+example: image/gif
+
+
+**`http.request.referrer`**
+:   Referrer for this HTTP request.
+
+type: keyword
+
+example: [https://blog.example.com/](https://blog.example.com/)
+
+
+**`http.response.body.bytes`**
+:   Size in bytes of the response body.
+
+type: long
+
+example: 887
+
+format: bytes
+
+
+**`http.response.body.content`**
+:   The full HTTP response body.
+
+type: wildcard
+
+example: Hello world
+
+
+**`http.response.body.content.text`**
+:   type: match_only_text
+
+
+**`http.response.bytes`**
+:   Total size in bytes of the response (body and headers).
+
+type: long
+
+example: 1437
+
+format: bytes
+
+
+**`http.response.mime_type`**
+:   Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response’s Content-Type header can be helpful in detecting misconfigured servers.
+
+type: keyword
+
+example: image/gif
+
+
+**`http.response.status_code`**
+:   HTTP response status code.
+
+type: long
+
+example: 404
+
+format: string
+
+
+**`http.version`**
+:   HTTP version.
+
+type: keyword
+
+example: 1.1
+
+
+
+## interface [_interface]
+
+The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection.  In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.
+
+**`interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+
+## log [_log_4]
+
+Details about the event’s logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields.
+
+**`log.file.path`**
+:   Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field.
+
+type: keyword
+
+example: /var/log/fun-times.log
+
+
+**`log.level`**
+:   Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`.
+
+type: keyword
+
+example: error
+
+
+**`log.logger`**
+:   The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+
+type: keyword
+
+example: org.elasticsearch.bootstrap.Bootstrap
+
+
+**`log.origin.file.line`**
+:   The line number of the file containing the source code which originated the log event.
+
+type: long
+
+example: 42
+
+
+**`log.origin.file.name`**
+:   The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.
+
+type: keyword
+
+example: Bootstrap.java
+
+
+**`log.origin.function`**
+:   The name of the function or method which originated the log event.
+
+type: keyword
+
+example: init
+
+
+**`log.syslog`**
+:   The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
+
+type: object
+
+
+**`log.syslog.facility.code`**
+:   The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+
+type: long
+
+example: 23
+
+format: string
+
+
+**`log.syslog.facility.name`**
+:   The Syslog text-based facility of the log event, if available.
+
+type: keyword
+
+example: local7
+
+
+**`log.syslog.priority`**
+:   Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+
+type: long
+
+example: 135
+
+format: string
+
+
+**`log.syslog.severity.code`**
+:   The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source’s numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+
+type: long
+
+example: 3
+
+
+**`log.syslog.severity.name`**
+:   The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source’s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
+
+type: keyword
+
+example: Error
+
+
+
+## network [_network]
+
+The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.
+
+**`network.application`**
+:   When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: aim
+
+
+**`network.bytes`**
+:   Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+
+type: long
+
+example: 368
+
+format: bytes
+
+
+**`network.community_id`**
+:   A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at [https://github.com/corelight/community-id-spec](https://github.com/corelight/community-id-spec).
+
+type: keyword
+
+example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
+
+
+**`network.direction`**
+:   Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown
+
+When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+
+type: keyword
+
+example: inbound
+
+
+**`network.forwarded_ip`**
+:   Host IP address when the source IP address is the proxy.
+
+type: ip
+
+example: 192.1.1.2
+
+
+**`network.iana_number`**
+:   IANA Protocol Number ([https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+
+type: keyword
+
+example: 6
+
+
+**`network.inner`**
+:   Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
+
+type: object
+
+
+**`network.inner.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`network.inner.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`network.name`**
+:   Name given by operators to sections of their network.
+
+type: keyword
+
+example: Guest Wifi
+
+
+**`network.packets`**
+:   Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+
+type: long
+
+example: 24
+
+
+**`network.protocol`**
+:   In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: http
+
+
+**`network.transport`**
+:   Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: tcp
+
+
+**`network.type`**
+:   In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: ipv4
+
+
+**`network.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`network.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+
+## observer [_observer]
+
+An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
+
+**`observer.egress`**
+:   Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
+
+type: object
+
+
+**`observer.egress.interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`observer.egress.interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`observer.egress.interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+**`observer.egress.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`observer.egress.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`observer.egress.zone`**
+:   Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
+
+type: keyword
+
+example: Public_Internet
+
+
+**`observer.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`observer.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`observer.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`observer.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`observer.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`observer.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`observer.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`observer.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`observer.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`observer.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`observer.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`observer.hostname`**
+:   Hostname of the observer.
+
+type: keyword
+
+
+**`observer.ingress`**
+:   Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
+
+type: object
+
+
+**`observer.ingress.interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`observer.ingress.interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`observer.ingress.interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+**`observer.ingress.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`observer.ingress.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`observer.ingress.zone`**
+:   Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
+
+type: keyword
+
+example: DMZ
+
+
+**`observer.ip`**
+:   IP addresses of the observer.
+
+type: ip
+
+
+**`observer.mac`**
+:   MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
+
+
+**`observer.name`**
+:   Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.
+
+type: keyword
+
+example: 1_proxySG
+
+
+**`observer.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`observer.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`observer.os.full.text`**
+:   type: match_only_text
+
+
+**`observer.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`observer.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`observer.os.name.text`**
+:   type: match_only_text
+
+
+**`observer.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`observer.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`observer.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`observer.product`**
+:   The product name of the observer.
+
+type: keyword
+
+example: s200
+
+
+**`observer.serial_number`**
+:   Observer serial number.
+
+type: keyword
+
+
+**`observer.type`**
+:   The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+
+type: keyword
+
+example: firewall
+
+
+**`observer.vendor`**
+:   Vendor name of the observer.
+
+type: keyword
+
+example: Symantec
+
+
+**`observer.version`**
+:   Observer version.
+
+type: keyword
+
+
+
+## orchestrator [_orchestrator]
+
+Fields that describe the resources which container orchestrators manage or act upon.
+
+**`orchestrator.api_version`**
+:   API version being used to carry out the action
+
+type: keyword
+
+example: v1beta1
+
+
+**`orchestrator.cluster.name`**
+:   Name of the cluster.
+
+type: keyword
+
+
+**`orchestrator.cluster.url`**
+:   URL of the API used to manage the cluster.
+
+type: keyword
+
+
+**`orchestrator.cluster.version`**
+:   The version of the cluster.
+
+type: keyword
+
+
+**`orchestrator.namespace`**
+:   Namespace in which the action is taking place.
+
+type: keyword
+
+example: kube-system
+
+
+**`orchestrator.organization`**
+:   Organization affected by the event (for multi-tenant orchestrator setups).
+
+type: keyword
+
+example: elastic
+
+
+**`orchestrator.resource.name`**
+:   Name of the resource being acted upon.
+
+type: keyword
+
+example: test-pod-cdcws
+
+
+**`orchestrator.resource.type`**
+:   Type of resource being acted upon.
+
+type: keyword
+
+example: service
+
+
+**`orchestrator.type`**
+:   Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
+
+type: keyword
+
+example: kubernetes
+
+
+
+## organization [_organization]
+
+The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.
+
+**`organization.id`**
+:   Unique identifier for the organization.
+
+type: keyword
+
+
+**`organization.name`**
+:   Organization name.
+
+type: keyword
+
+
+**`organization.name.text`**
+:   type: match_only_text
+
+
+
+## os [_os]
+
+The OS fields contain information about the operating system.
+
+**`os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`os.full.text`**
+:   type: match_only_text
+
+
+**`os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`os.name.text`**
+:   type: match_only_text
+
+
+**`os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+
+## package [_package]
+
+These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
+
+**`package.architecture`**
+:   Package architecture.
+
+type: keyword
+
+example: x86_64
+
+
+**`package.build_version`**
+:   Additional information about the build version of the installed package. For example use the commit SHA of a non-released package.
+
+type: keyword
+
+example: 36f4f7e89dd61b0988b12ee000b98966867710cd
+
+
+**`package.checksum`**
+:   Checksum of the installed package for verification.
+
+type: keyword
+
+example: 68b329da9893e34099c7d8ad5cb9c940
+
+
+**`package.description`**
+:   Description of the package.
+
+type: keyword
+
+example: Open source programming language to build simple/reliable/efficient software.
+
+
+**`package.install_scope`**
+:   Indicating how the package was installed, e.g. user-local, global.
+
+type: keyword
+
+example: global
+
+
+**`package.installed`**
+:   Time when package was installed.
+
+type: date
+
+
+**`package.license`**
+:   License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible ([https://spdx.org/licenses/](https://spdx.org/licenses/)).
+
+type: keyword
+
+example: Apache License 2.0
+
+
+**`package.name`**
+:   Package name
+
+type: keyword
+
+example: go
+
+
+**`package.path`**
+:   Path where the package is installed.
+
+type: keyword
+
+example: /usr/local/Cellar/go/1.12.9/
+
+
+**`package.reference`**
+:   Home page or reference URL of the software in this package, if available.
+
+type: keyword
+
+example: [https://golang.org](https://golang.org)
+
+
+**`package.size`**
+:   Package size in bytes.
+
+type: long
+
+example: 62231
+
+format: string
+
+
+**`package.type`**
+:   Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.
+
+type: keyword
+
+example: rpm
+
+
+**`package.version`**
+:   Package version
+
+type: keyword
+
+example: 1.12.9
+
+
+
+## pe [_pe]
+
+These fields contain Windows Portable Executable (PE) metadata.
+
+**`pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+
+## process [_process_2]
+
+These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message.  The `process.pid` often stays in the metric itself and is copied to the global field for correlation.
+
+**`process.args`**
+:   Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
+
+type: keyword
+
+example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
+
+
+**`process.args_count`**
+:   Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
+
+type: long
+
+example: 4
+
+
+**`process.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`process.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`process.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`process.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`process.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`process.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`process.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`process.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`process.command_line`**
+:   Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
+
+type: wildcard
+
+example: /usr/bin/ssh -l user 10.0.0.16
+
+
+**`process.command_line.text`**
+:   type: match_only_text
+
+
+**`process.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`process.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`process.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`process.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`process.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`process.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`process.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`process.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`process.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`process.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`process.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`process.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`process.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`process.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`process.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`process.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`process.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`process.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`process.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`process.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`process.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`process.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`process.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`process.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`process.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`process.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`process.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`process.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`process.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`process.end`**
+:   The time the process ended.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.entity_id`**
+:   Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+
+type: keyword
+
+example: c2c455d9f99375d
+
+
+**`process.executable`**
+:   Absolute path to the process executable.
+
+type: keyword
+
+example: /usr/bin/ssh
+
+
+**`process.executable.text`**
+:   type: match_only_text
+
+
+**`process.exit_code`**
+:   The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
+
+type: long
+
+example: 137
+
+
+**`process.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`process.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`process.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`process.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`process.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`process.name`**
+:   Process name. Sometimes called program name or similar.
+
+type: keyword
+
+example: ssh
+
+
+**`process.name.text`**
+:   type: match_only_text
+
+
+**`process.parent.args`**
+:   Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
+
+type: keyword
+
+example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
+
+
+**`process.parent.args_count`**
+:   Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
+
+type: long
+
+example: 4
+
+
+**`process.parent.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`process.parent.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`process.parent.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`process.parent.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.parent.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`process.parent.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`process.parent.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.command_line`**
+:   Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
+
+type: wildcard
+
+example: /usr/bin/ssh -l user 10.0.0.16
+
+
+**`process.parent.command_line.text`**
+:   type: match_only_text
+
+
+**`process.parent.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`process.parent.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`process.parent.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`process.parent.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`process.parent.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`process.parent.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`process.parent.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`process.parent.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`process.parent.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`process.parent.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`process.parent.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`process.parent.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`process.parent.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`process.parent.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`process.parent.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`process.parent.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`process.parent.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`process.parent.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`process.parent.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`process.parent.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`process.parent.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`process.parent.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`process.parent.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`process.parent.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`process.parent.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`process.parent.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`process.parent.end`**
+:   The time the process ended.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.parent.entity_id`**
+:   Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+
+type: keyword
+
+example: c2c455d9f99375d
+
+
+**`process.parent.executable`**
+:   Absolute path to the process executable.
+
+type: keyword
+
+example: /usr/bin/ssh
+
+
+**`process.parent.executable.text`**
+:   type: match_only_text
+
+
+**`process.parent.exit_code`**
+:   The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
+
+type: long
+
+example: 137
+
+
+**`process.parent.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`process.parent.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`process.parent.name`**
+:   Process name. Sometimes called program name or similar.
+
+type: keyword
+
+example: ssh
+
+
+**`process.parent.name.text`**
+:   type: match_only_text
+
+
+**`process.parent.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`process.parent.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.parent.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`process.parent.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`process.parent.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`process.parent.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`process.parent.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`process.parent.pgid`**
+:   Identifier of the group of processes the process belongs to.
+
+type: long
+
+format: string
+
+
+**`process.parent.pid`**
+:   Process id.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.parent.start`**
+:   The time the process started.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.parent.thread.id`**
+:   Thread ID.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.parent.thread.name`**
+:   Thread name.
+
+type: keyword
+
+example: thread-0
+
+
+**`process.parent.title`**
+:   Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+
+type: keyword
+
+
+**`process.parent.title.text`**
+:   type: match_only_text
+
+
+**`process.parent.uptime`**
+:   Seconds the process has been up.
+
+type: long
+
+example: 1325
+
+
+**`process.parent.working_directory`**
+:   The working directory of the process.
+
+type: keyword
+
+example: /home/alice
+
+
+**`process.parent.working_directory.text`**
+:   type: match_only_text
+
+
+**`process.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`process.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`process.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`process.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`process.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`process.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`process.pgid`**
+:   Identifier of the group of processes the process belongs to.
+
+type: long
+
+format: string
+
+
+**`process.pid`**
+:   Process id.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.start`**
+:   The time the process started.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.thread.id`**
+:   Thread ID.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.thread.name`**
+:   Thread name.
+
+type: keyword
+
+example: thread-0
+
+
+**`process.title`**
+:   Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+
+type: keyword
+
+
+**`process.title.text`**
+:   type: match_only_text
+
+
+**`process.uptime`**
+:   Seconds the process has been up.
+
+type: long
+
+example: 1325
+
+
+**`process.working_directory`**
+:   The working directory of the process.
+
+type: keyword
+
+example: /home/alice
+
+
+**`process.working_directory.text`**
+:   type: match_only_text
+
+
+
+## registry [_registry]
+
+Fields related to Windows Registry operations.
+
+**`registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+
+## related [_related]
+
+This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.
+
+**`related.hash`**
+:   All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search).
+
+type: keyword
+
+
+**`related.hosts`**
+:   All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+
+type: keyword
+
+
+**`related.ip`**
+:   All of the IPs seen on your event.
+
+type: ip
+
+
+**`related.user`**
+:   All the user names or other user identifiers seen on the event.
+
+type: keyword
+
+
+
+## rule [_rule]
+
+Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.
+
+**`rule.author`**
+:   Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
+
+type: keyword
+
+example: ["Star-Lord"]
+
+
+**`rule.category`**
+:   A categorization value keyword used by the entity using the rule for detection of this event.
+
+type: keyword
+
+example: Attempted Information Leak
+
+
+**`rule.description`**
+:   The description of the rule generating the event.
+
+type: keyword
+
+example: Block requests to public DNS over HTTPS / TLS protocols
+
+
+**`rule.id`**
+:   A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+
+type: keyword
+
+example: 101
+
+
+**`rule.license`**
+:   Name of the license under which the rule used to generate this event is made available.
+
+type: keyword
+
+example: Apache 2.0
+
+
+**`rule.name`**
+:   The name of the rule or signature generating the event.
+
+type: keyword
+
+example: BLOCK_DNS_over_TLS
+
+
+**`rule.reference`**
+:   Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert.
+
+type: keyword
+
+example: [https://en.wikipedia.org/wiki/DNS_over_TLS](https://en.wikipedia.org/wiki/DNS_over_TLS)
+
+
+**`rule.ruleset`**
+:   Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
+
+type: keyword
+
+example: Standard_Protocol_Filters
+
+
+**`rule.uuid`**
+:   A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
+
+type: keyword
+
+example: 1100110011
+
+
+**`rule.version`**
+:   The version / revision of the rule being used for analysis.
+
+type: keyword
+
+example: 1.1
+
+
+
+## server [_server]
+
+A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
+
+**`server.address`**
+:   Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`server.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`server.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`server.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`server.bytes`**
+:   Bytes sent from the server to the client.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`server.domain`**
+:   The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`server.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`server.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`server.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`server.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`server.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`server.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`server.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`server.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`server.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`server.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`server.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`server.ip`**
+:   IP address of the server (IPv4 or IPv6).
+
+type: ip
+
+
+**`server.mac`**
+:   MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`server.nat.ip`**
+:   Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`server.nat.port`**
+:   Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`server.packets`**
+:   Packets sent from the server to the client.
+
+type: long
+
+example: 12
+
+
+**`server.port`**
+:   Port of the server.
+
+type: long
+
+format: string
+
+
+**`server.registered_domain`**
+:   The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`server.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`server.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`server.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`server.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`server.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`server.user.full_name.text`**
+:   type: match_only_text
+
+
+**`server.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`server.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`server.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`server.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`server.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`server.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`server.user.name.text`**
+:   type: match_only_text
+
+
+**`server.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## service [_service]
+
+The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.
+
+**`service.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.origin.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.origin.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.origin.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.origin.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.origin.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.origin.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.origin.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.origin.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.origin.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+**`service.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.target.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.target.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.target.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.target.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.target.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.target.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.target.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.target.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.target.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+**`service.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+
+## source [_source_2]
+
+Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
+
+**`source.address`**
+:   Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`source.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`source.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`source.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`source.bytes`**
+:   Bytes sent from the source to the destination.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`source.domain`**
+:   The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`source.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`source.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`source.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`source.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`source.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`source.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`source.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`source.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`source.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`source.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`source.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`source.ip`**
+:   IP address of the source (IPv4 or IPv6).
+
+type: ip
+
+
+**`source.mac`**
+:   MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`source.nat.ip`**
+:   Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`source.nat.port`**
+:   Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`source.packets`**
+:   Packets sent from the source to the destination.
+
+type: long
+
+example: 12
+
+
+**`source.port`**
+:   Port of the source.
+
+type: long
+
+format: string
+
+
+**`source.registered_domain`**
+:   The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`source.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`source.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`source.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`source.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`source.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`source.user.full_name.text`**
+:   type: match_only_text
+
+
+**`source.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`source.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`source.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`source.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`source.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`source.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`source.user.name.text`**
+:   type: match_only_text
+
+
+**`source.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## threat [_threat]
+
+Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
+
+**`threat.enrichments`**
+:   A list of associated indicators objects enriching the event, and the context of that association/enrichment.
+
+type: nested
+
+
+**`threat.enrichments.indicator`**
+:   Object containing associated indicators enriching the event.
+
+type: object
+
+
+**`threat.enrichments.indicator.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`threat.enrichments.indicator.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`threat.enrichments.indicator.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.confidence`**
+:   Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High
+
+type: keyword
+
+example: Medium
+
+
+**`threat.enrichments.indicator.description`**
+:   Describes the type of action conducted by the threat.
+
+type: keyword
+
+example: IP x.x.x.x was observed delivering the Angler EK.
+
+
+**`threat.enrichments.indicator.email.address`**
+:   Identifies a threat indicator as an email address (irrespective of direction).
+
+type: keyword
+
+example: `phish@example.com`
+
+
+**`threat.enrichments.indicator.file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`threat.enrichments.indicator.file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`threat.enrichments.indicator.file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`threat.enrichments.indicator.file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`threat.enrichments.indicator.file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.enrichments.indicator.file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`threat.enrichments.indicator.file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`threat.enrichments.indicator.file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`threat.enrichments.indicator.file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`threat.enrichments.indicator.file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`threat.enrichments.indicator.file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`threat.enrichments.indicator.file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`threat.enrichments.indicator.file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`threat.enrichments.indicator.file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`threat.enrichments.indicator.file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`threat.enrichments.indicator.file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`threat.enrichments.indicator.file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`threat.enrichments.indicator.file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`threat.enrichments.indicator.file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`threat.enrichments.indicator.file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`threat.enrichments.indicator.file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.enrichments.indicator.file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`threat.enrichments.indicator.file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.enrichments.indicator.file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`threat.enrichments.indicator.file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`threat.enrichments.indicator.file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`threat.enrichments.indicator.file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`threat.enrichments.indicator.file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`threat.enrichments.indicator.file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`threat.enrichments.indicator.file.path.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`threat.enrichments.indicator.file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.enrichments.indicator.file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`threat.enrichments.indicator.file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`threat.enrichments.indicator.file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`threat.enrichments.indicator.file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`threat.enrichments.indicator.file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`threat.enrichments.indicator.file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`threat.enrichments.indicator.file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.target_path.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`threat.enrichments.indicator.file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.enrichments.indicator.file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.enrichments.indicator.file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.enrichments.indicator.file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.enrichments.indicator.file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.enrichments.indicator.file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.enrichments.indicator.file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.enrichments.indicator.file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.enrichments.indicator.file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.enrichments.indicator.file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.enrichments.indicator.file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.enrichments.indicator.file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.enrichments.indicator.file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.enrichments.indicator.file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.enrichments.indicator.file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.enrichments.indicator.file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.enrichments.indicator.file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.enrichments.indicator.file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.enrichments.indicator.first_seen`**
+:   The date and time when intelligence source first reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`threat.enrichments.indicator.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`threat.enrichments.indicator.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`threat.enrichments.indicator.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`threat.enrichments.indicator.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`threat.enrichments.indicator.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`threat.enrichments.indicator.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`threat.enrichments.indicator.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`threat.enrichments.indicator.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`threat.enrichments.indicator.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`threat.enrichments.indicator.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`threat.enrichments.indicator.ip`**
+:   Identifies a threat indicator as an IP address (irrespective of direction).
+
+type: ip
+
+example: 1.2.3.4
+
+
+**`threat.enrichments.indicator.last_seen`**
+:   The date and time when intelligence source last reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.marking.tlp`**
+:   Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED
+
+type: keyword
+
+example: White
+
+
+**`threat.enrichments.indicator.modified_at`**
+:   The date and time when intelligence source last modified information for this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.port`**
+:   Identifies a threat indicator as a port number (irrespective of direction).
+
+type: long
+
+example: 443
+
+
+**`threat.enrichments.indicator.provider`**
+:   The name of the indicator’s provider.
+
+type: keyword
+
+example: lrz_urlhaus
+
+
+**`threat.enrichments.indicator.reference`**
+:   Reference URL linking to additional information about this indicator.
+
+type: keyword
+
+example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234)
+
+
+**`threat.enrichments.indicator.registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`threat.enrichments.indicator.registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`threat.enrichments.indicator.registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`threat.enrichments.indicator.registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`threat.enrichments.indicator.registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`threat.enrichments.indicator.registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`threat.enrichments.indicator.registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+**`threat.enrichments.indicator.scanner_stats`**
+:   Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+type: long
+
+example: 4
+
+
+**`threat.enrichments.indicator.sightings`**
+:   Number of times this indicator was observed conducting threat activity.
+
+type: long
+
+example: 20
+
+
+**`threat.enrichments.indicator.type`**
+:   Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate
+
+type: keyword
+
+example: ipv4-addr
+
+
+**`threat.enrichments.indicator.url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`threat.enrichments.indicator.url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.enrichments.indicator.url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`threat.enrichments.indicator.url.full.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`threat.enrichments.indicator.url.original.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`threat.enrichments.indicator.url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`threat.enrichments.indicator.url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`threat.enrichments.indicator.url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`threat.enrichments.indicator.url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`threat.enrichments.indicator.url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`threat.enrichments.indicator.url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.enrichments.indicator.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.enrichments.indicator.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.enrichments.indicator.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.enrichments.indicator.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.enrichments.indicator.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.enrichments.indicator.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.enrichments.indicator.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.enrichments.indicator.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.enrichments.indicator.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.enrichments.indicator.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.enrichments.indicator.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.enrichments.indicator.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.enrichments.indicator.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.enrichments.indicator.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.enrichments.indicator.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.enrichments.indicator.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.enrichments.matched.atomic`**
+:   Identifies the atomic indicator value that matched a local environment endpoint or network event.
+
+type: keyword
+
+example: bad-domain.com
+
+
+**`threat.enrichments.matched.field`**
+:   Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
+
+type: keyword
+
+example: file.hash.sha256
+
+
+**`threat.enrichments.matched.id`**
+:   Identifies the _id of the indicator document enriching the event.
+
+type: keyword
+
+example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
+
+
+**`threat.enrichments.matched.index`**
+:   Identifies the _index of the indicator document enriching the event.
+
+type: keyword
+
+example: filebeat-8.0.0-2021.05.23-000011
+
+
+**`threat.enrichments.matched.type`**
+:   Identifies the type of match that caused the event to be enriched with the given indicator
+
+type: keyword
+
+example: indicator_match_rule
+
+
+**`threat.framework`**
+:   Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
+
+type: keyword
+
+example: MITRE ATT&CK
+
+
+**`threat.group.alias`**
+:   The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es).
+
+type: keyword
+
+example: [ "Magecart Group 6" ]
+
+
+**`threat.group.id`**
+:   The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id.
+
+type: keyword
+
+example: G0037
+
+
+**`threat.group.name`**
+:   The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name.
+
+type: keyword
+
+example: FIN6
+
+
+**`threat.group.reference`**
+:   The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL.
+
+type: keyword
+
+example: [https://attack.mitre.org/groups/G0037/](https://attack.mitre.org/groups/G0037/)
+
+
+**`threat.indicator.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`threat.indicator.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`threat.indicator.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.confidence`**
+:   Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High
+
+type: keyword
+
+example: Medium
+
+
+**`threat.indicator.description`**
+:   Describes the type of action conducted by the threat.
+
+type: keyword
+
+example: IP x.x.x.x was observed delivering the Angler EK.
+
+
+**`threat.indicator.email.address`**
+:   Identifies a threat indicator as an email address (irrespective of direction).
+
+type: keyword
+
+example: `phish@example.com`
+
+
+**`threat.indicator.file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`threat.indicator.file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`threat.indicator.file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`threat.indicator.file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`threat.indicator.file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`threat.indicator.file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.indicator.file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`threat.indicator.file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`threat.indicator.file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`threat.indicator.file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`threat.indicator.file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`threat.indicator.file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`threat.indicator.file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`threat.indicator.file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`threat.indicator.file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`threat.indicator.file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`threat.indicator.file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`threat.indicator.file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`threat.indicator.file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`threat.indicator.file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`threat.indicator.file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`threat.indicator.file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`threat.indicator.file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`threat.indicator.file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`threat.indicator.file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.indicator.file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`threat.indicator.file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.indicator.file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`threat.indicator.file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`threat.indicator.file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`threat.indicator.file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`threat.indicator.file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`threat.indicator.file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`threat.indicator.file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`threat.indicator.file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`threat.indicator.file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`threat.indicator.file.path.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`threat.indicator.file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.indicator.file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`threat.indicator.file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`threat.indicator.file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`threat.indicator.file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`threat.indicator.file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`threat.indicator.file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`threat.indicator.file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`threat.indicator.file.target_path.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`threat.indicator.file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.indicator.file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.indicator.file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.indicator.file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.indicator.file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.indicator.file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.indicator.file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.indicator.file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.indicator.file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.indicator.file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.indicator.file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.indicator.file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.indicator.file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.indicator.file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.indicator.file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.indicator.file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.indicator.file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.indicator.file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.indicator.file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.indicator.first_seen`**
+:   The date and time when intelligence source first reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`threat.indicator.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`threat.indicator.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`threat.indicator.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`threat.indicator.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`threat.indicator.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`threat.indicator.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`threat.indicator.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`threat.indicator.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`threat.indicator.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`threat.indicator.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`threat.indicator.ip`**
+:   Identifies a threat indicator as an IP address (irrespective of direction).
+
+type: ip
+
+example: 1.2.3.4
+
+
+**`threat.indicator.last_seen`**
+:   The date and time when intelligence source last reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.marking.tlp`**
+:   Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED
+
+type: keyword
+
+example: WHITE
+
+
+**`threat.indicator.modified_at`**
+:   The date and time when intelligence source last modified information for this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.port`**
+:   Identifies a threat indicator as a port number (irrespective of direction).
+
+type: long
+
+example: 443
+
+
+**`threat.indicator.provider`**
+:   The name of the indicator’s provider.
+
+type: keyword
+
+example: lrz_urlhaus
+
+
+**`threat.indicator.reference`**
+:   Reference URL linking to additional information about this indicator.
+
+type: keyword
+
+example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234)
+
+
+**`threat.indicator.registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`threat.indicator.registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`threat.indicator.registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`threat.indicator.registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`threat.indicator.registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`threat.indicator.registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`threat.indicator.registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+**`threat.indicator.scanner_stats`**
+:   Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+type: long
+
+example: 4
+
+
+**`threat.indicator.sightings`**
+:   Number of times this indicator was observed conducting threat activity.
+
+type: long
+
+example: 20
+
+
+**`threat.indicator.type`**
+:   Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate
+
+type: keyword
+
+example: ipv4-addr
+
+
+**`threat.indicator.url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`threat.indicator.url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.indicator.url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`threat.indicator.url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`threat.indicator.url.full.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`threat.indicator.url.original.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`threat.indicator.url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`threat.indicator.url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`threat.indicator.url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`threat.indicator.url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`threat.indicator.url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`threat.indicator.url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`threat.indicator.url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`threat.indicator.url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+**`threat.indicator.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.indicator.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.indicator.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.indicator.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.indicator.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.indicator.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.indicator.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.indicator.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.indicator.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.indicator.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.indicator.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.indicator.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.indicator.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.indicator.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.indicator.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.indicator.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.indicator.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.indicator.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.software.alias`**
+:   The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description.
+
+type: keyword
+
+example: [ "X-Agent" ]
+
+
+**`threat.software.id`**
+:   The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id.
+
+type: keyword
+
+example: S0552
+
+
+**`threat.software.name`**
+:   The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name.
+
+type: keyword
+
+example: AdFind
+
+
+**`threat.software.platforms`**
+:   The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows
+
+While not required, you can use a MITRE ATT&CK® software platforms.
+
+type: keyword
+
+example: [ "Windows" ]
+
+
+**`threat.software.reference`**
+:   The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL.
+
+type: keyword
+
+example: [https://attack.mitre.org/software/S0552/](https://attack.mitre.org/software/S0552/)
+
+
+**`threat.software.type`**
+:   The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool
+
+```
+While not required, you can use a MITRE ATT&CK® software type.
+```
+type: keyword
+
+example: Tool
+
+
+**`threat.tactic.id`**
+:   The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) )
+
+type: keyword
+
+example: TA0002
+
+
+**`threat.tactic.name`**
+:   Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/))
+
+type: keyword
+
+example: Execution
+
+
+**`threat.tactic.reference`**
+:   The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) )
+
+type: keyword
+
+example: [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)
+
+
+**`threat.technique.id`**
+:   The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: T1059
+
+
+**`threat.technique.name`**
+:   The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: Command and Scripting Interpreter
+
+
+**`threat.technique.name.text`**
+:   type: match_only_text
+
+
+**`threat.technique.reference`**
+:   The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)
+
+
+**`threat.technique.subtechnique.id`**
+:   The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: T1059.001
+
+
+**`threat.technique.subtechnique.name`**
+:   The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: PowerShell
+
+
+**`threat.technique.subtechnique.name.text`**
+:   type: match_only_text
+
+
+**`threat.technique.subtechnique.reference`**
+:   The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)
+
+
+
+## tls [_tls]
+
+Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.
+
+**`tls.cipher`**
+:   String indicating the cipher used during the current connection.
+
+type: keyword
+
+example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+
+
+**`tls.client.certificate`**
+:   PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII…​
+
+
+**`tls.client.certificate_chain`**
+:   Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ["MII…​", "MII…​"]
+
+
+**`tls.client.hash.md5`**
+:   Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+
+**`tls.client.hash.sha1`**
+:   Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+
+**`tls.client.hash.sha256`**
+:   Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+
+**`tls.client.issuer`**
+:   Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.client.ja3`**
+:   A hash that identifies clients based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: d4e5b18d6b55c71272893221c96ba240
+
+
+**`tls.client.not_after`**
+:   Date/Time indicating when client certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+
+**`tls.client.not_before`**
+:   Date/Time indicating when client certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+
+**`tls.client.server_name`**
+:   Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`tls.client.subject`**
+:   Distinguished name of subject of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=myclient, OU=Documentation Team, DC=example, DC=com
+
+
+**`tls.client.supported_ciphers`**
+:   Array of ciphers offered by the client during the client hello.
+
+type: keyword
+
+example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "…​"]
+
+
+**`tls.client.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`tls.client.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`tls.client.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`tls.client.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`tls.client.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`tls.client.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`tls.client.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`tls.client.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.client.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`tls.client.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`tls.client.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`tls.client.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`tls.client.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`tls.client.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`tls.client.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`tls.client.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`tls.client.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`tls.client.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`tls.client.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`tls.client.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`tls.client.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`tls.client.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`tls.client.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.client.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`tls.curve`**
+:   String indicating the curve used for the given cipher, when applicable.
+
+type: keyword
+
+example: secp256r1
+
+
+**`tls.established`**
+:   Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+
+type: boolean
+
+
+**`tls.next_protocol`**
+:   String indicating the protocol being tunneled. Per the values in the IANA registry ([https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids)), this string should be lower case.
+
+type: keyword
+
+example: http/1.1
+
+
+**`tls.resumed`**
+:   Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+
+type: boolean
+
+
+**`tls.server.certificate`**
+:   PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII…​
+
+
+**`tls.server.certificate_chain`**
+:   Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ["MII…​", "MII…​"]
+
+
+**`tls.server.hash.md5`**
+:   Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+
+**`tls.server.hash.sha1`**
+:   Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+
+**`tls.server.hash.sha256`**
+:   Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+
+**`tls.server.issuer`**
+:   Subject of the issuer of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.server.ja3s`**
+:   A hash that identifies servers based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: 394441ab65754e2207b1e1b457b3641d
+
+
+**`tls.server.not_after`**
+:   Timestamp indicating when server certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+
+**`tls.server.not_before`**
+:   Timestamp indicating when server certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+
+**`tls.server.subject`**
+:   Subject of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.server.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`tls.server.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`tls.server.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`tls.server.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`tls.server.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`tls.server.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`tls.server.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`tls.server.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.server.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`tls.server.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`tls.server.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`tls.server.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`tls.server.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`tls.server.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`tls.server.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`tls.server.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`tls.server.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`tls.server.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`tls.server.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`tls.server.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`tls.server.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`tls.server.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`tls.server.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.server.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`tls.version`**
+:   Numeric part of the version parsed from the original string.
+
+type: keyword
+
+example: 1.2
+
+
+**`tls.version_protocol`**
+:   Normalized lowercase protocol name parsed from original string.
+
+type: keyword
+
+example: tls
+
+
+**`span.id`**
+:   Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query.
+
+type: keyword
+
+example: 3ff9a8981b7ccd5a
+
+
+**`trace.id`**
+:   Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
+
+type: keyword
+
+example: 4bf92f3577b34da6a3ce929d0e0e4736
+
+
+**`transaction.id`**
+:   Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server.
+
+type: keyword
+
+example: 00f067aa0ba902b7
+
+
+
+## url [_url_3]
+
+URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.
+
+**`url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`url.full.text`**
+:   type: match_only_text
+
+
+**`url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`url.original.text`**
+:   type: match_only_text
+
+
+**`url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+
+## user [_user_2]
+
+The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
+
+**`user.changes.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.changes.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.changes.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.changes.full_name.text`**
+:   type: match_only_text
+
+
+**`user.changes.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.changes.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.changes.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.changes.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.changes.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.changes.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.changes.name.text`**
+:   type: match_only_text
+
+
+**`user.changes.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.effective.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.effective.full_name.text`**
+:   type: match_only_text
+
+
+**`user.effective.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.effective.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.effective.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.effective.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.effective.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.effective.name.text`**
+:   type: match_only_text
+
+
+**`user.effective.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.full_name.text`**
+:   type: match_only_text
+
+
+**`user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.name.text`**
+:   type: match_only_text
+
+
+**`user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.target.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.target.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.target.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.target.full_name.text`**
+:   type: match_only_text
+
+
+**`user.target.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.target.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.target.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.target.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.target.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.target.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.target.name.text`**
+:   type: match_only_text
+
+
+**`user.target.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## user_agent [_user_agent]
+
+The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
+
+**`user_agent.device.name`**
+:   Name of the device.
+
+type: keyword
+
+example: iPhone
+
+
+**`user_agent.name`**
+:   Name of the user agent.
+
+type: keyword
+
+example: Safari
+
+
+**`user_agent.original`**
+:   Unparsed user_agent string.
+
+type: keyword
+
+example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+
+
+**`user_agent.original.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`user_agent.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`user_agent.os.full.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`user_agent.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`user_agent.os.name.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`user_agent.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`user_agent.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`user_agent.version`**
+:   Version of the user agent.
+
+type: keyword
+
+example: 12.0
+
+
+
+## vlan [_vlan]
+
+The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor  (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.
+
+**`vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+
+## vulnerability [_vulnerability]
+
+The vulnerability fields describe information about a vulnerability that is relevant to an event.
+
+**`vulnerability.category`**
+:   The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example ([Qualys vulnerability categories](https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)) This field must be an array.
+
+type: keyword
+
+example: ["Firewall"]
+
+
+**`vulnerability.classification`**
+:   The classification of the vulnerability scoring system. For example ([https://www.first.org/cvss/](https://www.first.org/cvss/))
+
+type: keyword
+
+example: CVSS
+
+
+**`vulnerability.description`**
+:   The description of the vulnerability that provides additional context of the vulnerability. For example ([Common Vulnerabilities and Exposure CVE description](https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created))
+
+type: keyword
+
+example: In macOS before 2.12.6, there is a vulnerability in the RPC…​
+
+
+**`vulnerability.description.text`**
+:   type: match_only_text
+
+
+**`vulnerability.enumeration`**
+:   The type of identifier used for this vulnerability. For example ([https://cve.mitre.org/about/](https://cve.mitre.org/about/))
+
+type: keyword
+
+example: CVE
+
+
+**`vulnerability.id`**
+:   The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example ([Common Vulnerabilities and Exposure CVE ID](https://cve.mitre.org/about/faqs.html#what_is_cve_id))
+
+type: keyword
+
+example: CVE-2019-00001
+
+
+**`vulnerability.reference`**
+:   A resource that provides additional information, context, and mitigations for the identified vulnerability.
+
+type: keyword
+
+example: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111)
+
+
+**`vulnerability.report_id`**
+:   The report or scan identification number.
+
+type: keyword
+
+example: 20191018.0001
+
+
+**`vulnerability.scanner.vendor`**
+:   The name of the vulnerability scanner vendor.
+
+type: keyword
+
+example: Tenable
+
+
+**`vulnerability.score.base`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+example: 5.5
+
+
+**`vulnerability.score.environmental`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+example: 5.5
+
+
+**`vulnerability.score.temporal`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+
+**`vulnerability.score.version`**
+:   The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss))
+
+type: keyword
+
+example: 2.0
+
+
+**`vulnerability.severity`**
+:   The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss))
+
+type: keyword
+
+example: Critical
+
+
+
+## x509 [_x509]
+
+This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.
+
+**`x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
diff --git a/docs/reference/filebeat/exported-fields-elasticsearch.md b/docs/reference/filebeat/exported-fields-elasticsearch.md
new file mode 100644
index 000000000000..e16a887cb1fb
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-elasticsearch.md
@@ -0,0 +1,589 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-elasticsearch.html
+---
+
+# Elasticsearch fields [exported-fields-elasticsearch]
+
+elasticsearch Module
+
+
+## elasticsearch [_elasticsearch]
+
+**`elasticsearch.component`**
+:   Elasticsearch component from where the log event originated
+
+type: keyword
+
+example: o.e.c.m.MetaDataCreateIndexService
+
+
+**`elasticsearch.cluster.uuid`**
+:   UUID of the cluster
+
+type: keyword
+
+example: GmvrbHlNTiSVYiPf8kxg9g
+
+
+**`elasticsearch.cluster.name`**
+:   Name of the cluster
+
+type: keyword
+
+example: docker-cluster
+
+
+**`elasticsearch.node.id`**
+:   ID of the node
+
+type: keyword
+
+example: DSiWcTyeThWtUXLB9J0BMw
+
+
+**`elasticsearch.node.name`**
+:   Name of the node
+
+type: keyword
+
+example: vWNJsZ3
+
+
+**`elasticsearch.index.name`**
+:   Index name
+
+type: keyword
+
+example: filebeat-test-input
+
+
+**`elasticsearch.index.id`**
+:   Index id
+
+type: keyword
+
+example: aOGgDwbURfCV57AScqbCgw
+
+
+**`elasticsearch.shard.id`**
+:   Id of the shard
+
+type: keyword
+
+example: 0
+
+
+**`elasticsearch.elastic_product_origin`**
+:   Used by Elastic stack to identify which component of the stack sent the request
+
+type: keyword
+
+example: kibana
+
+
+**`elasticsearch.http.request.x_opaque_id`**
+:   Used by Elasticsearch to throttle and deduplicate deprecation warnings
+
+type: keyword
+
+example: v7app
+
+
+**`elasticsearch.event.category`**
+:   Category of the deprecation event
+
+type: keyword
+
+example: compatible_api
+
+
+**`elasticsearch.audit.layer`**
+:   The layer from which this event originated: rest, transport or ip_filter
+
+type: keyword
+
+example: rest
+
+
+**`elasticsearch.audit.event_type`**
+:   The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied
+
+type: keyword
+
+example: access_granted
+
+
+**`elasticsearch.audit.origin.type`**
+:   Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)
+
+type: keyword
+
+example: local_node
+
+
+**`elasticsearch.audit.realm`**
+:   The authentication realm the authentication was validated against
+
+type: keyword
+
+
+**`elasticsearch.audit.user.realm`**
+:   The user’s authentication realm, if authenticated
+
+type: keyword
+
+
+**`elasticsearch.audit.user.roles`**
+:   Roles to which the principal belongs
+
+type: keyword
+
+example: [*kibana_admin*, *beats_admin*]
+
+
+**`elasticsearch.audit.user.run_as.name`**
+:   type: keyword
+
+
+**`elasticsearch.audit.user.run_as.realm`**
+:   type: keyword
+
+
+**`elasticsearch.audit.component`**
+:   type: keyword
+
+
+**`elasticsearch.audit.action`**
+:   The name of the action that was executed
+
+type: keyword
+
+example: cluster:monitor/main
+
+
+**`elasticsearch.audit.url.params`**
+:   REST URI parameters
+
+example: {username=jacknich2}
+
+
+**`elasticsearch.audit.indices`**
+:   Indices accessed by action
+
+type: keyword
+
+example: [*foo-2019.01.04*, *foo-2019.01.03*, *foo-2019.01.06*]
+
+
+**`elasticsearch.audit.request.id`**
+:   Unique ID of request
+
+type: keyword
+
+example: WzL_kb6VSvOhAq0twPvHOQ
+
+
+**`elasticsearch.audit.request.name`**
+:   The type of request that was executed
+
+type: keyword
+
+example: ClearScrollRequest
+
+
+**`elasticsearch.audit.request_body`**
+:   type: alias
+
+alias to: http.request.body.content
+
+
+**`elasticsearch.audit.origin_address`**
+:   type: alias
+
+alias to: source.ip
+
+
+**`elasticsearch.audit.uri`**
+:   type: alias
+
+alias to: url.original
+
+
+**`elasticsearch.audit.principal`**
+:   type: alias
+
+alias to: user.name
+
+
+**`elasticsearch.audit.message`**
+:   type: text
+
+
+**`elasticsearch.audit.invalidate.apikeys.owned_by_authenticated_user`**
+:   type: boolean
+
+
+**`elasticsearch.audit.authentication.type`**
+:   type: keyword
+
+
+**`elasticsearch.audit.opaque_id`**
+:   type: text
+
+
+
+## deprecation [_deprecation]
+
+
+## gc [_gc]
+
+GC fileset fields.
+
+
+## phase [_phase]
+
+Fields specific to GC phase.
+
+**`elasticsearch.gc.phase.name`**
+:   Name of the GC collection phase.
+
+type: keyword
+
+
+**`elasticsearch.gc.phase.duration_sec`**
+:   Collection phase duration according to the Java virtual machine.
+
+type: float
+
+
+**`elasticsearch.gc.phase.scrub_symbol_table_time_sec`**
+:   Pause time in seconds cleaning up symbol tables.
+
+type: float
+
+
+**`elasticsearch.gc.phase.scrub_string_table_time_sec`**
+:   Pause time in seconds cleaning up string tables.
+
+type: float
+
+
+**`elasticsearch.gc.phase.weak_refs_processing_time_sec`**
+:   Time spent processing weak references in seconds.
+
+type: float
+
+
+**`elasticsearch.gc.phase.parallel_rescan_time_sec`**
+:   Time spent in seconds marking live objects while application is stopped.
+
+type: float
+
+
+**`elasticsearch.gc.phase.class_unload_time_sec`**
+:   Time spent unloading unused classes in seconds.
+
+type: float
+
+
+
+## cpu_time [_cpu_time]
+
+Process CPU time spent performing collections.
+
+**`elasticsearch.gc.phase.cpu_time.user_sec`**
+:   CPU time spent outside the kernel.
+
+type: float
+
+
+**`elasticsearch.gc.phase.cpu_time.sys_sec`**
+:   CPU time spent inside the kernel.
+
+type: float
+
+
+**`elasticsearch.gc.phase.cpu_time.real_sec`**
+:   Total elapsed CPU time spent to complete the collection from start to finish.
+
+type: float
+
+
+**`elasticsearch.gc.jvm_runtime_sec`**
+:   The time from JVM start up in seconds, as a floating point number.
+
+type: float
+
+
+**`elasticsearch.gc.threads_total_stop_time_sec`**
+:   Garbage collection threads total stop time seconds.
+
+type: float
+
+
+**`elasticsearch.gc.stopping_threads_time_sec`**
+:   Time took to stop threads seconds.
+
+type: float
+
+
+**`elasticsearch.gc.tags`**
+:   GC logging tags.
+
+type: keyword
+
+
+
+## heap [_heap]
+
+Heap allocation and total size.
+
+**`elasticsearch.gc.heap.size_kb`**
+:   Total heap size in kilobytes.
+
+type: integer
+
+
+**`elasticsearch.gc.heap.used_kb`**
+:   Used heap in kilobytes.
+
+type: integer
+
+
+
+## old_gen [_old_gen]
+
+Old generation occupancy and total size.
+
+**`elasticsearch.gc.old_gen.size_kb`**
+:   Total size of old generation in kilobytes.
+
+type: integer
+
+
+**`elasticsearch.gc.old_gen.used_kb`**
+:   Old generation occupancy in kilobytes.
+
+type: integer
+
+
+
+## young_gen [_young_gen]
+
+Young generation occupancy and total size.
+
+**`elasticsearch.gc.young_gen.size_kb`**
+:   Total size of young generation in kilobytes.
+
+type: integer
+
+
+**`elasticsearch.gc.young_gen.used_kb`**
+:   Young generation occupancy in kilobytes.
+
+type: integer
+
+
+
+## server [_server_2]
+
+Server log file
+
+**`elasticsearch.server.stacktrace`**
+:   Field is not indexed.
+
+
+
+## gc [_gc_2]
+
+GC log
+
+
+## young [_young]
+
+Young GC
+
+**`elasticsearch.server.gc.young.one`**
+:   type: long
+
+example:
+
+
+**`elasticsearch.server.gc.young.two`**
+:   type: long
+
+example:
+
+
+**`elasticsearch.server.gc.overhead_seq`**
+:   Sequence number
+
+type: long
+
+example: 3449992
+
+
+**`elasticsearch.server.gc.collection_duration.ms`**
+:   Time spent in GC, in milliseconds
+
+type: float
+
+example: 1600
+
+
+**`elasticsearch.server.gc.observation_duration.ms`**
+:   Total time over which collection was observed, in milliseconds
+
+type: float
+
+example: 1800
+
+
+
+## slowlog [_slowlog]
+
+Slowlog events from Elasticsearch
+
+**`elasticsearch.slowlog.logger`**
+:   Logger name
+
+type: keyword
+
+example: index.search.slowlog.fetch
+
+
+**`elasticsearch.slowlog.took`**
+:   Time it took to execute the query
+
+type: keyword
+
+example: 300ms
+
+
+**`elasticsearch.slowlog.types`**
+:   Types
+
+type: keyword
+
+example:
+
+
+**`elasticsearch.slowlog.stats`**
+:   Stats groups
+
+type: keyword
+
+example: group1
+
+
+**`elasticsearch.slowlog.search_type`**
+:   Search type
+
+type: keyword
+
+example: QUERY_THEN_FETCH
+
+
+**`elasticsearch.slowlog.source_query`**
+:   Slow query
+
+type: keyword
+
+example: {"query":{"match_all":{"boost":1.0}}}
+
+
+**`elasticsearch.slowlog.extra_source`**
+:   Extra source information
+
+type: keyword
+
+example:
+
+
+**`elasticsearch.slowlog.total_hits`**
+:   Total hits
+
+type: keyword
+
+example: 42
+
+
+**`elasticsearch.slowlog.total_shards`**
+:   Total queried shards
+
+type: keyword
+
+example: 22
+
+
+**`elasticsearch.slowlog.routing`**
+:   Routing
+
+type: keyword
+
+example: s01HZ2QBk9jw4gtgaFtn
+
+
+**`elasticsearch.slowlog.id`**
+:   Id
+
+type: keyword
+
+example:
+
+
+**`elasticsearch.slowlog.type`**
+:   Type
+
+type: keyword
+
+example: doc
+
+
+**`elasticsearch.slowlog.source`**
+:   Source of document that was indexed
+
+type: keyword
+
+
+**`elasticsearch.slowlog.user.realm`**
+:   The authentication realm the user was authenticated against
+
+type: keyword
+
+example: default_file
+
+
+**`elasticsearch.slowlog.user.effective.realm`**
+:   The authentication realm the effective user was authenticated against
+
+type: keyword
+
+example: default_file
+
+
+**`elasticsearch.slowlog.auth.type`**
+:   The authentication type used to authenticate the user. One of TOKEN | REALM | API_KEY
+
+type: keyword
+
+example: REALM
+
+
+**`elasticsearch.slowlog.apikey.id`**
+:   The id of the API key used
+
+type: keyword
+
+example: WzL_kb6VSvOhAq0twPvHOQ
+
+
+**`elasticsearch.slowlog.apikey.name`**
+:   The name of the API key used
+
+type: keyword
+
+example: my-api-key
+
+
diff --git a/docs/reference/filebeat/exported-fields-envoyproxy.md b/docs/reference/filebeat/exported-fields-envoyproxy.md
new file mode 100644
index 000000000000..f3becb7610a4
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-envoyproxy.md
@@ -0,0 +1,52 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-envoyproxy.html
+---
+
+# Envoyproxy fields [exported-fields-envoyproxy]
+
+Module for handling logs produced by envoy
+
+
+## envoyproxy [_envoyproxy]
+
+Fields from envoy proxy logs after normalization
+
+**`envoyproxy.log_type`**
+:   Envoy log type, normally ACCESS
+
+type: keyword
+
+
+**`envoyproxy.response_flags`**
+:   Response flags
+
+type: keyword
+
+
+**`envoyproxy.upstream_service_time`**
+:   Upstream service time in nanoseconds
+
+type: long
+
+format: duration
+
+
+**`envoyproxy.request_id`**
+:   ID of the request
+
+type: keyword
+
+
+**`envoyproxy.authority`**
+:   Envoy proxy authority field
+
+type: keyword
+
+
+**`envoyproxy.proxy_type`**
+:   Envoy proxy type, tcp or http
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-fortinet.md b/docs/reference/filebeat/exported-fields-fortinet.md
new file mode 100644
index 000000000000..6632cf7caa76
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-fortinet.md
@@ -0,0 +1,2611 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-fortinet.html
+---
+
+# Fortinet fields [exported-fields-fortinet]
+
+fortinet Module
+
+
+## fortinet [_fortinet]
+
+Fields from fortinet FortiOS
+
+**`fortinet.file.hash.crc32`**
+:   CRC32 Hash of file
+
+type: keyword
+
+
+
+## firewall [_firewall]
+
+Module for parsing Fortinet syslog.
+
+**`fortinet.firewall.acct_stat`**
+:   Accounting state (RADIUS)
+
+type: keyword
+
+
+**`fortinet.firewall.acktime`**
+:   Alarm Acknowledge Time
+
+type: keyword
+
+
+**`fortinet.firewall.act`**
+:   Action
+
+type: keyword
+
+
+**`fortinet.firewall.action`**
+:   Status of the session
+
+type: keyword
+
+
+**`fortinet.firewall.activity`**
+:   HA activity message
+
+type: keyword
+
+
+**`fortinet.firewall.addr`**
+:   IP Address
+
+type: ip
+
+
+**`fortinet.firewall.addr_type`**
+:   Address Type
+
+type: keyword
+
+
+**`fortinet.firewall.addrgrp`**
+:   Address Group
+
+type: keyword
+
+
+**`fortinet.firewall.adgroup`**
+:   AD Group Name
+
+type: keyword
+
+
+**`fortinet.firewall.admin`**
+:   Admin User
+
+type: keyword
+
+
+**`fortinet.firewall.age`**
+:   Time in seconds - time passed since last seen
+
+type: integer
+
+
+**`fortinet.firewall.agent`**
+:   User agent - eg. agent="Mozilla/5.0"
+
+type: keyword
+
+
+**`fortinet.firewall.alarmid`**
+:   Alarm ID
+
+type: integer
+
+
+**`fortinet.firewall.alert`**
+:   Alert
+
+type: keyword
+
+
+**`fortinet.firewall.analyticscksum`**
+:   The checksum of the file submitted for analytics
+
+type: keyword
+
+
+**`fortinet.firewall.analyticssubmit`**
+:   The flag for analytics submission
+
+type: keyword
+
+
+**`fortinet.firewall.ap`**
+:   Access Point
+
+type: keyword
+
+
+**`fortinet.firewall.app-type`**
+:   Address Type
+
+type: keyword
+
+
+**`fortinet.firewall.appact`**
+:   The security action from app control
+
+type: keyword
+
+
+**`fortinet.firewall.appid`**
+:   Application ID
+
+type: integer
+
+
+**`fortinet.firewall.applist`**
+:   Application Control profile
+
+type: keyword
+
+
+**`fortinet.firewall.apprisk`**
+:   Application Risk Level
+
+type: keyword
+
+
+**`fortinet.firewall.apscan`**
+:   The name of the AP, which scanned and detected the rogue AP
+
+type: keyword
+
+
+**`fortinet.firewall.apsn`**
+:   Access Point
+
+type: keyword
+
+
+**`fortinet.firewall.apstatus`**
+:   Access Point status
+
+type: keyword
+
+
+**`fortinet.firewall.aptype`**
+:   Access Point type
+
+type: keyword
+
+
+**`fortinet.firewall.assigned`**
+:   Assigned IP Address
+
+type: ip
+
+
+**`fortinet.firewall.assignip`**
+:   Assigned IP Address
+
+type: ip
+
+
+**`fortinet.firewall.attachment`**
+:   The flag for email attachement
+
+type: keyword
+
+
+**`fortinet.firewall.attack`**
+:   Attack Name
+
+type: keyword
+
+
+**`fortinet.firewall.attackcontext`**
+:   The trigger patterns and the packetdata with base64 encoding
+
+type: keyword
+
+
+**`fortinet.firewall.attackcontextid`**
+:   Attack context id / total
+
+type: keyword
+
+
+**`fortinet.firewall.attackid`**
+:   Attack ID
+
+type: integer
+
+
+**`fortinet.firewall.auditid`**
+:   Audit ID
+
+type: long
+
+
+**`fortinet.firewall.auditscore`**
+:   The Audit Score
+
+type: keyword
+
+
+**`fortinet.firewall.audittime`**
+:   The time of the audit
+
+type: long
+
+
+**`fortinet.firewall.authgrp`**
+:   Authorization Group
+
+type: keyword
+
+
+**`fortinet.firewall.authid`**
+:   Authentication ID
+
+type: keyword
+
+
+**`fortinet.firewall.authproto`**
+:   The protocol that initiated the authentication
+
+type: keyword
+
+
+**`fortinet.firewall.authserver`**
+:   Authentication server
+
+type: keyword
+
+
+**`fortinet.firewall.bandwidth`**
+:   Bandwidth
+
+type: keyword
+
+
+**`fortinet.firewall.banned_rule`**
+:   NAC quarantine Banned Rule Name
+
+type: keyword
+
+
+**`fortinet.firewall.banned_src`**
+:   NAC quarantine Banned Source IP
+
+type: keyword
+
+
+**`fortinet.firewall.banword`**
+:   Banned word
+
+type: keyword
+
+
+**`fortinet.firewall.botnetdomain`**
+:   Botnet Domain Name
+
+type: keyword
+
+
+**`fortinet.firewall.botnetip`**
+:   Botnet IP Address
+
+type: ip
+
+
+**`fortinet.firewall.bssid`**
+:   Service Set ID
+
+type: keyword
+
+
+**`fortinet.firewall.call_id`**
+:   Caller ID
+
+type: keyword
+
+
+**`fortinet.firewall.carrier_ep`**
+:   The FortiOS Carrier end-point identification
+
+type: keyword
+
+
+**`fortinet.firewall.cat`**
+:   DNS category ID
+
+type: integer
+
+
+**`fortinet.firewall.category`**
+:   Authentication category
+
+type: keyword
+
+
+**`fortinet.firewall.cc`**
+:   CC Email Address
+
+type: keyword
+
+
+**`fortinet.firewall.cdrcontent`**
+:   Cdrcontent
+
+type: keyword
+
+
+**`fortinet.firewall.centralnatid`**
+:   Central NAT ID
+
+type: integer
+
+
+**`fortinet.firewall.cert`**
+:   Certificate
+
+type: keyword
+
+
+**`fortinet.firewall.cert-type`**
+:   Certificate type
+
+type: keyword
+
+
+**`fortinet.firewall.certhash`**
+:   Certificate hash
+
+type: keyword
+
+
+**`fortinet.firewall.cfgattr`**
+:   Configuration attribute
+
+type: keyword
+
+
+**`fortinet.firewall.cfgobj`**
+:   Configuration object
+
+type: keyword
+
+
+**`fortinet.firewall.cfgpath`**
+:   Configuration path
+
+type: keyword
+
+
+**`fortinet.firewall.cfgtid`**
+:   Configuration transaction ID
+
+type: keyword
+
+
+**`fortinet.firewall.cfgtxpower`**
+:   Configuration TX power
+
+type: integer
+
+
+**`fortinet.firewall.channel`**
+:   Wireless Channel
+
+type: integer
+
+
+**`fortinet.firewall.channeltype`**
+:   SSH channel type
+
+type: keyword
+
+
+**`fortinet.firewall.chassisid`**
+:   Chassis ID
+
+type: integer
+
+
+**`fortinet.firewall.checksum`**
+:   The checksum of the scanned file
+
+type: keyword
+
+
+**`fortinet.firewall.chgheaders`**
+:   HTTP Headers
+
+type: keyword
+
+
+**`fortinet.firewall.cldobjid`**
+:   Connector object ID
+
+type: keyword
+
+
+**`fortinet.firewall.client_addr`**
+:   Wifi client address
+
+type: keyword
+
+
+**`fortinet.firewall.cloudaction`**
+:   Cloud Action
+
+type: keyword
+
+
+**`fortinet.firewall.clouduser`**
+:   Cloud User
+
+type: keyword
+
+
+**`fortinet.firewall.column`**
+:   VOIP Column
+
+type: integer
+
+
+**`fortinet.firewall.command`**
+:   CLI Command
+
+type: keyword
+
+
+**`fortinet.firewall.community`**
+:   SNMP Community
+
+type: keyword
+
+
+**`fortinet.firewall.configcountry`**
+:   Configuration country
+
+type: keyword
+
+
+**`fortinet.firewall.connection_type`**
+:   FortiClient Connection Type
+
+type: keyword
+
+
+**`fortinet.firewall.conserve`**
+:   Flag for conserve mode
+
+type: keyword
+
+
+**`fortinet.firewall.constraint`**
+:   WAF http protocol restrictions
+
+type: keyword
+
+
+**`fortinet.firewall.contentdisarmed`**
+:   Email scanned content
+
+type: keyword
+
+
+**`fortinet.firewall.contenttype`**
+:   Content Type from HTTP header
+
+type: keyword
+
+
+**`fortinet.firewall.cookies`**
+:   VPN Cookie
+
+type: keyword
+
+
+**`fortinet.firewall.count`**
+:   Counts of action type
+
+type: integer
+
+
+**`fortinet.firewall.countapp`**
+:   Number of App Ctrl logs associated with the session
+
+type: integer
+
+
+**`fortinet.firewall.countav`**
+:   Number of AV logs associated with the session
+
+type: integer
+
+
+**`fortinet.firewall.countcifs`**
+:   Number of CIFS logs associated with the session
+
+type: integer
+
+
+**`fortinet.firewall.countdlp`**
+:   Number of DLP logs associated with the session
+
+type: integer
+
+
+**`fortinet.firewall.countdns`**
+:   Number of DNS logs associated with the session
+
+type: integer
+
+
+**`fortinet.firewall.countemail`**
+:   Number of email logs associated with the session
+
+type: integer
+
+
+**`fortinet.firewall.countff`**
+:   Number of ff logs associated with the session
+
+type: integer
+
+
+**`fortinet.firewall.countips`**
+:   Number of IPS logs associated with the session
+
+type: integer
+
+
+**`fortinet.firewall.countssh`**
+:   Number of SSH logs associated with the session
+
+type: integer
+
+
+**`fortinet.firewall.countssl`**
+:   Number of SSL logs associated with the session
+
+type: integer
+
+
+**`fortinet.firewall.countwaf`**
+:   Number of WAF logs associated with the session
+
+type: integer
+
+
+**`fortinet.firewall.countweb`**
+:   Number of Web filter logs associated with the session
+
+type: integer
+
+
+**`fortinet.firewall.cpu`**
+:   CPU Usage
+
+type: integer
+
+
+**`fortinet.firewall.craction`**
+:   Client Reputation Action
+
+type: integer
+
+
+**`fortinet.firewall.criticalcount`**
+:   Number of critical ratings
+
+type: integer
+
+
+**`fortinet.firewall.crl`**
+:   Client Reputation Level
+
+type: keyword
+
+
+**`fortinet.firewall.crlevel`**
+:   Client Reputation Level
+
+type: keyword
+
+
+**`fortinet.firewall.crscore`**
+:   Some description
+
+type: integer
+
+
+**`fortinet.firewall.cveid`**
+:   CVE ID
+
+type: keyword
+
+
+**`fortinet.firewall.daemon`**
+:   Daemon name
+
+type: keyword
+
+
+**`fortinet.firewall.datarange`**
+:   Data range for reports
+
+type: keyword
+
+
+**`fortinet.firewall.date`**
+:   Date
+
+type: keyword
+
+
+**`fortinet.firewall.ddnsserver`**
+:   DDNS server
+
+type: ip
+
+
+**`fortinet.firewall.desc`**
+:   Description
+
+type: keyword
+
+
+**`fortinet.firewall.detectionmethod`**
+:   Detection method
+
+type: keyword
+
+
+**`fortinet.firewall.devcategory`**
+:   Device category
+
+type: keyword
+
+
+**`fortinet.firewall.devintfname`**
+:   HA device Interface Name
+
+type: keyword
+
+
+**`fortinet.firewall.devtype`**
+:   Device type
+
+type: keyword
+
+
+**`fortinet.firewall.dhcp_msg`**
+:   DHCP Message
+
+type: keyword
+
+
+**`fortinet.firewall.dintf`**
+:   Destination interface
+
+type: keyword
+
+
+**`fortinet.firewall.disk`**
+:   Assosciated disk
+
+type: keyword
+
+
+**`fortinet.firewall.disklograte`**
+:   Disk logging rate
+
+type: long
+
+
+**`fortinet.firewall.dlpextra`**
+:   DLP extra information
+
+type: keyword
+
+
+**`fortinet.firewall.docsource`**
+:   DLP fingerprint document source
+
+type: keyword
+
+
+**`fortinet.firewall.domainctrlauthstate`**
+:   CIFS domain auth state
+
+type: integer
+
+
+**`fortinet.firewall.domainctrlauthtype`**
+:   CIFS domain auth type
+
+type: integer
+
+
+**`fortinet.firewall.domainctrldomain`**
+:   CIFS domain auth domain
+
+type: keyword
+
+
+**`fortinet.firewall.domainctrlip`**
+:   CIFS Domain IP
+
+type: ip
+
+
+**`fortinet.firewall.domainctrlname`**
+:   CIFS Domain name
+
+type: keyword
+
+
+**`fortinet.firewall.domainctrlprotocoltype`**
+:   CIFS Domain connection protocol
+
+type: integer
+
+
+**`fortinet.firewall.domainctrlusername`**
+:   CIFS Domain username
+
+type: keyword
+
+
+**`fortinet.firewall.domainfilteridx`**
+:   Domain filter ID
+
+type: integer
+
+
+**`fortinet.firewall.domainfilterlist`**
+:   Domain filter name
+
+type: keyword
+
+
+**`fortinet.firewall.ds`**
+:   Direction with distribution system
+
+type: keyword
+
+
+**`fortinet.firewall.dst_int`**
+:   Destination interface
+
+type: keyword
+
+
+**`fortinet.firewall.dstintfrole`**
+:   Destination interface role
+
+type: keyword
+
+
+**`fortinet.firewall.dstcountry`**
+:   Destination country
+
+type: keyword
+
+
+**`fortinet.firewall.dstdevcategory`**
+:   Destination device category
+
+type: keyword
+
+
+**`fortinet.firewall.dstdevtype`**
+:   Destination device type
+
+type: keyword
+
+
+**`fortinet.firewall.dstfamily`**
+:   Destination OS family
+
+type: keyword
+
+
+**`fortinet.firewall.dsthwvendor`**
+:   Destination HW vendor
+
+type: keyword
+
+
+**`fortinet.firewall.dsthwversion`**
+:   Destination HW version
+
+type: keyword
+
+
+**`fortinet.firewall.dstinetsvc`**
+:   Destination interface service
+
+type: keyword
+
+
+**`fortinet.firewall.dstosname`**
+:   Destination OS name
+
+type: keyword
+
+
+**`fortinet.firewall.dstosversion`**
+:   Destination OS version
+
+type: keyword
+
+
+**`fortinet.firewall.dstserver`**
+:   Destination server
+
+type: integer
+
+
+**`fortinet.firewall.dstssid`**
+:   Destination SSID
+
+type: keyword
+
+
+**`fortinet.firewall.dstswversion`**
+:   Destination software version
+
+type: keyword
+
+
+**`fortinet.firewall.dstunauthusersource`**
+:   Destination unauthenticated source
+
+type: keyword
+
+
+**`fortinet.firewall.dstuuid`**
+:   UUID of the Destination IP address
+
+type: keyword
+
+
+**`fortinet.firewall.duid`**
+:   DHCP UID
+
+type: keyword
+
+
+**`fortinet.firewall.eapolcnt`**
+:   EAPOL packet count
+
+type: integer
+
+
+**`fortinet.firewall.eapoltype`**
+:   EAPOL packet type
+
+type: keyword
+
+
+**`fortinet.firewall.encrypt`**
+:   Whether the packet is encrypted or not
+
+type: integer
+
+
+**`fortinet.firewall.encryption`**
+:   Encryption method
+
+type: keyword
+
+
+**`fortinet.firewall.epoch`**
+:   Epoch used for locating file
+
+type: integer
+
+
+**`fortinet.firewall.espauth`**
+:   ESP Authentication
+
+type: keyword
+
+
+**`fortinet.firewall.esptransform`**
+:   ESP Transform
+
+type: keyword
+
+
+**`fortinet.firewall.eventtype`**
+:   UTM Event Type
+
+type: keyword
+
+
+**`fortinet.firewall.exch`**
+:   Mail Exchanges from DNS response answer section
+
+type: keyword
+
+
+**`fortinet.firewall.exchange`**
+:   Mail Exchanges from DNS response answer section
+
+type: keyword
+
+
+**`fortinet.firewall.expectedsignature`**
+:   Expected SSL signature
+
+type: keyword
+
+
+**`fortinet.firewall.expiry`**
+:   FortiGuard override expiry timestamp
+
+type: keyword
+
+
+**`fortinet.firewall.fams_pause`**
+:   Fortinet Analysis and Management Service Pause
+
+type: integer
+
+
+**`fortinet.firewall.fazlograte`**
+:   FortiAnalyzer Logging Rate
+
+type: long
+
+
+**`fortinet.firewall.fctemssn`**
+:   FortiClient Endpoint SSN
+
+type: keyword
+
+
+**`fortinet.firewall.fctuid`**
+:   FortiClient UID
+
+type: keyword
+
+
+**`fortinet.firewall.field`**
+:   NTP status field
+
+type: keyword
+
+
+**`fortinet.firewall.filefilter`**
+:   The filter used to identify the affected file
+
+type: keyword
+
+
+**`fortinet.firewall.filehashsrc`**
+:   Filehash source
+
+type: keyword
+
+
+**`fortinet.firewall.filtercat`**
+:   DLP filter category
+
+type: keyword
+
+
+**`fortinet.firewall.filteridx`**
+:   DLP filter ID
+
+type: integer
+
+
+**`fortinet.firewall.filtername`**
+:   DLP rule name
+
+type: keyword
+
+
+**`fortinet.firewall.filtertype`**
+:   DLP filter type
+
+type: keyword
+
+
+**`fortinet.firewall.fortiguardresp`**
+:   Antispam ESP value
+
+type: keyword
+
+
+**`fortinet.firewall.forwardedfor`**
+:   Email address forwarded
+
+type: keyword
+
+
+**`fortinet.firewall.fqdn`**
+:   FQDN
+
+type: keyword
+
+
+**`fortinet.firewall.frametype`**
+:   Wireless frametype
+
+type: keyword
+
+
+**`fortinet.firewall.freediskstorage`**
+:   Free disk integer
+
+type: integer
+
+
+**`fortinet.firewall.from`**
+:   From email address
+
+type: keyword
+
+
+**`fortinet.firewall.from_vcluster`**
+:   Source virtual cluster number
+
+type: integer
+
+
+**`fortinet.firewall.fsaverdict`**
+:   FSA verdict
+
+type: keyword
+
+
+**`fortinet.firewall.fwserver_name`**
+:   Web proxy server name
+
+type: keyword
+
+
+**`fortinet.firewall.gateway`**
+:   Gateway ip address for PPPoE status report
+
+type: ip
+
+
+**`fortinet.firewall.green`**
+:   Memory status
+
+type: keyword
+
+
+**`fortinet.firewall.groupid`**
+:   User Group ID
+
+type: integer
+
+
+**`fortinet.firewall.ha-prio`**
+:   HA Priority
+
+type: integer
+
+
+**`fortinet.firewall.ha_group`**
+:   HA Group
+
+type: keyword
+
+
+**`fortinet.firewall.ha_role`**
+:   HA Role
+
+type: keyword
+
+
+**`fortinet.firewall.handshake`**
+:   SSL Handshake
+
+type: keyword
+
+
+**`fortinet.firewall.hash`**
+:   Hash value of downloaded file
+
+type: keyword
+
+
+**`fortinet.firewall.hbdn_reason`**
+:   Heartbeat down reason
+
+type: keyword
+
+
+**`fortinet.firewall.highcount`**
+:   Highcount fabric summary
+
+type: integer
+
+
+**`fortinet.firewall.host`**
+:   Hostname
+
+type: keyword
+
+
+**`fortinet.firewall.iaid`**
+:   DHCPv6 id
+
+type: keyword
+
+
+**`fortinet.firewall.icmpcode`**
+:   Destination Port of the ICMP message
+
+type: keyword
+
+
+**`fortinet.firewall.icmpid`**
+:   Source port of the ICMP message
+
+type: keyword
+
+
+**`fortinet.firewall.icmptype`**
+:   The type of ICMP message
+
+type: keyword
+
+
+**`fortinet.firewall.identifier`**
+:   Network traffic identifier
+
+type: integer
+
+
+**`fortinet.firewall.in_spi`**
+:   IPSEC inbound SPI
+
+type: keyword
+
+
+**`fortinet.firewall.incidentserialno`**
+:   Incident serial number
+
+type: integer
+
+
+**`fortinet.firewall.infected`**
+:   Infected MMS
+
+type: integer
+
+
+**`fortinet.firewall.infectedfilelevel`**
+:   DLP infected file level
+
+type: integer
+
+
+**`fortinet.firewall.informationsource`**
+:   Information source
+
+type: keyword
+
+
+**`fortinet.firewall.init`**
+:   IPSEC init stage
+
+type: keyword
+
+
+**`fortinet.firewall.initiator`**
+:   Original login user name for Fortiguard override
+
+type: keyword
+
+
+**`fortinet.firewall.interface`**
+:   Related interface
+
+type: keyword
+
+
+**`fortinet.firewall.intf`**
+:   Related interface
+
+type: keyword
+
+
+**`fortinet.firewall.invalidmac`**
+:   The MAC address with invalid OUI
+
+type: keyword
+
+
+**`fortinet.firewall.ip`**
+:   Related IP
+
+type: ip
+
+
+**`fortinet.firewall.iptype`**
+:   Related IP type
+
+type: keyword
+
+
+**`fortinet.firewall.keyword`**
+:   Keyword used for search
+
+type: keyword
+
+
+**`fortinet.firewall.kind`**
+:   VOIP kind
+
+type: keyword
+
+
+**`fortinet.firewall.lanin`**
+:   LAN incoming traffic in bytes
+
+type: long
+
+
+**`fortinet.firewall.lanout`**
+:   LAN outbound traffic in bytes
+
+type: long
+
+
+**`fortinet.firewall.lease`**
+:   DHCP lease
+
+type: integer
+
+
+**`fortinet.firewall.license_limit`**
+:   Maximum Number of FortiClients for the License
+
+type: keyword
+
+
+**`fortinet.firewall.limit`**
+:   Virtual Domain Resource Limit
+
+type: integer
+
+
+**`fortinet.firewall.line`**
+:   VOIP line
+
+type: keyword
+
+
+**`fortinet.firewall.live`**
+:   Time in seconds
+
+type: integer
+
+
+**`fortinet.firewall.local`**
+:   Local IP for a PPPD Connection
+
+type: ip
+
+
+**`fortinet.firewall.log`**
+:   Log message
+
+type: keyword
+
+
+**`fortinet.firewall.login`**
+:   SSH login
+
+type: keyword
+
+
+**`fortinet.firewall.lowcount`**
+:   Fabric lowcount
+
+type: integer
+
+
+**`fortinet.firewall.mac`**
+:   DHCP mac address
+
+type: keyword
+
+
+**`fortinet.firewall.malform_data`**
+:   VOIP malformed data
+
+type: integer
+
+
+**`fortinet.firewall.malform_desc`**
+:   VOIP malformed data description
+
+type: keyword
+
+
+**`fortinet.firewall.manuf`**
+:   Manufacturer name
+
+type: keyword
+
+
+**`fortinet.firewall.masterdstmac`**
+:   Master mac address for a host with multiple network interfaces
+
+type: keyword
+
+
+**`fortinet.firewall.mastersrcmac`**
+:   The master MAC address for a host that has multiple network interfaces
+
+type: keyword
+
+
+**`fortinet.firewall.mediumcount`**
+:   Fabric medium count
+
+type: integer
+
+
+**`fortinet.firewall.mem`**
+:   Memory usage system statistics
+
+type: integer
+
+
+**`fortinet.firewall.meshmode`**
+:   Wireless mesh mode
+
+type: keyword
+
+
+**`fortinet.firewall.message_type`**
+:   VOIP message type
+
+type: keyword
+
+
+**`fortinet.firewall.method`**
+:   HTTP method
+
+type: keyword
+
+
+**`fortinet.firewall.mgmtcnt`**
+:   The number of unauthorized client flooding managemet frames
+
+type: integer
+
+
+**`fortinet.firewall.mode`**
+:   IPSEC mode
+
+type: keyword
+
+
+**`fortinet.firewall.module`**
+:   PCI-DSS module
+
+type: keyword
+
+
+**`fortinet.firewall.monitor-name`**
+:   Health Monitor Name
+
+type: keyword
+
+
+**`fortinet.firewall.monitor-type`**
+:   Health Monitor Type
+
+type: keyword
+
+
+**`fortinet.firewall.mpsk`**
+:   Wireless MPSK
+
+type: keyword
+
+
+**`fortinet.firewall.msgproto`**
+:   Message Protocol Number
+
+type: keyword
+
+
+**`fortinet.firewall.mtu`**
+:   Max Transmission Unit Value
+
+type: integer
+
+
+**`fortinet.firewall.name`**
+:   Name
+
+type: keyword
+
+
+**`fortinet.firewall.nat`**
+:   NAT IP Address
+
+type: keyword
+
+
+**`fortinet.firewall.netid`**
+:   Connector NetID
+
+type: keyword
+
+
+**`fortinet.firewall.new_status`**
+:   New status on user change
+
+type: keyword
+
+
+**`fortinet.firewall.new_value`**
+:   New Virtual Domain Name
+
+type: keyword
+
+
+**`fortinet.firewall.newchannel`**
+:   New Channel Number
+
+type: integer
+
+
+**`fortinet.firewall.newchassisid`**
+:   New Chassis ID
+
+type: integer
+
+
+**`fortinet.firewall.newslot`**
+:   New Slot Number
+
+type: integer
+
+
+**`fortinet.firewall.nextstat`**
+:   Time interval in seconds for the next statistics.
+
+type: integer
+
+
+**`fortinet.firewall.nf_type`**
+:   Notification Type
+
+type: keyword
+
+
+**`fortinet.firewall.noise`**
+:   Wifi Noise
+
+type: integer
+
+
+**`fortinet.firewall.old_status`**
+:   Original Status
+
+type: keyword
+
+
+**`fortinet.firewall.old_value`**
+:   Original Virtual Domain name
+
+type: keyword
+
+
+**`fortinet.firewall.oldchannel`**
+:   Original channel
+
+type: integer
+
+
+**`fortinet.firewall.oldchassisid`**
+:   Original Chassis Number
+
+type: integer
+
+
+**`fortinet.firewall.oldslot`**
+:   Original Slot Number
+
+type: integer
+
+
+**`fortinet.firewall.oldsn`**
+:   Old Serial number
+
+type: keyword
+
+
+**`fortinet.firewall.oldwprof`**
+:   Old Web Filter Profile
+
+type: keyword
+
+
+**`fortinet.firewall.onwire`**
+:   A flag to indicate if the AP is onwire or not
+
+type: keyword
+
+
+**`fortinet.firewall.opercountry`**
+:   Operating Country
+
+type: keyword
+
+
+**`fortinet.firewall.opertxpower`**
+:   Operating TX power
+
+type: integer
+
+
+**`fortinet.firewall.osname`**
+:   Operating System name
+
+type: keyword
+
+
+**`fortinet.firewall.osversion`**
+:   Operating System version
+
+type: keyword
+
+
+**`fortinet.firewall.out_spi`**
+:   Out SPI
+
+type: keyword
+
+
+**`fortinet.firewall.outintf`**
+:   Out interface
+
+type: keyword
+
+
+**`fortinet.firewall.passedcount`**
+:   Fabric passed count
+
+type: integer
+
+
+**`fortinet.firewall.passwd`**
+:   Changed user password information
+
+type: keyword
+
+
+**`fortinet.firewall.path`**
+:   Path of looped configuration for security fabric
+
+type: keyword
+
+
+**`fortinet.firewall.peer`**
+:   WAN optimization peer
+
+type: keyword
+
+
+**`fortinet.firewall.peer_notif`**
+:   VPN peer notification
+
+type: keyword
+
+
+**`fortinet.firewall.phase2_name`**
+:   VPN phase2 name
+
+type: keyword
+
+
+**`fortinet.firewall.phone`**
+:   VOIP Phone
+
+type: keyword
+
+
+**`fortinet.firewall.pid`**
+:   Process ID
+
+type: integer
+
+
+**`fortinet.firewall.policytype`**
+:   Policy Type
+
+type: keyword
+
+
+**`fortinet.firewall.poolname`**
+:   IP Pool name
+
+type: keyword
+
+
+**`fortinet.firewall.port`**
+:   Log upload error port
+
+type: integer
+
+
+**`fortinet.firewall.portbegin`**
+:   IP Pool port number to begin
+
+type: integer
+
+
+**`fortinet.firewall.portend`**
+:   IP Pool port number to end
+
+type: integer
+
+
+**`fortinet.firewall.probeproto`**
+:   Link Monitor Probe Protocol
+
+type: keyword
+
+
+**`fortinet.firewall.process`**
+:   URL Filter process
+
+type: keyword
+
+
+**`fortinet.firewall.processtime`**
+:   Process time for reports
+
+type: integer
+
+
+**`fortinet.firewall.profile`**
+:   Profile Name
+
+type: keyword
+
+
+**`fortinet.firewall.profile_vd`**
+:   Virtual Domain Name
+
+type: keyword
+
+
+**`fortinet.firewall.profilegroup`**
+:   Profile Group Name
+
+type: keyword
+
+
+**`fortinet.firewall.profiletype`**
+:   Profile Type
+
+type: keyword
+
+
+**`fortinet.firewall.qtypeval`**
+:   DNS question type value
+
+type: integer
+
+
+**`fortinet.firewall.quarskip`**
+:   Quarantine skip explanation
+
+type: keyword
+
+
+**`fortinet.firewall.quotaexceeded`**
+:   If quota has been exceeded
+
+type: keyword
+
+
+**`fortinet.firewall.quotamax`**
+:   Maximum quota allowed - in seconds if time-based - in bytes if traffic-based
+
+type: long
+
+
+**`fortinet.firewall.quotatype`**
+:   Quota type
+
+type: keyword
+
+
+**`fortinet.firewall.quotaused`**
+:   Quota used - in seconds if time-based - in bytes if trafficbased)
+
+type: long
+
+
+**`fortinet.firewall.radioband`**
+:   Radio band
+
+type: keyword
+
+
+**`fortinet.firewall.radioid`**
+:   Radio ID
+
+type: integer
+
+
+**`fortinet.firewall.radioidclosest`**
+:   Radio ID on the AP closest the rogue AP
+
+type: integer
+
+
+**`fortinet.firewall.radioiddetected`**
+:   Radio ID on the AP which detected the rogue AP
+
+type: integer
+
+
+**`fortinet.firewall.rate`**
+:   Wireless rogue rate value
+
+type: keyword
+
+
+**`fortinet.firewall.rawdata`**
+:   Raw data value
+
+type: keyword
+
+
+**`fortinet.firewall.rawdataid`**
+:   Raw data ID
+
+type: keyword
+
+
+**`fortinet.firewall.rcvddelta`**
+:   Received bytes delta
+
+type: keyword
+
+
+**`fortinet.firewall.reason`**
+:   Alert reason
+
+type: keyword
+
+
+**`fortinet.firewall.received`**
+:   Server key exchange received
+
+type: integer
+
+
+**`fortinet.firewall.receivedsignature`**
+:   Server key exchange received signature
+
+type: keyword
+
+
+**`fortinet.firewall.red`**
+:   Memory information in red
+
+type: keyword
+
+
+**`fortinet.firewall.referralurl`**
+:   Web filter referralurl
+
+type: keyword
+
+
+**`fortinet.firewall.remote`**
+:   Remote PPP IP address
+
+type: ip
+
+
+**`fortinet.firewall.remotewtptime`**
+:   Remote Wifi Radius authentication time
+
+type: keyword
+
+
+**`fortinet.firewall.reporttype`**
+:   Report type
+
+type: keyword
+
+
+**`fortinet.firewall.reqtype`**
+:   Request type
+
+type: keyword
+
+
+**`fortinet.firewall.request_name`**
+:   VOIP request name
+
+type: keyword
+
+
+**`fortinet.firewall.result`**
+:   VPN phase result
+
+type: keyword
+
+
+**`fortinet.firewall.role`**
+:   VPN Phase 2 role
+
+type: keyword
+
+
+**`fortinet.firewall.rssi`**
+:   Received signal strength indicator
+
+type: integer
+
+
+**`fortinet.firewall.rsso_key`**
+:   RADIUS SSO attribute value
+
+type: keyword
+
+
+**`fortinet.firewall.ruledata`**
+:   Rule data
+
+type: keyword
+
+
+**`fortinet.firewall.ruletype`**
+:   Rule type
+
+type: keyword
+
+
+**`fortinet.firewall.scanned`**
+:   Number of Scanned MMSs
+
+type: integer
+
+
+**`fortinet.firewall.scantime`**
+:   Scanned time
+
+type: long
+
+
+**`fortinet.firewall.scope`**
+:   FortiGuard Override Scope
+
+type: keyword
+
+
+**`fortinet.firewall.security`**
+:   Wireless rogue security
+
+type: keyword
+
+
+**`fortinet.firewall.sensitivity`**
+:   Sensitivity for document fingerprint
+
+type: keyword
+
+
+**`fortinet.firewall.sensor`**
+:   NAC Sensor Name
+
+type: keyword
+
+
+**`fortinet.firewall.sentdelta`**
+:   Sent bytes delta
+
+type: keyword
+
+
+**`fortinet.firewall.seq`**
+:   Sequence number
+
+type: keyword
+
+
+**`fortinet.firewall.serial`**
+:   WAN optimisation serial
+
+type: keyword
+
+
+**`fortinet.firewall.serialno`**
+:   Serial number
+
+type: keyword
+
+
+**`fortinet.firewall.server`**
+:   AD server FQDN or IP
+
+type: keyword
+
+
+**`fortinet.firewall.session_id`**
+:   Session ID
+
+type: keyword
+
+
+**`fortinet.firewall.sessionid`**
+:   WAD Session ID
+
+type: integer
+
+
+**`fortinet.firewall.setuprate`**
+:   Session Setup Rate
+
+type: long
+
+
+**`fortinet.firewall.severity`**
+:   Severity
+
+type: keyword
+
+
+**`fortinet.firewall.shaperdroprcvdbyte`**
+:   Received bytes dropped by shaper
+
+type: integer
+
+
+**`fortinet.firewall.shaperdropsentbyte`**
+:   Sent bytes dropped by shaper
+
+type: integer
+
+
+**`fortinet.firewall.shaperperipdropbyte`**
+:   Dropped bytes per IP by shaper
+
+type: integer
+
+
+**`fortinet.firewall.shaperperipname`**
+:   Traffic shaper name (per IP)
+
+type: keyword
+
+
+**`fortinet.firewall.shaperrcvdname`**
+:   Traffic shaper name for received traffic
+
+type: keyword
+
+
+**`fortinet.firewall.shapersentname`**
+:   Traffic shaper name for sent traffic
+
+type: keyword
+
+
+**`fortinet.firewall.shapingpolicyid`**
+:   Traffic shaper policy ID
+
+type: integer
+
+
+**`fortinet.firewall.signal`**
+:   Wireless rogue API signal
+
+type: integer
+
+
+**`fortinet.firewall.size`**
+:   Email size in bytes
+
+type: long
+
+
+**`fortinet.firewall.slot`**
+:   Slot number
+
+type: integer
+
+
+**`fortinet.firewall.sn`**
+:   Security fabric serial number
+
+type: keyword
+
+
+**`fortinet.firewall.snclosest`**
+:   SN of the AP closest to the rogue AP
+
+type: keyword
+
+
+**`fortinet.firewall.sndetected`**
+:   SN of the AP which detected the rogue AP
+
+type: keyword
+
+
+**`fortinet.firewall.snmeshparent`**
+:   SN of the mesh parent
+
+type: keyword
+
+
+**`fortinet.firewall.spi`**
+:   IPSEC SPI
+
+type: keyword
+
+
+**`fortinet.firewall.src_int`**
+:   Source interface
+
+type: keyword
+
+
+**`fortinet.firewall.srcintfrole`**
+:   Source interface role
+
+type: keyword
+
+
+**`fortinet.firewall.srccountry`**
+:   Source country
+
+type: keyword
+
+
+**`fortinet.firewall.srcfamily`**
+:   Source family
+
+type: keyword
+
+
+**`fortinet.firewall.srchwvendor`**
+:   Source hardware vendor
+
+type: keyword
+
+
+**`fortinet.firewall.srchwversion`**
+:   Source hardware version
+
+type: keyword
+
+
+**`fortinet.firewall.srcinetsvc`**
+:   Source interface service
+
+type: keyword
+
+
+**`fortinet.firewall.srcname`**
+:   Source name
+
+type: keyword
+
+
+**`fortinet.firewall.srcserver`**
+:   Source server
+
+type: integer
+
+
+**`fortinet.firewall.srcssid`**
+:   Source SSID
+
+type: keyword
+
+
+**`fortinet.firewall.srcswversion`**
+:   Source software version
+
+type: keyword
+
+
+**`fortinet.firewall.srcuuid`**
+:   Source UUID
+
+type: keyword
+
+
+**`fortinet.firewall.sscname`**
+:   SSC name
+
+type: keyword
+
+
+**`fortinet.firewall.ssid`**
+:   Base Service Set ID
+
+type: keyword
+
+
+**`fortinet.firewall.sslaction`**
+:   SSL Action
+
+type: keyword
+
+
+**`fortinet.firewall.ssllocal`**
+:   WAD SSL local
+
+type: keyword
+
+
+**`fortinet.firewall.sslremote`**
+:   WAD SSL remote
+
+type: keyword
+
+
+**`fortinet.firewall.stacount`**
+:   Number of stations/clients
+
+type: integer
+
+
+**`fortinet.firewall.stage`**
+:   IPSEC stage
+
+type: keyword
+
+
+**`fortinet.firewall.stamac`**
+:   802.1x station mac
+
+type: keyword
+
+
+**`fortinet.firewall.state`**
+:   Admin login state
+
+type: keyword
+
+
+**`fortinet.firewall.status`**
+:   Status
+
+type: keyword
+
+
+**`fortinet.firewall.stitch`**
+:   Automation stitch triggered
+
+type: keyword
+
+
+**`fortinet.firewall.subject`**
+:   Email subject
+
+type: keyword
+
+
+**`fortinet.firewall.submodule`**
+:   Configuration Sub-Module Name
+
+type: keyword
+
+
+**`fortinet.firewall.subservice`**
+:   AV subservice
+
+type: keyword
+
+
+**`fortinet.firewall.subtype`**
+:   Log subtype
+
+type: keyword
+
+
+**`fortinet.firewall.suspicious`**
+:   Number of Suspicious MMSs
+
+type: integer
+
+
+**`fortinet.firewall.switchproto`**
+:   Protocol change information
+
+type: keyword
+
+
+**`fortinet.firewall.sync_status`**
+:   The sync status with the master
+
+type: keyword
+
+
+**`fortinet.firewall.sync_type`**
+:   The sync type with the master
+
+type: keyword
+
+
+**`fortinet.firewall.sysuptime`**
+:   System uptime
+
+type: keyword
+
+
+**`fortinet.firewall.tamac`**
+:   the MAC address of Transmitter, if none, then Receiver
+
+type: keyword
+
+
+**`fortinet.firewall.threattype`**
+:   WIDS threat type
+
+type: keyword
+
+
+**`fortinet.firewall.time`**
+:   Time of the event
+
+type: keyword
+
+
+**`fortinet.firewall.to`**
+:   Email to field
+
+type: keyword
+
+
+**`fortinet.firewall.to_vcluster`**
+:   destination virtual cluster number
+
+type: integer
+
+
+**`fortinet.firewall.total`**
+:   Total memory
+
+type: integer
+
+
+**`fortinet.firewall.totalsession`**
+:   Total Number of Sessions
+
+type: integer
+
+
+**`fortinet.firewall.trace_id`**
+:   Session clash trace ID
+
+type: keyword
+
+
+**`fortinet.firewall.trandisp`**
+:   NAT translation type
+
+type: keyword
+
+
+**`fortinet.firewall.transid`**
+:   HTTP transaction ID
+
+type: integer
+
+
+**`fortinet.firewall.translationid`**
+:   DNS filter transaltion ID
+
+type: keyword
+
+
+**`fortinet.firewall.trigger`**
+:   Automation stitch trigger
+
+type: keyword
+
+
+**`fortinet.firewall.trueclntip`**
+:   File filter true client IP
+
+type: ip
+
+
+**`fortinet.firewall.tunnelid`**
+:   IPSEC tunnel ID
+
+type: integer
+
+
+**`fortinet.firewall.tunnelip`**
+:   IPSEC tunnel IP
+
+type: ip
+
+
+**`fortinet.firewall.tunneltype`**
+:   IPSEC tunnel type
+
+type: keyword
+
+
+**`fortinet.firewall.type`**
+:   Module type
+
+type: keyword
+
+
+**`fortinet.firewall.ui`**
+:   Admin authentication UI type
+
+type: keyword
+
+
+**`fortinet.firewall.unauthusersource`**
+:   Unauthenticated user source
+
+type: keyword
+
+
+**`fortinet.firewall.unit`**
+:   Power supply unit
+
+type: integer
+
+
+**`fortinet.firewall.urlfilteridx`**
+:   URL filter ID
+
+type: integer
+
+
+**`fortinet.firewall.urlfilterlist`**
+:   URL filter list
+
+type: keyword
+
+
+**`fortinet.firewall.urlsource`**
+:   URL filter source
+
+type: keyword
+
+
+**`fortinet.firewall.urltype`**
+:   URL filter type
+
+type: keyword
+
+
+**`fortinet.firewall.used`**
+:   Number of Used IPs
+
+type: integer
+
+
+**`fortinet.firewall.used_for_type`**
+:   Connection for the type
+
+type: integer
+
+
+**`fortinet.firewall.utmaction`**
+:   Security action performed by UTM
+
+type: keyword
+
+
+**`fortinet.firewall.utmref`**
+:   Reference to UTM
+
+type: keyword
+
+
+**`fortinet.firewall.vap`**
+:   Virtual AP
+
+type: keyword
+
+
+**`fortinet.firewall.vapmode`**
+:   Virtual AP mode
+
+type: keyword
+
+
+**`fortinet.firewall.vcluster`**
+:   virtual cluster id
+
+type: integer
+
+
+**`fortinet.firewall.vcluster_member`**
+:   Virtual cluster member
+
+type: integer
+
+
+**`fortinet.firewall.vcluster_state`**
+:   Virtual cluster state
+
+type: keyword
+
+
+**`fortinet.firewall.vd`**
+:   Virtual Domain Name
+
+type: keyword
+
+
+**`fortinet.firewall.vdname`**
+:   Virtual Domain Name
+
+type: keyword
+
+
+**`fortinet.firewall.vendorurl`**
+:   Vulnerability scan vendor name
+
+type: keyword
+
+
+**`fortinet.firewall.version`**
+:   Version
+
+type: keyword
+
+
+**`fortinet.firewall.vip`**
+:   Virtual IP
+
+type: keyword
+
+
+**`fortinet.firewall.virus`**
+:   Virus name
+
+type: keyword
+
+
+**`fortinet.firewall.virusid`**
+:   Virus ID (unique virus identifier)
+
+type: integer
+
+
+**`fortinet.firewall.voip_proto`**
+:   VOIP protocol
+
+type: keyword
+
+
+**`fortinet.firewall.vpn`**
+:   VPN description
+
+type: keyword
+
+
+**`fortinet.firewall.vpntunnel`**
+:   IPsec Vpn Tunnel Name
+
+type: keyword
+
+
+**`fortinet.firewall.vpntype`**
+:   The type of the VPN tunnel
+
+type: keyword
+
+
+**`fortinet.firewall.vrf`**
+:   VRF number
+
+type: integer
+
+
+**`fortinet.firewall.vulncat`**
+:   Vulnerability Category
+
+type: keyword
+
+
+**`fortinet.firewall.vulnid`**
+:   Vulnerability ID
+
+type: integer
+
+
+**`fortinet.firewall.vulnname`**
+:   Vulnerability name
+
+type: keyword
+
+
+**`fortinet.firewall.vwlid`**
+:   VWL ID
+
+type: integer
+
+
+**`fortinet.firewall.vwlquality`**
+:   VWL quality
+
+type: keyword
+
+
+**`fortinet.firewall.vwlservice`**
+:   VWL service
+
+type: keyword
+
+
+**`fortinet.firewall.vwpvlanid`**
+:   VWP VLAN ID
+
+type: integer
+
+
+**`fortinet.firewall.wanin`**
+:   WAN incoming traffic in bytes
+
+type: long
+
+
+**`fortinet.firewall.wanoptapptype`**
+:   WAN Optimization Application type
+
+type: keyword
+
+
+**`fortinet.firewall.wanout`**
+:   WAN outgoing traffic in bytes
+
+type: long
+
+
+**`fortinet.firewall.weakwepiv`**
+:   Weak Wep Initiation Vector
+
+type: keyword
+
+
+**`fortinet.firewall.xauthgroup`**
+:   XAuth Group Name
+
+type: keyword
+
+
+**`fortinet.firewall.xauthuser`**
+:   XAuth User Name
+
+type: keyword
+
+
+**`fortinet.firewall.xid`**
+:   Wireless X ID
+
+type: integer
+
+
diff --git a/docs/reference/filebeat/exported-fields-gcp.md b/docs/reference/filebeat/exported-fields-gcp.md
new file mode 100644
index 000000000000..b5849d9e4c2c
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-gcp.md
@@ -0,0 +1,377 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-gcp.html
+---
+
+# Google Cloud Platform (GCP) fields [exported-fields-gcp]
+
+Module for handling logs from Google Cloud.
+
+
+## gcp [_gcp]
+
+Fields from Google Cloud logs.
+
+
+## destination.instance [_destination_instance]
+
+If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.
+
+**`gcp.destination.instance.project_id`**
+:   ID of the project containing the VM.
+
+type: keyword
+
+
+**`gcp.destination.instance.region`**
+:   Region of the VM.
+
+type: keyword
+
+
+**`gcp.destination.instance.zone`**
+:   Zone of the VM.
+
+type: keyword
+
+
+
+## destination.vpc [_destination_vpc]
+
+If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.
+
+**`gcp.destination.vpc.project_id`**
+:   ID of the project containing the VM.
+
+type: keyword
+
+
+**`gcp.destination.vpc.vpc_name`**
+:   VPC on which the VM is operating.
+
+type: keyword
+
+
+**`gcp.destination.vpc.subnetwork_name`**
+:   Subnetwork on which the VM is operating.
+
+type: keyword
+
+
+
+## source.instance [_source_instance]
+
+If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.
+
+**`gcp.source.instance.project_id`**
+:   ID of the project containing the VM.
+
+type: keyword
+
+
+**`gcp.source.instance.region`**
+:   Region of the VM.
+
+type: keyword
+
+
+**`gcp.source.instance.zone`**
+:   Zone of the VM.
+
+type: keyword
+
+
+
+## source.vpc [_source_vpc]
+
+If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.
+
+**`gcp.source.vpc.project_id`**
+:   ID of the project containing the VM.
+
+type: keyword
+
+
+**`gcp.source.vpc.vpc_name`**
+:   VPC on which the VM is operating.
+
+type: keyword
+
+
+**`gcp.source.vpc.subnetwork_name`**
+:   Subnetwork on which the VM is operating.
+
+type: keyword
+
+
+
+## audit [_audit_3]
+
+Fields for Google Cloud audit logs.
+
+**`gcp.audit.type`**
+:   Type property.
+
+type: keyword
+
+
+
+## authentication_info [_authentication_info]
+
+Authentication information.
+
+**`gcp.audit.authentication_info.principal_email`**
+:   The email address of the authenticated user making the request.
+
+type: keyword
+
+
+**`gcp.audit.authentication_info.authority_selector`**
+:   The authority selector specified by the requestor, if any. It is not guaranteed  that the principal was allowed to use this authority.
+
+type: keyword
+
+
+**`gcp.audit.authorization_info`**
+:   Authorization information for the operation.
+
+type: array
+
+
+**`gcp.audit.method_name`**
+:   The name of the service method or operation. For API calls, this  should be the name of the API method.  For example, *google.datastore.v1.Datastore.RunQuery*.
+
+type: keyword
+
+
+**`gcp.audit.num_response_items`**
+:   The number of items returned from a List or Query API method, if applicable.
+
+type: long
+
+
+
+## request [_request]
+
+The operation request.
+
+**`gcp.audit.request.proto_name`**
+:   Type property of the request.
+
+type: keyword
+
+
+**`gcp.audit.request.filter`**
+:   Filter of the request.
+
+type: keyword
+
+
+**`gcp.audit.request.name`**
+:   Name of the request.
+
+type: keyword
+
+
+**`gcp.audit.request.resource_name`**
+:   Name of the request resource.
+
+type: keyword
+
+
+
+## request_metadata [_request_metadata]
+
+Metadata about the request.
+
+**`gcp.audit.request_metadata.caller_ip`**
+:   The IP address of the caller.
+
+type: ip
+
+
+**`gcp.audit.request_metadata.caller_supplied_user_agent`**
+:   The user agent of the caller. This information is not authenticated and  should be treated accordingly.
+
+type: keyword
+
+
+
+## response [_response]
+
+The operation response.
+
+**`gcp.audit.response.proto_name`**
+:   Type property of the response.
+
+type: keyword
+
+
+
+## details [_details]
+
+The details of the response.
+
+**`gcp.audit.response.details.group`**
+:   The name of the group.
+
+type: keyword
+
+
+**`gcp.audit.response.details.kind`**
+:   The kind of the response details.
+
+type: keyword
+
+
+**`gcp.audit.response.details.name`**
+:   The name of the response details.
+
+type: keyword
+
+
+**`gcp.audit.response.details.uid`**
+:   The uid of the response details.
+
+type: keyword
+
+
+**`gcp.audit.response.status`**
+:   Status of the response.
+
+type: keyword
+
+
+**`gcp.audit.resource_name`**
+:   The resource or collection that is the target of the operation.  The name is a scheme-less URI, not including the API service name.  For example, *shelves/SHELF_ID/books*.
+
+type: keyword
+
+
+
+## resource_location [_resource_location]
+
+The location of the resource.
+
+**`gcp.audit.resource_location.current_locations`**
+:   Current locations of the resource.
+
+type: keyword
+
+
+**`gcp.audit.service_name`**
+:   The name of the API service performing the operation.  For example, datastore.googleapis.com.
+
+type: keyword
+
+
+
+## status [_status]
+
+The status of the overall operation.
+
+**`gcp.audit.status.code`**
+:   The status code, which should be an enum value of google.rpc.Code.
+
+type: integer
+
+
+**`gcp.audit.status.message`**
+:   A developer-facing error message, which should be in English. Any user-facing  error message should be localized and sent in the google.rpc.Status.details  field, or localized by the client.
+
+type: keyword
+
+
+
+## firewall [_firewall_2]
+
+Fields for Google Cloud Firewall logs.
+
+
+## rule_details [_rule_details]
+
+Description of the firewall rule that matched this connection.
+
+**`gcp.firewall.rule_details.priority`**
+:   The priority for the firewall rule.
+
+type: long
+
+
+**`gcp.firewall.rule_details.action`**
+:   Action that the rule performs on match.
+
+type: keyword
+
+
+**`gcp.firewall.rule_details.direction`**
+:   Direction of traffic that matches this rule.
+
+type: keyword
+
+
+**`gcp.firewall.rule_details.reference`**
+:   Reference to the firewall rule.
+
+type: keyword
+
+
+**`gcp.firewall.rule_details.source_range`**
+:   List of source ranges that the firewall rule applies to.
+
+type: keyword
+
+
+**`gcp.firewall.rule_details.destination_range`**
+:   List of destination ranges that the firewall applies to.
+
+type: keyword
+
+
+**`gcp.firewall.rule_details.source_tag`**
+:   List of all the source tags that the firewall rule applies to.
+
+type: keyword
+
+
+**`gcp.firewall.rule_details.target_tag`**
+:   List of all the target tags that the firewall rule applies to.
+
+type: keyword
+
+
+**`gcp.firewall.rule_details.ip_port_info`**
+:   List of ip protocols and applicable port ranges for rules.
+
+type: array
+
+
+**`gcp.firewall.rule_details.source_service_account`**
+:   List of all the source service accounts that the firewall rule applies to.
+
+type: keyword
+
+
+**`gcp.firewall.rule_details.target_service_account`**
+:   List of all the target service accounts that the firewall rule applies to.
+
+type: keyword
+
+
+
+## vpcflow [_vpcflow_2]
+
+Fields for Google Cloud VPC flow logs.
+
+**`gcp.vpcflow.reporter`**
+:   The side which reported the flow. Can be either *SRC* or *DEST*.
+
+type: keyword
+
+
+**`gcp.vpcflow.rtt.ms`**
+:   Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
+
+type: long
+
+
diff --git a/docs/reference/filebeat/exported-fields-google_workspace.md b/docs/reference/filebeat/exported-fields-google_workspace.md
new file mode 100644
index 000000000000..6fa5fefbd3f0
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-google_workspace.md
@@ -0,0 +1,802 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-google_workspace.html
+---
+
+# google_workspace fields [exported-fields-google_workspace]
+
+Google Workspace Module
+
+
+## google_workspace [_google_workspace]
+
+Google Workspace specific fields. More information about specific fields can be found at [https://developers.google.com/admin-sdk/reports/v1/reference/activities/list](https://developers.google.com/admin-sdk/reports/v1/reference/activities/list)
+
+**`google_workspace.actor.type`**
+:   The type of actor. Values can be: **USER**: Another user in the same domain. **EXTERNAL_USER**: A user outside the domain. **KEY**: A non-human actor.
+
+type: keyword
+
+
+**`google_workspace.actor.key`**
+:   Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts.
+
+type: keyword
+
+
+**`google_workspace.event.type`**
+:   The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at [https://developers.google.com/admin-sdk/reports/v1/reference/activities/list](https://developers.google.com/admin-sdk/reports/v1/reference/activities/list)
+
+type: keyword
+
+example: audit#activity
+
+
+**`google_workspace.kind`**
+:   The type of API resource, mapped from `kind` in the original payload. More details can be found at [https://developers.google.com/admin-sdk/reports/v1/reference/activities/list](https://developers.google.com/admin-sdk/reports/v1/reference/activities/list)
+
+type: keyword
+
+example: audit#activity
+
+
+**`google_workspace.organization.domain`**
+:   The domain that is affected by the report’s event.
+
+type: keyword
+
+
+**`google_workspace.admin.application.edition`**
+:   The Google Workspace edition.
+
+type: keyword
+
+
+**`google_workspace.admin.application.name`**
+:   The application’s name.
+
+type: keyword
+
+
+**`google_workspace.admin.application.enabled`**
+:   The enabled application.
+
+type: keyword
+
+
+**`google_workspace.admin.application.licences_order_number`**
+:   Order number used to redeem licenses.
+
+type: keyword
+
+
+**`google_workspace.admin.application.licences_purchased`**
+:   Number of licences purchased.
+
+type: keyword
+
+
+**`google_workspace.admin.application.id`**
+:   The application ID.
+
+type: keyword
+
+
+**`google_workspace.admin.application.asp_id`**
+:   The application specific password ID.
+
+type: keyword
+
+
+**`google_workspace.admin.application.package_id`**
+:   The mobile application package ID.
+
+type: keyword
+
+
+**`google_workspace.admin.group.email`**
+:   The group’s primary email address.
+
+type: keyword
+
+
+**`google_workspace.admin.new_value`**
+:   The new value for the setting.
+
+type: keyword
+
+
+**`google_workspace.admin.old_value`**
+:   The old value for the setting.
+
+type: keyword
+
+
+**`google_workspace.admin.org_unit.name`**
+:   The organizational unit name.
+
+type: keyword
+
+
+**`google_workspace.admin.org_unit.full`**
+:   The org unit full path including the root org unit name.
+
+type: keyword
+
+
+**`google_workspace.admin.setting.name`**
+:   The setting name.
+
+type: keyword
+
+
+**`google_workspace.admin.user_defined_setting.name`**
+:   The name of the user-defined setting.
+
+type: keyword
+
+
+**`google_workspace.admin.setting.description`**
+:   The setting name.
+
+type: keyword
+
+
+**`google_workspace.admin.group.priorities`**
+:   Group priorities.
+
+type: keyword
+
+
+**`google_workspace.admin.domain.alias`**
+:   The domain alias.
+
+type: keyword
+
+
+**`google_workspace.admin.domain.name`**
+:   The primary domain name.
+
+type: keyword
+
+
+**`google_workspace.admin.domain.secondary_name`**
+:   The secondary domain name.
+
+type: keyword
+
+
+**`google_workspace.admin.managed_configuration`**
+:   The name of the managed configuration.
+
+type: keyword
+
+
+**`google_workspace.admin.non_featured_services_selection`**
+:   Non-featured services selection. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED)
+
+type: keyword
+
+
+**`google_workspace.admin.field`**
+:   The name of the field.
+
+type: keyword
+
+
+**`google_workspace.admin.resource.id`**
+:   The name of the resource identifier.
+
+type: keyword
+
+
+**`google_workspace.admin.user.email`**
+:   The user’s primary email address.
+
+type: keyword
+
+
+**`google_workspace.admin.user.nickname`**
+:   The user’s nickname.
+
+type: keyword
+
+
+**`google_workspace.admin.user.birthdate`**
+:   The user’s birth date.
+
+type: date
+
+
+**`google_workspace.admin.gateway.name`**
+:   Gateway name. Present on some chat settings.
+
+type: keyword
+
+
+**`google_workspace.admin.chrome_os.session_type`**
+:   Chrome OS session type.
+
+type: keyword
+
+
+**`google_workspace.admin.device.serial_number`**
+:   Device serial number.
+
+type: keyword
+
+
+**`google_workspace.admin.device.id`**
+:   type: keyword
+
+
+**`google_workspace.admin.device.type`**
+:   Device type.
+
+type: keyword
+
+
+**`google_workspace.admin.print_server.name`**
+:   The name of the print server.
+
+type: keyword
+
+
+**`google_workspace.admin.printer.name`**
+:   The name of the printer.
+
+type: keyword
+
+
+**`google_workspace.admin.device.command_details`**
+:   Command details.
+
+type: keyword
+
+
+**`google_workspace.admin.role.id`**
+:   Unique identifier for this role privilege.
+
+type: keyword
+
+
+**`google_workspace.admin.role.name`**
+:   The role name. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings)
+
+type: keyword
+
+
+**`google_workspace.admin.privilege.name`**
+:   Privilege name.
+
+type: keyword
+
+
+**`google_workspace.admin.service.name`**
+:   The service name.
+
+type: keyword
+
+
+**`google_workspace.admin.url.name`**
+:   The website name.
+
+type: keyword
+
+
+**`google_workspace.admin.product.name`**
+:   The product name.
+
+type: keyword
+
+
+**`google_workspace.admin.product.sku`**
+:   The product SKU.
+
+type: keyword
+
+
+**`google_workspace.admin.bulk_upload.failed`**
+:   Number of failed records in bulk upload operation.
+
+type: long
+
+
+**`google_workspace.admin.bulk_upload.total`**
+:   Number of total records in bulk upload operation.
+
+type: long
+
+
+**`google_workspace.admin.group.allowed_list`**
+:   Names of allow-listed groups.
+
+type: keyword
+
+
+**`google_workspace.admin.email.quarantine_name`**
+:   The name of the quarantine.
+
+type: keyword
+
+
+**`google_workspace.admin.email.log_search_filter.message_id`**
+:   The log search filter’s email message ID.
+
+type: keyword
+
+
+**`google_workspace.admin.email.log_search_filter.start_date`**
+:   The log search filter’s start date.
+
+type: date
+
+
+**`google_workspace.admin.email.log_search_filter.end_date`**
+:   The log search filter’s ending date.
+
+type: date
+
+
+**`google_workspace.admin.email.log_search_filter.recipient.value`**
+:   The log search filter’s email recipient.
+
+type: keyword
+
+
+**`google_workspace.admin.email.log_search_filter.sender.value`**
+:   The log search filter’s email sender.
+
+type: keyword
+
+
+**`google_workspace.admin.email.log_search_filter.recipient.ip`**
+:   The log search filter’s email recipient’s IP address.
+
+type: ip
+
+
+**`google_workspace.admin.email.log_search_filter.sender.ip`**
+:   The log search filter’s email sender’s IP address.
+
+type: ip
+
+
+**`google_workspace.admin.chrome_licenses.enabled`**
+:   Licences enabled. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings)
+
+type: keyword
+
+
+**`google_workspace.admin.chrome_licenses.allowed`**
+:   Licences enabled. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings)
+
+type: keyword
+
+
+**`google_workspace.admin.oauth2.service.name`**
+:   OAuth2 service name. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings)
+
+type: keyword
+
+
+**`google_workspace.admin.oauth2.application.id`**
+:   OAuth2 application ID.
+
+type: keyword
+
+
+**`google_workspace.admin.oauth2.application.name`**
+:   OAuth2 application name.
+
+type: keyword
+
+
+**`google_workspace.admin.oauth2.application.type`**
+:   OAuth2 application type. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings)
+
+type: keyword
+
+
+**`google_workspace.admin.verification_method`**
+:   Related verification method. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings) and [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings)
+
+type: keyword
+
+
+**`google_workspace.admin.alert.name`**
+:   The alert name.
+
+type: keyword
+
+
+**`google_workspace.admin.rule.name`**
+:   The rule name.
+
+type: keyword
+
+
+**`google_workspace.admin.api.client.name`**
+:   The API client name.
+
+type: keyword
+
+
+**`google_workspace.admin.api.scopes`**
+:   The API scopes.
+
+type: keyword
+
+
+**`google_workspace.admin.mdm.token`**
+:   The MDM vendor enrollment token.
+
+type: keyword
+
+
+**`google_workspace.admin.mdm.vendor`**
+:   The MDM vendor’s name.
+
+type: keyword
+
+
+**`google_workspace.admin.info_type`**
+:   This will be used to state what kind of information was changed. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings)
+
+type: keyword
+
+
+**`google_workspace.admin.email_monitor.dest_email`**
+:   The destination address of the email monitor.
+
+type: keyword
+
+
+**`google_workspace.admin.email_monitor.level.chat`**
+:   The chat email monitor level.
+
+type: keyword
+
+
+**`google_workspace.admin.email_monitor.level.draft`**
+:   The draft email monitor level.
+
+type: keyword
+
+
+**`google_workspace.admin.email_monitor.level.incoming`**
+:   The incoming email monitor level.
+
+type: keyword
+
+
+**`google_workspace.admin.email_monitor.level.outgoing`**
+:   The outgoing email monitor level.
+
+type: keyword
+
+
+**`google_workspace.admin.email_dump.include_deleted`**
+:   Indicates if deleted emails are included in the export.
+
+type: boolean
+
+
+**`google_workspace.admin.email_dump.package_content`**
+:   The contents of the mailbox package.
+
+type: keyword
+
+
+**`google_workspace.admin.email_dump.query`**
+:   The search query used for the dump.
+
+type: keyword
+
+
+**`google_workspace.admin.request.id`**
+:   The request ID.
+
+type: keyword
+
+
+**`google_workspace.admin.mobile.action.id`**
+:   The mobile device action’s ID.
+
+type: keyword
+
+
+**`google_workspace.admin.mobile.action.type`**
+:   The mobile device action’s type. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings)
+
+type: keyword
+
+
+**`google_workspace.admin.mobile.certificate.name`**
+:   The mobile certificate common name.
+
+type: keyword
+
+
+**`google_workspace.admin.mobile.company_owned_devices`**
+:   The number of devices a company owns.
+
+type: long
+
+
+**`google_workspace.admin.distribution.entity.name`**
+:   The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings)
+
+type: keyword
+
+
+**`google_workspace.admin.distribution.entity.type`**
+:   The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings)
+
+type: keyword
+
+
+**`google_workspace.drive.billable`**
+:   Whether this activity is billable.
+
+type: boolean
+
+
+**`google_workspace.drive.source_folder_id`**
+:   type: keyword
+
+
+**`google_workspace.drive.source_folder_title`**
+:   type: keyword
+
+
+**`google_workspace.drive.destination_folder_id`**
+:   type: keyword
+
+
+**`google_workspace.drive.destination_folder_title`**
+:   type: keyword
+
+
+**`google_workspace.drive.file.id`**
+:   type: keyword
+
+
+**`google_workspace.drive.file.type`**
+:   Document Drive type. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive)
+
+type: keyword
+
+
+**`google_workspace.drive.originating_app_id`**
+:   The Google Cloud Project ID of the application that performed the action.
+
+type: keyword
+
+
+**`google_workspace.drive.file.owner.email`**
+:   type: keyword
+
+
+**`google_workspace.drive.file.owner.is_shared_drive`**
+:   Boolean flag denoting whether owner is a shared drive.
+
+type: boolean
+
+
+**`google_workspace.drive.primary_event`**
+:   Whether this is a primary event. A single user action in Drive may generate several events.
+
+type: boolean
+
+
+**`google_workspace.drive.shared_drive_id`**
+:   The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive.
+
+type: keyword
+
+
+**`google_workspace.drive.visibility`**
+:   Visibility of target file. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive)
+
+type: keyword
+
+
+**`google_workspace.drive.new_value`**
+:   When a setting or property of the file changes, the new value for it will appear here.
+
+type: keyword
+
+
+**`google_workspace.drive.old_value`**
+:   When a setting or property of the file changes, the old value for it will appear here.
+
+type: keyword
+
+
+**`google_workspace.drive.sheets_import_range_recipient_doc`**
+:   Doc ID of the recipient of a sheets import range.
+
+type: keyword
+
+
+**`google_workspace.drive.old_visibility`**
+:   When visibility changes, this holds the old value.
+
+type: keyword
+
+
+**`google_workspace.drive.visibility_change`**
+:   When visibility changes, this holds the new overall visibility of the file.
+
+type: keyword
+
+
+**`google_workspace.drive.target_domain`**
+:   The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.
+
+type: keyword
+
+
+**`google_workspace.drive.added_role`**
+:   Added membership role of a user/group in a Team Drive. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive)
+
+type: keyword
+
+
+**`google_workspace.drive.membership_change_type`**
+:   Type of change in Team Drive membership of a user/group. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive)
+
+type: keyword
+
+
+**`google_workspace.drive.shared_drive_settings_change_type`**
+:   Type of change in Team Drive settings. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive)
+
+type: keyword
+
+
+**`google_workspace.drive.removed_role`**
+:   Removed membership role of a user/group in a Team Drive. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive)
+
+type: keyword
+
+
+**`google_workspace.drive.target`**
+:   Target user or group.
+
+type: keyword
+
+
+**`google_workspace.groups.acl_permission`**
+:   Group permission setting updated. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups)
+
+type: keyword
+
+
+**`google_workspace.groups.email`**
+:   Group email.
+
+type: keyword
+
+
+**`google_workspace.groups.member.email`**
+:   Member email.
+
+type: keyword
+
+
+**`google_workspace.groups.member.role`**
+:   Member role. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups)
+
+type: keyword
+
+
+**`google_workspace.groups.setting`**
+:   Group setting updated. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups)
+
+type: keyword
+
+
+**`google_workspace.groups.new_value`**
+:   New value(s) of the group setting. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups)
+
+type: keyword
+
+
+**`google_workspace.groups.old_value`**
+:   Old value(s) of the group setting. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups)
+
+type: keyword
+
+
+**`google_workspace.groups.value`**
+:   Value of the group setting. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups)
+
+type: keyword
+
+
+**`google_workspace.groups.message.id`**
+:   SMTP message Id of an email message. Present for moderation events.
+
+type: keyword
+
+
+**`google_workspace.groups.message.moderation_action`**
+:   Message moderation action. Possible values are `approved` and `rejected`.
+
+type: keyword
+
+
+**`google_workspace.groups.status`**
+:   A status describing the output of an operation. Possible values are `failed` and `succeeded`.
+
+type: keyword
+
+
+**`google_workspace.login.affected_email_address`**
+:   type: keyword
+
+
+**`google_workspace.login.challenge_method`**
+:   Login challenge method. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login).
+
+type: keyword
+
+
+**`google_workspace.login.failure_type`**
+:   Login failure type. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login).
+
+type: keyword
+
+
+**`google_workspace.login.type`**
+:   Login credentials type. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login).
+
+type: keyword
+
+
+**`google_workspace.login.is_second_factor`**
+:   type: boolean
+
+
+**`google_workspace.login.is_suspicious`**
+:   type: boolean
+
+
+**`google_workspace.saml.application_name`**
+:   Saml SP application name.
+
+type: keyword
+
+
+**`google_workspace.saml.failure_type`**
+:   Login failure type. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml).
+
+type: keyword
+
+
+**`google_workspace.saml.initiated_by`**
+:   Requester of SAML authentication.
+
+type: keyword
+
+
+**`google_workspace.saml.orgunit_path`**
+:   User orgunit.
+
+type: keyword
+
+
+**`google_workspace.saml.status_code`**
+:   SAML status code.
+
+type: keyword
+
+
+**`google_workspace.saml.second_level_status_code`**
+:   SAML second level status code.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-haproxy.md b/docs/reference/filebeat/exported-fields-haproxy.md
new file mode 100644
index 000000000000..1c52c481ad4b
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-haproxy.md
@@ -0,0 +1,284 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-haproxy.html
+---
+
+# HAProxy fields [exported-fields-haproxy]
+
+haproxy Module
+
+
+## haproxy [_haproxy]
+
+**`haproxy.frontend_name`**
+:   Name of the frontend (or listener) which received and processed the connection.
+
+
+**`haproxy.backend_name`**
+:   Name of the backend (or listener) which was selected to manage the connection to the server.
+
+
+**`haproxy.server_name`**
+:   Name of the last server to which the connection was sent.
+
+
+**`haproxy.total_waiting_time_ms`**
+:   Total time in milliseconds spent waiting in the various queues
+
+type: long
+
+
+**`haproxy.connection_wait_time_ms`**
+:   Total time in milliseconds spent waiting for the connection to establish to the final server
+
+type: long
+
+
+**`haproxy.bytes_read`**
+:   Total number of bytes transmitted to the client when the log is emitted.
+
+type: long
+
+
+**`haproxy.time_queue`**
+:   Total time in milliseconds spent waiting in the various queues.
+
+type: long
+
+
+**`haproxy.time_backend_connect`**
+:   Total time in milliseconds spent waiting for the connection to establish to the final server, including retries.
+
+type: long
+
+
+**`haproxy.server_queue`**
+:   Total number of requests which were processed before this one in the server queue.
+
+type: long
+
+
+**`haproxy.backend_queue`**
+:   Total number of requests which were processed before this one in the backend’s global queue.
+
+type: long
+
+
+**`haproxy.bind_name`**
+:   Name of the listening address which received the connection.
+
+
+**`haproxy.error_message`**
+:   Error message logged by HAProxy in case of error.
+
+type: text
+
+
+**`haproxy.source`**
+:   The HAProxy source of the log
+
+type: keyword
+
+
+**`haproxy.termination_state`**
+:   Condition the session was in when the session ended.
+
+
+**`haproxy.mode`**
+:   mode that the frontend is operating (TCP or HTTP)
+
+type: keyword
+
+
+
+## connections [_connections]
+
+Contains various counts of connections active in the process.
+
+**`haproxy.connections.active`**
+:   Total number of concurrent connections on the process when the session was logged.
+
+type: long
+
+
+**`haproxy.connections.frontend`**
+:   Total number of concurrent connections on the frontend when the session was logged.
+
+type: long
+
+
+**`haproxy.connections.backend`**
+:   Total number of concurrent connections handled by the backend when the session was logged.
+
+type: long
+
+
+**`haproxy.connections.server`**
+:   Total number of concurrent connections still active on the server when the session was logged.
+
+type: long
+
+
+**`haproxy.connections.retries`**
+:   Number of connection retries experienced by this session when trying to connect to the server.
+
+type: long
+
+
+
+## client [_client_2]
+
+Information about the client doing the request
+
+**`haproxy.client.ip`**
+:   type: alias
+
+alias to: source.address
+
+
+**`haproxy.client.port`**
+:   type: alias
+
+alias to: source.port
+
+
+**`haproxy.process_name`**
+:   type: alias
+
+alias to: process.name
+
+
+**`haproxy.pid`**
+:   type: alias
+
+alias to: process.pid
+
+
+
+## destination [_destination_2]
+
+Destination information
+
+**`haproxy.destination.port`**
+:   type: alias
+
+alias to: destination.port
+
+
+**`haproxy.destination.ip`**
+:   type: alias
+
+alias to: destination.ip
+
+
+
+## geoip [_geoip]
+
+Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.
+
+**`haproxy.geoip.continent_name`**
+:   type: alias
+
+alias to: source.geo.continent_name
+
+
+**`haproxy.geoip.country_iso_code`**
+:   type: alias
+
+alias to: source.geo.country_iso_code
+
+
+**`haproxy.geoip.location`**
+:   type: alias
+
+alias to: source.geo.location
+
+
+**`haproxy.geoip.region_name`**
+:   type: alias
+
+alias to: source.geo.region_name
+
+
+**`haproxy.geoip.city_name`**
+:   type: alias
+
+alias to: source.geo.city_name
+
+
+**`haproxy.geoip.region_iso_code`**
+:   type: alias
+
+alias to: source.geo.region_iso_code
+
+
+
+## http [_http_2]
+
+Please add description
+
+
+## response [_response_2]
+
+Fields related to the HTTP response
+
+**`haproxy.http.response.captured_cookie`**
+:   Optional "name=value" entry indicating that the client had this cookie in the response.
+
+
+**`haproxy.http.response.captured_headers`**
+:   List of headers captured in the response due to the presence of the "capture response header" statement in the frontend.
+
+type: keyword
+
+
+**`haproxy.http.response.status_code`**
+:   type: alias
+
+alias to: http.response.status_code
+
+
+
+## request [_request_2]
+
+Fields related to the HTTP request
+
+**`haproxy.http.request.captured_cookie`**
+:   Optional "name=value" entry indicating that the server has returned a cookie with its request.
+
+
+**`haproxy.http.request.captured_headers`**
+:   List of headers captured in the request due to the presence of the "capture request header" statement in the frontend.
+
+type: keyword
+
+
+**`haproxy.http.request.raw_request_line`**
+:   Complete HTTP request line, including the method, request and HTTP version string.
+
+type: keyword
+
+
+**`haproxy.http.request.time_wait_without_data_ms`**
+:   Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data.
+
+type: long
+
+
+**`haproxy.http.request.time_wait_ms`**
+:   Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received.
+
+type: long
+
+
+
+## tcp [_tcp]
+
+TCP log format
+
+**`haproxy.tcp.connection_waiting_time_ms`**
+:   Total time in milliseconds elapsed between the accept and the last close
+
+type: long
+
+
diff --git a/docs/reference/filebeat/exported-fields-host-processor.md b/docs/reference/filebeat/exported-fields-host-processor.md
new file mode 100644
index 000000000000..f4eacbcc6060
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-host-processor.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-host-processor.html
+---
+
+# Host fields [exported-fields-host-processor]
+
+Info collected for the host machine.
+
+**`host.containerized`**
+:   If the host is a container.
+
+type: boolean
+
+
+**`host.os.build`**
+:   OS build information.
+
+type: keyword
+
+example: 18D109
+
+
+**`host.os.codename`**
+:   OS codename, if any.
+
+type: keyword
+
+example: stretch
+
+
diff --git a/docs/reference/filebeat/exported-fields-ibmmq.md b/docs/reference/filebeat/exported-fields-ibmmq.md
new file mode 100644
index 000000000000..c2e371fad7a8
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-ibmmq.md
@@ -0,0 +1,67 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-ibmmq.html
+---
+
+# ibmmq fields [exported-fields-ibmmq]
+
+ibmmq Module
+
+
+## ibmmq [_ibmmq]
+
+
+## errorlog [_errorlog]
+
+IBM MQ error logs
+
+**`ibmmq.errorlog.installation`**
+:   This is the installation name which can be given at installation time. Each installation of IBM MQ on UNIX, Linux, and Windows, has a unique identifier known as an installation name. The installation name is used to associate things such as queue managers and configuration files with an installation.
+
+type: keyword
+
+
+**`ibmmq.errorlog.qmgr`**
+:   Name of the queue manager. Queue managers provide queuing services to applications, and manages the queues that belong to them.
+
+type: keyword
+
+
+**`ibmmq.errorlog.arithinsert`**
+:   Changing content based on error.id
+
+type: keyword
+
+
+**`ibmmq.errorlog.commentinsert`**
+:   Changing content based on error.id
+
+type: keyword
+
+
+**`ibmmq.errorlog.errordescription`**
+:   Please add description
+
+type: text
+
+example: Please add example
+
+
+**`ibmmq.errorlog.explanation`**
+:   Explaines the error in more detail
+
+type: keyword
+
+
+**`ibmmq.errorlog.action`**
+:   Defines what to do when the error occurs
+
+type: keyword
+
+
+**`ibmmq.errorlog.code`**
+:   Error code.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-icinga.md b/docs/reference/filebeat/exported-fields-icinga.md
new file mode 100644
index 000000000000..7d2c0a731e36
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-icinga.md
@@ -0,0 +1,81 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-icinga.html
+---
+
+# Icinga fields [exported-fields-icinga]
+
+Icinga Module
+
+
+## icinga [_icinga]
+
+
+## debug [_debug_2]
+
+Contains fields for the Icinga debug logs.
+
+**`icinga.debug.facility`**
+:   Specifies what component of Icinga logged the message.
+
+type: keyword
+
+
+**`icinga.debug.severity`**
+:   type: alias
+
+alias to: log.level
+
+
+**`icinga.debug.message`**
+:   type: alias
+
+alias to: message
+
+
+
+## main [_main]
+
+Contains fields for the Icinga main logs.
+
+**`icinga.main.facility`**
+:   Specifies what component of Icinga logged the message.
+
+type: keyword
+
+
+**`icinga.main.severity`**
+:   type: alias
+
+alias to: log.level
+
+
+**`icinga.main.message`**
+:   type: alias
+
+alias to: message
+
+
+
+## startup [_startup]
+
+Contains fields for the Icinga startup logs.
+
+**`icinga.startup.facility`**
+:   Specifies what component of Icinga logged the message.
+
+type: keyword
+
+
+**`icinga.startup.severity`**
+:   type: alias
+
+alias to: log.level
+
+
+**`icinga.startup.message`**
+:   type: alias
+
+alias to: message
+
+
diff --git a/docs/reference/filebeat/exported-fields-iis.md b/docs/reference/filebeat/exported-fields-iis.md
new file mode 100644
index 000000000000..759ecb8d7de8
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-iis.md
@@ -0,0 +1,294 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-iis.html
+---
+
+# IIS fields [exported-fields-iis]
+
+Module for parsing IIS log files.
+
+
+## iis [_iis]
+
+Fields from IIS log files.
+
+
+## access [_access_2]
+
+Contains fields for IIS access logs.
+
+**`iis.access.sub_status`**
+:   The HTTP substatus code.
+
+type: long
+
+
+**`iis.access.win32_status`**
+:   The Windows status code.
+
+type: long
+
+
+**`iis.access.site_name`**
+:   The site name and instance number.
+
+type: keyword
+
+
+**`iis.access.server_name`**
+:   The name of the server on which the log file entry was generated.
+
+type: keyword
+
+
+**`iis.access.cookie`**
+:   The content of the cookie sent or received, if any.
+
+type: keyword
+
+
+**`iis.access.body_received.bytes`**
+:   type: alias
+
+alias to: http.request.body.bytes
+
+
+**`iis.access.body_sent.bytes`**
+:   type: alias
+
+alias to: http.response.body.bytes
+
+
+**`iis.access.server_ip`**
+:   type: alias
+
+alias to: destination.address
+
+
+**`iis.access.method`**
+:   type: alias
+
+alias to: http.request.method
+
+
+**`iis.access.url`**
+:   type: alias
+
+alias to: url.path
+
+
+**`iis.access.query_string`**
+:   type: alias
+
+alias to: url.query
+
+
+**`iis.access.port`**
+:   type: alias
+
+alias to: destination.port
+
+
+**`iis.access.user_name`**
+:   type: alias
+
+alias to: user.name
+
+
+**`iis.access.remote_ip`**
+:   type: alias
+
+alias to: source.address
+
+
+**`iis.access.referrer`**
+:   type: alias
+
+alias to: http.request.referrer
+
+
+**`iis.access.response_code`**
+:   type: alias
+
+alias to: http.response.status_code
+
+
+**`iis.access.http_version`**
+:   type: alias
+
+alias to: http.version
+
+
+**`iis.access.hostname`**
+:   type: alias
+
+alias to: host.hostname
+
+
+**`iis.access.user_agent.device`**
+:   type: alias
+
+alias to: user_agent.device.name
+
+
+**`iis.access.user_agent.name`**
+:   type: alias
+
+alias to: user_agent.name
+
+
+**`iis.access.user_agent.os`**
+:   type: alias
+
+alias to: user_agent.os.full_name
+
+
+**`iis.access.user_agent.os_name`**
+:   type: alias
+
+alias to: user_agent.os.name
+
+
+**`iis.access.user_agent.original`**
+:   type: alias
+
+alias to: user_agent.original
+
+
+**`iis.access.geoip.continent_name`**
+:   type: alias
+
+alias to: source.geo.continent_name
+
+
+**`iis.access.geoip.country_iso_code`**
+:   type: alias
+
+alias to: source.geo.country_iso_code
+
+
+**`iis.access.geoip.location`**
+:   type: alias
+
+alias to: source.geo.location
+
+
+**`iis.access.geoip.region_name`**
+:   type: alias
+
+alias to: source.geo.region_name
+
+
+**`iis.access.geoip.city_name`**
+:   type: alias
+
+alias to: source.geo.city_name
+
+
+**`iis.access.geoip.region_iso_code`**
+:   type: alias
+
+alias to: source.geo.region_iso_code
+
+
+
+## error [_error_3]
+
+Contains fields for IIS error logs.
+
+**`iis.error.reason_phrase`**
+:   The HTTP reason phrase.
+
+type: keyword
+
+
+**`iis.error.queue_name`**
+:   The IIS application pool name.
+
+type: keyword
+
+
+**`iis.error.remote_ip`**
+:   type: alias
+
+alias to: source.address
+
+
+**`iis.error.remote_port`**
+:   type: alias
+
+alias to: source.port
+
+
+**`iis.error.server_ip`**
+:   type: alias
+
+alias to: destination.address
+
+
+**`iis.error.server_port`**
+:   type: alias
+
+alias to: destination.port
+
+
+**`iis.error.http_version`**
+:   type: alias
+
+alias to: http.version
+
+
+**`iis.error.method`**
+:   type: alias
+
+alias to: http.request.method
+
+
+**`iis.error.url`**
+:   type: alias
+
+alias to: url.original
+
+
+**`iis.error.response_code`**
+:   type: alias
+
+alias to: http.response.status_code
+
+
+**`iis.error.geoip.continent_name`**
+:   type: alias
+
+alias to: source.geo.continent_name
+
+
+**`iis.error.geoip.country_iso_code`**
+:   type: alias
+
+alias to: source.geo.country_iso_code
+
+
+**`iis.error.geoip.location`**
+:   type: alias
+
+alias to: source.geo.location
+
+
+**`iis.error.geoip.region_name`**
+:   type: alias
+
+alias to: source.geo.region_name
+
+
+**`iis.error.geoip.city_name`**
+:   type: alias
+
+alias to: source.geo.city_name
+
+
+**`iis.error.geoip.region_iso_code`**
+:   type: alias
+
+alias to: source.geo.region_iso_code
+
+
diff --git a/docs/reference/filebeat/exported-fields-iptables.md b/docs/reference/filebeat/exported-fields-iptables.md
new file mode 100644
index 000000000000..ccce9163ad4f
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-iptables.md
@@ -0,0 +1,202 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-iptables.html
+---
+
+# iptables fields [exported-fields-iptables]
+
+Module for handling the iptables logs.
+
+
+## iptables [_iptables]
+
+Fields from the iptables logs.
+
+**`iptables.ether_type`**
+:   Value of the ethernet type field identifying the network layer protocol.
+
+type: long
+
+
+**`iptables.flow_label`**
+:   IPv6 flow label.
+
+type: integer
+
+
+**`iptables.fragment_flags`**
+:   IP fragment flags. A combination of CE, DF and MF.
+
+type: keyword
+
+
+**`iptables.fragment_offset`**
+:   Offset of the current IP fragment.
+
+type: long
+
+
+
+## icmp [_icmp]
+
+ICMP fields.
+
+**`iptables.icmp.code`**
+:   ICMP code.
+
+type: long
+
+
+**`iptables.icmp.id`**
+:   ICMP ID.
+
+type: long
+
+
+**`iptables.icmp.parameter`**
+:   ICMP parameter.
+
+type: long
+
+
+**`iptables.icmp.redirect`**
+:   ICMP redirect address.
+
+type: ip
+
+
+**`iptables.icmp.seq`**
+:   ICMP sequence number.
+
+type: long
+
+
+**`iptables.icmp.type`**
+:   ICMP type.
+
+type: long
+
+
+**`iptables.id`**
+:   Packet identifier.
+
+type: long
+
+
+**`iptables.incomplete_bytes`**
+:   Number of incomplete bytes.
+
+type: long
+
+
+**`iptables.input_device`**
+:   Device that received the packet.
+
+type: keyword
+
+
+**`iptables.precedence_bits`**
+:   IP precedence bits.
+
+type: short
+
+
+**`iptables.tos`**
+:   IP Type of Service field.
+
+type: long
+
+
+**`iptables.length`**
+:   Packet length.
+
+type: long
+
+
+**`iptables.output_device`**
+:   Device that output the packet.
+
+type: keyword
+
+
+
+## tcp [_tcp_2]
+
+TCP fields.
+
+**`iptables.tcp.flags`**
+:   TCP flags.
+
+type: keyword
+
+
+**`iptables.tcp.reserved_bits`**
+:   TCP reserved bits.
+
+type: short
+
+
+**`iptables.tcp.seq`**
+:   TCP sequence number.
+
+type: long
+
+
+**`iptables.tcp.ack`**
+:   TCP Acknowledgment number.
+
+type: long
+
+
+**`iptables.tcp.window`**
+:   Advertised TCP window size.
+
+type: long
+
+
+**`iptables.ttl`**
+:   Time To Live field.
+
+type: integer
+
+
+
+## udp [_udp]
+
+UDP fields.
+
+**`iptables.udp.length`**
+:   Length of the UDP header and payload.
+
+type: long
+
+
+
+## ubiquiti [_ubiquiti]
+
+Fields for Ubiquiti network devices.
+
+**`iptables.ubiquiti.input_zone`**
+:   Input zone.
+
+type: keyword
+
+
+**`iptables.ubiquiti.output_zone`**
+:   Output zone.
+
+type: keyword
+
+
+**`iptables.ubiquiti.rule_number`**
+:   The rule number within the rule set.
+
+type: keyword
+
+
+**`iptables.ubiquiti.rule_set`**
+:   The rule set name.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-jolokia-autodiscover.md b/docs/reference/filebeat/exported-fields-jolokia-autodiscover.md
new file mode 100644
index 000000000000..b9023a51b82c
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-jolokia-autodiscover.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-jolokia-autodiscover.html
+---
+
+# Jolokia Discovery autodiscover provider fields [exported-fields-jolokia-autodiscover]
+
+Metadata from Jolokia Discovery added by the jolokia provider.
+
+**`jolokia.agent.version`**
+:   Version number of jolokia agent.
+
+type: keyword
+
+
+**`jolokia.agent.id`**
+:   Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.
+
+type: keyword
+
+
+**`jolokia.server.product`**
+:   The container product if detected.
+
+type: keyword
+
+
+**`jolokia.server.version`**
+:   The container’s version (if detected).
+
+type: keyword
+
+
+**`jolokia.server.vendor`**
+:   The vendor of the container the agent is running in.
+
+type: keyword
+
+
+**`jolokia.url`**
+:   The URL how this agent can be contacted.
+
+type: keyword
+
+
+**`jolokia.secured`**
+:   Whether the agent was configured for authentication or not.
+
+type: boolean
+
+
diff --git a/docs/reference/filebeat/exported-fields-juniper.md b/docs/reference/filebeat/exported-fields-juniper.md
new file mode 100644
index 000000000000..762004b9d07f
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-juniper.md
@@ -0,0 +1,590 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-juniper.html
+---
+
+# Juniper JUNOS fields [exported-fields-juniper]
+
+juniper fields.
+
+
+## juniper.srx [_juniper_srx]
+
+Module for parsing junipersrx syslog.
+
+**`juniper.srx.reason`**
+:   reason
+
+type: keyword
+
+
+**`juniper.srx.connection_tag`**
+:   connection tag
+
+type: keyword
+
+
+**`juniper.srx.service_name`**
+:   service name
+
+type: keyword
+
+
+**`juniper.srx.nat_connection_tag`**
+:   nat connection tag
+
+type: keyword
+
+
+**`juniper.srx.src_nat_rule_type`**
+:   src nat rule type
+
+type: keyword
+
+
+**`juniper.srx.src_nat_rule_name`**
+:   src nat rule name
+
+type: keyword
+
+
+**`juniper.srx.dst_nat_rule_type`**
+:   dst nat rule type
+
+type: keyword
+
+
+**`juniper.srx.dst_nat_rule_name`**
+:   dst nat rule name
+
+type: keyword
+
+
+**`juniper.srx.protocol_id`**
+:   protocol id
+
+type: keyword
+
+
+**`juniper.srx.policy_name`**
+:   policy name
+
+type: keyword
+
+
+**`juniper.srx.session_id_32`**
+:   session id 32
+
+type: keyword
+
+
+**`juniper.srx.session_id`**
+:   session id
+
+type: keyword
+
+
+**`juniper.srx.outbound_packets`**
+:   packets from client
+
+type: integer
+
+
+**`juniper.srx.outbound_bytes`**
+:   bytes from client
+
+type: integer
+
+
+**`juniper.srx.inbound_packets`**
+:   packets from server
+
+type: integer
+
+
+**`juniper.srx.inbound_bytes`**
+:   bytes from server
+
+type: integer
+
+
+**`juniper.srx.elapsed_time`**
+:   elapsed time
+
+type: date
+
+
+**`juniper.srx.application`**
+:   application
+
+type: keyword
+
+
+**`juniper.srx.nested_application`**
+:   nested application
+
+type: keyword
+
+
+**`juniper.srx.username`**
+:   username
+
+type: keyword
+
+
+**`juniper.srx.roles`**
+:   roles
+
+type: keyword
+
+
+**`juniper.srx.encrypted`**
+:   encrypted
+
+type: keyword
+
+
+**`juniper.srx.application_category`**
+:   application category
+
+type: keyword
+
+
+**`juniper.srx.application_sub_category`**
+:   application sub category
+
+type: keyword
+
+
+**`juniper.srx.application_characteristics`**
+:   application characteristics
+
+type: keyword
+
+
+**`juniper.srx.secure_web_proxy_session_type`**
+:   secure web proxy session type
+
+type: keyword
+
+
+**`juniper.srx.peer_session_id`**
+:   peer session id
+
+type: keyword
+
+
+**`juniper.srx.peer_source_address`**
+:   peer source address
+
+type: ip
+
+
+**`juniper.srx.peer_source_port`**
+:   peer source port
+
+type: integer
+
+
+**`juniper.srx.peer_destination_address`**
+:   peer destination address
+
+type: ip
+
+
+**`juniper.srx.peer_destination_port`**
+:   peer destination port
+
+type: integer
+
+
+**`juniper.srx.hostname`**
+:   hostname
+
+type: keyword
+
+
+**`juniper.srx.src_vrf_grp`**
+:   src_vrf_grp
+
+type: keyword
+
+
+**`juniper.srx.dst_vrf_grp`**
+:   dst_vrf_grp
+
+type: keyword
+
+
+**`juniper.srx.icmp_type`**
+:   icmp type
+
+type: integer
+
+
+**`juniper.srx.process`**
+:   process that generated the message
+
+type: keyword
+
+
+**`juniper.srx.apbr_rule_type`**
+:   apbr rule type
+
+type: keyword
+
+
+**`juniper.srx.dscp_value`**
+:   apbr rule type
+
+type: integer
+
+
+**`juniper.srx.logical_system_name`**
+:   logical system name
+
+type: keyword
+
+
+**`juniper.srx.profile_name`**
+:   profile name
+
+type: keyword
+
+
+**`juniper.srx.routing_instance`**
+:   routing instance
+
+type: keyword
+
+
+**`juniper.srx.rule_name`**
+:   rule name
+
+type: keyword
+
+
+**`juniper.srx.uplink_tx_bytes`**
+:   uplink tx bytes
+
+type: integer
+
+
+**`juniper.srx.uplink_rx_bytes`**
+:   uplink rx bytes
+
+type: integer
+
+
+**`juniper.srx.obj`**
+:   url path
+
+type: keyword
+
+
+**`juniper.srx.url`**
+:   url domain
+
+type: keyword
+
+
+**`juniper.srx.profile`**
+:   filter profile
+
+type: keyword
+
+
+**`juniper.srx.category`**
+:   filter category
+
+type: keyword
+
+
+**`juniper.srx.filename`**
+:   filename
+
+type: keyword
+
+
+**`juniper.srx.temporary_filename`**
+:   temporary_filename
+
+type: keyword
+
+
+**`juniper.srx.name`**
+:   name
+
+type: keyword
+
+
+**`juniper.srx.error_message`**
+:   error_message
+
+type: keyword
+
+
+**`juniper.srx.error_code`**
+:   error_code
+
+type: keyword
+
+
+**`juniper.srx.action`**
+:   action
+
+type: keyword
+
+
+**`juniper.srx.protocol`**
+:   protocol
+
+type: keyword
+
+
+**`juniper.srx.protocol_name`**
+:   protocol name
+
+type: keyword
+
+
+**`juniper.srx.type`**
+:   type
+
+type: keyword
+
+
+**`juniper.srx.repeat_count`**
+:   repeat count
+
+type: integer
+
+
+**`juniper.srx.alert`**
+:   repeat alert
+
+type: keyword
+
+
+**`juniper.srx.message_type`**
+:   message type
+
+type: keyword
+
+
+**`juniper.srx.threat_severity`**
+:   threat severity
+
+type: keyword
+
+
+**`juniper.srx.application_name`**
+:   application name
+
+type: keyword
+
+
+**`juniper.srx.attack_name`**
+:   attack name
+
+type: keyword
+
+
+**`juniper.srx.index`**
+:   index
+
+type: keyword
+
+
+**`juniper.srx.message`**
+:   mesagge
+
+type: keyword
+
+
+**`juniper.srx.epoch_time`**
+:   epoch time
+
+type: date
+
+
+**`juniper.srx.packet_log_id`**
+:   packet log id
+
+type: integer
+
+
+**`juniper.srx.export_id`**
+:   packet log id
+
+type: integer
+
+
+**`juniper.srx.ddos_application_name`**
+:   ddos application name
+
+type: keyword
+
+
+**`juniper.srx.connection_hit_rate`**
+:   connection hit rate
+
+type: integer
+
+
+**`juniper.srx.time_scope`**
+:   time scope
+
+type: keyword
+
+
+**`juniper.srx.context_hit_rate`**
+:   context hit rate
+
+type: integer
+
+
+**`juniper.srx.context_value_hit_rate`**
+:   context value hit rate
+
+type: integer
+
+
+**`juniper.srx.time_count`**
+:   time count
+
+type: integer
+
+
+**`juniper.srx.time_period`**
+:   time period
+
+type: integer
+
+
+**`juniper.srx.context_value`**
+:   context value
+
+type: keyword
+
+
+**`juniper.srx.context_name`**
+:   context name
+
+type: keyword
+
+
+**`juniper.srx.ruleebase_name`**
+:   ruleebase name
+
+type: keyword
+
+
+**`juniper.srx.verdict_source`**
+:   verdict source
+
+type: keyword
+
+
+**`juniper.srx.verdict_number`**
+:   verdict number
+
+type: integer
+
+
+**`juniper.srx.file_category`**
+:   file category
+
+type: keyword
+
+
+**`juniper.srx.sample_sha256`**
+:   sample sha256
+
+type: keyword
+
+
+**`juniper.srx.malware_info`**
+:   malware info
+
+type: keyword
+
+
+**`juniper.srx.client_ip`**
+:   client ip
+
+type: ip
+
+
+**`juniper.srx.tenant_id`**
+:   tenant id
+
+type: keyword
+
+
+**`juniper.srx.timestamp`**
+:   timestamp
+
+type: date
+
+
+**`juniper.srx.th`**
+:   th
+
+type: keyword
+
+
+**`juniper.srx.status`**
+:   status
+
+type: keyword
+
+
+**`juniper.srx.state`**
+:   state
+
+type: keyword
+
+
+**`juniper.srx.file_hash_lookup`**
+:   file hash lookup
+
+type: keyword
+
+
+**`juniper.srx.file_name`**
+:   file name
+
+type: keyword
+
+
+**`juniper.srx.action_detail`**
+:   action detail
+
+type: keyword
+
+
+**`juniper.srx.sub_category`**
+:   sub category
+
+type: keyword
+
+
+**`juniper.srx.feed_name`**
+:   feed name
+
+type: keyword
+
+
+**`juniper.srx.occur_count`**
+:   occur count
+
+type: integer
+
+
+**`juniper.srx.tag`**
+:   system log message tag, which uniquely identifies the message.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-kafka.md b/docs/reference/filebeat/exported-fields-kafka.md
new file mode 100644
index 000000000000..8e8c9b6df493
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-kafka.md
@@ -0,0 +1,52 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-kafka.html
+---
+
+# Kafka fields [exported-fields-kafka]
+
+Kafka module
+
+
+## kafka [_kafka]
+
+
+## log [_log_5]
+
+Kafka log lines.
+
+**`kafka.log.component`**
+:   Component the log is coming from.
+
+type: keyword
+
+
+**`kafka.log.class`**
+:   Java class the log is coming from.
+
+type: keyword
+
+
+**`kafka.log.thread`**
+:   Thread name the log is coming from.
+
+type: keyword
+
+
+
+## trace [_trace]
+
+Trace in the log line.
+
+**`kafka.log.trace.class`**
+:   Java class the trace is coming from.
+
+type: keyword
+
+
+**`kafka.log.trace.message`**
+:   Message part of the trace.
+
+type: text
+
+
diff --git a/docs/reference/filebeat/exported-fields-kibana.md b/docs/reference/filebeat/exported-fields-kibana.md
new file mode 100644
index 000000000000..05205fb07b21
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-kibana.md
@@ -0,0 +1,135 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-kibana.html
+---
+
+# kibana fields [exported-fields-kibana]
+
+kibana Module
+
+**`service.node.roles`**
+:   type: keyword
+
+
+
+## kibana [_kibana]
+
+Module for parsing Kibana logs.
+
+**`kibana.session_id`**
+:   The ID of the user session associated with this event. Each login attempt results in a unique session id.
+
+type: keyword
+
+example: 123e4567-e89b-12d3-a456-426614174000
+
+
+**`kibana.space_id`**
+:   The id of the space associated with this event.
+
+type: keyword
+
+example: default
+
+
+**`kibana.saved_object.type`**
+:   The type of the saved object associated with this event.
+
+type: keyword
+
+example: dashboard
+
+
+**`kibana.saved_object.id`**
+:   The id of the saved object associated with this event.
+
+type: keyword
+
+example: 6295bdd0-0a0e-11e7-825f-6748cda7d858
+
+
+**`kibana.saved_object.name`**
+:   The name of the saved object associated with this event.
+
+type: keyword
+
+example: my-saved-object
+
+
+**`kibana.add_to_spaces`**
+:   The set of space ids that a saved object was shared to.
+
+type: keyword
+
+example: [*default*, *marketing*]
+
+
+**`kibana.delete_from_spaces`**
+:   The set of space ids that a saved object was removed from.
+
+type: keyword
+
+example: [*default*, *marketing*]
+
+
+**`kibana.authentication_provider`**
+:   The authentication provider associated with a login event.
+
+type: keyword
+
+example: basic1
+
+
+**`kibana.authentication_type`**
+:   The authentication provider type associated with a login event.
+
+type: keyword
+
+example: basic
+
+
+**`kibana.authentication_realm`**
+:   The Elasticsearch authentication realm name which fulfilled a login event.
+
+type: keyword
+
+example: native
+
+
+**`kibana.lookup_realm`**
+:   The Elasticsearch lookup realm which fulfilled a login event.
+
+type: keyword
+
+example: native
+
+
+
+## log [_log_6]
+
+Kibana log lines.
+
+**`kibana.log.tags`**
+:   Kibana logging tags.
+
+type: keyword
+
+
+**`kibana.log.state`**
+:   Current state of Kibana.
+
+type: keyword
+
+
+**`kibana.log.meta`**
+:   type: object
+
+
+**`kibana.log.meta.req.headers`**
+:   type: flattened
+
+
+**`kibana.log.meta.res.headers`**
+:   type: flattened
+
+
diff --git a/docs/reference/filebeat/exported-fields-kubernetes-processor.md b/docs/reference/filebeat/exported-fields-kubernetes-processor.md
new file mode 100644
index 000000000000..8d8f2d6e83a1
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-kubernetes-processor.md
@@ -0,0 +1,87 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-kubernetes-processor.html
+---
+
+# Kubernetes fields [exported-fields-kubernetes-processor]
+
+Kubernetes metadata added by the kubernetes processor
+
+**`kubernetes.pod.name`**
+:   Kubernetes pod name
+
+type: keyword
+
+
+**`kubernetes.pod.uid`**
+:   Kubernetes Pod UID
+
+type: keyword
+
+
+**`kubernetes.pod.ip`**
+:   Kubernetes Pod IP
+
+type: ip
+
+
+**`kubernetes.namespace`**
+:   Kubernetes namespace
+
+type: keyword
+
+
+**`kubernetes.node.name`**
+:   Kubernetes node name
+
+type: keyword
+
+
+**`kubernetes.node.hostname`**
+:   Kubernetes hostname as reported by the node’s kernel
+
+type: keyword
+
+
+**`kubernetes.labels.*`**
+:   Kubernetes labels map
+
+type: object
+
+
+**`kubernetes.annotations.*`**
+:   Kubernetes annotations map
+
+type: object
+
+
+**`kubernetes.selectors.*`**
+:   Kubernetes selectors map
+
+type: object
+
+
+**`kubernetes.replicaset.name`**
+:   Kubernetes replicaset name
+
+type: keyword
+
+
+**`kubernetes.deployment.name`**
+:   Kubernetes deployment name
+
+type: keyword
+
+
+**`kubernetes.statefulset.name`**
+:   Kubernetes statefulset name
+
+type: keyword
+
+
+**`kubernetes.container.name`**
+:   Kubernetes container name (different than the name from the runtime)
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-log.md b/docs/reference/filebeat/exported-fields-log.md
new file mode 100644
index 000000000000..e2e0908ddacc
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-log.md
@@ -0,0 +1,207 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-log.html
+---
+
+# Log file content fields [exported-fields-log]
+
+Contains log file lines.
+
+**`log.source.address`**
+:   Source address from which the log event was read / sent from.
+
+type: keyword
+
+required: False
+
+
+**`log.offset`**
+:   The file offset the reported line starts at.
+
+type: long
+
+required: False
+
+
+**`stream`**
+:   Log stream when reading container logs, can be *stdout* or *stderr*
+
+type: keyword
+
+required: False
+
+
+**`input.type`**
+:   The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file.
+
+required: True
+
+
+**`syslog.facility`**
+:   The facility extracted from the priority.
+
+type: long
+
+required: False
+
+
+**`syslog.priority`**
+:   The priority of the syslog event.
+
+type: long
+
+required: False
+
+
+**`syslog.severity_label`**
+:   The human readable severity.
+
+type: keyword
+
+required: False
+
+
+**`syslog.facility_label`**
+:   The human readable facility.
+
+type: keyword
+
+required: False
+
+
+**`process.program`**
+:   The name of the program.
+
+type: keyword
+
+required: False
+
+
+**`log.flags`**
+:   This field contains the flags of the event.
+
+
+**`http.response.content_length`**
+:   type: alias
+
+alias to: http.response.body.bytes
+
+
+**`user_agent.os.full_name`**
+:   type: keyword
+
+
+**`fileset.name`**
+:   The Filebeat fileset that generated this event.
+
+type: keyword
+
+
+**`fileset.module`**
+:   type: alias
+
+alias to: event.module
+
+
+**`read_timestamp`**
+:   type: alias
+
+alias to: event.created
+
+
+**`docker.attrs`**
+:   docker.attrs contains labels and environment variables written by docker’s JSON File logging driver. These fields are only available when they are configured in the logging driver options.
+
+type: object
+
+
+**`icmp.code`**
+:   ICMP code.
+
+type: keyword
+
+
+**`icmp.type`**
+:   ICMP type.
+
+type: keyword
+
+
+**`igmp.type`**
+:   IGMP type.
+
+type: keyword
+
+
+**`azure.eventhub`**
+:   Name of the eventhub.
+
+type: keyword
+
+
+**`azure.offset`**
+:   The offset.
+
+type: long
+
+
+**`azure.enqueued_time`**
+:   The enqueued time.
+
+type: date
+
+
+**`azure.partition_id`**
+:   The partition id.
+
+type: long
+
+
+**`azure.consumer_group`**
+:   The consumer group.
+
+type: keyword
+
+
+**`azure.sequence_number`**
+:   The sequence number.
+
+type: long
+
+
+**`kafka.topic`**
+:   Kafka topic
+
+type: keyword
+
+
+**`kafka.partition`**
+:   Kafka partition number
+
+type: long
+
+
+**`kafka.offset`**
+:   Kafka offset of this message
+
+type: long
+
+
+**`kafka.key`**
+:   Kafka key, corresponding to the Kafka value stored in the message
+
+type: keyword
+
+
+**`kafka.block_timestamp`**
+:   Kafka outer (compressed) block timestamp
+
+type: date
+
+
+**`kafka.headers`**
+:   An array of Kafka header strings for this message, in the form "<key>: <value>".
+
+type: array
+
+
diff --git a/docs/reference/filebeat/exported-fields-logstash.md b/docs/reference/filebeat/exported-fields-logstash.md
new file mode 100644
index 000000000000..29436edad0a7
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-logstash.md
@@ -0,0 +1,140 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-logstash.html
+---
+
+# logstash fields [exported-fields-logstash]
+
+logstash Module
+
+
+## logstash [_logstash]
+
+
+## log [_log_7]
+
+Fields from the Logstash logs.
+
+**`logstash.log.module`**
+:   The module or class where the event originate.
+
+type: keyword
+
+
+**`logstash.log.thread`**
+:   Information about the running thread where the log originate.
+
+type: keyword
+
+
+**`logstash.log.thread.text`**
+:   type: text
+
+
+**`logstash.log.log_event`**
+:   key and value debugging information.
+
+type: object
+
+
+**`logstash.log.log_event.action`**
+:   type: keyword
+
+
+**`logstash.log.pipeline_id`**
+:   The ID of the pipeline.
+
+type: keyword
+
+example: main
+
+
+**`logstash.log.message`**
+:   type: alias
+
+alias to: message
+
+
+**`logstash.log.level`**
+:   type: alias
+
+alias to: log.level
+
+
+
+## slowlog [_slowlog_2]
+
+slowlog
+
+**`logstash.slowlog.module`**
+:   The module or class where the event originate.
+
+type: keyword
+
+
+**`logstash.slowlog.thread`**
+:   Information about the running thread where the log originate.
+
+type: keyword
+
+
+**`logstash.slowlog.thread.text`**
+:   type: text
+
+
+**`logstash.slowlog.event`**
+:   Raw dump of the original event
+
+type: keyword
+
+
+**`logstash.slowlog.event.text`**
+:   type: text
+
+
+**`logstash.slowlog.plugin_name`**
+:   Name of the plugin
+
+type: keyword
+
+
+**`logstash.slowlog.plugin_type`**
+:   Type of the plugin: Inputs, Filters, Outputs or Codecs.
+
+type: keyword
+
+
+**`logstash.slowlog.took_in_millis`**
+:   Execution time for the plugin in milliseconds.
+
+type: long
+
+
+**`logstash.slowlog.plugin_params`**
+:   String value of the plugin configuration
+
+type: keyword
+
+
+**`logstash.slowlog.plugin_params.text`**
+:   type: text
+
+
+**`logstash.slowlog.plugin_params_object`**
+:   key → value of the configuration used by the plugin.
+
+type: object
+
+
+**`logstash.slowlog.level`**
+:   type: alias
+
+alias to: log.level
+
+
+**`logstash.slowlog.took_in_nanos`**
+:   type: alias
+
+alias to: event.duration
+
+
diff --git a/docs/reference/filebeat/exported-fields-lumberjack.md b/docs/reference/filebeat/exported-fields-lumberjack.md
new file mode 100644
index 000000000000..d8614d9d91a0
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-lumberjack.md
@@ -0,0 +1,15 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-lumberjack.html
+---
+
+# Lumberjack fields [exported-fields-lumberjack]
+
+Fields from Lumberjack input.
+
+**`lumberjack`**
+:   Structured data received in an event sent over the Lumberjack protocol.
+
+type: flattened
+
+
diff --git a/docs/reference/filebeat/exported-fields-microsoft.md b/docs/reference/filebeat/exported-fields-microsoft.md
new file mode 100644
index 000000000000..66ffb0c8ebc9
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-microsoft.md
@@ -0,0 +1,373 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-microsoft.html
+---
+
+# Microsoft fields [exported-fields-microsoft]
+
+Microsoft Module
+
+
+## microsoft.defender_atp [_microsoft_defender_atp]
+
+Module for ingesting Microsoft Defender ATP.
+
+**`microsoft.defender_atp.lastUpdateTime`**
+:   The date and time (in UTC) the alert was last updated.
+
+type: date
+
+
+**`microsoft.defender_atp.resolvedTime`**
+:   The date and time in which the status of the alert was changed to *Resolved*.
+
+type: date
+
+
+**`microsoft.defender_atp.incidentId`**
+:   The Incident ID of the Alert.
+
+type: keyword
+
+
+**`microsoft.defender_atp.investigationId`**
+:   The Investigation ID related to the Alert.
+
+type: keyword
+
+
+**`microsoft.defender_atp.investigationState`**
+:   The current state of the Investigation.
+
+type: keyword
+
+
+**`microsoft.defender_atp.assignedTo`**
+:   Owner of the alert.
+
+type: keyword
+
+
+**`microsoft.defender_atp.status`**
+:   Specifies the current status of the alert. Possible values are: *Unknown*, *New*, *InProgress* and *Resolved*.
+
+type: keyword
+
+
+**`microsoft.defender_atp.classification`**
+:   Specification of the alert. Possible values are: *Unknown*, *FalsePositive*, *TruePositive*.
+
+type: keyword
+
+
+**`microsoft.defender_atp.determination`**
+:   Specifies the determination of the alert. Possible values are: *NotAvailable*, *Apt*, *Malware*, *SecurityPersonnel*, *SecurityTesting*, *UnwantedSoftware*, *Other*.
+
+type: keyword
+
+
+**`microsoft.defender_atp.threatFamilyName`**
+:   Threat family.
+
+type: keyword
+
+
+**`microsoft.defender_atp.rbacGroupName`**
+:   User group related to the alert
+
+type: keyword
+
+
+**`microsoft.defender_atp.evidence.domainName`**
+:   Domain name related to the alert
+
+type: keyword
+
+
+**`microsoft.defender_atp.evidence.ipAddress`**
+:   IP address involved in the alert
+
+type: ip
+
+
+**`microsoft.defender_atp.evidence.aadUserId`**
+:   ID of the user involved in the alert
+
+type: keyword
+
+
+**`microsoft.defender_atp.evidence.accountName`**
+:   Username of the user involved in the alert
+
+type: keyword
+
+
+**`microsoft.defender_atp.evidence.entityType`**
+:   The type of evidence
+
+type: keyword
+
+
+**`microsoft.defender_atp.evidence.userPrincipalName`**
+:   Principal name of the user involved in the alert
+
+type: keyword
+
+
+
+## microsoft.m365_defender [_microsoft_m365_defender]
+
+Module for ingesting Microsoft Defender ATP.
+
+**`microsoft.m365_defender.incidentId`**
+:   Unique identifier to represent the incident.
+
+type: keyword
+
+
+**`microsoft.m365_defender.redirectIncidentId`**
+:   Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic.
+
+type: keyword
+
+
+**`microsoft.m365_defender.incidentName`**
+:   Name of the Incident.
+
+type: keyword
+
+
+**`microsoft.m365_defender.determination`**
+:   Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other.
+
+type: keyword
+
+
+**`microsoft.m365_defender.investigationState`**
+:   The current state of the Investigation.
+
+type: keyword
+
+
+**`microsoft.m365_defender.assignedTo`**
+:   Owner of the alert.
+
+type: keyword
+
+
+**`microsoft.m365_defender.tags`**
+:   Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic.
+
+type: keyword
+
+
+**`microsoft.m365_defender.status`**
+:   Specifies the current status of the alert. Possible values are: *Unknown*, *New*, *InProgress* and *Resolved*.
+
+type: keyword
+
+
+**`microsoft.m365_defender.classification`**
+:   Specification of the alert. Possible values are: *Unknown*, *FalsePositive*, *TruePositive*.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.incidentId`**
+:   Unique identifier to represent the incident this alert is associated with.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.resolvedTime`**
+:   Time when alert was resolved.
+
+type: date
+
+
+**`microsoft.m365_defender.alerts.status`**
+:   Categorize alerts (as New, Active, or Resolved).
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.severity`**
+:   The severity of the related alert.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.creationTime`**
+:   Time when alert was first created.
+
+type: date
+
+
+**`microsoft.m365_defender.alerts.lastUpdatedTime`**
+:   Time when alert was last updated.
+
+type: date
+
+
+**`microsoft.m365_defender.alerts.investigationId`**
+:   The automated investigation id triggered by this alert.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.userSid`**
+:   The SID of the related user
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.detectionSource`**
+:   The service that initially detected the threat.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.classification`**
+:   The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive or null.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.investigationState`**
+:   Information on the investigation’s current status.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.determination`**
+:   Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other or null
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.assignedTo`**
+:   Owner of the incident, or null if no owner is assigned.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.actorName`**
+:   The activity group, if any, the associated with this alert.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.threatFamilyName`**
+:   Threat family associated with this alert.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.mitreTechniques`**
+:   The attack techniques, as aligned with the MITRE ATT&CK™ framework.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.entityType`**
+:   Entities that have been identified to be part of, or related to, a given alert. The properties values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.accountName`**
+:   Account name of the related user.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.mailboxDisplayName`**
+:   The display name of the related mailbox.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.mailboxAddress`**
+:   The mail address of the related mailbox.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.clusterBy`**
+:   A list of metadata if the entityType is MailCluster.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.sender`**
+:   The sender for the related email message.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.recipient`**
+:   The recipient for the related email message.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.subject`**
+:   The subject for the related email message.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.deliveryAction`**
+:   The delivery status for the related email message.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.securityGroupId`**
+:   The Security Group ID for the user related to the email message.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.securityGroupName`**
+:   The Security Group Name for the user related to the email message.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.registryHive`**
+:   Reference to which Hive in registry the event is related to, if eventType is registry. Example: HKEY_LOCAL_MACHINE.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.registryKey`**
+:   Reference to the related registry key to the event.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.registryValueType`**
+:   Value type of the registry key/value pair related to the event.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.deviceId`**
+:   The unique ID of the device related to the event.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.entities.ipAddress`**
+:   The related IP address to the event.
+
+type: keyword
+
+
+**`microsoft.m365_defender.alerts.devices`**
+:   The devices related to the investigation.
+
+type: flattened
+
+
diff --git a/docs/reference/filebeat/exported-fields-misp.md b/docs/reference/filebeat/exported-fields-misp.md
new file mode 100644
index 000000000000..bd784f759931
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-misp.md
@@ -0,0 +1,657 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-misp.html
+---
+
+# MISP fields [exported-fields-misp]
+
+Module for handling threat information from MISP.
+
+
+## misp [_misp]
+
+Fields from MISP threat information.
+
+
+## attack_pattern [_attack_pattern]
+
+Fields provide support for specifying information about attack patterns.
+
+**`misp.attack_pattern.id`**
+:   Identifier of the threat indicator.
+
+type: keyword
+
+
+**`misp.attack_pattern.name`**
+:   Name of the attack pattern.
+
+type: keyword
+
+
+**`misp.attack_pattern.description`**
+:   Description of the attack pattern.
+
+type: text
+
+
+**`misp.attack_pattern.kill_chain_phases`**
+:   The kill chain phase(s) to which this attack pattern corresponds.
+
+type: keyword
+
+
+
+## campaign [_campaign]
+
+Fields provide support for specifying information about campaigns.
+
+**`misp.campaign.id`**
+:   Identifier of the campaign.
+
+type: keyword
+
+
+**`misp.campaign.name`**
+:   Name of the campaign.
+
+type: keyword
+
+
+**`misp.campaign.description`**
+:   Description of the campaign.
+
+type: text
+
+
+**`misp.campaign.aliases`**
+:   Alternative names used to identify this campaign.
+
+type: text
+
+
+**`misp.campaign.first_seen`**
+:   The time that this Campaign was first seen, in RFC3339 format.
+
+type: date
+
+
+**`misp.campaign.last_seen`**
+:   The time that this Campaign was last seen, in RFC3339 format.
+
+type: date
+
+
+**`misp.campaign.objective`**
+:   This field defines the Campaign’s primary goal, objective, desired outcome, or intended effect.
+
+type: keyword
+
+
+
+## course_of_action [_course_of_action]
+
+A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress.
+
+**`misp.course_of_action.id`**
+:   Identifier of the Course of Action.
+
+type: keyword
+
+
+**`misp.course_of_action.name`**
+:   The name used to identify the Course of Action.
+
+type: keyword
+
+
+**`misp.course_of_action.description`**
+:   Description of the Course of Action.
+
+type: text
+
+
+
+## identity [_identity_2]
+
+Identity can represent actual individuals, organizations, or groups, as well as classes of individuals, organizations, or groups.
+
+**`misp.identity.id`**
+:   Identifier of the Identity.
+
+type: keyword
+
+
+**`misp.identity.name`**
+:   The name used to identify the Identity.
+
+type: keyword
+
+
+**`misp.identity.description`**
+:   Description of the Identity.
+
+type: text
+
+
+**`misp.identity.identity_class`**
+:   The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov
+
+type: keyword
+
+
+**`misp.identity.labels`**
+:   The list of roles that this Identity performs.
+
+type: keyword
+
+example: CEO
+
+
+**`misp.identity.sectors`**
+:   The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov
+
+type: keyword
+
+
+**`misp.identity.contact_information`**
+:   The contact information (e-mail, phone number, etc.) for this Identity.
+
+type: text
+
+
+
+## intrusion_set [_intrusion_set]
+
+An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization.
+
+**`misp.intrusion_set.id`**
+:   Identifier of the Intrusion Set.
+
+type: keyword
+
+
+**`misp.intrusion_set.name`**
+:   The name used to identify the Intrusion Set.
+
+type: keyword
+
+
+**`misp.intrusion_set.description`**
+:   Description of the Intrusion Set.
+
+type: text
+
+
+**`misp.intrusion_set.aliases`**
+:   Alternative names used to identify the Intrusion Set.
+
+type: text
+
+
+**`misp.intrusion_set.first_seen`**
+:   The time that this Intrusion Set was first seen, in RFC3339 format.
+
+type: date
+
+
+**`misp.intrusion_set.last_seen`**
+:   The time that this Intrusion Set was last seen, in RFC3339 format.
+
+type: date
+
+
+**`misp.intrusion_set.goals`**
+:   The high level goals of this Intrusion Set, namely, what are they trying to do.
+
+type: text
+
+
+**`misp.intrusion_set.resource_level`**
+:   This defines the organizational level at which this Intrusion Set typically works. Open Vocab - attack-resource-level-ov
+
+type: text
+
+
+**`misp.intrusion_set.primary_motivation`**
+:   The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab - attack-motivation-ov
+
+type: text
+
+
+**`misp.intrusion_set.secondary_motivations`**
+:   The secondary reasons, motivations, or purposes behind this Intrusion Set. Open Vocab - attack-motivation-ov
+
+type: text
+
+
+
+## malware [_malware]
+
+Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.
+
+**`misp.malware.id`**
+:   Identifier of the Malware.
+
+type: keyword
+
+
+**`misp.malware.name`**
+:   The name used to identify the Malware.
+
+type: keyword
+
+
+**`misp.malware.description`**
+:   Description of the Malware.
+
+type: text
+
+
+**`misp.malware.labels`**
+:   The type of malware being described.  Open Vocab - malware-label-ov.  adware,backdoor,bot,ddos,dropper,exploit-kit,keylogger,ransomware, remote-access-trojan,resource-exploitation,rogue-security-software,rootkit, screen-capture,spyware,trojan,virus,worm
+
+type: keyword
+
+
+**`misp.malware.kill_chain_phases`**
+:   The list of kill chain phases for which this Malware instance can be used.
+
+type: keyword
+
+format: string
+
+
+
+## note [_note]
+
+A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object.
+
+**`misp.note.id`**
+:   Identifier of the Note.
+
+type: keyword
+
+
+**`misp.note.summary`**
+:   A brief description used as a summary of the Note.
+
+type: keyword
+
+
+**`misp.note.description`**
+:   The content of the Note.
+
+type: text
+
+
+**`misp.note.authors`**
+:   The name of the author(s) of this Note.
+
+type: keyword
+
+
+**`misp.note.object_refs`**
+:   The STIX Objects (SDOs and SROs) that the note is being applied to.
+
+type: keyword
+
+
+
+## threat_indicator [_threat_indicator]
+
+Fields provide support for specifying information about threat indicators, and related matching patterns.
+
+**`misp.threat_indicator.labels`**
+:   list of type open-vocab that specifies the type of indicator.
+
+type: keyword
+
+example: Domain Watchlist
+
+
+**`misp.threat_indicator.id`**
+:   Identifier of the threat indicator.
+
+type: keyword
+
+
+**`misp.threat_indicator.version`**
+:   Version of the threat indicator.
+
+type: keyword
+
+
+**`misp.threat_indicator.type`**
+:   Type of the threat indicator.
+
+type: keyword
+
+
+**`misp.threat_indicator.description`**
+:   Description of the threat indicator.
+
+type: text
+
+
+**`misp.threat_indicator.feed`**
+:   Name of the threat feed.
+
+type: text
+
+
+**`misp.threat_indicator.valid_from`**
+:   The time from which this Indicator should be considered valuable  intelligence, in RFC3339 format.
+
+type: date
+
+
+**`misp.threat_indicator.valid_until`**
+:   The time at which this Indicator should no longer be considered valuable intelligence. If the valid_until property is omitted, then there is no constraint on the latest time for which the indicator should be used, in RFC3339 format.
+
+type: date
+
+
+**`misp.threat_indicator.severity`**
+:   Threat severity to which this indicator corresponds.
+
+type: keyword
+
+example: high
+
+format: string
+
+
+**`misp.threat_indicator.confidence`**
+:   Confidence level to which this indicator corresponds.
+
+type: keyword
+
+example: high
+
+
+**`misp.threat_indicator.kill_chain_phases`**
+:   The kill chain phase(s) to which this indicator corresponds.
+
+type: keyword
+
+format: string
+
+
+**`misp.threat_indicator.mitre_tactic`**
+:   MITRE tactics to which this indicator corresponds.
+
+type: keyword
+
+example: Initial Access
+
+format: string
+
+
+**`misp.threat_indicator.mitre_technique`**
+:   MITRE techniques to which this indicator corresponds.
+
+type: keyword
+
+example: Drive-by Compromise
+
+format: string
+
+
+**`misp.threat_indicator.attack_pattern`**
+:   The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning.
+
+type: keyword
+
+example: [destination:ip = *91.219.29.188/32*]
+
+
+**`misp.threat_indicator.attack_pattern_kql`**
+:   The attack_pattern for this indicator is KQL query that matches the attack_pattern specified in the STIX Pattern format.
+
+type: keyword
+
+example: destination.ip: "91.219.29.188/32"
+
+
+**`misp.threat_indicator.negate`**
+:   When set to true, it specifies the absence of the attack_pattern.
+
+type: boolean
+
+
+**`misp.threat_indicator.intrusion_set`**
+:   Name of the intrusion set if known.
+
+type: keyword
+
+
+**`misp.threat_indicator.campaign`**
+:   Name of the attack campaign if known.
+
+type: keyword
+
+
+**`misp.threat_indicator.threat_actor`**
+:   Name of the threat actor if known.
+
+type: keyword
+
+
+
+## observed_data [_observed_data]
+
+Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification.
+
+**`misp.observed_data.id`**
+:   Identifier of the Observed Data.
+
+type: keyword
+
+
+**`misp.observed_data.first_observed`**
+:   The beginning of the time window that the data was observed, in RFC3339 format.
+
+type: date
+
+
+**`misp.observed_data.last_observed`**
+:   The end of the time window that the data was observed, in RFC3339 format.
+
+type: date
+
+
+**`misp.observed_data.number_observed`**
+:   The number of times the data represented in the objects property was observed. This MUST be an integer between 1 and 999,999,999 inclusive.
+
+type: integer
+
+
+**`misp.observed_data.objects`**
+:   A dictionary of Cyber Observable Objects that describes the single fact that was observed.
+
+type: keyword
+
+
+
+## report [_report]
+
+Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.
+
+**`misp.report.id`**
+:   Identifier of the Report.
+
+type: keyword
+
+
+**`misp.report.labels`**
+:   This field is an Open Vocabulary that specifies the primary subject of this report.  Open Vocab - report-label-ov. threat-report,attack-pattern,campaign,identity,indicator,malware,observed-data,threat-actor,tool,vulnerability
+
+type: keyword
+
+
+**`misp.report.name`**
+:   The name used to identify the Report.
+
+type: keyword
+
+
+**`misp.report.description`**
+:   A description that provides more details and context about Report.
+
+type: text
+
+
+**`misp.report.published`**
+:   The date that this report object was officially published by the creator of this report, in RFC3339 format.
+
+type: date
+
+
+**`misp.report.object_refs`**
+:   Specifies the STIX Objects that are referred to by this Report.
+
+type: text
+
+
+
+## threat_actor [_threat_actor]
+
+Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent.
+
+**`misp.threat_actor.id`**
+:   Identifier of the Threat Actor.
+
+type: keyword
+
+
+**`misp.threat_actor.labels`**
+:   This field specifies the type of threat actor.  Open Vocab - threat-actor-label-ov. activist,competitor,crime-syndicate,criminal,hacker,insider-accidental,insider-disgruntled,nation-state,sensationalist,spy,terrorist
+
+type: keyword
+
+
+**`misp.threat_actor.name`**
+:   The name used to identify this Threat Actor or Threat Actor group.
+
+type: keyword
+
+
+**`misp.threat_actor.description`**
+:   A description that provides more details and context about the Threat Actor.
+
+type: text
+
+
+**`misp.threat_actor.aliases`**
+:   A list of other names that this Threat Actor is believed to use.
+
+type: text
+
+
+**`misp.threat_actor.roles`**
+:   This is a list of roles the Threat Actor plays.  Open Vocab - threat-actor-role-ov. agent,director,independent,sponsor,infrastructure-operator,infrastructure-architect,malware-author
+
+type: text
+
+
+**`misp.threat_actor.goals`**
+:   The high level goals of this Threat Actor, namely, what are they trying to do.
+
+type: text
+
+
+**`misp.threat_actor.sophistication`**
+:   The skill, specific knowledge, special training, or expertise a Threat Actor  must have to perform the attack.  Open Vocab - threat-actor-sophistication-ov. none,minimal,intermediate,advanced,strategic,expert,innovator
+
+type: text
+
+
+**`misp.threat_actor.resource_level`**
+:   This defines the organizational level at which this Threat Actor typically works.  Open Vocab - attack-resource-level-ov. individual,club,contest,team,organization,government
+
+type: text
+
+
+**`misp.threat_actor.primary_motivation`**
+:   The primary reason, motivation, or purpose behind this Threat Actor.  Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable
+
+type: text
+
+
+**`misp.threat_actor.secondary_motivations`**
+:   The secondary reasons, motivations, or purposes behind this Threat Actor.  Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable
+
+type: text
+
+
+**`misp.threat_actor.personal_motivations`**
+:   The personal reasons, motivations, or purposes of the Threat Actor regardless of  organizational goals. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable
+
+type: text
+
+
+
+## tool [_tool]
+
+Tools are legitimate software that can be used by threat actors to perform attacks.
+
+**`misp.tool.id`**
+:   Identifier of the Tool.
+
+type: keyword
+
+
+**`misp.tool.labels`**
+:   The kind(s) of tool(s) being described.  Open Vocab - tool-label-ov. denial-of-service,exploitation,information-gathering,network-capture,credential-exploitation,remote-access,vulnerability-scanning
+
+type: keyword
+
+
+**`misp.tool.name`**
+:   The name used to identify the Tool.
+
+type: keyword
+
+
+**`misp.tool.description`**
+:   A description that provides more details and context about the Tool.
+
+type: text
+
+
+**`misp.tool.tool_version`**
+:   The version identifier associated with the Tool.
+
+type: keyword
+
+
+**`misp.tool.kill_chain_phases`**
+:   The list of kill chain phases for which this Tool instance can be used.
+
+type: text
+
+
+
+## vulnerability [_vulnerability_2]
+
+A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.
+
+**`misp.vulnerability.id`**
+:   Identifier of the Vulnerability.
+
+type: keyword
+
+
+**`misp.vulnerability.name`**
+:   The name used to identify the Vulnerability.
+
+type: keyword
+
+
+**`misp.vulnerability.description`**
+:   A description that provides more details and context about the Vulnerability.
+
+type: text
+
+
diff --git a/docs/reference/filebeat/exported-fields-mongodb.md b/docs/reference/filebeat/exported-fields-mongodb.md
new file mode 100644
index 000000000000..ece3e38488d0
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-mongodb.md
@@ -0,0 +1,55 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-mongodb.html
+---
+
+# mongodb fields [exported-fields-mongodb]
+
+Module for parsing MongoDB log files.
+
+
+## mongodb [_mongodb]
+
+Fields from MongoDB logs.
+
+
+## log [_log_8]
+
+Contains fields from MongoDB logs.
+
+**`mongodb.log.component`**
+:   Functional categorization of message
+
+type: keyword
+
+example: COMMAND
+
+
+**`mongodb.log.context`**
+:   Context of message
+
+type: keyword
+
+example: initandlisten
+
+
+**`mongodb.log.severity`**
+:   type: alias
+
+alias to: log.level
+
+
+**`mongodb.log.message`**
+:   type: alias
+
+alias to: message
+
+
+**`mongodb.log.id`**
+:   Integer representing the unique identifier of the log statement
+
+type: long
+
+example: 4615611
+
+
diff --git a/docs/reference/filebeat/exported-fields-mssql.md b/docs/reference/filebeat/exported-fields-mssql.md
new file mode 100644
index 000000000000..6067d30ea6ea
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-mssql.md
@@ -0,0 +1,25 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-mssql.html
+---
+
+# mssql fields [exported-fields-mssql]
+
+MS SQL Filebeat Module
+
+
+## mssql [_mssql]
+
+Fields from the MSSQL log files
+
+
+## log [_log_9]
+
+Common log fields
+
+**`mssql.log.origin`**
+:   Origin of the message, usually the server but it can also be a recovery process
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-mysql.md b/docs/reference/filebeat/exported-fields-mysql.md
new file mode 100644
index 000000000000..8e07439ba140
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-mysql.md
@@ -0,0 +1,341 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-mysql.html
+---
+
+# MySQL fields [exported-fields-mysql]
+
+Module for parsing the MySQL log files.
+
+
+## mysql [_mysql]
+
+Fields from the MySQL log files.
+
+**`mysql.thread_id`**
+:   The connection or thread ID for the query.
+
+type: long
+
+
+
+## error [_error_4]
+
+Contains fields from the MySQL error logs.
+
+**`mysql.error.thread_id`**
+:   type: alias
+
+alias to: mysql.thread_id
+
+
+**`mysql.error.level`**
+:   type: alias
+
+alias to: log.level
+
+
+**`mysql.error.message`**
+:   type: alias
+
+alias to: message
+
+
+
+## slowlog [_slowlog_3]
+
+Contains fields from the MySQL slow logs.
+
+**`mysql.slowlog.lock_time.sec`**
+:   The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number.
+
+type: float
+
+
+**`mysql.slowlog.rows_sent`**
+:   The number of rows returned by the query.
+
+type: long
+
+
+**`mysql.slowlog.rows_examined`**
+:   The number of rows scanned by the query.
+
+type: long
+
+
+**`mysql.slowlog.rows_affected`**
+:   The number of rows modified by the query.
+
+type: long
+
+
+**`mysql.slowlog.bytes_sent`**
+:   The number of bytes sent to client.
+
+type: long
+
+format: bytes
+
+
+**`mysql.slowlog.bytes_received`**
+:   The number of bytes received from client.
+
+type: long
+
+format: bytes
+
+
+**`mysql.slowlog.query`**
+:   The slow query.
+
+
+**`mysql.slowlog.id`**
+:   type: alias
+
+alias to: mysql.thread_id
+
+
+**`mysql.slowlog.schema`**
+:   The schema where the slow query was executed.
+
+type: keyword
+
+
+**`mysql.slowlog.current_user`**
+:   Current authenticated user, used to determine access privileges. Can differ from the value for user.
+
+type: keyword
+
+
+**`mysql.slowlog.last_errno`**
+:   Last SQL error seen.
+
+type: keyword
+
+
+**`mysql.slowlog.killed`**
+:   Code of the reason if the query was killed.
+
+type: keyword
+
+
+**`mysql.slowlog.query_cache_hit`**
+:   Whether the query cache was hit.
+
+type: boolean
+
+
+**`mysql.slowlog.tmp_table`**
+:   Whether a temporary table was used to resolve the query.
+
+type: boolean
+
+
+**`mysql.slowlog.tmp_table_on_disk`**
+:   Whether the query needed temporary tables on disk.
+
+type: boolean
+
+
+**`mysql.slowlog.tmp_tables`**
+:   Number of temporary tables created for this query
+
+type: long
+
+
+**`mysql.slowlog.tmp_disk_tables`**
+:   Number of temporary tables created on disk for this query.
+
+type: long
+
+
+**`mysql.slowlog.tmp_table_sizes`**
+:   Size of temporary tables created for this query.
+
+type: long
+
+format: bytes
+
+
+**`mysql.slowlog.filesort`**
+:   Whether filesort optimization was used.
+
+type: boolean
+
+
+**`mysql.slowlog.filesort_on_disk`**
+:   Whether filesort optimization was used and it needed temporary tables on disk.
+
+type: boolean
+
+
+**`mysql.slowlog.priority_queue`**
+:   Whether a priority queue was used for filesort.
+
+type: boolean
+
+
+**`mysql.slowlog.full_scan`**
+:   Whether a full table scan was needed for the slow query.
+
+type: boolean
+
+
+**`mysql.slowlog.full_join`**
+:   Whether a full join was needed for the slow query (no indexes were used for joins).
+
+type: boolean
+
+
+**`mysql.slowlog.merge_passes`**
+:   Number of merge passes executed for the query.
+
+type: long
+
+
+**`mysql.slowlog.sort_merge_passes`**
+:   Number of merge passes that the sort algorithm has had to do.
+
+type: long
+
+
+**`mysql.slowlog.sort_range_count`**
+:   Number of sorts that were done using ranges.
+
+type: long
+
+
+**`mysql.slowlog.sort_rows`**
+:   Number of sorted rows.
+
+type: long
+
+
+**`mysql.slowlog.sort_scan_count`**
+:   Number of sorts that were done by scanning the table.
+
+type: long
+
+
+**`mysql.slowlog.log_slow_rate_type`**
+:   Type of slow log rate limit, it can be `session` if the rate limit is applied per session, or `query` if it applies per query.
+
+type: keyword
+
+
+**`mysql.slowlog.log_slow_rate_limit`**
+:   Slow log rate limit, a value of 100 means that one in a hundred queries or sessions are being logged.
+
+type: keyword
+
+
+**`mysql.slowlog.read_first`**
+:   The number of times the first entry in an index was read.
+
+type: long
+
+
+**`mysql.slowlog.read_last`**
+:   The number of times the last key in an index was read.
+
+type: long
+
+
+**`mysql.slowlog.read_key`**
+:   The number of requests to read a row based on a key.
+
+type: long
+
+
+**`mysql.slowlog.read_next`**
+:   The number of requests to read the next row in key order.
+
+type: long
+
+
+**`mysql.slowlog.read_prev`**
+:   The number of requests to read the previous row in key order.
+
+type: long
+
+
+**`mysql.slowlog.read_rnd`**
+:   The number of requests to read a row based on a fixed position.
+
+type: long
+
+
+**`mysql.slowlog.read_rnd_next`**
+:   The number of requests to read the next row in the data file.
+
+type: long
+
+
+
+## innodb [_innodb]
+
+Contains fields relative to InnoDB engine
+
+**`mysql.slowlog.innodb.trx_id`**
+:   Transaction ID
+
+type: keyword
+
+
+**`mysql.slowlog.innodb.io_r_ops`**
+:   Number of page read operations.
+
+type: long
+
+
+**`mysql.slowlog.innodb.io_r_bytes`**
+:   Bytes read during page read operations.
+
+type: long
+
+format: bytes
+
+
+**`mysql.slowlog.innodb.io_r_wait.sec`**
+:   How long it took to read all needed data from storage.
+
+type: long
+
+
+**`mysql.slowlog.innodb.rec_lock_wait.sec`**
+:   How long the query waited for locks.
+
+type: long
+
+
+**`mysql.slowlog.innodb.queue_wait.sec`**
+:   How long the query waited to enter the InnoDB queue and to be executed once in the queue.
+
+type: long
+
+
+**`mysql.slowlog.innodb.pages_distinct`**
+:   Approximated count of pages accessed to execute the query.
+
+type: long
+
+
+**`mysql.slowlog.user`**
+:   type: alias
+
+alias to: user.name
+
+
+**`mysql.slowlog.host`**
+:   type: alias
+
+alias to: source.domain
+
+
+**`mysql.slowlog.ip`**
+:   type: alias
+
+alias to: source.ip
+
+
diff --git a/docs/reference/filebeat/exported-fields-mysqlenterprise.md b/docs/reference/filebeat/exported-fields-mysqlenterprise.md
new file mode 100644
index 000000000000..1dd60c46621b
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-mysqlenterprise.md
@@ -0,0 +1,157 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-mysqlenterprise.html
+---
+
+# MySQL Enterprise fields [exported-fields-mysqlenterprise]
+
+MySQL Enterprise Audit module
+
+
+## mysqlenterprise [_mysqlenterprise]
+
+Fields from MySQL Enterprise Logs
+
+
+## audit [_audit_4]
+
+Module for parsing MySQL Enterprise Audit Logs
+
+**`mysqlenterprise.audit.class`**
+:   A string representing the event class. The class defines the type of event, when taken together with the event item that specifies the event subclass.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.connection_id`**
+:   An integer representing the client connection identifier. This is the same as the value returned by the CONNECTION_ID() function within the session.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.id`**
+:   An unsigned integer representing an event ID.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.connection_data.connection_type`**
+:   The security state of the connection to the server. Permitted values are tcp/ip (TCP/IP connection established without encryption), ssl (TCP/IP connection established with encryption), socket (Unix socket file connection), named_pipe (Windows named pipe connection), and shared_memory (Windows shared memory connection).
+
+type: keyword
+
+
+**`mysqlenterprise.audit.connection_data.status`**
+:   An integer representing the command status: 0 for success, nonzero if an error occurred.
+
+type: long
+
+
+**`mysqlenterprise.audit.connection_data.db`**
+:   A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.connection_data.connection_attributes`**
+:   Connection attributes that might be passed by different MySQL Clients.
+
+type: flattened
+
+
+**`mysqlenterprise.audit.general_data.command`**
+:   A string representing the type of instruction that generated the audit event, such as a command that the server received from a client.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.general_data.sql_command`**
+:   A string that indicates the SQL statement type.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.general_data.query`**
+:   A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.general_data.status`**
+:   An integer representing the command status: 0 for success, nonzero if an error occurred. This is the same as the value of the mysql_errno() C API function.
+
+type: long
+
+
+**`mysqlenterprise.audit.login.user`**
+:   A string representing the information indicating how a client connected to the server.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.login.proxy`**
+:   A string representing the proxy user. The value is empty if user proxying is not in effect.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.shutdown_data.server_id`**
+:   An integer representing the server ID. This is the same as the value of the server_id system variable.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.startup_data.server_id`**
+:   An integer representing the server ID. This is the same as the value of the server_id system variable.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.startup_data.mysql_version`**
+:   An integer representing the server ID. This is the same as the value of the server_id system variable.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.table_access_data.db`**
+:   A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.table_access_data.table`**
+:   A string representing a table name.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.table_access_data.query`**
+:   A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.table_access_data.sql_command`**
+:   A string that indicates the SQL statement type.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.account.user`**
+:   A string representing the user that the server authenticated the client as. This is the user name that the server uses for privilege checking.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.account.host`**
+:   A string representing the client host name.
+
+type: keyword
+
+
+**`mysqlenterprise.audit.login.os`**
+:   A string representing the external user name used during the authentication process, as set by the plugin used to authenticate the client.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-nats.md b/docs/reference/filebeat/exported-fields-nats.md
new file mode 100644
index 000000000000..2f481ec670d2
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-nats.md
@@ -0,0 +1,85 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-nats.html
+---
+
+# NATS fields [exported-fields-nats]
+
+Module for parsing NATS log files.
+
+
+## nats [_nats]
+
+Fields from NATS logs.
+
+
+## log [_log_10]
+
+Nats log files
+
+
+## client [_client_3]
+
+Fields from NATS logs client.
+
+**`nats.log.client.id`**
+:   The id of the client
+
+type: integer
+
+
+
+## msg [_msg]
+
+Fields from NATS logs message.
+
+**`nats.log.msg.bytes`**
+:   Size of the payload in bytes
+
+type: long
+
+format: bytes
+
+
+**`nats.log.msg.type`**
+:   The protocol message type
+
+type: keyword
+
+
+**`nats.log.msg.subject`**
+:   Subject name this message was received on
+
+type: keyword
+
+
+**`nats.log.msg.sid`**
+:   The unique alphanumeric subscription ID of the subject
+
+type: integer
+
+
+**`nats.log.msg.reply_to`**
+:   The inbox subject on which the publisher is listening for responses
+
+type: keyword
+
+
+**`nats.log.msg.max_messages`**
+:   An optional number of messages to wait for before automatically unsubscribing
+
+type: integer
+
+
+**`nats.log.msg.error.message`**
+:   Details about the error occurred
+
+type: text
+
+
+**`nats.log.msg.queue_group`**
+:   The queue group which subscriber will join
+
+type: text
+
+
diff --git a/docs/reference/filebeat/exported-fields-netflow.md b/docs/reference/filebeat/exported-fields-netflow.md
new file mode 100644
index 000000000000..4c598bbe2ce0
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-netflow.md
@@ -0,0 +1,5319 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-netflow.html
+---
+
+# NetFlow fields [exported-fields-netflow]
+
+Fields from NetFlow and IPFIX flows.
+
+
+## netflow [_netflow]
+
+Fields from NetFlow and IPFIX.
+
+**`netflow.type`**
+:   The type of NetFlow record described by this event.
+
+type: keyword
+
+
+
+## exporter [_exporter]
+
+Metadata related to the exporter device that generated this record.
+
+**`netflow.exporter.address`**
+:   Exporter’s network address in IP:port format.
+
+type: keyword
+
+
+**`netflow.exporter.source_id`**
+:   Observation domain ID to which this record belongs.
+
+type: long
+
+
+**`netflow.exporter.timestamp`**
+:   Time and date of export.
+
+type: date
+
+
+**`netflow.exporter.uptime_millis`**
+:   How long the exporter process has been running, in milliseconds.
+
+type: long
+
+
+**`netflow.exporter.version`**
+:   NetFlow version used.
+
+type: integer
+
+
+**`netflow.absolute_error`**
+:   type: double
+
+
+**`netflow.address_pool_high_threshold`**
+:   type: long
+
+
+**`netflow.address_pool_low_threshold`**
+:   type: long
+
+
+**`netflow.address_port_mapping_high_threshold`**
+:   type: long
+
+
+**`netflow.address_port_mapping_low_threshold`**
+:   type: long
+
+
+**`netflow.address_port_mapping_per_user_high_threshold`**
+:   type: long
+
+
+**`netflow.afc_protocol`**
+:   type: integer
+
+
+**`netflow.afc_protocol_name`**
+:   type: keyword
+
+
+**`netflow.anonymization_flags`**
+:   type: integer
+
+
+**`netflow.anonymization_technique`**
+:   type: integer
+
+
+**`netflow.application_business-relevance`**
+:   type: long
+
+
+**`netflow.application_category_name`**
+:   type: keyword
+
+
+**`netflow.application_description`**
+:   type: keyword
+
+
+**`netflow.application_group_name`**
+:   type: keyword
+
+
+**`netflow.application_http_uri_statistics`**
+:   type: short
+
+
+**`netflow.application_http_user-agent`**
+:   type: short
+
+
+**`netflow.application_id`**
+:   type: short
+
+
+**`netflow.application_name`**
+:   type: keyword
+
+
+**`netflow.application_sub_category_name`**
+:   type: keyword
+
+
+**`netflow.application_traffic-class`**
+:   type: long
+
+
+**`netflow.art_client_network_time_maximum`**
+:   type: long
+
+
+**`netflow.art_client_network_time_minimum`**
+:   type: long
+
+
+**`netflow.art_client_network_time_sum`**
+:   type: long
+
+
+**`netflow.art_clientpackets`**
+:   type: long
+
+
+**`netflow.art_count_late_responses`**
+:   type: long
+
+
+**`netflow.art_count_new_connections`**
+:   type: long
+
+
+**`netflow.art_count_responses`**
+:   type: long
+
+
+**`netflow.art_count_responses_histogram_bucket1`**
+:   type: long
+
+
+**`netflow.art_count_responses_histogram_bucket2`**
+:   type: long
+
+
+**`netflow.art_count_responses_histogram_bucket3`**
+:   type: long
+
+
+**`netflow.art_count_responses_histogram_bucket4`**
+:   type: long
+
+
+**`netflow.art_count_responses_histogram_bucket5`**
+:   type: long
+
+
+**`netflow.art_count_responses_histogram_bucket6`**
+:   type: long
+
+
+**`netflow.art_count_responses_histogram_bucket7`**
+:   type: long
+
+
+**`netflow.art_count_retransmissions`**
+:   type: long
+
+
+**`netflow.art_count_transactions`**
+:   type: long
+
+
+**`netflow.art_network_time_maximum`**
+:   type: long
+
+
+**`netflow.art_network_time_minimum`**
+:   type: long
+
+
+**`netflow.art_network_time_sum`**
+:   type: long
+
+
+**`netflow.art_response_time_maximum`**
+:   type: long
+
+
+**`netflow.art_response_time_minimum`**
+:   type: long
+
+
+**`netflow.art_response_time_sum`**
+:   type: long
+
+
+**`netflow.art_server_network_time_maximum`**
+:   type: long
+
+
+**`netflow.art_server_network_time_minimum`**
+:   type: long
+
+
+**`netflow.art_server_network_time_sum`**
+:   type: long
+
+
+**`netflow.art_server_response_time_maximum`**
+:   type: long
+
+
+**`netflow.art_server_response_time_minimum`**
+:   type: long
+
+
+**`netflow.art_server_response_time_sum`**
+:   type: long
+
+
+**`netflow.art_serverpackets`**
+:   type: long
+
+
+**`netflow.art_total_response_time_maximum`**
+:   type: long
+
+
+**`netflow.art_total_response_time_minimum`**
+:   type: long
+
+
+**`netflow.art_total_response_time_sum`**
+:   type: long
+
+
+**`netflow.art_total_transaction_time_maximum`**
+:   type: long
+
+
+**`netflow.art_total_transaction_time_minimum`**
+:   type: long
+
+
+**`netflow.art_total_transaction_time_sum`**
+:   type: long
+
+
+**`netflow.assembled_fragment_count`**
+:   type: long
+
+
+**`netflow.audit_counter`**
+:   type: long
+
+
+**`netflow.average_interarrival_time`**
+:   type: long
+
+
+**`netflow.bgp_destination_as_number`**
+:   type: long
+
+
+**`netflow.bgp_next_adjacent_as_number`**
+:   type: long
+
+
+**`netflow.bgp_next_hop_ipv4_address`**
+:   type: ip
+
+
+**`netflow.bgp_next_hop_ipv6_address`**
+:   type: ip
+
+
+**`netflow.bgp_prev_adjacent_as_number`**
+:   type: long
+
+
+**`netflow.bgp_source_as_number`**
+:   type: long
+
+
+**`netflow.bgp_validity_state`**
+:   type: short
+
+
+**`netflow.biflow_direction`**
+:   type: short
+
+
+**`netflow.bind_ipv4_address`**
+:   type: ip
+
+
+**`netflow.bind_transport_port`**
+:   type: integer
+
+
+**`netflow.class_id`**
+:   type: long
+
+
+**`netflow.class_name`**
+:   type: keyword
+
+
+**`netflow.classification_engine_id`**
+:   type: short
+
+
+**`netflow.collection_time_milliseconds`**
+:   type: date
+
+
+**`netflow.collector_certificate`**
+:   type: short
+
+
+**`netflow.collector_ipv4_address`**
+:   type: ip
+
+
+**`netflow.collector_ipv6_address`**
+:   type: ip
+
+
+**`netflow.collector_transport_port`**
+:   type: integer
+
+
+**`netflow.common_properties_id`**
+:   type: long
+
+
+**`netflow.confidence_level`**
+:   type: double
+
+
+**`netflow.conn_ipv4_address`**
+:   type: ip
+
+
+**`netflow.conn_transport_port`**
+:   type: integer
+
+
+**`netflow.connection_sum_duration_seconds`**
+:   type: long
+
+
+**`netflow.connection_transaction_id`**
+:   type: long
+
+
+**`netflow.conntrack_id`**
+:   type: long
+
+
+**`netflow.data_byte_count`**
+:   type: long
+
+
+**`netflow.data_link_frame_section`**
+:   type: short
+
+
+**`netflow.data_link_frame_size`**
+:   type: integer
+
+
+**`netflow.data_link_frame_type`**
+:   type: integer
+
+
+**`netflow.data_records_reliability`**
+:   type: boolean
+
+
+**`netflow.delta_flow_count`**
+:   type: long
+
+
+**`netflow.destination_ipv4_address`**
+:   type: ip
+
+
+**`netflow.destination_ipv4_prefix`**
+:   type: ip
+
+
+**`netflow.destination_ipv4_prefix_length`**
+:   type: short
+
+
+**`netflow.destination_ipv6_address`**
+:   type: ip
+
+
+**`netflow.destination_ipv6_prefix`**
+:   type: ip
+
+
+**`netflow.destination_ipv6_prefix_length`**
+:   type: short
+
+
+**`netflow.destination_mac_address`**
+:   type: keyword
+
+
+**`netflow.destination_transport_port`**
+:   type: integer
+
+
+**`netflow.digest_hash_value`**
+:   type: long
+
+
+**`netflow.distinct_count_of_destination_ip_address`**
+:   type: long
+
+
+**`netflow.distinct_count_of_destination_ipv4_address`**
+:   type: long
+
+
+**`netflow.distinct_count_of_destination_ipv6_address`**
+:   type: long
+
+
+**`netflow.distinct_count_of_source_ip_address`**
+:   type: long
+
+
+**`netflow.distinct_count_of_source_ipv4_address`**
+:   type: long
+
+
+**`netflow.distinct_count_of_source_ipv6_address`**
+:   type: long
+
+
+**`netflow.dns_authoritative`**
+:   type: short
+
+
+**`netflow.dns_cname`**
+:   type: keyword
+
+
+**`netflow.dns_id`**
+:   type: integer
+
+
+**`netflow.dns_mx_exchange`**
+:   type: keyword
+
+
+**`netflow.dns_mx_preference`**
+:   type: integer
+
+
+**`netflow.dns_nsd_name`**
+:   type: keyword
+
+
+**`netflow.dns_nx_domain`**
+:   type: short
+
+
+**`netflow.dns_ptrd_name`**
+:   type: keyword
+
+
+**`netflow.dns_qname`**
+:   type: keyword
+
+
+**`netflow.dns_qr_type`**
+:   type: integer
+
+
+**`netflow.dns_query_response`**
+:   type: short
+
+
+**`netflow.dns_rr_section`**
+:   type: short
+
+
+**`netflow.dns_soa_expire`**
+:   type: long
+
+
+**`netflow.dns_soa_minimum`**
+:   type: long
+
+
+**`netflow.dns_soa_refresh`**
+:   type: long
+
+
+**`netflow.dns_soa_retry`**
+:   type: long
+
+
+**`netflow.dns_soa_serial`**
+:   type: long
+
+
+**`netflow.dns_soam_name`**
+:   type: keyword
+
+
+**`netflow.dns_soar_name`**
+:   type: keyword
+
+
+**`netflow.dns_srv_port`**
+:   type: integer
+
+
+**`netflow.dns_srv_priority`**
+:   type: integer
+
+
+**`netflow.dns_srv_target`**
+:   type: integer
+
+
+**`netflow.dns_srv_weight`**
+:   type: integer
+
+
+**`netflow.dns_ttl`**
+:   type: long
+
+
+**`netflow.dns_txt_data`**
+:   type: keyword
+
+
+**`netflow.dot1q_customer_dei`**
+:   type: boolean
+
+
+**`netflow.dot1q_customer_destination_mac_address`**
+:   type: keyword
+
+
+**`netflow.dot1q_customer_priority`**
+:   type: short
+
+
+**`netflow.dot1q_customer_source_mac_address`**
+:   type: keyword
+
+
+**`netflow.dot1q_customer_vlan_id`**
+:   type: integer
+
+
+**`netflow.dot1q_dei`**
+:   type: boolean
+
+
+**`netflow.dot1q_priority`**
+:   type: short
+
+
+**`netflow.dot1q_service_instance_id`**
+:   type: long
+
+
+**`netflow.dot1q_service_instance_priority`**
+:   type: short
+
+
+**`netflow.dot1q_service_instance_tag`**
+:   type: short
+
+
+**`netflow.dot1q_vlan_id`**
+:   type: integer
+
+
+**`netflow.dropped_layer2_octet_delta_count`**
+:   type: long
+
+
+**`netflow.dropped_layer2_octet_total_count`**
+:   type: long
+
+
+**`netflow.dropped_octet_delta_count`**
+:   type: long
+
+
+**`netflow.dropped_octet_total_count`**
+:   type: long
+
+
+**`netflow.dropped_packet_delta_count`**
+:   type: long
+
+
+**`netflow.dropped_packet_total_count`**
+:   type: long
+
+
+**`netflow.dst_traffic_index`**
+:   type: long
+
+
+**`netflow.egress_broadcast_packet_total_count`**
+:   type: long
+
+
+**`netflow.egress_interface`**
+:   type: long
+
+
+**`netflow.egress_interface_type`**
+:   type: long
+
+
+**`netflow.egress_physical_interface`**
+:   type: long
+
+
+**`netflow.egress_unicast_packet_total_count`**
+:   type: long
+
+
+**`netflow.egress_vrfid`**
+:   type: long
+
+
+**`netflow.encrypted_technology`**
+:   type: keyword
+
+
+**`netflow.engine_id`**
+:   type: short
+
+
+**`netflow.engine_type`**
+:   type: short
+
+
+**`netflow.ethernet_header_length`**
+:   type: short
+
+
+**`netflow.ethernet_payload_length`**
+:   type: integer
+
+
+**`netflow.ethernet_total_length`**
+:   type: integer
+
+
+**`netflow.ethernet_type`**
+:   type: integer
+
+
+**`netflow.expired_fragment_count`**
+:   type: long
+
+
+**`netflow.export_interface`**
+:   type: long
+
+
+**`netflow.export_protocol_version`**
+:   type: short
+
+
+**`netflow.export_sctp_stream_id`**
+:   type: integer
+
+
+**`netflow.export_transport_protocol`**
+:   type: short
+
+
+**`netflow.exported_flow_record_total_count`**
+:   type: long
+
+
+**`netflow.exported_message_total_count`**
+:   type: long
+
+
+**`netflow.exported_octet_total_count`**
+:   type: long
+
+
+**`netflow.exporter_certificate`**
+:   type: short
+
+
+**`netflow.exporter_ipv4_address`**
+:   type: ip
+
+
+**`netflow.exporter_ipv6_address`**
+:   type: ip
+
+
+**`netflow.exporter_transport_port`**
+:   type: integer
+
+
+**`netflow.exporting_process_id`**
+:   type: long
+
+
+**`netflow.external_address_realm`**
+:   type: short
+
+
+**`netflow.firewall_event`**
+:   type: short
+
+
+**`netflow.first_eight_non_empty_packet_directions`**
+:   type: short
+
+
+**`netflow.first_non_empty_packet_size`**
+:   type: integer
+
+
+**`netflow.first_packet_banner`**
+:   type: keyword
+
+
+**`netflow.flags_and_sampler_id`**
+:   type: long
+
+
+**`netflow.flow_active_timeout`**
+:   type: integer
+
+
+**`netflow.flow_attributes`**
+:   type: integer
+
+
+**`netflow.flow_direction`**
+:   type: short
+
+
+**`netflow.flow_duration_microseconds`**
+:   type: long
+
+
+**`netflow.flow_duration_milliseconds`**
+:   type: long
+
+
+**`netflow.flow_end_delta_microseconds`**
+:   type: long
+
+
+**`netflow.flow_end_microseconds`**
+:   type: date
+
+
+**`netflow.flow_end_milliseconds`**
+:   type: date
+
+
+**`netflow.flow_end_nanoseconds`**
+:   type: date
+
+
+**`netflow.flow_end_reason`**
+:   type: short
+
+
+**`netflow.flow_end_seconds`**
+:   type: date
+
+
+**`netflow.flow_end_sys_up_time`**
+:   type: long
+
+
+**`netflow.flow_id`**
+:   type: long
+
+
+**`netflow.flow_idle_timeout`**
+:   type: integer
+
+
+**`netflow.flow_key_indicator`**
+:   type: long
+
+
+**`netflow.flow_label_ipv6`**
+:   type: long
+
+
+**`netflow.flow_sampling_time_interval`**
+:   type: long
+
+
+**`netflow.flow_sampling_time_spacing`**
+:   type: long
+
+
+**`netflow.flow_selected_flow_delta_count`**
+:   type: long
+
+
+**`netflow.flow_selected_octet_delta_count`**
+:   type: long
+
+
+**`netflow.flow_selected_packet_delta_count`**
+:   type: long
+
+
+**`netflow.flow_selector_algorithm`**
+:   type: integer
+
+
+**`netflow.flow_start_delta_microseconds`**
+:   type: long
+
+
+**`netflow.flow_start_microseconds`**
+:   type: date
+
+
+**`netflow.flow_start_milliseconds`**
+:   type: date
+
+
+**`netflow.flow_start_nanoseconds`**
+:   type: date
+
+
+**`netflow.flow_start_seconds`**
+:   type: date
+
+
+**`netflow.flow_start_sys_up_time`**
+:   type: long
+
+
+**`netflow.flow_table_flush_event_count`**
+:   type: long
+
+
+**`netflow.flow_table_peak_count`**
+:   type: long
+
+
+**`netflow.forwarding_status`**
+:   type: short
+
+
+**`netflow.fragment_flags`**
+:   type: short
+
+
+**`netflow.fragment_identification`**
+:   type: long
+
+
+**`netflow.fragment_offset`**
+:   type: integer
+
+
+**`netflow.fw_blackout_secs`**
+:   type: long
+
+
+**`netflow.fw_configured_value`**
+:   type: long
+
+
+**`netflow.fw_cts_src_sgt`**
+:   type: long
+
+
+**`netflow.fw_event_level`**
+:   type: long
+
+
+**`netflow.fw_event_level_id`**
+:   type: long
+
+
+**`netflow.fw_ext_event`**
+:   type: integer
+
+
+**`netflow.fw_ext_event_alt`**
+:   type: long
+
+
+**`netflow.fw_ext_event_desc`**
+:   type: keyword
+
+
+**`netflow.fw_half_open_count`**
+:   type: long
+
+
+**`netflow.fw_half_open_high`**
+:   type: long
+
+
+**`netflow.fw_half_open_rate`**
+:   type: long
+
+
+**`netflow.fw_max_sessions`**
+:   type: long
+
+
+**`netflow.fw_rule`**
+:   type: keyword
+
+
+**`netflow.fw_summary_pkt_count`**
+:   type: long
+
+
+**`netflow.fw_zone_pair_id`**
+:   type: long
+
+
+**`netflow.fw_zone_pair_name`**
+:   type: long
+
+
+**`netflow.global_address_mapping_high_threshold`**
+:   type: long
+
+
+**`netflow.gre_key`**
+:   type: long
+
+
+**`netflow.hash_digest_output`**
+:   type: boolean
+
+
+**`netflow.hash_flow_domain`**
+:   type: integer
+
+
+**`netflow.hash_initialiser_value`**
+:   type: long
+
+
+**`netflow.hash_ip_payload_offset`**
+:   type: long
+
+
+**`netflow.hash_ip_payload_size`**
+:   type: long
+
+
+**`netflow.hash_output_range_max`**
+:   type: long
+
+
+**`netflow.hash_output_range_min`**
+:   type: long
+
+
+**`netflow.hash_selected_range_max`**
+:   type: long
+
+
+**`netflow.hash_selected_range_min`**
+:   type: long
+
+
+**`netflow.http_content_type`**
+:   type: keyword
+
+
+**`netflow.http_message_version`**
+:   type: keyword
+
+
+**`netflow.http_reason_phrase`**
+:   type: keyword
+
+
+**`netflow.http_request_host`**
+:   type: keyword
+
+
+**`netflow.http_request_method`**
+:   type: keyword
+
+
+**`netflow.http_request_target`**
+:   type: keyword
+
+
+**`netflow.http_status_code`**
+:   type: integer
+
+
+**`netflow.http_user_agent`**
+:   type: keyword
+
+
+**`netflow.icmp_code_ipv4`**
+:   type: short
+
+
+**`netflow.icmp_code_ipv6`**
+:   type: short
+
+
+**`netflow.icmp_type_code_ipv4`**
+:   type: integer
+
+
+**`netflow.icmp_type_code_ipv6`**
+:   type: integer
+
+
+**`netflow.icmp_type_ipv4`**
+:   type: short
+
+
+**`netflow.icmp_type_ipv6`**
+:   type: short
+
+
+**`netflow.igmp_type`**
+:   type: short
+
+
+**`netflow.ignored_data_record_total_count`**
+:   type: long
+
+
+**`netflow.ignored_layer2_frame_total_count`**
+:   type: long
+
+
+**`netflow.ignored_layer2_octet_total_count`**
+:   type: long
+
+
+**`netflow.ignored_octet_total_count`**
+:   type: long
+
+
+**`netflow.ignored_packet_total_count`**
+:   type: long
+
+
+**`netflow.information_element_data_type`**
+:   type: short
+
+
+**`netflow.information_element_description`**
+:   type: keyword
+
+
+**`netflow.information_element_id`**
+:   type: integer
+
+
+**`netflow.information_element_index`**
+:   type: integer
+
+
+**`netflow.information_element_name`**
+:   type: keyword
+
+
+**`netflow.information_element_range_begin`**
+:   type: long
+
+
+**`netflow.information_element_range_end`**
+:   type: long
+
+
+**`netflow.information_element_semantics`**
+:   type: short
+
+
+**`netflow.information_element_units`**
+:   type: integer
+
+
+**`netflow.ingress_broadcast_packet_total_count`**
+:   type: long
+
+
+**`netflow.ingress_interface`**
+:   type: long
+
+
+**`netflow.ingress_interface_type`**
+:   type: long
+
+
+**`netflow.ingress_multicast_packet_total_count`**
+:   type: long
+
+
+**`netflow.ingress_physical_interface`**
+:   type: long
+
+
+**`netflow.ingress_unicast_packet_total_count`**
+:   type: long
+
+
+**`netflow.ingress_vrfid`**
+:   type: long
+
+
+**`netflow.initial_tcp_flags`**
+:   type: short
+
+
+**`netflow.initiator_octets`**
+:   type: long
+
+
+**`netflow.initiator_packets`**
+:   type: long
+
+
+**`netflow.interface_description`**
+:   type: keyword
+
+
+**`netflow.interface_name`**
+:   type: keyword
+
+
+**`netflow.intermediate_process_id`**
+:   type: long
+
+
+**`netflow.internal_address_realm`**
+:   type: short
+
+
+**`netflow.ip_class_of_service`**
+:   type: short
+
+
+**`netflow.ip_diff_serv_code_point`**
+:   type: short
+
+
+**`netflow.ip_header_length`**
+:   type: short
+
+
+**`netflow.ip_header_packet_section`**
+:   type: short
+
+
+**`netflow.ip_next_hop_ipv4_address`**
+:   type: ip
+
+
+**`netflow.ip_next_hop_ipv6_address`**
+:   type: ip
+
+
+**`netflow.ip_payload_length`**
+:   type: long
+
+
+**`netflow.ip_payload_packet_section`**
+:   type: short
+
+
+**`netflow.ip_precedence`**
+:   type: short
+
+
+**`netflow.ip_sec_spi`**
+:   type: long
+
+
+**`netflow.ip_total_length`**
+:   type: long
+
+
+**`netflow.ip_ttl`**
+:   type: short
+
+
+**`netflow.ip_version`**
+:   type: short
+
+
+**`netflow.ipv4_ihl`**
+:   type: short
+
+
+**`netflow.ipv4_options`**
+:   type: long
+
+
+**`netflow.ipv4_router_sc`**
+:   type: ip
+
+
+**`netflow.ipv6_extension_headers`**
+:   type: long
+
+
+**`netflow.is_multicast`**
+:   type: short
+
+
+**`netflow.ixia_browser_id`**
+:   type: short
+
+
+**`netflow.ixia_browser_name`**
+:   type: keyword
+
+
+**`netflow.ixia_device_id`**
+:   type: short
+
+
+**`netflow.ixia_device_name`**
+:   type: keyword
+
+
+**`netflow.ixia_dns_answer`**
+:   type: keyword
+
+
+**`netflow.ixia_dns_classes`**
+:   type: keyword
+
+
+**`netflow.ixia_dns_query`**
+:   type: keyword
+
+
+**`netflow.ixia_dns_record_txt`**
+:   type: keyword
+
+
+**`netflow.ixia_dst_as_name`**
+:   type: keyword
+
+
+**`netflow.ixia_dst_city_name`**
+:   type: keyword
+
+
+**`netflow.ixia_dst_country_code`**
+:   type: keyword
+
+
+**`netflow.ixia_dst_country_name`**
+:   type: keyword
+
+
+**`netflow.ixia_dst_latitude`**
+:   type: float
+
+
+**`netflow.ixia_dst_longitude`**
+:   type: float
+
+
+**`netflow.ixia_dst_region_code`**
+:   type: keyword
+
+
+**`netflow.ixia_dst_region_node`**
+:   type: keyword
+
+
+**`netflow.ixia_encrypt_cipher`**
+:   type: keyword
+
+
+**`netflow.ixia_encrypt_key_length`**
+:   type: integer
+
+
+**`netflow.ixia_encrypt_type`**
+:   type: keyword
+
+
+**`netflow.ixia_http_host_name`**
+:   type: keyword
+
+
+**`netflow.ixia_http_uri`**
+:   type: keyword
+
+
+**`netflow.ixia_http_user_agent`**
+:   type: keyword
+
+
+**`netflow.ixia_imsi_subscriber`**
+:   type: keyword
+
+
+**`netflow.ixia_l7_app_id`**
+:   type: long
+
+
+**`netflow.ixia_l7_app_name`**
+:   type: keyword
+
+
+**`netflow.ixia_latency`**
+:   type: long
+
+
+**`netflow.ixia_rev_octet_delta_count`**
+:   type: long
+
+
+**`netflow.ixia_rev_packet_delta_count`**
+:   type: long
+
+
+**`netflow.ixia_src_as_name`**
+:   type: keyword
+
+
+**`netflow.ixia_src_city_name`**
+:   type: keyword
+
+
+**`netflow.ixia_src_country_code`**
+:   type: keyword
+
+
+**`netflow.ixia_src_country_name`**
+:   type: keyword
+
+
+**`netflow.ixia_src_latitude`**
+:   type: float
+
+
+**`netflow.ixia_src_longitude`**
+:   type: float
+
+
+**`netflow.ixia_src_region_code`**
+:   type: keyword
+
+
+**`netflow.ixia_src_region_name`**
+:   type: keyword
+
+
+**`netflow.ixia_threat_ipv4`**
+:   type: ip
+
+
+**`netflow.ixia_threat_ipv6`**
+:   type: ip
+
+
+**`netflow.ixia_threat_type`**
+:   type: keyword
+
+
+**`netflow.large_packet_count`**
+:   type: long
+
+
+**`netflow.layer2_frame_delta_count`**
+:   type: long
+
+
+**`netflow.layer2_frame_total_count`**
+:   type: long
+
+
+**`netflow.layer2_octet_delta_count`**
+:   type: long
+
+
+**`netflow.layer2_octet_delta_sum_of_squares`**
+:   type: long
+
+
+**`netflow.layer2_octet_total_count`**
+:   type: long
+
+
+**`netflow.layer2_octet_total_sum_of_squares`**
+:   type: long
+
+
+**`netflow.layer2_segment_id`**
+:   type: long
+
+
+**`netflow.layer2packet_section_data`**
+:   type: short
+
+
+**`netflow.layer2packet_section_offset`**
+:   type: integer
+
+
+**`netflow.layer2packet_section_size`**
+:   type: integer
+
+
+**`netflow.line_card_id`**
+:   type: long
+
+
+**`netflow.log_op`**
+:   type: short
+
+
+**`netflow.lower_ci_limit`**
+:   type: double
+
+
+**`netflow.mark`**
+:   type: long
+
+
+**`netflow.max_bib_entries`**
+:   type: long
+
+
+**`netflow.max_entries_per_user`**
+:   type: long
+
+
+**`netflow.max_export_seconds`**
+:   type: date
+
+
+**`netflow.max_flow_end_microseconds`**
+:   type: date
+
+
+**`netflow.max_flow_end_milliseconds`**
+:   type: date
+
+
+**`netflow.max_flow_end_nanoseconds`**
+:   type: date
+
+
+**`netflow.max_flow_end_seconds`**
+:   type: date
+
+
+**`netflow.max_fragments_pending_reassembly`**
+:   type: long
+
+
+**`netflow.max_packet_size`**
+:   type: integer
+
+
+**`netflow.max_session_entries`**
+:   type: long
+
+
+**`netflow.max_subscribers`**
+:   type: long
+
+
+**`netflow.maximum_ip_total_length`**
+:   type: long
+
+
+**`netflow.maximum_layer2_total_length`**
+:   type: long
+
+
+**`netflow.maximum_ttl`**
+:   type: short
+
+
+**`netflow.mean_flow_rate`**
+:   type: long
+
+
+**`netflow.mean_packet_rate`**
+:   type: long
+
+
+**`netflow.message_md5_checksum`**
+:   type: short
+
+
+**`netflow.message_scope`**
+:   type: short
+
+
+**`netflow.metering_process_id`**
+:   type: long
+
+
+**`netflow.metro_evc_id`**
+:   type: keyword
+
+
+**`netflow.metro_evc_type`**
+:   type: short
+
+
+**`netflow.mib_capture_time_semantics`**
+:   type: short
+
+
+**`netflow.mib_context_engine_id`**
+:   type: short
+
+
+**`netflow.mib_context_name`**
+:   type: keyword
+
+
+**`netflow.mib_index_indicator`**
+:   type: long
+
+
+**`netflow.mib_module_name`**
+:   type: keyword
+
+
+**`netflow.mib_object_description`**
+:   type: keyword
+
+
+**`netflow.mib_object_identifier`**
+:   type: short
+
+
+**`netflow.mib_object_name`**
+:   type: keyword
+
+
+**`netflow.mib_object_syntax`**
+:   type: keyword
+
+
+**`netflow.mib_object_value_bits`**
+:   type: short
+
+
+**`netflow.mib_object_value_counter`**
+:   type: long
+
+
+**`netflow.mib_object_value_gauge`**
+:   type: long
+
+
+**`netflow.mib_object_value_integer`**
+:   type: integer
+
+
+**`netflow.mib_object_value_ip_address`**
+:   type: ip
+
+
+**`netflow.mib_object_value_octet_string`**
+:   type: short
+
+
+**`netflow.mib_object_value_oid`**
+:   type: short
+
+
+**`netflow.mib_object_value_time_ticks`**
+:   type: long
+
+
+**`netflow.mib_object_value_unsigned`**
+:   type: long
+
+
+**`netflow.mib_sub_identifier`**
+:   type: long
+
+
+**`netflow.min_export_seconds`**
+:   type: date
+
+
+**`netflow.min_flow_start_microseconds`**
+:   type: date
+
+
+**`netflow.min_flow_start_milliseconds`**
+:   type: date
+
+
+**`netflow.min_flow_start_nanoseconds`**
+:   type: date
+
+
+**`netflow.min_flow_start_seconds`**
+:   type: date
+
+
+**`netflow.minimum_ip_total_length`**
+:   type: long
+
+
+**`netflow.minimum_layer2_total_length`**
+:   type: long
+
+
+**`netflow.minimum_ttl`**
+:   type: short
+
+
+**`netflow.mobile_imsi`**
+:   type: keyword
+
+
+**`netflow.mobile_msisdn`**
+:   type: keyword
+
+
+**`netflow.monitoring_interval_end_milli_seconds`**
+:   type: date
+
+
+**`netflow.monitoring_interval_start_milli_seconds`**
+:   type: date
+
+
+**`netflow.mpls_label_stack_depth`**
+:   type: long
+
+
+**`netflow.mpls_label_stack_length`**
+:   type: long
+
+
+**`netflow.mpls_label_stack_section`**
+:   type: short
+
+
+**`netflow.mpls_label_stack_section10`**
+:   type: short
+
+
+**`netflow.mpls_label_stack_section2`**
+:   type: short
+
+
+**`netflow.mpls_label_stack_section3`**
+:   type: short
+
+
+**`netflow.mpls_label_stack_section4`**
+:   type: short
+
+
+**`netflow.mpls_label_stack_section5`**
+:   type: short
+
+
+**`netflow.mpls_label_stack_section6`**
+:   type: short
+
+
+**`netflow.mpls_label_stack_section7`**
+:   type: short
+
+
+**`netflow.mpls_label_stack_section8`**
+:   type: short
+
+
+**`netflow.mpls_label_stack_section9`**
+:   type: short
+
+
+**`netflow.mpls_payload_length`**
+:   type: long
+
+
+**`netflow.mpls_payload_packet_section`**
+:   type: short
+
+
+**`netflow.mpls_top_label_exp`**
+:   type: short
+
+
+**`netflow.mpls_top_label_ipv4_address`**
+:   type: ip
+
+
+**`netflow.mpls_top_label_ipv6_address`**
+:   type: ip
+
+
+**`netflow.mpls_top_label_prefix_length`**
+:   type: short
+
+
+**`netflow.mpls_top_label_stack_section`**
+:   type: short
+
+
+**`netflow.mpls_top_label_ttl`**
+:   type: short
+
+
+**`netflow.mpls_top_label_type`**
+:   type: short
+
+
+**`netflow.mpls_vpn_route_distinguisher`**
+:   type: short
+
+
+**`netflow.mptcp_address_id`**
+:   type: short
+
+
+**`netflow.mptcp_flags`**
+:   type: short
+
+
+**`netflow.mptcp_initial_data_sequence_number`**
+:   type: long
+
+
+**`netflow.mptcp_maximum_segment_size`**
+:   type: integer
+
+
+**`netflow.mptcp_receiver_token`**
+:   type: long
+
+
+**`netflow.multicast_replication_factor`**
+:   type: long
+
+
+**`netflow.nat_event`**
+:   type: short
+
+
+**`netflow.nat_inside_svcid`**
+:   type: integer
+
+
+**`netflow.nat_instance_id`**
+:   type: long
+
+
+**`netflow.nat_originating_address_realm`**
+:   type: short
+
+
+**`netflow.nat_outside_svcid`**
+:   type: integer
+
+
+**`netflow.nat_pool_id`**
+:   type: long
+
+
+**`netflow.nat_pool_name`**
+:   type: keyword
+
+
+**`netflow.nat_quota_exceeded_event`**
+:   type: long
+
+
+**`netflow.nat_sub_string`**
+:   type: keyword
+
+
+**`netflow.nat_threshold_event`**
+:   type: long
+
+
+**`netflow.nat_type`**
+:   type: short
+
+
+**`netflow.netscale_ica_client_version`**
+:   type: keyword
+
+
+**`netflow.netscaler_aaa_username`**
+:   type: keyword
+
+
+**`netflow.netscaler_app_name`**
+:   type: keyword
+
+
+**`netflow.netscaler_app_name_app_id`**
+:   type: long
+
+
+**`netflow.netscaler_app_name_incarnation_number`**
+:   type: long
+
+
+**`netflow.netscaler_app_template_name`**
+:   type: keyword
+
+
+**`netflow.netscaler_app_unit_name_app_id`**
+:   type: long
+
+
+**`netflow.netscaler_application_startup_duration`**
+:   type: long
+
+
+**`netflow.netscaler_application_startup_time`**
+:   type: long
+
+
+**`netflow.netscaler_cache_redir_client_connection_core_id`**
+:   type: long
+
+
+**`netflow.netscaler_cache_redir_client_connection_transaction_id`**
+:   type: long
+
+
+**`netflow.netscaler_client_rtt`**
+:   type: long
+
+
+**`netflow.netscaler_connection_chain_hop_count`**
+:   type: long
+
+
+**`netflow.netscaler_connection_chain_id`**
+:   type: short
+
+
+**`netflow.netscaler_connection_id`**
+:   type: long
+
+
+**`netflow.netscaler_current_license_consumed`**
+:   type: long
+
+
+**`netflow.netscaler_db_clt_host_name`**
+:   type: keyword
+
+
+**`netflow.netscaler_db_database_name`**
+:   type: keyword
+
+
+**`netflow.netscaler_db_login_flags`**
+:   type: long
+
+
+**`netflow.netscaler_db_protocol_name`**
+:   type: short
+
+
+**`netflow.netscaler_db_req_string`**
+:   type: keyword
+
+
+**`netflow.netscaler_db_req_type`**
+:   type: short
+
+
+**`netflow.netscaler_db_resp_length`**
+:   type: long
+
+
+**`netflow.netscaler_db_resp_status`**
+:   type: long
+
+
+**`netflow.netscaler_db_resp_status_string`**
+:   type: keyword
+
+
+**`netflow.netscaler_db_user_name`**
+:   type: keyword
+
+
+**`netflow.netscaler_flow_flags`**
+:   type: long
+
+
+**`netflow.netscaler_http_client_interaction_end_time`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_client_interaction_start_time`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_client_render_end_time`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_client_render_start_time`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_content_type`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_domain_name`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_req_authorization`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_req_cookie`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_req_forw_fb`**
+:   type: long
+
+
+**`netflow.netscaler_http_req_forw_lb`**
+:   type: long
+
+
+**`netflow.netscaler_http_req_host`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_req_method`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_req_rcv_fb`**
+:   type: long
+
+
+**`netflow.netscaler_http_req_rcv_lb`**
+:   type: long
+
+
+**`netflow.netscaler_http_req_referer`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_req_url`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_req_user_agent`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_req_via`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_req_xforwarded_for`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_res_forw_fb`**
+:   type: long
+
+
+**`netflow.netscaler_http_res_forw_lb`**
+:   type: long
+
+
+**`netflow.netscaler_http_res_location`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_res_rcv_fb`**
+:   type: long
+
+
+**`netflow.netscaler_http_res_rcv_lb`**
+:   type: long
+
+
+**`netflow.netscaler_http_res_set_cookie`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_res_set_cookie2`**
+:   type: keyword
+
+
+**`netflow.netscaler_http_rsp_len`**
+:   type: long
+
+
+**`netflow.netscaler_http_rsp_status`**
+:   type: integer
+
+
+**`netflow.netscaler_ica_app_module_path`**
+:   type: keyword
+
+
+**`netflow.netscaler_ica_app_process_id`**
+:   type: long
+
+
+**`netflow.netscaler_ica_application_name`**
+:   type: keyword
+
+
+**`netflow.netscaler_ica_application_termination_time`**
+:   type: long
+
+
+**`netflow.netscaler_ica_application_termination_type`**
+:   type: integer
+
+
+**`netflow.netscaler_ica_channel_id1`**
+:   type: long
+
+
+**`netflow.netscaler_ica_channel_id1_bytes`**
+:   type: long
+
+
+**`netflow.netscaler_ica_channel_id2`**
+:   type: long
+
+
+**`netflow.netscaler_ica_channel_id2_bytes`**
+:   type: long
+
+
+**`netflow.netscaler_ica_channel_id3`**
+:   type: long
+
+
+**`netflow.netscaler_ica_channel_id3_bytes`**
+:   type: long
+
+
+**`netflow.netscaler_ica_channel_id4`**
+:   type: long
+
+
+**`netflow.netscaler_ica_channel_id4_bytes`**
+:   type: long
+
+
+**`netflow.netscaler_ica_channel_id5`**
+:   type: long
+
+
+**`netflow.netscaler_ica_channel_id5_bytes`**
+:   type: long
+
+
+**`netflow.netscaler_ica_client_host_name`**
+:   type: keyword
+
+
+**`netflow.netscaler_ica_client_ip`**
+:   type: ip
+
+
+**`netflow.netscaler_ica_client_launcher`**
+:   type: integer
+
+
+**`netflow.netscaler_ica_client_side_rto_count`**
+:   type: integer
+
+
+**`netflow.netscaler_ica_client_side_window_size`**
+:   type: integer
+
+
+**`netflow.netscaler_ica_client_type`**
+:   type: integer
+
+
+**`netflow.netscaler_ica_clientside_delay`**
+:   type: long
+
+
+**`netflow.netscaler_ica_clientside_jitter`**
+:   type: long
+
+
+**`netflow.netscaler_ica_clientside_packets_retransmit`**
+:   type: integer
+
+
+**`netflow.netscaler_ica_clientside_rtt`**
+:   type: long
+
+
+**`netflow.netscaler_ica_clientside_rx_bytes`**
+:   type: long
+
+
+**`netflow.netscaler_ica_clientside_srtt`**
+:   type: long
+
+
+**`netflow.netscaler_ica_clientside_tx_bytes`**
+:   type: long
+
+
+**`netflow.netscaler_ica_connection_priority`**
+:   type: integer
+
+
+**`netflow.netscaler_ica_device_serial_no`**
+:   type: long
+
+
+**`netflow.netscaler_ica_domain_name`**
+:   type: keyword
+
+
+**`netflow.netscaler_ica_flags`**
+:   type: long
+
+
+**`netflow.netscaler_ica_host_delay`**
+:   type: long
+
+
+**`netflow.netscaler_ica_l7_client_latency`**
+:   type: long
+
+
+**`netflow.netscaler_ica_l7_server_latency`**
+:   type: long
+
+
+**`netflow.netscaler_ica_launch_mechanism`**
+:   type: integer
+
+
+**`netflow.netscaler_ica_network_update_end_time`**
+:   type: long
+
+
+**`netflow.netscaler_ica_network_update_start_time`**
+:   type: long
+
+
+**`netflow.netscaler_ica_rtt`**
+:   type: long
+
+
+**`netflow.netscaler_ica_server_name`**
+:   type: keyword
+
+
+**`netflow.netscaler_ica_server_side_rto_count`**
+:   type: integer
+
+
+**`netflow.netscaler_ica_server_side_window_size`**
+:   type: integer
+
+
+**`netflow.netscaler_ica_serverside_delay`**
+:   type: long
+
+
+**`netflow.netscaler_ica_serverside_jitter`**
+:   type: long
+
+
+**`netflow.netscaler_ica_serverside_packets_retransmit`**
+:   type: integer
+
+
+**`netflow.netscaler_ica_serverside_rtt`**
+:   type: long
+
+
+**`netflow.netscaler_ica_serverside_srtt`**
+:   type: long
+
+
+**`netflow.netscaler_ica_session_end_time`**
+:   type: long
+
+
+**`netflow.netscaler_ica_session_guid`**
+:   type: short
+
+
+**`netflow.netscaler_ica_session_reconnects`**
+:   type: short
+
+
+**`netflow.netscaler_ica_session_setup_time`**
+:   type: long
+
+
+**`netflow.netscaler_ica_session_update_begin_sec`**
+:   type: long
+
+
+**`netflow.netscaler_ica_session_update_end_sec`**
+:   type: long
+
+
+**`netflow.netscaler_ica_username`**
+:   type: keyword
+
+
+**`netflow.netscaler_license_type`**
+:   type: short
+
+
+**`netflow.netscaler_main_page_core_id`**
+:   type: long
+
+
+**`netflow.netscaler_main_page_id`**
+:   type: long
+
+
+**`netflow.netscaler_max_license_count`**
+:   type: long
+
+
+**`netflow.netscaler_msi_client_cookie`**
+:   type: short
+
+
+**`netflow.netscaler_round_trip_time`**
+:   type: long
+
+
+**`netflow.netscaler_server_ttfb`**
+:   type: long
+
+
+**`netflow.netscaler_server_ttlb`**
+:   type: long
+
+
+**`netflow.netscaler_syslog_message`**
+:   type: keyword
+
+
+**`netflow.netscaler_syslog_priority`**
+:   type: short
+
+
+**`netflow.netscaler_syslog_timestamp`**
+:   type: long
+
+
+**`netflow.netscaler_transaction_id`**
+:   type: long
+
+
+**`netflow.netscaler_unknown270`**
+:   type: long
+
+
+**`netflow.netscaler_unknown271`**
+:   type: long
+
+
+**`netflow.netscaler_unknown272`**
+:   type: long
+
+
+**`netflow.netscaler_unknown273`**
+:   type: long
+
+
+**`netflow.netscaler_unknown274`**
+:   type: long
+
+
+**`netflow.netscaler_unknown275`**
+:   type: long
+
+
+**`netflow.netscaler_unknown276`**
+:   type: long
+
+
+**`netflow.netscaler_unknown277`**
+:   type: long
+
+
+**`netflow.netscaler_unknown278`**
+:   type: long
+
+
+**`netflow.netscaler_unknown279`**
+:   type: long
+
+
+**`netflow.netscaler_unknown280`**
+:   type: long
+
+
+**`netflow.netscaler_unknown281`**
+:   type: long
+
+
+**`netflow.netscaler_unknown282`**
+:   type: long
+
+
+**`netflow.netscaler_unknown283`**
+:   type: long
+
+
+**`netflow.netscaler_unknown284`**
+:   type: long
+
+
+**`netflow.netscaler_unknown285`**
+:   type: long
+
+
+**`netflow.netscaler_unknown286`**
+:   type: long
+
+
+**`netflow.netscaler_unknown287`**
+:   type: long
+
+
+**`netflow.netscaler_unknown288`**
+:   type: long
+
+
+**`netflow.netscaler_unknown289`**
+:   type: long
+
+
+**`netflow.netscaler_unknown290`**
+:   type: long
+
+
+**`netflow.netscaler_unknown291`**
+:   type: long
+
+
+**`netflow.netscaler_unknown292`**
+:   type: long
+
+
+**`netflow.netscaler_unknown293`**
+:   type: long
+
+
+**`netflow.netscaler_unknown294`**
+:   type: long
+
+
+**`netflow.netscaler_unknown295`**
+:   type: long
+
+
+**`netflow.netscaler_unknown296`**
+:   type: long
+
+
+**`netflow.netscaler_unknown297`**
+:   type: long
+
+
+**`netflow.netscaler_unknown298`**
+:   type: long
+
+
+**`netflow.netscaler_unknown299`**
+:   type: long
+
+
+**`netflow.netscaler_unknown300`**
+:   type: long
+
+
+**`netflow.netscaler_unknown301`**
+:   type: long
+
+
+**`netflow.netscaler_unknown302`**
+:   type: long
+
+
+**`netflow.netscaler_unknown303`**
+:   type: long
+
+
+**`netflow.netscaler_unknown304`**
+:   type: long
+
+
+**`netflow.netscaler_unknown305`**
+:   type: long
+
+
+**`netflow.netscaler_unknown306`**
+:   type: long
+
+
+**`netflow.netscaler_unknown307`**
+:   type: long
+
+
+**`netflow.netscaler_unknown308`**
+:   type: long
+
+
+**`netflow.netscaler_unknown309`**
+:   type: long
+
+
+**`netflow.netscaler_unknown310`**
+:   type: long
+
+
+**`netflow.netscaler_unknown311`**
+:   type: long
+
+
+**`netflow.netscaler_unknown312`**
+:   type: long
+
+
+**`netflow.netscaler_unknown313`**
+:   type: long
+
+
+**`netflow.netscaler_unknown314`**
+:   type: long
+
+
+**`netflow.netscaler_unknown315`**
+:   type: long
+
+
+**`netflow.netscaler_unknown316`**
+:   type: keyword
+
+
+**`netflow.netscaler_unknown317`**
+:   type: long
+
+
+**`netflow.netscaler_unknown318`**
+:   type: long
+
+
+**`netflow.netscaler_unknown319`**
+:   type: keyword
+
+
+**`netflow.netscaler_unknown320`**
+:   type: integer
+
+
+**`netflow.netscaler_unknown321`**
+:   type: long
+
+
+**`netflow.netscaler_unknown322`**
+:   type: long
+
+
+**`netflow.netscaler_unknown323`**
+:   type: integer
+
+
+**`netflow.netscaler_unknown324`**
+:   type: integer
+
+
+**`netflow.netscaler_unknown325`**
+:   type: integer
+
+
+**`netflow.netscaler_unknown326`**
+:   type: integer
+
+
+**`netflow.netscaler_unknown327`**
+:   type: long
+
+
+**`netflow.netscaler_unknown328`**
+:   type: integer
+
+
+**`netflow.netscaler_unknown329`**
+:   type: integer
+
+
+**`netflow.netscaler_unknown330`**
+:   type: integer
+
+
+**`netflow.netscaler_unknown331`**
+:   type: integer
+
+
+**`netflow.netscaler_unknown332`**
+:   type: long
+
+
+**`netflow.netscaler_unknown333`**
+:   type: keyword
+
+
+**`netflow.netscaler_unknown334`**
+:   type: keyword
+
+
+**`netflow.netscaler_unknown335`**
+:   type: long
+
+
+**`netflow.netscaler_unknown336`**
+:   type: long
+
+
+**`netflow.netscaler_unknown337`**
+:   type: long
+
+
+**`netflow.netscaler_unknown338`**
+:   type: long
+
+
+**`netflow.netscaler_unknown339`**
+:   type: long
+
+
+**`netflow.netscaler_unknown340`**
+:   type: long
+
+
+**`netflow.netscaler_unknown341`**
+:   type: long
+
+
+**`netflow.netscaler_unknown342`**
+:   type: long
+
+
+**`netflow.netscaler_unknown343`**
+:   type: long
+
+
+**`netflow.netscaler_unknown344`**
+:   type: long
+
+
+**`netflow.netscaler_unknown345`**
+:   type: long
+
+
+**`netflow.netscaler_unknown346`**
+:   type: long
+
+
+**`netflow.netscaler_unknown347`**
+:   type: long
+
+
+**`netflow.netscaler_unknown348`**
+:   type: integer
+
+
+**`netflow.netscaler_unknown349`**
+:   type: keyword
+
+
+**`netflow.netscaler_unknown350`**
+:   type: keyword
+
+
+**`netflow.netscaler_unknown351`**
+:   type: keyword
+
+
+**`netflow.netscaler_unknown352`**
+:   type: integer
+
+
+**`netflow.netscaler_unknown353`**
+:   type: long
+
+
+**`netflow.netscaler_unknown354`**
+:   type: long
+
+
+**`netflow.netscaler_unknown355`**
+:   type: long
+
+
+**`netflow.netscaler_unknown356`**
+:   type: long
+
+
+**`netflow.netscaler_unknown357`**
+:   type: long
+
+
+**`netflow.netscaler_unknown363`**
+:   type: short
+
+
+**`netflow.netscaler_unknown383`**
+:   type: short
+
+
+**`netflow.netscaler_unknown391`**
+:   type: long
+
+
+**`netflow.netscaler_unknown398`**
+:   type: long
+
+
+**`netflow.netscaler_unknown404`**
+:   type: long
+
+
+**`netflow.netscaler_unknown405`**
+:   type: long
+
+
+**`netflow.netscaler_unknown427`**
+:   type: long
+
+
+**`netflow.netscaler_unknown429`**
+:   type: short
+
+
+**`netflow.netscaler_unknown432`**
+:   type: short
+
+
+**`netflow.netscaler_unknown433`**
+:   type: short
+
+
+**`netflow.netscaler_unknown453`**
+:   type: long
+
+
+**`netflow.netscaler_unknown465`**
+:   type: long
+
+
+**`netflow.new_connection_delta_count`**
+:   type: long
+
+
+**`netflow.next_header_ipv6`**
+:   type: short
+
+
+**`netflow.non_empty_packet_count`**
+:   type: long
+
+
+**`netflow.not_sent_flow_total_count`**
+:   type: long
+
+
+**`netflow.not_sent_layer2_octet_total_count`**
+:   type: long
+
+
+**`netflow.not_sent_octet_total_count`**
+:   type: long
+
+
+**`netflow.not_sent_packet_total_count`**
+:   type: long
+
+
+**`netflow.observation_domain_id`**
+:   type: long
+
+
+**`netflow.observation_domain_name`**
+:   type: keyword
+
+
+**`netflow.observation_point_id`**
+:   type: long
+
+
+**`netflow.observation_point_type`**
+:   type: short
+
+
+**`netflow.observation_time_microseconds`**
+:   type: date
+
+
+**`netflow.observation_time_milliseconds`**
+:   type: date
+
+
+**`netflow.observation_time_nanoseconds`**
+:   type: date
+
+
+**`netflow.observation_time_seconds`**
+:   type: date
+
+
+**`netflow.observed_flow_total_count`**
+:   type: long
+
+
+**`netflow.octet_delta_count`**
+:   type: long
+
+
+**`netflow.octet_delta_sum_of_squares`**
+:   type: long
+
+
+**`netflow.octet_total_count`**
+:   type: long
+
+
+**`netflow.octet_total_sum_of_squares`**
+:   type: long
+
+
+**`netflow.opaque_octets`**
+:   type: short
+
+
+**`netflow.original_exporter_ipv4_address`**
+:   type: ip
+
+
+**`netflow.original_exporter_ipv6_address`**
+:   type: ip
+
+
+**`netflow.original_flows_completed`**
+:   type: long
+
+
+**`netflow.original_flows_initiated`**
+:   type: long
+
+
+**`netflow.original_flows_present`**
+:   type: long
+
+
+**`netflow.original_observation_domain_id`**
+:   type: long
+
+
+**`netflow.os_finger_print`**
+:   type: keyword
+
+
+**`netflow.os_name`**
+:   type: keyword
+
+
+**`netflow.os_version`**
+:   type: keyword
+
+
+**`netflow.p2p_technology`**
+:   type: keyword
+
+
+**`netflow.packet_delta_count`**
+:   type: long
+
+
+**`netflow.packet_total_count`**
+:   type: long
+
+
+**`netflow.padding_octets`**
+:   type: short
+
+
+**`netflow.payload`**
+:   type: keyword
+
+
+**`netflow.payload_entropy`**
+:   type: short
+
+
+**`netflow.payload_length_ipv6`**
+:   type: integer
+
+
+**`netflow.policy_qos_classification_hierarchy`**
+:   type: long
+
+
+**`netflow.policy_qos_queue_index`**
+:   type: long
+
+
+**`netflow.policy_qos_queuedrops`**
+:   type: long
+
+
+**`netflow.policy_qos_queueindex`**
+:   type: long
+
+
+**`netflow.port_id`**
+:   type: long
+
+
+**`netflow.port_range_end`**
+:   type: integer
+
+
+**`netflow.port_range_num_ports`**
+:   type: integer
+
+
+**`netflow.port_range_start`**
+:   type: integer
+
+
+**`netflow.port_range_step_size`**
+:   type: integer
+
+
+**`netflow.post_destination_mac_address`**
+:   type: keyword
+
+
+**`netflow.post_dot1q_customer_vlan_id`**
+:   type: integer
+
+
+**`netflow.post_dot1q_vlan_id`**
+:   type: integer
+
+
+**`netflow.post_ip_class_of_service`**
+:   type: short
+
+
+**`netflow.post_ip_diff_serv_code_point`**
+:   type: short
+
+
+**`netflow.post_ip_precedence`**
+:   type: short
+
+
+**`netflow.post_layer2_octet_delta_count`**
+:   type: long
+
+
+**`netflow.post_layer2_octet_total_count`**
+:   type: long
+
+
+**`netflow.post_mcast_layer2_octet_delta_count`**
+:   type: long
+
+
+**`netflow.post_mcast_layer2_octet_total_count`**
+:   type: long
+
+
+**`netflow.post_mcast_octet_delta_count`**
+:   type: long
+
+
+**`netflow.post_mcast_octet_total_count`**
+:   type: long
+
+
+**`netflow.post_mcast_packet_delta_count`**
+:   type: long
+
+
+**`netflow.post_mcast_packet_total_count`**
+:   type: long
+
+
+**`netflow.post_mpls_top_label_exp`**
+:   type: short
+
+
+**`netflow.post_napt_destination_transport_port`**
+:   type: integer
+
+
+**`netflow.post_napt_source_transport_port`**
+:   type: integer
+
+
+**`netflow.post_nat_destination_ipv4_address`**
+:   type: ip
+
+
+**`netflow.post_nat_destination_ipv6_address`**
+:   type: ip
+
+
+**`netflow.post_nat_source_ipv4_address`**
+:   type: ip
+
+
+**`netflow.post_nat_source_ipv6_address`**
+:   type: ip
+
+
+**`netflow.post_octet_delta_count`**
+:   type: long
+
+
+**`netflow.post_octet_total_count`**
+:   type: long
+
+
+**`netflow.post_packet_delta_count`**
+:   type: long
+
+
+**`netflow.post_packet_total_count`**
+:   type: long
+
+
+**`netflow.post_source_mac_address`**
+:   type: keyword
+
+
+**`netflow.post_vlan_id`**
+:   type: integer
+
+
+**`netflow.private_enterprise_number`**
+:   type: long
+
+
+**`netflow.procera_apn`**
+:   type: keyword
+
+
+**`netflow.procera_base_service`**
+:   type: keyword
+
+
+**`netflow.procera_content_categories`**
+:   type: keyword
+
+
+**`netflow.procera_device_id`**
+:   type: long
+
+
+**`netflow.procera_external_rtt`**
+:   type: integer
+
+
+**`netflow.procera_flow_behavior`**
+:   type: keyword
+
+
+**`netflow.procera_ggsn`**
+:   type: keyword
+
+
+**`netflow.procera_http_content_type`**
+:   type: keyword
+
+
+**`netflow.procera_http_file_length`**
+:   type: long
+
+
+**`netflow.procera_http_language`**
+:   type: keyword
+
+
+**`netflow.procera_http_location`**
+:   type: keyword
+
+
+**`netflow.procera_http_referer`**
+:   type: keyword
+
+
+**`netflow.procera_http_request_method`**
+:   type: keyword
+
+
+**`netflow.procera_http_request_version`**
+:   type: keyword
+
+
+**`netflow.procera_http_response_status`**
+:   type: integer
+
+
+**`netflow.procera_http_url`**
+:   type: keyword
+
+
+**`netflow.procera_http_user_agent`**
+:   type: keyword
+
+
+**`netflow.procera_imsi`**
+:   type: long
+
+
+**`netflow.procera_incoming_octets`**
+:   type: long
+
+
+**`netflow.procera_incoming_packets`**
+:   type: long
+
+
+**`netflow.procera_incoming_shaping_drops`**
+:   type: long
+
+
+**`netflow.procera_incoming_shaping_latency`**
+:   type: integer
+
+
+**`netflow.procera_internal_rtt`**
+:   type: integer
+
+
+**`netflow.procera_local_ipv4_host`**
+:   type: ip
+
+
+**`netflow.procera_local_ipv6_host`**
+:   type: ip
+
+
+**`netflow.procera_msisdn`**
+:   type: long
+
+
+**`netflow.procera_outgoing_octets`**
+:   type: long
+
+
+**`netflow.procera_outgoing_packets`**
+:   type: long
+
+
+**`netflow.procera_outgoing_shaping_drops`**
+:   type: long
+
+
+**`netflow.procera_outgoing_shaping_latency`**
+:   type: integer
+
+
+**`netflow.procera_property`**
+:   type: keyword
+
+
+**`netflow.procera_qoe_incoming_external`**
+:   type: float
+
+
+**`netflow.procera_qoe_incoming_internal`**
+:   type: float
+
+
+**`netflow.procera_qoe_outgoing_external`**
+:   type: float
+
+
+**`netflow.procera_qoe_outgoing_internal`**
+:   type: float
+
+
+**`netflow.procera_rat`**
+:   type: keyword
+
+
+**`netflow.procera_remote_ipv4_host`**
+:   type: ip
+
+
+**`netflow.procera_remote_ipv6_host`**
+:   type: ip
+
+
+**`netflow.procera_rnc`**
+:   type: integer
+
+
+**`netflow.procera_server_hostname`**
+:   type: keyword
+
+
+**`netflow.procera_service`**
+:   type: keyword
+
+
+**`netflow.procera_sgsn`**
+:   type: keyword
+
+
+**`netflow.procera_subscriber_identifier`**
+:   type: keyword
+
+
+**`netflow.procera_template_name`**
+:   type: keyword
+
+
+**`netflow.procera_user_location_information`**
+:   type: keyword
+
+
+**`netflow.protocol_identifier`**
+:   type: short
+
+
+**`netflow.pseudo_wire_control_word`**
+:   type: long
+
+
+**`netflow.pseudo_wire_destination_ipv4_address`**
+:   type: ip
+
+
+**`netflow.pseudo_wire_id`**
+:   type: long
+
+
+**`netflow.pseudo_wire_type`**
+:   type: integer
+
+
+**`netflow.reason`**
+:   type: long
+
+
+**`netflow.reason_text`**
+:   type: keyword
+
+
+**`netflow.relative_error`**
+:   type: double
+
+
+**`netflow.responder_octets`**
+:   type: long
+
+
+**`netflow.responder_packets`**
+:   type: long
+
+
+**`netflow.reverse_absolute_error`**
+:   type: double
+
+
+**`netflow.reverse_anonymization_flags`**
+:   type: integer
+
+
+**`netflow.reverse_anonymization_technique`**
+:   type: integer
+
+
+**`netflow.reverse_application_category_name`**
+:   type: keyword
+
+
+**`netflow.reverse_application_description`**
+:   type: keyword
+
+
+**`netflow.reverse_application_group_name`**
+:   type: keyword
+
+
+**`netflow.reverse_application_id`**
+:   type: keyword
+
+
+**`netflow.reverse_application_name`**
+:   type: keyword
+
+
+**`netflow.reverse_application_sub_category_name`**
+:   type: keyword
+
+
+**`netflow.reverse_average_interarrival_time`**
+:   type: long
+
+
+**`netflow.reverse_bgp_destination_as_number`**
+:   type: long
+
+
+**`netflow.reverse_bgp_next_adjacent_as_number`**
+:   type: long
+
+
+**`netflow.reverse_bgp_next_hop_ipv4_address`**
+:   type: ip
+
+
+**`netflow.reverse_bgp_next_hop_ipv6_address`**
+:   type: ip
+
+
+**`netflow.reverse_bgp_prev_adjacent_as_number`**
+:   type: long
+
+
+**`netflow.reverse_bgp_source_as_number`**
+:   type: long
+
+
+**`netflow.reverse_bgp_validity_state`**
+:   type: short
+
+
+**`netflow.reverse_class_id`**
+:   type: short
+
+
+**`netflow.reverse_class_name`**
+:   type: keyword
+
+
+**`netflow.reverse_classification_engine_id`**
+:   type: short
+
+
+**`netflow.reverse_collection_time_milliseconds`**
+:   type: long
+
+
+**`netflow.reverse_collector_certificate`**
+:   type: keyword
+
+
+**`netflow.reverse_confidence_level`**
+:   type: double
+
+
+**`netflow.reverse_connection_sum_duration_seconds`**
+:   type: long
+
+
+**`netflow.reverse_connection_transaction_id`**
+:   type: long
+
+
+**`netflow.reverse_data_byte_count`**
+:   type: long
+
+
+**`netflow.reverse_data_link_frame_section`**
+:   type: keyword
+
+
+**`netflow.reverse_data_link_frame_size`**
+:   type: integer
+
+
+**`netflow.reverse_data_link_frame_type`**
+:   type: integer
+
+
+**`netflow.reverse_data_records_reliability`**
+:   type: short
+
+
+**`netflow.reverse_delta_flow_count`**
+:   type: long
+
+
+**`netflow.reverse_destination_ipv4_address`**
+:   type: ip
+
+
+**`netflow.reverse_destination_ipv4_prefix`**
+:   type: ip
+
+
+**`netflow.reverse_destination_ipv4_prefix_length`**
+:   type: short
+
+
+**`netflow.reverse_destination_ipv6_address`**
+:   type: ip
+
+
+**`netflow.reverse_destination_ipv6_prefix`**
+:   type: ip
+
+
+**`netflow.reverse_destination_ipv6_prefix_length`**
+:   type: short
+
+
+**`netflow.reverse_destination_mac_address`**
+:   type: keyword
+
+
+**`netflow.reverse_destination_transport_port`**
+:   type: integer
+
+
+**`netflow.reverse_digest_hash_value`**
+:   type: long
+
+
+**`netflow.reverse_distinct_count_of_destination_ip_address`**
+:   type: long
+
+
+**`netflow.reverse_distinct_count_of_destination_ipv4_address`**
+:   type: long
+
+
+**`netflow.reverse_distinct_count_of_destination_ipv6_address`**
+:   type: long
+
+
+**`netflow.reverse_distinct_count_of_source_ip_address`**
+:   type: long
+
+
+**`netflow.reverse_distinct_count_of_source_ipv4_address`**
+:   type: long
+
+
+**`netflow.reverse_distinct_count_of_source_ipv6_address`**
+:   type: long
+
+
+**`netflow.reverse_dot1q_customer_dei`**
+:   type: short
+
+
+**`netflow.reverse_dot1q_customer_destination_mac_address`**
+:   type: keyword
+
+
+**`netflow.reverse_dot1q_customer_priority`**
+:   type: short
+
+
+**`netflow.reverse_dot1q_customer_source_mac_address`**
+:   type: keyword
+
+
+**`netflow.reverse_dot1q_customer_vlan_id`**
+:   type: integer
+
+
+**`netflow.reverse_dot1q_dei`**
+:   type: short
+
+
+**`netflow.reverse_dot1q_priority`**
+:   type: short
+
+
+**`netflow.reverse_dot1q_service_instance_id`**
+:   type: long
+
+
+**`netflow.reverse_dot1q_service_instance_priority`**
+:   type: short
+
+
+**`netflow.reverse_dot1q_service_instance_tag`**
+:   type: keyword
+
+
+**`netflow.reverse_dot1q_vlan_id`**
+:   type: integer
+
+
+**`netflow.reverse_dropped_layer2_octet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_dropped_layer2_octet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_dropped_octet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_dropped_octet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_dropped_packet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_dropped_packet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_dst_traffic_index`**
+:   type: long
+
+
+**`netflow.reverse_egress_broadcast_packet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_egress_interface`**
+:   type: long
+
+
+**`netflow.reverse_egress_interface_type`**
+:   type: long
+
+
+**`netflow.reverse_egress_physical_interface`**
+:   type: long
+
+
+**`netflow.reverse_egress_unicast_packet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_egress_vrfid`**
+:   type: long
+
+
+**`netflow.reverse_encrypted_technology`**
+:   type: keyword
+
+
+**`netflow.reverse_engine_id`**
+:   type: short
+
+
+**`netflow.reverse_engine_type`**
+:   type: short
+
+
+**`netflow.reverse_ethernet_header_length`**
+:   type: short
+
+
+**`netflow.reverse_ethernet_payload_length`**
+:   type: integer
+
+
+**`netflow.reverse_ethernet_total_length`**
+:   type: integer
+
+
+**`netflow.reverse_ethernet_type`**
+:   type: integer
+
+
+**`netflow.reverse_export_sctp_stream_id`**
+:   type: integer
+
+
+**`netflow.reverse_exporter_certificate`**
+:   type: keyword
+
+
+**`netflow.reverse_exporting_process_id`**
+:   type: long
+
+
+**`netflow.reverse_firewall_event`**
+:   type: short
+
+
+**`netflow.reverse_first_non_empty_packet_size`**
+:   type: integer
+
+
+**`netflow.reverse_first_packet_banner`**
+:   type: keyword
+
+
+**`netflow.reverse_flags_and_sampler_id`**
+:   type: long
+
+
+**`netflow.reverse_flow_active_timeout`**
+:   type: integer
+
+
+**`netflow.reverse_flow_attributes`**
+:   type: integer
+
+
+**`netflow.reverse_flow_delta_milliseconds`**
+:   type: long
+
+
+**`netflow.reverse_flow_direction`**
+:   type: short
+
+
+**`netflow.reverse_flow_duration_microseconds`**
+:   type: long
+
+
+**`netflow.reverse_flow_duration_milliseconds`**
+:   type: long
+
+
+**`netflow.reverse_flow_end_delta_microseconds`**
+:   type: long
+
+
+**`netflow.reverse_flow_end_microseconds`**
+:   type: long
+
+
+**`netflow.reverse_flow_end_milliseconds`**
+:   type: long
+
+
+**`netflow.reverse_flow_end_nanoseconds`**
+:   type: long
+
+
+**`netflow.reverse_flow_end_reason`**
+:   type: short
+
+
+**`netflow.reverse_flow_end_seconds`**
+:   type: long
+
+
+**`netflow.reverse_flow_end_sys_up_time`**
+:   type: long
+
+
+**`netflow.reverse_flow_idle_timeout`**
+:   type: integer
+
+
+**`netflow.reverse_flow_label_ipv6`**
+:   type: long
+
+
+**`netflow.reverse_flow_sampling_time_interval`**
+:   type: long
+
+
+**`netflow.reverse_flow_sampling_time_spacing`**
+:   type: long
+
+
+**`netflow.reverse_flow_selected_flow_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_flow_selected_octet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_flow_selected_packet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_flow_selector_algorithm`**
+:   type: integer
+
+
+**`netflow.reverse_flow_start_delta_microseconds`**
+:   type: long
+
+
+**`netflow.reverse_flow_start_microseconds`**
+:   type: long
+
+
+**`netflow.reverse_flow_start_milliseconds`**
+:   type: long
+
+
+**`netflow.reverse_flow_start_nanoseconds`**
+:   type: long
+
+
+**`netflow.reverse_flow_start_seconds`**
+:   type: long
+
+
+**`netflow.reverse_flow_start_sys_up_time`**
+:   type: long
+
+
+**`netflow.reverse_forwarding_status`**
+:   type: long
+
+
+**`netflow.reverse_fragment_flags`**
+:   type: short
+
+
+**`netflow.reverse_fragment_identification`**
+:   type: long
+
+
+**`netflow.reverse_fragment_offset`**
+:   type: integer
+
+
+**`netflow.reverse_gre_key`**
+:   type: long
+
+
+**`netflow.reverse_hash_digest_output`**
+:   type: short
+
+
+**`netflow.reverse_hash_flow_domain`**
+:   type: integer
+
+
+**`netflow.reverse_hash_initialiser_value`**
+:   type: long
+
+
+**`netflow.reverse_hash_ip_payload_offset`**
+:   type: long
+
+
+**`netflow.reverse_hash_ip_payload_size`**
+:   type: long
+
+
+**`netflow.reverse_hash_output_range_max`**
+:   type: long
+
+
+**`netflow.reverse_hash_output_range_min`**
+:   type: long
+
+
+**`netflow.reverse_hash_selected_range_max`**
+:   type: long
+
+
+**`netflow.reverse_hash_selected_range_min`**
+:   type: long
+
+
+**`netflow.reverse_icmp_code_ipv4`**
+:   type: short
+
+
+**`netflow.reverse_icmp_code_ipv6`**
+:   type: short
+
+
+**`netflow.reverse_icmp_type_code_ipv4`**
+:   type: integer
+
+
+**`netflow.reverse_icmp_type_code_ipv6`**
+:   type: integer
+
+
+**`netflow.reverse_icmp_type_ipv4`**
+:   type: short
+
+
+**`netflow.reverse_icmp_type_ipv6`**
+:   type: short
+
+
+**`netflow.reverse_igmp_type`**
+:   type: short
+
+
+**`netflow.reverse_ignored_data_record_total_count`**
+:   type: long
+
+
+**`netflow.reverse_ignored_layer2_frame_total_count`**
+:   type: long
+
+
+**`netflow.reverse_ignored_layer2_octet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_information_element_data_type`**
+:   type: short
+
+
+**`netflow.reverse_information_element_description`**
+:   type: keyword
+
+
+**`netflow.reverse_information_element_id`**
+:   type: integer
+
+
+**`netflow.reverse_information_element_index`**
+:   type: integer
+
+
+**`netflow.reverse_information_element_name`**
+:   type: keyword
+
+
+**`netflow.reverse_information_element_range_begin`**
+:   type: long
+
+
+**`netflow.reverse_information_element_range_end`**
+:   type: long
+
+
+**`netflow.reverse_information_element_semantics`**
+:   type: short
+
+
+**`netflow.reverse_information_element_units`**
+:   type: integer
+
+
+**`netflow.reverse_ingress_broadcast_packet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_ingress_interface`**
+:   type: long
+
+
+**`netflow.reverse_ingress_interface_type`**
+:   type: long
+
+
+**`netflow.reverse_ingress_multicast_packet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_ingress_physical_interface`**
+:   type: long
+
+
+**`netflow.reverse_ingress_unicast_packet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_ingress_vrfid`**
+:   type: long
+
+
+**`netflow.reverse_initial_tcp_flags`**
+:   type: short
+
+
+**`netflow.reverse_initiator_octets`**
+:   type: long
+
+
+**`netflow.reverse_initiator_packets`**
+:   type: long
+
+
+**`netflow.reverse_interface_description`**
+:   type: keyword
+
+
+**`netflow.reverse_interface_name`**
+:   type: keyword
+
+
+**`netflow.reverse_intermediate_process_id`**
+:   type: long
+
+
+**`netflow.reverse_ip_class_of_service`**
+:   type: short
+
+
+**`netflow.reverse_ip_diff_serv_code_point`**
+:   type: short
+
+
+**`netflow.reverse_ip_header_length`**
+:   type: short
+
+
+**`netflow.reverse_ip_header_packet_section`**
+:   type: keyword
+
+
+**`netflow.reverse_ip_next_hop_ipv4_address`**
+:   type: ip
+
+
+**`netflow.reverse_ip_next_hop_ipv6_address`**
+:   type: ip
+
+
+**`netflow.reverse_ip_payload_length`**
+:   type: long
+
+
+**`netflow.reverse_ip_payload_packet_section`**
+:   type: keyword
+
+
+**`netflow.reverse_ip_precedence`**
+:   type: short
+
+
+**`netflow.reverse_ip_sec_spi`**
+:   type: long
+
+
+**`netflow.reverse_ip_total_length`**
+:   type: long
+
+
+**`netflow.reverse_ip_ttl`**
+:   type: short
+
+
+**`netflow.reverse_ip_version`**
+:   type: short
+
+
+**`netflow.reverse_ipv4_ihl`**
+:   type: short
+
+
+**`netflow.reverse_ipv4_options`**
+:   type: long
+
+
+**`netflow.reverse_ipv4_router_sc`**
+:   type: ip
+
+
+**`netflow.reverse_ipv6_extension_headers`**
+:   type: long
+
+
+**`netflow.reverse_is_multicast`**
+:   type: short
+
+
+**`netflow.reverse_large_packet_count`**
+:   type: long
+
+
+**`netflow.reverse_layer2_frame_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_layer2_frame_total_count`**
+:   type: long
+
+
+**`netflow.reverse_layer2_octet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_layer2_octet_delta_sum_of_squares`**
+:   type: long
+
+
+**`netflow.reverse_layer2_octet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_layer2_octet_total_sum_of_squares`**
+:   type: long
+
+
+**`netflow.reverse_layer2_segment_id`**
+:   type: long
+
+
+**`netflow.reverse_layer2packet_section_data`**
+:   type: keyword
+
+
+**`netflow.reverse_layer2packet_section_offset`**
+:   type: integer
+
+
+**`netflow.reverse_layer2packet_section_size`**
+:   type: integer
+
+
+**`netflow.reverse_line_card_id`**
+:   type: long
+
+
+**`netflow.reverse_lower_ci_limit`**
+:   type: double
+
+
+**`netflow.reverse_max_export_seconds`**
+:   type: long
+
+
+**`netflow.reverse_max_flow_end_microseconds`**
+:   type: long
+
+
+**`netflow.reverse_max_flow_end_milliseconds`**
+:   type: long
+
+
+**`netflow.reverse_max_flow_end_nanoseconds`**
+:   type: long
+
+
+**`netflow.reverse_max_flow_end_seconds`**
+:   type: long
+
+
+**`netflow.reverse_max_packet_size`**
+:   type: integer
+
+
+**`netflow.reverse_maximum_ip_total_length`**
+:   type: long
+
+
+**`netflow.reverse_maximum_layer2_total_length`**
+:   type: long
+
+
+**`netflow.reverse_maximum_ttl`**
+:   type: short
+
+
+**`netflow.reverse_message_md5_checksum`**
+:   type: keyword
+
+
+**`netflow.reverse_message_scope`**
+:   type: short
+
+
+**`netflow.reverse_metering_process_id`**
+:   type: long
+
+
+**`netflow.reverse_metro_evc_id`**
+:   type: keyword
+
+
+**`netflow.reverse_metro_evc_type`**
+:   type: short
+
+
+**`netflow.reverse_min_export_seconds`**
+:   type: long
+
+
+**`netflow.reverse_min_flow_start_microseconds`**
+:   type: long
+
+
+**`netflow.reverse_min_flow_start_milliseconds`**
+:   type: long
+
+
+**`netflow.reverse_min_flow_start_nanoseconds`**
+:   type: long
+
+
+**`netflow.reverse_min_flow_start_seconds`**
+:   type: long
+
+
+**`netflow.reverse_minimum_ip_total_length`**
+:   type: long
+
+
+**`netflow.reverse_minimum_layer2_total_length`**
+:   type: long
+
+
+**`netflow.reverse_minimum_ttl`**
+:   type: short
+
+
+**`netflow.reverse_monitoring_interval_end_milli_seconds`**
+:   type: long
+
+
+**`netflow.reverse_monitoring_interval_start_milli_seconds`**
+:   type: long
+
+
+**`netflow.reverse_mpls_label_stack_depth`**
+:   type: long
+
+
+**`netflow.reverse_mpls_label_stack_length`**
+:   type: long
+
+
+**`netflow.reverse_mpls_label_stack_section`**
+:   type: keyword
+
+
+**`netflow.reverse_mpls_label_stack_section10`**
+:   type: keyword
+
+
+**`netflow.reverse_mpls_label_stack_section2`**
+:   type: keyword
+
+
+**`netflow.reverse_mpls_label_stack_section3`**
+:   type: keyword
+
+
+**`netflow.reverse_mpls_label_stack_section4`**
+:   type: keyword
+
+
+**`netflow.reverse_mpls_label_stack_section5`**
+:   type: keyword
+
+
+**`netflow.reverse_mpls_label_stack_section6`**
+:   type: keyword
+
+
+**`netflow.reverse_mpls_label_stack_section7`**
+:   type: keyword
+
+
+**`netflow.reverse_mpls_label_stack_section8`**
+:   type: keyword
+
+
+**`netflow.reverse_mpls_label_stack_section9`**
+:   type: keyword
+
+
+**`netflow.reverse_mpls_payload_length`**
+:   type: long
+
+
+**`netflow.reverse_mpls_payload_packet_section`**
+:   type: keyword
+
+
+**`netflow.reverse_mpls_top_label_exp`**
+:   type: short
+
+
+**`netflow.reverse_mpls_top_label_ipv4_address`**
+:   type: ip
+
+
+**`netflow.reverse_mpls_top_label_ipv6_address`**
+:   type: ip
+
+
+**`netflow.reverse_mpls_top_label_prefix_length`**
+:   type: short
+
+
+**`netflow.reverse_mpls_top_label_stack_section`**
+:   type: keyword
+
+
+**`netflow.reverse_mpls_top_label_ttl`**
+:   type: short
+
+
+**`netflow.reverse_mpls_top_label_type`**
+:   type: short
+
+
+**`netflow.reverse_mpls_vpn_route_distinguisher`**
+:   type: keyword
+
+
+**`netflow.reverse_multicast_replication_factor`**
+:   type: long
+
+
+**`netflow.reverse_nat_event`**
+:   type: short
+
+
+**`netflow.reverse_nat_originating_address_realm`**
+:   type: short
+
+
+**`netflow.reverse_nat_pool_id`**
+:   type: long
+
+
+**`netflow.reverse_nat_pool_name`**
+:   type: keyword
+
+
+**`netflow.reverse_nat_type`**
+:   type: short
+
+
+**`netflow.reverse_new_connection_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_next_header_ipv6`**
+:   type: short
+
+
+**`netflow.reverse_non_empty_packet_count`**
+:   type: long
+
+
+**`netflow.reverse_not_sent_layer2_octet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_observation_domain_name`**
+:   type: keyword
+
+
+**`netflow.reverse_observation_point_id`**
+:   type: long
+
+
+**`netflow.reverse_observation_point_type`**
+:   type: short
+
+
+**`netflow.reverse_observation_time_microseconds`**
+:   type: long
+
+
+**`netflow.reverse_observation_time_milliseconds`**
+:   type: long
+
+
+**`netflow.reverse_observation_time_nanoseconds`**
+:   type: long
+
+
+**`netflow.reverse_observation_time_seconds`**
+:   type: long
+
+
+**`netflow.reverse_octet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_octet_delta_sum_of_squares`**
+:   type: long
+
+
+**`netflow.reverse_octet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_octet_total_sum_of_squares`**
+:   type: long
+
+
+**`netflow.reverse_opaque_octets`**
+:   type: keyword
+
+
+**`netflow.reverse_original_exporter_ipv4_address`**
+:   type: ip
+
+
+**`netflow.reverse_original_exporter_ipv6_address`**
+:   type: ip
+
+
+**`netflow.reverse_original_flows_completed`**
+:   type: long
+
+
+**`netflow.reverse_original_flows_initiated`**
+:   type: long
+
+
+**`netflow.reverse_original_flows_present`**
+:   type: long
+
+
+**`netflow.reverse_original_observation_domain_id`**
+:   type: long
+
+
+**`netflow.reverse_os_finger_print`**
+:   type: keyword
+
+
+**`netflow.reverse_os_name`**
+:   type: keyword
+
+
+**`netflow.reverse_os_version`**
+:   type: keyword
+
+
+**`netflow.reverse_p2p_technology`**
+:   type: keyword
+
+
+**`netflow.reverse_packet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_packet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_payload`**
+:   type: keyword
+
+
+**`netflow.reverse_payload_entropy`**
+:   type: short
+
+
+**`netflow.reverse_payload_length_ipv6`**
+:   type: integer
+
+
+**`netflow.reverse_port_id`**
+:   type: long
+
+
+**`netflow.reverse_port_range_end`**
+:   type: integer
+
+
+**`netflow.reverse_port_range_num_ports`**
+:   type: integer
+
+
+**`netflow.reverse_port_range_start`**
+:   type: integer
+
+
+**`netflow.reverse_port_range_step_size`**
+:   type: integer
+
+
+**`netflow.reverse_post_destination_mac_address`**
+:   type: keyword
+
+
+**`netflow.reverse_post_dot1q_customer_vlan_id`**
+:   type: integer
+
+
+**`netflow.reverse_post_dot1q_vlan_id`**
+:   type: integer
+
+
+**`netflow.reverse_post_ip_class_of_service`**
+:   type: short
+
+
+**`netflow.reverse_post_ip_diff_serv_code_point`**
+:   type: short
+
+
+**`netflow.reverse_post_ip_precedence`**
+:   type: short
+
+
+**`netflow.reverse_post_layer2_octet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_post_layer2_octet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_post_mcast_layer2_octet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_post_mcast_layer2_octet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_post_mcast_octet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_post_mcast_octet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_post_mcast_packet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_post_mcast_packet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_post_mpls_top_label_exp`**
+:   type: short
+
+
+**`netflow.reverse_post_napt_destination_transport_port`**
+:   type: integer
+
+
+**`netflow.reverse_post_napt_source_transport_port`**
+:   type: integer
+
+
+**`netflow.reverse_post_nat_destination_ipv4_address`**
+:   type: ip
+
+
+**`netflow.reverse_post_nat_destination_ipv6_address`**
+:   type: ip
+
+
+**`netflow.reverse_post_nat_source_ipv4_address`**
+:   type: ip
+
+
+**`netflow.reverse_post_nat_source_ipv6_address`**
+:   type: ip
+
+
+**`netflow.reverse_post_octet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_post_octet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_post_packet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_post_packet_total_count`**
+:   type: long
+
+
+**`netflow.reverse_post_source_mac_address`**
+:   type: keyword
+
+
+**`netflow.reverse_post_vlan_id`**
+:   type: integer
+
+
+**`netflow.reverse_private_enterprise_number`**
+:   type: long
+
+
+**`netflow.reverse_protocol_identifier`**
+:   type: short
+
+
+**`netflow.reverse_pseudo_wire_control_word`**
+:   type: long
+
+
+**`netflow.reverse_pseudo_wire_destination_ipv4_address`**
+:   type: ip
+
+
+**`netflow.reverse_pseudo_wire_id`**
+:   type: long
+
+
+**`netflow.reverse_pseudo_wire_type`**
+:   type: integer
+
+
+**`netflow.reverse_relative_error`**
+:   type: double
+
+
+**`netflow.reverse_responder_octets`**
+:   type: long
+
+
+**`netflow.reverse_responder_packets`**
+:   type: long
+
+
+**`netflow.reverse_rfc3550_jitter_microseconds`**
+:   type: long
+
+
+**`netflow.reverse_rfc3550_jitter_milliseconds`**
+:   type: long
+
+
+**`netflow.reverse_rfc3550_jitter_nanoseconds`**
+:   type: long
+
+
+**`netflow.reverse_rtp_payload_type`**
+:   type: short
+
+
+**`netflow.reverse_rtp_sequence_number`**
+:   type: integer
+
+
+**`netflow.reverse_sampler_id`**
+:   type: short
+
+
+**`netflow.reverse_sampler_mode`**
+:   type: short
+
+
+**`netflow.reverse_sampler_name`**
+:   type: keyword
+
+
+**`netflow.reverse_sampler_random_interval`**
+:   type: long
+
+
+**`netflow.reverse_sampling_algorithm`**
+:   type: short
+
+
+**`netflow.reverse_sampling_flow_interval`**
+:   type: long
+
+
+**`netflow.reverse_sampling_flow_spacing`**
+:   type: long
+
+
+**`netflow.reverse_sampling_interval`**
+:   type: long
+
+
+**`netflow.reverse_sampling_packet_interval`**
+:   type: long
+
+
+**`netflow.reverse_sampling_packet_space`**
+:   type: long
+
+
+**`netflow.reverse_sampling_population`**
+:   type: long
+
+
+**`netflow.reverse_sampling_probability`**
+:   type: double
+
+
+**`netflow.reverse_sampling_size`**
+:   type: long
+
+
+**`netflow.reverse_sampling_time_interval`**
+:   type: long
+
+
+**`netflow.reverse_sampling_time_space`**
+:   type: long
+
+
+**`netflow.reverse_second_packet_banner`**
+:   type: keyword
+
+
+**`netflow.reverse_section_exported_octets`**
+:   type: integer
+
+
+**`netflow.reverse_section_offset`**
+:   type: integer
+
+
+**`netflow.reverse_selection_sequence_id`**
+:   type: long
+
+
+**`netflow.reverse_selector_algorithm`**
+:   type: integer
+
+
+**`netflow.reverse_selector_id`**
+:   type: long
+
+
+**`netflow.reverse_selector_id_total_flows_observed`**
+:   type: long
+
+
+**`netflow.reverse_selector_id_total_flows_selected`**
+:   type: long
+
+
+**`netflow.reverse_selector_id_total_pkts_observed`**
+:   type: long
+
+
+**`netflow.reverse_selector_id_total_pkts_selected`**
+:   type: long
+
+
+**`netflow.reverse_selector_name`**
+:   type: keyword
+
+
+**`netflow.reverse_session_scope`**
+:   type: short
+
+
+**`netflow.reverse_small_packet_count`**
+:   type: long
+
+
+**`netflow.reverse_source_ipv4_address`**
+:   type: ip
+
+
+**`netflow.reverse_source_ipv4_prefix`**
+:   type: ip
+
+
+**`netflow.reverse_source_ipv4_prefix_length`**
+:   type: short
+
+
+**`netflow.reverse_source_ipv6_address`**
+:   type: ip
+
+
+**`netflow.reverse_source_ipv6_prefix`**
+:   type: ip
+
+
+**`netflow.reverse_source_ipv6_prefix_length`**
+:   type: short
+
+
+**`netflow.reverse_source_mac_address`**
+:   type: keyword
+
+
+**`netflow.reverse_source_transport_port`**
+:   type: integer
+
+
+**`netflow.reverse_src_traffic_index`**
+:   type: long
+
+
+**`netflow.reverse_sta_ipv4_address`**
+:   type: ip
+
+
+**`netflow.reverse_sta_mac_address`**
+:   type: keyword
+
+
+**`netflow.reverse_standard_deviation_interarrival_time`**
+:   type: long
+
+
+**`netflow.reverse_standard_deviation_payload_length`**
+:   type: integer
+
+
+**`netflow.reverse_system_init_time_milliseconds`**
+:   type: long
+
+
+**`netflow.reverse_tcp_ack_total_count`**
+:   type: long
+
+
+**`netflow.reverse_tcp_acknowledgement_number`**
+:   type: long
+
+
+**`netflow.reverse_tcp_control_bits`**
+:   type: integer
+
+
+**`netflow.reverse_tcp_destination_port`**
+:   type: integer
+
+
+**`netflow.reverse_tcp_fin_total_count`**
+:   type: long
+
+
+**`netflow.reverse_tcp_header_length`**
+:   type: short
+
+
+**`netflow.reverse_tcp_options`**
+:   type: long
+
+
+**`netflow.reverse_tcp_psh_total_count`**
+:   type: long
+
+
+**`netflow.reverse_tcp_rst_total_count`**
+:   type: long
+
+
+**`netflow.reverse_tcp_sequence_number`**
+:   type: long
+
+
+**`netflow.reverse_tcp_source_port`**
+:   type: integer
+
+
+**`netflow.reverse_tcp_syn_total_count`**
+:   type: long
+
+
+**`netflow.reverse_tcp_urg_total_count`**
+:   type: long
+
+
+**`netflow.reverse_tcp_urgent_pointer`**
+:   type: integer
+
+
+**`netflow.reverse_tcp_window_scale`**
+:   type: integer
+
+
+**`netflow.reverse_tcp_window_size`**
+:   type: integer
+
+
+**`netflow.reverse_total_length_ipv4`**
+:   type: integer
+
+
+**`netflow.reverse_transport_octet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_transport_packet_delta_count`**
+:   type: long
+
+
+**`netflow.reverse_tunnel_technology`**
+:   type: keyword
+
+
+**`netflow.reverse_udp_destination_port`**
+:   type: integer
+
+
+**`netflow.reverse_udp_message_length`**
+:   type: integer
+
+
+**`netflow.reverse_udp_source_port`**
+:   type: integer
+
+
+**`netflow.reverse_union_tcp_flags`**
+:   type: short
+
+
+**`netflow.reverse_upper_ci_limit`**
+:   type: double
+
+
+**`netflow.reverse_user_name`**
+:   type: keyword
+
+
+**`netflow.reverse_value_distribution_method`**
+:   type: short
+
+
+**`netflow.reverse_virtual_station_interface_id`**
+:   type: keyword
+
+
+**`netflow.reverse_virtual_station_interface_name`**
+:   type: keyword
+
+
+**`netflow.reverse_virtual_station_name`**
+:   type: keyword
+
+
+**`netflow.reverse_virtual_station_uuid`**
+:   type: keyword
+
+
+**`netflow.reverse_vlan_id`**
+:   type: integer
+
+
+**`netflow.reverse_vr_fname`**
+:   type: keyword
+
+
+**`netflow.reverse_wlan_channel_id`**
+:   type: short
+
+
+**`netflow.reverse_wlan_ssid`**
+:   type: keyword
+
+
+**`netflow.reverse_wtp_mac_address`**
+:   type: keyword
+
+
+**`netflow.rfc3550_jitter_microseconds`**
+:   type: long
+
+
+**`netflow.rfc3550_jitter_milliseconds`**
+:   type: long
+
+
+**`netflow.rfc3550_jitter_nanoseconds`**
+:   type: long
+
+
+**`netflow.rtp_payload_type`**
+:   type: short
+
+
+**`netflow.rtp_sequence_number`**
+:   type: integer
+
+
+**`netflow.sampler_id`**
+:   type: short
+
+
+**`netflow.sampler_mode`**
+:   type: short
+
+
+**`netflow.sampler_name`**
+:   type: keyword
+
+
+**`netflow.sampler_random_interval`**
+:   type: long
+
+
+**`netflow.sampling_algorithm`**
+:   type: short
+
+
+**`netflow.sampling_flow_interval`**
+:   type: long
+
+
+**`netflow.sampling_flow_spacing`**
+:   type: long
+
+
+**`netflow.sampling_interval`**
+:   type: long
+
+
+**`netflow.sampling_packet_interval`**
+:   type: long
+
+
+**`netflow.sampling_packet_space`**
+:   type: long
+
+
+**`netflow.sampling_population`**
+:   type: long
+
+
+**`netflow.sampling_probability`**
+:   type: double
+
+
+**`netflow.sampling_size`**
+:   type: long
+
+
+**`netflow.sampling_time_interval`**
+:   type: long
+
+
+**`netflow.sampling_time_space`**
+:   type: long
+
+
+**`netflow.second_packet_banner`**
+:   type: keyword
+
+
+**`netflow.section_exported_octets`**
+:   type: integer
+
+
+**`netflow.section_offset`**
+:   type: integer
+
+
+**`netflow.selection_sequence_id`**
+:   type: long
+
+
+**`netflow.selector_algorithm`**
+:   type: integer
+
+
+**`netflow.selector_id`**
+:   type: long
+
+
+**`netflow.selector_id_total_flows_observed`**
+:   type: long
+
+
+**`netflow.selector_id_total_flows_selected`**
+:   type: long
+
+
+**`netflow.selector_id_total_pkts_observed`**
+:   type: long
+
+
+**`netflow.selector_id_total_pkts_selected`**
+:   type: long
+
+
+**`netflow.selector_name`**
+:   type: keyword
+
+
+**`netflow.service_name`**
+:   type: keyword
+
+
+**`netflow.session_scope`**
+:   type: short
+
+
+**`netflow.silk_app_label`**
+:   type: integer
+
+
+**`netflow.small_packet_count`**
+:   type: long
+
+
+**`netflow.source_ipv4_address`**
+:   type: ip
+
+
+**`netflow.source_ipv4_prefix`**
+:   type: ip
+
+
+**`netflow.source_ipv4_prefix_length`**
+:   type: short
+
+
+**`netflow.source_ipv6_address`**
+:   type: ip
+
+
+**`netflow.source_ipv6_prefix`**
+:   type: ip
+
+
+**`netflow.source_ipv6_prefix_length`**
+:   type: short
+
+
+**`netflow.source_mac_address`**
+:   type: keyword
+
+
+**`netflow.source_transport_port`**
+:   type: integer
+
+
+**`netflow.source_transport_ports_limit`**
+:   type: integer
+
+
+**`netflow.src_traffic_index`**
+:   type: long
+
+
+**`netflow.ssl_cert_serial_number`**
+:   type: keyword
+
+
+**`netflow.ssl_cert_signature`**
+:   type: keyword
+
+
+**`netflow.ssl_cert_validity_not_after`**
+:   type: keyword
+
+
+**`netflow.ssl_cert_validity_not_before`**
+:   type: keyword
+
+
+**`netflow.ssl_cert_version`**
+:   type: short
+
+
+**`netflow.ssl_certificate_hash`**
+:   type: keyword
+
+
+**`netflow.ssl_cipher`**
+:   type: keyword
+
+
+**`netflow.ssl_client_version`**
+:   type: short
+
+
+**`netflow.ssl_compression_method`**
+:   type: short
+
+
+**`netflow.ssl_object_type`**
+:   type: keyword
+
+
+**`netflow.ssl_object_value`**
+:   type: keyword
+
+
+**`netflow.ssl_public_key_algorithm`**
+:   type: keyword
+
+
+**`netflow.ssl_public_key_length`**
+:   type: keyword
+
+
+**`netflow.ssl_server_cipher`**
+:   type: long
+
+
+**`netflow.ssl_server_name`**
+:   type: keyword
+
+
+**`netflow.sta_ipv4_address`**
+:   type: ip
+
+
+**`netflow.sta_mac_address`**
+:   type: keyword
+
+
+**`netflow.standard_deviation_interarrival_time`**
+:   type: long
+
+
+**`netflow.standard_deviation_payload_length`**
+:   type: short
+
+
+**`netflow.system_init_time_milliseconds`**
+:   type: date
+
+
+**`netflow.tcp_ack_total_count`**
+:   type: long
+
+
+**`netflow.tcp_acknowledgement_number`**
+:   type: long
+
+
+**`netflow.tcp_control_bits`**
+:   type: integer
+
+
+**`netflow.tcp_destination_port`**
+:   type: integer
+
+
+**`netflow.tcp_fin_total_count`**
+:   type: long
+
+
+**`netflow.tcp_header_length`**
+:   type: short
+
+
+**`netflow.tcp_options`**
+:   type: long
+
+
+**`netflow.tcp_psh_total_count`**
+:   type: long
+
+
+**`netflow.tcp_rst_total_count`**
+:   type: long
+
+
+**`netflow.tcp_sequence_number`**
+:   type: long
+
+
+**`netflow.tcp_source_port`**
+:   type: integer
+
+
+**`netflow.tcp_syn_total_count`**
+:   type: long
+
+
+**`netflow.tcp_urg_total_count`**
+:   type: long
+
+
+**`netflow.tcp_urgent_pointer`**
+:   type: integer
+
+
+**`netflow.tcp_window_scale`**
+:   type: integer
+
+
+**`netflow.tcp_window_size`**
+:   type: integer
+
+
+**`netflow.template_id`**
+:   type: integer
+
+
+**`netflow.tftp_filename`**
+:   type: keyword
+
+
+**`netflow.tftp_mode`**
+:   type: keyword
+
+
+**`netflow.timestamp`**
+:   type: long
+
+
+**`netflow.timestamp_absolute_monitoring-interval`**
+:   type: long
+
+
+**`netflow.total_length_ipv4`**
+:   type: integer
+
+
+**`netflow.traffic_type`**
+:   type: short
+
+
+**`netflow.transport_octet_delta_count`**
+:   type: long
+
+
+**`netflow.transport_packet_delta_count`**
+:   type: long
+
+
+**`netflow.tunnel_technology`**
+:   type: keyword
+
+
+**`netflow.udp_destination_port`**
+:   type: integer
+
+
+**`netflow.udp_message_length`**
+:   type: integer
+
+
+**`netflow.udp_source_port`**
+:   type: integer
+
+
+**`netflow.union_tcp_flags`**
+:   type: short
+
+
+**`netflow.upper_ci_limit`**
+:   type: double
+
+
+**`netflow.user_name`**
+:   type: keyword
+
+
+**`netflow.username`**
+:   type: keyword
+
+
+**`netflow.value_distribution_method`**
+:   type: short
+
+
+**`netflow.viptela_vpn_id`**
+:   type: long
+
+
+**`netflow.virtual_station_interface_id`**
+:   type: short
+
+
+**`netflow.virtual_station_interface_name`**
+:   type: keyword
+
+
+**`netflow.virtual_station_name`**
+:   type: keyword
+
+
+**`netflow.virtual_station_uuid`**
+:   type: short
+
+
+**`netflow.vlan_id`**
+:   type: integer
+
+
+**`netflow.vmware_egress_interface_attr`**
+:   type: integer
+
+
+**`netflow.vmware_ingress_interface_attr`**
+:   type: integer
+
+
+**`netflow.vmware_tenant_dest_ipv4`**
+:   type: ip
+
+
+**`netflow.vmware_tenant_dest_ipv6`**
+:   type: ip
+
+
+**`netflow.vmware_tenant_dest_port`**
+:   type: integer
+
+
+**`netflow.vmware_tenant_protocol`**
+:   type: short
+
+
+**`netflow.vmware_tenant_source_ipv4`**
+:   type: ip
+
+
+**`netflow.vmware_tenant_source_ipv6`**
+:   type: ip
+
+
+**`netflow.vmware_tenant_source_port`**
+:   type: integer
+
+
+**`netflow.vmware_vxlan_export_role`**
+:   type: short
+
+
+**`netflow.vpn_identifier`**
+:   type: short
+
+
+**`netflow.vr_fname`**
+:   type: keyword
+
+
+**`netflow.waasoptimization_segment`**
+:   type: short
+
+
+**`netflow.wlan_channel_id`**
+:   type: short
+
+
+**`netflow.wlan_ssid`**
+:   type: keyword
+
+
+**`netflow.wtp_mac_address`**
+:   type: keyword
+
+
+**`netflow.xlate_destination_address_ip_v4`**
+:   type: ip
+
+
+**`netflow.xlate_destination_port`**
+:   type: integer
+
+
+**`netflow.xlate_source_address_ip_v4`**
+:   type: ip
+
+
+**`netflow.xlate_source_port`**
+:   type: integer
+
+
diff --git a/docs/reference/filebeat/exported-fields-nginx.md b/docs/reference/filebeat/exported-fields-nginx.md
new file mode 100644
index 000000000000..02f15d819bcb
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-nginx.md
@@ -0,0 +1,391 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-nginx.html
+---
+
+# Nginx fields [exported-fields-nginx]
+
+Module for parsing the Nginx log files.
+
+
+## nginx [_nginx]
+
+Fields from the Nginx log files.
+
+
+## access [_access_3]
+
+Contains fields for the Nginx access logs.
+
+**`nginx.access.remote_ip_list`**
+:   An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`.
+
+type: array
+
+
+**`nginx.access.body_sent.bytes`**
+:   type: alias
+
+alias to: http.response.body.bytes
+
+
+**`nginx.access.user_name`**
+:   type: alias
+
+alias to: user.name
+
+
+**`nginx.access.method`**
+:   type: alias
+
+alias to: http.request.method
+
+
+**`nginx.access.url`**
+:   type: alias
+
+alias to: url.original
+
+
+**`nginx.access.http_version`**
+:   type: alias
+
+alias to: http.version
+
+
+**`nginx.access.response_code`**
+:   type: alias
+
+alias to: http.response.status_code
+
+
+**`nginx.access.referrer`**
+:   type: alias
+
+alias to: http.request.referrer
+
+
+**`nginx.access.agent`**
+:   type: alias
+
+alias to: user_agent.original
+
+
+**`nginx.access.user_agent.device`**
+:   type: alias
+
+alias to: user_agent.device.name
+
+
+**`nginx.access.user_agent.name`**
+:   type: alias
+
+alias to: user_agent.name
+
+
+**`nginx.access.user_agent.os`**
+:   type: alias
+
+alias to: user_agent.os.full_name
+
+
+**`nginx.access.user_agent.os_name`**
+:   type: alias
+
+alias to: user_agent.os.name
+
+
+**`nginx.access.user_agent.original`**
+:   type: alias
+
+alias to: user_agent.original
+
+
+**`nginx.access.geoip.continent_name`**
+:   type: alias
+
+alias to: source.geo.continent_name
+
+
+**`nginx.access.geoip.country_iso_code`**
+:   type: alias
+
+alias to: source.geo.country_iso_code
+
+
+**`nginx.access.geoip.location`**
+:   type: alias
+
+alias to: source.geo.location
+
+
+**`nginx.access.geoip.region_name`**
+:   type: alias
+
+alias to: source.geo.region_name
+
+
+**`nginx.access.geoip.city_name`**
+:   type: alias
+
+alias to: source.geo.city_name
+
+
+**`nginx.access.geoip.region_iso_code`**
+:   type: alias
+
+alias to: source.geo.region_iso_code
+
+
+
+## error [_error_5]
+
+Contains fields for the Nginx error logs.
+
+**`nginx.error.connection_id`**
+:   Connection identifier.
+
+type: long
+
+
+**`nginx.error.level`**
+:   type: alias
+
+alias to: log.level
+
+
+**`nginx.error.pid`**
+:   type: alias
+
+alias to: process.pid
+
+
+**`nginx.error.tid`**
+:   type: alias
+
+alias to: process.thread.id
+
+
+**`nginx.error.message`**
+:   type: alias
+
+alias to: message
+
+
+
+## ingress_controller [_ingress_controller]
+
+Contains fields for the Ingress Nginx controller access logs.
+
+**`nginx.ingress_controller.remote_ip_list`**
+:   An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`.
+
+type: array
+
+
+**`nginx.ingress_controller.upstream_address_list`**
+:   An array of the upstream addresses. It is a list because it is common that several upstream servers were contacted during request processing.
+
+type: keyword
+
+
+**`nginx.ingress_controller.upstream.response.length_list`**
+:   An array of upstream response lengths. It is a list because it is common that several upstream servers were contacted during request processing.
+
+type: keyword
+
+
+**`nginx.ingress_controller.upstream.response.time_list`**
+:   An array of upstream response durations. It is a list because it is common that several upstream servers were contacted during request processing.
+
+type: keyword
+
+
+**`nginx.ingress_controller.upstream.response.status_code_list`**
+:   An array of upstream response status codes. It is a list because it is common that several upstream servers were contacted during request processing.
+
+type: keyword
+
+
+**`nginx.ingress_controller.http.request.length`**
+:   The request length (including request line, header, and request body)
+
+type: long
+
+format: bytes
+
+
+**`nginx.ingress_controller.http.request.time`**
+:   Time elapsed since the first bytes were read from the client
+
+type: double
+
+format: duration
+
+
+**`nginx.ingress_controller.upstream.name`**
+:   The name of the upstream.
+
+type: keyword
+
+
+**`nginx.ingress_controller.upstream.alternative_name`**
+:   The name of the alternative upstream.
+
+type: keyword
+
+
+**`nginx.ingress_controller.upstream.response.length`**
+:   The length of the response obtained from the upstream server. If several servers were contacted during request process, the summary of the multiple response lengths is stored.
+
+type: long
+
+format: bytes
+
+
+**`nginx.ingress_controller.upstream.response.time`**
+:   The time spent on receiving the response from the upstream as seconds with millisecond resolution. If several servers were contacted during request process, the summary of the multiple response times is stored.
+
+type: double
+
+format: duration
+
+
+**`nginx.ingress_controller.upstream.response.status_code`**
+:   The status code of the response obtained from the upstream server. If several servers were contacted during request process, only the status code of the response from the last one is stored in this field.
+
+type: long
+
+
+**`nginx.ingress_controller.upstream.ip`**
+:   The IP address of the upstream server. If several servers were contacted during request process, only the last one is stored in this field.
+
+type: ip
+
+
+**`nginx.ingress_controller.upstream.port`**
+:   The port of the upstream server. If several servers were contacted during request process, only the last one is stored in this field.
+
+type: long
+
+
+**`nginx.ingress_controller.http.request.id`**
+:   The randomly generated ID of the request
+
+type: keyword
+
+
+**`nginx.ingress_controller.body_sent.bytes`**
+:   type: alias
+
+alias to: http.response.body.bytes
+
+
+**`nginx.ingress_controller.user_name`**
+:   type: alias
+
+alias to: user.name
+
+
+**`nginx.ingress_controller.method`**
+:   type: alias
+
+alias to: http.request.method
+
+
+**`nginx.ingress_controller.url`**
+:   type: alias
+
+alias to: url.original
+
+
+**`nginx.ingress_controller.http_version`**
+:   type: alias
+
+alias to: http.version
+
+
+**`nginx.ingress_controller.response_code`**
+:   type: alias
+
+alias to: http.response.status_code
+
+
+**`nginx.ingress_controller.referrer`**
+:   type: alias
+
+alias to: http.request.referrer
+
+
+**`nginx.ingress_controller.agent`**
+:   type: alias
+
+alias to: user_agent.original
+
+
+**`nginx.ingress_controller.user_agent.device`**
+:   type: alias
+
+alias to: user_agent.device.name
+
+
+**`nginx.ingress_controller.user_agent.name`**
+:   type: alias
+
+alias to: user_agent.name
+
+
+**`nginx.ingress_controller.user_agent.os`**
+:   type: alias
+
+alias to: user_agent.os.full_name
+
+
+**`nginx.ingress_controller.user_agent.os_name`**
+:   type: alias
+
+alias to: user_agent.os.name
+
+
+**`nginx.ingress_controller.user_agent.original`**
+:   type: alias
+
+alias to: user_agent.original
+
+
+**`nginx.ingress_controller.geoip.continent_name`**
+:   type: alias
+
+alias to: source.geo.continent_name
+
+
+**`nginx.ingress_controller.geoip.country_iso_code`**
+:   type: alias
+
+alias to: source.geo.country_iso_code
+
+
+**`nginx.ingress_controller.geoip.location`**
+:   type: alias
+
+alias to: source.geo.location
+
+
+**`nginx.ingress_controller.geoip.region_name`**
+:   type: alias
+
+alias to: source.geo.region_name
+
+
+**`nginx.ingress_controller.geoip.city_name`**
+:   type: alias
+
+alias to: source.geo.city_name
+
+
+**`nginx.ingress_controller.geoip.region_iso_code`**
+:   type: alias
+
+alias to: source.geo.region_iso_code
+
+
diff --git a/docs/reference/filebeat/exported-fields-o365.md b/docs/reference/filebeat/exported-fields-o365.md
new file mode 100644
index 000000000000..68ece7e933a0
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-o365.md
@@ -0,0 +1,474 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-o365.html
+---
+
+# Office 365 fields [exported-fields-o365]
+
+Module for handling logs from Office 365.
+
+
+## o365.audit [_o365_audit]
+
+Fields from Office 365 Management API audit logs.
+
+**`o365.audit.AADGroupId`**
+:   type: keyword
+
+
+**`o365.audit.Activity`**
+:   type: keyword
+
+
+**`o365.audit.Actor`**
+:   type: array
+
+
+**`o365.audit.ActorContextId`**
+:   type: keyword
+
+
+**`o365.audit.ActorIpAddress`**
+:   type: keyword
+
+
+**`o365.audit.ActorUserId`**
+:   type: keyword
+
+
+**`o365.audit.ActorYammerUserId`**
+:   type: keyword
+
+
+**`o365.audit.AlertEntityId`**
+:   type: keyword
+
+
+**`o365.audit.AlertId`**
+:   type: keyword
+
+
+**`o365.audit.AlertLinks`**
+:   type: array
+
+
+**`o365.audit.AlertType`**
+:   type: keyword
+
+
+**`o365.audit.AppId`**
+:   type: keyword
+
+
+**`o365.audit.ApplicationDisplayName`**
+:   type: keyword
+
+
+**`o365.audit.ApplicationId`**
+:   type: keyword
+
+
+**`o365.audit.AzureActiveDirectoryEventType`**
+:   type: keyword
+
+
+**`o365.audit.ExchangeMetaData.*`**
+:   type: object
+
+
+**`o365.audit.Category`**
+:   type: keyword
+
+
+**`o365.audit.ClientAppId`**
+:   type: keyword
+
+
+**`o365.audit.ClientInfoString`**
+:   type: keyword
+
+
+**`o365.audit.ClientIP`**
+:   type: keyword
+
+
+**`o365.audit.ClientIPAddress`**
+:   type: keyword
+
+
+**`o365.audit.Comments`**
+:   type: text
+
+
+**`o365.audit.CommunicationType`**
+:   type: keyword
+
+
+**`o365.audit.CorrelationId`**
+:   type: keyword
+
+
+**`o365.audit.CreationTime`**
+:   type: keyword
+
+
+**`o365.audit.CustomUniqueId`**
+:   type: keyword
+
+
+**`o365.audit.Data`**
+:   type: keyword
+
+
+**`o365.audit.DataType`**
+:   type: keyword
+
+
+**`o365.audit.DoNotDistributeEvent`**
+:   type: boolean
+
+
+**`o365.audit.EntityType`**
+:   type: keyword
+
+
+**`o365.audit.ErrorNumber`**
+:   type: keyword
+
+
+**`o365.audit.EventData`**
+:   type: keyword
+
+
+**`o365.audit.EventSource`**
+:   type: keyword
+
+
+**`o365.audit.ExceptionInfo.*`**
+:   type: object
+
+
+**`o365.audit.Experience`**
+:   type: keyword
+
+
+**`o365.audit.ExtendedProperties.*`**
+:   type: object
+
+
+**`o365.audit.ExternalAccess`**
+:   type: keyword
+
+
+**`o365.audit.FromApp`**
+:   type: boolean
+
+
+**`o365.audit.GroupName`**
+:   type: keyword
+
+
+**`o365.audit.Id`**
+:   type: keyword
+
+
+**`o365.audit.ImplicitShare`**
+:   type: keyword
+
+
+**`o365.audit.IncidentId`**
+:   type: keyword
+
+
+**`o365.audit.InternalLogonType`**
+:   type: keyword
+
+
+**`o365.audit.InterSystemsId`**
+:   type: keyword
+
+
+**`o365.audit.IntraSystemId`**
+:   type: keyword
+
+
+**`o365.audit.IsDocLib`**
+:   type: boolean
+
+
+**`o365.audit.Item.*`**
+:   type: object
+
+
+**`o365.audit.Item.*.*`**
+:   type: object
+
+
+**`o365.audit.ItemCount`**
+:   type: long
+
+
+**`o365.audit.ItemName`**
+:   type: keyword
+
+
+**`o365.audit.ItemType`**
+:   type: keyword
+
+
+**`o365.audit.ListBaseTemplateType`**
+:   type: keyword
+
+
+**`o365.audit.ListBaseType`**
+:   type: keyword
+
+
+**`o365.audit.ListColor`**
+:   type: keyword
+
+
+**`o365.audit.ListIcon`**
+:   type: keyword
+
+
+**`o365.audit.ListId`**
+:   type: keyword
+
+
+**`o365.audit.ListTitle`**
+:   type: keyword
+
+
+**`o365.audit.ListItemUniqueId`**
+:   type: keyword
+
+
+**`o365.audit.LogonError`**
+:   type: keyword
+
+
+**`o365.audit.LogonType`**
+:   type: keyword
+
+
+**`o365.audit.LogonUserSid`**
+:   type: keyword
+
+
+**`o365.audit.MailboxGuid`**
+:   type: keyword
+
+
+**`o365.audit.MailboxOwnerMasterAccountSid`**
+:   type: keyword
+
+
+**`o365.audit.MailboxOwnerSid`**
+:   type: keyword
+
+
+**`o365.audit.MailboxOwnerUPN`**
+:   type: keyword
+
+
+**`o365.audit.Members`**
+:   type: array
+
+
+**`o365.audit.Members.*`**
+:   type: object
+
+
+**`o365.audit.ModifiedProperties.*.*`**
+:   type: object
+
+
+**`o365.audit.Name`**
+:   type: keyword
+
+
+**`o365.audit.ObjectId`**
+:   type: keyword
+
+
+**`o365.audit.ObjectDisplayName`**
+:   type: keyword
+
+
+**`o365.audit.ObjectType`**
+:   type: keyword
+
+
+**`o365.audit.Operation`**
+:   type: keyword
+
+
+**`o365.audit.OperationId`**
+:   type: keyword
+
+
+**`o365.audit.OperationProperties`**
+:   type: object
+
+
+**`o365.audit.OrganizationId`**
+:   type: keyword
+
+
+**`o365.audit.OrganizationName`**
+:   type: keyword
+
+
+**`o365.audit.OriginatingServer`**
+:   type: keyword
+
+
+**`o365.audit.Parameters.*`**
+:   type: object
+
+
+**`o365.audit.PolicyDetails`**
+:   type: array
+
+
+**`o365.audit.PolicyId`**
+:   type: keyword
+
+
+**`o365.audit.RecordType`**
+:   type: keyword
+
+
+**`o365.audit.RequestId`**
+:   type: keyword
+
+
+**`o365.audit.ResultStatus`**
+:   type: keyword
+
+
+**`o365.audit.SensitiveInfoDetectionIsIncluded`**
+:   type: keyword
+
+
+**`o365.audit.SharePointMetaData.*`**
+:   type: object
+
+
+**`o365.audit.SessionId`**
+:   type: keyword
+
+
+**`o365.audit.Severity`**
+:   type: keyword
+
+
+**`o365.audit.Site`**
+:   type: keyword
+
+
+**`o365.audit.SiteUrl`**
+:   type: keyword
+
+
+**`o365.audit.Source`**
+:   type: keyword
+
+
+**`o365.audit.SourceFileExtension`**
+:   type: keyword
+
+
+**`o365.audit.SourceFileName`**
+:   type: keyword
+
+
+**`o365.audit.SourceRelativeUrl`**
+:   type: keyword
+
+
+**`o365.audit.Status`**
+:   type: keyword
+
+
+**`o365.audit.SupportTicketId`**
+:   type: keyword
+
+
+**`o365.audit.Target`**
+:   type: array
+
+
+**`o365.audit.TargetContextId`**
+:   type: keyword
+
+
+**`o365.audit.TargetUserOrGroupName`**
+:   type: keyword
+
+
+**`o365.audit.TargetUserOrGroupType`**
+:   type: keyword
+
+
+**`o365.audit.TeamName`**
+:   type: keyword
+
+
+**`o365.audit.TeamGuid`**
+:   type: keyword
+
+
+**`o365.audit.TemplateTypeId`**
+:   type: keyword
+
+
+**`o365.audit.Timestamp`**
+:   type: keyword
+
+
+**`o365.audit.UniqueSharingId`**
+:   type: keyword
+
+
+**`o365.audit.UserAgent`**
+:   type: keyword
+
+
+**`o365.audit.UserId`**
+:   type: keyword
+
+
+**`o365.audit.UserKey`**
+:   type: keyword
+
+
+**`o365.audit.UserType`**
+:   type: keyword
+
+
+**`o365.audit.Version`**
+:   type: keyword
+
+
+**`o365.audit.WebId`**
+:   type: keyword
+
+
+**`o365.audit.Workload`**
+:   type: keyword
+
+
+**`o365.audit.WorkspaceId`**
+:   type: keyword
+
+
+**`o365.audit.WorkspaceName`**
+:   type: keyword
+
+
+**`o365.audit.YammerNetworkId`**
+:   type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-okta.md b/docs/reference/filebeat/exported-fields-okta.md
new file mode 100644
index 000000000000..7090ece760ff
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-okta.md
@@ -0,0 +1,415 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-okta.html
+---
+
+# Okta fields [exported-fields-okta]
+
+Module for handling system logs from Okta.
+
+
+## okta [_okta]
+
+Fields from Okta.
+
+**`okta.uuid`**
+:   The unique identifier of the Okta LogEvent.
+
+type: keyword
+
+
+**`okta.event_type`**
+:   The type of the LogEvent.
+
+type: keyword
+
+
+**`okta.version`**
+:   The version of the LogEvent.
+
+type: keyword
+
+
+**`okta.severity`**
+:   The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR.
+
+type: keyword
+
+
+**`okta.display_message`**
+:   The display message of the LogEvent.
+
+type: keyword
+
+
+
+## actor [_actor]
+
+Fields that let you store information of the actor for the LogEvent.
+
+**`okta.actor.id`**
+:   Identifier of the actor.
+
+type: keyword
+
+
+**`okta.actor.type`**
+:   Type of the actor.
+
+type: keyword
+
+
+**`okta.actor.alternate_id`**
+:   Alternate identifier of the actor.
+
+type: keyword
+
+
+**`okta.actor.display_name`**
+:   Display name of the actor.
+
+type: keyword
+
+
+
+## client [_client_4]
+
+Fields that let you store information about the client of the actor.
+
+**`okta.client.ip`**
+:   The IP address of the client.
+
+type: ip
+
+
+
+## user_agent [_user_agent_2]
+
+Fields about the user agent information of the client.
+
+**`okta.client.user_agent.raw_user_agent`**
+:   The raw informaton of the user agent.
+
+type: keyword
+
+
+**`okta.client.user_agent.os`**
+:   The OS informaton.
+
+type: keyword
+
+
+**`okta.client.user_agent.browser`**
+:   The browser informaton of the client.
+
+type: keyword
+
+
+**`okta.client.zone`**
+:   The zone information of the client.
+
+type: keyword
+
+
+**`okta.client.device`**
+:   The information of the client device.
+
+type: keyword
+
+
+**`okta.client.id`**
+:   The identifier of the client.
+
+type: keyword
+
+
+
+## outcome [_outcome]
+
+Fields that let you store information about the outcome.
+
+**`okta.outcome.reason`**
+:   The reason of the outcome.
+
+type: keyword
+
+
+**`okta.outcome.result`**
+:   The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
+
+type: keyword
+
+
+**`okta.target`**
+:   The list of targets.
+
+type: flattened
+
+
+
+## transaction [_transaction]
+
+Fields that let you store information about related transaction.
+
+**`okta.transaction.id`**
+:   Identifier of the transaction.
+
+type: keyword
+
+
+**`okta.transaction.type`**
+:   The type of transaction. Must be one of "WEB", "JOB".
+
+type: keyword
+
+
+
+## debug_context [_debug_context]
+
+Fields that let you store information about the debug context.
+
+
+## debug_data [_debug_data]
+
+The debug data.
+
+**`okta.debug_context.debug_data.device_fingerprint`**
+:   The fingerprint of the device.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.factor`**
+:   The factor used for authentication.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.request_id`**
+:   The identifier of the request.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.request_uri`**
+:   The request URI.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.threat_suspected`**
+:   Threat suspected.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.risk_behaviors`**
+:   The set of behaviors that contribute to a risk assessment.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.risk_level`**
+:   The risk level assigned to the sign in attempt.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.risk_reasons`**
+:   The reasons for the risk.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.url`**
+:   The URL.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.flattened`**
+:   The complete debug_data object.
+
+type: flattened
+
+
+
+## suspicious_activity [_suspicious_activity]
+
+The suspicious activity fields from the debug data.
+
+**`okta.debug_context.debug_data.suspicious_activity.browser`**
+:   The browser used.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.suspicious_activity.event_city`**
+:   The city where the suspicious activity took place.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.suspicious_activity.event_country`**
+:   The country where the suspicious activity took place.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.suspicious_activity.event_id`**
+:   The event ID.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.suspicious_activity.event_ip`**
+:   The IP of the suspicious event.
+
+type: ip
+
+
+**`okta.debug_context.debug_data.suspicious_activity.event_latitude`**
+:   The latitude where the suspicious activity took place.
+
+type: float
+
+
+**`okta.debug_context.debug_data.suspicious_activity.event_longitude`**
+:   The longitude where the suspicious activity took place.
+
+type: float
+
+
+**`okta.debug_context.debug_data.suspicious_activity.event_state`**
+:   The state where the suspicious activity took place.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.suspicious_activity.event_transaction_id`**
+:   The event transaction ID.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.suspicious_activity.event_type`**
+:   The event type.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.suspicious_activity.os`**
+:   The OS of the system from where the suspicious activity occured.
+
+type: keyword
+
+
+**`okta.debug_context.debug_data.suspicious_activity.timestamp`**
+:   The timestamp of when the activity occurred.
+
+type: date
+
+
+
+## authentication_context [_authentication_context]
+
+Fields that let you store information about authentication context.
+
+**`okta.authentication_context.authentication_provider`**
+:   The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER.
+
+type: keyword
+
+
+**`okta.authentication_context.authentication_step`**
+:   The authentication step.
+
+type: integer
+
+
+**`okta.authentication_context.credential_provider`**
+:   The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY.
+
+type: keyword
+
+
+**`okta.authentication_context.credential_type`**
+:   The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID.
+
+type: keyword
+
+
+**`okta.authentication_context.issuer`**
+:   The information about the issuer.
+
+type: array
+
+
+**`okta.authentication_context.external_session_id`**
+:   The session identifer of the external session if any.
+
+type: keyword
+
+
+**`okta.authentication_context.interface`**
+:   The interface used. e.g., Outlook, Office365, wsTrust
+
+type: keyword
+
+
+
+## security_context [_security_context]
+
+Fields that let you store information about security context.
+
+
+## as [_as_2]
+
+The autonomous system.
+
+**`okta.security_context.as.number`**
+:   The AS number.
+
+type: integer
+
+
+
+## organization [_organization_2]
+
+The organization that owns the AS number.
+
+**`okta.security_context.as.organization.name`**
+:   The organization name.
+
+type: keyword
+
+
+**`okta.security_context.isp`**
+:   The Internet Service Provider.
+
+type: keyword
+
+
+**`okta.security_context.domain`**
+:   The domain name.
+
+type: keyword
+
+
+**`okta.security_context.is_proxy`**
+:   Whether it is a proxy or not.
+
+type: boolean
+
+
+
+## request [_request_3]
+
+Fields that let you store information about the request, in the form of list of ip_chain.
+
+**`okta.request.ip_chain`**
+:   List of ip_chain objects.
+
+type: flattened
+
+
diff --git a/docs/reference/filebeat/exported-fields-oracle.md b/docs/reference/filebeat/exported-fields-oracle.md
new file mode 100644
index 000000000000..75be1b689d89
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-oracle.md
@@ -0,0 +1,175 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-oracle.html
+---
+
+# Oracle fields [exported-fields-oracle]
+
+Oracle Module
+
+
+## oracle [_oracle]
+
+Fields from Oracle logs.
+
+
+## database_audit [_database_audit]
+
+Module for parsing Oracle Database audit logs
+
+**`oracle.database_audit.priv_used`**
+:   System privilege used to execute the action.
+
+type: integer
+
+
+**`oracle.database_audit.logoff_pread`**
+:   Physical reads for the session.
+
+type: integer
+
+
+**`oracle.database_audit.logoff_lread`**
+:   Logical reads for the session.
+
+type: integer
+
+
+**`oracle.database_audit.logoff_lwrite`**
+:   Logical writes for the session.
+
+type: integer
+
+
+**`oracle.database_audit.logoff_dead`**
+:   Deadlocks detected during the session.
+
+type: integer
+
+
+**`oracle.database_audit.sessioncpu`**
+:   Amount of CPU time used by each Oracle session.
+
+type: integer
+
+
+**`oracle.database_audit.returncode`**
+:   Oracle error code generated by the action.
+
+type: integer
+
+
+**`oracle.database_audit.statement`**
+:   nth statement in the user session.
+
+type: integer
+
+
+**`oracle.database_audit.userid`**
+:   Name of the user whose actions were audited.
+
+type: keyword
+
+
+**`oracle.database_audit.entryid`**
+:   Numeric ID for each audit trail entry in the session. The entry ID is an index of a session’s audit entries that starts at 1 and increases to the number of entries that are written.
+
+type: integer
+
+
+**`oracle.database_audit.comment_text`**
+:   Text comment on the audit trail entry, providing more information about the statement audited.
+
+type: text
+
+
+**`oracle.database_audit.os_userid`**
+:   Operating system login username of the user whose actions were audited.
+
+type: keyword
+
+
+**`oracle.database_audit.terminal`**
+:   Identifier of the user’s terminal.
+
+type: text
+
+
+**`oracle.database_audit.status`**
+:   Database Audit Status.
+
+type: keyword
+
+
+**`oracle.database_audit.session_id`**
+:   Indicates the audit session ID number.
+
+type: keyword
+
+
+**`oracle.database_audit.client.terminal`**
+:   If available, the client terminal type, for example "pty".
+
+type: keyword
+
+
+**`oracle.database_audit.client.address`**
+:   The IP Address or Domain used by the client.
+
+type: keyword
+
+
+**`oracle.database_audit.client.user`**
+:   The user running the client or connection to the database.
+
+type: keyword
+
+
+**`oracle.database_audit.database.user`**
+:   The database user used to authenticate.
+
+type: keyword
+
+
+**`oracle.database_audit.privilege`**
+:   The privilege group related to the database user.
+
+type: keyword
+
+
+**`oracle.database_audit.entry.id`**
+:   Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records.
+
+type: keyword
+
+
+**`oracle.database_audit.database.host`**
+:   Client host machine name.
+
+type: keyword
+
+
+**`oracle.database_audit.action`**
+:   The action performed during the audit event. This could for example be the raw query.
+
+type: keyword
+
+
+**`oracle.database_audit.action_number`**
+:   Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON.
+
+type: keyword
+
+
+**`oracle.database_audit.database.id`**
+:   Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view.
+
+type: keyword
+
+
+**`oracle.database_audit.length`**
+:   Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record.
+
+type: long
+
+
diff --git a/docs/reference/filebeat/exported-fields-osquery.md b/docs/reference/filebeat/exported-fields-osquery.md
new file mode 100644
index 000000000000..0c70abd6d254
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-osquery.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-osquery.html
+---
+
+# Osquery fields [exported-fields-osquery]
+
+Fields exported by the `osquery` module
+
+
+## osquery [_osquery]
+
+
+## result [_result]
+
+Common fields exported by the result metricset.
+
+**`osquery.result.name`**
+:   The name of the query that generated this event.
+
+type: keyword
+
+
+**`osquery.result.action`**
+:   For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot".
+
+type: keyword
+
+
+**`osquery.result.host_identifier`**
+:   The identifier for the host on which the osquery agent is running. Normally the hostname.
+
+type: keyword
+
+
+**`osquery.result.unix_time`**
+:   Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column.
+
+type: long
+
+
+**`osquery.result.calendar_time`**
+:   String representation of the collection time, as formatted by osquery.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-panw.md b/docs/reference/filebeat/exported-fields-panw.md
new file mode 100644
index 000000000000..b94cf8086a92
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-panw.md
@@ -0,0 +1,401 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-panw.html
+---
+
+# panw fields [exported-fields-panw]
+
+Module for Palo Alto Networks (PAN-OS)
+
+
+## panw [_panw]
+
+Fields from the panw module.
+
+
+## panos [_panos]
+
+Fields for the Palo Alto Networks PAN-OS logs.
+
+**`panw.panos.ruleset`**
+:   Name of the rule that matched this session.
+
+type: keyword
+
+
+
+## source [_source_3]
+
+Fields to extend the top-level source object.
+
+**`panw.panos.source.zone`**
+:   Source zone for this session.
+
+type: keyword
+
+
+**`panw.panos.source.interface`**
+:   Source interface for this session.
+
+type: keyword
+
+
+
+## nat [_nat]
+
+Post-NAT source address, if source NAT is performed.
+
+**`panw.panos.source.nat.ip`**
+:   Post-NAT source IP.
+
+type: ip
+
+
+**`panw.panos.source.nat.port`**
+:   Post-NAT source port.
+
+type: long
+
+
+
+## destination [_destination_3]
+
+Fields to extend the top-level destination object.
+
+**`panw.panos.destination.zone`**
+:   Destination zone for this session.
+
+type: keyword
+
+
+**`panw.panos.destination.interface`**
+:   Destination interface for this session.
+
+type: keyword
+
+
+
+## nat [_nat_2]
+
+Post-NAT destination address, if destination NAT is performed.
+
+**`panw.panos.destination.nat.ip`**
+:   Post-NAT destination IP.
+
+type: ip
+
+
+**`panw.panos.destination.nat.port`**
+:   Post-NAT destination port.
+
+type: long
+
+
+**`panw.panos.endreason`**
+:   The reason a session terminated.
+
+type: keyword
+
+
+
+## network [_network_2]
+
+Fields to extend the top-level network object.
+
+**`panw.panos.network.pcap_id`**
+:   Packet capture ID for a threat.
+
+type: keyword
+
+
+**`panw.panos.network.nat.community_id`**
+:   Community ID flow-hash for the NAT 5-tuple.
+
+type: keyword
+
+
+
+## file [_file_3]
+
+Fields to extend the top-level file object.
+
+**`panw.panos.file.hash`**
+:   Binary hash for a threat file sent to be analyzed by the WildFire service.
+
+type: keyword
+
+
+
+## url [_url_4]
+
+Fields to extend the top-level url object.
+
+**`panw.panos.url.category`**
+:   For threat URLs, it’s the URL category. For WildFire, the verdict on the file and is either *malicious*, *grayware*, or *benign*.
+
+type: keyword
+
+
+**`panw.panos.flow_id`**
+:   Internal numeric identifier for each session.
+
+type: keyword
+
+
+**`panw.panos.sequence_number`**
+:   Log entry identifier that is incremented sequentially. Unique for each log type.
+
+type: long
+
+
+**`panw.panos.threat.resource`**
+:   URL or file name for a threat.
+
+type: keyword
+
+
+**`panw.panos.threat.id`**
+:   Palo Alto Networks identifier for the threat.
+
+type: keyword
+
+
+**`panw.panos.threat.name`**
+:   Palo Alto Networks name for the threat.
+
+type: keyword
+
+
+**`panw.panos.action`**
+:   Action taken for the session.
+
+type: keyword
+
+
+**`panw.panos.type`**
+:   Specifies the type of the log
+
+
+**`panw.panos.sub_type`**
+:   Specifies the sub type of the log
+
+
+**`panw.panos.virtual_sys`**
+:   Virtual system instance
+
+type: keyword
+
+
+**`panw.panos.client_os_ver`**
+:   The client device’s OS version.
+
+type: keyword
+
+
+**`panw.panos.client_os`**
+:   The client device’s OS version.
+
+type: keyword
+
+
+**`panw.panos.client_ver`**
+:   The client’s GlobalProtect app version.
+
+type: keyword
+
+
+**`panw.panos.stage`**
+:   A string showing the stage of the connection
+
+type: keyword
+
+example: before-login
+
+
+**`panw.panos.actionflags`**
+:   A bit field indicating if the log was forwarded to Panorama.
+
+type: keyword
+
+
+**`panw.panos.error`**
+:   A string showing that error that has occurred in any event.
+
+type: keyword
+
+
+**`panw.panos.error_code`**
+:   An integer associated with any errors that occurred.
+
+type: integer
+
+
+**`panw.panos.repeatcnt`**
+:   The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.An integer associated with any errors that occurred.
+
+type: integer
+
+
+**`panw.panos.serial_number`**
+:   The serial number of the user’s machine or device.
+
+type: keyword
+
+
+**`panw.panos.auth_method`**
+:   A string showing the authentication type
+
+type: keyword
+
+example: LDAP
+
+
+**`panw.panos.datasource`**
+:   Source from which mapping information is collected.
+
+type: keyword
+
+
+**`panw.panos.datasourcetype`**
+:   Mechanism used to identify the IP/User mappings within a data source.
+
+type: keyword
+
+
+**`panw.panos.datasourcename`**
+:   User-ID source that sends the IP (Port)-User Mapping.
+
+type: keyword
+
+
+**`panw.panos.factorno`**
+:   Indicates the use of primary authentication (1) or additional factors (2, 3).
+
+type: integer
+
+
+**`panw.panos.factortype`**
+:   Vendor used to authenticate a user when Multi Factor authentication is present.
+
+type: keyword
+
+
+**`panw.panos.factorcompletiontime`**
+:   Time the authentication was completed.
+
+type: date
+
+
+**`panw.panos.ugflags`**
+:   Displays whether the user group that was found during user group mapping. Supported values are: User Group Found—Indicates whether the user could be mapped to a group. Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found.
+
+type: keyword
+
+
+
+## device_group_hierarchy [_device_group_hierarchy]
+
+A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
+
+**`panw.panos.device_group_hierarchy.level_1`**
+:   A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
+
+type: keyword
+
+
+**`panw.panos.device_group_hierarchy.level_2`**
+:   A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
+
+type: keyword
+
+
+**`panw.panos.device_group_hierarchy.level_3`**
+:   A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
+
+type: keyword
+
+
+**`panw.panos.device_group_hierarchy.level_4`**
+:   A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
+
+type: keyword
+
+
+**`panw.panos.timeout`**
+:   Timeout after which the IP/User Mappings are cleared.
+
+type: integer
+
+
+**`panw.panos.vsys_id`**
+:   A unique identifier for a virtual system on a Palo Alto Networks firewall.
+
+type: keyword
+
+
+**`panw.panos.vsys_name`**
+:   The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
+
+type: keyword
+
+
+**`panw.panos.description`**
+:   Additional information for any event that has occurred.
+
+type: keyword
+
+
+**`panw.panos.tunnel_type`**
+:   The type of tunnel (either SSLVPN or IPSec).
+
+type: keyword
+
+
+**`panw.panos.connect_method`**
+:   A string showing the how the GlobalProtect app connects to Gateway
+
+type: keyword
+
+
+**`panw.panos.matchname`**
+:   Name of the HIP object or profile.
+
+type: keyword
+
+
+**`panw.panos.matchtype`**
+:   Whether the hip field represents a HIP object or a HIP profile.
+
+type: keyword
+
+
+**`panw.panos.priority`**
+:   The priority order of the gateway that is based on highest (1), high (2), medium (3), low (4), or lowest (5) to which the GlobalProtect app can connect.
+
+type: keyword
+
+
+**`panw.panos.response_time`**
+:   The SSL response time of the selected gateway that is measured in milliseconds on the endpoint during tunnel setup.
+
+type: keyword
+
+
+**`panw.panos.attempted_gateways`**
+:   The fields that are collected for each gateway connection attempt with the gateway name, SSL response time, and priority
+
+type: keyword
+
+
+**`panw.panos.gateway`**
+:   The name of the gateway that is specified on the portal configuration.
+
+type: keyword
+
+
+**`panw.panos.selection_type`**
+:   The connection method that is selected to connect to the gateway.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-pensando.md b/docs/reference/filebeat/exported-fields-pensando.md
new file mode 100644
index 000000000000..2e24579f8f07
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-pensando.md
@@ -0,0 +1,91 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-pensando.html
+---
+
+# Pensando fields [exported-fields-pensando]
+
+pensando Module
+
+
+## pensando [_pensando]
+
+Fields from Pensando logs.
+
+
+## dfw [_dfw]
+
+Fields for Pensando DFW
+
+**`pensando.dfw.action`**
+:   Action on the flow.
+
+type: keyword
+
+
+**`pensando.dfw.app_id`**
+:   Application ID
+
+type: integer
+
+
+**`pensando.dfw.destination_address`**
+:   Address of destination.
+
+type: keyword
+
+
+**`pensando.dfw.destination_port`**
+:   Port of destination.
+
+type: integer
+
+
+**`pensando.dfw.direction`**
+:   Direction of the flow
+
+type: keyword
+
+
+**`pensando.dfw.protocol`**
+:   Protocol of the flow
+
+type: keyword
+
+
+**`pensando.dfw.rule_id`**
+:   Rule ID that was matched.
+
+type: keyword
+
+
+**`pensando.dfw.session_id`**
+:   Session ID of the flow
+
+type: integer
+
+
+**`pensando.dfw.session_state`**
+:   Session state of the flow.
+
+type: keyword
+
+
+**`pensando.dfw.source_address`**
+:   Source address of the flow.
+
+type: keyword
+
+
+**`pensando.dfw.source_port`**
+:   Source port of the flow.
+
+type: integer
+
+
+**`pensando.dfw.timestamp`**
+:   Timestamp of the log.
+
+type: date
+
+
diff --git a/docs/reference/filebeat/exported-fields-postgresql.md b/docs/reference/filebeat/exported-fields-postgresql.md
new file mode 100644
index 000000000000..a5fd2cfba56d
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-postgresql.md
@@ -0,0 +1,191 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-postgresql.html
+---
+
+# PostgreSQL fields [exported-fields-postgresql]
+
+Module for parsing the PostgreSQL log files.
+
+
+## postgresql [_postgresql]
+
+Fields from PostgreSQL logs.
+
+
+## log [_log_11]
+
+Fields from the PostgreSQL log files.
+
+**`postgresql.log.timestamp`**
+:   [7.3.0]
+
+The timestamp from the log line.
+
+
+**`postgresql.log.core_id`**
+:   [8.0.0]
+
+Core id. (deprecated, there is no core_id in PostgreSQL logs, this is actually session_line_number).
+
+type: alias
+
+alias to: postgresql.log.session_line_number
+
+
+**`postgresql.log.client_addr`**
+:   Host where the connection originated from.
+
+example: 127.0.0.1
+
+
+**`postgresql.log.client_port`**
+:   Port where the connection originated from.
+
+example: 59700
+
+
+**`postgresql.log.session_id`**
+:   PostgreSQL session.
+
+example: 5ff1dd98.22
+
+
+**`postgresql.log.session_line_number`**
+:   Line number inside a session. (%l in `log_line_prefix`).
+
+type: long
+
+
+**`postgresql.log.database`**
+:   Name of database.
+
+example: postgres
+
+
+**`postgresql.log.query`**
+:   Query statement. In the case of CSV parse, look at command_tag to get more context.
+
+example: SELECT * FROM users;
+
+
+**`postgresql.log.query_step`**
+:   Statement step when using extended query protocol (one of statement, parse, bind or execute).
+
+example: parse
+
+
+**`postgresql.log.query_name`**
+:   Name given to a query when using extended query protocol. If it is "<unnamed>", or not present, this field is ignored.
+
+example: pdo_stmt_00000001
+
+
+**`postgresql.log.command_tag`**
+:   Type of session’s current command. The complete list can be found at: src/include/tcop/cmdtaglist.h
+
+example: SELECT
+
+
+**`postgresql.log.session_start_time`**
+:   Time when this session started.
+
+type: date
+
+
+**`postgresql.log.virtual_transaction_id`**
+:   Backend local transaction id.
+
+
+**`postgresql.log.transaction_id`**
+:   The id of current transaction.
+
+type: long
+
+
+**`postgresql.log.sql_state_code`**
+:   State code returned by Postgres (if any). See also [https://www.postgresql.org/docs/current/errcodes-appendix.html](https://www.postgresql.org/docs/current/errcodes-appendix.html)
+
+type: keyword
+
+
+**`postgresql.log.detail`**
+:   More information about the message, parameters in case of a parametrized query. e.g. *Role \"user\" does not exist.*, *parameters: $1 = 42*, etc.
+
+
+**`postgresql.log.hint`**
+:   A possible solution to solve an error.
+
+
+**`postgresql.log.internal_query`**
+:   Internal query that led to the error (if any).
+
+
+**`postgresql.log.internal_query_pos`**
+:   Character count of the internal query (if any).
+
+type: long
+
+
+**`postgresql.log.context`**
+:   Error context.
+
+
+**`postgresql.log.query_pos`**
+:   Character count of the error position (if any).
+
+type: long
+
+
+**`postgresql.log.location`**
+:   Location of the error in the PostgreSQL source code (if log_error_verbosity is set to verbose).
+
+
+**`postgresql.log.application_name`**
+:   Name of the application of this event. It is defined by the client.
+
+
+**`postgresql.log.backend_type`**
+:   Type of backend of this event. Possible types are autovacuum launcher, autovacuum worker, logical replication launcher, logical replication worker, parallel worker, background writer, client backend, checkpointer, startup, walreceiver, walsender and walwriter. In addition, background workers registered by extensions may have additional types.
+
+example: client backend
+
+
+**`postgresql.log.error.code`**
+:   [8.0.0]
+
+Error code returned by Postgres (if any). Deprecated: errors can have letters. Use sql_state_code instead.
+
+type: alias
+
+alias to: postgresql.log.sql_state_code
+
+
+**`postgresql.log.timezone`**
+:   type: alias
+
+alias to: event.timezone
+
+
+**`postgresql.log.user`**
+:   type: alias
+
+alias to: user.name
+
+
+**`postgresql.log.level`**
+:   Valid values are DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC.
+
+type: alias
+
+example: LOG
+
+alias to: log.level
+
+
+**`postgresql.log.message`**
+:   type: alias
+
+alias to: message
+
+
diff --git a/docs/reference/filebeat/exported-fields-process.md b/docs/reference/filebeat/exported-fields-process.md
new file mode 100644
index 000000000000..1376d72752fb
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-process.md
@@ -0,0 +1,38 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-process.html
+---
+
+# Process fields [exported-fields-process]
+
+Process metadata fields
+
+**`process.exe`**
+:   type: alias
+
+alias to: process.executable
+
+
+
+## owner [_owner]
+
+Process owner information.
+
+**`process.owner.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+
+**`process.owner.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+
+**`process.owner.name.text`**
+:   type: text
+
+
diff --git a/docs/reference/filebeat/exported-fields-rabbitmq.md b/docs/reference/filebeat/exported-fields-rabbitmq.md
new file mode 100644
index 000000000000..56e221758b16
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-rabbitmq.md
@@ -0,0 +1,25 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-rabbitmq.html
+---
+
+# RabbitMQ fields [exported-fields-rabbitmq]
+
+RabbitMQ Module
+
+
+## rabbitmq [_rabbitmq]
+
+
+## log [_log_12]
+
+RabbitMQ log files
+
+**`rabbitmq.log.pid`**
+:   The Erlang process id
+
+type: keyword
+
+example: <0.222.0>
+
+
diff --git a/docs/reference/filebeat/exported-fields-redis.md b/docs/reference/filebeat/exported-fields-redis.md
new file mode 100644
index 000000000000..d49af843cd32
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-redis.md
@@ -0,0 +1,76 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-redis.html
+---
+
+# Redis fields [exported-fields-redis]
+
+Redis Module
+
+
+## redis [_redis]
+
+
+## log [_log_13]
+
+Redis log files
+
+**`redis.log.role`**
+:   The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`.
+
+type: keyword
+
+
+**`redis.log.pid`**
+:   type: alias
+
+alias to: process.pid
+
+
+**`redis.log.level`**
+:   type: alias
+
+alias to: log.level
+
+
+**`redis.log.message`**
+:   type: alias
+
+alias to: message
+
+
+
+## slowlog [_slowlog_4]
+
+Slow logs are retrieved from Redis via a network connection.
+
+**`redis.slowlog.cmd`**
+:   The command executed.
+
+type: keyword
+
+
+**`redis.slowlog.duration.us`**
+:   How long it took to execute the command in microseconds.
+
+type: long
+
+
+**`redis.slowlog.id`**
+:   The ID of the query.
+
+type: long
+
+
+**`redis.slowlog.key`**
+:   The key on which the command was executed.
+
+type: keyword
+
+
+**`redis.slowlog.args`**
+:   The arguments with which the command was called.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-s3.md b/docs/reference/filebeat/exported-fields-s3.md
new file mode 100644
index 000000000000..32a4982df101
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-s3.md
@@ -0,0 +1,33 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-s3.html
+---
+
+# s3 fields [exported-fields-s3]
+
+S3 fields from s3 input.
+
+**`bucket.name`**
+:   Name of the S3 bucket that this log retrieved from.
+
+type: keyword
+
+
+**`bucket.arn`**
+:   ARN of the S3 bucket that this log retrieved from.
+
+type: keyword
+
+
+**`object.key`**
+:   Name of the S3 object that this log retrieved from.
+
+type: keyword
+
+
+**`metadata`**
+:   AWS S3 object metadata values.
+
+type: flattened
+
+
diff --git a/docs/reference/filebeat/exported-fields-salesforce.md b/docs/reference/filebeat/exported-fields-salesforce.md
new file mode 100644
index 000000000000..d2962a345b95
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-salesforce.md
@@ -0,0 +1,646 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-salesforce.html
+---
+
+# Salesforce fields [exported-fields-salesforce]
+
+Salesforce Module
+
+
+## salesforce [_salesforce]
+
+Fileset for ingesting Salesforce Apex logs.
+
+**`salesforce.instance_url`**
+:   The Instance URL of the Salesforce instance.
+
+type: keyword
+
+
+
+## apex [_apex]
+
+Fileset for ingesting Salesforce Apex logs.
+
+**`salesforce.apex.document_id`**
+:   Unique ID of the Apex document.
+
+type: keyword
+
+
+**`salesforce.apex.action`**
+:   Action performed by the callout.
+
+type: keyword
+
+
+**`salesforce.apex.callout_time`**
+:   Time spent waiting on web service callouts, in milliseconds.
+
+type: float
+
+
+**`salesforce.apex.class_name`**
+:   The Apex class name. If the class is part of a managed package, this string includes the package namespace.
+
+type: keyword
+
+
+**`salesforce.apex.client_name`**
+:   The name of the client that’s using Salesforce services. This field is an optional parameter that can be passed in API calls. If blank, the caller didn’t specify a client in the CallOptions header.
+
+type: keyword
+
+
+**`salesforce.apex.cpu_time`**
+:   The CPU time in milliseconds used to complete the request.
+
+type: float
+
+
+**`salesforce.apex.db_blocks`**
+:   Indicates how much activity is occurring in the database. A high value for this field suggests that adding indexes or filters on your queries would benefit performance.
+
+type: long
+
+
+**`salesforce.apex.db_cpu_time`**
+:   The CPU time in milliseconds to complete the request. Indicates the amount of activity taking place in the database layer during the request.
+
+type: float
+
+
+**`salesforce.apex.db_total_time`**
+:   Time (in milliseconds) spent waiting for database processing in aggregate for all operations in the request. Compare this field to cpu_time to determine whether performance issues are occurring in the database layer or in your own code.
+
+type: float
+
+
+**`salesforce.apex.entity`**
+:   Name of the external object being accessed.
+
+type: keyword
+
+
+**`salesforce.apex.entity_name`**
+:   The name of the object affected by the trigger.
+
+type: keyword
+
+
+**`salesforce.apex.entry_point`**
+:   The entry point for this Apex execution.
+
+type: keyword
+
+
+**`salesforce.apex.event_type`**
+:   The type of event.
+
+type: keyword
+
+
+**`salesforce.apex.execute_ms`**
+:   How long it took (in milliseconds) for Salesforce to prepare and execute the query. Available in API version 42.0 and later.
+
+type: float
+
+
+**`salesforce.apex.fetch_ms`**
+:   How long it took (in milliseconds) to retrieve the query results from the external system. Available in API version 42.0 and later.
+
+type: float
+
+
+**`salesforce.apex.filter`**
+:   Field expressions to filter which rows to return. Corresponds to WHERE in SOQL queries.
+
+type: keyword
+
+
+**`salesforce.apex.is_long_running_request`**
+:   Indicates whether the request is counted against your org’s concurrent long-running Apex request limit (true) or not (false).
+
+type: keyword
+
+
+**`salesforce.apex.limit`**
+:   Maximum number of rows to return for a query. Corresponds to LIMIT in SOQL queries.
+
+type: long
+
+
+**`salesforce.apex.limit_usage_pct`**
+:   The percentage of Apex SOAP calls that were made against the organization’s limit.
+
+type: float
+
+
+**`salesforce.apex.login_key`**
+:   The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring.
+
+type: keyword
+
+
+**`salesforce.apex.media_type`**
+:   The media type of the response.
+
+type: keyword
+
+
+**`salesforce.apex.message`**
+:   Error or warning message associated with the failed call.
+
+type: text
+
+
+**`salesforce.apex.method_name`**
+:   The name of the calling Apex method.
+
+type: keyword
+
+
+**`salesforce.apex.fields_count`**
+:   The number of fields or columns, where applicable.
+
+type: long
+
+
+**`salesforce.apex.soql_queries_count`**
+:   The number of SOQL queries that were executed during the event.
+
+type: long
+
+
+**`salesforce.apex.offset`**
+:   Number of rows to skip when paging through a result set. Corresponds to OFFSET in SOQL queries.
+
+type: long
+
+
+**`salesforce.apex.orderby`**
+:   Field or column to use for sorting query results, and whether to sort the results in ascending (default) or descending order. Corresponds to ORDER BY in SOQL queries.
+
+type: keyword
+
+
+**`salesforce.apex.organization_id`**
+:   The 15-character ID of the organization.
+
+type: keyword
+
+
+**`salesforce.apex.query`**
+:   The SOQL query, if one was performed.
+
+type: keyword
+
+
+**`salesforce.apex.quiddity`**
+:   The type of outer execution associated with this event.
+
+type: keyword
+
+
+**`salesforce.apex.request_id`**
+:   The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same request_id.
+
+type: keyword
+
+
+**`salesforce.apex.request_status`**
+:   The status of the request for a page view or user interface action.
+
+type: keyword
+
+
+**`salesforce.apex.rows_total`**
+:   Total number of records in the result set. The value is always -1 if the custom adapter’s DataSource.Provider class doesn’t declare the QUERY_TOTAL_SIZE capability.
+
+type: long
+
+
+**`salesforce.apex.rows_fetched`**
+:   Number of rows fetched by the callout. Available in API version 42.0 and later.
+
+type: long
+
+
+**`salesforce.apex.rows_processed`**
+:   The number of rows that were processed in the request.
+
+type: long
+
+
+**`salesforce.apex.run_time`**
+:   The amount of time that the request took in milliseconds.
+
+type: float
+
+
+**`salesforce.apex.select`**
+:   Comma-separated list of fields being queried. Corresponds to SELECT in SOQL queries.
+
+type: keyword
+
+
+**`salesforce.apex.subqueries`**
+:   Reserved for future use.
+
+type: keyword
+
+
+**`salesforce.apex.throughput`**
+:   Number of records retrieved in one second.
+
+type: float
+
+
+**`salesforce.apex.trigger_id`**
+:   The 15-character ID of the trigger that was fired.
+
+type: keyword
+
+
+**`salesforce.apex.trigger_name`**
+:   For triggers coming from managed packages, trigger_name includes a namespace prefix separated with a . character. If no namespace prefix is present, the trigger is from an unmanaged trigger.
+
+type: keyword
+
+
+**`salesforce.apex.trigger_type`**
+:   The type of this trigger.
+
+type: keyword
+
+
+**`salesforce.apex.type`**
+:   The type of Apex callout.
+
+type: keyword
+
+
+**`salesforce.apex.uri`**
+:   The URI of the page that’s receiving the request.
+
+type: keyword
+
+
+**`salesforce.apex.uri_derived_id`**
+:   The 18-character case-safe ID of the URI of the page that’s receiving the request.
+
+type: keyword
+
+
+**`salesforce.apex.user_agent`**
+:   The numeric code for the type of client used to make the request (for example, the browser, application, or API).
+
+type: keyword
+
+
+**`salesforce.apex.user_id_derived`**
+:   The 18-character case-safe ID of the user who’s using Salesforce services through the UI or the API.
+
+type: keyword
+
+
+
+## salesforce.login [_salesforce_login]
+
+Fileset for ingesting Salesforce Login (REST) logs.
+
+**`salesforce.login.document_id`**
+:   Unique Id.
+
+type: keyword
+
+
+**`salesforce.login.application`**
+:   The application used to access the organization.
+
+type: keyword
+
+
+**`salesforce.login.api.type`**
+:   The type of Salesforce API request.
+
+type: keyword
+
+
+**`salesforce.login.api.version`**
+:   The version of the Salesforce API that’s being used.
+
+type: keyword
+
+
+**`salesforce.login.auth.service_id`**
+:   The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol.
+
+type: keyword
+
+
+**`salesforce.login.auth.method_reference`**
+:   The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol. This field is available in API version 51.0 and later.
+
+type: keyword
+
+
+**`salesforce.login.session.level`**
+:   Session-level security controls user access to features that support it, such as connected apps and reporting. This field is available in API version 42.0 and later.
+
+type: text
+
+
+**`salesforce.login.session.key`**
+:   The user’s unique session ID. Use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. For LoginEvent, this field is often null because the event is captured before a session is created. For example, vMASKIU6AxEr+Op5. This field is available in API version 46.0 and later.
+
+type: keyword
+
+
+**`salesforce.login.key`**
+:   The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring.
+
+type: keyword
+
+
+**`salesforce.login.history_id`**
+:   Tracks a user session so you can correlate user activity with a particular login instance. This field is also available on the LoginHistory, AuthSession, and other objects, making it easier to trace events back to a user’s original authentication.
+
+type: keyword
+
+
+**`salesforce.login.type`**
+:   The type of login used to access the session.
+
+type: keyword
+
+
+**`salesforce.login.geo_id`**
+:   The Salesforce ID of the LoginGeo object associated with the login user’s IP address.
+
+type: keyword
+
+
+**`salesforce.login.additional_info`**
+:   JSON serialization of additional information that’s captured from the HTTP headers during a login request.
+
+type: text
+
+
+**`salesforce.login.client_version`**
+:   The version number of the login client. If no version number is available, “Unknown” is returned.
+
+type: keyword
+
+
+**`salesforce.login.client_ip`**
+:   The IP address of the client that’s using Salesforce services. A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP”.
+
+type: keyword
+
+
+**`salesforce.login.cpu_time`**
+:   The CPU time in milliseconds used to complete the request. This field indicates the amount of activity taking place in the app server layer.
+
+type: long
+
+
+**`salesforce.login.db_time_total`**
+:   The time in nanoseconds for a database round trip. Includes time spent in the JDBC driver, network to the database, and DB’s CPU time. Compare this field to cpu_time to determine whether performance issues are occurring in the database layer or in your own code.
+
+type: double
+
+
+**`salesforce.login.event_type`**
+:   The type of event. The value is always Login.
+
+type: keyword
+
+
+**`salesforce.login.organization_id`**
+:   The 15-character ID of the organization.
+
+type: keyword
+
+
+**`salesforce.login.request_id`**
+:   The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID.
+
+type: keyword
+
+
+**`salesforce.login.request_status`**
+:   The status of the request for a page view or user interface action.
+
+type: keyword
+
+
+**`salesforce.login.run_time`**
+:   The amount of time that the request took in milliseconds.
+
+type: long
+
+
+**`salesforce.login.user_id`**
+:   The 15-character ID of the user who’s using Salesforce services through the UI or the API.
+
+type: keyword
+
+
+**`salesforce.login.uri_id_derived`**
+:   The 18-character case insensitive ID of the URI of the page that’s receiving the request.
+
+type: keyword
+
+
+**`salesforce.login.evaluation_time`**
+:   The amount of time it took to evaluate the transaction security policy, in milliseconds.
+
+type: float
+
+
+**`salesforce.login.login_type`**
+:   The type of login used to access the session.
+
+type: keyword
+
+
+
+## salesforce.logout [_salesforce_logout]
+
+Fileset for parsing Salesforce Logout (REST) logs.
+
+**`salesforce.logout.document_id`**
+:   Unique Id.
+
+type: keyword
+
+
+**`salesforce.logout.session.key`**
+:   The user’s unique session ID. You can use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started.
+
+type: keyword
+
+
+**`salesforce.logout.session.level`**
+:   The security level of the session that was used when logging out (e.g. Standard Session or High-Assurance Session).
+
+type: text
+
+
+**`salesforce.logout.session.type`**
+:   The session type that was used when logging out (e.g. API, Oauth2 or UI).
+
+type: keyword
+
+
+**`salesforce.logout.login_key`**
+:   The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring.
+
+type: keyword
+
+
+**`salesforce.logout.api.type`**
+:   The type of Salesforce API request.
+
+type: keyword
+
+
+**`salesforce.logout.api.version`**
+:   The version of the Salesforce API that’s being used.
+
+type: keyword
+
+
+**`salesforce.logout.app_type`**
+:   The application type that was in use upon logging out.
+
+type: keyword
+
+
+**`salesforce.logout.browser_type`**
+:   The identifier string returned by the browser used at login.
+
+type: keyword
+
+
+**`salesforce.logout.client_version`**
+:   The version of the client that was in use upon logging out.
+
+type: keyword
+
+
+**`salesforce.logout.event_type`**
+:   The type of event. The value is always Logout.
+
+type: keyword
+
+
+**`salesforce.logout.organization_by_id`**
+:   The 15-character ID of the organization.
+
+type: keyword
+
+
+**`salesforce.logout.platform_type`**
+:   The code for the client platform. If a timeout caused the logout, this field is null.
+
+type: keyword
+
+
+**`salesforce.logout.resolution_type`**
+:   The screen resolution of the client. If a timeout caused the logout, this field is null.
+
+type: keyword
+
+
+**`salesforce.logout.user_id`**
+:   The 15-character ID of the user who’s using Salesforce services through the UI or the API.
+
+type: keyword
+
+
+**`salesforce.logout.user_id_derived`**
+:   The 18-character case-safe ID of the user who’s using Salesforce services through the UI or the API.
+
+type: keyword
+
+
+**`salesforce.logout.user_initiated_logout`**
+:   The value is 1 if the user intentionally logged out of the organization by clicking the Logout button. If the user’s session timed out due to inactivity or another implicit logout action, the value is 0.
+
+type: keyword
+
+
+**`salesforce.logout.created_by_id`**
+:   Unavailable
+
+type: keyword
+
+
+**`salesforce.logout.event_identifier`**
+:   This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank.
+
+type: keyword
+
+
+**`salesforce.logout.organization_id`**
+:   The 15-character ID of the organization.
+
+type: keyword
+
+
+
+## salesforce.setup_audit_trail [_salesforce_setup_audit_trail]
+
+Fileset for ingesting Salesforce SetupAuditTrail logs.
+
+**`salesforce.setup_audit_trail.document_id`**
+:   Unique Id.
+
+type: keyword
+
+
+**`salesforce.setup_audit_trail.created_by_context`**
+:   The context under which the Setup change was made. For example, if Einstein uses cloud-to-cloud services to make a change in Setup, the value of this field is Einstein.
+
+type: keyword
+
+
+**`salesforce.setup_audit_trail.created_by_id`**
+:   Unknown
+
+type: keyword
+
+
+**`salesforce.setup_audit_trail.created_by_issuer`**
+:   Reserved for future use.
+
+type: keyword
+
+
+**`salesforce.setup_audit_trail.delegate_user`**
+:   The Login-As user who executed the action in Setup. If a Login-As user didn’t perform the action, this field is blank. This field is available in API version 35.0 and later.
+
+type: keyword
+
+
+**`salesforce.setup_audit_trail.display`**
+:   The full description of changes made in Setup. For example, if the Action field has a value of PermSetCreate, the Display field has a value like “Created permission set MAD: with user license Salesforce.
+
+type: keyword
+
+
+**`salesforce.setup_audit_trail.responsible_namespace_prefix`**
+:   Unknown
+
+type: keyword
+
+
+**`salesforce.setup_audit_trail.section`**
+:   The section in the Setup menu where the action occurred. For example, Manage Users or Company Profile.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-santa.md b/docs/reference/filebeat/exported-fields-santa.md
new file mode 100644
index 000000000000..ef58370052bc
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-santa.md
@@ -0,0 +1,95 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-santa.html
+---
+
+# Google Santa fields [exported-fields-santa]
+
+Santa Module
+
+
+## santa [_santa]
+
+**`santa.action`**
+:   Action
+
+type: keyword
+
+example: EXEC
+
+
+**`santa.decision`**
+:   Decision that santad took.
+
+type: keyword
+
+example: ALLOW
+
+
+**`santa.reason`**
+:   Reason for the decsision.
+
+type: keyword
+
+example: CERT
+
+
+**`santa.mode`**
+:   Operating mode of Santa.
+
+type: keyword
+
+example: M
+
+
+
+## disk [_disk]
+
+Fields for DISKAPPEAR actions.
+
+**`santa.disk.volume`**
+:   The volume name.
+
+
+**`santa.disk.bus`**
+:   The disk bus protocol.
+
+
+**`santa.disk.serial`**
+:   The disk serial number.
+
+
+**`santa.disk.bsdname`**
+:   The disk BSD name.
+
+example: disk1s3
+
+
+**`santa.disk.model`**
+:   The disk model.
+
+example: APPLE SSD SM0512L
+
+
+**`santa.disk.fs`**
+:   The disk volume kind (filesystem type).
+
+example: apfs
+
+
+**`santa.disk.mount`**
+:   The disk volume path.
+
+
+**`santa.certificate.common_name`**
+:   Common name from code signing certificate.
+
+type: keyword
+
+
+**`santa.certificate.sha256`**
+:   SHA256 hash of code signing certificate.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-snyk.md b/docs/reference/filebeat/exported-fields-snyk.md
new file mode 100644
index 000000000000..d19da3d68af2
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-snyk.md
@@ -0,0 +1,222 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-snyk.html
+---
+
+# Snyk fields [exported-fields-snyk]
+
+Snyk module
+
+
+## snyk [_snyk]
+
+Module for parsing Snyk project vulnerabilities.
+
+**`snyk.projects`**
+:   Array with all related projects objects.
+
+type: flattened
+
+
+**`snyk.related.projects`**
+:   Array of all the related project ID’s.
+
+type: keyword
+
+
+
+## audit [_audit_5]
+
+Module for parsing Snyk audit logs.
+
+**`snyk.audit.org_id`**
+:   ID of the related Organization related to the event.
+
+type: keyword
+
+
+**`snyk.audit.project_id`**
+:   ID of the project related to the event.
+
+type: keyword
+
+
+**`snyk.audit.content`**
+:   Overview of the content that was changed, both old and new values.
+
+type: flattened
+
+
+
+## vulnerabilities [_vulnerabilities]
+
+Module for parsing Snyk project vulnerabilities.
+
+**`snyk.vulnerabilities.cvss3`**
+:   CSSv3 scores.
+
+type: keyword
+
+
+**`snyk.vulnerabilities.disclosure_time`**
+:   The time this vulnerability was originally disclosed to the package maintainers.
+
+type: date
+
+
+**`snyk.vulnerabilities.exploit_maturity`**
+:   The Snyk exploit maturity level.
+
+type: keyword
+
+
+**`snyk.vulnerabilities.id`**
+:   The vulnerability reference ID.
+
+type: keyword
+
+
+**`snyk.vulnerabilities.is_ignored`**
+:   If the vulnerability report has been ignored.
+
+type: boolean
+
+
+**`snyk.vulnerabilities.is_patchable`**
+:   If vulnerability is fixable by using a Snyk supplied patch.
+
+type: boolean
+
+
+**`snyk.vulnerabilities.is_patched`**
+:   If the vulnerability has been patched.
+
+type: boolean
+
+
+**`snyk.vulnerabilities.is_pinnable`**
+:   If the vulnerability is fixable by pinning a transitive dependency.
+
+type: boolean
+
+
+**`snyk.vulnerabilities.is_upgradable`**
+:   If the vulnerability fixable by upgrading a dependency.
+
+type: boolean
+
+
+**`snyk.vulnerabilities.language`**
+:   The package’s programming language.
+
+type: keyword
+
+
+**`snyk.vulnerabilities.package`**
+:   The package identifier according to its package manager.
+
+type: keyword
+
+
+**`snyk.vulnerabilities.package_manager`**
+:   The package manager.
+
+type: keyword
+
+
+**`snyk.vulnerabilities.patches`**
+:   Patches required to resolve the issue created by Snyk.
+
+type: flattened
+
+
+**`snyk.vulnerabilities.priority_score`**
+:   The CVS priority score.
+
+type: long
+
+
+**`snyk.vulnerabilities.publication_time`**
+:   The vulnerability publication time.
+
+type: date
+
+
+**`snyk.vulnerabilities.jira_issue_url`**
+:   Link to the related Jira issue.
+
+type: keyword
+
+
+**`snyk.vulnerabilities.original_severity`**
+:   The original severity of the vulnerability.
+
+type: long
+
+
+**`snyk.vulnerabilities.reachability`**
+:   If the vulnerable function from the library is used in the code scanned. Can either be No Info, Potentially reachable and Reachable.
+
+type: keyword
+
+
+**`snyk.vulnerabilities.title`**
+:   The issue title.
+
+type: keyword
+
+
+**`snyk.vulnerabilities.type`**
+:   The issue type. Can be either "license" or "vulnerability".
+
+type: keyword
+
+
+**`snyk.vulnerabilities.unique_severities_list`**
+:   A list of related unique severities.
+
+type: keyword
+
+
+**`snyk.vulnerabilities.version`**
+:   The package version this issue is applicable to.
+
+type: keyword
+
+
+**`snyk.vulnerabilities.introduced_date`**
+:   The date the vulnerability was initially found.
+
+type: date
+
+
+**`snyk.vulnerabilities.is_fixed`**
+:   If the related vulnerability has been resolved.
+
+type: boolean
+
+
+**`snyk.vulnerabilities.credit`**
+:   Reference to the person that original found the vulnerability.
+
+type: keyword
+
+
+**`snyk.vulnerabilities.semver`**
+:   One or more semver ranges this issue is applicable to. The format varies according to package manager.
+
+type: flattened
+
+
+**`snyk.vulnerabilities.identifiers.alternative`**
+:   Additional vulnerability identifiers.
+
+type: keyword
+
+
+**`snyk.vulnerabilities.identifiers.cwe`**
+:   CWE vulnerability identifiers.
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-sophos.md b/docs/reference/filebeat/exported-fields-sophos.md
new file mode 100644
index 000000000000..d8b805f4b101
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-sophos.md
@@ -0,0 +1,1244 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-sophos.html
+---
+
+# sophos fields [exported-fields-sophos]
+
+sophos Module
+
+
+## sophos.xg [_sophos_xg]
+
+Module for parsing sophosxg syslog.
+
+**`sophos.xg.action`**
+:   Event Action
+
+type: keyword
+
+
+**`sophos.xg.activityname`**
+:   Web policy activity that matched and caused the policy result.
+
+type: keyword
+
+
+**`sophos.xg.ap`**
+:   Access Point Serial ID or LocalWifi0 or LocalWifi1.
+
+type: keyword
+
+
+**`sophos.xg.app_category`**
+:   Name of the category under which application falls
+
+type: keyword
+
+
+**`sophos.xg.app_filter_policy_id`**
+:   Application filter policy ID applied on the traffic
+
+type: keyword
+
+
+**`sophos.xg.app_is_cloud`**
+:   Application is Cloud
+
+type: keyword
+
+
+**`sophos.xg.app_name`**
+:   Application name
+
+type: keyword
+
+
+**`sophos.xg.app_resolved_by`**
+:   Application is resolved by signature or synchronized application
+
+type: keyword
+
+
+**`sophos.xg.app_risk`**
+:   Risk level assigned to the application
+
+type: keyword
+
+
+**`sophos.xg.app_technology`**
+:   Technology of the application
+
+type: keyword
+
+
+**`sophos.xg.appfilter_policy_id`**
+:   Application Filter policy applied on the traffic
+
+type: integer
+
+
+**`sophos.xg.application`**
+:   Application name
+
+type: keyword
+
+
+**`sophos.xg.application_category`**
+:   Application is resolved by signature or synchronized application
+
+type: keyword
+
+
+**`sophos.xg.application_filter_policy`**
+:   Application Filter policy applied on the traffic
+
+type: integer
+
+
+**`sophos.xg.application_name`**
+:   Application name
+
+type: keyword
+
+
+**`sophos.xg.application_risk`**
+:   Risk level assigned to the application
+
+type: keyword
+
+
+**`sophos.xg.application_technology`**
+:   Technology of the application
+
+type: keyword
+
+
+**`sophos.xg.appresolvedby`**
+:   Technology of the application
+
+type: keyword
+
+
+**`sophos.xg.auth_client`**
+:   Auth Client
+
+type: keyword
+
+
+**`sophos.xg.auth_mechanism`**
+:   Auth mechanism
+
+type: keyword
+
+
+**`sophos.xg.av_policy_name`**
+:   Malware scanning policy name which is applied on the traffic
+
+type: keyword
+
+
+**`sophos.xg.backup_mode`**
+:   Backup mode
+
+type: keyword
+
+
+**`sophos.xg.branch_name`**
+:   Branch Name
+
+type: keyword
+
+
+**`sophos.xg.category`**
+:   IPS signature category.
+
+type: keyword
+
+
+**`sophos.xg.category_type`**
+:   Type of category under which website falls
+
+type: keyword
+
+
+**`sophos.xg.classification`**
+:   Signature classification
+
+type: keyword
+
+
+**`sophos.xg.client_host_name`**
+:   Client host name
+
+type: keyword
+
+
+**`sophos.xg.client_physical_address`**
+:   Client physical address
+
+type: keyword
+
+
+**`sophos.xg.clients_conn_ssid`**
+:   Number of client connected to the SSID.
+
+type: long
+
+
+**`sophos.xg.collisions`**
+:   collisions
+
+type: long
+
+
+**`sophos.xg.con_event`**
+:   Event Start/Stop
+
+type: keyword
+
+
+**`sophos.xg.con_id`**
+:   Unique identifier of connection
+
+type: integer
+
+
+**`sophos.xg.configuration`**
+:   Configuration
+
+type: float
+
+
+**`sophos.xg.conn_id`**
+:   Unique identifier of connection
+
+type: integer
+
+
+**`sophos.xg.connectionname`**
+:   Connectionname
+
+type: keyword
+
+
+**`sophos.xg.connectiontype`**
+:   Connectiontype
+
+type: keyword
+
+
+**`sophos.xg.connevent`**
+:   Event on which this log is generated
+
+type: keyword
+
+
+**`sophos.xg.connid`**
+:   Connection ID
+
+type: keyword
+
+
+**`sophos.xg.content_type`**
+:   Type of the content
+
+type: keyword
+
+
+**`sophos.xg.contenttype`**
+:   Type of the content
+
+type: keyword
+
+
+**`sophos.xg.context_match`**
+:   Context Match
+
+type: keyword
+
+
+**`sophos.xg.context_prefix`**
+:   Content Prefix
+
+type: keyword
+
+
+**`sophos.xg.context_suffix`**
+:   Context Suffix
+
+type: keyword
+
+
+**`sophos.xg.cookie`**
+:   cookie
+
+type: keyword
+
+
+**`sophos.xg.date`**
+:   Date (yyyy-mm-dd) when the event occurred
+
+type: date
+
+
+**`sophos.xg.destinationip`**
+:   Original destination IP address of traffic
+
+type: ip
+
+
+**`sophos.xg.device`**
+:   device
+
+type: keyword
+
+
+**`sophos.xg.device_id`**
+:   Serial number of the device
+
+type: keyword
+
+
+**`sophos.xg.device_model`**
+:   Model number of the device
+
+type: keyword
+
+
+**`sophos.xg.device_name`**
+:   Model number of the device
+
+type: keyword
+
+
+**`sophos.xg.dictionary_name`**
+:   Dictionary Name
+
+type: keyword
+
+
+**`sophos.xg.dir_disp`**
+:   TPacket direction. Possible values:“org”, “reply”, “”
+
+type: keyword
+
+
+**`sophos.xg.direction`**
+:   Direction
+
+type: keyword
+
+
+**`sophos.xg.domainname`**
+:   Domain from which virus was downloaded
+
+type: keyword
+
+
+**`sophos.xg.download_file_name`**
+:   Download file name
+
+type: keyword
+
+
+**`sophos.xg.download_file_type`**
+:   Download file type
+
+type: keyword
+
+
+**`sophos.xg.dst_country_code`**
+:   Code of the country to which the destination IP belongs
+
+type: keyword
+
+
+**`sophos.xg.dst_domainname`**
+:   Receiver domain name
+
+type: keyword
+
+
+**`sophos.xg.dst_ip`**
+:   Original destination IP address of traffic
+
+type: ip
+
+
+**`sophos.xg.dst_port`**
+:   Original destination port of TCP and UDP traffic
+
+type: integer
+
+
+**`sophos.xg.dst_zone_type`**
+:   Type of destination zone
+
+type: keyword
+
+
+**`sophos.xg.dstdomain`**
+:   Destination Domain
+
+type: keyword
+
+
+**`sophos.xg.duration`**
+:   Durability of traffic (seconds)
+
+type: long
+
+
+**`sophos.xg.email_subject`**
+:   Email Subject
+
+type: keyword
+
+
+**`sophos.xg.ep_uuid`**
+:   Endpoint UUID
+
+type: keyword
+
+
+**`sophos.xg.ether_type`**
+:   ethernet frame type
+
+type: keyword
+
+
+**`sophos.xg.eventid`**
+:   ATP Evenet ID
+
+type: keyword
+
+
+**`sophos.xg.eventtime`**
+:   Event time
+
+type: date
+
+
+**`sophos.xg.eventtype`**
+:   ATP event type
+
+type: keyword
+
+
+**`sophos.xg.exceptions`**
+:   List of the checks excluded by web exceptions.
+
+type: keyword
+
+
+**`sophos.xg.execution_path`**
+:   ATP execution path
+
+type: keyword
+
+
+**`sophos.xg.extra`**
+:   extra
+
+type: keyword
+
+
+**`sophos.xg.file_name`**
+:   Filename
+
+type: keyword
+
+
+**`sophos.xg.file_path`**
+:   File path
+
+type: keyword
+
+
+**`sophos.xg.file_size`**
+:   File Size
+
+type: integer
+
+
+**`sophos.xg.filename`**
+:   File name associated with the event
+
+type: keyword
+
+
+**`sophos.xg.filepath`**
+:   Path of the file containing virus
+
+type: keyword
+
+
+**`sophos.xg.filesize`**
+:   Size of the file that contained virus
+
+type: integer
+
+
+**`sophos.xg.free`**
+:   free
+
+type: integer
+
+
+**`sophos.xg.from_email_address`**
+:   Sender email address
+
+type: keyword
+
+
+**`sophos.xg.ftp_direction`**
+:   Direction of FTP transfer: Upload or Download
+
+type: keyword
+
+
+**`sophos.xg.ftp_url`**
+:   FTP URL from which virus was downloaded
+
+type: keyword
+
+
+**`sophos.xg.ftpcommand`**
+:   FTP command used when virus was found
+
+type: keyword
+
+
+**`sophos.xg.fw_rule_id`**
+:   Firewall Rule ID which is applied on the traffic
+
+type: integer
+
+
+**`sophos.xg.fw_rule_type`**
+:   Firewall rule type which is applied on the traffic
+
+type: keyword
+
+
+**`sophos.xg.hb_health`**
+:   Heartbeat status
+
+type: keyword
+
+
+**`sophos.xg.hb_status`**
+:   Heartbeat status
+
+type: keyword
+
+
+**`sophos.xg.host`**
+:   Host
+
+type: keyword
+
+
+**`sophos.xg.http_category`**
+:   HTTP Category
+
+type: keyword
+
+
+**`sophos.xg.http_category_type`**
+:   HTTP Category Type
+
+type: keyword
+
+
+**`sophos.xg.httpresponsecode`**
+:   code of HTTP response
+
+type: long
+
+
+**`sophos.xg.iap`**
+:   Internet Access policy ID applied on the traffic
+
+type: keyword
+
+
+**`sophos.xg.icmp_code`**
+:   ICMP code of ICMP traffic
+
+type: keyword
+
+
+**`sophos.xg.icmp_type`**
+:   ICMP type of ICMP traffic
+
+type: keyword
+
+
+**`sophos.xg.idle_cpu`**
+:   idle ##
+
+type: float
+
+
+**`sophos.xg.idp_policy_id`**
+:   IPS policy ID which is applied on the traffic
+
+type: integer
+
+
+**`sophos.xg.idp_policy_name`**
+:   IPS policy name i.e. IPS policy name which is applied on the traffic
+
+type: keyword
+
+
+**`sophos.xg.in_interface`**
+:   Interface for incoming traffic, e.g., Port A
+
+type: keyword
+
+
+**`sophos.xg.interface`**
+:   interface
+
+type: keyword
+
+
+**`sophos.xg.ipaddress`**
+:   Ipaddress
+
+type: keyword
+
+
+**`sophos.xg.ips_policy_id`**
+:   IPS policy ID applied on the traffic
+
+type: integer
+
+
+**`sophos.xg.lease_time`**
+:   Lease Time
+
+type: keyword
+
+
+**`sophos.xg.localgateway`**
+:   Localgateway
+
+type: keyword
+
+
+**`sophos.xg.localnetwork`**
+:   Localnetwork
+
+type: keyword
+
+
+**`sophos.xg.log_component`**
+:   Component responsible for logging e.g. Firewall rule
+
+type: keyword
+
+
+**`sophos.xg.log_id`**
+:   Unique 12 characters code (0101011)
+
+type: keyword
+
+
+**`sophos.xg.log_subtype`**
+:   Sub type of event
+
+type: keyword
+
+
+**`sophos.xg.log_type`**
+:   Type of event e.g. firewall event
+
+type: keyword
+
+
+**`sophos.xg.log_version`**
+:   Log Version
+
+type: keyword
+
+
+**`sophos.xg.login_user`**
+:   ATP login user
+
+type: keyword
+
+
+**`sophos.xg.mailid`**
+:   mailid
+
+type: keyword
+
+
+**`sophos.xg.mailsize`**
+:   mailsize
+
+type: integer
+
+
+**`sophos.xg.message`**
+:   Message
+
+type: keyword
+
+
+**`sophos.xg.mode`**
+:   Mode
+
+type: keyword
+
+
+**`sophos.xg.nat_rule_id`**
+:   NAT Rule ID
+
+type: keyword
+
+
+**`sophos.xg.newversion`**
+:   Newversion
+
+type: keyword
+
+
+**`sophos.xg.oldversion`**
+:   Oldversion
+
+type: keyword
+
+
+**`sophos.xg.out_interface`**
+:   Interface for outgoing traffic, e.g., Port B
+
+type: keyword
+
+
+**`sophos.xg.override_authorizer`**
+:   Override authorizer
+
+type: keyword
+
+
+**`sophos.xg.override_name`**
+:   Override name
+
+type: keyword
+
+
+**`sophos.xg.override_token`**
+:   Override token
+
+type: keyword
+
+
+**`sophos.xg.phpsessid`**
+:   PHP session ID
+
+type: keyword
+
+
+**`sophos.xg.platform`**
+:   Platform of the traffic.
+
+type: keyword
+
+
+**`sophos.xg.policy_type`**
+:   Policy type applied to the traffic
+
+type: keyword
+
+
+**`sophos.xg.priority`**
+:   Severity level of traffic
+
+type: keyword
+
+
+**`sophos.xg.protocol`**
+:   Protocol number of traffic
+
+type: keyword
+
+
+**`sophos.xg.qualifier`**
+:   Qualifier
+
+type: keyword
+
+
+**`sophos.xg.quarantine`**
+:   Path and filename of the file quarantined
+
+type: keyword
+
+
+**`sophos.xg.quarantine_reason`**
+:   Quarantine reason
+
+type: keyword
+
+
+**`sophos.xg.querystring`**
+:   querystring
+
+type: keyword
+
+
+**`sophos.xg.raw_data`**
+:   Raw data
+
+type: keyword
+
+
+**`sophos.xg.received_pkts`**
+:   Total number of packets received
+
+type: long
+
+
+**`sophos.xg.receiveddrops`**
+:   received drops
+
+type: long
+
+
+**`sophos.xg.receivederrors`**
+:   received errors
+
+type: keyword
+
+
+**`sophos.xg.receivedkbits`**
+:   received kbits
+
+type: long
+
+
+**`sophos.xg.recv_bytes`**
+:   Total number of bytes received
+
+type: long
+
+
+**`sophos.xg.red_id`**
+:   RED ID
+
+type: keyword
+
+
+**`sophos.xg.referer`**
+:   Referer
+
+type: keyword
+
+
+**`sophos.xg.remote_ip`**
+:   Remote IP
+
+type: ip
+
+
+**`sophos.xg.remotenetwork`**
+:   remotenetwork
+
+type: keyword
+
+
+**`sophos.xg.reported_host`**
+:   Reported Host
+
+type: keyword
+
+
+**`sophos.xg.reported_ip`**
+:   Reported IP
+
+type: keyword
+
+
+**`sophos.xg.reports`**
+:   Reports
+
+type: float
+
+
+**`sophos.xg.rule_priority`**
+:   Priority of IPS policy
+
+type: keyword
+
+
+**`sophos.xg.sent_bytes`**
+:   Total number of bytes sent
+
+type: long
+
+
+**`sophos.xg.sent_pkts`**
+:   Total number of packets sent
+
+type: long
+
+
+**`sophos.xg.server`**
+:   Server
+
+type: keyword
+
+
+**`sophos.xg.sessionid`**
+:   Sessionid
+
+type: keyword
+
+
+**`sophos.xg.sha1sum`**
+:   SHA1 checksum of the item being analyzed
+
+type: keyword
+
+
+**`sophos.xg.signature`**
+:   Signature
+
+type: float
+
+
+**`sophos.xg.signature_id`**
+:   Signature ID
+
+type: keyword
+
+
+**`sophos.xg.signature_msg`**
+:   Signature messsage
+
+type: keyword
+
+
+**`sophos.xg.site_category`**
+:   Site Category
+
+type: keyword
+
+
+**`sophos.xg.source`**
+:   Source
+
+type: keyword
+
+
+**`sophos.xg.sourceip`**
+:   Original source IP address of traffic
+
+type: ip
+
+
+**`sophos.xg.spamaction`**
+:   Spam Action
+
+type: keyword
+
+
+**`sophos.xg.sqli`**
+:   related SQLI caught by the WAF
+
+type: keyword
+
+
+**`sophos.xg.src_country_code`**
+:   Code of the country to which the source IP belongs
+
+type: keyword
+
+
+**`sophos.xg.src_domainname`**
+:   Sender domain name
+
+type: keyword
+
+
+**`sophos.xg.src_ip`**
+:   Original source IP address of traffic
+
+type: ip
+
+
+**`sophos.xg.src_mac`**
+:   Original source MAC address of traffic
+
+type: keyword
+
+
+**`sophos.xg.src_port`**
+:   Original source port of TCP and UDP traffic
+
+type: integer
+
+
+**`sophos.xg.src_zone_type`**
+:   Type of source zone
+
+type: keyword
+
+
+**`sophos.xg.ssid`**
+:   Configured SSID name.
+
+type: keyword
+
+
+**`sophos.xg.start_time`**
+:   Start time
+
+type: date
+
+
+**`sophos.xg.starttime`**
+:   Starttime
+
+type: date
+
+
+**`sophos.xg.status`**
+:   Ultimate status of traffic – Allowed or Denied
+
+type: keyword
+
+
+**`sophos.xg.status_code`**
+:   Status code
+
+type: keyword
+
+
+**`sophos.xg.subject`**
+:   Email subject
+
+type: keyword
+
+
+**`sophos.xg.syslog_server_name`**
+:   Syslog server name.
+
+type: keyword
+
+
+**`sophos.xg.system_cpu`**
+:   system
+
+type: float
+
+
+**`sophos.xg.target`**
+:   Platform of the traffic.
+
+type: keyword
+
+
+**`sophos.xg.temp`**
+:   Temp
+
+type: float
+
+
+**`sophos.xg.threatname`**
+:   ATP threatname
+
+type: keyword
+
+
+**`sophos.xg.timestamp`**
+:   timestamp
+
+type: date
+
+
+**`sophos.xg.timezone`**
+:   Time (hh:mm:ss) when the event occurred
+
+type: keyword
+
+
+**`sophos.xg.to_email_address`**
+:   Receipeint email address
+
+type: keyword
+
+
+**`sophos.xg.total_memory`**
+:   Total Memory
+
+type: integer
+
+
+**`sophos.xg.trans_dst_ip`**
+:   Translated destination IP address for outgoing traffic
+
+type: ip
+
+
+**`sophos.xg.trans_dst_port`**
+:   Translated destination port for outgoing traffic
+
+type: integer
+
+
+**`sophos.xg.trans_src_ip`**
+:   Translated source IP address for outgoing traffic
+
+type: ip
+
+
+**`sophos.xg.trans_src_port`**
+:   Translated source port for outgoing traffic
+
+type: integer
+
+
+**`sophos.xg.transaction_id`**
+:   Transaction ID
+
+type: keyword
+
+
+**`sophos.xg.transactionid`**
+:   Transaction ID of the AV scan.
+
+type: keyword
+
+
+**`sophos.xg.transmitteddrops`**
+:   transmitted drops
+
+type: long
+
+
+**`sophos.xg.transmittederrors`**
+:   transmitted errors
+
+type: keyword
+
+
+**`sophos.xg.transmittedkbits`**
+:   transmitted kbits
+
+type: long
+
+
+**`sophos.xg.unit`**
+:   unit
+
+type: keyword
+
+
+**`sophos.xg.updatedip`**
+:   updatedip
+
+type: ip
+
+
+**`sophos.xg.upload_file_name`**
+:   Upload file name
+
+type: keyword
+
+
+**`sophos.xg.upload_file_type`**
+:   Upload file type
+
+type: keyword
+
+
+**`sophos.xg.url`**
+:   URL from which virus was downloaded
+
+type: keyword
+
+
+**`sophos.xg.used`**
+:   used
+
+type: integer
+
+
+**`sophos.xg.used_quota`**
+:   Used Quota
+
+type: keyword
+
+
+**`sophos.xg.user`**
+:   User
+
+type: keyword
+
+
+**`sophos.xg.user_cpu`**
+:   system
+
+type: float
+
+
+**`sophos.xg.user_gp`**
+:   Group name to which the user belongs.
+
+type: keyword
+
+
+**`sophos.xg.user_group`**
+:   Group name to which the user belongs
+
+type: keyword
+
+
+**`sophos.xg.user_name`**
+:   user_name
+
+type: keyword
+
+
+**`sophos.xg.users`**
+:   Number of users from System Health / Live User events.
+
+type: long
+
+
+**`sophos.xg.vconn_id`**
+:   Connection ID of the master connection
+
+type: integer
+
+
+**`sophos.xg.virus`**
+:   virus name
+
+type: keyword
+
+
+**`sophos.xg.web_policy_id`**
+:   Web policy ID
+
+type: keyword
+
+
+**`sophos.xg.website`**
+:   Website
+
+type: keyword
+
+
+**`sophos.xg.xss`**
+:   related XSS caught by the WAF
+
+type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-suricata.md b/docs/reference/filebeat/exported-fields-suricata.md
new file mode 100644
index 000000000000..685bb47faf72
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-suricata.md
@@ -0,0 +1,861 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-suricata.html
+---
+
+# Suricata fields [exported-fields-suricata]
+
+Module for handling the EVE JSON logs produced by Suricata.
+
+
+## suricata [_suricata]
+
+Fields from the Suricata EVE log file.
+
+
+## eve [_eve]
+
+Fields exported by the EVE JSON logs
+
+**`suricata.eve.event_type`**
+:   type: keyword
+
+
+**`suricata.eve.app_proto_orig`**
+:   type: keyword
+
+
+**`suricata.eve.tcp.tcp_flags`**
+:   type: keyword
+
+
+**`suricata.eve.tcp.psh`**
+:   type: boolean
+
+
+**`suricata.eve.tcp.tcp_flags_tc`**
+:   type: keyword
+
+
+**`suricata.eve.tcp.ack`**
+:   type: boolean
+
+
+**`suricata.eve.tcp.syn`**
+:   type: boolean
+
+
+**`suricata.eve.tcp.state`**
+:   type: keyword
+
+
+**`suricata.eve.tcp.tcp_flags_ts`**
+:   type: keyword
+
+
+**`suricata.eve.tcp.rst`**
+:   type: boolean
+
+
+**`suricata.eve.tcp.fin`**
+:   type: boolean
+
+
+**`suricata.eve.fileinfo.sha1`**
+:   type: keyword
+
+
+**`suricata.eve.fileinfo.tx_id`**
+:   type: long
+
+
+**`suricata.eve.fileinfo.state`**
+:   type: keyword
+
+
+**`suricata.eve.fileinfo.stored`**
+:   type: boolean
+
+
+**`suricata.eve.fileinfo.gaps`**
+:   type: boolean
+
+
+**`suricata.eve.fileinfo.sha256`**
+:   type: keyword
+
+
+**`suricata.eve.fileinfo.md5`**
+:   type: keyword
+
+
+**`suricata.eve.icmp_type`**
+:   type: long
+
+
+**`suricata.eve.pcap_cnt`**
+:   type: long
+
+
+**`suricata.eve.dns.type`**
+:   type: keyword
+
+
+**`suricata.eve.dns.rrtype`**
+:   type: keyword
+
+
+**`suricata.eve.dns.rrname`**
+:   type: keyword
+
+
+**`suricata.eve.dns.rdata`**
+:   type: keyword
+
+
+**`suricata.eve.dns.tx_id`**
+:   type: long
+
+
+**`suricata.eve.dns.ttl`**
+:   type: long
+
+
+**`suricata.eve.dns.rcode`**
+:   type: keyword
+
+
+**`suricata.eve.dns.id`**
+:   type: long
+
+
+**`suricata.eve.flow_id`**
+:   type: keyword
+
+
+**`suricata.eve.email.status`**
+:   type: keyword
+
+
+**`suricata.eve.icmp_code`**
+:   type: long
+
+
+**`suricata.eve.http.redirect`**
+:   type: keyword
+
+
+**`suricata.eve.http.protocol`**
+:   type: keyword
+
+
+**`suricata.eve.http.http_content_type`**
+:   type: keyword
+
+
+**`suricata.eve.in_iface`**
+:   type: keyword
+
+
+**`suricata.eve.alert.metadata`**
+:   Metadata about the alert.
+
+type: flattened
+
+
+**`suricata.eve.alert.category`**
+:   type: keyword
+
+
+**`suricata.eve.alert.rev`**
+:   type: long
+
+
+**`suricata.eve.alert.gid`**
+:   type: long
+
+
+**`suricata.eve.alert.signature`**
+:   type: keyword
+
+
+**`suricata.eve.alert.signature_id`**
+:   type: long
+
+
+**`suricata.eve.alert.protocols`**
+:   type: keyword
+
+
+**`suricata.eve.alert.attack_target`**
+:   type: keyword
+
+
+**`suricata.eve.alert.capec_id`**
+:   type: keyword
+
+
+**`suricata.eve.alert.cwe_id`**
+:   type: keyword
+
+
+**`suricata.eve.alert.malware`**
+:   type: keyword
+
+
+**`suricata.eve.alert.cve`**
+:   type: keyword
+
+
+**`suricata.eve.alert.cvss_v2_base`**
+:   type: keyword
+
+
+**`suricata.eve.alert.cvss_v2_temporal`**
+:   type: keyword
+
+
+**`suricata.eve.alert.cvss_v3_base`**
+:   type: keyword
+
+
+**`suricata.eve.alert.cvss_v3_temporal`**
+:   type: keyword
+
+
+**`suricata.eve.alert.priority`**
+:   type: keyword
+
+
+**`suricata.eve.alert.hostile`**
+:   type: keyword
+
+
+**`suricata.eve.alert.infected`**
+:   type: keyword
+
+
+**`suricata.eve.alert.created_at`**
+:   type: date
+
+
+**`suricata.eve.alert.updated_at`**
+:   type: date
+
+
+**`suricata.eve.alert.classtype`**
+:   type: keyword
+
+
+**`suricata.eve.alert.rule_source`**
+:   type: keyword
+
+
+**`suricata.eve.alert.sid`**
+:   type: keyword
+
+
+**`suricata.eve.alert.affected_product`**
+:   type: keyword
+
+
+**`suricata.eve.alert.deployment`**
+:   type: keyword
+
+
+**`suricata.eve.alert.former_category`**
+:   type: keyword
+
+
+**`suricata.eve.alert.mitre_tool_id`**
+:   type: keyword
+
+
+**`suricata.eve.alert.performance_impact`**
+:   type: keyword
+
+
+**`suricata.eve.alert.signature_severity`**
+:   type: keyword
+
+
+**`suricata.eve.alert.tag`**
+:   type: keyword
+
+
+**`suricata.eve.ssh.client.proto_version`**
+:   type: keyword
+
+
+**`suricata.eve.ssh.client.software_version`**
+:   type: keyword
+
+
+**`suricata.eve.ssh.server.proto_version`**
+:   type: keyword
+
+
+**`suricata.eve.ssh.server.software_version`**
+:   type: keyword
+
+
+**`suricata.eve.stats.capture.kernel_packets`**
+:   type: long
+
+
+**`suricata.eve.stats.capture.kernel_drops`**
+:   type: long
+
+
+**`suricata.eve.stats.capture.kernel_ifdrops`**
+:   type: long
+
+
+**`suricata.eve.stats.uptime`**
+:   type: long
+
+
+**`suricata.eve.stats.detect.alert`**
+:   type: long
+
+
+**`suricata.eve.stats.http.memcap`**
+:   type: long
+
+
+**`suricata.eve.stats.http.memuse`**
+:   type: long
+
+
+**`suricata.eve.stats.file_store.open_files`**
+:   type: long
+
+
+**`suricata.eve.stats.defrag.max_frag_hits`**
+:   type: long
+
+
+**`suricata.eve.stats.defrag.ipv4.timeouts`**
+:   type: long
+
+
+**`suricata.eve.stats.defrag.ipv4.fragments`**
+:   type: long
+
+
+**`suricata.eve.stats.defrag.ipv4.reassembled`**
+:   type: long
+
+
+**`suricata.eve.stats.defrag.ipv6.timeouts`**
+:   type: long
+
+
+**`suricata.eve.stats.defrag.ipv6.fragments`**
+:   type: long
+
+
+**`suricata.eve.stats.defrag.ipv6.reassembled`**
+:   type: long
+
+
+**`suricata.eve.stats.flow.tcp_reuse`**
+:   type: long
+
+
+**`suricata.eve.stats.flow.udp`**
+:   type: long
+
+
+**`suricata.eve.stats.flow.memcap`**
+:   type: long
+
+
+**`suricata.eve.stats.flow.emerg_mode_entered`**
+:   type: long
+
+
+**`suricata.eve.stats.flow.emerg_mode_over`**
+:   type: long
+
+
+**`suricata.eve.stats.flow.tcp`**
+:   type: long
+
+
+**`suricata.eve.stats.flow.icmpv6`**
+:   type: long
+
+
+**`suricata.eve.stats.flow.icmpv4`**
+:   type: long
+
+
+**`suricata.eve.stats.flow.spare`**
+:   type: long
+
+
+**`suricata.eve.stats.flow.memuse`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.pseudo_failed`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.ssn_memcap_drop`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.insert_data_overlap_fail`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.sessions`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.pseudo`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.synack`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.insert_data_normal_fail`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.syn`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.memuse`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.invalid_checksum`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.segment_memcap_drop`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.overlap`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.insert_list_fail`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.rst`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.stream_depth_reached`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.reassembly_memuse`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.reassembly_gap`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.overlap_diff_data`**
+:   type: long
+
+
+**`suricata.eve.stats.tcp.no_flow`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.avg_pkt_size`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.bytes`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.tcp`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.raw`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.ppp`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.vlan_qinq`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.null`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.ltnull.unsupported_type`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.ltnull.pkt_too_small`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.invalid`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.gre`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.ipv4`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.ipv6`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.pkts`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.ipv6_in_ipv6`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.ipraw.invalid_ip_version`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.pppoe`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.udp`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.dce.pkt_too_small`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.vlan`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.sctp`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.max_pkt_size`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.teredo`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.mpls`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.sll`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.icmpv6`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.icmpv4`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.erspan`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.ethernet`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.ipv4_in_ipv6`**
+:   type: long
+
+
+**`suricata.eve.stats.decoder.ieee8021ah`**
+:   type: long
+
+
+**`suricata.eve.stats.dns.memcap_global`**
+:   type: long
+
+
+**`suricata.eve.stats.dns.memcap_state`**
+:   type: long
+
+
+**`suricata.eve.stats.dns.memuse`**
+:   type: long
+
+
+**`suricata.eve.stats.flow_mgr.rows_busy`**
+:   type: long
+
+
+**`suricata.eve.stats.flow_mgr.flows_timeout`**
+:   type: long
+
+
+**`suricata.eve.stats.flow_mgr.flows_notimeout`**
+:   type: long
+
+
+**`suricata.eve.stats.flow_mgr.rows_skipped`**
+:   type: long
+
+
+**`suricata.eve.stats.flow_mgr.closed_pruned`**
+:   type: long
+
+
+**`suricata.eve.stats.flow_mgr.new_pruned`**
+:   type: long
+
+
+**`suricata.eve.stats.flow_mgr.flows_removed`**
+:   type: long
+
+
+**`suricata.eve.stats.flow_mgr.bypassed_pruned`**
+:   type: long
+
+
+**`suricata.eve.stats.flow_mgr.est_pruned`**
+:   type: long
+
+
+**`suricata.eve.stats.flow_mgr.flows_timeout_inuse`**
+:   type: long
+
+
+**`suricata.eve.stats.flow_mgr.flows_checked`**
+:   type: long
+
+
+**`suricata.eve.stats.flow_mgr.rows_maxlen`**
+:   type: long
+
+
+**`suricata.eve.stats.flow_mgr.rows_checked`**
+:   type: long
+
+
+**`suricata.eve.stats.flow_mgr.rows_empty`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.flow.tls`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.flow.ftp`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.flow.http`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.flow.failed_udp`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.flow.dns_udp`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.flow.dns_tcp`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.flow.smtp`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.flow.failed_tcp`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.flow.msn`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.flow.ssh`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.flow.imap`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.flow.dcerpc_udp`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.flow.dcerpc_tcp`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.flow.smb`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.tx.tls`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.tx.ftp`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.tx.http`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.tx.dns_udp`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.tx.dns_tcp`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.tx.smtp`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.tx.ssh`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.tx.dcerpc_udp`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.tx.dcerpc_tcp`**
+:   type: long
+
+
+**`suricata.eve.stats.app_layer.tx.smb`**
+:   type: long
+
+
+**`suricata.eve.tls.notbefore`**
+:   type: date
+
+
+**`suricata.eve.tls.issuerdn`**
+:   type: keyword
+
+
+**`suricata.eve.tls.sni`**
+:   type: keyword
+
+
+**`suricata.eve.tls.version`**
+:   type: keyword
+
+
+**`suricata.eve.tls.session_resumed`**
+:   type: boolean
+
+
+**`suricata.eve.tls.fingerprint`**
+:   type: keyword
+
+
+**`suricata.eve.tls.serial`**
+:   type: keyword
+
+
+**`suricata.eve.tls.notafter`**
+:   type: date
+
+
+**`suricata.eve.tls.subject`**
+:   type: keyword
+
+
+**`suricata.eve.tls.ja3s.string`**
+:   type: keyword
+
+
+**`suricata.eve.tls.ja3s.hash`**
+:   type: keyword
+
+
+**`suricata.eve.tls.ja3.string`**
+:   type: keyword
+
+
+**`suricata.eve.tls.ja3.hash`**
+:   type: keyword
+
+
+**`suricata.eve.app_proto_ts`**
+:   type: keyword
+
+
+**`suricata.eve.flow.age`**
+:   type: long
+
+
+**`suricata.eve.flow.state`**
+:   type: keyword
+
+
+**`suricata.eve.flow.reason`**
+:   type: keyword
+
+
+**`suricata.eve.flow.alerted`**
+:   type: boolean
+
+
+**`suricata.eve.tx_id`**
+:   type: long
+
+
+**`suricata.eve.app_proto_tc`**
+:   type: keyword
+
+
+**`suricata.eve.smtp.rcpt_to`**
+:   type: keyword
+
+
+**`suricata.eve.smtp.mail_from`**
+:   type: keyword
+
+
+**`suricata.eve.smtp.helo`**
+:   type: keyword
+
+
+**`suricata.eve.app_proto_expected`**
+:   type: keyword
+
+
diff --git a/docs/reference/filebeat/exported-fields-system.md b/docs/reference/filebeat/exported-fields-system.md
new file mode 100644
index 000000000000..b0021fd1a8bb
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-system.md
@@ -0,0 +1,235 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-system.html
+---
+
+# System fields [exported-fields-system]
+
+Module for parsing system log files.
+
+
+## system [_system]
+
+Fields from the system log files.
+
+
+## auth [_auth_2]
+
+Fields from the Linux authorization logs.
+
+**`system.auth.timestamp`**
+:   type: alias
+
+alias to: @timestamp
+
+
+**`system.auth.hostname`**
+:   type: alias
+
+alias to: host.hostname
+
+
+**`system.auth.program`**
+:   type: alias
+
+alias to: process.name
+
+
+**`system.auth.pid`**
+:   type: alias
+
+alias to: process.pid
+
+
+**`system.auth.message`**
+:   type: alias
+
+alias to: message
+
+
+**`system.auth.user`**
+:   type: alias
+
+alias to: user.name
+
+
+**`system.auth.ssh.method`**
+:   The SSH authentication method. Can be one of "password" or "publickey".
+
+
+**`system.auth.ssh.signature`**
+:   The signature of the client public key.
+
+
+**`system.auth.ssh.dropped_ip`**
+:   The client IP from SSH connections that are open and immediately dropped.
+
+type: ip
+
+
+**`system.auth.ssh.event`**
+:   The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)
+
+example: Accepted
+
+
+**`system.auth.ssh.ip`**
+:   type: alias
+
+alias to: source.ip
+
+
+**`system.auth.ssh.port`**
+:   type: alias
+
+alias to: source.port
+
+
+**`system.auth.ssh.geoip.continent_name`**
+:   type: alias
+
+alias to: source.geo.continent_name
+
+
+**`system.auth.ssh.geoip.country_iso_code`**
+:   type: alias
+
+alias to: source.geo.country_iso_code
+
+
+**`system.auth.ssh.geoip.location`**
+:   type: alias
+
+alias to: source.geo.location
+
+
+**`system.auth.ssh.geoip.region_name`**
+:   type: alias
+
+alias to: source.geo.region_name
+
+
+**`system.auth.ssh.geoip.city_name`**
+:   type: alias
+
+alias to: source.geo.city_name
+
+
+**`system.auth.ssh.geoip.region_iso_code`**
+:   type: alias
+
+alias to: source.geo.region_iso_code
+
+
+
+## sudo [_sudo]
+
+Fields specific to events created by the `sudo` command.
+
+**`system.auth.sudo.error`**
+:   The error message in case the sudo command failed.
+
+example: user NOT in sudoers
+
+
+**`system.auth.sudo.tty`**
+:   The TTY where the sudo command is executed.
+
+
+**`system.auth.sudo.pwd`**
+:   The current directory where the sudo command is executed.
+
+
+**`system.auth.sudo.user`**
+:   The target user to which the sudo command is switching.
+
+example: root
+
+
+**`system.auth.sudo.command`**
+:   The command executed via sudo.
+
+
+
+## useradd [_useradd]
+
+Fields specific to events created by the `useradd` command.
+
+**`system.auth.useradd.home`**
+:   The home folder for the new user.
+
+
+**`system.auth.useradd.shell`**
+:   The default shell for the new user.
+
+
+**`system.auth.useradd.name`**
+:   type: alias
+
+alias to: user.name
+
+
+**`system.auth.useradd.uid`**
+:   type: alias
+
+alias to: user.id
+
+
+**`system.auth.useradd.gid`**
+:   type: alias
+
+alias to: group.id
+
+
+
+## groupadd [_groupadd]
+
+Fields specific to events created by the `groupadd` command.
+
+**`system.auth.groupadd.name`**
+:   type: alias
+
+alias to: group.name
+
+
+**`system.auth.groupadd.gid`**
+:   type: alias
+
+alias to: group.id
+
+
+
+## syslog [_syslog_3]
+
+Contains fields from the syslog system logs.
+
+**`system.syslog.timestamp`**
+:   type: alias
+
+alias to: @timestamp
+
+
+**`system.syslog.hostname`**
+:   type: alias
+
+alias to: host.hostname
+
+
+**`system.syslog.program`**
+:   type: alias
+
+alias to: process.name
+
+
+**`system.syslog.pid`**
+:   type: alias
+
+alias to: process.pid
+
+
+**`system.syslog.message`**
+:   type: alias
+
+alias to: message
+
+
diff --git a/docs/reference/filebeat/exported-fields-threatintel.md b/docs/reference/filebeat/exported-fields-threatintel.md
new file mode 100644
index 000000000000..20a9378de79b
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-threatintel.md
@@ -0,0 +1,815 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-threatintel.html
+---
+
+# threatintel fields [exported-fields-threatintel]
+
+Threat intelligence Filebeat Module.
+
+**`threat.indicator.file.hash.tlsh`**
+:   The file’s import tlsh, if available.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha384`**
+:   The file’s sha384 hash, if available.
+
+type: keyword
+
+
+**`threat.feed.name`**
+:   type: keyword
+
+
+**`threat.feed.dashboard_id`**
+:   type: keyword
+
+
+
+## abusech.malware [_abusech_malware]
+
+Fields for AbuseCH Malware Threat Intel
+
+**`abusech.malware.file_type`**
+:   File type guessed by URLhaus.
+
+type: keyword
+
+
+**`abusech.malware.signature`**
+:   Malware familiy.
+
+type: keyword
+
+
+**`abusech.malware.urlhaus_download`**
+:   Location (URL) where you can download a copy of this file.
+
+type: keyword
+
+
+**`abusech.malware.virustotal.result`**
+:   AV detection ration.
+
+type: keyword
+
+
+**`abusech.malware.virustotal.percent`**
+:   AV detection in percent.
+
+type: float
+
+
+**`abusech.malware.virustotal.link`**
+:   Link to the Virustotal report.
+
+type: keyword
+
+
+
+## abusech.url [_abusech_url]
+
+Fields for AbuseCH Malware Threat Intel
+
+**`abusech.url.id`**
+:   The ID of the url.
+
+type: keyword
+
+
+**`abusech.url.urlhaus_reference`**
+:   Link to URLhaus entry.
+
+type: keyword
+
+
+**`abusech.url.url_status`**
+:   The current status of the URL. Possible values are: online, offline and unknown.
+
+type: keyword
+
+
+**`abusech.url.threat`**
+:   The threat corresponding to this malware URL.
+
+type: keyword
+
+
+**`abusech.url.blacklists.surbl`**
+:   SURBL blacklist status. Possible values are: listed and not_listed
+
+type: keyword
+
+
+**`abusech.url.blacklists.spamhaus_dbl`**
+:   Spamhaus DBL blacklist status.
+
+type: keyword
+
+
+**`abusech.url.reporter`**
+:   The Twitter handle of the reporter that has reported this malware URL (or anonymous).
+
+type: keyword
+
+
+**`abusech.url.larted`**
+:   Indicates whether the malware URL has been reported to the hosting provider (true or false)
+
+type: boolean
+
+
+**`abusech.url.tags`**
+:   A list of tags associated with the queried malware URL
+
+type: keyword
+
+
+
+## anomali.limo [_anomali_limo]
+
+Fields for Anomali Threat Intel
+
+**`anomali.limo.id`**
+:   The ID of the indicator.
+
+type: keyword
+
+
+**`anomali.limo.name`**
+:   The name of the indicator.
+
+type: keyword
+
+
+**`anomali.limo.pattern`**
+:   The pattern ID of the indicator.
+
+type: keyword
+
+
+**`anomali.limo.valid_from`**
+:   When the indicator was first found or is considered valid.
+
+type: date
+
+
+**`anomali.limo.modified`**
+:   When the indicator was last modified
+
+type: date
+
+
+**`anomali.limo.labels`**
+:   The labels related to the indicator
+
+type: keyword
+
+
+**`anomali.limo.indicator`**
+:   The value of the indicator, for example if the type is domain, this would be the value.
+
+type: keyword
+
+
+**`anomali.limo.description`**
+:   A description of the indicator.
+
+type: keyword
+
+
+**`anomali.limo.title`**
+:   Title describing the indicator.
+
+type: keyword
+
+
+**`anomali.limo.content`**
+:   Extra text or descriptive content related to the indicator.
+
+type: keyword
+
+
+**`anomali.limo.type`**
+:   The indicator type, can for example be "domain, email, FileHash-SHA256".
+
+type: keyword
+
+
+**`anomali.limo.object_marking_refs`**
+:   The STIX reference object.
+
+type: keyword
+
+
+
+## anomali.threatstream [_anomali_threatstream]
+
+Fields for Anomali ThreatStream
+
+**`anomali.threatstream.classification`**
+:   Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public.
+
+type: keyword
+
+example: private
+
+
+**`anomali.threatstream.confidence`**
+:   The measure of the accuracy (from 0 to 100) assigned by ThreatStream’s predictive analytics technology to indicators.
+
+type: short
+
+
+**`anomali.threatstream.detail2`**
+:   Detail text for indicator.
+
+type: text
+
+example: Imported by user 42.
+
+
+**`anomali.threatstream.id`**
+:   The ID of the indicator.
+
+type: keyword
+
+
+**`anomali.threatstream.import_session_id`**
+:   ID of the import session that created the indicator on ThreatStream.
+
+type: keyword
+
+
+**`anomali.threatstream.itype`**
+:   Indicator type. Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url".
+
+type: keyword
+
+
+**`anomali.threatstream.maltype`**
+:   Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator.
+
+type: wildcard
+
+
+**`anomali.threatstream.md5`**
+:   Hash for the indicator.
+
+type: keyword
+
+
+**`anomali.threatstream.resource_uri`**
+:   Relative URI for the indicator details.
+
+type: keyword
+
+
+**`anomali.threatstream.severity`**
+:   Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high.
+
+type: keyword
+
+
+**`anomali.threatstream.source`**
+:   Source for the indicator.
+
+type: keyword
+
+example: Analyst
+
+
+**`anomali.threatstream.source_feed_id`**
+:   ID for the integrator source.
+
+type: keyword
+
+
+**`anomali.threatstream.state`**
+:   State for this indicator.
+
+type: keyword
+
+example: active
+
+
+**`anomali.threatstream.trusted_circle_ids`**
+:   ID of the trusted circle that imported the indicator.
+
+type: keyword
+
+
+**`anomali.threatstream.update_id`**
+:   Update ID.
+
+type: keyword
+
+
+**`anomali.threatstream.url`**
+:   URL for the indicator.
+
+type: keyword
+
+
+**`anomali.threatstream.value_type`**
+:   Data type of the indicator. Possible values: ip, domain, url, email, md5.
+
+type: keyword
+
+
+
+## abusech.malwarebazaar [_abusech_malwarebazaar]
+
+Fields for Malware Bazaar Threat Intel
+
+**`abusech.malwarebazaar.file_type`**
+:   File type guessed by Malware Bazaar.
+
+type: keyword
+
+
+**`abusech.malwarebazaar.signature`**
+:   Malware familiy.
+
+type: keyword
+
+
+**`abusech.malwarebazaar.tags`**
+:   A list of tags associated with the queried malware sample.
+
+type: keyword
+
+
+**`abusech.malwarebazaar.intelligence.downloads`**
+:   Number of downloads from MalwareBazaar.
+
+type: long
+
+
+**`abusech.malwarebazaar.intelligence.uploads`**
+:   Number of uploads from MalwareBazaar.
+
+type: long
+
+
+**`abusech.malwarebazaar.intelligence.mail.Generic`**
+:   Malware seen in generic spam traffic.
+
+type: keyword
+
+
+**`abusech.malwarebazaar.intelligence.mail.IT`**
+:   Malware seen in IT spam traffic.
+
+type: keyword
+
+
+**`abusech.malwarebazaar.anonymous`**
+:   Identifies if the sample was submitted anonymously.
+
+type: long
+
+
+**`abusech.malwarebazaar.code_sign`**
+:   Code signing information for the sample.
+
+type: nested
+
+
+
+## misp [_misp_2]
+
+Fields for MISP Threat Intel
+
+**`misp.id`**
+:   Attribute ID.
+
+type: keyword
+
+
+**`misp.orgc_id`**
+:   Organization Community ID of the event.
+
+type: keyword
+
+
+**`misp.org_id`**
+:   Organization ID of the event.
+
+type: keyword
+
+
+**`misp.threat_level_id`**
+:   Threat level from 5 to 1, where 1 is the most critical.
+
+type: long
+
+
+**`misp.info`**
+:   Additional text or information related to the event.
+
+type: keyword
+
+
+**`misp.published`**
+:   When the event was published.
+
+type: boolean
+
+
+**`misp.uuid`**
+:   The UUID of the event object.
+
+type: keyword
+
+
+**`misp.date`**
+:   The date of when the event object was created.
+
+type: date
+
+
+**`misp.attribute_count`**
+:   How many attributes are included in a single event object.
+
+type: long
+
+
+**`misp.timestamp`**
+:   The timestamp of when the event object was created.
+
+type: date
+
+
+**`misp.distribution`**
+:   Distribution type related to MISP.
+
+type: keyword
+
+
+**`misp.proposal_email_lock`**
+:   Settings configured on MISP for email lock on this event object.
+
+type: boolean
+
+
+**`misp.locked`**
+:   If the current MISP event object is locked or not.
+
+type: boolean
+
+
+**`misp.publish_timestamp`**
+:   At what time the event object was published
+
+type: date
+
+
+**`misp.sharing_group_id`**
+:   The ID of the grouped events or sources of the event.
+
+type: keyword
+
+
+**`misp.disable_correlation`**
+:   If correlation is disabled on the MISP event object.
+
+type: boolean
+
+
+**`misp.extends_uuid`**
+:   The UUID of the event object it might extend.
+
+type: keyword
+
+
+**`misp.org.id`**
+:   The organization ID related to the event object.
+
+type: keyword
+
+
+**`misp.org.name`**
+:   The organization name related to the event object.
+
+type: keyword
+
+
+**`misp.org.uuid`**
+:   The UUID of the organization related to the event object.
+
+type: keyword
+
+
+**`misp.org.local`**
+:   If the event object is local or from a remote source.
+
+type: boolean
+
+
+**`misp.orgc.id`**
+:   The Organization Community ID in which the event object was reported from.
+
+type: keyword
+
+
+**`misp.orgc.name`**
+:   The Organization Community name in which the event object was reported from.
+
+type: keyword
+
+
+**`misp.orgc.uuid`**
+:   The Organization Community UUID in which the event object was reported from.
+
+type: keyword
+
+
+**`misp.orgc.local`**
+:   If the Organization Community was local or synced from a remote source.
+
+type: boolean
+
+
+**`misp.attribute.id`**
+:   The ID of the attribute related to the event object.
+
+type: keyword
+
+
+**`misp.attribute.type`**
+:   The type of the attribute related to the event object. For example email, ipv4, sha1 and such.
+
+type: keyword
+
+
+**`misp.attribute.category`**
+:   The category of the attribute related to the event object. For example "Network Activity".
+
+type: keyword
+
+
+**`misp.attribute.to_ids`**
+:   If the attribute should be automatically synced with an IDS.
+
+type: boolean
+
+
+**`misp.attribute.uuid`**
+:   The UUID of the attribute related to the event.
+
+type: keyword
+
+
+**`misp.attribute.event_id`**
+:   The local event ID of the attribute related to the event.
+
+type: keyword
+
+
+**`misp.attribute.distribution`**
+:   How the attribute has been distributed, represented by integer numbers.
+
+type: long
+
+
+**`misp.attribute.timestamp`**
+:   The timestamp in which the attribute was attached to the event object.
+
+type: date
+
+
+**`misp.attribute.comment`**
+:   Comments made to the attribute itself.
+
+type: keyword
+
+
+**`misp.attribute.sharing_group_id`**
+:   The group ID of the sharing group related to the specific attribute.
+
+type: keyword
+
+
+**`misp.attribute.deleted`**
+:   If the attribute has been removed from the event object.
+
+type: boolean
+
+
+**`misp.attribute.disable_correlation`**
+:   If correlation has been enabled on the attribute related to the event object.
+
+type: boolean
+
+
+**`misp.attribute.object_id`**
+:   The ID of the Object in which the attribute is attached.
+
+type: keyword
+
+
+**`misp.attribute.object_relation`**
+:   The type of relation the attribute has with the event object itself.
+
+type: keyword
+
+
+**`misp.attribute.value`**
+:   The value of the attribute, depending on the type like "url, sha1, email-src".
+
+type: keyword
+
+
+**`misp.context.attribute.id`**
+:   The ID of the secondary attribute related to the event object.
+
+type: keyword
+
+
+**`misp.context.attribute.type`**
+:   The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such.
+
+type: keyword
+
+
+**`misp.context.attribute.category`**
+:   The category of the secondary attribute related to the event object. For example "Network Activity".
+
+type: keyword
+
+
+**`misp.context.attribute.to_ids`**
+:   If the secondary attribute should be automatically synced with an IDS.
+
+type: boolean
+
+
+**`misp.context.attribute.uuid`**
+:   The UUID of the secondary attribute related to the event.
+
+type: keyword
+
+
+**`misp.context.attribute.event_id`**
+:   The local event ID of the secondary attribute related to the event.
+
+type: keyword
+
+
+**`misp.context.attribute.distribution`**
+:   How the secondary attribute has been distributed, represented by integer numbers.
+
+type: long
+
+
+**`misp.context.attribute.timestamp`**
+:   The timestamp in which the secondary attribute was attached to the event object.
+
+type: date
+
+
+**`misp.context.attribute.comment`**
+:   Comments made to the secondary attribute itself.
+
+type: keyword
+
+
+**`misp.context.attribute.sharing_group_id`**
+:   The group ID of the sharing group related to the specific secondary attribute.
+
+type: keyword
+
+
+**`misp.context.attribute.deleted`**
+:   If the secondary attribute has been removed from the event object.
+
+type: boolean
+
+
+**`misp.context.attribute.disable_correlation`**
+:   If correlation has been enabled on the secondary attribute related to the event object.
+
+type: boolean
+
+
+**`misp.context.attribute.object_id`**
+:   The ID of the Object in which the secondary attribute is attached.
+
+type: keyword
+
+
+**`misp.context.attribute.object_relation`**
+:   The type of relation the secondary attribute has with the event object itself.
+
+type: keyword
+
+
+**`misp.context.attribute.value`**
+:   The value of the attribute, depending on the type like "url, sha1, email-src".
+
+type: keyword
+
+
+
+## otx [_otx]
+
+Fields for OTX Threat Intel
+
+**`otx.id`**
+:   The ID of the indicator.
+
+type: keyword
+
+
+**`otx.indicator`**
+:   The value of the indicator, for example if the type is domain, this would be the value.
+
+type: keyword
+
+
+**`otx.description`**
+:   A description of the indicator.
+
+type: keyword
+
+
+**`otx.title`**
+:   Title describing the indicator.
+
+type: keyword
+
+
+**`otx.content`**
+:   Extra text or descriptive content related to the indicator.
+
+type: keyword
+
+
+**`otx.type`**
+:   The indicator type, can for example be "domain, email, FileHash-SHA256".
+
+type: keyword
+
+
+
+## threatq [_threatq]
+
+Fields for ThreatQ Threat Library
+
+**`threatq.updated_at`**
+:   Last modification time
+
+type: date
+
+
+**`threatq.created_at`**
+:   Object creation time
+
+type: date
+
+
+**`threatq.expires_at`**
+:   Expiration time
+
+type: date
+
+
+**`threatq.expires_calculated_at`**
+:   Expiration calculation time
+
+type: date
+
+
+**`threatq.published_at`**
+:   Object publication time
+
+type: date
+
+
+**`threatq.status`**
+:   Object status within the Threat Library
+
+type: keyword
+
+
+**`threatq.indicator_value`**
+:   Original indicator value
+
+type: keyword
+
+
+**`threatq.adversaries`**
+:   Adversaries that are linked to the object
+
+type: keyword
+
+
+**`threatq.attributes`**
+:   These provide additional context about an object
+
+type: flattened
+
+
diff --git a/docs/reference/filebeat/exported-fields-traefik.md b/docs/reference/filebeat/exported-fields-traefik.md
new file mode 100644
index 000000000000..7a9a5805f8bd
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-traefik.md
@@ -0,0 +1,157 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-traefik.html
+---
+
+# Traefik fields [exported-fields-traefik]
+
+Module for parsing the Traefik log files.
+
+
+## traefik [_traefik]
+
+Fields from the Traefik log files.
+
+
+## access [_access_4]
+
+Contains fields for the Traefik access logs.
+
+**`traefik.access.user_identifier`**
+:   Is the RFC 1413 identity of the client
+
+type: keyword
+
+
+**`traefik.access.request_count`**
+:   The number of requests
+
+type: long
+
+
+**`traefik.access.frontend_name`**
+:   The name of the frontend used
+
+type: keyword
+
+
+**`traefik.access.backend_url`**
+:   The url of the backend where request is forwarded
+
+type: keyword
+
+
+**`traefik.access.body_sent.bytes`**
+:   type: alias
+
+alias to: http.response.body.bytes
+
+
+**`traefik.access.remote_ip`**
+:   type: alias
+
+alias to: source.address
+
+
+**`traefik.access.user_name`**
+:   type: alias
+
+alias to: user.name
+
+
+**`traefik.access.method`**
+:   type: alias
+
+alias to: http.request.method
+
+
+**`traefik.access.url`**
+:   type: alias
+
+alias to: url.original
+
+
+**`traefik.access.http_version`**
+:   type: alias
+
+alias to: http.version
+
+
+**`traefik.access.response_code`**
+:   type: alias
+
+alias to: http.response.status_code
+
+
+**`traefik.access.referrer`**
+:   type: alias
+
+alias to: http.request.referrer
+
+
+**`traefik.access.agent`**
+:   type: alias
+
+alias to: user_agent.original
+
+
+**`traefik.access.user_agent.name`**
+:   type: alias
+
+alias to: user_agent.name
+
+
+**`traefik.access.user_agent.os`**
+:   type: alias
+
+alias to: user_agent.os.full_name
+
+
+**`traefik.access.user_agent.os_name`**
+:   type: alias
+
+alias to: user_agent.os.name
+
+
+**`traefik.access.user_agent.original`**
+:   type: alias
+
+alias to: user_agent.original
+
+
+**`traefik.access.geoip.continent_name`**
+:   type: alias
+
+alias to: source.geo.continent_name
+
+
+**`traefik.access.geoip.country_iso_code`**
+:   type: alias
+
+alias to: source.geo.country_iso_code
+
+
+**`traefik.access.geoip.location`**
+:   type: alias
+
+alias to: source.geo.location
+
+
+**`traefik.access.geoip.region_name`**
+:   type: alias
+
+alias to: source.geo.region_name
+
+
+**`traefik.access.geoip.city_name`**
+:   type: alias
+
+alias to: source.geo.city_name
+
+
+**`traefik.access.geoip.region_iso_code`**
+:   type: alias
+
+alias to: source.geo.region_iso_code
+
+
diff --git a/docs/reference/filebeat/exported-fields-winlog.md b/docs/reference/filebeat/exported-fields-winlog.md
new file mode 100644
index 000000000000..53147bd3bfb3
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-winlog.md
@@ -0,0 +1,134 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-winlog.html
+---
+
+# Windows ETW fields [exported-fields-winlog]
+
+Fields from the ETW input (Event Tracing for Windows).
+
+
+## winlog [_winlog]
+
+All fields specific to the Windows Event Tracing are defined here.
+
+**`winlog.activity_id`**
+:   A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
+
+type: keyword
+
+required: False
+
+
+**`winlog.channel`**
+:   Used to enable special event processing. Channel values below 16 are reserved for use by Microsoft to enable special treatment by the ETW runtime. Channel values 16 and above will be ignored by the ETW runtime (treated the same as channel 0) and can be given user-defined semantics.
+
+type: keyword
+
+required: False
+
+
+**`winlog.event_data`**
+:   The event-specific data. The content of this object is specific to any provider and event.
+
+type: object
+
+required: False
+
+
+**`winlog.flags`**
+:   Flags that provide information about the event such as the type of session it was logged to and if the event contains extended data.
+
+type: keyword
+
+required: False
+
+
+**`winlog.keywords`**
+:   The keywords are used to indicate an event’s membership in a set of event categories.
+
+type: keyword
+
+required: False
+
+
+**`winlog.level`**
+:   Level of severity. Level values 0 through 5 are defined by Microsoft. Level values 6 through 15 are reserved. Level values 16 through 255 can be defined by the event provider.
+
+type: keyword
+
+required: False
+
+
+**`winlog.opcode`**
+:   The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
+
+type: keyword
+
+required: False
+
+
+**`winlog.process_id`**
+:   Identifies the process that generated the event.
+
+type: keyword
+
+required: False
+
+
+**`winlog.provider_guid`**
+:   A globally unique identifier that identifies the provider that logged the event.
+
+type: keyword
+
+required: False
+
+
+**`winlog.provider_name`**
+:   The source of the event log record (the application or service that logged the record).
+
+type: keyword
+
+required: False
+
+
+**`winlog.session`**
+:   Configured session to forward ETW events from providers to consumers.
+
+type: keyword
+
+required: False
+
+
+**`winlog.severity`**
+:   Human-readable level of severity.
+
+type: keyword
+
+required: False
+
+
+**`winlog.task`**
+:   The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
+
+type: keyword
+
+required: False
+
+
+**`winlog.thread_id`**
+:   Identifies the thread that generated the event.
+
+type: keyword
+
+required: False
+
+
+**`winlog.version`**
+:   Specify the version of a manifest-based event.
+
+type: long
+
+required: False
+
+
diff --git a/docs/reference/filebeat/exported-fields-zeek.md b/docs/reference/filebeat/exported-fields-zeek.md
new file mode 100644
index 000000000000..635656ef6452
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-zeek.md
@@ -0,0 +1,3308 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
+---
+
+# Zeek fields [exported-fields-zeek]
+
+Module for handling logs produced by Zeek/Bro
+
+
+## zeek [_zeek]
+
+Fields from Zeek/Bro logs after normalization
+
+**`zeek.session_id`**
+:   A unique identifier of the session
+
+type: keyword
+
+
+
+## capture_loss [_capture_loss]
+
+Fields exported by the Zeek capture_loss log
+
+**`zeek.capture_loss.ts_delta`**
+:   The time delay between this measurement and the last.
+
+type: integer
+
+
+**`zeek.capture_loss.peer`**
+:   In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name.
+
+type: keyword
+
+
+**`zeek.capture_loss.gaps`**
+:   Number of missed ACKs from the previous measurement interval.
+
+type: integer
+
+
+**`zeek.capture_loss.acks`**
+:   Total number of ACKs seen in the previous measurement interval.
+
+type: integer
+
+
+**`zeek.capture_loss.percent_lost`**
+:   Percentage of ACKs seen where the data being ACKed wasn’t seen.
+
+type: double
+
+
+
+## connection [_connection]
+
+Fields exported by the Zeek Connection log
+
+**`zeek.connection.local_orig`**
+:   Indicates whether the session is originated locally.
+
+type: boolean
+
+
+**`zeek.connection.local_resp`**
+:   Indicates whether the session is responded locally.
+
+type: boolean
+
+
+**`zeek.connection.missed_bytes`**
+:   Missed bytes for the session.
+
+type: long
+
+
+**`zeek.connection.state`**
+:   Code indicating the state of the session.
+
+type: keyword
+
+
+**`zeek.connection.state_message`**
+:   The state of the session.
+
+type: keyword
+
+
+**`zeek.connection.icmp.type`**
+:   ICMP message type.
+
+type: integer
+
+
+**`zeek.connection.icmp.code`**
+:   ICMP message code.
+
+type: integer
+
+
+**`zeek.connection.history`**
+:   Flags indicating the history of the session.
+
+type: keyword
+
+
+**`zeek.connection.vlan`**
+:   VLAN identifier.
+
+type: integer
+
+
+**`zeek.connection.inner_vlan`**
+:   VLAN identifier.
+
+type: integer
+
+
+
+## dce_rpc [_dce_rpc]
+
+Fields exported by the Zeek DCE_RPC log
+
+**`zeek.dce_rpc.rtt`**
+:   Round trip time from the request to the response. If either the request or response wasn’t seen, this will be null.
+
+type: integer
+
+
+**`zeek.dce_rpc.named_pipe`**
+:   Remote pipe name.
+
+type: keyword
+
+
+**`zeek.dce_rpc.endpoint`**
+:   Endpoint name looked up from the uuid.
+
+type: keyword
+
+
+**`zeek.dce_rpc.operation`**
+:   Operation seen in the call.
+
+type: keyword
+
+
+
+## dhcp [_dhcp]
+
+Fields exported by the Zeek DHCP log
+
+**`zeek.dhcp.domain`**
+:   Domain given by the server in option 15.
+
+type: keyword
+
+
+**`zeek.dhcp.duration`**
+:   Duration of the DHCP session representing the time from the first message to the last, in seconds.
+
+type: double
+
+
+**`zeek.dhcp.hostname`**
+:   Name given by client in Hostname option 12.
+
+type: keyword
+
+
+**`zeek.dhcp.client_fqdn`**
+:   FQDN given by client in Client FQDN option 81.
+
+type: keyword
+
+
+**`zeek.dhcp.lease_time`**
+:   IP address lease interval in seconds.
+
+type: integer
+
+
+
+## address [_address]
+
+Addresses seen in this DHCP exchange.
+
+**`zeek.dhcp.address.assigned`**
+:   IP address assigned by the server.
+
+type: ip
+
+
+**`zeek.dhcp.address.client`**
+:   IP address of the client. If a transaction is only a client sending INFORM messages then there is no lease information exchanged so this is helpful to know who sent the messages. Getting an address in this field does require that the client sources at least one DHCP message using a non-broadcast address.
+
+type: ip
+
+
+**`zeek.dhcp.address.mac`**
+:   Client’s hardware address.
+
+type: keyword
+
+
+**`zeek.dhcp.address.requested`**
+:   IP address requested by the client.
+
+type: ip
+
+
+**`zeek.dhcp.address.server`**
+:   IP address of the DHCP server.
+
+type: ip
+
+
+**`zeek.dhcp.msg.types`**
+:   List of DHCP message types seen in this exchange.
+
+type: keyword
+
+
+**`zeek.dhcp.msg.origin`**
+:   (present if policy/protocols/dhcp/msg-orig.bro is loaded) The address that originated each message from the msg.types field.
+
+type: ip
+
+
+**`zeek.dhcp.msg.client`**
+:   Message typically accompanied with a DHCP_DECLINE so the client can tell the server why it rejected an address.
+
+type: keyword
+
+
+**`zeek.dhcp.msg.server`**
+:   Message typically accompanied with a DHCP_NAK to let the client know why it rejected the request.
+
+type: keyword
+
+
+**`zeek.dhcp.software.client`**
+:   (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option.
+
+type: keyword
+
+
+**`zeek.dhcp.software.server`**
+:   (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option.
+
+type: keyword
+
+
+**`zeek.dhcp.id.circuit`**
+:   (present if policy/protocols/dhcp/sub-opts.bro is loaded) Added by DHCP relay agents which terminate switched or permanent circuits. It encodes an agent-local identifier of the circuit from which a DHCP client-to-server packet was received. Typically it should represent a router or switch interface number.
+
+type: keyword
+
+
+**`zeek.dhcp.id.remote_agent`**
+:   (present if policy/protocols/dhcp/sub-opts.bro is loaded) A globally unique identifier added by relay agents to identify the remote host end of the circuit.
+
+type: keyword
+
+
+**`zeek.dhcp.id.subscriber`**
+:   (present if policy/protocols/dhcp/sub-opts.bro is loaded) The subscriber ID is a value independent of the physical network configuration so that a customer’s DHCP configuration can be given to them correctly no matter where they are physically connected.
+
+type: keyword
+
+
+
+## dnp3 [_dnp3]
+
+Fields exported by the Zeek DNP3 log
+
+**`zeek.dnp3.function.request`**
+:   The name of the function message in the request.
+
+type: keyword
+
+
+**`zeek.dnp3.function.reply`**
+:   The name of the function message in the reply.
+
+type: keyword
+
+
+**`zeek.dnp3.id`**
+:   The response’s internal indication number.
+
+type: integer
+
+
+
+## dns [_dns_2]
+
+Fields exported by the Zeek DNS log
+
+**`zeek.dns.trans_id`**
+:   DNS transaction identifier.
+
+type: keyword
+
+
+**`zeek.dns.rtt`**
+:   Round trip time for the query and response.
+
+type: double
+
+
+**`zeek.dns.query`**
+:   The domain name that is the subject of the DNS query.
+
+type: keyword
+
+
+**`zeek.dns.qclass`**
+:   The QCLASS value specifying the class of the query.
+
+type: long
+
+
+**`zeek.dns.qclass_name`**
+:   A descriptive name for the class of the query.
+
+type: keyword
+
+
+**`zeek.dns.qtype`**
+:   A QTYPE value specifying the type of the query.
+
+type: long
+
+
+**`zeek.dns.qtype_name`**
+:   A descriptive name for the type of the query.
+
+type: keyword
+
+
+**`zeek.dns.rcode`**
+:   The response code value in DNS response messages.
+
+type: long
+
+
+**`zeek.dns.rcode_name`**
+:   A descriptive name for the response code value.
+
+type: keyword
+
+
+**`zeek.dns.AA`**
+:   The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section.
+
+type: boolean
+
+
+**`zeek.dns.TC`**
+:   The Truncation bit specifies that the message was truncated.
+
+type: boolean
+
+
+**`zeek.dns.RD`**
+:   The Recursion Desired bit in a request message indicates that the client wants recursive service for this query.
+
+type: boolean
+
+
+**`zeek.dns.RA`**
+:   The Recursion Available bit in a response message indicates that the name server supports recursive queries.
+
+type: boolean
+
+
+**`zeek.dns.answers`**
+:   The set of resource descriptions in the query answer.
+
+type: keyword
+
+
+**`zeek.dns.TTLs`**
+:   The caching intervals of the associated RRs described by the answers field.
+
+type: double
+
+
+**`zeek.dns.rejected`**
+:   Indicates whether the DNS query was rejected by the server.
+
+type: boolean
+
+
+**`zeek.dns.total_answers`**
+:   The total number of resource records in the reply.
+
+type: integer
+
+
+**`zeek.dns.total_replies`**
+:   The total number of resource records in the reply message.
+
+type: integer
+
+
+**`zeek.dns.saw_query`**
+:   Whether the full DNS query has been seen.
+
+type: boolean
+
+
+**`zeek.dns.saw_reply`**
+:   Whether the full DNS reply has been seen.
+
+type: boolean
+
+
+
+## dpd [_dpd]
+
+Fields exported by the Zeek DPD log
+
+**`zeek.dpd.analyzer`**
+:   The analyzer that generated the violation.
+
+type: keyword
+
+
+**`zeek.dpd.failure_reason`**
+:   The textual reason for the analysis failure.
+
+type: keyword
+
+
+**`zeek.dpd.packet_segment`**
+:   (present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) A chunk of the payload that most likely resulted in the protocol violation.
+
+type: keyword
+
+
+
+## files [_files]
+
+Fields exported by the Zeek Files log.
+
+**`zeek.files.fuid`**
+:   A file unique identifier.
+
+type: keyword
+
+
+**`zeek.files.tx_host`**
+:   The host that transferred the file.
+
+type: ip
+
+
+**`zeek.files.rx_host`**
+:   The host that received the file.
+
+type: ip
+
+
+**`zeek.files.session_ids`**
+:   The sessions that have this file.
+
+type: keyword
+
+
+**`zeek.files.source`**
+:   An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source.
+
+type: keyword
+
+
+**`zeek.files.depth`**
+:   A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection.
+
+type: long
+
+
+**`zeek.files.analyzers`**
+:   A set of analysis types done during the file analysis.
+
+type: keyword
+
+
+**`zeek.files.mime_type`**
+:   Mime type of the file.
+
+type: keyword
+
+
+**`zeek.files.filename`**
+:   Name of the file if available.
+
+type: keyword
+
+
+**`zeek.files.local_orig`**
+:   If the source of this file is a network connection, this field indicates if the data originated from the local network or not.
+
+type: boolean
+
+
+**`zeek.files.is_orig`**
+:   If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder.
+
+type: boolean
+
+
+**`zeek.files.duration`**
+:   The duration the file was analyzed for. Not the duration of the session.
+
+type: double
+
+
+**`zeek.files.seen_bytes`**
+:   Number of bytes provided to the file analysis engine for the file.
+
+type: long
+
+
+**`zeek.files.total_bytes`**
+:   Total number of bytes that are supposed to comprise the full file.
+
+type: long
+
+
+**`zeek.files.missing_bytes`**
+:   The number of bytes in the file stream that were completely missed during the process of analysis.
+
+type: long
+
+
+**`zeek.files.overflow_bytes`**
+:   The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled.
+
+type: long
+
+
+**`zeek.files.timedout`**
+:   Whether the file analysis timed out at least once for the file.
+
+type: boolean
+
+
+**`zeek.files.parent_fuid`**
+:   Identifier associated with a container file from which this one was extracted as part of the file analysis.
+
+type: keyword
+
+
+**`zeek.files.md5`**
+:   An MD5 digest of the file contents.
+
+type: keyword
+
+
+**`zeek.files.sha1`**
+:   A SHA1 digest of the file contents.
+
+type: keyword
+
+
+**`zeek.files.sha256`**
+:   A SHA256 digest of the file contents.
+
+type: keyword
+
+
+**`zeek.files.extracted`**
+:   Local filename of extracted file.
+
+type: keyword
+
+
+**`zeek.files.extracted_cutoff`**
+:   Indicate whether the file being extracted was cut off hence not extracted completely.
+
+type: boolean
+
+
+**`zeek.files.extracted_size`**
+:   The number of bytes extracted to disk.
+
+type: long
+
+
+**`zeek.files.entropy`**
+:   The information density of the contents of the file.
+
+type: double
+
+
+
+## ftp [_ftp]
+
+Fields exported by the Zeek FTP log
+
+**`zeek.ftp.user`**
+:   User name for the current FTP session.
+
+type: keyword
+
+
+**`zeek.ftp.password`**
+:   Password for the current FTP session if captured.
+
+type: keyword
+
+
+**`zeek.ftp.command`**
+:   Command given by the client.
+
+type: keyword
+
+
+**`zeek.ftp.arg`**
+:   Argument for the command if one is given.
+
+type: keyword
+
+
+**`zeek.ftp.file.size`**
+:   Size of the file if the command indicates a file transfer.
+
+type: long
+
+
+**`zeek.ftp.file.mime_type`**
+:   Sniffed mime type of file.
+
+type: keyword
+
+
+**`zeek.ftp.file.fuid`**
+:   (present if base/protocols/ftp/files.bro is loaded) File unique ID.
+
+type: keyword
+
+
+**`zeek.ftp.reply.code`**
+:   Reply code from the server in response to the command.
+
+type: integer
+
+
+**`zeek.ftp.reply.msg`**
+:   Reply message from the server in response to the command.
+
+type: keyword
+
+
+
+## data_channel [_data_channel]
+
+Expected FTP data channel.
+
+**`zeek.ftp.data_channel.passive`**
+:   Whether PASV mode is toggled for control channel.
+
+type: boolean
+
+
+**`zeek.ftp.data_channel.originating_host`**
+:   The host that will be initiating the data connection.
+
+type: ip
+
+
+**`zeek.ftp.data_channel.response_host`**
+:   The host that will be accepting the data connection.
+
+type: ip
+
+
+**`zeek.ftp.data_channel.response_port`**
+:   The port at which the acceptor is listening for the data connection.
+
+type: integer
+
+
+**`zeek.ftp.cwd`**
+:   Current working directory that this session is in. By making the default value *.*, we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use.
+
+type: keyword
+
+
+
+## cmdarg [_cmdarg]
+
+Command that is currently waiting for a response.
+
+**`zeek.ftp.cmdarg.cmd`**
+:   Command.
+
+type: keyword
+
+
+**`zeek.ftp.cmdarg.arg`**
+:   Argument for the command if one was given.
+
+type: keyword
+
+
+**`zeek.ftp.cmdarg.seq`**
+:   Counter to track how many commands have been executed.
+
+type: integer
+
+
+**`zeek.ftp.pending_commands`**
+:   Queue for commands that have been sent but not yet responded to are tracked here.
+
+type: integer
+
+
+**`zeek.ftp.passive`**
+:   Indicates if the session is in active or passive mode.
+
+type: boolean
+
+
+**`zeek.ftp.capture_password`**
+:   Determines if the password will be captured for this request.
+
+type: boolean
+
+
+**`zeek.ftp.last_auth_requested`**
+:   present if base/protocols/ftp/gridftp.bro is loaded. Last authentication/security mechanism that was used.
+
+type: keyword
+
+
+
+## http [_http_3]
+
+Fields exported by the Zeek HTTP log
+
+**`zeek.http.trans_depth`**
+:   Represents the pipelined depth into the connection of this request/response transaction.
+
+type: integer
+
+
+**`zeek.http.status_msg`**
+:   Status message returned by the server.
+
+type: keyword
+
+
+**`zeek.http.info_code`**
+:   Last seen 1xx informational reply code returned by the server.
+
+type: integer
+
+
+**`zeek.http.info_msg`**
+:   Last seen 1xx informational reply message returned by the server.
+
+type: keyword
+
+
+**`zeek.http.tags`**
+:   A set of indicators of various attributes discovered and related to a particular request/response pair.
+
+type: keyword
+
+
+**`zeek.http.password`**
+:   Password if basic-auth is performed for the request.
+
+type: keyword
+
+
+**`zeek.http.captured_password`**
+:   Determines if the password will be captured for this request.
+
+type: boolean
+
+
+**`zeek.http.proxied`**
+:   All of the headers that may indicate if the HTTP request was proxied.
+
+type: keyword
+
+
+**`zeek.http.range_request`**
+:   Indicates if this request can assume 206 partial content in response.
+
+type: boolean
+
+
+**`zeek.http.client_header_names`**
+:   The vector of HTTP header names sent by the client. No header values are included here, just the header names.
+
+type: keyword
+
+
+**`zeek.http.server_header_names`**
+:   The vector of HTTP header names sent by the server. No header values are included here, just the header names.
+
+type: keyword
+
+
+**`zeek.http.orig_fuids`**
+:   An ordered vector of file unique IDs from the originator.
+
+type: keyword
+
+
+**`zeek.http.orig_mime_types`**
+:   An ordered vector of mime types from the originator.
+
+type: keyword
+
+
+**`zeek.http.orig_filenames`**
+:   An ordered vector of filenames from the originator.
+
+type: keyword
+
+
+**`zeek.http.resp_fuids`**
+:   An ordered vector of file unique IDs from the responder.
+
+type: keyword
+
+
+**`zeek.http.resp_mime_types`**
+:   An ordered vector of mime types from the responder.
+
+type: keyword
+
+
+**`zeek.http.resp_filenames`**
+:   An ordered vector of filenames from the responder.
+
+type: keyword
+
+
+**`zeek.http.orig_mime_depth`**
+:   Current number of MIME entities in the HTTP request message body.
+
+type: integer
+
+
+**`zeek.http.resp_mime_depth`**
+:   Current number of MIME entities in the HTTP response message body.
+
+type: integer
+
+
+
+## intel [_intel]
+
+Fields exported by the Zeek Intel log.
+
+**`zeek.intel.seen.indicator`**
+:   The intelligence indicator.
+
+type: keyword
+
+
+**`zeek.intel.seen.indicator_type`**
+:   The type of data the indicator represents.
+
+type: keyword
+
+
+**`zeek.intel.seen.host`**
+:   If the indicator type was Intel::ADDR, then this field will be present.
+
+type: keyword
+
+
+**`zeek.intel.seen.conn`**
+:   If the data was discovered within a connection, the connection record should go here to give context to the data.
+
+type: keyword
+
+
+**`zeek.intel.seen.where`**
+:   Where the data was discovered.
+
+type: keyword
+
+
+**`zeek.intel.seen.node`**
+:   The name of the node where the match was discovered.
+
+type: keyword
+
+
+**`zeek.intel.seen.uid`**
+:   If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.
+
+type: keyword
+
+
+**`zeek.intel.seen.f`**
+:   If the data was discovered within a file, the file record should go here to provide context to the data.
+
+type: object
+
+
+**`zeek.intel.seen.fuid`**
+:   If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.
+
+type: keyword
+
+
+**`zeek.intel.matched`**
+:   Event to represent a match in the intelligence data from data that was seen.
+
+type: keyword
+
+
+**`zeek.intel.sources`**
+:   Sources which supplied data for this match.
+
+type: keyword
+
+
+**`zeek.intel.fuid`**
+:   If a file was associated with this intelligence hit, this is the uid for the file.
+
+type: keyword
+
+
+**`zeek.intel.file_mime_type`**
+:   A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.
+
+type: keyword
+
+
+**`zeek.intel.file_desc`**
+:   Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out.
+
+type: keyword
+
+
+
+## irc [_irc]
+
+Fields exported by the Zeek IRC log
+
+**`zeek.irc.nick`**
+:   Nickname given for the connection.
+
+type: keyword
+
+
+**`zeek.irc.user`**
+:   Username given for the connection.
+
+type: keyword
+
+
+**`zeek.irc.command`**
+:   Command given by the client.
+
+type: keyword
+
+
+**`zeek.irc.value`**
+:   Value for the command given by the client.
+
+type: keyword
+
+
+**`zeek.irc.addl`**
+:   Any additional data for the command.
+
+type: keyword
+
+
+**`zeek.irc.dcc.file.name`**
+:   Present if base/protocols/irc/dcc-send.bro is loaded. DCC filename requested.
+
+type: keyword
+
+
+**`zeek.irc.dcc.file.size`**
+:   Present if base/protocols/irc/dcc-send.bro is loaded. Size of the DCC transfer as indicated by the sender.
+
+type: long
+
+
+**`zeek.irc.dcc.mime_type`**
+:   present if base/protocols/irc/dcc-send.bro is loaded. Sniffed mime type of the file.
+
+type: keyword
+
+
+**`zeek.irc.fuid`**
+:   present if base/protocols/irc/files.bro is loaded. File unique ID.
+
+type: keyword
+
+
+
+## kerberos [_kerberos_3]
+
+Fields exported by the Zeek Kerberos log
+
+**`zeek.kerberos.request_type`**
+:   Request type - Authentication Service (AS) or Ticket Granting Service (TGS).
+
+type: keyword
+
+
+**`zeek.kerberos.client`**
+:   Client name.
+
+type: keyword
+
+
+**`zeek.kerberos.service`**
+:   Service name.
+
+type: keyword
+
+
+**`zeek.kerberos.success`**
+:   Request result.
+
+type: boolean
+
+
+**`zeek.kerberos.error.code`**
+:   Error code.
+
+type: integer
+
+
+**`zeek.kerberos.error.msg`**
+:   Error message.
+
+type: keyword
+
+
+**`zeek.kerberos.valid.from`**
+:   Ticket valid from.
+
+type: date
+
+
+**`zeek.kerberos.valid.until`**
+:   Ticket valid until.
+
+type: date
+
+
+**`zeek.kerberos.valid.days`**
+:   Number of days the ticket is valid for.
+
+type: integer
+
+
+**`zeek.kerberos.cipher`**
+:   Ticket encryption type.
+
+type: keyword
+
+
+**`zeek.kerberos.forwardable`**
+:   Forwardable ticket requested.
+
+type: boolean
+
+
+**`zeek.kerberos.renewable`**
+:   Renewable ticket requested.
+
+type: boolean
+
+
+**`zeek.kerberos.ticket.auth`**
+:   Hash of ticket used to authorize request/transaction.
+
+type: keyword
+
+
+**`zeek.kerberos.ticket.new`**
+:   Hash of ticket returned by the KDC.
+
+type: keyword
+
+
+**`zeek.kerberos.cert.client.value`**
+:   Client certificate.
+
+type: keyword
+
+
+**`zeek.kerberos.cert.client.fuid`**
+:   File unique ID of client cert.
+
+type: keyword
+
+
+**`zeek.kerberos.cert.client.subject`**
+:   Subject of client certificate.
+
+type: keyword
+
+
+**`zeek.kerberos.cert.server.value`**
+:   Server certificate.
+
+type: keyword
+
+
+**`zeek.kerberos.cert.server.fuid`**
+:   File unique ID of server certificate.
+
+type: keyword
+
+
+**`zeek.kerberos.cert.server.subject`**
+:   Subject of server certificate.
+
+type: keyword
+
+
+
+## modbus [_modbus]
+
+Fields exported by the Zeek modbus log.
+
+**`zeek.modbus.function`**
+:   The name of the function message that was sent.
+
+type: keyword
+
+
+**`zeek.modbus.exception`**
+:   The exception if the response was a failure.
+
+type: keyword
+
+
+**`zeek.modbus.track_address`**
+:   Present if policy/protocols/modbus/track-memmap.bro is loaded. Modbus track address.
+
+type: integer
+
+
+
+## mysql [_mysql_2]
+
+Fields exported by the Zeek MySQL log.
+
+**`zeek.mysql.cmd`**
+:   The command that was issued.
+
+type: keyword
+
+
+**`zeek.mysql.arg`**
+:   The argument issued to the command.
+
+type: keyword
+
+
+**`zeek.mysql.success`**
+:   Whether the command succeeded.
+
+type: boolean
+
+
+**`zeek.mysql.rows`**
+:   The number of affected rows, if any.
+
+type: integer
+
+
+**`zeek.mysql.response`**
+:   Server message, if any.
+
+type: keyword
+
+
+
+## notice [_notice]
+
+Fields exported by the Zeek Notice log.
+
+**`zeek.notice.connection_id`**
+:   Identifier of the related connection session.
+
+type: keyword
+
+
+**`zeek.notice.icmp_id`**
+:   Identifier of the related ICMP session.
+
+type: keyword
+
+
+**`zeek.notice.file.id`**
+:   An identifier associated with a single file that is related to this notice.
+
+type: keyword
+
+
+**`zeek.notice.file.parent_id`**
+:   Identifier associated with a container file from which this one was extracted.
+
+type: keyword
+
+
+**`zeek.notice.file.source`**
+:   An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source.
+
+type: keyword
+
+
+**`zeek.notice.file.mime_type`**
+:   A mime type if the notice is related to a file.
+
+type: keyword
+
+
+**`zeek.notice.file.is_orig`**
+:   If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder.
+
+type: boolean
+
+
+**`zeek.notice.file.seen_bytes`**
+:   Number of bytes provided to the file analysis engine for the file.
+
+type: long
+
+
+**`zeek.notice.ffile.total_bytes`**
+:   Total number of bytes that are supposed to comprise the full file.
+
+type: long
+
+
+**`zeek.notice.file.missing_bytes`**
+:   The number of bytes in the file stream that were completely missed during the process of analysis.
+
+type: long
+
+
+**`zeek.notice.file.overflow_bytes`**
+:   The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled.
+
+type: long
+
+
+**`zeek.notice.fuid`**
+:   A file unique ID if this notice is related to a file.
+
+type: keyword
+
+
+**`zeek.notice.note`**
+:   The type of the notice.
+
+type: keyword
+
+
+**`zeek.notice.msg`**
+:   The human readable message for the notice.
+
+type: keyword
+
+
+**`zeek.notice.sub`**
+:   The human readable sub-message.
+
+type: keyword
+
+
+**`zeek.notice.n`**
+:   Associated count, or a status code.
+
+type: long
+
+
+**`zeek.notice.peer_name`**
+:   Name of remote peer that raised this notice.
+
+type: keyword
+
+
+**`zeek.notice.peer_descr`**
+:   Textual description for the peer that raised this notice.
+
+type: text
+
+
+**`zeek.notice.actions`**
+:   The actions which have been applied to this notice.
+
+type: keyword
+
+
+**`zeek.notice.email_body_sections`**
+:   By adding chunks of text into this element, other scripts can expand on notices that are being emailed.
+
+type: text
+
+
+**`zeek.notice.email_delay_tokens`**
+:   Adding a string token to this set will cause the built-in emailing functionality to delay sending the email either the token has been removed or the email has been delayed for the specified time duration.
+
+type: keyword
+
+
+**`zeek.notice.identifier`**
+:   This field is provided when a notice is generated for the purpose of deduplicating notices.
+
+type: keyword
+
+
+**`zeek.notice.suppress_for`**
+:   This field indicates the length of time that this unique notice should be suppressed.
+
+type: double
+
+
+**`zeek.notice.dropped`**
+:   Indicate if the source IP address was dropped and denied network access.
+
+type: boolean
+
+
+
+## ntlm [_ntlm]
+
+Fields exported by the Zeek NTLM log.
+
+**`zeek.ntlm.domain`**
+:   Domain name given by the client.
+
+type: keyword
+
+
+**`zeek.ntlm.hostname`**
+:   Hostname given by the client.
+
+type: keyword
+
+
+**`zeek.ntlm.success`**
+:   Indicate whether or not the authentication was successful.
+
+type: boolean
+
+
+**`zeek.ntlm.username`**
+:   Username given by the client.
+
+type: keyword
+
+
+**`zeek.ntlm.server.name.dns`**
+:   DNS name given by the server in a CHALLENGE.
+
+type: keyword
+
+
+**`zeek.ntlm.server.name.netbios`**
+:   NetBIOS name given by the server in a CHALLENGE.
+
+type: keyword
+
+
+**`zeek.ntlm.server.name.tree`**
+:   Tree name given by the server in a CHALLENGE.
+
+type: keyword
+
+
+
+## ntp [_ntp]
+
+Fields exported by the Zeek NTP log.
+
+**`zeek.ntp.version`**
+:   The NTP version number (1, 2, 3, 4).
+
+type: integer
+
+
+**`zeek.ntp.mode`**
+:   The NTP mode being used.
+
+type: integer
+
+
+**`zeek.ntp.stratum`**
+:   The stratum (primary server, secondary server, etc.).
+
+type: integer
+
+
+**`zeek.ntp.poll`**
+:   The maximum interval between successive messages in seconds.
+
+type: double
+
+
+**`zeek.ntp.precision`**
+:   The precision of the system clock in seconds.
+
+type: double
+
+
+**`zeek.ntp.root_delay`**
+:   Total round-trip delay to the reference clock in seconds.
+
+type: double
+
+
+**`zeek.ntp.root_disp`**
+:   Total dispersion to the reference clock in seconds.
+
+type: double
+
+
+**`zeek.ntp.ref_id`**
+:   For stratum 0, 4 character string used for debugging. For stratum 1, ID assigned to the reference clock by IANA. Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).
+
+type: keyword
+
+
+**`zeek.ntp.ref_time`**
+:   Time when the system clock was last set or correct.
+
+type: date
+
+
+**`zeek.ntp.org_time`**
+:   Time at the client when the request departed for the NTP server.
+
+type: date
+
+
+**`zeek.ntp.rec_time`**
+:   Time at the server when the request arrived from the NTP client.
+
+type: date
+
+
+**`zeek.ntp.xmt_time`**
+:   Time at the server when the response departed for the NTP client.
+
+type: date
+
+
+**`zeek.ntp.num_exts`**
+:   Number of extension fields (which are not currently parsed).
+
+type: integer
+
+
+
+## ocsp [_ocsp]
+
+Fields exported by the Zeek OCSP log Online Certificate Status Protocol (OCSP). Only created if policy script is loaded.
+
+**`zeek.ocsp.file_id`**
+:   File id of the OCSP reply.
+
+type: keyword
+
+
+**`zeek.ocsp.hash.algorithm`**
+:   Hash algorithm used to generate issuerNameHash and issuerKeyHash.
+
+type: keyword
+
+
+**`zeek.ocsp.hash.issuer.name`**
+:   Hash of the issuer’s distingueshed name.
+
+type: keyword
+
+
+**`zeek.ocsp.hash.issuer.key`**
+:   Hash of the issuer’s public key.
+
+type: keyword
+
+
+**`zeek.ocsp.serial_number`**
+:   Serial number of the affected certificate.
+
+type: keyword
+
+
+**`zeek.ocsp.status`**
+:   Status of the affected certificate.
+
+type: keyword
+
+
+**`zeek.ocsp.revoke.time`**
+:   Time at which the certificate was revoked.
+
+type: date
+
+
+**`zeek.ocsp.revoke.reason`**
+:   Reason for which the certificate was revoked.
+
+type: keyword
+
+
+**`zeek.ocsp.update.this`**
+:   The time at which the status being shows is known to have been correct.
+
+type: date
+
+
+**`zeek.ocsp.update.next`**
+:   The latest time at which new information about the status of the certificate will be available.
+
+type: date
+
+
+
+## pe [_pe_2]
+
+Fields exported by the Zeek pe log.
+
+**`zeek.pe.client`**
+:   The client’s version string.
+
+type: keyword
+
+
+**`zeek.pe.id`**
+:   File id of this portable executable file.
+
+type: keyword
+
+
+**`zeek.pe.machine`**
+:   The target machine that the file was compiled for.
+
+type: keyword
+
+
+**`zeek.pe.compile_time`**
+:   The time that the file was created at.
+
+type: date
+
+
+**`zeek.pe.os`**
+:   The required operating system.
+
+type: keyword
+
+
+**`zeek.pe.subsystem`**
+:   The subsystem that is required to run this file.
+
+type: keyword
+
+
+**`zeek.pe.is_exe`**
+:   Is the file an executable, or just an object file?
+
+type: boolean
+
+
+**`zeek.pe.is_64bit`**
+:   Is the file a 64-bit executable?
+
+type: boolean
+
+
+**`zeek.pe.uses_aslr`**
+:   Does the file support Address Space Layout Randomization?
+
+type: boolean
+
+
+**`zeek.pe.uses_dep`**
+:   Does the file support Data Execution Prevention?
+
+type: boolean
+
+
+**`zeek.pe.uses_code_integrity`**
+:   Does the file enforce code integrity checks?
+
+type: boolean
+
+
+**`zeek.pe.uses_seh`**
+:   Does the file use structured exception handing?
+
+type: boolean
+
+
+**`zeek.pe.has_import_table`**
+:   Does the file have an import table?
+
+type: boolean
+
+
+**`zeek.pe.has_export_table`**
+:   Does the file have an export table?
+
+type: boolean
+
+
+**`zeek.pe.has_cert_table`**
+:   Does the file have an attribute certificate table?
+
+type: boolean
+
+
+**`zeek.pe.has_debug_data`**
+:   Does the file have a debug table?
+
+type: boolean
+
+
+**`zeek.pe.section_names`**
+:   The names of the sections, in order.
+
+type: keyword
+
+
+
+## radius [_radius]
+
+Fields exported by the Zeek Radius log.
+
+**`zeek.radius.username`**
+:   The username, if present.
+
+type: keyword
+
+
+**`zeek.radius.mac`**
+:   MAC address, if present.
+
+type: keyword
+
+
+**`zeek.radius.framed_addr`**
+:   The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.
+
+type: ip
+
+
+**`zeek.radius.remote_ip`**
+:   Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute.
+
+type: ip
+
+
+**`zeek.radius.connect_info`**
+:   Connect info, if present.
+
+type: keyword
+
+
+**`zeek.radius.reply_msg`**
+:   Reply message from the server challenge. This is frequently shown to the user authenticating.
+
+type: keyword
+
+
+**`zeek.radius.result`**
+:   Successful or failed authentication.
+
+type: keyword
+
+
+**`zeek.radius.ttl`**
+:   The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen.
+
+type: integer
+
+
+**`zeek.radius.logged`**
+:   Whether this has already been logged and can be ignored.
+
+type: boolean
+
+
+
+## rdp [_rdp]
+
+Fields exported by the Zeek RDP log.
+
+**`zeek.rdp.cookie`**
+:   Cookie value used by the client machine. This is typically a username.
+
+type: keyword
+
+
+**`zeek.rdp.result`**
+:   Status result for the connection. It’s a mix between RDP negotation failure messages and GCC server create response messages.
+
+type: keyword
+
+
+**`zeek.rdp.security_protocol`**
+:   Security protocol chosen by the server.
+
+type: keyword
+
+
+**`zeek.rdp.keyboard_layout`**
+:   Keyboard layout (language) of the client machine.
+
+type: keyword
+
+
+**`zeek.rdp.client.build`**
+:   RDP client version used by the client machine.
+
+type: keyword
+
+
+**`zeek.rdp.client.client_name`**
+:   Name of the client machine.
+
+type: keyword
+
+
+**`zeek.rdp.client.product_id`**
+:   Product ID of the client machine.
+
+type: keyword
+
+
+**`zeek.rdp.desktop.width`**
+:   Desktop width of the client machine.
+
+type: integer
+
+
+**`zeek.rdp.desktop.height`**
+:   Desktop height of the client machine.
+
+type: integer
+
+
+**`zeek.rdp.desktop.color_depth`**
+:   The color depth requested by the client in the high_color_depth field.
+
+type: keyword
+
+
+**`zeek.rdp.cert.type`**
+:   If the connection is being encrypted with native RDP encryption, this is the type of cert being used.
+
+type: keyword
+
+
+**`zeek.rdp.cert.count`**
+:   The number of certs seen. X.509 can transfer an entire certificate chain.
+
+type: integer
+
+
+**`zeek.rdp.cert.permanent`**
+:   Indicates if the provided certificate or certificate chain is permanent or temporary.
+
+type: boolean
+
+
+**`zeek.rdp.encryption.level`**
+:   Encryption level of the connection.
+
+type: keyword
+
+
+**`zeek.rdp.encryption.method`**
+:   Encryption method of the connection.
+
+type: keyword
+
+
+**`zeek.rdp.done`**
+:   Track status of logging RDP connections.
+
+type: boolean
+
+
+**`zeek.rdp.ssl`**
+:   (present if policy/protocols/rdp/indicate_ssl.bro is loaded) Flag the connection if it was seen over SSL.
+
+type: boolean
+
+
+
+## rfb [_rfb]
+
+Fields exported by the Zeek RFB log.
+
+**`zeek.rfb.version.client.major`**
+:   Major version of the client.
+
+type: keyword
+
+
+**`zeek.rfb.version.client.minor`**
+:   Minor version of the client.
+
+type: keyword
+
+
+**`zeek.rfb.version.server.major`**
+:   Major version of the server.
+
+type: keyword
+
+
+**`zeek.rfb.version.server.minor`**
+:   Minor version of the server.
+
+type: keyword
+
+
+**`zeek.rfb.auth.success`**
+:   Whether or not authentication was successful.
+
+type: boolean
+
+
+**`zeek.rfb.auth.method`**
+:   Identifier of authentication method used.
+
+type: keyword
+
+
+**`zeek.rfb.share_flag`**
+:   Whether the client has an exclusive or a shared session.
+
+type: boolean
+
+
+**`zeek.rfb.desktop_name`**
+:   Name of the screen that is being shared.
+
+type: keyword
+
+
+**`zeek.rfb.width`**
+:   Width of the screen that is being shared.
+
+type: integer
+
+
+**`zeek.rfb.height`**
+:   Height of the screen that is being shared.
+
+type: integer
+
+
+
+## signature [_signature]
+
+Fields exported by the Zeek Signature log.
+
+**`zeek.signature.note`**
+:   Notice associated with signature event.
+
+type: keyword
+
+
+**`zeek.signature.sig_id`**
+:   The name of the signature that matched.
+
+type: keyword
+
+
+**`zeek.signature.event_msg`**
+:   A more descriptive message of the signature-matching event.
+
+type: keyword
+
+
+**`zeek.signature.sub_msg`**
+:   Extracted payload data or extra message.
+
+type: keyword
+
+
+**`zeek.signature.sig_count`**
+:   Number of sigs, usually from summary count.
+
+type: integer
+
+
+**`zeek.signature.host_count`**
+:   Number of hosts, from a summary count.
+
+type: integer
+
+
+
+## sip [_sip]
+
+Fields exported by the Zeek SIP log.
+
+**`zeek.sip.transaction_depth`**
+:   Represents the pipelined depth into the connection of this request/response transaction.
+
+type: integer
+
+
+**`zeek.sip.sequence.method`**
+:   Verb used in the SIP request (INVITE, REGISTER etc.).
+
+type: keyword
+
+
+**`zeek.sip.sequence.number`**
+:   Contents of the CSeq: header from the client.
+
+type: keyword
+
+
+**`zeek.sip.uri`**
+:   URI used in the request.
+
+type: keyword
+
+
+**`zeek.sip.date`**
+:   Contents of the Date: header from the client.
+
+type: keyword
+
+
+**`zeek.sip.request.from`**
+:   Contents of the request From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged.
+
+type: keyword
+
+
+**`zeek.sip.request.to`**
+:   Contents of the To: header.
+
+type: keyword
+
+
+**`zeek.sip.request.path`**
+:   The client message transmission path, as extracted from the headers.
+
+type: keyword
+
+
+**`zeek.sip.request.body_length`**
+:   Contents of the Content-Length: header from the client.
+
+type: long
+
+
+**`zeek.sip.response.from`**
+:   Contents of the response From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged.
+
+type: keyword
+
+
+**`zeek.sip.response.to`**
+:   Contents of the response To: header.
+
+type: keyword
+
+
+**`zeek.sip.response.path`**
+:   The server message transmission path, as extracted from the headers.
+
+type: keyword
+
+
+**`zeek.sip.response.body_length`**
+:   Contents of the Content-Length: header from the server.
+
+type: long
+
+
+**`zeek.sip.reply_to`**
+:   Contents of the Reply-To: header.
+
+type: keyword
+
+
+**`zeek.sip.call_id`**
+:   Contents of the Call-ID: header from the client.
+
+type: keyword
+
+
+**`zeek.sip.subject`**
+:   Contents of the Subject: header from the client.
+
+type: keyword
+
+
+**`zeek.sip.user_agent`**
+:   Contents of the User-Agent: header from the client.
+
+type: keyword
+
+
+**`zeek.sip.status.code`**
+:   Status code returned by the server.
+
+type: integer
+
+
+**`zeek.sip.status.msg`**
+:   Status message returned by the server.
+
+type: keyword
+
+
+**`zeek.sip.warning`**
+:   Contents of the Warning: header.
+
+type: keyword
+
+
+**`zeek.sip.content_type`**
+:   Contents of the Content-Type: header from the server.
+
+type: keyword
+
+
+
+## smb_cmd [_smb_cmd]
+
+Fields exported by the Zeek smb_cmd log.
+
+**`zeek.smb_cmd.command`**
+:   The command sent by the client.
+
+type: keyword
+
+
+**`zeek.smb_cmd.sub_command`**
+:   The subcommand sent by the client, if present.
+
+type: keyword
+
+
+**`zeek.smb_cmd.argument`**
+:   Command argument sent by the client, if any.
+
+type: keyword
+
+
+**`zeek.smb_cmd.status`**
+:   Server reply to the client’s command.
+
+type: keyword
+
+
+**`zeek.smb_cmd.rtt`**
+:   Round trip time from the request to the response.
+
+type: double
+
+
+**`zeek.smb_cmd.version`**
+:   Version of SMB for the command.
+
+type: keyword
+
+
+**`zeek.smb_cmd.username`**
+:   Authenticated username, if available.
+
+type: keyword
+
+
+**`zeek.smb_cmd.tree`**
+:   If this is related to a tree, this is the tree that was used for the current command.
+
+type: keyword
+
+
+**`zeek.smb_cmd.tree_service`**
+:   The type of tree (disk share, printer share, named pipe, etc.).
+
+type: keyword
+
+
+
+## file [_file_4]
+
+If the command referenced a file, store it here.
+
+**`zeek.smb_cmd.file.name`**
+:   Filename if one was seen.
+
+type: keyword
+
+
+**`zeek.smb_cmd.file.action`**
+:   Action this log record represents.
+
+type: keyword
+
+
+**`zeek.smb_cmd.file.uid`**
+:   UID of the referenced file.
+
+type: keyword
+
+
+**`zeek.smb_cmd.file.host.tx`**
+:   Address of the transmitting host.
+
+type: ip
+
+
+**`zeek.smb_cmd.file.host.rx`**
+:   Address of the receiving host.
+
+type: ip
+
+
+**`zeek.smb_cmd.smb1_offered_dialects`**
+:   Present if base/protocols/smb/smb1-main.bro is loaded. Dialects offered by the client.
+
+type: keyword
+
+
+**`zeek.smb_cmd.smb2_offered_dialects`**
+:   Present if base/protocols/smb/smb2-main.bro is loaded. Dialects offered by the client.
+
+type: integer
+
+
+
+## smb_files [_smb_files]
+
+Fields exported by the Zeek SMB Files log.
+
+**`zeek.smb_files.action`**
+:   Action this log record represents.
+
+type: keyword
+
+
+**`zeek.smb_files.fid`**
+:   ID referencing this file.
+
+type: integer
+
+
+**`zeek.smb_files.name`**
+:   Filename if one was seen.
+
+type: keyword
+
+
+**`zeek.smb_files.path`**
+:   Path pulled from the tree this file was transferred to or from.
+
+type: keyword
+
+
+**`zeek.smb_files.previous_name`**
+:   If the rename action was seen, this will be the file’s previous name.
+
+type: keyword
+
+
+**`zeek.smb_files.size`**
+:   Byte size of the file.
+
+type: long
+
+
+
+## times [_times]
+
+Timestamps of the file.
+
+**`zeek.smb_files.times.accessed`**
+:   The file’s access time.
+
+type: date
+
+
+**`zeek.smb_files.times.changed`**
+:   The file’s change time.
+
+type: date
+
+
+**`zeek.smb_files.times.created`**
+:   The file’s create time.
+
+type: date
+
+
+**`zeek.smb_files.times.modified`**
+:   The file’s modify time.
+
+type: date
+
+
+**`zeek.smb_files.uuid`**
+:   UUID referencing this file if DCE/RPC.
+
+type: keyword
+
+
+
+## smb_mapping [_smb_mapping]
+
+Fields exported by the Zeek SMB_Mapping log.
+
+**`zeek.smb_mapping.path`**
+:   Name of the tree path.
+
+type: keyword
+
+
+**`zeek.smb_mapping.service`**
+:   The type of resource of the tree (disk share, printer share, named pipe, etc.).
+
+type: keyword
+
+
+**`zeek.smb_mapping.native_file_system`**
+:   File system of the tree.
+
+type: keyword
+
+
+**`zeek.smb_mapping.share_type`**
+:   If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well.
+
+type: keyword
+
+
+
+## smtp [_smtp]
+
+Fields exported by the Zeek SMTP log.
+
+**`zeek.smtp.transaction_depth`**
+:   A count to represent the depth of this message transaction in a single connection where multiple messages were transferred.
+
+type: integer
+
+
+**`zeek.smtp.helo`**
+:   Contents of the Helo header.
+
+type: keyword
+
+
+**`zeek.smtp.mail_from`**
+:   Email addresses found in the MAIL FROM header.
+
+type: keyword
+
+
+**`zeek.smtp.rcpt_to`**
+:   Email addresses found in the RCPT TO header.
+
+type: keyword
+
+
+**`zeek.smtp.date`**
+:   Contents of the Date header.
+
+type: date
+
+
+**`zeek.smtp.from`**
+:   Contents of the From header.
+
+type: keyword
+
+
+**`zeek.smtp.to`**
+:   Contents of the To header.
+
+type: keyword
+
+
+**`zeek.smtp.cc`**
+:   Contents of the CC header.
+
+type: keyword
+
+
+**`zeek.smtp.reply_to`**
+:   Contents of the ReplyTo header.
+
+type: keyword
+
+
+**`zeek.smtp.msg_id`**
+:   Contents of the MsgID header.
+
+type: keyword
+
+
+**`zeek.smtp.in_reply_to`**
+:   Contents of the In-Reply-To header.
+
+type: keyword
+
+
+**`zeek.smtp.subject`**
+:   Contents of the Subject header.
+
+type: keyword
+
+
+**`zeek.smtp.x_originating_ip`**
+:   Contents of the X-Originating-IP header.
+
+type: keyword
+
+
+**`zeek.smtp.first_received`**
+:   Contents of the first Received header.
+
+type: keyword
+
+
+**`zeek.smtp.second_received`**
+:   Contents of the second Received header.
+
+type: keyword
+
+
+**`zeek.smtp.last_reply`**
+:   The last message that the server sent to the client.
+
+type: keyword
+
+
+**`zeek.smtp.path`**
+:   The message transmission path, as extracted from the headers.
+
+type: ip
+
+
+**`zeek.smtp.user_agent`**
+:   Value of the User-Agent header from the client.
+
+type: keyword
+
+
+**`zeek.smtp.tls`**
+:   Indicates that the connection has switched to using TLS.
+
+type: boolean
+
+
+**`zeek.smtp.process_received_from`**
+:   Indicates if the "Received: from" headers should still be processed.
+
+type: boolean
+
+
+**`zeek.smtp.has_client_activity`**
+:   Indicates if client activity has been seen, but not yet logged.
+
+type: boolean
+
+
+**`zeek.smtp.fuids`**
+:   (present if base/protocols/smtp/files.bro is loaded) An ordered vector of file unique IDs seen attached to the message.
+
+type: keyword
+
+
+**`zeek.smtp.is_webmail`**
+:   Indicates if the message was sent through a webmail interface.
+
+type: boolean
+
+
+
+## snmp [_snmp]
+
+Fields exported by the Zeek SNMP log.
+
+**`zeek.snmp.duration`**
+:   The amount of time between the first packet beloning to the SNMP session and the latest one seen.
+
+type: double
+
+
+**`zeek.snmp.version`**
+:   The version of SNMP being used.
+
+type: keyword
+
+
+**`zeek.snmp.community`**
+:   The community string of the first SNMP packet associated with the session. This is used as part of SNMP’s (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901.
+
+type: keyword
+
+
+**`zeek.snmp.get.requests`**
+:   The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session.
+
+type: integer
+
+
+**`zeek.snmp.get.bulk_requests`**
+:   The number of variable bindings in GetBulkRequest PDUs seen for the session.
+
+type: integer
+
+
+**`zeek.snmp.get.responses`**
+:   The number of variable bindings in GetResponse/Response PDUs seen for the session.
+
+type: integer
+
+
+**`zeek.snmp.set.requests`**
+:   The number of variable bindings in SetRequest PDUs seen for the session.
+
+type: integer
+
+
+**`zeek.snmp.display_string`**
+:   A system description of the SNMP responder endpoint.
+
+type: keyword
+
+
+**`zeek.snmp.up_since`**
+:   The time at which the SNMP responder endpoint claims it’s been up since.
+
+type: date
+
+
+
+## socks [_socks]
+
+Fields exported by the Zeek SOCKS log.
+
+**`zeek.socks.version`**
+:   Protocol version of SOCKS.
+
+type: integer
+
+
+**`zeek.socks.user`**
+:   Username used to request a login to the proxy.
+
+type: keyword
+
+
+**`zeek.socks.password`**
+:   Password used to request a login to the proxy.
+
+type: keyword
+
+
+**`zeek.socks.status`**
+:   Server status for the attempt at using the proxy.
+
+type: keyword
+
+
+**`zeek.socks.request.host`**
+:   Client requested SOCKS address. Could be an address, a name or both.
+
+type: keyword
+
+
+**`zeek.socks.request.port`**
+:   Client requested port.
+
+type: integer
+
+
+**`zeek.socks.bound.host`**
+:   Server bound address. Could be an address, a name or both.
+
+type: keyword
+
+
+**`zeek.socks.bound.port`**
+:   Server bound port.
+
+type: integer
+
+
+**`zeek.socks.capture_password`**
+:   Determines if the password will be captured for this request.
+
+type: boolean
+
+
+
+## ssh [_ssh]
+
+Fields exported by the Zeek SSH log.
+
+**`zeek.ssh.client`**
+:   The client’s version string.
+
+type: keyword
+
+
+**`zeek.ssh.direction`**
+:   Direction of the connection. If the client was a local host logging into an external host, this would be OUTBOUND. INBOUND would be set for the opposite situation.
+
+type: keyword
+
+
+**`zeek.ssh.host_key`**
+:   The server’s key thumbprint.
+
+type: keyword
+
+
+**`zeek.ssh.server`**
+:   The server’s version string.
+
+type: keyword
+
+
+**`zeek.ssh.version`**
+:   SSH major version (1 or 2).
+
+type: integer
+
+
+
+## algorithm [_algorithm]
+
+Cipher algorithms used in this session.
+
+**`zeek.ssh.algorithm.cipher`**
+:   The encryption algorithm in use.
+
+type: keyword
+
+
+**`zeek.ssh.algorithm.compression`**
+:   The compression algorithm in use.
+
+type: keyword
+
+
+**`zeek.ssh.algorithm.host_key`**
+:   The server host key’s algorithm.
+
+type: keyword
+
+
+**`zeek.ssh.algorithm.key_exchange`**
+:   The key exchange algorithm in use.
+
+type: keyword
+
+
+**`zeek.ssh.algorithm.mac`**
+:   The signing (MAC) algorithm in use.
+
+type: keyword
+
+
+**`zeek.ssh.auth.attempts`**
+:   The number of authentication attemps we observed. There’s always at least one, since some servers might support no authentication at all. It’s important to note that not all of these are failures, since some servers require two-factor auth (e.g. password AND pubkey).
+
+type: integer
+
+
+**`zeek.ssh.auth.success`**
+:   Authentication result.
+
+type: boolean
+
+
+
+## ssl [_ssl_8]
+
+Fields exported by the Zeek SSL log.
+
+**`zeek.ssl.version`**
+:   SSL/TLS version that was logged.
+
+type: keyword
+
+
+**`zeek.ssl.cipher`**
+:   SSL/TLS cipher suite that was logged.
+
+type: keyword
+
+
+**`zeek.ssl.curve`**
+:   Elliptic curve that was logged when using ECDH/ECDHE.
+
+type: keyword
+
+
+**`zeek.ssl.resumed`**
+:   Flag to indicate if the session was resumed reusing the key material exchanged in an earlier connection.
+
+type: boolean
+
+
+**`zeek.ssl.next_protocol`**
+:   Next protocol the server chose using the application layer next protocol extension.
+
+type: keyword
+
+
+**`zeek.ssl.established`**
+:   Flag to indicate if this ssl session has been established successfully.
+
+type: boolean
+
+
+**`zeek.ssl.validation.status`**
+:   Result of certificate validation for this connection.
+
+type: keyword
+
+
+**`zeek.ssl.validation.code`**
+:   Result of certificate validation for this connection, given as OpenSSL validation code.
+
+type: keyword
+
+
+**`zeek.ssl.last_alert`**
+:   Last alert that was seen during the connection.
+
+type: keyword
+
+
+**`zeek.ssl.server.name`**
+:   Value of the Server Name Indicator SSL/TLS extension. It indicates the server name that the client was requesting.
+
+type: keyword
+
+
+**`zeek.ssl.server.cert_chain`**
+:   Chain of certificates offered by the server to validate its complete signing chain.
+
+type: keyword
+
+
+**`zeek.ssl.server.cert_chain_fuids`**
+:   An ordered vector of certificate file identifiers for the certificates offered by the server.
+
+type: keyword
+
+
+
+## issuer [_issuer]
+
+Subject of the signer of the X.509 certificate offered by the server.
+
+**`zeek.ssl.server.issuer.common_name`**
+:   Common name of the signer of the X.509 certificate offered by the server.
+
+type: keyword
+
+
+**`zeek.ssl.server.issuer.country`**
+:   Country code of the signer of the X.509 certificate offered by the server.
+
+type: keyword
+
+
+**`zeek.ssl.server.issuer.locality`**
+:   Locality of the signer of the X.509 certificate offered by the server.
+
+type: keyword
+
+
+**`zeek.ssl.server.issuer.organization`**
+:   Organization of the signer of the X.509 certificate offered by the server.
+
+type: keyword
+
+
+**`zeek.ssl.server.issuer.organizational_unit`**
+:   Organizational unit of the signer of the X.509 certificate offered by the server.
+
+type: keyword
+
+
+**`zeek.ssl.server.issuer.state`**
+:   State or province name of the signer of the X.509 certificate offered by the server.
+
+type: keyword
+
+
+
+## subject [_subject]
+
+Subject of the X.509 certificate offered by the server.
+
+**`zeek.ssl.server.subject.common_name`**
+:   Common name of the X.509 certificate offered by the server.
+
+type: keyword
+
+
+**`zeek.ssl.server.subject.country`**
+:   Country code of the X.509 certificate offered by the server.
+
+type: keyword
+
+
+**`zeek.ssl.server.subject.locality`**
+:   Locality of the X.509 certificate offered by the server.
+
+type: keyword
+
+
+**`zeek.ssl.server.subject.organization`**
+:   Organization of the X.509 certificate offered by the server.
+
+type: keyword
+
+
+**`zeek.ssl.server.subject.organizational_unit`**
+:   Organizational unit of the X.509 certificate offered by the server.
+
+type: keyword
+
+
+**`zeek.ssl.server.subject.state`**
+:   State or province name of the X.509 certificate offered by the server.
+
+type: keyword
+
+
+**`zeek.ssl.client.cert_chain`**
+:   Chain of certificates offered by the client to validate its complete signing chain.
+
+type: keyword
+
+
+**`zeek.ssl.client.cert_chain_fuids`**
+:   An ordered vector of certificate file identifiers for the certificates offered by the client.
+
+type: keyword
+
+
+
+## issuer [_issuer_2]
+
+Subject of the signer of the X.509 certificate offered by the client.
+
+**`zeek.ssl.client.issuer.common_name`**
+:   Common name of the signer of the X.509 certificate offered by the client.
+
+type: keyword
+
+
+**`zeek.ssl.client.issuer.country`**
+:   Country code of the signer of the X.509 certificate offered by the client.
+
+type: keyword
+
+
+**`zeek.ssl.client.issuer.locality`**
+:   Locality of the signer of the X.509 certificate offered by the client.
+
+type: keyword
+
+
+**`zeek.ssl.client.issuer.organization`**
+:   Organization of the signer of the X.509 certificate offered by the client.
+
+type: keyword
+
+
+**`zeek.ssl.client.issuer.organizational_unit`**
+:   Organizational unit of the signer of the X.509 certificate offered by the client.
+
+type: keyword
+
+
+**`zeek.ssl.client.issuer.state`**
+:   State or province name of the signer of the X.509 certificate offered by the client.
+
+type: keyword
+
+
+
+## subject [_subject_2]
+
+Subject of the X.509 certificate offered by the client.
+
+**`zeek.ssl.client.subject.common_name`**
+:   Common name of the X.509 certificate offered by the client.
+
+type: keyword
+
+
+**`zeek.ssl.client.subject.country`**
+:   Country code of the X.509 certificate offered by the client.
+
+type: keyword
+
+
+**`zeek.ssl.client.subject.locality`**
+:   Locality of the X.509 certificate offered by the client.
+
+type: keyword
+
+
+**`zeek.ssl.client.subject.organization`**
+:   Organization of the X.509 certificate offered by the client.
+
+type: keyword
+
+
+**`zeek.ssl.client.subject.organizational_unit`**
+:   Organizational unit of the X.509 certificate offered by the client.
+
+type: keyword
+
+
+**`zeek.ssl.client.subject.state`**
+:   State or province name of the X.509 certificate offered by the client.
+
+type: keyword
+
+
+
+## stats [_stats_2]
+
+Fields exported by the Zeek stats log.
+
+**`zeek.stats.peer`**
+:   Peer that generated this log. Mostly for clusters.
+
+type: keyword
+
+
+**`zeek.stats.memory`**
+:   Amount of memory currently in use in MB.
+
+type: integer
+
+
+**`zeek.stats.packets.processed`**
+:   Number of packets processed since the last stats interval.
+
+type: long
+
+
+**`zeek.stats.packets.dropped`**
+:   Number of packets dropped since the last stats interval if reading live traffic.
+
+type: long
+
+
+**`zeek.stats.packets.received`**
+:   Number of packets seen on the link since the last stats interval if reading live traffic.
+
+type: long
+
+
+**`zeek.stats.bytes.received`**
+:   Number of bytes received since the last stats interval if reading live traffic.
+
+type: long
+
+
+**`zeek.stats.connections.tcp.active`**
+:   TCP connections currently in memory.
+
+type: integer
+
+
+**`zeek.stats.connections.tcp.count`**
+:   TCP connections seen since last stats interval.
+
+type: integer
+
+
+**`zeek.stats.connections.udp.active`**
+:   UDP connections currently in memory.
+
+type: integer
+
+
+**`zeek.stats.connections.udp.count`**
+:   UDP connections seen since last stats interval.
+
+type: integer
+
+
+**`zeek.stats.connections.icmp.active`**
+:   ICMP connections currently in memory.
+
+type: integer
+
+
+**`zeek.stats.connections.icmp.count`**
+:   ICMP connections seen since last stats interval.
+
+type: integer
+
+
+**`zeek.stats.events.processed`**
+:   Number of events processed since the last stats interval.
+
+type: integer
+
+
+**`zeek.stats.events.queued`**
+:   Number of events that have been queued since the last stats interval.
+
+type: integer
+
+
+**`zeek.stats.timers.count`**
+:   Number of timers scheduled since last stats interval.
+
+type: integer
+
+
+**`zeek.stats.timers.active`**
+:   Current number of scheduled timers.
+
+type: integer
+
+
+**`zeek.stats.files.count`**
+:   Number of files seen since last stats interval.
+
+type: integer
+
+
+**`zeek.stats.files.active`**
+:   Current number of files actively being seen.
+
+type: integer
+
+
+**`zeek.stats.dns_requests.count`**
+:   Number of DNS requests seen since last stats interval.
+
+type: integer
+
+
+**`zeek.stats.dns_requests.active`**
+:   Current number of DNS requests awaiting a reply.
+
+type: integer
+
+
+**`zeek.stats.reassembly_size.tcp`**
+:   Current size of TCP data in reassembly.
+
+type: integer
+
+
+**`zeek.stats.reassembly_size.file`**
+:   Current size of File data in reassembly.
+
+type: integer
+
+
+**`zeek.stats.reassembly_size.frag`**
+:   Current size of packet fragment data in reassembly.
+
+type: integer
+
+
+**`zeek.stats.reassembly_size.unknown`**
+:   Current size of unknown data in reassembly (this is only PIA buffer right now).
+
+type: integer
+
+
+**`zeek.stats.timestamp_lag`**
+:   Lag between the wall clock and packet timestamps if reading live traffic.
+
+type: integer
+
+
+
+## syslog [_syslog_4]
+
+Fields exported by the Zeek syslog log.
+
+**`zeek.syslog.facility`**
+:   Syslog facility for the message.
+
+type: keyword
+
+
+**`zeek.syslog.severity`**
+:   Syslog severity for the message.
+
+type: keyword
+
+
+**`zeek.syslog.message`**
+:   The plain text message.
+
+type: keyword
+
+
+
+## tunnel [_tunnel]
+
+Fields exported by the Zeek SSH log.
+
+**`zeek.tunnel.type`**
+:   The type of tunnel.
+
+type: keyword
+
+
+**`zeek.tunnel.action`**
+:   The type of activity that occurred.
+
+type: keyword
+
+
+
+## weird [_weird]
+
+Fields exported by the Zeek Weird log.
+
+**`zeek.weird.name`**
+:   The name of the weird that occurred.
+
+type: keyword
+
+
+**`zeek.weird.additional_info`**
+:   Additional information accompanying the weird if any.
+
+type: keyword
+
+
+**`zeek.weird.notice`**
+:   Indicate if this weird was also turned into a notice.
+
+type: boolean
+
+
+**`zeek.weird.peer`**
+:   The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble.
+
+type: keyword
+
+
+**`zeek.weird.identifier`**
+:   This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird.
+
+type: keyword
+
+
+
+## x509 [_x509_2]
+
+Fields exported by the Zeek x509 log.
+
+**`zeek.x509.id`**
+:   File id of this certificate.
+
+type: keyword
+
+
+
+## certificate [_certificate_2]
+
+Basic information about the certificate.
+
+**`zeek.x509.certificate.version`**
+:   Version number.
+
+type: integer
+
+
+**`zeek.x509.certificate.serial`**
+:   Serial number.
+
+type: keyword
+
+
+
+## subject [_subject_3]
+
+Subject.
+
+**`zeek.x509.certificate.subject.country`**
+:   Country provided in the certificate subject.
+
+type: keyword
+
+
+**`zeek.x509.certificate.subject.common_name`**
+:   Common name provided in the certificate subject.
+
+type: keyword
+
+
+**`zeek.x509.certificate.subject.locality`**
+:   Locality provided in the certificate subject.
+
+type: keyword
+
+
+**`zeek.x509.certificate.subject.organization`**
+:   Organization provided in the certificate subject.
+
+type: keyword
+
+
+**`zeek.x509.certificate.subject.organizational_unit`**
+:   Organizational unit provided in the certificate subject.
+
+type: keyword
+
+
+**`zeek.x509.certificate.subject.state`**
+:   State or province provided in the certificate subject.
+
+type: keyword
+
+
+
+## issuer [_issuer_3]
+
+Issuer.
+
+**`zeek.x509.certificate.issuer.country`**
+:   Country provided in the certificate issuer field.
+
+type: keyword
+
+
+**`zeek.x509.certificate.issuer.common_name`**
+:   Common name provided in the certificate issuer field.
+
+type: keyword
+
+
+**`zeek.x509.certificate.issuer.locality`**
+:   Locality provided in the certificate issuer field.
+
+type: keyword
+
+
+**`zeek.x509.certificate.issuer.organization`**
+:   Organization provided in the certificate issuer field.
+
+type: keyword
+
+
+**`zeek.x509.certificate.issuer.organizational_unit`**
+:   Organizational unit provided in the certificate issuer field.
+
+type: keyword
+
+
+**`zeek.x509.certificate.issuer.state`**
+:   State or province provided in the certificate issuer field.
+
+type: keyword
+
+
+**`zeek.x509.certificate.common_name`**
+:   Last (most specific) common name.
+
+type: keyword
+
+
+
+## valid [_valid]
+
+Certificate validity timestamps
+
+**`zeek.x509.certificate.valid.from`**
+:   Timestamp before when certificate is not valid.
+
+type: date
+
+
+**`zeek.x509.certificate.valid.until`**
+:   Timestamp after when certificate is not valid.
+
+type: date
+
+
+**`zeek.x509.certificate.key.algorithm`**
+:   Name of the key algorithm.
+
+type: keyword
+
+
+**`zeek.x509.certificate.key.type`**
+:   Key type, if key parseable by openssl (either rsa, dsa or ec).
+
+type: keyword
+
+
+**`zeek.x509.certificate.key.length`**
+:   Key length in bits.
+
+type: integer
+
+
+**`zeek.x509.certificate.signature_algorithm`**
+:   Name of the signature algorithm.
+
+type: keyword
+
+
+**`zeek.x509.certificate.exponent`**
+:   Exponent, if RSA-certificate.
+
+type: keyword
+
+
+**`zeek.x509.certificate.curve`**
+:   Curve, if EC-certificate.
+
+type: keyword
+
+
+
+## san [_san]
+
+Subject alternative name extension of the certificate.
+
+**`zeek.x509.san.dns`**
+:   List of DNS entries in SAN.
+
+type: keyword
+
+
+**`zeek.x509.san.uri`**
+:   List of URI entries in SAN.
+
+type: keyword
+
+
+**`zeek.x509.san.email`**
+:   List of email entries in SAN.
+
+type: keyword
+
+
+**`zeek.x509.san.ip`**
+:   List of IP entries in SAN.
+
+type: ip
+
+
+**`zeek.x509.san.other_fields`**
+:   True if the certificate contained other, not recognized or parsed name fields.
+
+type: boolean
+
+
+
+## basic_constraints [_basic_constraints]
+
+Basic constraints extension of the certificate.
+
+**`zeek.x509.basic_constraints.certificate_authority`**
+:   CA flag set or not.
+
+type: boolean
+
+
+**`zeek.x509.basic_constraints.path_length`**
+:   Maximum path length.
+
+type: integer
+
+
+**`zeek.x509.log_cert`**
+:   Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded Logging of certificate is suppressed if set to F.
+
+type: boolean
+
+
diff --git a/docs/reference/filebeat/exported-fields-zookeeper.md b/docs/reference/filebeat/exported-fields-zookeeper.md
new file mode 100644
index 000000000000..472be5994b44
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-zookeeper.md
@@ -0,0 +1,58 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zookeeper.html
+---
+
+# ZooKeeper fields [exported-fields-zookeeper]
+
+ZooKeeper Module
+
+
+## zookeeper [_zookeeper]
+
+
+## audit [_audit_6]
+
+ZooKeeper Audit logs.
+
+**`zookeeper.audit.session`**
+:   Client session id
+
+type: keyword
+
+
+**`zookeeper.audit.znode`**
+:   Path of the znode
+
+type: keyword
+
+
+**`zookeeper.audit.znode_type`**
+:   Type of znode in case of creation operation
+
+type: keyword
+
+
+**`zookeeper.audit.acl`**
+:   String representation of znode ACL like cdrwa(create, delete,read, write, admin). This is logged only for setAcl operation
+
+type: keyword
+
+
+**`zookeeper.audit.result`**
+:   Result of the operation. Possible values are (success/failure/invoked). Result "invoked" is used for serverStop operation because stop is logged before ensuring that server actually stopped.
+
+type: keyword
+
+
+**`zookeeper.audit.user`**
+:   Comma separated list of users who are associate with a client session
+
+type: keyword
+
+
+
+## log [_log_14]
+
+ZooKeeper logs.
+
diff --git a/docs/reference/filebeat/exported-fields-zoom.md b/docs/reference/filebeat/exported-fields-zoom.md
new file mode 100644
index 000000000000..efc2777b95e4
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields-zoom.md
@@ -0,0 +1,932 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zoom.html
+---
+
+# Zoom fields [exported-fields-zoom]
+
+Module for handling incoming Zoom webhook requests
+
+
+## zoom [_zoom]
+
+Module for parsing Zoom API Webhooks.
+
+**`zoom.master_account_id`**
+:   Master Account related to a specific Sub Account
+
+type: keyword
+
+
+**`zoom.sub_account_id`**
+:   Related Sub Account
+
+type: keyword
+
+
+**`zoom.operator_id`**
+:   UserID that triggered the event
+
+type: keyword
+
+
+**`zoom.operator`**
+:   Username/Email related to the user that triggered the event
+
+type: keyword
+
+
+**`zoom.account_id`**
+:   Related accountID to the event
+
+type: keyword
+
+
+**`zoom.timestamp`**
+:   Timestamp related to the event
+
+type: date
+
+
+**`zoom.creation_type`**
+:   Creation type
+
+type: keyword
+
+
+**`zoom.account.owner_id`**
+:   UserID of the user whose sub account was created/disassociated
+
+type: keyword
+
+
+**`zoom.account.email`**
+:   Email related to the user the action was performed on
+
+type: keyword
+
+
+**`zoom.account.owner_email`**
+:   Email of the user whose sub account was created/disassociated
+
+type: keyword
+
+
+**`zoom.account.account_name`**
+:   When an account name is updated, this is the new value set
+
+type: keyword
+
+
+**`zoom.account.account_alias`**
+:   When an account alias is updated, this is the new value set
+
+type: keyword
+
+
+**`zoom.account.account_support_name`**
+:   When an account support_name is updated, this is the new value set
+
+type: keyword
+
+
+**`zoom.account.account_support_email`**
+:   When an account support_email is updated, this is the new value set
+
+type: keyword
+
+
+**`zoom.chat_channel.name`**
+:   The name of the channel that has been added/modified/deleted
+
+type: keyword
+
+
+**`zoom.chat_channel.id`**
+:   The ID of the channel that has been added/modified/deleted
+
+type: keyword
+
+
+**`zoom.chat_channel.type`**
+:   Type of channel related to the event. Can be 1(Invite-Only), 2(Private) or 3(Public)
+
+type: keyword
+
+
+**`zoom.chat_message.id`**
+:   Unique ID of the related chat message
+
+type: keyword
+
+
+**`zoom.chat_message.type`**
+:   Type of message, can be either "to_contact" or "to_channel"
+
+type: keyword
+
+
+**`zoom.chat_message.session_id`**
+:   SessionID for the channel related to the message
+
+type: keyword
+
+
+**`zoom.chat_message.contact_email`**
+:   Email address related to the user sending the message
+
+type: keyword
+
+
+**`zoom.chat_message.contact_id`**
+:   UserID belonging to the user receiving a message
+
+type: keyword
+
+
+**`zoom.chat_message.channel_id`**
+:   ChannelID related to the message
+
+type: keyword
+
+
+**`zoom.chat_message.channel_name`**
+:   Channel name related to the message
+
+type: keyword
+
+
+**`zoom.chat_message.message`**
+:   A string containing the full message that was sent
+
+type: keyword
+
+
+**`zoom.meeting.id`**
+:   Unique ID of the related meeting
+
+type: keyword
+
+
+**`zoom.meeting.uuid`**
+:   The UUID of the related meeting
+
+type: keyword
+
+
+**`zoom.meeting.host_id`**
+:   The UserID of the configured meeting host
+
+type: keyword
+
+
+**`zoom.meeting.topic`**
+:   Topic of the related meeting
+
+type: keyword
+
+
+**`zoom.meeting.type`**
+:   Type of meeting created
+
+type: keyword
+
+
+**`zoom.meeting.start_time`**
+:   Date and time the meeting started
+
+type: date
+
+
+**`zoom.meeting.timezone`**
+:   Which timezone is used for the meeting timestamps
+
+type: keyword
+
+
+**`zoom.meeting.duration`**
+:   The duration of a meeting in minutes
+
+type: long
+
+
+**`zoom.meeting.issues`**
+:   When a user reports an issue with the meeting, for example: "Unstable audio quality"
+
+type: keyword
+
+
+**`zoom.meeting.password`**
+:   Password related to the meeting
+
+type: keyword
+
+
+**`zoom.phone.id`**
+:   Unique ID for the phone or conversation
+
+type: keyword
+
+
+**`zoom.phone.user_id`**
+:   UserID for the phone owner related to a Call Log being completed
+
+type: keyword
+
+
+**`zoom.phone.download_url`**
+:   Download URL for the voicemail
+
+type: keyword
+
+
+**`zoom.phone.ringing_start_time`**
+:   The timestamp when a ringtone was established to the callee
+
+type: date
+
+
+**`zoom.phone.connected_start_time`**
+:   The date and time when a ringtone was established to the callee
+
+type: date
+
+
+**`zoom.phone.answer_start_time`**
+:   The date and time when the call was answered
+
+type: date
+
+
+**`zoom.phone.call_end_time`**
+:   The date and time when the call ended
+
+type: date
+
+
+**`zoom.phone.call_id`**
+:   Unique ID of the related call
+
+type: keyword
+
+
+**`zoom.phone.duration`**
+:   Duration of a voicemail in minutes
+
+type: long
+
+
+**`zoom.phone.caller.id`**
+:   UserID of the caller related to the voicemail/call
+
+type: keyword
+
+
+**`zoom.phone.caller.user_id`**
+:   UserID of the person which initiated the call
+
+type: keyword
+
+
+**`zoom.phone.caller.number_type`**
+:   The type of number, can be 1(Internal) or 2(External)
+
+type: keyword
+
+
+**`zoom.phone.caller.name`**
+:   The name of the related callee
+
+type: keyword
+
+
+**`zoom.phone.caller.phone_number`**
+:   Phone Number of the caller related to the call
+
+type: keyword
+
+
+**`zoom.phone.caller.extension_type`**
+:   Extension type of the caller number, can be user, callQueue, autoReceptionist or shareLineGroup
+
+type: keyword
+
+
+**`zoom.phone.caller.extension_number`**
+:   Extension number of the caller
+
+type: keyword
+
+
+**`zoom.phone.caller.timezone`**
+:   Timezone of the caller
+
+type: keyword
+
+
+**`zoom.phone.caller.device_type`**
+:   Device type used by the caller
+
+type: keyword
+
+
+**`zoom.phone.callee.id`**
+:   UserID of the callee related to the voicemail/call
+
+type: keyword
+
+
+**`zoom.phone.callee.user_id`**
+:   UserID of the related callee of a voicemail/call
+
+type: keyword
+
+
+**`zoom.phone.callee.name`**
+:   The name of the related callee
+
+type: keyword
+
+
+**`zoom.phone.callee.number_type`**
+:   The type of number, can be 1(Internal) or 2(External)
+
+type: keyword
+
+
+**`zoom.phone.callee.phone_number`**
+:   Phone Number of the callee related to the call
+
+type: keyword
+
+
+**`zoom.phone.callee.extension_type`**
+:   Extension type of the callee number, can be user, callQueue, autoReceptionist or shareLineGroup
+
+type: keyword
+
+
+**`zoom.phone.callee.extension_number`**
+:   Extension number of the callee related to the call
+
+type: keyword
+
+
+**`zoom.phone.callee.timezone`**
+:   Timezone of the callee related to the call
+
+type: keyword
+
+
+**`zoom.phone.callee.device_type`**
+:   Device type used by the callee related to the call
+
+type: keyword
+
+
+**`zoom.phone.date_time`**
+:   Date and time of the related phone event
+
+type: date
+
+
+**`zoom.recording.id`**
+:   Unique ID of the related recording
+
+type: keyword
+
+
+**`zoom.recording.uuid`**
+:   UUID of the related recording
+
+type: keyword
+
+
+**`zoom.recording.host_id`**
+:   UserID of the host of the meeting that was recorded
+
+type: keyword
+
+
+**`zoom.recording.topic`**
+:   Topic of the meeting related to the recording
+
+type: keyword
+
+
+**`zoom.recording.type`**
+:   Type of recording, can be multiple type of values, please check Zoom documentation
+
+type: keyword
+
+
+**`zoom.recording.start_time`**
+:   The date and time when the recording started
+
+type: date
+
+
+**`zoom.recording.timezone`**
+:   The timezone used for the recording date
+
+type: keyword
+
+
+**`zoom.recording.duration`**
+:   Duration of the recording in minutes
+
+type: long
+
+
+**`zoom.recording.share_url`**
+:   The URL to access the recording
+
+type: keyword
+
+
+**`zoom.recording.total_size`**
+:   Total size of the recording in bytes
+
+type: long
+
+
+**`zoom.recording.recording_count`**
+:   Number of recording files related to the recording
+
+type: long
+
+
+**`zoom.recording.recording_file.recording_start`**
+:   The date and time the recording started
+
+type: date
+
+
+**`zoom.recording.recording_file.recording_end`**
+:   The date and time the recording finished
+
+type: date
+
+
+**`zoom.recording.host_email`**
+:   Email address of the host related to the meeting that was recorded
+
+type: keyword
+
+
+**`zoom.user.id`**
+:   UserID related to the user event
+
+type: keyword
+
+
+**`zoom.user.first_name`**
+:   User first name related to the user event
+
+type: keyword
+
+
+**`zoom.user.last_name`**
+:   User last name related to the user event
+
+type: keyword
+
+
+**`zoom.user.email`**
+:   User email related to the user event
+
+type: keyword
+
+
+**`zoom.user.type`**
+:   User type related to the user event
+
+type: keyword
+
+
+**`zoom.user.phone_number`**
+:   User phone number related to the user event
+
+type: keyword
+
+
+**`zoom.user.phone_country`**
+:   User country code related to the user event
+
+type: keyword
+
+
+**`zoom.user.company`**
+:   User company related to the user event
+
+type: keyword
+
+
+**`zoom.user.pmi`**
+:   User personal meeting ID related to the user event
+
+type: keyword
+
+
+**`zoom.user.use_pmi`**
+:   If a user has PMI enabled
+
+type: boolean
+
+
+**`zoom.user.pic_url`**
+:   Full URL to the profile picture used by the user
+
+type: keyword
+
+
+**`zoom.user.vanity_name`**
+:   Name of the personal meeting room related to the user event
+
+type: keyword
+
+
+**`zoom.user.timezone`**
+:   Timezone configured for the user
+
+type: keyword
+
+
+**`zoom.user.language`**
+:   Language configured for the user
+
+type: keyword
+
+
+**`zoom.user.host_key`**
+:   Host key set for the user
+
+type: keyword
+
+
+**`zoom.user.role`**
+:   The configured role for the user
+
+type: keyword
+
+
+**`zoom.user.dept`**
+:   The configured departement for the user
+
+type: keyword
+
+
+**`zoom.user.presence_status`**
+:   Current presence status of user
+
+type: keyword
+
+
+**`zoom.user.personal_notes`**
+:   Personal notes for the User
+
+type: keyword
+
+
+**`zoom.user.client_type`**
+:   Type of client used by the user. Can be browser, mac, win, iphone or android
+
+type: keyword
+
+
+**`zoom.user.version`**
+:   Version of the client used by the user
+
+type: keyword
+
+
+**`zoom.webinar.id`**
+:   Unique ID for the related webinar
+
+type: keyword
+
+
+**`zoom.webinar.join_url`**
+:   The URL configured to join the webinar
+
+type: keyword
+
+
+**`zoom.webinar.uuid`**
+:   UUID for the related webinar
+
+type: keyword
+
+
+**`zoom.webinar.host_id`**
+:   UserID for the configured host of the webinar
+
+type: keyword
+
+
+**`zoom.webinar.topic`**
+:   Meeting topic of the related webinar
+
+type: keyword
+
+
+**`zoom.webinar.type`**
+:   Type of webinar created. Can be either 5(Webinar), 6(Recurring webinar without fixed time) or 9(Recurring webinar with fixed time)
+
+type: keyword
+
+
+**`zoom.webinar.start_time`**
+:   The date and time when the webinar started
+
+type: date
+
+
+**`zoom.webinar.timezone`**
+:   Timezone used for the dates related to the webinar
+
+type: keyword
+
+
+**`zoom.webinar.duration`**
+:   Duration of the webinar in minutes
+
+type: long
+
+
+**`zoom.webinar.agenda`**
+:   The configured agenda of the webinar
+
+type: keyword
+
+
+**`zoom.webinar.password`**
+:   Password configured to access the webinar
+
+type: keyword
+
+
+**`zoom.webinar.issues`**
+:   Any reported issues about a webinar is reported in this field
+
+type: keyword
+
+
+**`zoom.zoomroom.id`**
+:   Unique ID of the Zoom room
+
+type: keyword
+
+
+**`zoom.zoomroom.room_name`**
+:   The configured name of the Zoom room
+
+type: keyword
+
+
+**`zoom.zoomroom.calendar_name`**
+:   Calendar name of the Zoom room
+
+type: keyword
+
+
+**`zoom.zoomroom.calendar_id`**
+:   Unique ID of the calendar used by the Zoom room
+
+type: keyword
+
+
+**`zoom.zoomroom.event_id`**
+:   Unique ID of the calendar event associated with the Zoom Room
+
+type: keyword
+
+
+**`zoom.zoomroom.change_key`**
+:   Key used by Microsoft products integration that represents a specific version of a calendar
+
+type: keyword
+
+
+**`zoom.zoomroom.resource_email`**
+:   Email address associated with the calendar in use by the Zoom room
+
+type: keyword
+
+
+**`zoom.zoomroom.email`**
+:   Email address associated with the Zoom room itself
+
+type: keyword
+
+
+**`zoom.zoomroom.issue`**
+:   Any reported alerts or issues related to the Zoom room or its equipment
+
+type: keyword
+
+
+**`zoom.zoomroom.alert_type`**
+:   An integer value representing the type of alert. The list of alert types can be found in the Zoom documentation
+
+type: keyword
+
+
+**`zoom.zoomroom.component`**
+:   An integer value representing the type of equipment or component, The list of component types can be found in the Zoom documentation
+
+type: keyword
+
+
+**`zoom.zoomroom.alert_kind`**
+:   An integer value showing if the Zoom room alert has been either 1(Triggered) or 2(Cleared)
+
+type: keyword
+
+
+**`zoom.registrant.id`**
+:   Unique ID of the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.status`**
+:   Status of the specific user registration
+
+type: keyword
+
+
+**`zoom.registrant.email`**
+:   Email of the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.first_name`**
+:   First name of the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.last_name`**
+:   Last name of the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.address`**
+:   Address of the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.city`**
+:   City of the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.country`**
+:   Country of the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.zip`**
+:   Zip code of the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.state`**
+:   State of the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.phone`**
+:   Phone number of the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.industry`**
+:   Related industry of the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.org`**
+:   Organization related to the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.job_title`**
+:   Job title of the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.purchasing_time_frame`**
+:   Choosen purchase timeframe of the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.role_in_purchase_process`**
+:   Choosen role in a purchase process related to the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.no_of_employees`**
+:   Number of employees choosen by the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.comments`**
+:   Comments left by the user registering to a meeting or webinar
+
+type: keyword
+
+
+**`zoom.registrant.join_url`**
+:   The URL that the registrant can use to join the webinar
+
+type: keyword
+
+
+**`zoom.participant.id`**
+:   Unique ID of the participant related to a meeting
+
+type: keyword
+
+
+**`zoom.participant.user_id`**
+:   UserID of the participant related to a meeting
+
+type: keyword
+
+
+**`zoom.participant.user_name`**
+:   Username of the participant related to a meeting
+
+type: keyword
+
+
+**`zoom.participant.join_time`**
+:   The date and time a participant joined a meeting
+
+type: date
+
+
+**`zoom.participant.leave_time`**
+:   The date and time a participant left a meeting
+
+type: date
+
+
+**`zoom.participant.sharing_details.link_source`**
+:   Method of sharing with dropbox integration
+
+type: keyword
+
+
+**`zoom.participant.sharing_details.content`**
+:   Type of content that was shared
+
+type: keyword
+
+
+**`zoom.participant.sharing_details.file_link`**
+:   The file link that was shared
+
+type: keyword
+
+
+**`zoom.participant.sharing_details.date_time`**
+:   Timestamp the sharing started
+
+type: keyword
+
+
+**`zoom.participant.sharing_details.source`**
+:   The file source that was share
+
+type: keyword
+
+
+**`zoom.old_values`**
+:   Includes the old values when updating a object like user, meeting, account or webinar
+
+type: flattened
+
+
+**`zoom.settings`**
+:   The current active settings related to a object like user, meeting, account or webinar
+
+type: flattened
+
+
diff --git a/docs/reference/filebeat/exported-fields.md b/docs/reference/filebeat/exported-fields.md
new file mode 100644
index 000000000000..7bfb7491a137
--- /dev/null
+++ b/docs/reference/filebeat/exported-fields.md
@@ -0,0 +1,79 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields.html
+---
+
+# Exported fields [exported-fields]
+
+This document describes the fields that are exported by Filebeat. They are grouped in the following categories:
+
+* [*ActiveMQ fields*](/reference/filebeat/exported-fields-activemq.md)
+* [*Apache fields*](/reference/filebeat/exported-fields-apache.md)
+* [*Auditd fields*](/reference/filebeat/exported-fields-auditd.md)
+* [*AWS fields*](/reference/filebeat/exported-fields-aws.md)
+* [*AWS CloudWatch fields*](/reference/filebeat/exported-fields-aws-cloudwatch.md)
+* [*AWS Fargate fields*](/reference/filebeat/exported-fields-awsfargate.md)
+* [*Azure fields*](/reference/filebeat/exported-fields-azure.md)
+* [*Beat fields*](/reference/filebeat/exported-fields-beat-common.md)
+* [*Decode CEF processor fields fields*](/reference/filebeat/exported-fields-cef.md)
+* [*CEF fields*](/reference/filebeat/exported-fields-cef-module.md)
+* [*Checkpoint fields*](/reference/filebeat/exported-fields-checkpoint.md)
+* [*Cisco fields*](/reference/filebeat/exported-fields-cisco.md)
+* [*Cloud provider metadata fields*](/reference/filebeat/exported-fields-cloud.md)
+* [*Coredns fields*](/reference/filebeat/exported-fields-coredns.md)
+* [*Crowdstrike fields*](/reference/filebeat/exported-fields-crowdstrike.md)
+* [*CyberArk PAS fields*](/reference/filebeat/exported-fields-cyberarkpas.md)
+* [*Docker fields*](/reference/filebeat/exported-fields-docker-processor.md)
+* [*ECS fields*](/reference/filebeat/exported-fields-ecs.md)
+* [*Elasticsearch fields*](/reference/filebeat/exported-fields-elasticsearch.md)
+* [*Envoyproxy fields*](/reference/filebeat/exported-fields-envoyproxy.md)
+* [*Fortinet fields*](/reference/filebeat/exported-fields-fortinet.md)
+* [*Google Cloud Platform (GCP) fields*](/reference/filebeat/exported-fields-gcp.md)
+* [*google_workspace fields*](/reference/filebeat/exported-fields-google_workspace.md)
+* [*HAProxy fields*](/reference/filebeat/exported-fields-haproxy.md)
+* [*Host fields*](/reference/filebeat/exported-fields-host-processor.md)
+* [*ibmmq fields*](/reference/filebeat/exported-fields-ibmmq.md)
+* [*Icinga fields*](/reference/filebeat/exported-fields-icinga.md)
+* [*IIS fields*](/reference/filebeat/exported-fields-iis.md)
+* [*iptables fields*](/reference/filebeat/exported-fields-iptables.md)
+* [*Jolokia Discovery autodiscover provider fields*](/reference/filebeat/exported-fields-jolokia-autodiscover.md)
+* [*Juniper JUNOS fields*](/reference/filebeat/exported-fields-juniper.md)
+* [*Kafka fields*](/reference/filebeat/exported-fields-kafka.md)
+* [*kibana fields*](/reference/filebeat/exported-fields-kibana.md)
+* [*Kubernetes fields*](/reference/filebeat/exported-fields-kubernetes-processor.md)
+* [*Log file content fields*](/reference/filebeat/exported-fields-log.md)
+* [*logstash fields*](/reference/filebeat/exported-fields-logstash.md)
+* [*Lumberjack fields*](/reference/filebeat/exported-fields-lumberjack.md)
+* [*Microsoft fields*](/reference/filebeat/exported-fields-microsoft.md)
+* [*MISP fields*](/reference/filebeat/exported-fields-misp.md)
+* [*mongodb fields*](/reference/filebeat/exported-fields-mongodb.md)
+* [*mssql fields*](/reference/filebeat/exported-fields-mssql.md)
+* [*MySQL fields*](/reference/filebeat/exported-fields-mysql.md)
+* [*MySQL Enterprise fields*](/reference/filebeat/exported-fields-mysqlenterprise.md)
+* [*NATS fields*](/reference/filebeat/exported-fields-nats.md)
+* [*NetFlow fields*](/reference/filebeat/exported-fields-netflow.md)
+* [*Nginx fields*](/reference/filebeat/exported-fields-nginx.md)
+* [*Office 365 fields*](/reference/filebeat/exported-fields-o365.md)
+* [*Okta fields*](/reference/filebeat/exported-fields-okta.md)
+* [*Oracle fields*](/reference/filebeat/exported-fields-oracle.md)
+* [*Osquery fields*](/reference/filebeat/exported-fields-osquery.md)
+* [*panw fields*](/reference/filebeat/exported-fields-panw.md)
+* [*Pensando fields*](/reference/filebeat/exported-fields-pensando.md)
+* [*PostgreSQL fields*](/reference/filebeat/exported-fields-postgresql.md)
+* [*Process fields*](/reference/filebeat/exported-fields-process.md)
+* [*RabbitMQ fields*](/reference/filebeat/exported-fields-rabbitmq.md)
+* [*Redis fields*](/reference/filebeat/exported-fields-redis.md)
+* [*s3 fields*](/reference/filebeat/exported-fields-s3.md)
+* [*Salesforce fields*](/reference/filebeat/exported-fields-salesforce.md)
+* [*Google Santa fields*](/reference/filebeat/exported-fields-santa.md)
+* [*Snyk fields*](/reference/filebeat/exported-fields-snyk.md)
+* [*sophos fields*](/reference/filebeat/exported-fields-sophos.md)
+* [*Suricata fields*](/reference/filebeat/exported-fields-suricata.md)
+* [*System fields*](/reference/filebeat/exported-fields-system.md)
+* [*threatintel fields*](/reference/filebeat/exported-fields-threatintel.md)
+* [*Traefik fields*](/reference/filebeat/exported-fields-traefik.md)
+* [*Windows ETW fields*](/reference/filebeat/exported-fields-winlog.md)
+* [*Zeek fields*](/reference/filebeat/exported-fields-zeek.md)
+* [*ZooKeeper fields*](/reference/filebeat/exported-fields-zookeeper.md)
+* [*Zoom fields*](/reference/filebeat/exported-fields-zoom.md)
+
diff --git a/docs/reference/filebeat/extract-array.md b/docs/reference/filebeat/extract-array.md
new file mode 100644
index 000000000000..a2f1d1287309
--- /dev/null
+++ b/docs/reference/filebeat/extract-array.md
@@ -0,0 +1,46 @@
+---
+navigation_title: "extract_array"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/extract-array.html
+---
+
+# Extract array [extract-array]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `extract_array` processor populates fields with values read from an array field. The following example will populate `source.ip` with the first element of the `my_array` field, `destination.ip` with the second element, and `network.transport` with the third.
+
+```yaml
+processors:
+  - extract_array:
+      field: my_array
+      mappings:
+        source.ip: 0
+        destination.ip: 1
+        network.transport: 2
+```
+
+The following settings are supported:
+
+`field`
+:   The array field whose elements are to be extracted.
+
+`mappings`
+:   Maps each field name to an array index. Use 0 for the first element in the array. Multiple fields can be mapped to the same array element.
+
+`ignore_missing`
+:   (Optional) Whether to ignore events where the array field is missing. The default is `false`, which will fail processing of an event if the specified field does not exist. Set it to `true` to ignore this condition.
+
+`overwrite_keys`
+:   Whether the target fields specified in the mapping are overwritten if they already exist. The default is `false`, which will fail processing if a target field already exists.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error happens, changes to the event are reverted, and the original event is returned. If set to `false`, processing continues despite errors. Default is `true`.
+
+`omit_empty`
+:   (Optional) Whether empty values are extracted from the array. If set to `true`, instead of the target field being set to an empty value, it is left unset. The empty string (`""`), an empty array (`[]`) or an empty object (`{}`) are considered empty values. Default is `false`.
+
diff --git a/docs/reference/filebeat/faq-deleted-files-are-not-freed.md b/docs/reference/filebeat/faq-deleted-files-are-not-freed.md
new file mode 100644
index 000000000000..1dfc8c65083c
--- /dev/null
+++ b/docs/reference/filebeat/faq-deleted-files-are-not-freed.md
@@ -0,0 +1,11 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/faq-deleted-files-are-not-freed.html
+---
+
+# Filebeat keeps open file handlers of deleted files for a long time [faq-deleted-files-are-not-freed]
+
+In the default behaviour, Filebeat opens the files and keeps them open until it reaches the end of them.  In situations when the configured output is blocked (e.g. {{es}} or {{ls}} is unavailable) for a long time, this can cause Filebeat to keep file handlers to files that were deleted from the file system in the mean time. As long as Filebeat keeps the deleted files open, the operating system doesn’t free up the space on disk, which can lead to increase disk utilisation or even out of disk situations.
+
+To mitigate this issue, you can set the [`close_timeout`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-close-timeout) setting to `5m`. This will ensure every file handler is closed once every 5 minutes, regardless of whether it reached EOF or not. Note that this option can lead to data loss if the file is deleted before Filebeat reaches the end of the file.
+
diff --git a/docs/reference/filebeat/faq.md b/docs/reference/filebeat/faq.md
new file mode 100644
index 000000000000..f93c2a3a8ee8
--- /dev/null
+++ b/docs/reference/filebeat/faq.md
@@ -0,0 +1,33 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/faq.html
+---
+
+# Common problems [faq]
+
+This section describes common problems you might encounter with Filebeat. Also check out the [Filebeat discussion forum](https://discuss.elastic.co/c/beats/filebeat).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/filebeat/feature-roles.md b/docs/reference/filebeat/feature-roles.md
new file mode 100644
index 000000000000..3370ecc55f72
--- /dev/null
+++ b/docs/reference/filebeat/feature-roles.md
@@ -0,0 +1,25 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/feature-roles.html
+---
+
+# Grant users access to secured resources [feature-roles]
+
+You can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.
+
+Typically you need the create the following separate roles:
+
+* [setup role](/reference/filebeat/privileges-to-setup-beats.md) for setting up index templates and other dependencies
+* [monitoring role](/reference/filebeat/privileges-to-publish-monitoring.md) for sending monitoring information
+* [writer role](/reference/filebeat/privileges-to-publish-events.md)  for publishing events collected by Filebeat
+* [reader role](/reference/filebeat/kibana-user-privileges.md) for {{kib}} users who need to view and create visualizations that access Filebeat data
+
+{{es-security-features}} provides [built-in roles](elasticsearch://reference/elasticsearch/roles.md) that grant a subset of the privileges needed by Filebeat users. When possible, use the built-in roles to minimize the affect of future changes on your security strategy.
+
+Instead of using usernames and passwords, roles and privileges can be assigned to API keys to grant access to Elasticsearch resources. See [*Grant access using API keys*](/reference/filebeat/beats-api-keys.md) for more information.
+
+
+
+
+
+
diff --git a/docs/reference/filebeat/fields-not-indexed.md b/docs/reference/filebeat/fields-not-indexed.md
new file mode 100644
index 000000000000..e4faf305c462
--- /dev/null
+++ b/docs/reference/filebeat/fields-not-indexed.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/fields-not-indexed.html
+---
+
+# Fields are not indexed or usable in Kibana visualizations [fields-not-indexed]
+
+If you have recently performed an operation that loads or parses custom, structured logs, you might need to refresh the index to make the fields available in {{kib}}. To refresh the index, use the [refresh API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-refresh). For example:
+
+```sh
+curl -XPOST 'http://localhost:9200/filebeat-2016.08.09/_refresh'
+```
+
diff --git a/docs/reference/filebeat/file-log-rotation.md b/docs/reference/filebeat/file-log-rotation.md
new file mode 100644
index 000000000000..8cd24ffe26a9
--- /dev/null
+++ b/docs/reference/filebeat/file-log-rotation.md
@@ -0,0 +1,68 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/file-log-rotation.html
+---
+
+# Log rotation results in lost or duplicate events [file-log-rotation]
+
+Filebeat supports reading from rotating log files. However, some log rotation strategies can result in lost or duplicate events when using Filebeat to forward messages. To resolve this issue:
+
+* **Avoid log rotation strategies that copy and truncate log files**
+
+    Log rotation strategies that copy and truncate the input log file can result in Filebeat sending duplicate events. This happens because Filebeat identifies files by inode and device name. During log rotation, lines that Filebeat has already processed are moved to a new file. When Filebeat encounters the new file, it reads from the beginning because the previous state information (the offset and read timestamp) is associated with the inode and device name of the old file.
+
+    Furthermore, strategies that copy and truncate the input log file can result in lost events if lines are written to the log file after it’s copied, but before it’s truncated.
+
+* **Make sure Filebeat is configured to read from all rotated logs**
+
+    When an input log file is moved or renamed during log rotation, Filebeat is able to recognize that the file has already been read. After the file is rotated, a new log file is created, and the application continues logging. Filebeat picks up the new file during the next scan. Because the file has a new inode and device name, Filebeat starts reading it from the beginning.
+
+    To avoid missing events from a rotated file, configure the input to read from the log file and all the rotated files. For examples, see [Example configurations](#log-rotate-example).
+
+
+If you’re using Windows, also see [More about log rotation on Windows](#log-rotation-windows).
+
+
+## Example configurations [log-rotate-example]
+
+This section shows a typical configuration for logrotate, a popular tool for doing log rotation on Linux, followed by a Filebeat configuration that reads all the rotated logs.
+
+
+### logrotate.conf [log-rotate-example-logrotate]
+
+In this example, Filebeat reads web server log. The logs are rotated every day, and the new file is created with the specified permissions.
+
+```yaml
+/var/log/my-server/my-server.log {
+    daily
+    missingok
+    rotate 7
+    notifempty
+    create 0640 www-data www-data
+}
+```
+
+
+### filebeat.yml [log-rotate-example-filebeat]
+
+In this example, Filebeat is configured to read all log files to make sure it does not miss any events.
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  id: my-server-filestream-id
+  paths:
+  - /var/log/my-server/my-server.log*
+```
+
+
+## More about log rotation on Windows [log-rotation-windows]
+
+On Windows, log rotation schemes that delete old files and rename newer files to old filenames might get blocked if the old files are being processed by Filebeat. This happens because Windows does not delete files and file metadata until the last process has closed the file. Unlike most *nix filesystems, a Windows filename cannot be reused until all processes accessing the file have closed the deleted file.
+
+To avoid this problem, use dates in rotated filenames. The file will never be renamed to an older filename, and the log writer and log rotator will always be able to open the file. This approach also highly reduces the chance of log writing, rotation, and collection interfering with each other.
+
+Because log rotation is typically handled by the logging application, we are not providing an example configuration for Windows.
+
+Also read [Open file handlers cause issues with Windows file rotation](/reference/filebeat/windows-file-rotation.md).
+
diff --git a/docs/reference/filebeat/file-output.md b/docs/reference/filebeat/file-output.md
new file mode 100644
index 000000000000..e499b2d70d27
--- /dev/null
+++ b/docs/reference/filebeat/file-output.md
@@ -0,0 +1,89 @@
+---
+navigation_title: "File"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/file-output.html
+---
+
+# Configure the File output [file-output]
+
+
+The File output dumps the transactions into a file where each transaction is in a JSON format. Currently, this output is used for testing, but it can be used as input for Logstash.
+
+To use this output, edit the Filebeat configuration file to disable the {{es}} output by commenting it out, and enable the file output by adding `output.file`.
+
+Example configuration:
+
+```yaml
+output.file:
+  path: "/tmp/filebeat"
+  filename: filebeat
+  #rotate_every_kb: 10000
+  #number_of_files: 7
+  #permissions: 0600
+  #rotate_on_startup: true
+```
+
+## Configuration options [_configuration_options_29]
+
+You can specify the following `output.file` options in the `filebeat.yml` config file:
+
+### `enabled` [_enabled_34]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `path` [path]
+
+The path to the directory where the generated files will be saved. This option is mandatory.
+
+The path may include the timestamp when the file output is initialized using the `+FORMAT` syntax where `FORMAT` is a valid [time format](https://github.com/elastic/beats/blob/main/libbeat/common/dtfmt/doc.go), and enclosed with expansion braces: `%{+FORMAT}`. For example:
+
+```
+path: 'fileoutput-%{+yyyy.MM.dd}'
+```
+
+
+### `filename` [_filename]
+
+The name of the generated files. The default is set to the Beat name. For example, the files generated by default for Filebeat would be `"filebeat-{{datetime}}.ndjson"`, `"filebeat-{{datetime}}-1.ndjson"`, `"filebeat-{{datetime}}-2.ndjson"`, and so on.
+
+
+### `rotate_every_kb` [_rotate_every_kb]
+
+The maximum size in kilobytes of each file. When this size is reached, the files are rotated. The default value is 10240 KB.
+
+
+### `number_of_files` [_number_of_files]
+
+The maximum number of files to save under [`path`](#path). When this number of files is reached, the oldest file is deleted, and the rest of the files are shifted from last to first. The number of files must be between 2 and 1024. The default is 7.
+
+
+### `permissions` [_permissions]
+
+Permissions to use for file creation. The default is 0600.
+
+
+### `rotate_on_startup` [_rotate_on_startup]
+
+If the output file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to true.
+
+
+### `codec` [_codec_3]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/filebeat/configuration-output-codec.md) for more information.
+
+
+### `queue` [_queue_5]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/filebeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `filebeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/filebeat/filebeat-configuration-reloading.md b/docs/reference/filebeat/filebeat-configuration-reloading.md
new file mode 100644
index 000000000000..5dc1bcbc8421
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-configuration-reloading.md
@@ -0,0 +1,88 @@
+---
+navigation_title: "Config file loading"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-configuration-reloading.html
+---
+
+# Load external configuration files [filebeat-configuration-reloading]
+
+
+Filebeat can load external configuration files for inputs and modules, allowing you to separate your configuration into multiple smaller configuration files. See the [Input config](#load-input-config) and the [Module config](#load-module-config) sections for details.
+
+::::{note}
+On systems with POSIX file permissions, all Beats configuration files are subject to ownership and file permission checks. For more information, see [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::
+
+
+
+## Input config [load-input-config]
+
+For input configurations, you specify the `path` option in the `filebeat.config.inputs` section of the `filebeat.yml` file. For example:
+
+```sh
+filebeat.config.inputs:
+  enabled: true
+  path: inputs.d/*.yml
+```
+
+Each file found by the `path` Glob must contain a list of one or more input definitions.
+
+::::{tip}
+The first line of each external configuration file must be an input definition that starts with `- type`. Make sure you omit the line `filebeat.config.inputs` from this file. All [`input type configuration options`](/reference/filebeat/configuration-filebeat-options.md#filebeat-input-types) must be specified within each external configuration file.  Specifying these configuration options at the global `filebeat.config.inputs` level is not supported.
+::::
+
+
+Example external configuration file:
+
+```yaml
+- type: filestream
+  id: first
+  paths:
+    - /var/log/mysql.log
+  prospector.scanner.check_interval: 10s
+
+- type: filestream
+  id: second
+  paths:
+    - /var/log/apache.log
+  prospector.scanner.check_interval: 5s
+```
+
+::::{warning}
+It is critical that two running inputs DO NOT have overlapping file paths defined. If more than one input harvests the same file at the same time, it can lead to unexpected behavior.
+::::
+
+
+
+## Module config [load-module-config]
+
+For module configurations, you specify the `path` option in the `filebeat.config.modules` section of the `filebeat.yml` file. By default, Filebeat loads the module configurations enabled in the [`modules.d`](/reference/filebeat/configuration-filebeat-modules.md#configure-modules-d-configs) directory. For example:
+
+```sh
+filebeat.config.modules:
+  enabled: true
+  path: ${path.config}/modules.d/*.yml
+```
+
+The `path` setting must point to the `modules.d` directory if you want to use the [`modules`](/reference/filebeat/command-line-options.md#modules-command) command to enable and disable module configurations.
+
+Each file found by the Glob must contain a list of one or more module definitions.
+
+::::{tip}
+The first line of each external configuration file must be a module definition that starts with `- module`. Make sure you omit the line `filebeat.config.modules` from this file.
+::::
+
+
+For example:
+
+```yaml
+- module: apache
+  access:
+    enabled: true
+    var.paths: [/var/log/apache2/access.log*]
+  error:
+    enabled: true
+    var.paths: [/var/log/apache2/error.log*]
+```
+
+
diff --git a/docs/reference/filebeat/filebeat-cpu.md b/docs/reference/filebeat/filebeat-cpu.md
new file mode 100644
index 000000000000..a5c4648ae5d2
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-cpu.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-cpu.html
+---
+
+# Filebeat is using too much CPU [filebeat-cpu]
+
+Filebeat might be configured to scan for files too frequently. Check the setting for `scan_frequency` in the `filebeat.yml` config file. Setting `scan_frequency` to less than 1s may cause Filebeat to scan the disk in a tight loop.
+
diff --git a/docs/reference/filebeat/filebeat-deduplication.md b/docs/reference/filebeat/filebeat-deduplication.md
new file mode 100644
index 000000000000..adca4f11569b
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-deduplication.md
@@ -0,0 +1,112 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-deduplication.html
+---
+
+# Deduplicate data [filebeat-deduplication]
+
+The {{beats}} framework guarantees at-least-once delivery to ensure that no data is lost when events are sent to outputs that support acknowledgement, such as {{es}}, {{ls}}, Kafka, and Redis. This is great if everything goes as planned. But if Filebeat shuts down during processing, or the connection is lost before events are acknowledged, you can end up with duplicate data.
+
+
+## What causes duplicates in {{es}}? [_what_causes_duplicates_in_es]
+
+When an output is blocked, the retry mechanism in Filebeat attempts to resend events until they are acknowledged by the output. If the output receives the events, but is unable to acknowledge them, the data might be sent to the output multiple times. Because document IDs are typically set by {{es}} *after* it receives the data from {{beats}}, the duplicate events are indexed as new documents.
+
+
+## How can I avoid duplicates? [_how_can_i_avoid_duplicates]
+
+Rather than allowing {{es}} to set the document ID, set the ID in {{beats}}. The ID is stored in the {{beats}} `@metadata._id` field and used to set the document ID during indexing. That way, if {{beats}} sends the same event to {{es}} more than once, {{es}} overwrites the existing document rather than creating a new one.
+
+The `@metadata._id` field is passed along with the event so that you can use it to set the document ID after the event has been published by Filebeat but before it’s received by {{es}}. For example, see [{{ls}} pipeline example](#ls-doc-id).
+
+There are several ways to set the document ID in {{beats}}:
+
+* **`add_id` processor**
+
+    Use the [`add_id`](/reference/filebeat/add-id.md) processor when your data has no natural key field, and you can’t derive a unique key from existing fields.
+
+    This example generates a unique ID for each event and adds it to the `@metadata._id` field:
+
+    ```yaml
+    processors:
+      - add_id: ~
+    ```
+
+* **`fingerprint` processor**
+
+    Use the [`fingerprint`](/reference/filebeat/fingerprint.md) processor to derive a unique key from one or more existing fields.
+
+    This example uses the values of `field1` and `field2` to derive a unique key that it adds to the `@metadata._id` field:
+
+    ```yaml
+    processors:
+      - fingerprint:
+          fields: ["field1", "field2"]
+          target_field: "@metadata._id"
+    ```
+
+* **`decode_json_fields` processor**
+
+    Use the `document_id` setting in the [`decode_json_fields`](/reference/filebeat/decode-json-fields.md) processor when you’re decoding a JSON string that contains a natural key field.
+
+    For this example, assume that the `message` field contains the JSON string `{"myid": "100", "text": "Some text"}`. This example takes the value of `myid` from the JSON string and stores it in the `@metadata._id` field:
+
+    ```yaml
+    processors:
+      - decode_json_fields:
+          document_id: "myid"
+          fields: ["message"]
+          max_depth: 1
+          target: ""
+    ```
+
+    The resulting document ID is `100`.
+
+* **JSON input settings**
+
+    Use the `json.document_id` input setting if you’re ingesting JSON-formatted data, and the data has a natural key field.
+
+    This example takes the value of `key1` from the JSON document and stores it in the `@metadata._id` field:
+
+    ```yaml
+    filebeat.inputs:
+    - type: log
+      paths:
+        - /path/to/json.log
+      json.document_id: "key1"
+    ```
+
+
+
+## {{ls}} pipeline example [ls-doc-id]
+
+For this example, assume that you’ve used one of the approaches described earlier to store the document ID in the {{beats}} `@metadata._id` field. To preserve the ID when you send {{beats}} data through {{ls}} en route to {{es}}, set the `document_id` field in the {{ls}} pipeline:
+
+```json
+input {
+  beats {
+    port => 5044
+  }
+}
+
+output {
+  if [@metadata][_id] {
+    elasticsearch {
+      hosts => ["http://localhost:9200"]
+      document_id => "%{[@metadata][_id]}" <1>
+      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
+    }
+  } else {
+    elasticsearch {
+      hosts => ["http://localhost:9200"]
+      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
+    }
+  }
+}
+```
+
+1. Sets the `document_id` field in the [{{es}} output](logstash://reference/plugins-outputs-elasticsearch.md) to the value stored in `@metadata._id`.
+
+
+When {{es}} indexes the document, it sets the document ID to the specified value, preserving the ID passed from {{beats}}.
+
diff --git a/docs/reference/filebeat/filebeat-geoip.md b/docs/reference/filebeat/filebeat-geoip.md
new file mode 100644
index 000000000000..f373192d0c1b
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-geoip.md
@@ -0,0 +1,206 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-geoip.html
+---
+
+# Enrich events with geoIP information [filebeat-geoip]
+
+You can use Filebeat along with the [GeoIP Processor](elasticsearch://reference/ingestion-tools/enrich-processor/geoip-processor.md) in {{es}} to export geographic location information based on IP addresses. Then you can use this information to visualize the location of IP addresses on a map in {{kib}}.
+
+The `geoip` processor adds information about the geographical location of IP addresses, based on data from the Maxmind GeoLite2 City Database. Because the processor uses a geoIP database that’s installed on {{es}}, you don’t need to install a geoIP database on the machines running Filebeat.
+
+::::{note}
+If your use case involves using {{ls}}, you can use the [GeoIP filter](logstash://reference/plugins-filters-geoip.md) available in {{ls}} instead of using the `geoip` processor. However, using the `geoip` processor is the simplest approach when you don’t require the additional processing power of {{ls}}.
+::::
+
+
+
+## Configure the `geoip` processor [filebeat-configuring-geoip]
+
+To configure Filebeat and the `geoip` processor:
+
+1. Define an ingest pipeline that uses one or more `geoip` processors to add location information to the event. For example, you can use the Console in {{kib}} to create the following pipeline:
+
+    ```console
+    PUT _ingest/pipeline/geoip-info
+    {
+      "description": "Add geoip info",
+      "processors": [
+        {
+          "geoip": {
+            "field": "client.ip",
+            "target_field": "client.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "client.ip",
+            "target_field": "client.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "source.ip",
+            "target_field": "source.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "source.ip",
+            "target_field": "source.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "destination.ip",
+            "target_field": "destination.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "destination.ip",
+            "target_field": "destination.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "server.ip",
+            "target_field": "server.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "server.ip",
+            "target_field": "server.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "host.ip",
+            "target_field": "host.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "server.as.asn",
+            "target_field": "server.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "server.as.organization_name",
+            "target_field": "server.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "client.as.asn",
+            "target_field": "client.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "client.as.organization_name",
+            "target_field": "client.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "source.as.asn",
+            "target_field": "source.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "source.as.organization_name",
+            "target_field": "source.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "destination.as.asn",
+            "target_field": "destination.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "destination.as.organization_name",
+            "target_field": "destination.as.organization.name",
+            "ignore_missing": true
+          }
+        }
+      ]
+    }
+    ```
+
+    In this example, the pipeline ID is `geoip-info`. `field` specifies the field that contains the IP address to use for the geographical lookup, and `target_field` is the field that will hold the geographical information. `"ignore_missing": true` configures the pipeline to continue processing when it encounters an event that doesn’t have the specified field.
+
+    See [GeoIP Processor](elasticsearch://reference/ingestion-tools/enrich-processor/geoip-processor.md) for more options.
+
+    To learn more about adding host information to an event, see [add_host_metadata](/reference/filebeat/add-host-metadata.md).
+
+2. In the Filebeat config file, configure the {{es}} output to use the pipeline. Specify the pipeline ID in the `pipeline` option under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["localhost:9200"]
+      pipeline: geoip-info
+    ```
+
+3. Run Filebeat. Remember to use `sudo` if the config file is owned by root.
+
+    ```sh
+    ./filebeat -e
+    ```
+
+    If the lookups succeed, the events are enriched with `geo_point` fields, such as `client.geo.location` and `host.geo.location`, that you can use to populate visualizations in {{kib}}.
+
+
+If you add a field that’s not already defined as a `geo_point` in the index template, add a mapping so the field gets indexed correctly.
+
+
+## Visualize locations [filebeat-visualizing-location]
+
+To visualize the location of IP addresses, you can create a new [coordinate map](docs-content://explore-analyze/visualize/maps.md) in {{kib}} and select the location field, for example `client.geo.location` or `host.geo.location`, as the Geohash.
+
+:::{image} images/coordinate-map.png
+:alt: Coordinate map in {kib}
+:class: screenshot
+:::
+
diff --git a/docs/reference/filebeat/filebeat-input-aws-cloudwatch.md b/docs/reference/filebeat/filebeat-input-aws-cloudwatch.md
new file mode 100644
index 000000000000..18e8de25e57f
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-aws-cloudwatch.md
@@ -0,0 +1,225 @@
+---
+navigation_title: "AWS CloudWatch"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-cloudwatch.html
+---
+
+# AWS CloudWatch input [filebeat-input-aws-cloudwatch]
+
+
+`aws-cloudwatch` input can be used to retrieve all logs from all log streams in a specific log group. `filterLogEvents` AWS API is used to list log events from the specified log group. Amazon CloudWatch Logs can be used to store log files from Amazon Elastic Compute Cloud(EC2), AWS CloudTrail, Route53, and other sources.
+
+A log group is a group of log streams that share the same retention, monitoring, and access control settings. You can define log groups and specify which streams to put into each group. There is no limit on the number of log streams that can belong to one log group.
+
+A log stream is a sequence of log events that share the same source. Each separate source of logs in CloudWatch Logs makes up a separate log stream.
+
+```yaml
+filebeat.inputs:
+- type: aws-cloudwatch
+  log_group_arn: arn:aws:logs:us-east-1:428152502467:log-group:test:*
+  scan_frequency: 1m
+  credential_profile_name: elastic-beats
+  start_position: beginning
+```
+
+The `aws-cloudwatch` input supports the following configuration options plus the [Common options](#filebeat-input-aws-cloudwatch-common-options) described later.
+
+
+### `log_group_arn` [_log_group_arn]
+
+ARN of the log group to collect logs from. The ARN may refer to a log group in a linked source account.
+
+Note: `log_group_arn` cannot be combined with `log_group_name`, `log_group_name_prefix` and `region_name` properties. If set, values extracted from `log_group_arn` takes precedence over them.
+
+Note: If the log group is in a linked source account and filebeat is configured to use a monitoring account, you must use the `log_group_arn`. You can read more about AWS account linking and cross account observability from the [official documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html).
+
+
+### `log_group_name` [_log_group_name]
+
+Name of the log group to collect logs from.
+
+Note: `region_name` is required when log_group_name is given.
+
+
+### `log_group_name_prefix` [_log_group_name_prefix]
+
+The prefix for a group of log group names. See `include_linked_accounts_for_prefix_mode` option for linked source accounts behavior.
+
+Note: `region_name` is required when `log_group_name_prefix` is given. `log_group_name` and `log_group_name_prefix` cannot be given at the same time. The number of workers that will process the log groups under this prefix is set through the `number_of_workers` config.
+
+
+### `include_linked_accounts_for_prefix_mode` [_include_linked_accounts_for_prefix_mode]
+
+Configure whether to include linked source accounts that contains the prefix value defined through `log_group_name_prefix`. Accepts a boolean and this is by default disabled.
+
+Note: Utilize `log_group_arn` if you desire to obtain logs from a known log group (including linked source accounts) You can read more about AWS account linking and cross account observability from the [official documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html).
+
+
+### `region_name` [_region_name]
+
+Region that the specified log group or log group prefix belongs to.
+
+
+### `number_of_workers` [_number_of_workers]
+
+Number of workers that will process the log groups with the given `log_group_name_prefix`. Default value is 1.
+
+
+### `log_streams` [_log_streams]
+
+A list of strings of log streams names that Filebeat collect log events from.
+
+
+### `log_stream_prefix` [_log_stream_prefix]
+
+A string to filter the results to include only log events from log streams that have names starting with this prefix.
+
+
+### `start_position` [_start_position]
+
+`start_position` allows user to specify if this input should read log files from the `beginning` or from the `end`.
+
+* `beginning`: reads from the beginning of the log group (default).
+* `end`: read only new messages from current time minus `scan_frequency` going forward
+
+For example, with `scan_frequency` equals to `30s` and current timestamp is `2020-06-24 12:00:00`:
+
+* with `start_position = beginning`:
+
+    * first iteration: startTime=0, endTime=2020-06-24 12:00:00
+    * second iteration: startTime=2020-06-24 12:00:00, endTime=2020-06-24 12:00:30
+
+* with `start_position = end`:
+
+    * first iteration: startTime=2020-06-24 11:59:30, endTime=2020-06-24 12:00:00
+    * second iteration: startTime=2020-06-24 12:00:00, endTime=2020-06-24 12:00:30
+
+
+
+### `scan_frequency` [_scan_frequency]
+
+This config parameter sets how often Filebeat checks for new log events from the specified log group. Default `scan_frequency` is 1 minute, which means Filebeat will sleep for 1 minute before querying for new logs again.
+
+
+### `api_timeout` [_api_timeout]
+
+The maximum duration of AWS API can take. If it exceeds the timeout, AWS API will be interrupted. The default AWS API timeout for a message is 120 seconds. The minimum is 0 seconds.
+
+
+### `api_sleep` [_api_sleep]
+
+This is used to sleep between AWS `FilterLogEvents` API calls inside the same collection period. `FilterLogEvents` API has a quota of 5 transactions per second (TPS)/account/Region. By default, `api_sleep` is 200 ms. This value should only be adjusted when there are multiple Filebeats or multiple Filebeat inputs collecting logs from the same region and AWS account.
+
+
+### `latency` [_latency]
+
+Some AWS services send logs to CloudWatch with a latency to process larger than `aws-cloudwatch` input `scan_frequency`. This case, please specify a `latency` parameter so collection start time and end time will be shifted by the given latency amount.
+
+
+### `aws credentials` [_aws_credentials]
+
+In order to make AWS API calls, `aws-cloudwatch` input requires AWS credentials. Please see [AWS credentials options](/reference/filebeat/filebeat-input-aws-s3.md#aws-credentials-config) for more details.
+
+
+## AWS Permissions [_aws_permissions]
+
+Specific AWS permissions are required for IAM user to access aws-cloudwatch:
+
+```
+cloudwatchlogs:DescribeLogGroups
+logs:FilterLogEvents
+```
+
+
+## Metrics [_metrics]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the activity of the input.
+
+| Metric | Description |
+| --- | --- |
+| `log_events_received_total` | Number of CloudWatch log events received. |
+| `log_groups_total` | Logs collected from number of CloudWatch log groups. |
+| `cloudwatch_events_created_total` | Number of events created from processing logs from CloudWatch. |
+| `api_calls_total` | Number of API calls made total. |
+
+## Common options [filebeat-input-aws-cloudwatch-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: aws-cloudwatch
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-aws-cloudwatch-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: aws-cloudwatch
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-aws-cloudwatch]
+
+If this option is set to true, the custom [fields](#filebeat-input-aws-cloudwatch-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-aws-s3.md b/docs/reference/filebeat/filebeat-input-aws-s3.md
new file mode 100644
index 000000000000..d8bc2f957dab
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-aws-s3.md
@@ -0,0 +1,1150 @@
+---
+navigation_title: "AWS S3"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html
+---
+
+# AWS S3 input [filebeat-input-aws-s3]
+
+
+Use the `aws-s3` input to retrieve logs from S3 objects that are pointed to by S3 notification events read from an SQS queue or directly polling list of S3 objects in an S3 bucket.  The use of SQS notification is preferred: polling lists of S3 objects is expensive in terms of performance and costs and should be preferably used only when no SQS notification can be attached to the S3 buckets. This input can, for example, be used to receive S3 access logs to monitor detailed records for the requests that are made to a bucket. This input also supports S3 notification from SNS to SQS.
+
+SQS notification method is enabled setting `queue_url` configuration value.  S3 bucket list polling method is enabled setting `bucket_arn` configuration value. Both values cannot be set at the same time, at least one of the values must be set.
+
+When using the SQS notification method, this input depends on S3 notifications delivered to an SQS queue for `s3:ObjectCreated:*` events. You must create an SQS queue and configure S3 to publish events to the queue.
+
+The S3 input manages SQS message visibility to prevent messages from being reprocessed while the S3 object is still being processed. If the processing takes longer than half of the visibility timeout, the timeout is reset to ensure the message doesn’t return to the queue before processing is complete.
+
+If an error occurs during the processing of the S3 object, the processing will be stopped, and the SQS message will be returned to the queue for reprocessing.
+
+
+## Configuration Examples [_configuration_examples]
+
+
+### SQS with JSON files [_sqs_with_json_files]
+
+This example reads s3:ObjectCreated notifications from SQS, and assumes that all the S3 objects have a `Content-Type` of `application/json`. It splits the `Records` array in the JSON into separate events.
+
+```yaml
+filebeat.inputs:
+- type: aws-s3
+  queue_url: https://sqs.ap-southeast-1.amazonaws.com/1234/test-s3-queue
+  expand_event_list_from_field: Records
+```
+
+
+### S3 bucket listing [_s3_bucket_listing]
+
+When using the direct polling list of S3 objects in an S3 buckets, a number of workers that will process the S3 objects listed must be set through the `number_of_workers` config. Listing of the S3 bucket will be polled according the time interval defined by `bucket_list_interval` config. The default value is 120 sec.
+
+```yaml
+filebeat.inputs:
+- type: aws-s3
+  bucket_arn: arn:aws:s3:::test-s3-bucket
+  number_of_workers: 5
+  bucket_list_interval: 300s
+  credential_profile_name: elastic-beats
+  expand_event_list_from_field: Records
+```
+
+
+### S3-compatible services [_s3_compatible_services]
+
+The `aws-s3` input can also poll third party S3-compatible services such as the Minio. Using non-AWS S3 compatible buckets requires the use of `access_key_id` and `secret_access_key` for authentication.  To specify the S3 bucket name, use the `non_aws_bucket_name` config and the `endpoint` must be set to replace the default API endpoint.  `endpoint` should be a full URI in the form of `https(s)://<s3 endpoint>` in the case of `non_aws_bucket_name`, that will be used as the API endpoint of the service.  No `endpoint` is needed if using the native AWS S3 service hosted at `amazonaws.com`.  Please see [Configuration parameters](#aws-credentials-config) for alternate AWS domains that require a different endpoint.
+
+```yaml
+filebeat.inputs:
+- type: aws-s3
+  non_aws_bucket_name: test-s3-bucket
+  number_of_workers: 5
+  bucket_list_interval: 300s
+  access_key_id: xxxxxxx
+  secret_access_key: xxxxxxx
+  endpoint: https://s3.example.com:9000
+  expand_event_list_from_field: Records
+```
+
+
+## Document ID Generation [_document_id_generation]
+
+This aws-s3 input feature prevents the duplication of events in Elasticsearch by generating a custom document `_id` for each event, rather than relying on Elasticsearch to automatically generate one. Each document in an Elasticsearch index must have a unique `_id`, and Filebeat uses this property to avoid ingesting duplicate events.
+
+The custom `_id` is based on several pieces of information from the S3 object: the Last-Modified timestamp, the bucket ARN, the object key, and the byte offset of the data in the event.
+
+Duplicate prevention is particularly useful in scenarios where Filebeat needs to retry an operation. Filebeat guarantees at-least-once delivery, meaning it will retry any failed or incomplete operations. These retries may be triggered by issues with the host, `{{beatname_uc}}`, network connectivity, or services such as Elasticsearch, SQS, or S3.
+
+
+### Limitations of `_id`-Based Deduplication [_limitations_of_id_based_deduplication]
+
+There are some limitations to consider when using `_id`-based deduplication in Elasticsearch:
+
+* Deduplication works only within a single index. The same `_id` can exist in different indices, which is important if you’re using data streams or index aliases. When the backing index rolls over, a duplicate may be ingested.
+* Indexing operations in Elasticsearch may take longer when an `_id` is specified. Elasticsearch needs to check if the ID already exists before writing, which can increase the time required for indexing.
+
+
+### Disabling Duplicate Prevention [_disabling_duplicate_prevention]
+
+If you want to disable the `_id`-based deduplication, you can remove the document `_id` using the [`drop_fields`](/reference/filebeat/drop-fields.md) processor in Filebeat.
+
+```yaml
+filebeat.inputs:
+  - type: aws-s3
+    queue_url: https://queue.amazonaws.com/80398EXAMPLE/MyQueue
+    processors:
+      - drop_fields:
+          fields:
+            - '@metadata._id'
+          ignore_missing: true
+```
+
+Alternatively, you can remove the `_id` field using an Elasticsearch Ingest Node pipeline.
+
+```json
+{
+  "processors": [
+    {
+      "remove": {
+        "if": "ctx.input?.type == \"aws-s3\"",
+        "field": "_id",
+        "ignore_missing": true
+      }
+    }
+  ]
+}
+```
+
+
+## Handling Compressed Objects [_handling_compressed_objects]
+
+S3 objects that use the gzip format ([RFC 1952](https://rfc-editor.org/rfc/rfc1952.html)) with the DEFLATE compression algorithm are automatically decompressed during processing. This is achieved by checking for the gzip file magic header.
+
+
+## Configuration [_configuration]
+
+The `aws-s3` input supports the following configuration options plus the [Common options](#filebeat-input-aws-s3-common-options) described later.
+
+::::{note}
+For time durations, valid time units are - "ns", "us" (or "µs"), "ms", "s", "m", "h". For example, "2h"
+::::
+
+
+
+### `api_timeout` [_api_timeout_2]
+
+The maximum duration of the AWS API call. If it exceeds the timeout, the AWS API call will be interrupted. The default AWS API timeout is `120s`.
+
+The API timeout must be longer than the `sqs.wait_time` value.
+
+
+### `buffer_size` [input-aws-s3-buffer_size]
+
+The size  of the buffer in bytes that each harvester uses when fetching a file. This only applies to non-JSON logs. The default is `16 KiB`.
+
+
+### `content_type` [input-aws-s3-content_type]
+
+A standard MIME type describing the format of the object data.  This can be set to override the MIME type given to the object when it was uploaded. For example: `application/json`.
+
+
+### `encoding` [input-aws-s3-encoding]
+
+The file encoding to use for reading data that contains international characters. This only applies to non-JSON logs. See [`encoding`](/reference/filebeat/filebeat-input-log.md#_encoding_3).
+
+
+### `decoding` [input-aws-s3-decoding]
+
+The file decoding option is used to specify a codec that will be used to decode the file contents. This can apply to any file stream data. An example config is shown below:
+
+Currently supported codecs are given below:-
+
+1. [csv](#attrib-decoding-csv): This codec decodes RFC 4180 CSV data streams.
+2. [parquet](#attrib-decoding-parquet): This codec decodes Apache Parquet data streams.
+
+
+#### `csv` [attrib-decoding-csv]
+
+The CSV codec is used to decode RFC 4180 CSV data streams. Enabling the codec without other options will use the default codec options.
+
+```yaml
+  decoding.codec.csv.enabled: true
+```
+
+The `csv` codec supports five sub attributes to control aspects of CSV decoding. The `comma` attribute specifies the field separator character used by the CSV format. If it is not specified, the comma character *`,`* is used. The `comment` attribute specifies the character that should be interpreted as a comment mark.  If it is specified, lines starting with the character will be ignored. Both `comma` and `comment` must be single characters. The `lazy_quotes` attribute controls how quoting in fields is handled. If `lazy_quotes` is true, a quote may appear in an unquoted field and a non-doubled quote may appear in a quoted field.  The `trim_leading_space` attribute specifies that leading white space should be ignored, even if the `comma` character is white space. For complete details of the preceding configuration attribute behaviors, see the CSV decoder [documentation](https://pkg.go.dev/encoding/csv#Reader) The `fields_names` attribute can be used to specify the column names for the data. If it is absent, the field names are obtained from the first non-comment line of data. The number of fields must match the number of field names.
+
+An example config is shown below:
+
+```yaml
+  decoding.codec.csv.enabled: true
+  decoding.codec.csv.comma: "\t"
+  decoding.codec.csv.comment: "#"
+```
+
+
+#### `parquet` [attrib-decoding-parquet]
+
+The `parquet` codec is used to decode the [Apache Parquet](https://en.wikipedia.org/wiki/Apache_Parquet) data storage format. Enabling the codec without other options will use the default codec options.
+
+```yaml
+  decoding.codec.parquet.enabled: true
+```
+
+The Parquet codec supports two attributes, batch_size and process_parallel, to improve decoding performance:
+
+* `batch_size`: This attribute specifies the number of records to read from the Parquet stream at a time. By default, batch_size is set to 1. Increasing the batch size can boost processing speed by reading more records in each operation.
+* `process_parallel`: When set to true, this attribute allows Filebeat to read multiple columns from the Parquet stream in parallel, using as many readers as there are columns. Enabling parallel processing can significantly increase throughput, but it will also result in higher memory usage. By default, process_parallel is set to false.
+
+By adjusting both batch_size and process_parallel, you can fine-tune the trade-off between processing speed and memory consumption.
+
+An example config is shown below:
+
+```yaml
+  decoding.codec.parquet.enabled: true
+  decoding.codec.parquet.process_parallel: true
+  decoding.codec.parquet.batch_size: 1000
+```
+
+
+### `expand_event_list_from_field` [_expand_event_list_from_field]
+
+If the fileset using this input expects to receive multiple messages bundled under a specific field or an array of objects then the config option `expand_event_list_from_field` value can be assigned the name of the field or `.[]`. This setting will be able to split the messages under the group value into separate events. For example, CloudTrail logs are in JSON format and events are found under the JSON object "Records".
+
+::::{note}
+When using `expand_event_list_from_field`, `content_type` config parameter has to be set to `application/json`.
+::::
+
+
+```json
+{
+    "Records": [
+        {
+            "eventVersion": "1.07",
+            "eventTime": "2019-11-14T00:51:00Z",
+            "awsRegion": "us-east-1",
+            "eventID": "EXAMPLE8-9621-4d00-b913-beca2EXAMPLE",
+        },
+        {
+            "eventVersion": "1.07",
+            "eventTime": "2019-11-14T00:52:00Z",
+            "awsRegion": "us-east-1",
+            "eventID": "EXAMPLEc-28be-486c-8928-49ce6EXAMPLE",
+        }
+    ]
+}
+```
+
+Or when `expand_event_list_from_field` is set to `.[]`, an array of objects will be split into separate events.
+
+```json
+[
+   {
+      "id":"1234",
+      "message":"success"
+   },
+   {
+      "id":"5678",
+      "message":"failure"
+   }
+]
+```
+
+Note: When `expand_event_list_from_field` parameter is given in the config, aws-s3 input will assume the logs are in JSON format and decode them as JSON. Content type will not be checked. If a file has "application/json" content-type, `expand_event_list_from_field` becomes required to read the JSON file.
+
+
+### `file_selectors` [_file_selectors]
+
+If the SQS queue will have events that correspond to files that Filebeat shouldn’t process `file_selectors` can be used to limit the files that are downloaded.  This is a list of selectors which are made up of `regex` and `expand_event_list_from_field` options.  The `regex` should match the S3 object key in the SQS message, and the optional `expand_event_list_from_field` is the same as the global setting.  If `file_selectors` is given, then any global `expand_event_list_from_field` value is ignored in favor of the ones specified in the `file_selectors`.  Regex syntax is the same as the Go language.  Files that don’t match one of the regexes won’t be processed.  [`content_type`](#input-aws-s3-content_type), [`parsers`](#input-aws-s3-parsers), [`include_s3_metadata`](#input-aws-s3-include_s3_metadata),[`max_bytes`](#input-aws-s3-max_bytes), [`buffer_size`](#input-aws-s3-buffer_size), and [`encoding`](#input-aws-s3-encoding) may also be set for each file selector.
+
+```yaml
+file_selectors:
+  - regex: '/CloudTrail/'
+    expand_event_list_from_field: 'Records'
+  - regex: '/CloudTrail-Digest/'
+  - regex: '/CloudTrail-Insight/'
+    expand_event_list_from_field: 'Records'
+```
+
+
+### `fips_enabled` [_fips_enabled]
+
+Moved to [AWS credentials options](#aws-credentials-config).
+
+
+### `include_s3_metadata` [input-aws-s3-include_s3_metadata]
+
+This input can include S3 object metadata in the generated events for use in follow-on processing. You must specify the list of keys to include. By default, none are included. If the key exists in the S3 response, then it will be included in the event as `aws.s3.metadata.<key>` where the key name as been normalized to all lowercase.
+
+```
+include_s3_metadata:
+  - last-modified
+  - x-amz-version-id
+```
+
+
+### `max_bytes` [input-aws-s3-max_bytes]
+
+The maximum number of bytes that a single log message can have. All bytes after `max_bytes` are discarded and not sent. This setting is especially useful for multiline log messages, which can get large. This only applies to non-JSON logs.  The default is `10 MiB`.
+
+
+### `parsers` [input-aws-s3-parsers]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This option expects a list of parsers that non-JSON logs go through.
+
+Available parsers:
+
+* `multiline`
+
+In this example, Filebeat is reading multiline messages that consist of XML that start with the `<Event>` tag.
+
+```yaml
+filebeat.inputs:
+- type: aws-s3
+  ...
+  parsers:
+    - multiline:
+        pattern: "^<Event"
+        negate:  true
+        match:   after
+```
+
+See the available parser settings in detail below.
+
+
+#### `multiline` [_multiline]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Options that control how Filebeat deals with log messages that span multiple lines. See [Multiline messages](/reference/filebeat/multiline-examples.md) for more information about configuring multiline options.
+
+
+### `queue_url` [_queue_url]
+
+URL of the AWS SQS queue that messages will be received from. (Required when `bucket_arn`, `access_point_arn`, and `non_aws_bucket_name` are not set).
+
+
+### `region` [_region]
+
+The name of the AWS region of the end point. If this option is given it takes precedence over the region name obtained from the `queue_url` value.
+
+
+### `visibility_timeout` [_visibility_timeout]
+
+The duration that the received SQS messages are hidden from retrieve requests after being retrieved by a `ReceiveMessage` request. The default visibility timeout is `300s`. The maximum is `12h`. Filebeat will automatically reset the visibility timeout of a message after 1/2 of the duration passes to prevent a message that is still being processed from returning to the queue.
+
+
+### `sqs.max_receive_count` [_sqs_max_receive_count]
+
+The maximum number of times a SQS message should be received (retried) before deleting it. This feature prevents poison-pill messages (messages that can be received but can’t be processed) from consuming resources. The number of times a message has been received is tracked using the `ApproximateReceiveCount` SQS attribute. The default value is 5.
+
+If you have configured a dead letter queue, then you can set this value to `-1` to disable deletion on failure.
+
+
+### `sqs.notification_parsing_script.source` [_sqs_notification_parsing_script_source]
+
+Inline Javascript source code.
+
+```yaml
+sqs.notification_parsing_script.source: >
+  function parse(notification) {
+      var evts = [];
+      var evt = new S3EventV2();
+      evt.SetS3BucketName(notification.bucket);
+      evt.SetS3ObjectKey(notification.path);
+      evts.push(evt);
+      return evts;
+  }
+```
+
+
+### `sqs.notification_parsing_script.file` [_sqs_notification_parsing_script_file]
+
+Path to a script file to load. Relative paths are interpreted as relative to the `path.config` directory. Globs are expanded.
+
+This loads `filter.js` from disk.
+
+```yaml
+sqs.notification_parsing_script.file: ${path.config}/filter.js
+```
+
+
+### `sqs.notification_parsing_script.files` [_sqs_notification_parsing_script_files]
+
+List of script files to load. The scripts are concatenated together. Relative paths are interpreted as relative to the `path.config` directory. And globs are expanded.
+
+
+### `sqs.notification_parsing_script.params` [_sqs_notification_parsing_script_params]
+
+A dictionary of parameters that are passed to the `register` of the script.
+
+Parameters can be passed to the script by adding `params` to the config. This allows for a script to be made reusable. When using `params` the code must define a `register(params)` function to receive the parameters.
+
+```yaml
+sqs.notification_parsing_script:
+  params:
+    provider: aws:s3
+  source: >
+    var params = {provider: ""};
+    function register(scriptParams) {
+      params = scriptParams;
+    }
+    function parse(notification) {
+      var evts = [];
+      var evt = new S3EventV2();
+      evt.SetS3BucketName(notification.bucket);
+      evt.SetS3ObjectKey(notification.path);
+      evt.SetProvider(params.provider);
+      evts.push(evt);
+      return evts;
+    }
+```
+
+
+### `sqs.notification_parsing_script.timeout` [_sqs_notification_parsing_script_timeout]
+
+This sets an execution timeout for the `process` function. When the `process` function takes longer than the `timeout` period the function is interrupted. You can set this option to prevent a script from running for too long (like preventing an infinite `while` loop). By default, there is no timeout.
+
+
+### `sqs.notification_parsing_script.max_cached_sessions` [_sqs_notification_parsing_script_max_cached_sessions]
+
+This sets the maximum number of JavaScript VM sessions that will be cached to avoid reallocation.
+
+
+### `sqs.wait_time` [_sqs_wait_time]
+
+The maximum duration that an SQS `ReceiveMessage` call should wait for a message to arrive in the queue before returning. The default value is `20s`. The maximum value is `20s`.
+
+
+### `bucket_arn` [_bucket_arn]
+
+ARN of the AWS S3 bucket that will be polled for list operation. (Required when `queue_url`, `access_point_arn, and `non_aws_bucket_name` are not set).
+
+
+### `access_point_arn` [_access_point_arn]
+
+ARN of the AWS S3 Access Point that will be polled for list operation. (Required when `queue_url`, `bucket_arn`, and `non_aws_bucket_name` are not set).
+
+
+### `non_aws_bucket_name` [_non_aws_bucket_name]
+
+Name of the S3 bucket that will be polled for list operation. Required for third-party S3 compatible services. (Required when `queue_url` and `bucket_arn` are not set).
+
+
+### `bucket_list_interval` [_bucket_list_interval]
+
+Time interval for polling listing of the S3 bucket: default to `120s`.
+
+
+### `bucket_list_prefix` [_bucket_list_prefix]
+
+Prefix to apply for the list request to the S3 bucket. Default empty.
+
+
+### `number_of_workers` [_number_of_workers_2]
+
+Number of workers that will process the S3 or SQS objects listed. Required when `bucket_arn` or `access_point_arn` is set, otherwise (in the SQS case) defaults to 5.
+
+
+### `provider` [_provider]
+
+Name of the third-party S3 bucket provider like backblaze or GCP. The following endpoints/providers will be detected automatically:
+
+|     |     |
+| --- | --- |
+| Domain | Provider |
+| amazonaws.com, amazonaws.com.cn, c2s.sgov.gov, c2s.ic.gov | aws |
+| backblazeb2.com | backblaze |
+| wasabisys.com | wasabi |
+| digitaloceanspaces.com | digitalocean |
+| dream.io | dreamhost |
+| scw.cloud | scaleway |
+| googleapis.com | gcp |
+| cloud.it | arubacloud |
+| linodeobjects.com | linode |
+| vultrobjects.com | vultr |
+| appdomain.cloud | ibm |
+| aliyuncs.com | alibaba |
+| oraclecloud.com | oracle |
+| exo.io | exoscale |
+| upcloudobjects.com | upcloud |
+| ilandcloud.com | iland |
+| zadarazios.com | zadara |
+
+
+### `path_style` [_path_style]
+
+Enabling this option sets the bucket name as a path in the API call instead of a subdomain. When enabled `https://<bucket-name>.s3.<region>.<provider>.com` becomes `https://s3.<region>.<provider>.com/<bucket-name>`.  This is only supported with third-party S3 providers.  AWS does not support path style.
+
+
+### `aws credentials` [_aws_credentials_2]
+
+To make AWS API calls, `aws-s3` input requires AWS credentials. Please see [AWS credentials options](#aws-credentials-config) for more details.
+
+
+### `backup_to_bucket_arn` [_backup_to_bucket_arn]
+
+The ARN of the S3 bucket where processed files are copied. The copy is created after the S3 object is fully processed. When using the `non_aws_bucket_name`, please use `non_aws_backup_to_bucket_name` accordingly.
+
+Naming of the backed up files can be controlled with `backup_to_bucket_prefix`.
+
+
+### `backup_to_bucket_prefix` [_backup_to_bucket_prefix]
+
+This prefix will be prepended to the object key when backing it up to another (or the same) bucket.
+
+
+### `non_aws_backup_to_bucket_name` [_non_aws_backup_to_bucket_name]
+
+The name of the non-AWS bucket where processed files are copied. Use this parameter when not using AWS buckets. The copy is created after the S3 object is fully processed.  When using the `bucket_arn`, please use `backup_to_bucket_arn` accordingly.
+
+Naming of the backed up files can be controlled with `backup_to_bucket_prefix`.
+
+
+### `delete_after_backup` [_delete_after_backup]
+
+Controls whether fully processed files will be deleted from the bucket.
+
+This option can only be used together with the backup functionality.
+
+## Common options [filebeat-input-aws-s3-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_2]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_2]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: aws-s3
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-aws-s3-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: aws-s3
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-aws-s3]
+
+If this option is set to true, the custom [fields](#filebeat-input-aws-s3-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_2]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_2]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_2]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_2]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_2]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
+### `ignore_older` [_ignore_older]
+
+The parameter specifies the time duration (ex:- 30m, 2h or 48h) during which bucket entries are accepted for processing. By default, this feature is disabled, allowing any entry in the bucket to be processed. It is recommended to set a suitable duration to prevent older bucket entries from being tracked, which helps to reduce the memory usage.
+
+When defined, bucket entries are processed only if their last modified timestamp falls within the specified time duration, relative to the current time. However, when the start_timestamp is set, the initial processing will include all bucket entries up to that timestamp.
+
+::::{note}
+Bucket entries that are older than the defined duration and have failed processing will not be re-processed. It is recommended to configure a sufficiently long duration based on your use case and current settings to avoid conflicts with the bucket_list_interval property. Additionally, this ensures that subsequent runs can include and re-process objects that failed due to unavoidable errors.
+::::
+
+
+
+### `start_timestamp` [_start_timestamp]
+
+Accepts a timestamp in the YYYY-MM-DDTHH:MM:SSZ format, which defines the point from which bucket entries are accepted for processing. By default, this is disabled, allowing all entries in the bucket to be processed.
+
+This parameter is useful when configuring input for the first time, especially if you want to ingest logs starting from a specific time. The timestamp can also be set to a future time, offering greater flexibility. You can combine this property with ignore_older duration to improve memory usage by reducing tracked bucket entries.
+
+::::{note}
+It is recommended to update this value when updating or restarting filebeat
+::::
+
+
+
+## AWS Permissions [_aws_permissions_2]
+
+Specific AWS permissions are required for IAM user to access SQS and S3 when using the SQS notifications method:
+
+```
+s3:GetObject
+sqs:ReceiveMessage
+sqs:ChangeMessageVisibility
+sqs:DeleteMessage
+```
+
+Reduced specific S3 AWS permissions are required for IAM user to access S3 when using the polling list of S3 bucket objects:
+
+```
+s3:GetObject
+s3:ListBucket
+s3:GetBucketLocation
+```
+
+In case `backup_to_bucket_arn` or `non_aws_backup_to_bucket_name` are set the following permission is required as well:
+
+```
+s3:PutObject
+```
+
+In case `delete_after_backup` is set the following permission is required as well:
+
+```
+s3:DeleteObject
+```
+
+In case optional SQS metric `sqs_messages_waiting_gauge` is desired, the following permission is required:
+
+```
+sqs:GetQueueAttributes
+```
+
+
+## S3 and SQS setup [_s3_and_sqs_setup]
+
+To configure SQS notifications for an existing S3 bucket, you can follow [create-sqs-queue-for-notification](https://docs.aws.amazon.com/AmazonS3/latest/dev/ways-to-add-notification-config-to-bucket.html#step1-create-sqs-queue-for-notification) guide.
+
+Alternatively, you can follow steps given which use a CloudFormation template to create a S3 bucket connected to a SQS with object creation notifications already enabled.
+
+1. First copy the CloudFormation template given below to a desired location. For example, to file `awsCloudFormation.yaml`
+
+    ::::{dropdown} CloudFormation template
+    ```yaml
+    AWSTemplateFormatVersion: '2010-09-09'
+    Description: |
+      Create a S3 bucket connected to a SQS for filebeat validations
+    Resources:
+      S3BucketWithSQS:
+        Type: AWS::S3::Bucket
+        Properties:
+          BucketName: !Sub ${AWS::StackName}-s3bucket
+          BucketEncryption:
+            ServerSideEncryptionConfiguration:
+              - ServerSideEncryptionByDefault:
+                  SSEAlgorithm: aws:kms
+                  KMSMasterKeyID: alias/aws/s3
+          PublicAccessBlockConfiguration:
+            IgnorePublicAcls: true
+            RestrictPublicBuckets: true
+          NotificationConfiguration:
+            QueueConfigurations:
+              - Event: s3:ObjectCreated:*
+                Queue: !GetAtt SQSWithS3BucketConnected.Arn
+        DependsOn:
+          - S3BucketWithSQSToSQSWithS3BucketConnectedPermission
+      S3BucketWithSQSBucketPolicy:
+        Type: AWS::S3::BucketPolicy
+        Properties:
+          Bucket: !Ref S3BucketWithSQS
+          PolicyDocument:
+            Id: RequireEncryptionInTransit
+            Version: '2012-10-17'
+            Statement:
+              - Principal: '*'
+                Action: '*'
+                Effect: Deny
+                Resource:
+                  - !GetAtt S3BucketWithSQS.Arn
+                  - !Sub ${S3BucketWithSQS.Arn}/*
+                Condition:
+                  Bool:
+                    aws:SecureTransport: 'false'
+      SQSWithS3BucketConnected:
+        Type: AWS::SQS::Queue
+        Properties:
+          MessageRetentionPeriod: 345600
+      S3BucketWithSQSToSQSWithS3BucketConnectedPermission:
+        Type: AWS::SQS::QueuePolicy
+        Properties:
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Principal:
+                  Service: s3.amazonaws.com
+                Action: sqs:SendMessage
+                Resource: !GetAtt SQSWithS3BucketConnected.Arn
+                Condition:
+                  ArnEquals:
+                    aws:SourceArn: !Sub arn:${AWS::Partition}:s3:::${AWS::StackName}-s3bucket
+          Queues:
+            - !Ref SQSWithS3BucketConnected
+    Outputs:
+      S3BucketArn:
+        Description: The ARN of the S3 bucket to insert logs
+        Value: !GetAtt S3BucketWithSQS.Arn
+      SQSUrl:
+        Description: The SQS URL to use for filebeat
+        Value: !GetAtt SQSWithS3BucketConnected.QueueUrl
+    ```
+
+    ::::
+
+2. Next, create a CloudFormation stack sourcing the copied.
+
+    ```sh
+    aws cloudformation create-stack --stack-name <STACK_NAME> --template-body file://awsCloudFormation.yaml
+    ```
+
+3. Then, obtain the S3 bucket ARN and SQS queue url using stack’s output
+
+    For this, you can describe the stack created above. The S3 ARN is set to `S3BucketArn` output and SQS url is set to `SQSUrl` output.  The output will be populated once the `StackStatus` is set to `CREATE_COMPLETE`.
+
+    ```sh
+    aws cloudformation describe-stacks --stack-name <STACK_NAME>
+    ```
+
+4. Finally, you can configure filebeat to use SQS notifications
+
+    ```yaml
+    filebeat.inputs:
+    - type: aws-s3
+      queue_url: <URL_FROM_STACK>
+      expand_event_list_from_field: Records
+      credential_profile_name: elastic-beats
+    ```
+
+    With this configuration, Filebeat avoids polling and uses SQS notifications to extract logs from the S3 bucket.
+
+
+
+## S3 → SNS → SQS setup [_s3_sns_sqs_setup]
+
+If you would like to use the bucket notification in multiple different consumers (others than filebeat), you should use an SNS topic for the bucket notification.  Please see [create-SNS-topic-for-notification](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html#step1-create-sns-topic-for-notification) for more details. SQS queue will be configured as a [subscriber to the SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-sqs-as-subscriber.html).
+
+
+## S3 → EventBridge → SQS setup [_s3_eventbridge_sqs_setup]
+
+Amazon S3 can alternatively [send events to EventBridge](https://docs.aws.amazon.com/AmazonS3/latest/userguide/EventBridge.html), which can then be used to route these events to SQS. While the S3 input will filter for *Object Created* events, it is more efficient to configure EventBridge to only forward the *Object Created* events.
+
+
+## Parallel Processing [_parallel_processing]
+
+When using the SQS notifications method, multiple Filebeat instances can read from the same SQS queues at the same time.  To horizontally scale processing when there are large amounts of log data flowing into an S3 bucket, you can run multiple Filebeat instances that read from the same SQS queues at the same time. No additional configuration is required.
+
+Using SQS ensures that each message in the queue is processed only once even when multiple Filebeat instances are running in parallel. To prevent Filebeat from receiving and processing the message more than once, set the visibility timeout.
+
+The visibility timeout begins when SQS returns a message to Filebeat. During this time, Filebeat processes and deletes the message. However, if Filebeat fails before deleting the message and your system doesn’t call the DeleteMessage action for that message before the visibility timeout expires, the message becomes visible to other Filebeat instances, and the message is received again. By default, the visibility timeout is set to 5 minutes for aws-s3 input in Filebeat. 5 minutes is sufficient time for Filebeat to read SQS messages and process related s3 log files.
+
+When using the polling list of S3 bucket objects method be aware that if running multiple Filebeat instances, they can list the same S3 bucket at the same time. Since the state of the ingested S3 objects is persisted (upon processing a single list operation) in the `path.data` configuration and multiple Filebeat cannot share the same `path.data` this will produce repeated ingestion of the S3 object.  Therefore, when using the polling list of S3 bucket objects method, scaling should be vertical, with a single bigger Filebeat instance and higher `number_of_workers` config value.
+
+
+## SQS Custom Notification Parsing Script [_sqs_custom_notification_parsing_script]
+
+Under some circumstances, you might want to listen to events that are not following the standard SQS notifications format. To be able to parse them, it is possible to define a custom script that will take care of processing them and generating the required list of S3 Events used to download the files.
+
+The `sqs.notification_parsing_script` executes JavaScript code to process an event.  It uses a pure Go implementation of ECMAScript 5.1 and has no external dependencies.
+
+It can be configured by embedding JavaScript in your configuration file or by pointing the processor at external file(s). Only one of the options `sqs.notification_parsing_script.source`, `sqs.notification_parsing_script.file`, and `sqs.notification_parsing_script.files` can be set at the same time.
+
+The script requires a `parse(notification)` function that receives the notification as a raw string and returns a list of `S3EventV2` objects. This raw string can then be processed as needed, e.g.: `JSON.parse(n)` or the provided helper for XML `new XMLDecoder(n)`.
+
+If the script defines a `test()` function it will be invoked when it is loaded. Any exceptions thrown will cause the processor to fail to load. This can be used to make assertions about the behavior of the script.
+
+```javascript
+function parse(n) {
+  var m = JSON.parse(n);
+  var evts = [];
+  var files = m.files;
+  var bucket = m.bucket;
+
+  if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") {
+    return evts;
+  }
+
+  files.forEach(function(f){
+    var evt = new S3EventV2();
+    evt.SetS3BucketName(bucket);
+    evt.SetS3ObjectKey(f.path);
+    evts.push(evt);
+  });
+
+  return evts;
+}
+
+function test() {
+    var events = parse({bucket: "aBucket", files: [{path: "path/to/file"}]});
+    if (events.length !== 1) {
+      throw "expecting one event";
+    }
+    if (events[0].S3.Bucket.Name === "aBucket") {
+        throw "expected bucket === aBucket";
+    }
+    if (events[0].S3.Object.Key === "path/to/file") {
+        throw "expected bucket === path/to/file";
+    }
+}
+```
+
+
+### S3EventV2 API [_s3eventv2_api]
+
+The `S3EventV2` object returned by the `parse` method.
+
+| Method | Description |
+| --- | --- |
+| `new S3EventV2()` | Returns a new `S3EventV2` object.<br>**Example**: `var evt = new S3EventV2();` |
+| `SetAWSRegion(string)` | Sets the AWS region.<br>**Example**: `evt.SetAWSRegion("us-east-1");` |
+| `SetProvider(string)` | Sets the provider.<br>**Example**: `evt.SetProvider("provider");` |
+| `SetEventName(string)` | Sets the event name.<br>**Example**: `evt.SetEventName("event-type");` |
+| `SetEventSource(string)` | Sets the event surce.<br>**Example**: `evt.SetEventSource("aws:s3");` |
+| `SetS3BucketName(string)` | Sets the bucket name.<br>**Example**: `evt.SetS3BucketName("bucket-name");` |
+| `SetS3BucketARN(string)` | Sets the bucket ARN.<br>**Example**: `evt.SetS3BucketARN("bucket-ARN");` |
+| `SetS3ObjectKey(string)` | Sets the object key.<br>**Example**: `evt.SetS3ObjectKey("path/to/object");` |
+
+To be able to retrieve an S3 object successfully, at least `S3.Object.Key` and `S3.Bucket.Name` properties must be set (using the provided setters). The other properties will be used as metadata in the resulting event when available.
+
+
+### XMLDecoder API [_xmldecoder_api]
+
+To help with XML decoding, an `XMLDecoder` class is provided.
+
+Example XML input:
+
+```xml
+<catalog>
+  <book seq="1">
+    <author>William H. Gaddis</author>
+    <title>The Recognitions</title>
+    <review>One of the great seminal American novels of the 20th century.</review>
+  </book>
+</catalog>
+```
+
+Will produce the following output:
+
+```json
+{
+  "catalog": {
+    "book": {
+      "author": "William H. Gaddis",
+      "review": "One of the great seminal American novels of the 20th century.",
+      "seq": "1",
+      "title": "The Recognitions"
+    }
+  }
+}
+```
+
+| Method | Description |
+| --- | --- |
+| `new XMLDecoder(string)` | Returns a new `XMLDecoder` object to decode the provided `string`.<br>**Example**: `var dec = new XMLDecoder(n);` |
+| `PrependHyphenToAttr()` | Causes the Decoder to prepend a hyphen (`-`) to all XML attribute names.<br>**Example**: `dec.PrependHyphenToAttr();` |
+| `LowercaseKeys()` | Causes the Decoder to transform all key names to lowercase.<br>**Example**: `dec.LowercaseKeys();` |
+| `Decode()` | Reads the XML string and return a map containing the data.<br>**Example**: `var m = dec.Decode();` |
+
+
+## AWS Credentials Configuration [aws-credentials-config]
+
+To configure AWS credentials, either put the credentials into the Filebeat configuration, or use a shared credentials file, as shown in the following examples.
+
+
+### Configuration parameters [_configuration_parameters]
+
+* **access_key_id**: first part of access key.
+* **secret_access_key**: second part of access key.
+* **session_token**: required when using temporary security credentials.
+* **credential_profile_name**: profile name in shared credentials file.
+* **shared_credential_file**: directory of the shared credentials file.
+* **role_arn**: AWS IAM Role to assume.
+* **external_id**: external ID to use when assuming a role in another account, see [the AWS documentation for use of external IDs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html).
+* **proxy_url**: URL of the proxy to use to connect to AWS web services. The syntax is `http(s)://<IP/Hostname>:<port>`
+* **fips_enabled**: Enabling this option instructs Filebeat to use the FIPS endpoint of a service. All services used by Filebeat are FIPS compatible except for `tagging` but only certain regions are FIPS compatible. See [https://aws.amazon.com/compliance/fips/](https://aws.amazon.com/compliance/fips/) or the appropriate service page, [https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html](https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html), for a full list of FIPS endpoints and regions.
+* **ssl**: This specifies SSL/TLS configuration. If the ssl section is missing, the host’s CAs are used for HTTPS connections. See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+* **default_region**: Default region to query if no other region is set. Most AWS services offer a regional endpoint that can be used to make requests. Some services, such as IAM, do not support regions. If a region is not provided by any other way (environment variable, credential or instance profile), the value set here will be used.
+* **assume_role.duration**: The duration of the requested assume role session. Defaults to 15m when not set. AWS allows a maximum session duration between 1h and 12h depending on your maximum session duration policies.
+* **assume_role.expiry_window**: The expiry_window will allow refreshing the session prior to its expiration. This is beneficial to prevent expiring tokens from causing requests to fail with an ExpiredTokenException.
+
+
+### Supported Formats [_supported_formats]
+
+::::{note}
+The examples in this section refer to Metricbeat, but the credential options for authentication with AWS are the same no matter which Beat is being used.
+::::
+
+
+* Use `access_key_id`, `secret_access_key`, and/or `session_token`
+
+Users can either put the credentials into the Metricbeat module configuration or use environment variable `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and/or `AWS_SESSION_TOKEN` instead.
+
+If running on Docker, these environment variables should be added as a part of the docker command. For example, with Metricbeat:
+
+```bash
+$ docker run -e AWS_ACCESS_KEY_ID=abcd -e AWS_SECRET_ACCESS_KEY=abcd -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
+```
+
+Sample `metricbeat.aws.yml` looks like:
+
+```yaml
+metricbeat.modules:
+- module: aws
+  period: 5m
+  access_key_id: ${AWS_ACCESS_KEY_ID}
+  secret_access_key: ${AWS_SECRET_ACCESS_KEY}
+  session_token: ${AWS_SESSION_TOKEN}
+  metricsets:
+    - ec2
+```
+
+Environment variables can also be added through a file. For example:
+
+```bash
+$ cat env.list
+AWS_ACCESS_KEY_ID=abcd
+AWS_SECRET_ACCESS_KEY=abcd
+
+$ docker run --env-file env.list -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
+```
+
+* Use `credential_profile_name` and/or `shared_credential_file`
+
+If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then filebeat will check for `credential_profile_name`. If you use different credentials for different tools or applications, you can use profiles to configure multiple access keys in the same configuration file. If there is no `credential_profile_name` given, the default profile will be used.
+
+`shared_credential_file` is optional to specify the directory of your shared credentials file. If it’s empty, the default directory will be used. In Windows, shared credentials file is at `C:\Users\<yourUserName>\.aws\credentials`. For Linux, macOS or Unix, the file is located at `~/.aws/credentials`. When running as a service, the home path depends on the user that manages the service, so the `shared_credential_file` parameter can be used to avoid ambiguity. Please see [Create Shared Credentials File](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.md) for more details.
+
+* Use `role_arn`
+
+`role_arn` is used to specify which AWS IAM role to assume for generating temporary credentials. If `role_arn` is given, filebeat will check if access keys are given. If not, filebeat will check for credential profile name. If neither is given, default credential profile will be used. Please make sure credentials are given under either a credential profile or access keys.
+
+If running on Docker, the credential file needs to be provided via a volume mount. For example, with Metricbeat:
+
+```bash
+docker run -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" --volume="/Users/foo/.aws/credentials:/usr/share/metricbeat/credentials:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
+```
+
+Sample `metricbeat.aws.yml` looks like:
+
+```yaml
+metricbeat.modules:
+- module: aws
+  period: 5m
+  credential_profile_name: elastic-beats
+  shared_credential_file: /usr/share/metricbeat/credentials
+  metricsets:
+    - ec2
+```
+
+* Use AWS credentials in Filebeat configuration
+
+    ```yaml
+    filebeat.inputs:
+    - type: aws-s3
+      queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
+      access_key_id: '<access_key_id>'
+      secret_access_key: '<secret_access_key>'
+      session_token: '<session_token>'
+    ```
+
+    or
+
+    ```yaml
+    filebeat.inputs:
+    - type: aws-s3
+      queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
+      access_key_id: '${AWS_ACCESS_KEY_ID:""}'
+      secret_access_key: '${AWS_SECRET_ACCESS_KEY:""}'
+      session_token: '${AWS_SESSION_TOKEN:""}'
+    ```
+
+* Use IAM role ARN
+
+    ```yaml
+    filebeat.inputs:
+    - type: aws-s3
+      queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
+      role_arn: arn:aws:iam::123456789012:role/test-mb
+    ```
+
+* Use shared AWS credentials file
+
+    ```yaml
+    filebeat.inputs:
+    - type: aws-s3
+      queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
+      credential_profile_name: test-fb
+    ```
+
+
+
+### AWS Credentials Types [_aws_credentials_types]
+
+There are two different types of AWS credentials can be used: access keys and temporary security credentials.
+
+* Access keys
+
+`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the two parts of access keys. They are long-term credentials for an IAM user or the AWS account root user. Please see [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) for more details.
+
+* IAM role ARN
+
+An IAM role is an IAM identity that you can create in your account that has specific permissions that determine what the identity can and cannot do in AWS. A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate temporary credentials. Please see [AssumeRole API documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) for more details.
+
+Here are the steps to set up IAM role using AWS CLI for Metricbeat. Please replace `123456789012` with your own account ID.
+
+Step 1. Create `example-policy.json` file to include all permissions:
+
+```yaml
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "sqs:ReceiveMessage"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "VisualEditor1",
+            "Effect": "Allow",
+            "Action": "sqs:ChangeMessageVisibility",
+            "Resource": "arn:aws:sqs:us-east-1:123456789012:test-fb-ks"
+        },
+        {
+            "Sid": "VisualEditor2",
+            "Effect": "Allow",
+            "Action": "sqs:DeleteMessage",
+            "Resource": "arn:aws:sqs:us-east-1:123456789012:test-fb-ks"
+        },
+        {
+            "Sid": "VisualEditor3",
+            "Effect": "Allow",
+            "Action": [
+                "sts:AssumeRole",
+                "sqs:ListQueues",
+                "tag:GetResources",
+                "ec2:DescribeInstances",
+                "cloudwatch:GetMetricData",
+                "ec2:DescribeRegions",
+                "iam:ListAccountAliases",
+                "sts:GetCallerIdentity",
+                "cloudwatch:ListMetrics"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
+Step 2. Create IAM policy using the `aws iam create-policy` command:
+
+```bash
+$ aws iam create-policy --policy-name example-policy --policy-document file://example-policy.json
+```
+
+Step 3. Create the JSON file `example-role-trust-policy.json` that defines the trust relationship of the IAM role
+
+```yaml
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
+        "Action": "sts:AssumeRole"
+    }
+}
+```
+
+Step 4. Create the IAM role and attach the policy:
+
+```bash
+$ aws iam create-role --role-name example-role --assume-role-policy-document file://example-role-trust-policy.json
+$ aws iam attach-role-policy --role-name example-role --policy-arn "arn:aws:iam::123456789012:policy/example-policy"
+```
+
+After these steps are done, IAM role ARN can be used for authentication in Metricbeat `aws` module.
+
+* Temporary security credentials
+
+Temporary security credentials has a limited lifetime and consists of an access key ID, a secret access key, and a security token which typically returned from `GetSessionToken`. MFA-enabled IAM users would need to submit an MFA code while calling `GetSessionToken`. Please see [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) for more details. `sts get-session-token` AWS CLI can be used to generate temporary credentials. For example. with MFA-enabled:
+
+```bash
+aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --token-code 456789 --duration-seconds 129600
+```
+
+Because temporary security credentials are short term, after they expire, the user needs to generate new ones and modify the aws.yml config file with the new credentials. Unless [live reloading](/reference/metricbeat/_live_reloading.md) feature is enabled for Metricbeat, the user needs to manually restart Metricbeat after updating the config file in order to continue collecting Cloudwatch metrics. This will cause data loss if the config file is not updated with new credentials before the old ones expire. For Metricbeat, we recommend users to use access keys in config file to enable aws module making AWS api calls without have to generate new temporary credentials and update the config frequently.
+
+IAM policy is an entity that defines permissions to an object within your AWS environment. Specific permissions needs to be added into the IAM user’s policy to authorize Metricbeat to collect AWS monitoring metrics. Please see documentation under each metricset for required permissions.
+
+
+## Metrics [_metrics_2]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the activity of the input.
+
+| Metric | Description |
+| --- | --- |
+| `sqs_messages_received_total` | Number of SQS messages received (not necessarily processed fully). |
+| `sqs_visibility_timeout_extensions_total` | Number of SQS visibility timeout extensions. |
+| `sqs_messages_inflight_gauge` | Number of SQS messages inflight (gauge). |
+| `sqs_messages_returned_total` | Number of SQS messages returned to queue (happens on errors implicitly after visibility timeout passes). |
+| `sqs_messages_deleted_total` | Number of SQS messages deleted. |
+| `sqs_messages_waiting_gauge` | Number of SQS messages waiting in the SQS queue (gauge). The value is refreshed every minute via data from [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_GetQueueAttributes.html<GetQueueAttributes&gt](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_GetQueueAttributes.md<GetQueueAttributes&gt);. A value of `-1` indicates the metric is uninitialized or could not be collected due to an error. |
+| `sqs_worker_utilization` | Rate of SQS worker utilization over the previous 5 seconds. 0 indicates idle, 1 indicates all workers utilized. |
+| `sqs_message_processing_time` | Histogram of the elapsed SQS processing times in nanoseconds (time of receipt to time of delete/return). |
+| `sqs_lag_time` | Histogram of the difference between the SQS SentTimestamp attribute and the time when the SQS message was received expressed in nanoseconds. |
+| `s3_objects_requested_total` | Number of S3 objects downloaded. |
+| `s3_objects_listed_total` | Number of S3 objects returned by list operations. |
+| `s3_objects_processed_total` | Number of S3 objects that matched file_selectors rules. |
+| `s3_objects_acked_total` | Number of S3 objects processed that were fully ACKed. |
+| `s3_bytes_processed_total` | Number of S3 bytes processed. |
+| `s3_events_created_total` | Number of events created from processing S3 data. |
+| `s3_objects_inflight_gauge` | Number of S3 objects inflight (gauge). |
+| `s3_object_processing_time` | Histogram of the elapsed S3 object processing times in nanoseconds (start of download to completion of parsing). |
+
+
diff --git a/docs/reference/filebeat/filebeat-input-azure-blob-storage.md b/docs/reference/filebeat/filebeat-input-azure-blob-storage.md
new file mode 100644
index 000000000000..c5a25239c07a
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-azure-blob-storage.md
@@ -0,0 +1,395 @@
+---
+navigation_title: "Azure Blob Storage"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-blob-storage.html
+---
+
+# Azure Blob Storage Input [filebeat-input-azure-blob-storage]
+
+
+Use the `azure blob storage input` to read content from files stored in containers which reside on your Azure Cloud. The input can be configured to work with and without polling, though currently, if polling is disabled it will only perform a one time passthrough, list the file contents and end the process. Polling is generally recommented for most cases even though it can get expensive with dealing with a very large number of files.
+
+**To mitigate errors and ensure a stable processing environment, this input employs the following features :**
+
+1. When processing azure blob containers, if suddenly there is any outage, the process will be able to resume post the last file it processed and was successfully able to save the state for.
+2. If any errors occur for certain files, they will be logged appropriately, but the rest of the files will continue to be processed normally.
+3. If any major error occurs which stops the main thread, the logs will be appropriately generated, describing said error.
+
+::::{note}
+:name: supported-types
+
+`JSON`, `NDJSON` and `CSV` are supported blob/file formats. Blobs/files may be also be gzip compressed. `shared access keys`, `connection strings` and `Microsoft Entra ID RBAC` authentication types are supported.
+::::
+
+
+$$$basic-config$$$
+**A sample configuration with detailed explanation for each field is given below :-**
+
+```yaml
+filebeat.inputs:
+- type: azure-blob-storage
+  id: my-azureblobstorage-id
+  enabled: true
+  account_name: some_account
+  auth.shared_credentials.account_key: some_key
+  containers:
+  - name: container_1
+    max_workers: 3
+    poll: true
+    poll_interval: 10s
+  - name: container_2
+    max_workers: 3
+    poll: true
+    poll_interval: 10s
+```
+
+**Explanation :** This `configuration` given above describes a basic blob storage config having two containers named `container_1` and `container_2`. Each of these containers have their own attributes such as `name`, `max_workers`, `poll` and `poll_interval`. These attributes have detailed explanations given [below](#supported-attributes). For now lets try to understand how this config works.
+
+For azure blob storage input to identify the files it needs to read and process, it will require the container names to be specified. We can have as many containers as we deem fit. We are also able to configure the attributes `max_workers`, `poll` and `poll_interval` at the root level, which will then be applied to all containers which do not specify any of these attributes explicitly.
+
+::::{note}
+If the attributes `max_workers`, `poll` and `poll_interval` are specified at the root level, these can still be overridden at the container level with different values, thus offering extensive flexibility and customization. Examples [below](#container-overrides) show this behaviour.
+::::
+
+
+On receiving this config the azure blob storage input will connect to the service and retrieve a `ServiceClient` using the given `account_name` and `auth.shared_credentials.account_key`, then it will spawn two main go-routines, one for each container. After this each of these routines (threads) will initialize a scheduler which will in turn use the `max_workers` value to initialize an in-memory worker pool (thread pool) with `3` `workers` available. Basically that equates to two instances of a worker pool, one per container, each having 3 workers. These `workers` will be responsible if performing `jobs` that process a file (in this case read and output the contents of a file).
+
+::::{note}
+The scheduler is responsible for scheduling jobs, and uses the `maximum available workers` in the pool, at each iteration, to decide the number of files to retrieve and process. This keeps work distribution efficient. The scheduler uses `poll_interval` attribute value to decide how long to wait after each iteration. Each iteration consists of processing a certain number of files, decided by the `maximum available workers` value.
+::::
+
+
+**A Sample Response :-**
+
+```json
+ {
+    "@timestamp": "2022-07-25T07:00:18.544Z",
+    "@metadata": {
+        "beat": "filebeat",
+        "type": "_doc",
+        "version": "8.4.0",
+        "_id": "beatscontainer-data_3.json-worker-1"
+    },
+    "message": "{\n    \"id\": 3,\n    \"title\": \"Samsung Universe 9\",\n    \"description\": \"Samsung's new variant which goes beyond Galaxy to the Universe\",\n    \"price\": 1249,\n    \"discountPercentage\": 15.46,\n    \"rating\": 4.09,\n    \"stock\": 36,\n    \"brand\": \"Samsung\",\n    \"category\": \"smartphones\",\n    \"thumbnail\": \"https://dummyjson.com/image/i/products/3/thumbnail.jpg\",\n    \"images\": [\n        \"https://dummyjson.com/image/i/products/3/1.jpg\"\n    ]\n}",
+    "cloud": {
+        "provider": "azure"
+    },
+    "input": {
+        "type": "azure-blob-storage"
+    },
+    "log": {
+        "offset": 200,
+        "file": {
+            "path": "https://beatsblobstorage1.blob.core.windows.net/beatscontainer/data_3.json"
+        }
+    },
+    "azure": {
+        "storage": {
+            "container": {
+                "name": "beatscontainer"
+            },
+            "blob": {
+                "content_type": "application/json",
+                "name": "data_3.json"
+            }
+        }
+    },
+    "event": {
+        "kind": "publish_data"
+    }
+}
+```
+
+As we can see from the response above, the `message` field contains the original stringified data.
+
+**Some of the key attributes are as follows :-**
+
+1. **message** : Original stringified blob data.
+2. **log.file.path** : Path of the blob in azure cloud.
+3. **azure.storage.blob.container.name** : Name of the container from which the file has been read.
+4. **azure.storage.blob.object.name** : Name of the file/blob which has been read.
+5. **azure.storage.blob.object.content_type** : Content type of the file/blob. You can find the supported content types [here](#supported-types).
+
+Now let’s explore the configuration attributes a bit more elaborately.
+
+$$$supported-attributes$$$
+**Supported Attributes :-**
+
+1. [account_name](#attrib-account-name)
+2. [auth.oauth2](#attrib-auth-oauth2)
+3. [auth.shared_credentials.account_key](#attrib-auth-shared-account-key)
+4. [auth.connection_string.uri](#attrib-auth-connection-string)
+5. [storage_url](#attrib-storage-url)
+6. [containers](#attrib-containers)
+7. [name](#attrib-container-name)
+8. [max_workers](#attrib-max_workers)
+9. [poll](#attrib-poll)
+10. [poll_interval](#attrib-poll_interval)
+11. [file_selectors](#attrib-file_selectors)
+12. [expand_event_list_from_field](#attrib-expand_event_list_from_field)
+13. [timestamp_epoch](#attrib-timestamp_epoch)
+
+
+## `account_name` [attrib-account-name]
+
+This attribute is required for various internal operations with respect to authentication, creating service clients and blob clients which are used internally for various processing purposes.
+
+
+## `auth.oauth2` [attrib-auth-oauth2]
+
+This attribute contains the Microsoft Entra ID RBAC authentication credentials for a secure connection to the Azure Blob Storage. The `auth.oauth2` attribute contains the following sub-attributes:
+
+1. `client_id`: The client ID of the Azure Entra ID application.
+2. `client_secret`: The client secret of the Azure Entra ID application.
+3. `tenant_id`: The tenant ID of the Azure Entra ID application.
+
+A sample configuration with `auth.oauth2` is given below:
+
+```yaml
+filebeat.inputs:
+- type: azure-blob-storage
+  account_name: some_account
+  auth.oauth2:
+    client_id: "some_client_id"
+    client_secret: "some_client_secret"
+    tenant_id: "some_tenant_id"
+  containers:
+  - name: container_1
+    max_workers: 3
+    poll: true
+    poll_interval: 10s
+```
+
+How to setup the `auth.oauth2` credentials can be found in the Azure documentation [here](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
+
+::::{note}
+According to our internal testing it seems that we require at least an access level of **blobOwner** for the service principle to be able to read the blobs. If you are facing any issues with the access level, ensure that the access level is set to **blobOwner**.
+::::
+
+
+
+## `auth.shared_credentials.account_key` [attrib-auth-shared-account-key]
+
+This attribute contains the **access key**, found under the `Access keys` section on Azure Clound, under the respective storage account. A single storage account can contain multiple containers, and they will all use this common access key.
+
+
+## `auth.connection_string.uri` [attrib-auth-connection-string]
+
+This attribute contains the **connection string**, found under the `Access keys` section on Azure Clound, under the respective storage account. A single storage account can contain multiple containers, and they will all use this common connection string.
+
+::::{note}
+We require only either of `auth.shared_credentials.account_key` or `auth.connection_string.uri` to be specified for authentication purposes. If both attributes are specified, then the one that occurs first in the configuration will be used.
+::::
+
+
+
+## `storage_url` [attrib-storage-url]
+
+Use this attribute to specify a custom storage URL if required. By default it points to azure cloud storage. Only use this if there is a specific need to connect to a different environment where blob storage is available.
+
+**URL format :** `{{protocol}}://{{account_name}}.{{storage_uri}}`. This attribute resides at the root level of the config and not inside any container block.
+
+
+## `containers` [attrib-containers]
+
+This attribute contains the details about a specific container like `name`, `max_workers`, `poll` and `poll_interval`. The attribute `name` is specific to a container as it describes the container name, while the fields `max_workers`, `poll` and `poll_interval` can exist both at the container level and the root level. This attribute is internally represented as an array, so we can add as many containers as we require.
+
+
+## `name` [attrib-container-name]
+
+This is a specific subfield of a container. It specifies the container name.
+
+
+## `max_workers` [attrib-max_workers]
+
+This attribute defines the maximum number of workers allocated to the worker pool for processing jobs which read file contents. It can be specified both at the root level of the configuration, and at the container level. Container level values override root level values if both are specified. Larger number of workers do not necessarily improve throughput, and this should be carefully tuned based on the number of files, the size of the files being processed and resources available. Increasing `max_workers` to very high values may cause resource utilization problems and may lead to bottlenecks in processing. Usually a maximum of `2000` workers is recommended. A very low `max_worker` count will drastically increase the number of network calls required to fetch the blobs, which may cause a bottleneck in processing.
+
+The batch size for workload distribution is calculated by the input to ensure that there is an even workload across all workers. This means that for a given `max_workers` parameter value, the input will calculate the optimal batch size for that setting. The `max_workers` value should be configured based on factors such as the total number of files to be processed, available system resources and network bandwidth.
+
+Example:
+
+* Setting `max_workers=3` would result in each request fetching `3 blobs` (batch size = 3), which are then distributed among `3 workers`.
+* Setting `max_workers=100` would fetch `100 blobs` (batch size = 100) per request, distributed among `100 workers`.
+
+
+## `poll` [attrib-poll]
+
+This attribute informs the scheduler whether to keep polling for new files or not. Default value of this is `false`, so it will not keep polling if not explicitly specified. This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always take priority and override the root level values if both are specified.
+
+
+## `poll_interval` [attrib-poll_interval]
+
+This attribute defines the maximum amount of time after which the internal scheduler will make the polling call for the next set of blobs/files. It can be defined in the following formats : `{{x}}s`, `{{x}}m`, `{{x}}h`, here `s = seconds`, `m = minutes` and `h = hours`. The value `{{x}}` can be anything we wish. Example : `10s` would mean we would like the polling to occur every 10 seconds. If no value is specified for this, by default its initialized to `300 seconds`. This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always take priority and override the root level values if both are specified.
+
+
+## `encoding` [input-azure-blob-storage-encoding]
+
+The file encoding to use for reading data that contains international characters. This only applies to non-JSON logs. See [`encoding`](/reference/filebeat/filebeat-input-log.md#_encoding_3).
+
+
+## `decoding` [input-azure-blob-storage-decoding]
+
+The file decoding option is used to specify a codec that will be used to decode the file contents. This can apply to any file stream data. An example config is shown below:
+
+Currently supported codecs are given below:-
+
+1. [CSV](#attrib-decoding-csv-azureblobstorage): This codec decodes RFC 4180 CSV data streams.
+
+
+## `the CSV codec` [attrib-decoding-csv-azureblobstorage]
+
+The `CSV` codec is used to decode RFC 4180 CSV data streams. Enabling the codec without other options will use the default codec options.
+
+```yaml
+  decoding.codec.csv.enabled: true
+```
+
+The CSV codec supports five sub attributes to control aspects of CSV decoding. The `comma` attribute specifies the field separator character used by the CSV format. If it is not specified, the comma character *`,`* is used. The `comment` attribute specifies the character that should be interpreted as a comment mark. If it is specified, lines starting with the character will be ignored. Both `comma` and `comment` must be single characters. The `lazy_quotes` attribute controls how quoting in fields is handled. If `lazy_quotes` is true, a quote may appear in an unquoted field and a non-doubled quote may appear in a quoted field. The `trim_leading_space` attribute specifies that leading white space should be ignored, even if the `comma` character is white space. For complete details of the preceding configuration attribute behaviors, see the CSV decoder [documentation](https://pkg.go.dev/encoding/csv#Reader) The `fields_names` attribute can be used to specify the column names for the data. If it is absent, the field names are obtained from the first non-comment line of data. The number of fields must match the number of field names.
+
+An example config is shown below:
+
+```yaml
+  decoding.codec.csv.enabled: true
+  decoding.codec.csv.comma: "\t"
+  decoding.codec.csv.comment: "#"
+```
+
+
+## `file_selectors` [attrib-file_selectors]
+
+If the Azure blob storage container will have blobs that correspond to files that Filebeat shouldn’t process, `file_selectors` can be used to limit the files that are downloaded. This is a list of selectors which are based on a `regex` pattern. The `regex` should match the blob name or should be a part of the blob name (ideally a prefix). The `regex` syntax is the same as used in the Go programming language. Files that don’t match any configured regex won’t be processed.This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always take priority and override the root level values if both are specified.
+
+```yaml
+filebeat.inputs:
+- type: azure-blob-storage
+  id: my-azureblobstorage-id
+  enabled: true
+  account_name: some_account
+  auth.shared_credentials.account_key: some_key
+  containers:
+  - name: container_1
+    file_selectors:
+    - regex: '/Monitoring/'
+    - regex: 'docs/'
+    - regex: '/Security-Logs/'
+```
+
+The `file_selectors` operation is performed within the agent locally. The agent will download all the files and then filter them based on the `file_selectors`. This can cause a bottleneck in processing if the number of files are very high. It is recommended to use this attribute only when the number of files are limited or ample resources are available.
+
+
+## `expand_event_list_from_field` [attrib-expand_event_list_from_field]
+
+If the file-set using this input expects to receive multiple messages bundled under a specific field or an array of objects then the config option for `expand_event_list_from_field` can be specified. This setting will be able to split the messages under the group value into separate events. For example, if you have logs that are in JSON format and events are found under the JSON object "Records". To split the events into separate events, the config option `expand_event_list_from_field` can be set to "Records". This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always take priority and override the root level values if both are specified.
+
+```json
+{
+    "Records": [
+        {
+            "eventVersion": "1.07",
+            "eventTime": "2019-11-14T00:51:00Z",
+            "region": "us-east-1",
+            "eventID": "EXAMPLE8-9621-4d00-b913-beca2EXAMPLE",
+        },
+        {
+            "eventVersion": "1.07",
+            "eventTime": "2019-11-14T00:52:00Z",
+            "region": "us-east-1",
+            "eventID": "EXAMPLEc-28be-486c-8928-49ce6EXAMPLE",
+        }
+    ]
+}
+```
+
+```yaml
+filebeat.inputs:
+- type: azure-blob-storage
+  id: my-azureblobstorage-id
+  enabled: true
+  account_name: some_account
+  auth.shared_credentials.account_key: some_key
+  containers:
+  - name: container_1
+    expand_event_list_from_field: Records
+```
+
+::::{note}
+This attribute is only applicable for JSON file formats. You do not require to specify this attribute if the file has an array of objects at the root level. Root level array of objects are automatically split into separate events. If failures occur or the input crashes due to some unexpected error, the processing will resume from the last successfully processed file/blob.
+::::
+
+
+
+## `timestamp_epoch` [attrib-timestamp_epoch]
+
+This attribute can be used to filter out files/blobs which have a timestamp older than the specified value. The value of this attribute should be in unix `epoch` (seconds) format. The timestamp value is compared with the `LastModified Timestamp` obtained from the blob metadata. This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always take priority and override the root level values if both are specified.
+
+```yaml
+filebeat.inputs:
+- type: azure-blob-storage
+  id: my-azureblobstorage-id
+  enabled: true
+  account_name: some_account
+  auth.shared_credentials.account_key: some_key
+  containers:
+  - name: container_1
+    timestamp_epoch: 1627233600
+```
+
+The Azure Blob Storage APIs don’t provide a direct way to filter files based on timestamp, so the input will download all the files and then filter them based on the timestamp. This can cause a bottleneck in processing if the number of files are very high. It is recommended to use this attribute only when the number of files are limited or ample resources are available.
+
+$$$container-overrides$$$
+**The sample configs below will explain the container level overriding of attributes a bit further :-**
+
+**CASE - 1 :**
+
+Here `container_1` is using root level attributes while `container_2` overrides the values :
+
+```yaml
+filebeat.inputs:
+- type: azure-blob-storage
+  id: my-azureblobstorage-id
+  enabled: true
+  account_name: some_account
+  auth.shared_credentials.account_key: some_key
+  max_workers: 10
+  poll: true
+  poll_interval: 15s
+  containers:
+  - name: container_1
+  - name: container_2
+    max_workers: 3
+    poll: true
+    poll_interval: 10s
+```
+
+**Explanation :** In this configuration `container_1` has no sub attributes in `max_workers`, `poll` and `poll_interval` defined. It inherits the values for these fileds from the root level, which is `max_workers = 10`, `poll = true` and `poll_interval = 15 seconds`. However `container_2` has these fields defined and it will use those values instead of using the root values.
+
+**CASE - 2 :**
+
+Here both `container_1` and `container_2` overrides the root values :
+
+```yaml
+filebeat.inputs:
+  - type: azure-blob-storage
+    id: my-azureblobstorage-id
+    enabled: true
+    account_name: some_account
+    auth.shared_credentials.account_key: some_key
+    max_workers: 10
+    poll: true
+    poll_interval: 15s
+    containers:
+    - name: container_1
+      max_workers: 5
+      poll: true
+      poll_interval: 10s
+    - name: container_2
+      max_workers: 5
+      poll: true
+      poll_interval: 10s
+```
+
+**Explanation :** In this configuration even though we have specified `max_workers = 10`, `poll = true` and `poll_interval = 15s` at the root level, both the containers will override these values with their own respective values which are defined as part of their sub attibutes.
+
+::::{note}
+Any feedback is welcome which will help us further optimize this input. Please feel free to open a github issue for any bugs or feature requests.
+::::
diff --git a/docs/reference/filebeat/filebeat-input-azure-eventhub.md b/docs/reference/filebeat/filebeat-input-azure-eventhub.md
new file mode 100644
index 000000000000..9684ef2ac014
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-azure-eventhub.md
@@ -0,0 +1,85 @@
+---
+navigation_title: "Azure Event Hub"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-eventhub.html
+---
+
+# Azure eventhub input [filebeat-input-azure-eventhub]
+
+
+Users can make use of the `azure-eventhub` input in order to read messages from an azure eventhub. The azure-eventhub input implementation is based on the the event processor host (EPH is intended to be run across multiple processes and machines while load balancing message consumers more on this here [https://github.com/Azure/azure-event-hubs-go#event-processor-host](https://github.com/Azure/azure-event-hubs-go#event-processor-host), [https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-event-processor-host](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-event-processor-host)). State such as leases on partitions and checkpoints in the event stream are shared between receivers using an Azure Storage container. For this reason, as a prerequisite to using this input, users will have to create or use an existing storage account.
+
+Users can enable internal logs tracing for this input by setting the environment variable `BEATS_AZURE_EVENTHUB_INPUT_TRACING_ENABLED: true`. When enabled, this input will log additional information to the logs. Additional information includes partition ownership, blob lease information, and other internal state.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: azure-eventhub
+  eventhub: "insights-operational-logs"
+  consumer_group: "test"
+  connection_string: "Endpoint=sb://....."
+  storage_account: "azureeph"
+  storage_account_key: "....."
+  storage_account_container: ""
+  resource_manager_endpoint: ""
+```
+
+## Configuration options [_configuration_options]
+
+The `azure-eventhub` input supports the following configuration:
+
+
+## `eventhub` [_eventhub]
+
+The name of the eventhub users would like to read from, field required.
+
+
+## `consumer_group` [_consumer_group]
+
+Optional, we recommend using a dedicated consumer group for the azure input. Reusing consumer groups among non-related consumers can cause unexpected behavior and possibly lost events.
+
+
+## `connection_string` [_connection_string]
+
+The connection string required to communicate with Event Hubs, steps here [https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string).
+
+A Blob Storage account is required in order to store/retrieve/update the offset or state of the eventhub messages. This means that after stopping filebeat it can start back up at the spot that it stopped processing messages.
+
+
+## `storage_account` [_storage_account]
+
+The name of the storage account. Required.
+
+
+## `storage_account_key` [_storage_account_key]
+
+The storage account key, this key will be used to authorize access to data in your storage account, option is required.
+
+
+## `storage_account_container` [_storage_account_container]
+
+Optional, the name of the storage account container you would like to store the offset information in.
+
+
+## `resource_manager_endpoint` [_resource_manager_endpoint]
+
+Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment. Ex: [https://management.chinacloudapi.cn/](https://management.chinacloudapi.cn/) for azure ChinaCloud [https://management.microsoftazure.de/](https://management.microsoftazure.de/) for azure GermanCloud [https://management.azure.com/](https://management.azure.com/) for azure PublicCloud [https://management.usgovcloudapi.net/](https://management.usgovcloudapi.net/) for azure USGovernmentCloud Users can also use this in case of a Hybrid Cloud model, where one may define their own endpoints.
+
+
+## Metrics [_metrics_3]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the activity of the input.
+
+| Metric | Description |
+| --- | --- |
+| `received_messages_total` | Number of messages received from the event hub. |
+| `received_bytes_total` | Number of bytes received from the event hub. |
+| `sanitized_messages_total` | Number of messages that were sanitized successfully. |
+| `processed_messages_total` | Number of messages that were processed successfully. |
+| `received_events_total` | Number of events received decoding messages. |
+| `sent_events_total` | Number of events that were sent successfully. |
+| `processing_time` | Histogram of the elapsed processing times in nanoseconds. |
+| `decode_errors_total` | Number of errors that occurred while decoding a message. |
+
+
diff --git a/docs/reference/filebeat/filebeat-input-benchmark.md b/docs/reference/filebeat/filebeat-input-benchmark.md
new file mode 100644
index 000000000000..57e510feb019
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-benchmark.md
@@ -0,0 +1,166 @@
+---
+navigation_title: "Benchmark"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-benchmark.html
+---
+
+# Benchmark input [filebeat-input-benchmark]
+
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The Benchmark input generates generic events and sends them to the output. This can be useful when you want to benchmark the difference between outputs or output settings.
+
+Example configurations:
+
+Basic example, infinite events as quickly as possible:
+
+```yaml
+filebeat.inputs:
+- type: benchmark
+  enabled: true
+  message: "test message"
+  threads: 1
+```
+
+Send 1024 events and stop example:
+
+```yaml
+filebeat.inputs:
+- type: benchmark
+  enabled: true
+  message: "test message"
+  threads: 1
+  count: 1024
+```
+
+Send 5 events per second example:
+
+```yaml
+filebeat.inputs:
+- type: benchmark
+  enabled: true
+  message: "test message"
+  threads: 1
+  eps: 5
+```
+
+## Configuration options [_configuration_options_2]
+
+The Benchmark input supports the following configuration options plus the [Common options](#filebeat-input-benchmark-common-options) described later.
+
+
+### `message` [_message]
+
+This is the value that will be in the `message` field of the json document.
+
+
+### `threads` [_threads]
+
+This is the number of goroutines that will be started generating messages. Normally 1 thread can saturate an output but if necessary this can be increased.
+
+
+### `count` [_count]
+
+This is the number of messages to send. 0 represents sending infinite messages. This is mutually exclusive with the `eps` option.
+
+
+### `eps` [_eps]
+
+This is the number of events per second to send. 0 represents sending as quickly as possible. This is mutually exclusive with the `count` option.
+
+
+## Metrics [_metrics_4]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the activity of the input.
+
+| Metric | Description |
+| --- | --- |
+| `events_published_total` | Number of events published. |
+| `publishing_time` | Histogram of the elapsed in nanoseconds (time of publisher.Publish). |
+
+
+## Common options [filebeat-input-benchmark-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_3]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_3]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: benchmark
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-benchmark-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: benchmark
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-benchmark]
+
+If this option is set to true, the custom [fields](#filebeat-input-benchmark-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_3]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_3]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_3]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_3]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_3]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-cel.md b/docs/reference/filebeat/filebeat-input-cel.md
new file mode 100644
index 000000000000..40ea4c4ef175
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-cel.md
@@ -0,0 +1,909 @@
+---
+navigation_title: "CEL"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html
+---
+
+# Common Expression Language input [filebeat-input-cel]
+
+
+Use the `cel` input to read messages from a file path or HTTP API with a variety of payloads using the [Common Expression Language (CEL)](https://opensource.google.com/projects/cel) and the [mito](https://pkg.go.dev/github.com/elastic/mito/lib) CEL extension libraries.
+
+CEL is a non-Turing complete language that can perform evaluation of expression in inputs, which can include file and API endpoints using the mito extension library. The `cel` input periodically runs a CEL program that is given an execution environment that may be configured by the user, and publishes the set of events that result from the program evaluation. Optionally the CEL program may return cursor states that will be provided to the next execution of the CEL program. The cursor states may be used to control the behaviour of the program.
+
+This input supports:
+
+* Auth
+
+    * Basic
+    * Digest
+    * OAuth2
+
+* Retrieval at a configurable interval
+* Pagination
+* Retries
+* Rate limiting
+* Proxying
+
+Example configurations:
+
+```yaml
+filebeat.inputs:
+# Fetch your public IP every minute.
+- type: cel
+  interval: 1m
+  resource.url: https://api.ipify.org/?format=json
+  program: |
+    bytes(get(state.url).Body).as(body, {
+        "events": [body.decode_json()]
+    })
+```
+
+or equivalently using the text format from ipify.org
+
+```yaml
+filebeat.inputs:
+# Fetch your public IP every minute.
+- type: cel
+  interval: 1m
+  resource.url: https://api.ipify.org/?format=text
+  program: |
+    {
+        "events": [{"ip": string(get(state.url).Body)}]
+    }
+```
+
+```yaml
+filebeat.inputs:
+- type: cel
+  resource.url: http://localhost:9200/_search
+  state:
+    scroll: 5m
+  program: |
+    (
+        !has(state.cursor) || !has(state.cursor.scroll_id) ?
+            post(state.url+"?scroll=5m", "", "")
+        :
+            post(
+                state.url+"/scroll?"+{"scroll_id": [state.cursor.scroll_id]}.format_query(),
+                "application/json",
+                {"scroll": state.scroll}.encode_json()
+            )
+    ).as(resp, bytes(resp.Body).decode_json().as(body, {
+            "events": body.hits.hits,
+            "cursor": {"scroll_id": body._scroll_id},
+    }))
+```
+
+## Execution [_execution]
+
+The execution environment provided for the input includes includes the functions, macros, and global variables provided by the mito library. A single JSON object is provided as an input accessible through a `state` variable. `state` contains a string `url` field and may contain arbitrary other fields configured via the input’s `state` configuration. If the CEL program saves cursor states between executions of the program, the configured `state.cursor` value will be replaced by the saved cursor prior to execution.
+
+On start the `state` is will be something like this:
+
+```json
+{
+    "url": <resource address>,
+    "cursor": { ... },
+    ...
+}
+```
+
+The `state.url` field will be present and may be an HTTP end-point or a file path. It is the responsibility of the CEL program to handle removing the scheme from a file URL if it is present. The `state.url` field may be mutated during execution of the program, but the mutated state will not be persisted between restarts The `state.url` field must be present in the returned value to ensure that it is available in the next evaluation unless the program has the resource address hard-coded in or it is available from the cursor.
+
+Additional fields may be present at the root of the object and if the program tolerates it, the cursor value may be absent. Only the cursor is persisted over restarts, but all fields in state are retained between iterations of the processing loop except for the produced events array, see below.
+
+If the cursor is present the program should perform and process requests based on its value. If cursor is not present the program must have alternative logic to determine what requests to make.
+
+After completion of a program’s execution it should return a single object with a structure looking like this:
+
+```json
+{
+    "events": [ <1>
+        {...},
+        ...
+    ],
+    "cursor": [ <2>
+        {...},
+        ...
+    ],
+    "url": <resource address>,
+    "status_code": <HTTP request status code if a network request>,
+    "header": <HTTP response headers if a network request>,
+    "rate_limit": <HTTP rate limit map if required by API>, <3>
+    "want_more": false <4>
+}
+```
+
+1. The `events` field must be present, but may be empty or null. If it is not empty, it must only have objects as elements. The field should be an array, but in the case of an error condition in the CEL program it is acceptable to return a single object instead of an array; this will will be wrapped as an array for publication and an error will be logged. If the single object contains a key, "error", the error value will be used to update the status of the input to report to Elastic Agent. This can be used to more rapidly respond to API failures.
+2. If `cursor` is present it must be either be a single object or an array with the same length as events; each element *i* of the `cursor` will be the details for obtaining the events at and beyond event *i* in the `events` array. If the `cursor` is a single object it is will be the details for obtaining events after the last event in the `events` array and will only be retained on successful publication of all the events in the `events` array.
+3. If `rate_limit` is present it must be a map with numeric fields `rate` and `burst`. The `rate_limit` field may also have a string `error` field and other fields which will be logged. If it has an `error` field, the `rate` and `burst` will not be used to set rate limit behavior. The [Limit](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#Limit), and [Okta Rate Limit policy](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#OktaRateLimit) and [Draft Rate Limit policy](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#DraftRateLimit) documentation show how to construct this field.
+4. The evaluation is repeated with the new state, after removing the events field, if the "want_more" field is present and true, and a non-zero events array is returned. If the "want_more" field is present after a failed evaluation, it is set to false.
+
+
+The `status_code`, `header` and `rate_limit` values may be omitted if the program is not interacting with an HTTP API end-point and so will not be needed to contribute to program control.
+
+
+## Debug state logging [_debug_state_logging]
+
+The CEL input will log the complete state after evaluation when logging at the DEBUG level. This will include any sensitive or secret information kept in the `state` object, and so DEBUG level logging should not be used in production when sensitive information is retained in the `state` object. See [`redact`](#cel-state-redact) configuration parameters for settings to exclude sensitive fields from DEBUG logs.
+
+
+## CEL extension libraries [_cel_extension_libraries]
+
+As noted above the `cel` input provides functions, macros, and global variables to extend the language.
+
+* [Collections](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#Collections)
+
+    * [Collate](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Collate)
+    * [Drop](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Drop)
+    * [Drop Empty](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Drop_Empty)
+    * [Flatten](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Flatten)
+    * [Keys](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Keys)
+    * [Max](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Max)
+    * [Min](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Min)
+    * [Tail](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Tail)
+    * [Values](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Values)
+    * [With](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-With)
+    * [With Replace](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-With_Replace)
+    * [With Update](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-With_Update)
+    * [Zip](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Zip)
+
+* [Crypto](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#Crypto)
+
+    * [Base64](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Base64)
+    * [Base64 Decode](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Base64_Decode)
+    * [Base64 Raw](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Base64_Raw)
+    * [Base64 Raw Decode](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Base64_Raw_Decode)
+    * [Hex](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Hex)
+    * [MD5](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-MD5)
+    * [SHA-1](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-SHA_1)
+    * [SHA-256](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-SHA_256)
+    * [HMAC](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-HMAC)
+    * [UUID](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-UUID)
+
+* [File](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#File)
+
+    * [Dir](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Dir)
+    * [File](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-File)
+
+* [HTTP](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#HTTP)
+
+    * [HEAD](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-HEAD)
+    * [GET](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-GET)
+    * [GET Request](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-GET_Request)
+    * [POST](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-POST)
+    * [POST Request](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-POST_Request)
+    * [Request](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Request)
+    * [Basic Authentication](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Basic_Authentication)
+    * [Do Request](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Do_Request)
+    * [Parse URL](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Parse_URL)
+    * [Format URL](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Format_URL)
+    * [Parse Query](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Parse_Query)
+    * [Format Query](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Format_Query)
+
+* [File](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#File) — the file extension is initialized with MIME handlers for "application/gzip", ["application/x-ndjson"](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#NDJSON), ["application/zip"](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#Zip), ["text/csv; header=absent"](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#CSVNoHeader), and ["text/csv; header=present"](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#CSVHeader).
+
+    * [Dir](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Dir)
+    * [File](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-File)
+
+* [JSON](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#JSON)
+
+    * [Encode JSON](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Encode_JSON)
+    * [Decode JSON](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Decode_JSON)
+    * [Decode JSON Stream](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Decode_JSON_Stream)
+
+* [XML](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#XML) — the XML extension is initialized with XML schema definitions provided via the `xsd` configuration option.
+
+    * [Decode XML](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Decode_XML)
+
+* [Limit](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#Limit) — the rate limit extension is initialized with [Okta (as "okta")](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#OktaRateLimit) and the [Draft Rate Limit (as "draft")](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#DraftRateLimit) policies.
+
+    * [Rate Limit](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Rate_Limit)
+
+* [MIME](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#MIME) — the MIME extension is initialized with MIME handlers for "application/gzip", ["application/x-ndjson"](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#NDJSON), ["application/zip"](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#Zip), ["text/csv; header=absent"](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#CSVNoHeader), and ["text/csv; header=present"](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#CSVHeader).
+
+    * [MIME](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-MIME)
+
+* [Regexp](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#Regexp) — the regular expression extension is initialized with the patterns specified in the user input configuration via the `regexp` field.
+
+    * [RE Match](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-RE_Match)
+    * [RE Find](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-RE_Find)
+    * [RE Find All](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-RE_Find_All)
+    * [RE Find Submatch](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-RE_Find_Submatch)
+    * [RE Find All Submatch](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-RE_Find_All_Submatch)
+    * [RE Replace All](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-RE_Replace_All)
+
+* [Printf](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#Printf)
+
+    * [Sprintf](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Sprintf-Printf)
+
+* [Strings](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#Strings)
+
+    * [String Methods](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-String_Methods)
+    * [String List Methods](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-String_List_Methods)
+    * [Bytes Methods](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Bytes_Methods)
+
+* [Time](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#Time)
+
+    * [Format](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Format)
+    * [Parse Time](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Parse_Time)
+    * [Global Variables](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Global_Variables)
+
+* [Try](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#Try)
+
+    * [Try](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Try)
+    * [Is Error](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Is_Error)
+
+* [Debug](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#Debug) — the debug handler registers a logger with the name extension `cel_debug` and calls to the CEL `debug` function are emitted to that logger.
+
+    * [Debug](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#hdr-Debug)
+
+
+In addition to the extensions provided in the packages listed above, a global variable `useragent` is also provided which gives the user CEL program access to the filebeat user-agent string. By default, this value is assigned to all requests' user-agent headers unless the CEL program has already set the user-agent header value. Programs wishing to not provide a user-agent, should set this header to the empty string, `""`.
+
+Host environment variables are made available via the global map `env`. Only environment variables that have been allow listed via the `allowed_environment` configuration list are visible to the CEL program.
+
+The CEL environment enables the [optional types](https://pkg.go.dev/github.com/google/cel-go/cel#OptionalTypes) library using the version defined [here](https://pkg.go.dev/github.com/elastic/mito@v1.16.0/lib#OptionalTypesVersion).
+
+Additionally, it supports authentication via Basic Authentication, Digest Authentication or OAuth2.
+
+Example configurations with authentication:
+
+```yaml
+filebeat.inputs:
+- type: cel
+  auth.basic:
+    user: user@domain.tld
+    password: P@$$W0₹D
+  resource.url: http://localhost
+```
+
+```yaml
+filebeat.inputs:
+- type: cel
+  auth.digest:
+    user: user@domain.tld
+    password: P@$$W0₹D
+  resource.url: http://localhost
+```
+
+```yaml
+filebeat.inputs:
+- type: cel
+  auth.oauth2:
+    client.id: 12345678901234567890abcdef
+    client.secret: abcdef12345678901234567890
+    token_url: http://localhost/oauth2/token
+  resource.url: http://localhost
+```
+
+```yaml
+filebeat.inputs:
+- type: cel
+  auth.oauth2:
+    client.id: 12345678901234567890abcdef
+    client.secret: abcdef12345678901234567890
+    token_url: http://localhost/oauth2/token
+    user: user@domain.tld
+    password: P@$$W0₹D
+  resource.url: http://localhost
+```
+
+
+## Input state [input-state-cel]
+
+The `cel` input keeps a runtime state between requests. This state can be accessed by the CEL program and may contain arbitrary objects.
+
+The state must contain a `url` string and may contain any object the user wishes to store in it.
+
+All objects are stored at runtime, except `cursor`, which has values that are persisted between restarts.
+
+
+## Configuration options [_configuration_options_3]
+
+The `cel` input supports the following configuration options plus the [Common options](#filebeat-input-cel-common-options) described later.
+
+
+### `interval` [_interval]
+
+Duration between repeated requests. It may make additional pagination requests in response to the initial request if pagination is enabled. Default: `60s`.
+
+
+### `program` [program-cel]
+
+The CEL program that is executed each polling period. This field is required.
+
+
+### `max_executions` [max_executions-cel]
+
+`max_executions` is the maximum number of times a CEL program can request to be re-run with a `want_more` field. This is used to ensure that accidental infinite loops do not halt processing. When the execution budget is exceeded, execution will be restarted at the next interval and a warning will be written into the logs. Default: 1000.
+
+
+### `state` [state-cel]
+
+`state` is an optional object that is passed to the CEL program on the first execution. It is available to the executing program as the `state` variable. It is made available to subsequent executions of the program during the life of input as the returned value of the previous execution, but with the `state.events` field removed. Except for the `state.cursor` field, `state` does not persist over restarts.
+
+
+### `state.cursor` [cursor-cel]
+
+The cursor is an object available as `state.cursor` where arbitrary values may be stored. Cursor state is kept between input restarts and updated after each event of a request has been published. When a cursor is used the CEL program must either create a cursor state for each event that is returned by the program, or a single cursor that reflect the cursor for completion of the full set of events.
+
+```yaml
+filebeat.inputs:
+# Fetch your public IP every minute and note when the last request was made.
+- type: cel
+  interval: 1m
+  resource.url: https://api.ipify.org/?format=json
+  program: |
+    bytes(get(state.url).Body).as(body, {
+        "events": [body.decode_json().with({
+            "last_requested_at": has(state.cursor) && has(state.cursor.last_requested_at) ?
+                state.cursor.last_requested_at
+            :
+                now
+        })],
+        "cursor": {"last_requested_at": now}
+    })
+```
+
+
+## `allowed_environment` [environ-cel]
+
+A list of host environment variable that will be made visible to the CEL execution environment. By default, no environment variables are visible.
+
+```yaml
+filebeat.inputs:
+# Publish the list of files in $PATH every minute.
+- type: cel
+  interval: 1m
+  resource.url: ""
+  allowed_environment:
+    - PATH
+  program: |
+{
+  "events": {
+    "message": env.?PATH.orValue("").split(":")
+      .map(p, try(dir(p)))
+      .filter(d, type(d) != type(""))
+      .flatten()
+      .collate("name")
+  }
+}
+```
+
+
+### `regexp` [regexp-cel]
+
+A set of named regular expressions that may be used during a CEL program’s execution using the `regexp` extension library. The syntax used for the regular expressions is [RE2](https://github.com/google/re2/wiki/Syntax).
+
+```yaml
+filebeat.inputs:
+- type: cel
+  # Define two regular expressions, 'products' and 'solutions' for use during CEL execution.
+  regexp:
+    products: '(?i)(Elasticsearch|Beats|Logstash|Kibana)'
+    solutions: '(?i)(Search|Observability|Security)'
+```
+
+
+### `xsd` [xsd-cel]
+
+XML documents may require additional type information to enable correct parsing and ingestion. This information can be provided as an XML Schema Definitions (XSD) for XML documents using the `xsd` option. The key under which the XSD information is provided is accessed via the `decode_xml` CEL extension.
+
+```yaml
+filebeat.inputs:
+- type: cel
+  # Provide an XSD, 'order', for use during CEL execution (truncated for example).
+  xsd:
+    order: |
+       <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
+         <xs:element name="order">
+           <xs:complexType>
+             <xs:sequence>
+               <xs:element name="sender" type="xs:string"/>
+               <xs:element name="address">
+                 <xs:complexType>
+                   <xs:sequence>
+                     <xs:element name="name" type="xs:string"/>
+                     <xs:element name="company" type="xs:string"/>
+```
+
+
+### `auth.basic.enabled` [_auth_basic_enabled]
+
+When set to `false`, disables the basic auth configuration. Default: `true`.
+
+::::{note}
+Basic auth settings are disabled if either `enabled` is set to `false` or the `auth.basic` section is missing.
+::::
+
+
+
+### `auth.basic.user` [_auth_basic_user]
+
+The user to authenticate with.
+
+
+### `auth.basic.password` [_auth_basic_password]
+
+The password to use.
+
+
+### `auth.digest.enabled` [_auth_digest_enabled]
+
+When set to `false`, disables the digest auth configuration. Default: `true`.
+
+::::{note}
+digest auth settings are disabled if either `enabled` is set to `false` or the `auth.digest` section is missing.
+::::
+
+
+
+### `auth.digest.user` [_auth_digest_user]
+
+The user to authenticate with.
+
+
+### `auth.digest.password` [_auth_digest_password]
+
+The password to use.
+
+
+### `auth.digest.no_reuse` [_auth_digest_no_reuse]
+
+When set to `true`, Digest Authentication challenges are not reused.
+
+
+### `auth.oauth2.enabled` [_auth_oauth2_enabled]
+
+When set to `false`, disables the oauth2 configuration. Default: `true`.
+
+::::{note}
+OAuth2 settings are disabled if either `enabled` is set to `false` or the `auth.oauth2` section is missing.
+::::
+
+
+
+### `auth.oauth2.provider` [_auth_oauth2_provider]
+
+Used to configure supported oauth2 providers. Each supported provider will require specific settings. It is not set by default. Supported providers are: `azure`, `google`, `okta`.
+
+
+### `auth.oauth2.client.id` [_auth_oauth2_client_id]
+
+The client ID used as part of the authentication flow. It is always required except if using `google` as provider. Required for providers: `default`, `azure`, `okta`.
+
+
+### `auth.oauth2.client.secret` [_auth_oauth2_client_secret]
+
+The client secret used as part of the authentication flow. It is always required except if using `google` or `okta` as provider. Required for providers: `default`, `azure`.
+
+
+### `auth.oauth2.user` [_auth_oauth2_user]
+
+The user used as part of the authentication flow. It is required for authentication - grant type password. It is only available for provider `default`.
+
+
+### `auth.oauth2.password` [_auth_oauth2_password]
+
+The password used as part of the authentication flow. It is required for authentication - grant type password. It is only available for provider `default`.
+
+::::{note}
+user and password are required for grant_type password. If user and password is not used then it will automatically use the `token_url` and `client credential` method.
+::::
+
+
+
+### `auth.oauth2.scopes` [_auth_oauth2_scopes]
+
+A list of scopes that will be requested during the oauth2 flow. It is optional for all providers.
+
+
+### `auth.oauth2.token_url` [_auth_oauth2_token_url]
+
+The endpoint that will be used to generate the tokens during the oauth2 flow. It is required if no provider is specified.
+
+::::{note}
+For `azure` provider either `token_url` or `azure.tenant_id` is required.
+::::
+
+
+
+### `auth.oauth2.endpoint_params` [_auth_oauth2_endpoint_params]
+
+Set of values that will be sent on each request to the `token_url`. Each param key can have multiple values. Can be set for all providers except `google`.
+
+```yaml
+- type: cel
+  auth.oauth2:
+    endpoint_params:
+      Param1:
+        - ValueA
+        - ValueB
+      Param2:
+        - Value
+```
+
+
+### `auth.oauth2.azure.tenant_id` [_auth_oauth2_azure_tenant_id]
+
+Used for authentication when using `azure` provider. Since it is used in the process to generate the `token_url`, it can’t be used in combination with it. It is not required.
+
+For information about where to find it, you can refer to [https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal).
+
+
+### `auth.oauth2.azure.resource` [_auth_oauth2_azure_resource]
+
+The accessed WebAPI resource when using `azure` provider. It is not required.
+
+
+### `auth.oauth2.google.credentials_file` [_auth_oauth2_google_credentials_file]
+
+The credentials file for Google.
+
+::::{note}
+Only one of the credentials settings can be set at once. If none is provided, loading default credentials from the environment will be attempted via ADC. For more information about how to provide Google credentials, please refer to [https://cloud.google.com/docs/authentication](https://cloud.google.com/docs/authentication).
+::::
+
+
+
+### `auth.oauth2.google.credentials_json` [_auth_oauth2_google_credentials_json]
+
+Your credentials information as raw JSON.
+
+::::{note}
+Only one of the credentials settings can be set at once. If none is provided, loading default credentials from the environment will be attempted via ADC. For more information about how to provide Google credentials, please refer to [https://cloud.google.com/docs/authentication](https://cloud.google.com/docs/authentication).
+::::
+
+
+
+### `auth.oauth2.google.jwt_file` [_auth_oauth2_google_jwt_file]
+
+The JWT Account Key file for Google.
+
+::::{note}
+Only one of the credentials settings can be set at once. If none is provided, loading default credentials from the environment will be attempted via ADC. For more information about how to provide Google credentials, please refer to [https://cloud.google.com/docs/authentication](https://cloud.google.com/docs/authentication).
+::::
+
+
+
+### `auth.oauth2.google.jwt_json` [_auth_oauth2_google_jwt_json]
+
+The JWT Account Key file as raw JSON.
+
+::::{note}
+Only one of the credentials settings can be set at once. If none is provided, loading default credentials from the environment will be attempted via ADC. For more information about how to provide Google credentials, please refer to [https://cloud.google.com/docs/authentication](https://cloud.google.com/docs/authentication).
+::::
+
+
+
+### `auth.oauth2.google.delegated_account` [_auth_oauth2_google_delegated_account]
+
+Email of the delegated account used to create the credentials (usually an admin). Used in combination with `auth.oauth2.google.jwt_file` or `auth.oauth2.google.jwt_json`.
+
+
+### `auth.oauth2.okta.jwk_file` [_auth_oauth2_okta_jwk_file]
+
+The RSA JWK Private Key file for your Okta Service App which is used for interacting with Okta Org Auth Server to mint tokens with okta.* scopes.
+
+::::{note}
+Only one of the credentials settings can be set at once. For more information please refer to [https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/)
+::::
+
+
+
+### `auth.oauth2.okta.jwk_json` [_auth_oauth2_okta_jwk_json]
+
+The RSA JWK Private Key JSON for your Okta Service App which is used for interacting with Okta Org Auth Server to mint tokens with okta.* scopes.
+
+::::{note}
+Only one of the credentials settings can be set at once. For more information please refer to [https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/)
+::::
+
+
+
+### `auth.oauth2.okta.jwk_pem` [_auth_oauth2_okta_jwk_pem]
+
+The RSA JWK private key PEM block for your Okta Service App which is used for interacting with Okta Org Auth Server to mint tokens with okta.* scopes.
+
+::::{note}
+Only one of the credentials settings can be set at once. For more information please refer to [https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/)
+::::
+
+
+
+### `resource.url` [resource-parameters]
+
+The URL of the HTTP API. Required.
+
+The API endpoint may be accessed via unix socket and Windows named pipes by adding  `+unix` or `+npipe` to the URL scheme, for example, `http+unix:///var/socket/`.
+
+
+### `resource.timeout` [_resource_timeout]
+
+Duration before declaring that the HTTP client connection has timed out. Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`. Default: `30s`.
+
+
+### `resource.ssl` [_resource_ssl]
+
+This specifies SSL/TLS configuration. If the ssl section is missing, the host’s CAs are used for HTTPS connections. See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+
+
+### `resource.keep_alive.disable` [_resource_keep_alive_disable]
+
+This specifies whether to disable keep-alives for HTTP end-points. Default: `true`.
+
+
+### `resource.keep_alive.max_idle_connections` [_resource_keep_alive_max_idle_connections]
+
+The maximum number of idle connections across all hosts. Zero means no limit. Default: `0`.
+
+
+### `resource.keep_alive.max_idle_connections_per_host` [_resource_keep_alive_max_idle_connections_per_host]
+
+The maximum idle connections to keep per-host. If zero, defaults to two. Default: `0`.
+
+
+### `resource.keep_alive.idle_connection_timeout` [_resource_keep_alive_idle_connection_timeout]
+
+The maximum amount of time an idle connection will remain idle before closing itself. Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`. Zero means no limit. Default: `0s`.
+
+
+### `resource.retry.max_attempts` [_resource_retry_max_attempts]
+
+The maximum number of retries for the HTTP client. Default: `5`.
+
+
+### `resource.retry.wait_min` [_resource_retry_wait_min]
+
+The minimum time to wait before a retry is attempted. Default: `1s`.
+
+
+### `resource.retry.wait_max` [_resource_retry_wait_max]
+
+The maximum time to wait before a retry is attempted. Default: `60s`.
+
+
+### `resource.redirect.forward_headers` [_resource_redirect_forward_headers]
+
+When set to `true` request headers are forwarded in case of a redirect. Default: `false`.
+
+
+### `resource.redirect.headers_ban_list` [_resource_redirect_headers_ban_list]
+
+When `redirect.forward_headers` is set to `true`, all headers *except* the ones defined in this list will be forwarded. Default: `[]`.
+
+
+### `resource.redirect.max_redirects` [_resource_redirect_max_redirects]
+
+The maximum number of redirects to follow for a request. Default: `10`.
+
+
+### `resource.rate_limit.limit` [resource-rate-limit]
+
+The value of the response that specifies the maximum overall resource request rate.
+
+
+### `resource.rate_limit.burst` [_resource_rate_limit_burst]
+
+The maximum burst size. Burst is the maximum number of resource requests that can be made above the overall rate limit.
+
+
+### `resource.tracer.enable` [_resource_tracer_enable]
+
+It is possible to log HTTP requests and responses in a CEL program to a local file-system for debugging configurations. This option is enabled by setting `resource.tracer.enabled` to true and setting the `resource.tracer.filename` value. Additional options are available to tune log rotation behavior. To delete existing logs, set `resource.tracer.enabled` to false without unsetting the filename option.
+
+Enabling this option compromises security and should only be used for debugging.
+
+
+### `resource.tracer.filename` [_resource_tracer_filename]
+
+To differentiate the trace files generated from different input instances, a placeholder `*` can be added to the filename and will be replaced with the input instance id. For Example, `http-request-trace-*.ndjson`. Setting `resource.tracer.filename` with `resource.tracer.enable` set to false will cause any existing trace logs matching the filename option to be deleted.
+
+
+### `resource.tracer.maxsize` [_resource_tracer_maxsize]
+
+This value sets the maximum size, in megabytes, the log file will reach before it is rotated. By default logs are allowed to reach 1MB before rotation. Individual request/response bodies will be truncated to 10% of this size.
+
+
+### `resource.tracer.maxage` [_resource_tracer_maxage]
+
+This specifies the number days to retain rotated log files. If it is not set, log files are retained indefinitely.
+
+
+### `resource.tracer.maxbackups` [_resource_tracer_maxbackups]
+
+The number of old logs to retain. If it is not set all old logs are retained subject to the `resource.tracer.maxage` setting.
+
+
+### `resource.tracer.localtime` [_resource_tracer_localtime]
+
+Whether to use the host’s local time rather that UTC for timestamping rotated log file names.
+
+
+### `resource.tracer.compress` [_resource_tracer_compress]
+
+This determines whether rotated logs should be gzip compressed.
+
+
+### `redact` [cel-state-redact]
+
+During debug level logging, the `state` object and the resulting evaluation result are included in logs. This may result in leaking of secrets. In order to prevent this, fields may be redacted or deleted from the logged `state`. The `redact` configuration allows users to configure this field redaction behaviour. For safety reasons if the `redact` configuration is missing a warning is logged.
+
+In the case of no-required redaction an empty `redact.fields` configuration should be used to silence the logged warning.
+
+```yaml
+- type: cel
+  redact:
+    fields: ~
+```
+
+As an example, if a user-constructed Basic Authentication request is used in a CEL program the password can be redacted like so
+
+```yaml
+filebeat.inputs:
+- type: cel
+  resource.url: http://localhost:9200/_search
+  state:
+    user: user@domain.tld
+    password: P@$$W0₹D
+  redact:
+    fields:
+      - password
+    delete: true
+```
+
+Note that fields under the `auth` configuration hierarchy are not exposed to the `state` and so do not need to be redacted. For this reason it is preferable to use these for authentication over the request construction shown above where possible.
+
+
+### `redact.fields` [_redact_fields]
+
+This specifies fields in the `state` to be redacted prior to debug logging. Fields listed in this array will be either replaced with a `*` or deleted entirely from messages sent to debug logs.
+
+
+### `redact.delete` [_redact_delete]
+
+This specifies whether fields should be replaced with a `*` or deleted entirely from messages sent to debug logs. If delete is `true`, fields will be deleted rather than replaced.
+
+
+### `failure_dump.enabled` [_failure_dump_enabled]
+
+It is possible to log CEL program evaluation failures to a local file-system for debugging configurations. This option is enabled by setting `failure_dump.enabled` to true and setting the `failure_dump.filename` value. To delete existing failure dumps, set `failure_dump.enabled` to false without unsetting the filename option.
+
+Enabling this option compromises security and should only be used for debugging.
+
+
+### `failure_dump.filename` [_failure_dump_filename]
+
+This specifies a directory path to write failure dumps to. If it is not empty and a CEL program evaluation fails, the complete set of states for the CEL program’s evaluation will be written as a JSON file, along with the error that was reported. This option should only be used when debugging a failure as it imposes a significant performance impact on the input and may potentially use large quantities of memory to hold the full set of states. If a failure dump is configured, it is recommended that data input sizes be reduced to avoid excessive memory consumption, and making dumps that are intractable to analysis. To delete existing failure dumps, set `failure_dump.enabled` to false without unsetting the filename option.
+
+
+### `record_coverage` [cel-record-coverage]
+
+This specifies that CEL code evaluation coverage should be recorded and logged in debug logs. This is a developer-only option.
+
+
+## Metrics [_metrics_5]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the activity of the input.
+
+| Metric | Description |
+| --- | --- |
+| `resource` | URL or path of the input resource. |
+| `cel_executions` | Number times the CEL program has been executed. |
+| `batches_received_total` | Number of event arrays received. |
+| `events_received_total` | Number of events received. |
+| `batches_published_total` | Number of event arrays published. |
+| `events_published_total` | Number of events published. |
+| `cel_processing_time` | Histogram of the elapsed successful CEL program processing times in nanoseconds. |
+| `batch_processing_time` | Histogram of the elapsed successful batch processing times in nanoseconds (time of receipt to time of ACK for non-empty batches). |
+| `http_request_total` | Total number of processed requests. |
+| `http_request_errors_total` | Total number of request errors. |
+| `http_request_delete_total` | Total number of `DELETE` requests. |
+| `http_request_get_total` | Total number of `GET` requests. |
+| `http_request_head_total` | Total number of `HEAD` requests. |
+| `http_request_options_total` | Total number of `OPTIONS` requests. |
+| `http_request_patch_total` | Total number of `PATCH` requests. |
+| `http_request_post_total` | Total number of `POST` requests. |
+| `http_request_put_total` | Total number of `PUT` requests. |
+| `http_request_body_bytes_total` | Total of the requests body size. |
+| `http_request_body_bytes` | Histogram of the requests body size. |
+| `http_response_total` | Total number of responses received. |
+| `http_response_errors_total` | Total number of response errors. |
+| `http_response_1xx_total` | Total number of `1xx` responses. |
+| `http_response_2xx_total` | Total number of `2xx` responses. |
+| `http_response_3xx_total` | Total number of `3xx` responses. |
+| `http_response_4xx_total` | Total number of `4xx` responses. |
+| `http_response_5xx_total` | Total number of `5xx` responses. |
+| `http_response_body_bytes_total` | Total of the responses body size. |
+| `http_response_body_bytes` | Histogram of the responses body size. |
+| `http_round_trip_time` | Histogram of the round trip time. |
+
+
+## Developer tools [_developer_tools]
+
+A stand-alone CEL environment that implements the majority of the CEL input’s Comment Expression Language functionality is available in the [Elastic Mito](https://github.com/elastic/mito) repository. This tool may be used to help develop CEL programs to be used by the input. Installation is available from source by running `go install github.com/elastic/mito/cmd/mito@latest` and requires a Go toolchain.
+
+
+## Common options [filebeat-input-cel-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_4]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_4]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: cel
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-cel-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: cel
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-cel]
+
+If this option is set to true, the custom [fields](#filebeat-input-cel-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_4]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_4]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_4]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_4]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_4]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-cloudfoundry.md b/docs/reference/filebeat/filebeat-input-cloudfoundry.md
new file mode 100644
index 000000000000..30b4136d58e0
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-cloudfoundry.md
@@ -0,0 +1,167 @@
+---
+navigation_title: "Cloud Foundry"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cloudfoundry.html
+---
+
+# Cloud Foundry input [filebeat-input-cloudfoundry]
+
+
+Use the `cloudfoundry` input to get http access logs, container logs and error logs from Cloud Foundry. Connects to the Cloud Foundry loggregator to receive events.
+
+Example configurations:
+
+```yaml
+filebeat.inputs:
+- type: cloudfoundry
+  api_address: https://api.dev.cfdev.sh
+  client_id: uaa-filebeat
+  client_secret: verysecret
+  shard_id: filebeat
+  ssl:
+      verification_mode: none
+```
+
+```yaml
+filebeat.inputs:
+- type: cloudfoundry
+  api_address: https://api.dev.cfdev.sh
+  client_id: uaa-filebeat
+  client_secret: verysecret
+  shard_id: filebeat
+  ssl.certificate_authorities: ["/etc/pki/cf/ca.pem"]
+  ssl.certificate: "/etc/pki/cf/cert.pem"
+  ssl.key: "/etc/pki/cf/cert.key"
+```
+
+## Configuration options [_configuration_options_4]
+
+The `cloudfoundry` input supports the following configuration options plus the [Common options](#filebeat-input-cloudfoundry-common-options) described later.
+
+
+### `api_address` [_api_address]
+
+The URL of the Cloud Foundry API. Optional. Default: "http://api.bosh-lite.com".
+
+
+### `doppler_address` [_doppler_address]
+
+The URL of the Cloud Foundry Doppler Websocket. Optional. Default: "(value from ${api_address}/v2/info)".
+
+
+### `uaa_address` [_uaa_address]
+
+The URL of the Cloud Foundry UAA API. Optional. Default: "(value from ${api_address}/v2/info)".
+
+
+### `rlp_address` [_rlp_address]
+
+The URL of the Cloud Foundry RLP Gateway. Optional. Default: "(`log-stream` subdomain under the same domain as `api_server`)".
+
+
+### `client_id` [_client_id]
+
+Client ID to authenticate with Cloud Foundry. Default: "".
+
+
+### `client_secret` [_client_secret]
+
+Client Secret to authenticate with Cloud Foundry. Default: "".
+
+
+### `shard_id` [_shard_id]
+
+Shard ID for the connection with Cloud Foundry. Use the same ID across multiple filebeat to shard the load of events. Default: "(generated UUID)".
+
+
+### `version` [_version]
+
+Consumer API version to connect with Cloud Foundry to collect events. Use `v1` to collect events using Doppler/Traffic Control. Use `v2` to collect events from the RLP Gateway. Default: "`v1`".
+
+
+### `ssl` [_ssl]
+
+This specifies SSL/TLS common config. Default: not used.
+
+
+## Common options [filebeat-input-cloudfoundry-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_5]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_5]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: cloudfoundry
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-cloudfoundry-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: cloudfoundry
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-cloudfoundry]
+
+If this option is set to true, the custom [fields](#filebeat-input-cloudfoundry-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_5]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_5]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_5]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_5]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_5]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-cometd.md b/docs/reference/filebeat/filebeat-input-cometd.md
new file mode 100644
index 000000000000..cce3316d256f
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-cometd.md
@@ -0,0 +1,62 @@
+---
+navigation_title: "CometD"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cometd.html
+---
+
+# CometD input [filebeat-input-cometd]
+
+
+Use the `https://docs.cometd.org/[cometd]` input to stream the real-time events from a [Salesforce generic subscription Push Topic](https://resources.docs.salesforce.com/sfdc/pdf/api_streaming.pdf).
+
+This input can, for example, be used to receive Login and Logout events that are generated when users log in or out of the Salesforce instance.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: cometd
+  channel_name: /event/MyEventStream
+  auth.oauth2:
+    client.id: my-client-id
+    client.secret: my-client-secret
+    token_url: https://login.salesforce.com/services/oauth2/token
+    user: my.email@mail.com
+    password: my-password
+```
+
+## Configuration options [_configuration_options_5]
+
+The `cometd` input supports the following configuration options.
+
+
+### `channel_name` [_channel_name]
+
+Salesforce generic subscription Push Topic name. Required.
+
+
+### `auth.oauth2.client.id` [_auth_oauth2_client_id_2]
+
+The client ID used as part of the authentication flow. Required.
+
+
+### `auth.oauth2.client.secret` [_auth_oauth2_client_secret_2]
+
+The client secret used as part of the authentication flow. Required.
+
+
+### `auth.oauth2.token_url` [_auth_oauth2_token_url_2]
+
+The endpoint that will be used to generate the token during the oauth2 flow. Required.
+
+
+### `auth.oauth2.user` [_auth_oauth2_user_2]
+
+The user used as part of the authentication flow. It is required for authentication - grant type password. Required.
+
+
+### `auth.oauth2.password` [_auth_oauth2_password_2]
+
+The password used as part of the authentication flow. It is required for authentication - grant type password. Required.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-container.md b/docs/reference/filebeat/filebeat-input-container.md
new file mode 100644
index 000000000000..75695a0652f6
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-container.md
@@ -0,0 +1,600 @@
+---
+navigation_title: "Container"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-container.html
+---
+
+# Container input [filebeat-input-container]
+
+[7.16.0]
+
+The container input is just a preset for the [`log`](/reference/filebeat/filebeat-input-log.md) input. The [`log`](/reference/filebeat/filebeat-input-log.md) input has been deprecated since 7.16.0, therefore the container input is also deprecated. Please use the [`filestream`](/reference/filebeat/filebeat-input-filestream.md) input and its [`container`](/reference/filebeat/filebeat-input-filestream.md#filebeat-input-filestream-parsers-container) parser instead.
+
+Example configuration of using the [`container`](/reference/filebeat/filebeat-input-filestream.md#filebeat-input-filestream-parsers-container) parser with the [`filestream`](/reference/filebeat/filebeat-input-filestream.md) input:
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  id: unique-input-id <1>
+  prospector.scanner.symlinks: true <2>
+  parsers:
+    - container:
+        stream: stdout
+        format: docker
+  paths: <3>
+    - '/var/log/containers/*.log'
+```
+
+1. all [`filestream`](/reference/filebeat/filebeat-input-filestream.md) inputs require a [`unique ID`](/reference/filebeat/filebeat-input-filestream.md#filebeat-input-filestream-id).
+2. container logs use symlinks, so they need to be [`enabled`](/reference/filebeat/filebeat-input-filestream.md#filebeat-input-filestream-prospector-scanner-symlinks).
+3. `paths` is required.
+
+
+
+Due to deprecation of this input, it’s possible to use it only in combination with the `allow_deprecated_use: true` setting as a part of the input configuration.
+
+This input searches for container logs under the given path, and parse them into common message lines, extracting timestamps too. Everything happens before line filtering, multiline, and JSON decoding, so this input can be used in combination with those settings.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: container
+  paths: <1>
+    - '/var/log/containers/*.log'
+```
+
+1. `paths` is required. All other settings are optional.
+
+
+::::{note}
+*/var/log/containers/**.log* is normally a symlink to */var/log/pods/**/*/.log*, so above path can be edited accordingly
+::::
+
+
+## Configuration options [_configuration_options_6]
+
+The `container` input supports the following configuration options plus the [Common options](#filebeat-input-container-common-options) described later.
+
+### `stream` [_stream]
+
+Reads from the specified streams only: `all`, `stdout` or `stderr`. The default is `all`.
+
+
+### `format` [_format]
+
+Use the given format when reading the log file: `auto`, `docker` or `cri`. The default is `auto`, it will automatically detect the format. To disable autodetection set any of the other options.
+
+The following input configures Filebeat to read the `stdout` stream from all containers under the default Kubernetes logs path:
+
+```yaml
+- type: container
+  stream: stdout
+  paths:
+    - "/var/log/containers/*.log"
+```
+
+
+#### `encoding` [_encoding]
+
+The file encoding to use for reading data that contains international characters. See the encoding names [recommended by the W3C for use in HTML5](http://www.w3.org/TR/encoding/).
+
+Valid encodings:
+
+* `plain`: plain ASCII encoding
+* `utf-8` or `utf8`: UTF-8 encoding
+* `gbk`: simplified Chinese charaters
+* `iso8859-6e`: ISO8859-6E, Latin/Arabic
+* `iso8859-6i`: ISO8859-6I, Latin/Arabic
+* `iso8859-8e`: ISO8859-8E, Latin/Hebrew
+* `iso8859-8i`: ISO8859-8I, Latin/Hebrew
+* `iso8859-1`: ISO8859-1, Latin-1
+* `iso8859-2`: ISO8859-2, Latin-2
+* `iso8859-3`: ISO8859-3, Latin-3
+* `iso8859-4`: ISO8859-4, Latin-4
+* `iso8859-5`: ISO8859-5, Latin/Cyrillic
+* `iso8859-6`: ISO8859-6, Latin/Arabic
+* `iso8859-7`: ISO8859-7, Latin/Greek
+* `iso8859-8`: ISO8859-8, Latin/Hebrew
+* `iso8859-9`: ISO8859-9, Latin-5
+* `iso8859-10`: ISO8859-10, Latin-6
+* `iso8859-13`: ISO8859-13, Latin-7
+* `iso8859-14`: ISO8859-14, Latin-8
+* `iso8859-15`: ISO8859-15, Latin-9
+* `iso8859-16`: ISO8859-16, Latin-10
+* `cp437`: IBM CodePage 437
+* `cp850`: IBM CodePage 850
+* `cp852`: IBM CodePage 852
+* `cp855`: IBM CodePage 855
+* `cp858`: IBM CodePage 858
+* `cp860`: IBM CodePage 860
+* `cp862`: IBM CodePage 862
+* `cp863`: IBM CodePage 863
+* `cp865`: IBM CodePage 865
+* `cp866`: IBM CodePage 866
+* `ebcdic-037`: IBM CodePage 037
+* `ebcdic-1040`: IBM CodePage 1140
+* `ebcdic-1047`: IBM CodePage 1047
+* `koi8r`: KOI8-R, Russian (Cyrillic)
+* `koi8u`: KOI8-U, Ukranian (Cyrillic)
+* `macintosh`: Macintosh encoding
+* `macintosh-cyrillic`: Macintosh Cyrillic encoding
+* `windows1250`: Windows1250, Central and Eastern European
+* `windows1251`: Windows1251, Russian, Serbian (Cyrillic)
+* `windows1252`: Windows1252, Legacy
+* `windows1253`: Windows1253, Modern Greek
+* `windows1254`: Windows1254, Turkish
+* `windows1255`: Windows1255, Hebrew
+* `windows1256`: Windows1256, Arabic
+* `windows1257`: Windows1257, Estonian, Latvian, Lithuanian
+* `windows1258`: Windows1258, Vietnamese
+* `windows874`:  Windows874, ISO/IEC 8859-11, Latin/Thai
+* `utf-16-bom`: UTF-16 with required BOM
+* `utf-16be-bom`: big endian UTF-16 with required BOM
+* `utf-16le-bom`: little endian UTF-16 with required BOM
+
+The `plain` encoding is special, because it does not validate or transform any input.
+
+
+#### `exclude_lines` [filebeat-input-container-exclude-lines]
+
+A list of regular expressions to match the lines that you want Filebeat to exclude. Filebeat drops any lines that match a regular expression in the list. By default, no lines are dropped. Empty lines are ignored.
+
+If [multiline](/reference/filebeat/multiline-examples.md#multiline) settings are also specified, each multiline message is combined into a single line before the lines are filtered by `exclude_lines`.
+
+The following example configures Filebeat to drop any lines that start with `DBG`.
+
+```yaml
+filebeat.inputs:
+- type: container
+  ...
+  exclude_lines: ['^DBG']
+```
+
+See [Regular expression support](/reference/filebeat/regexp-support.md) for a list of supported regexp patterns.
+
+
+#### `include_lines` [filebeat-input-container-include-lines]
+
+A list of regular expressions to match the lines that you want Filebeat to include. Filebeat exports only the lines that match a regular expression in the list. By default, all lines are exported. Empty lines are ignored.
+
+If [multiline](/reference/filebeat/multiline-examples.md#multiline) settings also specified, each multiline message is combined into a single line before the lines are filtered by `include_lines`.
+
+The following example configures Filebeat to export any lines that start with `ERR` or `WARN`:
+
+```yaml
+filebeat.inputs:
+- type: container
+  ...
+  include_lines: ['^ERR', '^WARN']
+```
+
+::::{note}
+If both `include_lines` and `exclude_lines` are defined, Filebeat executes `include_lines` first and then executes `exclude_lines`. The order in which the two options are defined doesn’t matter. The `include_lines` option will always be executed before the `exclude_lines` option, even if `exclude_lines` appears before `include_lines` in the config file.
+::::
+
+
+The following example exports all log lines that contain `sometext`, except for lines that begin with `DBG` (debug messages):
+
+```yaml
+filebeat.inputs:
+- type: container
+  ...
+  include_lines: ['sometext']
+  exclude_lines: ['^DBG']
+```
+
+See [Regular expression support](/reference/filebeat/regexp-support.md) for a list of supported regexp patterns.
+
+
+#### `harvester_buffer_size` [_harvester_buffer_size]
+
+The size in bytes of the buffer that each harvester uses when fetching a file. The default is 16384.
+
+
+#### `max_bytes` [_max_bytes]
+
+The maximum number of bytes that a single log message can have. All bytes after `max_bytes` are discarded and not sent. This setting is especially useful for multiline log messages, which can get large. The default is 10MB (10485760).
+
+
+#### `json` [filebeat-input-container-config-json]
+
+These options make it possible for Filebeat to decode logs structured as JSON messages. Filebeat processes the logs line by line, so the JSON decoding only works if there is one JSON object per line.
+
+The decoding happens before line filtering and multiline. You can combine JSON decoding with filtering and multiline if you set the `message_key` option. This can be helpful in situations where the application logs are wrapped in JSON objects, as with like it happens for example with Docker.
+
+Example configuration:
+
+```yaml
+json.keys_under_root: true
+json.add_error_key: true
+json.message_key: log
+```
+
+You must specify at least one of the following settings to enable JSON parsing mode:
+
+**`keys_under_root`**
+:   By default, the decoded JSON is placed under a "json" key in the output document. If you enable this setting, the keys are copied top level in the output document. The default is false.
+
+**`overwrite_keys`**
+:   If `keys_under_root` and this setting are enabled, then the values from the decoded JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) in case of conflicts.
+
+**`expand_keys`**
+:   If this setting is enabled, Filebeat will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`. This setting should be enabled when the input is produced by an [ECS logger](https://github.com/elastic/ecs-logging).
+
+**`add_error_key`**
+:   If this setting is enabled, Filebeat adds a "error.message" and "error.type: json" key in case of JSON unmarshalling errors or when a `message_key` is defined in the configuration but cannot be used.
+
+**`message_key`**
+:   An optional configuration setting that specifies a JSON key on which to apply the line filtering and multiline settings. If specified the key must be at the top level in the JSON object and the value associated with the key must be a string, otherwise no filtering or multiline aggregation will occur.
+
+**`document_id`**
+:   Option configuration setting that specifies the JSON key to set the document id. If configured, the field will be removed from the original json document and stored in `@metadata._id`
+
+**`ignore_decoding_error`**
+:   An optional configuration setting that specifies if JSON decoding errors should be logged or not. If set to true, errors will not be logged. The default is false.
+
+
+#### `multiline` [_multiline_2]
+
+Options that control how Filebeat deals with log messages that span multiple lines. See [Multiline messages](/reference/filebeat/multiline-examples.md) for more information about configuring multiline options.
+
+
+#### `exclude_files` [filebeat-input-container-exclude-files]
+
+A list of regular expressions to match the files that you want Filebeat to ignore. By default no files are excluded.
+
+The following example configures Filebeat to ignore all the files that have a `gz` extension:
+
+```yaml
+filebeat.inputs:
+- type: container
+  ...
+  exclude_files: ['\.gz$']
+```
+
+See [Regular expression support](/reference/filebeat/regexp-support.md) for a list of supported regexp patterns.
+
+
+#### `ignore_older` [filebeat-input-container-ignore-older]
+
+If this option is enabled, Filebeat ignores any files that were modified before the specified timespan. Configuring `ignore_older` can be especially useful if you keep log files for a long time. For example, if you want to start Filebeat, but only want to send the newest files and files from last week, you can configure this option.
+
+You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is 0, which disables the setting. Commenting out the config has the same effect as setting it to 0.
+
+::::{important}
+You must set `ignore_older` to be greater than `close_inactive`.
+::::
+
+
+The files affected by this setting fall into two categories:
+
+* Files that were never harvested
+* Files that were harvested but weren’t updated for longer than `ignore_older`
+
+For files which were never seen before, the offset state is set to the end of the file. If a state already exist, the offset is not changed. In case a file is updated again later, reading continues at the set offset position.
+
+The `ignore_older` setting relies on the modification time of the file to determine if a file is ignored. If the modification time of the file is not updated when lines are written to a file (which can happen on Windows), the `ignore_older` setting may cause Filebeat to ignore files even though content was added at a later time.
+
+To remove the state of previously harvested files from the registry file, use the `clean_inactive` configuration option.
+
+Before a file can be ignored by Filebeat, the file must be closed. To ensure a file is no longer being harvested when it is ignored, you must set `ignore_older` to a longer duration than `close_inactive`.
+
+If a file that’s currently being harvested falls under `ignore_older`, the harvester will first finish reading the file and close it after `close_inactive` is reached. Then, after that, the file will be ignored.
+
+
+#### `close_*` [filebeat-input-container-close-options]
+
+The `close_*` configuration options are used to close the harvester after a certain criteria or time. Closing the harvester means closing the file handler. If a file is updated after the harvester is closed, the file will be picked up again after `scan_frequency` has elapsed. However, if the file is moved or deleted while the harvester is closed, Filebeat will not be able to pick up the file again, and any data that the harvester hasn’t read will be lost. The `close_*` settings are applied synchronously when Filebeat attempts to read from a file, meaning that if Filebeat is in a blocked state due to blocked output, full queue or other issue, a file that would otherwise be closed remains open until Filebeat once again attempts to read from the file.
+
+
+#### `close_inactive` [filebeat-input-container-close-inactive]
+
+When this option is enabled, Filebeat closes the file handle if a file has not been harvested for the specified duration. The counter for the defined period starts when the last log line was read by the harvester. It is not based on the modification time of the file. If the closed file changes again, a new harvester is started and the latest changes will be picked up after `scan_frequency` has elapsed.
+
+We recommended that you set `close_inactive` to a value that is larger than the least frequent updates to your log files. For example, if your log files get updated every few seconds, you can safely set `close_inactive` to `1m`. If there are log files with very different update rates, you can use multiple configurations with different values.
+
+Setting `close_inactive` to a lower value means that file handles are closed sooner. However this has the side effect that new log lines are not sent in near real time if the harvester is closed.
+
+The timestamp for closing a file does not depend on the modification time of the file. Instead, Filebeat uses an internal timestamp that reflects when the file was last harvested. For example, if `close_inactive` is set to 5 minutes, the countdown for the 5 minutes starts after the harvester reads the last line of the file.
+
+You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is 5m.
+
+
+#### `close_renamed` [filebeat-input-container-close-renamed]
+
+::::{warning}
+Only use this option if you understand that data loss is a potential side effect.
+::::
+
+
+When this option is enabled, Filebeat closes the file handler when a file is renamed. This happens, for example, when rotating files. By default, the harvester stays open and keeps reading the file because the file handler does not depend on the file name. If the `close_renamed` option is enabled and the file is renamed or moved in such a way that it’s no longer matched by the file patterns specified for the path, the file will not be picked up again. Filebeat will not finish reading the file.
+
+Do not use this option when `path` based `file_identity` is configured. It does not make sense to enable the option, as Filebeat cannot detect renames using path names as unique identifiers.
+
+WINDOWS: If your Windows log rotation system shows errors because it can’t rotate the files, you should enable this option.
+
+
+#### `close_removed` [filebeat-input-container-close-removed]
+
+When this option is enabled, Filebeat closes the harvester when a file is removed. Normally a file should only be removed after it’s inactive for the duration specified by `close_inactive`. However, if a file is removed early and you don’t enable `close_removed`, Filebeat keeps the file open to make sure the harvester has completed. If this setting results in files that are not completely read because they are removed from disk too early, disable this option.
+
+This option is enabled by default. If you disable this option, you must also disable `clean_removed`.
+
+WINDOWS: If your Windows log rotation system shows errors because it can’t rotate files, make sure this option is enabled.
+
+
+#### `close_eof` [filebeat-input-container-close-eof]
+
+::::{warning}
+Only use this option if you understand that data loss is a potential side effect.
+::::
+
+
+When this option is enabled, Filebeat closes a file as soon as the end of a file is reached. This is useful when your files are only written once and not updated from time to time. For example, this happens when you are writing every single log event to a new file. This option is disabled by default.
+
+
+#### `close_timeout` [filebeat-input-container-close-timeout]
+
+::::{warning}
+Only use this option if you understand that data loss is a potential side effect. Another side effect is that multiline events might not be completely sent before the timeout expires.
+::::
+
+
+When this option is enabled, Filebeat gives every harvester a predefined lifetime. Regardless of where the reader is in the file, reading will stop after the `close_timeout` period has elapsed. This option can be useful for older log files when you want to spend only a predefined amount of time on the files. While `close_timeout` will close the file after the predefined timeout, if the file is still being updated, Filebeat will start a new harvester again per the defined `scan_frequency`. And the close_timeout for this harvester will start again with the countdown for the timeout.
+
+This option is particularly useful in case the output is blocked, which makes Filebeat keep open file handlers even for files that were deleted from the disk. Setting `close_timeout` to `5m` ensures that the files are periodically closed so they can be freed up by the operating system.
+
+If you set `close_timeout` to equal `ignore_older`, the file will not be picked up if it’s modified while the harvester is closed. This combination of settings normally leads to data loss, and the complete file is not sent.
+
+When you use `close_timeout` for logs that contain multiline events, the harvester might stop in the middle of a multiline event, which means that only parts of the event will be sent. If the harvester is started again and the file still exists, only the second part of the event will be sent.
+
+This option is set to 0 by default which means it is disabled.
+
+
+#### `clean_*` [filebeat-input-container-clean-options]
+
+The `clean_*` options are used to clean up the state entries in the registry file. These settings help to reduce the size of the registry file and can prevent a potential [inode reuse issue](/reference/filebeat/inode-reuse-issue.md).
+
+
+#### `clean_inactive` [filebeat-input-container-clean-inactive]
+
+::::{warning}
+Only use this option if you understand that data loss is a potential side effect.
+::::
+
+
+When this option is enabled, Filebeat removes the state of a file after the specified period of inactivity has elapsed. The  state can only be removed if the file is already ignored by Filebeat (the file is older than `ignore_older`). The `clean_inactive` setting must be greater than `ignore_older + scan_frequency` to make sure that no states are removed while a file is still being harvested. Otherwise, the setting could result in Filebeat resending the full content constantly because  `clean_inactive` removes state for files that are still detected by Filebeat. If a file is updated or appears again, the file is read from the beginning.
+
+The `clean_inactive` configuration option is useful to reduce the size of the registry file, especially if a large amount of new files are generated every day.
+
+This config option is also useful to prevent Filebeat problems resulting from inode reuse on Linux. For more information, see [Inode reuse causes Filebeat to skip lines](/reference/filebeat/inode-reuse-issue.md).
+
+::::{note}
+Every time a file is renamed, the file state is updated and the counter for `clean_inactive` starts at 0 again.
+::::
+
+
+::::{tip}
+During testing, you might notice that the registry contains state entries that should be removed based on the `clean_inactive` setting. This happens because Filebeat doesn’t remove the entries until it opens the registry again to read a different file. If you are testing the `clean_inactive` setting, make sure Filebeat is configured to read from more than one file, or the file state will never be removed from the registry.
+::::
+
+
+
+#### `clean_removed` [filebeat-input-container-clean-removed]
+
+When this option is enabled, Filebeat cleans files from the registry if they cannot be found on disk anymore under the last known name. This means also files which were renamed after the harvester was finished will be removed. This option is enabled by default.
+
+If a shared drive disappears for a short period and appears again, all files will be read again from the beginning because the states were removed from the registry file. In such cases, we recommend that you disable the `clean_removed` option.
+
+You must disable this option if you also disable `close_removed`.
+
+
+#### `scan_frequency` [filebeat-input-container-scan-frequency]
+
+How often Filebeat checks for new files in the paths that are specified for harvesting. For example, if you specify a glob like `/var/log/*`, the directory is scanned for files using the frequency specified by `scan_frequency`. Specify 1s to scan the directory as frequently as possible without causing Filebeat to scan too frequently. We do not recommend to set this value `<1s`.
+
+If you require log lines to be sent in near real time do not use a very low `scan_frequency` but adjust `close_inactive` so the file handler stays open and constantly polls your files.
+
+The default setting is 10s.
+
+
+#### `scan.sort` [filebeat-input-container-scan-sort]
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+If you specify a value other than the empty string for this setting you can determine whether to use ascending or descending order using `scan.order`. Possible values are `modtime` and `filename`. To sort by file modification time, use `modtime`, otherwise use `filename`. Leave this option empty to disable it.
+
+If you specify a value for this setting, you can use `scan.order` to configure whether files are scanned in ascending or descending order.
+
+The default setting is disabled.
+
+
+#### `scan.order` [filebeat-input-container-scan-order]
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+Specifies whether to use ascending or descending order when `scan.sort` is set to a value other than none. Possible values are `asc` or `desc`.
+
+The default setting is `asc`.
+
+
+#### `tail_files` [_tail_files]
+
+If this option is set to true, Filebeat starts reading new files at the end of each file instead of the beginning. When this option is used in combination with log rotation, it’s possible that the first log entries in a new file might be skipped. The default setting is false.
+
+This option applies to files that Filebeat has not already processed. If you ran Filebeat previously and the state of the file was already persisted, `tail_files` will not apply. Harvesting will continue at the previous offset. To apply `tail_files` to all files, you must stop Filebeat and remove the registry file. Be aware that doing this removes ALL previous states.
+
+::::{note}
+You can use this setting to avoid indexing old log lines when you run Filebeat on a set of log files for the first time. After the first run, we recommend disabling this option, or you risk losing lines during file rotation.
+::::
+
+
+
+#### `symlinks` [_symlinks]
+
+The `symlinks` option allows Filebeat to harvest symlinks in addition to regular files. When harvesting symlinks, Filebeat opens and reads the original file even though it reports the path of the symlink.
+
+When you configure a symlink for harvesting, make sure the original path is excluded. If a single input is configured to harvest both the symlink and the original file, Filebeat will detect the problem and only process the first file it finds. However, if two different inputs are configured (one to read the symlink and the other the original path), both paths will be harvested, causing Filebeat to send duplicate data and the inputs to overwrite each other’s state.
+
+The `symlinks` option can be useful if symlinks to the log files have additional metadata in the file name, and you want to process the metadata in Logstash. This is, for example, the case for Kubernetes log files.
+
+Because this option may lead to data loss, it is disabled by default.
+
+
+#### `backoff` [_backoff]
+
+The backoff options specify how aggressively Filebeat crawls open files for updates. You can use the default values in most cases.
+
+The `backoff` option defines how long Filebeat waits before checking a file again after EOF is reached. The default is 1s, which means the file is checked every second if new lines were added. This enables near real-time crawling. Every time a new line appears in the file, the `backoff` value is reset to the initial value. The default is 1s.
+
+
+#### `max_backoff` [_max_backoff]
+
+The maximum time for Filebeat to wait before checking a file again after EOF is reached. After having backed off multiple times from checking the file, the wait time will never exceed `max_backoff` regardless of what is specified for  `backoff_factor`. Because it takes a maximum of 10s to read a new line, specifying 10s for `max_backoff` means that, at the worst, a new line could be added to the log file if Filebeat has backed off multiple times. The default is 10s.
+
+Requirement: Set `max_backoff` to be greater than or equal to `backoff` and less than or equal to `scan_frequency` (`backoff <= max_backoff <= scan_frequency`). If `max_backoff` needs to be higher, it is recommended to close the file handler instead and let Filebeat pick up the file again.
+
+
+#### `backoff_factor` [_backoff_factor]
+
+This option specifies how fast the waiting time is increased. The bigger the backoff factor, the faster the `max_backoff` value is reached. The backoff factor increments exponentially. The minimum value allowed is 1. If this value is set to 1, the backoff algorithm is disabled, and the `backoff` value is used for waiting for new lines. The `backoff` value will be multiplied each time with the `backoff_factor` until `max_backoff` is reached. The default is 2.
+
+
+#### `harvester_limit` [filebeat-input-container-harvester-limit]
+
+The `harvester_limit` option limits the number of harvesters that are started in parallel for one input. This directly relates to the maximum number of file handlers that are opened. The default for `harvester_limit` is 0, which means there is no limit. This configuration is useful if the number of files to be harvested exceeds the open file handler limit of the operating system.
+
+Setting a limit on the number of harvesters means that potentially not all files are opened in parallel. Therefore we recommended that you use this option in combination with the `close_*` options to make sure harvesters are stopped more often so that new files can be picked up.
+
+Currently if a new harvester can be started again, the harvester is picked randomly. This means it’s possible that the harvester for a file that was just closed and then updated again might be started instead of the harvester for a file that hasn’t been harvested for a longer period of time.
+
+This configuration option applies per input. You can use this option to indirectly set higher priorities on certain inputs by assigning a higher limit of harvesters.
+
+
+#### `file_identity` [_file_identity]
+
+Different `file_identity` methods can be configured to suit the environment where you are collecting log messages.
+
+**`native`**
+:   The default behaviour of Filebeat is to differentiate between files using their inodes and device ids.
+
+```yaml
+file_identity.native: ~
+```
+
+**`path`**
+:   To identify files based on their paths use this strategy.
+
+::::{warning}
+Only use this strategy if your log files are rotated to a folder outside of the scope of your input or not at all. Otherwise you end up with duplicated events.
+::::
+
+
+::::{warning}
+This strategy does not support renaming files. If an input file is renamed, Filebeat will read it again if the new path matches the settings of the input.
+::::
+
+
+```yaml
+file_identity.path: ~
+```
+
+**`inode_marker`**
+:   If the device id changes from time to time, you must use this method to distinguish files. This option is not supported on Windows.
+
+Set the location of the marker file the following way:
+
+```yaml
+file_identity.inode_marker.path: /logs/.filebeat-marker
+```
+
+
+
+## Common options [filebeat-input-container-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_6]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_6]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: container
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-container-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: container
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-container]
+
+If this option is set to true, the custom [fields](#filebeat-input-container-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_6]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_6]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_6]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_6]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_6]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-entity-analytics.md b/docs/reference/filebeat/filebeat-input-entity-analytics.md
new file mode 100644
index 000000000000..3795f4b79e96
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-entity-analytics.md
@@ -0,0 +1,992 @@
+---
+navigation_title: "Entity Analytics"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-entity-analytics.html
+---
+
+# Entity Analytics Input [filebeat-input-entity-analytics]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The Entity Analytics input collects identity assets, such as users, from external identity providers.
+
+The following identity providers are supported:
+
+* [Active Directory (`activedirectory`)](#provider-activedirectory)
+* [Azure Active Directory (`azure-ad`)](#provider-azure-ad)
+* [Jamf Computer Management (`jamf`)](#provider-jamf)
+* [Okta User Identities (`okta`)](#provider-okta)
+
+## Configuration options [_configuration_options_7]
+
+The `entity-analytics` input supports the following configuration options plus the [Common options](#filebeat-input-entity-analytics-common-options) described later.
+
+
+### `provider` [_provider_2]
+
+The identity provider. Must be one of: `activedirectory`, `azure-ad` or `okta`.
+
+
+## Common options [filebeat-input-entity-analytics-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_7]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_7]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: entity-analytics
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-entity-analytics-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: entity-analytics
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-entity-analytics]
+
+If this option is set to true, the custom [fields](#filebeat-input-entity-analytics-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_7]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_7]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_7]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_7]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_7]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
+## Providers [_providers]
+
+
+## Active Directory (`activedirectory`) [provider-activedirectory]
+
+The `activedirectory` provider allows the input to retrieve users, with group memberships, from Active Directory.
+
+
+### Setup [_setup]
+
+A user with appropriate permissions must be set up in the Active Directory Server Manager in order for the provider to function properly.
+
+
+### How It Works [_how_it_works]
+
+
+#### Overview [_overview]
+
+The Active Directory provider periodically queries the Active Directory server, retrieving updates for users and groups, updates its internal cache of user and group metadata and group membership information, and ships updated user metadata to Elasticsearch.
+
+Fetching and shipping updates occurs in one of two processes: **full synchronizations** and **incremental updates**. Full synchronizations will send the entire list of users and group membership in state, along with write markers to indicate the start and end of the synchronization event. Incremental updates will only send data for changed users during that event. Changes on a user can come in many forms, whether it be a change to the user metadata, a user was added or modified, or group membership was changed.
+
+
+#### Sending User and Device Metadata to Elasticsearch [_sending_user_and_device_metadata_to_elasticsearch]
+
+During a full synchronization, all users and groups stored in state will be sent to the output, while incremental updates will only send users and group that have been updated. Full synchronizations will be bounded on either side by write marker documents, which will look something like this:
+
+```json
+{
+    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
+    "event": {
+        "action": "started",
+        "start": "2022-11-04T09:57:19.786056-05:00"
+    },
+    "labels": {
+        "identity_source": "activedirectory-1"
+    }
+}
+```
+
+User documents will show the current state of the user.
+
+Example user document:
+
+```json
+{
+    "@timestamp": "2024-02-05T06:37:40.876026-05:00",
+    "event": {
+        "action": "user-discovered",
+    },
+    "activedirectory": {
+        "id": "CN=Guest,CN=Users,DC=testserver,DC=local",
+        "user": {
+            "accountExpires": "2185-07-21T23:34:33.709551516Z",
+            "badPasswordTime": "0",
+            "badPwdCount": "0",
+            "cn": "Guest",
+            "codePage": "0",
+            "countryCode": "0",
+            "dSCorePropagationData": [
+                "2024-01-22T06:37:40Z",
+                "1601-01-01T00:00:01Z"
+            ],
+            "description": "Built-in account for guest access to the computer/domain",
+            "distinguishedName": "CN=Guest,CN=Users,DC=testserver,DC=local",
+            "instanceType": "4",
+            "isCriticalSystemObject": true,
+            "lastLogoff": "0",
+            "lastLogon": "2185-07-21T23:34:33.709551616Z",
+            "logonCount": "0",
+            "memberOf": "CN=Guests,CN=Builtin,DC=testserver,DC=local",
+            "name": "Guest",
+            "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=testserver,DC=local",
+            "objectClass": [
+                "top",
+                "person",
+                "organizationalPerson",
+                "user"
+            ],
+            "objectGUID": "hSt/40XJQU6cf+J2XoYMHw==",
+            "objectSid": "AQUAAAAAAAUVAAAA0JU2Fq1k30YZ7UPx9QEAAA==",
+            "primaryGroupID": "514",
+            "pwdLastSet": "2185-07-21T23:34:33.709551616Z",
+            "sAMAccountName": "Guest",
+            "sAMAccountType": "805306368",
+            "uSNChanged": "8197",
+            "uSNCreated": "8197",
+            "userAccountControl": "66082",
+            "whenChanged": "2024-01-22T06:36:59Z",
+            "whenCreated": "2024-01-22T06:36:59Z"
+        },
+        "whenChanged": "2024-01-22T06:36:59Z"
+    },
+    "user": {
+        "id": "CN=Guest,CN=Users,DC=testserver,DC=local"
+    },
+    "labels": {
+        "identity_source": "activedirectory-1"
+    }
+}
+```
+
+
+### Configuration [_configuration_2]
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: entity-analytics
+  enabled: true
+  id: activedirectory-1
+  provider: activedirectory
+  sync_interval: "12h"
+  update_interval: "30m"
+  ad_url: "ldaps://host.domain.tld"
+  ad_base_dn: "CN=Users,DC=SERVER,DC=DOMAIN"
+  ad_user: "USERNAME"
+  ad_password: "PASSWORD"
+```
+
+The `azure-ad` provider supports the following configuration:
+
+
+#### `ad_url` [_ad_url]
+
+The Active Directory server URL. Field is required.
+
+
+#### `ad_base_dn` [_ad_base_dn]
+
+The Active Directory Base Distinguished Name. Field is required.
+
+
+#### `ad_user` [_ad_user]
+
+The client user name. Used for authentication. The user must have Active Directory read access. Field is required.
+
+
+#### `user_attributes` [_user_attributes]
+
+The set of directory attributes to request from the Active Directory server when collecting user data. If not set, all user attributes are requested. If set, only listed attributes are requested, including `distinguishedDomain` and `whenChanged`. Note that the Active Directory attribute names are used.
+
+
+#### `group_attributes` [_group_attributes]
+
+The set of directory attributes to request from the Active Directory server when collecting group data. If not set, all group attributes are requested. If set, only listed attributes are requested, including `distinguishedDomain` and `whenChanged`. Note that the Active Directory attribute names are used.
+
+
+#### `ad_paging_size` [_ad_paging_size]
+
+The number of records to request from the Active Directory server for each page, if set.
+
+
+#### `ad_password` [_ad_password]
+
+The client’s password, used for authentication. Field is required.
+
+
+#### `sync_interval` [_sync_interval]
+
+The interval in which full synchronizations should occur. The interval must be longer than the update interval (`update_interval`) Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to `24h` (24 hours).
+
+
+#### `update_interval` [_update_interval]
+
+The interval in which incremental updates should occur. The interval must be shorter than the full synchronization interval (`sync_interval`). Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to `15m` (15 minutes).
+
+
+## Azure Active Directory (`azure-ad`) [provider-azure-ad]
+
+The `azure-ad` provider allows the input to retrieve users, with group memberships, from Azure Active Directory (AD).
+
+
+### Setup [_setup_2]
+
+The necessary API permissions need to be granted in Azure in order for the provider to function properly:
+
+| Permission | Type |
+| --- | --- |
+| GroupMember.Read.All | Application |
+| User.Read.All | Application |
+| Device.Read.All | Application |
+
+For a full guide on how to set up the necessary App Registration, permission granting, and secret configuration, follow this [guide](https://learn.microsoft.com/en-us/graph/auth-v2-service).
+
+
+### How It Works [_how_it_works_2]
+
+
+#### Overview [_overview_2]
+
+The Azure AD provider periodically contacts Azure Active Directory, retrieving updates for users, devices and groups, updates its internal cache of user and device metadata and group membership information, and ships updated user metadata to Elasticsearch.
+
+Fetching and shipping updates occurs in one of two processes: **full synchronizations** and **incremental updates**. Full synchronizations will send the entire list of users and devices in state, along with write markers to indicate the start and end of the synchronization event. Incremental updates will only send data for changed users and devices during that event. Changes on a user or device can come in many forms, whether it be a change to the user or device metadata, a user/device was added or deleted, or group membership was changed (either direct or transitive).
+
+
+#### API Interactions [_api_interactions]
+
+The provider periodically retrieves changes to user, device and group metadata from the Microsoft Graph API for Azure Active Directory. This is done through calls to three API endpoints:
+
+* [/users/delta](https://learn.microsoft.com/en-us/graph/api/user-delta?view=graph-rest-1.0&tabs=http)
+* [/devices/delta](https://learn.microsoft.com/en-us/graph/api/device-delta?view=graph-rest-1.0&tabs=http)
+* [/groups/delta](https://learn.microsoft.com/en-us/graph/api/group-delta?view=graph-rest-1.0&tabs=http)
+
+The `/delta` endpoint will provide changes that have occurred since the last call, with state being tracked through a delta token. If the /delta endpoint is called without a delta token, it will provide a full listing of users, devices or groups, similar to the non-delta endpoint. Since many results may be returned, there is a paging mechanism that is used. In the response body, there are two fields that may appear, `@odata.nextLink` and `@odata.deltaLink`.
+
+* If a `@odata.nextLink` is returned, then there are more results to fetch, and the value of this field will contain the URL which should be immediately fetched.
+* If a `@odata.deltaLink` is returned, then there are currently no more results, and the value of this field (a URL) should be saved for the next time updates need to be fetched (the delta token).
+
+The group metadata will be used to enrich users and devices with group membership information. Direct memberships, along with transitive memberships, will be provided for users and devices.
+
+
+#### Sending User and Device Metadata to Elasticsearch [_sending_user_and_device_metadata_to_elasticsearch_2]
+
+During a full synchronization, all users and devices stored in state will be sent to the output, while incremental updates will only send users which have been updated. Full synchronizations will be bounded on either side by write marker documents, which will look something like this:
+
+```json
+{
+    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
+    "event": {
+        "action": "started",
+        "start": "2022-11-04T09:57:19.786056-05:00"
+    },
+    "labels": {
+        "identity_source": "azure-1"
+    }
+}
+```
+
+User documents will show the current state of the user.
+
+Example user document:
+
+```json
+{
+    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
+    "event": {
+        "action": "user-discovered",
+    },
+    "azure_ad": {
+        "userPrincipalName": "example.user@example.com",
+        "mail": "example.user@example.com",
+        "displayName": "Example User",
+        "givenName": "Example",
+        "surname": "User",
+        "jobTitle": "Software Engineer",
+        "mobilePhone": "123-555-1000",
+        "businessPhones": ["123-555-0122"]
+    },
+    "user": {
+        "id": "5ebc6a0f-05b7-4f42-9c8a-682bbc75d0fc",
+        "group": [
+            {
+                "id": "331676df-b8fd-4492-82ed-02b927f8dd80",
+                "name": "group1"
+            },
+            {
+                "id": "d140978f-d641-4f01-802f-4ecc1acf8935",
+                "name": "group2"
+            }
+        ]
+    },
+    "labels": {
+        "identity_source": "azure-1"
+    }
+}
+```
+
+Device documents will show the current state of the device.
+
+Example device document:
+
+```json
+{
+    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
+    "event": {
+        "action": "device-discovered",
+    },
+    "azure_ad": {
+        "accountEnabled": true,
+        "deviceId": "2fbbb8f9-ff67-4a21-b867-a344d18a4198",
+        "displayName": "DESKTOP-LETW452G",
+        "operatingSystem": "Windows",
+        "operatingSystemVersion": "10.0.19043.1337",
+        "physicalIds": {
+            "extensionAttributes": {
+                "extensionAttribute1": "BYOD-Device"
+            }
+        },
+        "alternativeSecurityIds": [
+            {
+                "type": 2,
+                "identityProvider": null,
+                "key": "DGFSGHSGGTH345A...35DSFH0A"
+            },
+        ]
+    },
+    "device": {
+        "id": "adbbe40a-0627-4328-89f1-88cac84dbc7f",
+        "group": [
+            {
+                "id": "331676df-b8fd-4492-82ed-02b927f8dd80",
+                "name": "group1"
+            }
+        ]
+        "registered_owners": [
+            {
+                "id": "5ebc6a0f-05b7-4f42-9c8a-682bbc75d0fc",
+                "userPrincipalName": "example.user@example.com",
+                "mail": "example.user@example.com",
+                "displayName": "Example User",
+                "givenName": "Example",
+                "surname": "User",
+                "jobTitle": "Software Engineer",
+                "mobilePhone": "123-555-1000",
+                "businessPhones": ["123-555-0122"]
+            },
+        ],
+        "registered_users": [
+            {
+                "id": "5ebc6a0f-05b7-4f42-9c8a-682bbc75d0fc",
+                "userPrincipalName": "example.user@example.com",
+                "mail": "example.user@example.com",
+                "displayName": "Example User",
+                "givenName": "Example",
+                "surname": "User",
+                "jobTitle": "Software Engineer",
+                "mobilePhone": "123-555-1000",
+                "businessPhones": ["123-555-0122"]
+            },
+        ],
+    },
+    "labels": {
+        "identity_source": "azure-1"
+    }
+}
+```
+
+
+### Configuration [_configuration_3]
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: entity-analytics
+  enabled: true
+  id: azure-1
+  provider: azure-ad
+  dataset: "all"
+  sync_interval: "12h"
+  update_interval: "30m"
+  client_id: "CLIENT_ID"
+  tenant_id: "TENANT_ID"
+  secret: "SECRET"
+```
+
+The `azure-ad` provider supports the following configuration:
+
+
+#### `tenant_id` [_tenant_id]
+
+The Tenant ID. Field is required.
+
+
+#### `client_id` [_client_id_2]
+
+The client/application ID. Used for authentication. Field is required.
+
+
+#### `secret` [_secret]
+
+The secret value, used for authentication. Field is required.
+
+
+#### `dataset` [_dataset]
+
+The datasets to collect from the API. This can be one of "all", "users" or "devices", or may be left empty for the default behavior which is to collect all entities. When the `dataset` is set to "devices", some user entity data is collected in order to populate the registered users and registered owner fields for each device.
+
+
+#### `sync_interval` [_sync_interval_2]
+
+The interval in which full synchronizations should occur. The interval must be longer than the update interval (`update_interval`) Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to `24h` (24 hours).
+
+
+#### `update_interval` [_update_interval_2]
+
+The interval in which incremental updates should occur. The interval must be shorter than the full synchronization interval (`sync_interval`). Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to `15m` (15 minutes).
+
+
+#### `login_endpoint` [_login_endpoint]
+
+Override the default authentication login endpoint. Only change if directed to do so. Altering this value will also require a change to `login_scopes`.
+
+
+#### `login_scopes` [_login_scopes]
+
+Override the default authentication scopes. Only change if directed to do so.
+
+
+#### `select.users` [_select_users]
+
+Override the default [user query selections](https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http#optional-query-parameters). This is a list of optional query parameters. The default is `["accountEnabled", "userPrincipalName", "mail", "displayName", "givenName", "surname", "jobTitle", "officeLocation", "mobilePhone", "businessPhones"]`.
+
+
+#### `select.groups` [_select_groups]
+
+Override the default [group query selections](https://learn.microsoft.com/en-us/graph/api/group-get?view=graph-rest-1.0&tabs=http#optional-query-parameters). This is a list of optional query parameters. The default is `["displayName", "members"]`.
+
+
+#### `select.devices` [_select_devices]
+
+Override the default [device query selections](https://learn.microsoft.com/en-us/graph/api/device-get?view=graph-rest-1.0&tabs=http#optional-query-parameters). This is a list of optional query parameters. The default is `["accountEnabled", "deviceId", "displayName", "operatingSystem", "operatingSystemVersion", "physicalIds", "extensionAttributes", "alternativeSecurityIds"]`.
+
+
+### `tracer.enabled` [_tracer_enabled]
+
+It is possible to log HTTP requests and responses to the EntraID API to a local file-system for debugging configurations. This option is enabled by setting `tracer.enabled` to true and setting the `tracer.filename` value. Additional options are available to tune log rotation behavior. To delete existing logs, set `tracer.enabled` to false without unsetting the filename option.
+
+Enabling this option compromises security and should only be used for debugging.
+
+
+### `tracer.filename` [_tracer_filename]
+
+To differentiate the trace files generated from different input instances, a placeholder `*` can be added to the filename and will be replaced with the input instance id. For Example, `http-request-trace-*.ndjson`.
+
+
+## Jamf Computer Management (`jamf`) [provider-jamf]
+
+The `jamf` provider allows the input to retrieve computer records from the Jamf API.
+
+
+### How It Works [_how_it_works_3]
+
+
+#### Overview [_overview_3]
+
+The Jamf provider periodically contacts the Jamf API, retrieving updates for computers, updates its internal cache of managed computer metadata, and ships updated metadata to Elasticsearch.
+
+Fetching and shipping updates occurs in one of two processes: **full synchronizations** and **incremental updates**. Full synchronizations will send the entire list of computers in state, along with write markers to indicate the start and end of the synchronization event. Incremental updates will only send data for changed computers records during that event. Changes on a user or device can come in many forms, whether it be a change to the user’s metadata, or a user was added or deleted.
+
+
+#### API Interactions [_api_interactions_2]
+
+The provider periodically retrieves changes to user/device metadata from the Jamf computers-preview API. This is done through calls to:
+
+* [/api/preview/computers](https://developer.jamf.com/jamf-pro/reference/get_preview-computers)
+
+Updates are tracked by the provider by retaining a record of the time of the last noted update in the returned user list. During provider updates the Jamf provider makes use of the Jamf API’s query filtering to only request records updated at or since the provider’s recorded last update.
+
+
+#### Sending Computer Metadata to Elasticsearch [_sending_computer_metadata_to_elasticsearch]
+
+During a full synchronization, all users/devices stored in state will be sent to the output, while incremental updates will only send users and devices that have been updated. Full synchronizations will be bounded on either side by write marker documents, which will look something like this:
+
+```json
+{
+    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
+    "event": {
+        "action": "started",
+        "start": "2022-11-04T09:57:19.786056-05:00"
+    },
+    "labels": {
+        "identity_source": "jamf-1"
+    }
+}
+```
+
+Documents will show the current state of the computer record.
+
+Example document:
+
+```json
+{
+    "device": {
+        "id": "5982CE36-4526-580B-B4B9-ECC6782535BC"
+    },
+    "event": {
+        "action": "device-discovered"
+    },
+    "jamf": {
+        "location": {
+            "username": "john.doe",
+            "position": "Unknown Developer"
+        },
+        "site": null,
+        "name": "acme-C07DM3AZQ6NV",
+        "udid": "5982CE36-4526-580B-B4B9-ECC6782535BC",
+        "serialNumber": "C07DM3AZQ6NV",
+        "operatingSystemVersion": "14.0",
+        "operatingSystemBuild": "23A344",
+        "operatingSystemSupplementalBuildVersion": null,
+        "operatingSystemRapidSecurityResponse": null,
+        "macAddress": "64:0B:D7:AA:E4:B2",
+        "assetTag": null,
+        "modelIdentifier": "Macmini9,1",
+        "mdmAccessRights": 0,
+        "lastContactDate": "2024-04-18T14:26:51.514Z",
+        "lastReportDate": "2024-06-19T15:54:37.692Z",
+        "lastEnrolledDate": "2023-02-22T10:46:17.199Z",
+        "ipAddress": null,
+        "managementId": "1a59c510-b3a9-41cb-8afa-3d4187ac60d0",
+        "isManaged": true
+    },
+    "labels": {
+        "identity_source": "jamf-1"
+    }
+}
+```
+
+
+### Configuration [_configuration_4]
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: entity-analytics
+  enabled: true
+  id: jamf-1
+  provider: jamf
+  dataset: "all"
+  sync_interval: "12h"
+  update_interval: "30m"
+  jamf_tenant: "JAMF_TENANT"
+  jamf_username: "JAMF_USERNAME"
+  jamf_password: "JAMF_PASSWORD"
+```
+
+The `jamf` provider supports the following configuration:
+
+
+#### `jamf_tenant` [_jamf_tenant]
+
+The Jamf tenant host. Field is required.
+
+
+#### `jamf_username` [_jamf_username]
+
+The Jamf username, used for authentication. Field is required.
+
+
+#### `jamf_password` [_jamf_password]
+
+The Jamf user password, used for authentication. Field is required.
+
+
+#### `page_size` [_page_size]
+
+The number of computer records to collect with each API request. Defaults to [API default](https://developer.jamf.com/jamf-pro/reference/get_preview-computers).
+
+
+#### `sync_interval` [_sync_interval_3]
+
+The interval in which full synchronizations should occur. The interval must be longer than the update interval (`update_interval`) Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to `24h` (24 hours).
+
+
+#### `update_interval` [_update_interval_3]
+
+The interval in which incremental updates should occur. The interval must be shorter than the full synchronization interval (`sync_interval`). Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to `15m` (15 minutes).
+
++==== `tracer.enabled`
+
+It is possible to log HTTP requests and responses to the Jamf API to a local file-system for debugging configurations. This option is enabled by setting `tracer.enabled` to true and setting the `tracer.filename` value. Additional options are available to tune log rotation behavior. To delete existing logs, set `tracer.enabled` to false without unsetting the filename option.
+
+Enabling this option compromises security and should only be used for debugging.
+
+
+### `tracer.filename` [_tracer_filename_2]
+
+To differentiate the trace files generated from different input instances, a placeholder `*` can be added to the filename and will be replaced with the input instance id. For Example, `http-request-trace-*.ndjson`.
+
+
+## Okta User Identities (`okta`) [provider-okta]
+
+The `okta` provider allows the input to retrieve users and devices from the Okta user API.
+
+
+### Setup [_setup_3]
+
+The necessary API permissions need to be granted in Okta in order for the provider to function properly. In the administration dashboard for your Okta account, navigate to Security>API and in the Tokens tab click the "Create token" button to create a new token. Copy the token value and retain this to configure the provider. Note that the token will not be presented again, so it must be copied now. This value will use given to the provider via the `okta_token` configuration field.
+
+Devices API access needs to be activated by Okta support.
+
+
+### How It Works [_how_it_works_4]
+
+
+#### Overview [_overview_4]
+
+The Okta provider periodically contacts the Okta API, retrieving updates for users and devices, updates its internal cache of user metadata, and ships updated user/device metadata to Elasticsearch.
+
+Fetching and shipping updates occurs in one of two processes: **full synchronizations** and **incremental updates**. Full synchronizations will send the entire list of users and devices in state, along with write markers to indicate the start and end of the synchronization event. Incremental updates will only send data for changed users and devices during that event. Changes on a user or device can come in many forms, whether it be a change to the user’s metadata, or a user was added or deleted.
+
+
+#### API Interactions [_api_interactions_3]
+
+The provider periodically retrieves changes to user/device metadata from the Okta User and Device APIs. This is done through calls to:
+
+* [/api/v1/users](https://developer.okta.com/docs/reference/api/users/#list-users)
+* [/api/v1/devices](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Device/#tag/Device/operation/listDevices)
+
+Updates are tracked by the provider by retaining a record of the time of the last noted update in the returned user list. During provider updates the Okta provider makes use of the Okta API’s query filtering to only request records updated at or since the provider’s recorded last update.
+
+
+#### Sending User Metadata to Elasticsearch [_sending_user_metadata_to_elasticsearch]
+
+During a full synchronization, all users/devices stored in state will be sent to the output, while incremental updates will only send users and devices that have been updated. Full synchronizations will be bounded on either side by write marker documents, which will look something like this:
+
+```json
+{
+    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
+    "event": {
+        "action": "started",
+        "start": "2022-11-04T09:57:19.786056-05:00"
+    },
+    "labels": {
+        "identity_source": "okta-1"
+    }
+}
+```
+
+User documents will show the current state of the user.
+
+Example user document:
+
+```json
+{
+    "@timestamp": "2023-07-04T09:57:19.786056-05:00",
+    "event": {
+        "action": "user-discovered",
+    },
+    "okta": {
+        "id": "userid",
+        "status": "RECOVERY",
+        "created": "2023-06-02T09:33:00.189752+09:30",
+        "activated": "0001-01-01T00:00:00Z",
+        "statusChanged": "2023-06-02T09:33:00.189752+09:30",
+        "lastLogin": "2023-06-02T09:33:00.189752+09:30",
+        "lastUpdated": "2023-06-02T09:33:00.189753+09:30",
+        "passwordChanged": "2023-06-02T09:33:00.189753+09:30",
+        "type": {
+            "id": "typeid"
+        },
+        "profile": {
+            "login": "name.surname@example.com",
+            "email": "name.surname@example.com",
+            "firstName": "name",
+            "lastName": "surname"
+        },
+        "credentials": {
+            "password": {},
+            "provider": {
+                "type": "OKTA",
+                "name": "OKTA"
+            }
+        },
+        "_links": {
+            "self": {
+                "href": "https://localhost/api/v1/users/userid"
+            }
+        }
+    },
+    "user": {
+        "id": "userid",
+    },
+    "labels": {
+        "identity_source": "okta-1"
+    }
+}
+```
+
+Device documents will show the current state of the device, including any associated users.
+
+Example device document:
+
+```json
+{
+    "@timestamp": "2023-07-04T09:57:19.786056-05:00",
+    "event": {
+        "action": "device-discovered",
+    },
+    "okta": {
+        "created": "2019-10-02T18:03:07Z",
+        "id": "deviceid",
+        "lastUpdated": "2019-10-02T18:03:07Z",
+        "profile": {
+            "diskEncryptionType": "ALL_INTERNAL_VOLUMES",
+            "displayName": "Example Device name 1",
+            "platform": "WINDOWS",
+            "registered": true,
+            "secureHardwarePresent": false,
+            "serialNumber": "XXDDRFCFRGF3M8MD6D",
+            "sid": "S-1-11-111"
+        },
+        "resourceAlternateID": "",
+        "resourceDisplayName": {
+            "sensitive": false,
+            "value": "Example Device name 1"
+        },
+        "resourceID": "deviceid",
+        "resourceType": "UDDevice",
+        "status": "ACTIVE",
+        "_links": {
+            "activate": {
+                "hints": {
+                    "allow": [
+                        "POST"
+                    ]
+                },
+                "href": "https://localhost/api/v1/devices/deviceid/lifecycle/activate"
+            },
+            "self": {
+                "hints": {
+                    "allow": [
+                        "GET",
+                        "PATCH",
+                        "PUT"
+                    ]
+                },
+                "href": "https://localhost/api/v1/devices/deviceid"
+            },
+            "users": {
+                "hints": {
+                    "allow": [
+                        "GET"
+                    ]
+                },
+                "href": "https://localhost/api/v1/devices/deviceid/users"
+            }
+        },
+        "users": [
+            {
+                "id": "userid",
+                "status": "RECOVERY",
+                "created": "2023-05-14T13:37:20Z",
+                "activated": "0001-01-01T00:00:00Z",
+                "statusChanged": "2023-05-15T01:50:30Z",
+                "lastLogin": "2023-05-15T01:59:20Z",
+                "lastUpdated": "2023-05-15T01:50:32Z",
+                "passwordChanged": "2023-05-15T01:50:32Z",
+                "type": {
+                    "id": "typeid"
+                },
+                "profile": {
+                    "login": "name.surname@example.com",
+                    "email": "name.surname@example.com",
+                    "firstName": "name",
+                    "lastName": "surname"
+                },
+                "credentials": {
+                    "password": {},
+                    "provider": {
+                        "type": "OKTA",
+                        "name": "OKTA"
+                    }
+                },
+                "_links": {
+                    "self": {
+                        "href": "https://localhost/api/v1/users/userid"
+                    }
+                }
+            }
+        ]
+    },
+    "device": {
+        "id": "deviceid",
+    },
+    "labels": {
+        "identity_source": "okta-1"
+    }
+}
+```
+
+
+### Configuration [_configuration_5]
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: entity-analytics
+  enabled: true
+  id: okta-1
+  provider: okta
+  dataset: "all"
+  enrich_with: ["groups", "roles"]
+  sync_interval: "12h"
+  update_interval: "30m"
+  okta_domain: "OKTA_DOMAIN"
+  okta_token: "OKTA_TOKEN"
+```
+
+The `okta` provider supports the following configuration:
+
+
+#### `okta_domain` [_okta_domain]
+
+The Okta domain. Field is required.
+
+
+#### `okta_token` [_okta_token]
+
+The Okta secret token, used for authentication. Field is required.
+
+
+#### `collect_device_details` [_collect_device_details]
+
+Whether the input should collect device and device-associated user details from the Okta API. Device details must be activated on the Okta account for this option.
+
+
+#### `dataset` [_dataset_2]
+
+The datasets to collect from the API. This can be one of "all", "users" or "devices", or may be left empty for the default behavior which is to collect all entities. When the `dataset` is set to "devices", some user entity data is collected in order to populate the registered users and registered owner fields for each device.
+
+
+#### `enrich_with` [_enrich_with]
+
+The metadata to enrich users with. This is an array of values that may contain "groups", "roles" and "factors", or "none". If the array only contains "none", no metadata is collected for users. The default behavior is to collect "groups".
+
+
+#### `sync_interval` [_sync_interval_4]
+
+The interval in which full synchronizations should occur. The interval must be longer than the update interval (`update_interval`) Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to `24h` (24 hours).
+
+
+#### `update_interval` [_update_interval_4]
+
+The interval in which incremental updates should occur. The interval must be shorter than the full synchronization interval (`sync_interval`). Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to `15m` (15 minutes).
+
+
+#### `limit_window` [_limit_window]
+
+The time between Okta API rate limit resets. Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to `1m` (1 minute).
+
+
+#### `limit_fixed` [_limit_fixed]
+
+The number of requests to allow in each limit window, if set. This parameter should only be set in exceptional cases. When it is set, rate limit information in API responses will be ignored in favor of the fixed limit. The limit is applied separately to each endopint. Defaults to unset.
+
+
+#### `tracer.enabled` [_tracer_enabled_2]
+
+It is possible to log HTTP requests and responses to the Okta API to a local file-system for debugging configurations. This option is enabled by setting `tracer.enabled` to true and setting the `tracer.filename` value. Additional options are available to tune log rotation behavior. To delete existing logs, set `tracer.enabled` to false without unsetting the filename option.
+
+Enabling this option compromises security and should only be used for debugging.
+
+
+#### `tracer.filename` [_tracer_filename_3]
+
+To differentiate the trace files generated from different input instances, a placeholder `*` can be added to the filename and will be replaced with the input instance id. For Example, `http-request-trace-*.ndjson`.
+
+
+### `tracer.maxsize` [_tracer_maxsize]
+
+This value sets the maximum size, in megabytes, the log file will reach before it is rotated. By default logs are allowed to reach 1MB before rotation. Individual request/response bodies will be truncated to 10% of this size.
+
+
+### Metrics [_metrics_6]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the activity of the input.
+
+| Metric | Description |
+| --- | --- |
+| `sync_total` | The total number of full synchronizations. |
+| `sync_error` | The number of full synchronizations that failed due to an error. |
+| `sync_processing_time` | Histogram of the elapsed full synchronizations times in nanoseconds (time of API contact to items sent to output). |
+| `update_total` | The total number of incremental updates. |
+| `update_error` | The number of incremental updates that failed due to an error. |
+| `update_processing_time` | Histogram of the elapsed incremental updates times in nanoseconds (time of API contact to items sent to output). |
+
+::::{note}
+This input is experimental and is under active developement. Configuration options and behaviors may change without warning. Use with caution and do not use in production environments.
+::::
+
+
+
diff --git a/docs/reference/filebeat/filebeat-input-etw.md b/docs/reference/filebeat/filebeat-input-etw.md
new file mode 100644
index 000000000000..f75ebc8cf4db
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-etw.md
@@ -0,0 +1,243 @@
+---
+navigation_title: "ETW"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-etw.html
+---
+
+# ETW input [filebeat-input-etw]
+
+
+[Event Tracing for Windows](https://learn.microsoft.com/en-us/windows/win32/etw/event-tracing-portal) is a powerful logging and tracing mechanism built into the Windows operating system. It provides a detailed view of application and system behavior, performance issues, and runtime diagnostics. Trace events contain an event header and provider-defined data that describes the current state of an application or operation. You can use the events to debug an application and perform capacity and performance analysis.
+
+The ETW input can interact with ETW in three distinct ways: it can create a new session to capture events from user-mode providers, attach to an already existing session to collect ongoing event data, or read events from a pre-recorded .etl file. This functionality enables the module to adapt to different scenarios, such as real-time event monitoring or analyzing historical data.
+
+This input currently supports manifest-based, MOF (classic) and TraceLogging providers while WPP providers are not supported. [Here](https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing#types-of-providers) you can find more information about the available types of providers.
+
+It has been tested in the Windows versions supported by Filebeat, starting from Windows 10 and Windows Server 2016. In addition, administrative privileges are required to control event tracing sessions.
+
+Example configurations:
+
+Read from a provider by name:
+
+```yaml
+filebeat.inputs:
+- type: etw
+  id: etw-dnsserver
+  enabled: true
+  provider.name: Microsoft-Windows-DNSServer
+  session_name: DNSServer-Analytical
+  trace_level: verbose
+  match_any_keyword: 0x8000000000000000
+  match_all_keyword: 0
+```
+
+Read from a provider by its GUID:
+
+```yaml
+filebeat.inputs:
+- type: etw
+  id: etw-dnsserver
+  enabled: true
+  provider.guid: {EB79061A-A566-4698-9119-3ED2807060E7}
+  session_name: DNSServer-Analytical
+  trace_level: verbose
+  match_any_keyword: 0x8000000000000000
+  match_all_keyword: 0
+```
+
+Read from an existing session:
+
+```yaml
+filebeat.inputs:
+- type: etw
+  enabled: true
+  id: etw-dnsserver-session
+  session: UAL_Usermode_Provider
+```
+
+Read from a .etl file:
+
+```yaml
+filebeat.inputs:
+- type: etw
+  enabled: true
+  id: etw-dnsserver-session
+  file: "C\Windows\System32\Winevt\Logs\Logfile.etl"
+```
+
+::::{note}
+Examples shown above are mutually exclusive, the options `provider.name`, `provider.guid`, `session` and `file` cannot be present at the same time. Nevertheless, it is a requirement that one of them is present.
+::::
+
+
+Multiple providers example:
+
+```yaml
+filebeat.inputs:
+- type: etw
+  id: etw-dnsserver
+  enabled: true
+  provider.name: Microsoft-Windows-DNSServer
+  session_name: DNSServer-Analytical
+  trace_level: verbose
+  match_any_keyword: 0xffffffffffffffff
+  match_all_keyword: 0
+- type: etw
+  id: etw-security
+  enabled: true
+  provider.name: Microsoft-Windows-Security-Auditing
+  session_name: Security-Auditing
+  trace_level: warning
+  match_any_keyword: 0xfffffffffffffff
+  match_all_keyword: 0
+```
+
+## Configuration options [_configuration_options_8]
+
+The `etw` input supports the following configuration options plus the [Common options](#filebeat-input-etw-common-options) described later.
+
+
+### `file` [_file]
+
+Specifies the path to an .etl file for reading ETW events. This file format is commonly used for storing ETW event logs.
+
+
+### `provider.guid` [_provider_guid]
+
+Identifies the GUID of an ETW provider. To see available providers, use the command `logman query providers`.
+
+
+### `provider.name` [_provider_name]
+
+Specifies the name of the ETW provider. Available providers can be listed using `logman query providers`.
+
+
+### `session_name` [_session_name]
+
+When specifying a provider, a new session is created. This controls the name for the new ETW session it will create. If not specified, the session will be named using the provider ID prefixed by *Elastic-*.
+
+
+### `trace_level` [_trace_level]
+
+Defines the filtering level for events based on severity. Valid options include critical, error, warning, information, and verbose.
+
+
+### `match_any_keyword` [_match_any_keyword]
+
+An 8-byte bitmask used for filtering events from specific provider subcomponents based on keyword matching. Any matching keyword will enable the event to be written. Default value is `0xffffffffffffffff` so it matches every available keyword.
+
+Run `logman query providers "<provider.name>"` to list the available keywords for a specific provider.
+
+
+### `match_all_keyword` [_match_all_keyword]
+
+Similar to MatchAnyKeyword, this 8-byte bitmask filters events that match all specified keyword bits. Default value is `0` to let every event pass.
+
+Run `logman query providers "<provider.name>"` to list the available keywords for a specific provider.
+
+
+### `session` [_session]
+
+Names an existing ETW session to read from. Existing sessions can be listed using `logman query -ets`.
+
+
+## Common options [filebeat-input-etw-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_8]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_8]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: etw
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-etw-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: etw
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-etw]
+
+If this option is set to true, the custom [fields](#filebeat-input-etw-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_8]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_8]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_8]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_8]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_8]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
+## Metrics [_metrics_7]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs/` path. They can be used to observe the activity of the input.
+
+You must assign a unique `id` to the input to expose metrics.
+
+| Metric | Description |
+| --- | --- |
+| `session` | Name of the ETW session. |
+| `received_events_total` | Total number of events received. |
+| `discarded_events_total` | Total number of discarded events. |
+| `errors_total` | Total number of errors. |
+| `source_lag_time` | Histogram of the difference between timestamped event’s creation and reading. |
+| `arrival_period` | Histogram of the elapsed time between event notification callbacks. |
+| `processing_time` | Histogram of the elapsed time between event notification callback and publication to the internal queue. |
+
+Histogram metrics are aggregated over the previous 1024 events.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-filestream.md b/docs/reference/filebeat/filebeat-input-filestream.md
new file mode 100644
index 000000000000..a3d5f061881f
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-filestream.md
@@ -0,0 +1,988 @@
+---
+navigation_title: "filestream"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-filestream.html
+---
+
+# filestream input [filebeat-input-filestream]
+
+
+Use the `filestream` input to read lines from active log files. It is the new, improved alternative to the `log` input. It comes with various improvements to the existing input:
+
+1. Checking of `close.on_state_change.*` options happens out of band. Thus, if an output is blocked, Filebeat can close the reader and avoid keeping too many files open.
+2. Detailed metrics are available for all files that match the `paths` configuration regardless of the `harvester_limit`. This way, you can keep track of all files, even ones that are not actively read.
+3. The order of `parsers` is configurable. So it is possible to parse JSON lines and then aggregate the contents into a multiline event.
+4. Some position updates and metadata changes no longer depend on the publishing pipeline. If the pipeline is blocked some changes are still applied to the registry.
+5. Only the most recent updates are serialized to the registry. In contrast, the `log` input has to serialize the complete registry on each ACK from the outputs. This makes the registry updates much quicker with this input.
+6. The input ensures that only offsets updates are written to the registry append only log. The `log` writes the complete file state.
+7. Stale entries can be removed from the registry, even if there is no active input.
+8. The default behaviour is to identify files based on their contents using the [`fingerprint`](#filebeat-input-filestream-file-identity-fingerprint) [`file_identity`](#filebeat-input-filestream-file-identity) This solves data duplication caused by inode reuse.
+
+To configure this input, specify a list of glob-based [`paths`](#filestream-input-paths) that must be crawled to locate and fetch the log lines.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  id: my-filestream-id
+  paths:
+    - /var/log/messages
+    - /var/log/*.log
+```
+
+::::{warning}
+Each filestream input must have a unique ID. Omitting or changing the filestream ID may cause data duplication. Without a unique ID, filestream is unable to correctly track the state of files.
+::::
+
+
+You can apply additional [configuration settings](#filebeat-input-filestream-options) (such as `fields`, `include_lines`, `exclude_lines` and so on) to the lines harvested from these files. The options that you specify are applied to all the files harvested by this input.
+
+To apply different configuration settings to different files, you need to define multiple input sections:
+
+```yaml
+filebeat.inputs:
+- type: filestream <1>
+  id: my-filestream-id
+  paths:
+    - /var/log/system.log
+    - /var/log/wifi.log
+- type: filestream <2>
+  id: apache-filestream-id
+  paths:
+    - "/var/log/apache2/*"
+  fields:
+    apache: true
+```
+
+1. Harvests lines from two files:  `system.log` and `wifi.log`.
+2. Harvests lines from every file in the `apache2` directory, and uses the `fields` configuration option to add a field called `apache` to the output.
+
+
+## Reading files on network shares and cloud providers [filestream-file-identity]
+
+::::{warning}
+Some file identity methods do not support reading from network shares and cloud providers, to avoid duplicating events, use the default `file_identity`: `fingerprint`.
+::::
+
+
+::::{important}
+Changing `file_identity` is only supported when migrating from `native` or `path` to `fingerprint`.
+::::
+
+
+::::{warning}
+Any unsupported change in `file_identity` methods between runs may result in duplicated events in the output.
+::::
+
+
+`fingerprint` is the default and recommended file identity because it does not rely on the file system/OS, it generates a hash from a portion of the file (the first 1024 bytes, by default) and uses that to identify the file. This works well with log rotation strategies that move/rename the file and on Windows as file identifiers might be more volatile. The downside is that Filebeat will wait until the file reaches 1024 bytes before start ingesting any file.
+
+::::{warning}
+Once this file identity is enabled, changing the fingerprint configuration (offset, length, etc) will lead to a global re-ingestion of all files that match the paths configuration of the input.
+::::
+
+
+Please refer to the [fingerprint configuration for details](#filebeat-input-filestream-scan-fingerprint).
+
+Selecting `path` instructs Filebeat to identify files based on their paths. This is a quick way to avoid rereading files if inode and device ids might change. However, keep in mind if the files are rotated (renamed), they will be reread and resubmitted.
+
+The option `inode_marker` can be used if the inodes stay the same even if the device id is changed. You should choose this method if your files are rotated instead of `path` if possible. You have to configure a marker file readable by Filebeat and set the path in the option `path` of `inode_marker`.
+
+The content of this file must be unique to the device. You can put the UUID of the device or mountpoint where the input is stored. The following example oneliner generates a hidden marker file for the selected mountpoint `/logs`: Please note that you should not use this option on Windows as file identifiers might be more volatile.
+
+```sh
+$ lsblk -o MOUNTPOINT,UUID | grep /logs | awk '{print $2}' >> /logs/.filebeat-marker
+```
+
+To set the generated file as a marker for `file_identity` you should configure the input the following way:
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  id: my-filestream-id
+  paths:
+    - /logs/*.log
+  file_identity.inode_marker.path: /logs/.filebeat-marker
+```
+
+
+## Reading from rotating logs [filestream-rotating-logs]
+
+When dealing with file rotation, avoid harvesting symlinks. Instead use the [`paths`](#filestream-input-paths) setting to point to the original file, and specify a pattern that matches the file you want to harvest and all of its rotated files. Also make sure your log rotation strategy prevents lost or duplicate messages. For more information, see [Log rotation results in lost or duplicate events](/reference/filebeat/file-log-rotation.md).
+
+Furthermore, to avoid duplicate of rotated log messages, do not use the `path` method for `file_identity`. Or exclude the rotated files with `exclude_files` option.
+
+
+## Prospector options [filebeat-input-filestream-options]
+
+The prospector is running a file system watcher which looks for files specified in the `paths` option. At the moment only simple file system scanning is supported.
+
+
+#### `id` [filebeat-input-filestream-id]
+
+A unique identifier for this filestream input. Each filestream input must have a unique ID. Filestream will not start inputs with duplicated IDs.
+
+::::{warning}
+Changing input ID may cause data duplication because the state of the files will be lost and they will be read from the beginning again.
+::::
+
+
+
+#### `allow_deprecated_id_duplication` [filestream-input-allow_deprecated_id_duplication]
+
+This allows Filebeat to run multiple instances of the filestream input with the same ID. This is intended to add backwards compatibility with the behaviour prior to 9.0. It defaults to `false` and is **not recommended** in new configurations.
+
+This setting is per input, so make sure to enable it in all filestream inputs that use duplicated IDs.
+
+::::{warning}
+Duplicated IDs will lead to data duplication and some input instances will not produce any metrics.
+::::
+
+
+
+#### `paths` [filestream-input-paths]
+
+A list of glob-based paths that will be crawled and fetched. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, to fetch all files from a predefined level of subdirectories, the following pattern can be used: `/var/log/*/*.log`. This fetches all `.log` files from the subfolders of `/var/log`. It does not fetch log files from the `/var/log` folder itself. It is possible to recursively fetch all files in all subdirectories of a directory using the optional [`recursive_glob`](#filestream-recursive-glob) settings.
+
+Filebeat starts a harvester for each file that it finds under the specified paths. You can specify one path per line. Each line begins with a dash (-).
+
+
+## Scanner options [_scanner_options]
+
+The scanner watches the configured paths. It scans the file system periodically and returns the file system events to the Prospector.
+
+
+#### `prospector.scanner.recursive_glob` [filestream-recursive-glob]
+
+Enable expanding `**` into recursive glob patterns. With this feature enabled, the rightmost `**` in each path is expanded into a fixed number of glob patterns. For example: `/foo/**` expands to `/foo`, `/foo/*`, `/foo/*/*`, and so on. If enabled it expands a single `**` into a 8-level deep `*` pattern.
+
+This feature is enabled by default. Set `prospector.scanner.recursive_glob` to false to disable it.
+
+
+#### `prospector.scanner.exclude_files` [filebeat-input-filestream-exclude-files]
+
+A list of regular expressions to match the files that you want Filebeat to ignore. By default no files are excluded.
+
+The following example configures Filebeat to ignore all the files that have a `gz` extension:
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  ...
+  prospector.scanner.exclude_files: ['\.gz$']
+```
+
+See [Regular expression support](/reference/filebeat/regexp-support.md) for a list of supported regexp patterns.
+
+### `prospector.scanner.include_files` [_prospector_scanner_include_files]
+
+A list of regular expressions to match the files that you want Filebeat to include. If a list of regexes is provided, only the files that are allowed by the patterns are harvested.
+
+By default no files are excluded. This option is the counterpart of `prospector.scanner.exclude_files`.
+
+The following example configures Filebeat to exclude files that are not under `/var/log`:
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  ...
+  prospector.scanner.include_files: ['^/var/log/.*']
+```
+
+::::{note}
+Patterns should start with `^` in case of absolute paths.
+::::
+
+
+See [Regular expression support](/reference/filebeat/regexp-support.md) for a list of supported regexp patterns.
+
+
+### `prospector.scanner.symlinks` [filebeat-input-filestream-prospector-scanner-symlinks]
+
+The `symlinks` option allows Filebeat to harvest symlinks in addition to regular files. When harvesting symlinks, Filebeat opens and reads the original file even though it reports the path of the symlink.
+
+When you configure a symlink for harvesting, make sure the original path is excluded. If a single input is configured to harvest both the symlink and the original file, Filebeat will detect the problem and only process the first file it finds. However, if two different inputs are configured (one to read the symlink and the other the original path), both paths will be harvested, causing Filebeat to send duplicate data and the inputs to overwrite each other’s state.
+
+The `symlinks` option can be useful if symlinks to the log files have additional metadata in the file name, and you want to process the metadata in Logstash. This is, for example, the case for Kubernetes log files.
+
+Because this option may lead to data loss, it is disabled by default.
+
+
+### `prospector.scanner.resend_on_touch` [_prospector_scanner_resend_on_touch]
+
+If this option is enabled a file is resent if its size has not changed but its modification time has changed to a later time than before. It is disabled by default to avoid accidentally resending files.
+
+
+#### `prospector.scanner.check_interval` [filebeat-input-filestream-scan-frequency]
+
+How often Filebeat checks for new files in the paths that are specified for harvesting. For example, if you specify a glob like `/var/log/*`, the directory is scanned for files using the frequency specified by `check_interval`. Specify 1s to scan the directory as frequently as possible without causing Filebeat to scan too frequently. We do not recommend to set this value `<1s`.
+
+If you require log lines to be sent in near real time do not use a very low `check_interval` but adjust `close.on_state_change.inactive` so the file handler stays open and constantly polls your files.
+
+The default setting is 10s.
+
+
+#### `prospector.scanner.fingerprint` [filebeat-input-filestream-scan-fingerprint]
+
+Instead of relying on the device ID and inode values when comparing files, compare hashes of the given byte ranges of files. This is the default behaviour for Filebeat.
+
+Following are some scenarios where this can happen:
+
+1. Some file systems (i.e. in Docker) cache and re-use inodes
+
+    for example if you:
+
+    1. Create a file (`touch x`)
+    2. Check the file’s inode (`ls -i x`)
+    3. Delete the file (`rm x`)
+    4. Create a new file right away (`touch y`)
+    5. Check the inode of the new file (`ls -i y`)
+
+        For both files you might see the same inode value despite even having different filenames.
+
+2. Non-Ext file systems can change inodes:
+
+    Ext file systems store the inode number in the `i_ino` file, inside a struct `inode`, which is written to disk. In this case, if the file is the same (not another file with the same name) then the inode number is guaranteed to be the same.
+
+    If the file system is other than Ext, the inode number is generated by the inode operations defined by the file system driver. As they don’t have the concept of what an inode is, they have to mimic all of the inode’s internal fields to comply with VFS, so this number will probably be different after a reboot, even after closing and opening the file again (theoretically).
+
+3. Some file processing tools change inode values
+
+    Sometimes users unintentionally change inodes by using tools like `rsync` or `sed`.
+
+4. Some operating systems change device IDs after reboot
+
+    Depending on a mounting approach, the device ID (which is also used for comparing files) might change after a reboot.
+
+
+**Configuration**
+
+Fingerprint mode is disabled by default.
+
+::::{warning}
+Enabling fingerprint mode delays ingesting new files until they grow to at least `offset`+`length` bytes in size, so they can be fingerprinted. Until then these files are ignored.
+::::
+
+
+Normally, log lines contain timestamps and other unique fields that should be able to use the fingerprint mode, but in every use-case users should inspect their logs to determine what are the appropriate values for the `offset` and `length` parameters. Default `offset` is `0` and default `length` is `1024` or 1 KB. `length` cannot be less than `64`.
+
+```yaml
+fingerprint:
+  enabled: false
+  offset: 0
+  length: 1024
+```
+
+
+#### `ignore_older` [filebeat-input-filestream-ignore-older]
+
+If this option is enabled, Filebeat ignores any files that were modified before the specified timespan. Configuring `ignore_older` can be especially useful if you keep log files for a long time. For example, if you want to start Filebeat, but only want to send the newest files and files from last week, you can configure this option.
+
+You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is 0, which disables the setting. Commenting out the config has the same effect as setting it to 0.
+
+::::{important}
+You must set `ignore_older` to be greater than `close.on_state_change.inactive`.
+::::
+
+
+The files affected by this setting fall into two categories:
+
+* Files that were never harvested
+* Files that were harvested but weren’t updated for longer than `ignore_older`
+
+For files which were never seen before, the offset state is set to the end of the file. If a state already exists, the offset is reset to the size of the file. If a file is updated again later, reading continues at the set offset position.
+
+The `ignore_older` setting relies on the modification time of the file to determine if a file is ignored. If the modification time of the file is not updated when lines are written to a file (which can happen on Windows), the `ignore_older` setting may cause Filebeat to ignore files even though content was added at a later time.
+
+To remove the state of previously harvested files from the registry file, use the `clean_inactive` configuration option.
+
+Before a file can be ignored by Filebeat, the file must be closed. To ensure a file is no longer being harvested when it is ignored, you must set `ignore_older` to a longer duration than `close.on_state_change.inactive`.
+
+If a file that’s currently being harvested falls under `ignore_older`, the harvester will first finish reading the file and close it after `close.on_state_change.inactive` is reached. Then, after that, the file will be ignored.
+
+
+#### `ignore_inactive` [filebeat-input-filestream-ignore-inactive]
+
+If this option is enabled, Filebeat ignores every file that has not been updated since the selected time. Possible options are `since_first_start` and `since_last_start`. The first option ignores every file that has not been updated since the first start of Filebeat. It is useful when the Beat might be restarted due to configuration changes or a failure. The second option tells the Beat to read from files that have been updated since its start.
+
+The files affected by this setting fall into two categories:
+
+* Files that were never harvested
+* Files that were harvested but weren’t updated since `ignore_inactive`.
+
+For files that were never seen before, the offset state is set to the end of the file. If a state already exist, the offset is not changed. In case a file is updated again later, reading continues at the set offset position.
+
+The setting relies on the modification time of the file to determine if a file is ignored. If the modification time of the file is not updated when lines are written to a file (which can happen on Windows), the setting may cause Filebeat to ignore files even though content was added at a later time.
+
+To remove the state of previously harvested files from the registry file, use the `clean_inactive` configuration option.
+
+
+#### `take_over` [filebeat-input-filestream-take-over]
+
+If `take_over` is set to `true`, this `filestream` will take over all files from `log` inputs if they match at least one of the `paths` set in the `filestream`.
+
+::::{important}
+`take_over: true` requires the `filestream` to have a unique ID.
+::::
+
+
+This `take over` mode was created to enable smooth migration from deprecated `log` inputs to the new `filestream` inputs.
+
+See [*Migrate `log` input configurations to `filestream`*](/reference/filebeat/migrate-to-filestream.md) for more details about the migration process.
+
+::::{warning}
+The `take over` mode is still in beta, however, it’s manually reversible due to backups created in the [`registry.path/filebeat` directory](/reference/filebeat/configuration-general-options.md#configuration-global-options) and should be generally safe to use.
+::::
+
+
+
+#### `close.*` [filebeat-input-filestream-close-options]
+
+The `close.*` configuration options are used to close the harvester after a certain criteria or time. Closing the harvester means closing the file handler. If a file is updated after the harvester is closed, the file will be picked up again after `prospector.scanner.check_interval` has elapsed. However, if the file is moved or deleted while the harvester is closed, Filebeat will not be able to pick up the file again, and any data that the harvester hasn’t read will be lost.
+
+The `close.on_state_change.*` settings are applied asynchronously to read from a file, meaning that if Filebeat is in a blocked state due to blocked output, full queue or other issue, a file that would be closed regardless.
+
+
+#### `close.on_state_change.inactive` [filebeat-input-filestream-close-inactive]
+
+When this option is enabled, Filebeat closes the file handle if a file has not been harvested for the specified duration. The counter for the defined period starts when the last log line was read by the harvester. It is not based on the modification time of the file. If the closed file changes again, a new harvester is started and the latest changes will be picked up after `prospector.scanner.check_interval` has elapsed.
+
+We recommended that you set `close.on_state_change.inactive` to a value that is larger than the least frequent updates to your log files. For example, if your log files get updated every few seconds, you can safely set `close.on_state_change.inactive` to `1m`. If there are log files with very different update rates, you can use multiple configurations with different values.
+
+Setting `close.on_state_change.inactive` to a lower value means that file handles are closed sooner. However this has the side effect that new log lines are not sent in near real time if the harvester is closed.
+
+The timestamp for closing a file does not depend on the modification time of the file. Instead, Filebeat uses an internal timestamp that reflects when the file was last harvested. For example, if `close.on_state_change.inactive` is set to 5 minutes, the countdown for the 5 minutes starts after the harvester reads the last line of the file.
+
+You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is 5m.
+
+
+#### `close.on_state_change.renamed` [filebeat-input-filestream-close-renamed]
+
+::::{warning}
+Only use this option if you understand that data loss is a potential side effect.
+::::
+
+
+When this option is enabled, Filebeat closes the file handler when a file is renamed. This happens, for example, when rotating files. By default, the harvester stays open and keeps reading the file because the file handler does not depend on the file name. If the `close.on_state_change.renamed` option is enabled and the file is renamed or moved in such a way that it’s no longer matched by the file patterns specified for the , the file will not be picked up again. Filebeat will not finish reading the file.
+
+Do not use this option when `path` based `file_identity` is configured. It does not make sense to enable the option, as Filebeat cannot detect renames using path names as unique identifiers.
+
+WINDOWS: If your Windows log rotation system shows errors because it can’t rotate the files, you should enable this option.
+
+
+#### `close.on_state_change.removed` [filebeat-input-filestream-close-removed]
+
+When this option is enabled, Filebeat closes the harvester when a file is removed. Normally a file should only be removed after it’s inactive for the duration specified by `close.on_state_change.inactive`. However, if a file is removed early and you don’t enable `close.on_state_change.removed`, Filebeat keeps the file open to make sure the harvester has completed. If this setting results in files that are not completely read because they are removed from disk too early, disable this option.
+
+This option is enabled by default. If you disable this option, you must also disable `clean_removed`.
+
+WINDOWS: If your Windows log rotation system shows errors because it can’t rotate files, make sure this option is enabled.
+
+
+#### `close.reader.on_eof` [filebeat-input-filestream-close-eof]
+
+::::{warning}
+Only use this option if you understand that data loss is a potential side effect.
+::::
+
+
+When this option is enabled, Filebeat closes a file as soon as the end of a file is reached. This is useful when your files are only written once and not updated from time to time. For example, this happens when you are writing every single log event to a new file. This option is disabled by default.
+
+
+#### `close.reader.after_interval` [filebeat-input-filestream-close-timeout]
+
+::::{warning}
+Only use this option if you understand that data loss is a potential side effect. Another side effect is that multiline events might not be completely sent before the timeout expires.
+::::
+
+
+When this option is enabled, Filebeat gives every harvester a predefined lifetime. Regardless of where the reader is in the file, reading will stop after the `close.reader.after_interval` period has elapsed. This option can be useful for older log files when you want to spend only a predefined amount of time on the files. While `close.reader.after_interval` will close the file after the predefined timeout, if the file is still being updated, Filebeat will start a new harvester again per the defined `prospector.scanner.check_interval`. And the close.reader.after_interval for this harvester will start again with the countdown for the timeout.
+
+This option is particularly useful in case the output is blocked, which makes Filebeat keep open file handlers even for files that were deleted from the disk. Setting `close.reader.after_interval` to `5m` ensures that the files are periodically closed so they can be freed up by the operating system.
+
+If you set `close.reader.after_interval` to equal `ignore_older`, the file will not be picked up if it’s modified while the harvester is closed. This combination of settings normally leads to data loss, and the complete file is not sent.
+
+When you use `close.reader.after_interval` for logs that contain multiline events, the harvester might stop in the middle of a multiline event, which means that only parts of the event will be sent. If the harvester is started again and the file still exists, only the second part of the event will be sent.
+
+This option is set to 0 by default which means it is disabled.
+
+
+#### `clean_*` [filebeat-input-filestream-clean-options]
+
+The `clean_*` options are used to clean up the state entries in the registry file. These settings help to reduce the size of the registry file and can prevent a potential [inode reuse issue](/reference/filebeat/inode-reuse-issue.md).
+
+
+#### `clean_inactive` [filebeat-input-filestream-clean-inactive]
+
+::::{warning}
+Only use this option if you understand that data loss is a potential side effect.
+::::
+
+
+When this option is enabled, Filebeat removes the state of a file after the specified period of inactivity has elapsed. The state can only be removed if the file is already ignored by Filebeat (the file is older than `ignore_older`). The `clean_inactive` setting must be greater than `ignore_older + prospector.scanner.check_interval` to make sure that no states are removed while a file is still being harvested. Otherwise, the setting could result in Filebeat resending the full content constantly because `clean_inactive` removes state for files that are still detected by Filebeat. If a file is updated or appears again, the file is read from the beginning.
+
+The `clean_inactive` configuration option is useful to reduce the size of the registry file, especially if a large amount of new files are generated every day.
+
+This config option is also useful to prevent Filebeat problems resulting from inode reuse on Linux. For more information, see [Inode reuse causes Filebeat to skip lines](/reference/filebeat/inode-reuse-issue.md).
+
+::::{note}
+Every time a file is renamed, the file state is updated and the counter for `clean_inactive` starts at 0 again.
+::::
+
+
+::::{tip}
+During testing, you might notice that the registry contains state entries that should be removed based on the `clean_inactive` setting. This happens because Filebeat doesn’t remove the entries until the registry garbage collector (GC) runs. Once the TTL for a state expired, there are no active harvesters for the file and the registry GC runs, then, and only then the state is removed from memory and an `op: remove` is added to the registry log file.
+::::
+
+
+
+#### `clean_removed` [filebeat-input-filestream-clean-removed]
+
+When this option is enabled, Filebeat cleans files from the registry if they cannot be found on disk anymore under the last known name. This means also files which were renamed after the harvester was finished will be removed. This option is enabled by default.
+
+If a shared drive disappears for a short period and appears again, all files will be read again from the beginning because the states were removed from the registry file. In such cases, we recommend that you disable the `clean_removed` option.
+
+You must disable this option if you also disable `close.on_state_change.removed`.
+
+
+#### `backoff.*` [_backoff_2]
+
+The backoff options specify how aggressively Filebeat crawls open files for updates. You can use the default values in most cases.
+
+
+#### `backoff.init` [_backoff_init]
+
+The `backoff.init` option defines how long Filebeat waits for the first time before checking a file again after EOF is reached. The backoff intervals increase exponentially. The default is 2s. Thus, the file is checked after 2 seconds, then 4 seconds, then 8 seconds and so on until it reaches the limit defined in `backoff.max`. Every time a new line appears in the file, the `backoff.init` value is reset to the initial value.
+
+
+#### `backoff.max` [_backoff_max]
+
+The maximum time for Filebeat to wait before checking a file again after EOF is reached. After having backed off multiple times from checking the file, the wait time will never exceed `backoff.max`. Because it takes a maximum of 10s to read a new line, specifying 10s for `backoff.max` means that, at the worst, a new line could be added to the log file if Filebeat has backed off multiple times. The default is 10s.
+
+Requirement: Set `backoff.max` to be greater than or equal to `backoff.init` and less than or equal to `prospector.scanner.check_interval` (`backoff.init <= backoff.max <= prospector.scanner.check_interval`). If `backoff.max` needs to be higher, it is recommended to close the file handler instead and let Filebeat pick up the file again.
+
+
+#### `harvester_limit` [filebeat-input-filestream-harvester-limit]
+
+The `harvester_limit` option limits the number of harvesters that are started in parallel for one input. This directly relates to the maximum number of file handlers that are opened. The default for `harvester_limit` is 0, which means there is no limit. This configuration is useful if the number of files to be harvested exceeds the open file handler limit of the operating system.
+
+Setting a limit on the number of harvesters means that potentially not all files are opened in parallel. Therefore we recommended that you use this option in combination with the `close.on_state_change.*` options to make sure harvesters are stopped more often so that new files can be picked up.
+
+Currently if a new harvester can be started again, the harvester is picked randomly. This means it’s possible that the harvester for a file that was just closed and then updated again might be started instead of the harvester for a file that hasn’t been harvested for a longer period of time.
+
+This configuration option applies per input. You can use this option to indirectly set higher priorities on certain inputs by assigning a higher limit of harvesters.
+
+
+#### `file_identity` [filebeat-input-filestream-file-identity]
+
+Different `file_identity` methods can be configured to suit the environment where you are collecting log messages.
+
+::::{important}
+Changing `file_identity` is only supported from `native` or `path` to `fingerprint`. On those cases Filebeat will automatically migrate the state of the file when filestream starts.
+::::
+
+
+::::{warning}
+Any unsupported change in `file_identity` methods between runs may result in duplicated events in the output.
+::::
+
+
+$$$filebeat-input-filestream-file-identity-fingerprint$$$
+
+**`fingerprint`**
+:   The default behaviour of Filebeat is to identify files based on content by hashing a specific range (0 to 1024 bytes by default).
+
+::::{warning}
+In order to use this file identity option, you must enable the [fingerprint option in the scanner](#filebeat-input-filestream-scan-fingerprint). Once this file identity is enabled, changing the fingerprint configuration (offset, length, or other settings) will lead to a global re-ingestion of all files that match the paths configuration of the input.
+::::
+
+
+Please refer to the [fingerprint configuration for details](#filebeat-input-filestream-scan-fingerprint).
+
+```yaml
+file_identity.fingerprint: ~
+```
+
+**`native`**
+:   Differentiates between files using their inodes and device ids.
+
+    In some cases these values can change during the lifetime of a file. For example, when using the Linux [LVM](https://en.wikipedia.org/wiki/Logical_Volume_Manager_%28Linux%29) (Logical Volume Manager), device numbers are allocated dynamically at module load (refer to [Persistent Device Numbers](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/logical_volume_manager_administration/lv#persistent_numbers) in the Red Hat Enterprise Linux documentation). To avoid the possibility of data duplication in this case, you can set `file_identity` to `fingerprint` rather than the default `native`.
+
+    The states of files generated by `native` file identity can be migrated to `fingerprint`.
+
+
+```yaml
+file_identity.native: ~
+```
+
+**`path`**
+:   To identify files based on their paths use this strategy.
+
+    ::::{warning}
+    Only use this strategy if your log files are rotated to a folder outside of the scope of your input or not at all. Otherwise you end up with duplicated events.
+    ::::
+
+
+    ::::{warning}
+    This strategy does not support renaming files. If an input file is renamed, Filebeat will read it again if the new path matches the settings of the input.
+    ::::
+
+
+    The states of files generated by `path` file identity can be migrated to `fingerprint`.
+
+
+```yaml
+file_identity.path: ~
+```
+
+**`inode_marker`**
+:   If the device id changes from time to time, you must use this method to distinguish files. This option is not supported on Windows.
+
+    Set the location of the marker file the following way:
+
+
+```yaml
+file_identity.inode_marker.path: /logs/.filebeat-marker
+```
+
+
+## Log rotation [filestream-log-rotation-support]
+
+As log files are constantly written, they must be rotated and purged to prevent the logger application from filling up the disk. Rotation is done by an external application, thus, Filebeat needs information how to cooperate with it.
+
+When reading from rotating files make sure the paths configuration includes both the active file and all rotated files.
+
+By default, Filebeat is able to track files correctly in the following strategies:
+
+* create: new active file with a unique name is created on rotation
+* rename: rotated files are renamed
+
+However, in case of copytruncate strategy, you should provide additional configuration to Filebeat.
+
+
+### rotation.external.strategy.copytruncate [_rotation_external_strategy_copytruncate]
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+If the log rotating application copies the contents of the active file and then truncates the original file, use these options to help Filebeat to read files correctly.
+
+Set the option `suffix_regex` so Filebeat can tell active and rotated files apart. There are two supported suffix types in the input: numberic and date.
+
+
+
+## Numeric suffix [_numeric_suffix]
+
+If your rotated files have an incrementing index appended to the end of the filename, e.g. active file `apache.log` and the rotated files are named `apache.log.1`, `apache.log.2`, etc, use the following configuration.
+
+```yaml
+---
+rotation.external.strategy.copytruncate:
+  suffix_regex: \.\d$
+---
+```
+
+
+## Date suffix [_date_suffix]
+
+If the rotation date is appended to the end of the filename, e.g. active file `apache.log` and the rotated files are named `apache.log-20210526`, `apache.log-20210527`, etc. use the following configuration:
+
+```yaml
+---
+rotation.external.strategy.copytruncate:
+  suffix_regex: \-\d{6}$
+  dateformat: -20060102
+---
+```
+
+
+#### `encoding` [_encoding_2]
+
+The file encoding to use for reading data that contains international characters. See the encoding names [recommended by the W3C for use in HTML5](http://www.w3.org/TR/encoding/).
+
+Valid encodings:
+
+* `plain`: plain ASCII encoding
+* `utf-8` or `utf8`: UTF-8 encoding
+* `gbk`: simplified Chinese charaters
+* `iso8859-6e`: ISO8859-6E, Latin/Arabic
+* `iso8859-6i`: ISO8859-6I, Latin/Arabic
+* `iso8859-8e`: ISO8859-8E, Latin/Hebrew
+* `iso8859-8i`: ISO8859-8I, Latin/Hebrew
+* `iso8859-1`: ISO8859-1, Latin-1
+* `iso8859-2`: ISO8859-2, Latin-2
+* `iso8859-3`: ISO8859-3, Latin-3
+* `iso8859-4`: ISO8859-4, Latin-4
+* `iso8859-5`: ISO8859-5, Latin/Cyrillic
+* `iso8859-6`: ISO8859-6, Latin/Arabic
+* `iso8859-7`: ISO8859-7, Latin/Greek
+* `iso8859-8`: ISO8859-8, Latin/Hebrew
+* `iso8859-9`: ISO8859-9, Latin-5
+* `iso8859-10`: ISO8859-10, Latin-6
+* `iso8859-13`: ISO8859-13, Latin-7
+* `iso8859-14`: ISO8859-14, Latin-8
+* `iso8859-15`: ISO8859-15, Latin-9
+* `iso8859-16`: ISO8859-16, Latin-10
+* `cp437`: IBM CodePage 437
+* `cp850`: IBM CodePage 850
+* `cp852`: IBM CodePage 852
+* `cp855`: IBM CodePage 855
+* `cp858`: IBM CodePage 858
+* `cp860`: IBM CodePage 860
+* `cp862`: IBM CodePage 862
+* `cp863`: IBM CodePage 863
+* `cp865`: IBM CodePage 865
+* `cp866`: IBM CodePage 866
+* `ebcdic-037`: IBM CodePage 037
+* `ebcdic-1040`: IBM CodePage 1140
+* `ebcdic-1047`: IBM CodePage 1047
+* `koi8r`: KOI8-R, Russian (Cyrillic)
+* `koi8u`: KOI8-U, Ukranian (Cyrillic)
+* `macintosh`: Macintosh encoding
+* `macintosh-cyrillic`: Macintosh Cyrillic encoding
+* `windows1250`: Windows1250, Central and Eastern European
+* `windows1251`: Windows1251, Russian, Serbian (Cyrillic)
+* `windows1252`: Windows1252, Legacy
+* `windows1253`: Windows1253, Modern Greek
+* `windows1254`: Windows1254, Turkish
+* `windows1255`: Windows1255, Hebrew
+* `windows1256`: Windows1256, Arabic
+* `windows1257`: Windows1257, Estonian, Latvian, Lithuanian
+* `windows1258`: Windows1258, Vietnamese
+* `windows874`:  Windows874, ISO/IEC 8859-11, Latin/Thai
+* `utf-16-bom`: UTF-16 with required BOM
+* `utf-16be-bom`: big endian UTF-16 with required BOM
+* `utf-16le-bom`: little endian UTF-16 with required BOM
+
+The `plain` encoding is special, because it does not validate or transform any input.
+
+
+#### `exclude_lines` [filebeat-input-filestream-exclude-lines]
+
+A list of regular expressions to match the lines that you want Filebeat to exclude. Filebeat drops any lines that match a regular expression in the list. By default, no lines are dropped. Empty lines are ignored.
+
+The following example configures Filebeat to drop any lines that start with `DBG`.
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  ...
+  exclude_lines: ['^DBG']
+```
+
+See [Regular expression support](/reference/filebeat/regexp-support.md) for a list of supported regexp patterns.
+
+
+#### `include_lines` [filebeat-input-filestream-include-lines]
+
+A list of regular expressions to match the lines that you want Filebeat to include. Filebeat exports only the lines that match a regular expression in the list. By default, all lines are exported. Empty lines are ignored.
+
+The following example configures Filebeat to export any lines that start with `ERR` or `WARN`:
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  ...
+  include_lines: ['^ERR', '^WARN']
+```
+
+::::{note}
+If both `include_lines` and `exclude_lines` are defined, Filebeat executes `include_lines` first and then executes `exclude_lines`. The order in which the two options are defined doesn’t matter. The `include_lines` option will always be executed before the `exclude_lines` option, even if `exclude_lines` appears before `include_lines` in the config file.
+::::
+
+
+The following example exports all log lines that contain `sometext`, except for lines that begin with `DBG` (debug messages):
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  ...
+  include_lines: ['sometext']
+  exclude_lines: ['^DBG']
+```
+
+See [Regular expression support](/reference/filebeat/regexp-support.md) for a list of supported regexp patterns.
+
+
+#### `buffer_size` [_buffer_size]
+
+The size in bytes of the buffer that each harvester uses when fetching a file. The default is 16384.
+
+
+#### `message_max_bytes` [_message_max_bytes]
+
+The maximum number of bytes that a single log message can have. All bytes after `message_max_bytes` are discarded and not sent. The default is 10MB (10485760).
+
+
+#### `parsers` [_parsers]
+
+This option expects a list of parsers that the log line has to go through.
+
+Available parsers:
+
+* `multiline`
+* `ndjson`
+* `container`
+* `syslog`
+* `include_message`
+
+In this example, Filebeat is reading multiline messages that consist of 3 lines and are encapsulated in single-line JSON objects. The multiline message is stored under the key `msg`.
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  ...
+  parsers:
+    - ndjson:
+        target: ""
+        message_key: msg
+    - multiline:
+        type: count
+        count_lines: 3
+```
+
+See the available parser settings in detail below.
+
+
+#### `multiline` [_multiline_3]
+
+Options that control how Filebeat deals with log messages that span multiple lines. See [Multiline messages](/reference/filebeat/multiline-examples.md) for more information about configuring multiline options.
+
+
+#### `ndjson` [filebeat-input-filestream-ndjson]
+
+These options make it possible for Filebeat to decode logs structured as JSON messages. Filebeat processes the logs line by line, so the JSON decoding only works if there is one JSON object per message.
+
+The decoding happens before line filtering. You can combine JSON decoding with filtering if you set the `message_key` option. This can be helpful in situations where the application logs are wrapped in JSON objects, like when using Docker.
+
+Example configuration:
+
+```yaml
+- ndjson:
+    target: ""
+    add_error_key: true
+    message_key: log
+```
+
+**`target`**
+:   The name of the new JSON object that should contain the parsed key value pairs. If you leave it empty, the new keys will go under root.
+
+**`overwrite_keys`**
+:   Values from the decoded JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) in case of conflicts. Disable it if you want to keep previously added values.
+
+**`expand_keys`**
+:   If this setting is enabled, Filebeat will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`. This setting should be enabled when the input is produced by an [ECS logger](https://github.com/elastic/ecs-logging).
+
+**`add_error_key`**
+:   If this setting is enabled, Filebeat adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors or when a `message_key` is defined in the configuration but cannot be used.
+
+**`message_key`**
+:   An optional configuration setting that specifies a JSON key on which to apply the line filtering and multiline settings. If specified the key must be at the top level in the JSON object and the value associated with the key must be a string, otherwise no filtering or multiline aggregation will occur.
+
+**`document_id`**
+:   Option configuration setting that specifies the JSON key to set the document id. If configured, the field will be removed from the original JSON document and stored in `@metadata._id`
+
+**`ignore_decoding_error`**
+:   An optional configuration setting that specifies if JSON decoding errors should be logged or not. If set to true, errors will not be logged. The default is false.
+
+
+#### `container` [filebeat-input-filestream-parsers-container]
+
+Use the `container` parser to extract information from  containers log files. It parses lines into common message lines, extracting timestamps too.
+
+**`stream`**
+:   Reads from the specified streams only: `all`, `stdout` or `stderr`. The default is `all`.
+
+**`format`**
+:   Use the given format when parsing logs: `auto`, `docker` or `cri`. The default is `auto`, it will automatically detect the format. To disable autodetection set any of the other options.
+
+The following snippet configures Filebeat to read the `stdout` stream from all containers under the default Kubernetes logs path:
+
+```yaml
+  paths:
+    - "/var/log/containers/*.log"
+  parsers:
+    - container:
+        stream: stdout
+```
+
+
+#### `syslog` [_syslog]
+
+The `syslog` parser parses RFC 3146 and/or RFC 5424 formatted syslog messages.
+
+The supported configuration options are:
+
+**`format`**
+:   (Optional) The syslog format to use, `rfc3164`, or `rfc5424`. To automatically detect the format from the log entries, set this option to `auto`. The default is `auto`.
+
+**`timezone`**
+:   (Optional) IANA time zone name(e.g. `America/New York`) or a fixed time offset (e.g. +0200) to use when parsing syslog timestamps that do not contain a time zone. `Local` may be specified to use the machine’s local time zone. Defaults to `Local`.
+
+**`log_errors`**
+:   (Optional) If `true` the parser will log syslog parsing errors. Defaults to `false`.
+
+**`add_error_key`**
+:   (Optional) If this setting is enabled, the parser adds or appends to an `error.message` key with the parsing error that was encountered. Defaults to `true`.
+
+Example configuration:
+
+```yaml
+- syslog:
+    format: rfc3164
+    timezone: America/Chicago
+    log_errors: true
+    add_error_key: true
+```
+
+**Timestamps**
+
+The RFC 3164 format accepts the following forms of timestamps:
+
+* Local timestamp (`Mmm dd hh:mm:ss`):
+
+    * `Jan 23 14:09:01`
+
+* RFC-3339*:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+**Note**: The local timestamp (for example, `Jan 23 14:09:01`) that accompanies an RFC 3164 message lacks year and time zone information. The time zone will be enriched using the `timezone` configuration option, and the year will be enriched using the Filebeat system’s local time (accounting for time zones). Because of this, it is possible for messages to appear in the future. An example of when this might happen is logs generated on December 31 2021 are ingested on January 1 2022. The logs would be enriched with the year 2022 instead of 2021.
+
+The RFC 5424 format accepts the following forms of timestamps:
+
+* RFC-3339:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+Formats with an asterisk (*) are a non-standard allowance.
+
+
+#### `include_message` [_include_message]
+
+Use the `include_message` parser to filter messages in the parsers pipeline. Messages that match the provided pattern are passed to the next parser, the others are dropped.
+
+You should use `include_message` instead of `include_lines` if you would like to control when the filtering happens. `include_lines` runs after the parsers, `include_message` runs in the parsers pipeline.
+
+**`patterns`**
+:   List of regexp patterns to match.
+
+This example shows you how to include messages that start with the string ERR or WARN:
+
+```yaml
+  paths:
+    - "/var/log/containers/*.log"
+  parsers:
+    - include_message.patterns: ["^ERR", "^WARN"]
+```
+
+
+## Metrics [_metrics_8]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the activity of the input. Note that metrics from processors are not included.
+
+| Metric | Description |
+| --- | --- |
+| `files_opened_total` | Total number of files opened. |
+| `files_closed_total` | Total number of files closed. |
+| `files_active` | Number of files currently open (gauge). |
+| `messages_read_total` | Total number of messages read. |
+| `messages_truncated_total` | Total number of messages truncated. |
+| `bytes_processed_total` | Total number of bytes processed. |
+| `events_processed_total` | Total number of events processed. |
+| `processing_errors_total` | Total number of processing errors. |
+| `processing_time` | Histogram of the elapsed time to process messages (expressed in nanoseconds). |
+
+Note:
+
+
+## Common options [filebeat-input-filestream-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_9]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_9]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-filestream-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-filestream]
+
+If this option is set to true, the custom [fields](#filebeat-input-filestream-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_9]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_9]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_9]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_9]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_9]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
diff --git a/docs/reference/filebeat/filebeat-input-gcp-pubsub.md b/docs/reference/filebeat/filebeat-input-gcp-pubsub.md
new file mode 100644
index 000000000000..157d612fbbab
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-gcp-pubsub.md
@@ -0,0 +1,165 @@
+---
+navigation_title: "GCP Pub/Sub"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-gcp-pubsub.html
+---
+
+# GCP Pub/Sub input [filebeat-input-gcp-pubsub]
+
+
+Use the `gcp-pubsub` input to read messages from a Google Cloud Pub/Sub topic subscription.
+
+This input can, for example, be used to receive Stackdriver logs that have been exported to a Google Cloud Pub/Sub topic.
+
+Multiple Filebeat instances can be configured to read from the same subscription to achieve high-availability or increased throughput.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: gcp-pubsub
+  project_id: my-gcp-project-id
+  topic: vpc-firewall-logs-topic
+  subscription.name: filebeat-vpc-firewall-logs-sub
+  credentials_file: ${path.config}/my-pubsub-subscriber-credentials.json
+```
+
+## Configuration options [_configuration_options_9]
+
+The `gcp-pubsub` input supports the following configuration options plus the [Common options](#filebeat-input-gcp-pubsub-common-options) described later.
+
+
+### `project_id` [_project_id]
+
+Google Cloud project ID. Required.
+
+
+### `topic` [_topic]
+
+Google Cloud Pub/Sub topic name. Required.
+
+
+### `subscription.name` [_subscription_name]
+
+Name of the subscription to read from. Required.
+
+
+### `subscription.create` [_subscription_create]
+
+Boolean value that configures the input to create the subscription if it does not exist. The default value is `true`.
+
+
+### `subscription.num_goroutines` [_subscription_num_goroutines]
+
+Number of goroutines to create to read from the subscription. This does not limit the number of messages that can be processed concurrently or the maximum number of goroutines the input will create. Even with one goroutine, many messages might be processed at once, because that goroutine may continually receive messages. To limit the number of messages being processed concurrently, set `subscription.max_outstanding_messages`. Default is 1.
+
+
+### `subscription.max_outstanding_messages` [_subscription_max_outstanding_messages]
+
+The maximum number of unprocessed messages (unacknowledged but not yet expired). If the value is negative, then there will be no limit on the number of unprocessed messages. Due to the presence of internal queue, the input gets blocked until `queue.mem.flush.min_events` or `queue.mem.flush.timeout` is reached. To prevent this blockage, this option must be at least `queue.mem.flush.min_events`. Default is 1600.
+
+
+### `credentials_file` [_credentials_file]
+
+Path to a JSON file containing the credentials and key used to subscribe. As an alternative you can use the `credentials_json` config option or rely on [Google Application Default Credentials](https://cloud.google.com/docs/authentication/production) (ADC).
+
+
+### `credentials_json` [_credentials_json]
+
+JSON blob containing the credentials and key used to subscribe. This can be as an alternative to `credentials_file` if you want to embed the credential data within your config file or put the information into a keystore. You may also use [Google Application Default Credentials](https://cloud.google.com/docs/authentication/production) (ADC).
+
+
+## Common options [filebeat-input-gcp-pubsub-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_10]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_10]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: gcp-pubsub
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-gcp-pubsub-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: gcp-pubsub
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-gcp-pubsub]
+
+If this option is set to true, the custom [fields](#filebeat-input-gcp-pubsub-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_10]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_10]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_10]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_10]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_10]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
+## Metrics [_metrics_9]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the activity of the input.
+
+| Metric | Description |
+| --- | --- |
+| `acked_message_total` | Number of successfully ACKed messages. |
+| `failed_acked_message_total` | Number of failed ACKed messages. |
+| `nacked_message_total` | Number of NACKed messages. |
+| `bytes_processed_total` | Number of bytes processed. |
+| `processing_time` | Histogram of the elapsed time for processing an event in nanoseconds. |
+
+
diff --git a/docs/reference/filebeat/filebeat-input-gcs.md b/docs/reference/filebeat/filebeat-input-gcs.md
new file mode 100644
index 000000000000..99a77fdb3024
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-gcs.md
@@ -0,0 +1,531 @@
+---
+navigation_title: "Google Cloud Storage"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-gcs.html
+---
+
+# Google Cloud Storage Input [filebeat-input-gcs]
+
+
+Use the `google cloud storage input` to read content from files stored in buckets which reside on your Google Cloud. The input can be configured to work with and without polling, though if polling is disabled it will only perform a single collection of data, list the file contents and end the process.
+
+**To mitigate errors and ensure a stable processing environment, this input employs the following features :**
+
+1. When processing google cloud buckets, if suddenly there is any outage, the process will be able to resume post the last file it processed and was successfully able to save the state for.
+2. If any errors occur for certain files, they will be logged appropriately, but the rest of the files will continue to be processed normally.
+3. If any major error occurs which stops the main thread, the logs will be appropriately generated, describing said error.
+
+**Config Option Removal Notice** : The `bucket_timeout` config option has been removed from the google cloud storage input. The intention behind this removal is to simplify the configuration and to make it more user friendly. The `bucket_timeout` option was confusing and had the potential to let users malconfigure the input, which could lead to unexpected behavior. The input now uses a more robust and efficient way to handle the bucket timeout internally.
+
+::::{note}
+:name: supported-types-gcs
+
+Currently only `JSON` and `NDJSON` are supported object/file formats. Objects/files may be also be gzip compressed. "JSON credential keys" and "credential files" are supported authentication types. If an array is present as the root object for an object/file, it is automatically split into individual objects and processed. If a download for a file/object fails or gets interrupted, the download is retried for 2 times. This is currently not user configurable.
+::::
+
+
+$$$basic-config-gcs$$$
+**A sample configuration with detailed explanation for each field is given below :-**
+
+```yaml
+filebeat.inputs:
+- type: gcs
+  id: my-gcs-id
+  enabled: true
+  project_id: my_project_id
+  auth.credentials_file.path: {{file_path}}/{{creds_file_name}}.json
+  parse_json: true
+  buckets:
+  - name: gcs-test-new
+    max_workers: 3
+    poll: true
+    poll_interval: 15s
+  - name: gcs-test-old
+    max_workers: 3
+    poll: true
+    poll_interval: 10s
+```
+
+**Explanation :** This `configuration` given above describes a basic gcs config having two buckets named `gcs-test-new` and `gcs-test-old`. Each of these buckets have their own attributes such as `name`, `max_workers`, `poll` and `poll_interval`. These attributes have detailed explanations given [below](#supported-attributes-gcs). For now lets try to understand how this config works.
+
+For google cloud storage input to identify the files it needs to read and process, it will require the bucket names to be specified. We can have as many buckets as we deem fit. We are also able to configure the attributes `max_workers`, `poll` and `poll_interval` at the root level, which will then be applied to all buckets which do not specify any of these attributes explicitly.
+
+::::{note}
+If the attributes `max_workers`, `poll` and `poll_interval` are specified at the root level, these can still be overridden at the bucket level with different values, thus offering extensive flexibility and customization. Examples [below](#bucket-overrides) show this behavior.
+::::
+
+
+On receiving this config the google cloud storage input will connect to the service and retrieve a `Storage Client` using the given `bucket_name` and `auth.credentials_file`, then it will spawn two main go-routines, one for each bucket. After this each of these routines (threads) will initialize a scheduler which will in turn use the `max_workers` value to initialize an in-memory worker pool (thread pool) with `3` `workers` available. Basically that equates to two instances of a worker pool, one per bucket, each having 3 workers. These `workers` will be responsible for performing `jobs` that process a file (in this case read and output the contents of a file).
+
+::::{note}
+The scheduler is responsible for scheduling jobs, and uses the `maximum available workers` in the pool, at each iteration, to decide the number of files to retrieve and process. This keeps work distribution efficient. The scheduler uses `poll_interval` attribute value to decide how long to wait after each iteration. Each iteration consists of processing a certain number of files, decided by the `maximum available workers` value.
+::::
+
+
+**A Sample Response :-**
+
+```json
+{
+  "@timestamp": "2022-09-01T13:54:24.588Z",
+  "@metadata": {
+    "beat": "filebeat",
+    "type": "_doc",
+    "version": "8.5.0",
+    "_id": "gcs-test-new-data_3.json-worker-1"
+  },
+  "log": {
+    "offset": 200,
+    "file": {
+      "path": "gs://gcs-test-new/data_3.json"
+    }
+  },
+  "input": {
+    "type": "gcs"
+  },
+  "message": "{\n    \"id\": 1,\n    \"title\": \"iPhone 9\",\n    \"description\": \"An apple mobile which is nothing like apple\",\n    \"price\": 549,\n    \"discountPercentage\": 12.96,\n    \"rating\": 4.69,\n    \"stock\": 94,\n    \"brand\": \"Apple\",\n    \"category\": \"smartphones\",\n    \"thumbnail\": \"https://dummyjson.com/image/i/products/1/thumbnail.jpg\",\n    \"images\": [\n        \"https://dummyjson.com/image/i/products/1/1.jpg\",\n        \"https://dummyjson.com/image/i/products/1/2.jpg\",\n        \"https://dummyjson.com/image/i/products/1/3.jpg\",\n        \"https://dummyjson.com/image/i/products/1/4.jpg\",\n        \"https://dummyjson.com/image/i/products/1/thumbnail.jpg\"\n    ]\n}\n",
+  "cloud": {
+    "provider": "goole cloud"
+  },
+  "gcs": {
+    "storage": {
+      "bucket": {
+        "name": "gcs-test-new"
+      },
+      "object": {
+        "name": "data_3.json",
+        "content_type": "application/json",
+        "json_data": [
+          {
+            "id": 1,
+            "discountPercentage": 12.96,
+            "rating": 4.69,
+            "brand": "Apple",
+            "price": 549,
+            "category": "smartphones",
+            "thumbnail": "https://dummyjson.com/image/i/products/1/thumbnail.jpg",
+            "description": "An apple mobile which is nothing like apple",
+            "title": "iPhone 9",
+            "stock": 94,
+            "images": [
+              "https://dummyjson.com/image/i/products/1/1.jpg",
+              "https://dummyjson.com/image/i/products/1/2.jpg",
+              "https://dummyjson.com/image/i/products/1/3.jpg",
+              "https://dummyjson.com/image/i/products/1/4.jpg",
+              "https://dummyjson.com/image/i/products/1/thumbnail.jpg"
+            ]
+          }
+        ]
+      }
+    }
+  },
+  "event": {
+    "kind": "publish_data"
+  }
+}
+```
+
+As we can see from the response above, the `message` field contains the original stringified data while the `gcs.storage.object.data` contains the objectified data.
+
+**Some of the key attributes are as follows :-**
+
+1. **message** : Original stringified object data.
+2. **log.file.path** : Path of the object in google cloud.
+3. **gcs.storage.bucket.name** : Name of the bucket from which the file has been read.
+4. **gcs.storage.object.name** : Name of the file/object which has been read.
+5. **gcs.storage.object.content_type** : Content type of the file/object. You can find the supported content types [here](#supported-types-gcs) .
+6. **gcs.storage.object.json_data** :  Objectified json file data, representing the contents of the file.
+
+Now let’s explore the configuration attributes a bit more elaborately.
+
+$$$supported-attributes-gcs$$$
+**Supported Attributes :-**
+
+1. [project_id](#attrib-project-id)
+2. [auth.credentials_json.account_key](#attrib-auth-credentials-json)
+3. [auth.credentials_file.path](#attrib-auth-credentials-file)
+4. [buckets](#attrib-buckets)
+5. [name](#attrib-bucket-name)
+6. [max_workers](#attrib-max_workers-gcs)
+7. [poll](#attrib-poll-gcs)
+8. [poll_interval](#attrib-poll_interval-gcs)
+9. [parse_json](#attrib-parse_json)
+10. [file_selectors](#attrib-file_selectors-gcs)
+11. [expand_event_list_from_field](#attrib-expand_event_list_from_field-gcs)
+12. [timestamp_epoch](#attrib-timestamp_epoch-gcs)
+13. [retry](#attrib-retry-gcs)
+
+
+### `project_id` [attrib-project-id]
+
+This attribute is required for various internal operations with respect to authentication, creating storage clients and logging which are used internally for various processing purposes.
+
+
+### `auth.credentials_json.account_key` [attrib-auth-credentials-json]
+
+This attribute contains the **json service account credentials string**, which can be generated from the google cloud console, ref: [https://cloud.google.com/iam/docs/creating-managing-service-account-keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys), under the respective storage account. A single storage account can contain multiple buckets, and they will all use this common service account access key.
+
+
+### `auth.credentials_file.path` [attrib-auth-credentials-file]
+
+This attribute contains the **service account credentials file**, which can be generated from the google cloud console, ref: [https://cloud.google.com/iam/docs/creating-managing-service-account-keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys), under the respective storage account. A single storage account can contain multiple buckets, and they will all use this common service account credentials file.
+
+::::{note}
+We require only either of `auth.credentials_json.account_key` or `auth.credentials_file.path` to be specified for authentication purposes. If both attributes are specified, then the one that occurs first in the configuration will be used.
+::::
+
+
+
+### `buckets` [attrib-buckets]
+
+This attribute contains the details about a specific bucket like `name`, `max_workers`, `poll` and `poll_interval`. The attribute `name` is specific to a bucket as it describes the bucket name, while the fields `max_workers`, `poll` and `poll_interval` can exist both at the bucket level and the root level. This attribute is internally represented as an array, so we can add as many buckets as we require.
+
+
+### `name` [attrib-bucket-name]
+
+This is a specific subfield of a bucket. It specifies the bucket name.
+
+
+### `max_workers` [attrib-max_workers-gcs]
+
+This attribute defines the maximum number of workers (goroutines / lightweight threads) are allocated in the worker pool (thread pool) for processing jobs which read the contents of files. This attribute can be specified both at the root level of the configuration and at the bucket level. Bucket level values override the root level values if both are specified. Larger number of workers do not necessarily improve of throughput, and this should be carefully tuned based on the number of files, the size of the files being processed and resources available. Increasing `max_workers` to very high values may cause resource utilization problems and can lead to a bottleneck in processing. Usually a maximum cap of `2000` workers is recommended. A very low `max_worker` count will drastically increase the number of network calls required to fetch the objects, which can cause a bottleneck in processing.
+
+::::{note}
+The value of `max_workers` is tied to the `batch_size` currently to ensure even distribution of workloads across all goroutines. This ensures that the input is able to process the files in an efficient manner. This `batch_size` determines how many objects will be fetched in one single call. The `max_workers` value should be set based on the number of files to be read, the resources available and the network speed. For example,`max_workers=3` would mean that every pagination request a total number of `3` gcs objects are fetched and distributed among `3 goroutines`, `max_workers=100` would mean `100` gcs objects are fetched in every pagination request and distributed among `100 goroutines`.
+::::
+
+
+
+### `poll` [attrib-poll-gcs]
+
+This attribute informs the scheduler whether to keep polling for new files or not. Default value of this is set to `true`. This attribute can be specified both at the root level of the configuration as well at the bucket level. The bucket level values will always take priority and override the root level values if both are specified.
+
+
+### `poll_interval` [attrib-poll_interval-gcs]
+
+This attribute defines the maximum amount of time after which the internal scheduler will make the polling call for the next set of objects/files. It can be defined in the following formats : `{{x}}s`, `{{x}}m`, `{{x}}h`, here `s = seconds`, `m = minutes` and `h = hours`. The value `{{x}}` can be anything we wish. Example : `10s` would mean we would like the polling to occur every 10 seconds. If no value is specified for this, by default its initialized to `5 minutes`. This attribute can be specified both at the root level of the configuration as well at the bucket level. The bucket level values will always take priority and override the root level values if both are specified. Having a lower `poll_interval` can make the input faster at the cost of more resource utilization.
+
+
+### `parse_json` [attrib-parse_json]
+
+This attribute informs the publisher  whether to parse & objectify json data or not. By default this is set to `false`, since it can get expensive dealing with highly nested json data. If this is set to `false` the **gcs.storage.object.json_data** field in the response will have an empty array. This attribute is only applicable for json objects and has no effect on other types of objects. This attribute can be specified both at the root level of the configuration as well at the bucket level. The bucket level values will always take priority and override the root level values if both are specified.
+
+
+### `encoding` [input-gcs-encoding]
+
+The file encoding to use for reading data that contains international characters. This only applies to non-JSON logs. See [`encoding`](/reference/filebeat/filebeat-input-log.md#_encoding_3).
+
+
+### `decoding` [input-gcs-decoding]
+
+The file decoding option is used to specify a codec that will be used to decode the file contents. This can apply to any file stream data. An example config is shown below:
+
+Currently supported codecs are given below:-
+
+1. [CSV](#attrib-decoding-csv-gcs): This codec decodes RFC 4180 CSV data streams.
+
+
+### `the CSV codec` [attrib-decoding-csv-gcs]
+
+The `CSV` codec is used to decode RFC 4180 CSV data streams. Enabling the codec without other options will use the default codec options.
+
+```yaml
+  decoding.codec.csv.enabled: true
+```
+
+The CSV codec supports five sub attributes to control aspects of CSV decoding. The `comma` attribute specifies the field separator character used by the CSV format. If it is not specified, the comma character *`,`* is used. The `comment` attribute specifies the character that should be interpreted as a comment mark. If it is specified, lines starting with the character will be ignored. Both `comma` and `comment` must be single characters. The `lazy_quotes` attribute controls how quoting in fields is handled. If `lazy_quotes` is true, a quote may appear in an unquoted field and a non-doubled quote may appear in a quoted field. The `trim_leading_space` attribute specifies that leading white space should be ignored, even if the `comma` character is white space. For complete details of the preceding configuration attribute behaviors, see the CSV decoder [documentation](https://pkg.go.dev/encoding/csv#Reader) The `fields_names` attribute can be used to specify the column names for the data. If it is absent, the field names are obtained from the first non-comment line of data. The number of fields must match the number of field names.
+
+An example config is shown below:
+
+```yaml
+  decoding.codec.csv.enabled: true
+  decoding.codec.csv.comma: "\t"
+  decoding.codec.csv.comment: "#"
+```
+
+
+### `file_selectors` [attrib-file_selectors-gcs]
+
+If the GCS buckets have objects that correspond to files that Filebeat shouldn’t process, `file_selectors` can be used to limit the files that are downloaded. This is a list of selectors which are based on a regular expression pattern. The regular expression should match the object name or should be a part of the object name (ideally a prefix). The regular expression syntax used is [RE2](https://github.com/google/re2/wiki/Syntax). Files that don’t match any configured expression won’t be processed.This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always take priority and override the root level values if both are specified.
+
+```yaml
+filebeat.inputs:
+- type: gcs
+  project_id: my_project_id
+  auth.credentials_file.path: {{file_path}}/{{creds_file_name}}.json
+  buckets:
+  - name: obs-bucket
+    max_workers: 3
+    poll: true
+    poll_interval: 15s
+    file_selectors:
+    - regex: '/Monitoring/'
+    - regex: 'docs/'
+    - regex: '/Security-Logs/'
+```
+
+The `file_selectors` operation is performed within the agent locally, hence using this option will cause the agent to download all the files and then filter them. This can cause a bottleneck in processing if the number of files is very high. It is recommended to use this attribute only when the number of files is limited or ample resources are available.
+
+
+### `expand_event_list_from_field` [attrib-expand_event_list_from_field-gcs]
+
+If the file-set using this input expects to receive multiple messages bundled under a specific field or an array of objects then the config option for `expand_event_list_from_field` can be specified. This setting will be able to split the messages under the group value into separate events. For example, if you have logs that are in JSON format and events are found under the JSON object "Records". To split the events into separate events, the config option `expand_event_list_from_field` can be set to "Records". This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always take priority and override the root level values if both are specified.
+
+```json
+{
+    "Records": [
+        {
+            "eventVersion": "1.07",
+            "eventTime": "2019-11-14T00:51:00Z",
+            "region": "us-east-1",
+            "eventID": "EXAMPLE8-9621-4d00-b913-beca2EXAMPLE",
+        },
+        {
+            "eventVersion": "1.07",
+            "eventTime": "2019-11-14T00:52:00Z",
+            "region": "us-east-1",
+            "eventID": "EXAMPLEc-28be-486c-8928-49ce6EXAMPLE",
+        }
+    ]
+}
+```
+
+```yaml
+filebeat.inputs:
+- type: gcs
+  project_id: my_project_id
+  auth.credentials_file.path: {{file_path}}/{{creds_file_name}}.json
+  buckets:
+  - name: obs-bucket
+    max_workers: 3
+    poll: true
+    poll_interval: 15s
+    expand_event_list_from_field: Records
+```
+
+::::{note}
+The `parse_json` setting is incompatible with `expand_event_list_from_field`. If enabled it will be ignored. This attribute is only applicable for JSON file formats. You do not need to specify this attribute if the file has an array of objects at the root level. Root level array of objects are automatically split into separate events. If failures occur or the input crashes due to some unexpected error, the processing will resume from the last successfully processed file or object.
+::::
+
+
+
+### `timestamp_epoch` [attrib-timestamp_epoch-gcs]
+
+This attribute can be used to filter out files and objects that have a timestamp older than the specified value. The value of this attribute should be in unix `epoch` (seconds) format. The timestamp value is compared with the `object.Updated` field obtained from the object metadata. This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always take priority and override the root level values if both are specified.
+
+```yaml
+filebeat.inputs:
+- type: gcs
+  project_id: my_project_id
+  auth.credentials_file.path: {{file_path}}/{{creds_file_name}}.json
+  buckets:
+  - name: obs-bucket
+    max_workers: 3
+    poll: true
+    poll_interval: 15s
+    timestamp_epoch: 1630444800
+```
+
+The GCS APIs don’t provide a direct way to filter files based on the timestamp, so the input will download all the files and then filter them based on the timestamp. This can cause a bottleneck in processing if the number of files are very high. It is recommended to use this attribute only when the number of files are limited or ample resources are available. This option scales vertically and not horizontally.
+
+
+### `retry` [attrib-retry-gcs]
+
+This attribute can be used to configure a list of sub attributes that directly control how the input should behave when a download for a file/object fails or gets interrupted.
+
+* `max_attempts`: This attribute defines the maximum number of retry attempts(including the initial api call) that should be attempted for a retryable error. The default value for this is `3`.
+* `initial_backoff_duration`: This attribute defines the initial backoff time. The default value for this is `1s`.
+* `max_backoff_duration`: This attribute defines the maximum backoff time. The default value for this is `30s`.
+* `backoff_multiplier`: This attribute defines the backoff multiplication factor. The default value for this is `2`.
+
+::::{note}
+The `initial_backoff_duration` and `max_backoff_duration` attributes must have time units. Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
+::::
+
+
+By configuring these attributes, the user is given the flexibility to control how the input should behave when a download fails or gets interrupted. This attribute can only be specified at the root level of the configuration and not at the bucket level. It applies uniformly to all the buckets.
+
+An example configuration is given below :-
+
+```yaml
+filebeat.inputs:
+- type: gcs
+  project_id: my_project_id
+  auth.credentials_file.path: {{file_path}}/{{creds_file_name}}.json
+  retry:
+    max_attempts: 3
+    initial_backoff_duration: 2s
+    max_backoff_duration: 60s
+    backoff_multiplier: 2
+  buckets:
+  - name: obs-bucket
+    max_workers: 3
+    poll: true
+    poll_interval: 11m
+```
+
+$$$bucket-overrides$$$
+**The sample configs below will explain the bucket level overriding of attributes a bit further :-**
+
+**CASE - 1 :**
+
+Here `bucket_1` is using root level attributes while `bucket_2` overrides the values :
+
+```yaml
+filebeat.inputs:
+- type: gcs
+  id: my-gcs-id
+  enabled: true
+  project_id: my_project_id
+  auth.credentials_file.path: {{file_path}}/{{creds_file_name}}.json
+  max_workers: 10
+  poll: true
+  poll_interval: 15s
+  buckets:
+  - name: bucket_1
+  - name: bucket_2
+    max_workers: 3
+    poll: true
+    poll_interval: 10s
+```
+
+**Explanation :** In this configuration `bucket_1` has no sub attributes in `max_workers`, `poll` and `poll_interval` defined. It inherits the values for these fileds from the root level, which is `max_workers = 10`, `poll = true` and `poll_interval = 15 seconds`. However `bucket_2` has these fields defined and it will use those values instead of using the root values.
+
+**CASE - 2 :**
+
+Here both `bucket_1` and `bucket_2` overrides the root values :
+
+```yaml
+filebeat.inputs:
+  - type: gcs
+    id: my-gcs-id
+    enabled: true
+    project_id: my_project_id
+    auth.credentials_file.path: {{file_path}}/{{creds_file_name}}.json
+    max_workers: 10
+    poll: true
+    poll_interval: 15s
+    buckets:
+    - name: bucket_1
+      max_workers: 5
+      poll: true
+      poll_interval: 10s
+    - name: bucket_2
+      max_workers: 5
+      poll: true
+      poll_interval: 10s
+```
+
+**Explanation :** In this configuration even though we have specified `max_workers = 10`, `poll = true` and `poll_interval = 15s` at the root level, both the buckets will override these values with their own respective values which are defined as part of their sub attibutes.
+
+
+## Metrics [_metrics_10]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the activity of the input.
+
+| Metric | Description |
+| --- | --- |
+| `url` | URL of the input resource. |
+| `errors_total` | Total number of errors encountered by the input. |
+| `decode_errors_total` | Total number of decode errors encountered by the input. |
+| `gcs_objects_requested_total` | Total number of GCS objects downloaded. |
+| `gcs_objects_published_total` | Total number of GCS objects processed that were published. |
+| `gcs_objects_listed_total` | Total number of GCS objects returned by list operations. |
+| `gcs_bytes_processed_total` | Total number of GCS bytes processed. |
+| `gcs_events_created_total` | Total number of events created from processing GCS data. |
+| `gcs_failed_jobs_total` | Total number of failed jobs. |
+| `gcs_expired_failed_jobs_total` | Total number of expired failed jobs that could not be recovered. |
+| `gcs_objects_tracked_gauge` | Number of objects currently tracked in the state registry (gauge). |
+| `gcs_objects_inflight_gauge` | Number of GCS objects inflight (gauge). |
+| `gcs_jobs_scheduled_after_validation` | Histogram of the number of jobs scheduled after validation. |
+| `gcs_object_processing_time` | Histogram of the elapsed GCS object processing times in nanoseconds (start of download to completion of parsing). |
+| `gcs_object_size_in_bytes` | Histogram of processed GCS object size in bytes. |
+| `gcs_events_per_object` | Histogram of event count per GCS object. |
+| `source_lag_time` | Histogram of the time between the source (Updated) timestamp and the time the object was read, in nanoseconds. |
+
+## Common input options [_common_input_options]
+
+
+
+## Common options [filebeat-input-gcs-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_11]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_11]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: gcs
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-gcs-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: gcs
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-gcs]
+
+If this option is set to true, the custom [fields](#filebeat-input-gcs-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_11]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_11]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_11]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_11]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_11]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+::::{note}
+Any feedback is welcome which will help us further optimize this input. Please feel free to open a github issue for any bugs or feature requests.
+::::
diff --git a/docs/reference/filebeat/filebeat-input-http_endpoint.md b/docs/reference/filebeat/filebeat-input-http_endpoint.md
new file mode 100644
index 000000000000..a1f8df9da465
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-http_endpoint.md
@@ -0,0 +1,470 @@
+---
+navigation_title: "HTTP Endpoint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-http_endpoint.html
+---
+
+# HTTP Endpoint input [filebeat-input-http_endpoint]
+
+
+The HTTP Endpoint input initializes a listening HTTP server that collects incoming HTTP POST requests containing a JSON body. The body must be either an object or an array of objects, otherwise a Common Expression Language expression that converts the the JSON body to these types can be provided. Any other data types will result in an HTTP 400 (Bad Request) response. For arrays, one document is created for each object in the array.
+
+gzip encoded request bodies are supported if a `Content-Encoding: gzip` header is sent with the request.
+
+This input can for example be used to receive incoming webhooks from a third-party application or service.
+
+Multiple endpoints may be assigned to a single address and port, and the HTTP Endpoint input will resolve requests based on the URL pattern configuration. If multiple endpoints are configured on a single address they must all have the same TLS configuration, either all disabled or all enabled with identical configurations.
+
+These are the possible response codes from the server.
+
+| HTTP Response Code | Name | Reason |
+| --- | --- | --- |
+| 200 | OK | Returned on success. |
+| 400 | Bad Request | Returned if JSON body decoding fails or if `wait_for_completion_timeout` query validation fails. |
+| 401 | Unauthorized | Returned when basic auth, secret header, or HMAC validation fails. |
+| 405 | Method Not Allowed | Returned if methods other than POST are used. |
+| 406 | Not Acceptable | Returned if the POST request does not contain a body. |
+| 415 | Unsupported Media Type | Returned if the Content-Type is not application/json. Or if Content-Encoding is present and is not gzip. |
+| 500 | Internal Server Error | Returned if an I/O error occurs reading the request. |
+| 503 | Service Unavailable | Returned if the length of the request body would take the total number of in-flight bytes above the configured `max_in_flight_bytes` value. |
+| 504 | Gateway Timeout | Returned if a request publication cannot be ACKed within the required timeout. |
+
+The endpoint will enforce end-to-end ACK when a URL query parameter `wait_for_completion_timeout` with a duration is provided. For example `http://localhost:8080/?wait_for_completion_timeout=1m` will wait up to 1 minute for the event to be published to the cluster and then return the user-defined response message. In the case that the publication does not complete within the timeout duration, the HTTP response will have a 504 Gateway Timeout status code. The syntax for durations is a number followed by units which may be h, m and s. No other HTTP query is accepted. If another query parameter is provided or duration syntax is incorrect, the request will fail with an HTTP 400 "Bad Request" status.
+
+Example configurations:
+
+Basic example:
+
+```yaml
+filebeat.inputs:
+- type: http_endpoint
+  enabled: true
+  listen_address: 192.168.1.1
+  listen_port: 8080
+```
+
+Custom response example:
+
+```yaml
+filebeat.inputs:
+- type: http_endpoint
+  enabled: true
+  listen_address: 192.168.1.1
+  listen_port: 8080
+  response_code: 200
+  response_body: '{"message": "success"}'
+  url: "/"
+  prefix: "json"
+```
+
+Map request to root of document example:
+
+```yaml
+filebeat.inputs:
+- type: http_endpoint
+  enabled: true
+  listen_address: 192.168.1.1
+  listen_port: 8080
+  prefix: "."
+```
+
+Multiple endpoints example:
+
+```yaml
+filebeat.inputs:
+- type: http_endpoint
+  enabled: true
+  listen_address: 192.168.1.1
+  listen_port: 8080
+  url: "/open/"
+  tags: [open]
+- type: http_endpoint
+  enabled: true
+  listen_address: 192.168.1.1
+  listen_port: 8080
+  url: "/admin/"
+  basic_auth: true
+  username: adminuser
+  password: somepassword
+  tags: [admin]
+```
+
+Disable Content-Type checks
+
+```yaml
+filebeat.inputs:
+- type: http_endpoint
+  enabled: true
+  listen_address: 192.168.1.1
+  content_type: ""
+  prefix: "json"
+```
+
+Basic auth and SSL example:
+
+```yaml
+filebeat.inputs:
+- type: http_endpoint
+  enabled: true
+  listen_address: 192.168.1.1
+  listen_port: 8080
+  ssl.enabled: true
+  ssl.certificate: "/home/user/server.pem"
+  ssl.key: "/home/user/server.key"
+  ssl.verification_mode: "none"
+  ssl.certificate_authority: "/home/user/ca.pem"
+  basic_auth: true
+  username: someuser
+  password: somepassword
+```
+
+Authentication or checking that a specific header includes a specific value
+
+```yaml
+filebeat.inputs:
+- type: http_endpoint
+  enabled: true
+  listen_address: 192.168.1.1
+  listen_port: 8080
+  secret.header: someheadername
+  secret.value: secretheadertoken
+```
+
+Validate webhook endpoint for a specific provider using CRC
+
+```yaml
+filebeat.inputs:
+- type: http_endpoint
+  enabled: true
+  listen_address: 192.168.1.1
+  listen_port: 8080
+  secret.header: someheadername
+  secret.value: secretheadertoken
+  crc.provider: webhookProvider
+  crc.secret: secretToken
+```
+
+Validate a HMAC signature from a specific header
+
+```yaml
+filebeat.inputs:
+- type: http_endpoint
+  enabled: true
+  listen_address: 192.168.1.1
+  listen_port: 8080
+  hmac.header: "X-Hub-Signature-256"
+  hmac.key: "password123"
+  hmac.type: "sha256"
+  hmac.prefix: "sha256="
+```
+
+Preserving original event and including headers in document
+
+```yaml
+filebeat.inputs:
+- type: http_endpoint
+  enabled: true
+  listen_address: 192.168.1.1
+  listen_port: 8080
+  preserve_original_event: true
+  include_headers: ["TestHeader"]
+```
+
+Common Expression Language example:
+
+```yaml
+filebeat.inputs:
+- type: http_endpoint
+  enabled: true
+  listen_address: 192.168.1.1
+  listen_port: 8080
+  program: |
+    obj.records.map(r, {
+     "requestId": obj.requestId,
+     "timestamp": string(obj.timestamp),
+     "event": r,
+    })
+```
+
+This example would allow handling of a JSON body that is an object containing more than one event that each should be ingested as separate documents with the common timestamp and request ID:
+
+```json
+{
+  "requestId": "ed4acda5-034f-9f42-bba1-f29aea6d7d8f",
+  "timestamp": 1578090901599,
+  "records": [
+    {
+      "data": "event record 1"
+    },
+    {
+      "data": "event record 2"
+    }
+  ]
+}
+```
+
+## Configuration options [_configuration_options_10]
+
+The `http_endpoint` input supports the following configuration options plus the [Common options](#filebeat-input-http_endpoint-common-options) described later.
+
+
+### `basic_auth` [_basic_auth]
+
+Enables or disables HTTP basic auth for each incoming request. If enabled then `username` and `password` will also need to be configured.
+
+
+### `username` [_username]
+
+If `basic_auth` is enabled, this is the username used for authentication against the HTTP listener. Requires `password` to also be set.
+
+
+### `password` [_password]
+
+If `basic_auth` is enabled, this is the password used for authentication against the HTTP listener. Requires `username` to also be set.
+
+
+### `secret.header` [_secret_header]
+
+The header to check for a specific value specified by `secret.value`. Certain webhooks provide the possibility to include a special header and secret to identify the source.
+
+
+### `secret.value` [_secret_value]
+
+The secret stored in the header name specified by `secret.header`. Certain webhooks provide the possibility to include a special header and secret to identify the source.
+
+
+### `hmac.header` [_hmac_header]
+
+The name of the header that contains the HMAC signature: `X-Dropbox-Signature`, `X-Hub-Signature-256`, etc. HMAC signatures may be encoded as hex or base64.
+
+
+### `hmac.key` [_hmac_key]
+
+The secret key used to calculate the HMAC signature. Typically, the webhook sender provides this value.
+
+
+### `hmac.type` [_hmac_type]
+
+The hash algorithm to use for the HMAC comparison. At this time the only valid values are `sha256` or `sha1`.
+
+
+### `hmac.prefix` [_hmac_prefix]
+
+The prefix for the signature. Certain webhooks prefix the HMAC signature with a value, for example `sha256=`.
+
+
+### `content_type` [_content_type]
+
+By default the input expects the incoming POST to include a Content-Type of `application/json` to try to enforce the incoming data to be valid JSON. In certain scenarios when the source of the request is not able to do that, it can be overwritten with another value or set to null.
+
+
+### `max_in_flight_bytes` [_max_in_flight_bytes]
+
+The total sum of request body lengths that are allowed at any given time. If non-zero, the input will compare this value to the sum of in-flight request body lengths from requests that include a `wait_for_completion_timeout` request query and will return a 503 HTTP status code, along with a Retry-After header configured with the `retry_after` option. The default value for this option is zero, no limit.
+
+
+### `retry_after` [_retry_after]
+
+If a request has exceeded the `max_in_flight_bytes` limit, the response to the client will include a Retry-After header specifying how many seconds the client should wait to retry again. The default value for this option is 10 seconds.
+
+
+### `program` [_program]
+
+The normal operation of the input treats the body either as a single event when the body is an object, or as a set of events when the body is an array. If the body should be handled differently, for example a set of events in an array field of an object to be handled as a set of events, then a [Common Expression Language (CEL)](https://opensource.google.com/projects/cel) program can be provided through this configuration field. The name of the object in the CEL program is `obj`. No CEL extensions are provided beyond the function in the CEL [standard library](https://github.com/google/cel-spec/blob/master/doc/langdef.md#standard). CEL [optional types](https://pkg.go.dev/github.com/google/cel-go/cel#OptionalTypes) are supported.
+
+Note that during evaluation, numbers that are not representable exactly within a double floating point value will be converted to a string to avoid data corruption.
+
+
+### `response_code` [_response_code]
+
+The HTTP response code returned upon success. Should be in the 2XX range.
+
+
+### `response_body` [_response_body]
+
+The response body returned upon success.
+
+
+### `listen_address` [_listen_address]
+
+If multiple interfaces is present the `listen_address` can be set to control which IP address the listener binds to. Defaults to `127.0.0.1`.
+
+
+### `listen_port` [_listen_port]
+
+Which port the listener binds to. Defaults to 8000.
+
+
+### `url` [_url]
+
+This options specific which URL path to accept requests on. Defaults to `/`
+
+
+### `prefix` [_prefix]
+
+This option specifies which prefix the incoming request will be mapped to. If `prefix` is "`.`", the request will be mapped to the root of the resulting document.
+
+
+### `include_headers` [_include_headers]
+
+This options specifies a list of HTTP headers that should be copied from the incoming request and included in the document. All configured headers will always be canonicalized to match the headers of the incoming request. For example, `["content-type"]` will become `["Content-Type"]` when the filebeat is running.
+
+
+### `preserve_original_event` [_preserve_original_event]
+
+This option includes the JSON representation of the incoming request in the `event.original` field as a string before sending the event to Elasticsearch. The representation may not be a verbatim copy of the original message, but is guaranteed to be an [RFC7493](https://datatracker.ietf.org/doc/html/rfc7493) compliant message.
+
+
+### `crc.provider` [_crc_provider]
+
+This option defines the provider of the webhook that uses CRC (Challenge-Response Check) for validating the endpoint. The HTTP endpoint input is responsible for ensuring the authenticity of incoming webhook requests by generating and verifying a unique token. By specifying the `crc.provider`, you ensure that the system correctly handles the specific CRC validation process required by the chosen provider.
+
+
+### `crc.secret` [_crc_secret]
+
+The secret token provided by the webhook owner for the CRC validation. It is required when a `crc.provider` is set.
+
+
+### `method` [_method]
+
+The HTTP method handled by the endpoint. If specified, `method` must be `POST`, `PUT` or `PATCH`. The default method is `POST`. If `PUT` or `PATCH` are specified, requests using those method types are accepted, but are treated as `POST` requests and are expected to have a request body containing the request data.
+
+
+### `tracer.enabled` [_tracer_enabled_3]
+
+It is possible to log HTTP requests to a local file-system for debugging configurations. This option is enabled by setting `tracer.enabled` to true and setting the `tracer.filename` value. Additional options are available to tune log rotation behavior. To delete existing logs, set `tracer.enabled` to false without unsetting the filename option.
+
+Enabling this option compromises security and should only be used for debugging.
+
+
+### `tracer.filename` [_tracer_filename_4]
+
+To differentiate the trace files generated from different input instances, a placeholder `*` can be added to the filename and will be replaced with the input instance id. For Example, `http-request-trace-*.ndjson`.
+
+
+### `tracer.maxsize` [_tracer_maxsize_2]
+
+This value sets the maximum size, in megabytes, the log file will reach before it is rotated. By default logs are allowed to reach 1MB before rotation. Individual request bodies will be truncated to a maximum size of 10kiB.
+
+
+### `tracer.maxage` [_tracer_maxage]
+
+This specifies the number days to retain rotated log files. If it is not set, log files are retained indefinitely.
+
+
+### `tracer.maxbackups` [_tracer_maxbackups]
+
+The number of old logs to retain. If it is not set all old logs are retained subject to the `tracer.maxage` setting.
+
+
+### `tracer.localtime` [_tracer_localtime]
+
+Whether to use the host’s local time rather that UTC for timestamping rotated log file names.
+
+
+### `tracer.compress` [_tracer_compress]
+
+This determines whether rotated logs should be gzip compressed.
+
+
+## Metrics [_metrics_11]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the activity of the input.
+
+| Metric | Description |
+| --- | --- |
+| `bind_address` | Bind address of input. |
+| `route` | HTTP request route of the input. |
+| `is_tls_connection` | Whether the input is listening on a TLS connection. |
+| `api_errors_total` | Number of API errors. |
+| `batches_received_total` | Number of event arrays received. |
+| `batches_published_total` | Number of event arrays published. |
+| `batches_acked_total` | Number of event arrays ACKed. |
+| `events_published_total` | Number of events published. |
+| `size` | Histogram of request content lengths. |
+| `batch_size` | Histogram of the received event array length. |
+| `batch_processing_time` | Histogram of the elapsed successful batch processing times in nanoseconds (time of receipt to time of ACK for non-empty batches). |
+| `batch_ack_time` | Histogram of the elapsed successful batch ACKing times in nanoseconds (time of handler start to time of ACK for non-empty batches). |
+
+
+## Common options [filebeat-input-http_endpoint-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_12]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_12]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: http_endpoint
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-http_endpoint-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: http_endpoint
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-http_endpoint]
+
+If this option is set to true, the custom [fields](#filebeat-input-http_endpoint-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_12]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_12]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_12]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_12]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_12]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-httpjson.md b/docs/reference/filebeat/filebeat-input-httpjson.md
new file mode 100644
index 000000000000..63cc76c96f33
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-httpjson.md
@@ -0,0 +1,1631 @@
+---
+navigation_title: "HTTP JSON"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html
+---
+
+# HTTP JSON input [filebeat-input-httpjson]
+
+
+Use the `httpjson` input to read messages from an HTTP API with JSON payloads.
+
+If you are starting development of a new custom HTTP API input, we recommend that you use the [Common Expression Language input](/reference/filebeat/filebeat-input-cel.md) which provides greater flexibility and an improved developer experience.
+
+This input supports:
+
+* Auth
+
+    * Basic
+    * OAuth2
+
+* Retrieval at a configurable interval
+* Pagination
+* Retries
+* Rate limiting
+* Proxying
+* Request transformations
+* Response transformations
+
+Example configurations:
+
+```yaml
+filebeat.inputs:
+# Fetch your public IP every minute.
+- type: httpjson
+  interval: 1m
+  request.url: https://api.ipify.org/?format=json
+  processors:
+    - decode_json_fields:
+        fields: ["message"]
+        target: "json"
+```
+
+```yaml
+filebeat.inputs:
+- type: httpjson
+  request.url: http://localhost:9200/_search?scroll=5m
+  request.method: POST
+  response.split:
+    target: body.hits.hits
+  response.pagination:
+    - set:
+        target: url.value
+        value: http://localhost:9200/_search/scroll
+    - set:
+        target: url.params.scroll_id
+        value: '[[.last_response.body._scroll_id]]'
+    - set:
+        target: body.scroll
+        value: 5m
+```
+
+Additionally, it supports authentication via Basic auth, HTTP Headers or oauth2.
+
+Example configurations with authentication:
+
+```yaml
+filebeat.inputs:
+- type: httpjson
+  request.url: http://localhost
+  request.transforms:
+    - set:
+        target: header.Authorization
+        value: 'Basic aGVsbG86d29ybGQ='
+```
+
+```yaml
+filebeat.inputs:
+- type: httpjson
+  auth.oauth2:
+    client.id: 12345678901234567890abcdef
+    client.secret: abcdef12345678901234567890
+    token_url: http://localhost/oauth2/token
+  request.url: http://localhost
+```
+
+```yaml
+filebeat.inputs:
+- type: httpjson
+  auth.oauth2:
+    client.id: 12345678901234567890abcdef
+    client.secret: abcdef12345678901234567890
+    token_url: http://localhost/oauth2/token
+    user: user@domain.tld
+    password: P@$$W0₹D
+  request.url: http://localhost
+```
+
+## Input state [input-state]
+
+The `httpjson` input keeps a runtime state between requests. This state can be accessed by some configuration options and transforms.
+
+The state has the following elements:
+
+* `last_response.url.value`: The full URL with params and fragments from the last request with a successful response.
+* `last_response.url.params`: A [`url.Values`](https://pkg.go.dev/net/url#Values) of the params from the URL in `last_response.url.value`.  Can be queried with the [`Get`](https://pkg.go.dev/net/url#Values.Get) function.
+* `last_response.header`: A map containing the headers from the last successful response.
+* `last_response.body`: A map containing the parsed JSON body from the last successful response. This is the response as it comes from the remote server.
+* `last_response.page`: A number indicating the page number of the last response. It starts with the value `0` at every interval.
+* `first_event`: A map representing the first event sent to the output (result from applying transforms to `last_response.body`).
+* `last_event`: A map representing the last event of the current request in the requests chain (result from applying transforms to `last_response.body`).
+* `url`: The last requested URL as a raw [`url.URL`](https://pkg.go.dev/net/url#URL) Go type.
+* `header`: A map containing the headers. References the next request headers when used in [`request.rate_limit.early_limit`](#request-transforms-headers) or [`response.pagination`](#response-pagination) configuration sections, and to the last response headers when used in [`response.transforms`](#response-transforms), [`response.split`](#response-split), or [`request.rate_limit.limit`](#request-rate-limit) configuration sections.
+* `body`: A map containing the body. References the next request body when used in [`request.rate_limit.early_limit`](#request-transforms-headers) or [`response.pagination`](#response-pagination) configuration sections, and to the last response body when used in [`response.transforms`](#response-transforms) or [`response.split`](#response-split) configuration sections.
+* `cursor`: A map containing any data the user configured to be stored between restarts (See [`cursor`](#cursor)).
+
+All of the mentioned objects are only stored at runtime during the execution of the periodic request, except `cursor`, which has values that are persisted between periodic request and restarts.
+
+
+## Transforms [transforms]
+
+A transform is an action that lets the user modify the [input state](#input-state). Depending on where the transform is defined, it will have access for reading or writing different elements of the [state](#input-state).
+
+The access limitations are described in the corresponding configuration sections.
+
+
+### `append` [_append]
+
+Appends a value to an array. If the field does not exist, the first entry will create a new array. If the field exists, the value is appended to the existing field and converted to a list.
+
+```yaml
+- append:
+    target: body.foo.bar
+    value: '[[.cursor.baz]]'
+    default: "a default value"
+```
+
+* `target` defines the destination field where the value is stored.
+* `value` defines the value that will be stored and it is a [value template](#value-templates).
+* `default` defines the fallback value whenever `value` is empty or the template parsing fails. Default templates do not have access to any state, only to functions.
+* `value_type` defines the type of the resulting value. Possible values are: `string`, `json`, and `int`. Default is `string`.
+* `fail_on_template_error` if set to `true` an error will be returned and the request will be aborted when the template evaluation fails. Default is `false`.
+* `do_not_log_failure` if set to true a `fail_on_template_error` will not be logged except at DEBUG level. This should be used when template failure is expected in normal operation as control flow.
+
+
+### `delete` [_delete]
+
+Deletes the target field.
+
+```yaml
+- delete:
+    target: body.foo.bar
+```
+
+* `target` defines the destination field to delete. If `target` is a list and not a single element, the complete list will be deleted.
+
+
+### `set` [_set]
+
+Sets a value.
+
+```yaml
+- set:
+    target: body.foo.bar
+    value: '[[.cursor.baz]]'
+    default: "a default value"
+```
+
+* `target` defines the destination field where the value is stored.
+* `value` defines the value that will be stored and it is a [value template](#value-templates).
+* `default` defines the fallback value whenever `value` is empty or the template parsing fails. Default templates do not have access to any state, only to functions.
+* `value_type` defines how the resulting value will be treated. Possible values are: `string`, `json`, and `int`. Default is `string`.
+* `fail_on_template_error` if set to `true` an error will be returned and the request will be aborted when the template evaluation fails. Default is `false`.
+* `do_not_log_failure` if set to true a `fail_on_template_error` will not be logged except at DEBUG level. This should be used when template failure is expected in normal operation as control flow.
+
+
+## Value templates [value-templates]
+
+Some configuration options and transforms can use value templates. Value templates are Go templates with access to the input state and to some built-in functions. Please note that delimiters are changed from the default `{{ }}` to `[[ ]]` to improve interoperability with other templating mechanisms.
+
+To see which [state elements](#input-state) and operations are available, see the documentation for the option or [transform](#transforms) where you want to use a value template.
+
+A value template looks like:
+
+```yaml
+- set:
+    target: body.foo.bar
+    value: '[[.cursor.baz]] more data'
+    default: "a default value"
+```
+
+The content inside the brackets `[[` `]]` is evaluated. For more information on Go templates please refer to [the Go docs](https://golang.org/pkg/text/template).
+
+Some built-in helper functions are provided to work with the input state inside value templates:
+
+* `add`: adds a list of integers and returns their sum.
+* `base64DecodeNoPad`: Decodes the base64 string without padding. Any binary output will be converted to a UTF8 string.
+* `base64Decode`: Decodes the base64 string. Any binary output will be converted to a UTF8 string.
+* `base64EncodeNoPad`: Joins and base64 encodes all supplied strings without padding. Example `[[base64EncodeNoPad "string1" "string2"]]`
+* `base64Encode`: Joins and base64 encodes all supplied strings. Example `[[base64Encode "string1" "string2"]]`
+* `beatInfo`: returns a map containing information about the Beat.  Available keys in the map are `goos` (running operating system), `goarch` (running system architecture), `commit` (git commit of current build), `buildtime` (compile time of current build), `version` (version of current build). Example: `[[ beatInfo.version ]]` returns `{{version}}`.
+* `div`: does the integer division of two integer values.
+* `formatDate`: formats a `time.Time`. By default the format layout is `RFC3339` but optionally can accept any of the Golang predefined layouts or a custom one. It will default to UTC timezone when formatting, but you can specify a different timezone. If the timezone is incorrect, it will default to UTC. Example: `[[ formatDate (now) "UnixDate" ]]`, `[[ formatDate (now) "UnixDate" "America/New_York" ]]`.
+* `getRFC5988Link`: extracts a specific relation from a list of [RFC5988](https://tools.ietf.org/html/rfc5988) links. It is useful when parsing header values for pagination. Example: `[[ getRFC5988Link "next" .last_response.header.Link ]]`.
+* `hashBase64`: calculates the hash of a list of strings concatenated together. Returns a base64 encoded hash. Supports sha1 or sha256. Example `[[hash "sha256" "string1" "string2" (formatDate (now) "RFC1123")]]`
+* `hash`: calculates the hash of a list of strings concatenated together. Returns a hex encoded hash. Supports sha1 or sha256. Example `[[hash "sha256" "string1" "string2" (formatDate (now) "RFC1123")]]`
+* `hexDecode`: Decodes the hexadecimal string. Any hexadecimal string will be converted to its bytes representation. Example `[[hexDecode "b0a92a08a9b4883aa3aa2d0957be12a678cbdbb32dc5db09fe68239a09872f96"]]`; Expected Output: `"\xb0\xa9*\b\xa9\xb4\x88:\xa3\xaa-\tW\xbe\x12\xa6x\xcb۳-\xc5\xdb\t\xfeh#\x9a\t\x87/\x96"`
+* `hmacBase64`: calculates the hmac signature of a list of strings concatenated together. Returns a base64 encoded signature. Supports sha1 or sha256. Example `[[hmac "sha256" "secret" "string1" "string2" (formatDate (now) "RFC1123")]]`
+* `hmac`: calculates the hmac signature of a list of strings concatenated together. Returns a hex encoded signature. Supports sha1 or sha256. Example `[[hmac "sha256" "secret" "string1" "string2" (formatDate (now) "RFC1123")]]`
+* `join`: joins a list using the specified separator. Example: `[[join .body.arr ","]]`
+* `max`: returns the maximum of two values.
+* `min`: returns the minimum of two values.
+* `mul`: multiplies two integers.
+* `now`: returns the current `time.Time` object in UTC. Optionally, it can receive a `time.Duration` as a parameter. Example: `[[now (parseDuration "-1h")]]` returns the time at 1 hour before now.
+* `parseDate`: parses a date string and returns a `time.Time` in UTC. By default the expected layout is `RFC3339` but optionally can accept any of the Golang predefined layouts or a custom one. Note: Parsing timezone abbreviations may cause ambiguities. Prefer `parseDateInTZ` for explicit timezone handling. Example: `[[ parseDate "2020-11-05T12:25:32Z" ]]`, `[[ parseDate "2020-11-05T12:25:32.1234567Z" "RFC3339Nano" ]]`, `[[ (parseDate "Thu Nov  5 12:25:32 +0000 2020" "Mon Jan _2 15:04:05 -0700 2006").UTC ]]`.
+* `parseDateInTZ`: parses a date string within a specified timezone (TZ), returning a `time.Time` in UTC. Specified timezone overwrites implicit timezone from the input date. Accepts timezone offsets ("-07:00", "-0700", "-07") or IANA Time Zone names ("America/New_York"). If TZ is invalid, defaults to UTC. Optional layout argument as in parseDate. Example: `[[ parseDateInTZ "2020-11-05T12:25:32" "America/New_York" ]]`, `[[ parseDateInTZ "2020-11-05T12:25:32" "-07:00" "RFC3339" ]]`.
+* `parseDuration`: parses duration strings and returns `time.Duration`. Example: `[[parseDuration "1h"]]`.
+* `parseTimestampMilli`: parses a timestamp in milliseconds and returns a `time.Time` in UTC. Example: `[[parseTimestamp 1604582732000]]` returns `2020-11-05 13:25:32 +0000 UTC`.
+* `parseTimestampNano`: parses a timestamp in nanoseconds and returns a `time.Time` in UTC. Example: `[[parseTimestamp 1604582732000000000]]` returns `2020-11-05 13:25:32 +0000 UTC`.
+* `parseTimestamp`: parses a timestamp in seconds and returns a `time.Time` in UTC. Example: `[[parseTimestamp 1604582732]]` returns `2020-11-05 13:25:32 +0000 UTC`.
+* `replaceAll(old, new, s)`: replaces all non-overlapping instances of `old` with `new` in `s`. Example: `[[ replaceAll "some" "my" "some value" ]]` returns `my value`.
+* `sprintf`: formats according to a format specifier and returns the resulting string. Refer to [the Go docs](https://pkg.go.dev/fmt#Sprintf) for usage. Example: `[[sprintf "%d:%q" 34 "quote this"]]`
+* `toInt`: converts a value of any type to an integer when possible. Returns 0 if the conversion fails.
+* `toJSON`: converts a value to a JSON string. This can be used with `value_type: json` to create an object from a template. Example: `[[ toJSON .last_response.body.pagingIdentifiers ]]`.
+* `urlEncode`: URL encodes the supplied string. Example `[[urlEncode "string1"]]`. Example `[[urlEncode "<string1>"]]` will return `%3Cstring1%3E`.
+* `userAgent`: generates the User Agent with optional additional values. If no arguments are provided, it will generate the default User Agent that is added to all requests by default. It is recommended to delete the existing User-Agent header before setting a new one. Example: `[[ userAgent "integration/1.2.3" ]]` would generate `Elastic-Filebeat/8.1.0 (darwin; amd64; 9b893e88cfe109e64638d65c58fd75c2ff695402; 2021-12-15 13:20:00 +0000 UTC; integration_name/1.2.3)`
+* `uuid`: returns a random UUID such as `a11e8780-e3e7-46d0-8e76-f66e75acf019`. Example: `[[ uuid ]]`
+
+In addition to the provided functions, any of the native functions for [`time.Time`](https://golang.org/pkg/time/#Time), [`http.Header`](https://golang.org/pkg/net/http/#Header), and [`url.Values`](https://golang.org/pkg/net/url/#Values) types can be used on the corresponding objects. Examples: `[[(now).Day]]`, `[[.last_response.header.Get "key"]]`
+
+
+## Configuration options [_configuration_options_11]
+
+The `httpjson` input supports the following configuration options plus the [Common options](#filebeat-input-httpjson-common-options) described later.
+
+
+### `interval` [_interval_2]
+
+Duration between repeated requests. It may make additional pagination requests in response to the initial request if pagination is enabled. Default: `60s`.
+
+
+### `auth.basic.enabled` [_auth_basic_enabled_2]
+
+When set to `false`, disables the basic auth configuration. Default: `true`.
+
+::::{note}
+Basic auth settings are disabled if either `enabled` is set to `false` or the `auth.basic` section is missing.
+::::
+
+
+
+### `auth.basic.user` [_auth_basic_user_2]
+
+The user to authenticate with.
+
+
+### `auth.basic.password` [_auth_basic_password_2]
+
+The password to use.
+
+
+### `auth.oauth2.enabled` [_auth_oauth2_enabled_2]
+
+When set to `false`, disables the oauth2 configuration. Default: `true`.
+
+::::{note}
+OAuth2 settings are disabled if either `enabled` is set to `false` or the `auth.oauth2` section is missing.
+::::
+
+
+
+### `auth.oauth2.provider` [_auth_oauth2_provider_2]
+
+Used to configure supported oauth2 providers. Each supported provider will require specific settings. It is not set by default. Supported providers are: `azure`, `google`, `okta`.
+
+
+### `auth.oauth2.client.id` [_auth_oauth2_client_id_3]
+
+The client ID used as part of the authentication flow. It is always required except if using `google` as provider. Required for providers: `default`, `azure`, `okta`.
+
+
+### `auth.oauth2.client.secret` [_auth_oauth2_client_secret_3]
+
+The client secret used as part of the authentication flow. It is always required except if using `google` or `okta` as provider. Required for providers: `default`, `azure`.
+
+
+### `auth.oauth2.user` [_auth_oauth2_user_3]
+
+The user used as part of the authentication flow. It is required for authentication - grant type password. It is only available for provider `default`.
+
+
+### `auth.oauth2.password` [_auth_oauth2_password_3]
+
+The password used as part of the authentication flow. It is required for authentication - grant type password. It is only available for provider `default`.
+
+::::{note}
+user and password are required for grant_type password. If user and password is not used then it will automatically use the `token_url` and `client credential` method.
+::::
+
+
+
+### `auth.oauth2.scopes` [_auth_oauth2_scopes_2]
+
+A list of scopes that will be requested during the oauth2 flow. It is optional for all providers.
+
+
+### `auth.oauth2.token_url` [_auth_oauth2_token_url_3]
+
+The endpoint that will be used to generate the tokens during the oauth2 flow. It is required if no provider is specified.
+
+::::{note}
+For `azure` provider either `token_url` or `azure.tenant_id` is required.
+::::
+
+
+
+### `auth.oauth2.endpoint_params` [_auth_oauth2_endpoint_params_2]
+
+Set of values that will be sent on each request to the `token_url`. Each param key can have multiple values. Can be set for all providers except `google`.
+
+```yaml
+- type: httpjson
+  auth.oauth2:
+    endpoint_params:
+      Param1:
+        - ValueA
+        - ValueB
+      Param2:
+        - Value
+```
+
+
+### `auth.oauth2.azure.tenant_id` [_auth_oauth2_azure_tenant_id_2]
+
+Used for authentication when using `azure` provider. Since it is used in the process to generate the `token_url`, it can’t be used in combination with it. It is not required.
+
+For information about where to find it, you can refer to [https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal).
+
+
+### `auth.oauth2.azure.resource` [_auth_oauth2_azure_resource_2]
+
+The accessed WebAPI resource when using `azure` provider. It is not required.
+
+
+### `auth.oauth2.google.credentials_file` [_auth_oauth2_google_credentials_file_2]
+
+The credentials file for Google.
+
+::::{note}
+Only one of the credentials settings can be set at once. If none is provided, loading default credentials from the environment will be attempted via ADC. For more information about how to provide Google credentials, please refer to [https://cloud.google.com/docs/authentication](https://cloud.google.com/docs/authentication).
+::::
+
+
+
+### `auth.oauth2.google.credentials_json` [_auth_oauth2_google_credentials_json_2]
+
+Your credentials information as raw JSON.
+
+::::{note}
+Only one of the credentials settings can be set at once. If none is provided, loading default credentials from the environment will be attempted via ADC. For more information about how to provide Google credentials, please refer to [https://cloud.google.com/docs/authentication](https://cloud.google.com/docs/authentication).
+::::
+
+
+
+### `auth.oauth2.google.jwt_file` [_auth_oauth2_google_jwt_file_2]
+
+The JWT Account Key file for Google.
+
+::::{note}
+Only one of the credentials settings can be set at once. If none is provided, loading default credentials from the environment will be attempted via ADC. For more information about how to provide Google credentials, please refer to [https://cloud.google.com/docs/authentication](https://cloud.google.com/docs/authentication).
+::::
+
+
+
+### `auth.oauth2.google.jwt_json` [_auth_oauth2_google_jwt_json_2]
+
+The JWT Account Key file as raw JSON.
+
+::::{note}
+Only one of the credentials settings can be set at once. If none is provided, loading default credentials from the environment will be attempted via ADC. For more information about how to provide Google credentials, please refer to [https://cloud.google.com/docs/authentication](https://cloud.google.com/docs/authentication).
+::::
+
+
+
+### `auth.oauth2.okta.jwk_file` [_auth_oauth2_okta_jwk_file_2]
+
+The RSA JWK Private Key file for your Okta Service App which is used for interacting with Okta Org Auth Server to mint tokens with okta.* scopes.
+
+::::{note}
+Only one of the credentials settings can be set at once. For more information please refer to [https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/)
+::::
+
+
+
+### `auth.oauth2.okta.jwk_json` [_auth_oauth2_okta_jwk_json_2]
+
+The RSA JWK Private Key JSON for your Okta Service App which is used for interacting with Okta Org Auth Server to mint tokens with okta.* scopes.
+
+
+### `auth.oauth2.okta.jwk_pem` [_auth_oauth2_okta_jwk_pem_2]
+
+The RSA JWK private key PEM block for your Okta Service App which is used for interacting with Okta Org Auth Server to mint tokens with okta.* scopes.
+
+::::{note}
+Only one of the credentials settings can be set at once. For more information please refer to [https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/)
+::::
+
+
+
+### `auth.oauth2.google.delegated_account` [_auth_oauth2_google_delegated_account_2]
+
+Email of the delegated account used to create the credentials (usually an admin). Used in combination with `auth.oauth2.google.jwt_file`, `auth.oauth2.google.jwt_json`, and when defaulting to use ADC.
+
+
+### `request.url` [request-parameters]
+
+The URL of the HTTP API. Required.
+
+The API endpoint may be accessed via unix socket and Windows named pipes by adding  `+unix` or `+npipe` to the URL scheme, for example, `http+unix:///var/socket/`.
+
+
+### `request.method` [_request_method]
+
+HTTP method to use when making requests. `GET` or `POST` are the options. Default: `GET`.
+
+
+### `request.encode_as` [_request_encode_as]
+
+ContentType used for encoding the request body. If set it will force the encoding in the specified format regardless of the `Content-Type` header value, otherwise it will honor it if possible or fallback to `application/json`. By default the requests are sent with `Content-Type: application/json`. Supported values: `application/json` and `application/x-www-form-urlencoded`. `application/x-www-form-urlencoded` will url encode the `url.params` and set them as the body. It is not set by default.
+
+
+### `request.body` [_request_body]
+
+An optional HTTP POST body. The configuration value must be an object, and it will be encoded to JSON. This is only valid when `request.method` is `POST`. Defaults to `null` (no HTTP body).
+
+```yaml
+- type: httpjson
+  request.method: POST
+  request.body:
+    query:
+      bool:
+        filter:
+          term:
+            type: authentication
+```
+
+
+### `request.timeout` [_request_timeout]
+
+Duration before declaring that the HTTP client connection has timed out. Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`. Default: `30s`.
+
+
+### `request.ssl` [_request_ssl]
+
+This specifies SSL/TLS configuration. If the ssl section is missing, the host’s CAs are used for HTTPS connections. See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+
+
+### `request.proxy_url` [_request_proxy_url]
+
+This specifies proxy configuration in the form of `http[s]://<user>:<password>@<server name/ip>:<port>`
+
+```yaml
+filebeat.inputs:
+# Fetch your public IP every minute.
+- type: httpjson
+  interval: 1m
+  request.url: https://api.ipify.org/?format=json
+  request.proxy_url: http://proxy.example:8080
+```
+
+
+### `request.keep_alive.disable` [_request_keep_alive_disable]
+
+This specifies whether to disable keep-alives for HTTP end-points. Default: `true`.
+
+
+### `request.keep_alive.max_idle_connections` [_request_keep_alive_max_idle_connections]
+
+The maximum number of idle connections across all hosts. Zero means no limit. Default: `0`.
+
+
+### `request.keep_alive.max_idle_connections_per_host` [_request_keep_alive_max_idle_connections_per_host]
+
+The maximum idle connections to keep per-host. If zero, defaults to two. Default: `0`.
+
+
+### `request.keep_alive.idle_connection_timeout` [_request_keep_alive_idle_connection_timeout]
+
+The maximum amount of time an idle connection will remain idle before closing itself. Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`. Zero means no limit. Default: `0s`.
+
+
+### `request.retry.max_attempts` [_request_retry_max_attempts]
+
+The maximum number of retries for the HTTP client. Default: `5`.
+
+
+### `request.retry.wait_min` [_request_retry_wait_min]
+
+The minimum time to wait before a retry is attempted. Default: `1s`.
+
+
+### `request.retry.wait_max` [_request_retry_wait_max]
+
+The maximum time to wait before a retry is attempted. Default: `60s`.
+
+
+### `request.redirect.forward_headers` [_request_redirect_forward_headers]
+
+When set to `true` request headers are forwarded in case of a redirect. Default: `false`.
+
+
+### `request.redirect.headers_ban_list` [_request_redirect_headers_ban_list]
+
+When `redirect.forward_headers` is set to `true`, all headers *except* the ones defined in this list will be forwarded. Default: `[]`.
+
+
+### `request.redirect.max_redirects` [_request_redirect_max_redirects]
+
+The maximum number of redirects to follow for a request. Default: `10`.
+
+
+### `request.rate_limit.limit` [request-rate-limit]
+
+The value of the response that specifies the total limit. It is defined with a Go template value. Can read state from: [`.last_response.header`]
+
+
+### `request.rate_limit.remaining` [_request_rate_limit_remaining]
+
+The value of the response that specifies the remaining quota of the rate limit. It is defined with a Go template value. Can read state from: [`.last_response.header`] If the `remaining` header is missing from the Response, no rate-limiting will occur.
+
+
+### `request.rate_limit.reset` [_request_rate_limit_reset]
+
+The value of the response that specifies the epoch time when the rate limit will reset. It is defined with a Go template value. Can read state from: [`.last_response.header`]
+
+
+### `request.rate_limit.early_limit` [request-transforms-headers]
+
+Optionally start rate-limiting prior to the value specified in the Response.
+
+Under the default behavior, Requests will continue while the `remaining` value is non-zero. Specifying an `early_limit` will mean that rate-limiting will occur prior to reaching `0`.
+
+* If the value specified for `early_limit` is less than `1`, the value is treated as a percentage of the Response provided `limit`. e.g. specifying `0.9` will mean that Requests will continue until reaching 90% of the rate-limit — for a `limit` value of `120`, the rate-limit starts when the `remaining` reaches `12`. If the `limit` header is missing from the Response, default rate-limiting will occur (when `remaining` reaches `0`).
+* If the value specified for `early_limit` is greater than or equal to `1`, the value is treated as the target value for `remaining`. e.g. instead of rate-limiting when `remaining` hits `0`, rate-limiting will occur when `remaining` hits the value specified.
+
+It is not set by default (by default the rate-limiting as specified in the Response is followed).
+
+
+### `request.transforms` [request-transforms]
+
+List of transforms to apply to the request before each execution.
+
+Available transforms for request: [`append`, `delete`, `set`].
+
+Can read state from: [`.first_response.*`,`.last_response.*`, `.parent_last_response.*` `.last_event.*`, `.cursor.*`, `.header.*`, `.url.*`, `.body.*`].
+
+Can write state to: [`body.*`, `header.*`, `url.*`].
+
+```yaml
+filebeat.inputs:
+- type: httpjson
+  request.url: http://localhost:9200/_search?scroll=5m
+  request.method: POST
+  request.transforms:
+    - set:
+        target: body.from
+        value: '[[now (parseDuration "-1h")]]'
+```
+
+::::{note}
+The clause `.parent_last_response.` should only be used from within chain steps and when pagination exists at the root request level. If pagination does not exist at the root level, please use the clause `.first_response.` to access parent response object from within chains. You can look at this **example** below for a better idea.
+::::
+
+
+**Example Config:**
+
+```yaml
+  filebeat.inputs:
+  - type: httpjson
+    enabled: true
+    id: my-httpjson-id
+    request.url: http://xyz.com/services/data/v1.0/export_ids/page
+    request.method: POST
+    interval: 1h
+    request.retry.max_attempts: 2
+    request.retry.wait_min: 5s
+    request.transforms:
+    - set:
+        target: body.page
+        value: 0
+    response.request_body_on_pagination: true
+    response.pagination:
+      - set:
+          target: body.page
+          value: '[[ .last_response.body.page ]]'
+          fail_on_template_error: true
+          do_not_log_failure: true
+    chain:
+    - step:
+          request.url: http://xyz.com/services/data/v1.0/$.exportId/export_ids/$.files[:].id/info
+          request.method: POST
+          request.transforms:
+          - set:
+              target: body.exportId
+              value: '[[ .parent_last_response.body.exportId ]]'
+          replace: $.files[:].id
+          replace_with: '$.exportId,.parent_last_response.body.exportId'
+```
+
+Here we can see that the chain step uses `.parent_last_response.body.exportId` only because `response.pagination` is present for the parent (root) request. However if `response.pagination` was not present in the parent (root) request, `replace_with` clause should have used `.first_response.body.exportId`. This is because when pagination does not exist at the parent level `parent_last_response` object is not populated with required values for performance reasons, but the `first_response` object always stores the very first response in the process chain.
+
+::::{note}
+The `first_response` object at the moment can only store flat JSON structures (i.e. no support for JSONS having array at root level, NDJSON or Gzipped JSON), hence it should only be used in scenarios where the this is the case. Splits cannot be performed on `first_response`. It needs to be explicitly enabled by setting the flag `response.save_first_response` to `true` in the httpjson config.
+::::
+
+
+
+### `request.tracer.enable` [_request_tracer_enable]
+
+It is possible to log HTTP requests and responses to a local file-system for debugging configurations. This option is enabled by setting `request.tracer.enabled` to true and setting the `request.tracer.filename` value. Additional options are available to tune log rotation behavior. To delete existing logs, set `request.tracer.enabled` to false without unsetting the filename option.
+
+Enabling this option compromises security and should only be used for debugging.
+
+
+## `request.tracer.filename` [_request_tracer_filename]
+
+To differentiate the trace files generated from different input instances, a placeholder `*` can be added to the filename and will be replaced with the input instance id. For Example, `http-request-trace-*.ndjson`.
+
+
+### `request.tracer.maxsize` [_request_tracer_maxsize]
+
+This value sets the maximum size, in megabytes, the log file will reach before it is rotated. By default logs are allowed to reach 1MB before rotation. Individual request/response bodies will be truncated to 10% of this size.
+
+
+### `request.tracer.maxage` [_request_tracer_maxage]
+
+This specifies the number days to retain rotated log files. If it is not set, log files are retained indefinitely.
+
+
+### `request.tracer.maxbackups` [_request_tracer_maxbackups]
+
+The number of old logs to retain. If it is not set all old logs are retained subject to the `request.tracer.maxage` setting.
+
+
+### `request.tracer.localtime` [_request_tracer_localtime]
+
+Whether to use the host’s local time rather that UTC for timestamping rotated log file names.
+
+
+### `request.tracer.compress` [_request_tracer_compress]
+
+This determines whether rotated logs should be gzip compressed.
+
+
+### `response.decode_as` [_response_decode_as]
+
+ContentType used for decoding the response body. If set it will force the decoding in the specified format regardless of the `Content-Type` header value, otherwise it will honor it if possible or fallback to `application/json`. Supported values: `application/json, application/x-ndjson`, `text/csv`, `application/zip`, `application/xml` and `text/xml`. It is not set by default.
+
+::::{note}
+For `text/csv`, one event for each line will be created, using the header values as the object keys. For this reason is always assumed that a header exists.
+::::
+
+
+::::{note}
+For `application/zip`, the `zip` file is expected to contain one or more `.json` or `.ndjson` files. The contents of all of them will be merged into a single list of `JSON` objects.
+::::
+
+
+::::{note}
+For `application/xml` and `text/xml` type information for decoding the XML document can be provided via the `response.xsd` option.
+::::
+
+
+
+### `response.xsd` [_response_xsd]
+
+XML documents may require additional type information to enable correct parsing and ingestion. This information can be provided as an XML Schema Definition (XSD) for the document using the `response.xsd` option.
+
+
+### `response.transforms` [response-transforms]
+
+List of transforms to apply to the response once it is received.
+
+Available transforms for response: [`append`, `delete`, `set`].
+
+Can read state from: [`.last_response.*`, `.last_event.*`, `.cursor.*`, `.header.*`, `.url.*`].
+
+Can write state to: [`body.*`].
+
+```yaml
+filebeat.inputs:
+- type: httpjson
+  request.url: http://localhost:9200/_search?scroll=5m
+  request.method: POST
+  response.transforms:
+    - delete:
+        target: body.very_confidential
+  response.split:
+    target: body.hits.hits
+  response.pagination:
+    - set:
+        target: url.value
+        value: http://localhost:9200/_search/scroll
+    - set:
+        target: url.params.scroll_id
+        value: '[[.last_response.body._scroll_id]]'
+    - set:
+        target: body.scroll
+        value: 5m
+```
+
+
+### `response.split` [response-split]
+
+Split operation to apply to the response once it is received. A split can convert a map, array, or string into multiple events. If the split target is empty the parent document will be kept. If documents with empty splits should be dropped, the `ignore_empty_value` option should be set to `true`.
+
+
+### `response.split[].target` [_response_split_target]
+
+Defines the target field upon the split operation will be performed.
+
+
+### `response.split[].type` [_response_split_type]
+
+Defines the field type of the target. Allowed values: `array`, `map`, `string`. `string` requires the use of the `delimiter` options to specify what characters to split the string on.  `delimiter` always behaves as if `keep_parent` is set to `true`. Default: `array`.
+
+
+### `response.split[].transforms` [_response_split_transforms]
+
+A set of transforms can be defined. This list will be applied after [response.transforms](#response-transforms) and after the object has been modified based on `response.split[].keep_parent` and `response.split[].key_field`.
+
+Available transforms for response: [`append`, `delete`, `set`].
+
+Can read state from: [`.last_response.*`, `.first_event.*`, `.last_event.*`, `.cursor.*`, `.header.*`, `.url.*`].
+
+Can write state to: [`body.*`].
+
+::::{note}
+in this context, `body.*` will be the result of all the previous transformations.
+::::
+
+
+
+### `response.split[].keep_parent` [_response_split_keep_parent]
+
+If set to true, the fields from the parent document (at the same level as `target`) will be kept. Otherwise a new document will be created using `target` as the root. Default: `false`.
+
+
+### `response.split[].delimiter` [_response_split_delimiter]
+
+Required if using split type of `string`.  This is the sub string used to split the string.  For example if `delimiter` was "\n" and the string was "line 1\nline 2", then the split would result in "line 1" and "line 2".
+
+
+### `response.split[].key_field` [_response_split_key_field]
+
+Valid when used with `type: map`. When not empty, defines a new field where the original key value will be stored.
+
+
+### `response.split[].ignore_empty_value` [_response_split_ignore_empty_value]
+
+If set to true, empty or missing value will be ignored and processing will pass on to the next nested split operation instead of failing with an error. Default: `false`.
+
+Note that if `ignore_empty_value` is `true` and the final result is empty, no event will be published, and no cursor update will be made. If a cursor update must be made for all responses, this should be set to `false` and the ingest pipeline must be configured to tolerate empty event sets.
+
+
+### `response.split[].split` [_response_split_split]
+
+Nested split operation. Split operations can be nested at will. An event won’t be created until the deepest split operation is applied.
+
+
+### `response.request_body_on_pagination` [_response_request_body_on_pagination]
+
+If set to true, the values in `request.body` are sent for pagination requests. Default: `false`.
+
+
+### `response.pagination` [response-pagination]
+
+List of transforms that will be applied to the response to every new page request. All the transforms from `request.transform` will be executed and then `response.pagination` will be added to modify the next request as needed. For subsequent responses, the usual [response.transforms](#response-transforms) and [response.split](#response-split) will be executed normally.
+
+Available transforms for pagination: [`append`, `delete`, `set`].
+
+Can read state from: [`.last_response.*`, `.first_event.*`, `.last_event.*`, `.cursor.*`, `.header.*`, `.url.*`, `.body.*`].
+
+Can write state to: [`body.*`, `header.*`, `url.*`].
+
+Examples using split:
+
+* We have a response with two nested arrays, and we want a document for each of the elements of the inner array:
+
+    ```json
+    {
+      "this": "is kept",
+      "alerts": [
+        {
+          "this_is": "also kept",
+          "entities": [
+            {
+              "something": "something"
+            },
+            {
+              "else": "else"
+            }
+          ]
+        },
+        {
+          "this_is": "also kept 2",
+          "entities": [
+            {
+              "something": "something 2"
+            },
+            {
+              "else": "else 2"
+            }
+          ]
+        }
+      ]
+    }
+    ```
+
+    The config will look like:
+
+    ```yaml
+    filebeat.inputs:
+    - type: httpjson
+      interval: 1m
+      request.url: https://example.com
+      response.split:
+        target: body.alerts
+        type: array
+        keep_parent: true
+        split:
+          # paths in nested splits need to represent the state of body, not only their current level of nesting
+          target: body.alerts.entities
+          type: array
+          keep_parent: true
+    ```
+
+    This will output:
+
+    ```json
+    [
+      {
+        "this": "is kept",
+        "alerts": {
+          "this_is": "also kept",
+          "entities": {
+            "something": "something"
+          }
+        }
+      },
+      {
+        "this": "is kept",
+        "alerts": {
+          "this_is": "also kept",
+          "entities": {
+            "else": "else"
+          }
+        }
+      },
+      {
+        "this": "is kept",
+        "alerts": {
+          "this_is": "also kept 2",
+          "entities": {
+            "something": "something 2"
+          }
+        }
+      },
+      {
+        "this": "is kept",
+        "alerts": {
+          "this_is": "also kept 2",
+          "entities": {
+            "else": "else 2"
+          }
+        }
+      }
+    ]
+    ```
+
+* We have a response with an array with two objects, and we want a document for each of the object keys while keeping the keys values:
+
+    ```json
+    {
+      "this": "is not kept",
+      "alerts": [
+        {
+          "this_is": "kept",
+          "entities": {
+            "id1": {
+              "something": "something"
+            }
+          }
+        },
+        {
+          "this_is": "kept 2",
+          "entities": {
+            "id2": {
+              "something": "something 2"
+            }
+          }
+        }
+      ]
+    }
+    ```
+
+    The config will look like:
+
+    ```yaml
+    filebeat.inputs:
+    - type: httpjson
+      interval: 1m
+      request.url: https://example.com
+      response.split:
+        target: body.alerts
+        type: array
+        keep_parent: false
+        split:
+          # this time alerts will not exist because previous keep_parent is false
+          target: body.entities
+          type: map
+          keep_parent: true
+          key_field: id
+    ```
+
+    This will output:
+
+    ```json
+    [
+      {
+        "this_is": "kept",
+        "entities": {
+          "id": "id1",
+          "something": "something"
+        }
+      },
+      {
+        "this_is": "kept 2",
+        "entities": {
+          "id": "id2",
+          "something": "something 2"
+        }
+      }
+    ]
+    ```
+
+* We have a response with an array with two objects, and we want a document for each of the object keys while applying a transform to each:
+
+    ```json
+    {
+      "this": "is not kept",
+      "alerts": [
+        {
+          "this_is": "also not kept",
+          "entities": {
+            "id1": {
+              "something": "something"
+            }
+          }
+        },
+        {
+          "this_is": "also not kept",
+          "entities": {
+            "id2": {
+              "something": "something 2"
+            }
+          }
+        }
+      ]
+    }
+    ```
+
+    The config will look like:
+
+    ```yaml
+    filebeat.inputs:
+    - type: httpjson
+      interval: 1m
+      request.url: https://example.com
+      response.split:
+        target: body.alerts
+        type: array
+        split:
+          transforms:
+            - set:
+                target: body.new
+                value: will be added to each
+          target: body.entities
+          type: map
+    ```
+
+    This will output:
+
+    ```json
+    [
+      {
+        "something": "something",
+        "new": "will be added for each"
+      },
+      {
+        "something": "something 2",
+        "new": "will be added for each"
+      }
+    ]
+    ```
+
+* We have a response with a keys whose value is a string.  We want the string to be split on a delimiter and a document for each sub strings.
+
+    ```json
+    {
+      "this": "is kept",
+      "lines": "Line 1\nLine 2\nLine 3"
+    }
+    ```
+
+    The config will look like:
+
+    ```yaml
+    filebeat.inputs:
+    - type: httpjson
+      interval: 1m
+      request.url: https://example.com
+      response.split:
+        target: body.lines
+        type: string
+        delimiter: "\n"
+    ```
+
+    This will output:
+
+    ```json
+    [
+      {
+        "this": "is kept",
+        "lines": "Line 1"
+      },
+      {
+        "this": "is kept",
+        "lines": "Line 2"
+      },
+      {
+        "this": "is kept",
+        "lines": "Line 3"
+      }
+    ]
+    ```
+
+
+
+## `chain` [chain]
+
+A chain is a list of requests to be made after the first one.
+
+
+### `chain[].step` [_chain_step]
+
+Contains basic request and response configuration for chained calls.
+
+
+### `chain[].step.request` [_chain_step_request]
+
+See [request parameters](#request-parameters). Required.
+
+Example:
+
+First call: https://example.com/services/data/v1.0/
+
+Second call: https://example.com/services/data/v1.0/1/export_ids
+
+Third call: https://example.com/services/data/v1.0/export_ids/file_1/info
+
+
+### `chain[].step.response.split` [_chain_step_response_split]
+
+See [response split parameter](#response-split).
+
++
+
+
+### `chain[].step.replace` [chain-step-replace]
+
+A [JSONPath](https://goessner.net/articles/JsonPath/index.html#e2) string to parse values from responses JSON, collected from previous chain steps. Place same replace string in url where collected values from previous call should be placed. Required.
+
+Example:
+
+* First call: https://example.com/services/data/v1.0/
+
+    [response](#response-json1)
+
+* Second call: https://example.com/services/data/v1.0/`$.records[:].id`/export_ids
+
+    [response](#response-json2)
+
+* Third call: https://example.com/services/data/v1.0/export_ids/`$.file_name`/info
+
+```yaml
+filebeat.inputs:
+- type: httpjson
+  enabled: true
+  # first call
+  request.url: https://example.com/services/data/v1.0/records
+  interval: 1h
+  chain:
+    # second call
+    - step:
+        request.url: https://example.com/services/data/v1.0/$.records[:].id/export_ids
+        request.method: GET
+        replace: $.records[:].id
+    # third call
+    - step:
+        request.url: https://example.com/services/data/v1.0/export_ids/$.file_name/info
+        request.method: GET
+        replace: $.file_name
+```
+
+Example:
+
+* First call to collect record ids
+
+    request_url: https://example.com/services/data/v1.0/records
+
+    response_json:
+
+    $$$response-json1$$$
+
+    ```json
+    {
+        "records": [
+            {
+                "id": 1,
+            },
+            {
+                "id": 2,
+            },
+            {
+                "id": 3,
+            },
+        ]
+    }
+    ```
+
+* Second call to collect `file_name` using collected ids from first call.
+
+    request_url using id as *1*: https://example.com/services/data/v1.0/1/export_ids
+
+    response_json using id as *1*:
+
+    $$$response-json2$$$
+
+    ```json
+    {
+        "file_name": "file_1"
+    }
+    ```
+
+    request_url using id as *2*: https://example.com/services/data/v1.0/2/export_ids
+
+    response_json using id as *2*:
+
+    ```json
+    {
+        "file_name": "file_2"
+    }
+    ```
+
+* Third call to collect `files` using collected `file_name` from second call.
+
+    request_url using file_name as *file_1*: https://example.com/services/data/v1.0/export_ids/file_1/info
+
+    request_url using file_name as *file_2*: https://example.com/services/data/v1.0/export_ids/file_2/info
+
+    Collect and make events from response in any format supported by httpjson for all calls.
+
+    Note that since `request.url` must be a valid URL, if an API returns complete URLs in place of an identifier as in the example above, it would not be possible to use the JSON Path syntax. To achieve the desired result in this case an opaque URI syntax can be used. An opaque URI has an arbitrary scheme and opaque text separated by a colon. When the replacement is done, the scheme and colon are stripped from the URI prior to the replacement and the remaining opaque text is used as the replacement target. In the following example, the scheme is "placeholder".
+
+
+```yaml
+filebeat.inputs:
+- type: httpjson
+  enabled: true
+  # first call
+  request.url: https://example.com/services/data/v1.0/records
+  interval: 1h
+  chain:
+    # second call
+    - step:
+        request.url: placeholder:$.records[:]
+        request.method: GET
+        replace: $.records[:]
+    # third call
+    - step:
+        request.url: placeholder:$.file_name
+        request.method: GET
+        replace: $.file_name
+```
+
++
+
+
+### `chain[].step.replace_with` [chain-step-replace_with]
+
+The `replace_with: "pattern,value"` clause is used to replace a fixed pattern string defined in `request.url` with the given value. The fixed pattern must have a `$.` prefix, for example: `$.xyz`. The `value` may be hard coded or extracted from context variables like [`.last_response.*`, `.first_response.*`, `.parent_last_response.*`] etc. The `replace_with` clause can be used in combination with the `replace` clause thus providing a lot of flexibility in the logic of chain requests.
+
+Example:
+
+* First call: https://example.com/services/data/v1.0/exports
+
+    [response](#response-json1-replace_with)
+
+* Second call: https://example.com/services/data/v1.0/$.exportId/files
+
+    [response](#response-json2-replace_with)
+
+
+```yaml
+filebeat.inputs:
+- type: httpjson
+  enabled: true
+  # first call
+  request.url: https://example.com/services/data/v1.0/exports
+  interval: 1h
+  chain:
+    # second call
+    - step:
+        request.url: https://example.com/services/data/v1.0/$.exportId/files
+        request.method: GET
+        replace_with: '$.exportId,.first_response.body.exportId'
+```
+
+Example:
+
+* First call to fetch exportId
+
+    request_url: https://example.com/services/data/v1.0/exports
+
+    response_json:
+
+    $$$response-json1-replace_with$$$
+
+    ```json
+    {
+        "exportId" : "2212"
+    }
+    ```
+
+* Second call to fetch `file ids` using exportId from first call.
+
+    request_url using exportId as *2212*: https://example.com/services/data/v1.0/2212/files
+
+    response_json using exportId as *2212*:
+
+    $$$response-json2-replace_with$$$
+
+    ```json
+    {
+        "files": [
+            {
+                "id": 1,
+            },
+            {
+                "id": 2,
+            },
+            {
+                "id": 3,
+            },
+        ]
+    }
+    ```
+
+    This behaviour of targeted fixed pattern replacement in the url helps solve various use cases.
+
+
+**Some useful points to remember:- **
+
+1. If you want the `value` to be treated as an expression to be evaluated for data extraction from context variables, it should always have a **single *.* (dot) prefix**. Example: `replace_with: '$.exportId,.first_response.body.exportId'`. Anything more or less will have the internal processor treat it as a hard coded value, `replace_with: '$.exportId,..first_response.body.exportId'` (more than one *.* (dot) as prefix) or `replace_with:'$.exportId,first_response.body.exportId'` (no *.* dot as prefix)
+2. Incomplete `value expressions` will cause an error while processing. Example: `replace_with: '$.exportId,.first_response.'`, `replace_with: '$.exportId,.last_response.'` etc. These expressions are incomplete because they do not evaluate down to a valid key that can be extracted from the context variables. The value expression: `.first_response.`, on processing, will result in an array `[first_response ""]` where the key to be extrated becomes `"" (an empty string)`, which has no definition within any context variable.
+
+::::{note}
+Fixed patterns must not contain commas in their definition. String replacement patterns are matched by the `replace_with` processor with exact string matching. The `first_response` object at the moment can only store flat JSON structures (i.e. no support for JSONS having array at root level, NDJSON or Gzipped JSON), hence it should only be used in scenarios where the this is the case. Splits cannot be performed on `first_response`. It needs to be explicitly enabled by setting the flag `response.save_first_response` to `true` in the httpjson config.
+::::
+
+
+
+### `chain[].while` [_chain_while]
+
+Contains basic request and response configuration for chained while calls. Chained while calls will keep making the requests for a given number of times until a condition is met or the maximum number of attempts gets exhausted. While chain has an attribute `until` which holds the expression to be evaluated. Ideally the `until` field should always be used together with the attributes `request.retry.max_attempts` and `request.retry.wait_min` which specifies the maximum number of attempts to evaluate `until` before giving up and the maximum wait time in between such requests. If `request.retry.max_attempts` is not specified, it will only try to evaluate the expression once and give up if it fails. If `request.retry.wait_min` is not specified the default wait time will always be `0` as in successive calls will be made immediately.
+
+
+### `chain[].while.request` [_chain_while_request]
+
+See  [request parameters](#request-parameters) .
+
+Example:
+
+First call: http://example.com/services/data/v1.0/exports
+
+Second call: http://example.com/services/data/v1.0/9ef0e6a5/export_ids/status
+
+Third call: http://example.com/services/data/v1.0/export_ids/1/info
+
+
+### `chain[].while.response.split` [_chain_while_response_split]
+
+See  [response split parameter](#response-split) .
+
+
+### `chain[].while.replace` [_chain_while_replace]
+
+See  [chain[].step.replace](#chain-step-replace) .
+
+Example:
+
+* First call: http://example.com/services/data/v1.0/exports
+
+    [response](#response-json1-while)
+
+* Second call: http://example.com/services/data/v1.0/`$.exportId`/export_ids/status
+
+    [response](#response-json2-while)
+
+* Third call: http://example.com/services/data/v1.0/export_ids/`$.files[:].id`/info
+
+    [response 1](#response-json3-while), [response 2](#response-json4-while)
+
+
+```yaml
+filebeat.inputs:
+- type: httpjson
+  enabled: true
+  # first call
+  id: my-httpjson-id
+  request.url: http://example.com/services/data/v1.0/exports
+  interval: 1h
+  chain:
+    # second call
+    - while:
+        request.url: http://example.com/services/data/v1.0/$.exportId/export_ids/status
+        request.method: GET
+        replace: $.exportId
+        until: '[[ eq .last_response.body.status "completed" ]]'
+        request.retry.max_attempts: 5
+        request.retry.wait_min: 5s
+    # third call
+    - step:
+        request.url: http://example.com/services/data/v1.0/export_ids/$.files[:].id/info
+        request.method: GET
+        replace: $.files[:].id
+```
+
+Example:
+
+* First call to collect export ids
+
+    request_url: https://example.com/services/data/v1.0/exports
+
+    response_json:
+
+    $$$response-json1-while$$$
+
+    ```json
+    {
+        "exportId": "9ef0e6a5"
+    }
+    ```
+
+* Second call to collect `file_ids` using collected id from first call when `response.body.sataus == "completed"`. This call continues until the condition is satisfied or the maximum number of attempts gets exhausted.
+
+    request_url using id as *9ef0e6a5*: https://example.com/services/data/v1.0/9ef0e6a5/export_ids/status
+
+    response_json using id as *9ef0e6a5*:
+
+    $$$response-json2-while$$$
+
+    ```json
+    {
+        "status": "completed",
+        "files": [
+          {
+            "id": 1
+          },
+          {
+            "id": 2
+          },
+          {
+            "id": 3
+          }
+        ]
+    }
+    ```
+
+* Third call to collect `files` using collected `file_id` from second call.
+
+    request_url using file_id as *1*: https://example.com/services/data/v1.0/export_ids/1/info
+
+    request_url using file_id as *2*: https://example.com/services/data/v1.0/export_ids/2/info
+
+    response_json using id as *1*:
+
+    $$$response-json3-while$$$
+
+    ```json
+    {
+        "file_name": "file_1",
+        "file_data": "some data"
+    }
+    ```
+
+    response_json using id as *2*:
+
+    $$$response-json4-while$$$
+
+    ```json
+    {
+        "file_name": "file_2",
+        "file_data": "some data"
+    }
+    ```
+
+    Collect and make events from response in any format supported by httpjson for all calls.
+
+    Note that since `request.url` must be a valid URL, if an API returns complete URLs in place of an identifier as in the example above, it would not be possible to use the JSON Path syntax. To achieve the desired result in this case an opaque URI syntax can be used. An opaque URI has an arbitrary scheme and opaque text separated by a colon. When the replacement is done, the scheme and colon are stripped from the URI prior to the replacement and the remaining opaque text is used as the replacement target. In the following example, the scheme is "placeholder".
+
+
+```yaml
+filebeat.inputs:
+- type: httpjson
+  enabled: true
+  # first call
+  id: my-httpjson-id
+  request.url: http://example.com/services/data/v1.0/exports
+  interval: 1h
+  chain:
+    # second call
+    - while:
+        request.url: placeholder:$.exportId
+        request.method: GET
+        replace: $.exportId
+        until: '[[ eq .last_response.body.status "completed" ]]'
+        request.retry.max_attempts: 5
+        request.retry.wait_min: 5s
+    # third call
+    - step:
+        request.url: placeholder:$.files[:]
+        request.method: GET
+        replace: $.files[:]
+```
+
+::::{note}
+httpjson chain will only create and ingest events from last call on chained configurations. Also, the current chain only supports the following: all [request parameters](#request-parameters), [response.transforms](#response-transforms) and [response.split](#response-split).
+::::
+
+
+
+### `chain[].while.replace_with` [_chain_while_replace_with]
+
+See  [chain[].step.replace_with](#chain-step-replace_with) .
+
+
+### `cursor` [cursor]
+
+Cursor is a list of key value objects where arbitrary values are defined. The values are interpreted as  [value templates](#value-templates) and a default template can be set. Cursor state is kept between input restarts and updated once all the events for a request are published.
+
+If no event is published, no cursor update is made. This can have implications on how cursor updates should be performed when the target API returns empty response sets.
+
+Each cursor entry is formed by:
+
+* A `value` template, which will define the value to store when evaluated.
+* A `default` template, which will define the value to store when the value template fails or is empty.
+* An `ignore_empty_value` flag. When set to `true`, will not store empty values, preserving the previous one, if any. Default: `true`.
+
+Can read state from: [`.last_response.*`, `.first_event.*`, `.last_event.*`].
+
+::::{note}
+Default templates do not have access to any state, only to functions.
+::::
+
+
+```yaml
+filebeat.inputs:
+- type: httpjson
+  interval: 1m
+  request.url: https://api.ipify.org/?format=json
+  response.transforms:
+    - set:
+        target: body.last_requested_at
+        value: '[[.cursor.last_requested_at]]'
+        default: "[[now]]"
+  cursor:
+    last_requested_at:
+      value: '[[now]]'
+  processors:
+    - decode_json_fields:
+        fields: ["message"]
+        target: "json"
+```
+
+
+## Request life cycle [_request_life_cycle]
+
+![Request lifecycle](images/input-httpjson-lifecycle.png "")
+
+1. At every defined interval a new request is created.
+2. The request is transformed using the configured [request.transforms](#request-transforms).
+3. The resulting transformed request is executed.
+4. The server responds (here is where any retry or rate limit policy takes place when configured).
+5. The response is transformed using the configured [response.transforms](#response-transforms) and [response.split](#response-split).
+6. If a chain step is configured. Each step will generate new requests based on collected IDs from responses. The requests will be transformed using configured [request.transforms](#request-transforms) and the resulting generated transformed requests will be executed. This process will happen for all the steps mentioned in the chain.
+7. Each resulting event is published to the output.
+8. If a `response.pagination` is configured and there are more pages, a new request is created using it, otherwise the process ends until the next interval.
+
+![Chain Request lifecycle](images/input-httpjson-chain-lifecycle.png "")
+
+1. Response from regular call will be processed.
+2. Extract data from response and generate new requests from responses.
+3. Process generated requests and collect responses from server.
+4. Go back to step-2 for the next step.
+5. Publish collected responses from the last chain step.
+
+
+## Metrics [_metrics_12]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the activity of the input.
+
+| Metric | Description |
+| --- | --- |
+| `http_request_total` | Total number of processed requests. |
+| `http_request_errors_total` | Total number of request errors. |
+| `http_request_delete_total` | Total number of `DELETE` requests. |
+| `http_request_get_total` | Total number of `GET` requests. |
+| `http_request_head_total` | Total number of `HEAD` requests. |
+| `http_request_options_total` | Total number of `OPTIONS` requests. |
+| `http_request_patch_total` | Total number of `PATCH` requests. |
+| `http_request_post_total` | Total number of `POST` requests. |
+| `http_request_put_total` | Total number of `PUT` requests. |
+| `http_request_body_bytes_total` | Total of the requests body size. |
+| `http_request_body_bytes` | Histogram of the requests body size. |
+| `http_response_total` | Total number of responses received. |
+| `http_response_errors_total` | Total number of response errors. |
+| `http_response_1xx_total` | Total number of `1xx` responses. |
+| `http_response_2xx_total` | Total number of `2xx` responses. |
+| `http_response_3xx_total` | Total number of `3xx` responses. |
+| `http_response_4xx_total` | Total number of `4xx` responses. |
+| `http_response_5xx_total` | Total number of `5xx` responses. |
+| `http_response_body_bytes_total` | Total of the responses body size. |
+| `http_response_body_bytes` | Histogram of the responses body size. |
+| `http_round_trip_time` | Histogram of the round trip time. |
+| `httpjson_interval_total` | Total number of intervals executed. |
+| `httpjson_interval_errors_total` | Total number of interval errors. |
+| `httpjson_interval_execution_time` | Histogram of the interval execution time. |
+| `httpjson_interval_pages` | Histogram of the total number of pages per interval. |
+| `httpjson_interval_pages_execution_time` | Histogram of the interval pages execution time. |
+
+
+## Common options [filebeat-input-httpjson-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_13]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_13]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: httpjson
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-httpjson-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: httpjson
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-httpjson]
+
+If this option is set to true, the custom [fields](#filebeat-input-httpjson-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_13]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_13]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_13]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_13]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_13]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
diff --git a/docs/reference/filebeat/filebeat-input-journald.md b/docs/reference/filebeat/filebeat-input-journald.md
new file mode 100644
index 000000000000..719641e04988
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-journald.md
@@ -0,0 +1,587 @@
+---
+navigation_title: "journald"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-journald.html
+---
+
+# Journald input [filebeat-input-journald]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+[`journald`](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) is a system service that collects and stores logging data. The `journald` input reads this log data and the metadata associated with it. To read this log data Filebeat calls `journalctl` to read from the journal, therefore Filebeat needs permission to execute `journalctl`.
+
+If the `journalctl` process exits unexpectedly the journald input will terminate with an error and Filebeat will need to be restarted to start reading from the jouranl again.
+
+The simplest configuration example is one that reads all logs from the default journal.
+
+```yaml
+filebeat.inputs:
+- type: journald
+  id: everything
+```
+
+You may wish to have separate inputs for each service. You can use `include_matches` to specify filtering expressions. A good way to list the [journald fields](https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html) that are available for filtering messages is to run `journalctl -o json` to output logs and metadata as JSON. This example collects logs from the `vault.service` systemd unit.
+
+```yaml
+filebeat.inputs:
+- type: journald
+  id: service-vault
+  include_matches.match:
+    - _SYSTEMD_UNIT=vault.service
+```
+
+This example collects kernel logs where the message begins with `iptables`. Note that `include_matches` is more efficient than Beat processors because that are applied before the data is passed to the Filebeat so prefer them where possible.
+
+```yaml
+filebeat.inputs:
+- type: journald
+  id: iptables
+  include_matches.match:
+    - _TRANSPORT=kernel
+  processors:
+    - drop_event:
+        when.not.regexp.message: '^iptables'
+```
+
+Each example adds the `id` for the input to ensure the cursor is persisted to the registry with a unique ID. The ID should be unique among journald inputs. If you don’t specify and `id` then one is created for you by hashing the configuration. So when you modify the config this will result in a new ID and a fresh cursor.
+
+## Configuration options [filebeat-input-journald-options]
+
+The `journald` input supports the following configuration options plus the [Common options](#filebeat-input-journald-common-options) described later.
+
+
+### `id` [filebeat-input-journald-id]
+
+An unique identifier for the input. By providing a unique `id` you can operate multiple inputs on the same journal. This allows each input’s cursor to be persisted independently in the registry file. Each journald input must have an unique ID.
+
+```yaml
+filebeat.inputs:
+- type: journald
+  id: consul.service
+  include_matches.match:
+    - _SYSTEMD_UNIT=consul.service
+
+- type: journald
+  id: vault.service
+  include_matches.match:
+    - _SYSTEMD_UNIT=vault.service
+```
+
+
+### `paths` [filebeat-input-journald-paths]
+
+A list of paths that will be crawled and fetched. Each path can be a directory path (to collect events from all journals in a directory), or a file path. If you specify a directory, Filebeat merges all journals under the directory into a single journal and reads them.
+
+If no paths are specified, Filebeat reads from the default journal.
+
+
+### `seek` [filebeat-input-journald-seek]
+
+The position to start reading the journal from. Valid settings are:
+
+* `head`: Starts reading at the beginning of the journal. After a restart, Filebeat resends all log messages in the journal.
+* `tail`: Starts reading at the end of the journal. This means that no events will be sent until a new message is written.
+* `since`: Use the `since` option to determine where to start reading from.
+
+Regardless of the value of `seek` if Filebeat has a state (cursor) for this input, the `seek` value is ignored and the current cursor is used. To reset the cursor, just change the `id` of the input, this will start from a fresh state.
+
+
+### `since` [filebeat-input-journald-since]
+
+A time offset from the current time to start reading from. To use `since`, `seek` option must be set to `since`.
+
+This example demonstrates how to resume from the persisted cursor when it exists, or otherwise begin reading logs from the last 24 hours.
+
+```yaml
+seek: since
+since: -24h
+```
+
+
+### `units` [filebeat-input-journald-units]
+
+Iterate only the entries of the units specified in this option. The iterated entries include messages from the units, messages about the units by authorized daemons and coredumps. However, it does not match systemd user units.
+
+
+### `syslog_identifiers` [filebeat-input-journald-syslog-identifiers]
+
+Read only the entries with the selected syslog identifiers.
+
+
+### `transports` [filebeat-input-journald-transports]
+
+Collect the messages using the specified transports. Example: syslog.
+
+Valid transports:
+
+* audit: messages from the kernel audit subsystem
+* driver: internally generated messages
+* syslog: messages received via the local syslog socket with the syslog protocol
+* journal: messages received via the native journal protocol
+* stdout: messages from a service’s standard output or error output
+* kernel: messages from the kernel
+
+
+### `facilities` [filebeat-input-journald-facilities]
+
+Filter entries by facilities, facilities must be specified using their numeric code.
+
+
+### `include_matches` [filebeat-input-journald-include-matches]
+
+A collection of filter expressions used to match fields. The format of the expression is `field=value`. Filebeat fetches all events that exactly match the expressions. Pattern matching is not supported.
+
+If you configured a filter expression, only entries with this field set will be iterated by the journald reader of Filebeat. If the filter expressions apply to different fields, only entries with all fields set will be iterated. If they apply to the same fields, only entries where the field takes one of the specified values will be iterated.
+
+`match`: List of filter expressions to match fields.
+
+Please note that these expressions are limited. You can build complex filtering, but full logical expressions are not supported.
+
+The following include matches configuration will ingest entries that contain `journald.process.name: systemd` and `systemd.transport: syslog`.
+
+```yaml
+include_matches:
+  match:
+    - "journald.process.name=systemd"
+    - "systemd.transport=syslog"
+```
+
+The following include matches configuration will ingest entries that contain `systemd.transport: systemd` or `systemd.transport: kernel`.
+
+```yaml
+include_matches:
+  match:
+    - "systemd.transport=kernel"
+    - "systemd.transport=syslog"
+```
+
+To reference fields, use one of the following:
+
+* The field name used by the systemd journal. For example, `CONTAINER_TAG=redis`.
+* The [translated field name](#filebeat-input-journald-translated-fields) used by Filebeat. For example, `container.image.tag=redis`. Filebeat does not translate all fields from the journal. For custom fields, use the name specified in the systemd journal.
+
+
+#### `parsers` [_parsers_2]
+
+This option expects a list of parsers that the entry has to go through.
+
+Available parsers:
+
+* `multiline`
+* `ndjson`
+* `container`
+* `syslog`
+* `include_message`
+
+In this example, Filebeat is reading multiline messages that consist of 3 lines and are encapsulated in single-line JSON objects. The multiline message is stored under the key `msg`.
+
+```yaml
+filebeat.inputs:
+- type: journald
+  ...
+  parsers:
+    - ndjson:
+        target: ""
+        message_key: msg
+    - multiline:
+        type: count
+        count_lines: 3
+```
+
+See the available parser settings in detail below.
+
+
+#### `multiline` [_multiline_4]
+
+Options that control how Filebeat deals with log messages that span multiple lines. See [Multiline messages](/reference/filebeat/multiline-examples.md) for more information about configuring multiline options.
+
+
+#### `ndjson` [filebeat-input-journald-ndjson]
+
+These options make it possible for Filebeat to decode logs structured as JSON messages. Filebeat processes the entry by line, so the JSON decoding only works if there is one JSON object per message.
+
+The decoding happens before line filtering. You can combine JSON decoding with filtering if you set the `message_key` option. This can be helpful in situations where the application logs are wrapped in JSON objects, like when using Docker.
+
+Example configuration:
+
+```yaml
+- ndjson:
+    target: ""
+    add_error_key: true
+    message_key: log
+```
+
+**`target`**
+:   The name of the new JSON object that should contain the parsed key value pairs. If you leave it empty, the new keys will go under root.
+
+**`overwrite_keys`**
+:   Values from the decoded JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) in case of conflicts. Disable it if you want to keep previously added values.
+
+**`expand_keys`**
+:   If this setting is enabled, Filebeat will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`. This setting should be enabled when the input is produced by an [ECS logger](https://github.com/elastic/ecs-logging).
+
+**`add_error_key`**
+:   If this setting is enabled, Filebeat adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors or when a `message_key` is defined in the configuration but cannot be used.
+
+**`message_key`**
+:   An optional configuration setting that specifies a JSON key on which to apply the line filtering and multiline settings. If specified the key must be at the top level in the JSON object and the value associated with the key must be a string, otherwise no filtering or multiline aggregation will occur.
+
+**`document_id`**
+:   Option configuration setting that specifies the JSON key to set the document id. If configured, the field will be removed from the original JSON document and stored in `@metadata._id`
+
+**`ignore_decoding_error`**
+:   An optional configuration setting that specifies if JSON decoding errors should be logged or not. If set to true, errors will not be logged. The default is false.
+
+
+#### `container` [_container]
+
+Use the `container` parser to extract information from  containers log files. It parses lines into common message lines, extracting timestamps too.
+
+**`stream`**
+:   Reads from the specified streams only: `all`, `stdout` or `stderr`. The default is `all`.
+
+**`format`**
+:   Use the given format when parsing logs: `auto`, `docker` or `cri`. The default is `auto`, it will automatically detect the format. To disable autodetection set any of the other options.
+
+The following snippet configures Filebeat to read the `stdout` stream from all containers under the default Kubernetes logs path:
+
+```yaml
+  parsers:
+    - container:
+        stream: stdout
+```
+
+
+#### `syslog` [_syslog_2]
+
+The `syslog` parser parses RFC 3146 and/or RFC 5424 formatted syslog messages.
+
+The supported configuration options are:
+
+**`format`**
+:   (Optional) The syslog format to use, `rfc3164`, or `rfc5424`. To automatically detect the format from the log entries, set this option to `auto`. The default is `auto`.
+
+**`timezone`**
+:   (Optional) IANA time zone name(e.g. `America/New York`) or a fixed time offset (e.g. +0200) to use when parsing syslog timestamps that do not contain a time zone. `Local` may be specified to use the machine’s local time zone. Defaults to `Local`.
+
+**`log_errors`**
+:   (Optional) If `true` the parser will log syslog parsing errors. Defaults to `false`.
+
+**`add_error_key`**
+:   (Optional) If this setting is enabled, the parser adds or appends to an `error.message` key with the parsing error that was encountered. Defaults to `true`.
+
+Example configuration:
+
+```yaml
+- syslog:
+    format: rfc3164
+    timezone: America/Chicago
+    log_errors: true
+    add_error_key: true
+```
+
+**Timestamps**
+
+The RFC 3164 format accepts the following forms of timestamps:
+
+* Local timestamp (`Mmm dd hh:mm:ss`):
+
+    * `Jan 23 14:09:01`
+
+* RFC-3339*:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+**Note**: The local timestamp (for example, `Jan 23 14:09:01`) that accompanies an RFC 3164 message lacks year and time zone information. The time zone will be enriched using the `timezone` configuration option, and the year will be enriched using the Filebeat system’s local time (accounting for time zones). Because of this, it is possible for messages to appear in the future. An example of when this might happen is logs generated on December 31 2021 are ingested on January 1 2022. The logs would be enriched with the year 2022 instead of 2021.
+
+The RFC 5424 format accepts the following forms of timestamps:
+
+* RFC-3339:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+Formats with an asterisk (*) are a non-standard allowance.
+
+
+#### `include_message` [_include_message_2]
+
+Use the `include_message` parser to filter messages in the parsers pipeline. Messages that match the provided pattern are passed to the next parser, the others are dropped.
+
+You should use `include_message` instead of `include_lines` if you would like to control when the filtering happens. `include_lines` runs after the parsers, `include_message` runs in the parsers pipeline.
+
+**`patterns`**
+:   List of regexp patterns to match.
+
+This example shows you how to include messages that start with the string ERR or WARN:
+
+```yaml
+  parsers:
+    - include_message.patterns: ["^ERR", "^WARN"]
+```
+
+
+## Translated field names [filebeat-input-journald-translated-fields]
+
+You can use the following translated names in filter expressions to reference journald fields:
+
+**Journald field name**
+:   **Translated name**
+
+`COREDUMP_UNIT`
+:   `journald.coredump.unit`
+
+`COREDUMP_USER_UNIT`
+:   `journald.coredump.user_unit`
+
+`OBJECT_AUDIT_LOGINUID`
+:   `journald.object.audit.login_uid`
+
+`OBJECT_AUDIT_SESSION`
+:   `journald.object.audit.session`
+
+`OBJECT_CMDLINE`
+:   `journald.object.cmd`
+
+`OBJECT_COMM`
+:   `journald.object.name`
+
+`OBJECT_EXE`
+:   `journald.object.executable`
+
+`OBJECT_GID`
+:   `journald.object.gid`
+
+`OBJECT_PID`
+:   `journald.object.pid`
+
+`OBJECT_SYSTEMD_OWNER_UID`
+:   `journald.object.systemd.owner_uid`
+
+`OBJECT_SYSTEMD_SESSION`
+:   `journald.object.systemd.session`
+
+`OBJECT_SYSTEMD_UNIT`
+:   `journald.object.systemd.unit`
+
+`OBJECT_SYSTEMD_USER_UNIT`
+:   `journald.object.systemd.user_unit`
+
+`OBJECT_UID`
+:   `journald.object.uid`
+
+`_AUDIT_LOGINUID`
+:   `process.audit.login_uid`
+
+`_AUDIT_SESSION`
+:   `process.audit.session`
+
+`_BOOT_ID`
+:   `host.boot_id`
+
+`_CAP_EFFECTIVE`
+:   `process.capabilites`
+
+`_CMDLINE`
+:   `process.cmd`
+
+`_CODE_FILE`
+:   `journald.code.file`
+
+`_CODE_FUNC`
+:   `journald.code.func`
+
+`_CODE_LINE`
+:   `journald.code.line`
+
+`_COMM`
+:   `process.name`
+
+`_EXE`
+:   `process.executable`
+
+`_GID`
+:   `process.uid`
+
+`_HOSTNAME`
+:   `host.name`
+
+`_KERNEL_DEVICE`
+:   `journald.kernel.device`
+
+`_KERNEL_SUBSYSTEM`
+:   `journald.kernel.subsystem`
+
+`_MACHINE_ID`
+:   `host.id`
+
+`_MESSAGE`
+:   `message`
+
+`_PID`
+:   `process.pid`
+
+`_PRIORITY`
+:   `syslog.priority`
+
+`_SYSLOG_FACILITY`
+:   `syslog.facility`
+
+`_SYSLOG_IDENTIFIER`
+:   `syslog.identifier`
+
+`_SYSLOG_PID`
+:   `syslog.pid`
+
+`_SYSTEMD_CGROUP`
+:   `systemd.cgroup`
+
+`_SYSTEMD_INVOCATION_ID`
+:   `systemd.invocation_id`
+
+`_SYSTEMD_OWNER_UID`
+:   `systemd.owner_uid`
+
+`_SYSTEMD_SESSION`
+:   `systemd.session`
+
+`_SYSTEMD_SLICE`
+:   `systemd.slice`
+
+`_SYSTEMD_UNIT`
+:   `systemd.unit`
+
+`_SYSTEMD_USER_SLICE`
+:   `systemd.user_slice`
+
+`_SYSTEMD_USER_UNIT`
+:   `systemd.user_unit`
+
+`_TRANSPORT`
+:   `systemd.transport`
+
+`_UDEV_DEVLINK`
+:   `journald.kernel.device_symlinks`
+
+`_UDEV_DEVNODE`
+:   `journald.kernel.device_node_path`
+
+`_UDEV_SYSNAME`
+:   `journald.kernel.device_name`
+
+`_UID`
+:   `process.uid`
+
+The following translated fields for [Docker](https://docs.docker.com/config/containers/logging/journald/) are also available:
+
+`CONTAINER_ID`
+:   `container.id_truncated`
+
+`CONTAINER_ID_FULL`
+:   `container.id`
+
+`CONTAINER_NAME`
+:   `container.name`
+
+`CONTAINER_PARTIAL_MESSAGE`
+:   `container.partial`
+
+`CONTAINER_TAG`
+:   `container.log.tag`
+
+`IMAGE_NAME`
+:   `container.image.name`
+
+
+## Common options [filebeat-input-journald-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_14]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_14]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: journald
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-journald-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: journald
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-journald]
+
+If this option is set to true, the custom [fields](#filebeat-input-journald-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_14]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_14]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_14]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_14]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_14]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-kafka.md b/docs/reference/filebeat/filebeat-input-kafka.md
new file mode 100644
index 000000000000..e4c7981cde85
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-kafka.md
@@ -0,0 +1,316 @@
+---
+navigation_title: "Kafka"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-kafka.html
+---
+
+# Kafka input [filebeat-input-kafka]
+
+
+Use the `kafka` input to read from topics in a Kafka cluster.
+
+To configure this input, specify a list of one or more [`hosts`](/reference/filebeat/logstash-output.md#hosts) in the cluster to bootstrap the connection with, a list of [`topics`](#topics) to track, and a [`group_id`](#groupid) for the connection.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: kafka
+  hosts:
+    - kafka-broker-1:9092
+    - kafka-broker-2:9092
+  topics: ["my-topic"]
+  group_id: "filebeat"
+```
+
+The following example shows how to use the `kafka` input to ingest data from Microsoft Azure Event Hubs that have Kafka compatibility enabled:
+
+```yaml
+filebeat.inputs:
+- type: kafka
+  hosts: ["<your event hub namespace>.servicebus.windows.net:9093"]
+  topics: ["<your event hub instance>"]
+  group_id: "<your consumer group>"
+
+  username: "$ConnectionString"
+  password: "<your connection string>"
+  ssl.enabled: true
+```
+
+For more details on the mapping between Kafka and Event Hubs configuration parameters, see the [Azure documentation](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-for-kafka-ecosystem-overview).
+
+## Compatibility [kafka-input-compatibility]
+
+This input works with all Kafka versions in between 0.11 and 2.8.0. Older versions might work as well, but are not supported.
+
+
+## Configuration options [filebeat-input-kafka-options]
+
+The `kafka` input supports the following configuration options plus the [Common options](#filebeat-input-kafka-common-options) described later.
+
+::::{note}
+If you’re using {{agent}} with a Kafka input and need to increase throughput, we recommend scaling horizontally by additional {{agents}} to read from the Kafka topic. Note that each {{agent}} reads concurrently from each of the partitions it has been assigned.
+::::
+
+
+
+#### `hosts` [kafka-hosts]
+
+A list of Kafka bootstrapping hosts (brokers) for this cluster.
+
+
+#### `topics` [topics]
+
+A list of topics to read from.
+
+
+#### `group_id` [groupid]
+
+The Kafka consumer group id.
+
+
+#### `client_id` [_client_id_3]
+
+The Kafka client id (optional).
+
+
+#### `version` [_version_2]
+
+The version of the Kafka protocol to use (defaults to `"2.1.0"`). When using Kafka 4.0 and newer, the version must be set to at least `"2.1.0"`.
+
+
+#### `initial_offset` [_initial_offset]
+
+The initial offset to start reading, either "oldest" or "newest". Defaults to "oldest".
+
+### `connect_backoff` [_connect_backoff]
+
+How long to wait before trying to reconnect to the kafka cluster after a fatal error. Default is 30s.
+
+
+### `consume_backoff` [_consume_backoff]
+
+How long to wait before retrying a failed read. Default is 2s.
+
+
+### `max_wait_time` [_max_wait_time]
+
+How long to wait for the minimum number of input bytes while reading. Default is 250ms.
+
+
+### `wait_close` [_wait_close]
+
+When shutting down, how long to wait for in-flight messages to be delivered and acknowledged.
+
+
+### `isolation_level` [_isolation_level]
+
+This configures the Kafka group isolation level:
+
+* `"read_uncommitted"` returns *all* messages in the message channel.
+* `"read_committed"` hides messages that are part of an aborted transaction.
+
+The default is `"read_uncommitted"`.
+
+
+### `fetch` [_fetch]
+
+Kafka fetch settings:
+
+**`min`**
+:   The minimum number of bytes to wait for. Defaults to 1.
+
+**`default`**
+:   The default number of bytes to read per request. Defaults to 1MB.
+
+**`max`**
+:   The maximum number of bytes to read per request. Defaults to 0 (no limit).
+
+
+### `expand_event_list_from_field` [_expand_event_list_from_field_2]
+
+If the fileset using this input expects to receive multiple messages bundled under a specific field then the config option `expand_event_list_from_field` value can be assigned the name of the field. For example in the case of azure filesets the events are found under the json object "records".
+
+```json
+{
+"records": [ {event1}, {event2}]
+}
+```
+
+This setting will be able to split the messages under the group value (*records*) into separate events.
+
+
+### `rebalance` [_rebalance]
+
+Kafka rebalance settings:
+
+**`strategy`**
+:   Either `"range"` or `"roundrobin"`. Defaults to `"range"`.
+
+**`timeout`**
+:   How long to wait for an attempted rebalance. Defaults to 60s.
+
+**`max_retries`**
+:   How many times to retry if rebalancing fails. Defaults to 4.
+
+**`retry_backoff`**
+:   How long to wait after an unsuccessful rebalance attempt. Defaults to 2s.
+
+
+### `sasl.mechanism` [_sasl_mechanism]
+
+The SASL mechanism to use when connecting to Kafka. It can be one of:
+
+* `PLAIN` for SASL/PLAIN.
+* `SCRAM-SHA-256` for SCRAM-SHA-256.
+* `SCRAM-SHA-512` for SCRAM-SHA-512.
+
+If `sasl.mechanism` is not set, `PLAIN` is used if `username` and `password` are provided. Otherwise, SASL authentication is disabled.
+
+To use `GSSAPI` mechanism to authenticate with Kerberos, you must leave this field empty, and use the [`kerberos`](/reference/filebeat/kafka-output.md#kerberos-option-kafka) options.
+
+
+### `kerberos` [_kerberos]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Configuration options for Kerberos authentication.
+
+See [Kerberos](/reference/filebeat/configuration-kerberos.md) for more information.
+
+
+#### `parsers` [_parsers_3]
+
+This option expects a list of parsers that the payload has to go through.
+
+Available parsers:
+
+* `ndjson`
+* `multiline`
+
+
+#### `ndjson` [_ndjson]
+
+These options make it possible for Filebeat to decode the payload as JSON messages.
+
+Example configuration:
+
+```yaml
+- ndjson:
+  target: ""
+  add_error_key: true
+  message_key: log
+```
+
+**`target`**
+:   The name of the new JSON object that should contain the parsed key value pairs. If you leave it empty, the new keys will go under root.
+
+**`overwrite_keys`**
+:   Values from the decoded JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) in case of conflicts. Disable it if you want to keep previously added values.
+
+**`expand_keys`**
+:   If this setting is enabled, Filebeat will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`. This setting should be enabled when the input is produced by an [ECS logger](https://github.com/elastic/ecs-logging).
+
+**`add_error_key`**
+:   If this setting is enabled, Filebeat adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors or when a `message_key` is defined in the configuration but cannot be used.
+
+**`message_key`**
+:   An optional configuration setting that specifies a JSON key on which to apply the line filtering and multiline settings. If specified the key must be at the top level in the JSON object and the value associated with the key must be a string, otherwise no filtering or multiline aggregation will occur.
+
+**`document_id`**
+:   Option configuration setting that specifies the JSON key to set the document id. If configured, the field will be removed from the original JSON document and stored in `@metadata._id`
+
+**`ignore_decoding_error`**
+:   An optional configuration setting that specifies if JSON decoding errors should be logged or not. If set to true, errors will not be logged. The default is false.
+
+
+#### `multiline` [_multiline_5]
+
+Options that control how Filebeat deals with log messages that span multiple lines. See [Multiline messages](/reference/filebeat/multiline-examples.md) for more information about configuring multiline options.
+
+
+
+## Common options [filebeat-input-kafka-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_15]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_15]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: kafka
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-kafka-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: kafka
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-kafka]
+
+If this option is set to true, the custom [fields](#filebeat-input-kafka-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_15]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_15]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_15]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_15]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_15]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-log.md b/docs/reference/filebeat/filebeat-input-log.md
new file mode 100644
index 000000000000..4ded80b87992
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-log.md
@@ -0,0 +1,636 @@
+---
+navigation_title: "Log"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-log.html
+---
+
+# Log input [filebeat-input-log]
+
+[7.16.0]
+
+The log input is deprecated. Please use the the [`filestream input`](/reference/filebeat/filebeat-input-filestream.md) for sending log files to outputs.
+
+It’s possible to use this input type only in combination with the `allow_deprecated_use: true` setting as a part of the input configuration.
+
+
+Use the `log` input to read lines from log files.
+
+To configure this input, specify a list of glob-based [`paths`](#input-paths) that must be crawled to locate and fetch the log lines.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: log
+  paths:
+    - /var/log/messages
+    - /var/log/*.log
+```
+
+You can apply additional [configuration settings](#filebeat-input-log-options) (such as `fields`, `include_lines`, `exclude_lines`, `multiline`, and so on) to the lines harvested from these files. The options that you specify are applied to all the files harvested by this input.
+
+To apply different configuration settings to different files, you need to define multiple input sections:
+
+```yaml
+filebeat.inputs:
+- type: log <1>
+  paths:
+    - /var/log/system.log
+    - /var/log/wifi.log
+- type: log <2>
+  paths:
+    - "/var/log/apache2/*"
+  fields:
+    apache: true
+  fields_under_root: true
+```
+
+1. Harvests lines from two files:  `system.log` and `wifi.log`.
+2. Harvests lines from every file in the `apache2` directory, and uses the `fields` configuration option to add a field called `apache` to the output.
+
+
+::::{important}
+Make sure a file is not defined more than once across all inputs because this can lead to unexpected behaviour.
+::::
+
+
+## Reading files on network shares and cloud providers [file-identity]
+
+::::{warning}
+Filebeat does not support reading from network shares and cloud providers.
+::::
+
+
+However, one of the limitations of these data sources can be mitigated if you configure Filebeat adequately.
+
+By default, Filebeat identifies files based on their inodes and device IDs. However, on network shares and cloud providers these values might change during the lifetime of the file. If this happens Filebeat thinks that file is new and resends the whole content of the file. To solve this problem you can configure `file_identity` option. Possible values besides the default `inode_deviceid` are `path` and `inode_marker`.
+
+Selecting `path` instructs Filebeat to identify files based on their paths. This is a quick way to avoid rereading files if inode and device ids might change. However, keep in mind if the files are rotated (renamed), they will be reread and resubmitted.
+
+The option `inode_marker` can be used if the inodes stay the same even if the device id is changed. You should choose this method if your files are rotated instead of `path` if possible. You have to configure a marker file readable by Filebeat and set the path in the option `path` of `inode_marker`.
+
+The content of this file must be unique to the device. You can put the UUID of the device or mountpoint where the input is stored. The following example oneliner generates a hidden marker file for the selected mountpoint `/logs`: Please note that you should not use this option on Windows as file identifiers might be more volatile.
+
+```sh
+$ lsblk -o MOUNTPOINT,UUID | grep /logs | awk '{print $2}' >> /logs/.filebeat-marker
+```
+
+To set the generated file as a marker for `file_identity` you should configure the input the following way:
+
+```yaml
+filebeat.inputs:
+- type: log
+  paths:
+    - /logs/*.log
+  file_identity.inode_marker.path: /logs/.filebeat-marker
+```
+
+
+## Reading from rotating logs [rotating-logs]
+
+When dealing with file rotation, avoid harvesting symlinks. Instead use the [`paths`](#input-paths) setting to point to the original file, and specify a pattern that matches the file you want to harvest and all of its rotated files. Also make sure your log rotation strategy prevents lost or duplicate messages. For more information, see [Log rotation results in lost or duplicate events](/reference/filebeat/file-log-rotation.md).
+
+Furthermore, to avoid duplicate of rotated log messages, do not use the `path` method for `file_identity`. Or exclude the rotated files with `exclude_files` option.
+
+
+## Configuration options [filebeat-input-log-options]
+
+The `log` input supports the following configuration options plus the [Common options](#filebeat-input-log-common-options) described later.
+
+
+#### `paths` [input-paths]
+
+A list of glob-based paths that will be crawled and fetched. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, to fetch all files from a predefined level of subdirectories, the following pattern can be used: `/var/log/*/*.log`. This fetches all `.log` files from the subfolders of `/var/log`. It does not fetch log files from the `/var/log` folder itself. It is possible to recursively fetch all files in all subdirectories of a directory using the optional [`recursive_glob`](#recursive_glob) settings.
+
+Filebeat starts a harvester for each file that it finds under the specified paths. You can specify one path per line. Each line begins with a dash (-).
+
+
+#### `recursive_glob.enabled` [recursive_glob]
+
+Enable expanding `**` into recursive glob patterns. With this feature enabled, the rightmost `**` in each path is expanded into a fixed number of glob patterns. For example: `/foo/**` expands to `/foo`, `/foo/*`, `/foo/*/*`, and so on. If enabled it expands a single `**` into a 8-level deep `*` pattern.
+
+This feature is enabled by default. Set `recursive_glob.enabled` to false to disable it.
+
+
+#### `encoding` [_encoding_3]
+
+The file encoding to use for reading data that contains international characters. See the encoding names [recommended by the W3C for use in HTML5](http://www.w3.org/TR/encoding/).
+
+Valid encodings:
+
+* `plain`: plain ASCII encoding
+* `utf-8` or `utf8`: UTF-8 encoding
+* `gbk`: simplified Chinese charaters
+* `iso8859-6e`: ISO8859-6E, Latin/Arabic
+* `iso8859-6i`: ISO8859-6I, Latin/Arabic
+* `iso8859-8e`: ISO8859-8E, Latin/Hebrew
+* `iso8859-8i`: ISO8859-8I, Latin/Hebrew
+* `iso8859-1`: ISO8859-1, Latin-1
+* `iso8859-2`: ISO8859-2, Latin-2
+* `iso8859-3`: ISO8859-3, Latin-3
+* `iso8859-4`: ISO8859-4, Latin-4
+* `iso8859-5`: ISO8859-5, Latin/Cyrillic
+* `iso8859-6`: ISO8859-6, Latin/Arabic
+* `iso8859-7`: ISO8859-7, Latin/Greek
+* `iso8859-8`: ISO8859-8, Latin/Hebrew
+* `iso8859-9`: ISO8859-9, Latin-5
+* `iso8859-10`: ISO8859-10, Latin-6
+* `iso8859-13`: ISO8859-13, Latin-7
+* `iso8859-14`: ISO8859-14, Latin-8
+* `iso8859-15`: ISO8859-15, Latin-9
+* `iso8859-16`: ISO8859-16, Latin-10
+* `cp437`: IBM CodePage 437
+* `cp850`: IBM CodePage 850
+* `cp852`: IBM CodePage 852
+* `cp855`: IBM CodePage 855
+* `cp858`: IBM CodePage 858
+* `cp860`: IBM CodePage 860
+* `cp862`: IBM CodePage 862
+* `cp863`: IBM CodePage 863
+* `cp865`: IBM CodePage 865
+* `cp866`: IBM CodePage 866
+* `ebcdic-037`: IBM CodePage 037
+* `ebcdic-1040`: IBM CodePage 1140
+* `ebcdic-1047`: IBM CodePage 1047
+* `koi8r`: KOI8-R, Russian (Cyrillic)
+* `koi8u`: KOI8-U, Ukranian (Cyrillic)
+* `macintosh`: Macintosh encoding
+* `macintosh-cyrillic`: Macintosh Cyrillic encoding
+* `windows1250`: Windows1250, Central and Eastern European
+* `windows1251`: Windows1251, Russian, Serbian (Cyrillic)
+* `windows1252`: Windows1252, Legacy
+* `windows1253`: Windows1253, Modern Greek
+* `windows1254`: Windows1254, Turkish
+* `windows1255`: Windows1255, Hebrew
+* `windows1256`: Windows1256, Arabic
+* `windows1257`: Windows1257, Estonian, Latvian, Lithuanian
+* `windows1258`: Windows1258, Vietnamese
+* `windows874`:  Windows874, ISO/IEC 8859-11, Latin/Thai
+* `utf-16-bom`: UTF-16 with required BOM
+* `utf-16be-bom`: big endian UTF-16 with required BOM
+* `utf-16le-bom`: little endian UTF-16 with required BOM
+
+The `plain` encoding is special, because it does not validate or transform any input.
+
+
+#### `exclude_lines` [filebeat-input-log-exclude-lines]
+
+A list of regular expressions to match the lines that you want Filebeat to exclude. Filebeat drops any lines that match a regular expression in the list. By default, no lines are dropped. Empty lines are ignored.
+
+If [multiline](/reference/filebeat/multiline-examples.md#multiline) settings are also specified, each multiline message is combined into a single line before the lines are filtered by `exclude_lines`.
+
+The following example configures Filebeat to drop any lines that start with `DBG`.
+
+```yaml
+filebeat.inputs:
+- type: log
+  ...
+  exclude_lines: ['^DBG']
+```
+
+See [Regular expression support](/reference/filebeat/regexp-support.md) for a list of supported regexp patterns.
+
+
+#### `include_lines` [filebeat-input-log-include-lines]
+
+A list of regular expressions to match the lines that you want Filebeat to include. Filebeat exports only the lines that match a regular expression in the list. By default, all lines are exported. Empty lines are ignored.
+
+If [multiline](/reference/filebeat/multiline-examples.md#multiline) settings also specified, each multiline message is combined into a single line before the lines are filtered by `include_lines`.
+
+The following example configures Filebeat to export any lines that start with `ERR` or `WARN`:
+
+```yaml
+filebeat.inputs:
+- type: log
+  ...
+  include_lines: ['^ERR', '^WARN']
+```
+
+::::{note}
+If both `include_lines` and `exclude_lines` are defined, Filebeat executes `include_lines` first and then executes `exclude_lines`. The order in which the two options are defined doesn’t matter. The `include_lines` option will always be executed before the `exclude_lines` option, even if `exclude_lines` appears before `include_lines` in the config file.
+::::
+
+
+The following example exports all log lines that contain `sometext`, except for lines that begin with `DBG` (debug messages):
+
+```yaml
+filebeat.inputs:
+- type: log
+  ...
+  include_lines: ['sometext']
+  exclude_lines: ['^DBG']
+```
+
+See [Regular expression support](/reference/filebeat/regexp-support.md) for a list of supported regexp patterns.
+
+
+#### `harvester_buffer_size` [_harvester_buffer_size_2]
+
+The size in bytes of the buffer that each harvester uses when fetching a file. The default is 16384.
+
+
+#### `max_bytes` [_max_bytes_2]
+
+The maximum number of bytes that a single log message can have. All bytes after `max_bytes` are discarded and not sent. This setting is especially useful for multiline log messages, which can get large. The default is 10MB (10485760).
+
+
+#### `json` [filebeat-input-log-config-json]
+
+These options make it possible for Filebeat to decode logs structured as JSON messages. Filebeat processes the logs line by line, so the JSON decoding only works if there is one JSON object per line.
+
+The decoding happens before line filtering and multiline. You can combine JSON decoding with filtering and multiline if you set the `message_key` option. This can be helpful in situations where the application logs are wrapped in JSON objects, as with like it happens for example with Docker.
+
+Example configuration:
+
+```yaml
+json.keys_under_root: true
+json.add_error_key: true
+json.message_key: log
+```
+
+You must specify at least one of the following settings to enable JSON parsing mode:
+
+**`keys_under_root`**
+:   By default, the decoded JSON is placed under a "json" key in the output document. If you enable this setting, the keys are copied top level in the output document. The default is false.
+
+**`overwrite_keys`**
+:   If `keys_under_root` and this setting are enabled, then the values from the decoded JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) in case of conflicts.
+
+**`expand_keys`**
+:   If this setting is enabled, Filebeat will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`. This setting should be enabled when the input is produced by an [ECS logger](https://github.com/elastic/ecs-logging).
+
+**`add_error_key`**
+:   If this setting is enabled, Filebeat adds a "error.message" and "error.type: json" key in case of JSON unmarshalling errors or when a `message_key` is defined in the configuration but cannot be used.
+
+**`message_key`**
+:   An optional configuration setting that specifies a JSON key on which to apply the line filtering and multiline settings. If specified the key must be at the top level in the JSON object and the value associated with the key must be a string, otherwise no filtering or multiline aggregation will occur.
+
+**`document_id`**
+:   Option configuration setting that specifies the JSON key to set the document id. If configured, the field will be removed from the original json document and stored in `@metadata._id`
+
+**`ignore_decoding_error`**
+:   An optional configuration setting that specifies if JSON decoding errors should be logged or not. If set to true, errors will not be logged. The default is false.
+
+
+#### `multiline` [_multiline_6]
+
+Options that control how Filebeat deals with log messages that span multiple lines. See [Multiline messages](/reference/filebeat/multiline-examples.md) for more information about configuring multiline options.
+
+
+#### `exclude_files` [filebeat-input-log-exclude-files]
+
+A list of regular expressions to match the files that you want Filebeat to ignore. By default no files are excluded.
+
+The following example configures Filebeat to ignore all the files that have a `gz` extension:
+
+```yaml
+filebeat.inputs:
+- type: log
+  ...
+  exclude_files: ['\.gz$']
+```
+
+See [Regular expression support](/reference/filebeat/regexp-support.md) for a list of supported regexp patterns.
+
+
+#### `ignore_older` [filebeat-input-log-ignore-older]
+
+If this option is enabled, Filebeat ignores any files that were modified before the specified timespan. Configuring `ignore_older` can be especially useful if you keep log files for a long time. For example, if you want to start Filebeat, but only want to send the newest files and files from last week, you can configure this option.
+
+You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is 0, which disables the setting. Commenting out the config has the same effect as setting it to 0.
+
+::::{important}
+You must set `ignore_older` to be greater than `close_inactive`.
+::::
+
+
+The files affected by this setting fall into two categories:
+
+* Files that were never harvested
+* Files that were harvested but weren’t updated for longer than `ignore_older`
+
+For files which were never seen before, the offset state is set to the end of the file. If a state already exist, the offset is not changed. In case a file is updated again later, reading continues at the set offset position.
+
+The `ignore_older` setting relies on the modification time of the file to determine if a file is ignored. If the modification time of the file is not updated when lines are written to a file (which can happen on Windows), the `ignore_older` setting may cause Filebeat to ignore files even though content was added at a later time.
+
+To remove the state of previously harvested files from the registry file, use the `clean_inactive` configuration option.
+
+Before a file can be ignored by Filebeat, the file must be closed. To ensure a file is no longer being harvested when it is ignored, you must set `ignore_older` to a longer duration than `close_inactive`.
+
+If a file that’s currently being harvested falls under `ignore_older`, the harvester will first finish reading the file and close it after `close_inactive` is reached. Then, after that, the file will be ignored.
+
+
+#### `close_*` [filebeat-input-log-close-options]
+
+The `close_*` configuration options are used to close the harvester after a certain criteria or time. Closing the harvester means closing the file handler. If a file is updated after the harvester is closed, the file will be picked up again after `scan_frequency` has elapsed. However, if the file is moved or deleted while the harvester is closed, Filebeat will not be able to pick up the file again, and any data that the harvester hasn’t read will be lost. The `close_*` settings are applied synchronously when Filebeat attempts to read from a file, meaning that if Filebeat is in a blocked state due to blocked output, full queue or other issue, a file that would otherwise be closed remains open until Filebeat once again attempts to read from the file.
+
+
+#### `close_inactive` [filebeat-input-log-close-inactive]
+
+When this option is enabled, Filebeat closes the file handle if a file has not been harvested for the specified duration. The counter for the defined period starts when the last log line was read by the harvester. It is not based on the modification time of the file. If the closed file changes again, a new harvester is started and the latest changes will be picked up after `scan_frequency` has elapsed.
+
+We recommended that you set `close_inactive` to a value that is larger than the least frequent updates to your log files. For example, if your log files get updated every few seconds, you can safely set `close_inactive` to `1m`. If there are log files with very different update rates, you can use multiple configurations with different values.
+
+Setting `close_inactive` to a lower value means that file handles are closed sooner. However this has the side effect that new log lines are not sent in near real time if the harvester is closed.
+
+The timestamp for closing a file does not depend on the modification time of the file. Instead, Filebeat uses an internal timestamp that reflects when the file was last harvested. For example, if `close_inactive` is set to 5 minutes, the countdown for the 5 minutes starts after the harvester reads the last line of the file.
+
+You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is 5m.
+
+
+#### `close_renamed` [filebeat-input-log-close-renamed]
+
+::::{warning}
+Only use this option if you understand that data loss is a potential side effect.
+::::
+
+
+When this option is enabled, Filebeat closes the file handler when a file is renamed. This happens, for example, when rotating files. By default, the harvester stays open and keeps reading the file because the file handler does not depend on the file name. If the `close_renamed` option is enabled and the file is renamed or moved in such a way that it’s no longer matched by the file patterns specified for the path, the file will not be picked up again. Filebeat will not finish reading the file.
+
+Do not use this option when `path` based `file_identity` is configured. It does not make sense to enable the option, as Filebeat cannot detect renames using path names as unique identifiers.
+
+WINDOWS: If your Windows log rotation system shows errors because it can’t rotate the files, you should enable this option.
+
+
+#### `close_removed` [filebeat-input-log-close-removed]
+
+When this option is enabled, Filebeat closes the harvester when a file is removed. Normally a file should only be removed after it’s inactive for the duration specified by `close_inactive`. However, if a file is removed early and you don’t enable `close_removed`, Filebeat keeps the file open to make sure the harvester has completed. If this setting results in files that are not completely read because they are removed from disk too early, disable this option.
+
+This option is enabled by default. If you disable this option, you must also disable `clean_removed`.
+
+WINDOWS: If your Windows log rotation system shows errors because it can’t rotate files, make sure this option is enabled.
+
+
+#### `close_eof` [filebeat-input-log-close-eof]
+
+::::{warning}
+Only use this option if you understand that data loss is a potential side effect.
+::::
+
+
+When this option is enabled, Filebeat closes a file as soon as the end of a file is reached. This is useful when your files are only written once and not updated from time to time. For example, this happens when you are writing every single log event to a new file. This option is disabled by default.
+
+
+#### `close_timeout` [filebeat-input-log-close-timeout]
+
+::::{warning}
+Only use this option if you understand that data loss is a potential side effect. Another side effect is that multiline events might not be completely sent before the timeout expires.
+::::
+
+
+When this option is enabled, Filebeat gives every harvester a predefined lifetime. Regardless of where the reader is in the file, reading will stop after the `close_timeout` period has elapsed. This option can be useful for older log files when you want to spend only a predefined amount of time on the files. While `close_timeout` will close the file after the predefined timeout, if the file is still being updated, Filebeat will start a new harvester again per the defined `scan_frequency`. And the close_timeout for this harvester will start again with the countdown for the timeout.
+
+This option is particularly useful in case the output is blocked, which makes Filebeat keep open file handlers even for files that were deleted from the disk. Setting `close_timeout` to `5m` ensures that the files are periodically closed so they can be freed up by the operating system.
+
+If you set `close_timeout` to equal `ignore_older`, the file will not be picked up if it’s modified while the harvester is closed. This combination of settings normally leads to data loss, and the complete file is not sent.
+
+When you use `close_timeout` for logs that contain multiline events, the harvester might stop in the middle of a multiline event, which means that only parts of the event will be sent. If the harvester is started again and the file still exists, only the second part of the event will be sent.
+
+This option is set to 0 by default which means it is disabled.
+
+
+#### `clean_*` [filebeat-input-log-clean-options]
+
+The `clean_*` options are used to clean up the state entries in the registry file. These settings help to reduce the size of the registry file and can prevent a potential [inode reuse issue](/reference/filebeat/inode-reuse-issue.md).
+
+
+#### `clean_inactive` [filebeat-input-log-clean-inactive]
+
+::::{warning}
+Only use this option if you understand that data loss is a potential side effect.
+::::
+
+
+When this option is enabled, Filebeat removes the state of a file after the specified period of inactivity has elapsed. The  state can only be removed if the file is already ignored by Filebeat (the file is older than `ignore_older`). The `clean_inactive` setting must be greater than `ignore_older + scan_frequency` to make sure that no states are removed while a file is still being harvested. Otherwise, the setting could result in Filebeat resending the full content constantly because  `clean_inactive` removes state for files that are still detected by Filebeat. If a file is updated or appears again, the file is read from the beginning.
+
+The `clean_inactive` configuration option is useful to reduce the size of the registry file, especially if a large amount of new files are generated every day.
+
+This config option is also useful to prevent Filebeat problems resulting from inode reuse on Linux. For more information, see [Inode reuse causes Filebeat to skip lines](/reference/filebeat/inode-reuse-issue.md).
+
+::::{note}
+Every time a file is renamed, the file state is updated and the counter for `clean_inactive` starts at 0 again.
+::::
+
+
+::::{tip}
+During testing, you might notice that the registry contains state entries that should be removed based on the `clean_inactive` setting. This happens because Filebeat doesn’t remove the entries until it opens the registry again to read a different file. If you are testing the `clean_inactive` setting, make sure Filebeat is configured to read from more than one file, or the file state will never be removed from the registry.
+::::
+
+
+
+#### `clean_removed` [filebeat-input-log-clean-removed]
+
+When this option is enabled, Filebeat cleans files from the registry if they cannot be found on disk anymore under the last known name. This means also files which were renamed after the harvester was finished will be removed. This option is enabled by default.
+
+If a shared drive disappears for a short period and appears again, all files will be read again from the beginning because the states were removed from the registry file. In such cases, we recommend that you disable the `clean_removed` option.
+
+You must disable this option if you also disable `close_removed`.
+
+
+#### `scan_frequency` [filebeat-input-log-scan-frequency]
+
+How often Filebeat checks for new files in the paths that are specified for harvesting. For example, if you specify a glob like `/var/log/*`, the directory is scanned for files using the frequency specified by `scan_frequency`. Specify 1s to scan the directory as frequently as possible without causing Filebeat to scan too frequently. We do not recommend to set this value `<1s`.
+
+If you require log lines to be sent in near real time do not use a very low `scan_frequency` but adjust `close_inactive` so the file handler stays open and constantly polls your files.
+
+The default setting is 10s.
+
+
+#### `scan.sort` [filebeat-input-log-scan-sort]
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+If you specify a value other than the empty string for this setting you can determine whether to use ascending or descending order using `scan.order`. Possible values are `modtime` and `filename`. To sort by file modification time, use `modtime`, otherwise use `filename`. Leave this option empty to disable it.
+
+If you specify a value for this setting, you can use `scan.order` to configure whether files are scanned in ascending or descending order.
+
+The default setting is disabled.
+
+
+#### `scan.order` [filebeat-input-log-scan-order]
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+Specifies whether to use ascending or descending order when `scan.sort` is set to a value other than none. Possible values are `asc` or `desc`.
+
+The default setting is `asc`.
+
+
+#### `tail_files` [_tail_files_2]
+
+If this option is set to true, Filebeat starts reading new files at the end of each file instead of the beginning. When this option is used in combination with log rotation, it’s possible that the first log entries in a new file might be skipped. The default setting is false.
+
+This option applies to files that Filebeat has not already processed. If you ran Filebeat previously and the state of the file was already persisted, `tail_files` will not apply. Harvesting will continue at the previous offset. To apply `tail_files` to all files, you must stop Filebeat and remove the registry file. Be aware that doing this removes ALL previous states.
+
+::::{note}
+You can use this setting to avoid indexing old log lines when you run Filebeat on a set of log files for the first time. After the first run, we recommend disabling this option, or you risk losing lines during file rotation.
+::::
+
+
+
+#### `symlinks` [_symlinks_2]
+
+The `symlinks` option allows Filebeat to harvest symlinks in addition to regular files. When harvesting symlinks, Filebeat opens and reads the original file even though it reports the path of the symlink.
+
+When you configure a symlink for harvesting, make sure the original path is excluded. If a single input is configured to harvest both the symlink and the original file, Filebeat will detect the problem and only process the first file it finds. However, if two different inputs are configured (one to read the symlink and the other the original path), both paths will be harvested, causing Filebeat to send duplicate data and the inputs to overwrite each other’s state.
+
+The `symlinks` option can be useful if symlinks to the log files have additional metadata in the file name, and you want to process the metadata in Logstash. This is, for example, the case for Kubernetes log files.
+
+Because this option may lead to data loss, it is disabled by default.
+
+
+#### `backoff` [_backoff_3]
+
+The backoff options specify how aggressively Filebeat crawls open files for updates. You can use the default values in most cases.
+
+The `backoff` option defines how long Filebeat waits before checking a file again after EOF is reached. The default is 1s, which means the file is checked every second if new lines were added. This enables near real-time crawling. Every time a new line appears in the file, the `backoff` value is reset to the initial value. The default is 1s.
+
+
+#### `max_backoff` [_max_backoff_2]
+
+The maximum time for Filebeat to wait before checking a file again after EOF is reached. After having backed off multiple times from checking the file, the wait time will never exceed `max_backoff` regardless of what is specified for  `backoff_factor`. Because it takes a maximum of 10s to read a new line, specifying 10s for `max_backoff` means that, at the worst, a new line could be added to the log file if Filebeat has backed off multiple times. The default is 10s.
+
+Requirement: Set `max_backoff` to be greater than or equal to `backoff` and less than or equal to `scan_frequency` (`backoff <= max_backoff <= scan_frequency`). If `max_backoff` needs to be higher, it is recommended to close the file handler instead and let Filebeat pick up the file again.
+
+
+#### `backoff_factor` [_backoff_factor_2]
+
+This option specifies how fast the waiting time is increased. The bigger the backoff factor, the faster the `max_backoff` value is reached. The backoff factor increments exponentially. The minimum value allowed is 1. If this value is set to 1, the backoff algorithm is disabled, and the `backoff` value is used for waiting for new lines. The `backoff` value will be multiplied each time with the `backoff_factor` until `max_backoff` is reached. The default is 2.
+
+
+#### `harvester_limit` [filebeat-input-log-harvester-limit]
+
+The `harvester_limit` option limits the number of harvesters that are started in parallel for one input. This directly relates to the maximum number of file handlers that are opened. The default for `harvester_limit` is 0, which means there is no limit. This configuration is useful if the number of files to be harvested exceeds the open file handler limit of the operating system.
+
+Setting a limit on the number of harvesters means that potentially not all files are opened in parallel. Therefore we recommended that you use this option in combination with the `close_*` options to make sure harvesters are stopped more often so that new files can be picked up.
+
+Currently if a new harvester can be started again, the harvester is picked randomly. This means it’s possible that the harvester for a file that was just closed and then updated again might be started instead of the harvester for a file that hasn’t been harvested for a longer period of time.
+
+This configuration option applies per input. You can use this option to indirectly set higher priorities on certain inputs by assigning a higher limit of harvesters.
+
+
+#### `file_identity` [_file_identity_2]
+
+Different `file_identity` methods can be configured to suit the environment where you are collecting log messages.
+
+**`native`**
+:   The default behaviour of Filebeat is to differentiate between files using their inodes and device ids.
+
+```yaml
+file_identity.native: ~
+```
+
+**`path`**
+:   To identify files based on their paths use this strategy.
+
+::::{warning}
+Only use this strategy if your log files are rotated to a folder outside of the scope of your input or not at all. Otherwise you end up with duplicated events.
+::::
+
+
+::::{warning}
+This strategy does not support renaming files. If an input file is renamed, Filebeat will read it again if the new path matches the settings of the input.
+::::
+
+
+```yaml
+file_identity.path: ~
+```
+
+**`inode_marker`**
+:   If the device id changes from time to time, you must use this method to distinguish files. This option is not supported on Windows.
+
+Set the location of the marker file the following way:
+
+```yaml
+file_identity.inode_marker.path: /logs/.filebeat-marker
+```
+
+
+## Common options [filebeat-input-log-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_16]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_16]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: log
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-log-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: log
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-log]
+
+If this option is set to true, the custom [fields](#filebeat-input-log-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_16]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_16]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_16]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_16]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_16]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-mqtt.md b/docs/reference/filebeat/filebeat-input-mqtt.md
new file mode 100644
index 000000000000..87035fa63e28
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-mqtt.md
@@ -0,0 +1,169 @@
+---
+navigation_title: "MQTT"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-mqtt.html
+---
+
+# MQTT input [filebeat-input-mqtt]
+
+
+Use the `MQTT` input to read data transmitted using lightweight messaging protocol for small and mobile devices, optimized for high-latency or unreliable networks.
+
+This input connects to the MQTT broker, subscribes to selected topics and parses data into common message lines. Everything happens before line filtering, multiline, and JSON decoding, so this input can be used in combination with those settings.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: mqtt
+  hosts: <1>
+    - tcp://broker:1883
+    - ssl://secure_broker:8883
+  topics: <2>
+    - sample_topic
+```
+
+1. `hosts` are required.
+2. `topics` are required.
+
+
+All other settings are optional.
+
+## Configuration options [_configuration_options_12]
+
+The `mqtt` input supports the following configuration options plus the [Common options](#filebeat-input-mqtt-common-options) described later.
+
+### `hosts` [_hosts]
+
+A list of MQTT brokers to connect to.
+
+
+### `topics` [_topics]
+
+A list of topics to subscribe to and read from.
+
+
+### `qos` [_qos]
+
+An agreement level between the sender of a message and the receiver of a message that defines the guarantee of delivery.
+
+There are 3 QoS levels in MQTT. Defaults to `0`:
+
+* At most once (`0`),
+* At least once (`1`),
+* Exactly once (`2`).
+
+
+### `client_id` [_client_id_4]
+
+A unique identifier of each MQTT client connecting to a MQTT broker.
+
+
+### `username` [_username_2]
+
+A client username used for authentication provided on the application level by the MQTT protocol.
+
+
+### `password` [_password_2]
+
+A client password used for authentication provided on the application level by the MQTT protocol.
+
+
+### `clean_session` [_clean_session]
+
+The `clean_session` flag indicates whether the client wants to establish a persistent session with the broker. The default is `true`.
+
+When `clean_session` is set to false, the session is considered to be persistent. The broker stores all subscriptions for the client and all missed messages for the client that subscribed with a Quality of Service (QoS) level 1 or 2.
+
+In contrast, when `clean_session` is set to true, the broker doesn’t retain any information for the client and discards any previous state from any persistent session.
+
+
+### `ssl` [_ssl_2]
+
+Configuration options for SSL parameters like the certificate, key and the certificate authorities to use.
+
+See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+
+
+
+## Common options [filebeat-input-mqtt-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_17]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_17]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: mqtt
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-mqtt-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: mqtt
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-mqtt]
+
+If this option is set to true, the custom [fields](#filebeat-input-mqtt-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_17]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_17]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_17]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_17]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_17]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-netflow.md b/docs/reference/filebeat/filebeat-input-netflow.md
new file mode 100644
index 000000000000..93b8a3531a62
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-netflow.md
@@ -0,0 +1,244 @@
+---
+navigation_title: "NetFlow"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-netflow.html
+---
+
+# NetFlow input [filebeat-input-netflow]
+
+
+Use the `netflow` input to read NetFlow and IPFIX exported flows and options records over UDP.
+
+This input supports NetFlow versions 1, 5, 6, 7, 8 and 9, as well as IPFIX. For NetFlow versions older than 9, fields are mapped automatically to NetFlow v9.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: netflow
+  max_message_size: 10KiB
+  host: "0.0.0.0:2055"
+  protocols: [ v5, v9, ipfix ]
+  expiration_timeout: 30m
+  queue_size: 8192
+  custom_definitions:
+  - path/to/fields.yml
+  detect_sequence_reset: true
+```
+
+## Configuration options [_configuration_options_13]
+
+The `netflow` input supports the following configuration options plus the [Common options](#filebeat-input-netflow-common-options) described later.
+
+
+### `max_message_size` [filebeat-input-netflow-udp-max-message-size]
+
+The maximum size of the message received over UDP. The default is `10KiB`.
+
+
+### `host` [filebeat-input-netflow-udp-host]
+
+The host and UDP port to listen on for event streams.
+
+
+### `network` [filebeat-input-netflow-udp-network]
+
+The network type. Acceptable values are: "udp" (default), "udp4", "udp6"
+
+
+### `read_buffer` [filebeat-input-netflow-udp-read-buffer]
+
+The size of the read buffer on the UDP socket. If not specified the default from the operating system will be used.
+
+
+### `timeout` [filebeat-input-netflow-udp-timeout]
+
+The read and write timeout for socket operations. The default is `5m`.
+
+
+### `protocols` [protocols]
+
+List of enabled protocols. Valid values are `v1`, `v5`, `v6`, `v7`, `v8`, `v9` and `ipfix`.
+
+
+### `expiration_timeout` [expiration_timeout]
+
+The time before an idle session or unused template is expired. Only applicable to v9 and IPFIX protocols. A value of zero disables expiration.
+
+
+### `share_templates` [share_templates]
+
+This option allows v9 and ipfix templates to be shared within a session without reference to the origin of the template.
+
+Note that setting this to true is not recommended as it can result in the wrong template being applied under certain conditions, but it may be required for some systems.
+
+
+### `queue_size` [queue_size]
+
+The maximum number of packets that can be queued for processing. Use this setting to avoid packet-loss when dealing with occasional bursts of traffic.
+
+
+### `workers` [workers]
+
+The number of workers to read and decode concurrently netflow packets. Default is `1`. Note that in order to maximize the performance gains of multiple workers it is advised to switch the output to `throughput` preset ([link](/reference/filebeat/elasticsearch-output.md#_preset)).
+
+
+### `custom_definitions` [custom_definitions]
+
+A list of paths to field definitions YAML files. These allow to update the NetFlow/IPFIX fields with vendor extensions and to override existing fields.
+
+The expected format is the same as used by Logstash’s NetFlow codec [ipfix_definitions](logstash://reference/plugins-codecs-netflow.md#plugins-codecs-netflow-ipfix_definitions) and [netflow_definitions](logstash://reference/plugins-codecs-netflow.md#plugins-codecs-netflow-netflow_definitions). Filebeat will detect which of the two formats is used.
+
+NetFlow format example:
+
+```yaml
+id:
+- default length in bytes
+- :name
+id:
+- :uintN or :intN: or :ip4_addr or :ip6_addr or :mac_addr or :string
+- :name
+id:
+- :skip
+```
+
+Where `id` is the numeric field ID.
+
+The IPFIX format similar, but grouped by Private Enterprise Number (PEN):
+
+```yaml
+pen1:
+  id:
+  - :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
+  - :name
+  id:
+  - :skip
+pen2:
+  id:
+  - :octetarray
+  - :name
+```
+
+Note that fields are shared between NetFlow V9 and IPFIX. Changes to IPFIX PEN zero are equivalent to changes to NetFlow fields.
+
+::::{warning}
+Overriding the names and/or types of standard fields can prevent mapping of ECS fields to function properly.
+::::
+
+
+
+### `detect_sequence_reset` [detect_sequence_reset]
+
+Flag controlling whether Filebeat should monitor sequence numbers in the Netflow packets to detect an Exporting Process reset. When this condition is detected, record templates for the given exporter will be dropped. This will cause flow loss until the exporter provides new templates. If set to `false`, Filebeat will ignore sequence numbers, which can cause some invalid flows if the exporter process is reset. This option is only applicable to Netflow V9 and IPFIX. Default is `true`.
+
+
+### `internal_networks` [internal_networks]
+
+A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the values of `source.locality`, `destination.locality`, and `flow.locality`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+## Common options [filebeat-input-netflow-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_18]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_18]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: netflow
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-netflow-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: netflow
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-netflow]
+
+If this option is set to true, the custom [fields](#filebeat-input-netflow-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_18]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_18]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_18]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_18]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_18]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
+## Metrics [_metrics_13]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs/` path. They can be used to observe the activity of the input.
+
+You must assign a unique `id` to the input to expose metrics.
+
+| Metric | Description |
+| --- | --- |
+| `device` | Host/port of the UDP stream. |
+| `udp_read_buffer_length_gauge` | Size of the UDP socket buffer length in bytes (gauge). |
+| `received_events_total` | Total number of packets (events) that have been received. |
+| `received_bytes_total` | Total number of bytes received. |
+| `receive_queue_length` | Aggregated size of the system receive queues (IPv4 and IPv6) (linux only) (gauge). |
+| `system_packet_drops` | Aggregated number of system packet drops (IPv4 and IPv6) (linux only) (gauge). |
+| `arrival_period` | Histogram of the time between successive packets in nanoseconds. |
+| `processing_time` | Histogram of the time taken to process packets in nanoseconds. |
+| `discarded_events_total` | Total number of discarded events. |
+| `decode_errors_total` | Total number of errors at decoding a packet. |
+| `flows_total` | Total number of received flows. |
+| `open_connections` | Number of current active netflow sessions. |
+
+Histogram metrics are aggregated over the previous 1024 events.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-o365audit.md b/docs/reference/filebeat/filebeat-input-o365audit.md
new file mode 100644
index 000000000000..7796867996bd
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-o365audit.md
@@ -0,0 +1,211 @@
+---
+navigation_title: "Office 365 Management Activity API"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-o365audit.html
+---
+
+# Office 365 Management Activity API input [filebeat-input-o365audit]
+
+[8.14.0]
+
+The o365audit input is deprecated. For collecting Microsoft Office 365 log data, please use the [Microsoft 365](integration-docs://reference/o365.md) integration package. For more complex or user-specific use cases, similar functionality can be achieved using the [`CEL input`](/reference/filebeat/filebeat-input-cel.md) .
+
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Use the `o365audit` input to retrieve audit messages from Office 365 and Azure AD activity logs. These are the same logs that are available under *Audit* *log* *search* in the *Security* *and* *Compliance* center.
+
+A single input instance can be used to fetch events for multiple tenants as long as a single application is configured to access all tenants. Certificate-based authentication is recommended in this scenario.
+
+This input doesn’t perform any transformation on the incoming messages, notably no [Elastic Common Schema fields](ecs://reference/index.md) are populated, and some data is encoded as arrays of objects, which are difficult to query in Elasticsearch. You probably want to use the [Office 365 module](/reference/filebeat/filebeat-module-o365.md) instead.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: o365audit
+  application_id: my-application-id
+  tenant_id: my-tenant-id
+  client_secret: my-client-secret
+```
+
+Multi-tenancy and certificate-based authentication is also supported:
+
+```yaml
+filebeat.inputs:
+- type: o365audit
+  application_id: my-application-id
+  tenant_id:
+    - tenant-id-A
+    - tenant-id-B
+    - tenant-id-C
+  certificate: /path/to/cert.pem
+  key: /path/to/private.pem
+  # key_passphrase: "my key's password"
+```
+
+## Configuration options [_configuration_options_14]
+
+The `o365audit` input supports the following configuration options plus the [Common options](#filebeat-input-o365audit-common-options) described later.
+
+
+#### `application_id` [_application_id]
+
+The Application ID (also known as Client ID) of the Azure application to authenticate as.
+
+
+#### `tenant_id` [_tenant_id_2]
+
+The tenant ID (also known as Directory ID) whose data is to be fetched. It’s also possible to specify a list of tenants IDs to fetch data from more than one tenant.
+
+
+#### `content_type` [_content_type_2]
+
+List of content types to fetch. The default is to fetch all known content types:
+
+* Audit.AzureActiveDirectory
+* Audit.Exchange
+* Audit.SharePoint
+* Audit.General
+* DLP.All
+
+
+#### `client_secret` [_client_secret_2]
+
+The client secret used for authentication.
+
+
+#### `certificate` [_certificate]
+
+Path to the public certificate file used for certificate-based authentication.
+
+
+#### `key` [_key]
+
+Path to the certificate’s private key file for certificate-based authentication.
+
+
+#### `key_passphrase` [_key_passphrase]
+
+Passphrase used to decrypt the private key.
+
+
+#### `api.authentication_endpoint` [_api_authentication_endpoint]
+
+The authentication endpoint used to authorize the Azure app. This is `https://login.microsoftonline.com/` by default, and can be changed to access alternative endpoints.
+
+### `api.resource` [_api_resource]
+
+The API resource to retrieve information from. This is `https://manage.office.com` by default, and can be changed to access alternative endpoints.
+
+
+### `api.max_retention` [_api_max_retention]
+
+The maximum data retention period to support. `168h` by default. Filebeat will fetch all retained data for a tenant when run for the first time.
+
+
+### `api.poll_interval` [_api_poll_interval]
+
+The interval to wait before polling the API server for new events. Default `3m`.
+
+
+### `api.max_requests_per_minute` [_api_max_requests_per_minute]
+
+The maximum number of requests to perform per minute, for each tenant. The default is `2000`, as this is the server-side limit per tenant.
+
+
+### `api.max_query_size` [_api_max_query_size]
+
+The maximum time window that API allows in a single query. Defaults to `24h` to match Microsoft’s documented limit.
+
+
+### `api.preserve_original_event` [_api_preserve_original_event]
+
+Controls whether the original o365 audit object will be kept in `event.original` or not. Defaults to `false`.
+
+
+
+## Common options [filebeat-input-o365audit-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_19]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_19]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: o365audit
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-o365audit-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: o365audit
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-o365audit]
+
+If this option is set to true, the custom [fields](#filebeat-input-o365audit-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_19]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_19]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_19]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_19]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_19]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-redis.md b/docs/reference/filebeat/filebeat-input-redis.md
new file mode 100644
index 000000000000..d7cae276025a
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-redis.md
@@ -0,0 +1,160 @@
+---
+navigation_title: "Redis"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-redis.html
+---
+
+# Redis input [filebeat-input-redis]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+Use the `redis` input to read entries from Redis slowlogs.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: redis
+  hosts: ["localhost:6379"]
+  password: "${redis_pwd}"
+```
+
+## Configuration options [_configuration_options_15]
+
+The `redis` input supports the following configuration options plus the [Common options](#filebeat-input-redis-common-options) described later.
+
+
+#### `hosts` [redis-hosts]
+
+The list of Redis hosts to connect to.
+
+
+#### `password` [redis-password]
+
+The password to use when connecting to Redis.
+
+
+#### `username` [redis-username]
+
+The username to use when connecting to Redis.
+
+
+#### `scan_frequency` [redis-scan_frequency]
+
+How often Filebeat reads entries from Redis slowlogs. Specify `1s` to scan Redis as frequently as possible without causing Filebeat to scan too frequently. Do not set this value to less than `1s`.
+
+The default is `10s`.
+
+::::{important}
+Redis slowlogs are not permanent. To ensure that all slowlog entries are collected, set `scan_frequency` to a value that allows Filebeat sufficient time to connect to Redis, query the logs, and buffer them to the output within the specified interval.
+::::
+
+
+
+#### `timeout` [redis-timeout]
+
+How long to wait for a response from Redis before the input returns an error. The default is `1s`.
+
+
+#### `network` [redis-network]
+
+The network type to use for the Redis connection. Valid settings include: `tcp`, `tcp4`, `tcp6`, and `unix`. The default is `tcp`.
+
+
+#### `maxconn` [redis-maxconn]
+
+The maximum number of concurrent connections. The default is `10`.
+
+
+## Common options [filebeat-input-redis-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_20]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_20]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: redis
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-redis-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: redis
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-redis]
+
+If this option is set to true, the custom [fields](#filebeat-input-redis-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_20]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_20]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_20]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_20]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_20]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
+#### `ssl` [redis-ssl]
+
+Configuration options for SSL parameters like the certificate, key and the certificate authorities to use.
+
+See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-salesforce.md b/docs/reference/filebeat/filebeat-input-salesforce.md
new file mode 100644
index 000000000000..70ff6c5c0525
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-salesforce.md
@@ -0,0 +1,420 @@
+---
+navigation_title: "Salesforce"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-salesforce.html
+---
+
+# Salesforce input [filebeat-input-salesforce]
+
+
+Use the `salesforce` input to monitor Salesforce events either via the [Salesforce EventLogFile (ELF) API](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile.htm) or the [Salesforce Real-time event monitoring API](https://developer.salesforce.com/blogs/2020/05/introduction-to-real-time-event-monitoring). Both use REST API (to execute SOQL queries in the Salesforce instance) under the hood to query the relevant objects to fetch the events.
+
+The Salesforce input maintains cursor states between requests to track the last event retrieved in each execution. These cursor states are passed to the next event monitoring execution to resume fetching events from the last known position. The cursor states allow the input to pick up where it left off and provide control over the behavior of the input.
+
+Here are some supported authentication methods and event monitoring methods:
+
+* Authentication methods
+
+    * OAuth2
+
+        * User-Password flow
+        * JWT Bearer flow
+
+* Event monitoring methods
+
+    * EventLogFile (ELF) using REST API
+    * REST API for objects (For monitoring real-time events)
+
+
+Here are some key points about how cursors are used in the Salesforce input:
+
+* Separate cursor states are maintained for each configured event monitoring method (`event_log_file` and `object`).
+* The cursor state stores the unique identifier of the last event retrieved, based on the `cursor.field` specified in the configuration.
+* On the first run, the `query.default` is used to fetch an initial set of events.
+* On subsequent runs, the `query.value` template is populated with the cursor state to fetch events since the last execution.
+* If the input is restarted, it will resume from the last persisted cursor state rather than starting over from scratch.
+
+Using cursors allows the Salesforce input to reliably keep track of its progress and avoid missing or duplicating events across executions. The cursor field should be chosen carefully to have a monotonically increasing value for each new event.
+
+Event Monitoring methods are highly configurable and can be used to monitor any supported object or event log file. The input can be configured to monitor multiple objects or event log files at the same time.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+  - type: salesforce
+    enabled: true
+    version: 56
+    auth.oauth2:
+      user_password_flow:
+        enabled: true
+        client.id: client-id
+        client.secret: client-secret
+        token_url: https://instance-id.develop.my.salesforce.com
+        username: salesforce-instance@user.in
+        password: salesforce-instance-password
+      jwt_bearer_flow:
+        enabled: true
+        client.id: client-id
+        client.username: salesforce-instance@user.in
+        client.key_path: server_client.key
+        url: https://login.salesforce.com
+    url: https://instance-id.develop.my.salesforce.com
+    event_monitoring_method:
+      event_log_file:
+        enabled: true
+        interval: 1h
+        query:
+          default: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE EventType = 'Login' ORDER BY CreatedDate ASC NULLS FIRST"
+          value: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE EventType = 'Login' AND CreatedDate > [[ .cursor.event_log_file.last_event_time ]] ORDER BY CreatedDate ASC NULLS FIRST"
+        cursor:
+          field: "CreatedDate"
+      object:
+        enabled: true
+        interval: 5m
+        query:
+          default: "SELECT FIELDS(STANDARD) FROM LoginEvent"
+          value: "SELECT FIELDS(STANDARD) FROM LoginEvent WHERE EventDate > [[ .cursor.object.first_event_time ]]"
+        cursor:
+          field: "EventDate"
+```
+
+## Set up the OAuth App in the Salesforce [_set_up_the_oauth_app_in_the_salesforce]
+
+In order to use this integration, users need to create a new Salesforce Application using OAuth. Follow the steps below to create a connected application in Salesforce:
+
+1. Login to [Salesforce](https://login.salesforce.com/) with the same user credentials that the user wants to collect data with.
+2. Click on Setup on the top right menu bar. On the Setup page, search for `App Manager` in the `Search Setup` search box at the top of the page, then select `App Manager`.
+3. Click *New Connected App*.
+4. Provide a name for the connected application. This will be displayed in the App Manager and on its App Launcher tile.
+5. Enter the API name. The default is a version of the name without spaces. Only letters, numbers, and underscores are allowed. If the original app name contains any other characters, edit the default name.
+6. Enter the contact email for Salesforce.
+7. Under the API (Enable OAuth Settings) section of the page, select *Enable OAuth Settings*.
+8. In the Callback URL, enter the Instance URL (Please refer to `Salesforce Instance URL`).
+9. Select the following OAuth scopes to apply to the connected app:
+
+    * Manage user data via APIs (api).
+    * Perform requests at any time (refresh_token, offline_access).
+    * (Optional) In case of data collection, if any permission issues arise, add the Full access (full) scope.
+
+10. Select *Require Secret for the Web Server Flow* to require the app’s client secret in exchange for an access token.
+11. Select *Require Secret for Refresh Token Flow* to require the app’s client secret in the authorization request of a refresh token and hybrid refresh token flow.
+12. Click Save. It may take approximately 10 minutes for the changes to take effect.
+13. Click Continue and then under API details, click Manage Consumer Details. Verify the user account using the Verification Code.
+14. Copy `Consumer Key` and `Consumer Secret` from the Consumer Details section, which should be populated as values for Client ID and Client Secret respectively in the configuration.
+
+For more details on how to create a Connected App, refer to the Salesforce documentation [here](https://help.salesforce.com/apex/HTViewHelpDoc?id=connected_app_create.htm).
+
+::::{note}
+**Enabling real-time events**
+
+To get started with [real-time](https://developer.salesforce.com/blogs/2020/05/introduction-to-real-time-event-monitoring) events, head to setup and into the quick find search for *Event Manager*. Enterprise and Unlimited environments have access to the Logout Event by default, but the remainder of the events need licensing to access [Shield Event Monitoring](https://help.salesforce.com/s/articleView?id=sf.salesforce_shield.htm&type=5).
+
+::::
+
+
+
+## Execution [_execution_2]
+
+The `salesforce` input is a long-running program that retrieves events from a Salesforce instance and sends them to the specified output. The program executes in a loop, fetching events from the Salesforce instance at a preconfigured interval. Each event monitoring method can be configured to run separately and at different intervals. To prevent a sudden spike in memory usage, if multiple event monitoring methods are configured, they are scheduled to run one at a time. Even if the intervals overlap, only one method will be executed randomly, and the other will be executed after the first one completes.
+
+There are two methods to fetch the events from the Salesforce instance:
+
+* `event_log_file`: [EventLogFile](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile.htm) is a standard object in Salesforce and the event monitoring method uses the REST API under the hood to gather the Salesforce org’s operational events from the object. There is a field EventType that helps distinguish between the types of operational events like — Login, Logout, etc. Uses Salesforce’s query language SOQL to query the object.
+* `object`: This method is a general way of retrieving events from a Salesforce instance by using the REST API. It can be used for monitoring [objects](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_list.htm) in real-time. In real-time event monitoring, subscribing to the events is a common practice, but the events are also stored in Salesforce org (if configured), specifically in big object tables that are preconfigured for each event type. With this method, we query the object using Salesforce’s query language ([SOQL](https://developer.salesforce.com/docs/atlas.en-us.soql_sosl.meta/soql_sosl/sforce_api_calls_soql.htm)). The collection happens at the configured scrape `interval`.
+
+::::{note}
+**Salesforce Objects and SOQL Query Field Ordering Limitations**
+
+Each Salesforce Object contains a set of fields, but SOQL queries have restrictions on the fields that can be ordered and the specific ordering method. The Object description on the Salesforce Developers page provides information about these limitations. For instance, the Login Object only allows ordering by the EventDate field in descending order.
+
+When collecting data over time using cursors, the following cursor inputs are available:
+
+* `object.first_event_time`: This cursor input stores the cursor value from the first event encountered during data collection using the object method.
+* `object.last_event_time`: This cursor input stores the cursor value from the last event encountered during data collection using the object method.
+* `event_log_file.first_event_time`: This cursor input stores the cursor value from the first event encountered during data collection using the event log file method.
+* `event_log_file.last_event_time`: This cursor input stores the cursor value from the last event encountered during data collection using the event log file method.
+
+By selecting one of the above cursor inputs, users can collect data from both the object and event log file in the desired order. The cursor configuration can be customized based on the user’s specific requirements.
+
+::::
+
+
+
+## Configuration options [_configuration_options_16]
+
+The `salesforce` input supports the following configuration options plus the [Common options](#filebeat-input-salesforce-common-options) described later.
+
+
+## `enabled` [_enabled_21]
+
+Whether the input is enabled or not. Default: `false`.
+
+
+## `version` [_version_3]
+
+The version of the Salesforce API to use. Minimum supported version is 46.
+
+
+## `auth` [_auth]
+
+The authentication settings for the Salesforce instance.
+
+
+## `auth.oauth2` [_auth_oauth2]
+
+The OAuth2 authentication options for the Salesforce instance.
+
+There are two OAuth2 authentication flows supported:
+
+* `user_password_flow`: User-Password flow
+* `jwt_bearer_flow`: JWT Bearer flow
+
+
+## `auth.oauth2.user_password_flow.enabled` [_auth_oauth2_user_password_flow_enabled]
+
+Whether to use the user-password flow for authentication. Default: `false`.
+
+::::{note}
+Only one authentication flow can be enabled at a time.
+::::
+
+
+
+## `auth.oauth2.user_password_flow.client.id` [_auth_oauth2_user_password_flow_client_id]
+
+The client ID for the user-password flow.
+
+
+## `auth.oauth2.user_password_flow.client.secret` [_auth_oauth2_user_password_flow_client_secret]
+
+The client secret for the user-password flow.
+
+
+## `auth.oauth2.user_password_flow.token_url` [_auth_oauth2_user_password_flow_token_url]
+
+The token URL for the user-password flow.
+
+
+## `auth.oauth2.user_password_flow.username` [_auth_oauth2_user_password_flow_username]
+
+The username for the user-password flow.
+
+
+## `auth.oauth2.user_password_flow.password` [_auth_oauth2_user_password_flow_password]
+
+The password for the user-password flow.
+
+
+## `auth.oauth2.jwt_bearer_flow.enabled` [_auth_oauth2_jwt_bearer_flow_enabled]
+
+Whether to use the JWT bearer flow for authentication. Default: `false`.
+
+::::{note}
+Only one authentication flow can be enabled at a time.
+::::
+
+
+
+## `auth.oauth2.jwt_bearer_flow.client.id` [_auth_oauth2_jwt_bearer_flow_client_id]
+
+The client ID for the JWT bearer flow.
+
+
+## `auth.oauth2.jwt_bearer_flow.client.username` [_auth_oauth2_jwt_bearer_flow_client_username]
+
+The username for the JWT bearer flow.
+
+
+## `auth.oauth2.jwt_bearer_flow.client.key_path` [_auth_oauth2_jwt_bearer_flow_client_key_path]
+
+The path to the private key file for the JWT bearer flow. The file must be PEM encoded PKCS1 or PKCS8 private key and must have the right permissions set to have read access for the user running the program.
+
+
+## `auth.oauth2.jwt_bearer_flow.url` [_auth_oauth2_jwt_bearer_flow_url]
+
+The URL for the JWT bearer flow.
+
+
+## `url` [_url_2]
+
+The URL of the Salesforce instance. Required.
+
+
+## `resource.timeout` [_resource_timeout_2]
+
+Duration before declaring that the HTTP client connection has timed out. Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`. Default: `30s`.
+
+
+## `resource.retry.max_attempts` [_resource_retry_max_attempts_2]
+
+The maximum number of retries for the HTTP client. Default: `5`.
+
+
+## `resource.retry.wait_min` [_resource_retry_wait_min_2]
+
+The minimum time to wait before a retry is attempted. Default: `1s`.
+
+
+## `resource.retry.wait_max` [_resource_retry_wait_max_2]
+
+The maximum time to wait before a retry is attempted. Default: `60s`.
+
+
+## `event_monitoring_method` [_event_monitoring_method]
+
+The event monitoring method to use. There are two event monitoring methods supported:
+
+* `event_log_file`: EventLogFile (ELF) using REST API
+* `object`: Real-time event monitoring using REST API (objects)
+
+
+## `event_monitoring_method.event_log_file` [_event_monitoring_method_event_log_file]
+
+The event monitoring method to use — event_log_file. Uses the EventLogFile API to fetch the events from the Salesforce instance.
+
+
+## `event_monitoring_method.event_log_file.enabled` [_event_monitoring_method_event_log_file_enabled]
+
+Whether to use the EventLogFile API for event monitoring. Default: `false`.
+
+
+## `event_monitoring_method.event_log_file.interval` [_event_monitoring_method_event_log_file_interval]
+
+The interval to collect the events from the Salesforce instance using the EventLogFile API.
+
+
+## `event_monitoring_method.event_log_file.query.default` [_event_monitoring_method_event_log_file_query_default]
+
+The default query to fetch the events from the Salesforce instance using the EventLogFile API.
+
+In case the cursor state is not available, the default query will be used to fetch the events from the Salesforce instance. The default query must be a valid SOQL query. If the SOQL query in `event_monitoring_method.event_log_file.query.value` is not valid, the default query will be used to fetch the events from the Salesforce instance.
+
+
+## `event_monitoring_method.event_log_file.query.value` [_event_monitoring_method_event_log_file_query_value]
+
+The SOQL query to fetch the events from the Salesforce instance using the EventLogFile API but it uses the cursor state to fetch the events from the Salesforce instance. The SOQL query must be a valid SOQL query. If the SOQL query is not valid, the default query will be used to fetch the events from the Salesforce instance.
+
+In case of restarts or subsequent executions, the cursor state will be used to fetch the events from the Salesforce instance. The cursor state is the last event time of the last event fetched from the Salesforce instance. The cursor state is taken from `event_monitoring_method.event_log_file.cursor.field` field for the last event fetched from the Salesforce instance.
+
+
+## `event_monitoring_method.event_log_file.cursor.field` [_event_monitoring_method_event_log_file_cursor_field]
+
+The field to use to fetch the cursor state from the last event fetched from the Salesforce instance. The field must be a valid field in the SOQL query specified in `event_monitoring_method.event_log_file.query.default` and `event_monitoring_method.event_log_file.query.value` i.e., part of the selected fields in the SOQL query.
+
+
+## `event_monitoring_method.object` [_event_monitoring_method_object]
+
+The event monitoring method to use — object. Uses REST API to fetch the events directly from the objects from the Salesforce instance.
+
+
+## `event_monitoring_method.object.enabled` [_event_monitoring_method_object_enabled]
+
+Whether to use the REST API for objects for event monitoring. Default: `false`.
+
+
+## `event_monitoring_method.object.interval` [_event_monitoring_method_object_interval]
+
+The interval to collect the events from the Salesforce instance using the REST API from objects.
+
+
+## `event_monitoring_method.object.query.default` [_event_monitoring_method_object_query_default]
+
+The default SOQL query to fetch the events from the Salesforce instance using the REST API from objects.
+
+In case the cursor state is not available, the default query will be used to fetch the events from the Salesforce instance. The default query must be a valid SOQL query. If the SOQL query in `event_monitoring_method.object.query.value` is not valid, the default query will be used to fetch the events from the Salesforce instance.
+
+
+## `event_monitoring_method.object.query.value` [_event_monitoring_method_object_query_value]
+
+The SOQL query to fetch the events from the Salesforce instance using the REST API from objects but it uses the cursor state to fetch the events from the Salesforce instance. The SOQL query must be a valid SOQL query. If the SOQL query is not valid, the default query will be used to fetch the events from the Salesforce instance.
+
+In case of restarts or subsequent executions, the cursor state will be used to fetch the events from the Salesforce instance. The cursor state is the last event time of the last event fetched from the Salesforce instance. The cursor state is taken from `event_monitoring_method.object.cursor.field` field for the last event fetched from the Salesforce instance.
+
+
+## `event_monitoring_method.object.cursor.field` [_event_monitoring_method_object_cursor_field]
+
+The field to use to fetch the cursor state from the last event fetched from the Salesforce instance. The field must be a valid field in the SOQL query specified in `event_monitoring_method.object.query.default` and `event_monitoring_method.object.query.value` i.e., part of the selected fields in the SOQL query.
+
+
+## Common options [filebeat-input-salesforce-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_22]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_21]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: salesforce
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-salesforce-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: salesforce
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-salesforce]
+
+If this option is set to true, the custom [fields](#filebeat-input-salesforce-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_21]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_21]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_21]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_21]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_21]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-stdin.md b/docs/reference/filebeat/filebeat-input-stdin.md
new file mode 100644
index 000000000000..a096320e92dd
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-stdin.md
@@ -0,0 +1,271 @@
+---
+navigation_title: "Stdin"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-stdin.html
+---
+
+# Stdin input [filebeat-input-stdin]
+
+
+Use the `stdin` input to read events from standard in.
+
+Note: This input cannot be run at the same time with other input types.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: stdin
+```
+
+## Configuration options [stdin-input-options]
+
+The `stdin` input supports the following configuration options plus the [Common options](#filebeat-input-stdin-common-options) described later.
+
+
+#### `encoding` [_encoding_4]
+
+The file encoding to use for reading data that contains international characters. See the encoding names [recommended by the W3C for use in HTML5](http://www.w3.org/TR/encoding/).
+
+Valid encodings:
+
+* `plain`: plain ASCII encoding
+* `utf-8` or `utf8`: UTF-8 encoding
+* `gbk`: simplified Chinese charaters
+* `iso8859-6e`: ISO8859-6E, Latin/Arabic
+* `iso8859-6i`: ISO8859-6I, Latin/Arabic
+* `iso8859-8e`: ISO8859-8E, Latin/Hebrew
+* `iso8859-8i`: ISO8859-8I, Latin/Hebrew
+* `iso8859-1`: ISO8859-1, Latin-1
+* `iso8859-2`: ISO8859-2, Latin-2
+* `iso8859-3`: ISO8859-3, Latin-3
+* `iso8859-4`: ISO8859-4, Latin-4
+* `iso8859-5`: ISO8859-5, Latin/Cyrillic
+* `iso8859-6`: ISO8859-6, Latin/Arabic
+* `iso8859-7`: ISO8859-7, Latin/Greek
+* `iso8859-8`: ISO8859-8, Latin/Hebrew
+* `iso8859-9`: ISO8859-9, Latin-5
+* `iso8859-10`: ISO8859-10, Latin-6
+* `iso8859-13`: ISO8859-13, Latin-7
+* `iso8859-14`: ISO8859-14, Latin-8
+* `iso8859-15`: ISO8859-15, Latin-9
+* `iso8859-16`: ISO8859-16, Latin-10
+* `cp437`: IBM CodePage 437
+* `cp850`: IBM CodePage 850
+* `cp852`: IBM CodePage 852
+* `cp855`: IBM CodePage 855
+* `cp858`: IBM CodePage 858
+* `cp860`: IBM CodePage 860
+* `cp862`: IBM CodePage 862
+* `cp863`: IBM CodePage 863
+* `cp865`: IBM CodePage 865
+* `cp866`: IBM CodePage 866
+* `ebcdic-037`: IBM CodePage 037
+* `ebcdic-1040`: IBM CodePage 1140
+* `ebcdic-1047`: IBM CodePage 1047
+* `koi8r`: KOI8-R, Russian (Cyrillic)
+* `koi8u`: KOI8-U, Ukranian (Cyrillic)
+* `macintosh`: Macintosh encoding
+* `macintosh-cyrillic`: Macintosh Cyrillic encoding
+* `windows1250`: Windows1250, Central and Eastern European
+* `windows1251`: Windows1251, Russian, Serbian (Cyrillic)
+* `windows1252`: Windows1252, Legacy
+* `windows1253`: Windows1253, Modern Greek
+* `windows1254`: Windows1254, Turkish
+* `windows1255`: Windows1255, Hebrew
+* `windows1256`: Windows1256, Arabic
+* `windows1257`: Windows1257, Estonian, Latvian, Lithuanian
+* `windows1258`: Windows1258, Vietnamese
+* `windows874`:  Windows874, ISO/IEC 8859-11, Latin/Thai
+* `utf-16-bom`: UTF-16 with required BOM
+* `utf-16be-bom`: big endian UTF-16 with required BOM
+* `utf-16le-bom`: little endian UTF-16 with required BOM
+
+The `plain` encoding is special, because it does not validate or transform any input.
+
+
+#### `exclude_lines` [filebeat-input-stdin-exclude-lines]
+
+A list of regular expressions to match the lines that you want Filebeat to exclude. Filebeat drops any lines that match a regular expression in the list. By default, no lines are dropped. Empty lines are ignored.
+
+If [multiline](/reference/filebeat/multiline-examples.md#multiline) settings are also specified, each multiline message is combined into a single line before the lines are filtered by `exclude_lines`.
+
+The following example configures Filebeat to drop any lines that start with `DBG`.
+
+```yaml
+filebeat.inputs:
+- type: stdin
+  ...
+  exclude_lines: ['^DBG']
+```
+
+See [Regular expression support](/reference/filebeat/regexp-support.md) for a list of supported regexp patterns.
+
+
+#### `include_lines` [filebeat-input-stdin-include-lines]
+
+A list of regular expressions to match the lines that you want Filebeat to include. Filebeat exports only the lines that match a regular expression in the list. By default, all lines are exported. Empty lines are ignored.
+
+If [multiline](/reference/filebeat/multiline-examples.md#multiline) settings also specified, each multiline message is combined into a single line before the lines are filtered by `include_lines`.
+
+The following example configures Filebeat to export any lines that start with `ERR` or `WARN`:
+
+```yaml
+filebeat.inputs:
+- type: stdin
+  ...
+  include_lines: ['^ERR', '^WARN']
+```
+
+::::{note}
+If both `include_lines` and `exclude_lines` are defined, Filebeat executes `include_lines` first and then executes `exclude_lines`. The order in which the two options are defined doesn’t matter. The `include_lines` option will always be executed before the `exclude_lines` option, even if `exclude_lines` appears before `include_lines` in the config file.
+::::
+
+
+The following example exports all log lines that contain `sometext`, except for lines that begin with `DBG` (debug messages):
+
+```yaml
+filebeat.inputs:
+- type: stdin
+  ...
+  include_lines: ['sometext']
+  exclude_lines: ['^DBG']
+```
+
+See [Regular expression support](/reference/filebeat/regexp-support.md) for a list of supported regexp patterns.
+
+
+#### `harvester_buffer_size` [_harvester_buffer_size_3]
+
+The size in bytes of the buffer that each harvester uses when fetching a file. The default is 16384.
+
+
+#### `max_bytes` [_max_bytes_3]
+
+The maximum number of bytes that a single log message can have. All bytes after `max_bytes` are discarded and not sent. This setting is especially useful for multiline log messages, which can get large. The default is 10MB (10485760).
+
+
+#### `json` [filebeat-input-stdin-config-json]
+
+These options make it possible for Filebeat to decode logs structured as JSON messages. Filebeat processes the logs line by line, so the JSON decoding only works if there is one JSON object per line.
+
+The decoding happens before line filtering and multiline. You can combine JSON decoding with filtering and multiline if you set the `message_key` option. This can be helpful in situations where the application logs are wrapped in JSON objects, as with like it happens for example with Docker.
+
+Example configuration:
+
+```yaml
+json.keys_under_root: true
+json.add_error_key: true
+json.message_key: log
+```
+
+You must specify at least one of the following settings to enable JSON parsing mode:
+
+**`keys_under_root`**
+:   By default, the decoded JSON is placed under a "json" key in the output document. If you enable this setting, the keys are copied top level in the output document. The default is false.
+
+**`overwrite_keys`**
+:   If `keys_under_root` and this setting are enabled, then the values from the decoded JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) in case of conflicts.
+
+**`expand_keys`**
+:   If this setting is enabled, Filebeat will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`. This setting should be enabled when the input is produced by an [ECS logger](https://github.com/elastic/ecs-logging).
+
+**`add_error_key`**
+:   If this setting is enabled, Filebeat adds a "error.message" and "error.type: json" key in case of JSON unmarshalling errors or when a `message_key` is defined in the configuration but cannot be used.
+
+**`message_key`**
+:   An optional configuration setting that specifies a JSON key on which to apply the line filtering and multiline settings. If specified the key must be at the top level in the JSON object and the value associated with the key must be a string, otherwise no filtering or multiline aggregation will occur.
+
+**`document_id`**
+:   Option configuration setting that specifies the JSON key to set the document id. If configured, the field will be removed from the original json document and stored in `@metadata._id`
+
+**`ignore_decoding_error`**
+:   An optional configuration setting that specifies if JSON decoding errors should be logged or not. If set to true, errors will not be logged. The default is false.
+
+
+#### `multiline` [_multiline_7]
+
+Options that control how Filebeat deals with log messages that span multiple lines. See [Multiline messages](/reference/filebeat/multiline-examples.md) for more information about configuring multiline options.
+
+
+## Common options [filebeat-input-stdin-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_23]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_22]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: stdin
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-stdin-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: stdin
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-stdin]
+
+If this option is set to true, the custom [fields](#filebeat-input-stdin-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_22]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_22]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_22]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_22]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_22]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-streaming.md b/docs/reference/filebeat/filebeat-input-streaming.md
new file mode 100644
index 000000000000..b9eb9acc2b52
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-streaming.md
@@ -0,0 +1,522 @@
+---
+navigation_title: "Streaming"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-streaming.html
+---
+
+# Streaming Input [filebeat-input-streaming]
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+
+The `streaming` input reads messages from a streaming data source, for example a websocket server. This input uses the `CEL engine` and the `mito` library internally to parse and process the messages. Having support for `CEL` allows you to parse and process the messages in a more flexible way. It has many similarities with the `cel` input as to how the `CEL` programs are written but differs in the way the messages are read and processed. Currently websocket server or API endpoints, and the Crowdstrike Falcon streaming API are supported.
+
+The websocket streaming input supports:
+
+* Auth
+
+    * Basic
+    * Bearer
+    * Custom
+    * OAuth2.0
+
+
+::::{note}
+The `streaming` input websocket handler does not currently support XML messages. Auto-reconnects are also not supported at the moment so reconnection will occur on input restart.
+::::
+
+
+The Crowdstrike streaming input requires OAuth2.0 as described in the Crowdstrike documentation for the API. When using the Crowdstrike streaming type, the `crowdstrike_app_id` configuration field must be set. This field specifies the `appId` parameter sent to the Crowdstrike API. See the Crowdstrike documentation for details.
+
+The `stream_type` configuration field specifies which type of streaming input to use, "websocket" or "crowdstrike". If it is not set, the input defaults to websocket streaming  .
+
+## Execution [_execution_3]
+
+The execution environment provided for the input includes includes the functions, macros, and global variables provided by the mito library. A single JSON object is provided as an input accessible through a `state` variable. `state` contains a `response` map field and may contain arbitrary other fields configured via the input’s `state` configuration. If the CEL program saves cursor states between executions of the program, the configured `state.cursor` value will be replaced by the saved cursor prior to execution.
+
+On start the `state` will be something like this:
+
+```json
+{
+    "response": { ... },
+    "cursor": { ... },
+    ...
+}
+```
+
+The `streaming` input websocket handler creates a `response` field in the state map and attaches the websocket message to this field. All `CEL` programs written should act on this `response` field. Additional fields may be present at the root of the object and if the program tolerates it, the cursor value may be absent. Only the cursor is persisted over restarts, but all fields in state are retained between iterations of the processing loop except for the produced events array, see below.
+
+If the cursor is present the program should process or filter out responses based on its value. If cursor is not present all responses should be processed as per the program’s logic.
+
+After completion of a program’s execution it should return a single object with a structure looking like this:
+
+```json
+{
+    "events": [ <1>
+        {...},
+        ...
+    ],
+    "cursor": [ <2>
+        {...},
+        ...
+    ]
+}
+```
+
+1. The `events` field must be present, but may be empty or null. If it is not empty, it must only have objects as elements. The field could be an array or a single object that will be treated as an array with a single element. This depends completely on the streaming data source. The `events` field is the array of events to be published to the output. Each event must be a JSON object.
+2. If `cursor` is present it must be either be a single object or an array with the same length as events; each element *i* of the `cursor` will be the details for obtaining the events at and beyond event *i* in the `events` array. If the `cursor` is a single object, it will be the details for obtaining events after the last event in the `events` array and will only be retained on successful publication of all the events in the `events` array.
+
+
+Example configurations:
+
+```yaml
+filebeat.inputs:
+# Read and process simple websocket messages from a local websocket server
+- type: streaming
+  url: ws://localhost:443/v1/stream
+  program: |
+    bytes(state.response).decode_json().as(inner_body,{
+      "events": {
+        "message":  inner_body.encode_json(),
+      }
+    })
+```
+
+```yaml
+filebeat.inputs:
+# Read and process events from the Crowdstrike Falcon Hose API
+- type: streaming
+  stream_type: crowdstrike
+  url: https://api.crowdstrike.com/sensors/entities/datafeed/v2
+  auth:
+    client_id: a23fcea2643868ef1a41565a1a8a1c7c
+    client_secret: c3VwZXJzZWNyZXRfY2xpZW50X3NlY3JldF9zaGhoaGgK
+    token_url: https://api.crowdstrike.com/oauth2/token
+  crowdstrike_app_id: my_app_id
+  program: |
+    state.response.decode_json().as(body,{
+      "events": [body],
+      ?"cursor": has(body.?metadata.offset) ?
+        optional.of({"offset": body.metadata.offset})
+      :
+        optional.none(),
+    })
+```
+
+
+## Debug state logging [_debug_state_logging_2]
+
+The Websocket input will log the complete state when logging at the DEBUG level before and after CEL evaluation. This will include any sensitive or secret information kept in the `state` object, and so DEBUG level logging should not be used in production when sensitive information is retained in the `state` object. See [`redact`](#streaming-state-redact) configuration parameters for settings to exclude sensitive fields from DEBUG logs.
+
+
+## Authentication [_authentication]
+
+The websocket streaming input supports authentication via Basic token authentication, Bearer token authentication, authentication via a custom auth config and OAuth2 based authentication. Unlike REST inputs Basic Authentication contains a basic auth token, Bearer Authentication contains a bearer token and custom auth contains any combination of custom header and value. These token/key values are are added to the request headers and are not exposed to the `state` object. The custom auth configuration is useful for constructing requests that require custom headers and values for authentication. The basic and bearer token configurations will always use the `Authorization` header and prepend the token with `Basic` or `Bearer` respectively.
+
+Example configurations with authentication:
+
+```yaml
+filebeat.inputs:
+- type: streaming
+  auth.basic_token: "dXNlcjpwYXNzd29yZA=="
+  url: wss://localhost:443/_stream
+```
+
+```yaml
+filebeat.inputs:
+- type: streaming
+  auth.bearer_token: "dXNlcjpwYXNzd29yZA=="
+  url: wss://localhost:443/_stream
+```
+
+```yaml
+filebeat.inputs:
+- type: streaming
+  auth.custom:
+    header: "x-api-key"
+    value: "dXNlcjpwYXNzd29yZA=="
+  url: wss://localhost:443/_stream
+```
+
+```yaml
+filebeat.inputs:
+- type: streaming
+  auth.custom:
+    header: "Auth"
+    value: "Bearer dXNlcjpwYXNzd29yZA=="
+  url: wss://localhost:443/_stream
+```
+
+The crowdstrike streaming input requires OAuth2.0 authentication using a client ID, client secret and a token URL. These values are not exposed to the `state` object. OAuth2.0 scopes and endpoint parameters are available via the `auth.scopes` and `auth.endpoint_params` config parameters.
+
+```yaml
+filebeat.inputs:
+- type: streaming
+  stream_type: crowdstrike
+  auth:
+    client_id: a23fcea2643868ef1a41565a1a8a1c7c
+    client_secret: c3VwZXJzZWNyZXRfY2xpZW50X3NlY3JldF9zaGhoaGgK
+    token_url: https://api.crowdstrike.com/oauth2/token
+```
+
+
+## Websocket OAuth2.0 [_websocket_oauth2_0]
+
+The `websocket` streaming input supports OAuth2.0 authentication. The `auth` configuration field is used to specify the OAuth2.0 configuration. These values are not exposed to the `state` object.
+
+The `auth` configuration field has the following subfields:
+
+* `client_id`: The client ID to use for OAuth2.0 authentication.
+* `client_secret`: The client secret to use for OAuth2.0 authentication.
+* `token_url`: The token URL to use for OAuth2.0 authentication.
+* `scopes`: The scopes to use for OAuth2.0 authentication.
+* `endpoint_params`: The endpoint parameters to use for OAuth2.0 authentication.
+* `auth_style`: The authentication style to use for OAuth2.0 authentication. If left unset, the style will be automatically detected.
+* `token_expiry_buffer`: Minimum valid time remaining before attempting an OAuth2 token renewal. The default value is `2m`.
+
+**Explanations for `auth_style` and `token_expiry_buffer`:**
+
+* `auth_style`: The authentication style to use for OAuth2.0 authentication which determines how the values of sensitive information like `client_id` and `client_secret` are sent in the token request. The default style value is automatically inferred and used appropriately if no value is provided. The `auth_style` configuration field is optional and can be used to specify the authentication style to use for OAuth2.0 authentication. The `auth_style` configuration field supports the following configurable values:
+
+    * `in_header`: The `client_id` and `client_secret` is sent in the header as a base64 encoded `Authorization` header.
+    * `in_params`: The `client_id` and `client_secret` is sent in the request body along with the other OAuth2 parameters.
+
+* `token_expiry_buffer`: The token expiry buffer to use for OAuth2.0 authentication. The `token_expiry_buffer` is used as a safety net to ensure that the token does not expire before the input can refresh it. The `token_expiry_buffer` configuration field is optional. If the `token_expiry_buffer` configuration field is not set, the default value of `2m` is used.
+
+::::{note}
+We recommend leaving the `auth_style` configuration field unset (automatically inferred internally) for most scenarios, except where manual intervention is required.
+::::
+
+
+```yaml
+filebeat.inputs:
+- type: streaming
+  auth:
+    client_id: a23fcea2643868ef1a41565a1a8a1c7c
+    client_secret: c3VwZXJzZWNyZXRfY2xpZW50X3NlY3JldF9zaGhoaGgK
+    token_url: https://api.sample-url.com/oauth2/token
+    scopes: ["read", "write"]
+    endpoint_params:
+      param1: value1
+      param2: value2
+    auth_style: in_params
+    token_expiry_buffer: 5m
+  url: wss://localhost:443/_stream
+```
+
+
+## Input state [input-state-streaming]
+
+The `streaming` input keeps a runtime state between every message received. This state can be accessed by the CEL program and may contain arbitrary objects. The state must contain a `response` map and may contain any object the user wishes to store in it. All objects are stored at runtime, except `cursor`, which has values that are persisted between restarts.
+
+
+## Configuration options [_configuration_options_17]
+
+The `streaming` input supports the following configuration options plus the [Common options](#filebeat-input-streaming-common-options) described later.
+
+
+### `stream_type` [stream_type-streaming]
+
+The flavor of streaming to use. This may be either "websocket", "crowdstrike", or unset. If the field is unset, websocket streaming is used.
+
+
+### `program` [program-streaming]
+
+The CEL program that is executed on each message received. This field should ideally be present but if not the default program given below is used.
+
+```yaml
+program: |
+  bytes(state.response).decode_json().as(inner_body,{
+    "events": {
+      "message":  inner_body.encode_json(),
+    }
+  })
+```
+
+
+### `url_program` [input-url-program-streaming]
+
+If present, this CEL program is executed before the streaming connection is established using the `state` object, including any stored cursor value. It must evaluate to a valid URL. The returned URL is used to make the streaming connection for processing. The program may use cursor values or other state defined values to customize the URL at runtime.
+
+```yaml
+url: ws://testapi:443/v1/streamresults
+state:
+  initial_start_time: "2022-01-01T00:00:00Z"
+url_program: |
+  state.url + "?since=" + state.?cursor.since.orValue(state.initial_start_time)
+program: |
+  bytes(state.response).decode_json().as(inner_body,{
+    "events": {
+      "message":  inner_body.encode_json(),
+    },
+    "cursor": {
+      "since": inner_body.timestamp
+    }
+  })
+```
+
+
+### `state` [state-streaming]
+
+`state` is an optional object that is passed to the CEL program on the first execution. It is available to the executing program as the `state` variable. Except for the `state.cursor` field, `state` does not persist over restarts.
+
+
+### `state.cursor` [cursor-streaming]
+
+The cursor is an object available as `state.cursor` where arbitrary values may be stored. Cursor state is kept between input restarts and updated after each event of a request has been published. When a cursor is used the CEL program must either create a cursor state for each event that is returned by the program, or a single cursor that reflects the cursor for completion of the full set of events.
+
+```yaml
+filebeat.inputs:
+# Read and process simple websocket messages from a local websocket server
+- type: streaming
+  url: ws://localhost:443/v1/stream
+  program: |
+    bytes(state.response).as(body, {
+      "events": [body.decode_json().with({
+        "last_requested_at": has(state.cursor) && has(state.cursor.last_requested_at) ?
+          state.cursor.last_requested_at
+        :
+          now
+      })],
+      "cursor": {"last_requested_at": now}
+    })
+```
+
+
+### `regexp` [regexp-streaming]
+
+A set of named regular expressions that may be used during a CEL program’s execution using the `regexp` extension library. The syntax used for the regular expressions is [RE2](https://github.com/google/re2/wiki/Syntax).
+
+```yaml
+filebeat.inputs:
+- type: streaming
+  # Define two regular expressions, 'products' and 'solutions' for use during CEL program execution.
+  regexp:
+    products: '(?i)(Elasticsearch|Beats|Logstash|Kibana)'
+    solutions: '(?i)(Search|Observability|Security)'
+```
+
+
+### `redact` [streaming-state-redact]
+
+During debug level logging, the `state` object and the resulting evaluation result are included in logs. This may result in leaking of secrets. In order to prevent this, fields may be redacted or deleted from the logged `state`. The `redact` configuration allows users to configure this field redaction behaviour. For safety reasons if the `redact` configuration is missing a warning is logged.
+
+In the case of no-required redaction an empty `redact.fields` configuration should be used to silence the logged warning.
+
+```yaml
+- type: streaming
+  redact:
+    fields: ~
+```
+
+As an example, if a user-constructed Basic Authentication request is used in a CEL program the password can be redacted like so
+
+```yaml
+filebeat.inputs:
+- type: streaming
+  url: ws://localhost:443/_stream
+  state:
+    user: user@domain.tld
+    password: P@$$W0₹D
+  redact:
+    fields:
+      - password
+    delete: true
+```
+
+Note that fields under the `auth` configuration hierarchy are not exposed to the `state` and so do not need to be redacted. For this reason it is preferable to use these for authentication over the request construction shown above where possible.
+
+
+### `redact.fields` [_redact_fields_2]
+
+This specifies fields in the `state` to be redacted prior to debug logging. Fields listed in this array will be either replaced with a `*` or deleted entirely from messages sent to debug logs.
+
+
+### `redact.delete` [_redact_delete_2]
+
+This specifies whether fields should be replaced with a `*` or deleted entirely from messages sent to debug logs. If delete is `true`, fields will be deleted rather than replaced.
+
+
+### `retry` [retry-streaming]
+
+The `retry` configuration allows the user to specify the number of times the input should attempt to reconnect to the streaming data source in the event of a connection failure. The default value is `nil` which means no retries will be attempted. It has a `wait_min` and `wait_max` configuration which specifies the minimum and maximum time to wait between retries. It also supports blanket retries and infinite retries via the `blanket_retires` and `infinite_retries` configuration options. These are set to `false` by default.
+
+```yaml
+filebeat.inputs:
+- type: streaming
+  url: ws://localhost:443/_stream
+  program: |
+    bytes(state.response).decode_json().as(inner_body,{
+      "events": {
+        "message":  inner_body.encode_json(),
+      }
+    })
+  retry:
+    max_attempts: 5
+    wait_min: 1s
+    wait_max: 10s
+    blanket_retries: false
+    infinite_retries: false
+```
+
+
+### `retry.max_attempts` [_retry_max_attempts]
+
+The maximum number of times the input should attempt to reconnect to the streaming data source in the event of a connection failure. The default value is `5` which means a maximum of 5 retries will be attempted.
+
+
+### `retry.wait_min` [_retry_wait_min]
+
+The minimum time to wait between retries. This ensures that retries are spaced out enough to give the system time to recover or resolve transient issues, rather than bombarding the system with rapid retries. For example, `wait_min` might be set to 1 second, meaning that even if the calculated backoff is less than this, the client will wait at least 1 second before retrying. The default value is `1` second.
+
+
+### `retry.wait_max` [_retry_wait_max]
+
+The maximum time to wait between retries. This prevents the retry mechanism from becoming too slow, ensuring that the client does not wait indefinitely between retries. This is crucial in systems where timeouts or user experience are critical. For example, `wait_max` might be set to 10 seconds, meaning that even if the calculated backoff is greater than this, the client will wait at most 10 seconds before retrying. The default value is `30` seconds.
+
+
+### `retry.blanket_retries` [_retry_blanket_retries]
+
+Normally the input will only retry when a connection error is found to be retryable based on the error type and the RFC 6455 error codes defined by the websocket protocol. If `blanket_retries` is set to `true` (`false` by default) the input will retry on any error. This is not recommended unless the user is certain that all errors are transient and can be resolved by retrying.
+
+
+### `retry.infinite_retries` [_retry_infinite_retries]
+
+Normally the input will only retry a maximum of `max_attempts` times. If `infinite_retries` is set to `true` (`false` by default) the input will retry indefinitely. This is not recommended unless the user is certain that the connection will eventually succeed.
+
+
+## `timeout` [_timeout]
+
+Timeout is the maximum amount of time the websocket dialer will wait for a connection to be established. The default value is `180` seconds.
+
+
+### `proxy_url` [_proxy_url]
+
+This specifies the forward proxy URL to use for the connection. The `proxy_url` configuration is optional and can be used to configure the proxy settings for the connection. The `proxy_url` default value is set by `http.ProxyFromEnvironment` which reads the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables.
+
+
+### `proxy_headers` [_proxy_headers]
+
+This specifies the headers to be sent to the proxy server. The `proxy_headers` configuration is optional and can be used to configure the headers to be sent to the proxy server.
+
+
+### `ssl` [_ssl_3]
+
+This specifies the SSL configuration for the connection. The `ssl` configuration is optional and can be used to configure the SSL settings for the connection. The `ssl` configuration has the following subfields:
+
+* `certificate_authorities`: A list of root certificates to use for verifying the server’s certificate.
+* `certificate`: The (PEM encoded) certificate to use for client authentication.
+* `key`: The (PEM encoded) private key to use for client authentication.
+
+If this is a self-signed certificate, the `certificate_authorities` field should be set to the certificate itself.
+
+
+## Metrics [_metrics_14]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the activity of the input.
+
+| Metric | Description |
+| --- | --- |
+| `url` | URL of the input resource. |
+| `cel_eval_errors` | Number of errors encountered during cel program evaluation. |
+| `errors_total` | Number of errors encountered over the life cycle of the input. |
+| `batches_received_total` | Number of event arrays received. |
+| `batches_published_total` | Number of event arrays published. |
+| `received_bytes_total` | Number of bytes received over the life cycle of the input. |
+| `events_received_total` | Number of events received. |
+| `events_published_total` | Number of events published. |
+| `cel_processing_time` | Histogram of the elapsed successful CEL program processing times in nanoseconds. |
+| `batch_processing_time` | Histogram of the elapsed successful batch processing times in nanoseconds (time of receipt to time of ACK for non-empty batches). |
+
+
+## Developer tools [_developer_tools_2]
+
+A stand-alone CEL environment that implements the majority of the streaming input’s Comment Expression Language functionality is available in the [Elastic Mito](https://github.com/elastic/mito) repository. This tool may be used to help develop CEL programs to be used by the input. Installation is available from source by running `go install github.com/elastic/mito/cmd/mito@latest` and requires a Go toolchain.
+
+
+## Common options [filebeat-input-streaming-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_24]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_23]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: streaming
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-streaming-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: streaming
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-streaming]
+
+If this option is set to true, the custom [fields](#filebeat-input-streaming-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_23]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_23]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_23]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_23]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_23]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+::::{note}
+The `streaming` input is currently tagged as experimental and might have bugs and other issues. Please report any issues on the [Github](https://github.com/elastic/beats) repository.
+::::
diff --git a/docs/reference/filebeat/filebeat-input-syslog.md b/docs/reference/filebeat/filebeat-input-syslog.md
new file mode 100644
index 000000000000..0d368db5a579
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-syslog.md
@@ -0,0 +1,260 @@
+---
+navigation_title: "Syslog"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-syslog.html
+---
+
+# Syslog input [filebeat-input-syslog]
+
+[8.14.0]
+
+The syslog input is deprecated. Please use the [`syslog`](/reference/filebeat/syslog.md) processor for processing syslog messages.
+
+
+The `syslog` input reads Syslog events as specified by RFC 3164 and RFC 5424, over TCP, UDP, or a Unix stream socket.
+
+Example configurations:
+
+```yaml
+filebeat.inputs:
+- type: syslog
+  format: rfc3164
+  protocol.udp:
+    host: "localhost:9000"
+```
+
+```yaml
+filebeat.inputs:
+- type: syslog
+  format: rfc5424
+  protocol.tcp:
+    host: "localhost:9000"
+```
+
+```yaml
+filebeat.inputs:
+- type: syslog
+  format: auto
+  protocol.unix:
+    path: "/path/to/syslog.sock"
+```
+
+## Configuration options [_configuration_options_18]
+
+The `syslog` input configuration includes format, protocol specific options, and the [Common options](#filebeat-input-syslog-common-options) described later..
+
+### `format` [_format_2]
+
+The syslog variant to use, `rfc3164` or `rfc5424`. To automatically detect the format from the log entries, set this option to `auto`. The default is `rfc3164`.
+
+
+### `timezone` [_timezone]
+
+IANA time zone name (e.g. `America/New_York`) or fixed time offset (e.g. `+0200`) to use when parsing syslog timestamps that do not contain a time zone. `Local` may be specified to use the machine’s local time zone. Defaults to `Local`.
+
+
+### Protocol `udp`: [_protocol_udp]
+
+
+### `max_message_size` [filebeat-input-syslog-udp-max-message-size]
+
+The maximum size of the message received over UDP. The default is `10KiB`.
+
+
+### `host` [filebeat-input-syslog-udp-host]
+
+The host and UDP port to listen on for event streams.
+
+
+### `network` [filebeat-input-syslog-udp-network]
+
+The network type. Acceptable values are: "udp" (default), "udp4", "udp6"
+
+
+### `read_buffer` [filebeat-input-syslog-udp-read-buffer]
+
+The size of the read buffer on the UDP socket. If not specified the default from the operating system will be used.
+
+
+### `timeout` [filebeat-input-syslog-udp-timeout]
+
+The read and write timeout for socket operations. The default is `5m`.
+
+
+### Protocol `tcp`: [_protocol_tcp]
+
+
+### `max_message_size` [filebeat-input-syslog-tcp-max-message-size]
+
+The maximum size of the message received over TCP. The default is `20MiB`.
+
+
+### `host` [filebeat-input-syslog-tcp-host]
+
+The host and TCP port to listen on for event streams.
+
+
+### `network` [filebeat-input-syslog-tcp-network]
+
+The network type. Acceptable values are: "tcp" (default), "tcp4", "tcp6"
+
+
+### `framing` [filebeat-input-syslog-tcp-framing]
+
+Specify the framing used to split incoming events.  Can be one of `delimiter` or `rfc6587`.  `delimiter` uses the characters specified in `line_delimiter` to split the incoming events.  `rfc6587` supports octet counting and non-transparent framing as described in [RFC6587](https://tools.ietf.org/html/rfc6587).  `line_delimiter` is used to split the events in non-transparent framing.  The default is `delimiter`.
+
+
+### `line_delimiter` [filebeat-input-syslog-tcp-line-delimiter]
+
+Specify the characters used to split the incoming events. The default is *\n*.
+
+
+### `max_connections` [filebeat-input-syslog-tcp-max-connections]
+
+The at most number of connections to accept at any given point in time.
+
+
+### `timeout` [filebeat-input-syslog-tcp-timeout]
+
+The number of seconds of inactivity before a remote connection is closed. The default is `300s`.
+
+
+#### `ssl` [filebeat-input-syslog-tcp-ssl]
+
+Configuration options for SSL parameters like the certificate, key and the certificate authorities to use.
+
+See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+
+
+### Protocol `unix`: [_protocol_unix]
+
+
+### `max_message_size` [filebeat-input-syslog-unix-max-message-size]
+
+The maximum size of the message received over the socket. The default is `20MiB`.
+
+
+### `path` [filebeat-input-syslog-unix-path]
+
+The path to the Unix socket that will receive events.
+
+
+### `socket_type` [filebeat-input-syslog-unix-socket-type]
+
+The type to of the Unix socket that will receive events. Valid values are `stream` and `datagram`. The default is `stream`.
+
+
+### `group` [filebeat-input-syslog-unix-group]
+
+The group ownership of the Unix socket that will be created by Filebeat. The default is the primary group name for the user Filebeat is running as. This option is ignored on Windows.
+
+
+### `mode` [filebeat-input-syslog-unix-mode]
+
+The file mode of the Unix socket that will be created by Filebeat. This is expected to be a file mode as an octal string. The default value is the system default (generally `0755`).
+
+
+### `framing` [filebeat-input-syslog-unix-framing]
+
+Specify the framing used to split incoming events.  Can be one of `delimiter` or `rfc6587`.  `delimiter` uses the characters specified in `line_delimiter` to split the incoming events.  `rfc6587` supports octet counting and non-transparent framing as described in [RFC6587](https://tools.ietf.org/html/rfc6587).  `line_delimiter` is used to split the events in non-transparent framing.  The default is `delimiter`.
+
+
+### `line_delimiter` [filebeat-input-syslog-unix-line-delimiter]
+
+Specify the characters used to split the incoming events. The default is *\n*.
+
+
+### `max_connections` [filebeat-input-syslog-unix-max-connections]
+
+The at most number of connections to accept at any given point in time.
+
+
+### `timeout` [filebeat-input-syslog-unix-timeout]
+
+The number of seconds of inactivity before a connection is closed. The default is `300s`.
+
+See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+
+
+
+## Common options [filebeat-input-syslog-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_25]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_24]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: syslog
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-syslog-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: syslog
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-syslog]
+
+If this option is set to true, the custom [fields](#filebeat-input-syslog-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_24]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_24]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_24]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_24]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_24]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-tcp.md b/docs/reference/filebeat/filebeat-input-tcp.md
new file mode 100644
index 000000000000..d8d266d146b7
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-tcp.md
@@ -0,0 +1,162 @@
+---
+navigation_title: "TCP"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html
+---
+
+# TCP input [filebeat-input-tcp]
+
+
+Use the `TCP` input to read events over TCP.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: tcp
+  max_message_size: 10MiB
+  host: "localhost:9000"
+```
+
+## Configuration options [_configuration_options_19]
+
+The `tcp` input supports the following configuration options plus the [Common options](#filebeat-input-tcp-common-options) described later.
+
+
+### `max_message_size` [filebeat-input-tcp-tcp-max-message-size]
+
+The maximum size of the message received over TCP. The default is `20MiB`.
+
+
+### `host` [filebeat-input-tcp-tcp-host]
+
+The host and TCP port to listen on for event streams.
+
+
+### `network` [filebeat-input-tcp-tcp-network]
+
+The network type. Acceptable values are: "tcp" (default), "tcp4", "tcp6"
+
+
+### `framing` [filebeat-input-tcp-tcp-framing]
+
+Specify the framing used to split incoming events.  Can be one of `delimiter` or `rfc6587`.  `delimiter` uses the characters specified in `line_delimiter` to split the incoming events.  `rfc6587` supports octet counting and non-transparent framing as described in [RFC6587](https://tools.ietf.org/html/rfc6587).  `line_delimiter` is used to split the events in non-transparent framing.  The default is `delimiter`.
+
+
+### `line_delimiter` [filebeat-input-tcp-tcp-line-delimiter]
+
+Specify the characters used to split the incoming events. The default is *\n*.
+
+
+### `max_connections` [filebeat-input-tcp-tcp-max-connections]
+
+The at most number of connections to accept at any given point in time.
+
+
+### `timeout` [filebeat-input-tcp-tcp-timeout]
+
+The number of seconds of inactivity before a remote connection is closed. The default is `300s`.
+
+
+#### `ssl` [filebeat-input-tcp-tcp-ssl]
+
+Configuration options for SSL parameters like the certificate, key and the certificate authorities to use.
+
+See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+
+
+## Metrics [_metrics_15]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the activity of the input.
+
+| Metric | Description |
+| --- | --- |
+| `device` | Host/port of the TCP stream. |
+| `received_events_total` | Total number of packets (events) that have been received. |
+| `received_bytes_total` | Total number of bytes received. |
+| `receive_queue_length` | Aggregated size of the system receive queues (IPv4 and IPv6) (linux only) (gauge). |
+| `arrival_period` | Histogram of the time between successive packets in nanoseconds. |
+| `processing_time` | Histogram of the time taken to process packets in nanoseconds. |
+
+
+## Common options [filebeat-input-tcp-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_26]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_25]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: tcp
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-tcp-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: tcp
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-tcp]
+
+If this option is set to true, the custom [fields](#filebeat-input-tcp-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_25]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_25]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_25]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_25]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_25]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-udp.md b/docs/reference/filebeat/filebeat-input-udp.md
new file mode 100644
index 000000000000..a77bfb55b70a
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-udp.md
@@ -0,0 +1,147 @@
+---
+navigation_title: "UDP"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-udp.html
+---
+
+# UDP input [filebeat-input-udp]
+
+
+Use the `udp` input to read events over UDP.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: udp
+  max_message_size: 10KiB
+  host: "localhost:8080"
+```
+
+## Configuration options [_configuration_options_20]
+
+The `udp` input supports the following configuration options plus the [Common options](#filebeat-input-udp-common-options) described later.
+
+
+### `max_message_size` [filebeat-input-udp-udp-max-message-size]
+
+The maximum size of the message received over UDP. The default is `10KiB`.
+
+
+### `host` [filebeat-input-udp-udp-host]
+
+The host and UDP port to listen on for event streams.
+
+
+### `network` [filebeat-input-udp-udp-network]
+
+The network type. Acceptable values are: "udp" (default), "udp4", "udp6"
+
+
+### `read_buffer` [filebeat-input-udp-udp-read-buffer]
+
+The size of the read buffer on the UDP socket. If not specified the default from the operating system will be used.
+
+
+### `timeout` [filebeat-input-udp-udp-timeout]
+
+The read and write timeout for socket operations. The default is `5m`.
+
+
+## Metrics [_metrics_16]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the activity of the input.
+
+| Metric | Description |
+| --- | --- |
+| `device` | Host/port of the UDP stream. |
+| `udp_read_buffer_length_gauge` | Size of the UDP socket buffer length in bytes (gauge). |
+| `received_events_total` | Total number of packets (events) that have been received. |
+| `received_bytes_total` | Total number of bytes received. |
+| `receive_queue_length` | Aggregated size of the system receive queues (IPv4 and IPv6) (linux only) (gauge). |
+| `system_packet_drops` | Aggregated number of system packet drops (IPv4 and IPv6) (linux only) (gauge). |
+| `arrival_period` | Histogram of the time between successive packets in nanoseconds. |
+| `processing_time` | Histogram of the time taken to process packets in nanoseconds. |
+
+
+## Common options [filebeat-input-udp-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_27]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_26]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: udp
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-udp-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: udp
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-udp]
+
+If this option is set to true, the custom [fields](#filebeat-input-udp-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_26]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_26]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_26]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_26]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_26]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-unifiedlogs.md b/docs/reference/filebeat/filebeat-input-unifiedlogs.md
new file mode 100644
index 000000000000..69e0e64ed05b
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-unifiedlogs.md
@@ -0,0 +1,232 @@
+---
+navigation_title: "Unified Logs"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-input-unifiedlogs.html
+---
+
+# Unified Logs input [filebeat-input-unifiedlogs]
+
+
+::::{note}
+Only available for MacOS.
+::::
+
+
+The unified logging system provides a comprehensive and performant API to capture telemetry across all levels of the system. This system centralizes the storage of log data in memory and on disk, rather than writing that data to a text-based log file.
+
+The input interacts with the `log` command-line tool to provide access to the events.
+
+The input starts streaming events from the current point in time unless a start date or the `backfill` options are set. When restarted it will continue where it left off.
+
+Alternatively, it can also do one off operations, such as:
+
+* Stream events contained in a `.logarchive` file.
+* Stream events contained in a `.tracev3` file.
+* Stream events in a specific time span, by providing a specific end date.
+
+After this one off operations complete, the input will stop.
+
+Other configuration options can be specified to filter what events to process.
+
+::::{note}
+The input can cause some duplicated events when backfilling and/or restarting. This is caused by how the underlying fetching method works and should be taken into account when using the input.
+::::
+
+
+Example configuration:
+
+Process all old and new logs:
+
+```yaml
+filebeat.inputs:
+- type: unifiedlogs
+  id: unifiedlogs-id
+  enabled: true
+  backfill: true
+```
+
+Process logs with predicate filters:
+
+```yaml
+filebeat.inputs:
+- type: unifiedlogs
+  id: unifiedlogs-id
+  enabled: true
+  predicate:
+    # Captures keychain.db unlock events
+    - 'process == "loginwindow" && sender == "Security"'
+    # Captures user login events
+    - 'process == "logind"'
+    # Captures command line activity run with elevated privileges
+    - 'process == "sudo"'
+```
+
+## Configuration options [_configuration_options_21]
+
+The `unifiedlogs` input supports the following configuration options plus the [Common options](filebeat-input-unifiedlogs.md#filebeat-input-unifiedlogs-common-options) described later.
+
+
+### `archive_file` [_archive_file]
+
+Display events stored in the given archive. The archive must be a valid log archive bundle with the suffix `.logarchive`.
+
+
+### `trace_file` [_trace_file]
+
+Display events stored in the given `.tracev3` file. In order to be decoded, the file must be contained within a valid `.logarchive`
+
+
+### `start` [_start]
+
+Shows content starting from the provided date. The following date/time formats are accepted: `YYYY-MM-DD`, `YYYY-MM-DD HH:MM:SS`, `YYYY-MM-DD HH:MM:SSZZZZZ`.
+
+
+### `end` [_end]
+
+Shows content up to the provided date. The following date/time formats are accepted: `YYYY-MM-DD`, `YYYY-MM-DD HH:MM:SS`, `YYYY-MM-DD HH:MM:SSZZZZZ`.
+
+
+### `predicate` [_predicate]
+
+Filters messages using the provided predicate based on NSPredicate. A compound predicate or multiple predicates can be provided as a list.
+
+For detailed information on the use of predicate based filtering, please refer to the [Predicate Programming Guide](https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/Predicates/Articles/pSyntax.html).
+
+
+### `process` [_process]
+
+A list of the processes on which to operate. It accepts a PID or process name.
+
+
+### `source` [_source]
+
+Include symbol names and source line numbers for messages, if available. Default: `false`.
+
+
+### `info` [_info]
+
+Disable or enable info level messages. Default: `false`.
+
+
+### `debug` [_debug]
+
+Disable or enable debug level messages. Default: `false`.
+
+
+### `backtrace` [_backtrace]
+
+Disable or enable display of backtraces. Default: `false`.
+
+
+### `signpost` [_signpost]
+
+Disable or enable display of signposts. Default: `false`.
+
+
+### `unreliable` [_unreliable]
+
+Annotate events with whether the log was emitted unreliably. Default: `false`.
+
+
+### `mach_continuous_time` [_mach_continuous_time]
+
+Use mach continuous time timestamps rather than walltime. Default: `false`.
+
+
+### `backfill` [_backfill]
+
+If set to true the input will process all available logs since the beginning of time the first time it starts. Default: `false`.
+
+
+## Common options [filebeat-input-unifiedlogs-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_28]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_27]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: unifiedlogs
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-unifiedlogs-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: unifiedlogs
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-unifiedlogs]
+
+If this option is set to true, the custom [fields](filebeat-input-unifiedlogs.md#filebeat-input-unifiedlogs-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_27]
+
+A list of processors to apply to the input data.
+
+See [Processors](filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_27]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_27]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_27]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_27]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
+## Metrics [_metrics_17]
+
+This input exposes metrics under the [HTTP monitoring endpoint](http-endpoint.md). These metrics are exposed under the `/inputs/` path. They can be used to observe the activity of the input.
+
+You must assign a unique `id` to the input to expose metrics.
+
+| Metric | Description |
+| --- | --- |
+| `errors_total` | Total number of errors. |
+
+
diff --git a/docs/reference/filebeat/filebeat-input-unix.md b/docs/reference/filebeat/filebeat-input-unix.md
new file mode 100644
index 000000000000..f5b8849ad7ca
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-unix.md
@@ -0,0 +1,171 @@
+---
+navigation_title: "Unix"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-unix.html
+---
+
+# Unix input [filebeat-input-unix]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+
+Use the `unix` input to read events over a stream-oriented Unix domain socket.
+
+Example configuration:
+
+```yaml
+filebeat.inputs:
+- type: unix
+  max_message_size: 10MiB
+  path: "/var/run/filebeat.sock"
+```
+
+## Configuration options [_configuration_options_22]
+
+The `unix` input supports the following configuration options plus the [Common options](#filebeat-input-unix-common-options) described later.
+
+
+### `max_message_size` [filebeat-input-unix-unix-max-message-size]
+
+The maximum size of the message received over the socket. The default is `20MiB`.
+
+
+### `path` [filebeat-input-unix-unix-path]
+
+The path to the Unix socket that will receive events.
+
+
+### `socket_type` [filebeat-input-unix-unix-socket-type]
+
+The type to of the Unix socket that will receive events. Valid values are `stream` and `datagram`. The default is `stream`.
+
+
+### `group` [filebeat-input-unix-unix-group]
+
+The group ownership of the Unix socket that will be created by Filebeat. The default is the primary group name for the user Filebeat is running as. This option is ignored on Windows.
+
+
+### `mode` [filebeat-input-unix-unix-mode]
+
+The file mode of the Unix socket that will be created by Filebeat. This is expected to be a file mode as an octal string. The default value is the system default (generally `0755`).
+
+
+### `framing` [filebeat-input-unix-unix-framing]
+
+Specify the framing used to split incoming events.  Can be one of `delimiter` or `rfc6587`.  `delimiter` uses the characters specified in `line_delimiter` to split the incoming events.  `rfc6587` supports octet counting and non-transparent framing as described in [RFC6587](https://tools.ietf.org/html/rfc6587).  `line_delimiter` is used to split the events in non-transparent framing.  The default is `delimiter`.
+
+
+### `line_delimiter` [filebeat-input-unix-unix-line-delimiter]
+
+Specify the characters used to split the incoming events. The default is *\n*.
+
+
+### `max_connections` [filebeat-input-unix-unix-max-connections]
+
+The at most number of connections to accept at any given point in time.
+
+
+### `timeout` [filebeat-input-unix-unix-timeout]
+
+The number of seconds of inactivity before a connection is closed. The default is `300s`.
+
+See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+
+
+## Metrics [_metrics_18]
+
+This input exposes metrics under the [HTTP monitoring endpoint](/reference/filebeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the activity of the input.
+
+| Metric | Description |
+| --- | --- |
+| `path` | Path of the unix socket. |
+| `received_events_total` | Total number of packets (events) that have been received. |
+| `received_bytes_total` | Total number of bytes received. |
+| `arrival_period` | Histogram of the time between successive packets in nanoseconds. |
+| `processing_time` | Histogram of the time taken to process packets in nanoseconds. |
+
+
+## Common options [filebeat-input-unix-common-options]
+
+The following configuration options are supported by all inputs.
+
+
+#### `enabled` [_enabled_29]
+
+Use the `enabled` option to enable and disable inputs. By default, enabled is set to true.
+
+
+#### `tags` [_tags_28]
+
+A list of tags that Filebeat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+filebeat.inputs:
+- type: unix
+  . . .
+  tags: ["json"]
+```
+
+
+#### `fields` [filebeat-input-unix-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+filebeat.inputs:
+- type: unix
+  . . .
+  fields:
+    app_id: query_engine_12
+```
+
+
+#### `fields_under_root` [fields-under-root-unix]
+
+If this option is set to true, the custom [fields](#filebeat-input-unix-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+#### `processors` [_processors_28]
+
+A list of processors to apply to the input data.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `pipeline` [_pipeline_28]
+
+The ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+
+#### `keep_null` [_keep_null_28]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `index` [_index_28]
+
+If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.11.01"`.
+
+
+#### `publisher_pipeline.disable_host` [_publisher_pipeline_disable_host_28]
+
+By default, all events contain `host.name`. This option can be set to `true` to disable the addition of this field to all events. The default value is `false`.
+
+
diff --git a/docs/reference/filebeat/filebeat-input-winlog.md b/docs/reference/filebeat/filebeat-input-winlog.md
new file mode 100644
index 000000000000..56c5ffc479fb
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-input-winlog.md
@@ -0,0 +1,307 @@
+---
+navigation_title: "winlog"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-winlog.html
+---
+
+# winlog input [filebeat-input-winlog]
+
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Use the `winlog` input to read Windows event logs. It reads from one event log using Windows APIs, filters the events based on user-configured criteria, then sends the event data to the configured outputs. It watches the event log so that new event data is sent in a timely manner. The read position for the event log is persisted to disk to allow the input to resume after restarts.
+
+The `winlog` input can capture event data from any event logs running on your system. For example, you can capture events such as:
+
+* application events
+* hardware events
+* security events
+* system events
+
+Here is a sample configuration:
+
+```yaml
+- type: winlog
+  name: Application
+  ignore_older: 72h
+```
+
+
+## Configuration options [_configuration_options_23]
+
+
+### `batch_read_size` [_batch_read_size]
+
+The maximum number of event log records to read from the Windows API in a single batch. The default batch size is 512. Most Windows versions return an error if the value is larger than 1024. **{This option is only available on operating systems +
+  supporting the Windows Event Log API (Microsoft Windows Vista and newer).}**
+
+Filebeat starts a goroutine (a lightweight thread) to read from each individual event log. The goroutine reads a batch of event log records using the Windows API, applies any processors to the events, publishes them to the configured outputs, and waits for an acknowledgement from the outputs before reading additional event log records.
+
+
+### `name` [_name]
+
+The name of the event log to monitor. It must have a `name` field, except for those which use a custom XML query. A channel is a named stream of events that transports events from an event source to an event log. Most channels are tied to specific event publishers. You can get a list of available event logs by using the PowerShell [`Get-WinEvent`](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent) cmdlet on Windows Vista or newer. Here is a sample of the output from the command:
+
+```sh
+PS C:\> Get-WinEvent -ListLog * | Format-List -Property LogName
+LogName : Application
+LogName : HardwareEvents
+LogName : Internet Explorer
+LogName : Key Management Service
+LogName : Security
+LogName : System
+LogName : Windows PowerShell
+LogName : ForwardedEvents
+LogName : Microsoft-Management-UI/Admin
+LogName : Microsoft-Rdms-UI/Admin
+LogName : Microsoft-Rdms-UI/Operational
+LogName : Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
+...
+```
+
+If `Get-WinEvent` is not available, the [`Get-EventLog`](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog) cmdlet can be used in its place.
+
+```sh
+PS C:\Users\vagrant> Get-EventLog *
+
+  Max(K) Retain OverflowAction        Entries Log
+  ------ ------ --------------        ------- ---
+  20,480      0 OverwriteAsNeeded          75 Application
+  20,480      0 OverwriteAsNeeded           0 HardwareEvents
+     512      7 OverwriteOlder              0 Internet Explorer
+  20,480      0 OverwriteAsNeeded           0 Key Management Service
+  20,480      0 OverwriteAsNeeded       1,609 Security
+  20,480      0 OverwriteAsNeeded       1,184 System
+  15,360      0 OverwriteAsNeeded         464 Windows PowerShell
+```
+
+You must specify the full name of the channel in the configuration file.
+
+```yaml
+- type: winlog
+  name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
+```
+
+To read events from an archived `.evtx` file you can specify the `name` as the absolute path (it cannot be relative) to the file.
+
+```yaml
+- type: winlog
+  name: 'C:\backup\sysmon-2019.08.evtx'
+  no_more_events: stop
+```
+
+The name key must not be used with custom XML queries.
+
+
+### `id` [_id]
+
+A unique identifier for the event log. This key is required when using a custom XML query.
+
+It is used to uniquely identify the event log reader in the registry file. This is useful if multiple event logs are being set up to watch the same channel or file. If an ID is not given, the `name` value will be used.
+
+This value must be unique.
+
+```yaml
+- type: winlog
+  name: Application
+  id: application-logs
+  ignore_older: 168h
+```
+
+
+### `ignore_older` [_ignore_older_2]
+
+If this option is specified, the input filters events that are older than the specified amount of time. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". This option is useful when you are beginning to monitor an event log that contains older records that you would like to ignore. This field is optional.
+
+```yaml
+- type: winlog
+  name: Application
+  ignore_older: 168h
+```
+
+
+### `forwarded` [_forwarded]
+
+A boolean flag to indicate that the log contains only events collected from remote hosts using the Windows Event Collector. The value defaults to true for the ForwardedEvents log and false for any other log. **{This option is only available on operating systems +
+  supporting the Windows Event Log API (Microsoft Windows Vista and newer).}**
+
+This settings allows Filebeat to optimize reads for forwarded events that are already rendered. When the value is true Filebeat does not attempt to render the event using message files from the host computer. The Windows Event Collector subscription should be configured to use the "RenderedText" format (this is the default) to ensure that the events are distributed with messages and descriptions.
+
+
+### `event_id` [_event_id]
+
+An allowlist and blocklist of event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). **{This option is only available on operating systems +
+  supporting the Windows Event Log API (Microsoft Windows Vista and newer).}**
+
+```yaml
+- type: winlog
+  name: Security
+  event_id: 4624, 4625, 4700-4800, -4735
+```
+
+
+### `language` [_language]
+
+The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language.
+
+```yaml
+- type: winlog
+  name: Security
+  event_id: 4624, 4625, 4700-4800, -4735
+  language: 0x0409 # en-US
+```
+
+
+### `level` [_level]
+
+A list of event levels to include. The value is a comma-separated list of levels. **{This option is only available on operating systems +
+  supporting the Windows Event Log API (Microsoft Windows Vista and newer).}**
+
+| Level | Value |
+| --- | --- |
+| critical, crit | 1 |
+| error, err | 2 |
+| warning, warn | 3 |
+| information, info | 0 or 4 |
+| verbose | 5 |
+
+```yaml
+- type: winlog
+  name: Security
+  level: critical, error, warning
+```
+
+
+### `provider` [_provider_3]
+
+A list of providers (source names) to include. The value is a YAML list. **{This option is only available on operating systems +
+  supporting the Windows Event Log API (Microsoft Windows Vista and newer).}**
+
+```yaml
+- type: winlog
+  name: Application
+  provider:
+    - Application Error
+    - Application Hang
+    - Windows Error Reporting
+    - EMET
+```
+
+You can obtain a list of providers associated with a log by using PowerShell. Here is an example showing the providers associated with the Security log.
+
+```sh
+PS C:\> (Get-WinEvent -ListLog Security).ProviderNames
+DS
+LSA
+SC Manager
+Security
+Security Account Manager
+ServiceModel 4.0.0.0
+Spooler
+TCP/IP
+VSSAudit
+Microsoft-Windows-Security-Auditing
+Microsoft-Windows-Eventlog
+```
+
+
+### `xml_query` [_xml_query]
+
+Provide a custom XML query. This option is mutually exclusive with the `name`, `event_id`, `ignore_older`, `level`, and `provider` options. These options should be included in the XML query directly. Furthermore, an `id` must be provided. Custom XML queries provide more flexibility and advanced options than the simpler query options in Filebeat. **{This option is only available on operating systems +
+  supporting the Windows Event Log API (Microsoft Windows Vista and newer).}**
+
+Here is a configuration which will collect DHCP server events from multiple channels:
+
+```yaml
+- type: winlog
+  id: dhcp-server-logs
+  xml_query: >
+    <QueryList>
+      <Query Id="0" Path="DhcpAdminEvents">
+        <Select Path="DhcpAdminEvents">*</Select>
+        <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>
+        <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
+      </Query>
+    </QueryList>
+```
+
+XML queries may also be created in Windows Event Viewer using custom views. The query can be created using a graphical interface and the corresponding XML can be retrieved from the XML tab.
+
+
+### `include_xml` [_include_xml]
+
+Boolean option that controls if the raw XML representation of an event is included in the data sent by Filebeat. The default is false. **{This option is only available on operating systems +
+  supporting the Windows Event Log API (Microsoft Windows Vista and newer).}**
+
+The XML representation of the event is useful for troubleshooting purposes. The data in the fields reported by Filebeat can be compared to the data in the XML to diagnose problems.
+
+Example:
+
+```yaml
+- type: winlog
+  name: Microsoft-Windows-Windows Defender/Operational
+  include_xml: true
+```
+
+* This can have a significant impact on performance that can vary depending on your system specs.
+
+
+### `tags` [_tags_29]
+
+A list of tags that the Beat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+- type: winlog
+  name: CustomLog
+  tags: ["web"]
+```
+
+
+### `fields` [winlog-configuration-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering event data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+- type: winlog
+  name: CustomLog
+  fields:
+    customer_id: 51415432
+```
+
+
+### `fields_under_root` [_fields_under_root]
+
+If this option is set to true, the custom [fields](#winlog-configuration-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
+
+
+### `processors` [_processors_29]
+
+A list of processors to apply to the data generated by the event log.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+### `index` [_index_29]
+
+If present, this formatted string overrides the index for events from this event log (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"filebeat-myindex-2019.12.13"`.
+
+
+### `keep_null` [_keep_null_29]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+### `no_more_events` [_no_more_events]
+
+The action that the event log reader should take when it receives a signal from Windows that there are no more events to read. It can either `wait` for more events to be written (the default behavior) or it can `stop`. The overall Filebeat process will stop when all of the individual event log readers have stopped. **{This option is only available on operating systems +
+  supporting the Windows Event Log API (Microsoft Windows Vista and newer).}**
+
+Setting `no_more_events` to `stop` is useful when reading from archived event log files where you want to read the whole file then exit.
+
diff --git a/docs/reference/filebeat/filebeat-installation-configuration.md b/docs/reference/filebeat/filebeat-installation-configuration.md
new file mode 100644
index 000000000000..0e8f5f16f4ba
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-installation-configuration.md
@@ -0,0 +1,378 @@
+---
+navigation_title: "Quick start"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html
+---
+
+# Filebeat quick start: installation and configuration [filebeat-installation-configuration]
+
+
+This guide describes how to get started quickly with log collection. You’ll learn how to:
+
+* install Filebeat on each system you want to monitor
+* specify the location of your log files
+* parse log data into fields and send it to {es}
+* visualize the log data in {kib}
+
+:::{image} images/kibana-system.png
+:alt: Filebeat System dashboard
+:class: screenshot
+:::
+
+
+## Before you begin [_before_you_begin]
+
+You need {{es}} for storing and searching your data, and {{kib}} for visualizing and managing it.
+
+:::::::{tab-set}
+
+::::::{tab-item} Elasticsearch Service
+To get started quickly, spin up a deployment of our [hosted {{ess}}](https://www.elastic.co/cloud/elasticsearch-service). The {{ess}} is available on AWS, GCP, and Azure. [Try it out for free](https://cloud.elastic.co/registration?page=docs&placement=docs-body).
+::::::
+
+::::::{tab-item} Self-managed
+To install and run {{es}} and {{kib}}, see [Installing the {{stack}}](docs-content://deploy-manage/deploy/self-managed/deploy-cluster.md).
+::::::
+
+:::::::
+
+## Step 1: Install Filebeat [installation]
+
+Install Filebeat on all the servers you want to monitor.
+
+To download and install Filebeat, use the commands that work with your system:
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+Version 9.0.0-beta1 of Filebeat has not yet been released.
+::::::
+
+::::::{tab-item} RPM
+Version 9.0.0-beta1 of Filebeat has not yet been released.
+::::::
+
+::::::{tab-item} MacOS
+Version 9.0.0-beta1 of Filebeat has not yet been released.
+::::::
+
+::::::{tab-item} Linux
+Version 9.0.0-beta1 of Filebeat has not yet been released.
+::::::
+
+::::::{tab-item} Windows
+Version 9.0.0-beta1 of Filebeat has not yet been released.
+::::::
+
+:::::::
+The commands shown are for AMD platforms, but ARM packages are also available. Refer to the [download page](https://www.elastic.co/downloads/beats/filebeat) for the full list of available packages.
+
+
+### Other installation options [other-installation-options]
+
+* [APT or YUM](/reference/filebeat/setup-repositories.md)
+* [Download page](https://www.elastic.co/downloads/beats/filebeat)
+* [Docker](/reference/filebeat/running-on-docker.md)
+* [Kubernetes](/reference/filebeat/running-on-kubernetes.md)
+* [Cloud Foundry](/reference/filebeat/running-on-cloudfoundry.md)
+
+
+## Step 2: Connect to the {{stack}} [set-connection]
+
+Connections to {{es}} and {{kib}} are required to set up Filebeat.
+
+Set the connection information in `filebeat.yml`. To locate this configuration file, see [Directory layout](/reference/filebeat/directory-layout.md).
+
+:::::::{tab-set}
+
+::::::{tab-item} Elasticsearch Service
+Specify the [cloud.id](/reference/filebeat/configure-cloud-id.md) of your {{ess}}, and set [cloud.auth](/reference/filebeat/configure-cloud-id.md) to a user who is authorized to set up Filebeat. For example:
+
+```yaml
+cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
+cloud.auth: "filebeat_setup:{pwd}" <1>
+```
+
+1. This examples shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/filebeat/keystore.md).
+::::::
+
+::::::{tab-item} Self-managed
+1. Set the host and port where Filebeat can find the {{es}} installation, and set the username and password of a user who is authorized to set up Filebeat. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      username: "filebeat_internal"
+      password: "{pwd}" <1>
+      ssl:
+        enabled: true
+        ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c" <2>
+    ```
+
+    1. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/filebeat/keystore.md).
+    2. This example shows a hard-coded fingerprint, but you should store sensitive values in the [secrets keystore](/reference/filebeat/keystore.md). The fingerprint is a HEX encoded SHA-256 of a CA certificate, when you start {{es}} for the first time, security features such as network encryption (TLS) for {{es}} are enabled by default. If you are using the self-signed certificate generated by {{es}} when it is started for the first time, you will need to add its fingerprint here. The fingerprint is printed on {{es}} start up logs, or you can refer to [connect clients to {{es}} documentation](docs-content://deploy-manage/security/security-certificates-keys.md#_connect_clients_to_es_5) for other options on retrieving it. If you are providing your own SSL certificate to {{es}} refer to [Filebeat documentation on how to setup SSL](/reference/filebeat/configuration-ssl.md#ssl-client-config).
+
+2. If you plan to use our pre-built {{kib}} dashboards, configure the {{kib}} endpoint. Skip this step if {{kib}} is running on the same host as {{es}}.
+
+    ```yaml
+      setup.kibana:
+        host: "mykibanahost:5601" <1>
+        username: "my_kibana_user" <2> <3>
+        password: "{pwd}"
+    ```
+
+    1. The hostname and port of the machine where {{kib}} is running, for example, `mykibanahost:5601`. If you specify a path after the port number, include the scheme and port: `http://mykibanahost:5601/path`.
+    2. The `username` and `password` settings for {{kib}} are optional. If you don’t specify credentials for {{kib}}, Filebeat uses the `username` and `password` specified for the {{es}} output.
+    3. To use the pre-built {{kib}} dashboards, this user must be authorized to view dashboards or have the `kibana_admin` [built-in role](elasticsearch://reference/elasticsearch/roles.md).
+::::::
+
+:::::::
+To learn more about required roles and privileges, see [*Grant users access to secured resources*](/reference/filebeat/feature-roles.md).
+
+::::{note}
+You can send data to other [outputs](/reference/filebeat/configuring-output.md), such as {{ls}}, but that requires additional configuration and setup.
+::::
+
+
+
+## Step 3: Collect log data [collect-log-data]
+
+There are several ways to collect log data with Filebeat:
+
+* Data collection modules — simplify the collection, parsing, and visualization of common log formats
+* ECS loggers — structure and format application logs into ECS-compatible JSON
+* Manual Filebeat configuration
+
+
+### Enable and configure data collection modules [enable-modules]
+
+1. Identify the modules you need to enable. To see a list of available [modules](/reference/filebeat/filebeat-modules.md), run:
+
+    :::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+    filebeat modules list
+    ```
+::::::
+
+::::::{tab-item} RPM
+```sh
+    filebeat modules list
+    ```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+    ./filebeat modules list
+    ```
+::::::
+
+::::::{tab-item} Linux
+```sh
+    ./filebeat modules list
+    ```
+::::::
+
+::::::{tab-item} Windows
+```sh
+    PS > .\filebeat.exe modules list
+    ```
+::::::
+
+::::::{tab-item} DEB
+```sh
+    filebeat modules enable nginx
+    ```
+::::::
+
+::::::{tab-item} RPM
+```sh
+    filebeat modules enable nginx
+    ```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+    ./filebeat modules enable nginx
+    ```
+::::::
+
+::::::{tab-item} Linux
+```sh
+    ./filebeat modules enable nginx
+    ```
+::::::
+
+::::::{tab-item} Windows
+```sh
+    PS > .\filebeat.exe modules enable nginx
+    ```
+::::::
+
+::::::{tab-item} DEB
+```sh
+    filebeat setup -e
+    ```
+::::::
+
+::::::{tab-item} RPM
+```sh
+    filebeat setup -e
+    ```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+    ./filebeat setup -e
+    ```
+::::::
+
+::::::{tab-item} Linux
+```sh
+    ./filebeat setup -e
+    ```
+::::::
+
+::::::{tab-item} Windows
+```sh
+    PS > .\filebeat.exe setup -e
+    ```
+::::::
+
+::::::{tab-item} DEB
+```sh
+sudo service filebeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Filebeat, you can’t specify command line flags (see [Command reference](/reference/filebeat/command-line-options.md)). To specify flags, start Filebeat in the foreground.
+::::
+
+
+Also see [Filebeat and systemd](/reference/filebeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} RPM
+```sh
+sudo service filebeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Filebeat, you can’t specify command line flags (see [Command reference](/reference/filebeat/command-line-options.md)). To specify flags, start Filebeat in the foreground.
+::::
+
+
+Also see [Filebeat and systemd](/reference/filebeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} MacOS
+```sh
+sudo chown root filebeat.yml <1>
+sudo chown root modules.d/nginx.yml <1>
+sudo ./filebeat -e
+```
+
+1. You’ll be running Filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the `modules.d` directory, or run Filebeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Linux
+```sh
+sudo chown root filebeat.yml <1>
+sudo chown root modules.d/nginx.yml <1>
+sudo ./filebeat -e
+```
+
+1. You’ll be running Filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the `modules.d` directory, or run Filebeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Windows
+```sh
+PS C:\Program Files\filebeat> Start-Service filebeat
+```
+
+By default, Windows log files are stored in `C:\ProgramData\filebeat\Logs`.
+::::::
+
+:::::::
+Filebeat should begin streaming events to {{es}}.
+
+
+## Step 6: View your data in {{kib}} [view-data]
+
+Filebeat comes with pre-built {{kib}} dashboards and UIs for visualizing log data. You loaded the dashboards earlier when you ran the `setup` command.
+
+To open the dashboards:
+
+1. Launch {{kib}}:
+
+    <div class="tabs" data-tab-group="host">
+      <div role="tablist" aria-label="Open Kibana">
+        <button role="tab"
+                aria-selected="true"
+                aria-controls="cloud-tab-open-kibana"
+                id="cloud-open-kibana">
+          Elasticsearch Service
+        </button>
+        <button role="tab"
+                aria-selected="false"
+                aria-controls="self-managed-tab-open-kibana"
+                id="self-managed-open-kibana"
+                tabindex="-1">
+          Self-managed
+        </button>
+      </div>
+      <div tabindex="0"
+           role="tabpanel"
+           id="cloud-tab-open-kibana"
+           aria-labelledby="cloud-open-kibana">
+    1. [Log in](https://cloud.elastic.co/) to your {{ecloud}} account.
+    2. Navigate to the {{kib}} endpoint in your deployment.
+
+      </div>
+      <div tabindex="0"
+           role="tabpanel"
+           id="self-managed-tab-open-kibana"
+           aria-labelledby="self-managed-open-kibana"
+           hidden="">
+    Point your browser to [http://localhost:5601](http://localhost:5601), replacing `localhost` with the name of the {{kib}} host.
+
+      </div>
+    </div>
+
+2. In the side navigation, click **Discover**. To see Filebeat data, make sure the predefined `filebeat-*` data view is selected.
+
+    ::::{tip}
+    If you don’t see data in {{kib}}, try changing the time filter to a larger range. By default, {{kib}} shows the last 15 minutes.
+    ::::
+
+3. In the side navigation, click **Dashboard**, then select the dashboard that you want to open.
+
+The dashboards are provided as examples. We recommend that you [customize](docs-content://explore-analyze/dashboards.md) them to meet your needs.
+
+
+## What’s next? [_whats_next]
+
+Now that you have your logs streaming into {{es}}, learn how to unify your logs, metrics, uptime, and application performance data.
+
+1. Ingest data from other sources by installing and configuring other Elastic {{beats}}:
+
+    | Elastic {{beats}} | To capture |
+    | --- | --- |
+    | [{{metricbeat}}](/reference/metricbeat/metricbeat-installation-configuration.md) | Infrastructure metrics |
+    | [{{winlogbeat}}](/reference/winlogbeat/winlogbeat-installation-configuration.md) | Windows event logs |
+    | [{{heartbeat}}](/reference/heartbeat/heartbeat-installation-configuration.md) | Uptime information |
+    | [APM](docs-content://solutions/observability/apps/application-performance-monitoring-apm.md) | Application performance metrics |
+    | [{{auditbeat}}](/reference/auditbeat/auditbeat-installation-configuration.md) | Audit events |
+
+2. Use the Observability apps in {{kib}} to search across all your data:
+
+    | Elastic apps | Use to |
+    | --- | --- |
+    | [{{metrics-app}}](docs-content://solutions/observability/infra-and-hosts/analyze-infrastructure-host-metrics.md) | Explore metrics about systems and services across your ecosystem |
+    | [{{logs-app}}](docs-content://solutions/observability/logs/explore-logs.md) | Tail related log data in real time |
+    | [{{uptime-app}}](docs-content://solutions/observability/apps/synthetic-monitoring.md#monitoring-uptime) | Monitor availability issues across your apps and services |
+    | [APM app](docs-content://solutions/observability/apps/overviews.md) | Monitor application performance |
+    | [{{siem-app}}](docs-content://solutions/security.md) | Analyze security events |
+
+
diff --git a/docs/reference/filebeat/filebeat-kubernetes-metadata-error-extracting-container-id.md b/docs/reference/filebeat/filebeat-kubernetes-metadata-error-extracting-container-id.md
new file mode 100644
index 000000000000..396e37b6e0d8
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-kubernetes-metadata-error-extracting-container-id.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-kubernetes-metadata-error-extracting-container-id.html
+---
+
+# Error extracting container id while using Kubernetes metadata [filebeat-kubernetes-metadata-error-extracting-container-id]
+
+The `add_kubernetes_metadata` processor might throw the error `Error extracting container id - source value does not contain matcher's logs_path`. There might be some issues with the matchers definitions or the location of `logs_path`. Please verify the Kubernetes pod is healthy.
+
diff --git a/docs/reference/filebeat/filebeat-module-activemq.md b/docs/reference/filebeat/filebeat-module-activemq.md
new file mode 100644
index 000000000000..b53db60ca681
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-activemq.md
@@ -0,0 +1,116 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-activemq.html
+---
+
+# ActiveMQ module [filebeat-module-activemq]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/activemq.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module parses Apache ActiveMQ logs. It supports application and audit logs.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_4]
+
+The module has been tested with ActiveMQ 5.13.0 and 5.15.9. Other versions are expected to work.
+
+
+## Configure the module [configuring-activemq-module]
+
+You can further refine the behavior of the `activemq` module by specifying [variable settings](#activemq-settings) in the `modules.d/activemq.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [activemq-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `activemq` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `activemq.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+The following example shows how to set paths in the `modules.d/activemq.yml` file to override the default paths for ActiveMQ logs:
+
+```yaml
+- module: activemq
+  audit:
+    enabled: true
+    var.paths: ["/path/to/log/activemq/data/audit.log*"]
+  log:
+    enabled: true
+    var.paths: ["/path/to/log/activemq/data/activemq.log*"]
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "activemq.audit.var.paths=[/path/to/log/activemq/data/audit.log*]"
+-M "activemq.log.var.paths=[/path/to/log/activemq/data/activemq.log*]"
+```
+
+
+### `audit` log fileset settings [_audit_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### `log` log fileset settings [_log_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### Time zone support [_time_zone_support]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+## Dashboards [_dashboards]
+
+The ActiveMQ module comes with several predefined dashboards for application and audit logs. For example:
+
+:::{image} images/filebeat-activemq-application-events.png
+:alt: filebeat activemq application events
+:::
+
+:::{image} images/filebeat-activemq-audit-events.png
+:alt: filebeat activemq audit events
+:::
+
+
+## Fields [_fields_3]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-activemq.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-apache.md b/docs/reference/filebeat/filebeat-module-apache.md
new file mode 100644
index 000000000000..78c3ed64a6d1
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-apache.md
@@ -0,0 +1,126 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-apache.html
+---
+
+# Apache module [filebeat-module-apache]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/apache.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `apache` module parses access and error logs created by the [Apache HTTP](https://httpd.apache.org/) server.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_5]
+
+The `apache` module was tested with logs from versions 2.2.22 and 2.4.23.
+
+On Windows, the module was tested with Apache HTTP Server installed from the Chocolatey repository.
+
+
+## Configure the module [configuring-apache-module]
+
+You can further refine the behavior of the `apache` module by specifying [variable settings](#apache-settings) in the `modules.d/apache.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/apache.yml` file to override the default paths for Apache HTTP Server access and error logs:
+
+```yaml
+- module: apache
+  access:
+    enabled: true
+    var.paths: ["/path/to/log/apache/access.log*"]
+  error:
+    enabled: true
+    var.paths: ["/path/to/log/apache/error.log*"]
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "apache.access.var.paths=[/path/to/apache/access.log*]" -M "apache.error.var.paths=[/path/to/log/apache/error.log*]"
+```
+
+
+### Variable settings [apache-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `apache` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `apache.access.var.paths` instead of `access.var.paths`.
+::::
+
+
+
+### `access` log fileset settings [_access_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### `error` log fileset settings [_error_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### Time zone support [_time_zone_support_2]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+## Virtual Host [_virtual_host]
+
+See customlog documentation  [https://httpd.apache.org/docs/2.4/en/mod/mod_log_config.html](https://httpd.apache.org/docs/2.4/en/mod/mod_log_config.html) Add %v config in httpd.conf in log section
+
+```sh
+    # Replace
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    # By
+    LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+```
+
+
+## Example dashboard [_example_dashboard]
+
+This module comes with a sample dashboard. For example:
+
+:::{image} images/kibana-apache.png
+:alt: kibana apache
+:class: screenshot
+:::
+
+
+## Fields [_fields_4]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-apache.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-auditd.md b/docs/reference/filebeat/filebeat-module-auditd.md
new file mode 100644
index 000000000000..1f4046a9ea78
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-auditd.md
@@ -0,0 +1,99 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-auditd.html
+---
+
+# Auditd module [filebeat-module-auditd]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/auditd.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `auditd` module collects and parses logs from the audit daemon (`auditd`).
+
+::::{note}
+Although Filebeat is able to parse logs by using the `auditd` module, [{{auditbeat}}](/reference/auditbeat/auditbeat-module-auditd.md) offers more advanced features for monitoring audit logs.
+::::
+
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_6]
+
+The `auditd` module was tested with logs from `auditd` on OSes like CentOS 6 and CentOS 7.
+
+This module is not available for Windows.
+
+
+## Configure the module [configuring-auditd-module]
+
+You can further refine the behavior of the `auditd` module by specifying [variable settings](#auditd-settings) in the `modules.d/auditd.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/auditd.yml` file to override the default paths for logs:
+
+```yaml
+- module: auditd
+  log:
+    enabled: true
+    var.paths: ["/path/to/log/audit/audit.log*"]
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "auditd.log.var.paths=[/path/to/log/audit/audit.log*]"
+```
+
+
+### Variable settings [auditd-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `auditd` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `auditd.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` fileset settings [_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+## Example dashboard [_example_dashboard_2]
+
+This module comes with a sample dashboard showing an overview of the audit log data. You can build more specific dashboards that are tailored to the audit rules that you use on your systems.
+
+:::{image} images/kibana-audit-auditd.png
+:alt: kibana audit auditd
+:class: screenshot
+:::
+
+
+## Fields [_fields_5]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-auditd.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-aws.md b/docs/reference/filebeat/filebeat-module-aws.md
new file mode 100644
index 000000000000..b882279043d3
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-aws.md
@@ -0,0 +1,525 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-aws.html
+---
+
+# AWS module [filebeat-module-aws]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/aws.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for aws logs. It uses filebeat s3 input to get log files from AWS S3 buckets with SQS notification or directly polling list of S3 objects in an S3 bucket. The use of SQS notification is preferred: polling list of S3 objects is expensive in terms of performance and costs, and cannot scale horizontally without ingestion duplication, and should be preferably used only when no SQS notification can be attached to the S3 buckets.
+
+This module supports reading S3 server access logs with `s3access` fileset, ELB access logs with `elb` fileset, VPC flow logs with `vpcflow` fileset, and CloudTrail logs with `cloudtrail` fileset.
+
+Access logs contain detailed information about the requests made to these services. VPC flow logs captures information about the IP traffic going to and from network interfaces in AWS VPC. ELB access logs captures detailed information about requests sent to the load balancer. CloudTrail logs contain events that represent actions taken by a user, role or AWS service.
+
+The `aws` module requires AWS credentials configuration in order to make AWS API calls. Users can either use `access_key_id`, `secret_access_key` and/or `session_token`, or use `role_arn` AWS IAM role, or use shared AWS credentials file.
+
+Users may use `external_id` to support assuming a role in another account, see [the AWS documentation for use of external IDs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html).
+
+Please see [AWS credentials options](#aws-credentials-options) for more details.
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Module configuration [_module_configuration]
+
+Example config:
+
+```yaml
+- module: aws
+  cloudtrail:
+    enabled: false
+    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
+    #var.bucket_arn: 'arn:aws:s3:::mybucket'
+    #var.bucket_list_prefix: 'prefix'
+    #var.bucket_list_interval: 300s
+    #var.number_of_workers: 5
+    #var.shared_credential_file: /etc/filebeat/aws_credentials
+    #var.credential_profile_name: fb-aws
+    #var.access_key_id: access_key_id
+    #var.secret_access_key: secret_access_key
+    #var.session_token: session_token
+    #var.visibility_timeout: 300s
+    #var.api_timeout: 120s
+    #var.endpoint: amazonaws.com
+    #var.default_region: us-east-1
+    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
+    #var.proxy_url: http://proxy:8080
+
+  cloudwatch:
+    enabled: false
+    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
+    #var.bucket_arn: 'arn:aws:s3:::mybucket'
+    #var.bucket_list_prefix: 'prefix'
+    #var.bucket_list_interval: 300s
+    #var.number_of_workers: 5
+    #var.shared_credential_file: /etc/filebeat/aws_credentials
+    #var.credential_profile_name: fb-aws
+    #var.access_key_id: access_key_id
+    #var.secret_access_key: secret_access_key
+    #var.session_token: session_token
+    #var.visibility_timeout: 300s
+    #var.api_timeout: 120s
+    #var.endpoint: amazonaws.com
+    #var.default_region: us-east-1
+    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
+    #var.proxy_url: http://proxy:8080
+
+  ec2:
+    enabled: false
+    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
+    #var.bucket_arn: 'arn:aws:s3:::mybucket'
+    #var.bucket_list_prefix: 'prefix'
+    #var.bucket_list_interval: 300s
+    #var.number_of_workers: 5
+    #var.shared_credential_file: /etc/filebeat/aws_credentials
+    #var.credential_profile_name: fb-aws
+    #var.access_key_id: access_key_id
+    #var.secret_access_key: secret_access_key
+    #var.session_token: session_token
+    #var.visibility_timeout: 300s
+    #var.api_timeout: 120s
+    #var.endpoint: amazonaws.com
+    #var.default_region: us-east-1
+    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
+    #var.proxy_url: http://proxy:8080
+
+  elb:
+    enabled: false
+    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
+    #var.bucket_arn: 'arn:aws:s3:::mybucket'
+    #var.bucket_list_prefix: 'prefix'
+    #var.bucket_list_interval: 300s
+    #var.number_of_workers: 5
+    #var.shared_credential_file: /etc/filebeat/aws_credentials
+    #var.credential_profile_name: fb-aws
+    #var.access_key_id: access_key_id
+    #var.secret_access_key: secret_access_key
+    #var.session_token: session_token
+    #var.visibility_timeout: 300s
+    #var.api_timeout: 120s
+    #var.endpoint: amazonaws.com
+    #var.default_region: us-east-1
+    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
+    #var.proxy_url: http://proxy:8080
+
+  s3access:
+    enabled: false
+    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
+    #var.bucket_arn: 'arn:aws:s3:::mybucket'
+    #var.bucket_list_prefix: 'prefix'
+    #var.bucket_list_interval: 300s
+    #var.number_of_workers: 5
+    #var.shared_credential_file: /etc/filebeat/aws_credentials
+    #var.credential_profile_name: fb-aws
+    #var.access_key_id: access_key_id
+    #var.secret_access_key: secret_access_key
+    #var.session_token: session_token
+    #var.visibility_timeout: 300s
+    #var.api_timeout: 120s
+    #var.endpoint: amazonaws.com
+    #var.default_region: us-east-1
+    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
+    #var.proxy_url: http://proxy:8080
+
+  vpcflow:
+    enabled: false
+    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
+    #var.bucket_arn: 'arn:aws:s3:::mybucket'
+    #var.bucket_list_prefix: 'prefix'
+    #var.bucket_list_interval: 300s
+    #var.number_of_workers: 5
+    #var.shared_credential_file: /etc/filebeat/aws_credentials
+    #var.credential_profile_name: fb-aws
+    #var.access_key_id: access_key_id
+    #var.secret_access_key: secret_access_key
+    #var.session_token: session_token
+    #var.visibility_timeout: 300s
+    #var.api_timeout: 120s
+    #var.endpoint: amazonaws.com
+    #var.default_region: us-east-1
+    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
+    #var.proxy_url: http://proxy:8080
+```
+
+**`var.queue_url`**
+:   AWS SQS queue url (Required when `var.bucket_arn` is not set).
+
+**`var.visibility_timeout`**
+:   The duration that the received messages are hidden from ReceiveMessage request. Default to be 300 seconds.
+
+**`var.api_timeout`**
+:   The maximum duration of the AWS API call. If it exceeds the timeout, the AWS API call will be interrupted. The default AWS API timeout is `120s`.
+
+The API timeout must be longer than the `sqs.wait_time` value.
+
+**`var.bucket_arn`**
+:   AWS S3 bucket ARN (Required when `var.queue_url` is not set).
+
+**`var.number_of_workers`**
+:   Number of workers that will process the S3 objects listed (Required when `var.bucket_arn` is set). Use to vertically scale the input.
+
+**`var.bucket_list_interval`**
+:   Wait interval between completion of a list request to the S3 bucket and beginning of the next one. Default to be 120 seconds.
+
+**`var.bucket_list_prefix`**
+:   Prefix to apply for the list request to the S3 bucket. Default empty.
+
+**`var.endpoint`**
+:   Custom endpoint used to access AWS APIs.
+
+**`var.default_region`**
+:   Default region to query if no other region is set.
+
+**`var.shared_credential_file`**
+:   Filename of AWS credential file.
+
+**`var.credential_profile_name`**
+:   AWS credential profile name.
+
+**`var.access_key_id`**
+:   First part of access key.
+
+**`var.secret_access_key`**
+:   Second part of access key.
+
+**`var.session_token`**
+:   Required when using temporary security credentials.
+
+**`var.role_arn`**
+:   AWS IAM Role to assume.
+
+
+## config behaviour [_config_behaviour]
+
+Beware that in case both `var.queue_url` and `var.bucket_arn` are not set instead of failing to start Filebeat with a config validation error, only the specific fileset input will be stopped and a warning printed:
+
+```
+2021-08-26T14:33:03.661-0600 WARN [aws-s3] awss3/config.go:54 neither queue_url nor bucket_arn were provided, input aws-s3 will stop
+2021-08-26T14:33:10.668-0600 INFO [input.aws-s3] compat/compat.go:111 Input aws-s3 starting {"id": "29F3565F5B2A7070"}
+2021-08-26T14:33:10.668-0600 INFO [input.aws-s3] compat/compat.go:124 Input 'aws-s3' stopped {"id": "29F3565F5B2A7070"}
+```
+
+This behaviour is required in order to reduce destruction of existing Filebeat setup where not all AWS module’s filesets are defined and will change in next major release.
+
+Setting `enabled: false` in the unused fileset will silence the warning and it is the suggested setup. For example (assuming `cloudtrail` as unused fileset):
+
+```
+- module: aws
+  cloudtrail:
+    enabled: false
+```
+
+
+## cloudtrail fileset [_cloudtrail_fileset]
+
+CloudTrail monitors events for the account. If user creates a trail, it delivers those events as log files to a specific Amazon S3 bucket. The `cloudtrail` fileset does not read the CloudTrail Digest files that are delivered to the S3 bucket when Log File Integrity is turned on, it only reads the CloudTrail logs.
+
+:::{image} images/filebeat-aws-cloudtrail.png
+:alt: filebeat aws cloudtrail
+:class: screenshot
+:::
+
+
+## cloudwatch fileset [_cloudwatch_fileset]
+
+Users can use Amazon CloudWatch Logs to monitor, store, and access log files from different sources. Export logs from log groups to an Amazon S3 bucket which has SQS notification setup already. This fileset will parse these logs into `timestamp` and `message` field.
+
+
+## ec2 fileset [_ec2_fileset]
+
+This fileset is specifically for EC2 logs stored in AWS CloudWatch. Export logs from log groups to Amazon S3 bucket which has SQS notification setup already. With this fileset, EC2 logs will be parsed into fields like  `ip` and `program_name`. For logs from other services, please use `cloudwatch` fileset.
+
+
+## elb fileset [_elb_fileset]
+
+Elastic Load Balancing provides access logs that capture detailed information about requests sent to the load balancer. Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses. Users can use these access logs to analyze traffic patterns and to troubleshoot issues.
+
+Please follow [enable access logs for classic load balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html) for sending Classic ELB access logs to S3 bucket. For application load balancer, please follow [enable access log for application load balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging). For network load balancer, please follow [enable access log for network load balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest//network/load-balancer-access-logs.html).
+
+This fileset comes with a predefined dashboard:
+
+:::{image} images/filebeat-aws-elb-overview.png
+:alt: filebeat aws elb overview
+:class: screenshot
+:::
+
+
+## s3access fileset [_s3access_fileset]
+
+Server access logging provides detailed records for the requests that are made to a bucket. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits. It can also help you learn about customer base and understand Amazon S3 bill.
+
+Please follow [how to enable server access logging](https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html#server-access-logging-overview) for sending server access logs to S3 bucket.
+
+This fileset comes with a predefined dashboard:
+
+:::{image} images/filebeat-aws-s3access-overview.png
+:alt: filebeat aws s3access overview
+:class: screenshot
+:::
+
+
+## vpcflow fileset [_vpcflow_fileset]
+
+VPC Flow Logs is a feature in AWS that enables users to capture information about the IP traffic going to and from network interfaces in VPC. Flow log data needs to be published to Amazon S3 in order for `vpcflow` fileset to retrieve. Flow logs can help users to monitor traffic that is reaching each instance and determine the direction of the traffic to and from the network interfaces.
+
+This fileset comes with a predefined dashboard:
+
+:::{image} images/filebeat-aws-vpcflow-overview.png
+:alt: filebeat aws vpcflow overview
+:class: screenshot
+:::
+
+
+## AWS Credentials Configuration [aws-credentials-options]
+
+To configure AWS credentials, either put the credentials into the Filebeat configuration, or use a shared credentials file, as shown in the following examples.
+
+
+### Configuration parameters [_configuration_parameters_2]
+
+* **access_key_id**: first part of access key.
+* **secret_access_key**: second part of access key.
+* **session_token**: required when using temporary security credentials.
+* **credential_profile_name**: profile name in shared credentials file.
+* **shared_credential_file**: directory of the shared credentials file.
+* **role_arn**: AWS IAM Role to assume.
+* **external_id**: external ID to use when assuming a role in another account, see [the AWS documentation for use of external IDs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html).
+* **proxy_url**: URL of the proxy to use to connect to AWS web services. The syntax is `http(s)://<IP/Hostname>:<port>`
+* **fips_enabled**: Enabling this option instructs Filebeat to use the FIPS endpoint of a service. All services used by Filebeat are FIPS compatible except for `tagging` but only certain regions are FIPS compatible. See [https://aws.amazon.com/compliance/fips/](https://aws.amazon.com/compliance/fips/) or the appropriate service page, [https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html](https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html), for a full list of FIPS endpoints and regions.
+* **ssl**: This specifies SSL/TLS configuration. If the ssl section is missing, the host’s CAs are used for HTTPS connections. See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+* **default_region**: Default region to query if no other region is set. Most AWS services offer a regional endpoint that can be used to make requests. Some services, such as IAM, do not support regions. If a region is not provided by any other way (environment variable, credential or instance profile), the value set here will be used.
+* **assume_role.duration**: The duration of the requested assume role session. Defaults to 15m when not set. AWS allows a maximum session duration between 1h and 12h depending on your maximum session duration policies.
+* **assume_role.expiry_window**: The expiry_window will allow refreshing the session prior to its expiration. This is beneficial to prevent expiring tokens from causing requests to fail with an ExpiredTokenException.
+
+
+### Supported Formats [_supported_formats_2]
+
+::::{note}
+The examples in this section refer to Metricbeat, but the credential options for authentication with AWS are the same no matter which Beat is being used.
+::::
+
+
+* Use `access_key_id`, `secret_access_key`, and/or `session_token`
+
+Users can either put the credentials into the Metricbeat module configuration or use environment variable `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and/or `AWS_SESSION_TOKEN` instead.
+
+If running on Docker, these environment variables should be added as a part of the docker command. For example, with Metricbeat:
+
+```bash
+$ docker run -e AWS_ACCESS_KEY_ID=abcd -e AWS_SECRET_ACCESS_KEY=abcd -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
+```
+
+Sample `metricbeat.aws.yml` looks like:
+
+```yaml
+metricbeat.modules:
+- module: aws
+  period: 5m
+  access_key_id: ${AWS_ACCESS_KEY_ID}
+  secret_access_key: ${AWS_SECRET_ACCESS_KEY}
+  session_token: ${AWS_SESSION_TOKEN}
+  metricsets:
+    - ec2
+```
+
+Environment variables can also be added through a file. For example:
+
+```bash
+$ cat env.list
+AWS_ACCESS_KEY_ID=abcd
+AWS_SECRET_ACCESS_KEY=abcd
+
+$ docker run --env-file env.list -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
+```
+
+* Use `credential_profile_name` and/or `shared_credential_file`
+
+If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then filebeat will check for `credential_profile_name`. If you use different credentials for different tools or applications, you can use profiles to configure multiple access keys in the same configuration file. If there is no `credential_profile_name` given, the default profile will be used.
+
+`shared_credential_file` is optional to specify the directory of your shared credentials file. If it’s empty, the default directory will be used. In Windows, shared credentials file is at `C:\Users\<yourUserName>\.aws\credentials`. For Linux, macOS or Unix, the file is located at `~/.aws/credentials`. When running as a service, the home path depends on the user that manages the service, so the `shared_credential_file` parameter can be used to avoid ambiguity. Please see [Create Shared Credentials File](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.md) for more details.
+
+* Use `role_arn`
+
+`role_arn` is used to specify which AWS IAM role to assume for generating temporary credentials. If `role_arn` is given, filebeat will check if access keys are given. If not, filebeat will check for credential profile name. If neither is given, default credential profile will be used. Please make sure credentials are given under either a credential profile or access keys.
+
+If running on Docker, the credential file needs to be provided via a volume mount. For example, with Metricbeat:
+
+```bash
+docker run -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" --volume="/Users/foo/.aws/credentials:/usr/share/metricbeat/credentials:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
+```
+
+Sample `metricbeat.aws.yml` looks like:
+
+```yaml
+metricbeat.modules:
+- module: aws
+  period: 5m
+  credential_profile_name: elastic-beats
+  shared_credential_file: /usr/share/metricbeat/credentials
+  metricsets:
+    - ec2
+```
+
+* Use AWS credentials in Filebeat configuration
+
+    ```yaml
+    filebeat.inputs:
+    - type: aws-s3
+      queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
+      access_key_id: '<access_key_id>'
+      secret_access_key: '<secret_access_key>'
+      session_token: '<session_token>'
+    ```
+
+    or
+
+    ```yaml
+    filebeat.inputs:
+    - type: aws-s3
+      queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
+      access_key_id: '${AWS_ACCESS_KEY_ID:""}'
+      secret_access_key: '${AWS_SECRET_ACCESS_KEY:""}'
+      session_token: '${AWS_SESSION_TOKEN:""}'
+    ```
+
+* Use IAM role ARN
+
+    ```yaml
+    filebeat.inputs:
+    - type: aws-s3
+      queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
+      role_arn: arn:aws:iam::123456789012:role/test-mb
+    ```
+
+* Use shared AWS credentials file
+
+    ```yaml
+    filebeat.inputs:
+    - type: aws-s3
+      queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
+      credential_profile_name: test-fb
+    ```
+
+
+
+### AWS Credentials Types [_aws_credentials_types_2]
+
+There are two different types of AWS credentials can be used: access keys and temporary security credentials.
+
+* Access keys
+
+`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the two parts of access keys. They are long-term credentials for an IAM user or the AWS account root user. Please see [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) for more details.
+
+* IAM role ARN
+
+An IAM role is an IAM identity that you can create in your account that has specific permissions that determine what the identity can and cannot do in AWS. A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate temporary credentials. Please see [AssumeRole API documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) for more details.
+
+Here are the steps to set up IAM role using AWS CLI for Metricbeat. Please replace `123456789012` with your own account ID.
+
+Step 1. Create `example-policy.json` file to include all permissions:
+
+```yaml
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "sqs:ReceiveMessage"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "VisualEditor1",
+            "Effect": "Allow",
+            "Action": "sqs:ChangeMessageVisibility",
+            "Resource": "arn:aws:sqs:us-east-1:123456789012:test-fb-ks"
+        },
+        {
+            "Sid": "VisualEditor2",
+            "Effect": "Allow",
+            "Action": "sqs:DeleteMessage",
+            "Resource": "arn:aws:sqs:us-east-1:123456789012:test-fb-ks"
+        },
+        {
+            "Sid": "VisualEditor3",
+            "Effect": "Allow",
+            "Action": [
+                "sts:AssumeRole",
+                "sqs:ListQueues",
+                "tag:GetResources",
+                "ec2:DescribeInstances",
+                "cloudwatch:GetMetricData",
+                "ec2:DescribeRegions",
+                "iam:ListAccountAliases",
+                "sts:GetCallerIdentity",
+                "cloudwatch:ListMetrics"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
+Step 2. Create IAM policy using the `aws iam create-policy` command:
+
+```bash
+$ aws iam create-policy --policy-name example-policy --policy-document file://example-policy.json
+```
+
+Step 3. Create the JSON file `example-role-trust-policy.json` that defines the trust relationship of the IAM role
+
+```yaml
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
+        "Action": "sts:AssumeRole"
+    }
+}
+```
+
+Step 4. Create the IAM role and attach the policy:
+
+```bash
+$ aws iam create-role --role-name example-role --assume-role-policy-document file://example-role-trust-policy.json
+$ aws iam attach-role-policy --role-name example-role --policy-arn "arn:aws:iam::123456789012:policy/example-policy"
+```
+
+After these steps are done, IAM role ARN can be used for authentication in Metricbeat `aws` module.
+
+* Temporary security credentials
+
+Temporary security credentials has a limited lifetime and consists of an access key ID, a secret access key, and a security token which typically returned from `GetSessionToken`. MFA-enabled IAM users would need to submit an MFA code while calling `GetSessionToken`. Please see [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) for more details. `sts get-session-token` AWS CLI can be used to generate temporary credentials. For example. with MFA-enabled:
+
+```bash
+aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --token-code 456789 --duration-seconds 129600
+```
+
+Because temporary security credentials are short term, after they expire, the user needs to generate new ones and modify the aws.yml config file with the new credentials. Unless [live reloading](/reference/metricbeat/_live_reloading.md) feature is enabled for Metricbeat, the user needs to manually restart Metricbeat after updating the config file in order to continue collecting Cloudwatch metrics. This will cause data loss if the config file is not updated with new credentials before the old ones expire. For Metricbeat, we recommend users to use access keys in config file to enable aws module making AWS api calls without have to generate new temporary credentials and update the config frequently.
+
+IAM policy is an entity that defines permissions to an object within your AWS environment. Specific permissions needs to be added into the IAM user’s policy to authorize Metricbeat to collect AWS monitoring metrics. Please see documentation under each metricset for required permissions.
+
+
+## Fields [_fields_6]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-aws.md) section.
+
diff --git a/docs/reference/filebeat/filebeat-module-awsfargate.md b/docs/reference/filebeat/filebeat-module-awsfargate.md
new file mode 100644
index 000000000000..ca3f454f333b
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-awsfargate.md
@@ -0,0 +1,333 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-awsfargate.html
+---
+
+# AWS Fargate module [filebeat-module-awsfargate]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This module can be used to collect container logs from Amazon ECS on Fargate. It uses filebeat `awscloudwatch` input to get log files from one or more log streams in AWS CloudWatch. Logs from all containers in Fargate launch type tasks can be sent to CloudWatch by adding the `awslogs` log driver under `logConfiguration` section in the task definition. For example, `logConfiguration` can be added into the task definition by adding this section into the `containerDefinitions`:
+
+```json
+{
+   "logDriver":"awslogs",
+   "options":{
+      "awslogs-group":"awslogs-wordpress",
+      "awslogs-region":"us-west-2",
+      "awslogs-stream-prefix":"awslogs-example"
+   }
+}
+```
+
+The `awsfargate` module requires AWS credentials configuration in order to make AWS API calls. Users can either use `access_key_id`, `secret_access_key` and/or `session_token`, or use `role_arn` AWS IAM role, or use shared AWS credentials file.
+
+Please see [AWS credentials options](#awsfargate-credentials) for more details.
+
+
+## Module configuration [_module_configuration_2]
+
+Example config:
+
+```yaml
+- module: awsfargate
+  log:
+    enabled: true
+    var.credential_profile_name: test-filebeat
+    var.log_group_arn: arn:aws:logs:us-east-1:1234567890:log-group:/ecs/test-log-group:*
+```
+
+**`var.log_group_arn`**
+:   ARN of the log group to collect logs from.
+
+**`var.log_group_name`**
+:   Name of the log group to collect logs from. Note: region_name is required when log_group_name is given.
+
+**`var.region_name`**
+:   Region that the specified log group belongs to.
+
+**`var.log_streams`**
+:   A list of strings of log streams names that Filebeat collect log events from.
+
+**`var.log_stream_prefix`**
+:   A string to filter the results to include only log events from log streams that have names starting with this prefix.
+
+**`var.start_position`**
+:   `start_position` allows user to specify if this input should read log files from the `beginning` or from the `end`.
+
+    * `beginning`: reads from the beginning of the log group (default).
+    * `end`: read only new messages from current time minus `scan_frequency` going forward
+
+
+**`var.scan_frequency`**
+:   This config parameter sets how often Filebeat checks for new log events from the specified log group. Default `scan_frequency` is 1 minute, which means Filebeat will sleep for 1 minute before querying for new logs again.
+
+**`var.api_timeout`**
+:   The maximum duration of AWS API can take. If it exceeds the timeout, AWS API will be interrupted. The default AWS API timeout for a message is 120 seconds. The minimum is 0 seconds.
+
+**`var.api_sleep`**
+:   This is used to sleep between AWS `FilterLogEvents` API calls inside the same collection period. `FilterLogEvents` API has a quota of 5 transactions per second (TPS)/account/Region. By default, `api_sleep` is 200 ms. This value should only be adjusted when there are multiple Filebeats or multiple Filebeat inputs collecting logs from the same region and AWS account.
+
+**`var.shared_credential_file`**
+:   Filename of AWS credential file.
+
+**`var.credential_profile_name`**
+:   AWS credential profile name.
+
+**`var.access_key_id`**
+:   First part of access key.
+
+**`var.secret_access_key`**
+:   Second part of access key.
+
+**`var.session_token`**
+:   Required when using temporary security credentials.
+
+**`var.role_arn`**
+:   AWS IAM Role to assume.
+
+**`var.endpoint`**
+:   The custom endpoint used to access AWS APIs.
+
+
+## AWS Credentials Configuration [awsfargate-credentials]
+
+To configure AWS credentials, either put the credentials into the Filebeat configuration, or use a shared credentials file, as shown in the following examples.
+
+
+### Configuration parameters [_configuration_parameters_3]
+
+* **access_key_id**: first part of access key.
+* **secret_access_key**: second part of access key.
+* **session_token**: required when using temporary security credentials.
+* **credential_profile_name**: profile name in shared credentials file.
+* **shared_credential_file**: directory of the shared credentials file.
+* **role_arn**: AWS IAM Role to assume.
+* **external_id**: external ID to use when assuming a role in another account, see [the AWS documentation for use of external IDs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html).
+* **proxy_url**: URL of the proxy to use to connect to AWS web services. The syntax is `http(s)://<IP/Hostname>:<port>`
+* **fips_enabled**: Enabling this option instructs Filebeat to use the FIPS endpoint of a service. All services used by Filebeat are FIPS compatible except for `tagging` but only certain regions are FIPS compatible. See [https://aws.amazon.com/compliance/fips/](https://aws.amazon.com/compliance/fips/) or the appropriate service page, [https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html](https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html), for a full list of FIPS endpoints and regions.
+* **ssl**: This specifies SSL/TLS configuration. If the ssl section is missing, the host’s CAs are used for HTTPS connections. See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+* **default_region**: Default region to query if no other region is set. Most AWS services offer a regional endpoint that can be used to make requests. Some services, such as IAM, do not support regions. If a region is not provided by any other way (environment variable, credential or instance profile), the value set here will be used.
+* **assume_role.duration**: The duration of the requested assume role session. Defaults to 15m when not set. AWS allows a maximum session duration between 1h and 12h depending on your maximum session duration policies.
+* **assume_role.expiry_window**: The expiry_window will allow refreshing the session prior to its expiration. This is beneficial to prevent expiring tokens from causing requests to fail with an ExpiredTokenException.
+
+
+### Supported Formats [_supported_formats_3]
+
+::::{note}
+The examples in this section refer to Metricbeat, but the credential options for authentication with AWS are the same no matter which Beat is being used.
+::::
+
+
+* Use `access_key_id`, `secret_access_key`, and/or `session_token`
+
+Users can either put the credentials into the Metricbeat module configuration or use environment variable `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and/or `AWS_SESSION_TOKEN` instead.
+
+If running on Docker, these environment variables should be added as a part of the docker command. For example, with Metricbeat:
+
+```bash
+$ docker run -e AWS_ACCESS_KEY_ID=abcd -e AWS_SECRET_ACCESS_KEY=abcd -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
+```
+
+Sample `metricbeat.aws.yml` looks like:
+
+```yaml
+metricbeat.modules:
+- module: aws
+  period: 5m
+  access_key_id: ${AWS_ACCESS_KEY_ID}
+  secret_access_key: ${AWS_SECRET_ACCESS_KEY}
+  session_token: ${AWS_SESSION_TOKEN}
+  metricsets:
+    - ec2
+```
+
+Environment variables can also be added through a file. For example:
+
+```bash
+$ cat env.list
+AWS_ACCESS_KEY_ID=abcd
+AWS_SECRET_ACCESS_KEY=abcd
+
+$ docker run --env-file env.list -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
+```
+
+* Use `credential_profile_name` and/or `shared_credential_file`
+
+If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then filebeat will check for `credential_profile_name`. If you use different credentials for different tools or applications, you can use profiles to configure multiple access keys in the same configuration file. If there is no `credential_profile_name` given, the default profile will be used.
+
+`shared_credential_file` is optional to specify the directory of your shared credentials file. If it’s empty, the default directory will be used. In Windows, shared credentials file is at `C:\Users\<yourUserName>\.aws\credentials`. For Linux, macOS or Unix, the file is located at `~/.aws/credentials`. When running as a service, the home path depends on the user that manages the service, so the `shared_credential_file` parameter can be used to avoid ambiguity. Please see [Create Shared Credentials File](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.md) for more details.
+
+* Use `role_arn`
+
+`role_arn` is used to specify which AWS IAM role to assume for generating temporary credentials. If `role_arn` is given, filebeat will check if access keys are given. If not, filebeat will check for credential profile name. If neither is given, default credential profile will be used. Please make sure credentials are given under either a credential profile or access keys.
+
+If running on Docker, the credential file needs to be provided via a volume mount. For example, with Metricbeat:
+
+```bash
+docker run -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" --volume="/Users/foo/.aws/credentials:/usr/share/metricbeat/credentials:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
+```
+
+Sample `metricbeat.aws.yml` looks like:
+
+```yaml
+metricbeat.modules:
+- module: aws
+  period: 5m
+  credential_profile_name: elastic-beats
+  shared_credential_file: /usr/share/metricbeat/credentials
+  metricsets:
+    - ec2
+```
+
+* Use AWS credentials in Filebeat configuration
+
+    ```yaml
+    filebeat.inputs:
+    - type: aws-s3
+      queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
+      access_key_id: '<access_key_id>'
+      secret_access_key: '<secret_access_key>'
+      session_token: '<session_token>'
+    ```
+
+    or
+
+    ```yaml
+    filebeat.inputs:
+    - type: aws-s3
+      queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
+      access_key_id: '${AWS_ACCESS_KEY_ID:""}'
+      secret_access_key: '${AWS_SECRET_ACCESS_KEY:""}'
+      session_token: '${AWS_SESSION_TOKEN:""}'
+    ```
+
+* Use IAM role ARN
+
+    ```yaml
+    filebeat.inputs:
+    - type: aws-s3
+      queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
+      role_arn: arn:aws:iam::123456789012:role/test-mb
+    ```
+
+* Use shared AWS credentials file
+
+    ```yaml
+    filebeat.inputs:
+    - type: aws-s3
+      queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
+      credential_profile_name: test-fb
+    ```
+
+
+
+### AWS Credentials Types [_aws_credentials_types_3]
+
+There are two different types of AWS credentials can be used: access keys and temporary security credentials.
+
+* Access keys
+
+`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the two parts of access keys. They are long-term credentials for an IAM user or the AWS account root user. Please see [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) for more details.
+
+* IAM role ARN
+
+An IAM role is an IAM identity that you can create in your account that has specific permissions that determine what the identity can and cannot do in AWS. A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate temporary credentials. Please see [AssumeRole API documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) for more details.
+
+Here are the steps to set up IAM role using AWS CLI for Metricbeat. Please replace `123456789012` with your own account ID.
+
+Step 1. Create `example-policy.json` file to include all permissions:
+
+```yaml
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "sqs:ReceiveMessage"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "VisualEditor1",
+            "Effect": "Allow",
+            "Action": "sqs:ChangeMessageVisibility",
+            "Resource": "arn:aws:sqs:us-east-1:123456789012:test-fb-ks"
+        },
+        {
+            "Sid": "VisualEditor2",
+            "Effect": "Allow",
+            "Action": "sqs:DeleteMessage",
+            "Resource": "arn:aws:sqs:us-east-1:123456789012:test-fb-ks"
+        },
+        {
+            "Sid": "VisualEditor3",
+            "Effect": "Allow",
+            "Action": [
+                "sts:AssumeRole",
+                "sqs:ListQueues",
+                "tag:GetResources",
+                "ec2:DescribeInstances",
+                "cloudwatch:GetMetricData",
+                "ec2:DescribeRegions",
+                "iam:ListAccountAliases",
+                "sts:GetCallerIdentity",
+                "cloudwatch:ListMetrics"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
+Step 2. Create IAM policy using the `aws iam create-policy` command:
+
+```bash
+$ aws iam create-policy --policy-name example-policy --policy-document file://example-policy.json
+```
+
+Step 3. Create the JSON file `example-role-trust-policy.json` that defines the trust relationship of the IAM role
+
+```yaml
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
+        "Action": "sts:AssumeRole"
+    }
+}
+```
+
+Step 4. Create the IAM role and attach the policy:
+
+```bash
+$ aws iam create-role --role-name example-role --assume-role-policy-document file://example-role-trust-policy.json
+$ aws iam attach-role-policy --role-name example-role --policy-arn "arn:aws:iam::123456789012:policy/example-policy"
+```
+
+After these steps are done, IAM role ARN can be used for authentication in Metricbeat `aws` module.
+
+* Temporary security credentials
+
+Temporary security credentials has a limited lifetime and consists of an access key ID, a secret access key, and a security token which typically returned from `GetSessionToken`. MFA-enabled IAM users would need to submit an MFA code while calling `GetSessionToken`. Please see [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) for more details. `sts get-session-token` AWS CLI can be used to generate temporary credentials. For example. with MFA-enabled:
+
+```bash
+aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --token-code 456789 --duration-seconds 129600
+```
+
+Because temporary security credentials are short term, after they expire, the user needs to generate new ones and modify the aws.yml config file with the new credentials. Unless [live reloading](/reference/metricbeat/_live_reloading.md) feature is enabled for Metricbeat, the user needs to manually restart Metricbeat after updating the config file in order to continue collecting Cloudwatch metrics. This will cause data loss if the config file is not updated with new credentials before the old ones expire. For Metricbeat, we recommend users to use access keys in config file to enable aws module making AWS api calls without have to generate new temporary credentials and update the config frequently.
+
+IAM policy is an entity that defines permissions to an object within your AWS environment. Specific permissions needs to be added into the IAM user’s policy to authorize Metricbeat to collect AWS monitoring metrics. Please see documentation under each metricset for required permissions.
+
+
+## Fields [_fields_7]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-awsfargate.md) section.
+
diff --git a/docs/reference/filebeat/filebeat-module-azure.md b/docs/reference/filebeat/filebeat-module-azure.md
new file mode 100644
index 000000000000..2b2f93395d61
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-azure.md
@@ -0,0 +1,130 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-azure.html
+---
+
+# Azure module [filebeat-module-azure]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/azure.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The azure module retrieves different types of log data from Azure. There are several requirements before using the module since the logs will actually be read from azure event hubs.
+
+* the logs have to be exported first to the event hubs [https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-create-kafka-enabled](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-create-kafka-enabled)
+* to export activity logs to event hubs users can follow the steps here [https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-export](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-export)
+* to export audit and sign-in logs to event hubs users can follow the steps here [https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub](https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub)
+
+The module contains the following filesets:
+
+`activitylogs`
+:   Will retrieve azure activity logs. Control-plane events on Azure Resource Manager resources. Activity logs provide insight into the operations that were performed on resources in your subscription. To learn more, refer to the [Azure Activity log](https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log) documentation.
+
+`platformlogs`
+:   Will retrieve azure platform logs. Platform logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. To learn more, refer to the [Azure platform logs](https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/platform-logs-overview) documentation.
+
+`signinlogs`
+:   Will retrieve azure Active Directory sign-in logs. The sign-ins report provides information about the usage of managed applications and user sign-in activities. To learn more, refer to the [Azure sign-in logs](https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins) documentation.
+
+`auditlogs`
+:   Will retrieve azure Active Directory audit logs. The audit logs provide traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies. To learn more, refer to the [Azure audit logs](https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs) documentation.
+
+
+## Module configuration [_module_configuration_3]
+
+```yaml
+- module: azure
+  activitylogs:
+    enabled: true
+    var:
+      eventhub: "insights-operational-logs"
+      consumer_group: "$Default"
+      connection_string: ""
+      storage_account: ""
+      storage_account_key: ""
+      resource_manager_endpoint: ""
+
+  platformlogs:
+    enabled: false
+    var:
+      eventhub: ""
+      consumer_group: "$Default"
+      connection_string: ""
+      storage_account: ""
+      storage_account_key: ""
+      resource_manager_endpoint: ""
+
+  auditlogs:
+    enabled: false
+    var:
+      eventhub: "insights-logs-auditlogs"
+      consumer_group: "$Default"
+      connection_string: ""
+      storage_account: ""
+      storage_account_key: ""
+      resource_manager_endpoint: ""
+
+  signinlogs:
+    enabled: false
+    var:
+      eventhub: "insights-logs-signinlogs"
+      consumer_group: "$Default"
+      connection_string: ""
+      storage_account: ""
+      storage_account_key: ""
+      resource_manager_endpoint: ""
+```
+
+`eventhub`
+:   *string* Is the fully managed, real-time data ingestion service. Default value of `insights-operational-logs` for activitylogs, `insights-logs-auditlogs` for auditlogs, and `insights-logs-signinlogs` for signinlogs. It is recommended to use a separate eventhub for each log type as the field mappings of each log type are different.
+
+`consumer_group`
+:   *string* The publish/subscribe mechanism of Event Hubs is enabled through consumer groups. A consumer group is a view (state, position, or offset) of an entire event hub. Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets. Default value: `$Default`
+
+`connection_string`
+:   *string* The connection string required to communicate with Event Hubs, steps here [https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string).
+
+A Blob Storage account is required in order to store/retrieve/update the offset or state of the eventhub messages. This means that after stopping the filebeat azure module it can start back up at the spot that it stopped processing messages.
+
+`storage_account`
+:   *string* The name of the storage account the state/offsets will be stored and updated.
+
+`storage_account_key`
+:   *string* The storage account key, this key will be used to authorize access to data in your storage account.
+
+`resource_manager_endpoint`
+:   *string* Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment. Ex: [https://management.chinacloudapi.cn/](https://management.chinacloudapi.cn/) for azure ChinaCloud [https://management.microsoftazure.de/](https://management.microsoftazure.de/) for azure GermanCloud [https://management.azure.com/](https://management.azure.com/) for azure PublicCloud [https://management.usgovcloudapi.net/](https://management.usgovcloudapi.net/) for azure USGovernmentCloud Users can also use this in case of a Hybrid Cloud model, where one may define their own endpoints.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Dashboards [_dashboards_2]
+
+The azure module comes with several predefined dashboards for general cloud overview, user activity and alerts. For example:
+
+:::{image} images/filebeat-azure-overview.png
+:alt: filebeat azure overview
+:::
+
+
+## Fields [_fields_8]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-azure.md) section.
+
diff --git a/docs/reference/filebeat/filebeat-module-cef.md b/docs/reference/filebeat/filebeat-module-cef.md
new file mode 100644
index 000000000000..d647930c8d3f
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-cef.md
@@ -0,0 +1,156 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-cef.html
+---
+
+# CEF module [filebeat-module-cef]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/cef.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for receiving Common Event Format (CEF) data over Syslog. When messages are received over the syslog protocol the syslog input will parse the header and set the timestamp value. Then the [`decode_cef`](/reference/filebeat/processor-decode-cef.md) processor is applied to parse the CEF encoded data. The decoded data is written into a `cef` object field. Lastly any Elastic Common Schema (ECS) fields that can be populated with the CEF data are populated.
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Configure the module [configuring-cef-module]
+
+You can further refine the behavior of the `cef` module by specifying [variable settings](#cef-settings) in the `modules.d/cef.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [cef-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `cef` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `cef.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` fileset settings [_log_fileset_settings_2]
+
+**`var.syslog_host`**
+:   The interface to listen to UDP based syslog traffic. Defaults to `localhost`. Set to `0.0.0.0` to bind to all available interfaces.
+
+**`var.syslog_port`**
+:   The UDP port to listen for syslog traffic. Defaults to `9003`
+
+::::{note}
+Ports below 1024 require Filebeat to run as root.
+::::
+
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[cef, forwarded]`.
+
+**`var.timezone`**
+:   IANA time zone name (e.g. `America/New_York`) or fixed time offset (e.g. `+0200`) to use when parsing times from the CEF message that do not contain a time zone. `Local` may be specified to use the machine’s local time zone. Defaults to `UTC`.
+
+
+### Forcepoint NGFW Security Management Center [_forcepoint_ngfw_security_management_center]
+
+This module will process CEF data from Forcepoint NGFW Security Management Center (SMC).  In the SMC configure the logs to be forwarded to the address set in `var.syslog_host` in format CEF and service UDP on `var.syslog_port`.  Instructions can be found in [KB 15002](https://support.forcepoint.com/KBArticle?id=000015002) for configuring the SMC.  Testing was done with CEF logs from SMC version 6.6.1 and custom string mappings were taken from *CEF Connector Configuration Guide* dated December 5, 2011.
+
+
+### Check Point devices [_check_point_devices]
+
+This module will parse CEF data form Check Point devices as documented in [Log Exporter CEF Field Mappings.](https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060)
+
+Check Point CEF extensions are mapped as follows:
+
+| CEF Extension | CEF Label value | ECS Fields | Non-ECS Field |  |
+| --- | --- | --- | --- | --- |
+| cp_app_risk | - | event.risk_score | checkpoint.app_risk |  |
+| cp_severity | - | event.severity | checkpoint.severity |  |
+| baseEventCount | - | - | checkpoint.event_count |  |
+| deviceExternalId | - | observer.type | - |  |
+| deviceFacility | - | observer.type | - |  |
+| deviceInboundInterface | - | observer.ingress.interface.name | - |  |
+| deviceOutboundInterface | - | observer.egress.interface.name | - |  |
+| externalId | - | - | checkpoint.uuid |  |
+| fileHash | - | file.hash.{md5,sha1} | - |  |
+| reason | - | - | checkpoint.termination_reason |  |
+| requestCookies | - | - | checkpoint.cookie |  |
+| sourceNtDomain | - | dns.question.name | - |  |
+| Signature | - | vulnerability.id | - |  |
+| Recipient | - | destination.user.email | - |  |
+| Sender | - | source.user.email | - |  |
+| deviceCustomFloatingPoint1 | update version | observer.version | - |  |
+| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - |  |
+| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - |  |
+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - |  |
+| email recipients number | - | checkpoint.email_recipients_num |  |
+| payload | network.bytes | - |  |
+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type |  |
+| duration in seconds | event.duration | - |  |
+| deviceCustomNumber3 | icmp code | - | checkpoint.icmp_code |  |
+| deviceCustomString1 | connectivity state | - | checkpoint.connectivity_state |  |
+| application rule name | rule.name | - |  |
+| threat prevention rule name | rule.name | - |  |
+| voip log type | - | checkpoint.voip_log_type |  |
+| dlp rule name | rule.name | - |  |
+| email id | - | checkpoint.email_id |  |
+| deviceCustomString2 | category | - | checkpoint.category |  |
+| email subject | - | checkpoint.email_subject |  |
+| sensor mode | - | checkpoint.sensor_mode |  |
+| protection id | - | checkpoint.protection_id |  |
+| scan invoke type | - | checkpoint.integrity_av_invoke_type |  |
+| update status | - | checkpoint.update_status |  |
+| peer gateway | - | checkpoint.peer_gateway |  |
+| categories | rule.category | - |  |
+| deviceCustomString6 | application name | network.application | - |  |
+| virus name | - | checkpoint.virus_name |  |
+| malware name | - | checkpoint.spyware_name |  |
+| malware family | - | checkpoint.malware_family |  |
+| deviceCustomString3 | user group | group.name | - |  |
+| incident extension | - | checkpoint.incident_extension |  |
+| protection type | - | checkpoint.protection_type |  |
+| email spool id | - | checkpoint.email_spool_id |  |
+| identity type | - | checkpoint.identity_type |  |
+| deviceCustomString4 | malware status | - | checkpoint.spyware_status |  |
+| threat prevention rule id | rule.id | - |  |
+| scan result | - | checkpoint.scan_result |  |
+| tcp flags | - | checkpoint.tcp_flags |  |
+| destination os | os.name | - |  |
+| protection name | - | checkpoint.protection_name |  |
+| email control | - | checkpoint.email_control |  |
+| frequency | - | checkpoint.frequency |  |
+| user response | - | checkpoint.user_status |  |
+| deviceCustomString5 | matched category | rule.category | - |  |
+| vlan id | network.vlan.id | - |  |
+| authentication method | - | checkpoint.auth_method |  |
+| email session id | - | checkpoint.email_session_id |  |
+| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp |  |
+| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |  |
+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact |  |
+| destination phone number | - | checkpoint.dst_phone_number |  |
+| flexString1 | application signature id | - | checkpoint.app_sig_id |  |
+| flexString2 | malware action | rule.description | - |  |
+| attack information | event.action | - |  |
+| rule_uid | - | rule.uuid | - |  |
+| ifname | - | observer.ingress.interface.name | - |  |
+| inzone | - | observer.ingress.zone | - |  |
+| outzone | - | observer.egress.zone | - |  |
+| product | - | observer.product | - |  |
+
+
+## Fields [_fields_9]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-cef.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-checkpoint.md b/docs/reference/filebeat/filebeat-module-checkpoint.md
new file mode 100644
index 000000000000..9e04eaa714bb
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-checkpoint.md
@@ -0,0 +1,199 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-checkpoint.html
+---
+
+# Check Point module [filebeat-module-checkpoint]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/checkpoint.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for Check Point firewall logs. It supports logs from the Log Exporter in the Syslog RFC 5424 format. If you need to ingest Check Point logs in CEF format then please use the [`CEF module`](/reference/filebeat/filebeat-module-cef.md) (more fields are provided in the syslog output).
+
+To configure a Log Exporter, please refer to the documentation by [Check Point](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323).
+
+Example Log Exporter config:
+
+`cp_log_export add name testdestination target-server 192.168.1.1 target-port 9001 protocol udp format syslog`
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_7]
+
+This module has been tested against Check Point Log Exporter on R80.X but should also work with R77.30.
+
+
+## Configure the module [configuring-checkpoint-module]
+
+You can further refine the behavior of the `checkpoint` module by specifying [variable settings](#checkpoint-settings) in the `modules.d/checkpoint.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [checkpoint-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `checkpoint` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `checkpoint.firewall.var.paths` instead of `firewall.var.paths`.
+::::
+
+
+
+### `firewall` fileset settings [_firewall_fileset_settings]
+
+Example config:
+
+```yaml
+- module: checkpoint
+  firewall:
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 9001
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.syslog_host`**
+:   The interface to listen to UDP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
+
+**`var.syslog_port`**
+:   The UDP port to listen for syslog traffic. Defaults to 9001.
+
+**`var.timezone_offset`**
+:   IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. Defaults to UTC.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[checkpoint-firewall, forwarded]`.
+
+**`var.ssl`**
+:   The SSL/TLS configuration for the filebeat instance. This can be used to enforce mutual TLS.
+
+```yaml
+ssl:
+  enabled: true
+  certificate_authorities: ["my-ca.pem"]
+  certificate: "filebeat-cert.pem"
+  key: "filebeat-key.pem"
+  client_authentication: "required"
+```
+
+
+### Check Point devices [_check_point_devices_2]
+
+This module will parse Check Point Syslog data as documented in: [Checkpoint Log Fields Description.](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192)
+
+Check Point Syslog extensions are mapped as follows to ECS:
+
+| Check Point Fields | ECS Fields |  |
+| --- | --- | --- |
+| action | event.action |  |
+| appi_name | network.application |  |
+| app_risk | event.risk_score |  |
+| app_rule_id | rule.id |  |
+| app_rule_name | rule.name |  |
+| bytes | network.bytes |  |
+| categories | rule.category |  |
+| client_inbound_interface | observer.ingress.interface.name |  |
+| client_outbound_bytes | source.bytes |  |
+| client_outbound_interface | observer.egress.interface.name |  |
+| client_outbound_packets | source.packets |  |
+| destination_dns_hostname | destination.domain |  |
+| dlp_file_name | file.name |  |
+| dns_message_type | dns.type |  |
+| dns_type | dns.question.type |  |
+| domain_name | dns.question.name |  |
+| dst | destination.ip |  |
+| dst_machine_name | destination.domain |  |
+| dlp_rule_name | rule.name |  |
+| dlp_rule_uid | rule.uuid |  |
+| endpoint_ip | observer.ip |  |
+| file_id | file.inode |  |
+| file_type | file.type |  |
+| file_name | file.name |  |
+| file_size | file.size |  |
+| file_md5 | file.hash.md5 |  |
+| file_sha1 | file.hash.sha1 |  |
+| file_sha256 | file.hash.sha256 |  |
+| first_detection | event.start |  |
+| from | source.user.email |  |
+| ifdir | network.direction |  |
+| industry_reference | vulnerability.id |  |
+| inzone | observer.ingress.zone |  |
+| last_detection | event.end |  |
+| loguid | event.id |  |
+| mac_destination_address | destination.mac |  |
+| mac_source_address | source.mac |  |
+| malware_action | rule.description |  |
+| matched_category | rule.category |  |
+| malware_rule_id | rule.rule.id |  |
+| message | message |  |
+| method | http.request.method |  |
+| origin | observer.name |  |
+| origin_ip | observer.ip |  |
+| os_name | host.os.name |  |
+| os_version | host.os.version |  |
+| outzone | observer.egress.zone |  |
+| packet_capture | event.url |  |
+| packets | network.packets |  |
+| parent_process_md5 | process.parent.hash.md5 |  |
+| parent_process_name | process.parent.name |  |
+| process_md5 | process.hash.md5 |  |
+| process_name | process.name |  |
+| product | observer.product |  |
+| proto | network.iana_number |  |
+| reason | message |  |
+| received_bytes | destination.bytes |  |
+| referrer | http.request.referrer |  |
+| rule_name | rule.name |  |
+| resource | url.original |  |
+| s_port | source.port |  |
+| security_inzone | observer.ingress.zone |  |
+| security_outzone | observer.egress.zone |  |
+| sent_bytes | source.bytes |  |
+| sequencenum | event.sequence |  |
+| service | destination.port |  |
+| service_id | network.application |  |
+| service_name | destination.service.name |  |
+| server_outbound_packets | destination.packets |  |
+| server_outbound_bytes | destination.bytes |  |
+| severity | event.severity |  |
+| smartdefense_profile | rule.ruleset |  |
+| src | source.ip |  |
+| src_machine_name | source.domain |  |
+| src_user_group | source.user.group.name |  |
+| start_time | event.start |  |
+| status | http.response.status_code |  |
+| tid | dns.id |  |
+| time | @timestamp |  |
+| to | destination.user.email |  |
+| type | observer.type |  |
+| update_version | observer.version |  |
+| url | url.original |  |
+| user_group | group.name |  |
+| usercheck_incident_uid | destination.user.id |  |
+| web_client_type | user_agent.name |  |
+| xlatesrc | source.nat.ip |  |
+| xlatedst | destination.nat.ip |  |
+| xlatesport | source.nat.port |  |
+| xlatedport | destination.nat.port |  |
+
+
+## Fields [_fields_10]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-checkpoint.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-cisco.md b/docs/reference/filebeat/filebeat-module-cisco.md
new file mode 100644
index 000000000000..84a253447dbb
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-cisco.md
@@ -0,0 +1,405 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-cisco.html
+---
+
+# Cisco module [filebeat-module-cisco]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/cisco_asa.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for Cisco network device’s logs and Cisco Umbrella. It includes the following filesets for receiving logs over syslog or read from a file:
+
+* `asa` fileset: supports Cisco ASA firewall logs.
+* `amp` fileset: supports Cisco AMP API logs.
+* `ftd` fileset: supports Cisco Firepower Threat Defense logs.
+* `ios` fileset: supports Cisco IOS router and switch logs.
+* `umbrella` fileset: supports Cisco Umbrella logs.
+
+Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the [netflow module](/reference/filebeat/filebeat-module-netflow.md) in Filebeat.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Configure the module [configuring-cisco-module]
+
+You can further refine the behavior of the `cisco` module by specifying [variable settings](#cisco-settings) in the `modules.d/cisco.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The module is by default configured to run via syslog on port 9001 for ASA and port 9002 for IOS. However it can also be configured to read from a file path. See the following example.
+
+Cisco Umbrella publishes its logs in a compressed CSV format to a S3 bucket.
+
+```yaml
+- module: cisco
+  asa:
+    enabled: true
+    var.paths: ["/var/log/cisco-asa.log"]
+    var.input: "file"
+```
+
+
+### Variable settings [cisco-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `cisco` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `cisco.asa.var.paths` instead of `asa.var.paths`.
+::::
+
+
+
+### `asa` fileset settings [_asa_fileset_settings]
+
+Example config:
+
+```yaml
+- module: cisco
+  asa:
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 9001
+    var.log_level: 5
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.log_level`**
+:   An integer between 1 and 7 that allows filtering messages based on the severity level. The different severity levels supported by the Cisco ASA are:
+
+| log_level | severity |
+| --- | --- |
+| 1 | Alert |
+| 2 | Critical |
+| 3 | Error |
+| 4 | Warning |
+| 5 | Notification |
+| 6 | Informational |
+| 7 | Debugging |
+
+A value of 7 (default) will not filter any messages. A lower value will drop any messages with a severity level higher than the specified value. For example, `var.log_level: 3` will allow messages of level 1 (Alert), 2 (Critical) and 3 (Error). All other messages will be dropped.
+
+::::{note}
+The filtering is done in the ingest pipeline, if this setting is changed, the ingest pipeline need to be reloaded manually. To reload the ingest pipeline, set `filebeat.overwrite_pipelines: true` and manually [*Load ingest pipelines*](/reference/filebeat/load-ingest-pipelines.md).
+::::
+
+
+**`var.syslog_host`**
+:   The interface to listen to UDP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
+
+**`var.syslog_port`**
+:   The UDP port to listen for syslog traffic. Defaults to 9001.
+
+**`var.timezone_offset`**
+:   IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. Defaults to UTC.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[cisco-asa, forwarded]`.
+
+
+### `ftd` fileset settings [_ftd_fileset_settings]
+
+The Cisco FTD fileset primarily supports parsing IPv4 and IPv6 access list log messages similar to that of ASA devices as well as Security Event Syslog Messages for Intrusion, Connection, File and Malware events.
+
+**Field mappings**
+
+The `ftd` fileset maps Security Event Syslog Messages to the Elastic Common Schema (ECS) format. The following table illustrates the mapping from Security Event fields to ECS. The `cisco.ftd` prefix is used when there is no corresponding ECS field available.
+
+Mappings for Intrusion events fields:
+
+| FTD Field | Mapped fields |
+| --- | --- |
+| ApplicationProtocol | network.protocol |
+| DstIP | destination.address |
+| DstPort | destination.port |
+| EgressInterface | cisco.ftd.destination_interface |
+| GID | service.id |
+| HTTPResponse | http.response.status_code |
+| IngressInterface | cisco.ftd.source_interface |
+| InlineResult | event.outcome |
+| IntrusionPolicy | cisco.ftd.rule_name |
+| Message | message |
+| Protocol | network.transport |
+| SrcIP | source.address |
+| SrcPort | source.port |
+| User | user.id, user.name |
+| WebApplication | network.application |
+
+Mappings for Connection and Security Intelligence events fields:
+
+| FTD Field | Mapped fields |
+| --- | --- |
+| ACPolicy | cisco.ftd.rule_name |
+| AccessControlRuleAction | event.outcome |
+| AccessControlRuleName | cisco.ftd.rule_name |
+| ApplicationProtocol | network.protocol |
+| ConnectionDuration | event.duration |
+| DNSQuery | dns.question.name |
+| DNSRecordType | dns.question.type |
+| DNSResponseType | dns.response_code |
+| DstIP | destination.address |
+| DstPort | destination.port |
+| EgressInterface | cisco.ftd.destination_interface |
+| HTTPReferer | http.request.referrer |
+| HTTPResponse | http.response.status_code |
+| IngressInterface | cisco.ftd.source_interface |
+| InitiatorBytes | source.bytes |
+| InitiatorPackets | source.packets |
+| NetBIOSDomain | host.hostname |
+| Protocol | network.transport |
+| ReferencedHost | url.domain |
+| ResponderBytes | destination.bytes |
+| ResponderPackets | destination.packets |
+| SSLActualAction | event.outcome |
+| SSLServerName | server.domain |
+| SrcIP | source.address |
+| SrcPort | source.port |
+| URL | url.original |
+| User | user.name |
+| UserAgent | user_agent.original |
+| WebApplication | network.application |
+| originalClientSrcIP | client.address |
+
+Mappings for File and Malware events fields:
+
+| FTD Field | Mapped fields |
+| --- | --- |
+| ApplicationProtocol | network.protocol |
+| ArchiveFileName | file.name |
+| ArchiveSHA256 | file.hash.sha256 |
+| Client | network.application |
+| DstIP | destination.address |
+| DstPort | destination.port |
+| FileName | file.name |
+| FilePolicy | cisco.ftd.rule_name |
+| FileSHA256 | file.hash.sha256 |
+| FileSize | file.size |
+| FirstPacketSecond | event.start |
+| Protocol | network.transport |
+| SrcIP | source.address |
+| SrcPort | source.port |
+| URI | url.original |
+| User | user.name |
+| WebApplication | network.application |
+
+**Example configuration:**
+
+```yaml
+- module: cisco
+  ftd:
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 9003
+    var.log_level: 5
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.log_level`**
+:   An integer between 1 and 7 that allows filtering messages based on the severity level. The different severity levels supported by the Cisco ASA are:
+
+| log_level | severity |
+| --- | --- |
+| 1 | Alert |
+| 2 | Critical |
+| 3 | Error |
+| 4 | Warning |
+| 5 | Notification |
+| 6 | Informational |
+| 7 | Debugging |
+
+A value of 7 (default) will not filter any messages. A lower value will drop any messages with a severity level higher than the specified value. For example, `var.log_level: 3` will allow messages of level 1 (Alert), 2 (Critical) and 3 (Error). All other messages will be dropped.
+
+::::{note}
+The filtering is done in the ingest pipeline, if this setting is changed, the ingest pipeline need to be reloaded manually. To reload the ingest pipeline, set `filebeat.overwrite_pipelines: true` and manually [*Load ingest pipelines*](/reference/filebeat/load-ingest-pipelines.md).
+::::
+
+
+**`var.syslog_host`**
+:   The interface to listen to UDP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
+
+**`var.syslog_port`**
+:   The UDP port to listen for syslog traffic. Defaults to 9003.
+
+**`var.timezone_offset`**
+:   IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. Defaults to UTC.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[cisco-ftd, forwarded]`.
+
+
+### `ios` fileset settings [_ios_fileset_settings]
+
+The Cisco IOS fileset primarily supports parsing IPv4 and IPv6 access list log messages.
+
+Example config:
+
+```yaml
+- module: cisco
+  ios:
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 9002
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.syslog_host`**
+:   The interface to listen to UDP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
+
+**`var.syslog_port`**
+:   The UDP port to listen for syslog traffic. Defaults to 9002.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[cisco-ios, forwarded]`.
+
+
+### Time zone support [_time_zone_support_3]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+### `umbrella` fileset settings [_umbrella_fileset_settings]
+
+The Cisco Umbrella fileset primarily focuses on reading CSV files from an S3 bucket using the filebeat S3 input.
+
+To configure Cisco Umbrella to log to a self-managed S3 bucket please follow the [Cisco Umbrella User Guide](https://docs.umbrella.com/deployment-umbrella/docs/log-management), and the [AWS S3 input documentation](/reference/filebeat/filebeat-input-aws-s3.md) to setup the necessary Amazon SQS queue.  Retrieving logs from a Cisco-managed S3 bucket is not currently supported.
+
+This fileset supports all 4 log types: - Proxy - Cloud Firewall - IP Logs - DNS logs
+
+The Cisco Umbrella fileset depends on the original file path structure being followed. This structure is documented [Umbrella Log Formats and Versioning](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning):
+
+<subfolder>/<YYYY>-<MM>-<DD>/<YYYY>-<MM>-<DD>-<hh>-<mm>-<xxxx>.csv.gz dnslogs/<year>-<month>-<day>/<year>-<month>-<day>-<hour>-<minute>.csv.gz
+
+Example config:
+
+```yaml
+- module: cisco
+  umbrella:
+    enabled: true
+    var.input: aws-s3
+    var.queue_url: https://sqs.us-east-1.amazonaws.com/ID/CiscoQueue
+    var.access_key_id: 123456
+    var.secret_access_key: PASSWORD
+```
+
+**`var.input`**
+:   The input from which messages are read. Can be S3 or file.
+
+**`var.queue_url`**
+:   The URL to the SQS queue if the input type is S3.
+
+**`var.access_key_id`**
+:   The ID for the access key used to read from the SQS queue.
+
+**`var.secret_access_key`**
+:   The secret token used for authenticating to the SQS queue.
+
+**`var.visibility_timeout`**
+:   The duration that the received messages are hidden from ReceiveMessage request. Default to be 300 seconds.
+
+**`var.api_timeout`**
+:   Maximum duration before AWS API request will be interrupted. Default to be 120 seconds.
+
+
+### `amp` fileset settings [_amp_fileset_settings]
+
+The Cisco AMP fileset focuses on collecting events from your Cisco AMP/Cisco Secure Endpoint API.
+
+To configure the Cisco AMP fileset you will need to retrieve your `client_id` and `api_key` from the AMP dashboard. For more information on how to retrieve these credentials, please reference the [Cisco AMP API documentation](https://api-docs.amp.cisco.com/api_resources?api_host=api.amp.cisco.com&api_version=v1).
+
+The URL configured for the API depends on which region your AMP is located, currently there are three choices: - api.amp.cisco.com - api.apjc.amp.cisco.com - api.eu.amp.cisco.com
+
+If new endpoints are added by Cisco in the future, please reference the API URL list located at the [Cisco AMP API Docs](https://api-docs.amp.cisco.com/).
+
+Example config:
+
+```yaml
+- module: cisco
+  amp:
+    enabled: true
+    var.input: httpjson
+    var.url: https://api.amp.cisco.com/v1/events
+    var.client_id: 123456
+    var.api_key: sfda987gdf90s0df0
+```
+
+When starting up the Filebeat module for the first time, you are able to configure how far back you want Filebeat to collect existing events from. It is also possible to select how often Filebeat will check the Cisco AMP API. Another example below which looks back 200 hours and have a custom timeout:
+
+```yaml
+- module: cisco
+  amp:
+    enabled: true
+    var.input: httpjson
+    var.url: https://api.amp.cisco.com/v1/events
+    var.client_id: 123456
+    var.api_key: sfda987gdf90s0df0
+    var.first_interval: 200h
+    var.interval: 60m
+    var.request_timeout: 120s
+    var.limit: 100
+```
+
+**`var.input`**
+:   The input from which messages are read. Supports httpjson.
+
+**`var.url`**
+:   The URL to the Cisco AMP API endpoint, this url value depends on your region. It will be the same region as your Cisco AMP Dashboard URL.
+
+**`var.client_id`**
+:   The ID for the user account used to access the API.
+
+**`var.api_key`**
+:   The API secret used together with the related client_id.
+
+**`var.request_timeout`**
+:   When handling large influxes of events, especially for large enterprises, the API might take longer to respond. This value is to set a custom timeout value for each request sent by Filebeat.
+
+**`var.first_interval`**
+:   How far back you would want to collect events the first time the Filebeat module starts up. Supports amount in hours(example: 24h), minutes(example: 10m) and seconds(example: 50s).
+
+**`var.limit`**
+:   This value controls how many events are returned by the Cisco AMP API per page.
+
+
+## Example dashboard [_example_dashboard_3]
+
+This module comes with a sample dashboard for ASA:
+
+:::{image} images/kibana-cisco-asa.png
+:alt: kibana cisco asa
+:class: screenshot
+:::
+
+
+## Fields [_fields_11]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-cisco.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-coredns.md b/docs/reference/filebeat/filebeat-module-coredns.md
new file mode 100644
index 000000000000..7e5dc28d76f4
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-coredns.md
@@ -0,0 +1,71 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-coredns.html
+---
+
+# CoreDNS module [filebeat-module-coredns]
+
+This is a filebeat module for CoreDNS. It supports both standalone CoreDNS deployment and CoreDNS deployment in Kubernetes.
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_8]
+
+Although this module has been developed against Kubernetes v1.13.x, it is expected to work with other versions of Kubernetes.
+
+
+## Configure the module [configuring-coredns-module]
+
+You can further refine the behavior of the `coredns` module by specifying [variable settings](#coredns-settings) in the `modules.d/coredns.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [coredns-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `coredns` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `coredns.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` fileset settings [_log_fileset_settings_3]
+
+Example config:
+
+```yaml
+- module: coredns
+  log:
+    enabled: true
+    var.paths: ["/var/log/coredns.log"]
+    var.tags: ["coredns", "staging"]
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   An array of tags describing the monitored CoreDNS setup.
+
+
+## Example dashboard [_example_dashboard_4]
+
+This module comes with a sample dashboard.
+
+:::{image} images/kibana-coredns.jpg
+:alt: kibana coredns
+:class: screenshot
+:::
+
+
+## Fields [_fields_12]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-coredns.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-crowdstrike.md b/docs/reference/filebeat/filebeat-module-crowdstrike.md
new file mode 100644
index 000000000000..2c4b968dd863
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-crowdstrike.md
@@ -0,0 +1,97 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-crowdstrike.html
+---
+
+# CrowdStrike module [filebeat-module-crowdstrike]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/crowdstrike.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is the Filebeat module for CrowdStrike Falcon using the Falcon [SIEM Connector](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem). This module collects this data, converts it to ECS, and ingests it to view in the SIEM. By default, the Falcon SIEM connector outputs JSON formatted Falcon Streaming API event data.
+
+This module segments events forwarded by the Falcon SIEM connector into two datasets for endpoint data and Falcon platform audit data.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_9]
+
+This input supports CrowdStrike Falcon SIEM-Connector-v2.0.
+
+
+## Configure the module [configuring-crowdstrike-module]
+
+You can further refine the behavior of the `crowdstrike` module by specifying [variable settings](#crowdstrike-settings) in the `modules.d/crowdstrike.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [crowdstrike-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `crowdstrike` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `crowdstrike.falcon_endpoint.var.paths` instead of `falcon_endpoint.var.paths`.
+::::
+
+
+
+### `falcon` fileset settings [_falcon_fileset_settings]
+
+The fileset is by default configured to collect JSON formated event data from `/var/log/crowdstrike/falconhoseclient/output`. It forwards DetectionSummaryEvent and IncidentSummaryEvent events.
+
+```yaml
+var:
+  - name: paths
+    default:
+      - /var/log/crowdstrike/falconhoseclient/output
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+## Dashboards [_dashboards_3]
+
+The best way to view CrowdStrike events and alert data is in the SIEM.
+
+:::{image} images/siem-alerts-cs.jpg
+:alt: siem alerts cs
+:class: screenshot
+:::
+
+For alerts, go to Detections → External alerts.
+
+:::{image} images/siem-events-cs.jpg
+:alt: siem events cs
+:class: screenshot
+:::
+
+And for all over event CrowdStrike Falcon event types, go to Host → Events.
+
+
+## Fields [_fields_13]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-crowdstrike.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-cyberarkpas.md b/docs/reference/filebeat/filebeat-module-cyberarkpas.md
new file mode 100644
index 000000000000..69fffd206522
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-cyberarkpas.md
@@ -0,0 +1,175 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-cyberarkpas.html
+---
+
+# Cyberark PAS module [filebeat-module-cyberarkpas]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/cyberarkpas.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for receiving CyberArk Privileged Account Security (PAS) logs over Syslog or a file.
+
+The [ingest-geoip](elasticsearch://reference/ingestion-tools/enrich-processor/geoip-processor.md) Elasticsearch plugin is required to run this module.
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Configure the module [configuring-cyberarkpas-module]
+
+You can further refine the behavior of the `cyberarkpas` module by specifying [variable settings](#cyberarkpas-settings) in the `modules.d/cyberarkpas.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### `audit` fileset settings [_audit_fileset_settings]
+
+The `audit` fileset receives Vault Audit logs for User and Safe activities over the syslog protocol.
+
+
+#### Vault configuration [_vault_configuration]
+
+Follow the steps under [Security Information and Event Management (SIEM) Applications](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) documentation to setup the integration:
+
+* Copy the [elastic-json-v1.0.xsl](https://raw.githubusercontent.com/elastic/beats/master/x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl) XSL Translator file to the `Server\Syslog` folder.
+* Sample syslog configuration for `DBPARM.ini`:
+
+```ini
+[SYSLOG]
+UseLegacySyslogFormat=No
+SyslogTranslatorFile=Syslog\elastic-json-v1.0.xsl
+SyslogServerIP=<INSERT FILEBEAT IP HERE>
+SyslogServerPort=<INSERT FILEBEAT PORT HERE>
+SyslogServerProtocol=TCP
+```
+
+For proper timestamping of events, it’s recommended to use the newer RFC5424 Syslog format (`UseLegacySyslogFormat=No`). To avoid event loss, use `TCP` or `TLS` protocols instead of `UDP`.
+
+
+#### Filebeat configuration [_filebeat_configuration]
+
+Edit the `cyberarkpas.yml` configuration. The following sample configuration will accept `TCP` protocol connections from all interfaces:
+
+```yaml
+- module: cyberarkpas
+  audit:
+    enabled: true
+
+    # Set which input to use between tcp (default), udp, or file.
+    #
+    var.input: tcp
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 9301
+
+    # With tcp input, set the optional tls configuration:
+    #var.ssl:
+    #  enabled: true
+    #  certificate: /path/to/cert.pem
+    #  key: /path/to/privatekey.pem
+    #  key_passphrase: 'password for my key'
+
+    # Uncoment to keep the original syslog event under event.original.
+    # var.preserve_original_event: true
+
+    # Set paths for the log files when file input is used.
+    # var.paths:
+```
+
+For encrypted communications, follow the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm#ConfigureSIEMintegration) to configure encrypted protocol in the Vault server and use `tcp` input with `var.ssl` settings in Filebeat:
+
+```yaml
+- module: cyberarkpas
+  audit:
+    enabled: true
+
+    # Set which input to use between tcp (default), udp, or file.
+    #
+    var.input: tcp
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 9301
+
+    # With tcp input, set the optional tls configuration:
+    var.ssl:
+      enabled: true
+      certificate: /path/to/cert.pem
+      key: /path/to/privatekey.pem
+      key_passphrase: 'password for my key'
+
+    # Uncoment to keep the original syslog event under event.original.
+    # var.preserve_original_event: true
+
+    # Set paths for the log files when file input is used.
+    # var.paths:
+```
+
+
+#### Configuration options [_configuration_options_41]
+
+
+### Variable settings [cyberarkpas-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `cyberarkpas` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `cyberarkpas.audit.var.paths` instead of `audit.var.paths`.
+::::
+
+
+**`var.input`**
+:   The input to use. One of `tcp` (default), `udp` or `file`.
+
+**`var.syslog_host`**
+:   The address to listen to UDP or TCP based syslog traffic. Defaults to `localhost`. Set to `0.0.0.0` to bind to all available interfaces.
+
+**`var.syslog_port`**
+:   The port to listen for syslog traffic. Defaults to `9301`.
+
+::::{note}
+Ports below 1024 require Filebeat to run as root.
+::::
+
+
+**`var.ssl`**
+:   Configuration options for SSL parameters to use when acting as a server for `TLS` protocol. See [SSL server configuration options.](/reference/filebeat/configuration-ssl.md#ssl-server-config) for a description of the available sub-options.
+
+**`var.preserve_original_event`**
+:   Set to `true` to store the original syslog message under the `event.original` field. Defaults to `false`.
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself.
+
+This setting is only applicable when `file` input is configured.
+
+
+## Example dashboard [_example_dashboard_5]
+
+This module comes with a sample dashboard:
+
+:::{image} images/filebeat-cyberarkpas-overview.png
+:alt: filebeat cyberarkpas overview
+:class: screenshot
+:::
+
+
+## Fields [_fields_14]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-cyberarkpas.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-elasticsearch.md b/docs/reference/filebeat/filebeat-module-elasticsearch.md
new file mode 100644
index 000000000000..6d598ca161a9
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-elasticsearch.md
@@ -0,0 +1,170 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-elasticsearch.html
+---
+
+# Elasticsearch module [filebeat-module-elasticsearch]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/elasticsearch.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is the elasticsearch module.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_10]
+
+The Elasticsearch module is compatible with Elasticsearch 6.2 and newer.
+
+
+## Configure the module [configuring-elasticsearch-module]
+
+You can further refine the behavior of the `elasticsearch` module by specifying [variable settings](#elasticsearch-settings) in the `modules.d/elasticsearch.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [elasticsearch-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `elasticsearch` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `elasticsearch.server.var.paths` instead of `server.var.paths`.
+::::
+
+
+
+### `server` log fileset settings [_server_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+    Example config:
+
+    ```yaml
+      server:
+        enabled: true
+        var.paths:
+          - /var/log/elasticsearch/*.log          # Plain text logs
+          - /var/log/elasticsearch/*_server.json  # JSON logs
+    ```
+
+    ::::{note}
+    If you’re running against Elasticsearch >= 7.0.0, configure the `var.paths` setting to point to JSON logs. Otherwise, configure it to point to plain text logs.
+    ::::
+
+
+
+### `gc` log fileset settings [_gc_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+    Example config:
+
+    ```yaml
+      gc:
+        var.paths:
+          - /var/log/elasticsearch/gc.log.[0-9]*
+          - /var/log/elasticsearch/gc.log
+    ```
+
+
+
+### `audit` log fileset settings [_audit_log_fileset_settings_2]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+    Example config:
+
+    ```yaml
+      audit:
+        var.paths:
+          - /var/log/elasticsearch/*_access.log  # Plain text logs
+          - /var/log/elasticsearch/*_audit.json  # JSON logs
+    ```
+
+    ::::{note}
+    If you’re running against Elasticsearch >= 7.0.0, configure the `var.paths` setting to point to JSON logs. Otherwise, configure it to point to plain text logs.
+    ::::
+
+
+
+### `slowlog` log fileset settings [_slowlog_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+    Example config:
+
+    ```yaml
+      slowlog:
+        var.paths:
+          - /var/log/elasticsearch/*_index_search_slowlog.log     # Plain text logs
+          - /var/log/elasticsearch/*_index_indexing_slowlog.log   # Plain text logs
+          - /var/log/elasticsearch/*_index_search_slowlog.json    # JSON logs
+          - /var/log/elasticsearch/*_index_indexing_slowlog.json  # JSON logs
+    ```
+
+    ::::{note}
+    If you’re running against Elasticsearch >= 7.0.0, configure the `var.paths` setting to point to JSON logs. Otherwise, configure it to point to plain text logs.
+    ::::
+
+
+
+### `deprecation` log fileset settings [_deprecation_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+    Example config:
+
+    ```yaml
+      deprecation:
+        var.paths:
+          - /var/log/elasticsearch/*_deprecation.log   # Plain text logs
+          - /var/log/elasticsearch/*_deprecation.json  # JSON logs
+    ```
+
+    ::::{note}
+    If you’re running against Elasticsearch >= 7.0.0, configure the `var.paths` setting to point to JSON logs. Otherwise, configure it to point to plain text logs.
+    ::::
+
+
+
+### Time zone support [_time_zone_support_4]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+## Fields [_fields_15]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-elasticsearch.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-envoyproxy.md b/docs/reference/filebeat/filebeat-module-envoyproxy.md
new file mode 100644
index 000000000000..5495b658298c
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-envoyproxy.md
@@ -0,0 +1,34 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-envoyproxy.html
+---
+
+# Envoyproxy Module [filebeat-module-envoyproxy]
+
+This is a Filebeat module for Envoy proxy access log ([https://www.envoyproxy.io/docs/envoy/v1.10.0/configuration/access_log](https://www.envoyproxy.io/docs/envoy/v1.10.0/configuration/access_log)). It supports both standalone deployment and Envoy proxy deployment in Kubernetes.
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_11]
+
+Although this module has been developed against Envoy proxy 1.10.0 and Kubernetes v1.13.x, it is expected to work with other versions of Envoy proxy and Kubernetes.
+
+
+## Example dashboard [_example_dashboard_6]
+
+This module comes with a sample dashboard.
+
+:::{image} images/kibana-envoyproxy.jpg
+:alt: kibana envoyproxy
+:class: screenshot
+:::
+
+
+## Fields [_fields_16]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-envoyproxy.md) section.
+
diff --git a/docs/reference/filebeat/filebeat-module-fortinet.md b/docs/reference/filebeat/filebeat-module-fortinet.md
new file mode 100644
index 000000000000..83e22a077d4e
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-fortinet.md
@@ -0,0 +1,196 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-fortinet.html
+---
+
+# Fortinet module [filebeat-module-fortinet]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/fortinet.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for Fortinet logs sent in the syslog format. It supports the following devices:
+
+* `firewall` fileset: Supports FortiOS Firewall logs.
+
+To configure a remote syslog destination, please reference the [Fortigate/FortiOS Documentation](https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/260508/log-syslogd-syslogd2-syslogd3-syslogd4-setting).
+
+The syslog format choosen should be `Default`.
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_12]
+
+This module has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested.
+
+
+## Configure the module [configuring-fortinet-module]
+
+You can further refine the behavior of the `fortinet` module by specifying [variable settings](#fortinet-settings) in the `modules.d/fortinet.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [fortinet-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `fortinet` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `fortinet.firewall.var.paths` instead of `firewall.var.paths`.
+::::
+
+
+
+### `firewall` fileset settings [_firewall_fileset_settings_2]
+
+```yaml
+- module: fortinet
+  firewall:
+    enabled: true
+    var.input: udp
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 9004
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### Time zone support [_time_zone_support_5]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+**`var.input`**
+:   The input to use, can be either the value `tcp`, `udp` or `file`.
+
+**`var.syslog_host`**
+:   The interface to listen to all syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
+
+**`var.syslog_port`**
+:   The port to listen for syslog traffic. Defaults to 9004.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[fortinet-firewall, forwarded]`.
+
+
+### Fortinet ECS fields [_fortinet_ecs_fields]
+
+This is a list of FortiOS fields that are mapped to ECS.
+
+| Fortinet Fields | ECS Fields |  |
+| --- | --- | --- |
+| action | event.action |  |
+| agent | user_agent.original |  |
+| app | network.application |  |
+| appcat | rule.category |  |
+| applist | rule.ruleset |  |
+| catdesc | rule.category |  |
+| ccertissuer | tls.client_issuer |  |
+| collectedemail | source.user.email |  |
+| comment | rule.description |  |
+| daddr | destination.address |  |
+| devid | observer.serial_number |  |
+| dir | network.direction |  |
+| direction | network.direction |  |
+| dst_host | destination.address |  |
+| dstcollectedemail | destination.user.email |  |
+| dst_int | observer.egress.interface.name |  |
+| dstintf | observer.egress.interface.name |  |
+| dstip | destination.ip |  |
+| dstmac | destination.mac |  |
+| dstname | destination.address |  |
+| dst_port | destination.port |  |
+| dstport | destination.port |  |
+| dstunauthuser | destination.user.name |  |
+| dtype | vulnerability.category |  |
+| duration | event.duration |  |
+| errorcode | error.code |  |
+| event_id | event.id |  |
+| eventid | event.id |  |
+| eventtime | event.start |  |
+| eventtype | event.action |  |
+| file | file.name |  |
+| filename | file.name |  |
+| filesize | file.size |  |
+| filetype | file.extension |  |
+| filehash | file.hash.crc32 |  |
+| from | source.user.email |  |
+| group | source.user.group |  |
+| hostname | url.domain |  |
+| infectedfilename | file.name |  |
+| infectedfilesize | file.size |  |
+| infectedfiletype | file.extension |  |
+| ipaddr | dns.resolved_ip |  |
+| level | log.level |  |
+| locip | source.ip |  |
+| locport | source.port |  |
+| logdesc | rule.description |  |
+| logid | event.code |  |
+| matchfilename | file.name |  |
+| matchfiletype | file.extension |  |
+| msg | message |  |
+| error_num | error.code |  |
+| policyid | rule.id |  |
+| policy_id | rule.id |  |
+| policyname | rule.name |  |
+| policytype | rule.ruleset |  |
+| poluuid | rule.uuid |  |
+| profile | rule.ruleset |  |
+| proto | network.iana_number |  |
+| qclass | dns.question.class |  |
+| qname | dns.question.name |  |
+| qtype | dns.question.type |  |
+| rcvdbyte | source.bytes |  |
+| rcvdpkt | source.packets |  |
+| recipient | destination.user.email |  |
+| ref | event.reference |  |
+| remip | destination.ip |  |
+| remport | destination.port |  |
+| saddr | source.address |  |
+| scertcname | tls.client.server_name |  |
+| scertissuer | tls.server.issuer |  |
+| sender | source.user.email |  |
+| sentbyte | source.bytes |  |
+| sentpkt | source.packets |  |
+| service | network.protocol |  |
+| sess_duration | event.duration |  |
+| srcdomain | source.domain |  |
+| srcintf | observer.ingress.interface.name |  |
+| srcip | source.ip |  |
+| source_mac | source.mac |  |
+| srcmac | source.mac |  |
+| srcport | source.port |  |
+| tranip | destination.nat.ip |  |
+| tranport | destination.nat.port |  |
+| transip | source.nat.ip |  |
+| transport | source.nat.port |  |
+| tz | event.timezone |  |
+| unauthuser | source.user.name |  |
+| url | url.path |  |
+| user | source.user.name |  |
+| xid | dns.id |  |
+
+
+## Fields [_fields_17]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-fortinet.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-gcp.md b/docs/reference/filebeat/filebeat-module-gcp.md
new file mode 100644
index 000000000000..5950b8477ba3
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-gcp.md
@@ -0,0 +1,162 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gcp.html
+---
+
+# Google Cloud module [filebeat-module-gcp]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/gcp.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for Google Cloud logs. It supports reading audit, VPC flow, and firewall logs that have been exported from Stackdriver to a Google Pub/Sub topic sink.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Configure the module [configuring-gcp-module]
+
+You can further refine the behavior of the `gcp` module by specifying [variable settings](#gcp-settings) in the `modules.d/gcp.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [gcp-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `gcp` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `gcp.audit.var.paths` instead of `audit.var.paths`.
+::::
+
+
+
+### `audit` fileset settings [_audit_fileset_settings_2]
+
+:::{image} images/filebeat-gcp-audit.png
+:alt: filebeat gcp audit
+:class: screenshot
+:::
+
+Example config:
+
+```yaml
+- module: gcp
+  audit:
+    enabled: true
+    var.project_id: my-gcp-project-id
+    var.topic: gcp-vpc-audit
+    var.subscription_name: filebeat-gcp-audit-sub
+    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
+    var.keep_original_message: false
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.project_id`**
+:   Google Cloud project ID.
+
+**`var.topic`**
+:   Google Cloud Pub/Sub topic name.
+
+**`var.subscription_name`**
+:   Google Cloud Pub/Sub topic subscription name. If the subscription does not exist it will be created.
+
+**`var.credentials_file`**
+:   Path to a JSON file containing the credentials and key used to subscribe.
+
+**`var.keep_original_message`**
+:   Flag to control whether the original message is stored in the `log.original` field. Defaults to `false`, meaning the original message is not saved.
+
+
+### `vpcflow` fileset settings [_vpcflow_fileset_settings]
+
+Example config:
+
+```yaml
+- module: gcp
+  vpcflow:
+    enabled: true
+    var.project_id: my-gcp-project-id
+    var.topic: gcp-vpc-flowlogs
+    var.subscription_name: filebeat-gcp-vpc-flowlogs-sub
+    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
+    var.keep_original_message: false
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.project_id`**
+:   Google Cloud project ID.
+
+**`var.topic`**
+:   Google Cloud Pub/Sub topic name.
+
+**`var.subscription_name`**
+:   Google Cloud Pub/Sub topic subscription name. If the subscription does not exist it will be created.
+
+**`var.credentials_file`**
+:   Path to a JSON file containing the credentials and key used to subscribe.
+
+**`var.keep_original_message`**
+:   Flag to control whether the original message is stored in the `log.original` field. Defaults to `false`, meaning the original message is not saved.
+
+
+### `firewall` fileset settings [_firewall_fileset_settings_3]
+
+Example config:
+
+```yaml
+- module: gcp
+  firewall:
+    enabled: true
+    var.project_id: my-gcp-project-id
+    var.topic: gcp-vpc-firewall
+    var.subscription_name: filebeat-gcp-vpc-firewall-sub
+    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
+    var.keep_original_message: false
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.project_id`**
+:   Google Cloud project ID.
+
+**`var.topic`**
+:   Google Cloud Pub/Sub topic name.
+
+**`var.subscription_name`**
+:   Google Cloud Pub/Sub topic subscription name. If the subscription does not exist it will be created.
+
+**`var.credentials_file`**
+:   Path to a JSON file containing the credentials and key used to subscribe.
+
+**`var.keep_original_message`**
+:   Flag to control whether the original message is stored in the `log.original` field. Defaults to `false`, meaning the original message is not saved.
+
+
+## Fields [_fields_18]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-gcp.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-google_workspace.md b/docs/reference/filebeat/filebeat-module-google_workspace.md
new file mode 100644
index 000000000000..654d359d8559
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-google_workspace.md
@@ -0,0 +1,135 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html
+---
+
+# Google Workspace module [filebeat-module-google_workspace]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/google_workspace.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for ingesting data from the different Google Workspace audit reports APIs.
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_13]
+
+It is compatible with a subset of applications under the [Google Reports API v1](https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started). As of today it supports:
+
+| Google Workspace Service | Description |  |
+| --- | --- | --- |
+| SAML [api docs](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml) [help](https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054) | View users’ successful and failed sign-ins to SAML applications. |  |
+| User Accounts [api docs](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts) [help](https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054) | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. |  |
+| Login [api docs](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login) [help](https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054) | Track user sign-in activity to your domain. |  |
+| Admin [api docs](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings) [help](https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054) | View administrator activity performed within the Google Admin console. |  |
+| Drive [api docs](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive) [help](https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054) | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. |  |
+| Groups [api docs](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups) [help](https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054) | Track changes to groups, group memberships and group messages. |  |
+
+
+## Configure the module [_configure_the_module]
+
+In order for Filebeat to ingest data from the Google Reports API you must:
+
+* Have an **administrator account**, as described [here](https://developers.google.com/admin-sdk/reports/v1/guides/prerequisites).
+* [Set up a ServiceAccount](https://support.google.com/workspacemigrate/answer/9222993?hl=en) using the administrator account.
+* [Set up access to the Admin SDK API](https://developers.google.com/admin-sdk/reports/v1/guides/authorizing) for the ServiceAccount.
+* [Enable Domain-Wide Delegation](https://developers.google.com/admin-sdk/reports/v1/guides/delegation) for your ServiceAccount.
+
+This module will make use of the following **oauth2 scope**:
+
+* `https://www.googleapis.com/auth/admin.reports.audit.readonly`
+
+Once you have downloaded your service account credentials as a JSON file, you can set up your module:
+
+
+#### Configuration options [_configuration_options_42]
+
+```yaml
+- module: google_workspace
+  saml:
+    enabled: true
+    var.jwt_file: "./credentials_file.json"
+    var.delegated_account: "user@example.com"
+  user_accounts:
+    enabled: true
+    var.jwt_file: "./credentials_file.json"
+    var.delegated_account: "user@example.com"
+  login:
+    enabled: true
+    var.jwt_file: "./credentials_file.json"
+    var.delegated_account: "user@example.com"
+  admin:
+    enabled: true
+    var.jwt_file: "./credentials_file.json"
+    var.delegated_account: "user@example.com"
+  drive:
+    enabled: true
+    var.jwt_file: "./credentials_file.json"
+    var.delegated_account: "user@example.com"
+  groups:
+    enabled: true
+    var.jwt_file: "./credentials_file.json"
+    var.delegated_account: "user@example.com"
+```
+
+Every fileset has the following configuration options:
+
+**`var.jwt_file`**
+:   Specifies the path to the JWT credentials file.
+
+**`var.delegated_account`**
+:   Email of the admin user used to access the API.
+
+**`var.http_client_timeout`**
+:   Duration of the time limit on HTTP requests made by the module. Defaults to `60s`.
+
+**`var.interval`**
+:   Duration between requests to the API. Defaults to `2h`.
+
+::::{note}
+Google Workspace defaults to a 2 hour polling interval because Google reports can go from some minutes up to 3 days of delay. For more details on this, you can read more [here](https://support.google.com/a/answer/7061566).
+::::
+
+
+**`var.user_key`**
+:   Specifies the user key to fetch reports from. Defaults to `all`.
+
+**`var.initial_interval`**
+:   It will poll events up to this time period when the module starts. This is to prevent polling too many or repeated events on module restarts. Defaults to `24h`.
+
+
+### Google Workspace Reports ECS fields [_google_workspace_reports_ecs_fields]
+
+This is a list of Google Workspace Reports fields that are mapped to ECS.
+
+| Google Workspace Reports | ECS Fields |  |
+| --- | --- | --- |
+| `items[].id.time` | `@timestamp` |  |
+| `items[].id.uniqueQualifier` | `event.id` |  |
+| `items[].id.applicationName` | `event.provider` |  |
+| `items[].events[].name` | `event.action` |  |
+| `items[].customerId` | `organization.id` |  |
+| `items[].ipAddress` | `source.ip`, related.ip`, `source.as.*`, `source.geo.*` |  |
+| `items[].actor.email` | `source.user.email`, `source.user.name`, `source.user.domain` |  |
+| `items[].actor.profileId` | `source.user.id` |  |
+
+These are the common ones to all filesets.
+
+
+## Fields [_fields_19]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-google_workspace.md) section.
+
diff --git a/docs/reference/filebeat/filebeat-module-haproxy.md b/docs/reference/filebeat/filebeat-module-haproxy.md
new file mode 100644
index 000000000000..f3d3a0fe031f
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-haproxy.md
@@ -0,0 +1,102 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-haproxy.html
+---
+
+# HAproxy module [filebeat-module-haproxy]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/haproxy.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `haproxy` module collects and parses logs from a (`haproxy`) process.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_14]
+
+The `haproxy` module was tested with logs from `haproxy` running on AWS Linux as a gateway to a cluster of microservices.
+
+The module was also tested with HAProxy 1.8, 1.9 and 2.0 running on a Debian.
+
+This module is not available for Windows.
+
+
+## Configure the module [configuring-haproxy-module]
+
+You can further refine the behavior of the `haproxy` module by specifying [variable settings](#haproxy-settings) in the `modules.d/haproxy.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The module is by default configured to run via syslog on port 9001. However it can also be configured to read from a file path. See the following example.
+
+```yaml
+- module: haproxy
+  log:
+    enabled: true
+    var.paths: ["/var/log/haproxy.log"]
+    var.input: "file"
+```
+
+
+### Variable settings [haproxy-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `haproxy` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `haproxy.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` fileset settings [_log_fileset_settings_4]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### Time zone support [_time_zone_support_6]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+## Example dashboard [_example_dashboard_7]
+
+This module comes with a sample dashboard showing geolocation, distribution of requests between backends and frontends, and status codes over time. For example:
+
+:::{image} images/kibana-haproxy-overview.png
+:alt: kibana haproxy overview
+:class: screenshot
+:::
+
+
+## Fields [_fields_20]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-haproxy.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-ibmmq.md b/docs/reference/filebeat/filebeat-module-ibmmq.md
new file mode 100644
index 000000000000..0eeeb897ed3e
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-ibmmq.md
@@ -0,0 +1,73 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-ibmmq.html
+---
+
+# IBM MQ module [filebeat-module-ibmmq]
+
+The `ibmmq` module collects and parses the queue manager error logs from IBM MQ in the standard format.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_15]
+
+This module has been tested with IBM MQ v9.1.0.0, but it should be compatible with older versions.
+
+
+## Configure the module [configuring-ibmmq-module]
+
+You can further refine the behavior of the `ibmmq` module by specifying [variable settings](#ibmmq-settings) in the `modules.d/ibmmq.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/ibmmq.yml` file to override the default paths for IBM MQ errorlog:
+
+```yaml
+- module: ibmmq
+  errorlog:
+    enabled: true
+    var.paths: ["C:/ibmmq/logs/*.log"]
+```
+
+
+### Variable settings [ibmmq-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `ibmmq` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `ibmmq.errorlog.var.paths` instead of `errorlog.var.paths`.
+::::
+
+
+
+### `errorlog` fileset settings [_errorlog_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+## Example dashboard [_example_dashboard_8]
+
+This module comes with a sample dashboard. For example:
+
+:::{image} images/filebeat-ibmmq.png
+:alt: filebeat ibmmq
+:class: screenshot
+:::
+
+
+## Fields [_fields_21]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-ibmmq.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-icinga.md b/docs/reference/filebeat/filebeat-module-icinga.md
new file mode 100644
index 000000000000..f611d5458fe6
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-icinga.md
@@ -0,0 +1,100 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-icinga.html
+---
+
+# Icinga module [filebeat-module-icinga]
+
+The `icinga` module parses the main, debug, and startup logs of [Icinga](https://www.icinga.com/products/icinga-2/).
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_16]
+
+The `icinga` module was tested with Icinga >= 2.x on various Linux and Windows systems.
+
+This module is not available for macOS.
+
+
+## Configure the module [configuring-icinga-module]
+
+You can further refine the behavior of the `icinga` module by specifying [variable settings](#icinga-settings) in the `modules.d/icinga.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/icinga.yml` file to override the default paths for logs:
+
+```yaml
+- module: icinga
+  main:
+    enabled: true
+    var.paths: ["/path/to/log/icinga2/icinga2.log*"]
+  debug:
+    enabled: true
+    var.paths: ["/path/to/log/icinga2/debug.log*"]
+  startup:
+    enabled: true
+    var.paths: ["/path/to/log/icinga2/startup.log"]
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "icinga.main.var.paths=[/path/to/log/icinga2/icinga2.log*]" -M "icinga.debug.var.paths=[/path/to/log/icinga2/debug.log*]" -M "icinga.startup.var.paths=[/path/to/log/icinga2/startup.log]"
+```
+
+
+### Variable settings [icinga-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `icinga` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `icinga.main.var.paths` instead of `main.var.paths`.
+::::
+
+
+
+### `main` log fileset settings [_main_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### `debug` log fileset settings [_debug_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### `startup` log fileset settings [_startup_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+## Example dashboard [_example_dashboard_9]
+
+This module comes with sample dashboards. For example:
+
+:::{image} images/kibana-icinga-main.png
+:alt: kibana icinga main
+:class: screenshot
+:::
+
+
+## Fields [_fields_22]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-icinga.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-iis.md b/docs/reference/filebeat/filebeat-module-iis.md
new file mode 100644
index 000000000000..9b182289ef8d
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-iis.md
@@ -0,0 +1,107 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-iis.html
+---
+
+# IIS module [filebeat-module-iis]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/iis.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `iis` module parses access and error logs created by the Internet Information Services (IIS) HTTP server.
+
+::::{important}
+The `iis` module currently supports only the default W3C log format.
+
+::::
+
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_17]
+
+The IIS module was tested with logs from version 7.5 and version 10.
+
+
+## Configure the module [configuring-iis-module]
+
+You can further refine the behavior of the `iis` module by specifying [variable settings](#iis-settings) in the `modules.d/iis.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/iis.yml` file to override the default paths for IIS access logs and error logs:
+
+```yaml
+- module: iis
+  access:
+    enabled: true
+    var.paths: ["C:/inetpub/logs/LogFiles/*/*.log"]
+  error:
+    enabled: true
+    var.paths: ["C:/Windows/System32/LogFiles/HTTPERR/*.log"]
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "iis.access.var.paths=[C:/inetpub/logs/LogFiles/*/*.log]" -M "iis.error.var.paths=[C:/Windows/System32/LogFiles/HTTPERR/*.log]"
+```
+
+
+### Variable settings [iis-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `iis` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `iis.access.var.paths` instead of `access.var.paths`.
+::::
+
+
+
+### `access` log fileset settings [_access_log_fileset_settings_2]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### `error` log fileset settings [_error_log_fileset_settings_2]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+## Example dashboard [_example_dashboard_10]
+
+This module comes with a sample dashboard. For example:
+
+:::{image} images/kibana-iis.png
+:alt: kibana iis
+:class: screenshot
+:::
+
+
+## Fields [_fields_23]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-iis.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-iptables.md b/docs/reference/filebeat/filebeat-module-iptables.md
new file mode 100644
index 000000000000..241ab2823c48
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-iptables.md
@@ -0,0 +1,113 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-iptables.html
+---
+
+# Iptables module [filebeat-module-iptables]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/iptables.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for iptables and ip6tables logs. It parses logs received over the network via syslog or from a file. Also, it understands the prefix added by some Ubiquiti firewalls, which includes the rule set name, rule number and the action performed on the traffic (allow/deny).
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default input to `syslog` and binds to `localhost` port `9001` (but don’t worry, you can override the defaults).
+* Uses an ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana.
+* Deploys dashboards for visualizing the log data.
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Configure the module [configuring-iptables-module]
+
+You can further refine the behavior of the `iptables` module by specifying [variable settings](#iptables-settings) in the `modules.d/iptables.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The module is by default configured to run via syslog on port 9001. However it can also be configured to read from a file path. See the following example.
+
+```yaml
+- module: iptables
+  log:
+    enabled: true
+    var.paths: ["/var/log/iptables.log"]
+    var.input: "file"
+```
+
+
+### Variable settings [iptables-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `iptables` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `iptables.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` log fileset settings [_log_log_fileset_settings_2]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.syslog_host`**
+:   The interface to listen to UDP based syslog traffic. Defaults to `localhost`. Set to `0.0.0.0` to bind to all available interfaces.
+
+**`var.syslog_port`**
+:   The UDP port to listen for syslog traffic. Defaults to `9001`
+
+::::{note}
+Ports below 1024 require Filebeat to run as root.
+::::
+
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[iptables, forwarded]`.
+
+
+### Time zone support [_time_zone_support_7]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+## Example dashboard [_example_dashboard_11]
+
+This module comes with sample dashboards showing geolocation and network protocols used. One for all iptables logs:
+
+:::{image} images/kibana-iptables.png
+:alt: kibana iptables
+:class: screenshot
+:::
+
+and one specific for Ubiquiti Firewall logs:
+
+:::{image} images/kibana-iptables-ubiquiti.png
+:alt: kibana iptables ubiquiti
+:class: screenshot
+:::
+
+
+## Fields [_fields_24]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-iptables.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-juniper.md b/docs/reference/filebeat/filebeat-module-juniper.md
new file mode 100644
index 000000000000..9850e4b0a969
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-juniper.md
@@ -0,0 +1,153 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-juniper.html
+---
+
+# Juniper module [filebeat-module-juniper]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/index.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for ingesting data from the different Juniper Products. Currently supports these filesets:
+
+* `srx` fileset: Supports Juniper SRX logs
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Configure the module [configuring-juniper-module]
+
+You can further refine the behavior of the `juniper` module by specifying [variable settings](#juniper-settings) in the `modules.d/juniper.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [juniper-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `juniper` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `juniper.{{fileset_ex}}.var.paths` instead of `{{fileset_ex}}.var.paths`.
+::::
+
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+
+### `srx` fileset settings [_srx_fileset_settings]
+
+The Juniper-SRX module only supports syslog messages in the format "structured-data + brief" [JunOS Documentation structured-data](https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html)
+
+To configure a remote syslog destination, please reference the [SRX Getting Started - Configure System Logging](https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502).
+
+The following processes and tags are supported:
+
+| JunOS processes | JunOS tags |  |
+| --- | --- | --- |
+| RT_FLOW | RT_FLOW_SESSION_CREATE |  |
+|  | RT_FLOW_SESSION_CLOSE |  |
+|  | RT_FLOW_SESSION_DENY |  |
+|  | APPTRACK_SESSION_CREATE |  |
+|  | APPTRACK_SESSION_CLOSE |  |
+|  | APPTRACK_SESSION_VOL_UPDATE |  |
+| RT_IDS | RT_SCREEN_TCP |  |
+|  | RT_SCREEN_UDP |  |
+|  | RT_SCREEN_ICMP |  |
+|  | RT_SCREEN_IP |  |
+|  | RT_SCREEN_TCP_DST_IP |  |
+|  | RT_SCREEN_TCP_SRC_IP |  |
+| RT_UTM | WEBFILTER_URL_PERMITTED |  |
+|  | WEBFILTER_URL_BLOCKED |  |
+|  | AV_VIRUS_DETECTED_MT |  |
+|  | CONTENT_FILTERING_BLOCKED_MT |  |
+|  | ANTISPAM_SPAM_DETECTED_MT |  |
+| RT_IDP | IDP_ATTACK_LOG_EVENT |  |
+|  | IDP_APPDDOS_APP_STATE_EVENT |  |
+| RT_AAMW | SRX_AAMW_ACTION_LOG |  |
+|  | AAMW_MALWARE_EVENT_LOG |  |
+|  | AAMW_HOST_INFECTED_EVENT_LOG |  |
+|  | AAMW_ACTION_LOG |  |
+| RT_SECINTEL | SECINTEL_ACTION_LOG |  |
+
+The syslog format choosen should be `Default`.
+
+
+## Compatibility [_compatibility_18]
+
+This module has been tested against JunOS version 19.x and 20.x. Versions above this are expected to work but have not been tested.
+
+```yaml
+- module: juniper
+  junos:
+    enabled: true
+    var.input: udp
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 9006
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.input`**
+:   The input to use, can be either the value `tcp`, `udp` or `file`.
+
+**`var.syslog_host`**
+:   The interface to listen to all syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
+
+**`var.syslog_port`**
+:   The port to listen for syslog traffic. Defaults to 9006.
+
+
+### Juniper SRX ECS fields [_juniper_srx_ecs_fields]
+
+This is a list of JunOS fields that are mapped to ECS.
+
+| Juniper SRX Fields | ECS Fields |  |
+| --- | --- | --- |
+| application-risk | event.risk_score |  |
+| bytes-from-client | source.bytes |  |
+| bytes-from-server | destination.bytes |  |
+| destination-interface-name | observer.egress.interface.name |  |
+| destination-zone-name | observer.egress.zone |  |
+| destination-address | destination.ip |  |
+| destination-port | destination.port |  |
+| dst_domainname | url.domain |  |
+| elapsed-time | event.duration |  |
+| filename | file.name |  |
+| nat-destination-address | destination.nat.ip |  |
+| nat-destination-port | destination.nat.port |  |
+| nat-source-address | source.nat.ip |  |
+| nat-source-port | source.nat.port |  |
+| message | message |  |
+| obj | url.path |  |
+| packets-from-client | source.packets |  |
+| packets-from-server | destination.packets |  |
+| policy-name | rule.name |  |
+| protocol | network.transport |  |
+| source-address | source.ip |  |
+| source-interface-name | observer.ingress.interface.name |  |
+| source-port | source.port |  |
+| source-zone-name | observer.ingress.zone |  |
+| url | url.domain |  |
+
+
+## Fields [_fields_25]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-juniper.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-kafka.md b/docs/reference/filebeat/filebeat-module-kafka.md
new file mode 100644
index 000000000000..644458c57c81
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-kafka.md
@@ -0,0 +1,121 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-kafka.html
+---
+
+# Kafka module [filebeat-module-kafka]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/kafka.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `kafka` module collects and parses the logs created by [Kafka](https://kafka.apache.org/).
+
+The module has additional support for parsing thread ID from logs.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_19]
+
+The `kafka` module was tested with logs from versions 0.9, 1.1.0 and 2.0.0.
+
+
+## Configure the module [configuring-kafka-module]
+
+You can further refine the behavior of the `kafka` module by specifying [variable settings](#kafka-settings) in the `modules.d/kafka.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/kafka.yml` file to override the default paths for logs:
+
+```yaml
+- module: kafka
+  log:
+    enabled: true
+    var.paths:
+      - "/path/to/logs/controller.log*"
+      - "/path/to/logs/server.log*"
+      - "/path/to/logs/state-change.log*"
+      - "/path/to/logs/kafka-*.log*"
+```
+
+To specify the same settings at the command line, you use:
+
+```yaml
+-M "kafka.log.var.paths=[/path/to/logs/controller.log*, /path/to/logs/server.log*, /path/to/logs/state-change.log*, /path/to/logs/kafka-*.log*]"
+```
+
+
+### Variable settings [kafka-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `kafka` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `kafka.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` fileset settings [_log_fileset_settings_5]
+
+**`var.kafka_home`**
+:   The path to your Kafka installation. The default is `/opt`. For example:
+
+    ```yaml
+    - module: kafka
+      log:
+        enabled: true
+        var.kafka_home: /usr/share/kafka_2.12-2.4.0
+        ...
+    ```
+
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### Time zone support [_time_zone_support_8]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+## Example dashboard [_example_dashboard_12]
+
+This module comes with a sample dashboard to see Kafka logs and stack traces.
+
+:::{image} images/filebeat-kafka-logs-overview.png
+:alt: filebeat kafka logs overview
+:class: screenshot
+:::
+
+
+## Fields [_fields_26]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-kafka.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-kibana.md b/docs/reference/filebeat/filebeat-module-kibana.md
new file mode 100644
index 000000000000..ad536c02d591
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-kibana.md
@@ -0,0 +1,72 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-kibana.html
+---
+
+# Kibana module [filebeat-module-kibana]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/kibana.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is the Kibana module.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_20]
+
+The Kibana modules is compatible with Kibana 6.3 and newer.
+
+
+## Configure the module [configuring-kibana-module]
+
+You can further refine the behavior of the `kibana` module by specifying [variable settings](#kibana-settings) in the `modules.d/kibana.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [kibana-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `kibana` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `kibana.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` fileset settings [_log_fileset_settings_6]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### `audit` fileset settings [_audit_fileset_settings_3]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+## Fields [_fields_27]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-kibana.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-logstash.md b/docs/reference/filebeat/filebeat-module-logstash.md
new file mode 100644
index 000000000000..b045bfa46b4c
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-logstash.md
@@ -0,0 +1,131 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-logstash.html
+---
+
+# Logstash module [filebeat-module-logstash]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/logstash.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `logstash` modules parse logstash regular logs and the slow log, it will support the plain text format and the JSON format.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+The `logstash` module has two filesets:
+
+* The `log` fileset collects and parses the logs that Logstash writes to disk.
+* The `slowlog` fileset parses the logstash slowlog.
+
+For the `slowlog` fileset, make sure to configure the [Logstash slowlog option](logstash://reference/logging.md#_slowlog).
+
+
+## Compatibility [_compatibility_21]
+
+The Logstash `log` fileset was tested with logs from Logstash 5.6 and 6.0.
+
+The Logstash `slowlog` fileset was tested with logs from Logstash 5.6 and 6.0
+
+
+## Configure the module [configuring-logstash-module]
+
+You can further refine the behavior of the `logstash` module by specifying [variable settings](#logstash-settings) in the `modules.d/logstash.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/logstash.yml` file to override the default paths for Logstash logs.
+
+```yaml
+- module: logstash
+  log:
+    enabled: true
+    var.paths: ["/path/to/log/logstash.log*"]
+  slowlog:
+    enabled: true
+    var.paths: ["/path/to/log/logstash-slowlog.log*"]
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "logstash.log.var.paths=[/path/to/log/logstash/logstash-server.log*]" -M "logstash.slowlog.var.paths=[/path/to/log/logstash/logstash-slowlog.log*]"
+```
+
+
+### Variable settings [logstash-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `logstash` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `logstash.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` fileset settings [_log_fileset_settings_7]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### `slowlog` fileset settings [_slowlog_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### Time zone support [_time_zone_support_9]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+## Example dashboards [_example_dashboards]
+
+This module comes with two sample dashboards.
+
+:::{image} images/kibana-logstash-log.png
+:alt: kibana logstash log
+:class: screenshot
+:::
+
+:::{image} images/kibana-logstash-slowlog.png
+:alt: kibana logstash slowlog
+:class: screenshot
+:::
+
+
+## Known issues [_known_issues]
+
+When using the `log` fileset to parse plaintext logs, if a multiline plaintext log contains an embedded JSON object such that the JSON object starts on a new line, the fileset may not parse the multiline plaintext log event correctly.
+
+
+## Fields [_fields_28]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-logstash.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-microsoft.md b/docs/reference/filebeat/filebeat-module-microsoft.md
new file mode 100644
index 000000000000..7930175759ac
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-microsoft.md
@@ -0,0 +1,231 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-microsoft.html
+---
+
+# Microsoft module [filebeat-module-microsoft]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/m365_defender.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for ingesting data from the different Microsoft Products. Currently supports these filesets:
+
+* `defender_atp` fileset: Supports Microsoft Defender for Endpoint (Microsoft Defender ATP)
+* `m365_defender` fileset: Supports Microsoft 365 Defender (Microsoft Threat Protection)
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Configure the module [configuring-microsoft-module]
+
+You can further refine the behavior of the `microsoft` module by specifying [variable settings](#microsoft-settings) in the `modules.d/microsoft.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [microsoft-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `microsoft` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `microsoft.defender_atp.var.paths` instead of `defender_atp.var.paths`.
+::::
+
+
+
+### `m365_defender` fileset settings [_m365_defender_fileset_settings]
+
+To configure access for Filebeat to Microsoft 365 Defender you will have to create a new Azure Application registration, this will again return Oauth tokens with access to the Microsoft 365 Defender API
+
+The procedure to create an application is found on the below link:
+
+[Create a new Azure Application](https://docs.microsoft.com/en-us/microsoft-365/security/mtp/api-create-app-web?view=o365-worldwide#create-an-app)
+
+When giving the application the API permissions described in the documentation (Incident.Read.All) it will only grant access to read Incidents from 365 Defender and nothing else in the Azure Domain.
+
+After the application has been created, it should contain 3 values that you need to apply to the module configuration.
+
+These values are:
+
+* Client ID
+* Client Secret
+* Tenant ID
+
+Example config:
+
+```yaml
+- module: microsoft
+  m365_defender:
+    enabled: true
+    var.oauth2.client.id: "123abc-879546asd-349587-ad64508"
+    var.oauth2.client.secret: "980453~-Sg99gedf"
+    var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/v2.0/token"
+    var.oauth2.scopes:
+      - "https://api.security.microsoft.com/.default"
+```
+
+**`var.oauth2.client.id`**
+:   This is the client ID related to creating a new application on Azure.
+
+**`var.oauth2.client.secret`**
+:   The secret related to the client ID.
+
+**`var.oauth2.token_url`**
+:   A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL.
+
+**`var.oauth2.scopes`**
+:   A list of included scopes, should use .default unless different is specified.
+
+
+### 365 Defender ECS fields [_365_defender_ecs_fields]
+
+This is a list of 365 Defender fields that are mapped to ECS.
+
+| 365 Defender Fields | ECS Fields |  |
+| --- | --- | --- |
+| lastUpdateTime | @timestamp |  |
+| severity | event.severity |  |
+| createdTime | event.created |  |
+| alerts.category | threat.technique.name |  |
+| alerts.description | rule.description |  |
+| alerts.serviceSource | event.provider |  |
+| alerts.alertId | event.id |  |
+| alerts.firstActivity | event.start |  |
+| alerts.lastActivity | event.end |  |
+| alerts.title | message |  |
+| entities.processId | process.pid |  |
+| entities.processCommandLine | process.command_line |  |
+| entities.processCreationTime | process.start |  |
+| entities.parentProcessId | process.parent.pid |  |
+| entities.parentProcessCreationTime | process.parent.start |  |
+| entities.sha1 | file.hash.sha1 |  |
+| entities.sha256 | file.hash.sha256 |  |
+| entities.url | url.full |  |
+| entities.filePath | file.path |  |
+| entities.fileName | file.name |  |
+| entities.userPrincipalName | host.user.name |  |
+| entities.domainName | host.user.domain |  |
+| entities.aadUserId | host.user.id |  |
+
+
+### `defender_atp` fileset settings [_defender_atp_fileset_settings]
+
+To allow the filebeat module to ingest data from the Microsoft Defender API, you would need to create a new application on your Azure domain.
+
+The procedure to create an application is found on the below link:
+
+[Create a new Azure Application](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp)
+
+When giving the application the API permissions described in the documentation (Windows Defender ATP Alert.Read.All) it will only grant access to read alerts from ATP and nothing else in the Azure Domain.
+
+After the application has been created, it should contain 3 values that you need to apply to the module configuration.
+
+These values are:
+
+* Client ID
+* Client Secret
+* Tenant ID
+
+Example config:
+
+```yaml
+- module: microsoft
+  defender_atp:
+    enabled: true
+    var.oauth2.client.id: "123abc-879546asd-349587-ad64508"
+    var.oauth2.client.secret: "980453~-Sg99gedf"
+    var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"
+```
+
+**`var.oauth2.client.id`**
+:   This is the client ID related to creating a new application on Azure.
+
+**`var.oauth2.client.secret`**
+:   The secret related to the client ID.
+
+**`var.oauth2.token_url`**
+:   A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL.
+
+
+### Defender ATP ECS fields [_defender_atp_ecs_fields]
+
+This is a list of Defender ATP fields that are mapped to ECS.
+
+| Defender ATP Fields | ECS Fields |  |
+| --- | --- | --- |
+| alertCreationTime | @timestamp |  |
+| aadTenantId | cloud.account.id |  |
+| category | threat.technique.name |  |
+| computerDnsName | host.hostname |  |
+| description | rule.description |  |
+| detectionSource | observer.name |  |
+| evidence.fileName | file.name |  |
+| evidence.filePath | file.path |  |
+| evidence.processId | process.pid |  |
+| evidence.processCommandLine | process.command_line |  |
+| evidence.processCreationTime | process.start |  |
+| evidence.parentProcessId | process.parent.pid |  |
+| evidence.parentProcessCreationTime | process.parent.start |  |
+| evidence.sha1 | file.hash.sha1 |  |
+| evidence.sha256 | file.hash.sha256 |  |
+| evidence.url | url.full |  |
+| firstEventTime | event.start |  |
+| id | event.id |  |
+| lastEventTime | event.end |  |
+| machineId | cloud.instance.id |  |
+| relatedUser.userName | host.user.name |  |
+| relatedUser.domainName | host.user.domain |  |
+| title | message |  |
+| severity | event.severity |  |
+
+
+## Dashboards [_dashboards_4]
+
+This module comes with a sample dashboard for Defender ATP.
+
+:::{image} images/filebeat-defender-atp-overview.png
+:alt: filebeat defender atp overview
+:class: screenshot
+:::
+
+The best way to view Defender ATP events and alert data is in the SIEM.
+
+:::{image} images/siem-alerts-cs.jpg
+:alt: siem alerts cs
+:class: screenshot
+:::
+
+For alerts, go to Detections → External alerts.
+
+:::{image} images/siem-events-cs.jpg
+:alt: siem events cs
+:class: screenshot
+:::
+
+And for all other Defender ATP event types, go to Host → Events.
+
+
+## Fields [_fields_29]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-microsoft.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-misp.md b/docs/reference/filebeat/filebeat-module-misp.md
new file mode 100644
index 000000000000..10daa86c4512
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-misp.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-misp.html
+---
+
+# MISP module [filebeat-module-misp]
+
+::::{admonition} Deprecated in 7.14.0.
+:class: warning
+
+This module is deprecated. Use the [Threat Intel module](/reference/filebeat/filebeat-module-threatintel.md) instead.
+::::
+
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is a filebeat module for reading threat intel information from the MISP platform ([https://www.circl.lu/doc/misp/](https://www.circl.lu/doc/misp/)). It uses the httpjson input to access the MISP REST API interface.
+
+The configuration in the config.yml file uses the following format:
+
+* var.api_key: specifies the API key to access MISP.
+* var.http_request_body: an object containing any parameter that needs to be sent to the search API. Default: `limit: 1000`
+* var.url: URL of the MISP REST API, e.g., "http://x.x.x.x/attributes/restSearch"
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Example dashboard [_example_dashboard_13]
+
+This module comes with a sample dashboard. For example:
+
+:::{image} images/kibana-misp.png
+:alt: kibana misp
+:class: screenshot
+:::
+
+
+## Fields [_fields_30]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-misp.md) section.
+
diff --git a/docs/reference/filebeat/filebeat-module-mongodb.md b/docs/reference/filebeat/filebeat-module-mongodb.md
new file mode 100644
index 000000000000..073d84e6802d
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-mongodb.md
@@ -0,0 +1,92 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-mongodb.html
+---
+
+# MongoDB module [filebeat-module-mongodb]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/mongodb.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `mongodb` module collects and parses logs created by [MongoDB](https://www.mongodb.com/).
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_22]
+
+The `mongodb` module was tested with plaintext logs from version v3.2.11 on Debian and json logs from version v4.4.4 on Ubuntu.
+
+
+## Configure the module [configuring-mongodb-module]
+
+You can further refine the behavior of the `mongodb` module by specifying [variable settings](#mongodb-settings) in the `modules.d/mongodb.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/mongodb.yml` file to override the default paths for MongoDB logs:
+
+```yaml
+- module: mongodb
+  log:
+    enabled: true
+    var.paths: ["/path/to/log/mongodb/*.log*"]
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "mongodb.log.var.paths=[/path/to/log/mongodb/*.log*]"
+```
+
+
+### Variable settings [mongodb-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `mongodb` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `mongodb.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` log fileset settings [_log_log_fileset_settings_3]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+## Example dashboard [_example_dashboard_14]
+
+This module comes with one sample dashboard including error and regular logs.
+
+:::{image} images/filebeat-mongodb-overview.png
+:alt: filebeat mongodb overview
+:class: screenshot
+:::
+
+
+## Fields [_fields_31]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-mongodb.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-mssql.md b/docs/reference/filebeat/filebeat-module-mssql.md
new file mode 100644
index 000000000000..f9554ee3c3d9
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-mssql.md
@@ -0,0 +1,75 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-mssql.html
+---
+
+# MSSQL module [filebeat-module-mssql]
+
+The `mssql` module parses error logs created by MSSQL.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Configure the module [configuring-mssql-module]
+
+You can further refine the behavior of the `mssql` module by specifying [variable settings](#mssql-settings) in the `modules.d/mssql.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/mssql.yml` file to override the default paths for MSSQL logs:
+
+```yaml
+- module: mssql
+  log:
+    enabled: true
+    var.paths: ['C:\Program Files\Microsoft SQL Server\MSSQL.150\MSSQL\LOG\ERRORLOG*']
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "mssql.log.var.paths=['C:\Program Files\Microsoft SQL Server\MSSQL.150\MSSQL\LOG\ERRORLOG*']"
+```
+
+
+### Variable settings [mssql-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `mssql` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `mssql.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` fileset settings [_log_fileset_settings_8]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### Time zone support [_time_zone_support_10]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+## Fields [_fields_32]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-mssql.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-mysql.md b/docs/reference/filebeat/filebeat-module-mysql.md
new file mode 100644
index 000000000000..6aed696bf8c4
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-mysql.md
@@ -0,0 +1,103 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-mysql.html
+---
+
+# MySQL module [filebeat-module-mysql]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/mysql.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `mysql` module collects and parses the slow logs and error logs created by [MySQL](https://www.mysql.com/).
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_23]
+
+The  `mysql` module was tested with logs from MySQL 5.5, 5.7 and 8.0, MariaDB 10.1, 10.2 and 10.3, and Percona 5.7 and 8.0.
+
+On Windows, the module was tested with MySQL installed from the Chocolatey repository.
+
+
+## Configure the module [configuring-mysql-module]
+
+You can further refine the behavior of the `mysql` module by specifying [variable settings](#mysql-settings) in the `modules.d/mysql.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/mysql.yml` file to override the default paths for slow logs and error logs:
+
+```yaml
+- module: mysql
+  error:
+    enabled: true
+    var.paths: ["/path/to/log/mysql/error.log*"]
+  slowlog:
+    enabled: true
+    var.paths: ["/path/to/log/mysql/mysql-slow.log*"]
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "mysql.error.var.paths=[/path/to/log/mysql/error.log*]" -M "mysql.slowlog.var.paths=[/path/to/log/mysql/mysql-slow.log*]"
+```
+
+
+### Variable settings [mysql-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `mysql` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `mysql.error.var.paths` instead of `error.var.paths`.
+::::
+
+
+
+### `error` log fileset settings [_error_log_fileset_settings_3]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### `slowlog` fileset settings [_slowlog_fileset_settings_2]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+## Example dashboard [_example_dashboard_15]
+
+This module comes with a sample dashboard. For example:
+
+:::{image} images/kibana-mysql.png
+:alt: kibana mysql
+:class: screenshot
+:::
+
+
+## Fields [_fields_33]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-mysql.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-mysqlenterprise.md b/docs/reference/filebeat/filebeat-module-mysqlenterprise.md
new file mode 100644
index 000000000000..67fd2f844f1f
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-mysqlenterprise.md
@@ -0,0 +1,83 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-mysqlenterprise.html
+---
+
+# MySQL Enterprise module [filebeat-module-mysqlenterprise]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is a module for different types of MySQL logs. Currently focusing on data from the MySQL Enterprise Audit Plugin in JSON format.
+
+To configure the the Enterprise Audit Plugin to output in JSON format please follow the directions in the [MySQL Documentation.](https://dev.mysql.com/doc/refman/8.0/en/audit-log-file-formats.md)
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_24]
+
+This module has been tested against MySQL Enterprise 5.7.x and 8.0.x
+
+
+## Configure the module [configuring-mysqlenterprise-module]
+
+You can further refine the behavior of the `mysqlenterprise` module by specifying [variable settings](#mysqlenterprise-settings) in the `modules.d/mysqlenterprise.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [mysqlenterprise-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `mysqlenterprise` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `mysqlenterprise.audit.var.paths` instead of `audit.var.paths`.
+::::
+
+
+
+### `audit` fileset settings [_audit_fileset_settings_4]
+
+Example config:
+
+```yaml
+- module: mysqlenterprise
+  audit:
+    var.input: file
+    var.paths: /home/user/mysqlauditlogs/audit.*.log
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[mysqlenterprise-audit]`.
+
+
+### MySQL Enterprise ECS Fields [_mysql_enterprise_ecs_fields]
+
+MySQL Enterprise Audit fields are mapped to ECS in the following way:
+
+| MySQL Enterprise Fields | ECS Fields |  |
+| --- | --- | --- |
+| account.user | server.user.name |  |
+| account.host | client.domain |  |
+| login.os | client.user.name |  |
+| login.ip | client.ip |  |
+| startup_data.os_version | host.os.full |  |
+| startup_data.args | process.args |  |
+| connection_attributes._pid | process.pid |  |
+| timestamp | @timestamp |  |
+
+
+## Fields [_fields_34]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-mysqlenterprise.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-nats.md b/docs/reference/filebeat/filebeat-module-nats.md
new file mode 100644
index 000000000000..bb271b4e441c
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-nats.md
@@ -0,0 +1,75 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-nats.html
+---
+
+# NATS module [filebeat-module-nats]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/nats.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is the NATS module.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_25]
+
+The `nats` module was tested with logs from version v1.4.0.
+
+
+## Configure the module [configuring-nats-module]
+
+You can further refine the behavior of the `nats` module by specifying [variable settings](#nats-settings) in the `modules.d/nats.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [nats-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `nats` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `nats.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` log fileset settings [_log_log_fileset_settings_4]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+## Dashboard [_dashboard]
+
+The `nats` module comes with a predefined dashboard. For example:
+
+:::{image} images/filebeat_nats_dashboard.png
+:alt: filebeat nats dashboard
+:::
+
+
+## Fields [_fields_35]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-nats.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-netflow.md b/docs/reference/filebeat/filebeat-module-netflow.md
new file mode 100644
index 000000000000..b24951fa8836
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-netflow.md
@@ -0,0 +1,98 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-netflow.html
+---
+
+# NetFlow module [filebeat-module-netflow]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/netflow.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for receiving NetFlow and IPFIX flow records over UDP. This input supports NetFlow versions 1, 5, 6, 7, 8 and 9, as well as IPFIX. For NetFlow versions older than 9, fields are mapped automatically to NetFlow v9.
+
+This module wraps the [netflow input](/reference/filebeat/filebeat-input-netflow.md) to enrich the flow records with geolocation information about the IP endpoints by using an {{es}} ingest pipeline.
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Configure the module [configuring-netflow-module]
+
+You can further refine the behavior of the `netflow` module by specifying [variable settings](#netflow-settings) in the `modules.d/netflow.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [netflow-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `netflow` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `netflow.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` fileset settings [_log_fileset_settings_9]
+
+The fileset is by default configured to listen for UDP traffic on `localhost:2055`. For most uses cases you will want to set the `netflow_host` variable to allow the input bind to all interfaces so that it can receive traffic from network devices.
+
+```yaml
+- module: netflow
+  log:
+    enabled: true
+    var:
+      netflow_host: 0.0.0.0
+      netflow_port: 2055
+```
+
+`var.netflow_host`
+:   Address to bind to. Defaults to `localhost`.
+
+`var.netflow_port`
+:   Port to listen on. Defaults to `2055`.
+
+`var.max_message_size`
+:   The maximum size of the message received over UDP. The default is `10KiB`.
+
+`var.read_buffer`
+:   The size of the read buffer on the UDP socket.
+
+`var.timeout`
+:   The read and write timeout for socket operations.
+
+`var.expiration_timeout`
+:   The time before an idle session or unused template is expired. Only applicable to v9 and IPFIX protocols. A value of zero disables expiration.
+
+`var.queue_size`
+:   The maximum number of packets that can be queued for processing. Use this setting to avoid packet-loss when dealing with occasional bursts of traffic.
+
+`var.custom_definitions`
+:   A list of paths to field definitions YAML files. These allow to update the NetFlow/IPFIX fields with vendor extensions and to override existing fields. See [netflow input](/reference/filebeat/filebeat-input-netflow.md) for details.
+
+`var.detect_sequence_reset`
+:   Flag controlling whether Filebeat should monitor sequence numbers in the Netflow packets to detect an Exporting Process reset. See [netflow input](/reference/filebeat/filebeat-input-netflow.md) for details.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the values of `source.locality`, `destination.locality`, and `flow.locality`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[forwarded]`.
+
+
+## Fields [_fields_36]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-netflow.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-nginx.md b/docs/reference/filebeat/filebeat-module-nginx.md
new file mode 100644
index 000000000000..dd524f0d3008
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-nginx.md
@@ -0,0 +1,133 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-nginx.html
+---
+
+# Nginx module [filebeat-module-nginx]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/nginx.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `nginx` module parses access and error logs created by the [Nginx](http://nginx.org/) HTTP server.
+
+`ingress_controller` fileset parses access logs created by [ingress-nginx](https://github.com/kubernetes/ingress-nginx) controller. Log patterns could be found on the controllers' [docs](https://github.com/kubernetes/ingress-nginx/blob/nginx-0.28.0/docs/user-guide/nginx-configuration/log-format.md).
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_26]
+
+The Nginx module was tested with logs from version 1.10.
+
+On Windows, the module was tested with Nginx installed from the Chocolatey repository.
+
+`ingress_controller` fileset was tested with version v0.28.0 and v0.34.1 of `nginx-ingress-controller`.
+
+
+## Configure the module [configuring-nginx-module]
+
+You can further refine the behavior of the `nginx` module by specifying [variable settings](#nginx-settings) in the `modules.d/nginx.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/nginx.yml` file to override the default paths for access logs and error logs:
+
+```yaml
+- module: nginx
+  access:
+    enabled: true
+    var.paths: ["/path/to/log/nginx/access.log*"]
+  error:
+    enabled: true
+    var.paths: ["/path/to/log/nginx/error.log*"]
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "nginx.access.var.paths=[/path/to/log/nginx/access.log*]" -M "nginx.error.var.paths=[/path/to/log/nginx/error.log*]"
+```
+
+The following example shows how to configure `ingress_controller` fileset which can be used in Kubernetes environments to parse ingress-nginx logs:
+
+```yaml
+- module: nginx
+  ingress_controller:
+    enabled: true
+    var.paths: ["/path/to/log/nginx/ingress.log"]
+```
+
+
+### Variable settings [nginx-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `nginx` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `nginx.access.var.paths` instead of `access.var.paths`.
+::::
+
+
+
+### `access` log fileset settings [_access_log_fileset_settings_3]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### `error` log fileset [_error_log_fileset]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### `ingress_controller` log fileset [_ingress_controller_log_fileset]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### Time zone support [_time_zone_support_11]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+## Example dashboard [_example_dashboard_16]
+
+This module comes with sample dashboards. For example:
+
+:::{image} images/kibana-nginx.png
+:alt: kibana nginx
+:class: screenshot
+:::
+
+
+## Fields [_fields_37]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-nginx.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-o365.md b/docs/reference/filebeat/filebeat-module-o365.md
new file mode 100644
index 000000000000..f9517ab5640e
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-o365.md
@@ -0,0 +1,197 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-o365.html
+---
+
+# Office 365 module [filebeat-module-o365]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/o365.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for Office 365 logs received via one of the Office 365 API endpoints. It currently supports user, admin, system, and policy actions and events from Office 365 and Azure AD activity logs exposed by the Office 365 Management Activity API.
+
+The [ingest-geoip](elasticsearch://reference/ingestion-tools/enrich-processor/geoip-processor.md) and [ingest-user_agent](elasticsearch://reference/ingestion-tools/enrich-processor/user-agent-processor.md) Elasticsearch plugins are required to run this module.
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Configure the module [configuring-o365-module]
+
+You can further refine the behavior of the `o365` module by specifying [variable settings](#o365-settings) in the `modules.d/o365.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [o365-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `o365` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `o365.audit.var.paths` instead of `audit.var.paths`.
+::::
+
+
+
+### `audit` fileset settings [_audit_fileset_settings_5]
+
+The `audit` fileset uses the Office 365 Management Activity API to retrieve audit messages from Office 365 and Azure AD activity logs. These are the same logs that are available under *Audit* *Log* *Search* in the *Security* *and* *Compliance* *Center.*
+
+
+#### Setup [_setup_4]
+
+To use this fileset you need to [enable Audit Log Search](https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide#turn-on-audit-log-search) and [register an application in Azure AD.](https://docs.microsoft.com/en-us/office/office-365-management-api/get-started-with-office-365-management-apis#register-your-application-in-azure-ad)
+
+Once this application is registered note the *Application (client) ID* and the *Directory (tenant) ID.* Then configure the authentication in the *Certificates & Secrets* section.
+
+Example configuration `o365.yml` using client-secret authentication:
+
+```yaml
+  audit:
+    enabled: true
+    var.application_id: "<My Azure AD Application ID>"
+    var.tenants:
+      - id: "<My Tenant ID>"
+        name: "mytenant.onmicrosoft.com"
+    var.client_secret: "<My client secret>"
+```
+
+Certificate-based authentication is specially useful when monitoring multiple tenants. Example configuration:
+
+```yaml
+  audit:
+    enabled: true
+    var.application_id: "<My Azure AD Application ID>"
+    var.tenants:
+      - id: "<Tenant A ID>"
+        name: "tenantA.onmicrosoft.com"
+      - id: "<Tenant B ID>"
+        name: "tenantB.onmicrosoft.com"
+    var.certificate: "/path/to/certificate.pem"
+    var.key: "/path/to/private_key.pem"
+    var.key_passphrase: "my_passphrase" # (optional) for encrypted keys
+```
+
+Finally you need to add permissions in the *API permissions* section and grant it admin consent. Click on *Add permission* and select *Office 365 Management APIs.* The needed permissions are:
+
+* User.Read
+* ActivityFeed.Read
+* ActivityFeed.ReadDlp
+* ServiceHealth.Read
+
+:::{image} images/filebeat-o365-azure-permissions.png
+:alt: filebeat o365 azure permissions
+:class: screenshot
+:::
+
+Once the required permissions are added, click the *Grant admin consent* button. Note that it can take a while for the required permissions to be in effect, so it’s possible that you observe some permission errors when running Filebeat right away.
+
+
+#### Alternative endpoints [_alternative_endpoints]
+
+This module supports custom endpoints for on-prem deployments as well as alternative endpoints (GCC High endponts, U.S. DoD, European Union, etc). In order to point the module to an alternative endpoint, you need to adjust the `authentication_endpoint` and `resource` variables accordingly. For example:
+
+```yaml
+    var.api:
+      # default is https://login.microsoftonline.com/
+      authentication_endpoint: https://login.microsoftonline.us/
+      # default is https://manage.office.com
+      resource: https://manage.office365.us
+```
+
+
+#### Configuration options [_configuration_options_43]
+
+**`var.application_id`**
+:   The Application ID (also known as client ID) of the Azure application.
+
+**`var.tenants`**
+:   A list of one or more tenant IDs and name pairs. Set the `id` field to the tenant ID (also known as Directory ID). Set the name to the host name for the tenant, that is, the Office 365 domain for your organization.
+
+**`var.client_secret`**
+:   The client-secret (api_key) used to authenticate your Azure AD application. This option cannot be specified at the same time as the `var.certificate` option.
+
+**`var.certificate`**
+:   Path to the certificate file used for client authentication. This option cannot be specified at the same time as the `var.client_secret` option.
+
+**`var.key`**
+:   Path to the private key file used for client authentication.
+
+**`var.key_passphrase`**
+:   The passphrase used to decrypt an encrypted key stored in the configured `var.key` file. Only set this option when the key is encrypted.
+
+**`var.content_type`**
+:   The list of content-types to subscribe to. By default, it subscribes to all known content-types:
+
+    * Audit.AzureActiveDirectory
+    * Audit.Exchange
+    * Audit.SharePoint
+    * Audit.General
+    * DLP.All
+
+
+
+#### Advanced configuration options [_advanced_configuration_options]
+
+The following configuration options are only recomended in case of problems. They must be nested under a single `var.api` key, like this:
+
+```yaml
+    var.api:
+      authentication_endpoint: https://login.microsoftonline.com/
+      resource: https://manage.office.com
+      max_retention: 168h
+      poll_interval: 3m
+      max_requests_per_minute: 2000
+      max_query_size: 24h
+```
+
+**`var.api.authentication_endpoint`**
+:   The authentication endpoint used to authorize the Azure app. This is `https://login.microsoftonline.com/` by default, and can be changed to access alternative endpoints.
+
+**`var.api.resource`**
+:   The API resource to retrieve information from. This is `https://manage.office.com` by default, and can be changed to access alternative endpoints.
+
+**`var.api.max_retention`**
+:   The maximum data retention period to support. `168h` by default. Filebeat will fetch all retained data for a tenant when run for the first time. The default is 7 days, which matches the standard period that Microsoft will keep the logs before deleting them. Only increase it if your tenant has a longer retention period.
+
+**`var.api.poll_interval`**
+:   The interval to wait before polling the API server for new events. Default `3m`.
+
+**`var.api.max_requests_per_minute`**
+:   The maximum number of requests to perform per minute, for each tenant. The default is `2000`, as this is the server-side limit per tenant.
+
+**`var.api.max_query_size`**
+:   The maximum time window that API allows in a single query. Defaults to `24h` to match Microsoft’s documented limit.
+
+
+## Example dashboard [_example_dashboard_17]
+
+This module comes with a sample dashboard:
+
+:::{image} images/filebeat-o365-audit.png
+:alt: filebeat o365 audit
+:class: screenshot
+:::
+
+
+## Fields [_fields_38]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-o365.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-okta.md b/docs/reference/filebeat/filebeat-module-okta.md
new file mode 100644
index 000000000000..91169ff894cf
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-okta.md
@@ -0,0 +1,115 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-okta.html
+---
+
+# Okta module [filebeat-module-okta]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/okta.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The Okta module collects events from the [Okta API](https://developer.okta.com/docs/reference/). Specifically this supports reading from the [Okta System Log API](https://developer.okta.com/docs/reference/api/system-log/).
+
+
+### Variable settings [okta-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `okta` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `okta.system.var.paths` instead of `system.var.paths`.
+::::
+
+
+
+### `system` fileset settings [_system_fileset_settings]
+
+The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. This module is implemented using the [httpjson](/reference/filebeat/filebeat-input-httpjson.md) input and is configured to paginate through the logs while honoring any [rate-limiting](https://developer.okta.com/docs/reference/rate-limits/) headers sent by Okta.
+
+This is an example configuration for the module.
+
+```yaml
+- module: okta
+  system:
+    var.url: https://yourOktaDomain/api/v1/logs
+    var.api_key: '00QCjAl4MlV-WPXM...0HmjFx-vbGua'
+```
+
+
+#### Configuration options [_configuration_options_44]
+
+**`var.url`**
+:   Specifies the URL to the Okta System Log API. Required.
+
+    ```yaml
+        var.url: https://mycompany.okta.com/api/v1/logs
+    ```
+
+
+**`var.api_key`**
+:   Specifies the Okta API token to use in requests to the API. Required. The token is used in an HTTP `Authorization` header with the `SSWS` scheme. See [ Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/) for information on how to obtain a token.
+
+    ```yaml
+        var.api_key: '00QCjAl4MlV-WPXM...0HmjFx-vbGua'
+    ```
+
+
+**`var.http_client_timeout`**
+:   Duration of the time limit on HTTP requests made by the module. Defaults to `60s`.
+
+**`var.interval`**
+:   Duration between requests to the API. Defaults to `60s`.
+
+**`var.keep_original_message`**
+:   Boolean flag indicating if the original JSON event string should be included in the `event.original` field. Defaults to `true`.
+
+**`var.ssl`**
+:   Configuration options for SSL parameters like the certificate authority to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to Okta. See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+
+    ```yaml
+        var.ssl:
+          supported_protocols: [TLSv1.2]
+    ```
+
+
+**`var.initial_interval`**
+:   An initial interval can be defined. The first time the module starts, will fetch events from the current moment minus the initial interval value. Following restarts will fetch events starting from the last event read. It defaults to `24h`.
+
+    ```yaml
+        var.initial_interval: 24h # will fetch events starting 24h ago.
+    ```
+
+
+**`input.request.rate_limit.early_limit`**
+:   You can override the default rate-limiting behavior in [HTTP JSON](/reference/filebeat/filebeat-input-httpjson.md). The default for the Okta module is to use up to 89% of the Okta rate-limit, which should avoid Okta Warnings on rate-limit usage.
+
+    ```
+        input.request.rate_limit.early_limit: 0.89
+    ```
+
+
+
+## Example dashboard [_example_dashboard_18]
+
+This module comes with a sample dashboard:
+
+:::{image} images/filebeat-okta-dashboard.png
+:alt: filebeat okta dashboard
+:class: screenshot
+:::
+
+
+## Fields [_fields_39]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-okta.md) section.
+
diff --git a/docs/reference/filebeat/filebeat-module-oracle.md b/docs/reference/filebeat/filebeat-module-oracle.md
new file mode 100644
index 000000000000..09efd10a0a8c
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-oracle.md
@@ -0,0 +1,86 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-oracle.html
+---
+
+# Oracle module [filebeat-module-oracle]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/oracle.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for ingesting Audit Trail logs from Oracle Databases.
+
+The module expects an *.aud audit file that is generated from Oracle Databases by default. If this has been disabled then please see the [Oracle Database Audit Trail Documentation](https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/introduction-to-auditing.html#GUID-8D96829C-9151-4FA4-BED9-831D088F12FF).
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_27]
+
+This module has been tested with Oracle Database 19c, and should work for 18c as well though it has not been tested.
+
+
+## Configure the module [configuring-oracle-module]
+
+You can further refine the behavior of the `oracle` module by specifying [variable settings](#oracle-settings) in the `modules.d/oracle.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [oracle-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `oracle` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `oracle.database_audit.var.paths` instead of `database_audit.var.paths`.
+::::
+
+
+
+### `database_audit` fileset settings [_database_audit_fileset_settings]
+
+Example config:
+
+```yaml
+- module: oracle
+  database_audit:
+    var.input: file
+    var.paths: /home/user/oracleauditlogs/*/*.aud
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[oracle-database-audit]`.
+
+
+### Oracle Database fields [_oracle_database_fields]
+
+Oracle Database fields are mapped to the current ECS Fields:
+
+| Oracle Fields | ECS Fields |  |
+| --- | --- | --- |
+| privilege | host.user.roles |  |
+| client_user | client.user.name |  |
+| userhost | client.ip/domain |  |
+| database_user | server.user.name |  |
+
+
+## Fields [_fields_40]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-oracle.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-osquery.md b/docs/reference/filebeat/filebeat-module-osquery.md
new file mode 100644
index 000000000000..f431417eb229
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-osquery.md
@@ -0,0 +1,97 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-osquery.html
+---
+
+# Osquery module [filebeat-module-osquery]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/osquery.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `osquery` module collects and decodes the result logs written by [osqueryd](https://osquery.readthedocs.io/en/latest/introduction/using-osqueryd/) in the JSON format. To set up osqueryd follow the osquery installation instructions for your operating system and configure the `filesystem` logging driver (the default). Make sure UTC timestamps are enabled.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_28]
+
+The  `osquery` module was tested with logs from osquery version 2.10.2. Since the results are written in the JSON format, it is likely that this module works with any version of osquery.
+
+This module is available on Linux, macOS, and Windows.
+
+
+## Configure the module [configuring-osquery-module]
+
+You can further refine the behavior of the `osquery` module by specifying [variable settings](#osquery-settings) in the `modules.d/osquery.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/osquery.yml` file to override the default paths for the syslog and authorization logs:
+
+```yaml
+- module: osquery
+  result:
+    enabled: true
+    var.paths: ["/path/to/osqueryd.results.log*"]
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "osquery.result.var.paths=[/path/to/osqueryd.results.log*]"
+```
+
+
+### Variable settings [osquery-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `osquery` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `osquery.result.var.paths` instead of `result.var.paths`.
+::::
+
+
+
+### `result` fileset settings [_result_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.use_namespace`**
+:   If true, all fields exported by this module are prefixed with `osquery.result`. Set to false to copy the fields in the root of the document. If enabled, this setting also disables the renaming of some fields (e.g. `hostIdentifier` to `host_identifier`).  Note that if you set this to false, the sample dashboards coming with this module won’t work correctly. The default is true.
+
+
+## Example dashboard [_example_dashboard_19]
+
+This module comes with a sample dashboard for visualizing the data collected by the "compliance" pack. To collect this data, enable the `it-compliance` pack in the osquery configuration file.
+
+:::{image} images/kibana-osquery-compatibility.png
+:alt: kibana osquery compatibility
+:class: screenshot
+:::
+
+
+## Fields [_fields_41]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-osquery.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-panw.md b/docs/reference/filebeat/filebeat-module-panw.md
new file mode 100644
index 000000000000..1a8e7a580a1e
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-panw.md
@@ -0,0 +1,206 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-panw.html
+---
+
+# Palo Alto Networks module [filebeat-module-panw]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/panw.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for Palo Alto Networks PAN-OS firewall monitoring logs received over Syslog or read from a file. It currently supports messages of Traffic and Threat types.
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_29]
+
+This module has been tested with logs generated by devices running PAN-OS versions 7.1 to 9.0 but limited compatibility is expected for earlier versions.
+
+The [ingest-geoip](elasticsearch://reference/ingestion-tools/enrich-processor/geoip-processor.md) Elasticsearch plugin is required to run this module.
+
+
+## Configure the module [configuring-panw-module]
+
+You can further refine the behavior of the `panw` module by specifying [variable settings](#panw-settings) in the `modules.d/panw.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The module is by default configured to run via syslog on port 9001. However it can also be configured to read logs from a file. See the following example.
+
+```yaml
+- module: panw
+  panos:
+    enabled: true
+    var.paths: ["/var/log/pan-os.log"]
+    var.input: "file"
+```
+
+
+### Variable settings [panw-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `panw` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `panw.panos.var.paths` instead of `panos.var.paths`.
+::::
+
+
+
+### `panos` fileset settings [_panos_fileset_settings]
+
+Example config:
+
+```yaml
+  panos:
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 514
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.syslog_host`**
+:   The interface to listen to UDP based syslog traffic. Defaults to `localhost`. Set to `0.0.0.0` to bind to all available interfaces.
+
+**`var.syslog_port`**
+:   The UDP port to listen for syslog traffic. Defaults to `9001`
+
+::::{note}
+Ports below 1024 require Filebeat to run as root.
+::::
+
+
+
+### Time zone support [_time_zone_support_12]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+## ECS field mappings [_ecs_field_mappings]
+
+These are the PAN-OS to ECS field mappings as well as those fields still not in ECS that are added under the `panw.panos` prefix:
+
+| PAN-OS Field | ECS Field | Non-standard field |
+| --- | --- | --- |
+| Receive Time | event.created |  |
+| Serial Number | observer.serial_number |  |
+| Type | event.category |  |
+| Subtype | event.action |  |
+| Generated Time | `@timestamp` |  |
+| Source IP | client.ip source.ip |  |
+| Destination IP | server.ip destination.ip |  |
+| NAT Source IP |  | panw.panos.source.nat.ip |
+| NAT Destination IP |  | panw.panos.destination.nat.ip |
+| Rule Name |  | panw.panos.ruleset |
+| Source User | client.user.name source.user.name |  |
+| Destination User | server.user.name destination.user.name |  |
+| Application | network.application |  |
+| Source Zone |  | panw.panos.source.zone |
+| Destination Zone |  | panw.panos.destination.zone |
+| Ingress Interface |  | panw.panos.source.interface |
+| Egress Interface |  | panw.panos.destination.interface |
+| Session ID |  | panw.panos.flow_id |
+| Source Port | client.port source.port |  |
+| Destination Port | destination.port server.port |  |
+| NAT Source Port |  | panw.panos.source.nat.port |
+| NAT Destination Port |  | panw.panos.destination.nat.port |
+| Flags | labels |  |
+| Protocol | network.transport |  |
+| Action | event.outcome |  |
+| Bytes | network.bytes |  |
+| Bytes Sent | client.bytes source.bytes |  |
+| Bytes Received | server.bytes destination.bytes |  |
+| Packets | network.packets |  |
+| Start Time | event.start |  |
+| Elapsed Time | event.duration |  |
+| Category |  | panw.panos.url.category |
+| Sequence Number |  | panw.panos.sequence_number |
+| Packets Sent | server.packets destination.packets |  |
+| Packets Received | client.packets source.packets |  |
+| Device Name | observer.hostname |  |
+
+| PAN-OS Field | ECS Field | Non-standard field |
+| --- | --- | --- |
+| Receive Time | event.created |  |
+| Serial Number | observer.serial_number |  |
+| Type | event.category |  |
+| Subtype | event.action |  |
+| Generated Time | `@timestamp` |  |
+| Source IP | client.ip source.ip |  |
+| Destination IP | server.ip destination.ip |  |
+| NAT Source IP |  | panw.panos.source.nat.ip |
+| NAT Destination IP |  | panw.panos.destination.nat.ip |
+| Rule Name |  | panw.panos.ruleset |
+| Source User | client.user.name source.user.name |  |
+| Destination User | server.user.name destination.user.name |  |
+| Application | network.application |  |
+| Source Zone |  | panw.panos.source.zone |
+| Destination Zone |  | panw.panos.destination.zone |
+| Ingress Interface |  | panw.panos.source.interface |
+| Egress Interface |  | panw.panos.destination.interface |
+| Session ID |  | panw.panos.flow_id |
+| Source Port | client.port source.port |  |
+| Destination Port | destination.port server.port |  |
+| NAT Source Port |  | panw.panos.source.nat.port |
+| NAT Destination Port |  | panw.panos.destination.nat.port |
+| Flags | labels |  |
+| Protocol | network.transport |  |
+| Action | event.outcome |  |
+| Miscellaneous | url.original | panw.panos.threat.resource |
+| Threat ID |  | panw.panos.threat.id |
+| Category |  | panw.panos.url.category |
+| Severity | log.level |  |
+| Direction | network.direction |  |
+| Source Location | source.geo.name |  |
+| Destination Location | destination.geo.name |  |
+| PCAP_id |  | panw.panos.network.pcap_id |
+| Filedigest |  | panw.panos.file.hash |
+| User Agent | user_agent.original |  |
+| File Type | file.type |  |
+| X-Forwarded-For | network.forwarded_ip |  |
+| Referer | http.request.referer |  |
+| Sender | source.user.email |  |
+| Subject |  | panw.panos.subject |
+| Recipient | destination.user.email |  |
+| Device Name | observer.hostname |  |
+
+
+## Example dashboard [_example_dashboard_20]
+
+This module comes with two sample dashboards:
+
+:::{image} images/filebeat-panw-traffic.png
+:alt: filebeat panw traffic
+:class: screenshot
+:::
+
+:::{image} images/filebeat-panw-threat.png
+:alt: filebeat panw threat
+:class: screenshot
+:::
+
+
+## Fields [_fields_42]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-panw.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-pensando.md b/docs/reference/filebeat/filebeat-module-pensando.md
new file mode 100644
index 000000000000..1784e738b7c7
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-pensando.md
@@ -0,0 +1,75 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-pensando.html
+---
+
+# pensando module [filebeat-module-pensando]
+
+The `pensando` module parses distributed firewall logs created by the [Pensando](http://pensando.io/) distributed services card (DSC).
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_30]
+
+The Pensando module has been tested with 1.12.0-E-54 and later.
+
+
+## Configure the module [configuring-pensando-module]
+
+You can further refine the behavior of the `pensando` module by specifying [variable settings](#pensando-settings) in the `modules.d/pensando.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set parameters in the `modules.d/pensando.yml` file to listen for firewall logs sent from the Pensando DSC(s) on port 5514 (default is 9001):
+
+```yaml
+- module: pensando
+  access:
+    enabled: true
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: [9001]
+```
+
+
+### Variable settings [pensando-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `pensando` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `pensando.dfw.var.paths` instead of `dfw.var.paths`.
+::::
+
+
+
+### `dfw` log fileset settings [_dfw_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+## Example dashboard [_example_dashboard_21]
+
+This module comes with a sample dashboard. For example:
+
+:::{image} images/filebeat-pensando-dfw.png
+:alt: filebeat pensando dfw
+:class: screenshot
+:::
+
+
+## Fields [_fields_43]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-pensando.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-postgresql.md b/docs/reference/filebeat/filebeat-module-postgresql.md
new file mode 100644
index 000000000000..5c52ee26182c
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-postgresql.md
@@ -0,0 +1,158 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-postgresql.html
+---
+
+# PostgreSQL module [filebeat-module-postgresql]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/postgresql.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `postgresql` module  collects and parses logs created by [PostgreSQL](https://www.postgresql.org/).
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_31]
+
+This module comes in two flavours: a parser of log files based on Linux distribution defaults, and a CSV log parser, that you need to enable in database configuration.
+
+The `postgresql` module using `.log` was tested with logs from versions 9.5 on Ubuntu, 9.6 on Debian, and finally 10.11, 11.4 and 12.2 on Arch Linux 9.3.
+
+The `postgresql` module using `.csv` was tested using versions 11 and 13 (distro is not relevant here).
+
+
+## Supported log formats [_supported_log_formats]
+
+This module can collect any logs from PostgreSQL servers, but to be able to better analyze their contents and extract more information, they should be formatted in a determined way.
+
+There are some settings to take into account for the log format.
+
+Log lines should be preffixed with the timestamp in milliseconds, the process id, the user id and the database name. This uses to be the default in most distributions, and is translated to this setting in the configuration file:
+
+```sh
+log_line_prefix = '%m [%p] %q%u@%d '
+```
+
+PostgreSQL server can be configured to log statements and their durations and this module is able to collect this information. To be able to correlate each duration with their statements, they must be logged in the same line. This happens when the following options are used:
+
+```sh
+log_duration = 'on'
+log_statement = 'none'
+log_min_duration_statement = 0
+```
+
+Setting a zero value in `log_min_duration_statement` will log all statements executed by a client. You probably want to configure it to a higher value, so it logs only slower statements. This value is configured in milliseconds.
+
+When using `log_statement` and `log_duration` together, statements and durations are logged in different lines, and Filebeat is not able to correlate both values, for this reason it is recommended to disable `log_statement`.
+
+::::{note}
+The PostgreSQL module of Metricbeat is also able to collect information about all statements executed in the server. You may chose which one is better for your needings. An important difference is that the Metricbeat module collects aggregated information when the statement is executed several times, but cannot know when each statement was executed. This information can be obtained from logs.
+::::
+
+
+Other logging options that you may consider to enable are the following ones:
+
+```sh
+log_checkpoints = 'on';
+log_connections = 'on';
+log_disconnections = 'on';
+log_lock_waits = 'on';
+```
+
+Both `log_connections` and `log_disconnections` can cause a lot of events if you don’t have persistent connections, so enable with care.
+
+
+## Using CSV logs [_using_csv_logs]
+
+Since the PostgreSQL CSV log file is a well-defined format, there is almost no configuration to be done in Filebeat, just the filepath.
+
+On the other hand, it’s necessary to configure postgresql to emit `.csv` logs. The recommended parameters are:
+
+```sh
+logging_collector = 'on';
+log_destination = 'csvlog';
+```
+
+
+## Configure the module [configuring-postgresql-module]
+
+You can further refine the behavior of the `postgresql` module by specifying [variable settings](#postgresql-settings) in the `modules.d/postgresql.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/postgresql.yml` file to override the default paths for PostgreSQL logs:
+
+```yaml
+- module: postgresql
+  log:
+    enabled: true
+    var.paths: ["/path/to/log/postgres/*.log*"]
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "postgresql.log.var.paths=[/path/to/log/postgres/*.log*]"
+```
+
+
+### Variable settings [postgresql-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `postgresql` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `postgresql.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` fileset settings [_log_fileset_settings_10]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+## Example dashboards [_example_dashboards_2]
+
+This module comes with two sample dashboards.
+
+The first dashboard is for regular logs.
+
+:::{image} images/filebeat-postgresql-overview.png
+:alt: filebeat postgresql overview
+:class: screenshot
+:::
+
+The second one shows the slowlogs of PostgreSQL. If `log_min_duration_statement` is not used, this dashboard will show incomplete or no data.
+
+:::{image} images/filebeat-postgresql-slowlog-overview.png
+:alt: filebeat postgresql slowlog overview
+:class: screenshot
+:::
+
+
+## Fields [_fields_44]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-postgresql.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-rabbitmq.md b/docs/reference/filebeat/filebeat-module-rabbitmq.md
new file mode 100644
index 000000000000..e7837657a319
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-rabbitmq.md
@@ -0,0 +1,94 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-rabbitmq.html
+---
+
+# RabbitMQ module [filebeat-module-rabbitmq]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/rabbitmq.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is the module for parsing [RabbitMQ log files](https://www.rabbitmq.com/logging.html) It will only support RabbitMQ default i.e RFC 3339 timestamp format using TIMESTAMP_ISO8601.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_32]
+
+Parses [single file format](https://www.rabbitmq.com/logging.html) introduced in 3.7.0.
+
+Tested with version 3.7.14.
+
+
+## Configure the module [configuring-rabbitmq-module]
+
+You can further refine the behavior of the `rabbitmq` module by specifying [variable settings](#rabbitmq-settings) in the `modules.d/rabbitmq.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/rabbitmq.yml` file to override the default paths for RabbitMQ logs:
+
+```yaml
+- module: rabbitmq
+  log:
+    enabled: true
+    var.paths: ["/path/to/log/rabbitmq/*.log*"]
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "rabbitmq.log.var.paths=[/path/to/log/rabbitmq/*.log*]"
+```
+
+
+### Variable settings [rabbitmq-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `rabbitmq` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `rabbitmq.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` fileset settings [_log_fileset_settings_11]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### Time zone support [_time_zone_support_13]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+## Fields [_fields_45]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-rabbitmq.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-redis.md b/docs/reference/filebeat/filebeat-module-redis.md
new file mode 100644
index 000000000000..eb78b22101f8
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-redis.md
@@ -0,0 +1,118 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-redis.html
+---
+
+# Redis module [filebeat-module-redis]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/redis.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `redis` module parses logs and slowlogs created by [Redis](https://redis.io/).
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+The `redis` module has two filesets:
+
+* The `log` fileset collects and parses the logs that Redis writes to disk.
+* The `slowlog` fileset connects to Redis via the network and retrieves the slow logs by using the `SLOWLOG` command.
+
+For the `log` fileset, make sure the `logfile` option, from the Redis configuration file, is set to `redis-server.log`.
+
+For the `slowlog` fileset, make sure the `slowlog-log-slower-than` option, from the Redis configuration file, is set to a lower value than the default one.
+
+
+## Compatibility [_compatibility_33]
+
+The Redis `log` fileset was tested with logs from Redis versions 1.2.6, 2.4.6, and 3.0.2, so we expect compatibility with any version 1.x, 2.x, or 3.x.
+
+On Windows, the default paths assume that Redis was installed from the Chocolatey repository.
+
+The Redis `slowlog` fileset was tested with Redis 3.0.2 and 2.4.6. We expect compatibility with any Redis version newer than 2.2.12, when the SLOWLOG command was added.
+
+
+## Configure the module [configuring-redis-module]
+
+You can further refine the behavior of the `redis` module by specifying [variable settings](#redis-settings) in the `modules.d/redis.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/redis.yml` file to override the default paths for Redis logs. It also shows how to set the host and password to retrieve slow logs:
+
+```yaml
+- module: redis
+  log:
+    enabled: true
+    var.paths: ["/path/to/log/redis/redis-server.log*"]
+  slowlog:
+    enabled: true
+    var.hosts: ["localhost:6378"]
+    var.password: "{pwd}"
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "redis.log.var.paths=[/path/to/log/redis/redis-server.log*]" -M "redis.slowlog.var.hosts=[localhost:6378]" -M "redis.slowlog.var.password=[YOUR_PASSWORD]"
+```
+
+
+### Variable settings [redis-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `redis` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `redis.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` fileset settings [_log_fileset_settings_12]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### `slowlog` fileset settings [_slowlog_fileset_settings_3]
+
+**`var.hosts`**
+:   An array of hosts to which Filebeat should connect to retrieve the slow logs. If left empty, `localhost:6379` is assumed.
+
+**`var.password`**
+:   The password to use to connect to Redis, in case Redis authentication is enabled (the `requirepass` option in the Redis configuration).
+
+
+## Example dashboard [_example_dashboard_22]
+
+This module comes with a sample dashboard. For example:
+
+:::{image} images/kibana-redis.png
+:alt: kibana redis
+:class: screenshot
+:::
+
+
+## Fields [_fields_46]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-redis.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-salesforce.md b/docs/reference/filebeat/filebeat-module-salesforce.md
new file mode 100644
index 000000000000..7b1a86f3bf93
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-salesforce.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-salesforce.html
+---
+
+# Salesforce module [filebeat-module-salesforce]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/salesforce.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+::::{note}
+The Salesforce module has been completely revamped to use a new dedicated Salesforce input for event collection, replacing the previous HTTPJSON input method. This change brings improved performance and reliability. However, please be aware that this update introduces a breaking change. We believe this is the right time to make this necessary improvement as the previous module was in beta.
+::::
+
+
+The Salesforce module collects logs from a Salesforce instance using the Salesforce REST API. It supports real-time and historical data collection for various log types including Login, Logout, APEX, and Setup Audit Trail.
+
+The Salesforce module contains the following filesets for collecting different types of logs:
+
+* The `login` fileset collects Login events from the EventLogFile or Objects (real-time).
+* The `logout` fileset collects Logout events from the EventLogFile or Objects (real-time).
+* The `apex` fileset collects APEX execution logs from the EventLogFile.
+* The `setupaudittrail` fileset collects Audit Trails events generated when admins make configuration changes in the org’s Setup area from the Objects (real-time).
+
+| Fileset | EventLogFile | Objects (real-time) |
+| --- | --- | --- |
+| login | yes | yes |
+| logout | yes | yes |
+| apex | yes | no |
+| setupaudittrail | no | yes |
+
+::::{important}
+The default interval for collecting logs (`var.real_time_interval` or `var.elf_interval`) is 5m/1h. Exercise caution when reducing this interval, as it directly impacts the Salesforce API rate limit of ~1000 calls per hour. Exceeding the limit will result in errors from the Salesforce API. Refer to the [Salesforce API Rate Limit](https://developer.salesforce.com/docs/atlas.en-us.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_api.htm) documentation for more details.
+
+::::
+
+
+
diff --git a/docs/reference/filebeat/filebeat-module-santa.md b/docs/reference/filebeat/filebeat-module-santa.md
new file mode 100644
index 000000000000..65d0433768e2
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-santa.md
@@ -0,0 +1,89 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-santa.html
+---
+
+# Santa module [filebeat-module-santa]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/santa.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `santa` module collects and parses logs from [Google Santa](https://github.com/google/santa), a security tool for macOS that monitors process executions and can blacklist/whitelist binaries.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_34]
+
+The `santa` module was tested with logs from Santa 0.9.14.
+
+This module is available for MacOS only.
+
+
+## Configure the module [configuring-santa-module]
+
+You can further refine the behavior of the `santa` module by specifying [variable settings](#santa-settings) in the `modules.d/santa.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The module is by default configured to read logs from `/var/log/santa.log`.
+
+```yaml
+- module: santa
+  log:
+    enabled: true
+    var.paths: ["/var/log/santa.log"]
+    var.input: "file"
+```
+
+
+### Variable settings [santa-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `santa` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `santa.log.var.paths` instead of `log.var.paths`.
+::::
+
+
+
+### `log` fileset settings [_log_fileset_settings_13]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+## Example dashboard [_example_dashboard_23]
+
+This module comes with a sample dashboard showing and overview of the processes that are executing.
+
+:::{image} images/kibana-santa-log-overview.png
+:alt: kibana santa log overview
+:class: screenshot
+:::
+
+
+## Fields [_fields_48]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-santa.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-snyk.md b/docs/reference/filebeat/filebeat-module-snyk.md
new file mode 100644
index 000000000000..776ca12fd044
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-snyk.md
@@ -0,0 +1,224 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-snyk.html
+---
+
+# Snyk module [filebeat-module-snyk]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is a module for ingesting data from the different Snyk API Endpoints. Currently supports these filesets:
+
+* `vulnerabilities` fileset: Collects all found vulnerabilities for the related organizations and projects
+* `audit` fileset: Collects audit logging from Snyk, this can be actions like users, permissions, groups, api access and more.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Configure the module [configuring-snyk-module]
+
+You can further refine the behavior of the `snyk` module by specifying [variable settings](#snyk-settings) in the `modules.d/snyk.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [snyk-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `snyk` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `snyk.audit.var.paths` instead of `audit.var.paths`.
+::::
+
+
+
+### `audit` fileset settings [_audit_fileset_settings_6]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+To configure access for Filebeat to the Snyk Audit Log API you will have to generate an API access token as described in the [Snyk Documentation](https://snyk.docs.apiary.io/#introduction/authorization)
+
+Example config:
+
+```yaml
+- module: snyk
+  audit:
+    var.input: httpjson
+    var.audit_type: organization
+    var.audit_id: 1235432-asdfdf-2341234-asdgjhg
+    var.interval: 1h
+    var.api_token: 53453Sddf8-7fsf-414234gfd-9sdfb7-5asdfh9f8e342
+```
+
+There is also multiple optional configuration options that can be used to filter out unwanted content, an example below:
+
+```yaml
+- module: snyk
+  audit:
+    var.input: httpjson
+    var.audit_type: organization
+    var.audit_id: 1235432-asdfdf-2341234-asdgjhg
+    var.interval: 1h
+    var.api_token: 53453Sddf8-7fsf-414234gfd-9sdfb7-5asdfh9f8e342
+    var.email_address: "test@example.com"
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.first_interval`**
+:   How far to look back the first time the module starts, this supports values in full days (24h, 48h etc).
+
+**`var.audit_type`**
+:   What audit type to collect, can be either "group" or "organization".
+
+**`var.audit_id`**
+:   The ID related to the audit_type. If audit type is group, then this value should be the group ID, or if it is organization it should be the organization ID to collect from.
+
+**`var.api_token`**
+:   The API token that is created for a specific user, found in the Snyk management dashboard.
+
+**`var.project_id`**
+:   Optional field for filtering, will return only logs for this specific project.
+
+**`var.user_id`**
+:   Optional field for filtering, user public ID. Will fetch only audit logs originated from this user’s actions.
+
+**`var.event`**
+:   Optional field for filtering, will return only logs for this specific event.
+
+**`var.email_address`**
+:   Optional field for filtering, User email address. Will fetch only audit logs originated from this user’s actions.
+
+
+### Snyk Audit Log ECS Fields [_snyk_audit_log_ecs_fields]
+
+This is a list of Snyk Audit Log fields that are mapped to ECS.
+
+| Snyk Audit log fields | ECS Fields |  |
+| --- | --- | --- |
+| groupId | user.group.id |  |
+| userId | user.id |  |
+| event | event.action |  |
+| created | @timestamp |  |
+
+
+### `vulnerabilities` fileset settings [_vulnerabilities_fileset_settings]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+To configure access for Filebeat to the Snyk Vulnerabilities API you will have to generate an API access token as described in the [Snyk Documentation](https://snyk.docs.apiary.io/#introduction/authorization)
+
+Example config:
+
+```yaml
+- module: snyk
+  vulnerabilities:
+    var.input: httpjson
+    var.interval: 24h
+    var.api_token: 53453Sddf8-7fsf-414234gfd-9sdfb7-5asdfh9f8e342
+    var.orgs:
+      - 12354-asdfdf-123543-asdsdfg
+      - 76554-jhggfd-654342-hgrfasd
+```
+
+There is also multiple optional configuration options that can be used to filter out unwanted content, an example below:
+
+```yaml
+- module: snyk
+  vulnerabilities:
+    var.input: httpjson
+    var.interval: 24h
+    var.api_token: 53453Sddf8-7fsf-414234gfd-9sdfb7-5asdfh9f8e342
+    var.orgs:
+      - 12354-asdfdf-123543-asdsdfg
+      - 76554-jhggfd-654342-hgrfasd
+    var.included_severity:
+      - medium
+      - high
+    var.types:
+      - vuln
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.first_interval`**
+:   How far to look back the first time the module starts, this supports values in full days (24h, 48h etc).
+
+**`var.api_token`**
+:   The API token that is created for a specific user, found in the Snyk management dashboard.
+
+**`var.orgs`**
+:   The list of org IDs to filter the results by. One organization ID per line, starting with a - sign
+
+**`var.included_severity`**
+:   Optional list of fields for filtering, the severity levels of issues to filter the results by.
+
+**`var.exploit_maturit`**
+:   Optional list of fields for filtering, the exploit maturity levels of issues to filter the results by.
+
+**`var.types`**
+:   Optional list of fields for filtering, the type of issues to filter the results by.
+
+**`var.languages`**
+:   Optional list of fields for filtering, the type of languages to filter the results by.
+
+**`var.identifier`**
+:   Optional field for filtering, search term to filter issue name by, or an exact CVE or CWE.
+
+**`var.ignored`**
+:   Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
+
+**`var.patched`**
+:   Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
+
+**`var.fixable`**
+:   Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
+
+**`var.is_fixed`**
+:   Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
+
+**`var.is_patchable`**
+:   Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
+
+**`var.is_pinnable`**
+:   Optional field for filtering, If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
+
+**`var.min_priority_score`**
+:   Optional field for filtering, The minimum priority score ranging between 0-1000
+
+**`var.max_priority_score`**
+:   Optional field for filtering, The maximum priority score ranging between 0-1000
+
+
+### Snyk Audit Log ECS Fields [_snyk_audit_log_ecs_fields_2]
+
+This is a list of Snyk Vulnerability fields that are mapped to ECS.
+
+|============================================================| | Snyk Fields                   | ECS Fields                 | | issue.description             | vulnerability.description  | | issue.identifiers.CVE         | vulnerability.id           | | issue.identifiers.ALTERNATIVE | vulnerability.id           | | issue.cvssScore               | vulnerability.score.base   | | issue.severity                | vulnerability.severity     | | issue.url                     | vulnerability.reference    | |============================================================|
+
+
+## Fields [_fields_49]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-snyk.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-sophos.md b/docs/reference/filebeat/filebeat-module-sophos.md
new file mode 100644
index 000000000000..13a52b062d48
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-sophos.md
@@ -0,0 +1,158 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-sophos.html
+---
+
+# Sophos module [filebeat-module-sophos]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/sophos.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for Sophos Products, currently it accepts logs in syslog format or from a file for the following devices:
+
+* `xg` fileset: supports Sophos XG SFOS logs.
+
+To configure a remote syslog destination, please reference the [SophosXG/SFOS Documentation](https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/SyslogServerAdd.md).
+
+The syslog format choosen in Sophos configuration should be `Central Reporting Format`.
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_35]
+
+This module has been tested against SFOS version 17.5.x, 18.0.x, and 18.5.x. Versions above this and between 18.0 - 18.5 are expected to work but have not been tested.
+
+
+## Configure the module [configuring-sophos-module]
+
+You can further refine the behavior of the `sophos` module by specifying [variable settings](#sophos-settings) in the `modules.d/sophos.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [sophos-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `sophos` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `sophos.xg.var.paths` instead of `xg.var.paths`.
+::::
+
+
+
+### `xg` fileset settings [_xg_fileset_settings]
+
+The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number.
+
+Below you will see an example configuration file, that sets the default hostname (if no serial number is included in the config file), and example on how to map serial numbers to a hostname
+
+```yaml
+- module: sophos
+  xg:
+    enabled: true
+    var.input: udp
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 9005
+    var.default_host_name: firewall.localgroup.local
+    var.known_devices:
+      - serial_number: "1234567890123457"
+        hostname: "a.host.local"
+      - serial_number: "1234234590678557"
+        hostname: "b.host.local"
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.input`**
+:   The input to use, can be either the value `tcp`, `udp` or `file`.
+
+**`var.syslog_host`**
+:   The interface to listen to all syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
+
+**`var.syslog_port`**
+:   The port to listen for syslog traffic. Defaults to 9005.
+
+**`var.host_name`**
+:   Host name / Observer name, since SophosXG does not provide this in the syslog file. Default to `firewall.localgroup.local`
+
+
+### SophosXG ECS fields [_sophosxg_ecs_fields]
+
+This is a list of SophosXG fields that are mapped to ECS.
+
+| SophosXG Fields | ECS Fields |  |
+| --- | --- | --- |
+| application | network.protocol |  |
+| classification | rule.category |  |
+| device_id | observer.serial_number |  |
+| domainname | url.domain |  |
+| dst_host | destination.address |  |
+| dst_int | observer.egress.interface.name |  |
+| dstzonetype | observer.egress.zone |  |
+| dst_ip | destination.ip |  |
+| destinationip | destination.ip |  |
+| dst_mac | destination.mac |  |
+| dstname | destination.address |  |
+| dst_port | destination.port |  |
+| dst_domainname | url.domain |  |
+| duration | event.duration |  |
+| filename | file.name |  |
+| filetype | file.extension |  |
+| file_size | file.size |  |
+| file_path | file.directory |  |
+| fw_rule_id | rule.id |  |
+| from_email_address | source.user.email |  |
+| httpstatus | http.response.status_code |  |
+| in_interface | observer.ingress.interface.name |  |
+| log_id | event.code |  |
+| log_subtype | event.action |  |
+| message | message |  |
+| method | http.request.method |  |
+| policy_type | rule.ruleset |  |
+| protocol | network.transport |  |
+| recv_bytes | destination.bytes |  |
+| recv_pkts | destination.packets |  |
+| referer | http.request.referrer |  |
+| sent_bytes | source.bytes |  |
+| sent_pkts | source.packets |  |
+| sha1sum | file.hash.sha1 |  |
+| srczonetype | observer.ingress.zone |  |
+| src_ip | source.ip |  |
+| src_domainname | url.domain |  |
+| sourceip | source.ip |  |
+| src_mac | source.mac |  |
+| src_port | source.port |  |
+| status_code | http.response.status_code |  |
+| time_zone | event.timezone |  |
+| to_email_address | destination.user.email |  |
+| tran_dst_ip | destination.nat.ip |  |
+| tran_dst_port | destination.nat.port |  |
+| tran_src_ip | source.nat.ip |  |
+| tran_src_port | source.nat.port |  |
+| url | url.original |  |
+| user_agent | user_agent.original |  |
+| useragent | user_agent.original |  |
+| user_gp | source.user.group |  |
+| user_name | source.user.name |  |
+| ws_protocol | http.version |  |
+
+
+## Fields [_fields_50]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-sophos.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-suricata.md b/docs/reference/filebeat/filebeat-module-suricata.md
new file mode 100644
index 000000000000..69e23b6b5d8d
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-suricata.md
@@ -0,0 +1,97 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-suricata.html
+---
+
+# Suricata module [filebeat-module-suricata]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/suricata.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module to the Suricata IDS/IPS/NSM log. It parses logs that are in the [ Suricata Eve JSON format](https://suricata.readthedocs.io/en/latest/output/eve/eve-json-format.html).
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_36]
+
+This module has been developed against Suricata v4.0.4, but is expected to work with other versions of Suricata.
+
+
+## Configure the module [configuring-suricata-module]
+
+You can further refine the behavior of the `suricata` module by specifying [variable settings](#suricata-settings) in the `modules.d/suricata.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+This is an example of how to overwrite the default log file path.
+
+```yaml
+- module: suricata
+  eve:
+    enabled: true
+    var.paths: ["/my/path/suricata.json"]
+```
+
+
+### Variable settings [suricata-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `suricata` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `suricata.eve.var.paths` instead of `eve.var.paths`.
+::::
+
+
+
+### `eve` log fileset settings [_eve_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+## Example dashboard [_example_dashboard_24]
+
+This module comes with sample dashboards. For example:
+
+:::{image} images/filebeat-suricata-events.png
+:alt: filebeat suricata events
+:class: screenshot
+:::
+
+:::{image} images/filebeat-suricata-alerts.png
+:alt: filebeat suricata alerts
+:class: screenshot
+:::
+
+
+## Fields [_fields_51]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-suricata.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-system.md b/docs/reference/filebeat/filebeat-module-system.md
new file mode 100644
index 000000000000..eda48484b662
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-system.md
@@ -0,0 +1,123 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html
+---
+
+# System module [filebeat-module-system]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/system.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `system` module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_37]
+
+This module was tested with logs from OSes like Ubuntu 12.04, Centos 7, and macOS Sierra.
+
+This module is not available for Windows.
+
+
+## Configure the module [configuring-system-module]
+
+You can further refine the behavior of the `system` module by specifying [variable settings](#system-settings) in the `modules.d/system.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/system.yml` file to override the default paths for the syslog and authorization logs:
+
+```yaml
+- module: system
+  syslog:
+    enabled: true
+    var.paths: ["/path/to/log/syslog*"]
+  auth:
+    enabled: true
+    var.paths: ["/path/to/log/auth.log*"]
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "system.syslog.var.paths=[/path/to/log/syslog*]" -M "system.auth.var.paths=[/path/to/log/auth.log*]"
+```
+
+
+### Variable settings [system-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `system` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `system.syslog.var.paths` instead of `syslog.var.paths`.
+::::
+
+
+
+### `syslog` fileset settings [_syslog_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.use_journald`**
+:   A boolean that when set to `true` will read logs from Journald. When Journald is used all events contain the tag `journald`.
+
+
+### `auth` fileset settings [_auth_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.use_journald`**
+:   A boolean that when set to `true` will read logs from Journald. When Journald is used all events contain the tag `journald`.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Include `preserve_orginal_event` causes the pipeline to retain the raw log in `event.original`. Defaults to `[]`.
+
+
+### Time zone support [_time_zone_support_14]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+## Example dashboards [_example_dashboards_3]
+
+This module comes with sample dashboards. For example:
+
+:::{image} images/kibana-system.png
+:alt: kibana system
+:class: screenshot
+:::
+
+
+## Fields [_fields_52]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-system.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-threatintel.md b/docs/reference/filebeat/filebeat-module-threatintel.md
new file mode 100644
index 000000000000..970648438693
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-threatintel.md
@@ -0,0 +1,579 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html
+---
+
+# Threat Intel module [filebeat-module-threatintel]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/ti_abusech.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module ingests data from a collection of different threat intelligence sources. The ingested data is meant to be used with [Indicator Match rules](docs-content://solutions/security/detect-and-alert/create-detection-rule.md#create-indicator-rule), but is also compatible with other features like [Enrich Processors](elasticsearch://reference/ingestion-tools/enrich-processor/enrich-processor.md). The related threat intel attribute that is meant to be used for matching incoming source data is stored under the `threat.indicator.*` fields.
+
+The available filesets are:
+
+* [abuseurl](#abuseurl): Supports gathering URL entities from Abuse.ch.
+* [abusemalware](#abusemalware): Supports gathering Malware/Payload entities from Abuse.ch.
+* [misp](#misp): Supports gathering threat intel attributes from MISP (replaces MISP module).
+* [malwarebazaar](#malwarebazaar): Supports gathering Malware/Payload entities from Malware Bazaar.
+* [otx](#otx): Supports gathering threat intel attributes from AlientVault OTX.
+* [anomali](#anomali): Supports gathering threat intel attributes from Anomali Limo.
+* [anomalithreatstream](#anomalithreatstream): Supports gathering threat intel attributes from Anomali ThreatStream.
+* [threatq](#threatq): Supports gathering threat intel attributes from ThreatQuotient.
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+### `abuseurl` fileset settings [abuseurl]
+
+This fileset contacts the abuse.ch API and fetches all new malicious URLs found the last 60 minutes.
+
+To configure the module, please utilize the default URL unless specified as the example below:
+
+```yaml
+- module: threatintel
+  abuseurl:
+    enabled: true
+    var.input: httpjson
+    var.url: https://urlhaus-api.abuse.ch/v1/urls/recent/
+    var.interval: 60m
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.url`**
+:   The URL of the API endpoint to connect with.
+
+**`var.interval`**
+:   How often the API is polled for updated information.
+
+**`var.proxy_url`**
+:   Optional URL to use as HTTP proxy.
+
+Abuse.ch URL Threat Intel is mapped to the following ECS fields.
+
+| URL Threat Intel Fields | ECS Fields |
+| --- | --- |
+| url | threat.indicator.url.full |
+| date_added | @timestamp |
+| host | threat.indicator.ip/domain |
+
+
+### `abusemalware` fileset settings [abusemalware]
+
+This fileset contacts the Abuse.ch API and fetches all new malicious hashes found the last 60 minutes.
+
+To configure the module, please utilize the default URL unless specified as the example below:
+
+```yaml
+- module: threatintel
+  abusemalware:
+    enabled: true
+    var.input: httpjson
+    var.url: https://urlhaus-api.abuse.ch/v1/payloads/recent/
+    var.interval: 60m
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.url`**
+:   The URL of the API endpoint to connect with.
+
+**`var.interval`**
+:   How often the API is polled for updated information.
+
+**`var.proxy_url`**
+:   Optional URL to use as HTTP proxy.
+
+Abuse.ch Malware Threat Intel is mapped to the following ECS fields.
+
+| Malware Threat IntelFields | ECS Fields |
+| --- | --- |
+| md5_hash | threat.indicator.file.hash.md5 |
+| sha256_hash | threat.indicator.file.hash.sha256 |
+| file_size | threat.indicator.file.size |
+
+
+### `malwarebazaar` fileset settings [malwarebazaar]
+
+This fileset contacts the Malware Bazaar API and fetches all new malicious hashes found the last 10 minutes.
+
+To configure the module, please utilize the default URL unless specified as the example below:
+
+```yaml
+- module: threatintel
+  malwarebazaar:
+    enabled: true
+    var.input: httpjson
+    var.url: https://mb-api.abuse.ch/api/v1/
+    var.interval: 10m
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.url`**
+:   The URL of the API endpoint to connect with.
+
+**`var.interval`**
+:   How often the API is polled for updated information.
+
+**`var.proxy_url`**
+:   Optional URL to use as HTTP proxy.
+
+Malware Bazaar Threat Intel is mapped to the following ECS fields.
+
+| Malware Threat IntelFields | ECS Fields |
+| --- | --- |
+| md5_hash | threat.indicator.file.hash.md5 |
+| sha256_hash | threat.indicator.file.hash.sha256 |
+| sha384_hash | threat.indicator.file.hash.sha384 |
+| tlsh | threat.indicator.file.hash.tlsh |
+| ssdeep | threat.indicator.file.hash.ssdeep |
+| imphash | threat.indicator.file.pe.imphash |
+| file_size | threat.indicator.file.size |
+| file_name | threat.indicator.file.name |
+| file_type_mime | threat.indicator.file.mime_type |
+| file_type | threat.indicator.file.type |
+| reporter | threat.indicator.provider |
+| origin_country | threat.indicator.geo.country_iso_code |
+| signature | threat.indicator.signature |
+| code_sign.subject_cn | threat.indicator.file.x509.subject.common_name |
+| code_sign.issuer_cn | threat.indicator.file.x509.issuer.common_name |
+| code_sign.algorithm | threat.indicator.file.x509.public_key_algorithm |
+| code_sign.valid_from | threat.indicator.file.x509.not_before |
+| code_sign.valid_to | threat.indicator.file.x509.not_after |
+| code_sign.serial_number | threat.indicator.file.x509.serial_number |
+
+
+### `misp` fileset settings [misp]
+
+This fileset communicates with a local or remote MISP server. This replaces the older MISP module.
+
+The fileset configuration allows to set the polling interval, how far back it should look initially, and optionally any filters used to filter the results.
+
+```yaml
+- module: threatintel
+  misp:
+    enabled: true
+    var.input: httpjson
+    var.url: https://SERVER/events/restSearch
+    var.api_token: xVfaM3DSt8QEwO2J1ix00V4ZHJs14nq5GMsHcK6Z
+    var.first_interval: 24h
+    var.interval: 60m
+```
+
+To configure the output with filters, use fields that already exist on the MISP server, and define either a single value or multiple. By adding a filter, only events that have attributes that match the filter will be returned.
+
+The below filters are only examples, for a full list of all fields please reference the MISP fields located on the MISP server itself.
+
+```yaml
+- module: threatintel
+  misp:
+    enabled: true
+    var.input: httpjson
+    var.url: https://SERVER/events/restSearch
+    var.api_token: xVfaM3DSt8QEwO2J1ix00V4ZHJs14nq5GMsHcK6Z
+    var.filters:
+      type: ["md5", "sha256", "url", "ip-src"]
+      threat_level: 4
+    var.first_interval: 24h
+    var.interval: 60m
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.url`**
+:   The URL of the API endpoint to connect with.
+
+**`var.interval`**
+:   How often the API is polled for updated information.
+
+**`var.first_interval`**
+:   How far back to search when retrieving events the first time Filebeat starts up. After the first interval has passed the module itself will use the timestamp from the last response as the filter when retrieving new events.
+
+**`var.filters`**
+:   Dictionary of filters to apply when retrieving new events from the MISP server, this field is optional and defaults to all events. A list of available options is located at [https://www.circl.lu/doc/misp/automation/#search](https://www.circl.lu/doc/misp/automation/#search)
+
+**`var.proxy_url`**
+:   Optional URL to use as HTTP proxy.
+
+MISP Threat Intel is mapped to the following ECS fields.
+
+| Malware Threat IntelFields | ECS Fields |
+| --- | --- |
+| misp.first_seen | threat.indicator.first_seen |
+| misp.last_seen | threat.indicator.last_seen |
+| misp.tag | tag |
+| misp.value | threat.indicator.* |
+
+`misp.value` is mapped to the appropriate field dependent on attribute type.
+
+
+### `otx` fileset settings [otx]
+
+To configure the module, please utilize the default URL unless specified as the example below:
+
+```yaml
+- module: threatintel
+  otx:
+    enabled: true
+    var.input: httpjson
+    var.url: https://otx.alienvault.com/api/v1/indicators/export
+    var.api_token: 754dcaafbcb9740dc0d119e72d5eaad699cc4a5cdbc856fc6215883842ba8142
+    var.first_interval: 24h
+    var.lookback_range: 2h
+    var.interval: 60m
+```
+
+To filter only on specific indicator types, this is an example of some possible filters that are supported:
+
+```yaml
+- module: threatintel
+  otx:
+    enabled: true
+    var.input: httpjson
+    var.url: https://otx.alienvault.com/api/v1/indicators/export
+    var.types: "domain,IPv4,hostname,url,FileHash-SHA256"
+    var.first_interval: 24h
+    var.interval: 60m
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.url`**
+:   The URL of the API endpoint to connect with.
+
+**`var.api_token`**
+:   The API key used to access OTX. This can be found on your [OTX API homepage](https://otx.alienvault.com/api).
+
+**`var.interval`**
+:   How often the API is polled for updated information.
+
+**`var.first_interval`**
+:   How far back to search when retrieving events the first time the Filebeat starts up. After the first interval has passed the module itself will use the timestamp from the last response as the filter when retrieving new events.
+
+**`var.types`**
+:   A comma delimited list of indicator types to include, defaults to all. A list of possible types to filter on can be found in the [AlientVault OTX documentation](https://cybersecurity.att.com/documentation/usm-appliance/otx/about-otx.htm).
+
+**`var.proxy_url`**
+:   Optional URL to use as HTTP proxy.
+
+OTX Threat Intel is mapped to the following ECS fields.
+
+| Malware Threat Intel  Fields | ECS Fields |
+| --- | --- |
+| otx.type | threat.indicator.type |
+| otx.description | threat.indicator.description |
+| otx.indicator | threat.indicator.* |
+
+`otx.indicator` is mapped to the appropriate field dependent on attribute type.
+
+
+### `anomali` fileset settings [anomali]
+
+To configure the module please fill in the credentials, for Anomali Limo (the free Taxii service) these are usually default credentials found at the [Anomali Limo webpage](https://www.anomali.com/resources/limo) Anomali Limo offers multiple sources called collections. Each collection has a specific ID, which then fits into the url used in this configuration. A list of different collections can be found using the credentials at [Limo Collections](https://limo.anomali.com/api/v1/taxii2/feeds/collections/).
+
+The example below uses the collection of ID 41 as can be seen in the URL.
+
+```yaml
+- module: threatintel
+  anomali:
+    enabled: true
+    var.input: httpjson
+    var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects?match[type]=indicator
+    var.username: guest
+    var.password: guest
+    var.interval: 60m
+```
+
+To filter on specific types, you can define `var.types` as a comma delimited list of object types. This defaults to "indicators".
+
+```yaml
+- module: threatintel
+  anomali:
+    enabled: true
+    var.input: httpjson
+    var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects?match[type]=indicator
+    var.types: "indicators,other"
+    var.username: guest
+    var.password: guest
+    var.interval: 60m
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.url`**
+:   The URL of the API endpoint to connect with. Limo offers multiple collections of threat intelligence.
+
+**`var.username`**
+:   Username used to access the API.
+
+**`var.password`**
+:   Password used to access the API.
+
+**`var.interval`**
+:   How often the API is polled for updated information.
+
+**`var.types`**
+:   A comma delimited list of indicator types to include, defaults to all. A list of possible types to filter on can be found on the [Stix 2.1 Object types](https://oasis-open.github.io/cti-documentation/stix/intro.html#stix-21-objects) page.
+
+**`var.proxy_url`**
+:   Optional URL to use as HTTP proxy.
+
+Anomali Threat Intel is mapped to the following ECS fields.
+
+| Malware Threat Intel Fields | ECS Fields |
+| --- | --- |
+| anomali.description | threat.indicator.description |
+| anomali.created | threat.indicator.first_seen |
+| anomali.modified | threat.indicator.last_seen |
+| anomali.pattern | threat.indicator.* |
+| anomali.labels | tags |
+
+`anomali.pattern` is mapped to the appropriate field dependent on attribute type.
+
+
+### `anomalithreatstream` fileset settings [anomalithreatstream]
+
+To configure the ThreatStream integration you first need to define an output in the Anomali ThreatStream Integrator using the Elastic SDK provided by Anomali. It will deliver indicators via HTTP or HTTPS to a Filebeat instance running as a server.
+
+Configure an Integrator output with the following settings:
+
+* Indicator Filter: `*` (or use any desired filter).
+* SDK Executable Command: `/path/to/python /path/to/anomali-sdk/main.py`. Adjust the paths to the python executable and the directory where the Elastic SDK has been unpacked.
+* Metadata in JSON Format: `{"url": "https://filebeat:8080/", "server_certificate": "/path/to/cert.pem", "secret": "my secret"}`.
+
+    * `url`: Use the host and port where Filebeat will be running, and `http` or `https` accordingly.
+    * `server_certificate`: If using HTTPS, absolute path to the server certificate. Otherwise don’t set this field.
+    * `secret`: A shared secret string to authenticate messages between the SDK and Filebeat.
+
+
+Then configure the `anomalithreatstream` fileset in Filebeat accordingly:
+
+```yaml
+- module: threatintel
+  anomalithreatstream:
+    enabled: true
+    var.input: http_endpoint
+    var.listen_address: 0.0.0.0 # Listen on all interfaces.
+    var.listen_port: 8080
+    var.secret: 'my secret'
+    var.ssl_certificate: path/to/server_ssl_cert.pem
+    var.ssl_key: path/to/ssl_key.pem
+```
+
+**`var.listen_address`**
+:   Local address to bind the HTTP server to. Use `0.0.0.0` to accept connections from all interfaces.
+
+**`var.listen_port`**
+:   Port number to use for the HTTP server.
+
+**`var.secret`**
+:   Shared secret between the SDK and Filebeat, used to authenticate messages.
+
+**`var.ssl_certificate`**
+:   Path to the public SSL certificate for the HTTPS server. If unset, Filebeat will use unsecure HTTP connections.
+
+**`var.ssl_key`**
+:   Path to the certificate’s private key.
+
+Anomali ThreatStream fields are mapped to the following ECS fields:
+
+| ThreatStream fields | ECS Fields |
+| --- | --- |
+| asn | threat.indicator.as.number |
+| classification[[1]](#a) | threat.indicator.marking.tlp |
+| confidence[[1]](#a) | threat.indicator.confidence |
+| country | threat.indicator.geo.country_iso_code |
+| date_first | threat.indicator.first_seen |
+| date_last | threat.indicator.last_seen |
+| detail | tags |
+| domain | threat.indicator.url.domain |
+| email | threat.indicator.email.address |
+| itype[[1]](#a) | threat.indicator.type |
+| lat | threat.indicator.geo.location.lat |
+| lon | threat.indicator.geo.location.lon |
+| md5 | threat.indicator.file.hash |
+| org | threat.indicator.as.organization.name |
+| severity[[1]](#a) | event.severity |
+| source | threat.indicator.provider |
+| srcip | threat.indicator.ip |
+| url | threat.indicator.url.original |
+
+$$$a$$$
+[1]: Field is used to derive a value for the ECS field but its original value is kept under `threatintel.anomalithreatstream`.
+
+
+## Dashboards [_dashboards_5]
+
+This module comes with dashboards for the threat information feeds.
+
+:::{image} images/filebeat-threatintel-overview.png
+:alt: filebeat threatintel overview
+:class: screenshot
+:::
+
+Overview of the information provided, and the health of, the Threat Intel module.
+
+:::{image} images/filebeat-threatintel-abuse-malware.png
+:alt: filebeat threatintel abuse malware
+:class: screenshot
+:::
+
+Overview of the information provided by the Abuse.ch Malware feed.
+
+:::{image} images/filebeat-threatintel-abuse-url.png
+:alt: filebeat threatintel abuse url
+:class: screenshot
+:::
+
+Overview of the information provided by the Abuse.ch URL feed.
+
+:::{image} images/filebeat-threatintel-alienvault-otx.png
+:alt: filebeat threatintel alienvault otx
+:class: screenshot
+:::
+
+Overview of the information provided by the AlienVault OTX feed.
+
+:::{image} images/filebeat-threatintel-anomali.png
+:alt: filebeat threatintel anomali
+:class: screenshot
+:::
+
+Overview of the information provided by the Anomali Limo and Anomali ThreatStream feeds.
+
+:::{image} images/filebeat-threatintel-misp.png
+:alt: filebeat threatintel misp
+:class: screenshot
+:::
+
+Overview of the information provided by the MISP feed.
+
+
+### `threatq` fileset settings [threatq]
+
+The `threatq` fileset fetches intelligence from the ThreatQuotient API.
+
+The ThreatQ module requires you to set a valid URL, combination of Oauth2 credentials and the ID of the collection to retrieve indicators from. By default the indicators will be collected every 1 minute, and deduplication is handled by the API itself.
+
+Sample configuration:
+
+```yaml
+- module: threatintel
+  threatq:
+    enabled: true
+    var.input: httpjson
+    var.host: https://testurl.threatq.com/
+    var.token_url: https://testurl.threatq.com/api/token
+    var.client_id: oauthclient
+    var.client_secret: 123abcd
+    var.interval: 1m
+    var.data_collection_id: "fsd2f54fsg2sf"
+```
+
+**`var.url`**
+:   The URL of the API endpoint to connect with.
+
+**`var.client_id`**
+:   The Oauth2 client ID to be used for authentication.
+
+**`var.client_secret`**
+:   The Oauth2 secret related to the client_id.
+
+**`var.interval`**
+:   How often the API is polled for updated information.
+
+**`var.proxy_url`**
+:   Optional URL to use as HTTP proxy.
+
+**`var.http_client_timeout`**
+:   Optional value to override the default HTTP timeout of 30 seconds.
+
+ThreatQ fields are mapped to the following ECS fields:
+
+| ThreatQ fields | ECS Fields |
+| --- | --- |
+| type.name | threat.indicator.type |
+| description | threat.indicator.description |
+| score | threat.indicator.confidence |
+| value | threat.indicator.{url,ip,domain,file.hash} |
+| sources | threat.indicator.provider |
+
+
+## Dashboards [_dashboards_6]
+
+This module comes with dashboards for the threat information feeds.
+
+:::{image} images/filebeat-threatintel-overview.png
+:alt: filebeat threatintel overview
+:class: screenshot
+:::
+
+Overview of the information provided, and the health of, the Threat Intel module.
+
+:::{image} images/filebeat-threatintel-abuse-malware.png
+:alt: filebeat threatintel abuse malware
+:class: screenshot
+:::
+
+Overview of the information provided by the Abuse.ch Malware feed.
+
+:::{image} images/filebeat-threatintel-abuse-url.png
+:alt: filebeat threatintel abuse url
+:class: screenshot
+:::
+
+Overview of the information provided by the Abuse.ch URL feed.
+
+:::{image} images/filebeat-threatintel-alienvault-otx.png
+:alt: filebeat threatintel alienvault otx
+:class: screenshot
+:::
+
+Overview of the information provided by the AlienVault OTX feed.
+
+:::{image} images/filebeat-threatintel-anomali.png
+:alt: filebeat threatintel anomali
+:class: screenshot
+:::
+
+Overview of the information provided by the Anomali Limo and Anomali ThreatStream feeds.
+
+:::{image} images/filebeat-threatintel-misp.png
+:alt: filebeat threatintel misp
+:class: screenshot
+:::
+
+Overview of the information provided by the MISP feed.
+
+:::{image} images/filebeat-threatintel-threatq.png
+:alt: filebeat threatintel threatq
+:class: screenshot
+:::
+
+Overview of the information provided by the ThreatQuotient feed.
+
+
+## Fields [_fields_53]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-threatintel.md) section.
+
diff --git a/docs/reference/filebeat/filebeat-module-traefik.md b/docs/reference/filebeat/filebeat-module-traefik.md
new file mode 100644
index 000000000000..f9832ff015f4
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-traefik.md
@@ -0,0 +1,87 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-traefik.html
+---
+
+# Traefik module [filebeat-module-traefik]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/traefik.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `traefik` module parses access logs created by [Træfik](https://traefik.io/).
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+* Deploys dashboards for visualizing the log data
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Configure the module [configuring-traefik-module]
+
+You can further refine the behavior of the `traefik` module by specifying [variable settings](#traefik-settings) in the `modules.d/traefik.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+The following example shows how to set paths in the `modules.d/traefik.yml` file to override the default paths for Træfik logs:
+
+```yaml
+- module: traefik
+  access:
+    enabled: true
+    var.paths: ["/usr/local/traefik/access.log*"]
+```
+
+To specify the same settings at the command line, you use:
+
+```sh
+-M "traefik.access.var.paths=[/path/to/traefik/access.log*]"
+```
+
+
+### Variable settings [traefik-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `traefik` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `traefik.access.var.paths` instead of `access.var.paths`.
+::::
+
+
+
+### `access` log fileset settings [_access_log_fileset_settings_4]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+## Example dashboards [_example_dashboards_4]
+
+This module comes with sample dashboards. For example:
+
+:::{image} images/kibana-traefik.png
+:alt: kibana traefik
+:class: screenshot
+:::
+
+
+## Fields [_fields_54]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-traefik.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-zeek.md b/docs/reference/filebeat/filebeat-module-zeek.md
new file mode 100644
index 000000000000..4ff293ff0c29
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-zeek.md
@@ -0,0 +1,515 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-zeek.html
+---
+
+# Zeek (Bro) Module [filebeat-module-zeek]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/zeek.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for [Zeek](https://zeek.org/), which used to be called Bro. It parses logs that are in the Zeek JSON format.
+
+The Zeek SSL fileset will handle fields from these scripts if they are installed in Zeek.
+
+* [JA3/JA3S Hashes](https://github.com/salesforce/ja3/tree/master/zeek)
+* [SHA1 Certificate Hashes](https://github.com/rocknsm/rock-scripts/blob/1abcb137c3c0cb7bc1d54248d738255d2d6eb4ba/protocols/ssl/ssl-add-cert-hash.zeek)
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_38]
+
+This module has been developed against Zeek 2.6.1, but is expected to work with newer versions of Zeek.
+
+Zeek requires a Unix-like platform, and it currently supports Linux, FreeBSD, and Mac OS X.
+
+
+### `capture_loss` log fileset settings [_capture_loss_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+
+### `connection` log fileset settings [_connection_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `dce_rpc` log fileset settings [_dce_rpc_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `dhcp` log fileset settings [_dhcp_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `dnp3` log fileset settings [_dnp3_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `dns` log fileset settings [_dns_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `dpd` log fileset settings [_dpd_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `files` log fileset settings [_files_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+
+### `ftp` log fileset settings [_ftp_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `files` log fileset settings [_files_log_fileset_settings_2]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `http` log fileset settings [_http_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `intel` log fileset settings [_intel_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `irc` log fileset settings [_irc_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `kerberos` log fileset settings [_kerberos_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `modbus` log fileset settings [_modbus_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `mysql` log fileset settings [_mysql_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `notice` log fileset settings [_notice_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `ntls` log fileset settings [_ntls_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `ntp` log fileset settings [_ntp_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `ocsp` log fileset settings [_ocsp_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+
+### `pe` log fileset settings [_pe_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+
+### `radius` log fileset settings [_radius_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `rdp` log fileset settings [_rdp_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `rfb` log fileset settings [_rfb_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `signature` log fileset settings [_signature_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `sip` log fileset settings [_sip_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `smb_cmd` log fileset settings [_smb_cmd_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `smb_files` log fileset settings [_smb_files_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `smb_mapping` log fileset settings [_smb_mapping_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `smtp` log fileset settings [_smtp_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `snmp` log fileset settings [_snmp_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `socks` log fileset settings [_socks_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `ssh` log fileset settings [_ssh_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `ssl` log fileset settings [_ssl_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `stats` log fileset settings [_stats_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+
+### `syslog` log fileset settings [_syslog_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `traceroute` log fileset settings [_traceroute_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `tunnel` log fileset settings [_tunnel_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `weird` log fileset settings [_weird_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+`var.internal_networks`
+:   A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the value of `network.direction`. The values can be either a CIDR value or one of the named ranges supported by the [`network`](/reference/filebeat/defining-processors.md#condition-network) condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+
+### `x509` log fileset settings [_x509_log_fileset_settings]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.tags`**
+:   A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[suricata]`.
+
+
+## Example dashboard [_example_dashboard_25]
+
+This module comes with a sample dashboard. For example:
+
+:::{image} images/kibana-zeek.png
+:alt: kibana zeek
+:class: screenshot
+:::
+
+
+## Fields [_fields_55]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-zeek.md) section.
+
diff --git a/docs/reference/filebeat/filebeat-module-zookeeper.md b/docs/reference/filebeat/filebeat-module-zookeeper.md
new file mode 100644
index 000000000000..60426ebaebd5
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-zookeeper.md
@@ -0,0 +1,123 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-zookeeper.html
+---
+
+# ZooKeeper module [filebeat-module-zookeeper]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/zookeeper.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `zookeeper` module collects and parses the logs created by [Apache ZooKeeper](https://zookeeper.apache.org/)
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default paths to the log files (but don’t worry, you can override the defaults)
+* Makes sure each multiline log event gets sent as a single event
+* Uses an {{es}} ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Compatibility [_compatibility_39]
+
+The `zookeeper` module was tested with logs from versions 3.7.0.
+
+
+## Configure the module [configuring-zookeeper-module]
+
+You can further refine the behavior of the `zookeeper` module by specifying [variable settings](#zookeeper-settings) in the `modules.d/zookeeper.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [zookeeper-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `zookeeper` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `zookeeper.audit.var.paths` instead of `audit.var.paths`.
+::::
+
+
+The following example shows how to set paths in the `modules.d/zookeeper.yml` file to override the default paths for logs:
+
+```yaml
+- module: zookeeper
+  audit:
+    enabled: true
+    var.paths:
+      - "/path/to/logs/zookeeper_audit.log*"
+  log:
+    enabled: true
+    var.paths:
+      - "/path/to/logs/zookeeper.log*"
+```
+
+To specify the same settings at the command line, you use:
+
+```yaml
+-M "zookeeper.audit.var.paths=[/path/to/logs/zookeeper_audit.log*]" -M "zookeeper.log.var.paths=[/path/to/logs/zookeeper.log*]"
+```
+
+
+## Audit logging [_audit_logging]
+
+Audit logging is available since Zookeeper 3.6.0, but it is disabled by default. To enable it, you can add the following setting to the configuration file:
+
+```sh
+audit.enable=true
+```
+
+
+### `audit` fileset settings [_audit_fileset_settings_7]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### Time zone support [_time_zone_support_15]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+### `log` fileset settings [_log_fileset_settings_14]
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+
+### Time zone support [_time_zone_support_16]
+
+This module parses logs that don’t contain time zone information. For these logs, Filebeat reads the local time zone and uses it when parsing to convert the timestamp to UTC. The time zone to be used for parsing is included in the event in the `event.timezone` field.
+
+To disable this conversion, the `event.timezone` field can be removed with the `drop_fields` processor.
+
+If logs are originated from systems or applications with a different time zone to the local one, the `event.timezone` field can be overwritten with the original time zone using the `add_fields` processor.
+
+See [Processors](/reference/filebeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+## Fields [_fields_56]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-zookeeper.md) section.
diff --git a/docs/reference/filebeat/filebeat-module-zoom.md b/docs/reference/filebeat/filebeat-module-zoom.md
new file mode 100644
index 000000000000..fd2dc57cb41e
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-module-zoom.md
@@ -0,0 +1,85 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-zoom.html
+---
+
+# Zoom module [filebeat-module-zoom]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/zoom.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is a module for Zoom webhook logs. The module creates an HTTP listener that accepts incoming webhooks from Zoom.
+
+To configure Zoom to send webhooks to the filebeat module, please follow the [Zoom Documentation](https://developers.zoom.us/docs/api/rest/webhook-only-app).
+
+::::{tip}
+Read the [quick start](/reference/filebeat/filebeat-installation-configuration.md) to learn how to configure and run modules.
+::::
+
+
+
+## Configure the module [configuring-zoom-module]
+
+You can further refine the behavior of the `zoom` module by specifying [variable settings](#zoom-settings) in the `modules.d/zoom.yml` file, or overriding settings at the command line.
+
+You must enable at least one fileset in the module. **Filesets are disabled by default.**
+
+
+### Variable settings [zoom-settings]
+
+Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `zoom` module uses the defaults.
+
+For advanced use cases, you can also override input settings. See [Override input settings](/reference/filebeat/advanced-settings.md).
+
+::::{tip}
+When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `zoom.webhook.var.paths` instead of `webhook.var.paths`.
+::::
+
+
+
+### `webhook` fileset settings [_webhook_fileset_settings]
+
+When a webhook integration is created on Zoom, you can create a custom header to verify webhook events. See [Custom Header](https://developers.zoom.us/docs/api/rest/webhook-reference/#custom-header) for more information about this process. This is configured with the `secret.header` and `secret.value` settings as shown below.
+
+On the other hand, Zoom also requires webhook validation for created or modified webhooks after October, 2022. This follows a challenge-response check (CRC) algorithm which is configured with the `crc.enabled` and `crc.secret` settings. Learn more about it at [Validate your webhook endpoint](https://developers.zoom.us/docs/api/rest/webhook-reference/#validate-your-webhook-endpoint).
+
+Example config:
+
+```yaml
+- module: zoom
+  webhook:
+    enabled: true
+    var.input: http_endpoint
+    var.listen_address: 0.0.0.0
+    var.listen_port: 8080
+    var.secret.header: x-my-custom-key
+    var.secret.value: my-custom-value
+    var.crc.enabled: true
+    var.crc.secret: ZOOMSECRETTOKEN
+```
+
+**`var.paths`**
+:   An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
+
+**`var.listen_address`**
+:   The IP address of the interface the module should listen on. Also supports 0.0.0.0 to listen on all interfaces.
+
+**`var.listen_port`**
+:   The port the module should be listening on.
+
+**`var.ssl`**
+:   Configuration options for SSL parameters like the SSL certificate and CA to use for the HTTP(s) listener See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+
+
+## Fields [_fields_57]
+
+For a description of each field in the module, see the [exported fields](/reference/filebeat/exported-fields-zoom.md) section.
diff --git a/docs/reference/filebeat/filebeat-modules-overview.md b/docs/reference/filebeat/filebeat-modules-overview.md
new file mode 100644
index 000000000000..e71a3548be31
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-modules-overview.md
@@ -0,0 +1,28 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules-overview.html
+---
+
+# Modules overview [filebeat-modules-overview]
+
+Filebeat modules simplify the collection, parsing, and visualization of common log formats.
+
+A typical module (say, for the Nginx logs) is composed of one or more filesets (in the case of Nginx, `access` and `error`). A fileset contains the following:
+
+* Filebeat input configurations, which contain the default paths where to look for the log files. These default paths depend on the operating system. The Filebeat configuration is also responsible with stitching together multiline events when needed.
+* {{es}} [ingest pipeline](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md) definition, which is used to parse the log lines.
+* Fields definitions, which are used to configure {{es}} with the correct types for each field. They also contain short descriptions for each of the fields.
+* Sample {{kib}} dashboards, when available, that can be used to visualize the log files.
+
+Filebeat automatically adjusts these configurations based on your environment and loads them to the respective {{stack}} components.
+
+If a module configuration is updated, the {{es}} ingest pipeline definition is not reloaded automatically. To reload the ingest pipeline, set `filebeat.overwrite_pipelines: true` and manually [load the ingest pipelines](/reference/filebeat/load-ingest-pipelines.md).
+
+
+## Get started [_get_started]
+
+To learn how to configure and run Filebeat modules:
+
+* Get started by reading [Quick start: installation and configuration](/reference/filebeat/filebeat-installation-configuration.md).
+* Dive into the documentation for each [module](/reference/filebeat/filebeat-modules.md).
+
diff --git a/docs/reference/filebeat/filebeat-modules.md b/docs/reference/filebeat/filebeat-modules.md
new file mode 100644
index 000000000000..19ae0349661d
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-modules.md
@@ -0,0 +1,73 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules.html
+---
+
+# Modules [filebeat-modules]
+
+This section contains an [overview](/reference/filebeat/filebeat-modules-overview.md) of the Filebeat modules feature as well as details about each of the currently supported modules.
+
+Filebeat modules require Elasticsearch 5.2 or later.
+
+::::{note}
+While {{filebeat}} modules are still supported, we recommend {{agent}} integrations over {{filebeat}} modules. Integrations provide a streamlined way to connect data from a variety of vendors to the {{stack}}. Refer to the [full list of integrations](https://www.elastic.co/integrations/data-integrations). For more information, please refer to the [{{beats}} vs {{agent}} comparison documentation](docs-content://reference/ingestion-tools/fleet/index.md).
+::::
+
+
+* [*Modules overview*](/reference/filebeat/filebeat-modules-overview.md)
+* [*ActiveMQ module*](/reference/filebeat/filebeat-module-activemq.md)
+* [*Apache module*](/reference/filebeat/filebeat-module-apache.md)
+* [*Auditd module*](/reference/filebeat/filebeat-module-auditd.md)
+* [*AWS module*](/reference/filebeat/filebeat-module-aws.md)
+* [*AWS Fargate module*](/reference/filebeat/filebeat-module-awsfargate.md)
+* [*Azure module*](/reference/filebeat/filebeat-module-azure.md)
+* [*CEF module*](/reference/filebeat/filebeat-module-cef.md)
+* [*Check Point module*](/reference/filebeat/filebeat-module-checkpoint.md)
+* [*Cisco module*](/reference/filebeat/filebeat-module-cisco.md)
+* [*CoreDNS module*](/reference/filebeat/filebeat-module-coredns.md)
+* [*CrowdStrike module*](/reference/filebeat/filebeat-module-crowdstrike.md)
+* [*Cyberark PAS module*](/reference/filebeat/filebeat-module-cyberarkpas.md)
+* [*Elasticsearch module*](/reference/filebeat/filebeat-module-elasticsearch.md)
+* [*Envoyproxy Module*](/reference/filebeat/filebeat-module-envoyproxy.md)
+* [*Fortinet module*](/reference/filebeat/filebeat-module-fortinet.md)
+* [*Google Cloud module*](/reference/filebeat/filebeat-module-gcp.md)
+* [*Google Workspace module*](/reference/filebeat/filebeat-module-google_workspace.md)
+* [*HAproxy module*](/reference/filebeat/filebeat-module-haproxy.md)
+* [*IBM MQ module*](/reference/filebeat/filebeat-module-ibmmq.md)
+* [*Icinga module*](/reference/filebeat/filebeat-module-icinga.md)
+* [*IIS module*](/reference/filebeat/filebeat-module-iis.md)
+* [*Iptables module*](/reference/filebeat/filebeat-module-iptables.md)
+* [*Juniper module*](/reference/filebeat/filebeat-module-juniper.md)
+* [*Kafka module*](/reference/filebeat/filebeat-module-kafka.md)
+* [*Kibana module*](/reference/filebeat/filebeat-module-kibana.md)
+* [*Logstash module*](/reference/filebeat/filebeat-module-logstash.md)
+* [*Microsoft module*](/reference/filebeat/filebeat-module-microsoft.md)
+* [*MISP module*](/reference/filebeat/filebeat-module-misp.md)
+* [*MongoDB module*](/reference/filebeat/filebeat-module-mongodb.md)
+* [*MSSQL module*](/reference/filebeat/filebeat-module-mssql.md)
+* [*MySQL module*](/reference/filebeat/filebeat-module-mysql.md)
+* [*MySQL Enterprise module*](/reference/filebeat/filebeat-module-mysqlenterprise.md)
+* [*NATS module*](/reference/filebeat/filebeat-module-nats.md)
+* [*NetFlow module*](/reference/filebeat/filebeat-module-netflow.md)
+* [*Nginx module*](/reference/filebeat/filebeat-module-nginx.md)
+* [*Office 365 module*](/reference/filebeat/filebeat-module-o365.md)
+* [*Okta module*](/reference/filebeat/filebeat-module-okta.md)
+* [*Oracle module*](/reference/filebeat/filebeat-module-oracle.md)
+* [*Osquery module*](/reference/filebeat/filebeat-module-osquery.md)
+* [*Palo Alto Networks module*](/reference/filebeat/filebeat-module-panw.md)
+* [*pensando module*](/reference/filebeat/filebeat-module-pensando.md)
+* [*PostgreSQL module*](/reference/filebeat/filebeat-module-postgresql.md)
+* [*RabbitMQ module*](/reference/filebeat/filebeat-module-rabbitmq.md)
+* [*Redis module*](/reference/filebeat/filebeat-module-redis.md)
+* [*Salesforce module*](/reference/filebeat/filebeat-module-salesforce.md)
+* [*Santa module*](/reference/filebeat/filebeat-module-santa.md)
+* [*Snyk module*](/reference/filebeat/filebeat-module-snyk.md)
+* [*Sophos module*](/reference/filebeat/filebeat-module-sophos.md)
+* [*Suricata module*](/reference/filebeat/filebeat-module-suricata.md)
+* [*System module*](/reference/filebeat/filebeat-module-system.md)
+* [*Threat Intel module*](/reference/filebeat/filebeat-module-threatintel.md)
+* [*Traefik module*](/reference/filebeat/filebeat-module-traefik.md)
+* [*Zeek (Bro) Module*](/reference/filebeat/filebeat-module-zeek.md)
+* [*ZooKeeper module*](/reference/filebeat/filebeat-module-zookeeper.md)
+* [*Zoom module*](/reference/filebeat/filebeat-module-zoom.md)
+
diff --git a/docs/reference/filebeat/filebeat-network-volumes.md b/docs/reference/filebeat/filebeat-network-volumes.md
new file mode 100644
index 000000000000..ef92d8fb536a
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-network-volumes.md
@@ -0,0 +1,11 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-network-volumes.html
+---
+
+# Can���t read log files from network volumes [filebeat-network-volumes]
+
+We do not recommend reading log files from network volumes. Whenever possible, install Filebeat on the host machine and send the log files directly from there. Reading files from network volumes (especially on Windows) can have unexpected side effects. For example, changed file identifiers may result in Filebeat reading a log file from scratch again.
+
+If it is not possible to read from the host, then using the [`fingerprint`](/reference/filebeat/filebeat-input-filestream.md#filebeat-input-filestream-file-identity-fingerprint) file identity is the next best option.
+
diff --git a/docs/reference/filebeat/filebeat-not-collecting-lines.md b/docs/reference/filebeat/filebeat-not-collecting-lines.md
new file mode 100644
index 000000000000..6d2298584c4a
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-not-collecting-lines.md
@@ -0,0 +1,18 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-not-collecting-lines.html
+---
+
+# Filebeat isn���t collecting lines from a file [filebeat-not-collecting-lines]
+
+Filebeat might be incorrectly configured or unable to send events to the output. To resolve the issue:
+
+* If using modules, make sure the `var.paths` setting points to the file. If configuring an input manually, make sure the `paths` setting is correct.
+* Verify that the file is not older than the value specified by [`ignore_older`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-ignore-older). `ignore_older` is disable by default so this depends on the value you have set. You can change this behavior by specifying a different value for [`ignore_older`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-ignore-older).
+* Make sure that Filebeat is able to send events to the configured output. Run Filebeat in debug mode to determine whether it’s publishing events successfully:
+
+    ```sh
+    ./filebeat -c config.yml -e -d "*"
+    ```
+
+
diff --git a/docs/reference/filebeat/filebeat-overview.md b/docs/reference/filebeat/filebeat-overview.md
new file mode 100644
index 000000000000..071e92a2a26a
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-overview.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html
+  - https://www.elastic.co/guide/en/beats/filebeat/current/index.html
+---
+
+# Filebeat overview [filebeat-overview]
+
+Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to [Elasticsearch](https://www.elastic.co/products/elasticsearch) or [Logstash](https://www.elastic.co/products/logstash) for indexing.
+
+Here’s how Filebeat works: When you start Filebeat, it starts one or more inputs that look in the locations you’ve specified for log data. For each log that Filebeat locates, Filebeat starts a harvester. Each harvester reads a single log for new content and sends the new log data to libbeat, which aggregates the events and sends the aggregated data to the output that you’ve configured for Filebeat.
+
+:::{image} images/filebeat.png
+:alt: Beats design
+:::
+
+For more information about inputs and harvesters, see [*How Filebeat works*](/reference/filebeat/how-filebeat-works.md).
+
+Filebeat is an Elastic [Beat](https://www.elastic.co/beats). It’s based on the `libbeat` framework. For more information, see the [Beats Platform Reference](/reference/index.md).
+
diff --git a/docs/reference/filebeat/filebeat-reference-yml.md b/docs/reference/filebeat/filebeat-reference-yml.md
new file mode 100644
index 000000000000..8e76d9cb432e
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-reference-yml.md
@@ -0,0 +1,3031 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html
+---
+
+# filebeat.reference.yml [filebeat-reference-yml]
+
+The following reference file is available with your Filebeat installation. It shows all non-deprecated Filebeat options. You can copy from this file and paste configurations into the `filebeat.yml` file to customize it.
+
+::::{tip}
+The reference file is located in the same directory as the `filebeat.yml` file. To locate the file, see [Directory layout](/reference/filebeat/directory-layout.md).
+::::
+
+
+The contents of the file are included here for your convenience.
+
+```yaml
+## Filebeat Configuration ############################
+
+# This file is a full configuration example documenting all non-deprecated
+# options in comments. For a shorter configuration example, that contains only
+# the most common options, please see filebeat.yml in the same directory.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/filebeat/index.html
+
+
+#==========================  Modules configuration =============================
+filebeat.modules:
+
+#-------------------------------- System Module --------------------------------
+#- module: system
+  # Syslog
+  #syslog:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Use journald to collect system logs
+    #var.use_journald: false
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+  # Authorization logs
+  #auth:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Use journald to collect auth logs
+    #var.use_journald: false
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+#-------------------------------- Apache Module --------------------------------
+#- module: apache
+  # Access logs
+  #access:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+  # Error logs
+  #error:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+#-------------------------------- Auditd Module --------------------------------
+#- module: auditd
+  #log:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+#---------------------------- Elasticsearch Module ----------------------------
+- module: elasticsearch
+  # Server log
+  server:
+    enabled: false
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+  gc:
+    enabled: false
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+  audit:
+    enabled: false
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+  slowlog:
+    enabled: false
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+  deprecation:
+    enabled: false
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+#------------------------------- HAProxy Module -------------------------------
+- module: haproxy
+  # All logs
+  log:
+    enabled: false
+
+    # Set which input to use between syslog (default) or file.
+    #var.input:
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+#-------------------------------- Icinga Module --------------------------------
+#- module: icinga
+  # Main logs
+  #main:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+  # Debug logs
+  #debug:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+  # Startup logs
+  #startup:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+#--------------------------------- IIS Module ---------------------------------
+#- module: iis
+  # Access logs
+  #access:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+  # Error logs
+  #error:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+#-------------------------------- Kafka Module --------------------------------
+- module: kafka
+  # All logs
+  log:
+    enabled: false
+
+    # Set custom paths for Kafka. If left empty,
+    # Filebeat will look under /opt.
+    #var.kafka_home:
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+#-------------------------------- Kibana Module --------------------------------
+- module: kibana
+  # Server logs
+  log:
+    enabled: false
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+  # Audit logs
+  audit:
+    enabled: false
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+#------------------------------- Logstash Module -------------------------------
+#- module: logstash
+  # logs
+  #log:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    # var.paths:
+
+  # Slow logs
+  #slowlog:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+#------------------------------- Mongodb Module -------------------------------
+#- module: mongodb
+  # Logs
+  #log:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+#-------------------------------- MySQL Module --------------------------------
+#- module: mysql
+  # Error logs
+  #error:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+  # Slow logs
+  #slowlog:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+#--------------------------------- NATS Module ---------------------------------
+- module: nats
+  # All logs
+  log:
+    enabled: false
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+#-------------------------------- Nginx Module --------------------------------
+#- module: nginx
+  # Access logs
+  #access:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+  # Error logs
+  #error:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+  # Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
+  #ingress_controller:
+  #  enabled: false
+  #
+  #  # Set custom paths for the log files. If left empty,
+  #  # Filebeat will choose the paths depending on your OS.
+  #  #var.paths:
+
+#------------------------------- Osquery Module -------------------------------
+#- module: osquery
+  #result:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # If true, all fields created by this module are prefixed with
+    # `osquery.result`. Set to false to copy the fields in the root
+    # of the document. The default is true.
+    #var.use_namespace: true
+
+#------------------------------- Pensando Module -------------------------------
+- module: pensando
+# Firewall logs
+  dfw:
+    enabled: false
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 9001
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    # var.paths:
+
+#------------------------------ PostgreSQL Module ------------------------------
+#- module: postgresql
+  # Logs
+  #log:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+#-------------------------------- Redis Module --------------------------------
+#- module: redis
+  # Main logs
+  #log:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths: ["/var/log/redis/redis-server.log*"]
+
+  # Slow logs, retrieved via the Redis API (SLOWLOG)
+  #slowlog:
+    #enabled: true
+
+    # The Redis hosts to connect to.
+    #var.hosts: ["localhost:6379"]
+
+    # Optional, the password to use when connecting to Redis.
+    #var.password:
+
+#----------------------------- Google Santa Module -----------------------------
+- module: santa
+  log:
+    enabled: false
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the the default path.
+    #var.paths:
+
+#------------------------------- Traefik Module -------------------------------
+#- module: traefik
+  # Access logs
+  #access:
+    #enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Input configuration (advanced). Any input configuration option
+    # can be added under this section.
+    #input:
+
+
+
+#=========================== Filebeat inputs =============================
+
+# List of inputs to fetch data.
+filebeat.inputs:
+# Each - is an input. Most options can be set at the input level, so
+# you can use different inputs for various configurations.
+# Below are the input specific configurations.
+
+# Type of the files. Based on this the way the file is read is decided.
+# The different types cannot be mixed in one input
+#
+# Possible options are:
+# * filestream: Reads every line of the log file
+# * log: Reads every line of the log file (deprecated)
+# * stdin: Reads the standard in
+
+#------------------------------ Log input --------------------------------
+- type: log
+
+  # Change to true to enable this input configuration.
+  enabled: false
+
+  # Paths that should be crawled and fetched. Glob based paths.
+  # To fetch all ".log" files from a specific level of subdirectories
+  # /var/log/*/*.log can be used.
+  # For each file found under this path, a harvester is started.
+  # Make sure no file is defined twice as this can lead to unexpected behaviour.
+  paths:
+    - /var/log/*.log
+    #- c:\programdata\elasticsearch\logs\*
+
+  # Configure the file encoding for reading files with international characters
+  # following the W3C recommendation for HTML5 (http://www.w3.org/TR/encoding).
+  # Some sample encodings:
+  #   plain, utf-8, utf-16be-bom, utf-16be, utf-16le, big5, gb18030, gbk,
+  #    hz-gb-2312, euc-kr, euc-jp, iso-2022-jp, shift-jis, ...
+  #encoding: plain
+
+
+  # Exclude lines. A list of regular expressions to match. It drops the lines that are
+  # matching any regular expression from the list. The include_lines is called before
+  # exclude_lines. By default, no lines are dropped.
+  #exclude_lines: ['^DBG']
+
+  # Include lines. A list of regular expressions to match. It exports the lines that are
+  # matching any regular expression from the list. The include_lines is called before
+  # exclude_lines. By default, all the lines are exported.
+  #include_lines: ['^ERR', '^WARN']
+
+  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
+  # are matching any regular expression from the list. By default, no files are dropped.
+  #exclude_files: ['.gz$']
+
+  # Method to determine if two files are the same or not. By default
+  # the Beat considers two files the same if their inode and device id are the same.
+  #file_identity.native: ~
+
+  # Optional additional fields. These fields can be freely picked
+  # to add additional information to the crawled log files for filtering
+  #fields:
+  #  level: debug
+  #  review: 1
+
+  # Set to true to store the additional fields as top-level fields instead
+  # of under the "fields" sub-dictionary. In case of name conflicts with the
+  # fields added by Filebeat itself, the custom fields overwrite the default
+  # fields.
+  #fields_under_root: false
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # By default, all events contain `host.name`. This option can be set to true
+  # to disable the addition of this field to all events. The default value is
+  # false.
+  #publisher_pipeline.disable_host: false
+
+  # Ignore files that were modified more than the defined timespan in the past.
+  # ignore_older is disabled by default, so no files are ignored by setting it to 0.
+  # Time strings like 2h (2 hours), 5m (5 minutes) can be used.
+  #ignore_older: 0
+
+  # How often the input checks for new files in the paths that are specified
+  # for harvesting. Specify 1s to scan the directory as frequently as possible
+  # without causing Filebeat to scan too frequently. Default: 10s.
+  #scan_frequency: 10s
+
+  # Defines the buffer size every harvester uses when fetching the file
+  #harvester_buffer_size: 16384
+
+  # Maximum number of bytes a single log event can have
+  # All bytes after max_bytes are discarded and not sent. The default is 10MB.
+  # This is especially useful for multiline log messages which can get large.
+  #max_bytes: 10485760
+
+  # Characters that separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed,
+  # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator,
+  # null_terminator
+  #line_terminator: auto
+
+  ### Recursive glob configuration
+
+  # Expand "**" patterns into regular glob patterns.
+  #recursive_glob.enabled: true
+
+  ### JSON configuration
+
+  # Decode JSON options. Enable this if your logs are structured in JSON.
+  # JSON key on which to apply the line filtering and multiline settings. This key
+  # must be top level and its value must be string, otherwise it is ignored. If
+  # no text key is defined, the line filtering and multiline features cannot be used.
+  #json.message_key:
+
+  # By default, the decoded JSON is placed under a "json" key in the output document.
+  # If you enable this setting, the keys are copied top level in the output document.
+  #json.keys_under_root: false
+
+  # If keys_under_root and this setting are enabled, then the values from the decoded
+  # JSON object overwrites the fields that Filebeat normally adds (type, source, offset, etc.)
+  # in case of conflicts.
+  #json.overwrite_keys: false
+
+  # If this setting is enabled, then keys in the decoded JSON object will be recursively
+  # de-dotted, and expanded into a hierarchical object structure.
+  # For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`.
+  #json.expand_keys: false
+
+  # If this setting is enabled, Filebeat adds an "error.message" and "error.key: json" key in case of JSON
+  # unmarshaling errors or when a text key is defined in the configuration but cannot
+  # be used.
+  #json.add_error_key: false
+
+  ### Multiline options
+
+  # Multiline can be used for log messages spanning multiple lines. This is common
+  # for Java Stack Traces or C-Line Continuation
+
+  # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
+  #multiline.pattern: ^\[
+
+  # Defines if the pattern set under the pattern should be negated or not. Default is false.
+  #multiline.negate: false
+
+  # Match can be set to "after" or "before". It is used to define if lines should be appended to a pattern
+  # that was (not) matched before or after or as long as a pattern is not matched based on negate.
+  # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
+  #multiline.match: after
+
+  # The maximum number of lines that are combined into one event.
+  # In case there are more the max_lines the additional lines are discarded.
+  # Default is 500
+  #multiline.max_lines: 500
+
+  # After the defined timeout, a multiline event is sent even if no new pattern was found to start a new event
+  # Default is 5s.
+  #multiline.timeout: 5s
+
+  # To aggregate constant number of lines into a single event use the count mode of multiline.
+  #multiline.type: count
+
+  # The number of lines to aggregate into a single event.
+  #multiline.count_lines: 3
+
+  # Do not add new line characters when concatenating lines.
+  #multiline.skip_newline: false
+
+  # Setting tail_files to true means filebeat starts reading new files at the end
+  # instead of the beginning. If this is used in combination with log rotation
+  # this can mean that the first entries of a new file are skipped.
+  #tail_files: false
+
+  # The ingest pipeline ID associated with this input. If this is set, it
+  # overwrites the pipeline option from the Elasticsearch output.
+  #pipeline:
+
+  # If symlinks is enabled, symlinks are opened and harvested. The harvester is opening the
+  # original for harvesting but will report the symlink name as the source.
+  #symlinks: false
+
+  # Backoff values define how aggressively filebeat crawls new files for updates
+  # The default values can be used in most cases. Backoff defines how long it has to wait
+  # to check a file again after EOF is reached. Default is 1s which means the file
+  # is checked every second if new lines were added. This leads to a near real-time crawling.
+  # Every time a new line appears, backoff is reset to the initial value.
+  #backoff: 1s
+
+  # Max backoff defines what the maximum backoff time is. After having backed off multiple times
+  # from checking the files, the waiting time will never exceed max_backoff independent of the
+  # backoff factor. Having it set to 10s means in the worst case a new line can be added to a log
+  # file after having backed off multiple times, it takes a maximum of 10s to read the new line
+  #max_backoff: 10s
+
+  # The backoff factor defines how fast the algorithm backs off. The bigger the backoff factor,
+  # the faster the max_backoff value is reached. If this value is set to 1, no backoff will happen.
+  # The backoff value will be multiplied each time with the backoff_factor until max_backoff is reached
+  #backoff_factor: 2
+
+  # Max number of harvesters that are started in parallel.
+  # Default is 0 which means unlimited
+  #harvester_limit: 0
+
+  ### Harvester closing options
+
+  # Close inactive closes the file handler after the predefined period.
+  # The period starts when the last line of the file was, not the file ModTime.
+  # Time strings like 2h (2 hours), and 5m (5 minutes) can be used.
+  #close_inactive: 5m
+
+  # Close renamed closes a file handler when the file is renamed or rotated.
+  # Note: Potential data loss. Make sure to read and understand the docs for this option.
+  #close_renamed: false
+
+  # When enabling this option, a file handler is closed immediately in case a file can't be found
+  # any more. In case the file shows up again later, harvesting will continue at the last known position
+  # after scan_frequency.
+  #close_removed: true
+
+  # Closes the file handler as soon as the harvesters reach the end of the file.
+  # By default this option is disabled.
+  # Note: Potential data loss. Make sure to read and understand the docs for this option.
+  #close_eof: false
+
+  ### State options
+
+  # Files for the modification data are older than clean_inactive the state from the registry is removed
+  # By default this is disabled.
+  #clean_inactive: 0
+
+  # Removes the state for files which cannot be found on disk anymore immediately
+  #clean_removed: true
+
+  # Close timeout closes the harvester after the predefined time.
+  # This is independent if the harvester did finish reading the file or not.
+  # By default this option is disabled.
+  # Note: Potential data loss. Make sure to read and understand the docs for this option.
+  #close_timeout: 0
+
+  # Defines if inputs are enabled
+  #enabled: true
+
+#--------------------------- Filestream input ----------------------------
+- type: filestream
+
+  # Unique ID among all inputs, an ID is required.
+  id: my-filestream-id
+
+  # Change to true to enable this input configuration.
+  enabled: false
+
+  # Paths that should be crawled and fetched. Glob based paths.
+  # To fetch all ".log" files from a specific level of subdirectories
+  # /var/log/*/*.log can be used.
+  # For each file found under this path, a harvester is started.
+  # Make sure not file is defined twice as this can lead to unexpected behaviour.
+  paths:
+    - /var/log/*.log
+    #- c:\programdata\elasticsearch\logs\*
+
+  # Configure the file encoding for reading files with international characters
+  # following the W3C recommendation for HTML5 (http://www.w3.org/TR/encoding).
+  # Some sample encodings:
+  #   plain, utf-8, utf-16be-bom, utf-16be, utf-16le, big5, gb18030, gbk,
+  #    hz-gb-2312, euc-kr, euc-jp, iso-2022-jp, shift-jis, ...
+  #encoding: plain
+
+
+  # Exclude lines. A list of regular expressions to match. It drops the lines that are
+  # matching any regular expression from the list. The include_lines is called before
+  # exclude_lines. By default, no lines are dropped.
+  # Line filtering happens after the parsers pipeline. If you would like to filter lines
+  # before parsers, use include_message parser.
+  #exclude_lines: ['^DBG']
+
+  # Include lines. A list of regular expressions to match. It exports the lines that are
+  # matching any regular expression from the list. The include_lines is called before
+  # exclude_lines. By default, all the lines are exported.
+  # Line filtering happens after the parsers pipeline. If you would like to filter lines
+  # before parsers, use include_message parser.
+  #include_lines: ['^ERR', '^WARN']
+
+  ### Prospector options
+
+  # How often the input checks for new files in the paths that are specified
+  # for harvesting. Specify 1s to scan the directory as frequently as possible
+  # without causing Filebeat to scan too frequently. Default: 10s.
+  #prospector.scanner.check_interval: 10s
+
+  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
+  # are matching any regular expression from the list. By default, no files are dropped.
+  #prospector.scanner.exclude_files: ['.gz$']
+
+  # Include files. A list of regular expressions to match. Filebeat keeps only the files that
+  # are matching any regular expression from the list. By default, no files are dropped.
+  #prospector.scanner.include_files: ['/var/log/.*']
+
+  # Expand "**" patterns into regular glob patterns.
+  #prospector.scanner.recursive_glob: true
+
+  # If symlinks is enabled, symlinks are opened and harvested. The harvester is opening the
+  # original for harvesting but will report the symlink name as the source.
+  #prospector.scanner.symlinks: false
+
+  # If enabled, instead of relying on the device ID and inode values when comparing files,
+  # compare hashes of the given byte ranges in files. A file becomes an ingest target
+  # when its size grows larger than offset+length (see below). Until then it's ignored.
+  #prospector.scanner.fingerprint.enabled: true
+
+  # If fingerprint mode is enabled, sets the offset from the beginning of the file
+  # for the byte range used for computing the fingerprint value.
+  #prospector.scanner.fingerprint.offset: 0
+
+  # If fingerprint mode is enabled, sets the length of the byte range used for
+  # computing the fingerprint value. Cannot be less than 64 bytes.
+  #prospector.scanner.fingerprint.length: 1024
+
+  ### Parsers configuration
+
+  #### JSON configuration
+
+  #parsers:
+    #- ndjson:
+      # Decode JSON options. Enable this if your logs are structured in JSON.
+      # JSON key on which to apply the line filtering and multiline settings. This key
+      # must be top level and its value must be a string, otherwise it is ignored. If
+      # no text key is defined, the line filtering and multiline features cannot be used.
+      #message_key:
+
+      # By default, the decoded JSON is placed under a "json" key in the output document.
+      # If you enable this setting, the keys are copied to the top level of the output document.
+      #keys_under_root: false
+
+      # If keys_under_root and this setting are enabled, then the values from the decoded
+      # JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.)
+      # in case of conflicts.
+      #overwrite_keys: false
+
+      # If this setting is enabled, then keys in the decoded JSON object will be recursively
+      # de-dotted, and expanded into a hierarchical object structure.
+      # For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`.
+      #expand_keys: false
+
+      # If this setting is enabled, Filebeat adds an "error.message" and "error.key: json" key in case of JSON
+      # unmarshaling errors or when a text key is defined in the configuration but cannot
+      # be used.
+      #add_error_key: false
+
+  #### Filtering messages
+
+  # You can filter messsages in the parsers pipeline. Use this method if you would like to
+  # include or exclude lines before they are aggregated into multiline or the JSON contents
+  # are parsed.
+
+  #parsers:
+    #- include_message.patterns:
+      #- ["WARN", "ERR"]
+
+  #### Multiline options
+
+  # Multiline can be used for log messages spanning multiple lines. This is common
+  # for Java Stack Traces or C-Line Continuation
+
+  #parsers:
+    #- multiline:
+      #type: pattern
+      # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
+      #pattern: ^\[
+
+      # Defines if the pattern set under the pattern setting should be negated or not. Default is false.
+      #negate: false
+
+      # Match can be set to "after" or "before". It is used to define if lines should be appended to a pattern
+      # that was (not) matched before or after or as long as a pattern is not matched based on negate.
+      # Note: After is the equivalent to previous and before is the equivalent to next in Logstash
+      #match: after
+
+      # The maximum number of lines that are combined into one event.
+      # In case there are more than max_lines the additional lines are discarded.
+      # Default is 500
+      #max_lines: 500
+
+      # After the defined timeout, a multiline event is sent even if no new pattern was found to start a new event
+      # Default is 5s.
+      #timeout: 5s
+
+      # Do not add new line character when concatenating lines.
+      #skip_newline: false
+
+  # To aggregate constant number of lines into a single event use the count mode of multiline.
+
+  #parsers:
+    #- multiline:
+      #type: count
+
+      # The number of lines to aggregate into a single event.
+      #count_lines: 3
+
+      # The maximum number of lines that are combined into one event.
+      # In case there are more than max_lines the additional lines are discarded.
+      # Default is 500
+      #max_lines: 500
+
+      # After the defined timeout, a multiline event is sent even if no new pattern was found to start a new event
+      # Default is 5s.
+      #timeout: 5s
+
+      # Do not add new line characters when concatenating lines.
+      #skip_newline: false
+
+  #### Parsing container events
+
+  # You can parse container events with different formats from all streams.
+
+  #parsers:
+    #- container:
+       # Source of container events. Available options: all, stdin, stderr.
+       #stream: all
+
+       # Format of the container events. Available options: auto, cri, docker, json-file
+       #format: auto
+
+  ### Log rotation
+
+  # When an external tool rotates the input files with copytruncate strategy
+  # use this section to help the input find the rotated files.
+  #rotation.external.strategy.copytruncate:
+  # Regex that matches the rotated files.
+  #  suffix_regex: \.\d$
+  # If the rotated filename suffix is a datetime, set it here.
+  #  dateformat: -20060102
+
+  ### State options
+
+  # Files for the modification data is older than clean_inactive the state from the registry is removed
+  # By default this is disabled.
+  #clean_inactive: -1
+
+  # Removes the state for files which cannot be found on disk anymore immediately
+  #clean_removed: true
+
+  # Method to determine if two files are the same or not. By default
+  # a fingerprint is generated using the first 1024 bytes of the file,
+  # if the fingerprints match, then the files are considered equal.
+  #file_identity.fingerprint: ~
+
+  # Optional additional fields. These fields can be freely picked
+  # to add additional information to the crawled log files for filtering
+  #fields:
+  #  level: debug
+  #  review: 1
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # By default, all events contain `host.name`. This option can be set to true
+  # to disable the addition of this field to all events. The default value is
+  # false.
+  #publisher_pipeline.disable_host: false
+
+  # Ignore files that were modified more than the defined timespan in the past.
+  # ignore_older is disabled by default, so no files are ignored by setting it to 0.
+  # Time strings like 2h (2 hours) and 5m (5 minutes) can be used.
+  #ignore_older: 0
+
+  # Ignore files that have not been updated since the selected event.
+  # ignore_inactive is disabled by default, so no files are ignored by setting it to "".
+  # Available options: since_first_start, since_last_start.
+  #ignore_inactive: ""
+
+  # If `take_over` is set to `true`, this `filestream` will take over all files
+  # from `log` inputs if they match at least one of the `paths` set in the `filestream`.
+  # This functionality is still in beta.
+  #take_over: false
+
+  # Defines the buffer size every harvester uses when fetching the file
+  #harvester_buffer_size: 16384
+
+  # Maximum number of bytes a single log event can have
+  # All bytes after max_bytes are discarded and not sent. The default is 10MB.
+  # This is especially useful for multiline log messages which can get large.
+  #message_max_bytes: 10485760
+
+  # Characters that separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed,
+  # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator,
+  # null_terminator
+  #line_terminator: auto
+
+  # The ingest pipeline ID associated with this input. If this is set, it
+  # overwrites the pipeline option from the Elasticsearch output.
+  #pipeline:
+
+  # Backoff values define how aggressively filebeat crawls new files for updates
+  # The default values can be used in most cases. Backoff defines how long it has to wait
+  # to check a file again after EOF is reached. Default is 1s which means the file
+  # is checked every second if new lines were added. This leads to a near real-time crawling.
+  # Every time a new line appears, backoff is reset to the initial value.
+  #backoff.init: 1s
+
+  # Max backoff defines what the maximum backoff time is. After having backed off multiple times
+  # from checking the files, the waiting time will never exceed max_backoff independent of the
+  # backoff factor. Having it set to 10s means in the worst case a new line can be added to a log
+  # file after having backed off multiple times, it takes a maximum of 10s to read the new line
+  #backoff.max: 10s
+
+  ### Harvester closing options
+
+  # Close inactive closes the file handler after the predefined period.
+  # The period starts when the last line of the file was, not the file ModTime.
+  # Time strings like 2h (2 hours) and 5m (5 minutes) can be used.
+  #close.on_state_change.inactive: 5m
+
+  # Close renamed closes a file handler when the file is renamed or rotated.
+  # Note: Potential data loss. Make sure to read and understand the docs for this option.
+  #close.on_state_change.renamed: false
+
+  # When enabling this option, a file handler is closed immediately in case a file can't be found
+  # any more. In case the file shows up again later, harvesting will continue at the last known position
+  # after scan_frequency.
+  #close.on_state_change.removed: true
+
+  # Closes the file handler as soon as the harvesters reaches the end of the file.
+  # By default this option is disabled.
+  # Note: Potential data loss. Make sure to read and understand the docs for this option.
+  #close.reader.on_eof: false
+
+  # Close timeout closes the harvester after the predefined time.
+  # This is independent if the harvester did finish reading the file or not.
+  # By default this option is disabled.
+  # Note: Potential data loss. Make sure to read and understand the docs for this option.
+  #close.reader.after_interval: 0
+
+#----------------------------- Stdin input -------------------------------
+# Configuration to use stdin input
+#- type: stdin
+
+#------------------------- Redis slowlog input ---------------------------
+# Experimental: Config options for the redis slow log input
+#- type: redis
+  #enabled: false
+
+  # List of hosts to pool to retrieve the slow log information.
+  #hosts: ["localhost:6379"]
+
+  # How often the input checks for redis slow log.
+  #scan_frequency: 10s
+
+  # Timeout after which time the input should return an error
+  #timeout: 1s
+
+  # Network type to be used for redis connection. Default: tcp
+  #network: tcp
+
+  # Max number of concurrent connections. Default: 10
+  #maxconn: 10
+
+  # Redis AUTH password. Empty by default.
+  #password: foobared
+
+#------------------------------ Udp input --------------------------------
+# Experimental: Config options for the udp input
+#- type: udp
+  #enabled: false
+
+  # Maximum size of the message received over UDP
+  #max_message_size: 10KiB
+
+  # Size of the UDP read buffer in bytes
+  #read_buffer: 0
+
+
+#------------------------------ TCP input --------------------------------
+# Experimental: Config options for the TCP input
+#- type: tcp
+  #enabled: false
+
+  # The host and port to receive the new event
+  #host: "localhost:9000"
+
+  # Character used to split new message
+  #line_delimiter: "\n"
+
+  # Maximum size in bytes of the message received over TCP
+  #max_message_size: 20MiB
+
+  # Max number of concurrent connections, or 0 for no limit. Default: 0
+  #max_connections: 0
+
+  # The number of seconds of inactivity before a remote connection is closed.
+  #timeout: 300s
+
+  # Use SSL settings for TCP.
+  #ssl.enabled: true
+
+  # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+  # 1.2 are enabled.
+  #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+  # SSL configuration. By default is off.
+  # List of root certificates for client verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL server authentication.
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Server Certificate Key,
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the Certificate Key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections.
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE based cipher suites.
+  #ssl.curve_types: []
+
+  # Configure what types of client authentication are supported. Valid options
+  # are `none`, `optional`, and `required`. When `certificate_authorities` is set it will
+  # default to `required` otherwise it will be set to `none`.
+  #ssl.client_authentication: "required"
+
+
+#------------------------------ Kafka input --------------------------------
+# Accept events from topics in a Kafka cluster.
+#- type: kafka
+  #enabled: false
+
+  # A list of hosts/ports for the initial Kafka brokers.
+  #hosts:
+    #- kafka-broker-1:9092
+    #- kafka-broker-2:9092
+
+  # A list of topics to read from.
+  #topics: ["my-topic", "important-logs"]
+
+  # The Kafka consumer group id to use when connecting.
+  #group_id: "filebeat"
+
+  # An optional Kafka client id to attach to Kafka requests.
+  #client_id: "my-client"
+
+  # The version of the Kafka protocol to use.
+  #version: 1.0
+
+  # Set to "newest" to start reading from the most recent message when connecting to a
+  # new topic, otherwise the input will begin reading at the oldest remaining event.
+  #initial_offset: oldest
+
+  # How long to wait before trying to reconnect to the kafka cluster after a fatal error.
+  #connect_backoff: 30s
+
+  # How long to wait before retrying a failed read.
+  #consume_backoff: 2s
+
+  # How long to wait for the minimum number of input bytes while reading.
+  #max_wait_time: 250ms
+
+  # The Kafka isolation level, "read_uncommitted" or "read_committed".
+  #isolation_level: read_uncommitted
+
+  # Some Kafka deployments such as Microsoft Azure can return multiple events packed into a
+  # single data field. Set this field to specify where events should be unpacked from.
+  #expand_event_list_from_field: "records"
+
+  # The minimum number of bytes to wait for.
+  #fetch.min: 1
+
+  # The default number of bytes to read per request.
+  #fetch.default: 1MB
+
+  # The maximum number of bytes to read per request (0 for no limit).
+  #fetch.max: 0
+
+  # Consumer rebalance strategy, "range" or "roundrobin"
+  #rebalance.strategy: "range"
+
+  # How long to wait for an attempted rebalance.
+  #rebalance.timeout: 60s
+
+  # How many times to retry if rebalancing fails.
+  #rebalance.max_retries: 4
+
+  # How long to wait after an unsuccessful rebalance attempt.
+  #rebalance.retry_backoff: 2s
+
+  # SASL authentication mechanism used. Can be one of PLAIN, SCRAM-SHA-256 or SCRAM-SHA-512.
+  # Defaults to PLAIN when `username` and `password` are configured.
+  #sasl.mechanism: ''
+
+  # Parsers can be used with the Kafka input. The available parsers are "ndjson" and
+  # "multiline". See the filestream input configuration for more details.
+  #parsers:
+  #- ndjson:
+  #   ...
+  #- multiline:
+  #   ...
+
+
+#------------------------------ Syslog input --------------------------------
+# Accept RFC3164 formatted syslog event via UDP.
+#- type: syslog
+  #enabled: false
+  #format: rfc3164
+  #protocol.udp:
+    # The host and port to receive the new event
+    #host: "localhost:9000"
+
+    # Maximum size of the message received over UDP
+    #max_message_size: 10KiB
+
+# Accept RFC5424 formatted syslog event via TCP.
+#- type: syslog
+  #enabled: false
+  #format: rfc5424
+
+  #protocol.tcp:
+    # The host and port to receive the new event
+    #host: "localhost:9000"
+
+    # Character used to split new message
+    #line_delimiter: "\n"
+
+    # Maximum size in bytes of the message received over TCP
+    #max_message_size: 20MiB
+
+    # The number of seconds of inactivity before a remote connection is closed.
+    #timeout: 300s
+
+    # Use SSL settings for TCP.
+    #ssl.enabled: true
+
+    # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+    # 1.2 are enabled.
+    #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+    # SSL configuration. By default is off.
+    # List of root certificates for client verifications
+    #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+    # Certificate for SSL server authentication.
+    #ssl.certificate: "/etc/pki/client/cert.pem"
+
+    # Server Certificate Key,
+    #ssl.key: "/etc/pki/client/cert.key"
+
+    # Optional passphrase for decrypting the Certificate Key.
+    #ssl.key_passphrase: ''
+
+    # Configure cipher suites to be used for SSL connections.
+    #ssl.cipher_suites: []
+
+    # Configure curve types for ECDHE based cipher suites.
+    #ssl.curve_types: []
+
+    # Configure what types of client authentication are supported. Valid options
+    # are `none`, `optional`, and `required`. When `certificate_authorities` is set it will
+    # default to `required` otherwise it will be set to `none`.
+    #ssl.client_authentication: "required"
+
+#------------------------------ Container input --------------------------------
+#- type: container
+  #enabled: false
+
+  # Paths for container logs that should be crawled and fetched.
+  #paths:
+  #  -/var/lib/docker/containers/*/*.log
+
+  # Configure stream to filter to a specific stream: stdout, stderr or all (default)
+  #stream: all
+
+#------------------------------ Journald input --------------------------------
+# Journald input is experimental.
+#- type: journald
+  #enabled: true
+
+  # Unique ID among all inputs, if the ID changes, all entries
+  # will be re-ingested
+  id: my-journald-id
+
+  # Specify paths to read from custom journal files.
+  # Leave it unset to read the system's journal
+  # Glob based paths.
+  #paths:
+    #- /var/log/custom.journal
+
+  # The position to start reading from the journal, valid options are:
+  #  - head: Starts reading at the beginning of the journal.
+  #  - tail: Starts reading at the end of the journal.
+  #    This means that no events will be sent until a new message is written.
+  #  - since: Use also the `since` option to determine when to start reading from.
+  #seek: head
+
+  # A time offset from the current time to start reading from.
+  # To use since, seek option must be set to since.
+  #since: -24h
+
+  # Collect events from the service and messages about the service,
+  # including coredumps.
+  #units:
+    #- docker.service
+
+  # List of syslog identifiers
+  #syslog_identifiers: ["audit"]
+
+  # The list of transports (_TRANSPORT field of journald entries)
+  #transports: ["audit"]
+
+  # Filter logs by facilities, they must be specified using their numeric code.
+  #facilities:
+    #- 1
+    #- 2
+
+  # You may wish to have separate inputs for each service. You can use
+  # include_matches.or to specify a list of filter expressions that are
+  # applied as a logical OR.
+  #include_matches.match:
+    #- _SYSTEMD_UNIT=foo.service
+
+  # Uses the original hostname of the entry instead of the one
+  # from the host running jounrald
+  #save_remote_hostname: false
+
+  # Parsers are also supported, the possible parsers are:
+  # container, include_message, multiline, ndjson, syslog.
+  # Here is an example of the multiline
+  # parser.
+  #parsers:
+  #- multiline:
+    #type: count
+    #count_lines: 3
+
+# =========================== Filebeat autodiscover ============================
+
+# Autodiscover allows you to detect changes in the system and spawn new modules
+# or inputs as they happen.
+
+#filebeat.autodiscover:
+  # List of enabled autodiscover providers
+#  providers:
+#    - type: docker
+#      templates:
+#        - condition:
+#            equals.docker.container.image: busybox
+#          config:
+#            - type: container
+#              paths:
+#                - /var/log/containers/*.log
+
+#Example: for kubernetes container logs autodiscovery
+#  filebeat.autodiscover:
+#    providers:
+#      - type: kubernetes
+#        node: ${NODE_NAME}
+#        hints.enabled: true
+#        # By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+#        use_kubeadm: true
+#        hints.default_config:
+#          type: filestream
+#          id: kubernetes-container-logs-${data.kubernetes.pod.name}-${data.kubernetes.container.id}
+#          paths:
+#          - /var/log/containers/*-${data.kubernetes.container.id}.log
+#          parsers:
+#          - container: ~
+#          prospector:
+#            scanner:
+#              fingerprint.enabled: true
+#              symlinks: true
+#          file_identity.fingerprint: ~
+
+#By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+#  use_kubeadm: true
+
+# ========================== Filebeat global options ===========================
+
+# Registry data path. If a relative path is used, it is considered relative to the
+# data path.
+#filebeat.registry.path: ${path.data}/registry
+
+# The permissions mask to apply on registry data and meta files. The default
+# value is 0600.  Must be a valid Unix-style file permissions mask expressed in
+# octal notation.  This option is not supported on Windows.
+#filebeat.registry.file_permissions: 0600
+
+# The timeout value that controls when registry entries are written to the disk
+# (flushed). When an unwritten update exceeds this value, it triggers a write
+# to disk. When flush is set to 0s, the registry is written to disk after each
+# batch of events has been published successfully. The default value is 1s.
+#filebeat.registry.flush: 1s
+
+# The interval which to run the registry clean up
+#filebeat.registry.cleanup_interval: 5m
+
+# Starting with Filebeat 7.0, the registry uses a new directory format to store
+# Filebeat state. After you upgrade, Filebeat will automatically migrate a 6.x
+# registry file to use the new directory format. If you changed
+# filebeat.registry.path while upgrading, set filebeat.registry.migrate_file to
+# point to the old registry file.
+#filebeat.registry.migrate_file: ${path.data}/registry
+
+# By default Ingest pipelines are not updated if a pipeline with the same ID
+# already exists. If this option is enabled Filebeat overwrites pipelines
+# every time a new Elasticsearch connection is established.
+#filebeat.overwrite_pipelines: false
+
+# How long filebeat waits on shutdown for the publisher to finish.
+# Default is 0, not waiting.
+#filebeat.shutdown_timeout: 0
+
+# Enable filebeat config reloading
+#filebeat.config:
+  #inputs:
+    #enabled: false
+    #path: inputs.d/*.yml
+    #reload.enabled: true
+    #reload.period: 10s
+  #modules:
+    #enabled: true
+    #path: modules.d/*.yml
+    #reload.enabled: true
+    #reload.period: 10s
+
+
+# ================================== General ===================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+# If this option is not defined, the hostname is used.
+#name:
+
+# The tags of the shipper are included in their field with each
+# transaction published. Tags make it easy to group servers by different
+# logical properties.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output. Fields can be scalar values, arrays, dictionaries, or any nested
+# combination of these.
+#fields:
+#  env: staging
+
+# If this option is set to true, the custom fields are stored as top-level
+# fields in the output document instead of being grouped under a field
+# sub-dictionary. Default is false.
+#fields_under_root: false
+
+# Configure the precision of all timestamps in Filebeat.
+# Available options: millisecond, microsecond, nanosecond
+#timestamp.precision: millisecond
+
+# Internal queue configuration for buffering events to be published.
+# Queue settings may be overridden by performance presets in the
+# Elasticsearch output. To configure them manually use "preset: custom".
+#queue:
+  # Queue type by name (default 'mem')
+  # The memory queue will present all available events (up to the outputs
+  # bulk_max_size) to the output, the moment the output is ready to serve
+  # another batch of events.
+  #mem:
+    # Max number of events the queue can buffer.
+    #events: 3200
+
+    # Hints the minimum number of events stored in the queue,
+    # before providing a batch of events to the outputs.
+    # The default value is set to 2048.
+    # A value of 0 ensures events are immediately available
+    # to be sent to the outputs.
+    #flush.min_events: 1600
+
+    # Maximum duration after which events are available to the outputs,
+    # if the number of events stored in the queue is < `flush.min_events`.
+    #flush.timeout: 10s
+
+  # The disk queue stores incoming events on disk until the output is
+  # ready for them. This allows a higher event limit than the memory-only
+  # queue and lets pending events persist through a restart.
+  #disk:
+    # The directory path to store the queue's data.
+    #path: "${path.data}/diskqueue"
+
+    # The maximum space the queue should occupy on disk. Depending on
+    # input settings, events that exceed this limit are delayed or discarded.
+    #max_size: 10GB
+
+    # The maximum size of a single queue data file. Data in the queue is
+    # stored in smaller segments that are deleted after all their events
+    # have been processed.
+    #segment_size: 1GB
+
+    # The number of events to read from disk to memory while waiting for
+    # the output to request them.
+    #read_ahead: 512
+
+    # The number of events to accept from inputs while waiting for them
+    # to be written to disk. If event data arrives faster than it
+    # can be written to disk, this setting prevents it from overflowing
+    # main memory.
+    #write_ahead: 2048
+
+    # The duration to wait before retrying when the queue encounters a disk
+    # write error.
+    #retry_interval: 1s
+
+    # The maximum length of time to wait before retrying on a disk write
+    # error. If the queue encounters repeated errors, it will double the
+    # length of its retry interval each time, up to this maximum.
+    #max_retry_interval: 30s
+
+# Sets the maximum number of CPUs that can be executed simultaneously. The
+# default is the number of logical CPUs available in the system.
+#max_procs:
+
+# ================================= Processors =================================
+
+# Processors are used to reduce the number of fields in the exported event or to
+# enhance the event with external metadata. This section defines a list of
+# processors that are applied one by one and the first one receives the initial
+# event:
+#
+#   event -> filter1 -> event1 -> filter2 ->event2 ...
+#
+# The supported processors are drop_fields, drop_event, include_fields,
+# decode_json_fields, and add_cloud_metadata.
+#
+# For example, you can use the following processors to keep the fields that
+# contain CPU load percentages, but remove the fields that contain CPU ticks
+# values:
+#
+#processors:
+#  - include_fields:
+#      fields: ["cpu"]
+#  - drop_fields:
+#      fields: ["cpu.user", "cpu.system"]
+#
+# The following example drops the events that have the HTTP response code 200:
+#
+#processors:
+#  - drop_event:
+#      when:
+#        equals:
+#          http.code: 200
+#
+# The following example renames the field a to b:
+#
+#processors:
+#  - rename:
+#      fields:
+#        - from: "a"
+#          to: "b"
+#
+# The following example tokenizes the string into fields:
+#
+#processors:
+#  - dissect:
+#      tokenizer: "%{key1} - %{key2}"
+#      field: "message"
+#      target_prefix: "dissect"
+#
+# The following example enriches each event with metadata from the cloud
+# provider about the host machine. It works on EC2, GCE, DigitalOcean,
+# Tencent Cloud, and Alibaba Cloud.
+#
+#processors:
+#  - add_cloud_metadata: ~
+#
+# The following example enriches each event with the machine's local time zone
+# offset from UTC.
+#
+#processors:
+#  - add_locale:
+#      format: offset
+#
+# The following example enriches each event with docker metadata, it matches
+# given fields to an existing container id and adds info from that container:
+#
+#processors:
+#  - add_docker_metadata:
+#      host: "unix:///var/run/docker.sock"
+#      match_fields: ["system.process.cgroup.id"]
+#      match_pids: ["process.pid", "process.parent.pid"]
+#      match_source: true
+#      match_source_index: 4
+#      match_short_id: false
+#      cleanup_timeout: 60
+#      labels.dedot: false
+#      # To connect to Docker over TLS you must specify a client and CA certificate.
+#      #ssl:
+#      #  certificate_authority: "/etc/pki/root/ca.pem"
+#      #  certificate:           "/etc/pki/client/cert.pem"
+#      #  key:                   "/etc/pki/client/cert.key"
+#
+# The following example enriches each event with docker metadata, it matches
+# container id from log path available in `source` field (by default it expects
+# it to be /var/lib/docker/containers/*/*.log).
+#
+#processors:
+#  - add_docker_metadata: ~
+#
+# The following example enriches each event with host metadata.
+#
+#processors:
+#  - add_host_metadata: ~
+#
+# The following example enriches each event with process metadata using
+# process IDs included in the event.
+#
+#processors:
+#  - add_process_metadata:
+#      match_pids: ["system.process.ppid"]
+#      target: system.process.parent
+#
+# The following example decodes fields containing JSON strings
+# and replaces the strings with valid JSON objects.
+#
+#processors:
+#  - decode_json_fields:
+#      fields: ["field1", "field2", ...]
+#      process_array: false
+#      max_depth: 1
+#      target: ""
+#      overwrite_keys: false
+#
+#processors:
+#  - decompress_gzip_field:
+#      from: "field1"
+#      to: "field2"
+#      ignore_missing: false
+#      fail_on_error: true
+#
+# The following example copies the value of the message to message_copied
+#
+#processors:
+#  - copy_fields:
+#      fields:
+#        - from: message
+#          to: message_copied
+#      fail_on_error: true
+#      ignore_missing: false
+#
+# The following example truncates the value of the message to 1024 bytes
+#
+#processors:
+#  - truncate_fields:
+#      fields:
+#        - message
+#      max_bytes: 1024
+#      fail_on_error: false
+#      ignore_missing: true
+#
+# The following example preserves the raw message under event.original
+#
+#processors:
+#  - copy_fields:
+#      fields:
+#        - from: message
+#          to: event.original
+#      fail_on_error: false
+#      ignore_missing: true
+#  - truncate_fields:
+#      fields:
+#        - event.original
+#      max_bytes: 1024
+#      fail_on_error: false
+#      ignore_missing: true
+#
+# The following example URL-decodes the value of field1 to field2
+#
+#processors:
+#  - urldecode:
+#      fields:
+#        - from: "field1"
+#          to: "field2"
+#      ignore_missing: false
+#      fail_on_error: true
+
+# =============================== Elastic Cloud ================================
+
+# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+# ================================== Outputs ===================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+# ---------------------------- Elasticsearch Output ----------------------------
+output.elasticsearch:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Array of hosts to connect to.
+  # Scheme and port can be left out and will be set to the default (http and 9200)
+  # In case you specify and additional path, the scheme is required: http://localhost:9200/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+  hosts: ["localhost:9200"]
+
+  # Performance presets configure other output fields to recommended values
+  # based on a performance priority.
+  # Options are "balanced", "throughput", "scale", "latency" and "custom".
+  # Default if unspecified: "custom"
+  preset: balanced
+
+  # Set gzip compression level. Set to 0 to disable compression.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 1.
+  #compression_level: 1
+
+  # Configure escaping HTML symbols in strings.
+  #escape_html: false
+
+  # Protocol - either `http` (default) or `https`.
+  #protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
+  #username: "elastic"
+  #password: "changeme"
+
+  # Dictionary of HTTP parameters to pass within the URL with index operations.
+  #parameters:
+    #param1: value1
+    #param2: value2
+
+  # Number of workers per Elasticsearch host.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  #worker: 1
+
+  # If set to true and multiple hosts are configured, the output plugin load
+  # balances published events onto all Elasticsearch hosts. If set to false,
+  # the output plugin sends all events to only one host (determined at random)
+  # and will switch to another host if the currently selected one becomes
+  # unreachable. The default value is true.
+  #loadbalance: true
+
+  # Optional data stream or index name. The default is "filebeat-%{[agent.version]}".
+  # In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly.
+  #index: "filebeat-%{[agent.version]}"
+
+  # Optional ingest pipeline. By default, no pipeline will be used.
+  #pipeline: ""
+
+  # Optional HTTP path
+  #path: "/elasticsearch"
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Proxy server URL
+  #proxy_url: http://proxy:3128
+
+  # Whether to disable proxy settings for outgoing connections. If true, this
+  # takes precedence over both the proxy_url field and any environment settings
+  # (HTTP_PROXY, HTTPS_PROXY). The default is false.
+  #proxy_disable: false
+
+  # The number of times a particular Elasticsearch index operation is attempted. If
+  # the indexing operation doesn't succeed after this many retries, the events are
+  # dropped. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 1600.
+  #bulk_max_size: 1600
+
+  # The number of seconds to wait before trying to reconnect to Elasticsearch
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Elasticsearch after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum amount of time an idle connection will remain idle
+  # before closing itself.  Zero means use the default of 60s. The
+  # format is a Go language duration (example 60s is 60 seconds).
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 3s.
+  # idle_connection_timeout: 3s
+
+  # Configure HTTP request timeout before failing a request to Elasticsearch.
+  #timeout: 90
+
+  # Prevents filebeat from connecting to older Elasticsearch versions when set to `false`
+  #allow_older_versions: true
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+  # Enables restarting filebeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/elastic.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+
+# ------------------------------ Logstash Output -------------------------------
+#output.logstash:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # The Logstash hosts
+  #hosts: ["localhost:5044"]
+
+  # Number of workers per Logstash host.
+  #worker: 1
+
+  # Set gzip compression level.
+  #compression_level: 3
+
+  # Configure escaping HTML symbols in strings.
+  #escape_html: false
+
+  # Optional maximum time to live for a connection to Logstash, after which the
+  # connection will be re-established.  A value of `0s` (the default) will
+  # disable this feature.
+  #
+  # Not yet supported for async connections (i.e. with the "pipelining" option set)
+  #ttl: 30s
+
+  # Optionally load-balance events between Logstash hosts. Default is false.
+  #loadbalance: false
+
+  # Number of batches to be sent asynchronously to Logstash while processing
+  # new batches.
+  #pipelining: 2
+
+  # If enabled only a subset of events in a batch of events is transferred per
+  # transaction.  The number of events to be sent increases up to `bulk_max_size`
+  # if no error is encountered.
+  #slow_start: false
+
+  # The number of seconds to wait before trying to reconnect to Logstash
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Logstash after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # Optional index name. The default index name is set to filebeat
+  # in all lowercase.
+  #index: 'filebeat'
+
+  # SOCKS5 proxy server URL
+  #proxy_url: socks5://user:password@socks5-server:2233
+
+  # Resolve names locally when using a proxy server. Defaults to false.
+  #proxy_use_local_resolver: false
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting filebeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, the events are typically dropped.
+  # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
+  # and retry until all events are published.  Set max_retries to a value less
+  # than 0 to retry until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Logstash request. The
+  # default is 2048.
+  #bulk_max_size: 2048
+
+  # The number of seconds to wait for responses from the Logstash server before
+  # timing out. The default is 30s.
+  #timeout: 30s
+
+# -------------------------------- Kafka Output --------------------------------
+#output.kafka:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # The list of Kafka broker addresses from which to fetch the cluster metadata.
+  # The cluster metadata contain the actual Kafka brokers events are published
+  # to.
+  #hosts: ["localhost:9092"]
+
+  # The Kafka topic used for produced events. The setting can be a format string
+  # using any event field. To set the topic from document type use `%{[type]}`.
+  #topic: beats
+
+  # The Kafka event key setting. Use format string to create a unique event key.
+  # By default no event key will be generated.
+  #key: ''
+
+  # The Kafka event partitioning strategy. Default hashing strategy is `hash`
+  # using the `output.kafka.key` setting or randomly distributes events if
+  # `output.kafka.key` is not configured.
+  #partition.hash:
+    # If enabled, events will only be published to partitions with reachable
+    # leaders. Default is false.
+    #reachable_only: false
+
+    # Configure alternative event field names used to compute the hash value.
+    # If empty `output.kafka.key` setting will be used.
+    # Default value is empty list.
+    #hash: []
+
+  # Authentication details. Password is required if username is set.
+  #username: ''
+  #password: ''
+
+  # SASL authentication mechanism used. Can be one of PLAIN, SCRAM-SHA-256 or SCRAM-SHA-512.
+  # Defaults to PLAIN when `username` and `password` are configured.
+  #sasl.mechanism: ''
+
+  # Kafka version Filebeat is assumed to run against. Defaults to the "1.0.0".
+  #version: '1.0.0'
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # Metadata update configuration. Metadata contains leader information
+  # used to decide which broker to use when publishing.
+  #metadata:
+    # Max metadata request retry attempts when cluster is in middle of leader
+    # election. Defaults to 3 retries.
+    #retry.max: 3
+
+    # Wait time between retries during leader elections. Default is 250ms.
+    #retry.backoff: 250ms
+
+    # Refresh metadata interval. Defaults to every 10 minutes.
+    #refresh_frequency: 10m
+
+    # Strategy for fetching the topics metadata from the broker. Default is false.
+    #full: false
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, events are typically dropped.
+  # Some Beats, such as Filebeat, ignore the max_retries setting and retry until
+  # all events are published.  Set max_retries to a value less than 0 to retry
+  # until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The number of seconds to wait before trying to republish to Kafka
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to republish. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful publish, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to republish to
+  # Kafka after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum number of events to bulk in a single Kafka request. The default
+  # is 2048.
+  #bulk_max_size: 2048
+
+  # Duration to wait before sending bulk Kafka request. 0 is no delay. The default
+  # is 0.
+  #bulk_flush_frequency: 0s
+
+  # The number of seconds to wait for responses from the Kafka brokers before
+  # timing out. The default is 30s.
+  #timeout: 30s
+
+  # The maximum duration a broker will wait for number of required ACKs. The
+  # default is 10s.
+  #broker_timeout: 10s
+
+  # The number of messages buffered for each Kafka broker. The default is 256.
+  #channel_buffer_size: 256
+
+  # The keep-alive period for an active network connection. If 0s, keep-alives
+  # are disabled. The default is 0 seconds.
+  #keep_alive: 0
+
+  # Sets the output compression codec. Must be one of none, snappy and gzip. The
+  # default is gzip.
+  #compression: gzip
+
+  # Set the compression level. Currently only gzip provides a compression level
+  # between 0 and 9. The default value is chosen by the compression algorithm.
+  #compression_level: 4
+
+  # The maximum permitted size of JSON-encoded messages. Bigger messages will be
+  # dropped. The default value is 1000000 (bytes). This value should be equal to
+  # or less than the broker's message.max.bytes.
+  #max_message_bytes: 1000000
+
+  # The ACK reliability level required from broker. 0=no response, 1=wait for
+  # local commit, -1=wait for all replicas to commit. The default is 1.  Note:
+  # If set to 0, no ACKs are returned by Kafka. Messages might be lost silently
+  # on error.
+  #required_acks: 1
+
+  # The configurable ClientID used for logging, debugging, and auditing
+  # purposes.  The default is "beats".
+  #client_id: beats
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting filebeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/security/keytabs/kafka.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # The service name. Service principal name is contructed from
+  # service_name/hostname@realm.
+  #kerberos.service_name: kafka
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+  # Enables Kerberos FAST authentication. This may
+  # conflict with certain Active Directory configurations.
+  #kerberos.enable_krb5_fast: false
+
+# -------------------------------- Redis Output --------------------------------
+#output.redis:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty print json event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # The list of Redis servers to connect to. If load-balancing is enabled, the
+  # events are distributed to the servers in the list. If one server becomes
+  # unreachable, the events are distributed to the reachable servers only.
+  # The hosts setting supports redis and rediss urls with custom password like
+  # redis://:password@localhost:6379.
+  #hosts: ["localhost:6379"]
+
+  # The name of the Redis list or channel the events are published to. The
+  # default is filebeat.
+  #key: filebeat
+
+  # The password to authenticate to Redis with. The default is no authentication.
+  #password:
+
+  # The Redis database number where the events are published. The default is 0.
+  #db: 0
+
+  # The Redis data type to use for publishing events. If the data type is list,
+  # the Redis RPUSH command is used. If the data type is channel, the Redis
+  # PUBLISH command is used. The default value is list.
+  #datatype: list
+
+  # The number of workers to use for each host configured to publish events to
+  # Redis. Use this setting along with the loadbalance option. For example, if
+  # you have 2 hosts and 3 workers, in total 6 workers are started (3 for each
+  # host).
+  #worker: 1
+
+  # If set to true and multiple hosts or workers are configured, the output
+  # plugin load balances published events onto all Redis hosts. If set to false,
+  # the output plugin sends all events to only one host (determined at random)
+  # and will switch to another host if the currently selected one becomes
+  # unreachable. The default value is true.
+  #loadbalance: true
+
+  # The Redis connection timeout in seconds. The default is 5 seconds.
+  #timeout: 5s
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, the events are typically dropped.
+  # Some Beats, such as Filebeat, ignore the max_retries setting and retry until
+  # all events are published. Set max_retries to a value less than 0 to retry
+  # until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The number of seconds to wait before trying to reconnect to Redis
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Redis after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum number of events to bulk in a single Redis request or pipeline.
+  # The default is 2048.
+  #bulk_max_size: 2048
+
+  # The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The
+  # value must be a URL with a scheme of socks5://.
+  #proxy_url:
+
+  # This option determines whether Redis hostnames are resolved locally when
+  # using a proxy. The default value is false, which means that name resolution
+  # occurs on the proxy server.
+  #proxy_use_local_resolver: false
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+# -------------------------------- File Output ---------------------------------
+#output.file:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # Path to the directory where to save the generated files. The option is
+  # mandatory.
+  #path: "/tmp/filebeat"
+
+  # Name of the generated files. The default is `filebeat` and it generates
+  # files: `filebeat-{datetime}.ndjson`, `filebeat-{datetime}-1.ndjson`, etc.
+  #filename: filebeat
+
+  # Maximum size in kilobytes of each file. When this size is reached, and on
+  # every Filebeat restart, the files are rotated. The default value is 10240
+  # kB.
+  #rotate_every_kb: 10000
+
+  # Maximum number of files under path. When this number of files is reached,
+  # the oldest file is deleted and the rest are shifted from last to first. The
+  # default is 7 files.
+  #number_of_files: 7
+
+  # Permissions to use for file creation. The default is 0600.
+  #permissions: 0600
+
+  # Configure automatic file rotation on every startup. The default is true.
+  #rotate_on_startup: true
+
+# ------------------------------- Console Output -------------------------------
+#output.console:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+# =================================== Paths ====================================
+
+# The home path for the Filebeat installation. This is the default base path
+# for all other path settings and for miscellaneous files that come with the
+# distribution (for example, the sample dashboards).
+# If not set by a CLI flag or in the configuration file, the default for the
+# home path is the location of the binary.
+#path.home:
+
+# The configuration path for the Filebeat installation. This is the default
+# base path for configuration files, including the main YAML configuration file
+# and the Elasticsearch template file. If not set by a CLI flag or in the
+# configuration file, the default for the configuration path is the home path.
+#path.config: ${path.home}
+
+# The data path for the Filebeat installation. This is the default base path
+# for all the files in which Filebeat needs to store its data. If not set by a
+# CLI flag or in the configuration file, the default for the data path is a data
+# subdirectory inside the home path.
+#path.data: ${path.home}/data
+
+# The logs path for a Filebeat installation. This is the default location for
+# the Beat's log files. If not set by a CLI flag or in the configuration file,
+# the default for the logs path is a logs subdirectory inside the home path.
+#path.logs: ${path.home}/logs
+
+# ================================== Keystore ==================================
+
+# Location of the Keystore containing the keys and their sensitive values.
+#keystore.path: "${path.config}/beats.keystore"
+
+# ================================= Dashboards =================================
+
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards are disabled by default and can be enabled either by setting the
+# options here or by using the `-setup` CLI flag or the `setup` command.
+#setup.dashboards.enabled: false
+
+# The directory from where to read the dashboards. The default is the `kibana`
+# folder in the home path.
+#setup.dashboards.directory: ${path.home}/kibana
+
+# The URL from where to download the dashboard archive. It is used instead of
+# the directory if it has a value.
+#setup.dashboards.url:
+
+# The file archive (zip file) from where to read the dashboards. It is used instead
+# of the directory when it has a value.
+#setup.dashboards.file:
+
+# In case the archive contains the dashboards from multiple Beats, this lets you
+# select which one to load. You can load all the dashboards in the archive by
+# setting this to the empty string.
+#setup.dashboards.beat: filebeat
+
+# The name of the Kibana index to use for setting the configuration. Default is ".kibana"
+#setup.dashboards.kibana_index: .kibana
+
+# The Elasticsearch index name. This overwrites the index name defined in the
+# dashboards and index pattern. Example: testbeat-*
+#setup.dashboards.index:
+
+# Always use the Kibana API for loading the dashboards instead of autodetecting
+# how to install the dashboards by first querying Elasticsearch.
+#setup.dashboards.always_kibana: false
+
+# If true and Kibana is not reachable at the time when dashboards are loaded,
+# it will retry to reconnect to Kibana instead of exiting with an error.
+#setup.dashboards.retry.enabled: false
+
+# Duration interval between Kibana connection retries.
+#setup.dashboards.retry.interval: 1s
+
+# Maximum number of retries before exiting with an error, 0 for unlimited retrying.
+#setup.dashboards.retry.maximum: 0
+
+# ================================== Template ==================================
+
+# A template is used to set the mapping in Elasticsearch
+# By default template loading is enabled and the template is loaded.
+# These settings can be adjusted to load your own template or overwrite existing ones.
+
+# Set to false to disable template loading.
+#setup.template.enabled: true
+
+# Template name. By default the template name is "filebeat-%{[agent.version]}"
+# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
+#setup.template.name: "filebeat-%{[agent.version]}"
+
+# Template pattern. By default the template pattern is "filebeat-%{[agent.version]}" to apply to the default index settings.
+# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
+#setup.template.pattern: "filebeat-%{[agent.version]}"
+
+# Path to fields.yml file to generate the template
+#setup.template.fields: "${path.config}/fields.yml"
+
+# A list of fields to be added to the template and Kibana index pattern. Also
+# specify setup.template.overwrite: true to overwrite the existing template.
+#setup.template.append_fields:
+#- name: field_name
+#  type: field_type
+
+# Enable JSON template loading. If this is enabled, the fields.yml is ignored.
+#setup.template.json.enabled: false
+
+# Path to the JSON template file
+#setup.template.json.path: "${path.config}/template.json"
+
+# Name under which the template is stored in Elasticsearch
+#setup.template.json.name: ""
+
+# Set this option if the JSON template is a data stream.
+#setup.template.json.data_stream: false
+
+# Overwrite existing template
+# Do not enable this option for more than one instance of filebeat as it might
+# overload your Elasticsearch with too many update requests.
+#setup.template.overwrite: false
+
+# Elasticsearch template settings
+setup.template.settings:
+
+  # A dictionary of settings to place into the settings.index dictionary
+  # of the Elasticsearch template. For more details, please check
+  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html
+  #index:
+    #number_of_shards: 1
+    #codec: best_compression
+
+  # A dictionary of settings for the _source field. For more details, please check
+  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html
+  #_source:
+    #enabled: false
+
+# ====================== Index Lifecycle Management (ILM) ======================
+
+# Configure index lifecycle management (ILM) to manage the backing indices
+# of your data streams.
+
+# Enable ILM support. Valid values are true, or false.
+#setup.ilm.enabled: true
+
+# Set the lifecycle policy name. The default policy name is
+# 'beatname'.
+#setup.ilm.policy_name: "mypolicy"
+
+# The path to a JSON file that contains a lifecycle policy configuration. Used
+# to load your own lifecycle policy.
+#setup.ilm.policy_file:
+
+# Disable the check for an existing lifecycle policy. The default is true.
+# If you set this option to false, lifecycle policy will not be installed,
+# even if setup.ilm.overwrite is set to true.
+#setup.ilm.check_exists: true
+
+# Overwrite the lifecycle policy at startup. The default is false.
+#setup.ilm.overwrite: false
+
+# ======================== Data Stream Lifecycle (DSL) =========================
+
+# Configure Data Stream Lifecycle to manage data streams while connected to Serverless elasticsearch.
+# These settings are mutually exclusive with ILM settings which are not supported in Serverless projects.
+
+# Enable DSL support. Valid values are true, or false.
+#setup.dsl.enabled: true
+
+# Set the lifecycle policy name or pattern. For DSL, this name must match the data stream that the lifecycle is for.
+# The default data stream pattern is filebeat-%{[agent.version]}"
+# The template string `%{[agent.version]}` will resolve to the current stack version.
+# The other possible template value is `%{[beat.name]}`.
+#setup.dsl.data_stream_pattern: "filebeat-%{[agent.version]}"
+
+# The path to a JSON file that contains a lifecycle policy configuration. Used
+# to load your own lifecycle policy.
+# If no custom policy is specified, a default policy with a lifetime of 7 days will be created.
+#setup.dsl.policy_file:
+
+# Disable the check for an existing lifecycle policy. The default is true. If
+# you disable this check, set setup.dsl.overwrite: true so the lifecycle policy
+# can be installed.
+#setup.dsl.check_exists: true
+
+# Overwrite the lifecycle policy at startup. The default is false.
+#setup.dsl.overwrite: false
+
+# =================================== Kibana ===================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+  # Kibana Host
+  # Scheme and port can be left out and will be set to the default (http and 5601)
+  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+  #host: "localhost:5601"
+
+  # Optional protocol and basic auth credentials.
+  #protocol: "https"
+  #username: "elastic"
+  #password: "changeme"
+
+  # Optional HTTP path
+  #path: ""
+
+  # Optional Kibana space ID.
+  #space.id: ""
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+# ================================== Logging ===================================
+
+# There are four options for the log output: file, stderr, syslog, eventlog
+# The file output is the default.
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: info
+
+# Enable debug output for selected components. To enable all selectors use ["*"]
+# Other available selectors are "beat", "publisher", "service"
+# Multiple selectors can be chained.
+#logging.selectors: [ ]
+
+# Send all logging output to stderr. The default is false.
+#logging.to_stderr: false
+
+# Send all logging output to syslog. The default is false.
+#logging.to_syslog: false
+
+# Send all logging output to Windows Event Logs. The default is false.
+#logging.to_eventlog: false
+
+# If enabled, Filebeat periodically logs its internal metrics that have changed
+# in the last period. For each metric that changed, the delta from the value at
+# the beginning of the period is logged. Also, the total values for
+# all non-zero internal metrics are logged on shutdown. The default is true.
+#logging.metrics.enabled: true
+
+# The period after which to log the internal metrics. The default is 30s.
+#logging.metrics.period: 30s
+
+# A list of metrics namespaces to report in the logs. Defaults to [stats].
+# `stats` contains general Beat metrics. `dataset` may be present in some
+# Beats and contains module or input metrics.
+#logging.metrics.namespaces: [stats]
+
+# Logging to rotating files. Set logging.to_files to false to disable logging to
+# files.
+logging.to_files: true
+logging.files:
+  # Configure the path where the logs are written. The default is the logs directory
+  # under the home path (the binary location).
+  #path: /var/log/filebeat
+
+  # The name of the files where the logs are written to.
+  #name: filebeat
+
+  # Configure log file size limit. If the limit is reached, log file will be
+  # automatically rotated.
+  #rotateeverybytes: 10485760 # = 10MB
+
+  # Number of rotated log files to keep. The oldest files will be deleted first.
+  #keepfiles: 7
+
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
+
+  # Enable log file rotation on time intervals in addition to the size-based rotation.
+  # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
+  # are boundary-aligned with minutes, hours, days, weeks, months, and years as
+  # reported by the local system clock. All other intervals are calculated from the
+  # Unix epoch. Defaults to disabled.
+  #interval: 0
+
+  # Rotate existing logs on startup rather than appending them to the existing
+  # file. Defaults to true.
+  # rotateonstartup: true
+
+#=============================== Events Logging ===============================
+# Some outputs will log raw events on errors like indexing errors in the
+# Elasticsearch output, to prevent logging raw events (that may contain
+# sensitive information) together with other log messages, a different
+# log file, only for log entries containing raw events, is used. It will
+# use the same level, selectors and all other configurations from the
+# default logger, but it will have it's own file configuration.
+#
+# Having a different log file for raw events also prevents event data
+# from drowning out the regular log files.
+#
+# IMPORTANT: No matter the default logger output configuration, raw events
+# will **always** be logged to a file configured by `logging.event_data.files`.
+
+# logging.event_data:
+# Logging to rotating files. Set logging.to_files to false to disable logging to
+# files.
+#logging.event_data.to_files: true
+#logging.event_data:
+  # Configure the path where the logs are written. The default is the logs directory
+  # under the home path (the binary location).
+  #path: /var/log/filebeat
+
+  # The name of the files where the logs are written to.
+  #name: filebeat-events-data
+
+  # Configure log file size limit. If the limit is reached, log file will be
+  # automatically rotated.
+  #rotateeverybytes: 5242880 # = 5MB
+
+  # Number of rotated log files to keep. The oldest files will be deleted first.
+  #keepfiles: 2
+
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
+
+  # Enable log file rotation on time intervals in addition to the size-based rotation.
+  # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
+  # are boundary-aligned with minutes, hours, days, weeks, months, and years as
+  # reported by the local system clock. All other intervals are calculated from the
+  # Unix epoch. Defaults to disabled.
+  #interval: 0
+
+  # Rotate existing logs on startup rather than appending them to the existing
+  # file. Defaults to false.
+  # rotateonstartup: false
+
+# ============================= X-Pack Monitoring ==============================
+# Filebeat can export internal metrics to a central Elasticsearch monitoring
+# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#monitoring.enabled: false
+
+# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
+# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
+# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
+#monitoring.cluster_uuid:
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well.
+# Note that the settings should point to your Elasticsearch *monitoring* cluster.
+# Any setting that is not set is automatically inherited from the Elasticsearch
+# output configuration, so if you have the Elasticsearch output configured such
+# that it is pointing to your Elasticsearch monitoring cluster, you can simply
+# uncomment the following line.
+#monitoring.elasticsearch:
+
+  # Array of hosts to connect to.
+  # Scheme and port can be left out and will be set to the default (http and 9200)
+  # In case you specify an additional path, the scheme is required: http://localhost:9200/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+  #hosts: ["localhost:9200"]
+
+  # Set gzip compression level.
+  #compression_level: 0
+
+  # Protocol - either `http` (default) or `https`.
+  #protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
+  #username: "beats_system"
+  #password: "changeme"
+
+  # Dictionary of HTTP parameters to pass within the URL with index operations.
+  #parameters:
+    #param1: value1
+    #param2: value2
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Proxy server url
+  #proxy_url: http://proxy:3128
+
+  # The number of times a particular Elasticsearch index operation is attempted. If
+  # the indexing operation doesn't succeed after this many retries, the events are
+  # dropped. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+  # The default is 50.
+  #bulk_max_size: 50
+
+  # The number of seconds to wait before trying to reconnect to Elasticsearch
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Elasticsearch after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # Configure HTTP request timeout before failing a request to Elasticsearch.
+  #timeout: 90
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/elastic.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+  #metrics.period: 10s
+  #state.period: 1m
+
+# The `monitoring.cloud.id` setting overwrites the `monitoring.elasticsearch.hosts`
+# setting. You can find the value for this setting in the Elastic Cloud web UI.
+#monitoring.cloud.id:
+
+# The `monitoring.cloud.auth` setting overwrites the `monitoring.elasticsearch.username`
+# and `monitoring.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#monitoring.cloud.auth:
+
+# =============================== HTTP Endpoint ================================
+
+# Each beat can expose internal metrics through an HTTP endpoint. For security
+# reasons the endpoint is disabled by default. This feature is currently experimental.
+# Stats can be accessed through http://localhost:5066/stats. For pretty JSON output
+# append ?pretty to the URL.
+
+# Defines if the HTTP endpoint is enabled.
+#http.enabled: false
+
+# The HTTP endpoint will bind to this hostname, IP address, unix socket, or named pipe.
+# When using IP addresses, it is recommended to only use localhost.
+#http.host: localhost
+
+# Port on which the HTTP endpoint will bind. Default is 5066.
+#http.port: 5066
+
+# Define which user should be owning the named pipe.
+#http.named_pipe.user:
+
+# Define which permissions should be applied to the named pipe, use the Security
+# Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with
+# `http.user`.
+#http.named_pipe.security_descriptor:
+
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
+# Controls the fraction of goroutine blocking events that are reported in the
+# blocking profile.
+#http.pprof.block_profile_rate: 0
+
+# Controls the fraction of memory allocations that are recorded and reported in
+# the memory profile.
+#http.pprof.mem_profile_rate: 524288
+
+# Controls the fraction of mutex contention events that are reported in the
+# mutex profile.
+#http.pprof.mutex_profile_rate: 0
+
+# ============================== Process Security ==============================
+
+# Enable or disable seccomp system call filtering on Linux. Default is enabled.
+#seccomp.enabled: true
+
+# ============================== Instrumentation ===============================
+
+# Instrumentation support for the filebeat.
+#instrumentation:
+    # Set to true to enable instrumentation of filebeat.
+    #enabled: false
+
+    # Environment in which filebeat is running on (eg: staging, production, etc.)
+    #environment: ""
+
+    # APM Server hosts to report instrumentation results to.
+    #hosts:
+    #  - http://localhost:8200
+
+    # API Key for the APM Server(s).
+    # If api_key is set then secret_token will be ignored.
+    #api_key:
+
+    # Secret token for the APM Server(s).
+    #secret_token:
+
+    # Enable profiling of the server, recording profile samples as events.
+    #
+    # This feature is experimental.
+    #profiling:
+        #cpu:
+            # Set to true to enable CPU profiling.
+            #enabled: false
+            #interval: 60s
+            #duration: 10s
+        #heap:
+            # Set to true to enable heap profiling.
+            #enabled: false
+            #interval: 60s
+
+# ================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: false
+
+# =============================== Feature Flags ================================
+
+# Enable and configure feature flags.
+#features:
+#  fqdn:
+#    enabled: true
+```
+
diff --git a/docs/reference/filebeat/filebeat-starting.md b/docs/reference/filebeat/filebeat-starting.md
new file mode 100644
index 000000000000..d79b47542b87
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-starting.md
@@ -0,0 +1,72 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-starting.html
+---
+
+# Start Filebeat [filebeat-starting]
+
+Before starting Filebeat:
+
+* Follow the steps in [Quick start: installation and configuration](/reference/filebeat/filebeat-installation-configuration.md) to install, configure, and set up the Filebeat environment.
+* Make sure {{kib}} and {{es}} are running.
+* Make sure the user specified in `filebeat.yml` is [authorized to publish events](/reference/filebeat/privileges-to-publish-events.md).
+
+To start Filebeat, run:
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+sudo service filebeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Filebeat, you can’t specify command line flags (see [Command reference](/reference/filebeat/command-line-options.md)). To specify flags, start Filebeat in the foreground.
+::::
+
+
+Also see [Filebeat and systemd](/reference/filebeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} RPM
+```sh
+sudo service filebeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Filebeat, you can’t specify command line flags (see [Command reference](/reference/filebeat/command-line-options.md)). To specify flags, start Filebeat in the foreground.
+::::
+
+
+Also see [Filebeat and systemd](/reference/filebeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} MacOS
+```sh
+sudo chown root filebeat.yml <1>
+sudo chown root modules.d/{modulename}.yml <1>
+sudo ./filebeat -e
+```
+
+1. You’ll be running Filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the `modules.d` directory, or run Filebeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Linux
+```sh
+sudo chown root filebeat.yml <1>
+sudo chown root modules.d/{modulename}.yml <1>
+sudo ./filebeat -e
+```
+
+1. You’ll be running Filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the `modules.d` directory, or run Filebeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Windows
+```sh
+PS C:\Program Files\filebeat> Start-Service filebeat
+```
+
+By default, Windows log files are stored in `C:\ProgramData\filebeat\Logs`.
+::::::
+
+:::::::
diff --git a/docs/reference/filebeat/filebeat-template.md b/docs/reference/filebeat/filebeat-template.md
new file mode 100644
index 000000000000..f3e45fac7a70
--- /dev/null
+++ b/docs/reference/filebeat/filebeat-template.md
@@ -0,0 +1,228 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-template.html
+---
+
+# Load the Elasticsearch index template [filebeat-template]
+
+{{es}} uses [index templates](docs-content://manage-data/data-store/templates.md) to define:
+
+* Settings that control the behavior of your data stream and backing indices. The settings include the lifecycle policy used to manage backing indices as they grow and age.
+* Mappings that determine how fields are analyzed. Each mapping sets the [{{es}} datatype](elasticsearch://reference/elasticsearch/mapping-reference/field-data-types.md) to use for a specific data field.
+
+The recommended index template file for Filebeat is installed by the Filebeat packages. If you accept the default configuration in the `filebeat.yml` config file, Filebeat loads the template automatically after successfully connecting to {{es}}. If the template already exists, it’s not overwritten unless you configure Filebeat to do so.
+
+::::{note}
+A connection to {{es}} is required to load the index template. If the output is not {{es}} (or {{ess}}), you must [load the template manually](#load-template-manually).
+::::
+
+
+This page shows how to change the default template loading behavior to:
+
+* [Load your own index template](#load-custom-template)
+* [Overwrite an existing index template](#overwrite-template)
+* [Disable automatic index template loading](#disable-template-loading)
+* [Load the index template manually](#load-template-manually)
+
+For a full list of template setup options, see [Elasticsearch index template](/reference/filebeat/configuration-template.md).
+
+
+## Load your own index template [load-custom-template]
+
+To load your own index template, set the following options:
+
+```yaml
+setup.template.name: "your_template_name"
+setup.template.fields: "path/to/fields.yml"
+```
+
+If the template already exists, it’s not overwritten unless you configure Filebeat to do so.
+
+You can load templates for both data streams and indices.
+
+
+## Overwrite an existing index template [overwrite-template]
+
+::::{warning}
+Do not enable this option for more than one instance of Filebeat. If you start multiple instances at the same time, it can overload your {{es}} with too many template update requests.
+::::
+
+
+To overwrite a template that’s already loaded into {{es}}, set:
+
+```yaml
+setup.template.overwrite: true
+```
+
+
+## Disable automatic index template loading [disable-template-loading]
+
+You may want to disable automatic template loading if you’re using an output other than {{es}} and need to load the template manually. To disable automatic template loading, set:
+
+```yaml
+setup.template.enabled: false
+```
+
+If you disable automatic template loading, you must load the index template manually.
+
+
+## Load the index template manually [load-template-manually]
+
+To load the index template manually, run the [`setup`](/reference/filebeat/command-line-options.md#setup-command) command. A connection to {{es}} is required.  If another output is enabled, you need to temporarily disable that output and enable {{es}} by using the `-E` option. The examples here assume that Logstash output is enabled. You can omit the `-E` flags if {{es}} output is already enabled.
+
+If you are connecting to a secured {{es}} cluster, make sure you’ve configured credentials as described in the [Quick start: installation and configuration](/reference/filebeat/filebeat-installation-configuration.md).
+
+If the host running Filebeat does not have direct connectivity to {{es}}, see [Load the index template manually (alternate method)](#load-template-manually-alternate).
+
+To load the template, use the appropriate command for your system.
+
+**deb and rpm:**
+
+```sh
+filebeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**mac:**
+
+```sh
+./filebeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**linux:**
+
+```sh
+./filebeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**docker:**
+
+```sh
+docker run --rm docker.elastic.co/beats/filebeat:9.0.0-beta1 setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**win:**
+
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Filebeat, and run:
+
+```sh
+PS > .\filebeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+
+### Force Kibana to look at newest documents [force-kibana-new]
+
+If you’ve already used Filebeat to index data into {{es}}, the index may contain old documents. After you load the index template, you can delete the old documents from `filebeat-*` to force Kibana to look at the newest documents.
+
+Use this command:
+
+**deb and rpm:**
+
+```sh
+curl -XDELETE 'http://localhost:9200/filebeat-*'
+```
+
+**mac:**
+
+```sh
+curl -XDELETE 'http://localhost:9200/filebeat-*'
+```
+
+**linux:**
+
+```sh
+curl -XDELETE 'http://localhost:9200/filebeat-*'
+```
+
+**win:**
+
+```sh
+PS > Invoke-RestMethod -Method Delete "http://localhost:9200/filebeat-*"
+```
+
+This command deletes all indices that match the pattern `filebeat`. Before running this command, make sure you want to delete all indices that match the pattern.
+
+
+## Load the index template manually (alternate method) [load-template-manually-alternate]
+
+If the host running Filebeat does not have direct connectivity to {{es}}, you can export the index template to a file, move it to a machine that does have connectivity, and then install the template manually.
+
+To export the index template, run:
+
+**deb and rpm:**
+
+```sh
+filebeat export template > filebeat.template.json
+```
+
+**mac:**
+
+```sh
+./filebeat export template > filebeat.template.json
+```
+
+**linux:**
+
+```sh
+./filebeat export template > filebeat.template.json
+```
+
+**win:**
+
+```sh
+PS > .\filebeat.exe export template --es.version 9.0.0-beta1 | Out-File -Encoding UTF8 filebeat.template.json
+```
+
+To install the template, run:
+
+**deb and rpm:**
+
+```sh
+curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/filebeat-9.0.0-beta1 -d@filebeat.template.json
+```
+
+**mac:**
+
+```sh
+curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/filebeat-9.0.0-beta1 -d@filebeat.template.json
+```
+
+**linux:**
+
+```sh
+curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/filebeat-9.0.0-beta1 -d@filebeat.template.json
+```
+
+**win:**
+
+```sh
+PS > Invoke-RestMethod -Method Put -ContentType "application/json" -InFile filebeat.template.json -Uri http://localhost:9200/_index_template/filebeat-9.0.0-beta1
+```
+
+Once you have loaded the index template, load the data stream as well. If you do not load it, you have to give the publisher user `manage` permission on filebeat-9.0.0-beta1 index.
+
+**deb and rpm:**
+
+```sh
+curl -XPUT http://localhost:9200/_data_stream/filebeat-9.0.0-beta1
+```
+
+**mac:**
+
+```sh
+curl -XPUT http://localhost:9200/_data_stream/filebeat-9.0.0-beta1
+```
+
+**linux:**
+
+```sh
+curl -XPUT http://localhost:9200/_data_stream/filebeat-9.0.0-beta1
+```
+
+**win:**
+
+```sh
+PS > Invoke-RestMethod -Method Put -Uri http://localhost:9200/_data_stream/filebeat-9.0.0-beta1
+```
+
diff --git a/docs/reference/filebeat/filebeat.md b/docs/reference/filebeat/filebeat.md
new file mode 100644
index 000000000000..6954606dcc19
--- /dev/null
+++ b/docs/reference/filebeat/filebeat.md
@@ -0,0 +1,8 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/index.html
+---
+
+# Filebeat
+
+Just a placeholder for a top index page.
diff --git a/docs/reference/filebeat/filtering-enhancing-data.md b/docs/reference/filebeat/filtering-enhancing-data.md
new file mode 100644
index 000000000000..2747cb22ed5e
--- /dev/null
+++ b/docs/reference/filebeat/filtering-enhancing-data.md
@@ -0,0 +1,157 @@
+---
+navigation_title: "Processors"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html
+---
+
+# Filter and enhance data with processors [filtering-and-enhancing-data]
+
+
+Your use case might require only a subset of the data exported by Filebeat, or you might need to enhance the exported data (for example, by adding metadata). Filebeat provides a couple of options for filtering and enhancing exported data.
+
+You can configure each input to include or exclude specific lines or files. This allows you to specify different filtering criteria for each input. To do this, you use the `include_lines`, `exclude_lines`, and `exclude_files` options under the `filebeat.inputs` section of the config file (see [Inputs](/reference/filebeat/configuration-filebeat-options.md)). The disadvantage of this approach is that you need to implement a configuration option for each filtering criteria that you need.
+
+Another approach (the one described here) is to define processors to configure global processing across all data exported by Filebeat.
+
+
+## Processors [using-processors]
+
+You can [define processors](/reference/filebeat/defining-processors.md) in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:
+
+* reducing the number of exported fields
+* enhancing events with additional metadata
+* performing additional processing and decoding
+
+Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Filebeat configuration file.
+
+```yaml
+event -> processor 1 -> event1 -> processor 2 -> event2 ...
+```
+
+::::{important}
+It’s recommended to do all drop and renaming of existing fields as the last step in a processor configuration. This is because dropping or renaming fields can remove data necessary for the next processor in the chain, for example dropping the `source.ip` field would remove one of the fields necessary for the `community_id` processor to function. If it’s necessary to remove, rename or overwrite an existing event field, please make sure it’s done by a corresponding processor ([`drop_fields`](/reference/filebeat/drop-fields.md), [`rename`](/reference/filebeat/rename-fields.md) or [`add_fields`](/reference/filebeat/add-fields.md)) placed at the end of the processor list defined in the input configuration.
+::::
+
+
+
+### Drop event example [drop-event-example]
+
+The following configuration drops all the DEBUG messages.
+
+```yaml
+processors:
+  - drop_event:
+      when:
+        regexp:
+          message: "^DBG:"
+```
+
+To drop all the log messages coming from a certain log file:
+
+```yaml
+processors:
+  - drop_event:
+      when:
+        contains:
+          source: "test"
+```
+
+
+### Decode JSON example [decode-json-example]
+
+In the following example, the fields exported by Filebeat include a field, `inner`, whose value is a JSON object encoded as a string:
+
+```json
+{ "outer": "value", "inner": "{\"data\": \"value\"}" }
+```
+
+The following configuration decodes the inner JSON object:
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  paths:
+    - input.json
+  parsers:
+    - ndjson:
+        target: ""
+
+processors:
+  - decode_json_fields:
+      fields: ["inner"]
+
+output.console.pretty: true
+```
+
+The resulting output looks something like this:
+
+```json
+{
+  "@timestamp": "2016-12-06T17:38:11.541Z",
+  "beat": {
+    "hostname": "host.example.com",
+    "name": "host.example.com",
+    "version": "9.0.0-beta1"
+  },
+  "inner": {
+    "data": "value"
+  },
+  "input": {
+    "type": "log",
+  },
+  "offset": 55,
+  "outer": "value",
+  "source": "input.json",
+  "type": "log"
+}
+```
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/filebeat/fingerprint.md b/docs/reference/filebeat/fingerprint.md
new file mode 100644
index 000000000000..58c32dac7c51
--- /dev/null
+++ b/docs/reference/filebeat/fingerprint.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "fingerprint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/fingerprint.html
+---
+
+# Generate a fingerprint of an event [fingerprint]
+
+
+The `fingerprint` processor generates a fingerprint of an event based on a specified subset of its fields.
+
+The value that is hashed is constructed as a concatenation of the field name and field value separated by `|`. For example `|field1|value1|field2|value2|`.
+
+Nested fields are supported in the following format: `"field1.field2"` e.g: `["log.path.file", "foo"]`
+
+```yaml
+processors:
+  - fingerprint:
+      fields: ["field1", "field2", ...]
+```
+
+The following settings are supported:
+
+`fields`
+:   List of fields to use as the source for the fingerprint. The list will be alphabetically sorted by the processor.
+
+`ignore_missing`
+:   (Optional) Whether to ignore missing fields. Default is `false`.
+
+`target_field`
+:   (Optional) Field in which the generated fingerprint should be stored. Default is `fingerprint`.
+
+`method`
+:   (Optional) Algorithm to use for computing the fingerprint. Must be one of: `md5`, `sha1`, `sha256`, `sha384`, `sha512`, `xxhash`. Default is `sha256`.
+
+`encoding`
+:   (Optional) Encoding to use on the fingerprint value. Must be one of `hex`, `base32`, or `base64`. Default is `hex`.
+
diff --git a/docs/reference/filebeat/getting-help.md b/docs/reference/filebeat/getting-help.md
new file mode 100644
index 000000000000..538727dcaaab
--- /dev/null
+++ b/docs/reference/filebeat/getting-help.md
@@ -0,0 +1,16 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/getting-help.html
+---
+
+# Get help [getting-help]
+
+Start by searching the [Filebeat discussion forum](https://discuss.elastic.co/c/beats/filebeat) for your issue. If you can’t find a resolution, open a new issue or add a comment to an existing one. Make sure you provide the following information, and we’ll help you troubleshoot the problem:
+
+* Filebeat version
+* Operating System
+* Configuration
+* Any supporting information, such as debugging output, that will help us diagnose your problem. See [*Debug*](/reference/filebeat/enable-filebeat-debugging.md) for more details.
+
+If you’re sure you found a bug, you can open a ticket on [GitHub](https://github.com/elastic/beats/issues?state=open). Note, however, that we close GitHub issues containing questions or requests for help if they don’t indicate the presence of a bug.
+
diff --git a/docs/reference/filebeat/how-filebeat-works.md b/docs/reference/filebeat/how-filebeat-works.md
new file mode 100644
index 000000000000..6d394644c102
--- /dev/null
+++ b/docs/reference/filebeat/how-filebeat-works.md
@@ -0,0 +1,67 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/how-filebeat-works.html
+---
+
+# How Filebeat works [how-filebeat-works]
+
+In this topic, you learn about the key building blocks of Filebeat and how they work together. Understanding these concepts will help you make informed decisions about configuring Filebeat for specific use cases.
+
+Filebeat consists of two main components: [inputs](#input) and [harvesters](#harvester). These components work together to tail files and send event data to the output that you specify.
+
+
+## What is a harvester? [harvester]
+
+A harvester is responsible for reading the content of a single file. The harvester reads each file, line by line, and sends the content to the output. One harvester is started for each file. The harvester is responsible for opening and closing the file, which means that the file descriptor remains open while the harvester is running. If a file is removed or renamed while it’s being harvested, Filebeat continues to read the file. This has the side effect that the space on your disk is reserved until the harvester closes. By default, Filebeat keeps the file open until [`close.on_state_change.inactive`](/reference/filebeat/filebeat-input-filestream.md#filebeat-input-filestream-close-inactive) is reached.
+
+Closing a harvester has the following consequences:
+
+* The file handler is closed, freeing up the underlying resources if the file was deleted while the harvester was still reading the file.
+* The harvesting of the file will only be started again after [`prospector.scanner.check_interval`](/reference/filebeat/filebeat-input-filestream.md#filebeat-input-filestream-scan-frequency) has elapsed.
+* If the file is moved or removed while the harvester is closed, harvesting of the file will not continue.
+
+To control when a harvester is closed, use the [`close_*`](/reference/filebeat/filebeat-input-filestream.md#filebeat-input-filestream-close-options) configuration options.
+
+
+## What is an input? [input]
+
+An input is responsible for managing the harvesters and finding all sources to read from.
+
+If the input type is `filestream`, the input finds all files on the drive that match the defined glob paths and starts a harvester for each file. Each input runs in its own Go routine.
+
+The following example configures Filebeat to harvest lines from all log files that match the specified glob patterns:
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  id: unique-ID
+  paths:
+    - /var/log/*.log
+    - /var/path2/*.log
+```
+
+Filebeat currently supports [several `input` types](/reference/filebeat/configuration-filebeat-options.md#filebeat-input-types). Each input type can be defined multiple times. The `filestream` input checks each file to see whether a harvester needs to be started, whether one is already running, or whether the file can be ignored (see [`ignore_older`](/reference/filebeat/filebeat-input-filestream.md#filebeat-input-filestream-ignore-older)). New lines are only picked up if the size of the file has changed since the harvester was closed.
+
+
+## How does Filebeat keep the state of files? [_how_does_filebeat_keep_the_state_of_files]
+
+Filebeat keeps the state of each file and frequently flushes the state to disk in the registry file. The state is used to remember the last offset a harvester was reading from and to ensure all log lines are sent. If the output, such as Elasticsearch or Logstash, is not reachable, Filebeat keeps track of the last lines sent and will continue reading the files as soon as the output becomes available again. While Filebeat is running, the state information is also kept in memory for each input. When Filebeat is restarted, data from the registry file is used to rebuild the state, and Filebeat continues each harvester at the last known position.
+
+For each input, Filebeat keeps a state of each file it finds. Because files can be renamed or moved, the filename and path are not enough to identify a file. For each file, Filebeat stores unique identifiers to detect whether a file was harvested previously.
+
+If your use case involves creating a large number of new files every day, you might find that the registry file grows to be too large. See [Registry file is too large](/reference/filebeat/reduce-registry-size.md) for details about configuration options that you can set to resolve this issue.
+
+
+## How does Filebeat ensure at-least-once delivery? [at-least-once-delivery]
+
+Filebeat guarantees that events will be delivered to the configured output at least once and with no data loss. Filebeat is able to achieve this behavior because it stores the delivery state of each event in the registry file.
+
+In situations where the defined output is blocked and has not confirmed all events, Filebeat will keep trying to send events until the output acknowledges that it has received the events.
+
+If Filebeat shuts down while it’s in the process of sending events, it does not wait for the output to acknowledge all events before shutting down. Any events that are sent to the output, but not acknowledged before Filebeat shuts down, are sent again when Filebeat is restarted. This ensures that each event is sent at least once, but you can end up with duplicate events being sent to the output. You can configure Filebeat to wait a specific amount of time before shutting down by setting the [`shutdown_timeout`](/reference/filebeat/configuration-general-options.md#shutdown-timeout) option.
+
+::::{note}
+There is a limitation to Filebeat’s at-least-once delivery guarantee involving log rotation and the deletion of old files. If log files are written to disk and rotated faster than they can be processed by Filebeat, or if files are deleted while the output is unavailable, data might be lost. On Linux, it’s also possible for Filebeat to skip lines as the result of inode reuse. See [*Common problems*](/reference/filebeat/faq.md) for more details about the inode reuse issue.
+::::
+
+
diff --git a/docs/reference/filebeat/howto-guides.md b/docs/reference/filebeat/howto-guides.md
new file mode 100644
index 000000000000..f70772c55205
--- /dev/null
+++ b/docs/reference/filebeat/howto-guides.md
@@ -0,0 +1,22 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/howto-guides.html
+---
+
+# How to guides [howto-guides]
+
+Learn how to perform common Filebeat configuration tasks.
+
+* [Override configuration settings](/reference/filebeat/override-filebeat-config-settings.md)
+* [*Load the {{es}} index template*](/reference/filebeat/filebeat-template.md)
+* [*Change the index name*](/reference/filebeat/change-index-name.md)
+* [*Load {{kib}} dashboards*](/reference/filebeat/load-kibana-dashboards.md)
+* [*Load ingest pipelines*](/reference/filebeat/load-ingest-pipelines.md)
+* [*Enrich events with geoIP information*](/reference/filebeat/filebeat-geoip.md)
+* [*Deduplicate data*](/reference/filebeat/filebeat-deduplication.md)
+* [*Parse data using an ingest pipeline*](/reference/filebeat/configuring-ingest-node.md)
+* [*Use environment variables in the configuration*](/reference/filebeat/using-environ-vars.md)
+* [*Avoid YAML formatting problems*](/reference/filebeat/yaml-tips.md)
+* [*Migrate `log` input configurations to `filestream`*](/reference/filebeat/migrate-to-filestream.md)
+* [*Migrating from a Deprecated Filebeat Module*](/reference/filebeat/migrate-from-deprecated-module.md)
+
diff --git a/docs/reference/filebeat/http-endpoint.md b/docs/reference/filebeat/http-endpoint.md
new file mode 100644
index 000000000000..14f920bd1c8f
--- /dev/null
+++ b/docs/reference/filebeat/http-endpoint.md
@@ -0,0 +1,200 @@
+---
+navigation_title: "HTTP endpoint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/http-endpoint.html
+---
+
+# Configure an HTTP endpoint for metrics [http-endpoint]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+Filebeat can expose internal metrics through an HTTP endpoint. These are useful to monitor the internal state of the Beat. For security reasons the endpoint is disabled by default, as you may want to avoid exposing this info.
+
+The HTTP endpoint has the following configuration settings:
+
+`http.enabled`
+:   (Optional) Enable the HTTP endpoint. Default is `false`.
+
+`http.host`
+:   (Optional) Bind to this hostname, IP address, unix socket (unix:///var/run/filebeat.sock) or Windows named pipe (npipe:///filebeat). It is recommended to use only localhost. Default is `localhost`
+
+`http.port`
+:   (Optional) Port on which the HTTP endpoint will bind. Default is `5066`.
+
+`http.named_pipe.user`
+:   (Optional) User to use to create the named pipe, only work on Windows, Default to the current user.
+
+`http.named_pipe.security_descriptor`
+:   (Optional) Windows Security descriptor string defined in the SDDL format. Default to read and write permission for the current user.
+
+`http.pprof.enabled`
+:   (Optional) Enable the `/debug/pprof/` endpoints when serving HTTP. It is recommended that this is only enabled on localhost as these endpoints may leak data. Default is `false`.
+
+`http.pprof.block_profile_rate`
+:   (Optional) `block_profile_rate` controls the fraction of goroutine blocking events that are reported in the blocking profile available from `/debug/pprof/block`. The profiler aims to sample an average of one blocking event per rate nanoseconds spent blocked. To include every blocking event in the profile, pass rate = 1. To turn off profiling entirely, pass rate ⇐ 0. Defaults to 0.
+
+`http.pprof.mem_profile_rate`
+:   (Optional) `mem_profile_rate` controls the fraction of memory allocations that are recorded and reported in the memory profile available from `/debug/pprof/heap`. The profiler aims to sample an average of one allocation per `mem_profile_rate` bytes allocated. To include every allocated block in the profile, set `mem_profile_rate` to 1. To turn off profiling entirely, set `mem_profile_rate` to 0. Defaults to 524288.
+
+`http.pprof.mutex_profile_rate`
+:   (Optional) `mutex_profile_rate` controls the fraction of mutex contention events that are reported in the mutex profile available from `/debug/pprof/mutex`. On average 1/rate events are reported. To turn off profiling entirely, pass rate 0. The default value is 0.
+
+This is the list of paths you can access. For pretty JSON output append `?pretty` to the URL.
+
+You can query a unix socket using the `cURL` command and the `--unix-socket` flag.
+
+```js
+curl -XGET --unix-socket '/var/run/{beatname_lc}.sock' 'http:/stats/?pretty'
+```
+
+
+## Info [_info_2]
+
+`/` provides basic info from the Filebeat. Example:
+
+```js
+curl -XGET 'localhost:5066/?pretty'
+```
+
+```js
+{
+  "beat": "filebeat",
+  "hostname": "example.lan",
+  "name": "example.lan",
+  "uuid": "34f6c6e1-45a8-4b12-9125-11b3e6e89866",
+  "version": "9.0.0-beta1"
+}
+```
+
+
+## Stats [_stats]
+
+`/stats` reports internal metrics. Example:
+
+```js
+curl -XGET 'localhost:5066/stats?pretty'
+```
+
+```js
+{
+  "beat": {
+    "cpu": {
+      "system": {
+        "ticks": 1710,
+        "time": {
+          "ms": 1712
+        }
+      },
+      "total": {
+        "ticks": 3420,
+        "time": {
+          "ms": 3424
+        },
+        "value": 3420
+      },
+      "user": {
+        "ticks": 1710,
+        "time": {
+          "ms": 1712
+        }
+      }
+    },
+    "info": {
+      "ephemeral_id": "ab4287c4-d907-4d9d-b074-d8c3cec4a577",
+      "uptime": {
+        "ms": 195547
+      }
+    },
+    "memstats": {
+      "gc_next": 17855152,
+      "memory_alloc": 9433384,
+      "memory_total": 492478864,
+      "rss": 50405376
+    },
+    "runtime": {
+      "goroutines": 22
+    }
+  },
+  "libbeat": {
+    "config": {
+      "module": {
+        "running": 0,
+        "starts": 0,
+        "stops": 0
+      },
+      "scans": 1,
+      "reloads": 1
+    },
+    "output": {
+      "events": {
+        "acked": 0,
+        "active": 0,
+        "batches": 0,
+        "dropped": 0,
+        "duplicates": 0,
+        "failed": 0,
+        "total": 0
+      },
+      "read": {
+        "bytes": 0,
+        "errors": 0
+      },
+      "type": "elasticsearch",
+      "write": {
+        "bytes": 0,
+        "errors": 0
+      }
+    },
+    "pipeline": {
+      "clients": 6,
+      "events": {
+        "active": 716,
+        "dropped": 0,
+        "failed": 0,
+        "filtered": 0,
+        "published": 716,
+        "retry": 278,
+        "total": 716
+      },
+      "queue": {
+        "acked": 0
+      }
+    }
+  },
+  "system": {
+    "cpu": {
+      "cores": 4
+    },
+    "load": {
+      "1": 2.22,
+      "15": 1.8,
+      "5": 1.74,
+      "norm": {
+        "1": 0.555,
+        "15": 0.45,
+        "5": 0.435
+      }
+    }
+  }
+}
+```
+
+The actual output may contain more metrics specific to Filebeat
+
+
+## Inputs [_inputs]
+
+`/inputs/` returns metrics related to input instances. It returns a list of objects where each object contains metrics for an instance of an input. Each object will minimally contain an `input` field that identifies the type of input (e.g. `aws-s3`) and an `id` field that is the unique identifier for the input instance.
+
+A request may optionally specify a `type` query parameter to request metrics for a specific type of input. And `pretty` may be included to have the returned JSON be pretty formatted.
+
+```js
+curl 'http://localhost:5066/inputs/'
+curl 'http://localhost:5066/inputs/?pretty'
+curl 'http://localhost:5066/inputs/?type=aws-s3&pretty'
+```
+
diff --git a/docs/reference/filebeat/ilm.md b/docs/reference/filebeat/ilm.md
new file mode 100644
index 000000000000..a46b6ceaad2a
--- /dev/null
+++ b/docs/reference/filebeat/ilm.md
@@ -0,0 +1,58 @@
+---
+navigation_title: "Index lifecycle management (ILM)"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/ilm.html
+---
+
+# Configure index lifecycle management [ilm]
+
+
+Use the [index lifecycle management](docs-content://manage-data/lifecycle/index-lifecycle-management/tutorial-automate-rollover.md) (ILM) feature in {{es}} to manage your Filebeat their backing indices of your data streams as they age. Filebeat loads the default policy automatically and applies it to any data streams created by Filebeat.
+
+You can view and edit the policy in the **Index lifecycle policies** UI in {{kib}}. For more information about working with the UI, see [Index lifecyle policies](docs-content://manage-data/lifecycle/index-lifecycle-management.md).
+
+Example configuration:
+
+```yaml
+setup.ilm.enabled: true
+```
+
+::::{warning}
+If index lifecycle management is enabled (which is typically the default), `setup.template.name` and `setup.template.pattern` are ignored.
+::::
+
+
+
+## Configuration options [_configuration_options_33]
+
+You can specify the following settings in the `setup.ilm` section of the `filebeat.yml` config file:
+
+
+### `setup.ilm.enabled` [setup-ilm-option]
+
+Enables or disables index lifecycle management on any new indices created by Filebeat. Valid values are `true` and `false`.
+
+
+### `setup.ilm.policy_name` [setup-ilm-policy_name-option]
+
+The name to use for the lifecycle policy. The default is `filebeat`.
+
+
+### `setup.ilm.policy_file` [setup-ilm-policy_file-option]
+
+The path to a JSON file that contains a lifecycle policy configuration. Use this setting to load your own lifecycle policy.
+
+For more information about lifecycle policies, see [Set up index lifecycle management policy](docs-content://manage-data/lifecycle/index-lifecycle-management/configure-lifecycle-policy.md) in the *{{es}} Reference*.
+
+
+### `setup.ilm.check_exists` [setup-ilm-check_exists-option]
+
+When set to `false`, disables the check for an existing lifecycle policy. The default is `true`. You need to disable this check if the Filebeat user connecting to a secured cluster doesn’t have the `read_ilm` privilege.
+
+If you set this option to `false`, lifecycle policy will not be installed, even if `setup.ilm.overwrite` is set to `true`.
+
+
+### `setup.ilm.overwrite` [setup-ilm-overwrite-option]
+
+When set to `true`, the lifecycle policy is overwritten at startup. The default is `false`.
+
diff --git a/filebeat/docs/images/coordinate-map.png b/docs/reference/filebeat/images/coordinate-map.png
similarity index 100%
rename from filebeat/docs/images/coordinate-map.png
rename to docs/reference/filebeat/images/coordinate-map.png
diff --git a/filebeat/docs/images/false-after-multi.png b/docs/reference/filebeat/images/false-after-multi.png
similarity index 100%
rename from filebeat/docs/images/false-after-multi.png
rename to docs/reference/filebeat/images/false-after-multi.png
diff --git a/filebeat/docs/images/false-before-multi.png b/docs/reference/filebeat/images/false-before-multi.png
similarity index 100%
rename from filebeat/docs/images/false-before-multi.png
rename to docs/reference/filebeat/images/false-before-multi.png
diff --git a/filebeat/docs/images/filebeat-activemq-application-events.png b/docs/reference/filebeat/images/filebeat-activemq-application-events.png
similarity index 100%
rename from filebeat/docs/images/filebeat-activemq-application-events.png
rename to docs/reference/filebeat/images/filebeat-activemq-application-events.png
diff --git a/filebeat/docs/images/filebeat-activemq-audit-events.png b/docs/reference/filebeat/images/filebeat-activemq-audit-events.png
similarity index 100%
rename from filebeat/docs/images/filebeat-activemq-audit-events.png
rename to docs/reference/filebeat/images/filebeat-activemq-audit-events.png
diff --git a/filebeat/docs/images/filebeat-aws-cloudtrail.png b/docs/reference/filebeat/images/filebeat-aws-cloudtrail.png
similarity index 100%
rename from filebeat/docs/images/filebeat-aws-cloudtrail.png
rename to docs/reference/filebeat/images/filebeat-aws-cloudtrail.png
diff --git a/filebeat/docs/images/filebeat-aws-elb-overview.png b/docs/reference/filebeat/images/filebeat-aws-elb-overview.png
similarity index 100%
rename from filebeat/docs/images/filebeat-aws-elb-overview.png
rename to docs/reference/filebeat/images/filebeat-aws-elb-overview.png
diff --git a/filebeat/docs/images/filebeat-aws-s3access-overview.png b/docs/reference/filebeat/images/filebeat-aws-s3access-overview.png
similarity index 100%
rename from filebeat/docs/images/filebeat-aws-s3access-overview.png
rename to docs/reference/filebeat/images/filebeat-aws-s3access-overview.png
diff --git a/filebeat/docs/images/filebeat-aws-vpcflow-overview.png b/docs/reference/filebeat/images/filebeat-aws-vpcflow-overview.png
similarity index 100%
rename from filebeat/docs/images/filebeat-aws-vpcflow-overview.png
rename to docs/reference/filebeat/images/filebeat-aws-vpcflow-overview.png
diff --git a/filebeat/docs/images/filebeat-azure-overview.png b/docs/reference/filebeat/images/filebeat-azure-overview.png
similarity index 100%
rename from filebeat/docs/images/filebeat-azure-overview.png
rename to docs/reference/filebeat/images/filebeat-azure-overview.png
diff --git a/filebeat/docs/images/filebeat-cyberarkpas-overview.png b/docs/reference/filebeat/images/filebeat-cyberarkpas-overview.png
similarity index 100%
rename from filebeat/docs/images/filebeat-cyberarkpas-overview.png
rename to docs/reference/filebeat/images/filebeat-cyberarkpas-overview.png
diff --git a/filebeat/docs/images/filebeat-defender-atp-overview.png b/docs/reference/filebeat/images/filebeat-defender-atp-overview.png
similarity index 100%
rename from filebeat/docs/images/filebeat-defender-atp-overview.png
rename to docs/reference/filebeat/images/filebeat-defender-atp-overview.png
diff --git a/filebeat/docs/images/filebeat-gcp-audit.png b/docs/reference/filebeat/images/filebeat-gcp-audit.png
similarity index 100%
rename from filebeat/docs/images/filebeat-gcp-audit.png
rename to docs/reference/filebeat/images/filebeat-gcp-audit.png
diff --git a/filebeat/docs/images/filebeat-ibmmq.png b/docs/reference/filebeat/images/filebeat-ibmmq.png
similarity index 100%
rename from filebeat/docs/images/filebeat-ibmmq.png
rename to docs/reference/filebeat/images/filebeat-ibmmq.png
diff --git a/filebeat/docs/images/filebeat-kafka-logs-overview.png b/docs/reference/filebeat/images/filebeat-kafka-logs-overview.png
similarity index 100%
rename from filebeat/docs/images/filebeat-kafka-logs-overview.png
rename to docs/reference/filebeat/images/filebeat-kafka-logs-overview.png
diff --git a/filebeat/docs/images/filebeat-mongodb-overview.png b/docs/reference/filebeat/images/filebeat-mongodb-overview.png
similarity index 100%
rename from filebeat/docs/images/filebeat-mongodb-overview.png
rename to docs/reference/filebeat/images/filebeat-mongodb-overview.png
diff --git a/filebeat/docs/images/filebeat-o365-audit.png b/docs/reference/filebeat/images/filebeat-o365-audit.png
similarity index 100%
rename from filebeat/docs/images/filebeat-o365-audit.png
rename to docs/reference/filebeat/images/filebeat-o365-audit.png
diff --git a/filebeat/docs/images/filebeat-o365-azure-permissions.png b/docs/reference/filebeat/images/filebeat-o365-azure-permissions.png
similarity index 100%
rename from filebeat/docs/images/filebeat-o365-azure-permissions.png
rename to docs/reference/filebeat/images/filebeat-o365-azure-permissions.png
diff --git a/filebeat/docs/images/filebeat-okta-dashboard.png b/docs/reference/filebeat/images/filebeat-okta-dashboard.png
similarity index 100%
rename from filebeat/docs/images/filebeat-okta-dashboard.png
rename to docs/reference/filebeat/images/filebeat-okta-dashboard.png
diff --git a/filebeat/docs/images/filebeat-panw-threat.png b/docs/reference/filebeat/images/filebeat-panw-threat.png
similarity index 100%
rename from filebeat/docs/images/filebeat-panw-threat.png
rename to docs/reference/filebeat/images/filebeat-panw-threat.png
diff --git a/filebeat/docs/images/filebeat-panw-traffic.png b/docs/reference/filebeat/images/filebeat-panw-traffic.png
similarity index 100%
rename from filebeat/docs/images/filebeat-panw-traffic.png
rename to docs/reference/filebeat/images/filebeat-panw-traffic.png
diff --git a/filebeat/docs/images/filebeat-pensando-dfw.png b/docs/reference/filebeat/images/filebeat-pensando-dfw.png
similarity index 100%
rename from filebeat/docs/images/filebeat-pensando-dfw.png
rename to docs/reference/filebeat/images/filebeat-pensando-dfw.png
diff --git a/filebeat/docs/images/filebeat-postgresql-overview.png b/docs/reference/filebeat/images/filebeat-postgresql-overview.png
similarity index 100%
rename from filebeat/docs/images/filebeat-postgresql-overview.png
rename to docs/reference/filebeat/images/filebeat-postgresql-overview.png
diff --git a/filebeat/docs/images/filebeat-postgresql-slowlog-overview.png b/docs/reference/filebeat/images/filebeat-postgresql-slowlog-overview.png
similarity index 100%
rename from filebeat/docs/images/filebeat-postgresql-slowlog-overview.png
rename to docs/reference/filebeat/images/filebeat-postgresql-slowlog-overview.png
diff --git a/filebeat/docs/images/filebeat-suricata-alerts.png b/docs/reference/filebeat/images/filebeat-suricata-alerts.png
similarity index 100%
rename from filebeat/docs/images/filebeat-suricata-alerts.png
rename to docs/reference/filebeat/images/filebeat-suricata-alerts.png
diff --git a/filebeat/docs/images/filebeat-suricata-events.png b/docs/reference/filebeat/images/filebeat-suricata-events.png
similarity index 100%
rename from filebeat/docs/images/filebeat-suricata-events.png
rename to docs/reference/filebeat/images/filebeat-suricata-events.png
diff --git a/filebeat/docs/images/filebeat-threatintel-abuse-malware.png b/docs/reference/filebeat/images/filebeat-threatintel-abuse-malware.png
similarity index 100%
rename from filebeat/docs/images/filebeat-threatintel-abuse-malware.png
rename to docs/reference/filebeat/images/filebeat-threatintel-abuse-malware.png
diff --git a/filebeat/docs/images/filebeat-threatintel-abuse-url.png b/docs/reference/filebeat/images/filebeat-threatintel-abuse-url.png
similarity index 100%
rename from filebeat/docs/images/filebeat-threatintel-abuse-url.png
rename to docs/reference/filebeat/images/filebeat-threatintel-abuse-url.png
diff --git a/filebeat/docs/images/filebeat-threatintel-alienvault-otx.png b/docs/reference/filebeat/images/filebeat-threatintel-alienvault-otx.png
similarity index 100%
rename from filebeat/docs/images/filebeat-threatintel-alienvault-otx.png
rename to docs/reference/filebeat/images/filebeat-threatintel-alienvault-otx.png
diff --git a/filebeat/docs/images/filebeat-threatintel-anomali.png b/docs/reference/filebeat/images/filebeat-threatintel-anomali.png
similarity index 100%
rename from filebeat/docs/images/filebeat-threatintel-anomali.png
rename to docs/reference/filebeat/images/filebeat-threatintel-anomali.png
diff --git a/filebeat/docs/images/filebeat-threatintel-misp.png b/docs/reference/filebeat/images/filebeat-threatintel-misp.png
similarity index 100%
rename from filebeat/docs/images/filebeat-threatintel-misp.png
rename to docs/reference/filebeat/images/filebeat-threatintel-misp.png
diff --git a/filebeat/docs/images/filebeat-threatintel-overview.png b/docs/reference/filebeat/images/filebeat-threatintel-overview.png
similarity index 100%
rename from filebeat/docs/images/filebeat-threatintel-overview.png
rename to docs/reference/filebeat/images/filebeat-threatintel-overview.png
diff --git a/filebeat/docs/images/filebeat-threatintel-threatq.png b/docs/reference/filebeat/images/filebeat-threatintel-threatq.png
similarity index 100%
rename from filebeat/docs/images/filebeat-threatintel-threatq.png
rename to docs/reference/filebeat/images/filebeat-threatintel-threatq.png
diff --git a/filebeat/docs/images/filebeat.png b/docs/reference/filebeat/images/filebeat.png
similarity index 100%
rename from filebeat/docs/images/filebeat.png
rename to docs/reference/filebeat/images/filebeat.png
diff --git a/filebeat/docs/images/filebeat_nats_dashboard.png b/docs/reference/filebeat/images/filebeat_nats_dashboard.png
similarity index 100%
rename from filebeat/docs/images/filebeat_nats_dashboard.png
rename to docs/reference/filebeat/images/filebeat_nats_dashboard.png
diff --git a/filebeat/docs/images/go-playground.png b/docs/reference/filebeat/images/go-playground.png
similarity index 100%
rename from filebeat/docs/images/go-playground.png
rename to docs/reference/filebeat/images/go-playground.png
diff --git a/x-pack/filebeat/docs/inputs/images/input-httpjson-chain-lifecycle.png b/docs/reference/filebeat/images/input-httpjson-chain-lifecycle.png
similarity index 100%
rename from x-pack/filebeat/docs/inputs/images/input-httpjson-chain-lifecycle.png
rename to docs/reference/filebeat/images/input-httpjson-chain-lifecycle.png
diff --git a/x-pack/filebeat/docs/inputs/images/input-httpjson-lifecycle.png b/docs/reference/filebeat/images/input-httpjson-lifecycle.png
similarity index 100%
rename from x-pack/filebeat/docs/inputs/images/input-httpjson-lifecycle.png
rename to docs/reference/filebeat/images/input-httpjson-lifecycle.png
diff --git a/filebeat/docs/images/kibana-apache.png b/docs/reference/filebeat/images/kibana-apache.png
similarity index 100%
rename from filebeat/docs/images/kibana-apache.png
rename to docs/reference/filebeat/images/kibana-apache.png
diff --git a/filebeat/docs/images/kibana-audit-auditd.png b/docs/reference/filebeat/images/kibana-audit-auditd.png
similarity index 100%
rename from filebeat/docs/images/kibana-audit-auditd.png
rename to docs/reference/filebeat/images/kibana-audit-auditd.png
diff --git a/filebeat/docs/images/kibana-cisco-asa.png b/docs/reference/filebeat/images/kibana-cisco-asa.png
similarity index 100%
rename from filebeat/docs/images/kibana-cisco-asa.png
rename to docs/reference/filebeat/images/kibana-cisco-asa.png
diff --git a/filebeat/docs/images/kibana-coredns.jpg b/docs/reference/filebeat/images/kibana-coredns.jpg
similarity index 100%
rename from filebeat/docs/images/kibana-coredns.jpg
rename to docs/reference/filebeat/images/kibana-coredns.jpg
diff --git a/filebeat/docs/images/kibana-envoyproxy.jpg b/docs/reference/filebeat/images/kibana-envoyproxy.jpg
similarity index 100%
rename from filebeat/docs/images/kibana-envoyproxy.jpg
rename to docs/reference/filebeat/images/kibana-envoyproxy.jpg
diff --git a/filebeat/docs/images/kibana-haproxy-overview.png b/docs/reference/filebeat/images/kibana-haproxy-overview.png
similarity index 100%
rename from filebeat/docs/images/kibana-haproxy-overview.png
rename to docs/reference/filebeat/images/kibana-haproxy-overview.png
diff --git a/filebeat/docs/images/kibana-icinga-main.png b/docs/reference/filebeat/images/kibana-icinga-main.png
similarity index 100%
rename from filebeat/docs/images/kibana-icinga-main.png
rename to docs/reference/filebeat/images/kibana-icinga-main.png
diff --git a/filebeat/docs/images/kibana-iis.png b/docs/reference/filebeat/images/kibana-iis.png
similarity index 100%
rename from filebeat/docs/images/kibana-iis.png
rename to docs/reference/filebeat/images/kibana-iis.png
diff --git a/filebeat/docs/images/kibana-iptables-ubiquiti.png b/docs/reference/filebeat/images/kibana-iptables-ubiquiti.png
similarity index 100%
rename from filebeat/docs/images/kibana-iptables-ubiquiti.png
rename to docs/reference/filebeat/images/kibana-iptables-ubiquiti.png
diff --git a/filebeat/docs/images/kibana-iptables.png b/docs/reference/filebeat/images/kibana-iptables.png
similarity index 100%
rename from filebeat/docs/images/kibana-iptables.png
rename to docs/reference/filebeat/images/kibana-iptables.png
diff --git a/filebeat/docs/images/kibana-logstash-log.png b/docs/reference/filebeat/images/kibana-logstash-log.png
similarity index 100%
rename from filebeat/docs/images/kibana-logstash-log.png
rename to docs/reference/filebeat/images/kibana-logstash-log.png
diff --git a/filebeat/docs/images/kibana-logstash-slowlog.png b/docs/reference/filebeat/images/kibana-logstash-slowlog.png
similarity index 100%
rename from filebeat/docs/images/kibana-logstash-slowlog.png
rename to docs/reference/filebeat/images/kibana-logstash-slowlog.png
diff --git a/filebeat/docs/images/kibana-misp.png b/docs/reference/filebeat/images/kibana-misp.png
similarity index 100%
rename from filebeat/docs/images/kibana-misp.png
rename to docs/reference/filebeat/images/kibana-misp.png
diff --git a/filebeat/docs/images/kibana-mysql.png b/docs/reference/filebeat/images/kibana-mysql.png
similarity index 100%
rename from filebeat/docs/images/kibana-mysql.png
rename to docs/reference/filebeat/images/kibana-mysql.png
diff --git a/filebeat/docs/images/kibana-nginx.png b/docs/reference/filebeat/images/kibana-nginx.png
similarity index 100%
rename from filebeat/docs/images/kibana-nginx.png
rename to docs/reference/filebeat/images/kibana-nginx.png
diff --git a/filebeat/docs/images/kibana-osquery-compatibility.png b/docs/reference/filebeat/images/kibana-osquery-compatibility.png
similarity index 100%
rename from filebeat/docs/images/kibana-osquery-compatibility.png
rename to docs/reference/filebeat/images/kibana-osquery-compatibility.png
diff --git a/filebeat/docs/images/kibana-redis.png b/docs/reference/filebeat/images/kibana-redis.png
similarity index 100%
rename from filebeat/docs/images/kibana-redis.png
rename to docs/reference/filebeat/images/kibana-redis.png
diff --git a/filebeat/docs/images/kibana-santa-log-overview.png b/docs/reference/filebeat/images/kibana-santa-log-overview.png
similarity index 100%
rename from filebeat/docs/images/kibana-santa-log-overview.png
rename to docs/reference/filebeat/images/kibana-santa-log-overview.png
diff --git a/filebeat/docs/images/kibana-system.png b/docs/reference/filebeat/images/kibana-system.png
similarity index 100%
rename from filebeat/docs/images/kibana-system.png
rename to docs/reference/filebeat/images/kibana-system.png
diff --git a/filebeat/docs/images/kibana-traefik.png b/docs/reference/filebeat/images/kibana-traefik.png
similarity index 100%
rename from filebeat/docs/images/kibana-traefik.png
rename to docs/reference/filebeat/images/kibana-traefik.png
diff --git a/filebeat/docs/images/kibana-zeek.png b/docs/reference/filebeat/images/kibana-zeek.png
similarity index 100%
rename from filebeat/docs/images/kibana-zeek.png
rename to docs/reference/filebeat/images/kibana-zeek.png
diff --git a/filebeat/docs/images/siem-alerts-cs.jpg b/docs/reference/filebeat/images/siem-alerts-cs.jpg
similarity index 100%
rename from filebeat/docs/images/siem-alerts-cs.jpg
rename to docs/reference/filebeat/images/siem-alerts-cs.jpg
diff --git a/filebeat/docs/images/siem-events-cs.jpg b/docs/reference/filebeat/images/siem-events-cs.jpg
similarity index 100%
rename from filebeat/docs/images/siem-events-cs.jpg
rename to docs/reference/filebeat/images/siem-events-cs.jpg
diff --git a/filebeat/docs/images/true-after-multi.png b/docs/reference/filebeat/images/true-after-multi.png
similarity index 100%
rename from filebeat/docs/images/true-after-multi.png
rename to docs/reference/filebeat/images/true-after-multi.png
diff --git a/filebeat/docs/images/true-before-multi.png b/docs/reference/filebeat/images/true-before-multi.png
similarity index 100%
rename from filebeat/docs/images/true-before-multi.png
rename to docs/reference/filebeat/images/true-before-multi.png
diff --git a/docs/reference/filebeat/include-fields.md b/docs/reference/filebeat/include-fields.md
new file mode 100644
index 000000000000..b48eae8191ba
--- /dev/null
+++ b/docs/reference/filebeat/include-fields.md
@@ -0,0 +1,28 @@
+---
+navigation_title: "include_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/include-fields.html
+---
+
+# Keep fields from events [include-fields]
+
+
+The `include_fields` processor specifies which fields to export if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always exported. The `@timestamp`, `@metadata` and `type` fields are always exported, even if they are not defined in the `include_fields` list.
+
+```yaml
+processors:
+  - include_fields:
+      when:
+        condition
+      fields: ["field1", "field2", ...]
+```
+
+See [Conditions](/reference/filebeat/defining-processors.md#conditions) for a list of supported conditions.
+
+You can specify multiple `include_fields` processors under the `processors` section.
+
+::::{note}
+If you define an empty list of fields under `include_fields`, then only the required fields, `@timestamp` and `type`, are exported.
+::::
+
+
diff --git a/docs/reference/filebeat/inode-reuse-issue.md b/docs/reference/filebeat/inode-reuse-issue.md
new file mode 100644
index 000000000000..0bcee7f630d5
--- /dev/null
+++ b/docs/reference/filebeat/inode-reuse-issue.md
@@ -0,0 +1,15 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/inode-reuse-issue.html
+---
+
+# Inode reuse causes Filebeat to skip lines [inode-reuse-issue]
+
+On Linux file systems, Filebeat uses the inode and device to identify files. When a file is removed from disk, the inode may be assigned to a new file. In use cases involving file rotation, if an old file is removed and a new one is created immediately afterwards, the new file may have the exact same inode as the file that was removed. In this case, Filebeat assumes that the new file is the same as the old and tries to continue reading at the old position, which is not correct.
+
+By default states are never removed from the registry file. To resolve the inode reuse issue, we recommend that you use the [`clean_*`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-clean-options) options, especially [`clean_inactive`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-clean-inactive), to remove the state of inactive files. For example, if your files get rotated every 24 hours, and the rotated files are not updated anymore, you can set [`ignore_older`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-ignore-older) to 48 hours and [`clean_inactive`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-clean-inactive) to 72 hours.
+
+You can use [`clean_removed`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-clean-removed) for files that are removed from disk. Be aware that `clean_removed` cleans the file state from the registry whenever a file cannot be found during a scan. If the file shows up again later, it will be sent again from scratch.
+
+Aside from that you should also change the [`file_identity`](/reference/filebeat/filebeat-input-filestream.md#filebeat-input-filestream-file-identity) to [`fingerprint`](/reference/filebeat/filebeat-input-filestream.md#filebeat-input-filestream-file-identity-fingerprint). If you were using `native` (the default) or `path`, the state of the files will be automatically migrated to `fingerprint`.
+
diff --git a/docs/reference/filebeat/kafka-output.md b/docs/reference/filebeat/kafka-output.md
new file mode 100644
index 000000000000..738bc7242cc4
--- /dev/null
+++ b/docs/reference/filebeat/kafka-output.md
@@ -0,0 +1,327 @@
+---
+navigation_title: "Kafka"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/kafka-output.html
+---
+
+# Configure the Kafka output [kafka-output]
+
+
+The Kafka output sends events to Apache Kafka.
+
+To use this output, edit the Filebeat configuration file to disable the {{es}} output by commenting it out, and enable the Kafka output by uncommenting the Kafka section.
+
+::::{note}
+For Kafka version 0.10.0.0+ the message creation timestamp is set by beats and equals to the initial timestamp of the event. This affects the retention policy in Kafka: for example, if a beat event was created 2 weeks ago, the retention policy is set to 7 days and the message from beats arrives to Kafka today, it’s going to be immediately discarded since the timestamp value is before the last 7 days. It’s possible to change this behavior by setting timestamps on message arrival instead, so the message is not discarded but kept for 7 more days. To do that, please set `log.message.timestamp.type` to `LogAppendTime` (default `CreateTime`) in the Kafka configuration.
+::::
+
+
+Example configuration:
+
+```yaml
+output.kafka:
+  # initial brokers for reading cluster metadata
+  hosts: ["kafka1:9092", "kafka2:9092", "kafka3:9092"]
+
+  # message topic selection + partitioning
+  topic: '%{[fields.log_topic]}'
+  partition.round_robin:
+    reachable_only: false
+
+  required_acks: 1
+  compression: gzip
+  max_message_bytes: 1000000
+```
+
+::::{note}
+Events bigger than [`max_message_bytes`](#kafka-max_message_bytes) will be dropped. To avoid this problem, make sure Filebeat does not generate events bigger than [`max_message_bytes`](#kafka-max_message_bytes).
+::::
+
+
+## Compatibility [kafka-compatibility]
+
+This output can connect to Kafka version 0.8.2.0 and later. Older versions might work as well, but are not supported. When using Kafka 4.0 and newer, the version must be set to at least `"2.1.0"`
+
+
+## Configuration options [_configuration_options_27]
+
+You can specify the following options in the `kafka` section of the `filebeat.yml` config file:
+
+### `enabled` [_enabled_32]
+
+The `enabled` config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [_hosts_2]
+
+The list of Kafka broker addresses from where to fetch the cluster metadata. The cluster metadata contain the actual Kafka brokers events are published to.
+
+
+### `version` [_version_4]
+
+Kafka protocol version that Filebeat will request when connecting. Defaults to 2.1.0. When using Kafka 4.0 and newer, the version must be set to at least `"2.1.0"`
+
+Valid values are all kafka releases in between `0.8.2.0` and `2.6.0`.
+
+The protocol version controls the Kafka client features available to Filebeat; it does not prevent Filebeat from connecting to Kafka versions newer than the protocol version.
+
+See [Compatibility](#kafka-compatibility) for information on supported versions.
+
+
+### `username` [_username_4]
+
+The username for connecting to Kafka. If username is configured, the password must be configured as well.
+
+
+### `password` [_password_4]
+
+The password for connecting to Kafka.
+
+
+### `sasl.mechanism` [_sasl_mechanism_2]
+
+The SASL mechanism to use when connecting to Kafka. It can be one of:
+
+* `PLAIN` for SASL/PLAIN.
+* `SCRAM-SHA-256` for SCRAM-SHA-256.
+* `SCRAM-SHA-512` for SCRAM-SHA-512.
+
+If `sasl.mechanism` is not set, `PLAIN` is used if `username` and `password` are provided. Otherwise, SASL authentication is disabled.
+
+To use `GSSAPI` mechanism to authenticate with Kerberos, you must leave this field empty, and use the [`kerberos`](#kerberos-option-kafka) options.
+
+
+### `topic` [topic-option-kafka]
+
+The Kafka topic used for produced events.
+
+You can set the topic dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_topic`, to set the topic for each event:
+
+```yaml
+topic: '%{[fields.log_topic]}'
+```
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/filebeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`topics`](#topics-option-kafka) setting for other ways to set the topic dynamically.
+
+
+### `topics` [topics-option-kafka]
+
+An array of topic selector rules. Each rule specifies the `topic` to use for events that match the rule. During publishing, Filebeat sets the `topic` for each event based on the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `topics` setting is missing or no rule matches, the [`topic`](#topic-option-kafka) field is used.
+
+Rule settings:
+
+**`topic`**
+:   The topic format string to use.  If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `topic` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/filebeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sets the topic based on whether the message field contains the specified string:
+
+```yaml
+output.kafka:
+  hosts: ["localhost:9092"]
+  topic: "logs-%{[agent.version]}"
+  topics:
+    - topic: "critical-%{[agent.version]}"
+      when.contains:
+        message: "CRITICAL"
+    - topic: "error-%{[agent.version]}"
+      when.contains:
+        message: "ERR"
+```
+
+This configuration results in topics named `critical-9.0.0-beta1`, `error-9.0.0-beta1`, and `logs-9.0.0-beta1`.
+
+
+### `key` [_key_2]
+
+Optional formatted string specifying the Kafka event key. If configured, the event key can be extracted from the event using a format string.
+
+See the Kafka documentation for the implications of a particular choice of key; by default, the key is chosen by the Kafka cluster.
+
+
+### `partition` [_partition]
+
+Kafka output broker event partitioning strategy. Must be one of `random`, `round_robin`, or `hash`. By default the `hash` partitioner is used.
+
+**`random.group_events`**: Sets the number of events to be published to the same partition, before the partitioner selects a new partition by random. The default value is 1 meaning after each event a new partition is picked randomly.
+
+**`round_robin.group_events`**: Sets the number of events to be published to the same partition, before the partitioner selects the next partition. The default value is 1 meaning after each event the next partition will be selected.
+
+**`hash.hash`**: List of fields used to compute the partitioning hash value from. If no field is configured, the events `key` value will be used.
+
+**`hash.random`**: Randomly distribute events if no hash or key value can be computed.
+
+All partitioners will try to publish events to all partitions by default. If a partition’s leader becomes unreachable for the beat, the output might block. All partitioners support setting `reachable_only` to overwrite this behavior. If `reachable_only` is set to `true`, events will be published to available partitions only.
+
+::::{note}
+Publishing to a subset of available partitions potentially increases resource usage because events may become unevenly distributed.
+::::
+
+
+
+### `headers` [_headers_2]
+
+A header is a key-value pair, and multiple headers can be included with the same `key`. Only string values are supported. These headers will be included in each produced Kafka message.
+
+```yaml
+output.kafka:
+  hosts: ["localhost:9092"]
+  topic: "logs-%{[agent.version]}"
+  headers:
+    - key: "some-key"
+      value: "some value"
+    - key: "another-key"
+      value: "another value"
+```
+
+
+### `client_id` [_client_id_5]
+
+The configurable ClientID used for logging, debugging, and auditing purposes. The default is "beats".
+
+
+### `codec` [_codec]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/filebeat/configuration-output-codec.md) for more information.
+
+
+### `metadata` [_metadata]
+
+Kafka metadata update settings. The metadata do contain information about brokers, topics, partition, and active leaders to use for publishing.
+
+**`refresh_frequency`**
+:   Metadata refresh interval. Defaults to 10 minutes.
+
+**`full`**
+:   Strategy to use when fetching metadata, when this option is `true`, the client will maintain a full set of metadata for all the available topics, if the this option is set to `false` it will only refresh the metadata for the configured topics. The default is false.
+
+**`retry.max`**
+:   Total number of metadata update retries when cluster is in middle of leader election. The default is 3.
+
+**`retry.backoff`**
+:   Waiting time between retries during leader elections. Default is 250ms.
+
+
+### `max_retries` [_max_retries_3]
+
+Filebeat ignores the `max_retries` setting and retries indefinitely.
+
+
+### `backoff.init` [_backoff_init_3]
+
+The number of seconds to wait before trying to republish to Kafka after a network error. After waiting `backoff.init` seconds, Filebeat tries to republish. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful publish, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_3]
+
+The maximum number of seconds to wait before attempting to republish to Kafka after a network error. The default is 60s.
+
+
+### `bulk_max_size` [_bulk_max_size_2]
+
+The maximum number of events to bulk in a single Kafka request. The default is 2048.
+
+
+### `bulk_flush_frequency` [_bulk_flush_frequency]
+
+Duration to wait before sending bulk Kafka request. 0 is no delay. The default is 0.
+
+
+### `timeout` [_timeout_4]
+
+The number of seconds to wait for responses from the Kafka brokers before timing out. The default is 30 (seconds).
+
+
+### `broker_timeout` [_broker_timeout]
+
+The maximum duration a broker will wait for number of required ACKs. The default is 10s.
+
+
+### `channel_buffer_size` [_channel_buffer_size]
+
+Per Kafka broker number of messages buffered in output pipeline. The default is 256.
+
+
+### `keep_alive` [_keep_alive]
+
+The keep-alive period for an active network connection. If 0s, keep-alives are disabled. The default is 0 seconds.
+
+
+### `compression` [_compression]
+
+Sets the output compression codec. Must be one of `none`, `snappy`, `lz4`, `gzip` and `zstd`. The default is `gzip`.
+
+::::{admonition} Known issue with Azure Event Hub for Kafka
+:class: important
+
+When targeting Azure Event Hub for Kafka, set `compression` to `none` as the provided codecs are not supported.
+
+::::
+
+
+
+### `compression_level` [_compression_level_2]
+
+Sets the compression level used by gzip. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the cpu usage.
+
+The default value is 4.
+
+
+### `max_message_bytes` [kafka-max_message_bytes]
+
+The maximum permitted size of JSON-encoded messages. Bigger messages will be dropped. The default value is 1000000 (bytes). This value should be equal to or less than the broker’s `message.max.bytes`.
+
+
+### `required_acks` [_required_acks]
+
+The ACK reliability level required from broker. 0=no response, 1=wait for local commit, -1=wait for all replicas to commit. The default is 1.
+
+Note: If set to 0, no ACKs are returned by Kafka. Messages might be lost silently on error.
+
+
+### `ssl` [_ssl_6]
+
+Configuration options for SSL parameters like the root CA for Kafka connections. The Kafka host keystore should be created with the `-keyalg RSA` argument to ensure it uses a cipher supported by [Filebeat’s Kafka library](https://github.com/Shopify/sarama/wiki/Frequently-Asked-Questions#why-cant-sarama-connect-to-my-kafka-cluster-using-ssl). See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+
+
+### `kerberos` [kerberos-option-kafka]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Configuration options for Kerberos authentication.
+
+See [Kerberos](/reference/filebeat/configuration-kerberos.md) for more information.
+
+
+### `queue` [_queue_3]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/filebeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `filebeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/filebeat/keystore.md b/docs/reference/filebeat/keystore.md
new file mode 100644
index 000000000000..6e6392b6c036
--- /dev/null
+++ b/docs/reference/filebeat/keystore.md
@@ -0,0 +1,87 @@
+---
+navigation_title: "Secrets keystore"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/keystore.html
+---
+
+# Secrets keystore for secure settings [keystore]
+
+
+When you configure Filebeat, you might need to specify sensitive settings, such as passwords. Rather than relying on file system permissions to protect these values, you can use the Filebeat keystore to obfuscate stored secret values for use in configuration settings.
+
+After adding a key and its secret value to the keystore, you can use the key in place of the secret value when you configure sensitive settings.
+
+The syntax for referencing keys is identical to the syntax for environment variables:
+
+`${KEY}`
+
+Where KEY is the name of the key.
+
+For example, imagine that the keystore contains a key called `ES_PWD` with the value `yourelasticsearchpassword`:
+
+* In the configuration file, use `output.elasticsearch.password: "${ES_PWD}"`
+* On the command line, use: `-E "output.elasticsearch.password=\${ES_PWD}"`
+
+When Filebeat unpacks the configuration, it resolves keys before resolving environment variables and other variables.
+
+Notice that the Filebeat keystore differs from the Elasticsearch keystore. Whereas the Elasticsearch keystore lets you store `elasticsearch.yml` values by name, the Filebeat keystore lets you specify arbitrary names that you can reference in the Filebeat configuration.
+
+To create and manage keys, use the `keystore` command. See the [command reference](/reference/filebeat/command-line-options.md#keystore-command) for the full command syntax, including optional flags.
+
+::::{note}
+The `keystore` command must be run by the same user who will run Filebeat.
+::::
+
+
+
+## Create a keystore [creating-keystore]
+
+To create a secrets keystore, use:
+
+```sh
+filebeat keystore create
+```
+
+Filebeat creates the keystore in the directory defined by the `path.data` configuration setting.
+
+
+## Add keys [add-keys-to-keystore]
+
+To store sensitive values, such as authentication credentials for Elasticsearch, use the `keystore add` command:
+
+```sh
+filebeat keystore add ES_PWD
+```
+
+When prompted, enter a value for the key.
+
+To overwrite an existing key’s value, use the `--force` flag:
+
+```sh
+filebeat keystore add ES_PWD --force
+```
+
+To pass the value through stdin, use the `--stdin` flag. You can also use `--force`:
+
+```sh
+cat /file/containing/setting/value | filebeat keystore add ES_PWD --stdin --force
+```
+
+
+## List keys [list-settings]
+
+To list the keys defined in the keystore, use:
+
+```sh
+filebeat keystore list
+```
+
+
+## Remove keys [remove-settings]
+
+To remove a key from the keystore, use:
+
+```sh
+filebeat keystore remove ES_PWD
+```
+
diff --git a/docs/reference/filebeat/kibana-user-privileges.md b/docs/reference/filebeat/kibana-user-privileges.md
new file mode 100644
index 000000000000..625d9f5cd9e3
--- /dev/null
+++ b/docs/reference/filebeat/kibana-user-privileges.md
@@ -0,0 +1,28 @@
+---
+navigation_title: "Create a _reader_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/kibana-user-privileges.html
+---
+
+# Grant privileges and roles needed to read Filebeat data from {{kib}} [kibana-user-privileges]
+
+
+{{kib}} users typically need to view dashboards and visualizations that contain Filebeat data. These users might also need to create and edit dashboards and visualizations.
+
+To grant users the required privileges:
+
+1. Create a **reader role**, called something like `filebeat_reader`, that has the following privilege:
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Index | `read` on `filebeat-*` indices | Read data indexed by Filebeat |
+    | Spaces | `Read` or `All` on Dashboards, Visualize, and Discover | Allow the user to view, edit, and create dashboards, as well as browse data. |
+    | Spaces | `Read` or `All` on {{kib}} Logs | Allow the use of {{kib}} Logs |
+
+2. Assign the **reader role**, along with the following built-in roles, to users who need to read Filebeat data:
+
+    | Role | Purpose |
+    | --- | --- |
+    | `monitoring_user` | Allow users to monitor the health of Filebeat itself. Only assign this role to users who manage Filebeat. |
+
+
diff --git a/docs/reference/filebeat/learn-more-security.md b/docs/reference/filebeat/learn-more-security.md
new file mode 100644
index 000000000000..8070de0cf918
--- /dev/null
+++ b/docs/reference/filebeat/learn-more-security.md
@@ -0,0 +1,12 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/learn-more-security.html
+---
+
+# Learn more about privileges, roles, and users [learn-more-security]
+
+Want to learn more about creating users and roles? See [Secure a cluster](docs-content://deploy-manage/security.md). Also see:
+
+* [Security privileges](elasticsearch://reference/elasticsearch/security-privileges.md) for a description of available privileges
+* [Built-in roles](elasticsearch://reference/elasticsearch/roles.md) for a description of roles that you can assign to users
+
diff --git a/docs/reference/filebeat/linux-seccomp.md b/docs/reference/filebeat/linux-seccomp.md
new file mode 100644
index 000000000000..c3b522b93623
--- /dev/null
+++ b/docs/reference/filebeat/linux-seccomp.md
@@ -0,0 +1,75 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/linux-seccomp.html
+---
+
+# Use Linux Secure Computing Mode (seccomp) [linux-seccomp]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+On Linux 3.17 and later, Filebeat can take advantage of secure computing mode, also known as seccomp. Seccomp restricts the system calls that a process can issue. Specifically Filebeat can load a seccomp BPF filter at process start-up that drops the privileges to invoke specific system calls. Once a filter is loaded by the process it cannot be removed.
+
+The kernel exposes a large number of system calls that are not used by Filebeat. By installing a seccomp filter, you can limit the total kernel surface exposed to Filebeat (principle of least privilege). This minimizes the impact of unknown vulnerabilities that might be found in the process.
+
+The filter is expressed as a Berkeley Packet Filter (BPF) program. The BPF program is generated based on a policy defined by Filebeat. The policy can be customized through configuration as well.
+
+A seccomp policy is architecture specific due to the fact that system calls vary by architecture. Filebeat includes a whitelist seccomp policy for the amd64 and 386 architectures. You can view those policies [here](https://github.com/elastic/beats/tree/master/libbeat/common/seccomp).
+
+
+## Seccomp Policy Configuration [seccomp-policy-config]
+
+The seccomp policy can be customized through the configuration policy. This is an example blacklist policy that prohibits `execve`, `execveat`, `fork`, and `vfork` syscalls.
+
+```yaml
+seccomp:
+  default_action: allow <1>
+  syscalls:
+  - action: errno <2>
+    names: <3>
+    - execve
+    - execveat
+    - fork
+    - vfork
+```
+
+1. If the system call being invoked by the process does not match one of the names below then it will be allowed.
+2. If the system call being invoked matches one of the names below then an error will be returned to caller. This is known as a blacklist policy.
+3. These are system calls being prohibited.
+
+
+These are the configuration options for a seccomp policy.
+
+**`enabled`**
+:   On Linux, this option is enabled by default. To disable seccomp filter loading, set this option to `false`.
+
+**`default_action`**
+:   The default action to take when none of the defined system calls match. See [action](#seccomp-policy-config-action) for the full list of values. This is required.
+
+**`syscalls`**
+:   Each object in this list must contain an `action` and a list of system call `names`. The list must contain at least one item.
+
+**`names`**
+:   A list of system call names. The system call name must exist for the runtime architecture, otherwise an error will be logged and the filter will not be installed. At least one system call must be defined.
+
+$$$seccomp-policy-config-action$$$
+
+**`action`**
+:   The action to take when any of the system calls listed in `names` is executed. This is required. These are the available action values. The actions that are available depend on the kernel version.
+
+    * `errno` - The system call will return `EPERM` (permission denied) to the caller.
+    * `trace` - The kernel will notify a `ptrace` tracer. If no tracer is present then the system call fails with `ENOSYS` (function not implemented).
+    * `trap` - The kernel will send a `SIGSYS` signal to the calling thread and not execute the system call. The Go runtime will exit.
+    * `kill_thread` - The kernel will immediately terminate the thread. Other threads will continue to execute.
+    * `kill_process` - The kernel will terminate the process. Available in Linux 4.14 and later.
+    * `log` - The kernel will log the system call before executing it. Available in Linux 4.14 and later. (This does not go to the Beat’s log.)
+    * `allow` - The kernel will allow the system call to execute.
+
+
+
+## Auditbeat Reports Seccomp Violations [_auditbeat_reports_seccomp_violations]
+
+You can use Auditbeat to report any seccomp violations that occur on the system. The kernel generates an event for each violation and Auditbeat reports the event. The `event.action` value will be `violated-seccomp-policy` and the event will contain information about the process and system call.
+
diff --git a/docs/reference/filebeat/load-ingest-pipelines.md b/docs/reference/filebeat/load-ingest-pipelines.md
new file mode 100644
index 000000000000..476260b0c710
--- /dev/null
+++ b/docs/reference/filebeat/load-ingest-pipelines.md
@@ -0,0 +1,92 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/load-ingest-pipelines.html
+---
+
+# Load ingest pipelines [load-ingest-pipelines]
+
+The ingest pipelines used to parse log lines are set up automatically the first time you run Filebeat, assuming the {{es}} output is enabled. If you’re sending events to {{ls}} you need to load the ingest pipelines manually. To do this, run the `setup` command with the `--pipelines` option specified.  You also need to enable the modules and filesets, this can be accomplished several ways.
+
+First you can use the `--modules` option to enable the module, and the `-M` option to enable the fileset.  For example, the following command loads the access pipeline from the nginx module.
+
+**deb and rpm:**
+
+```sh
+filebeat setup --pipelines --modules nginx -M "nginx.access.enabled=true"
+```
+
+**mac:**
+
+```sh
+./filebeat setup --pipelines --modules nginx -M "nginx.access.enabled=true"
+```
+
+**linux:**
+
+```sh
+./filebeat setup --pipelines --modules nginx -M "nginx.access.enabled=true"
+```
+
+**win:**
+
+```sh
+PS > .\filebeat.exe setup --pipelines --modules nginx -M "nginx.access.enabled=true"
+```
+
+The second option is to use the `--modules` option to enable the module, and the `--force-enable-module-filesets` option to enable all the filesets in the module.  For example, the following command loads the access pipeline from the nginx module.
+
+**deb and rpm:**
+
+```sh
+filebeat setup --pipelines --modules nginx --force-enable-module-filesets
+```
+
+**mac:**
+
+```sh
+./filebeat setup --pipelines --modules nginx --force-enable-module-filesets
+```
+
+**linux:**
+
+```sh
+./filebeat setup --pipelines --modules nginx --force-enable-module-filesets
+```
+
+**win:**
+
+```sh
+PS > .\filebeat.exe setup --pipelines --modules nginx --force-enable-module-filesets
+```
+
+The third option is to use the `--enable-all-filesets` option to enable all the modules and all the filesets so all of the ingest pipelines are loaded.  For example, the following command loads all the ingest pipelines.
+
+**deb and rpm:**
+
+```sh
+filebeat setup --pipelines --enable-all-filesets
+```
+
+**mac:**
+
+```sh
+./filebeat setup --pipelines --enable-all-filesets
+```
+
+**linux:**
+
+```sh
+./filebeat setup --pipelines --enable-all-filesets
+```
+
+**win:**
+
+```sh
+PS > .\filebeat.exe setup --pipelines --enable-all-filesets
+```
+
+::::{tip}
+If you’re loading ingest pipelines manually because you want to send events to {{ls}}, also see [Working with Filebeat modules](logstash://reference/working-with-filebeat-modules.md).
+::::
+
+
diff --git a/docs/reference/filebeat/load-kibana-dashboards.md b/docs/reference/filebeat/load-kibana-dashboards.md
new file mode 100644
index 000000000000..b82c82bbb372
--- /dev/null
+++ b/docs/reference/filebeat/load-kibana-dashboards.md
@@ -0,0 +1,151 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/load-kibana-dashboards.html
+---
+
+# Load Kibana dashboards [load-kibana-dashboards]
+
+::::{tip}
+For deeper observability into your infrastructure, you can use the {{metrics-app}} and the {{logs-app}} in {{kib}}. For more details, see [Metrics monitoring](docs-content://solutions/observability/infra-and-hosts/analyze-infrastructure-host-metrics.md) and [Log monitoring](docs-content://solutions/observability/logs/explore-logs.md).
+::::
+
+
+Filebeat comes packaged with example Kibana dashboards, visualizations, and searches for visualizing Filebeat data in Kibana. Before you can use the dashboards, you need to create the index pattern, `filebeat-*`, and load the dashboards into Kibana.
+
+To do this, you can either run the `setup` command (as described here) or [configure dashboard loading](/reference/filebeat/configuration-dashboards.md) in the `filebeat.yml` config file. This requires a Kibana endpoint configuration. If you didn’t already configure a Kibana endpoint, see [{{kib}} endpoint](/reference/filebeat/setup-kibana-endpoint.md).
+
+
+## Load dashboards [load-dashboards]
+
+Make sure Kibana is running before you perform this step. If you are accessing a secured Kibana instance, make sure you’ve configured credentials as described in the [Quick start: installation and configuration](/reference/filebeat/filebeat-installation-configuration.md).
+
+To load the recommended index template for writing to {{es}} and deploy the sample dashboards for visualizing the data in {{kib}}, use the command that works with your system.
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+filebeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+filebeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+./filebeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} Linux
+```sh
+./filebeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} Docker
+```sh
+docker run --rm --net="host" docker.elastic.co/beats/filebeat:9.0.0-beta1 setup --dashboards
+```
+::::::
+
+::::::{tab-item} Windows
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Filebeat, and run:
+
+```sh
+PS > .\filebeat.exe setup --dashboards
+```
+::::::
+
+:::::::
+For more options, such as loading customized dashboards, see [Importing Existing Beat Dashboards](http://www.elastic.co/guide/en/beats/devguide/master/import-dashboards.md). If you’ve configured the Logstash output, see [Load dashboards for Logstash output](#load-dashboards-logstash).
+
+
+## Load dashboards for Logstash output [load-dashboards-logstash]
+
+During dashboard loading, Filebeat connects to Elasticsearch to check version information. To load dashboards when the Logstash output is enabled, you need to temporarily disable the Logstash output and enable Elasticsearch. To connect to a secured Elasticsearch cluster, you also need to pass Elasticsearch credentials.
+
+::::{tip}
+The example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/filebeat/keystore.md).
+::::
+
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+filebeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=filebeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+filebeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=filebeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+./filebeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=filebeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} Linux
+```sh
+./filebeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=filebeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} Docker
+```sh
+docker run --rm --net="host" docker.elastic.co/beats/filebeat:9.0.0-beta1 setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=filebeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} Windows
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Filebeat, and run:
+
+```sh
+PS > .\filebeat.exe setup -e `
+  -E output.logstash.enabled=false `
+  -E output.elasticsearch.hosts=['localhost:9200'] `
+  -E output.elasticsearch.username=filebeat_internal `
+  -E output.elasticsearch.password={pwd} `
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+:::::::
diff --git a/docs/reference/filebeat/logstash-output.md b/docs/reference/filebeat/logstash-output.md
new file mode 100644
index 000000000000..659773d05979
--- /dev/null
+++ b/docs/reference/filebeat/logstash-output.md
@@ -0,0 +1,243 @@
+---
+navigation_title: "Logstash"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/logstash-output.html
+---
+
+# Configure the Logstash output [logstash-output]
+
+
+The {{ls}} output sends events directly to {{ls}} by using the lumberjack protocol, which runs over TCP. {{ls}} allows for additional processing and routing of generated events.
+
+::::{admonition} Prerequisite
+:class: important
+
+To send events to {{ls}}, you also need to create a {{ls}} configuration pipeline that listens for incoming Beats connections and indexes the received events into {{es}}. For more information, see [Getting Started with {{ls}}](logstash://reference/getting-started-with-logstash.md). Also see the documentation for the [{{beats}} input](logstash://reference/plugins-inputs-beats.md) and [{{es}} output](logstash://reference/plugins-outputs-elasticsearch.md) plugins.
+::::
+
+
+If you want to use {{ls}} to perform additional processing on the data collected by Filebeat, you need to configure Filebeat to use {{ls}}.
+
+To do this, edit the Filebeat configuration file to disable the {{es}} output by commenting it out and enable the {{ls}} output by uncommenting the {{ls}} section:
+
+```yaml
+output.logstash:
+  hosts: ["127.0.0.1:5044"]
+```
+
+The `hosts` option specifies the {{ls}} server and the port (`5044`) where {{ls}} is configured to listen for incoming Beats connections.
+
+For this configuration, you must [load the index template into {{es}} manually](/reference/filebeat/filebeat-template.md#load-template-manually) because the options for auto loading the template are only available for the {{es}} output.
+
+Want to use [Filebeat modules](/reference/filebeat/filebeat-modules.md) with {{ls}}? You need to do some extra setup. For more information, see [Working with Filebeat modules](logstash://reference/working-with-filebeat-modules.md).
+
+## Accessing metadata fields [_accessing_metadata_fields]
+
+Every event sent to {{ls}} contains the following metadata fields that you can use in {{ls}} for indexing and filtering:
+
+```json
+{
+    ...
+    "@metadata": { <1>
+      "beat": "filebeat", <2>
+      "version": "9.0.0-beta1" <3>
+    }
+}
+```
+
+1. Filebeat uses the `@metadata` field to send metadata to {{ls}}. See the [{{ls}} documentation](logstash://reference/event-dependent-configuration.md#metadata) for more about the `@metadata` field.
+2. The default is filebeat. To change this value, set the [`index`](#logstash-index) option in the Filebeat config file.
+3. The current version of Filebeat.
+
+
+You can access this metadata from within the {{ls}} config file to set values dynamically based on the contents of the metadata.
+
+For example, the following {{ls}} configuration file tells {{ls}} to use the index reported by Filebeat for indexing events into {{es}}:
+
+```json
+input {
+  beats {
+    port => 5044
+  }
+}
+
+output {
+  elasticsearch {
+    hosts => ["http://localhost:9200"]
+    index => "%{[@metadata][beat]}-%{[@metadata][version]}" <1>
+    action => "create"
+  }
+}
+```
+
+1. `%{[@metadata][beat]}` sets the first part of the index name to the value of the `beat` metadata field and `%{[@metadata][version]}` sets the second part to the Beat’s version. For example: `filebeat-9.0.0-beta1`.
+
+
+Events indexed into {{es}} with the {{ls}} configuration shown here will be similar to events directly indexed by Filebeat into {{es}}.
+
+::::{note}
+If ILM is not being used, set `index` to `%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so {{ls}} creates an index per day, based on the `@timestamp` value of the events coming from Beats.
+::::
+
+
+
+## Compatibility [_compatibility_2]
+
+This output works with all compatible versions of {{ls}}. See the [Elastic Support Matrix](https://www.elastic.co/support/matrix#matrix_compatibility).
+
+
+## Configuration options [_configuration_options_26]
+
+You can specify the following options in the `logstash` section of the `filebeat.yml` config file:
+
+### `enabled` [_enabled_31]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [hosts]
+
+The list of known {{ls}} servers to connect to. If load balancing is disabled, but multiple hosts are configured, one host is selected randomly (there is no precedence). If one host becomes unreachable, another one is selected randomly.
+
+All entries in this list can contain a port number. The default port number 5044 will be used if no number is given.
+
+
+### `compression_level` [_compression_level]
+
+The gzip compression level. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the CPU usage.
+
+The default value is 3.
+
+
+### `escape_html` [_escape_html_2]
+
+Configure escaping of HTML in strings. Set to `true` to enable escaping.
+
+The default value is `false`.
+
+
+### `worker` or `workers` [_worker_or_workers]
+
+The number of workers per configured host publishing events to {{ls}}. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+
+### `loadbalance` [loadbalance]
+
+When `loadbalance: true` is set, Filebeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Filebeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Filebeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Filebeat can connect to at least one of its configured hosts. To rotate through the list of configured hosts over time, use this option in conjunction with the `ttl` setting to close the connection at the configured interval and choose a new target host.
+
+The default value is `false`.
+
+```yaml
+output.logstash:
+  hosts: ["localhost:5044", "localhost:5045"]
+  loadbalance: true
+  index: filebeat
+```
+
+
+### `ttl` [_ttl]
+
+Time to live for a connection to {{ls}} after which the connection will be re-established. Useful when {{ls}} hosts represent load balancers. Since the connections to {{ls}} hosts are sticky, operating behind load balancers can lead to uneven load distribution between the instances. Specifying a TTL on the connection allows to achieve equal connection distribution between the instances.  Specifying a TTL of 0 will disable this feature.
+
+The default value is 0. This setting accepts [duration](/reference/libbeat/config-file-format-type.md#_duration) data type values.
+
+::::{note}
+The "ttl" option is not yet supported on an async {{ls}} client (one with the "pipelining" option set).
+::::
+
+
+
+### `pipelining` [_pipelining]
+
+Configures the number of batches to be sent asynchronously to {{ls}} while waiting for ACK from {{ls}}. Output only becomes blocking once number of `pipelining` batches have been written. Pipelining is disabled if a value of 0 is configured. The default value is 2.
+
+
+### `proxy_url` [_proxy_url_3]
+
+The URL of the SOCKS5 proxy to use when connecting to the {{ls}} servers. The value must be a URL with a scheme of `socks5://`. The protocol used to communicate to {{ls}} is not based on HTTP so a web-proxy cannot be used.
+
+If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL as shown in the example.
+
+When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the [`proxy_use_local_resolver`](#logstash-proxy-use-local-resolver) option.
+
+```yaml
+output.logstash:
+  hosts: ["remote-host:5044"]
+  proxy_url: socks5://user:password@socks5-proxy:2233
+```
+
+
+### `proxy_use_local_resolver` [logstash-proxy-use-local-resolver]
+
+The `proxy_use_local_resolver` option determines if {{ls}} hostnames are resolved locally when using a proxy. The default value is false, which means that when a proxy is used the name resolution occurs on the proxy server.
+
+
+### `index` [logstash-index]
+
+The index root name to write events to. The default is the Beat name. For example `"filebeat"` generates `"[filebeat-]9.0.0-beta1-YYYY.MM.DD"` indices (for example, `"filebeat-9.0.0-beta1-2017.04.26"`).
+
+::::{note}
+This parameter’s value will be assigned to the `metadata.beat` field. It can then be accessed in {{ls}}'s output section as `%{[@metadata][beat]}`.
+::::
+
+
+
+### `ssl` [_ssl_5]
+
+Configuration options for SSL parameters like the root CA for {{ls}} connections. See [SSL](/reference/filebeat/configuration-ssl.md) for more information. To use SSL, you must also configure the [Beats input plugin for Logstash](logstash://reference/plugins-inputs-beats.md) to use SSL/TLS.
+
+
+### `timeout` [_timeout_3]
+
+The number of seconds to wait for responses from the {{ls}} server before timing out. The default is 30 (seconds).
+
+
+### `max_retries` [_max_retries_2]
+
+Filebeat ignores the `max_retries` setting and retries indefinitely.
+
+
+### `bulk_max_size` [_bulk_max_size]
+
+The maximum number of events to bulk in a single {{ls}} request. The default is 2048.
+
+Events can be collected into batches. Filebeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `slow_start` [_slow_start]
+
+If enabled, only a subset of events in a batch of events is transferred per transaction. The number of events to be sent increases up to `bulk_max_size` if no error is encountered. On error, the number of events per transaction is reduced again.
+
+The default is `false`.
+
+
+### `backoff.init` [_backoff_init_2]
+
+The number of seconds to wait before trying to reconnect to {{ls}} after a network error. After waiting `backoff.init` seconds, Filebeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_2]
+
+The maximum number of seconds to wait before attempting to connect to {{ls}} after a network error. The default is 60s.
+
+
+### `queue` [_queue_2]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/filebeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `filebeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/filebeat/madvdontneed-rss.md b/docs/reference/filebeat/madvdontneed-rss.md
new file mode 100644
index 000000000000..a1288bc8ce33
--- /dev/null
+++ b/docs/reference/filebeat/madvdontneed-rss.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/madvdontneed-rss.html
+---
+
+# High RSS memory usage due to MADV settings [madvdontneed-rss]
+
+In versions of Filebeat prior to 7.10.2, the go runtime defaults to `MADV_FREE` by default. In some cases, this can lead to high RSS memory usage while the kernel waits to reclaim any pages assigned to Filebeat. On versions prior to 7.10.2, set the `GODEBUG="madvdontneed=1"` environment variable if you run into RSS usage issues.
+
diff --git a/docs/reference/filebeat/metadata-missing.md b/docs/reference/filebeat/metadata-missing.md
new file mode 100644
index 000000000000..93cb55ef0878
--- /dev/null
+++ b/docs/reference/filebeat/metadata-missing.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/metadata-missing.html
+---
+
+# @metadata is missing in Logstash [metadata-missing]
+
+{{ls}} outputs remove `@metadata` fields automatically. Therefore, if {{ls}} instances are chained directly or via some message queue (for example, Redis or Kafka), the `@metadata` field will not be available in the final {{ls}} instance.
+
+::::{tip}
+To preserve `@metadata` fields, use the {{ls}} mutate filter with the rename setting to rename the fields to non-internal fields.
+::::
+
+
diff --git a/docs/reference/filebeat/migrate-from-deprecated-module.md b/docs/reference/filebeat/migrate-from-deprecated-module.md
new file mode 100644
index 000000000000..014a8cf0e23c
--- /dev/null
+++ b/docs/reference/filebeat/migrate-from-deprecated-module.md
@@ -0,0 +1,26 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/migrate-from-deprecated-module.html
+---
+
+# Migrating from a Deprecated Filebeat Module [migrate-from-deprecated-module]
+
+If a Filebeat module has been deprecated, there are a few options available for a path forward:
+
+1. Migrate to an Elastic integration, if available. The deprecation notice will link to an appropriate integration, if one exists.
+2. [Migrate to Elastic Agent](docs-content://reference/ingestion-tools/fleet/migrate-from-beats-to-elastic-agent.md) for ingesting logs. If a specific integration for the vendor/product does not exist, then one of the custom integrations can be used for ingesting events. A [custom pipeline](docs-content://reference/ingestion-tools/fleet/data-streams-pipeline-tutorial.md) may also be attached to the integration for further processing.
+
+    * [CEL Custom API](integration-docs://reference/cel.md) - Collect events from an API using CEL (Common Expression Language)
+    * [Custom API](integration-docs://reference/httpjson.md) - Collect events from an API using the HTTPJSON input
+    * [Custom Google Pub/Sub](integration-docs://reference/gcp_pubsub.md) - Collect events from Google Pub/Sub topics
+    * [Custom HTTP Endpoint](integration-docs://reference/http_endpoint.md) - Collect events from a listening HTTP port
+    * [Custom Journald](integration-docs://reference/journald.md) - Collect events from journald
+    * [Custom Kafka](integration-docs://reference/kafka_log.md) - Collect events from a Kafka topic
+    * [Custom Logs](integration-docs://reference/log.md) - Collect events from files
+    * [Custom TCP](integration-docs://reference/tcp.md) - Collect events from a listening TCP port
+    * [Custom UDP](integration-docs://reference/udp.md) - Collect events from a listening UDP port
+    * [Custom Windows Event](integration-docs://reference/winlog.md) - Collect events from a Windows Event Log channel
+
+3. Migrate to a different Filebeat module. In some cases, a Filebeat module may be superseded by a new module. The deprecation notice will link to an appropriate module, if one exists.
+4. Use a custom Filebeat input, processors, and ingest pipeline (if necessary).
+
diff --git a/docs/reference/filebeat/migrate-to-filestream.md b/docs/reference/filebeat/migrate-to-filestream.md
new file mode 100644
index 000000000000..303ed9ca137c
--- /dev/null
+++ b/docs/reference/filebeat/migrate-to-filestream.md
@@ -0,0 +1,69 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/migrate-to-filestream.html
+---
+
+# Migrate log input configurations to filestream [migrate-to-filestream]
+
+The `filestream` input has been generally available since 7.14 and it is highly recommended you migrate your existing `log` input configurations. The `filestream` input comes with many improvements over the old `log` input, such as configurable order for parsers and more.
+
+The `log` input is deprecated and will eventually be removed from Filebeat. We are not fixing new issues or adding any enhancements to the `log` input. Our focus is on `filestream`.
+
+This manual migration is required only if you’ve defined `log` inputs manually in your stand-alone Filebeat configuration. All the integrations or modules that are still using `log` inputs under the hood will be eventually migrated automatically without any additional actions required from the user.
+
+In this guide, you’ll learn how to migrate an existing `log` input configuration.
+
+::::{important}
+You must replace `log` inputs with `filestream` inputs, make sure you have removed all the old `log` inputs from the configuration before starting Filebeat with the new `filestream` inputs. Running old `log` inputs and new `filestream` inputs pointed to the same files will lead to data duplication.
+::::
+
+
+The following example shows three `log` inputs:
+
+```yaml
+filebeat.inputs:
+ - type: log
+   enabled: true
+   paths:
+     - /var/log/java-exceptions*.log
+   multiline:
+    pattern: '^\['
+    negate: true
+    match: after
+  close_removed: true
+  close_renamed: true
+
+- type: log
+  enabled: true
+  paths:
+    - /var/log/my-application*.json
+  scan_frequency: 1m
+  json.keys_under_root: true
+
+- type: log
+  enabled: true
+  paths:
+    - /var/log/my-old-files*.log
+  tail_files: true
+```
+
+For this example, let’s assume that the `log` input is used to collect logs from the following files. The progress of data collection is shown for each file.
+
+```sh
+/var/log/java-exceptions1.log (100%)
+/var/log/java-exceptions2.log (100%)
+/var/log/java-exceptions3.log (75%)
+/var/log/java-exceptions4.log (0%)
+/var/log/java-exceptions5.log (0%)
+/var/log/my-application1.json (100%)
+/var/log/my-application2.json (5%)
+/var/log/my-application3.json (0%)
+/var/log/my-old-files1.json (0%)
+```
+
+
+
+
+
+
+
diff --git a/docs/reference/filebeat/monitoring-internal-collection.md b/docs/reference/filebeat/monitoring-internal-collection.md
new file mode 100644
index 000000000000..e953db791e05
--- /dev/null
+++ b/docs/reference/filebeat/monitoring-internal-collection.md
@@ -0,0 +1,73 @@
+---
+navigation_title: "Use internal collection"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/monitoring-internal-collection.html
+---
+
+# Use internal collection to send monitoring data [monitoring-internal-collection]
+
+
+Use internal collectors to send {{beats}} monitoring data directly to your monitoring cluster. Or as an alternative to internal collection, use [Use {{metricbeat}} collection](/reference/filebeat/monitoring-metricbeat-collection.md). The benefit of using internal collection instead of {{metricbeat}} is that you have fewer pieces of software to install and maintain.
+
+1. Create an API key or user that has appropriate authority to send system-level monitoring data to {{es}}. For example, you can use the built-in `beats_system` user or assign the built-in `beats_system` role to another user. For more information on the required privileges, see [Create a *monitoring* user](/reference/filebeat/privileges-to-publish-monitoring.md). For more information on how to use API keys, see [*Grant access using API keys*](/reference/filebeat/beats-api-keys.md).
+2. Add the `monitoring` settings in the Filebeat configuration file. If you configured the {{es}} output and want to send Filebeat monitoring events to the same {{es}} cluster, specify the following minimal configuration:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      elasticsearch:
+        api_key:  id:api_key <1>
+        username: beats_system
+        password: somepassword
+    ```
+
+    1. Specify one of `api_key` or `username`/`password`.
+
+
+    If you want to send monitoring events to an [{{ecloud}}](https://cloud.elastic.co/) monitoring cluster, you can use two simpler settings. When defined, these settings overwrite settings from other parts in the configuration. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cloud.id: 'staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=='
+      cloud.auth: 'elastic:{pwd}'
+    ```
+
+    If you configured a different output, such as {{ls}} or you want to send Filebeat monitoring events to a separate {{es}} cluster (referred to as the *monitoring cluster*), you must specify additional configuration options. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cluster_uuid: PRODUCTION_ES_CLUSTER_UUID <1>
+      elasticsearch:
+        hosts: ["https://example.com:9200", "https://example2.com:9200"] <2>
+        api_key:  id:api_key <3>
+        username: beats_system
+        password: somepassword
+    ```
+
+    1. This setting identifies the {{es}} cluster under which the monitoring data for this Filebeat instance will appear in the Stack Monitoring UI. To get a cluster’s `cluster_uuid`, call the `GET /` API against that production cluster.
+    2. This setting identifies the hosts and port numbers of {{es}} nodes that are part of the monitoring cluster.
+    3. Specify one of `api_key` or `username`/`password`.
+
+
+    If you want to use PKI authentication to send monitoring events to {{es}}, you must specify a different set of configuration options. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cluster_uuid: PRODUCTION_ES_CLUSTER_UUID
+      elasticsearch:
+        hosts: ["https://example.com:9200", "https://example2.com:9200"]
+        username: ""
+        ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+        ssl.certificate: "/etc/pki/client/cert.pem"
+        ssl.key: "/etc/pki/client/cert.key"
+    ```
+
+    You must specify the `username` as `""` explicitly so that the username from the client certificate (`CN`) is used. See [SSL](/reference/filebeat/configuration-ssl.md) for more information about SSL settings.
+
+3. Start Filebeat.
+4. [View the monitoring data in {{kib}}](docs-content://deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md).
+
+
diff --git a/docs/reference/filebeat/monitoring-metricbeat-collection.md b/docs/reference/filebeat/monitoring-metricbeat-collection.md
new file mode 100644
index 000000000000..160e39ed12de
--- /dev/null
+++ b/docs/reference/filebeat/monitoring-metricbeat-collection.md
@@ -0,0 +1,163 @@
+---
+navigation_title: "Use {{metricbeat}} collection"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/monitoring-metricbeat-collection.html
+---
+
+# Use {{metricbeat}} to send monitoring data [monitoring-metricbeat-collection]
+
+
+In 7.3 and later, you can use {{metricbeat}} to collect data about Filebeat and ship it to the monitoring cluster. The benefit of using {{metricbeat}} instead of internal collection is that the monitoring agent remains active even if the Filebeat instance dies.
+
+To collect and ship monitoring data:
+
+1. [Configure the shipper you want to monitor](#configure-shipper)
+2. [Install and configure {{metricbeat}} to collect monitoring data](#configure-metricbeat)
+
+
+## Configure the shipper you want to monitor [configure-shipper]
+
+1. Enable the HTTP endpoint to allow external collection of monitoring data:
+
+    Add the following setting in the Filebeat configuration file (`filebeat.yml`):
+
+    ```yaml
+    http.enabled: true
+    ```
+
+    By default, metrics are exposed on port 5066. If you need to monitor multiple {{beats}} shippers running on the same server, set `http.port` to expose metrics for each shipper on a different port number:
+
+    ```yaml
+    http.port: 5067
+    ```
+
+2. Disable the default collection of Filebeat monitoring metrics.<br>
+
+    Add the following setting in the Filebeat configuration file (`filebeat.yml`):
+
+    ```yaml
+    monitoring.enabled: false
+    ```
+
+    For more information, see [Monitoring configuration options](/reference/filebeat/configuration-monitor.md).
+
+3. Configure host (optional).<br>
+
+    If you intend to get metrics using {{metricbeat}} installed on another server, you need to bind the Filebeat to host’s IP:
+
+    ```yaml
+    http.host: xxx.xxx.xxx.xxx
+    ```
+
+4. Configure cluster UUID.<br>
+
+    The cluster UUID is necessary if you want to see {{beats}} monitoring in the {{kib}} stack monitoring view. The monitoring data will be grouped under the cluster for that UUID. To associate Filebeat with the cluster UUID, set:
+
+    ```yaml
+    monitoring.cluster_uuid: "cluster-uuid"
+    ```
+
+5. Start Filebeat.
+
+
+## Install and configure {{metricbeat}} to collect monitoring data [configure-metricbeat]
+
+1. Install {{metricbeat}} on the same server as Filebeat. To learn how, see [Get started with {{metricbeat}}](/reference/metricbeat/metricbeat-installation-configuration.md). If you already have {{metricbeat}} installed on the server, skip this step.
+2. Enable the `beat-xpack` module in {{metricbeat}}.<br>
+
+    For example, to enable the default configuration in the `modules.d` directory, run the following command, using the correct command syntax for your OS:
+
+    ```sh
+    metricbeat modules enable beat-xpack
+    ```
+
+    For more information, see [Configure modules](/reference/metricbeat/configuration-metricbeat.md) and [beat module](/reference/metricbeat/metricbeat-module-beat.md).
+
+3. Configure the `beat-xpack` module in {{metricbeat}}.<br>
+
+    The `modules.d/beat-xpack.yml` file contains the following settings:
+
+    ```yaml
+    - module: beat
+      metricsets:
+        - stats
+        - state
+      period: 10s
+      hosts: ["http://localhost:5066"]
+      #username: "user"
+      #password: "secret"
+      xpack.enabled: true
+    ```
+
+    Set the `hosts`, `username`, and `password` settings as required by your environment. For other module settings, it’s recommended that you accept the defaults.
+
+    By default, the module collects Filebeat monitoring data from `localhost:5066`. If you exposed the metrics on a different host or port when you enabled the HTTP endpoint, update the `hosts` setting.
+
+    To monitor multiple {{beats}} agents, specify a list of hosts, for example:
+
+    ```yaml
+    hosts: ["http://localhost:5066","http://localhost:5067","http://localhost:5068"]
+    ```
+
+    If you configured Filebeat to use encrypted communications, you must access it via HTTPS. For example, use a `hosts` setting like `https://localhost:5066`.
+
+    If the Elastic {{security-features}} are enabled, you must also provide a user ID and password so that {{metricbeat}} can collect metrics successfully:
+
+    1. Create a user on the {{es}} cluster that has the `remote_monitoring_collector` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md).
+    2. Add the `username` and `password` settings to the beat module configuration file.
+
+4. Optional: Disable the system module in the {{metricbeat}}.
+
+    By default, the [system module](/reference/metricbeat/metricbeat-module-system.md) is enabled. The information it collects, however, is not shown on the **Stack Monitoring** page in {{kib}}. Unless you want to use that information for other purposes, run the following command:
+
+    ```sh
+    metricbeat modules disable system
+    ```
+
+5. Identify where to send the monitoring data.<br>
+
+    ::::{tip}
+    In production environments, we strongly recommend using a separate cluster (referred to as the *monitoring cluster*) to store the data. Using a separate monitoring cluster prevents production cluster outages from impacting your ability to access your monitoring data. It also prevents monitoring activities from impacting the performance of your production cluster.
+    ::::
+
+
+    For example, specify the {{es}} output information in the {{metricbeat}} configuration file (`metricbeat.yml`):
+
+    ```yaml
+    output.elasticsearch:
+      # Array of hosts to connect to.
+      hosts: ["http://es-mon-1:9200", "http://es-mon2:9200"] <1>
+
+      # Optional protocol and basic auth credentials.
+      #protocol: "https"
+      #api_key:  "id:api_key" <2>
+      #username: "elastic"
+      #password: "changeme"
+    ```
+
+    1. In this example, the data is stored on a monitoring cluster with nodes `es-mon-1` and `es-mon-2`.
+    2. Specify one of `api_key` or `username`/`password`.
+
+
+    If you configured the monitoring cluster to use encrypted communications, you must access it via HTTPS. For example, use a `hosts` setting like `https://es-mon-1:9200`.
+
+    ::::{important}
+    The {{es}} {{monitor-features}} use ingest pipelines. The cluster that stores the monitoring data must have at least one node with the `ingest` role.
+    ::::
+
+
+    If the {{es}} {{security-features}} are enabled on the monitoring cluster, you must provide a valid user ID and password so that {{metricbeat}} can send metrics successfully:
+
+    1. Create a user on the monitoring cluster that has the `remote_monitoring_agent` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md).
+
+        ::::{tip}
+        If you’re using index lifecycle management, the remote monitoring user requires additional privileges to create and read indices. For more information, see [*Grant users access to secured resources*](/reference/filebeat/feature-roles.md).
+        ::::
+
+    2. Add the `username` and `password` settings to the {{es}} output information in the {{metricbeat}} configuration file.
+
+    For more information about these configuration options, see [Configure the {{es}} output](/reference/metricbeat/elasticsearch-output.md).
+
+6. [Start {{metricbeat}}](/reference/metricbeat/metricbeat-starting.md) to begin collecting monitoring data.
+7. [View the monitoring data in {{kib}}](docs-content://deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md).
+
diff --git a/docs/reference/filebeat/monitoring-shows-fewer-than-expected-beats.md b/docs/reference/filebeat/monitoring-shows-fewer-than-expected-beats.md
new file mode 100644
index 000000000000..bf5e0f8fa136
--- /dev/null
+++ b/docs/reference/filebeat/monitoring-shows-fewer-than-expected-beats.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/monitoring-shows-fewer-than-expected-beats.html
+---
+
+# Monitoring UI shows fewer Beats than expected [monitoring-shows-fewer-than-expected-beats]
+
+If you are running multiple Beat instances on the same host, make sure they each have a distinct `path.data` value.
+
diff --git a/docs/reference/filebeat/monitoring.md b/docs/reference/filebeat/monitoring.md
new file mode 100644
index 000000000000..b47bb9bf9613
--- /dev/null
+++ b/docs/reference/filebeat/monitoring.md
@@ -0,0 +1,16 @@
+---
+navigation_title: "Monitor"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/monitoring.html
+---
+
+# Monitor Filebeat [monitoring]
+
+
+You can use the {{stack}} {{monitor-features}} to gain insight into the health of Filebeat instances running in your environment.
+
+To monitor Filebeat, make sure monitoring is enabled on your {{es}} cluster, then configure the method used to collect Filebeat metrics. You can use one of following methods:
+
+* [Internal collection](/reference/filebeat/monitoring-internal-collection.md) - Internal collectors send monitoring data directly to your monitoring cluster.
+* [{{metricbeat}} collection](/reference/filebeat/monitoring-metricbeat-collection.md) - {{metricbeat}} collects monitoring data from your Filebeat instance and sends it directly to your monitoring cluster.
+
diff --git a/docs/reference/filebeat/move-fields.md b/docs/reference/filebeat/move-fields.md
new file mode 100644
index 000000000000..192df4476a42
--- /dev/null
+++ b/docs/reference/filebeat/move-fields.md
@@ -0,0 +1,93 @@
+---
+navigation_title: "move_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/move-fields.html
+---
+
+# Move fields [move-fields]
+
+
+The `move_fields` processor moves event fields from one object into another. It can also rearrange fields or add a prefix to fields.
+
+The processor extracts fields from `from`, then uses `fields` and `exclude` as filters to choose which fields to move into the `to` field.
+
+For example, given the following event:
+
+```json
+{
+  "app": {
+    "method": "a",
+    "elapsed_time": 100,
+    "user_id": 100,
+    "message": "i'm a message"
+  }
+}
+```
+
+To move `method` and `elapsed_time` into another object, use this configuration:
+
+```yaml
+processors:
+  - move_fields:
+      from: "app"
+      fields: ["method", "elapsed_time"],
+      to: "rpc."
+```
+
+Your final event will be:
+
+```json
+{
+  "app": {
+    "user_id": 100,
+    "message": "i'm a message",
+    "rpc": {
+      "method": "a",
+      "elapsed_time": 100
+    }
+  }
+}
+```
+
+To add a prefix to the whole event:
+
+```json
+{
+  "app": { "method": "a"},
+  "cost": 100
+}
+```
+
+Use this configuration:
+
+```yaml
+processors:
+  - move_fields:
+      to: "my_prefix_"
+```
+
+Your final event will be:
+
+```json
+{
+  "my_prefix_app": { "method": "a"},
+  "my_prefix_cost": 100
+}
+```
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `from` | no |  | Which field you want extract. This field and any nested fields will be moved into `to` unless they are filtered out. If empty, indicates event root. |  |
+| `fields` | no |  | Which fields to extract from `from` and move to `to`. An empty list indicates all fields. |  |
+| `ignore_missing` | no | false | Ignore "not found" errors when extracting fields. |  |
+| `exclude` | no |  | A list of fields to exclude and not move. |  |
+| `to` | yes |  | These fields extract from `from` destination field prefix the `to` will base on fields root. |  |
+
+```yaml
+processors:
+  - move_fields:
+      from: "app"
+      fields: [ "method", "elapsed_time" ]
+      to: "rpc."
+```
+
diff --git a/docs/reference/filebeat/multiline-examples.md b/docs/reference/filebeat/multiline-examples.md
new file mode 100644
index 000000000000..c28f779559ae
--- /dev/null
+++ b/docs/reference/filebeat/multiline-examples.md
@@ -0,0 +1,297 @@
+---
+navigation_title: "Multiline messages"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/multiline-examples.html
+---
+
+# Manage multiline messages [multiline-examples]
+
+
+The files harvested by Filebeat may contain messages that span multiple lines of text. For example, multiline messages are common in files that contain Java stack traces. In order to correctly handle these multiline events, you need to configure `multiline` settings in the `filebeat.yml` file to specify which lines are part of a single event.
+
+::::{important}
+If you are sending multiline events to Logstash, use the options described here to handle multiline events before sending the event data to Logstash. Trying to implement multiline event handling in Logstash (for example, by using the Logstash multiline codec) may result in the mixing of streams and corrupted data.
+::::
+
+
+Also read [*Avoid YAML formatting problems*](/reference/filebeat/yaml-tips.md) and [Regular expression support](/reference/filebeat/regexp-support.md) to avoid common mistakes.
+
+
+### Configuration options [multiline]
+
+You can specify the following options in the `filebeat.inputs` section of the `filebeat.yml` config file to control how Filebeat deals with messages that span multiple lines.
+
+The following example shows how to configure `filestream` input in Filebeat to handle a multiline message where the first line of the message begins with a bracket (`[`).
+
+Please note that the example below only works with `filestream` input, and not with `log` input.
+
+```yaml
+parsers:
+- multiline:
+    type: pattern
+    pattern: '^\['
+    negate: true
+    match: after
+```
+
+If you still use the deprecated `log` input, there is no need to use `parsers`.
+
+```yaml
+multiline.type: pattern
+multiline.pattern: '^\['
+multiline.negate: true
+multiline.match: after
+```
+
+Filebeat takes all the lines that do not start with `[` and combines them with the previous line that does. For example, you could use this configuration to join the following lines of a multiline message into a single event:
+
+```sh
+[beat-logstash-some-name-832-2015.11.28] IndexNotFoundException[no such index]
+    at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver$WildcardExpressionResolver.resolve(IndexNameExpressionResolver.java:566)
+    at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:133)
+    at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:77)
+    at org.elasticsearch.action.admin.indices.delete.TransportDeleteIndexAction.checkBlock(TransportDeleteIndexAction.java:75)
+```
+
+**`multiline.type`**
+:   Defines which aggregation method to use. The default is `pattern`. The other options are `count` which lets you aggregate constant number of lines and `while_pattern` which aggregate lines by pattern without match option.
+
+**`multiline.pattern`**
+:   Specifies the regular expression pattern to match. Note that the regexp patterns supported by Filebeat differ somewhat from the patterns supported by Logstash. See [Regular expression support](/reference/filebeat/regexp-support.md) for a list of supported regexp patterns. Depending on how you configure other multiline options, lines that match the specified regular expression are considered either continuations of a previous line or the start of a new multiline event. You can set the `negate` option to negate the pattern.
+
+**`multiline.negate`**
+:   Defines whether the pattern is negated. The default is `false`.
+
+**`multiline.match`**
+:   Specifies how Filebeat combines matching lines into an event. The settings are `after` or `before`. The behavior of these settings depends on what you specify for `negate`:
+
+    | Setting for `negate` | Setting for `match` | Result | Example `pattern: ^b` |
+    | --- | --- | --- | --- |
+    | `false` | `after` | Consecutive lines that match the pattern are appended to the previous line that doesn’t match. | ![Lines a b b c b b become "abb" and "cbb"](images/false-after-multi.png "") |
+    | `false` | `before` | Consecutive lines that match the pattern are prepended to the next line that doesn’t match. | ![Lines b b a b b c become "bba" and "bbc"](images/false-before-multi.png "") |
+    | `true` | `after` | Consecutive lines that don’t match the pattern are appended to the previous line that does match. | ![Lines b a c b d e become "bac" and "bde"](images/true-after-multi.png "") |
+    | `true` | `before` | Consecutive lines that don’t match the pattern are prepended to the next line that does match. | ![Lines a c b d e b become "acb" and "deb"](images/true-before-multi.png "") |
+
+    ::::{note}
+    The `after` setting is equivalent to `previous` in [Logstash](logstash://reference/plugins-codecs-multiline.md), and `before` is equivalent to `next`.
+    ::::
+
+
+**`multiline.flush_pattern`**
+:   Specifies a regular expression, in which the current multiline will be flushed from memory, ending the multiline-message. Work only with `pattern` type.
+
+**`multiline.max_lines`**
+:   The maximum number of lines that can be combined into one event. If the multiline message contains more than `max_lines`, any additional lines are discarded. The default is 500.
+
+**`multiline.timeout`**
+:   After the specified timeout, Filebeat sends the multiline event even if no new pattern is found to start a new event. The default is 5s.
+
+**`multiline.count_lines`**
+:   The number of lines to aggregate into a single event.
+
+**`multiline.skip_newline`**
+:   When set, multiline events are concatenated without a line separator.
+
+## Examples of multiline configuration [_examples_of_multiline_configuration]
+
+The examples in this section cover the following use cases:
+
+* Combining a Java stack trace into a single event
+* Combining C-style line continuations into a single event
+* Combining multiple lines from time-stamped events
+
+
+#### Java stack traces [_java_stack_traces]
+
+Java stack traces consist of multiple lines, with each line after the initial line beginning with whitespace, as in this example:
+
+```java
+Exception in thread "main" java.lang.NullPointerException
+        at com.example.myproject.Book.getTitle(Book.java:16)
+        at com.example.myproject.Author.getBookTitles(Author.java:25)
+        at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
+```
+
+To consolidate these lines into a single event in Filebeat, use the following multiline configuration with `filestream`:
+
+```yaml
+parsers:
+- multiline:
+    type: pattern
+    pattern: '^[[:space:]]'
+    negate: false
+    match: after
+```
+
+Using `log` input:
+
+```yaml
+multiline.type: pattern
+multiline.pattern: '^[[:space:]]'
+multiline.negate: false
+multiline.match: after
+```
+
+This configuration merges any line that begins with whitespace up to the previous line.
+
+Here’s a Java stack trace that presents a slightly more complex example:
+
+```sh
+Exception in thread "main" java.lang.IllegalStateException: A book has a null property
+       at com.example.myproject.Author.getBookIds(Author.java:38)
+       at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
+Caused by: java.lang.NullPointerException
+       at com.example.myproject.Book.getId(Book.java:22)
+       at com.example.myproject.Author.getBookIds(Author.java:35)
+       ... 1 more
+```
+
+To consolidate these lines into a single event in Filebeat, use the following multiline configuration with `filestream`:
+
+```yaml
+parsers:
+- multiline:
+    type: pattern
+    pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
+    negate: false
+    match: after
+```
+
+Using `log` input:
+
+```yaml
+multiline.type: pattern
+multiline.pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
+multiline.negate: false
+multiline.match: after
+```
+
+In this example, the pattern matches the following lines:
+
+* a line that begins with spaces followed by the word `at` or `...`
+* a line that begins with the words `Caused by:`
+
+
+#### Line continuations [_line_continuations]
+
+Several programming languages use the backslash (`\`) character at the end of a line to denote that the line continues, as in this example:
+
+```c
+printf ("%10.10ld  \t %10.10ld \t %s\
+  %f", w, x, y, z );
+```
+
+To consolidate these lines into a single event in Filebeat, use the following multiline configuration with `filestream`:
+
+```yaml
+parsers:
+- multiline:
+    type: pattern
+    pattern: '\\$'
+    negate: false
+    match: before
+```
+
+Using `log` input:
+
+```yaml
+multiline.type: pattern
+multiline.pattern: '\\$'
+multiline.negate: false
+multiline.match: before
+```
+
+This configuration merges any line that ends with the `\` character with the line that follows.
+
+
+#### Timestamps [_timestamps]
+
+Activity logs from services such as Elasticsearch typically begin with a timestamp, followed by information on the specific activity, as in this example:
+
+```shell
+[2015-08-24 11:49:14,389][INFO ][env                      ] [Letha] using [1] data paths, mounts [[/
+(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]
+```
+
+To consolidate these lines into a single event in Filebeat, use the following multiline configuration with `filestream`:
+
+```yaml
+parsers:
+- multiline:
+    type: pattern
+    pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
+    negate: true
+    match: after
+```
+
+Using `log` input:
+
+```yaml
+multiline.type: pattern
+multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
+multiline.negate: true
+multiline.match: after
+```
+
+This configuration uses the `negate: true` and `match: after` settings to specify that any line that does not match the specified pattern belongs to the previous line.
+
+
+#### Application events [_application_events]
+
+Sometimes your application logs contain events, that begin and end with custom markers, such as the following example:
+
+```shell
+[2015-08-24 11:49:14,389] Start new event
+[2015-08-24 11:49:14,395] Content of processing something
+[2015-08-24 11:49:14,399] End event
+```
+
+To consolidate this as a single event in Filebeat, use the following multiline configuration with `filestream`:
+
+```yaml
+parsers:
+- multiline:
+    type: pattern
+    pattern: 'Start new event'
+    negate: true
+    match: after
+    flush_pattern: 'End event'
+```
+
+Using `log` input:
+
+```yaml
+multiline.type: pattern
+multiline.pattern: 'Start new event'
+multiline.negate: true
+multiline.match: after
+multiline.flush_pattern: 'End event'
+```
+
+The `flush_pattern` option, specifies a regex at which the current multiline will be flushed. If you think of the `pattern` option specifying the beginning of an event, the `flush_pattern` option will specify the end or last line of the event.
+
+::::{note}
+This example will not work correctly if start/end log blocks are mixed with non-multiline logs, or if different start/end log blocks overlap with each other. For instance, `Some other log` log lines in the following example will be merged into a *single* multiline document because they neither match `multiline.pattern` nor `multiline.flush_pattern`, and `multiline.negate` is set to `true`.
+::::
+
+
+```shell
+[2015-08-24 11:49:14,389] Start new event
+[2015-08-24 11:49:14,395] Content of processing something
+[2015-08-24 11:49:14,399] End event
+[2015-08-24 11:50:14,389] Some other log
+[2015-08-24 11:50:14,395] Some other log
+[2015-08-24 11:50:14,399] Some other log
+[2015-08-24 11:51:14,389] Start new event
+[2015-08-24 11:51:14,395] Content of processing something
+[2015-08-24 11:51:14,399] End event
+```
+
+
+## Test your regexp pattern for multiline [_test_your_regexp_pattern_for_multiline]
+
+To make it easier for you to test the regexp patterns in your multiline config, we’ve created a [Go Playground](https://play.golang.org/p/uAd5XHxscu). You can simply plug in the regexp pattern along with the `multiline.negate` setting that you plan to use, and paste a sample message between the content backticks (` `). Then click Run, and you’ll see which lines in the message match your specified configuration. For example:
+
+![go playground](images/go-playground.png "")
+
+
diff --git a/docs/reference/filebeat/newline-character-required-eof.md b/docs/reference/filebeat/newline-character-required-eof.md
new file mode 100644
index 000000000000..4921d39b455f
--- /dev/null
+++ b/docs/reference/filebeat/newline-character-required-eof.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/newline-character-required-eof.html
+---
+
+# Filebeat isn���t shipping the last line of a file [newline-character-required-eof]
+
+Filebeat uses a newline character to detect the end of an event. If lines are added incrementally to a file that’s being harvested, a newline character is required after the last line, or Filebeat will not read the last line of the file.
+
diff --git a/docs/reference/filebeat/open-file-handlers.md b/docs/reference/filebeat/open-file-handlers.md
new file mode 100644
index 000000000000..10391356cabe
--- /dev/null
+++ b/docs/reference/filebeat/open-file-handlers.md
@@ -0,0 +1,21 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/open-file-handlers.html
+---
+
+# Too many open file handlers [open-file-handlers]
+
+Filebeat keeps the file handler open in case it reaches the end of a file so that it can read new log lines in near real time. If Filebeat is harvesting a large number of files, the number of open files can become an issue. In most environments, the number of files that are actively updated is low. The `close_inactive` configuration option should be set accordingly to close files that are no longer active.
+
+There are additional configuration options that you can use to close file handlers, but all of them should be used carefully because they can have side effects. The options are:
+
+* [`close_renamed`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-close-renamed)
+* [`close_removed`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-close-removed)
+* [`close_eof`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-close-eof)
+* [`close_timeout`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-close-timeout)
+* [`harvester_limit`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-harvester-limit)
+
+The `close_renamed` and `close_removed` options can be useful on Windows to resolve issues related to file rotation. See [Open file handlers cause issues with Windows file rotation](/reference/filebeat/windows-file-rotation.md). The `close_eof` option can be useful in environments with a large number of files that have only very few entries. The `close_timeout` option is useful in environments where closing file handlers is more important than sending all log lines. For more details, see [Inputs](/reference/filebeat/configuration-filebeat-options.md).
+
+Make sure that you read the documentation for these configuration options before using any of them.
+
diff --git a/docs/reference/filebeat/override-filebeat-config-settings.md b/docs/reference/filebeat/override-filebeat-config-settings.md
new file mode 100644
index 000000000000..35fb84c366be
--- /dev/null
+++ b/docs/reference/filebeat/override-filebeat-config-settings.md
@@ -0,0 +1,66 @@
+---
+navigation_title: "Override configuration settings"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/override-filebeat-config-settings.html
+---
+
+# Override configuration settings at the command line [override-filebeat-config-settings]
+
+
+::::{note}
+If you’re running Filebeat as a service, you can’t specify command-line flags. To specify flags, start Filebeat in the foreground.
+::::
+
+
+You can override any configuration setting from the command line by using flags:
+
+`-E, --E "SETTING_NAME=VALUE"`
+:   Overrides a specific configuration setting.
+
+`-M, --M "VAR_NAME=VALUE"`
+:   Overrides the default configuration for a module.
+
+You can specify multiple overrides. Overrides are applied to the currently running Filebeat process. The Filebeat configuration file is not changed.
+
+
+## Example: override configuration file settings [example-override-config]
+
+The following configuration sends logging output to files:
+
+```sh
+logging.level: info
+logging.to_files: true
+logging.files:
+  path: /var/log/filebeat
+  name: filebeat
+  keepfiles: 7
+  permissions: 0640
+```
+
+To override the logging level and send logging output to standard error instead of a file, use the `-E` flag when you run Filebeat:
+
+```sh
+-E "logging.to_files=false" -E "logging.to_stderr=true" -E "logging.level=error"
+```
+
+
+## Example: override module settings [example-override-module-setting]
+
+The following configuration sets the path to Nginx access logs:
+
+```yaml
+- module: nginx
+  access:
+    var.paths: ["/var/log/nginx/access.log*"]
+```
+
+To override the `var.paths` setting from the command line, use the `-M` flag when you run Filebeat. The variable name must include the module and fileset name. For example:
+
+```sh
+-M "nginx.access.var.paths=[/path/to/log/nginx/access.log*]"
+```
+
+You can specify multiple overrides. Each override must start with `-M`.
+
+For information about specific variables that you can set for each fileset, see the documentation under [Modules](/reference/filebeat/filebeat-modules.md).
+
diff --git a/docs/reference/filebeat/privileges-to-publish-events.md b/docs/reference/filebeat/privileges-to-publish-events.md
new file mode 100644
index 000000000000..bde7bbe140f2
--- /dev/null
+++ b/docs/reference/filebeat/privileges-to-publish-events.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "Create a _publishing_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/privileges-to-publish-events.html
+---
+
+# Grant privileges and roles needed for publishing [privileges-to-publish-events]
+
+
+Users who publish events to {{es}} need to create and write to Filebeat indices. To minimize the privileges required by the writer role, use the [setup role](/reference/filebeat/privileges-to-setup-beats.md) to pre-load dependencies. This section assumes that you’ve run the setup.
+
+When using ILM, turn off the ILM setup check in the Filebeat config file before running Filebeat to publish events:
+
+```yaml
+setup.ilm.check_exists: false
+```
+
+To grant the required privileges:
+
+1. Create a **writer role**, called something like `filebeat_writer`, that has the following privileges:
+
+    ::::{note}
+    The `monitor` cluster privilege and the `create_doc` and `auto_configure` privileges on `filebeat-*` indices are required in every configuration.
+    ::::
+
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+    | Cluster | `read_ilm` | Read the ILM policy when connecting to clusters that support ILM.Not needed when `setup.ilm.check_exists` is `false`. |
+    | Cluster | `read_pipeline` | Check for ingest pipelines used by modules. Needed when using modules. |
+    | Index | `create_doc` on `filebeat-*` indices | Write events into {{es}} |
+    | Index | `auto_configure` on `filebeat-*` indices | Update the datastream mapping. Consider either disabling entirely or adding therule `-{{beat_default_index_prefix}}-*` to the cluster settings[action.auto_create_index](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-create)to prevent unwanted indices creations from the agents. |
+
+    Omit any privileges that aren’t relevant in your environment.
+
+2. Assign the **writer role** to users who will index events into {{es}}.
+
diff --git a/docs/reference/filebeat/privileges-to-publish-monitoring.md b/docs/reference/filebeat/privileges-to-publish-monitoring.md
new file mode 100644
index 000000000000..3ba7fd1a0477
--- /dev/null
+++ b/docs/reference/filebeat/privileges-to-publish-monitoring.md
@@ -0,0 +1,61 @@
+---
+navigation_title: "Create a _monitoring_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/privileges-to-publish-monitoring.html
+---
+
+# Grant privileges and roles needed for monitoring [privileges-to-publish-monitoring]
+
+
+{{es-security-features}} provides built-in users and roles for monitoring. The privileges and roles needed depend on the method used to collect monitoring data.
+
+::::{admonition} Important note for {{ecloud}} users
+:class: important
+
+Built-in users are not available when running our [hosted {{ess}}](https://www.elastic.co/cloud/elasticsearch-service) on {{ecloud}}. To send monitoring data securely, create a monitoring user and grant it the roles described in the following sections.
+
+::::
+
+
+* If you’re using [internal collection](/reference/filebeat/monitoring-internal-collection.md) to collect metrics about Filebeat, {{es-security-features}} provides the `beats_system` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md) and `beats_system` [built-in role](elasticsearch://reference/elasticsearch/roles.md) to send monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to send monitoring information.
+
+    If you use the `beats_system` user, make sure you set the password.
+
+    If you don’t use the `beats_system` user:
+
+    1. Create a **monitoring role**, called something like `filebeat_monitoring`, that has the following privileges:
+
+        | Type | Privilege | Purpose |
+        | --- | --- | --- |
+        | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+        | Index | `create_index` on `.monitoring-beats-*` indices | Create monitoring indices in {{es}} |
+        | Index | `create_doc` on `.monitoring-beats-*` indices | Write monitoring events into {{es}} |
+
+    2. Assign the **monitoring role**, along with the following built-in roles, to users who need to monitor Filebeat:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `kibana_admin` | Use {{kib}} |
+        | `monitoring_user` | Use **Stack Monitoring** in {{kib}} to monitor Filebeat |
+
+* If you’re [using {{metricbeat}}](/reference/filebeat/monitoring-metricbeat-collection.md) to collect metrics about Filebeat, {{es-security-features}} provides the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md), and the `remote_monitoring_collector` and `remote_monitoring_agent` [built-in roles](elasticsearch://reference/elasticsearch/roles.md) for collecting and sending monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to collect and send monitoring information.
+
+    If you use the `remote_monitoring_user` user, make sure you set the password.
+
+    If you don’t use the `remote_monitoring_user` user:
+
+    1. Create a user on the production cluster who will collect and send monitoring information.
+    2. Assign the following roles to the user:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `remote_monitoring_collector` | Collect monitoring metrics from Filebeat |
+        | `remote_monitoring_agent` | Send monitoring data to the monitoring cluster |
+
+    3. Assign the following role to users who will view the monitoring data in {{kib}}:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `monitoring_user` | Use **Stack Monitoring** in {{kib}} to monitor Filebeat |
+
+
diff --git a/docs/reference/filebeat/privileges-to-setup-beats.md b/docs/reference/filebeat/privileges-to-setup-beats.md
new file mode 100644
index 000000000000..e65affe95f53
--- /dev/null
+++ b/docs/reference/filebeat/privileges-to-setup-beats.md
@@ -0,0 +1,42 @@
+---
+navigation_title: "Create a _setup_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/privileges-to-setup-beats.html
+---
+
+# Grant privileges and roles needed for setup [privileges-to-setup-beats]
+
+
+::::{important}
+Setting up Filebeat is an admin-level task that requires extra privileges. As a best practice, grant the setup role to administrators only, and use a more restrictive role for event publishing.
+::::
+
+
+Administrators who set up Filebeat typically need to load mappings, dashboards, and other objects used to index data into {{es}} and visualize it in {{kib}}.
+
+To grant users the required privileges:
+
+1. Create a **setup role**, called something like `filebeat_setup`, that has the following privileges:
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+    | Cluster | `manage_ilm` | Set up and manage index lifecycle management (ILM) policy |
+    | Index | `manage` on `filebeat-*` indices | Load data stream |
+
+    Omit any privileges that aren’t relevant in your environment.
+
+    ::::{note}
+    These instructions assume that you are using the default name for Filebeat indices. If `filebeat-*` is not listed, or you are using a custom name, enter it manually and modify the privileges to match your index naming pattern.
+    ::::
+
+2. Assign the **setup role**, along with the following built-in roles, to users who need to set up Filebeat:
+
+    | Role | Purpose |
+    | --- | --- |
+    | `kibana_admin` | Load dependencies, such as example dashboards, if available, into {{kib}} |
+    | `ingest_admin` | Set up index templates and, if available, ingest pipelines |
+
+    Omit any roles that aren’t relevant in your environment.
+
+
diff --git a/docs/reference/filebeat/processor-decode-cef.md b/docs/reference/filebeat/processor-decode-cef.md
new file mode 100644
index 000000000000..e05d981783d2
--- /dev/null
+++ b/docs/reference/filebeat/processor-decode-cef.md
@@ -0,0 +1,39 @@
+---
+navigation_title: "decode_cef"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/processor-decode-cef.html
+---
+
+# Decode CEF [processor-decode-cef]
+
+
+The `decode_cef` processor decodes Common Event Format (CEF) messages. It follows the specification defined in [ *Micro Focus Security ArcSight Common Event Format, Version 25*](https://archive.org/download/commoneventformatv25/CommonEventFormatV25.pdf). This processor is available in Filebeat. This is an example CEF message.
+
+`CEF:0|SomeVendor|TheProduct|1.0|100|connection to malware C2 successfully stopped|10|src=192.0.2.10 dst=203.0.113.2 spt=31224`
+
+Any content that precedes `CEF:` is ignored. This allows the processor to directly parse CEF content from messages that contain syslog headers.
+
+Below is an example configuration that decodes the `message` field as CEF after renaming it to `event.original`. It is best to rename `message` to `event.original` because the decoded CEF data contains its own `message` field.
+
+```yaml
+processors:
+  - rename:
+      fields:
+        - {from: "message", to: "event.original"}
+  - decode_cef:
+      field: event.original
+```
+
+The `decode_cef` processor has the following configuration settings.
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | no | message | Source field containing the CEF message to be parsed. |  |
+| `target_field` | no | cef | Target field where the parsed CEF object will be written. |  |
+| `ecs` | no | true | Generate Elastic Common Schema (ECS) fields from the CEF data.                                               Certain CEF header and extension values will be used to populate ECS fields. |  |
+| `timezone` | no | UTC | IANA time zone name (e.g. `America/New_York`) or fixed time offset (e.g. `+0200`) to use when parsing times that do not contain a time zone. `Local` may be specified to use the machine’s local time zone. |  |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |  |
+| `ignore_failure` | no | false | Ignore failures when the source field does not contain a CEF message. |  |
+| `ignore_empty_values` | no | false | Ignore CEF extensions with empty values (e.g. `spt= type=1`) |  |
+| `id` | no |  | An identifier for this processor instance. Useful for debugging. |  |
+
diff --git a/docs/reference/filebeat/processor-dns.md b/docs/reference/filebeat/processor-dns.md
new file mode 100644
index 000000000000..6a663a990e20
--- /dev/null
+++ b/docs/reference/filebeat/processor-dns.md
@@ -0,0 +1,102 @@
+---
+navigation_title: "dns"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/processor-dns.html
+---
+
+# DNS Reverse Lookup [processor-dns]
+
+
+The `dns` processor performs DNS queries. It caches the responses that it receives in accordance to the time-to-live (TTL) value contained in the response. It also caches failures that occur during lookups. Each instance of this processor maintains its own independent cache.
+
+The processor uses its own DNS resolver to send requests to nameservers and does not use the operating system’s resolver. It does not read any values contained in `/etc/hosts`.
+
+This processor can significantly slow down your pipeline’s throughput if you have a high latency network or slow upstream nameserver. The cache will help with performance, but if the addresses being resolved have a high cardinality then the cache benefits will be diminished due to the high miss ratio.
+
+By way of example, if each DNS lookup takes 2 milliseconds, the maximum throughput you can achieve is 500 events per second (1000 milliseconds / 2 milliseconds). If you have a high cache hit ratio then your throughput can be higher.
+
+The processor can send the following query types:
+
+* `A` - IPv4 addresses
+* `AAAA` - IPv6 addresses
+* `TXT` - arbitrary human-readable text data
+* `PTR` - reverse IP address lookups
+
+The output value is a list of strings for all query types except `PTR`. For `PTR` queries the output value is a string.
+
+This is a minimal configuration example that resolves the IP addresses contained in two fields.
+
+```yaml
+processors:
+  - dns:
+      type: reverse
+      fields:
+        source.ip: source.domain
+        destination.ip: destination.domain
+```
+
+Next is a configuration example showing all options.
+
+```yaml
+processors:
+- dns:
+    type: reverse
+    action: append
+    transport: tls
+    fields:
+      server.ip: server.domain
+      client.ip: client.domain
+    success_cache:
+      capacity.initial: 1000
+      capacity.max: 10000
+      min_ttl: 1m
+    failure_cache:
+      capacity.initial: 1000
+      capacity.max: 10000
+      ttl: 1m
+    nameservers: ['192.0.2.1', '203.0.113.1']
+    timeout: 500ms
+    tag_on_failure: [_dns_reverse_lookup_failed]
+```
+
+The `dns` processor has the following configuration settings:
+
+`type`
+:   The type of DNS query to perform. The supported types are `A`, `AAAA`, `PTR` (or `reverse`), and `TXT`.
+
+`action`
+:   This defines the behavior of the processor when the target field already exists in the event. The options are `append` (default) and `replace`.
+
+`fields`
+:   This is a mapping of source field names to target field names. The value of the source field will be used in the DNS query and result will be written to the target field.
+
+`success_cache.capacity.initial`
+:   The initial number of items that the success cache will be allocated to hold. When initialized the processor will allocate the memory for this number of items. Default value is `1000`.
+
+`success_cache.capacity.max`
+:   The maximum number of items that the success cache can hold. When the maximum capacity is reached a random item is evicted. Default value is `10000`.
+
+`success_cache.min_ttl`
+:   The duration of the minimum alternative cache TTL for successful DNS responses. Ensures that `TTL=0` successful reverse DNS responses can be cached. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `1m`.
+
+`failure_cache.capacity.initial`
+:   The initial number of items that the failure cache will be allocated to hold. When initialized the processor will allocate the memory for this number of items. Default value is `1000`.
+
+`failure_cache.capacity.max`
+:   The maximum number of items that the failure cache can hold. When the maximum capacity is reached a random item is evicted. Default value is `10000`.
+
+`failure_cache.ttl`
+:   The duration for which failures are cached. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `1m`.
+
+`nameservers`
+:   A list of nameservers to query. If there are multiple servers, the resolver queries them in the order listed. If none are specified then it will read the nameservers listed in `/etc/resolv.conf` once at initialization. On Windows you must always supply at least one nameserver.
+
+`timeout`
+:   The duration after which a DNS query will timeout. This is timeout for each DNS request so if you have 2 nameservers then the total timeout will be 2 times this value. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `500ms`.
+
+`tag_on_failure`
+:   A list of tags to add to the event when any lookup fails. The tags are only added once even if multiple lookups fail. By default, no tags are added upon failure.
+
+`transport`
+:   The type of transport connection that should be used can either be `tls` (DNS over TLS) or `udp`. Defaults to `udp`.
+
diff --git a/docs/reference/filebeat/processor-parse-aws-vpc-flow-log.md b/docs/reference/filebeat/processor-parse-aws-vpc-flow-log.md
new file mode 100644
index 000000000000..6b4e5dba15de
--- /dev/null
+++ b/docs/reference/filebeat/processor-parse-aws-vpc-flow-log.md
@@ -0,0 +1,205 @@
+---
+navigation_title: "parse_aws_vpc_flow_log"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/processor-parse-aws-vpc-flow-log.html
+---
+
+# Parse AWS VPC Flow Log [processor-parse-aws-vpc-flow-log]
+
+
+The `parse_aws_vpc_flow_log` processor decodes AWS VPC Flow log messages.
+
+Below is an example configuration that decodes the `message` field using the default version 2 VPC flow log format.
+
+```yaml
+processors:
+  - parse_aws_vpc_flow_log:
+      format: version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
+      field: message
+```
+
+The `parse_aws_vpc_flow_log` processor has the following configuration settings.
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | no | `message` | Source field containing the VPC flow log message. |  |
+| `target_field` | no | `aws.vpcflow` | Target field for the VPC flow log object. This applies only to the original VPC flow log fields. ECS fields are written to the standard location. |  |
+| `format` | yes |  | VPC flow log format. This supports VPC flow log fields from versions 2 through 5. It will accept a string or a list of strings. Each format must have a unique number of fields to enable matching it to a flow log message. |  |
+| `mode` | no | `ecs` | Mode controls what fields are generated. The available options are `original`, `ecs`, and `ecs_and_original`. `original` generates the fields specified in the format string. `ecs` maps the original fields to ECS and removes the original fields that are mapped to ECS. `ecs_and_original` maps the original fields to ECS and retains all the original fields. |  |
+| `ignore_missing` | no | false | Ignore missing source field. |  |
+| `ignore_failure` | no | false | Ignore failures while parsing and transforming the flow log message. |  |
+| `id` | no |  | Instance ID for debugging purposes. |  |
+
+
+## Modes [_modes]
+
+
+### Original [_original]
+
+This mode returns the same fields found in the `format` string. It will drop any fields whose value a dash (`-`). It converts the strings into the appropriate data types. These are the known field names and their data types.
+
+::::{note}
+The AWS VPC flow field names use underscores instead of dashes within Filebeat. You may configure the `format` using field names that contain either.
+::::
+
+
+| VPC Flow Log Field | Data Type |  |
+| --- | --- | --- |
+| account_id | string |  |
+| action | string |  |
+| az_id | string |  |
+| bytes | long |  |
+| dstaddr | ip |  |
+| dstport | integer |  |
+| end | timestamp |  |
+| flow_direction | string |  |
+| instance_id | string |  |
+| interface_id | string |  |
+| log_status | string |  |
+| packets | long |  |
+| pkt_dst_aws_service | string |  |
+| pkt_dstaddr | ip |  |
+| pkt_src_aws_service | string |  |
+| pkt_srcaddr | ip |  |
+| protocol | integer |  |
+| region | string |  |
+| srcaddr | ip |  |
+| srcport | integer |  |
+| start | timestamp |  |
+| sublocation_id | string |  |
+| sublocation_type | string |  |
+| subnet_id | string |  |
+| tcp_flags | integer |  |
+| tcp_flags_array* | integer |  |
+| traffic_path | integer |  |
+| type | string |  |
+| version | integer |  |
+| vpc_id | string |  |
+
+
+### ECS [_ecs]
+
+This mode maps the original VPC flow log fields into their associated Elastic Common Schema (ECS) fields. It removes the original fields that were mapped to ECS to reduced duplication. These are the field associations. There may be some transformations applied to derive the ECS field.
+
+| VPC Flow Log Field | ECS Field |  |
+| --- | --- | --- |
+| account_id | cloud.account.id |  |
+| action | event.outcome |  |
+| action | event.action |  |
+| action | event.type |  |
+| az_id | cloud.availability_zone |  |
+| bytes | network.bytes |  |
+| bytes | source.bytes |  |
+| dstaddr | destination.address |  |
+| dstaddr | destination.ip |  |
+| dstport | destination.port |  |
+| end | @timestamp |  |
+| end | event.end |  |
+| flow_direction | network.direction |  |
+| instance_id | cloud.instance.id |  |
+| packets | network.packets |  |
+| packets | source.packets |  |
+| protocol | network.iana_number |  |
+| protocol | network.transport |  |
+| region | cloud.region |  |
+| srcaddr | network.type |  |
+| srcaddr | source.address |  |
+| srcaddr | source.ip |  |
+| srcport | source.port |  |
+| start | event.start |  |
+
+
+### ECS and Original [_ecs_and_original]
+
+This mode maps the fields into ECS and retains all the original fields. Below is an example document produced using `ecs_and_orignal` mode.
+
+```json
+{
+  "@timestamp": "2021-03-26T03:29:09Z",
+  "aws": {
+    "vpcflow": {
+      "account_id": "64111117617",
+      "action": "REJECT",
+      "az_id": "use1-az5",
+      "bytes": 1,
+      "dstaddr": "10.200.0.0",
+      "dstport": 33004,
+      "end": "2021-03-26T03:29:09Z",
+      "flow_direction": "ingress",
+      "instance_id": "i-0axxxxxx1ad77",
+      "interface_id": "eni-069xxxxxb7a490",
+      "log_status": "OK",
+      "packets": 52,
+      "pkt_dst_aws_service": "CLOUDFRONT",
+      "pkt_dstaddr": "10.200.0.80",
+      "pkt_src_aws_service": "AMAZON",
+      "pkt_srcaddr": "89.160.20.156",
+      "protocol": 17,
+      "region": "us-east-1",
+      "srcaddr": "89.160.20.156",
+      "srcport": 50041,
+      "start": "2021-03-26T03:28:12Z",
+      "sublocation_id": "fake-id",
+      "sublocation_type": "wavelength",
+      "subnet_id": "subnet-02d645xxxxxxxdbc0",
+      "tcp_flags": 1,
+      "tcp_flags_array": [
+        "fin"
+      ],
+      "traffic_path": 1,
+      "type": "IPv4",
+      "version": 5,
+      "vpc_id": "vpc-09676f97xxxxxb8a7"
+    }
+  },
+  "cloud": {
+    "account": {
+      "id": "64111117617"
+    },
+    "availability_zone": "use1-az5",
+    "instance": {
+      "id": "i-0axxxxxx1ad77"
+    },
+    "region": "us-east-1"
+  },
+  "destination": {
+    "address": "10.200.0.0",
+    "ip": "10.200.0.0",
+    "port": 33004
+  },
+  "event": {
+    "action": "reject",
+    "end": "2021-03-26T03:29:09Z",
+    "outcome": "failure",
+    "start": "2021-03-26T03:28:12Z",
+    "type": [
+      "connection",
+      "denied"
+    ]
+  },
+  "message": "5 64111117617 eni-069xxxxxb7a490 89.160.20.156 10.200.0.0 50041 33004 17 52 1 1616729292 1616729349 REJECT OK vpc-09676f97xxxxxb8a7 subnet-02d645xxxxxxxdbc0 i-0axxxxxx1ad77 1 IPv4 89.160.20.156 10.200.0.80 us-east-1 use1-az5 wavelength fake-id AMAZON CLOUDFRONT ingress 1",
+  "network": {
+    "bytes": 1,
+    "direction": "ingress",
+    "iana_number": "17",
+    "packets": 52,
+    "transport": "udp",
+    "type": "ipv4"
+  },
+  "related": {
+    "ip": [
+      "89.160.20.156",
+      "10.200.0.0",
+      "10.200.0.80"
+    ]
+  },
+  "source": {
+    "address": "89.160.20.156",
+    "bytes": 1,
+    "ip": "89.160.20.156",
+    "packets": 52,
+    "port": 50041
+  }
+}
+```
+
diff --git a/docs/reference/filebeat/processor-registered-domain.md b/docs/reference/filebeat/processor-registered-domain.md
new file mode 100644
index 000000000000..97bf53789453
--- /dev/null
+++ b/docs/reference/filebeat/processor-registered-domain.md
@@ -0,0 +1,36 @@
+---
+navigation_title: "registered_domain"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/processor-registered-domain.html
+---
+
+# Registered Domain [processor-registered-domain]
+
+
+The `registered_domain` processor reads a field containing a hostname and then writes the "registered domain" contained in the hostname to the target field. For example, given `www.google.co.uk` the processor would output `google.co.uk`. In other words the "registered domain" is the effective top-level domain (`co.uk`) plus one level (`google`). Optionally, it can store the rest of the domain, the `subdomain` into another target field.
+
+This processor uses the Mozilla Public Suffix list to determine the value.
+
+```yaml
+processors:
+  - registered_domain:
+      field: dns.question.name
+      target_field: dns.question.registered_domain
+      target_etld_field: dns.question.top_level_domain
+      target_subdomain_field: dns.question.sudomain
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `registered_domain` processor has the following configuration settings:
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a fully qualified domain name (FQDN). |  |
+| `target_field` | yes |  | Target field for the registered domain value. |  |
+| `target_etld_field` | no |  | Target field for the effective top-level domain value. |  |
+| `target_subdomain_field` | no |  | Target subdomain field for the subdomain value. |  |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |  |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |  |
+| `id` | no |  | An identifier for this processor instance. Useful for debugging. |  |
+
diff --git a/docs/reference/filebeat/processor-script.md b/docs/reference/filebeat/processor-script.md
new file mode 100644
index 000000000000..ba9926231127
--- /dev/null
+++ b/docs/reference/filebeat/processor-script.md
@@ -0,0 +1,118 @@
+---
+navigation_title: "script"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/processor-script.html
+---
+
+# Script Processor [processor-script]
+
+
+The `script` processor executes Javascript code to process an event. The processor uses a pure Go implementation of ECMAScript 5.1 and has no external dependencies. This can be useful in situations where one of the other processors doesn’t provide the functionality you need to filter events.
+
+The processor can be configured by embedding Javascript in your configuration file or by pointing the processor at external file(s).
+
+```yaml
+processors:
+  - script:
+      lang: javascript
+      source: >
+        function process(event) {
+            event.Tag("js");
+        }
+```
+
+This loads `filter.js` from disk.
+
+```yaml
+processors:
+  - script:
+      lang: javascript
+      file: ${path.config}/filter.js
+```
+
+Parameters can be passed to the script by adding `params` to the config. This allows for a script to be made reusable. When using `params` the code must define a `register(params)` function to receive the parameters.
+
+```yaml
+processors:
+  - script:
+      lang: javascript
+      tag: my_filter
+      params:
+        threshold: 15
+      source: >
+        var params = {threshold: 42};
+        function register(scriptParams) {
+            params = scriptParams;
+        }
+        function process(event) {
+            if (event.Get("severity") < params.threshold) {
+                event.Cancel();
+            }
+        }
+```
+
+If the script defines a `test()` function it will be invoked when the processor is loaded. Any exceptions thrown will cause the processor to fail to load. This can be used to make assertions about the behavior of the script.
+
+```javascript
+function process(event) {
+    if (event.Get("event.code") === 1102) {
+        event.Put("event.action", "cleared");
+    }
+    return event;
+}
+
+function test() {
+    var event = process(new Event({event: {code: 1102}}));
+    if (event.Get("event.action") !== "cleared") {
+        throw "expected event.action === cleared";
+    }
+}
+```
+
+
+## Configuration options [_configuration_options_36]
+
+The `script` processor has the following configuration settings:
+
+`lang`
+:   This field is required and its value must be `javascript`.
+
+`tag`
+:   This is an optional identifier that is added to log messages. If defined it enables metrics logging for this instance of the processor. The metrics include the number of exceptions and a histogram of the execution times for the `process` function.
+
+`source`
+:   Inline Javascript source code.
+
+`file`
+:   Path to a script file to load. Relative paths are interpreted as relative to the `path.config` directory. Globs are expanded.
+
+`files`
+:   List of script files to load. The scripts are concatenated together. Relative paths are interpreted as relative to the `path.config` directory. And globs are expanded.
+
+`params`
+:   A dictionary of parameters that are passed to the `register` of the script.
+
+`tag_on_exception`
+:   Tag to add to events in case the Javascript code causes an exception while processing an event. Defaults to `_js_exception`.
+
+`timeout`
+:   This sets an execution timeout for the `process` function. When the `process` function takes longer than the `timeout` period the function is interrupted. You can set this option to prevent a script from running for too long (like preventing an infinite `while` loop). By default there is no timeout.
+
+`max_cached_sessions`
+:   This sets the maximum number of Javascript VM sessions that will be cached to avoid reallocation. The default is `4`.
+
+
+## Event API [_event_api]
+
+The `Event` object passed to the `process` method has the following API.
+
+| Method | Description |
+| --- | --- |
+| `Get(string)` | Get a value from the event (either a scalar or an object). If the key does notexist `null` is returned. If no key is provided then an object containing allfields is returned.<br>**Example**: `var value = event.Get(key);` |
+| `Put(string, value)` | Put a value into the event. If the key was already set then theprevious value is returned. It throws an exception if the key cannot be setbecause one of the intermediate values is not an object.<br>**Example**: `var old = event.Put(key, value);` |
+| `Rename(string, string)` | Rename a key in the event. The target key must not exist. Itreturns true if the source key was successfully renamed to the target key.<br>**Example**: `var success = event.Rename("source", "target");` |
+| `Delete(string)` | Delete a field from the event. It returns true on success.<br>**Example**: `var deleted = event.Delete("user.email");` |
+| `Cancel()` | Flag the event as cancelled which causes the processor to dropevent.<br>**Example**: `event.Cancel(); return;` |
+| `Tag(string)` | Append a tag to the `tags` field if the tag does not alreadyexist. Throws an exception if `tags` exists and is not a string or a list ofstrings.<br>**Example**: `event.Tag("user_event");` |
+| `AppendTo(string, string)` | `AppendTo` is a specialized `Put` method that converts the existing value to anarray and appends the value if it does not already exist. If there is anexisting value that’s not a string or array of strings then an exception isthrown.<br>**Example**: `event.AppendTo("error.message", "invalid file hash");` |
+
diff --git a/docs/reference/filebeat/processor-timestamp.md b/docs/reference/filebeat/processor-timestamp.md
new file mode 100644
index 000000000000..75ddeb0fbe0f
--- /dev/null
+++ b/docs/reference/filebeat/processor-timestamp.md
@@ -0,0 +1,64 @@
+---
+navigation_title: "timestamp"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/processor-timestamp.html
+---
+
+# Timestamp [processor-timestamp]
+
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The `timestamp` processor parses a timestamp from a field. By default the timestamp processor writes the parsed result to the `@timestamp` field. You can specify a different field by setting the `target_field` parameter. The timestamp value is parsed according to the `layouts` parameter. Multiple layouts can be specified and they will be used sequentially to attempt parsing the timestamp field.
+
+::::{note}
+The timestamp layouts used by this processor are different than the formats supported by date processors in Logstash and Elasticsearch Ingest Node.
+::::
+
+
+The `layouts` are described using a reference time that is based on this specific time:
+
+```
+Mon Jan 2 15:04:05 MST 2006
+```
+Since MST is GMT-0700, the reference time is:
+
+```
+01/02 03:04:05PM '06 -0700
+```
+To define your own layout, rewrite the reference time in a format that matches the timestamps you expect to parse. For more layout examples and details see the [Go time package documentation](https://godoc.org/time#pkg-constants).
+
+If a layout does not contain a year then the current year in the specified `timezone` is added to the time value.
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | yes |  | Source field containing the time to be parsed. |  |
+| `target_field` | no | @timestamp | Target field for the parsed time value. The target value is always written as UTC. |  |
+| `layouts` | yes |  | Timestamp layouts that define the expected time value format. In addition layouts, `UNIX` and `UNIX_MS` are accepted. |  |
+| `timezone` | no | UTC | IANA time zone name (e.g. `America/New_York`) or fixed time offset (e.g. `+0200`) to use when parsing times that do not contain a time zone. `Local` may be specified to use the machine’s local time zone. |  |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |  |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |  |
+| `test` | no |  | A list of timestamps that must parse successfully when loading the processor. |  |
+| `id` | no |  | An identifier for this processor instance. Useful for debugging. |  |
+
+Here is an example that parses the `start_time` field and writes the result to the `@timestamp` field then deletes the `start_time` field. When the processor is loaded, it will immediately validate that the two `test` timestamps parse with this configuration.
+
+```yaml
+processors:
+  - timestamp:
+      field: start_time
+      layouts:
+        - '2006-01-02T15:04:05Z'
+        - '2006-01-02T15:04:05.999Z'
+        - '2006-01-02T15:04:05.999-07:00'
+      test:
+        - '2019-06-22T16:33:51Z'
+        - '2019-11-18T04:59:51.123Z'
+        - '2020-08-03T07:10:20.123456+02:00'
+  - drop_fields:
+      fields: [start_time]
+```
+
diff --git a/docs/reference/filebeat/processor-translate-guid.md b/docs/reference/filebeat/processor-translate-guid.md
new file mode 100644
index 000000000000..d2872ac49481
--- /dev/null
+++ b/docs/reference/filebeat/processor-translate-guid.md
@@ -0,0 +1,79 @@
+---
+navigation_title: "translate_ldap_attribute"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/processor-translate-guid.html
+---
+
+# Translate GUID [processor-translate-guid]
+
+
+The `translate_ldap_attribute` processor translates an LDAP attributes between eachother. It is typically used to translate AD Global Unique Identifiers (GUID) into their common names.
+
+Every object on an Active Directory or an LDAP server is issued a GUID. Internal processes refer to their GUID’s rather than the object’s name and these values sometimes appear in logs.
+
+If the search attribute is invalid (malformed) or does not map to any object on the domain then this will result in the processor returning an error unless `ignore_failure` is set.
+
+The result of this operation is an array of values, given that a single attribute can hold multiple values.
+
+Note: the search attribute is expected to map to a single object. If it doesn’t, no error will be returned, but only results of the first entry will be added to the event.
+
+```yaml
+processors:
+  - translate_ldap_attribute:
+      field: winlog.event_data.ObjectGuid
+      ldap_address: "ldap://"
+      ldap_base_dn: "dc=example,dc=com"
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `translate_ldap_attribute` processor has the following configuration settings:
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a GUID. |
+| `target_field` | no |  | Target field for the mapped attribute value. If not set it will be replaced in place. |
+| `ldap_address` | yes |  | LDAP server address. eg: `ldap://ds.example.com:389` |
+| `ldap_base_dn` | yes |  | LDAP base DN. eg: `dc=example,dc=com` |
+| `ldap_bind_user` | no |  | LDAP user. |
+| `ldap_bind_password` | no |  | LDAP password. |
+| `ldap_search_attribute` | yes | `objectGUID` | LDAP attribute to search by. |
+| `ldap_mapped_attribute` | yes | `cn` | LDAP attribute to map to. |
+| `ldap_search_time_limit` | no | 30 | LDAP search time limit in seconds. |
+| `ldap_ssl`* | no | 30 | LDAP TLS/SSL connection settings. |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |
+
+* Also see [SSL](/reference/filebeat/configuration-ssl.md) for a full description of the `ldap_ssl` options.
+
+If the searches are slow or you expect a high amount of different key attributes to be found, consider using a cache processor to speed processing:
+
+```yaml
+processors:
+  - cache:
+      backend:
+        memory:
+          id: ldapguids
+      get:
+        key_field: winlog.event_data.ObjectGuid
+        target_field: winlog.common_name
+      ignore_missing: true
+  - if:
+      not:
+        - has_fields: winlog.common_name
+    then:
+      - translate_ldap_attribute:
+          field: winlog.event_data.ObjectGuid
+          target_field: winlog.common_name
+          ldap_address: "ldap://"
+          ldap_base_dn: "dc=example,dc=com"
+      - cache:
+          backend:
+            memory:
+              id: ldapguids
+            capacity: 10000
+          put:
+            key_field: winlog.event_data.ObjectGuid
+            value_field: winlog.common_name
+```
+
diff --git a/docs/reference/filebeat/processor-translate-sid.md b/docs/reference/filebeat/processor-translate-sid.md
new file mode 100644
index 000000000000..1d507bb75f7c
--- /dev/null
+++ b/docs/reference/filebeat/processor-translate-sid.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "translate_sid"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/processor-translate-sid.html
+---
+
+# Translate SID [processor-translate-sid]
+
+
+The `translate_sid` processor translates a Windows security identifier (SID) into an account name. It retrieves the name of the account associated with the SID, the first domain on which the SID is found, and the type of account. This is only available on Windows.
+
+Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account’s SID rather than the account’s user or group name and these values sometimes appear in logs.
+
+If the SID is invalid (malformed) or does not map to any account on the local system or domain then this will result in the processor returning an error unless `ignore_failure` is set.
+
+```yaml
+processors:
+  - translate_sid:
+      field: winlog.event_data.MemberSid
+      account_name_target: user.name
+      domain_target: user.domain
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `translate_sid` processor has the following configuration settings:
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a Windows security identifier (SID). |
+| `account_name_target` | yes* |  | Target field for the account name value. |
+| `account_type_target` | yes* |  | Target field for the account type value. |
+| `domain_target` | yes* |  | Target field for the domain value. |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |
+
+* At least one of `account_name_target`, `account_type_target`, and `domain_target` is required to be configured.
+
diff --git a/docs/reference/filebeat/publishing-ls-fails-connection-reset-by-peer.md b/docs/reference/filebeat/publishing-ls-fails-connection-reset-by-peer.md
new file mode 100644
index 000000000000..238d9fff0bc8
--- /dev/null
+++ b/docs/reference/filebeat/publishing-ls-fails-connection-reset-by-peer.md
@@ -0,0 +1,18 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/publishing-ls-fails-connection-reset-by-peer.html
+---
+
+# Publishing to Logstash fails with "connection reset by peer" message [publishing-ls-fails-connection-reset-by-peer]
+
+Filebeat requires a persistent TCP connection to {{ls}}. If a firewall interferes with the connection, you might see errors like this:
+
+```shell
+Failed to publish events caused by: write tcp ... write: connection reset by peer
+```
+
+To solve the problem:
+
+* make sure the firewall is not closing connections between Filebeat and {{ls}}, or
+* set the `ttl` value in the [{{ls}} output](/reference/filebeat/logstash-output.md) to a value that’s lower than the maximum time allowed by the firewall, and set `pipelining` to 0 (pipelining cannot be enabled when `ttl` is used).
+
diff --git a/docs/reference/filebeat/rate-limit.md b/docs/reference/filebeat/rate-limit.md
new file mode 100644
index 000000000000..ce088aa63681
--- /dev/null
+++ b/docs/reference/filebeat/rate-limit.md
@@ -0,0 +1,43 @@
+---
+navigation_title: "rate_limit"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/rate-limit.html
+---
+
+# Rate limit the flow of events [rate-limit]
+
+
+The `rate_limit` processor limits the throughput of events based on the specified configuration.
+
+In the current implementation, rate-limited events are dropped. Future implementations may allow rate-limited events to be handled differently.
+
+```yaml
+processors:
+- rate_limit:
+   limit: "10000/m"
+```
+
+```yaml
+processors:
+- rate_limit:
+   fields:
+   - "cloudfoundry.org.name"
+   limit: "400/s"
+```
+
+```yaml
+processors:
+- if.equals.cloudfoundry.org.name: "acme"
+  then:
+  - rate_limit:
+      limit: "500/s"
+```
+
+The following settings are supported:
+
+`limit`
+:   The rate limit. Supported time units for the rate are `s` (per second), `m` (per minute), and `h` (per hour).
+
+`fields`
+:   (Optional) List of fields. The rate limit will be applied to each distinct value derived by combining the values of these fields.
+
diff --git a/docs/reference/filebeat/redis-output.md b/docs/reference/filebeat/redis-output.md
new file mode 100644
index 000000000000..71277ddce277
--- /dev/null
+++ b/docs/reference/filebeat/redis-output.md
@@ -0,0 +1,205 @@
+---
+navigation_title: "Redis"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/redis-output.html
+---
+
+# Configure the Redis output [redis-output]
+
+
+The Redis output inserts the events into a Redis list or a Redis channel. This output plugin is compatible with the [Redis input plugin](logstash://reference/plugins-inputs-redis.md) for Logstash.
+
+To use this output, edit the Filebeat configuration file to disable the {{es}} output by commenting it out, and enable the Redis output by adding `output.redis`.
+
+Example configuration:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  password: "my_password"
+  key: "filebeat"
+  db: 0
+  timeout: 5
+```
+
+## Compatibility [_compatibility_3]
+
+This output is expected to work with all Redis versions between 3.2.4 and 5.0.8. Other versions might work as well, but are not supported.
+
+
+## Configuration options [_configuration_options_28]
+
+You can specify the following `output.redis` options in the `filebeat.yml` config file:
+
+### `enabled` [_enabled_33]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [_hosts_3]
+
+The list of Redis servers to connect to. If load balancing is enabled, the events are distributed to the servers in the list. If one server becomes unreachable, the events are distributed to the reachable servers only. You can define each Redis server by specifying `HOST` or `HOST:PORT`. For example: `"192.15.3.2"` or `"test.redis.io:12345"`. If you don’t specify a port number, the value configured by `port` is used. Configure each Redis server with an `IP:PORT` pair or with a `URL`. For example: `redis://localhost:6379` or `rediss://localhost:6379`. URLs can include a server-specific password. For example: `redis://:password@localhost:6379`. The `redis` scheme will disable the `ssl` settings for the host, while `rediss` will enforce TLS.  If `rediss` is specified and no `ssl` settings are configured, the output uses the system certificate store.
+
+
+### `index` [_index_30]
+
+The index name added to the events metadata for use by Logstash. The default is "filebeat".
+
+
+### `key` [key-option-redis]
+
+The name of the Redis list or channel the events are published to. If not configured, the value of the `index` setting is used.
+
+You can set the key dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.list`, to set the Redis list key. If `fields.list` is missing, `fallback` is used:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  key: "%{[fields.list]:fallback}"
+```
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/filebeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`keys`](#keys-option-redis) setting for other ways to set the key dynamically.
+
+
+### `keys` [keys-option-redis]
+
+An array of key selector rules. Each rule specifies the `key` to use for events that match the rule. During publishing, Filebeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `keys` setting is missing or no rule matches, the [`key`](#key-option-redis) setting is used.
+
+Rule settings:
+
+**`index`**
+:   The key format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `key` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/filebeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+Example `keys` settings:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  key: "default_list"
+  keys:
+    - key: "info_list"   # send to info_list if `message` field contains INFO
+      when.contains:
+        message: "INFO"
+    - key: "debug_list"  # send to debug_list if `message` field contains DEBUG
+      when.contains:
+        message: "DEBUG"
+    - key: "%{[fields.list]}"
+      mappings:
+        http: "frontend_list"
+        nginx: "frontend_list"
+        mysql: "backend_list"
+```
+
+
+### `password` [_password_5]
+
+The password to authenticate with. The default is no authentication.
+
+
+### `db` [_db]
+
+The Redis database number where the events are published. The default is 0.
+
+
+### `datatype` [_datatype]
+
+The Redis data type to use for publishing events.If the data type is `list`, the Redis RPUSH command is used and all events are added to the list with the key defined under `key`. If the data type `channel` is used, the Redis `PUBLISH` command is used and means that all events are pushed to the pub/sub mechanism of Redis. The name of the channel is the one defined under `key`. The default value is `list`.
+
+
+### `codec` [_codec_2]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/filebeat/configuration-output-codec.md) for more information.
+
+
+### `worker` or `workers` [_worker_or_workers_2]
+
+The number of workers to use for each host configured to publish events to Redis. Use this setting along with the `loadbalance` option. For example, if you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+
+### `loadbalance` [_loadbalance_2]
+
+When `loadbalance: true` is set, Filebeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Filebeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Filebeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Filebeat can connect to at least one of its configured hosts.
+
+The default value is `true`.
+
+
+### `timeout` [_timeout_5]
+
+The Redis connection timeout in seconds. The default is 5 seconds.
+
+
+### `backoff.init` [_backoff_init_4]
+
+The number of seconds to wait before trying to reconnect to Redis after a network error. After waiting `backoff.init` seconds, Filebeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_4]
+
+The maximum number of seconds to wait before attempting to connect to Redis after a network error. The default is 60s.
+
+
+### `max_retries` [_max_retries_4]
+
+Filebeat ignores the `max_retries` setting and retries indefinitely.
+
+
+### `bulk_max_size` [_bulk_max_size_3]
+
+The maximum number of events to bulk in a single Redis request or pipeline. The default is 2048.
+
+Events can be collected into batches. Filebeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `ssl` [_ssl_7]
+
+Configuration options for SSL parameters like the root CA for Redis connections guarded by SSL proxies (for example [stunnel](https://www.stunnel.org)). See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+
+
+### `proxy_url` [_proxy_url_4]
+
+The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The value must be a URL with a scheme of `socks5://`. You cannot use a web proxy because the protocol used to communicate with Redis is not based on HTTP.
+
+If the SOCKS5 proxy server requires client authentication, you can embed a username and password in the URL.
+
+When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the [`proxy_use_local_resolver`](#redis-proxy-use-local-resolver) option.
+
+
+### `proxy_use_local_resolver` [redis-proxy-use-local-resolver]
+
+This option determines whether Redis hostnames are resolved locally when using a proxy. The default value is false, which means that name resolution occurs on the proxy server.
+
+
+### `queue` [_queue_4]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/filebeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `filebeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/filebeat/reduce-registry-size.md b/docs/reference/filebeat/reduce-registry-size.md
new file mode 100644
index 000000000000..379cb4ca4fab
--- /dev/null
+++ b/docs/reference/filebeat/reduce-registry-size.md
@@ -0,0 +1,11 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/reduce-registry-size.html
+---
+
+# Registry file is too large [reduce-registry-size]
+
+Filebeat keeps the state of each file and persists the state to disk in the registry file. The file state is used to continue file reading at a previous position when Filebeat is restarted. If a large number of new files are produced every day, the registry file might grow to be too large. To reduce the size of the registry file, there are two configuration options available: [`clean_removed`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-clean-removed) and [`clean_inactive`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-clean-inactive).
+
+For old files that you no longer touch and are ignored (see [`ignore_older`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-ignore-older)), we recommended that you use `clean_inactive`. If old files get removed from disk, then use the `clean_removed` option.
+
diff --git a/docs/reference/filebeat/regexp-support.md b/docs/reference/filebeat/regexp-support.md
new file mode 100644
index 000000000000..3bd0fe8ac91f
--- /dev/null
+++ b/docs/reference/filebeat/regexp-support.md
@@ -0,0 +1,113 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/regexp-support.html
+---
+
+# Regular expression support [regexp-support]
+
+Filebeat regular expression support is based on [RE2](https://godoc.org/regexp/syntax).
+
+Filebeat has several configuration options that accept regular expressions. For example, `multiline.pattern`, `include_lines`, `exclude_lines`, and `exclude_files` all accept regular expressions. Some options, however, such as the input `paths` option, accept only glob-based paths.
+
+Before using a regular expression in the config file, refer to the documentation to verify that the option you are setting accepts a regular expression.
+
+::::{note}
+We recommend that you wrap regular expressions in single quotation marks to work around YAML’s string escaping rules. For example, `'^\[?[0-9][0-9]:?[0-9][0-9]|^[[:graph:]]+'`.
+::::
+
+
+For more examples of supported regexp patterns, see [Managing Multiline Messages](/reference/filebeat/multiline-examples.md). Although the examples pertain to Filebeat, the regexp patterns are applicable to other use cases.
+
+The following patterns are supported:
+
+* [Single Characters](#single-characters)
+* [Composites](#composites)
+* [Repetitions](#repetitions)
+* [Groupings](#grouping)
+* [Empty Strings](#empty-strings)
+* [Escape Sequences](#escape-sequences)
+* [ASCII Character Classes](#ascii-character-classes)
+* [Perl Character Classes](#perl-character-classes)
+
+| Pattern | Description |
+| --- | --- |
+| $$$single-characters$$$**Single Characters** |  |
+| `x` | single character |
+| `.` | any character |
+| `[xyz]` | character class |
+| `[^xyz]` | negated character class |
+| `[[:alpha:]]` | ASCII character class |
+| `[[:^alpha:]]` | negated ASCII character class |
+| `\d` | Perl character class |
+| `\D` | negated Perl character class |
+| `\pN` | Unicode character class (one-letter name) |
+| `\p{{Greek}}` | Unicode character class |
+| `\PN` | negated Unicode character class (one-letter name) |
+| `\P{{Greek}}` | negated Unicode character class |
+| $$$composites$$$**Composites** |  |
+| `xy` | `x` followed by `y` |
+| `x&#124;y` | `x` or `y` (prefer `x`) |
+| $$$repetitions$$$**Repetitions** |  |
+| `x*` | zero or more `x` |
+| `x+` | one or more `x` |
+| `x?` | zero or one `x` |
+| `x{n,m}` | `n` or `n+1` or …​ or `m` `x`, prefer more |
+| `x{n,}` | `n` or more `x`, prefer more |
+| `x{{n}}` | exactly `n` `x` |
+| `x*?` | zero or more `x`, prefer fewer |
+| `x+?` | one or more `x`, prefer fewer |
+| `x??` | zero or one `x`, prefer zero |
+| `x{n,m}?` | `n` or `n+1` or …​ or `m` `x`, prefer fewer |
+| `x{n,}?` | `n` or more `x`, prefer fewer |
+| `x{{n}}?` | exactly `n` `x` |
+| $$$grouping$$$**Grouping** |  |
+| `(re)` | numbered capturing group (submatch) |
+| `(?P<name>re)` | named & numbered capturing group (submatch) |
+| `(?:re)` | non-capturing group |
+| `(?i)abc` | set flags within current group, non-capturing |
+| `(?i:re)` | set flags during re, non-capturing |
+| `(?i)PaTTeRN` | case-insensitive (default false) |
+| `(?m)multiline` | multi-line mode: `^` and `$` match begin/end line in addition to begin/end text (default false) |
+| `(?s)pattern.` | let `.` match `\n` (default false) |
+| `(?U)x*abc` | ungreedy: swap meaning of `x*` and `x*?`, `x+` and `x+?`, etc (default false) |
+| $$$empty-strings$$$**Empty Strings** |  |
+| `^` | at beginning of text or line (`m`=true) |
+| `$` | at end of text (like `\z` not `\Z`) or line (`m`=true) |
+| `\A` | at beginning of text |
+| `\b` | at ASCII word boundary (`\w` on one side and `\W`, `\A`, or `\z` on the other) |
+| `\B` | not at ASCII word boundary |
+| `\z` | at end of text |
+| $$$escape-sequences$$$**Escape Sequences** |  |
+| `\a` | bell (same as `\007`) |
+| `\f` | form feed (same as `\014`) |
+| `\t` | horizontal tab (same as `\011`) |
+| `\n` | newline (same as `\012`) |
+| `\r` | carriage return (same as `\015`) |
+| `\v` | vertical tab character (same as `\013`) |
+| `\*` | literal `*`, for any punctuation character `*` |
+| `\123` | octal character code (up to three digits) |
+| `\x7F` | two-digit hex character code |
+| `\x{{10FFFF}}` | hex character code |
+| `\Q...\E` | literal text `...` even if `...` has punctuation |
+| $$$ascii-character-classes$$$**ASCII Character Classes** |  |
+| `[[:alnum:]]` | alphanumeric (same as `[0-9A-Za-z]`) |
+| `[[:alpha:]]` | alphabetic (same as `[A-Za-z]`) |
+| `[[:ascii:]]` | ASCII (same as `\x00-\x7F]`) |
+| `[[:blank:]]` | blank (same as `[\t ]`) |
+| `[[:cntrl:]]` | control (same as `[\x00-\x1F\x7F]`) |
+| `[[:digit:]]` | digits (same as `[0-9]`) |
+| `[[:graph:]]` | graphical (same as ```[!-~] == [A-Za-z0-9!"#$%&'()*+,\-./:;<=>?@[\\\]^_` ``` ```{&#124;}~]```) |
+| `[[:lower:]]` | lower case (same as `[a-z]`) |
+| `[[:print:]]` | printable (same as `[ -~] == [ [:graph:]]`) |
+| `[[:punct:]]` | punctuation (same as ```[!-/:-@[-`{-~]```) |
+| `[[:space:]]` | whitespace (same as `[\t\n\v\f\r ]`) |
+| `[[:upper:]]` | upper case (same as `[A-Z]`) |
+| `[[:word:]]` | word characters (same as `[0-9A-Za-z_]`) |
+| `[[:xdigit:]]` | hex digit (same as `[0-9A-Fa-f]`) |
+| $$$perl-character-classes$$$**Supported Perl Character Classes** |  |
+| `\d` | digits (same as `[0-9]`) |
+| `\D` | not digits (same as `[^0-9]`) |
+| `\s` | whitespace (same as `[\t\n\f\r ]`) |
+| `\S` | not whitespace (same as `[^\t\n\f\r ]`) |
+| `\w` | word characters (same as `[0-9A-Za-z_]`) |
+| `\W` | not word characters (same as `[^0-9A-Za-z_]`) |
diff --git a/docs/reference/filebeat/rename-fields.md b/docs/reference/filebeat/rename-fields.md
new file mode 100644
index 000000000000..1379590806a2
--- /dev/null
+++ b/docs/reference/filebeat/rename-fields.md
@@ -0,0 +1,43 @@
+---
+navigation_title: "rename"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/rename-fields.html
+---
+
+# Rename fields from events [rename-fields]
+
+
+The `rename` processor specifies a list of fields to rename. Under the `fields` key, each entry contains a `from: old-key` and a `to: new-key` pair, where:
+
+* `from` is the original field name. It’s supported to use `@metadata.` prefix for `from` and rename keys in the event metadata instead of event fields.
+* `to` is the target field name
+
+The `rename` processor cannot be used to overwrite fields. To overwrite fields either first rename the target field, or use the `drop_fields` processor to drop the field and then rename the field.
+
+::::{tip}
+You can rename fields to resolve field name conflicts. For example, if an event has two fields, `c` and `c.b` (where `b` is a subfield of `c`), assigning scalar values results in an {{es}} error at ingest time. The assignment `{"c": 1, "c.b": 2}` would result in an error because `c` is an object and cannot be assigned a scalar value. To prevent this conflict, rename `c` to `c.value` before assigning values.
+::::
+
+
+```yaml
+processors:
+  - rename:
+      fields:
+        - from: "a.g"
+          to: "e.d"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+The `rename` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be renamed is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the renaming of fields is stopped and the original event is returned. If set to false, renaming continues also if an error happened during renaming. Default is `true`.
+
+See [Conditions](/reference/filebeat/defining-processors.md#conditions) for a list of supported conditions.
+
+You can specify multiple `rename` processors under the `processors` section.
+
diff --git a/docs/reference/filebeat/replace-fields.md b/docs/reference/filebeat/replace-fields.md
new file mode 100644
index 000000000000..4ade3f284b24
--- /dev/null
+++ b/docs/reference/filebeat/replace-fields.md
@@ -0,0 +1,44 @@
+---
+navigation_title: "replace"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/replace-fields.html
+---
+
+# Replace fields from events [replace-fields]
+
+
+The `replace` processor takes a list of fields to search for a matching value and replaces the matching value with a specified string.
+
+The `replace` processor cannot be used to create a completely new value.
+
+::::{tip}
+You can use this processor to truncate a field value or replace it with a new string value. You can also use this processor to mask PII information.
+::::
+
+
+
+## Example [_example]
+
+The following example changes the path from `/usr/bin` to `/usr/local/bin`:
+
+```yaml
+  - replace:
+      fields:
+        - field: "file.path"
+          pattern: "/usr/"
+          replacement: "/usr/local/"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+
+## Configuration settings [_configuration_settings]
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `fields` | Yes |  | List of one or more items. Each item contains a `field: field-name`, `pattern: regex-pattern`, and `replacement: replacement-string`, where:<br><br>* `field` is the original field name. You can use the `@metadata.` prefix in this field to replace values in the event metadata instead of event fields.<br>* `pattern` is the regex pattern to match the field’s value<br>* `replacement` is the replacement string to use to update the field’s value<br> |
+| `ignore_missing` | No | `false` | Whether to ignore missing fields. If `true`, no error is logged if the specified field is missing. |
+| `fail_on_error` | No | `true` | Whether to fail replacement of field values if an error occurs.If `true` and there’s an error, the replacement of field values is stopped, and the original event is returned.If `false`, replacement continues even if an error occurs during replacement. |
+
+See [Conditions](/reference/filebeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/filebeat/running-on-cloudfoundry.md b/docs/reference/filebeat/running-on-cloudfoundry.md
new file mode 100644
index 000000000000..1d5c28b99686
--- /dev/null
+++ b/docs/reference/filebeat/running-on-cloudfoundry.md
@@ -0,0 +1,99 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/running-on-cloudfoundry.html
+---
+
+# Run Filebeat on Cloud Foundry [running-on-cloudfoundry]
+
+You can use Filebeat on Cloud Foundry to retrieve and ship logs.
+
+However, version 9.0.0-beta1 of Filebeat has not yet been released, no build is currently available for this version.
+
+## Create Cloud Foundry credentials [_create_cloud_foundry_credentials]
+
+To connect to loggregator and receive the logs, Filebeat requires credentials created with UAA. The `uaac` command creates the required credentials for connecting to loggregator.
+
+```sh
+uaac client add filebeat --name filebeat --secret changeme --authorized_grant_types client_credentials,refresh_token --authorities doppler.firehose,cloud_controller.admin_read_only
+```
+
+::::{warning}
+**Use a unique secret:** The `uaac` command shown here is an example. Remember to replace `changeme` with your secret, and update the `filebeat.yml` file to use your chosen secret.
+
+::::
+
+
+
+## Download Cloud Foundry deploy manifests [_download_cloud_foundry_deploy_manifests]
+
+You deploy Filebeat as an application with no route.
+
+Cloud Foundry requires that 3 files exist inside of a directory to allow Filebeat to be pushed. The commands below provide the basic steps for getting it up and running.
+
+```sh
+curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-9.0.0-beta1-linux-x86_64.tar.gz
+tar xzvf filebeat-9.0.0-beta1-linux-x86_64.tar.gz
+cd filebeat-9.0.0-beta1-linux-x86_64
+curl -L -O https://raw.githubusercontent.com/elastic/beats/master/deploy/cloudfoundry/filebeat/filebeat.yml
+curl -L -O https://raw.githubusercontent.com/elastic/beats/master/deploy/cloudfoundry/filebeat/manifest.yml
+```
+
+You need to modify the `filebeat.yml` file to set the `api_address`, `client_id` and `client_secret`.
+
+
+## Load {{kib}} dashboards [_load_kib_dashboards_2]
+
+Filebeat comes packaged with various pre-built {{kib}} dashboards that you can use to visualize data in {{kib}}.
+
+If these dashboards are not already loaded into {{kib}}, you must run the Filebeat `setup` command. To learn how, see [Load {{kib}} dashboards](/reference/filebeat/load-kibana-dashboards.md).
+
+The `setup` command does not load the ingest pipelines used to parse log lines. By default, ingest pipelines are set up automatically the first time you run Filebeat and connect to {{es}}.
+
+::::{important}
+If you are using a different output other than {{es}}, such as {{ls}}, you need to:
+
+* [Load the index template manually](/reference/filebeat/filebeat-template.md#load-template-manually)
+* [*Load {{kib}} dashboards*](/reference/filebeat/load-kibana-dashboards.md)
+* [*Load ingest pipelines*](/reference/filebeat/load-ingest-pipelines.md)
+
+::::
+
+
+
+## Deploy Filebeat [_deploy_filebeat]
+
+To deploy Filebeat to Cloud Foundry, run:
+
+```sh
+cf push
+```
+
+To check the status, run:
+
+```sh
+$ cf apps
+
+name       requested state   instances   memory   disk   urls
+filebeat   started           1/1         512M     1G
+```
+
+Log events should start flowing to Elasticsearch. The events are annotated with metadata added by the [add_cloudfoundry_metadata](/reference/filebeat/add-cloudfoundry-metadata.md) processor.
+
+
+## Scale Filebeat [_scale_filebeat]
+
+A single instance of Filebeat can ship more than a hundred thousand events per minute. If your Cloud Foundry deployment is producing more events than Filebeat can collect and ship, the Firehose will start dropping events, and it will mark Filebeat as a slow consumer. If the problems persist, Filebeat may be disconnected from the Firehose. In such cases, you will need to scale Filebeat to avoid losing events.
+
+The main settings you need to take into account are:
+
+* The `shard_id` specified in the [`cloudfoundry` input configuration](/reference/filebeat/filebeat-input-cloudfoundry.md). The Firehose will divide the events amongst all the Filebeat instances with the same value for this setting. All the instances with the same `shard_id` should have the same configuration.
+* Number of Filebeat instances. When Filebeat is deployed as a Cloud Foundry application, it can be scaled up and down like any other application, with `cf scale` or by specifying the number of instances in the manifest.
+* [Output configuration](/reference/filebeat/configuring-output.md). In some cases, you can fine-tune the output configuration to improve the events throughput. Some outputs support multiple workers. The number of workers can be changed to take better advantage of the available resources.
+
+Some basic recommendations to adjust these settings when Filebeat is not able to collect all events:
+
+* If Filebeat is hitting its CPU limits, you will need to increase the number of Filebeat instances deployed with the same `shard_id`.
+* If Filebeat has some spare CPU, there may be some backpressure from the output. Try to increase the number of workers in the output. If this doesn’t help, the bottleneck may be in the network or in the service receiving the events sent by Filebeat.
+* If you need to modify the memory limit of Filebeat, remember that CPU shares assigned to Cloud Foundry applications depend on the configured memory limit. You may need to check the other recommendations after that.
+
+
diff --git a/docs/reference/filebeat/running-on-docker.md b/docs/reference/filebeat/running-on-docker.md
new file mode 100644
index 000000000000..2158c95f8609
--- /dev/null
+++ b/docs/reference/filebeat/running-on-docker.md
@@ -0,0 +1,164 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html
+---
+
+# Run Filebeat on Docker [running-on-docker]
+
+Docker images for Filebeat are available from the Elastic Docker registry. The base image is [centos:7](https://hub.docker.com/_/centos/).
+
+A list of all published Docker images and tags is available at [www.docker.elastic.co](https://www.docker.elastic.co).
+
+These images are free to use under the Elastic license. They contain open source and free commercial features and access to paid commercial features. [Start a 30-day trial](docs-content://deploy-manage/license/manage-your-license-in-self-managed-cluster.md) to try out all of the paid commercial features. See the [Subscriptions](https://www.elastic.co/subscriptions) page for information about Elastic license levels.
+
+## Pull the image [_pull_the_image]
+
+Obtaining Filebeat for Docker is as simple as issuing a `docker pull` command against the Elastic Docker registry.
+
+::::{warning}
+Version 9.0.0-beta1 of Filebeat has not yet been released. No Docker image is currently available for Filebeat 9.0.0-beta1.
+::::
+
+
+```sh
+docker pull docker.elastic.co/beats/filebeat:9.0.0-beta1
+```
+
+Alternatively, you can download other Docker images that contain only features available under the Apache 2.0 license. To download the images, go to [www.docker.elastic.co](https://www.docker.elastic.co).
+
+As another option, you can use the hardened [Wolfi](https://wolfi.dev/) image. Using Wolfi images requires Docker version 20.10.10 or higher. For details about why the Wolfi images have been introduced, refer to our article [Reducing CVEs in Elastic container images](https://www.elastic.co/blog/reducing-cves-in-elastic-container-images).
+
+```bash
+docker pull docker.elastic.co/beats/filebeat-wolfi:9.0.0-beta1
+```
+
+
+## Optional: Verify the image [_optional_verify_the_image]
+
+You can use the [Cosign application](https://docs.sigstore.dev/cosign/installation/) to verify the Filebeat Docker image signature.
+
+::::{warning}
+Version 9.0.0-beta1 of Filebeat has not yet been released. No Docker image is currently available for Filebeat 9.0.0-beta1.
+::::
+
+
+```sh
+wget https://artifacts.elastic.co/cosign.pub
+cosign verify --key cosign.pub docker.elastic.co/beats/filebeat:9.0.0-beta1
+```
+
+The `cosign` command prints the check results and the signature payload in JSON format:
+
+```sh
+Verification for docker.elastic.co/beats/filebeat:9.0.0-beta1 --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The signatures were verified against the specified public key
+```
+
+
+## Run the Filebeat setup [_run_the_filebeat_setup]
+
+::::{important}
+A [known issue](https://github.com/elastic/beats/issues/42038) in version 8.17.0 prevents {{beats}} Docker images from starting when no options are provided. When running an image on that version, add an `--environment container` parameter to avoid the problem. This is planned to be addressed in issue [#42060](https://github.com/elastic/beats/pull/42060).
+::::
+
+
+Running Filebeat with the setup command will create the index pattern and load visualizations , dashboards, and machine learning jobs.  Run this command:
+
+```sh
+docker run --rm \
+docker.elastic.co/beats/filebeat:9.0.0-beta1 \
+setup -E setup.kibana.host=kibana:5601 \
+-E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
+```
+
+1. Substitute your Kibana and Elasticsearch hosts and ports.
+2. If you are using the hosted {{ess}} in {{ecloud}}, replace the `-E output.elasticsearch.hosts` line with the Cloud ID and elastic password using this syntax:
+
+
+```shell
+-E cloud.id=<Cloud ID from Elasticsearch Service> \
+-E cloud.auth=elastic:<elastic password>
+```
+
+
+## Run Filebeat on a read-only file system [_run_filebeat_on_a_read_only_file_system]
+
+If you’d like to run Filebeat in a Docker container on a read-only file system, you can do so by specifying the `--read-only` option. Filebeat requires a stateful directory to store application data, so with the `--read-only` option you also need to use the `--mount` option to specify a path to where that data can be stored.
+
+For example:
+
+```sh
+docker run --rm \
+  --mount type=bind,source=$(pwd)/data,destination=/usr/share/filebeat/data \
+  --read-only \
+  docker.elastic.co/beats/filebeat:9.0.0-beta1
+```
+
+
+## Configure Filebeat on Docker [_configure_filebeat_on_docker]
+
+The Docker image provides several methods for configuring Filebeat. The conventional approach is to provide a configuration file via a volume mount, but it’s also possible to create a custom image with your configuration included.
+
+### Example configuration file [_example_configuration_file]
+
+Download this example configuration file as a starting point:
+
+```sh
+curl -L -O https://raw.githubusercontent.com/elastic/beats/master/deploy/docker/filebeat.docker.yml
+```
+
+
+### Volume-mounted configuration [_volume_mounted_configuration]
+
+One way to configure Filebeat on Docker is to provide `filebeat.docker.yml` via a volume mount. With `docker run`, the volume mount can be specified like this.
+
+```sh
+docker run -d \
+  --name=filebeat \
+  --user=root \
+  --volume="$(pwd)/filebeat.docker.yml:/usr/share/filebeat/filebeat.yml:ro" \
+  --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \
+  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
+  --volume="registry:/usr/share/filebeat/data:rw" \
+  docker.elastic.co/beats/filebeat:9.0.0-beta1 filebeat -e --strict.perms=false \
+  -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
+```
+
+1. Substitute your Elasticsearch hosts and ports.
+2. If you are using the hosted {{ess}} in {{ecloud}}, replace the `-E output.elasticsearch.hosts` line with the Cloud ID and elastic password using the syntax shown earlier.
+
+
+
+### Customize your configuration [_customize_your_configuration]
+
+The `filebeat.docker.yml` file you downloaded earlier is configured to deploy Beats modules based on the Docker labels applied to your containers.  See [Hints based autodiscover](/reference/filebeat/configuration-autodiscover-hints.md) for more details. Add labels to your application Docker containers, and they will be picked up by the Beats autodiscover feature when they are deployed.  Here is an example command for an Apache HTTP Server container with labels to configure the Filebeat and Metricbeat modules for the Apache HTTP Server:
+
+```sh
+docker run \
+  --label co.elastic.logs/module=apache2 \
+  --label co.elastic.logs/fileset.stdout=access \
+  --label co.elastic.logs/fileset.stderr=error \
+  --label co.elastic.metrics/module=apache \
+  --label co.elastic.metrics/metricsets=status \
+  --label co.elastic.metrics/hosts='${data.host}:${data.port}' \
+  --detach=true \
+  --name my-apache-app \
+  -p 8080:80 \
+  httpd:2.4
+```
+
+
+### Custom image configuration [_custom_image_configuration]
+
+It’s possible to embed your Filebeat configuration in a custom image. Here is an example Dockerfile to achieve this:
+
+```dockerfile
+FROM docker.elastic.co/beats/filebeat:9.0.0-beta1
+COPY --chown=root:filebeat filebeat.yml /usr/share/filebeat/filebeat.yml
+```
+
+
+
diff --git a/docs/reference/filebeat/running-on-kubernetes.md b/docs/reference/filebeat/running-on-kubernetes.md
new file mode 100644
index 000000000000..1db49554009b
--- /dev/null
+++ b/docs/reference/filebeat/running-on-kubernetes.md
@@ -0,0 +1,236 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html
+---
+
+# Run Filebeat on Kubernetes [running-on-kubernetes]
+
+You can use Filebeat [Docker images](/reference/filebeat/running-on-docker.md) on Kubernetes to retrieve and ship container logs.
+
+::::{tip}
+Running {{ecloud}} on Kubernetes? See [Run {{beats}} on ECK](docs-content://deploy-manage/deploy/cloud-on-k8s/beats.md).
+::::
+
+
+However, version 9.0.0-beta1 of Filebeat has not yet been released, so no Docker image is currently available for this version.
+
+
+## Kubernetes deploy manifests [_kubernetes_deploy_manifests]
+
+You deploy Filebeat as a [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) to ensure there’s a running instance on each node of the cluster.
+
+The container logs host folder (`/var/log/containers`) is mounted on the Filebeat container. Filebeat starts an input for the files and begins harvesting them as soon as they appear in the folder.
+
+Everything is deployed under the `kube-system` namespace by default. To change the namespace, modify the manifest file.
+
+To download the manifest file, run:
+
+```sh
+curl -L -O https://raw.githubusercontent.com/elastic/beats/master/deploy/kubernetes/filebeat-kubernetes.yaml
+```
+
+::::{warning}
+**If you are using Kubernetes 1.7 or earlier:** Filebeat uses a hostPath volume to persist internal data. It’s located under `/var/lib/filebeat-data`. The manifest uses folder autocreation (`DirectoryOrCreate`), which was introduced in Kubernetes 1.8. You need to remove `type: DirectoryOrCreate` from the manifest and create the host folder yourself.
+
+::::
+
+
+
+## Settings [_settings]
+
+By default, Filebeat sends events to an existing Elasticsearch deployment, if present. To specify a different destination, change the following parameters in the manifest file:
+
+```yaml
+- name: ELASTICSEARCH_HOST
+  value: elasticsearch
+- name: ELASTICSEARCH_PORT
+  value: "9200"
+- name: ELASTICSEARCH_USERNAME
+  value: elastic
+- name: ELASTICSEARCH_PASSWORD
+  value: changeme
+```
+
+
+### Running Filebeat on control plane nodes [_running_filebeat_on_control_plane_nodes]
+
+Kubernetes control plane nodes can use [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) to limit the workloads that can run on them. To run Filebeat on control plane nodes you may need to update the Daemonset spec to include proper tolerations:
+
+```yaml
+spec:
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+   effect: NoSchedule
+```
+
+
+### Red Hat OpenShift configuration [_red_hat_openshift_configuration]
+
+If you are using Red Hat OpenShift, you need to specify additional settings in the manifest file and enable the container to run as privileged. Filebeat needs to run as a privileged container to mount logs written on the node (hostPath) and read them.
+
+1. Modify the `DaemonSet` container spec in the manifest file:
+
+    ```yaml
+      securityContext:
+        runAsUser: 0
+        privileged: true
+    ```
+
+2. Grant the `filebeat` service account access to the privileged SCC:
+
+    ```shell
+    oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:filebeat
+    ```
+
+    This command enables the container to be privileged as an administrator for OpenShift.
+
+3. Override the default node selector for the `kube-system` namespace (or your custom namespace) to allow for scheduling on any node:
+
+    ```shell
+    oc patch namespace kube-system -p \
+    '{"metadata": {"annotations": {"openshift.io/node-selector": ""}}}'
+    ```
+
+    This command sets the node selector for the project to an empty string. If you don’t run this command, the default node selector will skip control plane nodes.
+
+
+In order to support runtime environments with Openshift (eg. CRI-O, containerd) you need to configure following path:
+
+```yaml
+filebeat.inputs:
+- type: container
+  paths: <1>
+    - '/var/log/containers/*.log'
+```
+
+1. Same path needs to be configured in case autodiscovery needs to be enabled:
+
+```yaml
+filebeat.autodiscover:
+  providers:
+    - type: kubernetes
+      node: ${NODE_NAME}
+      hints.enabled: true
+      hints.default_config:
+        type: container
+        paths:
+          - /var/log/containers/*.log
+```
+
+::::{note}
+`/var/log/containers/\*.log` is normally a symlink to `/var/log/pods/*/*.log`, so above paths can be edited accordingly
+::::
+
+
+
+## Load {{kib}} dashboards [_load_kib_dashboards]
+
+Filebeat comes packaged with various pre-built {{kib}} dashboards that you can use to visualize logs from your Kubernetes environment.
+
+If these dashboards are not already loaded into {{kib}}, you must [install Filebeat](/reference/filebeat/filebeat-installation-configuration.md) on any system that can connect to the {{stack}}, and then run the `setup` command to load the dashboards. To learn how, see [Load {{kib}} dashboards](/reference/filebeat/load-kibana-dashboards.md).
+
+The `setup` command does not load the ingest pipelines used to parse log lines. By default, ingest pipelines are set up automatically the first time you run Filebeat and connect to {{es}}.
+
+::::{important}
+If you are using a different output other than {{es}}, such as {{ls}}, you need to:
+
+* [Load the index template manually](/reference/filebeat/filebeat-template.md#load-template-manually)
+* [*Load {{kib}} dashboards*](/reference/filebeat/load-kibana-dashboards.md)
+* [*Load ingest pipelines*](/reference/filebeat/load-ingest-pipelines.md)
+
+::::
+
+
+
+## Deploy [_deploy]
+
+To deploy Filebeat to Kubernetes, run:
+
+```sh
+kubectl create -f filebeat-kubernetes.yaml
+```
+
+To check the status, run:
+
+```sh
+$ kubectl --namespace=kube-system get ds/filebeat
+
+NAME       DESIRED   CURRENT   READY     UP-TO-DATE   AVAILABLE   NODE-SELECTOR   AGE
+filebeat   32        32        0         32           0           <none>          1m
+```
+
+Log events should start flowing to Elasticsearch. The events are annotated with metadata added by the [add_kubernetes_metadata](/reference/filebeat/add-kubernetes-metadata.md) processor.
+
+
+## Parsing json logs [_parsing_json_logs]
+
+It is common case when collecting logs from workloads running on Kubernetes that these applications are logging in json format. In these case, special handling can be applied so as to parse these json logs properly and decode them into fields. Bellow there are provided 2 different ways of configuring [filebeat’s autodiscover](/reference/filebeat/configuration-autodiscover.md) so as to identify and parse json logs. We will use an example of one Pod with 2 containers where only one of these logs in json format.
+
+Example log:
+
+```
+{"type":"log","@timestamp":"2020-11-16T14:30:13+00:00","tags":["warning","plugins","licensing"],"pid":7,"message":"License information could not be obtained from Elasticsearch due to Error: No Living connections error"}
+```
+
+1. Using `json.*` options with templates
+
+    ```yaml
+    filebeat.autodiscover:
+      providers:
+          - type: kubernetes
+            node: ${NODE_NAME}
+            templates:
+              - condition:
+                  contains:
+                    kubernetes.container.name: "no-json-logging"
+                config:
+                  - type: container
+                    paths:
+                      - "/var/log/containers/*-${data.kubernetes.container.id}.log"
+              - condition:
+                  contains:
+                    kubernetes.container.name: "json-logging"
+                config:
+                  - type: container
+                    paths:
+                      - "/var/log/containers/*-${data.kubernetes.container.id}.log"
+                    json.keys_under_root: true
+                    json.add_error_key: true
+                    json.message_key: message
+    ```
+
+2. Using `json.*` options with hints
+
+    Key part here is to properly annotate the Pod to only parse logs of the correct container as json logs. In this, annotation should be constructed like this:
+
+    `co.elastic.logs.<container_name>/json.keys_under_root: "true"`
+
+    Autodiscovery configuration:
+
+    ```yaml
+    filebeat.autodiscover:
+      providers:
+        - type: kubernetes
+          node: ${NODE_NAME}
+          hints.enabled: true
+          hints.default_config:
+            type: container
+            paths:
+              - /var/log/containers/*${data.kubernetes.container.id}.log
+    ```
+
+    Then annotate the pod properly:
+
+    ```yaml
+    annotations:
+        co.elastic.logs.json-logging/json.keys_under_root: "true"
+        co.elastic.logs.json-logging/json.add_error_key: "true"
+        co.elastic.logs.json-logging/json.message_key: "message"
+    ```
+
+
+
+## Logrotation [_logrotation]
+
+According to [kubernetes documentation](https://kubernetes.io/docs/concepts/cluster-administration/logging/#logging-at-the-node-level) *Kubernetes is not responsible for rotating logs, but rather a deployment tool should set up a solution to address that*. Different logrotation strategies can cause issues that might make Filebeat losing events or even duplicating events. Users can find more information about Filebeat’s logrotation best practises at Filebeat’s [log rotation specific documentation](/reference/filebeat/file-log-rotation.md)
+
diff --git a/docs/reference/filebeat/running-with-systemd.md b/docs/reference/filebeat/running-with-systemd.md
new file mode 100644
index 000000000000..1402e0aada7b
--- /dev/null
+++ b/docs/reference/filebeat/running-with-systemd.md
@@ -0,0 +1,86 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/running-with-systemd.html
+---
+
+# Filebeat and systemd [running-with-systemd]
+
+The DEB and RPM packages include a service unit for Linux systems with systemd. On these systems, you can manage Filebeat by using the usual systemd commands.
+
+The service unit is configured with `UMask=0027` which means the most permissive mask allowed for files created by Filebeat is `0640`. All configured file permissions higher than `0640` will be ignored. Please edit the unit file manually in case you need to change that.
+
+## Start and stop Filebeat [_start_and_stop_filebeat]
+
+Use `systemctl` to start or stop Filebeat:
+
+```sh
+sudo systemctl start filebeat
+```
+
+```sh
+sudo systemctl stop filebeat
+```
+
+By default, the Filebeat service starts automatically when the system boots. To enable or disable auto start use:
+
+```sh
+sudo systemctl enable filebeat
+```
+
+```sh
+sudo systemctl disable filebeat
+```
+
+
+## Filebeat status and logs [_filebeat_status_and_logs]
+
+To get the service status, use `systemctl`:
+
+```sh
+systemctl status filebeat
+```
+
+Logs are stored by default in journald. To view the Logs, use `journalctl`:
+
+```sh
+journalctl -u filebeat.service
+```
+
+
+## Customize systemd unit for Filebeat [_customize_systemd_unit_for_filebeat]
+
+The systemd service unit file includes environment variables that you can override to change the default options.
+
+| Variable | Description | Default value |
+| --- | --- | --- |
+| BEAT_LOG_OPTS | Log options |  |
+| BEAT_CONFIG_OPTS | Flags for configuration file path | ``-c /etc/filebeat/filebeat.yml`` |
+| BEAT_PATH_OPTS | Other paths | ``--path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat`` |
+
+::::{note}
+You can use `BEAT_LOG_OPTS` to set debug selectors for logging. However, to configure logging behavior, set the logging options described in [Configure logging](/reference/filebeat/configuration-logging.md).
+::::
+
+
+To override these variables, create a drop-in unit file in the `/etc/systemd/system/filebeat.service.d` directory.
+
+For example a file with the following content placed in `/etc/systemd/system/filebeat.service.d/debug.conf` would override `BEAT_LOG_OPTS` to enable debug for Elasticsearch output.
+
+```text
+[Service]
+Environment="BEAT_LOG_OPTS=-d elasticsearch"
+```
+
+To apply your changes, reload the systemd configuration and restart the service:
+
+```sh
+systemctl daemon-reload
+systemctl restart filebeat
+```
+
+::::{note}
+It is recommended that you use a configuration management tool to include drop-in unit files. If you need to add a drop-in manually, use `systemctl edit filebeat.service`.
+::::
+
+
+
diff --git a/docs/reference/filebeat/securing-communication-elasticsearch.md b/docs/reference/filebeat/securing-communication-elasticsearch.md
new file mode 100644
index 000000000000..8642bfbddedc
--- /dev/null
+++ b/docs/reference/filebeat/securing-communication-elasticsearch.md
@@ -0,0 +1,104 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/securing-communication-elasticsearch.html
+---
+
+# Secure communication with Elasticsearch [securing-communication-elasticsearch]
+
+When sending data to a secured cluster through the `elasticsearch` output, Filebeat can use any of the following authentication methods:
+
+* Basic authentication credentials (username and password).
+* Token-based API authentication.
+* A client certificate.
+
+Authentication is specified in the Filebeat configuration file:
+
+* To use **basic authentication**, specify the `username` and `password` settings under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      username: "filebeat_writer" <1>
+      password: "{pwd}" <2>
+    ```
+
+    1. This user needs the privileges required to publish events to {{es}}. To create a user like this, see [Create a *publishing* user](/reference/filebeat/privileges-to-publish-events.md).
+    2. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/filebeat/keystore.md).
+
+* To use token-based **API key authentication**, specify the `api_key` under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      api_key: "ZCV7VnwBgnX0T19fN8Qe:KnR6yE41RrSowb0kQ0HWoA" <1>
+    ```
+
+    1. This API key must have the privileges required to publish events to {{es}}. To create an API key like this, see [*Grant access using API keys*](/reference/filebeat/beats-api-keys.md).
+
+
+* To use **Public Key Infrastructure (PKI) certificates** to authenticate users, specify the `certificate` and `key` settings under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      ssl.certificate: "/etc/pki/client/cert.pem" <1>
+      ssl.key: "/etc/pki/client/cert.key" <2>
+    ```
+
+    1. The path to the certificate for SSL client authentication
+    2. The client certificate key
+
+
+    These settings assume that the distinguished name (DN) in the certificate is mapped to the appropriate roles in the `role_mapping.yml` file on each node in the {{es}} cluster. For more information, see [Using role mapping files](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md#mapping-roles-file).
+
+    By default, Filebeat uses the list of trusted certificate authorities (CA) from the operating system where Filebeat is running. If the certificate authority that signed your node certificates is not in the host system’s trusted certificate authorities list, you need to add the path to the `.pem` file that contains your CA’s certificate to the Filebeat configuration. This will configure Filebeat to use a specific list of CA certificates instead of the default list from the OS.
+
+    Here is an example configuration:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      ssl.certificate_authorities: <1>
+        - /etc/pki/my_root_ca.pem
+        - /etc/pki/my_other_ca.pem
+      ssl.certificate: "/etc/pki/client.pem" <2>
+      ssl.key: "/etc/pki/key.pem" <3>
+    ```
+
+    1. Specify the path to the local `.pem` file that contains your Certificate Authority’s certificate. This is needed if you use your own CA to sign your node certificates.
+    2. The path to the certificate for SSL client authentication
+    3. The client certificate key
+
+
+    ::::{note}
+    For any given connection, the SSL/TLS certificates must have a subject that matches the value specified for `hosts`, or the SSL handshake fails. For example, if you specify `hosts: ["foobar:9200"]`, the certificate MUST include `foobar` in the subject (`CN=foobar`) or as a subject alternative name (SAN). Make sure the hostname resolves to the correct IP address. If no DNS is available, then you can associate the IP address with your hostname in `/etc/hosts` (on Unix) or `C:\Windows\System32\drivers\etc\hosts` (on Windows).
+    ::::
+
+
+
+## Secure communication with the Kibana endpoint [securing-communication-kibana]
+
+If you’ve configured the [{{kib}} endpoint](/reference/filebeat/setup-kibana-endpoint.md), you can also specify credentials for authenticating with {{kib}} under `kibana.setup`. If no credentials are specified, Kibana will use the configured authentication method in the Elasticsearch output.
+
+For example, specify a unique username and password to connect to Kibana like this:
+
+```yaml
+setup.kibana:
+  host: "mykibanahost:5601"
+  username: "filebeat_kib_setup" <1>
+  password: "{pwd}" <2>
+```
+
+1. This user needs privileges required to set up dashboards. To create a user like this, see [Create a *setup* user](/reference/filebeat/privileges-to-setup-beats.md).
+2. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/filebeat/keystore.md).
+
+
+
+## Learn more about secure communication [securing-communication-learn-more]
+
+More information on sending data to a secured cluster is available in the configuration reference:
+
+* [Elasticsearch](/reference/filebeat/elasticsearch-output.md)
+* [SSL](/reference/filebeat/configuration-ssl.md)
+* [{{kib}} endpoint](/reference/filebeat/setup-kibana-endpoint.md)
+
diff --git a/docs/reference/filebeat/securing-filebeat.md b/docs/reference/filebeat/securing-filebeat.md
new file mode 100644
index 000000000000..6027ff7512d2
--- /dev/null
+++ b/docs/reference/filebeat/securing-filebeat.md
@@ -0,0 +1,25 @@
+---
+navigation_title: "Secure"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/securing-filebeat.html
+---
+
+# Secure Filebeat [securing-filebeat]
+
+
+The following topics provide information about securing the Filebeat process and connecting to a cluster that has {{security-features}} enabled.
+
+You can use role-based access control and optionally, API keys to grant Filebeat users access to secured resources.
+
+* [*Grant users access to secured resources*](/reference/filebeat/feature-roles.md)
+* [*Grant access using API keys*](/reference/filebeat/beats-api-keys.md).
+
+After privileged users have been created, use authentication to connect to a secured Elastic cluster.
+
+* [*Secure communication with Elasticsearch*](/reference/filebeat/securing-communication-elasticsearch.md)
+* [*Secure communication with Logstash*](/reference/filebeat/configuring-ssl-logstash.md)
+
+On Linux, Filebeat can take advantage of secure computing mode to restrict the system calls that a process can issue.
+
+* [*Use Linux Secure Computing Mode (seccomp)*](/reference/filebeat/linux-seccomp.md)
+
diff --git a/docs/reference/filebeat/setting-up-running.md b/docs/reference/filebeat/setting-up-running.md
new file mode 100644
index 000000000000..6f2f44b24603
--- /dev/null
+++ b/docs/reference/filebeat/setting-up-running.md
@@ -0,0 +1,34 @@
+---
+navigation_title: "Set up and run"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html
+---
+
+# Set up and run Filebeat [setting-up-and-running]
+
+
+Before reading this section, see [Quick start: installation and configuration](/reference/filebeat/filebeat-installation-configuration.md) for basic installation instructions to get you started.
+
+This section includes additional information on how to install, set up, and run Filebeat, including:
+
+* [Directory layout](/reference/filebeat/directory-layout.md)
+* [Secrets keystore](/reference/filebeat/keystore.md)
+* [Command reference](/reference/filebeat/command-line-options.md)
+* [Repositories for APT and YUM](/reference/filebeat/setup-repositories.md)
+* [Run Filebeat on Docker](/reference/filebeat/running-on-docker.md)
+* [Run Filebeat on Kubernetes](/reference/filebeat/running-on-kubernetes.md)
+* [Run Filebeat on Cloud Foundry](/reference/filebeat/running-on-cloudfoundry.md)
+* [Filebeat and systemd](/reference/filebeat/running-with-systemd.md)
+* [Start Filebeat](/reference/filebeat/filebeat-starting.md)
+* [Stop Filebeat](/reference/filebeat/shutdown.md)
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/filebeat/setup-kibana-endpoint.md b/docs/reference/filebeat/setup-kibana-endpoint.md
new file mode 100644
index 000000000000..6396baa28e2e
--- /dev/null
+++ b/docs/reference/filebeat/setup-kibana-endpoint.md
@@ -0,0 +1,96 @@
+---
+navigation_title: "{{kib}} endpoint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/setup-kibana-endpoint.html
+---
+
+# Configure the {{kib}} endpoint [setup-kibana-endpoint]
+
+
+{{kib}} dashboards are loaded into {{kib}} via the {{kib}} API. This requires a {{kib}} endpoint configuration. For details on authenticating to the {{kib}} API, see [Authentication](https://www.elastic.co/docs/api/doc/kibana/authentication).
+
+You configure the endpoint in the `setup.kibana` section of the `filebeat.yml` config file.
+
+Here is an example configuration:
+
+```yaml
+setup.kibana.host: "http://localhost:5601"
+```
+
+
+## Configuration options [_configuration_options_34]
+
+You can specify the following options in the `setup.kibana` section of the `filebeat.yml` config file:
+
+
+### `setup.kibana.host` [_setup_kibana_host]
+
+The {{kib}} host where the dashboards will be loaded. The default is `127.0.0.1:5601`. The value of `host` can be a `URL` or `IP:PORT`. For example: `http://192.15.3.2`, `192:15.3.2:5601` or `http://192.15.3.2:6701/path`. If no port is specified, `5601` is used.
+
+::::{note}
+When a node is defined as an `IP:PORT`, the *scheme* and *path* are taken from the [setup.kibana.protocol](#kibana-protocol-option) and [setup.kibana.path](#kibana-path-option) config options.
+::::
+
+
+IPv6 addresses must be defined using the following format: `https://[2001:db8::1]:5601`.
+
+
+### `setup.kibana.protocol` [kibana-protocol-option]
+
+The name of the protocol {{kib}} is reachable on. The options are: `http` or `https`. The default is `http`. However, if you specify a URL for host, the value of `protocol` is overridden by whatever scheme you specify in the URL.
+
+Example config:
+
+```yaml
+setup.kibana.host: "192.0.2.255:5601"
+setup.kibana.protocol: "http"
+setup.kibana.path: /kibana
+```
+
+
+### `setup.kibana.username` [_setup_kibana_username]
+
+The basic authentication username for connecting to {{kib}}. If you don’t specify a value for this setting, Filebeat uses the `username` specified for the {{es}} output.
+
+
+### `setup.kibana.password` [_setup_kibana_password]
+
+The basic authentication password for connecting to {{kib}}. If you don’t specify a value for this setting, Filebeat uses the `password` specified for the {{es}} output.
+
+
+### `setup.kibana.path` [kibana-path-option]
+
+An HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where {{kib}} listens behind an HTTP reverse proxy that exports the API under a custom prefix.
+
+
+### `setup.kibana.space.id` [kibana-space-id-option]
+
+The [Kibana space](docs-content://deploy-manage/manage-spaces.md) ID to use. If specified, Filebeat loads {{kib}} assets into this {{kib}} space. Omit this option to use the default space.
+
+
+#### `setup.kibana.headers` [_setup_kibana_headers]
+
+Custom HTTP headers to add to each request sent to {{kib}}. Example:
+
+```yaml
+setup.kibana.headers:
+  X-My-Header: Header contents
+```
+
+
+### `setup.kibana.ssl.enabled` [_setup_kibana_ssl_enabled]
+
+Enables Filebeat to use SSL settings when connecting to {{kib}} via HTTPS. If you configure Filebeat to connect over HTTPS, this setting defaults to `true` and Filebeat uses the default SSL settings.
+
+Example configuration:
+
+```yaml
+setup.kibana.host: "https://192.0.2.255:5601"
+setup.kibana.ssl.enabled: true
+setup.kibana.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+setup.kibana.ssl.certificate: "/etc/client/cert.pem"
+setup.kibana.ssl.key: "/etc/client/cert.key
+```
+
+See [SSL](/reference/filebeat/configuration-ssl.md) for more information.
+
diff --git a/docs/reference/filebeat/setup-repositories.md b/docs/reference/filebeat/setup-repositories.md
new file mode 100644
index 000000000000..db2ec3115329
--- /dev/null
+++ b/docs/reference/filebeat/setup-repositories.md
@@ -0,0 +1,26 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html
+---
+
+# Repositories for APT and YUM [setup-repositories]
+
+We have repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
+
+We use the PGP key [D88E42B4](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xD27D666CD88E42B4), Elasticsearch Signing Key, with fingerprint
+
+```
+4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4
+```
+to sign all our packages. It is available from [https://pgp.mit.edu](https://pgp.mit.edu).
+
+
+## APT [_apt]
+
+Version 9.0.0-beta1 of Beats has not yet been released.
+
+
+## YUM [_yum]
+
+Version 9.0.0-beta1 of Beats has not yet been released.
+
diff --git a/docs/reference/filebeat/shutdown.md b/docs/reference/filebeat/shutdown.md
new file mode 100644
index 000000000000..69f9cff247d5
--- /dev/null
+++ b/docs/reference/filebeat/shutdown.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/shutdown.html
+---
+
+# Stop Filebeat [shutdown]
+
+An orderly shutdown of Filebeat ensures that it has a chance to clean up and close outstanding resources. You can help ensure an orderly shutdown by stopping Filebeat properly.
+
+If you’re running Filebeat as a service, you can stop it via the service management functionality provided by your installation.
+
+If you’re running Filebeat directly in the console, you can stop it by entering **Ctrl-C**. Alternatively, send SIGTERM to the Filebeat process on a POSIX system.
+
diff --git a/docs/reference/filebeat/ssl-client-fails.md b/docs/reference/filebeat/ssl-client-fails.md
new file mode 100644
index 000000000000..0034ab7ac7b5
--- /dev/null
+++ b/docs/reference/filebeat/ssl-client-fails.md
@@ -0,0 +1,71 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/ssl-client-fails.html
+---
+
+# SSL client fails to connect to Logstash [ssl-client-fails]
+
+The host running {{ls}} might be unreachable or the certificate may not be valid. To resolve your issue:
+
+* Make sure that {{ls}} is running and you can connect to it. First, try to ping the {{ls}} host to verify that you can reach it from the host running Filebeat. Then use either `nc` or `telnet` to make sure that the port is available. For example:
+
+    ```shell
+    ping <hostname or IP>
+    telnet <hostname or IP> 5044
+    ```
+
+* Verify that the certificate is valid and that the hostname and IP match.
+
+    ::::{tip}
+    For testing purposes only, you can set `verification_mode: none` to disable hostname checking.
+    ::::
+
+* Use OpenSSL to test connectivity to the {{ls}} server and diagnose problems. See the [OpenSSL documentation](https://www.openssl.org/docs/manmaster/man1/openssl-s_client.md) for more info.
+* Make sure that you have enabled SSL (set `ssl => true`) when configuring the [Beats input plugin for {{ls}}](logstash://reference/plugins-inputs-beats.md).
+
+## Common SSL-Related Errors and Resolutions [_common_ssl_related_errors_and_resolutions]
+
+Here are some common errors and ways to fix them:
+
+* [tls: failed to parse private key](#failed-to-parse-private-key)
+* [x509: cannot validate certificate](#cannot-validate-certificate)
+* [getsockopt: no route to host](#getsockopt-no-route-to-host)
+* [getsockopt: connection refused](#getsockopt-connection-refused)
+* [No connection could be made because the target machine actively refused it](#target-machine-refused-connection)
+
+### tls: failed to parse private key [failed-to-parse-private-key]
+
+This might occur for a few reasons:
+
+* The encrypted file is not recognized as an encrypted PEM block. Filebeat tries to use the encrypted content as the final key, which fails.
+* The file is correctly encrypted in a PEM block, but the decrypted content is not a key in a format that Filebeat recognizes. The key must be encoded as PEM format.
+* The passphrase is missing or has an error.
+
+
+### x509: cannot validate certificate for <IP address> because it doesn’t contain any IP SANs [cannot-validate-certificate]
+
+This happens because your certificate is only valid for the hostname present in the Subject field.
+
+To resolve this problem, try one of these solutions:
+
+* Create a DNS entry for the hostname mapping it to the server’s IP.
+* Create an entry in `/etc/hosts` for the hostname. Or on Windows add an entry to `C:\Windows\System32\drivers\etc\hosts`.
+* Re-create the server certificate and add a SubjectAltName (SAN) for the IP address of the server. This makes the server’s certificate valid for both the hostname and the IP address.
+
+
+### getsockopt: no route to host [getsockopt-no-route-to-host]
+
+This is not a SSL problem. It’s a networking problem. Make sure the two hosts can communicate.
+
+
+### getsockopt: connection refused [getsockopt-connection-refused]
+
+This is not a SSL problem. Make sure that {{ls}} is running and that there is no firewall blocking the traffic.
+
+
+### No connection could be made because the target machine actively refused it [target-machine-refused-connection]
+
+A firewall is refusing the connection. Check if a firewall is blocking the traffic on the client, the network, or the destination host.
+
+
+
diff --git a/docs/reference/filebeat/syslog.md b/docs/reference/filebeat/syslog.md
new file mode 100644
index 000000000000..455be8b8d7fa
--- /dev/null
+++ b/docs/reference/filebeat/syslog.md
@@ -0,0 +1,156 @@
+---
+navigation_title: "syslog"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/syslog.html
+---
+
+# Syslog [syslog]
+
+
+The syslog processor parses RFC 3146 and/or RFC 5424 formatted syslog messages that are stored in a field. The processor itself does not handle receiving syslog messages from external sources. This is done through an input, such as the TCP input. Certain integrations, when enabled through configuration, will embed the syslog processor to process syslog messages, such as Custom TCP Logs and Custom UDP Logs.
+
+
+## Configuration [_configuration_6]
+
+The `syslog` processor parses RFC 3146 and/or RFC 5424 formatted syslog messages that are stored under the `field` key.
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the syslog message. Defaults to `message`.
+
+`format`
+:   (Optional) The syslog format to use, `rfc3164`, or `rfc5424`. To automatically detect the format from the log entries, set this option to `auto`. The default is `auto`.
+
+`timezone`
+:   (Optional) IANA time zone name(e.g. `America/New York`) or a fixed time offset (e.g. +0200) to use when parsing syslog timestamps that do not contain a time zone. `Local` may be specified to use the machine’s local time zone. Defaults to `Local`.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the syslog message. The default value is `true`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+`tag`
+:   (Optional) An identifier for this processor. Useful for debugging.
+
+Example:
+
+```yaml
+processors:
+  - syslog:
+      field: message
+```
+
+```json
+{
+  "message": "<165>1 2022-01-11T22:14:15.003Z mymachine.example.com eventslog 1024 ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"][examplePriority@32473 class=\"high\"] this is the message"
+}
+```
+
+Will produce the following output:
+
+```json
+{
+  "@timestamp": "2022-01-11T22:14:15.003Z",
+  "log": {
+    "syslog": {
+      "priority": 165,
+      "facility": {
+        "code": 20,
+        "name": "local4"
+      },
+      "severity": {
+        "code": 5,
+        "name": "Notice"
+      },
+      "hostname": "mymachine.example.com",
+      "appname": "eventslog",
+      "procid": "1024",
+      "msgid": "ID47",
+      "version": 1,
+      "structured_data": {
+        "exampleSDID@32473": {
+          "iut":         "3",
+          "eventSource": "Application",
+          "eventID":     "1011"
+        },
+        "examplePriority@32473": {
+          "class": "high"
+        }
+      }
+    }
+  },
+  "message": "this is the message"
+}
+```
+
+
+## Timestamps [_timestamps_2]
+
+The RFC 3164 format accepts the following forms of timestamps:
+
+* Local timestamp (`Mmm dd hh:mm:ss`):
+
+    * `Jan 23 14:09:01`
+
+* RFC-3339*:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+**Note**: The local timestamp (for example, `Jan 23 14:09:01`) that accompanies an RFC 3164 message lacks year and time zone information. The time zone will be enriched using the `timezone` configuration option, and the year will be enriched using the Filebeat system’s local time (accounting for time zones). Because of this, it is possible for messages to appear in the future. An example of when this might happen is logs generated on December 31 2021 are ingested on January 1 2022. The logs would be enriched with the year 2022 instead of 2021.
+
+The RFC 5424 format accepts the following forms of timestamps:
+
+* RFC-3339:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+Formats with an asterisk (*) are a non-standard allowance.
+
+
+## Structured Data [_structured_data]
+
+For RFC 5424-formatted logs, if the structured data cannot be parsed according to RFC standards, the original structured data text will be prepended to the message field, separated by a space.
+
+
+## Metrics [_metrics_19]
+
+Internal metrics are available to assist with debugging efforts. The metrics are served from the metrics HTTP endpoint (for example: `http://localhost:5066/stats`) and are found under `processor.syslog.[instance ID]` or `processor.syslog.[tag]-[instance ID]` if a **tag** is provided. See [HTTP endpoint](/reference/filebeat/http-endpoint.md) for more information on configuration the metrics HTTP endpoint.
+
+For example, here are metrics from a processor with a **tag** of `log-input` and an **instance ID** of `1`:
+
+```json
+{
+  "processor": {
+    "syslog": {
+      "log-input-1": {
+        "failure": 10,
+        "missing": 0,
+        "success": 3
+      }
+    }
+  }
+}
+```
+
+`failure`
+:   Measures the number of occurrences where a message was unable to be parsed.
+
+`missing`
+:   Measures the number of occurrences where an event was missing the required input field.
+
+`success`
+:   Measures the number of successfully parsed syslog messages.
+
diff --git a/docs/reference/filebeat/troubleshooting.md b/docs/reference/filebeat/troubleshooting.md
new file mode 100644
index 000000000000..7732c60be90f
--- /dev/null
+++ b/docs/reference/filebeat/troubleshooting.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/troubleshooting.html
+---
+
+# Troubleshoot [troubleshooting]
+
+If you have issues installing or running Filebeat, read the following tips:
+
+* [*Get help*](/reference/filebeat/getting-help.md)
+* [*Debug*](/reference/filebeat/enable-filebeat-debugging.md)
+* [Understand logged metrics](/reference/filebeat/understand-filebeat-logs.md)
+* [*Common problems*](/reference/filebeat/faq.md)
+
diff --git a/docs/reference/filebeat/truncate-fields.md b/docs/reference/filebeat/truncate-fields.md
new file mode 100644
index 000000000000..d2bdece53f3c
--- /dev/null
+++ b/docs/reference/filebeat/truncate-fields.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "truncate_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/truncate-fields.html
+---
+
+# Truncate fields [truncate-fields]
+
+
+The `truncate_fields` processor truncates a field to a given size. If the size of the field is smaller than the limit, the field is left as is.
+
+`fields`
+:   List of fields to truncate. It’s supported to use `@metadata.` prefix for the fields and truncate values in the event metadata instead of event fields.
+
+`max_bytes`
+:   Maximum number of bytes in a field. Mutually exclusive with `max_characters`.
+
+`max_characters`
+:   Maximum number of characters in a field. Mutually exclusive with `max_bytes`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the changes to the event are reverted, and the original event is returned. If set to `false`, processing continues also if an error happens. Default is `true`.
+
+`ignore_missing`
+:   (Optional) Whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+For example, this configuration truncates the field named `message` to 5 characters:
+
+```yaml
+processors:
+  - truncate_fields:
+      fields:
+        - message
+      max_characters: 5
+      fail_on_error: false
+      ignore_missing: true
+```
+
diff --git a/docs/reference/filebeat/understand-filebeat-logs.md b/docs/reference/filebeat/understand-filebeat-logs.md
new file mode 100644
index 000000000000..73d33654e85b
--- /dev/null
+++ b/docs/reference/filebeat/understand-filebeat-logs.md
@@ -0,0 +1,261 @@
+---
+navigation_title: "Understand logged metrics"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/understand-filebeat-logs.html
+---
+
+# Understand metrics in Filebeat logs [understand-filebeat-logs]
+
+
+Every 30 seconds (by default), Filebeat collects a *snapshot* of metrics about itself. From this snapshot, Filebeat computes a *delta snapshot*; this delta snapshot contains any metrics that have *changed* since the last snapshot. Note that the values of the metrics are the values when the snapshot is taken, *NOT* the *difference* in values from the last snapshot.
+
+If this delta snapshot contains *any* metrics (indicating at least one metric that has changed since the last snapshot), this delta snapshot is serialized as JSON and emitted in Filebeat’s logs at the `INFO` log level. Most snapshot fields report the change in the metric since the last snapshot, however some fields are *gauges*, which always report the current value. Here is an example of such a log entry:
+
+```json
+{"log.level":"info","@timestamp":"2023-07-14T12:50:36.811Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":0}}}},"cpu":{"system":{"ticks":692690,"time":{"ms":60}},"total":{"ticks":3167250,"time":{"ms":150},"value":3167250},"user":{"ticks":2474560,"time":{"ms":90}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":32},"info":{"ephemeral_id":"2bab8688-34c0-4522-80af-db86948d547d","uptime":{"ms":617670096},"version":"8.6.2"},"memstats":{"gc_next":57189272,"memory_alloc":43589824,"memory_total":275281335792,"rss":183574528},"runtime":{"goroutines":212}},"filebeat":{"events":{"active":5,"added":52,"done":49},"harvester":{"open_files":6,"running":6,"started":1}},"libbeat":{"config":{"module":{"running":15}},"output":{"events":{"acked":48,"active":0,"batches":6,"total":48},"read":{"bytes":210},"write":{"bytes":26923}},"pipeline":{"clients":15,"events":{"active":5,"filtered":1,"published":51,"total":52},"queue":{"max_events":3500,"filled":{"events":5,"bytes":6425,"pct":0.0014},"added":{"events":52,"bytes":65702},"consumed":{"events":52,"bytes":65702},"removed":{"events":48,"bytes":59277},"acked":48}}},"registrar":{"states":{"current":14,"update":49},"writes":{"success":6,"total":6}},"system":{"load":{"1":0.91,"15":0.37,"5":0.4,"norm":{"1":0.1138,"15":0.0463,"5":0.05}}}},"ecs.version":"1.6.0"}}
+```
+
+
+## Details [_details_2]
+
+Focussing on the `.monitoring.metrics` field, and formatting the JSON, it’s value is:
+
+```json
+{
+  "beat": {
+    "cgroup": {
+      "memory": {
+        "mem": {
+          "usage": {
+            "bytes": 0
+          }
+        }
+      }
+    },
+    "cpu": {
+      "system": {
+        "ticks": 692690,
+        "time": {
+          "ms": 60
+        }
+      },
+      "total": {
+        "ticks": 3167250,
+        "time": {
+          "ms": 150
+        },
+        "value": 3167250
+      },
+      "user": {
+        "ticks": 2474560,
+        "time": {
+          "ms": 90
+        }
+      }
+    },
+    "handles": {
+      "limit": {
+        "hard": 1048576,
+        "soft": 1048576
+      },
+      "open": 32
+    },
+    "info": {
+      "ephemeral_id": "2bab8688-34c0-4522-80af-db86948d547d",
+      "uptime": {
+        "ms": 617670096
+      },
+      "version": "8.6.2"
+    },
+    "memstats": {
+      "gc_next": 57189272,
+      "memory_alloc": 43589824,
+      "memory_total": 275281335792,
+      "rss": 183574528
+    },
+    "runtime": {
+      "goroutines": 212
+    }
+  },
+  "filebeat": {
+    "events": {
+      "active": 5,
+      "added": 52,
+      "done": 49
+    },
+    "harvester": {
+      "open_files": 6,
+      "running": 6,
+      "started": 1
+    }
+  },
+  "libbeat": {
+    "config": {
+      "module": {
+        "running": 15
+      }
+    },
+    "output": {
+      "events": {
+        "acked": 48,
+        "active": 0,
+        "batches": 6,
+        "total": 48
+      },
+      "read": {
+        "bytes": 210
+      },
+      "write": {
+        "bytes": 26923
+      }
+    },
+    "pipeline": {
+      "clients": 15,
+      "events": {
+        "active": 5,
+        "filtered": 1,
+        "published": 51,
+        "total": 52
+      },
+      "queue": {
+        "max_events": 3500,
+        "filled": {
+          "events": 5,
+          "bytes": 6425,
+          "pct": 0.0014
+        },
+        "added": {
+          "events": 52,
+          "bytes": 65702
+        },
+        "consumed": {
+          "events": 52,
+          "bytes": 65702
+        },
+        "removed": {
+          "events": 48,
+          "bytes": 59277
+        },
+        "acked": 48
+      }
+    }
+  },
+  "registrar": {
+    "states": {
+      "current": 14,
+      "update": 49
+    },
+    "writes": {
+      "success": 6,
+      "total": 6
+    }
+  },
+  "system": {
+    "load": {
+      "1": 0.91,
+      "15": 0.37,
+      "5": 0.4,
+      "norm": {
+        "1": 0.1138,
+        "15": 0.0463,
+        "5": 0.05
+      }
+    }
+  }
+}
+```
+
+The following tables explain the meaning of the most important fields under `.monitoring.metrics` and also provide hints that might be helpful in troubleshooting Filebeat issues.
+
+| Field path (relative to `.monitoring.metrics`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.beat` | Object | Information that is common to all Beats, e.g. version, goroutines, file handles, CPU, memory |  |
+| `.libbeat` | Object | Information about the publisher pipeline and output, also common to all Beats |  |
+| `.filebeat` | Object | Information specific to {{filebeat}}, e.g. harvester, events |  |
+
+| Field path (relative to `.monitoring.metrics.beat`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.runtime.goroutines` | Integer | Number of goroutines running | If this number grows over time, it indicates a goroutine leak |
+
+| Field path (relative to `.monitoring.metrics.libbeat`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.pipeline.events.active` | Integer | Number of events currently in the libbeat publisher pipeline. | If this number grows over time, it may indicate that Filebeat is producing events faster than the output can consume them. Consider increasing the number of output workers (if this setting is supported by the output; {{es}} and {{ls}} outputs support this setting). The pipeline includes events currently being processed as well as events in the queue. So this metric can sometimes end up slightly higher than the queue size. If this metric reaches the maximum queue size (`queue.mem.events` for the in-memory queue), it almost certainly indicates backpressure on Filebeat, implying that Filebeat may need to temporarily stop ingesting more events from the source until this backpressure is relieved. |
+| `.output.events.total` | Integer | Number of events currently being processed by the output. | If this number grows over time, it may indicate that the output destination (e.g. {{ls}} pipeline or {{es}} cluster) is not able to accept events at the same or faster rate than what Filebeat is sending to it. |
+| `.output.events.acked` | Integer | Number of events acknowledged by the output destination. | Generally, we want this number to be the same as `.output.events.total` as this indicates that the output destination has reliably received all the events sent to it. |
+| `.output.events.failed` | Integer | Number of events that Filebeat tried to send to the output destination, but the destination failed to receive them. | Generally, we want this field to be absent or its value to be zero. When the value is greater than zero, it’s useful to check Filebeat’s logs right before this log entry’s `@timestamp` to see if there are any connectivity issues with the output destination. Note that failed events are not lost or dropped; they will be sent back to the publisher pipeline for retrying later. |
+| `.output.events.dropped` | Integer | Number of events that Filebeat gave up sending to the output destination because of a permanent (non-retryable) error. | `.output.events.dead_letter` |
+| Integer | Number of events that Filebeat successfully sent to a configured dead letter index after they failed to ingest in the primary index. | `.output.write.latency` | Object |
+
+| Field path (relative to `.monitoring.metrics.libbeat.pipeline`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.queue.max_events` | Integer (gauge) | The queue’s maximum event count if it has one, otherwise zero. | `.queue.max_bytes` |
+| Integer (gauge) | The queue’s maximum byte count if it has one, otherwise zero. | `.queue.filled.events` | Integer (gauge) |
+| Number of events currently stored by the queue. |  | `.queue.filled.bytes` | Integer (gauge) |
+| Number of bytes currently stored by the queue. |  | `.queue.filled.pct` | Float (gauge) |
+| How full the queue is relative to its maximum size, as a fraction from 0 to 1. | Low throughput while `queue.filled.pct` is low means congestion in the input. Low throughput while `queue.filled.pct` is high means congestion in the output. | `.queue.added.events` | Integer |
+| Number of events added to the queue by input workers. |  | `.queue.added.bytes` | Integer |
+| Number of bytes added to the queue by input workers. |  | `.queue.consumed.events` | Integer |
+| Number of events sent to output workers. |  | `.queue.consumed.bytes` | Integer |
+| Number of bytes sent to output workers. |  | `.queue.removed.events` | Integer |
+| Number of events removed from the queue after being processed by output workers. |  | `.queue.removed.bytes` | Integer |
+
+When using the memory queue, byte metrics are only set if the output supports them. Currently only the Elasticsearch output supports byte metrics.
+
+| Field path (relative to `.monitoring.metrics.filebeat`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.events.active` | Integer | Number of events being actively processed by {{filebeat}} (including events {{filebeat}} has already sent to the libbeat publisher pipeline, but not including events the pipeline has sent to the output). | If this number grows over time, it may indicate that {{filebeat}} inputs are harvesting events too fast for the pipeline and output to keep up. |
+
+
+## Useful commands [_useful_commands]
+
+
+### Parse monitoring metrics from unstructured Filebeat logs [_parse_monitoring_metrics_from_unstructured_filebeat_logs]
+
+For Filebeat versions that emit unstructured logs, the following script can be used to parse monitoring metrics from such logs: [https://github.com/elastic/beats/blob/main/script/metrics_from_log_file.sh](https://github.com/elastic/beats/blob/main/script/metrics_from_log_file.sh).
+
+
+### Check if {{filebeat}} is processing events [_check_if_filebeat_is_processing_events]
+
+```
+$ cat beat.log | jq -r '[.["@timestamp"],.monitoring.metrics.filebeat.events.active,.monitoring.metrics.libbeat.pipeline.events.active,.monitoring.metrics.libbeat.output.events.total,.monitoring.metrics.libbeat.output.events.acked,.monitoring.metrics.libbeat.output.events.failed//0] | @tsv' | sort
+```
+
+Example output:
+
+```
+2023-07-14T11:24:36.811Z	1	1	38033	38033	0
+2023-07-14T11:25:06.811Z	1	1	17	17	0
+2023-07-14T11:25:36.812Z	1	1	16	16	0
+2023-07-14T11:26:06.811Z	1	1	17	17	0
+2023-07-14T11:26:36.811Z	2	2	21	21	0
+2023-07-14T11:27:06.812Z	1	1	18	18	0
+2023-07-14T11:27:36.811Z	1	1	17	17	0
+2023-07-14T11:28:06.811Z	1	1	18	18	0
+2023-07-14T11:28:36.811Z	1	1	16	16	0
+2023-07-14T11:37:06.811Z	1	1	270	270	0
+2023-07-14T11:37:36.811Z	1	1	16	16	0
+2023-07-14T11:38:06.811Z	1	1	17	17	0
+2023-07-14T11:38:36.811Z	1	1	16	16	0
+2023-07-14T11:41:36.811Z	3	3	323	323	0
+2023-07-14T11:42:06.811Z	3	3	17	17	0
+2023-07-14T11:42:36.812Z	4	4	18	18	0
+2023-07-14T11:43:06.811Z	4	4	17	17	0
+2023-07-14T11:43:36.811Z	2	2	17	17	0
+2023-07-14T11:47:06.811Z	0	0	117	117	0
+2023-07-14T11:47:36.811Z	2	2	14	14	0
+2023-07-14T11:48:06.811Z	3	3	17	17	0
+2023-07-14T11:48:36.811Z	2	2	17	17	0
+2023-07-14T12:49:36.811Z	3	3	2008	1960	48
+2023-07-14T12:50:06.812Z	2	2	18	18	0
+2023-07-14T12:50:36.811Z	5	5	48	48	0
+```
+
+The columns here are:
+
+1. `.@timestamp`
+2. `.monitoring.metrics.filebeat.events.active`
+3. `.monitoring.metrics.libbeat.pipeline.events.active`
+4. `.monitoring.metrics.libbeat.output.events.total`
+5. `.monitoring.metrics.libbeat.output.events.acked`
+6. `.monitoring.metrics.libbeat.output.events.failed`
+
diff --git a/docs/reference/filebeat/upgrading-filebeat.md b/docs/reference/filebeat/upgrading-filebeat.md
new file mode 100644
index 000000000000..2c682c6932ee
--- /dev/null
+++ b/docs/reference/filebeat/upgrading-filebeat.md
@@ -0,0 +1,14 @@
+---
+navigation_title: "Upgrade"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/upgrading-filebeat.html
+---
+
+# Upgrade Filebeat [upgrading-filebeat]
+
+
+For information about upgrading to a new version, see:
+
+* [Breaking Changes](/release-notes/breaking-changes.md)
+* [Upgrade](/reference/libbeat/upgrading.md)
+
diff --git a/docs/reference/filebeat/urldecode.md b/docs/reference/filebeat/urldecode.md
new file mode 100644
index 000000000000..79d6f654e6ee
--- /dev/null
+++ b/docs/reference/filebeat/urldecode.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "urldecode"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/urldecode.html
+---
+
+# URL Decode [urldecode]
+
+
+The `urldecode` processor specifies a list of fields to decode from URL encoded format. Under the `fields` key, each entry contains a `from: source-field` and a `to: target-field` pair, where:
+
+* `from` is the source field name
+* `to` is the target field name (defaults to the `from` value)
+
+```yaml
+processors:
+  - urldecode:
+      fields:
+        - from: "field1"
+          to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above:
+
+* field1 is decoded in field2
+
+The `urldecode` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be URL-decoded is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the URL-decoding of fields is stopped and the original event is returned. If set to false, decoding continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/filebeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/filebeat/using-environ-vars.md b/docs/reference/filebeat/using-environ-vars.md
new file mode 100644
index 000000000000..083cd3f61c99
--- /dev/null
+++ b/docs/reference/filebeat/using-environ-vars.md
@@ -0,0 +1,80 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/using-environ-vars.html
+---
+
+# Use environment variables in the configuration [using-environ-vars]
+
+You can use environment variable references in the config file to set values that need to be configurable during deployment. To do this, use:
+
+`${VAR}`
+
+Where `VAR` is the name of the environment variable.
+
+Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.
+
+To specify a default value, use:
+
+`${VAR:default_value}`
+
+Where `default_value` is the value to use if the environment variable is undefined.
+
+To specify custom error text, use:
+
+`${VAR:?error_text}`
+
+Where `error_text` is custom text that will be prepended to the error message if the environment variable cannot be expanded.
+
+If you need to use a special character in your configuration file, use `$` to escape the expansion. For example, you can escape `${` or `}` with `$${` or `$}`.
+
+After changing the value of an environment variable, you need to restart Filebeat to pick up the new value.
+
+::::{note}
+You can also specify environment variables when you override a config setting from the command line by using the `-E` option. For example:
+
+`-E name=${NAME}`
+
+::::
+
+
+
+## Examples [_examples]
+
+Here are some examples of configurations that use environment variables and what each configuration looks like after replacement:
+
+| Config source | Environment setting | Config after replacement |
+| --- | --- | --- |
+| `name: ${NAME}` | `export NAME=elastic` | `name: elastic` |
+| `name: ${NAME}` | no setting | `name:` |
+| `name: ${NAME:beats}` | no setting | `name: beats` |
+| `name: ${NAME:beats}` | `export NAME=elastic` | `name: elastic` |
+| `name: ${NAME:?You need to set the NAME environment variable}` | no setting | None. Returns an error message that’s prepended with the custom text. |
+| `name: ${NAME:?You need to set the NAME environment variable}` | `export NAME=elastic` | `name: elastic` |
+
+
+## Specify complex objects in environment variables [_specify_complex_objects_in_environment_variables]
+
+You can specify complex objects, such as lists or dictionaries, in environment variables by using a JSON-like syntax.
+
+As with JSON, dictionaries and lists are constructed using `{}` and `[]`. But unlike JSON, the syntax allows for trailing commas and slightly different string quotation rules. Strings can be unquoted, single-quoted, or double-quoted, as a convenience for simple settings and to make it easier for you to mix quotation usage in the shell. Arrays at the top-level do not require brackets (`[]`).
+
+For example, the following environment variable is set to a list:
+
+```yaml
+ES_HOSTS="10.45.3.2:9220,10.45.3.1:9230"
+```
+
+You can reference this variable in the config file:
+
+```yaml
+output.elasticsearch:
+  hosts: '${ES_HOSTS}'
+```
+
+When Filebeat loads the config file, it resolves the environment variable and replaces it with the specified list before reading the `hosts` setting.
+
+::::{note}
+Do not use double-quotes (`"`) to wrap regular expressions, or the backslash (`\`) will be interpreted as an escape character.
+::::
+
+
diff --git a/docs/reference/filebeat/windows-file-rotation.md b/docs/reference/filebeat/windows-file-rotation.md
new file mode 100644
index 000000000000..1ae3d8544c92
--- /dev/null
+++ b/docs/reference/filebeat/windows-file-rotation.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/windows-file-rotation.html
+---
+
+# Open file handlers cause issues with Windows file rotation [windows-file-rotation]
+
+On Windows, you might have problems renaming or removing files because Filebeat keeps the file handlers open. This can lead to issues with the file rotating system. To avoid this issue, you can use the [`close_removed`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-close-removed) and [`close_renamed`](/reference/filebeat/filebeat-input-log.md#filebeat-input-log-close-renamed) options together.
+
+::::{important}
+When you configure these options, files may be closed before the harvester has finished reading the files. If the file cannot be picked up again by the input and the harvester hasn’t finish reading the file, the missing lines will never be sent to the output.
+::::
+
+
diff --git a/docs/reference/filebeat/yaml-tips.md b/docs/reference/filebeat/yaml-tips.md
new file mode 100644
index 000000000000..cfe9083fe190
--- /dev/null
+++ b/docs/reference/filebeat/yaml-tips.md
@@ -0,0 +1,60 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/filebeat/current/yaml-tips.html
+---
+
+# Avoid YAML formatting problems [yaml-tips]
+
+The configuration file uses [YAML](http://yaml.org/) for its syntax. When you edit the file to modify configuration settings, there are a few things that you should know.
+
+
+## Use spaces for indentation [_use_spaces_for_indentation]
+
+Indentation is meaningful in YAML. Make sure that you use spaces, rather than tab characters, to indent sections.
+
+In the default configuration files and in all the examples in the documentation, we use 2 spaces per indentation level. We recommend you do the same.
+
+
+## Look at the default config file for structure [_look_at_the_default_config_file_for_structure]
+
+The best way to understand where to define a configuration option is by looking at the provided sample configuration files. The configuration files contain most of the default configurations that are available for the Beat. To change a setting, simply uncomment the line and change the values.
+
+
+## Test your config file [_test_your_config_file]
+
+You can test your configuration file to verify that the structure is valid. Simply change to the directory where the binary is installed, and run the Beat in the foreground with the `test config` command specified. For example:
+
+```shell
+filebeat test config -c filebeat.yml
+```
+
+You’ll see a message if the Beat finds an error in the file.
+
+
+## Wrap regular expressions in single quotation marks [_wrap_regular_expressions_in_single_quotation_marks]
+
+If you need to specify a regular expression in a YAML file, it’s a good idea to wrap the regular expression in single quotation marks to work around YAML’s tricky rules for string escaping.
+
+For more information about YAML, see [http://yaml.org/](http://yaml.org/).
+
+
+## Wrap paths in single quotation marks [wrap-paths-in-quotes]
+
+Windows paths in particular sometimes contain spaces or characters, such as drive letters or triple dots, that may be misinterpreted by the YAML parser.
+
+To avoid this problem, it’s a good idea to wrap paths in single quotation marks.
+
+
+## Avoid using leading zeros in numeric values [avoid-leading-zeros]
+
+If you use a leading zero (for example, `09`) in a numeric field without wrapping the value in single quotation marks, the value may be interpreted incorrectly by the YAML parser. If the value is a valid octal, it’s converted to an integer. If not, it’s converted to a float.
+
+To prevent unwanted type conversions, avoid using leading zeros in field values, or wrap the values in single quotation marks.
+
+
+## Avoid accidental template variable resolution [dollar-sign-strings]
+
+The templating engine that allows the config to resolve data from environment variables can result in errors in strings with `$` characters. For example, if a password field contains `$$`, the engine will resolve this to `$`.
+
+To work around this, either use the [Secrets keystore](/reference/filebeat/keystore.md) or escape all instances of `$` with `$$`.
+
diff --git a/docs/reference/heartbeat/add-cloud-metadata.md b/docs/reference/heartbeat/add-cloud-metadata.md
new file mode 100644
index 000000000000..d6b286a2d0a4
--- /dev/null
+++ b/docs/reference/heartbeat/add-cloud-metadata.md
@@ -0,0 +1,205 @@
+---
+navigation_title: "add_cloud_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/add-cloud-metadata.html
+---
+
+# Add cloud metadata [add-cloud-metadata]
+
+
+The `add_cloud_metadata` processor enriches each event with instance metadata from the machine’s hosting provider. At startup it will query a list of hosting providers and cache the instance metadata.
+
+The following cloud providers are supported:
+
+* Amazon Web Services (AWS)
+* Digital Ocean
+* Google Compute Engine (GCE)
+* [Tencent Cloud](https://www.qcloud.com/?lang=en) (QCloud)
+* Alibaba Cloud (ECS)
+* Huawei Cloud (ECS)
+* Azure Virtual Machine
+* Openstack Nova
+* Hetzner Cloud
+
+
+## Special notes [_special_notes]
+
+`huawei` is an alias for `openstack`. Huawei cloud runs on OpenStack platform, and when viewed from a metadata API standpoint, it is impossible to differentiate it from OpenStack. If you know that your deployments run on Huawei Cloud exclusively, and you wish to have `cloud.provider` value as `huawei`, you can achieve this by overwriting the value using an `add_fields` processor.
+
+The Alibaba Cloud and Tencent cloud providers are disabled by default, because they require to access a remote host. The `providers` setting allows users to select a list of default providers to query.
+
+Cloud providers tend to maintain metadata services compliant with other cloud providers. For example, Openstack supports [EC2 compliant metadat service](https://docs.openstack.org/nova/latest/user/metadata.html#ec2-compatible-metadata). This makes it impossible to differentiate cloud provider (`cloud.provider` property) with auto discovery (when `providers` configuration is omitted). The processor implementation incorporates a priority mechanism where priority is given to some providers over others when there are multiple successful metadata results. Currently, `aws/ec2` and `azure` have priority over any other provider as their metadata retrival rely on SDKs. The expectation here is that SDK methods should fail if run in an environment not configured accordingly (ex:- missing configurations or credentials).
+
+
+## Configurations [_configurations]
+
+The simple configuration below enables the processor.
+
+```yaml
+processors:
+  - add_cloud_metadata: ~
+```
+
+The `add_cloud_metadata` processor has three optional configuration settings. The first one is `timeout` which specifies the maximum amount of time to wait for a successful response when detecting the hosting provider. The default timeout value is `3s`.
+
+If a timeout occurs then no instance metadata will be added to the events. This makes it possible to enable this processor for all your deployments (in the cloud or on-premise).
+
+The second optional setting is `providers`. The `providers` settings accepts a list of cloud provider names to be used. If `providers` is not configured, then all providers that do not access a remote endpoint are enabled by default. The list of providers may alternatively be configured with the environment variable `BEATS_ADD_CLOUD_METADATA_PROVIDERS`, by setting it to a comma-separated list of provider names.
+
+List of names the `providers` setting supports:
+
+* "alibaba", or "ecs" for the Alibaba Cloud provider (disabled by default).
+* "azure" for Azure Virtual Machine (enabled by default). If the virtual machine is part of an AKS managed cluster, the fields `orchestrator.cluster.name` and `orchestrator.cluster.id` can also be retrieved. "TENANT_ID", "CLIENT_ID" and "CLIENT_SECRET" environment variables need to be set for authentication purposes. If not set we fallback to [DefaultAzureCredential](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication?tabs=bash#2-authenticate-with-azure) and user can choose different authentication methods (e.g. workload identity).
+* "digitalocean" for Digital Ocean (enabled by default).
+* "aws", or "ec2" for Amazon Web Services (enabled by default).
+* "gcp" for Google Copmute Enging (enabled by default).
+* "openstack", "nova", or "huawei" for Openstack Nova (enabled by default).
+* "openstack-ssl", or "nova-ssl" for Openstack Nova when SSL metadata APIs are enabled (enabled by default).
+* "tencent", or "qcloud" for Tencent Cloud (disabled by default).
+* "hetzner" for Hetzner Cloud (enabled by default).
+
+For example, configuration below only utilize `aws` metadata retrival mechanism,
+
+```yaml
+processors:
+  - add_cloud_metadata:
+      providers:
+        aws
+```
+
+The third optional configuration setting is `overwrite`. When `overwrite` is `true`, `add_cloud_metadata` overwrites existing `cloud.*` fields (`false` by default).
+
+The `add_cloud_metadata` processor supports SSL options to configure the http client used to query cloud metadata. See [SSL](/reference/heartbeat/configuration-ssl.md) for more information.
+
+
+## Provided metadata [_provided_metadata]
+
+The metadata that is added to events varies by hosting provider. Below are examples for each of the supported providers.
+
+*AWS*
+
+Metadata given below are extracted from [instance identity document](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html),
+
+```json
+{
+  "cloud": {
+    "account.id": "123456789012",
+    "availability_zone": "us-east-1c",
+    "instance.id": "i-4e123456",
+    "machine.type": "t2.medium",
+    "image.id": "ami-abcd1234",
+    "provider": "aws",
+    "region": "us-east-1"
+  }
+}
+```
+
+If the EC2 instance has IMDS enabled and if tags are allowed through IMDS endpoint, the processor will further append tags in metadata. Please refer official documentation on [IMDS endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) for further details.
+
+```json
+{
+  "aws": {
+    "tags": {
+      "org" : "myOrg",
+      "owner": "userID"
+    }
+  }
+}
+```
+
+*Digital Ocean*
+
+```json
+{
+  "cloud": {
+    "instance.id": "1234567",
+    "provider": "digitalocean",
+    "region": "nyc2"
+  }
+}
+```
+
+*GCP*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "us-east1-b",
+    "instance.id": "1234556778987654321",
+    "machine.type": "f1-micro",
+    "project.id": "my-dev",
+    "provider": "gcp"
+  }
+}
+```
+
+*Tencent Cloud*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "gz-azone2",
+    "instance.id": "ins-qcloudv5",
+    "provider": "qcloud",
+    "region": "china-south-gz"
+  }
+}
+```
+
+*Alibaba Cloud*
+
+This metadata is only available when VPC is selected as the network type of the ECS instance.
+
+```json
+{
+  "cloud": {
+    "availability_zone": "cn-shenzhen",
+    "instance.id": "i-wz9g2hqiikg0aliyun2b",
+    "provider": "ecs",
+    "region": "cn-shenzhen-a"
+  }
+}
+```
+
+*Azure Virtual Machine*
+
+```json
+{
+  "cloud": {
+    "provider": "azure",
+    "instance.id": "04ab04c3-63de-4709-a9f9-9ab8c0411d5e",
+    "instance.name": "test-az-vm",
+    "machine.type": "Standard_D3_v2",
+    "region": "eastus2"
+  }
+}
+```
+
+*Openstack Nova*
+
+```json
+{
+  "cloud": {
+    "instance.name": "test-998d932195.mycloud.tld",
+    "instance.id": "i-00011a84",
+    "availability_zone": "xxxx-az-c",
+    "provider": "openstack",
+    "machine.type": "m2.large"
+  }
+}
+```
+
+*Hetzner Cloud*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "hel1-dc2",
+    "instance.name": "my-hetzner-instance",
+    "instance.id": "111111",
+    "provider": "hetzner",
+    "region": "eu-central"
+  }
+}
+```
+
diff --git a/docs/reference/heartbeat/add-cloudfoundry-metadata.md b/docs/reference/heartbeat/add-cloudfoundry-metadata.md
new file mode 100644
index 000000000000..96ff8aa3ca52
--- /dev/null
+++ b/docs/reference/heartbeat/add-cloudfoundry-metadata.md
@@ -0,0 +1,70 @@
+---
+navigation_title: "add_cloudfoundry_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/add-cloudfoundry-metadata.html
+---
+
+# Add Cloud Foundry metadata [add-cloudfoundry-metadata]
+
+
+The `add_cloudfoundry_metadata` processor annotates each event with relevant metadata from Cloud Foundry applications. The events are annotated with Cloud Foundry metadata, only if the event contains a reference to a Cloud Foundry application (using field `cloudfoundry.app.id`) and the configured Cloud Foundry client is able to retrieve information for the application.
+
+Each event is annotated with:
+
+* Application Name
+* Space ID
+* Space Name
+* Organization ID
+* Organization Name
+
+::::{note}
+Pivotal Application Service and Tanzu Application Service include this metadata in all events from the firehose since version 2.8. In these cases the metadata in the events is used, and `add_cloudfoundry_metadata` processor doesn’t modify these fields.
+::::
+
+
+For efficient annotation, application metadata retrieved by the Cloud Foundry client is stored in a persistent cache on the filesystem under the `path.data` directory. This is done so the metadata can persist across restarts of Heartbeat. For control over this cache, use the `cache_duration` and `cache_retry_delay` settings.
+
+```yaml
+processors:
+  - add_cloudfoundry_metadata:
+      api_address: https://api.dev.cfdev.sh
+      client_id: uaa-filebeat
+      client_secret: verysecret
+      ssl:
+        verification_mode: none
+      # To connect to Cloud Foundry over verified TLS you can specify a client and CA certificate.
+      #ssl:
+      #  certificate_authorities: ["/etc/pki/cf/ca.pem"]
+      #  certificate:              "/etc/pki/cf/cert.pem"
+      #  key:                      "/etc/pki/cf/cert.key"
+```
+
+It has the following settings:
+
+`api_address`
+:   (Optional) The URL of the Cloud Foundry API. It uses `http://api.bosh-lite.com` by default.
+
+`doppler_address`
+:   (Optional) The URL of the Cloud Foundry Doppler Websocket. It uses value from ${api_address}/v2/info by default.
+
+`uaa_address`
+:   (Optional) The URL of the Cloud Foundry UAA API. It uses value from ${api_address}/v2/info by default.
+
+`rlp_address`
+:   (Optional) The URL of the Cloud Foundry RLP Gateway. It uses value from ${api_address}/v2/info by default.
+
+`client_id`
+:   Client ID to authenticate with Cloud Foundry.
+
+`client_secret`
+:   Client Secret to authenticate with Cloud Foundry.
+
+`cache_duration`
+:   (Optional) Maximum amount of time to cache an application’s metadata. Defaults to 120 seconds.
+
+`cache_retry_delay`
+:   (Optional) Time to wait before trying to obtain an application’s metadata again in case of error. Defaults to 20 seconds.
+
+`ssl`
+:   (Optional) SSL configuration to use when connecting to Cloud Foundry.
+
diff --git a/docs/reference/heartbeat/add-docker-metadata.md b/docs/reference/heartbeat/add-docker-metadata.md
new file mode 100644
index 000000000000..5193f12d720c
--- /dev/null
+++ b/docs/reference/heartbeat/add-docker-metadata.md
@@ -0,0 +1,80 @@
+---
+navigation_title: "add_docker_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/add-docker-metadata.html
+---
+
+# Add Docker metadata [add-docker-metadata]
+
+
+The `add_docker_metadata` processor annotates each event with relevant metadata from Docker containers. At startup it detects a docker environment and caches the metadata. The events are annotated with Docker metadata, only if a valid configuration is detected and the processor is able to reach Docker API.
+
+Each event is annotated with:
+
+* Container ID
+* Name
+* Image
+* Labels
+
+::::{note}
+When running Heartbeat in a container, you need to provide access to Docker’s unix socket in order for the `add_docker_metadata` processor to work. You can do this by mounting the socket inside the container. For example:
+
+`docker run -v /var/run/docker.sock:/var/run/docker.sock ...`
+
+To avoid privilege issues, you may also need to add `--user=root` to the `docker run` flags. Because the user must be part of the docker group in order to access `/var/run/docker.sock`, root access is required if Heartbeat is running as non-root inside the container.
+
+If Docker daemon is restarted the mounted socket will become invalid and metadata will stop working, in these situations there are two options:
+
+* Restart Heartbeat every time Docker is restarted
+* Mount the entire `/var/run` directory (instead of just the socket)
+
+::::
+
+
+```yaml
+processors:
+  - add_docker_metadata:
+      host: "unix:///var/run/docker.sock"
+      #match_fields: ["system.process.cgroup.id"]
+      #match_pids: ["process.pid", "process.parent.pid"]
+      #match_source: true
+      #match_source_index: 4
+      #match_short_id: true
+      #cleanup_timeout: 60
+      #labels.dedot: false
+      # To connect to Docker over TLS you must specify a client and CA certificate.
+      #ssl:
+      #  certificate_authority: "/etc/pki/root/ca.pem"
+      #  certificate:           "/etc/pki/client/cert.pem"
+      #  key:                   "/etc/pki/client/cert.key"
+```
+
+It has the following settings:
+
+`host`
+:   (Optional) Docker socket (UNIX or TCP socket). It uses `unix:///var/run/docker.sock` by default.
+
+`ssl`
+:   (Optional) SSL configuration to use when connecting to the Docker socket.
+
+`match_fields`
+:   (Optional) A list of fields to match a container ID, at least one of them should hold a container ID to get the event enriched.
+
+`match_pids`
+:   (Optional) A list of fields that contain process IDs. If the process is running in Docker then the event will be enriched. The default value is `["process.pid", "process.parent.pid"]`.
+
+`match_source`
+:   (Optional) Match container ID from a log path present in the `log.file.path` field. Enabled by default.
+
+`match_short_id`
+:   (Optional) Match container short ID from a log path present in the `log.file.path` field. Disabled by default. This allows to match directories names that have the first 12 characters of the container ID. For example, `/var/log/containers/b7e3460e2b21/*.log`.
+
+`match_source_index`
+:   (Optional) Index in the source path split by `/` to look for container ID. It defaults to 4 to match `/var/lib/docker/containers/<container_id>/*.log`
+
+`cleanup_timeout`
+:   (Optional) Time of inactivity to consider we can clean and forget metadata for a container, 60s by default.
+
+`labels.dedot`
+:   (Optional) Default to be false. If set to true, replace dots in labels with `_`.
+
diff --git a/docs/reference/heartbeat/add-fields.md b/docs/reference/heartbeat/add-fields.md
new file mode 100644
index 000000000000..e13d29089026
--- /dev/null
+++ b/docs/reference/heartbeat/add-fields.md
@@ -0,0 +1,51 @@
+---
+navigation_title: "add_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/add-fields.html
+---
+
+# Add fields [add-fields]
+
+
+The `add_fields` processor adds additional fields to the event.  Fields can be scalar values, arrays, dictionaries, or any nested combination of these. The `add_fields` processor will overwrite the target field if it already exists. By default the fields that you specify will be grouped under the `fields` sub-dictionary in the event. To group the fields under a different sub-dictionary, use the `target` setting. To store the fields as top-level fields, set `target: ''`.
+
+`target`
+:   (Optional) Sub-dictionary to put all fields into. Defaults to `fields`. Setting this to `@metadata` will add values to the event metadata instead of fields.
+
+`fields`
+:   Fields to be added.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_fields:
+      target: project
+      fields:
+        name: myproject
+        id: '574734885120952459'
+```
+
+Adds these fields to any event:
+
+```json
+{
+  "project": {
+    "name": "myproject",
+    "id": "574734885120952459"
+  }
+}
+```
+
+This configuration will alter the event metadata:
+
+```yaml
+processors:
+  - add_fields:
+      target: '@metadata'
+      fields:
+        op_type: "index"
+```
+
+When the event is ingested (e.g. by Elastisearch) the document will have `op_type: "index"` set as a metadata field.
+
diff --git a/docs/reference/heartbeat/add-host-metadata.md b/docs/reference/heartbeat/add-host-metadata.md
new file mode 100644
index 000000000000..9fdc7c9a08c5
--- /dev/null
+++ b/docs/reference/heartbeat/add-host-metadata.md
@@ -0,0 +1,92 @@
+---
+navigation_title: "add_host_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/add-host-metadata.html
+---
+
+# Add Host metadata [add-host-metadata]
+
+
+```yaml
+processors:
+  - add_host_metadata:
+      cache.ttl: 5m
+      geo:
+        name: nyc-dc1-rack1
+        location: 40.7128, -74.0060
+        continent_name: North America
+        country_iso_code: US
+        region_name: New York
+        region_iso_code: NY
+        city_name: New York
+```
+
+It has the following settings:
+
+`netinfo.enabled`
+:   (Optional) Default true. Include IP addresses and MAC addresses as fields host.ip and host.mac
+
+`cache.ttl`
+:   (Optional) The processor uses an internal cache for the host metadata. This sets the cache expiration time. The default is 5m, negative values disable caching altogether.
+
+`geo.name`
+:   (Optional) User definable token to be used for identifying a discrete location. Frequently a datacenter, rack, or similar.
+
+`geo.location`
+:   (Optional) Longitude and latitude in comma separated format.
+
+`geo.continent_name`
+:   (Optional) Name of the continent.
+
+`geo.country_name`
+:   (Optional) Name of the country.
+
+`geo.region_name`
+:   (Optional) Name of the region.
+
+`geo.city_name`
+:   (Optional) Name of the city.
+
+`geo.country_iso_code`
+:   (Optional) ISO country code.
+
+`geo.region_iso_code`
+:   (Optional) ISO region code.
+
+`replace_fields`
+:   (Optional) Default true. If set to false, original host fields from the event will not be replaced by host fields from `add_host_metadata`.
+
+The `add_host_metadata` processor annotates each event with relevant metadata from the host machine. The fields added to the event look like the following:
+
+```json
+{
+   "host":{
+      "architecture":"x86_64",
+      "name":"example-host",
+      "id":"",
+      "os":{
+         "family":"darwin",
+         "type":"macos",
+         "build":"16G1212",
+         "platform":"darwin",
+         "version":"10.12.6",
+         "kernel":"16.7.0",
+         "name":"Mac OS X"
+      },
+      "ip": ["192.168.0.1", "10.0.0.1"],
+      "mac": ["00:25:96:12:34:56", "72:00:06:ff:79:f1"],
+      "geo": {
+          "continent_name": "North America",
+          "country_iso_code": "US",
+          "region_name": "New York",
+          "region_iso_code": "NY",
+          "city_name": "New York",
+          "name": "nyc-dc1-rack1",
+          "location": "40.7128, -74.0060"
+        }
+   }
+}
+```
+
+Note: `add_host_metadata` processor will overwrite host fields if `host.*` fields already exist in the event from Beats by default with `replace_fields` equals to `true`. Please use `add_observer_metadata` if the beat is being used to monitor external systems.
+
diff --git a/docs/reference/heartbeat/add-id.md b/docs/reference/heartbeat/add-id.md
new file mode 100644
index 000000000000..8946898ef6ec
--- /dev/null
+++ b/docs/reference/heartbeat/add-id.md
@@ -0,0 +1,24 @@
+---
+navigation_title: "add_id"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/add-id.html
+---
+
+# Generate an ID for an event [add-id]
+
+
+The `add_id` processor generates a unique ID for an event.
+
+```yaml
+processors:
+  - add_id: ~
+```
+
+The following settings are supported:
+
+`target_field`
+:   (Optional) Field where the generated ID will be stored. Default is `@metadata._id`.
+
+`type`
+:   (Optional) Type of ID to generate. Currently only `elasticsearch` is supported and is the default. The `elasticsearch` type generates IDs using the same algorithm that Elasticsearch uses for auto-generating document IDs.
+
diff --git a/docs/reference/heartbeat/add-kubernetes-metadata.md b/docs/reference/heartbeat/add-kubernetes-metadata.md
new file mode 100644
index 000000000000..6f5c9f8ca71b
--- /dev/null
+++ b/docs/reference/heartbeat/add-kubernetes-metadata.md
@@ -0,0 +1,244 @@
+---
+navigation_title: "add_kubernetes_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/add-kubernetes-metadata.html
+---
+
+# Add Kubernetes metadata [add-kubernetes-metadata]
+
+
+The `add_kubernetes_metadata` processor annotates each event with relevant metadata based on which Kubernetes pod the event originated from. This processor only adds metadata to the events that do not have it yet present.
+
+At startup, it detects an `in_cluster` environment and caches the Kubernetes-related metadata. Events are only annotated if a valid configuration is detected. If it’s not able to detect a valid Kubernetes configuration, the events are not annotated with Kubernetes-related metadata.
+
+Each event is annotated with:
+
+* Pod Name
+* Pod UID
+* Namespace
+* Labels
+
+In addition, the node and namespace metadata are added to the pod metadata.
+
+The `add_kubernetes_metadata` processor has two basic building blocks:
+
+* Indexers
+* Matchers
+
+Indexers use pod metadata to create unique identifiers for each one of the pods. These identifiers help to correlate the metadata of the observed pods with actual events. For example, the `ip_port` indexer can take a Kubernetes pod and create identifiers for it based on all its `pod_ip:container_port` combinations.
+
+Matchers use information in events to construct lookup keys that match the identifiers created by the indexers. For example, when the `fields` matcher takes `["metricset.host"]` as a lookup field, it would construct a lookup key with the value of the field `metricset.host`. When one of these lookup keys matches with one of the identifiers, the event is enriched with the metadata of the identified pod.
+
+Each Beat can define its own default indexers and matchers which are enabled by default. For example, Filebeat enables the `container` indexer, which identifies pod metadata based on all container IDs, and a `logs_path` matcher, which takes the `log.file.path` field, extracts the container ID, and uses it to retrieve metadata.
+
+You can find more information about the available indexers and matchers, and some examples in [Indexers and matchers](#kubernetes-indexers-and-matchers).
+
+The configuration below enables the processor when heartbeat is run as a pod in Kubernetes.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      # Defining indexers and matchers manually is required for heartbeat, for instance:
+      #indexers:
+      #  - ip_port:
+      #matchers:
+      #  - fields:
+      #      lookup_fields: ["metricset.host"]
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The configuration below enables the processor on a Beat running as a process on the Kubernetes node.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      host: <hostname>
+      # If kube_config is not set, KUBECONFIG environment variable will be checked
+      # and if not present it will fall back to InCluster
+      kube_config: $Heartbeat Reference/.kube/config
+      # Defining indexers and matchers manually is required for heartbeat, for instance:
+      #indexers:
+      #  - ip_port:
+      #matchers:
+      #  - fields:
+      #      lookup_fields: ["metricset.host"]
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The configuration below has the default indexers and matchers disabled and enables ones that the user is interested in.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      host: <hostname>
+      # If kube_config is not set, KUBECONFIG environment variable will be checked
+      # and if not present it will fall back to InCluster
+      kube_config: ~/.kube/config
+      default_indexers.enabled: false
+      default_matchers.enabled: false
+      indexers:
+        - ip_port:
+      matchers:
+        - fields:
+            lookup_fields: ["metricset.host"]
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The `add_kubernetes_metadata` processor has the following configuration settings:
+
+`host`
+:   (Optional) Specify the node to scope heartbeat to in case it cannot be accurately detected, as when running heartbeat in host network mode.
+
+`scope`
+:   (Optional) Specify if the processor should have visibility at the node level or at the entire cluster level. Possible values are `node` and `cluster`. Scope is `node` by default.
+
+`namespace`
+:   (Optional) Select the namespace from which to collect the metadata. If it is not set, the processor collects metadata from all namespaces. It is unset by default.
+
+`add_resource_metadata`
+:   (Optional) Specify filters and configuration for the extra metadata, that will be added to the event. Configuration parameters:
+
+    * `node` or `namespace`: Specify labels and annotations filters for the extra metadata coming from node and namespace. By default all labels are included while annotations are not. To change default behaviour `include_labels`, `exclude_labels` and `include_annotations` can be defined. Those settings are useful when storing labels and annotations that require special handling to avoid overloading the storage output. Note: wildcards are not supported for those settings. The enrichment of `node` or `namespace` metadata can be individually disabled by setting `enabled: false`.
+    * `deployment`: If resource is `pod` and it is created from a `deployment`, by default the deployment name is added, this can be disabled by setting `deployment: false`.
+    * `cronjob`: If resource is `pod` and it is created from a `cronjob`, by default the cronjob name is added, this can be disabled by setting `cronjob: false`.
+
+        Example:
+
+
+```yaml
+      add_resource_metadata:
+        namespace:
+          include_labels: ["namespacelabel1"]
+          #labels.dedot: true
+          #annotations.dedot: true
+        node:
+          include_labels: ["nodelabel2"]
+          include_annotations: ["nodeannotation1"]
+          #labels.dedot: true
+          #annotations.dedot: true
+        deployment: false
+        cronjob: false
+```
+
+`kube_config`
+:   (Optional) Use given config file as configuration for Kubernetes client. It defaults to `KUBECONFIG` environment variable if present.
+
+`use_kubeadm`
+:   (Optional) Default true. By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+
+`kube_client_options`
+:   (Optional) Additional options can be configured for Kubernetes client. Currently client QPS and burst are supported, if not set Kubernetes client’s [default QPS and burst](https://pkg.go.dev/k8s.io/client-go/rest#pkg-constants) will be used. Example:
+
+```yaml
+      kube_client_options:
+        qps: 5
+        burst: 10
+```
+
+`cleanup_timeout`
+:   (Optional) Specify the time of inactivity before stopping the running configuration for a container. This is `60s` by default.
+
+`sync_period`
+:   (Optional) Specify the timeout for listing historical resources.
+
+`default_indexers.enabled`
+:   (Optional) Enable or disable default pod indexers when you want to specify your own.
+
+`default_matchers.enabled`
+:   (Optional) Enable or disable default pod matchers when you want to specify your own.
+
+`labels.dedot`
+:   (Optional) Default to be true. If set to true, then `.` in labels will be replaced with `_`.
+
+`annotations.dedot`
+:   (Optional) Default to be true. If set to true, then `.` in labels will be replaced with `_`.
+
+
+## Indexers and matchers [kubernetes-indexers-and-matchers]
+
+## Indexers [_indexers]
+
+Indexers use pods metadata to create unique identifiers for each one of the pods.
+
+Available indexers are:
+
+`container`
+:   Identifies the pod metadata using the IDs of its containers.
+
+`ip_port`
+:   Identifies the pod metadata using combinations of its IP and its exposed ports. When using this indexer metadata is identified using the IP of the pods, and the combination if `ip:port` for each one of the ports exposed by its containers.
+
+`pod_name`
+:   Identifies the pod metadata using its namespace and its name as `namespace/pod_name`.
+
+`pod_uid`
+:   Identifies the pod metadata using the UID of the pod.
+
+
+## Matchers [_matchers]
+
+Matchers are used to construct the lookup keys that match with the identifiers created by indexes.
+
+### `field_format` [_field_format]
+
+Looks up pod metadata using a key created with a string format that can include event fields.
+
+This matcher has an option `format` to define the string format. This string format can contain placeholders for any field in the event.
+
+For example, the following configuration uses the `ip_port` indexer to identify the pod metadata by combinations of the pod IP and its exposed ports, and uses the destination IP and port in events as match keys:
+
+```yaml
+processors:
+- add_kubernetes_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - ip_port:
+    matchers:
+      - field_format:
+          format: '%{[destination.ip]}:%{[destination.port]}'
+```
+
+
+### `fields` [_fields]
+
+Looks up pod metadata using as key the value of some specific fields. When multiple fields are defined, the first one included in the event is used.
+
+This matcher has an option `lookup_fields` to define the files whose value will be used for lookup.
+
+For example, the following configuration uses the `ip_port` indexer to identify pods, and defines a matcher that uses the destination IP or the server IP for the lookup, the first it finds in the event:
+
+```yaml
+processors:
+- add_kubernetes_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - ip_port:
+    matchers:
+      - fields:
+          lookup_fields: ['destination.ip', 'server.ip']
+```
+
+It’s also possible to extract the matching key from fields using a regex pattern. The optional `regex_pattern` field can be used to set the pattern. The pattern **must** contain a capture group named `key`, whose value will be used as the matching key.
+
+For example, the following configuration uses the `container` indexer to identify containers by their id, and extracts the matching key from the cgroup id field added to system process metrics. This field has the form `cri-containerd-<id>.scope`, so we need a regex pattern to obtain the container id.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      indexers:
+        - container:
+      matchers:
+        - fields:
+            lookup_fields: ['system.process.cgroup.id']
+            regex_pattern: 'cri-containerd-(?P<key>[0-9a-z]+)\.scope'
+```
+
+
+
diff --git a/docs/reference/heartbeat/add-labels.md b/docs/reference/heartbeat/add-labels.md
new file mode 100644
index 000000000000..6d10f9d2e17e
--- /dev/null
+++ b/docs/reference/heartbeat/add-labels.md
@@ -0,0 +1,45 @@
+---
+navigation_title: "add_labels"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/add-labels.html
+---
+
+# Add labels [add-labels]
+
+
+The `add_labels` processors adds a set of key-value pairs to an event. The processor will flatten nested configuration objects like arrays or dictionaries into a fully qualified name by merging nested names with a `.`. Array entries create numeric names starting with 0.  Labels are always stored under the Elastic Common Schema compliant `labels` sub-dictionary.
+
+`labels`
+:   dictionaries of labels to be added.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_labels:
+      labels:
+        number: 1
+        with.dots: test
+        nested:
+          with.dots: nested
+        array:
+          - do
+          - re
+          - with.field: mi
+```
+
+Adds these fields to every event:
+
+```json
+{
+  "labels": {
+    "number": 1,
+    "with.dots": "test",
+    "nested.with.dots": "nested",
+    "array.0": "do",
+    "array.1": "re",
+    "array.2.with.field": "mi"
+  }
+}
+```
+
diff --git a/docs/reference/heartbeat/add-locale.md b/docs/reference/heartbeat/add-locale.md
new file mode 100644
index 000000000000..ab73581f977f
--- /dev/null
+++ b/docs/reference/heartbeat/add-locale.md
@@ -0,0 +1,31 @@
+---
+navigation_title: "add_locale"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/add-locale.html
+---
+
+# Add the local time zone [add-locale]
+
+
+The `add_locale` processor enriches each event with the machine’s time zone offset from UTC or with the name of the time zone. It supports one configuration option named `format` that controls whether an offset or time zone abbreviation is added to the event. The default format is `offset`. The processor adds the a `event.timezone` value to each event.
+
+The configuration below enables the processor with the default settings.
+
+```yaml
+processors:
+  - add_locale: ~
+```
+
+This configuration enables the processor and configures it to add the time zone abbreviation to events.
+
+```yaml
+processors:
+  - add_locale:
+      format: abbreviation
+```
+
+::::{note}
+Please note that `add_locale` differentiates between daylight savings time (DST) and regular time. For example `CEST` indicates DST and and `CET` is regular time.
+::::
+
+
diff --git a/docs/reference/heartbeat/add-network-direction.md b/docs/reference/heartbeat/add-network-direction.md
new file mode 100644
index 000000000000..258c5ff7e465
--- /dev/null
+++ b/docs/reference/heartbeat/add-network-direction.md
@@ -0,0 +1,22 @@
+---
+navigation_title: "add_network_direction"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/add-network-direction.html
+---
+
+# Add network direction [add-network-direction]
+
+
+The `add_network_direction` processor attempts to compute the perimeter-based network direction given an a source and destination ip address and list of internal networks. The key `internal_networks` can contain either CIDR blocks or a list of special values enumerated in the network section of [Conditions](/reference/heartbeat/defining-processors.md#conditions).
+
+```yaml
+processors:
+  - add_network_direction:
+      source: source.ip
+      destination: destination.ip
+      target: network.direction
+      internal_networks: [ private ]
+```
+
+See [Conditions](/reference/heartbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/heartbeat/add-nomad-metadata.md b/docs/reference/heartbeat/add-nomad-metadata.md
new file mode 100644
index 000000000000..42e87129893a
--- /dev/null
+++ b/docs/reference/heartbeat/add-nomad-metadata.md
@@ -0,0 +1,137 @@
+---
+navigation_title: "add_nomad_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/add-nomad-metadata.html
+---
+
+# Add Nomad metadata [add-nomad-metadata]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `add_nomad_metadata` processor adds fields with relevant metadata for applications deployed in Nomad.
+
+Each event is annotated with the following information:
+
+* Allocation name, identifier and status.
+* Job name and type.
+* Namespace where the job is deployed.
+* Datacenter and region where the agent running the allocation is located.
+
+```yaml
+processors:
+  - add_nomad_metadata: ~
+```
+
+It has the following settings to configure the connection:
+
+`address`
+:   (Optional) The URL of the agent API used to request the metadata. It uses `http://127.0.0.1:4646` by default.
+
+`namespace`
+:   (Optional) Namespace to watch. If set, only events for allocations in this namespace will be annotated.
+
+`region`
+:   (Optional) Region to watch. If set, only events for allocations in this region will be annotated.
+
+`secret_id`
+:   (Optional) SecretID to use when connecting with the agent API. This is an example ACL policy to apply to the token.
+
+```json
+namespace "*" {
+  policy = "read"
+}
+node {
+  policy = "read"
+}
+agent {
+  policy = "read"
+}
+```
+
+`refresh_interval`
+:   (Optional) Interval used to update the cached metadata. It defaults to 30 seconds.
+
+`cleanup_timeout`
+:   (Optional) After an allocation has been removed, time to wait before cleaning up their associated resources. This is useful if you expect to receive events after an allocation has been removed, which can happen when collecting logs. It defaults to 60 seconds.
+
+You can decide if Heartbeat should annotate events related to allocations in local node or on the whole cluster configuring the scope with the following settings:
+
+`scope`
+:   (Optional) Scope of the resources to watch. It can be `node` to get metadata only for the allocations in a single agent, or `global`, to get metadata for allocations running on any agent. It defaults to `node`.
+
+`node`
+:   (Optional) When using `scope: node`, use `node` to specify the name of the local node if it cannot be discovered automatically.
+
+For example the following configuration could be used if Heartbeat is collecting events from all the allocations in the cluster:
+
+```yaml
+processors:
+  - add_nomad_metadata:
+      scope: global
+```
+
+## Indexers and matchers [_indexers_and_matchers]
+
+Indexers and matchers are used to correlate fields in events with actual metadata. Heartbeat uses this information to know what metadata to include in each event.
+
+### Indexers [_indexers_2]
+
+Indexers use allocation metadata to create unique identifiers for each one of the pods.
+
+Avaliable indexers are: `allocation_name`:: Identifies allocations by its name and namespace (as `<namespace>/<name>`) `allocation_uuid`:: Identifies allocations by its unique identifier.
+
+
+### Matchers [_matchers_2]
+
+Matchers are used to construct the lookup keys that match with the identifiers created by indexes.
+
+
+### `field_format` [_field_format_2]
+
+Looks up allocation metadata using a key created with a string format that can include event fields.
+
+This matcher has an option `format` to define the string format. This string format can contain placeholders for any field in the event.
+
+For example, the following configuration uses the `allocation_name` indexer to identify the allocation metadata by its name and namespace, and uses custom fields existing in the event as match keys:
+
+```yaml
+processors:
+- add_nomad_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - allocation_name:
+    matchers:
+      - field_format:
+          format: '%{[labels.nomad_namespace]}/%{[fields.nomad_alloc_name]}'
+```
+
+
+### `fields` [_fields_2]
+
+Looks up allocation metadata using as key the value of some specific fields. When multiple fields are defined, the first one included in the event is used.
+
+This matcher has an option `lookup_fields` to define the fields whose value will be used for lookup.
+
+For example, the following configuration uses the `allocation_uuid` indexer to identify allocations, and defines a matcher that uses some fields where the allocation UUID can be found for lookup, the first it finds in the event:
+
+```yaml
+processors:
+- add_nomad_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - allocation_uuid:
+    matchers:
+      - fields:
+          lookup_fields: ['host.name', 'fields.nomad_alloc_uuid']
+```
+
+
+
diff --git a/docs/reference/heartbeat/add-observer-metadata.md b/docs/reference/heartbeat/add-observer-metadata.md
new file mode 100644
index 000000000000..f1b0e43bf87b
--- /dev/null
+++ b/docs/reference/heartbeat/add-observer-metadata.md
@@ -0,0 +1,88 @@
+---
+navigation_title: "add_observer_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/add-observer-metadata.html
+---
+
+# Add Observer metadata [add-observer-metadata]
+
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+```yaml
+processors:
+  - add_observer_metadata:
+      cache.ttl: 5m
+      geo:
+        name: nyc-dc1-rack1
+        location: 40.7128, -74.0060
+        continent_name: North America
+        country_iso_code: US
+        region_name: New York
+        region_iso_code: NY
+        city_name: New York
+```
+
+It has the following settings:
+
+`netinfo.enabled`
+:   (Optional) Default true. Include IP addresses and MAC addresses as fields observer.ip and observer.mac
+
+`cache.ttl`
+:   (Optional) The processor uses an internal cache for the observer metadata. This sets the cache expiration time. The default is 5m, negative values disable caching altogether.
+
+`geo.name`
+:   (Optional) User definable token to be used for identifying a discrete location. Frequently a datacenter, rack, or similar.
+
+`geo.location`
+:   (Optional) Longitude and latitude in comma separated format.
+
+`geo.continent_name`
+:   (Optional) Name of the continent.
+
+`geo.country_name`
+:   (Optional) Name of the country.
+
+`geo.region_name`
+:   (Optional) Name of the region.
+
+`geo.city_name`
+:   (Optional) Name of the city.
+
+`geo.country_iso_code`
+:   (Optional) ISO country code.
+
+`geo.region_iso_code`
+:   (Optional) ISO region code.
+
+The `add_observer_metadata` processor annotates each event with relevant metadata from the observer machine. The fields added to the event look like the following:
+
+```json
+{
+  "observer" : {
+    "hostname" : "avce",
+    "type" : "heartbeat",
+    "vendor" : "elastic",
+    "ip" : [
+      "192.168.1.251",
+      "fe80::64b2:c3ff:fe5b:b974",
+    ],
+    "mac" : [
+      "dc:c1:02:6f:1b:ed",
+    ],
+    "geo": {
+      "continent_name": "North America",
+      "country_iso_code": "US",
+      "region_name": "New York",
+      "region_iso_code": "NY",
+      "city_name": "New York",
+      "name": "nyc-dc1-rack1",
+      "location": "40.7128, -74.0060"
+    }
+  }
+}
+```
+
diff --git a/docs/reference/heartbeat/add-process-metadata.md b/docs/reference/heartbeat/add-process-metadata.md
new file mode 100644
index 000000000000..991f7510d316
--- /dev/null
+++ b/docs/reference/heartbeat/add-process-metadata.md
@@ -0,0 +1,94 @@
+---
+navigation_title: "add_process_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/add-process-metadata.html
+---
+
+# Add process metadata [add-process-metadata]
+
+
+The `add_process_metadata` processor enriches events with information from running processes, identified by their process ID (PID).
+
+```yaml
+processors:
+  - add_process_metadata:
+      match_pids:
+        - process.pid
+```
+
+The fields added to the event look as follows:
+
+```json
+{
+  "container": {
+    "id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1"
+  },
+  "process": {
+    "args": [
+      "/usr/lib/systemd/systemd",
+      "--switched-root",
+      "--system",
+      "--deserialize",
+      "22"
+    ],
+    "executable": "/usr/lib/systemd/systemd",
+    "name": "systemd",
+    "owner": {
+      "id": "0",
+      "name": "root"
+    },
+    "parent": {
+      "pid": 0
+    },
+    "pid": 1,
+    "start_time": "2018-08-22T08:44:50.684Z",
+    "title": "/usr/lib/systemd/systemd --switched-root --system --deserialize 22"
+  }
+}
+```
+
+Optionally, the process environment can be included, too:
+
+```json
+  ...
+  "env": {
+    "HOME":       "/",
+    "TERM":       "linux",
+    "BOOT_IMAGE": "/boot/vmlinuz-4.11.8-300.fc26.x86_64",
+    "LANG":       "en_US.UTF-8",
+  }
+  ...
+```
+
+It has the following settings:
+
+`match_pids`
+:   List of fields to lookup for a PID. The processor will search the list sequentially until the field is found in the current event, and the PID lookup will be applied to the value of this field.
+
+`target`
+:   (Optional) Destination prefix where the `process` object will be created. The default is the event’s root.
+
+`include_fields`
+:   (Optional) List of fields to add. By default, the processor will add all the available fields except `process.env`.
+
+`ignore_missing`
+:   (Optional) When set to `false`, events that don’t contain any of the fields in match_pids will be discarded and an error will be generated. By default, this condition is ignored.
+
+`overwrite_keys`
+:   (Optional) By default, if a target field already exists, it will not be overwritten, and an error will be logged. If `overwrite_keys` is set to `true`, this condition will be ignored.
+
+`restricted_fields`
+:   (Optional) By default, the `process.env` field is not output, to avoid leaking sensitive data. If `restricted_fields` is `true`, the field will be present in the output.
+
+`host_path`
+:   (Optional) By default, the `host_path` field is set to the root directory of the host `/`. This is the path where `/proc` is mounted. For different runtime configurations of Kubernetes or Docker, the `host_path` can be set to overwrite the default.
+
+`cgroup_prefixes`
+:   (Optional) List of prefixes that will be matched against cgroup paths. When a cgroup path begins with a prefix in the list, then the last element of the path is returned as the container ID. Only one of `cgroup_prefixes` and `cgroup_rexex` should be configured. If neither are configured then a default `cgroup_regex` value is used that matches cgroup paths containing 64-character container IDs (like those from Docker, Kubernetes, and Podman).
+
+`cgroup_regex`
+:   (Optional) A regular expression that will be matched against cgroup paths. It must contain one capturing group. When a cgroup path matches the regular expression then the value of the capturing group is returned as the container ID.  Only one of `cgroup_prefixes` and `cgroup_rexex` should be configured. If neither are configured then a default `cgroup_regex` value is used that matches cgroup paths containing 64-character container IDs (like those from Docker, Kubernetes, and Podman).
+
+`cgroup_cache_expire_time`
+:   (Optional) By default, the `cgroup_cache_expire_time` is set to 30 seconds. This is the length of time before cgroup cache elements expire in seconds. It can be set to 0 to disable the cgroup cache. In some container runtimes technology like runc, the container’s process is also process in the host kernel, and will be affected by PID rollover/reuse. The expire time needs to set smaller than the PIDs wrap around time to avoid wrong container id.
+
diff --git a/docs/reference/heartbeat/add-tags.md b/docs/reference/heartbeat/add-tags.md
new file mode 100644
index 000000000000..3386b75693cc
--- /dev/null
+++ b/docs/reference/heartbeat/add-tags.md
@@ -0,0 +1,34 @@
+---
+navigation_title: "add_tags"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/add-tags.html
+---
+
+# Add tags [add-tags]
+
+
+The `add_tags` processor adds tags to a list of tags. If the target field already exists, the tags are appended to the existing list of tags.
+
+`tags`
+:   List of tags to add.
+
+`target`
+:   (Optional) Field the tags will be added to. Defaults to `tags`. Setting tags in `@metadata` is not supported.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_tags:
+      tags: [web, production]
+      target: "environment"
+```
+
+Adds the environment field to every event:
+
+```json
+{
+  "environment": ["web", "production"]
+}
+```
+
diff --git a/docs/reference/heartbeat/append.md b/docs/reference/heartbeat/append.md
new file mode 100644
index 000000000000..46a0d5a16053
--- /dev/null
+++ b/docs/reference/heartbeat/append.md
@@ -0,0 +1,73 @@
+---
+navigation_title: "append"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/append.html
+---
+
+# Append Processor [append]
+
+
+The `append` processor appends one or more values to an existing array if the target field already exists and it is an array. Converts a scaler to an array and appends one or more values to it if the field exists and it is a scaler. Here the values can either be one or more static values or one or more values from the fields listed under *fields* key.
+
+`target_field`
+:   The field in which you want to append the data.
+
+`fields`
+:   (Optional) List of fields from which you want to copy data from. If the value is of a concrete type it will be appended directly to the target. However, if the value is an array, all the elements of the array are pushed individually to the target field.
+
+`values`
+:   (Optional) List of static values you want to append to target field.
+
+`ignore_empty_values`
+:   (Optional) If set to `true`, all the `""` and `nil` are omitted from being appended to the target field.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error occurs, the changes are reverted and the original is returned. If set to `false`, processing continues if an error occurs. Default is `true`.
+
+`allow_duplicate`
+:   (Optional) If set to `false`, the processor does not append values already present in the field. The default is `true`, which will append duplicate values in the array.
+
+`ignore_missing`
+:   (Optional) Indicates whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+note: If you want to use `fields` parameter with fields under `message`, make sure you use `decode_json_fields` first with `target: ""`.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - decode_json_fields:
+      fields: message
+      target: ""
+  - append:
+      target_field: target-field
+      fields:
+        - concrete.field
+        - array.one
+      values:
+        - static-value
+        - ""
+      ignore_missing: true
+      fail_on_error: true
+      ignore_empty_values: true
+```
+
+Copies the values of `concrete.field`, `array.one` response fields and the static values to `target-field`:
+
+```json
+{
+  "concrete": {
+    "field": "val0"
+  },
+  "array": {
+      "one": [ "val1", "val2" ]
+  },
+  "target-field": [
+    "val0",
+    "val1",
+    "val2",
+    "static-value"
+  ]
+}
+```
+
diff --git a/docs/reference/heartbeat/bandwidth-throttling.md b/docs/reference/heartbeat/bandwidth-throttling.md
new file mode 100644
index 000000000000..c2981e4a02e9
--- /dev/null
+++ b/docs/reference/heartbeat/bandwidth-throttling.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/bandwidth-throttling.html
+---
+
+# Heartbeat uses too much bandwidth [bandwidth-throttling]
+
+If you need to limit bandwidth usage, we recommend that you configure the network stack on your OS to perform bandwidth throttling.
+
+For example, the following Linux commands cap the connection between Heartbeat and Logstash by setting a limit of 50 kbps on TCP connections over port 5044:
+
+```shell
+tc qdisc add dev $DEV root handle 1: htb
+tc class add dev $DEV parent 1:1 classid 1:10 htb rate 50kbps ceil 50kbps
+tc filter add dev $DEV parent 1:0 prio 1 protocol ip handle 10 fw flowid 1:10
+iptables -A OUTPUT -t mangle -p tcp --dport 5044 -j MARK --set-mark 10
+```
+
+Using OS tools to perform bandwidth throttling gives you better control over policies. For example, you can use OS tools to cap bandwidth during the day, but not at night. Or you can leave the bandwidth uncapped, but assign a low priority to the traffic.
+
diff --git a/docs/reference/heartbeat/beats-api-keys.md b/docs/reference/heartbeat/beats-api-keys.md
new file mode 100644
index 000000000000..5db8749d99ac
--- /dev/null
+++ b/docs/reference/heartbeat/beats-api-keys.md
@@ -0,0 +1,142 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/beats-api-keys.html
+---
+
+# Grant access using API keys [beats-api-keys]
+
+Instead of using usernames and passwords, you can use API keys to grant access to {{es}} resources. You can set API keys to expire at a certain time, and you can explicitly invalidate them. Any user with the `manage_api_key` or `manage_own_api_key` cluster privilege can create API keys.
+
+Heartbeat instances typically send both collected data and monitoring information to {{es}}. If you are sending both to the same cluster, you can use the same API key. For different clusters, you need to use an API key per cluster.
+
+::::{note}
+For security reasons, we recommend using a unique API key per Heartbeat instance. You can create as many API keys per user as necessary.
+::::
+
+
+::::{important}
+Review [*Grant users access to secured resources*](/reference/heartbeat/feature-roles.md) before creating API keys for Heartbeat.
+::::
+
+
+
+## Create an API key for publishing [beats-api-key-publish]
+
+To create an API key to use for writing data to {{es}}, use the [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key), for example:
+
+```console
+POST /_security/api_key
+{
+  "name": "heartbeat_host001", <1>
+  "role_descriptors": {
+    "heartbeat_writer": { <2>
+      "cluster": ["monitor", "read_ilm", "read_pipeline"],
+      "index": [
+        {
+          "names": ["heartbeat-*"],
+          "privileges": ["view_index_metadata", "create_doc", "auto_configure"]
+        }
+      ]
+    }
+  }
+}
+```
+
+1. Name of the API key
+2. Granted privileges, see [*Grant users access to secured resources*](/reference/heartbeat/feature-roles.md)
+
+
+::::{note}
+See [Create a *publishing* user](/reference/heartbeat/privileges-to-publish-events.md) for the list of privileges required to publish events.
+::::
+
+
+The return value will look something like this:
+
+```console-result
+{
+  "id":"TiNAGG4BaaMdaH1tRfuU", <1>
+  "name":"heartbeat_host001",
+  "api_key":"KnR6yE41RrSowb0kQ0HWoA" <2>
+}
+```
+
+1. Unique id for this API key
+2. Generated API key
+
+
+You can now use this API key in your `heartbeat.yml` configuration file like this:
+
+```yaml
+output.elasticsearch:
+  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA <1>
+```
+
+1. Format is `id:api_key` (as returned by [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key))
+
+
+
+## Create an API key for monitoring [beats-api-key-monitor]
+
+To create an API key to use for sending monitoring data to {{es}}, use the [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key), for example:
+
+```console
+POST /_security/api_key
+{
+  "name": "heartbeat_host001", <1>
+  "role_descriptors": {
+    "heartbeat_monitoring": { <2>
+      "cluster": ["monitor"],
+      "index": [
+        {
+          "names": [".monitoring-beats-*"],
+          "privileges": ["create_index", "create"]
+        }
+      ]
+    }
+  }
+}
+```
+
+1. Name of the API key
+2. Granted privileges, see [*Grant users access to secured resources*](/reference/heartbeat/feature-roles.md)
+
+
+::::{note}
+See [Create a *monitoring* user](/reference/heartbeat/privileges-to-publish-monitoring.md) for the list of privileges required to send monitoring data.
+::::
+
+
+The return value will look something like this:
+
+```console-result
+{
+  "id":"TiNAGG4BaaMdaH1tRfuU", <1>
+  "name":"heartbeat_host001",
+  "api_key":"KnR6yE41RrSowb0kQ0HWoA" <2>
+}
+```
+
+1. Unique id for this API key
+2. Generated API key
+
+
+You can now use this API key in your `heartbeat.yml` configuration file like this:
+
+```yaml
+monitoring.elasticsearch:
+  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA <1>
+```
+
+1. Format is `id:api_key` (as returned by [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key))
+
+
+
+## Learn more about API keys [learn-more-api-keys]
+
+See the {{es}} API key documentation for more information:
+
+* [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key)
+* [Get API key information](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-get-api-key)
+* [Invalidate API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-invalidate-api-key)
+
diff --git a/docs/reference/heartbeat/change-index-name.md b/docs/reference/heartbeat/change-index-name.md
new file mode 100644
index 000000000000..a461173ae24d
--- /dev/null
+++ b/docs/reference/heartbeat/change-index-name.md
@@ -0,0 +1,19 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/change-index-name.html
+---
+
+# Change the index name [change-index-name]
+
+Heartbeat uses data streams named `heartbeat-9.0.0-beta1`. To use a different name, set the [`index`](/reference/heartbeat/elasticsearch-output.md#index-option-es) option in the {{es}} output. You also need to configure the `setup.template.name` and `setup.template.pattern` options to match the new name. For example:
+
+```sh
+output.elasticsearch.index: "customname-%{[agent.version]}"
+setup.template.name: "customname-%{[agent.version]}"
+setup.template.pattern: "customname-%{[agent.version]}"
+```
+
+For a full list of template setup options, see [Elasticsearch index template](/reference/heartbeat/configuration-template.md).
+
+Remember to change the index name when you load dashboards via the Kibana UI.
+
diff --git a/docs/reference/heartbeat/command-line-options.md b/docs/reference/heartbeat/command-line-options.md
new file mode 100644
index 000000000000..780f24d6cecb
--- /dev/null
+++ b/docs/reference/heartbeat/command-line-options.md
@@ -0,0 +1,339 @@
+---
+navigation_title: "Command reference"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/command-line-options.html
+---
+
+# Heartbeat command reference [command-line-options]
+
+
+Heartbeat provides a command-line interface for starting Heartbeat and performing common tasks, like testing configuration files.
+
+The command-line also supports [global flags](#global-flags) for controlling global behaviors.
+
+::::{tip}
+Use `sudo` to run the following commands if:
+
+* the config file is owned by `root`, or
+* Heartbeat is configured to capture data that requires `root` access
+
+::::
+
+
+Some of the features described here require an Elastic license. For more information, see [https://www.elastic.co/subscriptions](https://www.elastic.co/subscriptions) and [License Management](docs-content://deploy-manage/license/manage-your-license-in-self-managed-cluster.md).
+
+| Commands |  |
+| --- | --- |
+| [`export`](#export-command) | Exports the configuration, index template, or ILM policy to stdout. |
+| [`help`](#help-command) | Shows help for any command. |
+| [`keystore`](#keystore-command) | Manages the [secrets keystore](/reference/heartbeat/keystore.md). |
+| [`run`](#run-command) | Runs Heartbeat. This command is used by default if you start Heartbeat without specifying a command. |
+| [`setup`](#setup-command) | Sets up the initial environment, including the ES index template, and ILM policy and write alias. |
+| [`test`](#test-command) | Tests the configuration. |
+| [`version`](#version-command) | Shows information about the current version. |
+
+Also see [Global flags](#global-flags).
+
+## `export` command [export-command]
+
+Exports the configuration, index template, or ILM policy to stdout. You can use this command to quickly view your configuration or see the contents of the index template or the ILM policy.
+
+**SYNOPSIS**
+
+```sh
+heartbeat export SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`config`**
+:   Exports the current configuration to stdout. If you use the `-c` flag, this command exports the configuration that’s defined in the specified file.
+
+$$$template-subcommand$$$**`template`**
+:   Exports the index template to stdout. You can specify the `--es.version` flag to further define what gets exported. Furthermore you can export the template to a file instead of `stdout` by defining a directory via `--dir`.
+
+$$$ilm-policy-subcommand$$$
+
+**`ilm-policy`**
+:   Exports the index lifecycle management policy to stdout. You can specify the `--es.version` and a `--dir` to which the policy should be exported as a file rather than exporting to `stdout`.
+
+**FLAGS**
+
+**`--es.version VERSION`**
+:   When used with [`template`](#template-subcommand), exports an index template that is compatible with the specified version.  When used with [`ilm-policy`](#ilm-policy-subcommand), exports the ILM policy if the specified ES version is enabled for ILM.
+
+**`-h, --help`**
+:   Shows help for the `export` command.
+
+**`--dir DIRNAME`**
+:   Define a directory to which the template, pipelines, and ILM policy should be exported to as files instead of printing them to `stdout`.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+heartbeat export config
+heartbeat export template --es.version 9.0.0-beta1
+```
+
+
+## `help` command [help-command]
+
+Shows help for any command. If no command is specified, shows help for the `run` command.
+
+**SYNOPSIS**
+
+```sh
+heartbeat help COMMAND_NAME [FLAGS]
+```
+
+**`COMMAND_NAME`**
+:   Specifies the name of the command to show help for.
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `help` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+heartbeat help export
+```
+
+
+## `keystore` command [keystore-command]
+
+Manages the [secrets keystore](/reference/heartbeat/keystore.md).
+
+**SYNOPSIS**
+
+```sh
+heartbeat keystore SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`add KEY`**
+:   Adds the specified key to the keystore. Use the `--force` flag to overwrite an existing key. Use the `--stdin` flag to pass the value through `stdin`.
+
+**`create`**
+:   Creates a keystore to hold secrets. Use the `--force` flag to overwrite the existing keystore.
+
+**`list`**
+:   Lists the keys in the keystore.
+
+**`remove KEY`**
+:   Removes the specified key from the keystore.
+
+**FLAGS**
+
+**`--force`**
+:   Valid with the `add` and `create` subcommands. When used with `add`, overwrites the specified key. When used with `create`, overwrites the keystore.
+
+**`--stdin`**
+:   When used with `add`, uses the stdin as the source of the key’s value.
+
+**`-h, --help`**
+:   Shows help for the `keystore` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+heartbeat keystore create
+heartbeat keystore add ES_PWD
+heartbeat keystore remove ES_PWD
+heartbeat keystore list
+```
+
+See [Secrets keystore](/reference/heartbeat/keystore.md) for more examples.
+
+
+## `run` command [run-command]
+
+Runs Heartbeat. This command is used by default if you start Heartbeat without specifying a command.
+
+**SYNOPSIS**
+
+```sh
+heartbeat run [FLAGS]
+```
+
+Or:
+
+```sh
+heartbeat [FLAGS]
+```
+
+**FLAGS**
+
+**`-N, --N`**
+:   Disables publishing for testing purposes. This option disables all outputs except the [File output](/reference/heartbeat/file-output.md).
+
+**`--cpuprofile FILE`**
+:   Writes CPU profile data to the specified file. This option is useful for troubleshooting Heartbeat.
+
+**`-h, --help`**
+:   Shows help for the `run` command.
+
+**`--httpprof [HOST]:PORT`**
+:   Starts an http server for profiling. This option is useful for troubleshooting and profiling Heartbeat.
+
+**`--memprofile FILE`**
+:   Writes memory profile data to the specified output file. This option is useful for troubleshooting Heartbeat.
+
+**`--system.hostfs MOUNT_POINT`**
+:   Specifies the mount point of the host’s filesystem for use in monitoring a host. This flag is depricated, and an alternate hostfs should be specified via the `hostfs` module config value.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+heartbeat run -e
+```
+
+Or:
+
+```sh
+heartbeat -e
+```
+
+
+## `setup` command [setup-command]
+
+Sets up the initial environment, including the ES index template, and ILM policy and write alias
+
+* The index template ensures that fields are mapped correctly in Elasticsearch. If index lifecycle management is enabled it also ensures that the defined ILM policy and write alias are connected to the indices matching the index template. The ILM policy takes care of the lifecycle of an index, when to do a rollover, when to move an index from the hot phase to the next phase, etc.
+
+This command sets up the environment without actually running Heartbeat and ingesting data. Specify optional flags to set up a subset of assets.
+
+**SYNOPSIS**
+
+```sh
+heartbeat setup [FLAGS]
+```
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `setup` command.
+
+**`--index-management`**
+:   Sets up components related to Elasticsearch index management including template, ILM policy, and write alias (if supported and configured).
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+heartbeat setup --index-management
+```
+
+
+## `test` command [test-command]
+
+Tests the configuration.
+
+**SYNOPSIS**
+
+```sh
+heartbeat test SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`config`**
+:   Tests the configuration settings.
+
+**`output`**
+:   Tests that Heartbeat can connect to the output by using the current settings.
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `test` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+heartbeat test config
+```
+
+
+## `version` command [version-command]
+
+Shows information about the current version.
+
+**SYNOPSIS**
+
+```sh
+heartbeat version [FLAGS]
+```
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `version` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+heartbeat version
+```
+
+
+## Global flags [global-flags]
+
+These global flags are available whenever you run Heartbeat.
+
+**`-E, --E "SETTING_NAME=VALUE"`**
+:   Overrides a specific configuration setting. You can specify multiple overrides. For example:
+
+    ```sh
+    heartbeat -E "name=mybeat" -E "output.elasticsearch.hosts=['http://myhost:9200']"
+    ```
+
+    This setting is applied to the currently running Heartbeat process. The Heartbeat configuration file is not changed.
+
+
+**`-c, --c FILE`**
+:   Specifies the configuration file to use for Heartbeat. The file you specify here is relative to `path.config`. If the `-c` flag is not specified, the default config file, `heartbeat.yml`, is used.
+
+**`-d, --d SELECTORS`**
+:   Enables debugging for the specified selectors. For the selectors, you can specify a comma-separated list of components, or you can use `-d "*"` to enable debugging for all components. For example, `-d "publisher"` displays all the publisher-related messages.
+
+**`-e, --e`**
+:   Logs to stderr and disables syslog/file output.
+
+**`--environment`**
+:   For logging purposes, specifies the environment that Heartbeat is running in. This setting is used to select a default log output when no log output is configured. Supported values are: `systemd`, `container`, `macos_service`, and `windows_service`. If `systemd` or `container` is specified, Heartbeat will log to stdout and stderr by default.
+
+**`--path.config`**
+:   Sets the path for configuration files. See the [Directory layout](/reference/heartbeat/directory-layout.md) section for details.
+
+**`--path.data`**
+:   Sets the path for data files. See the [Directory layout](/reference/heartbeat/directory-layout.md) section for details.
+
+**`--path.home`**
+:   Sets the path for miscellaneous files. See the [Directory layout](/reference/heartbeat/directory-layout.md) section for details.
+
+**`--path.logs`**
+:   Sets the path for log files. See the [Directory layout](/reference/heartbeat/directory-layout.md) section for details.
+
+**`--strict.perms`**
+:   Sets strict permission checking on configuration files. The default is `--strict.perms=true`. See [Config file ownership and permissions](/reference/libbeat/config-file-permissions.md) for more information.
+
+**`-v, --v`**
+:   Logs INFO-level messages.
+
+
diff --git a/docs/reference/heartbeat/community-id.md b/docs/reference/heartbeat/community-id.md
new file mode 100644
index 000000000000..7e95ee36f0b2
--- /dev/null
+++ b/docs/reference/heartbeat/community-id.md
@@ -0,0 +1,41 @@
+---
+navigation_title: "community_id"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/community-id.html
+---
+
+# Community ID Network Flow Hash [community-id]
+
+
+The `community_id` processor computes a network flow hash according to the [Community ID Flow Hash specification](https://github.com/corelight/community-id-spec).
+
+The flow hash is useful for correlating all network events related to a single flow. For example you can filter on a community ID value and you might get back the Netflow records from multiple collectors and layer 7 protocol records from Packetbeat.
+
+By default the processor is configured to read the flow parameters from the appropriate Elastic Common Schema (ECS) fields. If you are processing ECS data then no parameters are required.
+
+```yaml
+processors:
+  - community_id:
+```
+
+If the data does not conform to ECS then you can customize the field names that the processor reads from. You can also change the `target` field which is where the computed hash is written to.
+
+```yaml
+processors:
+  - community_id:
+      fields:
+        source_ip: my_source_ip
+        source_port: my_source_port
+        destination_ip: my_dest_ip
+        destination_port: my_dest_port
+        iana_number: my_iana_number
+        transport: my_transport
+        icmp_type: my_icmp_type
+        icmp_code: my_icmp_code
+      target: network.community_id
+```
+
+If the necessary fields are not present in the event then the processor will silently continue without adding the target field.
+
+The processor also accepts an optional `seed` parameter that must be a 16-bit unsigned integer. This value gets incorporated into all generated hashes.
+
diff --git a/docs/reference/heartbeat/configuration-autodiscover-advanced.md b/docs/reference/heartbeat/configuration-autodiscover-advanced.md
new file mode 100644
index 000000000000..616029d2d75e
--- /dev/null
+++ b/docs/reference/heartbeat/configuration-autodiscover-advanced.md
@@ -0,0 +1,32 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-autodiscover-advanced.html
+---
+
+# Advanced usage [configuration-autodiscover-advanced]
+
+
+## Appenders [_appenders]
+
+Appenders allow users to append configuration that is already built with the help of either templates or builders. Appenders can be configured to be applied only when a required condition is matched. The kind of configuration that is applied is specific to each appender.
+
+
+### Config [_config_2]
+
+The config appender can apply a config on top of the config that was generated by templates or builders. The config is applied whenever a provided condition is matched. It is always applied if there is no condition provided.
+
+```yaml
+heartbeat.autodiscover:
+  providers:
+    - type: kubernetes
+      templates:
+        ...
+      appenders:
+        - type: config
+          condition.equals:
+            kubernetes.namespace: "prometheus"
+          config:
+            fields:
+              type: monitoring
+```
+
diff --git a/docs/reference/heartbeat/configuration-autodiscover-hints.md b/docs/reference/heartbeat/configuration-autodiscover-hints.md
new file mode 100644
index 000000000000..3d66c0510fef
--- /dev/null
+++ b/docs/reference/heartbeat/configuration-autodiscover-hints.md
@@ -0,0 +1,138 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-autodiscover-hints.html
+---
+
+# Hints based autodiscover [configuration-autodiscover-hints]
+
+Heartbeat supports autodiscover based on hints from the provider. The hints system looks for hints in Kubernetes Pod annotations or Docker labels that have the prefix `co.elastic.monitor`. As soon as the container starts, Heartbeat will check if it contains any hints and launch the proper config for it. Hints tell Heartbeat how to get logs for the given container. By default monitors will be created for the container that exposes the port being requested to be monitored. You can use hints to modify this behavior. This is the full list of supported hints:
+
+
+### `co.elastic.monitor/type` [_co_elastic_monitortype]
+
+Define the monitor type to use. Ex: http, tcp, icmp
+
+
+### `co.elastic.monitor/hosts` [_co_elastic_monitorhosts]
+
+The URIs to monitor. Example:
+
+```yaml
+co.elastic.monitor/type: icmp
+co.elastic.monitor/hosts: ${data.host}
+```
+
+This would ensure that each host has an ICMP monitor enabled on it.
+
+
+### `co.elastic.monitor/schedule` [_co_elastic_monitorschedule]
+
+Define the schedule on which the monitor should be executed.
+
+```
+co.elastic.monitor/schedule: "@every 5s"
+```
+
+
+### `co.elastic.monitor/processors` [_co_elastic_monitorprocessors]
+
+Define a processor to be added to the Heartbeat monitor configuration. See [Processors](/reference/heartbeat/filtering-enhancing-data.md) for the list of supported processors.
+
+In order to provide ordering of the processor definition, numbers can be provided. If not, the hints builder will do arbitrary ordering:
+
+```yaml
+co.elastic.monitor/processors.1.drop_fields.fields: "field1, field2"
+co.elastic.monitor/processors.drop_fields.fields: "field3"
+```
+
+In the above sample the processor definition tagged with `1` would be executed first.
+
+When hints are used along with templates, then hints will be evaluated only in case there is no template’s condition that resolves to true. For example:
+
+```yaml
+heartbeat.autodiscover:
+    - type: docker
+      hints.enabled: true
+      templates:
+        - condition:
+            contains:
+              docker.container.image: redis
+          config:
+            - type: tcp
+              hosts: ["${data.host}:${data.port}"]
+              schedule: "@every 1s"
+              timeout: 1s
+```
+
+In this example first the condition `docker.container.image: redis` is evaluated and if not matched the hints will be processed and if there is again no valid config the `hints.default_config` will be used.
+
+
+## Kubernetes [_kubernetes_2]
+
+Kubernetes autodiscover provider supports hints in Pod annotations. To enable it just set `hints.enabled`:
+
+```yaml
+heartbeat.autodiscover:
+  providers:
+    - type: kubernetes
+      hints.enabled: true
+```
+
+You can annotate Kubernetes Pods with useful info to spin up Heartbeat monitors:
+
+```yaml
+annotations:
+  co.elastic.monitor/type: icmp
+  co.elastic.monitor/hosts: ${data.host}
+  co.elastic.monitor/schedule: "@every 5s"
+```
+
+
+### Multiple containers [_multiple_containers]
+
+When a pod has multiple containers, the settings are shared unless you add the container name in the hint. For example, these hints configure the container exposing port 8080 to do a HTTP check and have the `sidecar` container to have an TCP check.
+
+```yaml
+annotations:
+  co.elastic.monitor/type: http
+  co.elastic.monitor/hosts: ${data.host}:8080/healthz
+  co.elastic.monitor/schedule: "@every 5s"
+  co.elastic.monitor.sidecar/type: tcp
+  co.elastic.monitor.sidecar/hosts: ${data.host}:8081
+  co.elastic.monitor.sidecar/schedule: "@every 5s"
+```
+
+
+### Multiple sets of hints [_multiple_sets_of_hints]
+
+When a container needs multiple monitors to be defined on it, sets of annotations can be provided with numeric prefixes. Annotations without numeric prefixes would default into a single monitor configuration.
+
+```yaml
+annotations:
+  co.elastic.monitor/type: http
+  co.elastic.monitor/hosts: ${data.host}:8080/healthz
+  co.elastic.monitor/schedule: "@every 5s"
+  co.elastic.monitor/1.type: tcp
+  co.elastic.monitor/1.hosts: ${data.host}:8080
+  co.elastic.monitor/1.schedule: "@every 5s"
+```
+
+
+## Docker [_docker_3]
+
+Docker autodiscover provider supports hints in labels. To enable it just set `hints.enabled`:
+
+```yaml
+heartbeat.autodiscover:
+  providers:
+    - type: docker
+      hints.enabled: true
+```
+
+You can label Docker containers with useful info to spin up Heartbeat monitors similar to the Kubernetes example:
+
+```
+LABEL co.elastic.monitor/1.type=tcp co.elastic.monitor/1.hosts='${data.host}:6379' co.elastic.monitor/1.schedule='@every 10s'
+LABEL co.elastic.monitor/2.type=icmp co.elastic.monitor/2.hosts='${data.host}' co.elastic.monitor/2.schedule='@every 10s'
+```
+
diff --git a/docs/reference/heartbeat/configuration-autodiscover.md b/docs/reference/heartbeat/configuration-autodiscover.md
new file mode 100644
index 000000000000..12522648dc80
--- /dev/null
+++ b/docs/reference/heartbeat/configuration-autodiscover.md
@@ -0,0 +1,580 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-autodiscover.html
+---
+
+# Autodiscover [configuration-autodiscover]
+
+When you run applications on containers, they become moving targets to the monitoring system. Autodiscover allows you to track them and adapt settings as changes happen. By defining configuration templates, the autodiscover subsystem can monitor services as they start running.
+
+You define autodiscover settings in the  `heartbeat.autodiscover` section of the `heartbeat.yml` config file. To enable autodiscover, you specify a list of providers.
+
+
+## Providers [_providers]
+
+Autodiscover providers work by watching for events on the system and translating those events into internal autodiscover events with a common format. When you configure the provider, you can optionally use fields from the autodiscover event to set conditions that, when met, launch specific configurations.
+
+On start, Heartbeat will scan existing containers and launch the proper configs for them. Then it will watch for new start/stop events. This ensures you don’t need to worry about state, but only define your desired configs.
+
+
+#### Docker [_docker_2]
+
+The Docker autodiscover provider watches for Docker containers to start and stop.
+
+It has the following settings:
+
+`host`
+:   (Optional) Docker socket (UNIX or TCP socket). It uses `unix:///var/run/docker.sock` by default.
+
+`ssl`
+:   (Optional) SSL configuration to use when connecting to the Docker socket.
+
+`cleanup_timeout`
+:   (Optional) Specify the time of inactivity before stopping the running configuration for a container, disabled by default.
+
+`labels.dedot`
+:   (Optional) Default to be false. If set to true, replace dots in labels with `_`.
+
+These are the fields available within config templating. The `docker.*` fields will be available on each emitted event. event:
+
+* host
+* port
+* docker.container.id
+* docker.container.image
+* docker.container.name
+* docker.container.labels
+
+For example:
+
+```yaml
+{
+  "host": "10.4.15.9",
+  "port": 6379,
+  "docker": {
+    "container": {
+      "id": "382184ecdb385cfd5d1f1a65f78911054c8511ae009635300ac28b4fc357ce51"
+      "name": "redis",
+      "image": "redis:3.2.11",
+      "labels": {
+        "io.kubernetes.pod.namespace": "default"
+        ...
+      }
+    }
+  }
+}
+```
+
+You can define a set of configuration templates to be applied when the condition matches an event. Templates define a condition to match on autodiscover events, together with the list of configurations to launch when this condition happens.
+
+Conditions match events from the provider. Providers use the same format for [Conditions](/reference/heartbeat/defining-processors.md#conditions) that processors use.
+
+Configuration templates can contain variables from the autodiscover event. They can be accessed under the `data` namespace. For example, with the example event, "`${data.port}`" resolves to `6379`.
+
+Heartbeat supports templates for modules:
+
+```yaml
+heartbeat.autodiscover:
+  providers:
+    - type: docker
+      templates:
+        - condition:
+            contains:
+              docker.container.image: redis
+          config:
+            - type: tcp
+              hosts: ["${data.host}:${data.port}"]
+              schedule: "@every 1s"
+              timeout: 1s
+```
+
+This configuration launches a `redis` monitor for all containers running an image with `redis` in the name.
+
+
+#### Kubernetes [_kubernetes]
+
+The Kubernetes autodiscover provider watches for Kubernetes nodes, pods, services to start, update, and stop.
+
+The `kubernetes` autodiscover provider has the following configuration settings:
+
+`node`
+:   (Optional) Specify the node to scope heartbeat to in case it cannot be accurately detected, as when running heartbeat in host network mode.
+
+`namespace`
+:   (Optional) Select the namespace from which to collect the events from the resources. If it is not set, the provider collects them from all namespaces. It is unset by default. The namespace configuration only applies to kubernetes resources that are namespace scoped and if `unique` field is set to `false`.
+
+`cleanup_timeout`
+:   (Optional) Specify the time of inactivity before stopping the running configuration for a container, disabled by default.
+
+`kube_config`
+:   (Optional) Use given config file as configuration for Kubernetes client. If kube_config is not set, KUBECONFIG environment variable will be checked and if not present it will fall back to InCluster.
+
+`kube_client_options`
+:   (Optional) Additional options can be configured for Kubernetes client. Currently client QPS and burst are supported, if not set Kubernetes client’s [default QPS and burst](https://pkg.go.dev/k8s.io/client-go/rest#pkg-constants) will be used. Example:
+
+```yaml
+      kube_client_options:
+        qps: 5
+        burst: 10
+```
+
+`resource`
+:   (Optional) Select the resource to do discovery on. Currently supported Kubernetes resources are `pod`, `service` and `node`. If not configured `resource` defaults to `pod`.
+
+`scope`
+:   (Optional) Specify at what level autodiscover needs to be done at. `scope` can either take `node` or `cluster` as values. `node` scope allows discovery of resources in the specified node. `cluster` scope allows cluster wide discovery. Only `pod` and `node` resources can be discovered at node scope.
+
+`add_resource_metadata`
+:   (Optional) Specify filters and configration for the extra metadata, that will be added to the event. Configuration parameters:
+
+    * `node` or `namespace`: Specify labels and annotations filters for the extra metadata coming from node and namespace. By default all labels are included while annotations are not. To change default behaviour `include_labels`, `exclude_labels` and `include_annotations` can be defined. Those settings are useful when storing labels and annotations that require special handling to avoid overloading the storage output. Note: wildcards are not supported for those settings. The enrichment of `node` or `namespace` metadata can be individually disabled by setting `enabled: false`.
+    * `deployment`: If resource is `pod` and it is created from a `deployment`, by default the deployment name isn’t added, this can be enabled by setting `deployment: true`.
+    * `cronjob`: If resource is `pod` and it is created from a `cronjob`, by default the cronjob name isn’t added, this can be enabled by setting `cronjob: true`.
+
+        Example:
+
+
+```yaml
+      add_resource_metadata:
+        namespace:
+          include_labels: ["namespacelabel1"]
+        node:
+          include_labels: ["nodelabel2"]
+          include_annotations: ["nodeannotation1"]
+        # deployment: false
+        # cronjob: false
+```
+
+`unique`
+:   (Optional) Defaults to `false`. Marking an autodiscover provider as unique results into making the provider to enable the provided templates only when it will gain the leader lease. This setting can only be combined with `cluster` scope. When `unique` is enabled, `resource` and `add_resource_metadata` settings are not taken into account.
+
+`leader_lease`
+:   (Optional) Defaults to `heartbeat-cluster-leader`. This will be name of the lock lease. One can monitor the status of the lease with `kubectl describe lease beats-cluster-leader`. Different Beats that refer to the same leader lease will be competitors in holding the lease and only one will be elected as leader each time.
+
+`leader_leaseduration`
+:   (Optional) Duration that non-leader candidates will wait to force acquire the lease leadership. Defaults to `15s`.
+
+`leader_renewdeadline`
+:   (Optional) Duration that the leader will retry refreshing its leadership before giving up. Defaults to `10s`.
+
+`leader_retryperiod`
+:   (Optional) Duration that the metricbeat instances running to acquire the lease should wait between tries of actions. Defaults to `2s`.
+
+Configuration templates can contain variables from the autodiscover event. These variables can be accessed under the `data` namespace, e.g. to access Pod IP: `${data.kubernetes.pod.ip}`.
+
+These are the fields available within config templating. The `kubernetes.*` fields will be available on each emitted event:
+
+
+##### Generic fields: [_generic_fields]
+
+* host
+
+
+##### Pod specific: [_pod_specific]
+
+| Key | Type | Description |
+| --- | --- | --- |
+| `port` | `string` | Pod port. If pod has multiple ports exposed should be used `ports.<port-name>` instead |
+| `kubernetes.namespace` | `string` | Namespace, where the Pod is running |
+| `kubernetes.namespace_uuid` | `string` | UUID of the Namespace, where the Pod is running |
+| `kubernetes.namespace_annotations.*` | `object` | Annotations of the Namespace, where the Pod is running. Annotations should be used in not dedoted format, e.g. `kubernetes.namespace_annotations.app.kubernetes.io/name` |
+| `kubernetes.pod.name` | `string` | Name of the Pod |
+| `kubernetes.pod.uid` | `string` | UID of the Pod |
+| `kubernetes.pod.ip` | `string` | IP of the Pod |
+| `kubernetes.labels.*` | `object` | Object of the Pod labels. Labels should be used in not dedoted format, e.g. `kubernetes.labels.app.kubernetes.io/name` |
+| `kubernetes.annotations.*` | `object` | Object of the Pod annotations. Annotations should be used in not dedoted format, e.g. `kubernetes.annotations.test.io/test` |
+| `kubernetes.container.name` | `string` | Name of the container |
+| `kubernetes.container.runtime` | `string` | Runtime of the container |
+| `kubernetes.container.id` | `string` | ID of the container |
+| `kubernetes.container.image` | `string` | Image of the container |
+| `kubernetes.node.name` | `string` | Name of the Node |
+| `kubernetes.node.uid` | `string` | UID of the Node |
+| `kubernetes.node.hostname` | `string` | Hostname of the Node |
+
+
+##### Node specific: [_node_specific]
+
+| Key | Type | Description |
+| --- | --- | --- |
+| `kubernetes.labels.*` | `object` | Object of labels of the Node |
+| `kubernetes.annotations.*` | `object` | Object of annotations of the Node |
+| `kubernetes.node.name` | `string` | Name of the Node |
+| `kubernetes.node.uid` | `string` | UID of the Node |
+| `kubernetes.node.hostname` | `string` | Hostname of the Node |
+
+
+##### Service specific: [_service_specific]
+
+| Key | Type | Description |
+| --- | --- | --- |
+| `port` | `string` | Service port |
+| `kubernetes.namespace` | `string` | Namespace of the Service |
+| `kubernetes.namespace_uuid` | `string` | UUID of the Namespace of the Service |
+| `kubernetes.namespace_annotations.*` | `object` | Annotations of the Namespace of the Service. Annotations should be used in not dedoted format, e.g. `kubernetes.namespace_annotations.app.kubernetes.io/name` |
+| `kubernetes.labels.*` | `object` | Object of the Service labels |
+| `kubernetes.annotations.*` | `object` | Object of the Service annotations |
+| `kubernetes.service.name` | `string` | Name of the Service |
+| `kubernetes.service.uid` | `string` | UID of the Service |
+
+If the `include_annotations` config is added to the provider config, then the list of annotations present in the config are added to the event.
+
+If the `include_labels` config is added to the provider config, then the list of labels present in the config will be added to the event.
+
+If the `exclude_labels` config is added to the provider config, then the list of labels present in the config will be excluded from the event.
+
+if the `labels.dedot` config is set to be `true` in the provider config, then `.` in labels will be replaced with `_`. By default it is `true`.
+
+if the `annotations.dedot` config is set to be `true` in the provider config, then `.` in annotations will be replaced with `_`. By default it is `true`.
+
+::::{note}
+Starting from 8.6 release `kubernetes.labels.*` used in config templating are not dedoted regardless of `labels.dedot` value. This config parameter only affects the fields added in the final Elasticsearch document. For example, for a pod with label `app.kubernetes.io/name=ingress-nginx` the matching condition should be `condition.equals: kubernetes.labels.app.kubernetes.io/name: "ingress-nginx"`. If `labels.dedot` is set to `true`(default value) the label will be stored in Elasticsearch as `kubernetes.labels.app_kubernetes_io/name`. The same applies for kubernetes annotations.
+::::
+
+
+For example:
+
+```yaml
+{
+  "host": "172.17.0.21",
+  "port": 9090,
+  "kubernetes": {
+    "container": {
+      "id": "bb3a50625c01b16a88aa224779c39262a9ad14264c3034669a50cd9a90af1527",
+      "image": "prom/prometheus",
+      "name": "prometheus"
+    },
+    "labels": {
+      "project": "prometheus",
+      ...
+    },
+    "namespace": "default",
+    "node": {
+      "name": "minikube"
+    },
+    "pod": {
+      "name": "prometheus-2657348378-k1pnh"
+    }
+  },
+}
+```
+
+Heartbeat supports templates for modules:
+
+```yaml
+heartbeat.autodiscover:
+  providers:
+    - type: kubernetes
+      include_annotations: ["prometheus.io.scrape"]
+      templates:
+        - condition:
+            contains:
+              kubernetes.annotations.prometheus.io/scrape: "true"
+          config:
+            - type: http
+              hosts: ["${data.host}:${data.port}"]
+              schedule: "@every 1s"
+              timeout: 1s
+```
+
+This configuration launches an `http` module for all containers of pods annotated with `prometheus.io/scrape=true`.
+
+
+#### Amazon ELBs (Deprecated) [_amazon_elbs_deprecated]
+
+**Note: This provider is now deprecated and will be removed in a future release.**
+
+The Amazon ELB autodiscover provider discovers [ELBs](https://aws.amazon.com/elasticloadbalancing/) and their listeners. This is useful when you don’t want to connect directly to a service, but rather to the ELB fronting a pool of services.
+
+This provider will yield one config block per ELB Listener. So, if you have one ELB exposing both ports 80 and 443, it will generate two configs, one for each port. Keep in mind that the beat will de-duplicate configs. So, if the generated configs are the same only one will actually run.
+
+This provider will load AWS credentials using the standard AWS environment variables and shared credentials files see [Best Practices for Managing AWS Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html) for more information. If you do not wish to use these, you may explicitly set the `access_key_id` and `secret_access_key` variables.
+
+These are the available fields during within config templating. The `aws.elb.*` fields will be available on each emitted event.
+
+* host
+* port
+* cloud.availability_zone
+* cloud.provider
+* cloud.region
+* aws.elb.listener_arn
+* aws.elb.load_balancer_arn
+* aws.elb.protocol
+* aws.elb.type
+* aws.elb.scheme
+* aws.elb.availability_zones
+* aws.elb.created
+* aws.elb.state.code
+* aws.elb.state.reason
+* aws.elb.ip_address_type
+* aws.elb.security_groups
+* aws.elb.vpc_id
+* aws.elb.ssl_policy
+
+Heartbeat supports templates for modules:
+
+```yaml
+heartbeat.autodiscover:
+  providers:
+  - type: aws_elb
+    period: 1m
+    regions: ["us-east-1", "us-east-2"]
+    access_key_id: my-access-key
+    secret_access_key: my-secret-access-key
+    templates:
+    - condition:
+        equals.port: 8080
+      config:
+      - type: tcp
+        hosts: ["${data.host}:${data.port}"]
+        schedule: "@every 5s"
+        timeout: 1s
+```
+
+This configuration launches a `tcp` monitor for all ELBs that have a declared port.
+
+This autodiscover provider takes our standard [AWS credentials options](#aws-credentials-config).
+
+
+## AWS Credentials Configuration [aws-credentials-config]
+
+To configure AWS credentials, either put the credentials into the Heartbeat configuration, or use a shared credentials file, as shown in the following examples.
+
+
+### Configuration parameters [_configuration_parameters]
+
+* **access_key_id**: first part of access key.
+* **secret_access_key**: second part of access key.
+* **session_token**: required when using temporary security credentials.
+* **credential_profile_name**: profile name in shared credentials file.
+* **shared_credential_file**: directory of the shared credentials file.
+* **role_arn**: AWS IAM Role to assume.
+* **external_id**: external ID to use when assuming a role in another account, see [the AWS documentation for use of external IDs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html).
+* **proxy_url**: URL of the proxy to use to connect to AWS web services. The syntax is `http(s)://<IP/Hostname>:<port>`
+* **fips_enabled**: Enabling this option instructs Heartbeat to use the FIPS endpoint of a service. All services used by Heartbeat are FIPS compatible except for `tagging` but only certain regions are FIPS compatible. See [https://aws.amazon.com/compliance/fips/](https://aws.amazon.com/compliance/fips/) or the appropriate service page, [https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html](https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html), for a full list of FIPS endpoints and regions.
+* **ssl**: This specifies SSL/TLS configuration. If the ssl section is missing, the host’s CAs are used for HTTPS connections. See [SSL](/reference/heartbeat/configuration-ssl.md) for more information.
+* **default_region**: Default region to query if no other region is set. Most AWS services offer a regional endpoint that can be used to make requests. Some services, such as IAM, do not support regions. If a region is not provided by any other way (environment variable, credential or instance profile), the value set here will be used.
+* **assume_role.duration**: The duration of the requested assume role session. Defaults to 15m when not set. AWS allows a maximum session duration between 1h and 12h depending on your maximum session duration policies.
+* **assume_role.expiry_window**: The expiry_window will allow refreshing the session prior to its expiration. This is beneficial to prevent expiring tokens from causing requests to fail with an ExpiredTokenException.
+
+
+### Supported Formats [_supported_formats]
+
+::::{note}
+The examples in this section refer to Metricbeat, but the credential options for authentication with AWS are the same no matter which Beat is being used.
+::::
+
+
+* Use `access_key_id`, `secret_access_key`, and/or `session_token`
+
+Users can either put the credentials into the Metricbeat module configuration or use environment variable `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and/or `AWS_SESSION_TOKEN` instead.
+
+If running on Docker, these environment variables should be added as a part of the docker command. For example, with Metricbeat:
+
+```bash
+$ docker run -e AWS_ACCESS_KEY_ID=abcd -e AWS_SECRET_ACCESS_KEY=abcd -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
+```
+
+Sample `metricbeat.aws.yml` looks like:
+
+```yaml
+metricbeat.modules:
+- module: aws
+  period: 5m
+  access_key_id: ${AWS_ACCESS_KEY_ID}
+  secret_access_key: ${AWS_SECRET_ACCESS_KEY}
+  session_token: ${AWS_SESSION_TOKEN}
+  metricsets:
+    - ec2
+```
+
+Environment variables can also be added through a file. For example:
+
+```bash
+$ cat env.list
+AWS_ACCESS_KEY_ID=abcd
+AWS_SECRET_ACCESS_KEY=abcd
+
+$ docker run --env-file env.list -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
+```
+
+* Use `credential_profile_name` and/or `shared_credential_file`
+
+If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then heartbeat will check for `credential_profile_name`. If you use different credentials for different tools or applications, you can use profiles to configure multiple access keys in the same configuration file. If there is no `credential_profile_name` given, the default profile will be used.
+
+`shared_credential_file` is optional to specify the directory of your shared credentials file. If it’s empty, the default directory will be used. In Windows, shared credentials file is at `C:\Users\<yourUserName>\.aws\credentials`. For Linux, macOS or Unix, the file is located at `~/.aws/credentials`. When running as a service, the home path depends on the user that manages the service, so the `shared_credential_file` parameter can be used to avoid ambiguity. Please see [Create Shared Credentials File](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.md) for more details.
+
+* Use `role_arn`
+
+`role_arn` is used to specify which AWS IAM role to assume for generating temporary credentials. If `role_arn` is given, heartbeat will check if access keys are given. If not, heartbeat will check for credential profile name. If neither is given, default credential profile will be used. Please make sure credentials are given under either a credential profile or access keys.
+
+If running on Docker, the credential file needs to be provided via a volume mount. For example, with Metricbeat:
+
+```bash
+docker run -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" --volume="/Users/foo/.aws/credentials:/usr/share/metricbeat/credentials:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
+```
+
+Sample `metricbeat.aws.yml` looks like:
+
+```yaml
+metricbeat.modules:
+- module: aws
+  period: 5m
+  credential_profile_name: elastic-beats
+  shared_credential_file: /usr/share/metricbeat/credentials
+  metricsets:
+    - ec2
+```
+
+```yaml
+heartbeat.autodiscover:
+  providers:
+  - type: aws_elb
+    period: 1m
+    regions: ["us-east-1", "us-east-2"]
+    access_key_id: '<access_key_id>'
+    secret_access_key: '<secret_access_key>'
+    session_token: '<session_token>'
+    templates:
+    - type: tcp
+      hosts: ["${data.host}:${data.port}"]
+      schedule: "@every 5s"
+      timeout: 1s
+```
+
+or
+
+```yaml
+heartbeat.autodiscover:
+  providers:
+  - type: aws_elb
+    period: 1m
+    regions: ["us-east-1", "us-east-2"]
+    access_key_id: '${AWS_ACCESS_KEY_ID:""}'
+    secret_access_key: '${AWS_SECRET_ACCESS_KEY:""}'
+    session_token: '${AWS_SESSION_TOKEN:""}'
+    templates:
+    - type: tcp
+      hosts: ["${data.host}:${data.port}"]
+      schedule: "@every 5s"
+      timeout: 1s
+```
+
+* Use shared AWS credentials file
+
+```yaml
+heartbeat.autodiscover:
+  providers:
+  - type: aws_elb
+    period: 1m
+    regions: ["us-east-1", "us-east-2"]
+    credential_profile_name: test-hb
+    templates:
+    - type: tcp
+      hosts: ["${data.host}:${data.port}"]
+      schedule: "@every 5s"
+      timeout: 1s
+```
+
+
+### AWS Credentials Types [_aws_credentials_types]
+
+There are two different types of AWS credentials can be used: access keys and temporary security credentials.
+
+* Access keys
+
+`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the two parts of access keys. They are long-term credentials for an IAM user or the AWS account root user. Please see [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) for more details.
+
+* IAM role ARN
+
+An IAM role is an IAM identity that you can create in your account that has specific permissions that determine what the identity can and cannot do in AWS. A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate temporary credentials. Please see [AssumeRole API documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) for more details.
+
+Here are the steps to set up IAM role using AWS CLI for Metricbeat. Please replace `123456789012` with your own account ID.
+
+Step 1. Create `example-policy.json` file to include all permissions:
+
+```yaml
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "sqs:ReceiveMessage"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "VisualEditor1",
+            "Effect": "Allow",
+            "Action": "sqs:ChangeMessageVisibility",
+            "Resource": "arn:aws:sqs:us-east-1:123456789012:test-fb-ks"
+        },
+        {
+            "Sid": "VisualEditor2",
+            "Effect": "Allow",
+            "Action": "sqs:DeleteMessage",
+            "Resource": "arn:aws:sqs:us-east-1:123456789012:test-fb-ks"
+        },
+        {
+            "Sid": "VisualEditor3",
+            "Effect": "Allow",
+            "Action": [
+                "sts:AssumeRole",
+                "sqs:ListQueues",
+                "tag:GetResources",
+                "ec2:DescribeInstances",
+                "cloudwatch:GetMetricData",
+                "ec2:DescribeRegions",
+                "iam:ListAccountAliases",
+                "sts:GetCallerIdentity",
+                "cloudwatch:ListMetrics"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
+Step 2. Create IAM policy using the `aws iam create-policy` command:
+
+```bash
+$ aws iam create-policy --policy-name example-policy --policy-document file://example-policy.json
+```
+
+Step 3. Create the JSON file `example-role-trust-policy.json` that defines the trust relationship of the IAM role
+
+```yaml
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
+        "Action": "sts:AssumeRole"
+    }
+}
+```
+
+Step 4. Create the IAM role and attach the policy:
+
+```bash
+$ aws iam create-role --role-name example-role --assume-role-policy-document file://example-role-trust-policy.json
+$ aws iam attach-role-policy --role-name example-role --policy-arn "arn:aws:iam::123456789012:policy/example-policy"
+```
+
+After these steps are done, IAM role ARN can be used for authentication in Metricbeat `aws` module.
+
+* Temporary security credentials
+
+Temporary security credentials has a limited lifetime and consists of an access key ID, a secret access key, and a security token which typically returned from `GetSessionToken`. MFA-enabled IAM users would need to submit an MFA code while calling `GetSessionToken`. Please see [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) for more details. `sts get-session-token` AWS CLI can be used to generate temporary credentials. For example. with MFA-enabled:
+
+```bash
+aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --token-code 456789 --duration-seconds 129600
+```
+
+Because temporary security credentials are short term, after they expire, the user needs to generate new ones and modify the aws.yml config file with the new credentials. Unless [live reloading](/reference/metricbeat/_live_reloading.md) feature is enabled for Metricbeat, the user needs to manually restart Metricbeat after updating the config file in order to continue collecting Cloudwatch metrics. This will cause data loss if the config file is not updated with new credentials before the old ones expire. For Metricbeat, we recommend users to use access keys in config file to enable aws module making AWS api calls without have to generate new temporary credentials and update the config frequently.
+
+IAM policy is an entity that defines permissions to an object within your AWS environment. Specific permissions needs to be added into the IAM user’s policy to authorize Metricbeat to collect AWS monitoring metrics. Please see documentation under each metricset for required permissions.
+
+
+
diff --git a/docs/reference/heartbeat/configuration-feature-flags.md b/docs/reference/heartbeat/configuration-feature-flags.md
new file mode 100644
index 000000000000..2f5fd4d143c1
--- /dev/null
+++ b/docs/reference/heartbeat/configuration-feature-flags.md
@@ -0,0 +1,54 @@
+---
+navigation_title: "Feature flags"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-feature-flags.html
+---
+
+# Configure feature flags [configuration-feature-flags]
+
+
+The Feature Flags section of the `heartbeat.yml` config file contains settings in Heartbeat that are disabled by default. These may include experimental features, changes to behaviors within Heartbeat, or settings that could cause a breaking change. For example a setting that changes information included in events might be inconsistent with the naming pattern expected in your configured Heartbeat output.
+
+To enable any of the settings listed on this page, change the associated `enabled` flag from `false` to `true`.
+
+```yaml
+features:
+  mysetting:
+    enabled: true
+```
+
+
+## Configuration options [_configuration_options_15]
+
+You can specify the following options in the `features` section of the `heartbeat.yml` config file:
+
+
+### `fqdn` [_fqdn]
+
+Contains configuration for the FQDN reporting feature. When this feature is enabled, the fully-qualified domain name for the host is reported in the `host.name` field in events produced by Heartbeat.
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+For FQDN reporting to work as expected, the hostname of the current host must either:
+
+* Have a CNAME entry defined in DNS.
+* Have one of its corresponding IP addresses respond successfully to a reverse DNS lookup.
+
+If neither pre-requisite is satisfied, `host.name` continues to report the hostname of the current host as if the FQDN feature flag were not enabled.
+
+Example configuration:
+
+```yaml
+features:
+  fqdn:
+    enabled: true
+```
+
+
+#### `enabled` [_enabled_10]
+
+Set to `true` to enable the FQDN reporting feature of Heartbeat. Defaults to `false`.
+
diff --git a/docs/reference/heartbeat/configuration-general-options.md b/docs/reference/heartbeat/configuration-general-options.md
new file mode 100644
index 000000000000..f75a6d9e8728
--- /dev/null
+++ b/docs/reference/heartbeat/configuration-general-options.md
@@ -0,0 +1,88 @@
+---
+navigation_title: "General settings"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-general-options.html
+---
+
+# Configure general settings [configuration-general-options]
+
+
+You can specify settings in the `heartbeat.yml` config file to control the general behavior of Heartbeat.
+
+
+## General configuration options [configuration-general]
+
+
+These options are supported by all Elastic Beats. Because they are common options, they are not namespaced.
+
+Here is an example configuration:
+
+```yaml
+name: "my-shipper"
+tags: ["service-X", "web-tier"]
+```
+
+
+### `name` [_name]
+
+The name of the Beat. If this option is empty, the `hostname` of the server is used. The name is included as the `agent.name` field in each published transaction. You can use the name to group all transactions sent by a single Beat.
+
+Example:
+
+```yaml
+name: "my-shipper"
+```
+
+
+### `tags` [_tags]
+
+A list of tags that the Beat includes in the `tags` field of each published transaction. Tags make it easy to group servers by different logical properties. For example, if you have a cluster of web servers, you can add the "webservers" tag to the Beat on each server, and then use filters and queries in the Kibana web interface to get visualisations for the whole group of servers.
+
+Example:
+
+```yaml
+tags: ["my-service", "hardware", "test"]
+```
+
+
+### `fields` [libbeat-configuration-fields]
+
+Optional fields that you can specify to add additional information to the output. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true.
+
+Example:
+
+```yaml
+fields: {project: "myproject", instance-id: "574734885120952459"}
+```
+
+
+### `fields_under_root` [_fields_under_root]
+
+If this option is set to true, the custom [fields](#libbeat-configuration-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names, then the custom fields overwrite the other fields.
+
+Example:
+
+```yaml
+fields_under_root: true
+fields:
+  instance_id: i-10a64379
+  region: us-east-1
+```
+
+
+### `processors` [_processors]
+
+A list of processors to apply to the data generated by the beat.
+
+See [Processors](/reference/heartbeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+### `max_procs` [_max_procs]
+
+Sets the maximum number of CPUs that can be executing simultaneously. The default is the number of logical CPUs available in the system.
+
+
+### `timestamp.precision` [_timestamp_precision]
+
+Configure the precision of all timestamps. By default it is set to millisecond. Available options: millisecond, microsecond, nanosecond
+
diff --git a/docs/reference/heartbeat/configuration-heartbeat-options.md b/docs/reference/heartbeat/configuration-heartbeat-options.md
new file mode 100644
index 000000000000..47949dcd2926
--- /dev/null
+++ b/docs/reference/heartbeat/configuration-heartbeat-options.md
@@ -0,0 +1,97 @@
+---
+navigation_title: "Monitors"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-heartbeat-options.html
+---
+
+# Configure Heartbeat monitors [configuration-heartbeat-options]
+
+
+To configure Heartbeat define a set of `monitors` to check your remote hosts. Specify monitors either directly inside the `heartbeat.yml` config file, or in external dynamically loaded files located in the directory referenced by `heartbeat.config.monitors.path`. One advantage of using external files is that these can be automatically reloaded without stopping the Heartbeat process.
+
+Each `monitor` item is an entry in a yaml list, and so begins with a dash (-). You can define the type of monitor to use, the hosts to check, and other optional settings that control Heartbeat behavior.
+
+The following example configures three monitors checking via the `icmp`, `tcp`, and `http` protocols directly inside the `heartbeat.yml` file, and demonstrates how to use TCP Echo and HTTP response verification:
+
+```yaml
+# heartbeat.yml
+heartbeat.monitors:
+- type: icmp
+  id: ping-myhost
+  name: My Host Ping
+  hosts: ["myhost"]
+  schedule: '*/5 * * * * * *'
+- type: tcp
+  id: myhost-tcp-echo
+  name: My Host TCP Echo
+  hosts: ["myhost:777"]  # default TCP Echo Protocol
+  check.send: "Check"
+  check.receive: "Check"
+  schedule: '@every 5s'
+- type: http
+  id: service-status
+  name: Service Status
+  service.name: my-apm-service-name
+  hosts: ["http://localhost:80/service/status"]
+  check.response.status: [200]
+  schedule: '@every 5s'
+heartbeat.scheduler:
+  limit: 10
+```
+
+Using the `heartbeat.yml` configuration file is convenient, but has two drawbacks: it can become hard to manage with large numbers of monitors, and it will not reload heartbeat automatically when its contents changes.
+
+Define monitors via the `heartbeat.config.monitors` to prevent those issues from happening to you. To do so you would instead have your `heartbeat.yml` file contain the following:
+
+```yaml
+# heartbeat.yml
+heartbeat.config.monitors:
+  # Directory + glob pattern to search for configuration files
+  path: /path/to/my/monitors.d/*.yml
+  # If enabled, heartbeat will periodically check the config.monitors path for changes
+  reload.enabled: true
+  # How often to check for changes
+  reload.period: 1s
+```
+
+Then, define one or more files in the directory pointed to by `heartbeat.config.monitors.path`. You may specify multiple monitors in a given file if you like. The contents of these files is monitor definitions only, e.g. what is normally under the `heartbeat.monitors` section of `heartbeat.yml`. See below for an example
+
+```yaml
+# /path/to/my/monitors.d/localhost_service_check.yml
+- type: http
+  id: service-status
+  name: Service Status
+  hosts: ["http://localhost:80/service/status"]
+  check.response.status: [200]
+  schedule: '@every 5s'
+```
+
+
+## Monitor types [monitor-types]
+
+You can configure Heartbeat to use the following monitor types:
+
+**[`icmp`](/reference/heartbeat/monitor-icmp-options.md)**
+:   Uses an ICMP (v4 and v6) Echo Request to ping the configured hosts. Requires special permissions or root access.
+
+**[`tcp`](/reference/heartbeat/monitor-tcp-options.md)**
+:   Connects via TCP and optionally verifies the endpoint by sending and/or receiving a custom payload.
+
+**[`http`](/reference/heartbeat/monitor-http-options.md)**
+:   Connects via HTTP and optionally verifies that the host returns the expected response. Will use `Elastic-Heartbeat` as the user agent product.
+
+The `tcp` and `http` monitor types both support SSL/TLS and some proxy settings.
+
+::::{note}
+**Looking for browser monitor options?**  {{heartbeat}} browser checks are in beta and will never be made generally available.
+
+If you want to set up browser checks, we highly recommend using Synthetics via [Projects](docs-content://solutions/observability/apps/create-monitors-with-project-monitors.md) or the [Synthetics app in {{kib}}](docs-content://solutions/observability/apps/create-monitors-in-synthetics-app.md) to create and manage browser monitors.
+
+If you need to refer to how beta {{heartbeat}} browser checks were set up previously, refer to the [Browser options documentation for 8.7](https://www.elastic.co/guide/en/beats/heartbeat/8.7/monitor-browser-options.html).
+::::
+
+
+
+
+
+
diff --git a/docs/reference/heartbeat/configuration-instrumentation.md b/docs/reference/heartbeat/configuration-instrumentation.md
new file mode 100644
index 000000000000..5ba0e9e5015c
--- /dev/null
+++ b/docs/reference/heartbeat/configuration-instrumentation.md
@@ -0,0 +1,87 @@
+---
+navigation_title: "Instrumentation"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-instrumentation.html
+---
+
+# Configure APM instrumentation [configuration-instrumentation]
+
+
+Libbeat uses the Elastic APM Go Agent to instrument its publishing pipeline. Currently, only the Elasticsearch output is instrumented. To gain insight into the performance of Heartbeat, you can enable this instrumentation and send trace data to the APM Integration.
+
+Example configuration with instrumentation enabled:
+
+```yaml
+instrumentation:
+  enabled: true
+  environment: production
+  hosts:
+    - "http://localhost:8200"
+  api_key: L5ER6FEvjkmlfalBealQ3f3fLqf03fazfOV
+```
+
+
+## Configuration options [_configuration_options_14]
+
+You can specify the following options in the `instrumentation` section of the `heartbeat.yml` config file:
+
+
+### `enabled` [_enabled_9]
+
+Set to `true` to enable instrumentation of Heartbeat. Defaults to `false`.
+
+
+### `environment` [_environment]
+
+Set the environment in which Heartbeat is running, for example, `staging`, `production`, `dev`, etc. Environments can be filtered in the [APM app](docs-content://solutions/observability/apps/overviews.md).
+
+
+### `hosts` [_hosts_3]
+
+The APM integration [host](docs-content://reference/ingestion-tools/observability/apm-settings.md) to report instrumentation data to. Defaults to `http://localhost:8200`.
+
+
+### `api_key` [_api_key_2]
+
+The [API Key](docs-content://reference/ingestion-tools/observability/apm-settings.md) used to secure communication with the APM Integration. If `api_key` is set then `secret_token` will be ignored.
+
+
+### `secret_token` [_secret_token]
+
+The [Secret token](docs-content://reference/ingestion-tools/observability/apm-settings.md) used to secure communication with the APM Integration.
+
+
+### `profiling.cpu.enabled` [_profiling_cpu_enabled]
+
+Set to `true` to enable CPU profiling, where profile samples are recorded as events.
+
+This feature is experimental.
+
+
+### `profiling.cpu.interval` [_profiling_cpu_interval]
+
+Configure the CPU profiling interval. Defaults to `60s`.
+
+This feature is experimental.
+
+
+### `profiling.cpu.duration` [_profiling_cpu_duration]
+
+Configure the CPU profiling duration. Defaults to `10s`.
+
+This feature is experimental.
+
+
+### `profiling.heap.enabled` [_profiling_heap_enabled]
+
+Set to `true` to enable heap profiling.
+
+This feature is experimental.
+
+
+### `profiling.heap.interval` [_profiling_heap_interval]
+
+Configure the heap profiling interval. Defaults to `60s`.
+
+This feature is experimental.
+
diff --git a/docs/reference/heartbeat/configuration-kerberos.md b/docs/reference/heartbeat/configuration-kerberos.md
new file mode 100644
index 000000000000..02814fe9a4fc
--- /dev/null
+++ b/docs/reference/heartbeat/configuration-kerberos.md
@@ -0,0 +1,90 @@
+---
+navigation_title: "Kerberos"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-kerberos.html
+---
+
+# Configure Kerberos [configuration-kerberos]
+
+
+You can specify Kerberos options with any output or input that supports Kerberos, like {{es}}.
+
+The following encryption types are supported:
+
+* aes128-cts-hmac-sha1-96
+* aes128-cts-hmac-sha256-128
+* aes256-cts-hmac-sha1-96
+* aes256-cts-hmac-sha384-192
+* des3-cbc-sha1-kd
+* rc4-hmac
+
+Example output config with Kerberos password based authentication:
+
+```yaml
+output.elasticsearch.hosts: ["http://my-elasticsearch.elastic.co:9200"]
+output.elasticsearch.kerberos.auth_type: password
+output.elasticsearch.kerberos.username: "elastic"
+output.elasticsearch.kerberos.password: "changeme"
+output.elasticsearch.kerberos.config_path: "/etc/krb5.conf"
+output.elasticsearch.kerberos.realm: "ELASTIC.CO"
+```
+
+The service principal name for the Elasticsearch instance is contructed from these options. Based on this configuration it is going to be `HTTP/my-elasticsearch.elastic.co@ELASTIC.CO`.
+
+
+## Configuration options [_configuration_options_9]
+
+You can specify the following options in the `kerberos` section of the `heartbeat.yml` config file:
+
+
+### `enabled` [_enabled_8]
+
+The `enabled` setting can be used to enable the kerberos configuration by setting it to `false`. The default value is `true`.
+
+::::{note}
+Kerberos settings are disabled if either `enabled` is set to `false` or the `kerberos` section is missing.
+::::
+
+
+
+### `auth_type` [_auth_type]
+
+There are two options to authenticate with Kerberos KDC: `password` and `keytab`.
+
+`password` expects the principal name and its password. When choosing `keytab`, you have to specify a principal name and a path to a keytab. The keytab must contain the keys of the selected principal. Otherwise, authentication will fail.
+
+
+### `config_path` [_config_path]
+
+You need to set the path to the `krb5.conf`, so Heartbeat can find the Kerberos KDC to retrieve a ticket.
+
+
+### `username` [_username_3]
+
+Name of the principal used to connect to the output.
+
+
+### `password` [_password_4]
+
+If you configured `password` for `auth_type`, you have to provide a password for the selected principal.
+
+
+### `keytab` [_keytab]
+
+If you configured `keytab` for `auth_type`, you have to provide the path to the keytab of the selected principal.
+
+
+### `service_name` [_service_name]
+
+This option can only be configured for Kafka. It is the name of the Kafka service, usually `kafka`.
+
+
+### `realm` [_realm]
+
+Name of the realm where the output resides.
+
+
+### `enable_krb5_fast` [_enable_krb5_fast]
+
+Enable Kerberos FAST authentication. This may conflict with some Active Directory installations. The default is `false`.
+
diff --git a/docs/reference/heartbeat/configuration-logging.md b/docs/reference/heartbeat/configuration-logging.md
new file mode 100644
index 000000000000..bc427eb3cdcd
--- /dev/null
+++ b/docs/reference/heartbeat/configuration-logging.md
@@ -0,0 +1,253 @@
+---
+navigation_title: "Logging"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-logging.html
+---
+
+# Configure logging [configuration-logging]
+
+
+The `logging` section of the `heartbeat.yml` config file contains options for configuring the logging output. The logging system can write logs to the syslog or rotate log files. If logging is not explicitly configured the file output is used.
+
+```yaml
+logging.level: info
+logging.to_files: true
+logging.files:
+  path: /var/log/heartbeat
+  name: heartbeat
+  keepfiles: 7
+  permissions: 0640
+```
+
+::::{tip}
+In addition to setting logging options in the config file, you can modify the logging output configuration from the command line. See [Command reference](/reference/heartbeat/command-line-options.md).
+::::
+
+
+::::{warning}
+When Heartbeat is running on a Linux system with systemd, it uses by default the `-e` command line option, that makes it write all the logging output to stderr so it can be captured by journald. Other outputs are disabled. See [Heartbeat and systemd](/reference/heartbeat/running-with-systemd.md) to know more and learn how to change this.
+::::
+
+
+
+## Configuration options [_configuration_options_13]
+
+You can specify the following options in the `logging` section of the `heartbeat.yml` config file:
+
+
+### `logging.to_stderr` [_logging_to_stderr]
+
+When true, writes all logging output to standard error output. This is equivalent to using the `-e` command line option.
+
+
+### `logging.to_syslog` [_logging_to_syslog]
+
+When true, writes all logging output to the syslog.
+
+::::{note}
+This option is not supported on Windows.
+::::
+
+
+
+### `logging.to_eventlog` [_logging_to_eventlog]
+
+When true, writes all logging output to the Windows Event Log.
+
+
+### `logging.to_files` [_logging_to_files]
+
+When true, writes all logging output to files. The log files are automatically rotated when the log file size limit is reached.
+
+::::{note}
+Heartbeat only creates a log file if there is logging output. For example, if you set the log [`level`](#level) to `error` and there are no errors, there will be no log file in the directory specified for logs.
+::::
+
+
+
+### `logging.level` [level]
+
+Minimum log level. One of `debug`, `info`, `warning`, or `error`. The default log level is `info`.
+
+`debug`
+:   Logs debug messages, including a detailed printout of all events flushed. Also logs informational messages, warnings, errors, and critical errors. When the log level is `debug`, you can specify a list of [`selectors`](#selectors) to display debug messages for specific components. If no selectors are specified, the `*` selector is used to display debug messages for all components.
+
+`info`
+:   Logs informational messages, including the number of events that are published. Also logs any warnings, errors, or critical errors.
+
+`warning`
+:   Logs warnings, errors, and critical errors.
+
+`error`
+:   Logs errors and critical errors.
+
+
+### `logging.selectors` [selectors]
+
+The list of debugging-only selector tags used by different Heartbeat components. Use `*` to enable debug output for all components. Use `publisher` to display debug messages related to event publishing.
+
+::::{tip}
+The list of available selectors may change between releases, so avoid creating tests that depend on specific selectors.
+
+To see which selectors are available, run Heartbeat in debug mode (set `logging.level: debug` in the configuration). The selector name appears after the log level and is enclosed in brackets.
+
+::::
+
+
+To configure multiple selectors, use the following [YAML list syntax](/reference/libbeat/config-file-format.md):
+
+```yaml
+logging.selectors: [ harvester, input ]
+```
+
+To override selectors at the command line, use the `-d` global flag (`-d` also sets the debug log level). For more information, see [Command reference](/reference/heartbeat/command-line-options.md).
+
+
+### `logging.metrics.enabled` [_logging_metrics_enabled]
+
+By default, Heartbeat periodically logs its internal metrics that have changed in the last period. For each metric that changed, the delta from the value at the beginning of the period is logged. Also, the total values for all non-zero internal metrics are logged on shutdown. Set this to false to disable this behavior. The default is true.
+
+Here is an example log line:
+
+```shell
+2017-12-17T19:17:42.667-0500    INFO    [metrics]       log/log.go:110  Non-zero metrics in the last 30s: beat.info.uptime.ms=30004 beat.memstats.gc_next=5046416
+```
+
+Note that we currently offer no backwards compatible guarantees for the internal metrics and for this reason they are also not documented.
+
+
+### `logging.metrics.period` [_logging_metrics_period]
+
+The period after which to log the internal metrics. The default is 30s.
+
+
+### `logging.metrics.namespaces` [_logging_metrics_namespaces]
+
+A list of metrics namespaces to report in the logs. Defaults to `[stats]`. `stats` contains general Beat metrics. `dataset` and `inputs` may be present in some Beats and contains module or input metrics.
+
+
+### `logging.files.path` [_logging_files_path]
+
+The directory that log files are written to. The default is the logs path. See the [Directory layout](/reference/heartbeat/directory-layout.md) section for details.
+
+
+### `logging.files.name` [_logging_files_name]
+
+The name of the file that logs are written to. The default is *heartbeat*.
+
+
+### `logging.files.rotateeverybytes` [_logging_files_rotateeverybytes]
+
+The maximum size of a log file. If the limit is reached, a new log file is generated. The default size limit is 10485760 (10 MB).
+
+
+### `logging.files.keepfiles` [_logging_files_keepfiles]
+
+The number of most recent rotated log files to keep on disk. Older files are deleted during log rotation. The default value is 7. The `keepfiles` options has to be in the range of 2 to 1024 files.
+
+
+### `logging.files.permissions` [_logging_files_permissions]
+
+The permissions mask to apply when rotating log files. The default value is 0600. The `permissions` option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with *0*.
+
+The most permissive mask allowed is 0640. If a higher permissions mask is specified via this setting, it will be subject to an umask of 0027.
+
+This option is not supported on Windows.
+
+Examples:
+
+* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
+* 0600: give read and write access to the file owner, and no access to all others.
+
+
+### `logging.files.interval` [_logging_files_interval]
+
+Enable log file rotation on time intervals in addition to size-based rotation. Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h are boundary-aligned with minutes, hours, days, weeks, months, and years as reported by the local system clock. All other intervals are calculated from the unix epoch. Defaults to disabled.
+
+
+### `logging.files.rotateonstartup` [_logging_files_rotateonstartup]
+
+If the log file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to true.
+
+
+### `logging.files.redirect_stderr` [preview] [_logging_files_redirect_stderr]
+
+When true, diagnostic messages printed to Heartbeat’s standard error output will also be logged to the log file. This can be helpful in situations were Heartbeat terminates unexpectedly because an error has been detected by Go’s runtime but diagnostic information is not present in the log file. This feature is only available when logging to files (`logging.to_files` is true). Disabled by default.
+
+
+## Logging format [_logging_format]
+
+The logging format is generally the same for each logging output. The one exception is with the syslog output where the timestamp is not included in the message because syslog adds its own timestamp.
+
+Each log message consists of the following parts:
+
+* Timestamp in ISO8601 format
+* Level
+* Logger name contained in brackets (Optional)
+* File name and line number of the caller
+* Message
+* Structured data encoded in JSON (Optional)
+
+Below are some samples:
+
+`2017-12-17T18:54:16.241-0500	INFO	logp/core_test.go:13	unnamed global logger`
+
+`2017-12-17T18:54:16.242-0500	INFO	[example]	logp/core_test.go:16	some message`
+
+`2017-12-17T18:54:16.242-0500	INFO	[example]	logp/core_test.go:19	some message	{"x": 1}`
+
+
+## Configuration options for event_data logger [_configuration_options_for_event_data_logger]
+
+Some outputs will log raw events on errors like indexing errors in the Elasticsearch output, to prevent logging raw events (that may contain sensitive information) together with other log messages, a different log file, only for log entries containing raw events, is used. It will use the same level, selectors and all other configurations from the default logger, but it will have it’s own file configuration.
+
+Having a different log file for raw events also prevents event data from drowning out the regular log files.
+
+::::{important}
+No matter the default logger output configuration, raw events will **always** be logged to a file configured by `logging.event_data.files`.
+::::
+
+
+
+### `logging.event_data.files.path` [_logging_event_data_files_path]
+
+The directory that log files are written to. The default is the logs path. See the [Directory layout](/reference/heartbeat/directory-layout.md) section for details.
+
+
+### `logging.event_data.files.name` [_logging_event_data_files_name]
+
+The name of the file that logs are written to. The default is *heartbeat*-events-data.
+
+
+### `logging.event_data.files.rotateeverybytes` [_logging_event_data_files_rotateeverybytes]
+
+The maximum size of a log file. If the limit is reached, a new log file is generated. The default size limit is 5242880 (5 MB).
+
+
+### `logging.event_data.files.keepfiles` [_logging_event_data_files_keepfiles]
+
+The number of most recent rotated log files to keep on disk. Older files are deleted during log rotation. The default value is 2. The `keepfiles` options has to be in the range of 2 to 1024 files.
+
+
+### `logging.event_data.files.permissions` [_logging_event_data_files_permissions]
+
+The permissions mask to apply when rotating log files. The default value is 0600. The `permissions` option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with *0*.
+
+The most permissive mask allowed is 0640. If a higher permissions mask is specified via this setting, it will be subject to an umask of 0027.
+
+This option is not supported on Windows.
+
+Examples:
+
+* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
+* 0600: give read and write access to the file owner, and no access to all others.
+
+
+### `logging.event_data.files.interval` [_logging_event_data_files_interval]
+
+Enable log file rotation on time intervals in addition to size-based rotation. Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h are boundary-aligned with minutes, hours, days, weeks, months, and years as reported by the local system clock. All other intervals are calculated from the unix epoch. Defaults to disabled.
+
+
+### `logging.event_data.files.rotateonstartup` [_logging_event_data_files_rotateonstartup]
+
+If the log file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to false.
diff --git a/docs/reference/heartbeat/configuration-monitor.md b/docs/reference/heartbeat/configuration-monitor.md
new file mode 100644
index 000000000000..ec2d2c7e48e4
--- /dev/null
+++ b/docs/reference/heartbeat/configuration-monitor.md
@@ -0,0 +1,113 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-monitor.html
+---
+
+# Settings for internal collection [configuration-monitor]
+
+Use the following settings to configure internal collection when you are not using {{metricbeat}} to collect monitoring data.
+
+You specify these settings in the X-Pack monitoring section of the `heartbeat.yml` config file:
+
+## `monitoring.enabled` [_monitoring_enabled]
+
+The `monitoring.enabled` config is a boolean setting to enable or disable {{monitoring}}. If set to `true`, monitoring is enabled.
+
+The default value is `false`.
+
+
+## `monitoring.elasticsearch` [_monitoring_elasticsearch]
+
+The {{es}} instances that you want to ship your Heartbeat metrics to. This configuration option contains the following fields:
+
+
+## `monitoring.cluster_uuid` [_monitoring_cluster_uuid]
+
+The `monitoring.cluster_uuid` config identifies the {{es}} cluster under which the monitoring data will appear in the Stack Monitoring UI.
+
+### `api_key` [_api_key_3]
+
+The detail of the API key to be used to send monitoring information to {{es}}. See [*Grant access using API keys*](/reference/heartbeat/beats-api-keys.md) for more information.
+
+
+### `bulk_max_size` [_bulk_max_size_5]
+
+The maximum number of metrics to bulk in a single {{es}} bulk API index request. The default is `50`. For more information, see [Elasticsearch](/reference/heartbeat/elasticsearch-output.md).
+
+
+### `backoff.init` [_backoff_init_4]
+
+The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting `backoff.init` seconds, Heartbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_4]
+
+The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. The default is 60s.
+
+
+### `compression_level` [_compression_level_3]
+
+The gzip compression level. Setting this value to `0` disables compression. The compression level must be in the range of `1` (best speed) to `9` (best compression). The default value is `0`. Increasing the compression level reduces the network usage but increases the CPU usage.
+
+
+### `headers` [_headers_3]
+
+Custom HTTP headers to add to each request. For more information, see [Elasticsearch](/reference/heartbeat/elasticsearch-output.md).
+
+
+### `hosts` [_hosts_4]
+
+The list of {{es}} nodes to connect to. Monitoring metrics are distributed to these nodes in round robin order. For more information, see [Elasticsearch](/reference/heartbeat/elasticsearch-output.md).
+
+
+### `max_retries` [_max_retries_5]
+
+The number of times to retry sending the monitoring metrics after a failure. After the specified number of retries, the metrics are typically dropped. The default value is `3`. For more information, see [Elasticsearch](/reference/heartbeat/elasticsearch-output.md).
+
+
+### `parameters` [_parameters_2]
+
+Dictionary of HTTP parameters to pass within the url with index operations.
+
+
+### `password` [_password_5]
+
+The password that Heartbeat uses to authenticate with the {{es}} instances for shipping monitoring data.
+
+
+### `metrics.period` [_metrics_period]
+
+The time interval (in seconds) when metrics are sent to the {{es}} cluster. A new snapshot of Heartbeat metrics is generated and scheduled for publishing each period. The default value is 10 * time.Second.
+
+
+### `state.period` [_state_period]
+
+The time interval (in seconds) when state information are sent to the {{es}} cluster. A new snapshot of Heartbeat state is generated and scheduled for publishing each period. The default value is 60 * time.Second.
+
+
+### `protocol` [_protocol]
+
+The name of the protocol to use when connecting to the {{es}} cluster. The options are: `http` or `https`. The default is `http`. If you specify a URL for `hosts`, however, the value of protocol is overridden by the scheme you specify in the URL.
+
+
+### `proxy_url` [_proxy_url_4]
+
+The URL of the proxy to use when connecting to the {{es}} cluster. For more information, see [Elasticsearch](/reference/heartbeat/elasticsearch-output.md).
+
+
+### `timeout` [_timeout_5]
+
+The HTTP request timeout in seconds for the {{es}} request. The default is `90`.
+
+
+### `ssl` [_ssl_5]
+
+Configuration options for Transport Layer Security (TLS) or Secure Sockets Layer (SSL) parameters like the certificate authority (CA) to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to {{es}}. For more information, see [SSL](/reference/heartbeat/configuration-ssl.md).
+
+
+### `username` [_username_4]
+
+The user ID that Heartbeat uses to authenticate with the {{es}} instances for shipping monitoring data.
+
+
+
diff --git a/docs/reference/heartbeat/configuration-observer-options.md b/docs/reference/heartbeat/configuration-observer-options.md
new file mode 100644
index 000000000000..50d0d4c3ee75
--- /dev/null
+++ b/docs/reference/heartbeat/configuration-observer-options.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-observer-options.html
+---
+
+# Add observer and geo metadata [configuration-observer-options]
+
+Use the `heartbeat.run_from` option to set the geographic location fields relevant to a given heartbeat instance.
+
+The `run_from` option is used to label the geographic location where the monitor is running. Note, you can also set the `run_from` option on an individual monitor to apply a unique setting to just that monitor.
+
+The `run_from` option takes two top-level fields:
+
+* `id`: A string used to uniquely identify the geographic location. It is indexed as the `observer.name` field.
+* `geo`: A map conforming to [ECS geo fields](ecs://reference/ecs-geo.md). It is indexed under `observer.geo`.
+
+Example:
+
+```yaml
+heartbeat.run_from:
+  id: my-custom-geo
+  geo:
+	name: nyc-dc1-rack2
+	location: 40.7128, -74.0060
+	continent_name: North America
+	country_iso_code: US
+	region_name: New York
+	region_iso_code: NY
+	city_name: New York
+```
+
diff --git a/docs/reference/heartbeat/configuration-output-codec.md b/docs/reference/heartbeat/configuration-output-codec.md
new file mode 100644
index 000000000000..5d44f5798072
--- /dev/null
+++ b/docs/reference/heartbeat/configuration-output-codec.md
@@ -0,0 +1,32 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-output-codec.html
+---
+
+# Change the output codec [configuration-output-codec]
+
+For outputs that do not require a specific encoding, you can change the encoding by using the codec configuration. You can specify either the `json` or `format` codec. By default the `json` codec is used.
+
+**`json.pretty`**: If `pretty` is set to true, events will be nicely formatted. The default is false.
+
+**`json.escape_html`**: If `escape_html` is set to true, html symbols will be escaped in strings. The default is false.
+
+Example configuration that uses the `json` codec with pretty printing enabled to write events to the console:
+
+```yaml
+output.console:
+  codec.json:
+    pretty: true
+    escape_html: false
+```
+
+**`format.string`**: Configurable format string used to create a custom formatted message.
+
+Example configurable that uses the `format` codec to print the events timestamp and message field to console:
+
+```yaml
+output.console:
+  codec.format:
+    string: '%{[@timestamp]} %{[message]}'
+```
+
diff --git a/docs/reference/heartbeat/configuration-path.md b/docs/reference/heartbeat/configuration-path.md
new file mode 100644
index 000000000000..c46df5de1dce
--- /dev/null
+++ b/docs/reference/heartbeat/configuration-path.md
@@ -0,0 +1,78 @@
+---
+navigation_title: "Project paths"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-path.html
+---
+
+# Configure project paths [configuration-path]
+
+
+The `path` section of the `heartbeat.yml` config file contains configuration options that define where Heartbeat looks for its files. For example, Heartbeat looks for the Elasticsearch template file in the configuration path and writes log files in the logs path.
+
+Please see the [Directory layout](/reference/heartbeat/directory-layout.md) section for more details.
+
+Here is an example configuration:
+
+```yaml
+path.home: /usr/share/beat
+path.config: /etc/beat
+path.data: /var/lib/beat
+path.logs: /var/log/
+```
+
+Note that it is possible to override these options by using command line flags.
+
+
+## Configuration options [_configuration_options]
+
+You can specify the following options in the `path` section of the `heartbeat.yml` config file:
+
+
+### `home` [_home]
+
+The home path for the Heartbeat installation. This is the default base path for all other path settings and for miscellaneous files that come with the distribution (for example, the sample dashboards). If not set by a CLI flag or in the configuration file, the default for the home path is the location of the Heartbeat binary.
+
+Example:
+
+```yaml
+path.home: /usr/share/beats
+```
+
+
+### `config` [_config]
+
+The configuration path for the Heartbeat installation. This is the default base path for configuration files, including the main YAML configuration file and the Elasticsearch template file. If not set by a CLI flag or in the configuration file, the default for the configuration path is the home path.
+
+Example:
+
+```yaml
+path.config: /usr/share/beats/config
+```
+
+
+### `data` [_data]
+
+The data path for the Heartbeat installation. This is the default base path for all the files in which Heartbeat needs to store its data. If not set by a CLI flag or in the configuration file, the default for the data path is a `data` subdirectory inside the home path.
+
+Example:
+
+```yaml
+path.data: /var/lib/beats
+```
+
+::::{tip}
+When running multiple Heartbeat instances on the same host, make sure they each have a distinct `path.data` value.
+::::
+
+
+
+### `logs` [_logs]
+
+The logs path for a Heartbeat installation. This is the default location for Heartbeat’s log files. If not set by a CLI flag or in the configuration file, the default for the logs path is a `logs` subdirectory inside the home path.
+
+Example:
+
+```yaml
+path.logs: /var/log/beats
+```
+
diff --git a/docs/reference/heartbeat/configuration-ssl.md b/docs/reference/heartbeat/configuration-ssl.md
new file mode 100644
index 000000000000..748e094fbc56
--- /dev/null
+++ b/docs/reference/heartbeat/configuration-ssl.md
@@ -0,0 +1,499 @@
+---
+navigation_title: "SSL"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-ssl.html
+---
+
+# Configure SSL [configuration-ssl]
+
+
+You can specify SSL options when you configure:
+
+* [outputs](/reference/heartbeat/configuring-output.md) that support SSL
+* [Heartbeat monitors](/reference/heartbeat/configuration-heartbeat-options.md) that support SSL
+
+Example output config with SSL enabled:
+
+```yaml
+output.elasticsearch.hosts: ["https://192.168.1.42:9200"]
+output.elasticsearch.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+output.elasticsearch.ssl.certificate: "/etc/client/cert.pem"
+output.elasticsearch.ssl.key: "/etc/client/cert.key"
+```
+
+Also see [*Secure communication with Logstash*](/reference/heartbeat/configuring-ssl-logstash.md).
+
+Example Kibana endpoint config with SSL enabled:
+
+```yaml
+setup.kibana.host: "https://192.0.2.255:5601"
+setup.kibana.ssl.enabled: true
+setup.kibana.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+setup.kibana.ssl.certificate: "/etc/client/cert.pem"
+setup.kibana.ssl.key: "/etc/client/cert.key"
+```
+
+Example monitor with SSL enabled:
+
+```yaml
+heartbeat.monitors:
+- type: tcp
+  schedule: '@every 5s'
+  hosts: ["myhost"]
+  ports: [80, 9200, 5044]
+  ssl:
+    certificate_authorities: ['/etc/ca.crt']
+    supported_protocols: ["TLSv1.1", "TLSv1.2"]
+```
+
+There are a number of SSL configuration options available to you:
+
+* [Common configuration options](#ssl-common-config)
+* [Client configuration options](#ssl-client-config)
+* [Server configuration options](#ssl-server-config)
+
+
+## Common configuration options [ssl-common-config]
+
+Common SSL configuration options can be used in both client and server configurations. You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `enabled` [enabled]
+
+To disable SSL configuration, set the value to `false`. The default value is `true`.
+
+::::{note}
+SSL settings are disabled if either `enabled` is set to `false` or the `ssl` section is missing.
+
+::::
+
+
+
+### `supported_protocols` [supported-protocols]
+
+List of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions not configured, the connection will be dropped during or after the handshake. The setting is a list of allowed protocol versions: `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.
+
+The default value is `[TLSv1.2, TLSv1.3]`.
+
+
+### `cipher_suites` [cipher-suites]
+
+The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s [default suites](https://golang.org/pkg/crypto/tls/) are used (recommended).
+
+Note that if TLS 1.3 is enabled (which is true by default), then the default TLS 1.3 cipher suites are always included, because Go’s standard library adds them to all connections. In order to exclude the default TLS 1.3 ciphers, TLS 1.3 must also be disabled, e.g. with the setting `ssl.supported_protocols = [TLSv1.2]`.
+
+The following cipher suites are available:
+
+| Cypher | Notes |
+| --- | --- |
+| ECDHE-ECDSA-AES-128-CBC-SHA |  |
+| ECDHE-ECDSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| ECDHE-ECDSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| ECDHE-ECDSA-AES-256-CBC-SHA |  |
+| ECDHE-ECDSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS 1.2 only. |
+| ECDHE-ECDSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+| ECDHE-RSA-3DES-CBC3-SHA |  |
+| ECDHE-RSA-AES-128-CBC-SHA |  |
+| ECDHE-RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| ECDHE-RSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| ECDHE-RSA-AES-256-CBC-SHA |  |
+| ECDHE-RSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| ECDHE-RSA-CHACHA20-POLY1205 | TLS 1.2 only. |
+| ECDHE-RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+| RSA-3DES-CBC3-SHA |  |
+| RSA-AES-128-CBC-SHA |  |
+| RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| RSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| RSA-AES-256-CBC-SHA |  |
+| RSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+
+Here is a list of acronyms used in defining the cipher suites:
+
+* 3DES: Cipher suites using triple DES
+* AES-128/256: Cipher suites using AES with 128/256-bit keys.
+* CBC: Cipher using Cipher Block Chaining as block cipher mode.
+* ECDHE: Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange.
+* ECDSA: Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication.
+* GCM: Galois/Counter mode is used for symmetric key cryptography.
+* RC4: Cipher suites using RC4.
+* RSA: Cipher suites using RSA.
+* SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384.
+
+
+### `curve_types` [curve-types]
+
+The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).
+
+The following elliptic curve types are available:
+
+* P-256
+* P-384
+* P-521
+* X25519
+
+
+### `ca_sha256` [ca-sha256]
+
+This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain.
+
+The pin is a base64 encoded string of the SHA-256 of the certificate.
+
+::::{note}
+This check is not a replacement for the normal SSL validation, but it adds additional validation. If this option is used with  `verification_mode` set to `none`, the check will always fail because it will not receive any verified chains.
+::::
+
+
+
+## Client configuration options [ssl-client-config]
+
+You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `certificate_authorities` [client-certificate-authorities]
+
+The list of root certificates for verifications is required. If `certificate_authorities` is empty or not set, the system keystore is used. If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well.
+
+By default you can specify a list of files that `heartbeat` will read, but you can also embed a certificate directly in the `YAML` configuration:
+
+```yaml
+certificate_authorities:
+  - |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `certificate: "/etc/client/cert.pem"` [client-certificate]
+
+The path to the certificate for SSL client authentication is only required if `client_authentication` is specified. If the certificate is not specified, client authentication is not available. The connection might fail if the server requests client authentication. If the SSL server does not require client authentication, the certificate will be loaded, but not requested or used by the server.
+
+When this option is configured, the [`key`](#client-key) option is also required. The certificate option support embedding of the certificate:
+
+```yaml
+certificate: |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `key: "/etc/client/cert.key"` [client-key]
+
+The client certificate key used for client authentication and is only required if `client_authentication` is configured. The key option support embedding of the private key:
+
+```yaml
+key: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
+    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
+    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
+    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
+    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
+    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
+    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
+    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
+    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
+    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
+    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
+    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
+    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
+    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
+    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
+    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
+    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
+    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
+    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
+    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
+    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
+    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
+    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
+    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
+    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
+    nygO9KTJuUiBrLr0AHEnqko=
+    -----END PRIVATE KEY-----
+```
+
+
+### `key_passphrase` [client-key-passphrase]
+
+The passphrase used to decrypt an encrypted key stored in the configured `key` file.
+
+
+### `verification_mode` [client-verification-mode]
+
+Controls the verification of server certificates. Valid values are:
+
+`full`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
+
+`strict`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.
+
+`certificate`
+:   Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
+
+`none`
+:   Performs *no verification* of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.
+
+    The default value is `full`.
+
+
+
+### `ca_trusted_fingerprint` [ca_trusted_fingerprint]
+
+A HEX encoded SHA-256 of a CA certificate. If this certificate is present in the chain during the handshake, it will be added to the `certificate_authorities` list and the handshake will continue normaly.
+
+To get the fingerprint from a CA certificate on a Unix-like system, you can use the following command, where `ca.crt` is the certificate.
+
+```
+openssl x509 -fingerprint -sha256 -noout -in ./ca.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'
+```
+
+
+## Server configuration options [ssl-server-config]
+
+You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `certificate_authorities` [server-certificate-authorities]
+
+The list of root certificates for client verifications is only required if `client_authentication` is configured. If `certificate_authorities` is empty or not set, and `client_authentication` is configured, the system keystore is used.
+
+If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well. By default you can specify a list of files that `heartbeat` will read, but you can also embed a certificate directly in the `YAML` configuration:
+
+```yaml
+certificate_authorities:
+  - |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `certificate: "/etc/server/cert.pem"` [server-certificate]
+
+The end-entity (leaf) certificate that the server uses to identify itself. If the certificate is signed by a certificate authority (CA), then it should include intermediate CA certificates, sorted from leaf to root. For servers, a `certificate` and [`key`](#server-key) must be specified.
+
+The certificate option supports embedding of the PEM certificate content. This example contains the leaf certificate followed by issuer’s certificate.
+
+```yaml
+certificate: |
+  -----BEGIN CERTIFICATE-----
+  MIIF2jCCA8KgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEW
+  MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8g
+  UmVhbDEOMAwGA1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwHhcNMjMxMDMw
+  MTkyMzU4WhcNMjMxMDMxMTkyMzU4WjB2MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMN
+  U2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8gUmVhbDEOMAwG
+  A1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMxDzANBgNVBAMTBnNlcnZlcjCC
+  AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALW37cart7l0KE3LCStFbiGm
+  Rr/QSkuPv+Y+SXFT4zXrMFP3mOfUCVsR4lugv+jmql9qjbwR9jKsgKXA1kSvNXSZ
+  lLYWRcNnQ+QzwKxJf/jy246nSfqb2FKvVMs580lDwKHHxn/FSpHV93O4Goy5cLfF
+  ACE7BSdJdxl5DVAMmmkzd6gBGgN8dQIbcyJYuIZYQt44PqSYh/BomTyOXKrmvX4y
+  t7/pF+ldJjWZq/6SfCq6WE0jSrpI1P/42Qd9h5Tsnl6qsUGA2Tz5ZqKz2cyxaIlK
+  wL9tYDionfFIl+jZcxkGPF2a14O1TycCI0B/z+0VL+HR/8fKAB0NdP+QRLaPWOrn
+  DvraAO+bVKC6VrQyUYNUOwtd2gMUqm6Hzrf4s3wjP754eSJkvnSoSAB6l7ZmJKe5
+  Pz5oDDOVPwKHv/MrhsCSMNFeXSEO+rq9TtYEAFQI5rFGHlURga8kA1T1pirHyEtS
+  2o8GUSPSHVulaPdFnHg4xfTexfRYLCqya75ISJuY2/+2GblCie/re1GFitZCZ46/
+  xiQQDOjgL96soDVZ+cTtMpXanslgDapTts9LPIJTd9FUJCY1omISGiSjABRuTlCV
+  8054ja4BKVahSd5BqqtVkWyV64SCut6kce2ndwBkyFvlZ6cteLCW7KtzYvba4XBb
+  YIAs+H+9e/bZUVhws5mFAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgeAMB0GA1Ud
+  JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAOBgNVHQ4EBwQFAQIDBAUwPwYDVR0R
+  BDgwNoIJbG9jYWxob3N0ghFiZWF0cy5leGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAA
+  AAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAgEAldSZOUi+OUR46ERQuINl1oED
+  mjNsQ9FNP/RDu8mPJaNb5v2sAbcpuZb9YdnScT+d+n0+LMd5uz2g67Qr73QCpXwL
+  9YJIs56i7qMTKXlVvRQrvF9P/zP3sm5Zfd2I/x+8oXgEeYsxAWipJ8RsbnN1dtu8
+  C4l+P0E58jjrjom11W90RiHYaT0SI2PPBTTRhYLz0HayThPZDMdFnIQqVxUYbQD5
+  ybWu77hnsvC/g2C8/N2LAdQGJJ67owMa5T3YRneiaSvvOf3I45oeLE+olGAPdrSq
+  5Sp0G7fcAKMRPxcwYeD7V5lfYMtb+RzECpYAHT8zHKLZl6/34q2k8P8EWEpAsD80
+  +zSbCkdvNiU5lU90rV8E2baTKCg871k4O8sT48eUyDps6ZUCfT1dgefXeyOTV5bY
+  864Zo6bWJhAJ7Qa2d4HJkqPzSbqsosHVobojgkOcMqkStLHd8sgtCoFmJMflbp7E
+  ghawl/RVFEkL9+TWy9fR8sJWRx13P8CUP6AL9kVmcU2c3gMNpvQfIii9QOnQrRsi
+  yZj9FKl+ZM49I6RQ6dY5JVgWtpVm/+GBVuy1Aj91JEjw7r1jAeir5K9LAXG8kEN9
+  irndx1SK2MMTY79lGHFGQRv3vnQGI0Wzjtn31YJ7qIFNJ1WWbAZLR9FBtzmMeXM6
+  puoJ9UYvfIcHUGPdZGU=
+  -----END CERTIFICATE-----
+  -----BEGIN CERTIFICATE-----
+  MIIFpjCCA46gAwIBAgIBATANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEW
+  MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8g
+  UmVhbDEOMAwGA1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwHhcNMjMxMDMw
+  MTkyMzU2WhcNMjMxMDMxMTkyMzU2WjBlMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMN
+  U2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8gUmVhbDEOMAwG
+  A1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwggIiMA0GCSqGSIb3DQEBAQUA
+  A4ICDwAwggIKAoICAQDQP3hJt4jTIo+tBXB/R4RuBTvv6OOago9joxlNDm0abseJ
+  ehE0V8FDi0SSpa7ZiqwCGq/deu5OIWVNpFCLHeH5YBriNmB7oPkNRCleu50JsUrG
+  RjSTtBIJcu/CVpD7Q5XMbhbhYcPArrxrSreo3ox8a+2X7b8nA1xPgIcWqSCgs9iV
+  lwKHaQWNTUXYwwZG7b9WG4EJaki6t1+1QbDDJU0oWrZNg23wQEBvEVRDQs7kadvm
+  9YtZLPULlSyV4Rk3yNW8dPXHjcz2wp3PBPIWIQe9mzYU608307TkUMVN2EEOImxl
+  Wm1RtXYvvVb1LiY0C2lYbN3jLZQzffK5RsS87ocqTQM+HvDBv/PupHDvW08wietu
+  RtRbdx/2cN0GLmOHnkWKx+GlYDZfAtIj958fTKl2hHyNqJ1pE7vksSYBwBxMFQem
+  eSGzw5pO53kmPcZO203YQ2qoJd7z1aLf7eAOqDn5zwlYNc00bZ6DwTZsyptGv9sZ
+  zcZuovppPgCN4f1I9ja/NPKep+sVKfQqR5HuOFOPFcr6oOioESJSgIvXXF9RhCVh
+  UMeZKWWSCNm1ea4h6q8OJdQfM7XXkXm+dEyF0TogC00CidZWuYMZcgXND5p/1Di5
+  PkCKPUMllCoK0oaTfFioNW7qtNbDGQrW+spwDa4kjJNKYtDD0jjPgFMgSzQ2MwID
+  AQABo2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG
+  AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFImOXc9Tv+mgn9jOsPig
+  9vlAUTa+MA0GCSqGSIb3DQEBCwUAA4ICAQBZ9tqU88Nmgf+vDgkKMKLmLMaRCRlV
+  HcYrm7WoWLX+q6VSbmvf5eD5OrzzbAnnp16iXap8ivsAEFTo8XWh/bjl7G/2jetR
+  xZD2WHtzmAg3s4SVsEHIyFUF1ERwnjO2ndHjoIsx8ktUk1aNrmgPI6s07fkULDm+
+  2aXyBSZ9/oimZM/s3IqYJecxwE+yyS+FiS6mSDCCVIyQXdtVAbFHegyiBYv8EbwF
+  Xz70QiqQtxotGlfts/3uN1s+xnEoWz5E6S5DQn4xQh0xiKSXPizMXou9xKzypeSW
+  qtNdwtg62jKWDaVriBfrvoCnyjjCIjmcTcvA2VLmeZShyTuIucd0lkg2NKIGeM7I
+  o33hmdiKaop1fVtj8zqXvCRa3ecmlvcxPKX0otVFORFNOfaPjH/CjW0CnP0LByGK
+  YW19w0ncJZa9cc1SlNL28lnBhW+i1+ViR02wtjabH9XO+mtxuaEPDZ1hLhhjktqI
+  Y2oFUso4C5xiTU/hrH8+cFv0dn/+zyQoLfJEQbUX9biFeytt7T4Yynwhdy7jryqH
+  fdy/QM26YnsE8D7l4mv99z+zII0IRGnQOuLTuNAIyGJUf69hCDubZFDeHV/IB9hU
+  6GA6lBpsJlTDgfJLbtKuAHxdn1DO+uGg0GxgwggH6Vh9x9yQK2E6BaepJisL/zNB
+  RQQmEyTn1hn/eA==
+  -----END CERTIFICATE-----
+```
+
+
+### `key: "/etc/server/cert.key"` [server-key]
+
+The server certificate key used for authentication is required. The key option supports embedding of the private key:
+
+```yaml
+key: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
+    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
+    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
+    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
+    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
+    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
+    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
+    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
+    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
+    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
+    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
+    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
+    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
+    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
+    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
+    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
+    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
+    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
+    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
+    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
+    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
+    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
+    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
+    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
+    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
+    nygO9KTJuUiBrLr0AHEnqko=
+    -----END PRIVATE KEY-----
+```
+
+
+### `key_passphrase` [server-key-passphrase]
+
+The passphrase is used to decrypt an encrypted key stored in the configured `key` file.
+
+
+### `verification_mode` [server-verification-mode]
+
+Controls the verification of client certificates. Valid values are:
+
+`full`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
+
+`strict`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.
+
+`certificate`
+:   Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
+
+`none`
+:   Performs *no verification* of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.
+
+    The default value is `full`.
+
+
+
+### `renegotiation` [server-renegotiation]
+
+This configures what types of TLS renegotiation are supported. The valid options are:
+
+`never`
+:   Disables renegotiation.
+
+`once`
+:   Allows a remote server to request renegotiation once per connection.
+
+`freely`
+:   Allows a remote server to request renegotiation repeatedly.
+
+    The default value is `never`.
+
+
+
+### `restart_on_cert_change.enabled` [exit_on_cert_change_enabled]
+
+If set to `true` Heartbeat will restart if any file listed by `key`, `certificate`, or `certificate_authorities` is modified.
+
+::::{note}
+This feature is NOT supported on Windows. The default value is `false`.
+::::
+
+
+::::{note}
+This feature requres the `execve` system call to be enabled. If you have a custom seccomp policy in place, make sure to allow for `execve`.
+::::
+
+
+
+### `restart_on_cert_change.period` [restart_on_cert_change_period]
+
+Specifies how often the files are checked for changes. Do not set the period to less than 1s because the modification time of files is often stored in seconds. Setting the period to less than 1s will result in validation error and Heartbeat will not start. The default value is 1m.
+
diff --git a/docs/reference/heartbeat/configuration-template.md b/docs/reference/heartbeat/configuration-template.md
new file mode 100644
index 000000000000..32545ac85a8a
--- /dev/null
+++ b/docs/reference/heartbeat/configuration-template.md
@@ -0,0 +1,112 @@
+---
+navigation_title: "Elasticsearch index template"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-template.html
+---
+
+# Configure Elasticsearch index template loading [configuration-template]
+
+
+The `setup.template` section of the `heartbeat.yml` config file specifies the [index template](docs-content://manage-data/data-store/templates.md) to use for setting mappings in Elasticsearch. If template loading is enabled (the default), Heartbeat loads the index template automatically after successfully connecting to Elasticsearch.
+
+::::{note}
+A connection to Elasticsearch is required to load the index template. If the configured output is not Elasticsearch (or {{ess}}), you must [load the template manually](/reference/heartbeat/heartbeat-template.md#load-template-manually).
+::::
+
+
+You can adjust the following settings to load your own template or overwrite an existing one.
+
+**`setup.template.enabled`**
+:   Set to false to disable template loading. If this is set to false, you must [load the template manually](/reference/heartbeat/heartbeat-template.md#load-template-manually).
+
+**`setup.template.name`**
+:   The name of the template. The default is `heartbeat`. The Heartbeat version is always appended to the given name, so the final name is `heartbeat-%{[agent.version]}`.
+
+**`setup.template.pattern`**
+:   The template pattern to apply to the default index settings. The default pattern is `heartbeat`. The Heartbeat version is always included in the pattern, so the final pattern is `heartbeat-%{[agent.version]}`.
+
+    Example:
+
+    ```yaml
+    setup.template.name: "heartbeat"
+    setup.template.pattern: "heartbeat"
+    ```
+
+
+**`setup.template.fields`**
+:   The path to the YAML file describing the fields. The default is `fields.yml`. If a relative path is set, it is considered relative to the config path. See the [Directory layout](/reference/heartbeat/directory-layout.md) section for details.
+
+**`setup.template.overwrite`**
+:   A boolean that specifies whether to overwrite the existing template. The default is false. Do not enable this option if you start more than one instance of Heartbeat at the same time. It can overload {{es}} by sending too many template update requests.
+
+**`setup.template.settings`**
+:   A dictionary of settings to place into the `settings.index` dictionary of the Elasticsearch template. For more details about the available Elasticsearch mapping options, please see the Elasticsearch [mapping reference](docs-content://manage-data/data-store/mapping.md).
+
+    Example:
+
+    ```yaml
+    setup.template.name: "heartbeat"
+    setup.template.fields: "fields.yml"
+    setup.template.overwrite: false
+    setup.template.settings:
+      index.number_of_shards: 1
+      index.number_of_replicas: 1
+    ```
+
+
+**`setup.template.settings._source`**
+:   A dictionary of settings for the `_source` field. For the available settings, please see the Elasticsearch [reference](elasticsearch://reference/elasticsearch/mapping-reference/mapping-source-field.md).
+
+    Example:
+
+    ```yaml
+    setup.template.name: "heartbeat"
+    setup.template.fields: "fields.yml"
+    setup.template.overwrite: false
+    setup.template.settings:
+      _source.enabled: false
+    ```
+
+
+**`setup.template.append_fields`**
+:   A list of fields to be added to the template and {{kib}} index pattern. This setting adds new fields. It does not overwrite or change existing fields.
+
+    This setting is useful when your data contains fields that Heartbeat doesn’t know about in advance.
+
+    If `append_fields` is specified along with `overwrite: true`, Heartbeat overwrites the existing template and applies the new template when creating new indices. Existing indices are not affected. If you’re running multiple instances of Heartbeat with different `append_fields` settings, the last one writing the template takes precedence.
+
+    Any changes to this setting also affect the {{kib}} index pattern.
+
+    Example config:
+
+    ```yaml
+    setup.template.overwrite: true
+    setup.template.append_fields:
+    - name: test.name
+      type: keyword
+    - name: test.hostname
+      type: long
+    ```
+
+
+**`setup.template.json.enabled`**
+:   Set to `true` to load a JSON-based template file. Specify the path to your {{es}} index template file and set the name of the template.
+
+    ```yaml
+    setup.template.json.enabled: true
+    setup.template.json.path: "template.json"
+    setup.template.json.name: "template-name"
+    setup.template.json.data_stream: false
+    ```
+
+
+::::{note}
+If the JSON template is used, the `fields.yml` is skipped for the template generation.
+::::
+
+
+::::{note}
+If the JSON template is a data stream, set `setup.template.json.data_stream`.
+::::
+
+
diff --git a/docs/reference/heartbeat/configure-cloud-id.md b/docs/reference/heartbeat/configure-cloud-id.md
new file mode 100644
index 000000000000..957a676e4af6
--- /dev/null
+++ b/docs/reference/heartbeat/configure-cloud-id.md
@@ -0,0 +1,34 @@
+---
+navigation_title: "{{ess}}"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configure-cloud-id.html
+---
+
+# Configure the output for {{ess}} on {{ecloud}} [configure-cloud-id]
+
+
+Heartbeat comes with two settings that simplify the output configuration when used together with [{{ess}}](https://www.elastic.co/cloud/elasticsearch-service?page=docs&placement=docs-body). When defined, these setting overwrite settings from other parts in the configuration.
+
+Example:
+
+```yaml
+cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
+cloud.auth: "elastic:{pwd}"
+```
+
+These settings can be also specified at the command line, like this:
+
+```sh
+heartbeat -e -E cloud.id="<cloud-id>" -E cloud.auth="<cloud.auth>"
+```
+
+## `cloud.id` [_cloud_id]
+
+The Cloud ID, which can be found in the {{ess}} web console, is used by Heartbeat to resolve the {{es}} and {{kib}} URLs. This setting overwrites the `output.elasticsearch.hosts` and `setup.kibana.host` settings. For more on locating and configuring the Cloud ID, see [Configure Beats and Logstash with Cloud ID](docs-content://deploy-manage/deploy/cloud-enterprise/find-cloud-id.md).
+
+
+## `cloud.auth` [_cloud_auth]
+
+When specified, the `cloud.auth` overwrites the `output.elasticsearch.username` and `output.elasticsearch.password` settings. Because the Kibana settings inherit the username and password from the {{es}} output, this can also be used to set the `setup.kibana.username` and `setup.kibana.password` options.
+
+
diff --git a/docs/reference/heartbeat/configuring-howto-heartbeat.md b/docs/reference/heartbeat/configuring-howto-heartbeat.md
new file mode 100644
index 000000000000..4976ac35e992
--- /dev/null
+++ b/docs/reference/heartbeat/configuring-howto-heartbeat.md
@@ -0,0 +1,43 @@
+---
+navigation_title: "Configure"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuring-howto-heartbeat.html
+---
+
+# Configure Heartbeat [configuring-howto-heartbeat]
+
+
+::::{tip}
+To get started quickly, read [Quick start: installation and configuration](/reference/heartbeat/heartbeat-installation-configuration.md).
+::::
+
+
+To configure Heartbeat, edit the configuration file. The default configuration file is called  `heartbeat.yml`. The location of the file varies by platform. To locate the file, see [Directory layout](/reference/heartbeat/directory-layout.md).
+
+There’s also a full example configuration file called `heartbeat.reference.yml` that shows all non-deprecated options.
+
+::::{tip}
+See the [Config File Format](/reference/libbeat/config-file-format.md) for more about the structure of the config file.
+::::
+
+
+The following topics describe how to configure Heartbeat:
+
+* [Monitors](/reference/heartbeat/configuration-heartbeat-options.md)
+* [Task scheduler](/reference/heartbeat/monitors-scheduler.md)
+* [General settings](/reference/heartbeat/configuration-general-options.md)
+* [Project paths](/reference/heartbeat/configuration-path.md)
+* [Output](/reference/heartbeat/configuring-output.md)
+* [SSL](/reference/heartbeat/configuration-ssl.md)
+* [Index lifecycle management (ILM)](/reference/heartbeat/ilm.md)
+* [Elasticsearch index template](/reference/heartbeat/configuration-template.md)
+* [Processors](/reference/heartbeat/filtering-enhancing-data.md)
+* [*Autodiscover*](/reference/heartbeat/configuration-autodiscover.md)
+* [Internal queue](/reference/heartbeat/configuring-internal-queue.md)
+* [Logging](/reference/heartbeat/configuration-logging.md)
+* [HTTP endpoint](/reference/heartbeat/http-endpoint.md)
+* [*Regular expression support*](/reference/heartbeat/regexp-support.md)
+* [Instrumentation](/reference/heartbeat/configuration-instrumentation.md)
+* [Feature flags](/reference/heartbeat/configuration-feature-flags.md)
+* [*heartbeat.reference.yml*](/reference/heartbeat/heartbeat-reference-yml.md)
+
diff --git a/docs/reference/heartbeat/configuring-ingest-node.md b/docs/reference/heartbeat/configuring-ingest-node.md
new file mode 100644
index 000000000000..f1ff739a2e94
--- /dev/null
+++ b/docs/reference/heartbeat/configuring-ingest-node.md
@@ -0,0 +1,50 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuring-ingest-node.html
+---
+
+# Parse data using an ingest pipeline [configuring-ingest-node]
+
+When you use {{es}} for output, you can configure Heartbeat to use an [ingest pipeline](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md) to pre-process documents before the actual indexing takes place in {{es}}. An ingest pipeline is a convenient processing option when you want to do some extra processing on your data, but you do not require the full power of {{ls}}. For example, you can create an ingest pipeline in {{es}} that consists of one processor that removes a field in a document followed by another processor that renames a field.
+
+After defining the pipeline in {{es}}, you simply configure Heartbeat to use the pipeline. To configure Heartbeat, you specify the pipeline ID in the `parameters` option under `elasticsearch` in the `heartbeat.yml` file:
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200"]
+  pipeline: my_pipeline_id
+```
+
+For example, let’s say that you’ve defined the following pipeline in a file named `pipeline.json`:
+
+```json
+{
+    "description": "Test pipeline",
+    "processors": [
+        {
+            "lowercase": {
+                "field": "agent.name"
+            }
+        }
+    ]
+}
+```
+
+To add the pipeline in {{es}}, you would run:
+
+```shell
+curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_ingest/pipeline/test-pipeline' -d@pipeline.json
+```
+
+Then in the `heartbeat.yml` file, you would specify:
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200"]
+  pipeline: "test-pipeline"
+```
+
+When you run Heartbeat, the value of `agent.name` is converted to lowercase before indexing.
+
+For more information about defining a pre-processing pipeline, see the [ingest pipeline](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md) documentation.
+
diff --git a/docs/reference/heartbeat/configuring-internal-queue.md b/docs/reference/heartbeat/configuring-internal-queue.md
new file mode 100644
index 000000000000..e63dae38e80c
--- /dev/null
+++ b/docs/reference/heartbeat/configuring-internal-queue.md
@@ -0,0 +1,144 @@
+---
+navigation_title: "Internal queue"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuring-internal-queue.html
+---
+
+# Configure the internal queue [configuring-internal-queue]
+
+
+Heartbeat uses an internal queue to store events before publishing them. The queue is responsible for buffering and combining events into batches that can be consumed by the outputs. The outputs will use bulk operations to send a batch of events in one transaction.
+
+You can configure the type and behavior of the internal queue by setting options in the `queue` section of the `heartbeat.yml` config file or by setting options in the `queue` section of the output. Only one queue type can be configured.
+
+This sample configuration sets the memory queue to buffer up to 4096 events:
+
+```yaml
+queue.mem:
+  events: 4096
+```
+
+
+## Configure the memory queue [configuration-internal-queue-memory]
+
+The memory queue keeps all events in memory.
+
+The memory queue waits for the output to acknowledge or drop events. If the queue is full, no new events can be inserted into the memory queue. Only after the signal from the output will the queue free up space for more events to be accepted.
+
+The memory queue is controlled by the parameters `flush.min_events` and `flush.timeout`. `flush.min_events` gives a limit on the number of events that can be included in a single batch, and `flush.timeout` specifies how long the queue should wait to completely fill an event request. If the output supports a `bulk_max_size` parameter, the maximum batch size will be the smaller of `bulk_max_size` and `flush.min_events`.
+
+`flush.min_events` is a legacy parameter, and new configurations should prefer to control batch size with `bulk_max_size`. As of 8.13, there is never a performance advantage to limiting batch size with `flush.min_events` instead of `bulk_max_size`.
+
+In synchronous mode, an event request is always filled as soon as events are available, even if there are not enough events to fill the requested batch. This is useful when latency must be minimized. To use synchronous mode, set `flush.timeout` to 0.
+
+For backwards compatibility, synchronous mode can also be activated by setting `flush.min_events` to 0 or 1. In this case, batch size will be capped at 1/2 the queue capacity.
+
+In asynchronous mode, an event request will wait up to the specified timeout to try and fill the requested batch completely. If the timeout expires, the queue returns a partial batch with all available events. To use asynchronous mode, set `flush.timeout` to a positive duration, e.g. `5s`.
+
+This sample configuration forwards events to the output when there are enough events to fill the output’s request (usually controlled by `bulk_max_size`, and limited to at most 512 events by `flush.min_events`), or when events have been waiting for 5s without filling the requested size:
+
+```yaml
+queue.mem:
+  events: 4096
+  flush.min_events: 512
+  flush.timeout: 5s
+```
+
+
+## Configuration options [_configuration_options_12]
+
+You can specify the following options in the `queue.mem` section of the `heartbeat.yml` config file:
+
+
+#### `events` [queue-mem-events-option]
+
+Number of events the queue can store.
+
+The default value is 3200 events.
+
+
+#### `flush.min_events` [queue-mem-flush-min-events-option]
+
+If greater than 1, specifies the maximum number of events per batch. In this case the output must wait for the queue to accumulate the requested number of events or for `flush.timeout` to expire before publishing.
+
+If 0 or 1, sets the maximum number of events per batch to half the queue size, and sets the queue to synchronous mode (equivalent to `flush.timeout` of 0).
+
+The default value is 1600.
+
+
+#### `flush.timeout` [queue-mem-flush-timeout-option]
+
+Maximum wait time for event requests from the output to be fulfilled. If set to 0s, events are returned immediately.
+
+The default value is 10s.
+
+
+## Configure the disk queue [configuration-internal-queue-disk]
+
+The disk queue stores pending events on the disk rather than main memory. This allows Beats to queue a larger number of events than is possible with the memory queue, and to save events when a Beat or device is restarted. This increased reliability comes with a performance tradeoff, as every incoming event must be written and read from the device’s disk. However, for setups where the disk is not the main bottleneck, the disk queue gives a simple and relatively low-overhead way to add a layer of robustness to incoming event data.
+
+To enable the disk queue with default settings, specify a maximum size:
+
+```yaml
+queue.disk:
+  max_size: 10GB
+```
+
+The queue will use up to the specified maximum size on disk. It will only use as much space as required. For example, if the queue is only storing 1GB of events, then it will only occupy 1GB on disk no matter how high the maximum is. Queue data is deleted from disk after it has been successfully sent to the output.
+
+
+### Configuration options [configuration-internal-queue-disk-reference]
+
+You can specify the following options in the `queue.disk` section of the `heartbeat.yml` config file:
+
+
+#### `path` [_path]
+
+The path to the directory where the disk queue should store its data files. The directory is created on startup if it doesn’t exist.
+
+The default value is `"${path.data}/diskqueue"`.
+
+
+#### `max_size` (required) [_max_size_required]
+
+The maximum size the queue should use on disk. Events that exceed this maximum will either pause their input or be discarded, depending on the input’s configuration.
+
+A value of `0` means that no maximum size is enforced, and the queue can grow up to the amount of free space on the disk. This value should be used with caution, as completely filling a system’s main disk can make it inoperable. It is best to use this setting only with a dedicated data or backup partition that will not interfere with Heartbeat or the rest of the host system.
+
+The default value is `10GB`.
+
+
+#### `segment_size` [_segment_size]
+
+Data added to the queue is stored in segment files. Each segment contains some number of events waiting to be sent to the outputs, and is deleted when all its events are sent. By default, segment size is limited to 1/10 of the maximum queue size. Using a smaller size means that the queue will use more data files, but they will be deleted more quickly after use. Using a larger size means some data will take longer to delete, but the queue will use fewer auxiliary files. It is usually fine to leave this value unchanged.
+
+The default value is `max_size / 10`.
+
+
+#### `read_ahead` [_read_ahead]
+
+The number of events that should be read from disk into memory while waiting for an output to request them. If you find outputs are slowing down because they can’t read as many events at a time, adjusting this setting upward may help, at the cost of higher memory usage.
+
+The default value is `512`.
+
+
+#### `write_ahead` [_write_ahead]
+
+The number of events the queue should accept and store in memory while waiting for them to be written to disk. If you find the queue’s memory use is too high because events are waiting too long to be written to disk, adjusting this setting downward may help, at the cost of reduced event throughput. On the other hand, if inputs are waiting or discarding events because they are being produced faster than the disk can handle, adjusting this setting upward may help, at the cost of higher memory usage.
+
+The default value is `2048`.
+
+
+#### `retry_interval` [_retry_interval]
+
+Some disk errors may block operation of the queue, for example a permission error writing to the data directory, or a disk full error while writing an event. In this case, the queue reports the error and retries after pausing for the time specified in `retry_interval`.
+
+The default value is `1s` (one second).
+
+
+#### `max_retry_interval` [_max_retry_interval]
+
+When there are multiple consecutive errors writing to the disk, the queue increases the retry interval by factors of 2 up to a maximum of `max_retry_interval`. Increase this value if you are concerned about logging too many errors or overloading the host system if the target disk becomes unavailable for an extended time.
+
+The default value is `30s` (thirty seconds).
+
diff --git a/docs/reference/heartbeat/configuring-output.md b/docs/reference/heartbeat/configuring-output.md
new file mode 100644
index 000000000000..2dbb25368124
--- /dev/null
+++ b/docs/reference/heartbeat/configuring-output.md
@@ -0,0 +1,31 @@
+---
+navigation_title: "Output"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuring-output.html
+---
+
+# Configure the output [configuring-output]
+
+
+You configure Heartbeat to write to a specific output by setting options in the Outputs section of the `heartbeat.yml` config file. Only a single output may be defined.
+
+The following topics describe how to configure each supported output. If you’ve secured the {{stack}}, also read [Secure](/reference/heartbeat/securing-heartbeat.md) for more about security-related configuration options.
+
+* [{{ess}}](/reference/heartbeat/configure-cloud-id.md)
+* [Elasticsearch](/reference/heartbeat/elasticsearch-output.md)
+* [Logstash](/reference/heartbeat/logstash-output.md)
+* [Kafka](/reference/heartbeat/kafka-output.md)
+* [Redis](/reference/heartbeat/redis-output.md)
+* [File](/reference/heartbeat/file-output.md)
+* [Console](/reference/heartbeat/console-output.md)
+* [Discard](/reference/heartbeat/discard-output.md)
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/heartbeat/configuring-ssl-logstash.md b/docs/reference/heartbeat/configuring-ssl-logstash.md
new file mode 100644
index 000000000000..3aea9d3ebc7c
--- /dev/null
+++ b/docs/reference/heartbeat/configuring-ssl-logstash.md
@@ -0,0 +1,118 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/configuring-ssl-logstash.html
+---
+
+# Secure communication with Logstash [configuring-ssl-logstash]
+
+You can use SSL mutual authentication to secure connections between Heartbeat and Logstash. This ensures that Heartbeat sends encrypted data to trusted Logstash servers only, and that the Logstash server receives data from trusted Heartbeat clients only.
+
+To use SSL mutual authentication:
+
+1. Create a certificate authority (CA) and use it to sign the certificates that you plan to use for Heartbeat and Logstash. Creating a correct SSL/TLS infrastructure is outside the scope of this document. There are many online resources available that describe how to create certificates.
+
+    ::::{tip}
+    If you are using {{security-features}}, you can use the [elasticsearch-certutil tool](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md) to generate certificates.
+    ::::
+
+2. Configure Heartbeat to use SSL. In the `heartbeat.yml` config file, specify the following settings under `ssl`:
+
+    * `certificate_authorities`: Configures Heartbeat to trust any certificates signed by the specified CA. If `certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used.
+    * `certificate` and `key`: Specifies the certificate and key that Heartbeat uses to authenticate with Logstash.
+
+        For example:
+
+        ```yaml
+        output.logstash:
+          hosts: ["logs.mycompany.com:5044"]
+          ssl.certificate_authorities: ["/etc/ca.crt"]
+          ssl.certificate: "/etc/client.crt"
+          ssl.key: "/etc/client.key"
+        ```
+
+        For more information about these configuration options, see [SSL](/reference/heartbeat/configuration-ssl.md).
+
+3. Configure Logstash to use SSL. In the Logstash config file, specify the following settings for the [Beats input plugin for Logstash](logstash://reference/plugins-inputs-beats.md):
+
+    * `ssl`: When set to true, enables Logstash to use SSL/TLS.
+    * `ssl_certificate_authorities`: Configures Logstash to trust any certificates signed by the specified CA.
+    * `ssl_certificate` and `ssl_key`: Specify the certificate and key that Logstash uses to authenticate with the client.
+    * `ssl_verify_mode`: Specifies whether the Logstash server verifies the client certificate against the CA. You need to specify either `peer` or `force_peer` to make the server ask for the certificate and validate it. If you specify `force_peer`, and Heartbeat doesn’t provide a certificate, the Logstash connection will be closed. If you choose not to use [certutil](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md), the certificates that you obtain must allow for both `clientAuth` and `serverAuth` if the extended key usage extension is present.
+
+        For example:
+
+        ```json
+        input {
+          beats {
+            port => 5044
+            ssl => true
+            ssl_certificate_authorities => ["/etc/ca.crt"]
+            ssl_certificate => "/etc/server.crt"
+            ssl_key => "/etc/server.key"
+            ssl_verify_mode => "force_peer"
+          }
+        }
+        ```
+
+        For more information about these options, see the [documentation for the Beats input plugin](logstash://reference/plugins-inputs-beats.md).
+
+
+
+## Validate the Logstash server’s certificate [testing-ssl-logstash]
+
+Before running Heartbeat, you should validate the Logstash server’s certificate. You can use `curl` to validate the certificate even though the protocol used to communicate with Logstash is not based on HTTP. For example:
+
+```shell
+curl -v --cacert ca.crt https://logs.mycompany.com:5044
+```
+
+If the test is successful, you’ll receive an empty response error:
+
+```shell
+* Rebuilt URL to: https://logs.mycompany.com:5044/
+*   Trying 192.168.99.100...
+* Connected to logs.mycompany.com (192.168.99.100) port 5044 (#0)
+* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+* Server certificate: logs.mycompany.com
+* Server certificate: mycompany.com
+> GET / HTTP/1.1
+> Host: logs.mycompany.com:5044
+> User-Agent: curl/7.43.0
+> Accept: */*
+>
+* Empty reply from server
+* Connection #0 to host logs.mycompany.com left intact
+curl: (52) Empty reply from server
+```
+
+The following example uses the IP address rather than the hostname to validate the certificate:
+
+```shell
+curl -v --cacert ca.crt https://192.168.99.100:5044
+```
+
+Validation for this test fails because the certificate is not valid for the specified IP address. It’s only valid for the `logs.mycompany.com`, the hostname that appears in the Subject field of the certificate.
+
+```shell
+* Rebuilt URL to: https://192.168.99.100:5044/
+*   Trying 192.168.99.100...
+* Connected to 192.168.99.100 (192.168.99.100) port 5044 (#0)
+* WARNING: using IP address, SNI is being disabled by the OS.
+* SSL: certificate verification failed (result: 5)
+* Closing connection 0
+curl: (51) SSL: certificate verification failed (result: 5)
+```
+
+See the [troubleshooting docs](/reference/heartbeat/ssl-client-fails.md) for info about resolving this issue.
+
+
+## Test the Heartbeat to Logstash connection [_test_the_heartbeat_to_logstash_connection]
+
+If you have Heartbeat running as a service, first stop the service. Then test your setup by running Heartbeat in the foreground so you can quickly see any errors that occur:
+
+```sh
+heartbeat -c heartbeat.yml -e -v
+```
+
+Any errors will be printed to the console. See the [troubleshooting docs](/reference/heartbeat/ssl-client-fails.md) for info about resolving common errors.
+
diff --git a/docs/reference/heartbeat/connection-problem.md b/docs/reference/heartbeat/connection-problem.md
new file mode 100644
index 000000000000..ae34b1010110
--- /dev/null
+++ b/docs/reference/heartbeat/connection-problem.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/connection-problem.html
+---
+
+# Logstash connection doesn���t work [connection-problem]
+
+You may have configured {{ls}} or Heartbeat incorrectly. To resolve the issue:
+
+* Make sure that {{ls}} is running and you can connect to it. First, try to ping the {{ls}} host to verify that you can reach it from the host running Heartbeat. Then use either `nc` or `telnet` to make sure that the port is available. For example:
+
+    ```shell
+    ping <hostname or IP>
+    telnet <hostname or IP> 5044
+    ```
+
+* Verify that the config file for Heartbeat specifies the correct port where {{ls}} is running.
+* Make sure that the {{es}} output is commented out in the config file and the {{ls}} output is uncommented.
+* Confirm that the most recent [Beats input plugin for {{ls}}](logstash://reference/plugins-inputs-beats.md) is installed and configured. Note that Beats will not connect to the Lumberjack input plugin. To learn how to install and update plugins, see [Working with plugins](logstash://reference/working-with-plugins.md).
+
diff --git a/docs/reference/heartbeat/console-output.md b/docs/reference/heartbeat/console-output.md
new file mode 100644
index 000000000000..bf7f61d0a7ae
--- /dev/null
+++ b/docs/reference/heartbeat/console-output.md
@@ -0,0 +1,67 @@
+---
+navigation_title: "Console"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/console-output.html
+---
+
+# Configure the Console output [console-output]
+
+
+The Console output writes events in JSON format to stdout.
+
+::::{warning}
+The Console output should be used only for debugging issues as it can produce a large amount of logging data.
+::::
+
+
+To use this output, edit the Heartbeat configuration file to disable the {{es}} output by commenting it out, and enable the console output by adding `output.console`.
+
+Example configuration:
+
+```yaml
+output.console:
+  pretty: true
+```
+
+## Configuration options [_configuration_options_7]
+
+You can specify the following `output.console` options in the `heartbeat.yml` config file:
+
+### `enabled` [_enabled_6]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `pretty` [_pretty]
+
+If `pretty` is set to true, events written to stdout will be nicely formatted. The default is false.
+
+
+### `codec` [_codec_4]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded using the `pretty` option.
+
+See [Change the output codec](/reference/heartbeat/configuration-output-codec.md) for more information.
+
+
+### `bulk_max_size` [_bulk_max_size_4]
+
+The maximum number of events to buffer internally during publishing. The default is 2048.
+
+Specifying a larger batch size may add some latency and buffering during publishing. However, for Console output, this setting does not affect how events are published.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `queue` [_queue_6]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/heartbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `heartbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/heartbeat/contributing-to-beats.md b/docs/reference/heartbeat/contributing-to-beats.md
new file mode 100644
index 000000000000..b3c0051705b3
--- /dev/null
+++ b/docs/reference/heartbeat/contributing-to-beats.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/contributing-to-beats.html
+---
+
+# Contribute to Beats [contributing-to-beats]
+
+The Beats are open source and we love to receive contributions from our community — you!
+
+There are many ways to contribute, from writing tutorials or blog posts, improving the documentation, submitting bug reports and feature requests, or writing code that implements a whole new protocol, module, or Beat.
+
+The [Beats Developer Guide](http://www.elastic.co/guide/en/beats/devguide/master/index.md) is your one-stop shop for everything related to developing code for the Beats project.
+
diff --git a/docs/reference/heartbeat/convert.md b/docs/reference/heartbeat/convert.md
new file mode 100644
index 000000000000..13c0d666740c
--- /dev/null
+++ b/docs/reference/heartbeat/convert.md
@@ -0,0 +1,42 @@
+---
+navigation_title: "convert"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/convert.html
+---
+
+# Convert [convert]
+
+
+The `convert` processor converts a field in the event to a different type, such as converting a string to an integer.
+
+The supported types include: `integer`, `long`, `float`, `double`, `string`, `boolean`, and `ip`.
+
+The `ip` type is effectively an alias for `string`, but with an added validation that the value is an IPv4 or IPv6 address.
+
+```yaml
+processors:
+  - convert:
+      fields:
+        - {from: "src_ip", to: "source.ip", type: "ip"}
+        - {from: "src_port", to: "source.port", type: "integer"}
+      ignore_missing: true
+      fail_on_error: false
+```
+
+The `convert` processor has the following configuration settings:
+
+`fields`
+:   (Required) This is the list of fields to convert. At least one item must be contained in the list. Each item in the list must have a `from` key that specifies the source field. The `to` key is optional and specifies where to assign the converted value. If `to` is omitted then the `from` field is updated in-place. The `type` key specifies the data type to convert the value to. If `type` is omitted then the processor copies or renames the field without any type conversion.
+
+`ignore_missing`
+:   (Optional) If `true` the processor continues to the next field when the `from` key is not found in the event. If false then the processor returns an error and does not process the remaining fields. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If false type conversion failures are ignored and the processor continues to the next field. Default is `true`.
+
+`tag`
+:   (Optional) An identifier for this processor. Useful for debugging.
+
+`mode`
+:   (Optional) When both `from` and `to` are defined for a field then `mode` controls whether to `copy` or `rename` the field when the type conversion is successful. Default is `copy`.
+
diff --git a/docs/reference/heartbeat/copy-fields.md b/docs/reference/heartbeat/copy-fields.md
new file mode 100644
index 000000000000..423b5b833e7d
--- /dev/null
+++ b/docs/reference/heartbeat/copy-fields.md
@@ -0,0 +1,45 @@
+---
+navigation_title: "copy_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/copy-fields.html
+---
+
+# Copy fields [copy-fields]
+
+
+The `copy_fields` processor takes the value of a field and copies it to a new field.
+
+You cannot use this processor to replace an existing field. If the target field already exists, you must [drop](/reference/heartbeat/drop-fields.md) or [rename](/reference/heartbeat/rename-fields.md) the field before using `copy_fields`.
+
+`fields`
+:   List of `from` and `to` pairs to copy from and to. It’s supported to use `@metadata.` prefix for `from` and `to` and copy values not just in/from/to the event fields but also in/from/to the event metadata.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error occurs, the changes are reverted and the original is returned. If set to `false`, processing continues if an error occurs. Default is `true`.
+
+`ignore_missing`
+:   (Optional) Indicates whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - copy_fields:
+      fields:
+        - from: message
+          to: event.original
+      fail_on_error: false
+      ignore_missing: true
+```
+
+Copies the original `message` field to `event.original`:
+
+```json
+{
+  "message": "my-interesting-message",
+  "event": {
+      "original": "my-interesting-message"
+  }
+}
+```
+
diff --git a/docs/reference/heartbeat/decode-base64-field.md b/docs/reference/heartbeat/decode-base64-field.md
new file mode 100644
index 000000000000..c6c7368f252b
--- /dev/null
+++ b/docs/reference/heartbeat/decode-base64-field.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "decode_base64_field"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/decode-base64-field.html
+---
+
+# Decode Base64 fields [decode-base64-field]
+
+
+The `decode_base64_field` processor specifies a field to base64 decode. The `field` key contains a `from: old-key` and a `to: new-key` pair. `from` is the origin and `to` the target name of the field.
+
+To overwrite fields either first rename the target field or use the `drop_fields` processor to drop the field and then rename the field.
+
+```yaml
+processors:
+  - decode_base64_field:
+      field:
+        from: "field1"
+        to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above: - field1 is decoded in field2
+
+The `decode_base64_field` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be base64 decoded is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the base64 decode of fields is stopped and the original event is returned. If set to false, decoding continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/heartbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/heartbeat/decode-duration.md b/docs/reference/heartbeat/decode-duration.md
new file mode 100644
index 000000000000..0586e4bc5d37
--- /dev/null
+++ b/docs/reference/heartbeat/decode-duration.md
@@ -0,0 +1,25 @@
+---
+navigation_title: "decode_duration"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/decode-duration.html
+---
+
+# Decode duration [decode-duration]
+
+
+The `decode_duration` processor decodes a Go-style duration string into a specific `format`.
+
+For more information about the Go `time.Duration` string style, refer to the [Go documentation](https://pkg.go.dev/time#Duration).
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | yes |  | Which field of event needs to be decoded as `time.Duration` |  |
+| `format` | yes | `milliseconds` | Supported formats: `milliseconds`/`seconds`/`minutes`/`hours` |  |
+
+```yaml
+processors:
+  - decode_duration:
+      field: "app.rpc.cost"
+      format: "milliseconds"
+```
+
diff --git a/docs/reference/heartbeat/decode-json-fields.md b/docs/reference/heartbeat/decode-json-fields.md
new file mode 100644
index 000000000000..77d02864cc1b
--- /dev/null
+++ b/docs/reference/heartbeat/decode-json-fields.md
@@ -0,0 +1,48 @@
+---
+navigation_title: "decode_json_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/decode-json-fields.html
+---
+
+# Decode JSON fields [decode-json-fields]
+
+
+The `decode_json_fields` processor decodes fields containing JSON strings and replaces the strings with valid JSON objects.
+
+```yaml
+processors:
+  - decode_json_fields:
+      fields: ["field1", "field2", ...]
+      process_array: false
+      max_depth: 1
+      target: ""
+      overwrite_keys: false
+      add_error_key: true
+```
+
+The `decode_json_fields` processor has the following configuration settings:
+
+`fields`
+:   The fields containing JSON strings to decode.
+
+`process_array`
+:   (Optional) A Boolean value that specifies whether to process arrays. The default is `false`.
+
+`max_depth`
+:   (Optional) The maximum parsing depth. A value of `1`  will decode the JSON objects in fields indicated in `fields`, a value of `2` will also decode the objects embedded in the fields of these parsed documents. The default is `1`.
+
+`target`
+:   (Optional) The field under which the decoded JSON will be written. By default, the decoded JSON object replaces the string field from which it was read. To merge the decoded JSON fields into the root of the event, specify `target` with an empty string (`target: ""`). Note that the `null` value (`target:`) is treated as if the field was not set.
+
+`overwrite_keys`
+:   (Optional) A Boolean value that specifies whether existing keys in the event are overwritten by keys from the decoded JSON object. The default value is `false`.
+
+`expand_keys`
+:   (Optional) A Boolean value that specifies whether keys in the decoded JSON should be recursively de-dotted and expanded into a hierarchical object structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`.
+
+`add_error_key`
+:   (Optional) If set to `true` and an error occurs while decoding JSON keys, the `error` field will become a part of the event with the error message. If set to `false`, there will not be any error in the event’s field. The default value is `false`.
+
+`document_id`
+:   (Optional) JSON key that’s used as the document ID. If configured, the field will be removed from the original JSON document and stored in `@metadata._id`
+
diff --git a/docs/reference/heartbeat/decode-xml-wineventlog.md b/docs/reference/heartbeat/decode-xml-wineventlog.md
new file mode 100644
index 000000000000..8bc4a9f78bb1
--- /dev/null
+++ b/docs/reference/heartbeat/decode-xml-wineventlog.md
@@ -0,0 +1,162 @@
+---
+navigation_title: "decode_xml_wineventlog"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/decode-xml-wineventlog.html
+---
+
+# Decode XML Wineventlog [decode-xml-wineventlog]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `decode_xml_wineventlog` processor decodes Windows Event Log data in XML format that is stored under the `field` key. It outputs the result into the `target_field`.
+
+The output fields will be the same as the [winlogbeat winlog fields](/reference/winlogbeat/exported-fields-winlog.md#_winlog).
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the XML. Defaults to `message`.
+
+`target_field`
+:   (Required) The field under which the decoded XML will be written. To merge the decoded XML fields into the root of the event specify `target_field` with an empty string (`target_field: ""`). The default value is `winlog`.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the decoded XML object. The default value is `true`.
+
+`map_ecs_fields`
+:   (Optional) A boolean that specifies whether to map additional ECS fields when possible. Note that ECS field keys are placed outside of `target_field`. The default value is `true`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+`language`
+:   (Optional) The language ID the events will be rendered in. The language will be forced regardless of the system language. Forwarded events will ignore this setting. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language.
+
+Example:
+
+```yaml
+processors:
+  - decode_xml_wineventlog:
+      field: event.original
+      target_field: winlog
+```
+
+```json
+{
+  "event": {
+    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>"
+  }
+}
+```
+
+Will produce the following output:
+
+```json
+{
+  "event": {
+    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>",
+    "action":   "Special Logon",
+		"code":     "4672",
+		"kind":     "event",
+		"outcome":  "success",
+		"provider": "Microsoft-Windows-Security-Auditing",
+  },
+	"host": {
+    "name": "vagrant",
+  },
+  "log": {
+    "level": "information",
+  },
+  "winlog": {
+    "channel": "Security",
+    "outcome": "success",
+    "activity_id": "{ffb23523-1f32-0000-c335-b2ff321fd701}",
+    "level": "information",
+    "event_id": 4672,
+    "provider_name": "Microsoft-Windows-Security-Auditing",
+    "record_id": 11303,
+    "computer_name": "vagrant",
+    "keywords_raw": 9232379236109516800,
+    "opcode": "Info",
+    "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+    "event_data": {
+      "SubjectUserSid": "S-1-5-18",
+      "SubjectUserName": "SYSTEM",
+      "SubjectDomainName": "NT AUTHORITY",
+      "SubjectLogonId": "0x3e7",
+      "PrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"
+    },
+    "task": "Special Logon",
+    "keywords": [
+      "Audit Success"
+    ],
+    "message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
+    "process": {
+      "pid": 652,
+      "thread": {
+        "id": 4660
+      }
+    }
+  }
+}
+```
+
+See [Conditions](/reference/heartbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+The field mappings are as follows:
+
+| Event Field | Source XML Element | Notes |
+| --- | --- | --- |
+| `winlog.channel` | `<Event><System><Channel>` |  |
+| `winlog.event_id` | `<Event><System><EventID>` |  |
+| `winlog.provider_name` | `<Event><System><Provider>` | `Name` attribute |
+| `winlog.record_id` | `<Event><System><EventRecordID>` |  |
+| `winlog.task` | `<Event><System><Task>` |  |
+| `winlog.computer_name` | `<Event><System><Computer>` |  |
+| `winlog.keywords` | `<Event><RenderingInfo><Keywords>` | list of each `Keyword` |
+| `winlog.opcodes` | `<Event><RenderingInfo><Opcode>` |  |
+| `winlog.provider_guid` | `<Event><System><Provider>` | `Guid` attribute |
+| `winlog.version` | `<Event><System><Version>` |  |
+| `winlog.time_created` | `<Event><System><TimeCreated>` | `SystemTime` attribute |
+| `winlog.outcome` | `<Event><System><Keywords>` | "success" if bit 0x20000000000000 is set, "failure" if 0x10000000000000 is set |
+| `winlog.level` | `<Event><System><Level>` | converted to lowercase |
+| `winlog.message` | `<Event><RenderingInfo><Message>` | line endings removed |
+| `winlog.user.identifier` | `<Event><System><Security><UserID>` |  |
+| `winlog.user.domain` | `<Event><System><Security><Domain>` |  |
+| `winlog.user.name` | `<Event><System><Security><Name>` |  |
+| `winlog.user.type` | `<Event><System><Security><Type>` | converted from integer to String |
+| `winlog.event_data` | `<Event><EventData>` | map where `Name` attribute in Data element is key, and value is the value of the Data element |
+| `winlog.user_data` | `<Event><UserData>` | map where `Name` attribute in Data element is key, and value is the value of the Data element |
+| `winlog.activity_id` | `<Event><System><Correlation><ActivityID>` |  |
+| `winlog.related_activity_id` | `<Event><System><Correlation><RelatedActivityID>` |  |
+| `winlog.kernel_time` | `<Event><System><Execution><KernelTime>` |  |
+| `winlog.process.pid` | `<Event><System><Execution><ProcessID>` |  |
+| `winlog.process.thread.id` | `<Event><System><Execution><ThreadID>` |  |
+| `winlog.processor_id` | `<Event><System><Execution><ProcessorID>` |  |
+| `winlog.processor_time` | `<Event><System><Execution><ProcessorTime>` |  |
+| `winlog.session_id` | `<Event><System><Execution><SessionID>` |  |
+| `winlog.user_time` | `<Event><System><Execution><UserTime>` |  |
+| `winlog.error.code` | `<Event><ProcessingErrorData><ErrorCode>` |  |
+
+If `map_ecs_fields` is enabled then the following field mappings are also performed:
+
+| Event Field | Source XML or other field | Notes |
+| --- | --- | --- |
+| `event.code` | `winlog.event_id` |  |
+| `event.kind` | `"event"` |  |
+| `event.provider` | `<Event><System><Provider>` | `Name` attribute |
+| `event.action` | `<Event><RenderingInfo><Task>` |  |
+| `event.host.name` | `<Event><System><Computer>` |  |
+| `event.outcome` | `winlog.outcome` |  |
+| `log.level` | `winlog.level` |  |
+| `message` | `winlog.message` |  |
+| `error.code` | `winlog.error.code` |  |
+| `error.message` | `winlog.error.message` |  |
+
diff --git a/docs/reference/heartbeat/decode-xml.md b/docs/reference/heartbeat/decode-xml.md
new file mode 100644
index 000000000000..ea912de1d6f8
--- /dev/null
+++ b/docs/reference/heartbeat/decode-xml.md
@@ -0,0 +1,96 @@
+---
+navigation_title: "decode_xml"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/decode-xml.html
+---
+
+# Decode XML [decode-xml]
+
+
+The `decode_xml` processor decodes XML data that is stored under the `field` key. It outputs the result into the `target_field`.
+
+This example demonstrates how to decode an XML string contained in the `message` field and write the resulting fields into the root of the document. Any fields that already exist will be overwritten.
+
+```yaml
+processors:
+  - decode_xml:
+      field: message
+      target_field: ""
+      overwrite_keys: true
+```
+
+By default any decoding errors that occur will stop the processing chain and the error will be added to `error.message` field. To ignore all errors and continue to the next processor you can set `ignore_failure: true`. To specifically ignore failures caused by `field` not existing you can set `ignore_missing: true`.
+
+```yaml
+processors:
+  - decode_xml:
+      field: example
+      target_field: xml
+      ignore_missing: true
+      ignore_failure: true
+```
+
+By default all keys converted from XML will have the names converted to lowercase. If there is a need to disable this behavior it is possible to use the below example:
+
+```yaml
+processors:
+  - decode_xml:
+      field: message
+      target_field: xml
+      to_lower: false
+```
+
+Example XML input:
+
+```xml
+<catalog>
+  <book seq="1">
+    <author>William H. Gaddis</author>
+    <title>The Recognitions</title>
+    <review>One of the great seminal American novels of the 20th century.</review>
+  </book>
+</catalog>
+```
+
+Will produce the following output:
+
+```json
+{
+	"xml": {
+		"catalog": {
+			"book": {
+				"author": "William H. Gaddis",
+				"review": "One of the great seminal American novels of the 20th century.",
+				"seq": "1",
+				"title": "The Recognitions"
+			}
+		}
+	}
+}
+```
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the XML. Defaults to `message`.
+
+`target_field`
+:   (Optional) The field under which the decoded XML will be written. By default the decoded XML object replaces the field from which it was read. To merge the decoded XML fields into the root of the event specify `target_field` with an empty string (`target_field: ""`). Note that the `null` value (`target_field:`) is treated as if the field was not set at all.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the decoded XML object. The default value is `true`.
+
+`to_lower`
+:   (Optional) Converts all keys to lowercase. Accepts either `true` or `false`. The default value is `true`.
+
+`document_id`
+:   (Optional) XML key to use as the document ID. If configured, the field will be removed from the original XML document and stored in `@metadata._id`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+See [Conditions](/reference/heartbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/heartbeat/decompress-gzip-field.md b/docs/reference/heartbeat/decompress-gzip-field.md
new file mode 100644
index 000000000000..1c6d81d34fc7
--- /dev/null
+++ b/docs/reference/heartbeat/decompress-gzip-field.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "decompress_gzip_field"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/decompress-gzip-field.html
+---
+
+# Decompress gzip fields [decompress-gzip-field]
+
+
+The `decompress_gzip_field` processor specifies a field to gzip decompress. The `field` key contains a `from: old-key` and a `to: new-key` pair. `from` is the origin and `to` the target name of the field.
+
+To overwrite fields either first rename the target field or use the `drop_fields` processor to drop the field and then decompress the field.
+
+```yaml
+processors:
+  - decompress_gzip_field:
+      field:
+        from: "field1"
+        to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above: - field1 is decoded in field2
+
+The `decompress_gzip_field` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be decompressed is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the decompression of fields is stopped and the original event is returned. If set to false, decompression continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/heartbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/heartbeat/defining-processors.md b/docs/reference/heartbeat/defining-processors.md
new file mode 100644
index 000000000000..cd66db794b57
--- /dev/null
+++ b/docs/reference/heartbeat/defining-processors.md
@@ -0,0 +1,329 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/defining-processors.html
+---
+
+# Define processors [defining-processors]
+
+You can use processors to filter and enhance data before sending it to the configured output. To define a processor, you specify the processor name, an optional condition, and a set of parameters:
+
+```yaml
+processors:
+  - <processor_name>:
+      when:
+        <condition>
+      <parameters>
+
+  - <processor_name>:
+      when:
+        <condition>
+      <parameters>
+
+...
+```
+
+Where:
+
+* `<processor_name>` specifies a [processor](#processors) that performs some kind of action, such as selecting the fields that are exported or adding metadata to the event.
+* `<condition>` specifies an optional [condition](#conditions). If the condition is present, then the action is executed only if the condition is fulfilled. If no condition is set, then the action is always executed.
+* `<parameters>` is the list of parameters to pass to the processor.
+
+More complex conditional processing can be accomplished by using the if-then-else processor configuration. This allows multiple processors to be executed based on a single condition.
+
+```yaml
+processors:
+  - if:
+      <condition>
+    then: <1>
+      - <processor_name>:
+          <parameters>
+      - <processor_name>:
+          <parameters>
+      ...
+    else: <2>
+      - <processor_name>:
+          <parameters>
+      - <processor_name>:
+          <parameters>
+      ...
+```
+
+1. `then` must contain a single processor or a list of one or more processors to execute when the condition evaluates to true.
+2. `else` is optional. It can contain a single processor or a list of processors to execute when the conditional evaluate to false.
+
+
+## Where are processors valid? [where-valid]
+
+Processors are valid:
+
+* At the top-level in the configuration. The processor is applied to all data collected by Heartbeat.
+* Under a specific monitor. The processor is applied to the data collected for that monitor.
+
+    ```yaml
+    heartbeat.monitors:
+    - type: <monitor_type>
+      processors:
+        - <processor_name>:
+            when:
+              <condition>
+            <parameters>
+    ```
+
+
+
+## Processors [processors]
+
+The supported processors are:
+
+* [`add_cloud_metadata`](/reference/heartbeat/add-cloud-metadata.md)
+* [`add_cloudfoundry_metadata`](/reference/heartbeat/add-cloudfoundry-metadata.md)
+* [`add_docker_metadata`](/reference/heartbeat/add-docker-metadata.md)
+* [`add_fields`](/reference/heartbeat/add-fields.md)
+* [`add_host_metadata`](/reference/heartbeat/add-host-metadata.md)
+* [`add_id`](/reference/heartbeat/add-id.md)
+* [`add_kubernetes_metadata`](/reference/heartbeat/add-kubernetes-metadata.md)
+* [`add_labels`](/reference/heartbeat/add-labels.md)
+* [`add_locale`](/reference/heartbeat/add-locale.md)
+* [`add_nomad_metadata`](/reference/heartbeat/add-nomad-metadata.md)
+* [`add_observer_metadata`](/reference/heartbeat/add-observer-metadata.md)
+* [`add_process_metadata`](/reference/heartbeat/add-process-metadata.md)
+* [`add_tags`](/reference/heartbeat/add-tags.md)
+* [`append`](/reference/heartbeat/append.md)
+* [`community_id`](/reference/heartbeat/community-id.md)
+* [`convert`](/reference/heartbeat/convert.md)
+* [`copy_fields`](/reference/heartbeat/copy-fields.md)
+* [`decode_base64_field`](/reference/heartbeat/decode-base64-field.md)
+* [`decode_duration`](/reference/heartbeat/decode-duration.md)
+* [`decode_json_fields`](/reference/heartbeat/decode-json-fields.md)
+* [`decode_xml`](/reference/heartbeat/decode-xml.md)
+* [`decode_xml_wineventlog`](/reference/heartbeat/decode-xml-wineventlog.md)
+* [`decompress_gzip_field`](/reference/heartbeat/decompress-gzip-field.md)
+* [`detect_mime_type`](/reference/heartbeat/detect-mime-type.md)
+* [`dissect`](/reference/heartbeat/dissect.md)
+* [`dns`](/reference/heartbeat/processor-dns.md)
+* [`drop_event`](/reference/heartbeat/drop-event.md)
+* [`drop_fields`](/reference/heartbeat/drop-fields.md)
+* [`extract_array`](/reference/heartbeat/extract-array.md)
+* [`fingerprint`](/reference/heartbeat/fingerprint.md)
+* [`include_fields`](/reference/heartbeat/include-fields.md)
+* [`move-fields`](/reference/heartbeat/move-fields.md)
+* [`rate_limit`](/reference/heartbeat/rate-limit.md)
+* [`registered_domain`](/reference/heartbeat/processor-registered-domain.md)
+* [`rename`](/reference/heartbeat/rename-fields.md)
+* [`replace`](/reference/heartbeat/replace-fields.md)
+* [`script`](/reference/heartbeat/processor-script.md)
+* [`syslog`](/reference/heartbeat/syslog.md)
+* [`translate_ldap_attribute`](/reference/heartbeat/processor-translate-guid.md)
+* [`translate_sid`](/reference/heartbeat/processor-translate-sid.md)
+* [`truncate_fields`](/reference/heartbeat/truncate-fields.md)
+* [`urldecode`](/reference/heartbeat/urldecode.md)
+
+
+## Conditions [conditions]
+
+Each condition receives a field to compare. You can specify multiple fields under the same condition by using `AND` between the fields (for example, `field1 AND field2`).
+
+For each field, you can specify a simple field name or a nested map, for example `dns.question.name`.
+
+See [Exported fields](/reference/heartbeat/exported-fields.md) for a list of all the fields that are exported by Heartbeat.
+
+The supported conditions are:
+
+* [`equals`](#condition-equals)
+* [`contains`](#condition-contains)
+* [`regexp`](#condition-regexp)
+* [`range`](#condition-range)
+* [`network`](#condition-network)
+* [`has_fields`](#condition-has_fields)
+* [`or`](#condition-or)
+* [`and`](#condition-and)
+* [`not`](#condition-not)
+
+
+#### `equals` [condition-equals]
+
+With the `equals` condition, you can compare if a field has a certain value. The condition accepts only an integer or a string value.
+
+For example, the following condition checks if the response code of the HTTP transaction is 200:
+
+```yaml
+equals:
+  http.response.code: 200
+```
+
+
+#### `contains` [condition-contains]
+
+The `contains` condition checks if a value is part of a field. The field can be a string or an array of strings. The condition accepts only a string value.
+
+For example, the following condition checks if an error is part of the transaction status:
+
+```yaml
+contains:
+  status: "Specific error"
+```
+
+
+#### `regexp` [condition-regexp]
+
+The `regexp` condition checks the field against a regular expression. The condition accepts only strings.
+
+For example, the following condition checks if the process name starts with `foo`:
+
+```yaml
+regexp:
+  system.process.name: "^foo.*"
+```
+
+
+#### `range` [condition-range]
+
+The `range` condition checks if the field is in a certain range of values. The condition supports `lt`, `lte`, `gt` and `gte`. The condition accepts only integer, float, or strings that can be converted to either of these as values.
+
+For example, the following condition checks for failed HTTP transactions by comparing the `http.response.code` field with 400.
+
+```yaml
+range:
+  http.response.code:
+    gte: 400
+```
+
+This can also be written as:
+
+```yaml
+range:
+  http.response.code.gte: 400
+```
+
+The following condition checks if the CPU usage in percentage has a value between 0.5 and 0.8.
+
+```yaml
+range:
+  system.cpu.user.pct.gte: 0.5
+  system.cpu.user.pct.lt: 0.8
+```
+
+
+#### `network` [condition-network]
+
+The `network` condition checks whether a field’s value falls within a specified IP network range. If multiple fields are provided, each field value must match its corresponding network range. You can specify multiple network ranges for a single field, and a match occurs if any one of the ranges matches. If the field value is an array of IPs, it will match if any of the IPs fall within any of the given ranges. Both IPv4 and IPv6 addresses are supported.
+
+The network range may be specified using CIDR notation, like "192.0.2.0/24" or "2001:db8::/32", or by using one of these named ranges:
+
+* `loopback` - Matches loopback addresses in the range of `127.0.0.0/8` or `::1/128`.
+* `unicast` - Matches global unicast addresses defined in RFC 1122, RFC 4632, and RFC 4291 with the exception of the IPv4 broadcast address (`255.255.255.255`). This includes private address ranges.
+* `multicast` - Matches multicast addresses.
+* `interface_local_multicast` - Matches IPv6 interface-local multicast addresses.
+* `link_local_unicast` - Matches link-local unicast addresses.
+* `link_local_multicast` - Matches link-local multicast addresses.
+* `private` - Matches private address ranges defined in RFC 1918 (IPv4) and RFC 4193 (IPv6).
+* `public` - Matches addresses that are not loopback, unspecified, IPv4 broadcast, link local unicast, link local multicast, interface local multicast, or private.
+* `unspecified` - Matches unspecified addresses (either the IPv4 address "0.0.0.0" or the IPv6 address "::").
+
+The following condition returns true if the `source.ip` value is within the private address space.
+
+```yaml
+network:
+  source.ip: private
+```
+
+This condition returns true if the `destination.ip` value is within the IPv4 range of `192.168.1.0` - `192.168.1.255`.
+
+```yaml
+network:
+  destination.ip: '192.168.1.0/24'
+```
+
+And this condition returns true when `destination.ip` is within any of the given subnets.
+
+```yaml
+network:
+  destination.ip: ['192.168.1.0/24', '10.0.0.0/8', loopback]
+```
+
+
+#### `has_fields` [condition-has_fields]
+
+The `has_fields` condition checks if all the given fields exist in the event. The condition accepts a list of string values denoting the field names.
+
+For example, the following condition checks if the `http.response.code` field is present in the event.
+
+```yaml
+has_fields: ['http.response.code']
+```
+
+
+#### `or` [condition-or]
+
+The `or` operator receives a list of conditions.
+
+```yaml
+or:
+  - <condition1>
+  - <condition2>
+  - <condition3>
+  ...
+```
+
+For example, to configure the condition `http.response.code = 304 OR http.response.code = 404`:
+
+```yaml
+or:
+  - equals:
+      http.response.code: 304
+  - equals:
+      http.response.code: 404
+```
+
+
+#### `and` [condition-and]
+
+The `and` operator receives a list of conditions.
+
+```yaml
+and:
+  - <condition1>
+  - <condition2>
+  - <condition3>
+  ...
+```
+
+For example, to configure the condition `http.response.code = 200 AND status = OK`:
+
+```yaml
+and:
+  - equals:
+      http.response.code: 200
+  - equals:
+      status: OK
+```
+
+To configure a condition like `<condition1> OR <condition2> AND <condition3>`:
+
+```yaml
+or:
+  - <condition1>
+  - and:
+    - <condition2>
+    - <condition3>
+```
+
+
+#### `not` [condition-not]
+
+The `not` operator receives the condition to negate.
+
+```yaml
+not:
+  <condition>
+```
+
+For example, to configure the condition `NOT status = OK`:
+
+```yaml
+not:
+  equals:
+    status: OK
+```
+
+
diff --git a/docs/reference/heartbeat/detect-mime-type.md b/docs/reference/heartbeat/detect-mime-type.md
new file mode 100644
index 000000000000..dba5116120f8
--- /dev/null
+++ b/docs/reference/heartbeat/detect-mime-type.md
@@ -0,0 +1,22 @@
+---
+navigation_title: "detect_mime_type"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/detect-mime-type.html
+---
+
+# Detect mime type [detect-mime-type]
+
+
+The `detect_mime_type` processor attempts to detect a mime type for a field that contains a given stream of bytes. The `field` key contains the field used as the data source and the `target` key contains the field to populate with the detected type. It’s supported to use `@metadata.` prefix for `target` and set the value in the event metadata instead of fields.
+
+```yaml
+processors:
+  - detect_mime_type:
+      field: http.request.body.content
+      target: http.request.mime_type
+```
+
+In the example above: - http.request.body.content is used as the source and http.request.mime_type is set to the detected mime type
+
+See [Conditions](/reference/heartbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/heartbeat/diff-logstash-beats.md b/docs/reference/heartbeat/diff-logstash-beats.md
new file mode 100644
index 000000000000..ba02e631ec51
--- /dev/null
+++ b/docs/reference/heartbeat/diff-logstash-beats.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/diff-logstash-beats.html
+---
+
+# Not sure whether to use Logstash or Beats [diff-logstash-beats]
+
+Beats are lightweight data shippers that you install as agents on your servers to send specific types of operational data to {{es}}. Beats have a small footprint and use fewer system resources than {{ls}}.
+
+{{ls}} has a larger footprint, but provides a broad array of input, filter, and output plugins for collecting, enriching, and transforming data from a variety of sources.
+
+For more information, see the [{{ls}} Introduction](logstash://reference/index.md) and the [Beats Overview](/reference/index.md).
+
diff --git a/docs/reference/heartbeat/directory-layout.md b/docs/reference/heartbeat/directory-layout.md
new file mode 100644
index 000000000000..565556d03fda
--- /dev/null
+++ b/docs/reference/heartbeat/directory-layout.md
@@ -0,0 +1,70 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/directory-layout.html
+---
+
+# Directory layout [directory-layout]
+
+The directory layout of an installation is as follows:
+
+::::{tip}
+Archive installation has a different layout. See [zip, tar.gz, or tgz](#directory-layout-archive).
+::::
+
+
+| Type | Description | Default Location | Config Option |
+| --- | --- | --- | --- |
+| home | Home of the Heartbeat installation. |  | `path.home` |
+| bin | The location for the binary files. | `{path.home}/bin` |  |
+| config | The location for configuration files. | `{path.home}` | `path.config` |
+| data | The location for persistent data files. | `{path.home}/data` | `path.data` |
+| logs | The location for the logs created by Heartbeat. | `{path.home}/logs` | `path.logs` |
+
+You can change these settings by using CLI flags or setting [path options](/reference/heartbeat/configuration-path.md) in the configuration file.
+
+## Default paths [_default_paths]
+
+Heartbeat uses the following default paths unless you explicitly change them.
+
+
+#### deb and rpm [_deb_and_rpm]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Heartbeat installation. | `/usr/share/heartbeat` |
+| bin | The location for the binary files. | `/usr/share/heartbeat/bin` |
+| config | The location for configuration files. | `/etc/heartbeat` |
+| data | The location for persistent data files. | `/var/lib/heartbeat` |
+| logs | The location for the logs created by Heartbeat. | `/var/log/heartbeat` |
+
+For the deb and rpm distributions, these paths are set in the init script or in the systemd unit file.  Make sure that you start the Heartbeat service by using the preferred operating system method (init scripts or `systemctl`). Otherwise the paths might be set incorrectly.
+
+
+#### docker [_docker]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Heartbeat installation. | `/usr/share/heartbeat` |
+| bin | The location for the binary files. | `/usr/share/heartbeat` |
+| config | The location for configuration files. | `/usr/share/heartbeat` |
+| data | The location for persistent data files. | `/usr/share/heartbeat/data` |
+| logs | The location for the logs created by Heartbeat. | `/usr/share/heartbeat/logs` |
+
+
+#### zip, tar.gz, or tgz [directory-layout-archive]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Heartbeat installation. | `{extract.path}` |
+| bin | The location for the binary files. | `{extract.path}` |
+| config | The location for configuration files. | `{extract.path}` |
+| data | The location for persistent data files. | `{extract.path}/data` |
+| logs | The location for the logs created by Heartbeat. | `{extract.path}/logs` |
+
+For the zip, tar.gz, or tgz distributions, these paths are based on the location of the extracted binary file. This means that if you start Heartbeat with the following simple command, all paths are set correctly:
+
+```sh
+./heartbeat
+```
+
+
diff --git a/docs/reference/heartbeat/discard-output.md b/docs/reference/heartbeat/discard-output.md
new file mode 100644
index 000000000000..2c9a41262819
--- /dev/null
+++ b/docs/reference/heartbeat/discard-output.md
@@ -0,0 +1,37 @@
+---
+navigation_title: "Discard"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/discard-output.html
+---
+
+# Configure the Discard output [discard-output]
+
+
+The Discard output throws away data.
+
+::::{warning}
+The Discard output should be used only for development or debugging issues. Data is lost.
+::::
+
+
+This can be useful if you want to work on your input configuration without needing to configure an output. It can also be useful to test how changes in input and processor configuration affect performance.
+
+Example configuration:
+
+```yaml
+output.discard:
+  enabled: true
+```
+
+## Configuration options [_configuration_options_8]
+
+You can specify the following `output.discard` options in the `heartbeat.yml` config file:
+
+### `enabled` [_enabled_7]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+
diff --git a/docs/reference/heartbeat/dissect.md b/docs/reference/heartbeat/dissect.md
new file mode 100644
index 000000000000..ac0c3c7b5655
--- /dev/null
+++ b/docs/reference/heartbeat/dissect.md
@@ -0,0 +1,95 @@
+---
+navigation_title: "dissect"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/dissect.html
+---
+
+# Dissect strings [dissect]
+
+
+The `dissect` processor tokenizes incoming strings using defined patterns.
+
+```yaml
+processors:
+  - dissect:
+      tokenizer: "%{key1} %{key2} %{key3|convert_datatype}"
+      field: "message"
+      target_prefix: "dissect"
+```
+
+The `dissect` processor has the following configuration settings:
+
+`tokenizer`
+:   The field used to define the **dissection** pattern. Optional convert datatype can be provided after the key using `|` as separator to convert the value from string to integer, long, float, double, boolean or ip.
+
+`field`
+:   (Optional) The event field to tokenize. Default is `message`.
+
+`target_prefix`
+:   (Optional) The name of the field where the values will be extracted. When an empty string is defined, the processor will create the keys at the root of the event. Default is `dissect`. When the target key already exists in the event, the processor won’t replace it and log an error; you need to either drop or rename the key before using dissect, or enable the `overwrite_keys` flag.
+
+`ignore_failure`
+:   (Optional) Flag to control whether the processor returns an error if the tokenizer fails to match the message field. If set to true, the processor will silently restore the original event, allowing execution of subsequent processors (if any). If set to false (default), the processor will log an error, preventing execution of other processors.
+
+`overwrite_keys`
+:   (Optional) When set to true, the processor will overwrite existing keys in the event. The default is false, which causes the processor to fail when a key already exists.
+
+`trim_values`
+:   (Optional) Enables the trimming of the extracted values. Useful to remove leading and/or trailing spaces. Possible values are:
+
+    * `none`: (default) no trimming is performed.
+    * `left`: values are trimmed on the left (leading).
+    * `right`: values are trimmed on the right (trailing).
+    * `all`: values are trimmed for leading and trailing.
+
+
+`trim_chars`
+:   (Optional) Set of characters to trim from values, when trimming is enabled. The default is to trim the space character (`" "`). To trim multiple characters, simply set it to a string containing all characters to trim. For example, `trim_chars: " \t"` will trim spaces and/or tabs.
+
+For tokenization to be successful, all keys must be found and extracted, if one of them cannot be found an error will be logged and no modification is done on the original event.
+
+::::{note}
+A key can contain any characters except reserved suffix or prefix modifiers:  `/`,`&`, `+`, `#` and `?`.
+::::
+
+
+See [Conditions](/reference/heartbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+## Dissect example [dissect-example]
+
+For this example, imagine that an application generates the following messages:
+
+```sh
+"321 - App01 - WebServer is starting"
+"321 - App01 - WebServer is up and running"
+"321 - App01 - WebServer is scaling 2 pods"
+"789 - App02 - Database is will be restarted in 5 minutes"
+"789 - App02 - Database is up and running"
+"789 - App02 - Database is refreshing tables"
+```
+
+Use the `dissect` processor to split each message into three fields, for example, `service.pid`, `service.name` and `service.status`:
+
+```yaml
+processors:
+  - dissect:
+      tokenizer: '"%{service.pid|integer} - %{service.name} - %{service.status}"'
+      field: "message"
+      target_prefix: ""
+```
+
+This configuration produces fields like:
+
+```json
+"service": {
+  "pid": 321,
+  "name": "App01",
+  "status": "WebServer is up and running"
+},
+```
+
+`service.name` is an ECS [keyword field](elasticsearch://reference/elasticsearch/mapping-reference/keyword.md), which means that you can use it in {{es}} for filtering, sorting, and aggregations.
+
+When possible, use ECS-compatible field names. For more information, see the [Elastic Common Schema](ecs://reference/index.md) documentation.
+
+
diff --git a/docs/reference/heartbeat/drop-event.md b/docs/reference/heartbeat/drop-event.md
new file mode 100644
index 000000000000..56da50afc4fb
--- /dev/null
+++ b/docs/reference/heartbeat/drop-event.md
@@ -0,0 +1,20 @@
+---
+navigation_title: "drop_event"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/drop-event.html
+---
+
+# Drop events [drop-event]
+
+
+The `drop_event` processor drops the entire event if the associated condition is fulfilled. The condition is mandatory, because without one, all the events are dropped.
+
+```yaml
+processors:
+  - drop_event:
+      when:
+        condition
+```
+
+See [Conditions](/reference/heartbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/heartbeat/drop-fields.md b/docs/reference/heartbeat/drop-fields.md
new file mode 100644
index 000000000000..6290aca86cff
--- /dev/null
+++ b/docs/reference/heartbeat/drop-fields.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "drop_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/drop-fields.html
+---
+
+# Drop fields from events [drop-fields]
+
+
+The `drop_fields` processor specifies which fields to drop if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always dropped. The `@timestamp` and `type` fields cannot be dropped, even if they show up in the `drop_fields` list.
+
+```yaml
+processors:
+  - drop_fields:
+      when:
+        condition
+      fields: ["field1", "field2", ...]
+      ignore_missing: false
+```
+
+See [Conditions](/reference/heartbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+::::{note}
+If you define an empty list of fields under `drop_fields`, then no fields are dropped.
+::::
+
+
+The `drop_fields` processor has the following configuration settings:
+
+`fields`
+:   If non-empty, a list of matching field names will be removed. Any element in array can contain a regular expression delimited by two slashes (*/reg_exp/*), in order to match (name) and remove more than one field.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
diff --git a/docs/reference/heartbeat/elasticsearch-output.md b/docs/reference/heartbeat/elasticsearch-output.md
new file mode 100644
index 000000000000..9f216862fb6a
--- /dev/null
+++ b/docs/reference/heartbeat/elasticsearch-output.md
@@ -0,0 +1,518 @@
+---
+navigation_title: "Elasticsearch"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/elasticsearch-output.html
+---
+
+# Configure the Elasticsearch output [elasticsearch-output]
+
+
+The Elasticsearch output sends events directly to Elasticsearch using the Elasticsearch HTTP API.
+
+Example configuration:
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"] <1>
+```
+
+1. To enable SSL, add `https` to all URLs defined under *hosts*.
+
+
+When sending data to a secured cluster through the `elasticsearch` output, Heartbeat can use any of the following authentication methods:
+
+* Basic authentication credentials (username and password).
+* Token-based (API key) authentication.
+* Public Key Infrastructure (PKI) certificates.
+
+**Basic authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  username: "heartbeat_writer"
+  password: "{pwd}"
+```
+
+**API key authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  api_key: "ZCV7VnwBgnX0T19fN8Qe:KnR6yE41RrSowb0kQ0HWoA"
+```
+
+**PKI certificate authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  ssl.certificate: "/etc/pki/client/cert.pem"
+  ssl.key: "/etc/pki/client/cert.key"
+```
+
+See [*Secure communication with Elasticsearch*](/reference/heartbeat/securing-communication-elasticsearch.md) for details on each authentication method.
+
+## Compatibility [_compatibility]
+
+This output works with all compatible versions of Elasticsearch. See the [Elastic Support Matrix](https://www.elastic.co/support/matrix#matrix_compatibility).
+
+Optionally, you can set Heartbeat to only connect to instances that are at least on the same version as the Beat. The check can be enabled by setting `output.elasticsearch.allow_older_versions` to `false`. Leaving the setting at it’s default value of `true` avoids an issue where Heartbeat cannot connect to {{es}} after having been upgraded to a version higher than the {{stack}}.
+
+
+## Configuration options [_configuration_options_2]
+
+You can specify the following options in the `elasticsearch` section of the `heartbeat.yml` config file:
+
+### `enabled` [_enabled]
+
+The enabled config is a boolean setting to enable or disable the output. If set to `false`, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [hosts-option]
+
+The list of Elasticsearch nodes to connect to. The events are distributed to these nodes in round robin order. If one node becomes unreachable, the event is automatically sent to another node. Each Elasticsearch node can be defined as a `URL` or `IP:PORT`. For example: `http://192.15.3.2`, `https://es.found.io:9230` or `192.24.3.2:9300`. If no port is specified, `9200` is used.
+
+::::{note}
+When a node is defined as an `IP:PORT`, the *scheme* and *path* are taken from the [`protocol`](#protocol-option) and [`path`](#path-option) config options.
+::::
+
+
+```yaml
+output.elasticsearch:
+  hosts: ["10.45.3.2:9220", "10.45.3.1:9230"]
+  protocol: https
+  path: /elasticsearch
+```
+
+In the previous example, the Elasticsearch nodes are available at `https://10.45.3.2:9220/elasticsearch` and `https://10.45.3.1:9230/elasticsearch`.
+
+
+### `compression_level` [compression-level-option]
+
+The gzip compression level. Setting this value to `0` disables compression. The compression level must be in the range of `1` (best speed) to `9` (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the cpu usage.
+
+The default value is `1`.
+
+
+### `escape_html` [_escape_html]
+
+Configure escaping of HTML in strings. Set to `true` to enable escaping.
+
+The default value is `false`.
+
+
+### `worker` or `workers` [worker-option]
+
+The number of workers per configured host publishing events to Elasticsearch. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+The default value is `1`.
+
+
+### `loadbalance` [_loadbalance]
+
+When `loadbalance: true` is set, Heartbeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Heartbeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Heartbeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Heartbeat can connect to at least one of its configured hosts.
+
+The default value is `true`.
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200", "localhost:9201"]
+  loadbalance: true
+```
+
+
+### `api_key` [_api_key]
+
+Instead of using a username and password, you can use API keys to secure communication with {{es}}. The value must be the ID of the API key and the API key joined by a colon: `id:api_key`.
+
+See [*Grant access using API keys*](/reference/heartbeat/beats-api-keys.md) for more information.
+
+
+### `username` [_username]
+
+The basic authentication username for connecting to Elasticsearch.
+
+This user needs the privileges required to publish events to {{es}}. To create a user like this, see [Create a *publishing* user](/reference/heartbeat/privileges-to-publish-events.md).
+
+
+### `password` [_password]
+
+The basic authentication password for connecting to Elasticsearch.
+
+
+### `parameters` [_parameters]
+
+Dictionary of HTTP parameters to pass within the url with index operations.
+
+
+### `protocol` [protocol-option]
+
+The name of the protocol Elasticsearch is reachable on. The options are: `http` or `https`. The default is `http`. However, if you specify a URL for [`hosts`](#hosts-option), the value of `protocol` is overridden by whatever scheme you specify in the URL.
+
+
+### `path` [path-option]
+
+An HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where Elasticsearch listens behind an HTTP reverse proxy that exports the API under a custom prefix.
+
+
+### `headers` [_headers]
+
+Custom HTTP headers to add to each request created by the Elasticsearch output. Example:
+
+```yaml
+output.elasticsearch.headers:
+  X-My-Header: Header contents
+```
+
+It is possible to specify multiple header values for the same header name by separating them with a comma.
+
+
+### `proxy_disable` [_proxy_disable]
+
+If set to `true` all proxy settings, including `HTTP_PROXY` and `HTTPS_PROXY` variables are ignored.
+
+
+### `proxy_url` [_proxy_url]
+
+The URL of the proxy to use when connecting to the Elasticsearch servers. The value must be a complete URL. If a value is not specified through the configuration file then proxy environment variables are used. See the [Go documentation](https://golang.org/pkg/net/http/#ProxyFromEnvironment) for more information about the environment variables.
+
+
+### `proxy_headers` [_proxy_headers]
+
+Additional headers to send to proxies during CONNECT requests.
+
+
+### `index` [index-option-es]
+
+The indexing target to write events to. Can point to an [index](https://www.elastic.co/guide/en/elasticsearch/reference/current/index-mgmt.html), [alias](docs-content://manage-data/data-store/aliases.md), or [data stream](docs-content://manage-data/data-store/data-streams.md). When using daily indices, this will be the index name. The default is `"heartbeat-%{[agent.version]}-%{+yyyy.MM.dd}"`, for example, `"heartbeat-9.0.0-beta1-2025-01-30"`. If you change this setting, you also need to configure the `setup.template.name` and `setup.template.pattern` options (see [Elasticsearch index template](/reference/heartbeat/configuration-template.md)).
+
+When [index lifecycle management (ILM)](/reference/heartbeat/ilm.md) is enabled, the default `index` is `"heartbeat-%{[agent.version]}-%{+yyyy.MM.dd}-%{{index_num}}"`, for example, `"heartbeat-9.0.0-beta1-2025-01-30-000001"`. Custom `index` settings are ignored when ILM is enabled. If you’re sending events to a cluster that supports index lifecycle management, see [Index lifecycle management (ILM)](/reference/heartbeat/ilm.md) to learn how to change the index name.
+
+You can set the index dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_type`, to set the index:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  index: "%{[fields.log_type]}-%{[agent.version]}-%{+yyyy.MM.dd}" <1>
+```
+
+1. We recommend including `agent.version` in the name to avoid mapping issues when you upgrade.
+
+
+With this configuration, all events with `log_type: normal` are sent to an index named `normal-9.0.0-beta1-2025-01-30`, and all events with `log_type: critical` are sent to an index named `critical-9.0.0-beta1-2025-01-30`.
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/heartbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`indices`](#indices-option-es) setting for other ways to set the index dynamically.
+
+
+### `indices` [indices-option-es]
+
+An array of index selector rules. Each rule specifies the index to use for events that match the rule. During publishing, Heartbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `indices` setting is missing or no rule matches, the [`index`](#index-option-es) setting is used.
+
+Similar to `index`, defining custom `indices` will disable [Index lifecycle management (ILM)](/reference/heartbeat/ilm.md).
+
+Rule settings:
+
+**`index`**
+:   The index format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `index` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/heartbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sets the index based on whether the `message` field contains the specified string:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  indices:
+    - index: "warning-%{[agent.version]}-%{+yyyy.MM.dd}"
+      when.contains:
+        message: "WARN"
+    - index: "error-%{[agent.version]}-%{+yyyy.MM.dd}"
+      when.contains:
+        message: "ERR"
+```
+
+This configuration results in indices named `warning-9.0.0-beta1-2025-01-30` and `error-9.0.0-beta1-2025-01-30` (plus the default index if no matches are found).
+
+The following example sets the index by taking the name returned by the `index` format string and mapping it to a new name that’s used for the index:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  indices:
+    - index: "%{[fields.log_type]}"
+      mappings:
+        critical: "sev1"
+        normal: "sev2"
+      default: "sev3"
+```
+
+This configuration results in indices named `sev1`, `sev2`, and `sev3`.
+
+The `mappings` setting simplifies the configuration, but is limited to string values. You cannot specify format strings within the mapping pairs.
+
+
+### `ilm` [ilm-es]
+
+Configuration options for index lifecycle management.
+
+See [Index lifecycle management (ILM)](/reference/heartbeat/ilm.md) for more information.
+
+
+### `pipeline` [pipeline-option-es]
+
+A format string value that specifies the ingest pipeline to write events to.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipeline: my_pipeline_id
+```
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+For more information, see [*Parse data using an ingest pipeline*](/reference/heartbeat/configuring-ingest-node.md).
+
+You can set the ingest pipeline dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_type`, to set the pipeline for each event:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipeline: "%{[fields.log_type]}_pipeline"
+```
+
+With this configuration, all events with `log_type: normal` are sent to a pipeline named `normal_pipeline`, and all events with `log_type: critical` are sent to a pipeline named `critical_pipeline`.
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/heartbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`pipelines`](#pipelines-option-es) setting for other ways to set the ingest pipeline dynamically.
+
+
+### `pipelines` [pipelines-option-es]
+
+An array of pipeline selector rules. Each rule specifies the ingest pipeline to use for events that match the rule. During publishing, Heartbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `pipelines` setting is missing or no rule matches, the [`pipeline`](#pipeline-option-es) setting is used.
+
+Rule settings:
+
+**`pipeline`**
+:   The pipeline format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `pipeline` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/heartbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sends events to a specific pipeline based on whether the `message` field contains the specified string:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipelines:
+    - pipeline: "warning_pipeline"
+      when.contains:
+        message: "WARN"
+    - pipeline: "error_pipeline"
+      when.contains:
+        message: "ERR"
+```
+
+The following example sets the pipeline by taking the name returned by the `pipeline` format string and mapping it to a new name that’s used for the pipeline:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipelines:
+    - pipeline: "%{[fields.log_type]}"
+      mappings:
+        critical: "sev1_pipeline"
+        normal: "sev2_pipeline"
+      default: "sev3_pipeline"
+```
+
+With this configuration, all events with `log_type: critical` are sent to `sev1_pipeline`, all events with `log_type: normal` are sent to a `sev2_pipeline`, and all other events are sent to `sev3_pipeline`.
+
+For more information about ingest pipelines, see [*Parse data using an ingest pipeline*](/reference/heartbeat/configuring-ingest-node.md).
+
+
+### `max_retries` [_max_retries]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `bulk_max_size` [bulk-max-size-option]
+
+The maximum number of events to bulk in a single Elasticsearch bulk API index request. The default is 1600.
+
+Events can be collected into batches. Heartbeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `backoff.init` [backoff-init-option]
+
+The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting `backoff.init` seconds, Heartbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is `1s`.
+
+
+### `backoff.max` [backoff-max-option]
+
+The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. The default is `60s`.
+
+
+### `idle_connection_timeout` [idle-connection-timeout-option]
+
+The maximum amount of time an idle connection will remain idle before closing itself. Zero means no limit. The format is a Go language duration (example 60s is 60 seconds). The default is 3s.
+
+
+### `timeout` [_timeout]
+
+The http request timeout in seconds for the Elasticsearch request. The default is 90.
+
+
+### `allow_older_versions` [_allow_older_versions]
+
+By default, Heartbeat expects the Elasticsearch instance to be on the same or newer version to provide optimal experience. We suggest you connect to the same version to make sure all features Heartbeat is using are available in your Elasticsearch instance.
+
+You can disable the check for example during updating the Elastic Stack, so data collection can go on.
+
+
+### `ssl` [_ssl]
+
+Configuration options for SSL parameters like the certificate authority to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to Elasticsearch.
+
+See the [secure communication with {{es}}](/reference/heartbeat/securing-communication-elasticsearch.md) guide or [SSL configuration reference](/reference/heartbeat/configuration-ssl.md) for more information.
+
+
+### `kerberos` [_kerberos]
+
+Configuration options for Kerberos authentication.
+
+See [Kerberos](/reference/heartbeat/configuration-kerberos.md) for more information.
+
+
+### `queue` [_queue]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/heartbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `heartbeat.yml` or the `output` section but not both. ===== `non_indexable_policy`
+
+Specifies the behavior when the elasticsearch cluster explicitly rejects documents, for example on mapping conflicts.
+
+#### `drop` [_drop]
+
+The default behaviour, when an event is explicitly rejected by elasticsearch it is dropped.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  non_indexable_policy.drop: ~
+```
+
+
+#### `dead_letter_index` [_dead_letter_index]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+On an explicit rejection, this policy will retry the event in the next batch. However, the target index will change to index specified. In addition, the structure of the event will be change to the following fields:
+
+message
+:   Contains the escaped json of the original event.
+
+error.type
+:   Contains the status code
+
+error.message
+:   Contains status returned by elasticsearch, describing the reason
+
+`index`
+:   The index to send rejected events to.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  non_indexable_policy.dead_letter_index:
+    index: "my-dead-letter-index"
+```
+
+
+
+### `preset` [_preset]
+
+The performance preset to apply to the output configuration.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  preset: balanced
+```
+
+Performance presets apply a set of configuration overrides based on a desired performance goal. If set, a performance preset will override other configuration flags to match the recommended settings for that preset. If a preset doesn’t set a value for a particular field, the user-specified value will be used if present, otherwise the default. Valid options are: * `balanced`: good starting point for general efficiency * `throughput`: good for high data volumes, may increase cpu and memory requirements * `scale`: reduces ambient resource use in large low-throughput deployments * `latency`: minimize the time for fresh data to become visible in Elasticsearch * `custom`: apply user configuration directly with no overrides
+
+The default if unspecified is `custom`.
+
+Presets represent current recommendations based on the intended goal; their effect may change between versions to better suit those goals. Currently the presets have the following effects:
+
+| preset | balanced | throughput | scale | latency |
+| --- | --- | --- | --- | --- |
+| [`bulk_max_size`](#bulk-max-size-option) | 1600 | 1600 | 1600 | 50 |
+| [`worker`](#worker-option) | 1 | 4 | 1 | 1 |
+| [`queue.mem.events`](/reference/heartbeat/configuring-internal-queue.md#queue-mem-events-option) | 3200 | 12800 | 3200 | 4100 |
+| [`queue.mem.flush.min_events`](/reference/heartbeat/configuring-internal-queue.md#queue-mem-flush-min-events-option) | 1600 | 1600 | 1600 | 2050 |
+| [`queue.mem.flush.timeout`](/reference/heartbeat/configuring-internal-queue.md#queue-mem-flush-timeout-option) | `10s` | `5s` | `20s` | `1s` |
+| [`compression_level`](#compression-level-option) | 1 | 1 | 1 | 1 |
+| [`idle_connection_timeout`](#idle-connection-timeout-option) | `3s` | `15s` | `1s` | `60s` |
+| [`backoff.init`](#backoff-init-option) | none | none | `5s` | none |
+| [`backoff.max`](#backoff-max-option) | none | none | `300s` | none |
+
+
+
+## Elasticsearch APIs [es-apis]
+
+Heartbeat will use the `_bulk` API from {{es}}, the events are sent in the order they arrive to the publishing pipeline, a single `_bulk` request may contain events from different inputs/modules. Temporary failures are re-tried.
+
+The status code for each event is checked and handled as:
+
+* `< 300`: The event is counted as `events.acked`
+* `409` (Conflict): The event is counted as `events.duplicates`
+* `429` (Too Many Requests): The event is counted as `events.toomany`
+* `> 399 and < 500`: The `non_indexable_policy` is applied.
+
+
diff --git a/docs/reference/heartbeat/enable-heartbeat-debugging.md b/docs/reference/heartbeat/enable-heartbeat-debugging.md
new file mode 100644
index 000000000000..07e32347ba5b
--- /dev/null
+++ b/docs/reference/heartbeat/enable-heartbeat-debugging.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/enable-heartbeat-debugging.html
+---
+
+# Debug [enable-heartbeat-debugging]
+
+By default, Heartbeat sends all its output to syslog. When you run Heartbeat in the foreground, you can use the `-e` command line flag to redirect the output to standard error instead. For example:
+
+```sh
+heartbeat -e
+```
+
+The default configuration file is heartbeat.yml (the location of the file varies by platform). You can use a different configuration file by specifying the `-c` flag. For example:
+
+```sh
+heartbeat -e -c myheartbeatconfig.yml
+```
+
+You can increase the verbosity of debug messages by enabling one or more debug selectors. For example, to view publisher-related messages, start Heartbeat with the `publisher` selector:
+
+```sh
+heartbeat -e -d "publisher"
+```
+
+If you want all the debugging output (fair warning, it’s quite a lot), you can use `*`, like this:
+
+```sh
+heartbeat -e -d "*"
+```
+
diff --git a/docs/reference/heartbeat/error-found-unexpected-character.md b/docs/reference/heartbeat/error-found-unexpected-character.md
new file mode 100644
index 000000000000..1d5e4cf8817a
--- /dev/null
+++ b/docs/reference/heartbeat/error-found-unexpected-character.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/error-found-unexpected-character.html
+---
+
+# Found unexpected or unknown characters [error-found-unexpected-character]
+
+Either there is a problem with the structure of your config file, or you have used a path or expression that the YAML parser cannot resolve because the config file contains characters that aren’t properly escaped.
+
+If the YAML file contains paths with spaces or unusual characters, wrap the paths in single quotation marks (see [Wrap paths in single quotation marks](/reference/heartbeat/yaml-tips.md#wrap-paths-in-quotes)).
+
+Also see the general advice under [*Avoid YAML formatting problems*](/reference/heartbeat/yaml-tips.md).
+
diff --git a/docs/reference/heartbeat/error-loading-config.md b/docs/reference/heartbeat/error-loading-config.md
new file mode 100644
index 000000000000..264fbf45a133
--- /dev/null
+++ b/docs/reference/heartbeat/error-loading-config.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/error-loading-config.html
+---
+
+# Error loading config file [error-loading-config]
+
+You may encounter errors loading the config file on POSIX operating systems if:
+
+* an unauthorized user tries to load the config file, or
+* the config file has the wrong permissions.
+
+See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md) for more about resolving these errors.
+
diff --git a/docs/reference/heartbeat/exported-fields-beat-common.md b/docs/reference/heartbeat/exported-fields-beat-common.md
new file mode 100644
index 000000000000..f48f6093737b
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-beat-common.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-beat-common.html
+---
+
+# Beat fields [exported-fields-beat-common]
+
+Contains common beat fields available in all event types.
+
+**`agent.hostname`**
+:   Deprecated - use agent.name or agent.id to identify an agent.
+
+type: alias
+
+alias to: agent.name
+
+
+**`beat.timezone`**
+:   type: alias
+
+alias to: event.timezone
+
+
+**`fields`**
+:   Contains user configurable fields.
+
+type: object
+
+
+**`beat.name`**
+:   type: alias
+
+alias to: host.name
+
+
+**`beat.hostname`**
+:   type: alias
+
+alias to: agent.name
+
+
+**`timeseries.instance`**
+:   Time series instance id
+
+type: keyword
+
+
diff --git a/docs/reference/heartbeat/exported-fields-browser.md b/docs/reference/heartbeat/exported-fields-browser.md
new file mode 100644
index 000000000000..476142650835
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-browser.md
@@ -0,0 +1,102 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-browser.html
+---
+
+# Synthetics browser metrics fields [exported-fields-browser]
+
+None
+
+
+## browser [_browser]
+
+Browser metrics and traces
+
+
+## experience [_experience]
+
+Absolute values of all user experience metrics in the browser relative to the navigation start event in microseconds
+
+
+## fcp [_fcp]
+
+duration of First contentful paint metric
+
+**`browser.experience.fcp.us`**
+:   type: integer
+
+
+
+## lcp [_lcp]
+
+duration of Largest contentful paint metric
+
+**`browser.experience.lcp.us`**
+:   type: integer
+
+
+
+## dcl [_dcl]
+
+duration of Document content loaded end event
+
+**`browser.experience.dcl.us`**
+:   type: integer
+
+
+
+## load [_load]
+
+duration of Load end event
+
+**`browser.experience.load.duration`**
+:   type: integer
+
+
+**`browser.experience.cls`**
+:   culumative layout shift score across all frames
+
+type: integer
+
+
+
+## relative_trace [_relative_trace]
+
+trace event with timing information that are realtive to journey timings in microseconds
+
+**`browser.relative_trace.name`**
+:   name of the trace event
+
+type: keyword
+
+
+**`browser.relative_trace.type`**
+:   could be one of mark or measure event types
+
+type: text
+
+
+
+## start [_start]
+
+monotonically increasing trace start time in microseconds
+
+**`browser.relative_trace.start.us`**
+:   type: long
+
+
+
+## duration [_duration]
+
+duration of the trace event in microseconds.
+
+**`browser.relative_trace.duration.us`**
+:   type: integer
+
+
+**`browser.relative_trace.score`**
+:   weighted score of the layout shift event
+
+type: integer
+
+
diff --git a/docs/reference/heartbeat/exported-fields-cloud.md b/docs/reference/heartbeat/exported-fields-cloud.md
new file mode 100644
index 000000000000..d905617a9508
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-cloud.md
@@ -0,0 +1,57 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-cloud.html
+---
+
+# Cloud provider metadata fields [exported-fields-cloud]
+
+Metadata from cloud providers added by the add_cloud_metadata processor.
+
+**`cloud.image.id`**
+:   Image ID for the cloud instance.
+
+example: ami-abcd1234
+
+
+**`meta.cloud.provider`**
+:   type: alias
+
+alias to: cloud.provider
+
+
+**`meta.cloud.instance_id`**
+:   type: alias
+
+alias to: cloud.instance.id
+
+
+**`meta.cloud.instance_name`**
+:   type: alias
+
+alias to: cloud.instance.name
+
+
+**`meta.cloud.machine_type`**
+:   type: alias
+
+alias to: cloud.machine.type
+
+
+**`meta.cloud.availability_zone`**
+:   type: alias
+
+alias to: cloud.availability_zone
+
+
+**`meta.cloud.project_id`**
+:   type: alias
+
+alias to: cloud.project.id
+
+
+**`meta.cloud.region`**
+:   type: alias
+
+alias to: cloud.region
+
+
diff --git a/docs/reference/heartbeat/exported-fields-common.md b/docs/reference/heartbeat/exported-fields-common.md
new file mode 100644
index 000000000000..6d939c7ab60d
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-common.md
@@ -0,0 +1,116 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-common.html
+---
+
+# Common heartbeat monitor fields [exported-fields-common]
+
+None
+
+
+## monitor [_monitor]
+
+Common monitor fields.
+
+**`monitor.type`**
+:   The monitor type.
+
+type: keyword
+
+
+**`monitor.name`**
+:   The monitors configured name
+
+type: keyword
+
+
+**`monitor.name.text`**
+:   type: text
+
+
+**`monitor.id`**
+:   The monitors full job ID as used by heartbeat.
+
+type: keyword
+
+
+**`monitor.id.text`**
+:   type: text
+
+
+
+## duration [_duration_2]
+
+Total monitoring test duration
+
+**`monitor.duration.us`**
+:   Duration in microseconds
+
+type: long
+
+
+**`monitor.scheme`**
+:   Address url scheme. For example `tcp`, `tls`, `http`, and `https`.
+
+type: alias
+
+alias to: url.scheme
+
+
+**`monitor.host`**
+:   Hostname of service being monitored. Can be missing, if service is monitored by IP.
+
+type: alias
+
+alias to: url.domain
+
+
+**`monitor.ip`**
+:   IP of service being monitored. If service is monitored by hostname, the `ip` field contains the resolved ip address for the current host.
+
+type: ip
+
+
+**`monitor.status`**
+:   Indicator if monitor could validate the service to be available.
+
+type: keyword
+
+required: True
+
+
+**`monitor.check_group`**
+:   A token unique to a simultaneously invoked group of checks as in the case where multiple IPs are checked for a single DNS entry.
+
+type: keyword
+
+
+**`monitor.timespan`**
+:   Time range this ping reported starting at the instant the check was started, ending at the start of the next scheduled check.
+
+type: date_range
+
+
+**`monitor.origin`**
+:   The origin of this monitor configuration, usually either "ui", or "project"
+
+type: keyword
+
+
+
+## project [_project]
+
+Project info for this monitor
+
+**`monitor.project.id`**
+:   Project ID
+
+type: keyword
+
+
+**`monitor.project.name`**
+:   Project name
+
+type: keyword
+
+
diff --git a/docs/reference/heartbeat/exported-fields-docker-processor.md b/docs/reference/heartbeat/exported-fields-docker-processor.md
new file mode 100644
index 000000000000..c985d77d8c1d
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-docker-processor.md
@@ -0,0 +1,33 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-docker-processor.html
+---
+
+# Docker fields [exported-fields-docker-processor]
+
+Docker stats collected from Docker.
+
+**`docker.container.id`**
+:   type: alias
+
+alias to: container.id
+
+
+**`docker.container.image`**
+:   type: alias
+
+alias to: container.image.name
+
+
+**`docker.container.name`**
+:   type: alias
+
+alias to: container.name
+
+
+**`docker.container.labels`**
+:   Image labels.
+
+type: object
+
+
diff --git a/docs/reference/heartbeat/exported-fields-ecs.md b/docs/reference/heartbeat/exported-fields-ecs.md
new file mode 100644
index 000000000000..fbe86dfcdbd2
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-ecs.md
@@ -0,0 +1,10423 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-ecs.html
+---
+
+# ECS fields [exported-fields-ecs]
+
+This section defines Elastic Common Schema (ECS) fields—a common set of fields to be used when storing event data in {{es}}.
+
+This is an exhaustive list, and fields listed here are not necessarily used by Heartbeat. The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events.
+
+See the [ECS reference](ecs://reference/index.md) for more information.
+
+**`@timestamp`**
+:   Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+required: True
+
+
+**`labels`**
+:   Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels.
+
+type: object
+
+example: {"application": "foo-bar", "env": "production"}
+
+
+**`message`**
+:   For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.
+
+type: match_only_text
+
+example: Hello World
+
+
+**`tags`**
+:   List of keywords used to tag each event.
+
+type: keyword
+
+example: ["production", "env2"]
+
+
+
+## agent [_agent]
+
+The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
+
+**`agent.build.original`**
+:   Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required.
+
+type: keyword
+
+example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]
+
+
+**`agent.ephemeral_id`**
+:   Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`agent.id`**
+:   Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
+
+type: keyword
+
+example: 8a4f500d
+
+
+**`agent.name`**
+:   Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.
+
+type: keyword
+
+example: foo
+
+
+**`agent.type`**
+:   Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.
+
+type: keyword
+
+example: filebeat
+
+
+**`agent.version`**
+:   Version of the agent.
+
+type: keyword
+
+example: 6.0.0-rc2
+
+
+
+## as [_as]
+
+An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
+
+**`as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`as.organization.name.text`**
+:   type: match_only_text
+
+
+
+## client [_client]
+
+A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
+
+**`client.address`**
+:   Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`client.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`client.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`client.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`client.bytes`**
+:   Bytes sent from the client to the server.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`client.domain`**
+:   The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`client.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`client.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`client.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`client.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`client.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`client.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`client.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`client.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`client.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`client.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`client.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`client.ip`**
+:   IP address of the client (IPv4 or IPv6).
+
+type: ip
+
+
+**`client.mac`**
+:   MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`client.nat.ip`**
+:   Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`client.nat.port`**
+:   Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`client.packets`**
+:   Packets sent from the client to the server.
+
+type: long
+
+example: 12
+
+
+**`client.port`**
+:   Port of the client.
+
+type: long
+
+format: string
+
+
+**`client.registered_domain`**
+:   The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`client.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`client.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`client.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`client.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`client.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`client.user.full_name.text`**
+:   type: match_only_text
+
+
+**`client.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`client.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`client.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`client.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`client.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`client.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`client.user.name.text`**
+:   type: match_only_text
+
+
+**`client.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## cloud [_cloud]
+
+Fields related to the cloud or infrastructure the events are coming from.
+
+**`cloud.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.origin.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.origin.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.origin.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.origin.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.origin.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.origin.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.origin.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.origin.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.origin.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.origin.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.origin.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+**`cloud.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+**`cloud.target.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.target.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.target.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.target.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.target.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.target.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.target.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.target.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.target.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.target.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.target.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+
+## code_signature [_code_signature]
+
+These fields contain information about binary code signatures.
+
+**`code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+
+## container [_container]
+
+Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.
+
+**`container.cpu.usage`**
+:   Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000.
+
+type: scaled_float
+
+
+**`container.disk.read.bytes`**
+:   The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`container.disk.write.bytes`**
+:   The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`container.id`**
+:   Unique container id.
+
+type: keyword
+
+
+**`container.image.name`**
+:   Name of the image the container was built on.
+
+type: keyword
+
+
+**`container.image.tag`**
+:   Container image tags.
+
+type: keyword
+
+
+**`container.labels`**
+:   Image labels.
+
+type: object
+
+
+**`container.memory.usage`**
+:   Memory usage percentage and it ranges from 0 to 1. Scaling factor: 1000.
+
+type: scaled_float
+
+
+**`container.name`**
+:   Container name.
+
+type: keyword
+
+
+**`container.network.egress.bytes`**
+:   The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.
+
+type: long
+
+
+**`container.network.ingress.bytes`**
+:   The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.
+
+type: long
+
+
+**`container.runtime`**
+:   Runtime managing this container.
+
+type: keyword
+
+example: docker
+
+
+
+## data_stream [_data_stream]
+
+The data_stream fields take part in defining the new data stream naming scheme. In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this [blog post](https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme). An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional [restrictions](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-create).
+
+**`data_stream.dataset`**
+:   The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters
+
+type: constant_keyword
+
+example: nginx.access
+
+
+**`data_stream.namespace`**
+:   A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters
+
+type: constant_keyword
+
+example: production
+
+
+**`data_stream.type`**
+:   An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
+
+type: constant_keyword
+
+example: logs
+
+
+
+## destination [_destination]
+
+Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
+
+**`destination.address`**
+:   Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`destination.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`destination.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`destination.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`destination.bytes`**
+:   Bytes sent from the destination to the source.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`destination.domain`**
+:   The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`destination.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`destination.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`destination.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`destination.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`destination.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`destination.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`destination.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`destination.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`destination.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`destination.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`destination.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`destination.ip`**
+:   IP address of the destination (IPv4 or IPv6).
+
+type: ip
+
+
+**`destination.mac`**
+:   MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`destination.nat.ip`**
+:   Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`destination.nat.port`**
+:   Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`destination.packets`**
+:   Packets sent from the destination to the source.
+
+type: long
+
+example: 12
+
+
+**`destination.port`**
+:   Port of the destination.
+
+type: long
+
+format: string
+
+
+**`destination.registered_domain`**
+:   The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`destination.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`destination.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`destination.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`destination.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`destination.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`destination.user.full_name.text`**
+:   type: match_only_text
+
+
+**`destination.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`destination.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`destination.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`destination.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`destination.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`destination.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`destination.user.name.text`**
+:   type: match_only_text
+
+
+**`destination.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## dll [_dll]
+
+These fields contain information about code libraries dynamically loaded into processes.
+
+Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: * Dynamic-link library (`.dll`) commonly used on Windows * Shared Object (`.so`) commonly used on Unix-like operating systems * Dynamic library (`.dylib`) commonly used on macOS
+
+**`dll.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`dll.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`dll.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`dll.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`dll.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`dll.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`dll.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`dll.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`dll.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`dll.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`dll.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`dll.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`dll.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`dll.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`dll.name`**
+:   Name of the library. This generally maps to the name of the file on disk.
+
+type: keyword
+
+example: kernel32.dll
+
+
+**`dll.path`**
+:   Full file path of the library.
+
+type: keyword
+
+example: C:\Windows\System32\kernel32.dll
+
+
+**`dll.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`dll.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`dll.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`dll.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`dll.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`dll.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`dll.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+
+## dns [_dns]
+
+Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).
+
+**`dns.answers`**
+:   An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
+
+type: object
+
+
+**`dns.answers.class`**
+:   The class of DNS data contained in this resource record.
+
+type: keyword
+
+example: IN
+
+
+**`dns.answers.data`**
+:   The data describing the resource. The meaning of this data depends on the type and class of the resource record.
+
+type: keyword
+
+example: 10.10.10.10
+
+
+**`dns.answers.name`**
+:   The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s `name` should be the one that corresponds with the answer’s `data`. It should not simply be the original `question.name` repeated.
+
+type: keyword
+
+example: www.example.com
+
+
+**`dns.answers.ttl`**
+:   The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
+
+type: long
+
+example: 180
+
+
+**`dns.answers.type`**
+:   The type of data contained in this resource record.
+
+type: keyword
+
+example: CNAME
+
+
+**`dns.header_flags`**
+:   Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO.
+
+type: keyword
+
+example: ["RD", "RA"]
+
+
+**`dns.id`**
+:   The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+
+type: keyword
+
+example: 62111
+
+
+**`dns.op_code`**
+:   The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
+
+type: keyword
+
+example: QUERY
+
+
+**`dns.question.class`**
+:   The class of records being queried.
+
+type: keyword
+
+example: IN
+
+
+**`dns.question.name`**
+:   The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
+
+type: keyword
+
+example: www.example.com
+
+
+**`dns.question.registered_domain`**
+:   The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`dns.question.subdomain`**
+:   The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: www
+
+
+**`dns.question.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`dns.question.type`**
+:   The type of record being queried.
+
+type: keyword
+
+example: AAAA
+
+
+**`dns.resolved_ip`**
+:   Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
+
+type: ip
+
+example: ["10.10.10.10", "10.10.10.11"]
+
+
+**`dns.response_code`**
+:   The DNS response code.
+
+type: keyword
+
+example: NOERROR
+
+
+**`dns.type`**
+:   The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
+
+type: keyword
+
+example: answer
+
+
+
+## ecs [_ecs]
+
+Meta-information specific to ECS.
+
+**`ecs.version`**
+:   ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.
+
+type: keyword
+
+example: 1.0.0
+
+required: True
+
+
+
+## elf [_elf]
+
+These fields contain Linux Executable Linkable Format (ELF) metadata.
+
+**`elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+
+## error [_error]
+
+These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.
+
+**`error.code`**
+:   Error code describing the error.
+
+type: keyword
+
+
+**`error.id`**
+:   Unique identifier for the error.
+
+type: keyword
+
+
+**`error.message`**
+:   Error message.
+
+type: match_only_text
+
+
+**`error.stack_trace`**
+:   The stack trace of this error in plain text.
+
+type: wildcard
+
+
+**`error.stack_trace.text`**
+:   type: match_only_text
+
+
+**`error.type`**
+:   The type of the error, for example the class name of the exception.
+
+type: keyword
+
+example: java.lang.NullPointerException
+
+
+
+## event [_event]
+
+The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.
+
+**`event.action`**
+:   The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+
+type: keyword
+
+example: user-password-change
+
+
+**`event.agent_id_status`**
+:   Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent’s connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID.
+
+type: keyword
+
+example: verified
+
+
+**`event.category`**
+:   This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+
+type: keyword
+
+example: authentication
+
+
+**`event.code`**
+:   Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+
+type: keyword
+
+example: 4648
+
+
+**`event.created`**
+:   event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.
+
+type: date
+
+example: 2016-05-23T08:05:34.857Z
+
+
+**`event.dataset`**
+:   Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
+
+type: keyword
+
+example: apache.access
+
+
+**`event.duration`**
+:   Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.
+
+type: long
+
+format: duration
+
+
+**`event.end`**
+:   event.end contains the date when the event ended or when the activity was last observed.
+
+type: date
+
+
+**`event.hash`**
+:   Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+
+type: keyword
+
+example: 123456789012345678901234567890ABCD
+
+
+**`event.id`**
+:   Unique ID to describe the event.
+
+type: keyword
+
+example: 8a4f500d
+
+
+**`event.ingested`**
+:   Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred.  It’s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+
+type: date
+
+example: 2016-05-23T08:05:35.101Z
+
+
+**`event.kind`**
+:   This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+
+type: keyword
+
+example: alert
+
+
+**`event.module`**
+:   Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.
+
+type: keyword
+
+example: apache
+
+
+**`event.original`**
+:   Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+
+type: keyword
+
+example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
+
+Field is not indexed.
+
+
+**`event.outcome`**
+:   This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+
+type: keyword
+
+example: success
+
+
+**`event.provider`**
+:   Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+
+type: keyword
+
+example: kernel
+
+
+**`event.reason`**
+:   Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+
+type: keyword
+
+example: Terminated an unexpected process
+
+
+**`event.reference`**
+:   Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+type: keyword
+
+example: [https://system.example.com/event/#0001234](https://system.example.com/event/#0001234)
+
+
+**`event.risk_score`**
+:   Risk score or priority of the event (e.g. security solutions). Use your system’s original value here.
+
+type: float
+
+
+**`event.risk_score_norm`**
+:   Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
+
+type: float
+
+
+**`event.sequence`**
+:   Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
+
+type: long
+
+format: string
+
+
+**`event.severity`**
+:   The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+
+type: long
+
+example: 7
+
+format: string
+
+
+**`event.start`**
+:   event.start contains the date when the event started or when the activity was first observed.
+
+type: date
+
+
+**`event.timezone`**
+:   This field should be populated when the event’s timestamp does not include timezone information already (e.g. default Syslog timestamps). It’s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+
+type: keyword
+
+
+**`event.type`**
+:   This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+
+type: keyword
+
+
+**`event.url`**
+:   URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+type: keyword
+
+example: [https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe](https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe)
+
+
+
+## faas [_faas]
+
+The user fields describe information about the function as a service that is relevant to the event.
+
+**`faas.coldstart`**
+:   Boolean value indicating a cold start of a function.
+
+type: boolean
+
+
+**`faas.execution`**
+:   The execution ID of the current function execution.
+
+type: keyword
+
+example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
+
+
+**`faas.trigger`**
+:   Details about the function trigger.
+
+type: nested
+
+
+**`faas.trigger.request_id`**
+:   The ID of the trigger request , message, event, etc.
+
+type: keyword
+
+example: 123456789
+
+
+**`faas.trigger.type`**
+:   The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other
+
+type: keyword
+
+example: http
+
+
+
+## file [_file]
+
+A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
+
+**`file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`file.path.text`**
+:   type: match_only_text
+
+
+**`file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`file.target_path.text`**
+:   type: match_only_text
+
+
+**`file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+
+## geo [_geo]
+
+Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.
+
+**`geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+
+## group [_group]
+
+The group fields are meant to represent groups that are relevant to the event.
+
+**`group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+
+## hash [_hash]
+
+The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).
+
+**`hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+
+## host [_host]
+
+A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
+
+**`host.architecture`**
+:   Operating system architecture.
+
+type: keyword
+
+example: x86_64
+
+
+**`host.cpu.usage`**
+:   Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1.
+
+type: scaled_float
+
+
+**`host.disk.read.bytes`**
+:   The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`host.disk.write.bytes`**
+:   The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`host.domain`**
+:   Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider.
+
+type: keyword
+
+example: CONTOSO
+
+
+**`host.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`host.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`host.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`host.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`host.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`host.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`host.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`host.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`host.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`host.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`host.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`host.hostname`**
+:   Hostname of the host. It normally contains what the `hostname` command returns on the host machine.
+
+type: keyword
+
+
+**`host.id`**
+:   Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.
+
+type: keyword
+
+
+**`host.ip`**
+:   Host ip addresses.
+
+type: ip
+
+
+**`host.mac`**
+:   Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
+
+
+**`host.name`**
+:   Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+
+type: keyword
+
+
+**`host.network.egress.bytes`**
+:   The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.egress.packets`**
+:   The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.ingress.bytes`**
+:   The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.ingress.packets`**
+:   The number of packets (gauge) received on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`host.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`host.os.full.text`**
+:   type: match_only_text
+
+
+**`host.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`host.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`host.os.name.text`**
+:   type: match_only_text
+
+
+**`host.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`host.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`host.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`host.type`**
+:   Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
+
+type: keyword
+
+
+**`host.uptime`**
+:   Seconds the host has been up.
+
+type: long
+
+example: 1325
+
+
+
+## http [_http]
+
+Fields related to HTTP activity. Use the `url` field set to store the url of the request.
+
+**`http.request.body.bytes`**
+:   Size in bytes of the request body.
+
+type: long
+
+example: 887
+
+format: bytes
+
+
+**`http.request.body.content`**
+:   The full HTTP request body.
+
+type: wildcard
+
+example: Hello world
+
+
+**`http.request.body.content.text`**
+:   type: match_only_text
+
+
+**`http.request.bytes`**
+:   Total size in bytes of the request (body and headers).
+
+type: long
+
+example: 1437
+
+format: bytes
+
+
+**`http.request.id`**
+:   A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`.
+
+type: keyword
+
+example: 123e4567-e89b-12d3-a456-426614174000
+
+
+**`http.request.method`**
+:   HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+
+type: keyword
+
+example: POST
+
+
+**`http.request.mime_type`**
+:   Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request’s Content-Type header can be helpful in detecting threats or misconfigured clients.
+
+type: keyword
+
+example: image/gif
+
+
+**`http.request.referrer`**
+:   Referrer for this HTTP request.
+
+type: keyword
+
+example: [https://blog.example.com/](https://blog.example.com/)
+
+
+**`http.response.body.bytes`**
+:   Size in bytes of the response body.
+
+type: long
+
+example: 887
+
+format: bytes
+
+
+**`http.response.body.content`**
+:   The full HTTP response body.
+
+type: wildcard
+
+example: Hello world
+
+
+**`http.response.body.content.text`**
+:   type: match_only_text
+
+
+**`http.response.bytes`**
+:   Total size in bytes of the response (body and headers).
+
+type: long
+
+example: 1437
+
+format: bytes
+
+
+**`http.response.mime_type`**
+:   Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response’s Content-Type header can be helpful in detecting misconfigured servers.
+
+type: keyword
+
+example: image/gif
+
+
+**`http.response.status_code`**
+:   HTTP response status code.
+
+type: long
+
+example: 404
+
+format: string
+
+
+**`http.version`**
+:   HTTP version.
+
+type: keyword
+
+example: 1.1
+
+
+
+## interface [_interface]
+
+The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection.  In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.
+
+**`interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+
+## log [_log]
+
+Details about the event’s logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields.
+
+**`log.file.path`**
+:   Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field.
+
+type: keyword
+
+example: /var/log/fun-times.log
+
+
+**`log.level`**
+:   Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`.
+
+type: keyword
+
+example: error
+
+
+**`log.logger`**
+:   The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+
+type: keyword
+
+example: org.elasticsearch.bootstrap.Bootstrap
+
+
+**`log.origin.file.line`**
+:   The line number of the file containing the source code which originated the log event.
+
+type: long
+
+example: 42
+
+
+**`log.origin.file.name`**
+:   The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.
+
+type: keyword
+
+example: Bootstrap.java
+
+
+**`log.origin.function`**
+:   The name of the function or method which originated the log event.
+
+type: keyword
+
+example: init
+
+
+**`log.syslog`**
+:   The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
+
+type: object
+
+
+**`log.syslog.facility.code`**
+:   The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+
+type: long
+
+example: 23
+
+format: string
+
+
+**`log.syslog.facility.name`**
+:   The Syslog text-based facility of the log event, if available.
+
+type: keyword
+
+example: local7
+
+
+**`log.syslog.priority`**
+:   Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+
+type: long
+
+example: 135
+
+format: string
+
+
+**`log.syslog.severity.code`**
+:   The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source’s numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+
+type: long
+
+example: 3
+
+
+**`log.syslog.severity.name`**
+:   The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source’s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
+
+type: keyword
+
+example: Error
+
+
+
+## network [_network]
+
+The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.
+
+**`network.application`**
+:   When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: aim
+
+
+**`network.bytes`**
+:   Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+
+type: long
+
+example: 368
+
+format: bytes
+
+
+**`network.community_id`**
+:   A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at [https://github.com/corelight/community-id-spec](https://github.com/corelight/community-id-spec).
+
+type: keyword
+
+example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
+
+
+**`network.direction`**
+:   Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown
+
+When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+
+type: keyword
+
+example: inbound
+
+
+**`network.forwarded_ip`**
+:   Host IP address when the source IP address is the proxy.
+
+type: ip
+
+example: 192.1.1.2
+
+
+**`network.iana_number`**
+:   IANA Protocol Number ([https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+
+type: keyword
+
+example: 6
+
+
+**`network.inner`**
+:   Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
+
+type: object
+
+
+**`network.inner.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`network.inner.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`network.name`**
+:   Name given by operators to sections of their network.
+
+type: keyword
+
+example: Guest Wifi
+
+
+**`network.packets`**
+:   Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+
+type: long
+
+example: 24
+
+
+**`network.protocol`**
+:   In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: http
+
+
+**`network.transport`**
+:   Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: tcp
+
+
+**`network.type`**
+:   In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: ipv4
+
+
+**`network.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`network.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+
+## observer [_observer]
+
+An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
+
+**`observer.egress`**
+:   Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
+
+type: object
+
+
+**`observer.egress.interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`observer.egress.interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`observer.egress.interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+**`observer.egress.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`observer.egress.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`observer.egress.zone`**
+:   Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
+
+type: keyword
+
+example: Public_Internet
+
+
+**`observer.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`observer.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`observer.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`observer.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`observer.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`observer.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`observer.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`observer.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`observer.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`observer.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`observer.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`observer.hostname`**
+:   Hostname of the observer.
+
+type: keyword
+
+
+**`observer.ingress`**
+:   Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
+
+type: object
+
+
+**`observer.ingress.interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`observer.ingress.interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`observer.ingress.interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+**`observer.ingress.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`observer.ingress.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`observer.ingress.zone`**
+:   Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
+
+type: keyword
+
+example: DMZ
+
+
+**`observer.ip`**
+:   IP addresses of the observer.
+
+type: ip
+
+
+**`observer.mac`**
+:   MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
+
+
+**`observer.name`**
+:   Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.
+
+type: keyword
+
+example: 1_proxySG
+
+
+**`observer.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`observer.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`observer.os.full.text`**
+:   type: match_only_text
+
+
+**`observer.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`observer.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`observer.os.name.text`**
+:   type: match_only_text
+
+
+**`observer.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`observer.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`observer.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`observer.product`**
+:   The product name of the observer.
+
+type: keyword
+
+example: s200
+
+
+**`observer.serial_number`**
+:   Observer serial number.
+
+type: keyword
+
+
+**`observer.type`**
+:   The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+
+type: keyword
+
+example: firewall
+
+
+**`observer.vendor`**
+:   Vendor name of the observer.
+
+type: keyword
+
+example: Symantec
+
+
+**`observer.version`**
+:   Observer version.
+
+type: keyword
+
+
+
+## orchestrator [_orchestrator]
+
+Fields that describe the resources which container orchestrators manage or act upon.
+
+**`orchestrator.api_version`**
+:   API version being used to carry out the action
+
+type: keyword
+
+example: v1beta1
+
+
+**`orchestrator.cluster.name`**
+:   Name of the cluster.
+
+type: keyword
+
+
+**`orchestrator.cluster.url`**
+:   URL of the API used to manage the cluster.
+
+type: keyword
+
+
+**`orchestrator.cluster.version`**
+:   The version of the cluster.
+
+type: keyword
+
+
+**`orchestrator.namespace`**
+:   Namespace in which the action is taking place.
+
+type: keyword
+
+example: kube-system
+
+
+**`orchestrator.organization`**
+:   Organization affected by the event (for multi-tenant orchestrator setups).
+
+type: keyword
+
+example: elastic
+
+
+**`orchestrator.resource.name`**
+:   Name of the resource being acted upon.
+
+type: keyword
+
+example: test-pod-cdcws
+
+
+**`orchestrator.resource.type`**
+:   Type of resource being acted upon.
+
+type: keyword
+
+example: service
+
+
+**`orchestrator.type`**
+:   Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
+
+type: keyword
+
+example: kubernetes
+
+
+
+## organization [_organization]
+
+The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.
+
+**`organization.id`**
+:   Unique identifier for the organization.
+
+type: keyword
+
+
+**`organization.name`**
+:   Organization name.
+
+type: keyword
+
+
+**`organization.name.text`**
+:   type: match_only_text
+
+
+
+## os [_os]
+
+The OS fields contain information about the operating system.
+
+**`os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`os.full.text`**
+:   type: match_only_text
+
+
+**`os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`os.name.text`**
+:   type: match_only_text
+
+
+**`os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+
+## package [_package]
+
+These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
+
+**`package.architecture`**
+:   Package architecture.
+
+type: keyword
+
+example: x86_64
+
+
+**`package.build_version`**
+:   Additional information about the build version of the installed package. For example use the commit SHA of a non-released package.
+
+type: keyword
+
+example: 36f4f7e89dd61b0988b12ee000b98966867710cd
+
+
+**`package.checksum`**
+:   Checksum of the installed package for verification.
+
+type: keyword
+
+example: 68b329da9893e34099c7d8ad5cb9c940
+
+
+**`package.description`**
+:   Description of the package.
+
+type: keyword
+
+example: Open source programming language to build simple/reliable/efficient software.
+
+
+**`package.install_scope`**
+:   Indicating how the package was installed, e.g. user-local, global.
+
+type: keyword
+
+example: global
+
+
+**`package.installed`**
+:   Time when package was installed.
+
+type: date
+
+
+**`package.license`**
+:   License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible ([https://spdx.org/licenses/](https://spdx.org/licenses/)).
+
+type: keyword
+
+example: Apache License 2.0
+
+
+**`package.name`**
+:   Package name
+
+type: keyword
+
+example: go
+
+
+**`package.path`**
+:   Path where the package is installed.
+
+type: keyword
+
+example: /usr/local/Cellar/go/1.12.9/
+
+
+**`package.reference`**
+:   Home page or reference URL of the software in this package, if available.
+
+type: keyword
+
+example: [https://golang.org](https://golang.org)
+
+
+**`package.size`**
+:   Package size in bytes.
+
+type: long
+
+example: 62231
+
+format: string
+
+
+**`package.type`**
+:   Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.
+
+type: keyword
+
+example: rpm
+
+
+**`package.version`**
+:   Package version
+
+type: keyword
+
+example: 1.12.9
+
+
+
+## pe [_pe]
+
+These fields contain Windows Portable Executable (PE) metadata.
+
+**`pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+
+## process [_process]
+
+These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message.  The `process.pid` often stays in the metric itself and is copied to the global field for correlation.
+
+**`process.args`**
+:   Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
+
+type: keyword
+
+example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
+
+
+**`process.args_count`**
+:   Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
+
+type: long
+
+example: 4
+
+
+**`process.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`process.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`process.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`process.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`process.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`process.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`process.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`process.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`process.command_line`**
+:   Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
+
+type: wildcard
+
+example: /usr/bin/ssh -l user 10.0.0.16
+
+
+**`process.command_line.text`**
+:   type: match_only_text
+
+
+**`process.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`process.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`process.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`process.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`process.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`process.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`process.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`process.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`process.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`process.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`process.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`process.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`process.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`process.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`process.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`process.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`process.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`process.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`process.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`process.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`process.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`process.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`process.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`process.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`process.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`process.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`process.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`process.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`process.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`process.end`**
+:   The time the process ended.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.entity_id`**
+:   Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+
+type: keyword
+
+example: c2c455d9f99375d
+
+
+**`process.executable`**
+:   Absolute path to the process executable.
+
+type: keyword
+
+example: /usr/bin/ssh
+
+
+**`process.executable.text`**
+:   type: match_only_text
+
+
+**`process.exit_code`**
+:   The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
+
+type: long
+
+example: 137
+
+
+**`process.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`process.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`process.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`process.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`process.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`process.name`**
+:   Process name. Sometimes called program name or similar.
+
+type: keyword
+
+example: ssh
+
+
+**`process.name.text`**
+:   type: match_only_text
+
+
+**`process.parent.args`**
+:   Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
+
+type: keyword
+
+example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
+
+
+**`process.parent.args_count`**
+:   Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
+
+type: long
+
+example: 4
+
+
+**`process.parent.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`process.parent.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`process.parent.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`process.parent.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.parent.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`process.parent.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`process.parent.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.command_line`**
+:   Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
+
+type: wildcard
+
+example: /usr/bin/ssh -l user 10.0.0.16
+
+
+**`process.parent.command_line.text`**
+:   type: match_only_text
+
+
+**`process.parent.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`process.parent.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`process.parent.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`process.parent.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`process.parent.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`process.parent.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`process.parent.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`process.parent.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`process.parent.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`process.parent.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`process.parent.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`process.parent.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`process.parent.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`process.parent.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`process.parent.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`process.parent.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`process.parent.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`process.parent.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`process.parent.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`process.parent.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`process.parent.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`process.parent.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`process.parent.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`process.parent.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`process.parent.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`process.parent.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`process.parent.end`**
+:   The time the process ended.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.parent.entity_id`**
+:   Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+
+type: keyword
+
+example: c2c455d9f99375d
+
+
+**`process.parent.executable`**
+:   Absolute path to the process executable.
+
+type: keyword
+
+example: /usr/bin/ssh
+
+
+**`process.parent.executable.text`**
+:   type: match_only_text
+
+
+**`process.parent.exit_code`**
+:   The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
+
+type: long
+
+example: 137
+
+
+**`process.parent.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`process.parent.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`process.parent.name`**
+:   Process name. Sometimes called program name or similar.
+
+type: keyword
+
+example: ssh
+
+
+**`process.parent.name.text`**
+:   type: match_only_text
+
+
+**`process.parent.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`process.parent.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.parent.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`process.parent.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`process.parent.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`process.parent.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`process.parent.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`process.parent.pgid`**
+:   Identifier of the group of processes the process belongs to.
+
+type: long
+
+format: string
+
+
+**`process.parent.pid`**
+:   Process id.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.parent.start`**
+:   The time the process started.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.parent.thread.id`**
+:   Thread ID.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.parent.thread.name`**
+:   Thread name.
+
+type: keyword
+
+example: thread-0
+
+
+**`process.parent.title`**
+:   Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+
+type: keyword
+
+
+**`process.parent.title.text`**
+:   type: match_only_text
+
+
+**`process.parent.uptime`**
+:   Seconds the process has been up.
+
+type: long
+
+example: 1325
+
+
+**`process.parent.working_directory`**
+:   The working directory of the process.
+
+type: keyword
+
+example: /home/alice
+
+
+**`process.parent.working_directory.text`**
+:   type: match_only_text
+
+
+**`process.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`process.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`process.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`process.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`process.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`process.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`process.pgid`**
+:   Identifier of the group of processes the process belongs to.
+
+type: long
+
+format: string
+
+
+**`process.pid`**
+:   Process id.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.start`**
+:   The time the process started.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.thread.id`**
+:   Thread ID.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.thread.name`**
+:   Thread name.
+
+type: keyword
+
+example: thread-0
+
+
+**`process.title`**
+:   Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+
+type: keyword
+
+
+**`process.title.text`**
+:   type: match_only_text
+
+
+**`process.uptime`**
+:   Seconds the process has been up.
+
+type: long
+
+example: 1325
+
+
+**`process.working_directory`**
+:   The working directory of the process.
+
+type: keyword
+
+example: /home/alice
+
+
+**`process.working_directory.text`**
+:   type: match_only_text
+
+
+
+## registry [_registry]
+
+Fields related to Windows Registry operations.
+
+**`registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+
+## related [_related]
+
+This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.
+
+**`related.hash`**
+:   All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search).
+
+type: keyword
+
+
+**`related.hosts`**
+:   All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+
+type: keyword
+
+
+**`related.ip`**
+:   All of the IPs seen on your event.
+
+type: ip
+
+
+**`related.user`**
+:   All the user names or other user identifiers seen on the event.
+
+type: keyword
+
+
+
+## rule [_rule]
+
+Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.
+
+**`rule.author`**
+:   Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
+
+type: keyword
+
+example: ["Star-Lord"]
+
+
+**`rule.category`**
+:   A categorization value keyword used by the entity using the rule for detection of this event.
+
+type: keyword
+
+example: Attempted Information Leak
+
+
+**`rule.description`**
+:   The description of the rule generating the event.
+
+type: keyword
+
+example: Block requests to public DNS over HTTPS / TLS protocols
+
+
+**`rule.id`**
+:   A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+
+type: keyword
+
+example: 101
+
+
+**`rule.license`**
+:   Name of the license under which the rule used to generate this event is made available.
+
+type: keyword
+
+example: Apache 2.0
+
+
+**`rule.name`**
+:   The name of the rule or signature generating the event.
+
+type: keyword
+
+example: BLOCK_DNS_over_TLS
+
+
+**`rule.reference`**
+:   Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert.
+
+type: keyword
+
+example: [https://en.wikipedia.org/wiki/DNS_over_TLS](https://en.wikipedia.org/wiki/DNS_over_TLS)
+
+
+**`rule.ruleset`**
+:   Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
+
+type: keyword
+
+example: Standard_Protocol_Filters
+
+
+**`rule.uuid`**
+:   A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
+
+type: keyword
+
+example: 1100110011
+
+
+**`rule.version`**
+:   The version / revision of the rule being used for analysis.
+
+type: keyword
+
+example: 1.1
+
+
+
+## server [_server]
+
+A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
+
+**`server.address`**
+:   Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`server.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`server.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`server.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`server.bytes`**
+:   Bytes sent from the server to the client.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`server.domain`**
+:   The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`server.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`server.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`server.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`server.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`server.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`server.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`server.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`server.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`server.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`server.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`server.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`server.ip`**
+:   IP address of the server (IPv4 or IPv6).
+
+type: ip
+
+
+**`server.mac`**
+:   MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`server.nat.ip`**
+:   Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`server.nat.port`**
+:   Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`server.packets`**
+:   Packets sent from the server to the client.
+
+type: long
+
+example: 12
+
+
+**`server.port`**
+:   Port of the server.
+
+type: long
+
+format: string
+
+
+**`server.registered_domain`**
+:   The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`server.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`server.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`server.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`server.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`server.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`server.user.full_name.text`**
+:   type: match_only_text
+
+
+**`server.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`server.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`server.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`server.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`server.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`server.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`server.user.name.text`**
+:   type: match_only_text
+
+
+**`server.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## service [_service]
+
+The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.
+
+**`service.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.origin.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.origin.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.origin.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.origin.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.origin.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.origin.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.origin.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.origin.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.origin.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+**`service.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.target.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.target.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.target.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.target.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.target.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.target.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.target.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.target.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.target.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+**`service.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+
+## source [_source]
+
+Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
+
+**`source.address`**
+:   Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`source.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`source.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`source.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`source.bytes`**
+:   Bytes sent from the source to the destination.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`source.domain`**
+:   The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`source.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`source.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`source.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`source.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`source.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`source.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`source.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`source.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`source.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`source.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`source.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`source.ip`**
+:   IP address of the source (IPv4 or IPv6).
+
+type: ip
+
+
+**`source.mac`**
+:   MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`source.nat.ip`**
+:   Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`source.nat.port`**
+:   Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`source.packets`**
+:   Packets sent from the source to the destination.
+
+type: long
+
+example: 12
+
+
+**`source.port`**
+:   Port of the source.
+
+type: long
+
+format: string
+
+
+**`source.registered_domain`**
+:   The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`source.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`source.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`source.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`source.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`source.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`source.user.full_name.text`**
+:   type: match_only_text
+
+
+**`source.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`source.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`source.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`source.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`source.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`source.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`source.user.name.text`**
+:   type: match_only_text
+
+
+**`source.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## threat [_threat]
+
+Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
+
+**`threat.enrichments`**
+:   A list of associated indicators objects enriching the event, and the context of that association/enrichment.
+
+type: nested
+
+
+**`threat.enrichments.indicator`**
+:   Object containing associated indicators enriching the event.
+
+type: object
+
+
+**`threat.enrichments.indicator.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`threat.enrichments.indicator.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`threat.enrichments.indicator.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.confidence`**
+:   Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High
+
+type: keyword
+
+example: Medium
+
+
+**`threat.enrichments.indicator.description`**
+:   Describes the type of action conducted by the threat.
+
+type: keyword
+
+example: IP x.x.x.x was observed delivering the Angler EK.
+
+
+**`threat.enrichments.indicator.email.address`**
+:   Identifies a threat indicator as an email address (irrespective of direction).
+
+type: keyword
+
+example: `phish@example.com`
+
+
+**`threat.enrichments.indicator.file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`threat.enrichments.indicator.file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`threat.enrichments.indicator.file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`threat.enrichments.indicator.file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`threat.enrichments.indicator.file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.enrichments.indicator.file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`threat.enrichments.indicator.file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`threat.enrichments.indicator.file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`threat.enrichments.indicator.file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`threat.enrichments.indicator.file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`threat.enrichments.indicator.file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`threat.enrichments.indicator.file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`threat.enrichments.indicator.file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`threat.enrichments.indicator.file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`threat.enrichments.indicator.file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`threat.enrichments.indicator.file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`threat.enrichments.indicator.file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`threat.enrichments.indicator.file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`threat.enrichments.indicator.file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`threat.enrichments.indicator.file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`threat.enrichments.indicator.file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.enrichments.indicator.file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`threat.enrichments.indicator.file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.enrichments.indicator.file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`threat.enrichments.indicator.file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`threat.enrichments.indicator.file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`threat.enrichments.indicator.file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`threat.enrichments.indicator.file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`threat.enrichments.indicator.file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`threat.enrichments.indicator.file.path.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`threat.enrichments.indicator.file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.enrichments.indicator.file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`threat.enrichments.indicator.file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`threat.enrichments.indicator.file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`threat.enrichments.indicator.file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`threat.enrichments.indicator.file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`threat.enrichments.indicator.file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`threat.enrichments.indicator.file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.target_path.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`threat.enrichments.indicator.file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.enrichments.indicator.file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.enrichments.indicator.file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.enrichments.indicator.file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.enrichments.indicator.file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.enrichments.indicator.file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.enrichments.indicator.file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.enrichments.indicator.file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.enrichments.indicator.file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.enrichments.indicator.file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.enrichments.indicator.file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.enrichments.indicator.file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.enrichments.indicator.file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.enrichments.indicator.file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.enrichments.indicator.file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.enrichments.indicator.file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.enrichments.indicator.file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.enrichments.indicator.file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.enrichments.indicator.first_seen`**
+:   The date and time when intelligence source first reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`threat.enrichments.indicator.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`threat.enrichments.indicator.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`threat.enrichments.indicator.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`threat.enrichments.indicator.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`threat.enrichments.indicator.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`threat.enrichments.indicator.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`threat.enrichments.indicator.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`threat.enrichments.indicator.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`threat.enrichments.indicator.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`threat.enrichments.indicator.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`threat.enrichments.indicator.ip`**
+:   Identifies a threat indicator as an IP address (irrespective of direction).
+
+type: ip
+
+example: 1.2.3.4
+
+
+**`threat.enrichments.indicator.last_seen`**
+:   The date and time when intelligence source last reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.marking.tlp`**
+:   Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED
+
+type: keyword
+
+example: White
+
+
+**`threat.enrichments.indicator.modified_at`**
+:   The date and time when intelligence source last modified information for this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.port`**
+:   Identifies a threat indicator as a port number (irrespective of direction).
+
+type: long
+
+example: 443
+
+
+**`threat.enrichments.indicator.provider`**
+:   The name of the indicator’s provider.
+
+type: keyword
+
+example: lrz_urlhaus
+
+
+**`threat.enrichments.indicator.reference`**
+:   Reference URL linking to additional information about this indicator.
+
+type: keyword
+
+example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234)
+
+
+**`threat.enrichments.indicator.registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`threat.enrichments.indicator.registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`threat.enrichments.indicator.registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`threat.enrichments.indicator.registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`threat.enrichments.indicator.registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`threat.enrichments.indicator.registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`threat.enrichments.indicator.registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+**`threat.enrichments.indicator.scanner_stats`**
+:   Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+type: long
+
+example: 4
+
+
+**`threat.enrichments.indicator.sightings`**
+:   Number of times this indicator was observed conducting threat activity.
+
+type: long
+
+example: 20
+
+
+**`threat.enrichments.indicator.type`**
+:   Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate
+
+type: keyword
+
+example: ipv4-addr
+
+
+**`threat.enrichments.indicator.url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`threat.enrichments.indicator.url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.enrichments.indicator.url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`threat.enrichments.indicator.url.full.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`threat.enrichments.indicator.url.original.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`threat.enrichments.indicator.url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`threat.enrichments.indicator.url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`threat.enrichments.indicator.url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`threat.enrichments.indicator.url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`threat.enrichments.indicator.url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`threat.enrichments.indicator.url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.enrichments.indicator.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.enrichments.indicator.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.enrichments.indicator.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.enrichments.indicator.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.enrichments.indicator.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.enrichments.indicator.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.enrichments.indicator.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.enrichments.indicator.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.enrichments.indicator.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.enrichments.indicator.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.enrichments.indicator.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.enrichments.indicator.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.enrichments.indicator.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.enrichments.indicator.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.enrichments.indicator.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.enrichments.indicator.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.enrichments.matched.atomic`**
+:   Identifies the atomic indicator value that matched a local environment endpoint or network event.
+
+type: keyword
+
+example: bad-domain.com
+
+
+**`threat.enrichments.matched.field`**
+:   Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
+
+type: keyword
+
+example: file.hash.sha256
+
+
+**`threat.enrichments.matched.id`**
+:   Identifies the _id of the indicator document enriching the event.
+
+type: keyword
+
+example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
+
+
+**`threat.enrichments.matched.index`**
+:   Identifies the _index of the indicator document enriching the event.
+
+type: keyword
+
+example: filebeat-8.0.0-2021.05.23-000011
+
+
+**`threat.enrichments.matched.type`**
+:   Identifies the type of match that caused the event to be enriched with the given indicator
+
+type: keyword
+
+example: indicator_match_rule
+
+
+**`threat.framework`**
+:   Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
+
+type: keyword
+
+example: MITRE ATT&CK
+
+
+**`threat.group.alias`**
+:   The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es).
+
+type: keyword
+
+example: [ "Magecart Group 6" ]
+
+
+**`threat.group.id`**
+:   The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id.
+
+type: keyword
+
+example: G0037
+
+
+**`threat.group.name`**
+:   The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name.
+
+type: keyword
+
+example: FIN6
+
+
+**`threat.group.reference`**
+:   The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL.
+
+type: keyword
+
+example: [https://attack.mitre.org/groups/G0037/](https://attack.mitre.org/groups/G0037/)
+
+
+**`threat.indicator.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`threat.indicator.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`threat.indicator.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.confidence`**
+:   Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High
+
+type: keyword
+
+example: Medium
+
+
+**`threat.indicator.description`**
+:   Describes the type of action conducted by the threat.
+
+type: keyword
+
+example: IP x.x.x.x was observed delivering the Angler EK.
+
+
+**`threat.indicator.email.address`**
+:   Identifies a threat indicator as an email address (irrespective of direction).
+
+type: keyword
+
+example: `phish@example.com`
+
+
+**`threat.indicator.file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`threat.indicator.file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`threat.indicator.file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`threat.indicator.file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`threat.indicator.file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`threat.indicator.file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.indicator.file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`threat.indicator.file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`threat.indicator.file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`threat.indicator.file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`threat.indicator.file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`threat.indicator.file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`threat.indicator.file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`threat.indicator.file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`threat.indicator.file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`threat.indicator.file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`threat.indicator.file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`threat.indicator.file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`threat.indicator.file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`threat.indicator.file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`threat.indicator.file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`threat.indicator.file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`threat.indicator.file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`threat.indicator.file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`threat.indicator.file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.indicator.file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`threat.indicator.file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.indicator.file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`threat.indicator.file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`threat.indicator.file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`threat.indicator.file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`threat.indicator.file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`threat.indicator.file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`threat.indicator.file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`threat.indicator.file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`threat.indicator.file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`threat.indicator.file.path.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`threat.indicator.file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.indicator.file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`threat.indicator.file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`threat.indicator.file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`threat.indicator.file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`threat.indicator.file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`threat.indicator.file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`threat.indicator.file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`threat.indicator.file.target_path.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`threat.indicator.file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.indicator.file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.indicator.file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.indicator.file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.indicator.file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.indicator.file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.indicator.file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.indicator.file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.indicator.file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.indicator.file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.indicator.file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.indicator.file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.indicator.file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.indicator.file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.indicator.file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.indicator.file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.indicator.file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.indicator.file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.indicator.file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.indicator.first_seen`**
+:   The date and time when intelligence source first reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`threat.indicator.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`threat.indicator.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`threat.indicator.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`threat.indicator.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`threat.indicator.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`threat.indicator.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`threat.indicator.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`threat.indicator.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`threat.indicator.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`threat.indicator.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`threat.indicator.ip`**
+:   Identifies a threat indicator as an IP address (irrespective of direction).
+
+type: ip
+
+example: 1.2.3.4
+
+
+**`threat.indicator.last_seen`**
+:   The date and time when intelligence source last reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.marking.tlp`**
+:   Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED
+
+type: keyword
+
+example: WHITE
+
+
+**`threat.indicator.modified_at`**
+:   The date and time when intelligence source last modified information for this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.port`**
+:   Identifies a threat indicator as a port number (irrespective of direction).
+
+type: long
+
+example: 443
+
+
+**`threat.indicator.provider`**
+:   The name of the indicator’s provider.
+
+type: keyword
+
+example: lrz_urlhaus
+
+
+**`threat.indicator.reference`**
+:   Reference URL linking to additional information about this indicator.
+
+type: keyword
+
+example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234)
+
+
+**`threat.indicator.registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`threat.indicator.registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`threat.indicator.registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`threat.indicator.registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`threat.indicator.registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`threat.indicator.registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`threat.indicator.registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+**`threat.indicator.scanner_stats`**
+:   Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+type: long
+
+example: 4
+
+
+**`threat.indicator.sightings`**
+:   Number of times this indicator was observed conducting threat activity.
+
+type: long
+
+example: 20
+
+
+**`threat.indicator.type`**
+:   Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate
+
+type: keyword
+
+example: ipv4-addr
+
+
+**`threat.indicator.url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`threat.indicator.url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.indicator.url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`threat.indicator.url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`threat.indicator.url.full.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`threat.indicator.url.original.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`threat.indicator.url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`threat.indicator.url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`threat.indicator.url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`threat.indicator.url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`threat.indicator.url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`threat.indicator.url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`threat.indicator.url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`threat.indicator.url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+**`threat.indicator.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.indicator.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.indicator.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.indicator.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.indicator.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.indicator.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.indicator.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.indicator.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.indicator.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.indicator.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.indicator.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.indicator.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.indicator.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.indicator.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.indicator.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.indicator.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.indicator.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.indicator.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.software.alias`**
+:   The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description.
+
+type: keyword
+
+example: [ "X-Agent" ]
+
+
+**`threat.software.id`**
+:   The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id.
+
+type: keyword
+
+example: S0552
+
+
+**`threat.software.name`**
+:   The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name.
+
+type: keyword
+
+example: AdFind
+
+
+**`threat.software.platforms`**
+:   The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows
+
+While not required, you can use a MITRE ATT&CK® software platforms.
+
+type: keyword
+
+example: [ "Windows" ]
+
+
+**`threat.software.reference`**
+:   The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL.
+
+type: keyword
+
+example: [https://attack.mitre.org/software/S0552/](https://attack.mitre.org/software/S0552/)
+
+
+**`threat.software.type`**
+:   The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool
+
+```
+While not required, you can use a MITRE ATT&CK® software type.
+```
+type: keyword
+
+example: Tool
+
+
+**`threat.tactic.id`**
+:   The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) )
+
+type: keyword
+
+example: TA0002
+
+
+**`threat.tactic.name`**
+:   Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/))
+
+type: keyword
+
+example: Execution
+
+
+**`threat.tactic.reference`**
+:   The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) )
+
+type: keyword
+
+example: [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)
+
+
+**`threat.technique.id`**
+:   The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: T1059
+
+
+**`threat.technique.name`**
+:   The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: Command and Scripting Interpreter
+
+
+**`threat.technique.name.text`**
+:   type: match_only_text
+
+
+**`threat.technique.reference`**
+:   The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)
+
+
+**`threat.technique.subtechnique.id`**
+:   The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: T1059.001
+
+
+**`threat.technique.subtechnique.name`**
+:   The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: PowerShell
+
+
+**`threat.technique.subtechnique.name.text`**
+:   type: match_only_text
+
+
+**`threat.technique.subtechnique.reference`**
+:   The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)
+
+
+
+## tls [_tls]
+
+Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.
+
+**`tls.cipher`**
+:   String indicating the cipher used during the current connection.
+
+type: keyword
+
+example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+
+
+**`tls.client.certificate`**
+:   PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII…​
+
+
+**`tls.client.certificate_chain`**
+:   Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ["MII…​", "MII…​"]
+
+
+**`tls.client.hash.md5`**
+:   Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+
+**`tls.client.hash.sha1`**
+:   Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+
+**`tls.client.hash.sha256`**
+:   Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+
+**`tls.client.issuer`**
+:   Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.client.ja3`**
+:   A hash that identifies clients based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: d4e5b18d6b55c71272893221c96ba240
+
+
+**`tls.client.not_after`**
+:   Date/Time indicating when client certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+
+**`tls.client.not_before`**
+:   Date/Time indicating when client certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+
+**`tls.client.server_name`**
+:   Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`tls.client.subject`**
+:   Distinguished name of subject of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=myclient, OU=Documentation Team, DC=example, DC=com
+
+
+**`tls.client.supported_ciphers`**
+:   Array of ciphers offered by the client during the client hello.
+
+type: keyword
+
+example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "…​"]
+
+
+**`tls.client.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`tls.client.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`tls.client.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`tls.client.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`tls.client.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`tls.client.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`tls.client.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`tls.client.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.client.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`tls.client.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`tls.client.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`tls.client.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`tls.client.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`tls.client.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`tls.client.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`tls.client.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`tls.client.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`tls.client.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`tls.client.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`tls.client.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`tls.client.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`tls.client.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`tls.client.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.client.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`tls.curve`**
+:   String indicating the curve used for the given cipher, when applicable.
+
+type: keyword
+
+example: secp256r1
+
+
+**`tls.established`**
+:   Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+
+type: boolean
+
+
+**`tls.next_protocol`**
+:   String indicating the protocol being tunneled. Per the values in the IANA registry ([https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids)), this string should be lower case.
+
+type: keyword
+
+example: http/1.1
+
+
+**`tls.resumed`**
+:   Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+
+type: boolean
+
+
+**`tls.server.certificate`**
+:   PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII…​
+
+
+**`tls.server.certificate_chain`**
+:   Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ["MII…​", "MII…​"]
+
+
+**`tls.server.hash.md5`**
+:   Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+
+**`tls.server.hash.sha1`**
+:   Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+
+**`tls.server.hash.sha256`**
+:   Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+
+**`tls.server.issuer`**
+:   Subject of the issuer of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.server.ja3s`**
+:   A hash that identifies servers based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: 394441ab65754e2207b1e1b457b3641d
+
+
+**`tls.server.not_after`**
+:   Timestamp indicating when server certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+
+**`tls.server.not_before`**
+:   Timestamp indicating when server certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+
+**`tls.server.subject`**
+:   Subject of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.server.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`tls.server.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`tls.server.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`tls.server.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`tls.server.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`tls.server.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`tls.server.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`tls.server.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.server.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`tls.server.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`tls.server.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`tls.server.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`tls.server.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`tls.server.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`tls.server.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`tls.server.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`tls.server.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`tls.server.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`tls.server.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`tls.server.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`tls.server.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`tls.server.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`tls.server.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.server.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`tls.version`**
+:   Numeric part of the version parsed from the original string.
+
+type: keyword
+
+example: 1.2
+
+
+**`tls.version_protocol`**
+:   Normalized lowercase protocol name parsed from original string.
+
+type: keyword
+
+example: tls
+
+
+**`span.id`**
+:   Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query.
+
+type: keyword
+
+example: 3ff9a8981b7ccd5a
+
+
+**`trace.id`**
+:   Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
+
+type: keyword
+
+example: 4bf92f3577b34da6a3ce929d0e0e4736
+
+
+**`transaction.id`**
+:   Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server.
+
+type: keyword
+
+example: 00f067aa0ba902b7
+
+
+
+## url [_url]
+
+URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.
+
+**`url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`url.full.text`**
+:   type: match_only_text
+
+
+**`url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`url.original.text`**
+:   type: match_only_text
+
+
+**`url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+
+## user [_user]
+
+The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
+
+**`user.changes.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.changes.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.changes.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.changes.full_name.text`**
+:   type: match_only_text
+
+
+**`user.changes.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.changes.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.changes.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.changes.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.changes.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.changes.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.changes.name.text`**
+:   type: match_only_text
+
+
+**`user.changes.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.effective.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.effective.full_name.text`**
+:   type: match_only_text
+
+
+**`user.effective.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.effective.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.effective.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.effective.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.effective.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.effective.name.text`**
+:   type: match_only_text
+
+
+**`user.effective.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.full_name.text`**
+:   type: match_only_text
+
+
+**`user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.name.text`**
+:   type: match_only_text
+
+
+**`user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.target.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.target.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.target.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.target.full_name.text`**
+:   type: match_only_text
+
+
+**`user.target.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.target.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.target.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.target.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.target.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.target.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.target.name.text`**
+:   type: match_only_text
+
+
+**`user.target.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## user_agent [_user_agent]
+
+The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
+
+**`user_agent.device.name`**
+:   Name of the device.
+
+type: keyword
+
+example: iPhone
+
+
+**`user_agent.name`**
+:   Name of the user agent.
+
+type: keyword
+
+example: Safari
+
+
+**`user_agent.original`**
+:   Unparsed user_agent string.
+
+type: keyword
+
+example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+
+
+**`user_agent.original.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`user_agent.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`user_agent.os.full.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`user_agent.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`user_agent.os.name.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`user_agent.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`user_agent.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`user_agent.version`**
+:   Version of the user agent.
+
+type: keyword
+
+example: 12.0
+
+
+
+## vlan [_vlan]
+
+The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor  (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.
+
+**`vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+
+## vulnerability [_vulnerability]
+
+The vulnerability fields describe information about a vulnerability that is relevant to an event.
+
+**`vulnerability.category`**
+:   The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example ([Qualys vulnerability categories](https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)) This field must be an array.
+
+type: keyword
+
+example: ["Firewall"]
+
+
+**`vulnerability.classification`**
+:   The classification of the vulnerability scoring system. For example ([https://www.first.org/cvss/](https://www.first.org/cvss/))
+
+type: keyword
+
+example: CVSS
+
+
+**`vulnerability.description`**
+:   The description of the vulnerability that provides additional context of the vulnerability. For example ([Common Vulnerabilities and Exposure CVE description](https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created))
+
+type: keyword
+
+example: In macOS before 2.12.6, there is a vulnerability in the RPC…​
+
+
+**`vulnerability.description.text`**
+:   type: match_only_text
+
+
+**`vulnerability.enumeration`**
+:   The type of identifier used for this vulnerability. For example ([https://cve.mitre.org/about/](https://cve.mitre.org/about/))
+
+type: keyword
+
+example: CVE
+
+
+**`vulnerability.id`**
+:   The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example ([Common Vulnerabilities and Exposure CVE ID](https://cve.mitre.org/about/faqs.html#what_is_cve_id))
+
+type: keyword
+
+example: CVE-2019-00001
+
+
+**`vulnerability.reference`**
+:   A resource that provides additional information, context, and mitigations for the identified vulnerability.
+
+type: keyword
+
+example: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111)
+
+
+**`vulnerability.report_id`**
+:   The report or scan identification number.
+
+type: keyword
+
+example: 20191018.0001
+
+
+**`vulnerability.scanner.vendor`**
+:   The name of the vulnerability scanner vendor.
+
+type: keyword
+
+example: Tenable
+
+
+**`vulnerability.score.base`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+example: 5.5
+
+
+**`vulnerability.score.environmental`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+example: 5.5
+
+
+**`vulnerability.score.temporal`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+
+**`vulnerability.score.version`**
+:   The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss))
+
+type: keyword
+
+example: 2.0
+
+
+**`vulnerability.severity`**
+:   The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss))
+
+type: keyword
+
+example: Critical
+
+
+
+## x509 [_x509]
+
+This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.
+
+**`x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
diff --git a/docs/reference/heartbeat/exported-fields-host-processor.md b/docs/reference/heartbeat/exported-fields-host-processor.md
new file mode 100644
index 000000000000..f665ac1f259f
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-host-processor.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-host-processor.html
+---
+
+# Host fields [exported-fields-host-processor]
+
+Info collected for the host machine.
+
+**`host.containerized`**
+:   If the host is a container.
+
+type: boolean
+
+
+**`host.os.build`**
+:   OS build information.
+
+type: keyword
+
+example: 18D109
+
+
+**`host.os.codename`**
+:   OS codename, if any.
+
+type: keyword
+
+example: stretch
+
+
diff --git a/docs/reference/heartbeat/exported-fields-http.md b/docs/reference/heartbeat/exported-fields-http.md
new file mode 100644
index 000000000000..7017f693ad2e
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-http.md
@@ -0,0 +1,114 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-http.html
+---
+
+# HTTP monitor fields [exported-fields-http]
+
+None
+
+
+## http [_http_2]
+
+HTTP related fields.
+
+**`http.url`**
+:   Service url used by monitor.
+
+type: alias
+
+alias to: url.full
+
+
+**`http.response.body.hash`**
+:   Hash of the full response body. Can be used to group responses with identical hashes.
+
+type: keyword
+
+
+**`http.response.redirects`**
+:   List of redirects followed to arrive at final content. Last item on the list is the URL for which body content is shown.
+
+type: keyword
+
+
+**`http.response.headers.*`**
+:   The canonical headers of the monitored HTTP response.
+
+type: object
+
+Object is not enabled.
+
+
+
+## rtt [_rtt]
+
+HTTP layer round trip times.
+
+
+## validate [_validate]
+
+Duration between first byte of HTTP request being written and response being processed by validator. Duration based on already available network connection.
+
+Note: if validator is not reading body or only a prefix, this number does not fully represent the total time needed to read the body.
+
+**`http.rtt.validate.us`**
+:   Duration in microseconds
+
+type: long
+
+
+
+## validate_body [_validate_body]
+
+Duration of validator required to read and validate the response body.
+
+Note: if validator is not reading body or only a prefix, this number does not fully represent the total time needed to read the body.
+
+**`http.rtt.validate_body.us`**
+:   Duration in microseconds
+
+type: long
+
+
+
+## write_request [_write_request]
+
+Duration of sending the complete HTTP request. Duration based on already available network connection.
+
+**`http.rtt.write_request.us`**
+:   Duration in microseconds
+
+type: long
+
+
+
+## response_header [_response_header]
+
+Time required between sending the start of sending the HTTP request and first byte from HTTP response being read. Duration based on already available network connection.
+
+**`http.rtt.response_header.us`**
+:   Duration in microseconds
+
+type: long
+
+
+**`http.rtt.content.us`**
+:   Time required to retrieved the content in micro seconds.
+
+type: long
+
+
+
+## total [_total]
+
+Duration required to process the HTTP transaction. Starts with the initial TCP connection attempt. Ends with after validator did check the response.
+
+Note: if validator is not reading body or only a prefix, this number does not fully represent the total time needed.
+
+**`http.rtt.total.us`**
+:   Duration in microseconds
+
+type: long
+
+
diff --git a/docs/reference/heartbeat/exported-fields-icmp.md b/docs/reference/heartbeat/exported-fields-icmp.md
new file mode 100644
index 000000000000..db28a3a11af8
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-icmp.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-icmp.html
+---
+
+# ICMP fields [exported-fields-icmp]
+
+None
+
+
+## icmp [_icmp]
+
+IP ping fields.
+
+**`icmp.requests`**
+:   Number if ICMP EchoRequests send.
+
+type: integer
+
+
+
+## rtt [_rtt_2]
+
+ICMP Echo Request and Reply round trip time
+
+**`icmp.rtt.us`**
+:   Duration in microseconds
+
+type: long
+
+
diff --git a/docs/reference/heartbeat/exported-fields-jolokia-autodiscover.md b/docs/reference/heartbeat/exported-fields-jolokia-autodiscover.md
new file mode 100644
index 000000000000..3e623efe1407
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-jolokia-autodiscover.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-jolokia-autodiscover.html
+---
+
+# Jolokia Discovery autodiscover provider fields [exported-fields-jolokia-autodiscover]
+
+Metadata from Jolokia Discovery added by the jolokia provider.
+
+**`jolokia.agent.version`**
+:   Version number of jolokia agent.
+
+type: keyword
+
+
+**`jolokia.agent.id`**
+:   Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.
+
+type: keyword
+
+
+**`jolokia.server.product`**
+:   The container product if detected.
+
+type: keyword
+
+
+**`jolokia.server.version`**
+:   The container’s version (if detected).
+
+type: keyword
+
+
+**`jolokia.server.vendor`**
+:   The vendor of the container the agent is running in.
+
+type: keyword
+
+
+**`jolokia.url`**
+:   The URL how this agent can be contacted.
+
+type: keyword
+
+
+**`jolokia.secured`**
+:   Whether the agent was configured for authentication or not.
+
+type: boolean
+
+
diff --git a/docs/reference/heartbeat/exported-fields-kubernetes-processor.md b/docs/reference/heartbeat/exported-fields-kubernetes-processor.md
new file mode 100644
index 000000000000..db83915e2423
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-kubernetes-processor.md
@@ -0,0 +1,87 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-kubernetes-processor.html
+---
+
+# Kubernetes fields [exported-fields-kubernetes-processor]
+
+Kubernetes metadata added by the kubernetes processor
+
+**`kubernetes.pod.name`**
+:   Kubernetes pod name
+
+type: keyword
+
+
+**`kubernetes.pod.uid`**
+:   Kubernetes Pod UID
+
+type: keyword
+
+
+**`kubernetes.pod.ip`**
+:   Kubernetes Pod IP
+
+type: ip
+
+
+**`kubernetes.namespace`**
+:   Kubernetes namespace
+
+type: keyword
+
+
+**`kubernetes.node.name`**
+:   Kubernetes node name
+
+type: keyword
+
+
+**`kubernetes.node.hostname`**
+:   Kubernetes hostname as reported by the node’s kernel
+
+type: keyword
+
+
+**`kubernetes.labels.*`**
+:   Kubernetes labels map
+
+type: object
+
+
+**`kubernetes.annotations.*`**
+:   Kubernetes annotations map
+
+type: object
+
+
+**`kubernetes.selectors.*`**
+:   Kubernetes selectors map
+
+type: object
+
+
+**`kubernetes.replicaset.name`**
+:   Kubernetes replicaset name
+
+type: keyword
+
+
+**`kubernetes.deployment.name`**
+:   Kubernetes deployment name
+
+type: keyword
+
+
+**`kubernetes.statefulset.name`**
+:   Kubernetes statefulset name
+
+type: keyword
+
+
+**`kubernetes.container.name`**
+:   Kubernetes container name (different than the name from the runtime)
+
+type: keyword
+
+
diff --git a/docs/reference/heartbeat/exported-fields-process.md b/docs/reference/heartbeat/exported-fields-process.md
new file mode 100644
index 000000000000..ed06dc6435dd
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-process.md
@@ -0,0 +1,38 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-process.html
+---
+
+# Process fields [exported-fields-process]
+
+Process metadata fields
+
+**`process.exe`**
+:   type: alias
+
+alias to: process.executable
+
+
+
+## owner [_owner]
+
+Process owner information.
+
+**`process.owner.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+
+**`process.owner.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+
+**`process.owner.name.text`**
+:   type: text
+
+
diff --git a/docs/reference/heartbeat/exported-fields-resolve.md b/docs/reference/heartbeat/exported-fields-resolve.md
new file mode 100644
index 000000000000..1beef91c6cf1
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-resolve.md
@@ -0,0 +1,39 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-resolve.html
+---
+
+# Host lookup fields [exported-fields-resolve]
+
+None
+
+
+## resolve [_resolve]
+
+Host lookup fields.
+
+**`resolve.host`**
+:   Hostname of service being monitored.
+
+type: alias
+
+alias to: url.domain
+
+
+**`resolve.ip`**
+:   IP address found for the given host.
+
+type: ip
+
+
+
+## rtt [_rtt_3]
+
+Duration required to resolve an IP from hostname.
+
+**`resolve.rtt.us`**
+:   Duration in microseconds
+
+type: long
+
+
diff --git a/docs/reference/heartbeat/exported-fields-service.md b/docs/reference/heartbeat/exported-fields-service.md
new file mode 100644
index 000000000000..794fd2fb8a80
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-service.md
@@ -0,0 +1,15 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-service.html
+---
+
+# APM Service fields [exported-fields-service]
+
+None
+
+**`name`**
+:   APM service name this monitor is linked to
+
+type: keyword
+
+
diff --git a/docs/reference/heartbeat/exported-fields-socks5.md b/docs/reference/heartbeat/exported-fields-socks5.md
new file mode 100644
index 000000000000..47e74c33eb57
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-socks5.md
@@ -0,0 +1,30 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-socks5.html
+---
+
+# SOCKS5 proxy fields [exported-fields-socks5]
+
+None
+
+
+## socks5 [_socks5]
+
+SOCKS5 proxy related fields:
+
+
+## rtt [_rtt_4]
+
+TLS layer round trip times.
+
+
+## connect [_connect]
+
+Time required to establish a connection via SOCKS5 to endpoint based on available connection to SOCKS5 proxy.
+
+**`socks5.rtt.connect.us`**
+:   Duration in microseconds
+
+type: long
+
+
diff --git a/docs/reference/heartbeat/exported-fields-state.md b/docs/reference/heartbeat/exported-fields-state.md
new file mode 100644
index 000000000000..e1f507a02292
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-state.md
@@ -0,0 +1,66 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-state.html
+---
+
+# Monitor state fields [exported-fields-state]
+
+state related fields
+
+
+## state [_state]
+
+Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`.
+
+**`state.id`**
+:   ID of this state
+
+type: keyword
+
+
+**`state.started_at`**
+:   First time state with this ID was seen
+
+type: date
+
+
+**`state.duration_ms`**
+:   Length of time this state has existed in millis
+
+type: long
+
+
+**`state.status`**
+:   The current status, "up", "down", or "flapping" any state can change into flapping.
+
+type: keyword
+
+
+**`state.checks`**
+:   total checks run
+
+type: integer
+
+
+**`state.up`**
+:   total up checks run
+
+type: integer
+
+
+**`state.down`**
+:   total down checks run
+
+type: integer
+
+
+**`state.flap_history`**
+:   Object is not enabled.
+
+
+**`state.ends`**
+:   the state that was ended by this state
+
+type: object
+
+
diff --git a/docs/reference/heartbeat/exported-fields-summary.md b/docs/reference/heartbeat/exported-fields-summary.md
new file mode 100644
index 000000000000..ab96ab08496c
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-summary.md
@@ -0,0 +1,56 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-summary.html
+---
+
+# Monitor summary fields [exported-fields-summary]
+
+None
+
+
+## summary [_summary]
+
+Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`.
+
+**`summary.up`**
+:   The number of endpoints that succeeded
+
+type: integer
+
+
+**`summary.down`**
+:   The number of endpoints that failed
+
+type: integer
+
+
+**`summary.status`**
+:   The status of this check as a whole. Either up or down.
+
+type: keyword
+
+
+**`summary.attempt`**
+:   When performing a check this number is 1 for the first check, and increments in the event of a retry.
+
+type: short
+
+
+**`summary.max_attempts`**
+:   The maximum number of checks that may be performed. Note, the actual number may be smaller.
+
+type: short
+
+
+**`summary.final_attempt`**
+:   True if no further checks will be performed in this retry group.
+
+type: boolean
+
+
+**`summary.retry_group`**
+:   A unique token used to group checks across attempts.
+
+type: keyword
+
+
diff --git a/docs/reference/heartbeat/exported-fields-synthetics.md b/docs/reference/heartbeat/exported-fields-synthetics.md
new file mode 100644
index 000000000000..c526d492904b
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-synthetics.md
@@ -0,0 +1,133 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-synthetics.html
+---
+
+# Synthetics types fields [exported-fields-synthetics]
+
+None
+
+
+## synthetics [_synthetics]
+
+Synthetics related fields.
+
+**`synthetics.type`**
+:   type: keyword
+
+
+**`synthetics.package_version`**
+:   type: keyword
+
+
+**`synthetics.index`**
+:   Index count used for creating total order of all events during invocation.
+
+type: integer
+
+
+**`synthetics.payload`**
+:   type: object
+
+Object is not enabled.
+
+
+**`synthetics.blob`**
+:   binary data payload
+
+type: binary
+
+
+**`synthetics.blob_mime`**
+:   mime type of blob data
+
+type: keyword
+
+
+**`synthetics.step.name`**
+:   type: text
+
+
+**`synthetics.step.name.keyword`**
+:   type: keyword
+
+
+**`synthetics.step.index`**
+:   type: integer
+
+
+**`synthetics.step.status`**
+:   type: keyword
+
+
+
+## duration [_duration_3]
+
+Duration required to complete the step.
+
+**`synthetics.step.duration.us`**
+:   Duration in microseconds
+
+type: integer
+
+
+**`synthetics.journey.name`**
+:   type: text
+
+
+**`synthetics.journey.id`**
+:   type: keyword
+
+
+**`synthetics.journey.tags`**
+:   Tags used for grouping journeys
+
+type: keyword
+
+
+
+## duration [_duration_4]
+
+Duration required to complete the journey.
+
+**`synthetics.journey.duration.us`**
+:   Duration in microseconds
+
+type: integer
+
+
+**`synthetics.error.name`**
+:   type: keyword
+
+
+**`synthetics.error.message`**
+:   type: text
+
+
+**`synthetics.error.stack`**
+:   type: text
+
+
+**`synthetics.screenshot_ref.width`**
+:   Width of the full screenshot in pixels.
+
+type: integer
+
+
+**`synthetics.screenshot_ref.height`**
+:   Height of the full screenshot in pixels
+
+type: integer
+
+
+
+## blocks [_blocks]
+
+Attributes representing individual screenshot blocks. Only hash is indexed since it’s the only one we’d query on.
+
+**`synthetics.screenshot_ref.blocks.hash`**
+:   Hash that uniquely identifies this image by content. Corresponds to block document id.
+
+type: keyword
+
+
diff --git a/docs/reference/heartbeat/exported-fields-tcp.md b/docs/reference/heartbeat/exported-fields-tcp.md
new file mode 100644
index 000000000000..719608b9a9f8
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-tcp.md
@@ -0,0 +1,49 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-tcp.html
+---
+
+# TCP layer fields [exported-fields-tcp]
+
+None
+
+
+## tcp [_tcp]
+
+TCP network layer related fields.
+
+**`tcp.port`**
+:   Service port number.
+
+type: alias
+
+alias to: url.port
+
+
+
+## rtt [_rtt_5]
+
+TCP layer round trip times.
+
+
+## connect [_connect_2]
+
+Duration required to establish a TCP connection based on already available IP address.
+
+**`tcp.rtt.connect.us`**
+:   Duration in microseconds
+
+type: long
+
+
+
+## validate [_validate_2]
+
+Duration of validation step based on existing TCP connection.
+
+**`tcp.rtt.validate.us`**
+:   Duration in microseconds
+
+type: long
+
+
diff --git a/docs/reference/heartbeat/exported-fields-tls.md b/docs/reference/heartbeat/exported-fields-tls.md
new file mode 100644
index 000000000000..513beb76504a
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields-tls.md
@@ -0,0 +1,59 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-tls.html
+---
+
+# TLS encryption layer fields [exported-fields-tls]
+
+None
+
+
+## tls [_tls_2]
+
+TLS layer related fields.
+
+**`tls.certificate_not_valid_before`**
+:   [7.8.0]
+
+Deprecated in favor of `tls.server.x509.not_before`. Earliest time at which the connection’s certificates are valid.
+
+type: date
+
+
+**`tls.certificate_not_valid_after`**
+:   [7.8.0]
+
+Deprecated in favor of `tls.server.x509.not_after`. Latest time at which the connection’s certificates are valid.
+
+type: date
+
+
+
+## rtt [_rtt_6]
+
+TLS layer round trip times.
+
+
+## handshake [_handshake]
+
+Time required to finish TLS handshake based on already available network connection.
+
+**`tls.rtt.handshake.us`**
+:   Duration in microseconds
+
+type: long
+
+
+
+## server [_server_2]
+
+Detailed x509 certificate metadata
+
+**`tls.server.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
diff --git a/docs/reference/heartbeat/exported-fields.md b/docs/reference/heartbeat/exported-fields.md
new file mode 100644
index 000000000000..f6d149c41ed4
--- /dev/null
+++ b/docs/reference/heartbeat/exported-fields.md
@@ -0,0 +1,30 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields.html
+---
+
+# Exported fields [exported-fields]
+
+This document describes the fields that are exported by Heartbeat. They are grouped in the following categories:
+
+* [*Beat fields*](/reference/heartbeat/exported-fields-beat-common.md)
+* [*Synthetics browser metrics fields*](/reference/heartbeat/exported-fields-browser.md)
+* [*Cloud provider metadata fields*](/reference/heartbeat/exported-fields-cloud.md)
+* [*Common heartbeat monitor fields*](/reference/heartbeat/exported-fields-common.md)
+* [*Docker fields*](/reference/heartbeat/exported-fields-docker-processor.md)
+* [*ECS fields*](/reference/heartbeat/exported-fields-ecs.md)
+* [*Host fields*](/reference/heartbeat/exported-fields-host-processor.md)
+* [*HTTP monitor fields*](/reference/heartbeat/exported-fields-http.md)
+* [*ICMP fields*](/reference/heartbeat/exported-fields-icmp.md)
+* [*Jolokia Discovery autodiscover provider fields*](/reference/heartbeat/exported-fields-jolokia-autodiscover.md)
+* [*Kubernetes fields*](/reference/heartbeat/exported-fields-kubernetes-processor.md)
+* [*Process fields*](/reference/heartbeat/exported-fields-process.md)
+* [*Host lookup fields*](/reference/heartbeat/exported-fields-resolve.md)
+* [*APM Service fields*](/reference/heartbeat/exported-fields-service.md)
+* [*SOCKS5 proxy fields*](/reference/heartbeat/exported-fields-socks5.md)
+* [*Monitor state fields*](/reference/heartbeat/exported-fields-state.md)
+* [*Monitor summary fields*](/reference/heartbeat/exported-fields-summary.md)
+* [*Synthetics types fields*](/reference/heartbeat/exported-fields-synthetics.md)
+* [*TCP layer fields*](/reference/heartbeat/exported-fields-tcp.md)
+* [*TLS encryption layer fields*](/reference/heartbeat/exported-fields-tls.md)
+
diff --git a/docs/reference/heartbeat/extract-array.md b/docs/reference/heartbeat/extract-array.md
new file mode 100644
index 000000000000..5e3bffde1d8e
--- /dev/null
+++ b/docs/reference/heartbeat/extract-array.md
@@ -0,0 +1,46 @@
+---
+navigation_title: "extract_array"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/extract-array.html
+---
+
+# Extract array [extract-array]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `extract_array` processor populates fields with values read from an array field. The following example will populate `source.ip` with the first element of the `my_array` field, `destination.ip` with the second element, and `network.transport` with the third.
+
+```yaml
+processors:
+  - extract_array:
+      field: my_array
+      mappings:
+        source.ip: 0
+        destination.ip: 1
+        network.transport: 2
+```
+
+The following settings are supported:
+
+`field`
+:   The array field whose elements are to be extracted.
+
+`mappings`
+:   Maps each field name to an array index. Use 0 for the first element in the array. Multiple fields can be mapped to the same array element.
+
+`ignore_missing`
+:   (Optional) Whether to ignore events where the array field is missing. The default is `false`, which will fail processing of an event if the specified field does not exist. Set it to `true` to ignore this condition.
+
+`overwrite_keys`
+:   Whether the target fields specified in the mapping are overwritten if they already exist. The default is `false`, which will fail processing if a target field already exists.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error happens, changes to the event are reverted, and the original event is returned. If set to `false`, processing continues despite errors. Default is `true`.
+
+`omit_empty`
+:   (Optional) Whether empty values are extracted from the array. If set to `true`, instead of the target field being set to an empty value, it is left unset. The empty string (`""`), an empty array (`[]`) or an empty object (`{}`) are considered empty values. Default is `false`.
+
diff --git a/docs/reference/heartbeat/faq.md b/docs/reference/heartbeat/faq.md
new file mode 100644
index 000000000000..c165b438c4ca
--- /dev/null
+++ b/docs/reference/heartbeat/faq.md
@@ -0,0 +1,19 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/faq.html
+---
+
+# Common problems [faq]
+
+This section describes common problems you might encounter with Heartbeat. Also check out the [Heartbeat discussion forum](https://discuss.elastic.co/c/beats/heartbeat).
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/heartbeat/feature-roles.md b/docs/reference/heartbeat/feature-roles.md
new file mode 100644
index 000000000000..75b8cd61d567
--- /dev/null
+++ b/docs/reference/heartbeat/feature-roles.md
@@ -0,0 +1,25 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/feature-roles.html
+---
+
+# Grant users access to secured resources [feature-roles]
+
+You can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.
+
+Typically you need the create the following separate roles:
+
+* [setup role](/reference/heartbeat/privileges-to-setup-beats.md) for setting up index templates and other dependencies
+* [monitoring role](/reference/heartbeat/privileges-to-publish-monitoring.md) for sending monitoring information
+* [writer role](/reference/heartbeat/privileges-to-publish-events.md)  for publishing events collected by Heartbeat
+* [reader role](/reference/heartbeat/kibana-user-privileges.md) for {{kib}} users who need to view and create visualizations that access Heartbeat data
+
+{{es-security-features}} provides [built-in roles](elasticsearch://reference/elasticsearch/roles.md) that grant a subset of the privileges needed by Heartbeat users. When possible, use the built-in roles to minimize the affect of future changes on your security strategy.
+
+Instead of using usernames and passwords, roles and privileges can be assigned to API keys to grant access to Elasticsearch resources. See [*Grant access using API keys*](/reference/heartbeat/beats-api-keys.md) for more information.
+
+
+
+
+
+
diff --git a/docs/reference/heartbeat/file-output.md b/docs/reference/heartbeat/file-output.md
new file mode 100644
index 000000000000..61fa173768b6
--- /dev/null
+++ b/docs/reference/heartbeat/file-output.md
@@ -0,0 +1,89 @@
+---
+navigation_title: "File"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/file-output.html
+---
+
+# Configure the File output [file-output]
+
+
+The File output dumps the transactions into a file where each transaction is in a JSON format. Currently, this output is used for testing, but it can be used as input for Logstash.
+
+To use this output, edit the Heartbeat configuration file to disable the {{es}} output by commenting it out, and enable the file output by adding `output.file`.
+
+Example configuration:
+
+```yaml
+output.file:
+  path: "/tmp/heartbeat"
+  filename: heartbeat
+  #rotate_every_kb: 10000
+  #number_of_files: 7
+  #permissions: 0600
+  #rotate_on_startup: true
+```
+
+## Configuration options [_configuration_options_6]
+
+You can specify the following `output.file` options in the `heartbeat.yml` config file:
+
+### `enabled` [_enabled_5]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `path` [path]
+
+The path to the directory where the generated files will be saved. This option is mandatory.
+
+The path may include the timestamp when the file output is initialized using the `+FORMAT` syntax where `FORMAT` is a valid [time format](https://github.com/elastic/beats/blob/main/libbeat/common/dtfmt/doc.go), and enclosed with expansion braces: `%{+FORMAT}`. For example:
+
+```
+path: 'fileoutput-%{+yyyy.MM.dd}'
+```
+
+
+### `filename` [_filename]
+
+The name of the generated files. The default is set to the Beat name. For example, the files generated by default for Heartbeat would be `"heartbeat-{{datetime}}.ndjson"`, `"heartbeat-{{datetime}}-1.ndjson"`, `"heartbeat-{{datetime}}-2.ndjson"`, and so on.
+
+
+### `rotate_every_kb` [_rotate_every_kb]
+
+The maximum size in kilobytes of each file. When this size is reached, the files are rotated. The default value is 10240 KB.
+
+
+### `number_of_files` [_number_of_files]
+
+The maximum number of files to save under [`path`](#path). When this number of files is reached, the oldest file is deleted, and the rest of the files are shifted from last to first. The number of files must be between 2 and 1024. The default is 7.
+
+
+### `permissions` [_permissions]
+
+Permissions to use for file creation. The default is 0600.
+
+
+### `rotate_on_startup` [_rotate_on_startup]
+
+If the output file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to true.
+
+
+### `codec` [_codec_3]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/heartbeat/configuration-output-codec.md) for more information.
+
+
+### `queue` [_queue_5]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/heartbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `heartbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/heartbeat/filtering-enhancing-data.md b/docs/reference/heartbeat/filtering-enhancing-data.md
new file mode 100644
index 000000000000..7ab88e2f8854
--- /dev/null
+++ b/docs/reference/heartbeat/filtering-enhancing-data.md
@@ -0,0 +1,70 @@
+---
+navigation_title: "Processors"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/filtering-and-enhancing-data.html
+---
+
+# Filter and enhance data with processors [filtering-and-enhancing-data]
+
+
+You can [define processors](/reference/heartbeat/defining-processors.md) in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:
+
+* reducing the number of exported fields
+* enhancing events with additional metadata
+* performing additional processing and decoding
+
+Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Heartbeat configuration file.
+
+```yaml
+event -> processor 1 -> event1 -> processor 2 -> event2 ...
+```
+
+::::{important}
+It’s recommended to do all drop and renaming of existing fields as the last step in a processor configuration. This is because dropping or renaming fields can remove data necessary for the next processor in the chain, for example dropping the `source.ip` field would remove one of the fields necessary for the `community_id` processor to function. If it’s necessary to remove, rename or overwrite an existing event field, please make sure it’s done by a corresponding processor ([`drop_fields`](/reference/heartbeat/drop-fields.md), [`rename`](/reference/heartbeat/rename-fields.md) or [`add_fields`](/reference/heartbeat/add-fields.md)) placed at the end of the processor list defined in the input configuration.
+::::
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/heartbeat/fingerprint.md b/docs/reference/heartbeat/fingerprint.md
new file mode 100644
index 000000000000..0c6d8a8e49a6
--- /dev/null
+++ b/docs/reference/heartbeat/fingerprint.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "fingerprint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/fingerprint.html
+---
+
+# Generate a fingerprint of an event [fingerprint]
+
+
+The `fingerprint` processor generates a fingerprint of an event based on a specified subset of its fields.
+
+The value that is hashed is constructed as a concatenation of the field name and field value separated by `|`. For example `|field1|value1|field2|value2|`.
+
+Nested fields are supported in the following format: `"field1.field2"` e.g: `["log.path.file", "foo"]`
+
+```yaml
+processors:
+  - fingerprint:
+      fields: ["field1", "field2", ...]
+```
+
+The following settings are supported:
+
+`fields`
+:   List of fields to use as the source for the fingerprint. The list will be alphabetically sorted by the processor.
+
+`ignore_missing`
+:   (Optional) Whether to ignore missing fields. Default is `false`.
+
+`target_field`
+:   (Optional) Field in which the generated fingerprint should be stored. Default is `fingerprint`.
+
+`method`
+:   (Optional) Algorithm to use for computing the fingerprint. Must be one of: `md5`, `sha1`, `sha256`, `sha384`, `sha512`, `xxhash`. Default is `sha256`.
+
+`encoding`
+:   (Optional) Encoding to use on the fingerprint value. Must be one of `hex`, `base32`, or `base64`. Default is `hex`.
+
diff --git a/docs/reference/heartbeat/getting-help.md b/docs/reference/heartbeat/getting-help.md
new file mode 100644
index 000000000000..d5d193c7fb79
--- /dev/null
+++ b/docs/reference/heartbeat/getting-help.md
@@ -0,0 +1,16 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/getting-help.html
+---
+
+# Get help [getting-help]
+
+Start by searching the [Heartbeat discussion forum](https://discuss.elastic.co/c/beats/heartbeat) for your issue. If you can’t find a resolution, open a new issue or add a comment to an existing one. Make sure you provide the following information, and we’ll help you troubleshoot the problem:
+
+* Heartbeat version
+* Operating System
+* Configuration
+* Any supporting information, such as debugging output, that will help us diagnose your problem. See [*Debug*](/reference/heartbeat/enable-heartbeat-debugging.md) for more details.
+
+If you’re sure you found a bug, you can open a ticket on [GitHub](https://github.com/elastic/beats/issues?state=open). Note, however, that we close GitHub issues containing questions or requests for help if they don’t indicate the presence of a bug.
+
diff --git a/docs/reference/heartbeat/heartbeat-geoip.md b/docs/reference/heartbeat/heartbeat-geoip.md
new file mode 100644
index 000000000000..bfd34669c4ad
--- /dev/null
+++ b/docs/reference/heartbeat/heartbeat-geoip.md
@@ -0,0 +1,206 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/heartbeat-geoip.html
+---
+
+# Enrich events with geoIP information [heartbeat-geoip]
+
+You can use Heartbeat along with the [GeoIP Processor](elasticsearch://reference/ingestion-tools/enrich-processor/geoip-processor.md) in {{es}} to export geographic location information based on IP addresses. Then you can use this information to visualize the location of IP addresses on a map in {{kib}}.
+
+The `geoip` processor adds information about the geographical location of IP addresses, based on data from the Maxmind GeoLite2 City Database. Because the processor uses a geoIP database that’s installed on {{es}}, you don’t need to install a geoIP database on the machines running Heartbeat.
+
+::::{note}
+If your use case involves using {{ls}}, you can use the [GeoIP filter](logstash://reference/plugins-filters-geoip.md) available in {{ls}} instead of using the `geoip` processor. However, using the `geoip` processor is the simplest approach when you don’t require the additional processing power of {{ls}}.
+::::
+
+
+
+## Configure the `geoip` processor [heartbeat-configuring-geoip]
+
+To configure Heartbeat and the `geoip` processor:
+
+1. Define an ingest pipeline that uses one or more `geoip` processors to add location information to the event. For example, you can use the Console in {{kib}} to create the following pipeline:
+
+    ```console
+    PUT _ingest/pipeline/geoip-info
+    {
+      "description": "Add geoip info",
+      "processors": [
+        {
+          "geoip": {
+            "field": "client.ip",
+            "target_field": "client.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "client.ip",
+            "target_field": "client.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "source.ip",
+            "target_field": "source.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "source.ip",
+            "target_field": "source.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "destination.ip",
+            "target_field": "destination.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "destination.ip",
+            "target_field": "destination.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "server.ip",
+            "target_field": "server.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "server.ip",
+            "target_field": "server.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "host.ip",
+            "target_field": "host.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "server.as.asn",
+            "target_field": "server.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "server.as.organization_name",
+            "target_field": "server.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "client.as.asn",
+            "target_field": "client.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "client.as.organization_name",
+            "target_field": "client.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "source.as.asn",
+            "target_field": "source.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "source.as.organization_name",
+            "target_field": "source.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "destination.as.asn",
+            "target_field": "destination.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "destination.as.organization_name",
+            "target_field": "destination.as.organization.name",
+            "ignore_missing": true
+          }
+        }
+      ]
+    }
+    ```
+
+    In this example, the pipeline ID is `geoip-info`. `field` specifies the field that contains the IP address to use for the geographical lookup, and `target_field` is the field that will hold the geographical information. `"ignore_missing": true` configures the pipeline to continue processing when it encounters an event that doesn’t have the specified field.
+
+    See [GeoIP Processor](elasticsearch://reference/ingestion-tools/enrich-processor/geoip-processor.md) for more options.
+
+    To learn more about adding host information to an event, see [add_host_metadata](/reference/heartbeat/add-host-metadata.md).
+
+2. In the Heartbeat config file, configure the {{es}} output to use the pipeline. Specify the pipeline ID in the `pipeline` option under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["localhost:9200"]
+      pipeline: geoip-info
+    ```
+
+3. Run Heartbeat. Remember to use `sudo` if the config file is owned by root.
+
+    ```sh
+    ./heartbeat -e
+    ```
+
+    If the lookups succeed, the events are enriched with `geo_point` fields, such as `client.geo.location` and `host.geo.location`, that you can use to populate visualizations in {{kib}}.
+
+
+If you add a field that’s not already defined as a `geo_point` in the index template, add a mapping so the field gets indexed correctly.
+
+
+## Visualize locations [heartbeat-visualizing-location]
+
+To visualize the location of IP addresses, you can create a new [coordinate map](docs-content://explore-analyze/visualize/maps.md) in {{kib}} and select the location field, for example `client.geo.location` or `host.geo.location`, as the Geohash.
+
+:::{image} images/coordinate-map.png
+:alt: Coordinate map in {kib}
+:class: screenshot
+:::
+
diff --git a/docs/reference/heartbeat/heartbeat-installation-configuration.md b/docs/reference/heartbeat/heartbeat-installation-configuration.md
new file mode 100644
index 000000000000..7a97542347e0
--- /dev/null
+++ b/docs/reference/heartbeat/heartbeat-installation-configuration.md
@@ -0,0 +1,390 @@
+---
+navigation_title: "Quick start"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/heartbeat-installation-configuration.html
+---
+
+# Heartbeat quick start: installation and configuration [heartbeat-installation-configuration]
+
+
+This guide describes how to get started quickly collecting uptime data about your hosts. You’ll learn how to:
+
+* install Heartbeat
+* specify the protocols to monitor
+* send uptime data to {es}
+* visualize the uptime data in {kib}
+
+:::{image} images/heartbeat-statistics.png
+:alt: Heartbeat HTTP monitoring dashboard
+:class: screenshot
+:::
+
+
+## Before you begin [_before_you_begin]
+
+You need {{es}} for storing and searching your data, and {{kib}} for visualizing and managing it.
+
+:::::::{tab-set}
+
+::::::{tab-item} Elasticsearch Service
+To get started quickly, spin up a deployment of our [hosted {{ess}}](https://www.elastic.co/cloud/elasticsearch-service). The {{ess}} is available on AWS, GCP, and Azure. [Try it out for free](https://cloud.elastic.co/registration?page=docs&placement=docs-body).
+::::::
+
+::::::{tab-item} Self-managed
+To install and run {{es}} and {{kib}}, see [Installing the {{stack}}](docs-content://deploy-manage/deploy/self-managed/deploy-cluster.md).
+::::::
+
+:::::::
+
+## Step 1: Install Heartbeat [installation]
+
+Unlike most Beats, which you install on edge nodes, you typically install Heartbeat as part of a monitoring service that runs on a separate machine and possibly even outside of the network where the services that you want to monitor are running.
+
+To download and install Heartbeat, use the commands that work with your system:
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+Version 9.0.0-beta1 of Heartbeat has not yet been released.
+::::::
+
+::::::{tab-item} RPM
+Version 9.0.0-beta1 of Heartbeat has not yet been released.
+::::::
+
+::::::{tab-item} MacOS
+Version 9.0.0-beta1 of Heartbeat has not yet been released.
+::::::
+
+::::::{tab-item} Linux
+Version 9.0.0-beta1 of Heartbeat has not yet been released.
+::::::
+
+::::::{tab-item} Windows
+Version 9.0.0-beta1 of Heartbeat has not yet been released.
+::::::
+
+:::::::
+The commands shown are for AMD platforms, but ARM packages are also available. Refer to the [download page](https://www.elastic.co/downloads/beats/heartbeat) for the full list of available packages.
+
+
+### Other installation options [other-installation-options]
+
+* [APT or YUM](/reference/heartbeat/setup-repositories.md)
+* [Download page](https://www.elastic.co/downloads/beats/heartbeat)
+* [Docker](/reference/heartbeat/running-on-docker.md)
+
+
+## Step 2: Connect to the {{stack}} [set-connection]
+
+Connections to {{es}} and {{kib}} are required to set up Heartbeat.
+
+Set the connection information in `heartbeat.yml`. To locate this configuration file, see [Directory layout](/reference/heartbeat/directory-layout.md).
+
+:::::::{tab-set}
+
+::::::{tab-item} Elasticsearch Service
+Specify the [cloud.id](/reference/heartbeat/configure-cloud-id.md) of your {{ess}}, and set [cloud.auth](/reference/heartbeat/configure-cloud-id.md) to a user who is authorized to set up Heartbeat. For example:
+
+```yaml
+cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
+cloud.auth: "heartbeat_setup:{pwd}" <1>
+```
+
+1. This examples shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/heartbeat/keystore.md).
+::::::
+
+::::::{tab-item} Self-managed
+1. Set the host and port where Heartbeat can find the {{es}} installation, and set the username and password of a user who is authorized to set up Heartbeat. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      username: "heartbeat_internal"
+      password: "{pwd}" <1>
+      ssl:
+        enabled: true
+        ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c" <2>
+    ```
+
+    1. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/heartbeat/keystore.md).
+    2. This example shows a hard-coded fingerprint, but you should store sensitive values in the [secrets keystore](/reference/heartbeat/keystore.md). The fingerprint is a HEX encoded SHA-256 of a CA certificate, when you start {{es}} for the first time, security features such as network encryption (TLS) for {{es}} are enabled by default. If you are using the self-signed certificate generated by {{es}} when it is started for the first time, you will need to add its fingerprint here. The fingerprint is printed on {{es}} start up logs, or you can refer to [connect clients to {{es}} documentation](docs-content://deploy-manage/security/security-certificates-keys.md#_connect_clients_to_es_5) for other options on retrieving it. If you are providing your own SSL certificate to {{es}} refer to [Heartbeat documentation on how to setup SSL](/reference/heartbeat/configuration-ssl.md#ssl-client-config).
+
+2. If you plan to use our pre-built {{kib}} dashboards, configure the {{kib}} endpoint. Skip this step if {{kib}} is running on the same host as {{es}}.
+
+    ```yaml
+      setup.kibana:
+        host: "mykibanahost:5601" <1>
+        username: "my_kibana_user" <2> <3>
+        password: "{pwd}"
+    ```
+
+    1. The hostname and port of the machine where {{kib}} is running, for example, `mykibanahost:5601`. If you specify a path after the port number, include the scheme and port: `http://mykibanahost:5601/path`.
+    2. The `username` and `password` settings for {{kib}} are optional. If you don’t specify credentials for {{kib}}, Heartbeat uses the `username` and `password` specified for the {{es}} output.
+    3. To use the pre-built {{kib}} dashboards, this user must be authorized to view dashboards or have the `kibana_admin` [built-in role](elasticsearch://reference/elasticsearch/roles.md).
+::::::
+
+:::::::
+To learn more about required roles and privileges, see [*Grant users access to secured resources*](/reference/heartbeat/feature-roles.md).
+
+::::{note}
+You can send data to other [outputs](/reference/heartbeat/configuring-output.md), such as {{ls}}, but that requires additional configuration and setup.
+::::
+
+
+
+## Step 3: Configure Heartbeat monitors [configuration]
+
+Heartbeat provides monitors to check the status of hosts at set intervals. Heartbeat currently provides monitors for ICMP, TCP, and HTTP (see [*Heartbeat overview*](/reference/heartbeat/heartbeat-overview.md) for more about these monitors).
+
+You configure each monitor individually. In `heartbeat.yml`, specify the list of monitors that you want to enable. Each item in the list begins with a dash (-). The following example configures Heartbeat to use three monitors: an `icmp` monitor, a `tcp` monitor, and an `http` monitor.
+
+```yaml
+heartbeat.monitors:
+- type: icmp
+  schedule: '*/5 * * * * * *' <1>
+  hosts: ["myhost"]
+  id: my-icmp-service
+  name: My ICMP Service
+- type: tcp
+  schedule: '@every 5s' <2>
+  hosts: ["myhost:12345"]
+  mode: any <3>
+  id: my-tcp-service
+- type: http
+  schedule: '@every 5s'
+  urls: ["http://example.net"]
+  service.name: apm-service-name <4>
+  id: my-http-service
+  name: My HTTP Service
+```
+
+1. The `icmp` monitor is scheduled to run exactly every 5 seconds (10:00:00, 10:00:05, and so on). The `schedule` option uses a cron-like syntax based on [this `cronexpr` implementation](https://github.com/gorhill/cronexpr#implementation).
+2. The `tcp` monitor is set to run every 5 seconds from the time when Heartbeat was started. Heartbeat adds the `@every` keyword to the syntax provided by the `cronexpr` package.
+3. The `mode` specifies whether to ping one IP (`any`) or all resolvable IPs
+4. The `service.name` field can be used to integrate heartbeat with elastic APM via the Uptime UI.
+
+
+::::{tip}
+To test your configuration file, change to the directory where the Heartbeat binary is installed, and run Heartbeat in the foreground with the following options specified: `./heartbeat test config -e`. Make sure your config files are in the path expected by Heartbeat (see [Directory layout](/reference/heartbeat/directory-layout.md)), or use the `-c` flag to specify the path to the config file.
+::::
+
+
+For more information about configuring Heartbeat, also see:
+
+* [Configure Heartbeat](/reference/heartbeat/configuring-howto-heartbeat.md)
+* [Config file format](/reference/libbeat/config-file-format.md)
+* [`heartbeat.reference.yml`](/reference/heartbeat/heartbeat-reference-yml.md): This reference configuration file shows all non-deprecated options. You’ll find it in the same location as `heartbeat.yml`.
+
+
+## Step 4: Configure the Heartbeat location [configurelocation]
+
+Heartbeat can be deployed in multiple locations so that you can detect differences in availability and response times across those locations. Configure the Heartbeat location to allow {{kib}} to display location-specific information on Uptime maps and perform Uptime anomaly detection based on location.
+
+To configure the location of a Heartbeat instance, modify the `add_observer_metadata` processor in `heartbeat.yml`.  The following example specifies the `geo.name` of the `add_observer_metadata` processor as `us-east-1a`:
+
+```yaml
+# ============================ Processors ============================
+
+processors:
+  - add_observer_metadata:
+      # Optional, but recommended geo settings for the location Heartbeat is running in
+      geo: <1>
+        # Token describing this location
+        name: us-east-1a <2>
+        # Lat, Lon "
+        #location: "37.926868, -78.024902" <3>
+```
+
+1. Uncomment the `geo` setting.
+2. Uncomment `name` and assign the name of the location of the Heartbeat server.
+3. Optionally uncomment `location` and assign the latitude and longitude.
+
+
+::::{tip}
+To test your configuration file, change to the directory where the Heartbeat binary is installed, and run Heartbeat in the foreground with the following options specified: `./heartbeat test config -e`. Make sure your config files are in the path expected by Heartbeat (see [Directory layout](/reference/heartbeat/directory-layout.md)), or use the `-c` flag to specify the path to the config file.
+::::
+
+
+For more information about configuring Heartbeat, also see:
+
+* [Configure Heartbeat](/reference/heartbeat/configuring-howto-heartbeat.md)
+* [Config file format](/reference/libbeat/config-file-format.md)
+* [`heartbeat.reference.yml`](/reference/heartbeat/heartbeat-reference-yml.md): This reference configuration file shows all non-deprecated options. You’ll find it in the same location as `heartbeat.yml`.
+
+
+## Step 5: Set up assets [setup-assets]
+
+Heartbeat comes with predefined assets for parsing, indexing, and visualizing your data. To load these assets:
+
+1. Make sure the user specified in `heartbeat.yml` is [authorized to set up Heartbeat](/reference/heartbeat/privileges-to-setup-beats.md).
+2. From the installation directory, run:
+
+    :::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+    heartbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} RPM
+```sh
+    heartbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+    ./heartbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} Linux
+```sh
+    ./heartbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} Windows
+```sh
+    PS > .\heartbeat.exe setup -e
+    ```
+::::::
+
+::::::{tab-item} DEB
+```sh
+sudo service heartbeat-elastic start
+```
+
+::::{note}
+If you use an `init.d` script to start Heartbeat, you can’t specify command line flags (see [Command reference](/reference/heartbeat/command-line-options.md)). To specify flags, start Heartbeat in the foreground.
+::::
+
+
+Also see [Heartbeat and systemd](/reference/heartbeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} RPM
+```sh
+sudo service heartbeat-elastic start
+```
+
+::::{note}
+If you use an `init.d` script to start Heartbeat, you can’t specify command line flags (see [Command reference](/reference/heartbeat/command-line-options.md)). To specify flags, start Heartbeat in the foreground.
+::::
+
+
+Also see [Heartbeat and systemd](/reference/heartbeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} MacOS
+```sh
+sudo chown root heartbeat.yml <1>
+sudo ./heartbeat -e
+```
+
+1. You’ll be running Heartbeat as root, so you need to change ownership of the configuration file, or run Heartbeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Linux
+```sh
+sudo chown root heartbeat.yml <1>
+sudo ./heartbeat -e
+```
+
+1. You’ll be running Heartbeat as root, so you need to change ownership of the configuration file, or run Heartbeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Windows
+```sh
+PS C:\Program Files\heartbeat> Start-Service heartbeat
+```
+
+By default, Windows log files are stored in `C:\ProgramData\heartbeat\Logs`.
+::::::
+
+:::::::
+Heartbeat is now ready to check the status of your services and send events to your defined output.
+
+
+## Step 7: View your data in {{kib}} [view-data]
+
+Heartbeat comes with pre-built {{kib}} dashboards and UIs for visualizing the status of your services. The dashboards are available in the [uptime-contrib](https://github.com/elastic/uptime-contrib) GitHub repository.
+
+If you loaded the dashboards earlier, open them now.
+
+To open the dashboards:
+
+1. Launch {{kib}}:
+
+    <div class="tabs" data-tab-group="host">
+      <div role="tablist" aria-label="Open Kibana">
+        <button role="tab"
+                aria-selected="true"
+                aria-controls="cloud-tab-open-kibana"
+                id="cloud-open-kibana">
+          Elasticsearch Service
+        </button>
+        <button role="tab"
+                aria-selected="false"
+                aria-controls="self-managed-tab-open-kibana"
+                id="self-managed-open-kibana"
+                tabindex="-1">
+          Self-managed
+        </button>
+      </div>
+      <div tabindex="0"
+           role="tabpanel"
+           id="cloud-tab-open-kibana"
+           aria-labelledby="cloud-open-kibana">
+    1. [Log in](https://cloud.elastic.co/) to your {{ecloud}} account.
+    2. Navigate to the {{kib}} endpoint in your deployment.
+
+      </div>
+      <div tabindex="0"
+           role="tabpanel"
+           id="self-managed-tab-open-kibana"
+           aria-labelledby="self-managed-open-kibana"
+           hidden="">
+    Point your browser to [http://localhost:5601](http://localhost:5601), replacing `localhost` with the name of the {{kib}} host.
+
+      </div>
+    </div>
+
+2. In the side navigation, click **Discover**. To see Heartbeat data, make sure the predefined `heartbeat-*` data view is selected.
+
+    ::::{tip}
+    If you don’t see data in {{kib}}, try changing the time filter to a larger range. By default, {{kib}} shows the last 15 minutes.
+    ::::
+
+3. In the side navigation, click **Dashboard**, then select the dashboard that you want to open.
+
+The dashboards are provided as examples. We recommend that you [customize](docs-content://explore-analyze/dashboards.md) them to meet your needs.
+
+
+## What’s next? [_whats_next]
+
+Now that you have your uptime data streaming into {{es}}, learn how to unify your logs, metrics, uptime, and application performance data.
+
+1. Ingest data from other sources by installing and configuring other Elastic {{beats}}:
+
+    | Elastic {{beats}} | To capture |
+    | --- | --- |
+    | [{{metricbeat}}](/reference/metricbeat/metricbeat-installation-configuration.md) | Infrastructure metrics |
+    | [{{filebeat}}](/reference/filebeat/filebeat-installation-configuration.md) | Logs |
+    | [{{winlogbeat}}](/reference/winlogbeat/winlogbeat-installation-configuration.md) | Windows event logs |
+    | [APM](docs-content://solutions/observability/apps/application-performance-monitoring-apm.md) | Application performance metrics |
+    | [{{auditbeat}}](/reference/auditbeat/auditbeat-installation-configuration.md) | Audit events |
+
+2. Use the Observability apps in {{kib}} to search across all your data:
+
+    | Elastic apps | Use to |
+    | --- | --- |
+    | [{{metrics-app}}](docs-content://solutions/observability/infra-and-hosts/analyze-infrastructure-host-metrics.md) | Explore metrics about systems and services across your ecosystem |
+    | [{{logs-app}}](docs-content://solutions/observability/logs/explore-logs.md) | Tail related log data in real time |
+    | [{{uptime-app}}](docs-content://solutions/observability/apps/synthetic-monitoring.md#monitoring-uptime) | Monitor availability issues across your apps and services |
+    | [APM app](docs-content://solutions/observability/apps/overviews.md) | Monitor application performance |
+    | [{{siem-app}}](docs-content://solutions/security.md) | Analyze security events |
+
+
diff --git a/docs/reference/heartbeat/heartbeat-overview.md b/docs/reference/heartbeat/heartbeat-overview.md
new file mode 100644
index 000000000000..d55a0ab09e7e
--- /dev/null
+++ b/docs/reference/heartbeat/heartbeat-overview.md
@@ -0,0 +1,26 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/heartbeat-overview.html
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/index.html
+---
+
+# Heartbeat overview [heartbeat-overview]
+
+Heartbeat is a lightweight daemon that you install on a remote server to periodically check the status of your services and determine whether they are available. Unlike [Metricbeat](/reference/metricbeat/metricbeat.md), which only tells you if your servers are up or down, Heartbeat tells you whether your services are reachable.
+
+Heartbeat is useful when you need to verify that you’re meeting your service level agreements for service uptime. It’s also useful for other scenarios, such as security use cases, when you need to verify that no one from the outside can access services on your private enterprise server.
+
+You can configure Heartbeat to ping all DNS-resolvable IP addresses for a specified hostname. That way, you can check all services that are load-balanced to see if they are available.
+
+When you configure Heartbeat, you specify monitors that identify the hostnames that you want to check. Each monitor runs based on the schedule that you specify. For example, you can configure one monitor to run every 10 minutes, and a different monitor to run between the hours of 9:00 and 17:00.
+
+Heartbeat currently supports monitors for checking hosts via:
+
+* ICMP (v4 and v6) Echo Requests. Use the `icmp` monitor when you simply want to check whether a service is available. This monitor requires root access.
+* TCP. Use the `tcp` monitor to connect via TCP. You can optionally configure this monitor to verify the endpoint by sending and/or receiving a custom payload.
+* HTTP. Use the `http` monitor to connect via HTTP. You can optionally configure this monitor to verify that the service returns the expected response, such as a specific status code, response header, or content.
+
+The `tcp` and `http` monitors both support SSL/TLS and some proxy settings.
+
+Heartbeat is an Elastic [Beat](https://www.elastic.co/beats). It’s based on the `libbeat` framework. For more information, see the [Beats Platform Reference](/reference/index.md).
+
diff --git a/docs/reference/heartbeat/heartbeat-reference-yml.md b/docs/reference/heartbeat/heartbeat-reference-yml.md
new file mode 100644
index 000000000000..8b434a2d3253
--- /dev/null
+++ b/docs/reference/heartbeat/heartbeat-reference-yml.md
@@ -0,0 +1,1963 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/heartbeat-reference-yml.html
+---
+
+# heartbeat.reference.yml [heartbeat-reference-yml]
+
+The following reference file is available with your Heartbeat installation. It shows all non-deprecated Heartbeat options. You can copy from this file and paste configurations into the `heartbeat.yml` file to customize it.
+
+::::{tip}
+The reference file is located in the same directory as the `heartbeat.yml` file. To locate the file, see [Directory layout](/reference/heartbeat/directory-layout.md).
+::::
+
+
+The contents of the file are included here for your convenience.
+
+```yaml
+## Heartbeat Configuration Example #########################
+
+# This file is a full configuration example documenting all non-deprecated
+# options in comments. For a shorter configuration example, that contains
+# only some common options, please see heartbeat.yml in the same directory.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/heartbeat/index.html
+
+############ Heartbeat ######################################
+
+
+# Define a directory from which to load monitor definitions. Definitions take the form
+# of individual yaml files.
+heartbeat.config.monitors:
+  # Directory + glob pattern to search for configuration files
+  path: ${path.config}/monitors.d/*.yml
+  # If enabled, heartbeat will periodically check the config.monitors path for changes
+  reload.enabled: false
+  # How often to check for changes
+  reload.period: 5s
+
+# Configure monitors
+heartbeat.monitors:
+- type: icmp # monitor type `icmp` (requires root) uses ICMP Echo Request to ping
+             # configured hosts
+
+  # ID used to uniquely identify this monitor in Elasticsearch even if the config changes
+  id: my-monitor
+
+  # Human readable display name for this service in Uptime UI and elsewhere
+  name: my-icmp-monitor
+
+  # Name of corresponding APM service, if Elastic APM is in use for the monitored service.
+  # service.name: my-apm-service-name
+
+  # Enable/Disable monitor
+  #enabled: true
+
+  # Configure task schedule using cron-like syntax
+  schedule: '*/5 * * * * * *' # exactly every 5 seconds like 10:00:00, 10:00:05, ...
+
+  # List of hosts to ping
+  hosts: ["localhost"]
+
+  # Configure IP protocol types to ping if hostnames are configured.
+  # Ping all resolvable IPs if `mode` is `all`, or only one IP if `mode` is `any`.
+  ipv4: true
+  ipv6: true
+  mode: any
+
+  # Total running time per ping test.
+  timeout: 16s
+
+  # Waiting duration until another ICMP Echo Request is emitted.
+  wait: 1s
+
+  # The tags of the monitors are included in their field with each
+  # transaction published. Tags make it easy to group servers by different
+  # logical properties.
+  #tags: ["service-X", "web-tier"]
+
+  # Optional fields that you can specify to add additional information to the
+  # monitor output. Fields can be scalar values, arrays, dictionaries, or any nested
+  # combination of these.
+  #fields:
+  #  env: staging
+
+  # If this option is set to true, the custom fields are stored as top-level
+  # fields in the output document instead of being grouped under a fields
+  # sub-dictionary. Default is false.
+  #fields_under_root: false
+
+# Define a directory to load monitor definitions from. Definitions take the form
+# of individual yaml files.
+# heartbeat.config.monitors:
+  # Directory + glob pattern to search for configuration files
+  #path: /path/to/my/monitors.d/*.yml
+  # If enabled, heartbeat will periodically check the config.monitors path for changes
+  #reload.enabled: true
+  # How often to check for changes
+  #reload.period: 1s
+
+- type: tcp # monitor type `tcp`. Connect via TCP and optionally verify the endpoint
+            # by sending/receiving a custom payload
+  # ID used to uniquely identify this monitor in Elasticsearch even if the config changes
+  id: my-monitor
+
+  # Human readable display name for this service in Uptime UI and elsewhere
+  name: my-tcp-monitor
+
+  # Enable/Disable monitor
+  #enabled: true
+
+  # Configure task schedule
+  schedule: '@every 5s' # every 5 seconds from start of beat
+
+  # configure hosts to ping.
+  # Entries can be:
+  #   - plain hostname or IP like `localhost`:
+  #       Requires ports configs to be checked. If ssl is configured,
+  #       an SSL/TLS based connection will be established. Otherwise plain tcp connection
+  #       will be established
+  #   - hostname + port like `localhost:12345`:
+  #       Connect to port on a given host. If ssl is configured,
+  #       an SSL/TLS based connection will be established. Otherwise plain tcp connection
+  #       will be established
+  #   - full url syntax. `scheme://<host>:[port]`. The `<scheme>` can be one of
+  #     `tcp`, `plain`, `ssl`, and `tls`. If `tcp`, `plain` is configured, a plain
+  #     tcp connection will be established, even if ssl is configured.
+  #     Using `tls`/`ssl`, an SSL connection is established. If no ssl is configured,
+  #     system defaults will be used (not supported on windows).
+  #     If `port` is missing in url, the port setting is required.
+  hosts: ["localhost:9200"]
+
+  # Configure IP protocol types to ping if hostnames are configured.
+  # Ping all resolvable IPs if `mode` is `all`, or only one IP if `mode` is `any`.
+  ipv4: true
+  ipv6: true
+  mode: any
+
+  # List of ports to ping if host does not contain a port number
+  # ports: [80, 9200, 5044]
+
+  # Total test connection and data exchange timeout
+  #timeout: 16s
+
+  # Optional payload string to send to remote and expected answer. If none is
+  # configured, the endpoint is expected to be up if a connection attempt was
+  # successful. If only `send_string` is configured, any response will be
+  # accepted as ok. If only `receive_string` is configured, no payload will be
+  # send, but the client expects to receive the expected payload on connect.
+  #check:
+    #send: ''
+    #receive: ''
+
+  # SOCKS5 proxy url
+  # proxy_url: ''
+
+  # Resolve hostnames locally instead on SOCKS5 server:
+  #proxy_use_local_resolver: false
+
+  # TLS/SSL connection settings:
+  #ssl:
+    # Certificate Authorities
+    #certificate_authorities: ['']
+
+    # Required TLS protocols
+    #supported_protocols: ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
+
+  # The ingest pipeline ID associated with this input. If this is set, it
+  # overwrites the pipeline option from the Elasticsearch output.
+  #pipeline:
+
+  # The index name associated with this input. If this is set, it
+  # overwrites the index option from the Elasticsearch output.
+  #index:
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+- type: http # monitor type `http`. Connect via HTTP and optionally verify the response
+  # ID used to uniquely identify this monitor in Elasticsearch even if the config changes.
+  id: my-http-monitor
+
+  # Human readable display name for this service in Uptime UI and elsewhere
+  name: My Monitor
+
+  # Enable/Disable monitor
+  #enabled: true
+
+  # Configure task schedule
+  schedule: '@every 5s' # every 5 seconds from the start of beat
+
+  # Configure URLs to ping
+  urls: ["http://localhost:9200"]
+
+  # Configure IP protocol types to ping if hostnames are configured.
+  # Ping all resolvable IPs if `mode` is `all`, or only one IP if `mode` is `any`.
+  ipv4: true
+  ipv6: true
+  mode: any
+
+  # Optional HTTP proxy url.
+  #proxy_url: ''
+
+  # Total test connection and data exchange timeout
+  #timeout: 16s
+
+  # Optional Authentication Credentials
+  #username: ''
+  #password: ''
+
+  # TLS/SSL connection settings for use with HTTPS endpoint. If not configured,
+  # system defaults will be used.
+  #ssl:
+    # Certificate Authorities
+    #certificate_authorities: ['']
+
+    # Required TLS protocols
+    #supported_protocols: ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
+
+  # Request settings:
+  #check.request:
+    # Configure HTTP method to use. Only 'HEAD', 'GET', and 'POST' methods are allowed.
+    #method: "GET"
+
+    # Dictionary of additional HTTP headers to send:
+    #headers:
+
+    # Optional request body content
+    #body:
+
+  # Expected response settings
+  #check.response:
+    # Expected status code. If not configured or set to 0 any status code not
+    # being 404 is accepted.
+    #status: 0
+
+    # Required response headers.
+    #headers:
+
+    # Required response contents.
+    #body:
+
+    # Parses the body as JSON, then checks against the given expression
+    #json:
+    #- description: Explanation of what the check does
+    #  expression: 'myField == "expectedValue"'
+
+    # (Deprecated: see 'expression' above) Parses the body as JSON, then checks against the given condition expression
+    #json:
+    #- description: Explanation of what the check does
+    #  condition:
+    #    equals:
+    #      myField: expectedValue
+
+  # The ingest pipeline ID associated with this input. If this is set, it
+  # overwrites the pipeline option from the Elasticsearch output.
+  #pipeline:
+
+  # The index name associated with this input. If this is set, it
+  # overwrites the index option from the Elasticsearch output.
+  #index:
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+heartbeat.scheduler:
+  # Limit the number of concurrent tasks executed by heartbeat. The task limit if
+  # disabled if set to 0. The default is 0.
+  #limit: 0
+
+  # Set the scheduler to its time zone
+  #location: ''
+
+heartbeat.jobs:
+  # Limit the number of concurrent monitors executed by heartbeat. This differs from
+  # heartbeat.scheduler.limit in that it maps to individual monitors rather than the
+  # subtasks of monitors. For non-browser monitors, a subtask usually corresponds to a
+  # single file descriptor.
+  # This feature is most useful for the browser type
+  #browser.limit: 1
+  #http.limit: 10
+  #tcp.limit: 10
+  #icmp.limit: 10
+# ================================== General ===================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+# If this option is not defined, the hostname is used.
+#name:
+
+# The tags of the shipper are included in their field with each
+# transaction published. Tags make it easy to group servers by different
+# logical properties.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output. Fields can be scalar values, arrays, dictionaries, or any nested
+# combination of these.
+#fields:
+#  env: staging
+
+# If this option is set to true, the custom fields are stored as top-level
+# fields in the output document instead of being grouped under a field
+# sub-dictionary. Default is false.
+#fields_under_root: false
+
+# Configure the precision of all timestamps in Heartbeat.
+# Available options: millisecond, microsecond, nanosecond
+#timestamp.precision: millisecond
+
+# Internal queue configuration for buffering events to be published.
+# Queue settings may be overridden by performance presets in the
+# Elasticsearch output. To configure them manually use "preset: custom".
+#queue:
+  # Queue type by name (default 'mem')
+  # The memory queue will present all available events (up to the outputs
+  # bulk_max_size) to the output, the moment the output is ready to serve
+  # another batch of events.
+  #mem:
+    # Max number of events the queue can buffer.
+    #events: 3200
+
+    # Hints the minimum number of events stored in the queue,
+    # before providing a batch of events to the outputs.
+    # The default value is set to 2048.
+    # A value of 0 ensures events are immediately available
+    # to be sent to the outputs.
+    #flush.min_events: 1600
+
+    # Maximum duration after which events are available to the outputs,
+    # if the number of events stored in the queue is < `flush.min_events`.
+    #flush.timeout: 10s
+
+  # The disk queue stores incoming events on disk until the output is
+  # ready for them. This allows a higher event limit than the memory-only
+  # queue and lets pending events persist through a restart.
+  #disk:
+    # The directory path to store the queue's data.
+    #path: "${path.data}/diskqueue"
+
+    # The maximum space the queue should occupy on disk. Depending on
+    # input settings, events that exceed this limit are delayed or discarded.
+    #max_size: 10GB
+
+    # The maximum size of a single queue data file. Data in the queue is
+    # stored in smaller segments that are deleted after all their events
+    # have been processed.
+    #segment_size: 1GB
+
+    # The number of events to read from disk to memory while waiting for
+    # the output to request them.
+    #read_ahead: 512
+
+    # The number of events to accept from inputs while waiting for them
+    # to be written to disk. If event data arrives faster than it
+    # can be written to disk, this setting prevents it from overflowing
+    # main memory.
+    #write_ahead: 2048
+
+    # The duration to wait before retrying when the queue encounters a disk
+    # write error.
+    #retry_interval: 1s
+
+    # The maximum length of time to wait before retrying on a disk write
+    # error. If the queue encounters repeated errors, it will double the
+    # length of its retry interval each time, up to this maximum.
+    #max_retry_interval: 30s
+
+# Sets the maximum number of CPUs that can be executed simultaneously. The
+# default is the number of logical CPUs available in the system.
+#max_procs:
+
+# ================================= Processors =================================
+
+# Processors are used to reduce the number of fields in the exported event or to
+# enhance the event with external metadata. This section defines a list of
+# processors that are applied one by one and the first one receives the initial
+# event:
+#
+#   event -> filter1 -> event1 -> filter2 ->event2 ...
+#
+# The supported processors are drop_fields, drop_event, include_fields,
+# decode_json_fields, and add_cloud_metadata.
+#
+# For example, you can use the following processors to keep the fields that
+# contain CPU load percentages, but remove the fields that contain CPU ticks
+# values:
+#
+#processors:
+#  - include_fields:
+#      fields: ["cpu"]
+#  - drop_fields:
+#      fields: ["cpu.user", "cpu.system"]
+#
+# The following example drops the events that have the HTTP response code 200:
+#
+#processors:
+#  - drop_event:
+#      when:
+#        equals:
+#          http.code: 200
+#
+# The following example renames the field a to b:
+#
+#processors:
+#  - rename:
+#      fields:
+#        - from: "a"
+#          to: "b"
+#
+# The following example tokenizes the string into fields:
+#
+#processors:
+#  - dissect:
+#      tokenizer: "%{key1} - %{key2}"
+#      field: "message"
+#      target_prefix: "dissect"
+#
+# The following example enriches each event with metadata from the cloud
+# provider about the host machine. It works on EC2, GCE, DigitalOcean,
+# Tencent Cloud, and Alibaba Cloud.
+#
+#processors:
+#  - add_cloud_metadata: ~
+#
+# The following example enriches each event with the machine's local time zone
+# offset from UTC.
+#
+#processors:
+#  - add_locale:
+#      format: offset
+#
+# The following example enriches each event with docker metadata, it matches
+# given fields to an existing container id and adds info from that container:
+#
+#processors:
+#  - add_docker_metadata:
+#      host: "unix:///var/run/docker.sock"
+#      match_fields: ["system.process.cgroup.id"]
+#      match_pids: ["process.pid", "process.parent.pid"]
+#      match_source: true
+#      match_source_index: 4
+#      match_short_id: false
+#      cleanup_timeout: 60
+#      labels.dedot: false
+#      # To connect to Docker over TLS you must specify a client and CA certificate.
+#      #ssl:
+#      #  certificate_authority: "/etc/pki/root/ca.pem"
+#      #  certificate:           "/etc/pki/client/cert.pem"
+#      #  key:                   "/etc/pki/client/cert.key"
+#
+# The following example enriches each event with docker metadata, it matches
+# container id from log path available in `source` field (by default it expects
+# it to be /var/lib/docker/containers/*/*.log).
+#
+#processors:
+#  - add_docker_metadata: ~
+#
+# The following example enriches each event with host metadata.
+#
+#processors:
+#  - add_host_metadata: ~
+#
+# The following example enriches each event with process metadata using
+# process IDs included in the event.
+#
+#processors:
+#  - add_process_metadata:
+#      match_pids: ["system.process.ppid"]
+#      target: system.process.parent
+#
+# The following example decodes fields containing JSON strings
+# and replaces the strings with valid JSON objects.
+#
+#processors:
+#  - decode_json_fields:
+#      fields: ["field1", "field2", ...]
+#      process_array: false
+#      max_depth: 1
+#      target: ""
+#      overwrite_keys: false
+#
+#processors:
+#  - decompress_gzip_field:
+#      from: "field1"
+#      to: "field2"
+#      ignore_missing: false
+#      fail_on_error: true
+#
+# The following example copies the value of the message to message_copied
+#
+#processors:
+#  - copy_fields:
+#      fields:
+#        - from: message
+#          to: message_copied
+#      fail_on_error: true
+#      ignore_missing: false
+#
+# The following example truncates the value of the message to 1024 bytes
+#
+#processors:
+#  - truncate_fields:
+#      fields:
+#        - message
+#      max_bytes: 1024
+#      fail_on_error: false
+#      ignore_missing: true
+#
+# The following example preserves the raw message under event.original
+#
+#processors:
+#  - copy_fields:
+#      fields:
+#        - from: message
+#          to: event.original
+#      fail_on_error: false
+#      ignore_missing: true
+#  - truncate_fields:
+#      fields:
+#        - event.original
+#      max_bytes: 1024
+#      fail_on_error: false
+#      ignore_missing: true
+#
+# The following example URL-decodes the value of field1 to field2
+#
+#processors:
+#  - urldecode:
+#      fields:
+#        - from: "field1"
+#          to: "field2"
+#      ignore_missing: false
+#      fail_on_error: true
+
+# =============================== Elastic Cloud ================================
+
+# These settings simplify using Heartbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+# ================================== Outputs ===================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+# ---------------------------- Elasticsearch Output ----------------------------
+output.elasticsearch:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Array of hosts to connect to.
+  # Scheme and port can be left out and will be set to the default (http and 9200)
+  # In case you specify and additional path, the scheme is required: http://localhost:9200/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+  hosts: ["localhost:9200"]
+
+  # Performance presets configure other output fields to recommended values
+  # based on a performance priority.
+  # Options are "balanced", "throughput", "scale", "latency" and "custom".
+  # Default if unspecified: "custom"
+  preset: balanced
+
+  # Set gzip compression level. Set to 0 to disable compression.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 1.
+  #compression_level: 1
+
+  # Configure escaping HTML symbols in strings.
+  #escape_html: false
+
+  # Protocol - either `http` (default) or `https`.
+  #protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
+  #username: "elastic"
+  #password: "changeme"
+
+  # Dictionary of HTTP parameters to pass within the URL with index operations.
+  #parameters:
+    #param1: value1
+    #param2: value2
+
+  # Number of workers per Elasticsearch host.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  #worker: 1
+
+  # If set to true and multiple hosts are configured, the output plugin load
+  # balances published events onto all Elasticsearch hosts. If set to false,
+  # the output plugin sends all events to only one host (determined at random)
+  # and will switch to another host if the currently selected one becomes
+  # unreachable. The default value is true.
+  #loadbalance: true
+
+  # Optional data stream or index name. The default is "heartbeat-%{[agent.version]}".
+  # In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly.
+  #index: "heartbeat-%{[agent.version]}"
+
+  # Optional ingest pipeline. By default, no pipeline will be used.
+  #pipeline: ""
+
+  # Optional HTTP path
+  #path: "/elasticsearch"
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Proxy server URL
+  #proxy_url: http://proxy:3128
+
+  # Whether to disable proxy settings for outgoing connections. If true, this
+  # takes precedence over both the proxy_url field and any environment settings
+  # (HTTP_PROXY, HTTPS_PROXY). The default is false.
+  #proxy_disable: false
+
+  # The number of times a particular Elasticsearch index operation is attempted. If
+  # the indexing operation doesn't succeed after this many retries, the events are
+  # dropped. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 1600.
+  #bulk_max_size: 1600
+
+  # The number of seconds to wait before trying to reconnect to Elasticsearch
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Elasticsearch after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum amount of time an idle connection will remain idle
+  # before closing itself.  Zero means use the default of 60s. The
+  # format is a Go language duration (example 60s is 60 seconds).
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 3s.
+  # idle_connection_timeout: 3s
+
+  # Configure HTTP request timeout before failing a request to Elasticsearch.
+  #timeout: 90
+
+  # Prevents heartbeat from connecting to older Elasticsearch versions when set to `false`
+  #allow_older_versions: true
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+  # Enables restarting heartbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/elastic.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+
+# ------------------------------ Logstash Output -------------------------------
+#output.logstash:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # The Logstash hosts
+  #hosts: ["localhost:5044"]
+
+  # Number of workers per Logstash host.
+  #worker: 1
+
+  # Set gzip compression level.
+  #compression_level: 3
+
+  # Configure escaping HTML symbols in strings.
+  #escape_html: false
+
+  # Optional maximum time to live for a connection to Logstash, after which the
+  # connection will be re-established.  A value of `0s` (the default) will
+  # disable this feature.
+  #
+  # Not yet supported for async connections (i.e. with the "pipelining" option set)
+  #ttl: 30s
+
+  # Optionally load-balance events between Logstash hosts. Default is false.
+  #loadbalance: false
+
+  # Number of batches to be sent asynchronously to Logstash while processing
+  # new batches.
+  #pipelining: 2
+
+  # If enabled only a subset of events in a batch of events is transferred per
+  # transaction.  The number of events to be sent increases up to `bulk_max_size`
+  # if no error is encountered.
+  #slow_start: false
+
+  # The number of seconds to wait before trying to reconnect to Logstash
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Logstash after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # Optional index name. The default index name is set to heartbeat
+  # in all lowercase.
+  #index: 'heartbeat'
+
+  # SOCKS5 proxy server URL
+  #proxy_url: socks5://user:password@socks5-server:2233
+
+  # Resolve names locally when using a proxy server. Defaults to false.
+  #proxy_use_local_resolver: false
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting heartbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, the events are typically dropped.
+  # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
+  # and retry until all events are published.  Set max_retries to a value less
+  # than 0 to retry until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Logstash request. The
+  # default is 2048.
+  #bulk_max_size: 2048
+
+  # The number of seconds to wait for responses from the Logstash server before
+  # timing out. The default is 30s.
+  #timeout: 30s
+
+# -------------------------------- Kafka Output --------------------------------
+#output.kafka:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # The list of Kafka broker addresses from which to fetch the cluster metadata.
+  # The cluster metadata contain the actual Kafka brokers events are published
+  # to.
+  #hosts: ["localhost:9092"]
+
+  # The Kafka topic used for produced events. The setting can be a format string
+  # using any event field. To set the topic from document type use `%{[type]}`.
+  #topic: beats
+
+  # The Kafka event key setting. Use format string to create a unique event key.
+  # By default no event key will be generated.
+  #key: ''
+
+  # The Kafka event partitioning strategy. Default hashing strategy is `hash`
+  # using the `output.kafka.key` setting or randomly distributes events if
+  # `output.kafka.key` is not configured.
+  #partition.hash:
+    # If enabled, events will only be published to partitions with reachable
+    # leaders. Default is false.
+    #reachable_only: false
+
+    # Configure alternative event field names used to compute the hash value.
+    # If empty `output.kafka.key` setting will be used.
+    # Default value is empty list.
+    #hash: []
+
+  # Authentication details. Password is required if username is set.
+  #username: ''
+  #password: ''
+
+  # SASL authentication mechanism used. Can be one of PLAIN, SCRAM-SHA-256 or SCRAM-SHA-512.
+  # Defaults to PLAIN when `username` and `password` are configured.
+  #sasl.mechanism: ''
+
+  # Kafka version Heartbeat is assumed to run against. Defaults to the "1.0.0".
+  #version: '1.0.0'
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # Metadata update configuration. Metadata contains leader information
+  # used to decide which broker to use when publishing.
+  #metadata:
+    # Max metadata request retry attempts when cluster is in middle of leader
+    # election. Defaults to 3 retries.
+    #retry.max: 3
+
+    # Wait time between retries during leader elections. Default is 250ms.
+    #retry.backoff: 250ms
+
+    # Refresh metadata interval. Defaults to every 10 minutes.
+    #refresh_frequency: 10m
+
+    # Strategy for fetching the topics metadata from the broker. Default is false.
+    #full: false
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, events are typically dropped.
+  # Some Beats, such as Filebeat, ignore the max_retries setting and retry until
+  # all events are published.  Set max_retries to a value less than 0 to retry
+  # until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The number of seconds to wait before trying to republish to Kafka
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to republish. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful publish, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to republish to
+  # Kafka after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum number of events to bulk in a single Kafka request. The default
+  # is 2048.
+  #bulk_max_size: 2048
+
+  # Duration to wait before sending bulk Kafka request. 0 is no delay. The default
+  # is 0.
+  #bulk_flush_frequency: 0s
+
+  # The number of seconds to wait for responses from the Kafka brokers before
+  # timing out. The default is 30s.
+  #timeout: 30s
+
+  # The maximum duration a broker will wait for number of required ACKs. The
+  # default is 10s.
+  #broker_timeout: 10s
+
+  # The number of messages buffered for each Kafka broker. The default is 256.
+  #channel_buffer_size: 256
+
+  # The keep-alive period for an active network connection. If 0s, keep-alives
+  # are disabled. The default is 0 seconds.
+  #keep_alive: 0
+
+  # Sets the output compression codec. Must be one of none, snappy and gzip. The
+  # default is gzip.
+  #compression: gzip
+
+  # Set the compression level. Currently only gzip provides a compression level
+  # between 0 and 9. The default value is chosen by the compression algorithm.
+  #compression_level: 4
+
+  # The maximum permitted size of JSON-encoded messages. Bigger messages will be
+  # dropped. The default value is 1000000 (bytes). This value should be equal to
+  # or less than the broker's message.max.bytes.
+  #max_message_bytes: 1000000
+
+  # The ACK reliability level required from broker. 0=no response, 1=wait for
+  # local commit, -1=wait for all replicas to commit. The default is 1.  Note:
+  # If set to 0, no ACKs are returned by Kafka. Messages might be lost silently
+  # on error.
+  #required_acks: 1
+
+  # The configurable ClientID used for logging, debugging, and auditing
+  # purposes.  The default is "beats".
+  #client_id: beats
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting heartbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/security/keytabs/kafka.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # The service name. Service principal name is contructed from
+  # service_name/hostname@realm.
+  #kerberos.service_name: kafka
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+  # Enables Kerberos FAST authentication. This may
+  # conflict with certain Active Directory configurations.
+  #kerberos.enable_krb5_fast: false
+
+# -------------------------------- Redis Output --------------------------------
+#output.redis:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty print json event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # The list of Redis servers to connect to. If load-balancing is enabled, the
+  # events are distributed to the servers in the list. If one server becomes
+  # unreachable, the events are distributed to the reachable servers only.
+  # The hosts setting supports redis and rediss urls with custom password like
+  # redis://:password@localhost:6379.
+  #hosts: ["localhost:6379"]
+
+  # The name of the Redis list or channel the events are published to. The
+  # default is heartbeat.
+  #key: heartbeat
+
+  # The password to authenticate to Redis with. The default is no authentication.
+  #password:
+
+  # The Redis database number where the events are published. The default is 0.
+  #db: 0
+
+  # The Redis data type to use for publishing events. If the data type is list,
+  # the Redis RPUSH command is used. If the data type is channel, the Redis
+  # PUBLISH command is used. The default value is list.
+  #datatype: list
+
+  # The number of workers to use for each host configured to publish events to
+  # Redis. Use this setting along with the loadbalance option. For example, if
+  # you have 2 hosts and 3 workers, in total 6 workers are started (3 for each
+  # host).
+  #worker: 1
+
+  # If set to true and multiple hosts or workers are configured, the output
+  # plugin load balances published events onto all Redis hosts. If set to false,
+  # the output plugin sends all events to only one host (determined at random)
+  # and will switch to another host if the currently selected one becomes
+  # unreachable. The default value is true.
+  #loadbalance: true
+
+  # The Redis connection timeout in seconds. The default is 5 seconds.
+  #timeout: 5s
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, the events are typically dropped.
+  # Some Beats, such as Filebeat, ignore the max_retries setting and retry until
+  # all events are published. Set max_retries to a value less than 0 to retry
+  # until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The number of seconds to wait before trying to reconnect to Redis
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Redis after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum number of events to bulk in a single Redis request or pipeline.
+  # The default is 2048.
+  #bulk_max_size: 2048
+
+  # The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The
+  # value must be a URL with a scheme of socks5://.
+  #proxy_url:
+
+  # This option determines whether Redis hostnames are resolved locally when
+  # using a proxy. The default value is false, which means that name resolution
+  # occurs on the proxy server.
+  #proxy_use_local_resolver: false
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+# -------------------------------- File Output ---------------------------------
+#output.file:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # Path to the directory where to save the generated files. The option is
+  # mandatory.
+  #path: "/tmp/heartbeat"
+
+  # Name of the generated files. The default is `heartbeat` and it generates
+  # files: `heartbeat-{datetime}.ndjson`, `heartbeat-{datetime}-1.ndjson`, etc.
+  #filename: heartbeat
+
+  # Maximum size in kilobytes of each file. When this size is reached, and on
+  # every Heartbeat restart, the files are rotated. The default value is 10240
+  # kB.
+  #rotate_every_kb: 10000
+
+  # Maximum number of files under path. When this number of files is reached,
+  # the oldest file is deleted and the rest are shifted from last to first. The
+  # default is 7 files.
+  #number_of_files: 7
+
+  # Permissions to use for file creation. The default is 0600.
+  #permissions: 0600
+
+  # Configure automatic file rotation on every startup. The default is true.
+  #rotate_on_startup: true
+
+# ------------------------------- Console Output -------------------------------
+#output.console:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+# =================================== Paths ====================================
+
+# The home path for the Heartbeat installation. This is the default base path
+# for all other path settings and for miscellaneous files that come with the
+# distribution (for example, the sample dashboards).
+# If not set by a CLI flag or in the configuration file, the default for the
+# home path is the location of the binary.
+#path.home:
+
+# The configuration path for the Heartbeat installation. This is the default
+# base path for configuration files, including the main YAML configuration file
+# and the Elasticsearch template file. If not set by a CLI flag or in the
+# configuration file, the default for the configuration path is the home path.
+#path.config: ${path.home}
+
+# The data path for the Heartbeat installation. This is the default base path
+# for all the files in which Heartbeat needs to store its data. If not set by a
+# CLI flag or in the configuration file, the default for the data path is a data
+# subdirectory inside the home path.
+#path.data: ${path.home}/data
+
+# The logs path for a Heartbeat installation. This is the default location for
+# the Beat's log files. If not set by a CLI flag or in the configuration file,
+# the default for the logs path is a logs subdirectory inside the home path.
+#path.logs: ${path.home}/logs
+
+# ================================== Keystore ==================================
+
+# Location of the Keystore containing the keys and their sensitive values.
+#keystore.path: "${path.config}/beats.keystore"
+
+# ================================= Dashboards =================================
+
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards are disabled by default and can be enabled either by setting the
+# options here or by using the `-setup` CLI flag or the `setup` command.
+#setup.dashboards.enabled: false
+
+# The directory from where to read the dashboards. The default is the `kibana`
+# folder in the home path.
+#setup.dashboards.directory: ${path.home}/kibana
+
+# The URL from where to download the dashboard archive. It is used instead of
+# the directory if it has a value.
+#setup.dashboards.url:
+
+# The file archive (zip file) from where to read the dashboards. It is used instead
+# of the directory when it has a value.
+#setup.dashboards.file:
+
+# In case the archive contains the dashboards from multiple Beats, this lets you
+# select which one to load. You can load all the dashboards in the archive by
+# setting this to the empty string.
+#setup.dashboards.beat: heartbeat
+
+# The name of the Kibana index to use for setting the configuration. Default is ".kibana"
+#setup.dashboards.kibana_index: .kibana
+
+# The Elasticsearch index name. This overwrites the index name defined in the
+# dashboards and index pattern. Example: testbeat-*
+#setup.dashboards.index:
+
+# Always use the Kibana API for loading the dashboards instead of autodetecting
+# how to install the dashboards by first querying Elasticsearch.
+#setup.dashboards.always_kibana: false
+
+# If true and Kibana is not reachable at the time when dashboards are loaded,
+# it will retry to reconnect to Kibana instead of exiting with an error.
+#setup.dashboards.retry.enabled: false
+
+# Duration interval between Kibana connection retries.
+#setup.dashboards.retry.interval: 1s
+
+# Maximum number of retries before exiting with an error, 0 for unlimited retrying.
+#setup.dashboards.retry.maximum: 0
+
+# ================================== Template ==================================
+
+# A template is used to set the mapping in Elasticsearch
+# By default template loading is enabled and the template is loaded.
+# These settings can be adjusted to load your own template or overwrite existing ones.
+
+# Set to false to disable template loading.
+#setup.template.enabled: true
+
+# Template name. By default the template name is "heartbeat-%{[agent.version]}"
+# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
+#setup.template.name: "heartbeat-%{[agent.version]}"
+
+# Template pattern. By default the template pattern is "heartbeat-%{[agent.version]}" to apply to the default index settings.
+# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
+#setup.template.pattern: "heartbeat-%{[agent.version]}"
+
+# Path to fields.yml file to generate the template
+#setup.template.fields: "${path.config}/fields.yml"
+
+# A list of fields to be added to the template and Kibana index pattern. Also
+# specify setup.template.overwrite: true to overwrite the existing template.
+#setup.template.append_fields:
+#- name: field_name
+#  type: field_type
+
+# Enable JSON template loading. If this is enabled, the fields.yml is ignored.
+#setup.template.json.enabled: false
+
+# Path to the JSON template file
+#setup.template.json.path: "${path.config}/template.json"
+
+# Name under which the template is stored in Elasticsearch
+#setup.template.json.name: ""
+
+# Set this option if the JSON template is a data stream.
+#setup.template.json.data_stream: false
+
+# Overwrite existing template
+# Do not enable this option for more than one instance of heartbeat as it might
+# overload your Elasticsearch with too many update requests.
+#setup.template.overwrite: false
+
+# Elasticsearch template settings
+setup.template.settings:
+
+  # A dictionary of settings to place into the settings.index dictionary
+  # of the Elasticsearch template. For more details, please check
+  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html
+  #index:
+    #number_of_shards: 1
+    #codec: best_compression
+
+  # A dictionary of settings for the _source field. For more details, please check
+  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html
+  #_source:
+    #enabled: false
+
+# ====================== Index Lifecycle Management (ILM) ======================
+
+# Configure index lifecycle management (ILM) to manage the backing indices
+# of your data streams.
+
+# Enable ILM support. Valid values are true, or false.
+#setup.ilm.enabled: true
+
+# Set the lifecycle policy name. The default policy name is
+# 'beatname'.
+#setup.ilm.policy_name: "mypolicy"
+
+# The path to a JSON file that contains a lifecycle policy configuration. Used
+# to load your own lifecycle policy.
+#setup.ilm.policy_file:
+
+# Disable the check for an existing lifecycle policy. The default is true.
+# If you set this option to false, lifecycle policy will not be installed,
+# even if setup.ilm.overwrite is set to true.
+#setup.ilm.check_exists: true
+
+# Overwrite the lifecycle policy at startup. The default is false.
+#setup.ilm.overwrite: false
+
+# ======================== Data Stream Lifecycle (DSL) =========================
+
+# Configure Data Stream Lifecycle to manage data streams while connected to Serverless elasticsearch.
+# These settings are mutually exclusive with ILM settings which are not supported in Serverless projects.
+
+# Enable DSL support. Valid values are true, or false.
+#setup.dsl.enabled: true
+
+# Set the lifecycle policy name or pattern. For DSL, this name must match the data stream that the lifecycle is for.
+# The default data stream pattern is heartbeat-%{[agent.version]}"
+# The template string `%{[agent.version]}` will resolve to the current stack version.
+# The other possible template value is `%{[beat.name]}`.
+#setup.dsl.data_stream_pattern: "heartbeat-%{[agent.version]}"
+
+# The path to a JSON file that contains a lifecycle policy configuration. Used
+# to load your own lifecycle policy.
+# If no custom policy is specified, a default policy with a lifetime of 7 days will be created.
+#setup.dsl.policy_file:
+
+# Disable the check for an existing lifecycle policy. The default is true. If
+# you disable this check, set setup.dsl.overwrite: true so the lifecycle policy
+# can be installed.
+#setup.dsl.check_exists: true
+
+# Overwrite the lifecycle policy at startup. The default is false.
+#setup.dsl.overwrite: false
+
+# =================================== Kibana ===================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+  # Kibana Host
+  # Scheme and port can be left out and will be set to the default (http and 5601)
+  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+  #host: "localhost:5601"
+
+  # Optional protocol and basic auth credentials.
+  #protocol: "https"
+  #username: "elastic"
+  #password: "changeme"
+
+  # Optional HTTP path
+  #path: ""
+
+  # Optional Kibana space ID.
+  #space.id: ""
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+# ================================== Logging ===================================
+
+# There are four options for the log output: file, stderr, syslog, eventlog
+# The file output is the default.
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: info
+
+# Enable debug output for selected components. To enable all selectors use ["*"]
+# Other available selectors are "beat", "publisher", "service"
+# Multiple selectors can be chained.
+#logging.selectors: [ ]
+
+# Send all logging output to stderr. The default is false.
+#logging.to_stderr: false
+
+# Send all logging output to syslog. The default is false.
+#logging.to_syslog: false
+
+# Send all logging output to Windows Event Logs. The default is false.
+#logging.to_eventlog: false
+
+# If enabled, Heartbeat periodically logs its internal metrics that have changed
+# in the last period. For each metric that changed, the delta from the value at
+# the beginning of the period is logged. Also, the total values for
+# all non-zero internal metrics are logged on shutdown. The default is true.
+#logging.metrics.enabled: true
+
+# The period after which to log the internal metrics. The default is 30s.
+#logging.metrics.period: 30s
+
+# A list of metrics namespaces to report in the logs. Defaults to [stats].
+# `stats` contains general Beat metrics. `dataset` may be present in some
+# Beats and contains module or input metrics.
+#logging.metrics.namespaces: [stats]
+
+# Logging to rotating files. Set logging.to_files to false to disable logging to
+# files.
+logging.to_files: true
+logging.files:
+  # Configure the path where the logs are written. The default is the logs directory
+  # under the home path (the binary location).
+  #path: /var/log/heartbeat
+
+  # The name of the files where the logs are written to.
+  #name: heartbeat
+
+  # Configure log file size limit. If the limit is reached, log file will be
+  # automatically rotated.
+  #rotateeverybytes: 10485760 # = 10MB
+
+  # Number of rotated log files to keep. The oldest files will be deleted first.
+  #keepfiles: 7
+
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
+
+  # Enable log file rotation on time intervals in addition to the size-based rotation.
+  # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
+  # are boundary-aligned with minutes, hours, days, weeks, months, and years as
+  # reported by the local system clock. All other intervals are calculated from the
+  # Unix epoch. Defaults to disabled.
+  #interval: 0
+
+  # Rotate existing logs on startup rather than appending them to the existing
+  # file. Defaults to true.
+  # rotateonstartup: true
+
+#=============================== Events Logging ===============================
+# Some outputs will log raw events on errors like indexing errors in the
+# Elasticsearch output, to prevent logging raw events (that may contain
+# sensitive information) together with other log messages, a different
+# log file, only for log entries containing raw events, is used. It will
+# use the same level, selectors and all other configurations from the
+# default logger, but it will have it's own file configuration.
+#
+# Having a different log file for raw events also prevents event data
+# from drowning out the regular log files.
+#
+# IMPORTANT: No matter the default logger output configuration, raw events
+# will **always** be logged to a file configured by `logging.event_data.files`.
+
+# logging.event_data:
+# Logging to rotating files. Set logging.to_files to false to disable logging to
+# files.
+#logging.event_data.to_files: true
+#logging.event_data:
+  # Configure the path where the logs are written. The default is the logs directory
+  # under the home path (the binary location).
+  #path: /var/log/heartbeat
+
+  # The name of the files where the logs are written to.
+  #name: heartbeat-events-data
+
+  # Configure log file size limit. If the limit is reached, log file will be
+  # automatically rotated.
+  #rotateeverybytes: 5242880 # = 5MB
+
+  # Number of rotated log files to keep. The oldest files will be deleted first.
+  #keepfiles: 2
+
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
+
+  # Enable log file rotation on time intervals in addition to the size-based rotation.
+  # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
+  # are boundary-aligned with minutes, hours, days, weeks, months, and years as
+  # reported by the local system clock. All other intervals are calculated from the
+  # Unix epoch. Defaults to disabled.
+  #interval: 0
+
+  # Rotate existing logs on startup rather than appending them to the existing
+  # file. Defaults to false.
+  # rotateonstartup: false
+
+# ============================= X-Pack Monitoring ==============================
+# Heartbeat can export internal metrics to a central Elasticsearch monitoring
+# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#monitoring.enabled: false
+
+# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
+# Heartbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
+# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
+#monitoring.cluster_uuid:
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well.
+# Note that the settings should point to your Elasticsearch *monitoring* cluster.
+# Any setting that is not set is automatically inherited from the Elasticsearch
+# output configuration, so if you have the Elasticsearch output configured such
+# that it is pointing to your Elasticsearch monitoring cluster, you can simply
+# uncomment the following line.
+#monitoring.elasticsearch:
+
+  # Array of hosts to connect to.
+  # Scheme and port can be left out and will be set to the default (http and 9200)
+  # In case you specify an additional path, the scheme is required: http://localhost:9200/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+  #hosts: ["localhost:9200"]
+
+  # Set gzip compression level.
+  #compression_level: 0
+
+  # Protocol - either `http` (default) or `https`.
+  #protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
+  #username: "beats_system"
+  #password: "changeme"
+
+  # Dictionary of HTTP parameters to pass within the URL with index operations.
+  #parameters:
+    #param1: value1
+    #param2: value2
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Proxy server url
+  #proxy_url: http://proxy:3128
+
+  # The number of times a particular Elasticsearch index operation is attempted. If
+  # the indexing operation doesn't succeed after this many retries, the events are
+  # dropped. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+  # The default is 50.
+  #bulk_max_size: 50
+
+  # The number of seconds to wait before trying to reconnect to Elasticsearch
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Elasticsearch after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # Configure HTTP request timeout before failing a request to Elasticsearch.
+  #timeout: 90
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/elastic.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+  #metrics.period: 10s
+  #state.period: 1m
+
+# The `monitoring.cloud.id` setting overwrites the `monitoring.elasticsearch.hosts`
+# setting. You can find the value for this setting in the Elastic Cloud web UI.
+#monitoring.cloud.id:
+
+# The `monitoring.cloud.auth` setting overwrites the `monitoring.elasticsearch.username`
+# and `monitoring.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#monitoring.cloud.auth:
+
+# =============================== HTTP Endpoint ================================
+
+# Each beat can expose internal metrics through an HTTP endpoint. For security
+# reasons the endpoint is disabled by default. This feature is currently experimental.
+# Stats can be accessed through http://localhost:5066/stats. For pretty JSON output
+# append ?pretty to the URL.
+
+# Defines if the HTTP endpoint is enabled.
+#http.enabled: false
+
+# The HTTP endpoint will bind to this hostname, IP address, unix socket, or named pipe.
+# When using IP addresses, it is recommended to only use localhost.
+#http.host: localhost
+
+# Port on which the HTTP endpoint will bind. Default is 5066.
+#http.port: 5066
+
+# Define which user should be owning the named pipe.
+#http.named_pipe.user:
+
+# Define which permissions should be applied to the named pipe, use the Security
+# Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with
+# `http.user`.
+#http.named_pipe.security_descriptor:
+
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
+# Controls the fraction of goroutine blocking events that are reported in the
+# blocking profile.
+#http.pprof.block_profile_rate: 0
+
+# Controls the fraction of memory allocations that are recorded and reported in
+# the memory profile.
+#http.pprof.mem_profile_rate: 524288
+
+# Controls the fraction of mutex contention events that are reported in the
+# mutex profile.
+#http.pprof.mutex_profile_rate: 0
+
+# ============================== Process Security ==============================
+
+# Enable or disable seccomp system call filtering on Linux. Default is enabled.
+#seccomp.enabled: true
+
+# ============================== Instrumentation ===============================
+
+# Instrumentation support for the heartbeat.
+#instrumentation:
+    # Set to true to enable instrumentation of heartbeat.
+    #enabled: false
+
+    # Environment in which heartbeat is running on (eg: staging, production, etc.)
+    #environment: ""
+
+    # APM Server hosts to report instrumentation results to.
+    #hosts:
+    #  - http://localhost:8200
+
+    # API Key for the APM Server(s).
+    # If api_key is set then secret_token will be ignored.
+    #api_key:
+
+    # Secret token for the APM Server(s).
+    #secret_token:
+
+    # Enable profiling of the server, recording profile samples as events.
+    #
+    # This feature is experimental.
+    #profiling:
+        #cpu:
+            # Set to true to enable CPU profiling.
+            #enabled: false
+            #interval: 60s
+            #duration: 10s
+        #heap:
+            # Set to true to enable heap profiling.
+            #enabled: false
+            #interval: 60s
+
+# ================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: false
+
+# =============================== Feature Flags ================================
+
+# Enable and configure feature flags.
+#features:
+#  fqdn:
+#    enabled: true
+```
+
diff --git a/docs/reference/heartbeat/heartbeat-template.md b/docs/reference/heartbeat/heartbeat-template.md
new file mode 100644
index 000000000000..28942479cb5e
--- /dev/null
+++ b/docs/reference/heartbeat/heartbeat-template.md
@@ -0,0 +1,228 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/heartbeat-template.html
+---
+
+# Load the Elasticsearch index template [heartbeat-template]
+
+{{es}} uses [index templates](docs-content://manage-data/data-store/templates.md) to define:
+
+* Settings that control the behavior of your data stream and backing indices. The settings include the lifecycle policy used to manage backing indices as they grow and age.
+* Mappings that determine how fields are analyzed. Each mapping sets the [{{es}} datatype](elasticsearch://reference/elasticsearch/mapping-reference/field-data-types.md) to use for a specific data field.
+
+The recommended index template file for Heartbeat is installed by the Heartbeat packages. If you accept the default configuration in the `heartbeat.yml` config file, Heartbeat loads the template automatically after successfully connecting to {{es}}. If the template already exists, it’s not overwritten unless you configure Heartbeat to do so.
+
+::::{note}
+A connection to {{es}} is required to load the index template. If the output is not {{es}} (or {{ess}}), you must [load the template manually](#load-template-manually).
+::::
+
+
+This page shows how to change the default template loading behavior to:
+
+* [Load your own index template](#load-custom-template)
+* [Overwrite an existing index template](#overwrite-template)
+* [Disable automatic index template loading](#disable-template-loading)
+* [Load the index template manually](#load-template-manually)
+
+For a full list of template setup options, see [Elasticsearch index template](/reference/heartbeat/configuration-template.md).
+
+
+## Load your own index template [load-custom-template]
+
+To load your own index template, set the following options:
+
+```yaml
+setup.template.name: "your_template_name"
+setup.template.fields: "path/to/fields.yml"
+```
+
+If the template already exists, it’s not overwritten unless you configure Heartbeat to do so.
+
+You can load templates for both data streams and indices.
+
+
+## Overwrite an existing index template [overwrite-template]
+
+::::{warning}
+Do not enable this option for more than one instance of Heartbeat. If you start multiple instances at the same time, it can overload your {{es}} with too many template update requests.
+::::
+
+
+To overwrite a template that’s already loaded into {{es}}, set:
+
+```yaml
+setup.template.overwrite: true
+```
+
+
+## Disable automatic index template loading [disable-template-loading]
+
+You may want to disable automatic template loading if you’re using an output other than {{es}} and need to load the template manually. To disable automatic template loading, set:
+
+```yaml
+setup.template.enabled: false
+```
+
+If you disable automatic template loading, you must load the index template manually.
+
+
+## Load the index template manually [load-template-manually]
+
+To load the index template manually, run the [`setup`](/reference/heartbeat/command-line-options.md#setup-command) command. A connection to {{es}} is required.  If another output is enabled, you need to temporarily disable that output and enable {{es}} by using the `-E` option. The examples here assume that Logstash output is enabled. You can omit the `-E` flags if {{es}} output is already enabled.
+
+If you are connecting to a secured {{es}} cluster, make sure you’ve configured credentials as described in the [Quick start: installation and configuration](/reference/heartbeat/heartbeat-installation-configuration.md).
+
+If the host running Heartbeat does not have direct connectivity to {{es}}, see [Load the index template manually (alternate method)](#load-template-manually-alternate).
+
+To load the template, use the appropriate command for your system.
+
+**deb and rpm:**
+
+```sh
+heartbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**mac:**
+
+```sh
+./heartbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**linux:**
+
+```sh
+./heartbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**docker:**
+
+```sh
+docker run --rm docker.elastic.co/beats/heartbeat:9.0.0-beta1 setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**win:**
+
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Heartbeat, and run:
+
+```sh
+PS > .\heartbeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+
+### Force Kibana to look at newest documents [force-kibana-new]
+
+If you’ve already used Heartbeat to index data into {{es}}, the index may contain old documents. After you load the index template, you can delete the old documents from `heartbeat-*` to force Kibana to look at the newest documents.
+
+Use this command:
+
+**deb and rpm:**
+
+```sh
+curl -XDELETE 'http://localhost:9200/heartbeat-*'
+```
+
+**mac:**
+
+```sh
+curl -XDELETE 'http://localhost:9200/heartbeat-*'
+```
+
+**linux:**
+
+```sh
+curl -XDELETE 'http://localhost:9200/heartbeat-*'
+```
+
+**win:**
+
+```sh
+PS > Invoke-RestMethod -Method Delete "http://localhost:9200/heartbeat-*"
+```
+
+This command deletes all indices that match the pattern `heartbeat`. Before running this command, make sure you want to delete all indices that match the pattern.
+
+
+## Load the index template manually (alternate method) [load-template-manually-alternate]
+
+If the host running Heartbeat does not have direct connectivity to {{es}}, you can export the index template to a file, move it to a machine that does have connectivity, and then install the template manually.
+
+To export the index template, run:
+
+**deb and rpm:**
+
+```sh
+heartbeat export template > heartbeat.template.json
+```
+
+**mac:**
+
+```sh
+./heartbeat export template > heartbeat.template.json
+```
+
+**linux:**
+
+```sh
+./heartbeat export template > heartbeat.template.json
+```
+
+**win:**
+
+```sh
+PS > .\heartbeat.exe export template --es.version 9.0.0-beta1 | Out-File -Encoding UTF8 heartbeat.template.json
+```
+
+To install the template, run:
+
+**deb and rpm:**
+
+```sh
+curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/heartbeat-9.0.0-beta1 -d@heartbeat.template.json
+```
+
+**mac:**
+
+```sh
+curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/heartbeat-9.0.0-beta1 -d@heartbeat.template.json
+```
+
+**linux:**
+
+```sh
+curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/heartbeat-9.0.0-beta1 -d@heartbeat.template.json
+```
+
+**win:**
+
+```sh
+PS > Invoke-RestMethod -Method Put -ContentType "application/json" -InFile heartbeat.template.json -Uri http://localhost:9200/_index_template/heartbeat-9.0.0-beta1
+```
+
+Once you have loaded the index template, load the data stream as well. If you do not load it, you have to give the publisher user `manage` permission on heartbeat-9.0.0-beta1 index.
+
+**deb and rpm:**
+
+```sh
+curl -XPUT http://localhost:9200/_data_stream/heartbeat-9.0.0-beta1
+```
+
+**mac:**
+
+```sh
+curl -XPUT http://localhost:9200/_data_stream/heartbeat-9.0.0-beta1
+```
+
+**linux:**
+
+```sh
+curl -XPUT http://localhost:9200/_data_stream/heartbeat-9.0.0-beta1
+```
+
+**win:**
+
+```sh
+PS > Invoke-RestMethod -Method Put -Uri http://localhost:9200/_data_stream/heartbeat-9.0.0-beta1
+```
+
diff --git a/docs/reference/heartbeat/heartbeat.md b/docs/reference/heartbeat/heartbeat.md
new file mode 100644
index 000000000000..d4197e3728bf
--- /dev/null
+++ b/docs/reference/heartbeat/heartbeat.md
@@ -0,0 +1,8 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/index.html
+---
+
+# Heartbeat
+
+Just a placeholder for a top index page.
diff --git a/docs/reference/heartbeat/howto-guides.md b/docs/reference/heartbeat/howto-guides.md
new file mode 100644
index 000000000000..0bb8eefed6fe
--- /dev/null
+++ b/docs/reference/heartbeat/howto-guides.md
@@ -0,0 +1,17 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/howto-guides.html
+---
+
+# How to guides [howto-guides]
+
+Learn how to perform common Heartbeat configuration tasks.
+
+* [*Add observer and geo metadata*](/reference/heartbeat/configuration-observer-options.md)
+* [*Load the {{es}} index template*](/reference/heartbeat/heartbeat-template.md)
+* [*Change the index name*](/reference/heartbeat/change-index-name.md)
+* [*Enrich events with geoIP information*](/reference/heartbeat/heartbeat-geoip.md)
+* [*Use environment variables in the configuration*](/reference/heartbeat/using-environ-vars.md)
+* [*Parse data using an ingest pipeline*](/reference/heartbeat/configuring-ingest-node.md)
+* [*Avoid YAML formatting problems*](/reference/heartbeat/yaml-tips.md)
+
diff --git a/docs/reference/heartbeat/http-endpoint.md b/docs/reference/heartbeat/http-endpoint.md
new file mode 100644
index 000000000000..2715aed28f12
--- /dev/null
+++ b/docs/reference/heartbeat/http-endpoint.md
@@ -0,0 +1,187 @@
+---
+navigation_title: "HTTP endpoint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/http-endpoint.html
+---
+
+# Configure an HTTP endpoint for metrics [http-endpoint]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+Heartbeat can expose internal metrics through an HTTP endpoint. These are useful to monitor the internal state of the Beat. For security reasons the endpoint is disabled by default, as you may want to avoid exposing this info.
+
+The HTTP endpoint has the following configuration settings:
+
+`http.enabled`
+:   (Optional) Enable the HTTP endpoint. Default is `false`.
+
+`http.host`
+:   (Optional) Bind to this hostname, IP address, unix socket (unix:///var/run/heartbeat.sock) or Windows named pipe (npipe:///heartbeat). It is recommended to use only localhost. Default is `localhost`
+
+`http.port`
+:   (Optional) Port on which the HTTP endpoint will bind. Default is `5066`.
+
+`http.named_pipe.user`
+:   (Optional) User to use to create the named pipe, only work on Windows, Default to the current user.
+
+`http.named_pipe.security_descriptor`
+:   (Optional) Windows Security descriptor string defined in the SDDL format. Default to read and write permission for the current user.
+
+`http.pprof.enabled`
+:   (Optional) Enable the `/debug/pprof/` endpoints when serving HTTP. It is recommended that this is only enabled on localhost as these endpoints may leak data. Default is `false`.
+
+`http.pprof.block_profile_rate`
+:   (Optional) `block_profile_rate` controls the fraction of goroutine blocking events that are reported in the blocking profile available from `/debug/pprof/block`. The profiler aims to sample an average of one blocking event per rate nanoseconds spent blocked. To include every blocking event in the profile, pass rate = 1. To turn off profiling entirely, pass rate ⇐ 0. Defaults to 0.
+
+`http.pprof.mem_profile_rate`
+:   (Optional) `mem_profile_rate` controls the fraction of memory allocations that are recorded and reported in the memory profile available from `/debug/pprof/heap`. The profiler aims to sample an average of one allocation per `mem_profile_rate` bytes allocated. To include every allocated block in the profile, set `mem_profile_rate` to 1. To turn off profiling entirely, set `mem_profile_rate` to 0. Defaults to 524288.
+
+`http.pprof.mutex_profile_rate`
+:   (Optional) `mutex_profile_rate` controls the fraction of mutex contention events that are reported in the mutex profile available from `/debug/pprof/mutex`. On average 1/rate events are reported. To turn off profiling entirely, pass rate 0. The default value is 0.
+
+This is the list of paths you can access. For pretty JSON output append `?pretty` to the URL.
+
+You can query a unix socket using the `cURL` command and the `--unix-socket` flag.
+
+```js
+curl -XGET --unix-socket '/var/run/{beatname_lc}.sock' 'http:/stats/?pretty'
+```
+
+
+## Info [_info]
+
+`/` provides basic info from the Heartbeat. Example:
+
+```js
+curl -XGET 'localhost:5066/?pretty'
+```
+
+```js
+{
+  "beat": "heartbeat",
+  "hostname": "example.lan",
+  "name": "example.lan",
+  "uuid": "34f6c6e1-45a8-4b12-9125-11b3e6e89866",
+  "version": "9.0.0-beta1"
+}
+```
+
+
+## Stats [_stats]
+
+`/stats` reports internal metrics. Example:
+
+```js
+curl -XGET 'localhost:5066/stats?pretty'
+```
+
+```js
+{
+  "beat": {
+    "cpu": {
+      "system": {
+        "ticks": 1710,
+        "time": {
+          "ms": 1712
+        }
+      },
+      "total": {
+        "ticks": 3420,
+        "time": {
+          "ms": 3424
+        },
+        "value": 3420
+      },
+      "user": {
+        "ticks": 1710,
+        "time": {
+          "ms": 1712
+        }
+      }
+    },
+    "info": {
+      "ephemeral_id": "ab4287c4-d907-4d9d-b074-d8c3cec4a577",
+      "uptime": {
+        "ms": 195547
+      }
+    },
+    "memstats": {
+      "gc_next": 17855152,
+      "memory_alloc": 9433384,
+      "memory_total": 492478864,
+      "rss": 50405376
+    },
+    "runtime": {
+      "goroutines": 22
+    }
+  },
+  "libbeat": {
+    "config": {
+      "module": {
+        "running": 0,
+        "starts": 0,
+        "stops": 0
+      },
+      "scans": 1,
+      "reloads": 1
+    },
+    "output": {
+      "events": {
+        "acked": 0,
+        "active": 0,
+        "batches": 0,
+        "dropped": 0,
+        "duplicates": 0,
+        "failed": 0,
+        "total": 0
+      },
+      "read": {
+        "bytes": 0,
+        "errors": 0
+      },
+      "type": "elasticsearch",
+      "write": {
+        "bytes": 0,
+        "errors": 0
+      }
+    },
+    "pipeline": {
+      "clients": 6,
+      "events": {
+        "active": 716,
+        "dropped": 0,
+        "failed": 0,
+        "filtered": 0,
+        "published": 716,
+        "retry": 278,
+        "total": 716
+      },
+      "queue": {
+        "acked": 0
+      }
+    }
+  },
+  "system": {
+    "cpu": {
+      "cores": 4
+    },
+    "load": {
+      "1": 2.22,
+      "15": 1.8,
+      "5": 1.74,
+      "norm": {
+        "1": 0.555,
+        "15": 0.45,
+        "5": 0.435
+      }
+    }
+  }
+}
+```
+
+The actual output may contain more metrics specific to Heartbeat
+
diff --git a/docs/reference/heartbeat/ilm.md b/docs/reference/heartbeat/ilm.md
new file mode 100644
index 000000000000..4aa83bb23565
--- /dev/null
+++ b/docs/reference/heartbeat/ilm.md
@@ -0,0 +1,58 @@
+---
+navigation_title: "Index lifecycle management (ILM)"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/ilm.html
+---
+
+# Configure index lifecycle management [ilm]
+
+
+Use the [index lifecycle management](docs-content://manage-data/lifecycle/index-lifecycle-management/tutorial-automate-rollover.md) (ILM) feature in {{es}} to manage your Heartbeat their backing indices of your data streams as they age. Heartbeat loads the default policy automatically and applies it to any data streams created by Heartbeat.
+
+You can view and edit the policy in the **Index lifecycle policies** UI in {{kib}}. For more information about working with the UI, see [Index lifecyle policies](docs-content://manage-data/lifecycle/index-lifecycle-management.md).
+
+Example configuration:
+
+```yaml
+setup.ilm.enabled: true
+```
+
+::::{warning}
+If index lifecycle management is enabled (which is typically the default), `setup.template.name` and `setup.template.pattern` are ignored.
+::::
+
+
+
+## Configuration options [_configuration_options_10]
+
+You can specify the following settings in the `setup.ilm` section of the `heartbeat.yml` config file:
+
+
+### `setup.ilm.enabled` [setup-ilm-option]
+
+Enables or disables index lifecycle management on any new indices created by Heartbeat. Valid values are `true` and `false`.
+
+
+### `setup.ilm.policy_name` [setup-ilm-policy_name-option]
+
+The name to use for the lifecycle policy. The default is `heartbeat`.
+
+
+### `setup.ilm.policy_file` [setup-ilm-policy_file-option]
+
+The path to a JSON file that contains a lifecycle policy configuration. Use this setting to load your own lifecycle policy.
+
+For more information about lifecycle policies, see [Set up index lifecycle management policy](docs-content://manage-data/lifecycle/index-lifecycle-management/configure-lifecycle-policy.md) in the *{{es}} Reference*.
+
+
+### `setup.ilm.check_exists` [setup-ilm-check_exists-option]
+
+When set to `false`, disables the check for an existing lifecycle policy. The default is `true`. You need to disable this check if the Heartbeat user connecting to a secured cluster doesn’t have the `read_ilm` privilege.
+
+If you set this option to `false`, lifecycle policy will not be installed, even if `setup.ilm.overwrite` is set to `true`.
+
+
+### `setup.ilm.overwrite` [setup-ilm-overwrite-option]
+
+When set to `true`, the lifecycle policy is overwritten at startup. The default is `false`.
+
diff --git a/heartbeat/docs/images/coordinate-map.png b/docs/reference/heartbeat/images/coordinate-map.png
similarity index 100%
rename from heartbeat/docs/images/coordinate-map.png
rename to docs/reference/heartbeat/images/coordinate-map.png
diff --git a/heartbeat/docs/images/heartbeat-statistics.png b/docs/reference/heartbeat/images/heartbeat-statistics.png
similarity index 100%
rename from heartbeat/docs/images/heartbeat-statistics.png
rename to docs/reference/heartbeat/images/heartbeat-statistics.png
diff --git a/docs/reference/heartbeat/include-fields.md b/docs/reference/heartbeat/include-fields.md
new file mode 100644
index 000000000000..581281d7eea5
--- /dev/null
+++ b/docs/reference/heartbeat/include-fields.md
@@ -0,0 +1,28 @@
+---
+navigation_title: "include_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/include-fields.html
+---
+
+# Keep fields from events [include-fields]
+
+
+The `include_fields` processor specifies which fields to export if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always exported. The `@timestamp`, `@metadata` and `type` fields are always exported, even if they are not defined in the `include_fields` list.
+
+```yaml
+processors:
+  - include_fields:
+      when:
+        condition
+      fields: ["field1", "field2", ...]
+```
+
+See [Conditions](/reference/heartbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+You can specify multiple `include_fields` processors under the `processors` section.
+
+::::{note}
+If you define an empty list of fields under `include_fields`, then only the required fields, `@timestamp` and `type`, are exported.
+::::
+
+
diff --git a/docs/reference/heartbeat/kafka-output.md b/docs/reference/heartbeat/kafka-output.md
new file mode 100644
index 000000000000..8e4c6cc9f47a
--- /dev/null
+++ b/docs/reference/heartbeat/kafka-output.md
@@ -0,0 +1,331 @@
+---
+navigation_title: "Kafka"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/kafka-output.html
+---
+
+# Configure the Kafka output [kafka-output]
+
+
+The Kafka output sends events to Apache Kafka.
+
+To use this output, edit the Heartbeat configuration file to disable the {{es}} output by commenting it out, and enable the Kafka output by uncommenting the Kafka section.
+
+::::{note}
+For Kafka version 0.10.0.0+ the message creation timestamp is set by beats and equals to the initial timestamp of the event. This affects the retention policy in Kafka: for example, if a beat event was created 2 weeks ago, the retention policy is set to 7 days and the message from beats arrives to Kafka today, it’s going to be immediately discarded since the timestamp value is before the last 7 days. It’s possible to change this behavior by setting timestamps on message arrival instead, so the message is not discarded but kept for 7 more days. To do that, please set `log.message.timestamp.type` to `LogAppendTime` (default `CreateTime`) in the Kafka configuration.
+::::
+
+
+Example configuration:
+
+```yaml
+output.kafka:
+  # initial brokers for reading cluster metadata
+  hosts: ["kafka1:9092", "kafka2:9092", "kafka3:9092"]
+
+  # message topic selection + partitioning
+  topic: '%{[fields.log_topic]}'
+  partition.round_robin:
+    reachable_only: false
+
+  required_acks: 1
+  compression: gzip
+  max_message_bytes: 1000000
+```
+
+::::{note}
+Events bigger than [`max_message_bytes`](#kafka-max_message_bytes) will be dropped. To avoid this problem, make sure Heartbeat does not generate events bigger than [`max_message_bytes`](#kafka-max_message_bytes).
+::::
+
+
+## Compatibility [kafka-compatibility]
+
+This output can connect to Kafka version 0.8.2.0 and later. Older versions might work as well, but are not supported. When using Kafka 4.0 and newer, the version must be set to at least `"2.1.0"`
+
+
+## Configuration options [_configuration_options_4]
+
+You can specify the following options in the `kafka` section of the `heartbeat.yml` config file:
+
+### `enabled` [_enabled_3]
+
+The `enabled` config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [_hosts]
+
+The list of Kafka broker addresses from where to fetch the cluster metadata. The cluster metadata contain the actual Kafka brokers events are published to.
+
+
+### `version` [_version]
+
+Kafka protocol version that Heartbeat will request when connecting. Defaults to 2.1.0. When using Kafka 4.0 and newer, the version must be set to at least `"2.1.0"`
+
+Valid values are all kafka releases in between `0.8.2.0` and `2.6.0`.
+
+The protocol version controls the Kafka client features available to Heartbeat; it does not prevent Heartbeat from connecting to Kafka versions newer than the protocol version.
+
+See [Compatibility](#kafka-compatibility) for information on supported versions.
+
+
+### `username` [_username_2]
+
+The username for connecting to Kafka. If username is configured, the password must be configured as well.
+
+
+### `password` [_password_2]
+
+The password for connecting to Kafka.
+
+
+### `sasl.mechanism` [_sasl_mechanism]
+
+The SASL mechanism to use when connecting to Kafka. It can be one of:
+
+* `PLAIN` for SASL/PLAIN.
+* `SCRAM-SHA-256` for SCRAM-SHA-256.
+* `SCRAM-SHA-512` for SCRAM-SHA-512.
+
+If `sasl.mechanism` is not set, `PLAIN` is used if `username` and `password` are provided. Otherwise, SASL authentication is disabled.
+
+To use `GSSAPI` mechanism to authenticate with Kerberos, you must leave this field empty, and use the [`kerberos`](#kerberos-option-kafka) options.
+
+
+### `topic` [topic-option-kafka]
+
+The Kafka topic used for produced events.
+
+You can set the topic dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_topic`, to set the topic for each event:
+
+```yaml
+topic: '%{[fields.log_topic]}'
+```
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/heartbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`topics`](#topics-option-kafka) setting for other ways to set the topic dynamically.
+
+
+### `topics` [topics-option-kafka]
+
+An array of topic selector rules. Each rule specifies the `topic` to use for events that match the rule. During publishing, Heartbeat sets the `topic` for each event based on the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `topics` setting is missing or no rule matches, the [`topic`](#topic-option-kafka) field is used.
+
+Rule settings:
+
+**`topic`**
+:   The topic format string to use.  If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `topic` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/heartbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sets the topic based on whether the message field contains the specified string:
+
+```yaml
+output.kafka:
+  hosts: ["localhost:9092"]
+  topic: "logs-%{[agent.version]}"
+  topics:
+    - topic: "critical-%{[agent.version]}"
+      when.contains:
+        message: "CRITICAL"
+    - topic: "error-%{[agent.version]}"
+      when.contains:
+        message: "ERR"
+```
+
+This configuration results in topics named `critical-9.0.0-beta1`, `error-9.0.0-beta1`, and `logs-9.0.0-beta1`.
+
+
+### `key` [_key]
+
+Optional formatted string specifying the Kafka event key. If configured, the event key can be extracted from the event using a format string.
+
+See the Kafka documentation for the implications of a particular choice of key; by default, the key is chosen by the Kafka cluster.
+
+
+### `partition` [_partition]
+
+Kafka output broker event partitioning strategy. Must be one of `random`, `round_robin`, or `hash`. By default the `hash` partitioner is used.
+
+**`random.group_events`**: Sets the number of events to be published to the same partition, before the partitioner selects a new partition by random. The default value is 1 meaning after each event a new partition is picked randomly.
+
+**`round_robin.group_events`**: Sets the number of events to be published to the same partition, before the partitioner selects the next partition. The default value is 1 meaning after each event the next partition will be selected.
+
+**`hash.hash`**: List of fields used to compute the partitioning hash value from. If no field is configured, the events `key` value will be used.
+
+**`hash.random`**: Randomly distribute events if no hash or key value can be computed.
+
+All partitioners will try to publish events to all partitions by default. If a partition’s leader becomes unreachable for the beat, the output might block. All partitioners support setting `reachable_only` to overwrite this behavior. If `reachable_only` is set to `true`, events will be published to available partitions only.
+
+::::{note}
+Publishing to a subset of available partitions potentially increases resource usage because events may become unevenly distributed.
+::::
+
+
+
+### `headers` [_headers_2]
+
+A header is a key-value pair, and multiple headers can be included with the same `key`. Only string values are supported. These headers will be included in each produced Kafka message.
+
+```yaml
+output.kafka:
+  hosts: ["localhost:9092"]
+  topic: "logs-%{[agent.version]}"
+  headers:
+    - key: "some-key"
+      value: "some value"
+    - key: "another-key"
+      value: "another value"
+```
+
+
+### `client_id` [_client_id]
+
+The configurable ClientID used for logging, debugging, and auditing purposes. The default is "beats".
+
+
+### `codec` [_codec]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/heartbeat/configuration-output-codec.md) for more information.
+
+
+### `metadata` [_metadata]
+
+Kafka metadata update settings. The metadata do contain information about brokers, topics, partition, and active leaders to use for publishing.
+
+**`refresh_frequency`**
+:   Metadata refresh interval. Defaults to 10 minutes.
+
+**`full`**
+:   Strategy to use when fetching metadata, when this option is `true`, the client will maintain a full set of metadata for all the available topics, if the this option is set to `false` it will only refresh the metadata for the configured topics. The default is false.
+
+**`retry.max`**
+:   Total number of metadata update retries when cluster is in middle of leader election. The default is 3.
+
+**`retry.backoff`**
+:   Waiting time between retries during leader elections. Default is 250ms.
+
+
+### `max_retries` [_max_retries_3]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `backoff.init` [_backoff_init_2]
+
+The number of seconds to wait before trying to republish to Kafka after a network error. After waiting `backoff.init` seconds, Heartbeat tries to republish. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful publish, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_2]
+
+The maximum number of seconds to wait before attempting to republish to Kafka after a network error. The default is 60s.
+
+
+### `bulk_max_size` [_bulk_max_size_2]
+
+The maximum number of events to bulk in a single Kafka request. The default is 2048.
+
+
+### `bulk_flush_frequency` [_bulk_flush_frequency]
+
+Duration to wait before sending bulk Kafka request. 0 is no delay. The default is 0.
+
+
+### `timeout` [_timeout_3]
+
+The number of seconds to wait for responses from the Kafka brokers before timing out. The default is 30 (seconds).
+
+
+### `broker_timeout` [_broker_timeout]
+
+The maximum duration a broker will wait for number of required ACKs. The default is 10s.
+
+
+### `channel_buffer_size` [_channel_buffer_size]
+
+Per Kafka broker number of messages buffered in output pipeline. The default is 256.
+
+
+### `keep_alive` [_keep_alive]
+
+The keep-alive period for an active network connection. If 0s, keep-alives are disabled. The default is 0 seconds.
+
+
+### `compression` [_compression]
+
+Sets the output compression codec. Must be one of `none`, `snappy`, `lz4`, `gzip` and `zstd`. The default is `gzip`.
+
+::::{admonition} Known issue with Azure Event Hub for Kafka
+:class: important
+
+When targeting Azure Event Hub for Kafka, set `compression` to `none` as the provided codecs are not supported.
+
+::::
+
+
+
+### `compression_level` [_compression_level_2]
+
+Sets the compression level used by gzip. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the cpu usage.
+
+The default value is 4.
+
+
+### `max_message_bytes` [kafka-max_message_bytes]
+
+The maximum permitted size of JSON-encoded messages. Bigger messages will be dropped. The default value is 1000000 (bytes). This value should be equal to or less than the broker’s `message.max.bytes`.
+
+
+### `required_acks` [_required_acks]
+
+The ACK reliability level required from broker. 0=no response, 1=wait for local commit, -1=wait for all replicas to commit. The default is 1.
+
+Note: If set to 0, no ACKs are returned by Kafka. Messages might be lost silently on error.
+
+
+### `ssl` [_ssl_3]
+
+Configuration options for SSL parameters like the root CA for Kafka connections. The Kafka host keystore should be created with the `-keyalg RSA` argument to ensure it uses a cipher supported by [Filebeat’s Kafka library](https://github.com/Shopify/sarama/wiki/Frequently-Asked-Questions#why-cant-sarama-connect-to-my-kafka-cluster-using-ssl). See [SSL](/reference/heartbeat/configuration-ssl.md) for more information.
+
+
+### `kerberos` [kerberos-option-kafka]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Configuration options for Kerberos authentication.
+
+See [Kerberos](/reference/heartbeat/configuration-kerberos.md) for more information.
+
+
+### `queue` [_queue_3]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/heartbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `heartbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/heartbeat/keystore.md b/docs/reference/heartbeat/keystore.md
new file mode 100644
index 000000000000..56c40986e867
--- /dev/null
+++ b/docs/reference/heartbeat/keystore.md
@@ -0,0 +1,87 @@
+---
+navigation_title: "Secrets keystore"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/keystore.html
+---
+
+# Secrets keystore for secure settings [keystore]
+
+
+When you configure Heartbeat, you might need to specify sensitive settings, such as passwords. Rather than relying on file system permissions to protect these values, you can use the Heartbeat keystore to obfuscate stored secret values for use in configuration settings.
+
+After adding a key and its secret value to the keystore, you can use the key in place of the secret value when you configure sensitive settings.
+
+The syntax for referencing keys is identical to the syntax for environment variables:
+
+`${KEY}`
+
+Where KEY is the name of the key.
+
+For example, imagine that the keystore contains a key called `ES_PWD` with the value `yourelasticsearchpassword`:
+
+* In the configuration file, use `output.elasticsearch.password: "${ES_PWD}"`
+* On the command line, use: `-E "output.elasticsearch.password=\${ES_PWD}"`
+
+When Heartbeat unpacks the configuration, it resolves keys before resolving environment variables and other variables.
+
+Notice that the Heartbeat keystore differs from the Elasticsearch keystore. Whereas the Elasticsearch keystore lets you store `elasticsearch.yml` values by name, the Heartbeat keystore lets you specify arbitrary names that you can reference in the Heartbeat configuration.
+
+To create and manage keys, use the `keystore` command. See the [command reference](/reference/heartbeat/command-line-options.md#keystore-command) for the full command syntax, including optional flags.
+
+::::{note}
+The `keystore` command must be run by the same user who will run Heartbeat.
+::::
+
+
+
+## Create a keystore [creating-keystore]
+
+To create a secrets keystore, use:
+
+```sh
+heartbeat keystore create
+```
+
+Heartbeat creates the keystore in the directory defined by the `path.data` configuration setting.
+
+
+## Add keys [add-keys-to-keystore]
+
+To store sensitive values, such as authentication credentials for Elasticsearch, use the `keystore add` command:
+
+```sh
+heartbeat keystore add ES_PWD
+```
+
+When prompted, enter a value for the key.
+
+To overwrite an existing key’s value, use the `--force` flag:
+
+```sh
+heartbeat keystore add ES_PWD --force
+```
+
+To pass the value through stdin, use the `--stdin` flag. You can also use `--force`:
+
+```sh
+cat /file/containing/setting/value | heartbeat keystore add ES_PWD --stdin --force
+```
+
+
+## List keys [list-settings]
+
+To list the keys defined in the keystore, use:
+
+```sh
+heartbeat keystore list
+```
+
+
+## Remove keys [remove-settings]
+
+To remove a key from the keystore, use:
+
+```sh
+heartbeat keystore remove ES_PWD
+```
+
diff --git a/docs/reference/heartbeat/kibana-user-privileges.md b/docs/reference/heartbeat/kibana-user-privileges.md
new file mode 100644
index 000000000000..8965cfef13f8
--- /dev/null
+++ b/docs/reference/heartbeat/kibana-user-privileges.md
@@ -0,0 +1,28 @@
+---
+navigation_title: "Create a _reader_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/kibana-user-privileges.html
+---
+
+# Grant privileges and roles needed to read Heartbeat data from {{kib}} [kibana-user-privileges]
+
+
+{{kib}} users typically need to view dashboards and visualizations that contain Heartbeat data. These users might also need to create and edit dashboards and visualizations.
+
+To grant users the required privileges:
+
+1. Create a **reader role**, called something like `heartbeat_reader`, that has the following privilege:
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Index | `read` on `heartbeat-*` indices | Read data indexed by Heartbeat |
+    | Spaces | `Read` or `All` on Dashboards, Visualize, and Discover | Allow the user to view, edit, and create dashboards, as well as browse data. |
+    | Spaces | `Read` or `All` on {{kib}} Uptime | Allow the use of {{kib}} Uptime |
+
+2. Assign the **reader role**, along with the following built-in roles, to users who need to read Heartbeat data:
+
+    | Role | Purpose |
+    | --- | --- |
+    | `monitoring_user` | Allow users to monitor the health of Heartbeat itself. Only assign this role to users who manage Heartbeat. |
+
+
diff --git a/docs/reference/heartbeat/learn-more-security.md b/docs/reference/heartbeat/learn-more-security.md
new file mode 100644
index 000000000000..5bb85b66e6f5
--- /dev/null
+++ b/docs/reference/heartbeat/learn-more-security.md
@@ -0,0 +1,12 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/learn-more-security.html
+---
+
+# Learn more about privileges, roles, and users [learn-more-security]
+
+Want to learn more about creating users and roles? See [Secure a cluster](docs-content://deploy-manage/security.md). Also see:
+
+* [Security privileges](elasticsearch://reference/elasticsearch/security-privileges.md) for a description of available privileges
+* [Built-in roles](elasticsearch://reference/elasticsearch/roles.md) for a description of roles that you can assign to users
+
diff --git a/docs/reference/heartbeat/linux-seccomp.md b/docs/reference/heartbeat/linux-seccomp.md
new file mode 100644
index 000000000000..58386e06907e
--- /dev/null
+++ b/docs/reference/heartbeat/linux-seccomp.md
@@ -0,0 +1,75 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/linux-seccomp.html
+---
+
+# Use Linux Secure Computing Mode (seccomp) [linux-seccomp]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+On Linux 3.17 and later, Heartbeat can take advantage of secure computing mode, also known as seccomp. Seccomp restricts the system calls that a process can issue. Specifically Heartbeat can load a seccomp BPF filter at process start-up that drops the privileges to invoke specific system calls. Once a filter is loaded by the process it cannot be removed.
+
+The kernel exposes a large number of system calls that are not used by Heartbeat. By installing a seccomp filter, you can limit the total kernel surface exposed to Heartbeat (principle of least privilege). This minimizes the impact of unknown vulnerabilities that might be found in the process.
+
+The filter is expressed as a Berkeley Packet Filter (BPF) program. The BPF program is generated based on a policy defined by Heartbeat. The policy can be customized through configuration as well.
+
+A seccomp policy is architecture specific due to the fact that system calls vary by architecture. Heartbeat includes a whitelist seccomp policy for the amd64 and 386 architectures. You can view those policies [here](https://github.com/elastic/beats/tree/master/libbeat/common/seccomp).
+
+
+## Seccomp Policy Configuration [seccomp-policy-config]
+
+The seccomp policy can be customized through the configuration policy. This is an example blacklist policy that prohibits `execve`, `execveat`, `fork`, and `vfork` syscalls.
+
+```yaml
+seccomp:
+  default_action: allow <1>
+  syscalls:
+  - action: errno <2>
+    names: <3>
+    - execve
+    - execveat
+    - fork
+    - vfork
+```
+
+1. If the system call being invoked by the process does not match one of the names below then it will be allowed.
+2. If the system call being invoked matches one of the names below then an error will be returned to caller. This is known as a blacklist policy.
+3. These are system calls being prohibited.
+
+
+These are the configuration options for a seccomp policy.
+
+**`enabled`**
+:   On Linux, this option is enabled by default. To disable seccomp filter loading, set this option to `false`.
+
+**`default_action`**
+:   The default action to take when none of the defined system calls match. See [action](#seccomp-policy-config-action) for the full list of values. This is required.
+
+**`syscalls`**
+:   Each object in this list must contain an `action` and a list of system call `names`. The list must contain at least one item.
+
+**`names`**
+:   A list of system call names. The system call name must exist for the runtime architecture, otherwise an error will be logged and the filter will not be installed. At least one system call must be defined.
+
+$$$seccomp-policy-config-action$$$
+
+**`action`**
+:   The action to take when any of the system calls listed in `names` is executed. This is required. These are the available action values. The actions that are available depend on the kernel version.
+
+    * `errno` - The system call will return `EPERM` (permission denied) to the caller.
+    * `trace` - The kernel will notify a `ptrace` tracer. If no tracer is present then the system call fails with `ENOSYS` (function not implemented).
+    * `trap` - The kernel will send a `SIGSYS` signal to the calling thread and not execute the system call. The Go runtime will exit.
+    * `kill_thread` - The kernel will immediately terminate the thread. Other threads will continue to execute.
+    * `kill_process` - The kernel will terminate the process. Available in Linux 4.14 and later.
+    * `log` - The kernel will log the system call before executing it. Available in Linux 4.14 and later. (This does not go to the Beat’s log.)
+    * `allow` - The kernel will allow the system call to execute.
+
+
+
+## Auditbeat Reports Seccomp Violations [_auditbeat_reports_seccomp_violations]
+
+You can use Auditbeat to report any seccomp violations that occur on the system. The kernel generates an event for each violation and Auditbeat reports the event. The `event.action` value will be `violated-seccomp-policy` and the event will contain information about the process and system call.
+
diff --git a/docs/reference/heartbeat/logstash-output.md b/docs/reference/heartbeat/logstash-output.md
new file mode 100644
index 000000000000..8fa3e64fae77
--- /dev/null
+++ b/docs/reference/heartbeat/logstash-output.md
@@ -0,0 +1,245 @@
+---
+navigation_title: "Logstash"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/logstash-output.html
+---
+
+# Configure the Logstash output [logstash-output]
+
+
+The {{ls}} output sends events directly to {{ls}} by using the lumberjack protocol, which runs over TCP. {{ls}} allows for additional processing and routing of generated events.
+
+::::{admonition} Prerequisite
+:class: important
+
+To send events to {{ls}}, you also need to create a {{ls}} configuration pipeline that listens for incoming Beats connections and indexes the received events into {{es}}. For more information, see [Getting Started with {{ls}}](logstash://reference/getting-started-with-logstash.md). Also see the documentation for the [{{beats}} input](logstash://reference/plugins-inputs-beats.md) and [{{es}} output](logstash://reference/plugins-outputs-elasticsearch.md) plugins.
+::::
+
+
+If you want to use {{ls}} to perform additional processing on the data collected by Heartbeat, you need to configure Heartbeat to use {{ls}}.
+
+To do this, edit the Heartbeat configuration file to disable the {{es}} output by commenting it out and enable the {{ls}} output by uncommenting the {{ls}} section:
+
+```yaml
+output.logstash:
+  hosts: ["127.0.0.1:5044"]
+```
+
+The `hosts` option specifies the {{ls}} server and the port (`5044`) where {{ls}} is configured to listen for incoming Beats connections.
+
+For this configuration, you must [load the index template into {{es}} manually](/reference/heartbeat/heartbeat-template.md#load-template-manually) because the options for auto loading the template are only available for the {{es}} output.
+
+## Accessing metadata fields [_accessing_metadata_fields]
+
+Every event sent to {{ls}} contains the following metadata fields that you can use in {{ls}} for indexing and filtering:
+
+```json
+{
+    ...
+    "@metadata": { <1>
+      "beat": "heartbeat", <2>
+      "version": "9.0.0-beta1" <3>
+    }
+}
+```
+
+1. Heartbeat uses the `@metadata` field to send metadata to {{ls}}. See the [{{ls}} documentation](logstash://reference/event-dependent-configuration.md#metadata) for more about the `@metadata` field.
+2. The default is heartbeat. To change this value, set the [`index`](#logstash-index) option in the Heartbeat config file.
+3. The current version of Heartbeat.
+
+
+You can access this metadata from within the {{ls}} config file to set values dynamically based on the contents of the metadata.
+
+For example, the following {{ls}} configuration file tells {{ls}} to use the index reported by Heartbeat for indexing events into {{es}}:
+
+```json
+input {
+  beats {
+    port => 5044
+  }
+}
+
+output {
+  elasticsearch {
+    hosts => ["http://localhost:9200"]
+    index => "%{[@metadata][beat]}-%{[@metadata][version]}" <1>
+    action => "create"
+  }
+}
+```
+
+1. `%{[@metadata][beat]}` sets the first part of the index name to the value of the `beat` metadata field and `%{[@metadata][version]}` sets the second part to the Beat’s version. For example: `heartbeat-9.0.0-beta1`.
+
+
+Events indexed into {{es}} with the {{ls}} configuration shown here will be similar to events directly indexed by Heartbeat into {{es}}.
+
+::::{note}
+If ILM is not being used, set `index` to `%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so {{ls}} creates an index per day, based on the `@timestamp` value of the events coming from Beats.
+::::
+
+
+
+## Compatibility [_compatibility_2]
+
+This output works with all compatible versions of {{ls}}. See the [Elastic Support Matrix](https://www.elastic.co/support/matrix#matrix_compatibility).
+
+
+## Configuration options [_configuration_options_3]
+
+You can specify the following options in the `logstash` section of the `heartbeat.yml` config file:
+
+### `enabled` [_enabled_2]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [hosts]
+
+The list of known {{ls}} servers to connect to. If load balancing is disabled, but multiple hosts are configured, one host is selected randomly (there is no precedence). If one host becomes unreachable, another one is selected randomly.
+
+All entries in this list can contain a port number. The default port number 5044 will be used if no number is given.
+
+
+### `compression_level` [_compression_level]
+
+The gzip compression level. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the CPU usage.
+
+The default value is 3.
+
+
+### `escape_html` [_escape_html_2]
+
+Configure escaping of HTML in strings. Set to `true` to enable escaping.
+
+The default value is `false`.
+
+
+### `worker` or `workers` [_worker_or_workers]
+
+The number of workers per configured host publishing events to {{ls}}. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+
+### `loadbalance` [loadbalance]
+
+When `loadbalance: true` is set, Heartbeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Heartbeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Heartbeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Heartbeat can connect to at least one of its configured hosts. To rotate through the list of configured hosts over time, use this option in conjunction with the `ttl` setting to close the connection at the configured interval and choose a new target host.
+
+The default value is `false`.
+
+```yaml
+output.logstash:
+  hosts: ["localhost:5044", "localhost:5045"]
+  loadbalance: true
+  index: heartbeat
+```
+
+
+### `ttl` [_ttl]
+
+Time to live for a connection to {{ls}} after which the connection will be re-established. Useful when {{ls}} hosts represent load balancers. Since the connections to {{ls}} hosts are sticky, operating behind load balancers can lead to uneven load distribution between the instances. Specifying a TTL on the connection allows to achieve equal connection distribution between the instances.  Specifying a TTL of 0 will disable this feature.
+
+The default value is 0. This setting accepts [duration](/reference/libbeat/config-file-format-type.md#_duration) data type values.
+
+::::{note}
+The "ttl" option is not yet supported on an async {{ls}} client (one with the "pipelining" option set).
+::::
+
+
+
+### `pipelining` [_pipelining]
+
+Configures the number of batches to be sent asynchronously to {{ls}} while waiting for ACK from {{ls}}. Output only becomes blocking once number of `pipelining` batches have been written. Pipelining is disabled if a value of 0 is configured. The default value is 2.
+
+
+### `proxy_url` [_proxy_url_2]
+
+The URL of the SOCKS5 proxy to use when connecting to the {{ls}} servers. The value must be a URL with a scheme of `socks5://`. The protocol used to communicate to {{ls}} is not based on HTTP so a web-proxy cannot be used.
+
+If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL as shown in the example.
+
+When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the [`proxy_use_local_resolver`](#logstash-proxy-use-local-resolver) option.
+
+```yaml
+output.logstash:
+  hosts: ["remote-host:5044"]
+  proxy_url: socks5://user:password@socks5-proxy:2233
+```
+
+
+### `proxy_use_local_resolver` [logstash-proxy-use-local-resolver]
+
+The `proxy_use_local_resolver` option determines if {{ls}} hostnames are resolved locally when using a proxy. The default value is false, which means that when a proxy is used the name resolution occurs on the proxy server.
+
+
+### `index` [logstash-index]
+
+The index root name to write events to. The default is the Beat name. For example `"heartbeat"` generates `"[heartbeat-]9.0.0-beta1-YYYY.MM.DD"` indices (for example, `"heartbeat-9.0.0-beta1-2017.04.26"`).
+
+::::{note}
+This parameter’s value will be assigned to the `metadata.beat` field. It can then be accessed in {{ls}}'s output section as `%{[@metadata][beat]}`.
+::::
+
+
+
+### `ssl` [_ssl_2]
+
+Configuration options for SSL parameters like the root CA for {{ls}} connections. See [SSL](/reference/heartbeat/configuration-ssl.md) for more information. To use SSL, you must also configure the [Beats input plugin for Logstash](logstash://reference/plugins-inputs-beats.md) to use SSL/TLS.
+
+
+### `timeout` [_timeout_2]
+
+The number of seconds to wait for responses from the {{ls}} server before timing out. The default is 30 (seconds).
+
+
+### `max_retries` [_max_retries_2]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `bulk_max_size` [_bulk_max_size]
+
+The maximum number of events to bulk in a single {{ls}} request. The default is 2048.
+
+Events can be collected into batches. Heartbeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `slow_start` [_slow_start]
+
+If enabled, only a subset of events in a batch of events is transferred per transaction. The number of events to be sent increases up to `bulk_max_size` if no error is encountered. On error, the number of events per transaction is reduced again.
+
+The default is `false`.
+
+
+### `backoff.init` [_backoff_init]
+
+The number of seconds to wait before trying to reconnect to {{ls}} after a network error. After waiting `backoff.init` seconds, Heartbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max]
+
+The maximum number of seconds to wait before attempting to connect to {{ls}} after a network error. The default is 60s.
+
+
+### `queue` [_queue_2]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/heartbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `heartbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/heartbeat/madvdontneed-rss.md b/docs/reference/heartbeat/madvdontneed-rss.md
new file mode 100644
index 000000000000..deefc29cd492
--- /dev/null
+++ b/docs/reference/heartbeat/madvdontneed-rss.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/madvdontneed-rss.html
+---
+
+# High RSS memory usage due to MADV settings [madvdontneed-rss]
+
+In versions of Heartbeat prior to 7.10.2, the go runtime defaults to `MADV_FREE` by default. In some cases, this can lead to high RSS memory usage while the kernel waits to reclaim any pages assigned to Heartbeat. On versions prior to 7.10.2, set the `GODEBUG="madvdontneed=1"` environment variable if you run into RSS usage issues.
+
diff --git a/docs/reference/heartbeat/metadata-missing.md b/docs/reference/heartbeat/metadata-missing.md
new file mode 100644
index 000000000000..429773238ac3
--- /dev/null
+++ b/docs/reference/heartbeat/metadata-missing.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/metadata-missing.html
+---
+
+# @metadata is missing in Logstash [metadata-missing]
+
+{{ls}} outputs remove `@metadata` fields automatically. Therefore, if {{ls}} instances are chained directly or via some message queue (for example, Redis or Kafka), the `@metadata` field will not be available in the final {{ls}} instance.
+
+::::{tip}
+To preserve `@metadata` fields, use the {{ls}} mutate filter with the rename setting to rename the fields to non-internal fields.
+::::
+
+
diff --git a/docs/reference/heartbeat/monitor-http-options.md b/docs/reference/heartbeat/monitor-http-options.md
new file mode 100644
index 000000000000..3e951ac561b5
--- /dev/null
+++ b/docs/reference/heartbeat/monitor-http-options.md
@@ -0,0 +1,355 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/monitor-http-options.html
+---
+
+# HTTP options [monitor-http-options]
+
+Also see [Common monitor options](/reference/heartbeat/monitor-options.md).
+
+The options described here configure Heartbeat to connect via HTTP and optionally verify that the host returns the expected response.
+
+Example configuration:
+
+```yaml
+- type: http
+  id: myhost
+  name: My HTTP Host
+  schedule: '@every 5s'
+  hosts: ["http://myhost:80"]
+```
+
+
+### `hosts` [monitor-http-urls]
+
+A list of URLs to ping.
+
+
+### `max_redirects` [monitor-http-max-redirects]
+
+The total number of redirections Heartbeat will follow. Defaults to 0, meaning heartbeat will not follow redirects, but will report the status of the redirect. If set to a number greater than 0 heartbeat will follow that number of redirects.
+
+When this option is set to a value greater than zero the `monitor.ip` field will no longer be reported, as multiple DNS requests across multiple IPs may return multiple IPs. Fine grained network timing data will also not be recorded, as with redirects that data will span multiple requests. Specifically the fields `http.rtt.content.us`, `http.rtt.response_header.us`, `http.rtt.total.us`, `http.rtt.validate.us`, `http.rtt.write_request.us` and `dns.rtt.us` will be omitted.
+
+
+### `proxy_url` [monitor-http-proxy-url]
+
+The HTTP proxy URL. This setting is optional. Example `http://proxy.mydomain.com:3128`
+
+
+### `proxy_headers` [monitor-http-proxy-headers]
+
+Additional headers to send to proxies during CONNECT requests.
+
+
+### `username` [monitor-http-username]
+
+The username for authenticating with the server. The credentials are passed with the request. This setting is optional.
+
+You need to specify credentials when your `check.response` settings require it. For example, you can check for a 403 response (`check.response.status: [403]`) without setting credentials.
+
+
+### `password` [monitor-http-password]
+
+The password for authenticating with the server. This setting is optional.
+
+
+### `ssl` [monitor-http-tls-ssl]
+
+The TLS/SSL connection settings for use with the HTTPS endpoint. If you don’t specify settings, the system defaults are used.
+
+Example configuration:
+
+```yaml
+- type: http
+  id: my-http-service
+  name: My HTTP Service
+  hosts: ["https://myhost:443"]
+  schedule: '@every 5s'
+  ssl:
+    certificate_authorities: ['/etc/ca.crt']
+    supported_protocols: ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
+```
+
+Also see [SSL](/reference/heartbeat/configuration-ssl.md) for a full description of the `ssl` options.
+
+
+## `headers` [monitor-http-headers]
+
+Controls the indexing of the HTTP response headers `http.response.body.headers` field.
+
+On by default. Set `response.include_headers` to `false` to disable.
+
+
+## `response` [monitor-http-response]
+
+Controls the indexing of the HTTP response body contents to the `http.response.body.contents` field.
+
+Set `response.include_body` to one of the options listed below.
+
+**`on_error`**
+:   Include the body if an error is encountered during the check. This is the default.
+
+**`never`**
+:   Never include the body.
+
+**`always`**
+:   Always include the body with checks.
+
+Set `response.include_body_max_bytes` to control the maximum size of the stored body contents. Defaults to 1024 bytes.
+
+
+### `check` [monitor-http-check]
+
+An optional `request` to send to the remote host and the expected `response`.
+
+Example configuration:
+
+```yaml
+- type: http
+  id: my-http-host
+  name: My HTTP Service
+  hosts: ["http://myhost:80"]
+  check.request.method: HEAD
+  check.response.status: [200]
+  schedule: '@every 5s'
+```
+
+Under `check.request`, specify these options:
+
+**`method`**
+:   The HTTP method to use. Valid values are `"HEAD"`, `"GET"`, `"POST"`, `"PUT"`, `"DELETE"`, `"CONNECT"`, `"TRACE"` and `"OPTIONS"`.
+
+**`headers`**
+:   A dictionary of additional HTTP headers to send. By default heartbeat will set the *User-Agent* header to identify itself.
+
+**`body`**
+:   Optional request body content.
+
+Example configuration: This monitor POSTs an `x-www-form-urlencoded` string to the endpoint `/demo/add`
+
+```yaml
+- type: http
+  id: demo-service
+  name: Demo Service
+  schedule: '@every 5s'
+  urls: ["http://localhost:8080/demo/add"]
+  check.request:
+    method: POST
+    headers:
+      'Content-Type': 'application/x-www-form-urlencoded'
+    # urlencode the body:
+    body: "name=first&email=someemail%40someemailprovider.com"
+  check.response:
+    status: [200]
+    body:
+      - Saved
+      - saved
+```
+
+Under `check.response`, specify these options:
+
+**`status`**
+:   A list of expected status codes. 4xx and 5xx codes are considered `down` by default. Other codes are considered `up`.
+
+**`headers`**
+:   The required response headers.
+
+**`body`**
+:   A list of regular expressions to match the body output. Only a single expression needs to match. HTTP response bodies of up to 100MiB are supported.
+
+Example configuration: This monitor examines the response body for the strings `saved` or `Saved` and expects 200 or 201 status codes
+
+```yaml
+- type: http
+  id: demo-service
+  name: Demo Service
+  schedule: '@every 5s'
+  urls: ["http://localhost:8080/demo/add"]
+  check.request:
+    method: POST
+    headers:
+      'Content-Type': 'application/x-www-form-urlencoded'
+    # urlencode the body:
+    body: "name=first&email=someemail%40someemailprovider.com"
+  check.response:
+    status: [200, 201]
+    body:
+      - Saved
+      - saved
+```
+
+Under `check.response.body`, specify these options: **`positive`**:: This option has the same behavior as given a list of regular expressions under `check.response.body`. **`negative`**:: A list of regular expressions to match the the body output negatively. Return match failed if single expression matches. HTTP response bodies of up to 100MiB are supported.
+
+Example configuration: This monitor examines the response body for the strings *foo* or *Foo*
+
+```yaml
+- type: http
+  id: demo-service
+  name: Demo Service
+  schedule: '@every 5s'
+  urls: ["http://localhost:8080/demo/add"]
+  check.request:
+    method: POST
+    headers:
+      'Content-Type': 'application/x-www-form-urlencoded'
+    # urlencode the body:
+    body: "name=first&email=someemail%40someemailprovider.com"
+  check.response:
+    body:
+      positive:
+        - foo
+        - Foo
+```
+
+Example configuration: This monitor examines match successfully if there is no *bar* or *Bar* at all, examines match failed if there is *bar* or *Bar* in the response body
+
+```yaml
+- type: http
+  id: demo-service
+  name: Demo Service
+  schedule: '@every 5s'
+  urls: ["http://localhost:8080/demo/add"]
+  check.request:
+    method: POST
+    headers:
+      'Content-Type': 'application/x-www-form-urlencoded'
+    # urlencode the body:
+    body: "name=first&email=someemail%40someemailprovider.com"
+  check.response:
+    status: [200, 201]
+    body:
+      negative:
+        - bar
+        - Bar
+```
+
+Example configuration: This monitor examines match successfully only when *foo* or *Foo* in body AND no *bar* or *Bar* in body
+
+```yaml
+- type: http
+  id: demo-service
+  name: Demo Service
+  schedule: '@every 5s'
+  urls: ["http://localhost:8080/demo/add"]
+  check.response:
+    status: [200, 201]
+    body:
+      positive:
+        - foo
+        - Foo
+      negative:
+        - bar
+        - Bar
+```
+
+**`json`**
+:   A list of expressions or [condition](/reference/heartbeat/defining-processors.md#conditions) statements (now deprecated) executed against the body when parsed as JSON. Body sizes must be less than or equal to 100 MiB.
+
+The following configuration shows how to check the response using [gval](https://github.com/PaesslerAG/gval/blob/master/README.md) expressions when the body contains JSON:
+
+```yaml
+- type: http
+  id: demo-service
+  name: Demo Service
+  schedule: '@every 5s'
+  hosts: ["https://localhost:9200/_/nodes/stats"]
+  username: elastic
+  password: changeme
+  check.response:
+    status: [200]
+    json:
+      - description: check status
+        expression: 'foo.bar == "myValue"'
+```
+
+Expressions can be much more complex than simple equality. They can also use [jsonpath](https://goessner.net/articles/JsonPath/) syntax. Note that strings must be double quoted with `"` rather than single quoted with `'` in the `gval` variant of jsonpath. Please note that jsonpath sub-expressions must start with `$.`, for instance `'$.nodes[?(@.name=="myname")] != []'` will check that the `nodes` map has at least one value with the name *myname*.
+
+When working with responses that are returned in the form of a JSON array at the root rather than an object jsonpath can be used as well. As an example `$.[0].foo == "bar"` tests that the first item in the response has an attribute `foo` that has the value "bar".
+
+JSON bodies can also be checked via the now deprecated `condition` option, which is not as powerful as `expression`. The following configuration shows how to check the response using a `condition` statement when the body contains JSON:
+
+```yaml
+- type: http
+  id: demo-service
+  name: Demo Service
+  schedule: '@every 5s'
+  hosts: ["https://myhost:80"]
+  check.request:
+    method: GET
+    headers:
+      'X-API-Key': '12345-mykey-67890'
+  check.response:
+    status: [200]
+    json:
+      - description: check status
+        condition:
+          equals:
+            status: ok
+```
+
+The following configuration shows how to check the response for multiple regex patterns:
+
+```yaml
+- type: http
+  id: demo-service
+  name: Demo Service
+  schedule: '@every 5s'
+  hosts: ["https://myhost:80"]
+  check.request:
+    method: GET
+    headers:
+      'X-API-Key': '12345-mykey-67890'
+  check.response:
+    status: [200]
+    body:
+      - hello
+      - world
+```
+
+The following configuration shows how to check the response with a multiline regex:
+
+```yaml
+- type: http
+  id: demo-service
+  name: Demo Service
+  schedule: '@every 5s'
+  hosts: ["https://myhost:80"]
+  check.request:
+    method: GET
+    headers:
+      'X-API-Key': '12345-mykey-67890'
+  check.response:
+    status: [200]
+    body: '(?s)first.*second.*third'
+```
+
+
+## Run Once Mode (Experimental) [run-once-mode]
+
+You can configure Heartbeat run monitors exactly once then exit, bypassing the scheduler. This is referred to as running Heartbeat in "run once" mode by setting `heartbeat.run_once: true`. All Heartbeat monitors will ignore their schedules and run exactly once at startup. This is an experimental feature and is subject to change.
+
+Note, the `schedule` field is still required and is used by Heartbeat to set the expectation around when the next run will occur. That duration is encoded in the `monitor.timespan` field in the Heartbeat output.
+
+```yaml
+# heartbeat.yml
+heartbeat.run_once: true
+heartbeat.monitors:
+# your monitor config here...
+```
+
+
+## Publish timeout (Experimental) [publish-timeout]
+
+You can configure Heartbeat to exit after an elapsed timeout if unable to publish pending events. This is an experimental feature and is subject to change.
+
+Note, the `heartbeat.run_once` flag is required for `publish_timeout` to take effect.
+
+```yaml
+# heartbeat.yml
+heartbeat.publish_timeout: 30s
+heartbeat.run_once: true
+heartbeat.monitors:
+# your monitor config here...
+```
+
diff --git a/docs/reference/heartbeat/monitor-icmp-options.md b/docs/reference/heartbeat/monitor-icmp-options.md
new file mode 100644
index 000000000000..4b762bc8566f
--- /dev/null
+++ b/docs/reference/heartbeat/monitor-icmp-options.md
@@ -0,0 +1,37 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/monitor-icmp-options.html
+---
+
+# ICMP options [monitor-icmp-options]
+
+Also see [Common monitor options](/reference/heartbeat/monitor-options.md).
+
+The options described here configure Heartbeat to use ICMP (v4 and v6) Echo Requests to check the configured hosts. Please note that on most platforms you must execute Heartbeat with elevated permissions to perform ICMP pings.
+
+On Linux, regular users may perform pings if the right file capabilities are set. Run `sudo setcap cap_net_raw+eip /path/to/heartbeat` to  grant Heartbeat ping capabilities on Linux.
+
+The binary has the correct capabilities already set on the container image, however your container runtime must allow the use of these privileges for them to be used. On docker this can be achieved with `--cap-add=NET_RAW`.
+
+Other platforms may require Heartbeat to run as root or administrator to execute pings.
+
+Example configuration:
+
+```yaml
+- type: icmp
+  id: ping-myhost
+  name: My Host Ping
+  hosts: ["myhost"]
+  schedule: '*/5 * * * * * *'
+```
+
+
+## `hosts` [monitor-icmp-hosts]
+
+A list of hosts to ping.
+
+
+## `wait` [monitor-icmp-wait]
+
+The duration to wait before emitting another ICMP Echo Request if no response is received. The default is 1 second (1s).
+
diff --git a/docs/reference/heartbeat/monitor-options.md b/docs/reference/heartbeat/monitor-options.md
new file mode 100644
index 000000000000..8e68363618be
--- /dev/null
+++ b/docs/reference/heartbeat/monitor-options.md
@@ -0,0 +1,170 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/monitor-options.html
+---
+
+# Common monitor options [monitor-options]
+
+You can specify the following options when defining a Heartbeat monitor in any location. These options are the same for all monitors. Each monitor type has additional configuration options that are specific to that monitor type.
+
+
+### `type` [monitor-type]
+
+The type of monitor to run. See [Monitor types](/reference/heartbeat/configuration-heartbeat-options.md#monitor-types).
+
+
+### `id` [monitor-id]
+
+A unique identifier for this configuration. This should not change with edits to the monitor configuration regardless of changes to any config fields. Examples: `uploader-service`, `http://example.net`, `us-west-loadbalancer`. Note that this uniqueness is only within a given beat instance. If you want to monitor the same endpoint from multiple locations it is recommended that those heartbeat instances use the same IDs so that their results can be correlated. You can use the `host.geo.name` property to disambiguate them.
+
+When querying against indexed monitor data this is the field you will be aggregating with. Appears in the [exported fields](/reference/heartbeat/exported-fields.md) as `monitor.id`.
+
+If you do not set this explicitly the monitor’s config will be hashed and a generated value used. This value will change with any options change to this monitor making aggregations over time between changes impossible. For this reason it is recommended that you set this manually.
+
+
+### `name` [monitor-name]
+
+Optional human readable name for this monitor. This value appears in the [exported fields](/reference/heartbeat/exported-fields.md) as `monitor.name`.
+
+
+### `service.name` [service-name]
+
+Optional APM service name for this monitor. Corresponds to the `service.name` ECS field. Set this when monitoring an app that is also using APM to enable integrations between Uptime and APM data in Kibana.
+
+
+### `enabled` [monitor-enabled]
+
+A Boolean value that specifies whether the module is enabled. If the `enabled` option is missing from the configuration block, the module is enabled by default.
+
+
+### `schedule` [monitor-schedule]
+
+A cron-like expression that specifies the task schedule. For example:
+
+* `*/5 * * * * * *` runs the task every 5 seconds (for example, at 10:00:00, 10:00:05, and so on).
+* `@every 5s` runs the task every 5 seconds from the time when Heartbeat was started.
+
+The `schedule` option uses a cron-like syntax based on [this `cronexpr` implementation](https://github.com/gorhill/cronexpr#implementation), but adds the `@every` keyword.
+
+For stats on the execution of scheduled tasks you can enable the HTTP stats server with `http.enabled: true` in heartbeat.yml, then run `curl http://localhost:5066/stats | jq .heartbeat.scheduler` to view the scheduler’s stats. Stats are provided for both jobs and tasks. Each time a monitor is scheduled is considered to be a single job, while portions of the work a job does, like DNS lookups and executing network requests are defined as tasks. The stats provided are:
+
+* **jobs.active:** The number of actively running jobs/monitors.
+* **jobs.missed_deadline:** The number of jobs that executed after their scheduled time. This can be caused either by overlong long timeouts from the previous job or high load preventing heartbeat from keeping up with work.
+* **tasks.active:** The number of tasks currently running.
+* **tasks.waiting:** If the global `schedule.limit` option is set, this number will reflect the number of tasks that are ready to execute, but have not been started in order to prevent exceeding `schedule.limit`.
+
+Also see the [task scheduler](/reference/heartbeat/monitors-scheduler.md) settings.
+
+
+### `ipv4` [monitor-ipv4]
+
+A Boolean value that specifies whether to ping using the ipv4 protocol if hostnames are configured. The default is `true`.
+
+
+### `ipv6` [monitor-ipv6]
+
+A Boolean value that specifies whether to ping using the ipv6 protocol if hostnames are configured. The default is `true`.
+
+
+### `mode` [monitor-mode]
+
+If `mode` is `any`, the monitor pings only one IP address for a hostname. If `mode` is `all`, the monitor pings all resolvable IPs for a hostname. The `mode: all` setting is useful if you are using a DNS-load balancer and want to ping every IP address for the specified hostname. The default is `any`.
+
+
+### `timeout` [monitor-timeout]
+
+The total running time for each ping test. This is the total time allowed for testing the connection and exchanging data. The default is 16 seconds (16s).
+
+If the timeout is exceeded, Heartbeat publishes a `service-down` event. If the value specified for `timeout` is greater than `schedule`, intermediate checks will not be executed by the scheduler.
+
+
+## `run_from` [monitor-run-from]
+
+Use the `run_from` option to set the geographic location fields relevant to a given heartbeat monitor.
+
+The `run_from` option is used to label the geographic location where the monitor is running. Note, you can also set the `run_from` option on all monitors via the `heartbeat.run_from` option.
+
+The `run_from` option takes two top-level fields:
+
+* `id`: A string used to uniquely identify the geographic location. It is indexed as the `observer.name` field.
+* `geo`: A map conforming to [ECS geo fields](ecs://reference/ecs-geo.md). It is indexed under `observer.geo`.
+
+Example:
+
+```yaml
+- type: http
+  # Set enabled to true (or delete the following line) to enable this example monitor
+  enabled: true
+  # ID used to uniquely identify this monitor in elasticsearch even if the config changes
+  id: geo-test
+  # Human readable display name for this service in Uptime UI and elsewhere
+  name: Geo Test
+  # List or urls to query
+  urls: ["http://example.net"]
+  # Configure task schedule
+  schedule: '@every 10s'
+  run_from:
+    id: my-custom-geo
+    geo:
+      name: nyc-dc1-rack1
+      location: 40.7128, -74.0060
+      continent_name: North America
+      country_iso_code: US
+      region_name: New York
+      region_iso_code: NY
+      city_name: New York
+```
+
+
+### `fields` [monitor-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+
+### `fields_under_root` [monitor-fields-under-root]
+
+If this option is set to true, the custom [fields](#monitor-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Heartbeat, then the custom fields overwrite the other fields.
+
+
+### `tags` [monitor-tags]
+
+A list of tags that will be sent with the monitor event. This setting is optional.
+
+
+### `processors` [monitor-processors]
+
+A list of processors to apply to the data generated by the monitor.
+
+See [Processors](/reference/heartbeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+### `data_stream` [monitor-data-stream]
+
+Contains options pertaining to data stream naming, following the conventions followed by [Fleet Data Streams](docs-content://reference/ingestion-tools/fleet/data-streams.md). By default Heartbeat will write to a datastream named `heartbeat-VERSION`.
+
+```yaml
+# To enable data streams with the default namespace
+data_stream.namespace: default
+```
+
+
+#### `pipeline` [monitor-pipeline]
+
+The {{es}} ingest pipeline ID to set for the events generated by this input.
+
+::::{note}
+The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
+::::
+
+
+
+#### `index` (deprecated) [monitor-index]
+
+This setting is now deprecated in favor of the `data_stream` option. If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"heartbeat-myindex-2019.11.01"`.
+
+
+### `keep_null` [monitor-keep-null]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
diff --git a/docs/reference/heartbeat/monitor-tcp-options.md b/docs/reference/heartbeat/monitor-tcp-options.md
new file mode 100644
index 000000000000..be64415b718c
--- /dev/null
+++ b/docs/reference/heartbeat/monitor-tcp-options.md
@@ -0,0 +1,98 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/monitor-tcp-options.html
+---
+
+# TCP options [monitor-tcp-options]
+
+Also see [Common monitor options](/reference/heartbeat/monitor-options.md).
+
+The options described here configure Heartbeat to connect via TCP and optionally verify the endpoint by sending and/or receiving a custom payload.
+
+Example configuration:
+
+```yaml
+- type: tcp
+  id: my-host-services
+  name: My Host Services
+  hosts: ["myhost"]
+  ports: [80, 9200, 5044]
+  schedule: '@every 5s'
+```
+
+
+## `hosts` [monitor-tcp-hosts]
+
+A list of hosts to ping. The entries in the list can be:
+
+* A plain host name, such as `localhost`, or an IP address. If you specify this option, you must also specify a value for [`ports`](#monitor-tcp-ports).  If the monitor is [configured to use SSL](/reference/heartbeat/configuration-ssl.md), Heartbeat establishes an SSL/TLS-based connection. Otherwise, it establishes a plain TCP connection.
+* A hostname and port, such as `localhost:12345`. Heartbeat connects to the port on the specified host. If the monitor is [configured to use SSL](/reference/heartbeat/configuration-ssl.md), Heartbeat establishes an SSL/TLS-based connection. Otherwise, it establishes a TCP connection.
+* A full URL using the syntax `scheme://<host>:[port]`, where:
+
+    * `scheme` is one of `tcp`, `plain`, `ssl` or `tls`. If `tcp` or `plain` is specified, Heartbeat establishes a TCP connection even if the monitor is configured to use SSL. If `tls` or `ssl` is specified, Heartbeat establishes an SSL connection. However, if the monitor is not configured to use SSL, the system defaults are used (currently not supported on Windows).
+    * `host` is the hostname.
+    * `port` is the port number. If `port` is missing in the URL, the [`ports`](#monitor-tcp-ports) setting is required.
+
+
+
+## `ports` [monitor-tcp-ports]
+
+A list of ports to ping if the host specified in [`hosts`](#monitor-tcp-hosts) does not contain a port number. It is generally preferable to use a single value here, since each port will be monitored using a separate `id`, with the given `id` value, used as a prefix in the Heartbeat data, and the configured `name` shared across events sent via this check.
+
+
+## `check` [monitor-tcp-check]
+
+An optional payload string to send to the remote host and the expected answer. If no payload is specified, the endpoint is assumed to be available if the connection attempt was successful. If `send` is specified without `receive`, any response is accepted as OK. If `receive` is specified without `send`, no payload is sent, but the client expects to receive a payload in the form of a "hello message" or "banner" on connect.
+
+Example configuration:
+
+```yaml
+- type: tcp
+  id: echo-service
+  name: Echo Service
+  hosts: ["myhost"]
+  ports: [7]
+  check.send: 'Hello World'
+  check.receive: 'Hello World'
+  schedule: '@every 5s'
+```
+
+
+## `proxy_url` [monitor-tcp-proxy-url]
+
+The URL of the SOCKS5 proxy to use when connecting to the server. The value must be a URL with a scheme of socks5://.
+
+If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL as shown in the example.
+
+```yaml
+  proxy_url: socks5://user:password@socks5-proxy:2233
+```
+
+When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the `proxy_use_local_resolver` option.
+
+
+## `proxy_use_local_resolver` [monitor-tcp-proxy-use-local-resolver]
+
+A Boolean value that determines whether hostnames are resolved locally instead of being resolved on the proxy server. The default value is false, which means that name resolution occurs on the proxy server.
+
+
+## `ssl` [monitor-tcp-tls-ssl]
+
+The TLS/SSL connection settings.  If the monitor is [configured to use SSL](/reference/heartbeat/configuration-ssl.md), it will attempt an SSL handshake. If `check` is not configured, the monitor will only check to see if it can establish an SSL/TLS connection. This check can fail either at TCP level or during certificate validation.
+
+Example configuration:
+
+```yaml
+- type: tcp
+  id: tls-mail
+  name: TLS Mail
+  hosts: ["mail.example.net"]
+  ports: [465]
+  schedule: '@every 5s'
+  ssl:
+    certificate_authorities: ['/etc/ca.crt']
+    supported_protocols: ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
+```
+
+Also see [SSL](/reference/heartbeat/configuration-ssl.md) for a full description of the `ssl` options.
+
diff --git a/docs/reference/heartbeat/monitoring-internal-collection.md b/docs/reference/heartbeat/monitoring-internal-collection.md
new file mode 100644
index 000000000000..7b475fdd8666
--- /dev/null
+++ b/docs/reference/heartbeat/monitoring-internal-collection.md
@@ -0,0 +1,73 @@
+---
+navigation_title: "Use internal collection"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/monitoring-internal-collection.html
+---
+
+# Use internal collection to send monitoring data [monitoring-internal-collection]
+
+
+Use internal collectors to send {{beats}} monitoring data directly to your monitoring cluster. Or as an alternative to internal collection, use [Use {{metricbeat}} collection](/reference/heartbeat/monitoring-metricbeat-collection.md). The benefit of using internal collection instead of {{metricbeat}} is that you have fewer pieces of software to install and maintain.
+
+1. Create an API key or user that has appropriate authority to send system-level monitoring data to {{es}}. For example, you can use the built-in `beats_system` user or assign the built-in `beats_system` role to another user. For more information on the required privileges, see [Create a *monitoring* user](/reference/heartbeat/privileges-to-publish-monitoring.md). For more information on how to use API keys, see [*Grant access using API keys*](/reference/heartbeat/beats-api-keys.md).
+2. Add the `monitoring` settings in the Heartbeat configuration file. If you configured the {{es}} output and want to send Heartbeat monitoring events to the same {{es}} cluster, specify the following minimal configuration:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      elasticsearch:
+        api_key:  id:api_key <1>
+        username: beats_system
+        password: somepassword
+    ```
+
+    1. Specify one of `api_key` or `username`/`password`.
+
+
+    If you want to send monitoring events to an [{{ecloud}}](https://cloud.elastic.co/) monitoring cluster, you can use two simpler settings. When defined, these settings overwrite settings from other parts in the configuration. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cloud.id: 'staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=='
+      cloud.auth: 'elastic:{pwd}'
+    ```
+
+    If you configured a different output, such as {{ls}} or you want to send Heartbeat monitoring events to a separate {{es}} cluster (referred to as the *monitoring cluster*), you must specify additional configuration options. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cluster_uuid: PRODUCTION_ES_CLUSTER_UUID <1>
+      elasticsearch:
+        hosts: ["https://example.com:9200", "https://example2.com:9200"] <2>
+        api_key:  id:api_key <3>
+        username: beats_system
+        password: somepassword
+    ```
+
+    1. This setting identifies the {{es}} cluster under which the monitoring data for this Heartbeat instance will appear in the Stack Monitoring UI. To get a cluster’s `cluster_uuid`, call the `GET /` API against that production cluster.
+    2. This setting identifies the hosts and port numbers of {{es}} nodes that are part of the monitoring cluster.
+    3. Specify one of `api_key` or `username`/`password`.
+
+
+    If you want to use PKI authentication to send monitoring events to {{es}}, you must specify a different set of configuration options. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cluster_uuid: PRODUCTION_ES_CLUSTER_UUID
+      elasticsearch:
+        hosts: ["https://example.com:9200", "https://example2.com:9200"]
+        username: ""
+        ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+        ssl.certificate: "/etc/pki/client/cert.pem"
+        ssl.key: "/etc/pki/client/cert.key"
+    ```
+
+    You must specify the `username` as `""` explicitly so that the username from the client certificate (`CN`) is used. See [SSL](/reference/heartbeat/configuration-ssl.md) for more information about SSL settings.
+
+3. Start Heartbeat.
+4. [View the monitoring data in {{kib}}](docs-content://deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md).
+
+
diff --git a/docs/reference/heartbeat/monitoring-metricbeat-collection.md b/docs/reference/heartbeat/monitoring-metricbeat-collection.md
new file mode 100644
index 000000000000..b47a9e4cbd5d
--- /dev/null
+++ b/docs/reference/heartbeat/monitoring-metricbeat-collection.md
@@ -0,0 +1,163 @@
+---
+navigation_title: "Use {{metricbeat}} collection"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/monitoring-metricbeat-collection.html
+---
+
+# Use {{metricbeat}} to send monitoring data [monitoring-metricbeat-collection]
+
+
+In 7.3 and later, you can use {{metricbeat}} to collect data about Heartbeat and ship it to the monitoring cluster. The benefit of using {{metricbeat}} instead of internal collection is that the monitoring agent remains active even if the Heartbeat instance dies.
+
+To collect and ship monitoring data:
+
+1. [Configure the shipper you want to monitor](#configure-shipper)
+2. [Install and configure {{metricbeat}} to collect monitoring data](#configure-metricbeat)
+
+
+## Configure the shipper you want to monitor [configure-shipper]
+
+1. Enable the HTTP endpoint to allow external collection of monitoring data:
+
+    Add the following setting in the Heartbeat configuration file (`heartbeat.yml`):
+
+    ```yaml
+    http.enabled: true
+    ```
+
+    By default, metrics are exposed on port 5066. If you need to monitor multiple {{beats}} shippers running on the same server, set `http.port` to expose metrics for each shipper on a different port number:
+
+    ```yaml
+    http.port: 5067
+    ```
+
+2. Disable the default collection of Heartbeat monitoring metrics.<br>
+
+    Add the following setting in the Heartbeat configuration file (`heartbeat.yml`):
+
+    ```yaml
+    monitoring.enabled: false
+    ```
+
+    For more information, see [Monitoring configuration options](/reference/heartbeat/configuration-monitor.md).
+
+3. Configure host (optional).<br>
+
+    If you intend to get metrics using {{metricbeat}} installed on another server, you need to bind the Heartbeat to host’s IP:
+
+    ```yaml
+    http.host: xxx.xxx.xxx.xxx
+    ```
+
+4. Configure cluster UUID.<br>
+
+    The cluster UUID is necessary if you want to see {{beats}} monitoring in the {{kib}} stack monitoring view. The monitoring data will be grouped under the cluster for that UUID. To associate Heartbeat with the cluster UUID, set:
+
+    ```yaml
+    monitoring.cluster_uuid: "cluster-uuid"
+    ```
+
+5. Start Heartbeat.
+
+
+## Install and configure {{metricbeat}} to collect monitoring data [configure-metricbeat]
+
+1. Install {{metricbeat}} on the same server as Heartbeat. To learn how, see [Get started with {{metricbeat}}](/reference/metricbeat/metricbeat-installation-configuration.md). If you already have {{metricbeat}} installed on the server, skip this step.
+2. Enable the `beat-xpack` module in {{metricbeat}}.<br>
+
+    For example, to enable the default configuration in the `modules.d` directory, run the following command, using the correct command syntax for your OS:
+
+    ```sh
+    metricbeat modules enable beat-xpack
+    ```
+
+    For more information, see [Configure modules](/reference/metricbeat/configuration-metricbeat.md) and [beat module](/reference/metricbeat/metricbeat-module-beat.md).
+
+3. Configure the `beat-xpack` module in {{metricbeat}}.<br>
+
+    The `modules.d/beat-xpack.yml` file contains the following settings:
+
+    ```yaml
+    - module: beat
+      metricsets:
+        - stats
+        - state
+      period: 10s
+      hosts: ["http://localhost:5066"]
+      #username: "user"
+      #password: "secret"
+      xpack.enabled: true
+    ```
+
+    Set the `hosts`, `username`, and `password` settings as required by your environment. For other module settings, it’s recommended that you accept the defaults.
+
+    By default, the module collects Heartbeat monitoring data from `localhost:5066`. If you exposed the metrics on a different host or port when you enabled the HTTP endpoint, update the `hosts` setting.
+
+    To monitor multiple {{beats}} agents, specify a list of hosts, for example:
+
+    ```yaml
+    hosts: ["http://localhost:5066","http://localhost:5067","http://localhost:5068"]
+    ```
+
+    If you configured Heartbeat to use encrypted communications, you must access it via HTTPS. For example, use a `hosts` setting like `https://localhost:5066`.
+
+    If the Elastic {{security-features}} are enabled, you must also provide a user ID and password so that {{metricbeat}} can collect metrics successfully:
+
+    1. Create a user on the {{es}} cluster that has the `remote_monitoring_collector` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md).
+    2. Add the `username` and `password` settings to the beat module configuration file.
+
+4. Optional: Disable the system module in the {{metricbeat}}.
+
+    By default, the [system module](/reference/metricbeat/metricbeat-module-system.md) is enabled. The information it collects, however, is not shown on the **Stack Monitoring** page in {{kib}}. Unless you want to use that information for other purposes, run the following command:
+
+    ```sh
+    metricbeat modules disable system
+    ```
+
+5. Identify where to send the monitoring data.<br>
+
+    ::::{tip}
+    In production environments, we strongly recommend using a separate cluster (referred to as the *monitoring cluster*) to store the data. Using a separate monitoring cluster prevents production cluster outages from impacting your ability to access your monitoring data. It also prevents monitoring activities from impacting the performance of your production cluster.
+    ::::
+
+
+    For example, specify the {{es}} output information in the {{metricbeat}} configuration file (`metricbeat.yml`):
+
+    ```yaml
+    output.elasticsearch:
+      # Array of hosts to connect to.
+      hosts: ["http://es-mon-1:9200", "http://es-mon2:9200"] <1>
+
+      # Optional protocol and basic auth credentials.
+      #protocol: "https"
+      #api_key:  "id:api_key" <2>
+      #username: "elastic"
+      #password: "changeme"
+    ```
+
+    1. In this example, the data is stored on a monitoring cluster with nodes `es-mon-1` and `es-mon-2`.
+    2. Specify one of `api_key` or `username`/`password`.
+
+
+    If you configured the monitoring cluster to use encrypted communications, you must access it via HTTPS. For example, use a `hosts` setting like `https://es-mon-1:9200`.
+
+    ::::{important}
+    The {{es}} {{monitor-features}} use ingest pipelines. The cluster that stores the monitoring data must have at least one node with the `ingest` role.
+    ::::
+
+
+    If the {{es}} {{security-features}} are enabled on the monitoring cluster, you must provide a valid user ID and password so that {{metricbeat}} can send metrics successfully:
+
+    1. Create a user on the monitoring cluster that has the `remote_monitoring_agent` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md).
+
+        ::::{tip}
+        If you’re using index lifecycle management, the remote monitoring user requires additional privileges to create and read indices. For more information, see [*Grant users access to secured resources*](/reference/heartbeat/feature-roles.md).
+        ::::
+
+    2. Add the `username` and `password` settings to the {{es}} output information in the {{metricbeat}} configuration file.
+
+    For more information about these configuration options, see [Configure the {{es}} output](/reference/metricbeat/elasticsearch-output.md).
+
+6. [Start {{metricbeat}}](/reference/metricbeat/metricbeat-starting.md) to begin collecting monitoring data.
+7. [View the monitoring data in {{kib}}](docs-content://deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md).
+
diff --git a/docs/reference/heartbeat/monitoring-shows-fewer-than-expected-beats.md b/docs/reference/heartbeat/monitoring-shows-fewer-than-expected-beats.md
new file mode 100644
index 000000000000..bc267c133986
--- /dev/null
+++ b/docs/reference/heartbeat/monitoring-shows-fewer-than-expected-beats.md
@@ -0,0 +1,10 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/monitoring-shows-fewer-than-expected-beats.html
+---
+
+# Monitoring UI shows fewer Beats than expected [monitoring-shows-fewer-than-expected-beats]
+
+If you are running multiple Beat instances on the same host, make sure they each have a distinct `path.data` value.
+
+
diff --git a/docs/reference/heartbeat/monitoring.md b/docs/reference/heartbeat/monitoring.md
new file mode 100644
index 000000000000..738e2b632fb2
--- /dev/null
+++ b/docs/reference/heartbeat/monitoring.md
@@ -0,0 +1,16 @@
+---
+navigation_title: "Monitor"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/monitoring.html
+---
+
+# Monitor Heartbeat [monitoring]
+
+
+You can use the {{stack}} {{monitor-features}} to gain insight into the health of Heartbeat instances running in your environment.
+
+To monitor Heartbeat, make sure monitoring is enabled on your {{es}} cluster, then configure the method used to collect Heartbeat metrics. You can use one of following methods:
+
+* [Internal collection](/reference/heartbeat/monitoring-internal-collection.md) - Internal collectors send monitoring data directly to your monitoring cluster.
+* [{{metricbeat}} collection](/reference/heartbeat/monitoring-metricbeat-collection.md) - {{metricbeat}} collects monitoring data from your Heartbeat instance and sends it directly to your monitoring cluster.
+
diff --git a/docs/reference/heartbeat/monitors-scheduler.md b/docs/reference/heartbeat/monitors-scheduler.md
new file mode 100644
index 000000000000..6a5e91e8de04
--- /dev/null
+++ b/docs/reference/heartbeat/monitors-scheduler.md
@@ -0,0 +1,50 @@
+---
+navigation_title: "Task scheduler"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/monitors-scheduler.html
+---
+
+# Configure the task scheduler [monitors-scheduler]
+
+
+You specify options under `heartbeat.scheduler` to control the behavior of the task scheduler.
+
+Example configuration:
+
+```yaml
+heartbeat.scheduler:
+  limit: 10
+  location: 'UTC-08:00'
+```
+
+In the example, setting `limit` to 10 guarantees that only 10 concurrent I/O tasks will be active. An I/O task can be the actual check or resolving an address via DNS.
+
+
+## `limit` [heartbeat-scheduler-limit]
+
+The number of concurrent I/O tasks that Heartbeat is allowed to execute. If set to 0, there is no limit. The default is 0.
+
+Most operating systems set a file descriptor limit of 1024. For Heartbeat to operate correctly and not accidentally block libbeat output, the value that you specify for `limit` should be below the configured ulimit.
+
+
+## `location` [heartbeat-scheduler-location]
+
+The time zone for the scheduler. By default the scheduler uses localtime.
+
+
+## `job.limit` [heartbeat-job-limit]
+
+On top of the scheduler level limit, Heartbeat allows limiting the number of concurrent tasks per monitor/job type.
+
+Example configuration:
+
+```yaml
+heartbeat.jobs:
+  http:
+    limit: 10
+```
+
+In the example, at any given time Heartbeat guarantees that only 10 concurrent `http` tasks will be active.
+
+These limits can also be set via the environment variables `SYNTHETICS_LIMIT_{{TYPE}}`, where `{{TYPE}}` is one of `HTTP`, `TCP`, and `ICMP`.
+
diff --git a/docs/reference/heartbeat/move-fields.md b/docs/reference/heartbeat/move-fields.md
new file mode 100644
index 000000000000..ad046dffb05a
--- /dev/null
+++ b/docs/reference/heartbeat/move-fields.md
@@ -0,0 +1,93 @@
+---
+navigation_title: "move_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/move-fields.html
+---
+
+# Move fields [move-fields]
+
+
+The `move_fields` processor moves event fields from one object into another. It can also rearrange fields or add a prefix to fields.
+
+The processor extracts fields from `from`, then uses `fields` and `exclude` as filters to choose which fields to move into the `to` field.
+
+For example, given the following event:
+
+```json
+{
+  "app": {
+    "method": "a",
+    "elapsed_time": 100,
+    "user_id": 100,
+    "message": "i'm a message"
+  }
+}
+```
+
+To move `method` and `elapsed_time` into another object, use this configuration:
+
+```yaml
+processors:
+  - move_fields:
+      from: "app"
+      fields: ["method", "elapsed_time"],
+      to: "rpc."
+```
+
+Your final event will be:
+
+```json
+{
+  "app": {
+    "user_id": 100,
+    "message": "i'm a message",
+    "rpc": {
+      "method": "a",
+      "elapsed_time": 100
+    }
+  }
+}
+```
+
+To add a prefix to the whole event:
+
+```json
+{
+  "app": { "method": "a"},
+  "cost": 100
+}
+```
+
+Use this configuration:
+
+```yaml
+processors:
+  - move_fields:
+      to: "my_prefix_"
+```
+
+Your final event will be:
+
+```json
+{
+  "my_prefix_app": { "method": "a"},
+  "my_prefix_cost": 100
+}
+```
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `from` | no |  | Which field you want extract. This field and any nested fields will be moved into `to` unless they are filtered out. If empty, indicates event root. |  |
+| `fields` | no |  | Which fields to extract from `from` and move to `to`. An empty list indicates all fields. |  |
+| `ignore_missing` | no | false | Ignore "not found" errors when extracting fields. |  |
+| `exclude` | no |  | A list of fields to exclude and not move. |  |
+| `to` | yes |  | These fields extract from `from` destination field prefix the `to` will base on fields root. |  |
+
+```yaml
+processors:
+  - move_fields:
+      from: "app"
+      fields: [ "method", "elapsed_time" ]
+      to: "rpc."
+```
+
diff --git a/docs/reference/heartbeat/privileges-to-publish-events.md b/docs/reference/heartbeat/privileges-to-publish-events.md
new file mode 100644
index 000000000000..e6a5346fff46
--- /dev/null
+++ b/docs/reference/heartbeat/privileges-to-publish-events.md
@@ -0,0 +1,37 @@
+---
+navigation_title: "Create a _publishing_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/privileges-to-publish-events.html
+---
+
+# Grant privileges and roles needed for publishing [privileges-to-publish-events]
+
+
+Users who publish events to {{es}} need to create and write to Heartbeat indices. To minimize the privileges required by the writer role, use the [setup role](/reference/heartbeat/privileges-to-setup-beats.md) to pre-load dependencies. This section assumes that you’ve run the setup.
+
+When using ILM, turn off the ILM setup check in the Heartbeat config file before running Heartbeat to publish events:
+
+```yaml
+setup.ilm.check_exists: false
+```
+
+To grant the required privileges:
+
+1. Create a **writer role**, called something like `heartbeat_writer`, that has the following privileges:
+
+    ::::{note}
+    The `monitor` cluster privilege and the `create_doc` and `auto_configure` privileges on `heartbeat-*` indices are required in every configuration.
+    ::::
+
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+    | Cluster | `read_ilm` | Read the ILM policy when connecting to clusters that support ILM.Not needed when `setup.ilm.check_exists` is `false`. |
+    | Index | `create_doc` on `heartbeat-*` indices | Write events into {{es}} |
+    | Index | `auto_configure` on `heartbeat-*` indices | Update the datastream mapping. Consider either disabling entirely or adding therule `-{{beat_default_index_prefix}}-*` to the cluster settings[action.auto_create_index](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-create)to prevent unwanted indices creations from the agents. |
+
+    Omit any privileges that aren’t relevant in your environment.
+
+2. Assign the **writer role** to users who will index events into {{es}}.
+
diff --git a/docs/reference/heartbeat/privileges-to-publish-monitoring.md b/docs/reference/heartbeat/privileges-to-publish-monitoring.md
new file mode 100644
index 000000000000..068887cf625c
--- /dev/null
+++ b/docs/reference/heartbeat/privileges-to-publish-monitoring.md
@@ -0,0 +1,61 @@
+---
+navigation_title: "Create a _monitoring_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/privileges-to-publish-monitoring.html
+---
+
+# Grant privileges and roles needed for monitoring [privileges-to-publish-monitoring]
+
+
+{{es-security-features}} provides built-in users and roles for monitoring. The privileges and roles needed depend on the method used to collect monitoring data.
+
+::::{admonition} Important note for {{ecloud}} users
+:class: important
+
+Built-in users are not available when running our [hosted {{ess}}](https://www.elastic.co/cloud/elasticsearch-service) on {{ecloud}}. To send monitoring data securely, create a monitoring user and grant it the roles described in the following sections.
+
+::::
+
+
+* If you’re using [internal collection](/reference/heartbeat/monitoring-internal-collection.md) to collect metrics about Heartbeat, {{es-security-features}} provides the `beats_system` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md) and `beats_system` [built-in role](elasticsearch://reference/elasticsearch/roles.md) to send monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to send monitoring information.
+
+    If you use the `beats_system` user, make sure you set the password.
+
+    If you don’t use the `beats_system` user:
+
+    1. Create a **monitoring role**, called something like `heartbeat_monitoring`, that has the following privileges:
+
+        | Type | Privilege | Purpose |
+        | --- | --- | --- |
+        | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+        | Index | `create_index` on `.monitoring-beats-*` indices | Create monitoring indices in {{es}} |
+        | Index | `create_doc` on `.monitoring-beats-*` indices | Write monitoring events into {{es}} |
+
+    2. Assign the **monitoring role**, along with the following built-in roles, to users who need to monitor Heartbeat:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `kibana_admin` | Use {{kib}} |
+        | `monitoring_user` | Use **Stack Monitoring** in {{kib}} to monitor Heartbeat |
+
+* If you’re [using {{metricbeat}}](/reference/heartbeat/monitoring-metricbeat-collection.md) to collect metrics about Heartbeat, {{es-security-features}} provides the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md), and the `remote_monitoring_collector` and `remote_monitoring_agent` [built-in roles](elasticsearch://reference/elasticsearch/roles.md) for collecting and sending monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to collect and send monitoring information.
+
+    If you use the `remote_monitoring_user` user, make sure you set the password.
+
+    If you don’t use the `remote_monitoring_user` user:
+
+    1. Create a user on the production cluster who will collect and send monitoring information.
+    2. Assign the following roles to the user:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `remote_monitoring_collector` | Collect monitoring metrics from Heartbeat |
+        | `remote_monitoring_agent` | Send monitoring data to the monitoring cluster |
+
+    3. Assign the following role to users who will view the monitoring data in {{kib}}:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `monitoring_user` | Use **Stack Monitoring** in {{kib}} to monitor Heartbeat |
+
+
diff --git a/docs/reference/heartbeat/privileges-to-setup-beats.md b/docs/reference/heartbeat/privileges-to-setup-beats.md
new file mode 100644
index 000000000000..45ff70da6eb5
--- /dev/null
+++ b/docs/reference/heartbeat/privileges-to-setup-beats.md
@@ -0,0 +1,42 @@
+---
+navigation_title: "Create a _setup_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/privileges-to-setup-beats.html
+---
+
+# Grant privileges and roles needed for setup [privileges-to-setup-beats]
+
+
+::::{important}
+Setting up Heartbeat is an admin-level task that requires extra privileges. As a best practice, grant the setup role to administrators only, and use a more restrictive role for event publishing.
+::::
+
+
+Administrators who set up Heartbeat typically need to load mappings, dashboards, and other objects used to index data into {{es}} and visualize it in {{kib}}.
+
+To grant users the required privileges:
+
+1. Create a **setup role**, called something like `heartbeat_setup`, that has the following privileges:
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+    | Cluster | `manage_ilm` | Set up and manage index lifecycle management (ILM) policy |
+    | Index | `manage` on `heartbeat-*` indices | Load data stream |
+
+    Omit any privileges that aren’t relevant in your environment.
+
+    ::::{note}
+    These instructions assume that you are using the default name for Heartbeat indices. If `heartbeat-*` is not listed, or you are using a custom name, enter it manually and modify the privileges to match your index naming pattern.
+    ::::
+
+2. Assign the **setup role**, along with the following built-in roles, to users who need to set up Heartbeat:
+
+    | Role | Purpose |
+    | --- | --- |
+    | `kibana_admin` | Load dependencies, such as example dashboards, if available, into {{kib}} |
+    | `ingest_admin` | Set up index templates and, if available, ingest pipelines |
+
+    Omit any roles that aren’t relevant in your environment.
+
+
diff --git a/docs/reference/heartbeat/processor-dns.md b/docs/reference/heartbeat/processor-dns.md
new file mode 100644
index 000000000000..ba88677aa606
--- /dev/null
+++ b/docs/reference/heartbeat/processor-dns.md
@@ -0,0 +1,102 @@
+---
+navigation_title: "dns"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/processor-dns.html
+---
+
+# DNS Reverse Lookup [processor-dns]
+
+
+The `dns` processor performs DNS queries. It caches the responses that it receives in accordance to the time-to-live (TTL) value contained in the response. It also caches failures that occur during lookups. Each instance of this processor maintains its own independent cache.
+
+The processor uses its own DNS resolver to send requests to nameservers and does not use the operating system’s resolver. It does not read any values contained in `/etc/hosts`.
+
+This processor can significantly slow down your pipeline’s throughput if you have a high latency network or slow upstream nameserver. The cache will help with performance, but if the addresses being resolved have a high cardinality then the cache benefits will be diminished due to the high miss ratio.
+
+By way of example, if each DNS lookup takes 2 milliseconds, the maximum throughput you can achieve is 500 events per second (1000 milliseconds / 2 milliseconds). If you have a high cache hit ratio then your throughput can be higher.
+
+The processor can send the following query types:
+
+* `A` - IPv4 addresses
+* `AAAA` - IPv6 addresses
+* `TXT` - arbitrary human-readable text data
+* `PTR` - reverse IP address lookups
+
+The output value is a list of strings for all query types except `PTR`. For `PTR` queries the output value is a string.
+
+This is a minimal configuration example that resolves the IP addresses contained in two fields.
+
+```yaml
+processors:
+  - dns:
+      type: reverse
+      fields:
+        source.ip: source.domain
+        destination.ip: destination.domain
+```
+
+Next is a configuration example showing all options.
+
+```yaml
+processors:
+- dns:
+    type: reverse
+    action: append
+    transport: tls
+    fields:
+      server.ip: server.domain
+      client.ip: client.domain
+    success_cache:
+      capacity.initial: 1000
+      capacity.max: 10000
+      min_ttl: 1m
+    failure_cache:
+      capacity.initial: 1000
+      capacity.max: 10000
+      ttl: 1m
+    nameservers: ['192.0.2.1', '203.0.113.1']
+    timeout: 500ms
+    tag_on_failure: [_dns_reverse_lookup_failed]
+```
+
+The `dns` processor has the following configuration settings:
+
+`type`
+:   The type of DNS query to perform. The supported types are `A`, `AAAA`, `PTR` (or `reverse`), and `TXT`.
+
+`action`
+:   This defines the behavior of the processor when the target field already exists in the event. The options are `append` (default) and `replace`.
+
+`fields`
+:   This is a mapping of source field names to target field names. The value of the source field will be used in the DNS query and result will be written to the target field.
+
+`success_cache.capacity.initial`
+:   The initial number of items that the success cache will be allocated to hold. When initialized the processor will allocate the memory for this number of items. Default value is `1000`.
+
+`success_cache.capacity.max`
+:   The maximum number of items that the success cache can hold. When the maximum capacity is reached a random item is evicted. Default value is `10000`.
+
+`success_cache.min_ttl`
+:   The duration of the minimum alternative cache TTL for successful DNS responses. Ensures that `TTL=0` successful reverse DNS responses can be cached. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `1m`.
+
+`failure_cache.capacity.initial`
+:   The initial number of items that the failure cache will be allocated to hold. When initialized the processor will allocate the memory for this number of items. Default value is `1000`.
+
+`failure_cache.capacity.max`
+:   The maximum number of items that the failure cache can hold. When the maximum capacity is reached a random item is evicted. Default value is `10000`.
+
+`failure_cache.ttl`
+:   The duration for which failures are cached. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `1m`.
+
+`nameservers`
+:   A list of nameservers to query. If there are multiple servers, the resolver queries them in the order listed. If none are specified then it will read the nameservers listed in `/etc/resolv.conf` once at initialization. On Windows you must always supply at least one nameserver.
+
+`timeout`
+:   The duration after which a DNS query will timeout. This is timeout for each DNS request so if you have 2 nameservers then the total timeout will be 2 times this value. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `500ms`.
+
+`tag_on_failure`
+:   A list of tags to add to the event when any lookup fails. The tags are only added once even if multiple lookups fail. By default, no tags are added upon failure.
+
+`transport`
+:   The type of transport connection that should be used can either be `tls` (DNS over TLS) or `udp`. Defaults to `udp`.
+
diff --git a/docs/reference/heartbeat/processor-registered-domain.md b/docs/reference/heartbeat/processor-registered-domain.md
new file mode 100644
index 000000000000..4c6a684cd4fd
--- /dev/null
+++ b/docs/reference/heartbeat/processor-registered-domain.md
@@ -0,0 +1,36 @@
+---
+navigation_title: "registered_domain"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/processor-registered-domain.html
+---
+
+# Registered Domain [processor-registered-domain]
+
+
+The `registered_domain` processor reads a field containing a hostname and then writes the "registered domain" contained in the hostname to the target field. For example, given `www.google.co.uk` the processor would output `google.co.uk`. In other words the "registered domain" is the effective top-level domain (`co.uk`) plus one level (`google`). Optionally, it can store the rest of the domain, the `subdomain` into another target field.
+
+This processor uses the Mozilla Public Suffix list to determine the value.
+
+```yaml
+processors:
+  - registered_domain:
+      field: dns.question.name
+      target_field: dns.question.registered_domain
+      target_etld_field: dns.question.top_level_domain
+      target_subdomain_field: dns.question.sudomain
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `registered_domain` processor has the following configuration settings:
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a fully qualified domain name (FQDN). |  |
+| `target_field` | yes |  | Target field for the registered domain value. |  |
+| `target_etld_field` | no |  | Target field for the effective top-level domain value. |  |
+| `target_subdomain_field` | no |  | Target subdomain field for the subdomain value. |  |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |  |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |  |
+| `id` | no |  | An identifier for this processor instance. Useful for debugging. |  |
+
diff --git a/docs/reference/heartbeat/processor-script.md b/docs/reference/heartbeat/processor-script.md
new file mode 100644
index 000000000000..7ee32fd02bd8
--- /dev/null
+++ b/docs/reference/heartbeat/processor-script.md
@@ -0,0 +1,118 @@
+---
+navigation_title: "script"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/processor-script.html
+---
+
+# Script Processor [processor-script]
+
+
+The `script` processor executes Javascript code to process an event. The processor uses a pure Go implementation of ECMAScript 5.1 and has no external dependencies. This can be useful in situations where one of the other processors doesn’t provide the functionality you need to filter events.
+
+The processor can be configured by embedding Javascript in your configuration file or by pointing the processor at external file(s).
+
+```yaml
+processors:
+  - script:
+      lang: javascript
+      source: >
+        function process(event) {
+            event.Tag("js");
+        }
+```
+
+This loads `filter.js` from disk.
+
+```yaml
+processors:
+  - script:
+      lang: javascript
+      file: ${path.config}/filter.js
+```
+
+Parameters can be passed to the script by adding `params` to the config. This allows for a script to be made reusable. When using `params` the code must define a `register(params)` function to receive the parameters.
+
+```yaml
+processors:
+  - script:
+      lang: javascript
+      tag: my_filter
+      params:
+        threshold: 15
+      source: >
+        var params = {threshold: 42};
+        function register(scriptParams) {
+            params = scriptParams;
+        }
+        function process(event) {
+            if (event.Get("severity") < params.threshold) {
+                event.Cancel();
+            }
+        }
+```
+
+If the script defines a `test()` function it will be invoked when the processor is loaded. Any exceptions thrown will cause the processor to fail to load. This can be used to make assertions about the behavior of the script.
+
+```javascript
+function process(event) {
+    if (event.Get("event.code") === 1102) {
+        event.Put("event.action", "cleared");
+    }
+    return event;
+}
+
+function test() {
+    var event = process(new Event({event: {code: 1102}}));
+    if (event.Get("event.action") !== "cleared") {
+        throw "expected event.action === cleared";
+    }
+}
+```
+
+
+## Configuration options [_configuration_options_11]
+
+The `script` processor has the following configuration settings:
+
+`lang`
+:   This field is required and its value must be `javascript`.
+
+`tag`
+:   This is an optional identifier that is added to log messages. If defined it enables metrics logging for this instance of the processor. The metrics include the number of exceptions and a histogram of the execution times for the `process` function.
+
+`source`
+:   Inline Javascript source code.
+
+`file`
+:   Path to a script file to load. Relative paths are interpreted as relative to the `path.config` directory. Globs are expanded.
+
+`files`
+:   List of script files to load. The scripts are concatenated together. Relative paths are interpreted as relative to the `path.config` directory. And globs are expanded.
+
+`params`
+:   A dictionary of parameters that are passed to the `register` of the script.
+
+`tag_on_exception`
+:   Tag to add to events in case the Javascript code causes an exception while processing an event. Defaults to `_js_exception`.
+
+`timeout`
+:   This sets an execution timeout for the `process` function. When the `process` function takes longer than the `timeout` period the function is interrupted. You can set this option to prevent a script from running for too long (like preventing an infinite `while` loop). By default there is no timeout.
+
+`max_cached_sessions`
+:   This sets the maximum number of Javascript VM sessions that will be cached to avoid reallocation. The default is `4`.
+
+
+## Event API [_event_api]
+
+The `Event` object passed to the `process` method has the following API.
+
+| Method | Description |
+| --- | --- |
+| `Get(string)` | Get a value from the event (either a scalar or an object). If the key does notexist `null` is returned. If no key is provided then an object containing allfields is returned.<br>**Example**: `var value = event.Get(key);` |
+| `Put(string, value)` | Put a value into the event. If the key was already set then theprevious value is returned. It throws an exception if the key cannot be setbecause one of the intermediate values is not an object.<br>**Example**: `var old = event.Put(key, value);` |
+| `Rename(string, string)` | Rename a key in the event. The target key must not exist. Itreturns true if the source key was successfully renamed to the target key.<br>**Example**: `var success = event.Rename("source", "target");` |
+| `Delete(string)` | Delete a field from the event. It returns true on success.<br>**Example**: `var deleted = event.Delete("user.email");` |
+| `Cancel()` | Flag the event as cancelled which causes the processor to dropevent.<br>**Example**: `event.Cancel(); return;` |
+| `Tag(string)` | Append a tag to the `tags` field if the tag does not alreadyexist. Throws an exception if `tags` exists and is not a string or a list ofstrings.<br>**Example**: `event.Tag("user_event");` |
+| `AppendTo(string, string)` | `AppendTo` is a specialized `Put` method that converts the existing value to anarray and appends the value if it does not already exist. If there is anexisting value that’s not a string or array of strings then an exception isthrown.<br>**Example**: `event.AppendTo("error.message", "invalid file hash");` |
+
diff --git a/docs/reference/heartbeat/processor-translate-guid.md b/docs/reference/heartbeat/processor-translate-guid.md
new file mode 100644
index 000000000000..3407e78d3794
--- /dev/null
+++ b/docs/reference/heartbeat/processor-translate-guid.md
@@ -0,0 +1,79 @@
+---
+navigation_title: "translate_ldap_attribute"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/processor-translate-guid.html
+---
+
+# Translate GUID [processor-translate-guid]
+
+
+The `translate_ldap_attribute` processor translates an LDAP attributes between eachother. It is typically used to translate AD Global Unique Identifiers (GUID) into their common names.
+
+Every object on an Active Directory or an LDAP server is issued a GUID. Internal processes refer to their GUID’s rather than the object’s name and these values sometimes appear in logs.
+
+If the search attribute is invalid (malformed) or does not map to any object on the domain then this will result in the processor returning an error unless `ignore_failure` is set.
+
+The result of this operation is an array of values, given that a single attribute can hold multiple values.
+
+Note: the search attribute is expected to map to a single object. If it doesn’t, no error will be returned, but only results of the first entry will be added to the event.
+
+```yaml
+processors:
+  - translate_ldap_attribute:
+      field: winlog.event_data.ObjectGuid
+      ldap_address: "ldap://"
+      ldap_base_dn: "dc=example,dc=com"
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `translate_ldap_attribute` processor has the following configuration settings:
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a GUID. |
+| `target_field` | no |  | Target field for the mapped attribute value. If not set it will be replaced in place. |
+| `ldap_address` | yes |  | LDAP server address. eg: `ldap://ds.example.com:389` |
+| `ldap_base_dn` | yes |  | LDAP base DN. eg: `dc=example,dc=com` |
+| `ldap_bind_user` | no |  | LDAP user. |
+| `ldap_bind_password` | no |  | LDAP password. |
+| `ldap_search_attribute` | yes | `objectGUID` | LDAP attribute to search by. |
+| `ldap_mapped_attribute` | yes | `cn` | LDAP attribute to map to. |
+| `ldap_search_time_limit` | no | 30 | LDAP search time limit in seconds. |
+| `ldap_ssl`* | no | 30 | LDAP TLS/SSL connection settings. |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |
+
+* Also see [SSL](/reference/heartbeat/configuration-ssl.md) for a full description of the `ldap_ssl` options.
+
+If the searches are slow or you expect a high amount of different key attributes to be found, consider using a cache processor to speed processing:
+
+```yaml
+processors:
+  - cache:
+      backend:
+        memory:
+          id: ldapguids
+      get:
+        key_field: winlog.event_data.ObjectGuid
+        target_field: winlog.common_name
+      ignore_missing: true
+  - if:
+      not:
+        - has_fields: winlog.common_name
+    then:
+      - translate_ldap_attribute:
+          field: winlog.event_data.ObjectGuid
+          target_field: winlog.common_name
+          ldap_address: "ldap://"
+          ldap_base_dn: "dc=example,dc=com"
+      - cache:
+          backend:
+            memory:
+              id: ldapguids
+            capacity: 10000
+          put:
+            key_field: winlog.event_data.ObjectGuid
+            value_field: winlog.common_name
+```
+
diff --git a/docs/reference/heartbeat/processor-translate-sid.md b/docs/reference/heartbeat/processor-translate-sid.md
new file mode 100644
index 000000000000..461b915b88c9
--- /dev/null
+++ b/docs/reference/heartbeat/processor-translate-sid.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "translate_sid"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/processor-translate-sid.html
+---
+
+# Translate SID [processor-translate-sid]
+
+
+The `translate_sid` processor translates a Windows security identifier (SID) into an account name. It retrieves the name of the account associated with the SID, the first domain on which the SID is found, and the type of account. This is only available on Windows.
+
+Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account’s SID rather than the account’s user or group name and these values sometimes appear in logs.
+
+If the SID is invalid (malformed) or does not map to any account on the local system or domain then this will result in the processor returning an error unless `ignore_failure` is set.
+
+```yaml
+processors:
+  - translate_sid:
+      field: winlog.event_data.MemberSid
+      account_name_target: user.name
+      domain_target: user.domain
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `translate_sid` processor has the following configuration settings:
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a Windows security identifier (SID). |
+| `account_name_target` | yes* |  | Target field for the account name value. |
+| `account_type_target` | yes* |  | Target field for the account type value. |
+| `domain_target` | yes* |  | Target field for the domain value. |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |
+
+* At least one of `account_name_target`, `account_type_target`, and `domain_target` is required to be configured.
+
diff --git a/docs/reference/heartbeat/publishing-ls-fails-connection-reset-by-peer.md b/docs/reference/heartbeat/publishing-ls-fails-connection-reset-by-peer.md
new file mode 100644
index 000000000000..2736e2c5d538
--- /dev/null
+++ b/docs/reference/heartbeat/publishing-ls-fails-connection-reset-by-peer.md
@@ -0,0 +1,18 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/publishing-ls-fails-connection-reset-by-peer.html
+---
+
+# Publishing to Logstash fails with "connection reset by peer" message [publishing-ls-fails-connection-reset-by-peer]
+
+Heartbeat requires a persistent TCP connection to {{ls}}. If a firewall interferes with the connection, you might see errors like this:
+
+```shell
+Failed to publish events caused by: write tcp ... write: connection reset by peer
+```
+
+To solve the problem:
+
+* make sure the firewall is not closing connections between Heartbeat and {{ls}}, or
+* set the `ttl` value in the [{{ls}} output](/reference/heartbeat/logstash-output.md) to a value that’s lower than the maximum time allowed by the firewall, and set `pipelining` to 0 (pipelining cannot be enabled when `ttl` is used).
+
diff --git a/docs/reference/heartbeat/rate-limit.md b/docs/reference/heartbeat/rate-limit.md
new file mode 100644
index 000000000000..0cbeb578ab35
--- /dev/null
+++ b/docs/reference/heartbeat/rate-limit.md
@@ -0,0 +1,43 @@
+---
+navigation_title: "rate_limit"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/rate-limit.html
+---
+
+# Rate limit the flow of events [rate-limit]
+
+
+The `rate_limit` processor limits the throughput of events based on the specified configuration.
+
+In the current implementation, rate-limited events are dropped. Future implementations may allow rate-limited events to be handled differently.
+
+```yaml
+processors:
+- rate_limit:
+   limit: "10000/m"
+```
+
+```yaml
+processors:
+- rate_limit:
+   fields:
+   - "cloudfoundry.org.name"
+   limit: "400/s"
+```
+
+```yaml
+processors:
+- if.equals.cloudfoundry.org.name: "acme"
+  then:
+  - rate_limit:
+      limit: "500/s"
+```
+
+The following settings are supported:
+
+`limit`
+:   The rate limit. Supported time units for the rate are `s` (per second), `m` (per minute), and `h` (per hour).
+
+`fields`
+:   (Optional) List of fields. The rate limit will be applied to each distinct value derived by combining the values of these fields.
+
diff --git a/docs/reference/heartbeat/redis-output.md b/docs/reference/heartbeat/redis-output.md
new file mode 100644
index 000000000000..a6ffa2e5f947
--- /dev/null
+++ b/docs/reference/heartbeat/redis-output.md
@@ -0,0 +1,209 @@
+---
+navigation_title: "Redis"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/redis-output.html
+---
+
+# Configure the Redis output [redis-output]
+
+
+The Redis output inserts the events into a Redis list or a Redis channel. This output plugin is compatible with the [Redis input plugin](logstash://reference/plugins-inputs-redis.md) for Logstash.
+
+To use this output, edit the Heartbeat configuration file to disable the {{es}} output by commenting it out, and enable the Redis output by adding `output.redis`.
+
+Example configuration:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  password: "my_password"
+  key: "heartbeat"
+  db: 0
+  timeout: 5
+```
+
+## Compatibility [_compatibility_3]
+
+This output is expected to work with all Redis versions between 3.2.4 and 5.0.8. Other versions might work as well, but are not supported.
+
+
+## Configuration options [_configuration_options_5]
+
+You can specify the following `output.redis` options in the `heartbeat.yml` config file:
+
+### `enabled` [_enabled_4]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [_hosts_2]
+
+The list of Redis servers to connect to. If load balancing is enabled, the events are distributed to the servers in the list. If one server becomes unreachable, the events are distributed to the reachable servers only. You can define each Redis server by specifying `HOST` or `HOST:PORT`. For example: `"192.15.3.2"` or `"test.redis.io:12345"`. If you don’t specify a port number, the value configured by `port` is used. Configure each Redis server with an `IP:PORT` pair or with a `URL`. For example: `redis://localhost:6379` or `rediss://localhost:6379`. URLs can include a server-specific password. For example: `redis://:password@localhost:6379`. The `redis` scheme will disable the `ssl` settings for the host, while `rediss` will enforce TLS.  If `rediss` is specified and no `ssl` settings are configured, the output uses the system certificate store.
+
+
+### `index` [_index]
+
+The index name added to the events metadata for use by Logstash. The default is "heartbeat".
+
+
+### `key` [key-option-redis]
+
+The name of the Redis list or channel the events are published to. If not configured, the value of the `index` setting is used.
+
+You can set the key dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.list`, to set the Redis list key. If `fields.list` is missing, `fallback` is used:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  key: "%{[fields.list]:fallback}"
+```
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/heartbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`keys`](#keys-option-redis) setting for other ways to set the key dynamically.
+
+
+### `keys` [keys-option-redis]
+
+An array of key selector rules. Each rule specifies the `key` to use for events that match the rule. During publishing, Heartbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `keys` setting is missing or no rule matches, the [`key`](#key-option-redis) setting is used.
+
+Rule settings:
+
+**`index`**
+:   The key format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `key` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/heartbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+Example `keys` settings:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  key: "default_list"
+  keys:
+    - key: "info_list"   # send to info_list if `message` field contains INFO
+      when.contains:
+        message: "INFO"
+    - key: "debug_list"  # send to debug_list if `message` field contains DEBUG
+      when.contains:
+        message: "DEBUG"
+    - key: "%{[fields.list]}"
+      mappings:
+        http: "frontend_list"
+        nginx: "frontend_list"
+        mysql: "backend_list"
+```
+
+
+### `password` [_password_3]
+
+The password to authenticate with. The default is no authentication.
+
+
+### `db` [_db]
+
+The Redis database number where the events are published. The default is 0.
+
+
+### `datatype` [_datatype]
+
+The Redis data type to use for publishing events.If the data type is `list`, the Redis RPUSH command is used and all events are added to the list with the key defined under `key`. If the data type `channel` is used, the Redis `PUBLISH` command is used and means that all events are pushed to the pub/sub mechanism of Redis. The name of the channel is the one defined under `key`. The default value is `list`.
+
+
+### `codec` [_codec_2]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/heartbeat/configuration-output-codec.md) for more information.
+
+
+### `worker` or `workers` [_worker_or_workers_2]
+
+The number of workers to use for each host configured to publish events to Redis. Use this setting along with the `loadbalance` option. For example, if you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+
+### `loadbalance` [_loadbalance_2]
+
+When `loadbalance: true` is set, Heartbeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Heartbeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Heartbeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Heartbeat can connect to at least one of its configured hosts.
+
+The default value is `true`.
+
+
+### `timeout` [_timeout_4]
+
+The Redis connection timeout in seconds. The default is 5 seconds.
+
+
+### `backoff.init` [_backoff_init_3]
+
+The number of seconds to wait before trying to reconnect to Redis after a network error. After waiting `backoff.init` seconds, Heartbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_3]
+
+The maximum number of seconds to wait before attempting to connect to Redis after a network error. The default is 60s.
+
+
+### `max_retries` [_max_retries_4]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `bulk_max_size` [_bulk_max_size_3]
+
+The maximum number of events to bulk in a single Redis request or pipeline. The default is 2048.
+
+Events can be collected into batches. Heartbeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `ssl` [_ssl_4]
+
+Configuration options for SSL parameters like the root CA for Redis connections guarded by SSL proxies (for example [stunnel](https://www.stunnel.org)). See [SSL](/reference/heartbeat/configuration-ssl.md) for more information.
+
+
+### `proxy_url` [_proxy_url_3]
+
+The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The value must be a URL with a scheme of `socks5://`. You cannot use a web proxy because the protocol used to communicate with Redis is not based on HTTP.
+
+If the SOCKS5 proxy server requires client authentication, you can embed a username and password in the URL.
+
+When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the [`proxy_use_local_resolver`](#redis-proxy-use-local-resolver) option.
+
+
+### `proxy_use_local_resolver` [redis-proxy-use-local-resolver]
+
+This option determines whether Redis hostnames are resolved locally when using a proxy. The default value is false, which means that name resolution occurs on the proxy server.
+
+
+### `queue` [_queue_4]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/heartbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `heartbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/heartbeat/regexp-support.md b/docs/reference/heartbeat/regexp-support.md
new file mode 100644
index 000000000000..f77263002234
--- /dev/null
+++ b/docs/reference/heartbeat/regexp-support.md
@@ -0,0 +1,111 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/regexp-support.html
+---
+
+# Regular expression support [regexp-support]
+
+Heartbeat regular expression support is based on [RE2](https://godoc.org/regexp/syntax).
+
+Before using a regular expression in the config file, refer to the documentation to verify that the option you are setting accepts a regular expression.
+
+::::{note}
+We recommend that you wrap regular expressions in single quotation marks to work around YAML’s string escaping rules. For example, `'^\[?[0-9][0-9]:?[0-9][0-9]|^[[:graph:]]+'`.
+::::
+
+
+For more examples of supported regexp patterns, see [Managing Multiline Messages](/reference/filebeat/multiline-examples.md). Although the examples pertain to Filebeat, the regexp patterns are applicable to other use cases.
+
+The following patterns are supported:
+
+* [Single Characters](#single-characters)
+* [Composites](#composites)
+* [Repetitions](#repetitions)
+* [Groupings](#grouping)
+* [Empty Strings](#empty-strings)
+* [Escape Sequences](#escape-sequences)
+* [ASCII Character Classes](#ascii-character-classes)
+* [Perl Character Classes](#perl-character-classes)
+
+| Pattern | Description |
+| --- | --- |
+| $$$single-characters$$$**Single Characters** |  |
+| `x` | single character |
+| `.` | any character |
+| `[xyz]` | character class |
+| `[^xyz]` | negated character class |
+| `[[:alpha:]]` | ASCII character class |
+| `[[:^alpha:]]` | negated ASCII character class |
+| `\d` | Perl character class |
+| `\D` | negated Perl character class |
+| `\pN` | Unicode character class (one-letter name) |
+| `\p{{Greek}}` | Unicode character class |
+| `\PN` | negated Unicode character class (one-letter name) |
+| `\P{{Greek}}` | negated Unicode character class |
+| $$$composites$$$**Composites** |  |
+| `xy` | `x` followed by `y` |
+| `x&#124;y` | `x` or `y` (prefer `x`) |
+| $$$repetitions$$$**Repetitions** |  |
+| `x*` | zero or more `x` |
+| `x+` | one or more `x` |
+| `x?` | zero or one `x` |
+| `x{n,m}` | `n` or `n+1` or …​ or `m` `x`, prefer more |
+| `x{n,}` | `n` or more `x`, prefer more |
+| `x{{n}}` | exactly `n` `x` |
+| `x*?` | zero or more `x`, prefer fewer |
+| `x+?` | one or more `x`, prefer fewer |
+| `x??` | zero or one `x`, prefer zero |
+| `x{n,m}?` | `n` or `n+1` or …​ or `m` `x`, prefer fewer |
+| `x{n,}?` | `n` or more `x`, prefer fewer |
+| `x{{n}}?` | exactly `n` `x` |
+| $$$grouping$$$**Grouping** |  |
+| `(re)` | numbered capturing group (submatch) |
+| `(?P<name>re)` | named & numbered capturing group (submatch) |
+| `(?:re)` | non-capturing group |
+| `(?i)abc` | set flags within current group, non-capturing |
+| `(?i:re)` | set flags during re, non-capturing |
+| `(?i)PaTTeRN` | case-insensitive (default false) |
+| `(?m)multiline` | multi-line mode: `^` and `$` match begin/end line in addition to begin/end text (default false) |
+| `(?s)pattern.` | let `.` match `\n` (default false) |
+| `(?U)x*abc` | ungreedy: swap meaning of `x*` and `x*?`, `x+` and `x+?`, etc (default false) |
+| $$$empty-strings$$$**Empty Strings** |  |
+| `^` | at beginning of text or line (`m`=true) |
+| `$` | at end of text (like `\z` not `\Z`) or line (`m`=true) |
+| `\A` | at beginning of text |
+| `\b` | at ASCII word boundary (`\w` on one side and `\W`, `\A`, or `\z` on the other) |
+| `\B` | not at ASCII word boundary |
+| `\z` | at end of text |
+| $$$escape-sequences$$$**Escape Sequences** |  |
+| `\a` | bell (same as `\007`) |
+| `\f` | form feed (same as `\014`) |
+| `\t` | horizontal tab (same as `\011`) |
+| `\n` | newline (same as `\012`) |
+| `\r` | carriage return (same as `\015`) |
+| `\v` | vertical tab character (same as `\013`) |
+| `\*` | literal `*`, for any punctuation character `*` |
+| `\123` | octal character code (up to three digits) |
+| `\x7F` | two-digit hex character code |
+| `\x{{10FFFF}}` | hex character code |
+| `\Q...\E` | literal text `...` even if `...` has punctuation |
+| $$$ascii-character-classes$$$**ASCII Character Classes** |  |
+| `[[:alnum:]]` | alphanumeric (same as `[0-9A-Za-z]`) |
+| `[[:alpha:]]` | alphabetic (same as `[A-Za-z]`) |
+| `[[:ascii:]]` | ASCII (same as `\x00-\x7F]`) |
+| `[[:blank:]]` | blank (same as `[\t ]`) |
+| `[[:cntrl:]]` | control (same as `[\x00-\x1F\x7F]`) |
+| `[[:digit:]]` | digits (same as `[0-9]`) |
+| `[[:graph:]]` | graphical (same as ```[!-~] == [A-Za-z0-9!"#$%&'()*+,\-./:;<=>?@[\\\]^_` ``` ```{&#124;}~]```) |
+| `[[:lower:]]` | lower case (same as `[a-z]`) |
+| `[[:print:]]` | printable (same as `[ -~] == [ [:graph:]]`) |
+| `[[:punct:]]` | punctuation (same as ```[!-/:-@[-`{-~]```) |
+| `[[:space:]]` | whitespace (same as `[\t\n\v\f\r ]`) |
+| `[[:upper:]]` | upper case (same as `[A-Z]`) |
+| `[[:word:]]` | word characters (same as `[0-9A-Za-z_]`) |
+| `[[:xdigit:]]` | hex digit (same as `[0-9A-Fa-f]`) |
+| $$$perl-character-classes$$$**Supported Perl Character Classes** |  |
+| `\d` | digits (same as `[0-9]`) |
+| `\D` | not digits (same as `[^0-9]`) |
+| `\s` | whitespace (same as `[\t\n\f\r ]`) |
+| `\S` | not whitespace (same as `[^\t\n\f\r ]`) |
+| `\w` | word characters (same as `[0-9A-Za-z_]`) |
+| `\W` | not word characters (same as `[^0-9A-Za-z_]`) |
diff --git a/docs/reference/heartbeat/rename-fields.md b/docs/reference/heartbeat/rename-fields.md
new file mode 100644
index 000000000000..d7d95744f8f2
--- /dev/null
+++ b/docs/reference/heartbeat/rename-fields.md
@@ -0,0 +1,43 @@
+---
+navigation_title: "rename"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/rename-fields.html
+---
+
+# Rename fields from events [rename-fields]
+
+
+The `rename` processor specifies a list of fields to rename. Under the `fields` key, each entry contains a `from: old-key` and a `to: new-key` pair, where:
+
+* `from` is the original field name. It’s supported to use `@metadata.` prefix for `from` and rename keys in the event metadata instead of event fields.
+* `to` is the target field name
+
+The `rename` processor cannot be used to overwrite fields. To overwrite fields either first rename the target field, or use the `drop_fields` processor to drop the field and then rename the field.
+
+::::{tip}
+You can rename fields to resolve field name conflicts. For example, if an event has two fields, `c` and `c.b` (where `b` is a subfield of `c`), assigning scalar values results in an {{es}} error at ingest time. The assignment `{"c": 1, "c.b": 2}` would result in an error because `c` is an object and cannot be assigned a scalar value. To prevent this conflict, rename `c` to `c.value` before assigning values.
+::::
+
+
+```yaml
+processors:
+  - rename:
+      fields:
+        - from: "a.g"
+          to: "e.d"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+The `rename` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be renamed is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the renaming of fields is stopped and the original event is returned. If set to false, renaming continues also if an error happened during renaming. Default is `true`.
+
+See [Conditions](/reference/heartbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+You can specify multiple `rename` processors under the `processors` section.
+
diff --git a/docs/reference/heartbeat/replace-fields.md b/docs/reference/heartbeat/replace-fields.md
new file mode 100644
index 000000000000..2ef1d09a6584
--- /dev/null
+++ b/docs/reference/heartbeat/replace-fields.md
@@ -0,0 +1,44 @@
+---
+navigation_title: "replace"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/replace-fields.html
+---
+
+# Replace fields from events [replace-fields]
+
+
+The `replace` processor takes a list of fields to search for a matching value and replaces the matching value with a specified string.
+
+The `replace` processor cannot be used to create a completely new value.
+
+::::{tip}
+You can use this processor to truncate a field value or replace it with a new string value. You can also use this processor to mask PII information.
+::::
+
+
+
+## Example [_example]
+
+The following example changes the path from `/usr/bin` to `/usr/local/bin`:
+
+```yaml
+  - replace:
+      fields:
+        - field: "file.path"
+          pattern: "/usr/"
+          replacement: "/usr/local/"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+
+## Configuration settings [_configuration_settings]
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `fields` | Yes |  | List of one or more items. Each item contains a `field: field-name`, `pattern: regex-pattern`, and `replacement: replacement-string`, where:<br><br>* `field` is the original field name. You can use the `@metadata.` prefix in this field to replace values in the event metadata instead of event fields.<br>* `pattern` is the regex pattern to match the field’s value<br>* `replacement` is the replacement string to use to update the field’s value<br> |
+| `ignore_missing` | No | `false` | Whether to ignore missing fields. If `true`, no error is logged if the specified field is missing. |
+| `fail_on_error` | No | `true` | Whether to fail replacement of field values if an error occurs.If `true` and there’s an error, the replacement of field values is stopped, and the original event is returned.If `false`, replacement continues even if an error occurs during replacement. |
+
+See [Conditions](/reference/heartbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/heartbeat/running-on-docker.md b/docs/reference/heartbeat/running-on-docker.md
new file mode 100644
index 000000000000..6008253058c2
--- /dev/null
+++ b/docs/reference/heartbeat/running-on-docker.md
@@ -0,0 +1,159 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/running-on-docker.html
+---
+
+# Run Heartbeat on Docker [running-on-docker]
+
+Docker images for Heartbeat are available from the Elastic Docker registry. The base image is [centos:7](https://hub.docker.com/_/centos/).
+
+A list of all published Docker images and tags is available at [www.docker.elastic.co](https://www.docker.elastic.co).
+
+These images are free to use under the Elastic license. They contain open source and free commercial features and access to paid commercial features. [Start a 30-day trial](docs-content://deploy-manage/license/manage-your-license-in-self-managed-cluster.md) to try out all of the paid commercial features. See the [Subscriptions](https://www.elastic.co/subscriptions) page for information about Elastic license levels.
+
+## Pull the image [_pull_the_image]
+
+Obtaining Heartbeat for Docker is as simple as issuing a `docker pull` command against the Elastic Docker registry.
+
+::::{warning}
+Version 9.0.0-beta1 of Heartbeat has not yet been released. No Docker image is currently available for Heartbeat 9.0.0-beta1.
+::::
+
+
+```sh
+docker pull docker.elastic.co/beats/heartbeat:9.0.0-beta1
+```
+
+Alternatively, you can download other Docker images that contain only features available under the Apache 2.0 license. To download the images, go to [www.docker.elastic.co](https://www.docker.elastic.co).
+
+As another option, you can use the hardened [Wolfi](https://wolfi.dev/) image. Using Wolfi images requires Docker version 20.10.10 or higher. For details about why the Wolfi images have been introduced, refer to our article [Reducing CVEs in Elastic container images](https://www.elastic.co/blog/reducing-cves-in-elastic-container-images).
+
+```bash
+docker pull docker.elastic.co/beats/heartbeat-wolfi:9.0.0-beta1
+```
+
+
+## Optional: Verify the image [_optional_verify_the_image]
+
+You can use the [Cosign application](https://docs.sigstore.dev/cosign/installation/) to verify the Heartbeat Docker image signature.
+
+::::{warning}
+Version 9.0.0-beta1 of Heartbeat has not yet been released. No Docker image is currently available for Heartbeat 9.0.0-beta1.
+::::
+
+
+```sh
+wget https://artifacts.elastic.co/cosign.pub
+cosign verify --key cosign.pub docker.elastic.co/beats/heartbeat:9.0.0-beta1
+```
+
+The `cosign` command prints the check results and the signature payload in JSON format:
+
+```sh
+Verification for docker.elastic.co/beats/heartbeat:9.0.0-beta1 --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The signatures were verified against the specified public key
+```
+
+
+## Run the Heartbeat setup [_run_the_heartbeat_setup]
+
+::::{important}
+A [known issue](https://github.com/elastic/beats/issues/42038) in version 8.17.0 prevents {{beats}} Docker images from starting when no options are provided. When running an image on that version, add an `--environment container` parameter to avoid the problem. This is planned to be addressed in issue [#42060](https://github.com/elastic/beats/pull/42060).
+::::
+
+
+Running Heartbeat with the setup command will create the index pattern and load visualizations and machine learning jobs.  Run this command:
+
+```sh
+docker run --rm \
+--cap-add=NET_RAW \
+docker.elastic.co/beats/heartbeat:9.0.0-beta1 \
+setup -E setup.kibana.host=kibana:5601 \
+-E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
+```
+
+1. Substitute your Kibana and Elasticsearch hosts and ports.
+2. If you are using the hosted {{ess}} in {{ecloud}}, replace the `-E output.elasticsearch.hosts` line with the Cloud ID and elastic password using this syntax:
+
+
+```shell
+-E cloud.id=<Cloud ID from Elasticsearch Service> \
+-E cloud.auth=elastic:<elastic password>
+```
+
+
+## Run Heartbeat on a read-only file system [_run_heartbeat_on_a_read_only_file_system]
+
+If you’d like to run Heartbeat in a Docker container on a read-only file system, you can do so by specifying the `--read-only` option. Heartbeat requires a stateful directory to store application data, so with the `--read-only` option you also need to use the `--mount` option to specify a path to where that data can be stored.
+
+For example:
+
+```sh
+docker run --rm \
+  --mount type=bind,source=$(pwd)/data,destination=/usr/share/heartbeat/data \
+  --read-only \
+  docker.elastic.co/beats/heartbeat:9.0.0-beta1
+```
+
+
+## Configure Heartbeat on Docker [_configure_heartbeat_on_docker]
+
+The Docker image provides several methods for configuring Heartbeat. The conventional approach is to provide a configuration file via a volume mount, but it’s also possible to create a custom image with your configuration included.
+
+### Example configuration file [_example_configuration_file]
+
+Download this example configuration file as a starting point:
+
+```sh
+curl -L -O https://raw.githubusercontent.com/elastic/beats/master/deploy/docker/heartbeat.docker.yml
+```
+
+
+### Volume-mounted configuration [_volume_mounted_configuration]
+
+One way to configure Heartbeat on Docker is to provide `heartbeat.docker.yml` via a volume mount. With `docker run`, the volume mount can be specified like this.
+
+```sh
+docker run -d \
+  --name=heartbeat \
+  --user=heartbeat \
+  --volume="$(pwd)/heartbeat.docker.yml:/usr/share/heartbeat/heartbeat.yml:ro" \
+  --cap-add=NET_RAW \
+  docker.elastic.co/beats/heartbeat:9.0.0-beta1 \
+  --strict.perms=false -e \
+  -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
+```
+
+1. Substitute your Elasticsearch hosts and ports.
+2. If you are using the hosted {{ess}} in {{ecloud}}, replace the `-E output.elasticsearch.hosts` line with the Cloud ID and elastic password using the syntax shown earlier.
+
+
+
+### Customize your configuration [_customize_your_configuration]
+
+The `heartbeat.docker.yml` downloaded earlier should be customized for your environment. See [Configure](/reference/heartbeat/configuring-howto-heartbeat.md) for more details. Edit the configuration file and customize it to match your environment then re-deploy your Heartbeat container.
+
+
+### Custom image configuration [_custom_image_configuration]
+
+It’s possible to embed your Heartbeat configuration in a custom image. Here is an example Dockerfile to achieve this:
+
+```dockerfile
+FROM docker.elastic.co/beats/heartbeat:9.0.0-beta1
+COPY --chown=root:heartbeat heartbeat.yml /usr/share/heartbeat/heartbeat.yml
+```
+
+
+### Required network capabilities [_required_network_capabilities]
+
+Under Docker, Heartbeat runs as a non-root user, but requires some privileged network capabilities to operate correctly. Ensure that the `NET_RAW` capability is available to the container.
+
+```sh
+docker run --cap-add=NET_RAW docker.elastic.co/beats/heartbeat:9.0.0-beta1
+```
+
+
+
diff --git a/docs/reference/heartbeat/running-on-kubernetes.md b/docs/reference/heartbeat/running-on-kubernetes.md
new file mode 100644
index 000000000000..b613bed82211
--- /dev/null
+++ b/docs/reference/heartbeat/running-on-kubernetes.md
@@ -0,0 +1,85 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/running-on-kubernetes.html
+---
+
+# Running Heartbeat on Kubernetes [running-on-kubernetes]
+
+Heartbeat [Docker images](/reference/heartbeat/running-on-docker.md) can be used on Kubernetes to check resources uptime.
+
+::::{tip}
+Running {{ecloud}} on Kubernetes? See [Run {{beats}} on ECK](docs-content://deploy-manage/deploy/cloud-on-k8s/beats.md)
+::::
+
+
+However, version 9.0.0-beta1 of Heartbeat has not yet been released, so no Docker image is currently available for this version.
+
+
+## Kubernetes deploy manifests [_kubernetes_deploy_manifests]
+
+A single Heartbeat can check for uptime of the whole cluster.
+
+Everything is deployed under `kube-system` namespace, you can change that by updating the YAML file.
+
+To get the manifests just run:
+
+```sh
+curl -L -O https://raw.githubusercontent.com/elastic/beats/master/deploy/kubernetes/heartbeat-kubernetes.yaml
+```
+
+::::{warning}
+If you are using Kubernetes 1.7 or earlier: Heartbeat uses a hostPath volume to persist internal data, it’s located under /var/lib/heartbeat-data. The manifest uses folder autocreation (`DirectoryOrCreate`), which was introduced in Kubernetes 1.8. You will need to remove `type: DirectoryOrCreate` from the manifest and create the host folder yourself.
+
+::::
+
+
+
+## Settings [_settings]
+
+Some parameters are exposed in the manifest to configure logs destination, by default they will use an existing Elasticsearch deploy if it’s present, but you may want to change that behavior, so just edit the YAML file and modify them:
+
+```yaml
+- name: ELASTICSEARCH_HOST
+  value: elasticsearch
+- name: ELASTICSEARCH_PORT
+  value: "9200"
+- name: ELASTICSEARCH_USERNAME
+  value: elastic
+- name: ELASTICSEARCH_PASSWORD
+  value: changeme
+```
+
+
+## Deploy [_deploy]
+
+To deploy Heartbeat to Kubernetes just run:
+
+```sh
+kubectl create -f heartbeat-kubernetes.yaml
+```
+
+Then you should be able to check the status by running:
+
+```sh
+$ kubectl --namespace=kube-system get deployment/heartbeat
+
+NAME        READY   UP-TO-DATE   AVAILABLE   AGE
+heartbeat   1/1     1            1           1m
+```
+
+
+## Running Heartbeat as unprivileged user [_running_heartbeat_as_unprivileged_user]
+
+Under Kubernetes, Heartbeat can run as a non-root user, but requires some privileged network capabilities to operate correctly. Ensure that the `NET_RAW` capability is available to the container.
+
+```yaml
+containers:
+- name: heartbeat
+  image: docker.elastic.co/beats/heartbeat:9.0.0-beta1
+  securityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    capabilities:
+      add: [ NET_RAW ]
+```
+
diff --git a/docs/reference/heartbeat/running-with-systemd.md b/docs/reference/heartbeat/running-with-systemd.md
new file mode 100644
index 000000000000..fe08e3c5d80b
--- /dev/null
+++ b/docs/reference/heartbeat/running-with-systemd.md
@@ -0,0 +1,86 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/running-with-systemd.html
+---
+
+# Heartbeat and systemd [running-with-systemd]
+
+The DEB and RPM packages include a service unit for Linux systems with systemd. On these systems, you can manage Heartbeat by using the usual systemd commands.
+
+The service unit is configured with `UMask=0027` which means the most permissive mask allowed for files created by Heartbeat is `0640`. All configured file permissions higher than `0640` will be ignored. Please edit the unit file manually in case you need to change that.
+
+## Start and stop Heartbeat [_start_and_stop_heartbeat]
+
+Use `systemctl` to start or stop Heartbeat:
+
+```sh
+sudo systemctl start heartbeat-elastic
+```
+
+```sh
+sudo systemctl stop heartbeat-elastic
+```
+
+By default, the Heartbeat service starts automatically when the system boots. To enable or disable auto start use:
+
+```sh
+sudo systemctl enable heartbeat-elastic
+```
+
+```sh
+sudo systemctl disable heartbeat-elastic
+```
+
+
+## Heartbeat status and logs [_heartbeat_status_and_logs]
+
+To get the service status, use `systemctl`:
+
+```sh
+systemctl status heartbeat-elastic
+```
+
+Logs are stored by default in journald. To view the Logs, use `journalctl`:
+
+```sh
+journalctl -u heartbeat-elastic.service
+```
+
+
+## Customize systemd unit for Heartbeat [_customize_systemd_unit_for_heartbeat]
+
+The systemd service unit file includes environment variables that you can override to change the default options.
+
+| Variable | Description | Default value |
+| --- | --- | --- |
+| BEAT_LOG_OPTS | Log options |  |
+| BEAT_CONFIG_OPTS | Flags for configuration file path | ``-c /etc/heartbeat/heartbeat.yml`` |
+| BEAT_PATH_OPTS | Other paths | ``--path.home /usr/share/heartbeat --path.config /etc/heartbeat --path.data /var/lib/heartbeat --path.logs /var/log/heartbeat`` |
+
+::::{note}
+You can use `BEAT_LOG_OPTS` to set debug selectors for logging. However, to configure logging behavior, set the logging options described in [Configure logging](/reference/heartbeat/configuration-logging.md).
+::::
+
+
+To override these variables, create a drop-in unit file in the `/etc/systemd/system/heartbeat-elastic.service.d` directory.
+
+For example a file with the following content placed in `/etc/systemd/system/heartbeat-elastic.service.d/debug.conf` would override `BEAT_LOG_OPTS` to enable debug for Elasticsearch output.
+
+```text
+[Service]
+Environment="BEAT_LOG_OPTS=-d elasticsearch"
+```
+
+To apply your changes, reload the systemd configuration and restart the service:
+
+```sh
+systemctl daemon-reload
+systemctl restart heartbeat-elastic
+```
+
+::::{note}
+It is recommended that you use a configuration management tool to include drop-in unit files. If you need to add a drop-in manually, use `systemctl edit heartbeat-elastic.service`.
+::::
+
+
+
diff --git a/docs/reference/heartbeat/securing-communication-elasticsearch.md b/docs/reference/heartbeat/securing-communication-elasticsearch.md
new file mode 100644
index 000000000000..1d6bdc0cdd65
--- /dev/null
+++ b/docs/reference/heartbeat/securing-communication-elasticsearch.md
@@ -0,0 +1,86 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/securing-communication-elasticsearch.html
+---
+
+# Secure communication with Elasticsearch [securing-communication-elasticsearch]
+
+When sending data to a secured cluster through the `elasticsearch` output, Heartbeat can use any of the following authentication methods:
+
+* Basic authentication credentials (username and password).
+* Token-based API authentication.
+* A client certificate.
+
+Authentication is specified in the Heartbeat configuration file:
+
+* To use **basic authentication**, specify the `username` and `password` settings under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      username: "heartbeat_writer" <1>
+      password: "{pwd}" <2>
+    ```
+
+    1. This user needs the privileges required to publish events to {{es}}. To create a user like this, see [Create a *publishing* user](/reference/heartbeat/privileges-to-publish-events.md).
+    2. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/heartbeat/keystore.md).
+
+* To use token-based **API key authentication**, specify the `api_key` under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      api_key: "ZCV7VnwBgnX0T19fN8Qe:KnR6yE41RrSowb0kQ0HWoA" <1>
+    ```
+
+    1. This API key must have the privileges required to publish events to {{es}}. To create an API key like this, see [*Grant access using API keys*](/reference/heartbeat/beats-api-keys.md).
+
+
+* To use **Public Key Infrastructure (PKI) certificates** to authenticate users, specify the `certificate` and `key` settings under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      ssl.certificate: "/etc/pki/client/cert.pem" <1>
+      ssl.key: "/etc/pki/client/cert.key" <2>
+    ```
+
+    1. The path to the certificate for SSL client authentication
+    2. The client certificate key
+
+
+    These settings assume that the distinguished name (DN) in the certificate is mapped to the appropriate roles in the `role_mapping.yml` file on each node in the {{es}} cluster. For more information, see [Using role mapping files](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md#mapping-roles-file).
+
+    By default, Heartbeat uses the list of trusted certificate authorities (CA) from the operating system where Heartbeat is running. If the certificate authority that signed your node certificates is not in the host system’s trusted certificate authorities list, you need to add the path to the `.pem` file that contains your CA’s certificate to the Heartbeat configuration. This will configure Heartbeat to use a specific list of CA certificates instead of the default list from the OS.
+
+    Here is an example configuration:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      ssl.certificate_authorities: <1>
+        - /etc/pki/my_root_ca.pem
+        - /etc/pki/my_other_ca.pem
+      ssl.certificate: "/etc/pki/client.pem" <2>
+      ssl.key: "/etc/pki/key.pem" <3>
+    ```
+
+    1. Specify the path to the local `.pem` file that contains your Certificate Authority’s certificate. This is needed if you use your own CA to sign your node certificates.
+    2. The path to the certificate for SSL client authentication
+    3. The client certificate key
+
+
+    ::::{note}
+    For any given connection, the SSL/TLS certificates must have a subject that matches the value specified for `hosts`, or the SSL handshake fails. For example, if you specify `hosts: ["foobar:9200"]`, the certificate MUST include `foobar` in the subject (`CN=foobar`) or as a subject alternative name (SAN). Make sure the hostname resolves to the correct IP address. If no DNS is available, then you can associate the IP address with your hostname in `/etc/hosts` (on Unix) or `C:\Windows\System32\drivers\etc\hosts` (on Windows).
+    ::::
+
+
+
+
+## Learn more about secure communication [securing-communication-learn-more]
+
+More information on sending data to a secured cluster is available in the configuration reference:
+
+* [Elasticsearch](/reference/heartbeat/elasticsearch-output.md)
+* [SSL](/reference/heartbeat/configuration-ssl.md)
+
diff --git a/docs/reference/heartbeat/securing-heartbeat.md b/docs/reference/heartbeat/securing-heartbeat.md
new file mode 100644
index 000000000000..f8b502de3fd6
--- /dev/null
+++ b/docs/reference/heartbeat/securing-heartbeat.md
@@ -0,0 +1,25 @@
+---
+navigation_title: "Secure"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/securing-heartbeat.html
+---
+
+# Secure Heartbeat [securing-heartbeat]
+
+
+The following topics provide information about securing the Heartbeat process and connecting to a cluster that has {{security-features}} enabled.
+
+You can use role-based access control and optionally, API keys to grant Heartbeat users access to secured resources.
+
+* [*Grant users access to secured resources*](/reference/heartbeat/feature-roles.md)
+* [*Grant access using API keys*](/reference/heartbeat/beats-api-keys.md).
+
+After privileged users have been created, use authentication to connect to a secured Elastic cluster.
+
+* [*Secure communication with Elasticsearch*](/reference/heartbeat/securing-communication-elasticsearch.md)
+* [*Secure communication with Logstash*](/reference/heartbeat/configuring-ssl-logstash.md)
+
+On Linux, Heartbeat can take advantage of secure computing mode to restrict the system calls that a process can issue.
+
+* [*Use Linux Secure Computing Mode (seccomp)*](/reference/heartbeat/linux-seccomp.md)
+
diff --git a/docs/reference/heartbeat/setting-up-running.md b/docs/reference/heartbeat/setting-up-running.md
new file mode 100644
index 000000000000..cb5f994e3322
--- /dev/null
+++ b/docs/reference/heartbeat/setting-up-running.md
@@ -0,0 +1,29 @@
+---
+navigation_title: "Set up and run"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/setting-up-and-running.html
+---
+
+# Set up and run Heartbeat [setting-up-and-running]
+
+
+Before reading this section, see [Quick start: installation and configuration](/reference/heartbeat/heartbeat-installation-configuration.md) for basic installation instructions to get you started.
+
+This section includes additional information on how to install, set up, and run Heartbeat, including:
+
+* [Directory layout](/reference/heartbeat/directory-layout.md)
+* [Secrets keystore](/reference/heartbeat/keystore.md)
+* [Command reference](/reference/heartbeat/command-line-options.md)
+* [Repositories for APT and YUM](/reference/heartbeat/setup-repositories.md)
+* [Run Heartbeat on Docker](/reference/heartbeat/running-on-docker.md)
+* [Running Heartbeat on Kubernetes](/reference/heartbeat/running-on-kubernetes.md)
+* [Heartbeat and systemd](/reference/heartbeat/running-with-systemd.md)
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/heartbeat/setup-repositories.md b/docs/reference/heartbeat/setup-repositories.md
new file mode 100644
index 000000000000..17ab036720b9
--- /dev/null
+++ b/docs/reference/heartbeat/setup-repositories.md
@@ -0,0 +1,26 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/setup-repositories.html
+---
+
+# Repositories for APT and YUM [setup-repositories]
+
+We have repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
+
+We use the PGP key [D88E42B4](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xD27D666CD88E42B4), Elasticsearch Signing Key, with fingerprint
+
+```
+4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4
+```
+to sign all our packages. It is available from [https://pgp.mit.edu](https://pgp.mit.edu).
+
+
+## APT [_apt]
+
+Version 9.0.0-beta1 of Beats has not yet been released.
+
+
+## YUM [_yum]
+
+Version 9.0.0-beta1 of Beats has not yet been released.
+
diff --git a/docs/reference/heartbeat/shutdown.md b/docs/reference/heartbeat/shutdown.md
new file mode 100644
index 000000000000..31ec35f02569
--- /dev/null
+++ b/docs/reference/heartbeat/shutdown.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/shutdown.html
+---
+
+# Stop Heartbeat [shutdown]
+
+An orderly shutdown of Heartbeat ensures that it has a chance to clean up and close outstanding resources. You can help ensure an orderly shutdown by stopping Heartbeat properly.
+
+If you’re running Heartbeat as a service, you can stop it via the service management functionality provided by your installation.
+
+If you’re running Heartbeat directly in the console, you can stop it by entering **Ctrl-C**. Alternatively, send SIGTERM to the Heartbeat process on a POSIX system.
+
diff --git a/docs/reference/heartbeat/ssl-client-fails.md b/docs/reference/heartbeat/ssl-client-fails.md
new file mode 100644
index 000000000000..090f0bbb52ec
--- /dev/null
+++ b/docs/reference/heartbeat/ssl-client-fails.md
@@ -0,0 +1,71 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/ssl-client-fails.html
+---
+
+# SSL client fails to connect to Logstash [ssl-client-fails]
+
+The host running {{ls}} might be unreachable or the certificate may not be valid. To resolve your issue:
+
+* Make sure that {{ls}} is running and you can connect to it. First, try to ping the {{ls}} host to verify that you can reach it from the host running Heartbeat. Then use either `nc` or `telnet` to make sure that the port is available. For example:
+
+    ```shell
+    ping <hostname or IP>
+    telnet <hostname or IP> 5044
+    ```
+
+* Verify that the certificate is valid and that the hostname and IP match.
+
+    ::::{tip}
+    For testing purposes only, you can set `verification_mode: none` to disable hostname checking.
+    ::::
+
+* Use OpenSSL to test connectivity to the {{ls}} server and diagnose problems. See the [OpenSSL documentation](https://www.openssl.org/docs/manmaster/man1/openssl-s_client.md) for more info.
+* Make sure that you have enabled SSL (set `ssl => true`) when configuring the [Beats input plugin for {{ls}}](logstash://reference/plugins-inputs-beats.md).
+
+## Common SSL-Related Errors and Resolutions [_common_ssl_related_errors_and_resolutions]
+
+Here are some common errors and ways to fix them:
+
+* [tls: failed to parse private key](#failed-to-parse-private-key)
+* [x509: cannot validate certificate](#cannot-validate-certificate)
+* [getsockopt: no route to host](#getsockopt-no-route-to-host)
+* [getsockopt: connection refused](#getsockopt-connection-refused)
+* [No connection could be made because the target machine actively refused it](#target-machine-refused-connection)
+
+### tls: failed to parse private key [failed-to-parse-private-key]
+
+This might occur for a few reasons:
+
+* The encrypted file is not recognized as an encrypted PEM block. Heartbeat tries to use the encrypted content as the final key, which fails.
+* The file is correctly encrypted in a PEM block, but the decrypted content is not a key in a format that Heartbeat recognizes. The key must be encoded as PEM format.
+* The passphrase is missing or has an error.
+
+
+### x509: cannot validate certificate for <IP address> because it doesn’t contain any IP SANs [cannot-validate-certificate]
+
+This happens because your certificate is only valid for the hostname present in the Subject field.
+
+To resolve this problem, try one of these solutions:
+
+* Create a DNS entry for the hostname mapping it to the server’s IP.
+* Create an entry in `/etc/hosts` for the hostname. Or on Windows add an entry to `C:\Windows\System32\drivers\etc\hosts`.
+* Re-create the server certificate and add a SubjectAltName (SAN) for the IP address of the server. This makes the server’s certificate valid for both the hostname and the IP address.
+
+
+### getsockopt: no route to host [getsockopt-no-route-to-host]
+
+This is not a SSL problem. It’s a networking problem. Make sure the two hosts can communicate.
+
+
+### getsockopt: connection refused [getsockopt-connection-refused]
+
+This is not a SSL problem. Make sure that {{ls}} is running and that there is no firewall blocking the traffic.
+
+
+### No connection could be made because the target machine actively refused it [target-machine-refused-connection]
+
+A firewall is refusing the connection. Check if a firewall is blocking the traffic on the client, the network, or the destination host.
+
+
+
diff --git a/docs/reference/heartbeat/syslog.md b/docs/reference/heartbeat/syslog.md
new file mode 100644
index 000000000000..0c8ad720db5e
--- /dev/null
+++ b/docs/reference/heartbeat/syslog.md
@@ -0,0 +1,156 @@
+---
+navigation_title: "syslog"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/syslog.html
+---
+
+# Syslog [syslog]
+
+
+The syslog processor parses RFC 3146 and/or RFC 5424 formatted syslog messages that are stored in a field. The processor itself does not handle receiving syslog messages from external sources. This is done through an input, such as the TCP input. Certain integrations, when enabled through configuration, will embed the syslog processor to process syslog messages, such as Custom TCP Logs and Custom UDP Logs.
+
+
+## Configuration [_configuration]
+
+The `syslog` processor parses RFC 3146 and/or RFC 5424 formatted syslog messages that are stored under the `field` key.
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the syslog message. Defaults to `message`.
+
+`format`
+:   (Optional) The syslog format to use, `rfc3164`, or `rfc5424`. To automatically detect the format from the log entries, set this option to `auto`. The default is `auto`.
+
+`timezone`
+:   (Optional) IANA time zone name(e.g. `America/New York`) or a fixed time offset (e.g. +0200) to use when parsing syslog timestamps that do not contain a time zone. `Local` may be specified to use the machine’s local time zone. Defaults to `Local`.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the syslog message. The default value is `true`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+`tag`
+:   (Optional) An identifier for this processor. Useful for debugging.
+
+Example:
+
+```yaml
+processors:
+  - syslog:
+      field: message
+```
+
+```json
+{
+  "message": "<165>1 2022-01-11T22:14:15.003Z mymachine.example.com eventslog 1024 ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"][examplePriority@32473 class=\"high\"] this is the message"
+}
+```
+
+Will produce the following output:
+
+```json
+{
+  "@timestamp": "2022-01-11T22:14:15.003Z",
+  "log": {
+    "syslog": {
+      "priority": 165,
+      "facility": {
+        "code": 20,
+        "name": "local4"
+      },
+      "severity": {
+        "code": 5,
+        "name": "Notice"
+      },
+      "hostname": "mymachine.example.com",
+      "appname": "eventslog",
+      "procid": "1024",
+      "msgid": "ID47",
+      "version": 1,
+      "structured_data": {
+        "exampleSDID@32473": {
+          "iut":         "3",
+          "eventSource": "Application",
+          "eventID":     "1011"
+        },
+        "examplePriority@32473": {
+          "class": "high"
+        }
+      }
+    }
+  },
+  "message": "this is the message"
+}
+```
+
+
+## Timestamps [_timestamps]
+
+The RFC 3164 format accepts the following forms of timestamps:
+
+* Local timestamp (`Mmm dd hh:mm:ss`):
+
+    * `Jan 23 14:09:01`
+
+* RFC-3339*:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+**Note**: The local timestamp (for example, `Jan 23 14:09:01`) that accompanies an RFC 3164 message lacks year and time zone information. The time zone will be enriched using the `timezone` configuration option, and the year will be enriched using the Heartbeat system’s local time (accounting for time zones). Because of this, it is possible for messages to appear in the future. An example of when this might happen is logs generated on December 31 2021 are ingested on January 1 2022. The logs would be enriched with the year 2022 instead of 2021.
+
+The RFC 5424 format accepts the following forms of timestamps:
+
+* RFC-3339:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+Formats with an asterisk (*) are a non-standard allowance.
+
+
+## Structured Data [_structured_data]
+
+For RFC 5424-formatted logs, if the structured data cannot be parsed according to RFC standards, the original structured data text will be prepended to the message field, separated by a space.
+
+
+## Metrics [_metrics]
+
+Internal metrics are available to assist with debugging efforts. The metrics are served from the metrics HTTP endpoint (for example: `http://localhost:5066/stats`) and are found under `processor.syslog.[instance ID]` or `processor.syslog.[tag]-[instance ID]` if a **tag** is provided. See [HTTP endpoint](/reference/heartbeat/http-endpoint.md) for more information on configuration the metrics HTTP endpoint.
+
+For example, here are metrics from a processor with a **tag** of `log-input` and an **instance ID** of `1`:
+
+```json
+{
+  "processor": {
+    "syslog": {
+      "log-input-1": {
+        "failure": 10,
+        "missing": 0,
+        "success": 3
+      }
+    }
+  }
+}
+```
+
+`failure`
+:   Measures the number of occurrences where a message was unable to be parsed.
+
+`missing`
+:   Measures the number of occurrences where an event was missing the required input field.
+
+`success`
+:   Measures the number of successfully parsed syslog messages.
+
diff --git a/docs/reference/heartbeat/troubleshooting.md b/docs/reference/heartbeat/troubleshooting.md
new file mode 100644
index 000000000000..7def5b344a24
--- /dev/null
+++ b/docs/reference/heartbeat/troubleshooting.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/troubleshooting.html
+---
+
+# Troubleshoot [troubleshooting]
+
+If you have issues installing or running Heartbeat, read the following tips:
+
+* [*Get help*](/reference/heartbeat/getting-help.md)
+* [*Debug*](/reference/heartbeat/enable-heartbeat-debugging.md)
+* [Understand logged metrics](/reference/heartbeat/understand-heartbeat-logs.md)
+* [*Common problems*](/reference/heartbeat/faq.md)
+
diff --git a/docs/reference/heartbeat/truncate-fields.md b/docs/reference/heartbeat/truncate-fields.md
new file mode 100644
index 000000000000..9f22d2b07462
--- /dev/null
+++ b/docs/reference/heartbeat/truncate-fields.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "truncate_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/truncate-fields.html
+---
+
+# Truncate fields [truncate-fields]
+
+
+The `truncate_fields` processor truncates a field to a given size. If the size of the field is smaller than the limit, the field is left as is.
+
+`fields`
+:   List of fields to truncate. It’s supported to use `@metadata.` prefix for the fields and truncate values in the event metadata instead of event fields.
+
+`max_bytes`
+:   Maximum number of bytes in a field. Mutually exclusive with `max_characters`.
+
+`max_characters`
+:   Maximum number of characters in a field. Mutually exclusive with `max_bytes`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the changes to the event are reverted, and the original event is returned. If set to `false`, processing continues also if an error happens. Default is `true`.
+
+`ignore_missing`
+:   (Optional) Whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+For example, this configuration truncates the field named `message` to 5 characters:
+
+```yaml
+processors:
+  - truncate_fields:
+      fields:
+        - message
+      max_characters: 5
+      fail_on_error: false
+      ignore_missing: true
+```
+
diff --git a/docs/reference/heartbeat/understand-heartbeat-logs.md b/docs/reference/heartbeat/understand-heartbeat-logs.md
new file mode 100644
index 000000000000..055a3fbbad09
--- /dev/null
+++ b/docs/reference/heartbeat/understand-heartbeat-logs.md
@@ -0,0 +1,210 @@
+---
+navigation_title: "Understand logged metrics"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/understand-heartbeat-logs.html
+---
+
+# Understand metrics in Heartbeat logs [understand-heartbeat-logs]
+
+
+Every 30 seconds (by default), Heartbeat collects a *snapshot* of metrics about itself. From this snapshot, Heartbeat computes a *delta snapshot*; this delta snapshot contains any metrics that have *changed* since the last snapshot. Note that the values of the metrics are the values when the snapshot is taken, *NOT* the *difference* in values from the last snapshot.
+
+If this delta snapshot contains *any* metrics (indicating at least one metric that has changed since the last snapshot), this delta snapshot is serialized as JSON and emitted in Heartbeat’s logs at the `INFO` log level. Most snapshot fields report the change in the metric since the last snapshot, however some fields are *gauges*, which always report the current value. Here is an example of such a log entry:
+
+```json
+{"log.level":"info","@timestamp":"2023-07-14T12:50:36.811Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":0}}}},"cpu":{"system":{"ticks":692690,"time":{"ms":60}},"total":{"ticks":3167250,"time":{"ms":150},"value":3167250},"user":{"ticks":2474560,"time":{"ms":90}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":32},"info":{"ephemeral_id":"2bab8688-34c0-4522-80af-db86948d547d","uptime":{"ms":617670096},"version":"8.6.2"},"memstats":{"gc_next":57189272,"memory_alloc":43589824,"memory_total":275281335792,"rss":183574528},"runtime":{"goroutines":212}},"filebeat":{"events":{"active":5,"added":52,"done":49},"harvester":{"open_files":6,"running":6,"started":1}},"libbeat":{"config":{"module":{"running":15}},"output":{"events":{"acked":48,"active":0,"batches":6,"total":48},"read":{"bytes":210},"write":{"bytes":26923}},"pipeline":{"clients":15,"events":{"active":5,"filtered":1,"published":51,"total":52},"queue":{"max_events":3500,"filled":{"events":5,"bytes":6425,"pct":0.0014},"added":{"events":52,"bytes":65702},"consumed":{"events":52,"bytes":65702},"removed":{"events":48,"bytes":59277},"acked":48}}},"registrar":{"states":{"current":14,"update":49},"writes":{"success":6,"total":6}},"system":{"load":{"1":0.91,"15":0.37,"5":0.4,"norm":{"1":0.1138,"15":0.0463,"5":0.05}}}},"ecs.version":"1.6.0"}}
+```
+
+
+## Details [_details]
+
+Focussing on the `.monitoring.metrics` field, and formatting the JSON, it’s value is:
+
+```json
+{
+  "beat": {
+    "cgroup": {
+      "memory": {
+        "mem": {
+          "usage": {
+            "bytes": 0
+          }
+        }
+      }
+    },
+    "cpu": {
+      "system": {
+        "ticks": 692690,
+        "time": {
+          "ms": 60
+        }
+      },
+      "total": {
+        "ticks": 3167250,
+        "time": {
+          "ms": 150
+        },
+        "value": 3167250
+      },
+      "user": {
+        "ticks": 2474560,
+        "time": {
+          "ms": 90
+        }
+      }
+    },
+    "handles": {
+      "limit": {
+        "hard": 1048576,
+        "soft": 1048576
+      },
+      "open": 32
+    },
+    "info": {
+      "ephemeral_id": "2bab8688-34c0-4522-80af-db86948d547d",
+      "uptime": {
+        "ms": 617670096
+      },
+      "version": "8.6.2"
+    },
+    "memstats": {
+      "gc_next": 57189272,
+      "memory_alloc": 43589824,
+      "memory_total": 275281335792,
+      "rss": 183574528
+    },
+    "runtime": {
+      "goroutines": 212
+    }
+  },
+  "filebeat": {
+    "events": {
+      "active": 5,
+      "added": 52,
+      "done": 49
+    },
+    "harvester": {
+      "open_files": 6,
+      "running": 6,
+      "started": 1
+    }
+  },
+  "libbeat": {
+    "config": {
+      "module": {
+        "running": 15
+      }
+    },
+    "output": {
+      "events": {
+        "acked": 48,
+        "active": 0,
+        "batches": 6,
+        "total": 48
+      },
+      "read": {
+        "bytes": 210
+      },
+      "write": {
+        "bytes": 26923
+      }
+    },
+    "pipeline": {
+      "clients": 15,
+      "events": {
+        "active": 5,
+        "filtered": 1,
+        "published": 51,
+        "total": 52
+      },
+      "queue": {
+        "max_events": 3500,
+        "filled": {
+          "events": 5,
+          "bytes": 6425,
+          "pct": 0.0014
+        },
+        "added": {
+          "events": 52,
+          "bytes": 65702
+        },
+        "consumed": {
+          "events": 52,
+          "bytes": 65702
+        },
+        "removed": {
+          "events": 48,
+          "bytes": 59277
+        },
+        "acked": 48
+      }
+    }
+  },
+  "registrar": {
+    "states": {
+      "current": 14,
+      "update": 49
+    },
+    "writes": {
+      "success": 6,
+      "total": 6
+    }
+  },
+  "system": {
+    "load": {
+      "1": 0.91,
+      "15": 0.37,
+      "5": 0.4,
+      "norm": {
+        "1": 0.1138,
+        "15": 0.0463,
+        "5": 0.05
+      }
+    }
+  }
+}
+```
+
+The following tables explain the meaning of the most important fields under `.monitoring.metrics` and also provide hints that might be helpful in troubleshooting Heartbeat issues.
+
+| Field path (relative to `.monitoring.metrics`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.beat` | Object | Information that is common to all Beats, e.g. version, goroutines, file handles, CPU, memory |  |
+| `.libbeat` | Object | Information about the publisher pipeline and output, also common to all Beats |  |
+
+| Field path (relative to `.monitoring.metrics.beat`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.runtime.goroutines` | Integer | Number of goroutines running | If this number grows over time, it indicates a goroutine leak |
+
+| Field path (relative to `.monitoring.metrics.libbeat`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.pipeline.events.active` | Integer | Number of events currently in the libbeat publisher pipeline. | If this number grows over time, it may indicate that Heartbeat is producing events faster than the output can consume them. Consider increasing the number of output workers (if this setting is supported by the output; {{es}} and {{ls}} outputs support this setting). The pipeline includes events currently being processed as well as events in the queue. So this metric can sometimes end up slightly higher than the queue size. If this metric reaches the maximum queue size (`queue.mem.events` for the in-memory queue), it almost certainly indicates backpressure on Heartbeat, implying that Heartbeat may need to temporarily stop ingesting more events from the source until this backpressure is relieved. |
+| `.output.events.total` | Integer | Number of events currently being processed by the output. | If this number grows over time, it may indicate that the output destination (e.g. {{ls}} pipeline or {{es}} cluster) is not able to accept events at the same or faster rate than what Heartbeat is sending to it. |
+| `.output.events.acked` | Integer | Number of events acknowledged by the output destination. | Generally, we want this number to be the same as `.output.events.total` as this indicates that the output destination has reliably received all the events sent to it. |
+| `.output.events.failed` | Integer | Number of events that Heartbeat tried to send to the output destination, but the destination failed to receive them. | Generally, we want this field to be absent or its value to be zero. When the value is greater than zero, it’s useful to check Heartbeat’s logs right before this log entry’s `@timestamp` to see if there are any connectivity issues with the output destination. Note that failed events are not lost or dropped; they will be sent back to the publisher pipeline for retrying later. |
+| `.output.events.dropped` | Integer | Number of events that Heartbeat gave up sending to the output destination because of a permanent (non-retryable) error. | `.output.events.dead_letter` |
+| Integer | Number of events that Heartbeat successfully sent to a configured dead letter index after they failed to ingest in the primary index. | `.output.write.latency` | Object |
+
+| Field path (relative to `.monitoring.metrics.libbeat.pipeline`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.queue.max_events` | Integer (gauge) | The queue’s maximum event count if it has one, otherwise zero. | `.queue.max_bytes` |
+| Integer (gauge) | The queue’s maximum byte count if it has one, otherwise zero. | `.queue.filled.events` | Integer (gauge) |
+| Number of events currently stored by the queue. |  | `.queue.filled.bytes` | Integer (gauge) |
+| Number of bytes currently stored by the queue. |  | `.queue.filled.pct` | Float (gauge) |
+| How full the queue is relative to its maximum size, as a fraction from 0 to 1. | Low throughput while `queue.filled.pct` is low means congestion in the input. Low throughput while `queue.filled.pct` is high means congestion in the output. | `.queue.added.events` | Integer |
+| Number of events added to the queue by input workers. |  | `.queue.added.bytes` | Integer |
+| Number of bytes added to the queue by input workers. |  | `.queue.consumed.events` | Integer |
+| Number of events sent to output workers. |  | `.queue.consumed.bytes` | Integer |
+| Number of bytes sent to output workers. |  | `.queue.removed.events` | Integer |
+| Number of events removed from the queue after being processed by output workers. |  | `.queue.removed.bytes` | Integer |
+
+When using the memory queue, byte metrics are only set if the output supports them. Currently only the Elasticsearch output supports byte metrics.
+
+
+## Useful commands [_useful_commands]
+
+
+### Parse monitoring metrics from unstructured Heartbeat logs [_parse_monitoring_metrics_from_unstructured_heartbeat_logs]
+
+For Heartbeat versions that emit unstructured logs, the following script can be used to parse monitoring metrics from such logs: [https://github.com/elastic/beats/blob/main/script/metrics_from_log_file.sh](https://github.com/elastic/beats/blob/main/script/metrics_from_log_file.sh).
+
diff --git a/docs/reference/heartbeat/urldecode.md b/docs/reference/heartbeat/urldecode.md
new file mode 100644
index 000000000000..42f8000b06d5
--- /dev/null
+++ b/docs/reference/heartbeat/urldecode.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "urldecode"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/urldecode.html
+---
+
+# URL Decode [urldecode]
+
+
+The `urldecode` processor specifies a list of fields to decode from URL encoded format. Under the `fields` key, each entry contains a `from: source-field` and a `to: target-field` pair, where:
+
+* `from` is the source field name
+* `to` is the target field name (defaults to the `from` value)
+
+```yaml
+processors:
+  - urldecode:
+      fields:
+        - from: "field1"
+          to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above:
+
+* field1 is decoded in field2
+
+The `urldecode` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be URL-decoded is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the URL-decoding of fields is stopped and the original event is returned. If set to false, decoding continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/heartbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/heartbeat/using-environ-vars.md b/docs/reference/heartbeat/using-environ-vars.md
new file mode 100644
index 000000000000..3547f5677732
--- /dev/null
+++ b/docs/reference/heartbeat/using-environ-vars.md
@@ -0,0 +1,80 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/using-environ-vars.html
+---
+
+# Use environment variables in the configuration [using-environ-vars]
+
+You can use environment variable references in the config file to set values that need to be configurable during deployment. To do this, use:
+
+`${VAR}`
+
+Where `VAR` is the name of the environment variable.
+
+Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.
+
+To specify a default value, use:
+
+`${VAR:default_value}`
+
+Where `default_value` is the value to use if the environment variable is undefined.
+
+To specify custom error text, use:
+
+`${VAR:?error_text}`
+
+Where `error_text` is custom text that will be prepended to the error message if the environment variable cannot be expanded.
+
+If you need to use a special character in your configuration file, use `$` to escape the expansion. For example, you can escape `${` or `}` with `$${` or `$}`.
+
+After changing the value of an environment variable, you need to restart Heartbeat to pick up the new value.
+
+::::{note}
+You can also specify environment variables when you override a config setting from the command line by using the `-E` option. For example:
+
+`-E name=${NAME}`
+
+::::
+
+
+
+## Examples [_examples]
+
+Here are some examples of configurations that use environment variables and what each configuration looks like after replacement:
+
+| Config source | Environment setting | Config after replacement |
+| --- | --- | --- |
+| `name: ${NAME}` | `export NAME=elastic` | `name: elastic` |
+| `name: ${NAME}` | no setting | `name:` |
+| `name: ${NAME:beats}` | no setting | `name: beats` |
+| `name: ${NAME:beats}` | `export NAME=elastic` | `name: elastic` |
+| `name: ${NAME:?You need to set the NAME environment variable}` | no setting | None. Returns an error message that’s prepended with the custom text. |
+| `name: ${NAME:?You need to set the NAME environment variable}` | `export NAME=elastic` | `name: elastic` |
+
+
+## Specify complex objects in environment variables [_specify_complex_objects_in_environment_variables]
+
+You can specify complex objects, such as lists or dictionaries, in environment variables by using a JSON-like syntax.
+
+As with JSON, dictionaries and lists are constructed using `{}` and `[]`. But unlike JSON, the syntax allows for trailing commas and slightly different string quotation rules. Strings can be unquoted, single-quoted, or double-quoted, as a convenience for simple settings and to make it easier for you to mix quotation usage in the shell. Arrays at the top-level do not require brackets (`[]`).
+
+For example, the following environment variable is set to a list:
+
+```yaml
+ES_HOSTS="10.45.3.2:9220,10.45.3.1:9230"
+```
+
+You can reference this variable in the config file:
+
+```yaml
+output.elasticsearch:
+  hosts: '${ES_HOSTS}'
+```
+
+When Heartbeat loads the config file, it resolves the environment variable and replaces it with the specified list before reading the `hosts` setting.
+
+::::{note}
+Do not use double-quotes (`"`) to wrap regular expressions, or the backslash (`\`) will be interpreted as an escape character.
+::::
+
+
diff --git a/docs/reference/heartbeat/yaml-tips.md b/docs/reference/heartbeat/yaml-tips.md
new file mode 100644
index 000000000000..2fc7c911b1c4
--- /dev/null
+++ b/docs/reference/heartbeat/yaml-tips.md
@@ -0,0 +1,60 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/heartbeat/current/yaml-tips.html
+---
+
+# Avoid YAML formatting problems [yaml-tips]
+
+The configuration file uses [YAML](http://yaml.org/) for its syntax. When you edit the file to modify configuration settings, there are a few things that you should know.
+
+
+## Use spaces for indentation [_use_spaces_for_indentation]
+
+Indentation is meaningful in YAML. Make sure that you use spaces, rather than tab characters, to indent sections.
+
+In the default configuration files and in all the examples in the documentation, we use 2 spaces per indentation level. We recommend you do the same.
+
+
+## Look at the default config file for structure [_look_at_the_default_config_file_for_structure]
+
+The best way to understand where to define a configuration option is by looking at the provided sample configuration files. The configuration files contain most of the default configurations that are available for the Beat. To change a setting, simply uncomment the line and change the values.
+
+
+## Test your config file [_test_your_config_file]
+
+You can test your configuration file to verify that the structure is valid. Simply change to the directory where the binary is installed, and run the Beat in the foreground with the `test config` command specified. For example:
+
+```shell
+heartbeat test config -c heartbeat.yml
+```
+
+You’ll see a message if the Beat finds an error in the file.
+
+
+## Wrap regular expressions in single quotation marks [_wrap_regular_expressions_in_single_quotation_marks]
+
+If you need to specify a regular expression in a YAML file, it’s a good idea to wrap the regular expression in single quotation marks to work around YAML’s tricky rules for string escaping.
+
+For more information about YAML, see [http://yaml.org/](http://yaml.org/).
+
+
+## Wrap paths in single quotation marks [wrap-paths-in-quotes]
+
+Windows paths in particular sometimes contain spaces or characters, such as drive letters or triple dots, that may be misinterpreted by the YAML parser.
+
+To avoid this problem, it’s a good idea to wrap paths in single quotation marks.
+
+
+## Avoid using leading zeros in numeric values [avoid-leading-zeros]
+
+If you use a leading zero (for example, `09`) in a numeric field without wrapping the value in single quotation marks, the value may be interpreted incorrectly by the YAML parser. If the value is a valid octal, it’s converted to an integer. If not, it’s converted to a float.
+
+To prevent unwanted type conversions, avoid using leading zeros in field values, or wrap the values in single quotation marks.
+
+
+## Avoid accidental template variable resolution [dollar-sign-strings]
+
+The templating engine that allows the config to resolve data from environment variables can result in errors in strings with `$` characters. For example, if a password field contains `$$`, the engine will resolve this to `$`.
+
+To work around this, either use the [Secrets keystore](/reference/heartbeat/keystore.md) or escape all instances of `$` with `$$`.
+
diff --git a/docs/reference/index.md b/docs/reference/index.md
new file mode 100644
index 000000000000..0ebb9cfde97e
--- /dev/null
+++ b/docs/reference/index.md
@@ -0,0 +1,42 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/libbeat/current/index.html
+  - https://www.elastic.co/guide/en/beats/libbeat/current/beats-reference.html
+  - https://www.elastic.co/guide/en/beats/libbeat/current/getting-started.html
+  - https://www.elastic.co/guide/en/serverless/current/elasticsearch-ingest-data-through-beats.html
+---
+
+# Beats [beats-reference]
+
+{{beats}} are open source data shippers that you install as agents on your servers to send operational data to [{{es}}](https://www.elastic.co/products/elasticsearch). Elastic provides {{beats}} for capturing:
+
+Audit data
+:   [Auditbeat](https://www.elastic.co/products/beats/auditbeat)
+
+Log files and journals
+:   [Filebeat](https://www.elastic.co/products/beats/filebeat)
+
+Availability
+:   [Heartbeat](https://www.elastic.co/products/beats/heartbeat)
+
+Metrics
+:   [Metricbeat](https://www.elastic.co/products/beats/metricbeat)
+
+Network traffic
+:   [Packetbeat](https://www.elastic.co/products/beats/packetbeat)
+
+Windows event logs
+:   [Winlogbeat](https://www.elastic.co/products/beats/winlogbeat)
+
+{{beats}} can send data directly to {{es}} or via [{{ls}}](https://www.elastic.co/products/logstash), where you can further process and enhance the data, before visualizing it in [{{kib}}](https://www.elastic.co/products/logstash).
+
+:::{image} libbeat/images/beats-platform.png
+:alt: Beats Platform
+:::
+
+Want to get up and running quickly with infrastructure metrics monitoring and centralized log analytics? Try out the {{metrics-app}} and the {{logs-app}} in {{kib}}. For more details, see [Analyze metrics](docs-content://solutions/observability/infra-and-hosts/analyze-infrastructure-host-metrics.md) and [Monitor logs](docs-content://solutions/observability/logs/explore-logs.md).
+
+
+## Need to capture other kinds of data? [_need_to_capture_other_kinds_of_data]
+
+If you have a specific use case to solve, we encourage you to create a [community Beat](/reference/libbeat/community-beats.md). We’ve created an infrastructure to simplify the process. The *libbeat* library, written entirely in Go, offers the API that all Beats use to ship data to Elasticsearch, configure the input options, implement logging, and more. To learn how to create a new Beat, see the [Beats Developer Guide](http://www.elastic.co/guide/en/beats/devguide/master/index.md).
diff --git a/docs/reference/libbeat/community-beats.md b/docs/reference/libbeat/community-beats.md
new file mode 100644
index 000000000000..0ee69f438ad4
--- /dev/null
+++ b/docs/reference/libbeat/community-beats.md
@@ -0,0 +1,338 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/libbeat/current/community-beats.html
+---
+
+# Community Beats [community-beats]
+
+::::{admonition}
+**Custom Beat generator code no longer available in 8.0 and later**
+
+The custom Beat generator was a helper tool that allowed developers to bootstrap their custom {{beats}}. This tool was deprecated in 7.16 and is no longer available starting in 8.0.
+
+Developers can continue to create custom {{beats}} to address specific and targeted use cases. If you need to create a Beat from scratch, you can use the custom Beat generator tool available in version 7.16 or 7.17 to generate the custom Beat, then upgrade its various components to the 8.x release.
+
+::::
+
+
+This page lists some of the {{beats}} developed by the open source community.
+
+Have a question about developing a community Beat? You can post questions and discuss issues in the [{{beats}} discussion forum](https://discuss.elastic.co/tags/c/elastic-stack/beats/28/beats-development).
+
+Have you created a Beat that’s not listed? Add the name and description of your Beat to the source document for [Community {{beats}}](https://github.com/elastic/beats/blob/main/libbeat/docs/communitybeats.asciidoc) and [open a pull request](https://help.github.com/articles/using-pull-requests) in the [{{beats}} GitHub repository](https://github.com/elastic/beats) to get your change merged. When you’re ready, go ahead and [announce](https://discuss.elastic.co/c/announcements) your new Beat in the Elastic discussion forum.
+
+Want to contribute? See [Appendix A, *Contribute to Beats*](/reference/libbeat/contributing-to-beats.md).
+
+::::{note}
+Elastic provides no warranty or support for community-sourced {{beats}}.
+::::
+
+
+[amazonbeat](https://github.com/awormuth/amazonbeat)
+:   Reads data from a specified Amazon product.
+
+[apachebeat](https://github.com/radoondas/apachebeat)
+:   Reads status from Apache HTTPD server-status.
+
+[apexbeat](https://github.com/verticle-io/apexbeat)
+:   Extracts configurable contextual data and metrics from Java applications via the  [APEX](http://toolkits.verticle.io) toolkit.
+
+[browserbeat](https://github.com/MelonSmasher/browserbeat)
+:   Reads and ships browser history (Chrome, Firefox, & Safari) to an Elastic output.
+
+[cborbeat](https://github.com/toravir/cborbeat)
+:   Reads from cbor encoded files (specifically log files). More: [CBOR Encoding](https://cbor.io) [Decoder](https://github.com/toravir/csd)
+
+[cloudflarebeat](https://github.com/hartfordfive/cloudflarebeat)
+:   Indexes log entries from the Cloudflare Enterprise Log Share API.
+
+[cloudfrontbeat](https://github.com/jarl-tornroos/cloudfrontbeat)
+:   Reads log events from Amazon Web Services [CloudFront](https://aws.amazon.com/cloudfront/).
+
+[cloudtrailbeat](https://github.com/aidan-/cloudtrailbeat)
+:   Reads events from Amazon Web Services' [CloudTrail](https://aws.amazon.com/cloudtrail/).
+
+[cloudwatchmetricbeat](https://github.com/narmitech/cloudwatchmetricbeat)
+:   A beat for Amazon Web Services' [CloudWatch Metrics](https://aws.amazon.com/cloudwatch/details/#other-aws-resource-monitoring).
+
+[cloudwatchlogsbeat](https://github.com/e-travel/cloudwatchlogsbeat)
+:   Reads log events from Amazon Web Services' [CloudWatch Logs](https://aws.amazon.com/cloudwatch/details/#log-monitoring).
+
+[collectbeat](https://github.com/eBay/collectbeat)
+:   Adds discovery on top of Filebeat and Metricbeat in environments like Kubernetes.
+
+[connbeat](https://github.com/raboof/connbeat)
+:   Exposes metadata about TCP connections.
+
+[consulbeat](https://github.com/Pravoru/consulbeat)
+:   Reads services health checks from consul and pushes them to Elastic.
+
+[discobeat](https://github.com/hellmouthengine/discobeat)
+:   Reads messages from Discord and indexes them in Elasticsearch
+
+[dockbeat](https://github.com/Ingensi/dockbeat)
+:   Reads Docker container statistics and indexes them in Elasticsearch.
+
+[earthquakebeat](https://github.com/radoondas/earthquakebeat)
+:   Pulls data from [USGS](https://earthquake.usgs.gov/fdsnws/event/1/) earthquake API.
+
+[elasticbeat](https://github.com/radoondas/elasticbeat)
+:   Reads status from an Elasticsearch cluster and indexes them in Elasticsearch.
+
+[envoyproxybeat](https://github.com/berfinsari/envoyproxybeat)
+:   Reads stats from the Envoy Proxy and indexes them into Elasticsearch.
+
+[etcdbeat](https://github.com/gamegos/etcdbeat)
+:   Reads stats from the Etcd v2 API and indexes them into Elasticsearch.
+
+[etherbeat](https://gitlab.com/hatricker/etherbeat)
+:   Reads blocks from Ethereum compatible blockchain and indexes them into Elasticsearch.
+
+[execbeat](https://github.com/christiangalsterer/execbeat)
+:   Periodically executes shell commands and sends the standard output and standard error to Logstash or Elasticsearch.
+
+[factbeat](https://github.com/jarpy/factbeat)
+:   Collects facts from [Facter](https://github.com/puppetlabs/facter).
+
+[fastcombeat](https://github.com/ctindel/fastcombeat)
+:   Periodically gather internet download speed from  [fast.com](https://fast.com).
+
+[fileoccurencebeat](https://github.com/cloudronics/fileoccurancebeat)
+:   Checks for file existence recurssively under a given directory, handy while handling queues/pipeline buffers.
+
+[flowbeat](https://github.com/FStelzer/flowbeat)
+:   Collects, parses, and indexes [sflow](http://www.sflow.org/index.php) samples.
+
+[gabeat](https://github.com/GeneralElectric/GABeat)
+:   Collects data from Google Analytics Realtime API.
+
+[gcsbeat](https://github.com/GoogleCloudPlatform/gcsbeat)
+:   Reads data from [Google Cloud Storage](https://cloud.google.com/storage/) buckets.
+
+[gelfbeat](https://github.com/threatstack/gelfbeat)
+:   Collects and parses GELF-encoded UDP messages.
+
+[githubbeat](https://github.com/josephlewis42/githubbeat)
+:   Easily monitors GitHub repository activity.
+
+[gpfsbeat](https://github.com/hpcugent/gpfsbeat)
+:   Collects GPFS metric and quota information.
+
+[hackerbeat](https://github.com/ullaakut/hackerbeat)
+:   Indexes the top stories of HackerNews into an ElasticSearch instance.
+
+[hsbeat](https://github.com/YaSuenag/hsbeat)
+:   Reads all performance counters in Java HotSpot VM.
+
+[httpbeat](https://github.com/christiangalsterer/httpbeat)
+:   Polls multiple HTTP(S) endpoints and sends the data to Logstash or Elasticsearch. Supports all HTTP methods and proxies.
+
+[hsnburrowbeat](https://github.com/hsngerami/hsnburrowbeat)
+:   Monitors Kafka consumer lag for Burrow V1.0.0(API V3).
+
+[hwsensorsbeat](https://github.com/jasperla/hwsensorsbeat)
+:   Reads sensors information from OpenBSD.
+
+[icingabeat](https://github.com/icinga/icingabeat)
+:   Icingabeat ships events and states from Icinga 2 to Elasticsearch or Logstash.
+
+[IIBBeat](https://github.com/visasimbu/IIBBeat)
+:   Periodically executes shell commands or batch commands to collect IBM Integration node, Integration server, app status, bar file deployment time and bar file location to Logstash or Elasticsearch.
+
+[iobeat](https://github.com/devopsmakers/iobeat)
+:   Reads IO stats from /proc/diskstats on Linux.
+
+[jmxproxybeat](https://github.com/radoondas/jmxproxybeat)
+:   Reads Tomcat JMX metrics exposed over *JMX Proxy Servlet* to HTTP.
+
+[journalbeat](https://github.com/mheese/journalbeat)
+:   Used for log shipping from systemd/journald based Linux systems.
+
+[kafkabeat](https://github.com/justsocialapps/kafkabeat)
+:   Reads data from Kafka topics.
+
+[kafkabeat2](https://github.com/arkady-emelyanov/kafkabeat)
+:   Reads data (json or plain) from Kafka topics.
+
+[krakenbeat](https://github.com/PPACI/krakenbeat)
+:   Collect information on each transaction on the Kraken crypto platform.
+
+[lmsensorsbeat](https://github.com/eskibars/lmsensorsbeat)
+:   Collects data from lm-sensors (such as CPU temperatures, fan speeds, and voltages from i2c and smbus).
+
+[logstashbeat](https://github.com/consulthys/logstashbeat)
+:   Collects data from Logstash monitoring API (v5 onwards) and indexes them in Elasticsearch.
+
+[macwifibeat](https://github.com/bozdag/macwifibeat)
+:   Reads various indicators for a MacBook’s WiFi Signal Strength
+
+[mcqbeat](https://github.com/yedamao/mcqbeat)
+:   Reads the status of queues from memcacheq.
+
+[merakibeat](https://developer.cisco.com/codeexchange/github/repo/CiscoDevNet/merakibeat)
+:   Collects [wireless health](https://dashboard.meraki.com/api_docs#wireless-health) and users [location analytics](https://documentation.meraki.com/MR/Monitoring_and_Reporting/Scanning_API) data using Cisco  Meraki APIs.
+
+[mesosbeat](https://github.com/berfinsari/mesosbeat)
+:   Reads stats from the Mesos API and indexes them into Elasticsearch.
+
+[mongobeat](https://github.com/scottcrespo/mongobeat)
+:   Monitors MongoDB instances and can be configured to send multiple document types to Elasticsearch.
+
+[mqttbeat](https://github.com/nathan-K-/mqttbeat)
+:   Add messages from mqtt topics to Elasticsearch.
+
+[mysqlbeat](https://github.com/adibendahan/mysqlbeat)
+:   Run any query on MySQL and send results to Elasticsearch.
+
+[nagioscheckbeat](https://github.com/PhaedrusTheGreek/nagioscheckbeat)
+:   For Nagios checks and performance data.
+
+[natsbeat](https://github.com/nfvsap/natsbeat)
+:   Collects data from NATS monitoring endpoints
+
+[netatmobeat](https://github.com/radoondas/netatmobeat)
+:   Reads data from Netatmo weather station.
+
+[netbeat](https://github.com/hmschreck/netbeat)
+:   Reads configurable data from SNMP-enabled devices.
+
+[nginxbeat](https://github.com/mrkschan/nginxbeat)
+:   Reads status from Nginx.
+
+[nginxupstreambeat](https://github.com/2Fast2BCn/nginxupstreambeat)
+:   Reads upstream status from nginx upstream module.
+
+[nsqbeat](https://github.com/mschneider82/nsqbeat)
+:   Reads data from a NSQ topic.
+
+[nvidiagpubeat](https://github.com/eBay/nvidiagpubeat)
+:   Uses nvidia-smi to grab metrics of NVIDIA GPUs.
+
+[o365beat](https://github.com/counteractive/o365beat)
+:   Ships Office 365 logs from the O365 Management Activities API
+
+[openconfigbeat](https://github.com/aristanetworks/openconfigbeat)
+:   Streams data from [OpenConfig](http://openconfig.net)-enabled network devices
+
+[openvpnbeat](https://github.com/nabeel-shakeel/openvpnbeat)
+:   Collects OpenVPN connection metrics
+
+[owmbeat](https://github.com/radoondas/owmbeat)
+:   Open Weather Map beat to pull weather data from all around the world and store and visualize them in Elastic Stack
+
+[packagebeat](https://github.com/joehillen/packagebeat)
+:   Collects information about system packages from package managers.
+
+[perfstatbeat](https://github.com/WuerthIT/perfstatbeat)
+:   Collects performance metrics on the AIX operating system.
+
+[phishbeat](https://github.com/stric-co/phishbeat)
+:   Monitors Certificate Transparency logs for phishing and defamatory domains.
+
+[phpfpmbeat](https://github.com/kozlice/phpfpmbeat)
+:   Reads status from PHP-FPM.
+
+[pingbeat](https://github.com/joshuar/pingbeat)
+:   Sends ICMP pings to a list of targets and stores the round trip time (RTT) in Elasticsearch.
+
+[powermaxbeat](https://github.com/kckecheng/powermaxbeat)
+:   Collects performance metrics from Dell EMC PowerMax storage array.
+
+[processbeat](https://github.com/pawankt/processbeat)
+:   Collects process health status and performance.
+
+[prombeat](https://github.com/carlpett/prombeat)
+:   Indexes [Prometheus](https://prometheus.io) metrics.
+
+[prometheusbeat](https://github.com/infonova/prometheusbeat)
+:   Send Prometheus metrics to Elasticsearch via the remote write feature.
+
+[protologbeat](https://github.com/hartfordfive/protologbeat)
+:   Accepts structured and unstructured logs via UDP or TCP.  Can also be used to receive syslog messages or GELF formatted messages. (To be used as a successor to udplogbeat)
+
+[pubsubbeat](https://github.com/GoogleCloudPlatform/pubsubbeat)
+:   Reads data from [Google Cloud Pub/Sub](https://cloud.google.com/pubsub/).
+
+[redditbeat](https://github.com/voigt/redditbeat)
+:   Collects new Reddit Submissions of one or multiple Subreddits.
+
+[redisbeat](https://github.com/chrsblck/redisbeat)
+:   Used for Redis monitoring.
+
+[retsbeat](https://github.com/consulthys/retsbeat)
+:   Collects counts of [RETS](http://www.reso.org) resource/class records from [Multiple Listing Service](https://en.wikipedia.org/wiki/Multiple_listing_service) (MLS) servers.
+
+[rsbeat](https://github.com/yourdream/rsbeat)
+:   Ships redis slow logs to elasticsearch and analyze by Kibana.
+
+[safecastbeat](https://github.com/radoondas/safecastbeat)
+:   Pulls data from Safecast API and store them in Elasticsearch.
+
+[saltbeat](https://github.com/martinhoefling/saltbeat)
+:   Reads events from salt master event bus.
+
+[serialbeat](https://github.com/benben/serialbeat)
+:   Reads from a serial device.
+
+[servicebeat](https://github.com/Corwind/servicebeat)
+:   Send services status to Elasticsearch
+
+[springbeat](https://github.com/consulthys/springbeat)
+:   Collects health and metrics data from Spring Boot applications running with the actuator module.
+
+[springboot2beat](https://github.com/philkra/springboot2beat)
+:   Query and accumulate all metrics endpoints of a Spring Boot 2 web app via the web channel, leveraging the [mircometer.io](http://micrometer.io/) metrics facade.
+
+[statsdbeat](https://github.com/sentient/statsdbeat)
+:   Receives UDP [statsd](https://github.com/etsy/statsd/wiki) events from a statsd client.
+
+[supervisorctlbeat](https://github.com/Corwind/supervisorctlbeat.git)
+:   This beat aims to parse the supervisorctl status command output and send it to elasticsearch for indexation
+
+[terminalbeat](https://github.com/live-wire/terminalbeat)
+:   Runs an external command and forwards the [stdout](https://www.computerhope.com/jargon/s/stdout.htm) for the same to Elasticsearch/Logstash.
+
+[timebeat](https://timebeat.app/download.php)
+:   NTP and PTP clock synchonisation beat that reports accuracy metrics to elastic. Includes Kibana dashboards.
+
+[tracebeat](https://github.com/berfinsari/tracebeat)
+:   Reads traceroute output and indexes them into Elasticsearch.
+
+[trivybeat](https://github.com/DmitryZ-outten/trivybeat)
+:   Fetches Docker containers which are running on the same machine, scan CVEs of those containers using Trivy server and index them into Elasticsearch.
+
+[twitterbeat](https://github.com/buehler/go-elastic-twitterbeat)
+:   Reads tweets for specified screen names.
+
+[udpbeat](https://github.com/gravitational/udpbeat)
+:   Ships structured logs via UDP.
+
+[udplogbeat](https://github.com/hartfordfive/udplogbeat)
+:   Accept events via local UDP socket (in plain-text or JSON with ability to enforce schemas).  Can also be used for applications only supporting syslog logging.
+
+[unifiedbeat](https://github.com/cleesmith/unifiedbeat)
+:   Reads records from Unified2 binary files generated by network intrusion detection software and indexes the records in Elasticsearch.
+
+[unitybeat](https://github.com/kckecheng/unitybeat)
+:   Collects performance metrics from Dell EMC Unity storage array.
+
+[uwsgibeat](https://github.com/mrkschan/uwsgibeat)
+:   Reads stats from uWSGI.
+
+[varnishlogbeat](https://github.com/phenomenes/varnishlogbeat)
+:   Reads log data from a Varnish instance and ships it to Elasticsearch.
+
+[varnishstatbeat](https://github.com/phenomenes/varnishstatbeat)
+:   Reads stats data from a Varnish instance and ships it to Elasticsearch.
+
+[vaultbeat](https://gitlab.com/msvechla/vaultbeat)
+:   Collects performance metrics and statistics from Hashicorp’s Vault.
+
+[wmibeat](https://github.com/eskibars/wmibeat)
+:   Uses WMI to grab your favorite, configurable Windows metrics.
+
+[yarnbeat](https://github.com/IBM/yarnbeat)
+:   Polls YARN and MapReduce APIs for cluster and application metrics.
+
+[zfsbeat](https://github.com/maireanu/zfsbeat)
+:   Querying ZFS Storage and Pool Status
diff --git a/docs/reference/libbeat/config-file-format-cli.md b/docs/reference/libbeat/config-file-format-cli.md
new file mode 100644
index 000000000000..162806bc19da
--- /dev/null
+++ b/docs/reference/libbeat/config-file-format-cli.md
@@ -0,0 +1,41 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/libbeat/current/config-file-format-cli.html
+---
+
+# Command line arguments [config-file-format-cli]
+
+Config files to load are set using the `-c` flag on command line. If no flag is given, a beat and OS-specific default file path will be assumed.
+
+You can specify multiple configuration files by repeating the `-c` flag. You can use this, for example, for setting defaults in a base configuration file, and overwrite settings via local configuration files.
+
+In addition to overwriting settings using multiple configuration files, individual settings can be overwritten using `-E <setting>=<value>`. The `<value>` can be either a single value or a complex object, such as a list or dictionary.
+
+For example, given the following configuration:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  username: username
+  password: password
+```
+
+You can disable the Elasticsearch output and write all events to the console by setting:
+
+```sh
+-E output='{elasticsearch.enabled: false, console.pretty: true}'
+```
+
+Any complex objects that you specify at the command line are merged with the original configuration, and the following configuration is passed to the Beat:
+
+```yaml
+output.elasticsearch:
+  enabled: false
+  hosts: ["http://localhost:9200"]
+  username: username
+  password: password
+
+output.console:
+  pretty: true
+```
+
diff --git a/docs/reference/libbeat/config-file-format-env-vars.md b/docs/reference/libbeat/config-file-format-env-vars.md
new file mode 100644
index 000000000000..6dcb25579a22
--- /dev/null
+++ b/docs/reference/libbeat/config-file-format-env-vars.md
@@ -0,0 +1,80 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/libbeat/current/config-file-format-env-vars.html
+---
+
+# Environment variables [config-file-format-env-vars]
+
+You can use environment variable references in the config file to set values that need to be configurable during deployment. To do this, use:
+
+`${VAR}`
+
+Where `VAR` is the name of the environment variable.
+
+Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.
+
+To specify a default value, use:
+
+`${VAR:default_value}`
+
+Where `default_value` is the value to use if the environment variable is undefined.
+
+To specify custom error text, use:
+
+`${VAR:?error_text}`
+
+Where `error_text` is custom text that will be prepended to the error message if the environment variable cannot be expanded.
+
+If you need to use a special character in your configuration file, use `$` to escape the expansion. For example, you can escape `${` or `}` with `$${` or `$}`.
+
+After changing the value of an environment variable, you need to restart a Beat to pick up the new value.
+
+::::{note}
+You can also specify environment variables when you override a config setting from the command line by using the `-E` option. For example:
+
+`-E name=${NAME}`
+
+::::
+
+
+
+## Examples [_examples]
+
+Here are some examples of configurations that use environment variables and what each configuration looks like after replacement:
+
+| Config source | Environment setting | Config after replacement |
+| --- | --- | --- |
+| `name: ${NAME}` | `export NAME=elastic` | `name: elastic` |
+| `name: ${NAME}` | no setting | `name:` |
+| `name: ${NAME:beats}` | no setting | `name: beats` |
+| `name: ${NAME:beats}` | `export NAME=elastic` | `name: elastic` |
+| `name: ${NAME:?You need to set the NAME environment variable}` | no setting | None. Returns an error message that’s prepended with the custom text. |
+| `name: ${NAME:?You need to set the NAME environment variable}` | `export NAME=elastic` | `name: elastic` |
+
+
+## Specify complex objects in environment variables [_specify_complex_objects_in_environment_variables]
+
+You can specify complex objects, such as lists or dictionaries, in environment variables by using a JSON-like syntax.
+
+As with JSON, dictionaries and lists are constructed using `{}` and `[]`. But unlike JSON, the syntax allows for trailing commas and slightly different string quotation rules. Strings can be unquoted, single-quoted, or double-quoted, as a convenience for simple settings and to make it easier for you to mix quotation usage in the shell. Arrays at the top-level do not require brackets (`[]`).
+
+For example, the following environment variable is set to a list:
+
+```yaml
+ES_HOSTS="10.45.3.2:9220,10.45.3.1:9230"
+```
+
+You can reference this variable in the config file:
+
+```yaml
+output.elasticsearch:
+  hosts: '${ES_HOSTS}'
+```
+
+When a Beat loads the config file, it resolves the environment variable and replaces it with the specified list before reading the `hosts` setting.
+
+::::{note}
+Do not use double-quotes (`"`) to wrap regular expressions, or the backslash (`\`) will be interpreted as an escape character.
+::::
+
+
diff --git a/docs/reference/libbeat/config-file-format-namespacing.md b/docs/reference/libbeat/config-file-format-namespacing.md
new file mode 100644
index 000000000000..6343462d2d19
--- /dev/null
+++ b/docs/reference/libbeat/config-file-format-namespacing.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/libbeat/current/config-file-format-namespacing.html
+---
+
+# Namespacing [config-file-format-namespacing]
+
+All settings are structured using dictionaries and lists. Those are collapsed into "namespaced" settings, by creating a setting using the full path of the settings name and it’s parent structures names, when reading the configuration file.
+
+For example this setting:
+
+```yaml
+output:
+  elasticsearch:
+    index: 'beat-%{[agent.version]}-%{+yyyy.MM.dd}'
+```
+
+gets collapsed into `output.elasticsearch.index: 'beat-%{[agent.version]}-%{+yyyy.MM.dd}'`. The full name of a setting is based on all parent structures involved.
+
+Lists create numeric names starting with 0.
+
+For example this filebeat setting:
+
+```yaml
+filebeat:
+  inputs:
+    - type: log
+```
+
+Gets collapsed into `filebeat.inputs.0.type: log`.
+
+Alternatively to using indentation, setting names can be used in collapsed form too.
+
+Note: having two settings with same fully collapsed path is invalid.
+
+Simple filebeat example with partially collapsed setting names and use of compact form:
+
+```yaml
+filebeat.inputs:
+- type: log
+  paths: ["/var/log/*.log"]
+  multiline.pattern: '^['
+  multiline.match: after
+
+output.elasticsearch.hosts: ["http://localhost:9200"]
+```
+
diff --git a/docs/reference/libbeat/config-file-format-tips.md b/docs/reference/libbeat/config-file-format-tips.md
new file mode 100644
index 000000000000..59e1df4ad3e8
--- /dev/null
+++ b/docs/reference/libbeat/config-file-format-tips.md
@@ -0,0 +1,60 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/libbeat/current/config-file-format-tips.html
+---
+
+# YAML tips and gotchas [config-file-format-tips]
+
+The configuration file uses [YAML](http://yaml.org/) for its syntax. When you edit the file to modify configuration settings, there are a few things that you should know.
+
+
+## Use spaces for indentation [_use_spaces_for_indentation]
+
+Indentation is meaningful in YAML. Make sure that you use spaces, rather than tab characters, to indent sections.
+
+In the default configuration files and in all the examples in the documentation, we use 2 spaces per indentation level. We recommend you do the same.
+
+
+## Look at the default config file for structure [_look_at_the_default_config_file_for_structure]
+
+The best way to understand where to define a configuration option is by looking at the provided sample configuration files. The configuration files contain most of the default configurations that are available for the Beat. To change a setting, simply uncomment the line and change the values.
+
+
+## Test your config file [_test_your_config_file]
+
+You can test your configuration file to verify that the structure is valid. Simply change to the directory where the binary is installed, and run the Beat in the foreground with the `test config` command specified. For example:
+
+```shell
+beatname test config -c beatname.yml
+```
+
+You’ll see a message if the Beat finds an error in the file.
+
+
+## Wrap regular expressions in single quotation marks [_wrap_regular_expressions_in_single_quotation_marks]
+
+If you need to specify a regular expression in a YAML file, it’s a good idea to wrap the regular expression in single quotation marks to work around YAML’s tricky rules for string escaping.
+
+For more information about YAML, see [http://yaml.org/](http://yaml.org/).
+
+
+## Wrap paths in single quotation marks [wrap-paths-in-quotes]
+
+Windows paths in particular sometimes contain spaces or characters, such as drive letters or triple dots, that may be misinterpreted by the YAML parser.
+
+To avoid this problem, it’s a good idea to wrap paths in single quotation marks.
+
+
+## Avoid using leading zeros in numeric values [avoid-leading-zeros]
+
+If you use a leading zero (for example, `09`) in a numeric field without wrapping the value in single quotation marks, the value may be interpreted incorrectly by the YAML parser. If the value is a valid octal, it’s converted to an integer. If not, it’s converted to a float.
+
+To prevent unwanted type conversions, avoid using leading zeros in field values, or wrap the values in single quotation marks.
+
+
+## Avoid accidental template variable resolution [dollar-sign-strings]
+
+The templating engine that allows the config to resolve data from environment variables can result in errors in strings with `$` characters. For example, if a password field contains `$$`, the engine will resolve this to `$`.
+
+To work around this, either use the [keystore](/reference/filebeat/keystore.md) or escape all instances of `$` with `$$`.
+
diff --git a/docs/reference/libbeat/config-file-format-type.md b/docs/reference/libbeat/config-file-format-type.md
new file mode 100644
index 000000000000..9d5a3d094d52
--- /dev/null
+++ b/docs/reference/libbeat/config-file-format-type.md
@@ -0,0 +1,74 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/libbeat/current/config-file-format-type.html
+---
+
+# Config file data types [config-file-format-type]
+
+Values of configuration settings are interpreted as required by beats. If a value can not be correctly interpreted as the required type - for example a string is given when a number is required - the beat will fail to start up.
+
+## Boolean [_boolean]
+
+Boolean values can be either `true` or `false`. Alternative names for `true` are `yes` and `on`. Instead of `false` the values `no` and `off` can be used.
+
+```yaml
+enabled: true
+disabled: false
+```
+
+
+## Number [_number]
+
+Number values require you to enter the number to use without using single or double quotes. Some settings only support a restricted number range though.
+
+```yaml
+integer: 123
+negative: -1
+float: 5.4
+```
+
+
+## String [_string]
+
+In YAML[[http://www.yaml.org](http://www.yaml.org)], multiple styles of string definitions are supported: double-quoted, single-quoted, unquoted.
+
+The double-quoted style is specified by surrounding the string with `"`. This style provides support for escaping unprintable characters using `\`, but comes at the cost of having to escape `\` and `"` characters.
+
+The single-quoted style is specified by surrounding the string with `'`. This style supports no escaping (use `''` to quote a single quote). Only printable characters can be used when using this form.
+
+Unquoted style requires no quotes, but does not support any escaping plus care needs to be taken to not use any symbol that has a special meaning in YAML.
+
+Note: Single-quoted style is recommended when defining regular expressions, event format strings, windows file paths, or non-alphabetical symbolic characters.
+
+
+## Duration [_duration]
+
+Durations require a numeric value with optional fraction and required unit. Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`. Sometimes features based on durations can be disabled by using zero or negative durations.
+
+```yaml
+duration1: 2.5s
+duration2: 6h
+duration_disabled: -1s
+```
+
+
+## Regular expression [_regular_expression]
+
+Regular expressions are special strings getting compiled into regular expressions at load time.
+
+As regular expressions and YAML use `\` for escaping characters in strings, it’s highly recommended to use single quoted strings when defining regular expressions. When single quoted strings are used, `\` character is not interpreted by YAML parser as escape symbol.
+
+
+## Format String (sprintf) [_format_string_sprintf]
+
+Format strings enable you to refer to event field values creating a string based on the current event being processed. Variable expansions are enclosed in expansion braces `%{<accessor>:default value}`. Event fields are accessed using field references `[fieldname]`. Optional default values can be specified in case the field name is missing from the event.
+
+You can also format time stored in the `@timestamp` field using the `+FORMAT` syntax where FORMAT is a valid [time format](https://godoc.org/github.com/elastic/beats/libbeat/common/dtfmt).
+
+```yaml
+constant-format-string: 'constant string'
+field-format-string: '%{[fieldname]} string'
+format-string-with-date: '%{[fieldname]}-%{+yyyy.MM.dd}'
+```
+
+
diff --git a/docs/reference/libbeat/config-file-format.md b/docs/reference/libbeat/config-file-format.md
new file mode 100644
index 000000000000..7ed005ecee58
--- /dev/null
+++ b/docs/reference/libbeat/config-file-format.md
@@ -0,0 +1,64 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/libbeat/current/config-file-format.html
+---
+
+# Config file format [config-file-format]
+
+Beats config files are based on [YAML](http://www.yaml.org), a file format that is easier to read and write than other common data formats like XML or JSON. Config files must be encoded in UTF-8.
+
+In beats all YAML files start with a dictionary, an unordered collection of name/value pairs. In addition to dictionaries, YAML also supports lists, numbers, strings, and many other data types. All members of the same list or dictionary must have the same indentation level.
+
+Dictionaries are represented by simple `key: value` pairs all having the same indentation level. The colon after `key` must be followed by a space.
+
+```yaml
+name: John Doe
+age: 34
+country: Canada
+```
+
+Lists are introduced by dashes `- `. All list members will be lines beginning with `- ` at the same indentation level.
+
+```yaml
+- Red
+- Green
+- Blue
+```
+
+Lists and dictionaries are used in beats to build structured configurations.
+
+```yaml
+filebeat:
+  inputs:
+    - type: log
+      paths:
+        - /var/log/*.log
+      multiline:
+        pattern: '^['
+        match: after
+```
+
+Lists and dictionaries can also be represented in abbreviated form. Abbreviated form is somewhat similar to JSON using `{}` for dictionaries and `[]` for lists:
+
+```yaml
+person: {name: "John Doe", age: 34, country: "Canada"}
+colors: ["Red", "Green", "Blue"]
+```
+
+The following topics provide more detail to help you understand and work with config files in YAML:
+
+* [Namespacing](/reference/libbeat/config-file-format-namespacing.md)
+* [Config file data types](/reference/libbeat/config-file-format-type.md)
+* [Environment variables](/reference/libbeat/config-file-format-env-vars.md)
+* [Reference variables](/reference/libbeat/config-gile-format-refs.md)
+* [Config file ownership and permissions](/reference/libbeat/config-file-permissions.md)
+* [Command line arguments](/reference/libbeat/config-file-format-cli.md)
+* [YAML tips and gotchas](/reference/libbeat/config-file-format-tips.md)
+
+
+
+
+
+
+
+
diff --git a/docs/reference/libbeat/config-file-permissions.md b/docs/reference/libbeat/config-file-permissions.md
new file mode 100644
index 000000000000..b3e8bc8af395
--- /dev/null
+++ b/docs/reference/libbeat/config-file-permissions.md
@@ -0,0 +1,40 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/libbeat/current/config-file-permissions.html
+---
+
+# Config file ownership and permissions [config-file-permissions]
+
+::::{note}
+This section does not apply to Windows or other non-POSIX operating systems.
+::::
+
+
+On systems with POSIX file permissions, all Beats configuration files are subject to ownership and file permission checks. The purpose of these checks is to prevent unauthorized users from providing or modifying configurations that are run by the Beat. The owner of the configuration files must be either `root` or the user who is executing the Beat process. The permissions on each file must disallow writes by anyone other than the owner.
+
+When installed via an RPM or DEB package, the config file at `/etc/{{beatname}}/{beatname}.yml` will have the proper owner and permissions. The file is owned by `root` and has file permissions of `0644` (`-rw-r--r--`).
+
+You may encounter the following errors if your config file fails these checks:
+
+```sh
+Exiting: error loading config file: config file ("{beatname}.yml") must be
+owned by the beat user (uid=501) or root
+```
+
+To correct this problem you can use either `chown root {{beatname}}.yml` or `chown 501 {{beatname}}.yml` to change the owner of the configuration file.
+
+```sh
+Exiting: error loading config file: config file ("{beatname}.yml") can only be
+writable by the owner but the permissions are "-rw-rw-r--" (to fix the
+permissions use: 'chmod go-w /etc/{beatname}/{beatname}.yml')
+```
+
+To correct this problem, use `chmod go-w /etc/{{beatname}}/{beatname}.yml` to remove write privileges from anyone other than the owner.
+
+Other config files, such as the files in the `modules.d` directory, are subject to the same ownership and file permission checks.
+
+## Disabling strict permission checks [_disabling_strict_permission_checks]
+
+You can disable strict permission checks from the command line by using `--strict.perms=false`, but we strongly encourage you to leave the checks enabled.
+
+
diff --git a/docs/reference/libbeat/config-gile-format-refs.md b/docs/reference/libbeat/config-gile-format-refs.md
new file mode 100644
index 000000000000..08a48de1692d
--- /dev/null
+++ b/docs/reference/libbeat/config-gile-format-refs.md
@@ -0,0 +1,58 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/libbeat/current/config-gile-format-refs.html
+---
+
+# Reference variables [config-gile-format-refs]
+
+Beats settings can reference other settings splicing multiple optionally custom named settings into new values. References use the same syntax as [Environment variables](/reference/libbeat/config-file-format-env-vars.md) do. Only fully collapsed setting names can be referenced to.
+
+For example the filebeat registry file defaults to:
+
+```yaml
+filebeat.registry: ${path.data}/registry
+```
+
+With `path.data` being an implicit config setting, that is overridable from command line, as well as in the configuration file.
+
+Example referencing `es.host` in `output.elasticsearch.hosts`:
+
+```yaml
+es.host: '${ES_HOST:localhost}'
+
+output.elasticsearch:
+  hosts: ['http://${es.host}:9200']
+```
+
+Introducing `es.host`, the host can be overwritten from command line using `-E es.host=another-host`.
+
+Plain references, having no default value and are not spliced with other references or strings can reference complete namespaces.
+
+These setting with duplicate content:
+
+```yaml
+namespace1:
+  subnamespace:
+    host: localhost
+    sleep: 1s
+
+namespace2:
+  subnamespace:
+    host: localhost
+    sleep: 1s
+```
+
+can be rewritten to
+
+```yaml
+namespace1: ${shared}
+namespace2: ${shared}
+
+shared:
+  subnamespace:
+    host: localhost
+    sleep: 1s
+```
+
+when using plain references.
+
diff --git a/docs/reference/libbeat/contributing-to-beats.md b/docs/reference/libbeat/contributing-to-beats.md
new file mode 100644
index 000000000000..ff4d226eba87
--- /dev/null
+++ b/docs/reference/libbeat/contributing-to-beats.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/libbeat/current/contributing-to-beats.html
+---
+
+# Contribute to Beats [contributing-to-beats]
+
+The Beats are open source and we love to receive contributions from our community — you!
+
+There are many ways to contribute, from writing tutorials or blog posts, improving the documentation, submitting bug reports and feature requests, or writing code that implements a whole new protocol, module, or Beat.
+
+The [Beats Developer Guide](http://www.elastic.co/guide/en/beats/devguide/master/index.md) is your one-stop shop for everything related to developing code for the Beats project.
+
diff --git a/libbeat/docs/images/beats-platform.png b/docs/reference/libbeat/images/beats-platform.png
similarity index 100%
rename from libbeat/docs/images/beats-platform.png
rename to docs/reference/libbeat/images/beats-platform.png
diff --git a/libbeat/docs/images/confirm-index-template.png b/docs/reference/libbeat/images/confirm-index-template.png
similarity index 100%
rename from libbeat/docs/images/confirm-index-template.png
rename to docs/reference/libbeat/images/confirm-index-template.png
diff --git a/docs/reference/libbeat/upgrading.md b/docs/reference/libbeat/upgrading.md
new file mode 100644
index 000000000000..56951b8151bc
--- /dev/null
+++ b/docs/reference/libbeat/upgrading.md
@@ -0,0 +1,258 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/libbeat/current/upgrading.html
+---
+
+# Upgrade [upgrading]
+
+This section gives general recommendations for upgrading {{beats}} shippers:
+
+* [Upgrade between minor versions](#upgrade-minor-versions)
+* [Upgrade from 7.x to 8.x](#upgrade-7-to-8)
+* [Troubleshoot {{beats}} upgrade issues](#troubleshooting-upgrade)
+
+If you’re upgrading other products in the stack, also read the [Elastic Stack Installation and Upgrade Guide](docs-content://deploy-manage/index.md).
+
+
+## Upgrade between minor versions [upgrade-minor-versions]
+
+As a general rule, you can upgrade between minor versions (for example, 8.x to 8.y, where x < y) by simply installing the new release and restarting the Beat process. {{beats}} typically maintain backwards compatibility for configuration settings and exported fields. Please review the [release notes](/release-notes/index.md) for potential exceptions.
+
+Upgrading between non-consecutive major versions (e.g. 6.x to 8.x) is not supported.
+
+
+## Upgrade from 7.x to 8.x [upgrade-7-to-8]
+
+Before upgrading your {{beats}}, review the [breaking changes](/release-notes/breaking-changes.md) and the [*Release notes*](/release-notes/index.md).
+
+If you’re upgrading other products in the stack, also read the [Elastic Stack Installation and Upgrade Guide](docs-content://deploy-manage/index.md).
+
+We recommend that you fully upgrade {{es}} and {{kib}} to version 8.0 before upgrading {{beats}}. The {{beats}} version must be lower than or equal to the {{es}} version. {{beats}} cannot send data to older versions of {{es}}.
+
+If you use the Uptime app in {{kib}}, make sure you add `heartbeat-8*` and `synthetics-*` to **Uptime indices** on the [Settings page](docs-content://solutions/observability/apps/configure-settings.md). The first index is used by newer versions of a Beat, while the latter is used by {{fleet}}.
+
+If you’re on {{beats}} 7.0 through 7.16, upgrade the {{stack}} and {{beats}} to version 7.17 **before** proceeding with the 8.0 upgrade.
+
+Upgrading between non-consecutive major versions (e.g. 6.x to 8.x) is not supported.
+
+::::{important}
+Please read through all upgrade steps before proceeding. These steps are required before running the software for the first time.
+::::
+
+
+
+### Upgrade to {{beats}} 7.17 before upgrading to 8.0 [upgrade-to-7.17]
+
+The upgrade procedure assumes that you have {{beats}} 7.17 installed. If you’re on a previous 7.x version of {{beats}}, **upgrade to version 7.17 first**. If you’re using other products in the {{stack}}, upgrade {{beats}} as part of the [{{stack}} upgrade process](docs-content://deploy-manage/upgrade/deployment-or-cluster.md).
+
+After upgrading to 7.17, go to **Index Management** in {{kib}} and verify that the 7.17 index template has been loaded into {{es}}.
+
+:::{image} images/confirm-index-template.png
+:alt: Screen capture showing that metricbeat-1.17.0 index template is loaded
+:class: screenshot
+:::
+
+If the 7.17 index template is not loaded, load it now.
+
+If you created custom dashboards prior to version 7.17, you must upgrade them to 7.17 before proceeding. Otherwise, the dashboards will stop working because {{kib}} no longer provides the API used for dashboards in 7.x.
+
+
+### Upgrade {{beats}} binaries to 8.0 [upgrade-beats-binaries]
+
+Before upgrading:
+
+1. Stop the existing {{beats}} process by using the appropriate command for your system.
+2. Back up the `data` and `config` directories by copying them to another location.
+
+    ::::{tip}
+    The location of these directories depends on the installation method. To see the current paths, start the Beat from a terminal, and the `data` and `config` paths are printed at startup.
+    ::::
+
+
+To upgrade using a Debian or RPM package:
+
+* Use `rpm` or `dpkg` to install the new package. All files are installed in the appropriate location for the operating system and {{beats}} config files are not overwritten.
+
+To upgrade using a zip or compressed tarball:
+
+1. Extract the zip or tarball to a *new* directory. This is critical if you are not using external `config` and `data` directories.
+2. Set the following options in the {{beats}} configuration file:
+
+    * Set `path.config` to point to your external `config` directory. If you are not using an external `config` directory, copy your old configuration over to the new installation.
+    * Set `path.data` to point to your external data directory. If you are not using an external `data` directory, copy your old data directory over to the new installation.
+    * Set `path.logs` to point to the location where you want to store your logs. If you do not specify this setting, logs are stored in the directory you extracted the archive to.
+
+
+Complete the upgrade tasks described in the following sections **before** restarting the {{beats}} process.
+
+
+### Migrate configuration files [migrate-config-files]
+
+{{beats}} 8.0 comes with several backwards incompatible configuration changes. Before upgrading, review the [8.0](https://www.elastic.co/guide/en/beats/libbeat/8.x/breaking-changes-8.0.html) document. Also review the full list of breaking changes in the [Beats version 8.0.0](https://www.elastic.co/guide/en/beats/libbeat/8.x/release-notes-8.0.0.html).
+
+Where possible, we kept the old configuration options working, but deprecated them. However, deprecation was not always possible, so if you use any of the settings described under breaking changes, make sure you understand the alternatives that we provide.
+
+
+### Load the 8.0 {{es}} index templates [upgrade-index-template]
+
+Starting in version 8.0, the default {{es}} index templates configure data streams instead of traditional {{es}} indices. Data streams are optimized for storing append-only time series data. They are well-suited for logs, events, metrics, and other continuously generated data. However, unlike traditional {{es}} indices, data streams support create operations only; they do not support update and delete operations.
+
+To use data streams, load the default index templates **before** ingesting any data into {{es}}.
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+beatname setup --index-management
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+beatname setup --index-management
+```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+./beatname setup --index-management
+```
+::::::
+
+::::::{tab-item} Linux
+```sh
+./beatname setup --index-management
+```
+::::::
+
+::::::{tab-item} Docker
+```sh
+docker run --rm --net="host" docker.elastic.co/beats/beatname:9.0.0-beta1 setup --index-management
+```
+::::::
+
+::::::{tab-item} Windows
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed a Beat, and run:
+
+```sh
+PS > .\beatname.exe setup --index-management
+```
+::::::
+
+:::::::
+If you’re not collecting time series data, you can continue to use {{beats}} to send data to aliases and indices. To do this, create a custom index template and load it manually. To learn more about creating index templates, refer to [Index templates](docs-content://manage-data/data-store/templates.md).
+
+
+### Load 8.0 dashboards [load-8.0-dashboards]
+
+We recommend that you load the 8.0 {{kib}} dashboards after upgrading {{kib}} and {{beats}}. That way, you can take advantage of improvements added in 8.0. To load the dashboards, run:
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+beatname setup --dashboards
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+beatname setup --dashboards
+```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+./beatname setup --dashboards
+```
+::::::
+
+::::::{tab-item} Linux
+```sh
+./beatname setup --dashboards
+```
+::::::
+
+::::::{tab-item} Docker
+```sh
+docker run --rm --net="host" docker.elastic.co/beats/beatname:9.0.0-beta1 setup --dashboards
+```
+::::::
+
+::::::{tab-item} Windows
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed a Beat, and run:
+
+```sh
+PS > .\beatname.exe setup --dashboards
+```
+::::::
+
+:::::::
+
+### Migrate custom dashboards and visualizations [migrate-custom-dashboards]
+
+All Elastic {{beats}} send events with ECS-compliant field names. If you have any custom {{kib}} dashboards or visualizations that use old fields, adjust them now to use ECS field names.
+
+To learn more about ECS, refer to the [ECS overview](ecs://reference/index.md).
+
+::::{note}
+If you enabled the compatibility layer in 7.x (that is, if you set `migration.6_to_7.enabled: true`), make sure your custom dashboards no longer rely on the old aliases created by that setting. The old aliases are no longer supported. They may continue to work, but will be removed without notice in a future release.
+::::
+
+
+
+### Start your upgraded {{beats}} [start-beats]
+
+After you’ve completed the migration, start the upgraded Beat. Use the command that works with your system.
+
+Check the console and logs for errors.
+
+In {{kib}}, go to **Discover** and verify that events are streaming into {{es}}.
+
+
+## Troubleshoot {{beats}} upgrade issues [troubleshooting-upgrade]
+
+This section describes common problems you might encounter when upgrading to {{beats}} 8.x.
+
+You can avoid some of these problems by reading [Upgrade from 7.x to 8.x](#upgrade-7-to-8) before upgrading {{beats}}.
+
+
+### {{beats}} is unable to send update or deletion requests to a data stream [unable-to-update-or-delete]
+
+Data streams are designed for use cases where existing data is rarely, if ever, updated. You cannot send update or deletion requests for existing documents directly to a data stream.
+
+If needed, you can update or delete documents by submitting requests directly to the document’s backing index. To learn how, refer to the docs about [using a data stream](docs-content://manage-data/data-store/data-streams/use-data-stream.md).
+
+
+### Timestamp field is missing [missing-timestamp-field]
+
+{{beats}} requires a timestamp field to send data to data streams. If the timestamp field added by {{beats}} is inadvertently removed by a processor, {{beats}} will be unable to index the event. To fix the problem, modify your processor configuration to avoid removing the timestamp field.
+
+
+### Missing fields or too many fields in the index [missing-fields]
+
+You may have run the Beat before loading the required index template. To clean up and start again:
+
+1. Delete the index that was created when you ran the Beat. For example:
+
+    ```sh
+    DELETE metricbeat-9.0.0-beta1-2019.04.02*
+    ```
+
+    ::::{warning}
+    Be careful when using wildcards to delete indices. Make sure the pattern matches only the indices you want to delete. The example shown here deletes all data indexed into the metricbeat-9.0.0-beta1 indices on 2019.04.02.
+    ::::
+
+2. Delete the index template that was loaded earlier. For example:
+
+    ```sh
+    DELETE /_index_template/metricbeat-9.0.0-beta1
+    ```
+
+3. Load the correct index template. See [Load the 8.0 {{es}} index templates](#upgrade-index-template).
+4. Restart {{beats}}.
+
diff --git a/docs/reference/loggingplugin/elastic-logging-plugin-for-docker.md b/docs/reference/loggingplugin/elastic-logging-plugin-for-docker.md
new file mode 100644
index 000000000000..2be0dd40b9c8
--- /dev/null
+++ b/docs/reference/loggingplugin/elastic-logging-plugin-for-docker.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/loggingplugin/current/log-driver-overview.html
+  - https://www.elastic.co/guide/en/beats/loggingplugin/current/index.html
+---
+
+# Elastic logging plugin for Docker [log-driver-overview]
+
+The Elastic Logging Plugin is a Docker plugin that sends container logs to the [{{stack}}](https://www.elastic.co/elastic-stack), where you can search, analyze, and visualize the data in real time.
+
+The Elastic Logging Plugin is built on top of the [{{beats}}](https://www.elastic.co/beats) platform and supports many of the features and outputs supported by the {{beats}} shippers.
+
+Beat users: see [*Known problems and limitations*](/reference/loggingplugin/log-driver-limitations.md).
+
diff --git a/docs/reference/loggingplugin/log-driver-configuration.md b/docs/reference/loggingplugin/log-driver-configuration.md
new file mode 100644
index 000000000000..e6563c941812
--- /dev/null
+++ b/docs/reference/loggingplugin/log-driver-configuration.md
@@ -0,0 +1,126 @@
+---
+navigation_title: "Configuration options"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/loggingplugin/current/log-driver-configuration.html
+---
+
+# Elastic Logging Plugin configuration options [log-driver-configuration]
+
+
+Use the following options to configure the Elastic Logging Plugin for Docker. You can pass these options with the `--log-opt` flag when you start a container, or you can set them in the `daemon.json` file for all containers.
+
+* [{{ecloud}} options](#cloud-options)
+* [{{es}} output options](#es-output-options)
+
+
+## Usage examples [_usage_examples]
+
+To set configuration options when you start a container:
+
+```sh
+docker run --log-driver=elastic/elastic-logging-plugin:9.0.0-beta1 \
+           --log-opt hosts="https://myhost:9200" \
+           --log-opt user="myusername" \
+           --log-opt password="mypassword" \
+           -it debian:jessie /bin/bash
+```
+
+To set configuration options for all containers in the `daemon.json` file:
+
+```json
+{
+  "log-driver" : "elastic/elastic-logging-plugin:9.0.0-beta1",
+  "log-opts" : {
+    "hosts" : "https://myhost:9200",
+    "user" : "myusername",
+    "password" : "mypassword"
+  }
+}
+```
+
+For more examples, see [Usage examples](/reference/loggingplugin/log-driver-usage-examples.md).
+
+
+## {{ecloud}} options [cloud-options]
+
+| Option | Description |
+| --- | --- |
+| `cloud_id` | The Cloud ID found in the Elastic Cloud web console. This ID isused to resolve the {{stack}} URLs when connecting to {{ess}} on {{ecloud}}. |
+| `cloud_auth` | The username and password combination for connecting to {{ess}} on {{ecloud}}. Theformat is `"username:password"`. |
+
+
+## {{es}} output options [es-output-options]
+
+| Option | Default | Description |
+| --- | --- | --- |
+| `hosts` | `"localhost:9200"` | The list of {{es}} nodes to connect to. Specify each node as a `URL` or`IP:PORT`. For example: `http://192.0.2.0`, `https://myhost:9230` or`192.0.2.0:9300`. If no port is specified, the default is `9200`. |
+| `user` |  | The basic authentication username for connecting to {{es}}. |
+| `password` |  | The basic authentication password for connecting to {{es}}. |
+| `index` |  | A [format string](/reference/libbeat/config-file-format-type.md#_format_string_sprintf)value that specifies the index to write events to when you’re using dailyindices. For example: `"dockerlogs-%{+yyyy.MM.dd}"`. |
+| **Advanced:** |
+| `name` | `testbeat` | A custom value that will be inserted into the document as `agent.name`.If not set, it will be the hostname of Docker host. |
+| `backoff_init` | `1s` | The number of seconds to wait before trying to reconnect to {{es}} aftera network error. After waiting `backoff.init` seconds, the Elastic Logging Plugintries to reconnect. If the attempt fails, the backoff timer is increasedexponentially up to `backoff.max`. After a successful connection, the backofftimer is reset. |
+| `backoff_max` | `60s` | The maximum number of seconds to wait before attempting to connect to{{es}} after a network error. |
+| `api_key` |  | Instead of using usernames and passwords,you can use API keys to secure communication with {{es}}. |
+| `pipeline` |  | A format string value that specifies the {{es}} ingest pipeline to write events to. |
+| `timeout` | `90` | The http request timeout in seconds for the Elasticsearch request. |
+| `proxy_url` |  | The URL of the proxy to use when connecting to the Elasticsearch servers. Thevalue may be either a complete URL or a `host[:port]`, in which case the `http`scheme is assumed. If a value is not specified through the configuration filethen proxy environment variables are used. See the[Go documentation](https://golang.org/pkg/net/http/#ProxyFromEnvironment)for more information about the environment variables. |
+
+
+## Configuring the local log [local-log-opts]
+
+This plugin fully supports `docker logs`, and it maintains a local copy of logs that can be read without a connection to Elasticsearch. The plugin mounts the `/var/lib/docker` directory on the host to write logs to `/var/log/containers` on the host. If you want to change the log location on the host, you must change the mount inside the plugin:
+
+1. Disable the plugin:
+
+    ```sh
+    docker plugin disable elastic/elastic-logging-plugin:9.0.0-beta1
+    ```
+
+2. Set the bindmount directory:
+
+    ```sh
+    docker plugin set elastic/elastic-logging-plugin:9.0.0-beta1 LOG_DIR.source=NEW_LOG_LOCATION
+    ```
+
+3. Enable the plugin:
+
+    ```sh
+    docker plugin enable elastic/elastic-logging-plugin:9.0.0-beta1
+    ```
+
+
+The local log also supports the `max-file`, `max-size` and `compress` options that are [a part of the Docker default file logger](https://docs.docker.com/config/containers/logging/json-file/#options). For example:
+
+```sh
+docker run --log-driver=elastic/elastic-logging-plugin:9.0.0-beta1 \
+           --log-opt hosts="myhost:9200" \
+           --log-opt user="myusername" \
+           --log-opt password="mypassword" \
+           --log-opt max-file=10 \
+           --log-opt max-size=5M \
+           --log-opt compress=true \
+           -it debian:jessie /bin/bash
+```
+
+In situations where logs can’t be easily managed, for example, you can also configure the plugin to remove log files when a container is stopped. This will prevent you from reading logs on a stopped container, but it will rotate logs without user intervention. To enable removal of logs for stopped containers, you must change the `DESTROY_LOGS_ON_STOP` environment variable:
+
+1. Disable the plugin:
+
+    ```sh
+    docker plugin disable elastic/elastic-logging-plugin:9.0.0-beta1
+    ```
+
+2. Enable log removal:
+
+    ```sh
+    docker plugin set elastic/elastic-logging-plugin:9.0.0-beta1 DESTROY_LOGS_ON_STOP=true
+    ```
+
+3. Enable the plugin:
+
+    ```sh
+    docker plugin enable elastic/elastic-logging-plugin:9.0.0-beta1
+    ```
+
+
diff --git a/docs/reference/loggingplugin/log-driver-installation.md b/docs/reference/loggingplugin/log-driver-installation.md
new file mode 100644
index 000000000000..ec565e44a629
--- /dev/null
+++ b/docs/reference/loggingplugin/log-driver-installation.md
@@ -0,0 +1,94 @@
+---
+navigation_title: "Install and configure"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/loggingplugin/current/log-driver-installation.html
+---
+
+# Install and configure the Elastic Logging Plugin [log-driver-installation]
+
+
+
+## Before you begin [_before_you_begin]
+
+Make sure your system meets the following prerequisites:
+
+* Docker: Engine API 1.25 or later
+* {{stack}}: Version 7.6.0 or later
+
+
+## Step 1: Install the Elastic Logging Plugin plugin [_step_1_install_the_elastic_logging_plugin_plugin]
+
+1. Install the plugin. You can install it from the Docker store (recommended), or build and install the plugin from source in the [beats](https://github.com/elastic/beats) GitHub repo.
+
+    **To install from the Docker store:**
+
+    ```sh
+    docker plugin install elastic/elastic-logging-plugin:9.0.0-beta1
+    ```
+
+    **To build and install from source:**
+
+    [Set up your development environment](/extend/index.md#setting-up-dev-environment) as described in the *Beats Developer Guide* then run:
+
+    ```shell
+    cd x-pack/dockerlogbeat
+    mage BuildAndInstall
+    ```
+
+2. If necessary, enable the plugin:
+
+    ```sh
+    docker plugin enable elastic/elastic-logging-plugin:9.0.0-beta1
+    ```
+
+3. Verify that the plugin is installed and enabled:
+
+    ```shell
+    docker plugin ls
+    ```
+
+    The output should say something like:
+
+    ```sh
+    ID                  NAME                                   DESCRIPTION              ENABLED
+    c2ff9d2cf090        elastic/elastic-logging-plugin:9.0.0-beta1   A beat for docker logs   true
+    ```
+
+
+
+## Step 2: Configure the Elastic Logging Plugin [_step_2_configure_the_elastic_logging_plugin]
+
+You can set configuration options for a single container, or for all containers running on the host. See [Configuration options](/reference/loggingplugin/log-driver-configuration.md) for a list of supported configuration options.
+
+**To configure a single container:**
+
+Pass configuration options at run time when you start the container. For example:
+
+```sh
+docker run --log-driver=elastic/elastic-logging-plugin:9.0.0-beta1 \
+           --log-opt hosts="https://myhost:9200" \
+           --log-opt user="myusername" \
+           --log-opt password="mypassword" \
+           -it debian:jessie /bin/bash
+```
+
+**To configure all containers running on the host:**
+
+Set configuration options in the Docker `daemon.json` configuration file. For example:
+
+```json
+{
+  "log-driver" : "elastic/elastic-logging-plugin:9.0.0-beta1",
+  "log-opts" : {
+    "hosts" : "https://myhost:9200",
+    "user" : "myusername",
+    "password" : "mypassword"
+  }
+}
+```
+
+::::{note}
+The default location of the `daemon.json` file varies by platform. On Linux, the default location is `/etc/docker/daemon.json`. For more information, see the [Docker docs](https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file).
+::::
+
+
diff --git a/docs/reference/loggingplugin/log-driver-limitations.md b/docs/reference/loggingplugin/log-driver-limitations.md
new file mode 100644
index 000000000000..eef1d5bc82a0
--- /dev/null
+++ b/docs/reference/loggingplugin/log-driver-limitations.md
@@ -0,0 +1,12 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/loggingplugin/current/log-driver-limitations.html
+---
+
+# Known problems and limitations [log-driver-limitations]
+
+This release of the Elastic Logging Plugin has the following known problems and limitations:
+
+* Spool to disk (beta) is not supported.
+* Mapping templates and other assets that are normally installed by the {{beats}} setup are not available.
+
diff --git a/docs/reference/loggingplugin/log-driver-usage-examples.md b/docs/reference/loggingplugin/log-driver-usage-examples.md
new file mode 100644
index 000000000000..801029b94899
--- /dev/null
+++ b/docs/reference/loggingplugin/log-driver-usage-examples.md
@@ -0,0 +1,90 @@
+---
+navigation_title: "Usage examples"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/loggingplugin/current/log-driver-usage-examples.html
+---
+
+# Elastic Logging Plugin usage examples [log-driver-usage-examples]
+
+
+The following examples show common configurations for the Elastic Logging Plugin.
+
+
+## Send Docker logs to {{es}} [_send_docker_logs_to_es]
+
+**Docker run command:**
+
+```sh
+docker run --log-driver=elastic/elastic-logging-plugin:9.0.0-beta1 \
+           --log-opt hosts="myhost:9200" \
+           --log-opt user="myusername" \
+           --log-opt password="mypassword" \
+           -it debian:jessie /bin/bash
+```
+
+**Daemon configuration:**
+
+```json
+{
+  "log-driver" : "elastic/elastic-logging-plugin:9.0.0-beta1",
+  "log-opts" : {
+    "hosts" : "myhost:9200",
+    "user" : "myusername",
+    "password" : "mypassword",
+  }
+}
+```
+
+
+## Send Docker logs to {{ess}} on {{ecloud}} [_send_docker_logs_to_ess_on_ecloud]
+
+**Docker run command:**
+
+```sh
+docker run --log-driver=elastic/elastic-logging-plugin:9.0.0-beta1 \
+           --log-opt cloud_id="MyElasticStack:daMbY2VudHJhbDekZ2NwLmN4b3VkLmVzLmliJDVkYmQwtGJiYjs0NTRiN4Q5ODJmNGUwm1IxZmFkNjM5JDFiNjdkMDE4MTgxMTQzNTM5ZGFiYWJjZmY0OWIyYWE5" \
+           --log-opt cloud_auth="myusername:mypassword" \
+           -it debian:jessie /bin/bash
+```
+
+**Daemon configuration:**
+
+```json
+{
+  "log-driver" : "elastic/elastic-logging-plugin:9.0.0-beta1",
+  "log-opts" : {
+    "cloud_id" : "MyElasticStack:daMbY2VudHJhbDekZ2NwLmN4b3VkLmVzLmliJDVkYmQwtGJiYjs0NTRiN4Q5ODJmNGUwm1IxZmFkNjM5JDFiNjdkMDE4MTgxMTQzNTM5ZGFiYWJjZmY0OWIyYWE5",
+    "cloud_auth" : "myusername:mypassword",
+    "output.elasticsearch.index" : "elastic-log-driver-%{+yyyy.MM.dd}"
+  }
+}
+```
+
+
+## Specify a custom index and template [_specify_a_custom_index_and_template]
+
+**Docker run command:**
+
+```sh
+docker run --log-driver=elastic/elastic-logging-plugin:9.0.0-beta1 \
+           --log-opt hosts="myhost:9200" \
+           --log-opt user="myusername" \
+           --log-opt password="mypassword" \
+           --log-opt index="eld-%{[agent.version]}-%{+yyyy.MM.dd}" \
+           -it debian:jessie /bin/bash
+```
+
+**Daemon configuration:**
+
+```json
+{
+  "log-driver" : "elastic/elastic-logging-plugin:9.0.0-beta1",
+  "log-opts" : {
+    "hosts" : "myhost:9200",
+    "user" : "myusername",
+    "index" : "eld-%{[agent.version]}-%{+yyyy.MM.dd}",
+    "password" : "mypassword",
+  }
+}
+```
+
diff --git a/docs/reference/metricbeat/_galera_status_metricset.md b/docs/reference/metricbeat/_galera_status_metricset.md
new file mode 100644
index 000000000000..047231b7d285
--- /dev/null
+++ b/docs/reference/metricbeat/_galera_status_metricset.md
@@ -0,0 +1,102 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/_galera_status_metricset.html
+---
+
+# galera status MetricSet [_galera_status_metricset]
+
+This is the status metricset of the module galera.
+
+Note: The galera_status metricset is in beta as we might merge it with the status metricset and we don’t have tests for it yet.
+
+## Fields [_fields_184]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-mysql.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"host.example.com",
+        "name":"host.example.com"
+    },
+    "metricset":{
+        "host":"localhost:3306",
+        "module":"mysql",
+        "name":"galera_status",
+        "rtt":44269
+    },
+    "mysql":{
+        "galera_status":{
+            "apply": {
+                "oooe": 0,
+                "oool": 0,
+                "window": 1
+            },
+            "connected": "ON",
+            "flow_ctl": {
+                "recv": 0,
+                "sent": 0,
+                "paused": 0,
+                "paused_ns": 0
+            },
+            "ready": "ON",
+            "received": {
+                "count": 173,
+                "bytes": 152425
+            },
+            "local": {
+                "state": "Synced",
+                "bf_aborts": 0,
+                "cert_failures": 0,
+                "commits": 1325,
+                "recv": {
+                    "queue_max": 2,
+                    "queue_min": 0,
+                    "queue": 0,
+                    "queue_avg": 0.011561
+                },
+                "replays": 0,
+                "send": {
+                    "queue_min": 0,
+                    "queue": 0,
+                    "queue_avg": 0,
+                    "queue_max": 1
+                }
+            },
+            "evs": {
+                "evict": "",
+                "state": "OPERATIONAL"
+            },
+            "repl": {
+                "bytes": 1689804,
+                "data_bytes": 1540647,
+                "keys": 4170,
+                "keys_bytes": 63973,
+                "other_bytes": 0,
+                "count": 1331
+            },
+            "commit": {
+                "oooe": 0,
+                "window": 1
+            },
+            "cluster": {
+                "conf_id": 930,
+                "size": 3,
+                "status": "Primary"
+            },
+            "last_committed": 23944,
+            "cert": {
+                "deps_distance": 43.524557,
+                "index_size": 22,
+                "interval": 0
+            }
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/_host_setup.md b/docs/reference/metricbeat/_host_setup.md
new file mode 100644
index 000000000000..641681b55c13
--- /dev/null
+++ b/docs/reference/metricbeat/_host_setup.md
@@ -0,0 +1,115 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/_host_setup.html
+---
+
+# Host Setup [_host_setup]
+
+Some drivers require additional configuration to work. Find here instructions for these drivers.
+
+## Oracle Database Connection Pre-requisites [_oracle_database_connection_pre_requisites]
+
+To get connected with the Oracle Database `ORACLE_SID`, `ORACLE_BASE`, `ORACLE_HOME` environment variables should be set.
+
+For example: Let us consider Oracle Database 21c installation using RPM manually by following [this](https://docs.oracle.com/en/database/oracle/oracle-database/21/ladbi/running-rpm-packages-to-install-oracle-database.html) link, environment variables should be set as follows:
+
+```bash
+export ORACLE_BASE=/opt/oracle/oradata
+export ORACLE_HOME=/opt/oracle/product/21c/dbhome_1
+```
+
+Also, add `ORACLE_HOME/bin` to the `PATH` environment variable.
+
+### Oracle Instant Client Installation [_oracle_instant_client_installation]
+
+Oracle Instant Client enables the development and deployment of applications that connect to the Oracle Database. The Instant Client libraries provide the necessary network connectivity and advanced data features to make full use of the Oracle Database. If you have an OCI Oracle server which comes with these libraries pre-installed, you don’t need a separate client installation.
+
+The OCI library installs a few Client Shared Libraries that must be referenced on the machine where Metricbeat is installed. Please follow [this](https://docs.oracle.com/en/database/oracle/oracle-database/21/lacli/install-instant-client-using-zip.html#GUID-D3DCB4FB-D3CA-4C25-BE48-3A1FB5A22E84) link for OCI Instant Client set up. The OCI Instant Client is available with the Oracle Universal Installer, RPM file or ZIP file. Download links can be found at [here](https://www.oracle.com/database/technologies/instant-client/downloads.html).
+
+
+### Enable Oracle Listener [_enable_oracle_listener]
+
+The Oracle listener is a service that runs on the database host and receives requests from Oracle clients. Make sure that [listener](https://docs.oracle.com/cd/B19306_01/network.102/b14213/lsnrctl.htm) should be running. To check if the listener is running or not, run:
+
+```bash
+lsnrctl STATUS
+```
+
+If the listener is not running, use the command to start:
+
+```bash
+lsnrctl START
+```
+
+Then, Metricbeat can be launched.
+
+
+### Host Configuration for Oracle [_host_configuration_for_oracle]
+
+The following types of host configuration are supported:
+
+1. An old-style Oracle connection string, for backwards compatibility:
+
+    1. `hosts: ["user/pass@0.0.0.0:1521/ORCLPDB1.localdomain"]`
+    2. `hosts: ["user/password@0.0.0.0:1521/ORCLPDB1.localdomain as sysdba"]`
+
+2. DSN configuration as a URL:
+
+    1. `hosts: ["oracle://user:pass@0.0.0.0:1521/ORCLPDB1.localdomain?sysdba=1"]`
+
+3. DSN configuration as a logfmt-encoded parameter list:
+
+    1. `hosts: ['user="user" password="pass" connectString="0.0.0.0:1521/ORCLPDB1.localdomain"']`
+    2. `hosts: ['user="user" password="password" connectString="host:port/service_name" sysdba=true']`
+
+
+DSN host configuration is the recommended configuration type as it supports the use of special characters in the password.
+
+In a URL any special characters should be URL encoded.
+
+In the logfmt-encoded DSN format, if the password contains a backslash character (`\`), it must be escaped with another backslash. For example, if the password is `my\_password`, it must be written as `my\\_password`.
+
+The username and password to connect to the database can be provided as values to the `username` and `password` keys of `sql.yml`.
+
+```yaml
+- module: sql
+  metricsets:
+    - query
+  period: 10s
+  driver: "oracle"
+  enabled: true
+  hosts: ['user="" password="" connectString="0.0.0.0:1521/ORCLCDB.localdomain" sysdba=true']
+  username: sys
+  password: password
+  sql_queries:
+  - query: SELECT METRIC_NAME, VALUE FROM V$SYSMETRIC WHERE GROUP_ID = 2 and METRIC_NAME LIKE '%'
+    response_format: variables
+```
+
+
+## Example configuration [_example_configuration_59]
+
+The SQL module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: sql
+  metricsets:
+    - query
+  period: 10s
+  hosts: ["user=myuser password=mypassword dbname=mydb sslmode=disable"]
+
+  driver: "postgres"
+  sql_query: "select now()"
+  sql_response_format: table
+```
+
+
+## Metricsets [_metricsets_68]
+
+The following metricsets are available:
+
+* [query](/reference/metricbeat/metricbeat-metricset-sql-query.md)
+
+
+
diff --git a/docs/reference/metricbeat/_live_reloading.md b/docs/reference/metricbeat/_live_reloading.md
new file mode 100644
index 000000000000..93f9745a732a
--- /dev/null
+++ b/docs/reference/metricbeat/_live_reloading.md
@@ -0,0 +1,37 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/_live_reloading.html
+---
+
+# Live reloading [_live_reloading]
+
+You can configure Metricbeat to dynamically reload configuration files when there are changes. To do this, you specify a path ([Glob](https://golang.org/pkg/path/filepath/#Glob)) to watch for module configuration changes. When the files found by the Glob change, new modules are started/stopped according to changes in the configuration files.
+
+This feature is especially useful in container environments where one container is used to monitor all services running in other containers on the same host. Because new containers appear and disappear dynamically, you may need to change the Metricbeat configuration frequently to specify which modules are needed and which hosts must be monitored.
+
+To enable dynamic config reloading, you specify the `path` and `reload` options under `metricbeat.config.modules` in the main `metricbeat.yml` config file. For example:
+
+```yaml
+metricbeat.config.modules:
+  path: ${path.config}/modules.d/*.yml
+  reload.enabled: true
+  reload.period: 10s
+```
+
+`path`
+:   A Glob that defines the files to check for changes.
+
+    This setting must point to the `modules.d` directory if you want to use the [`modules`](/reference/metricbeat/command-line-options.md#modules-command) command to enable and disable module configurations.
+
+
+`reload.enabled`
+:   When set to `true`, enables dynamic config reload.
+
+`reload.period`
+:   Specifies how often the files are checked for changes. Do not set the `period` to less than 1s because the modification time of files is often stored in seconds. Setting the `period` to less than 1s will result in unnecessary overhead.
+
+::::{note}
+On systems with POSIX file permissions, all Beats configuration files are subject to ownership and file permission checks. For more information, see [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::
+
+
diff --git a/docs/reference/metricbeat/_metricsets_70.md b/docs/reference/metricbeat/_metricsets_70.md
new file mode 100644
index 000000000000..8e43f833c491
--- /dev/null
+++ b/docs/reference/metricbeat/_metricsets_70.md
@@ -0,0 +1,35 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/master/_metricsets_70.html
+---
+
+# Metricsets [_metricsets_70]
+
+Currently, there is only `server` metricset in `statsd` module.
+
+
+### `server` [_server]
+
+The metricset collects metric data sent using UDP and publishes them under the `statsd` prefix.
+
+
+## Example configuration [_example_configuration_61]
+
+The Statsd module supports the standard configuration options that are described in [Modules](configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: statsd
+  host: "localhost"
+  port: "8125"
+  enabled: false
+  #ttl: "30s"
+```
+
+
+## Metricsets [_metricsets_71]
+
+The following metricsets are available:
+
+* [server](metricbeat-metricset-statsd-server.md)
+
diff --git a/docs/reference/metricbeat/add-cloud-metadata.md b/docs/reference/metricbeat/add-cloud-metadata.md
new file mode 100644
index 000000000000..48b11c646f25
--- /dev/null
+++ b/docs/reference/metricbeat/add-cloud-metadata.md
@@ -0,0 +1,205 @@
+---
+navigation_title: "add_cloud_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/add-cloud-metadata.html
+---
+
+# Add cloud metadata [add-cloud-metadata]
+
+
+The `add_cloud_metadata` processor enriches each event with instance metadata from the machine’s hosting provider. At startup it will query a list of hosting providers and cache the instance metadata.
+
+The following cloud providers are supported:
+
+* Amazon Web Services (AWS)
+* Digital Ocean
+* Google Compute Engine (GCE)
+* [Tencent Cloud](https://www.qcloud.com/?lang=en) (QCloud)
+* Alibaba Cloud (ECS)
+* Huawei Cloud (ECS)
+* Azure Virtual Machine
+* Openstack Nova
+* Hetzner Cloud
+
+
+## Special notes [_special_notes]
+
+`huawei` is an alias for `openstack`. Huawei cloud runs on OpenStack platform, and when viewed from a metadata API standpoint, it is impossible to differentiate it from OpenStack. If you know that your deployments run on Huawei Cloud exclusively, and you wish to have `cloud.provider` value as `huawei`, you can achieve this by overwriting the value using an `add_fields` processor.
+
+The Alibaba Cloud and Tencent cloud providers are disabled by default, because they require to access a remote host. The `providers` setting allows users to select a list of default providers to query.
+
+Cloud providers tend to maintain metadata services compliant with other cloud providers. For example, Openstack supports [EC2 compliant metadat service](https://docs.openstack.org/nova/latest/user/metadata.html#ec2-compatible-metadata). This makes it impossible to differentiate cloud provider (`cloud.provider` property) with auto discovery (when `providers` configuration is omitted). The processor implementation incorporates a priority mechanism where priority is given to some providers over others when there are multiple successful metadata results. Currently, `aws/ec2` and `azure` have priority over any other provider as their metadata retrival rely on SDKs. The expectation here is that SDK methods should fail if run in an environment not configured accordingly (ex:- missing configurations or credentials).
+
+
+## Configurations [_configurations]
+
+The simple configuration below enables the processor.
+
+```yaml
+processors:
+  - add_cloud_metadata: ~
+```
+
+The `add_cloud_metadata` processor has three optional configuration settings. The first one is `timeout` which specifies the maximum amount of time to wait for a successful response when detecting the hosting provider. The default timeout value is `3s`.
+
+If a timeout occurs then no instance metadata will be added to the events. This makes it possible to enable this processor for all your deployments (in the cloud or on-premise).
+
+The second optional setting is `providers`. The `providers` settings accepts a list of cloud provider names to be used. If `providers` is not configured, then all providers that do not access a remote endpoint are enabled by default. The list of providers may alternatively be configured with the environment variable `BEATS_ADD_CLOUD_METADATA_PROVIDERS`, by setting it to a comma-separated list of provider names.
+
+List of names the `providers` setting supports:
+
+* "alibaba", or "ecs" for the Alibaba Cloud provider (disabled by default).
+* "azure" for Azure Virtual Machine (enabled by default). If the virtual machine is part of an AKS managed cluster, the fields `orchestrator.cluster.name` and `orchestrator.cluster.id` can also be retrieved. "TENANT_ID", "CLIENT_ID" and "CLIENT_SECRET" environment variables need to be set for authentication purposes. If not set we fallback to [DefaultAzureCredential](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication?tabs=bash#2-authenticate-with-azure) and user can choose different authentication methods (e.g. workload identity).
+* "digitalocean" for Digital Ocean (enabled by default).
+* "aws", or "ec2" for Amazon Web Services (enabled by default).
+* "gcp" for Google Copmute Enging (enabled by default).
+* "openstack", "nova", or "huawei" for Openstack Nova (enabled by default).
+* "openstack-ssl", or "nova-ssl" for Openstack Nova when SSL metadata APIs are enabled (enabled by default).
+* "tencent", or "qcloud" for Tencent Cloud (disabled by default).
+* "hetzner" for Hetzner Cloud (enabled by default).
+
+For example, configuration below only utilize `aws` metadata retrival mechanism,
+
+```yaml
+processors:
+  - add_cloud_metadata:
+      providers:
+        aws
+```
+
+The third optional configuration setting is `overwrite`. When `overwrite` is `true`, `add_cloud_metadata` overwrites existing `cloud.*` fields (`false` by default).
+
+The `add_cloud_metadata` processor supports SSL options to configure the http client used to query cloud metadata. See [SSL](/reference/metricbeat/configuration-ssl.md) for more information.
+
+
+## Provided metadata [_provided_metadata]
+
+The metadata that is added to events varies by hosting provider. Below are examples for each of the supported providers.
+
+*AWS*
+
+Metadata given below are extracted from [instance identity document](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html),
+
+```json
+{
+  "cloud": {
+    "account.id": "123456789012",
+    "availability_zone": "us-east-1c",
+    "instance.id": "i-4e123456",
+    "machine.type": "t2.medium",
+    "image.id": "ami-abcd1234",
+    "provider": "aws",
+    "region": "us-east-1"
+  }
+}
+```
+
+If the EC2 instance has IMDS enabled and if tags are allowed through IMDS endpoint, the processor will further append tags in metadata. Please refer official documentation on [IMDS endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) for further details.
+
+```json
+{
+  "aws": {
+    "tags": {
+      "org" : "myOrg",
+      "owner": "userID"
+    }
+  }
+}
+```
+
+*Digital Ocean*
+
+```json
+{
+  "cloud": {
+    "instance.id": "1234567",
+    "provider": "digitalocean",
+    "region": "nyc2"
+  }
+}
+```
+
+*GCP*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "us-east1-b",
+    "instance.id": "1234556778987654321",
+    "machine.type": "f1-micro",
+    "project.id": "my-dev",
+    "provider": "gcp"
+  }
+}
+```
+
+*Tencent Cloud*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "gz-azone2",
+    "instance.id": "ins-qcloudv5",
+    "provider": "qcloud",
+    "region": "china-south-gz"
+  }
+}
+```
+
+*Alibaba Cloud*
+
+This metadata is only available when VPC is selected as the network type of the ECS instance.
+
+```json
+{
+  "cloud": {
+    "availability_zone": "cn-shenzhen",
+    "instance.id": "i-wz9g2hqiikg0aliyun2b",
+    "provider": "ecs",
+    "region": "cn-shenzhen-a"
+  }
+}
+```
+
+*Azure Virtual Machine*
+
+```json
+{
+  "cloud": {
+    "provider": "azure",
+    "instance.id": "04ab04c3-63de-4709-a9f9-9ab8c0411d5e",
+    "instance.name": "test-az-vm",
+    "machine.type": "Standard_D3_v2",
+    "region": "eastus2"
+  }
+}
+```
+
+*Openstack Nova*
+
+```json
+{
+  "cloud": {
+    "instance.name": "test-998d932195.mycloud.tld",
+    "instance.id": "i-00011a84",
+    "availability_zone": "xxxx-az-c",
+    "provider": "openstack",
+    "machine.type": "m2.large"
+  }
+}
+```
+
+*Hetzner Cloud*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "hel1-dc2",
+    "instance.name": "my-hetzner-instance",
+    "instance.id": "111111",
+    "provider": "hetzner",
+    "region": "eu-central"
+  }
+}
+```
+
diff --git a/docs/reference/metricbeat/add-cloudfoundry-metadata.md b/docs/reference/metricbeat/add-cloudfoundry-metadata.md
new file mode 100644
index 000000000000..cd439e861ca0
--- /dev/null
+++ b/docs/reference/metricbeat/add-cloudfoundry-metadata.md
@@ -0,0 +1,70 @@
+---
+navigation_title: "add_cloudfoundry_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/add-cloudfoundry-metadata.html
+---
+
+# Add Cloud Foundry metadata [add-cloudfoundry-metadata]
+
+
+The `add_cloudfoundry_metadata` processor annotates each event with relevant metadata from Cloud Foundry applications. The events are annotated with Cloud Foundry metadata, only if the event contains a reference to a Cloud Foundry application (using field `cloudfoundry.app.id`) and the configured Cloud Foundry client is able to retrieve information for the application.
+
+Each event is annotated with:
+
+* Application Name
+* Space ID
+* Space Name
+* Organization ID
+* Organization Name
+
+::::{note}
+Pivotal Application Service and Tanzu Application Service include this metadata in all events from the firehose since version 2.8. In these cases the metadata in the events is used, and `add_cloudfoundry_metadata` processor doesn’t modify these fields.
+::::
+
+
+For efficient annotation, application metadata retrieved by the Cloud Foundry client is stored in a persistent cache on the filesystem under the `path.data` directory. This is done so the metadata can persist across restarts of Metricbeat. For control over this cache, use the `cache_duration` and `cache_retry_delay` settings.
+
+```yaml
+processors:
+  - add_cloudfoundry_metadata:
+      api_address: https://api.dev.cfdev.sh
+      client_id: uaa-filebeat
+      client_secret: verysecret
+      ssl:
+        verification_mode: none
+      # To connect to Cloud Foundry over verified TLS you can specify a client and CA certificate.
+      #ssl:
+      #  certificate_authorities: ["/etc/pki/cf/ca.pem"]
+      #  certificate:              "/etc/pki/cf/cert.pem"
+      #  key:                      "/etc/pki/cf/cert.key"
+```
+
+It has the following settings:
+
+`api_address`
+:   (Optional) The URL of the Cloud Foundry API. It uses `http://api.bosh-lite.com` by default.
+
+`doppler_address`
+:   (Optional) The URL of the Cloud Foundry Doppler Websocket. It uses value from ${api_address}/v2/info by default.
+
+`uaa_address`
+:   (Optional) The URL of the Cloud Foundry UAA API. It uses value from ${api_address}/v2/info by default.
+
+`rlp_address`
+:   (Optional) The URL of the Cloud Foundry RLP Gateway. It uses value from ${api_address}/v2/info by default.
+
+`client_id`
+:   Client ID to authenticate with Cloud Foundry.
+
+`client_secret`
+:   Client Secret to authenticate with Cloud Foundry.
+
+`cache_duration`
+:   (Optional) Maximum amount of time to cache an application’s metadata. Defaults to 120 seconds.
+
+`cache_retry_delay`
+:   (Optional) Time to wait before trying to obtain an application’s metadata again in case of error. Defaults to 20 seconds.
+
+`ssl`
+:   (Optional) SSL configuration to use when connecting to Cloud Foundry.
+
diff --git a/docs/reference/metricbeat/add-docker-metadata.md b/docs/reference/metricbeat/add-docker-metadata.md
new file mode 100644
index 000000000000..ea5bfb9bf372
--- /dev/null
+++ b/docs/reference/metricbeat/add-docker-metadata.md
@@ -0,0 +1,80 @@
+---
+navigation_title: "add_docker_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/add-docker-metadata.html
+---
+
+# Add Docker metadata [add-docker-metadata]
+
+
+The `add_docker_metadata` processor annotates each event with relevant metadata from Docker containers. At startup it detects a docker environment and caches the metadata. The events are annotated with Docker metadata, only if a valid configuration is detected and the processor is able to reach Docker API.
+
+Each event is annotated with:
+
+* Container ID
+* Name
+* Image
+* Labels
+
+::::{note}
+When running Metricbeat in a container, you need to provide access to Docker’s unix socket in order for the `add_docker_metadata` processor to work. You can do this by mounting the socket inside the container. For example:
+
+`docker run -v /var/run/docker.sock:/var/run/docker.sock ...`
+
+To avoid privilege issues, you may also need to add `--user=root` to the `docker run` flags. Because the user must be part of the docker group in order to access `/var/run/docker.sock`, root access is required if Metricbeat is running as non-root inside the container.
+
+If Docker daemon is restarted the mounted socket will become invalid and metadata will stop working, in these situations there are two options:
+
+* Restart Metricbeat every time Docker is restarted
+* Mount the entire `/var/run` directory (instead of just the socket)
+
+::::
+
+
+```yaml
+processors:
+  - add_docker_metadata:
+      host: "unix:///var/run/docker.sock"
+      #match_fields: ["system.process.cgroup.id"]
+      #match_pids: ["process.pid", "process.parent.pid"]
+      #match_source: true
+      #match_source_index: 4
+      #match_short_id: true
+      #cleanup_timeout: 60
+      #labels.dedot: false
+      # To connect to Docker over TLS you must specify a client and CA certificate.
+      #ssl:
+      #  certificate_authority: "/etc/pki/root/ca.pem"
+      #  certificate:           "/etc/pki/client/cert.pem"
+      #  key:                   "/etc/pki/client/cert.key"
+```
+
+It has the following settings:
+
+`host`
+:   (Optional) Docker socket (UNIX or TCP socket). It uses `unix:///var/run/docker.sock` by default.
+
+`ssl`
+:   (Optional) SSL configuration to use when connecting to the Docker socket.
+
+`match_fields`
+:   (Optional) A list of fields to match a container ID, at least one of them should hold a container ID to get the event enriched.
+
+`match_pids`
+:   (Optional) A list of fields that contain process IDs. If the process is running in Docker then the event will be enriched. The default value is `["process.pid", "process.parent.pid"]`.
+
+`match_source`
+:   (Optional) Match container ID from a log path present in the `log.file.path` field. Enabled by default.
+
+`match_short_id`
+:   (Optional) Match container short ID from a log path present in the `log.file.path` field. Disabled by default. This allows to match directories names that have the first 12 characters of the container ID. For example, `/var/log/containers/b7e3460e2b21/*.log`.
+
+`match_source_index`
+:   (Optional) Index in the source path split by `/` to look for container ID. It defaults to 4 to match `/var/lib/docker/containers/<container_id>/*.log`
+
+`cleanup_timeout`
+:   (Optional) Time of inactivity to consider we can clean and forget metadata for a container, 60s by default.
+
+`labels.dedot`
+:   (Optional) Default to be false. If set to true, replace dots in labels with `_`.
+
diff --git a/docs/reference/metricbeat/add-fields.md b/docs/reference/metricbeat/add-fields.md
new file mode 100644
index 000000000000..049a60884617
--- /dev/null
+++ b/docs/reference/metricbeat/add-fields.md
@@ -0,0 +1,51 @@
+---
+navigation_title: "add_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/add-fields.html
+---
+
+# Add fields [add-fields]
+
+
+The `add_fields` processor adds additional fields to the event.  Fields can be scalar values, arrays, dictionaries, or any nested combination of these. The `add_fields` processor will overwrite the target field if it already exists. By default the fields that you specify will be grouped under the `fields` sub-dictionary in the event. To group the fields under a different sub-dictionary, use the `target` setting. To store the fields as top-level fields, set `target: ''`.
+
+`target`
+:   (Optional) Sub-dictionary to put all fields into. Defaults to `fields`. Setting this to `@metadata` will add values to the event metadata instead of fields.
+
+`fields`
+:   Fields to be added.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_fields:
+      target: project
+      fields:
+        name: myproject
+        id: '574734885120952459'
+```
+
+Adds these fields to any event:
+
+```json
+{
+  "project": {
+    "name": "myproject",
+    "id": "574734885120952459"
+  }
+}
+```
+
+This configuration will alter the event metadata:
+
+```yaml
+processors:
+  - add_fields:
+      target: '@metadata'
+      fields:
+        op_type: "index"
+```
+
+When the event is ingested (e.g. by Elastisearch) the document will have `op_type: "index"` set as a metadata field.
+
diff --git a/docs/reference/metricbeat/add-host-metadata.md b/docs/reference/metricbeat/add-host-metadata.md
new file mode 100644
index 000000000000..aae4044acb15
--- /dev/null
+++ b/docs/reference/metricbeat/add-host-metadata.md
@@ -0,0 +1,92 @@
+---
+navigation_title: "add_host_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/add-host-metadata.html
+---
+
+# Add Host metadata [add-host-metadata]
+
+
+```yaml
+processors:
+  - add_host_metadata:
+      cache.ttl: 5m
+      geo:
+        name: nyc-dc1-rack1
+        location: 40.7128, -74.0060
+        continent_name: North America
+        country_iso_code: US
+        region_name: New York
+        region_iso_code: NY
+        city_name: New York
+```
+
+It has the following settings:
+
+`netinfo.enabled`
+:   (Optional) Default true. Include IP addresses and MAC addresses as fields host.ip and host.mac
+
+`cache.ttl`
+:   (Optional) The processor uses an internal cache for the host metadata. This sets the cache expiration time. The default is 5m, negative values disable caching altogether.
+
+`geo.name`
+:   (Optional) User definable token to be used for identifying a discrete location. Frequently a datacenter, rack, or similar.
+
+`geo.location`
+:   (Optional) Longitude and latitude in comma separated format.
+
+`geo.continent_name`
+:   (Optional) Name of the continent.
+
+`geo.country_name`
+:   (Optional) Name of the country.
+
+`geo.region_name`
+:   (Optional) Name of the region.
+
+`geo.city_name`
+:   (Optional) Name of the city.
+
+`geo.country_iso_code`
+:   (Optional) ISO country code.
+
+`geo.region_iso_code`
+:   (Optional) ISO region code.
+
+`replace_fields`
+:   (Optional) Default true. If set to false, original host fields from the event will not be replaced by host fields from `add_host_metadata`.
+
+The `add_host_metadata` processor annotates each event with relevant metadata from the host machine. The fields added to the event look like the following:
+
+```json
+{
+   "host":{
+      "architecture":"x86_64",
+      "name":"example-host",
+      "id":"",
+      "os":{
+         "family":"darwin",
+         "type":"macos",
+         "build":"16G1212",
+         "platform":"darwin",
+         "version":"10.12.6",
+         "kernel":"16.7.0",
+         "name":"Mac OS X"
+      },
+      "ip": ["192.168.0.1", "10.0.0.1"],
+      "mac": ["00:25:96:12:34:56", "72:00:06:ff:79:f1"],
+      "geo": {
+          "continent_name": "North America",
+          "country_iso_code": "US",
+          "region_name": "New York",
+          "region_iso_code": "NY",
+          "city_name": "New York",
+          "name": "nyc-dc1-rack1",
+          "location": "40.7128, -74.0060"
+        }
+   }
+}
+```
+
+Note: `add_host_metadata` processor will overwrite host fields if `host.*` fields already exist in the event from Beats by default with `replace_fields` equals to `true`. Please use `add_observer_metadata` if the beat is being used to monitor external systems.
+
diff --git a/docs/reference/metricbeat/add-id.md b/docs/reference/metricbeat/add-id.md
new file mode 100644
index 000000000000..93993db950da
--- /dev/null
+++ b/docs/reference/metricbeat/add-id.md
@@ -0,0 +1,24 @@
+---
+navigation_title: "add_id"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/add-id.html
+---
+
+# Generate an ID for an event [add-id]
+
+
+The `add_id` processor generates a unique ID for an event.
+
+```yaml
+processors:
+  - add_id: ~
+```
+
+The following settings are supported:
+
+`target_field`
+:   (Optional) Field where the generated ID will be stored. Default is `@metadata._id`.
+
+`type`
+:   (Optional) Type of ID to generate. Currently only `elasticsearch` is supported and is the default. The `elasticsearch` type generates IDs using the same algorithm that Elasticsearch uses for auto-generating document IDs.
+
diff --git a/docs/reference/metricbeat/add-kubernetes-metadata.md b/docs/reference/metricbeat/add-kubernetes-metadata.md
new file mode 100644
index 000000000000..3b9dad7a6628
--- /dev/null
+++ b/docs/reference/metricbeat/add-kubernetes-metadata.md
@@ -0,0 +1,241 @@
+---
+navigation_title: "add_kubernetes_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/add-kubernetes-metadata.html
+---
+
+# Add Kubernetes metadata [add-kubernetes-metadata]
+
+
+The `add_kubernetes_metadata` processor annotates each event with relevant metadata based on which Kubernetes pod the event originated from. This processor only adds metadata to the events that do not have it yet present.
+
+At startup, it detects an `in_cluster` environment and caches the Kubernetes-related metadata. Events are only annotated if a valid configuration is detected. If it’s not able to detect a valid Kubernetes configuration, the events are not annotated with Kubernetes-related metadata.
+
+Each event is annotated with:
+
+* Pod Name
+* Pod UID
+* Namespace
+* Labels
+
+In addition, the node and namespace metadata are added to the pod metadata.
+
+The `add_kubernetes_metadata` processor has two basic building blocks:
+
+* Indexers
+* Matchers
+
+Indexers use pod metadata to create unique identifiers for each one of the pods. These identifiers help to correlate the metadata of the observed pods with actual events. For example, the `ip_port` indexer can take a Kubernetes pod and create identifiers for it based on all its `pod_ip:container_port` combinations.
+
+Matchers use information in events to construct lookup keys that match the identifiers created by the indexers. For example, when the `fields` matcher takes `["metricset.host"]` as a lookup field, it would construct a lookup key with the value of the field `metricset.host`. When one of these lookup keys matches with one of the identifiers, the event is enriched with the metadata of the identified pod.
+
+When `add_kubernetes_metadata` is used with Metricbeat, it uses the `ip_port` indexer and the `fields` matcher with the `metricset.host` field. So events that contain a `metricset.host` field are enriched with metadata of the pods that exposes the same port in the same IP.
+
+This behaviour can be disabled by disabling default indexers and matchers in the configuration:
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      default_indexers.enabled: false
+      default_matchers.enabled: false
+```
+
+You can find more information about the available indexers and matchers, and some examples in [Indexers and matchers](#kubernetes-indexers-and-matchers).
+
+The configuration below enables the processor when metricbeat is run as a pod in Kubernetes.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The configuration below enables the processor on a Beat running as a process on the Kubernetes node.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      host: <hostname>
+      # If kube_config is not set, KUBECONFIG environment variable will be checked
+      # and if not present it will fall back to InCluster
+      kube_config: $Metricbeat Reference/.kube/config
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The configuration below has the default indexers and matchers disabled and enables ones that the user is interested in.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      host: <hostname>
+      # If kube_config is not set, KUBECONFIG environment variable will be checked
+      # and if not present it will fall back to InCluster
+      kube_config: ~/.kube/config
+      default_indexers.enabled: false
+      default_matchers.enabled: false
+      indexers:
+        - ip_port:
+      matchers:
+        - fields:
+            lookup_fields: ["metricset.host"]
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The `add_kubernetes_metadata` processor has the following configuration settings:
+
+`host`
+:   (Optional) Specify the node to scope metricbeat to in case it cannot be accurately detected, as when running metricbeat in host network mode.
+
+`scope`
+:   (Optional) Specify if the processor should have visibility at the node level or at the entire cluster level. Possible values are `node` and `cluster`. Scope is `node` by default.
+
+`namespace`
+:   (Optional) Select the namespace from which to collect the metadata. If it is not set, the processor collects metadata from all namespaces. It is unset by default.
+
+`add_resource_metadata`
+:   (Optional) Specify filters and configuration for the extra metadata, that will be added to the event. Configuration parameters:
+
+    * `node` or `namespace`: Specify labels and annotations filters for the extra metadata coming from node and namespace. By default all labels are included while annotations are not. To change default behaviour `include_labels`, `exclude_labels` and `include_annotations` can be defined. Those settings are useful when storing labels and annotations that require special handling to avoid overloading the storage output. Note: wildcards are not supported for those settings. The enrichment of `node` or `namespace` metadata can be individually disabled by setting `enabled: false`.
+    * `deployment`: If resource is `pod` and it is created from a `deployment`, by default the deployment name is added, this can be disabled by setting `deployment: false`.
+    * `cronjob`: If resource is `pod` and it is created from a `cronjob`, by default the cronjob name is added, this can be disabled by setting `cronjob: false`.
+
+        Example:
+
+
+```yaml
+      add_resource_metadata:
+        namespace:
+          include_labels: ["namespacelabel1"]
+          #labels.dedot: true
+          #annotations.dedot: true
+        node:
+          include_labels: ["nodelabel2"]
+          include_annotations: ["nodeannotation1"]
+          #labels.dedot: true
+          #annotations.dedot: true
+        deployment: false
+        cronjob: false
+```
+
+`kube_config`
+:   (Optional) Use given config file as configuration for Kubernetes client. It defaults to `KUBECONFIG` environment variable if present.
+
+`use_kubeadm`
+:   (Optional) Default true. By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+
+`kube_client_options`
+:   (Optional) Additional options can be configured for Kubernetes client. Currently client QPS and burst are supported, if not set Kubernetes client’s [default QPS and burst](https://pkg.go.dev/k8s.io/client-go/rest#pkg-constants) will be used. Example:
+
+```yaml
+      kube_client_options:
+        qps: 5
+        burst: 10
+```
+
+`cleanup_timeout`
+:   (Optional) Specify the time of inactivity before stopping the running configuration for a container. This is `60s` by default.
+
+`sync_period`
+:   (Optional) Specify the timeout for listing historical resources.
+
+`default_indexers.enabled`
+:   (Optional) Enable or disable default pod indexers when you want to specify your own.
+
+`default_matchers.enabled`
+:   (Optional) Enable or disable default pod matchers when you want to specify your own.
+
+`labels.dedot`
+:   (Optional) Default to be true. If set to true, then `.` in labels will be replaced with `_`.
+
+`annotations.dedot`
+:   (Optional) Default to be true. If set to true, then `.` in labels will be replaced with `_`.
+
+
+## Indexers and matchers [kubernetes-indexers-and-matchers]
+
+## Indexers [_indexers]
+
+Indexers use pods metadata to create unique identifiers for each one of the pods.
+
+Available indexers are:
+
+`container`
+:   Identifies the pod metadata using the IDs of its containers.
+
+`ip_port`
+:   Identifies the pod metadata using combinations of its IP and its exposed ports. When using this indexer metadata is identified using the IP of the pods, and the combination if `ip:port` for each one of the ports exposed by its containers.
+
+`pod_name`
+:   Identifies the pod metadata using its namespace and its name as `namespace/pod_name`.
+
+`pod_uid`
+:   Identifies the pod metadata using the UID of the pod.
+
+
+## Matchers [_matchers]
+
+Matchers are used to construct the lookup keys that match with the identifiers created by indexes.
+
+### `field_format` [_field_format]
+
+Looks up pod metadata using a key created with a string format that can include event fields.
+
+This matcher has an option `format` to define the string format. This string format can contain placeholders for any field in the event.
+
+For example, the following configuration uses the `ip_port` indexer to identify the pod metadata by combinations of the pod IP and its exposed ports, and uses the destination IP and port in events as match keys:
+
+```yaml
+processors:
+- add_kubernetes_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - ip_port:
+    matchers:
+      - field_format:
+          format: '%{[destination.ip]}:%{[destination.port]}'
+```
+
+
+### `fields` [_fields_2]
+
+Looks up pod metadata using as key the value of some specific fields. When multiple fields are defined, the first one included in the event is used.
+
+This matcher has an option `lookup_fields` to define the files whose value will be used for lookup.
+
+For example, the following configuration uses the `ip_port` indexer to identify pods, and defines a matcher that uses the destination IP or the server IP for the lookup, the first it finds in the event:
+
+```yaml
+processors:
+- add_kubernetes_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - ip_port:
+    matchers:
+      - fields:
+          lookup_fields: ['destination.ip', 'server.ip']
+```
+
+It’s also possible to extract the matching key from fields using a regex pattern. The optional `regex_pattern` field can be used to set the pattern. The pattern **must** contain a capture group named `key`, whose value will be used as the matching key.
+
+For example, the following configuration uses the `container` indexer to identify containers by their id, and extracts the matching key from the cgroup id field added to system process metrics. This field has the form `cri-containerd-<id>.scope`, so we need a regex pattern to obtain the container id.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      indexers:
+        - container:
+      matchers:
+        - fields:
+            lookup_fields: ['system.process.cgroup.id']
+            regex_pattern: 'cri-containerd-(?P<key>[0-9a-z]+)\.scope'
+```
+
+
+
diff --git a/docs/reference/metricbeat/add-labels.md b/docs/reference/metricbeat/add-labels.md
new file mode 100644
index 000000000000..72a9ffd0d583
--- /dev/null
+++ b/docs/reference/metricbeat/add-labels.md
@@ -0,0 +1,45 @@
+---
+navigation_title: "add_labels"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/add-labels.html
+---
+
+# Add labels [add-labels]
+
+
+The `add_labels` processors adds a set of key-value pairs to an event. The processor will flatten nested configuration objects like arrays or dictionaries into a fully qualified name by merging nested names with a `.`. Array entries create numeric names starting with 0.  Labels are always stored under the Elastic Common Schema compliant `labels` sub-dictionary.
+
+`labels`
+:   dictionaries of labels to be added.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_labels:
+      labels:
+        number: 1
+        with.dots: test
+        nested:
+          with.dots: nested
+        array:
+          - do
+          - re
+          - with.field: mi
+```
+
+Adds these fields to every event:
+
+```json
+{
+  "labels": {
+    "number": 1,
+    "with.dots": "test",
+    "nested.with.dots": "nested",
+    "array.0": "do",
+    "array.1": "re",
+    "array.2.with.field": "mi"
+  }
+}
+```
+
diff --git a/docs/reference/metricbeat/add-locale.md b/docs/reference/metricbeat/add-locale.md
new file mode 100644
index 000000000000..50d805334c05
--- /dev/null
+++ b/docs/reference/metricbeat/add-locale.md
@@ -0,0 +1,31 @@
+---
+navigation_title: "add_locale"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/add-locale.html
+---
+
+# Add the local time zone [add-locale]
+
+
+The `add_locale` processor enriches each event with the machine’s time zone offset from UTC or with the name of the time zone. It supports one configuration option named `format` that controls whether an offset or time zone abbreviation is added to the event. The default format is `offset`. The processor adds the a `event.timezone` value to each event.
+
+The configuration below enables the processor with the default settings.
+
+```yaml
+processors:
+  - add_locale: ~
+```
+
+This configuration enables the processor and configures it to add the time zone abbreviation to events.
+
+```yaml
+processors:
+  - add_locale:
+      format: abbreviation
+```
+
+::::{note}
+Please note that `add_locale` differentiates between daylight savings time (DST) and regular time. For example `CEST` indicates DST and and `CET` is regular time.
+::::
+
+
diff --git a/docs/reference/metricbeat/add-network-direction.md b/docs/reference/metricbeat/add-network-direction.md
new file mode 100644
index 000000000000..fb803c0cc881
--- /dev/null
+++ b/docs/reference/metricbeat/add-network-direction.md
@@ -0,0 +1,22 @@
+---
+navigation_title: "add_network_direction"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/add-network-direction.html
+---
+
+# Add network direction [add-network-direction]
+
+
+The `add_network_direction` processor attempts to compute the perimeter-based network direction given an a source and destination ip address and list of internal networks. The key `internal_networks` can contain either CIDR blocks or a list of special values enumerated in the network section of [Conditions](/reference/metricbeat/defining-processors.md#conditions).
+
+```yaml
+processors:
+  - add_network_direction:
+      source: source.ip
+      destination: destination.ip
+      target: network.direction
+      internal_networks: [ private ]
+```
+
+See [Conditions](/reference/metricbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/metricbeat/add-nomad-metadata.md b/docs/reference/metricbeat/add-nomad-metadata.md
new file mode 100644
index 000000000000..636734ba50d1
--- /dev/null
+++ b/docs/reference/metricbeat/add-nomad-metadata.md
@@ -0,0 +1,137 @@
+---
+navigation_title: "add_nomad_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/add-nomad-metadata.html
+---
+
+# Add Nomad metadata [add-nomad-metadata]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `add_nomad_metadata` processor adds fields with relevant metadata for applications deployed in Nomad.
+
+Each event is annotated with the following information:
+
+* Allocation name, identifier and status.
+* Job name and type.
+* Namespace where the job is deployed.
+* Datacenter and region where the agent running the allocation is located.
+
+```yaml
+processors:
+  - add_nomad_metadata: ~
+```
+
+It has the following settings to configure the connection:
+
+`address`
+:   (Optional) The URL of the agent API used to request the metadata. It uses `http://127.0.0.1:4646` by default.
+
+`namespace`
+:   (Optional) Namespace to watch. If set, only events for allocations in this namespace will be annotated.
+
+`region`
+:   (Optional) Region to watch. If set, only events for allocations in this region will be annotated.
+
+`secret_id`
+:   (Optional) SecretID to use when connecting with the agent API. This is an example ACL policy to apply to the token.
+
+```json
+namespace "*" {
+  policy = "read"
+}
+node {
+  policy = "read"
+}
+agent {
+  policy = "read"
+}
+```
+
+`refresh_interval`
+:   (Optional) Interval used to update the cached metadata. It defaults to 30 seconds.
+
+`cleanup_timeout`
+:   (Optional) After an allocation has been removed, time to wait before cleaning up their associated resources. This is useful if you expect to receive events after an allocation has been removed, which can happen when collecting logs. It defaults to 60 seconds.
+
+You can decide if Metricbeat should annotate events related to allocations in local node or on the whole cluster configuring the scope with the following settings:
+
+`scope`
+:   (Optional) Scope of the resources to watch. It can be `node` to get metadata only for the allocations in a single agent, or `global`, to get metadata for allocations running on any agent. It defaults to `node`.
+
+`node`
+:   (Optional) When using `scope: node`, use `node` to specify the name of the local node if it cannot be discovered automatically.
+
+For example the following configuration could be used if Metricbeat is collecting events from all the allocations in the cluster:
+
+```yaml
+processors:
+  - add_nomad_metadata:
+      scope: global
+```
+
+## Indexers and matchers [_indexers_and_matchers]
+
+Indexers and matchers are used to correlate fields in events with actual metadata. Metricbeat uses this information to know what metadata to include in each event.
+
+### Indexers [_indexers_2]
+
+Indexers use allocation metadata to create unique identifiers for each one of the pods.
+
+Avaliable indexers are: `allocation_name`:: Identifies allocations by its name and namespace (as `<namespace>/<name>`) `allocation_uuid`:: Identifies allocations by its unique identifier.
+
+
+### Matchers [_matchers_2]
+
+Matchers are used to construct the lookup keys that match with the identifiers created by indexes.
+
+
+### `field_format` [_field_format_2]
+
+Looks up allocation metadata using a key created with a string format that can include event fields.
+
+This matcher has an option `format` to define the string format. This string format can contain placeholders for any field in the event.
+
+For example, the following configuration uses the `allocation_name` indexer to identify the allocation metadata by its name and namespace, and uses custom fields existing in the event as match keys:
+
+```yaml
+processors:
+- add_nomad_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - allocation_name:
+    matchers:
+      - field_format:
+          format: '%{[labels.nomad_namespace]}/%{[fields.nomad_alloc_name]}'
+```
+
+
+### `fields` [_fields_3]
+
+Looks up allocation metadata using as key the value of some specific fields. When multiple fields are defined, the first one included in the event is used.
+
+This matcher has an option `lookup_fields` to define the fields whose value will be used for lookup.
+
+For example, the following configuration uses the `allocation_uuid` indexer to identify allocations, and defines a matcher that uses some fields where the allocation UUID can be found for lookup, the first it finds in the event:
+
+```yaml
+processors:
+- add_nomad_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - allocation_uuid:
+    matchers:
+      - fields:
+          lookup_fields: ['host.name', 'fields.nomad_alloc_uuid']
+```
+
+
+
diff --git a/docs/reference/metricbeat/add-observer-metadata.md b/docs/reference/metricbeat/add-observer-metadata.md
new file mode 100644
index 000000000000..a9244d28f07a
--- /dev/null
+++ b/docs/reference/metricbeat/add-observer-metadata.md
@@ -0,0 +1,88 @@
+---
+navigation_title: "add_observer_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/add-observer-metadata.html
+---
+
+# Add Observer metadata [add-observer-metadata]
+
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+```yaml
+processors:
+  - add_observer_metadata:
+      cache.ttl: 5m
+      geo:
+        name: nyc-dc1-rack1
+        location: 40.7128, -74.0060
+        continent_name: North America
+        country_iso_code: US
+        region_name: New York
+        region_iso_code: NY
+        city_name: New York
+```
+
+It has the following settings:
+
+`netinfo.enabled`
+:   (Optional) Default true. Include IP addresses and MAC addresses as fields observer.ip and observer.mac
+
+`cache.ttl`
+:   (Optional) The processor uses an internal cache for the observer metadata. This sets the cache expiration time. The default is 5m, negative values disable caching altogether.
+
+`geo.name`
+:   (Optional) User definable token to be used for identifying a discrete location. Frequently a datacenter, rack, or similar.
+
+`geo.location`
+:   (Optional) Longitude and latitude in comma separated format.
+
+`geo.continent_name`
+:   (Optional) Name of the continent.
+
+`geo.country_name`
+:   (Optional) Name of the country.
+
+`geo.region_name`
+:   (Optional) Name of the region.
+
+`geo.city_name`
+:   (Optional) Name of the city.
+
+`geo.country_iso_code`
+:   (Optional) ISO country code.
+
+`geo.region_iso_code`
+:   (Optional) ISO region code.
+
+The `add_observer_metadata` processor annotates each event with relevant metadata from the observer machine. The fields added to the event look like the following:
+
+```json
+{
+  "observer" : {
+    "hostname" : "avce",
+    "type" : "heartbeat",
+    "vendor" : "elastic",
+    "ip" : [
+      "192.168.1.251",
+      "fe80::64b2:c3ff:fe5b:b974",
+    ],
+    "mac" : [
+      "dc:c1:02:6f:1b:ed",
+    ],
+    "geo": {
+      "continent_name": "North America",
+      "country_iso_code": "US",
+      "region_name": "New York",
+      "region_iso_code": "NY",
+      "city_name": "New York",
+      "name": "nyc-dc1-rack1",
+      "location": "40.7128, -74.0060"
+    }
+  }
+}
+```
+
diff --git a/docs/reference/metricbeat/add-process-metadata.md b/docs/reference/metricbeat/add-process-metadata.md
new file mode 100644
index 000000000000..1d8776645dcd
--- /dev/null
+++ b/docs/reference/metricbeat/add-process-metadata.md
@@ -0,0 +1,94 @@
+---
+navigation_title: "add_process_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/add-process-metadata.html
+---
+
+# Add process metadata [add-process-metadata]
+
+
+The `add_process_metadata` processor enriches events with information from running processes, identified by their process ID (PID).
+
+```yaml
+processors:
+  - add_process_metadata:
+      match_pids:
+        - process.pid
+```
+
+The fields added to the event look as follows:
+
+```json
+{
+  "container": {
+    "id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1"
+  },
+  "process": {
+    "args": [
+      "/usr/lib/systemd/systemd",
+      "--switched-root",
+      "--system",
+      "--deserialize",
+      "22"
+    ],
+    "executable": "/usr/lib/systemd/systemd",
+    "name": "systemd",
+    "owner": {
+      "id": "0",
+      "name": "root"
+    },
+    "parent": {
+      "pid": 0
+    },
+    "pid": 1,
+    "start_time": "2018-08-22T08:44:50.684Z",
+    "title": "/usr/lib/systemd/systemd --switched-root --system --deserialize 22"
+  }
+}
+```
+
+Optionally, the process environment can be included, too:
+
+```json
+  ...
+  "env": {
+    "HOME":       "/",
+    "TERM":       "linux",
+    "BOOT_IMAGE": "/boot/vmlinuz-4.11.8-300.fc26.x86_64",
+    "LANG":       "en_US.UTF-8",
+  }
+  ...
+```
+
+It has the following settings:
+
+`match_pids`
+:   List of fields to lookup for a PID. The processor will search the list sequentially until the field is found in the current event, and the PID lookup will be applied to the value of this field.
+
+`target`
+:   (Optional) Destination prefix where the `process` object will be created. The default is the event’s root.
+
+`include_fields`
+:   (Optional) List of fields to add. By default, the processor will add all the available fields except `process.env`.
+
+`ignore_missing`
+:   (Optional) When set to `false`, events that don’t contain any of the fields in match_pids will be discarded and an error will be generated. By default, this condition is ignored.
+
+`overwrite_keys`
+:   (Optional) By default, if a target field already exists, it will not be overwritten, and an error will be logged. If `overwrite_keys` is set to `true`, this condition will be ignored.
+
+`restricted_fields`
+:   (Optional) By default, the `process.env` field is not output, to avoid leaking sensitive data. If `restricted_fields` is `true`, the field will be present in the output.
+
+`host_path`
+:   (Optional) By default, the `host_path` field is set to the root directory of the host `/`. This is the path where `/proc` is mounted. For different runtime configurations of Kubernetes or Docker, the `host_path` can be set to overwrite the default.
+
+`cgroup_prefixes`
+:   (Optional) List of prefixes that will be matched against cgroup paths. When a cgroup path begins with a prefix in the list, then the last element of the path is returned as the container ID. Only one of `cgroup_prefixes` and `cgroup_rexex` should be configured. If neither are configured then a default `cgroup_regex` value is used that matches cgroup paths containing 64-character container IDs (like those from Docker, Kubernetes, and Podman).
+
+`cgroup_regex`
+:   (Optional) A regular expression that will be matched against cgroup paths. It must contain one capturing group. When a cgroup path matches the regular expression then the value of the capturing group is returned as the container ID.  Only one of `cgroup_prefixes` and `cgroup_rexex` should be configured. If neither are configured then a default `cgroup_regex` value is used that matches cgroup paths containing 64-character container IDs (like those from Docker, Kubernetes, and Podman).
+
+`cgroup_cache_expire_time`
+:   (Optional) By default, the `cgroup_cache_expire_time` is set to 30 seconds. This is the length of time before cgroup cache elements expire in seconds. It can be set to 0 to disable the cgroup cache. In some container runtimes technology like runc, the container’s process is also process in the host kernel, and will be affected by PID rollover/reuse. The expire time needs to set smaller than the PIDs wrap around time to avoid wrong container id.
+
diff --git a/docs/reference/metricbeat/add-tags.md b/docs/reference/metricbeat/add-tags.md
new file mode 100644
index 000000000000..b2c7b89effb7
--- /dev/null
+++ b/docs/reference/metricbeat/add-tags.md
@@ -0,0 +1,34 @@
+---
+navigation_title: "add_tags"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/add-tags.html
+---
+
+# Add tags [add-tags]
+
+
+The `add_tags` processor adds tags to a list of tags. If the target field already exists, the tags are appended to the existing list of tags.
+
+`tags`
+:   List of tags to add.
+
+`target`
+:   (Optional) Field the tags will be added to. Defaults to `tags`. Setting tags in `@metadata` is not supported.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_tags:
+      tags: [web, production]
+      target: "environment"
+```
+
+Adds the environment field to every event:
+
+```json
+{
+  "environment": ["web", "production"]
+}
+```
+
diff --git a/docs/reference/metricbeat/append.md b/docs/reference/metricbeat/append.md
new file mode 100644
index 000000000000..7168064f1ab8
--- /dev/null
+++ b/docs/reference/metricbeat/append.md
@@ -0,0 +1,73 @@
+---
+navigation_title: "append"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/append.html
+---
+
+# Append Processor [append]
+
+
+The `append` processor appends one or more values to an existing array if the target field already exists and it is an array. Converts a scaler to an array and appends one or more values to it if the field exists and it is a scaler. Here the values can either be one or more static values or one or more values from the fields listed under *fields* key.
+
+`target_field`
+:   The field in which you want to append the data.
+
+`fields`
+:   (Optional) List of fields from which you want to copy data from. If the value is of a concrete type it will be appended directly to the target. However, if the value is an array, all the elements of the array are pushed individually to the target field.
+
+`values`
+:   (Optional) List of static values you want to append to target field.
+
+`ignore_empty_values`
+:   (Optional) If set to `true`, all the `""` and `nil` are omitted from being appended to the target field.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error occurs, the changes are reverted and the original is returned. If set to `false`, processing continues if an error occurs. Default is `true`.
+
+`allow_duplicate`
+:   (Optional) If set to `false`, the processor does not append values already present in the field. The default is `true`, which will append duplicate values in the array.
+
+`ignore_missing`
+:   (Optional) Indicates whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+note: If you want to use `fields` parameter with fields under `message`, make sure you use `decode_json_fields` first with `target: ""`.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - decode_json_fields:
+      fields: message
+      target: ""
+  - append:
+      target_field: target-field
+      fields:
+        - concrete.field
+        - array.one
+      values:
+        - static-value
+        - ""
+      ignore_missing: true
+      fail_on_error: true
+      ignore_empty_values: true
+```
+
+Copies the values of `concrete.field`, `array.one` response fields and the static values to `target-field`:
+
+```json
+{
+  "concrete": {
+    "field": "val0"
+  },
+  "array": {
+      "one": [ "val1", "val2" ]
+  },
+  "target-field": [
+    "val0",
+    "val1",
+    "val2",
+    "static-value"
+  ]
+}
+```
+
diff --git a/docs/reference/metricbeat/bandwidth-throttling.md b/docs/reference/metricbeat/bandwidth-throttling.md
new file mode 100644
index 000000000000..88bddd19c81c
--- /dev/null
+++ b/docs/reference/metricbeat/bandwidth-throttling.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/bandwidth-throttling.html
+---
+
+# Metricbeat uses too much bandwidth [bandwidth-throttling]
+
+If you need to limit bandwidth usage, we recommend that you configure the network stack on your OS to perform bandwidth throttling.
+
+For example, the following Linux commands cap the connection between Metricbeat and Logstash by setting a limit of 50 kbps on TCP connections over port 5044:
+
+```shell
+tc qdisc add dev $DEV root handle 1: htb
+tc class add dev $DEV parent 1:1 classid 1:10 htb rate 50kbps ceil 50kbps
+tc filter add dev $DEV parent 1:0 prio 1 protocol ip handle 10 fw flowid 1:10
+iptables -A OUTPUT -t mangle -p tcp --dport 5044 -j MARK --set-mark 10
+```
+
+Using OS tools to perform bandwidth throttling gives you better control over policies. For example, you can use OS tools to cap bandwidth during the day, but not at night. Or you can leave the bandwidth uncapped, but assign a low priority to the traffic.
+
diff --git a/docs/reference/metricbeat/beats-api-keys.md b/docs/reference/metricbeat/beats-api-keys.md
new file mode 100644
index 000000000000..4f806fa90dd9
--- /dev/null
+++ b/docs/reference/metricbeat/beats-api-keys.md
@@ -0,0 +1,142 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/beats-api-keys.html
+---
+
+# Grant access using API keys [beats-api-keys]
+
+Instead of using usernames and passwords, you can use API keys to grant access to {{es}} resources. You can set API keys to expire at a certain time, and you can explicitly invalidate them. Any user with the `manage_api_key` or `manage_own_api_key` cluster privilege can create API keys.
+
+Metricbeat instances typically send both collected data and monitoring information to {{es}}. If you are sending both to the same cluster, you can use the same API key. For different clusters, you need to use an API key per cluster.
+
+::::{note}
+For security reasons, we recommend using a unique API key per Metricbeat instance. You can create as many API keys per user as necessary.
+::::
+
+
+::::{important}
+Review [*Grant users access to secured resources*](/reference/metricbeat/feature-roles.md) before creating API keys for Metricbeat.
+::::
+
+
+
+## Create an API key for publishing [beats-api-key-publish]
+
+To create an API key to use for writing data to {{es}}, use the [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key), for example:
+
+```console
+POST /_security/api_key
+{
+  "name": "metricbeat_host001", <1>
+  "role_descriptors": {
+    "metricbeat_writer": { <2>
+      "cluster": ["monitor", "read_ilm", "read_pipeline"],
+      "index": [
+        {
+          "names": ["metricbeat-*"],
+          "privileges": ["view_index_metadata", "create_doc", "auto_configure"]
+        }
+      ]
+    }
+  }
+}
+```
+
+1. Name of the API key
+2. Granted privileges, see [*Grant users access to secured resources*](/reference/metricbeat/feature-roles.md)
+
+
+::::{note}
+See [Create a *publishing* user](/reference/metricbeat/privileges-to-publish-events.md) for the list of privileges required to publish events.
+::::
+
+
+The return value will look something like this:
+
+```console-result
+{
+  "id":"TiNAGG4BaaMdaH1tRfuU", <1>
+  "name":"metricbeat_host001",
+  "api_key":"KnR6yE41RrSowb0kQ0HWoA" <2>
+}
+```
+
+1. Unique id for this API key
+2. Generated API key
+
+
+You can now use this API key in your `metricbeat.yml` configuration file like this:
+
+```yaml
+output.elasticsearch:
+  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA <1>
+```
+
+1. Format is `id:api_key` (as returned by [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key))
+
+
+
+## Create an API key for monitoring [beats-api-key-monitor]
+
+To create an API key to use for sending monitoring data to {{es}}, use the [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key), for example:
+
+```console
+POST /_security/api_key
+{
+  "name": "metricbeat_host001", <1>
+  "role_descriptors": {
+    "metricbeat_monitoring": { <2>
+      "cluster": ["monitor"],
+      "index": [
+        {
+          "names": [".monitoring-beats-*"],
+          "privileges": ["create_index", "create"]
+        }
+      ]
+    }
+  }
+}
+```
+
+1. Name of the API key
+2. Granted privileges, see [*Grant users access to secured resources*](/reference/metricbeat/feature-roles.md)
+
+
+::::{note}
+See [Create a *monitoring* user](/reference/metricbeat/privileges-to-publish-monitoring.md) for the list of privileges required to send monitoring data.
+::::
+
+
+The return value will look something like this:
+
+```console-result
+{
+  "id":"TiNAGG4BaaMdaH1tRfuU", <1>
+  "name":"metricbeat_host001",
+  "api_key":"KnR6yE41RrSowb0kQ0HWoA" <2>
+}
+```
+
+1. Unique id for this API key
+2. Generated API key
+
+
+You can now use this API key in your `metricbeat.yml` configuration file like this:
+
+```yaml
+monitoring.elasticsearch:
+  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA <1>
+```
+
+1. Format is `id:api_key` (as returned by [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key))
+
+
+
+## Learn more about API keys [learn-more-api-keys]
+
+See the {{es}} API key documentation for more information:
+
+* [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key)
+* [Get API key information](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-get-api-key)
+* [Invalidate API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-invalidate-api-key)
+
diff --git a/docs/reference/metricbeat/change-index-name.md b/docs/reference/metricbeat/change-index-name.md
new file mode 100644
index 000000000000..1845a0eef892
--- /dev/null
+++ b/docs/reference/metricbeat/change-index-name.md
@@ -0,0 +1,23 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/change-index-name.html
+---
+
+# Change the index name [change-index-name]
+
+Metricbeat uses data streams named `metricbeat-9.0.0-beta1`. To use a different name, set the [`index`](/reference/metricbeat/elasticsearch-output.md#index-option-es) option in the {{es}} output. You also need to configure the `setup.template.name` and `setup.template.pattern` options to match the new name. For example:
+
+```sh
+output.elasticsearch.index: "customname-%{[agent.version]}"
+setup.template.name: "customname-%{[agent.version]}"
+setup.template.pattern: "customname-%{[agent.version]}"
+```
+
+If you’re using pre-built Kibana dashboards, also set the `setup.dashboards.index` option. For example:
+
+```yaml
+setup.dashboards.index: "customname-*"
+```
+
+For a full list of template setup options, see [Elasticsearch index template](/reference/metricbeat/configuration-template.md).
+
diff --git a/docs/reference/metricbeat/command-line-options.md b/docs/reference/metricbeat/command-line-options.md
new file mode 100644
index 000000000000..2da25bfbe235
--- /dev/null
+++ b/docs/reference/metricbeat/command-line-options.md
@@ -0,0 +1,405 @@
+---
+navigation_title: "Command reference"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/command-line-options.html
+---
+
+# Metricbeat command reference [command-line-options]
+
+
+Metricbeat provides a command-line interface for starting Metricbeat and performing common tasks, like testing configuration files and loading dashboards.
+
+The command-line also supports [global flags](#global-flags) for controlling global behaviors.
+
+::::{tip}
+Use `sudo` to run the following commands if:
+
+* the config file is owned by `root`, or
+* Metricbeat is configured to capture data that requires `root` access
+
+::::
+
+
+Some of the features described here require an Elastic license. For more information, see [https://www.elastic.co/subscriptions](https://www.elastic.co/subscriptions) and [License Management](docs-content://deploy-manage/license/manage-your-license-in-self-managed-cluster.md).
+
+| Commands |  |
+| --- | --- |
+| [`export`](#export-command) | Exports the configuration, index template, ILM policy, or a dashboard to stdout. |
+| [`help`](#help-command) | Shows help for any command. |
+| [`keystore`](#keystore-command) | Manages the [secrets keystore](/reference/metricbeat/keystore.md). |
+| [`modules`](#modules-command) | Manages configured modules. |
+| [`run`](#run-command) | Runs Metricbeat. This command is used by default if you start Metricbeat without specifying a command. |
+| [`setup`](#setup-command) | Sets up the initial environment, including the index template, ILM policy and write alias, and {{kib}} dashboards (when available). |
+| [`test`](#test-command) | Tests the configuration. |
+| [`version`](#version-command) | Shows information about the current version. |
+
+Also see [Global flags](#global-flags).
+
+## `export` command [export-command]
+
+Exports the configuration, index template, ILM policy, or a dashboard to stdout. You can use this command to quickly view your configuration, see the contents of the index template and the ILM policy, or export a dashboard from {{kib}}.
+
+**SYNOPSIS**
+
+```sh
+metricbeat export SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`config`**
+:   Exports the current configuration to stdout. If you use the `-c` flag, this command exports the configuration that’s defined in the specified file.
+
+$$$dashboard-subcommand$$$**`dashboard`**
+:   Exports a dashboard. You can use this option to store a dashboard on disk in a module and load it automatically. For example, to export the dashboard to a JSON file, run:
+
+    ```shell
+    metricbeat export dashboard --id="DASHBOARD_ID" > dashboard.json
+    ```
+
+    To find the `DASHBOARD_ID`, look at the URL for the dashboard in {{kib}}. By default, `export dashboard` writes the dashboard to stdout. The example shows how to write the dashboard to a JSON file so that you can import it later. The JSON file will contain the dashboard with all visualizations and searches. You must load the index pattern separately for Metricbeat.
+
+    To load the dashboard, copy the generated `dashboard.json` file into the `kibana/6/dashboard` directory of Metricbeat, and run `metricbeat setup --dashboards` to import the dashboard.
+
+    If {{kib}} is not running on `localhost:5061`, you must also adjust the Metricbeat configuration under `setup.kibana`.
+
+
+$$$template-subcommand$$$**`template`**
+:   Exports the index template to stdout. You can specify the `--es.version` flag to further define what gets exported. Furthermore you can export the template to a file instead of `stdout` by defining a directory via `--dir`.
+
+$$$ilm-policy-subcommand$$$
+
+**`ilm-policy`**
+:   Exports the index lifecycle management policy to stdout. You can specify the `--es.version` and a `--dir` to which the policy should be exported as a file rather than exporting to `stdout`.
+
+**FLAGS**
+
+**`--es.version VERSION`**
+:   When used with [`template`](#template-subcommand), exports an index template that is compatible with the specified version.  When used with [`ilm-policy`](#ilm-policy-subcommand), exports the ILM policy if the specified ES version is enabled for ILM.
+
+**`-h, --help`**
+:   Shows help for the `export` command.
+
+**`--dir DIRNAME`**
+:   Define a directory to which the template, pipelines, and ILM policy should be exported to as files instead of printing them to `stdout`.
+
+**`--id DASHBOARD_ID`**
+:   When used with [`dashboard`](#dashboard-subcommand), specifies the dashboard ID.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+metricbeat export config
+metricbeat export template --es.version 9.0.0-beta1
+metricbeat export dashboard --id="a7b35890-8baa-11e8-9676-ef67484126fb" > dashboard.json
+```
+
+
+## `help` command [help-command]
+
+Shows help for any command. If no command is specified, shows help for the `run` command.
+
+**SYNOPSIS**
+
+```sh
+metricbeat help COMMAND_NAME [FLAGS]
+```
+
+**`COMMAND_NAME`**
+:   Specifies the name of the command to show help for.
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `help` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+metricbeat help export
+```
+
+
+## `keystore` command [keystore-command]
+
+Manages the [secrets keystore](/reference/metricbeat/keystore.md).
+
+**SYNOPSIS**
+
+```sh
+metricbeat keystore SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`add KEY`**
+:   Adds the specified key to the keystore. Use the `--force` flag to overwrite an existing key. Use the `--stdin` flag to pass the value through `stdin`.
+
+**`create`**
+:   Creates a keystore to hold secrets. Use the `--force` flag to overwrite the existing keystore.
+
+**`list`**
+:   Lists the keys in the keystore.
+
+**`remove KEY`**
+:   Removes the specified key from the keystore.
+
+**FLAGS**
+
+**`--force`**
+:   Valid with the `add` and `create` subcommands. When used with `add`, overwrites the specified key. When used with `create`, overwrites the keystore.
+
+**`--stdin`**
+:   When used with `add`, uses the stdin as the source of the key’s value.
+
+**`-h, --help`**
+:   Shows help for the `keystore` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+metricbeat keystore create
+metricbeat keystore add ES_PWD
+metricbeat keystore remove ES_PWD
+metricbeat keystore list
+```
+
+See [Secrets keystore](/reference/metricbeat/keystore.md) for more examples.
+
+
+## `modules` command [modules-command]
+
+Manages configured modules. You can use this command to enable and disable specific module configurations defined in the `modules.d` directory. The changes you make with this command are persisted and used for subsequent runs of Metricbeat.
+
+To see which modules are enabled and disabled, run the `list` subcommand.
+
+**SYNOPSIS**
+
+```sh
+metricbeat modules SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`disable MODULE_LIST`**
+:   Disables the modules specified in the space-separated list.
+
+**`enable MODULE_LIST`**
+:   Enables the modules specified in the space-separated list.
+
+**`list`**
+:   Lists the modules that are currently enabled and disabled.
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `modules` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+metricbeat modules list
+metricbeat modules enable apache nginx system
+```
+
+
+## `run` command [run-command]
+
+Runs Metricbeat. This command is used by default if you start Metricbeat without specifying a command.
+
+**SYNOPSIS**
+
+```sh
+metricbeat run [FLAGS]
+```
+
+Or:
+
+```sh
+metricbeat [FLAGS]
+```
+
+**FLAGS**
+
+**`-N, --N`**
+:   Disables publishing for testing purposes. This option disables all outputs except the [File output](/reference/metricbeat/file-output.md).
+
+**`--cpuprofile FILE`**
+:   Writes CPU profile data to the specified file. This option is useful for troubleshooting Metricbeat.
+
+**`-h, --help`**
+:   Shows help for the `run` command.
+
+**`--httpprof [HOST]:PORT`**
+:   Starts an http server for profiling. This option is useful for troubleshooting and profiling Metricbeat.
+
+**`--memprofile FILE`**
+:   Writes memory profile data to the specified output file. This option is useful for troubleshooting Metricbeat.
+
+**`--system.hostfs MOUNT_POINT`**
+:   Specifies the mount point of the host’s filesystem for use in monitoring a host. This flag is depricated, and an alternate hostfs should be specified via the `hostfs` module config value.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+metricbeat run -e
+```
+
+Or:
+
+```sh
+metricbeat -e
+```
+
+
+## `setup` command [setup-command]
+
+Sets up the initial environment, including the index template, ILM policy and write alias, and {{kib}} dashboards (when available)
+
+* The index template ensures that fields are mapped correctly in Elasticsearch. If index lifecycle management is enabled it also ensures that the defined ILM policy and write alias are connected to the indices matching the index template. The ILM policy takes care of the lifecycle of an index, when to do a rollover, when to move an index from the hot phase to the next phase, etc.
+* The {{kib}} dashboards make it easier for you to visualize Metricbeat data in {{kib}}.
+
+This command sets up the environment without actually running Metricbeat and ingesting data. Specify optional flags to set up a subset of assets.
+
+**SYNOPSIS**
+
+```sh
+metricbeat setup [FLAGS]
+```
+
+**FLAGS**
+
+**`--dashboards`**
+:   Sets up the {{kib}} dashboards (when available). This option loads the dashboards from the Metricbeat package. For more options, such as loading customized dashboards, see [Importing Existing Beat Dashboards](http://www.elastic.co/guide/en/beats/devguide/master/import-dashboards.md) in the *Beats Developer Guide*.
+
+**`-h, --help`**
+:   Shows help for the `setup` command.
+
+**`--index-management`**
+:   Sets up components related to Elasticsearch index management including template, ILM policy, and write alias (if supported and configured).
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+metricbeat setup --dashboards
+metricbeat setup --index-management
+```
+
+
+## `test` command [test-command]
+
+Tests the configuration.
+
+**SYNOPSIS**
+
+```sh
+metricbeat test SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`config`**
+:   Tests the configuration settings.
+
+**`modules [MODULE_NAME] [METRICSET_NAME]`**
+:   Tests module settings for all configured modules. When you run this command, Metricbeat does a test run that applies the current settings, retrieves the metrics, and shows them as output. To test the settings for a specific module, specify `MODULE_NAME`. To test the settings for a specific metricset in the module, also specify `METRICSET_NAME`.
+
+**`output`**
+:   Tests that Metricbeat can connect to the output by using the current settings.
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `test` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+metricbeat test config
+metricbeat test modules system cpu
+```
+
+
+## `version` command [version-command]
+
+Shows information about the current version.
+
+**SYNOPSIS**
+
+```sh
+metricbeat version [FLAGS]
+```
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `version` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+metricbeat version
+```
+
+
+## Global flags [global-flags]
+
+These global flags are available whenever you run Metricbeat.
+
+**`-E, --E "SETTING_NAME=VALUE"`**
+:   Overrides a specific configuration setting. You can specify multiple overrides. For example:
+
+    ```sh
+    metricbeat -E "name=mybeat" -E "output.elasticsearch.hosts=['http://myhost:9200']"
+    ```
+
+    This setting is applied to the currently running Metricbeat process. The Metricbeat configuration file is not changed.
+
+
+**`-c, --c FILE`**
+:   Specifies the configuration file to use for Metricbeat. The file you specify here is relative to `path.config`. If the `-c` flag is not specified, the default config file, `metricbeat.yml`, is used.
+
+**`-d, --d SELECTORS`**
+:   Enables debugging for the specified selectors. For the selectors, you can specify a comma-separated list of components, or you can use `-d "*"` to enable debugging for all components. For example, `-d "publisher"` displays all the publisher-related messages.
+
+**`-e, --e`**
+:   Logs to stderr and disables syslog/file output.
+
+**`--environment`**
+:   For logging purposes, specifies the environment that Metricbeat is running in. This setting is used to select a default log output when no log output is configured. Supported values are: `systemd`, `container`, `macos_service`, and `windows_service`. If `systemd` or `container` is specified, Metricbeat will log to stdout and stderr by default.
+
+**`--path.config`**
+:   Sets the path for configuration files. See the [Directory layout](/reference/metricbeat/directory-layout.md) section for details.
+
+**`--path.data`**
+:   Sets the path for data files. See the [Directory layout](/reference/metricbeat/directory-layout.md) section for details.
+
+**`--path.home`**
+:   Sets the path for miscellaneous files. See the [Directory layout](/reference/metricbeat/directory-layout.md) section for details.
+
+**`--path.logs`**
+:   Sets the path for log files. See the [Directory layout](/reference/metricbeat/directory-layout.md) section for details.
+
+**`--strict.perms`**
+:   Sets strict permission checking on configuration files. The default is `--strict.perms=true`. See [Config file ownership and permissions](/reference/libbeat/config-file-permissions.md) for more information.
+
+**`-v, --v`**
+:   Logs INFO-level messages.
+
+
diff --git a/docs/reference/metricbeat/community-id.md b/docs/reference/metricbeat/community-id.md
new file mode 100644
index 000000000000..fec3df4fd9e1
--- /dev/null
+++ b/docs/reference/metricbeat/community-id.md
@@ -0,0 +1,41 @@
+---
+navigation_title: "community_id"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/community-id.html
+---
+
+# Community ID Network Flow Hash [community-id]
+
+
+The `community_id` processor computes a network flow hash according to the [Community ID Flow Hash specification](https://github.com/corelight/community-id-spec).
+
+The flow hash is useful for correlating all network events related to a single flow. For example you can filter on a community ID value and you might get back the Netflow records from multiple collectors and layer 7 protocol records from Packetbeat.
+
+By default the processor is configured to read the flow parameters from the appropriate Elastic Common Schema (ECS) fields. If you are processing ECS data then no parameters are required.
+
+```yaml
+processors:
+  - community_id:
+```
+
+If the data does not conform to ECS then you can customize the field names that the processor reads from. You can also change the `target` field which is where the computed hash is written to.
+
+```yaml
+processors:
+  - community_id:
+      fields:
+        source_ip: my_source_ip
+        source_port: my_source_port
+        destination_ip: my_dest_ip
+        destination_port: my_dest_port
+        iana_number: my_iana_number
+        transport: my_transport
+        icmp_type: my_icmp_type
+        icmp_code: my_icmp_code
+      target: network.community_id
+```
+
+If the necessary fields are not present in the event then the processor will silently continue without adding the target field.
+
+The processor also accepts an optional `seed` parameter that must be a 16-bit unsigned integer. This value gets incorporated into all generated hashes.
+
diff --git a/docs/reference/metricbeat/configuration-autodiscover-advanced.md b/docs/reference/metricbeat/configuration-autodiscover-advanced.md
new file mode 100644
index 000000000000..209275beadff
--- /dev/null
+++ b/docs/reference/metricbeat/configuration-autodiscover-advanced.md
@@ -0,0 +1,32 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-autodiscover-advanced.html
+---
+
+# Advanced usage [configuration-autodiscover-advanced]
+
+
+## Appenders [_appenders]
+
+Appenders allow users to append configuration that is already built with the help of either templates or builders. Appenders can be configured to be applied only when a required condition is matched. The kind of configuration that is applied is specific to each appender.
+
+
+### Config [_config_2]
+
+The config appender can apply a config on top of the config that was generated by templates or builders. The config is applied whenever a provided condition is matched. It is always applied if there is no condition provided.
+
+```yaml
+metricbeat.autodiscover:
+  providers:
+    - type: kubernetes
+      templates:
+        ...
+      appenders:
+        - type: config
+          condition.equals:
+            kubernetes.namespace: "prometheus"
+          config:
+            fields:
+              type: monitoring
+```
+
diff --git a/docs/reference/metricbeat/configuration-autodiscover-hints.md b/docs/reference/metricbeat/configuration-autodiscover-hints.md
new file mode 100644
index 000000000000..fddc38899541
--- /dev/null
+++ b/docs/reference/metricbeat/configuration-autodiscover-hints.md
@@ -0,0 +1,203 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-autodiscover-hints.html
+---
+
+# Hints based autodiscover [configuration-autodiscover-hints]
+
+Metricbeat supports autodiscover based on hints from the provider. The `hints` system looks for hints in Kubernetes Pod annotations or Docker labels which have the prefix `co.elastic.metrics`. As soon as the container starts, Metricbeat will check if it contains any hints and launch the proper config for it. Hints tell Metricbeat how to get metrics for the given container. This is the full list of supported hints:
+
+
+#### `co.elastic.metrics/module` [_co_elastic_metricsmodule]
+
+Metricbeat module to use to fetch metrics. See [Modules](/reference/metricbeat/metricbeat-modules.md) for the list of supported modules.
+
+
+#### `co.elastic.metrics/hosts` [_co_elastic_metricshosts]
+
+Hosts setting to use with the given module. Hosts can include `${data.host}`, `${data.port}`, `${data.ports.<port_name>}` values from the autodiscover event, ie: `${data.host}:80`. For Kuberentes autodiscover events users can leverage port names as well, like `http://${data.host}:${data.ports.prometheus}/metrics`. In the last one we refer to the container port with name `prometheus`.
+
+In order to target one specific exposed port `localhost:{data.ports.8222}` can be used in template config, where `8222` is the internal container port of the exposed targeted port.
+
+
+#### `co.elastic.metrics/metricsets` [_co_elastic_metricsmetricsets]
+
+List of metricsets to use, comma separated. If no metricsets are provided, default metricsets for the module are used.
+
+
+#### `co.elastic.metrics/metrics_path` [_co_elastic_metricsmetrics_path]
+
+The path to retrieve the metrics from (/metrics by default) for [Prometheus module](/reference/metricbeat/metricbeat-module-prometheus.md#prometheus-module).
+
+
+#### `co.elastic.metrics/period` [_co_elastic_metricsperiod]
+
+The time interval for metrics retrieval, ie: 10s
+
+
+#### `co.elastic.metrics/timeout` [_co_elastic_metricstimeout]
+
+Metrics retrieval timeout, default: 3s
+
+
+#### `co.elastic.metrics/username` [_co_elastic_metricsusername]
+
+The username to use for authentication
+
+
+#### `co.elastic.metrics/password` [_co_elastic_metricspassword]
+
+The password to use for authentication. It is recommended to retrieve this sensitive information from an ENV variable and avoid placing passwords in plain text. Unlike static autodiscover configuration, hints based autodiscover has no access to the keystore of Metricbeat since it could be a potential security issue. However hints based autodiscover can make use of Kuberentes Secrets as described in [Metricbeat Autodiscover Secret Management](/reference/metricbeat/configuration-autodiscover.md#kubernetes-secrets).
+
+
+#### `co.elastic.metrics/ssl.*` [_co_elastic_metricsssl]
+
+SSL parameters, as seen in [SSL](/reference/metricbeat/configuration-ssl.md).
+
+
+#### `co.elastic.metrics/metrics_filters.*` [_co_elastic_metricsmetrics_filters]
+
+Metrics filters (for prometheus module only).
+
+```yaml
+co.elastic.metrics/module: prometheus
+co.elastic.metrics/metrics_filters.include: node_filesystem_*
+co.elastic.metrics/metrics_filters.exclude: node_filesystem_device_foo,node_filesystem_device_bar
+```
+
+
+#### `co.elastic.metrics/raw` [_co_elastic_metricsraw]
+
+When an entire module configuration needs to be completely set the `raw` hint can be used. You can provide a stringified JSON of the input configuration. `raw` overrides every other hint and can be used to create both a single or a list of configurations.
+
+```yaml
+co.elastic.metrics/raw: "[{\"enabled\":true,\"metricsets\":[\"default\"],\"module\":\"mockmoduledefaults\",\"period\":\"1m\",\"timeout\":\"3s\"}]"
+```
+
+
+#### `co.elastic.metrics/processors` [_co_elastic_metricsprocessors]
+
+Define a processor to be added to the Metricbeat module configuration. See [Processors](/reference/metricbeat/filtering-enhancing-data.md) for the list of supported processors.
+
+In order to provide ordering of the processor definition, numbers can be provided. If not, the hints builder will do arbitrary ordering:
+
+```yaml
+co.elastic.logs/processors.1.add_locale.abbrevation: "MST"
+co.elastic.logs/processors.add_locale.abbrevation: "PST"
+```
+
+In the above sample the processor definition tagged with `1` would be executed first.
+
+When hints are used along with templates, then hints will be evaluated only in case there is no template’s condition that resolves to true. For example:
+
+```yaml
+metricbeat.autodiscover.providers:
+  - type: kubernetes
+    hints.enabled: true
+    templates:
+        - condition:
+            contains:
+              kubernetes.annotations.prometheus.io/scrape: "true"
+          config:
+            - module: prometheus
+              metricsets: ["collector"]
+              hosts: "${data.host}:${data.port}"
+```
+
+In this example first the condition `kubernetes.annotations.prometheus.io/scrape: "true"` is evaluated and if not matched the hints will be processed.
+
+
+## Kubernetes [_kubernetes_2]
+
+Kubernetes autodiscover provider supports hints in Pod annotations. To enable it just set `hints.enabled`:
+
+```yaml
+metricbeat.autodiscover:
+  providers:
+    - type: kubernetes
+      hints.enabled: true
+```
+
+This configuration enables the `hints` autodiscover for Kubernetes. The `hints` system looks for hints in Kubernetes annotations or Docker labels which have the prefix `co.elastic.metrics`.
+
+You can annotate Kubernetes Pods with useful info to spin up Metricbeat modules:
+
+```yaml
+annotations:
+  co.elastic.metrics/module: prometheus
+  co.elastic.metrics/metricsets: collector
+  co.elastic.metrics/hosts: '${data.host}:9090'
+  co.elastic.metrics/period: 1m
+```
+
+The above annotations are used to spin up a Prometheus collector metricset and it polls the parent container on port `9090` at a 1 minute interval.
+
+
+#### Multiple containers [_multiple_containers]
+
+When a Pod has multiple containers, these settings are shared. To set hints specific to a container in the pod you can put the container name in the hint.
+
+When a pod has multiple containers, the settings are shared unless you put the container name in the hint. For example, these hints configure a common behavior for all containers in the Pod, and sets a specific `hosts` hint for the container called `sidecar`.
+
+```yaml
+annotations:
+  co.elastic.metrics/module: apache
+  co.elastic.metrics/hosts: '${data.host}:80'
+  co.elastic.metrics.sidecar/hosts: '${data.host}:8080'
+```
+
+
+#### Multiple sets of hints [_multiple_sets_of_hints]
+
+When a container port needs multiple modules to be defined on it, sets of annotations can be provided with numeric prefixes. If there are hints that don’t have a numeric prefix then they get grouped together into a single configuration.
+
+```yaml
+annotations:
+  co.elastic.metrics/1.module: prometheus
+  co.elastic.metrics/1.hosts: '${data.host}:80/metrics'
+  co.elastic.metrics/1.period: 60s
+  co.elastic.metrics/module: prometheus
+  co.elastic.metrics/hosts: '${data.host}:80/metrics/p1'
+  co.elastic.metrics/period: 5s
+```
+
+The above configuration would spin up two metricbeat module configurations to ensure that the endpoint "/metrics/p1" is polled every 5s whereas the "/metrics" endpoint is polled every 60s.
+
+
+#### Namespace Defaults [_namespace_defaults]
+
+Hints can be configured on the Namespace’s annotations as defaults to use when Pod level annotations are missing. The resultant hints are a combination of Pod annotations and Namespace annotations with the Pod’s taking precedence. To enable Namespace defaults configure the `add_resource_metadata` for Namespace objects as follows:
+
+```yaml
+metricbeat.autodiscover:
+  providers:
+    - type: kubernetes
+      hints.enabled: true
+      add_resource_metadata:
+        namespace:
+          include_annotations: ["nsannotation1"]
+```
+
+
+## Docker [_docker_3]
+
+Docker autodiscover provider supports hints in labels. To enable it just set `hints.enabled`:
+
+```yaml
+metricbeat.autodiscover:
+  providers:
+    - type: docker
+      hints.enabled: true
+```
+
+You can label Docker containers with useful info to spin up Metricbeat modules, for example:
+
+```yaml
+  co.elastic.metrics/module: nginx
+  co.elastic.metrics/metricsets: stubstatus
+  co.elastic.metrics/hosts: '${data.host}:80'
+  co.elastic.metrics/period: 10s
+```
+
+The above labels would allow Metricbeat to run the nginx module and poll port `80` of the Docker container every 10 seconds.
+
diff --git a/docs/reference/metricbeat/configuration-autodiscover.md b/docs/reference/metricbeat/configuration-autodiscover.md
new file mode 100644
index 000000000000..4415dd6ccc68
--- /dev/null
+++ b/docs/reference/metricbeat/configuration-autodiscover.md
@@ -0,0 +1,555 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-autodiscover.html
+---
+
+# Autodiscover [configuration-autodiscover]
+
+When you run applications on containers, they become moving targets to the monitoring system. Autodiscover allows you to track them and adapt settings as changes happen. By defining configuration templates, the autodiscover subsystem can monitor services as they start running.
+
+You define autodiscover settings in the  `metricbeat.autodiscover` section of the `metricbeat.yml` config file. To enable autodiscover, you specify a list of providers.
+
+
+## Providers [_providers]
+
+Autodiscover providers work by watching for events on the system and translating those events into internal autodiscover events with a common format. When you configure the provider, you can optionally use fields from the autodiscover event to set conditions that, when met, launch specific configurations.
+
+On start, Metricbeat will scan existing containers and launch the proper configs for them. Then it will watch for new start/stop events. This ensures you don’t need to worry about state, but only define your desired configs.
+
+
+#### Docker [_docker_2]
+
+The Docker autodiscover provider watches for Docker containers to start and stop.
+
+It has the following settings:
+
+`host`
+:   (Optional) Docker socket (UNIX or TCP socket). It uses `unix:///var/run/docker.sock` by default.
+
+`ssl`
+:   (Optional) SSL configuration to use when connecting to the Docker socket.
+
+`cleanup_timeout`
+:   (Optional) Specify the time of inactivity before stopping the running configuration for a container, disabled by default.
+
+`labels.dedot`
+:   (Optional) Default to be false. If set to true, replace dots in labels with `_`.
+
+These are the fields available within config templating. The `docker.*` fields will be available on each emitted event. event:
+
+* host
+* port
+* docker.container.id
+* docker.container.image
+* docker.container.name
+* docker.container.labels
+
+For example:
+
+```yaml
+{
+  "host": "10.4.15.9",
+  "port": 6379,
+  "docker": {
+    "container": {
+      "id": "382184ecdb385cfd5d1f1a65f78911054c8511ae009635300ac28b4fc357ce51"
+      "name": "redis",
+      "image": "redis:3.2.11",
+      "labels": {
+        "io.kubernetes.pod.namespace": "default"
+        ...
+      }
+    }
+  }
+}
+```
+
+You can define a set of configuration templates to be applied when the condition matches an event. Templates define a condition to match on autodiscover events, together with the list of configurations to launch when this condition happens.
+
+Conditions match events from the provider. Providers use the same format for [Conditions](/reference/metricbeat/defining-processors.md#conditions) that processors use.
+
+Configuration templates can contain variables from the autodiscover event. They can be accessed under the `data` namespace. For example, with the example event, "`${data.port}`" resolves to `6379`.
+
+Metricbeat supports templates for modules:
+
+```yaml
+metricbeat.autodiscover:
+  providers:
+    - type: docker
+      labels.dedot: true
+      templates:
+        - condition:
+            contains:
+              docker.container.image: redis
+          config:
+            - module: redis
+              metricsets: ["info", "keyspace"]
+              hosts: "${data.host}:6379"
+```
+
+This configuration launches a `redis` module for all containers running an image with `redis` in the name. `labels.dedot` defaults to be `true` for docker autodiscover, which means dots in docker labels are replaced with *_* by default.
+
+Also Metricbeat autodiscover supports leveraging [Secrets keystore](/reference/metricbeat/keystore.md) in order to retrieve sensitive data like passwords. Here is an example of how a configuration using keystore would look like:
+
+```yaml
+metricbeat.autodiscover:
+  providers:
+    - type: docker
+      labels.dedot: true
+      templates:
+        - condition:
+            contains:
+              docker.container.image: redis
+          config:
+            - module: redis
+              metricsets: ["info", "keyspace"]
+              hosts: "${data.host}:6379"
+              password: "${REDIS_PASSWORD}"
+```
+
+where `REDIS_PASSWORD` is a key stored in local keystore of Metricbeat.
+
+
+#### Kubernetes [_kubernetes]
+
+The Kubernetes autodiscover provider watches for Kubernetes nodes, pods, services to start, update, and stop.
+
+The `kubernetes` autodiscover provider has the following configuration settings:
+
+`node`
+:   (Optional) Specify the node to scope metricbeat to in case it cannot be accurately detected, as when running metricbeat in host network mode.
+
+`namespace`
+:   (Optional) Select the namespace from which to collect the events from the resources. If it is not set, the provider collects them from all namespaces. It is unset by default. The namespace configuration only applies to kubernetes resources that are namespace scoped and if `unique` field is set to `false`.
+
+`cleanup_timeout`
+:   (Optional) Specify the time of inactivity before stopping the running configuration for a container, disabled by default.
+
+`kube_config`
+:   (Optional) Use given config file as configuration for Kubernetes client. If kube_config is not set, KUBECONFIG environment variable will be checked and if not present it will fall back to InCluster.
+
+`kube_client_options`
+:   (Optional) Additional options can be configured for Kubernetes client. Currently client QPS and burst are supported, if not set Kubernetes client’s [default QPS and burst](https://pkg.go.dev/k8s.io/client-go/rest#pkg-constants) will be used. Example:
+
+```yaml
+      kube_client_options:
+        qps: 5
+        burst: 10
+```
+
+`resource`
+:   (Optional) Select the resource to do discovery on. Currently supported Kubernetes resources are `pod`, `service` and `node`. If not configured `resource` defaults to `pod`.
+
+`scope`
+:   (Optional) Specify at what level autodiscover needs to be done at. `scope` can either take `node` or `cluster` as values. `node` scope allows discovery of resources in the specified node. `cluster` scope allows cluster wide discovery. Only `pod` and `node` resources can be discovered at node scope.
+
+`add_resource_metadata`
+:   (Optional) Specify filters and configration for the extra metadata, that will be added to the event. Configuration parameters:
+
+    * `node` or `namespace`: Specify labels and annotations filters for the extra metadata coming from node and namespace. By default all labels are included while annotations are not. To change default behaviour `include_labels`, `exclude_labels` and `include_annotations` can be defined. Those settings are useful when storing labels and annotations that require special handling to avoid overloading the storage output. Note: wildcards are not supported for those settings. The enrichment of `node` or `namespace` metadata can be individually disabled by setting `enabled: false`.
+    * `deployment`: If resource is `pod` and it is created from a `deployment`, by default the deployment name isn’t added, this can be enabled by setting `deployment: true`.
+    * `cronjob`: If resource is `pod` and it is created from a `cronjob`, by default the cronjob name isn’t added, this can be enabled by setting `cronjob: true`.
+
+        Example:
+
+
+```yaml
+      add_resource_metadata:
+        namespace:
+          include_labels: ["namespacelabel1"]
+        node:
+          include_labels: ["nodelabel2"]
+          include_annotations: ["nodeannotation1"]
+        # deployment: false
+        # cronjob: false
+```
+
+`unique`
+:   (Optional) Defaults to `false`. Marking an autodiscover provider as unique results into making the provider to enable the provided templates only when it will gain the leader lease. This setting can only be combined with `cluster` scope. When `unique` is enabled, `resource` and `add_resource_metadata` settings are not taken into account.
+
+`leader_lease`
+:   (Optional) Defaults to `metricbeat-cluster-leader`. This will be name of the lock lease. One can monitor the status of the lease with `kubectl describe lease beats-cluster-leader`. Different Beats that refer to the same leader lease will be competitors in holding the lease and only one will be elected as leader each time.
+
+`leader_leaseduration`
+:   (Optional) Duration that non-leader candidates will wait to force acquire the lease leadership. Defaults to `15s`.
+
+`leader_renewdeadline`
+:   (Optional) Duration that the leader will retry refreshing its leadership before giving up. Defaults to `10s`.
+
+`leader_retryperiod`
+:   (Optional) Duration that the metricbeat instances running to acquire the lease should wait between tries of actions. Defaults to `2s`.
+
+Configuration templates can contain variables from the autodiscover event. These variables can be accessed under the `data` namespace, e.g. to access Pod IP: `${data.kubernetes.pod.ip}`.
+
+These are the fields available within config templating. The `kubernetes.*` fields will be available on each emitted event:
+
+
+##### Generic fields: [_generic_fields]
+
+* host
+
+
+##### Pod specific: [_pod_specific]
+
+| Key | Type | Description |
+| --- | --- | --- |
+| `port` | `string` | Pod port. If pod has multiple ports exposed should be used `ports.<port-name>` instead |
+| `kubernetes.namespace` | `string` | Namespace, where the Pod is running |
+| `kubernetes.namespace_uuid` | `string` | UUID of the Namespace, where the Pod is running |
+| `kubernetes.namespace_annotations.*` | `object` | Annotations of the Namespace, where the Pod is running. Annotations should be used in not dedoted format, e.g. `kubernetes.namespace_annotations.app.kubernetes.io/name` |
+| `kubernetes.pod.name` | `string` | Name of the Pod |
+| `kubernetes.pod.uid` | `string` | UID of the Pod |
+| `kubernetes.pod.ip` | `string` | IP of the Pod |
+| `kubernetes.labels.*` | `object` | Object of the Pod labels. Labels should be used in not dedoted format, e.g. `kubernetes.labels.app.kubernetes.io/name` |
+| `kubernetes.annotations.*` | `object` | Object of the Pod annotations. Annotations should be used in not dedoted format, e.g. `kubernetes.annotations.test.io/test` |
+| `kubernetes.container.name` | `string` | Name of the container |
+| `kubernetes.container.runtime` | `string` | Runtime of the container |
+| `kubernetes.container.id` | `string` | ID of the container |
+| `kubernetes.container.image` | `string` | Image of the container |
+| `kubernetes.node.name` | `string` | Name of the Node |
+| `kubernetes.node.uid` | `string` | UID of the Node |
+| `kubernetes.node.hostname` | `string` | Hostname of the Node |
+
+
+##### Node specific: [_node_specific]
+
+| Key | Type | Description |
+| --- | --- | --- |
+| `kubernetes.labels.*` | `object` | Object of labels of the Node |
+| `kubernetes.annotations.*` | `object` | Object of annotations of the Node |
+| `kubernetes.node.name` | `string` | Name of the Node |
+| `kubernetes.node.uid` | `string` | UID of the Node |
+| `kubernetes.node.hostname` | `string` | Hostname of the Node |
+
+
+##### Service specific: [_service_specific]
+
+| Key | Type | Description |
+| --- | --- | --- |
+| `port` | `string` | Service port |
+| `kubernetes.namespace` | `string` | Namespace of the Service |
+| `kubernetes.namespace_uuid` | `string` | UUID of the Namespace of the Service |
+| `kubernetes.namespace_annotations.*` | `object` | Annotations of the Namespace of the Service. Annotations should be used in not dedoted format, e.g. `kubernetes.namespace_annotations.app.kubernetes.io/name` |
+| `kubernetes.labels.*` | `object` | Object of the Service labels |
+| `kubernetes.annotations.*` | `object` | Object of the Service annotations |
+| `kubernetes.service.name` | `string` | Name of the Service |
+| `kubernetes.service.uid` | `string` | UID of the Service |
+
+If the `include_annotations` config is added to the provider config, then the list of annotations present in the config are added to the event.
+
+If the `include_labels` config is added to the provider config, then the list of labels present in the config will be added to the event.
+
+If the `exclude_labels` config is added to the provider config, then the list of labels present in the config will be excluded from the event.
+
+if the `labels.dedot` config is set to be `true` in the provider config, then `.` in labels will be replaced with `_`. By default it is `true`.
+
+if the `annotations.dedot` config is set to be `true` in the provider config, then `.` in annotations will be replaced with `_`. By default it is `true`.
+
+::::{note}
+Starting from 8.6 release `kubernetes.labels.*` used in config templating are not dedoted regardless of `labels.dedot` value. This config parameter only affects the fields added in the final Elasticsearch document. For example, for a pod with label `app.kubernetes.io/name=ingress-nginx` the matching condition should be `condition.equals: kubernetes.labels.app.kubernetes.io/name: "ingress-nginx"`. If `labels.dedot` is set to `true`(default value) the label will be stored in Elasticsearch as `kubernetes.labels.app_kubernetes_io/name`. The same applies for kubernetes annotations.
+::::
+
+
+For example:
+
+```yaml
+{
+  "host": "172.17.0.21",
+  "port": 9090,
+  "kubernetes": {
+    "container": {
+      "id": "bb3a50625c01b16a88aa224779c39262a9ad14264c3034669a50cd9a90af1527",
+      "image": "prom/prometheus",
+      "name": "prometheus"
+    },
+    "labels": {
+      "project": "prometheus",
+      ...
+    },
+    "namespace": "default",
+    "node": {
+      "name": "minikube"
+    },
+    "pod": {
+      "name": "prometheus-2657348378-k1pnh"
+    }
+  },
+}
+```
+
+Example:
+
+```yaml
+metricbeat.autodiscover:
+  providers:
+    - type: kubernetes
+      scope: cluster
+      node: ${NODE_NAME}
+      unique: true
+      identifier: leader-election-metricbeat
+      templates:
+        - config:
+            - module: kubernetes
+              hosts: ["kube-state-metrics:8080"]
+              period: 10s
+              add_metadata: true
+              metricsets:
+                - state_node
+```
+
+The above configuration when deployed on one or more Metribceat instances will enable `state_node` metricset only for the Metricbeat instance that will gain the leader lease/lock. With this deployment strategy we can ensure that cluster-wide metricsets are only enabled by one Beat instance when deploying a Beat as DaemonSet.
+
+Metricbeat supports templates for modules:
+
+```yaml
+metricbeat.autodiscover:
+  providers:
+    - type: kubernetes
+      include_annotations: ["prometheus.io.scrape"]
+      templates:
+        - condition:
+            contains:
+              kubernetes.annotations.prometheus.io/scrape: "true"
+          config:
+            - module: prometheus
+              metricsets: ["collector"]
+              hosts: "${data.host}:${data.port}"
+```
+
+This configuration launches a `prometheus` module for all containers of pods annotated `prometheus.io/scrape=true`.
+
+
+#### Manually Defining Ports with Kubernetes [_manually_defining_ports_with_kubernetes]
+
+Declare exposed ports in your pod spec if possible. Otherwise, you will need to use multiple templates with complex filtering rules. The `{port}` variable will not be present, and you will need to hardcode ports. Example: `{data.host}:1234`
+
+When ports are not declared, Autodiscover generates a config using your provided template once per pod, and once per container. These generated configs are de-duplicated after they are generated. If the generated configs for multiple containers are identical, they will be merged into one config.
+
+Pods share an identical host. If only the `{data.host}` variable is interpolated, then one config will be generated per host. The configs will be identical. After they are de-duplicated, only one will be used.
+
+In order to target one specific exposed port `{data.host}:{data.ports.web}` can be used in template config, where `web` is the name of the exposed container port.
+
+
+#### Metricbeat Autodiscover Secret Management [kubernetes-secrets]
+
+
+##### Local Keystore [_local_keystore]
+
+Metricbeat autodiscover supports leveraging [Secrets keystore](/reference/metricbeat/keystore.md) in order to retrieve sensitive data like passwords. Here is an example of how a configuration using keystore would look like:
+
+```yaml
+metricbeat.autodiscover:
+  providers:
+    - type: kubernetes
+      templates:
+        - condition:
+            contains:
+              kubernetes.labels.app: "redis"
+          config:
+            - module: redis
+              metricsets: ["info", "keyspace"]
+              hosts: "${data.host}:6379"
+              password: "${REDIS_PASSWORD}"
+```
+
+where `REDIS_PASSWORD` is a key stored in local keystore of Metricbeat.
+
+
+#### Kubernetes Secrets [_kubernetes_secrets]
+
+Metricbeat autodiscover supports leveraging [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) in order to retrieve sensitive data like passwords. In order to enable this feature add the following section in Metricbeat’s `ClusterRole` rules:
+
+```yaml
+- apiGroups: [""]
+  resources:
+    - secrets
+  verbs: ["get"]
+```
+
+::::{warning}
+The above rule will give permission to Metricbeat Pod to access Kubernetes Secrets API. This means that anyone who have access to Metricbeat Pod (`kubectl exec` for example) will be able to access Kubernetes Secrets API and get a specific secret no matter which namespace it belongs to. This option should be carefully considered, specially when used with hints.
+::::
+
+
+One option to give permissions only for one namespace, and not cluster-scoped, is to use a specific Role for a targeted namespace so as to better control access:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: marketing-team
+  name: secret-reader
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources: ["secrets"]
+  verbs: ["get"]
+```
+
+One can find more info about Role and ClusterRole in the official Kubernetes [documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).
+
+Here is an example of how a configuration using Kubernetes secrets would look like:
+
+```yaml
+metricbeat.autodiscover:
+  providers:
+    - type: kubernetes
+      templates:
+        - condition:
+            contains:
+              kubernetes.labels.app: "redis"
+          config:
+            - module: redis
+              metricsets: ["info", "keyspace"]
+              hosts: "${data.host}:6379"
+              password: "${kubernetes.default.somesecret.value}"
+```
+
+where `kubernetes.default.somesecret.value` specifies a key stored as Kubernetes secret as following:
+
+1. Kubernetes Namespace: `default`
+2. Kubernetes Secret Name: `somesecret`
+3. Secret Data Key: `value`
+
+This secret can be created in a Kubernetes environment using the following command:
+
+```yaml
+cat << EOF | kubectl apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+  name: somesecret
+type: Opaque
+data:
+  value: $(echo -n "passpass" | base64)
+EOF
+```
+
+Note that Pods can only consume secrets that belong to the same Kubernetes namespace. For instance if Pod `my-redis` is running under `staging` namespace, it cannot access a secret under `testing` namespace for example `kubernetes.testing.xxx.yyy`.
+
+
+#### Jolokia [_jolokia]
+
+The Jolokia autodiscover provider uses Jolokia Discovery to find agents running in your host or your network.
+
+The configuration of this provider consists in a set of network interfaces, as well as a set of templates as in other providers. The network interfaces will be the ones used for discovery probes, each item of `interfaces` has these settings:
+
+`name`
+:   the name of the interface (e.g. `br0`), it can contain a wildcard as suffix to apply the same settings to multiple network interfaces of the same type (e.g. `br*`).
+
+`interval`
+:   time between probes (defaults to 10s)
+
+`grace_period`
+:   time since the last reply to consider an instance stopped (defaults to 30s)
+
+`probe_timeout`
+:   max time to wait for responses since a probe is sent (defaults to 1s)
+
+Jolokia Discovery mechanism is supported by any Jolokia agent since version 1.2.0, it is enabled by default when Jolokia is included in the application as a JVM agent, but disabled in other cases as the OSGI or WAR (Java EE) agents. In any case, this feature is controlled with two properties:
+
+* `discoveryEnabled`, to enable the feature
+* `discoveryAgentUrl`, if set, this is the URL announced by the agent when being discovered, setting this parameter implicitly enables the feature
+
+There are multiple ways of setting these properties, and they can vary from application to application, please refer to the documentation of your application to find the more suitable way to set them in your case.
+
+Jolokia Discovery is based on UDP multicast requests. Agents join the multicast group 239.192.48.84, port 24884, and discovery is done by sending queries to this group. You have to take into account that UDP traffic between Metricbeat and the Jolokia agents has to be allowed. Also notice that this multicast address is in the 239.0.0.0/8 range, that is reserved for private use within an organization, so it can only be used in private networks.
+
+These are the available fields during within config templating. The `jolokia.*` fields will be available on each emitted event.
+
+* jolokia.agent.id
+* jolokia.agent.version
+* jolokia.secured
+* jolokia.server.product
+* jolokia.server.vendor
+* jolokia.server.version
+* jolokia.url
+
+Metricbeat supports templates for modules:
+
+```yaml
+metricbeat.autodiscover:
+  providers:
+    - type: jolokia
+      interfaces:
+      - name: br*
+        interval: 5s
+        grace_period: 10s
+      - name: en*
+      templates:
+      - condition:
+          contains:
+            jolokia.server.product: "tomcat"
+        config:
+        - module: jolokia
+          metricsets: ["jmx"]
+          hosts: "${data.jolokia.url}"
+          namespace: test
+          jmx.mappings:
+          - mbean: "java.lang:type=Runtime"
+            attributes:
+            - attr: Uptime
+              field: uptime
+```
+
+This configuration starts a jolokia module that collects the uptime of each `tomcat` instance discovered. Discovery probes are sent using all interfaces starting with `br` and `en`, for the `br` interfaces the `interval` and `grace_period` is reduced to 5 and 10 seconds respectively.
+
+
+#### Amazon EC2s [_amazon_ec2s]
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The Amazon EC2 autodiscover provider discovers [EC2 instances](https://aws.amazon.com/ec2/). This is useful for users to launch Metricbeat modules to monitor services running on AWS EC2 instances.
+
+For example, you can use this provider to gather MySQL metrics from MySQL servers running on EC2 instances that have a specific tag, `service: mysql`.
+
+This provider will load AWS credentials using the standard AWS environment variables and shared credentials files see [Best Practices for Managing AWS Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html) for more information. If you do not wish to use these, you may explicitly set the `access_key_id` and `secret_access_key` variables.
+
+These are the available fields during within config templating. The `aws.ec2.*` fields and `cloud.*` fields will be available on each emitted event.
+
+* cloud.availability_zone
+* cloud.instance.id
+* cloud.machine.type
+* cloud.provider
+* cloud.region
+* aws.ec2.architecture
+* aws.ec2.image.id
+* aws.ec2.kernel.id
+* aws.ec2.monitoring.state
+* aws.ec2.private.dns_name
+* aws.ec2.private.ip
+* aws.ec2.public.dns_name
+* aws.ec2.public.ip
+* aws.ec2.root_device_name
+* aws.ec2.state.code
+* aws.ec2.state.name
+* aws.ec2.subnet.id
+* aws.ec2.tags
+* aws.ec2.vpc.id
+
+Metricbeat supports templates for modules:
+
+```yaml
+metricbeat.autodiscover:
+  providers:
+    - type: aws_ec2
+      period: 1m
+      credential_profile_name: elastic-beats
+      templates:
+        - condition:
+            equals:
+              aws.ec2.tags.service: "mysql"
+          config:
+            - module: mysql
+              metricsets: ["status", "galera_status"]
+              period: 10s
+              hosts: ["root:password@tcp(${data.aws.ec2.public.ip}:3306)/"]
+              username: root
+              password: password
+```
+
+This autodiscover provider takes our standard AWS credentials options. With this configuration, `mysql` metricbeat module will be launched for all EC2 instances that have `service: mysql` as a tag.
+
+This autodiscover provider takes our standard [AWS credentials options](/reference/metricbeat/metricbeat-module-aws.md#aws-credentials-config).
diff --git a/docs/reference/metricbeat/configuration-dashboards.md b/docs/reference/metricbeat/configuration-dashboards.md
new file mode 100644
index 000000000000..2c6a1612d0ac
--- /dev/null
+++ b/docs/reference/metricbeat/configuration-dashboards.md
@@ -0,0 +1,103 @@
+---
+navigation_title: "Kibana dashboards"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-dashboards.html
+---
+
+# Configure Kibana dashboard loading [configuration-dashboards]
+
+
+Metricbeat comes packaged with example Kibana dashboards, visualizations, and searches for visualizing Metricbeat data in Kibana.
+
+To load the dashboards, you can either enable dashboard loading in the `setup.dashboards` section of the `metricbeat.yml` config file, or you can run the `setup` command. Dashboard loading is disabled by default.
+
+When dashboard loading is enabled, Metricbeat uses the Kibana API to load the sample dashboards. Dashboard loading is only attempted when Metricbeat starts up. If Kibana is not available at startup, Metricbeat will stop with an error.
+
+To enable dashboard loading, add the following setting to the config file:
+
+```yaml
+setup.dashboards.enabled: true
+```
+
+
+## Configuration options [_configuration_options_12]
+
+You can specify the following options in the `setup.dashboards` section of the `metricbeat.yml` config file:
+
+
+### `setup.dashboards.enabled` [_setup_dashboards_enabled]
+
+If this option is set to true, Metricbeat loads the sample Kibana dashboards from the local `kibana` directory in the home path of the Metricbeat installation.
+
+::::{note}
+Metricbeat loads dashboards on startup if either `enabled` is set to `true` or the `setup.dashboards` section is included in the configuration.
+::::
+
+
+::::{note}
+When dashboard loading is enabled, Metricbeat overwrites any existing dashboards that match the names of the dashboards you are loading. This happens every time Metricbeat starts.
+::::
+
+
+If no other options are set, the dashboard are loaded from the local `kibana` directory in the home path of the Metricbeat installation. To load dashboards from a different location, you can configure one of the following options: [`setup.dashboards.directory`](#directory-option), [`setup.dashboards.url`](#url-option), or [`setup.dashboards.file`](#file-option).
+
+
+### `setup.dashboards.directory` [directory-option]
+
+The directory that contains the dashboards to load. The default is the `kibana` folder in the home path.
+
+
+### `setup.dashboards.url` [url-option]
+
+The URL to use for downloading the dashboard archive. If this option is set, Metricbeat downloads the dashboard archive from the specified URL instead of using the local directory.
+
+
+### `setup.dashboards.file` [file-option]
+
+The file archive (zip file) that contains the dashboards to load. If this option is set, Metricbeat looks for a dashboard archive in the specified path instead of using the local directory.
+
+
+### `setup.dashboards.beat` [_setup_dashboards_beat]
+
+In case the archive contains the dashboards for multiple Beats, this setting lets you select the Beat for which you want to load dashboards. To load all the dashboards in the archive, set this option to an empty string. The default is `"metricbeat"`.
+
+
+### `setup.dashboards.kibana_index` [_setup_dashboards_kibana_index]
+
+The name of the Kibana index to use for setting the configuration. The default is `".kibana"`
+
+
+### `setup.dashboards.index` [_setup_dashboards_index]
+
+The Elasticsearch index name. This setting overwrites the index name defined in the dashboards and index pattern. Example: `"testbeat-*"`
+
+::::{note}
+This setting only works for Kibana 6.0 and newer.
+::::
+
+
+
+### `setup.dashboards.always_kibana` [_setup_dashboards_always_kibana]
+
+Force loading of dashboards using the Kibana API without querying Elasticsearch for the version. The default is `false`.
+
+
+### `setup.dashboards.retry.enabled` [_setup_dashboards_retry_enabled]
+
+If this option is set to true, and Kibana is not reachable at the time when dashboards are loaded, Metricbeat will retry to reconnect to Kibana instead of exiting with an error. Disabled by default.
+
+
+### `setup.dashboards.retry.interval` [_setup_dashboards_retry_interval]
+
+Duration interval between Kibana connection retries. Defaults to 1 second.
+
+
+### `setup.dashboards.retry.maximum` [_setup_dashboards_retry_maximum]
+
+Maximum number of retries before exiting with an error. Set to 0 for unlimited retrying. Default is unlimited.
+
+
+### `setup.dashboards.string_replacements` [_setup_dashboards_string_replacements]
+
+The needle and replacements string map, which is used to replace needle string in dashboards and their references contents.
+
diff --git a/docs/reference/metricbeat/configuration-feature-flags.md b/docs/reference/metricbeat/configuration-feature-flags.md
new file mode 100644
index 000000000000..47af63b8a5ac
--- /dev/null
+++ b/docs/reference/metricbeat/configuration-feature-flags.md
@@ -0,0 +1,54 @@
+---
+navigation_title: "Feature flags"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-feature-flags.html
+---
+
+# Configure feature flags [configuration-feature-flags]
+
+
+The Feature Flags section of the `metricbeat.yml` config file contains settings in Metricbeat that are disabled by default. These may include experimental features, changes to behaviors within Metricbeat, or settings that could cause a breaking change. For example a setting that changes information included in events might be inconsistent with the naming pattern expected in your configured Metricbeat output.
+
+To enable any of the settings listed on this page, change the associated `enabled` flag from `false` to `true`.
+
+```yaml
+features:
+  mysetting:
+    enabled: true
+```
+
+
+## Configuration options [_configuration_options_17]
+
+You can specify the following options in the `features` section of the `metricbeat.yml` config file:
+
+
+### `fqdn` [_fqdn]
+
+Contains configuration for the FQDN reporting feature. When this feature is enabled, the fully-qualified domain name for the host is reported in the `host.name` field in events produced by Metricbeat.
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+For FQDN reporting to work as expected, the hostname of the current host must either:
+
+* Have a CNAME entry defined in DNS.
+* Have one of its corresponding IP addresses respond successfully to a reverse DNS lookup.
+
+If neither pre-requisite is satisfied, `host.name` continues to report the hostname of the current host as if the FQDN feature flag were not enabled.
+
+Example configuration:
+
+```yaml
+features:
+  fqdn:
+    enabled: true
+```
+
+
+#### `enabled` [_enabled_11]
+
+Set to `true` to enable the FQDN reporting feature of Metricbeat. Defaults to `false`.
+
diff --git a/docs/reference/metricbeat/configuration-general-options.md b/docs/reference/metricbeat/configuration-general-options.md
new file mode 100644
index 000000000000..88897322033d
--- /dev/null
+++ b/docs/reference/metricbeat/configuration-general-options.md
@@ -0,0 +1,112 @@
+---
+navigation_title: "General settings"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-general-options.html
+---
+
+# Configure general settings [configuration-general-options]
+
+
+You can specify settings in the `metricbeat.yml` config file to control the general behavior of Metricbeat. This includes:
+
+* [Global options](#configuration-global-options) that control things like the maximum random delay to apply to the startup of a metricset.
+* [General options](#configuration-general) that are supported by all Elastic Beats.
+
+
+## Global Metricbeat configuration options [configuration-global-options]
+
+
+### `metricbeat.max_start_delay` [_metricbeat_max_start_delay]
+
+The maximum random delay to apply to the startup of a metricset. Random delays ranging from [0, *max_start_delay*) are applied to reduce the thundering herd effect that can occur if a fleet of machines running Metricbeat are restarted at the same time. Specifying a value of 0 disables the startup delay. The default is 10s.
+
+```yaml
+metricbeat.max_start_delay: 10s
+```
+
+
+### `timeseries.enabled` [_timeseries_enabled]
+
+Setting this to true (false by default) will add a `timeseries.instance` field to all events generated by Metricbeat. For a given metricset, this field will be unique for every single item being monitored.
+
+```yaml
+timeseries.enabled: true
+```
+
+
+## General configuration options [configuration-general]
+
+
+These options are supported by all Elastic Beats. Because they are common options, they are not namespaced.
+
+Here is an example configuration:
+
+```yaml
+name: "my-shipper"
+tags: ["service-X", "web-tier"]
+```
+
+
+### `name` [_name]
+
+The name of the Beat. If this option is empty, the `hostname` of the server is used. The name is included as the `agent.name` field in each published transaction. You can use the name to group all transactions sent by a single Beat.
+
+Example:
+
+```yaml
+name: "my-shipper"
+```
+
+
+### `tags` [_tags_2]
+
+A list of tags that the Beat includes in the `tags` field of each published transaction. Tags make it easy to group servers by different logical properties. For example, if you have a cluster of web servers, you can add the "webservers" tag to the Beat on each server, and then use filters and queries in the Kibana web interface to get visualisations for the whole group of servers.
+
+Example:
+
+```yaml
+tags: ["my-service", "hardware", "test"]
+```
+
+
+### `fields` [libbeat-configuration-fields]
+
+Optional fields that you can specify to add additional information to the output. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true.
+
+Example:
+
+```yaml
+fields: {project: "myproject", instance-id: "574734885120952459"}
+```
+
+
+### `fields_under_root` [_fields_under_root]
+
+If this option is set to true, the custom [fields](#libbeat-configuration-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names, then the custom fields overwrite the other fields.
+
+Example:
+
+```yaml
+fields_under_root: true
+fields:
+  instance_id: i-10a64379
+  region: us-east-1
+```
+
+
+### `processors` [_processors_2]
+
+A list of processors to apply to the data generated by the beat.
+
+See [Processors](/reference/metricbeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+### `max_procs` [_max_procs]
+
+Sets the maximum number of CPUs that can be executing simultaneously. The default is the number of logical CPUs available in the system.
+
+
+### `timestamp.precision` [_timestamp_precision]
+
+Configure the precision of all timestamps. By default it is set to millisecond. Available options: millisecond, microsecond, nanosecond
+
diff --git a/docs/reference/metricbeat/configuration-instrumentation.md b/docs/reference/metricbeat/configuration-instrumentation.md
new file mode 100644
index 000000000000..b4f7dc59b54c
--- /dev/null
+++ b/docs/reference/metricbeat/configuration-instrumentation.md
@@ -0,0 +1,87 @@
+---
+navigation_title: "Instrumentation"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-instrumentation.html
+---
+
+# Configure APM instrumentation [configuration-instrumentation]
+
+
+Libbeat uses the Elastic APM Go Agent to instrument its publishing pipeline. Currently, only the Elasticsearch output is instrumented. To gain insight into the performance of Metricbeat, you can enable this instrumentation and send trace data to the APM Integration.
+
+Example configuration with instrumentation enabled:
+
+```yaml
+instrumentation:
+  enabled: true
+  environment: production
+  hosts:
+    - "http://localhost:8200"
+  api_key: L5ER6FEvjkmlfalBealQ3f3fLqf03fazfOV
+```
+
+
+## Configuration options [_configuration_options_16]
+
+You can specify the following options in the `instrumentation` section of the `metricbeat.yml` config file:
+
+
+### `enabled` [_enabled_10]
+
+Set to `true` to enable instrumentation of Metricbeat. Defaults to `false`.
+
+
+### `environment` [_environment]
+
+Set the environment in which Metricbeat is running, for example, `staging`, `production`, `dev`, etc. Environments can be filtered in the [APM app](docs-content://solutions/observability/apps/overviews.md).
+
+
+### `hosts` [_hosts_4]
+
+The APM integration [host](docs-content://reference/ingestion-tools/observability/apm-settings.md) to report instrumentation data to. Defaults to `http://localhost:8200`.
+
+
+### `api_key` [_api_key_2]
+
+The [API Key](docs-content://reference/ingestion-tools/observability/apm-settings.md) used to secure communication with the APM Integration. If `api_key` is set then `secret_token` will be ignored.
+
+
+### `secret_token` [_secret_token]
+
+The [Secret token](docs-content://reference/ingestion-tools/observability/apm-settings.md) used to secure communication with the APM Integration.
+
+
+### `profiling.cpu.enabled` [_profiling_cpu_enabled]
+
+Set to `true` to enable CPU profiling, where profile samples are recorded as events.
+
+This feature is experimental.
+
+
+### `profiling.cpu.interval` [_profiling_cpu_interval]
+
+Configure the CPU profiling interval. Defaults to `60s`.
+
+This feature is experimental.
+
+
+### `profiling.cpu.duration` [_profiling_cpu_duration]
+
+Configure the CPU profiling duration. Defaults to `10s`.
+
+This feature is experimental.
+
+
+### `profiling.heap.enabled` [_profiling_heap_enabled]
+
+Set to `true` to enable heap profiling.
+
+This feature is experimental.
+
+
+### `profiling.heap.interval` [_profiling_heap_interval]
+
+Configure the heap profiling interval. Defaults to `60s`.
+
+This feature is experimental.
+
diff --git a/docs/reference/metricbeat/configuration-kerberos.md b/docs/reference/metricbeat/configuration-kerberos.md
new file mode 100644
index 000000000000..b260b3e5174d
--- /dev/null
+++ b/docs/reference/metricbeat/configuration-kerberos.md
@@ -0,0 +1,90 @@
+---
+navigation_title: "Kerberos"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-kerberos.html
+---
+
+# Configure Kerberos [configuration-kerberos]
+
+
+You can specify Kerberos options with any output or input that supports Kerberos, like {{es}}.
+
+The following encryption types are supported:
+
+* aes128-cts-hmac-sha1-96
+* aes128-cts-hmac-sha256-128
+* aes256-cts-hmac-sha1-96
+* aes256-cts-hmac-sha384-192
+* des3-cbc-sha1-kd
+* rc4-hmac
+
+Example output config with Kerberos password based authentication:
+
+```yaml
+output.elasticsearch.hosts: ["http://my-elasticsearch.elastic.co:9200"]
+output.elasticsearch.kerberos.auth_type: password
+output.elasticsearch.kerberos.username: "elastic"
+output.elasticsearch.kerberos.password: "changeme"
+output.elasticsearch.kerberos.config_path: "/etc/krb5.conf"
+output.elasticsearch.kerberos.realm: "ELASTIC.CO"
+```
+
+The service principal name for the Elasticsearch instance is contructed from these options. Based on this configuration it is going to be `HTTP/my-elasticsearch.elastic.co@ELASTIC.CO`.
+
+
+## Configuration options [_configuration_options_9]
+
+You can specify the following options in the `kerberos` section of the `metricbeat.yml` config file:
+
+
+### `enabled` [_enabled_9]
+
+The `enabled` setting can be used to enable the kerberos configuration by setting it to `false`. The default value is `true`.
+
+::::{note}
+Kerberos settings are disabled if either `enabled` is set to `false` or the `kerberos` section is missing.
+::::
+
+
+
+### `auth_type` [_auth_type]
+
+There are two options to authenticate with Kerberos KDC: `password` and `keytab`.
+
+`password` expects the principal name and its password. When choosing `keytab`, you have to specify a principal name and a path to a keytab. The keytab must contain the keys of the selected principal. Otherwise, authentication will fail.
+
+
+### `config_path` [_config_path]
+
+You need to set the path to the `krb5.conf`, so Metricbeat can find the Kerberos KDC to retrieve a ticket.
+
+
+### `username` [_username_4]
+
+Name of the principal used to connect to the output.
+
+
+### `password` [_password_5]
+
+If you configured `password` for `auth_type`, you have to provide a password for the selected principal.
+
+
+### `keytab` [_keytab]
+
+If you configured `keytab` for `auth_type`, you have to provide the path to the keytab of the selected principal.
+
+
+### `service_name` [_service_name_2]
+
+This option can only be configured for Kafka. It is the name of the Kafka service, usually `kafka`.
+
+
+### `realm` [_realm]
+
+Name of the realm where the output resides.
+
+
+### `enable_krb5_fast` [_enable_krb5_fast]
+
+Enable Kerberos FAST authentication. This may conflict with some Active Directory installations. The default is `false`.
+
diff --git a/docs/reference/metricbeat/configuration-logging.md b/docs/reference/metricbeat/configuration-logging.md
new file mode 100644
index 000000000000..0a87ca039b5e
--- /dev/null
+++ b/docs/reference/metricbeat/configuration-logging.md
@@ -0,0 +1,253 @@
+---
+navigation_title: "Logging"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-logging.html
+---
+
+# Configure logging [configuration-logging]
+
+
+The `logging` section of the `metricbeat.yml` config file contains options for configuring the logging output. The logging system can write logs to the syslog or rotate log files. If logging is not explicitly configured the file output is used.
+
+```yaml
+logging.level: info
+logging.to_files: true
+logging.files:
+  path: /var/log/metricbeat
+  name: metricbeat
+  keepfiles: 7
+  permissions: 0640
+```
+
+::::{tip}
+In addition to setting logging options in the config file, you can modify the logging output configuration from the command line. See [Command reference](/reference/metricbeat/command-line-options.md).
+::::
+
+
+::::{warning}
+When Metricbeat is running on a Linux system with systemd, it uses by default the `-e` command line option, that makes it write all the logging output to stderr so it can be captured by journald. Other outputs are disabled. See [Metricbeat and systemd](/reference/metricbeat/running-with-systemd.md) to know more and learn how to change this.
+::::
+
+
+
+## Configuration options [_configuration_options_15]
+
+You can specify the following options in the `logging` section of the `metricbeat.yml` config file:
+
+
+### `logging.to_stderr` [_logging_to_stderr]
+
+When true, writes all logging output to standard error output. This is equivalent to using the `-e` command line option.
+
+
+### `logging.to_syslog` [_logging_to_syslog]
+
+When true, writes all logging output to the syslog.
+
+::::{note}
+This option is not supported on Windows.
+::::
+
+
+
+### `logging.to_eventlog` [_logging_to_eventlog]
+
+When true, writes all logging output to the Windows Event Log.
+
+
+### `logging.to_files` [_logging_to_files]
+
+When true, writes all logging output to files. The log files are automatically rotated when the log file size limit is reached.
+
+::::{note}
+Metricbeat only creates a log file if there is logging output. For example, if you set the log [`level`](#level) to `error` and there are no errors, there will be no log file in the directory specified for logs.
+::::
+
+
+
+### `logging.level` [level]
+
+Minimum log level. One of `debug`, `info`, `warning`, or `error`. The default log level is `info`.
+
+`debug`
+:   Logs debug messages, including a detailed printout of all events flushed. Also logs informational messages, warnings, errors, and critical errors. When the log level is `debug`, you can specify a list of [`selectors`](#selectors) to display debug messages for specific components. If no selectors are specified, the `*` selector is used to display debug messages for all components.
+
+`info`
+:   Logs informational messages, including the number of events that are published. Also logs any warnings, errors, or critical errors.
+
+`warning`
+:   Logs warnings, errors, and critical errors.
+
+`error`
+:   Logs errors and critical errors.
+
+
+### `logging.selectors` [selectors]
+
+The list of debugging-only selector tags used by different Metricbeat components. Use `*` to enable debug output for all components. Use `publisher` to display debug messages related to event publishing.
+
+::::{tip}
+The list of available selectors may change between releases, so avoid creating tests that depend on specific selectors.
+
+To see which selectors are available, run Metricbeat in debug mode (set `logging.level: debug` in the configuration). The selector name appears after the log level and is enclosed in brackets.
+
+::::
+
+
+To configure multiple selectors, use the following [YAML list syntax](/reference/libbeat/config-file-format.md):
+
+```yaml
+logging.selectors: [ harvester, input ]
+```
+
+To override selectors at the command line, use the `-d` global flag (`-d` also sets the debug log level). For more information, see [Command reference](/reference/metricbeat/command-line-options.md).
+
+
+### `logging.metrics.enabled` [_logging_metrics_enabled]
+
+By default, Metricbeat periodically logs its internal metrics that have changed in the last period. For each metric that changed, the delta from the value at the beginning of the period is logged. Also, the total values for all non-zero internal metrics are logged on shutdown. Set this to false to disable this behavior. The default is true.
+
+Here is an example log line:
+
+```shell
+2017-12-17T19:17:42.667-0500    INFO    [metrics]       log/log.go:110  Non-zero metrics in the last 30s: beat.info.uptime.ms=30004 beat.memstats.gc_next=5046416
+```
+
+Note that we currently offer no backwards compatible guarantees for the internal metrics and for this reason they are also not documented.
+
+
+### `logging.metrics.period` [_logging_metrics_period]
+
+The period after which to log the internal metrics. The default is 30s.
+
+
+### `logging.metrics.namespaces` [_logging_metrics_namespaces]
+
+A list of metrics namespaces to report in the logs. Defaults to `[stats]`. `stats` contains general Beat metrics. `dataset` and `inputs` may be present in some Beats and contains module or input metrics.
+
+
+### `logging.files.path` [_logging_files_path]
+
+The directory that log files are written to. The default is the logs path. See the [Directory layout](/reference/metricbeat/directory-layout.md) section for details.
+
+
+### `logging.files.name` [_logging_files_name]
+
+The name of the file that logs are written to. The default is *metricbeat*.
+
+
+### `logging.files.rotateeverybytes` [_logging_files_rotateeverybytes]
+
+The maximum size of a log file. If the limit is reached, a new log file is generated. The default size limit is 10485760 (10 MB).
+
+
+### `logging.files.keepfiles` [_logging_files_keepfiles]
+
+The number of most recent rotated log files to keep on disk. Older files are deleted during log rotation. The default value is 7. The `keepfiles` options has to be in the range of 2 to 1024 files.
+
+
+### `logging.files.permissions` [_logging_files_permissions]
+
+The permissions mask to apply when rotating log files. The default value is 0600. The `permissions` option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with *0*.
+
+The most permissive mask allowed is 0640. If a higher permissions mask is specified via this setting, it will be subject to an umask of 0027.
+
+This option is not supported on Windows.
+
+Examples:
+
+* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
+* 0600: give read and write access to the file owner, and no access to all others.
+
+
+### `logging.files.interval` [_logging_files_interval]
+
+Enable log file rotation on time intervals in addition to size-based rotation. Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h are boundary-aligned with minutes, hours, days, weeks, months, and years as reported by the local system clock. All other intervals are calculated from the unix epoch. Defaults to disabled.
+
+
+### `logging.files.rotateonstartup` [_logging_files_rotateonstartup]
+
+If the log file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to true.
+
+
+### `logging.files.redirect_stderr` [preview] [_logging_files_redirect_stderr]
+
+When true, diagnostic messages printed to Metricbeat’s standard error output will also be logged to the log file. This can be helpful in situations were Metricbeat terminates unexpectedly because an error has been detected by Go’s runtime but diagnostic information is not present in the log file. This feature is only available when logging to files (`logging.to_files` is true). Disabled by default.
+
+
+## Logging format [_logging_format]
+
+The logging format is generally the same for each logging output. The one exception is with the syslog output where the timestamp is not included in the message because syslog adds its own timestamp.
+
+Each log message consists of the following parts:
+
+* Timestamp in ISO8601 format
+* Level
+* Logger name contained in brackets (Optional)
+* File name and line number of the caller
+* Message
+* Structured data encoded in JSON (Optional)
+
+Below are some samples:
+
+`2017-12-17T18:54:16.241-0500	INFO	logp/core_test.go:13	unnamed global logger`
+
+`2017-12-17T18:54:16.242-0500	INFO	[example]	logp/core_test.go:16	some message`
+
+`2017-12-17T18:54:16.242-0500	INFO	[example]	logp/core_test.go:19	some message	{"x": 1}`
+
+
+## Configuration options for event_data logger [_configuration_options_for_event_data_logger]
+
+Some outputs will log raw events on errors like indexing errors in the Elasticsearch output, to prevent logging raw events (that may contain sensitive information) together with other log messages, a different log file, only for log entries containing raw events, is used. It will use the same level, selectors and all other configurations from the default logger, but it will have it’s own file configuration.
+
+Having a different log file for raw events also prevents event data from drowning out the regular log files.
+
+::::{important}
+No matter the default logger output configuration, raw events will **always** be logged to a file configured by `logging.event_data.files`.
+::::
+
+
+
+### `logging.event_data.files.path` [_logging_event_data_files_path]
+
+The directory that log files are written to. The default is the logs path. See the [Directory layout](/reference/metricbeat/directory-layout.md) section for details.
+
+
+### `logging.event_data.files.name` [_logging_event_data_files_name]
+
+The name of the file that logs are written to. The default is *metricbeat*-events-data.
+
+
+### `logging.event_data.files.rotateeverybytes` [_logging_event_data_files_rotateeverybytes]
+
+The maximum size of a log file. If the limit is reached, a new log file is generated. The default size limit is 5242880 (5 MB).
+
+
+### `logging.event_data.files.keepfiles` [_logging_event_data_files_keepfiles]
+
+The number of most recent rotated log files to keep on disk. Older files are deleted during log rotation. The default value is 2. The `keepfiles` options has to be in the range of 2 to 1024 files.
+
+
+### `logging.event_data.files.permissions` [_logging_event_data_files_permissions]
+
+The permissions mask to apply when rotating log files. The default value is 0600. The `permissions` option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with *0*.
+
+The most permissive mask allowed is 0640. If a higher permissions mask is specified via this setting, it will be subject to an umask of 0027.
+
+This option is not supported on Windows.
+
+Examples:
+
+* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
+* 0600: give read and write access to the file owner, and no access to all others.
+
+
+### `logging.event_data.files.interval` [_logging_event_data_files_interval]
+
+Enable log file rotation on time intervals in addition to size-based rotation. Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h are boundary-aligned with minutes, hours, days, weeks, months, and years as reported by the local system clock. All other intervals are calculated from the unix epoch. Defaults to disabled.
+
+
+### `logging.event_data.files.rotateonstartup` [_logging_event_data_files_rotateonstartup]
+
+If the log file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to false.
diff --git a/docs/reference/metricbeat/configuration-metricbeat.md b/docs/reference/metricbeat/configuration-metricbeat.md
new file mode 100644
index 000000000000..1fe5ea981765
--- /dev/null
+++ b/docs/reference/metricbeat/configuration-metricbeat.md
@@ -0,0 +1,319 @@
+---
+navigation_title: "Modules"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-metricbeat.html
+---
+
+# Configure modules [configuration-metricbeat]
+
+
+You can configure modules in the `modules.d` directory (recommended), or in the Metricbeat configuration file. Settings for enabled modules in the `modules.d` directory take precedence over module settings in the Metricbeat configuration file.
+
+Before running Metricbeat with modules enabled, make sure you also set up the environment to use {{kib}} dashboards. See [Quick start: installation and configuration](/reference/metricbeat/metricbeat-installation-configuration.md) for more information.
+
+::::{note}
+On systems with POSIX file permissions, all Beats configuration files are subject to ownership and file permission checks. For more information, see [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::
+
+
+
+### Configure modules in the `modules.d` directory [configure-modules-d-configs]
+
+The `modules.d` directory contains default configurations for all the modules available in Metricbeat. To enable or disable specific module configurations under `modules.d`, run the [`modules enable` or `modules disable`](/reference/metricbeat/command-line-options.md#modules-command) command. For example:
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+metricbeat modules enable apache mysql
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+metricbeat modules enable apache mysql
+```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+./metricbeat modules enable apache mysql
+```
+::::::
+
+::::::{tab-item} Linux
+```sh
+./metricbeat modules enable apache mysql
+```
+::::::
+
+::::::{tab-item} Windows
+```sh
+PS > .\metricbeat.exe modules enable apache mysql
+```
+::::::
+
+:::::::
+Then when you run Metricbeat, it loads the corresponding module configurations specified in the `modules.d` directory (for example, `modules.d/apache.yml` and `modules.d/mysql.yml`).
+
+To see a list of enabled and disabled modules, run:
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+metricbeat modules list
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+metricbeat modules list
+```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+./metricbeat modules list
+```
+::::::
+
+::::::{tab-item} Linux
+```sh
+./metricbeat modules list
+```
+::::::
+
+::::::{tab-item} Windows
+```sh
+PS > .\metricbeat.exe modules list
+```
+::::::
+
+:::::::
+To change the default module configurations, modify the `.yml` files in the `modules.d` directory.
+
+The following example shows a basic configuration for the Apache module:
+
+```yaml
+- module: apache
+  metricsets: ["status"]
+  hosts: ["http://127.0.0.1/"]
+  period: 10s
+  fields:
+    dc: west
+  tags: ["tag"]
+  processors:
+  ....
+```
+
+See [Configuration combinations](#config-combos) for additional configuration examples.
+
+
+### Configure modules in the `metricbeat.yml` file [configure-modules-config-file]
+
+When possible, you should use the config files in the `modules.d` directory.
+
+However, configuring [modules](/reference/metricbeat/metricbeat-modules.md) directly in the config file is a practical approach if you have upgraded from a previous version of Metricbeat and don’t want to move your module configs to the `modules.d` directory. You can continue to configure modules in the `metricbeat.yml` file, but you won’t be able to use the `modules` command to enable and disable configurations because the command requires the `modules.d` layout.
+
+To enable specific modules and metricsets in the `metricbeat.yml` config file, add entries to the `metricbeat.modules` list. Each entry in the list begins with a dash (-) and is followed by settings for that module.
+
+::::{tip}
+Check the `modules.d` directory to verify that the modules you’ve specified in `metricbeat.yml` are disabled (filename ends with `.disabled`). If they aren’t, disable them now by running `metricbeat modules disable <modulename>`.
+::::
+
+
+The following example shows a configuration where the `apache` and `mysql` modules are enabled:
+
+```yaml
+metricbeat.modules:
+
+#---------------------------- Apache Status Module ---------------------------
+- module: apache
+  metricsets: ["status"]
+  period: 1s
+  hosts: ["http://127.0.0.1/"]
+
+#---------------------------- MySQL Status Module ----------------------------
+- module: mysql
+  metricsets: ["status"]
+  period: 2s
+  hosts: ["root@tcp(127.0.0.1:3306)/"]
+```
+
+In the following example, the Redis host is crawled for `stats` information every second because this is critical data, but the full list of Apache metricsets is only fetched every 30 seconds because the metrics are less critical.
+
+```yaml
+metricbeat.modules:
+- module: redis
+  metricsets: ["info"]
+  hosts: ["host1"]
+  period: 1s
+- module: apache
+  metricsets: ["info"]
+  hosts: ["host1"]
+  period: 30s
+```
+
+
+## Configuration variants [config-variants]
+
+Every module comes with a default configuration file. Some modules also come with one or more variant configuration files containing common alternative configurations for that module.
+
+When you see the list of enabled and disabled modules, those modules with configuration variants will be shown as `<module_name>-<variant_name>`. You can enable or disable specific configuration variants of a module by specifying `metricbeat modules enable <module_name>-<variant_name>` and `metricbeat modules disable <module_name>-<variant_name>` respectively.
+
+
+## Configuration combinations [config-combos]
+
+You can specify a module configuration that uses different combinations of metricsets, periods, and hosts.
+
+For a module with multiple metricsets defined, it’s possible to define the module twice and specify a different period to use for each metricset. For the following example, the `set1` metricset will be fetched every 10 seconds, while the `set2` metricset will be fetched every 2 minutes:
+
+```yaml
+- module: example
+  metricsets: ["set1"]
+  hosts: ["host1"]
+  period: 10s
+- module: example
+  metricsets: ["set2"]
+  hosts: ["host1"]
+  period: 2m
+```
+
+
+### Standard config options [module-config-options]
+
+You can specify the following options for any Metricbeat module. Some modules require additional configuration settings. See the [Modules](/reference/metricbeat/metricbeat-modules.md) section for more information.
+
+
+#### `module` [_module]
+
+The name of the module to run. For documentation about each module, see the [Modules](/reference/metricbeat/metricbeat-modules.md) section.
+
+
+#### `metricsets` [_metricsets]
+
+A list of metricsets to execute. Make sure that you only list metricsets that are available in the module. It is not possible to reference metricsets from other modules. For a list of available metricsets, see [Modules](/reference/metricbeat/metricbeat-modules.md).
+
+
+#### `enabled` [_enabled]
+
+A Boolean value that specifies whether the module is enabled. If you use the default config file, `metricbeat.yml`, the System module is enabled (set to `enabled: true`) by default. If the `enabled` option is missing from the configuration block, the module is enabled by default.
+
+
+#### `period` [metricset-period]
+
+How often the metricsets are executed. If a system is not reachable, Metricbeat returns an error for each period. This setting is required.
+
+
+#### `hosts` [_hosts]
+
+A list of hosts to fetch information from. For some metricsets, such as the System module, this setting is optional.
+
+
+#### `fields` [_fields]
+
+A dictionary of fields that will be sent with the metricset event. This setting is optional.
+
+
+#### `tags` [_tags]
+
+A list of tags that will be sent with the metricset event. This setting is optional.
+
+
+#### `processors` [_processors]
+
+A list of processors to apply to the data generated by the metricset.
+
+See [Processors](/reference/metricbeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+#### `index` [_index]
+
+If present, this formatted string overrides the index for events from this module (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"metricbeat-myindex-2019.12.13"`.
+
+
+#### `keep_null` [_keep_null]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+#### `service.name` [_service_name]
+
+A name given by the user to the service the data is collected from. It can be used for example to identify information collected from nodes of different clusters with the same `service.type`.
+
+
+### Standard HTTP config options [module-http-config-options]
+
+Modules and metricsets that define the host as an HTTP URL can use the standard schemes for HTTP (`http://` and `https://`) and the following schemes to connect to local pipes:
+
+* `http+unix://` to connect to UNIX sockets.
+* `http+npipe://` to connect to Windows named pipes.
+
+The following options are available for modules and metricsets that define the host as an HTTP URL:
+
+
+#### `username` [_username]
+
+The username to use for basic authentication.
+
+
+#### `password` [_password]
+
+The password to use for basic authentication.
+
+
+#### `connect_timeout` [_connect_timeout]
+
+Total time limit for an HTTP connection to be completed (Default: 2 seconds).
+
+
+#### `timeout` [_timeout]
+
+Total time limit for HTTP requests made by the module (Default: 10 seconds).
+
+
+#### `ssl` [_ssl]
+
+Configuration options for SSL parameters like the certificate authority to use for HTTPS-based connections.
+
+See [SSL](/reference/metricbeat/configuration-ssl.md) for more information.
+
+
+#### `headers` [_headers]
+
+A list of headers to use with the HTTP request. For example:
+
+```yaml
+headers:
+  Cookie: abcdef=123456
+  My-Custom-Header: my-custom-value
+```
+
+
+#### `bearer_token_file` [_bearer_token_file]
+
+If defined, Metricbeat will read the contents of the file once at initialization and then use the value in an HTTP Authorization header.
+
+
+#### `basepath` [_basepath]
+
+An optional base path to be used in HTTP URIs. If defined, Metricbeat will insert this value as the first segment in the HTTP URI path.
+
+
+#### `query` [_query]
+
+An optional value to pass common query params in YAML. Instead of setting the query params within hosts values using the syntax `?key=value&key2&value2`, you can set it here like this:
+
+```yaml
+query:
+  key: value
+  key2: value2
+  list:
+  - 1.1
+  - 2.95
+  - -15
+```
+
diff --git a/docs/reference/metricbeat/configuration-monitor.md b/docs/reference/metricbeat/configuration-monitor.md
new file mode 100644
index 000000000000..54399daa1898
--- /dev/null
+++ b/docs/reference/metricbeat/configuration-monitor.md
@@ -0,0 +1,113 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-monitor.html
+---
+
+# Settings for internal collection [configuration-monitor]
+
+Use the following settings to configure internal collection when you are not using {{metricbeat}} to collect monitoring data.
+
+You specify these settings in the X-Pack monitoring section of the `metricbeat.yml` config file:
+
+## `monitoring.enabled` [_monitoring_enabled]
+
+The `monitoring.enabled` config is a boolean setting to enable or disable {{monitoring}}. If set to `true`, monitoring is enabled.
+
+The default value is `false`.
+
+
+## `monitoring.elasticsearch` [_monitoring_elasticsearch]
+
+The {{es}} instances that you want to ship your Metricbeat metrics to. This configuration option contains the following fields:
+
+
+## `monitoring.cluster_uuid` [_monitoring_cluster_uuid]
+
+The `monitoring.cluster_uuid` config identifies the {{es}} cluster under which the monitoring data will appear in the Stack Monitoring UI.
+
+### `api_key` [_api_key_3]
+
+The detail of the API key to be used to send monitoring information to {{es}}. See [*Grant access using API keys*](/reference/metricbeat/beats-api-keys.md) for more information.
+
+
+### `bulk_max_size` [_bulk_max_size_5]
+
+The maximum number of metrics to bulk in a single {{es}} bulk API index request. The default is `50`. For more information, see [Elasticsearch](/reference/metricbeat/elasticsearch-output.md).
+
+
+### `backoff.init` [_backoff_init_4]
+
+The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting `backoff.init` seconds, Metricbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_4]
+
+The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. The default is 60s.
+
+
+### `compression_level` [_compression_level_3]
+
+The gzip compression level. Setting this value to `0` disables compression. The compression level must be in the range of `1` (best speed) to `9` (best compression). The default value is `0`. Increasing the compression level reduces the network usage but increases the CPU usage.
+
+
+### `headers` [_headers_4]
+
+Custom HTTP headers to add to each request. For more information, see [Elasticsearch](/reference/metricbeat/elasticsearch-output.md).
+
+
+### `hosts` [_hosts_5]
+
+The list of {{es}} nodes to connect to. Monitoring metrics are distributed to these nodes in round robin order. For more information, see [Elasticsearch](/reference/metricbeat/elasticsearch-output.md).
+
+
+### `max_retries` [_max_retries_5]
+
+The number of times to retry sending the monitoring metrics after a failure. After the specified number of retries, the metrics are typically dropped. The default value is `3`. For more information, see [Elasticsearch](/reference/metricbeat/elasticsearch-output.md).
+
+
+### `parameters` [_parameters_2]
+
+Dictionary of HTTP parameters to pass within the url with index operations.
+
+
+### `password` [_password_6]
+
+The password that Metricbeat uses to authenticate with the {{es}} instances for shipping monitoring data.
+
+
+### `metrics.period` [_metrics_period]
+
+The time interval (in seconds) when metrics are sent to the {{es}} cluster. A new snapshot of Metricbeat metrics is generated and scheduled for publishing each period. The default value is 10 * time.Second.
+
+
+### `state.period` [_state_period]
+
+The time interval (in seconds) when state information are sent to the {{es}} cluster. A new snapshot of Metricbeat state is generated and scheduled for publishing each period. The default value is 60 * time.Second.
+
+
+### `protocol` [_protocol]
+
+The name of the protocol to use when connecting to the {{es}} cluster. The options are: `http` or `https`. The default is `http`. If you specify a URL for `hosts`, however, the value of protocol is overridden by the scheme you specify in the URL.
+
+
+### `proxy_url` [_proxy_url_4]
+
+The URL of the proxy to use when connecting to the {{es}} cluster. For more information, see [Elasticsearch](/reference/metricbeat/elasticsearch-output.md).
+
+
+### `timeout` [_timeout_6]
+
+The HTTP request timeout in seconds for the {{es}} request. The default is `90`.
+
+
+### `ssl` [_ssl_9]
+
+Configuration options for Transport Layer Security (TLS) or Secure Sockets Layer (SSL) parameters like the certificate authority (CA) to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to {{es}}. For more information, see [SSL](/reference/metricbeat/configuration-ssl.md).
+
+
+### `username` [_username_5]
+
+The user ID that Metricbeat uses to authenticate with the {{es}} instances for shipping monitoring data.
+
+
+
diff --git a/docs/reference/metricbeat/configuration-output-codec.md b/docs/reference/metricbeat/configuration-output-codec.md
new file mode 100644
index 000000000000..e0117af0b7a7
--- /dev/null
+++ b/docs/reference/metricbeat/configuration-output-codec.md
@@ -0,0 +1,32 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-output-codec.html
+---
+
+# Change the output codec [configuration-output-codec]
+
+For outputs that do not require a specific encoding, you can change the encoding by using the codec configuration. You can specify either the `json` or `format` codec. By default the `json` codec is used.
+
+**`json.pretty`**: If `pretty` is set to true, events will be nicely formatted. The default is false.
+
+**`json.escape_html`**: If `escape_html` is set to true, html symbols will be escaped in strings. The default is false.
+
+Example configuration that uses the `json` codec with pretty printing enabled to write events to the console:
+
+```yaml
+output.console:
+  codec.json:
+    pretty: true
+    escape_html: false
+```
+
+**`format.string`**: Configurable format string used to create a custom formatted message.
+
+Example configurable that uses the `format` codec to print the events timestamp and message field to console:
+
+```yaml
+output.console:
+  codec.format:
+    string: '%{[@timestamp]} %{[message]}'
+```
+
diff --git a/docs/reference/metricbeat/configuration-path.md b/docs/reference/metricbeat/configuration-path.md
new file mode 100644
index 000000000000..0a0a1a0cf79c
--- /dev/null
+++ b/docs/reference/metricbeat/configuration-path.md
@@ -0,0 +1,91 @@
+---
+navigation_title: "Project paths"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-path.html
+---
+
+# Configure project paths [configuration-path]
+
+
+The `path` section of the `metricbeat.yml` config file contains configuration options that define where Metricbeat looks for its files. For example, Metricbeat looks for the Elasticsearch template file in the configuration path and writes log files in the logs path.
+
+Please see the [Directory layout](/reference/metricbeat/directory-layout.md) section for more details.
+
+Here is an example configuration:
+
+```yaml
+path.home: /usr/share/beat
+path.config: /etc/beat
+path.data: /var/lib/beat
+path.logs: /var/log/
+```
+
+Note that it is possible to override these options by using command line flags.
+
+
+## Configuration options [_configuration_options]
+
+You can specify the following options in the `path` section of the `metricbeat.yml` config file:
+
+
+### `home` [_home]
+
+The home path for the Metricbeat installation. This is the default base path for all other path settings and for miscellaneous files that come with the distribution (for example, the sample dashboards). If not set by a CLI flag or in the configuration file, the default for the home path is the location of the Metricbeat binary.
+
+Example:
+
+```yaml
+path.home: /usr/share/beats
+```
+
+
+### `config` [_config]
+
+The configuration path for the Metricbeat installation. This is the default base path for configuration files, including the main YAML configuration file and the Elasticsearch template file. If not set by a CLI flag or in the configuration file, the default for the configuration path is the home path.
+
+Example:
+
+```yaml
+path.config: /usr/share/beats/config
+```
+
+
+### `data` [_data]
+
+The data path for the Metricbeat installation. This is the default base path for all the files in which Metricbeat needs to store its data. If not set by a CLI flag or in the configuration file, the default for the data path is a `data` subdirectory inside the home path.
+
+Example:
+
+```yaml
+path.data: /var/lib/beats
+```
+
+::::{tip}
+When running multiple Metricbeat instances on the same host, make sure they each have a distinct `path.data` value.
+::::
+
+
+
+### `logs` [_logs]
+
+The logs path for a Metricbeat installation. This is the default location for Metricbeat’s log files. If not set by a CLI flag or in the configuration file, the default for the logs path is a `logs` subdirectory inside the home path.
+
+Example:
+
+```yaml
+path.logs: /var/log/beats
+```
+
+
+### `system.hostfs` [_system_hostfs]
+
+Specifies the mount point of the host’s filesystem for use in monitoring a host. This can either be set in the config, or with the `--system.hostfs` CLI flag. This is used for cgroup self-monitoring.
+
+This is also used by the system module to read files from `/proc` and `/sys`. This option is deprecated and will be removed in a future release. To set the filesystem root, use the `hostfs` flag inside the module-level config.
+
+Example:
+
+```yaml
+system.hostfs: /mount/rootfs
+```
+
diff --git a/docs/reference/metricbeat/configuration-ssl.md b/docs/reference/metricbeat/configuration-ssl.md
new file mode 100644
index 000000000000..77ef29faad9d
--- /dev/null
+++ b/docs/reference/metricbeat/configuration-ssl.md
@@ -0,0 +1,501 @@
+---
+navigation_title: "SSL"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-ssl.html
+---
+
+# Configure SSL [configuration-ssl]
+
+
+You can specify SSL options when you configure:
+
+* [outputs](/reference/metricbeat/configuring-output.md) that support SSL
+* the [Kibana endpoint](/reference/metricbeat/setup-kibana-endpoint.md)
+* [modules](/reference/metricbeat/metricbeat-modules.md) that define the host as an HTTP URL
+
+Example output config with SSL enabled:
+
+```yaml
+output.elasticsearch.hosts: ["https://192.168.1.42:9200"]
+output.elasticsearch.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+output.elasticsearch.ssl.certificate: "/etc/client/cert.pem"
+output.elasticsearch.ssl.key: "/etc/client/cert.key"
+```
+
+Also see [*Secure communication with Logstash*](/reference/metricbeat/configuring-ssl-logstash.md).
+
+Example Kibana endpoint config with SSL enabled:
+
+```yaml
+setup.kibana.host: "https://192.0.2.255:5601"
+setup.kibana.ssl.enabled: true
+setup.kibana.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+setup.kibana.ssl.certificate: "/etc/client/cert.pem"
+setup.kibana.ssl.key: "/etc/client/cert.key"
+```
+
+Example module with SSL enabled:
+
+```yaml
+- module: http
+  namespace: "myservice"
+  enabled: true
+  period: 10s
+  hosts: ["https://localhost"]
+  path: "/stats"
+  headers:
+    Authorization: "Bearer test123"
+  ssl.verification_mode: "none"
+```
+
+There are a number of SSL configuration options available to you:
+
+* [Common configuration options](#ssl-common-config)
+* [Client configuration options](#ssl-client-config)
+* [Server configuration options](#ssl-server-config)
+
+
+## Common configuration options [ssl-common-config]
+
+Common SSL configuration options can be used in both client and server configurations. You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `enabled` [enabled]
+
+To disable SSL configuration, set the value to `false`. The default value is `true`.
+
+::::{note}
+SSL settings are disabled if either `enabled` is set to `false` or the `ssl` section is missing.
+
+::::
+
+
+
+### `supported_protocols` [supported-protocols]
+
+List of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions not configured, the connection will be dropped during or after the handshake. The setting is a list of allowed protocol versions: `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.
+
+The default value is `[TLSv1.2, TLSv1.3]`.
+
+
+### `cipher_suites` [cipher-suites]
+
+The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s [default suites](https://golang.org/pkg/crypto/tls/) are used (recommended).
+
+Note that if TLS 1.3 is enabled (which is true by default), then the default TLS 1.3 cipher suites are always included, because Go’s standard library adds them to all connections. In order to exclude the default TLS 1.3 ciphers, TLS 1.3 must also be disabled, e.g. with the setting `ssl.supported_protocols = [TLSv1.2]`.
+
+The following cipher suites are available:
+
+| Cypher | Notes |
+| --- | --- |
+| ECDHE-ECDSA-AES-128-CBC-SHA |  |
+| ECDHE-ECDSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| ECDHE-ECDSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| ECDHE-ECDSA-AES-256-CBC-SHA |  |
+| ECDHE-ECDSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS 1.2 only. |
+| ECDHE-ECDSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+| ECDHE-RSA-3DES-CBC3-SHA |  |
+| ECDHE-RSA-AES-128-CBC-SHA |  |
+| ECDHE-RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| ECDHE-RSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| ECDHE-RSA-AES-256-CBC-SHA |  |
+| ECDHE-RSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| ECDHE-RSA-CHACHA20-POLY1205 | TLS 1.2 only. |
+| ECDHE-RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+| RSA-3DES-CBC3-SHA |  |
+| RSA-AES-128-CBC-SHA |  |
+| RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| RSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| RSA-AES-256-CBC-SHA |  |
+| RSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+
+Here is a list of acronyms used in defining the cipher suites:
+
+* 3DES: Cipher suites using triple DES
+* AES-128/256: Cipher suites using AES with 128/256-bit keys.
+* CBC: Cipher using Cipher Block Chaining as block cipher mode.
+* ECDHE: Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange.
+* ECDSA: Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication.
+* GCM: Galois/Counter mode is used for symmetric key cryptography.
+* RC4: Cipher suites using RC4.
+* RSA: Cipher suites using RSA.
+* SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384.
+
+
+### `curve_types` [curve-types]
+
+The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).
+
+The following elliptic curve types are available:
+
+* P-256
+* P-384
+* P-521
+* X25519
+
+
+### `ca_sha256` [ca-sha256]
+
+This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain.
+
+The pin is a base64 encoded string of the SHA-256 of the certificate.
+
+::::{note}
+This check is not a replacement for the normal SSL validation, but it adds additional validation. If this option is used with  `verification_mode` set to `none`, the check will always fail because it will not receive any verified chains.
+::::
+
+
+
+## Client configuration options [ssl-client-config]
+
+You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `certificate_authorities` [client-certificate-authorities]
+
+The list of root certificates for verifications is required. If `certificate_authorities` is empty or not set, the system keystore is used. If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well.
+
+By default you can specify a list of files that `metricbeat` will read, but you can also embed a certificate directly in the `YAML` configuration:
+
+```yaml
+certificate_authorities:
+  - |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `certificate: "/etc/client/cert.pem"` [client-certificate]
+
+The path to the certificate for SSL client authentication is only required if `client_authentication` is specified. If the certificate is not specified, client authentication is not available. The connection might fail if the server requests client authentication. If the SSL server does not require client authentication, the certificate will be loaded, but not requested or used by the server.
+
+When this option is configured, the [`key`](#client-key) option is also required. The certificate option support embedding of the certificate:
+
+```yaml
+certificate: |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `key: "/etc/client/cert.key"` [client-key]
+
+The client certificate key used for client authentication and is only required if `client_authentication` is configured. The key option support embedding of the private key:
+
+```yaml
+key: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
+    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
+    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
+    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
+    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
+    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
+    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
+    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
+    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
+    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
+    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
+    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
+    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
+    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
+    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
+    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
+    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
+    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
+    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
+    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
+    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
+    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
+    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
+    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
+    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
+    nygO9KTJuUiBrLr0AHEnqko=
+    -----END PRIVATE KEY-----
+```
+
+
+### `key_passphrase` [client-key-passphrase]
+
+The passphrase used to decrypt an encrypted key stored in the configured `key` file.
+
+
+### `verification_mode` [client-verification-mode]
+
+Controls the verification of server certificates. Valid values are:
+
+`full`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
+
+`strict`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.
+
+`certificate`
+:   Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
+
+`none`
+:   Performs *no verification* of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.
+
+    The default value is `full`.
+
+
+
+### `ca_trusted_fingerprint` [ca_trusted_fingerprint]
+
+A HEX encoded SHA-256 of a CA certificate. If this certificate is present in the chain during the handshake, it will be added to the `certificate_authorities` list and the handshake will continue normaly.
+
+To get the fingerprint from a CA certificate on a Unix-like system, you can use the following command, where `ca.crt` is the certificate.
+
+```
+openssl x509 -fingerprint -sha256 -noout -in ./ca.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'
+```
+
+
+## Server configuration options [ssl-server-config]
+
+You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `certificate_authorities` [server-certificate-authorities]
+
+The list of root certificates for client verifications is only required if `client_authentication` is configured. If `certificate_authorities` is empty or not set, and `client_authentication` is configured, the system keystore is used.
+
+If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well. By default you can specify a list of files that `metricbeat` will read, but you can also embed a certificate directly in the `YAML` configuration:
+
+```yaml
+certificate_authorities:
+  - |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `certificate: "/etc/server/cert.pem"` [server-certificate]
+
+The end-entity (leaf) certificate that the server uses to identify itself. If the certificate is signed by a certificate authority (CA), then it should include intermediate CA certificates, sorted from leaf to root. For servers, a `certificate` and [`key`](#server-key) must be specified.
+
+The certificate option supports embedding of the PEM certificate content. This example contains the leaf certificate followed by issuer’s certificate.
+
+```yaml
+certificate: |
+  -----BEGIN CERTIFICATE-----
+  MIIF2jCCA8KgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEW
+  MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8g
+  UmVhbDEOMAwGA1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwHhcNMjMxMDMw
+  MTkyMzU4WhcNMjMxMDMxMTkyMzU4WjB2MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMN
+  U2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8gUmVhbDEOMAwG
+  A1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMxDzANBgNVBAMTBnNlcnZlcjCC
+  AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALW37cart7l0KE3LCStFbiGm
+  Rr/QSkuPv+Y+SXFT4zXrMFP3mOfUCVsR4lugv+jmql9qjbwR9jKsgKXA1kSvNXSZ
+  lLYWRcNnQ+QzwKxJf/jy246nSfqb2FKvVMs580lDwKHHxn/FSpHV93O4Goy5cLfF
+  ACE7BSdJdxl5DVAMmmkzd6gBGgN8dQIbcyJYuIZYQt44PqSYh/BomTyOXKrmvX4y
+  t7/pF+ldJjWZq/6SfCq6WE0jSrpI1P/42Qd9h5Tsnl6qsUGA2Tz5ZqKz2cyxaIlK
+  wL9tYDionfFIl+jZcxkGPF2a14O1TycCI0B/z+0VL+HR/8fKAB0NdP+QRLaPWOrn
+  DvraAO+bVKC6VrQyUYNUOwtd2gMUqm6Hzrf4s3wjP754eSJkvnSoSAB6l7ZmJKe5
+  Pz5oDDOVPwKHv/MrhsCSMNFeXSEO+rq9TtYEAFQI5rFGHlURga8kA1T1pirHyEtS
+  2o8GUSPSHVulaPdFnHg4xfTexfRYLCqya75ISJuY2/+2GblCie/re1GFitZCZ46/
+  xiQQDOjgL96soDVZ+cTtMpXanslgDapTts9LPIJTd9FUJCY1omISGiSjABRuTlCV
+  8054ja4BKVahSd5BqqtVkWyV64SCut6kce2ndwBkyFvlZ6cteLCW7KtzYvba4XBb
+  YIAs+H+9e/bZUVhws5mFAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgeAMB0GA1Ud
+  JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAOBgNVHQ4EBwQFAQIDBAUwPwYDVR0R
+  BDgwNoIJbG9jYWxob3N0ghFiZWF0cy5leGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAA
+  AAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAgEAldSZOUi+OUR46ERQuINl1oED
+  mjNsQ9FNP/RDu8mPJaNb5v2sAbcpuZb9YdnScT+d+n0+LMd5uz2g67Qr73QCpXwL
+  9YJIs56i7qMTKXlVvRQrvF9P/zP3sm5Zfd2I/x+8oXgEeYsxAWipJ8RsbnN1dtu8
+  C4l+P0E58jjrjom11W90RiHYaT0SI2PPBTTRhYLz0HayThPZDMdFnIQqVxUYbQD5
+  ybWu77hnsvC/g2C8/N2LAdQGJJ67owMa5T3YRneiaSvvOf3I45oeLE+olGAPdrSq
+  5Sp0G7fcAKMRPxcwYeD7V5lfYMtb+RzECpYAHT8zHKLZl6/34q2k8P8EWEpAsD80
+  +zSbCkdvNiU5lU90rV8E2baTKCg871k4O8sT48eUyDps6ZUCfT1dgefXeyOTV5bY
+  864Zo6bWJhAJ7Qa2d4HJkqPzSbqsosHVobojgkOcMqkStLHd8sgtCoFmJMflbp7E
+  ghawl/RVFEkL9+TWy9fR8sJWRx13P8CUP6AL9kVmcU2c3gMNpvQfIii9QOnQrRsi
+  yZj9FKl+ZM49I6RQ6dY5JVgWtpVm/+GBVuy1Aj91JEjw7r1jAeir5K9LAXG8kEN9
+  irndx1SK2MMTY79lGHFGQRv3vnQGI0Wzjtn31YJ7qIFNJ1WWbAZLR9FBtzmMeXM6
+  puoJ9UYvfIcHUGPdZGU=
+  -----END CERTIFICATE-----
+  -----BEGIN CERTIFICATE-----
+  MIIFpjCCA46gAwIBAgIBATANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEW
+  MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8g
+  UmVhbDEOMAwGA1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwHhcNMjMxMDMw
+  MTkyMzU2WhcNMjMxMDMxMTkyMzU2WjBlMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMN
+  U2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8gUmVhbDEOMAwG
+  A1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwggIiMA0GCSqGSIb3DQEBAQUA
+  A4ICDwAwggIKAoICAQDQP3hJt4jTIo+tBXB/R4RuBTvv6OOago9joxlNDm0abseJ
+  ehE0V8FDi0SSpa7ZiqwCGq/deu5OIWVNpFCLHeH5YBriNmB7oPkNRCleu50JsUrG
+  RjSTtBIJcu/CVpD7Q5XMbhbhYcPArrxrSreo3ox8a+2X7b8nA1xPgIcWqSCgs9iV
+  lwKHaQWNTUXYwwZG7b9WG4EJaki6t1+1QbDDJU0oWrZNg23wQEBvEVRDQs7kadvm
+  9YtZLPULlSyV4Rk3yNW8dPXHjcz2wp3PBPIWIQe9mzYU608307TkUMVN2EEOImxl
+  Wm1RtXYvvVb1LiY0C2lYbN3jLZQzffK5RsS87ocqTQM+HvDBv/PupHDvW08wietu
+  RtRbdx/2cN0GLmOHnkWKx+GlYDZfAtIj958fTKl2hHyNqJ1pE7vksSYBwBxMFQem
+  eSGzw5pO53kmPcZO203YQ2qoJd7z1aLf7eAOqDn5zwlYNc00bZ6DwTZsyptGv9sZ
+  zcZuovppPgCN4f1I9ja/NPKep+sVKfQqR5HuOFOPFcr6oOioESJSgIvXXF9RhCVh
+  UMeZKWWSCNm1ea4h6q8OJdQfM7XXkXm+dEyF0TogC00CidZWuYMZcgXND5p/1Di5
+  PkCKPUMllCoK0oaTfFioNW7qtNbDGQrW+spwDa4kjJNKYtDD0jjPgFMgSzQ2MwID
+  AQABo2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG
+  AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFImOXc9Tv+mgn9jOsPig
+  9vlAUTa+MA0GCSqGSIb3DQEBCwUAA4ICAQBZ9tqU88Nmgf+vDgkKMKLmLMaRCRlV
+  HcYrm7WoWLX+q6VSbmvf5eD5OrzzbAnnp16iXap8ivsAEFTo8XWh/bjl7G/2jetR
+  xZD2WHtzmAg3s4SVsEHIyFUF1ERwnjO2ndHjoIsx8ktUk1aNrmgPI6s07fkULDm+
+  2aXyBSZ9/oimZM/s3IqYJecxwE+yyS+FiS6mSDCCVIyQXdtVAbFHegyiBYv8EbwF
+  Xz70QiqQtxotGlfts/3uN1s+xnEoWz5E6S5DQn4xQh0xiKSXPizMXou9xKzypeSW
+  qtNdwtg62jKWDaVriBfrvoCnyjjCIjmcTcvA2VLmeZShyTuIucd0lkg2NKIGeM7I
+  o33hmdiKaop1fVtj8zqXvCRa3ecmlvcxPKX0otVFORFNOfaPjH/CjW0CnP0LByGK
+  YW19w0ncJZa9cc1SlNL28lnBhW+i1+ViR02wtjabH9XO+mtxuaEPDZ1hLhhjktqI
+  Y2oFUso4C5xiTU/hrH8+cFv0dn/+zyQoLfJEQbUX9biFeytt7T4Yynwhdy7jryqH
+  fdy/QM26YnsE8D7l4mv99z+zII0IRGnQOuLTuNAIyGJUf69hCDubZFDeHV/IB9hU
+  6GA6lBpsJlTDgfJLbtKuAHxdn1DO+uGg0GxgwggH6Vh9x9yQK2E6BaepJisL/zNB
+  RQQmEyTn1hn/eA==
+  -----END CERTIFICATE-----
+```
+
+
+### `key: "/etc/server/cert.key"` [server-key]
+
+The server certificate key used for authentication is required. The key option supports embedding of the private key:
+
+```yaml
+key: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
+    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
+    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
+    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
+    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
+    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
+    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
+    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
+    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
+    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
+    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
+    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
+    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
+    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
+    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
+    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
+    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
+    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
+    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
+    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
+    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
+    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
+    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
+    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
+    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
+    nygO9KTJuUiBrLr0AHEnqko=
+    -----END PRIVATE KEY-----
+```
+
+
+### `key_passphrase` [server-key-passphrase]
+
+The passphrase is used to decrypt an encrypted key stored in the configured `key` file.
+
+
+### `verification_mode` [server-verification-mode]
+
+Controls the verification of client certificates. Valid values are:
+
+`full`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
+
+`strict`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.
+
+`certificate`
+:   Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
+
+`none`
+:   Performs *no verification* of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.
+
+    The default value is `full`.
+
+
+
+### `renegotiation` [server-renegotiation]
+
+This configures what types of TLS renegotiation are supported. The valid options are:
+
+`never`
+:   Disables renegotiation.
+
+`once`
+:   Allows a remote server to request renegotiation once per connection.
+
+`freely`
+:   Allows a remote server to request renegotiation repeatedly.
+
+    The default value is `never`.
+
+
+
+### `restart_on_cert_change.enabled` [exit_on_cert_change_enabled]
+
+If set to `true` Metricbeat will restart if any file listed by `key`, `certificate`, or `certificate_authorities` is modified.
+
+::::{note}
+This feature is NOT supported on Windows. The default value is `false`.
+::::
+
+
+::::{note}
+This feature requres the `execve` system call to be enabled. If you have a custom seccomp policy in place, make sure to allow for `execve`.
+::::
+
+
+
+### `restart_on_cert_change.period` [restart_on_cert_change_period]
+
+Specifies how often the files are checked for changes. Do not set the period to less than 1s because the modification time of files is often stored in seconds. Setting the period to less than 1s will result in validation error and Metricbeat will not start. The default value is 1m.
+
diff --git a/docs/reference/metricbeat/configuration-template.md b/docs/reference/metricbeat/configuration-template.md
new file mode 100644
index 000000000000..1503baf33d0a
--- /dev/null
+++ b/docs/reference/metricbeat/configuration-template.md
@@ -0,0 +1,112 @@
+---
+navigation_title: "Elasticsearch index template"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-template.html
+---
+
+# Configure Elasticsearch index template loading [configuration-template]
+
+
+The `setup.template` section of the `metricbeat.yml` config file specifies the [index template](docs-content://manage-data/data-store/templates.md) to use for setting mappings in Elasticsearch. If template loading is enabled (the default), Metricbeat loads the index template automatically after successfully connecting to Elasticsearch.
+
+::::{note}
+A connection to Elasticsearch is required to load the index template. If the configured output is not Elasticsearch (or {{ess}}), you must [load the template manually](/reference/metricbeat/metricbeat-template.md#load-template-manually).
+::::
+
+
+You can adjust the following settings to load your own template or overwrite an existing one.
+
+**`setup.template.enabled`**
+:   Set to false to disable template loading. If this is set to false, you must [load the template manually](/reference/metricbeat/metricbeat-template.md#load-template-manually).
+
+**`setup.template.name`**
+:   The name of the template. The default is `metricbeat`. The Metricbeat version is always appended to the given name, so the final name is `metricbeat-%{[agent.version]}`.
+
+**`setup.template.pattern`**
+:   The template pattern to apply to the default index settings. The default pattern is `metricbeat`. The Metricbeat version is always included in the pattern, so the final pattern is `metricbeat-%{[agent.version]}`.
+
+    Example:
+
+    ```yaml
+    setup.template.name: "metricbeat"
+    setup.template.pattern: "metricbeat"
+    ```
+
+
+**`setup.template.fields`**
+:   The path to the YAML file describing the fields. The default is `fields.yml`. If a relative path is set, it is considered relative to the config path. See the [Directory layout](/reference/metricbeat/directory-layout.md) section for details.
+
+**`setup.template.overwrite`**
+:   A boolean that specifies whether to overwrite the existing template. The default is false. Do not enable this option if you start more than one instance of Metricbeat at the same time. It can overload {{es}} by sending too many template update requests.
+
+**`setup.template.settings`**
+:   A dictionary of settings to place into the `settings.index` dictionary of the Elasticsearch template. For more details about the available Elasticsearch mapping options, please see the Elasticsearch [mapping reference](docs-content://manage-data/data-store/mapping.md).
+
+    Example:
+
+    ```yaml
+    setup.template.name: "metricbeat"
+    setup.template.fields: "fields.yml"
+    setup.template.overwrite: false
+    setup.template.settings:
+      index.number_of_shards: 1
+      index.number_of_replicas: 1
+    ```
+
+
+**`setup.template.settings._source`**
+:   A dictionary of settings for the `_source` field. For the available settings, please see the Elasticsearch [reference](elasticsearch://reference/elasticsearch/mapping-reference/mapping-source-field.md).
+
+    Example:
+
+    ```yaml
+    setup.template.name: "metricbeat"
+    setup.template.fields: "fields.yml"
+    setup.template.overwrite: false
+    setup.template.settings:
+      _source.enabled: false
+    ```
+
+
+**`setup.template.append_fields`**
+:   A list of fields to be added to the template and {{kib}} index pattern. This setting adds new fields. It does not overwrite or change existing fields.
+
+    This setting is useful when your data contains fields that Metricbeat doesn’t know about in advance. For example, you might want to append fields to the template when you’re using a metricset, such as the [HTTP json metricset](/reference/metricbeat/metricbeat-metricset-http-json.md), and the full data structure is not known in advance.
+
+    If `append_fields` is specified along with `overwrite: true`, Metricbeat overwrites the existing template and applies the new template when creating new indices. Existing indices are not affected. If you’re running multiple instances of Metricbeat with different `append_fields` settings, the last one writing the template takes precedence.
+
+    Any changes to this setting also affect the {{kib}} index pattern.
+
+    Example config:
+
+    ```yaml
+    setup.template.overwrite: true
+    setup.template.append_fields:
+    - name: test.name
+      type: keyword
+    - name: test.hostname
+      type: long
+    ```
+
+
+**`setup.template.json.enabled`**
+:   Set to `true` to load a JSON-based template file. Specify the path to your {{es}} index template file and set the name of the template.
+
+    ```yaml
+    setup.template.json.enabled: true
+    setup.template.json.path: "template.json"
+    setup.template.json.name: "template-name"
+    setup.template.json.data_stream: false
+    ```
+
+
+::::{note}
+If the JSON template is used, the `fields.yml` is skipped for the template generation.
+::::
+
+
+::::{note}
+If the JSON template is a data stream, set `setup.template.json.data_stream`.
+::::
+
+
diff --git a/docs/reference/metricbeat/configure-cloud-id.md b/docs/reference/metricbeat/configure-cloud-id.md
new file mode 100644
index 000000000000..4892a37a2d5e
--- /dev/null
+++ b/docs/reference/metricbeat/configure-cloud-id.md
@@ -0,0 +1,34 @@
+---
+navigation_title: "{{ess}}"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configure-cloud-id.html
+---
+
+# Configure the output for {{ess}} on {{ecloud}} [configure-cloud-id]
+
+
+Metricbeat comes with two settings that simplify the output configuration when used together with [{{ess}}](https://www.elastic.co/cloud/elasticsearch-service?page=docs&placement=docs-body). When defined, these setting overwrite settings from other parts in the configuration.
+
+Example:
+
+```yaml
+cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
+cloud.auth: "elastic:{pwd}"
+```
+
+These settings can be also specified at the command line, like this:
+
+```sh
+metricbeat -e -E cloud.id="<cloud-id>" -E cloud.auth="<cloud.auth>"
+```
+
+## `cloud.id` [_cloud_id]
+
+The Cloud ID, which can be found in the {{ess}} web console, is used by Metricbeat to resolve the {{es}} and {{kib}} URLs. This setting overwrites the `output.elasticsearch.hosts` and `setup.kibana.host` settings. For more on locating and configuring the Cloud ID, see [Configure Beats and Logstash with Cloud ID](docs-content://deploy-manage/deploy/cloud-enterprise/find-cloud-id.md).
+
+
+## `cloud.auth` [_cloud_auth]
+
+When specified, the `cloud.auth` overwrites the `output.elasticsearch.username` and `output.elasticsearch.password` settings. Because the Kibana settings inherit the username and password from the {{es}} output, this can also be used to set the `setup.kibana.username` and `setup.kibana.password` options.
+
+
diff --git a/docs/reference/metricbeat/configuring-howto-metricbeat.md b/docs/reference/metricbeat/configuring-howto-metricbeat.md
new file mode 100644
index 000000000000..785ba51999da
--- /dev/null
+++ b/docs/reference/metricbeat/configuring-howto-metricbeat.md
@@ -0,0 +1,45 @@
+---
+navigation_title: "Configure"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuring-howto-metricbeat.html
+---
+
+# Configure Metricbeat [configuring-howto-metricbeat]
+
+
+::::{tip}
+To get started quickly, read [Quick start: installation and configuration](/reference/metricbeat/metricbeat-installation-configuration.md).
+::::
+
+
+To configure Metricbeat, edit the configuration file. The default configuration file is called  `metricbeat.yml`. The location of the file varies by platform. To locate the file, see [Directory layout](/reference/metricbeat/directory-layout.md).
+
+There’s also a full example configuration file called `metricbeat.reference.yml` that shows all non-deprecated options.
+
+::::{tip}
+See the [Config File Format](/reference/libbeat/config-file-format.md) for more about the structure of the config file.
+::::
+
+
+The following topics describe how to configure Metricbeat:
+
+* [Modules](/reference/metricbeat/configuration-metricbeat.md)
+* [General settings](/reference/metricbeat/configuration-general-options.md)
+* [Project paths](/reference/metricbeat/configuration-path.md)
+* [Config file loading](/reference/metricbeat/metricbeat-configuration-reloading.md)
+* [Output](/reference/metricbeat/configuring-output.md)
+* [SSL](/reference/metricbeat/configuration-ssl.md)
+* [Index lifecycle management (ILM)](/reference/metricbeat/ilm.md)
+* [Elasticsearch index template](/reference/metricbeat/configuration-template.md)
+* [{{kib}} endpoint](/reference/metricbeat/setup-kibana-endpoint.md)
+* [Kibana dashboards](/reference/metricbeat/configuration-dashboards.md)
+* [Processors](/reference/metricbeat/filtering-enhancing-data.md)
+* [*Autodiscover*](/reference/metricbeat/configuration-autodiscover.md)
+* [Internal queue](/reference/metricbeat/configuring-internal-queue.md)
+* [Logging](/reference/metricbeat/configuration-logging.md)
+* [HTTP endpoint](/reference/metricbeat/http-endpoint.md)
+* [*Regular expression support*](/reference/metricbeat/regexp-support.md)
+* [Instrumentation](/reference/metricbeat/configuration-instrumentation.md)
+* [Feature flags](/reference/metricbeat/configuration-feature-flags.md)
+* [*metricbeat.reference.yml*](/reference/metricbeat/metricbeat-reference-yml.md)
+
diff --git a/docs/reference/metricbeat/configuring-ingest-node.md b/docs/reference/metricbeat/configuring-ingest-node.md
new file mode 100644
index 000000000000..ae7414b5c312
--- /dev/null
+++ b/docs/reference/metricbeat/configuring-ingest-node.md
@@ -0,0 +1,50 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuring-ingest-node.html
+---
+
+# Parse data using an ingest pipeline [configuring-ingest-node]
+
+When you use {{es}} for output, you can configure Metricbeat to use an [ingest pipeline](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md) to pre-process documents before the actual indexing takes place in {{es}}. An ingest pipeline is a convenient processing option when you want to do some extra processing on your data, but you do not require the full power of {{ls}}. For example, you can create an ingest pipeline in {{es}} that consists of one processor that removes a field in a document followed by another processor that renames a field.
+
+After defining the pipeline in {{es}}, you simply configure Metricbeat to use the pipeline. To configure Metricbeat, you specify the pipeline ID in the `parameters` option under `elasticsearch` in the `metricbeat.yml` file:
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200"]
+  pipeline: my_pipeline_id
+```
+
+For example, let’s say that you’ve defined the following pipeline in a file named `pipeline.json`:
+
+```json
+{
+    "description": "Test pipeline",
+    "processors": [
+        {
+            "lowercase": {
+                "field": "agent.name"
+            }
+        }
+    ]
+}
+```
+
+To add the pipeline in {{es}}, you would run:
+
+```shell
+curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_ingest/pipeline/test-pipeline' -d@pipeline.json
+```
+
+Then in the `metricbeat.yml` file, you would specify:
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200"]
+  pipeline: "test-pipeline"
+```
+
+When you run Metricbeat, the value of `agent.name` is converted to lowercase before indexing.
+
+For more information about defining a pre-processing pipeline, see the [ingest pipeline](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md) documentation.
+
diff --git a/docs/reference/metricbeat/configuring-internal-queue.md b/docs/reference/metricbeat/configuring-internal-queue.md
new file mode 100644
index 000000000000..f1854e538eb5
--- /dev/null
+++ b/docs/reference/metricbeat/configuring-internal-queue.md
@@ -0,0 +1,144 @@
+---
+navigation_title: "Internal queue"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuring-internal-queue.html
+---
+
+# Configure the internal queue [configuring-internal-queue]
+
+
+Metricbeat uses an internal queue to store events before publishing them. The queue is responsible for buffering and combining events into batches that can be consumed by the outputs. The outputs will use bulk operations to send a batch of events in one transaction.
+
+You can configure the type and behavior of the internal queue by setting options in the `queue` section of the `metricbeat.yml` config file or by setting options in the `queue` section of the output. Only one queue type can be configured.
+
+This sample configuration sets the memory queue to buffer up to 4096 events:
+
+```yaml
+queue.mem:
+  events: 4096
+```
+
+
+## Configure the memory queue [configuration-internal-queue-memory]
+
+The memory queue keeps all events in memory.
+
+The memory queue waits for the output to acknowledge or drop events. If the queue is full, no new events can be inserted into the memory queue. Only after the signal from the output will the queue free up space for more events to be accepted.
+
+The memory queue is controlled by the parameters `flush.min_events` and `flush.timeout`. `flush.min_events` gives a limit on the number of events that can be included in a single batch, and `flush.timeout` specifies how long the queue should wait to completely fill an event request. If the output supports a `bulk_max_size` parameter, the maximum batch size will be the smaller of `bulk_max_size` and `flush.min_events`.
+
+`flush.min_events` is a legacy parameter, and new configurations should prefer to control batch size with `bulk_max_size`. As of 8.13, there is never a performance advantage to limiting batch size with `flush.min_events` instead of `bulk_max_size`.
+
+In synchronous mode, an event request is always filled as soon as events are available, even if there are not enough events to fill the requested batch. This is useful when latency must be minimized. To use synchronous mode, set `flush.timeout` to 0.
+
+For backwards compatibility, synchronous mode can also be activated by setting `flush.min_events` to 0 or 1. In this case, batch size will be capped at 1/2 the queue capacity.
+
+In asynchronous mode, an event request will wait up to the specified timeout to try and fill the requested batch completely. If the timeout expires, the queue returns a partial batch with all available events. To use asynchronous mode, set `flush.timeout` to a positive duration, e.g. `5s`.
+
+This sample configuration forwards events to the output when there are enough events to fill the output’s request (usually controlled by `bulk_max_size`, and limited to at most 512 events by `flush.min_events`), or when events have been waiting for 5s without filling the requested size:
+
+```yaml
+queue.mem:
+  events: 4096
+  flush.min_events: 512
+  flush.timeout: 5s
+```
+
+
+## Configuration options [_configuration_options_14]
+
+You can specify the following options in the `queue.mem` section of the `metricbeat.yml` config file:
+
+
+#### `events` [queue-mem-events-option]
+
+Number of events the queue can store.
+
+The default value is 3200 events.
+
+
+#### `flush.min_events` [queue-mem-flush-min-events-option]
+
+If greater than 1, specifies the maximum number of events per batch. In this case the output must wait for the queue to accumulate the requested number of events or for `flush.timeout` to expire before publishing.
+
+If 0 or 1, sets the maximum number of events per batch to half the queue size, and sets the queue to synchronous mode (equivalent to `flush.timeout` of 0).
+
+The default value is 1600.
+
+
+#### `flush.timeout` [queue-mem-flush-timeout-option]
+
+Maximum wait time for event requests from the output to be fulfilled. If set to 0s, events are returned immediately.
+
+The default value is 10s.
+
+
+## Configure the disk queue [configuration-internal-queue-disk]
+
+The disk queue stores pending events on the disk rather than main memory. This allows Beats to queue a larger number of events than is possible with the memory queue, and to save events when a Beat or device is restarted. This increased reliability comes with a performance tradeoff, as every incoming event must be written and read from the device’s disk. However, for setups where the disk is not the main bottleneck, the disk queue gives a simple and relatively low-overhead way to add a layer of robustness to incoming event data.
+
+To enable the disk queue with default settings, specify a maximum size:
+
+```yaml
+queue.disk:
+  max_size: 10GB
+```
+
+The queue will use up to the specified maximum size on disk. It will only use as much space as required. For example, if the queue is only storing 1GB of events, then it will only occupy 1GB on disk no matter how high the maximum is. Queue data is deleted from disk after it has been successfully sent to the output.
+
+
+### Configuration options [configuration-internal-queue-disk-reference]
+
+You can specify the following options in the `queue.disk` section of the `metricbeat.yml` config file:
+
+
+#### `path` [_path]
+
+The path to the directory where the disk queue should store its data files. The directory is created on startup if it doesn’t exist.
+
+The default value is `"${path.data}/diskqueue"`.
+
+
+#### `max_size` (required) [_max_size_required]
+
+The maximum size the queue should use on disk. Events that exceed this maximum will either pause their input or be discarded, depending on the input’s configuration.
+
+A value of `0` means that no maximum size is enforced, and the queue can grow up to the amount of free space on the disk. This value should be used with caution, as completely filling a system’s main disk can make it inoperable. It is best to use this setting only with a dedicated data or backup partition that will not interfere with Metricbeat or the rest of the host system.
+
+The default value is `10GB`.
+
+
+#### `segment_size` [_segment_size]
+
+Data added to the queue is stored in segment files. Each segment contains some number of events waiting to be sent to the outputs, and is deleted when all its events are sent. By default, segment size is limited to 1/10 of the maximum queue size. Using a smaller size means that the queue will use more data files, but they will be deleted more quickly after use. Using a larger size means some data will take longer to delete, but the queue will use fewer auxiliary files. It is usually fine to leave this value unchanged.
+
+The default value is `max_size / 10`.
+
+
+#### `read_ahead` [_read_ahead]
+
+The number of events that should be read from disk into memory while waiting for an output to request them. If you find outputs are slowing down because they can’t read as many events at a time, adjusting this setting upward may help, at the cost of higher memory usage.
+
+The default value is `512`.
+
+
+#### `write_ahead` [_write_ahead]
+
+The number of events the queue should accept and store in memory while waiting for them to be written to disk. If you find the queue’s memory use is too high because events are waiting too long to be written to disk, adjusting this setting downward may help, at the cost of reduced event throughput. On the other hand, if inputs are waiting or discarding events because they are being produced faster than the disk can handle, adjusting this setting upward may help, at the cost of higher memory usage.
+
+The default value is `2048`.
+
+
+#### `retry_interval` [_retry_interval]
+
+Some disk errors may block operation of the queue, for example a permission error writing to the data directory, or a disk full error while writing an event. In this case, the queue reports the error and retries after pausing for the time specified in `retry_interval`.
+
+The default value is `1s` (one second).
+
+
+#### `max_retry_interval` [_max_retry_interval]
+
+When there are multiple consecutive errors writing to the disk, the queue increases the retry interval by factors of 2 up to a maximum of `max_retry_interval`. Increase this value if you are concerned about logging too many errors or overloading the host system if the target disk becomes unavailable for an extended time.
+
+The default value is `30s` (thirty seconds).
+
diff --git a/docs/reference/metricbeat/configuring-output.md b/docs/reference/metricbeat/configuring-output.md
new file mode 100644
index 000000000000..d307d7d81693
--- /dev/null
+++ b/docs/reference/metricbeat/configuring-output.md
@@ -0,0 +1,31 @@
+---
+navigation_title: "Output"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuring-output.html
+---
+
+# Configure the output [configuring-output]
+
+
+You configure Metricbeat to write to a specific output by setting options in the Outputs section of the `metricbeat.yml` config file. Only a single output may be defined.
+
+The following topics describe how to configure each supported output. If you’ve secured the {{stack}}, also read [Secure](/reference/metricbeat/securing-metricbeat.md) for more about security-related configuration options.
+
+* [{{ess}}](/reference/metricbeat/configure-cloud-id.md)
+* [Elasticsearch](/reference/metricbeat/elasticsearch-output.md)
+* [Logstash](/reference/metricbeat/logstash-output.md)
+* [Kafka](/reference/metricbeat/kafka-output.md)
+* [Redis](/reference/metricbeat/redis-output.md)
+* [File](/reference/metricbeat/file-output.md)
+* [Console](/reference/metricbeat/console-output.md)
+* [Discard](/reference/metricbeat/discard-output.md)
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/configuring-ssl-logstash.md b/docs/reference/metricbeat/configuring-ssl-logstash.md
new file mode 100644
index 000000000000..c0e51b0783d8
--- /dev/null
+++ b/docs/reference/metricbeat/configuring-ssl-logstash.md
@@ -0,0 +1,118 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/configuring-ssl-logstash.html
+---
+
+# Secure communication with Logstash [configuring-ssl-logstash]
+
+You can use SSL mutual authentication to secure connections between Metricbeat and Logstash. This ensures that Metricbeat sends encrypted data to trusted Logstash servers only, and that the Logstash server receives data from trusted Metricbeat clients only.
+
+To use SSL mutual authentication:
+
+1. Create a certificate authority (CA) and use it to sign the certificates that you plan to use for Metricbeat and Logstash. Creating a correct SSL/TLS infrastructure is outside the scope of this document. There are many online resources available that describe how to create certificates.
+
+    ::::{tip}
+    If you are using {{security-features}}, you can use the [elasticsearch-certutil tool](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md) to generate certificates.
+    ::::
+
+2. Configure Metricbeat to use SSL. In the `metricbeat.yml` config file, specify the following settings under `ssl`:
+
+    * `certificate_authorities`: Configures Metricbeat to trust any certificates signed by the specified CA. If `certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used.
+    * `certificate` and `key`: Specifies the certificate and key that Metricbeat uses to authenticate with Logstash.
+
+        For example:
+
+        ```yaml
+        output.logstash:
+          hosts: ["logs.mycompany.com:5044"]
+          ssl.certificate_authorities: ["/etc/ca.crt"]
+          ssl.certificate: "/etc/client.crt"
+          ssl.key: "/etc/client.key"
+        ```
+
+        For more information about these configuration options, see [SSL](/reference/metricbeat/configuration-ssl.md).
+
+3. Configure Logstash to use SSL. In the Logstash config file, specify the following settings for the [Beats input plugin for Logstash](logstash://reference/plugins-inputs-beats.md):
+
+    * `ssl`: When set to true, enables Logstash to use SSL/TLS.
+    * `ssl_certificate_authorities`: Configures Logstash to trust any certificates signed by the specified CA.
+    * `ssl_certificate` and `ssl_key`: Specify the certificate and key that Logstash uses to authenticate with the client.
+    * `ssl_verify_mode`: Specifies whether the Logstash server verifies the client certificate against the CA. You need to specify either `peer` or `force_peer` to make the server ask for the certificate and validate it. If you specify `force_peer`, and Metricbeat doesn’t provide a certificate, the Logstash connection will be closed. If you choose not to use [certutil](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md), the certificates that you obtain must allow for both `clientAuth` and `serverAuth` if the extended key usage extension is present.
+
+        For example:
+
+        ```json
+        input {
+          beats {
+            port => 5044
+            ssl => true
+            ssl_certificate_authorities => ["/etc/ca.crt"]
+            ssl_certificate => "/etc/server.crt"
+            ssl_key => "/etc/server.key"
+            ssl_verify_mode => "force_peer"
+          }
+        }
+        ```
+
+        For more information about these options, see the [documentation for the Beats input plugin](logstash://reference/plugins-inputs-beats.md).
+
+
+
+## Validate the Logstash server’s certificate [testing-ssl-logstash]
+
+Before running Metricbeat, you should validate the Logstash server’s certificate. You can use `curl` to validate the certificate even though the protocol used to communicate with Logstash is not based on HTTP. For example:
+
+```shell
+curl -v --cacert ca.crt https://logs.mycompany.com:5044
+```
+
+If the test is successful, you’ll receive an empty response error:
+
+```shell
+* Rebuilt URL to: https://logs.mycompany.com:5044/
+*   Trying 192.168.99.100...
+* Connected to logs.mycompany.com (192.168.99.100) port 5044 (#0)
+* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+* Server certificate: logs.mycompany.com
+* Server certificate: mycompany.com
+> GET / HTTP/1.1
+> Host: logs.mycompany.com:5044
+> User-Agent: curl/7.43.0
+> Accept: */*
+>
+* Empty reply from server
+* Connection #0 to host logs.mycompany.com left intact
+curl: (52) Empty reply from server
+```
+
+The following example uses the IP address rather than the hostname to validate the certificate:
+
+```shell
+curl -v --cacert ca.crt https://192.168.99.100:5044
+```
+
+Validation for this test fails because the certificate is not valid for the specified IP address. It’s only valid for the `logs.mycompany.com`, the hostname that appears in the Subject field of the certificate.
+
+```shell
+* Rebuilt URL to: https://192.168.99.100:5044/
+*   Trying 192.168.99.100...
+* Connected to 192.168.99.100 (192.168.99.100) port 5044 (#0)
+* WARNING: using IP address, SNI is being disabled by the OS.
+* SSL: certificate verification failed (result: 5)
+* Closing connection 0
+curl: (51) SSL: certificate verification failed (result: 5)
+```
+
+See the [troubleshooting docs](/reference/metricbeat/ssl-client-fails.md) for info about resolving this issue.
+
+
+## Test the Metricbeat to Logstash connection [_test_the_metricbeat_to_logstash_connection]
+
+If you have Metricbeat running as a service, first stop the service. Then test your setup by running Metricbeat in the foreground so you can quickly see any errors that occur:
+
+```sh
+metricbeat -c metricbeat.yml -e -v
+```
+
+Any errors will be printed to the console. See the [troubleshooting docs](/reference/metricbeat/ssl-client-fails.md) for info about resolving common errors.
+
diff --git a/docs/reference/metricbeat/connection-problem.md b/docs/reference/metricbeat/connection-problem.md
new file mode 100644
index 000000000000..da21f19c0bfe
--- /dev/null
+++ b/docs/reference/metricbeat/connection-problem.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/connection-problem.html
+---
+
+# Logstash connection doesn���t work [connection-problem]
+
+You may have configured {{ls}} or Metricbeat incorrectly. To resolve the issue:
+
+* Make sure that {{ls}} is running and you can connect to it. First, try to ping the {{ls}} host to verify that you can reach it from the host running Metricbeat. Then use either `nc` or `telnet` to make sure that the port is available. For example:
+
+    ```shell
+    ping <hostname or IP>
+    telnet <hostname or IP> 5044
+    ```
+
+* Verify that the config file for Metricbeat specifies the correct port where {{ls}} is running.
+* Make sure that the {{es}} output is commented out in the config file and the {{ls}} output is uncommented.
+* Confirm that the most recent [Beats input plugin for {{ls}}](logstash://reference/plugins-inputs-beats.md) is installed and configured. Note that Beats will not connect to the Lumberjack input plugin. To learn how to install and update plugins, see [Working with plugins](logstash://reference/working-with-plugins.md).
+
diff --git a/docs/reference/metricbeat/console-output.md b/docs/reference/metricbeat/console-output.md
new file mode 100644
index 000000000000..8206cced3b9b
--- /dev/null
+++ b/docs/reference/metricbeat/console-output.md
@@ -0,0 +1,67 @@
+---
+navigation_title: "Console"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/console-output.html
+---
+
+# Configure the Console output [console-output]
+
+
+The Console output writes events in JSON format to stdout.
+
+::::{warning}
+The Console output should be used only for debugging issues as it can produce a large amount of logging data.
+::::
+
+
+To use this output, edit the Metricbeat configuration file to disable the {{es}} output by commenting it out, and enable the console output by adding `output.console`.
+
+Example configuration:
+
+```yaml
+output.console:
+  pretty: true
+```
+
+## Configuration options [_configuration_options_7]
+
+You can specify the following `output.console` options in the `metricbeat.yml` config file:
+
+### `enabled` [_enabled_7]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `pretty` [_pretty]
+
+If `pretty` is set to true, events written to stdout will be nicely formatted. The default is false.
+
+
+### `codec` [_codec_4]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded using the `pretty` option.
+
+See [Change the output codec](/reference/metricbeat/configuration-output-codec.md) for more information.
+
+
+### `bulk_max_size` [_bulk_max_size_4]
+
+The maximum number of events to buffer internally during publishing. The default is 2048.
+
+Specifying a larger batch size may add some latency and buffering during publishing. However, for Console output, this setting does not affect how events are published.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `queue` [_queue_6]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/metricbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `metricbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/metricbeat/contributing-to-beats.md b/docs/reference/metricbeat/contributing-to-beats.md
new file mode 100644
index 000000000000..08f1dfc3333c
--- /dev/null
+++ b/docs/reference/metricbeat/contributing-to-beats.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/contributing-to-beats.html
+---
+
+# Contribute to Beats [contributing-to-beats]
+
+The Beats are open source and we love to receive contributions from our community — you!
+
+There are many ways to contribute, from writing tutorials or blog posts, improving the documentation, submitting bug reports and feature requests, or writing code that implements a whole new protocol, module, or Beat.
+
+The [Beats Developer Guide](http://www.elastic.co/guide/en/beats/devguide/master/index.md) is your one-stop shop for everything related to developing code for the Beats project.
+
diff --git a/docs/reference/metricbeat/convert.md b/docs/reference/metricbeat/convert.md
new file mode 100644
index 000000000000..7f158cecbae3
--- /dev/null
+++ b/docs/reference/metricbeat/convert.md
@@ -0,0 +1,42 @@
+---
+navigation_title: "convert"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/convert.html
+---
+
+# Convert [convert]
+
+
+The `convert` processor converts a field in the event to a different type, such as converting a string to an integer.
+
+The supported types include: `integer`, `long`, `float`, `double`, `string`, `boolean`, and `ip`.
+
+The `ip` type is effectively an alias for `string`, but with an added validation that the value is an IPv4 or IPv6 address.
+
+```yaml
+processors:
+  - convert:
+      fields:
+        - {from: "src_ip", to: "source.ip", type: "ip"}
+        - {from: "src_port", to: "source.port", type: "integer"}
+      ignore_missing: true
+      fail_on_error: false
+```
+
+The `convert` processor has the following configuration settings:
+
+`fields`
+:   (Required) This is the list of fields to convert. At least one item must be contained in the list. Each item in the list must have a `from` key that specifies the source field. The `to` key is optional and specifies where to assign the converted value. If `to` is omitted then the `from` field is updated in-place. The `type` key specifies the data type to convert the value to. If `type` is omitted then the processor copies or renames the field without any type conversion.
+
+`ignore_missing`
+:   (Optional) If `true` the processor continues to the next field when the `from` key is not found in the event. If false then the processor returns an error and does not process the remaining fields. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If false type conversion failures are ignored and the processor continues to the next field. Default is `true`.
+
+`tag`
+:   (Optional) An identifier for this processor. Useful for debugging.
+
+`mode`
+:   (Optional) When both `from` and `to` are defined for a field then `mode` controls whether to `copy` or `rename` the field when the type conversion is successful. Default is `copy`.
+
diff --git a/docs/reference/metricbeat/copy-fields.md b/docs/reference/metricbeat/copy-fields.md
new file mode 100644
index 000000000000..6864ef95c752
--- /dev/null
+++ b/docs/reference/metricbeat/copy-fields.md
@@ -0,0 +1,45 @@
+---
+navigation_title: "copy_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/copy-fields.html
+---
+
+# Copy fields [copy-fields]
+
+
+The `copy_fields` processor takes the value of a field and copies it to a new field.
+
+You cannot use this processor to replace an existing field. If the target field already exists, you must [drop](/reference/metricbeat/drop-fields.md) or [rename](/reference/metricbeat/rename-fields.md) the field before using `copy_fields`.
+
+`fields`
+:   List of `from` and `to` pairs to copy from and to. It’s supported to use `@metadata.` prefix for `from` and `to` and copy values not just in/from/to the event fields but also in/from/to the event metadata.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error occurs, the changes are reverted and the original is returned. If set to `false`, processing continues if an error occurs. Default is `true`.
+
+`ignore_missing`
+:   (Optional) Indicates whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - copy_fields:
+      fields:
+        - from: message
+          to: event.original
+      fail_on_error: false
+      ignore_missing: true
+```
+
+Copies the original `message` field to `event.original`:
+
+```json
+{
+  "message": "my-interesting-message",
+  "event": {
+      "original": "my-interesting-message"
+  }
+}
+```
+
diff --git a/docs/reference/metricbeat/could-not-locate-index-pattern.md b/docs/reference/metricbeat/could-not-locate-index-pattern.md
new file mode 100644
index 000000000000..6a5591cb444d
--- /dev/null
+++ b/docs/reference/metricbeat/could-not-locate-index-pattern.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/could-not-locate-index-pattern.html
+---
+
+# Dashboard could not locate the index-pattern [could-not-locate-index-pattern]
+
+Typically Metricbeat sets up the index pattern automatically when it loads the index template. However, if for some reason Metricbeat loads the index template, but the index pattern does not get created correctly, you’ll see a "could not locate that index-pattern" error. To resolve this problem:
+
+1. Try running the `setup` command again. For example: `./metricbeat setup`.
+2. If that doesn’t work, go to the Management app in {{kib}}, and under **Index Patterns**, look for the pattern.
+
+    1. If the pattern doesn’t exist, create it manually.
+
+        * Set the **Time filter field name** to `@timestamp`.
+        * Set the **Custom index pattern ID** advanced option. For example, if your custom index name is `metricbeat-customname`, set the custom index pattern ID to `metricbeat-customname-*`.
+
+
+For more information, see [Creating an index pattern](docs-content://explore-analyze/find-and-organize/data-views.md) in the {{kib}} docs.
+
diff --git a/docs/reference/metricbeat/decode-base64-field.md b/docs/reference/metricbeat/decode-base64-field.md
new file mode 100644
index 000000000000..cbf3e2a0f870
--- /dev/null
+++ b/docs/reference/metricbeat/decode-base64-field.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "decode_base64_field"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/decode-base64-field.html
+---
+
+# Decode Base64 fields [decode-base64-field]
+
+
+The `decode_base64_field` processor specifies a field to base64 decode. The `field` key contains a `from: old-key` and a `to: new-key` pair. `from` is the origin and `to` the target name of the field.
+
+To overwrite fields either first rename the target field or use the `drop_fields` processor to drop the field and then rename the field.
+
+```yaml
+processors:
+  - decode_base64_field:
+      field:
+        from: "field1"
+        to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above: - field1 is decoded in field2
+
+The `decode_base64_field` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be base64 decoded is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the base64 decode of fields is stopped and the original event is returned. If set to false, decoding continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/metricbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/metricbeat/decode-duration.md b/docs/reference/metricbeat/decode-duration.md
new file mode 100644
index 000000000000..559a185d7e09
--- /dev/null
+++ b/docs/reference/metricbeat/decode-duration.md
@@ -0,0 +1,25 @@
+---
+navigation_title: "decode_duration"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/decode-duration.html
+---
+
+# Decode duration [decode-duration]
+
+
+The `decode_duration` processor decodes a Go-style duration string into a specific `format`.
+
+For more information about the Go `time.Duration` string style, refer to the [Go documentation](https://pkg.go.dev/time#Duration).
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | yes |  | Which field of event needs to be decoded as `time.Duration` |  |
+| `format` | yes | `milliseconds` | Supported formats: `milliseconds`/`seconds`/`minutes`/`hours` |  |
+
+```yaml
+processors:
+  - decode_duration:
+      field: "app.rpc.cost"
+      format: "milliseconds"
+```
+
diff --git a/docs/reference/metricbeat/decode-json-fields.md b/docs/reference/metricbeat/decode-json-fields.md
new file mode 100644
index 000000000000..a68730bc7100
--- /dev/null
+++ b/docs/reference/metricbeat/decode-json-fields.md
@@ -0,0 +1,48 @@
+---
+navigation_title: "decode_json_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/decode-json-fields.html
+---
+
+# Decode JSON fields [decode-json-fields]
+
+
+The `decode_json_fields` processor decodes fields containing JSON strings and replaces the strings with valid JSON objects.
+
+```yaml
+processors:
+  - decode_json_fields:
+      fields: ["field1", "field2", ...]
+      process_array: false
+      max_depth: 1
+      target: ""
+      overwrite_keys: false
+      add_error_key: true
+```
+
+The `decode_json_fields` processor has the following configuration settings:
+
+`fields`
+:   The fields containing JSON strings to decode.
+
+`process_array`
+:   (Optional) A Boolean value that specifies whether to process arrays. The default is `false`.
+
+`max_depth`
+:   (Optional) The maximum parsing depth. A value of `1`  will decode the JSON objects in fields indicated in `fields`, a value of `2` will also decode the objects embedded in the fields of these parsed documents. The default is `1`.
+
+`target`
+:   (Optional) The field under which the decoded JSON will be written. By default, the decoded JSON object replaces the string field from which it was read. To merge the decoded JSON fields into the root of the event, specify `target` with an empty string (`target: ""`). Note that the `null` value (`target:`) is treated as if the field was not set.
+
+`overwrite_keys`
+:   (Optional) A Boolean value that specifies whether existing keys in the event are overwritten by keys from the decoded JSON object. The default value is `false`.
+
+`expand_keys`
+:   (Optional) A Boolean value that specifies whether keys in the decoded JSON should be recursively de-dotted and expanded into a hierarchical object structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`.
+
+`add_error_key`
+:   (Optional) If set to `true` and an error occurs while decoding JSON keys, the `error` field will become a part of the event with the error message. If set to `false`, there will not be any error in the event’s field. The default value is `false`.
+
+`document_id`
+:   (Optional) JSON key that’s used as the document ID. If configured, the field will be removed from the original JSON document and stored in `@metadata._id`
+
diff --git a/docs/reference/metricbeat/decode-xml-wineventlog.md b/docs/reference/metricbeat/decode-xml-wineventlog.md
new file mode 100644
index 000000000000..1665c3c53377
--- /dev/null
+++ b/docs/reference/metricbeat/decode-xml-wineventlog.md
@@ -0,0 +1,162 @@
+---
+navigation_title: "decode_xml_wineventlog"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/decode-xml-wineventlog.html
+---
+
+# Decode XML Wineventlog [decode-xml-wineventlog]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `decode_xml_wineventlog` processor decodes Windows Event Log data in XML format that is stored under the `field` key. It outputs the result into the `target_field`.
+
+The output fields will be the same as the [winlogbeat winlog fields](/reference/winlogbeat/exported-fields-winlog.md#_winlog).
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the XML. Defaults to `message`.
+
+`target_field`
+:   (Required) The field under which the decoded XML will be written. To merge the decoded XML fields into the root of the event specify `target_field` with an empty string (`target_field: ""`). The default value is `winlog`.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the decoded XML object. The default value is `true`.
+
+`map_ecs_fields`
+:   (Optional) A boolean that specifies whether to map additional ECS fields when possible. Note that ECS field keys are placed outside of `target_field`. The default value is `true`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+`language`
+:   (Optional) The language ID the events will be rendered in. The language will be forced regardless of the system language. Forwarded events will ignore this setting. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language.
+
+Example:
+
+```yaml
+processors:
+  - decode_xml_wineventlog:
+      field: event.original
+      target_field: winlog
+```
+
+```json
+{
+  "event": {
+    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>"
+  }
+}
+```
+
+Will produce the following output:
+
+```json
+{
+  "event": {
+    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>",
+    "action":   "Special Logon",
+		"code":     "4672",
+		"kind":     "event",
+		"outcome":  "success",
+		"provider": "Microsoft-Windows-Security-Auditing",
+  },
+	"host": {
+    "name": "vagrant",
+  },
+  "log": {
+    "level": "information",
+  },
+  "winlog": {
+    "channel": "Security",
+    "outcome": "success",
+    "activity_id": "{ffb23523-1f32-0000-c335-b2ff321fd701}",
+    "level": "information",
+    "event_id": 4672,
+    "provider_name": "Microsoft-Windows-Security-Auditing",
+    "record_id": 11303,
+    "computer_name": "vagrant",
+    "keywords_raw": 9232379236109516800,
+    "opcode": "Info",
+    "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+    "event_data": {
+      "SubjectUserSid": "S-1-5-18",
+      "SubjectUserName": "SYSTEM",
+      "SubjectDomainName": "NT AUTHORITY",
+      "SubjectLogonId": "0x3e7",
+      "PrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"
+    },
+    "task": "Special Logon",
+    "keywords": [
+      "Audit Success"
+    ],
+    "message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
+    "process": {
+      "pid": 652,
+      "thread": {
+        "id": 4660
+      }
+    }
+  }
+}
+```
+
+See [Conditions](/reference/metricbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+The field mappings are as follows:
+
+| Event Field | Source XML Element | Notes |
+| --- | --- | --- |
+| `winlog.channel` | `<Event><System><Channel>` |  |
+| `winlog.event_id` | `<Event><System><EventID>` |  |
+| `winlog.provider_name` | `<Event><System><Provider>` | `Name` attribute |
+| `winlog.record_id` | `<Event><System><EventRecordID>` |  |
+| `winlog.task` | `<Event><System><Task>` |  |
+| `winlog.computer_name` | `<Event><System><Computer>` |  |
+| `winlog.keywords` | `<Event><RenderingInfo><Keywords>` | list of each `Keyword` |
+| `winlog.opcodes` | `<Event><RenderingInfo><Opcode>` |  |
+| `winlog.provider_guid` | `<Event><System><Provider>` | `Guid` attribute |
+| `winlog.version` | `<Event><System><Version>` |  |
+| `winlog.time_created` | `<Event><System><TimeCreated>` | `SystemTime` attribute |
+| `winlog.outcome` | `<Event><System><Keywords>` | "success" if bit 0x20000000000000 is set, "failure" if 0x10000000000000 is set |
+| `winlog.level` | `<Event><System><Level>` | converted to lowercase |
+| `winlog.message` | `<Event><RenderingInfo><Message>` | line endings removed |
+| `winlog.user.identifier` | `<Event><System><Security><UserID>` |  |
+| `winlog.user.domain` | `<Event><System><Security><Domain>` |  |
+| `winlog.user.name` | `<Event><System><Security><Name>` |  |
+| `winlog.user.type` | `<Event><System><Security><Type>` | converted from integer to String |
+| `winlog.event_data` | `<Event><EventData>` | map where `Name` attribute in Data element is key, and value is the value of the Data element |
+| `winlog.user_data` | `<Event><UserData>` | map where `Name` attribute in Data element is key, and value is the value of the Data element |
+| `winlog.activity_id` | `<Event><System><Correlation><ActivityID>` |  |
+| `winlog.related_activity_id` | `<Event><System><Correlation><RelatedActivityID>` |  |
+| `winlog.kernel_time` | `<Event><System><Execution><KernelTime>` |  |
+| `winlog.process.pid` | `<Event><System><Execution><ProcessID>` |  |
+| `winlog.process.thread.id` | `<Event><System><Execution><ThreadID>` |  |
+| `winlog.processor_id` | `<Event><System><Execution><ProcessorID>` |  |
+| `winlog.processor_time` | `<Event><System><Execution><ProcessorTime>` |  |
+| `winlog.session_id` | `<Event><System><Execution><SessionID>` |  |
+| `winlog.user_time` | `<Event><System><Execution><UserTime>` |  |
+| `winlog.error.code` | `<Event><ProcessingErrorData><ErrorCode>` |  |
+
+If `map_ecs_fields` is enabled then the following field mappings are also performed:
+
+| Event Field | Source XML or other field | Notes |
+| --- | --- | --- |
+| `event.code` | `winlog.event_id` |  |
+| `event.kind` | `"event"` |  |
+| `event.provider` | `<Event><System><Provider>` | `Name` attribute |
+| `event.action` | `<Event><RenderingInfo><Task>` |  |
+| `event.host.name` | `<Event><System><Computer>` |  |
+| `event.outcome` | `winlog.outcome` |  |
+| `log.level` | `winlog.level` |  |
+| `message` | `winlog.message` |  |
+| `error.code` | `winlog.error.code` |  |
+| `error.message` | `winlog.error.message` |  |
+
diff --git a/docs/reference/metricbeat/decode-xml.md b/docs/reference/metricbeat/decode-xml.md
new file mode 100644
index 000000000000..c52586af1da6
--- /dev/null
+++ b/docs/reference/metricbeat/decode-xml.md
@@ -0,0 +1,96 @@
+---
+navigation_title: "decode_xml"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/decode-xml.html
+---
+
+# Decode XML [decode-xml]
+
+
+The `decode_xml` processor decodes XML data that is stored under the `field` key. It outputs the result into the `target_field`.
+
+This example demonstrates how to decode an XML string contained in the `message` field and write the resulting fields into the root of the document. Any fields that already exist will be overwritten.
+
+```yaml
+processors:
+  - decode_xml:
+      field: message
+      target_field: ""
+      overwrite_keys: true
+```
+
+By default any decoding errors that occur will stop the processing chain and the error will be added to `error.message` field. To ignore all errors and continue to the next processor you can set `ignore_failure: true`. To specifically ignore failures caused by `field` not existing you can set `ignore_missing: true`.
+
+```yaml
+processors:
+  - decode_xml:
+      field: example
+      target_field: xml
+      ignore_missing: true
+      ignore_failure: true
+```
+
+By default all keys converted from XML will have the names converted to lowercase. If there is a need to disable this behavior it is possible to use the below example:
+
+```yaml
+processors:
+  - decode_xml:
+      field: message
+      target_field: xml
+      to_lower: false
+```
+
+Example XML input:
+
+```xml
+<catalog>
+  <book seq="1">
+    <author>William H. Gaddis</author>
+    <title>The Recognitions</title>
+    <review>One of the great seminal American novels of the 20th century.</review>
+  </book>
+</catalog>
+```
+
+Will produce the following output:
+
+```json
+{
+	"xml": {
+		"catalog": {
+			"book": {
+				"author": "William H. Gaddis",
+				"review": "One of the great seminal American novels of the 20th century.",
+				"seq": "1",
+				"title": "The Recognitions"
+			}
+		}
+	}
+}
+```
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the XML. Defaults to `message`.
+
+`target_field`
+:   (Optional) The field under which the decoded XML will be written. By default the decoded XML object replaces the field from which it was read. To merge the decoded XML fields into the root of the event specify `target_field` with an empty string (`target_field: ""`). Note that the `null` value (`target_field:`) is treated as if the field was not set at all.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the decoded XML object. The default value is `true`.
+
+`to_lower`
+:   (Optional) Converts all keys to lowercase. Accepts either `true` or `false`. The default value is `true`.
+
+`document_id`
+:   (Optional) XML key to use as the document ID. If configured, the field will be removed from the original XML document and stored in `@metadata._id`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+See [Conditions](/reference/metricbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/metricbeat/decompress-gzip-field.md b/docs/reference/metricbeat/decompress-gzip-field.md
new file mode 100644
index 000000000000..53b502a8a801
--- /dev/null
+++ b/docs/reference/metricbeat/decompress-gzip-field.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "decompress_gzip_field"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/decompress-gzip-field.html
+---
+
+# Decompress gzip fields [decompress-gzip-field]
+
+
+The `decompress_gzip_field` processor specifies a field to gzip decompress. The `field` key contains a `from: old-key` and a `to: new-key` pair. `from` is the origin and `to` the target name of the field.
+
+To overwrite fields either first rename the target field or use the `drop_fields` processor to drop the field and then decompress the field.
+
+```yaml
+processors:
+  - decompress_gzip_field:
+      field:
+        from: "field1"
+        to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above: - field1 is decoded in field2
+
+The `decompress_gzip_field` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be decompressed is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the decompression of fields is stopped and the original event is returned. If set to false, decompression continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/metricbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/metricbeat/defining-processors.md b/docs/reference/metricbeat/defining-processors.md
new file mode 100644
index 000000000000..40ca4780dab7
--- /dev/null
+++ b/docs/reference/metricbeat/defining-processors.md
@@ -0,0 +1,329 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/defining-processors.html
+---
+
+# Define processors [defining-processors]
+
+You can use processors to filter and enhance data before sending it to the configured output. To define a processor, you specify the processor name, an optional condition, and a set of parameters:
+
+```yaml
+processors:
+  - <processor_name>:
+      when:
+        <condition>
+      <parameters>
+
+  - <processor_name>:
+      when:
+        <condition>
+      <parameters>
+
+...
+```
+
+Where:
+
+* `<processor_name>` specifies a [processor](#processors) that performs some kind of action, such as selecting the fields that are exported or adding metadata to the event.
+* `<condition>` specifies an optional [condition](#conditions). If the condition is present, then the action is executed only if the condition is fulfilled. If no condition is set, then the action is always executed.
+* `<parameters>` is the list of parameters to pass to the processor.
+
+More complex conditional processing can be accomplished by using the if-then-else processor configuration. This allows multiple processors to be executed based on a single condition.
+
+```yaml
+processors:
+  - if:
+      <condition>
+    then: <1>
+      - <processor_name>:
+          <parameters>
+      - <processor_name>:
+          <parameters>
+      ...
+    else: <2>
+      - <processor_name>:
+          <parameters>
+      - <processor_name>:
+          <parameters>
+      ...
+```
+
+1. `then` must contain a single processor or a list of one or more processors to execute when the condition evaluates to true.
+2. `else` is optional. It can contain a single processor or a list of processors to execute when the conditional evaluate to false.
+
+
+## Where are processors valid? [where-valid]
+
+Processors are valid:
+
+* At the top-level in the configuration. The processor is applied to all data collected by Metricbeat.
+* Under a specific module. The processor is applied to the data collected for that module.
+
+    ```yaml
+    - module: <module_name>
+      metricsets: ["<metricset_name>"]
+      processors:
+        - <processor_name>:
+            when:
+              <condition>
+            <parameters>
+    ```
+
+
+
+## Processors [processors]
+
+The supported processors are:
+
+* [`add_cloud_metadata`](/reference/metricbeat/add-cloud-metadata.md)
+* [`add_cloudfoundry_metadata`](/reference/metricbeat/add-cloudfoundry-metadata.md)
+* [`add_docker_metadata`](/reference/metricbeat/add-docker-metadata.md)
+* [`add_fields`](/reference/metricbeat/add-fields.md)
+* [`add_host_metadata`](/reference/metricbeat/add-host-metadata.md)
+* [`add_id`](/reference/metricbeat/add-id.md)
+* [`add_kubernetes_metadata`](/reference/metricbeat/add-kubernetes-metadata.md)
+* [`add_labels`](/reference/metricbeat/add-labels.md)
+* [`add_locale`](/reference/metricbeat/add-locale.md)
+* [`add_nomad_metadata`](/reference/metricbeat/add-nomad-metadata.md)
+* [`add_observer_metadata`](/reference/metricbeat/add-observer-metadata.md)
+* [`add_process_metadata`](/reference/metricbeat/add-process-metadata.md)
+* [`add_tags`](/reference/metricbeat/add-tags.md)
+* [`append`](/reference/metricbeat/append.md)
+* [`community_id`](/reference/metricbeat/community-id.md)
+* [`convert`](/reference/metricbeat/convert.md)
+* [`copy_fields`](/reference/metricbeat/copy-fields.md)
+* [`decode_base64_field`](/reference/metricbeat/decode-base64-field.md)
+* [`decode_duration`](/reference/metricbeat/decode-duration.md)
+* [`decode_json_fields`](/reference/metricbeat/decode-json-fields.md)
+* [`decode_xml`](/reference/metricbeat/decode-xml.md)
+* [`decode_xml_wineventlog`](/reference/metricbeat/decode-xml-wineventlog.md)
+* [`decompress_gzip_field`](/reference/metricbeat/decompress-gzip-field.md)
+* [`detect_mime_type`](/reference/metricbeat/detect-mime-type.md)
+* [`dissect`](/reference/metricbeat/dissect.md)
+* [`dns`](/reference/metricbeat/processor-dns.md)
+* [`drop_event`](/reference/metricbeat/drop-event.md)
+* [`drop_fields`](/reference/metricbeat/drop-fields.md)
+* [`extract_array`](/reference/metricbeat/extract-array.md)
+* [`fingerprint`](/reference/metricbeat/fingerprint.md)
+* [`include_fields`](/reference/metricbeat/include-fields.md)
+* [`move-fields`](/reference/metricbeat/move-fields.md)
+* [`rate_limit`](/reference/metricbeat/rate-limit.md)
+* [`registered_domain`](/reference/metricbeat/processor-registered-domain.md)
+* [`rename`](/reference/metricbeat/rename-fields.md)
+* [`replace`](/reference/metricbeat/replace-fields.md)
+* [`script`](/reference/metricbeat/processor-script.md)
+* [`syslog`](/reference/metricbeat/syslog.md)
+* [`translate_ldap_attribute`](/reference/metricbeat/processor-translate-guid.md)
+* [`translate_sid`](/reference/metricbeat/processor-translate-sid.md)
+* [`truncate_fields`](/reference/metricbeat/truncate-fields.md)
+* [`urldecode`](/reference/metricbeat/urldecode.md)
+
+
+## Conditions [conditions]
+
+Each condition receives a field to compare. You can specify multiple fields under the same condition by using `AND` between the fields (for example, `field1 AND field2`).
+
+For each field, you can specify a simple field name or a nested map, for example `dns.question.name`.
+
+See [Exported fields](/reference/metricbeat/exported-fields.md) for a list of all the fields that are exported by Metricbeat.
+
+The supported conditions are:
+
+* [`equals`](#condition-equals)
+* [`contains`](#condition-contains)
+* [`regexp`](#condition-regexp)
+* [`range`](#condition-range)
+* [`network`](#condition-network)
+* [`has_fields`](#condition-has_fields)
+* [`or`](#condition-or)
+* [`and`](#condition-and)
+* [`not`](#condition-not)
+
+
+#### `equals` [condition-equals]
+
+With the `equals` condition, you can compare if a field has a certain value. The condition accepts only an integer or a string value.
+
+For example, the following condition checks if the response code of the HTTP transaction is 200:
+
+```yaml
+equals:
+  http.response.code: 200
+```
+
+
+#### `contains` [condition-contains]
+
+The `contains` condition checks if a value is part of a field. The field can be a string or an array of strings. The condition accepts only a string value.
+
+For example, the following condition checks if an error is part of the transaction status:
+
+```yaml
+contains:
+  status: "Specific error"
+```
+
+
+#### `regexp` [condition-regexp]
+
+The `regexp` condition checks the field against a regular expression. The condition accepts only strings.
+
+For example, the following condition checks if the process name starts with `foo`:
+
+```yaml
+regexp:
+  system.process.name: "^foo.*"
+```
+
+
+#### `range` [condition-range]
+
+The `range` condition checks if the field is in a certain range of values. The condition supports `lt`, `lte`, `gt` and `gte`. The condition accepts only integer, float, or strings that can be converted to either of these as values.
+
+For example, the following condition checks for failed HTTP transactions by comparing the `http.response.code` field with 400.
+
+```yaml
+range:
+  http.response.code:
+    gte: 400
+```
+
+This can also be written as:
+
+```yaml
+range:
+  http.response.code.gte: 400
+```
+
+The following condition checks if the CPU usage in percentage has a value between 0.5 and 0.8.
+
+```yaml
+range:
+  system.cpu.user.pct.gte: 0.5
+  system.cpu.user.pct.lt: 0.8
+```
+
+
+#### `network` [condition-network]
+
+The `network` condition checks whether a field’s value falls within a specified IP network range. If multiple fields are provided, each field value must match its corresponding network range. You can specify multiple network ranges for a single field, and a match occurs if any one of the ranges matches. If the field value is an array of IPs, it will match if any of the IPs fall within any of the given ranges. Both IPv4 and IPv6 addresses are supported.
+
+The network range may be specified using CIDR notation, like "192.0.2.0/24" or "2001:db8::/32", or by using one of these named ranges:
+
+* `loopback` - Matches loopback addresses in the range of `127.0.0.0/8` or `::1/128`.
+* `unicast` - Matches global unicast addresses defined in RFC 1122, RFC 4632, and RFC 4291 with the exception of the IPv4 broadcast address (`255.255.255.255`). This includes private address ranges.
+* `multicast` - Matches multicast addresses.
+* `interface_local_multicast` - Matches IPv6 interface-local multicast addresses.
+* `link_local_unicast` - Matches link-local unicast addresses.
+* `link_local_multicast` - Matches link-local multicast addresses.
+* `private` - Matches private address ranges defined in RFC 1918 (IPv4) and RFC 4193 (IPv6).
+* `public` - Matches addresses that are not loopback, unspecified, IPv4 broadcast, link local unicast, link local multicast, interface local multicast, or private.
+* `unspecified` - Matches unspecified addresses (either the IPv4 address "0.0.0.0" or the IPv6 address "::").
+
+The following condition returns true if the `source.ip` value is within the private address space.
+
+```yaml
+network:
+  source.ip: private
+```
+
+This condition returns true if the `destination.ip` value is within the IPv4 range of `192.168.1.0` - `192.168.1.255`.
+
+```yaml
+network:
+  destination.ip: '192.168.1.0/24'
+```
+
+And this condition returns true when `destination.ip` is within any of the given subnets.
+
+```yaml
+network:
+  destination.ip: ['192.168.1.0/24', '10.0.0.0/8', loopback]
+```
+
+
+#### `has_fields` [condition-has_fields]
+
+The `has_fields` condition checks if all the given fields exist in the event. The condition accepts a list of string values denoting the field names.
+
+For example, the following condition checks if the `http.response.code` field is present in the event.
+
+```yaml
+has_fields: ['http.response.code']
+```
+
+
+#### `or` [condition-or]
+
+The `or` operator receives a list of conditions.
+
+```yaml
+or:
+  - <condition1>
+  - <condition2>
+  - <condition3>
+  ...
+```
+
+For example, to configure the condition `http.response.code = 304 OR http.response.code = 404`:
+
+```yaml
+or:
+  - equals:
+      http.response.code: 304
+  - equals:
+      http.response.code: 404
+```
+
+
+#### `and` [condition-and]
+
+The `and` operator receives a list of conditions.
+
+```yaml
+and:
+  - <condition1>
+  - <condition2>
+  - <condition3>
+  ...
+```
+
+For example, to configure the condition `http.response.code = 200 AND status = OK`:
+
+```yaml
+and:
+  - equals:
+      http.response.code: 200
+  - equals:
+      status: OK
+```
+
+To configure a condition like `<condition1> OR <condition2> AND <condition3>`:
+
+```yaml
+or:
+  - <condition1>
+  - and:
+    - <condition2>
+    - <condition3>
+```
+
+
+#### `not` [condition-not]
+
+The `not` operator receives the condition to negate.
+
+```yaml
+not:
+  <condition>
+```
+
+For example, to configure the condition `NOT status = OK`:
+
+```yaml
+not:
+  equals:
+    status: OK
+```
+
+
diff --git a/docs/reference/metricbeat/detect-mime-type.md b/docs/reference/metricbeat/detect-mime-type.md
new file mode 100644
index 000000000000..9b2e910eabd2
--- /dev/null
+++ b/docs/reference/metricbeat/detect-mime-type.md
@@ -0,0 +1,22 @@
+---
+navigation_title: "detect_mime_type"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/detect-mime-type.html
+---
+
+# Detect mime type [detect-mime-type]
+
+
+The `detect_mime_type` processor attempts to detect a mime type for a field that contains a given stream of bytes. The `field` key contains the field used as the data source and the `target` key contains the field to populate with the detected type. It’s supported to use `@metadata.` prefix for `target` and set the value in the event metadata instead of fields.
+
+```yaml
+processors:
+  - detect_mime_type:
+      field: http.request.body.content
+      target: http.request.mime_type
+```
+
+In the example above: - http.request.body.content is used as the source and http.request.mime_type is set to the detected mime type
+
+See [Conditions](/reference/metricbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/metricbeat/diff-logstash-beats.md b/docs/reference/metricbeat/diff-logstash-beats.md
new file mode 100644
index 000000000000..82d6c11f3ada
--- /dev/null
+++ b/docs/reference/metricbeat/diff-logstash-beats.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/diff-logstash-beats.html
+---
+
+# Not sure whether to use Logstash or Beats [diff-logstash-beats]
+
+Beats are lightweight data shippers that you install as agents on your servers to send specific types of operational data to {{es}}. Beats have a small footprint and use fewer system resources than {{ls}}.
+
+{{ls}} has a larger footprint, but provides a broad array of input, filter, and output plugins for collecting, enriching, and transforming data from a variety of sources.
+
+For more information, see the [{{ls}} Introduction](logstash://reference/index.md) and the [Beats Overview](/reference/index.md).
+
diff --git a/docs/reference/metricbeat/directory-layout.md b/docs/reference/metricbeat/directory-layout.md
new file mode 100644
index 000000000000..b8fbfdc78b96
--- /dev/null
+++ b/docs/reference/metricbeat/directory-layout.md
@@ -0,0 +1,70 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/directory-layout.html
+---
+
+# Directory layout [directory-layout]
+
+The directory layout of an installation is as follows:
+
+::::{tip}
+Archive installation has a different layout. See [zip, tar.gz, or tgz](#directory-layout-archive).
+::::
+
+
+| Type | Description | Default Location | Config Option |
+| --- | --- | --- | --- |
+| home | Home of the Metricbeat installation. |  | `path.home` |
+| bin | The location for the binary files. | `{path.home}/bin` |  |
+| config | The location for configuration files. | `{path.home}` | `path.config` |
+| data | The location for persistent data files. | `{path.home}/data` | `path.data` |
+| logs | The location for the logs created by Metricbeat. | `{path.home}/logs` | `path.logs` |
+
+You can change these settings by using CLI flags or setting [path options](/reference/metricbeat/configuration-path.md) in the configuration file.
+
+## Default paths [_default_paths]
+
+Metricbeat uses the following default paths unless you explicitly change them.
+
+
+#### deb and rpm [_deb_and_rpm]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Metricbeat installation. | `/usr/share/metricbeat` |
+| bin | The location for the binary files. | `/usr/share/metricbeat/bin` |
+| config | The location for configuration files. | `/etc/metricbeat` |
+| data | The location for persistent data files. | `/var/lib/metricbeat` |
+| logs | The location for the logs created by Metricbeat. | `/var/log/metricbeat` |
+
+For the deb and rpm distributions, these paths are set in the init script or in the systemd unit file.  Make sure that you start the Metricbeat service by using the preferred operating system method (init scripts or `systemctl`). Otherwise the paths might be set incorrectly.
+
+
+#### docker [_docker]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Metricbeat installation. | `/usr/share/metricbeat` |
+| bin | The location for the binary files. | `/usr/share/metricbeat` |
+| config | The location for configuration files. | `/usr/share/metricbeat` |
+| data | The location for persistent data files. | `/usr/share/metricbeat/data` |
+| logs | The location for the logs created by Metricbeat. | `/usr/share/metricbeat/logs` |
+
+
+#### zip, tar.gz, or tgz [directory-layout-archive]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Metricbeat installation. | `{extract.path}` |
+| bin | The location for the binary files. | `{extract.path}` |
+| config | The location for configuration files. | `{extract.path}` |
+| data | The location for persistent data files. | `{extract.path}/data` |
+| logs | The location for the logs created by Metricbeat. | `{extract.path}/logs` |
+
+For the zip, tar.gz, or tgz distributions, these paths are based on the location of the extracted binary file. This means that if you start Metricbeat with the following simple command, all paths are set correctly:
+
+```sh
+./metricbeat
+```
+
+
diff --git a/docs/reference/metricbeat/discard-output.md b/docs/reference/metricbeat/discard-output.md
new file mode 100644
index 000000000000..d5e0427389d5
--- /dev/null
+++ b/docs/reference/metricbeat/discard-output.md
@@ -0,0 +1,37 @@
+---
+navigation_title: "Discard"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/discard-output.html
+---
+
+# Configure the Discard output [discard-output]
+
+
+The Discard output throws away data.
+
+::::{warning}
+The Discard output should be used only for development or debugging issues. Data is lost.
+::::
+
+
+This can be useful if you want to work on your input configuration without needing to configure an output. It can also be useful to test how changes in input and processor configuration affect performance.
+
+Example configuration:
+
+```yaml
+output.discard:
+  enabled: true
+```
+
+## Configuration options [_configuration_options_8]
+
+You can specify the following `output.discard` options in the `metricbeat.yml` config file:
+
+### `enabled` [_enabled_8]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+
diff --git a/docs/reference/metricbeat/dissect.md b/docs/reference/metricbeat/dissect.md
new file mode 100644
index 000000000000..d6c2b66f1bdc
--- /dev/null
+++ b/docs/reference/metricbeat/dissect.md
@@ -0,0 +1,95 @@
+---
+navigation_title: "dissect"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/dissect.html
+---
+
+# Dissect strings [dissect]
+
+
+The `dissect` processor tokenizes incoming strings using defined patterns.
+
+```yaml
+processors:
+  - dissect:
+      tokenizer: "%{key1} %{key2} %{key3|convert_datatype}"
+      field: "message"
+      target_prefix: "dissect"
+```
+
+The `dissect` processor has the following configuration settings:
+
+`tokenizer`
+:   The field used to define the **dissection** pattern. Optional convert datatype can be provided after the key using `|` as separator to convert the value from string to integer, long, float, double, boolean or ip.
+
+`field`
+:   (Optional) The event field to tokenize. Default is `message`.
+
+`target_prefix`
+:   (Optional) The name of the field where the values will be extracted. When an empty string is defined, the processor will create the keys at the root of the event. Default is `dissect`. When the target key already exists in the event, the processor won’t replace it and log an error; you need to either drop or rename the key before using dissect, or enable the `overwrite_keys` flag.
+
+`ignore_failure`
+:   (Optional) Flag to control whether the processor returns an error if the tokenizer fails to match the message field. If set to true, the processor will silently restore the original event, allowing execution of subsequent processors (if any). If set to false (default), the processor will log an error, preventing execution of other processors.
+
+`overwrite_keys`
+:   (Optional) When set to true, the processor will overwrite existing keys in the event. The default is false, which causes the processor to fail when a key already exists.
+
+`trim_values`
+:   (Optional) Enables the trimming of the extracted values. Useful to remove leading and/or trailing spaces. Possible values are:
+
+    * `none`: (default) no trimming is performed.
+    * `left`: values are trimmed on the left (leading).
+    * `right`: values are trimmed on the right (trailing).
+    * `all`: values are trimmed for leading and trailing.
+
+
+`trim_chars`
+:   (Optional) Set of characters to trim from values, when trimming is enabled. The default is to trim the space character (`" "`). To trim multiple characters, simply set it to a string containing all characters to trim. For example, `trim_chars: " \t"` will trim spaces and/or tabs.
+
+For tokenization to be successful, all keys must be found and extracted, if one of them cannot be found an error will be logged and no modification is done on the original event.
+
+::::{note}
+A key can contain any characters except reserved suffix or prefix modifiers:  `/`,`&`, `+`, `#` and `?`.
+::::
+
+
+See [Conditions](/reference/metricbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+## Dissect example [dissect-example]
+
+For this example, imagine that an application generates the following messages:
+
+```sh
+"321 - App01 - WebServer is starting"
+"321 - App01 - WebServer is up and running"
+"321 - App01 - WebServer is scaling 2 pods"
+"789 - App02 - Database is will be restarted in 5 minutes"
+"789 - App02 - Database is up and running"
+"789 - App02 - Database is refreshing tables"
+```
+
+Use the `dissect` processor to split each message into three fields, for example, `service.pid`, `service.name` and `service.status`:
+
+```yaml
+processors:
+  - dissect:
+      tokenizer: '"%{service.pid|integer} - %{service.name} - %{service.status}"'
+      field: "message"
+      target_prefix: ""
+```
+
+This configuration produces fields like:
+
+```json
+"service": {
+  "pid": 321,
+  "name": "App01",
+  "status": "WebServer is up and running"
+},
+```
+
+`service.name` is an ECS [keyword field](elasticsearch://reference/elasticsearch/mapping-reference/keyword.md), which means that you can use it in {{es}} for filtering, sorting, and aggregations.
+
+When possible, use ECS-compatible field names. For more information, see the [Elastic Common Schema](ecs://reference/index.md) documentation.
+
+
diff --git a/docs/reference/metricbeat/drop-event.md b/docs/reference/metricbeat/drop-event.md
new file mode 100644
index 000000000000..f3cfcfab001d
--- /dev/null
+++ b/docs/reference/metricbeat/drop-event.md
@@ -0,0 +1,20 @@
+---
+navigation_title: "drop_event"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/drop-event.html
+---
+
+# Drop events [drop-event]
+
+
+The `drop_event` processor drops the entire event if the associated condition is fulfilled. The condition is mandatory, because without one, all the events are dropped.
+
+```yaml
+processors:
+  - drop_event:
+      when:
+        condition
+```
+
+See [Conditions](/reference/metricbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/metricbeat/drop-fields.md b/docs/reference/metricbeat/drop-fields.md
new file mode 100644
index 000000000000..7a4563721b0b
--- /dev/null
+++ b/docs/reference/metricbeat/drop-fields.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "drop_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/drop-fields.html
+---
+
+# Drop fields from events [drop-fields]
+
+
+The `drop_fields` processor specifies which fields to drop if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always dropped. The `@timestamp` and `type` fields cannot be dropped, even if they show up in the `drop_fields` list.
+
+```yaml
+processors:
+  - drop_fields:
+      when:
+        condition
+      fields: ["field1", "field2", ...]
+      ignore_missing: false
+```
+
+See [Conditions](/reference/metricbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+::::{note}
+If you define an empty list of fields under `drop_fields`, then no fields are dropped.
+::::
+
+
+The `drop_fields` processor has the following configuration settings:
+
+`fields`
+:   If non-empty, a list of matching field names will be removed. Any element in array can contain a regular expression delimited by two slashes (*/reg_exp/*), in order to match (name) and remove more than one field.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
diff --git a/docs/reference/metricbeat/elasticsearch-output.md b/docs/reference/metricbeat/elasticsearch-output.md
new file mode 100644
index 000000000000..a9b81a8ba1f7
--- /dev/null
+++ b/docs/reference/metricbeat/elasticsearch-output.md
@@ -0,0 +1,520 @@
+---
+navigation_title: "Elasticsearch"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/elasticsearch-output.html
+---
+
+# Configure the Elasticsearch output [elasticsearch-output]
+
+
+The Elasticsearch output sends events directly to Elasticsearch using the Elasticsearch HTTP API.
+
+Example configuration:
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"] <1>
+```
+
+1. To enable SSL, add `https` to all URLs defined under *hosts*.
+
+
+When sending data to a secured cluster through the `elasticsearch` output, Metricbeat can use any of the following authentication methods:
+
+* Basic authentication credentials (username and password).
+* Token-based (API key) authentication.
+* Public Key Infrastructure (PKI) certificates.
+
+**Basic authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  username: "metricbeat_writer"
+  password: "{pwd}"
+```
+
+**API key authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  api_key: "ZCV7VnwBgnX0T19fN8Qe:KnR6yE41RrSowb0kQ0HWoA"
+```
+
+**PKI certificate authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  ssl.certificate: "/etc/pki/client/cert.pem"
+  ssl.key: "/etc/pki/client/cert.key"
+```
+
+See [*Secure communication with Elasticsearch*](/reference/metricbeat/securing-communication-elasticsearch.md) for details on each authentication method.
+
+## Compatibility [_compatibility]
+
+This output works with all compatible versions of Elasticsearch. See the [Elastic Support Matrix](https://www.elastic.co/support/matrix#matrix_compatibility).
+
+Optionally, you can set Metricbeat to only connect to instances that are at least on the same version as the Beat. The check can be enabled by setting `output.elasticsearch.allow_older_versions` to `false`. Leaving the setting at it’s default value of `true` avoids an issue where Metricbeat cannot connect to {{es}} after having been upgraded to a version higher than the {{stack}}.
+
+
+## Configuration options [_configuration_options_2]
+
+You can specify the following options in the `elasticsearch` section of the `metricbeat.yml` config file:
+
+### `enabled` [_enabled_2]
+
+The enabled config is a boolean setting to enable or disable the output. If set to `false`, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [hosts-option]
+
+The list of Elasticsearch nodes to connect to. The events are distributed to these nodes in round robin order. If one node becomes unreachable, the event is automatically sent to another node. Each Elasticsearch node can be defined as a `URL` or `IP:PORT`. For example: `http://192.15.3.2`, `https://es.found.io:9230` or `192.24.3.2:9300`. If no port is specified, `9200` is used.
+
+::::{note}
+When a node is defined as an `IP:PORT`, the *scheme* and *path* are taken from the [`protocol`](#protocol-option) and [`path`](#path-option) config options.
+::::
+
+
+```yaml
+output.elasticsearch:
+  hosts: ["10.45.3.2:9220", "10.45.3.1:9230"] <1>
+  protocol: https
+  path: /elasticsearch
+```
+
+1. In the previous example, the Elasticsearch nodes are available at `https://10.45.3.2:9220/elasticsearch` and `https://10.45.3.1:9230/elasticsearch`.
+
+
+### `compression_level` [compression-level-option]
+
+The gzip compression level. Setting this value to `0` disables compression. The compression level must be in the range of `1` (best speed) to `9` (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the cpu usage.
+
+The default value is `1`.
+
+
+### `escape_html` [_escape_html]
+
+Configure escaping of HTML in strings. Set to `true` to enable escaping.
+
+The default value is `false`.
+
+
+### `worker` or `workers` [worker-option]
+
+The number of workers per configured host publishing events to Elasticsearch. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+The default value is `1`.
+
+
+### `loadbalance` [_loadbalance]
+
+When `loadbalance: true` is set, Metricbeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Metricbeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Metricbeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Metricbeat can connect to at least one of its configured hosts.
+
+The default value is `true`.
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200", "localhost:9201"]
+  loadbalance: true
+```
+
+
+### `api_key` [_api_key]
+
+Instead of using a username and password, you can use API keys to secure communication with {{es}}. The value must be the ID of the API key and the API key joined by a colon: `id:api_key`.
+
+See [*Grant access using API keys*](/reference/metricbeat/beats-api-keys.md) for more information.
+
+
+### `username` [_username_2]
+
+The basic authentication username for connecting to Elasticsearch.
+
+This user needs the privileges required to publish events to {{es}}. To create a user like this, see [Create a *publishing* user](/reference/metricbeat/privileges-to-publish-events.md).
+
+
+### `password` [_password_2]
+
+The basic authentication password for connecting to Elasticsearch.
+
+
+### `parameters` [_parameters]
+
+Dictionary of HTTP parameters to pass within the url with index operations.
+
+
+### `protocol` [protocol-option]
+
+The name of the protocol Elasticsearch is reachable on. The options are: `http` or `https`. The default is `http`. However, if you specify a URL for [`hosts`](#hosts-option), the value of `protocol` is overridden by whatever scheme you specify in the URL.
+
+
+### `path` [path-option]
+
+An HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where Elasticsearch listens behind an HTTP reverse proxy that exports the API under a custom prefix.
+
+
+### `headers` [_headers_2]
+
+Custom HTTP headers to add to each request created by the Elasticsearch output. Example:
+
+```yaml
+output.elasticsearch.headers:
+  X-My-Header: Header contents
+```
+
+It is possible to specify multiple header values for the same header name by separating them with a comma.
+
+
+### `proxy_disable` [_proxy_disable]
+
+If set to `true` all proxy settings, including `HTTP_PROXY` and `HTTPS_PROXY` variables are ignored.
+
+
+### `proxy_url` [_proxy_url]
+
+The URL of the proxy to use when connecting to the Elasticsearch servers. The value must be a complete URL. If a value is not specified through the configuration file then proxy environment variables are used. See the [Go documentation](https://golang.org/pkg/net/http/#ProxyFromEnvironment) for more information about the environment variables.
+
+
+### `proxy_headers` [_proxy_headers]
+
+Additional headers to send to proxies during CONNECT requests.
+
+
+### `index` [index-option-es]
+
+The indexing target to write events to. Can point to an [index](https://www.elastic.co/guide/en/elasticsearch/reference/current/index-mgmt.html), [alias](docs-content://manage-data/data-store/aliases.md), or [data stream](docs-content://manage-data/data-store/data-streams.md). When using daily indices, this will be the index name. The default is `"metricbeat-%{[agent.version]}-%{+yyyy.MM.dd}"`, for example, `"metricbeat-9.0.0-beta1-2025-01-30"`. If you change this setting, you also need to configure the `setup.template.name` and `setup.template.pattern` options (see [Elasticsearch index template](/reference/metricbeat/configuration-template.md)).
+
+If you are using the pre-built Kibana dashboards, you also need to set the `setup.dashboards.index` option (see [Kibana dashboards](/reference/metricbeat/configuration-dashboards.md)).
+
+When [index lifecycle management (ILM)](/reference/metricbeat/ilm.md) is enabled, the default `index` is `"metricbeat-%{[agent.version]}-%{+yyyy.MM.dd}-%{{index_num}}"`, for example, `"metricbeat-9.0.0-beta1-2025-01-30-000001"`. Custom `index` settings are ignored when ILM is enabled. If you’re sending events to a cluster that supports index lifecycle management, see [Index lifecycle management (ILM)](/reference/metricbeat/ilm.md) to learn how to change the index name.
+
+You can set the index dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_type`, to set the index:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  index: "%{[fields.log_type]}-%{[agent.version]}-%{+yyyy.MM.dd}" <1>
+```
+
+1. We recommend including `agent.version` in the name to avoid mapping issues when you upgrade.
+
+
+With this configuration, all events with `log_type: normal` are sent to an index named `normal-9.0.0-beta1-2025-01-30`, and all events with `log_type: critical` are sent to an index named `critical-9.0.0-beta1-2025-01-30`.
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/metricbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`indices`](#indices-option-es) setting for other ways to set the index dynamically.
+
+
+### `indices` [indices-option-es]
+
+An array of index selector rules. Each rule specifies the index to use for events that match the rule. During publishing, Metricbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `indices` setting is missing or no rule matches, the [`index`](#index-option-es) setting is used.
+
+Similar to `index`, defining custom `indices` will disable [Index lifecycle management (ILM)](/reference/metricbeat/ilm.md).
+
+Rule settings:
+
+**`index`**
+:   The index format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `index` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/metricbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sets the index based on whether the `message` field contains the specified string:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  indices:
+    - index: "warning-%{[agent.version]}-%{+yyyy.MM.dd}"
+      when.contains:
+        message: "WARN"
+    - index: "error-%{[agent.version]}-%{+yyyy.MM.dd}"
+      when.contains:
+        message: "ERR"
+```
+
+This configuration results in indices named `warning-9.0.0-beta1-2025-01-30` and `error-9.0.0-beta1-2025-01-30` (plus the default index if no matches are found).
+
+The following example sets the index by taking the name returned by the `index` format string and mapping it to a new name that’s used for the index:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  indices:
+    - index: "%{[fields.log_type]}"
+      mappings:
+        critical: "sev1"
+        normal: "sev2"
+      default: "sev3"
+```
+
+This configuration results in indices named `sev1`, `sev2`, and `sev3`.
+
+The `mappings` setting simplifies the configuration, but is limited to string values. You cannot specify format strings within the mapping pairs.
+
+
+### `ilm` [ilm-es]
+
+Configuration options for index lifecycle management.
+
+See [Index lifecycle management (ILM)](/reference/metricbeat/ilm.md) for more information.
+
+
+### `pipeline` [pipeline-option-es]
+
+A format string value that specifies the ingest pipeline to write events to.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipeline: my_pipeline_id
+```
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+For more information, see [*Parse data using an ingest pipeline*](/reference/metricbeat/configuring-ingest-node.md).
+
+You can set the ingest pipeline dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_type`, to set the pipeline for each event:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipeline: "%{[fields.log_type]}_pipeline"
+```
+
+With this configuration, all events with `log_type: normal` are sent to a pipeline named `normal_pipeline`, and all events with `log_type: critical` are sent to a pipeline named `critical_pipeline`.
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/metricbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`pipelines`](#pipelines-option-es) setting for other ways to set the ingest pipeline dynamically.
+
+
+### `pipelines` [pipelines-option-es]
+
+An array of pipeline selector rules. Each rule specifies the ingest pipeline to use for events that match the rule. During publishing, Metricbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `pipelines` setting is missing or no rule matches, the [`pipeline`](#pipeline-option-es) setting is used.
+
+Rule settings:
+
+**`pipeline`**
+:   The pipeline format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `pipeline` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/metricbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sends events to a specific pipeline based on whether the `message` field contains the specified string:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipelines:
+    - pipeline: "warning_pipeline"
+      when.contains:
+        message: "WARN"
+    - pipeline: "error_pipeline"
+      when.contains:
+        message: "ERR"
+```
+
+The following example sets the pipeline by taking the name returned by the `pipeline` format string and mapping it to a new name that’s used for the pipeline:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipelines:
+    - pipeline: "%{[fields.log_type]}"
+      mappings:
+        critical: "sev1_pipeline"
+        normal: "sev2_pipeline"
+      default: "sev3_pipeline"
+```
+
+With this configuration, all events with `log_type: critical` are sent to `sev1_pipeline`, all events with `log_type: normal` are sent to a `sev2_pipeline`, and all other events are sent to `sev3_pipeline`.
+
+For more information about ingest pipelines, see [*Parse data using an ingest pipeline*](/reference/metricbeat/configuring-ingest-node.md).
+
+
+### `max_retries` [_max_retries]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `bulk_max_size` [bulk-max-size-option]
+
+The maximum number of events to bulk in a single Elasticsearch bulk API index request. The default is 1600.
+
+Events can be collected into batches. Metricbeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `backoff.init` [backoff-init-option]
+
+The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting `backoff.init` seconds, Metricbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is `1s`.
+
+
+### `backoff.max` [backoff-max-option]
+
+The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. The default is `60s`.
+
+
+### `idle_connection_timeout` [idle-connection-timeout-option]
+
+The maximum amount of time an idle connection will remain idle before closing itself. Zero means no limit. The format is a Go language duration (example 60s is 60 seconds). The default is 3s.
+
+
+### `timeout` [_timeout_2]
+
+The http request timeout in seconds for the Elasticsearch request. The default is 90.
+
+
+### `allow_older_versions` [_allow_older_versions]
+
+By default, Metricbeat expects the Elasticsearch instance to be on the same or newer version to provide optimal experience. We suggest you connect to the same version to make sure all features Metricbeat is using are available in your Elasticsearch instance.
+
+You can disable the check for example during updating the Elastic Stack, so data collection can go on.
+
+
+### `ssl` [_ssl_2]
+
+Configuration options for SSL parameters like the certificate authority to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to Elasticsearch.
+
+See the [secure communication with {{es}}](/reference/metricbeat/securing-communication-elasticsearch.md) guide or [SSL configuration reference](/reference/metricbeat/configuration-ssl.md) for more information.
+
+
+### `kerberos` [_kerberos]
+
+Configuration options for Kerberos authentication.
+
+See [Kerberos](/reference/metricbeat/configuration-kerberos.md) for more information.
+
+
+### `queue` [_queue]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/metricbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `metricbeat.yml` or the `output` section but not both. ===== `non_indexable_policy`
+
+Specifies the behavior when the elasticsearch cluster explicitly rejects documents, for example on mapping conflicts.
+
+#### `drop` [_drop]
+
+The default behaviour, when an event is explicitly rejected by elasticsearch it is dropped.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  non_indexable_policy.drop: ~
+```
+
+
+#### `dead_letter_index` [_dead_letter_index]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+On an explicit rejection, this policy will retry the event in the next batch. However, the target index will change to index specified. In addition, the structure of the event will be change to the following fields:
+
+message
+:   Contains the escaped json of the original event.
+
+error.type
+:   Contains the status code
+
+error.message
+:   Contains status returned by elasticsearch, describing the reason
+
+`index`
+:   The index to send rejected events to.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  non_indexable_policy.dead_letter_index:
+    index: "my-dead-letter-index"
+```
+
+
+
+### `preset` [_preset]
+
+The performance preset to apply to the output configuration.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  preset: balanced
+```
+
+Performance presets apply a set of configuration overrides based on a desired performance goal. If set, a performance preset will override other configuration flags to match the recommended settings for that preset. If a preset doesn’t set a value for a particular field, the user-specified value will be used if present, otherwise the default. Valid options are: * `balanced`: good starting point for general efficiency * `throughput`: good for high data volumes, may increase cpu and memory requirements * `scale`: reduces ambient resource use in large low-throughput deployments * `latency`: minimize the time for fresh data to become visible in Elasticsearch * `custom`: apply user configuration directly with no overrides
+
+The default if unspecified is `custom`.
+
+Presets represent current recommendations based on the intended goal; their effect may change between versions to better suit those goals. Currently the presets have the following effects:
+
+| preset | balanced | throughput | scale | latency |
+| --- | --- | --- | --- | --- |
+| [`bulk_max_size`](#bulk-max-size-option) | 1600 | 1600 | 1600 | 50 |
+| [`worker`](#worker-option) | 1 | 4 | 1 | 1 |
+| [`queue.mem.events`](/reference/metricbeat/configuring-internal-queue.md#queue-mem-events-option) | 3200 | 12800 | 3200 | 4100 |
+| [`queue.mem.flush.min_events`](/reference/metricbeat/configuring-internal-queue.md#queue-mem-flush-min-events-option) | 1600 | 1600 | 1600 | 2050 |
+| [`queue.mem.flush.timeout`](/reference/metricbeat/configuring-internal-queue.md#queue-mem-flush-timeout-option) | `10s` | `5s` | `20s` | `1s` |
+| [`compression_level`](#compression-level-option) | 1 | 1 | 1 | 1 |
+| [`idle_connection_timeout`](#idle-connection-timeout-option) | `3s` | `15s` | `1s` | `60s` |
+| [`backoff.init`](#backoff-init-option) | none | none | `5s` | none |
+| [`backoff.max`](#backoff-max-option) | none | none | `300s` | none |
+
+
+
+## Elasticsearch APIs [es-apis]
+
+Metricbeat will use the `_bulk` API from {{es}}, the events are sent in the order they arrive to the publishing pipeline, a single `_bulk` request may contain events from different inputs/modules. Temporary failures are re-tried.
+
+The status code for each event is checked and handled as:
+
+* `< 300`: The event is counted as `events.acked`
+* `409` (Conflict): The event is counted as `events.duplicates`
+* `429` (Too Many Requests): The event is counted as `events.toomany`
+* `> 399 and < 500`: The `non_indexable_policy` is applied.
+
+
diff --git a/docs/reference/metricbeat/enable-metricbeat-debugging.md b/docs/reference/metricbeat/enable-metricbeat-debugging.md
new file mode 100644
index 000000000000..638003414837
--- /dev/null
+++ b/docs/reference/metricbeat/enable-metricbeat-debugging.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/enable-metricbeat-debugging.html
+---
+
+# Debug [enable-metricbeat-debugging]
+
+By default, Metricbeat sends all its output to syslog. When you run Metricbeat in the foreground, you can use the `-e` command line flag to redirect the output to standard error instead. For example:
+
+```sh
+metricbeat -e
+```
+
+The default configuration file is metricbeat.yml (the location of the file varies by platform). You can use a different configuration file by specifying the `-c` flag. For example:
+
+```sh
+metricbeat -e -c mymetricbeatconfig.yml
+```
+
+You can increase the verbosity of debug messages by enabling one or more debug selectors. For example, to view publisher-related messages, start Metricbeat with the `publisher` selector:
+
+```sh
+metricbeat -e -d "publisher"
+```
+
+If you want all the debugging output (fair warning, it’s quite a lot), you can use `*`, like this:
+
+```sh
+metricbeat -e -d "*"
+```
+
diff --git a/docs/reference/metricbeat/error-event-structure.md b/docs/reference/metricbeat/error-event-structure.md
new file mode 100644
index 000000000000..fa262190569e
--- /dev/null
+++ b/docs/reference/metricbeat/error-event-structure.md
@@ -0,0 +1,34 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/error-event-structure.html
+---
+
+# Error event structure [error-event-structure]
+
+Metricbeat sends an error event when the service is not reachable. The error event has the same structure as the [base event](/reference/metricbeat/metricbeat-event-structure.md), but also has an error field that contains an error string. This makes it possible to check for errors across all metric events.
+
+The following example shows an error event sent when the Apache server is not reachable:
+
+```json
+{
+  "@timestamp": "2016-03-18T12:18:57.124Z",
+  "apache-status": {},
+  "beat": {
+    "hostname": "host.example.com",
+    "name": "host.example.com"
+  },
+  "error": {
+    "message": "Get http://127.0.0.1/server-status?auto: dial tcp 127.0.0.1:80: getsockopt: connection refused",
+  },
+  "metricset": {
+    "module": "apache",
+    "name": "status",
+    "rtt": 1082
+  },
+  .
+  .
+  .
+
+  "type": "metricsets"
+```
+
diff --git a/docs/reference/metricbeat/error-found-unexpected-character.md b/docs/reference/metricbeat/error-found-unexpected-character.md
new file mode 100644
index 000000000000..a8d4c9453fa9
--- /dev/null
+++ b/docs/reference/metricbeat/error-found-unexpected-character.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/error-found-unexpected-character.html
+---
+
+# Found unexpected or unknown characters [error-found-unexpected-character]
+
+Either there is a problem with the structure of your config file, or you have used a path or expression that the YAML parser cannot resolve because the config file contains characters that aren’t properly escaped.
+
+If the YAML file contains paths with spaces or unusual characters, wrap the paths in single quotation marks (see [Wrap paths in single quotation marks](/reference/metricbeat/yaml-tips.md#wrap-paths-in-quotes)).
+
+Also see the general advice under [*Avoid YAML formatting problems*](/reference/metricbeat/yaml-tips.md).
+
diff --git a/docs/reference/metricbeat/error-loading-config.md b/docs/reference/metricbeat/error-loading-config.md
new file mode 100644
index 000000000000..b9a56ad342c0
--- /dev/null
+++ b/docs/reference/metricbeat/error-loading-config.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/error-loading-config.html
+---
+
+# Error loading config file [error-loading-config]
+
+You may encounter errors loading the config file on POSIX operating systems if:
+
+* an unauthorized user tries to load the config file, or
+* the config file has the wrong permissions.
+
+See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md) for more about resolving these errors.
+
diff --git a/docs/reference/metricbeat/exported-fields-activemq.md b/docs/reference/metricbeat/exported-fields-activemq.md
new file mode 100644
index 000000000000..6314fea4f7b6
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-activemq.md
@@ -0,0 +1,277 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-activemq.html
+---
+
+# ActiveMQ fields [exported-fields-activemq]
+
+activemq module
+
+
+## activemq [_activemq]
+
+
+## broker [_broker]
+
+Broker metrics from org.apache.activemq:brokerName=*,type=Broker
+
+**`activemq.broker.mbean`**
+:   Mbean that this event is related to
+
+type: keyword
+
+
+**`activemq.broker.name`**
+:   Broker name
+
+type: keyword
+
+
+**`activemq.broker.memory.broker.pct`**
+:   The percentage of the memory limit used.
+
+type: scaled_float
+
+format: percent
+
+
+**`activemq.broker.memory.store.pct`**
+:   Percent of store limit used.
+
+type: scaled_float
+
+format: percent
+
+
+**`activemq.broker.memory.temp.pct`**
+:   The percentage of the temp usage limit used.
+
+type: scaled_float
+
+format: percent
+
+
+**`activemq.broker.connections.count`**
+:   Total number of connections.
+
+type: long
+
+
+**`activemq.broker.consumers.count`**
+:   Number of message consumers.
+
+type: long
+
+
+**`activemq.broker.messages.dequeue.count`**
+:   Number of messages that have been acknowledged on the broker.
+
+type: long
+
+
+**`activemq.broker.messages.enqueue.count`**
+:   Number of messages that have been sent to the destination.
+
+type: long
+
+
+**`activemq.broker.messages.count`**
+:   Number of unacknowledged messages on the broker.
+
+type: long
+
+
+**`activemq.broker.producers.count`**
+:   Number of message producers active on destinations on the broker.
+
+type: long
+
+
+
+## queue [_queue_7]
+
+Queue metrics from org.apache.activemq:brokerName=**,destinationName=**,destinationType=Queue,type=Broker
+
+**`activemq.queue.mbean`**
+:   Mbean that this event is related to
+
+type: keyword
+
+
+**`activemq.queue.name`**
+:   Queue name
+
+type: keyword
+
+
+**`activemq.queue.size`**
+:   Queue size
+
+type: long
+
+
+**`activemq.queue.messages.enqueue.time.avg`**
+:   Average time a message was held on this destination.
+
+type: double
+
+
+**`activemq.queue.messages.size.avg`**
+:   Average message size on this destination.
+
+type: long
+
+
+**`activemq.queue.consumers.count`**
+:   Number of consumers subscribed to this destination.
+
+type: long
+
+
+**`activemq.queue.messages.dequeue.count`**
+:   Number of messages that has been acknowledged (and removed) from the destination.
+
+type: long
+
+
+**`activemq.queue.messages.dispatch.count`**
+:   Number of messages that has been delivered to consumers, including those not acknowledged.
+
+type: long
+
+
+**`activemq.queue.messages.enqueue.count`**
+:   Number of messages that have been sent to the destination.
+
+type: long
+
+
+**`activemq.queue.messages.expired.count`**
+:   Number of messages that have been expired.
+
+type: long
+
+
+**`activemq.queue.messages.inflight.count`**
+:   Number of messages that have been dispatched to, but not acknowledged by, consumers.
+
+type: long
+
+
+**`activemq.queue.messages.enqueue.time.max`**
+:   The longest time a message was held on this destination.
+
+type: long
+
+
+**`activemq.queue.memory.broker.pct`**
+:   Percent of memory limit used.
+
+type: scaled_float
+
+format: percent
+
+
+**`activemq.queue.messages.enqueue.time.min`**
+:   The shortest time a message was held on this destination.
+
+type: long
+
+
+**`activemq.queue.producers.count`**
+:   Number of producers attached to this destination.
+
+type: long
+
+
+
+## topic [_topic]
+
+Topic metrics from org.apache.activemq:brokerName=**,destinationName=**,destinationType=Topic,type=Broker
+
+**`activemq.topic.mbean`**
+:   Mbean that this event is related to
+
+type: keyword
+
+
+**`activemq.topic.name`**
+:   Topic name
+
+type: keyword
+
+
+**`activemq.topic.messages.enqueue.time.avg`**
+:   Average time a message was held on this destination.
+
+type: double
+
+
+**`activemq.topic.messages.size.avg`**
+:   Average message size on this destination.
+
+type: long
+
+
+**`activemq.topic.consumers.count`**
+:   Number of consumers subscribed to this destination.
+
+type: long
+
+
+**`activemq.topic.messages.dequeue.count`**
+:   Number of messages that has been acknowledged (and removed) from the destination.
+
+type: long
+
+
+**`activemq.topic.messages.dispatch.count`**
+:   Number of messages that has been delivered to consumers, including those not acknowledged.
+
+type: long
+
+
+**`activemq.topic.messages.enqueue.count`**
+:   Number of messages that have been sent to the destination.
+
+type: long
+
+
+**`activemq.topic.messages.expired.count`**
+:   Number of messages that have been expired.
+
+type: long
+
+
+**`activemq.topic.messages.inflight.count`**
+:   Number of messages that have been dispatched to, but not acknowledged by, consumers.
+
+type: long
+
+
+**`activemq.topic.messages.enqueue.time.max`**
+:   The longest time a message was held on this destination.
+
+type: long
+
+
+**`activemq.topic.memory.broker.pct`**
+:   Percent of memory limit used.
+
+type: scaled_float
+
+format: percent
+
+
+**`activemq.topic.messages.enqueue.time.min`**
+:   The shortest time a message was held on this destination.
+
+type: long
+
+
+**`activemq.topic.producers.count`**
+:   Number of producers attached to this destination.
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-aerospike.md b/docs/reference/metricbeat/exported-fields-aerospike.md
new file mode 100644
index 000000000000..76252fa9a4cd
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-aerospike.md
@@ -0,0 +1,232 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-aerospike.html
+---
+
+# Aerospike fields [exported-fields-aerospike]
+
+Aerospike module
+
+
+## aerospike [_aerospike]
+
+
+## namespace [_namespace]
+
+namespace
+
+
+## client [_client]
+
+Client stats.
+
+
+## delete [_delete]
+
+Client delete transactions stats.
+
+**`aerospike.namespace.client.delete.error`**
+:   Number of client delete transactions that failed with an error.
+
+type: long
+
+
+**`aerospike.namespace.client.delete.not_found`**
+:   Number of client delete transactions that resulted in a not found.
+
+type: long
+
+
+**`aerospike.namespace.client.delete.success`**
+:   Number of successful client delete transactions.
+
+type: long
+
+
+**`aerospike.namespace.client.delete.timeout`**
+:   Number of client delete transactions that timed out.
+
+type: long
+
+
+
+## read [_read]
+
+Client read transactions stats.
+
+**`aerospike.namespace.client.read.error`**
+:   Number of client read transaction errors.
+
+type: long
+
+
+**`aerospike.namespace.client.read.not_found`**
+:   Number of client read transaction that resulted in not found.
+
+type: long
+
+
+**`aerospike.namespace.client.read.success`**
+:   Number of successful client read transactions.
+
+type: long
+
+
+**`aerospike.namespace.client.read.timeout`**
+:   Number of client read transaction that timed out.
+
+type: long
+
+
+
+## write [_write]
+
+Client write transactions stats.
+
+**`aerospike.namespace.client.write.error`**
+:   Number of client write transactions that failed with an error.
+
+type: long
+
+
+**`aerospike.namespace.client.write.success`**
+:   Number of successful client write transactions.
+
+type: long
+
+
+**`aerospike.namespace.client.write.timeout`**
+:   Number of client write transactions that timed out.
+
+type: long
+
+
+
+## device [_device]
+
+Disk storage stats
+
+**`aerospike.namespace.device.available.pct`**
+:   Measures the minimum contiguous disk space across all disks in a namespace.
+
+type: scaled_float
+
+format: percent
+
+
+**`aerospike.namespace.device.free.pct`**
+:   Percentage of disk capacity free for this namespace.
+
+type: scaled_float
+
+format: percent
+
+
+**`aerospike.namespace.device.total.bytes`**
+:   Total bytes of disk space allocated to this namespace on this node.
+
+type: long
+
+format: bytes
+
+
+**`aerospike.namespace.device.used.bytes`**
+:   Total bytes of disk space used by this namespace on this node.
+
+type: long
+
+format: bytes
+
+
+**`aerospike.namespace.hwm_breached`**
+:   If true, Aerospike has breached *high-water-[disk|memory]-pct* for this namespace.
+
+type: boolean
+
+
+
+## memory [_memory_2]
+
+Memory storage stats.
+
+**`aerospike.namespace.memory.free.pct`**
+:   Percentage of memory capacity free for this namespace on this node.
+
+type: scaled_float
+
+format: percent
+
+
+**`aerospike.namespace.memory.used.data.bytes`**
+:   Amount of memory occupied by data for this namespace on this node.
+
+type: long
+
+format: bytes
+
+
+**`aerospike.namespace.memory.used.index.bytes`**
+:   Amount of memory occupied by the index for this namespace on this node.
+
+type: long
+
+format: bytes
+
+
+**`aerospike.namespace.memory.used.sindex.bytes`**
+:   Amount of memory occupied by secondary indexes for this namespace on this node.
+
+type: long
+
+format: bytes
+
+
+**`aerospike.namespace.memory.used.total.bytes`**
+:   Total bytes of memory used by this namespace on this node.
+
+type: long
+
+format: bytes
+
+
+**`aerospike.namespace.name`**
+:   Namespace name
+
+type: keyword
+
+
+**`aerospike.namespace.node.host`**
+:   Node host
+
+type: keyword
+
+
+**`aerospike.namespace.node.name`**
+:   Node name
+
+type: keyword
+
+
+
+## objects [_objects]
+
+Records stats.
+
+**`aerospike.namespace.objects.master`**
+:   Number of records on this node which are active masters.
+
+type: long
+
+
+**`aerospike.namespace.objects.total`**
+:   Number of records in this namespace for this node.
+
+type: long
+
+
+**`aerospike.namespace.stop_writes`**
+:   If true this namespace is currently not allowing writes.
+
+type: boolean
+
+
diff --git a/docs/reference/metricbeat/exported-fields-airflow.md b/docs/reference/metricbeat/exported-fields-airflow.md
new file mode 100644
index 000000000000..6c2365248a42
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-airflow.md
@@ -0,0 +1,141 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-airflow.html
+---
+
+# Airflow fields [exported-fields-airflow]
+
+Airflow module
+
+**`airflow.*.1m_rate`**
+:   Airflow 1m rate timers metric
+
+type: object
+
+
+**`airflow.*.5m_rate`**
+:   Airflow 5m rate timers metric
+
+type: object
+
+
+**`airflow.*.15m_rate`**
+:   Airflow 15 rate timers metric
+
+type: object
+
+
+**`airflow.*.count`**
+:   Airflow counters
+
+type: object
+
+
+**`airflow.*.max`**
+:   Airflow max timers metric
+
+type: object
+
+
+**`airflow.*.mean_rate`**
+:   Airflow mean rate timers metric
+
+type: object
+
+
+**`airflow.*.mean`**
+:   Airflow mean timers metric
+
+type: object
+
+
+**`airflow.*.median`**
+:   Airflow median timers metric
+
+type: object
+
+
+**`airflow.*.min`**
+:   Airflow min timers metric
+
+type: object
+
+
+**`airflow.*.p75`**
+:   Airflow 75 percentile timers metric
+
+type: object
+
+
+**`airflow.*.p95`**
+:   Airflow 95 percentile timers metric
+
+type: object
+
+
+**`airflow.*.p99_9`**
+:   Airflow 99.9 percentile timers metric
+
+type: object
+
+
+**`airflow.*.p99`**
+:   Airflow 99 percentile timers metric
+
+type: object
+
+
+**`airflow.*.stddev`**
+:   Airflow standard deviation timers metric
+
+type: object
+
+
+**`airflow.*.value`**
+:   Airflow gauges
+
+type: object
+
+
+**`airflow.dag_file`**
+:   Airflow dag file metadata
+
+type: keyword
+
+
+**`airflow.dag_id`**
+:   Airflow dag id metadata
+
+type: keyword
+
+
+**`airflow.job_name`**
+:   Airflow job name metadata
+
+type: keyword
+
+
+**`airflow.operator_name`**
+:   Airflow operator name metadata
+
+type: keyword
+
+
+**`airflow.pool_name`**
+:   Airflow pool name metadata
+
+type: keyword
+
+
+**`airflow.status`**
+:   Airflow status metadata
+
+type: keyword
+
+
+**`airflow.task_id`**
+:   Airflow task id metadata
+
+type: keyword
+
+
diff --git a/docs/reference/metricbeat/exported-fields-apache.md b/docs/reference/metricbeat/exported-fields-apache.md
new file mode 100644
index 000000000000..9b43c1d93f38
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-apache.md
@@ -0,0 +1,248 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-apache.html
+---
+
+# Apache fields [exported-fields-apache]
+
+Apache HTTPD server metricsets collected from the Apache web server.
+
+
+## apache [_apache]
+
+`apache` contains the metrics that were scraped from Apache.
+
+
+## status [_status]
+
+`status` contains the metrics that were scraped from the Apache status page.
+
+**`apache.status.hostname`**
+:   Apache hostname.
+
+type: keyword
+
+
+**`apache.status.total_accesses`**
+:   Total number of access requests.
+
+type: long
+
+
+**`apache.status.total_kbytes`**
+:   Total number of kilobytes served.
+
+type: long
+
+
+**`apache.status.requests_per_sec`**
+:   Requests per second.
+
+type: scaled_float
+
+
+**`apache.status.bytes_per_sec`**
+:   Bytes per second.
+
+type: scaled_float
+
+
+**`apache.status.bytes_per_request`**
+:   Bytes per request.
+
+type: scaled_float
+
+
+**`apache.status.workers.busy`**
+:   Number of busy workers.
+
+type: long
+
+
+**`apache.status.workers.idle`**
+:   Number of idle workers.
+
+type: long
+
+
+
+## uptime [_uptime_2]
+
+Uptime stats.
+
+**`apache.status.uptime.server_uptime`**
+:   Server uptime in seconds.
+
+type: long
+
+
+**`apache.status.uptime.uptime`**
+:   Server uptime.
+
+type: long
+
+
+
+## cpu [_cpu_2]
+
+CPU stats.
+
+**`apache.status.cpu.load`**
+:   CPU Load.
+
+type: scaled_float
+
+
+**`apache.status.cpu.user`**
+:   CPU user load.
+
+type: scaled_float
+
+
+**`apache.status.cpu.system`**
+:   System cpu.
+
+type: scaled_float
+
+
+**`apache.status.cpu.children_user`**
+:   CPU of children user.
+
+type: scaled_float
+
+
+**`apache.status.cpu.children_system`**
+:   CPU of children system.
+
+type: scaled_float
+
+
+
+## connections [_connections]
+
+Connection stats.
+
+**`apache.status.connections.total`**
+:   Total connections.
+
+type: long
+
+
+**`apache.status.connections.async.writing`**
+:   Async connection writing.
+
+type: long
+
+
+**`apache.status.connections.async.keep_alive`**
+:   Async keeped alive connections.
+
+type: long
+
+
+**`apache.status.connections.async.closing`**
+:   Async closed connections.
+
+type: long
+
+
+
+## load [_load_2]
+
+Load averages.
+
+**`apache.status.load.1`**
+:   Load average for the last minute.
+
+type: scaled_float
+
+
+**`apache.status.load.5`**
+:   Load average for the last 5 minutes.
+
+type: scaled_float
+
+
+**`apache.status.load.15`**
+:   Load average for the last 15 minutes.
+
+type: scaled_float
+
+
+
+## scoreboard [_scoreboard]
+
+Scoreboard metrics.
+
+**`apache.status.scoreboard.starting_up`**
+:   Starting up.
+
+type: long
+
+
+**`apache.status.scoreboard.reading_request`**
+:   Reading requests.
+
+type: long
+
+
+**`apache.status.scoreboard.sending_reply`**
+:   Sending Reply.
+
+type: long
+
+
+**`apache.status.scoreboard.keepalive`**
+:   Keep alive.
+
+type: long
+
+
+**`apache.status.scoreboard.dns_lookup`**
+:   Dns Lookups.
+
+type: long
+
+
+**`apache.status.scoreboard.closing_connection`**
+:   Closing connections.
+
+type: long
+
+
+**`apache.status.scoreboard.logging`**
+:   Logging
+
+type: long
+
+
+**`apache.status.scoreboard.gracefully_finishing`**
+:   Gracefully finishing.
+
+type: long
+
+
+**`apache.status.scoreboard.idle_cleanup`**
+:   Idle cleanups.
+
+type: long
+
+
+**`apache.status.scoreboard.open_slot`**
+:   Open slots.
+
+type: long
+
+
+**`apache.status.scoreboard.waiting_for_connection`**
+:   Waiting for connections.
+
+type: long
+
+
+**`apache.status.scoreboard.total`**
+:   Total.
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-aws.md b/docs/reference/metricbeat/exported-fields-aws.md
new file mode 100644
index 000000000000..4c262d9eba84
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-aws.md
@@ -0,0 +1,2290 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-aws.html
+---
+
+# AWS fields [exported-fields-aws]
+
+`aws` module collects AWS monitoring metrics from AWS Cloudwatch.
+
+
+## aws [_aws]
+
+**`aws.tags.*`**
+:   Tag key value pairs from aws resources.
+
+type: object
+
+
+**`aws.s3.bucket.name`**
+:   Name of a S3 bucket.
+
+type: keyword
+
+
+**`aws.dimensions.*`**
+:   Metric dimensions.
+
+type: object
+
+
+**`aws.*.metrics.*.*`**
+:   Metrics that returned from Cloudwatch API query.
+
+type: object
+
+
+**`aws.linked_account.id`**
+:   ID used to identify linked account.
+
+type: keyword
+
+
+**`aws.linked_account.name`**
+:   Name or alias used to identify linked account.
+
+type: keyword
+
+
+
+## awshealth [_awshealth]
+
+AWS Health metrics
+
+**`aws.awshealth.affected_entities_others`**
+:   The number of affected resources related to the event whose status cannot be verified.
+
+type: float
+
+
+**`aws.awshealth.affected_entities_pending`**
+:   The number of affected resources that may require action.
+
+type: float
+
+
+**`aws.awshealth.affected_entities_resolved`**
+:   The number of affected resources that do not require any action.
+
+type: float
+
+
+**`aws.awshealth.end_time`**
+:   The date and time when the event ended. Some events may not have an end date.
+
+type: date
+
+
+**`aws.awshealth.event_arn`**
+:   The unique identifier for the event. The event ARN has the format arn:aws:health:event-region::event/SERVICE/EVENT_TYPE_CODE/EVENT_TYPE_PLUS_ID.
+
+type: keyword
+
+
+**`aws.awshealth.event_scope_code`**
+:   This parameter specifies whether the Health event is a public Amazon Web Service event or an account-specific event. Allowed values are PUBLIC, ACCOUNT_SPECIFIC, or NONE.
+
+type: keyword
+
+
+**`aws.awshealth.event_type_category`**
+:   The event type category code. Possible values are issue, accountNotification, or scheduledChange.
+
+type: keyword
+
+
+**`aws.awshealth.event_type_code`**
+:   The unique identifier for the event type. The format is AWS_SERVICE_DESCRIPTION.
+
+type: keyword
+
+
+**`aws.awshealth.last_updated_time`**
+:   The most recent date and time when the event was updated.
+
+type: date
+
+
+**`aws.awshealth.region`**
+:   The Amazon Web Services Region name of the event.
+
+type: keyword
+
+
+**`aws.awshealth.service`**
+:   The Amazon Web Service affected by the event. For example, EC2 or RDS.
+
+type: keyword
+
+
+**`aws.awshealth.start_time`**
+:   The date and time when the event began.
+
+type: date
+
+
+**`aws.awshealth.status_code`**
+:   The most recent status of the event. Possible values are open, closed, and upcoming.
+
+type: keyword
+
+
+**`aws.awshealth.event_description`**
+:   The detailed description of the event.
+
+type: text
+
+
+**`aws.awshealth.affected_entities`**
+:   Information about an entity affected by a AWS Health event.
+
+type: array
+
+
+**`aws.awshealth.affected_entities.aws_account_id`**
+:   The Amazon Web Services account number that contains the affected entity.
+
+type: keyword
+
+
+**`aws.awshealth.affected_entities.entity_url`**
+:   The URL of the affected entity.
+
+type: keyword
+
+
+**`aws.awshealth.affected_entities.entity_value`**
+:   The ID of the affected entity.
+
+type: keyword
+
+
+**`aws.awshealth.affected_entities.last_updated_time`**
+:   The most recent time that the entity was updated.
+
+type: date
+
+
+**`aws.awshealth.affected_entities.status_code`**
+:   The most recent status of the event. Possible values are open, closed, and upcoming.
+
+type: keyword
+
+
+**`aws.awshealth.affected_entities.entity_arn`**
+:   The unique identifier for the entity. The entity ARN has the format: arn:aws:health:entity-region:aws-account:entity/entity-id.
+
+type: keyword
+
+
+
+## billing [_billing_4]
+
+`billing` contains the estimated charges for your AWS account in Cloudwatch.
+
+**`aws.billing.EstimatedCharges`**
+:   Maximum estimated charges for AWS acccount.
+
+type: long
+
+
+**`aws.billing.Currency`**
+:   Estimated charges currency unit.
+
+type: keyword
+
+
+**`aws.billing.ServiceName`**
+:   Service name for the maximum estimated charges.
+
+type: keyword
+
+
+**`aws.billing.AmortizedCost.amount`**
+:   Amortized cost amount
+
+type: double
+
+
+**`aws.billing.AmortizedCost.unit`**
+:   Amortized cost unit
+
+type: keyword
+
+
+**`aws.billing.BlendedCost.amount`**
+:   Blended cost amount
+
+type: double
+
+
+**`aws.billing.BlendedCost.unit`**
+:   Blended cost unit
+
+type: keyword
+
+
+**`aws.billing.NormalizedUsageAmount.amount`**
+:   Normalized usage amount
+
+type: double
+
+
+**`aws.billing.NormalizedUsageAmount.unit`**
+:   Normalized usage amount unit
+
+type: keyword
+
+
+**`aws.billing.UnblendedCost.amount`**
+:   Unblended cost amount
+
+type: double
+
+
+**`aws.billing.UnblendedCost.unit`**
+:   Unblended cost unit
+
+type: keyword
+
+
+**`aws.billing.UsageQuantity.amount`**
+:   Usage quantity amount
+
+type: double
+
+
+**`aws.billing.UsageQuantity.unit`**
+:   Usage quantity unit
+
+type: keyword
+
+
+**`aws.billing.start_date`**
+:   Start date for retrieving AWS costs
+
+type: keyword
+
+
+**`aws.billing.end_date`**
+:   End date for retrieving AWS costs
+
+type: keyword
+
+
+**`aws.billing.group_definition.key`**
+:   The string that represents a key for a specified group
+
+type: keyword
+
+
+**`aws.billing.group_definition.type`**
+:   The string that represents the type of group
+
+type: keyword
+
+
+**`aws.billing.group_by.*`**
+:   Cost explorer group by key values
+
+type: object
+
+
+
+## cloudwatch [_cloudwatch_2]
+
+`cloudwatch` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by different namespaces.
+
+**`aws.cloudwatch.namespace`**
+:   The namespace specified when query cloudwatch api.
+
+type: keyword
+
+
+
+## dynamodb [_dynamodb_2]
+
+`dynamodb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS DynamoDB.
+
+**`aws.dynamodb.metrics.SuccessfulRequestLatency.avg`**
+:   The average latency of successful requests to DynamoDB or Amazon DynamoDB Streams during the specified time period.
+
+type: double
+
+
+**`aws.dynamodb.metrics.SuccessfulRequestLatency.max`**
+:   The maximum latency of successful requests to DynamoDB or Amazon DynamoDB Streams during the specified time period.
+
+type: double
+
+
+**`aws.dynamodb.metrics.OnlineIndexPercentageProgress.avg`**
+:   The percentage of completion when a new global secondary index is being added to a table.
+
+type: double
+
+
+**`aws.dynamodb.metrics.ProvisionedWriteCapacityUnits.avg`**
+:   The number of provisioned write capacity units for a table or a global secondary index.
+
+type: double
+
+
+**`aws.dynamodb.metrics.ProvisionedReadCapacityUnits.avg`**
+:   The number of provisioned read capacity units for a table or a global secondary index.
+
+type: double
+
+
+**`aws.dynamodb.metrics.ConsumedReadCapacityUnits.avg`**
+:   The average number of read capacity units consumed over the specified time period, so you can track how much of your provisioned throughput is used.
+
+type: double
+
+
+**`aws.dynamodb.metrics.ConsumedReadCapacityUnits.sum`**
+:   The sum of read capacity units consumed over the specified time period, so you can track how much of your provisioned throughput is used.
+
+type: long
+
+
+**`aws.dynamodb.metrics.ConsumedWriteCapacityUnits.avg`**
+:   The average number of write capacity units consumed over the specified time period, so you can track how much of your provisioned throughput is used.
+
+type: double
+
+
+**`aws.dynamodb.metrics.ConsumedWriteCapacityUnits.sum`**
+:   The sum of write capacity units consumed over the specified time period, so you can track how much of your provisioned throughput is used.
+
+type: long
+
+
+**`aws.dynamodb.metrics.ReplicationLatency.avg`**
+:   The average elapsed time between an updated item appearing in the DynamoDB stream for one replica table, and that item appearing in another replica in the global table.
+
+type: double
+
+
+**`aws.dynamodb.metrics.ReplicationLatency.max`**
+:   The maximum elapsed time between an updated item appearing in the DynamoDB stream for one replica table, and that item appearing in another replica in the global table.
+
+type: double
+
+
+**`aws.dynamodb.metrics.TransactionConflict.avg`**
+:   Average rejected item-level requests due to transactional conflicts between concurrent requests on the same items.
+
+type: double
+
+
+**`aws.dynamodb.metrics.TransactionConflict.sum`**
+:   Total rejected item-level requests due to transactional conflicts between concurrent requests on the same items.
+
+type: long
+
+
+**`aws.dynamodb.metrics.AccountProvisionedReadCapacityUtilization.avg`**
+:   The average percentage of provisioned read capacity units utilized by the account.
+
+type: double
+
+
+**`aws.dynamodb.metrics.AccountProvisionedWriteCapacityUtilization.avg`**
+:   The average percentage of provisioned write capacity units utilized by the account.
+
+type: double
+
+
+**`aws.dynamodb.metrics.SystemErrors.sum`**
+:   The requests to DynamoDB or Amazon DynamoDB Streams that generate an HTTP 500 status code during the specified time period.
+
+type: long
+
+
+**`aws.dynamodb.metrics.ConditionalCheckFailedRequests.sum`**
+:   The number of failed attempts to perform conditional writes.
+
+type: long
+
+
+**`aws.dynamodb.metrics.PendingReplicationCount.sum`**
+:   The number of item updates that are written to one replica table, but that have not yet been written to another replica in the global table.
+
+type: long
+
+
+**`aws.dynamodb.metrics.ReadThrottleEvents.sum`**
+:   Requests to DynamoDB that exceed the provisioned read capacity units for a table or a global secondary index.
+
+type: long
+
+
+**`aws.dynamodb.metrics.ThrottledRequests.sum`**
+:   Requests to DynamoDB that exceed the provisioned throughput limits on a resource (such as a table or an index).
+
+type: long
+
+
+**`aws.dynamodb.metrics.WriteThrottleEvents.sum`**
+:   Requests to DynamoDB that exceed the provisioned write capacity units for a table or a global secondary index.
+
+type: long
+
+
+**`aws.dynamodb.metrics.AccountMaxReads.max`**
+:   The maximum number of read capacity units that can be used by an account. This limit does not apply to on-demand tables or global secondary indexes.
+
+type: long
+
+
+**`aws.dynamodb.metrics.AccountMaxTableLevelReads.max`**
+:   The maximum number of read capacity units that can be used by a table or global secondary index of an account. For on-demand tables this limit caps the maximum read request units a table or a global secondary index can use.
+
+type: long
+
+
+**`aws.dynamodb.metrics.AccountMaxTableLevelWrites.max`**
+:   The maximum number of write capacity units that can be used by a table or global secondary index of an account. For on-demand tables this limit caps the maximum write request units a table or a global secondary index can use.
+
+type: long
+
+
+**`aws.dynamodb.metrics.AccountMaxWrites.max`**
+:   The maximum number of write capacity units that can be used by an account. This limit does not apply to on-demand tables or global secondary indexes.
+
+type: long
+
+
+**`aws.dynamodb.metrics.MaxProvisionedTableReadCapacityUtilization.max`**
+:   The percentage of provisioned read capacity units utilized by the highest provisioned read table or global secondary index of an account.
+
+type: double
+
+
+**`aws.dynamodb.metrics.MaxProvisionedTableWriteCapacityUtilization.max`**
+:   The percentage of provisioned write capacity utilized by the highest provisioned write table or global secondary index of an account.
+
+type: double
+
+
+
+## ebs [_ebs_2]
+
+`ebs` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS EBS.
+
+**`aws.ebs.metrics.VolumeReadBytes.avg`**
+:   Average size of each read operation during the period, except on volumes attached to a Nitro-based instance, where the average represents the average over the specified period.
+
+type: double
+
+
+**`aws.ebs.metrics.VolumeWriteBytes.avg`**
+:   Average size of each write operation during the period, except on volumes attached to a Nitro-based instance, where the average represents the average over the specified period.
+
+type: double
+
+
+**`aws.ebs.metrics.VolumeReadOps.avg`**
+:   The total number of read operations in a specified period of time.
+
+type: double
+
+
+**`aws.ebs.metrics.VolumeWriteOps.avg`**
+:   The total number of write operations in a specified period of time.
+
+type: double
+
+
+**`aws.ebs.metrics.VolumeQueueLength.avg`**
+:   The number of read and write operation requests waiting to be completed in a specified period of time.
+
+type: double
+
+
+**`aws.ebs.metrics.VolumeThroughputPercentage.avg`**
+:   The percentage of I/O operations per second (IOPS) delivered of the total IOPS provisioned for an Amazon EBS volume. Used with Provisioned IOPS SSD volumes only.
+
+type: double
+
+
+**`aws.ebs.metrics.VolumeConsumedReadWriteOps.avg`**
+:   The total amount of read and write operations (normalized to 256K capacity units) consumed in a specified period of time. Used with Provisioned IOPS SSD volumes only.
+
+type: double
+
+
+**`aws.ebs.metrics.BurstBalance.avg`**
+:   Used with General Purpose SSD (gp2), Throughput Optimized HDD (st1), and Cold HDD (sc1) volumes only. Provides information about the percentage of I/O credits (for gp2) or throughput credits (for st1 and sc1) remaining in the burst bucket.
+
+type: double
+
+
+**`aws.ebs.metrics.VolumeTotalReadTime.sum`**
+:   The total number of seconds spent by all read operations that completed in a specified period of time.
+
+type: double
+
+
+**`aws.ebs.metrics.VolumeTotalWriteTime.sum`**
+:   The total number of seconds spent by all write operations that completed in a specified period of time.
+
+type: double
+
+
+**`aws.ebs.metrics.VolumeIdleTime.sum`**
+:   The total number of seconds in a specified period of time when no read or write operations were submitted.
+
+type: double
+
+
+
+## ec2 [_ec2_2]
+
+`ec2` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS EC2.
+
+**`aws.ec2.cpu.total.pct`**
+:   The percentage of allocated EC2 compute units that are currently in use on the instance.
+
+type: scaled_float
+
+
+**`aws.ec2.cpu.credit_usage`**
+:   The number of CPU credits spent by the instance for CPU utilization.
+
+type: long
+
+
+**`aws.ec2.cpu.credit_balance`**
+:   The number of earned CPU credits that an instance has accrued since it was launched or started.
+
+type: long
+
+
+**`aws.ec2.cpu.surplus_credit_balance`**
+:   The number of surplus credits that have been spent by an unlimited instance when its CPUCreditBalance value is zero.
+
+type: long
+
+
+**`aws.ec2.cpu.surplus_credits_charged`**
+:   The number of spent surplus credits that are not paid down by earned CPU credits, and which thus incur an additional charge.
+
+type: long
+
+
+**`aws.ec2.network.in.packets`**
+:   The total number of packets received on all network interfaces by the instance in collection period.
+
+type: long
+
+
+**`aws.ec2.network.in.packets_per_sec`**
+:   The number of packets per second sent out on all network interfaces by the instance.
+
+type: scaled_float
+
+
+**`aws.ec2.network.out.packets`**
+:   The total number of packets sent out on all network interfaces by the instance in collection period.
+
+type: long
+
+
+**`aws.ec2.network.out.packets_per_sec`**
+:   The number of packets per second sent out on all network interfaces by the instance.
+
+type: scaled_float
+
+
+**`aws.ec2.network.in.bytes`**
+:   The total number of bytes received on all network interfaces by the instance in collection period.
+
+type: long
+
+format: bytes
+
+
+**`aws.ec2.network.in.bytes_per_sec`**
+:   The number of bytes per second received on all network interfaces by the instance.
+
+type: scaled_float
+
+
+**`aws.ec2.network.out.bytes`**
+:   The total number of bytes sent out on all network interfaces by the instance in collection period.
+
+type: long
+
+format: bytes
+
+
+**`aws.ec2.network.out.bytes_per_sec`**
+:   The number of bytes per second sent out on all network interfaces by the instance.
+
+type: scaled_float
+
+
+**`aws.ec2.diskio.read.bytes`**
+:   Total bytes read from all instance store volumes available to the instance in collection period.
+
+type: long
+
+format: bytes
+
+
+**`aws.ec2.diskio.read.bytes_per_sec`**
+:   Bytes read per second from all instance store volumes available to the instance.
+
+type: scaled_float
+
+
+**`aws.ec2.diskio.write.bytes`**
+:   Total bytes written to all instance store volumes available to the instance in collection period.
+
+type: long
+
+format: bytes
+
+
+**`aws.ec2.diskio.write.bytes_per_sec`**
+:   Bytes written per second to all instance store volumes available to the instance.
+
+type: scaled_float
+
+
+**`aws.ec2.diskio.read.count`**
+:   Total completed read operations from all instance store volumes available to the instance in collection period.
+
+type: long
+
+
+**`aws.ec2.diskio.read.count_per_sec`**
+:   Completed read operations per second from all instance store volumes available to the instance in a specified period of time.
+
+type: long
+
+
+**`aws.ec2.diskio.write.count`**
+:   Total completed write operations to all instance store volumes available to the instance in collection period.
+
+type: long
+
+
+**`aws.ec2.diskio.write.count_per_sec`**
+:   Completed write operations per second to all instance store volumes available to the instance in a specified period of time.
+
+type: long
+
+
+**`aws.ec2.status.check_failed`**
+:   Reports whether the instance has passed both the instance status check and the system status check in the last minute.
+
+type: long
+
+
+**`aws.ec2.status.check_failed_system`**
+:   Reports whether the instance has passed the system status check in the last minute.
+
+type: long
+
+
+**`aws.ec2.status.check_failed_instance`**
+:   Reports whether the instance has passed the instance status check in the last minute.
+
+type: long
+
+
+**`aws.ec2.instance.core.count`**
+:   The number of CPU cores for the instance.
+
+type: integer
+
+
+**`aws.ec2.instance.image.id`**
+:   The ID of the image used to launch the instance.
+
+type: keyword
+
+
+**`aws.ec2.instance.monitoring.state`**
+:   Indicates whether detailed monitoring is enabled.
+
+type: keyword
+
+
+**`aws.ec2.instance.private.dns_name`**
+:   The private DNS name of the network interface.
+
+type: keyword
+
+
+**`aws.ec2.instance.private.ip`**
+:   The private IPv4 address associated with the network interface.
+
+type: ip
+
+
+**`aws.ec2.instance.public.dns_name`**
+:   The public DNS name of the instance.
+
+type: keyword
+
+
+**`aws.ec2.instance.public.ip`**
+:   The address of the Elastic IP address (IPv4) bound to the network interface.
+
+type: ip
+
+
+**`aws.ec2.instance.state.code`**
+:   The state of the instance, as a 16-bit unsigned integer.
+
+type: integer
+
+
+**`aws.ec2.instance.state.name`**
+:   The state of the instance (pending | running | shutting-down | terminated | stopping | stopped).
+
+type: keyword
+
+
+**`aws.ec2.instance.threads_per_core`**
+:   The number of threads per CPU core.
+
+type: integer
+
+
+
+## elb [_elb_2]
+
+`elb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS ELB.
+
+**`aws.elb.metrics.BackendConnectionErrors.sum`**
+:   The number of connections that were not successfully established between the load balancer and the registered instances.
+
+type: long
+
+
+**`aws.elb.metrics.HTTPCode_Backend_2XX.sum`**
+:   The number of HTTP 2XX response code generated by registered instances.
+
+type: long
+
+
+**`aws.elb.metrics.HTTPCode_Backend_3XX.sum`**
+:   The number of HTTP 3XX response code generated by registered instances.
+
+type: long
+
+
+**`aws.elb.metrics.HTTPCode_Backend_4XX.sum`**
+:   The number of HTTP 4XX response code generated by registered instances.
+
+type: long
+
+
+**`aws.elb.metrics.HTTPCode_Backend_5XX.sum`**
+:   The number of HTTP 5XX response code generated by registered instances.
+
+type: long
+
+
+**`aws.elb.metrics.HTTPCode_ELB_4XX.sum`**
+:   The number of HTTP 4XX client error codes generated by the load balancer.
+
+type: long
+
+
+**`aws.elb.metrics.HTTPCode_ELB_5XX.sum`**
+:   The number of HTTP 5XX server error codes generated by the load balancer.
+
+type: long
+
+
+**`aws.elb.metrics.RequestCount.sum`**
+:   The number of requests completed or connections made during the specified interval.
+
+type: long
+
+
+**`aws.elb.metrics.SpilloverCount.sum`**
+:   The total number of requests that were rejected because the surge queue is full.
+
+type: long
+
+
+**`aws.elb.metrics.HealthyHostCount.max`**
+:   The number of healthy instances registered with your load balancer.
+
+type: long
+
+
+**`aws.elb.metrics.SurgeQueueLength.max`**
+:   The total number of requests (HTTP listener) or connections (TCP listener) that are pending routing to a healthy instance.
+
+type: long
+
+
+**`aws.elb.metrics.UnHealthyHostCount.max`**
+:   The number of unhealthy instances registered with your load balancer.
+
+type: long
+
+
+**`aws.elb.metrics.Latency.avg`**
+:   The total time elapsed, in seconds, from the time the load balancer sent the request to a registered instance until the instance started to send the response headers.
+
+type: double
+
+
+**`aws.elb.metrics.EstimatedALBActiveConnectionCount.avg`**
+:   The estimated number of concurrent TCP connections active from clients to the load balancer and from the load balancer to targets.
+
+type: double
+
+
+**`aws.elb.metrics.EstimatedALBConsumedLCUs.avg`**
+:   The estimated number of load balancer capacity units (LCU) used by an Application Load Balancer.
+
+type: double
+
+
+**`aws.elb.metrics.EstimatedALBNewConnectionCount.avg`**
+:   The estimated number of new TCP connections established from clients to the load balancer and from the load balancer to targets.
+
+type: double
+
+
+**`aws.elb.metrics.EstimatedProcessedBytes.avg`**
+:   The estimated number of bytes processed by an Application Load Balancer.
+
+type: double
+
+
+
+## applicationelb [_applicationelb]
+
+`applicationelb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS ApplicationELB.
+
+**`aws.applicationelb.metrics.ActiveConnectionCount.sum`**
+:   The total number of concurrent TCP connections active from clients to the load balancer and from the load balancer to targets.
+
+type: long
+
+
+**`aws.applicationelb.metrics.ClientTLSNegotiationErrorCount.sum`**
+:   The number of TLS connections initiated by the client that did not establish a session with the load balancer due to a TLS error.
+
+type: long
+
+
+**`aws.applicationelb.metrics.HTTP_Fixed_Response_Count.sum`**
+:   The number of fixed-response actions that were successful.
+
+type: long
+
+
+**`aws.applicationelb.metrics.HTTP_Redirect_Count.sum`**
+:   The number of redirect actions that were successful.
+
+type: long
+
+
+**`aws.applicationelb.metrics.HTTP_Redirect_Url_Limit_Exceeded_Count.sum`**
+:   The number of redirect actions that couldn’t be completed because the URL in the response location header is larger than 8K.
+
+type: long
+
+
+**`aws.applicationelb.metrics.HTTPCode_ELB_3XX_Count.sum`**
+:   The number of HTTP 3XX redirection codes that originate from the load balancer.
+
+type: long
+
+
+**`aws.applicationelb.metrics.HTTPCode_ELB_4XX_Count.sum`**
+:   The number of HTTP 4XX client error codes that originate from the load balancer.
+
+type: long
+
+
+**`aws.applicationelb.metrics.HTTPCode_ELB_5XX_Count.sum`**
+:   The number of HTTP 5XX server error codes that originate from the load balancer.
+
+type: long
+
+
+**`aws.applicationelb.metrics.HTTPCode_ELB_500_Count.sum`**
+:   The number of HTTP 500 error codes that originate from the load balancer.
+
+type: long
+
+
+**`aws.applicationelb.metrics.HTTPCode_ELB_502_Count.sum`**
+:   The number of HTTP 502 error codes that originate from the load balancer.
+
+type: long
+
+
+**`aws.applicationelb.metrics.HTTPCode_ELB_503_Count.sum`**
+:   The number of HTTP 503 error codes that originate from the load balancer.
+
+type: long
+
+
+**`aws.applicationelb.metrics.HTTPCode_ELB_504_Count.sum`**
+:   The number of HTTP 504 error codes that originate from the load balancer.
+
+type: long
+
+
+**`aws.applicationelb.metrics.IPv6ProcessedBytes.sum`**
+:   The total number of bytes processed by the load balancer over IPv6.
+
+type: long
+
+
+**`aws.applicationelb.metrics.IPv6RequestCount.sum`**
+:   The number of IPv6 requests received by the load balancer.
+
+type: long
+
+
+**`aws.applicationelb.metrics.NewConnectionCount.sum`**
+:   The total number of new TCP connections established from clients to the load balancer and from the load balancer to targets.
+
+type: long
+
+
+**`aws.applicationelb.metrics.ProcessedBytes.sum`**
+:   The total number of bytes processed by the load balancer over IPv4 and IPv6.
+
+type: long
+
+
+**`aws.applicationelb.metrics.RejectedConnectionCount.sum`**
+:   The number of connections that were rejected because the load balancer had reached its maximum number of connections.
+
+type: long
+
+
+**`aws.applicationelb.metrics.RequestCount.sum`**
+:   The number of requests processed over IPv4 and IPv6.
+
+type: long
+
+
+**`aws.applicationelb.metrics.RuleEvaluations.sum`**
+:   The number of rules processed by the load balancer given a request rate averaged over an hour.
+
+type: long
+
+
+**`aws.applicationelb.metrics.ConsumedLCUs.avg`**
+:   The number of load balancer capacity units (LCU) used by your load balancer.
+
+type: double
+
+
+**`aws.applicationelb.metrics.HealthyHostCount.max`**
+:   The number of targets that are considered healthy.
+
+type: long
+
+
+**`aws.applicationelb.metrics.UnHealthyHostCount.max`**
+:   The number of targets that are considered unhealthy.
+
+type: long
+
+
+
+## networkelb [_networkelb]
+
+`networkelb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS NetworkELB.
+
+**`aws.networkelb.metrics.ActiveFlowCount.avg`**
+:   The total number of concurrent flows (or connections) from clients to targets.
+
+type: double
+
+
+**`aws.networkelb.metrics.ActiveFlowCount_TCP.avg`**
+:   The total number of concurrent TCP flows (or connections) from clients to targets.
+
+type: double
+
+
+**`aws.networkelb.metrics.ActiveFlowCount_TLS.avg`**
+:   The total number of concurrent TLS flows (or connections) from clients to targets.
+
+type: double
+
+
+**`aws.networkelb.metrics.ActiveFlowCount_UDP.avg`**
+:   The total number of concurrent UDP flows (or connections) from clients to targets.
+
+type: double
+
+
+**`aws.networkelb.metrics.ConsumedLCUs.avg`**
+:   The number of load balancer capacity units (LCU) used by your load balancer.
+
+type: double
+
+
+**`aws.networkelb.metrics.ClientTLSNegotiationErrorCount.sum`**
+:   The total number of TLS handshakes that failed during negotiation between a client and a TLS listener.
+
+type: long
+
+
+**`aws.networkelb.metrics.NewFlowCount.sum`**
+:   The total number of new flows (or connections) established from clients to targets in the time period.
+
+type: long
+
+
+**`aws.networkelb.metrics.NewFlowCount_TLS.sum`**
+:   The total number of new TLS flows (or connections) established from clients to targets in the time period.
+
+type: long
+
+
+**`aws.networkelb.metrics.ProcessedBytes.sum`**
+:   The total number of bytes processed by the load balancer, including TCP/IP headers.
+
+type: long
+
+
+**`aws.networkelb.metrics.ProcessedBytes_TLS.sum`**
+:   The total number of bytes processed by TLS listeners.
+
+type: long
+
+
+**`aws.networkelb.metrics.TargetTLSNegotiationErrorCount.sum`**
+:   The total number of TLS handshakes that failed during negotiation between a TLS listener and a target.
+
+type: long
+
+
+**`aws.networkelb.metrics.TCP_Client_Reset_Count.sum`**
+:   The total number of reset (RST) packets sent from a client to a target.
+
+type: long
+
+
+**`aws.networkelb.metrics.TCP_ELB_Reset_Count.sum`**
+:   The total number of reset (RST) packets generated by the load balancer.
+
+type: long
+
+
+**`aws.networkelb.metrics.TCP_Target_Reset_Count.sum`**
+:   The total number of reset (RST) packets sent from a target to a client.
+
+type: long
+
+
+**`aws.networkelb.metrics.HealthyHostCount.max`**
+:   The number of targets that are considered healthy.
+
+type: long
+
+
+**`aws.networkelb.metrics.UnHealthyHostCount.max`**
+:   The number of targets that are considered unhealthy.
+
+type: long
+
+
+
+## kinesis [_kinesis]
+
+`kinesis` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by Amazon Kinesis.
+
+**`aws.kinesis.metrics.GetRecords_Bytes.avg`**
+:   The average number of bytes retrieved from the Kinesis stream, measured over the specified time period.
+
+type: double
+
+
+**`aws.kinesis.metrics.GetRecords_IteratorAgeMilliseconds.avg`**
+:   The age of the last record in all GetRecords calls made against a Kinesis stream, measured over the specified time period. Age is the difference between the current time and when the last record of the GetRecords call was written to the stream.
+
+type: double
+
+
+**`aws.kinesis.metrics.GetRecords_Latency.avg`**
+:   The time taken per GetRecords operation, measured over the specified time period.
+
+type: double
+
+
+**`aws.kinesis.metrics.GetRecords_Records.sum`**
+:   The number of records retrieved from the shard, measured over the specified time period.
+
+type: long
+
+
+**`aws.kinesis.metrics.GetRecords_Success.sum`**
+:   The number of successful GetRecords operations per stream, measured over the specified time period.
+
+type: long
+
+
+**`aws.kinesis.metrics.IncomingBytes.avg`**
+:   The number of bytes successfully put to the Kinesis stream over the specified time period. This metric includes bytes from PutRecord and PutRecords operations.
+
+type: double
+
+
+**`aws.kinesis.metrics.IncomingRecords.avg`**
+:   The number of records successfully put to the Kinesis stream over the specified time period. This metric includes record counts from PutRecord and PutRecords operations.
+
+type: double
+
+
+**`aws.kinesis.metrics.PutRecord_Bytes.avg`**
+:   The number of bytes put to the Kinesis stream using the PutRecord operation over the specified time period.
+
+type: double
+
+
+**`aws.kinesis.metrics.PutRecord_Latency.avg`**
+:   The time taken per PutRecord operation, measured over the specified time period.
+
+type: double
+
+
+**`aws.kinesis.metrics.PutRecord_Success.avg`**
+:   The percentage of successful writes to a Kinesis stream, measured over the specified time period.
+
+type: double
+
+
+**`aws.kinesis.metrics.PutRecords_Bytes.avg`**
+:   The average number of bytes put to the Kinesis stream using the PutRecords operation over the specified time period.
+
+type: double
+
+
+**`aws.kinesis.metrics.PutRecords_Latency.avg`**
+:   The average time taken per PutRecords operation, measured over the specified time period.
+
+type: double
+
+
+**`aws.kinesis.metrics.PutRecords_Success.avg`**
+:   The total number of PutRecords operations where at least one record succeeded, per Kinesis stream, measured over the specified time period.
+
+type: long
+
+
+**`aws.kinesis.metrics.PutRecords_TotalRecords.sum`**
+:   The total number of records sent in a PutRecords operation per Kinesis data stream, measured over the specified time period.
+
+type: long
+
+
+**`aws.kinesis.metrics.PutRecords_SuccessfulRecords.sum`**
+:   The number of successful records in a PutRecords operation per Kinesis data stream, measured over the specified time period.
+
+type: long
+
+
+**`aws.kinesis.metrics.PutRecords_FailedRecords.sum`**
+:   The number of records rejected due to internal failures in a PutRecords operation per Kinesis data stream, measured over the specified time period.
+
+type: long
+
+
+**`aws.kinesis.metrics.PutRecords_ThrottledRecords.sum`**
+:   The number of records rejected due to throttling in a PutRecords operation per Kinesis data stream, measured over the specified time period.
+
+type: long
+
+
+**`aws.kinesis.metrics.ReadProvisionedThroughputExceeded.avg`**
+:   The number of GetRecords calls throttled for the stream over the specified time period.
+
+type: long
+
+
+**`aws.kinesis.metrics.SubscribeToShard_RateExceeded.avg`**
+:   This metric is emitted when a new subscription attempt fails because there already is an active subscription by the same consumer or if you exceed the number of calls per second allowed for this operation.
+
+type: long
+
+
+**`aws.kinesis.metrics.SubscribeToShard_Success.avg`**
+:   This metric records whether the SubscribeToShard subscription was successfully established.
+
+type: long
+
+
+**`aws.kinesis.metrics.SubscribeToShardEvent_Bytes.avg`**
+:   The number of bytes received from the shard, measured over the specified time period.
+
+type: long
+
+
+**`aws.kinesis.metrics.SubscribeToShardEvent_MillisBehindLatest.avg`**
+:   The difference between the current time and when the last record of the SubscribeToShard event was written to the stream.
+
+type: long
+
+
+**`aws.kinesis.metrics.SubscribeToShardEvent_Records.sum`**
+:   The number of records received from the shard, measured over the specified time period.
+
+type: long
+
+
+**`aws.kinesis.metrics.SubscribeToShardEvent_Success.avg`**
+:   This metric is emitted every time an event is published successfully. It is only emitted when there’s an active subscription.
+
+type: long
+
+
+**`aws.kinesis.metrics.WriteProvisionedThroughputExceeded.avg`**
+:   The number of records rejected due to throttling for the stream over the specified time period. This metric includes throttling from PutRecord and PutRecords operations.
+
+type: long
+
+
+
+## lambda [_lambda_2]
+
+`lambda` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS Lambda.
+
+**`aws.lambda.metrics.Invocations.avg`**
+:   The number of times your function code is executed, including successful executions and executions that result in a function error.
+
+type: double
+
+
+**`aws.lambda.metrics.Errors.avg`**
+:   The number of invocations that result in a function error.
+
+type: double
+
+
+**`aws.lambda.metrics.DeadLetterErrors.avg`**
+:   For asynchronous invocation, the number of times Lambda attempts to send an event to a dead-letter queue but fails.
+
+type: double
+
+
+**`aws.lambda.metrics.DestinationDeliveryFailures.avg`**
+:   For asynchronous invocation, the number of times Lambda attempts to send an event to a destination but fails.
+
+type: double
+
+
+**`aws.lambda.metrics.Duration.avg`**
+:   The amount of time that your function code spends processing an event.
+
+type: double
+
+
+**`aws.lambda.metrics.Throttles.avg`**
+:   The number of invocation requests that are throttled.
+
+type: double
+
+
+**`aws.lambda.metrics.IteratorAge.avg`**
+:   For event source mappings that read from streams, the age of the last record in the event.
+
+type: double
+
+
+**`aws.lambda.metrics.ConcurrentExecutions.avg`**
+:   The number of function instances that are processing events.
+
+type: double
+
+
+**`aws.lambda.metrics.UnreservedConcurrentExecutions.avg`**
+:   For an AWS Region, the number of events that are being processed by functions that don’t have reserved concurrency.
+
+type: double
+
+
+**`aws.lambda.metrics.ProvisionedConcurrentExecutions.max`**
+:   The number of function instances that are processing events on provisioned concurrency.
+
+type: long
+
+
+**`aws.lambda.metrics.ProvisionedConcurrencyUtilization.max`**
+:   For a version or alias, the value of ProvisionedConcurrentExecutions divided by the total amount of provisioned concurrency allocated.
+
+type: long
+
+
+**`aws.lambda.metrics.ProvisionedConcurrencyInvocations.sum`**
+:   The number of times your function code is executed on provisioned concurrency.
+
+type: long
+
+
+**`aws.lambda.metrics.ProvisionedConcurrencySpilloverInvocations.sum`**
+:   The number of times your function code is executed on standard concurrency when all provisioned concurrency is in use.
+
+type: long
+
+
+
+## natgateway [_natgateway_2]
+
+`natgateway` contains the metrics from Cloudwatch to track usage of NAT gateway related resources.
+
+**`aws.natgateway.metrics.BytesInFromDestination.sum`**
+:   The number of bytes received by the NAT gateway from the destination.
+
+type: long
+
+
+**`aws.natgateway.metrics.BytesInFromSource.sum`**
+:   The number of bytes received by the NAT gateway from clients in your VPC.
+
+type: long
+
+
+**`aws.natgateway.metrics.BytesOutToDestination.sum`**
+:   The number of bytes sent out through the NAT gateway to the destination.
+
+type: long
+
+
+**`aws.natgateway.metrics.BytesOutToSource.sum`**
+:   The number of bytes sent through the NAT gateway to the clients in your VPC.
+
+type: long
+
+
+**`aws.natgateway.metrics.ConnectionAttemptCount.sum`**
+:   The number of connection attempts made through the NAT gateway.
+
+type: long
+
+
+**`aws.natgateway.metrics.ConnectionEstablishedCount.sum`**
+:   The number of connections established through the NAT gateway.
+
+type: long
+
+
+**`aws.natgateway.metrics.ErrorPortAllocation.sum`**
+:   The number of times the NAT gateway could not allocate a source port.
+
+type: long
+
+
+**`aws.natgateway.metrics.IdleTimeoutCount.sum`**
+:   The number of connections that transitioned from the active state to the idle state.
+
+type: long
+
+
+**`aws.natgateway.metrics.PacketsDropCount.sum`**
+:   The number of packets dropped by the NAT gateway.
+
+type: long
+
+
+**`aws.natgateway.metrics.PacketsInFromDestination.sum`**
+:   The number of packets received by the NAT gateway from the destination.
+
+type: long
+
+
+**`aws.natgateway.metrics.PacketsInFromSource.sum`**
+:   The number of packets received by the NAT gateway from clients in your VPC.
+
+type: long
+
+
+**`aws.natgateway.metrics.PacketsOutToDestination.sum`**
+:   The number of packets sent out through the NAT gateway to the destination.
+
+type: long
+
+
+**`aws.natgateway.metrics.PacketsOutToSource.sum`**
+:   The number of packets sent through the NAT gateway to the clients in your VPC.
+
+type: long
+
+
+**`aws.natgateway.metrics.ActiveConnectionCount.max`**
+:   The total number of concurrent active TCP connections through the NAT gateway.
+
+type: long
+
+
+
+## rds [_rds_2]
+
+`rds` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS RDS.
+
+**`aws.rds.burst_balance.pct`**
+:   The percent of General Purpose SSD (gp2) burst-bucket I/O credits available.
+
+type: scaled_float
+
+format: percent
+
+
+**`aws.rds.cpu.total.pct`**
+:   CPU utilization with value range from 0 to 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`aws.rds.cpu.credit_usage`**
+:   The number of CPU credits spent by the instance for CPU utilization.
+
+type: long
+
+
+**`aws.rds.cpu.credit_balance`**
+:   The number of earned CPU credits that an instance has accrued since it was launched or started.
+
+type: long
+
+
+**`aws.rds.database_connections`**
+:   The number of database connections in use.
+
+type: long
+
+
+**`aws.rds.db_instance.arn`**
+:   Amazon Resource Name(ARN) for each rds.
+
+type: keyword
+
+
+**`aws.rds.db_instance.class`**
+:   Contains the name of the compute and memory capacity class of the DB instance.
+
+type: keyword
+
+
+**`aws.rds.db_instance.identifier`**
+:   Contains a user-supplied database identifier. This identifier is the unique key that identifies a DB instance.
+
+type: keyword
+
+
+**`aws.rds.db_instance.status`**
+:   Specifies the current state of this database.
+
+type: keyword
+
+
+**`aws.rds.disk_queue_depth`**
+:   The number of outstanding IOs (read/write requests) waiting to access the disk.
+
+type: float
+
+
+**`aws.rds.failed_sql_server_agent_jobs`**
+:   The number of failed SQL Server Agent jobs during the last minute.
+
+type: long
+
+
+**`aws.rds.freeable_memory.bytes`**
+:   The amount of available random access memory.
+
+type: long
+
+format: bytes
+
+
+**`aws.rds.free_storage.bytes`**
+:   The amount of available storage space.
+
+type: long
+
+format: bytes
+
+
+**`aws.rds.maximum_used_transaction_ids`**
+:   The maximum transaction ID that has been used. Applies to PostgreSQL.
+
+type: long
+
+
+**`aws.rds.oldest_replication_slot_lag.mb`**
+:   The lagging size of the replica lagging the most in terms of WAL data received. Applies to PostgreSQL.
+
+type: long
+
+
+**`aws.rds.read.iops`**
+:   The average number of disk read I/O operations per second.
+
+type: float
+
+
+**`aws.rds.replica_lag.sec`**
+:   The amount of time a Read Replica DB instance lags behind the source DB instance. Applies to MySQL, MariaDB, and PostgreSQL Read Replicas.
+
+type: long
+
+format: duration
+
+
+**`aws.rds.swap_usage.bytes`**
+:   The amount of swap space used on the DB instance. This metric is not available for SQL Server.
+
+type: long
+
+format: bytes
+
+
+**`aws.rds.transaction_logs_generation`**
+:   The disk space used by transaction logs. Applies to PostgreSQL.
+
+type: long
+
+
+**`aws.rds.write.iops`**
+:   The average number of disk write I/O operations per second.
+
+type: float
+
+
+**`aws.rds.queries`**
+:   The average number of queries executed per second.
+
+type: long
+
+
+**`aws.rds.deadlocks`**
+:   The average number of deadlocks in the database per second.
+
+type: long
+
+
+**`aws.rds.volume_used.bytes`**
+:   The amount of storage used by your Aurora DB instance, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`aws.rds.volume.read.iops`**
+:   The number of billed read I/O operations from a cluster volume, reported at 5-minute intervals.
+
+type: long
+
+format: bytes
+
+
+**`aws.rds.volume.write.iops`**
+:   The number of write disk I/O operations to the cluster volume, reported at 5-minute intervals.
+
+type: long
+
+format: bytes
+
+
+**`aws.rds.free_local_storage.bytes`**
+:   The amount of storage available for temporary tables and logs, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`aws.rds.login_failures`**
+:   The average number of failed login attempts per second.
+
+type: long
+
+
+**`aws.rds.throughput.commit`**
+:   The average number of commit operations per second.
+
+type: float
+
+
+**`aws.rds.throughput.delete`**
+:   The average number of delete queries per second.
+
+type: float
+
+
+**`aws.rds.throughput.ddl`**
+:   The average number of DDL requests per second.
+
+type: float
+
+
+**`aws.rds.throughput.dml`**
+:   The average number of inserts, updates, and deletes per second.
+
+type: float
+
+
+**`aws.rds.throughput.insert`**
+:   The average number of insert queries per second.
+
+type: float
+
+
+**`aws.rds.throughput.network`**
+:   The amount of network throughput both received from and transmitted to clients by each instance in the Aurora MySQL DB cluster, in bytes per second.
+
+type: float
+
+
+**`aws.rds.throughput.network_receive`**
+:   The incoming (Receive) network traffic on the DB instance, including both customer database traffic and Amazon RDS traffic used for monitoring and replication.
+
+type: float
+
+
+**`aws.rds.throughput.network_transmit`**
+:   The outgoing (Transmit) network traffic on the DB instance, including both customer database traffic and Amazon RDS traffic used for monitoring and replication.
+
+type: float
+
+
+**`aws.rds.throughput.read`**
+:   The average amount of time taken per disk I/O operation.
+
+type: float
+
+
+**`aws.rds.throughput.select`**
+:   The average number of select queries per second.
+
+type: float
+
+
+**`aws.rds.throughput.update`**
+:   The average number of update queries per second.
+
+type: float
+
+
+**`aws.rds.throughput.write`**
+:   The average number of bytes written to disk per second.
+
+type: float
+
+
+**`aws.rds.latency.commit`**
+:   The amount of latency for commit operations, in milliseconds.
+
+type: float
+
+format: duration
+
+
+**`aws.rds.latency.ddl`**
+:   The amount of latency for data definition language (DDL) requests, in milliseconds.
+
+type: float
+
+format: duration
+
+
+**`aws.rds.latency.dml`**
+:   The amount of latency for inserts, updates, and deletes, in milliseconds.
+
+type: float
+
+format: duration
+
+
+**`aws.rds.latency.insert`**
+:   The amount of latency for insert queries, in milliseconds.
+
+type: float
+
+format: duration
+
+
+**`aws.rds.latency.read`**
+:   The average amount of time taken per disk I/O operation.
+
+type: float
+
+format: duration
+
+
+**`aws.rds.latency.select`**
+:   The amount of latency for select queries, in milliseconds.
+
+type: float
+
+format: duration
+
+
+**`aws.rds.latency.update`**
+:   The amount of latency for update queries, in milliseconds.
+
+type: float
+
+format: duration
+
+
+**`aws.rds.latency.write`**
+:   The average amount of time taken per disk I/O operation.
+
+type: float
+
+format: duration
+
+
+**`aws.rds.latency.delete`**
+:   The amount of latency for delete queries, in milliseconds.
+
+type: float
+
+format: duration
+
+
+**`aws.rds.disk_usage.bin_log.bytes`**
+:   The amount of disk space occupied by binary logs on the master. Applies to MySQL read replicas.
+
+type: long
+
+format: bytes
+
+
+**`aws.rds.disk_usage.replication_slot.mb`**
+:   The disk space used by replication slot files. Applies to PostgreSQL.
+
+type: long
+
+
+**`aws.rds.disk_usage.transaction_logs.mb`**
+:   The disk space used by transaction logs. Applies to PostgreSQL.
+
+type: long
+
+
+**`aws.rds.transactions.active`**
+:   The average number of current transactions executing on an Aurora database instance per second.
+
+type: long
+
+
+**`aws.rds.transactions.blocked`**
+:   The average number of transactions in the database that are blocked per second.
+
+type: long
+
+
+**`aws.rds.db_instance.db_cluster_identifier`**
+:   This identifier is the unique key that identifies a DB cluster specifically for Amazon Aurora DB cluster.
+
+type: keyword
+
+
+**`aws.rds.db_instance.role`**
+:   DB roles like WRITER or READER, specifically for Amazon Aurora DB cluster.
+
+type: keyword
+
+
+**`aws.rds.db_instance.engine_name`**
+:   Each DB instance runs a DB engine, like MySQL, MariaDB, PostgreSQL and etc.
+
+type: keyword
+
+
+**`aws.rds.aurora_bin_log_replica_lag`**
+:   The amount of time a replica DB cluster running on Aurora with MySQL compatibility lags behind the source DB cluster.
+
+type: long
+
+
+**`aws.rds.aurora_global_db.replicated_write_io.bytes`**
+:   In an Aurora Global Database, the number of write I/O operations replicated from the primary AWS Region to the cluster volume in a secondary AWS Region.
+
+type: long
+
+
+**`aws.rds.aurora_global_db.data_transfer.bytes`**
+:   In an Aurora Global Database, the amount of redo log data transferred from the master AWS Region to a secondary AWS Region.
+
+type: long
+
+
+**`aws.rds.aurora_global_db.replication_lag.ms`**
+:   For an Aurora Global Database, the amount of lag when replicating updates from the primary AWS Region, in milliseconds.
+
+type: long
+
+
+**`aws.rds.aurora_replica.lag.ms`**
+:   For an Aurora Replica, the amount of lag when replicating updates from the primary instance, in milliseconds.
+
+type: long
+
+
+**`aws.rds.aurora_replica.lag_max.ms`**
+:   The maximum amount of lag between the primary instance and each Aurora DB instance in the DB cluster, in milliseconds.
+
+type: long
+
+
+**`aws.rds.aurora_replica.lag_min.ms`**
+:   The minimum amount of lag between the primary instance and each Aurora DB instance in the DB cluster, in milliseconds.
+
+type: long
+
+
+**`aws.rds.backtrack_change_records.creation_rate`**
+:   The number of backtrack change records created over five minutes for your DB cluster.
+
+type: long
+
+
+**`aws.rds.backtrack_change_records.stored`**
+:   The actual number of backtrack change records used by your DB cluster.
+
+type: long
+
+
+**`aws.rds.backtrack_window.actual`**
+:   The difference between the target backtrack window and the actual backtrack window.
+
+type: long
+
+
+**`aws.rds.backtrack_window.alert`**
+:   The number of times that the actual backtrack window is smaller than the target backtrack window for a given period of time.
+
+type: long
+
+
+**`aws.rds.storage_used.backup_retention_period.bytes`**
+:   The total amount of backup storage in bytes used to support the point-in-time restore feature within the Aurora DB cluster’s backup retention window.
+
+type: long
+
+
+**`aws.rds.storage_used.snapshot.bytes`**
+:   The total amount of backup storage in bytes consumed by all Aurora snapshots for an Aurora DB cluster outside its backup retention window.
+
+type: long
+
+
+**`aws.rds.cache_hit_ratio.buffer`**
+:   The percentage of requests that are served by the buffer cache.
+
+type: long
+
+
+**`aws.rds.cache_hit_ratio.result_set`**
+:   The percentage of requests that are served by the Resultset cache.
+
+type: long
+
+
+**`aws.rds.engine_uptime.sec`**
+:   The amount of time that the instance has been running, in seconds.
+
+type: long
+
+
+**`aws.rds.rds_to_aurora_postgresql_replica_lag.sec`**
+:   The amount of lag in seconds when replicating updates from the primary RDS PostgreSQL instance to other nodes in the cluster.
+
+type: long
+
+
+**`aws.rds.backup_storage_billed_total.bytes`**
+:   The total amount of backup storage in bytes for which you are billed for a given Aurora DB cluster.
+
+type: long
+
+
+**`aws.rds.aurora_volume_left_total.bytes`**
+:   The remaining available space for the cluster volume, measured in bytes.
+
+type: long
+
+
+
+## s3_daily_storage [_s3_daily_storage_2]
+
+`s3_daily_storage` contains the daily storage metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS S3.
+
+**`aws.s3_daily_storage.bucket.size.bytes`**
+:   The amount of data in bytes stored in a bucket.
+
+type: long
+
+format: bytes
+
+
+**`aws.s3_daily_storage.number_of_objects`**
+:   The total number of objects stored in a bucket for all storage classes.
+
+type: long
+
+
+
+## s3_request [_s3_request_2]
+
+`s3_request` contains request metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS S3.
+
+**`aws.s3_request.requests.total`**
+:   The total number of HTTP requests made to an Amazon S3 bucket, regardless of type.
+
+type: long
+
+
+**`aws.s3_request.requests.get`**
+:   The number of HTTP GET requests made for objects in an Amazon S3 bucket.
+
+type: long
+
+
+**`aws.s3_request.requests.put`**
+:   The number of HTTP PUT requests made for objects in an Amazon S3 bucket.
+
+type: long
+
+
+**`aws.s3_request.requests.delete`**
+:   The number of HTTP DELETE requests made for objects in an Amazon S3 bucket.
+
+type: long
+
+
+**`aws.s3_request.requests.head`**
+:   The number of HTTP HEAD requests made to an Amazon S3 bucket.
+
+type: long
+
+
+**`aws.s3_request.requests.post`**
+:   The number of HTTP POST requests made to an Amazon S3 bucket.
+
+type: long
+
+
+**`aws.s3_request.requests.select`**
+:   The number of Amazon S3 SELECT Object Content requests made for objects in an Amazon S3 bucket.
+
+type: long
+
+
+**`aws.s3_request.requests.select_scanned.bytes`**
+:   The number of bytes of data scanned with Amazon S3 SELECT Object Content requests in an Amazon S3 bucket.
+
+type: long
+
+format: bytes
+
+
+**`aws.s3_request.requests.select_returned.bytes`**
+:   The number of bytes of data returned with Amazon S3 SELECT Object Content requests in an Amazon S3 bucket.
+
+type: long
+
+format: bytes
+
+
+**`aws.s3_request.requests.list`**
+:   The number of HTTP requests that list the contents of a bucket.
+
+type: long
+
+
+**`aws.s3_request.downloaded.bytes`**
+:   The number bytes downloaded for requests made to an Amazon S3 bucket, where the response includes a body.
+
+type: long
+
+format: bytes
+
+
+**`aws.s3_request.uploaded.bytes`**
+:   The number bytes uploaded that contain a request body, made to an Amazon S3 bucket.
+
+type: long
+
+format: bytes
+
+
+**`aws.s3_request.errors.4xx`**
+:   The number of HTTP 4xx client error status code requests made to an Amazon S3 bucket with a value of either 0 or 1.
+
+type: long
+
+
+**`aws.s3_request.errors.5xx`**
+:   The number of HTTP 5xx server error status code requests made to an Amazon S3 bucket with a value of either 0 or 1.
+
+type: long
+
+
+**`aws.s3_request.latency.first_byte.ms`**
+:   The per-request time from the complete request being received by an Amazon S3 bucket to when the response starts to be returned.
+
+type: long
+
+format: duration
+
+
+**`aws.s3_request.latency.total_request.ms`**
+:   The elapsed per-request time from the first byte received to the last byte sent to an Amazon S3 bucket.
+
+type: long
+
+format: duration
+
+
+
+## sns [_sns]
+
+`sns` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS SNS.
+
+**`aws.sns.metrics.PublishSize.avg`**
+:   The size of messages published.
+
+type: double
+
+
+**`aws.sns.metrics.SMSSuccessRate.avg`**
+:   The rate of successful SMS message deliveries.
+
+type: double
+
+
+**`aws.sns.metrics.NumberOfMessagesPublished.sum`**
+:   The number of messages published to your Amazon SNS topics.
+
+type: long
+
+
+**`aws.sns.metrics.NumberOfNotificationsDelivered.sum`**
+:   The number of messages successfully delivered from your Amazon SNS topics to subscribing endpoints.
+
+type: long
+
+
+**`aws.sns.metrics.NumberOfNotificationsFailed.sum`**
+:   The number of messages that Amazon SNS failed to deliver.
+
+type: long
+
+
+**`aws.sns.metrics.NumberOfNotificationsFilteredOut.sum`**
+:   The number of messages that were rejected by subscription filter policies.
+
+type: long
+
+
+**`aws.sns.metrics.NumberOfNotificationsFilteredOut-InvalidAttributes.sum`**
+:   The number of messages that were rejected by subscription filter policies because the messages' attributes are invalid - for example, because the attribute JSON is incorrectly formatted.
+
+type: long
+
+
+**`aws.sns.metrics.NumberOfNotificationsFilteredOut-NoMessageAttributes.sum`**
+:   The number of messages that were rejected by subscription filter policies because the messages have no attributes.
+
+type: long
+
+
+**`aws.sns.metrics.NumberOfNotificationsRedrivenToDlq.sum`**
+:   The number of messages that have been moved to a dead-letter queue.
+
+type: long
+
+
+**`aws.sns.metrics.NumberOfNotificationsFailedToRedriveToDlq.sum`**
+:   The number of messages that couldn’t be moved to a dead-letter queue.
+
+type: long
+
+
+**`aws.sns.metrics.SMSMonthToDateSpentUSD.sum`**
+:   The charges you have accrued since the start of the current calendar month for sending SMS messages.
+
+type: long
+
+
+
+## sqs [_sqs_2]
+
+`sqs` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS SQS.
+
+**`aws.sqs.oldest_message_age.sec`**
+:   The maximum approximate age of the oldest non-deleted message in the queue.
+
+type: long
+
+format: duration
+
+
+**`aws.sqs.messages.delayed`**
+:   TThe number of messages in the queue that are delayed and not available for reading immediately.
+
+type: long
+
+
+**`aws.sqs.messages.not_visible`**
+:   The number of messages that are in flight.
+
+type: long
+
+
+**`aws.sqs.messages.visible`**
+:   The number of messages available for retrieval from the queue.
+
+type: long
+
+
+**`aws.sqs.messages.deleted`**
+:   The total number of messages deleted from the queue.
+
+type: long
+
+
+**`aws.sqs.messages.received`**
+:   The total number of messages returned by calls to the ReceiveMessage action.
+
+type: long
+
+
+**`aws.sqs.messages.sent`**
+:   The total number of messages added to a queue.
+
+type: long
+
+
+**`aws.sqs.empty_receives`**
+:   The total number of ReceiveMessage API calls that did not return a message.
+
+type: long
+
+
+**`aws.sqs.sent_message_size.bytes`**
+:   The size of messages added to a queue.
+
+type: long
+
+format: bytes
+
+
+**`aws.sqs.queue.name`**
+:   SQS queue name
+
+type: keyword
+
+
+
+## transitgateway [_transitgateway_2]
+
+`transitgateway` contains the metrics from Cloudwatch to track usage of transit gateway related resources.
+
+**`aws.transitgateway.metrics.BytesIn.sum`**
+:   The number of bytes received by the transit gateway.
+
+type: long
+
+
+**`aws.transitgateway.metrics.BytesOut.sum`**
+:   The number of bytes sent from the transit gateway.
+
+type: long
+
+
+**`aws.transitgateway.metrics.PacketsIn.sum`**
+:   The number of packets received by the transit gateway.
+
+type: long
+
+
+**`aws.transitgateway.metrics.PacketsOut.sum`**
+:   The number of packets sent by the transit gateway.
+
+type: long
+
+
+**`aws.transitgateway.metrics.PacketDropCountBlackhole.sum`**
+:   The number of packets dropped because they matched a blackhole route.
+
+type: long
+
+
+**`aws.transitgateway.metrics.PacketDropCountNoRoute.sum`**
+:   The number of packets dropped because they did not match a route.
+
+type: long
+
+
+**`aws.transitgateway.metrics.BytesDropCountNoRoute.sum`**
+:   The number of bytes dropped because they did not match a route.
+
+type: long
+
+
+**`aws.transitgateway.metrics.BytesDropCountBlackhole.sum`**
+:   The number of bytes dropped because they matched a blackhole route.
+
+type: long
+
+
+
+## usage [_usage_10]
+
+`usage` contains the metrics from Cloudwatch to track usage of some AWS resources.
+
+**`aws.usage.metrics.CallCount.sum`**
+:   The number of specified API operations performed in your account.
+
+type: long
+
+
+**`aws.usage.metrics.ResourceCount.sum`**
+:   The number of the specified resources running in your account. The resources are defined by the dimensions associated with the metric.
+
+type: long
+
+
+
+## vpn [_vpn_2]
+
+`vpn` contains the metrics from Cloudwatch to track usage of VPN related resources.
+
+**`aws.vpn.metrics.TunnelState.avg`**
+:   The state of the tunnel. For static VPNs, 0 indicates DOWN and 1 indicates UP. For BGP VPNs, 1 indicates ESTABLISHED and 0 is used for all other states.
+
+type: double
+
+
+**`aws.vpn.metrics.TunnelDataIn.sum`**
+:   The bytes received through the VPN tunnel.
+
+type: double
+
+
+**`aws.vpn.metrics.TunnelDataOut.sum`**
+:   The bytes sent through the VPN tunnel.
+
+type: double
+
+
diff --git a/docs/reference/metricbeat/exported-fields-awsfargate.md b/docs/reference/metricbeat/exported-fields-awsfargate.md
new file mode 100644
index 000000000000..709f663231ce
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-awsfargate.md
@@ -0,0 +1,473 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-awsfargate.html
+---
+
+# AWS Fargate fields [exported-fields-awsfargate]
+
+`awsfargate` module collects AWS fargate metrics from task metadata endpoint.
+
+**`awsfargate.container.labels.com_amazonaws_ecs_cluster`**
+:   ECS Cluster name
+
+type: keyword
+
+
+**`awsfargate.container.labels.com_amazonaws_ecs_container-name`**
+:   ECS container name
+
+type: keyword
+
+
+**`awsfargate.container.labels.com_amazonaws_ecs_task-arn`**
+:   ECS task ARN
+
+type: keyword
+
+
+**`awsfargate.container.labels.com_amazonaws_ecs_task-definition-family`**
+:   ECS task definition family
+
+type: keyword
+
+
+**`awsfargate.container.labels.com_amazonaws_ecs_task-definition-version`**
+:   ECS task definition version
+
+type: keyword
+
+
+
+## task_stats [_task_stats_2]
+
+`task_stats` contains the metrics that were scraped from AWS fargate task stats ${ECS_CONTAINER_METADATA_URI_V4}/task/stats metadata endpoint.
+
+**`awsfargate.task_stats.cluster_name`**
+:   Cluster name (Pippero)
+
+type: keyword
+
+
+**`awsfargate.task_stats.task_name`**
+:   ECS task name
+
+type: keyword
+
+
+**`awsfargate.task_stats.identifier`**
+:   Container identifier across tasks and clusters, which equals to container.name + */* + container.id.
+
+type: keyword
+
+
+**`awsfargate.task_stats.task_desired_status`**
+:   The desired status for the task from Amazon ECS.
+
+type: keyword
+
+
+**`awsfargate.task_stats.task_known_status`**
+:   The known status for the task from Amazon ECS.
+
+type: keyword
+
+
+**`awsfargate.task_stats.memory_hard_limit`**
+:   The Hard Memory Limit for the task from Amazon ECS.
+
+type: scaled_float
+
+
+
+## cpu [_cpu_3]
+
+Runtime CPU metrics.
+
+**`awsfargate.task_stats.cpu.kernel.pct`**
+:   Percentage of time in kernel space, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`awsfargate.task_stats.cpu.kernel.norm.pct`**
+:   Percentage of time in kernel space normalized by the number of CPU cores, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`awsfargate.task_stats.cpu.kernel.ticks`**
+:   CPU ticks in kernel space.
+
+type: long
+
+
+**`awsfargate.task_stats.cpu.system.pct`**
+:   Percentage of total CPU time in the system, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`awsfargate.task_stats.cpu.system.norm.pct`**
+:   Percentage of total CPU time in the system normalized by the number of CPU cores, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`awsfargate.task_stats.cpu.system.ticks`**
+:   CPU system ticks.
+
+type: long
+
+
+**`awsfargate.task_stats.cpu.user.pct`**
+:   Percentage of time in user space, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`awsfargate.task_stats.cpu.user.norm.pct`**
+:   Percentage of time in user space normalized by the number of CPU cores, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`awsfargate.task_stats.cpu.user.ticks`**
+:   CPU ticks in user space.
+
+type: long
+
+
+**`awsfargate.task_stats.cpu.total.pct`**
+:   Total CPU usage, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`awsfargate.task_stats.cpu.total.norm.pct`**
+:   Total CPU usage normalized by the number of CPU cores, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+
+## diskio [_diskio_2]
+
+Disk I/O metrics.
+
+
+## read [_read_2]
+
+Accumulated reads during the life of the container
+
+**`awsfargate.task_stats.diskio.read.ops`**
+:   Number of reads during the life of the container
+
+type: long
+
+
+**`awsfargate.task_stats.diskio.read.bytes`**
+:   Bytes read during the life of the container
+
+type: long
+
+format: bytes
+
+
+**`awsfargate.task_stats.diskio.read.rate`**
+:   Number of current reads per second
+
+type: long
+
+
+**`awsfargate.task_stats.diskio.read.service_time`**
+:   Total time to service IO requests, in nanoseconds
+
+type: long
+
+
+**`awsfargate.task_stats.diskio.read.wait_time`**
+:   Total time requests spent waiting in queues for service, in nanoseconds
+
+type: long
+
+
+**`awsfargate.task_stats.diskio.read.queued`**
+:   Total number of queued requests
+
+type: long
+
+
+**`awsfargate.task_stats.diskio.reads`**
+:   [6.4]
+
+Number of current reads per second
+
+type: scaled_float
+
+
+
+## write [_write_2]
+
+Accumulated writes during the life of the container
+
+**`awsfargate.task_stats.diskio.write.ops`**
+:   Number of writes during the life of the container
+
+type: long
+
+
+**`awsfargate.task_stats.diskio.write.bytes`**
+:   Bytes written during the life of the container
+
+type: long
+
+format: bytes
+
+
+**`awsfargate.task_stats.diskio.write.rate`**
+:   Number of current writes per second
+
+type: long
+
+
+**`awsfargate.task_stats.diskio.write.service_time`**
+:   Total time to service IO requests, in nanoseconds
+
+type: long
+
+
+**`awsfargate.task_stats.diskio.write.wait_time`**
+:   Total time requests spent waiting in queues for service, in nanoseconds
+
+type: long
+
+
+**`awsfargate.task_stats.diskio.write.queued`**
+:   Total number of queued requests
+
+type: long
+
+
+**`awsfargate.task_stats.diskio.writes`**
+:   [6.4]
+
+Number of current writes per second
+
+type: scaled_float
+
+
+
+## summary [_summary]
+
+Accumulated reads and writes during the life of the container
+
+**`awsfargate.task_stats.diskio.summary.ops`**
+:   Number of I/O operations during the life of the container
+
+type: long
+
+
+**`awsfargate.task_stats.diskio.summary.bytes`**
+:   Bytes read and written during the life of the container
+
+type: long
+
+format: bytes
+
+
+**`awsfargate.task_stats.diskio.summary.rate`**
+:   Number of current operations per second
+
+type: long
+
+
+**`awsfargate.task_stats.diskio.summary.service_time`**
+:   Total time to service IO requests, in nanoseconds
+
+type: long
+
+
+**`awsfargate.task_stats.diskio.summary.wait_time`**
+:   Total time requests spent waiting in queues for service, in nanoseconds
+
+type: long
+
+
+**`awsfargate.task_stats.diskio.summary.queued`**
+:   Total number of queued requests
+
+type: long
+
+
+**`awsfargate.task_stats.diskio.total`**
+:   [6.4]
+
+Number of reads and writes per second
+
+type: scaled_float
+
+
+
+## memory [_memory_3]
+
+Memory metrics.
+
+**`awsfargate.task_stats.memory.stats`**
+:   Raw memory stats from the cgroups memory.stat interface
+
+type: object
+
+
+
+## commit [_commit]
+
+Committed bytes on Windows
+
+**`awsfargate.task_stats.memory.commit.total`**
+:   Total bytes
+
+type: long
+
+format: bytes
+
+
+**`awsfargate.task_stats.memory.commit.peak`**
+:   Peak committed bytes on Windows
+
+type: long
+
+format: bytes
+
+
+**`awsfargate.task_stats.memory.private_working_set.total`**
+:   private working sets on Windows
+
+type: long
+
+format: bytes
+
+
+**`awsfargate.task_stats.memory.fail.count`**
+:   Fail counter.
+
+type: scaled_float
+
+
+**`awsfargate.task_stats.memory.limit`**
+:   Memory limit.
+
+type: long
+
+format: bytes
+
+
+
+## rss [_rss]
+
+RSS memory stats.
+
+**`awsfargate.task_stats.memory.rss.total`**
+:   Total memory resident set size.
+
+type: long
+
+format: bytes
+
+
+**`awsfargate.task_stats.memory.rss.pct`**
+:   Memory resident set size percentage, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+
+## usage [_usage_11]
+
+Usage memory stats.
+
+**`awsfargate.task_stats.memory.usage.max`**
+:   Max memory usage.
+
+type: long
+
+format: bytes
+
+
+**`awsfargate.task_stats.memory.usage.total`**
+:   Total memory usage.
+
+type: long
+
+format: bytes
+
+
+**`awsfargate.task_stats.network.*.inbound.bytes`**
+:   Total number of incoming bytes.
+
+type: long
+
+format: bytes
+
+
+**`awsfargate.task_stats.network.*.inbound.dropped`**
+:   Total number of dropped incoming packets.
+
+type: long
+
+
+**`awsfargate.task_stats.network.*.inbound.errors`**
+:   Total errors on incoming packets.
+
+type: long
+
+
+**`awsfargate.task_stats.network.*.inbound.packets`**
+:   Total number of incoming packets.
+
+type: long
+
+
+**`awsfargate.task_stats.network.*.outbound.bytes`**
+:   Total number of incoming bytes.
+
+type: long
+
+format: bytes
+
+
+**`awsfargate.task_stats.network.*.outbound.dropped`**
+:   Total number of dropped incoming packets.
+
+type: long
+
+
+**`awsfargate.task_stats.network.*.outbound.errors`**
+:   Total errors on incoming packets.
+
+type: long
+
+
+**`awsfargate.task_stats.network.*.outbound.packets`**
+:   Total number of incoming packets.
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-azure.md b/docs/reference/metricbeat/exported-fields-azure.md
new file mode 100644
index 000000000000..4f3249593743
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-azure.md
@@ -0,0 +1,370 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-azure.html
+---
+
+# Azure fields [exported-fields-azure]
+
+azure module
+
+**`azure.timegrain`**
+:   The Azure metric timegrain
+
+type: keyword
+
+
+
+## resource [_resource]
+
+The resource specified
+
+**`azure.resource.type`**
+:   The type of the resource
+
+type: keyword
+
+
+**`azure.resource.name`**
+:   The name of the resource
+
+type: keyword
+
+
+**`azure.resource.group`**
+:   The resource group
+
+type: keyword
+
+
+**`azure.resource.tags.*`**
+:   Azure resource tags.
+
+type: object
+
+
+**`azure.namespace`**
+:   The namespace selected
+
+type: keyword
+
+
+**`azure.subscription_id`**
+:   The subscription ID
+
+type: keyword
+
+
+**`azure.subscription_name`**
+:   The subscription name
+
+type: keyword
+
+
+**`azure.application_id`**
+:   The application ID
+
+type: keyword
+
+
+**`azure.dimensions.*`**
+:   Azure metric dimensions.
+
+type: object
+
+
+**`azure.metrics.*.*`**
+:   Metrics returned.
+
+type: object
+
+
+
+## app_insights [_app_insights_2]
+
+application insights
+
+**`azure.app_insights.start_date`**
+:   The start date
+
+type: date
+
+
+**`azure.app_insights.end_date`**
+:   The end date
+
+type: date
+
+
+**`azure.app_insights.metrics.*.*`**
+:   The metrics
+
+type: object
+
+
+
+## app_state [_app_state_2]
+
+application state
+
+**`azure.app_state.start_date`**
+:   The start date
+
+type: date
+
+
+**`azure.app_state.end_date`**
+:   The end date
+
+type: date
+
+
+**`azure.app_state.requests_count.sum`**
+:   Request count
+
+type: float
+
+
+**`azure.app_state.requests_failed.sum`**
+:   Request failed count
+
+type: float
+
+
+**`azure.app_state.users_count.unique`**
+:   User count
+
+type: float
+
+
+**`azure.app_state.sessions_count.unique`**
+:   Session count
+
+type: float
+
+
+**`azure.app_state.users_authenticated.unique`**
+:   Authenticated users count
+
+type: float
+
+
+**`azure.app_state.browser_timings_network_duration.avg`**
+:   Browser timings network duration
+
+type: float
+
+
+**`azure.app_state.browser_timings_send_duration.avg`**
+:   Browser timings send duration
+
+type: float
+
+
+**`azure.app_state.browser_timings_receive_uration.avg`**
+:   Browser timings receive duration
+
+type: float
+
+
+**`azure.app_state.browser_timings_processing_duration.avg`**
+:   Browser timings processing duration
+
+type: float
+
+
+**`azure.app_state.browser_timings_total_duration.avg`**
+:   Browser timings total duration
+
+type: float
+
+
+**`azure.app_state.exceptions_count.sum`**
+:   Exception count
+
+type: float
+
+
+**`azure.app_state.exceptions_browser.sum`**
+:   Exception count at browser level
+
+type: float
+
+
+**`azure.app_state.exceptions_server.sum`**
+:   Exception count at server level
+
+type: float
+
+
+**`azure.app_state.performance_counters_memory_available_bytes.avg`**
+:   Performance counters memory available bytes
+
+type: float
+
+
+**`azure.app_state.performance_counters_process_private_bytes.avg`**
+:   Performance counters process private bytes
+
+type: float
+
+
+**`azure.app_state.performance_counters_process_cpu_percentage_total.avg`**
+:   Performance counters process cpu percentage total
+
+type: float
+
+
+**`azure.app_state.performance_counters_process_cpu_percentage.avg`**
+:   Performance counters process cpu percentage
+
+type: float
+
+
+**`azure.app_state.performance_counters_processiobytes_per_second.avg`**
+:   Performance counters process IO bytes per second
+
+type: float
+
+
+
+## billing [_billing_5]
+
+billing and usage details
+
+**`azure.billing.currency`**
+:   Billing Currency.
+
+type: keyword
+
+
+**`azure.billing.pretax_cost`**
+:   The amount of cost before tax.
+
+type: float
+
+
+**`azure.billing.unit_price`**
+:   Unit Price is the price applicable to you. (your EA or other contract price).
+
+type: float
+
+
+**`azure.billing.quantity`**
+:   Measure the quantity purchased or consumed. The amount of the meter used during the billing period.
+
+type: float
+
+
+**`azure.billing.department_name`**
+:   The department name
+
+type: keyword
+
+
+**`azure.billing.product`**
+:   Product name for the consumed service or purchase.
+
+type: keyword
+
+
+**`azure.billing.usage_start`**
+:   The usage start date
+
+type: date
+
+
+**`azure.billing.usage_end`**
+:   The usage end date
+
+type: date
+
+
+**`azure.billing.billing_period_id`**
+:   The billing period id.
+
+type: keyword
+
+
+**`azure.billing.account_name`**
+:   Name of the Billing Account.
+
+type: keyword
+
+
+**`azure.billing.account_id`**
+:   Billing Account identifier.
+
+type: keyword
+
+
+**`azure.billing.actual_cost`**
+:   The actual cost
+
+type: float
+
+
+**`azure.billing.forecast_cost`**
+:   The forecast cost
+
+type: float
+
+
+**`azure.billing.usage_date`**
+:   The usage date
+
+type: date
+
+
+**`azure.compute_vm.*.*`**
+:   compute_vm
+
+type: object
+
+
+**`azure.compute_vm_scaleset.*.*`**
+:   compute_vm_scaleset
+
+type: object
+
+
+**`azure.container_instance.*.*`**
+:   container instance
+
+type: object
+
+
+**`azure.container_registry.*.*`**
+:   container registry
+
+type: object
+
+
+**`azure.container_service.*.*`**
+:   container service
+
+type: object
+
+
+**`azure.database_account.*.*`**
+:   database account
+
+type: object
+
+
+
+## monitor [_monitor_2]
+
+monitor
+
+**`azure.storage.*.*`**
+:   storage account
+
+type: object
+
+
+**`azure.storage_account.*.*`**
+:   storage account
+
+type: object
+
+
diff --git a/docs/reference/metricbeat/exported-fields-beat-common.md b/docs/reference/metricbeat/exported-fields-beat-common.md
new file mode 100644
index 000000000000..d09edf82cab3
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-beat-common.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-beat-common.html
+---
+
+# Beat fields [exported-fields-beat-common]
+
+Contains common beat fields available in all event types.
+
+**`agent.hostname`**
+:   Deprecated - use agent.name or agent.id to identify an agent.
+
+type: alias
+
+alias to: agent.name
+
+
+**`beat.timezone`**
+:   type: alias
+
+alias to: event.timezone
+
+
+**`fields`**
+:   Contains user configurable fields.
+
+type: object
+
+
+**`beat.name`**
+:   type: alias
+
+alias to: host.name
+
+
+**`beat.hostname`**
+:   type: alias
+
+alias to: agent.name
+
+
+**`timeseries.instance`**
+:   Time series instance id
+
+type: keyword
+
+
diff --git a/docs/reference/metricbeat/exported-fields-beat.md b/docs/reference/metricbeat/exported-fields-beat.md
new file mode 100644
index 000000000000..e865338da5ca
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-beat.md
@@ -0,0 +1,2401 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-beat.html
+---
+
+# Beat fields [exported-fields-beat]
+
+Beat module
+
+**`beats_stats.apm-server.acm.request.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.request.count
+
+
+**`beats_stats.apm-server.acm.response.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.count
+
+
+**`beats_stats.apm-server.acm.response.errors.closed`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.errors.closed
+
+
+**`beats_stats.apm-server.acm.response.errors.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.errors.count
+
+
+**`beats_stats.apm-server.acm.response.errors.decode`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.errors.decode
+
+
+**`beats_stats.apm-server.acm.response.errors.forbidden`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.errors.forbidden
+
+
+**`beats_stats.apm-server.acm.response.errors.internal`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.errors.internal
+
+
+**`beats_stats.apm-server.acm.response.errors.invalidquery`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.errors.invalidquery
+
+
+**`beats_stats.apm-server.acm.response.errors.method`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.errors.method
+
+
+**`beats_stats.apm-server.acm.response.errors.notfound`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.errors.notfound
+
+
+**`beats_stats.apm-server.acm.response.errors.queue`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.errors.queue
+
+
+**`beats_stats.apm-server.acm.response.errors.ratelimit`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.errors.ratelimit
+
+
+**`beats_stats.apm-server.acm.response.errors.timeout`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.errors.timeout
+
+
+**`beats_stats.apm-server.acm.response.errors.toolarge`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.errors.toolarge
+
+
+**`beats_stats.apm-server.acm.response.errors.unauthorized`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.errors.unauthorized
+
+
+**`beats_stats.apm-server.acm.response.errors.unavailable`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.errors.unavailable
+
+
+**`beats_stats.apm-server.acm.response.errors.validate`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.errors.validate
+
+
+**`beats_stats.apm-server.acm.response.valid.accepted`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.valid.accepted
+
+
+**`beats_stats.apm-server.acm.response.valid.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.valid.count
+
+
+**`beats_stats.apm-server.acm.response.valid.notmodified`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.valid.notmodified
+
+
+**`beats_stats.apm-server.acm.response.valid.ok`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.response.valid.ok
+
+
+**`beats_stats.apm-server.acm.unset`**
+:   type: alias
+
+alias to: beat.stats.apm_server.acm.unset
+
+
+**`beats_stats.apm-server.agentcfg.elasticsearch.cache.entries.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.agentcfg.elasticsearch.cache.entries.count
+
+
+**`beats_stats.apm-server.agentcfg.elasticsearch.cache.refresh.failures`**
+:   type: alias
+
+alias to: beat.stats.apm_server.agentcfg.elasticsearch.cache.refresh.failures
+
+
+**`beats_stats.apm-server.agentcfg.elasticsearch.cache.refresh.successes`**
+:   type: alias
+
+alias to: beat.stats.apm_server.agentcfg.elasticsearch.cache.refresh.successes
+
+
+**`beats_stats.apm-server.agentcfg.elasticsearch.fetch.es`**
+:   type: alias
+
+alias to: beat.stats.apm_server.agentcfg.elasticsearch.fetch.es
+
+
+**`beats_stats.apm-server.agentcfg.elasticsearch.fetch.fallback`**
+:   type: alias
+
+alias to: beat.stats.apm_server.agentcfg.elasticsearch.fetch.fallback
+
+
+**`beats_stats.apm-server.agentcfg.elasticsearch.fetch.invalid`**
+:   type: alias
+
+alias to: beat.stats.apm_server.agentcfg.elasticsearch.fetch.invalid
+
+
+**`beats_stats.apm-server.agentcfg.elasticsearch.fetch.unavailable`**
+:   type: alias
+
+alias to: beat.stats.apm_server.agentcfg.elasticsearch.fetch.unavailable
+
+
+**`beats_stats.apm-server.jaeger.grpc.collect.request.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.jaeger.grpc.collect.request.count
+
+
+**`beats_stats.apm-server.jaeger.grpc.collect.response.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.jaeger.grpc.collect.response.count
+
+
+**`beats_stats.apm-server.jaeger.grpc.collect.response.errors.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.jaeger.grpc.collect.response.errors.count
+
+
+**`beats_stats.apm-server.jaeger.grpc.collect.response.errors.ratelimit`**
+:   type: alias
+
+alias to: beat.stats.apm_server.jaeger.grpc.collect.response.errors.ratelimit
+
+
+**`beats_stats.apm-server.jaeger.grpc.collect.response.errors.timeout`**
+:   type: alias
+
+alias to: beat.stats.apm_server.jaeger.grpc.collect.response.errors.timeout
+
+
+**`beats_stats.apm-server.jaeger.grpc.collect.response.errors.unauthorized`**
+:   type: alias
+
+alias to: beat.stats.apm_server.jaeger.grpc.collect.response.errors.unauthorized
+
+
+**`beats_stats.apm-server.jaeger.grpc.collect.response.valid.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.jaeger.grpc.collect.response.valid.count
+
+
+**`beats_stats.apm-server.jaeger.grpc.sampling.event.received.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.jaeger.grpc.sampling.event.received.count
+
+
+**`beats_stats.apm-server.jaeger.grpc.sampling.request.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.jaeger.grpc.sampling.request.count
+
+
+**`beats_stats.apm-server.jaeger.grpc.sampling.response.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.jaeger.grpc.sampling.response.count
+
+
+**`beats_stats.apm-server.jaeger.grpc.sampling.response.errors.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.jaeger.grpc.sampling.response.errors.count
+
+
+**`beats_stats.apm-server.jaeger.grpc.sampling.response.valid.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.jaeger.grpc.sampling.response.valid.count
+
+
+**`beats_stats.apm-server.otlp.grpc.logs.request.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.logs.request.count
+
+
+**`beats_stats.apm-server.otlp.grpc.logs.response.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.logs.response.count
+
+
+**`beats_stats.apm-server.otlp.grpc.logs.response.errors.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.logs.response.errors.count
+
+
+**`beats_stats.apm-server.otlp.grpc.logs.response.errors.ratelimit`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.logs.response.errors.ratelimit
+
+
+**`beats_stats.apm-server.otlp.grpc.logs.response.errors.timeout`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.logs.response.errors.timeout
+
+
+**`beats_stats.apm-server.otlp.grpc.logs.response.errors.unauthorized`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.logs.response.errors.unauthorized
+
+
+**`beats_stats.apm-server.otlp.grpc.logs.response.valid.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.logs.response.valid.count
+
+
+**`beats_stats.apm-server.otlp.grpc.metrics.consumer.unsupported_dropped`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.metrics.consumer.unsupported_dropped
+
+
+**`beats_stats.apm-server.otlp.grpc.metrics.request.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.metrics.request.count
+
+
+**`beats_stats.apm-server.otlp.grpc.metrics.response.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.metrics.response.count
+
+
+**`beats_stats.apm-server.otlp.grpc.metrics.response.errors.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.metrics.response.errors.count
+
+
+**`beats_stats.apm-server.otlp.grpc.metrics.response.errors.ratelimit`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.metrics.response.errors.ratelimit
+
+
+**`beats_stats.apm-server.otlp.grpc.metrics.response.errors.timeout`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.metrics.response.errors.timeout
+
+
+**`beats_stats.apm-server.otlp.grpc.metrics.response.errors.unauthorized`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.metrics.response.errors.unauthorized
+
+
+**`beats_stats.apm-server.otlp.grpc.metrics.response.valid.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.metrics.response.valid.count
+
+
+**`beats_stats.apm-server.otlp.grpc.traces.request.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.traces.request.count
+
+
+**`beats_stats.apm-server.otlp.grpc.traces.response.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.traces.response.count
+
+
+**`beats_stats.apm-server.otlp.grpc.traces.response.errors.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.traces.response.errors.count
+
+
+**`beats_stats.apm-server.otlp.grpc.traces.response.errors.ratelimit`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.traces.response.errors.ratelimit
+
+
+**`beats_stats.apm-server.otlp.grpc.traces.response.errors.timeout`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.traces.response.errors.timeout
+
+
+**`beats_stats.apm-server.otlp.grpc.traces.response.errors.unauthorized`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.traces.response.errors.unauthorized
+
+
+**`beats_stats.apm-server.otlp.grpc.traces.response.valid.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.grpc.traces.response.valid.count
+
+
+**`beats_stats.apm-server.otlp.http.logs.request.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.logs.request.count
+
+
+**`beats_stats.apm-server.otlp.http.logs.response.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.logs.response.count
+
+
+**`beats_stats.apm-server.otlp.http.logs.response.errors.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.logs.response.errors.count
+
+
+**`beats_stats.apm-server.otlp.http.logs.response.errors.ratelimit`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.logs.response.errors.ratelimit
+
+
+**`beats_stats.apm-server.otlp.http.logs.response.errors.timeout`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.logs.response.errors.timeout
+
+
+**`beats_stats.apm-server.otlp.http.logs.response.errors.unauthorized`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.logs.response.errors.unauthorized
+
+
+**`beats_stats.apm-server.otlp.http.logs.response.valid.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.logs.response.valid.count
+
+
+**`beats_stats.apm-server.otlp.http.metrics.consumer.unsupported_dropped`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.metrics.consumer.unsupported_dropped
+
+
+**`beats_stats.apm-server.otlp.http.metrics.request.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.metrics.request.count
+
+
+**`beats_stats.apm-server.otlp.http.metrics.response.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.metrics.response.count
+
+
+**`beats_stats.apm-server.otlp.http.metrics.response.errors.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.metrics.response.errors.count
+
+
+**`beats_stats.apm-server.otlp.http.metrics.response.errors.ratelimit`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.metrics.response.errors.ratelimit
+
+
+**`beats_stats.apm-server.otlp.http.metrics.response.errors.timeout`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.metrics.response.errors.timeout
+
+
+**`beats_stats.apm-server.otlp.http.metrics.response.errors.unauthorized`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.metrics.response.errors.unauthorized
+
+
+**`beats_stats.apm-server.otlp.http.metrics.response.valid.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.metrics.response.valid.count
+
+
+**`beats_stats.apm-server.otlp.http.traces.request.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.traces.request.count
+
+
+**`beats_stats.apm-server.otlp.http.traces.response.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.traces.response.count
+
+
+**`beats_stats.apm-server.otlp.http.traces.response.errors.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.traces.response.errors.count
+
+
+**`beats_stats.apm-server.otlp.http.traces.response.errors.ratelimit`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.traces.response.errors.ratelimit
+
+
+**`beats_stats.apm-server.otlp.http.traces.response.errors.timeout`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.traces.response.errors.timeout
+
+
+**`beats_stats.apm-server.otlp.http.traces.response.errors.unauthorized`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.traces.response.errors.unauthorized
+
+
+**`beats_stats.apm-server.otlp.http.traces.response.valid.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.otlp.http.traces.response.valid.count
+
+
+**`beats_stats.apm-server.processor.error.transformations`**
+:   type: alias
+
+alias to: beat.stats.apm_server.processor.error.transformations
+
+
+**`beats_stats.apm-server.processor.metric.transformations`**
+:   type: alias
+
+alias to: beat.stats.apm_server.processor.metric.transformations
+
+
+**`beats_stats.apm-server.processor.span.transformations`**
+:   type: alias
+
+alias to: beat.stats.apm_server.processor.span.transformations
+
+
+**`beats_stats.apm-server.processor.stream.accepted`**
+:   type: alias
+
+alias to: beat.stats.apm_server.processor.stream.accepted
+
+
+**`beats_stats.apm-server.processor.stream.errors.invalid`**
+:   type: alias
+
+alias to: beat.stats.apm_server.processor.stream.errors.invalid
+
+
+**`beats_stats.apm-server.processor.stream.errors.toolarge`**
+:   type: alias
+
+alias to: beat.stats.apm_server.processor.stream.errors.toolarge
+
+
+**`beats_stats.apm-server.processor.transaction.transformations`**
+:   type: alias
+
+alias to: beat.stats.apm_server.processor.transaction.transformations
+
+
+**`beats_stats.apm-server.root.request.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.request.count
+
+
+**`beats_stats.apm-server.root.response.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.count
+
+
+**`beats_stats.apm-server.root.response.errors.closed`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.errors.closed
+
+
+**`beats_stats.apm-server.root.response.errors.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.errors.count
+
+
+**`beats_stats.apm-server.root.response.errors.decode`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.errors.decode
+
+
+**`beats_stats.apm-server.root.response.errors.forbidden`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.errors.forbidden
+
+
+**`beats_stats.apm-server.root.response.errors.internal`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.errors.internal
+
+
+**`beats_stats.apm-server.root.response.errors.invalidquery`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.errors.invalidquery
+
+
+**`beats_stats.apm-server.root.response.errors.method`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.errors.method
+
+
+**`beats_stats.apm-server.root.response.errors.notfound`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.errors.notfound
+
+
+**`beats_stats.apm-server.root.response.errors.queue`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.errors.queue
+
+
+**`beats_stats.apm-server.root.response.errors.ratelimit`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.errors.ratelimit
+
+
+**`beats_stats.apm-server.root.response.errors.timeout`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.errors.timeout
+
+
+**`beats_stats.apm-server.root.response.errors.toolarge`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.errors.toolarge
+
+
+**`beats_stats.apm-server.root.response.errors.unauthorized`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.errors.unauthorized
+
+
+**`beats_stats.apm-server.root.response.errors.unavailable`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.errors.unavailable
+
+
+**`beats_stats.apm-server.root.response.errors.validate`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.errors.validate
+
+
+**`beats_stats.apm-server.root.response.valid.accepted`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.valid.accepted
+
+
+**`beats_stats.apm-server.root.response.valid.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.valid.count
+
+
+**`beats_stats.apm-server.root.response.valid.notmodified`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.valid.notmodified
+
+
+**`beats_stats.apm-server.root.response.valid.ok`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.response.valid.ok
+
+
+**`beats_stats.apm-server.root.unset`**
+:   type: alias
+
+alias to: beat.stats.apm_server.root.unset
+
+
+**`beats_stats.apm-server.sampling.transactions_dropped`**
+:   type: alias
+
+alias to: beat.stats.apm_server.sampling.transactions_dropped
+
+
+**`beats_stats.apm-server.server.request.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.request.count
+
+
+**`beats_stats.apm-server.server.response.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.count
+
+
+**`beats_stats.apm-server.server.response.errors.closed`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.errors.closed
+
+
+**`beats_stats.apm-server.server.response.errors.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.errors.count
+
+
+**`beats_stats.apm-server.server.response.errors.decode`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.errors.decode
+
+
+**`beats_stats.apm-server.server.response.errors.forbidden`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.errors.forbidden
+
+
+**`beats_stats.apm-server.server.response.errors.internal`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.errors.internal
+
+
+**`beats_stats.apm-server.server.response.errors.invalidquery`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.errors.invalidquery
+
+
+**`beats_stats.apm-server.server.response.errors.method`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.errors.method
+
+
+**`beats_stats.apm-server.server.response.errors.notfound`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.errors.notfound
+
+
+**`beats_stats.apm-server.server.response.errors.queue`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.errors.queue
+
+
+**`beats_stats.apm-server.server.response.errors.ratelimit`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.errors.ratelimit
+
+
+**`beats_stats.apm-server.server.response.errors.timeout`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.errors.timeout
+
+
+**`beats_stats.apm-server.server.response.errors.toolarge`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.errors.toolarge
+
+
+**`beats_stats.apm-server.server.response.errors.unauthorized`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.errors.unauthorized
+
+
+**`beats_stats.apm-server.server.response.errors.unavailable`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.errors.unavailable
+
+
+**`beats_stats.apm-server.server.response.errors.validate`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.errors.validate
+
+
+**`beats_stats.apm-server.server.response.valid.accepted`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.valid.accepted
+
+
+**`beats_stats.apm-server.server.response.valid.count`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.valid.count
+
+
+**`beats_stats.apm-server.server.response.valid.notmodified`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.valid.notmodified
+
+
+**`beats_stats.apm-server.server.response.valid.ok`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.response.valid.ok
+
+
+**`beats_stats.apm-server.server.unset`**
+:   type: alias
+
+alias to: beat.stats.apm_server.server.unset
+
+
+**`beats_stats.beat.host`**
+:   type: alias
+
+alias to: beat.stats.info.host
+
+
+**`beats_stats.beat.name`**
+:   type: alias
+
+alias to: beat.stats.info.name
+
+
+**`beats_stats.beat.type`**
+:   type: alias
+
+alias to: beat.stats.info.type
+
+
+**`beats_stats.beat.uuid`**
+:   type: alias
+
+alias to: beat.stats.info.uuid
+
+
+**`beats_stats.beat.version`**
+:   type: alias
+
+alias to: beat.stats.info.version
+
+
+**`beats_stats.metrics.system.cpu.cores`**
+:   type: alias
+
+alias to: beat.stats.system.cpu.cores
+
+
+**`beats_stats.metrics.system.load.1`**
+:   type: alias
+
+alias to: beat.stats.system.load.1
+
+
+**`beats_stats.metrics.system.load.5`**
+:   type: alias
+
+alias to: beat.stats.system.load.5
+
+
+**`beats_stats.metrics.system.load.15`**
+:   type: alias
+
+alias to: beat.stats.system.load.15
+
+
+**`beats_stats.metrics.system.load.norm.1`**
+:   type: alias
+
+alias to: beat.stats.system.load.norm.1
+
+
+**`beats_stats.metrics.system.load.norm.15`**
+:   type: alias
+
+alias to: beat.stats.system.load.norm.15
+
+
+**`beats_stats.metrics.system.load.norm.5`**
+:   type: alias
+
+alias to: beat.stats.system.load.norm.5
+
+
+**`beats_stats.metrics.libbeat.pipeline.clients`**
+:   type: alias
+
+alias to: beat.stats.libbeat.pipeline.clients
+
+
+**`beats_stats.metrics.libbeat.pipeline.queue.acked`**
+:   type: alias
+
+alias to: beat.stats.libbeat.pipeline.queue.acked
+
+
+**`beats_stats.metrics.libbeat.pipeline.event.active`**
+:   type: alias
+
+alias to: beat.stats.libbeat.pipeline.events.active
+
+
+**`beats_stats.metrics.libbeat.pipeline.event.dropped`**
+:   type: alias
+
+alias to: beat.stats.libbeat.pipeline.events.dropped
+
+
+**`beats_stats.metrics.libbeat.pipeline.event.failed`**
+:   type: alias
+
+alias to: beat.stats.libbeat.pipeline.events.failed
+
+
+**`beats_stats.metrics.libbeat.pipeline.event.filtered`**
+:   type: alias
+
+alias to: beat.stats.libbeat.pipeline.events.filtered
+
+
+**`beats_stats.metrics.libbeat.pipeline.event.published`**
+:   type: alias
+
+alias to: beat.stats.libbeat.pipeline.events.published
+
+
+**`beats_stats.metrics.libbeat.pipeline.event.retry`**
+:   type: alias
+
+alias to: beat.stats.libbeat.pipeline.events.retry
+
+
+**`beats_stats.metrics.libbeat.pipeline.event.total`**
+:   type: alias
+
+alias to: beat.stats.libbeat.pipeline.events.total
+
+
+**`beats_stats.metrics.libbeat.output.events.acked`**
+:   type: alias
+
+alias to: beat.stats.libbeat.output.events.acked
+
+
+**`beats_stats.metrics.libbeat.output.events.active`**
+:   type: alias
+
+alias to: beat.stats.libbeat.output.events.active
+
+
+**`beats_stats.metrics.libbeat.output.events.batches`**
+:   type: alias
+
+alias to: beat.stats.libbeat.output.events.batches
+
+
+**`beats_stats.metrics.libbeat.output.events.dropped`**
+:   type: alias
+
+alias to: beat.stats.libbeat.output.events.dropped
+
+
+**`beats_stats.metrics.libbeat.output.events.duplicated`**
+:   type: alias
+
+alias to: beat.stats.libbeat.output.events.duplicates
+
+
+**`beats_stats.metrics.libbeat.output.events.failed`**
+:   type: alias
+
+alias to: beat.stats.libbeat.output.events.failed
+
+
+**`beats_stats.metrics.libbeat.output.events.toomany`**
+:   type: alias
+
+alias to: beat.stats.libbeat.output.events.toomany
+
+
+**`beats_stats.metrics.libbeat.output.events.total`**
+:   type: alias
+
+alias to: beat.stats.libbeat.output.events.total
+
+
+**`beats_stats.metrics.libbeat.output.read.bytes`**
+:   type: alias
+
+alias to: beat.stats.libbeat.output.read.bytes
+
+
+**`beats_stats.metrics.libbeat.output.read.errors`**
+:   type: alias
+
+alias to: beat.stats.libbeat.output.read.errors
+
+
+**`beats_stats.metrics.libbeat.output.type`**
+:   type: alias
+
+alias to: beat.stats.libbeat.output.type
+
+
+**`beats_stats.metrics.libbeat.output.write.bytes`**
+:   type: alias
+
+alias to: beat.stats.libbeat.output.write.bytes
+
+
+**`beats_stats.metrics.libbeat.output.write.errors`**
+:   type: alias
+
+alias to: beat.stats.libbeat.output.write.errors
+
+
+**`beats_stats.metrics.libbeat.config.module.running`**
+:   type: alias
+
+alias to: beat.stats.libbeat.config.running
+
+
+**`beats_stats.metrics.libbeat.config.module.starts`**
+:   type: alias
+
+alias to: beat.stats.libbeat.config.starts
+
+
+**`beats_stats.metrics.libbeat.config.module.stops`**
+:   type: alias
+
+alias to: beat.stats.libbeat.config.stops
+
+
+**`beats_stats.metrics.beat.info.ephemeral_id`**
+:   type: alias
+
+alias to: beat.stats.info.ephemeral_id
+
+
+**`beats_stats.metrics.beat.info.uptime.ms`**
+:   type: alias
+
+alias to: beat.stats.info.uptime.ms
+
+
+**`beats_stats.metrics.beat.handles.limit.hard`**
+:   type: alias
+
+alias to: beat.stats.handles.limit.hard
+
+
+**`beats_stats.metrics.beat.handles.limit.soft`**
+:   type: alias
+
+alias to: beat.stats.handles.limit.soft
+
+
+**`beats_stats.metrics.beat.handles.open`**
+:   type: alias
+
+alias to: beat.stats.handles.open
+
+
+**`beats_stats.metrics.beat.memstats.gc_next`**
+:   type: alias
+
+alias to: beat.stats.memstats.gc_next
+
+
+**`beats_stats.metrics.beat.memstats.memory_alloc`**
+:   type: alias
+
+alias to: beat.stats.memstats.memory.alloc
+
+
+**`beats_stats.metrics.beat.memstats.memory_total`**
+:   type: alias
+
+alias to: beat.stats.memstats.memory.total
+
+
+**`beats_stats.metrics.beat.memstats.rss`**
+:   type: alias
+
+alias to: beat.stats.memstats.rss
+
+
+**`beats_stats.metrics.beat.cgroup.cpu.id`**
+:   type: alias
+
+alias to: beat.stats.cgroup.cpu.id
+
+
+**`beats_stats.metrics.beat.cgroup.cpu.cfs.period.us`**
+:   type: alias
+
+alias to: beat.stats.cgroup.cpu.cfs.period.us
+
+
+**`beats_stats.metrics.beat.cgroup.cpu.cfs.quota.us`**
+:   type: alias
+
+alias to: beat.stats.cgroup.cpu.cfs.quota.us
+
+
+**`beats_stats.metrics.beat.cgroup.cpu.stats.periods`**
+:   type: alias
+
+alias to: beat.stats.cgroup.cpu.stats.periods
+
+
+**`beats_stats.metrics.beat.cgroup.cpu.stats.throttled.periods`**
+:   type: alias
+
+alias to: beat.stats.cgroup.cpu.stats.throttled.periods
+
+
+**`beats_stats.metrics.beat.cgroup.cpu.stats.throttled.ns`**
+:   type: alias
+
+alias to: beat.stats.cgroup.cpu.stats.throttled.ns
+
+
+**`beats_stats.metrics.beat.cgroup.cpuacct.id`**
+:   type: alias
+
+alias to: beat.stats.cgroup.cpuacct.id
+
+
+**`beats_stats.metrics.beat.cgroup.cpuacct.total.ns`**
+:   type: alias
+
+alias to: beat.stats.cgroup.cpuacct.total.ns
+
+
+**`beats_stats.metrics.beat.cgroup.memory.id`**
+:   type: alias
+
+alias to: beat.stats.cgroup.memory.id
+
+
+**`beats_stats.metrics.beat.cgroup.mem.limit.bytes`**
+:   type: alias
+
+alias to: beat.stats.cgroup.memory.mem.limit.bytes
+
+
+**`beats_stats.metrics.beat.cgroup.mem.usage.bytes`**
+:   type: alias
+
+alias to: beat.stats.cgroup.memory.mem.usage.bytes
+
+
+**`beats_stats.metrics.beat.cpu.system.ticks`**
+:   type: alias
+
+alias to: beat.stats.cpu.system.ticks
+
+
+**`beats_stats.metrics.beat.cpu.system.time.ms`**
+:   type: alias
+
+alias to: beat.stats.cpu.system.time.ms
+
+
+**`beats_stats.metrics.beat.cpu.total.value`**
+:   type: alias
+
+alias to: beat.stats.cpu.total.value
+
+
+**`beats_stats.metrics.beat.cpu.total.ticks`**
+:   type: alias
+
+alias to: beat.stats.cpu.total.ticks
+
+
+**`beats_stats.metrics.beat.cpu.total.time.ms`**
+:   type: alias
+
+alias to: beat.stats.cpu.total.time.ms
+
+
+**`beats_stats.metrics.beat.cpu.user.ticks`**
+:   type: alias
+
+alias to: beat.stats.cpu.user.ticks
+
+
+**`beats_stats.metrics.beat.cpu.user.time.ms`**
+:   type: alias
+
+alias to: beat.stats.cpu.user.time.ms
+
+
+**`beats_stats.output.elasticsearch.bulk_requests.available`**
+:   type: alias
+
+alias to: beat.stats.output.elasticsearch.bulk_requests.available
+
+
+**`beats_stats.output.elasticsearch.bulk_requests.completed`**
+:   type: alias
+
+alias to: beat.stats.output.elasticsearch.bulk_requests.completed
+
+
+**`beats_stats.output.elasticsearch.indexers.active`**
+:   type: alias
+
+alias to: beat.stats.output.elasticsearch.indexers.active
+
+
+**`beats_stats.output.elasticsearch.indexers.created`**
+:   type: alias
+
+alias to: beat.stats.output.elasticsearch.indexers.created
+
+
+**`beats_stats.output.elasticsearch.indexers.destroyed`**
+:   type: alias
+
+alias to: beat.stats.output.elasticsearch.indexers.destroyed
+
+
+**`beats_state.beat.host`**
+:   type: alias
+
+alias to: beat.state.beat.host
+
+
+**`beats_state.beat.name`**
+:   type: alias
+
+alias to: beat.state.beat.name
+
+
+**`beats_state.beat.type`**
+:   type: alias
+
+alias to: beat.state.beat.type
+
+
+**`beats_state.beat.uuid`**
+:   type: alias
+
+alias to: beat.state.beat.uuid
+
+
+**`beats_state.beat.version`**
+:   type: alias
+
+alias to: beat.state.beat.version
+
+
+**`beats_state.timestamp`**
+:   type: alias
+
+alias to: @timestamp
+
+
+**`beats_state.state.beat.name`**
+:   type: alias
+
+alias to: beat.state.beat.name
+
+
+**`beats_state.state.host.architecture`**
+:   type: alias
+
+alias to: host.architecture
+
+
+**`beats_state.state.host.hostname`**
+:   type: alias
+
+alias to: host.hostname
+
+
+**`beats_state.state.host.name`**
+:   type: alias
+
+alias to: host.name
+
+
+**`beats_state.state.host.os.platform`**
+:   type: alias
+
+alias to: beat.state.host.os.platform
+
+
+**`beats_state.state.host.os.version`**
+:   type: alias
+
+alias to: beat.state.host.os.version
+
+
+**`beats_state.state.input.count`**
+:   type: alias
+
+alias to: beat.state.input.count
+
+
+**`beats_state.state.input.names`**
+:   type: alias
+
+alias to: beat.state.input.names
+
+
+**`beats_state.state.module.count`**
+:   type: alias
+
+alias to: beat.state.module.count
+
+
+**`beats_state.state.module.names`**
+:   type: alias
+
+alias to: beat.state.module.names
+
+
+**`beats_state.state.output.name`**
+:   type: alias
+
+alias to: beat.state.output.name
+
+
+**`beats_state.state.service.id`**
+:   type: alias
+
+alias to: beat.state.service.id
+
+
+**`beats_state.state.service.name`**
+:   type: alias
+
+alias to: beat.state.service.name
+
+
+**`beats_state.state.service.version`**
+:   type: alias
+
+alias to: beat.state.service.version
+
+
+
+## beat [_beat]
+
+**`beat.id`**
+:   Beat ID.
+
+type: keyword
+
+
+**`beat.type`**
+:   Beat type.
+
+type: keyword
+
+
+**`beat.elasticsearch.cluster.id`**
+:   type: keyword
+
+
+
+## state [_state]
+
+Beat state
+
+**`beat.state.service.id`**
+:   type: keyword
+
+
+**`beat.state.service.name`**
+:   type: keyword
+
+
+**`beat.state.service.version`**
+:   type: keyword
+
+
+**`beat.state.input.count`**
+:   type: long
+
+
+**`beat.state.input.names`**
+:   type: keyword
+
+
+**`beat.state.beat.host`**
+:   type: keyword
+
+
+**`beat.state.beat.name`**
+:   type: keyword
+
+
+**`beat.state.beat.type`**
+:   type: keyword
+
+
+**`beat.state.beat.uuid`**
+:   type: keyword
+
+
+**`beat.state.beat.version`**
+:   type: keyword
+
+
+**`beat.state.cluster.uuid`**
+:   type: keyword
+
+
+**`beat.state.host.containerized`**
+:   type: keyword
+
+
+**`beat.state.host.os.kernel`**
+:   type: keyword
+
+
+**`beat.state.host.os.name`**
+:   type: keyword
+
+
+**`beat.state.host.os.platform`**
+:   type: keyword
+
+
+**`beat.state.host.os.version`**
+:   type: keyword
+
+
+**`beat.state.management.enabled`**
+:   Is central management enabled?
+
+type: boolean
+
+
+**`beat.state.module.count`**
+:   Number of modules enabled
+
+type: integer
+
+
+**`beat.state.module.names`**
+:   type: keyword
+
+
+**`beat.state.output.name`**
+:   Name of output used by Beat
+
+type: keyword
+
+
+**`beat.state.queue.name`**
+:   Name of queue being used by Beat
+
+type: keyword
+
+
+
+## stats [_stats_2]
+
+Beat stats
+
+**`beat.stats.apm_server.acm.request.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.errors.closed`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.errors.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.errors.decode`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.errors.forbidden`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.errors.internal`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.errors.invalidquery`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.errors.method`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.errors.notfound`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.errors.queue`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.errors.ratelimit`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.errors.timeout`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.errors.toolarge`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.errors.unauthorized`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.errors.unavailable`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.errors.validate`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.valid.accepted`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.valid.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.valid.notmodified`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.response.valid.ok`**
+:   type: long
+
+
+**`beat.stats.apm_server.acm.unset`**
+:   type: long
+
+
+**`beat.stats.apm_server.agentcfg.elasticsearch.cache.entries.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.agentcfg.elasticsearch.cache.refresh.failures`**
+:   type: long
+
+
+**`beat.stats.apm_server.agentcfg.elasticsearch.cache.refresh.successes`**
+:   type: long
+
+
+**`beat.stats.apm_server.agentcfg.elasticsearch.fetch.es`**
+:   type: long
+
+
+**`beat.stats.apm_server.agentcfg.elasticsearch.fetch.fallback`**
+:   type: long
+
+
+**`beat.stats.apm_server.agentcfg.elasticsearch.fetch.invalid`**
+:   type: long
+
+
+**`beat.stats.apm_server.agentcfg.elasticsearch.fetch.unavailable`**
+:   type: long
+
+
+**`beat.stats.apm_server.jaeger.grpc.collect.request.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.jaeger.grpc.collect.response.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.jaeger.grpc.collect.response.errors.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.jaeger.grpc.collect.response.errors.ratelimit`**
+:   type: long
+
+
+**`beat.stats.apm_server.jaeger.grpc.collect.response.errors.timeout`**
+:   type: long
+
+
+**`beat.stats.apm_server.jaeger.grpc.collect.response.errors.unauthorized`**
+:   type: long
+
+
+**`beat.stats.apm_server.jaeger.grpc.collect.response.valid.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.jaeger.grpc.sampling.event.received.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.jaeger.grpc.sampling.request.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.jaeger.grpc.sampling.response.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.jaeger.grpc.sampling.response.errors.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.jaeger.grpc.sampling.response.valid.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.logs.request.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.logs.response.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.logs.response.errors.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.logs.response.errors.ratelimit`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.logs.response.errors.timeout`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.logs.response.errors.unauthorized`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.logs.response.valid.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.metrics.consumer.unsupported_dropped`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.metrics.request.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.metrics.response.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.metrics.response.errors.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.metrics.response.errors.ratelimit`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.metrics.response.errors.timeout`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.metrics.response.errors.unauthorized`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.metrics.response.valid.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.traces.request.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.traces.response.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.traces.response.errors.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.traces.response.errors.ratelimit`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.traces.response.errors.timeout`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.traces.response.errors.unauthorized`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.grpc.traces.response.valid.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.logs.request.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.logs.response.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.logs.response.errors.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.logs.response.errors.ratelimit`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.logs.response.errors.timeout`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.logs.response.errors.unauthorized`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.logs.response.valid.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.metrics.consumer.unsupported_dropped`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.metrics.request.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.metrics.response.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.metrics.response.errors.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.metrics.response.errors.ratelimit`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.metrics.response.errors.timeout`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.metrics.response.errors.unauthorized`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.metrics.response.valid.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.traces.request.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.traces.response.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.traces.response.errors.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.traces.response.errors.ratelimit`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.traces.response.errors.timeout`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.traces.response.errors.unauthorized`**
+:   type: long
+
+
+**`beat.stats.apm_server.otlp.http.traces.response.valid.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.processor.error.transformations`**
+:   type: long
+
+
+**`beat.stats.apm_server.processor.metric.transformations`**
+:   type: long
+
+
+**`beat.stats.apm_server.processor.span.transformations`**
+:   type: long
+
+
+**`beat.stats.apm_server.processor.stream.accepted`**
+:   type: long
+
+
+**`beat.stats.apm_server.processor.stream.errors.invalid`**
+:   type: long
+
+
+**`beat.stats.apm_server.processor.stream.errors.toolarge`**
+:   type: long
+
+
+**`beat.stats.apm_server.processor.transaction.transformations`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.request.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.errors.closed`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.errors.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.errors.decode`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.errors.forbidden`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.errors.internal`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.errors.invalidquery`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.errors.method`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.errors.notfound`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.errors.queue`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.errors.ratelimit`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.errors.timeout`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.errors.toolarge`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.errors.unauthorized`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.errors.unavailable`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.errors.validate`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.valid.accepted`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.valid.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.valid.notmodified`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.response.valid.ok`**
+:   type: long
+
+
+**`beat.stats.apm_server.root.unset`**
+:   type: long
+
+
+**`beat.stats.apm_server.sampling.transactions_dropped`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.request.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.errors.closed`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.errors.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.errors.decode`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.errors.forbidden`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.errors.internal`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.errors.invalidquery`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.errors.method`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.errors.notfound`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.errors.queue`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.errors.ratelimit`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.errors.timeout`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.errors.toolarge`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.errors.unauthorized`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.errors.unavailable`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.errors.validate`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.valid.accepted`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.valid.count`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.valid.notmodified`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.response.valid.ok`**
+:   type: long
+
+
+**`beat.stats.apm_server.server.unset`**
+:   type: long
+
+
+**`beat.stats.info.name`**
+:   type: keyword
+
+
+**`beat.stats.info.host`**
+:   type: keyword
+
+
+**`beat.stats.info.type`**
+:   type: keyword
+
+
+**`beat.stats.info.uuid`**
+:   type: keyword
+
+
+**`beat.stats.info.version`**
+:   type: keyword
+
+
+**`beat.stats.beat.name`**
+:   type: keyword
+
+
+**`beat.stats.beat.host`**
+:   type: keyword
+
+
+**`beat.stats.beat.type`**
+:   type: keyword
+
+
+**`beat.stats.beat.uuid`**
+:   type: keyword
+
+
+**`beat.stats.beat.version`**
+:   type: keyword
+
+
+**`beat.stats.system.cpu.cores`**
+:   type: long
+
+
+**`beat.stats.system.load.1`**
+:   type: double
+
+
+**`beat.stats.system.load.15`**
+:   type: double
+
+
+**`beat.stats.system.load.5`**
+:   type: double
+
+
+**`beat.stats.system.load.norm.1`**
+:   type: double
+
+
+**`beat.stats.system.load.norm.15`**
+:   type: double
+
+
+**`beat.stats.system.load.norm.5`**
+:   type: double
+
+
+**`beat.stats.cpu.system.ticks`**
+:   type: long
+
+
+**`beat.stats.cpu.system.time.ms`**
+:   type: long
+
+
+**`beat.stats.cpu.total.value`**
+:   type: long
+
+
+**`beat.stats.cpu.total.ticks`**
+:   type: long
+
+
+**`beat.stats.cpu.total.time.ms`**
+:   type: long
+
+
+**`beat.stats.cpu.user.ticks`**
+:   type: long
+
+
+**`beat.stats.cpu.user.time.ms`**
+:   type: long
+
+
+**`beat.stats.info.ephemeral_id`**
+:   type: keyword
+
+
+**`beat.stats.info.uptime.ms`**
+:   type: long
+
+
+**`beat.stats.cgroup.cpu.cfs.period.us`**
+:   type: long
+
+
+**`beat.stats.cgroup.cpu.cfs.quota.us`**
+:   type: long
+
+
+**`beat.stats.cgroup.cpu.id`**
+:   type: keyword
+
+
+**`beat.stats.cgroup.cpu.stats.periods`**
+:   type: long
+
+
+**`beat.stats.cgroup.cpu.stats.throttled.periods`**
+:   type: long
+
+
+**`beat.stats.cgroup.cpu.stats.throttled.ns`**
+:   type: long
+
+
+**`beat.stats.cgroup.cpuacct.id`**
+:   type: keyword
+
+
+**`beat.stats.cgroup.cpuacct.total.ns`**
+:   type: long
+
+
+**`beat.stats.cgroup.memory.id`**
+:   type: keyword
+
+
+**`beat.stats.cgroup.memory.mem.limit.bytes`**
+:   type: long
+
+
+**`beat.stats.cgroup.memory.mem.usage.bytes`**
+:   type: long
+
+
+**`beat.stats.memstats.gc_next`**
+:   type: long
+
+
+**`beat.stats.memstats.memory.alloc`**
+:   type: long
+
+
+**`beat.stats.memstats.memory.total`**
+:   type: long
+
+
+**`beat.stats.memstats.rss`**
+:   type: long
+
+
+**`beat.stats.handles.open`**
+:   type: long
+
+
+**`beat.stats.handles.limit.hard`**
+:   type: long
+
+
+**`beat.stats.handles.limit.soft`**
+:   type: long
+
+
+**`beat.stats.uptime.ms`**
+:   Beat uptime
+
+type: long
+
+
+**`beat.stats.runtime.goroutines`**
+:   Number of goroutines running in Beat
+
+type: long
+
+
+
+## libbeat [_libbeat]
+
+Fields common to all Beats
+
+**`beat.stats.libbeat.pipeline.clients`**
+:   type: long
+
+
+**`beat.stats.libbeat.pipeline.queue.acked`**
+:   type: long
+
+
+**`beat.stats.libbeat.pipeline.queue.max_events`**
+:   type: long
+
+
+**`beat.stats.libbeat.pipeline.events.active`**
+:   type: long
+
+
+**`beat.stats.libbeat.pipeline.events.dropped`**
+:   type: long
+
+
+**`beat.stats.libbeat.pipeline.events.failed`**
+:   type: long
+
+
+**`beat.stats.libbeat.pipeline.events.filtered`**
+:   type: long
+
+
+**`beat.stats.libbeat.pipeline.events.published`**
+:   type: long
+
+
+**`beat.stats.libbeat.pipeline.events.retry`**
+:   type: long
+
+
+**`beat.stats.libbeat.pipeline.events.total`**
+:   type: long
+
+
+**`beat.stats.libbeat.config.running`**
+:   type: long
+
+
+**`beat.stats.libbeat.config.starts`**
+:   type: long
+
+
+**`beat.stats.libbeat.config.stops`**
+:   type: long
+
+
+**`beat.stats.libbeat.config.reloads`**
+:   type: long
+
+
+
+## output [_output]
+
+Output stats
+
+**`beat.stats.libbeat.output.type`**
+:   Type of output
+
+type: keyword
+
+
+
+## events [_events]
+
+Event counters
+
+**`beat.stats.libbeat.output.events.acked`**
+:   Number of events acknowledged
+
+type: long
+
+
+**`beat.stats.libbeat.output.events.active`**
+:   Number of active events
+
+type: long
+
+
+**`beat.stats.libbeat.output.events.batches`**
+:   Number of event batches
+
+type: long
+
+
+**`beat.stats.libbeat.output.events.dropped`**
+:   Number of events dropped
+
+type: long
+
+
+**`beat.stats.libbeat.output.events.duplicates`**
+:   Number of events duplicated
+
+type: long
+
+
+**`beat.stats.libbeat.output.events.failed`**
+:   Number of events failed
+
+type: long
+
+
+**`beat.stats.libbeat.output.events.toomany`**
+:   Number of too many events
+
+type: long
+
+
+**`beat.stats.libbeat.output.events.total`**
+:   Total number of events
+
+type: long
+
+
+
+## read [_read_3]
+
+Read stats
+
+**`beat.stats.libbeat.output.read.bytes`**
+:   Number of bytes read
+
+type: long
+
+
+**`beat.stats.libbeat.output.read.errors`**
+:   Number of read errors
+
+type: long
+
+
+
+## write [_write_3]
+
+Write stats
+
+**`beat.stats.libbeat.output.write.bytes`**
+:   Number of bytes written
+
+type: long
+
+
+**`beat.stats.libbeat.output.write.errors`**
+:   Number of write errors
+
+type: long
+
+
+**`beat.stats.output.elasticsearch.bulk_requests.available`**
+:   type: long
+
+
+**`beat.stats.output.elasticsearch.bulk_requests.completed`**
+:   type: long
+
+
+**`beat.stats.output.elasticsearch.indexers.active`**
+:   type: long
+
+
+**`beat.stats.output.elasticsearch.indexers.created`**
+:   type: long
+
+
+**`beat.stats.output.elasticsearch.indexers.destroyed`**
+:   type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-benchmark.md b/docs/reference/metricbeat/exported-fields-benchmark.md
new file mode 100644
index 000000000000..296189356c1c
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-benchmark.md
@@ -0,0 +1,23 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/master/exported-fields-benchmark.html
+---
+
+# Benchmark fields [exported-fields-benchmark]
+
+benchmark module
+
+
+## benchmark [_benchmark]
+
+
+## info [_info_3]
+
+info
+
+**`benchmark.info.counter`**
+:   The nth info metric emitted by the benchmark module
+
+type: keyword
+
+
diff --git a/docs/reference/metricbeat/exported-fields-ceph.md b/docs/reference/metricbeat/exported-fields-ceph.md
new file mode 100644
index 000000000000..9f0b72e29500
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-ceph.md
@@ -0,0 +1,595 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-ceph.html
+---
+
+# Ceph fields [exported-fields-ceph]
+
+Ceph module
+
+
+## ceph [_ceph]
+
+`ceph` contains the metrics that were scraped from CEPH.
+
+
+## cluster_disk [_cluster_disk]
+
+cluster_disk
+
+**`ceph.cluster_disk.available.bytes`**
+:   Available bytes of the cluster
+
+type: long
+
+format: bytes
+
+
+**`ceph.cluster_disk.total.bytes`**
+:   Total bytes of the cluster
+
+type: long
+
+format: bytes
+
+
+**`ceph.cluster_disk.used.bytes`**
+:   Used bytes of the cluster
+
+type: long
+
+format: bytes
+
+
+
+## cluster_health [_cluster_health]
+
+cluster_health
+
+**`ceph.cluster_health.overall_status`**
+:   Overall status of the cluster
+
+type: keyword
+
+
+**`ceph.cluster_health.timechecks.epoch`**
+:   Map version
+
+type: long
+
+
+**`ceph.cluster_health.timechecks.round.value`**
+:   timecheck round
+
+type: long
+
+
+**`ceph.cluster_health.timechecks.round.status`**
+:   Status of the round
+
+type: keyword
+
+
+
+## cluster_status [_cluster_status]
+
+cluster_status
+
+**`ceph.cluster_status.version`**
+:   Ceph Status version
+
+type: long
+
+
+**`ceph.cluster_status.traffic.read_bytes`**
+:   Cluster read throughput per second
+
+type: long
+
+format: bytes
+
+
+**`ceph.cluster_status.traffic.write_bytes`**
+:   Cluster write throughput per second
+
+type: long
+
+format: bytes
+
+
+**`ceph.cluster_status.traffic.read_op_per_sec`**
+:   Cluster read iops per second
+
+type: long
+
+
+**`ceph.cluster_status.traffic.write_op_per_sec`**
+:   Cluster write iops per second
+
+type: long
+
+
+**`ceph.cluster_status.misplace.total`**
+:   Cluster misplace pg number
+
+type: long
+
+
+**`ceph.cluster_status.misplace.objects`**
+:   Cluster misplace objects number
+
+type: long
+
+
+**`ceph.cluster_status.misplace.ratio`**
+:   Cluster misplace ratio
+
+type: scaled_float
+
+format: percent
+
+
+**`ceph.cluster_status.degraded.total`**
+:   Cluster degraded pg number
+
+type: long
+
+
+**`ceph.cluster_status.degraded.objects`**
+:   Cluster degraded objects number
+
+type: long
+
+
+**`ceph.cluster_status.degraded.ratio`**
+:   Cluster degraded ratio
+
+type: scaled_float
+
+format: percent
+
+
+**`ceph.cluster_status.pg.data_bytes`**
+:   Cluster pg data bytes
+
+type: long
+
+format: bytes
+
+
+**`ceph.cluster_status.pg.avail_bytes`**
+:   Cluster available bytes
+
+type: long
+
+format: bytes
+
+
+**`ceph.cluster_status.pg.total_bytes`**
+:   Cluster total bytes
+
+type: long
+
+format: bytes
+
+
+**`ceph.cluster_status.pg.used_bytes`**
+:   Cluster used bytes
+
+type: long
+
+format: bytes
+
+
+**`ceph.cluster_status.pg_state.state_name`**
+:   Pg state description
+
+type: long
+
+
+**`ceph.cluster_status.pg_state.count`**
+:   Shows how many pgs are in state of pg_state.state_name
+
+type: long
+
+
+**`ceph.cluster_status.pg_state.version`**
+:   Cluster status version
+
+type: long
+
+
+**`ceph.cluster_status.osd.full`**
+:   Is osd full
+
+type: boolean
+
+
+**`ceph.cluster_status.osd.nearfull`**
+:   Is osd near full
+
+type: boolean
+
+
+**`ceph.cluster_status.osd.num_osds`**
+:   Shows how many osds in the cluster
+
+type: long
+
+
+**`ceph.cluster_status.osd.num_up_osds`**
+:   Shows how many osds are on the state of UP
+
+type: long
+
+
+**`ceph.cluster_status.osd.num_in_osds`**
+:   Shows how many osds are on the state of IN
+
+type: long
+
+
+**`ceph.cluster_status.osd.num_remapped_pgs`**
+:   Shows how many osds are on the state of REMAPPED
+
+type: long
+
+
+**`ceph.cluster_status.osd.epoch`**
+:   epoch number
+
+type: long
+
+
+
+## mgr_cluster_disk [_mgr_cluster_disk]
+
+see: cluster_disk
+
+
+## mgr_cluster_health [_mgr_cluster_health]
+
+see: cluster_health
+
+
+## mgr_osd_perf [_mgr_osd_perf]
+
+OSD performance metrics of Ceph cluster
+
+**`ceph.mgr_osd_perf.id`**
+:   OSD ID
+
+type: long
+
+
+**`ceph.mgr_osd_perf.stats.commit_latency_ms`**
+:   Commit latency in ms
+
+type: long
+
+
+**`ceph.mgr_osd_perf.stats.apply_latency_ms`**
+:   Apply latency in ms
+
+type: long
+
+
+**`ceph.mgr_osd_perf.stats.commit_latency_ns`**
+:   Commit latency in ns
+
+type: long
+
+
+**`ceph.mgr_osd_perf.stats.apply_latency_ns`**
+:   Apply latency in ns
+
+type: long
+
+
+
+## mgr_osd_pool_stats [_mgr_osd_pool_stats]
+
+OSD pool stats of Ceph cluster
+
+**`ceph.mgr_osd_pool_stats.pool_name`**
+:   Pool name
+
+type: keyword
+
+
+**`ceph.mgr_osd_pool_stats.pool_id`**
+:   Pool ID
+
+type: long
+
+
+**`ceph.mgr_osd_pool_stats.client_io_rate`**
+:   Client I/O rates
+
+type: object
+
+
+
+## mgr_osd_tree [_mgr_osd_tree]
+
+see: osd_tree
+
+
+## mgr_pool_disk [_mgr_pool_disk]
+
+see: pool_disk
+
+
+## monitor_health [_monitor_health]
+
+monitor_health stats data
+
+**`ceph.monitor_health.available.pct`**
+:   Available percent of the MON
+
+type: long
+
+
+**`ceph.monitor_health.health`**
+:   Health of the MON
+
+type: keyword
+
+
+**`ceph.monitor_health.available.kb`**
+:   Available KB of the MON
+
+type: long
+
+
+**`ceph.monitor_health.total.kb`**
+:   Total KB of the MON
+
+type: long
+
+
+**`ceph.monitor_health.used.kb`**
+:   Used KB of the MON
+
+type: long
+
+
+**`ceph.monitor_health.last_updated`**
+:   Time when was updated
+
+type: date
+
+
+**`ceph.monitor_health.name`**
+:   Name of the MON
+
+type: keyword
+
+
+**`ceph.monitor_health.store_stats.log.bytes`**
+:   Log bytes of MON
+
+type: long
+
+format: bytes
+
+
+**`ceph.monitor_health.store_stats.misc.bytes`**
+:   Misc bytes of MON
+
+type: long
+
+format: bytes
+
+
+**`ceph.monitor_health.store_stats.sst.bytes`**
+:   SST bytes of MON
+
+type: long
+
+format: bytes
+
+
+**`ceph.monitor_health.store_stats.total.bytes`**
+:   Total bytes of MON
+
+type: long
+
+format: bytes
+
+
+**`ceph.monitor_health.store_stats.last_updated`**
+:   Last updated
+
+type: long
+
+
+
+## osd_df [_osd_df]
+
+ceph osd disk usage information
+
+**`ceph.osd_df.id`**
+:   osd node id
+
+type: long
+
+
+**`ceph.osd_df.name`**
+:   osd node name
+
+type: keyword
+
+
+**`ceph.osd_df.device_class`**
+:   osd node type, illegal type include hdd, ssd etc.
+
+type: keyword
+
+
+**`ceph.osd_df.total.byte`**
+:   osd disk total volume
+
+type: long
+
+format: bytes
+
+
+**`ceph.osd_df.used.byte`**
+:   osd disk usage volume
+
+type: long
+
+format: bytes
+
+
+**`ceph.osd_df.available.bytes`**
+:   osd disk available volume
+
+type: long
+
+format: bytes
+
+
+**`ceph.osd_df.pg_num`**
+:   shows how many pg located on this osd
+
+type: long
+
+
+**`ceph.osd_df.used.pct`**
+:   osd disk usage percentage
+
+type: scaled_float
+
+format: percent
+
+
+
+## osd_tree [_osd_tree]
+
+ceph osd tree info
+
+**`ceph.osd_tree.id`**
+:   osd or bucket node id
+
+type: long
+
+
+**`ceph.osd_tree.name`**
+:   osd or bucket node name
+
+type: keyword
+
+
+**`ceph.osd_tree.type`**
+:   osd or bucket node type, illegal type include osd, host, root etc.
+
+type: keyword
+
+
+**`ceph.osd_tree.type_id`**
+:   osd or bucket node typeID
+
+type: long
+
+
+**`ceph.osd_tree.children`**
+:   bucket children list, separated by comma.
+
+type: keyword
+
+
+**`ceph.osd_tree.crush_weight`**
+:   osd node crush weight
+
+type: float
+
+
+**`ceph.osd_tree.depth`**
+:   node depth
+
+type: long
+
+
+**`ceph.osd_tree.exists`**
+:   is node still exist or not(1-yes, 0-no)
+
+type: boolean
+
+
+**`ceph.osd_tree.primary_affinity`**
+:   the weight of reading data from primary osd
+
+type: float
+
+
+**`ceph.osd_tree.reweight`**
+:   the reweight of osd
+
+type: long
+
+
+**`ceph.osd_tree.status`**
+:   status of osd, it should be up or down
+
+type: keyword
+
+
+**`ceph.osd_tree.device_class`**
+:   the device class of osd, like hdd, ssd etc.
+
+type: keyword
+
+
+**`ceph.osd_tree.father`**
+:   the parent node of this osd or bucket node
+
+type: keyword
+
+
+
+## pool_disk [_pool_disk]
+
+pool_disk
+
+**`ceph.pool_disk.id`**
+:   Id of the pool
+
+type: long
+
+
+**`ceph.pool_disk.name`**
+:   Name of the pool
+
+type: keyword
+
+
+**`ceph.pool_disk.stats.available.bytes`**
+:   Available bytes of the pool
+
+type: long
+
+format: bytes
+
+
+**`ceph.pool_disk.stats.objects`**
+:   Number of objects of the pool
+
+type: long
+
+
+**`ceph.pool_disk.stats.used.bytes`**
+:   Used bytes of the pool
+
+type: long
+
+format: bytes
+
+
+**`ceph.pool_disk.stats.used.kb`**
+:   Used kb of the pool
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-cloud.md b/docs/reference/metricbeat/exported-fields-cloud.md
new file mode 100644
index 000000000000..be2ab5bb5ff5
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-cloud.md
@@ -0,0 +1,57 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-cloud.html
+---
+
+# Cloud provider metadata fields [exported-fields-cloud]
+
+Metadata from cloud providers added by the add_cloud_metadata processor.
+
+**`cloud.image.id`**
+:   Image ID for the cloud instance.
+
+example: ami-abcd1234
+
+
+**`meta.cloud.provider`**
+:   type: alias
+
+alias to: cloud.provider
+
+
+**`meta.cloud.instance_id`**
+:   type: alias
+
+alias to: cloud.instance.id
+
+
+**`meta.cloud.instance_name`**
+:   type: alias
+
+alias to: cloud.instance.name
+
+
+**`meta.cloud.machine_type`**
+:   type: alias
+
+alias to: cloud.machine.type
+
+
+**`meta.cloud.availability_zone`**
+:   type: alias
+
+alias to: cloud.availability_zone
+
+
+**`meta.cloud.project_id`**
+:   type: alias
+
+alias to: cloud.project.id
+
+
+**`meta.cloud.region`**
+:   type: alias
+
+alias to: cloud.region
+
+
diff --git a/docs/reference/metricbeat/exported-fields-cloudfoundry.md b/docs/reference/metricbeat/exported-fields-cloudfoundry.md
new file mode 100644
index 000000000000..201c8060a6b6
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-cloudfoundry.md
@@ -0,0 +1,116 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-cloudfoundry.html
+---
+
+# Cloudfoundry fields [exported-fields-cloudfoundry]
+
+Cloud Foundry module
+
+
+## cloudfoundry [_cloudfoundry]
+
+**`cloudfoundry.type`**
+:   The type of event from Cloud Foundry. Possible values include *container*, *counter* and *value*.
+
+type: keyword
+
+
+
+## app [_app]
+
+The application the metric is associated with.
+
+**`cloudfoundry.app.id`**
+:   The ID of the application.
+
+type: keyword
+
+
+
+## container [_container_2]
+
+`container` contains container metrics from Cloud Foundry.
+
+**`cloudfoundry.container.instance_index`**
+:   Index of the instance the metric belongs to.
+
+type: long
+
+
+**`cloudfoundry.container.cpu.pct`**
+:   CPU usage percentage.
+
+type: scaled_float
+
+
+**`cloudfoundry.container.memory.bytes`**
+:   Bytes of used memory.
+
+type: long
+
+
+**`cloudfoundry.container.memory.quota.bytes`**
+:   Bytes of available memory.
+
+type: long
+
+
+**`cloudfoundry.container.disk.bytes`**
+:   Bytes of used storage.
+
+type: long
+
+
+**`cloudfoundry.container.disk.quota.bytes`**
+:   Bytes of available storage.
+
+type: long
+
+
+
+## counter [_counter_2]
+
+`counter` contains counter metrics from Cloud Foundry.
+
+**`cloudfoundry.counter.name`**
+:   The name of the counter.
+
+type: keyword
+
+
+**`cloudfoundry.counter.delta`**
+:   The difference between the last time the counter event occurred.
+
+type: long
+
+
+**`cloudfoundry.counter.total`**
+:   The total value for the counter.
+
+type: long
+
+
+
+## value [_value_2]
+
+`value` contains counter metrics from Cloud Foundry.
+
+**`cloudfoundry.value.name`**
+:   The name of the value.
+
+type: keyword
+
+
+**`cloudfoundry.value.unit`**
+:   The unit of the value.
+
+type: keyword
+
+
+**`cloudfoundry.value.value`**
+:   The value of the value.
+
+type: float
+
+
diff --git a/docs/reference/metricbeat/exported-fields-cockroachdb.md b/docs/reference/metricbeat/exported-fields-cockroachdb.md
new file mode 100644
index 000000000000..2fd3394ac80c
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-cockroachdb.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-cockroachdb.html
+---
+
+# CockroachDB fields [exported-fields-cockroachdb]
+
+CockroachDB module scrape metrics using Prometheus endpoint.
+
diff --git a/docs/reference/metricbeat/exported-fields-common.md b/docs/reference/metricbeat/exported-fields-common.md
new file mode 100644
index 000000000000..eab670f9a5b1
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-common.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-common.html
+---
+
+# Common fields [exported-fields-common]
+
+Contains common fields available in all event types.
+
+**`metricset.module`**
+:   The name of the module that generated the event.
+
+type: alias
+
+alias to: event.module
+
+
+**`metricset.name`**
+:   The name of the metricset that generated the event.
+
+
+**`metricset.period`**
+:   Current data collection period for this event in milliseconds.
+
+type: integer
+
+
+**`service.hostname`**
+:   Host name of the machine where the service is running.
+
+
+**`type`**
+:   The document type. Always set to "doc".
+
+example: metricsets
+
+required: True
+
+
+**`systemd.fragment_path`**
+:   the location of the systemd unit path
+
+type: keyword
+
+
+**`systemd.unit`**
+:   the unit name of the systemd service
+
+type: keyword
+
+
diff --git a/docs/reference/metricbeat/exported-fields-consul.md b/docs/reference/metricbeat/exported-fields-consul.md
new file mode 100644
index 000000000000..c26855c47010
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-consul.md
@@ -0,0 +1,83 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-consul.html
+---
+
+# Consul fields [exported-fields-consul]
+
+Consul module
+
+
+## agent [_agent]
+
+Agent Metricset fetches metrics information from a Consul instance running as Agent
+
+**`consul.agent.autopilot.healthy`**
+:   Overall health of the local server cluster
+
+type: boolean
+
+
+
+## runtime [_runtime]
+
+Runtime related metrics
+
+**`consul.agent.runtime.sys.bytes`**
+:   Number of bytes of memory obtained from the OS.
+
+type: long
+
+
+**`consul.agent.runtime.malloc_count`**
+:   Heap objects allocated
+
+type: long
+
+
+**`consul.agent.runtime.heap_objects`**
+:   Objects allocated on the heap and is a general memory pressure indicator. This may burst from time to time but should return to a steady state value.
+
+type: long
+
+
+**`consul.agent.runtime.goroutines`**
+:   Running goroutines and is a general load pressure indicator. This may burst from time to time but should return to a steady state value.
+
+type: long
+
+
+**`consul.agent.runtime.alloc.bytes`**
+:   Bytes allocated by the Consul process.
+
+type: long
+
+
+
+## garbage_collector [_garbage_collector]
+
+Garbage collector metrics
+
+**`consul.agent.runtime.garbage_collector.runs`**
+:   Garbage collector total executions
+
+type: long
+
+
+
+## pause [_pause]
+
+Time that the garbage collector has paused the app
+
+**`consul.agent.runtime.garbage_collector.pause.current.ns`**
+:   Garbage collector pause time in nanoseconds
+
+type: long
+
+
+**`consul.agent.runtime.garbage_collector.pause.total.ns`**
+:   Nanoseconds consumed by stop-the-world garbage collection pauses since Consul started.
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-containerd.md b/docs/reference/metricbeat/exported-fields-containerd.md
new file mode 100644
index 000000000000..2dae15cd7942
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-containerd.md
@@ -0,0 +1,305 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-containerd.html
+---
+
+# Containerd fields [exported-fields-containerd]
+
+Containerd stats collected from containerd
+
+
+## containerd [_containerd]
+
+Information and statistics about containerd’s running containers.
+
+**`containerd.namespace`**
+:   Containerd namespace
+
+type: keyword
+
+
+
+## blkio [_blkio]
+
+Block I/O metrics.
+
+**`containerd.blkio.device`**
+:   Name of block device
+
+type: keyword
+
+
+
+## read [_read_4]
+
+Accumulated reads during the life of the container
+
+**`containerd.blkio.read.ops`**
+:   Number of reads during the life of the container
+
+type: long
+
+
+**`containerd.blkio.read.bytes`**
+:   Bytes read during the life of the container
+
+type: long
+
+format: bytes
+
+
+
+## write [_write_4]
+
+Accumulated writes during the life of the container
+
+**`containerd.blkio.write.ops`**
+:   Number of writes during the life of the container
+
+type: long
+
+
+**`containerd.blkio.write.bytes`**
+:   Bytes written during the life of the container
+
+type: long
+
+format: bytes
+
+
+
+## summary [_summary_2]
+
+Accumulated reads and writes during the life of the container
+
+**`containerd.blkio.summary.ops`**
+:   Number of I/O operations during the life of the container
+
+type: long
+
+
+**`containerd.blkio.summary.bytes`**
+:   Bytes read and written during the life of the container
+
+type: long
+
+format: bytes
+
+
+
+## cpu [_cpu_4]
+
+Containerd Runtime CPU metrics.
+
+**`containerd.cpu.system.total`**
+:   Total user and system CPU time spent in seconds.
+
+type: double
+
+
+**`containerd.cpu.usage.kernel.ns`**
+:   CPU Kernel usage nanoseconds
+
+type: double
+
+
+**`containerd.cpu.usage.user.ns`**
+:   CPU User usage nanoseconds
+
+type: double
+
+
+**`containerd.cpu.usage.total.ns`**
+:   CPU total usage nanoseconds
+
+type: double
+
+
+**`containerd.cpu.usage.total.pct`**
+:   Percentage of total CPU time normalized by the number of CPU cores, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`containerd.cpu.usage.kernel.pct`**
+:   Percentage of time in kernel space normalized by the number of CPU cores, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`containerd.cpu.usage.user.pct`**
+:   Percentage of time in user space normalized by the number of CPU cores, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`containerd.cpu.usage.cpu.*.ns`**
+:   CPU usage nanoseconds in this cpu.
+
+type: object
+
+
+
+## memory [_memory_4]
+
+memory
+
+**`containerd.memory.workingset.pct`**
+:   Memory working set percentage.
+
+type: scaled_float
+
+format: percent
+
+
+**`containerd.memory.rss`**
+:   Total memory resident set size.
+
+type: long
+
+format: bytes
+
+
+**`containerd.memory.activeFiles`**
+:   Total active file bytes.
+
+type: long
+
+format: bytes
+
+
+**`containerd.memory.cache`**
+:   Total cache bytes.
+
+type: long
+
+format: bytes
+
+
+**`containerd.memory.inactiveFiles`**
+:   Total inactive file bytes.
+
+type: long
+
+format: bytes
+
+
+
+## usage [_usage_12]
+
+Usage memory stats.
+
+**`containerd.memory.usage.max`**
+:   Max memory usage.
+
+type: long
+
+format: bytes
+
+
+**`containerd.memory.usage.pct`**
+:   Total allocated memory percentage.
+
+type: scaled_float
+
+format: percent
+
+
+**`containerd.memory.usage.total`**
+:   Total memory usage.
+
+type: long
+
+format: bytes
+
+
+**`containerd.memory.usage.fail.count`**
+:   Fail counter.
+
+type: scaled_float
+
+
+**`containerd.memory.usage.limit`**
+:   Memory usage limit.
+
+type: long
+
+format: bytes
+
+
+
+## kernel [_kernel]
+
+Kernel memory stats.
+
+**`containerd.memory.kernel.max`**
+:   Kernel max memory usage.
+
+type: long
+
+format: bytes
+
+
+**`containerd.memory.kernel.total`**
+:   Kernel total memory usage.
+
+type: long
+
+format: bytes
+
+
+**`containerd.memory.kernel.fail.count`**
+:   Kernel fail counter.
+
+type: scaled_float
+
+
+**`containerd.memory.kernel.limit`**
+:   Kernel memory limit.
+
+type: long
+
+format: bytes
+
+
+
+## swap [_swap]
+
+Swap memory stats.
+
+**`containerd.memory.swap.max`**
+:   Swap max memory usage.
+
+type: long
+
+format: bytes
+
+
+**`containerd.memory.swap.total`**
+:   Swap total memory usage.
+
+type: long
+
+format: bytes
+
+
+**`containerd.memory.swap.fail.count`**
+:   Swap fail counter.
+
+type: scaled_float
+
+
+**`containerd.memory.swap.limit`**
+:   Swap memory limit.
+
+type: long
+
+format: bytes
+
+
diff --git a/docs/reference/metricbeat/exported-fields-coredns.md b/docs/reference/metricbeat/exported-fields-coredns.md
new file mode 100644
index 000000000000..0af9562ea21d
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-coredns.md
@@ -0,0 +1,153 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-coredns.html
+---
+
+# Coredns fields [exported-fields-coredns]
+
+coredns Module
+
+
+## coredns [_coredns]
+
+`coredns` contains statistics that were read from coreDNS
+
+
+## stats [_stats_3]
+
+Contains statistics related to the coreDNS service
+
+**`coredns.stats.panic.count`**
+:   Total number of panics
+
+type: long
+
+
+**`coredns.stats.dns.request.count`**
+:   Total query count
+
+type: long
+
+
+**`coredns.stats.dns.request.duration.ns.bucket.*`**
+:   Request duration histogram buckets in nanoseconds
+
+type: object
+
+
+**`coredns.stats.dns.request.duration.ns.sum`**
+:   Requests duration, sum of durations in nanoseconds
+
+type: long
+
+format: duration
+
+
+**`coredns.stats.dns.request.duration.ns.count`**
+:   Requests duration, number of requests
+
+type: long
+
+
+**`coredns.stats.dns.request.size.bytes.bucket.*`**
+:   Request Size histogram buckets
+
+type: object
+
+
+**`coredns.stats.dns.request.size.bytes.sum`**
+:   Request Size histogram sum
+
+type: long
+
+
+**`coredns.stats.dns.request.size.bytes.count`**
+:   Request Size histogram count
+
+type: long
+
+
+**`coredns.stats.dns.request.do.count`**
+:   Number of queries that have the DO bit set
+
+type: long
+
+
+**`coredns.stats.dns.request.type.count`**
+:   Counter of queries per zone and type
+
+type: long
+
+
+**`coredns.stats.type`**
+:   Holds the query type of the request
+
+type: keyword
+
+
+**`coredns.stats.dns.response.rcode.count`**
+:   Counter of responses per zone and rcode
+
+type: long
+
+
+**`coredns.stats.rcode`**
+:   Holds the rcode of the response
+
+type: keyword
+
+
+**`coredns.stats.family`**
+:   The address family of the transport (1 = IP (IP version 4), 2 = IP6 (IP version 6))
+
+type: keyword
+
+
+**`coredns.stats.dns.response.size.bytes.bucket.*`**
+:   Response Size histogram buckets
+
+type: object
+
+
+**`coredns.stats.dns.response.size.bytes.sum`**
+:   Response Size histogram sum
+
+type: long
+
+
+**`coredns.stats.dns.response.size.bytes.count`**
+:   Response Size histogram count
+
+type: long
+
+
+**`coredns.stats.server`**
+:   The server responsible for the request
+
+type: keyword
+
+
+**`coredns.stats.zone`**
+:   The zonename used for the request/response
+
+type: keyword
+
+
+**`coredns.stats.proto`**
+:   The transport of the response ("udp" or "tcp")
+
+type: keyword
+
+
+**`coredns.stats.dns.cache.hits.count`**
+:   Cache hits count for the cache plugin
+
+type: long
+
+
+**`coredns.stats.dns.cache.misses.count`**
+:   Cache misses count for the cache plugin
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-couchbase.md b/docs/reference/metricbeat/exported-fields-couchbase.md
new file mode 100644
index 000000000000..d9c1122a5f84
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-couchbase.md
@@ -0,0 +1,357 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-couchbase.html
+---
+
+# Couchbase fields [exported-fields-couchbase]
+
+Metrics collected from Couchbase servers.
+
+
+## couchbase [_couchbase]
+
+`couchbase` contains the metrics that were scraped from Couchbase.
+
+
+## bucket [_bucket]
+
+Couchbase bucket metrics.
+
+**`couchbase.bucket.name`**
+:   Name of the bucket.
+
+type: keyword
+
+
+**`couchbase.bucket.type`**
+:   Type of the bucket.
+
+type: keyword
+
+
+**`couchbase.bucket.data.used.bytes`**
+:   Size of user data within buckets of the specified state that are resident in RAM.
+
+type: long
+
+format: bytes
+
+
+**`couchbase.bucket.disk.fetches`**
+:   Number of disk fetches.
+
+type: double
+
+
+**`couchbase.bucket.disk.used.bytes`**
+:   Amount of disk used (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.bucket.memory.used.bytes`**
+:   Amount of memory used by the bucket (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.bucket.quota.ram.bytes`**
+:   Amount of RAM used by the bucket (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.bucket.quota.use.pct`**
+:   Percentage of RAM used (for active objects) against the configured bucket size (%).
+
+type: scaled_float
+
+format: percent
+
+
+**`couchbase.bucket.ops_per_sec`**
+:   Number of operations per second.
+
+type: double
+
+
+**`couchbase.bucket.item_count`**
+:   Number of items associated with the bucket.
+
+type: long
+
+
+
+## cluster [_cluster]
+
+Couchbase cluster metrics.
+
+**`couchbase.cluster.hdd.free.bytes`**
+:   Free hard drive space in the cluster (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.cluster.hdd.quota.total.bytes`**
+:   Hard drive quota total for the cluster (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.cluster.hdd.total.bytes`**
+:   Total hard drive space available to the cluster (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.cluster.hdd.used.value.bytes`**
+:   Hard drive space used by the cluster (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.cluster.hdd.used.by_data.bytes`**
+:   Hard drive space used by the data in the cluster (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.cluster.max_bucket_count`**
+:   Max bucket count setting.
+
+type: long
+
+
+**`couchbase.cluster.quota.index_memory.mb`**
+:   Memory quota setting for the Index service (Mbyte).
+
+type: double
+
+
+**`couchbase.cluster.quota.memory.mb`**
+:   Memory quota setting for the cluster (Mbyte).
+
+type: double
+
+
+**`couchbase.cluster.ram.quota.total.value.bytes`**
+:   RAM quota total for the cluster (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.cluster.ram.quota.total.per_node.bytes`**
+:   RAM quota used by the current node in the cluster (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.cluster.ram.quota.used.value.bytes`**
+:   RAM quota used by the cluster (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.cluster.ram.quota.used.per_node.bytes`**
+:   Ram quota used by the current node in the cluster (bytes)
+
+type: long
+
+format: bytes
+
+
+**`couchbase.cluster.ram.total.bytes`**
+:   Total RAM available to cluster (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.cluster.ram.used.value.bytes`**
+:   RAM used by the cluster (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.cluster.ram.used.by_data.bytes`**
+:   RAM used by the data in the cluster (bytes).
+
+type: long
+
+format: bytes
+
+
+
+## node [_node]
+
+Couchbase node metrics.
+
+**`couchbase.node.cmd_get`**
+:   Number of get commands
+
+type: double
+
+
+**`couchbase.node.couch.docs.disk_size.bytes`**
+:   Amount of disk space used by Couch docs (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.node.couch.docs.data_size.bytes`**
+:   Data size of Couch docs associated with a node (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.node.couch.spatial.data_size.bytes`**
+:   Size of object data for spatial views (bytes).
+
+type: long
+
+
+**`couchbase.node.couch.spatial.disk_size.bytes`**
+:   Amount of disk space used by spatial views (bytes).
+
+type: long
+
+
+**`couchbase.node.couch.views.disk_size.bytes`**
+:   Amount of disk space used by Couch views (bytes).
+
+type: long
+
+
+**`couchbase.node.couch.views.data_size.bytes`**
+:   Size of object data for Couch views (bytes).
+
+type: long
+
+
+**`couchbase.node.cpu_utilization_rate.pct`**
+:   The CPU utilization rate (%).
+
+type: scaled_float
+
+
+**`couchbase.node.current_items.value`**
+:   Number of current items.
+
+type: long
+
+
+**`couchbase.node.current_items.total`**
+:   Total number of items associated with the node.
+
+type: long
+
+
+**`couchbase.node.ep_bg_fetched`**
+:   Number of disk fetches performed since the server was started.
+
+type: long
+
+
+**`couchbase.node.get_hits`**
+:   Number of get hits.
+
+type: double
+
+
+**`couchbase.node.hostname`**
+:   The hostname of the node.
+
+type: keyword
+
+
+**`couchbase.node.mcd_memory.allocated.bytes`**
+:   Amount of memcached memory allocated (bytes).
+
+type: long
+
+format: bytes
+
+
+**`couchbase.node.mcd_memory.reserved.bytes`**
+:   Amount of memcached memory reserved (bytes).
+
+type: long
+
+
+**`couchbase.node.memory.free.bytes`**
+:   Amount of memory free for the node (bytes).
+
+type: long
+
+
+**`couchbase.node.memory.total.bytes`**
+:   Total memory available to the node (bytes).
+
+type: long
+
+
+**`couchbase.node.memory.used.bytes`**
+:   Memory used by the node (bytes).
+
+type: long
+
+
+**`couchbase.node.ops`**
+:   Number of operations performed on Couchbase.
+
+type: double
+
+
+**`couchbase.node.swap.total.bytes`**
+:   Total swap size allocated (bytes).
+
+type: long
+
+
+**`couchbase.node.swap.used.bytes`**
+:   Amount of swap space used (bytes).
+
+type: long
+
+
+**`couchbase.node.uptime.sec`**
+:   Time during which the node was in operation (sec).
+
+type: long
+
+
+**`couchbase.node.vb_replica_curr_items`**
+:   Number of items/documents that are replicas.
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-couchdb.md b/docs/reference/metricbeat/exported-fields-couchdb.md
new file mode 100644
index 000000000000..08c746288edd
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-couchdb.md
@@ -0,0 +1,225 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-couchdb.html
+---
+
+# CouchDB fields [exported-fields-couchdb]
+
+couchdb module
+
+
+## couchdb [_couchdb]
+
+Couchdb metrics
+
+
+## server [_server_2]
+
+Contains CouchDB server stats
+
+
+## httpd [_httpd]
+
+HTTP statistics
+
+**`couchdb.server.httpd.view_reads`**
+:   Number of view reads
+
+type: long
+
+
+**`couchdb.server.httpd.bulk_requests`**
+:   Number of bulk requests
+
+type: long
+
+
+**`couchdb.server.httpd.clients_requesting_changes`**
+:   Number of clients for continuous _changes
+
+type: long
+
+
+**`couchdb.server.httpd.temporary_view_reads`**
+:   Number of temporary view reads
+
+type: long
+
+
+**`couchdb.server.httpd.requests`**
+:   Number of HTTP requests
+
+type: long
+
+
+
+## httpd_request_methods [_httpd_request_methods]
+
+HTTP request methods
+
+**`couchdb.server.httpd_request_methods.COPY`**
+:   Number of HTTP COPY requests
+
+type: long
+
+
+**`couchdb.server.httpd_request_methods.HEAD`**
+:   Number of HTTP HEAD requests
+
+type: long
+
+
+**`couchdb.server.httpd_request_methods.POST`**
+:   Number of HTTP POST requests
+
+type: long
+
+
+**`couchdb.server.httpd_request_methods.DELETE`**
+:   Number of HTTP DELETE requests
+
+type: long
+
+
+**`couchdb.server.httpd_request_methods.GET`**
+:   Number of HTTP GET requests
+
+type: long
+
+
+**`couchdb.server.httpd_request_methods.PUT`**
+:   Number of HTTP PUT requests
+
+type: long
+
+
+
+## httpd_status_codes [_httpd_status_codes]
+
+HTTP status codes statistics
+
+**`couchdb.server.httpd_status_codes.200`**
+:   Number of HTTP 200 OK responses
+
+type: long
+
+
+**`couchdb.server.httpd_status_codes.201`**
+:   Number of HTTP 201 Created responses
+
+type: long
+
+
+**`couchdb.server.httpd_status_codes.202`**
+:   Number of HTTP 202 Accepted responses
+
+type: long
+
+
+**`couchdb.server.httpd_status_codes.301`**
+:   Number of HTTP 301 Moved Permanently responses
+
+type: long
+
+
+**`couchdb.server.httpd_status_codes.304`**
+:   Number of HTTP 304 Not Modified responses
+
+type: long
+
+
+**`couchdb.server.httpd_status_codes.400`**
+:   Number of HTTP 400 Bad Request responses
+
+type: long
+
+
+**`couchdb.server.httpd_status_codes.401`**
+:   Number of HTTP 401 Unauthorized responses
+
+type: long
+
+
+**`couchdb.server.httpd_status_codes.403`**
+:   Number of HTTP 403 Forbidden responses
+
+type: long
+
+
+**`couchdb.server.httpd_status_codes.404`**
+:   Number of HTTP 404 Not Found responses
+
+type: long
+
+
+**`couchdb.server.httpd_status_codes.405`**
+:   Number of HTTP 405 Method Not Allowed responses
+
+type: long
+
+
+**`couchdb.server.httpd_status_codes.409`**
+:   Number of HTTP 409 Conflict responses
+
+type: long
+
+
+**`couchdb.server.httpd_status_codes.412`**
+:   Number of HTTP 412 Precondition Failed responses
+
+type: long
+
+
+**`couchdb.server.httpd_status_codes.500`**
+:   Number of HTTP 500 Internal Server Error responses
+
+type: long
+
+
+
+## couchdb [_couchdb_2]
+
+couchdb statistics
+
+**`couchdb.server.couchdb.database_writes`**
+:   Number of times a database was changed
+
+type: long
+
+
+**`couchdb.server.couchdb.open_databases`**
+:   Number of open databases
+
+type: long
+
+
+**`couchdb.server.couchdb.auth_cache_misses`**
+:   Number of authentication cache misses
+
+type: long
+
+
+**`couchdb.server.couchdb.request_time`**
+:   Length of a request inside CouchDB without MochiWeb
+
+type: long
+
+
+**`couchdb.server.couchdb.database_reads`**
+:   Number of times a document was read from a database
+
+type: long
+
+
+**`couchdb.server.couchdb.auth_cache_hits`**
+:   Number of authentication cache hits
+
+type: long
+
+
+**`couchdb.server.couchdb.open_os_files`**
+:   Number of file descriptors CouchDB has open
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-docker-processor.md b/docs/reference/metricbeat/exported-fields-docker-processor.md
new file mode 100644
index 000000000000..4d19f0d9fc89
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-docker-processor.md
@@ -0,0 +1,33 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-docker-processor.html
+---
+
+# Docker fields [exported-fields-docker-processor]
+
+Docker stats collected from Docker.
+
+**`docker.container.id`**
+:   type: alias
+
+alias to: container.id
+
+
+**`docker.container.image`**
+:   type: alias
+
+alias to: container.image.name
+
+
+**`docker.container.name`**
+:   type: alias
+
+alias to: container.name
+
+
+**`docker.container.labels`**
+:   Image labels.
+
+type: object
+
+
diff --git a/docs/reference/metricbeat/exported-fields-docker.md b/docs/reference/metricbeat/exported-fields-docker.md
new file mode 100644
index 000000000000..2bd2882cb2d1
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-docker.md
@@ -0,0 +1,796 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-docker.html
+---
+
+# Docker fields [exported-fields-docker]
+
+Docker stats collected from Docker.
+
+
+## docker [_docker_4]
+
+Information and statistics about docker’s running containers.
+
+
+## container [_container_3]
+
+Docker container metrics.
+
+**`docker.container.command`**
+:   Command that was executed in the Docker container.
+
+type: keyword
+
+
+**`docker.container.created`**
+:   Date when the container was created.
+
+type: date
+
+
+**`docker.container.status`**
+:   Container status.
+
+type: keyword
+
+
+**`docker.container.ip_addresses`**
+:   Container IP addresses.
+
+type: ip
+
+
+
+## size [_size]
+
+Container size metrics.
+
+**`docker.container.size.root_fs`**
+:   Total size of all the files in the container.
+
+type: long
+
+
+**`docker.container.size.rw`**
+:   Size of the files that have been created or changed since creation.
+
+type: long
+
+
+**`docker.container.tags`**
+:   Image tags.
+
+type: keyword
+
+
+
+## cpu [_cpu_5]
+
+Runtime CPU metrics.
+
+**`docker.cpu.kernel.pct`**
+:   Percentage of time in kernel space, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`docker.cpu.kernel.norm.pct`**
+:   Percentage of time in kernel space normalized by the number of CPU cores, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`docker.cpu.kernel.ticks`**
+:   CPU ticks in kernel space.
+
+type: long
+
+
+**`docker.cpu.system.pct`**
+:   Percentage of total CPU time in the system, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`docker.cpu.system.norm.pct`**
+:   Percentage of total CPU time in the system normalized by the number of CPU cores, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`docker.cpu.system.ticks`**
+:   CPU system ticks.
+
+type: long
+
+
+**`docker.cpu.user.pct`**
+:   Percentage of time in user space, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`docker.cpu.user.norm.pct`**
+:   Percentage of time in user space normalized by the number of CPU cores, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`docker.cpu.user.ticks`**
+:   CPU ticks in user space.
+
+type: long
+
+
+**`docker.cpu.total.pct`**
+:   Total CPU usage.
+
+type: scaled_float
+
+format: percent
+
+
+**`docker.cpu.total.norm.pct`**
+:   Total CPU usage normalized by the number of CPU cores.
+
+type: scaled_float
+
+format: percent
+
+
+**`docker.cpu.core.*.pct`**
+:   Percentage of CPU time in this core, expressed as a value between 0 and 1.
+
+type: object
+
+format: percent
+
+
+**`docker.cpu.core.*.norm.pct`**
+:   Percentage of CPU time in this core normalized by the number of CPU cores, expressed as a value between 0 and 1.
+
+type: object
+
+format: percent
+
+
+**`docker.cpu.core.*.ticks`**
+:   Number of CPU ticks in this core.
+
+type: object
+
+
+
+## diskio [_diskio_3]
+
+Disk I/O metrics.
+
+
+## read [_read_5]
+
+Accumulated reads during the life of the container
+
+**`docker.diskio.read.ops`**
+:   Number of reads during the life of the container
+
+type: long
+
+
+**`docker.diskio.read.bytes`**
+:   Bytes read during the life of the container
+
+type: long
+
+format: bytes
+
+
+**`docker.diskio.read.rate`**
+:   Number of current reads per second
+
+type: long
+
+
+**`docker.diskio.read.service_time`**
+:   Total time to service IO requests, in nanoseconds
+
+type: long
+
+
+**`docker.diskio.read.wait_time`**
+:   Total time requests spent waiting in queues for service, in nanoseconds
+
+type: long
+
+
+**`docker.diskio.read.queued`**
+:   Total number of queued requests
+
+type: long
+
+
+
+## write [_write_5]
+
+Accumulated writes during the life of the container
+
+**`docker.diskio.write.ops`**
+:   Number of writes during the life of the container
+
+type: long
+
+
+**`docker.diskio.write.bytes`**
+:   Bytes written during the life of the container
+
+type: long
+
+format: bytes
+
+
+**`docker.diskio.write.rate`**
+:   Number of current writes per second
+
+type: long
+
+
+**`docker.diskio.write.service_time`**
+:   Total time to service IO requests, in nanoseconds
+
+type: long
+
+
+**`docker.diskio.write.wait_time`**
+:   Total time requests spent waiting in queues for service, in nanoseconds
+
+type: long
+
+
+**`docker.diskio.write.queued`**
+:   Total number of queued requests
+
+type: long
+
+
+
+## summary [_summary_3]
+
+Accumulated reads and writes during the life of the container
+
+**`docker.diskio.summary.ops`**
+:   Number of I/O operations during the life of the container
+
+type: long
+
+
+**`docker.diskio.summary.bytes`**
+:   Bytes read and written during the life of the container
+
+type: long
+
+format: bytes
+
+
+**`docker.diskio.summary.rate`**
+:   Number of current operations per second
+
+type: long
+
+
+**`docker.diskio.summary.service_time`**
+:   Total time to service IO requests, in nanoseconds
+
+type: long
+
+
+**`docker.diskio.summary.wait_time`**
+:   Total time requests spent waiting in queues for service, in nanoseconds
+
+type: long
+
+
+**`docker.diskio.summary.queued`**
+:   Total number of queued requests
+
+type: long
+
+
+
+## event [_event]
+
+Docker event
+
+**`docker.event.status`**
+:   Event status
+
+type: keyword
+
+
+**`docker.event.id`**
+:   Event id when available
+
+type: keyword
+
+
+**`docker.event.from`**
+:   Event source
+
+type: keyword
+
+
+**`docker.event.type`**
+:   The type of object emitting the event
+
+type: keyword
+
+
+**`docker.event.action`**
+:   The type of event
+
+type: keyword
+
+
+
+## actor [_actor]
+
+Actor
+
+**`docker.event.actor.id`**
+:   The ID of the object emitting the event
+
+type: keyword
+
+
+**`docker.event.actor.attributes`**
+:   Various key/value attributes of the object, depending on its type
+
+type: object
+
+
+
+## healthcheck [_healthcheck]
+
+Docker healthcheck metrics. Healthcheck data will only be available from docker containers where the docker `HEALTHCHECK` instruction has been used to build the docker image.
+
+**`docker.healthcheck.failingstreak`**
+:   concurent failed check
+
+type: integer
+
+
+**`docker.healthcheck.status`**
+:   Healthcheck status code
+
+type: keyword
+
+
+
+## event [_event_2]
+
+event fields.
+
+**`docker.healthcheck.event.end_date`**
+:   Healthcheck end date
+
+type: date
+
+
+**`docker.healthcheck.event.start_date`**
+:   Healthcheck start date
+
+type: date
+
+
+**`docker.healthcheck.event.output`**
+:   Healthcheck output
+
+type: keyword
+
+
+**`docker.healthcheck.event.exit_code`**
+:   Healthcheck status code
+
+type: integer
+
+
+
+## image [_image]
+
+Docker image metrics.
+
+
+## id [_id]
+
+The image layers identifier.
+
+**`docker.image.id.current`**
+:   Unique image identifier given upon its creation.
+
+type: keyword
+
+
+**`docker.image.id.parent`**
+:   Identifier of the image, if it exists, from which the current image directly descends.
+
+type: keyword
+
+
+**`docker.image.created`**
+:   Date and time when the image was created.
+
+type: date
+
+
+
+## size [_size_2]
+
+Image size layers.
+
+**`docker.image.size.virtual`**
+:   Size of the image.
+
+type: long
+
+
+**`docker.image.size.regular`**
+:   Total size of the all cached images associated to the current image.
+
+type: long
+
+
+**`docker.image.labels`**
+:   Image labels.
+
+type: object
+
+
+**`docker.image.tags`**
+:   Image tags.
+
+type: keyword
+
+
+
+## info [_info_4]
+
+Info metrics based on [https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/display-system-wide-information](https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/display-system-wide-information).
+
+
+## containers [_containers]
+
+Overall container stats.
+
+**`docker.info.containers.paused`**
+:   Total number of paused containers.
+
+type: long
+
+
+**`docker.info.containers.running`**
+:   Total number of running containers.
+
+type: long
+
+
+**`docker.info.containers.stopped`**
+:   Total number of stopped containers.
+
+type: long
+
+
+**`docker.info.containers.total`**
+:   Total number of existing containers.
+
+type: long
+
+
+**`docker.info.id`**
+:   Unique Docker host identifier.
+
+type: keyword
+
+
+**`docker.info.images`**
+:   Total number of existing images.
+
+type: long
+
+
+
+## memory [_memory_5]
+
+Memory metrics.
+
+**`docker.memory.stats.*`**
+:   Raw memory stats from the cgroups memory.stat interface
+
+type: object
+
+
+
+## commit [_commit_2]
+
+Committed bytes on Windows
+
+**`docker.memory.commit.total`**
+:   Total bytes
+
+type: long
+
+format: bytes
+
+
+**`docker.memory.commit.peak`**
+:   Peak committed bytes on Windows
+
+type: long
+
+format: bytes
+
+
+**`docker.memory.private_working_set.total`**
+:   private working sets on Windows
+
+type: long
+
+format: bytes
+
+
+**`docker.memory.fail.count`**
+:   Fail counter.
+
+type: scaled_float
+
+
+**`docker.memory.limit`**
+:   Memory limit.
+
+type: long
+
+format: bytes
+
+
+
+## rss [_rss_2]
+
+RSS memory stats.
+
+**`docker.memory.rss.total`**
+:   Total memory resident set size.
+
+type: long
+
+format: bytes
+
+
+**`docker.memory.rss.pct`**
+:   Memory resident set size percentage, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+
+## usage [_usage_13]
+
+Usage memory stats.
+
+**`docker.memory.usage.max`**
+:   Max memory usage.
+
+type: long
+
+format: bytes
+
+
+**`docker.memory.usage.pct`**
+:   Memory usage percentage, expressed as a value between 0 and 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`docker.memory.usage.total`**
+:   Total memory usage.
+
+type: long
+
+format: bytes
+
+
+
+## network [_network_2]
+
+Network metrics.
+
+**`docker.network.interface`**
+:   Network interface name.
+
+type: keyword
+
+
+
+## in [_in]
+
+Incoming network stats per second.
+
+**`docker.network.in.bytes`**
+:   Incoming bytes per seconds.
+
+type: long
+
+format: bytes
+
+
+**`docker.network.in.dropped`**
+:   Dropped incoming packets per second.
+
+type: scaled_float
+
+
+**`docker.network.in.errors`**
+:   Errors on incoming packets per second.
+
+type: long
+
+
+**`docker.network.in.packets`**
+:   Incoming packets per second.
+
+type: long
+
+
+
+## out [_out]
+
+Outgoing network stats per second.
+
+**`docker.network.out.bytes`**
+:   Outgoing bytes per second.
+
+type: long
+
+format: bytes
+
+
+**`docker.network.out.dropped`**
+:   Dropped outgoing packets per second.
+
+type: scaled_float
+
+
+**`docker.network.out.errors`**
+:   Errors on outgoing packets per second.
+
+type: long
+
+
+**`docker.network.out.packets`**
+:   Outgoing packets per second.
+
+type: long
+
+
+
+## inbound [_inbound]
+
+Incoming network stats since the container started.
+
+**`docker.network.inbound.bytes`**
+:   Total number of incoming bytes.
+
+type: long
+
+format: bytes
+
+
+**`docker.network.inbound.dropped`**
+:   Total number of dropped incoming packets.
+
+type: long
+
+
+**`docker.network.inbound.errors`**
+:   Total errors on incoming packets.
+
+type: long
+
+
+**`docker.network.inbound.packets`**
+:   Total number of incoming packets.
+
+type: long
+
+
+
+## outbound [_outbound]
+
+Outgoing network stats since the container started.
+
+**`docker.network.outbound.bytes`**
+:   Total number of outgoing bytes.
+
+type: long
+
+format: bytes
+
+
+**`docker.network.outbound.dropped`**
+:   Total number of dropped outgoing packets.
+
+type: long
+
+
+**`docker.network.outbound.errors`**
+:   Total errors on outgoing packets.
+
+type: long
+
+
+**`docker.network.outbound.packets`**
+:   Total number of outgoing packets.
+
+type: long
+
+
+
+## network_summary [_network_summary]
+
+network_summary
+
+**`docker.network_summary.ip.*`**
+:   IP counters
+
+type: object
+
+
+**`docker.network_summary.tcp.*`**
+:   TCP counters
+
+type: object
+
+
+**`docker.network_summary.udp.*`**
+:   UDP counters
+
+type: object
+
+
+**`docker.network_summary.udp_lite.*`**
+:   UDP Lite counters
+
+type: object
+
+
+**`docker.network_summary.icmp.*`**
+:   ICMP counters
+
+type: object
+
+
+**`docker.network_summary.namespace.pid`**
+:   The root PID of the container, corresponding to /proc/[pid]/net
+
+type: long
+
+
+**`docker.network_summary.namespace.id`**
+:   The ID of the network namespace used by the container, corresponding to /proc/[pid]/ns/net
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-dropwizard.md b/docs/reference/metricbeat/exported-fields-dropwizard.md
new file mode 100644
index 000000000000..96776bec7149
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-dropwizard.md
@@ -0,0 +1,12 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-dropwizard.html
+---
+
+# Dropwizard fields [exported-fields-dropwizard]
+
+Stats collected from Dropwizard.
+
+
+## dropwizard [_dropwizard]
+
diff --git a/docs/reference/metricbeat/exported-fields-ecs.md b/docs/reference/metricbeat/exported-fields-ecs.md
new file mode 100644
index 000000000000..db94c2c0ad86
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-ecs.md
@@ -0,0 +1,10423 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-ecs.html
+---
+
+# ECS fields [exported-fields-ecs]
+
+This section defines Elastic Common Schema (ECS) fields—a common set of fields to be used when storing event data in {{es}}.
+
+This is an exhaustive list, and fields listed here are not necessarily used by Metricbeat. The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events.
+
+See the [ECS reference](ecs://reference/index.md) for more information.
+
+**`@timestamp`**
+:   Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+required: True
+
+
+**`labels`**
+:   Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels.
+
+type: object
+
+example: {"application": "foo-bar", "env": "production"}
+
+
+**`message`**
+:   For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.
+
+type: match_only_text
+
+example: Hello World
+
+
+**`tags`**
+:   List of keywords used to tag each event.
+
+type: keyword
+
+example: ["production", "env2"]
+
+
+
+## agent [_agent_2]
+
+The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
+
+**`agent.build.original`**
+:   Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required.
+
+type: keyword
+
+example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]
+
+
+**`agent.ephemeral_id`**
+:   Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`agent.id`**
+:   Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
+
+type: keyword
+
+example: 8a4f500d
+
+
+**`agent.name`**
+:   Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.
+
+type: keyword
+
+example: foo
+
+
+**`agent.type`**
+:   Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.
+
+type: keyword
+
+example: filebeat
+
+
+**`agent.version`**
+:   Version of the agent.
+
+type: keyword
+
+example: 6.0.0-rc2
+
+
+
+## as [_as]
+
+An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
+
+**`as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`as.organization.name.text`**
+:   type: match_only_text
+
+
+
+## client [_client_2]
+
+A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
+
+**`client.address`**
+:   Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`client.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`client.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`client.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`client.bytes`**
+:   Bytes sent from the client to the server.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`client.domain`**
+:   The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`client.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`client.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`client.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`client.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`client.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`client.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`client.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`client.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`client.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`client.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`client.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`client.ip`**
+:   IP address of the client (IPv4 or IPv6).
+
+type: ip
+
+
+**`client.mac`**
+:   MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`client.nat.ip`**
+:   Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`client.nat.port`**
+:   Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`client.packets`**
+:   Packets sent from the client to the server.
+
+type: long
+
+example: 12
+
+
+**`client.port`**
+:   Port of the client.
+
+type: long
+
+format: string
+
+
+**`client.registered_domain`**
+:   The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`client.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`client.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`client.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`client.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`client.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`client.user.full_name.text`**
+:   type: match_only_text
+
+
+**`client.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`client.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`client.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`client.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`client.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`client.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`client.user.name.text`**
+:   type: match_only_text
+
+
+**`client.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## cloud [_cloud]
+
+Fields related to the cloud or infrastructure the events are coming from.
+
+**`cloud.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.origin.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.origin.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.origin.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.origin.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.origin.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.origin.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.origin.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.origin.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.origin.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.origin.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.origin.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+**`cloud.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+**`cloud.target.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.target.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.target.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.target.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.target.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.target.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.target.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.target.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.target.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.target.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.target.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+
+## code_signature [_code_signature]
+
+These fields contain information about binary code signatures.
+
+**`code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+
+## container [_container_4]
+
+Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.
+
+**`container.cpu.usage`**
+:   Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000.
+
+type: scaled_float
+
+
+**`container.disk.read.bytes`**
+:   The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`container.disk.write.bytes`**
+:   The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`container.id`**
+:   Unique container id.
+
+type: keyword
+
+
+**`container.image.name`**
+:   Name of the image the container was built on.
+
+type: keyword
+
+
+**`container.image.tag`**
+:   Container image tags.
+
+type: keyword
+
+
+**`container.labels`**
+:   Image labels.
+
+type: object
+
+
+**`container.memory.usage`**
+:   Memory usage percentage and it ranges from 0 to 1. Scaling factor: 1000.
+
+type: scaled_float
+
+
+**`container.name`**
+:   Container name.
+
+type: keyword
+
+
+**`container.network.egress.bytes`**
+:   The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.
+
+type: long
+
+
+**`container.network.ingress.bytes`**
+:   The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.
+
+type: long
+
+
+**`container.runtime`**
+:   Runtime managing this container.
+
+type: keyword
+
+example: docker
+
+
+
+## data_stream [_data_stream]
+
+The data_stream fields take part in defining the new data stream naming scheme. In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this [blog post](https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme). An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional [restrictions](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-create).
+
+**`data_stream.dataset`**
+:   The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters
+
+type: constant_keyword
+
+example: nginx.access
+
+
+**`data_stream.namespace`**
+:   A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters
+
+type: constant_keyword
+
+example: production
+
+
+**`data_stream.type`**
+:   An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
+
+type: constant_keyword
+
+example: logs
+
+
+
+## destination [_destination]
+
+Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
+
+**`destination.address`**
+:   Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`destination.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`destination.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`destination.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`destination.bytes`**
+:   Bytes sent from the destination to the source.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`destination.domain`**
+:   The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`destination.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`destination.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`destination.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`destination.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`destination.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`destination.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`destination.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`destination.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`destination.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`destination.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`destination.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`destination.ip`**
+:   IP address of the destination (IPv4 or IPv6).
+
+type: ip
+
+
+**`destination.mac`**
+:   MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`destination.nat.ip`**
+:   Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`destination.nat.port`**
+:   Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`destination.packets`**
+:   Packets sent from the destination to the source.
+
+type: long
+
+example: 12
+
+
+**`destination.port`**
+:   Port of the destination.
+
+type: long
+
+format: string
+
+
+**`destination.registered_domain`**
+:   The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`destination.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`destination.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`destination.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`destination.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`destination.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`destination.user.full_name.text`**
+:   type: match_only_text
+
+
+**`destination.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`destination.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`destination.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`destination.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`destination.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`destination.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`destination.user.name.text`**
+:   type: match_only_text
+
+
+**`destination.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## dll [_dll]
+
+These fields contain information about code libraries dynamically loaded into processes.
+
+Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: * Dynamic-link library (`.dll`) commonly used on Windows * Shared Object (`.so`) commonly used on Unix-like operating systems * Dynamic library (`.dylib`) commonly used on macOS
+
+**`dll.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`dll.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`dll.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`dll.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`dll.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`dll.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`dll.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`dll.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`dll.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`dll.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`dll.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`dll.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`dll.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`dll.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`dll.name`**
+:   Name of the library. This generally maps to the name of the file on disk.
+
+type: keyword
+
+example: kernel32.dll
+
+
+**`dll.path`**
+:   Full file path of the library.
+
+type: keyword
+
+example: C:\Windows\System32\kernel32.dll
+
+
+**`dll.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`dll.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`dll.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`dll.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`dll.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`dll.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`dll.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+
+## dns [_dns]
+
+Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).
+
+**`dns.answers`**
+:   An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
+
+type: object
+
+
+**`dns.answers.class`**
+:   The class of DNS data contained in this resource record.
+
+type: keyword
+
+example: IN
+
+
+**`dns.answers.data`**
+:   The data describing the resource. The meaning of this data depends on the type and class of the resource record.
+
+type: keyword
+
+example: 10.10.10.10
+
+
+**`dns.answers.name`**
+:   The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s `name` should be the one that corresponds with the answer’s `data`. It should not simply be the original `question.name` repeated.
+
+type: keyword
+
+example: www.example.com
+
+
+**`dns.answers.ttl`**
+:   The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
+
+type: long
+
+example: 180
+
+
+**`dns.answers.type`**
+:   The type of data contained in this resource record.
+
+type: keyword
+
+example: CNAME
+
+
+**`dns.header_flags`**
+:   Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO.
+
+type: keyword
+
+example: ["RD", "RA"]
+
+
+**`dns.id`**
+:   The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+
+type: keyword
+
+example: 62111
+
+
+**`dns.op_code`**
+:   The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
+
+type: keyword
+
+example: QUERY
+
+
+**`dns.question.class`**
+:   The class of records being queried.
+
+type: keyword
+
+example: IN
+
+
+**`dns.question.name`**
+:   The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
+
+type: keyword
+
+example: www.example.com
+
+
+**`dns.question.registered_domain`**
+:   The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`dns.question.subdomain`**
+:   The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: www
+
+
+**`dns.question.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`dns.question.type`**
+:   The type of record being queried.
+
+type: keyword
+
+example: AAAA
+
+
+**`dns.resolved_ip`**
+:   Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
+
+type: ip
+
+example: ["10.10.10.10", "10.10.10.11"]
+
+
+**`dns.response_code`**
+:   The DNS response code.
+
+type: keyword
+
+example: NOERROR
+
+
+**`dns.type`**
+:   The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
+
+type: keyword
+
+example: answer
+
+
+
+## ecs [_ecs]
+
+Meta-information specific to ECS.
+
+**`ecs.version`**
+:   ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.
+
+type: keyword
+
+example: 1.0.0
+
+required: True
+
+
+
+## elf [_elf]
+
+These fields contain Linux Executable Linkable Format (ELF) metadata.
+
+**`elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+
+## error [_error]
+
+These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.
+
+**`error.code`**
+:   Error code describing the error.
+
+type: keyword
+
+
+**`error.id`**
+:   Unique identifier for the error.
+
+type: keyword
+
+
+**`error.message`**
+:   Error message.
+
+type: match_only_text
+
+
+**`error.stack_trace`**
+:   The stack trace of this error in plain text.
+
+type: wildcard
+
+
+**`error.stack_trace.text`**
+:   type: match_only_text
+
+
+**`error.type`**
+:   The type of the error, for example the class name of the exception.
+
+type: keyword
+
+example: java.lang.NullPointerException
+
+
+
+## event [_event_3]
+
+The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.
+
+**`event.action`**
+:   The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+
+type: keyword
+
+example: user-password-change
+
+
+**`event.agent_id_status`**
+:   Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent’s connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID.
+
+type: keyword
+
+example: verified
+
+
+**`event.category`**
+:   This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+
+type: keyword
+
+example: authentication
+
+
+**`event.code`**
+:   Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+
+type: keyword
+
+example: 4648
+
+
+**`event.created`**
+:   event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.
+
+type: date
+
+example: 2016-05-23T08:05:34.857Z
+
+
+**`event.dataset`**
+:   Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
+
+type: keyword
+
+example: apache.access
+
+
+**`event.duration`**
+:   Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.
+
+type: long
+
+format: duration
+
+
+**`event.end`**
+:   event.end contains the date when the event ended or when the activity was last observed.
+
+type: date
+
+
+**`event.hash`**
+:   Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+
+type: keyword
+
+example: 123456789012345678901234567890ABCD
+
+
+**`event.id`**
+:   Unique ID to describe the event.
+
+type: keyword
+
+example: 8a4f500d
+
+
+**`event.ingested`**
+:   Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred.  It’s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+
+type: date
+
+example: 2016-05-23T08:05:35.101Z
+
+
+**`event.kind`**
+:   This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+
+type: keyword
+
+example: alert
+
+
+**`event.module`**
+:   Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.
+
+type: keyword
+
+example: apache
+
+
+**`event.original`**
+:   Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+
+type: keyword
+
+example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
+
+Field is not indexed.
+
+
+**`event.outcome`**
+:   This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+
+type: keyword
+
+example: success
+
+
+**`event.provider`**
+:   Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+
+type: keyword
+
+example: kernel
+
+
+**`event.reason`**
+:   Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+
+type: keyword
+
+example: Terminated an unexpected process
+
+
+**`event.reference`**
+:   Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+type: keyword
+
+example: [https://system.example.com/event/#0001234](https://system.example.com/event/#0001234)
+
+
+**`event.risk_score`**
+:   Risk score or priority of the event (e.g. security solutions). Use your system’s original value here.
+
+type: float
+
+
+**`event.risk_score_norm`**
+:   Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
+
+type: float
+
+
+**`event.sequence`**
+:   Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
+
+type: long
+
+format: string
+
+
+**`event.severity`**
+:   The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+
+type: long
+
+example: 7
+
+format: string
+
+
+**`event.start`**
+:   event.start contains the date when the event started or when the activity was first observed.
+
+type: date
+
+
+**`event.timezone`**
+:   This field should be populated when the event’s timestamp does not include timezone information already (e.g. default Syslog timestamps). It’s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+
+type: keyword
+
+
+**`event.type`**
+:   This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+
+type: keyword
+
+
+**`event.url`**
+:   URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+type: keyword
+
+example: [https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe](https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe)
+
+
+
+## faas [_faas]
+
+The user fields describe information about the function as a service that is relevant to the event.
+
+**`faas.coldstart`**
+:   Boolean value indicating a cold start of a function.
+
+type: boolean
+
+
+**`faas.execution`**
+:   The execution ID of the current function execution.
+
+type: keyword
+
+example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
+
+
+**`faas.trigger`**
+:   Details about the function trigger.
+
+type: nested
+
+
+**`faas.trigger.request_id`**
+:   The ID of the trigger request , message, event, etc.
+
+type: keyword
+
+example: 123456789
+
+
+**`faas.trigger.type`**
+:   The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other
+
+type: keyword
+
+example: http
+
+
+
+## file [_file]
+
+A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
+
+**`file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`file.path.text`**
+:   type: match_only_text
+
+
+**`file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`file.target_path.text`**
+:   type: match_only_text
+
+
+**`file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+
+## geo [_geo]
+
+Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.
+
+**`geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+
+## group [_group]
+
+The group fields are meant to represent groups that are relevant to the event.
+
+**`group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+
+## hash [_hash]
+
+The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).
+
+**`hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+
+## host [_host]
+
+A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
+
+**`host.architecture`**
+:   Operating system architecture.
+
+type: keyword
+
+example: x86_64
+
+
+**`host.cpu.usage`**
+:   Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1.
+
+type: scaled_float
+
+
+**`host.disk.read.bytes`**
+:   The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`host.disk.write.bytes`**
+:   The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`host.domain`**
+:   Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider.
+
+type: keyword
+
+example: CONTOSO
+
+
+**`host.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`host.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`host.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`host.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`host.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`host.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`host.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`host.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`host.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`host.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`host.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`host.hostname`**
+:   Hostname of the host. It normally contains what the `hostname` command returns on the host machine.
+
+type: keyword
+
+
+**`host.id`**
+:   Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.
+
+type: keyword
+
+
+**`host.ip`**
+:   Host ip addresses.
+
+type: ip
+
+
+**`host.mac`**
+:   Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
+
+
+**`host.name`**
+:   Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+
+type: keyword
+
+
+**`host.network.egress.bytes`**
+:   The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.egress.packets`**
+:   The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.ingress.bytes`**
+:   The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.ingress.packets`**
+:   The number of packets (gauge) received on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`host.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`host.os.full.text`**
+:   type: match_only_text
+
+
+**`host.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`host.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`host.os.name.text`**
+:   type: match_only_text
+
+
+**`host.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`host.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`host.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`host.type`**
+:   Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
+
+type: keyword
+
+
+**`host.uptime`**
+:   Seconds the host has been up.
+
+type: long
+
+example: 1325
+
+
+
+## http [_http]
+
+Fields related to HTTP activity. Use the `url` field set to store the url of the request.
+
+**`http.request.body.bytes`**
+:   Size in bytes of the request body.
+
+type: long
+
+example: 887
+
+format: bytes
+
+
+**`http.request.body.content`**
+:   The full HTTP request body.
+
+type: wildcard
+
+example: Hello world
+
+
+**`http.request.body.content.text`**
+:   type: match_only_text
+
+
+**`http.request.bytes`**
+:   Total size in bytes of the request (body and headers).
+
+type: long
+
+example: 1437
+
+format: bytes
+
+
+**`http.request.id`**
+:   A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`.
+
+type: keyword
+
+example: 123e4567-e89b-12d3-a456-426614174000
+
+
+**`http.request.method`**
+:   HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+
+type: keyword
+
+example: POST
+
+
+**`http.request.mime_type`**
+:   Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request’s Content-Type header can be helpful in detecting threats or misconfigured clients.
+
+type: keyword
+
+example: image/gif
+
+
+**`http.request.referrer`**
+:   Referrer for this HTTP request.
+
+type: keyword
+
+example: [https://blog.example.com/](https://blog.example.com/)
+
+
+**`http.response.body.bytes`**
+:   Size in bytes of the response body.
+
+type: long
+
+example: 887
+
+format: bytes
+
+
+**`http.response.body.content`**
+:   The full HTTP response body.
+
+type: wildcard
+
+example: Hello world
+
+
+**`http.response.body.content.text`**
+:   type: match_only_text
+
+
+**`http.response.bytes`**
+:   Total size in bytes of the response (body and headers).
+
+type: long
+
+example: 1437
+
+format: bytes
+
+
+**`http.response.mime_type`**
+:   Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response’s Content-Type header can be helpful in detecting misconfigured servers.
+
+type: keyword
+
+example: image/gif
+
+
+**`http.response.status_code`**
+:   HTTP response status code.
+
+type: long
+
+example: 404
+
+format: string
+
+
+**`http.version`**
+:   HTTP version.
+
+type: keyword
+
+example: 1.1
+
+
+
+## interface [_interface]
+
+The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection.  In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.
+
+**`interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+
+## log [_log]
+
+Details about the event’s logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields.
+
+**`log.file.path`**
+:   Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field.
+
+type: keyword
+
+example: /var/log/fun-times.log
+
+
+**`log.level`**
+:   Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`.
+
+type: keyword
+
+example: error
+
+
+**`log.logger`**
+:   The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+
+type: keyword
+
+example: org.elasticsearch.bootstrap.Bootstrap
+
+
+**`log.origin.file.line`**
+:   The line number of the file containing the source code which originated the log event.
+
+type: long
+
+example: 42
+
+
+**`log.origin.file.name`**
+:   The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.
+
+type: keyword
+
+example: Bootstrap.java
+
+
+**`log.origin.function`**
+:   The name of the function or method which originated the log event.
+
+type: keyword
+
+example: init
+
+
+**`log.syslog`**
+:   The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
+
+type: object
+
+
+**`log.syslog.facility.code`**
+:   The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+
+type: long
+
+example: 23
+
+format: string
+
+
+**`log.syslog.facility.name`**
+:   The Syslog text-based facility of the log event, if available.
+
+type: keyword
+
+example: local7
+
+
+**`log.syslog.priority`**
+:   Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+
+type: long
+
+example: 135
+
+format: string
+
+
+**`log.syslog.severity.code`**
+:   The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source’s numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+
+type: long
+
+example: 3
+
+
+**`log.syslog.severity.name`**
+:   The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source’s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
+
+type: keyword
+
+example: Error
+
+
+
+## network [_network_3]
+
+The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.
+
+**`network.application`**
+:   When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: aim
+
+
+**`network.bytes`**
+:   Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+
+type: long
+
+example: 368
+
+format: bytes
+
+
+**`network.community_id`**
+:   A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at [https://github.com/corelight/community-id-spec](https://github.com/corelight/community-id-spec).
+
+type: keyword
+
+example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
+
+
+**`network.direction`**
+:   Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown
+
+When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+
+type: keyword
+
+example: inbound
+
+
+**`network.forwarded_ip`**
+:   Host IP address when the source IP address is the proxy.
+
+type: ip
+
+example: 192.1.1.2
+
+
+**`network.iana_number`**
+:   IANA Protocol Number ([https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+
+type: keyword
+
+example: 6
+
+
+**`network.inner`**
+:   Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
+
+type: object
+
+
+**`network.inner.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`network.inner.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`network.name`**
+:   Name given by operators to sections of their network.
+
+type: keyword
+
+example: Guest Wifi
+
+
+**`network.packets`**
+:   Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+
+type: long
+
+example: 24
+
+
+**`network.protocol`**
+:   In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: http
+
+
+**`network.transport`**
+:   Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: tcp
+
+
+**`network.type`**
+:   In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: ipv4
+
+
+**`network.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`network.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+
+## observer [_observer]
+
+An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
+
+**`observer.egress`**
+:   Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
+
+type: object
+
+
+**`observer.egress.interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`observer.egress.interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`observer.egress.interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+**`observer.egress.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`observer.egress.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`observer.egress.zone`**
+:   Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
+
+type: keyword
+
+example: Public_Internet
+
+
+**`observer.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`observer.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`observer.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`observer.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`observer.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`observer.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`observer.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`observer.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`observer.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`observer.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`observer.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`observer.hostname`**
+:   Hostname of the observer.
+
+type: keyword
+
+
+**`observer.ingress`**
+:   Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
+
+type: object
+
+
+**`observer.ingress.interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`observer.ingress.interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`observer.ingress.interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+**`observer.ingress.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`observer.ingress.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`observer.ingress.zone`**
+:   Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
+
+type: keyword
+
+example: DMZ
+
+
+**`observer.ip`**
+:   IP addresses of the observer.
+
+type: ip
+
+
+**`observer.mac`**
+:   MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
+
+
+**`observer.name`**
+:   Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.
+
+type: keyword
+
+example: 1_proxySG
+
+
+**`observer.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`observer.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`observer.os.full.text`**
+:   type: match_only_text
+
+
+**`observer.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`observer.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`observer.os.name.text`**
+:   type: match_only_text
+
+
+**`observer.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`observer.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`observer.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`observer.product`**
+:   The product name of the observer.
+
+type: keyword
+
+example: s200
+
+
+**`observer.serial_number`**
+:   Observer serial number.
+
+type: keyword
+
+
+**`observer.type`**
+:   The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+
+type: keyword
+
+example: firewall
+
+
+**`observer.vendor`**
+:   Vendor name of the observer.
+
+type: keyword
+
+example: Symantec
+
+
+**`observer.version`**
+:   Observer version.
+
+type: keyword
+
+
+
+## orchestrator [_orchestrator]
+
+Fields that describe the resources which container orchestrators manage or act upon.
+
+**`orchestrator.api_version`**
+:   API version being used to carry out the action
+
+type: keyword
+
+example: v1beta1
+
+
+**`orchestrator.cluster.name`**
+:   Name of the cluster.
+
+type: keyword
+
+
+**`orchestrator.cluster.url`**
+:   URL of the API used to manage the cluster.
+
+type: keyword
+
+
+**`orchestrator.cluster.version`**
+:   The version of the cluster.
+
+type: keyword
+
+
+**`orchestrator.namespace`**
+:   Namespace in which the action is taking place.
+
+type: keyword
+
+example: kube-system
+
+
+**`orchestrator.organization`**
+:   Organization affected by the event (for multi-tenant orchestrator setups).
+
+type: keyword
+
+example: elastic
+
+
+**`orchestrator.resource.name`**
+:   Name of the resource being acted upon.
+
+type: keyword
+
+example: test-pod-cdcws
+
+
+**`orchestrator.resource.type`**
+:   Type of resource being acted upon.
+
+type: keyword
+
+example: service
+
+
+**`orchestrator.type`**
+:   Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
+
+type: keyword
+
+example: kubernetes
+
+
+
+## organization [_organization]
+
+The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.
+
+**`organization.id`**
+:   Unique identifier for the organization.
+
+type: keyword
+
+
+**`organization.name`**
+:   Organization name.
+
+type: keyword
+
+
+**`organization.name.text`**
+:   type: match_only_text
+
+
+
+## os [_os]
+
+The OS fields contain information about the operating system.
+
+**`os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`os.full.text`**
+:   type: match_only_text
+
+
+**`os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`os.name.text`**
+:   type: match_only_text
+
+
+**`os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+
+## package [_package]
+
+These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
+
+**`package.architecture`**
+:   Package architecture.
+
+type: keyword
+
+example: x86_64
+
+
+**`package.build_version`**
+:   Additional information about the build version of the installed package. For example use the commit SHA of a non-released package.
+
+type: keyword
+
+example: 36f4f7e89dd61b0988b12ee000b98966867710cd
+
+
+**`package.checksum`**
+:   Checksum of the installed package for verification.
+
+type: keyword
+
+example: 68b329da9893e34099c7d8ad5cb9c940
+
+
+**`package.description`**
+:   Description of the package.
+
+type: keyword
+
+example: Open source programming language to build simple/reliable/efficient software.
+
+
+**`package.install_scope`**
+:   Indicating how the package was installed, e.g. user-local, global.
+
+type: keyword
+
+example: global
+
+
+**`package.installed`**
+:   Time when package was installed.
+
+type: date
+
+
+**`package.license`**
+:   License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible ([https://spdx.org/licenses/](https://spdx.org/licenses/)).
+
+type: keyword
+
+example: Apache License 2.0
+
+
+**`package.name`**
+:   Package name
+
+type: keyword
+
+example: go
+
+
+**`package.path`**
+:   Path where the package is installed.
+
+type: keyword
+
+example: /usr/local/Cellar/go/1.12.9/
+
+
+**`package.reference`**
+:   Home page or reference URL of the software in this package, if available.
+
+type: keyword
+
+example: [https://golang.org](https://golang.org)
+
+
+**`package.size`**
+:   Package size in bytes.
+
+type: long
+
+example: 62231
+
+format: string
+
+
+**`package.type`**
+:   Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.
+
+type: keyword
+
+example: rpm
+
+
+**`package.version`**
+:   Package version
+
+type: keyword
+
+example: 1.12.9
+
+
+
+## pe [_pe]
+
+These fields contain Windows Portable Executable (PE) metadata.
+
+**`pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+
+## process [_process_2]
+
+These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message.  The `process.pid` often stays in the metric itself and is copied to the global field for correlation.
+
+**`process.args`**
+:   Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
+
+type: keyword
+
+example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
+
+
+**`process.args_count`**
+:   Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
+
+type: long
+
+example: 4
+
+
+**`process.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`process.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`process.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`process.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`process.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`process.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`process.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`process.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`process.command_line`**
+:   Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
+
+type: wildcard
+
+example: /usr/bin/ssh -l user 10.0.0.16
+
+
+**`process.command_line.text`**
+:   type: match_only_text
+
+
+**`process.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`process.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`process.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`process.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`process.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`process.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`process.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`process.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`process.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`process.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`process.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`process.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`process.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`process.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`process.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`process.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`process.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`process.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`process.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`process.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`process.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`process.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`process.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`process.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`process.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`process.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`process.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`process.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`process.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`process.end`**
+:   The time the process ended.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.entity_id`**
+:   Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+
+type: keyword
+
+example: c2c455d9f99375d
+
+
+**`process.executable`**
+:   Absolute path to the process executable.
+
+type: keyword
+
+example: /usr/bin/ssh
+
+
+**`process.executable.text`**
+:   type: match_only_text
+
+
+**`process.exit_code`**
+:   The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
+
+type: long
+
+example: 137
+
+
+**`process.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`process.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`process.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`process.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`process.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`process.name`**
+:   Process name. Sometimes called program name or similar.
+
+type: keyword
+
+example: ssh
+
+
+**`process.name.text`**
+:   type: match_only_text
+
+
+**`process.parent.args`**
+:   Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
+
+type: keyword
+
+example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
+
+
+**`process.parent.args_count`**
+:   Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
+
+type: long
+
+example: 4
+
+
+**`process.parent.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`process.parent.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`process.parent.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`process.parent.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.parent.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`process.parent.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`process.parent.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.command_line`**
+:   Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
+
+type: wildcard
+
+example: /usr/bin/ssh -l user 10.0.0.16
+
+
+**`process.parent.command_line.text`**
+:   type: match_only_text
+
+
+**`process.parent.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`process.parent.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`process.parent.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`process.parent.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`process.parent.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`process.parent.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`process.parent.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`process.parent.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`process.parent.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`process.parent.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`process.parent.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`process.parent.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`process.parent.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`process.parent.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`process.parent.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`process.parent.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`process.parent.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`process.parent.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`process.parent.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`process.parent.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`process.parent.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`process.parent.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`process.parent.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`process.parent.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`process.parent.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`process.parent.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`process.parent.end`**
+:   The time the process ended.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.parent.entity_id`**
+:   Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+
+type: keyword
+
+example: c2c455d9f99375d
+
+
+**`process.parent.executable`**
+:   Absolute path to the process executable.
+
+type: keyword
+
+example: /usr/bin/ssh
+
+
+**`process.parent.executable.text`**
+:   type: match_only_text
+
+
+**`process.parent.exit_code`**
+:   The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
+
+type: long
+
+example: 137
+
+
+**`process.parent.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`process.parent.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`process.parent.name`**
+:   Process name. Sometimes called program name or similar.
+
+type: keyword
+
+example: ssh
+
+
+**`process.parent.name.text`**
+:   type: match_only_text
+
+
+**`process.parent.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`process.parent.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.parent.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`process.parent.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`process.parent.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`process.parent.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`process.parent.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`process.parent.pgid`**
+:   Identifier of the group of processes the process belongs to.
+
+type: long
+
+format: string
+
+
+**`process.parent.pid`**
+:   Process id.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.parent.start`**
+:   The time the process started.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.parent.thread.id`**
+:   Thread ID.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.parent.thread.name`**
+:   Thread name.
+
+type: keyword
+
+example: thread-0
+
+
+**`process.parent.title`**
+:   Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+
+type: keyword
+
+
+**`process.parent.title.text`**
+:   type: match_only_text
+
+
+**`process.parent.uptime`**
+:   Seconds the process has been up.
+
+type: long
+
+example: 1325
+
+
+**`process.parent.working_directory`**
+:   The working directory of the process.
+
+type: keyword
+
+example: /home/alice
+
+
+**`process.parent.working_directory.text`**
+:   type: match_only_text
+
+
+**`process.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`process.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`process.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`process.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`process.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`process.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`process.pgid`**
+:   Identifier of the group of processes the process belongs to.
+
+type: long
+
+format: string
+
+
+**`process.pid`**
+:   Process id.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.start`**
+:   The time the process started.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.thread.id`**
+:   Thread ID.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.thread.name`**
+:   Thread name.
+
+type: keyword
+
+example: thread-0
+
+
+**`process.title`**
+:   Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+
+type: keyword
+
+
+**`process.title.text`**
+:   type: match_only_text
+
+
+**`process.uptime`**
+:   Seconds the process has been up.
+
+type: long
+
+example: 1325
+
+
+**`process.working_directory`**
+:   The working directory of the process.
+
+type: keyword
+
+example: /home/alice
+
+
+**`process.working_directory.text`**
+:   type: match_only_text
+
+
+
+## registry [_registry]
+
+Fields related to Windows Registry operations.
+
+**`registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+
+## related [_related]
+
+This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.
+
+**`related.hash`**
+:   All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search).
+
+type: keyword
+
+
+**`related.hosts`**
+:   All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+
+type: keyword
+
+
+**`related.ip`**
+:   All of the IPs seen on your event.
+
+type: ip
+
+
+**`related.user`**
+:   All the user names or other user identifiers seen on the event.
+
+type: keyword
+
+
+
+## rule [_rule]
+
+Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.
+
+**`rule.author`**
+:   Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
+
+type: keyword
+
+example: ["Star-Lord"]
+
+
+**`rule.category`**
+:   A categorization value keyword used by the entity using the rule for detection of this event.
+
+type: keyword
+
+example: Attempted Information Leak
+
+
+**`rule.description`**
+:   The description of the rule generating the event.
+
+type: keyword
+
+example: Block requests to public DNS over HTTPS / TLS protocols
+
+
+**`rule.id`**
+:   A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+
+type: keyword
+
+example: 101
+
+
+**`rule.license`**
+:   Name of the license under which the rule used to generate this event is made available.
+
+type: keyword
+
+example: Apache 2.0
+
+
+**`rule.name`**
+:   The name of the rule or signature generating the event.
+
+type: keyword
+
+example: BLOCK_DNS_over_TLS
+
+
+**`rule.reference`**
+:   Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert.
+
+type: keyword
+
+example: [https://en.wikipedia.org/wiki/DNS_over_TLS](https://en.wikipedia.org/wiki/DNS_over_TLS)
+
+
+**`rule.ruleset`**
+:   Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
+
+type: keyword
+
+example: Standard_Protocol_Filters
+
+
+**`rule.uuid`**
+:   A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
+
+type: keyword
+
+example: 1100110011
+
+
+**`rule.version`**
+:   The version / revision of the rule being used for analysis.
+
+type: keyword
+
+example: 1.1
+
+
+
+## server [_server_3]
+
+A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
+
+**`server.address`**
+:   Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`server.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`server.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`server.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`server.bytes`**
+:   Bytes sent from the server to the client.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`server.domain`**
+:   The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`server.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`server.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`server.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`server.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`server.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`server.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`server.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`server.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`server.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`server.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`server.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`server.ip`**
+:   IP address of the server (IPv4 or IPv6).
+
+type: ip
+
+
+**`server.mac`**
+:   MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`server.nat.ip`**
+:   Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`server.nat.port`**
+:   Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`server.packets`**
+:   Packets sent from the server to the client.
+
+type: long
+
+example: 12
+
+
+**`server.port`**
+:   Port of the server.
+
+type: long
+
+format: string
+
+
+**`server.registered_domain`**
+:   The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`server.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`server.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`server.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`server.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`server.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`server.user.full_name.text`**
+:   type: match_only_text
+
+
+**`server.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`server.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`server.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`server.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`server.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`server.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`server.user.name.text`**
+:   type: match_only_text
+
+
+**`server.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## service [_service_2]
+
+The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.
+
+**`service.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.origin.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.origin.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.origin.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.origin.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.origin.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.origin.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.origin.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.origin.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.origin.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+**`service.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.target.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.target.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.target.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.target.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.target.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.target.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.target.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.target.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.target.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+**`service.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+
+## source [_source]
+
+Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
+
+**`source.address`**
+:   Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`source.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`source.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`source.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`source.bytes`**
+:   Bytes sent from the source to the destination.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`source.domain`**
+:   The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`source.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`source.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`source.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`source.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`source.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`source.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`source.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`source.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`source.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`source.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`source.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`source.ip`**
+:   IP address of the source (IPv4 or IPv6).
+
+type: ip
+
+
+**`source.mac`**
+:   MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`source.nat.ip`**
+:   Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`source.nat.port`**
+:   Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`source.packets`**
+:   Packets sent from the source to the destination.
+
+type: long
+
+example: 12
+
+
+**`source.port`**
+:   Port of the source.
+
+type: long
+
+format: string
+
+
+**`source.registered_domain`**
+:   The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`source.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`source.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`source.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`source.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`source.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`source.user.full_name.text`**
+:   type: match_only_text
+
+
+**`source.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`source.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`source.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`source.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`source.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`source.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`source.user.name.text`**
+:   type: match_only_text
+
+
+**`source.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## threat [_threat]
+
+Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
+
+**`threat.enrichments`**
+:   A list of associated indicators objects enriching the event, and the context of that association/enrichment.
+
+type: nested
+
+
+**`threat.enrichments.indicator`**
+:   Object containing associated indicators enriching the event.
+
+type: object
+
+
+**`threat.enrichments.indicator.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`threat.enrichments.indicator.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`threat.enrichments.indicator.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.confidence`**
+:   Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High
+
+type: keyword
+
+example: Medium
+
+
+**`threat.enrichments.indicator.description`**
+:   Describes the type of action conducted by the threat.
+
+type: keyword
+
+example: IP x.x.x.x was observed delivering the Angler EK.
+
+
+**`threat.enrichments.indicator.email.address`**
+:   Identifies a threat indicator as an email address (irrespective of direction).
+
+type: keyword
+
+example: `phish@example.com`
+
+
+**`threat.enrichments.indicator.file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`threat.enrichments.indicator.file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`threat.enrichments.indicator.file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`threat.enrichments.indicator.file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`threat.enrichments.indicator.file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.enrichments.indicator.file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`threat.enrichments.indicator.file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`threat.enrichments.indicator.file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`threat.enrichments.indicator.file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`threat.enrichments.indicator.file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`threat.enrichments.indicator.file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`threat.enrichments.indicator.file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`threat.enrichments.indicator.file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`threat.enrichments.indicator.file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`threat.enrichments.indicator.file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`threat.enrichments.indicator.file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`threat.enrichments.indicator.file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`threat.enrichments.indicator.file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`threat.enrichments.indicator.file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`threat.enrichments.indicator.file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`threat.enrichments.indicator.file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.enrichments.indicator.file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`threat.enrichments.indicator.file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.enrichments.indicator.file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`threat.enrichments.indicator.file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`threat.enrichments.indicator.file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`threat.enrichments.indicator.file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`threat.enrichments.indicator.file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`threat.enrichments.indicator.file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`threat.enrichments.indicator.file.path.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`threat.enrichments.indicator.file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.enrichments.indicator.file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`threat.enrichments.indicator.file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`threat.enrichments.indicator.file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`threat.enrichments.indicator.file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`threat.enrichments.indicator.file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`threat.enrichments.indicator.file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`threat.enrichments.indicator.file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.target_path.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`threat.enrichments.indicator.file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.enrichments.indicator.file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.enrichments.indicator.file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.enrichments.indicator.file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.enrichments.indicator.file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.enrichments.indicator.file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.enrichments.indicator.file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.enrichments.indicator.file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.enrichments.indicator.file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.enrichments.indicator.file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.enrichments.indicator.file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.enrichments.indicator.file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.enrichments.indicator.file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.enrichments.indicator.file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.enrichments.indicator.file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.enrichments.indicator.file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.enrichments.indicator.file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.enrichments.indicator.file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.enrichments.indicator.first_seen`**
+:   The date and time when intelligence source first reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`threat.enrichments.indicator.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`threat.enrichments.indicator.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`threat.enrichments.indicator.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`threat.enrichments.indicator.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`threat.enrichments.indicator.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`threat.enrichments.indicator.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`threat.enrichments.indicator.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`threat.enrichments.indicator.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`threat.enrichments.indicator.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`threat.enrichments.indicator.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`threat.enrichments.indicator.ip`**
+:   Identifies a threat indicator as an IP address (irrespective of direction).
+
+type: ip
+
+example: 1.2.3.4
+
+
+**`threat.enrichments.indicator.last_seen`**
+:   The date and time when intelligence source last reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.marking.tlp`**
+:   Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED
+
+type: keyword
+
+example: White
+
+
+**`threat.enrichments.indicator.modified_at`**
+:   The date and time when intelligence source last modified information for this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.port`**
+:   Identifies a threat indicator as a port number (irrespective of direction).
+
+type: long
+
+example: 443
+
+
+**`threat.enrichments.indicator.provider`**
+:   The name of the indicator’s provider.
+
+type: keyword
+
+example: lrz_urlhaus
+
+
+**`threat.enrichments.indicator.reference`**
+:   Reference URL linking to additional information about this indicator.
+
+type: keyword
+
+example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234)
+
+
+**`threat.enrichments.indicator.registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`threat.enrichments.indicator.registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`threat.enrichments.indicator.registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`threat.enrichments.indicator.registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`threat.enrichments.indicator.registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`threat.enrichments.indicator.registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`threat.enrichments.indicator.registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+**`threat.enrichments.indicator.scanner_stats`**
+:   Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+type: long
+
+example: 4
+
+
+**`threat.enrichments.indicator.sightings`**
+:   Number of times this indicator was observed conducting threat activity.
+
+type: long
+
+example: 20
+
+
+**`threat.enrichments.indicator.type`**
+:   Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate
+
+type: keyword
+
+example: ipv4-addr
+
+
+**`threat.enrichments.indicator.url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`threat.enrichments.indicator.url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.enrichments.indicator.url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`threat.enrichments.indicator.url.full.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`threat.enrichments.indicator.url.original.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`threat.enrichments.indicator.url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`threat.enrichments.indicator.url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`threat.enrichments.indicator.url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`threat.enrichments.indicator.url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`threat.enrichments.indicator.url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`threat.enrichments.indicator.url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.enrichments.indicator.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.enrichments.indicator.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.enrichments.indicator.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.enrichments.indicator.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.enrichments.indicator.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.enrichments.indicator.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.enrichments.indicator.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.enrichments.indicator.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.enrichments.indicator.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.enrichments.indicator.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.enrichments.indicator.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.enrichments.indicator.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.enrichments.indicator.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.enrichments.indicator.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.enrichments.indicator.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.enrichments.indicator.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.enrichments.matched.atomic`**
+:   Identifies the atomic indicator value that matched a local environment endpoint or network event.
+
+type: keyword
+
+example: bad-domain.com
+
+
+**`threat.enrichments.matched.field`**
+:   Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
+
+type: keyword
+
+example: file.hash.sha256
+
+
+**`threat.enrichments.matched.id`**
+:   Identifies the _id of the indicator document enriching the event.
+
+type: keyword
+
+example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
+
+
+**`threat.enrichments.matched.index`**
+:   Identifies the _index of the indicator document enriching the event.
+
+type: keyword
+
+example: filebeat-8.0.0-2021.05.23-000011
+
+
+**`threat.enrichments.matched.type`**
+:   Identifies the type of match that caused the event to be enriched with the given indicator
+
+type: keyword
+
+example: indicator_match_rule
+
+
+**`threat.framework`**
+:   Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
+
+type: keyword
+
+example: MITRE ATT&CK
+
+
+**`threat.group.alias`**
+:   The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es).
+
+type: keyword
+
+example: [ "Magecart Group 6" ]
+
+
+**`threat.group.id`**
+:   The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id.
+
+type: keyword
+
+example: G0037
+
+
+**`threat.group.name`**
+:   The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name.
+
+type: keyword
+
+example: FIN6
+
+
+**`threat.group.reference`**
+:   The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL.
+
+type: keyword
+
+example: [https://attack.mitre.org/groups/G0037/](https://attack.mitre.org/groups/G0037/)
+
+
+**`threat.indicator.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`threat.indicator.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`threat.indicator.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.confidence`**
+:   Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High
+
+type: keyword
+
+example: Medium
+
+
+**`threat.indicator.description`**
+:   Describes the type of action conducted by the threat.
+
+type: keyword
+
+example: IP x.x.x.x was observed delivering the Angler EK.
+
+
+**`threat.indicator.email.address`**
+:   Identifies a threat indicator as an email address (irrespective of direction).
+
+type: keyword
+
+example: `phish@example.com`
+
+
+**`threat.indicator.file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`threat.indicator.file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`threat.indicator.file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`threat.indicator.file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`threat.indicator.file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`threat.indicator.file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.indicator.file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`threat.indicator.file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`threat.indicator.file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`threat.indicator.file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`threat.indicator.file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`threat.indicator.file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`threat.indicator.file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`threat.indicator.file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`threat.indicator.file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`threat.indicator.file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`threat.indicator.file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`threat.indicator.file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`threat.indicator.file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`threat.indicator.file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`threat.indicator.file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`threat.indicator.file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`threat.indicator.file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`threat.indicator.file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`threat.indicator.file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.indicator.file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`threat.indicator.file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.indicator.file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`threat.indicator.file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`threat.indicator.file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`threat.indicator.file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`threat.indicator.file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`threat.indicator.file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`threat.indicator.file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`threat.indicator.file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`threat.indicator.file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`threat.indicator.file.path.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`threat.indicator.file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.indicator.file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`threat.indicator.file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`threat.indicator.file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`threat.indicator.file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`threat.indicator.file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`threat.indicator.file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`threat.indicator.file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`threat.indicator.file.target_path.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`threat.indicator.file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.indicator.file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.indicator.file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.indicator.file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.indicator.file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.indicator.file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.indicator.file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.indicator.file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.indicator.file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.indicator.file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.indicator.file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.indicator.file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.indicator.file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.indicator.file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.indicator.file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.indicator.file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.indicator.file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.indicator.file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.indicator.file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.indicator.first_seen`**
+:   The date and time when intelligence source first reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`threat.indicator.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`threat.indicator.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`threat.indicator.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`threat.indicator.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`threat.indicator.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`threat.indicator.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`threat.indicator.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`threat.indicator.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`threat.indicator.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`threat.indicator.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`threat.indicator.ip`**
+:   Identifies a threat indicator as an IP address (irrespective of direction).
+
+type: ip
+
+example: 1.2.3.4
+
+
+**`threat.indicator.last_seen`**
+:   The date and time when intelligence source last reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.marking.tlp`**
+:   Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED
+
+type: keyword
+
+example: WHITE
+
+
+**`threat.indicator.modified_at`**
+:   The date and time when intelligence source last modified information for this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.port`**
+:   Identifies a threat indicator as a port number (irrespective of direction).
+
+type: long
+
+example: 443
+
+
+**`threat.indicator.provider`**
+:   The name of the indicator’s provider.
+
+type: keyword
+
+example: lrz_urlhaus
+
+
+**`threat.indicator.reference`**
+:   Reference URL linking to additional information about this indicator.
+
+type: keyword
+
+example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234)
+
+
+**`threat.indicator.registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`threat.indicator.registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`threat.indicator.registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`threat.indicator.registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`threat.indicator.registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`threat.indicator.registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`threat.indicator.registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+**`threat.indicator.scanner_stats`**
+:   Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+type: long
+
+example: 4
+
+
+**`threat.indicator.sightings`**
+:   Number of times this indicator was observed conducting threat activity.
+
+type: long
+
+example: 20
+
+
+**`threat.indicator.type`**
+:   Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate
+
+type: keyword
+
+example: ipv4-addr
+
+
+**`threat.indicator.url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`threat.indicator.url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.indicator.url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`threat.indicator.url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`threat.indicator.url.full.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`threat.indicator.url.original.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`threat.indicator.url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`threat.indicator.url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`threat.indicator.url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`threat.indicator.url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`threat.indicator.url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`threat.indicator.url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`threat.indicator.url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`threat.indicator.url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+**`threat.indicator.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.indicator.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.indicator.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.indicator.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.indicator.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.indicator.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.indicator.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.indicator.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.indicator.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.indicator.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.indicator.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.indicator.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.indicator.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.indicator.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.indicator.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.indicator.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.indicator.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.indicator.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.software.alias`**
+:   The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description.
+
+type: keyword
+
+example: [ "X-Agent" ]
+
+
+**`threat.software.id`**
+:   The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id.
+
+type: keyword
+
+example: S0552
+
+
+**`threat.software.name`**
+:   The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name.
+
+type: keyword
+
+example: AdFind
+
+
+**`threat.software.platforms`**
+:   The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows
+
+While not required, you can use a MITRE ATT&CK® software platforms.
+
+type: keyword
+
+example: [ "Windows" ]
+
+
+**`threat.software.reference`**
+:   The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL.
+
+type: keyword
+
+example: [https://attack.mitre.org/software/S0552/](https://attack.mitre.org/software/S0552/)
+
+
+**`threat.software.type`**
+:   The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool
+
+```
+While not required, you can use a MITRE ATT&CK® software type.
+```
+type: keyword
+
+example: Tool
+
+
+**`threat.tactic.id`**
+:   The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) )
+
+type: keyword
+
+example: TA0002
+
+
+**`threat.tactic.name`**
+:   Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/))
+
+type: keyword
+
+example: Execution
+
+
+**`threat.tactic.reference`**
+:   The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) )
+
+type: keyword
+
+example: [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)
+
+
+**`threat.technique.id`**
+:   The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: T1059
+
+
+**`threat.technique.name`**
+:   The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: Command and Scripting Interpreter
+
+
+**`threat.technique.name.text`**
+:   type: match_only_text
+
+
+**`threat.technique.reference`**
+:   The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)
+
+
+**`threat.technique.subtechnique.id`**
+:   The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: T1059.001
+
+
+**`threat.technique.subtechnique.name`**
+:   The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: PowerShell
+
+
+**`threat.technique.subtechnique.name.text`**
+:   type: match_only_text
+
+
+**`threat.technique.subtechnique.reference`**
+:   The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)
+
+
+
+## tls [_tls]
+
+Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.
+
+**`tls.cipher`**
+:   String indicating the cipher used during the current connection.
+
+type: keyword
+
+example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+
+
+**`tls.client.certificate`**
+:   PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII…​
+
+
+**`tls.client.certificate_chain`**
+:   Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ["MII…​", "MII…​"]
+
+
+**`tls.client.hash.md5`**
+:   Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+
+**`tls.client.hash.sha1`**
+:   Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+
+**`tls.client.hash.sha256`**
+:   Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+
+**`tls.client.issuer`**
+:   Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.client.ja3`**
+:   A hash that identifies clients based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: d4e5b18d6b55c71272893221c96ba240
+
+
+**`tls.client.not_after`**
+:   Date/Time indicating when client certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+
+**`tls.client.not_before`**
+:   Date/Time indicating when client certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+
+**`tls.client.server_name`**
+:   Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`tls.client.subject`**
+:   Distinguished name of subject of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=myclient, OU=Documentation Team, DC=example, DC=com
+
+
+**`tls.client.supported_ciphers`**
+:   Array of ciphers offered by the client during the client hello.
+
+type: keyword
+
+example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "…​"]
+
+
+**`tls.client.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`tls.client.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`tls.client.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`tls.client.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`tls.client.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`tls.client.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`tls.client.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`tls.client.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.client.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`tls.client.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`tls.client.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`tls.client.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`tls.client.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`tls.client.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`tls.client.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`tls.client.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`tls.client.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`tls.client.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`tls.client.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`tls.client.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`tls.client.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`tls.client.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`tls.client.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.client.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`tls.curve`**
+:   String indicating the curve used for the given cipher, when applicable.
+
+type: keyword
+
+example: secp256r1
+
+
+**`tls.established`**
+:   Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+
+type: boolean
+
+
+**`tls.next_protocol`**
+:   String indicating the protocol being tunneled. Per the values in the IANA registry ([https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids)), this string should be lower case.
+
+type: keyword
+
+example: http/1.1
+
+
+**`tls.resumed`**
+:   Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+
+type: boolean
+
+
+**`tls.server.certificate`**
+:   PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII…​
+
+
+**`tls.server.certificate_chain`**
+:   Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ["MII…​", "MII…​"]
+
+
+**`tls.server.hash.md5`**
+:   Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+
+**`tls.server.hash.sha1`**
+:   Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+
+**`tls.server.hash.sha256`**
+:   Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+
+**`tls.server.issuer`**
+:   Subject of the issuer of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.server.ja3s`**
+:   A hash that identifies servers based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: 394441ab65754e2207b1e1b457b3641d
+
+
+**`tls.server.not_after`**
+:   Timestamp indicating when server certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+
+**`tls.server.not_before`**
+:   Timestamp indicating when server certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+
+**`tls.server.subject`**
+:   Subject of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.server.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`tls.server.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`tls.server.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`tls.server.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`tls.server.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`tls.server.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`tls.server.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`tls.server.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.server.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`tls.server.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`tls.server.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`tls.server.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`tls.server.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`tls.server.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`tls.server.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`tls.server.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`tls.server.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`tls.server.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`tls.server.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`tls.server.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`tls.server.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`tls.server.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`tls.server.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.server.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`tls.version`**
+:   Numeric part of the version parsed from the original string.
+
+type: keyword
+
+example: 1.2
+
+
+**`tls.version_protocol`**
+:   Normalized lowercase protocol name parsed from original string.
+
+type: keyword
+
+example: tls
+
+
+**`span.id`**
+:   Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query.
+
+type: keyword
+
+example: 3ff9a8981b7ccd5a
+
+
+**`trace.id`**
+:   Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
+
+type: keyword
+
+example: 4bf92f3577b34da6a3ce929d0e0e4736
+
+
+**`transaction.id`**
+:   Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server.
+
+type: keyword
+
+example: 00f067aa0ba902b7
+
+
+
+## url [_url]
+
+URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.
+
+**`url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`url.full.text`**
+:   type: match_only_text
+
+
+**`url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`url.original.text`**
+:   type: match_only_text
+
+
+**`url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+
+## user [_user]
+
+The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
+
+**`user.changes.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.changes.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.changes.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.changes.full_name.text`**
+:   type: match_only_text
+
+
+**`user.changes.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.changes.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.changes.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.changes.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.changes.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.changes.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.changes.name.text`**
+:   type: match_only_text
+
+
+**`user.changes.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.effective.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.effective.full_name.text`**
+:   type: match_only_text
+
+
+**`user.effective.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.effective.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.effective.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.effective.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.effective.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.effective.name.text`**
+:   type: match_only_text
+
+
+**`user.effective.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.full_name.text`**
+:   type: match_only_text
+
+
+**`user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.name.text`**
+:   type: match_only_text
+
+
+**`user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.target.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.target.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.target.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.target.full_name.text`**
+:   type: match_only_text
+
+
+**`user.target.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.target.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.target.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.target.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.target.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.target.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.target.name.text`**
+:   type: match_only_text
+
+
+**`user.target.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## user_agent [_user_agent]
+
+The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
+
+**`user_agent.device.name`**
+:   Name of the device.
+
+type: keyword
+
+example: iPhone
+
+
+**`user_agent.name`**
+:   Name of the user agent.
+
+type: keyword
+
+example: Safari
+
+
+**`user_agent.original`**
+:   Unparsed user_agent string.
+
+type: keyword
+
+example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+
+
+**`user_agent.original.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`user_agent.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`user_agent.os.full.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`user_agent.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`user_agent.os.name.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`user_agent.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`user_agent.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`user_agent.version`**
+:   Version of the user agent.
+
+type: keyword
+
+example: 12.0
+
+
+
+## vlan [_vlan]
+
+The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor  (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.
+
+**`vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+
+## vulnerability [_vulnerability]
+
+The vulnerability fields describe information about a vulnerability that is relevant to an event.
+
+**`vulnerability.category`**
+:   The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example ([Qualys vulnerability categories](https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)) This field must be an array.
+
+type: keyword
+
+example: ["Firewall"]
+
+
+**`vulnerability.classification`**
+:   The classification of the vulnerability scoring system. For example ([https://www.first.org/cvss/](https://www.first.org/cvss/))
+
+type: keyword
+
+example: CVSS
+
+
+**`vulnerability.description`**
+:   The description of the vulnerability that provides additional context of the vulnerability. For example ([Common Vulnerabilities and Exposure CVE description](https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created))
+
+type: keyword
+
+example: In macOS before 2.12.6, there is a vulnerability in the RPC…​
+
+
+**`vulnerability.description.text`**
+:   type: match_only_text
+
+
+**`vulnerability.enumeration`**
+:   The type of identifier used for this vulnerability. For example ([https://cve.mitre.org/about/](https://cve.mitre.org/about/))
+
+type: keyword
+
+example: CVE
+
+
+**`vulnerability.id`**
+:   The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example ([Common Vulnerabilities and Exposure CVE ID](https://cve.mitre.org/about/faqs.html#what_is_cve_id))
+
+type: keyword
+
+example: CVE-2019-00001
+
+
+**`vulnerability.reference`**
+:   A resource that provides additional information, context, and mitigations for the identified vulnerability.
+
+type: keyword
+
+example: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111)
+
+
+**`vulnerability.report_id`**
+:   The report or scan identification number.
+
+type: keyword
+
+example: 20191018.0001
+
+
+**`vulnerability.scanner.vendor`**
+:   The name of the vulnerability scanner vendor.
+
+type: keyword
+
+example: Tenable
+
+
+**`vulnerability.score.base`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+example: 5.5
+
+
+**`vulnerability.score.environmental`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+example: 5.5
+
+
+**`vulnerability.score.temporal`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+
+**`vulnerability.score.version`**
+:   The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss))
+
+type: keyword
+
+example: 2.0
+
+
+**`vulnerability.severity`**
+:   The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss))
+
+type: keyword
+
+example: Critical
+
+
+
+## x509 [_x509]
+
+This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.
+
+**`x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
diff --git a/docs/reference/metricbeat/exported-fields-elasticsearch.md b/docs/reference/metricbeat/exported-fields-elasticsearch.md
new file mode 100644
index 000000000000..6c4a03aecfdb
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-elasticsearch.md
@@ -0,0 +1,2919 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-elasticsearch.html
+---
+
+# Elasticsearch fields [exported-fields-elasticsearch]
+
+Elasticsearch module
+
+**`cluster_settings.cluster.metadata.display_name`**
+:   type: keyword
+
+
+**`index_recovery.shards.start_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.index.recovery.start_time.ms
+
+
+**`index_recovery.shards.stop_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.index.recovery.stop_time.ms
+
+
+**`index_recovery.shards.total_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.index.recovery.total_time.ms
+
+
+**`stack_stats.apm.found`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.stack.apm.found
+
+
+**`stack_stats.xpack.ccr.enabled`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.stack.xpack.ccr.enabled
+
+
+**`stack_stats.xpack.ccr.available`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.stack.xpack.ccr.available
+
+
+**`license.status`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.license.status
+
+
+**`license.type`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.license.type
+
+
+**`shard.primary`**
+:   type: alias
+
+alias to: elasticsearch.shard.primary
+
+
+**`shard.state`**
+:   type: alias
+
+alias to: elasticsearch.shard.state
+
+
+**`shard.index`**
+:   type: alias
+
+alias to: elasticsearch.index.name
+
+
+**`shard.node`**
+:   type: alias
+
+alias to: elasticsearch.node.id
+
+
+**`shard.shard`**
+:   type: alias
+
+alias to: elasticsearch.shard.number
+
+
+**`cluster_stats.indices.count`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.indices.total
+
+
+**`cluster_stats.indices.shards.total`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.indices.shards.count
+
+
+**`cluster_stats.nodes.count.total`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.nodes.count
+
+
+**`cluster_stats.nodes.jvm.max_uptime_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.nodes.jvm.max_uptime.ms
+
+
+**`cluster_stats.nodes.jvm.mem.heap_used_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.nodes.jvm.memory.heap.used.bytes
+
+
+**`cluster_stats.nodes.jvm.mem.heap_max_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.nodes.jvm.memory.heap.max.bytes
+
+
+**`cluster_state.nodes_hash`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.state.nodes_hash
+
+
+**`cluster_state.version`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.state.version
+
+
+**`cluster_state.master_node`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.state.master_node
+
+
+**`cluster_state.state_uuid`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.state.state_uuid
+
+
+**`cluster_state.status`**
+:   type: alias
+
+alias to: elasticsearch.cluster.stats.status
+
+
+**`timestamp`**
+:   type: alias
+
+alias to: @timestamp
+
+
+**`cluster_uuid`**
+:   type: alias
+
+alias to: elasticsearch.cluster.id
+
+
+**`source_node.uuid`**
+:   type: alias
+
+alias to: elasticsearch.node.id
+
+
+**`source_node.name`**
+:   type: alias
+
+alias to: elasticsearch.node.name
+
+
+**`job_stats.job_id`**
+:   type: alias
+
+alias to: elasticsearch.ml.job.id
+
+
+**`job_stats.forecasts_stats.total`**
+:   type: alias
+
+alias to: elasticsearch.ml.job.forecasts_stats.total
+
+
+**`index_stats.index`**
+:   type: alias
+
+alias to: elasticsearch.index.name
+
+
+**`index_stats.primaries.store.size_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.primaries.store.size_in_bytes
+
+
+**`index_stats.primaries.docs.count`**
+:   type: alias
+
+alias to: elasticsearch.index.primaries.docs.count
+
+
+**`index_stats.primaries.segments.count`**
+:   type: alias
+
+alias to: elasticsearch.index.primaries.segments.count
+
+
+**`index_stats.primaries.refresh.total_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.index.primaries.refresh.total_time_in_millis
+
+
+**`index_stats.primaries.merges.total_size_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.primaries.merges.total_size_in_bytes
+
+
+**`index_stats.primaries.indexing.index_total`**
+:   type: alias
+
+alias to: elasticsearch.index.primaries.indexing.index_total
+
+
+**`index_stats.primaries.indexing.index_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.index.primaries.indexing.index_time_in_millis
+
+
+**`index_stats.primaries.indexing.throttle_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.index.primaries.indexing.throttle_time_in_millis
+
+
+**`index_stats.total.query_cache.memory_size_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.total.query_cache.memory_size_in_bytes
+
+
+**`index_stats.total.fielddata.memory_size_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.total.fielddata.memory_size_in_bytes
+
+
+**`index_stats.total.request_cache.memory_size_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.total.request_cache.memory_size_in_bytes
+
+
+**`index_stats.total.merges.total_size_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.total.merges.total_size_in_bytes
+
+
+**`index_stats.total.refresh.total_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.index.total.refresh.total_time_in_millis
+
+
+**`index_stats.total.store.size_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.total.store.size_in_bytes
+
+
+**`index_stats.total.indexing.index_total`**
+:   type: alias
+
+alias to: elasticsearch.index.total.indexing.index_total
+
+
+**`index_stats.total.indexing.index_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.index.total.indexing.index_time_in_millis
+
+
+**`index_stats.total.indexing.throttle_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.index.total.indexing.throttle_time_in_millis
+
+
+**`index_stats.total.search.query_total`**
+:   type: alias
+
+alias to: elasticsearch.index.total.search.query_total
+
+
+**`index_stats.total.search.query_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.index.total.search.query_time_in_millis
+
+
+**`index_stats.total.segments.terms_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.total.segments.terms_memory_in_bytes
+
+
+**`index_stats.total.segments.points_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.total.segments.points_memory_in_bytes
+
+
+**`index_stats.total.segments.count`**
+:   type: alias
+
+alias to: elasticsearch.index.total.segments.count
+
+
+**`index_stats.total.segments.doc_values_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.total.segments.doc_values_memory_in_bytes
+
+
+**`index_stats.total.segments.norms_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.total.segments.norms_memory_in_bytes
+
+
+**`index_stats.total.segments.stored_fields_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.total.segments.stored_fields_memory_in_bytes
+
+
+**`index_stats.total.segments.fixed_bit_set_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.total.segments.fixed_bit_set_memory_in_bytes
+
+
+**`index_stats.total.segments.term_vectors_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.total.segments.term_vectors_memory_in_bytes
+
+
+**`index_stats.total.segments.version_map_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.total.segments.version_map_memory_in_bytes
+
+
+**`index_stats.total.segments.index_writer_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.total.segments.index_writer_memory_in_bytes
+
+
+**`index_stats.total.segments.memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.index.total.segments.memory_in_bytes
+
+
+**`ccr_auto_follow_stats.number_of_failed_follow_indices`**
+:   type: alias
+
+alias to: elasticsearch.ccr.auto_follow.failed.follow_indices.count
+
+
+**`ccr_auto_follow_stats.number_of_failed_remote_cluster_state_requests`**
+:   type: alias
+
+alias to: elasticsearch.ccr.auto_follow.failed.remote_cluster_state_requests.count
+
+
+**`ccr_auto_follow_stats.number_of_successful_follow_indices`**
+:   type: alias
+
+alias to: elasticsearch.ccr.auto_follow.success.follow_indices.count
+
+
+**`ccr_auto_follow_stats.follower.failed_read_requests`**
+:   type: alias
+
+alias to: elasticsearch.ccr.requests.failed.read.count
+
+
+**`ccr_stats.shard_id`**
+:   type: alias
+
+alias to: elasticsearch.ccr.follower.shard.number
+
+
+**`ccr_stats.remote_cluster`**
+:   type: alias
+
+alias to: elasticsearch.ccr.remote_cluster
+
+
+**`ccr_stats.leader_index`**
+:   type: alias
+
+alias to: elasticsearch.ccr.leader.index
+
+
+**`ccr_stats.follower_index`**
+:   type: alias
+
+alias to: elasticsearch.ccr.follower.index
+
+
+**`ccr_stats.leader_global_checkpoint`**
+:   type: alias
+
+alias to: elasticsearch.ccr.leader.global_checkpoint
+
+
+**`ccr_stats.leader_max_seq_no`**
+:   type: alias
+
+alias to: elasticsearch.ccr.leader.max_seq_no
+
+
+**`ccr_stats.follower_global_checkpoint`**
+:   type: alias
+
+alias to: elasticsearch.ccr.follower.global_checkpoint
+
+
+**`ccr_stats.follower_max_seq_no`**
+:   type: alias
+
+alias to: elasticsearch.ccr.follower.max_seq_no
+
+
+**`ccr_stats.last_requested_seq_no`**
+:   type: alias
+
+alias to: elasticsearch.ccr.last_requested_seq_no
+
+
+**`ccr_stats.outstanding_read_requests`**
+:   type: alias
+
+alias to: elasticsearch.ccr.requests.outstanding.read.count
+
+
+**`ccr_stats.outstanding_write_requests`**
+:   type: alias
+
+alias to: elasticsearch.ccr.requests.outstanding.write.count
+
+
+**`ccr_stats.write_buffer_operation_count`**
+:   type: alias
+
+alias to: elasticsearch.ccr.write_buffer.operation.count
+
+
+**`ccr_stats.write_buffer_size_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.ccr.write_buffer.size.bytes
+
+
+**`ccr_stats.follower_mapping_version`**
+:   type: alias
+
+alias to: elasticsearch.ccr.follower.mapping_version
+
+
+**`ccr_stats.follower_settings_version`**
+:   type: alias
+
+alias to: elasticsearch.ccr.follower.settings_version
+
+
+**`ccr_stats.follower_aliases_version`**
+:   type: alias
+
+alias to: elasticsearch.ccr.follower.aliases_version
+
+
+**`ccr_stats.total_read_time_millis`**
+:   type: alias
+
+alias to: elasticsearch.ccr.total_time.read.ms
+
+
+**`ccr_stats.total_read_remote_exec_time_millis`**
+:   type: alias
+
+alias to: elasticsearch.ccr.total_time.read.remote_exec.ms
+
+
+**`ccr_stats.successful_read_requests`**
+:   type: alias
+
+alias to: elasticsearch.ccr.requests.successful.read.count
+
+
+**`ccr_stats.failed_read_requests`**
+:   type: alias
+
+alias to: elasticsearch.ccr.requests.failed.read.count
+
+
+**`ccr_stats.operations_read`**
+:   type: alias
+
+alias to: elasticsearch.ccr.follower.operations.read.count
+
+
+**`ccr_stats.operations_written`**
+:   type: alias
+
+alias to: elasticsearch.ccr.follower.operations_written
+
+
+**`ccr_stats.bytes_read`**
+:   type: alias
+
+alias to: elasticsearch.ccr.bytes_read
+
+
+**`ccr_stats.total_write_time_millis`**
+:   type: alias
+
+alias to: elasticsearch.ccr.total_time.write.ms
+
+
+**`ccr_stats.successful_write_requests`**
+:   type: alias
+
+alias to: elasticsearch.ccr.requests.successful.write.count
+
+
+**`ccr_stats.failed_write_requests`**
+:   type: alias
+
+alias to: elasticsearch.ccr.requests.failed.write.count
+
+
+**`node_stats.fs.total.available_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.fs.summary.available.bytes
+
+
+**`node_stats.fs.total.total_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.fs.summary.total.bytes
+
+
+**`node_stats.fs.summary.available.bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.fs.summary.available.bytes
+
+
+**`node_stats.fs.summary.total.bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.fs.summary.total.bytes
+
+
+**`node_stats.fs.io_stats.total.operations`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.fs.io_stats.total.operations.count
+
+
+**`node_stats.fs.io_stats.total.read_operations`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.fs.io_stats.total.read.operations.count
+
+
+**`node_stats.fs.io_stats.total.write_operations`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.fs.io_stats.total.write.operations.count
+
+
+**`node_stats.indices.store.size_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.store.size.bytes
+
+
+**`node_stats.indices.store.size.bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.store.size.bytes
+
+
+**`node_stats.indices.docs.count`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.docs.count
+
+
+**`node_stats.indices.indexing.index_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.indexing.index_time.ms
+
+
+**`node_stats.indices.indexing.index_total`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.indexing.index_total.count
+
+
+**`node_stats.indices.indexing.throttle_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.indexing.throttle_time.ms
+
+
+**`node_stats.indices.fielddata.memory_size_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.fielddata.memory.bytes
+
+
+**`node_stats.indices.query_cache.memory_size_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.query_cache.memory.bytes
+
+
+**`node_stats.indices.request_cache.memory_size_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.request_cache.memory.bytes
+
+
+**`node_stats.indices.search.query_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.search.query_time.ms
+
+
+**`node_stats.indices.search.query_total`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.search.query_total.count
+
+
+**`node_stats.indices.segments.count`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.segments.count
+
+
+**`node_stats.indices.segments.doc_values_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.segments.doc_values.memory.bytes
+
+
+**`node_stats.indices.segments.fixed_bit_set_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.segments.fixed_bit_set.memory.bytes
+
+
+**`node_stats.indices.segments.index_writer_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.segments.index_writer.memory.bytes
+
+
+**`node_stats.indices.segments.memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.segments.memory.bytes
+
+
+**`node_stats.indices.segments.norms_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.segments.norms.memory.bytes
+
+
+**`node_stats.indices.segments.points_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.segments.points.memory.bytes
+
+
+**`node_stats.indices.segments.stored_fields_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.segments.stored_fields.memory.bytes
+
+
+**`node_stats.indices.segments.term_vectors_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.segments.term_vectors.memory.bytes
+
+
+**`node_stats.indices.segments.terms_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.segments.terms.memory.bytes
+
+
+**`node_stats.indices.segments.version_map_memory_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.indices.segments.version_map.memory.bytes
+
+
+**`node_stats.jvm.gc.collectors.old.collection_count`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.jvm.gc.collectors.old.collection.count
+
+
+**`node_stats.jvm.gc.collectors.old.collection_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.jvm.gc.collectors.old.collection.ms
+
+
+**`node_stats.jvm.gc.collectors.young.collection_count`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.jvm.gc.collectors.young.collection.count
+
+
+**`node_stats.jvm.gc.collectors.young.collection_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.jvm.gc.collectors.young.collection.ms
+
+
+**`node_stats.jvm.mem.heap_max_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.jvm.mem.heap.max.bytes
+
+
+**`node_stats.jvm.mem.heap_used_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.jvm.mem.heap.used.bytes
+
+
+**`node_stats.jvm.mem.heap_used_percent`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.jvm.mem.heap.used.pct
+
+
+**`node_stats.node_id`**
+:   type: alias
+
+alias to: elasticsearch.node.id
+
+
+**`node_stats.os.cpu.load_average.1m`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.os.cpu.load_avg.1m
+
+
+**`node_stats.os.cgroup.cpuacct.usage_nanos`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.os.cgroup.cpuacct.usage.ns
+
+
+**`node_stats.os.cgroup.cpu.cfs_quota_micros`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.os.cgroup.cpu.cfs.quota.us
+
+
+**`node_stats.os.cgroup.cpu.stat.number_of_elapsed_periods`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.os.cgroup.cpu.stat.elapsed_periods.count
+
+
+**`node_stats.os.cgroup.cpu.stat.number_of_times_throttled`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.os.cgroup.cpu.stat.times_throttled.count
+
+
+**`node_stats.os.cgroup.cpu.stat.time_throttled_nanos`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.os.cgroup.cpu.stat.time_throttled.ns
+
+
+**`node_stats.os.cgroup.memory.control_group`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.os.cgroup.memory.control_group
+
+
+**`node_stats.os.cgroup.memory.limit_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.os.cgroup.memory.limit.bytes
+
+
+**`node_stats.os.cgroup.memory.usage_in_bytes`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.os.cgroup.memory.usage.bytes
+
+
+**`node_stats.process.cpu.percent`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.process.cpu.pct
+
+
+**`node_stats.thread_pool.bulk.queue`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.thread_pool.bulk.queue.count
+
+
+**`node_stats.thread_pool.bulk.rejected`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.thread_pool.bulk.rejected.count
+
+
+**`node_stats.thread_pool.get.queue`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.thread_pool.get.queue.count
+
+
+**`node_stats.thread_pool.get.rejected`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.thread_pool.get.rejected.count
+
+
+**`node_stats.thread_pool.index.queue`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.thread_pool.index.queue.count
+
+
+**`node_stats.thread_pool.index.rejected`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.thread_pool.index.rejected.count
+
+
+**`node_stats.thread_pool.search.queue`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.thread_pool.search.queue.count
+
+
+**`node_stats.thread_pool.search.rejected`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.thread_pool.search.rejected.count
+
+
+**`node_stats.thread_pool.write.queue`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.thread_pool.write.queue.count
+
+
+**`node_stats.thread_pool.write.rejected`**
+:   type: alias
+
+alias to: elasticsearch.node.stats.thread_pool.write.rejected.count
+
+
+**`indices_stats._all.primaries.indexing.index_total`**
+:   type: alias
+
+alias to: elasticsearch.index.summary.primaries.indexing.index.count
+
+
+**`indices_stats._all.primaries.indexing.index_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.index.summary.primaries.indexing.index.time.ms
+
+
+**`indices_stats._all.total.search.query_total`**
+:   type: alias
+
+alias to: elasticsearch.index.summary.total.search.query.count
+
+
+**`indices_stats._all.total.search.query_time_in_millis`**
+:   type: alias
+
+alias to: elasticsearch.index.summary.total.search.query.time.ms
+
+
+**`indices_stats._all.total.indexing.index_total`**
+:   type: alias
+
+alias to: elasticsearch.index.summary.total.indexing.index.count
+
+
+**`elasticsearch.cluster.name`**
+:   Elasticsearch cluster name.
+
+type: keyword
+
+
+**`elasticsearch.cluster.id`**
+:   Elasticsearch cluster id.
+
+type: keyword
+
+
+**`elasticsearch.cluster.state.id`**
+:   Elasticsearch state id.
+
+type: keyword
+
+
+**`elasticsearch.node.id`**
+:   Node ID
+
+type: keyword
+
+
+**`elasticsearch.node.name`**
+:   Node name.
+
+type: keyword
+
+
+**`elasticsearch.node.roles`**
+:   Node roles.
+
+type: keyword
+
+
+**`elasticsearch.node.master`**
+:   Is the node the master node?
+
+type: boolean
+
+
+**`elasticsearch.node.mlockall`**
+:   Is mlockall enabled on the node?
+
+type: boolean
+
+
+
+## ccr [_ccr]
+
+Cross-cluster replication stats
+
+**`elasticsearch.ccr.remote_cluster`**
+:   type: keyword
+
+
+**`elasticsearch.ccr.bytes_read`**
+:   type: long
+
+
+**`elasticsearch.ccr.last_requested_seq_no`**
+:   type: long
+
+
+**`elasticsearch.ccr.shard_id`**
+:   type: integer
+
+
+**`elasticsearch.ccr.total_time.read.ms`**
+:   type: long
+
+
+**`elasticsearch.ccr.total_time.read.remote_exec.ms`**
+:   type: long
+
+
+**`elasticsearch.ccr.total_time.write.ms`**
+:   type: long
+
+
+**`elasticsearch.ccr.read_exceptions`**
+:   type: nested
+
+
+**`elasticsearch.ccr.requests.successful.read.count`**
+:   type: long
+
+
+**`elasticsearch.ccr.requests.successful.write.count`**
+:   type: long
+
+
+**`elasticsearch.ccr.requests.failed.read.count`**
+:   type: long
+
+
+**`elasticsearch.ccr.requests.failed.write.count`**
+:   type: long
+
+
+**`elasticsearch.ccr.requests.outstanding.read.count`**
+:   type: long
+
+
+**`elasticsearch.ccr.requests.outstanding.write.count`**
+:   type: long
+
+
+**`elasticsearch.ccr.write_buffer.size.bytes`**
+:   type: long
+
+
+**`elasticsearch.ccr.write_buffer.operation.count`**
+:   type: long
+
+
+**`elasticsearch.ccr.auto_follow.failed.follow_indices.count`**
+:   type: long
+
+
+**`elasticsearch.ccr.auto_follow.failed.remote_cluster_state_requests.count`**
+:   type: long
+
+
+**`elasticsearch.ccr.auto_follow.success.follow_indices.count`**
+:   type: long
+
+
+**`elasticsearch.ccr.leader.index`**
+:   Name of leader index
+
+type: keyword
+
+
+**`elasticsearch.ccr.leader.max_seq_no`**
+:   Maximum sequence number of operation on the leader shard
+
+type: long
+
+
+**`elasticsearch.ccr.leader.global_checkpoint`**
+:   type: long
+
+
+**`elasticsearch.ccr.follower.index`**
+:   Name of follower index
+
+type: keyword
+
+
+**`elasticsearch.ccr.follower.shard.number`**
+:   Number of the shard within the index
+
+type: long
+
+
+**`elasticsearch.ccr.follower.operations_written`**
+:   Number of operations indexed (replicated) into the follower shard from the leader shard
+
+type: long
+
+
+**`elasticsearch.ccr.follower.time_since_last_read.ms`**
+:   Time, in ms, since the follower last fetched from the leader
+
+type: long
+
+
+**`elasticsearch.ccr.follower.global_checkpoint`**
+:   Global checkpoint value on follower shard
+
+type: long
+
+
+**`elasticsearch.ccr.follower.max_seq_no`**
+:   Maximum sequence number of operation on the follower shard
+
+type: long
+
+
+**`elasticsearch.ccr.follower.mapping_version`**
+:   type: long
+
+
+**`elasticsearch.ccr.follower.settings_version`**
+:   type: long
+
+
+**`elasticsearch.ccr.follower.aliases_version`**
+:   type: long
+
+
+**`elasticsearch.ccr.follower.operations.read.count`**
+:   type: long
+
+
+
+## cluster.stats [_cluster_stats]
+
+Cluster stats
+
+**`elasticsearch.cluster.stats.version`**
+:   type: keyword
+
+
+**`elasticsearch.cluster.stats.state.nodes_hash`**
+:   type: keyword
+
+
+**`elasticsearch.cluster.stats.state.master_node`**
+:   type: keyword
+
+
+**`elasticsearch.cluster.stats.state.version`**
+:   type: keyword
+
+
+**`elasticsearch.cluster.stats.state.state_uuid`**
+:   type: keyword
+
+
+**`elasticsearch.cluster.stats.state.nodes`**
+:   type: flattened
+
+
+**`elasticsearch.cluster.stats.status`**
+:   Cluster status (green, yellow, red).
+
+type: keyword
+
+
+
+## nodes [_nodes]
+
+Nodes statistics.
+
+**`elasticsearch.cluster.stats.nodes.fs.total.bytes`**
+:   type: long
+
+
+**`elasticsearch.cluster.stats.nodes.fs.available.bytes`**
+:   type: long
+
+
+**`elasticsearch.cluster.stats.nodes.count`**
+:   Total number of nodes in cluster.
+
+type: long
+
+
+**`elasticsearch.cluster.stats.nodes.master`**
+:   Number of master-eligible nodes in cluster.
+
+type: long
+
+
+**`elasticsearch.cluster.stats.nodes.data`**
+:   Number of data nodes in cluster.
+
+type: long
+
+
+**`elasticsearch.cluster.stats.nodes.jvm.max_uptime.ms`**
+:   type: long
+
+
+**`elasticsearch.cluster.stats.nodes.jvm.memory.heap.max.bytes`**
+:   type: long
+
+
+**`elasticsearch.cluster.stats.nodes.jvm.memory.heap.used.bytes`**
+:   type: long
+
+
+
+## indices [_indices]
+
+Indices statistics.
+
+**`elasticsearch.cluster.stats.indices.store.size.bytes`**
+:   type: long
+
+
+**`elasticsearch.cluster.stats.indices.store.total_data_set_size.bytes`**
+:   type: long
+
+
+**`elasticsearch.cluster.stats.indices.total`**
+:   Total number of indices in cluster.
+
+type: long
+
+
+
+## shards [_shards]
+
+Shard statistics.
+
+**`elasticsearch.cluster.stats.indices.shards.docs.total`**
+:   type: long
+
+
+**`elasticsearch.cluster.stats.indices.shards.count`**
+:   Total number of shards in cluster.
+
+type: long
+
+
+**`elasticsearch.cluster.stats.indices.shards.primaries`**
+:   Total number of primary shards in cluster.
+
+type: long
+
+
+**`elasticsearch.cluster.stats.indices.fielddata.memory.bytes`**
+:   Memory used for fielddata.
+
+type: long
+
+
+**`elasticsearch.cluster.stats.license.expiry_date_in_millis`**
+:   type: long
+
+
+**`elasticsearch.cluster.stats.license.status`**
+:   type: keyword
+
+
+**`elasticsearch.cluster.stats.license.type`**
+:   type: keyword
+
+
+**`elasticsearch.cluster.stats.stack.apm.found`**
+:   type: boolean
+
+
+**`elasticsearch.cluster.stats.stack.xpack.ccr.available`**
+:   type: boolean
+
+
+**`elasticsearch.cluster.stats.stack.xpack.ccr.enabled`**
+:   type: boolean
+
+
+
+## enrich [_enrich]
+
+Enrich stats
+
+**`elasticsearch.enrich.executing_policy.name`**
+:   type: keyword
+
+
+**`elasticsearch.enrich.executing_policy.task.id`**
+:   type: long
+
+
+**`elasticsearch.enrich.executing_policy.task.task`**
+:   type: keyword
+
+
+**`elasticsearch.enrich.executing_policy.task.action`**
+:   type: keyword
+
+
+**`elasticsearch.enrich.executing_policy.task.cancellable`**
+:   type: boolean
+
+
+**`elasticsearch.enrich.executing_policy.task.parent_task_id`**
+:   type: keyword
+
+
+**`elasticsearch.enrich.executing_policy.task.time.start.ms`**
+:   type: long
+
+
+**`elasticsearch.enrich.executing_policy.task.time.running.nano`**
+:   type: long
+
+
+**`elasticsearch.enrich.queue.size`**
+:   Number of search requests in the queue.
+
+type: long
+
+
+**`elasticsearch.enrich.executed_searches.total`**
+:   Number of search requests that enrich processors have executed since node startup.
+
+type: long
+
+
+**`elasticsearch.enrich.remote_requests.current`**
+:   Current number of outstanding remote requests.
+
+type: long
+
+
+**`elasticsearch.enrich.remote_requests.total`**
+:   Number of outstanding remote requests executed since node startup.
+
+type: long
+
+
+
+## index [_index_3]
+
+index
+
+**`elasticsearch.index.hidden`**
+:   type: boolean
+
+
+**`elasticsearch.index.shards.total`**
+:   type: long
+
+
+**`elasticsearch.index.shards.primaries`**
+:   type: long
+
+
+**`elasticsearch.index.uuid`**
+:   type: keyword
+
+
+**`elasticsearch.index.status`**
+:   type: keyword
+
+
+**`elasticsearch.index.tier_preference`**
+:   type: keyword
+
+
+**`elasticsearch.index.creation_date`**
+:   type: date
+
+
+**`elasticsearch.index.version`**
+:   type: keyword
+
+
+**`elasticsearch.index.name`**
+:   Index name.
+
+type: keyword
+
+
+**`elasticsearch.index.primaries.search.query_total`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.search.query_time_in_millis`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.request_cache.memory_size_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.request_cache.evictions`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.request_cache.hit_count`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.request_cache.miss_count`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.query_cache.memory_size_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.query_cache.hit_count`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.query_cache.miss_count`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.store.size_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.store.total_data_set_size_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.docs.count`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.docs.deleted`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.segments.count`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.segments.memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.segments.terms_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.segments.stored_fields_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.segments.term_vectors_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.segments.norms_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.segments.points_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.segments.doc_values_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.segments.index_writer_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.segments.version_map_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.segments.fixed_bit_set_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.refresh.total_time_in_millis`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.refresh.external_total_time_in_millis`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.merges.total_size_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.indexing.index_total`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.indexing.index_time_in_millis`**
+:   type: long
+
+
+**`elasticsearch.index.primaries.indexing.throttle_time_in_millis`**
+:   type: long
+
+
+**`elasticsearch.index.total.docs.count`**
+:   Total number of documents in the index.
+
+type: long
+
+
+**`elasticsearch.index.total.docs.deleted`**
+:   Total number of deleted documents in the index.
+
+type: long
+
+
+**`elasticsearch.index.total.store.size_in_bytes`**
+:   Total size of the index in bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.index.total.store.total_data_set_size_in_bytes`**
+:   Total size of the index in bytes including backing data for partially mounted indices.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.index.total.query_cache.memory_size_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.total.query_cache.evictions`**
+:   type: long
+
+
+**`elasticsearch.index.total.query_cache.hit_count`**
+:   type: long
+
+
+**`elasticsearch.index.total.query_cache.miss_count`**
+:   type: long
+
+
+**`elasticsearch.index.total.fielddata.memory_size_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.total.fielddata.evictions`**
+:   type: long
+
+
+**`elasticsearch.index.total.request_cache.memory_size_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.total.request_cache.evictions`**
+:   type: long
+
+
+**`elasticsearch.index.total.request_cache.hit_count`**
+:   type: long
+
+
+**`elasticsearch.index.total.request_cache.miss_count`**
+:   type: long
+
+
+**`elasticsearch.index.total.merges.total_size_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.total.refresh.total_time_in_millis`**
+:   type: long
+
+
+**`elasticsearch.index.total.refresh.external_total_time_in_millis`**
+:   type: long
+
+
+**`elasticsearch.index.total.segments.memory_in_bytes`**
+:   Total number of memory used by the segments in bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.index.total.segments.terms_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.total.segments.points_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.total.segments.count`**
+:   Total number of index segments.
+
+type: long
+
+
+**`elasticsearch.index.total.segments.doc_values_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.total.segments.norms_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.total.segments.stored_fields_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.total.segments.fixed_bit_set_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.total.segments.term_vectors_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.total.segments.version_map_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.total.segments.index_writer_memory_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.total.search.query_total`**
+:   type: long
+
+
+**`elasticsearch.index.total.search.query_time_in_millis`**
+:   type: long
+
+
+**`elasticsearch.index.total.indexing.index_total`**
+:   type: long
+
+
+**`elasticsearch.index.total.indexing.index_time_in_millis`**
+:   type: long
+
+
+**`elasticsearch.index.total.indexing.throttle_time_in_millis`**
+:   type: long
+
+
+**`elasticsearch.index.total.bulk.total_size_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.total.bulk.avg_size_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.total.bulk.avg_time_in_millis`**
+:   type: long
+
+
+**`elasticsearch.index.total.bulk.total_operations`**
+:   type: long
+
+
+**`elasticsearch.index.total.bulk.total_time_in_millis`**
+:   type: long
+
+
+
+## index.recovery [_index_recovery]
+
+index
+
+**`elasticsearch.index.recovery.index.files.percent`**
+:   type: keyword
+
+
+**`elasticsearch.index.recovery.index.files.recovered`**
+:   type: long
+
+
+**`elasticsearch.index.recovery.index.files.reused`**
+:   type: long
+
+
+**`elasticsearch.index.recovery.index.files.total`**
+:   type: long
+
+
+**`elasticsearch.index.recovery.index.size.recovered_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.recovery.index.size.reused_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.recovery.index.size.total_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.index.recovery.name`**
+:   type: keyword
+
+
+**`elasticsearch.index.recovery.total_time.ms`**
+:   type: long
+
+
+**`elasticsearch.index.recovery.stop_time.ms`**
+:   type: long
+
+
+**`elasticsearch.index.recovery.start_time.ms`**
+:   type: long
+
+
+**`elasticsearch.index.recovery.id`**
+:   Shard recovery id.
+
+type: long
+
+
+**`elasticsearch.index.recovery.type`**
+:   Shard recovery type.
+
+type: keyword
+
+
+**`elasticsearch.index.recovery.primary`**
+:   True if primary shard.
+
+type: boolean
+
+
+**`elasticsearch.index.recovery.stage`**
+:   Recovery stage.
+
+type: keyword
+
+
+**`elasticsearch.index.recovery.translog.percent`**
+:   type: keyword
+
+
+**`elasticsearch.index.recovery.translog.total`**
+:   type: long
+
+
+**`elasticsearch.index.recovery.translog.total_on_start`**
+:   type: long
+
+
+**`elasticsearch.index.recovery.target.transport_address`**
+:   type: keyword
+
+
+**`elasticsearch.index.recovery.target.id`**
+:   Target node id.
+
+type: keyword
+
+
+**`elasticsearch.index.recovery.target.host`**
+:   Target node host address (could be IP address or hostname).
+
+type: keyword
+
+
+**`elasticsearch.index.recovery.target.name`**
+:   Target node name.
+
+type: keyword
+
+
+**`elasticsearch.index.recovery.source.transport_address`**
+:   type: keyword
+
+
+**`elasticsearch.index.recovery.source.id`**
+:   Source node id.
+
+type: keyword
+
+
+**`elasticsearch.index.recovery.source.host`**
+:   Source node host address (could be IP address or hostname).
+
+type: keyword
+
+
+**`elasticsearch.index.recovery.source.name`**
+:   Source node name.
+
+type: keyword
+
+
+**`elasticsearch.index.recovery.verify_index.check_index_time.ms`**
+:   type: long
+
+
+**`elasticsearch.index.recovery.verify_index.total_time.ms`**
+:   type: long
+
+
+
+## index.summary [_index_summary]
+
+index
+
+**`elasticsearch.index.summary.primaries.docs.count`**
+:   Total number of documents in the index.
+
+type: long
+
+
+**`elasticsearch.index.summary.primaries.docs.deleted`**
+:   Total number of deleted documents in the index.
+
+type: long
+
+
+**`elasticsearch.index.summary.primaries.store.size.bytes`**
+:   Total size of the index in bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.index.summary.primaries.store.total_data_set_size.bytes`**
+:   Total size of the index in bytes including backing data for partially mounted indices.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.index.summary.primaries.segments.count`**
+:   Total number of index segments.
+
+type: long
+
+
+**`elasticsearch.index.summary.primaries.segments.memory.bytes`**
+:   Total number of memory used by the segments in bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.index.summary.primaries.indexing.index.count`**
+:   type: long
+
+
+**`elasticsearch.index.summary.primaries.indexing.index.time.ms`**
+:   type: long
+
+
+**`elasticsearch.index.summary.primaries.search.query.count`**
+:   type: long
+
+
+**`elasticsearch.index.summary.primaries.search.query.time.ms`**
+:   type: long
+
+
+**`elasticsearch.index.summary.primaries.bulk.operations.count`**
+:   type: long
+
+
+**`elasticsearch.index.summary.primaries.bulk.size.bytes`**
+:   type: long
+
+
+**`elasticsearch.index.summary.primaries.bulk.time.count.ms`**
+:   type: long
+
+
+**`elasticsearch.index.summary.primaries.bulk.time.avg.ms`**
+:   type: long
+
+
+**`elasticsearch.index.summary.primaries.bulk.time.avg.bytes`**
+:   type: long
+
+
+**`elasticsearch.index.summary.total.docs.count`**
+:   Total number of documents in the index.
+
+type: long
+
+
+**`elasticsearch.index.summary.total.docs.deleted`**
+:   Total number of deleted documents in the index.
+
+type: long
+
+
+**`elasticsearch.index.summary.total.store.size.bytes`**
+:   Total size of the index in bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.index.summary.total.store.total_data_set_size.bytes`**
+:   Total size of the index in bytes including backing data for partially mounted indices.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.index.summary.total.segments.count`**
+:   Total number of index segments.
+
+type: long
+
+
+**`elasticsearch.index.summary.total.segments.memory.bytes`**
+:   Total number of memory used by the segments in bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.index.summary.total.indexing.index.count`**
+:   type: long
+
+
+**`elasticsearch.index.summary.total.indexing.is_throttled`**
+:   type: boolean
+
+
+**`elasticsearch.index.summary.total.indexing.throttle_time.ms`**
+:   type: long
+
+
+**`elasticsearch.index.summary.total.indexing.index.time.ms`**
+:   type: long
+
+
+**`elasticsearch.index.summary.total.search.query.count`**
+:   type: long
+
+
+**`elasticsearch.index.summary.total.search.query.time.ms`**
+:   type: long
+
+
+**`elasticsearch.index.summary.total.bulk.operations.count`**
+:   type: long
+
+
+**`elasticsearch.index.summary.total.bulk.size.bytes`**
+:   type: long
+
+
+**`elasticsearch.index.summary.total.bulk.time.avg.ms`**
+:   type: long
+
+
+**`elasticsearch.index.summary.total.bulk.time.avg.bytes`**
+:   type: long
+
+
+
+## ingest_pipeline [_ingest_pipeline]
+
+Runtime metrics on ingest pipeline execution
+
+**`elasticsearch.ingest_pipeline.name`**
+:   Name / id of the ingest pipeline
+
+type: wildcard
+
+
+
+## total [_total]
+
+Metrics on the total ingest pipeline execution, including all processors.
+
+**`elasticsearch.ingest_pipeline.total.count`**
+:   Number of documents processed by this pipeline
+
+type: long
+
+
+**`elasticsearch.ingest_pipeline.total.failed`**
+:   Number of documented failed to process by this pipeline
+
+type: long
+
+
+**`elasticsearch.ingest_pipeline.total.time.total.ms`**
+:   Total time spent processing documents through this pipeline, inclusive of other pipelines called
+
+type: long
+
+
+**`elasticsearch.ingest_pipeline.total.time.self.ms`**
+:   Time spent processing documents through this pipeline, exclusive of other pipelines called
+
+type: long
+
+
+**`elasticsearch.ingest_pipeline.processor.type`**
+:   The type of ingest processor
+
+type: keyword
+
+
+**`elasticsearch.ingest_pipeline.processor.type_tag`**
+:   The type and the tag for this processor in the format "<type>:<tag>"
+
+type: keyword
+
+
+**`elasticsearch.ingest_pipeline.processor.order_index`**
+:   The order this processor appears in the pipeline definition
+
+type: long
+
+
+**`elasticsearch.ingest_pipeline.processor.count`**
+:   Number of documents processed by this processor
+
+type: long
+
+
+**`elasticsearch.ingest_pipeline.processor.failed`**
+:   Number of documented failed to process by this processor
+
+type: long
+
+
+**`elasticsearch.ingest_pipeline.processor.time.total.ms`**
+:   Total time spent processing documents through this processor
+
+type: long
+
+
+
+## ml.job [_ml_job]
+
+ml
+
+**`elasticsearch.ml.job.id`**
+:   Unique ml job id.
+
+type: keyword
+
+
+**`elasticsearch.ml.job.state`**
+:   Job state.
+
+type: keyword
+
+
+**`elasticsearch.ml.job.forecasts_stats.total`**
+:   type: long
+
+
+**`elasticsearch.ml.job.model_size.memory_status`**
+:   type: keyword
+
+
+**`elasticsearch.ml.job.data_counts.invalid_date_count`**
+:   type: long
+
+
+**`elasticsearch.ml.job.data_counts.processed_record_count`**
+:   Processed data events.
+
+type: long
+
+
+**`elasticsearch.ml.job.data.invalid_date.count`**
+:   The number of records with either a missing date field or a date that could not be parsed.
+
+type: long
+
+
+
+## node [_node_2]
+
+node
+
+**`elasticsearch.node.version`**
+:   Node version.
+
+type: keyword
+
+
+
+## jvm [_jvm]
+
+JVM Info.
+
+**`elasticsearch.node.jvm.version`**
+:   JVM version.
+
+type: keyword
+
+
+**`elasticsearch.node.jvm.memory.heap.init.bytes`**
+:   Heap init used by the JVM in bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.jvm.memory.heap.max.bytes`**
+:   Heap max used by the JVM in bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.jvm.memory.nonheap.init.bytes`**
+:   Non-Heap init used by the JVM in bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.jvm.memory.nonheap.max.bytes`**
+:   Non-Heap max used by the JVM in bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.process.mlockall`**
+:   If process locked in memory.
+
+type: boolean
+
+
+
+## node.stats [_node_stats]
+
+Statistics about each node in a Elasticsearch cluster
+
+**`elasticsearch.node.stats.ingest.total.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.ingest.total.time_in_millis`**
+:   type: long
+
+
+**`elasticsearch.node.stats.ingest.total.current`**
+:   type: long
+
+
+**`elasticsearch.node.stats.ingest.total.failed`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.bulk.avg_time.ms`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.bulk.total_time.ms`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.bulk.total_size.bytes`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.bulk.avg_size.bytes`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.bulk.operations.total.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.docs.count`**
+:   Total number of existing documents.
+
+type: long
+
+
+**`elasticsearch.node.stats.indices.docs.deleted`**
+:   Total number of deleted documents.
+
+type: long
+
+
+**`elasticsearch.node.stats.indices.segments.count`**
+:   Total number of segments.
+
+type: long
+
+
+**`elasticsearch.node.stats.indices.segments.memory.bytes`**
+:   Total size of segments in bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indices.store.size.bytes`**
+:   Total size of all shards assigned to this node in bytes.
+
+type: long
+
+
+**`elasticsearch.node.stats.indices.store.total_data_set_size.bytes`**
+:   Total size of shards in bytes assigned to this node including backing data for partially mounted indices.
+
+type: long
+
+
+**`elasticsearch.node.stats.indices.fielddata.evictions.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.fielddata.memory.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indices.flush.total_time.ms`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.flush.total.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.get.time.ms`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.get.total.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.indexing.index_time.ms`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.indexing.index_total.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.indexing.throttle_time.ms`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.merges.total_time.ms`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.merges.total.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.query_cache.memory.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indices.refresh.total_time.ms`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.refresh.total.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.request_cache.memory.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indices.search.query_time.ms`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.search.query_total.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.search.fetch_time.ms`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.search.fetch_total.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.shard_stats.total_count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.segments.doc_values.memory.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indices.segments.fixed_bit_set.memory.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indices.segments.index_writer.memory.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indices.segments.norms.memory.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indices.segments.points.memory.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indices.segments.stored_fields.memory.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indices.segments.term_vectors.memory.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indices.segments.terms.memory.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indices.segments.version_map.memory.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indices.translog.size.bytes`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indices.translog.operations.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.jvm.mem.heap.max.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.jvm.mem.heap.used.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.jvm.mem.heap.used.pct`**
+:   type: double
+
+format: percent
+
+
+**`elasticsearch.node.stats.jvm.threads.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.jvm.mem.pools.old.max.bytes`**
+:   Max bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.jvm.mem.pools.old.peak.bytes`**
+:   Peak bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.jvm.mem.pools.old.peak_max.bytes`**
+:   Peak max bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.jvm.mem.pools.old.used.bytes`**
+:   Used bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.jvm.mem.pools.young.max.bytes`**
+:   Max bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.jvm.mem.pools.young.peak.bytes`**
+:   Peak bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.jvm.mem.pools.young.peak_max.bytes`**
+:   Peak max bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.jvm.mem.pools.young.used.bytes`**
+:   Used bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.jvm.mem.pools.survivor.max.bytes`**
+:   Max bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.jvm.mem.pools.survivor.peak.bytes`**
+:   Peak bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.jvm.mem.pools.survivor.peak_max.bytes`**
+:   Peak max bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.jvm.mem.pools.survivor.used.bytes`**
+:   Used bytes.
+
+type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.jvm.gc.collectors.old.collection.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.jvm.gc.collectors.old.collection.ms`**
+:   type: long
+
+
+**`elasticsearch.node.stats.jvm.gc.collectors.young.collection.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.jvm.gc.collectors.young.collection.ms`**
+:   type: long
+
+
+**`elasticsearch.node.stats.fs.total.total_in_bytes`**
+:   type: long
+
+
+**`elasticsearch.node.stats.fs.total.available_in_bytes`**
+:   type: long
+
+
+
+## summary [_summary_4]
+
+File system summary
+
+**`elasticsearch.node.stats.fs.summary.total.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.fs.summary.free.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.fs.summary.available.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.fs.io_stats.total.operations.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.fs.io_stats.total.read.operations.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.fs.io_stats.total.write.operations.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.os.cpu.load_avg.1m`**
+:   type: half_float
+
+
+**`elasticsearch.node.stats.os.cgroup.cpuacct.usage.ns`**
+:   type: long
+
+
+**`elasticsearch.node.stats.os.cgroup.cpu.cfs.quota.us`**
+:   type: long
+
+
+**`elasticsearch.node.stats.os.cgroup.cpu.stat.elapsed_periods.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.os.cgroup.cpu.stat.times_throttled.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.os.cgroup.cpu.stat.time_throttled.ns`**
+:   type: long
+
+
+**`elasticsearch.node.stats.os.cgroup.memory.control_group`**
+:   type: keyword
+
+
+**`elasticsearch.node.stats.os.cgroup.memory.limit.bytes`**
+:   type: keyword
+
+
+**`elasticsearch.node.stats.os.cgroup.memory.usage.bytes`**
+:   type: keyword
+
+
+**`elasticsearch.node.stats.process.cpu.pct`**
+:   type: double
+
+format: percent
+
+
+**`elasticsearch.node.stats.process.mem.total_virtual.bytes`**
+:   type: long
+
+
+**`elasticsearch.node.stats.process.open_file_descriptors`**
+:   type: long
+
+
+**`elasticsearch.node.stats.transport.rx.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.transport.rx.size.bytes`**
+:   type: long
+
+
+**`elasticsearch.node.stats.transport.tx.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.transport.tx.size.bytes`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.bulk.active.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.bulk.queue.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.bulk.rejected.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.esql_worker.active.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.esql_worker.queue.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.esql_worker.rejected.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.force_merge.active.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.force_merge.queue.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.force_merge.rejected.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.flush.active.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.flush.queue.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.flush.rejected.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.get.active.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.get.queue.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.get.rejected.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.index.active.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.index.queue.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.index.rejected.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.search.active.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.search.queue.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.search.rejected.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.search_worker.active.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.search_worker.queue.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.search_worker.rejected.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.snapshot.active.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.snapshot.queue.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.snapshot.rejected.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.system_read.active.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.system_read.queue.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.system_read.rejected.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.system_write.active.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.system_write.queue.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.system_write.rejected.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.write.active.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.write.queue.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.thread_pool.write.rejected.count`**
+:   type: long
+
+
+**`elasticsearch.node.stats.indexing_pressure.memory.current.combined_coordinating_and_primary.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indexing_pressure.memory.total.primary.rejections`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indexing_pressure.memory.total.primary.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indexing_pressure.memory.total.coordinating.rejections`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indexing_pressure.memory.total.coordinating.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indexing_pressure.memory.total.replica.rejections`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indexing_pressure.memory.total.replica.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indexing_pressure.memory.total.combined_coordinating_and_primary.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indexing_pressure.memory.current.coordinating.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indexing_pressure.memory.current.primary.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indexing_pressure.memory.current.replica.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indexing_pressure.memory.current.all.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indexing_pressure.memory.total.all.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`elasticsearch.node.stats.indexing_pressure.memory.limit_in_bytes`**
+:   type: long
+
+format: bytes
+
+
+
+## cluster.pending_task [_cluster_pending_task]
+
+`cluster.pending_task` contains a pending task description.
+
+**`elasticsearch.cluster.pending_task.insert_order`**
+:   Insert order
+
+type: long
+
+
+**`elasticsearch.cluster.pending_task.priority`**
+:   Priority
+
+type: long
+
+
+**`elasticsearch.cluster.pending_task.source`**
+:   Source. For example: put-mapping
+
+type: keyword
+
+
+**`elasticsearch.cluster.pending_task.time_in_queue.ms`**
+:   Time in queue
+
+type: long
+
+
+
+## shard [_shard]
+
+shard fields
+
+**`elasticsearch.shard.primary`**
+:   True if this is the primary shard.
+
+type: boolean
+
+
+**`elasticsearch.shard.number`**
+:   The number of this shard.
+
+type: long
+
+
+**`elasticsearch.shard.state`**
+:   The state of this shard.
+
+type: keyword
+
+
+**`elasticsearch.shard.relocating_node.name`**
+:   The node the shard was relocated from.
+
+type: keyword
+
+
+**`elasticsearch.shard.relocating_node.id`**
+:   The node the shard was relocated from. It has the exact same value than relocating_node.name for compatibility purposes.
+
+type: keyword
+
+
+**`elasticsearch.shard.source_node.name`**
+:   type: keyword
+
+
+**`elasticsearch.shard.source_node.uuid`**
+:   type: keyword
+
+
diff --git a/docs/reference/metricbeat/exported-fields-envoyproxy.md b/docs/reference/metricbeat/exported-fields-envoyproxy.md
new file mode 100644
index 000000000000..8f67827a3a70
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-envoyproxy.md
@@ -0,0 +1,351 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-envoyproxy.html
+---
+
+# Envoyproxy fields [exported-fields-envoyproxy]
+
+envoyproxy module
+
+
+## envoyproxy [_envoyproxy]
+
+
+## server [_server_4]
+
+Contains envoy proxy server stats
+
+**`envoyproxy.server.cluster_manager.active_clusters`**
+:   Number of currently active (warmed) clusters
+
+type: integer
+
+
+**`envoyproxy.server.cluster_manager.cluster_added`**
+:   Total clusters added (either via static config or CDS)
+
+type: integer
+
+
+**`envoyproxy.server.cluster_manager.cluster_modified`**
+:   Total clusters modified (via CDS)
+
+type: integer
+
+
+**`envoyproxy.server.cluster_manager.cluster_removed`**
+:   Total clusters removed (via CDS)
+
+type: integer
+
+
+**`envoyproxy.server.cluster_manager.warming_clusters`**
+:   Number of currently warming (not active) clusters
+
+type: integer
+
+
+**`envoyproxy.server.cluster_manager.cluster_updated`**
+:   Total cluster updates
+
+type: integer
+
+
+**`envoyproxy.server.cluster_manager.cluster_updated_via_merge`**
+:   Total cluster updates applied as merged updates
+
+type: integer
+
+
+**`envoyproxy.server.cluster_manager.update_merge_cancelled`**
+:   Total merged updates that got cancelled and delivered early
+
+type: integer
+
+
+**`envoyproxy.server.cluster_manager.update_out_of_merge_window`**
+:   Total updates which arrived out of a merge window
+
+type: integer
+
+
+**`envoyproxy.server.filesystem.flushed_by_timer`**
+:   Total number of times internal flush buffers are written to a file due to flush timeout
+
+type: integer
+
+
+**`envoyproxy.server.filesystem.reopen_failed`**
+:   Total number of times a file was failed to be opened
+
+type: integer
+
+
+**`envoyproxy.server.filesystem.write_buffered`**
+:   Total number of times file data is moved to Envoys internal flush buffer
+
+type: integer
+
+
+**`envoyproxy.server.filesystem.write_completed`**
+:   Total number of times a file was written
+
+type: integer
+
+
+**`envoyproxy.server.filesystem.write_total_buffered`**
+:   Current total size of internal flush buffer in bytes
+
+type: integer
+
+
+**`envoyproxy.server.filesystem.write_failed`**
+:   Total number of times an error occurred during a file write operation
+
+type: integer
+
+
+**`envoyproxy.server.runtime.load_error`**
+:   Total number of load attempts that resulted in an error in any layer
+
+type: integer
+
+
+**`envoyproxy.server.runtime.load_success`**
+:   Total number of load attempts that were successful at all layers
+
+type: integer
+
+
+**`envoyproxy.server.runtime.num_keys`**
+:   Number of keys currently loaded
+
+type: integer
+
+
+**`envoyproxy.server.runtime.override_dir_exists`**
+:   Total number of loads that did use an override directory
+
+type: integer
+
+
+**`envoyproxy.server.runtime.override_dir_not_exists`**
+:   Total number of loads that did not use an override directory
+
+type: integer
+
+
+**`envoyproxy.server.runtime.admin_overrides_active`**
+:   1 if any admin overrides are active otherwise 0
+
+type: integer
+
+
+**`envoyproxy.server.runtime.deprecated_feature_use`**
+:   Total number of times deprecated features were used.
+
+type: integer
+
+
+**`envoyproxy.server.runtime.num_layers`**
+:   Number of layers currently active (without loading errors)
+
+type: integer
+
+
+**`envoyproxy.server.listener_manager.listener_added`**
+:   Total listeners added (either via static config or LDS)
+
+type: integer
+
+
+**`envoyproxy.server.listener_manager.listener_create_failure`**
+:   Total failed listener object additions to workers
+
+type: integer
+
+
+**`envoyproxy.server.listener_manager.listener_create_success`**
+:   Total listener objects successfully added to workers
+
+type: integer
+
+
+**`envoyproxy.server.listener_manager.listener_modified`**
+:   Total listeners modified (via LDS)
+
+type: integer
+
+
+**`envoyproxy.server.listener_manager.listener_removed`**
+:   Total listeners removed (via LDS)
+
+type: integer
+
+
+**`envoyproxy.server.listener_manager.total_listeners_active`**
+:   Number of currently active listeners
+
+type: integer
+
+
+**`envoyproxy.server.listener_manager.total_listeners_draining`**
+:   Number of currently draining listeners
+
+type: integer
+
+
+**`envoyproxy.server.listener_manager.total_listeners_warming`**
+:   Number of currently warming listeners
+
+type: integer
+
+
+**`envoyproxy.server.listener_manager.listener_stopped`**
+:   Total listeners stopped
+
+type: integer
+
+
+**`envoyproxy.server.stats.overflow`**
+:   Total number of times Envoy cannot allocate a statistic due to a shortage of shared memory
+
+type: integer
+
+
+**`envoyproxy.server.server.days_until_first_cert_expiring`**
+:   Number of days until the next certificate being managed will expire
+
+type: integer
+
+
+**`envoyproxy.server.server.live`**
+:   1 if the server is not currently draining, 0 otherwise
+
+type: integer
+
+
+**`envoyproxy.server.server.memory_allocated`**
+:   Current amount of allocated memory in bytes
+
+type: integer
+
+
+**`envoyproxy.server.server.memory_heap_size`**
+:   Current reserved heap size in bytes
+
+type: integer
+
+
+**`envoyproxy.server.server.parent_connections`**
+:   Total connections of the old Envoy process on hot restart
+
+type: integer
+
+
+**`envoyproxy.server.server.total_connections`**
+:   Total connections of both new and old Envoy processes
+
+type: integer
+
+
+**`envoyproxy.server.server.uptime`**
+:   Current server uptime in seconds
+
+type: integer
+
+
+**`envoyproxy.server.server.version`**
+:   Integer represented version number based on SCM revision
+
+type: integer
+
+
+**`envoyproxy.server.server.watchdog_mega_miss`**
+:   type: integer
+
+
+**`envoyproxy.server.server.watchdog_miss`**
+:   type: integer
+
+
+**`envoyproxy.server.server.hot_restart_epoch`**
+:   Current hot restart epoch
+
+type: integer
+
+
+**`envoyproxy.server.server.concurrency`**
+:   Number of worker threads
+
+type: integer
+
+
+**`envoyproxy.server.server.debug_assertion_failures`**
+:   type: integer
+
+
+**`envoyproxy.server.server.dynamic_unknown_fields`**
+:   Number of messages in dynamic configuration with unknown fields
+
+type: integer
+
+
+**`envoyproxy.server.server.state`**
+:   Current state of the Server
+
+type: integer
+
+
+**`envoyproxy.server.server.static_unknown_fields`**
+:   Number of messages in static configuration with unknown fields
+
+type: integer
+
+
+**`envoyproxy.server.server.stats_recent_lookups`**
+:   type: integer
+
+
+**`envoyproxy.server.http2.header_overflow`**
+:   Total number of connections reset due to the headers being larger than Envoy::Http::Http2::ConnectionImpl::StreamImpl::MAX_HEADER_SIZE (63k)
+
+type: integer
+
+
+**`envoyproxy.server.http2.headers_cb_no_stream`**
+:   Total number of errors where a header callback is called without an associated stream. This tracks an unexpected occurrence due to an as yet undiagnosed bug
+
+type: integer
+
+
+**`envoyproxy.server.http2.rx_messaging_error`**
+:   Total number of invalid received frames that violated section 8 of the HTTP/2 spec. This will result in a tx_reset
+
+type: integer
+
+
+**`envoyproxy.server.http2.rx_reset`**
+:   Total number of reset stream frames received by Envoy
+
+type: integer
+
+
+**`envoyproxy.server.http2.too_many_header_frames`**
+:   Total number of times an HTTP2 connection is reset due to receiving too many headers frames. Envoy currently supports proxying at most one header frame for 100-Continue one non-100 response code header frame and one frame with trailers
+
+type: integer
+
+
+**`envoyproxy.server.http2.trailers`**
+:   Total number of trailers seen on requests coming from downstream
+
+type: integer
+
+
+**`envoyproxy.server.http2.tx_reset`**
+:   Total number of reset stream frames transmitted by Envoy
+
+type: integer
+
+
diff --git a/docs/reference/metricbeat/exported-fields-etcd.md b/docs/reference/metricbeat/exported-fields-etcd.md
new file mode 100644
index 000000000000..c1baff76ecb9
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-etcd.md
@@ -0,0 +1,345 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-etcd.html
+---
+
+# Etcd fields [exported-fields-etcd]
+
+etcd Module
+
+
+## etcd [_etcd]
+
+`etcd` contains statistics that were read from Etcd
+
+**`etcd.api_version`**
+:   Etcd API version for metrics retrieval
+
+type: keyword
+
+
+
+## leader [_leader]
+
+Contains etcd leader statistics.
+
+
+## follower [_follower]
+
+Contains follower statistics.
+
+**`etcd.leader.follower.id`**
+:   ID of follower
+
+type: keyword
+
+
+
+## latency [_latency]
+
+latency to each peer in the cluster
+
+**`etcd.leader.follower.latency.ms`**
+:   type: scaled_float
+
+
+**`etcd.leader.follower.success_operations`**
+:   successful Raft RPC requests
+
+type: integer
+
+
+**`etcd.leader.follower.failed_operations`**
+:   failed Raft RPC requests
+
+type: integer
+
+
+**`etcd.leader.follower.leader`**
+:   ID of actual leader
+
+type: keyword
+
+
+
+## server [_server_5]
+
+Server metrics from the Etcd V3 /metrics endpoint
+
+**`etcd.server.has_leader`**
+:   Whether a leader exists in the cluster
+
+type: byte
+
+
+**`etcd.server.leader_changes.count`**
+:   Number of leader changes seen at the cluster
+
+type: long
+
+
+**`etcd.server.proposals_committed.count`**
+:   Number of consensus proposals commited
+
+type: long
+
+
+**`etcd.server.proposals_pending.count`**
+:   Number of consensus proposals pending
+
+type: long
+
+
+**`etcd.server.proposals_failed.count`**
+:   Number of consensus proposals failed
+
+type: long
+
+
+**`etcd.server.grpc_started.count`**
+:   Number of sent gRPC requests
+
+type: long
+
+
+**`etcd.server.grpc_handled.count`**
+:   Number of received gRPC requests
+
+type: long
+
+
+
+## disk [_disk]
+
+Disk metrics from the Etcd V3 /metrics endpoint
+
+**`etcd.disk.mvcc_db_total_size.bytes`**
+:   Size of stored data at MVCC
+
+type: long
+
+format: bytes
+
+
+**`etcd.disk.wal_fsync_duration.ns.bucket.*`**
+:   Latency for writing ahead logs to disk
+
+type: object
+
+
+**`etcd.disk.wal_fsync_duration.ns.count`**
+:   Write ahead logs count
+
+type: long
+
+
+**`etcd.disk.wal_fsync_duration.ns.sum`**
+:   Write ahead logs latency sum
+
+type: long
+
+
+**`etcd.disk.backend_commit_duration.ns.bucket.*`**
+:   Latency for writing backend changes to disk
+
+type: object
+
+
+**`etcd.disk.backend_commit_duration.ns.count`**
+:   Backend commits count
+
+type: long
+
+
+**`etcd.disk.backend_commit_duration.ns.sum`**
+:   Backend commits latency sum
+
+type: long
+
+
+
+## memory [_memory_6]
+
+Memory metrics from the Etcd V3 /metrics endpoint
+
+**`etcd.memory.go_memstats_alloc.bytes`**
+:   Memory allocated bytes as of MemStats Go
+
+type: long
+
+format: bytes
+
+
+
+## network [_network_5]
+
+Network metrics from the Etcd V3 /metrics endpoint
+
+**`etcd.network.client_grpc_sent.bytes`**
+:   gRPC sent bytes total
+
+type: long
+
+format: bytes
+
+
+**`etcd.network.client_grpc_received.bytes`**
+:   gRPC received bytes total
+
+type: long
+
+format: bytes
+
+
+
+## self [_self]
+
+Contains etcd self statistics.
+
+**`etcd.self.id`**
+:   the unique identifier for the member
+
+type: keyword
+
+
+**`etcd.self.leaderinfo.leader`**
+:   id of the current leader member
+
+type: keyword
+
+
+**`etcd.self.leaderinfo.starttime`**
+:   the time when this node was started
+
+type: keyword
+
+
+**`etcd.self.leaderinfo.uptime`**
+:   amount of time the leader has been leader
+
+type: keyword
+
+
+**`etcd.self.name`**
+:   this member’s name
+
+type: keyword
+
+
+**`etcd.self.recv.appendrequest.count`**
+:   number of append requests this node has processed
+
+type: integer
+
+
+**`etcd.self.recv.bandwidthrate`**
+:   number of bytes per second this node is receiving (follower only)
+
+type: scaled_float
+
+
+**`etcd.self.recv.pkgrate`**
+:   number of requests per second this node is receiving (follower only)
+
+type: scaled_float
+
+
+**`etcd.self.send.appendrequest.count`**
+:   number of requests that this node has sent
+
+type: integer
+
+
+**`etcd.self.send.bandwidthrate`**
+:   number of bytes per second this node is sending (leader only). This value is undefined on single member clusters.
+
+type: scaled_float
+
+
+**`etcd.self.send.pkgrate`**
+:   number of requests per second this node is sending (leader only). This value is undefined on single member clusters.
+
+type: scaled_float
+
+
+**`etcd.self.starttime`**
+:   the time when this node was started
+
+type: keyword
+
+
+**`etcd.self.state`**
+:   either leader or follower
+
+type: keyword
+
+
+
+## store [_store]
+
+The store statistics include information about the operations that this node has handled.
+
+**`etcd.store.gets.success`**
+:   type: integer
+
+
+**`etcd.store.gets.fail`**
+:   type: integer
+
+
+**`etcd.store.sets.success`**
+:   type: integer
+
+
+**`etcd.store.sets.fail`**
+:   type: integer
+
+
+**`etcd.store.delete.success`**
+:   type: integer
+
+
+**`etcd.store.delete.fail`**
+:   type: integer
+
+
+**`etcd.store.update.success`**
+:   type: integer
+
+
+**`etcd.store.update.fail`**
+:   type: integer
+
+
+**`etcd.store.create.success`**
+:   type: integer
+
+
+**`etcd.store.create.fail`**
+:   type: integer
+
+
+**`etcd.store.compareandswap.success`**
+:   type: integer
+
+
+**`etcd.store.compareandswap.fail`**
+:   type: integer
+
+
+**`etcd.store.compareanddelete.success`**
+:   type: integer
+
+
+**`etcd.store.compareanddelete.fail`**
+:   type: integer
+
+
+**`etcd.store.expire.count`**
+:   type: integer
+
+
+**`etcd.store.watchers`**
+:   type: integer
+
+
diff --git a/docs/reference/metricbeat/exported-fields-gcp.md b/docs/reference/metricbeat/exported-fields-gcp.md
new file mode 100644
index 000000000000..c12f1f0d6098
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-gcp.md
@@ -0,0 +1,1206 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-gcp.html
+---
+
+# Google Cloud Platform fields [exported-fields-gcp]
+
+GCP module
+
+**`gcp.labels`**
+:   GCP monitoring metrics labels
+
+type: object
+
+
+**`gcp.metrics.*.*.*.*`**
+:   Metrics that returned from Google Cloud API query.
+
+type: object
+
+
+
+## billing [_billing_6]
+
+Google Cloud Billing metrics
+
+**`gcp.billing.cost_type`**
+:   Cost types include regular, tax, adjustment, and rounding_error.
+
+type: keyword
+
+
+**`gcp.billing.invoice_month`**
+:   Billing report month.
+
+type: keyword
+
+
+**`gcp.billing.project_id`**
+:   Project ID of the billing report belongs to.
+
+type: keyword
+
+
+**`gcp.billing.total`**
+:   Total billing amount.
+
+type: float
+
+
+**`gcp.billing.sku_id`**
+:   The ID of the resource used by the service.
+
+type: keyword
+
+
+**`gcp.billing.sku_description`**
+:   A description of the resource type used by the service. For example, a resource type for Cloud Storage is Standard Storage US.
+
+type: keyword
+
+
+**`gcp.billing.service_id`**
+:   The ID of the service that the usage is associated with.
+
+type: keyword
+
+
+**`gcp.billing.service_description`**
+:   The Google Cloud service that reported the Cloud Billing data.
+
+type: keyword
+
+
+**`gcp.billing.tags`**
+:   A collection of key-value pairs that provide additional metadata.
+
+type: nested
+
+
+**`gcp.billing.effective_price`**
+:   The charged price for usage of the Google Cloud SKUs and SKU tiers. Reflects contract pricing if applicable, otherwise, it’s the list price.
+
+type: float
+
+
+
+## carbon [_carbon]
+
+Google Cloud Carbon Footprint metrics
+
+**`gcp.carbon.project_id`**
+:   Project ID the carbon footprint report belongs to.
+
+type: keyword
+
+
+**`gcp.carbon.project_name`**
+:   Project name the carbon footprint report belongs to.
+
+type: keyword
+
+
+**`gcp.carbon.service_id`**
+:   Service ID for the carbon footprint usage.
+
+type: keyword
+
+
+**`gcp.carbon.service_description`**
+:   Service description for the carbon footprint usage.
+
+type: keyword
+
+
+**`gcp.carbon.region`**
+:   Region for the carbon fooprint usage.
+
+type: keyword
+
+
+**`gcp.carbon.footprint.scope1`**
+:   Scope 1 carbon footprint.
+
+type: float
+
+
+**`gcp.carbon.footprint.scope2.location`**
+:   Scope 2 carbon footprint using location-based methodology.
+
+type: float
+
+
+**`gcp.carbon.footprint.scope2.market`**
+:   Scope 2 carbon footprint using market-based methodology.
+
+type: float
+
+
+**`gcp.carbon.footprint.scope3`**
+:   Scope 3 carbon footprint.
+
+type: float
+
+
+**`gcp.carbon.footprint.offsets`**
+:   Total carbon offsets.
+
+type: float
+
+
+
+## compute [_compute_2]
+
+Google Cloud Compute metrics
+
+**`gcp.compute.firewall.dropped.bytes`**
+:   Incoming bytes dropped by the firewall
+
+type: long
+
+
+**`gcp.compute.firewall.dropped_packets_count.value`**
+:   Incoming packets dropped by the firewall
+
+type: long
+
+
+**`gcp.compute.instance.cpu.reserved_cores.value`**
+:   Number of cores reserved on the host of the instance
+
+type: double
+
+
+**`gcp.compute.instance.cpu.usage_time.sec`**
+:   Usage for all cores in seconds
+
+type: double
+
+
+**`gcp.compute.instance.cpu.usage.pct`**
+:   The fraction of the allocated CPU that is currently in use on the instance
+
+type: double
+
+
+**`gcp.compute.instance.disk.read.bytes`**
+:   Count of bytes read from disk
+
+type: long
+
+
+**`gcp.compute.instance.disk.read_ops_count.value`**
+:   Count of disk read IO operations
+
+type: long
+
+
+**`gcp.compute.instance.disk.write.bytes`**
+:   Count of bytes written to disk
+
+type: long
+
+
+**`gcp.compute.instance.disk.write_ops_count.value`**
+:   Count of disk write IO operations
+
+type: long
+
+
+**`gcp.compute.instance.memory.balloon.ram_size.value`**
+:   The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family.
+
+type: long
+
+
+**`gcp.compute.instance.memory.balloon.ram_used.value`**
+:   Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family.
+
+type: long
+
+
+**`gcp.compute.instance.memory.balloon.swap_in.bytes`**
+:   The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family.
+
+type: long
+
+
+**`gcp.compute.instance.memory.balloon.swap_out.bytes`**
+:   The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
+
+type: long
+
+
+**`gcp.compute.instance.network.ingress.bytes`**
+:   Count of bytes received from the network
+
+type: long
+
+
+**`gcp.compute.instance.network.ingress.packets.count`**
+:   Count of packets received from the network
+
+type: long
+
+
+**`gcp.compute.instance.network.egress.bytes`**
+:   Count of bytes sent over the network
+
+type: long
+
+
+**`gcp.compute.instance.network.egress.packets.count`**
+:   Count of packets sent over the network
+
+type: long
+
+
+**`gcp.compute.instance.uptime.sec`**
+:   Number of seconds the VM has been running.
+
+type: long
+
+
+**`gcp.compute.instance.uptime_total.sec`**
+:   Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
+
+type: long
+
+
+
+## dataproc [_dataproc]
+
+Google Cloud Dataproc metrics
+
+**`gcp.dataproc.cluster.hdfs.datanodes.count`**
+:   Indicates the number of HDFS DataNodes that are running inside a cluster.
+
+type: long
+
+
+**`gcp.dataproc.cluster.hdfs.storage_capacity.value`**
+:   Indicates capacity of HDFS system running on cluster in GB.
+
+type: double
+
+
+**`gcp.dataproc.cluster.hdfs.storage_utilization.value`**
+:   The percentage of HDFS storage currently used.
+
+type: double
+
+
+**`gcp.dataproc.cluster.hdfs.unhealthy_blocks.count`**
+:   Indicates the number of unhealthy blocks inside the cluster.
+
+type: long
+
+
+**`gcp.dataproc.cluster.job.failed.count`**
+:   Indicates the number of jobs that have failed on a cluster.
+
+type: long
+
+
+**`gcp.dataproc.cluster.job.running.count`**
+:   Indicates the number of jobs that are running on a cluster.
+
+type: long
+
+
+**`gcp.dataproc.cluster.job.submitted.count`**
+:   Indicates the number of jobs that have been submitted to a cluster.
+
+type: long
+
+
+**`gcp.dataproc.cluster.operation.failed.count`**
+:   Indicates the number of operations that have failed on a cluster.
+
+type: long
+
+
+**`gcp.dataproc.cluster.operation.running.count`**
+:   Indicates the number of operations that are running on a cluster.
+
+type: long
+
+
+**`gcp.dataproc.cluster.operation.submitted.count`**
+:   Indicates the number of operations that have been submitted to a cluster.
+
+type: long
+
+
+**`gcp.dataproc.cluster.yarn.allocated_memory_percentage.value`**
+:   The percentage of YARN memory is allocated.
+
+type: double
+
+
+**`gcp.dataproc.cluster.yarn.apps.count`**
+:   Indicates the number of active YARN applications.
+
+type: long
+
+
+**`gcp.dataproc.cluster.yarn.containers.count`**
+:   Indicates the number of YARN containers.
+
+type: long
+
+
+**`gcp.dataproc.cluster.yarn.memory_size.value`**
+:   Indicates the YARN memory size in GB.
+
+type: double
+
+
+**`gcp.dataproc.cluster.yarn.nodemanagers.count`**
+:   Indicates the number of YARN NodeManagers running inside cluster.
+
+type: long
+
+
+**`gcp.dataproc.cluster.yarn.pending_memory_size.value`**
+:   The current memory request, in GB, that is pending to be fulfilled by the scheduler.
+
+type: double
+
+
+**`gcp.dataproc.cluster.yarn.virtual_cores.count`**
+:   Indicates the number of virtual cores in YARN.
+
+type: long
+
+
+**`gcp.dataproc.cluster.job.completion_time.value`**
+:   The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed.
+
+type: object
+
+
+**`gcp.dataproc.cluster.job.duration.value`**
+:   The time jobs have spent in a given state.
+
+type: object
+
+
+**`gcp.dataproc.cluster.operation.completion_time.value`**
+:   The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed.
+
+type: object
+
+
+**`gcp.dataproc.cluster.operation.duration.value`**
+:   The time operations have spent in a given state.
+
+type: object
+
+
+
+## firestore [_firestore]
+
+Google Cloud Firestore metrics
+
+**`gcp.firestore.document.delete.count`**
+:   The number of successful document deletes.
+
+type: long
+
+
+**`gcp.firestore.document.read.count`**
+:   The number of successful document reads from queries or lookups.
+
+type: long
+
+
+**`gcp.firestore.document.write.count`**
+:   The number of successful document writes.
+
+type: long
+
+
+
+## gke [_gke_2]
+
+`gke` contains the metrics that we scraped from GCP Stackdriver API containing monitoring metrics for GCP GKE
+
+**`gcp.gke.container.cpu.core_usage_time.sec`**
+:   Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds.
+
+type: double
+
+
+**`gcp.gke.container.cpu.limit_cores.value`**
+:   CPU cores limit of the container. Sampled every 60 seconds.
+
+type: double
+
+
+**`gcp.gke.container.cpu.limit_utilization.pct`**
+:   The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
+
+type: double
+
+
+**`gcp.gke.container.cpu.request_cores.value`**
+:   Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
+
+type: double
+
+
+**`gcp.gke.container.cpu.request_utilization.pct`**
+:   The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
+
+type: double
+
+
+**`gcp.gke.container.ephemeral_storage.limit.bytes`**
+:   Local ephemeral storage limit in bytes. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.container.ephemeral_storage.request.bytes`**
+:   Local ephemeral storage request in bytes. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.container.ephemeral_storage.used.bytes`**
+:   Local ephemeral storage usage in bytes. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.container.memory.limit.bytes`**
+:   Memory limit of the container in bytes. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.container.memory.limit_utilization.pct`**
+:   The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
+
+type: double
+
+
+**`gcp.gke.container.memory.page_fault.count`**
+:   Number of page faults, broken down by type, major and minor.
+
+type: long
+
+
+**`gcp.gke.container.memory.request.bytes`**
+:   Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
+
+type: long
+
+
+**`gcp.gke.container.memory.request_utilization.pct`**
+:   The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
+
+type: double
+
+
+**`gcp.gke.container.memory.used.bytes`**
+:   Memory usage in bytes. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.container.restart.count`**
+:   Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
+
+type: long
+
+
+**`gcp.gke.container.uptime.sec`**
+:   Time in seconds that the container has been running. Sampled every 60 seconds.
+
+type: double
+
+
+**`gcp.gke.node.cpu.allocatable_cores.value`**
+:   Number of allocatable CPU cores on the node. Sampled every 60 seconds.
+
+type: double
+
+
+**`gcp.gke.node.cpu.allocatable_utilization.pct`**
+:   The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
+
+type: double
+
+
+**`gcp.gke.node.cpu.core_usage_time.sec`**
+:   Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds.
+
+type: double
+
+
+**`gcp.gke.node.cpu.total_cores.value`**
+:   Total number of CPU cores on the node. Sampled every 60 seconds.
+
+type: double
+
+
+**`gcp.gke.node.ephemeral_storage.allocatable.bytes`**
+:   Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.node.ephemeral_storage.inodes_free.value`**
+:   Free number of inodes on local ephemeral storage. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.node.ephemeral_storage.inodes_total.value`**
+:   Total number of inodes on local ephemeral storage. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.node.ephemeral_storage.total.bytes`**
+:   Total ephemeral storage bytes on the node. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.node.ephemeral_storage.used.bytes`**
+:   Local ephemeral storage bytes used by the node. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.node.memory.allocatable.bytes`**
+:   Cumulative memory bytes used by the node. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.node.memory.allocatable_utilization.pct`**
+:   The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
+
+type: double
+
+
+**`gcp.gke.node.memory.total.bytes`**
+:   Number of bytes of memory allocatable on the node. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.node.memory.used.bytes`**
+:   Cumulative memory bytes used by the node. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.node.network.received_bytes.count`**
+:   Cumulative number of bytes received by the node over the network. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.node.network.sent_bytes.count`**
+:   Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.node.pid_limit.value`**
+:   The max PID of OS on the node. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.node.pid_used.value`**
+:   The number of running process in the OS on the node. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.node_daemon.cpu.core_usage_time.sec`**
+:   Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds.
+
+type: double
+
+
+**`gcp.gke.node_daemon.memory.used.bytes`**
+:   Memory usage by the system daemon in bytes. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.pod.network.received.bytes`**
+:   Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.pod.network.sent.bytes`**
+:   Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.pod.volume.total.bytes`**
+:   Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
+
+type: long
+
+
+**`gcp.gke.pod.volume.used.bytes`**
+:   Number of disk bytes used by the pod. Sampled every 60 seconds.
+
+type: long
+
+
+**`gcp.gke.pod.volume.utilization.pct`**
+:   The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
+
+type: double
+
+
+
+## loadbalancing [_loadbalancing_2]
+
+Google Cloud Load Balancing metrics
+
+**`gcp.loadbalancing.https.backend_request.bytes`**
+:   The number of bytes sent as requests from HTTP/S load balancer to backends.
+
+type: long
+
+
+**`gcp.loadbalancing.https.backend_request.count`**
+:   The number of requests served by backends of HTTP/S load balancer.
+
+type: long
+
+
+**`gcp.loadbalancing.https.backend_response.bytes`**
+:   The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer.
+
+type: long
+
+
+**`gcp.loadbalancing.https.request.bytes`**
+:   The number of bytes sent as requests from clients to HTTP/S load balancer.
+
+type: long
+
+
+**`gcp.loadbalancing.https.request.count`**
+:   The number of requests served by HTTP/S load balancer.
+
+type: long
+
+
+**`gcp.loadbalancing.https.response.bytes`**
+:   The number of bytes sent as responses from HTTP/S load balancer to clients.
+
+type: long
+
+
+**`gcp.loadbalancing.l3.external.egress.bytes`**
+:   The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it’s counting bytes on application stream only.
+
+type: long
+
+
+**`gcp.loadbalancing.l3.external.egress_packets.count`**
+:   The number of packets sent from external TCP/UDP network load balancer backend to client of the flow.
+
+type: long
+
+
+**`gcp.loadbalancing.l3.external.ingress.bytes`**
+:   The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it’s counting bytes on application stream only.
+
+type: long
+
+
+**`gcp.loadbalancing.l3.external.ingress_packets.count`**
+:   The number of packets sent from client to external TCP/UDP network load balancer backend.
+
+type: long
+
+
+**`gcp.loadbalancing.l3.internal.egress.bytes`**
+:   The number of bytes sent from ILB backend to client (for TCP flows it’s counting bytes on application stream only).
+
+type: long
+
+
+**`gcp.loadbalancing.l3.internal.egress_packets.count`**
+:   The number of packets sent from ILB backend to client of the flow.
+
+type: long
+
+
+**`gcp.loadbalancing.l3.internal.ingress.bytes`**
+:   The number of bytes sent from client to ILB backend (for TCP flows it’s counting bytes on application stream only).
+
+type: long
+
+
+**`gcp.loadbalancing.l3.internal.ingress_packets.count`**
+:   The number of packets sent from client to ILB backend.
+
+type: long
+
+
+**`gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value`**
+:   Number of connections that were terminated over TCP/SSL proxy.
+
+type: long
+
+
+**`gcp.loadbalancing.tcp_ssl_proxy.egress.bytes`**
+:   Number of bytes sent from VM to client using proxy.
+
+type: long
+
+
+**`gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes`**
+:   Number of bytes sent from client to VM using proxy.
+
+type: long
+
+
+**`gcp.loadbalancing.tcp_ssl_proxy.new_connections.value`**
+:   Number of connections that were created over TCP/SSL proxy.
+
+type: long
+
+
+**`gcp.loadbalancing.tcp_ssl_proxy.open_connections.value`**
+:   Current number of outstanding connections through the TCP/SSL proxy.
+
+type: long
+
+
+**`gcp.loadbalancing.https.backend_latencies.value`**
+:   A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response.
+
+type: object
+
+
+**`gcp.loadbalancing.https.external.regional.backend_latencies.value`**
+:   A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response.
+
+type: object
+
+
+**`gcp.loadbalancing.https.external.regional.total_latencies.value`**
+:   A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte.
+
+type: object
+
+
+**`gcp.loadbalancing.https.frontend_tcp_rtt.value`**
+:   A distribution of the RTT measured for each connection between client and proxy.
+
+type: object
+
+
+**`gcp.loadbalancing.https.internal.backend_latencies.value`**
+:   A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response.
+
+type: object
+
+
+**`gcp.loadbalancing.https.internal.total_latencies.value`**
+:   A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte.
+
+type: object
+
+
+**`gcp.loadbalancing.https.total_latencies.value`**
+:   A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte.
+
+type: object
+
+
+**`gcp.loadbalancing.l3.external.rtt_latencies.value`**
+:   A distribution of the round trip time latency, measured over TCP connections for the external network load balancer.
+
+type: object
+
+
+**`gcp.loadbalancing.l3.internal.rtt_latencies.value`**
+:   A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows.
+
+type: object
+
+
+**`gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value`**
+:   A distribution of the smoothed RTT (in ms) measured by the proxy’s TCP stack, each minute application layer bytes pass from proxy to client.
+
+type: object
+
+
+
+## pubsub [_pubsub_2]
+
+Google Cloud PubSub metrics
+
+**`gcp.pubsub.snapshot.backlog.bytes`**
+:   Total byte size of the messages retained in a snapshot.
+
+type: long
+
+
+**`gcp.pubsub.snapshot.backlog_bytes_by_region.bytes`**
+:   Total byte size of the messages retained in a snapshot, broken down by Cloud region.
+
+type: long
+
+
+**`gcp.pubsub.snapshot.config_updates.count`**
+:   Cumulative count of configuration changes, grouped by operation type and result.
+
+type: long
+
+
+**`gcp.pubsub.snapshot.num_messages.value`**
+:   Number of messages retained in a snapshot.
+
+type: long
+
+
+**`gcp.pubsub.snapshot.num_messages_by_region.value`**
+:   Number of messages retained in a snapshot, broken down by Cloud region.
+
+type: long
+
+
+**`gcp.pubsub.snapshot.oldest_message_age.sec`**
+:   Age (in seconds) of the oldest message retained in a snapshot.
+
+type: long
+
+
+**`gcp.pubsub.snapshot.oldest_message_age_by_region.sec`**
+:   Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region.
+
+type: long
+
+
+**`gcp.pubsub.subscription.ack_message.count`**
+:   Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type.
+
+type: long
+
+
+**`gcp.pubsub.subscription.backlog.bytes`**
+:   Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription.
+
+type: long
+
+
+**`gcp.pubsub.subscription.byte_cost.bytes`**
+:   Cumulative cost of operations, measured in bytes. This is used to measure quota utilization.
+
+type: long
+
+
+**`gcp.pubsub.subscription.config_updates.count`**
+:   Cumulative count of configuration changes for each subscription, grouped by operation type and result.
+
+type: long
+
+
+**`gcp.pubsub.subscription.dead_letter_message.count`**
+:   Cumulative count of messages published to dead letter topic, grouped by result.
+
+type: long
+
+
+**`gcp.pubsub.subscription.mod_ack_deadline_message.count`**
+:   Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type.
+
+type: long
+
+
+**`gcp.pubsub.subscription.mod_ack_deadline_message_operation.count`**
+:   Cumulative count of ModifyAckDeadline message operations, grouped by result.
+
+type: long
+
+
+**`gcp.pubsub.subscription.mod_ack_deadline_request.count`**
+:   Cumulative count of ModifyAckDeadline requests, grouped by result.
+
+type: long
+
+
+**`gcp.pubsub.subscription.num_outstanding_messages.value`**
+:   Number of messages delivered to a subscription’s push endpoint, but not yet acknowledged.
+
+type: long
+
+
+**`gcp.pubsub.subscription.num_undelivered_messages.value`**
+:   Number of unacknowledged messages (a.k.a. backlog messages) in a subscription.
+
+type: long
+
+
+**`gcp.pubsub.subscription.oldest_retained_acked_message_age.sec`**
+:   Age (in seconds) of the oldest acknowledged message retained in a subscription.
+
+type: long
+
+
+**`gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value`**
+:   Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region.
+
+type: long
+
+
+**`gcp.pubsub.subscription.oldest_unacked_message_age.sec`**
+:   Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription.
+
+type: long
+
+
+**`gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value`**
+:   Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region.
+
+type: long
+
+
+**`gcp.pubsub.subscription.pull_ack_message_operation.count`**
+:   Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
+
+type: long
+
+
+**`gcp.pubsub.subscription.pull_ack_request.count`**
+:   Cumulative count of acknowledge requests, grouped by result.
+
+type: long
+
+
+**`gcp.pubsub.subscription.pull_message_operation.count`**
+:   Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
+
+type: long
+
+
+**`gcp.pubsub.subscription.pull_request.count`**
+:   Cumulative count of pull requests, grouped by result.
+
+type: long
+
+
+**`gcp.pubsub.subscription.push_request.count`**
+:   Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times.
+
+type: long
+
+
+**`gcp.pubsub.subscription.retained_acked.bytes`**
+:   Total byte size of the acknowledged messages retained in a subscription.
+
+type: long
+
+
+**`gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes`**
+:   Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region.
+
+type: long
+
+
+**`gcp.pubsub.subscription.seek_request.count`**
+:   Cumulative count of seek attempts, grouped by result.
+
+type: long
+
+
+**`gcp.pubsub.subscription.sent_message.count`**
+:   Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type.
+
+type: long
+
+
+**`gcp.pubsub.subscription.streaming_pull_ack_message_operation.count`**
+:   Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
+
+type: long
+
+
+**`gcp.pubsub.subscription.streaming_pull_ack_request.count`**
+:   Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result.
+
+type: long
+
+
+**`gcp.pubsub.subscription.streaming_pull_message_operation.count`**
+:   Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric <code>subscription/mod_ack_deadline_message_operation_count
+
+type: long
+
+
+**`gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count`**
+:   Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result.
+
+type: long
+
+
+**`gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count`**
+:   Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result.
+
+type: long
+
+
+**`gcp.pubsub.subscription.streaming_pull_response.count`**
+:   Cumulative count of streaming pull responses, grouped by result.
+
+type: long
+
+
+**`gcp.pubsub.subscription.unacked_bytes_by_region.bytes`**
+:   Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region.
+
+type: long
+
+
+**`gcp.pubsub.topic.byte_cost.bytes`**
+:   Cost of operations, measured in bytes. This is used to measure utilization for quotas.
+
+type: long
+
+
+**`gcp.pubsub.topic.config_updates.count`**
+:   Cumulative count of configuration changes, grouped by operation type and result.
+
+type: long
+
+
+**`gcp.pubsub.topic.message_sizes.bytes`**
+:   Distribution of publish message sizes (in bytes)
+
+type: object
+
+
+**`gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value`**
+:   Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region.
+
+type: long
+
+
+**`gcp.pubsub.topic.oldest_unacked_message_age_by_region.value`**
+:   Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region.
+
+type: long
+
+
+**`gcp.pubsub.topic.retained_acked_bytes_by_region.bytes`**
+:   Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region.
+
+type: long
+
+
+**`gcp.pubsub.topic.send_message_operation.count`**
+:   Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
+
+type: long
+
+
+**`gcp.pubsub.topic.send_request.count`**
+:   Cumulative count of publish requests, grouped by result.
+
+type: long
+
+
+**`gcp.pubsub.topic.streaming_pull_response.count`**
+:   Cumulative count of streaming pull responses, grouped by result.
+
+type: long
+
+
+**`gcp.pubsub.topic.unacked_bytes_by_region.bytes`**
+:   Total byte size of the unacknowledged messages in a topic, broken down by Cloud region.
+
+type: long
+
+
+**`gcp.pubsub.subscription.ack_latencies.value`**
+:   Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message.
+
+type: object
+
+
+**`gcp.pubsub.subscription.push_request_latencies.value`**
+:   Distribution of push request latencies (in microseconds), grouped by result.
+
+type: object
+
+
+
+## storage [_storage_3]
+
+Google Cloud Storage metrics
+
+**`gcp.storage.api.request.count`**
+:   Delta count of API calls, grouped by the API method name and response code.
+
+type: long
+
+
+**`gcp.storage.authz.acl_based_object_access.count`**
+:   Delta count of requests that result in an object being granted access solely due to object ACLs.
+
+type: long
+
+
+**`gcp.storage.authz.acl_operations.count`**
+:   Usage of ACL operations broken down by type.
+
+type: long
+
+
+**`gcp.storage.authz.object_specific_acl_mutation.count`**
+:   Delta count of changes made to object specific ACLs.
+
+type: long
+
+
+**`gcp.storage.network.received.bytes`**
+:   Delta count of bytes received over the network, grouped by the API method name and response code.
+
+type: long
+
+
+**`gcp.storage.network.sent.bytes`**
+:   Delta count of bytes sent over the network, grouped by the API method name and response code.
+
+type: long
+
+
+**`gcp.storage.storage.object.count`**
+:   Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
+
+type: long
+
+
+**`gcp.storage.storage.total_byte_seconds.bytes`**
+:   Delta count of bytes received over the network, grouped by the API method name and response code.
+
+type: long
+
+
+**`gcp.storage.storage.total.bytes`**
+:   Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-golang.md b/docs/reference/metricbeat/exported-fields-golang.md
new file mode 100644
index 000000000000..b2963222e5a8
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-golang.md
@@ -0,0 +1,206 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-golang.html
+---
+
+# Golang fields [exported-fields-golang]
+
+Golang module
+
+
+## golang [_golang]
+
+
+## expvar [_expvar]
+
+expvar
+
+**`golang.expvar.cmdline`**
+:   The cmdline of this Go program start with.
+
+type: keyword
+
+
+
+## heap [_heap]
+
+The Go program heap information exposed by expvar.
+
+**`golang.heap.cmdline`**
+:   The cmdline of this Go program start with.
+
+type: keyword
+
+
+
+## gc [_gc_2]
+
+Garbage collector summary.
+
+
+## total_pause [_total_pause]
+
+Total GC pause duration over lifetime of process.
+
+**`golang.heap.gc.total_pause.ns`**
+:   Duration in Ns.
+
+type: long
+
+
+**`golang.heap.gc.total_count`**
+:   Total number of GC was happened.
+
+type: long
+
+
+**`golang.heap.gc.next_gc_limit`**
+:   Next collection will happen when HeapAlloc > this amount.
+
+type: long
+
+format: bytes
+
+
+**`golang.heap.gc.cpu_fraction`**
+:   Fraction of CPU time used by GC.
+
+type: float
+
+
+
+## pause [_pause_2]
+
+Last GC pause durations during the monitoring period.
+
+**`golang.heap.gc.pause.count`**
+:   Count of GC pause duration during this collect period.
+
+type: long
+
+
+
+## sum [_sum]
+
+Total GC pause duration during this collect period.
+
+**`golang.heap.gc.pause.sum.ns`**
+:   Duration in Ns.
+
+type: long
+
+
+
+## max [_max]
+
+Max GC pause duration during this collect period.
+
+**`golang.heap.gc.pause.max.ns`**
+:   Duration in Ns.
+
+type: long
+
+
+
+## avg [_avg]
+
+Average GC pause duration during this collect period.
+
+**`golang.heap.gc.pause.avg.ns`**
+:   Duration in Ns.
+
+type: long
+
+
+
+## system [_system_2]
+
+Heap summary,which bytes was obtained from system.
+
+**`golang.heap.system.total`**
+:   Total bytes obtained from system (sum of XxxSys below).
+
+type: long
+
+format: bytes
+
+
+**`golang.heap.system.obtained`**
+:   Via HeapSys, bytes obtained from system. heap_sys = heap_idle + heap_inuse.
+
+type: long
+
+format: bytes
+
+
+**`golang.heap.system.stack`**
+:   Bytes used by stack allocator, and these bytes was obtained from system.
+
+type: long
+
+format: bytes
+
+
+**`golang.heap.system.released`**
+:   Bytes released to the OS.
+
+type: long
+
+format: bytes
+
+
+
+## allocations [_allocations]
+
+Heap allocations summary.
+
+**`golang.heap.allocations.mallocs`**
+:   Number of mallocs.
+
+type: long
+
+
+**`golang.heap.allocations.frees`**
+:   Number of frees.
+
+type: long
+
+
+**`golang.heap.allocations.objects`**
+:   Total number of allocated objects.
+
+type: long
+
+
+**`golang.heap.allocations.total`**
+:   Bytes allocated (even if freed) throughout the lifetime.
+
+type: long
+
+format: bytes
+
+
+**`golang.heap.allocations.allocated`**
+:   Bytes allocated and not yet freed (same as Alloc above).
+
+type: long
+
+format: bytes
+
+
+**`golang.heap.allocations.idle`**
+:   Bytes in idle spans.
+
+type: long
+
+format: bytes
+
+
+**`golang.heap.allocations.active`**
+:   Bytes in non-idle span.
+
+type: long
+
+format: bytes
+
+
diff --git a/docs/reference/metricbeat/exported-fields-graphite.md b/docs/reference/metricbeat/exported-fields-graphite.md
new file mode 100644
index 000000000000..432face2eba4
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-graphite.md
@@ -0,0 +1,23 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-graphite.html
+---
+
+# Graphite fields [exported-fields-graphite]
+
+graphite Module
+
+
+## graphite [_graphite]
+
+
+## server [_server_6]
+
+server
+
+**`graphite.server.example`**
+:   Example field
+
+type: keyword
+
+
diff --git a/docs/reference/metricbeat/exported-fields-haproxy.md b/docs/reference/metricbeat/exported-fields-haproxy.md
new file mode 100644
index 000000000000..af6399f090d1
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-haproxy.md
@@ -0,0 +1,1017 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-haproxy.html
+---
+
+# HAProxy fields [exported-fields-haproxy]
+
+HAProxy Module
+
+
+## haproxy [_haproxy]
+
+HAProxy metrics.
+
+
+## info [_info_5]
+
+General information about HAProxy processes.
+
+**`haproxy.info.processes`**
+:   Number of processes.
+
+type: long
+
+
+**`haproxy.info.process_num`**
+:   Process number.
+
+type: long
+
+
+**`haproxy.info.threads`**
+:   Number of threads.
+
+type: long
+
+
+**`haproxy.info.pid`**
+:   Process ID.
+
+type: alias
+
+alias to: process.pid
+
+
+**`haproxy.info.run_queue`**
+:   type: long
+
+
+**`haproxy.info.stopping`**
+:   Number of stopping jobs.
+
+type: long
+
+
+**`haproxy.info.jobs`**
+:   Number of all jobs.
+
+type: long
+
+
+**`haproxy.info.unstoppable_jobs`**
+:   Number of unstoppable jobs.
+
+type: long
+
+
+**`haproxy.info.listeners`**
+:   Number of listeners.
+
+type: long
+
+
+**`haproxy.info.dropped_logs`**
+:   Number of dropped logs.
+
+type: long
+
+
+**`haproxy.info.busy_polling`**
+:   Number of busy polling.
+
+type: long
+
+
+**`haproxy.info.failed_resolutions`**
+:   Number of failed resolutions.
+
+type: long
+
+
+**`haproxy.info.tasks`**
+:   type: long
+
+
+**`haproxy.info.uptime.sec`**
+:   Current uptime in seconds.
+
+type: long
+
+
+**`haproxy.info.memory.max.bytes`**
+:   Maximum amount of memory usage in bytes (the *Memmax_MB* value converted to bytes).
+
+type: long
+
+format: bytes
+
+
+**`haproxy.info.bytes.out.total`**
+:   Number of bytes sent out.
+
+type: long
+
+
+**`haproxy.info.bytes.out.rate`**
+:   Average bytes output rate.
+
+type: long
+
+
+**`haproxy.info.peers.active`**
+:   Number of active peers.
+
+type: long
+
+
+**`haproxy.info.peers.connected`**
+:   Number of connected peers.
+
+type: long
+
+
+**`haproxy.info.pool.allocated`**
+:   Size of the allocated pool.
+
+type: long
+
+
+**`haproxy.info.pool.used`**
+:   Number of members used from the allocated pool.
+
+type: long
+
+
+**`haproxy.info.pool.failed`**
+:   Number of failed connections to pool members.
+
+type: long
+
+
+**`haproxy.info.ulimit_n`**
+:   Maximum number of open files for the process.
+
+type: long
+
+
+
+## compress [_compress]
+
+
+## bps [_bps]
+
+**`haproxy.info.compress.bps.in`**
+:   Incoming compressed data in bits per second.
+
+type: long
+
+
+**`haproxy.info.compress.bps.out`**
+:   Outgoing compressed data in bits per second.
+
+type: long
+
+
+**`haproxy.info.compress.bps.rate_limit`**
+:   Rate limit of compressed data in bits per second.
+
+type: long
+
+
+
+## connection [_connection]
+
+
+## rate [_rate]
+
+**`haproxy.info.connection.rate.value`**
+:   Number of connections in the last second.
+
+type: long
+
+
+**`haproxy.info.connection.rate.limit`**
+:   Rate limit of connections.
+
+type: long
+
+
+**`haproxy.info.connection.rate.max`**
+:   Maximum rate of connections.
+
+type: long
+
+
+**`haproxy.info.connection.current`**
+:   Current connections.
+
+type: long
+
+
+**`haproxy.info.connection.total`**
+:   Total connections.
+
+type: long
+
+
+**`haproxy.info.connection.ssl.current`**
+:   Current SSL connections.
+
+type: long
+
+
+**`haproxy.info.connection.ssl.total`**
+:   Total SSL connections.
+
+type: long
+
+
+**`haproxy.info.connection.ssl.max`**
+:   Maximum SSL connections.
+
+type: long
+
+
+**`haproxy.info.connection.max`**
+:   Maximum connections.
+
+type: long
+
+
+**`haproxy.info.connection.hard_max`**
+:   type: long
+
+
+**`haproxy.info.requests.total`**
+:   Total number of requests.
+
+type: long
+
+
+**`haproxy.info.sockets.max`**
+:   Maximum number of sockets.
+
+type: long
+
+
+**`haproxy.info.requests.max`**
+:   Maximum number of requests.
+
+type: long
+
+
+
+## pipes [_pipes]
+
+**`haproxy.info.pipes.used`**
+:   Number of used pipes during kernel-based tcp splicing.
+
+type: integer
+
+
+**`haproxy.info.pipes.free`**
+:   Number of free pipes.
+
+type: integer
+
+
+**`haproxy.info.pipes.max`**
+:   Maximum number of used pipes.
+
+type: integer
+
+
+
+## session [_session]
+
+None
+
+**`haproxy.info.session.rate.value`**
+:   Rate of session per seconds.
+
+type: integer
+
+
+**`haproxy.info.session.rate.limit`**
+:   Rate limit of sessions.
+
+type: integer
+
+
+**`haproxy.info.session.rate.max`**
+:   Maximum rate of sessions.
+
+type: integer
+
+
+
+## ssl [_ssl_7]
+
+None
+
+**`haproxy.info.ssl.rate.value`**
+:   Rate of SSL requests.
+
+type: integer
+
+
+**`haproxy.info.ssl.rate.limit`**
+:   Rate limit of SSL requests.
+
+type: integer
+
+
+**`haproxy.info.ssl.rate.max`**
+:   Maximum rate of SSL requests.
+
+type: integer
+
+
+
+## frontend [_frontend]
+
+None
+
+**`haproxy.info.ssl.frontend.key_rate.value`**
+:   Key rate of SSL frontend.
+
+type: integer
+
+
+**`haproxy.info.ssl.frontend.key_rate.max`**
+:   Maximum key rate of SSL frontend.
+
+type: integer
+
+
+**`haproxy.info.ssl.frontend.session_reuse.pct`**
+:   Rate of reuse of SSL frontend sessions.
+
+type: scaled_float
+
+format: percent
+
+
+
+## backend [_backend]
+
+None
+
+**`haproxy.info.ssl.backend.key_rate.value`**
+:   Key rate of SSL backend sessions.
+
+type: integer
+
+
+**`haproxy.info.ssl.backend.key_rate.max`**
+:   Maximum key rate of SSL backend sessions.
+
+type: integer
+
+
+**`haproxy.info.ssl.cached_lookups`**
+:   Number of SSL cache lookups.
+
+type: long
+
+
+**`haproxy.info.ssl.cache_misses`**
+:   Number of SSL cache misses.
+
+type: long
+
+
+
+## zlib_mem_usage [_zlib_mem_usage]
+
+**`haproxy.info.zlib_mem_usage.value`**
+:   Memory usage of zlib.
+
+type: integer
+
+
+**`haproxy.info.zlib_mem_usage.max`**
+:   Maximum memory usage of zlib.
+
+type: integer
+
+
+**`haproxy.info.idle.pct`**
+:   Percentage of idle time.
+
+type: scaled_float
+
+format: percent
+
+
+
+## stat [_stat]
+
+Stats collected from HAProxy processes.
+
+**`haproxy.stat.status`**
+:   Status (UP, DOWN, NOLB, MAINT, or MAINT(via)…​).
+
+type: keyword
+
+
+**`haproxy.stat.weight`**
+:   Total weight (for backends), or server weight (for servers).
+
+type: long
+
+
+**`haproxy.stat.downtime`**
+:   Total downtime (in seconds). For backends, this value is the downtime for the whole backend, not the sum of the downtime for the servers.
+
+type: long
+
+
+**`haproxy.stat.component_type`**
+:   Component type (0=frontend, 1=backend, 2=server, or 3=socket/listener).
+
+type: integer
+
+
+**`haproxy.stat.process_id`**
+:   Process ID (0 for first instance, 1 for second, and so on).
+
+type: alias
+
+alias to: process.pid
+
+
+**`haproxy.stat.service_name`**
+:   Service name (FRONTEND for frontend, BACKEND for backend, or any name for server/listener).
+
+type: keyword
+
+
+**`haproxy.stat.in.bytes`**
+:   Bytes in.
+
+type: long
+
+format: bytes
+
+
+**`haproxy.stat.out.bytes`**
+:   Bytes out.
+
+type: long
+
+format: bytes
+
+
+**`haproxy.stat.last_change`**
+:   Number of seconds since the last UP→DOWN or DOWN→UP transition.
+
+type: integer
+
+
+**`haproxy.stat.throttle.pct`**
+:   Current throttle percentage for the server when slowstart is active, or no value if slowstart is inactive.
+
+type: scaled_float
+
+format: percent
+
+
+**`haproxy.stat.selected.total`**
+:   Total number of times a server was selected, either for new sessions, or when re-dispatching. For servers, this field reports the the number of times the server was selected.
+
+type: long
+
+
+**`haproxy.stat.tracked.id`**
+:   ID of the proxy/server if tracking is enabled.
+
+type: long
+
+
+**`haproxy.stat.cookie`**
+:   Cookie value of the server or the name of the cookie of the backend.
+
+type: keyword
+
+
+**`haproxy.stat.load_balancing_algorithm`**
+:   Load balancing algorithm.
+
+type: keyword
+
+
+**`haproxy.stat.connection.total`**
+:   Cumulative number of connections.
+
+type: long
+
+
+**`haproxy.stat.connection.retried`**
+:   Number of times a connection to a server was retried.
+
+type: long
+
+
+**`haproxy.stat.connection.time.avg`**
+:   Average connect time in ms over the last 1024 requests.
+
+type: long
+
+
+**`haproxy.stat.connection.rate`**
+:   Number of connections over the last second.
+
+type: long
+
+
+**`haproxy.stat.connection.rate_max`**
+:   Highest value of connection.rate.
+
+type: long
+
+
+**`haproxy.stat.connection.attempt.total`**
+:   Number of connection establishment attempts.
+
+type: long
+
+
+**`haproxy.stat.connection.reuse.total`**
+:   Number of connection reuses.
+
+type: long
+
+
+**`haproxy.stat.connection.idle.total`**
+:   Number of idle connections available for reuse.
+
+type: long
+
+
+**`haproxy.stat.connection.idle.limit`**
+:   Limit on idle connections available for reuse.
+
+type: long
+
+
+**`haproxy.stat.connection.cache.lookup.total`**
+:   Number of cache lookups.
+
+type: long
+
+
+**`haproxy.stat.connection.cache.hits`**
+:   Number of cache hits.
+
+type: long
+
+
+**`haproxy.stat.request.denied`**
+:   Requests denied because of security concerns.
+
+* For TCP this is because of a matched tcp-request content rule.
+* For HTTP this is because of a matched http-request or tarpit rule.
+
+type: long
+
+
+**`haproxy.stat.request.denied_by_connection_rules`**
+:   Requests denied because of TCP request connection rules.
+
+type: long
+
+
+**`haproxy.stat.request.denied_by_session_rules`**
+:   Requests denied because of TCP request session rules.
+
+type: long
+
+
+**`haproxy.stat.request.queued.current`**
+:   Current queued requests. For backends, this field reports the number of requests queued without a server assigned.
+
+type: long
+
+
+**`haproxy.stat.request.queued.max`**
+:   Maximum value of queued.current.
+
+type: long
+
+
+**`haproxy.stat.request.errors`**
+:   Request errors. Some of the possible causes are:
+
+* early termination from the client, before the request has been sent
+* read error from the client
+* client timeout
+* client closed connection
+* various bad requests from the client.
+* request was tarpitted.
+
+type: long
+
+
+**`haproxy.stat.request.redispatched`**
+:   Number of times a request was redispatched to another server. For servers, this field reports the number of times the server was switched away from.
+
+type: long
+
+
+**`haproxy.stat.request.connection.errors`**
+:   Number of requests that encountered an error trying to connect to a server. For backends, this field reports the sum of the stat for all backend servers, plus any connection errors not associated with a particular server (such as the backend having no active servers).
+
+type: long
+
+
+
+## rate [_rate_2]
+
+**`haproxy.stat.request.rate.value`**
+:   Number of HTTP requests per second over the last elapsed second.
+
+type: long
+
+
+**`haproxy.stat.request.rate.max`**
+:   Maximum number of HTTP requests per second.
+
+type: long
+
+
+**`haproxy.stat.request.total`**
+:   Total number of HTTP requests received.
+
+type: long
+
+
+**`haproxy.stat.request.intercepted`**
+:   Number of intercepted requests.
+
+type: long
+
+
+**`haproxy.stat.response.errors`**
+:   Number of response errors. This value includes the number of data transfers aborted by the server (haproxy.stat.server.aborted). Some other errors are: * write errors on the client socket (won’t be counted for the server stat) * failure applying filters to the response
+
+type: long
+
+
+**`haproxy.stat.response.time.avg`**
+:   Average response time in ms over the last 1024 requests (0 for TCP).
+
+type: long
+
+
+**`haproxy.stat.response.denied`**
+:   Responses denied because of security concerns. For HTTP this is because of a matched http-request rule, or "option checkcache".
+
+type: integer
+
+
+
+## http [_http_3]
+
+**`haproxy.stat.response.http.1xx`**
+:   HTTP responses with 1xx code.
+
+type: long
+
+
+**`haproxy.stat.response.http.2xx`**
+:   HTTP responses with 2xx code.
+
+type: long
+
+
+**`haproxy.stat.response.http.3xx`**
+:   HTTP responses with 3xx code.
+
+type: long
+
+
+**`haproxy.stat.response.http.4xx`**
+:   HTTP responses with 4xx code.
+
+type: long
+
+
+**`haproxy.stat.response.http.5xx`**
+:   HTTP responses with 5xx code.
+
+type: long
+
+
+**`haproxy.stat.response.http.other`**
+:   HTTP responses with other codes (protocol error).
+
+type: long
+
+
+**`haproxy.stat.header.rewrite.failed.total`**
+:   Number of failed header rewrite warnings.
+
+type: long
+
+
+**`haproxy.stat.session.current`**
+:   Number of current sessions.
+
+type: long
+
+
+**`haproxy.stat.session.max`**
+:   Maximum number of sessions.
+
+type: long
+
+
+**`haproxy.stat.session.limit`**
+:   Configured session limit.
+
+type: long
+
+
+**`haproxy.stat.session.total`**
+:   Number of all sessions.
+
+type: long
+
+
+**`haproxy.stat.session.rate.value`**
+:   Number of sessions per second over the last elapsed second.
+
+type: integer
+
+
+**`haproxy.stat.session.rate.limit`**
+:   Configured limit on new sessions per second.
+
+type: integer
+
+
+**`haproxy.stat.session.rate.max`**
+:   Maximum number of new sessions per second.
+
+type: integer
+
+
+
+## check [_check]
+
+**`haproxy.stat.check.status`**
+:   Status of the last health check. One of:
+
+```
+UNK     -> unknown
+INI     -> initializing
+SOCKERR -> socket error
+L4OK    -> check passed on layer 4, no upper layers testing enabled
+L4TOUT  -> layer 1-4 timeout
+L4CON   -> layer 1-4 connection problem, for example
+          "Connection refused" (tcp rst) or "No route to host" (icmp)
+L6OK    -> check passed on layer 6
+L6TOUT  -> layer 6 (SSL) timeout
+L6RSP   -> layer 6 invalid response - protocol error
+L7OK    -> check passed on layer 7
+L7OKC   -> check conditionally passed on layer 7, for example 404 with
+          disable-on-404
+L7TOUT  -> layer 7 (HTTP/SMTP) timeout
+L7RSP   -> layer 7 invalid response - protocol error
+L7STS   -> layer 7 response error, for example HTTP 5xx
+```
+type: keyword
+
+
+**`haproxy.stat.check.code`**
+:   Layer 5-7 code, if available.
+
+type: long
+
+
+**`haproxy.stat.check.duration`**
+:   Time in ms that it took to finish the last health check.
+
+type: long
+
+
+**`haproxy.stat.check.health.last`**
+:   The result of the last health check.
+
+type: keyword
+
+
+**`haproxy.stat.check.health.fail`**
+:   Number of failed checks.
+
+type: long
+
+
+**`haproxy.stat.check.agent.last`**
+:   type: integer
+
+
+**`haproxy.stat.check.failed`**
+:   Number of checks that failed while the server was up.
+
+type: long
+
+
+**`haproxy.stat.check.down`**
+:   Number of UP→DOWN transitions. For backends, this value is the number of transitions to the whole backend being down, rather than the sum of the transitions for each server.
+
+type: long
+
+
+**`haproxy.stat.client.aborted`**
+:   Number of data transfers aborted by the client.
+
+type: integer
+
+
+
+## server [_server_7]
+
+**`haproxy.stat.server.id`**
+:   Server ID (unique inside a proxy).
+
+type: integer
+
+
+**`haproxy.stat.server.aborted`**
+:   Number of data transfers aborted by the server. This value is included in haproxy.stat.response.errors.
+
+type: integer
+
+
+**`haproxy.stat.server.active`**
+:   Number of backend servers that are active, meaning that they are healthy and can receive requests from the load balancer.
+
+type: integer
+
+
+**`haproxy.stat.server.backup`**
+:   Number of backend servers that are backup servers.
+
+type: integer
+
+
+
+## compressor [_compressor]
+
+**`haproxy.stat.compressor.in.bytes`**
+:   Number of HTTP response bytes fed to the compressor.
+
+type: long
+
+format: bytes
+
+
+**`haproxy.stat.compressor.out.bytes`**
+:   Number of HTTP response bytes emitted by the compressor.
+
+type: integer
+
+format: bytes
+
+
+**`haproxy.stat.compressor.bypassed.bytes`**
+:   Number of bytes that bypassed the HTTP compressor (CPU/BW limit).
+
+type: long
+
+format: bytes
+
+
+**`haproxy.stat.compressor.response.bytes`**
+:   Number of HTTP responses that were compressed.
+
+type: long
+
+format: bytes
+
+
+
+## proxy [_proxy_2]
+
+**`haproxy.stat.proxy.id`**
+:   Unique proxy ID.
+
+type: integer
+
+
+**`haproxy.stat.proxy.name`**
+:   Proxy name.
+
+type: keyword
+
+
+**`haproxy.stat.proxy.mode`**
+:   Proxy mode (tcp, http, health, unknown).
+
+type: keyword
+
+
+
+## queue [_queue_8]
+
+**`haproxy.stat.queue.limit`**
+:   Configured queue limit (maxqueue) for the server, or nothing if the value of maxqueue is 0 (meaning no limit).
+
+type: integer
+
+
+**`haproxy.stat.queue.time.avg`**
+:   The average queue time in ms over the last 1024 requests.
+
+type: integer
+
+
+
+## agent [_agent_3]
+
+**`haproxy.stat.agent.status`**
+:   Status of the last health check. One of:
+
+```
+UNK     -> unknown
+INI     -> initializing
+SOCKERR -> socket error
+L4OK    -> check passed on layer 4, no upper layers enabled
+L4TOUT  -> layer 1-4 timeout
+L4CON   -> layer 1-4 connection problem, for example
+          "Connection refused" (tcp rst) or "No route to host" (icmp)
+L7OK    -> agent reported "up"
+L7STS   -> agent reported "fail", "stop" or "down"
+```
+type: keyword
+
+
+**`haproxy.stat.agent.description`**
+:   Human readable version of agent.status.
+
+type: keyword
+
+
+**`haproxy.stat.agent.code`**
+:   Value reported by agent.
+
+type: integer
+
+
+**`haproxy.stat.agent.rise`**
+:   Rise value of agent.
+
+type: integer
+
+
+**`haproxy.stat.agent.fall`**
+:   Fall value of agent.
+
+type: integer
+
+
+**`haproxy.stat.agent.health`**
+:   Health parameter of agent. Between 0 and `agent.rise`+`agent.fall`-1.
+
+type: integer
+
+
+**`haproxy.stat.agent.duration`**
+:   Duration of the last check in ms.
+
+type: integer
+
+
+**`haproxy.stat.agent.check.rise`**
+:   Rise value of server.
+
+type: integer
+
+
+**`haproxy.stat.agent.check.fall`**
+:   Fall value of server.
+
+type: integer
+
+
+**`haproxy.stat.agent.check.health`**
+:   Health parameter of server. Between 0 and `agent.check.rise`+`agent.check.fall`-1.
+
+type: integer
+
+
+**`haproxy.stat.agent.check.description`**
+:   Human readable version of check.
+
+type: keyword
+
+
+**`haproxy.stat.source.address`**
+:   Address of the source.
+
+type: text
+
+
diff --git a/docs/reference/metricbeat/exported-fields-host-processor.md b/docs/reference/metricbeat/exported-fields-host-processor.md
new file mode 100644
index 000000000000..b28c0947cf12
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-host-processor.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-host-processor.html
+---
+
+# Host fields [exported-fields-host-processor]
+
+Info collected for the host machine.
+
+**`host.containerized`**
+:   If the host is a container.
+
+type: boolean
+
+
+**`host.os.build`**
+:   OS build information.
+
+type: keyword
+
+example: 18D109
+
+
+**`host.os.codename`**
+:   OS codename, if any.
+
+type: keyword
+
+example: stretch
+
+
diff --git a/docs/reference/metricbeat/exported-fields-http.md b/docs/reference/metricbeat/exported-fields-http.md
new file mode 100644
index 000000000000..1665693925dd
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-http.md
@@ -0,0 +1,60 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-http.html
+---
+
+# HTTP fields [exported-fields-http]
+
+HTTP module
+
+
+## http [_http_4]
+
+
+## request [_request]
+
+HTTP request information
+
+**`http.request.headers`**
+:   The HTTP headers sent
+
+type: object
+
+
+
+## response [_response]
+
+HTTP response information
+
+**`http.response.headers`**
+:   The HTTP headers received
+
+type: object
+
+
+**`http.response.code`**
+:   The HTTP status code
+
+type: keyword
+
+example: 404
+
+
+**`http.response.phrase`**
+:   The HTTP status phrase
+
+type: keyword
+
+example: Not found
+
+
+
+## json [_json]
+
+json metricset
+
+
+## server [_server_8]
+
+server
+
diff --git a/docs/reference/metricbeat/exported-fields-ibmmq.md b/docs/reference/metricbeat/exported-fields-ibmmq.md
new file mode 100644
index 000000000000..73f40789a0cb
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-ibmmq.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-ibmmq.html
+---
+
+# IBM MQ fields [exported-fields-ibmmq]
+
+IBM MQ module
+
diff --git a/docs/reference/metricbeat/exported-fields-iis.md b/docs/reference/metricbeat/exported-fields-iis.md
new file mode 100644
index 000000000000..3162f43435e5
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-iis.md
@@ -0,0 +1,647 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-iis.html
+---
+
+# IIS fields [exported-fields-iis]
+
+iis module
+
+
+## iis [_iis]
+
+
+## application_pool [_application_pool_2]
+
+Application pool process stats.
+
+**`iis.application_pool.name`**
+:   application pool name
+
+type: keyword
+
+
+
+## process [_process_4]
+
+Worker process overview.
+
+**`iis.application_pool.process.handle_count`**
+:   The number of handles.
+
+type: long
+
+
+**`iis.application_pool.process.io_read_operations_per_sec`**
+:   IO read operations per sec.
+
+type: float
+
+
+**`iis.application_pool.process.io_write_operations_per_sec`**
+:   IO write operations per sec.
+
+type: float
+
+
+**`iis.application_pool.process.virtual_bytes`**
+:   Memory virtual bytes.
+
+type: float
+
+
+**`iis.application_pool.process.cpu_usage_perc`**
+:   The CPU usage percentage.
+
+type: float
+
+
+**`iis.application_pool.process.thread_count`**
+:   The number of threats.
+
+type: long
+
+
+**`iis.application_pool.process.working_set`**
+:   Memory working set.
+
+type: float
+
+
+**`iis.application_pool.process.private_bytes`**
+:   Memory private bytes.
+
+type: float
+
+
+**`iis.application_pool.process.page_faults_per_sec`**
+:   Memory page faults.
+
+type: float
+
+
+
+## net_clr [_net_clr]
+
+Common Language Runtime overview.
+
+**`iis.application_pool.net_clr.finallys_per_sec`**
+:   The number of finallys per sec.
+
+type: float
+
+
+**`iis.application_pool.net_clr.throw_to_catch_depth_per_sec`**
+:   Throw to catch depth count per sec.
+
+type: float
+
+
+**`iis.application_pool.net_clr.total_exceptions_thrown`**
+:   Total number of exceptions thrown.
+
+type: long
+
+
+**`iis.application_pool.net_clr.filters_per_sec`**
+:   Number of filters per sec.
+
+type: float
+
+
+**`iis.application_pool.net_clr.exceptions_thrown_per_sec`**
+:   Number of Exceptions Thrown / sec.
+
+type: float
+
+
+
+## memory [_memory_7]
+
+Memory overview.
+
+**`iis.application_pool.net_clr.memory.bytes_in_all_heaps`**
+:   Number of bytes in all heaps.
+
+type: float
+
+
+**`iis.application_pool.net_clr.memory.gen_0_collections`**
+:   Number of Gen 0 Collections.
+
+type: float
+
+
+**`iis.application_pool.net_clr.memory.gen_1_collections`**
+:   Number of Gen 1 Collections.
+
+type: float
+
+
+**`iis.application_pool.net_clr.memory.gen_2_collections`**
+:   Number of Gen 2 Collections.
+
+type: float
+
+
+**`iis.application_pool.net_clr.memory.total_committed_bytes`**
+:   Number of total committed bytes.
+
+type: float
+
+
+**`iis.application_pool.net_clr.memory.allocated_bytes_per_sec`**
+:   Allocated Bytes/sec.
+
+type: float
+
+
+**`iis.application_pool.net_clr.memory.gen_0_heap_size`**
+:   Gen 0 heap size.
+
+type: float
+
+
+**`iis.application_pool.net_clr.memory.gen_1_heap_size`**
+:   Gen 1 heap size.
+
+type: float
+
+
+**`iis.application_pool.net_clr.memory.gen_2_heap_size`**
+:   Gen 2 heap size.
+
+type: float
+
+
+**`iis.application_pool.net_clr.memory.large_object_heap_size`**
+:   Large Object Heap size.
+
+type: float
+
+
+**`iis.application_pool.net_clr.memory.time_in_gc_perc`**
+:   % Time in GC.
+
+type: float
+
+
+
+## locks_and_threads [_locks_and_threads]
+
+LocksAndThreads overview.
+
+**`iis.application_pool.net_clr.locks_and_threads.contention_rate_per_sec`**
+:   Contention Rate / sec.
+
+type: float
+
+
+**`iis.application_pool.net_clr.locks_and_threads.current_queue_length`**
+:   Current Queue Length.
+
+type: float
+
+
+
+## webserver [_webserver_2]
+
+Webserver related metrics.
+
+
+## process [_process_5]
+
+The process related stats.
+
+**`iis.webserver.process.cpu_usage_perc`**
+:   The CPU usage percentage.
+
+type: float
+
+
+**`iis.webserver.process.handle_count`**
+:   The number of handles.
+
+type: float
+
+
+**`iis.webserver.process.virtual_bytes`**
+:   Memory virtual bytes.
+
+type: float
+
+
+**`iis.webserver.process.thread_count`**
+:   The number of threads.
+
+type: long
+
+
+**`iis.webserver.process.working_set`**
+:   Memory working set.
+
+type: float
+
+
+**`iis.webserver.process.private_bytes`**
+:   Memory private bytes.
+
+type: float
+
+
+**`iis.webserver.process.worker_process_count`**
+:   Number of worker processes running.
+
+type: float
+
+
+**`iis.webserver.process.page_faults_per_sec`**
+:   Memory page faults.
+
+type: float
+
+
+**`iis.webserver.process.io_read_operations_per_sec`**
+:   IO read operations per sec.
+
+type: float
+
+
+**`iis.webserver.process.io_write_operations_per_sec`**
+:   IO write operations per sec.
+
+type: float
+
+
+
+## asp_net [_asp_net]
+
+Common Language Runtime overview.
+
+**`iis.webserver.asp_net.application_restarts`**
+:   Number of applications restarts.
+
+type: float
+
+
+**`iis.webserver.asp_net.request_wait_time`**
+:   Request wait time.
+
+type: long
+
+
+
+## asp_net_application [_asp_net_application]
+
+ASP.NET application overview.
+
+**`iis.webserver.asp_net_application.errors_total_per_sec`**
+:   Total number of errors per sec.
+
+type: float
+
+
+**`iis.webserver.asp_net_application.pipeline_instance_count`**
+:   The pipeline instance count.
+
+type: float
+
+
+**`iis.webserver.asp_net_application.requests_per_sec`**
+:   Number of requests per sec.
+
+type: float
+
+
+**`iis.webserver.asp_net_application.requests_executing`**
+:   Number of requests executing.
+
+type: float
+
+
+**`iis.webserver.asp_net_application.requests_in_application_queue`**
+:   Number of requests in the application queue.
+
+type: float
+
+
+
+## cache [_cache]
+
+The cache overview.
+
+**`iis.webserver.cache.current_file_cache_memory_usage`**
+:   The current file cache memory usage size.
+
+type: float
+
+
+**`iis.webserver.cache.current_files_cached`**
+:   The number of current files cached.
+
+type: float
+
+
+**`iis.webserver.cache.current_uris_cached`**
+:   The number of current uris cached.
+
+type: float
+
+
+**`iis.webserver.cache.file_cache_hits`**
+:   The number of file cache hits.
+
+type: float
+
+
+**`iis.webserver.cache.file_cache_misses`**
+:   The number of file cache misses.
+
+type: float
+
+
+**`iis.webserver.cache.maximum_file_cache_memory_usage`**
+:   The max file cache size.
+
+type: float
+
+
+**`iis.webserver.cache.output_cache_current_items`**
+:   The number of output cache current items.
+
+type: float
+
+
+**`iis.webserver.cache.output_cache_current_memory_usage`**
+:   The output cache memory usage size.
+
+type: float
+
+
+**`iis.webserver.cache.output_cache_total_hits`**
+:   The output cache total hits count.
+
+type: float
+
+
+**`iis.webserver.cache.output_cache_total_misses`**
+:   The output cache total misses count.
+
+type: float
+
+
+**`iis.webserver.cache.total_files_cached`**
+:   the total number of files cached.
+
+type: float
+
+
+**`iis.webserver.cache.total_uris_cached`**
+:   The total number of URIs cached.
+
+type: float
+
+
+**`iis.webserver.cache.uri_cache_hits`**
+:   The number of URIs cached hits.
+
+type: float
+
+
+**`iis.webserver.cache.uri_cache_misses`**
+:   The number of URIs cache misses.
+
+type: float
+
+
+
+## network [_network_6]
+
+The network related stats.
+
+**`iis.webserver.network.anonymous_users_per_sec`**
+:   The number of anonymous users per sec.
+
+type: float
+
+
+**`iis.webserver.network.bytes_received_per_sec`**
+:   The size of bytes received per sec.
+
+type: float
+
+
+**`iis.webserver.network.bytes_sent_per_sec`**
+:   The size of bytes sent per sec.
+
+type: float
+
+
+**`iis.webserver.network.current_anonymous_users`**
+:   The number of current anonymous users.
+
+type: float
+
+
+**`iis.webserver.network.current_connections`**
+:   The number of current connections.
+
+type: float
+
+
+**`iis.webserver.network.current_non_anonymous_users`**
+:   The number of current non anonymous users.
+
+type: float
+
+
+**`iis.webserver.network.delete_requests_per_sec`**
+:   Number of DELETE requests per sec.
+
+type: float
+
+
+**`iis.webserver.network.get_requests_per_sec`**
+:   Number of GET requests per sec.
+
+type: float
+
+
+**`iis.webserver.network.maximum_connections`**
+:   Number of maximum connections.
+
+type: float
+
+
+**`iis.webserver.network.post_requests_per_sec`**
+:   Number of POST requests per sec.
+
+type: float
+
+
+**`iis.webserver.network.service_uptime`**
+:   Service uptime.
+
+type: float
+
+
+**`iis.webserver.network.total_anonymous_users`**
+:   Total number of anonymous users.
+
+type: float
+
+
+**`iis.webserver.network.total_bytes_received`**
+:   Total size of bytes received.
+
+type: float
+
+
+**`iis.webserver.network.total_bytes_sent`**
+:   Total size of bytes sent.
+
+type: float
+
+
+**`iis.webserver.network.total_connection_attempts`**
+:   The total number of connection attempts.
+
+type: float
+
+
+**`iis.webserver.network.total_delete_requests`**
+:   The total number of DELETE requests.
+
+type: float
+
+
+**`iis.webserver.network.total_get_requests`**
+:   The total number of GET requests.
+
+type: float
+
+
+**`iis.webserver.network.total_non_anonymous_users`**
+:   The total number of non anonymous users.
+
+type: float
+
+
+**`iis.webserver.network.total_post_requests`**
+:   The total number of POST requests.
+
+type: float
+
+
+
+## website [_website_2]
+
+Website related metrics.
+
+**`iis.website.name`**
+:   website name
+
+type: keyword
+
+
+
+## network [_network_7]
+
+The network overview.
+
+**`iis.website.network.bytes_received_per_sec`**
+:   The bytes received per sec size.
+
+type: float
+
+
+**`iis.website.network.bytes_sent_per_sec`**
+:   The bytes sent per sec size.
+
+type: float
+
+
+**`iis.website.network.current_connections`**
+:   The number of current connections.
+
+type: float
+
+
+**`iis.website.network.delete_requests_per_sec`**
+:   The number of DELETE requests per sec.
+
+type: float
+
+
+**`iis.website.network.get_requests_per_sec`**
+:   The number of GET requests per sec.
+
+type: float
+
+
+**`iis.website.network.maximum_connections`**
+:   The number of maximum connections.
+
+type: float
+
+
+**`iis.website.network.post_requests_per_sec`**
+:   The number of POST requests per sec.
+
+type: float
+
+
+**`iis.website.network.put_requests_per_sec`**
+:   The number of PUT requests per sec.
+
+type: float
+
+
+**`iis.website.network.service_uptime`**
+:   The service uptime.
+
+type: float
+
+
+**`iis.website.network.total_bytes_received`**
+:   The total number of bytes received.
+
+type: float
+
+
+**`iis.website.network.total_bytes_sent`**
+:   The  total number of bytes sent.
+
+type: float
+
+
+**`iis.website.network.total_connection_attempts`**
+:   The total number of connection attempts.
+
+type: float
+
+
+**`iis.website.network.total_delete_requests`**
+:   The total number of DELETE requests.
+
+type: float
+
+
+**`iis.website.network.total_get_requests`**
+:   The total number of GET requests.
+
+type: float
+
+
+**`iis.website.network.total_post_requests`**
+:   The total number of POST requests.
+
+type: float
+
+
+**`iis.website.network.total_put_requests`**
+:   The total number of PUT requests.
+
+type: float
+
+
diff --git a/docs/reference/metricbeat/exported-fields-istio.md b/docs/reference/metricbeat/exported-fields-istio.md
new file mode 100644
index 000000000000..c28b0521b6bd
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-istio.md
@@ -0,0 +1,749 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-istio.html
+---
+
+# Istio fields [exported-fields-istio]
+
+istio Module
+
+
+## istio [_istio]
+
+`istio` contains statistics that were read from Istio
+
+
+## citadel [_citadel]
+
+Contains statistics related to the Istio Citadel service
+
+**`istio.citadel.grpc.method`**
+:   The grpc method
+
+type: keyword
+
+
+**`istio.citadel.grpc.service`**
+:   The grpc service
+
+type: keyword
+
+
+**`istio.citadel.grpc.type`**
+:   The type of the respective grpc service
+
+type: keyword
+
+
+**`istio.citadel.secret_controller_svc_acc_created_cert.count`**
+:   The number of certificates created due to service account creation.
+
+type: long
+
+
+**`istio.citadel.server_root_cert_expiry_seconds`**
+:   The unix timestamp, in seconds, when Citadel root cert will expire. We set it to negative in case of internal error.
+
+type: float
+
+
+**`istio.citadel.grpc.server.handled`**
+:   Total number of RPCs completed on the server, regardless of success or failure.
+
+type: long
+
+
+**`istio.citadel.grpc.server.msg.received`**
+:   Total number of RPC stream messages received on the server.
+
+type: long
+
+
+**`istio.citadel.grpc.server.msg.sent`**
+:   Total number of gRPC stream messages sent by the server.
+
+type: long
+
+
+**`istio.citadel.grpc.server.started`**
+:   Total number of RPCs started on the server.
+
+type: long
+
+
+**`istio.citadel.grpc.server.handling.latency.ms.bucket.*`**
+:   The response latency (milliseconds) of gRPC that had been application-level handled by the server.
+
+type: object
+
+
+**`istio.citadel.grpc.server.handling.latency.ms.sum`**
+:   The response latency of gRPC, sum of latencies in milliseconds
+
+type: long
+
+format: duration
+
+
+**`istio.citadel.grpc.server.handling.latency.ms.count`**
+:   The response latency of gRPC, number of metrics
+
+type: long
+
+
+
+## galley [_galley]
+
+Contains statistics related to the Istio galley service
+
+**`istio.galley.name`**
+:   The name of the resource the metric is related to
+
+type: keyword
+
+
+**`istio.galley.namespace`**
+:   The Kubernetes namespace of the resource
+
+type: keyword
+
+
+**`istio.galley.version`**
+:   The version of the object
+
+type: keyword
+
+
+**`istio.galley.collection`**
+:   The collection of the instance
+
+type: keyword
+
+
+**`istio.galley.istio.authentication.meshpolicies`**
+:   The number of valid istio/authentication/meshpolicies known to galley at a point in time
+
+type: long
+
+
+**`istio.galley.istio.authentication.policies`**
+:   The number of valid istio/authentication/policies known to galley at a point in time
+
+type: long
+
+
+**`istio.galley.istio.mesh.MeshConfig`**
+:   The number of valid istio/mesh/MeshConfig known to galley at a point in time
+
+type: long
+
+
+**`istio.galley.istio.networking.destinationrules`**
+:   The number of valid istio/networking/destinationrules known to galley at a point in time
+
+type: long
+
+
+**`istio.galley.istio.networking.envoyfilters`**
+:   The number of valid istio/networking/envoyfilters known to galley at a point in time
+
+type: long
+
+
+**`istio.galley.istio.networking.gateways`**
+:   The number of valid istio/networking/gateways known to galley at a point in time
+
+type: long
+
+
+**`istio.galley.istio.networking.sidecars`**
+:   The number of valid istio/networking/sidecars known to galley at a point in time
+
+type: long
+
+
+**`istio.galley.istio.networking.virtualservices`**
+:   The number of valid istio/networking/virtualservices known to galley at a point in time
+
+type: long
+
+
+**`istio.galley.istio.policy.attributemanifests`**
+:   The number of valid istio/policy/attributemanifests known to galley at a point in time
+
+type: long
+
+
+**`istio.galley.istio.policy.handlers`**
+:   The number of valid istio/policy/handlers known to galley at a point in time
+
+type: long
+
+
+**`istio.galley.istio.policy.instances`**
+:   The number of valid istio/policy/instances known to galley at a point in time
+
+type: long
+
+
+**`istio.galley.istio.policy.rules`**
+:   The number of valid istio/policy/rules known to galley at a point in time
+
+type: long
+
+
+**`istio.galley.runtime.processor.event_span.duration.ms.bucket.*`**
+:   The duration between each incoming event as histogram buckets in milliseconds
+
+type: object
+
+
+**`istio.galley.runtime.processor.event_span.duration.ms.sum`**
+:   The duration between each incoming event, sum of durations in milliseconds
+
+type: long
+
+format: duration
+
+
+**`istio.galley.runtime.processor.event_span.duration.ms.count`**
+:   The duration between each incoming event, number of metrics
+
+type: long
+
+
+**`istio.galley.runtime.processor.snapshot_events.bucket.*`**
+:   The number of events that have been processed as histogram buckets
+
+type: object
+
+
+**`istio.galley.runtime.processor.snapshot_events.sum`**
+:   The number of events that have been processed, sum of events
+
+type: long
+
+
+**`istio.galley.runtime.processor.snapshot_events.count`**
+:   The duration between each incoming event, number of metrics
+
+type: long
+
+
+**`istio.galley.runtime.processor.snapshot_lifetime.duration.ms.bucket.*`**
+:   The duration of each snapshot as histogram buckets in milliseconds
+
+type: object
+
+
+**`istio.galley.runtime.processor.snapshot_lifetime.duration.ms.sum`**
+:   The duration of each snapshot, sum of durations in milliseconds
+
+type: long
+
+format: duration
+
+
+**`istio.galley.runtime.processor.snapshot_lifetime.duration.ms.count`**
+:   The duration of each snapshot, number of metrics
+
+type: long
+
+
+**`istio.galley.runtime.state_type_instances`**
+:   The number of type instances per type URL
+
+type: long
+
+
+**`istio.galley.runtime.strategy.on_change`**
+:   The number of times the strategy’s onChange has been called
+
+type: long
+
+
+**`istio.galley.runtime.strategy.timer_quiesce_reached`**
+:   The number of times a quiesce has been reached
+
+type: long
+
+
+**`istio.galley.source_kube_event_success_total`**
+:   The number of times a kubernetes source successfully handled an event
+
+type: long
+
+
+**`istio.galley.validation.cert_key.updates`**
+:   Galley validation webhook certificate updates
+
+type: long
+
+
+**`istio.galley.validation.config.load`**
+:   k8s webhook configuration (re)loads
+
+type: long
+
+
+**`istio.galley.validation.config.updates`**
+:   k8s webhook configuration updates
+
+type: long
+
+
+
+## mesh [_mesh]
+
+Contains statistics related to the Istio mesh service
+
+**`istio.mesh.instance`**
+:   The prometheus instance
+
+type: text
+
+
+**`istio.mesh.job`**
+:   The prometheus job
+
+type: keyword
+
+
+**`istio.mesh.requests`**
+:   Total requests handled by an Istio proxy
+
+type: long
+
+
+**`istio.mesh.request.duration.ms.bucket.*`**
+:   Request duration histogram buckets in milliseconds
+
+type: object
+
+
+**`istio.mesh.request.duration.ms.sum`**
+:   Requests duration, sum of durations in milliseconds
+
+type: long
+
+format: duration
+
+
+**`istio.mesh.request.duration.ms.count`**
+:   Requests duration, number of requests
+
+type: long
+
+
+**`istio.mesh.request.size.bytes.bucket.*`**
+:   Request Size histogram buckets
+
+type: object
+
+
+**`istio.mesh.request.size.bytes.sum`**
+:   Request Size histogram sum
+
+type: long
+
+
+**`istio.mesh.request.size.bytes.count`**
+:   Request Size histogram count
+
+type: long
+
+
+**`istio.mesh.response.size.bytes.bucket.*`**
+:   Request Size histogram buckets
+
+type: object
+
+
+**`istio.mesh.response.size.bytes.sum`**
+:   Request Size histogram sum
+
+type: long
+
+
+**`istio.mesh.response.size.bytes.count`**
+:   Request Size histogram count
+
+type: long
+
+
+**`istio.mesh.reporter`**
+:   Reporter identifies the reporter of the request. It is set to destination if report is from a server Istio proxy and source if report is from a client Istio proxy.
+
+type: keyword
+
+
+**`istio.mesh.source.workload.name`**
+:   This identifies the name of source workload which controls the source.
+
+type: keyword
+
+
+**`istio.mesh.source.workload.namespace`**
+:   This identifies the namespace of the source workload.
+
+type: keyword
+
+
+**`istio.mesh.source.principal`**
+:   This identifies the peer principal of the traffic source. It is set when peer authentication is used.
+
+type: keyword
+
+
+**`istio.mesh.source.app`**
+:   This identifies the source app based on app label of the source workload.
+
+type: keyword
+
+
+**`istio.mesh.source.version`**
+:   This identifies the version of the source workload.
+
+type: keyword
+
+
+**`istio.mesh.destination.workload.name`**
+:   This identifies the name of destination workload.
+
+type: keyword
+
+
+**`istio.mesh.destination.workload.namespace`**
+:   This identifies the namespace of the destination workload.
+
+type: keyword
+
+
+**`istio.mesh.destination.principal`**
+:   This identifies the peer principal of the traffic destination. It is set when peer authentication is used.
+
+type: keyword
+
+
+**`istio.mesh.destination.app`**
+:   This identifies the destination app based on app label of the destination workload..
+
+type: keyword
+
+
+**`istio.mesh.destination.version`**
+:   This identifies the version of the destination workload.
+
+type: keyword
+
+
+**`istio.mesh.destination.service.host`**
+:   This identifies destination service host responsible for an incoming request.
+
+type: keyword
+
+
+**`istio.mesh.destination.service.name`**
+:   This identifies the destination service name.
+
+type: keyword
+
+
+**`istio.mesh.destination.service.namespace`**
+:   This identifies the namespace of destination service.
+
+type: keyword
+
+
+**`istio.mesh.request.protocol`**
+:   This identifies the protocol of the request. It is set to API protocol if provided, otherwise request or connection protocol.
+
+type: keyword
+
+
+**`istio.mesh.response.code`**
+:   This identifies the response code of the request. This label is present only on HTTP metrics.
+
+type: long
+
+
+**`istio.mesh.connection.security.policy`**
+:   This identifies the service authentication policy of the request. It is set to mutual_tls when Istio is used to make communication secure and report is from destination. It is set to unknown when report is from source since security policy cannot be properly populated.
+
+type: keyword
+
+
+
+## mixer [_mixer]
+
+Contains statistics related to the Istio mixer service
+
+**`istio.mixer.istio.mcp.request.acks`**
+:   The number of request acks received by the source.
+
+type: long
+
+
+**`istio.mixer.config.adapter.info.errors.config`**
+:   The number of errors encountered during processing of the adapter info configuration.
+
+type: long
+
+
+**`istio.mixer.config.adapter.info.configs`**
+:   The number of known adapters in the current config.
+
+type: long
+
+
+**`istio.mixer.config.attributes`**
+:   The number of known attributes in the current config.
+
+type: long
+
+
+**`istio.mixer.config.handler.configs`**
+:   The number of known handlers in the current config.
+
+type: long
+
+
+**`istio.mixer.config.handler.errors.validation`**
+:   The number of errors encountered because handler validation returned error.
+
+type: long
+
+
+**`istio.mixer.config.instance.errors.config`**
+:   The number of errors encountered during processing of the instance configuration.
+
+type: long
+
+
+**`istio.mixer.config.instance.configs`**
+:   The number of known instances in the current config.
+
+type: long
+
+
+**`istio.mixer.config.rule.errors.config`**
+:   The number of errors encountered during processing of the rule configuration.
+
+type: long
+
+
+**`istio.mixer.config.rule.errors.match`**
+:   The number of rule conditions that was not parseable.
+
+type: long
+
+
+**`istio.mixer.config.rule.configs`**
+:   The number of known rules in the current config.
+
+type: long
+
+
+**`istio.mixer.config.template.errors.config`**
+:   The number of errors encountered during processing of the template configuration.
+
+type: long
+
+
+**`istio.mixer.config.template.configs`**
+:   The number of known templates in the current config.
+
+type: long
+
+
+**`istio.mixer.config.unsatisfied.action_handler`**
+:   The number of actions that failed due to handlers being unavailable.
+
+type: long
+
+
+**`istio.mixer.dispatcher_destinations_per_variety_total`**
+:   The number of Mixer adapter destinations by template variety type.
+
+type: long
+
+
+**`istio.mixer.handler.handlers.closed`**
+:   The number of handlers that were closed during config transition.
+
+type: long
+
+
+**`istio.mixer.handler.daemons`**
+:   The current number of active daemon routines in a given adapter environment.
+
+type: long
+
+
+**`istio.mixer.handler.failures.build`**
+:   The number of handlers that failed creation during config transition.
+
+type: long
+
+
+**`istio.mixer.handler.failures.close`**
+:   The number of errors encountered while closing handlers during config transition.
+
+type: long
+
+
+**`istio.mixer.handler.handlers.new`**
+:   The number of handlers that were newly created during config transition.
+
+type: long
+
+
+**`istio.mixer.handler.handlers.reused`**
+:   The number of handlers that were re-used during config transition.
+
+type: long
+
+
+**`istio.mixer.handler.name`**
+:   The name of the daemon  handler
+
+type: keyword
+
+
+**`istio.mixer.variety`**
+:   The name of the variety
+
+type: keyword
+
+
+
+## pilot [_pilot]
+
+Contains statistics related to the Istio pilot service
+
+**`istio.pilot.xds.count`**
+:   Count of concurrent xDS client connections for Pilot.
+
+type: long
+
+
+**`istio.pilot.xds.pushes`**
+:   Count of xDS messages sent, as well as errors building or sending xDS messages for lds, rds, cds and eds.
+
+type: long
+
+
+**`istio.pilot.xds.push.time.ms.bucket.*`**
+:   Total time Pilot takes to push lds, rds, cds and eds, histogram buckets in milliseconds.
+
+type: object
+
+
+**`istio.pilot.xds.push.time.ms.sum`**
+:   Total time Pilot takes to push lds, rds, cds and eds, histogram sum of times in milliseconds.
+
+type: long
+
+
+**`istio.pilot.xds.push.time.ms.count`**
+:   Total time Pilot takes to push lds, rds, cds and eds, histogram count of times.
+
+type: long
+
+
+**`istio.pilot.xds.eds.instances`**
+:   Instances for each cluster, as of last push. Zero instances is an error.
+
+type: long
+
+
+**`istio.pilot.xds.push.context.errors`**
+:   Number of errors (timeouts) initiating push context.
+
+type: long
+
+
+**`istio.pilot.xds.internal.errors`**
+:   Total number of internal XDS errors in pilot.
+
+type: long
+
+
+**`istio.pilot.conflict.listener.inbound`**
+:   Number of conflicting inbound listeners.
+
+type: long
+
+
+**`istio.pilot.conflict.listener.outbound.http.over.current.tcp`**
+:   Number of conflicting wildcard http listeners with current wildcard tcp listener.
+
+type: long
+
+
+**`istio.pilot.conflict.listener.outbound.http.over.https`**
+:   Number of conflicting HTTP listeners with well known HTTPS ports.
+
+type: long
+
+
+**`istio.pilot.conflict.listener.outbound.tcp.over.current.http`**
+:   Number of conflicting wildcard tcp listeners with current wildcard http listener.
+
+type: long
+
+
+**`istio.pilot.conflict.listener.outbound.tcp.over.current.tcp`**
+:   Number of conflicting tcp listeners with current tcp listener.
+
+type: long
+
+
+**`istio.pilot.proxy.conv.ms.bucket.*`**
+:   Time needed by Pilot to push Envoy configurations, histogram buckets in milliseconds.
+
+type: object
+
+
+**`istio.pilot.proxy.conv.ms.sum`**
+:   Time needed by Pilot to push Envoy configurations, histogram sum of times in milliseconds.
+
+type: long
+
+
+**`istio.pilot.proxy.conv.ms.count`**
+:   Time needed by Pilot to push Envoy configurations, histogram count of times.
+
+type: long
+
+
+**`istio.pilot.services`**
+:   Total services known to pilot.
+
+type: integer
+
+
+**`istio.pilot.virt.services`**
+:   Total virtual services known to pilot.
+
+type: long
+
+
+**`istio.pilot.no.ip`**
+:   Pods not found in the endpoint table, possibly invalid.
+
+type: long
+
+
+**`istio.pilot.cluster`**
+:   The instance FQDN.
+
+type: text
+
+
+**`istio.pilot.type`**
+:   The Envoy proxy configuration type.
+
+type: text
+
+
diff --git a/docs/reference/metricbeat/exported-fields-jolokia-autodiscover.md b/docs/reference/metricbeat/exported-fields-jolokia-autodiscover.md
new file mode 100644
index 000000000000..e5d2ca256440
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-jolokia-autodiscover.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-jolokia-autodiscover.html
+---
+
+# Jolokia Discovery autodiscover provider fields [exported-fields-jolokia-autodiscover]
+
+Metadata from Jolokia Discovery added by the jolokia provider.
+
+**`jolokia.agent.version`**
+:   Version number of jolokia agent.
+
+type: keyword
+
+
+**`jolokia.agent.id`**
+:   Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.
+
+type: keyword
+
+
+**`jolokia.server.product`**
+:   The container product if detected.
+
+type: keyword
+
+
+**`jolokia.server.version`**
+:   The container’s version (if detected).
+
+type: keyword
+
+
+**`jolokia.server.vendor`**
+:   The vendor of the container the agent is running in.
+
+type: keyword
+
+
+**`jolokia.url`**
+:   The URL how this agent can be contacted.
+
+type: keyword
+
+
+**`jolokia.secured`**
+:   Whether the agent was configured for authentication or not.
+
+type: boolean
+
+
diff --git a/docs/reference/metricbeat/exported-fields-jolokia.md b/docs/reference/metricbeat/exported-fields-jolokia.md
new file mode 100644
index 000000000000..f18714841b01
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-jolokia.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-jolokia.html
+---
+
+# Jolokia fields [exported-fields-jolokia]
+
+Jolokia module
+
+
+## jolokia [_jolokia_2]
+
+jolokia contains metrics exposed via jolokia agent
+
diff --git a/docs/reference/metricbeat/exported-fields-kafka.md b/docs/reference/metricbeat/exported-fields-kafka.md
new file mode 100644
index 000000000000..a335e34d41d2
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-kafka.md
@@ -0,0 +1,459 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-kafka.html
+---
+
+# Kafka fields [exported-fields-kafka]
+
+Kafka module
+
+
+## kafka [_kafka]
+
+
+## broker [_broker_2]
+
+Broker Consumer Group Information have been read from (Broker handling the consumer group).
+
+**`kafka.broker.id`**
+:   Broker id
+
+type: long
+
+
+**`kafka.broker.address`**
+:   Broker advertised address
+
+type: keyword
+
+
+**`kafka.topic.name`**
+:   Topic name
+
+type: keyword
+
+
+**`kafka.topic.error.code`**
+:   Topic error code.
+
+type: long
+
+
+**`kafka.partition.id`**
+:   Partition id.
+
+type: long
+
+
+**`kafka.partition.topic_id`**
+:   Unique id of the partition in the topic.
+
+type: keyword
+
+
+**`kafka.partition.topic_broker_id`**
+:   Unique id of the partition in the topic and the broker.
+
+type: keyword
+
+
+
+## broker [_broker_3]
+
+Broker metrics from Kafka Broker JMX
+
+**`kafka.broker.mbean`**
+:   Mbean that this event is related to
+
+type: keyword
+
+
+**`kafka.broker.request.channel.queue.size`**
+:   The size of the request queue
+
+type: long
+
+
+**`kafka.broker.request.produce.failed_per_second`**
+:   The rate of failed produce requests per second
+
+type: float
+
+
+**`kafka.broker.request.fetch.failed_per_second`**
+:   The rate of client fetch request failures per second
+
+type: float
+
+
+**`kafka.broker.request.produce.failed`**
+:   The number of failed produce requests
+
+type: float
+
+
+**`kafka.broker.request.fetch.failed`**
+:   The number of client fetch request failures
+
+type: float
+
+
+**`kafka.broker.replication.leader_elections`**
+:   The leader election rate
+
+type: float
+
+
+**`kafka.broker.replication.unclean_leader_elections`**
+:   The unclean leader election rate
+
+type: float
+
+
+**`kafka.broker.session.zookeeper.disconnect`**
+:   The ZooKeeper closed sessions per second
+
+type: float
+
+
+**`kafka.broker.session.zookeeper.expire`**
+:   The ZooKeeper expired sessions per second
+
+type: float
+
+
+**`kafka.broker.session.zookeeper.readonly`**
+:   The ZooKeeper readonly sessions per second
+
+type: float
+
+
+**`kafka.broker.session.zookeeper.sync`**
+:   The ZooKeeper client connections per second
+
+type: float
+
+
+**`kafka.broker.log.flush_rate`**
+:   The log flush rate
+
+type: float
+
+
+**`kafka.broker.topic.net.in.bytes_per_sec`**
+:   The incoming byte rate per topic
+
+type: float
+
+
+**`kafka.broker.topic.net.out.bytes_per_sec`**
+:   The outgoing byte rate per topic
+
+type: float
+
+
+**`kafka.broker.topic.net.rejected.bytes_per_sec`**
+:   The rejected byte rate per topic
+
+type: float
+
+
+**`kafka.broker.topic.messages_in`**
+:   The incoming message rate per topic
+
+type: float
+
+
+**`kafka.broker.net.in.bytes_per_sec`**
+:   The incoming byte rate
+
+type: float
+
+
+**`kafka.broker.net.out.bytes_per_sec`**
+:   The outgoing byte rate
+
+type: float
+
+
+**`kafka.broker.net.rejected.bytes_per_sec`**
+:   The rejected byte rate
+
+type: float
+
+
+**`kafka.broker.messages_in`**
+:   The incoming message rate
+
+type: float
+
+
+
+## consumer [_consumer]
+
+Consumer metrics from Kafka Consumer JMX
+
+**`kafka.consumer.mbean`**
+:   Mbean that this event is related to
+
+type: keyword
+
+
+**`kafka.consumer.fetch_rate`**
+:   The minimum rate at which the consumer sends fetch requests to a broker
+
+type: float
+
+
+**`kafka.consumer.bytes_consumed`**
+:   The average number of bytes consumed for a specific topic per second
+
+type: float
+
+
+**`kafka.consumer.records_consumed`**
+:   The average number of records consumed per second for a specific topic
+
+type: float
+
+
+**`kafka.consumer.in.bytes_per_sec`**
+:   The rate of bytes coming in to the consumer
+
+type: float
+
+
+**`kafka.consumer.max_lag`**
+:   The maximum consumer lag
+
+type: float
+
+
+**`kafka.consumer.zookeeper_commits`**
+:   The rate of offset commits to ZooKeeper
+
+type: float
+
+
+**`kafka.consumer.kafka_commits`**
+:   The rate of offset commits to Kafka
+
+type: float
+
+
+**`kafka.consumer.messages_in`**
+:   The rate of consumer message consumption
+
+type: float
+
+
+
+## consumergroup [_consumergroup]
+
+consumergroup
+
+**`kafka.consumergroup.id`**
+:   Consumer Group ID
+
+type: keyword
+
+
+**`kafka.consumergroup.offset`**
+:   consumer offset into partition being read
+
+type: long
+
+
+**`kafka.consumergroup.meta`**
+:   custom consumer meta data string
+
+type: keyword
+
+
+**`kafka.consumergroup.consumer_lag`**
+:   consumer lag for partition/topic calculated as the difference between the partition offset and consumer offset
+
+type: long
+
+
+**`kafka.consumergroup.error.code`**
+:   kafka consumer/partition error code.
+
+type: long
+
+
+
+## client [_client_3]
+
+Assigned client reading events from partition
+
+**`kafka.consumergroup.client.id`**
+:   Client ID (kafka setting client.id)
+
+type: keyword
+
+
+**`kafka.consumergroup.client.host`**
+:   Client host
+
+type: keyword
+
+
+**`kafka.consumergroup.client.member_id`**
+:   internal consumer group member ID
+
+type: keyword
+
+
+
+## partition [_partition_2]
+
+partition
+
+
+## offset [_offset]
+
+Available offsets of the given partition.
+
+**`kafka.partition.offset.newest`**
+:   Newest offset of the partition.
+
+type: long
+
+
+**`kafka.partition.offset.oldest`**
+:   Oldest offset of the partition.
+
+type: long
+
+
+
+## partition [_partition_3]
+
+Partition data.
+
+**`kafka.partition.partition.leader`**
+:   Leader id (broker).
+
+type: long
+
+
+**`kafka.partition.partition.replica`**
+:   Replica id (broker).
+
+type: long
+
+
+**`kafka.partition.partition.insync_replica`**
+:   Indicates if replica is included in the in-sync replicate set (ISR).
+
+type: boolean
+
+
+**`kafka.partition.partition.is_leader`**
+:   Indicates if replica is the leader
+
+type: boolean
+
+
+**`kafka.partition.partition.error.code`**
+:   Error code from fetching partition.
+
+type: long
+
+
+
+## producer [_producer]
+
+Producer metrics from Kafka Producer JMX
+
+**`kafka.producer.mbean`**
+:   Mbean that this event is related to
+
+type: keyword
+
+
+**`kafka.producer.available_buffer_bytes`**
+:   The total amount of buffer memory
+
+type: float
+
+
+**`kafka.producer.batch_size_avg`**
+:   The average number of bytes sent
+
+type: float
+
+
+**`kafka.producer.batch_size_max`**
+:   The maximum number of bytes sent
+
+type: long
+
+
+**`kafka.producer.record_send_rate`**
+:   The average number of records sent per second
+
+type: float
+
+
+**`kafka.producer.record_retry_rate`**
+:   The average number of retried record sends per second
+
+type: float
+
+
+**`kafka.producer.record_error_rate`**
+:   The average number of retried record sends per second
+
+type: float
+
+
+**`kafka.producer.records_per_request`**
+:   The average number of records sent per second
+
+type: float
+
+
+**`kafka.producer.record_size_avg`**
+:   The average record size
+
+type: float
+
+
+**`kafka.producer.record_size_max`**
+:   The maximum record size
+
+type: long
+
+
+**`kafka.producer.request_rate`**
+:   The number of producer requests per second
+
+type: float
+
+
+**`kafka.producer.response_rate`**
+:   The number of producer responses per second
+
+type: float
+
+
+**`kafka.producer.io_wait`**
+:   The producer I/O wait time
+
+type: float
+
+
+**`kafka.producer.out.bytes_per_sec`**
+:   The rate of bytes going out for the producer
+
+type: float
+
+
+**`kafka.producer.message_rate`**
+:   The producer message rate
+
+type: float
+
+
diff --git a/docs/reference/metricbeat/exported-fields-kibana.md b/docs/reference/metricbeat/exported-fields-kibana.md
new file mode 100644
index 000000000000..c9fb6b102b51
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-kibana.md
@@ -0,0 +1,646 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-kibana.html
+---
+
+# Kibana fields [exported-fields-kibana]
+
+Kibana module
+
+**`kibana_stats.timestamp`**
+:   type: alias
+
+alias to: @timestamp
+
+
+**`kibana_stats.kibana.response_time.max`**
+:   type: alias
+
+alias to: kibana.stats.response_time.max.ms
+
+
+**`kibana_stats.kibana.status`**
+:   type: alias
+
+alias to: kibana.stats.kibana.status
+
+
+**`kibana_stats.os.memory.free_in_bytes`**
+:   type: alias
+
+alias to: kibana.stats.os.memory.free_in_bytes
+
+
+**`kibana_stats.process.uptime_in_millis`**
+:   type: alias
+
+alias to: kibana.stats.process.uptime.ms
+
+
+**`kibana_stats.process.memory.heap.size_limit`**
+:   type: alias
+
+alias to: kibana.stats.process.memory.heap.size_limit.bytes
+
+
+**`kibana_stats.concurrent_connections`**
+:   type: alias
+
+alias to: kibana.stats.concurrent_connections
+
+
+**`kibana_stats.process.memory.resident_set_size_in_bytes`**
+:   type: alias
+
+alias to: kibana.stats.process.memory.resident_set_size.bytes
+
+
+**`kibana_stats.os.load.1m`**
+:   type: alias
+
+alias to: kibana.stats.os.load.1m
+
+
+**`kibana_stats.os.load.5m`**
+:   type: alias
+
+alias to: kibana.stats.os.load.5m
+
+
+**`kibana_stats.os.load.15m`**
+:   type: alias
+
+alias to: kibana.stats.os.load.15m
+
+
+**`kibana_stats.process.event_loop_delay`**
+:   type: alias
+
+alias to: kibana.stats.process.event_loop_delay.ms
+
+
+**`kibana_stats.process.event_loop_utilization.active`**
+:   type: alias
+
+alias to: kibana.stats.process.event_loop_utilization.active
+
+
+**`kibana_stats.process.event_loop_utilization.idle`**
+:   type: alias
+
+alias to: kibana.stats.process.event_loop_utilization.idle
+
+
+**`kibana_stats.process.event_loop_utilization.utilization`**
+:   type: alias
+
+alias to: kibana.stats.process.event_loop_utilization.utilization
+
+
+**`kibana_stats.requests.total`**
+:   type: alias
+
+alias to: kibana.stats.request.total
+
+
+**`kibana_stats.requests.disconnects`**
+:   type: alias
+
+alias to: kibana.stats.request.disconnects
+
+
+**`kibana_stats.response_times.max`**
+:   type: alias
+
+alias to: kibana.stats.response_time.max.ms
+
+
+**`kibana_stats.response_times.average`**
+:   type: alias
+
+alias to: kibana.stats.response_time.avg.ms
+
+
+**`kibana_stats.kibana.uuid`**
+:   type: alias
+
+alias to: service.id
+
+
+**`kibana.elasticsearch.cluster.id`**
+:   type: keyword
+
+
+
+## cluster_actions [_cluster_actions]
+
+Kibana cluster actions metrics.
+
+**`kibana.cluster_actions.kibana.status`**
+:   type: keyword
+
+
+**`kibana.cluster_actions.overdue.count`**
+:   type: long
+
+
+**`kibana.cluster_actions.overdue.delay.p50`**
+:   type: float
+
+
+**`kibana.cluster_actions.overdue.delay.p99`**
+:   type: float
+
+
+
+## cluster_rules [_cluster_rules]
+
+Kibana cluster rule metrics.
+
+**`kibana.cluster_rules.kibana.status`**
+:   type: keyword
+
+
+**`kibana.cluster_rules.overdue.count`**
+:   type: long
+
+
+**`kibana.cluster_rules.overdue.delay.p50`**
+:   type: float
+
+
+**`kibana.cluster_rules.overdue.delay.p99`**
+:   type: float
+
+
+
+## node_actions [_node_actions]
+
+Kibana node actions metrics.
+
+**`kibana.node_actions.kibana.status`**
+:   type: keyword
+
+
+**`kibana.node_actions.failures`**
+:   type: long
+
+
+**`kibana.node_actions.executions`**
+:   type: long
+
+
+**`kibana.node_actions.timeouts`**
+:   type: long
+
+
+
+## node_rules [_node_rules]
+
+Kibana node rule metrics.
+
+**`kibana.node_rules.kibana.status`**
+:   type: keyword
+
+
+**`kibana.node_rules.failures`**
+:   type: long
+
+
+**`kibana.node_rules.executions`**
+:   type: long
+
+
+**`kibana.node_rules.timeouts`**
+:   type: long
+
+
+
+## settings [_settings_2]
+
+Kibana stats and run-time metrics.
+
+**`kibana.settings.uuid`**
+:   Kibana instance UUID
+
+type: keyword
+
+
+**`kibana.settings.name`**
+:   Kibana instance name
+
+type: keyword
+
+
+**`kibana.settings.index`**
+:   Name of Kibana’s internal index
+
+type: keyword
+
+
+**`kibana.settings.host`**
+:   Kibana instance hostname
+
+type: keyword
+
+
+**`kibana.settings.transport_address`**
+:   Kibana server’s hostname and port
+
+type: keyword
+
+
+**`kibana.settings.version`**
+:   Kibana version
+
+type: keyword
+
+
+**`kibana.settings.snapshot`**
+:   Whether the Kibana build is a snapshot build
+
+type: boolean
+
+
+**`kibana.settings.status`**
+:   Kibana instance’s health status
+
+type: keyword
+
+
+**`kibana.settings.locale`**
+:   type: keyword
+
+
+**`kibana.settings.port`**
+:   type: integer
+
+
+
+## stats [_stats_5]
+
+Kibana stats and run-time metrics.
+
+**`kibana.stats.kibana.status`**
+:   type: keyword
+
+
+**`kibana.stats.usage.index`**
+:   type: keyword
+
+
+**`kibana.stats.uuid`**
+:   Kibana instance UUID
+
+type: alias
+
+alias to: service.id
+
+
+**`kibana.stats.name`**
+:   Kibana instance name
+
+type: keyword
+
+
+**`kibana.stats.index`**
+:   Name of Kibana’s internal index
+
+type: keyword
+
+
+**`kibana.stats.host.name`**
+:   Kibana instance hostname
+
+type: keyword
+
+
+**`kibana.stats.transport_address`**
+:   Kibana server’s hostname and port
+
+type: alias
+
+alias to: service.address
+
+
+**`kibana.stats.version`**
+:   Kibana version
+
+type: alias
+
+alias to: service.version
+
+
+**`kibana.stats.snapshot`**
+:   Whether the Kibana build is a snapshot build
+
+type: boolean
+
+
+**`kibana.stats.status`**
+:   Kibana instance’s health status
+
+type: keyword
+
+
+**`kibana.stats.os.distro`**
+:   type: keyword
+
+
+**`kibana.stats.os.distroRelease`**
+:   type: keyword
+
+
+**`kibana.stats.os.platform`**
+:   type: keyword
+
+
+**`kibana.stats.os.platformRelease`**
+:   type: keyword
+
+
+**`kibana.stats.os.memory.free_in_bytes`**
+:   type: long
+
+
+**`kibana.stats.os.memory.total_in_bytes`**
+:   type: long
+
+
+**`kibana.stats.os.memory.used_in_bytes`**
+:   type: long
+
+
+**`kibana.stats.os.cpuacct.control_group`**
+:   type: keyword
+
+
+**`kibana.stats.os.cpuacct.usage_nanos`**
+:   type: long
+
+
+**`kibana.stats.os.cgroup_memory.current_in_bytes`**
+:   type: long
+
+
+**`kibana.stats.os.cgroup_memory.swap_current_in_bytes`**
+:   type: long
+
+
+**`kibana.stats.os.load.1m`**
+:   type: half_float
+
+
+**`kibana.stats.os.load.5m`**
+:   type: half_float
+
+
+**`kibana.stats.os.load.15m`**
+:   type: half_float
+
+
+**`kibana.stats.concurrent_connections`**
+:   Number of client connections made to the server. Note that browsers can send multiple simultaneous connections to request multiple server assets at once, and they can re-use established connections.
+
+type: long
+
+
+
+## process [_process_6]
+
+Process metrics
+
+**`kibana.stats.process.memory.resident_set_size.bytes`**
+:   type: long
+
+
+**`kibana.stats.process.memory.array_buffers.bytes`**
+:   type: long
+
+
+**`kibana.stats.process.memory.external.bytes`**
+:   type: long
+
+
+**`kibana.stats.process.uptime.ms`**
+:   type: long
+
+
+**`kibana.stats.process.event_loop_delay.ms`**
+:   Event loop delay in milliseconds
+
+type: scaled_float
+
+
+
+## event_loop_utilization [_event_loop_utilization]
+
+The ratio of time the event loop is not idling in the event provider to the total time the event loop is running.
+
+**`kibana.stats.process.event_loop_utilization.active`**
+:   Duration of time event loop has been active since last measurement.
+
+type: scaled_float
+
+
+**`kibana.stats.process.event_loop_utilization.idle`**
+:   Duration of time event loop has been idle since last measurement.
+
+type: scaled_float
+
+
+**`kibana.stats.process.event_loop_utilization.utilization`**
+:   Computed utilization value representing ratio of active to idle time since last measurement.
+
+type: scaled_float
+
+
+
+## memory.heap [_memory_heap]
+
+Process heap metrics
+
+**`kibana.stats.process.memory.heap.total.bytes`**
+:   Total heap allocated to process in bytes
+
+type: long
+
+format: bytes
+
+
+**`kibana.stats.process.memory.heap.used.bytes`**
+:   Heap used by process in bytes
+
+type: long
+
+format: bytes
+
+
+**`kibana.stats.process.memory.heap.size_limit.bytes`**
+:   Max. old space size allocated to Node.js process, in bytes
+
+type: long
+
+format: bytes
+
+
+**`kibana.stats.process.memory.heap.uptime.ms`**
+:   Uptime of process in milliseconds
+
+type: long
+
+
+
+## request [_request_2]
+
+Request count metrics
+
+**`kibana.stats.request.disconnects`**
+:   Number of requests that were disconnected
+
+type: long
+
+
+**`kibana.stats.request.total`**
+:   Total number of requests
+
+type: long
+
+
+
+## response_time [_response_time]
+
+Response times metrics
+
+**`kibana.stats.response_time.avg.ms`**
+:   Average response time in milliseconds
+
+type: long
+
+
+**`kibana.stats.response_time.max.ms`**
+:   Maximum response time in milliseconds
+
+type: long
+
+
+
+## elasticsearch_client [_elasticsearch_client]
+
+Elasticsearch Client’s stats
+
+**`kibana.stats.elasticsearch_client.total_active_sockets`**
+:   Total number of active sockets
+
+type: integer
+
+
+**`kibana.stats.elasticsearch_client.total_idle_sockets`**
+:   Total number of idle sockets
+
+type: integer
+
+
+**`kibana.stats.elasticsearch_client.total_queued_requests`**
+:   Total number of queued requests
+
+type: integer
+
+
+
+## status [_status_2]
+
+Status fields
+
+**`kibana.status.name`**
+:   Kibana instance name.
+
+type: keyword
+
+
+**`kibana.status.uuid`**
+:   Kibana instance uuid.
+
+type: alias
+
+alias to: service.id
+
+
+**`kibana.status.version.number`**
+:   Kibana version number.
+
+type: alias
+
+alias to: service.version
+
+
+**`kibana.status.status.overall.state`**
+:   Kibana overall state (v7 format).
+
+type: keyword
+
+
+**`kibana.status.status.overall.level`**
+:   Kibana overall level (v8 format).
+
+type: keyword
+
+
+**`kibana.status.status.overall.summary`**
+:   Kibana overall state in a human-readable format.
+
+type: text
+
+
+**`kibana.status.status.core.elasticsearch.level`**
+:   Kibana Elasticsearch client’s status
+
+type: keyword
+
+
+**`kibana.status.status.core.elasticsearch.summary`**
+:   Kibana Elasticsearch client’s status in a human-readable format.
+
+type: text
+
+
+**`kibana.status.status.core.savedObjects.level`**
+:   Kibana Saved Objects client’s status
+
+type: keyword
+
+
+**`kibana.status.status.core.savedObjects.summary`**
+:   Kibana Saved Objects client’s status in a human-readable format.
+
+type: text
+
+
+
+## metrics [_metrics_8]
+
+Metrics fields
+
+**`kibana.status.metrics.concurrent_connections`**
+:   Current concurrent connections.
+
+type: long
+
+
+
+## requests [_requests]
+
+Request statistics.
+
+**`kibana.status.metrics.requests.disconnects`**
+:   Total number of disconnected connections.
+
+type: long
+
+
+**`kibana.status.metrics.requests.total`**
+:   Total number of connections.
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-kubernetes-processor.md b/docs/reference/metricbeat/exported-fields-kubernetes-processor.md
new file mode 100644
index 000000000000..bc518e6594e0
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-kubernetes-processor.md
@@ -0,0 +1,87 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-kubernetes-processor.html
+---
+
+# Kubernetes fields [exported-fields-kubernetes-processor]
+
+Kubernetes metadata added by the kubernetes processor
+
+**`kubernetes.pod.name`**
+:   Kubernetes pod name
+
+type: keyword
+
+
+**`kubernetes.pod.uid`**
+:   Kubernetes Pod UID
+
+type: keyword
+
+
+**`kubernetes.pod.ip`**
+:   Kubernetes Pod IP
+
+type: ip
+
+
+**`kubernetes.namespace`**
+:   Kubernetes namespace
+
+type: keyword
+
+
+**`kubernetes.node.name`**
+:   Kubernetes node name
+
+type: keyword
+
+
+**`kubernetes.node.hostname`**
+:   Kubernetes hostname as reported by the node’s kernel
+
+type: keyword
+
+
+**`kubernetes.labels.*`**
+:   Kubernetes labels map
+
+type: object
+
+
+**`kubernetes.annotations.*`**
+:   Kubernetes annotations map
+
+type: object
+
+
+**`kubernetes.selectors.*`**
+:   Kubernetes selectors map
+
+type: object
+
+
+**`kubernetes.replicaset.name`**
+:   Kubernetes replicaset name
+
+type: keyword
+
+
+**`kubernetes.deployment.name`**
+:   Kubernetes deployment name
+
+type: keyword
+
+
+**`kubernetes.statefulset.name`**
+:   Kubernetes statefulset name
+
+type: keyword
+
+
+**`kubernetes.container.name`**
+:   Kubernetes container name (different than the name from the runtime)
+
+type: keyword
+
+
diff --git a/docs/reference/metricbeat/exported-fields-kubernetes.md b/docs/reference/metricbeat/exported-fields-kubernetes.md
new file mode 100644
index 000000000000..86249959c9ef
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-kubernetes.md
@@ -0,0 +1,2444 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-kubernetes.html
+---
+
+# Kubernetes fields [exported-fields-kubernetes]
+
+Kubernetes metrics
+
+
+## kubernetes [_kubernetes_3]
+
+Information and statistics of pods managed by kubernetes.
+
+
+## apiserver [_apiserver_2]
+
+Kubernetes API server metrics
+
+**`kubernetes.apiserver.major.version`**
+:   API Server major version.
+
+type: keyword
+
+
+**`kubernetes.apiserver.minor.version`**
+:   API Server minor version.
+
+type: keyword
+
+
+**`kubernetes.apiserver.request.resource`**
+:   Requested resource
+
+type: keyword
+
+
+**`kubernetes.apiserver.request.subresource`**
+:   Requested subresource
+
+type: keyword
+
+
+**`kubernetes.apiserver.request.scope`**
+:   Request scope (cluster, namespace, resource)
+
+type: keyword
+
+
+**`kubernetes.apiserver.request.verb`**
+:   HTTP verb
+
+type: keyword
+
+
+**`kubernetes.apiserver.request.code`**
+:   HTTP code
+
+type: keyword
+
+
+**`kubernetes.apiserver.request.content_type`**
+:   Request HTTP content type
+
+type: keyword
+
+
+**`kubernetes.apiserver.request.dry_run`**
+:   Wether the request uses dry run
+
+type: keyword
+
+
+**`kubernetes.apiserver.request.kind`**
+:   Kind of request
+
+type: keyword
+
+
+**`kubernetes.apiserver.request.component`**
+:   Component handling the request
+
+type: keyword
+
+
+**`kubernetes.apiserver.request.group`**
+:   API group for the resource
+
+type: keyword
+
+
+**`kubernetes.apiserver.request.version`**
+:   version for the group
+
+type: keyword
+
+
+**`kubernetes.apiserver.request.handler`**
+:   Request handler
+
+type: keyword
+
+
+**`kubernetes.apiserver.request.method`**
+:   HTTP method
+
+type: keyword
+
+
+**`kubernetes.apiserver.request.host`**
+:   Request host
+
+type: keyword
+
+
+**`kubernetes.apiserver.process.cpu.sec`**
+:   CPU seconds
+
+type: double
+
+
+**`kubernetes.apiserver.process.memory.resident.bytes`**
+:   Bytes in resident memory
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.apiserver.process.memory.virtual.bytes`**
+:   Bytes in virtual memory
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.apiserver.process.fds.open.count`**
+:   Number of open file descriptors
+
+type: long
+
+
+**`kubernetes.apiserver.process.started.sec`**
+:   Seconds since the process started
+
+type: double
+
+
+**`kubernetes.apiserver.watch.events.size.bytes.bucket.*`**
+:   Watch event size distribution in bytes
+
+type: object
+
+
+**`kubernetes.apiserver.watch.events.size.bytes.sum`**
+:   Sum of watch events sizes in bytes
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.apiserver.watch.events.size.bytes.count`**
+:   Number of watch events
+
+type: long
+
+
+**`kubernetes.apiserver.watch.events.kind`**
+:   Resource kind of the watch event
+
+type: keyword
+
+
+**`kubernetes.apiserver.response.size.bytes.bucket.*`**
+:   Response size distribution in bytes for each group, version, verb, resource, subresource, scope and component.
+
+type: object
+
+
+**`kubernetes.apiserver.response.size.bytes.sum`**
+:   Sum of responses sizes in bytes
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.apiserver.response.size.bytes.count`**
+:   Number of responses to requests
+
+type: long
+
+
+**`kubernetes.apiserver.client.request.count`**
+:   Number of requests as client
+
+type: long
+
+
+**`kubernetes.apiserver.request.count`**
+:   Number of requests
+
+type: long
+
+
+**`kubernetes.apiserver.request.duration.us.sum`**
+:   Request duration, sum in microseconds
+
+type: long
+
+
+**`kubernetes.apiserver.request.duration.us.count`**
+:   Request duration, number of operations
+
+type: long
+
+
+**`kubernetes.apiserver.request.duration.us.bucket.*`**
+:   Response latency distribution, histogram buckets
+
+type: object
+
+
+**`kubernetes.apiserver.request.current.count`**
+:   Inflight requests
+
+type: long
+
+
+**`kubernetes.apiserver.request.longrunning.count`**
+:   Number of requests active long running requests
+
+type: long
+
+
+**`kubernetes.apiserver.etcd.object.count`**
+:   Number of kubernetes objects at etcd
+
+type: long
+
+
+**`kubernetes.apiserver.audit.event.count`**
+:   Number of audit events
+
+type: long
+
+
+**`kubernetes.apiserver.audit.rejected.count`**
+:   Number of audit rejected events
+
+type: long
+
+
+
+## container [_container_5]
+
+kubernetes container metrics
+
+**`kubernetes.container.start_time`**
+:   Start time
+
+type: date
+
+
+
+## cpu [_cpu_6]
+
+CPU usage metrics
+
+**`kubernetes.container.cpu.usage.core.ns`**
+:   Container CPU Core usage nanoseconds
+
+type: double
+
+
+**`kubernetes.container.cpu.usage.nanocores`**
+:   CPU used nanocores
+
+type: double
+
+
+**`kubernetes.container.cpu.usage.node.pct`**
+:   CPU usage as a percentage of the total node allocatable CPU
+
+type: scaled_float
+
+format: percent
+
+
+**`kubernetes.container.cpu.usage.limit.pct`**
+:   CPU usage as a percentage of the defined limit for the container (or total node allocatable CPU if unlimited). If the container CPU limits are missing and the `node` and `state_node` metricsets are both disabled on that node, this metric will be missing entirely.
+
+type: scaled_float
+
+format: percent
+
+
+
+## logs [_logs_2]
+
+Logs info
+
+**`kubernetes.container.logs.available.bytes`**
+:   Logs available capacity in bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.container.logs.capacity.bytes`**
+:   Logs total capacity in bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.container.logs.used.bytes`**
+:   Logs used capacity in bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.container.logs.inodes.count`**
+:   Total available inodes
+
+type: double
+
+
+**`kubernetes.container.logs.inodes.free`**
+:   Total free inodes
+
+type: double
+
+
+**`kubernetes.container.logs.inodes.used`**
+:   Total used inodes
+
+type: double
+
+
+**`kubernetes.container.memory.available.bytes`**
+:   Total available memory
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.container.memory.usage.bytes`**
+:   Total memory usage
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.container.memory.usage.node.pct`**
+:   Memory usage as a percentage of the total node allocatable memory
+
+type: scaled_float
+
+format: percent
+
+
+**`kubernetes.container.memory.usage.limit.pct`**
+:   Memory usage as a percentage of the defined limit for the container (or total node allocatable memory if unlimited). If the container Memory limits are missing and the `node` and `state_node` metricsets are both disabled on that node, this metric will be missing entirely.
+
+type: scaled_float
+
+format: percent
+
+
+**`kubernetes.container.memory.rss.bytes`**
+:   RSS memory usage
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.container.memory.workingset.bytes`**
+:   Working set memory usage
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.container.memory.workingset.limit.pct`**
+:   Working set memory usage as a percentage of the defined limit for the container (or total node allocatable memory if unlimited)
+
+type: scaled_float
+
+format: percent
+
+
+**`kubernetes.container.memory.pagefaults`**
+:   Number of page faults
+
+type: double
+
+
+**`kubernetes.container.memory.majorpagefaults`**
+:   Number of major page faults
+
+type: double
+
+
+**`kubernetes.container.rootfs.capacity.bytes`**
+:   Root filesystem total capacity in bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.container.rootfs.available.bytes`**
+:   Root filesystem total available in bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.container.rootfs.used.bytes`**
+:   Root filesystem total used in bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.container.rootfs.inodes.used`**
+:   Used inodes
+
+type: double
+
+
+
+## controllermanager [_controllermanager]
+
+Controller manager metrics
+
+**`kubernetes.controllermanager.verb`**
+:   HTTP verb
+
+type: keyword
+
+
+**`kubernetes.controllermanager.code`**
+:   HTTP code
+
+type: keyword
+
+
+**`kubernetes.controllermanager.method`**
+:   HTTP method
+
+type: keyword
+
+
+**`kubernetes.controllermanager.host`**
+:   HTTP host
+
+type: keyword
+
+
+**`kubernetes.controllermanager.name`**
+:   Name for the resource
+
+type: keyword
+
+
+**`kubernetes.controllermanager.zone`**
+:   Infrastructure zone
+
+type: keyword
+
+
+**`kubernetes.controllermanager.process.cpu.sec`**
+:   Total user and system CPU time spent in seconds
+
+type: double
+
+
+**`kubernetes.controllermanager.process.memory.resident.bytes`**
+:   Bytes in resident memory
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.controllermanager.process.memory.virtual.bytes`**
+:   Bytes in virtual memory
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.controllermanager.process.fds.open.count`**
+:   Number of open file descriptors
+
+type: long
+
+
+**`kubernetes.controllermanager.process.fds.max.count`**
+:   Limit for open file descriptors
+
+type: long
+
+
+**`kubernetes.controllermanager.process.started.sec`**
+:   Start time of the process since unix epoch in seconds
+
+type: double
+
+
+**`kubernetes.controllermanager.client.request.count`**
+:   Number of HTTP requests to API server, broken down by status code, method and host
+
+type: long
+
+
+**`kubernetes.controllermanager.client.request.duration.us.sum`**
+:   Sum of requests latency in microseconds, broken down by verb and host
+
+type: long
+
+
+**`kubernetes.controllermanager.client.request.duration.us.count`**
+:   Number of request duration operations to API server, broken down by verb and host
+
+type: long
+
+
+**`kubernetes.controllermanager.client.request.duration.us.bucket.*`**
+:   Requests latency distribution in histogram buckets, broken down by verb and host
+
+type: object
+
+
+**`kubernetes.controllermanager.client.request.size.bytes.sum`**
+:   Requests size sum in bytes, broken down by verb and host
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.controllermanager.client.request.size.bytes.count`**
+:   Number of requests, broken down by verb and host
+
+type: long
+
+
+**`kubernetes.controllermanager.client.request.size.bytes.bucket.*`**
+:   Requests size distribution in histogram buckets, broken down by verb and host
+
+type: object
+
+
+**`kubernetes.controllermanager.client.response.size.bytes.count`**
+:   Number of responses, broken down by verb and host
+
+type: long
+
+
+**`kubernetes.controllermanager.client.response.size.bytes.sum`**
+:   Responses size sum in bytes, broken down by verb and host
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.controllermanager.client.response.size.bytes.bucket.*`**
+:   Responses size distribution in histogram buckets, broken down by verb and host
+
+type: object
+
+
+**`kubernetes.controllermanager.workqueue.longestrunning.sec`**
+:   How many seconds has the longest running processor been running, broken down by workqueue name
+
+type: double
+
+
+**`kubernetes.controllermanager.workqueue.unfinished.sec`**
+:   How many seconds of work has done that is in progress and hasn’t been considered in the longest running processor, broken down by workqueue name
+
+type: double
+
+
+**`kubernetes.controllermanager.workqueue.adds.count`**
+:   Workqueue add count, broken down by workqueue name
+
+type: long
+
+
+**`kubernetes.controllermanager.workqueue.depth.count`**
+:   Workqueue current depth, broken down by workqueue name
+
+type: long
+
+
+**`kubernetes.controllermanager.workqueue.retries.count`**
+:   Workqueue number of retries, broken down by workqueue name
+
+type: long
+
+
+**`kubernetes.controllermanager.node.collector.eviction.count`**
+:   Number of node evictions, broken down by zone
+
+type: long
+
+
+**`kubernetes.controllermanager.node.collector.unhealthy.count`**
+:   Number of unhealthy nodes, broken down by zone
+
+type: long
+
+
+**`kubernetes.controllermanager.node.collector.count`**
+:   Number of nodes, broken down by zone
+
+type: long
+
+
+**`kubernetes.controllermanager.node.collector.health.pct`**
+:   Percentage of healthy nodes, broken down by zone
+
+type: long
+
+
+**`kubernetes.controllermanager.leader.is_master`**
+:   Whether the controller manager instance is leader
+
+type: boolean
+
+
+
+## event [_event_4]
+
+The Kubernetes events metricset collects events that are generated by objects running inside of Kubernetes
+
+**`kubernetes.event.count`**
+:   Count field records the number of times the particular event has occurred
+
+type: long
+
+
+**`kubernetes.event.timestamp.first_occurrence`**
+:   Timestamp of first occurrence of event
+
+type: date
+
+
+**`kubernetes.event.timestamp.last_occurrence`**
+:   Timestamp of last occurrence of event
+
+type: date
+
+
+**`kubernetes.event.message`**
+:   Message recorded for the given event
+
+type: text
+
+
+**`kubernetes.event.reason`**
+:   Reason recorded for the given event
+
+type: keyword
+
+
+**`kubernetes.event.type`**
+:   Type of the given event
+
+type: keyword
+
+
+
+## source [_source_2]
+
+The component reporting this event
+
+**`kubernetes.event.source.component`**
+:   Component from which the event is generated
+
+type: keyword
+
+
+**`kubernetes.event.source.host`**
+:   Node name on which the event is generated
+
+type: keyword
+
+
+
+## metadata [_metadata_2]
+
+Metadata associated with the given event
+
+**`kubernetes.event.metadata.timestamp.created`**
+:   Timestamp of creation of the given event
+
+type: date
+
+
+**`kubernetes.event.metadata.generate_name`**
+:   Generate name of the event
+
+type: keyword
+
+
+**`kubernetes.event.metadata.name`**
+:   Name of the event
+
+type: keyword
+
+
+**`kubernetes.event.metadata.namespace`**
+:   Namespace in which event was generated
+
+type: keyword
+
+
+**`kubernetes.event.metadata.resource_version`**
+:   Version of the event resource
+
+type: keyword
+
+
+**`kubernetes.event.metadata.uid`**
+:   Unique identifier to the event object
+
+type: keyword
+
+
+**`kubernetes.event.metadata.self_link`**
+:   URL representing the event
+
+type: keyword
+
+
+
+## involved_object [_involved_object]
+
+Metadata associated with the given involved object
+
+**`kubernetes.event.involved_object.api_version`**
+:   API version of the object
+
+type: keyword
+
+
+**`kubernetes.event.involved_object.kind`**
+:   API kind of the object
+
+type: keyword
+
+
+**`kubernetes.event.involved_object.name`**
+:   name of the object
+
+type: keyword
+
+
+**`kubernetes.event.involved_object.resource_version`**
+:   resource version of the object
+
+type: keyword
+
+
+**`kubernetes.event.involved_object.uid`**
+:   UUID version of the object
+
+type: keyword
+
+
+
+## node [_node_4]
+
+kubernetes node metrics
+
+**`kubernetes.node.start_time`**
+:   Start time
+
+type: date
+
+
+
+## cpu [_cpu_7]
+
+CPU usage metrics
+
+**`kubernetes.node.cpu.usage.core.ns`**
+:   Node CPU Core usage nanoseconds
+
+type: double
+
+
+**`kubernetes.node.cpu.usage.nanocores`**
+:   CPU used nanocores
+
+type: double
+
+
+**`kubernetes.node.memory.available.bytes`**
+:   Total available memory
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.node.memory.usage.bytes`**
+:   Total memory usage
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.node.memory.rss.bytes`**
+:   RSS memory usage
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.node.memory.workingset.bytes`**
+:   Working set memory usage
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.node.memory.pagefaults`**
+:   Number of page faults
+
+type: double
+
+
+**`kubernetes.node.memory.majorpagefaults`**
+:   Number of major page faults
+
+type: double
+
+
+**`kubernetes.node.network.rx.bytes`**
+:   Received bytes on the default interface. If default interface is not defined, will be reported not correct value `0`
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.node.network.rx.errors`**
+:   Rx errors on the default interface. If default interface is not defined, will be reported not correct value `0`
+
+type: double
+
+
+**`kubernetes.node.network.tx.bytes`**
+:   Transmitted bytes on the default interface. If default interface is not defined, will be reported not correct value `0`
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.node.network.tx.errors`**
+:   Tx errors on the default interface. If default interface is not defined, will be reported not correct value `0`
+
+type: double
+
+
+**`kubernetes.node.fs.capacity.bytes`**
+:   Filesystem total capacity in bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.node.fs.available.bytes`**
+:   Filesystem total available in bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.node.fs.used.bytes`**
+:   Filesystem total used in bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.node.fs.inodes.used`**
+:   Number of used inodes
+
+type: double
+
+
+**`kubernetes.node.fs.inodes.count`**
+:   Number of inodes
+
+type: double
+
+
+**`kubernetes.node.fs.inodes.free`**
+:   Number of free inodes
+
+type: double
+
+
+**`kubernetes.node.runtime.imagefs.capacity.bytes`**
+:   Image filesystem total capacity in bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.node.runtime.imagefs.available.bytes`**
+:   Image filesystem total available in bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.node.runtime.imagefs.used.bytes`**
+:   Image filesystem total used in bytes
+
+type: double
+
+format: bytes
+
+
+
+## pod [_pod]
+
+kubernetes pod metrics
+
+**`kubernetes.pod.start_time`**
+:   Start time
+
+type: date
+
+
+**`kubernetes.pod.network.rx.bytes`**
+:   Received bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.pod.network.rx.errors`**
+:   Rx errors
+
+type: double
+
+
+**`kubernetes.pod.network.tx.bytes`**
+:   Transmitted bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.pod.network.tx.errors`**
+:   Tx errors
+
+type: double
+
+
+
+## cpu [_cpu_8]
+
+CPU usage metrics
+
+**`kubernetes.pod.cpu.usage.nanocores`**
+:   CPU used nanocores
+
+type: double
+
+
+**`kubernetes.pod.cpu.usage.node.pct`**
+:   CPU usage as a percentage of the total node CPU
+
+type: scaled_float
+
+format: percent
+
+
+**`kubernetes.pod.cpu.usage.limit.pct`**
+:   CPU usage as a percentage of the defined cpu limits sum of the pod containers. If any container is missing a limit the metric is not emitted.
+
+type: scaled_float
+
+format: percent
+
+
+**`kubernetes.pod.memory.usage.bytes`**
+:   Total memory usage
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.pod.memory.usage.node.pct`**
+:   Memory usage as a percentage of the total node allocatable memory
+
+type: scaled_float
+
+format: percent
+
+
+**`kubernetes.pod.memory.usage.limit.pct`**
+:   Memory usage as a percentage of the defined memory limits sum of the pod containers. If any container is missing a limit the metric is not emitted.
+
+type: scaled_float
+
+format: percent
+
+
+**`kubernetes.pod.memory.available.bytes`**
+:   Total memory available
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.pod.memory.working_set.bytes`**
+:   Total working set memory
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.pod.memory.working_set.limit.pct`**
+:   Working set memory usage as a percentage of the defined limits sum of the pod containers. If any container is missing a limit the metric is not emitted.
+
+type: scaled_float
+
+format: percent
+
+
+**`kubernetes.pod.memory.rss.bytes`**
+:   Total resident set size memory
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.pod.memory.page_faults`**
+:   Total page faults
+
+type: double
+
+
+**`kubernetes.pod.memory.major_page_faults`**
+:   Total major page faults
+
+type: double
+
+
+
+## proxy [_proxy_3]
+
+Kubernetes proxy server metrics
+
+**`kubernetes.proxy.code`**
+:   HTTP code
+
+type: keyword
+
+
+**`kubernetes.proxy.method`**
+:   HTTP method
+
+type: keyword
+
+
+**`kubernetes.proxy.host`**
+:   HTTP host
+
+type: keyword
+
+
+**`kubernetes.proxy.verb`**
+:   HTTP verb
+
+type: keyword
+
+
+**`kubernetes.proxy.process.cpu.sec`**
+:   Total user and system CPU time spent in seconds
+
+type: double
+
+
+**`kubernetes.proxy.process.memory.resident.bytes`**
+:   Bytes in resident memory
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.proxy.process.memory.virtual.bytes`**
+:   Bytes in virtual memory
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.proxy.process.fds.open.count`**
+:   Number of open file descriptors
+
+type: long
+
+
+**`kubernetes.proxy.process.fds.max.count`**
+:   Limit for open file descriptors
+
+type: long
+
+
+**`kubernetes.proxy.process.started.sec`**
+:   Start time of the process since unix epoch in seconds
+
+type: double
+
+
+**`kubernetes.proxy.client.request.count`**
+:   Number of HTTP requests to API server, broken down by status code, method and host
+
+type: long
+
+
+**`kubernetes.proxy.client.request.duration.us.sum`**
+:   Sum of requests latency in microseconds, broken down by verb and host
+
+type: long
+
+
+**`kubernetes.proxy.client.request.duration.us.count`**
+:   Number of request duration operations to API server, broken down by verb and host
+
+type: long
+
+
+**`kubernetes.proxy.client.request.duration.us.bucket.*`**
+:   Requests latency distribution in histogram buckets, broken down by verb and host
+
+type: object
+
+
+**`kubernetes.proxy.client.request.size.bytes.sum`**
+:   Requests size sum in bytes, broken down by verb and host
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.proxy.client.request.size.bytes.count`**
+:   Number of requests, broken down by verb and host
+
+type: long
+
+
+**`kubernetes.proxy.client.request.size.bytes.bucket.*`**
+:   Requests size distribution in histogram buckets, broken down by verb and host
+
+type: object
+
+
+**`kubernetes.proxy.client.response.size.bytes.count`**
+:   Number of responses, broken down by verb and host
+
+type: long
+
+
+**`kubernetes.proxy.client.response.size.bytes.sum`**
+:   Responses size sum in bytes, broken down by verb and host
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.proxy.client.response.size.bytes.bucket.*`**
+:   Responses size distribution in histogram buckets, broken down by verb and host
+
+type: object
+
+
+
+## sync [_sync]
+
+kubeproxy proxy sync metrics
+
+**`kubernetes.proxy.sync.rules.duration.us.sum`**
+:   SyncProxyRules latency sum in microseconds
+
+type: long
+
+
+**`kubernetes.proxy.sync.rules.duration.us.count`**
+:   Number of SyncProxyRules latency operations
+
+type: long
+
+
+**`kubernetes.proxy.sync.rules.duration.us.bucket.*`**
+:   SyncProxyRules latency distribution in histogram buckets
+
+type: object
+
+
+**`kubernetes.proxy.sync.networkprogramming.duration.us.sum`**
+:   Sum of network programming latency in microseconds
+
+type: long
+
+
+**`kubernetes.proxy.sync.networkprogramming.duration.us.count`**
+:   Number of network programming latency operations
+
+type: long
+
+
+**`kubernetes.proxy.sync.networkprogramming.duration.us.bucket.*`**
+:   Network programming latency distribution in histogram buckets
+
+type: object
+
+
+
+## scheduler [_scheduler]
+
+Kubernetes scheduler metrics
+
+**`kubernetes.scheduler.verb`**
+:   HTTP verb
+
+type: keyword
+
+
+**`kubernetes.scheduler.host`**
+:   HTTP host
+
+type: keyword
+
+
+**`kubernetes.scheduler.code`**
+:   HTTP code
+
+type: keyword
+
+
+**`kubernetes.scheduler.method`**
+:   HTTP method
+
+type: keyword
+
+
+**`kubernetes.scheduler.queue`**
+:   Scheduling queue
+
+type: keyword
+
+
+**`kubernetes.scheduler.event`**
+:   Scheduling event
+
+type: keyword
+
+
+**`kubernetes.scheduler.profile`**
+:   Scheduling profile
+
+type: keyword
+
+
+**`kubernetes.scheduler.result`**
+:   Attempt result to schedule pod
+
+type: keyword
+
+
+**`kubernetes.scheduler.name`**
+:   Name for the resource
+
+type: keyword
+
+
+**`kubernetes.scheduler.leader.is_master`**
+:   Whether the scheduler instance is leader
+
+type: boolean
+
+
+**`kubernetes.scheduler.process.cpu.sec`**
+:   Total user and system CPU time spent in seconds
+
+type: double
+
+
+**`kubernetes.scheduler.process.memory.resident.bytes`**
+:   Bytes in resident memory
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.scheduler.process.memory.virtual.bytes`**
+:   Bytes in virtual memory
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.scheduler.process.fds.open.count`**
+:   Number of open file descriptors
+
+type: long
+
+
+**`kubernetes.scheduler.process.fds.max.count`**
+:   Limit for open file descriptors
+
+type: long
+
+
+**`kubernetes.scheduler.process.started.sec`**
+:   Start time of the process since unix epoch in seconds
+
+type: double
+
+
+**`kubernetes.scheduler.client.request.count`**
+:   Number of HTTP requests to API server, broken down by status code, method and host
+
+type: long
+
+
+**`kubernetes.scheduler.client.request.duration.us.sum`**
+:   Sum of requests latency in microseconds, broken down by verb and host
+
+type: long
+
+
+**`kubernetes.scheduler.client.request.duration.us.count`**
+:   Number of request duration operations to API server, broken down by verb and host
+
+type: long
+
+
+**`kubernetes.scheduler.client.request.duration.us.bucket.*`**
+:   Requests latency distribution in histogram buckets, broken down by verb and host
+
+type: object
+
+
+**`kubernetes.scheduler.client.request.size.bytes.sum`**
+:   Requests size sum in bytes, broken down by verb and host
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.scheduler.client.request.size.bytes.count`**
+:   Number of requests, broken down by verb and host
+
+type: long
+
+
+**`kubernetes.scheduler.client.request.size.bytes.bucket.*`**
+:   Requests size distribution in histogram buckets, broken down by verb and host
+
+type: object
+
+
+**`kubernetes.scheduler.client.response.size.bytes.count`**
+:   Number of responses, broken down by verb and host
+
+type: long
+
+
+**`kubernetes.scheduler.client.response.size.bytes.sum`**
+:   Responses size sum in bytes, broken down by verb and host
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.scheduler.client.response.size.bytes.bucket.*`**
+:   Responses size distribution in histogram buckets, broken down by verb and host
+
+type: object
+
+
+**`kubernetes.scheduler.workqueue.longestrunning.sec`**
+:   How many seconds has the longest running processor been running, broken down by workqueue name
+
+type: double
+
+
+**`kubernetes.scheduler.workqueue.unfinished.sec`**
+:   How many seconds of work has done that is in progress and hasn’t been considered in the longest running processor, broken down by workqueue name
+
+type: double
+
+
+**`kubernetes.scheduler.workqueue.adds.count`**
+:   Workqueue add count, broken down by workqueue name
+
+type: long
+
+
+**`kubernetes.scheduler.workqueue.depth.count`**
+:   Workqueue current depth, broken down by workqueue name
+
+type: long
+
+
+**`kubernetes.scheduler.workqueue.retries.count`**
+:   Workqueue number of retries, broken down by workqueue name
+
+type: long
+
+
+**`kubernetes.scheduler.scheduling.pending.pods.count`**
+:   Number of current pending pods, broken down by the queue type
+
+type: long
+
+
+**`kubernetes.scheduler.scheduling.preemption.victims.bucket.*`**
+:   Number of preemption victims distribution in histogram buckets
+
+type: object
+
+
+**`kubernetes.scheduler.scheduling.preemption.victims.sum`**
+:   Preemption victims sum
+
+type: long
+
+
+**`kubernetes.scheduler.scheduling.preemption.victims.count`**
+:   Number of preemption victims
+
+type: long
+
+
+**`kubernetes.scheduler.scheduling.preemption.attempts.count`**
+:   Total preemption attempts in the cluster so far
+
+type: long
+
+
+**`kubernetes.scheduler.scheduling.attempts.duration.us.bucket.*`**
+:   Scheduling attempt latency distribution in histogram buckets, broken down by profile and result
+
+type: object
+
+
+**`kubernetes.scheduler.scheduling.attempts.duration.us.sum`**
+:   Sum of scheduling attempt latency in microseconds, broken down by profile and result
+
+type: long
+
+
+**`kubernetes.scheduler.scheduling.attempts.duration.us.count`**
+:   Number of scheduling attempts, broken down by profile and result
+
+type: long
+
+
+
+## container [_container_6]
+
+kubernetes container metrics
+
+**`kubernetes.container.id`**
+:   Container id
+
+type: keyword
+
+
+**`kubernetes.container.status.phase`**
+:   Container phase (running, waiting, terminated)
+
+type: keyword
+
+
+**`kubernetes.container.status.ready`**
+:   Container ready status
+
+type: boolean
+
+
+**`kubernetes.container.status.restarts`**
+:   Container restarts count
+
+type: integer
+
+
+**`kubernetes.container.status.reason`**
+:   The reason the container is currently in waiting (ContainerCreating, CrashLoopBackoff, ErrImagePull, ImagePullBackoff) or terminated (Completed, ContainerCannotRun, Error, OOMKilled) state.
+
+type: keyword
+
+
+**`kubernetes.container.status.last_terminated_reason`**
+:   The last reason the container was in terminated state (Completed, ContainerCannotRun, Error or OOMKilled).
+
+type: keyword
+
+
+**`kubernetes.container.status.last_terminated_timestamp`**
+:   Last terminated time (epoch) of the container
+
+type: double
+
+
+**`kubernetes.container.cpu.limit.cores`**
+:   Container CPU cores limit
+
+type: float
+
+
+**`kubernetes.container.cpu.request.cores`**
+:   Container CPU requested cores
+
+type: float
+
+
+**`kubernetes.container.memory.limit.bytes`**
+:   Container memory limit in bytes
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.container.memory.request.bytes`**
+:   Container requested memory in bytes
+
+type: long
+
+format: bytes
+
+
+
+## cronjob [_cronjob]
+
+kubernetes cronjob metrics
+
+**`kubernetes.cronjob.name`**
+:   Cronjob name
+
+type: keyword
+
+
+**`kubernetes.cronjob.schedule`**
+:   Cronjob schedule
+
+type: keyword
+
+
+**`kubernetes.cronjob.concurrency`**
+:   Concurrency policy
+
+type: keyword
+
+
+**`kubernetes.cronjob.active.count`**
+:   Number of active pods for the cronjob
+
+type: long
+
+
+**`kubernetes.cronjob.is_suspended`**
+:   Whether the cronjob is suspended
+
+type: boolean
+
+
+**`kubernetes.cronjob.created.sec`**
+:   Epoch seconds since the cronjob was created
+
+type: double
+
+
+**`kubernetes.cronjob.last_schedule.sec`**
+:   Epoch seconds for last cronjob run
+
+type: double
+
+
+**`kubernetes.cronjob.next_schedule.sec`**
+:   Epoch seconds for next cronjob run
+
+type: double
+
+
+**`kubernetes.cronjob.deadline.sec`**
+:   Deadline seconds after schedule for considering failed
+
+type: long
+
+
+
+## daemonset [_daemonset]
+
+Kubernetes DaemonSet metrics
+
+**`kubernetes.daemonset.name`**
+:   type: keyword
+
+
+
+## replicas [_replicas]
+
+Kubernetes DaemonSet replica metrics
+
+**`kubernetes.daemonset.replicas.available`**
+:   The number of available replicas per DaemonSet
+
+type: long
+
+
+**`kubernetes.daemonset.replicas.desired`**
+:   The desired number of replicas per DaemonSet
+
+type: long
+
+
+**`kubernetes.daemonset.replicas.ready`**
+:   The number of ready replicas per DaemonSet
+
+type: long
+
+
+**`kubernetes.daemonset.replicas.unavailable`**
+:   The number of unavailable replicas per DaemonSet
+
+type: long
+
+
+
+## deployment [_deployment_2]
+
+kubernetes deployment metrics
+
+**`kubernetes.deployment.paused`**
+:   Kubernetes deployment paused status
+
+type: boolean
+
+
+**`kubernetes.deployment.status.available`**
+:   Deployment Available Condition status (true, false or unknown)
+
+type: keyword
+
+
+**`kubernetes.deployment.status.progressing`**
+:   Deployment Progresing Condition status (true, false or unknown)
+
+type: keyword
+
+
+
+## replicas [_replicas_2]
+
+Kubernetes deployment replicas info
+
+**`kubernetes.deployment.replicas.desired`**
+:   Deployment number of desired replicas (spec)
+
+type: integer
+
+
+**`kubernetes.deployment.replicas.available`**
+:   Deployment available replicas
+
+type: integer
+
+
+**`kubernetes.deployment.replicas.unavailable`**
+:   Deployment unavailable replicas
+
+type: integer
+
+
+**`kubernetes.deployment.replicas.updated`**
+:   Deployment updated replicas
+
+type: integer
+
+
+
+## job [_job]
+
+Kubernetes job metrics
+
+**`kubernetes.job.name`**
+:   The name of the job resource
+
+type: keyword
+
+
+
+## pods [_pods]
+
+Pod metrics for the job
+
+**`kubernetes.job.pods.active`**
+:   Number of active pods
+
+type: long
+
+
+**`kubernetes.job.pods.failed`**
+:   Number of failed pods
+
+type: long
+
+
+**`kubernetes.job.pods.succeeded`**
+:   Number of successful pods
+
+type: long
+
+
+
+## time [_time]
+
+Kubernetes job timestamps
+
+**`kubernetes.job.time.created`**
+:   The time at which the job was created
+
+type: date
+
+
+**`kubernetes.job.time.completed`**
+:   The time at which the job completed
+
+type: date
+
+
+
+## completions [_completions]
+
+Kubernetes job completion settings
+
+**`kubernetes.job.completions.desired`**
+:   The configured completion count for the job (Spec)
+
+type: long
+
+
+
+## parallelism [_parallelism]
+
+Kubernetes job parallelism settings
+
+**`kubernetes.job.parallelism.desired`**
+:   The configured parallelism of the job (Spec)
+
+type: long
+
+
+
+## owner [_owner]
+
+Kubernetes job owner information
+
+**`kubernetes.job.owner.name`**
+:   The name of the resource that owns this job
+
+type: keyword
+
+
+**`kubernetes.job.owner.kind`**
+:   The kind of resource that owns this job (eg. "CronJob")
+
+type: keyword
+
+
+**`kubernetes.job.owner.is_controller`**
+:   Owner is controller ("true", "false", or "<none>")
+
+type: keyword
+
+
+
+## status [_status_3]
+
+Kubernetes job status information
+
+**`kubernetes.job.status.complete`**
+:   Whether the job completed ("true", "false", or "unknown")
+
+type: keyword
+
+
+**`kubernetes.job.status.failed`**
+:   Whether the job failed ("true", "false", or "unknown")
+
+type: keyword
+
+
+
+## state_namespace [_state_namespace]
+
+Kubernetes namespace metrics.
+
+**`kubernetes.state_namespace.created.sec`**
+:   Unix creation timestamp.
+
+type: double
+
+
+**`kubernetes.state_namespace.status.active`**
+:   Whether the namespace is active (true or false).
+
+type: boolean
+
+
+**`kubernetes.state_namespace.status.terminating`**
+:   Whether the namespace is terminating (true or false).
+
+type: boolean
+
+
+
+## node [_node_5]
+
+kubernetes node metrics
+
+**`kubernetes.node.status.ready`**
+:   Node ready status (true, false or unknown)
+
+type: keyword
+
+
+**`kubernetes.node.status.unschedulable`**
+:   Node unschedulable status
+
+type: boolean
+
+
+**`kubernetes.node.status.memory_pressure`**
+:   Node MemoryPressure status (true, false or unknown)
+
+type: keyword
+
+
+**`kubernetes.node.status.disk_pressure`**
+:   Node DiskPressure status (true, false or unknown)
+
+type: keyword
+
+
+**`kubernetes.node.status.out_of_disk`**
+:   Node OutOfDisk status (true, false or unknown)
+
+type: keyword
+
+
+**`kubernetes.node.status.pid_pressure`**
+:   Node PIDPressure status (true, false or unknown)
+
+type: keyword
+
+
+**`kubernetes.node.status.network_unavailable`**
+:   Node NetworkUnavailable status (true, false or unknown)
+
+type: keyword
+
+
+**`kubernetes.node.cpu.allocatable.cores`**
+:   The allocatable CPU cores of a node that are available for pods scheduling
+
+type: float
+
+
+**`kubernetes.node.cpu.capacity.cores`**
+:   Node CPU capacity cores
+
+type: long
+
+
+**`kubernetes.node.memory.allocatable.bytes`**
+:   The allocatable memory of a node in bytes that is available for pods scheduling
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.node.memory.capacity.bytes`**
+:   Node memory capacity in bytes
+
+type: long
+
+format: bytes
+
+
+**`kubernetes.node.pod.allocatable.total`**
+:   Node allocatable pods
+
+type: long
+
+
+**`kubernetes.node.pod.capacity.total`**
+:   Node pod capacity
+
+type: long
+
+
+**`kubernetes.node.kubelet.version`**
+:   Kubelet version.
+
+type: keyword
+
+
+
+## persistentvolume [_persistentvolume]
+
+kubernetes persistent volume metrics from kube-state-metrics
+
+**`kubernetes.persistentvolume.name`**
+:   Volume name.
+
+type: keyword
+
+
+**`kubernetes.persistentvolume.capacity.bytes`**
+:   Volume capacity
+
+type: long
+
+
+**`kubernetes.persistentvolume.phase`**
+:   Volume phase according to kubernetes
+
+type: keyword
+
+
+**`kubernetes.persistentvolume.storage_class`**
+:   Storage class for the volume
+
+type: keyword
+
+
+
+## persistentvolumeclaim [_persistentvolumeclaim]
+
+kubernetes persistent volume claim metrics from kube-state-metrics
+
+**`kubernetes.persistentvolumeclaim.name`**
+:   PVC name.
+
+type: keyword
+
+
+**`kubernetes.persistentvolumeclaim.volume_name`**
+:   Binded volume name.
+
+type: keyword
+
+
+**`kubernetes.persistentvolumeclaim.request_storage.bytes`**
+:   Requested capacity.
+
+type: long
+
+
+**`kubernetes.persistentvolumeclaim.phase`**
+:   PVC phase.
+
+type: keyword
+
+
+**`kubernetes.persistentvolumeclaim.access_mode`**
+:   Access mode.
+
+type: keyword
+
+
+**`kubernetes.persistentvolumeclaim.storage_class`**
+:   Storage class for the PVC.
+
+type: keyword
+
+
+**`kubernetes.persistentvolumeclaim.created`**
+:   PersistentVolumeClaim creation date
+
+type: date
+
+
+
+## pod [_pod_2]
+
+kubernetes pod metrics
+
+**`kubernetes.pod.host_ip`**
+:   Kubernetes pod host IP
+
+type: ip
+
+
+
+## status [_status_4]
+
+Kubernetes pod status metrics
+
+**`kubernetes.pod.status.phase`**
+:   Kubernetes pod phase (Running, Pending…​)
+
+type: keyword
+
+
+**`kubernetes.pod.status.ready`**
+:   Kubernetes pod ready status (true, false or unknown)
+
+type: keyword
+
+
+**`kubernetes.pod.status.scheduled`**
+:   Kubernetes pod scheduled status (true, false, unknown)
+
+type: keyword
+
+
+**`kubernetes.pod.status.reason`**
+:   The reason the pod is in its current state (Evicted, NodeAffinity, NodeLost, Shutdown or UnexpectedAdmissionError)
+
+type: keyword
+
+
+**`kubernetes.pod.status.ready_time`**
+:   Readiness achieved time in unix timestamp for a pod
+
+type: double
+
+
+
+## replicaset [_replicaset]
+
+kubernetes replica set metrics
+
+
+## replicas [_replicas_3]
+
+Kubernetes replica set paused status
+
+**`kubernetes.replicaset.replicas.available`**
+:   The number of replicas per ReplicaSet
+
+type: long
+
+
+**`kubernetes.replicaset.replicas.desired`**
+:   The number of replicas per ReplicaSet
+
+type: long
+
+
+**`kubernetes.replicaset.replicas.ready`**
+:   The number of ready replicas per ReplicaSet
+
+type: long
+
+
+**`kubernetes.replicaset.replicas.observed`**
+:   The generation observed by the ReplicaSet controller
+
+type: long
+
+
+**`kubernetes.replicaset.replicas.labeled`**
+:   The number of fully labeled replicas per ReplicaSet
+
+type: long
+
+
+
+## resourcequota [_resourcequota]
+
+kubernetes resourcequota metrics
+
+**`kubernetes.resourcequota.created.sec`**
+:   Epoch seconds since the ResourceQuota was created
+
+type: double
+
+
+**`kubernetes.resourcequota.quota`**
+:   Quota informed (hard or used) for the resource
+
+type: double
+
+
+**`kubernetes.resourcequota.name`**
+:   ResourceQuota name
+
+type: keyword
+
+
+**`kubernetes.resourcequota.type`**
+:   Quota information type, `hard` or `used`
+
+type: keyword
+
+
+**`kubernetes.resourcequota.resource`**
+:   Resource name the quota applies to
+
+type: keyword
+
+
+
+## service [_service_3]
+
+kubernetes service metrics
+
+**`kubernetes.service.name`**
+:   Service name.
+
+type: keyword
+
+
+**`kubernetes.service.cluster_ip`**
+:   Internal IP for the service.
+
+type: keyword
+
+
+**`kubernetes.service.external_name`**
+:   Service external DNS name
+
+type: keyword
+
+
+**`kubernetes.service.external_ip`**
+:   Service external IP
+
+type: keyword
+
+
+**`kubernetes.service.load_balancer_ip`**
+:   Load Balancer service IP
+
+type: keyword
+
+
+**`kubernetes.service.type`**
+:   Service type
+
+type: keyword
+
+
+**`kubernetes.service.ingress_ip`**
+:   Ingress IP
+
+type: keyword
+
+
+**`kubernetes.service.ingress_hostname`**
+:   Ingress Hostname
+
+type: keyword
+
+
+**`kubernetes.service.created`**
+:   Service creation date
+
+type: date
+
+
+
+## statefulset [_statefulset]
+
+kubernetes stateful set metrics
+
+**`kubernetes.statefulset.created`**
+:   The creation timestamp (epoch) for StatefulSet
+
+type: long
+
+
+
+## replicas [_replicas_4]
+
+Kubernetes stateful set replicas status
+
+**`kubernetes.statefulset.replicas.observed`**
+:   The number of observed replicas per StatefulSet
+
+type: long
+
+
+**`kubernetes.statefulset.replicas.desired`**
+:   The number of desired replicas per StatefulSet
+
+type: long
+
+
+**`kubernetes.statefulset.replicas.ready`**
+:   The number of ready replicas per StatefulSet
+
+type: long
+
+
+
+## generation [_generation]
+
+Kubernetes stateful set generation information
+
+**`kubernetes.statefulset.generation.observed`**
+:   The observed generation per StatefulSet
+
+type: long
+
+
+**`kubernetes.statefulset.generation.desired`**
+:   The desired generation per StatefulSet
+
+type: long
+
+
+
+## storageclass [_storageclass]
+
+kubernetes storage class metrics
+
+**`kubernetes.storageclass.name`**
+:   Storage class name.
+
+type: keyword
+
+
+**`kubernetes.storageclass.provisioner`**
+:   Volume provisioner for the storage class.
+
+type: keyword
+
+
+**`kubernetes.storageclass.reclaim_policy`**
+:   Reclaim policy for dynamically created volumes
+
+type: keyword
+
+
+**`kubernetes.storageclass.volume_binding_mode`**
+:   Mode for default provisioning and binding
+
+type: keyword
+
+
+**`kubernetes.storageclass.created`**
+:   Storage class creation date
+
+type: date
+
+
+
+## system [_system_3]
+
+kubernetes system containers metrics
+
+**`kubernetes.system.container`**
+:   Container name
+
+type: keyword
+
+
+**`kubernetes.system.start_time`**
+:   Start time
+
+type: date
+
+
+
+## cpu [_cpu_9]
+
+CPU usage metrics
+
+**`kubernetes.system.cpu.usage.core.ns`**
+:   CPU Core usage nanoseconds
+
+type: double
+
+
+**`kubernetes.system.cpu.usage.nanocores`**
+:   CPU used nanocores
+
+type: double
+
+
+**`kubernetes.system.memory.usage.bytes`**
+:   Total memory usage
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.system.memory.rss.bytes`**
+:   RSS memory usage
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.system.memory.workingset.bytes`**
+:   Working set memory usage
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.system.memory.pagefaults`**
+:   Number of page faults
+
+type: double
+
+
+**`kubernetes.system.memory.majorpagefaults`**
+:   Number of major page faults
+
+type: double
+
+
+
+## volume [_volume]
+
+kubernetes volume metrics
+
+**`kubernetes.volume.name`**
+:   Volume name
+
+type: keyword
+
+
+**`kubernetes.volume.fs.capacity.bytes`**
+:   Filesystem total capacity in bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.volume.fs.available.bytes`**
+:   Filesystem total available in bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.volume.fs.used.bytes`**
+:   Filesystem total used in bytes
+
+type: double
+
+format: bytes
+
+
+**`kubernetes.volume.fs.used.pct`**
+:   Percentage of used storage
+
+type: scaled_float
+
+format: percent
+
+
+**`kubernetes.volume.fs.inodes.used`**
+:   Used inodes
+
+type: double
+
+
+**`kubernetes.volume.fs.inodes.free`**
+:   Free inodes
+
+type: double
+
+
+**`kubernetes.volume.fs.inodes.count`**
+:   Total inodes
+
+type: double
+
+
+**`kubernetes.volume.fs.inodes.pct`**
+:   Percentage of used inodes
+
+type: scaled_float
+
+format: percent
+
+
diff --git a/docs/reference/metricbeat/exported-fields-kvm.md b/docs/reference/metricbeat/exported-fields-kvm.md
new file mode 100644
index 000000000000..c02920daa77b
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-kvm.md
@@ -0,0 +1,69 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-kvm.html
+---
+
+# KVM fields [exported-fields-kvm]
+
+kvm module
+
+**`kvm.id`**
+:   Domain id
+
+type: long
+
+
+**`kvm.name`**
+:   Domain name
+
+type: keyword
+
+
+
+## kvm [_kvm]
+
+
+## dommemstat [_dommemstat]
+
+dommemstat
+
+
+## stat [_stat_2]
+
+Memory stat
+
+**`kvm.dommemstat.stat.name`**
+:   Memory stat name
+
+type: keyword
+
+
+**`kvm.dommemstat.stat.value`**
+:   Memory stat value
+
+type: long
+
+
+**`kvm.dommemstat.id`**
+:   Domain id
+
+type: long
+
+
+**`kvm.dommemstat.name`**
+:   Domain name
+
+type: keyword
+
+
+
+## status [_status_5]
+
+status
+
+**`kvm.status.state`**
+:   Domain state
+
+type: keyword
+
+
diff --git a/docs/reference/metricbeat/exported-fields-linux.md b/docs/reference/metricbeat/exported-fields-linux.md
new file mode 100644
index 000000000000..324f983de475
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-linux.md
@@ -0,0 +1,694 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-linux.html
+---
+
+# Linux fields [exported-fields-linux]
+
+linux module
+
+
+## linux [_linux]
+
+linux system metrics
+
+
+## conntrack [_conntrack]
+
+conntrack
+
+
+## summary [_summary_5]
+
+summary of nf_conntrack statistics, summed across CPU cores
+
+**`linux.conntrack.summary.drop`**
+:   packets dropped due to conntrack failiure
+
+type: long
+
+
+**`linux.conntrack.summary.early_drop`**
+:   conntrack entries dropped to make room for new ones
+
+type: long
+
+
+**`linux.conntrack.summary.entries`**
+:   entries in the conntrack table
+
+type: long
+
+
+**`linux.conntrack.summary.found`**
+:   successfully searched entries
+
+type: long
+
+
+**`linux.conntrack.summary.ignore`**
+:   packets seen already connected to a conntrack entry
+
+type: long
+
+
+**`linux.conntrack.summary.insert_failed`**
+:   Number of entries where list insert insert failed
+
+type: long
+
+
+**`linux.conntrack.summary.invalid`**
+:   packets seen that cannot be tracked
+
+type: long
+
+
+**`linux.conntrack.summary.search_restart`**
+:   table lookups which had to be restarted due to table resizes
+
+type: long
+
+
+
+## iostat [_iostat]
+
+iostat
+
+**`linux.iostat.read.request.merges_per_sec`**
+:   The number of read requests merged per second that were queued to the device.
+
+type: float
+
+
+**`linux.iostat.write.request.merges_per_sec`**
+:   The number of write requests merged per second that were queued to the device.
+
+type: float
+
+
+**`linux.iostat.read.request.per_sec`**
+:   The number of read requests that were issued to the device per second
+
+type: float
+
+
+**`linux.iostat.write.request.per_sec`**
+:   The number of write requests that were issued to the device per second
+
+type: float
+
+
+**`linux.iostat.read.per_sec.bytes`**
+:   The number of Bytes read from the device per second.
+
+type: float
+
+format: bytes
+
+
+**`linux.iostat.read.await`**
+:   The average time spent for read requests issued to the device to be served.
+
+type: float
+
+
+**`linux.iostat.write.per_sec.bytes`**
+:   The number of Bytes write from the device per second.
+
+type: float
+
+format: bytes
+
+
+**`linux.iostat.write.await`**
+:   The average time spent for write requests issued to the device to be served.
+
+type: float
+
+
+**`linux.iostat.request.avg_size`**
+:   The average size (in bytes) of the requests that were issued to the device.
+
+type: float
+
+
+**`linux.iostat.queue.avg_size`**
+:   The average queue length of the requests that were issued to the device.
+
+type: float
+
+
+**`linux.iostat.await`**
+:   The average time spent for requests issued to the device to be served.
+
+type: float
+
+
+**`linux.iostat.service_time`**
+:   The average service time (in milliseconds) for I/O requests that were issued to the device.
+
+type: float
+
+
+**`linux.iostat.busy`**
+:   Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%.
+
+type: float
+
+
+
+## ksm [_ksm]
+
+ksm
+
+
+## stats [_stats_6]
+
+KSM statistics
+
+**`linux.ksm.stats.pages_shared`**
+:   Shared pages in use.
+
+type: long
+
+
+**`linux.ksm.stats.pages_sharing`**
+:   Sites sharing pages.
+
+type: long
+
+
+**`linux.ksm.stats.pages_unshared`**
+:   Unique pages.
+
+type: long
+
+
+**`linux.ksm.stats.full_scans`**
+:   Number of times mergable pages have been scanned.
+
+type: long
+
+
+**`linux.ksm.stats.stable_node_chains`**
+:   Pages that have reached max_page_sharing.
+
+type: long
+
+
+**`linux.ksm.stats.stable_node_dups`**
+:   Number of duplicated KSM pages.
+
+type: long
+
+
+
+## memory [_memory_8]
+
+Linux memory data
+
+
+## page_stats [_page_stats]
+
+memory page statistics
+
+**`linux.memory.page_stats.pgscan_kswapd.pages`**
+:   pages scanned by kswapd
+
+type: long
+
+format: number
+
+
+**`linux.memory.page_stats.pgscan_direct.pages`**
+:   pages scanned directly
+
+type: long
+
+format: number
+
+
+**`linux.memory.page_stats.pgfree.pages`**
+:   pages freed by the system
+
+type: long
+
+format: number
+
+
+**`linux.memory.page_stats.pgsteal_kswapd.pages`**
+:   number of pages reclaimed by kswapd
+
+type: long
+
+format: number
+
+
+**`linux.memory.page_stats.pgsteal_direct.pages`**
+:   number of pages reclaimed directly
+
+type: long
+
+format: number
+
+
+**`linux.memory.page_stats.direct_efficiency.pct`**
+:   direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory.
+
+type: scaled_float
+
+format: percent
+
+
+**`linux.memory.page_stats.kswapd_efficiency.pct`**
+:   kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory.
+
+type: scaled_float
+
+format: percent
+
+
+
+## hugepages [_hugepages]
+
+This group contains statistics related to huge pages usage on the system.
+
+**`linux.memory.hugepages.total`**
+:   Number of huge pages in the pool.
+
+type: long
+
+format: number
+
+
+**`linux.memory.hugepages.used.bytes`**
+:   Memory used in allocated huge pages.
+
+type: long
+
+format: bytes
+
+
+**`linux.memory.hugepages.used.pct`**
+:   Percentage of huge pages used.
+
+type: long
+
+format: percent
+
+
+**`linux.memory.hugepages.free`**
+:   Number of available huge pages in the pool.
+
+type: long
+
+format: number
+
+
+**`linux.memory.hugepages.reserved`**
+:   Number of reserved but not allocated huge pages in the pool.
+
+type: long
+
+format: number
+
+
+**`linux.memory.hugepages.surplus`**
+:   Number of overcommited huge pages.
+
+type: long
+
+format: number
+
+
+**`linux.memory.hugepages.default_size`**
+:   Default size for huge pages.
+
+type: long
+
+format: bytes
+
+
+
+## swap [_swap_2]
+
+This group contains statistics related to the swap memory usage on the system.
+
+**`linux.memory.swap.total`**
+:   Total swap memory.
+
+type: long
+
+format: bytes
+
+
+**`linux.memory.swap.used.bytes`**
+:   Used swap memory.
+
+type: long
+
+format: bytes
+
+
+**`linux.memory.swap.free`**
+:   Available swap memory.
+
+type: long
+
+format: bytes
+
+
+**`linux.memory.swap.used.pct`**
+:   The percentage of used swap memory.
+
+type: scaled_float
+
+format: percent
+
+
+**`linux.memory.swap.in.pages`**
+:   Pages swapped in.
+
+type: long
+
+
+**`linux.memory.swap.out.pages`**
+:   Pages swapped out.
+
+type: long
+
+
+**`linux.memory.swap.readahead.cached`**
+:   Swap readahead pages hit from swap_ra_hit.
+
+type: long
+
+
+**`linux.memory.swap.readahead.pages`**
+:   Pages swapped based on readahead predictions.
+
+type: long
+
+
+
+## pageinfo [_pageinfo]
+
+pageinfo
+
+
+## buddy_info [_buddy_info]
+
+Data from /proc/buddyinfo grouping used pages by order
+
+
+## DMA [_dma]
+
+DMA page Data
+
+**`linux.pageinfo.buddy_info.DMA.0`**
+:   free chunks of 2^0*PAGE_SIZE
+
+type: long
+
+
+**`linux.pageinfo.buddy_info.DMA.1`**
+:   free chunks of 2^1*PAGE_SIZE
+
+type: long
+
+
+**`linux.pageinfo.buddy_info.DMA.2`**
+:   free chunks of 2^2*PAGE_SIZE
+
+type: long
+
+
+**`linux.pageinfo.buddy_info.DMA.3`**
+:   free chunks of 2^3*PAGE_SIZE
+
+type: long
+
+
+**`linux.pageinfo.buddy_info.DMA.4`**
+:   free chunks of 2^4*PAGE_SIZE
+
+type: long
+
+
+**`linux.pageinfo.buddy_info.DMA.5`**
+:   free chunks of 2^5*PAGE_SIZE
+
+type: long
+
+
+**`linux.pageinfo.buddy_info.DMA.6`**
+:   free chunks of 2^6*PAGE_SIZE
+
+type: long
+
+
+**`linux.pageinfo.buddy_info.DMA.7`**
+:   free chunks of 2^7*PAGE_SIZE
+
+type: long
+
+
+**`linux.pageinfo.buddy_info.DMA.8`**
+:   free chunks of 2^8*PAGE_SIZE
+
+type: long
+
+
+**`linux.pageinfo.buddy_info.DMA.9`**
+:   free chunks of 2^9*PAGE_SIZE
+
+type: long
+
+
+**`linux.pageinfo.buddy_info.DMA.10`**
+:   free chunks of 2^10*PAGE_SIZE
+
+type: long
+
+
+**`linux.pageinfo.nodes.*`**
+:   Raw allocation info from /proc/pagetypeinfo
+
+type: object
+
+
+
+## pressure [_pressure]
+
+Linux pressure stall information metrics for cpu, memory, and io
+
+**`linux.pressure.cpu.some.10.pct`**
+:   The average share of time in which at least some tasks were stalled on CPU over a ten second window.
+
+type: float
+
+format: percent
+
+
+**`linux.pressure.cpu.some.60.pct`**
+:   The average share of time in which at least some tasks were stalled on CPU over a sixty second window.
+
+type: float
+
+format: percent
+
+
+**`linux.pressure.cpu.some.300.pct`**
+:   The average share of time in which at least some tasks were stalled on CPU over a three hundred second window.
+
+type: float
+
+format: percent
+
+
+**`linux.pressure.cpu.some.total.time.us`**
+:   The total absolute stall time (in microseconds) in which at least some tasks were stalled on CPU.
+
+type: long
+
+
+**`linux.pressure.memory.some.10.pct`**
+:   The average share of time in which at least some tasks were stalled on Memory over a ten second window.
+
+type: float
+
+format: percent
+
+
+**`linux.pressure.memory.some.60.pct`**
+:   The average share of time in which at least some tasks were stalled on Memory over a sixty second window.
+
+type: float
+
+format: percent
+
+
+**`linux.pressure.memory.some.300.pct`**
+:   The average share of time in which at least some tasks were stalled on Memory over a three hundred second window.
+
+type: float
+
+format: percent
+
+
+**`linux.pressure.memory.some.total.time.us`**
+:   The total absolute stall time (in microseconds) in which at least some tasks were stalled on memory.
+
+type: long
+
+
+**`linux.pressure.memory.full.10.pct`**
+:   The average share of time in which in which all non-idle tasks were stalled on memory simultaneously over a ten second window.
+
+type: float
+
+format: percent
+
+
+**`linux.pressure.memory.full.60.pct`**
+:   The average share of time in which in which all non-idle tasks were stalled on memory simultaneously over a sixty second window.
+
+type: float
+
+format: percent
+
+
+**`linux.pressure.memory.full.300.pct`**
+:   The average share of time in which in which all non-idle tasks were stalled on memory simultaneously over a three hundred second window.
+
+type: float
+
+format: percent
+
+
+**`linux.pressure.memory.full.total.time.us`**
+:   The total absolute stall time (in microseconds) in which in which all non-idle tasks were stalled on memory.
+
+type: long
+
+
+**`linux.pressure.io.some.10.pct`**
+:   The average share of time in which at least some tasks were stalled on io over a ten second window.
+
+type: float
+
+format: percent
+
+
+**`linux.pressure.io.some.60.pct`**
+:   The average share of time in which at least some tasks were stalled on io over a sixty second window.
+
+type: float
+
+format: percent
+
+
+**`linux.pressure.io.some.300.pct`**
+:   The average share of time in which at least some tasks were stalled on io over a three hundred second window.
+
+type: float
+
+format: percent
+
+
+**`linux.pressure.io.some.total.time.us`**
+:   The total absolute stall time (in microseconds) in which at least some tasks were stalled on io.
+
+type: long
+
+
+**`linux.pressure.io.full.10.pct`**
+:   The average share of time in which in which all non-idle tasks were stalled on io simultaneously over a ten second window.
+
+type: float
+
+format: percent
+
+
+**`linux.pressure.io.full.60.pct`**
+:   The average share of time in which in which all non-idle tasks were stalled on io simultaneously over a sixty second window.
+
+type: float
+
+format: percent
+
+
+**`linux.pressure.io.full.300.pct`**
+:   The average share of time in which in which all non-idle tasks were stalled on io simultaneously over a three hundred second window.
+
+type: float
+
+format: percent
+
+
+**`linux.pressure.io.full.total.time.us`**
+:   The total absolute stall time (in microseconds) in which in which all non-idle tasks were stalled on io.
+
+type: long
+
+
+
+## rapl [_rapl]
+
+Wattage as reported by Intel RAPL
+
+**`linux.rapl.core`**
+:   The core where the RAPL request originated from. Only one core is queried per hardware CPU.
+
+type: long
+
+
+**`linux.rapl.dram.watts`**
+:   Power usage in watts on the DRAM RAPL domain
+
+type: float
+
+
+**`linux.rapl.dram.joules`**
+:   Raw power usage counter for the DRAM domain
+
+type: float
+
+
+**`linux.rapl.pp0.watts`**
+:   Power usage in watts on the PP0 RAPL domain
+
+type: float
+
+
+**`linux.rapl.pp0.joules`**
+:   Raw power usage counter for the PP0 domain
+
+type: float
+
+
+**`linux.rapl.pp1.watts`**
+:   Power usage in watts on the PP1 RAPL domain
+
+type: float
+
+
+**`linux.rapl.pp1.joules`**
+:   Raw power usage counter for the PP1 domain
+
+type: float
+
+
+**`linux.rapl.package.watts`**
+:   Power usage in watts on the Package RAPL domain
+
+type: float
+
+
+**`linux.rapl.package.joules`**
+:   Raw power usage counter for the package domain
+
+type: float
+
+
diff --git a/docs/reference/metricbeat/exported-fields-logstash.md b/docs/reference/metricbeat/exported-fields-logstash.md
new file mode 100644
index 000000000000..1397796d7938
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-logstash.md
@@ -0,0 +1,327 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-logstash.html
+---
+
+# Logstash fields [exported-fields-logstash]
+
+Logstash module
+
+**`logstash_stats.timestamp`**
+:   type: alias
+
+alias to: @timestamp
+
+
+**`logstash_stats.jvm.mem.heap_used_in_bytes`**
+:   type: alias
+
+alias to: logstash.node.stats.jvm.mem.heap_used_in_bytes
+
+
+**`logstash_stats.jvm.mem.heap_max_in_bytes`**
+:   type: alias
+
+alias to: logstash.node.stats.jvm.mem.heap_max_in_bytes
+
+
+**`logstash_stats.jvm.uptime_in_millis`**
+:   type: alias
+
+alias to: logstash.node.stats.jvm.uptime_in_millis
+
+
+**`logstash_stats.events.in`**
+:   type: alias
+
+alias to: logstash.node.stats.events.in
+
+
+**`logstash_stats.events.out`**
+:   type: alias
+
+alias to: logstash.node.stats.events.out
+
+
+**`logstash_stats.events.duration_in_millis`**
+:   type: alias
+
+alias to: logstash.node.stats.events.duration_in_millis
+
+
+**`logstash_stats.logstash.uuid`**
+:   type: alias
+
+alias to: logstash.node.stats.logstash.uuid
+
+
+**`logstash_stats.logstash.version`**
+:   type: alias
+
+alias to: logstash.node.stats.logstash.version
+
+
+**`logstash_stats.pipelines`**
+:   type: nested
+
+
+**`logstash_stats.os.cpu.load_average.15m`**
+:   type: alias
+
+alias to: logstash.node.stats.os.cpu.load_average.15m
+
+
+**`logstash_stats.os.cpu.load_average.1m`**
+:   type: alias
+
+alias to: logstash.node.stats.os.cpu.load_average.1m
+
+
+**`logstash_stats.os.cpu.load_average.5m`**
+:   type: alias
+
+alias to: logstash.node.stats.os.cpu.load_average.5m
+
+
+**`logstash_stats.os.cgroup.cpuacct.usage_nanos`**
+:   type: alias
+
+alias to: logstash.node.stats.os.cgroup.cpuacct.usage_nanos
+
+
+**`logstash_stats.os.cgroup.cpu.cfs_quota_micros`**
+:   type: alias
+
+alias to: logstash.node.stats.os.cgroup.cpu.cfs_quota_micros
+
+
+**`logstash_stats.os.cgroup.cpu.stat.number_of_elapsed_periods`**
+:   type: alias
+
+alias to: logstash.node.stats.os.cgroup.cpu.stat.number_of_elapsed_periods
+
+
+**`logstash_stats.os.cgroup.cpu.stat.time_throttled_nanos`**
+:   type: alias
+
+alias to: logstash.node.stats.os.cgroup.cpu.stat.time_throttled_nanos
+
+
+**`logstash_stats.os.cgroup.cpu.stat.number_of_times_throttled`**
+:   type: alias
+
+alias to: logstash.node.stats.os.cgroup.cpu.stat.number_of_times_throttled
+
+
+**`logstash_stats.process.cpu.percent`**
+:   type: alias
+
+alias to: logstash.node.stats.process.cpu.percent
+
+
+**`logstash_stats.queue.events_count`**
+:   type: alias
+
+alias to: logstash.node.stats.queue.events_count
+
+
+**`logstash_state.pipeline.id`**
+:   type: alias
+
+alias to: logstash.node.state.pipeline.id
+
+
+**`logstash_state.pipeline.hash`**
+:   type: alias
+
+alias to: logstash.node.state.pipeline.hash
+
+
+**`logstash.elasticsearch.cluster.id`**
+:   type: keyword
+
+
+
+## node [_node_6]
+
+node
+
+
+## node [_node_7]
+
+node_stats metrics.
+
+**`logstash.node.id`**
+:   type: keyword
+
+
+**`logstash.node.state.pipeline.id`**
+:   type: keyword
+
+
+**`logstash.node.state.pipeline.hash`**
+:   type: keyword
+
+
+**`logstash.node.state.pipeline.ephemeral_id`**
+:   type: keyword
+
+
+**`logstash.node.state.pipeline.batch_size`**
+:   type: long
+
+
+**`logstash.node.state.pipeline.workers`**
+:   type: long
+
+
+**`logstash.node.state.pipeline.representation.hash`**
+:   type: keyword
+
+
+**`logstash.node.state.pipeline.representation.type`**
+:   type: keyword
+
+
+**`logstash.node.state.pipeline.representation.version`**
+:   type: keyword
+
+
+**`logstash.node.state.pipeline.representation.graph.edges`**
+:   type: object
+
+
+**`logstash.node.state.pipeline.representation.graph.vertices`**
+:   type: object
+
+
+**`logstash.node.host`**
+:   Host name
+
+type: alias
+
+alias to: host.hostname
+
+
+**`logstash.node.version`**
+:   Logstash Version
+
+type: alias
+
+alias to: service.version
+
+
+
+## jvm [_jvm_3]
+
+JVM Info
+
+**`logstash.node.jvm.version`**
+:   Version
+
+type: keyword
+
+
+**`logstash.node.jvm.pid`**
+:   Process ID
+
+type: alias
+
+alias to: process.pid
+
+
+**`logstash.node.stats.timestamp`**
+:   type: date
+
+
+**`logstash.node.stats.jvm.uptime_in_millis`**
+:   type: long
+
+
+**`logstash.node.stats.jvm.mem.heap_used_in_bytes`**
+:   type: long
+
+
+**`logstash.node.stats.jvm.mem.heap_max_in_bytes`**
+:   type: long
+
+
+
+## events [_events_2]
+
+Events stats
+
+**`logstash.node.stats.events.in`**
+:   Incoming events counter.
+
+type: long
+
+
+**`logstash.node.stats.events.out`**
+:   Outgoing events counter.
+
+type: long
+
+
+**`logstash.node.stats.events.filtered`**
+:   Filtered events counter.
+
+type: long
+
+
+**`logstash.node.stats.events.duration_in_millis`**
+:   type: long
+
+
+**`logstash.node.stats.logstash.uuid`**
+:   type: keyword
+
+
+**`logstash.node.stats.logstash.version`**
+:   type: keyword
+
+
+**`logstash.node.stats.os.cpu.load_average.15m`**
+:   type: half_float
+
+
+**`logstash.node.stats.os.cpu.load_average.1m`**
+:   type: half_float
+
+
+**`logstash.node.stats.os.cpu.load_average.5m`**
+:   type: half_float
+
+
+**`logstash.node.stats.os.cgroup.cpuacct.usage_nanos`**
+:   type: long
+
+
+**`logstash.node.stats.os.cgroup.cpu.cfs_quota_micros`**
+:   type: long
+
+
+**`logstash.node.stats.os.cgroup.cpu.stat.number_of_elapsed_periods`**
+:   type: long
+
+
+**`logstash.node.stats.os.cgroup.cpu.stat.time_throttled_nanos`**
+:   type: long
+
+
+**`logstash.node.stats.os.cgroup.cpu.stat.number_of_times_throttled`**
+:   type: long
+
+
+**`logstash.node.stats.process.cpu.percent`**
+:   type: double
+
+
+**`logstash.node.stats.pipelines`**
+:   type: nested
+
+
+**`logstash.node.stats.queue.events_count`**
+:   type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-memcached.md b/docs/reference/metricbeat/exported-fields-memcached.md
new file mode 100644
index 000000000000..3c579956990c
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-memcached.md
@@ -0,0 +1,119 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-memcached.html
+---
+
+# Memcached fields [exported-fields-memcached]
+
+Memcached module
+
+
+## memcached [_memcached]
+
+
+## stats [_stats_7]
+
+stats
+
+**`memcached.stats.pid`**
+:   Current process ID of the Memcached task.
+
+type: long
+
+
+**`memcached.stats.uptime.sec`**
+:   Memcached server uptime.
+
+type: long
+
+
+**`memcached.stats.threads`**
+:   Number of threads used by the current Memcached server process.
+
+type: long
+
+
+**`memcached.stats.connections.current`**
+:   Number of open connections to this Memcached server, should be the same value on all servers during normal operation.
+
+type: long
+
+
+**`memcached.stats.connections.total`**
+:   Numer of successful connect attempts to this server since it has been started.
+
+type: long
+
+
+**`memcached.stats.get.hits`**
+:   Number of successful "get" commands (cache hits) since startup, divide them by the "cmd_get" value to get the cache hitrate.
+
+type: long
+
+
+**`memcached.stats.get.misses`**
+:   Number of failed "get" requests because nothing was cached for this key or the cached value was too old.
+
+type: long
+
+
+**`memcached.stats.cmd.get`**
+:   Number of "get" commands received since server startup not counting if they were successful or not.
+
+type: long
+
+
+**`memcached.stats.cmd.set`**
+:   Number of "set" commands serviced since startup.
+
+type: long
+
+
+**`memcached.stats.read.bytes`**
+:   Total number of bytes received from the network by this server.
+
+type: long
+
+
+**`memcached.stats.written.bytes`**
+:   Total number of bytes send to the network by this server.
+
+type: long
+
+
+**`memcached.stats.items.current`**
+:   Number of items currently in this server’s cache.
+
+type: long
+
+
+**`memcached.stats.items.total`**
+:   Number of items stored ever stored on this server. This is no "maximum item count" value but a counted increased by every new item stored in the cache.
+
+type: long
+
+
+**`memcached.stats.evictions`**
+:   Number of objects removed from the cache to free up memory for new items because Memcached reached it’s maximum memory setting (limit_maxbytes).
+
+type: long
+
+
+**`memcached.stats.bytes.current`**
+:   Number of bytes currently used for caching items.
+
+type: long
+
+
+**`memcached.stats.bytes.limit`**
+:   Number of bytes this server is allowed to use for storage.
+
+type: long
+
+
+$$$exported-fields-meraki$$$
+
+**`meraki.device.serial`**
+:   type: keyword
+
+
diff --git a/docs/reference/metricbeat/exported-fields-mongodb.md b/docs/reference/metricbeat/exported-fields-mongodb.md
new file mode 100644
index 000000000000..c9932548e87d
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-mongodb.md
@@ -0,0 +1,2100 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-mongodb.html
+---
+
+# MongoDB fields [exported-fields-mongodb]
+
+Metrics collected from MongoDB servers.
+
+
+## mongodb [_mongodb]
+
+MongoDB metrics.
+
+
+## collstats [_collstats]
+
+MongoDB collection statistics metrics.
+
+**`mongodb.collstats.db`**
+:   Database name.
+
+type: keyword
+
+
+**`mongodb.collstats.collection`**
+:   Collection name.
+
+type: keyword
+
+
+**`mongodb.collstats.name`**
+:   Combination of database and collection name.
+
+type: keyword
+
+
+**`mongodb.collstats.total.time.us`**
+:   Total waiting time for locks in microseconds.
+
+type: long
+
+
+**`mongodb.collstats.total.count`**
+:   Total number of lock wait events.
+
+type: long
+
+
+**`mongodb.collstats.lock.read.time.us`**
+:   Time waiting for read locks in microseconds.
+
+type: long
+
+
+**`mongodb.collstats.lock.read.count`**
+:   Number of read lock wait events.
+
+type: long
+
+
+**`mongodb.collstats.lock.write.time.us`**
+:   Time waiting for write locks in microseconds.
+
+type: long
+
+
+**`mongodb.collstats.lock.write.count`**
+:   Number of write lock wait events.
+
+type: long
+
+
+**`mongodb.collstats.queries.time.us`**
+:   Time running queries in microseconds.
+
+type: long
+
+
+**`mongodb.collstats.queries.count`**
+:   Number of queries executed.
+
+type: long
+
+
+**`mongodb.collstats.getmore.time.us`**
+:   Time asking for more cursor rows in microseconds.
+
+type: long
+
+
+**`mongodb.collstats.getmore.count`**
+:   Number of times a cursor asked for more data.
+
+type: long
+
+
+**`mongodb.collstats.insert.time.us`**
+:   Time inserting new documents in microseconds.
+
+type: long
+
+
+**`mongodb.collstats.insert.count`**
+:   Number of document insert events.
+
+type: long
+
+
+**`mongodb.collstats.update.time.us`**
+:   Time updating documents in microseconds.
+
+type: long
+
+
+**`mongodb.collstats.update.count`**
+:   Number of document update events.
+
+type: long
+
+
+**`mongodb.collstats.remove.time.us`**
+:   Time deleting documents in microseconds.
+
+type: long
+
+
+**`mongodb.collstats.remove.count`**
+:   Number of document delete events.
+
+type: long
+
+
+**`mongodb.collstats.commands.time.us`**
+:   Time executing database commands in microseconds.
+
+type: long
+
+
+**`mongodb.collstats.commands.count`**
+:   Number of database commands executed.
+
+type: long
+
+
+**`mongodb.collstats.stats.stats.size`**
+:   The total uncompressed size in memory of all records in a collection.
+
+type: long
+
+
+**`mongodb.collstats.stats.stats.count`**
+:   The number of objects or documents in this collection.
+
+type: long
+
+
+**`mongodb.collstats.stats.stats.avgObjSize`**
+:   The average size of an object in the collection (in bytes).
+
+type: long
+
+
+**`mongodb.collstats.stats.stats.storageSize`**
+:   The total amount of storage allocated to this collection for document storage (in bytes).
+
+type: long
+
+
+**`mongodb.collstats.stats.stats.totalIndexSize`**
+:   The total size of all indexes (in bytes).
+
+type: long
+
+
+**`mongodb.collstats.stats.stats.totalSize`**
+:   The sum of the storageSize and totalIndexSize (in bytes).
+
+type: long
+
+
+**`mongodb.collstats.stats.stats.max`**
+:   Shows the maximum number of documents that may be present in a capped collection.
+
+type: long
+
+
+**`mongodb.collstats.stats.stats.nindexes`**
+:   The number of indexes on the collection. All collections have at least one index on the _id field.
+
+type: long
+
+
+
+## dbstats [_dbstats]
+
+dbstats provides an overview of a particular mongo database. This document is most concerned with data volumes of a database.
+
+**`mongodb.dbstats.avg_obj_size.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`mongodb.dbstats.collections`**
+:   type: integer
+
+
+**`mongodb.dbstats.data_size.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`mongodb.dbstats.db`**
+:   type: keyword
+
+
+**`mongodb.dbstats.file_size.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`mongodb.dbstats.index_size.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`mongodb.dbstats.indexes`**
+:   type: long
+
+
+**`mongodb.dbstats.num_extents`**
+:   type: long
+
+
+**`mongodb.dbstats.objects`**
+:   type: long
+
+
+**`mongodb.dbstats.storage_size.bytes`**
+:   type: long
+
+format: bytes
+
+
+**`mongodb.dbstats.ns_size_mb.mb`**
+:   type: long
+
+
+**`mongodb.dbstats.data_file_version.major`**
+:   type: long
+
+
+**`mongodb.dbstats.data_file_version.minor`**
+:   type: long
+
+
+**`mongodb.dbstats.extent_free_list.num`**
+:   type: long
+
+
+**`mongodb.dbstats.extent_free_list.size.bytes`**
+:   type: long
+
+format: bytes
+
+
+
+## metrics [_metrics_9]
+
+Statistics that reflect the current use and state of a running `mongod` instance for more information, take a look at [https://docs.mongodb.com/manual/reference/command/serverStatus/#serverstatus.metrics](https://docs.mongodb.com/manual/reference/command/serverStatus/#serverstatus.metrics)
+
+
+## commands [_commands]
+
+Reports on the use of database commands. The fields in metrics.commands are the names of database commands and each value is a document that reports the total number of commands executed as well as the number of failed executions. metrics.commands.<command>.failed shows the number of times <command> failed on this mongod. metrics.commands.<command>.total shows the number of times <command> executed on this mongod.
+
+**`mongodb.metrics.commands.is_self.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.is_self.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.aggregate.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.aggregate.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.build_info.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.build_info.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.coll_stats.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.coll_stats.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.connection_pool_stats.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.connection_pool_stats.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.count.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.count.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.db_stats.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.db_stats.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.distinct.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.distinct.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.find.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.find.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.get_cmd_line_opts.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.get_cmd_line_opts.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.get_last_error.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.get_last_error.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.get_log.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.get_log.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.get_more.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.get_more.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.get_parameter.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.get_parameter.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.host_info.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.host_info.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.insert.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.insert.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.is_master.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.is_master.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.last_collections.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.last_collections.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.last_commands.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.last_commands.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.list_databased.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.list_databased.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.list_indexes.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.list_indexes.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.ping.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.ping.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.profile.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.profile.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.replset_get_rbid.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.replset_get_rbid.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.replset_get_status.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.replset_get_status.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.replset_heartbeat.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.replset_heartbeat.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.replset_update_position.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.replset_update_position.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.server_status.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.server_status.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.update.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.update.total`**
+:   type: long
+
+
+**`mongodb.metrics.commands.whatsmyuri.failed`**
+:   type: long
+
+
+**`mongodb.metrics.commands.whatsmyuri.total`**
+:   type: long
+
+
+
+## cursor [_cursor]
+
+Contains data regarding cursor state and use.
+
+**`mongodb.metrics.cursor.timed_out`**
+:   The total number of cursors that have timed out since the server process started.
+
+type: long
+
+
+
+## open [_open]
+
+Contains data regarding open cursors.
+
+**`mongodb.metrics.cursor.open.no_timeout`**
+:   The number of open cursors with the option DBQuery.Option.noTimeout set to prevent timeout.
+
+type: long
+
+
+**`mongodb.metrics.cursor.open.pinned`**
+:   The number of `pinned` open cursors.
+
+type: long
+
+
+**`mongodb.metrics.cursor.open.total`**
+:   The number of cursors that MongoDB is maintaining for clients.
+
+type: long
+
+
+
+## document [_document]
+
+Reflects document access and modification patterns.
+
+**`mongodb.metrics.document.deleted`**
+:   The total number of documents deleted.
+
+type: long
+
+
+**`mongodb.metrics.document.inserted`**
+:   The total number of documents inserted.
+
+type: long
+
+
+**`mongodb.metrics.document.returned`**
+:   The total number of documents returned by queries.
+
+type: long
+
+
+**`mongodb.metrics.document.updated`**
+:   The total number of documents updated.
+
+type: long
+
+
+
+## get_last_error [_get_last_error]
+
+Returns the error status of the preceding write operation on the current connection.
+
+**`mongodb.metrics.get_last_error.write_wait.ms`**
+:   The total amount of time in milliseconds that the mongod has spent performing getLastError operations with write concern (i.e. w) greater than 1.
+
+type: long
+
+
+**`mongodb.metrics.get_last_error.write_wait.count`**
+:   The total number of getLastError operations with a specified write concern (i.e. w) greater than 1.
+
+type: long
+
+
+**`mongodb.metrics.get_last_error.write_timeouts`**
+:   The number of times that write concern operations have timed out as a result of the wtimeout threshold to getLastError.
+
+type: long
+
+
+
+## operation [_operation]
+
+Holds counters for several types of update and query operations that MongoDB handles using special operation types.
+
+**`mongodb.metrics.operation.scan_and_order`**
+:   The total number of queries that return sorted numbers that cannot perform the sort operation using an index.
+
+type: long
+
+
+**`mongodb.metrics.operation.write_conflicts`**
+:   The total number of queries that encountered write conflicts.
+
+type: long
+
+
+
+## query_executor [_query_executor]
+
+Reports data from the query execution system.
+
+**`mongodb.metrics.query_executor.scanned_indexes.count`**
+:   The total number of index items scanned during queries and query-plan evaluation.
+
+type: long
+
+
+**`mongodb.metrics.query_executor.scanned_documents.count`**
+:   The total number of documents scanned during queries and query-plan evaluation.
+
+type: long
+
+
+
+## replication [_replication]
+
+Reports metrics related to the replication process. metrics.replication appears on all mongod instances, even those that aren’t members of replica sets.
+
+
+## executor [_executor]
+
+Reports on various statistics for the replication executor.
+
+**`mongodb.metrics.replication.executor.counters.event_created`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.counters.event_wait`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.counters.cancels`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.counters.waits`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.counters.scheduled.netcmd`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.counters.scheduled.dbwork`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.counters.scheduled.exclusive`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.counters.scheduled.work_at`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.counters.scheduled.work`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.counters.scheduled.failures`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.queues.in_progress.network`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.queues.in_progress.dbwork`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.queues.in_progress.exclusive`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.queues.sleepers`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.queues.ready`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.queues.free`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.unsignaled_events`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.event_waiters`**
+:   type: long
+
+
+**`mongodb.metrics.replication.executor.shutting_down`**
+:   type: boolean
+
+
+**`mongodb.metrics.replication.executor.network_interface`**
+:   type: keyword
+
+
+
+## apply [_apply]
+
+Reports on the application of operations from the replication oplog.
+
+**`mongodb.metrics.replication.apply.attempts_to_become_secondary`**
+:   type: long
+
+
+
+## batches [_batches]
+
+Reports on the oplog application process on secondaries members of replica sets.
+
+**`mongodb.metrics.replication.apply.batches.count`**
+:   The total number of batches applied across all databases.
+
+type: long
+
+
+**`mongodb.metrics.replication.apply.batches.time.ms`**
+:   The total amount of time in milliseconds the mongod has spent applying operations from the oplog.
+
+type: long
+
+
+**`mongodb.metrics.replication.apply.ops`**
+:   The total number of oplog operations applied.
+
+type: long
+
+
+
+## buffer [_buffer]
+
+MongoDB buffers oplog operations from the replication sync source buffer before applying oplog entries in a batch. metrics.replication.buffer provides a way to track the oplog buffer.
+
+**`mongodb.metrics.replication.buffer.count`**
+:   The current number of operations in the oplog buffer.
+
+type: long
+
+
+**`mongodb.metrics.replication.buffer.max_size.bytes`**
+:   The maximum size of the buffer. This value is a constant setting in the mongod, and is not configurable.
+
+type: long
+
+
+**`mongodb.metrics.replication.buffer.size.bytes`**
+:   The current size of the contents of the oplog buffer.
+
+type: long
+
+
+
+## initial_sync [_initial_sync]
+
+Report initial sync status
+
+**`mongodb.metrics.replication.initial_sync.completed`**
+:   type: long
+
+
+**`mongodb.metrics.replication.initial_sync.failed_attempts`**
+:   type: long
+
+
+**`mongodb.metrics.replication.initial_sync.failures`**
+:   type: long
+
+
+
+## network [_network_8]
+
+Reports network use by the replication process.
+
+**`mongodb.metrics.replication.network.bytes`**
+:   The total amount of data read from the replication sync source.
+
+type: long
+
+
+
+## getmores [_getmores]
+
+Reports on the getmore operations, which are requests for additional results from the oplog cursor as part of the oplog replication process.
+
+**`mongodb.metrics.replication.network.getmores.count`**
+:   The total number of getmore operations
+
+type: long
+
+
+**`mongodb.metrics.replication.network.getmores.time.ms`**
+:   The total amount of time required to collect data from getmore operations.
+
+type: long
+
+
+**`mongodb.metrics.replication.network.ops`**
+:   The total number of operations read from the replication source.
+
+type: long
+
+
+**`mongodb.metrics.replication.network.reders_created`**
+:   The total number of oplog query processes created.
+
+type: long
+
+
+
+## preload [_preload]
+
+Reports on the `pre-fetch` stage, where MongoDB loads documents and indexes into RAM to improve replication throughput.
+
+
+## docs [_docs]
+
+Reports on the documents loaded into memory during the pre-fetch stage.
+
+**`mongodb.metrics.replication.preload.docs.count`**
+:   The total number of documents loaded during the pre-fetch stage of replication.
+
+type: long
+
+
+**`mongodb.metrics.replication.preload.docs.time.ms`**
+:   type: long
+
+
+
+## indexes [_indexes]
+
+Reports on the index items loaded into memory during the pre-fetch stage of replication.
+
+**`mongodb.metrics.replication.preload.indexes.count`**
+:   The total number of index entries loaded by members before updating documents as part of the pre-fetch stage of replication.
+
+type: long
+
+
+**`mongodb.metrics.replication.preload.indexes.time.ms`**
+:   The total amount of time, in milliseconds, spent loading index entries as part of the pre-fetch stage of replication.
+
+type: long
+
+
+**`mongodb.metrics.storage.free_list.search.bucket_exhausted`**
+:   The number of times that mongod has checked the free list without finding a suitably large record allocation.
+
+type: long
+
+
+**`mongodb.metrics.storage.free_list.search.requests`**
+:   The number of times mongod has searched for available record allocations.
+
+type: long
+
+
+**`mongodb.metrics.storage.free_list.search.scanned`**
+:   The number of available record allocations mongod has searched.
+
+type: long
+
+
+
+## ttl [_ttl_2]
+
+Reports on the operation of the resource use of the ttl index process.
+
+**`mongodb.metrics.ttl.deleted_documents.count`**
+:   The total number of documents deleted from collections with a ttl index.
+
+type: long
+
+
+**`mongodb.metrics.ttl.passes.count`**
+:   The number of times the background process removes documents from collections with a ttl index.
+
+type: long
+
+
+
+## replstatus [_replstatus]
+
+replstatus provides an overview of replica set status.
+
+
+## oplog [_oplog]
+
+oplog provides an overview of replication oplog status, which is retrieved from db.getReplicationInfo().
+
+**`mongodb.replstatus.oplog.size.allocated`**
+:   The total amount of space used by the replstatus in bytes.
+
+type: long
+
+format: bytes
+
+
+**`mongodb.replstatus.oplog.size.used`**
+:   total amount of space allocated to the replstatus in bytes.
+
+type: long
+
+format: bytes
+
+
+**`mongodb.replstatus.oplog.first.timestamp`**
+:   Timestamp of the first (i.e. earliest) operation in the replstatus
+
+type: long
+
+
+**`mongodb.replstatus.oplog.last.timestamp`**
+:   Timestamp of the last (i.e. latest) operation in the replstatus
+
+type: long
+
+
+**`mongodb.replstatus.oplog.window`**
+:   The difference between the first and last operation in the replstatus.
+
+type: long
+
+
+**`mongodb.replstatus.set_name`**
+:   The name of the replica set.
+
+type: keyword
+
+
+**`mongodb.replstatus.server_date`**
+:   Reflects the current time according to the server that processed the replSetGetStatus command.
+
+type: date
+
+
+**`mongodb.replstatus.optimes.last_committed`**
+:   Information, from the viewpoint of this member, regarding the most recent operation that has been written to a majority of replica set members.
+
+type: long
+
+
+**`mongodb.replstatus.optimes.applied`**
+:   Information, from the viewpoint of this member, regarding the most recent operation that has been applied to this member of the replica set.
+
+type: long
+
+
+**`mongodb.replstatus.optimes.durable`**
+:   Information, from the viewpoint of this member, regarding the most recent operation that has been written to the journal of this member of the replica set.
+
+type: long
+
+
+
+## lag [_lag]
+
+Delay between a write operation on the primary and its copy to a secondary
+
+**`mongodb.replstatus.lag.max`**
+:   Difference between optime of primary and slowest secondary
+
+type: long
+
+format: duration
+
+
+**`mongodb.replstatus.lag.min`**
+:   Difference between optime of primary and fastest secondary
+
+type: long
+
+format: duration
+
+
+
+## headroom [_headroom]
+
+Difference between the primary’s oplog window and the replication lag of the secondary
+
+**`mongodb.replstatus.headroom.max`**
+:   Difference between primary’s oplog window and the replication lag of the fastest secondary
+
+type: long
+
+format: duration
+
+
+**`mongodb.replstatus.headroom.min`**
+:   Difference between primary’s oplog window and the replication lag of the slowest secondary
+
+type: long
+
+format: duration
+
+
+
+## members [_members]
+
+Provides information about members of replica set grouped by their state
+
+**`mongodb.replstatus.members.primary.host`**
+:   Host address of the primary
+
+type: keyword
+
+
+**`mongodb.replstatus.members.primary.optime`**
+:   Optime of primary
+
+type: keyword
+
+
+**`mongodb.replstatus.members.secondary.hosts`**
+:   List of secondary hosts
+
+type: keyword
+
+
+**`mongodb.replstatus.members.secondary.optimes`**
+:   Optimes of secondaries
+
+type: keyword
+
+
+**`mongodb.replstatus.members.secondary.count`**
+:   type: long
+
+
+**`mongodb.replstatus.members.recovering.hosts`**
+:   List of recovering members hosts
+
+type: keyword
+
+
+**`mongodb.replstatus.members.recovering.count`**
+:   Count of members in the `recovering` state
+
+type: long
+
+
+**`mongodb.replstatus.members.unknown.hosts`**
+:   List of members' hosts in the `unknown` state
+
+type: keyword
+
+
+**`mongodb.replstatus.members.unknown.count`**
+:   Count of members with `unknown` state
+
+type: long
+
+
+**`mongodb.replstatus.members.startup2.hosts`**
+:   List of initializing members hosts
+
+type: keyword
+
+
+**`mongodb.replstatus.members.startup2.count`**
+:   Count of members in the `startup2` state
+
+type: long
+
+
+**`mongodb.replstatus.members.arbiter.hosts`**
+:   List of arbiters hosts
+
+type: keyword
+
+
+**`mongodb.replstatus.members.arbiter.count`**
+:   Count of arbiters
+
+type: long
+
+
+**`mongodb.replstatus.members.down.hosts`**
+:   List of `down` members hosts
+
+type: keyword
+
+
+**`mongodb.replstatus.members.down.count`**
+:   Count of `down` members
+
+type: long
+
+
+**`mongodb.replstatus.members.rollback.hosts`**
+:   List of members in the `rollback` state
+
+type: keyword
+
+
+**`mongodb.replstatus.members.rollback.count`**
+:   Count of members in the `rollback` state
+
+type: long
+
+
+**`mongodb.replstatus.members.unhealthy.hosts`**
+:   List of members' hosts with healthy = false
+
+type: keyword
+
+
+**`mongodb.replstatus.members.unhealthy.count`**
+:   Count of unhealthy members
+
+type: long
+
+
+
+## status [_status_6]
+
+MongoDB server status metrics.
+
+**`mongodb.status.version`**
+:   Instance version.
+
+type: alias
+
+alias to: service.version
+
+
+**`mongodb.status.process`**
+:   The current MongoDB process. Possible values are mongos or mongod.
+
+type: alias
+
+alias to: process.name
+
+
+**`mongodb.status.uptime.ms`**
+:   Instance uptime in milliseconds.
+
+type: long
+
+
+**`mongodb.status.local_time`**
+:   Local time as reported by the MongoDB instance.
+
+type: date
+
+
+**`mongodb.status.asserts.regular`**
+:   Number of regular assertions produced by the server.
+
+type: long
+
+
+**`mongodb.status.asserts.warning`**
+:   Number of warning assertions produced by the server.
+
+type: long
+
+
+**`mongodb.status.asserts.msg`**
+:   Number of msg assertions produced by the server.
+
+type: long
+
+
+**`mongodb.status.asserts.user`**
+:   Number of user assertions produced by the server.
+
+type: long
+
+
+**`mongodb.status.asserts.rollovers`**
+:   Number of rollovers assertions produced by the server.
+
+type: long
+
+
+
+## connections [_connections_3]
+
+Data regarding the current status of incoming connections and availability of the database server.
+
+**`mongodb.status.connections.current`**
+:   The number of connections to the database server from clients. This number includes the current shell session. Consider the value of `available` to add more context to this datum.
+
+type: long
+
+
+**`mongodb.status.connections.available`**
+:   The number of unused available incoming connections the database can provide.
+
+type: long
+
+
+**`mongodb.status.connections.total_created`**
+:   A count of all incoming connections created to the server. This number includes connections that have since closed.
+
+type: long
+
+
+
+## extra_info [_extra_info]
+
+Platform specific data.
+
+**`mongodb.status.extra_info.heap_usage.bytes`**
+:   The total size in bytes of heap space used by the database process. Only available on Unix/Linux.
+
+type: long
+
+format: bytes
+
+
+**`mongodb.status.extra_info.page_faults`**
+:   The total number of page faults that require disk operations. Page faults refer to operations that require the database server to access data that isn’t available in active memory.
+
+type: long
+
+
+
+## global_lock [_global_lock]
+
+Reports on lock state of the database.
+
+**`mongodb.status.global_lock.total_time.us`**
+:   The time, in microseconds, since the database last started and created the globalLock. This is roughly equivalent to total server uptime.
+
+type: long
+
+
+
+## current_queue [_current_queue]
+
+The number of operations queued because of a lock.
+
+**`mongodb.status.global_lock.current_queue.total`**
+:   The total number of operations queued waiting for the lock (i.e., the sum of current_queue.readers and current_queue.writers).
+
+type: long
+
+
+**`mongodb.status.global_lock.current_queue.readers`**
+:   The number of operations that are currently queued and waiting for the read lock.
+
+type: long
+
+
+**`mongodb.status.global_lock.current_queue.writers`**
+:   The number of operations that are currently queued and waiting for the write lock.
+
+type: long
+
+
+
+## active_clients [_active_clients]
+
+The number of connected clients and the read and write operations performed by these clients.
+
+**`mongodb.status.global_lock.active_clients.total`**
+:   Total number of the active client connections performing read or write operations.
+
+type: long
+
+
+**`mongodb.status.global_lock.active_clients.readers`**
+:   The number of the active client connections performing read operations.
+
+type: long
+
+
+**`mongodb.status.global_lock.active_clients.writers`**
+:   The number of the active client connections performing write operations.
+
+type: long
+
+
+
+## locks [_locks]
+
+A document that reports for each lock <type>, data on lock <mode>s. The possible lock <type>s are global, database, collection, metadata and oplog. The possible <mode>s are r, w, R and W which respresent shared, exclusive, intent shared and intent exclusive. locks.<type>.acquire.count.<mode> shows the number of times the lock was acquired in the specified mode. locks.<type>.wait.count.<mode> shows the number of times the locks.acquireCount lock acquisitions encountered waits because the locks were held in a conflicting mode. locks.<type>.wait.us.<mode> shows the cumulative wait time in microseconds for the lock acquisitions. locks.<type>.deadlock.count.<mode> shows the number of times the lock acquisitions encountered deadlocks.
+
+**`mongodb.status.locks.global.acquire.count.r`**
+:   type: long
+
+
+**`mongodb.status.locks.global.acquire.count.w`**
+:   type: long
+
+
+**`mongodb.status.locks.global.acquire.count.R`**
+:   type: long
+
+
+**`mongodb.status.locks.global.acquire.count.W`**
+:   type: long
+
+
+**`mongodb.status.locks.global.wait.count.r`**
+:   type: long
+
+
+**`mongodb.status.locks.global.wait.count.w`**
+:   type: long
+
+
+**`mongodb.status.locks.global.wait.count.R`**
+:   type: long
+
+
+**`mongodb.status.locks.global.wait.count.W`**
+:   type: long
+
+
+**`mongodb.status.locks.global.wait.us.r`**
+:   type: long
+
+
+**`mongodb.status.locks.global.wait.us.w`**
+:   type: long
+
+
+**`mongodb.status.locks.global.wait.us.R`**
+:   type: long
+
+
+**`mongodb.status.locks.global.wait.us.W`**
+:   type: long
+
+
+**`mongodb.status.locks.global.deadlock.count.r`**
+:   type: long
+
+
+**`mongodb.status.locks.global.deadlock.count.w`**
+:   type: long
+
+
+**`mongodb.status.locks.global.deadlock.count.R`**
+:   type: long
+
+
+**`mongodb.status.locks.global.deadlock.count.W`**
+:   type: long
+
+
+**`mongodb.status.locks.database.acquire.count.r`**
+:   type: long
+
+
+**`mongodb.status.locks.database.acquire.count.w`**
+:   type: long
+
+
+**`mongodb.status.locks.database.acquire.count.R`**
+:   type: long
+
+
+**`mongodb.status.locks.database.acquire.count.W`**
+:   type: long
+
+
+**`mongodb.status.locks.database.wait.count.r`**
+:   type: long
+
+
+**`mongodb.status.locks.database.wait.count.w`**
+:   type: long
+
+
+**`mongodb.status.locks.database.wait.count.R`**
+:   type: long
+
+
+**`mongodb.status.locks.database.wait.count.W`**
+:   type: long
+
+
+**`mongodb.status.locks.database.wait.us.r`**
+:   type: long
+
+
+**`mongodb.status.locks.database.wait.us.w`**
+:   type: long
+
+
+**`mongodb.status.locks.database.wait.us.R`**
+:   type: long
+
+
+**`mongodb.status.locks.database.wait.us.W`**
+:   type: long
+
+
+**`mongodb.status.locks.database.deadlock.count.r`**
+:   type: long
+
+
+**`mongodb.status.locks.database.deadlock.count.w`**
+:   type: long
+
+
+**`mongodb.status.locks.database.deadlock.count.R`**
+:   type: long
+
+
+**`mongodb.status.locks.database.deadlock.count.W`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.acquire.count.r`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.acquire.count.w`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.acquire.count.R`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.acquire.count.W`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.wait.count.r`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.wait.count.w`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.wait.count.R`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.wait.count.W`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.wait.us.r`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.wait.us.w`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.wait.us.R`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.wait.us.W`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.deadlock.count.r`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.deadlock.count.w`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.deadlock.count.R`**
+:   type: long
+
+
+**`mongodb.status.locks.collection.deadlock.count.W`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.acquire.count.r`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.acquire.count.w`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.acquire.count.R`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.acquire.count.W`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.wait.count.r`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.wait.count.w`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.wait.count.R`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.wait.count.W`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.wait.us.r`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.wait.us.w`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.wait.us.R`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.wait.us.W`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.deadlock.count.r`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.deadlock.count.w`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.deadlock.count.R`**
+:   type: long
+
+
+**`mongodb.status.locks.meta_data.deadlock.count.W`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.acquire.count.r`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.acquire.count.w`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.acquire.count.R`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.acquire.count.W`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.wait.count.r`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.wait.count.w`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.wait.count.R`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.wait.count.W`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.wait.us.r`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.wait.us.w`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.wait.us.R`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.wait.us.W`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.deadlock.count.r`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.deadlock.count.w`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.deadlock.count.R`**
+:   type: long
+
+
+**`mongodb.status.locks.oplog.deadlock.count.W`**
+:   type: long
+
+
+
+## network [_network_9]
+
+Platform specific data.
+
+**`mongodb.status.network.in.bytes`**
+:   The amount of network traffic, in bytes, received by this database.
+
+type: long
+
+format: bytes
+
+
+**`mongodb.status.network.out.bytes`**
+:   The amount of network traffic, in bytes, sent from this database.
+
+type: long
+
+format: bytes
+
+
+**`mongodb.status.network.requests`**
+:   The total number of requests received by the server.
+
+type: long
+
+
+
+## ops.latencies [_ops_latencies]
+
+Operation latencies for the database as a whole. Only mongod instances report this metric.
+
+**`mongodb.status.ops.latencies.reads.latency`**
+:   Total combined latency in microseconds.
+
+type: long
+
+
+**`mongodb.status.ops.latencies.reads.count`**
+:   Total number of read operations performed on the collection since startup.
+
+type: long
+
+
+**`mongodb.status.ops.latencies.writes.latency`**
+:   Total combined latency in microseconds.
+
+type: long
+
+
+**`mongodb.status.ops.latencies.writes.count`**
+:   Total number of write operations performed on the collection since startup.
+
+type: long
+
+
+**`mongodb.status.ops.latencies.commands.latency`**
+:   Total combined latency in microseconds.
+
+type: long
+
+
+**`mongodb.status.ops.latencies.commands.count`**
+:   Total number of commands performed on the collection since startup.
+
+type: long
+
+
+
+## ops.counters [_ops_counters]
+
+An overview of database operations by type.
+
+**`mongodb.status.ops.counters.insert`**
+:   The total number of insert operations received since the mongod instance last started.
+
+type: long
+
+
+**`mongodb.status.ops.counters.query`**
+:   The total number of queries received since the mongod instance last started.
+
+type: long
+
+
+**`mongodb.status.ops.counters.update`**
+:   The total number of update operations received since the mongod instance last started.
+
+type: long
+
+
+**`mongodb.status.ops.counters.delete`**
+:   The total number of delete operations received since the mongod instance last started.
+
+type: long
+
+
+**`mongodb.status.ops.counters.getmore`**
+:   The total number of getmore operations received since the mongod instance last started.
+
+type: long
+
+
+**`mongodb.status.ops.counters.command`**
+:   The total number of commands issued to the database since the mongod instance last started.
+
+type: long
+
+
+
+## ops.replicated [_ops_replicated]
+
+An overview of database replication operations by type.
+
+**`mongodb.status.ops.replicated.insert`**
+:   The total number of replicated insert operations received since the mongod instance last started.
+
+type: long
+
+
+**`mongodb.status.ops.replicated.query`**
+:   The total number of replicated queries received since the mongod instance last started.
+
+type: long
+
+
+**`mongodb.status.ops.replicated.update`**
+:   The total number of replicated update operations received since the mongod instance last started.
+
+type: long
+
+
+**`mongodb.status.ops.replicated.delete`**
+:   The total number of replicated delete operations received since the mongod instance last started.
+
+type: long
+
+
+**`mongodb.status.ops.replicated.getmore`**
+:   The total number of replicated getmore operations received since the mongod instance last started.
+
+type: long
+
+
+**`mongodb.status.ops.replicated.command`**
+:   The total number of replicated commands issued to the database since the mongod instance last started.
+
+type: long
+
+
+
+## memory [_memory_9]
+
+Data about the current memory usage of the mongod server.
+
+**`mongodb.status.memory.bits`**
+:   Either 64 or 32, depending on which target architecture was specified during the mongod compilation process.
+
+type: long
+
+
+**`mongodb.status.memory.resident.mb`**
+:   The amount of RAM, in megabytes (MB), currently used by the database process.
+
+type: long
+
+
+**`mongodb.status.memory.virtual.mb`**
+:   The amount, in megabytes (MB), of virtual memory used by the mongod process.
+
+type: long
+
+
+**`mongodb.status.memory.mapped.mb`**
+:   The amount of mapped memory, in megabytes (MB), used by the database. Because MongoDB uses memory-mapped files, this value is likely to be to be roughly equivalent to the total size of your database or databases.
+
+type: long
+
+
+**`mongodb.status.memory.mapped_with_journal.mb`**
+:   The amount of mapped memory, in megabytes (MB), including the memory used for journaling.
+
+type: long
+
+
+**`mongodb.status.write_backs_queued`**
+:   True when there are operations from a mongos instance queued for retrying.
+
+type: boolean
+
+
+**`mongodb.status.storage_engine.name`**
+:   A string that represents the name of the current storage engine.
+
+type: keyword
+
+
+
+## wired_tiger [_wired_tiger]
+
+Statistics about the WiredTiger storage engine.
+
+
+## concurrent_transactions [_concurrent_transactions]
+
+Statistics about the transactions currently in progress.
+
+**`mongodb.status.wired_tiger.concurrent_transactions.write.out`**
+:   Number of concurrent write transaction in progress.
+
+type: long
+
+
+**`mongodb.status.wired_tiger.concurrent_transactions.write.available`**
+:   Number of concurrent write tickets available.
+
+type: long
+
+
+**`mongodb.status.wired_tiger.concurrent_transactions.write.total_tickets`**
+:   Number of total write tickets.
+
+type: long
+
+
+**`mongodb.status.wired_tiger.concurrent_transactions.read.out`**
+:   Number of concurrent read transaction in progress.
+
+type: long
+
+
+**`mongodb.status.wired_tiger.concurrent_transactions.read.available`**
+:   Number of concurrent read tickets available.
+
+type: long
+
+
+**`mongodb.status.wired_tiger.concurrent_transactions.read.total_tickets`**
+:   Number of total read tickets.
+
+type: long
+
+
+
+## cache [_cache_2]
+
+Statistics about the cache and page evictions from the cache.
+
+**`mongodb.status.wired_tiger.cache.maximum.bytes`**
+:   Maximum cache size.
+
+type: long
+
+format: bytes
+
+
+**`mongodb.status.wired_tiger.cache.used.bytes`**
+:   Size in byte of the data currently in cache.
+
+type: long
+
+format: bytes
+
+
+**`mongodb.status.wired_tiger.cache.dirty.bytes`**
+:   Size in bytes of the dirty data in the cache.
+
+type: long
+
+format: bytes
+
+
+**`mongodb.status.wired_tiger.cache.pages.read`**
+:   Number of pages read into the cache.
+
+type: long
+
+
+**`mongodb.status.wired_tiger.cache.pages.write`**
+:   Number of pages written from the cache.
+
+type: long
+
+
+**`mongodb.status.wired_tiger.cache.pages.evicted`**
+:   Number of pages evicted from the cache.
+
+type: long
+
+
+
+## log [_log_2]
+
+Statistics about the write ahead log used by WiredTiger.
+
+**`mongodb.status.wired_tiger.log.size.bytes`**
+:   Total log size in bytes.
+
+type: long
+
+format: bytes
+
+
+**`mongodb.status.wired_tiger.log.write.bytes`**
+:   Number of bytes written into the log.
+
+type: long
+
+format: bytes
+
+
+**`mongodb.status.wired_tiger.log.max_file_size.bytes`**
+:   Maximum file size.
+
+type: long
+
+format: bytes
+
+
+**`mongodb.status.wired_tiger.log.flushes`**
+:   Number of flush operations.
+
+type: long
+
+
+**`mongodb.status.wired_tiger.log.writes`**
+:   Number of write operations.
+
+type: long
+
+
+**`mongodb.status.wired_tiger.log.scans`**
+:   Number of scan operations.
+
+type: long
+
+
+**`mongodb.status.wired_tiger.log.syncs`**
+:   Number of sync operations.
+
+type: long
+
+
+
+## background_flushing [_background_flushing]
+
+Data about the process MongoDB uses to write data to disk. This data is only available for instances that use the MMAPv1 storage engine.
+
+**`mongodb.status.background_flushing.flushes`**
+:   A counter that collects the number of times the database has flushed all writes to disk.
+
+type: long
+
+
+**`mongodb.status.background_flushing.total.ms`**
+:   The total number of milliseconds (ms) that the mongod processes have spent writing (i.e. flushing) data to disk. Because this is an absolute value, consider the value of `flushes` and `average_ms` to provide better context for this datum.
+
+type: long
+
+
+**`mongodb.status.background_flushing.average.ms`**
+:   The average time spent flushing to disk per flush event.
+
+type: long
+
+
+**`mongodb.status.background_flushing.last.ms`**
+:   The amount of time, in milliseconds, that the last flush operation took to complete.
+
+type: long
+
+
+**`mongodb.status.background_flushing.last_finished`**
+:   A timestamp of the last completed flush operation.
+
+type: date
+
+
+
+## journaling [_journaling]
+
+Data about the journaling-related operations and performance. Journaling information only appears for mongod instances that use the MMAPv1 storage engine and have journaling enabled.
+
+**`mongodb.status.journaling.commits`**
+:   The number of transactions written to the journal during the last journal group commit interval.
+
+type: long
+
+
+**`mongodb.status.journaling.journaled.mb`**
+:   The amount of data in megabytes (MB) written to journal during the last journal group commit interval.
+
+type: long
+
+
+**`mongodb.status.journaling.write_to_data_files.mb`**
+:   The amount of data in megabytes (MB) written from journal to the data files during the last journal group commit interval.
+
+type: long
+
+
+**`mongodb.status.journaling.compression`**
+:   The compression ratio of the data written to the journal.
+
+type: long
+
+
+**`mongodb.status.journaling.commits_in_write_lock`**
+:   Count of the commits that occurred while a write lock was held. Commits in a write lock indicate a MongoDB node under a heavy write load and call for further diagnosis.
+
+type: long
+
+
+**`mongodb.status.journaling.early_commits`**
+:   The number of times MongoDB requested a commit before the scheduled journal group commit interval.
+
+type: long
+
+
+
+## times [_times]
+
+Information about the performance of the mongod instance during the various phases of journaling in the last journal group commit interval.
+
+**`mongodb.status.journaling.times.dt.ms`**
+:   The amount of time over which MongoDB collected the times data. Use this field to provide context to the other times field values.
+
+type: long
+
+
+**`mongodb.status.journaling.times.prep_log_buffer.ms`**
+:   The amount of time spent preparing to write to the journal. Smaller values indicate better journal performance.
+
+type: long
+
+
+**`mongodb.status.journaling.times.write_to_journal.ms`**
+:   The amount of time spent actually writing to the journal. File system speeds and device interfaces can affect performance.
+
+type: long
+
+
+**`mongodb.status.journaling.times.write_to_data_files.ms`**
+:   The amount of time spent writing to data files after journaling. File system speeds and device interfaces can affect performance.
+
+type: long
+
+
+**`mongodb.status.journaling.times.remap_private_view.ms`**
+:   The amount of time spent remapping copy-on-write memory mapped views. Smaller values indicate better journal performance.
+
+type: long
+
+
+**`mongodb.status.journaling.times.commits.ms`**
+:   The amount of time spent for commits.
+
+type: long
+
+
+**`mongodb.status.journaling.times.commits_in_write_lock.ms`**
+:   The amount of time spent for commits that occurred while a write lock was held.
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-mssql.md b/docs/reference/metricbeat/exported-fields-mssql.md
new file mode 100644
index 000000000000..208b43627b29
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-mssql.md
@@ -0,0 +1,246 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-mssql.html
+---
+
+# MSSQL fields [exported-fields-mssql]
+
+MS SQL module
+
+
+## mssql [_mssql]
+
+The root field containing all MSSQL fields
+
+
+## database [_database]
+
+The database that the metrics is being referred to
+
+**`mssql.database.id`**
+:   Unique ID of the database inside MSSQL
+
+type: long
+
+
+**`mssql.database.name`**
+:   Name of the database
+
+type: keyword
+
+
+
+## performance [_performance_3]
+
+performance metricset fetches information about the Performance Counters
+
+**`mssql.performance.page_splits_per_sec`**
+:   Number of page splits per second that occur as the result of overflowing index pages.
+
+type: long
+
+
+**`mssql.performance.lock_waits_per_sec`**
+:   Number of lock requests per second that required the caller to wait.
+
+type: long
+
+
+**`mssql.performance.user_connections`**
+:   Total number of user connections
+
+type: long
+
+
+**`mssql.performance.transactions`**
+:   Total number of transactions
+
+type: long
+
+
+**`mssql.performance.active_temp_tables`**
+:   Number of temporary tables/table variables in use.
+
+type: long
+
+
+**`mssql.performance.connections_reset_per_sec`**
+:   Total number of logins started from the connection pool.
+
+type: long
+
+
+**`mssql.performance.logins_per_sec`**
+:   Total number of logins started per second. This does not include pooled connections.
+
+type: long
+
+
+**`mssql.performance.logouts_per_sec`**
+:   Total number of logout operations started per second.
+
+type: long
+
+
+**`mssql.performance.recompilations_per_sec`**
+:   Number of statement recompiles per second. Counts the number of times statement recompiles are triggered. Generally, you want the recompiles to be low.
+
+type: long
+
+
+**`mssql.performance.compilations_per_sec`**
+:   Number of SQL compilations per second. Indicates the number of times the compile code path is entered. Includes compiles caused by statement-level recompilations in SQL Server. After SQL Server user activity is stable, this value reaches a steady state.
+
+type: long
+
+
+**`mssql.performance.batch_requests_per_sec`**
+:   Number of Transact-SQL command batches received per second. This statistic is affected by all constraints (such as I/O, number of users, cache size, complexity of requests, and so on). High batch requests mean good throughput.
+
+type: long
+
+
+
+## cache_hit [_cache_hit]
+
+Indicates the percentage of pages found in the buffer cache without having to read from disk.
+
+**`mssql.performance.buffer.cache_hit.pct`**
+:   The ratio is the total number of cache hits divided by the total number of cache lookups over the last few thousand page accesses. After a long period of time, the ratio moves very little. Because reading from the cache is much less expensive than reading from disk, you want this ratio to be high
+
+type: double
+
+
+
+## page_life_expectancy [_page_life_expectancy]
+
+Indicates the number of seconds a page will stay in the buffer pool without references.
+
+**`mssql.performance.buffer.page_life_expectancy.sec`**
+:   Indicates the number of seconds a page will stay in the buffer pool without references (in seconds).
+
+type: long
+
+
+**`mssql.performance.buffer.checkpoint_pages_per_sec`**
+:   Indicates the number of pages flushed to disk per second by a checkpoint or other operation that require all dirty pages to be flushed.
+
+type: long
+
+
+**`mssql.performance.buffer.database_pages`**
+:   Indicates the number of pages in the buffer pool with database content.
+
+type: long
+
+
+**`mssql.performance.buffer.target_pages`**
+:   Ideal number of pages in the buffer pool.
+
+type: long
+
+
+
+## transaction_log [_transaction_log_2]
+
+transaction_log metricset will fetch information about the operation and transaction log of each database from a MSSQL instance
+
+
+## space_usage [_space_usage]
+
+Space usage information for the transaction log
+
+
+## since_last_backup [_since_last_backup]
+
+The amount of space used since the last log backup
+
+**`mssql.transaction_log.space_usage.since_last_backup.bytes`**
+:   The amount of space used since the last log backup in bytes
+
+type: long
+
+
+
+## total [_total_2]
+
+The size of the log
+
+**`mssql.transaction_log.space_usage.total.bytes`**
+:   The size of the log in bytes
+
+type: long
+
+
+
+## used [_used]
+
+The occupied size of the log
+
+**`mssql.transaction_log.space_usage.used.bytes`**
+:   The occupied size of the log in bytes
+
+type: long
+
+
+**`mssql.transaction_log.space_usage.used.pct`**
+:   A percentage of the occupied size of the log as a percent of the total log size
+
+type: float
+
+
+
+## stats [_stats_8]
+
+Returns summary level attributes and information on transaction log files of databases. Use this information for monitoring and diagnostics of transaction log health.
+
+
+## active_size [_active_size]
+
+Total active transaction log size.
+
+**`mssql.transaction_log.stats.active_size.bytes`**
+:   Total active transaction log size in bytes
+
+type: long
+
+
+**`mssql.transaction_log.stats.backup_time`**
+:   Last transaction log backup time.
+
+type: date
+
+
+
+## recovery_size [_recovery_size]
+
+Log size since log recovery log sequence number (LSN).
+
+**`mssql.transaction_log.stats.recovery_size.bytes`**
+:   Log size in bytes since log recovery log sequence number (LSN).
+
+type: long
+
+
+
+## since_last_checkpoint [_since_last_checkpoint]
+
+Log size since last checkpoint log sequence number (LSN).
+
+**`mssql.transaction_log.stats.since_last_checkpoint.bytes`**
+:   Log size in bytes since last checkpoint log sequence number (LSN).
+
+type: long
+
+
+
+## total_size [_total_size]
+
+Total transaction log size.
+
+**`mssql.transaction_log.stats.total_size.bytes`**
+:   Total transaction log size in bytes.
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-munin.md b/docs/reference/metricbeat/exported-fields-munin.md
new file mode 100644
index 000000000000..7799314a41c1
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-munin.md
@@ -0,0 +1,21 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-munin.html
+---
+
+# Munin fields [exported-fields-munin]
+
+Munin node metrics exporter
+
+**`munin.metrics.*`**
+:   Metrics exposed by a plugin of a munin node agent.
+
+type: object
+
+
+**`munin.plugin.name`**
+:   Name of the plugin collecting these metrics.
+
+type: keyword
+
+
diff --git a/docs/reference/metricbeat/exported-fields-mysql.md b/docs/reference/metricbeat/exported-fields-mysql.md
new file mode 100644
index 000000000000..2d58d538e977
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-mysql.md
@@ -0,0 +1,948 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-mysql.html
+---
+
+# MySQL fields [exported-fields-mysql]
+
+MySQL server status metrics collected from MySQL.
+
+
+## mysql [_mysql]
+
+`mysql` contains the metrics that were obtained from MySQL query.
+
+
+## galera_status [_galera_status]
+
+`galera_status` contains the metrics that were obtained by the status SQL query on Galera.
+
+
+## apply [_apply_2]
+
+Apply status fields.
+
+**`mysql.galera_status.apply.oooe`**
+:   How often applier started write-set applying out-of-order (parallelization efficiency).
+
+type: double
+
+
+**`mysql.galera_status.apply.oool`**
+:   How often write-set was so slow to apply that write-set with higher seqno’s were applied earlier. Values closer to 0 refer to a greater gap between slow and fast write-sets.
+
+type: double
+
+
+**`mysql.galera_status.apply.window`**
+:   Average distance between highest and lowest concurrently applied seqno.
+
+type: double
+
+
+
+## cert [_cert]
+
+Certification status fields.
+
+**`mysql.galera_status.cert.deps_distance`**
+:   Average distance between highest and lowest seqno value that can be possibly applied in parallel (potential degree of parallelization).
+
+type: double
+
+
+**`mysql.galera_status.cert.index_size`**
+:   The number of entries in the certification index.
+
+type: long
+
+
+**`mysql.galera_status.cert.interval`**
+:   Average number of transactions received while a transaction replicates.
+
+type: double
+
+
+
+## cluster [_cluster_2]
+
+Cluster status fields.
+
+**`mysql.galera_status.cluster.conf_id`**
+:   Total number of cluster membership changes happened.
+
+type: long
+
+
+**`mysql.galera_status.cluster.size`**
+:   Current number of members in the cluster.
+
+type: long
+
+
+**`mysql.galera_status.cluster.status`**
+:   Status of this cluster component. That is, whether the node is part of a PRIMARY or NON_PRIMARY component.
+
+type: keyword
+
+
+
+## commit [_commit_3]
+
+Commit status fields.
+
+**`mysql.galera_status.commit.oooe`**
+:   How often a transaction was committed out of order.
+
+type: double
+
+
+**`mysql.galera_status.commit.window`**
+:   Average distance between highest and lowest concurrently committed seqno.
+
+type: long
+
+
+**`mysql.galera_status.connected`**
+:   If the value is OFF, the node has not yet connected to any of the cluster components. This may be due to misconfiguration. Check the error log for proper diagnostics.
+
+type: keyword
+
+
+
+## evs [_evs]
+
+Evs Fields.
+
+**`mysql.galera_status.evs.evict`**
+:   Lists the UUID’s of all nodes evicted from the cluster. Evicted nodes cannot rejoin the cluster until you restart their mysqld processes.
+
+type: keyword
+
+
+**`mysql.galera_status.evs.state`**
+:   Shows the internal state of the EVS Protocol.
+
+type: keyword
+
+
+
+## flow_ctl [_flow_ctl]
+
+Flow Control fields.
+
+**`mysql.galera_status.flow_ctl.paused`**
+:   The fraction of time since the last FLUSH STATUS command that replication was paused due to flow control. In other words, how much the slave lag is slowing down the cluster.
+
+type: double
+
+
+**`mysql.galera_status.flow_ctl.paused_ns`**
+:   The total time spent in a paused state measured in nanoseconds.
+
+type: long
+
+
+**`mysql.galera_status.flow_ctl.recv`**
+:   Returns the number of FC_PAUSE events the node has received, including those the node has sent. Unlike most status variables, the counter for this one does not reset every time you run the query.
+
+type: long
+
+
+**`mysql.galera_status.flow_ctl.sent`**
+:   Returns the number of FC_PAUSE events the node has sent. Unlike most status variables, the counter for this one does not reset every time you run the query.
+
+type: long
+
+
+**`mysql.galera_status.last_committed`**
+:   The sequence number, or seqno, of the last committed transaction.
+
+type: long
+
+
+
+## local [_local]
+
+Node specific Cluster status fields.
+
+**`mysql.galera_status.local.bf_aborts`**
+:   Total number of local transactions that were aborted by slave transactions while in execution.
+
+type: long
+
+
+**`mysql.galera_status.local.cert_failures`**
+:   Total number of local transactions that failed certification test.
+
+type: long
+
+
+**`mysql.galera_status.local.commits`**
+:   Total number of local transactions committed.
+
+type: long
+
+
+
+## recv [_recv]
+
+Node specific recv fields.
+
+**`mysql.galera_status.local.recv.queue`**
+:   Current (instantaneous) length of the recv queue.
+
+type: long
+
+
+**`mysql.galera_status.local.recv.queue_avg`**
+:   Recv queue length averaged over interval since the last FLUSH STATUS command. Values considerably larger than 0.0 mean that the node cannot apply write-sets as fast as they are received and will generate a lot of replication throttling.
+
+type: double
+
+
+**`mysql.galera_status.local.recv.queue_max`**
+:   The maximum length of the recv queue since the last FLUSH STATUS command.
+
+type: long
+
+
+**`mysql.galera_status.local.recv.queue_min`**
+:   The minimum length of the recv queue since the last FLUSH STATUS command.
+
+type: long
+
+
+**`mysql.galera_status.local.replays`**
+:   Total number of transaction replays due to asymmetric lock granularity.
+
+type: long
+
+
+
+## send [_send]
+
+Node specific sent fields.
+
+**`mysql.galera_status.local.send.queue`**
+:   Current (instantaneous) length of the send queue.
+
+type: long
+
+
+**`mysql.galera_status.local.send.queue_avg`**
+:   Send queue length averaged over time since the last FLUSH STATUS command. Values considerably larger than 0.0 indicate replication throttling or network throughput issue.
+
+type: double
+
+
+**`mysql.galera_status.local.send.queue_max`**
+:   The maximum length of the send queue since the last FLUSH STATUS command.
+
+type: long
+
+
+**`mysql.galera_status.local.send.queue_min`**
+:   The minimum length of the send queue since the last FLUSH STATUS command.
+
+type: long
+
+
+**`mysql.galera_status.local.state`**
+:   Internal Galera Cluster FSM state number.
+
+type: keyword
+
+
+**`mysql.galera_status.ready`**
+:   Whether the server is ready to accept queries.
+
+type: keyword
+
+
+
+## received [_received]
+
+Write-Set receive status fields.
+
+**`mysql.galera_status.received.count`**
+:   Total number of write-sets received from other nodes.
+
+type: long
+
+
+**`mysql.galera_status.received.bytes`**
+:   Total size of write-sets received from other nodes.
+
+type: long
+
+
+
+## repl [_repl]
+
+Replication status fields.
+
+**`mysql.galera_status.repl.data_bytes`**
+:   Total size of data replicated.
+
+type: long
+
+
+**`mysql.galera_status.repl.keys`**
+:   Total number of keys replicated.
+
+type: long
+
+
+**`mysql.galera_status.repl.keys_bytes`**
+:   Total size of keys replicated.
+
+type: long
+
+
+**`mysql.galera_status.repl.other_bytes`**
+:   Total size of other bits replicated.
+
+type: long
+
+
+**`mysql.galera_status.repl.count`**
+:   Total number of write-sets replicated (sent to other nodes).
+
+type: long
+
+
+**`mysql.galera_status.repl.bytes`**
+:   Total size of write-sets replicated.
+
+type: long
+
+
+
+## performance [_performance_4]
+
+`performance` contains metrics related to the performance of a MySQL instance
+
+
+## events_statements [_events_statements]
+
+Records statement events summarized by schema and digest
+
+**`mysql.performance.events_statements.max.timer.wait`**
+:   Maximum wait time of the summarized events that are timed
+
+type: long
+
+
+**`mysql.performance.events_statements.last.seen`**
+:   Time at which the digest was most recently seen
+
+type: date
+
+
+**`mysql.performance.events_statements.quantile.95`**
+:   The 95th percentile of the statement latency, in picoseconds
+
+type: long
+
+
+**`mysql.performance.events_statements.digest`**
+:   Performance schema digest
+
+type: text
+
+
+**`mysql.performance.events_statements.count.star`**
+:   Number of summarized events
+
+type: long
+
+
+**`mysql.performance.events_statements.avg.timer.wait`**
+:   Average wait time of the summarized events that are timed
+
+type: long
+
+
+**`mysql.performance.events_statements.schemaname`**
+:   Schema name.
+
+type: keyword
+
+
+
+## table_io_waits [_table_io_waits]
+
+Records table I/O waits by index
+
+**`mysql.performance.table_io_waits.object.schema`**
+:   Schema name
+
+type: keyword
+
+
+**`mysql.performance.table_io_waits.object.name`**
+:   Table name
+
+type: keyword
+
+
+**`mysql.performance.table_io_waits.index.name`**
+:   Name of the index that was used when the table I/O wait event was recorded. PRIMARY indicates that table I/O used the primary index. NULL means that table I/O used no index. Inserts are counted against INDEX_NAME = NULL
+
+type: keyword
+
+
+**`mysql.performance.table_io_waits.count.fetch`**
+:   Number of all fetch operations > 0
+
+type: long
+
+
+
+## query [_query_2]
+
+`query` metricset fetches custom queries from the user to a MySQL instance.
+
+
+## status [_status_7]
+
+`status` contains the metrics that were obtained by the status SQL query.
+
+
+## aborted [_aborted]
+
+Aborted status fields.
+
+**`mysql.status.aborted.clients`**
+:   The number of connections that were aborted because the client died without closing the connection properly.
+
+type: long
+
+
+**`mysql.status.aborted.connects`**
+:   The number of failed attempts to connect to the MySQL server.
+
+type: long
+
+
+
+## connection [_connection_2]
+
+
+## errors [_errors]
+
+**`mysql.status.connection.errors.peer_address`**
+:   The number of errors that occurred while searching for connecting client IP addresses.
+
+type: long
+
+
+**`mysql.status.connection.errors.accept`**
+:   The number of errors that occurred during calls to accept() on the listening port.
+
+type: long
+
+
+**`mysql.status.connection.errors.internal`**
+:   The number of connections refused due to internal errors in the server, such as failure to start a new thread or an out-of-memory condition.
+
+type: long
+
+
+**`mysql.status.connection.errors.max`**
+:   The number of connections refused because the server max_connections limit was reached. thread or an out-of-memory condition.
+
+type: long
+
+
+**`mysql.status.connection.errors.tcpwrap`**
+:   The number of connections refused by the libwrap library.
+
+type: long
+
+
+**`mysql.status.connection.errors.select`**
+:   The number of errors that occurred during calls to select() or poll() on the listening port. (Failure of this operation does not necessarily means a client connection was rejected.)
+
+type: long
+
+
+
+## cache [_cache_3]
+
+
+## ssl [_ssl_8]
+
+SSL session cache hits and misses.
+
+**`mysql.status.cache.ssl.hits`**
+:   The number of SSL session cache hits.
+
+type: long
+
+
+**`mysql.status.cache.ssl.misses`**
+:   The number of SSL session cache misses.
+
+type: long
+
+
+**`mysql.status.cache.ssl.size`**
+:   The SSL session cache size.
+
+type: long
+
+
+
+## table [_table]
+
+
+## open_cache [_open_cache]
+
+**`mysql.status.cache.table.open_cache.hits`**
+:   The number of hits for open tables cache lookups.
+
+type: long
+
+
+**`mysql.status.cache.table.open_cache.misses`**
+:   The number of misses for open tables cache lookups.
+
+type: long
+
+
+**`mysql.status.cache.table.open_cache.overflows`**
+:   Number of times, after a table is opened or closed, a cache instance has an unused entry and the size of the instance is larger than table_open_cache / table_open_cache_instances
+
+type: long
+
+
+
+## binlog [_binlog]
+
+**`mysql.status.binlog.cache.disk_use`**
+:   type: long
+
+
+**`mysql.status.binlog.cache.use`**
+:   type: long
+
+
+
+## bytes [_bytes]
+
+Bytes stats.
+
+**`mysql.status.bytes.received`**
+:   The number of bytes received from all clients.
+
+type: long
+
+format: bytes
+
+
+**`mysql.status.bytes.sent`**
+:   The number of bytes sent to all clients.
+
+type: long
+
+format: bytes
+
+
+
+## threads [_threads_2]
+
+Threads stats.
+
+**`mysql.status.threads.cached`**
+:   The number of cached threads.
+
+type: long
+
+
+**`mysql.status.threads.created`**
+:   The number of created threads.
+
+type: long
+
+
+**`mysql.status.threads.connected`**
+:   The number of connected threads.
+
+type: long
+
+
+**`mysql.status.threads.running`**
+:   The number of running threads.
+
+type: long
+
+
+**`mysql.status.connections`**
+:   type: long
+
+
+
+## created [_created]
+
+**`mysql.status.created.tmp.disk_tables`**
+:   type: long
+
+
+**`mysql.status.created.tmp.files`**
+:   type: long
+
+
+**`mysql.status.created.tmp.tables`**
+:   type: long
+
+
+
+## delayed [_delayed]
+
+**`mysql.status.delayed.errors`**
+:   type: long
+
+
+**`mysql.status.delayed.insert_threads`**
+:   type: long
+
+
+**`mysql.status.delayed.writes`**
+:   type: long
+
+
+**`mysql.status.flush_commands`**
+:   type: long
+
+
+**`mysql.status.max_used_connections`**
+:   type: long
+
+
+
+## open [_open_2]
+
+**`mysql.status.open.files`**
+:   type: long
+
+
+**`mysql.status.open.streams`**
+:   type: long
+
+
+**`mysql.status.open.tables`**
+:   type: long
+
+
+**`mysql.status.opened_tables`**
+:   type: long
+
+
+
+## command [_command]
+
+**`mysql.status.command.delete`**
+:   The number of DELETE queries since startup.
+
+type: long
+
+
+**`mysql.status.command.insert`**
+:   The number of INSERT queries since startup.
+
+type: long
+
+
+**`mysql.status.command.select`**
+:   The number of SELECT queries since startup.
+
+type: long
+
+
+**`mysql.status.command.update`**
+:   The number of UPDATE queries since startup.
+
+type: long
+
+
+**`mysql.status.queries`**
+:   The number of statements executed by the server. This variable includes statements executed within stored programs, unlike the Questions variable. It does not count COM_PING or COM_STATISTICS commands.
+
+type: long
+
+
+**`mysql.status.questions`**
+:   The number of statements executed by the server. This includes only statements sent to the server by clients and not statements executed within stored programs, unlike the Queries variable. This variable does not count COM_PING, COM_STATISTICS, COM_STMT_PREPARE, COM_STMT_CLOSE, or COM_STMT_RESET commands.
+
+type: long
+
+
+
+## handler [_handler]
+
+**`mysql.status.handler.commit`**
+:   The number of internal COMMIT statements.
+
+type: long
+
+
+**`mysql.status.handler.delete`**
+:   The number of times that rows have been deleted from tables.
+
+type: long
+
+
+**`mysql.status.handler.external_lock`**
+:   The server increments this variable for each call to its external_lock() function, which generally occurs at the beginning and end of access to a table instance.
+
+type: long
+
+
+**`mysql.status.handler.mrr_init`**
+:   The number of times the server uses a storage engine’s own Multi-Range Read implementation for table access.
+
+type: long
+
+
+**`mysql.status.handler.prepare`**
+:   A counter for the prepare phase of two-phase commit operations.
+
+type: long
+
+
+
+## read [_read_6]
+
+**`mysql.status.handler.read.first`**
+:   The number of times the first entry in an index was read.
+
+type: long
+
+
+**`mysql.status.handler.read.key`**
+:   The number of requests to read a row based on a key.
+
+type: long
+
+
+**`mysql.status.handler.read.last`**
+:   The number of requests to read the last key in an index.
+
+type: long
+
+
+**`mysql.status.handler.read.next`**
+:   The number of requests to read the next row in key order.
+
+type: long
+
+
+**`mysql.status.handler.read.prev`**
+:   The number of requests to read the previous row in key order.
+
+type: long
+
+
+**`mysql.status.handler.read.rnd`**
+:   The number of requests to read a row based on a fixed position.
+
+type: long
+
+
+**`mysql.status.handler.read.rnd_next`**
+:   The number of requests to read the next row in the data file.
+
+type: long
+
+
+**`mysql.status.handler.rollback`**
+:   The number of requests for a storage engine to perform a rollback operation.
+
+type: long
+
+
+**`mysql.status.handler.savepoint`**
+:   The number of requests for a storage engine to place a savepoint.
+
+type: long
+
+
+**`mysql.status.handler.savepoint_rollback`**
+:   The number of requests for a storage engine to roll back to a savepoint.
+
+type: long
+
+
+**`mysql.status.handler.update`**
+:   The number of requests to update a row in a table.
+
+type: long
+
+
+**`mysql.status.handler.write`**
+:   The number of requests to insert a row in a table.
+
+type: long
+
+
+
+## innodb [_innodb]
+
+
+## rows [_rows]
+
+**`mysql.status.innodb.rows.reads`**
+:   The number of rows reads into InnoDB tables.
+
+type: long
+
+
+**`mysql.status.innodb.rows.inserted`**
+:   The number of rows inserted into InnoDB tables.
+
+type: long
+
+
+**`mysql.status.innodb.rows.deleted`**
+:   The number of rows deleted into InnoDB tables.
+
+type: long
+
+
+**`mysql.status.innodb.rows.updated`**
+:   The number of rows updated into InnoDB tables.
+
+type: long
+
+
+
+## buffer_pool [_buffer_pool]
+
+**`mysql.status.innodb.buffer_pool.dump_status`**
+:   The progress of an operation to record the pages held in the InnoDB buffer pool, triggered by the setting of innodb_buffer_pool_dump_at_shutdown or innodb_buffer_pool_dump_now.
+
+type: long
+
+
+**`mysql.status.innodb.buffer_pool.load_status`**
+:   The progress of an operation to warm up the InnoDB buffer pool by reading in a set of pages corresponding to an earlier point in time, triggered by the setting of innodb_buffer_pool_load_at_startup or innodb_buffer_pool_load_now.
+
+type: long
+
+
+
+## bytes [_bytes_2]
+
+**`mysql.status.innodb.buffer_pool.bytes.data`**
+:   The total number of bytes in the InnoDB buffer pool containing data.
+
+type: long
+
+
+**`mysql.status.innodb.buffer_pool.bytes.dirty`**
+:   The total current number of bytes held in dirty pages in the InnoDB buffer pool.
+
+type: long
+
+
+
+## pages [_pages]
+
+**`mysql.status.innodb.buffer_pool.pages.data`**
+:   The number of pages in the InnoDB buffer pool containing data.
+
+type: long
+
+
+**`mysql.status.innodb.buffer_pool.pages.dirty`**
+:   The current number of dirty pages in the InnoDB buffer pool.
+
+type: long
+
+
+**`mysql.status.innodb.buffer_pool.pages.flushed`**
+:   The number of requests to flush pages from the InnoDB buffer pool.
+
+type: long
+
+
+**`mysql.status.innodb.buffer_pool.pages.free`**
+:   The number of free pages in the InnoDB buffer pool.
+
+type: long
+
+
+**`mysql.status.innodb.buffer_pool.pages.latched`**
+:   The number of latched pages in the InnoDB buffer pool.
+
+type: long
+
+
+**`mysql.status.innodb.buffer_pool.pages.misc`**
+:   The number of pages in the InnoDB buffer pool that are busy because they have been allocated for administrative overhead, such as row locks or the adaptive hash index.
+
+type: long
+
+
+**`mysql.status.innodb.buffer_pool.pages.total`**
+:   The total size of the InnoDB buffer pool, in pages.
+
+type: long
+
+
+
+## read [_read_7]
+
+**`mysql.status.innodb.buffer_pool.read.ahead`**
+:   The number of pages read into the InnoDB buffer pool by the read-ahead background thread.
+
+type: long
+
+
+**`mysql.status.innodb.buffer_pool.read.ahead_evicted`**
+:   The number of pages read into the InnoDB buffer pool by the read-ahead background thread that were subsequently evicted without having been accessed by queries.
+
+type: long
+
+
+**`mysql.status.innodb.buffer_pool.read.ahead_rnd`**
+:   The number of "random" read-aheads initiated by InnoDB.
+
+type: long
+
+
+**`mysql.status.innodb.buffer_pool.read.requests`**
+:   The number of logical read requests.
+
+type: long
+
+
+
+## pool [_pool_2]
+
+**`mysql.status.innodb.buffer_pool.pool.reads`**
+:   The number of logical reads that InnoDB could not satisfy from the buffer pool, and had to read directly from disk.
+
+type: long
+
+
+**`mysql.status.innodb.buffer_pool.pool.resize_status`**
+:   The status of an operation to resize the InnoDB buffer pool dynamically, triggered by setting the innodb_buffer_pool_size parameter dynamically.
+
+type: long
+
+
+**`mysql.status.innodb.buffer_pool.pool.wait_free`**
+:   Normally, writes to the InnoDB buffer pool happen in the background. When InnoDB needs to read or create a page and no clean pages are available, InnoDB flushes some dirty pages first and waits for that operation to finish. This counter counts instances of these waits.
+
+type: long
+
+
+**`mysql.status.innodb.buffer_pool.write_requests`**
+:   The number of writes done to the InnoDB buffer pool.
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-nats.md b/docs/reference/metricbeat/exported-fields-nats.md
new file mode 100644
index 000000000000..0c85bb471b9a
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-nats.md
@@ -0,0 +1,393 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-nats.html
+---
+
+# NATS fields [exported-fields-nats]
+
+nats Module
+
+
+## nats [_nats]
+
+`nats` contains statistics that were read from Nats
+
+**`nats.server.id`**
+:   The server ID
+
+type: keyword
+
+
+**`nats.server.time`**
+:   [8.0.0]
+
+Server time of metric creation
+
+type: date
+
+
+
+## connection [_connection_3]
+
+Contains nats connection related metrics
+
+**`nats.connection.name`**
+:   The name of the connection
+
+type: keyword
+
+
+**`nats.connection.subscriptions`**
+:   The number of subscriptions in this connection
+
+type: integer
+
+
+**`nats.connection.pending_bytes`**
+:   The number of pending bytes of this connection
+
+type: long
+
+format: bytes
+
+
+**`nats.connection.uptime`**
+:   The period the connection is up (sec)
+
+type: long
+
+format: duration
+
+
+**`nats.connection.idle_time`**
+:   The period the connection is idle (sec)
+
+type: long
+
+format: duration
+
+
+
+## in [_in_2]
+
+The amount of incoming data
+
+**`nats.connection.in.messages`**
+:   The amount of incoming messages
+
+type: long
+
+
+**`nats.connection.in.bytes`**
+:   The amount of incoming bytes
+
+type: long
+
+format: bytes
+
+
+
+## out [_out_2]
+
+The amount of outgoing data
+
+**`nats.connection.out.messages`**
+:   The amount of outgoing messages
+
+type: long
+
+
+**`nats.connection.out.bytes`**
+:   The amount of outgoing bytes
+
+type: long
+
+format: bytes
+
+
+
+## connections [_connections_4]
+
+Contains nats connection related metrics
+
+**`nats.connections.total`**
+:   The number of currently active clients
+
+type: integer
+
+
+
+## route [_route]
+
+Contains nats route related metrics
+
+**`nats.route.subscriptions`**
+:   The number of subscriptions in this connection
+
+type: integer
+
+
+**`nats.route.remote_id`**
+:   The remote id on which the route is connected to
+
+type: keyword
+
+
+**`nats.route.pending_size`**
+:   The number of pending routes
+
+type: long
+
+
+**`nats.route.port`**
+:   The port of the route
+
+type: integer
+
+
+**`nats.route.ip`**
+:   The ip of the route
+
+type: ip
+
+
+
+## in [_in_3]
+
+The amount of incoming data
+
+**`nats.route.in.messages`**
+:   The amount of incoming messages
+
+type: long
+
+
+**`nats.route.in.bytes`**
+:   The amount of incoming bytes
+
+type: long
+
+format: bytes
+
+
+
+## out [_out_3]
+
+The amount of outgoing data
+
+**`nats.route.out.messages`**
+:   The amount of outgoing messages
+
+type: long
+
+
+**`nats.route.out.bytes`**
+:   The amount of outgoing bytes
+
+type: long
+
+format: bytes
+
+
+
+## routes [_routes]
+
+Contains nats route related metrics
+
+**`nats.routes.total`**
+:   The number of registered routes
+
+type: integer
+
+
+
+## stats [_stats_9]
+
+Contains nats var related metrics
+
+**`nats.stats.uptime`**
+:   The period the server is up (sec)
+
+type: long
+
+format: duration
+
+
+**`nats.stats.mem.bytes`**
+:   The current memory usage of NATS process
+
+type: long
+
+format: bytes
+
+
+**`nats.stats.cores`**
+:   The number of logical cores the NATS process runs on
+
+type: integer
+
+
+**`nats.stats.cpu`**
+:   The current cpu usage of NATs process
+
+type: scaled_float
+
+format: percent
+
+
+**`nats.stats.total_connections`**
+:   The number of totally created clients
+
+type: long
+
+
+**`nats.stats.remotes`**
+:   The number of registered remotes
+
+type: integer
+
+
+
+## in [_in_4]
+
+The amount of incoming data
+
+**`nats.stats.in.messages`**
+:   The amount of incoming messages
+
+type: long
+
+
+**`nats.stats.in.bytes`**
+:   The amount of incoming bytes
+
+type: long
+
+format: bytes
+
+
+
+## out [_out_4]
+
+The amount of outgoing data
+
+**`nats.stats.out.messages`**
+:   The amount of outgoing messages
+
+type: long
+
+
+**`nats.stats.out.bytes`**
+:   The amount of outgoing bytes
+
+type: long
+
+format: bytes
+
+
+**`nats.stats.slow_consumers`**
+:   The number of slow consumers currently on NATS
+
+type: long
+
+
+
+## http [_http_5]
+
+The http metrics of NATS server
+
+
+## req_stats [_req_stats]
+
+The requests statistics
+
+
+## uri [_uri]
+
+The request distribution on monitoring URIS
+
+**`nats.stats.http.req_stats.uri.routez`**
+:   The number of hits on routez monitoring uri
+
+type: long
+
+
+**`nats.stats.http.req_stats.uri.connz`**
+:   The number of hits on connz monitoring uri
+
+type: long
+
+
+**`nats.stats.http.req_stats.uri.varz`**
+:   The number of hits on varz monitoring uri
+
+type: long
+
+
+**`nats.stats.http.req_stats.uri.subsz`**
+:   The number of hits on subsz monitoring uri
+
+type: long
+
+
+**`nats.stats.http.req_stats.uri.root`**
+:   The number of hits on root monitoring uri
+
+type: long
+
+
+
+## subscriptions [_subscriptions]
+
+Contains nats subscriptions related metrics
+
+**`nats.subscriptions.total`**
+:   The number of active subscriptions
+
+type: integer
+
+
+**`nats.subscriptions.inserts`**
+:   The number of insert operations in subscriptions list
+
+type: long
+
+
+**`nats.subscriptions.removes`**
+:   The number of remove operations in subscriptions list
+
+type: long
+
+
+**`nats.subscriptions.matches`**
+:   The number of times a match is found for a subscription
+
+type: long
+
+
+**`nats.subscriptions.cache.size`**
+:   The number of result sets in the cache
+
+type: integer
+
+
+**`nats.subscriptions.cache.hit_rate`**
+:   The rate matches are being retrieved from cache
+
+type: scaled_float
+
+format: percent
+
+
+**`nats.subscriptions.cache.fanout.max`**
+:   The maximum fanout served by cache
+
+type: integer
+
+
+**`nats.subscriptions.cache.fanout.avg`**
+:   The average fanout served by cache
+
+type: double
+
+
diff --git a/docs/reference/metricbeat/exported-fields-nginx.md b/docs/reference/metricbeat/exported-fields-nginx.md
new file mode 100644
index 000000000000..5ee22d09a571
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-nginx.md
@@ -0,0 +1,79 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-nginx.html
+---
+
+# Nginx fields [exported-fields-nginx]
+
+Nginx server status metrics collected from various modules.
+
+
+## nginx [_nginx]
+
+`nginx` contains the metrics that were scraped from nginx.
+
+
+## stubstatus [_stubstatus]
+
+`stubstatus` contains the metrics that were scraped from the ngx_http_stub_status_module status page.
+
+**`nginx.stubstatus.hostname`**
+:   Nginx hostname.
+
+type: keyword
+
+
+**`nginx.stubstatus.active`**
+:   The current number of active client connections including Waiting connections.
+
+type: long
+
+
+**`nginx.stubstatus.accepts`**
+:   The total number of accepted client connections.
+
+type: long
+
+
+**`nginx.stubstatus.handled`**
+:   The total number of handled client connections.
+
+type: long
+
+
+**`nginx.stubstatus.dropped`**
+:   The total number of dropped client connections.
+
+type: long
+
+
+**`nginx.stubstatus.requests`**
+:   The total number of client requests.
+
+type: long
+
+
+**`nginx.stubstatus.current`**
+:   The current number of client requests.
+
+type: long
+
+
+**`nginx.stubstatus.reading`**
+:   The current number of connections where Nginx is reading the request header.
+
+type: long
+
+
+**`nginx.stubstatus.writing`**
+:   The current number of connections where Nginx is writing the response back to the client.
+
+type: long
+
+
+**`nginx.stubstatus.waiting`**
+:   The current number of idle client connections waiting for a request.
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-openai.md b/docs/reference/metricbeat/exported-fields-openai.md
new file mode 100644
index 000000000000..36833398e693
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-openai.md
@@ -0,0 +1,250 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/master/exported-fields-openai.html
+---
+
+# openai fields [exported-fields-openai]
+
+openai module
+
+
+## openai [_openai]
+
+
+## usage [_usage_14]
+
+OpenAI API usage metrics and statistics
+
+**`openai.usage.organization_id`**
+:   Organization identifier
+
+type: keyword
+
+
+**`openai.usage.organization_name`**
+:   Organization name
+
+type: keyword
+
+
+**`openai.usage.api_key_id`**
+:   API key identifier
+
+type: keyword
+
+
+**`openai.usage.api_key_name`**
+:   API key name
+
+type: keyword
+
+
+**`openai.usage.api_key_redacted`**
+:   Redacted API key
+
+type: keyword
+
+
+**`openai.usage.api_key_type`**
+:   Type of API key
+
+type: keyword
+
+
+**`openai.usage.project_id`**
+:   Project identifier
+
+type: keyword
+
+
+**`openai.usage.project_name`**
+:   Project name
+
+type: keyword
+
+
+
+## data [_data_2]
+
+General usage data metrics
+
+**`openai.usage.data.requests_total`**
+:   Number of requests made
+
+type: long
+
+
+**`openai.usage.data.operation`**
+:   Operation type
+
+type: keyword
+
+
+**`openai.usage.data.snapshot_id`**
+:   Snapshot identifier
+
+type: keyword
+
+
+**`openai.usage.data.context_tokens_total`**
+:   Total number of context tokens used
+
+type: long
+
+
+**`openai.usage.data.generated_tokens_total`**
+:   Total number of generated tokens
+
+type: long
+
+
+**`openai.usage.data.cached_context_tokens_total`**
+:   Total number of cached context tokens
+
+type: long
+
+
+**`openai.usage.data.email`**
+:   User email
+
+type: keyword
+
+
+**`openai.usage.data.request_type`**
+:   Type of request
+
+type: keyword
+
+
+
+## dalle [_dalle]
+
+DALL-E API usage metrics
+
+**`openai.usage.dalle.num_images`**
+:   Number of images generated
+
+type: long
+
+
+**`openai.usage.dalle.requests_total`**
+:   Number of requests
+
+type: long
+
+
+**`openai.usage.dalle.image_size`**
+:   Size of generated images
+
+type: keyword
+
+
+**`openai.usage.dalle.operation`**
+:   Operation type
+
+type: keyword
+
+
+**`openai.usage.dalle.user_id`**
+:   User identifier
+
+type: keyword
+
+
+**`openai.usage.dalle.model_id`**
+:   Model identifier
+
+type: keyword
+
+
+
+## whisper [_whisper]
+
+Whisper API usage metrics
+
+**`openai.usage.whisper.model_id`**
+:   Model identifier
+
+type: keyword
+
+
+**`openai.usage.whisper.num_seconds`**
+:   Number of seconds processed
+
+type: long
+
+
+**`openai.usage.whisper.requests_total`**
+:   Number of requests
+
+type: long
+
+
+**`openai.usage.whisper.user_id`**
+:   User identifier
+
+type: keyword
+
+
+
+## tts [_tts]
+
+Text-to-Speech API usage metrics
+
+**`openai.usage.tts.model_id`**
+:   Model identifier
+
+type: keyword
+
+
+**`openai.usage.tts.num_characters`**
+:   Number of characters processed
+
+type: long
+
+
+**`openai.usage.tts.requests_total`**
+:   Number of requests
+
+type: long
+
+
+**`openai.usage.tts.user_id`**
+:   User identifier
+
+type: keyword
+
+
+
+## ft_data [_ft_data]
+
+Fine-tuning data metrics
+
+**`openai.usage.ft_data.original`**
+:   Raw fine-tuning data
+
+type: object
+
+
+
+## assistant_code_interpreter [_assistant_code_interpreter]
+
+Assistant Code Interpreter usage metrics
+
+**`openai.usage.assistant_code_interpreter.original`**
+:   Raw assistant code interpreter data
+
+type: object
+
+
+
+## retrieval_storage [_retrieval_storage]
+
+Retrieval storage usage metrics
+
+**`openai.usage.retrieval_storage.original`**
+:   Raw retrieval storage data
+
+type: object
+
+
diff --git a/docs/reference/metricbeat/exported-fields-openmetrics.md b/docs/reference/metricbeat/exported-fields-openmetrics.md
new file mode 100644
index 000000000000..b04d237f2bb0
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-openmetrics.md
@@ -0,0 +1,56 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-openmetrics.html
+---
+
+# Openmetrics fields [exported-fields-openmetrics]
+
+Openmetrics module
+
+
+## openmetrics [_openmetrics]
+
+`openmetrics` contains metrics from endpoints that are following Openmetrics format.
+
+**`openmetrics.help`**
+:   Brief description of the MetricFamily
+
+type: keyword
+
+
+**`openmetrics.type`**
+:   Metric type
+
+type: keyword
+
+
+**`openmetrics.unit`**
+:   Metric unit
+
+type: keyword
+
+
+**`openmetrics.labels.*`**
+:   Openmetrics metric labels
+
+type: object
+
+
+**`openmetrics.metrics.*`**
+:   Openmetrics metric
+
+type: object
+
+
+**`openmetrics.exemplar.*`**
+:   Openmetrics exemplars
+
+type: object
+
+
+**`openmetrics.exemplar.labels.*`**
+:   Openmetrics metric exemplar labels
+
+type: object
+
+
diff --git a/docs/reference/metricbeat/exported-fields-oracle.md b/docs/reference/metricbeat/exported-fields-oracle.md
new file mode 100644
index 000000000000..e3057836b4e9
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-oracle.md
@@ -0,0 +1,351 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-oracle.html
+---
+
+# Oracle fields [exported-fields-oracle]
+
+Oracle database module
+
+
+## oracle [_oracle]
+
+Oracle module
+
+
+## performance [_performance_5]
+
+Performance related metrics on a single database instance
+
+**`oracle.performance.machine`**
+:   Operating system machine name
+
+type: keyword
+
+
+**`oracle.performance.buffer_pool`**
+:   Name of the buffer pool in the instance
+
+type: keyword
+
+
+**`oracle.performance.username`**
+:   Oracle username
+
+type: keyword
+
+
+**`oracle.performance.io_reloads`**
+:   Reloads / Pins ratio. A Reload is any PIN of an object that is not the first PIN performed since the object handle was created, and which requires loading the object from disk. Pins are the number of times a PIN was requested for objects of this namespace
+
+type: double
+
+
+**`oracle.performance.lock_requests`**
+:   Average of the ratio between *gethits* and *gets* being *Gethits* the number of times an object’s handle was found in memory and *gets* the number of times a lock was requested for objects of this namespace.
+
+type: long
+
+
+**`oracle.performance.pin_requests`**
+:   Average of all pinhits/pins ratios being *PinHits* the number of times all of the metadata pieces of the library object were found in memory and *pins* the number of times a PIN was requested for objects of this namespace
+
+type: double
+
+
+
+## cache [_cache_4]
+
+Statistics about all buffer pools available for the instance
+
+**`oracle.performance.cache.buffer.hit.pct`**
+:   The cache hit ratio of the specified buffer pool.
+
+type: double
+
+
+**`oracle.performance.cache.physical_reads`**
+:   Physical reads
+
+type: long
+
+
+
+## get [_get]
+
+Buffer pool *get* statistics
+
+**`oracle.performance.cache.get.consistent`**
+:   Consistent gets statistic
+
+type: long
+
+
+**`oracle.performance.cache.get.db_blocks`**
+:   Database blocks gotten
+
+type: long
+
+
+
+## cursors [_cursors]
+
+Cursors information
+
+**`oracle.performance.cursors.avg`**
+:   Average cursors opened by username and machine
+
+type: double
+
+
+**`oracle.performance.cursors.max`**
+:   Max cursors opened by username and machine
+
+type: double
+
+
+**`oracle.performance.cursors.total`**
+:   Total opened cursors by username and machine
+
+type: double
+
+
+
+## opened [_opened]
+
+Opened cursors statistic
+
+**`oracle.performance.cursors.opened.current`**
+:   Total number of current open cursors
+
+type: long
+
+
+**`oracle.performance.cursors.opened.total`**
+:   Total number of cursors opened since the instance started
+
+type: long
+
+
+
+## parse [_parse]
+
+Parses statistic information that occured in the current session
+
+**`oracle.performance.cursors.parse.real`**
+:   Real number of parses that occurred: session cursor cache hits - parse count (total)
+
+type: long
+
+
+**`oracle.performance.cursors.parse.total`**
+:   Total number of parse calls (hard and soft). A soft parse is a check on an object already in the shared pool, to verify that the permissions on the underlying object have not changed.
+
+type: long
+
+
+**`oracle.performance.cursors.session.cache_hits`**
+:   Number of hits in the session cursor cache. A hit means that the SQL statement did not have to be reparsed.
+
+type: long
+
+
+**`oracle.performance.cursors.cache_hit.pct`**
+:   Ratio of session cursor cache hits from total number of cursors
+
+type: double
+
+
+
+## sysmetric [_sysmetric_2]
+
+Sysmetric related metrics.
+
+**`oracle.sysmetric.session_count`**
+:   Session Count.
+
+type: long
+
+
+**`oracle.sysmetric.average_active_sessions`**
+:   Average Active Sessions.
+
+type: double
+
+
+**`oracle.sysmetric.current_os_load`**
+:   Current OS Load.
+
+type: double
+
+
+**`oracle.sysmetric.physical_reads_per_sec`**
+:   Physical Reads Per Second.
+
+type: double
+
+
+**`oracle.sysmetric.user_transaction_per_sec`**
+:   User Transaction Per Second.
+
+type: double
+
+
+**`oracle.sysmetric.total_table_scans_per_txn`**
+:   Total Table Scans Per Transaction.
+
+type: double
+
+
+**`oracle.sysmetric.physical_writes_per_sec`**
+:   Physical Writes Per Second.
+
+type: double
+
+
+**`oracle.sysmetric.total_index_scans_per_txn`**
+:   Total Index Scans Per Transaction.
+
+type: double
+
+
+**`oracle.sysmetric.host_cpu_utilization_pct`**
+:   Host CPU Utilization (%).
+
+type: double
+
+
+**`oracle.sysmetric.network_traffic_volume_per_sec`**
+:   Network Traffic Volume Per Second.
+
+type: double
+
+
+**`oracle.sysmetric.user_rollbacks_per_sec`**
+:   User Rollbacks Per Second.
+
+type: long
+
+
+**`oracle.sysmetric.cpu_usage_per_sec`**
+:   CPU Usage Per Second.
+
+type: double
+
+
+**`oracle.sysmetric.db_block_changes_per_sec`**
+:   DB Block Changes Per Second.
+
+type: double
+
+
+**`oracle.sysmetric.physical_read_total_bytes_per_sec`**
+:   Physical Read Total Bytes Per Second.
+
+type: double
+
+
+**`oracle.sysmetric.response_time_per_txn`**
+:   Response Time Per Transaction.
+
+type: double
+
+
+
+## tablespace [_tablespace]
+
+tablespace
+
+**`oracle.tablespace.name`**
+:   Tablespace name
+
+type: keyword
+
+
+
+## data_file [_data_file]
+
+Database files information
+
+**`oracle.tablespace.data_file.id`**
+:   Tablespace unique identifier
+
+type: long
+
+
+**`oracle.tablespace.data_file.name`**
+:   Filename of the data file
+
+type: keyword
+
+
+
+## size [_size_3]
+
+Size information about the file
+
+**`oracle.tablespace.data_file.size.max.bytes`**
+:   Maximum file size in bytes
+
+type: long
+
+format: bytes
+
+
+**`oracle.tablespace.data_file.size.bytes`**
+:   Size of the file in bytes
+
+type: long
+
+format: bytes
+
+
+**`oracle.tablespace.data_file.size.free.bytes`**
+:   The size of the file available for user data. The actual size of the file minus this value is used to store file related metadata.
+
+type: long
+
+format: bytes
+
+
+**`oracle.tablespace.data_file.status`**
+:   *File status: AVAILABLE or INVALID (INVALID means that the file number is not in use, for example, a file in a tablespace that was dropped)*
+
+type: keyword
+
+
+**`oracle.tablespace.data_file.online_status`**
+:   Last known online status of the data file. One of SYSOFF, SYSTEM, OFFLINE, ONLINE or RECOVER.
+
+type: keyword
+
+
+
+## space [_space]
+
+Tablespace space usage information
+
+**`oracle.tablespace.space.free.bytes`**
+:   Tablespace total free space available, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`oracle.tablespace.space.used.bytes`**
+:   Tablespace used space, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`oracle.tablespace.space.total.bytes`**
+:   Tablespace total size, in bytes.
+
+type: long
+
+format: bytes
+
+
diff --git a/docs/reference/metricbeat/exported-fields-panw.md b/docs/reference/metricbeat/exported-fields-panw.md
new file mode 100644
index 000000000000..9f8ad3e84004
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-panw.md
@@ -0,0 +1,30 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-panw.html
+---
+
+# Panw fields [exported-fields-panw]
+
+PAN-OS module
+
+
+## panw [_panw]
+
+PAN-OS module
+
+**`panw.interfaces.example`**
+:   type: keyword
+
+
+**`panw.routing.example`**
+:   type: keyword
+
+
+**`panw.system.example`**
+:   type: keyword
+
+
+**`panw.vpn.example`**
+:   type: keyword
+
+
diff --git a/docs/reference/metricbeat/exported-fields-php_fpm.md b/docs/reference/metricbeat/exported-fields-php_fpm.md
new file mode 100644
index 000000000000..b26a687f8656
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-php_fpm.md
@@ -0,0 +1,211 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-php_fpm.html
+---
+
+# PHP_FPM fields [exported-fields-php_fpm]
+
+PHP-FPM server status metrics collected from PHP-FPM.
+
+
+## php_fpm [_php_fpm]
+
+`php_fpm` contains the metrics that were obtained from PHP-FPM status page call.
+
+
+## pool [_pool_3]
+
+`pool` contains the metrics that were obtained from the PHP-FPM process pool.
+
+**`php_fpm.pool.name`**
+:   The name of the pool.
+
+type: keyword
+
+
+
+## pool [_pool_4]
+
+`pool` contains the metrics that were obtained from the PHP-FPM process pool.
+
+**`php_fpm.pool.process_manager`**
+:   Static, dynamic or ondemand.
+
+type: keyword
+
+
+
+## connections [_connections_5]
+
+Connection state specific statistics.
+
+**`php_fpm.pool.connections.accepted`**
+:   The number of incoming requests that the PHP-FPM server has accepted; when a connection is accepted it is removed from the listen queue.
+
+type: long
+
+
+**`php_fpm.pool.connections.queued`**
+:   The current number of connections that have been initiated, but not yet accepted. If this value is non-zero it typically means that all the available server processes are currently busy, and there are no processes available to serve the next request. Raising `pm.max_children` (provided the server can handle it) should help keep this number low. This property follows from the fact that PHP-FPM listens via a socket (TCP or file based), and thus inherits some of the characteristics of sockets.
+
+type: long
+
+
+**`php_fpm.pool.connections.max_listen_queue`**
+:   The maximum number of requests in the queue of pending connections since FPM has started.
+
+type: long
+
+
+**`php_fpm.pool.connections.listen_queue_len`**
+:   The size of the socket queue of pending connections.
+
+type: long
+
+
+
+## processes [_processes]
+
+Process state specific statistics.
+
+**`php_fpm.pool.processes.idle`**
+:   The number of servers in the `waiting to process` state (i.e. not currently serving a page). This value should fall between the `pm.min_spare_servers` and `pm.max_spare_servers` values when the process manager is `dynamic`.
+
+type: long
+
+
+**`php_fpm.pool.processes.active`**
+:   The number of servers current processing a page - the minimum is `1` (so even on a fully idle server, the result will be not read `0`).
+
+type: long
+
+
+**`php_fpm.pool.processes.total`**
+:   The number of idle + active processes.
+
+type: long
+
+
+**`php_fpm.pool.processes.max_active`**
+:   The maximum number of active processes since FPM has started.
+
+type: long
+
+
+**`php_fpm.pool.processes.max_children_reached`**
+:   Number of times, the process limit has been reached, when pm tries to start more children (works only for pm *dynamic* and *ondemand*).
+
+type: long
+
+
+**`php_fpm.pool.slow_requests`**
+:   The number of times a request execution time has exceeded `request_slowlog_timeout`.
+
+type: long
+
+
+**`php_fpm.pool.start_since`**
+:   Number of seconds since FPM has started.
+
+type: long
+
+
+**`php_fpm.pool.start_time`**
+:   The date and time FPM has started.
+
+type: date
+
+
+
+## process [_process_7]
+
+process contains the metrics that were obtained from the PHP-FPM process.
+
+**`php_fpm.process.pid`**
+:   The PID of the process
+
+type: alias
+
+alias to: process.pid
+
+
+**`php_fpm.process.state`**
+:   The state of the process (Idle, Running, etc)
+
+type: keyword
+
+
+**`php_fpm.process.start_time`**
+:   The date and time the process has started
+
+type: date
+
+
+**`php_fpm.process.start_since`**
+:   The number of seconds since the process has started
+
+type: integer
+
+
+**`php_fpm.process.requests`**
+:   The number of requests the process has served
+
+type: integer
+
+
+**`php_fpm.process.request_duration`**
+:   The duration in microseconds (1 million in a second) of the current request (my own definition)
+
+type: integer
+
+
+**`php_fpm.process.request_method`**
+:   The request method (GET, POST, etc) (of the current request)
+
+type: alias
+
+alias to: http.request.method
+
+
+**`php_fpm.process.request_uri`**
+:   The request URI with the query string (of the current request)
+
+type: alias
+
+alias to: url.original
+
+
+**`php_fpm.process.content_length`**
+:   The content length of the request (only with POST) (of the current request)
+
+type: alias
+
+alias to: http.response.body.bytes
+
+
+**`php_fpm.process.user`**
+:   The user (PHP_AUTH_USER) (or - if not set) (for the current request)
+
+type: alias
+
+alias to: user.name
+
+
+**`php_fpm.process.script`**
+:   The main script called (or - if not set) (for the current request)
+
+type: keyword
+
+
+**`php_fpm.process.last_request_cpu`**
+:   The CPU percentage the last request consumed. It’s always 0 if the process is not in Idle state because CPU calculation is done when the request processing has terminated
+
+type: long
+
+
+**`php_fpm.process.last_request_memory`**
+:   The max amount of memory the last request consumed. It’s always 0 if the process is not in Idle state because memory calculation is done when the request processing has terminated
+
+type: integer
+
+
diff --git a/docs/reference/metricbeat/exported-fields-postgresql.md b/docs/reference/metricbeat/exported-fields-postgresql.md
new file mode 100644
index 000000000000..bdb13a4984ca
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-postgresql.md
@@ -0,0 +1,441 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-postgresql.html
+---
+
+# PostgreSQL fields [exported-fields-postgresql]
+
+Metrics collected from PostgreSQL servers.
+
+
+## postgresql [_postgresql]
+
+PostgreSQL metrics.
+
+
+## activity [_activity]
+
+One document per server process, showing information related to the current activity of that process, such as state and current query. Collected by querying pg_stat_activity.
+
+**`postgresql.activity.database.oid`**
+:   OID of the database this backend is connected to.
+
+type: long
+
+
+**`postgresql.activity.database.name`**
+:   Name of the database this backend is connected to.
+
+type: keyword
+
+
+**`postgresql.activity.pid`**
+:   Process ID of this backend.
+
+type: long
+
+
+**`postgresql.activity.user.id`**
+:   OID of the user logged into this backend.
+
+type: long
+
+
+**`postgresql.activity.user.name`**
+:   Name of the user logged into this backend.
+
+
+**`postgresql.activity.application_name`**
+:   Name of the application that is connected to this backend.
+
+
+**`postgresql.activity.client.address`**
+:   IP address of the client connected to this backend.
+
+
+**`postgresql.activity.client.hostname`**
+:   Host name of the connected client, as reported by a reverse DNS lookup of client_addr.
+
+
+**`postgresql.activity.client.port`**
+:   TCP port number that the client is using for communication with this backend, or -1 if a Unix socket is used.
+
+type: long
+
+
+**`postgresql.activity.backend_type`**
+:   Type of the current backend. Possible types are autovacuum launcher, autovacuum worker, logical replication launcher, logical replication worker, parallel worker, background writer, client backend, checkpointer, startup, walreceiver, walsender and walwriter. Extensions may register workers with additional backend types.
+
+
+**`postgresql.activity.backend_start`**
+:   Time when this process was started, i.e., when the client connected to the server.
+
+type: date
+
+
+**`postgresql.activity.transaction_start`**
+:   Time when this process' current transaction was started.
+
+type: date
+
+
+**`postgresql.activity.query_start`**
+:   Time when the currently active query was started, or if state is not active, when the last query was started.
+
+type: date
+
+
+**`postgresql.activity.state_change`**
+:   Time when the state was last changed.
+
+type: date
+
+
+**`postgresql.activity.waiting`**
+:   True if this backend is currently waiting on a lock.
+
+type: boolean
+
+
+**`postgresql.activity.state`**
+:   Current overall state of this backend. Possible values are:
+
+* active: The backend is executing a query.
+* idle: The backend is waiting for a new client command.
+* idle in transaction: The backend is in a transaction, but is not currently executing a query.
+* idle in transaction (aborted): This state is similar to idle in transaction, except one of the statements in the transaction caused an error.
+* fastpath function call: The backend is executing a fast-path function.
+* disabled: This state is reported if track_activities is disabled in this backend.
+
+
+**`postgresql.activity.query`**
+:   Text of this backend’s most recent query. If state is active this field shows the currently executing query. In all other states, it shows the last query that was executed.
+
+
+**`postgresql.activity.wait_event`**
+:   Wait event name if the backend is currently waiting.
+
+
+**`postgresql.activity.wait_event_type`**
+:   The type of event for which the backend is waiting.
+
+
+
+## bgwriter [_bgwriter]
+
+Statistics about the background writer process’s activity. Collected using the pg_stat_bgwriter query.
+
+**`postgresql.bgwriter.checkpoints.scheduled`**
+:   Number of scheduled checkpoints that have been performed.
+
+type: long
+
+
+**`postgresql.bgwriter.checkpoints.requested`**
+:   Number of requested checkpoints that have been performed.
+
+type: long
+
+
+**`postgresql.bgwriter.checkpoints.times.write.ms`**
+:   Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk, in milliseconds.
+
+type: float
+
+
+**`postgresql.bgwriter.checkpoints.times.sync.ms`**
+:   Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk, in milliseconds.
+
+type: float
+
+
+**`postgresql.bgwriter.buffers.checkpoints`**
+:   Number of buffers written during checkpoints.
+
+type: long
+
+
+**`postgresql.bgwriter.buffers.clean`**
+:   Number of buffers written by the background writer.
+
+type: long
+
+
+**`postgresql.bgwriter.buffers.clean_full`**
+:   Number of times the background writer stopped a cleaning scan because it had written too many buffers.
+
+type: long
+
+
+**`postgresql.bgwriter.buffers.backend`**
+:   Number of buffers written directly by a backend.
+
+type: long
+
+
+**`postgresql.bgwriter.buffers.backend_fsync`**
+:   Number of times a backend had to execute its own fsync call (normally the background writer handles those even when the backend does its own write)
+
+type: long
+
+
+**`postgresql.bgwriter.buffers.allocated`**
+:   Number of buffers allocated.
+
+type: long
+
+
+**`postgresql.bgwriter.stats_reset`**
+:   Time at which these statistics were last reset.
+
+type: date
+
+
+
+## database [_database_2]
+
+One row per database, showing database-wide statistics. Collected by querying pg_stat_database
+
+**`postgresql.database.oid`**
+:   OID of the database this backend is connected to, or 0 for shared resources.
+
+type: long
+
+
+**`postgresql.database.name`**
+:   Name of the database this backend is connected to, empty for shared resources.
+
+type: keyword
+
+
+**`postgresql.database.number_of_backends`**
+:   Number of backends currently connected to this database.
+
+type: long
+
+
+**`postgresql.database.transactions.commit`**
+:   Number of transactions in this database that have been committed.
+
+type: long
+
+
+**`postgresql.database.transactions.rollback`**
+:   Number of transactions in this database that have been rolled back.
+
+type: long
+
+
+**`postgresql.database.blocks.read`**
+:   Number of disk blocks read in this database.
+
+type: long
+
+
+**`postgresql.database.blocks.hit`**
+:   Number of times disk blocks were found already in the buffer cache, so that a read was not necessary (this only includes hits in the PostgreSQL buffer cache, not the operating system’s file system cache).
+
+type: long
+
+
+**`postgresql.database.blocks.time.read.ms`**
+:   Time spent reading data file blocks by backends in this database, in milliseconds.
+
+type: double
+
+
+**`postgresql.database.blocks.time.write.ms`**
+:   Time spent writing data file blocks by backends in this database, in milliseconds.
+
+type: double
+
+
+**`postgresql.database.rows.returned`**
+:   Number of rows returned by queries in this database.
+
+type: long
+
+
+**`postgresql.database.rows.fetched`**
+:   Number of rows fetched by queries in this database.
+
+type: long
+
+
+**`postgresql.database.rows.inserted`**
+:   Number of rows inserted by queries in this database.
+
+type: long
+
+
+**`postgresql.database.rows.updated`**
+:   Number of rows updated by queries in this database.
+
+type: long
+
+
+**`postgresql.database.rows.deleted`**
+:   Number of rows deleted by queries in this database.
+
+type: long
+
+
+**`postgresql.database.conflicts`**
+:   Number of queries canceled due to conflicts with recovery in this database.
+
+type: long
+
+
+**`postgresql.database.temporary.files`**
+:   Number of temporary files created by queries in this database. All temporary files are counted, regardless of why the temporary file was created (e.g., sorting or hashing), and regardless of the log_temp_files setting.
+
+type: long
+
+
+**`postgresql.database.temporary.bytes`**
+:   Total amount of data written to temporary files by queries in this database. All temporary files are counted, regardless of why the temporary file was created, and regardless of the log_temp_files setting.
+
+type: long
+
+
+**`postgresql.database.deadlocks`**
+:   Number of deadlocks detected in this database.
+
+type: long
+
+
+**`postgresql.database.stats_reset`**
+:   Time at which these statistics were last reset.
+
+type: date
+
+
+
+## statement [_statement]
+
+One document per query per user per database, showing information related invocation of that query, such as cpu usage and total time. Collected by querying pg_stat_statements.
+
+**`postgresql.statement.user.id`**
+:   OID of the user logged into the backend that ran the query.
+
+type: long
+
+
+**`postgresql.statement.database.oid`**
+:   OID of the database the query was run on.
+
+type: long
+
+
+**`postgresql.statement.query.id`**
+:   ID of the statement.
+
+type: long
+
+
+**`postgresql.statement.query.text`**
+:   Query text
+
+
+**`postgresql.statement.query.calls`**
+:   Number of times the query has been run.
+
+type: long
+
+
+**`postgresql.statement.query.rows`**
+:   Total number of rows returned by query.
+
+type: long
+
+
+**`postgresql.statement.query.time.total.ms`**
+:   Total number of milliseconds spent running query.
+
+type: float
+
+
+**`postgresql.statement.query.time.min.ms`**
+:   Minimum number of milliseconds spent running query.
+
+type: float
+
+
+**`postgresql.statement.query.time.max.ms`**
+:   Maximum number of milliseconds spent running query.
+
+type: float
+
+
+**`postgresql.statement.query.time.mean.ms`**
+:   Mean number of milliseconds spent running query.
+
+type: long
+
+
+**`postgresql.statement.query.time.stddev.ms`**
+:   Population standard deviation of time spent running query, in milliseconds.
+
+type: long
+
+
+**`postgresql.statement.query.memory.shared.hit`**
+:   Total number of shared block cache hits by the query.
+
+type: long
+
+
+**`postgresql.statement.query.memory.shared.read`**
+:   Total number of shared block cache read by the query.
+
+type: long
+
+
+**`postgresql.statement.query.memory.shared.dirtied`**
+:   Total number of shared block cache dirtied by the query.
+
+type: long
+
+
+**`postgresql.statement.query.memory.shared.written`**
+:   Total number of shared block cache written by the query.
+
+type: long
+
+
+**`postgresql.statement.query.memory.local.hit`**
+:   Total number of local block cache hits by the query.
+
+type: long
+
+
+**`postgresql.statement.query.memory.local.read`**
+:   Total number of local block cache read by the query.
+
+type: long
+
+
+**`postgresql.statement.query.memory.local.dirtied`**
+:   Total number of local block cache dirtied by the query.
+
+type: long
+
+
+**`postgresql.statement.query.memory.local.written`**
+:   Total number of local block cache written by the query.
+
+type: long
+
+
+**`postgresql.statement.query.memory.temp.read`**
+:   Total number of temp block cache read by the query.
+
+type: long
+
+
+**`postgresql.statement.query.memory.temp.written`**
+:   Total number of temp block cache written by the query.
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-process.md b/docs/reference/metricbeat/exported-fields-process.md
new file mode 100644
index 000000000000..c1d1a224216c
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-process.md
@@ -0,0 +1,38 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-process.html
+---
+
+# Process fields [exported-fields-process]
+
+Process metadata fields
+
+**`process.exe`**
+:   type: alias
+
+alias to: process.executable
+
+
+
+## owner [_owner_2]
+
+Process owner information.
+
+**`process.owner.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+
+**`process.owner.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+
+**`process.owner.name.text`**
+:   type: text
+
+
diff --git a/docs/reference/metricbeat/exported-fields-prometheus-xpack.md b/docs/reference/metricbeat/exported-fields-prometheus-xpack.md
new file mode 100644
index 000000000000..a55f5b671107
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-prometheus-xpack.md
@@ -0,0 +1,33 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-prometheus-xpack.html
+---
+
+# Prometheus typed metrics fields [exported-fields-prometheus-xpack]
+
+Stats scraped from a Prometheus endpoint.
+
+**`prometheus.*.value`**
+:   Prometheus gauge metric
+
+type: object
+
+
+**`prometheus.*.counter`**
+:   Prometheus counter metric
+
+type: object
+
+
+**`prometheus.*.rate`**
+:   Prometheus rated counter metric
+
+type: object
+
+
+**`prometheus.*.histogram`**
+:   Prometheus histogram metric - release: ga
+
+type: object
+
+
diff --git a/docs/reference/metricbeat/exported-fields-prometheus.md b/docs/reference/metricbeat/exported-fields-prometheus.md
new file mode 100644
index 000000000000..3e1944dbbcf6
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-prometheus.md
@@ -0,0 +1,43 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-prometheus.html
+---
+
+# Prometheus fields [exported-fields-prometheus]
+
+Stats scraped from a Prometheus endpoint.
+
+**`metrics_count`**
+:   Number of metrics per Elasticsearch document.
+
+type: long
+
+
+**`prometheus.labels.*`**
+:   Prometheus metric labels
+
+type: object
+
+
+**`prometheus.metrics.*`**
+:   Prometheus metric
+
+type: object
+
+
+**`prometheus.query.*`**
+:   Prometheus value resulted from PromQL
+
+type: object
+
+
+
+## query [_query_3]
+
+query metricset
+
+
+## remote_write [_remote_write]
+
+remote write metrics from Prometheus server
+
diff --git a/docs/reference/metricbeat/exported-fields-rabbitmq.md b/docs/reference/metricbeat/exported-fields-rabbitmq.md
new file mode 100644
index 000000000000..580a2241447b
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-rabbitmq.md
@@ -0,0 +1,625 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-rabbitmq.html
+---
+
+# RabbitMQ fields [exported-fields-rabbitmq]
+
+RabbitMQ module
+
+
+## rabbitmq [_rabbitmq]
+
+**`rabbitmq.vhost`**
+:   Virtual host name with non-ASCII characters escaped as in C.
+
+type: keyword
+
+
+
+## connection [_connection_4]
+
+connection
+
+**`rabbitmq.connection.name`**
+:   The name of the connection with non-ASCII characters escaped as in C.
+
+type: keyword
+
+
+**`rabbitmq.connection.vhost`**
+:   Virtual host name with non-ASCII characters escaped as in C.
+
+type: alias
+
+alias to: rabbitmq.vhost
+
+
+**`rabbitmq.connection.user`**
+:   User name.
+
+type: alias
+
+alias to: user.name
+
+
+**`rabbitmq.connection.node`**
+:   Node name.
+
+type: alias
+
+alias to: rabbitmq.node.name
+
+
+**`rabbitmq.connection.state`**
+:   Connection state.
+
+type: keyword
+
+
+**`rabbitmq.connection.channels`**
+:   The number of channels on the connection.
+
+type: long
+
+
+**`rabbitmq.connection.channel_max`**
+:   The maximum number of channels allowed on the connection.
+
+type: long
+
+
+**`rabbitmq.connection.frame_max`**
+:   Maximum permissible size of a frame (in bytes) to negotiate with clients.
+
+type: long
+
+format: bytes
+
+
+**`rabbitmq.connection.type`**
+:   Type of the connection.
+
+type: keyword
+
+
+**`rabbitmq.connection.host`**
+:   Server hostname obtained via reverse DNS, or its IP address if reverse DNS failed or was disabled.
+
+type: keyword
+
+
+**`rabbitmq.connection.peer.host`**
+:   Peer hostname obtained via reverse DNS, or its IP address if reverse DNS failed or was not enabled.
+
+type: keyword
+
+
+**`rabbitmq.connection.port`**
+:   Server port.
+
+type: long
+
+
+**`rabbitmq.connection.peer.port`**
+:   Peer port.
+
+type: long
+
+
+**`rabbitmq.connection.packet_count.sent`**
+:   Number of packets sent on the connection.
+
+type: long
+
+
+**`rabbitmq.connection.packet_count.received`**
+:   Number of packets received on the connection.
+
+type: long
+
+
+**`rabbitmq.connection.packet_count.pending`**
+:   Number of packets pending on the connection.
+
+type: long
+
+
+**`rabbitmq.connection.octet_count.sent`**
+:   Number of octets sent on the connection.
+
+type: long
+
+
+**`rabbitmq.connection.octet_count.received`**
+:   Number of octets received on the connection.
+
+type: long
+
+
+**`rabbitmq.connection.client_provided.name`**
+:   User specified connection name.
+
+type: keyword
+
+
+
+## exchange [_exchange]
+
+exchange
+
+**`rabbitmq.exchange.name`**
+:   The name of the queue with non-ASCII characters escaped as in C.
+
+type: keyword
+
+
+**`rabbitmq.exchange.vhost`**
+:   Virtual host name with non-ASCII characters escaped as in C.
+
+type: alias
+
+alias to: rabbitmq.vhost
+
+
+**`rabbitmq.exchange.durable`**
+:   Whether or not the queue survives server restarts.
+
+type: boolean
+
+
+**`rabbitmq.exchange.auto_delete`**
+:   Whether the queue will be deleted automatically when no longer used.
+
+type: boolean
+
+
+**`rabbitmq.exchange.internal`**
+:   Whether the exchange is internal, i.e. cannot be directly published to by a client.
+
+type: boolean
+
+
+**`rabbitmq.exchange.user`**
+:   User who created the exchange.
+
+type: alias
+
+alias to: user.name
+
+
+**`rabbitmq.exchange.messages.publish_in.count`**
+:   Count of messages published "in" to an exchange, i.e. not taking account of routing.
+
+type: long
+
+
+**`rabbitmq.exchange.messages.publish_in.details.rate`**
+:   How much the exchange publish-in count has changed per second in the most recent sampling interval.
+
+type: float
+
+
+**`rabbitmq.exchange.messages.publish_out.count`**
+:   Count of messages published "out" of an exchange, i.e. taking account of routing.
+
+type: long
+
+
+**`rabbitmq.exchange.messages.publish_out.details.rate`**
+:   How much the exchange publish-out count has changed per second in the most recent sampling interval.
+
+type: float
+
+
+
+## node [_node_8]
+
+node
+
+**`rabbitmq.node.disk.free.bytes`**
+:   Disk free space in bytes.
+
+type: long
+
+format: bytes
+
+
+**`rabbitmq.node.disk.free.limit.bytes`**
+:   Point at which the disk alarm will go off.
+
+type: long
+
+format: bytes
+
+
+**`rabbitmq.node.fd.total`**
+:   File descriptors available.
+
+type: long
+
+
+**`rabbitmq.node.fd.used`**
+:   Used file descriptors.
+
+type: long
+
+
+**`rabbitmq.node.gc.num.count`**
+:   Number of GC operations.
+
+type: long
+
+
+**`rabbitmq.node.gc.reclaimed.bytes`**
+:   GC bytes reclaimed.
+
+type: long
+
+format: bytes
+
+
+**`rabbitmq.node.io.file_handle.open_attempt.avg.ms`**
+:   File handle open avg time
+
+type: long
+
+
+**`rabbitmq.node.io.file_handle.open_attempt.count`**
+:   File handle open attempts
+
+type: long
+
+
+**`rabbitmq.node.io.read.avg.ms`**
+:   File handle read avg time
+
+type: long
+
+
+**`rabbitmq.node.io.read.bytes`**
+:   Data read in bytes
+
+type: long
+
+format: bytes
+
+
+**`rabbitmq.node.io.read.count`**
+:   Data read operations
+
+type: long
+
+
+**`rabbitmq.node.io.reopen.count`**
+:   Data reopen operations
+
+type: long
+
+
+**`rabbitmq.node.io.seek.avg.ms`**
+:   Data seek avg time
+
+type: long
+
+
+**`rabbitmq.node.io.seek.count`**
+:   Data seek operations
+
+type: long
+
+
+**`rabbitmq.node.io.sync.avg.ms`**
+:   Data sync avg time
+
+type: long
+
+
+**`rabbitmq.node.io.sync.count`**
+:   Data sync operations
+
+type: long
+
+
+**`rabbitmq.node.io.write.avg.ms`**
+:   Data write avg time
+
+type: long
+
+
+**`rabbitmq.node.io.write.bytes`**
+:   Data write in bytes
+
+type: long
+
+format: bytes
+
+
+**`rabbitmq.node.io.write.count`**
+:   Data write operations
+
+type: long
+
+
+**`rabbitmq.node.mem.limit.bytes`**
+:   Point at which the memory alarm will go off.
+
+type: long
+
+format: bytes
+
+
+**`rabbitmq.node.mem.used.bytes`**
+:   Memory used in bytes.
+
+type: long
+
+
+**`rabbitmq.node.mnesia.disk.tx.count`**
+:   Number of Mnesia transactions which have been performed that required writes to disk.
+
+type: long
+
+
+**`rabbitmq.node.mnesia.ram.tx.count`**
+:   Number of Mnesia transactions which have been performed that did not require writes to disk.
+
+type: long
+
+
+**`rabbitmq.node.msg.store_read.count`**
+:   Number of messages which have been read from the message store.
+
+type: long
+
+
+**`rabbitmq.node.msg.store_write.count`**
+:   Number of messages which have been written to the message store.
+
+type: long
+
+
+**`rabbitmq.node.name`**
+:   Node name
+
+type: keyword
+
+
+**`rabbitmq.node.proc.total`**
+:   Maximum number of Erlang processes.
+
+type: long
+
+
+**`rabbitmq.node.proc.used`**
+:   Number of Erlang processes in use.
+
+type: long
+
+
+**`rabbitmq.node.processors`**
+:   Number of cores detected and usable by Erlang.
+
+type: long
+
+
+**`rabbitmq.node.queue.index.journal_write.count`**
+:   Number of records written to the queue index journal.
+
+type: long
+
+
+**`rabbitmq.node.queue.index.read.count`**
+:   Number of records read from the queue index.
+
+type: long
+
+
+**`rabbitmq.node.queue.index.write.count`**
+:   Number of records written to the queue index.
+
+type: long
+
+
+**`rabbitmq.node.run.queue`**
+:   Average number of Erlang processes waiting to run.
+
+type: long
+
+
+**`rabbitmq.node.socket.total`**
+:   File descriptors available for use as sockets.
+
+type: long
+
+
+**`rabbitmq.node.socket.used`**
+:   File descriptors used as sockets.
+
+type: long
+
+
+**`rabbitmq.node.type`**
+:   Node type.
+
+type: keyword
+
+
+**`rabbitmq.node.uptime`**
+:   Node uptime.
+
+type: long
+
+
+
+## queue [_queue_9]
+
+queue
+
+**`rabbitmq.queue.name`**
+:   The name of the queue with non-ASCII characters escaped as in C.
+
+type: keyword
+
+
+**`rabbitmq.queue.vhost`**
+:   Virtual host name with non-ASCII characters escaped as in C.
+
+type: alias
+
+alias to: rabbitmq.vhost
+
+
+**`rabbitmq.queue.durable`**
+:   Whether or not the queue survives server restarts.
+
+type: boolean
+
+
+**`rabbitmq.queue.auto_delete`**
+:   Whether the queue will be deleted automatically when no longer used.
+
+type: boolean
+
+
+**`rabbitmq.queue.exclusive`**
+:   Whether the queue is exclusive (i.e. has owner_pid).
+
+type: boolean
+
+
+**`rabbitmq.queue.node`**
+:   Node name.
+
+type: alias
+
+alias to: rabbitmq.node.name
+
+
+**`rabbitmq.queue.state`**
+:   The state of the queue. Normally *running*, but may be "{syncing, MsgCount}" if the queue is synchronising. Queues which are located on cluster nodes that are currently down will be shown with a status of *down*.
+
+type: keyword
+
+
+**`rabbitmq.queue.arguments.max_priority`**
+:   Maximum number of priority levels for the queue to support.
+
+type: long
+
+
+**`rabbitmq.queue.consumers.count`**
+:   Number of consumers.
+
+type: long
+
+
+**`rabbitmq.queue.consumers.utilisation.pct`**
+:   Fraction of the time (between 0.0 and 1.0) that the queue is able to immediately deliver messages to consumers. This can be less than 1.0 if consumers are limited by network congestion or prefetch count.
+
+type: scaled_float
+
+format: percent
+
+
+**`rabbitmq.queue.messages.total.count`**
+:   Sum of ready and unacknowledged messages (queue depth).
+
+type: long
+
+
+**`rabbitmq.queue.messages.total.details.rate`**
+:   How much the queue depth has changed per second in the most recent sampling interval.
+
+type: float
+
+
+**`rabbitmq.queue.messages.ready.count`**
+:   Number of messages ready to be delivered to clients.
+
+type: long
+
+
+**`rabbitmq.queue.messages.ready.details.rate`**
+:   How much the count of messages ready has changed per second in the most recent sampling interval.
+
+type: float
+
+
+**`rabbitmq.queue.messages.unacknowledged.count`**
+:   Number of messages delivered to clients but not yet acknowledged.
+
+type: long
+
+
+**`rabbitmq.queue.messages.unacknowledged.details.rate`**
+:   How much the count of unacknowledged messages has changed per second in the most recent sampling interval.
+
+type: float
+
+
+**`rabbitmq.queue.messages.persistent.count`**
+:   Total number of persistent messages in the queue (will always be 0 for transient queues).
+
+type: long
+
+
+**`rabbitmq.queue.memory.bytes`**
+:   Bytes of memory consumed by the Erlang process associated with the queue, including stack, heap and internal structures.
+
+type: long
+
+format: bytes
+
+
+**`rabbitmq.queue.disk.reads.count`**
+:   Total number of times messages have been read from disk by this queue since it started.
+
+type: long
+
+
+**`rabbitmq.queue.disk.writes.count`**
+:   Total number of times messages have been written to disk by this queue since it started.
+
+type: long
+
+
+
+## shovel [_shovel]
+
+shovel
+
+**`rabbitmq.shovel.name`**
+:   The name of the shovel with non-ASCII characters escaped as in C.
+
+type: keyword
+
+
+**`rabbitmq.shovel.vhost`**
+:   Virtual host name with non-ASCII characters escaped as in C.
+
+type: alias
+
+alias to: rabbitmq.vhost
+
+
+**`rabbitmq.shovel.node`**
+:   Node name.
+
+type: alias
+
+alias to: rabbitmq.node.name
+
+
+**`rabbitmq.shovel.state`**
+:   The state of the shovel. Normally *running*, but could be *starting* or *terminated*.
+
+type: keyword
+
+
+**`rabbitmq.shovel.type`**
+:   The type of the shovel. Either *static* or *dynamic*.
+
+type: keyword
+
+
diff --git a/docs/reference/metricbeat/exported-fields-redis.md b/docs/reference/metricbeat/exported-fields-redis.md
new file mode 100644
index 000000000000..3f4b6e51c014
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-redis.md
@@ -0,0 +1,860 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-redis.html
+---
+
+# Redis fields [exported-fields-redis]
+
+Redis metrics collected from Redis.
+
+
+## redis [_redis]
+
+`redis` contains the information and statistics from Redis.
+
+
+## info [_info_6]
+
+`info` contains the information and statistics returned by the `INFO` command.
+
+
+## clients [_clients]
+
+Redis client stats.
+
+**`redis.info.clients.connected`**
+:   Number of client connections (excluding connections from slaves).
+
+type: long
+
+
+**`redis.info.clients.max_output_buffer`**
+:   Longest output list among current client connections.
+
+type: long
+
+
+**`redis.info.clients.max_input_buffer`**
+:   Biggest input buffer among current client connections (on redis 5.0).
+
+type: long
+
+
+**`redis.info.clients.blocked`**
+:   Number of clients pending on a blocking call (BLPOP, BRPOP, BRPOPLPUSH).
+
+type: long
+
+
+
+## cluster [_cluster_3]
+
+Redis cluster information.
+
+**`redis.info.cluster.enabled`**
+:   Indicates that the Redis cluster is enabled.
+
+type: boolean
+
+
+
+## cpu [_cpu_10]
+
+Redis CPU stats
+
+**`redis.info.cpu.used.sys`**
+:   System CPU consumed by the Redis server.
+
+type: scaled_float
+
+
+**`redis.info.cpu.used.sys_children`**
+:   System CPU consumed by the background processes.
+
+type: scaled_float
+
+
+**`redis.info.cpu.used.user`**
+:   User CPU consumed by the Redis server.
+
+type: scaled_float
+
+
+**`redis.info.cpu.used.user_children`**
+:   User CPU consumed by the background processes.
+
+type: scaled_float
+
+
+
+## memory [_memory_10]
+
+Redis memory stats.
+
+**`redis.info.memory.used.value`**
+:   Total number of bytes allocated by Redis.
+
+type: long
+
+format: bytes
+
+
+**`redis.info.memory.used.rss`**
+:   Number of bytes that Redis allocated as seen by the operating system (a.k.a resident set size).
+
+type: long
+
+format: bytes
+
+
+**`redis.info.memory.used.peak`**
+:   Peak memory consumed by Redis.
+
+type: long
+
+format: bytes
+
+
+**`redis.info.memory.used.lua`**
+:   Used memory by the Lua engine.
+
+type: long
+
+format: bytes
+
+
+**`redis.info.memory.used.dataset`**
+:   The size in bytes of the dataset
+
+type: long
+
+format: bytes
+
+
+**`redis.info.memory.max.value`**
+:   Memory limit.
+
+type: long
+
+format: bytes
+
+
+**`redis.info.memory.max.policy`**
+:   Eviction policy to use when memory limit is reached.
+
+type: keyword
+
+
+**`redis.info.memory.fragmentation.ratio`**
+:   Ratio between used_memory_rss and used_memory
+
+type: float
+
+
+**`redis.info.memory.fragmentation.bytes`**
+:   Bytes between used_memory_rss and used_memory
+
+type: long
+
+format: bytes
+
+
+**`redis.info.memory.active_defrag.is_running`**
+:   Flag indicating if active defragmentation is active
+
+type: boolean
+
+
+**`redis.info.memory.allocator`**
+:   Memory allocator.
+
+type: keyword
+
+
+**`redis.info.memory.allocator_stats.allocated`**
+:   Allocated memory
+
+type: long
+
+format: bytes
+
+
+**`redis.info.memory.allocator_stats.active`**
+:   Active memory
+
+type: long
+
+format: bytes
+
+
+**`redis.info.memory.allocator_stats.resident`**
+:   Resident memory
+
+type: long
+
+format: bytes
+
+
+**`redis.info.memory.allocator_stats.fragmentation.ratio`**
+:   Fragmentation ratio
+
+type: float
+
+
+**`redis.info.memory.allocator_stats.fragmentation.bytes`**
+:   Fragmented bytes
+
+type: long
+
+format: bytes
+
+
+**`redis.info.memory.allocator_stats.rss.ratio`**
+:   Resident ratio
+
+type: float
+
+
+**`redis.info.memory.allocator_stats.rss.bytes`**
+:   Resident bytes
+
+type: long
+
+format: bytes
+
+
+
+## persistence [_persistence]
+
+Redis CPU stats.
+
+**`redis.info.persistence.loading`**
+:   Flag indicating if the load of a dump file is on-going
+
+type: boolean
+
+
+
+## rdb [_rdb]
+
+Provides information about RDB persistence
+
+**`redis.info.persistence.rdb.last_save.changes_since`**
+:   Number of changes since the last dump
+
+type: long
+
+
+**`redis.info.persistence.rdb.last_save.time`**
+:   Epoch-based timestamp of last successful RDB save
+
+type: long
+
+
+**`redis.info.persistence.rdb.bgsave.in_progress`**
+:   Flag indicating a RDB save is on-going
+
+type: boolean
+
+
+**`redis.info.persistence.rdb.bgsave.last_status`**
+:   Status of the last RDB save operation
+
+type: keyword
+
+
+**`redis.info.persistence.rdb.bgsave.last_time.sec`**
+:   Duration of the last RDB save operation in seconds
+
+type: long
+
+format: duration
+
+
+**`redis.info.persistence.rdb.bgsave.current_time.sec`**
+:   Duration of the on-going RDB save operation if any
+
+type: long
+
+format: duration
+
+
+**`redis.info.persistence.rdb.copy_on_write.last_size`**
+:   The size in bytes of copy-on-write allocations during the last RBD save operation
+
+type: long
+
+format: bytes
+
+
+
+## aof [_aof]
+
+Provides information about AOF persitence
+
+**`redis.info.persistence.aof.enabled`**
+:   Flag indicating AOF logging is activated
+
+type: boolean
+
+
+**`redis.info.persistence.aof.rewrite.in_progress`**
+:   Flag indicating a AOF rewrite operation is on-going
+
+type: boolean
+
+
+**`redis.info.persistence.aof.rewrite.scheduled`**
+:   Flag indicating an AOF rewrite operation will be scheduled once the on-going RDB save is complete.
+
+type: boolean
+
+
+**`redis.info.persistence.aof.rewrite.last_time.sec`**
+:   Duration of the last AOF rewrite operation in seconds
+
+type: long
+
+format: duration
+
+
+**`redis.info.persistence.aof.rewrite.current_time.sec`**
+:   Duration of the on-going AOF rewrite operation if any
+
+type: long
+
+format: duration
+
+
+**`redis.info.persistence.aof.rewrite.buffer.size`**
+:   Size of the AOF rewrite buffer
+
+type: long
+
+format: bytes
+
+
+**`redis.info.persistence.aof.bgrewrite.last_status`**
+:   Status of the last AOF rewrite operatio
+
+type: keyword
+
+
+**`redis.info.persistence.aof.write.last_status`**
+:   Status of the last write operation to the AOF
+
+type: keyword
+
+
+**`redis.info.persistence.aof.copy_on_write.last_size`**
+:   The size in bytes of copy-on-write allocations during the last RBD save operation
+
+type: long
+
+format: bytes
+
+
+**`redis.info.persistence.aof.buffer.size`**
+:   Size of the AOF buffer
+
+type: long
+
+format: bytes
+
+
+**`redis.info.persistence.aof.size.current`**
+:   AOF current file size
+
+type: long
+
+format: bytes
+
+
+**`redis.info.persistence.aof.size.base`**
+:   AOF file size on latest startup or rewrite
+
+type: long
+
+format: bytes
+
+
+**`redis.info.persistence.aof.fsync.pending`**
+:   Number of fsync pending jobs in background I/O queue
+
+type: long
+
+
+**`redis.info.persistence.aof.fsync.delayed`**
+:   Delayed fsync counter
+
+type: long
+
+
+
+## replication [_replication_2]
+
+Replication
+
+**`redis.info.replication.role`**
+:   Role of the instance (can be "master", or "slave").
+
+type: keyword
+
+
+**`redis.info.replication.connected_slaves`**
+:   Number of connected slaves
+
+type: long
+
+
+**`redis.info.replication.backlog.active`**
+:   Flag indicating replication backlog is active
+
+type: long
+
+
+**`redis.info.replication.backlog.size`**
+:   Total size in bytes of the replication backlog buffer
+
+type: long
+
+format: bytes
+
+
+**`redis.info.replication.backlog.first_byte_offset`**
+:   The master offset of the replication backlog buffer
+
+type: long
+
+
+**`redis.info.replication.backlog.histlen`**
+:   Size in bytes of the data in the replication backlog buffer
+
+type: long
+
+
+**`redis.info.replication.master.offset`**
+:   The server’s current replication offset
+
+type: long
+
+
+**`redis.info.replication.master.second_offset`**
+:   The offset up to which replication IDs are accepted
+
+type: long
+
+
+**`redis.info.replication.master.link_status`**
+:   Status of the link (up/down)
+
+type: keyword
+
+
+**`redis.info.replication.master.last_io_seconds_ago`**
+:   Number of seconds since the last interaction with master
+
+type: long
+
+format: duration
+
+
+**`redis.info.replication.master.sync.in_progress`**
+:   Indicate the master is syncing to the slave
+
+type: boolean
+
+
+**`redis.info.replication.master.sync.left_bytes`**
+:   Number of bytes left before syncing is complete
+
+type: long
+
+format: bytes
+
+
+**`redis.info.replication.master.sync.last_io_seconds_ago`**
+:   Number of seconds since last transfer I/O during a SYNC operation
+
+type: long
+
+format: duration
+
+
+**`redis.info.replication.slave.offset`**
+:   The replication offset of the slave instance
+
+type: long
+
+
+**`redis.info.replication.slave.priority`**
+:   The priority of the instance as a candidate for failover
+
+type: long
+
+
+**`redis.info.replication.slave.is_readonly`**
+:   Flag indicating if the slave is read-only
+
+type: boolean
+
+
+
+## server [_server_9]
+
+Server info
+
+**`redis.info.server.version`**
+:   None
+
+type: alias
+
+alias to: service.version
+
+
+**`redis.info.server.git_sha1`**
+:   None
+
+type: keyword
+
+
+**`redis.info.server.git_dirty`**
+:   None
+
+type: keyword
+
+
+**`redis.info.server.build_id`**
+:   None
+
+type: keyword
+
+
+**`redis.info.server.mode`**
+:   None
+
+type: keyword
+
+
+**`redis.info.server.os`**
+:   None
+
+type: alias
+
+alias to: os.full
+
+
+**`redis.info.server.arch_bits`**
+:   None
+
+type: keyword
+
+
+**`redis.info.server.multiplexing_api`**
+:   None
+
+type: keyword
+
+
+**`redis.info.server.gcc_version`**
+:   None
+
+type: keyword
+
+
+**`redis.info.server.process_id`**
+:   None
+
+type: alias
+
+alias to: process.pid
+
+
+**`redis.info.server.run_id`**
+:   None
+
+type: keyword
+
+
+**`redis.info.server.tcp_port`**
+:   None
+
+type: long
+
+
+**`redis.info.server.uptime`**
+:   None
+
+type: long
+
+
+**`redis.info.server.hz`**
+:   None
+
+type: long
+
+
+**`redis.info.server.lru_clock`**
+:   None
+
+type: long
+
+
+**`redis.info.server.config_file`**
+:   None
+
+type: keyword
+
+
+
+## stats [_stats_10]
+
+Redis stats.
+
+**`redis.info.stats.connections.received`**
+:   Total number of connections received.
+
+type: long
+
+
+**`redis.info.stats.connections.rejected`**
+:   Total number of connections rejected.
+
+type: long
+
+
+**`redis.info.stats.commands_processed`**
+:   Total number of commands processed.
+
+type: long
+
+
+**`redis.info.stats.net.input.bytes`**
+:   Total network input in bytes.
+
+type: long
+
+
+**`redis.info.stats.net.output.bytes`**
+:   Total network output in bytes.
+
+type: long
+
+
+**`redis.info.stats.instantaneous.ops_per_sec`**
+:   Number of commands processed per second
+
+type: long
+
+
+**`redis.info.stats.instantaneous.input_kbps`**
+:   The network’s read rate per second in KB/sec
+
+type: scaled_float
+
+
+**`redis.info.stats.instantaneous.output_kbps`**
+:   The network’s write rate per second in KB/sec
+
+type: scaled_float
+
+
+**`redis.info.stats.sync.full`**
+:   The number of full resyncs with slaves
+
+type: long
+
+
+**`redis.info.stats.sync.partial.ok`**
+:   The number of accepted partial resync requests
+
+type: long
+
+
+**`redis.info.stats.sync.partial.err`**
+:   The number of denied partial resync requests
+
+type: long
+
+
+**`redis.info.stats.keys.expired`**
+:   Total number of key expiration events
+
+type: long
+
+
+**`redis.info.stats.keys.evicted`**
+:   Number of evicted keys due to maxmemory limit
+
+type: long
+
+
+**`redis.info.stats.keyspace.hits`**
+:   Number of successful lookup of keys in the main dictionary
+
+type: long
+
+
+**`redis.info.stats.keyspace.misses`**
+:   Number of failed lookup of keys in the main dictionary
+
+type: long
+
+
+**`redis.info.stats.pubsub.channels`**
+:   Global number of pub/sub channels with client subscriptions
+
+type: long
+
+
+**`redis.info.stats.pubsub.patterns`**
+:   Global number of pub/sub pattern with client subscriptions
+
+type: long
+
+
+**`redis.info.stats.latest_fork_usec`**
+:   Duration of the latest fork operation in microseconds
+
+type: long
+
+
+**`redis.info.stats.migrate_cached_sockets`**
+:   The number of sockets open for MIGRATE purposes
+
+type: long
+
+
+**`redis.info.stats.slave_expires_tracked_keys`**
+:   The number of keys tracked for expiry purposes (applicable only to writable slaves)
+
+type: long
+
+
+**`redis.info.stats.active_defrag.hits`**
+:   Number of value reallocations performed by active the defragmentation process
+
+type: long
+
+
+**`redis.info.stats.active_defrag.misses`**
+:   Number of aborted value reallocations started by the active defragmentation process
+
+type: long
+
+
+**`redis.info.stats.active_defrag.key_hits`**
+:   Number of keys that were actively defragmented
+
+type: long
+
+
+**`redis.info.stats.active_defrag.key_misses`**
+:   Number of keys that were skipped by the active defragmentation process
+
+type: long
+
+
+**`redis.info.slowlog.count`**
+:   Count of slow operations
+
+type: long
+
+
+
+## commandstats [_commandstats]
+
+Redis command statistics
+
+**`redis.info.commandstats.*.calls`**
+:   The number of calls that reached command execution (not rejected).
+
+type: long
+
+
+**`redis.info.commandstats.*.usec`**
+:   The total CPU time consumed by these commands.
+
+type: long
+
+
+**`redis.info.commandstats.*.usec_per_call`**
+:   The average CPU consumed per command execution.
+
+type: float
+
+
+**`redis.info.commandstats.*.rejected_calls`**
+:   The number of rejected calls (on redis 6.2-rc2).
+
+type: long
+
+
+**`redis.info.commandstats.*.failed_calls`**
+:   The number of failed calls (on redis 6.2-rc2).
+
+type: long
+
+
+
+## key [_key_2]
+
+`key` contains information about keys.
+
+**`redis.key.name`**
+:   Key name.
+
+type: keyword
+
+
+**`redis.key.id`**
+:   Unique id for this key (With the form <keyspace>:<name>).
+
+type: keyword
+
+
+**`redis.key.type`**
+:   Key type as shown by `TYPE` command.
+
+type: keyword
+
+
+**`redis.key.length`**
+:   Length of the key (Number of elements for lists, length for strings, cardinality for sets).
+
+type: long
+
+
+**`redis.key.expire.ttl`**
+:   Seconds to expire.
+
+type: long
+
+
+
+## keyspace [_keyspace]
+
+`keyspace` contains the information about the keyspaces returned by the `INFO` command.
+
+**`redis.keyspace.id`**
+:   Keyspace identifier.
+
+type: keyword
+
+
+**`redis.keyspace.avg_ttl`**
+:   Average ttl.
+
+type: long
+
+
+**`redis.keyspace.keys`**
+:   Number of keys in the keyspace.
+
+type: long
+
+
+**`redis.keyspace.expires`**
+:   type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-redisenterprise.md b/docs/reference/metricbeat/exported-fields-redisenterprise.md
new file mode 100644
index 000000000000..a131fb0cefc3
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-redisenterprise.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-redisenterprise.html
+---
+
+# Redis Enterprise fields [exported-fields-redisenterprise]
+
+Redis metrics collected from Redis Enterprise Server.
+
+
+## redisenterprise [_redisenterprise]
+
+`redisenterprise` contains the information and statistics from Redis Enterprise Server.
+
diff --git a/docs/reference/metricbeat/exported-fields-sql.md b/docs/reference/metricbeat/exported-fields-sql.md
new file mode 100644
index 000000000000..f8a2f5955faa
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-sql.md
@@ -0,0 +1,39 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-sql.html
+---
+
+# SQL fields [exported-fields-sql]
+
+SQL module fetches metrics from a SQL database
+
+**`sql.driver`**
+:   Driver used to execute the query.
+
+type: keyword
+
+
+**`sql.query`**
+:   Query executed to collect metrics.
+
+type: keyword
+
+
+**`sql.metrics.numeric.*`**
+:   Numeric metrics collected.
+
+type: object
+
+
+**`sql.metrics.string.*`**
+:   Non-numeric values collected.
+
+type: object
+
+
+**`sql.metrics.boolean.*`**
+:   Boolean values collected.
+
+type: object
+
+
diff --git a/docs/reference/metricbeat/exported-fields-stan.md b/docs/reference/metricbeat/exported-fields-stan.md
new file mode 100644
index 000000000000..d698ba934d31
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-stan.md
@@ -0,0 +1,161 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-stan.html
+---
+
+# Stan fields [exported-fields-stan]
+
+stan Module
+
+
+## stan [_stan]
+
+`stan` contains statistics that were read from Nats Streaming server (STAN)
+
+**`stan.server.id`**
+:   The server ID
+
+type: keyword
+
+
+**`stan.cluster.id`**
+:   The cluster ID
+
+type: keyword
+
+
+
+## channels [_channels]
+
+Contains stan / nats streaming/serverz endpoint metrics
+
+**`stan.channels.name`**
+:   The name of the STAN streaming channel
+
+type: keyword
+
+
+**`stan.channels.messages`**
+:   The number of STAN streaming messages
+
+type: long
+
+
+**`stan.channels.bytes`**
+:   The number of STAN bytes in the channel
+
+type: long
+
+
+**`stan.channels.first_seq`**
+:   First sequence number stored in the channel. If first_seq > min([seq in subscriptions]) data loss has possibly occurred
+
+type: long
+
+
+**`stan.channels.last_seq`**
+:   Last sequence number stored in the channel
+
+type: long
+
+
+**`stan.channels.depth`**
+:   Queue depth based upon current sequence number and highest reported subscriber sequence number
+
+type: long
+
+
+
+## stats [_stats_11]
+
+Contains only high-level stan / nats streaming server related metrics
+
+**`stan.stats.state`**
+:   The cluster / streaming configuration state (STANDALONE, CLUSTERED)
+
+type: keyword
+
+
+**`stan.stats.role`**
+:   If clustered, role of this node in the cluster (Leader, Follower, Candidate)
+
+type: keyword
+
+
+**`stan.stats.clients`**
+:   The number of STAN clients
+
+type: integer
+
+
+**`stan.stats.subscriptions`**
+:   The number of STAN streaming subscriptions
+
+type: integer
+
+
+**`stan.stats.channels`**
+:   The number of STAN channels
+
+type: integer
+
+
+**`stan.stats.messages`**
+:   Number of messages across all STAN queues
+
+type: long
+
+
+**`stan.stats.bytes`**
+:   Number of bytes consumed across all STAN queues
+
+type: long
+
+
+
+## subscriptions [_subscriptions_2]
+
+Contains stan / nats streaming/serverz endpoint subscription metrics
+
+**`stan.subscriptions.id`**
+:   The name of the STAN channel subscription (client_id)
+
+type: keyword
+
+
+**`stan.subscriptions.channel`**
+:   The name of the STAN channel the subscription is associated with
+
+type: keyword
+
+
+**`stan.subscriptions.queue`**
+:   The name of the NATS queue that the STAN channel subscription is associated with, if any
+
+type: keyword
+
+
+**`stan.subscriptions.last_sent`**
+:   Last known sequence number of the subscription that was acked
+
+type: long
+
+
+**`stan.subscriptions.pending`**
+:   Number of pending messages from / to the subscriber
+
+type: long
+
+
+**`stan.subscriptions.offline`**
+:   Is the subscriber marked as offline?
+
+type: boolean
+
+
+**`stan.subscriptions.stalled`**
+:   Is the subscriber known to be stalled?
+
+type: boolean
+
+
diff --git a/docs/reference/metricbeat/exported-fields-statsd.md b/docs/reference/metricbeat/exported-fields-statsd.md
new file mode 100644
index 000000000000..1cf413573f8a
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-statsd.md
@@ -0,0 +1,21 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-statsd.html
+---
+
+# Statsd fields [exported-fields-statsd]
+
+Statsd module
+
+**`statsd.*.count`**
+:   Statsd counters
+
+type: object
+
+
+**`statsd.*.*`**
+:   Statsd metrics
+
+type: object
+
+
diff --git a/docs/reference/metricbeat/exported-fields-syncgateway.md b/docs/reference/metricbeat/exported-fields-syncgateway.md
new file mode 100644
index 000000000000..888b51e8c734
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-syncgateway.md
@@ -0,0 +1,671 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-syncgateway.html
+---
+
+# SyncGateway fields [exported-fields-syncgateway]
+
+SyncGateway metrics
+
+
+## syncgateway [_syncgateway]
+
+`syncgateway` contains the information and statistics from SyncGateway.
+
+
+## syncgateway [_syncgateway_2]
+
+Couchbase Sync Gateway metrics.
+
+**`syncgateway.syncgateway.name`**
+:   Name of the database on when field `couchbase.syncgateway.type` is `db_stats`.
+
+type: keyword
+
+
+
+## metrics [_metrics_10]
+
+Metrics of all databases contained in the config file of the SyncGateway instance.
+
+**`syncgateway.syncgateway.metrics.docs.writes.conflict.count`**
+:   type: long
+
+
+**`syncgateway.syncgateway.metrics.docs.writes.count`**
+:   type: long
+
+
+**`syncgateway.syncgateway.metrics.docs.writes.bytes`**
+:   type: long
+
+
+**`syncgateway.syncgateway.metrics.replications.active`**
+:   Number of active replications
+
+type: long
+
+
+**`syncgateway.syncgateway.metrics.replications.total`**
+:   Total number of replications (active or not)
+
+type: long
+
+
+**`syncgateway.syncgateway.gsi.views.tombstones.query.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.tombstones.query.time`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.tombstones.query.error.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.access.query.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.access.query.error.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.access.query.time`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.channels.query.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.channels.query.error.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.channels.query.time`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.channels.star.query.time`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.channels.star.query.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.channels.star.query.error.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.role_access.query.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.role_access.query.error.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.role_access.query.time`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.sequences.query.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.sequences.query.error.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.sequences.query.time`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.all_docs.query.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.all_docs.query.error.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.all_docs.query.time`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.principals.query.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.principals.query.error.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.principals.query.time`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.resync.query.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.resync.query.error.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.resync.query.time`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.sessions.query.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.sessions.query.error.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.gsi.views.sessions.query.time`**
+:   type: double
+
+
+**`syncgateway.syncgateway.security.access_errors.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.security.auth.failed.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.security.docs_rejected.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cache.channel.revs.active`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cache.channel.revs.removal`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cache.channel.revs.tombstone`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cache.channel.hits`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cache.channel.misses`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cache.revs.hits`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cache.revs.misses`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.pull.caught_up`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.pull.since_zero`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.pull.total.continuous`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.pull.total.one_shot`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.pull.active.continuous`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.pull.active.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.pull.active.one_shot`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.pull.attachment.bytes`**
+:   type: long
+
+
+**`syncgateway.syncgateway.cbl.replication.pull.attachment.count`**
+:   type: long
+
+
+**`syncgateway.syncgateway.cbl.replication.pull.request_changes.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.pull.request_changes.time`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.pull.rev.processing_time`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.pull.rev.send.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.pull.rev.send.latency`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.push.attachment.bytes`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.push.attachment.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.push.doc_push_count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.push.propose_change.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.push.propose_change.time`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.push.sync_function.count`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.push.sync_function.time`**
+:   type: double
+
+
+**`syncgateway.syncgateway.cbl.replication.push.write_processing_time`**
+:   type: double
+
+
+
+## memstats [_memstats]
+
+Dumps a large amount of information about the memory heap and garbage collector
+
+**`syncgateway.syncgateway.memstats.BuckHashSys`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.Mallocs`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.PauseTotalNs`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.TotalAlloc`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.Alloc`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.GCSys`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.LastGC`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.MSpanSys`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.GCCPUFraction`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.HeapReleased`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.HeapSys`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.DebugGC`**
+:   type: long
+
+
+**`syncgateway.syncgateway.memstats.HeapIdle`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.Lookups`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.HeapObjects`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.MSpanInuse`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.NumForcedGC`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.OtherSys`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.Frees`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.NextGC`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.StackInuse`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.Sys`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.NumGC`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.EnableGC`**
+:   type: long
+
+
+**`syncgateway.syncgateway.memstats.HeapAlloc`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.MCacheInuse`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.MCacheSys`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.HeapInuse`**
+:   type: double
+
+
+**`syncgateway.syncgateway.memstats.StackSys`**
+:   type: double
+
+
+
+## memory [_memory_11]
+
+SyncGateway memory metrics. It dumps a large amount of information about the memory heap and garbage collector
+
+**`syncgateway.memory.BuckHashSys`**
+:   type: double
+
+
+**`syncgateway.memory.Mallocs`**
+:   type: double
+
+
+**`syncgateway.memory.PauseTotalNs`**
+:   type: double
+
+
+**`syncgateway.memory.TotalAlloc`**
+:   type: double
+
+
+**`syncgateway.memory.Alloc`**
+:   type: double
+
+
+**`syncgateway.memory.GCSys`**
+:   type: double
+
+
+**`syncgateway.memory.LastGC`**
+:   type: double
+
+
+**`syncgateway.memory.MSpanSys`**
+:   type: double
+
+
+**`syncgateway.memory.GCCPUFraction`**
+:   type: double
+
+
+**`syncgateway.memory.HeapReleased`**
+:   type: double
+
+
+**`syncgateway.memory.HeapSys`**
+:   type: double
+
+
+**`syncgateway.memory.DebugGC`**
+:   type: long
+
+
+**`syncgateway.memory.HeapIdle`**
+:   type: double
+
+
+**`syncgateway.memory.Lookups`**
+:   type: double
+
+
+**`syncgateway.memory.HeapObjects`**
+:   type: double
+
+
+**`syncgateway.memory.MSpanInuse`**
+:   type: double
+
+
+**`syncgateway.memory.NumForcedGC`**
+:   type: double
+
+
+**`syncgateway.memory.OtherSys`**
+:   type: double
+
+
+**`syncgateway.memory.Frees`**
+:   type: double
+
+
+**`syncgateway.memory.NextGC`**
+:   type: double
+
+
+**`syncgateway.memory.StackInuse`**
+:   type: double
+
+
+**`syncgateway.memory.Sys`**
+:   type: double
+
+
+**`syncgateway.memory.NumGC`**
+:   type: double
+
+
+**`syncgateway.memory.EnableGC`**
+:   type: long
+
+
+**`syncgateway.memory.HeapAlloc`**
+:   type: double
+
+
+**`syncgateway.memory.MCacheInuse`**
+:   type: double
+
+
+**`syncgateway.memory.MCacheSys`**
+:   type: double
+
+
+**`syncgateway.memory.HeapInuse`**
+:   type: double
+
+
+**`syncgateway.memory.StackSys`**
+:   type: double
+
+
+
+## replication [_replication_3]
+
+SyncGateway per replication metrics.
+
+
+## metrics [_metrics_11]
+
+Metrics related with data replication.
+
+**`syncgateway.replication.metrics.attachment.transferred.bytes`**
+:   Number of attachment bytes transferred for this replica.
+
+type: long
+
+
+**`syncgateway.replication.metrics.attachment.transferred.count`**
+:   The total number of attachments transferred since replication started.
+
+type: long
+
+
+**`syncgateway.replication.metrics.docs.checked_sent`**
+:   The total number of documents checked for changes since replication started.
+
+type: double
+
+
+**`syncgateway.replication.metrics.docs.pushed.count`**
+:   The total number of documents checked for changes since replication started.
+
+type: long
+
+
+**`syncgateway.replication.metrics.docs.pushed.failed`**
+:   The total number of documents that failed to be pushed since replication started.
+
+type: long
+
+
+**`syncgateway.replication.id`**
+:   ID of the replica.
+
+type: keyword
+
+
+
+## resources [_resources]
+
+SyncGateway global resource utilization
+
+**`syncgateway.resources.error_count`**
+:   type: long
+
+
+**`syncgateway.resources.goroutines_high_watermark`**
+:   type: long
+
+
+**`syncgateway.resources.num_goroutines`**
+:   type: long
+
+
+**`syncgateway.resources.process.cpu_percent_utilization`**
+:   type: long
+
+
+**`syncgateway.resources.process.memory_resident`**
+:   type: long
+
+
+**`syncgateway.resources.pub_net.recv.bytes`**
+:   type: long
+
+
+**`syncgateway.resources.pub_net.sent.bytes`**
+:   type: long
+
+
+**`syncgateway.resources.admin_net_bytes.recv`**
+:   type: long
+
+
+**`syncgateway.resources.admin_net_bytes.sent`**
+:   type: long
+
+
+**`syncgateway.resources.go_memstats.heap.alloc`**
+:   type: long
+
+
+**`syncgateway.resources.go_memstats.heap.idle`**
+:   type: long
+
+
+**`syncgateway.resources.go_memstats.heap.inuse`**
+:   type: long
+
+
+**`syncgateway.resources.go_memstats.heap.released`**
+:   type: long
+
+
+**`syncgateway.resources.go_memstats.pause.ns`**
+:   type: long
+
+
+**`syncgateway.resources.go_memstats.stack.inuse`**
+:   type: long
+
+
+**`syncgateway.resources.go_memstats.stack.sys`**
+:   type: long
+
+
+**`syncgateway.resources.go_memstats.sys`**
+:   type: long
+
+
+**`syncgateway.resources.system_memory_total`**
+:   type: long
+
+
+**`syncgateway.resources.warn_count`**
+:   type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-system.md b/docs/reference/metricbeat/exported-fields-system.md
new file mode 100644
index 000000000000..a5045b932fb5
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-system.md
@@ -0,0 +1,2547 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-system.html
+---
+
+# System fields [exported-fields-system]
+
+System status metrics, like CPU and memory usage, that are collected from the operating system.
+
+
+## process [_process_8]
+
+Process metrics.
+
+**`process.state`**
+:   The process state. For example: "running".
+
+type: keyword
+
+
+**`process.cpu.pct`**
+:   The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
+
+type: scaled_float
+
+format: percent
+
+
+**`process.cpu.start_time`**
+:   The time when the process was started.
+
+type: date
+
+
+**`process.memory.pct`**
+:   The percentage of memory the process occupied in main memory (RAM).
+
+type: scaled_float
+
+format: percent
+
+
+
+## system [_system_4]
+
+`system` contains local system metrics.
+
+
+## core [_core_2]
+
+`system-core` contains CPU metrics for a single core of a multi-core system.
+
+**`system.core.id`**
+:   CPU Core number.
+
+type: long
+
+
+**`system.core.total.pct`**
+:   Total active time spent by the core
+
+type: scaled_float
+
+format: percent
+
+
+**`system.core.user.pct`**
+:   The percentage of CPU time spent in user space.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.core.user.ticks`**
+:   The amount of CPU time spent in user space.
+
+type: long
+
+
+**`system.core.system.pct`**
+:   The percentage of CPU time spent in kernel space.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.core.system.ticks`**
+:   The amount of CPU time spent in kernel space.
+
+type: long
+
+
+**`system.core.nice.pct`**
+:   The percentage of CPU time spent on low-priority processes.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.core.nice.ticks`**
+:   The amount of CPU time spent on low-priority processes.
+
+type: long
+
+
+**`system.core.idle.pct`**
+:   The percentage of CPU time spent idle.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.core.idle.ticks`**
+:   The amount of CPU time spent idle.
+
+type: long
+
+
+**`system.core.iowait.pct`**
+:   The percentage of CPU time spent in wait (on disk).
+
+type: scaled_float
+
+format: percent
+
+
+**`system.core.iowait.ticks`**
+:   The amount of CPU time spent in wait (on disk).
+
+type: long
+
+
+**`system.core.irq.pct`**
+:   The percentage of CPU time spent servicing and handling hardware interrupts.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.core.irq.ticks`**
+:   The amount of CPU time spent servicing and handling hardware interrupts.
+
+type: long
+
+
+**`system.core.softirq.pct`**
+:   The percentage of CPU time spent servicing and handling software interrupts.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.core.softirq.ticks`**
+:   The amount of CPU time spent servicing and handling software interrupts.
+
+type: long
+
+
+**`system.core.steal.pct`**
+:   The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.core.steal.ticks`**
+:   The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
+
+type: long
+
+
+**`system.core.model_number`**
+:   CPU model number. Only availabe on Linux
+
+type: keyword
+
+
+**`system.core.model_name`**
+:   CPU model name. Only availabe on Linux
+
+type: keyword
+
+
+**`system.core.mhz`**
+:   CPU core current clock. Only availabe on Linux
+
+type: float
+
+
+**`system.core.core_id`**
+:   CPU physical core ID. One core might might execute multiple threads, hence more than one `system.core.id` can share the same `system.core.core_id`. Only availabe on Linux
+
+type: keyword
+
+
+**`system.core.physical_id`**
+:   CPU core physical ID. Only availabe on Linux
+
+type: keyword
+
+
+
+## cpu [_cpu_11]
+
+`cpu` contains local CPU stats.
+
+**`system.cpu.cores`**
+:   The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%.
+
+type: long
+
+
+**`system.cpu.user.pct`**
+:   The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.system.pct`**
+:   The percentage of CPU time spent in kernel space.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.nice.pct`**
+:   The percentage of CPU time spent on low-priority processes.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.idle.pct`**
+:   The percentage of CPU time spent idle.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.iowait.pct`**
+:   The percentage of CPU time spent in wait (on disk).
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.irq.pct`**
+:   The percentage of CPU time spent servicing and handling hardware interrupts.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.softirq.pct`**
+:   The percentage of CPU time spent servicing and handling software interrupts.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.steal.pct`**
+:   The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.total.pct`**
+:   The percentage of CPU time spent in states other than Idle and IOWait.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.user.norm.pct`**
+:   The percentage of CPU time spent in user space.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.system.norm.pct`**
+:   The percentage of CPU time spent in kernel space.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.nice.norm.pct`**
+:   The percentage of CPU time spent on low-priority processes.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.idle.norm.pct`**
+:   The percentage of CPU time spent idle.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.iowait.norm.pct`**
+:   The percentage of CPU time spent in wait (on disk).
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.irq.norm.pct`**
+:   The percentage of CPU time spent servicing and handling hardware interrupts.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.softirq.norm.pct`**
+:   The percentage of CPU time spent servicing and handling software interrupts.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.steal.norm.pct`**
+:   The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.total.norm.pct`**
+:   The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.cpu.user.ticks`**
+:   The amount of CPU time spent in user space.
+
+type: long
+
+
+**`system.cpu.system.ticks`**
+:   The amount of CPU time spent in kernel space.
+
+type: long
+
+
+**`system.cpu.nice.ticks`**
+:   The amount of CPU time spent on low-priority processes.
+
+type: long
+
+
+**`system.cpu.idle.ticks`**
+:   The amount of CPU time spent idle.
+
+type: long
+
+
+**`system.cpu.iowait.ticks`**
+:   The amount of CPU time spent in wait (on disk).
+
+type: long
+
+
+**`system.cpu.irq.ticks`**
+:   The amount of CPU time spent servicing and handling hardware interrupts.
+
+type: long
+
+
+**`system.cpu.softirq.ticks`**
+:   The amount of CPU time spent servicing and handling software interrupts.
+
+type: long
+
+
+**`system.cpu.steal.ticks`**
+:   The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
+
+type: long
+
+
+
+## diskio [_diskio_4]
+
+`disk` contains disk IO metrics collected from the operating system.
+
+**`system.diskio.name`**
+:   The disk name.
+
+type: keyword
+
+example: sda1
+
+
+**`system.diskio.serial_number`**
+:   The disk’s serial number. This may not be provided by all operating systems.
+
+type: keyword
+
+
+**`system.diskio.read.count`**
+:   The total number of reads completed successfully.
+
+type: long
+
+
+**`system.diskio.write.count`**
+:   The total number of writes completed successfully.
+
+type: long
+
+
+**`system.diskio.read.bytes`**
+:   The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512.
+
+type: long
+
+format: bytes
+
+
+**`system.diskio.write.bytes`**
+:   The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512.
+
+type: long
+
+format: bytes
+
+
+**`system.diskio.read.time`**
+:   The total number of milliseconds spent by all reads.
+
+type: long
+
+
+**`system.diskio.write.time`**
+:   The total number of milliseconds spent by all writes.
+
+type: long
+
+
+**`system.diskio.io.time`**
+:   The total number of of milliseconds spent doing I/Os.
+
+type: long
+
+
+**`system.diskio.io.ops`**
+:   The total number of I/Os in progress.
+
+type: long
+
+
+
+## entropy [_entropy_2]
+
+Available system entropy
+
+**`system.entropy.available_bits`**
+:   The available bits of entropy
+
+type: long
+
+
+**`system.entropy.pct`**
+:   The percentage of available entropy, relative to the pool size of 4096
+
+type: scaled_float
+
+format: percent
+
+
+
+## filesystem [_filesystem_3]
+
+`filesystem` contains local filesystem stats.
+
+**`system.filesystem.available`**
+:   The disk space available to an unprivileged user in bytes.
+
+type: long
+
+format: bytes
+
+
+**`system.filesystem.device_name`**
+:   The disk name. For example: `/dev/disk1`
+
+type: keyword
+
+
+**`system.filesystem.type`**
+:   The disk type. For example: `ext4`. In some case for Windows OS the value will be `unavailable` as access to this information is not allowed (ex. external disks).
+
+type: keyword
+
+
+**`system.filesystem.mount_point`**
+:   The mounting point. For example: `/`
+
+type: keyword
+
+
+**`system.filesystem.files`**
+:   Total number of inodes on the system, which will be a combination of files, folders, symlinks, and devices.
+
+type: long
+
+
+**`system.filesystem.options`**
+:   The options present on the filesystem mount.
+
+type: keyword
+
+
+**`system.filesystem.free`**
+:   The disk space available in bytes.
+
+type: long
+
+format: bytes
+
+
+**`system.filesystem.free_files`**
+:   The number of free inodes in the file system.
+
+type: long
+
+
+**`system.filesystem.total`**
+:   The total disk space in bytes.
+
+type: long
+
+format: bytes
+
+
+**`system.filesystem.used.bytes`**
+:   The used disk space in bytes.
+
+type: long
+
+format: bytes
+
+
+**`system.filesystem.used.pct`**
+:   The percentage of used disk space.
+
+type: scaled_float
+
+format: percent
+
+
+
+## fsstat [_fsstat_2]
+
+`system.fsstat` contains filesystem metrics aggregated from all mounted filesystems.
+
+**`system.fsstat.count`**
+:   Number of file systems found.
+
+type: long
+
+
+**`system.fsstat.total_files`**
+:   Total number of inodes on the system, which will be a combination of files, folders, symlinks, and devices. Not on Windows.
+
+type: long
+
+
+
+## total_size [_total_size_2]
+
+Nested file system docs.
+
+**`system.fsstat.total_size.free`**
+:   Total free space.
+
+type: long
+
+format: bytes
+
+
+**`system.fsstat.total_size.used`**
+:   Total used space.
+
+type: long
+
+format: bytes
+
+
+**`system.fsstat.total_size.total`**
+:   Total space (used plus free).
+
+type: long
+
+format: bytes
+
+
+
+## load [_load_3]
+
+CPU load averages.
+
+**`system.load.1`**
+:   Load average for the last minute.
+
+type: scaled_float
+
+
+**`system.load.5`**
+:   Load average for the last 5 minutes.
+
+type: scaled_float
+
+
+**`system.load.15`**
+:   Load average for the last 15 minutes.
+
+type: scaled_float
+
+
+**`system.load.norm.1`**
+:   Load for the last minute divided by the number of cores.
+
+type: scaled_float
+
+
+**`system.load.norm.5`**
+:   Load for the last 5 minutes divided by the number of cores.
+
+type: scaled_float
+
+
+**`system.load.norm.15`**
+:   Load for the last 15 minutes divided by the number of cores.
+
+type: scaled_float
+
+
+**`system.load.cores`**
+:   The number of CPU cores present on the host.
+
+type: long
+
+
+
+## memory [_memory_12]
+
+`memory` contains local memory stats.
+
+**`system.memory.total`**
+:   Total memory.
+
+type: long
+
+format: bytes
+
+
+**`system.memory.used.bytes`**
+:   Used memory.
+
+type: long
+
+format: bytes
+
+
+**`system.memory.free`**
+:   The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free).
+
+type: long
+
+format: bytes
+
+
+**`system.memory.cached`**
+:   Total Cached memory on system.
+
+type: long
+
+format: bytes
+
+
+**`system.memory.used.pct`**
+:   The percentage of used memory.
+
+type: scaled_float
+
+format: percent
+
+
+
+## actual [_actual]
+
+Actual memory used and free.
+
+**`system.memory.actual.used.bytes`**
+:   Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`.
+
+type: long
+
+format: bytes
+
+
+**`system.memory.actual.free`**
+:   Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo,  or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`.
+
+type: long
+
+format: bytes
+
+
+**`system.memory.actual.used.pct`**
+:   The percentage of actual used memory.
+
+type: scaled_float
+
+format: percent
+
+
+
+## swap [_swap_3]
+
+This group contains statistics related to the swap memory usage on the system.
+
+**`system.memory.swap.total`**
+:   Total swap memory.
+
+type: long
+
+format: bytes
+
+
+**`system.memory.swap.used.bytes`**
+:   Used swap memory.
+
+type: long
+
+format: bytes
+
+
+**`system.memory.swap.free`**
+:   Available swap memory.
+
+type: long
+
+format: bytes
+
+
+**`system.memory.swap.used.pct`**
+:   The percentage of used swap memory.
+
+type: scaled_float
+
+format: percent
+
+
+
+## network [_network_10]
+
+`network` contains network IO metrics for a single network interface.
+
+**`system.network.name`**
+:   The network interface name.
+
+type: keyword
+
+example: eth0
+
+
+**`system.network.out.bytes`**
+:   The number of bytes sent.
+
+type: long
+
+format: bytes
+
+
+**`system.network.in.bytes`**
+:   The number of bytes received.
+
+type: long
+
+format: bytes
+
+
+**`system.network.out.packets`**
+:   The number of packets sent.
+
+type: long
+
+
+**`system.network.in.packets`**
+:   The number or packets received.
+
+type: long
+
+
+**`system.network.in.errors`**
+:   The number of errors while receiving.
+
+type: long
+
+
+**`system.network.out.errors`**
+:   The number of errors while sending.
+
+type: long
+
+
+**`system.network.in.dropped`**
+:   The number of incoming packets that were dropped.
+
+type: long
+
+
+**`system.network.out.dropped`**
+:   The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system.
+
+type: long
+
+
+
+## network_summary [_network_summary_2]
+
+Metrics relating to global network activity
+
+**`system.network_summary.ip.*`**
+:   IP counters
+
+type: object
+
+
+**`system.network_summary.tcp.*`**
+:   TCP counters
+
+type: object
+
+
+**`system.network_summary.udp.*`**
+:   UDP counters
+
+type: object
+
+
+**`system.network_summary.udp_lite.*`**
+:   UDP Lite counters
+
+type: object
+
+
+**`system.network_summary.icmp.*`**
+:   ICMP counters
+
+type: object
+
+
+
+## process [_process_9]
+
+`process` contains process metadata, CPU metrics, and memory metrics.
+
+**`system.process.name`**
+:   type: alias
+
+alias to: process.name
+
+
+**`system.process.state`**
+:   The process state. For example: "running".
+
+type: keyword
+
+
+**`system.process.pid`**
+:   type: alias
+
+alias to: process.pid
+
+
+**`system.process.ppid`**
+:   type: alias
+
+alias to: process.parent.pid
+
+
+**`system.process.pgid`**
+:   type: alias
+
+alias to: process.pgid
+
+
+**`system.process.num_threads`**
+:   Number of threads in the process
+
+type: integer
+
+
+**`system.process.cmdline`**
+:   The full command-line used to start the process, including the arguments separated by space.
+
+type: keyword
+
+
+**`system.process.username`**
+:   type: alias
+
+alias to: user.name
+
+
+**`system.process.cwd`**
+:   type: alias
+
+alias to: process.working_directory
+
+
+**`system.process.env`**
+:   The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X.
+
+type: object
+
+
+
+## cpu [_cpu_12]
+
+CPU-specific statistics per process.
+
+**`system.process.cpu.user.ticks`**
+:   The amount of CPU time the process spent in user space.
+
+type: long
+
+
+**`system.process.cpu.total.value`**
+:   The value of CPU usage since starting the process.
+
+type: long
+
+
+**`system.process.cpu.total.pct`**
+:   The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.process.cpu.total.norm.pct`**
+:   The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%.
+
+type: scaled_float
+
+format: percent
+
+
+**`system.process.cpu.system.ticks`**
+:   The amount of CPU time the process spent in kernel space.
+
+type: long
+
+
+**`system.process.cpu.total.ticks`**
+:   The total CPU time spent by the process.
+
+type: long
+
+
+**`system.process.cpu.start_time`**
+:   The time when the process was started.
+
+type: date
+
+
+
+## memory [_memory_13]
+
+Memory-specific statistics per process.
+
+**`system.process.memory.size`**
+:   The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process.
+
+type: long
+
+format: bytes
+
+
+**`system.process.memory.rss.bytes`**
+:   The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`system.process.memory.rss.pct`**
+:   The percentage of memory the process occupied in main memory (RAM).
+
+type: scaled_float
+
+format: percent
+
+
+**`system.process.memory.share`**
+:   The shared memory the process uses.
+
+type: long
+
+format: bytes
+
+
+
+## io [_io]
+
+Disk I/O Metrics, as forwarded from /proc/[PID]/io. Available on Linux only.
+
+**`system.process.io.cancelled_write_bytes`**
+:   The number of bytes this process cancelled, or caused not to be written.
+
+type: long
+
+
+**`system.process.io.read_bytes`**
+:   The number of bytes fetched from the storage layer.
+
+type: long
+
+
+**`system.process.io.write_bytes`**
+:   The number of bytes written to the storage layer.
+
+type: long
+
+
+**`system.process.io.read_char`**
+:   The number of bytes read from read(2) and similar syscalls.
+
+type: long
+
+
+**`system.process.io.write_char`**
+:   The number of bytes sent to syscalls for writing.
+
+type: long
+
+
+**`system.process.io.read_ops`**
+:   The count of read-related syscalls.
+
+type: long
+
+
+**`system.process.io.write_ops`**
+:   The count of write-related syscalls.
+
+type: long
+
+
+
+## fd [_fd]
+
+File descriptor usage metrics. This set of metrics is available for Linux and FreeBSD.
+
+**`system.process.fd.open`**
+:   The number of file descriptors open by the process.
+
+type: long
+
+
+**`system.process.fd.limit.soft`**
+:   The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time.
+
+type: long
+
+
+**`system.process.fd.limit.hard`**
+:   The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root.
+
+type: long
+
+
+
+## cgroup [_cgroup]
+
+Metrics and limits from the cgroup of which the task is a member. cgroup metrics are reported when the process has membership in a non-root cgroup. These metrics are only available on Linux.
+
+**`system.process.cgroup.id`**
+:   The ID common to all cgroups associated with this task. If there isn’t a common ID used by all cgroups this field will be absent.
+
+type: keyword
+
+
+**`system.process.cgroup.path`**
+:   The path to the cgroup relative to the cgroup subsystem’s mountpoint. If there isn’t a common path used by all cgroups this field will be absent.
+
+type: keyword
+
+
+**`system.process.cgroup.cgroups_version`**
+:   The version of cgroups reported for the process
+
+type: long
+
+
+
+## cpu [_cpu_13]
+
+The cpu subsystem schedules CPU access for tasks in the cgroup. Access can be controlled by two separate schedulers, CFS and RT. CFS stands for completely fair scheduler which proportionally divides the CPU time between cgroups based on weight. RT stands for real time scheduler which sets a maximum amount of CPU time that processes in the cgroup can consume during a given period. In CPU under cgroups V2, the cgroup is merged with many of the metrics from cpuacct. In addition, per-scheduler metrics are gone in V2.
+
+**`system.process.cgroup.cpu.id`**
+:   ID of the cgroup.
+
+type: keyword
+
+
+**`system.process.cgroup.cpu.path`**
+:   Path to the cgroup relative to the cgroup subsystem’s mountpoint.
+
+type: keyword
+
+
+
+## stats [_stats_12]
+
+cgroupv2 stats
+
+**`system.process.cgroup.cpu.stats.usage.ns`**
+:   cgroups v2 usage in nanoseconds
+
+type: long
+
+
+**`system.process.cgroup.cpu.stats.usage.pct`**
+:   cgroups v2 usage
+
+type: float
+
+
+**`system.process.cgroup.cpu.stats.usage.norm.pct`**
+:   cgroups v2 normalized usage
+
+type: float
+
+
+**`system.process.cgroup.cpu.stats.user.ns`**
+:   cgroups v2 cpu user time in nanoseconds
+
+type: long
+
+
+**`system.process.cgroup.cpu.stats.user.pct`**
+:   cgroups v2 cpu user time
+
+type: float
+
+
+**`system.process.cgroup.cpu.stats.user.norm.pct`**
+:   cgroups v2 normalized cpu user time
+
+type: float
+
+
+**`system.process.cgroup.cpu.stats.system.ns`**
+:   cgroups v2 system time in nanoseconds
+
+type: long
+
+
+**`system.process.cgroup.cpu.stats.system.pct`**
+:   cgroups v2 system time
+
+type: float
+
+
+**`system.process.cgroup.cpu.stats.system.norm.pct`**
+:   cgroups v2 normalized system time
+
+type: float
+
+
+**`system.process.cgroup.cpu.cfs.period.us`**
+:   Period of time in microseconds for how regularly a cgroup’s access to CPU resources should be reallocated.
+
+type: long
+
+
+**`system.process.cgroup.cpu.cfs.quota.us`**
+:   Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us).
+
+type: long
+
+
+**`system.process.cgroup.cpu.cfs.shares`**
+:   An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher.
+
+type: long
+
+
+**`system.process.cgroup.cpu.rt.period.us`**
+:   Period of time in microseconds for how regularly a cgroup’s access to CPU resources is reallocated.
+
+type: long
+
+
+**`system.process.cgroup.cpu.rt.runtime.us`**
+:   Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.
+
+type: long
+
+
+**`system.process.cgroup.cpu.stats.periods`**
+:   Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed.
+
+type: long
+
+
+**`system.process.cgroup.cpu.stats.throttled.periods`**
+:   Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota).
+
+type: long
+
+
+**`system.process.cgroup.cpu.stats.throttled.us`**
+:   The total time duration (in microseconds) for which tasks in a cgroup have been throttled, as reported by cgroupsv2
+
+type: long
+
+
+**`system.process.cgroup.cpu.stats.throttled.ns`**
+:   The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled.
+
+type: long
+
+
+
+## pressure [_pressure_2]
+
+Pressure (resource contention) stats.
+
+
+## some [_some]
+
+Share of time in which at least some tasks are stalled on a given resource
+
+**`system.process.cgroup.cpu.pressure.some.10.pct`**
+:   Pressure over 10 seconds
+
+type: float
+
+format: percent
+
+
+**`system.process.cgroup.cpu.pressure.some.60.pct`**
+:   Pressure over 60 seconds
+
+type: float
+
+format: percent
+
+
+**`system.process.cgroup.cpu.pressure.some.300.pct`**
+:   Pressure over 300 seconds
+
+type: float
+
+format: percent
+
+
+**`system.process.cgroup.cpu.pressure.some.total`**
+:   total Some pressure time
+
+type: long
+
+format: percent
+
+
+
+## full [_full]
+
+Share of time in which all non-idle tasks are stalled on a given resource simultaneously
+
+**`system.process.cgroup.cpu.pressure.full.10.pct`**
+:   Pressure over 10 seconds
+
+type: float
+
+format: percent
+
+
+**`system.process.cgroup.cpu.pressure.full.60.pct`**
+:   Pressure over 60 seconds
+
+type: float
+
+format: percent
+
+
+**`system.process.cgroup.cpu.pressure.full.300.pct`**
+:   Pressure over 300 seconds
+
+type: float
+
+format: percent
+
+
+**`system.process.cgroup.cpu.pressure.full.total`**
+:   total Full pressure time
+
+type: long
+
+
+
+## cpuacct [_cpuacct]
+
+CPU accounting metrics.
+
+**`system.process.cgroup.cpuacct.id`**
+:   ID of the cgroup.
+
+type: keyword
+
+
+**`system.process.cgroup.cpuacct.path`**
+:   Path to the cgroup relative to the cgroup subsystem’s mountpoint.
+
+type: keyword
+
+
+**`system.process.cgroup.cpuacct.total.ns`**
+:   Total CPU time in nanoseconds consumed by all tasks in the cgroup.
+
+type: long
+
+
+**`system.process.cgroup.cpuacct.total.pct`**
+:   CPU time of the cgroup as a percentage of overall CPU time.
+
+type: scaled_float
+
+
+**`system.process.cgroup.cpuacct.total.norm.pct`**
+:   CPU time of the cgroup as a percentage of overall CPU time, normalized by CPU count. This is functionally an average of time spent across individual CPUs.
+
+type: scaled_float
+
+
+**`system.process.cgroup.cpuacct.stats.user.ns`**
+:   CPU time consumed by tasks in user mode.
+
+type: long
+
+
+**`system.process.cgroup.cpuacct.stats.user.pct`**
+:   time the cgroup spent in user space, as a percentage of total CPU time
+
+type: scaled_float
+
+
+**`system.process.cgroup.cpuacct.stats.user.norm.pct`**
+:   time the cgroup spent in user space, as a percentage of total CPU time, normalized by CPU count.
+
+type: scaled_float
+
+
+**`system.process.cgroup.cpuacct.stats.system.ns`**
+:   CPU time consumed by tasks in user (kernel) mode.
+
+type: long
+
+
+**`system.process.cgroup.cpuacct.stats.system.pct`**
+:   Time the cgroup spent in kernel space, as a percentage of total CPU time
+
+type: scaled_float
+
+
+**`system.process.cgroup.cpuacct.stats.system.norm.pct`**
+:   Time the cgroup spent in kernel space, as a percentage of total CPU time, normalized by CPU count.
+
+type: scaled_float
+
+
+**`system.process.cgroup.cpuacct.percpu`**
+:   CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup.
+
+type: object
+
+
+
+## memory [_memory_14]
+
+Memory limits and metrics.
+
+**`system.process.cgroup.memory.id`**
+:   ID of the cgroup.
+
+type: keyword
+
+
+**`system.process.cgroup.memory.path`**
+:   Path to the cgroup relative to the cgroup subsystem’s mountpoint.
+
+type: keyword
+
+
+**`system.process.cgroup.memory.mem.usage.bytes`**
+:   Total memory usage by processes in the cgroup (in bytes).
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.mem.usage.max.bytes`**
+:   The maximum memory used by processes in the cgroup (in bytes).
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.mem.limit.bytes`**
+:   The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.mem.failures`**
+:   The number of times that the memory limit (mem.limit.bytes) was reached.
+
+type: long
+
+
+**`system.process.cgroup.memory.mem.low.bytes`**
+:   memory low threshhold
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.mem.high.bytes`**
+:   memory high threshhold
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.mem.max.bytes`**
+:   memory max threshhold
+
+type: long
+
+format: bytes
+
+
+
+## mem.events [_mem_events]
+
+number of times the controller tripped a given usage level
+
+**`system.process.cgroup.memory.mem.events.low`**
+:   low threshold
+
+type: long
+
+
+**`system.process.cgroup.memory.mem.events.high`**
+:   high threshold
+
+type: long
+
+
+**`system.process.cgroup.memory.mem.events.max`**
+:   max threshold
+
+type: long
+
+
+**`system.process.cgroup.memory.mem.events.oom`**
+:   oom threshold
+
+type: long
+
+
+**`system.process.cgroup.memory.mem.events.oom_kill`**
+:   oom killer threshold
+
+type: long
+
+
+**`system.process.cgroup.memory.mem.events.fail`**
+:   failed threshold
+
+type: long
+
+
+**`system.process.cgroup.memory.memsw.usage.bytes`**
+:   The sum of current memory usage plus swap space used by processes in the cgroup (in bytes).
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.memsw.usage.max.bytes`**
+:   The maximum amount of memory and swap space used by processes in the cgroup (in bytes).
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.memsw.limit.bytes`**
+:   The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.memsw.low.bytes`**
+:   memory low threshhold
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.memsw.high.bytes`**
+:   memory high threshhold
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.memsw.max.bytes`**
+:   memory max threshhold
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.memsw.failures`**
+:   The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached.
+
+type: long
+
+
+
+## memsw.events [_memsw_events]
+
+number of times the controller tripped a given usage level
+
+**`system.process.cgroup.memory.memsw.events.low`**
+:   low threshold
+
+type: long
+
+
+**`system.process.cgroup.memory.memsw.events.high`**
+:   high threshold
+
+type: long
+
+
+**`system.process.cgroup.memory.memsw.events.max`**
+:   max threshold
+
+type: long
+
+
+**`system.process.cgroup.memory.memsw.events.oom`**
+:   oom threshold
+
+type: long
+
+
+**`system.process.cgroup.memory.memsw.events.oom_kill`**
+:   oom killer threshold
+
+type: long
+
+
+**`system.process.cgroup.memory.memsw.events.fail`**
+:   failed threshold
+
+type: long
+
+
+**`system.process.cgroup.memory.kmem.usage.bytes`**
+:   Total kernel memory usage by processes in the cgroup (in bytes).
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.kmem.usage.max.bytes`**
+:   The maximum kernel memory used by processes in the cgroup (in bytes).
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.kmem.limit.bytes`**
+:   The maximum amount of kernel memory that tasks in the cgroup are allowed to use.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.kmem.failures`**
+:   The number of times that the memory limit (kmem.limit.bytes) was reached.
+
+type: long
+
+
+**`system.process.cgroup.memory.kmem_tcp.usage.bytes`**
+:   Total memory usage for TCP buffers in bytes.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.kmem_tcp.usage.max.bytes`**
+:   The maximum memory used for TCP buffers by processes in the cgroup (in bytes).
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.kmem_tcp.limit.bytes`**
+:   The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.kmem_tcp.failures`**
+:   The number of times that the memory limit (kmem_tcp.limit.bytes) was reached.
+
+type: long
+
+
+**`system.process.cgroup.memory.stats.*`**
+:   detailed memory IO stats
+
+type: object
+
+
+**`system.process.cgroup.memory.stats.*.bytes`**
+:   detailed memory IO stats
+
+type: object
+
+
+**`system.process.cgroup.memory.stats.active_anon.bytes`**
+:   Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.stats.active_file.bytes`**
+:   File-backed memory on active LRU list, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.stats.cache.bytes`**
+:   Page cache, including tmpfs (shmem), in bytes.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes`**
+:   Memory limit for the hierarchy that contains the memory cgroup, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes`**
+:   Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.stats.inactive_anon.bytes`**
+:   Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.stats.inactive_file.bytes`**
+:   File-backed memory on inactive LRU list, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.stats.mapped_file.bytes`**
+:   Size of memory-mapped mapped files, including tmpfs (shmem), in bytes.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.stats.page_faults`**
+:   Number of times that a process in the cgroup triggered a page fault.
+
+type: long
+
+
+**`system.process.cgroup.memory.stats.major_page_faults`**
+:   Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk.
+
+type: long
+
+
+**`system.process.cgroup.memory.stats.pages_in`**
+:   Number of pages paged into memory. This is a counter.
+
+type: long
+
+
+**`system.process.cgroup.memory.stats.pages_out`**
+:   Number of pages paged out of memory. This is a counter.
+
+type: long
+
+
+**`system.process.cgroup.memory.stats.rss.bytes`**
+:   Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.stats.rss_huge.bytes`**
+:   Number of bytes of anonymous transparent hugepages.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.stats.swap.bytes`**
+:   Swap usage, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.memory.stats.unevictable.bytes`**
+:   Memory that cannot be reclaimed, in bytes.
+
+type: long
+
+format: bytes
+
+
+
+## blkio [_blkio_2]
+
+Block IO metrics.
+
+**`system.process.cgroup.blkio.id`**
+:   ID of the cgroup.
+
+type: keyword
+
+
+**`system.process.cgroup.blkio.path`**
+:   Path to the cgroup relative to the cgroup subsystems mountpoint.
+
+type: keyword
+
+
+**`system.process.cgroup.blkio.total.bytes`**
+:   Total number of bytes transferred to and from all block devices by processes in the cgroup.
+
+type: long
+
+format: bytes
+
+
+**`system.process.cgroup.blkio.total.ios`**
+:   Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy.
+
+type: long
+
+
+
+## io [_io_2]
+
+cgroup V2 IO Metrics, replacing blkio.
+
+**`system.process.cgroup.io.id`**
+:   ID of the cgroup.
+
+type: keyword
+
+
+**`system.process.cgroup.io.path`**
+:   Path to the cgroup relative to the cgroup subsystems mountpoint.
+
+type: keyword
+
+
+**`system.process.cgroup.io.stats.*`**
+:   per-device IO usage stats
+
+type: object
+
+
+**`system.process.cgroup.io.stats.*.*`**
+:   type: object
+
+
+**`system.process.cgroup.io.stats.*.*.bytes`**
+:   per-device IO usage stats
+
+type: object
+
+
+**`system.process.cgroup.io.stats.*.*.ios`**
+:   per-device IO usage stats
+
+type: object
+
+
+
+## pressure [_pressure_3]
+
+Pressure (resource contention) stats.
+
+
+## full [_full_2]
+
+Share of time in which at least some tasks are stalled on a given resource
+
+**`system.process.cgroup.io.pressure.full.10.pct`**
+:   Pressure over 10 seconds
+
+type: float
+
+format: percent
+
+
+**`system.process.cgroup.io.pressure.full.60.pct`**
+:   Pressure over 60 seconds
+
+type: float
+
+format: percent
+
+
+**`system.process.cgroup.io.pressure.full.300.pct`**
+:   Pressure over 300 seconds
+
+type: float
+
+format: percent
+
+
+**`system.process.cgroup.io.pressure.full.total`**
+:   total Some pressure time
+
+type: long
+
+
+
+## some [_some_2]
+
+Share of time in which all tasks are stalled on a given resource
+
+**`system.process.cgroup.io.pressure.some.10.pct`**
+:   Pressure over 10 seconds
+
+type: float
+
+format: percent
+
+
+**`system.process.cgroup.io.pressure.some.60.pct`**
+:   Pressure over 60 seconds
+
+type: float
+
+format: percent
+
+
+**`system.process.cgroup.io.pressure.some.300.pct`**
+:   Pressure over 300 seconds
+
+type: float
+
+
+**`system.process.cgroup.io.pressure.some.total`**
+:   total Some pressure time
+
+type: long
+
+
+
+## process.summary [_process_summary_2]
+
+Summary metrics for the processes running on the host.
+
+**`system.process.summary.total`**
+:   Total number of processes on this host.
+
+type: long
+
+
+**`system.process.summary.running`**
+:   Number of running processes on this host.
+
+type: long
+
+
+**`system.process.summary.idle`**
+:   Number of idle processes on this host.
+
+type: long
+
+
+**`system.process.summary.sleeping`**
+:   Number of sleeping processes on this host.
+
+type: long
+
+
+**`system.process.summary.stopped`**
+:   Number of stopped processes on this host.
+
+type: long
+
+
+**`system.process.summary.zombie`**
+:   Number of zombie processes on this host.
+
+type: long
+
+
+**`system.process.summary.dead`**
+:   Number of dead processes on this host. It’s very unlikely that it will appear but in some special situations it may happen.
+
+type: long
+
+
+**`system.process.summary.wakekill`**
+:   Number of wakekill-state processes on this host. Only found on older Linux Kernel versions.
+
+type: long
+
+
+**`system.process.summary.wake`**
+:   Number of wake-state processes on this host. Only found on older Linux Kernel versions.
+
+type: long
+
+
+**`system.process.summary.parked`**
+:   Number of parked-state processes on this host. Only found on older Linux Kernel versions, or under certain conditions.
+
+type: long
+
+
+**`system.process.summary.unknown`**
+:   Number of processes for which the state couldn’t be retrieved or is unknown.
+
+type: long
+
+
+
+## threads [_threads_3]
+
+Counts of individual threads on a system.
+
+**`system.process.summary.threads.running`**
+:   Count of currently running threads.
+
+type: long
+
+
+**`system.process.summary.threads.blocked`**
+:   Count of threads blocked by I/O.
+
+type: long
+
+
+
+## raid [_raid_2]
+
+raid
+
+**`system.raid.name`**
+:   Name of the device.
+
+type: keyword
+
+
+**`system.raid.status`**
+:   activity-state of the device.
+
+type: keyword
+
+
+**`system.raid.level`**
+:   The raid level of the device
+
+type: keyword
+
+
+**`system.raid.sync_action`**
+:   Current sync action, if the RAID array is redundant
+
+type: keyword
+
+
+**`system.raid.disks.active`**
+:   Number of active disks.
+
+type: long
+
+
+**`system.raid.disks.total`**
+:   Total number of disks the device consists of.
+
+type: long
+
+
+**`system.raid.disks.spare`**
+:   Number of spared disks.
+
+type: long
+
+
+**`system.raid.disks.failed`**
+:   Number of failed disks.
+
+type: long
+
+
+**`system.raid.disks.states.*`**
+:   map of raw disk states
+
+type: object
+
+
+**`system.raid.blocks.total`**
+:   Number of blocks the device holds, in 1024-byte blocks.
+
+type: long
+
+
+**`system.raid.blocks.synced`**
+:   Number of blocks on the device that are in sync, in 1024-byte blocks.
+
+type: long
+
+
+
+## service [_service_4]
+
+metrics for system services
+
+**`system.service.name`**
+:   The name of the service
+
+type: keyword
+
+
+**`system.service.load_state`**
+:   The load state of the service
+
+type: keyword
+
+
+**`system.service.state`**
+:   The activity state of the service
+
+type: keyword
+
+
+**`system.service.sub_state`**
+:   The sub-state of the service
+
+type: keyword
+
+
+**`system.service.state_since`**
+:   The timestamp of the last state change. If the service is active and running, this is its uptime.
+
+type: date
+
+
+**`system.service.exec_code`**
+:   The SIGCHLD code from the service’s main process
+
+type: keyword
+
+
+**`system.service.unit_file.state`**
+:   The state of the unit file
+
+type: keyword
+
+
+**`system.service.unit_file.vendor_preset`**
+:   The default state of the unit file
+
+type: keyword
+
+
+
+## resources [_resources_2]
+
+system metrics associated with the service
+
+**`system.service.resources.cpu.usage.ns`**
+:   CPU usage in nanoseconds
+
+type: long
+
+
+**`system.service.resources.memory.usage.bytes`**
+:   memory usage in bytes
+
+type: long
+
+
+**`system.service.resources.tasks.count`**
+:   number of tasks associated with the service
+
+type: long
+
+
+
+## network [_network_11]
+
+network resource usage
+
+**`system.service.resources.network.in.bytes`**
+:   bytes in
+
+type: long
+
+format: bytes
+
+
+**`system.service.resources.network.in.packets`**
+:   packets in
+
+type: long
+
+format: bytes
+
+
+**`system.service.resources.network.out.packets`**
+:   packets out
+
+type: long
+
+
+**`system.service.resources.network.out.bytes`**
+:   bytes out
+
+type: long
+
+
+
+## socket [_socket_2]
+
+TCP sockets that are active.
+
+**`system.socket.direction`**
+:   type: alias
+
+alias to: network.direction
+
+
+**`system.socket.family`**
+:   type: alias
+
+alias to: network.type
+
+
+**`system.socket.local.ip`**
+:   Local IP address. This can be an IPv4 or IPv6 address.
+
+type: ip
+
+example: 192.0.2.1 or 2001:0DB8:ABED:8536::1
+
+
+**`system.socket.local.port`**
+:   Local port.
+
+type: long
+
+example: 22
+
+
+**`system.socket.remote.ip`**
+:   Remote IP address. This can be an IPv4 or IPv6 address.
+
+type: ip
+
+example: 192.0.2.1 or 2001:0DB8:ABED:8536::1
+
+
+**`system.socket.remote.port`**
+:   Remote port.
+
+type: long
+
+example: 22
+
+
+**`system.socket.remote.host`**
+:   PTR record associated with the remote IP. It is obtained via reverse IP lookup.
+
+type: keyword
+
+example: 76-211-117-36.nw.example.com.
+
+
+**`system.socket.remote.etld_plus_one`**
+:   The effective top-level domain (eTLD) of the remote host plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from [http://publicsuffix.org](http://publicsuffix.org).
+
+type: keyword
+
+example: example.com.
+
+
+**`system.socket.remote.host_error`**
+:   Error describing the cause of the reverse lookup failure.
+
+type: keyword
+
+
+**`system.socket.process.pid`**
+:   type: alias
+
+alias to: process.pid
+
+
+**`system.socket.process.command`**
+:   type: alias
+
+alias to: process.name
+
+
+**`system.socket.process.cmdline`**
+:   Full command line
+
+type: keyword
+
+
+**`system.socket.process.exe`**
+:   type: alias
+
+alias to: process.executable
+
+
+**`system.socket.user.id`**
+:   type: alias
+
+alias to: user.id
+
+
+**`system.socket.user.name`**
+:   type: alias
+
+alias to: user.full_name
+
+
+
+## socket.summary [_socket_summary_2]
+
+Summary metrics of open sockets in the host system
+
+
+## all [_all]
+
+All connections
+
+**`system.socket.summary.all.count`**
+:   All open connections
+
+type: integer
+
+
+**`system.socket.summary.all.listening`**
+:   All listening ports
+
+type: integer
+
+
+
+## tcp [_tcp]
+
+All TCP connections
+
+**`system.socket.summary.tcp.memory`**
+:   Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux.
+
+type: integer
+
+format: bytes
+
+
+
+## all [_all_2]
+
+All TCP connections
+
+**`system.socket.summary.tcp.all.orphan`**
+:   A count of all orphaned tcp sockets. Only available on Linux.
+
+type: integer
+
+
+**`system.socket.summary.tcp.all.count`**
+:   All open TCP connections
+
+type: integer
+
+
+**`system.socket.summary.tcp.all.listening`**
+:   All TCP listening ports
+
+type: integer
+
+
+**`system.socket.summary.tcp.all.established`**
+:   Number of established TCP connections
+
+type: integer
+
+
+**`system.socket.summary.tcp.all.close_wait`**
+:   Number of TCP connections in *close_wait* state
+
+type: integer
+
+
+**`system.socket.summary.tcp.all.time_wait`**
+:   Number of TCP connections in *time_wait* state
+
+type: integer
+
+
+**`system.socket.summary.tcp.all.syn_sent`**
+:   Number of TCP connections in *syn_sent* state
+
+type: integer
+
+
+**`system.socket.summary.tcp.all.syn_recv`**
+:   Number of TCP connections in *syn_recv* state
+
+type: integer
+
+
+**`system.socket.summary.tcp.all.fin_wait1`**
+:   Number of TCP connections in *fin_wait1* state
+
+type: integer
+
+
+**`system.socket.summary.tcp.all.fin_wait2`**
+:   Number of TCP connections in *fin_wait2* state
+
+type: integer
+
+
+**`system.socket.summary.tcp.all.last_ack`**
+:   Number of TCP connections in *last_ack* state
+
+type: integer
+
+
+**`system.socket.summary.tcp.all.closing`**
+:   Number of TCP connections in *closing* state
+
+type: integer
+
+
+
+## udp [_udp]
+
+All UDP connections
+
+**`system.socket.summary.udp.memory`**
+:   Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux.
+
+type: integer
+
+format: bytes
+
+
+
+## all [_all_3]
+
+All UDP connections
+
+**`system.socket.summary.udp.all.count`**
+:   All open UDP connections
+
+type: integer
+
+
+
+## uptime [_uptime_3]
+
+`uptime` contains the operating system uptime metric.
+
+**`system.uptime.duration.ms`**
+:   The OS uptime in milliseconds.
+
+type: long
+
+format: duration
+
+
+
+## users [_users]
+
+Logged-in user session data
+
+**`system.users.id`**
+:   The ID of the session
+
+type: keyword
+
+
+**`system.users.seat`**
+:   An associated logind seat
+
+type: keyword
+
+
+**`system.users.path`**
+:   The DBus object path of the session
+
+type: keyword
+
+
+**`system.users.type`**
+:   The type of the user session
+
+type: keyword
+
+
+**`system.users.service`**
+:   A session associated with the service
+
+type: keyword
+
+
+**`system.users.remote`**
+:   A bool indicating a remote session
+
+type: boolean
+
+
+**`system.users.state`**
+:   The current state of the session
+
+type: keyword
+
+
+**`system.users.scope`**
+:   The associated systemd scope
+
+type: keyword
+
+
+**`system.users.leader`**
+:   The root PID of the session
+
+type: long
+
+
+**`system.users.remote_host`**
+:   A remote host address for the session
+
+type: keyword
+
+
diff --git a/docs/reference/metricbeat/exported-fields-tomcat.md b/docs/reference/metricbeat/exported-fields-tomcat.md
new file mode 100644
index 000000000000..64145e8341a5
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-tomcat.md
@@ -0,0 +1,215 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-tomcat.html
+---
+
+# Tomcat fields [exported-fields-tomcat]
+
+Tomcat module
+
+
+## cache [_cache_5]
+
+Catalina Cache metrics from the WebResourceRoot
+
+**`tomcat.cache.mbean`**
+:   Mbean that this event is related to
+
+type: keyword
+
+
+**`tomcat.cache.hit.total`**
+:   The number of requests for resources that were served from the cache
+
+type: long
+
+
+**`tomcat.cache.size.total.kb`**
+:   The current estimate of the cache size in kilobytes
+
+type: long
+
+
+**`tomcat.cache.size.max.kb`**
+:   The maximum permitted size of the cache in kilobytes
+
+type: long
+
+
+**`tomcat.cache.lookup.total`**
+:   The number of requests for resources
+
+type: long
+
+
+**`tomcat.cache.ttl.ms`**
+:   The time-to-live for cache entries in milliseconds
+
+type: long
+
+
+
+## memory [_memory_15]
+
+Memory metrics from java.lang JMX
+
+**`tomcat.memory.mbean`**
+:   Mbean that this event is related to
+
+type: keyword
+
+
+**`tomcat.memory.heap.usage.committed`**
+:   Committed heap memory usage
+
+type: long
+
+
+**`tomcat.memory.heap.usage.max`**
+:   Max heap memory usage
+
+type: long
+
+
+**`tomcat.memory.heap.usage.used`**
+:   Used heap memory usage
+
+type: long
+
+
+**`tomcat.memory.heap.usage.init`**
+:   Initial heap memory usage
+
+type: long
+
+
+**`tomcat.memory.other.usage.committed`**
+:   Committed non-heap memory usage
+
+type: long
+
+
+**`tomcat.memory.other.usage.max`**
+:   Max non-heap memory usage
+
+type: long
+
+
+**`tomcat.memory.other.usage.used`**
+:   Used non-heap memory usage
+
+type: long
+
+
+**`tomcat.memory.other.usage.init`**
+:   Initial non-heap memory usage
+
+type: long
+
+
+
+## requests [_requests_2]
+
+Requests processor metrics from GlobalRequestProcessor JMX
+
+**`tomcat.requests.mbean`**
+:   Mbean that this event is related to
+
+type: keyword
+
+
+**`tomcat.requests.total`**
+:   Number of requests processed
+
+type: long
+
+
+**`tomcat.requests.bytes.received`**
+:   Amount of data received, in bytes
+
+type: long
+
+
+**`tomcat.requests.bytes.sent`**
+:   Amount of data sent, in bytes
+
+type: long
+
+
+**`tomcat.requests.processing.ms`**
+:   Total time to process the requests
+
+type: long
+
+
+**`tomcat.requests.errors.total`**
+:   Number of errors
+
+type: long
+
+
+
+## threading [_threading]
+
+Threading metrics from the Catalina’s ThreadPool JMX
+
+**`tomcat.threading.busy`**
+:   Current busy threads from the ThreadPool
+
+type: long
+
+
+**`tomcat.threading.max`**
+:   Max threads from the ThreadPool
+
+type: long
+
+
+**`tomcat.threading.current`**
+:   Current number of threads, taken from the ThreadPool
+
+type: long
+
+
+**`tomcat.threading.keep_alive.total`**
+:   Total keep alive on the ThreadPool
+
+type: long
+
+
+**`tomcat.threading.keep_alive.timeout.ms`**
+:   Keep alive timeout on the ThreadPool
+
+type: long
+
+
+**`tomcat.threading.started.total`**
+:   Current started threads at JVM level (from java.lang:type=Threading)
+
+type: long
+
+
+**`tomcat.threading.user.time.ms`**
+:   User time in milliseconds (from java.lang:type=Threading)
+
+type: long
+
+
+**`tomcat.threading.cpu.time.ms`**
+:   CPU time in milliseconds (from java.lang:type=Threading)
+
+type: long
+
+
+**`tomcat.threading.total`**
+:   Total threads at the JVM level (from java.lang:type=Threading)
+
+type: long
+
+
+**`tomcat.threading.peak`**
+:   Peak number of threads at JVM level (from java.lang:type=Threading)
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-traefik.md b/docs/reference/metricbeat/exported-fields-traefik.md
new file mode 100644
index 000000000000..422ec05f2872
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-traefik.md
@@ -0,0 +1,48 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-traefik.html
+---
+
+# Traefik fields [exported-fields-traefik]
+
+Traefik reverse proxy / load balancer metrics
+
+
+## traefik [_traefik]
+
+Traefik reverse proxy / load balancer metrics
+
+
+## health [_health_2]
+
+Metrics obtained from Traefik’s health API endpoint
+
+**`traefik.health.uptime.sec`**
+:   Uptime of Traefik instance in seconds
+
+type: long
+
+
+
+## response [_response_2]
+
+Response metrics
+
+**`traefik.health.response.count`**
+:   Number of responses
+
+type: long
+
+
+**`traefik.health.response.avg_time.us`**
+:   Average response time in microseconds
+
+type: long
+
+
+**`traefik.health.response.status_codes.*`**
+:   Number of responses per status code
+
+type: object
+
+
diff --git a/docs/reference/metricbeat/exported-fields-uwsgi.md b/docs/reference/metricbeat/exported-fields-uwsgi.md
new file mode 100644
index 000000000000..badc2d5785fe
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-uwsgi.md
@@ -0,0 +1,191 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-uwsgi.html
+---
+
+# uWSGI fields [exported-fields-uwsgi]
+
+uwsgi module
+
+
+## uwsgi [_uwsgi]
+
+
+## status [_status_8]
+
+uwsgi.status metricset fields
+
+**`uwsgi.status.total.requests`**
+:   Total requests handled
+
+type: long
+
+
+**`uwsgi.status.total.exceptions`**
+:   Total exceptions
+
+type: long
+
+
+**`uwsgi.status.total.write_errors`**
+:   Total requests write errors
+
+type: long
+
+
+**`uwsgi.status.total.read_errors`**
+:   Total read errors
+
+type: long
+
+
+**`uwsgi.status.total.pid`**
+:   Process id
+
+type: long
+
+
+**`uwsgi.status.worker.id`**
+:   Worker id
+
+type: long
+
+
+**`uwsgi.status.worker.pid`**
+:   Worker process id
+
+type: long
+
+
+**`uwsgi.status.worker.accepting`**
+:   State of worker, 1 if still accepting new requests otherwise 0
+
+type: long
+
+
+**`uwsgi.status.worker.requests`**
+:   Number of requests served by this worker
+
+type: long
+
+
+**`uwsgi.status.worker.delta_requests`**
+:   Number of requests served by this worker after worker is reloaded when reached MAX_REQUESTS
+
+type: long
+
+
+**`uwsgi.status.worker.exceptions`**
+:   Exceptions raised
+
+type: long
+
+
+**`uwsgi.status.worker.harakiri_count`**
+:   Dropped requests by timeout
+
+type: long
+
+
+**`uwsgi.status.worker.signals`**
+:   Emitted signals count
+
+type: long
+
+
+**`uwsgi.status.worker.signal_queue`**
+:   Number of signals waiting to be handled
+
+type: long
+
+
+**`uwsgi.status.worker.status`**
+:   Worker status (cheap, pause, sig, busy, idle)
+
+type: keyword
+
+
+**`uwsgi.status.worker.rss`**
+:   Resident Set Size. memory currently used by a process. if always zero try `--memory-report` option of uwsgi
+
+type: long
+
+
+**`uwsgi.status.worker.vsz`**
+:   Virtual Set Size. memory size assigned to a process. if always zero try `--memory-report` option of uwsgi
+
+type: long
+
+
+**`uwsgi.status.worker.running_time`**
+:   Process running time
+
+type: long
+
+
+**`uwsgi.status.worker.respawn_count`**
+:   Respawn count
+
+type: long
+
+
+**`uwsgi.status.worker.tx`**
+:   Transmitted size
+
+type: long
+
+
+**`uwsgi.status.worker.avg_rt`**
+:   Average response time
+
+type: long
+
+
+**`uwsgi.status.core.id`**
+:   worker ID
+
+type: long
+
+
+**`uwsgi.status.core.worker_pid`**
+:   Parent worker PID
+
+type: long
+
+
+**`uwsgi.status.core.requests.total`**
+:   Number of total requests served
+
+type: long
+
+
+**`uwsgi.status.core.requests.static`**
+:   Number of static file serves
+
+type: long
+
+
+**`uwsgi.status.core.requests.routed`**
+:   Routed requests
+
+type: long
+
+
+**`uwsgi.status.core.requests.offloaded`**
+:   Offloaded requests
+
+type: long
+
+
+**`uwsgi.status.core.write_errors`**
+:   Number of failed writes
+
+type: long
+
+
+**`uwsgi.status.core.read_errors`**
+:   Number of failed reads
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields-vsphere.md b/docs/reference/metricbeat/exported-fields-vsphere.md
new file mode 100644
index 000000000000..f4b4847cf880
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-vsphere.md
@@ -0,0 +1,893 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-vsphere.html
+---
+
+# vSphere fields [exported-fields-vsphere]
+
+vSphere module
+
+
+## vsphere [_vsphere]
+
+
+## cluster [_cluster_4]
+
+Cluster information.
+
+**`vsphere.cluster.datastore.names`**
+:   List of all the datastore names associated with the cluster.
+
+type: keyword
+
+
+**`vsphere.cluster.datastore.count`**
+:   Number of datastores associated with the cluster.
+
+type: long
+
+
+**`vsphere.cluster.das_config.admission.control.enabled`**
+:   Indicates whether strict admission control is enabled.
+
+type: boolean
+
+
+**`vsphere.cluster.das_config.enabled`**
+:   Indicates whether vSphere HA feature is enabled.
+
+type: boolean
+
+
+**`vsphere.cluster.host.count`**
+:   Number of hosts associated with the cluster.
+
+type: long
+
+
+**`vsphere.cluster.host.names`**
+:   List of all the host names associated with the cluster.
+
+type: keyword
+
+
+**`vsphere.cluster.id`**
+:   Unique cluster ID.
+
+type: keyword
+
+
+**`vsphere.cluster.name`**
+:   Cluster name.
+
+type: keyword
+
+
+**`vsphere.cluster.network.count`**
+:   Number of networks associated with the cluster.
+
+type: long
+
+
+**`vsphere.cluster.network.names`**
+:   List of all the network names associated with the cluster.
+
+type: keyword
+
+
+**`vsphere.cluster.triggered_alarms.*`**
+:   List of all the triggered alarms.
+
+type: object
+
+
+
+## datastore [_datastore]
+
+datastore
+
+**`vsphere.datastore.capacity.free.bytes`**
+:   Free bytes of the datastore.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.datastore.capacity.total.bytes`**
+:   Total bytes of the datastore.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.datastore.capacity.used.bytes`**
+:   Used bytes of the datastore.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.datastore.capacity.used.pct`**
+:   Percentage of datastore capacity used.
+
+type: scaled_float
+
+format: percent
+
+
+**`vsphere.datastore.disk.capacity.bytes`**
+:   Configured size of the datastore.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.datastore.disk.capacity.usage.bytes`**
+:   The amount of storage capacity currently being consumed by datastore.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.datastore.disk.provisioned.bytes`**
+:   Amount of storage set aside for use by a datastore.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.datastore.fstype`**
+:   Filesystem type.
+
+type: keyword
+
+
+**`vsphere.datastore.host.count`**
+:   Number of hosts.
+
+type: long
+
+
+**`vsphere.datastore.host.names`**
+:   List of all the host names.
+
+type: keyword
+
+
+**`vsphere.datastore.id`**
+:   Unique datastore ID.
+
+type: keyword
+
+
+**`vsphere.datastore.name`**
+:   Datastore name.
+
+type: keyword
+
+
+**`vsphere.datastore.read.bytes`**
+:   Rate of reading data from the datastore.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.datastore.status`**
+:   Status of the datastore.
+
+type: keyword
+
+
+**`vsphere.datastore.triggered_alarms.*`**
+:   List of all the triggered alarms.
+
+type: object
+
+
+**`vsphere.datastore.vm.count`**
+:   Number of VMs.
+
+type: long
+
+
+**`vsphere.datastore.vm.names`**
+:   List of all the VM names.
+
+type: keyword
+
+
+**`vsphere.datastore.write.bytes`**
+:   Rate of writing data to the datastore.
+
+type: long
+
+format: bytes
+
+
+
+## datastorecluster [_datastorecluster]
+
+Datastore Cluster
+
+**`vsphere.datastorecluster.id`**
+:   Unique datastore cluster ID.
+
+type: keyword
+
+
+**`vsphere.datastorecluster.name`**
+:   The datastore cluster name.
+
+type: keyword
+
+
+**`vsphere.datastorecluster.capacity.bytes`**
+:   Total capacity of this storage pod, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.datastorecluster.free_space.bytes`**
+:   Total free space on this storage pod, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.datastorecluster.datastore.names`**
+:   List of all the datastore names associated with the datastore cluster.
+
+type: keyword
+
+
+**`vsphere.datastorecluster.datastore.count`**
+:   Number of datastores in the datastore cluster.
+
+type: long
+
+
+**`vsphere.datastorecluster.triggered_alarms.*`**
+:   List of all the triggered alarms.
+
+type: object
+
+
+
+## host [_host_2]
+
+Host information from vSphere environment.
+
+**`vsphere.host.cpu.used.mhz`**
+:   Used CPU in MHz.
+
+type: long
+
+
+**`vsphere.host.cpu.total.mhz`**
+:   Total CPU in MHz.
+
+type: long
+
+
+**`vsphere.host.cpu.free.mhz`**
+:   Free CPU in MHz.
+
+type: long
+
+
+**`vsphere.host.datastore.names`**
+:   List of all the datastore names.
+
+type: keyword
+
+
+**`vsphere.host.datastore.count`**
+:   Number of datastores on the host.
+
+type: long
+
+
+**`vsphere.host.disk.capacity.usage.bytes`**
+:   The amount of storage capacity currently being consumed by or on the entity.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.host.disk.devicelatency.average.ms`**
+:   Average amount of time it takes to complete an SCSI command from physical device in milliseconds.
+
+type: long
+
+
+**`vsphere.host.disk.latency.total.ms`**
+:   Highest latency value across all disks used by the host in milliseconds.
+
+type: long
+
+
+**`vsphere.host.disk.read.bytes`**
+:   Average number of bytes read from the disk each second.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.host.disk.write.bytes`**
+:   Average number of bytes written to the disk each second.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.host.disk.total.bytes`**
+:   Sum of disk read and write rates each second in bytes.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.host.id`**
+:   Unique host ID.
+
+type: keyword
+
+
+**`vsphere.host.memory.free.bytes`**
+:   Free Memory in bytes.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.host.memory.total.bytes`**
+:   Total Memory in bytes.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.host.memory.used.bytes`**
+:   Used Memory in bytes.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.host.name`**
+:   Host name.
+
+type: keyword
+
+
+**`vsphere.host.network_names`**
+:   Network names.
+
+type: keyword
+
+
+**`vsphere.host.network.names`**
+:   List of all the network names.
+
+type: keyword
+
+
+**`vsphere.host.network.count`**
+:   Number of networks on the host.
+
+type: long
+
+
+**`vsphere.host.network.bandwidth.transmitted.bytes`**
+:   Average rate at which data was transmitted during the interval. This represents the bandwidth of the network.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.host.network.bandwidth.received.bytes`**
+:   Average rate at which data was received during the interval. This represents the bandwidth of the network.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.host.network.bandwidth.total.bytes`**
+:   Sum of network transmitted and received rates in bytes during the interval.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.host.network.packets.transmitted.count`**
+:   Number of packets transmitted.
+
+type: long
+
+
+**`vsphere.host.network.packets.received.count`**
+:   Number of packets received.
+
+type: long
+
+
+**`vsphere.host.network.packets.errors.transmitted.count`**
+:   Number of packets with errors transmitted.
+
+type: long
+
+
+**`vsphere.host.network.packets.errors.received.count`**
+:   Number of packets with errors received.
+
+type: long
+
+
+**`vsphere.host.network.packets.errors.total.count`**
+:   Total number of packets with errors.
+
+type: long
+
+
+**`vsphere.host.network.packets.multicast.transmitted.count`**
+:   Number of multicast packets transmitted.
+
+type: long
+
+
+**`vsphere.host.network.packets.multicast.received.count`**
+:   Number of multicast packets received.
+
+type: long
+
+
+**`vsphere.host.network.packets.multicast.total.count`**
+:   Total number of multicast packets.
+
+type: long
+
+
+**`vsphere.host.network.packets.dropped.transmitted.count`**
+:   Number of transmitted packets dropped.
+
+type: long
+
+
+**`vsphere.host.network.packets.dropped.received.count`**
+:   Number of received packets dropped.
+
+type: long
+
+
+**`vsphere.host.network.packets.dropped.total.count`**
+:   Total number of packets dropped.
+
+type: long
+
+
+**`vsphere.host.status`**
+:   The overall health status of a host in the vSphere environment.
+
+type: keyword
+
+
+**`vsphere.host.triggered_alarms.*`**
+:   List of all the triggered alarms.
+
+type: object
+
+
+**`vsphere.host.uptime`**
+:   The total uptime of a host in seconds within the vSphere environment.
+
+type: long
+
+
+**`vsphere.host.vm.names`**
+:   List of all the VM names.
+
+type: keyword
+
+
+**`vsphere.host.vm.count`**
+:   Number of virtual machines on the host.
+
+type: long
+
+
+
+## network [_network_12]
+
+Network-related information.
+
+**`vsphere.network.accessible`**
+:   Indicates whether at least one host is configured to provide this network.
+
+type: boolean
+
+
+**`vsphere.network.config.status`**
+:   Indicates whether the system has detected a configuration issue.
+
+type: keyword
+
+
+**`vsphere.network.host.names`**
+:   Names of the hosts connected to this network.
+
+type: keyword
+
+
+**`vsphere.network.host.count`**
+:   Number of hosts connected to this network.
+
+type: long
+
+
+**`vsphere.network.id`**
+:   Unique network ID.
+
+type: keyword
+
+
+**`vsphere.network.name`**
+:   Name of the network.
+
+type: keyword
+
+
+**`vsphere.network.status`**
+:   General health of the network.
+
+type: keyword
+
+
+**`vsphere.network.type`**
+:   Type of the network (e.g., Network(Standard), DistributedVirtualport).
+
+type: keyword
+
+
+**`vsphere.network.vm.names`**
+:   Names of the virtual machines connected to this network.
+
+type: keyword
+
+
+**`vsphere.network.vm.count`**
+:   Number of virtual machines connected to this network.
+
+type: long
+
+
+**`vsphere.network.triggered_alarms.*`**
+:   List of all the triggered alarms.
+
+type: object
+
+
+
+## resourcepool [_resourcepool]
+
+Resource pool information from vSphere environment.
+
+**`vsphere.resourcepool.cpu.usage.mhz`**
+:   Basic CPU performance statistics, in MHz.
+
+type: long
+
+
+**`vsphere.resourcepool.cpu.demand.mhz`**
+:   Basic CPU performance statistics, in MHz.
+
+type: long
+
+
+**`vsphere.resourcepool.cpu.entitlement.mhz`**
+:   The amount of CPU resource, in MHz, that this VM is entitled to, as calculated by DRS.
+
+type: long
+
+
+**`vsphere.resourcepool.cpu.entitlement.static.mhz`**
+:   The static CPU resource entitlement for a virtual machine.
+
+type: long
+
+
+**`vsphere.resourcepool.id`**
+:   Unique resource pool ID.
+
+type: keyword
+
+
+**`vsphere.resourcepool.memory.usage.guest.bytes`**
+:   Guest memory utilization statistics, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.resourcepool.memory.usage.host.bytes`**
+:   Host memory utilization statistics, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.resourcepool.memory.entitlement.bytes`**
+:   The amount of memory, in bytes, that this VM is entitled to, as calculated by DRS.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.resourcepool.memory.entitlement.static.bytes`**
+:   The static memory resource entitlement for a virtual machine, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.resourcepool.memory.private.bytes`**
+:   The portion of memory, in bytes, that is granted to a virtual machine from non-shared host memory.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.resourcepool.memory.shared.bytes`**
+:   The portion of memory, in bytes, that is granted to a virtual machine from host memory that is shared between VMs.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.resourcepool.memory.swapped.bytes`**
+:   The portion of memory, in bytes, that is granted to a virtual machine from the host’s swap space.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.resourcepool.memory.ballooned.bytes`**
+:   The size of the balloon driver in a virtual machine, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.resourcepool.memory.overhead.bytes`**
+:   The amount of memory resource (in bytes) that will be used by a virtual machine above its guest memory requirements.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.resourcepool.memory.overhead.consumed.bytes`**
+:   The amount of overhead memory, in bytes, currently being consumed to run a VM.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.resourcepool.memory.compressed.bytes`**
+:   The amount of compressed memory currently consumed by VM, in bytes.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.resourcepool.name`**
+:   The name of the resource pool.
+
+type: keyword
+
+
+**`vsphere.resourcepool.status`**
+:   The overall health status of a host in the vSphere environment.
+
+type: keyword
+
+
+**`vsphere.resourcepool.vm.count`**
+:   Number of virtual machines on the resource pool.
+
+type: long
+
+
+**`vsphere.resourcepool.vm.names`**
+:   Names of virtual machines on the resource pool.
+
+type: keyword
+
+
+**`vsphere.resourcepool.triggered_alarms.*`**
+:   List of all the triggered alarms.
+
+type: object
+
+
+
+## virtualmachine [_virtualmachine]
+
+virtualmachine
+
+**`vsphere.virtualmachine.host.id`**
+:   Host id.
+
+type: keyword
+
+
+**`vsphere.virtualmachine.host.hostname`**
+:   Hostname of the host.
+
+type: keyword
+
+
+**`vsphere.virtualmachine.id`**
+:   Unique virtual machine ID.
+
+type: keyword
+
+
+**`vsphere.virtualmachine.name`**
+:   Virtual machine name.
+
+type: keyword
+
+
+**`vsphere.virtualmachine.os`**
+:   Virtual machine Operating System name.
+
+type: keyword
+
+
+**`vsphere.virtualmachine.cpu.used.mhz`**
+:   Used CPU in Mhz.
+
+type: long
+
+
+**`vsphere.virtualmachine.cpu.total.mhz`**
+:   Total Reserved CPU in Mhz.
+
+type: long
+
+
+**`vsphere.virtualmachine.cpu.free.mhz`**
+:   Available CPU in Mhz.
+
+type: long
+
+
+**`vsphere.virtualmachine.memory.used.guest.bytes`**
+:   Used memory of Guest in bytes.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.virtualmachine.memory.used.host.bytes`**
+:   Used memory of Host in bytes.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.virtualmachine.memory.total.guest.bytes`**
+:   Total memory of Guest in bytes.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.virtualmachine.memory.free.guest.bytes`**
+:   Free memory of Guest in bytes.
+
+type: long
+
+format: bytes
+
+
+**`vsphere.virtualmachine.custom_fields`**
+:   Custom fields.
+
+type: object
+
+
+**`vsphere.virtualmachine.network_names`**
+:   Network names.
+
+type: keyword
+
+
+**`vsphere.virtualmachine.datastore.names`**
+:   Names of the datastore associated to this virtualmachine.
+
+type: keyword
+
+
+**`vsphere.virtualmachine.datastore.count`**
+:   Number of datastores associated to this virtualmachine.
+
+type: long
+
+
+**`vsphere.virtualmachine.network.names`**
+:   Names of the networks associated to this virtualmachine.
+
+type: keyword
+
+
+**`vsphere.virtualmachine.network.count`**
+:   Number of networks associated to this virtualmachine.
+
+type: long
+
+
+**`vsphere.virtualmachine.status`**
+:   Overall health and status of a virtual machine.
+
+type: keyword
+
+
+**`vsphere.virtualmachine.uptime`**
+:   The uptime of the VM in seconds.
+
+type: long
+
+
+**`vsphere.virtualmachine.snapshot.info.*`**
+:   Details of the snapshots of this virtualmachine.
+
+type: object
+
+
+**`vsphere.virtualmachine.snapshot.count`**
+:   The number of snapshots of this virtualmachine.
+
+type: long
+
+
+**`vsphere.virtualmachine.triggered_alarms.*`**
+:   List of all the triggered alarms.
+
+type: object
+
+
diff --git a/docs/reference/metricbeat/exported-fields-windows.md b/docs/reference/metricbeat/exported-fields-windows.md
new file mode 100644
index 000000000000..ecd6b2a9bc93
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-windows.md
@@ -0,0 +1,113 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-windows.html
+---
+
+# Windows fields [exported-fields-windows]
+
+Module for Windows
+
+
+## windows [_windows]
+
+
+## perfmon [_perfmon]
+
+perfmon
+
+**`windows.perfmon.instance`**
+:   Instance value.
+
+type: keyword
+
+
+**`windows.perfmon.metrics.*.*`**
+:   Metric values returned.
+
+type: object
+
+
+
+## service [_service_5]
+
+`service` contains the status for Windows services.
+
+**`windows.service.id`**
+:   A unique ID for the service. It is a hash of the machine’s GUID and the service name.
+
+type: keyword
+
+example: hW3NJFc1Ap
+
+
+**`windows.service.name`**
+:   The service name.
+
+type: keyword
+
+example: Wecsvc
+
+
+**`windows.service.display_name`**
+:   The display name of the service.
+
+type: keyword
+
+example: Windows Event Collector
+
+
+**`windows.service.start_type`**
+:   The startup type of the service. The possible values are `Automatic`, `Boot`, `Disabled`, `Manual`, and `System`.
+
+type: keyword
+
+
+**`windows.service.start_name`**
+:   Account name under which a service runs.
+
+type: keyword
+
+example: NT AUTHORITY\LocalService
+
+
+**`windows.service.path_name`**
+:   Fully qualified path to the file that implements the service, including arguments.
+
+type: keyword
+
+example: C:\WINDOWS\system32\svchost.exe -k LocalService -p
+
+
+**`windows.service.state`**
+:   The actual state of the service. The possible values are `Continuing`, `Pausing`, `Paused`, `Running`, `Starting`, `Stopping`, and `Stopped`.
+
+type: keyword
+
+
+**`windows.service.exit_code`**
+:   For `Stopped` services this is the error code that service reports when starting to stopping. This will be the generic Windows service error code unless the service provides a service-specific error code.
+
+type: keyword
+
+
+**`windows.service.pid`**
+:   For `Running` services this is the associated process PID.
+
+type: long
+
+example: 1092
+
+
+**`windows.service.uptime.ms`**
+:   The service’s uptime specified in milliseconds.
+
+type: long
+
+format: duration
+
+
+
+## wmi [_wmi]
+
+wmi
+
diff --git a/docs/reference/metricbeat/exported-fields-zookeeper.md b/docs/reference/metricbeat/exported-fields-zookeeper.md
new file mode 100644
index 000000000000..7bc6400d647d
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields-zookeeper.md
@@ -0,0 +1,247 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-zookeeper.html
+---
+
+# ZooKeeper fields [exported-fields-zookeeper]
+
+ZooKeeper metrics collected by the four-letter monitoring commands.
+
+
+## zookeeper [_zookeeper]
+
+`zookeeper` contains the metrics reported by ZooKeeper commands.
+
+
+## connection [_connection_5]
+
+connections
+
+**`zookeeper.connection.interest_ops`**
+:   Interest ops
+
+type: long
+
+
+**`zookeeper.connection.queued`**
+:   Queued connections
+
+type: long
+
+
+**`zookeeper.connection.received`**
+:   Received connections
+
+type: long
+
+
+**`zookeeper.connection.sent`**
+:   Connections sent
+
+type: long
+
+
+
+## mntr [_mntr]
+
+`mntr` contains the metrics reported by the four-letter `mntr` command.
+
+**`zookeeper.mntr.approximate_data_size`**
+:   Approximate size of ZooKeeper data.
+
+type: long
+
+
+**`zookeeper.mntr.latency.avg`**
+:   Average latency between ensemble hosts in milliseconds.
+
+type: long
+
+
+**`zookeeper.mntr.ephemerals_count`**
+:   Number of ephemeral znodes.
+
+type: long
+
+
+**`zookeeper.mntr.followers`**
+:   Number of followers seen by the current host (Up to ZooKeeper 3.5.9).
+
+type: long
+
+
+**`zookeeper.mntr.max_file_descriptor_count`**
+:   Maximum number of file descriptors allowed for the ZooKeeper process.
+
+type: long
+
+
+**`zookeeper.mntr.latency.max`**
+:   Maximum latency in milliseconds.
+
+type: long
+
+
+**`zookeeper.mntr.latency.min`**
+:   Minimum latency in milliseconds.
+
+type: long
+
+
+**`zookeeper.mntr.num_alive_connections`**
+:   Number of connections to ZooKeeper that are currently alive.
+
+type: long
+
+
+**`zookeeper.mntr.open_file_descriptor_count`**
+:   Number of file descriptors open by the ZooKeeper process.
+
+type: long
+
+
+**`zookeeper.mntr.outstanding_requests`**
+:   Number of outstanding requests that need to be processed by the cluster.
+
+type: long
+
+
+**`zookeeper.mntr.packets.received`**
+:   Number of ZooKeeper network packets received.
+
+type: long
+
+
+**`zookeeper.mntr.packets.sent`**
+:   Number of ZooKeeper network packets sent.
+
+type: long
+
+
+**`zookeeper.mntr.pending_syncs`**
+:   Number of pending syncs to carry out to ZooKeeper ensemble followers.
+
+type: long
+
+
+**`zookeeper.mntr.server_state`**
+:   Role in the ZooKeeper ensemble.
+
+type: keyword
+
+
+**`zookeeper.mntr.synced_followers`**
+:   Number of synced followers reported when a node server_state is leader.
+
+type: long
+
+
+**`zookeeper.mntr.version`**
+:   ZooKeeper version and build string reported.
+
+type: alias
+
+alias to: service.version
+
+
+**`zookeeper.mntr.watch_count`**
+:   Number of watches currently set on the local ZooKeeper process.
+
+type: long
+
+
+**`zookeeper.mntr.znode_count`**
+:   Number of znodes reported by the local ZooKeeper process.
+
+type: long
+
+
+**`zookeeper.mntr.learners`**
+:   Number of learners (either followers or observers) seen by the current host (From ZooKeeper 3.6.0)
+
+type: long
+
+
+
+## server [_server_10]
+
+server contains the metrics reported by the four-letter `srvr` command.
+
+**`zookeeper.server.connections`**
+:   Number of clients currently connected to the server
+
+type: long
+
+
+**`zookeeper.server.latency.avg`**
+:   Average amount of time taken for the server to respond to a client request
+
+type: long
+
+
+**`zookeeper.server.latency.max`**
+:   Maximum amount of time taken for the server to respond to a client request
+
+type: long
+
+
+**`zookeeper.server.latency.min`**
+:   Minimum amount of time taken for the server to respond to a client request
+
+type: long
+
+
+**`zookeeper.server.mode`**
+:   Mode of the server. In an ensemble, this may either be leader or follower. Otherwise, it is standalone
+
+type: keyword
+
+
+**`zookeeper.server.node_count`**
+:   Total number of nodes
+
+type: long
+
+
+**`zookeeper.server.outstanding`**
+:   Number of requests queued at the server. This exceeds zero when the server receives more requests than it is able to process
+
+type: long
+
+
+**`zookeeper.server.received`**
+:   Number of requests received by the server
+
+type: long
+
+
+**`zookeeper.server.sent`**
+:   Number of requests sent by the server
+
+type: long
+
+
+**`zookeeper.server.version_date`**
+:   Date of the Zookeeper release currently in use
+
+type: date
+
+
+**`zookeeper.server.zxid`**
+:   Unique value of the Zookeeper transaction ID. The zxid consists of an epoch and a counter. It is established by the leader and is used to determine the temporal ordering of changes
+
+type: keyword
+
+
+**`zookeeper.server.count`**
+:   Total transactions of the leader in epoch
+
+type: long
+
+
+**`zookeeper.server.epoch`**
+:   Epoch value of the Zookeeper transaction ID. An epoch signifies the period in which a server is a leader
+
+type: long
+
+
diff --git a/docs/reference/metricbeat/exported-fields.md b/docs/reference/metricbeat/exported-fields.md
new file mode 100644
index 000000000000..cc8fb541868c
--- /dev/null
+++ b/docs/reference/metricbeat/exported-fields.md
@@ -0,0 +1,86 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields.html
+---
+
+# Exported fields [exported-fields]
+
+This document describes the fields that are exported by Metricbeat. They are grouped in the following categories:
+
+* [*ActiveMQ fields*](/reference/metricbeat/exported-fields-activemq.md)
+* [*Aerospike fields*](/reference/metricbeat/exported-fields-aerospike.md)
+* [*Airflow fields*](/reference/metricbeat/exported-fields-airflow.md)
+* [*Apache fields*](/reference/metricbeat/exported-fields-apache.md)
+* [*AWS fields*](/reference/metricbeat/exported-fields-aws.md)
+* [*AWS Fargate fields*](/reference/metricbeat/exported-fields-awsfargate.md)
+* [*Azure fields*](/reference/metricbeat/exported-fields-azure.md)
+* [*Beat fields*](/reference/metricbeat/exported-fields-beat-common.md)
+* [*Beat fields*](/reference/metricbeat/exported-fields-beat.md)
+* [*Benchmark fields*](/reference/metricbeat/exported-fields-benchmark.md)
+* [*Ceph fields*](/reference/metricbeat/exported-fields-ceph.md)
+* [*Cloud provider metadata fields*](/reference/metricbeat/exported-fields-cloud.md)
+* [*Cloudfoundry fields*](/reference/metricbeat/exported-fields-cloudfoundry.md)
+* [*CockroachDB fields*](/reference/metricbeat/exported-fields-cockroachdb.md)
+* [*Common fields*](/reference/metricbeat/exported-fields-common.md)
+* [*Consul fields*](/reference/metricbeat/exported-fields-consul.md)
+* [*Containerd fields*](/reference/metricbeat/exported-fields-containerd.md)
+* [*Coredns fields*](/reference/metricbeat/exported-fields-coredns.md)
+* [*Couchbase fields*](/reference/metricbeat/exported-fields-couchbase.md)
+* [*CouchDB fields*](/reference/metricbeat/exported-fields-couchdb.md)
+* [*Docker fields*](/reference/metricbeat/exported-fields-docker-processor.md)
+* [*Docker fields*](/reference/metricbeat/exported-fields-docker.md)
+* [*Dropwizard fields*](/reference/metricbeat/exported-fields-dropwizard.md)
+* [*ECS fields*](/reference/metricbeat/exported-fields-ecs.md)
+* [*Elasticsearch fields*](/reference/metricbeat/exported-fields-elasticsearch.md)
+* [*Envoyproxy fields*](/reference/metricbeat/exported-fields-envoyproxy.md)
+* [*Etcd fields*](/reference/metricbeat/exported-fields-etcd.md)
+* [*Google Cloud Platform fields*](/reference/metricbeat/exported-fields-gcp.md)
+* [*Golang fields*](/reference/metricbeat/exported-fields-golang.md)
+* [*Graphite fields*](/reference/metricbeat/exported-fields-graphite.md)
+* [*HAProxy fields*](/reference/metricbeat/exported-fields-haproxy.md)
+* [*Host fields*](/reference/metricbeat/exported-fields-host-processor.md)
+* [*HTTP fields*](/reference/metricbeat/exported-fields-http.md)
+* [*IBM MQ fields*](/reference/metricbeat/exported-fields-ibmmq.md)
+* [*IIS fields*](/reference/metricbeat/exported-fields-iis.md)
+* [*Istio fields*](/reference/metricbeat/exported-fields-istio.md)
+* [*Jolokia fields*](/reference/metricbeat/exported-fields-jolokia.md)
+* [*Jolokia Discovery autodiscover provider fields*](/reference/metricbeat/exported-fields-jolokia-autodiscover.md)
+* [*Kafka fields*](/reference/metricbeat/exported-fields-kafka.md)
+* [*Kibana fields*](/reference/metricbeat/exported-fields-kibana.md)
+* [*Kubernetes fields*](/reference/metricbeat/exported-fields-kubernetes-processor.md)
+* [*Kubernetes fields*](/reference/metricbeat/exported-fields-kubernetes.md)
+* [*KVM fields*](/reference/metricbeat/exported-fields-kvm.md)
+* [*Linux fields*](/reference/metricbeat/exported-fields-linux.md)
+* [*Logstash fields*](/reference/metricbeat/exported-fields-logstash.md)
+* [*Memcached fields*](/reference/metricbeat/exported-fields-memcached.md)
+* [Memcached fields](/reference/metricbeat/exported-fields-memcached.md#exported-fields-meraki)
+* [*MongoDB fields*](/reference/metricbeat/exported-fields-mongodb.md)
+* [*MSSQL fields*](/reference/metricbeat/exported-fields-mssql.md)
+* [*Munin fields*](/reference/metricbeat/exported-fields-munin.md)
+* [*MySQL fields*](/reference/metricbeat/exported-fields-mysql.md)
+* [*NATS fields*](/reference/metricbeat/exported-fields-nats.md)
+* [*Nginx fields*](/reference/metricbeat/exported-fields-nginx.md)
+* [*openai fields*](/reference/metricbeat/exported-fields-openai.md)
+* [*Openmetrics fields*](/reference/metricbeat/exported-fields-openmetrics.md)
+* [*Oracle fields*](/reference/metricbeat/exported-fields-oracle.md)
+* [*Panw fields*](/reference/metricbeat/exported-fields-panw.md)
+* [*PHP_FPM fields*](/reference/metricbeat/exported-fields-php_fpm.md)
+* [*PostgreSQL fields*](/reference/metricbeat/exported-fields-postgresql.md)
+* [*Process fields*](/reference/metricbeat/exported-fields-process.md)
+* [*Prometheus fields*](/reference/metricbeat/exported-fields-prometheus.md)
+* [*Prometheus typed metrics fields*](/reference/metricbeat/exported-fields-prometheus-xpack.md)
+* [*RabbitMQ fields*](/reference/metricbeat/exported-fields-rabbitmq.md)
+* [*Redis fields*](/reference/metricbeat/exported-fields-redis.md)
+* [*Redis Enterprise fields*](/reference/metricbeat/exported-fields-redisenterprise.md)
+* [*SQL fields*](/reference/metricbeat/exported-fields-sql.md)
+* [*Stan fields*](/reference/metricbeat/exported-fields-stan.md)
+* [*Statsd fields*](/reference/metricbeat/exported-fields-statsd.md)
+* [*SyncGateway fields*](/reference/metricbeat/exported-fields-syncgateway.md)
+* [*System fields*](/reference/metricbeat/exported-fields-system.md)
+* [*Tomcat fields*](/reference/metricbeat/exported-fields-tomcat.md)
+* [*Traefik fields*](/reference/metricbeat/exported-fields-traefik.md)
+* [*uWSGI fields*](/reference/metricbeat/exported-fields-uwsgi.md)
+* [*vSphere fields*](/reference/metricbeat/exported-fields-vsphere.md)
+* [*Windows fields*](/reference/metricbeat/exported-fields-windows.md)
+* [*ZooKeeper fields*](/reference/metricbeat/exported-fields-zookeeper.md)
+
diff --git a/docs/reference/metricbeat/extract-array.md b/docs/reference/metricbeat/extract-array.md
new file mode 100644
index 000000000000..9fb33eb24f4f
--- /dev/null
+++ b/docs/reference/metricbeat/extract-array.md
@@ -0,0 +1,46 @@
+---
+navigation_title: "extract_array"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/extract-array.html
+---
+
+# Extract array [extract-array]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `extract_array` processor populates fields with values read from an array field. The following example will populate `source.ip` with the first element of the `my_array` field, `destination.ip` with the second element, and `network.transport` with the third.
+
+```yaml
+processors:
+  - extract_array:
+      field: my_array
+      mappings:
+        source.ip: 0
+        destination.ip: 1
+        network.transport: 2
+```
+
+The following settings are supported:
+
+`field`
+:   The array field whose elements are to be extracted.
+
+`mappings`
+:   Maps each field name to an array index. Use 0 for the first element in the array. Multiple fields can be mapped to the same array element.
+
+`ignore_missing`
+:   (Optional) Whether to ignore events where the array field is missing. The default is `false`, which will fail processing of an event if the specified field does not exist. Set it to `true` to ignore this condition.
+
+`overwrite_keys`
+:   Whether the target fields specified in the mapping are overwritten if they already exist. The default is `false`, which will fail processing if a target field already exists.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error happens, changes to the event are reverted, and the original event is returned. If set to `false`, processing continues despite errors. Default is `true`.
+
+`omit_empty`
+:   (Optional) Whether empty values are extracted from the array. If set to `true`, instead of the target field being set to an empty value, it is left unset. The empty string (`""`), an empty array (`[]`) or an empty object (`{}`) are considered empty values. Default is `false`.
+
diff --git a/docs/reference/metricbeat/faq-unexpected-metrics.md b/docs/reference/metricbeat/faq-unexpected-metrics.md
new file mode 100644
index 000000000000..177f3f1a4539
--- /dev/null
+++ b/docs/reference/metricbeat/faq-unexpected-metrics.md
@@ -0,0 +1,30 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/faq-unexpected-metrics.html
+---
+
+# Metricbeat collects system metrics for interfaces you didn���t configure [faq-unexpected-metrics]
+
+The [System](/reference/metricbeat/metricbeat-module-system.md) module specifies several metricsets that are enabled by default unless you explicitly disable them. To disable a default metricset, comment it out in the `modules.d/system.yml` configuration file. If *all* metricsets are commented out and the System module is enabled, Metricbeat uses the default metricsets.
+
+For example, to disable the `network` metricset, comment it out:
+
+```yaml
+  - module: system
+    period: 10s
+    metricsets:
+      - cpu
+      - load
+      - memory
+      #- network
+      - process
+      - process_summary
+      - socket_summary
+      #- entropy
+      #- core
+      #- diskio
+      #- socket
+```
+
+You cannot override the default configuration by adding another module definition to the configuration. There is no concept of inheritance. Metricbeat combines all module configurations at runtime. This enables you to specify module definitions that use different combinations of metricsets, periods, and hosts.
+
diff --git a/docs/reference/metricbeat/faq.md b/docs/reference/metricbeat/faq.md
new file mode 100644
index 000000000000..c489de7780e1
--- /dev/null
+++ b/docs/reference/metricbeat/faq.md
@@ -0,0 +1,22 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/faq.html
+---
+
+# Common problems [faq]
+
+This section describes common problems you might encounter with Metricbeat. Also check out the [Metricbeat discussion forum](https://discuss.elastic.co/c/beats/metricbeat).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/feature-roles.md b/docs/reference/metricbeat/feature-roles.md
new file mode 100644
index 000000000000..1d3561c1308b
--- /dev/null
+++ b/docs/reference/metricbeat/feature-roles.md
@@ -0,0 +1,25 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/feature-roles.html
+---
+
+# Grant users access to secured resources [feature-roles]
+
+You can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.
+
+Typically you need the create the following separate roles:
+
+* [setup role](/reference/metricbeat/privileges-to-setup-beats.md) for setting up index templates and other dependencies
+* [monitoring role](/reference/metricbeat/privileges-to-publish-monitoring.md) for sending monitoring information
+* [writer role](/reference/metricbeat/privileges-to-publish-events.md)  for publishing events collected by Metricbeat
+* [reader role](/reference/metricbeat/kibana-user-privileges.md) for {{kib}} users who need to view and create visualizations that access Metricbeat data
+
+{{es-security-features}} provides [built-in roles](elasticsearch://reference/elasticsearch/roles.md) that grant a subset of the privileges needed by Metricbeat users. When possible, use the built-in roles to minimize the affect of future changes on your security strategy.
+
+Instead of using usernames and passwords, roles and privileges can be assigned to API keys to grant access to Elasticsearch resources. See [*Grant access using API keys*](/reference/metricbeat/beats-api-keys.md) for more information.
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/file-output.md b/docs/reference/metricbeat/file-output.md
new file mode 100644
index 000000000000..14dba6bd1be7
--- /dev/null
+++ b/docs/reference/metricbeat/file-output.md
@@ -0,0 +1,89 @@
+---
+navigation_title: "File"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/file-output.html
+---
+
+# Configure the File output [file-output]
+
+
+The File output dumps the transactions into a file where each transaction is in a JSON format. Currently, this output is used for testing, but it can be used as input for Logstash.
+
+To use this output, edit the Metricbeat configuration file to disable the {{es}} output by commenting it out, and enable the file output by adding `output.file`.
+
+Example configuration:
+
+```yaml
+output.file:
+  path: "/tmp/metricbeat"
+  filename: metricbeat
+  #rotate_every_kb: 10000
+  #number_of_files: 7
+  #permissions: 0600
+  #rotate_on_startup: true
+```
+
+## Configuration options [_configuration_options_6]
+
+You can specify the following `output.file` options in the `metricbeat.yml` config file:
+
+### `enabled` [_enabled_6]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `path` [path]
+
+The path to the directory where the generated files will be saved. This option is mandatory.
+
+The path may include the timestamp when the file output is initialized using the `+FORMAT` syntax where `FORMAT` is a valid [time format](https://github.com/elastic/beats/blob/main/libbeat/common/dtfmt/doc.go), and enclosed with expansion braces: `%{+FORMAT}`. For example:
+
+```
+path: 'fileoutput-%{+yyyy.MM.dd}'
+```
+
+
+### `filename` [_filename]
+
+The name of the generated files. The default is set to the Beat name. For example, the files generated by default for Metricbeat would be `"metricbeat-{{datetime}}.ndjson"`, `"metricbeat-{{datetime}}-1.ndjson"`, `"metricbeat-{{datetime}}-2.ndjson"`, and so on.
+
+
+### `rotate_every_kb` [_rotate_every_kb]
+
+The maximum size in kilobytes of each file. When this size is reached, the files are rotated. The default value is 10240 KB.
+
+
+### `number_of_files` [_number_of_files]
+
+The maximum number of files to save under [`path`](#path). When this number of files is reached, the oldest file is deleted, and the rest of the files are shifted from last to first. The number of files must be between 2 and 1024. The default is 7.
+
+
+### `permissions` [_permissions]
+
+Permissions to use for file creation. The default is 0600.
+
+
+### `rotate_on_startup` [_rotate_on_startup]
+
+If the output file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to true.
+
+
+### `codec` [_codec_3]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/metricbeat/configuration-output-codec.md) for more information.
+
+
+### `queue` [_queue_5]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/metricbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `metricbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/metricbeat/filtering-enhancing-data.md b/docs/reference/metricbeat/filtering-enhancing-data.md
new file mode 100644
index 000000000000..dfbc8b346964
--- /dev/null
+++ b/docs/reference/metricbeat/filtering-enhancing-data.md
@@ -0,0 +1,78 @@
+---
+navigation_title: "Processors"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/filtering-and-enhancing-data.html
+---
+
+# Filter and enhance data with processors [filtering-and-enhancing-data]
+
+
+You can [define processors](/reference/metricbeat/defining-processors.md) in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:
+
+* reducing the number of exported fields
+* enhancing events with additional metadata
+* performing additional processing and decoding
+
+Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Metricbeat configuration file.
+
+```yaml
+event -> processor 1 -> event1 -> processor 2 -> event2 ...
+```
+
+::::{important}
+It’s recommended to do all drop and renaming of existing fields as the last step in a processor configuration. This is because dropping or renaming fields can remove data necessary for the next processor in the chain, for example dropping the `source.ip` field would remove one of the fields necessary for the `community_id` processor to function. If it’s necessary to remove, rename or overwrite an existing event field, please make sure it’s done by a corresponding processor ([`drop_fields`](/reference/metricbeat/drop-fields.md), [`rename`](/reference/metricbeat/rename-fields.md) or [`add_fields`](/reference/metricbeat/add-fields.md)) placed at the end of the processor list defined in the input configuration.
+::::
+
+
+For example, the following configuration reduces the exported fields by dropping the `agent.name` and `agent.version` fields under `beat` from all documents.
+
+```yaml
+processors:
+  - drop_fields:
+      fields: ['agent']
+```
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/fingerprint.md b/docs/reference/metricbeat/fingerprint.md
new file mode 100644
index 000000000000..d4576a938eb7
--- /dev/null
+++ b/docs/reference/metricbeat/fingerprint.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "fingerprint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/fingerprint.html
+---
+
+# Generate a fingerprint of an event [fingerprint]
+
+
+The `fingerprint` processor generates a fingerprint of an event based on a specified subset of its fields.
+
+The value that is hashed is constructed as a concatenation of the field name and field value separated by `|`. For example `|field1|value1|field2|value2|`.
+
+Nested fields are supported in the following format: `"field1.field2"` e.g: `["log.path.file", "foo"]`
+
+```yaml
+processors:
+  - fingerprint:
+      fields: ["field1", "field2", ...]
+```
+
+The following settings are supported:
+
+`fields`
+:   List of fields to use as the source for the fingerprint. The list will be alphabetically sorted by the processor.
+
+`ignore_missing`
+:   (Optional) Whether to ignore missing fields. Default is `false`.
+
+`target_field`
+:   (Optional) Field in which the generated fingerprint should be stored. Default is `fingerprint`.
+
+`method`
+:   (Optional) Algorithm to use for computing the fingerprint. Must be one of: `md5`, `sha1`, `sha256`, `sha384`, `sha512`, `xxhash`. Default is `sha256`.
+
+`encoding`
+:   (Optional) Encoding to use on the fingerprint value. Must be one of `hex`, `base32`, or `base64`. Default is `hex`.
+
diff --git a/docs/reference/metricbeat/freebsd-no-such-file.md b/docs/reference/metricbeat/freebsd-no-such-file.md
new file mode 100644
index 000000000000..59299445d36b
--- /dev/null
+++ b/docs/reference/metricbeat/freebsd-no-such-file.md
@@ -0,0 +1,15 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/freebsd-no-such-file.html
+---
+
+# open /compat/linux/proc: no such file or directory error on FreeBSD [freebsd-no-such-file]
+
+The system metricsets rely on a Linux compatibility layer to retrieve metrics on FreeBSD. You need to mount the Linux procfs filesystem using the following commands. You may want to add these filesystems to your `/etc/fstab` so they are mounted automatically.
+
+```sh
+sudo mount -t procfs proc /proc
+sudo mkdir -p /compat/linux/proc
+sudo mount -t linprocfs /dev/null /compat/linux/proc
+```
+
diff --git a/docs/reference/metricbeat/getting-help.md b/docs/reference/metricbeat/getting-help.md
new file mode 100644
index 000000000000..10f3ceab1d05
--- /dev/null
+++ b/docs/reference/metricbeat/getting-help.md
@@ -0,0 +1,16 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/getting-help.html
+---
+
+# Get help [getting-help]
+
+Start by searching the [Metricbeat discussion forum](https://discuss.elastic.co/c/beats/metricbeat) for your issue. If you can’t find a resolution, open a new issue or add a comment to an existing one. Make sure you provide the following information, and we’ll help you troubleshoot the problem:
+
+* Metricbeat version
+* Operating System
+* Configuration
+* Any supporting information, such as debugging output, that will help us diagnose your problem. See [*Debug*](/reference/metricbeat/enable-metricbeat-debugging.md) for more details.
+
+If you’re sure you found a bug, you can open a ticket on [GitHub](https://github.com/elastic/beats/issues?state=open). Note, however, that we close GitHub issues containing questions or requests for help if they don’t indicate the presence of a bug.
+
diff --git a/docs/reference/metricbeat/how-metricbeat-works.md b/docs/reference/metricbeat/how-metricbeat-works.md
new file mode 100644
index 000000000000..4fa9877b974a
--- /dev/null
+++ b/docs/reference/metricbeat/how-metricbeat-works.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/how-metricbeat-works.html
+---
+
+# How Metricbeat works [how-metricbeat-works]
+
+Metricbeat consists of modules and metricsets. A Metricbeat *module* defines the basic logic for collecting data from a specific service, such as Redis, MySQL, and so on. The module specifies details about the service, including how to connect, how often to collect metrics, and which metrics to collect.
+
+Each module has one or more metricsets. A *metricset* is the part of the module that fetches and structures the data. Rather than collecting each metric as a separate event, metricsets retrieve a list of multiple related metrics in a single request to the remote system. So, for example, the Redis module provides an `info` metricset that collects information and statistics from Redis by running the [`INFO`](http://redis.io/commands/INFO) command and parsing the returned result.
+
+:::{image} images/module-overview.png
+:alt: Modules and metricsets
+:::
+
+Likewise, the MySQL module provides a `status` metricset that collects data from MySQL by running a [`SHOW GLOBAL STATUS`](http://dev.mysql.com/doc/refman/5.7/en/show-status.md) SQL query. Metricsets make it easier for you by grouping sets of related metrics together in a single request returned by the remote server. Most modules have default metricsets that are enabled if there are no user-enabled metricsets.
+
+Metricbeat retrieves metrics by periodically interrogating the host system based on the `period` value that you specify when you configure the module. Because multiple metricsets can send requests to the same service, Metricbeat reuses connections whenever possible. If Metricbeat cannot connect to the host system within the time specified by the `timeout` config setting, it returns an error. Metricbeat sends the events asynchronously, which means the event retrieval is not acknowledged. If the configured output is not available, events may be lost.
+
+When Metricbeat encounters an error (for example, when it cannot connect to the host system), it sends an event error to the specified output. This means that Metricbeat always sends an event, even when there is a failure. This allows you to monitor for errors and see debug messages to help you diagnose what went wrong.
+
+The following topics provide more detail about the structure of Metricbeat events:
+
+* [Event structure](/reference/metricbeat/metricbeat-event-structure.md)
+* [Error event structure](/reference/metricbeat/error-event-structure.md)
+
+For more about the benefits of using Metricbeat, see [Key metricbeat features](/reference/metricbeat/key-features.md).
+
+
+
+
diff --git a/docs/reference/metricbeat/howto-guides.md b/docs/reference/metricbeat/howto-guides.md
new file mode 100644
index 000000000000..c9522d52b7a4
--- /dev/null
+++ b/docs/reference/metricbeat/howto-guides.md
@@ -0,0 +1,17 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/howto-guides.html
+---
+
+# How to guides [howto-guides]
+
+Learn how to perform common Metricbeat configuration tasks.
+
+* [*Load the {{es}} index template*](/reference/metricbeat/metricbeat-template.md)
+* [*Change the index name*](/reference/metricbeat/change-index-name.md)
+* [*Load {{kib}} dashboards*](/reference/metricbeat/load-kibana-dashboards.md)
+* [*Enrich events with geoIP information*](/reference/metricbeat/metricbeat-geoip.md)
+* [*Use environment variables in the configuration*](/reference/metricbeat/using-environ-vars.md)
+* [*Parse data using an ingest pipeline*](/reference/metricbeat/configuring-ingest-node.md)
+* [*Avoid YAML formatting problems*](/reference/metricbeat/yaml-tips.md)
+
diff --git a/docs/reference/metricbeat/http-endpoint.md b/docs/reference/metricbeat/http-endpoint.md
new file mode 100644
index 000000000000..925d58331d2a
--- /dev/null
+++ b/docs/reference/metricbeat/http-endpoint.md
@@ -0,0 +1,187 @@
+---
+navigation_title: "HTTP endpoint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/http-endpoint.html
+---
+
+# Configure an HTTP endpoint for metrics [http-endpoint]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+Metricbeat can expose internal metrics through an HTTP endpoint. These are useful to monitor the internal state of the Beat. For security reasons the endpoint is disabled by default, as you may want to avoid exposing this info.
+
+The HTTP endpoint has the following configuration settings:
+
+`http.enabled`
+:   (Optional) Enable the HTTP endpoint. Default is `false`.
+
+`http.host`
+:   (Optional) Bind to this hostname, IP address, unix socket (unix:///var/run/metricbeat.sock) or Windows named pipe (npipe:///metricbeat). It is recommended to use only localhost. Default is `localhost`
+
+`http.port`
+:   (Optional) Port on which the HTTP endpoint will bind. Default is `5066`.
+
+`http.named_pipe.user`
+:   (Optional) User to use to create the named pipe, only work on Windows, Default to the current user.
+
+`http.named_pipe.security_descriptor`
+:   (Optional) Windows Security descriptor string defined in the SDDL format. Default to read and write permission for the current user.
+
+`http.pprof.enabled`
+:   (Optional) Enable the `/debug/pprof/` endpoints when serving HTTP. It is recommended that this is only enabled on localhost as these endpoints may leak data. Default is `false`.
+
+`http.pprof.block_profile_rate`
+:   (Optional) `block_profile_rate` controls the fraction of goroutine blocking events that are reported in the blocking profile available from `/debug/pprof/block`. The profiler aims to sample an average of one blocking event per rate nanoseconds spent blocked. To include every blocking event in the profile, pass rate = 1. To turn off profiling entirely, pass rate ⇐ 0. Defaults to 0.
+
+`http.pprof.mem_profile_rate`
+:   (Optional) `mem_profile_rate` controls the fraction of memory allocations that are recorded and reported in the memory profile available from `/debug/pprof/heap`. The profiler aims to sample an average of one allocation per `mem_profile_rate` bytes allocated. To include every allocated block in the profile, set `mem_profile_rate` to 1. To turn off profiling entirely, set `mem_profile_rate` to 0. Defaults to 524288.
+
+`http.pprof.mutex_profile_rate`
+:   (Optional) `mutex_profile_rate` controls the fraction of mutex contention events that are reported in the mutex profile available from `/debug/pprof/mutex`. On average 1/rate events are reported. To turn off profiling entirely, pass rate 0. The default value is 0.
+
+This is the list of paths you can access. For pretty JSON output append `?pretty` to the URL.
+
+You can query a unix socket using the `cURL` command and the `--unix-socket` flag.
+
+```js
+curl -XGET --unix-socket '/var/run/{beatname_lc}.sock' 'http:/stats/?pretty'
+```
+
+
+## Info [_info]
+
+`/` provides basic info from the Metricbeat. Example:
+
+```js
+curl -XGET 'localhost:5066/?pretty'
+```
+
+```js
+{
+  "beat": "metricbeat",
+  "hostname": "example.lan",
+  "name": "example.lan",
+  "uuid": "34f6c6e1-45a8-4b12-9125-11b3e6e89866",
+  "version": "9.0.0-beta1"
+}
+```
+
+
+## Stats [_stats]
+
+`/stats` reports internal metrics. Example:
+
+```js
+curl -XGET 'localhost:5066/stats?pretty'
+```
+
+```js
+{
+  "beat": {
+    "cpu": {
+      "system": {
+        "ticks": 1710,
+        "time": {
+          "ms": 1712
+        }
+      },
+      "total": {
+        "ticks": 3420,
+        "time": {
+          "ms": 3424
+        },
+        "value": 3420
+      },
+      "user": {
+        "ticks": 1710,
+        "time": {
+          "ms": 1712
+        }
+      }
+    },
+    "info": {
+      "ephemeral_id": "ab4287c4-d907-4d9d-b074-d8c3cec4a577",
+      "uptime": {
+        "ms": 195547
+      }
+    },
+    "memstats": {
+      "gc_next": 17855152,
+      "memory_alloc": 9433384,
+      "memory_total": 492478864,
+      "rss": 50405376
+    },
+    "runtime": {
+      "goroutines": 22
+    }
+  },
+  "libbeat": {
+    "config": {
+      "module": {
+        "running": 0,
+        "starts": 0,
+        "stops": 0
+      },
+      "scans": 1,
+      "reloads": 1
+    },
+    "output": {
+      "events": {
+        "acked": 0,
+        "active": 0,
+        "batches": 0,
+        "dropped": 0,
+        "duplicates": 0,
+        "failed": 0,
+        "total": 0
+      },
+      "read": {
+        "bytes": 0,
+        "errors": 0
+      },
+      "type": "elasticsearch",
+      "write": {
+        "bytes": 0,
+        "errors": 0
+      }
+    },
+    "pipeline": {
+      "clients": 6,
+      "events": {
+        "active": 716,
+        "dropped": 0,
+        "failed": 0,
+        "filtered": 0,
+        "published": 716,
+        "retry": 278,
+        "total": 716
+      },
+      "queue": {
+        "acked": 0
+      }
+    }
+  },
+  "system": {
+    "cpu": {
+      "cores": 4
+    },
+    "load": {
+      "1": 2.22,
+      "15": 1.8,
+      "5": 1.74,
+      "norm": {
+        "1": 0.555,
+        "15": 0.45,
+        "5": 0.435
+      }
+    }
+  }
+}
+```
+
+The actual output may contain more metrics specific to Metricbeat
+
diff --git a/docs/reference/metricbeat/ilm.md b/docs/reference/metricbeat/ilm.md
new file mode 100644
index 000000000000..acfcf88c35ae
--- /dev/null
+++ b/docs/reference/metricbeat/ilm.md
@@ -0,0 +1,58 @@
+---
+navigation_title: "Index lifecycle management (ILM)"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/ilm.html
+---
+
+# Configure index lifecycle management [ilm]
+
+
+Use the [index lifecycle management](docs-content://manage-data/lifecycle/index-lifecycle-management/tutorial-automate-rollover.md) (ILM) feature in {{es}} to manage your Metricbeat their backing indices of your data streams as they age. Metricbeat loads the default policy automatically and applies it to any data streams created by Metricbeat.
+
+You can view and edit the policy in the **Index lifecycle policies** UI in {{kib}}. For more information about working with the UI, see [Index lifecyle policies](docs-content://manage-data/lifecycle/index-lifecycle-management.md).
+
+Example configuration:
+
+```yaml
+setup.ilm.enabled: true
+```
+
+::::{warning}
+If index lifecycle management is enabled (which is typically the default), `setup.template.name` and `setup.template.pattern` are ignored.
+::::
+
+
+
+## Configuration options [_configuration_options_10]
+
+You can specify the following settings in the `setup.ilm` section of the `metricbeat.yml` config file:
+
+
+### `setup.ilm.enabled` [setup-ilm-option]
+
+Enables or disables index lifecycle management on any new indices created by Metricbeat. Valid values are `true` and `false`.
+
+
+### `setup.ilm.policy_name` [setup-ilm-policy_name-option]
+
+The name to use for the lifecycle policy. The default is `metricbeat`.
+
+
+### `setup.ilm.policy_file` [setup-ilm-policy_file-option]
+
+The path to a JSON file that contains a lifecycle policy configuration. Use this setting to load your own lifecycle policy.
+
+For more information about lifecycle policies, see [Set up index lifecycle management policy](docs-content://manage-data/lifecycle/index-lifecycle-management/configure-lifecycle-policy.md) in the *{{es}} Reference*.
+
+
+### `setup.ilm.check_exists` [setup-ilm-check_exists-option]
+
+When set to `false`, disables the check for an existing lifecycle policy. The default is `true`. You need to disable this check if the Metricbeat user connecting to a secured cluster doesn’t have the `read_ilm` privilege.
+
+If you set this option to `false`, lifecycle policy will not be installed, even if `setup.ilm.overwrite` is set to `true`.
+
+
+### `setup.ilm.overwrite` [setup-ilm-overwrite-option]
+
+When set to `true`, the lifecycle policy is overwritten at startup. The default is `false`.
+
diff --git a/metricbeat/docs/images/apache_httpd_server_status.png b/docs/reference/metricbeat/images/apache_httpd_server_status.png
similarity index 100%
rename from metricbeat/docs/images/apache_httpd_server_status.png
rename to docs/reference/metricbeat/images/apache_httpd_server_status.png
diff --git a/metricbeat/docs/images/ceph-overview-dashboard.png b/docs/reference/metricbeat/images/ceph-overview-dashboard.png
similarity index 100%
rename from metricbeat/docs/images/ceph-overview-dashboard.png
rename to docs/reference/metricbeat/images/ceph-overview-dashboard.png
diff --git a/metricbeat/docs/images/coordinate-map.png b/docs/reference/metricbeat/images/coordinate-map.png
similarity index 100%
rename from metricbeat/docs/images/coordinate-map.png
rename to docs/reference/metricbeat/images/coordinate-map.png
diff --git a/metricbeat/docs/images/icon-no.png b/docs/reference/metricbeat/images/icon-no.png
similarity index 100%
rename from metricbeat/docs/images/icon-no.png
rename to docs/reference/metricbeat/images/icon-no.png
diff --git a/metricbeat/docs/images/icon-yes.png b/docs/reference/metricbeat/images/icon-yes.png
similarity index 100%
rename from metricbeat/docs/images/icon-yes.png
rename to docs/reference/metricbeat/images/icon-yes.png
diff --git a/metricbeat/docs/images/metricbeat-activemq-broker-overview.png b/docs/reference/metricbeat/images/metricbeat-activemq-broker-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-activemq-broker-overview.png
rename to docs/reference/metricbeat/images/metricbeat-activemq-broker-overview.png
diff --git a/metricbeat/docs/images/metricbeat-activemq-queues-overview.png b/docs/reference/metricbeat/images/metricbeat-activemq-queues-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-activemq-queues-overview.png
rename to docs/reference/metricbeat/images/metricbeat-activemq-queues-overview.png
diff --git a/metricbeat/docs/images/metricbeat-activemq-topics-overview.png b/docs/reference/metricbeat/images/metricbeat-activemq-topics-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-activemq-topics-overview.png
rename to docs/reference/metricbeat/images/metricbeat-activemq-topics-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aerospike-overview.png b/docs/reference/metricbeat/images/metricbeat-aerospike-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aerospike-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aerospike-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-billing-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-billing-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-billing-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-billing-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-dynamodb-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-dynamodb-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-dynamodb-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-dynamodb-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-ebs-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-ebs-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-ebs-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-ebs-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-ec2-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-ec2-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-ec2-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-ec2-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-elb-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-elb-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-elb-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-elb-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-kinesis-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-kinesis-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-kinesis-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-kinesis-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-lambda-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-lambda-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-lambda-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-lambda-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-natgateway-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-natgateway-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-natgateway-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-natgateway-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-rds-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-rds-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-rds-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-rds-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-s3-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-s3-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-s3-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-s3-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-sns-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-sns-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-sns-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-sns-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-sqs-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-sqs-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-sqs-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-sqs-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-transitgateway-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-transitgateway-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-transitgateway-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-transitgateway-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-usage-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-usage-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-usage-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-usage-overview.png
diff --git a/metricbeat/docs/images/metricbeat-aws-vpn-overview.png b/docs/reference/metricbeat/images/metricbeat-aws-vpn-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-aws-vpn-overview.png
rename to docs/reference/metricbeat/images/metricbeat-aws-vpn-overview.png
diff --git a/metricbeat/docs/images/metricbeat-awsfargate-overview.png b/docs/reference/metricbeat/images/metricbeat-awsfargate-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-awsfargate-overview.png
rename to docs/reference/metricbeat/images/metricbeat-awsfargate-overview.png
diff --git a/metricbeat/docs/images/metricbeat-azure-app-state-overview.png b/docs/reference/metricbeat/images/metricbeat-azure-app-state-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-azure-app-state-overview.png
rename to docs/reference/metricbeat/images/metricbeat-azure-app-state-overview.png
diff --git a/metricbeat/docs/images/metricbeat-azure-billing-overview.png b/docs/reference/metricbeat/images/metricbeat-azure-billing-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-azure-billing-overview.png
rename to docs/reference/metricbeat/images/metricbeat-azure-billing-overview.png
diff --git a/metricbeat/docs/images/metricbeat-azure-database-account-overview.png b/docs/reference/metricbeat/images/metricbeat-azure-database-account-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-azure-database-account-overview.png
rename to docs/reference/metricbeat/images/metricbeat-azure-database-account-overview.png
diff --git a/metricbeat/docs/images/metricbeat-azure-storage-overview.png b/docs/reference/metricbeat/images/metricbeat-azure-storage-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-azure-storage-overview.png
rename to docs/reference/metricbeat/images/metricbeat-azure-storage-overview.png
diff --git a/metricbeat/docs/images/metricbeat-azure-vm-guestmetrics-overview.png b/docs/reference/metricbeat/images/metricbeat-azure-vm-guestmetrics-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-azure-vm-guestmetrics-overview.png
rename to docs/reference/metricbeat/images/metricbeat-azure-vm-guestmetrics-overview.png
diff --git a/metricbeat/docs/images/metricbeat-azure-vm-overview.png b/docs/reference/metricbeat/images/metricbeat-azure-vm-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-azure-vm-overview.png
rename to docs/reference/metricbeat/images/metricbeat-azure-vm-overview.png
diff --git a/metricbeat/docs/images/metricbeat-azure-vmss-overview.png b/docs/reference/metricbeat/images/metricbeat-azure-vmss-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-azure-vmss-overview.png
rename to docs/reference/metricbeat/images/metricbeat-azure-vmss-overview.png
diff --git a/metricbeat/docs/images/metricbeat-cloudfoundry-overview.png b/docs/reference/metricbeat/images/metricbeat-cloudfoundry-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-cloudfoundry-overview.png
rename to docs/reference/metricbeat/images/metricbeat-cloudfoundry-overview.png
diff --git a/metricbeat/docs/images/metricbeat-cloudfoundry-platform-health.png b/docs/reference/metricbeat/images/metricbeat-cloudfoundry-platform-health.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-cloudfoundry-platform-health.png
rename to docs/reference/metricbeat/images/metricbeat-cloudfoundry-platform-health.png
diff --git a/metricbeat/docs/images/metricbeat-cockroachdb-overview.png b/docs/reference/metricbeat/images/metricbeat-cockroachdb-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-cockroachdb-overview.png
rename to docs/reference/metricbeat/images/metricbeat-cockroachdb-overview.png
diff --git a/metricbeat/docs/images/metricbeat-consul.png b/docs/reference/metricbeat/images/metricbeat-consul.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-consul.png
rename to docs/reference/metricbeat/images/metricbeat-consul.png
diff --git a/metricbeat/docs/images/metricbeat-couchbase-overview.png b/docs/reference/metricbeat/images/metricbeat-couchbase-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-couchbase-overview.png
rename to docs/reference/metricbeat/images/metricbeat-couchbase-overview.png
diff --git a/metricbeat/docs/images/metricbeat-couchdb-overview.png b/docs/reference/metricbeat/images/metricbeat-couchdb-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-couchdb-overview.png
rename to docs/reference/metricbeat/images/metricbeat-couchdb-overview.png
diff --git a/metricbeat/docs/images/metricbeat-gcp-billing-overview.png b/docs/reference/metricbeat/images/metricbeat-gcp-billing-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-gcp-billing-overview.png
rename to docs/reference/metricbeat/images/metricbeat-gcp-billing-overview.png
diff --git a/metricbeat/docs/images/metricbeat-gcp-compute-overview.png b/docs/reference/metricbeat/images/metricbeat-gcp-compute-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-gcp-compute-overview.png
rename to docs/reference/metricbeat/images/metricbeat-gcp-compute-overview.png
diff --git a/metricbeat/docs/images/metricbeat-gcp-gke-overview.png b/docs/reference/metricbeat/images/metricbeat-gcp-gke-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-gcp-gke-overview.png
rename to docs/reference/metricbeat/images/metricbeat-gcp-gke-overview.png
diff --git a/metricbeat/docs/images/metricbeat-gcp-pubsub-overview.png b/docs/reference/metricbeat/images/metricbeat-gcp-pubsub-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-gcp-pubsub-overview.png
rename to docs/reference/metricbeat/images/metricbeat-gcp-pubsub-overview.png
diff --git a/metricbeat/docs/images/metricbeat-gcp-storage-overview.png b/docs/reference/metricbeat/images/metricbeat-gcp-storage-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-gcp-storage-overview.png
rename to docs/reference/metricbeat/images/metricbeat-gcp-storage-overview.png
diff --git a/metricbeat/docs/images/metricbeat-ibmmq-calls.png b/docs/reference/metricbeat/images/metricbeat-ibmmq-calls.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-ibmmq-calls.png
rename to docs/reference/metricbeat/images/metricbeat-ibmmq-calls.png
diff --git a/metricbeat/docs/images/metricbeat-ibmmq-messages.png b/docs/reference/metricbeat/images/metricbeat-ibmmq-messages.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-ibmmq-messages.png
rename to docs/reference/metricbeat/images/metricbeat-ibmmq-messages.png
diff --git a/metricbeat/docs/images/metricbeat-ibmmq-subscriptions.png b/docs/reference/metricbeat/images/metricbeat-ibmmq-subscriptions.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-ibmmq-subscriptions.png
rename to docs/reference/metricbeat/images/metricbeat-ibmmq-subscriptions.png
diff --git a/metricbeat/docs/images/metricbeat-iis-application-pool-overview.png b/docs/reference/metricbeat/images/metricbeat-iis-application-pool-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-iis-application-pool-overview.png
rename to docs/reference/metricbeat/images/metricbeat-iis-application-pool-overview.png
diff --git a/metricbeat/docs/images/metricbeat-iis-webserver-overview.png b/docs/reference/metricbeat/images/metricbeat-iis-webserver-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-iis-webserver-overview.png
rename to docs/reference/metricbeat/images/metricbeat-iis-webserver-overview.png
diff --git a/metricbeat/docs/images/metricbeat-iis-webserver-process.png b/docs/reference/metricbeat/images/metricbeat-iis-webserver-process.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-iis-webserver-process.png
rename to docs/reference/metricbeat/images/metricbeat-iis-webserver-process.png
diff --git a/metricbeat/docs/images/metricbeat-iis-website-overview.png b/docs/reference/metricbeat/images/metricbeat-iis-website-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-iis-website-overview.png
rename to docs/reference/metricbeat/images/metricbeat-iis-website-overview.png
diff --git a/metricbeat/docs/images/metricbeat-istio-overview.png b/docs/reference/metricbeat/images/metricbeat-istio-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-istio-overview.png
rename to docs/reference/metricbeat/images/metricbeat-istio-overview.png
diff --git a/metricbeat/docs/images/metricbeat-istio-traffic.png b/docs/reference/metricbeat/images/metricbeat-istio-traffic.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-istio-traffic.png
rename to docs/reference/metricbeat/images/metricbeat-istio-traffic.png
diff --git a/metricbeat/docs/images/metricbeat-kubernetes-clusteroverview.png b/docs/reference/metricbeat/images/metricbeat-kubernetes-clusteroverview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-kubernetes-clusteroverview.png
rename to docs/reference/metricbeat/images/metricbeat-kubernetes-clusteroverview.png
diff --git a/metricbeat/docs/images/metricbeat-kubernetes-controllermanager.png b/docs/reference/metricbeat/images/metricbeat-kubernetes-controllermanager.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-kubernetes-controllermanager.png
rename to docs/reference/metricbeat/images/metricbeat-kubernetes-controllermanager.png
diff --git a/metricbeat/docs/images/metricbeat-kubernetes-proxy.png b/docs/reference/metricbeat/images/metricbeat-kubernetes-proxy.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-kubernetes-proxy.png
rename to docs/reference/metricbeat/images/metricbeat-kubernetes-proxy.png
diff --git a/metricbeat/docs/images/metricbeat-mysql.png b/docs/reference/metricbeat/images/metricbeat-mysql.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-mysql.png
rename to docs/reference/metricbeat/images/metricbeat-mysql.png
diff --git a/metricbeat/docs/images/metricbeat-nginx.png b/docs/reference/metricbeat/images/metricbeat-nginx.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-nginx.png
rename to docs/reference/metricbeat/images/metricbeat-nginx.png
diff --git a/metricbeat/docs/images/metricbeat-oracle-overview.png b/docs/reference/metricbeat/images/metricbeat-oracle-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-oracle-overview.png
rename to docs/reference/metricbeat/images/metricbeat-oracle-overview.png
diff --git a/metricbeat/docs/images/metricbeat-postgresql-overview.png b/docs/reference/metricbeat/images/metricbeat-postgresql-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-postgresql-overview.png
rename to docs/reference/metricbeat/images/metricbeat-postgresql-overview.png
diff --git a/metricbeat/docs/images/metricbeat-prometheus-overview.png b/docs/reference/metricbeat/images/metricbeat-prometheus-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-prometheus-overview.png
rename to docs/reference/metricbeat/images/metricbeat-prometheus-overview.png
diff --git a/metricbeat/docs/images/metricbeat-redisenterprise-overview.png b/docs/reference/metricbeat/images/metricbeat-redisenterprise-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-redisenterprise-overview.png
rename to docs/reference/metricbeat/images/metricbeat-redisenterprise-overview.png
diff --git a/metricbeat/docs/images/metricbeat-services-host.png b/docs/reference/metricbeat/images/metricbeat-services-host.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-services-host.png
rename to docs/reference/metricbeat/images/metricbeat-services-host.png
diff --git a/metricbeat/docs/images/metricbeat-stan-overview.png b/docs/reference/metricbeat/images/metricbeat-stan-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-stan-overview.png
rename to docs/reference/metricbeat/images/metricbeat-stan-overview.png
diff --git a/metricbeat/docs/images/metricbeat-system-dashboard.png b/docs/reference/metricbeat/images/metricbeat-system-dashboard.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-system-dashboard.png
rename to docs/reference/metricbeat/images/metricbeat-system-dashboard.png
diff --git a/metricbeat/docs/images/metricbeat-tomcat-overview.png b/docs/reference/metricbeat/images/metricbeat-tomcat-overview.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-tomcat-overview.png
rename to docs/reference/metricbeat/images/metricbeat-tomcat-overview.png
diff --git a/metricbeat/docs/images/metricbeat-windows-service.png b/docs/reference/metricbeat/images/metricbeat-windows-service.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-windows-service.png
rename to docs/reference/metricbeat/images/metricbeat-windows-service.png
diff --git a/metricbeat/docs/images/metricbeat-zookeeper.png b/docs/reference/metricbeat/images/metricbeat-zookeeper.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat-zookeeper.png
rename to docs/reference/metricbeat/images/metricbeat-zookeeper.png
diff --git a/metricbeat/docs/images/metricbeat_coredns_dashboard.png b/docs/reference/metricbeat/images/metricbeat_coredns_dashboard.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat_coredns_dashboard.png
rename to docs/reference/metricbeat/images/metricbeat_coredns_dashboard.png
diff --git a/metricbeat/docs/images/metricbeat_kafka_dashboard.png b/docs/reference/metricbeat/images/metricbeat_kafka_dashboard.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat_kafka_dashboard.png
rename to docs/reference/metricbeat/images/metricbeat_kafka_dashboard.png
diff --git a/metricbeat/docs/images/metricbeat_kubernetes_scheduler.png b/docs/reference/metricbeat/images/metricbeat_kubernetes_scheduler.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat_kubernetes_scheduler.png
rename to docs/reference/metricbeat/images/metricbeat_kubernetes_scheduler.png
diff --git a/metricbeat/docs/images/metricbeat_nats_dashboard.png b/docs/reference/metricbeat/images/metricbeat_nats_dashboard.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat_nats_dashboard.png
rename to docs/reference/metricbeat/images/metricbeat_nats_dashboard.png
diff --git a/metricbeat/docs/images/metricbeat_redis_key_dashboard.png b/docs/reference/metricbeat/images/metricbeat_redis_key_dashboard.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat_redis_key_dashboard.png
rename to docs/reference/metricbeat/images/metricbeat_redis_key_dashboard.png
diff --git a/metricbeat/docs/images/metricbeat_system_dashboard.png b/docs/reference/metricbeat/images/metricbeat_system_dashboard.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat_system_dashboard.png
rename to docs/reference/metricbeat/images/metricbeat_system_dashboard.png
diff --git a/metricbeat/docs/images/metricbeat_vsphere_dashboard.png b/docs/reference/metricbeat/images/metricbeat_vsphere_dashboard.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat_vsphere_dashboard.png
rename to docs/reference/metricbeat/images/metricbeat_vsphere_dashboard.png
diff --git a/metricbeat/docs/images/metricbeat_vsphere_vm_dashboard.png b/docs/reference/metricbeat/images/metricbeat_vsphere_vm_dashboard.png
similarity index 100%
rename from metricbeat/docs/images/metricbeat_vsphere_vm_dashboard.png
rename to docs/reference/metricbeat/images/metricbeat_vsphere_vm_dashboard.png
diff --git a/metricbeat/docs/images/module-overview.png b/docs/reference/metricbeat/images/module-overview.png
similarity index 100%
rename from metricbeat/docs/images/module-overview.png
rename to docs/reference/metricbeat/images/module-overview.png
diff --git a/metricbeat/docs/images/uwsgi_dashboard.png b/docs/reference/metricbeat/images/uwsgi_dashboard.png
similarity index 100%
rename from metricbeat/docs/images/uwsgi_dashboard.png
rename to docs/reference/metricbeat/images/uwsgi_dashboard.png
diff --git a/docs/reference/metricbeat/include-fields.md b/docs/reference/metricbeat/include-fields.md
new file mode 100644
index 000000000000..04d5653ff02d
--- /dev/null
+++ b/docs/reference/metricbeat/include-fields.md
@@ -0,0 +1,28 @@
+---
+navigation_title: "include_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/include-fields.html
+---
+
+# Keep fields from events [include-fields]
+
+
+The `include_fields` processor specifies which fields to export if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always exported. The `@timestamp`, `@metadata` and `type` fields are always exported, even if they are not defined in the `include_fields` list.
+
+```yaml
+processors:
+  - include_fields:
+      when:
+        condition
+      fields: ["field1", "field2", ...]
+```
+
+See [Conditions](/reference/metricbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+You can specify multiple `include_fields` processors under the `processors` section.
+
+::::{note}
+If you define an empty list of fields under `include_fields`, then only the required fields, `@timestamp` and `type`, are exported.
+::::
+
+
diff --git a/docs/reference/metricbeat/kafka-output.md b/docs/reference/metricbeat/kafka-output.md
new file mode 100644
index 000000000000..8f3002be3295
--- /dev/null
+++ b/docs/reference/metricbeat/kafka-output.md
@@ -0,0 +1,331 @@
+---
+navigation_title: "Kafka"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/kafka-output.html
+---
+
+# Configure the Kafka output [kafka-output]
+
+
+The Kafka output sends events to Apache Kafka.
+
+To use this output, edit the Metricbeat configuration file to disable the {{es}} output by commenting it out, and enable the Kafka output by uncommenting the Kafka section.
+
+::::{note}
+For Kafka version 0.10.0.0+ the message creation timestamp is set by beats and equals to the initial timestamp of the event. This affects the retention policy in Kafka: for example, if a beat event was created 2 weeks ago, the retention policy is set to 7 days and the message from beats arrives to Kafka today, it’s going to be immediately discarded since the timestamp value is before the last 7 days. It’s possible to change this behavior by setting timestamps on message arrival instead, so the message is not discarded but kept for 7 more days. To do that, please set `log.message.timestamp.type` to `LogAppendTime` (default `CreateTime`) in the Kafka configuration.
+::::
+
+
+Example configuration:
+
+```yaml
+output.kafka:
+  # initial brokers for reading cluster metadata
+  hosts: ["kafka1:9092", "kafka2:9092", "kafka3:9092"]
+
+  # message topic selection + partitioning
+  topic: '%{[fields.log_topic]}'
+  partition.round_robin:
+    reachable_only: false
+
+  required_acks: 1
+  compression: gzip
+  max_message_bytes: 1000000
+```
+
+::::{note}
+Events bigger than [`max_message_bytes`](#kafka-max_message_bytes) will be dropped. To avoid this problem, make sure Metricbeat does not generate events bigger than [`max_message_bytes`](#kafka-max_message_bytes).
+::::
+
+
+## Compatibility [kafka-compatibility]
+
+This output can connect to Kafka version 0.8.2.0 and later. Older versions might work as well, but are not supported. When using Kafka 4.0 and newer, the version must be set to at least `"2.1.0"`
+
+
+## Configuration options [_configuration_options_4]
+
+You can specify the following options in the `kafka` section of the `metricbeat.yml` config file:
+
+### `enabled` [_enabled_4]
+
+The `enabled` config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [_hosts_2]
+
+The list of Kafka broker addresses from where to fetch the cluster metadata. The cluster metadata contain the actual Kafka brokers events are published to.
+
+
+### `version` [_version]
+
+Kafka protocol version that Metricbeat will request when connecting. Defaults to 2.1.0. When using Kafka 4.0 and newer, the version must be set to at least `"2.1.0"`
+
+Valid values are all kafka releases in between `0.8.2.0` and `2.6.0`.
+
+The protocol version controls the Kafka client features available to Metricbeat; it does not prevent Metricbeat from connecting to Kafka versions newer than the protocol version.
+
+See [Compatibility](#kafka-compatibility) for information on supported versions.
+
+
+### `username` [_username_3]
+
+The username for connecting to Kafka. If username is configured, the password must be configured as well.
+
+
+### `password` [_password_3]
+
+The password for connecting to Kafka.
+
+
+### `sasl.mechanism` [_sasl_mechanism]
+
+The SASL mechanism to use when connecting to Kafka. It can be one of:
+
+* `PLAIN` for SASL/PLAIN.
+* `SCRAM-SHA-256` for SCRAM-SHA-256.
+* `SCRAM-SHA-512` for SCRAM-SHA-512.
+
+If `sasl.mechanism` is not set, `PLAIN` is used if `username` and `password` are provided. Otherwise, SASL authentication is disabled.
+
+To use `GSSAPI` mechanism to authenticate with Kerberos, you must leave this field empty, and use the [`kerberos`](#kerberos-option-kafka) options.
+
+
+### `topic` [topic-option-kafka]
+
+The Kafka topic used for produced events.
+
+You can set the topic dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_topic`, to set the topic for each event:
+
+```yaml
+topic: '%{[fields.log_topic]}'
+```
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/metricbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`topics`](#topics-option-kafka) setting for other ways to set the topic dynamically.
+
+
+### `topics` [topics-option-kafka]
+
+An array of topic selector rules. Each rule specifies the `topic` to use for events that match the rule. During publishing, Metricbeat sets the `topic` for each event based on the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `topics` setting is missing or no rule matches, the [`topic`](#topic-option-kafka) field is used.
+
+Rule settings:
+
+**`topic`**
+:   The topic format string to use.  If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `topic` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/metricbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sets the topic based on whether the message field contains the specified string:
+
+```yaml
+output.kafka:
+  hosts: ["localhost:9092"]
+  topic: "logs-%{[agent.version]}"
+  topics:
+    - topic: "critical-%{[agent.version]}"
+      when.contains:
+        message: "CRITICAL"
+    - topic: "error-%{[agent.version]}"
+      when.contains:
+        message: "ERR"
+```
+
+This configuration results in topics named `critical-9.0.0-beta1`, `error-9.0.0-beta1`, and `logs-9.0.0-beta1`.
+
+
+### `key` [_key]
+
+Optional formatted string specifying the Kafka event key. If configured, the event key can be extracted from the event using a format string.
+
+See the Kafka documentation for the implications of a particular choice of key; by default, the key is chosen by the Kafka cluster.
+
+
+### `partition` [_partition]
+
+Kafka output broker event partitioning strategy. Must be one of `random`, `round_robin`, or `hash`. By default the `hash` partitioner is used.
+
+**`random.group_events`**: Sets the number of events to be published to the same partition, before the partitioner selects a new partition by random. The default value is 1 meaning after each event a new partition is picked randomly.
+
+**`round_robin.group_events`**: Sets the number of events to be published to the same partition, before the partitioner selects the next partition. The default value is 1 meaning after each event the next partition will be selected.
+
+**`hash.hash`**: List of fields used to compute the partitioning hash value from. If no field is configured, the events `key` value will be used.
+
+**`hash.random`**: Randomly distribute events if no hash or key value can be computed.
+
+All partitioners will try to publish events to all partitions by default. If a partition’s leader becomes unreachable for the beat, the output might block. All partitioners support setting `reachable_only` to overwrite this behavior. If `reachable_only` is set to `true`, events will be published to available partitions only.
+
+::::{note}
+Publishing to a subset of available partitions potentially increases resource usage because events may become unevenly distributed.
+::::
+
+
+
+### `headers` [_headers_3]
+
+A header is a key-value pair, and multiple headers can be included with the same `key`. Only string values are supported. These headers will be included in each produced Kafka message.
+
+```yaml
+output.kafka:
+  hosts: ["localhost:9092"]
+  topic: "logs-%{[agent.version]}"
+  headers:
+    - key: "some-key"
+      value: "some value"
+    - key: "another-key"
+      value: "another value"
+```
+
+
+### `client_id` [_client_id]
+
+The configurable ClientID used for logging, debugging, and auditing purposes. The default is "beats".
+
+
+### `codec` [_codec]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/metricbeat/configuration-output-codec.md) for more information.
+
+
+### `metadata` [_metadata]
+
+Kafka metadata update settings. The metadata do contain information about brokers, topics, partition, and active leaders to use for publishing.
+
+**`refresh_frequency`**
+:   Metadata refresh interval. Defaults to 10 minutes.
+
+**`full`**
+:   Strategy to use when fetching metadata, when this option is `true`, the client will maintain a full set of metadata for all the available topics, if the this option is set to `false` it will only refresh the metadata for the configured topics. The default is false.
+
+**`retry.max`**
+:   Total number of metadata update retries when cluster is in middle of leader election. The default is 3.
+
+**`retry.backoff`**
+:   Waiting time between retries during leader elections. Default is 250ms.
+
+
+### `max_retries` [_max_retries_3]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `backoff.init` [_backoff_init_2]
+
+The number of seconds to wait before trying to republish to Kafka after a network error. After waiting `backoff.init` seconds, Metricbeat tries to republish. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful publish, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_2]
+
+The maximum number of seconds to wait before attempting to republish to Kafka after a network error. The default is 60s.
+
+
+### `bulk_max_size` [_bulk_max_size_2]
+
+The maximum number of events to bulk in a single Kafka request. The default is 2048.
+
+
+### `bulk_flush_frequency` [_bulk_flush_frequency]
+
+Duration to wait before sending bulk Kafka request. 0 is no delay. The default is 0.
+
+
+### `timeout` [_timeout_4]
+
+The number of seconds to wait for responses from the Kafka brokers before timing out. The default is 30 (seconds).
+
+
+### `broker_timeout` [_broker_timeout]
+
+The maximum duration a broker will wait for number of required ACKs. The default is 10s.
+
+
+### `channel_buffer_size` [_channel_buffer_size]
+
+Per Kafka broker number of messages buffered in output pipeline. The default is 256.
+
+
+### `keep_alive` [_keep_alive]
+
+The keep-alive period for an active network connection. If 0s, keep-alives are disabled. The default is 0 seconds.
+
+
+### `compression` [_compression]
+
+Sets the output compression codec. Must be one of `none`, `snappy`, `lz4`, `gzip` and `zstd`. The default is `gzip`.
+
+::::{admonition} Known issue with Azure Event Hub for Kafka
+:class: important
+
+When targeting Azure Event Hub for Kafka, set `compression` to `none` as the provided codecs are not supported.
+
+::::
+
+
+
+### `compression_level` [_compression_level_2]
+
+Sets the compression level used by gzip. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the cpu usage.
+
+The default value is 4.
+
+
+### `max_message_bytes` [kafka-max_message_bytes]
+
+The maximum permitted size of JSON-encoded messages. Bigger messages will be dropped. The default value is 1000000 (bytes). This value should be equal to or less than the broker’s `message.max.bytes`.
+
+
+### `required_acks` [_required_acks]
+
+The ACK reliability level required from broker. 0=no response, 1=wait for local commit, -1=wait for all replicas to commit. The default is 1.
+
+Note: If set to 0, no ACKs are returned by Kafka. Messages might be lost silently on error.
+
+
+### `ssl` [_ssl_4]
+
+Configuration options for SSL parameters like the root CA for Kafka connections. The Kafka host keystore should be created with the `-keyalg RSA` argument to ensure it uses a cipher supported by [Filebeat’s Kafka library](https://github.com/Shopify/sarama/wiki/Frequently-Asked-Questions#why-cant-sarama-connect-to-my-kafka-cluster-using-ssl). See [SSL](/reference/metricbeat/configuration-ssl.md) for more information.
+
+
+### `kerberos` [kerberos-option-kafka]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Configuration options for Kerberos authentication.
+
+See [Kerberos](/reference/metricbeat/configuration-kerberos.md) for more information.
+
+
+### `queue` [_queue_3]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/metricbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `metricbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/metricbeat/key-features.md b/docs/reference/metricbeat/key-features.md
new file mode 100644
index 000000000000..9ff6532c297c
--- /dev/null
+++ b/docs/reference/metricbeat/key-features.md
@@ -0,0 +1,46 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/key-features.html
+---
+
+# Key metricbeat features [key-features]
+
+Metricbeat has some key features that are critical to how it works:
+
+* [Metricbeat error events](#metricbeat-error-events)
+* [No aggregations when data is fetched](#no-aggregations)
+* [Sends more than just numbers](#more-than-numbers)
+* [Multiple metrics in one event](#multiple-events-in-one)
+
+## Metricbeat error events [metricbeat-error-events]
+
+Metricbeat sends more than just metrics. When it cannot retrieve metrics, it sends error events. The error is not simply a flag, but a full error string that is created during fetching from the host systems. This enables you to monitor not only the metrics, but also any errors that occur during metrics monitoring.
+
+Because you see the full error message, you can track down the error faster. Metricbeat is installed locally on the host machine, which means that you can differentiate errors that happen locally from other issues, such as network problems.
+
+Each metricset is retrieved based on a predefined period, so when Metricbeat fails to retrieve metrics for more than one interval, you can infer that there is potentially something wrong with the host or host connectivity.
+
+
+## No aggregations when data is fetched [no-aggregations]
+
+Metricbeat doesn’t do aggregations like gauge, sum, counters, and so on. Metricbeat sends the raw data retrieved from the host to the output for processing. When using Elasticsearch, this has the advantage that all raw data is available on the Elasticsearch host for drilling down into the details, and the data can be reprocessed at any time. It also reduces the complexity of Metricbeat.
+
+
+## Sends more than just numbers [more-than-numbers]
+
+Metricbeat sends more than just numbers. The metrics that Metricbeat sends can also contain strings to report status information. This is useful when you’re using Elasticsearch to store the metrics data. Because each metricset has a predefined structure, Elasticsearch knows in advance which types will be stored in Elasticsearch, and it can optimize storage.
+
+Basic meta information about each metric (such as the host) is also sent as part of each event.
+
+
+## Multiple metrics in one event [multiple-events-in-one]
+
+Rather than containing a single metric, each event created by Metricbeat contains a list of metrics. This means that you can retrieve all the metrics in a single request to the host system, resulting in less load on the host system. If you are sending the metrics to Elasticsearch as the output, Elasticsearch can directly store and query the metrics as a nested JSON document, making it very efficient for sending metrics data to Elasticsearch.
+
+Because the full raw event data is available, Metricbeat or Elasticsearch can do any required transformations on the data later. For example, if you need to store data in the [Metrics2.0](http://metrics20.org/) format, you could generate the format out of the existing event by splitting up the full event into multiple metrics2.0 events.
+
+Meta information about the type of each metric is stored in the mapping template. Meta information that is common to all metric events, such as host and timestamp, is part of the event structure itself  and is only stored once for all events in the metricset.
+
+Having all the related metrics in a single event also makes it easier to look at other values when one of the metrics for a service seems off.
+
+
diff --git a/docs/reference/metricbeat/keystore.md b/docs/reference/metricbeat/keystore.md
new file mode 100644
index 000000000000..b1b91f3d629d
--- /dev/null
+++ b/docs/reference/metricbeat/keystore.md
@@ -0,0 +1,87 @@
+---
+navigation_title: "Secrets keystore"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/keystore.html
+---
+
+# Secrets keystore for secure settings [keystore]
+
+
+When you configure Metricbeat, you might need to specify sensitive settings, such as passwords. Rather than relying on file system permissions to protect these values, you can use the Metricbeat keystore to obfuscate stored secret values for use in configuration settings.
+
+After adding a key and its secret value to the keystore, you can use the key in place of the secret value when you configure sensitive settings.
+
+The syntax for referencing keys is identical to the syntax for environment variables:
+
+`${KEY}`
+
+Where KEY is the name of the key.
+
+For example, imagine that the keystore contains a key called `ES_PWD` with the value `yourelasticsearchpassword`:
+
+* In the configuration file, use `output.elasticsearch.password: "${ES_PWD}"`
+* On the command line, use: `-E "output.elasticsearch.password=\${ES_PWD}"`
+
+When Metricbeat unpacks the configuration, it resolves keys before resolving environment variables and other variables.
+
+Notice that the Metricbeat keystore differs from the Elasticsearch keystore. Whereas the Elasticsearch keystore lets you store `elasticsearch.yml` values by name, the Metricbeat keystore lets you specify arbitrary names that you can reference in the Metricbeat configuration.
+
+To create and manage keys, use the `keystore` command. See the [command reference](/reference/metricbeat/command-line-options.md#keystore-command) for the full command syntax, including optional flags.
+
+::::{note}
+The `keystore` command must be run by the same user who will run Metricbeat.
+::::
+
+
+
+## Create a keystore [creating-keystore]
+
+To create a secrets keystore, use:
+
+```sh
+metricbeat keystore create
+```
+
+Metricbeat creates the keystore in the directory defined by the `path.data` configuration setting.
+
+
+## Add keys [add-keys-to-keystore]
+
+To store sensitive values, such as authentication credentials for Elasticsearch, use the `keystore add` command:
+
+```sh
+metricbeat keystore add ES_PWD
+```
+
+When prompted, enter a value for the key.
+
+To overwrite an existing key’s value, use the `--force` flag:
+
+```sh
+metricbeat keystore add ES_PWD --force
+```
+
+To pass the value through stdin, use the `--stdin` flag. You can also use `--force`:
+
+```sh
+cat /file/containing/setting/value | metricbeat keystore add ES_PWD --stdin --force
+```
+
+
+## List keys [list-settings]
+
+To list the keys defined in the keystore, use:
+
+```sh
+metricbeat keystore list
+```
+
+
+## Remove keys [remove-settings]
+
+To remove a key from the keystore, use:
+
+```sh
+metricbeat keystore remove ES_PWD
+```
+
diff --git a/docs/reference/metricbeat/kibana-user-privileges.md b/docs/reference/metricbeat/kibana-user-privileges.md
new file mode 100644
index 000000000000..26cdb67bf08a
--- /dev/null
+++ b/docs/reference/metricbeat/kibana-user-privileges.md
@@ -0,0 +1,28 @@
+---
+navigation_title: "Create a _reader_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/kibana-user-privileges.html
+---
+
+# Grant privileges and roles needed to read Metricbeat data from {{kib}} [kibana-user-privileges]
+
+
+{{kib}} users typically need to view dashboards and visualizations that contain Metricbeat data. These users might also need to create and edit dashboards and visualizations.
+
+To grant users the required privileges:
+
+1. Create a **reader role**, called something like `metricbeat_reader`, that has the following privilege:
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Index | `read` on `metricbeat-*` indices | Read data indexed by Metricbeat |
+    | Spaces | `Read` or `All` on Dashboards, Visualize, and Discover | Allow the user to view, edit, and create dashboards, as well as browse data. |
+    | Spaces | `Read` or `All` on {{kib}} Metrics | Allow the use of {{kib}} Metrics |
+
+2. Assign the **reader role**, along with the following built-in roles, to users who need to read Metricbeat data:
+
+    | Role | Purpose |
+    | --- | --- |
+    | `monitoring_user` | Allow users to monitor the health of Metricbeat itself. Only assign this role to users who manage Metricbeat. |
+
+
diff --git a/docs/reference/metricbeat/learn-more-security.md b/docs/reference/metricbeat/learn-more-security.md
new file mode 100644
index 000000000000..1b3338548ae9
--- /dev/null
+++ b/docs/reference/metricbeat/learn-more-security.md
@@ -0,0 +1,12 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/learn-more-security.html
+---
+
+# Learn more about privileges, roles, and users [learn-more-security]
+
+Want to learn more about creating users and roles? See [Secure a cluster](docs-content://deploy-manage/security.md). Also see:
+
+* [Security privileges](elasticsearch://reference/elasticsearch/security-privileges.md) for a description of available privileges
+* [Built-in roles](elasticsearch://reference/elasticsearch/roles.md) for a description of roles that you can assign to users
+
diff --git a/docs/reference/metricbeat/linux-seccomp.md b/docs/reference/metricbeat/linux-seccomp.md
new file mode 100644
index 000000000000..12931d70dd6a
--- /dev/null
+++ b/docs/reference/metricbeat/linux-seccomp.md
@@ -0,0 +1,75 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/linux-seccomp.html
+---
+
+# Use Linux Secure Computing Mode (seccomp) [linux-seccomp]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+On Linux 3.17 and later, Metricbeat can take advantage of secure computing mode, also known as seccomp. Seccomp restricts the system calls that a process can issue. Specifically Metricbeat can load a seccomp BPF filter at process start-up that drops the privileges to invoke specific system calls. Once a filter is loaded by the process it cannot be removed.
+
+The kernel exposes a large number of system calls that are not used by Metricbeat. By installing a seccomp filter, you can limit the total kernel surface exposed to Metricbeat (principle of least privilege). This minimizes the impact of unknown vulnerabilities that might be found in the process.
+
+The filter is expressed as a Berkeley Packet Filter (BPF) program. The BPF program is generated based on a policy defined by Metricbeat. The policy can be customized through configuration as well.
+
+A seccomp policy is architecture specific due to the fact that system calls vary by architecture. Metricbeat includes a whitelist seccomp policy for the amd64 and 386 architectures. You can view those policies [here](https://github.com/elastic/beats/tree/master/libbeat/common/seccomp).
+
+
+## Seccomp Policy Configuration [seccomp-policy-config]
+
+The seccomp policy can be customized through the configuration policy. This is an example blacklist policy that prohibits `execve`, `execveat`, `fork`, and `vfork` syscalls.
+
+```yaml
+seccomp:
+  default_action: allow <1>
+  syscalls:
+  - action: errno <2>
+    names: <3>
+    - execve
+    - execveat
+    - fork
+    - vfork
+```
+
+1. If the system call being invoked by the process does not match one of the names below then it will be allowed.
+2. If the system call being invoked matches one of the names below then an error will be returned to caller. This is known as a blacklist policy.
+3. These are system calls being prohibited.
+
+
+These are the configuration options for a seccomp policy.
+
+**`enabled`**
+:   On Linux, this option is enabled by default. To disable seccomp filter loading, set this option to `false`.
+
+**`default_action`**
+:   The default action to take when none of the defined system calls match. See [action](#seccomp-policy-config-action) for the full list of values. This is required.
+
+**`syscalls`**
+:   Each object in this list must contain an `action` and a list of system call `names`. The list must contain at least one item.
+
+**`names`**
+:   A list of system call names. The system call name must exist for the runtime architecture, otherwise an error will be logged and the filter will not be installed. At least one system call must be defined.
+
+$$$seccomp-policy-config-action$$$
+
+**`action`**
+:   The action to take when any of the system calls listed in `names` is executed. This is required. These are the available action values. The actions that are available depend on the kernel version.
+
+    * `errno` - The system call will return `EPERM` (permission denied) to the caller.
+    * `trace` - The kernel will notify a `ptrace` tracer. If no tracer is present then the system call fails with `ENOSYS` (function not implemented).
+    * `trap` - The kernel will send a `SIGSYS` signal to the calling thread and not execute the system call. The Go runtime will exit.
+    * `kill_thread` - The kernel will immediately terminate the thread. Other threads will continue to execute.
+    * `kill_process` - The kernel will terminate the process. Available in Linux 4.14 and later.
+    * `log` - The kernel will log the system call before executing it. Available in Linux 4.14 and later. (This does not go to the Beat’s log.)
+    * `allow` - The kernel will allow the system call to execute.
+
+
+
+## Auditbeat Reports Seccomp Violations [_auditbeat_reports_seccomp_violations]
+
+You can use Auditbeat to report any seccomp violations that occur on the system. The kernel generates an event for each violation and Auditbeat reports the event. The `event.action` value will be `violated-seccomp-policy` and the event will contain information about the process and system call.
+
diff --git a/docs/reference/metricbeat/load-kibana-dashboards.md b/docs/reference/metricbeat/load-kibana-dashboards.md
new file mode 100644
index 000000000000..d4c69e286b66
--- /dev/null
+++ b/docs/reference/metricbeat/load-kibana-dashboards.md
@@ -0,0 +1,151 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/load-kibana-dashboards.html
+---
+
+# Load Kibana dashboards [load-kibana-dashboards]
+
+::::{tip}
+For deeper observability into your infrastructure, you can use the {{metrics-app}} and the {{logs-app}} in {{kib}}. For more details, see [Metrics monitoring](docs-content://solutions/observability/infra-and-hosts/analyze-infrastructure-host-metrics.md) and [Log monitoring](docs-content://solutions/observability/logs/explore-logs.md).
+::::
+
+
+Metricbeat comes packaged with example Kibana dashboards, visualizations, and searches for visualizing Metricbeat data in Kibana. Before you can use the dashboards, you need to create the index pattern, `metricbeat-*`, and load the dashboards into Kibana.
+
+To do this, you can either run the `setup` command (as described here) or [configure dashboard loading](/reference/metricbeat/configuration-dashboards.md) in the `metricbeat.yml` config file. This requires a Kibana endpoint configuration. If you didn’t already configure a Kibana endpoint, see [{{kib}} endpoint](/reference/metricbeat/setup-kibana-endpoint.md).
+
+
+## Load dashboards [load-dashboards]
+
+Make sure Kibana is running before you perform this step. If you are accessing a secured Kibana instance, make sure you’ve configured credentials as described in the [Quick start: installation and configuration](/reference/metricbeat/metricbeat-installation-configuration.md).
+
+To load the recommended index template for writing to {{es}} and deploy the sample dashboards for visualizing the data in {{kib}}, use the command that works with your system.
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+metricbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+metricbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+./metricbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} Linux
+```sh
+./metricbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} Docker
+```sh
+docker run --rm --net="host" docker.elastic.co/beats/metricbeat:9.0.0-beta1 setup --dashboards
+```
+::::::
+
+::::::{tab-item} Windows
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Metricbeat, and run:
+
+```sh
+PS > .\metricbeat.exe setup --dashboards
+```
+::::::
+
+:::::::
+For more options, such as loading customized dashboards, see [Importing Existing Beat Dashboards](http://www.elastic.co/guide/en/beats/devguide/master/import-dashboards.md). If you’ve configured the Logstash output, see [Load dashboards for Logstash output](#load-dashboards-logstash).
+
+
+## Load dashboards for Logstash output [load-dashboards-logstash]
+
+During dashboard loading, Metricbeat connects to Elasticsearch to check version information. To load dashboards when the Logstash output is enabled, you need to temporarily disable the Logstash output and enable Elasticsearch. To connect to a secured Elasticsearch cluster, you also need to pass Elasticsearch credentials.
+
+::::{tip}
+The example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/metricbeat/keystore.md).
+::::
+
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+metricbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=metricbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+metricbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=metricbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+./metricbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=metricbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} Linux
+```sh
+./metricbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=metricbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} Docker
+```sh
+docker run --rm --net="host" docker.elastic.co/beats/metricbeat:9.0.0-beta1 setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=metricbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} Windows
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Metricbeat, and run:
+
+```sh
+PS > .\metricbeat.exe setup -e `
+  -E output.logstash.enabled=false `
+  -E output.elasticsearch.hosts=['localhost:9200'] `
+  -E output.elasticsearch.username=metricbeat_internal `
+  -E output.elasticsearch.password={pwd} `
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+:::::::
diff --git a/docs/reference/metricbeat/logstash-output.md b/docs/reference/metricbeat/logstash-output.md
new file mode 100644
index 000000000000..477504334503
--- /dev/null
+++ b/docs/reference/metricbeat/logstash-output.md
@@ -0,0 +1,245 @@
+---
+navigation_title: "Logstash"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/logstash-output.html
+---
+
+# Configure the Logstash output [logstash-output]
+
+
+The {{ls}} output sends events directly to {{ls}} by using the lumberjack protocol, which runs over TCP. {{ls}} allows for additional processing and routing of generated events.
+
+::::{admonition} Prerequisite
+:class: important
+
+To send events to {{ls}}, you also need to create a {{ls}} configuration pipeline that listens for incoming Beats connections and indexes the received events into {{es}}. For more information, see [Getting Started with {{ls}}](logstash://reference/getting-started-with-logstash.md). Also see the documentation for the [{{beats}} input](logstash://reference/plugins-inputs-beats.md) and [{{es}} output](logstash://reference/plugins-outputs-elasticsearch.md) plugins.
+::::
+
+
+If you want to use {{ls}} to perform additional processing on the data collected by Metricbeat, you need to configure Metricbeat to use {{ls}}.
+
+To do this, edit the Metricbeat configuration file to disable the {{es}} output by commenting it out and enable the {{ls}} output by uncommenting the {{ls}} section:
+
+```yaml
+output.logstash:
+  hosts: ["127.0.0.1:5044"]
+```
+
+The `hosts` option specifies the {{ls}} server and the port (`5044`) where {{ls}} is configured to listen for incoming Beats connections.
+
+For this configuration, you must [load the index template into {{es}} manually](/reference/metricbeat/metricbeat-template.md#load-template-manually) because the options for auto loading the template are only available for the {{es}} output.
+
+## Accessing metadata fields [_accessing_metadata_fields]
+
+Every event sent to {{ls}} contains the following metadata fields that you can use in {{ls}} for indexing and filtering:
+
+```json
+{
+    ...
+    "@metadata": { <1>
+      "beat": "metricbeat", <2>
+      "version": "9.0.0-beta1" <3>
+    }
+}
+```
+
+1. Metricbeat uses the `@metadata` field to send metadata to {{ls}}. See the [{{ls}} documentation](logstash://reference/event-dependent-configuration.md#metadata) for more about the `@metadata` field.
+2. The default is metricbeat. To change this value, set the [`index`](#logstash-index) option in the Metricbeat config file.
+3. The current version of Metricbeat.
+
+
+You can access this metadata from within the {{ls}} config file to set values dynamically based on the contents of the metadata.
+
+For example, the following {{ls}} configuration file tells {{ls}} to use the index reported by Metricbeat for indexing events into {{es}}:
+
+```json
+input {
+  beats {
+    port => 5044
+  }
+}
+
+output {
+  elasticsearch {
+    hosts => ["http://localhost:9200"]
+    index => "%{[@metadata][beat]}-%{[@metadata][version]}" <1>
+    action => "create"
+  }
+}
+```
+
+1. `%{[@metadata][beat]}` sets the first part of the index name to the value of the `beat` metadata field and `%{[@metadata][version]}` sets the second part to the Beat’s version. For example: `metricbeat-9.0.0-beta1`.
+
+
+Events indexed into {{es}} with the {{ls}} configuration shown here will be similar to events directly indexed by Metricbeat into {{es}}.
+
+::::{note}
+If ILM is not being used, set `index` to `%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so {{ls}} creates an index per day, based on the `@timestamp` value of the events coming from Beats.
+::::
+
+
+
+## Compatibility [_compatibility_2]
+
+This output works with all compatible versions of {{ls}}. See the [Elastic Support Matrix](https://www.elastic.co/support/matrix#matrix_compatibility).
+
+
+## Configuration options [_configuration_options_3]
+
+You can specify the following options in the `logstash` section of the `metricbeat.yml` config file:
+
+### `enabled` [_enabled_3]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [hosts]
+
+The list of known {{ls}} servers to connect to. If load balancing is disabled, but multiple hosts are configured, one host is selected randomly (there is no precedence). If one host becomes unreachable, another one is selected randomly.
+
+All entries in this list can contain a port number. The default port number 5044 will be used if no number is given.
+
+
+### `compression_level` [_compression_level]
+
+The gzip compression level. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the CPU usage.
+
+The default value is 3.
+
+
+### `escape_html` [_escape_html_2]
+
+Configure escaping of HTML in strings. Set to `true` to enable escaping.
+
+The default value is `false`.
+
+
+### `worker` or `workers` [_worker_or_workers]
+
+The number of workers per configured host publishing events to {{ls}}. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+
+### `loadbalance` [loadbalance]
+
+When `loadbalance: true` is set, Metricbeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Metricbeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Metricbeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Metricbeat can connect to at least one of its configured hosts. To rotate through the list of configured hosts over time, use this option in conjunction with the `ttl` setting to close the connection at the configured interval and choose a new target host.
+
+The default value is `false`.
+
+```yaml
+output.logstash:
+  hosts: ["localhost:5044", "localhost:5045"]
+  loadbalance: true
+  index: metricbeat
+```
+
+
+### `ttl` [_ttl]
+
+Time to live for a connection to {{ls}} after which the connection will be re-established. Useful when {{ls}} hosts represent load balancers. Since the connections to {{ls}} hosts are sticky, operating behind load balancers can lead to uneven load distribution between the instances. Specifying a TTL on the connection allows to achieve equal connection distribution between the instances.  Specifying a TTL of 0 will disable this feature.
+
+The default value is 0. This setting accepts [duration](/reference/libbeat/config-file-format-type.md#_duration) data type values.
+
+::::{note}
+The "ttl" option is not yet supported on an async {{ls}} client (one with the "pipelining" option set).
+::::
+
+
+
+### `pipelining` [_pipelining]
+
+Configures the number of batches to be sent asynchronously to {{ls}} while waiting for ACK from {{ls}}. Output only becomes blocking once number of `pipelining` batches have been written. Pipelining is disabled if a value of 0 is configured. The default value is 2.
+
+
+### `proxy_url` [_proxy_url_2]
+
+The URL of the SOCKS5 proxy to use when connecting to the {{ls}} servers. The value must be a URL with a scheme of `socks5://`. The protocol used to communicate to {{ls}} is not based on HTTP so a web-proxy cannot be used.
+
+If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL as shown in the example.
+
+When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the [`proxy_use_local_resolver`](#logstash-proxy-use-local-resolver) option.
+
+```yaml
+output.logstash:
+  hosts: ["remote-host:5044"]
+  proxy_url: socks5://user:password@socks5-proxy:2233
+```
+
+
+### `proxy_use_local_resolver` [logstash-proxy-use-local-resolver]
+
+The `proxy_use_local_resolver` option determines if {{ls}} hostnames are resolved locally when using a proxy. The default value is false, which means that when a proxy is used the name resolution occurs on the proxy server.
+
+
+### `index` [logstash-index]
+
+The index root name to write events to. The default is the Beat name. For example `"metricbeat"` generates `"[metricbeat-]9.0.0-beta1-YYYY.MM.DD"` indices (for example, `"metricbeat-9.0.0-beta1-2017.04.26"`).
+
+::::{note}
+This parameter’s value will be assigned to the `metadata.beat` field. It can then be accessed in {{ls}}'s output section as `%{[@metadata][beat]}`.
+::::
+
+
+
+### `ssl` [_ssl_3]
+
+Configuration options for SSL parameters like the root CA for {{ls}} connections. See [SSL](/reference/metricbeat/configuration-ssl.md) for more information. To use SSL, you must also configure the [Beats input plugin for Logstash](logstash://reference/plugins-inputs-beats.md) to use SSL/TLS.
+
+
+### `timeout` [_timeout_3]
+
+The number of seconds to wait for responses from the {{ls}} server before timing out. The default is 30 (seconds).
+
+
+### `max_retries` [_max_retries_2]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `bulk_max_size` [_bulk_max_size]
+
+The maximum number of events to bulk in a single {{ls}} request. The default is 2048.
+
+Events can be collected into batches. Metricbeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `slow_start` [_slow_start]
+
+If enabled, only a subset of events in a batch of events is transferred per transaction. The number of events to be sent increases up to `bulk_max_size` if no error is encountered. On error, the number of events per transaction is reduced again.
+
+The default is `false`.
+
+
+### `backoff.init` [_backoff_init]
+
+The number of seconds to wait before trying to reconnect to {{ls}} after a network error. After waiting `backoff.init` seconds, Metricbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max]
+
+The maximum number of seconds to wait before attempting to connect to {{ls}} after a network error. The default is 60s.
+
+
+### `queue` [_queue_2]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/metricbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `metricbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/metricbeat/madvdontneed-rss.md b/docs/reference/metricbeat/madvdontneed-rss.md
new file mode 100644
index 000000000000..46f94b0b5554
--- /dev/null
+++ b/docs/reference/metricbeat/madvdontneed-rss.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/madvdontneed-rss.html
+---
+
+# High RSS memory usage due to MADV settings [madvdontneed-rss]
+
+In versions of Metricbeat prior to 7.10.2, the go runtime defaults to `MADV_FREE` by default. In some cases, this can lead to high RSS memory usage while the kernel waits to reclaim any pages assigned to Metricbeat. On versions prior to 7.10.2, set the `GODEBUG="madvdontneed=1"` environment variable if you run into RSS usage issues.
+
diff --git a/docs/reference/metricbeat/metadata-missing.md b/docs/reference/metricbeat/metadata-missing.md
new file mode 100644
index 000000000000..8261b89f2976
--- /dev/null
+++ b/docs/reference/metricbeat/metadata-missing.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metadata-missing.html
+---
+
+# @metadata is missing in Logstash [metadata-missing]
+
+{{ls}} outputs remove `@metadata` fields automatically. Therefore, if {{ls}} instances are chained directly or via some message queue (for example, Redis or Kafka), the `@metadata` field will not be available in the final {{ls}} instance.
+
+::::{tip}
+To preserve `@metadata` fields, use the {{ls}} mutate filter with the rename setting to rename the fields to non-internal fields.
+::::
+
+
diff --git a/docs/reference/metricbeat/metricbeat-configuration-reloading.md b/docs/reference/metricbeat/metricbeat-configuration-reloading.md
new file mode 100644
index 000000000000..d2e43bf9c7f4
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-configuration-reloading.md
@@ -0,0 +1,42 @@
+---
+navigation_title: "Config file loading"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-configuration-reloading.html
+---
+
+# Load external configuration files [metricbeat-configuration-reloading]
+
+
+Metricbeat can load external configuration files for modules, which allows you to separate your configuration into multiple smaller configuration files. To use this, you specify the `path` option under `metricbeat.config.modules` in the main `metricbeat.yml` configuration file. By default, Metricbeat loads the module configurations enabled in the [`modules.d`](/reference/metricbeat/configuration-metricbeat.md#configure-modules-d-configs) directory. For example:
+
+```yaml
+metricbeat.config.modules:
+  path: ${path.config}/modules.d/*.yml
+```
+
+`path`
+:   A Glob that defines the files to check for changes.
+
+    This setting must point to the `modules.d` directory if you want to use the [`modules`](/reference/metricbeat/command-line-options.md#modules-command) command to enable and disable module configurations.
+
+
+Each file found by the Glob must contain a list of one or more module definitions. For example:
+
+```yaml
+- module: system
+  metricsets: ["cpu"]
+  enabled: false
+  period: 1s
+
+- module: system
+  metricsets: ["network"]
+  enabled: true
+  period: 10s
+```
+
+::::{note}
+On systems with POSIX file permissions, all Beats configuration files are subject to ownership and file permission checks. For more information, see [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-event-structure.md b/docs/reference/metricbeat/metricbeat-event-structure.md
new file mode 100644
index 000000000000..e734248458c6
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-event-structure.md
@@ -0,0 +1,49 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-event-structure.html
+---
+
+# Event structure [metricbeat-event-structure]
+
+Every event sent by Metricbeat has the same basic structure. It contains the following fields:
+
+**`@timestamp`**
+:   Time when the event was captured
+
+**`host.hostname`**
+:   Hostname of the server on which the Beat is running
+
+**`agent.type`**
+:   Name given to the Beat
+
+**`event.module`**
+:   Name of the module that the data is from
+
+**`event.dataset`**
+:   Name of the module that the data is from
+
+For example:
+
+```json
+{
+  "@timestamp": "2016-06-22T22:05:53.291Z",
+  "agent": {
+    "type": "metricbeat"
+  },
+  "host": {
+     "hostname": "host.example.com",
+   },
+  "event": {
+    "dataset": "system.process",
+    "module": process
+  },
+  .
+  .
+  .
+
+  "type": "metricsets"
+}
+```
+
+For more information about the exported fields, see [Exported fields](/reference/metricbeat/exported-fields.md).
+
diff --git a/docs/reference/metricbeat/metricbeat-geoip.md b/docs/reference/metricbeat/metricbeat-geoip.md
new file mode 100644
index 000000000000..ad9a6e85a934
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-geoip.md
@@ -0,0 +1,206 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-geoip.html
+---
+
+# Enrich events with geoIP information [metricbeat-geoip]
+
+You can use Metricbeat along with the [GeoIP Processor](elasticsearch://reference/ingestion-tools/enrich-processor/geoip-processor.md) in {{es}} to export geographic location information based on IP addresses. Then you can use this information to visualize the location of IP addresses on a map in {{kib}}.
+
+The `geoip` processor adds information about the geographical location of IP addresses, based on data from the Maxmind GeoLite2 City Database. Because the processor uses a geoIP database that’s installed on {{es}}, you don’t need to install a geoIP database on the machines running Metricbeat.
+
+::::{note}
+If your use case involves using {{ls}}, you can use the [GeoIP filter](logstash://reference/plugins-filters-geoip.md) available in {{ls}} instead of using the `geoip` processor. However, using the `geoip` processor is the simplest approach when you don’t require the additional processing power of {{ls}}.
+::::
+
+
+
+## Configure the `geoip` processor [metricbeat-configuring-geoip]
+
+To configure Metricbeat and the `geoip` processor:
+
+1. Define an ingest pipeline that uses one or more `geoip` processors to add location information to the event. For example, you can use the Console in {{kib}} to create the following pipeline:
+
+    ```console
+    PUT _ingest/pipeline/geoip-info
+    {
+      "description": "Add geoip info",
+      "processors": [
+        {
+          "geoip": {
+            "field": "client.ip",
+            "target_field": "client.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "client.ip",
+            "target_field": "client.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "source.ip",
+            "target_field": "source.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "source.ip",
+            "target_field": "source.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "destination.ip",
+            "target_field": "destination.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "destination.ip",
+            "target_field": "destination.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "server.ip",
+            "target_field": "server.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "server.ip",
+            "target_field": "server.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "host.ip",
+            "target_field": "host.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "server.as.asn",
+            "target_field": "server.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "server.as.organization_name",
+            "target_field": "server.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "client.as.asn",
+            "target_field": "client.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "client.as.organization_name",
+            "target_field": "client.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "source.as.asn",
+            "target_field": "source.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "source.as.organization_name",
+            "target_field": "source.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "destination.as.asn",
+            "target_field": "destination.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "destination.as.organization_name",
+            "target_field": "destination.as.organization.name",
+            "ignore_missing": true
+          }
+        }
+      ]
+    }
+    ```
+
+    In this example, the pipeline ID is `geoip-info`. `field` specifies the field that contains the IP address to use for the geographical lookup, and `target_field` is the field that will hold the geographical information. `"ignore_missing": true` configures the pipeline to continue processing when it encounters an event that doesn’t have the specified field.
+
+    See [GeoIP Processor](elasticsearch://reference/ingestion-tools/enrich-processor/geoip-processor.md) for more options.
+
+    To learn more about adding host information to an event, see [add_host_metadata](/reference/metricbeat/add-host-metadata.md).
+
+2. In the Metricbeat config file, configure the {{es}} output to use the pipeline. Specify the pipeline ID in the `pipeline` option under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["localhost:9200"]
+      pipeline: geoip-info
+    ```
+
+3. Run Metricbeat. Remember to use `sudo` if the config file is owned by root.
+
+    ```sh
+    ./metricbeat -e
+    ```
+
+    If the lookups succeed, the events are enriched with `geo_point` fields, such as `client.geo.location` and `host.geo.location`, that you can use to populate visualizations in {{kib}}.
+
+
+If you add a field that’s not already defined as a `geo_point` in the index template, add a mapping so the field gets indexed correctly.
+
+
+## Visualize locations [metricbeat-visualizing-location]
+
+To visualize the location of IP addresses, you can create a new [coordinate map](docs-content://explore-analyze/visualize/maps.md) in {{kib}} and select the location field, for example `client.geo.location` or `host.geo.location`, as the Geohash.
+
+:::{image} images/coordinate-map.png
+:alt: Coordinate map in {kib}
+:class: screenshot
+:::
+
diff --git a/docs/reference/metricbeat/metricbeat-installation-configuration.md b/docs/reference/metricbeat/metricbeat-installation-configuration.md
new file mode 100644
index 000000000000..db055d0a79e8
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-installation-configuration.md
@@ -0,0 +1,377 @@
+---
+navigation_title: "Quick start"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-installation-configuration.html
+---
+
+# Metricbeat quick start: installation and configuration [metricbeat-installation-configuration]
+
+
+Metricbeat helps you monitor your servers and the services they host by collecting metrics from the operating system and services.
+
+This guide describes how to get started quickly with metrics collection. You’ll learn how to:
+
+* install Metricbeat on each system you want to monitor
+* specify the metrics you want to collect
+* send the metrics to {es}
+* visualize the metrics data in {kib}
+
+:::{image} images/metricbeat-system-dashboard.png
+:alt: Metricbeat System dashboard
+:class: screenshot
+:::
+
+
+## Before you begin [_before_you_begin]
+
+You need {{es}} for storing and searching your data, and {{kib}} for visualizing and managing it.
+
+:::::::{tab-set}
+
+::::::{tab-item} Elasticsearch Service
+To get started quickly, spin up a deployment of our [hosted {{ess}}](https://www.elastic.co/cloud/elasticsearch-service). The {{ess}} is available on AWS, GCP, and Azure. [Try it out for free](https://cloud.elastic.co/registration?page=docs&placement=docs-body).
+::::::
+
+::::::{tab-item} Self-managed
+To install and run {{es}} and {{kib}}, see [Installing the {{stack}}](docs-content://deploy-manage/deploy/self-managed/deploy-cluster.md).
+::::::
+
+:::::::
+
+## Step 1: Install Metricbeat [install]
+
+Install Metricbeat as close as possible to the service you want to monitor. For example, if you have four servers with MySQL running, it’s recommended that you run Metricbeat on each server. This allows Metricbeat to access your service from localhost and does not cause any additional network traffic or prevent Metricbeat from collecting metrics when there are network problems. Metrics from multiple Metricbeat instances will be combined on the Elasticsearch server.
+
+To download and install Metricbeat, use the commands that work with your system:
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+Version 9.0.0-beta1 of Metricbeat has not yet been released.
+::::::
+
+::::::{tab-item} RPM
+Version 9.0.0-beta1 of Metricbeat has not yet been released.
+::::::
+
+::::::{tab-item} MacOS
+Version 9.0.0-beta1 of Metricbeat has not yet been released.
+::::::
+
+::::::{tab-item} Linux
+Version 9.0.0-beta1 of Metricbeat has not yet been released.
+::::::
+
+::::::{tab-item} Windows
+Version 9.0.0-beta1 of Metricbeat has not yet been released.
+::::::
+
+:::::::
+The commands shown are for AMD platforms, but ARM packages are also available. Refer to the [download page](https://www.elastic.co/downloads/beats/metricbeat) for the full list of available packages.
+
+
+### Other installation options [other-installation-options]
+
+* [APT or YUM](/reference/metricbeat/setup-repositories.md)
+* [Download page](https://www.elastic.co/downloads/beats/metricbeat)
+* [Docker](/reference/metricbeat/running-on-docker.md)
+* [Kubernetes](/reference/metricbeat/running-on-kubernetes.md)
+* [Cloud Foundry](/reference/metricbeat/running-on-cloudfoundry.md)
+
+
+## Step 2: Connect to the {{stack}} [set-connection]
+
+Connections to {{es}} and {{kib}} are required to set up Metricbeat.
+
+Set the connection information in `metricbeat.yml`. To locate this configuration file, see [Directory layout](/reference/metricbeat/directory-layout.md).
+
+:::::::{tab-set}
+
+::::::{tab-item} Elasticsearch Service
+Specify the [cloud.id](/reference/metricbeat/configure-cloud-id.md) of your {{ess}}, and set [cloud.auth](/reference/metricbeat/configure-cloud-id.md) to a user who is authorized to set up Metricbeat. For example:
+
+```yaml
+cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
+cloud.auth: "metricbeat_setup:{pwd}" <1>
+```
+
+1. This examples shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/metricbeat/keystore.md).
+::::::
+
+::::::{tab-item} Self-managed
+1. Set the host and port where Metricbeat can find the {{es}} installation, and set the username and password of a user who is authorized to set up Metricbeat. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      username: "metricbeat_internal"
+      password: "{pwd}" <1>
+      ssl:
+        enabled: true
+        ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c" <2>
+    ```
+
+    1. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/metricbeat/keystore.md).
+    2. This example shows a hard-coded fingerprint, but you should store sensitive values in the [secrets keystore](/reference/metricbeat/keystore.md). The fingerprint is a HEX encoded SHA-256 of a CA certificate, when you start {{es}} for the first time, security features such as network encryption (TLS) for {{es}} are enabled by default. If you are using the self-signed certificate generated by {{es}} when it is started for the first time, you will need to add its fingerprint here. The fingerprint is printed on {{es}} start up logs, or you can refer to [connect clients to {{es}} documentation](docs-content://deploy-manage/security/security-certificates-keys.md#_connect_clients_to_es_5) for other options on retrieving it. If you are providing your own SSL certificate to {{es}} refer to [Metricbeat documentation on how to setup SSL](/reference/metricbeat/configuration-ssl.md#ssl-client-config).
+
+2. If you plan to use our pre-built {{kib}} dashboards, configure the {{kib}} endpoint. Skip this step if {{kib}} is running on the same host as {{es}}.
+
+    ```yaml
+      setup.kibana:
+        host: "mykibanahost:5601" <1>
+        username: "my_kibana_user" <2> <3>
+        password: "{pwd}"
+    ```
+
+    1. The hostname and port of the machine where {{kib}} is running, for example, `mykibanahost:5601`. If you specify a path after the port number, include the scheme and port: `http://mykibanahost:5601/path`.
+    2. The `username` and `password` settings for {{kib}} are optional. If you don’t specify credentials for {{kib}}, Metricbeat uses the `username` and `password` specified for the {{es}} output.
+    3. To use the pre-built {{kib}} dashboards, this user must be authorized to view dashboards or have the `kibana_admin` [built-in role](elasticsearch://reference/elasticsearch/roles.md).
+::::::
+
+:::::::
+To learn more about required roles and privileges, see [*Grant users access to secured resources*](/reference/metricbeat/feature-roles.md).
+
+::::{note}
+You can send data to other [outputs](/reference/metricbeat/configuring-output.md), such as {{ls}}, but that requires additional configuration and setup.
+::::
+
+
+
+## Step 3: Enable and configure metrics collection modules [enable-modules]
+
+Metricbeat uses modules to collect metrics. Each module defines the basic logic for collecting data from a specific service, such as Redis or MySQL. A module consists of metricsets that fetch and structure the data. Read [*How Metricbeat works*](/reference/metricbeat/how-metricbeat-works.md) to learn more.
+
+1. Identify the modules you need to enable. To see the list of available [modules](/reference/metricbeat/metricbeat-modules.md), run:
+
+    :::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+    metricbeat modules list
+    ```
+::::::
+
+::::::{tab-item} RPM
+```sh
+    metricbeat modules list
+    ```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+    ./metricbeat modules list
+    ```
+::::::
+
+::::::{tab-item} Linux
+```sh
+    ./metricbeat modules list
+    ```
+::::::
+
+::::::{tab-item} Windows
+```sh
+    PS > .\metricbeat.exe modules list
+    ```
+::::::
+
+::::::{tab-item} DEB
+```sh
+    metricbeat modules enable nginx
+    ```
+::::::
+
+::::::{tab-item} RPM
+```sh
+    metricbeat modules enable nginx
+    ```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+    ./metricbeat modules enable nginx
+    ```
+::::::
+
+::::::{tab-item} Linux
+```sh
+    ./metricbeat modules enable nginx
+    ```
+::::::
+
+::::::{tab-item} Windows
+```sh
+    PS > .\metricbeat.exe modules enable nginx
+    ```
+::::::
+
+::::::{tab-item} DEB
+```sh
+    metricbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} RPM
+```sh
+    metricbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+    ./metricbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} Linux
+```sh
+    ./metricbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} Windows
+```sh
+    PS > .\metricbeat.exe setup -e
+    ```
+::::::
+
+::::::{tab-item} DEB
+```sh
+sudo service metricbeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Metricbeat, you can’t specify command line flags (see [Command reference](/reference/metricbeat/command-line-options.md)). To specify flags, start Metricbeat in the foreground.
+::::
+
+
+Also see [Metricbeat and systemd](/reference/metricbeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} RPM
+```sh
+sudo service metricbeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Metricbeat, you can’t specify command line flags (see [Command reference](/reference/metricbeat/command-line-options.md)). To specify flags, start Metricbeat in the foreground.
+::::
+
+
+Also see [Metricbeat and systemd](/reference/metricbeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} MacOS
+```sh
+sudo chown root metricbeat.yml <1>
+sudo chown root modules.d/nginx.yml <1>
+sudo ./metricbeat -e
+```
+
+1. You’ll be running Metricbeat as root, so you need to change ownership of the configuration file and any configurations enabled in the `modules.d` directory, or run Metricbeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Linux
+```sh
+sudo chown root metricbeat.yml <1>
+sudo chown root modules.d/nginx.yml <1>
+sudo ./metricbeat -e
+```
+
+1. You’ll be running Metricbeat as root, so you need to change ownership of the configuration file and any configurations enabled in the `modules.d` directory, or run Metricbeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Windows
+```sh
+PS C:\Program Files\metricbeat> Start-Service metricbeat
+```
+
+By default, Windows log files are stored in `C:\ProgramData\metricbeat\Logs`.
+
+::::{note}
+On Windows, statistics about system load and swap usage are currently not captured
+::::
+::::::
+
+:::::::
+Metricbeat should begin streaming metrics to {{es}}.
+
+
+## Step 6: View your data in {{kib}} [view-data]
+
+Metricbeat comes with pre-built {{kib}} dashboards and UIs for visualizing log data. You loaded the dashboards earlier when you ran the `setup` command.
+
+To open the dashboards:
+
+1. Launch {{kib}}:
+
+    <div class="tabs" data-tab-group="host">
+      <div role="tablist" aria-label="Open Kibana">
+        <button role="tab"
+                aria-selected="true"
+                aria-controls="cloud-tab-open-kibana"
+                id="cloud-open-kibana">
+          Elasticsearch Service
+        </button>
+        <button role="tab"
+                aria-selected="false"
+                aria-controls="self-managed-tab-open-kibana"
+                id="self-managed-open-kibana"
+                tabindex="-1">
+          Self-managed
+        </button>
+      </div>
+      <div tabindex="0"
+           role="tabpanel"
+           id="cloud-tab-open-kibana"
+           aria-labelledby="cloud-open-kibana">
+    1. [Log in](https://cloud.elastic.co/) to your {{ecloud}} account.
+    2. Navigate to the {{kib}} endpoint in your deployment.
+
+      </div>
+      <div tabindex="0"
+           role="tabpanel"
+           id="self-managed-tab-open-kibana"
+           aria-labelledby="self-managed-open-kibana"
+           hidden="">
+    Point your browser to [http://localhost:5601](http://localhost:5601), replacing `localhost` with the name of the {{kib}} host.
+
+      </div>
+    </div>
+
+2. In the side navigation, click **Discover**. To see Metricbeat data, make sure the predefined `metricbeat-*` data view is selected.
+
+    ::::{tip}
+    If you don’t see data in {{kib}}, try changing the time filter to a larger range. By default, {{kib}} shows the last 15 minutes.
+    ::::
+
+3. In the side navigation, click **Dashboard**, then select the dashboard that you want to open.
+
+The dashboards are provided as examples. We recommend that you [customize](docs-content://explore-analyze/dashboards.md) them to meet your needs.
+
+
+## What’s next? [_whats_next]
+
+Now that you have your infrastructure metrics streaming into {{es}}, learn how to unify your logs, metrics, uptime, and application performance data.
+
+1. Ingest data from other sources by installing and configuring other Elastic {{beats}}:
+
+    | Elastic {{beats}} | To capture |
+    | --- | --- |
+    | [{{filebeat}}](/reference/filebeat/filebeat-installation-configuration.md) | Logs |
+    | [{{winlogbeat}}](/reference/winlogbeat/winlogbeat-installation-configuration.md) | Windows event logs |
+    | [{{heartbeat}}](/reference/heartbeat/heartbeat-installation-configuration.md) | Uptime information |
+    | [APM](docs-content://solutions/observability/apps/application-performance-monitoring-apm.md) | Application performance metrics |
+    | [{{auditbeat}}](/reference/auditbeat/auditbeat-installation-configuration.md) | Audit events |
+
+2. Use the Observability apps in {{kib}} to search across all your data:
+
+    | Elastic apps | Use to |
+    | --- | --- |
+    | [{{metrics-app}}](docs-content://solutions/observability/infra-and-hosts/analyze-infrastructure-host-metrics.md) | Explore metrics about systems and services across your ecosystem |
+    | [{{logs-app}}](docs-content://solutions/observability/logs/explore-logs.md) | Tail related log data in real time |
+    | [{{uptime-app}}](docs-content://solutions/observability/apps/synthetic-monitoring.md#monitoring-uptime) | Monitor availability issues across your apps and services |
+    | [APM app](docs-content://solutions/observability/apps/overviews.md) | Monitor application performance |
+    | [{{siem-app}}](docs-content://solutions/security.md) | Analyze security events |
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-activemq-broker.md b/docs/reference/metricbeat/metricbeat-metricset-activemq-broker.md
new file mode 100644
index 000000000000..f2a25c3ce962
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-activemq-broker.md
@@ -0,0 +1,100 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-activemq-broker.html
+---
+
+# ActiveMQ broker metricset [metricbeat-metricset-activemq-broker]
+
+This is the `broker` metricset of the ActiveMQ module.
+
+The metricset provides metrics describing the monitored ActiveMQ broker, especially connected consumers, producers, memory usage, active connections and exchanged messages.
+
+To collect data, the module communicates with a Jolokia HTTP/REST endpoint that exposes the JMX metrics over HTTP/REST/JSON (JMX key: `org.apache.activemq:brokerName=*,type=Broker`).
+
+The broker metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-activemq-broker-overview.png
+:alt: metricbeat activemq broker overview
+:::
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_4]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-activemq.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-11-19T13:14:17.425Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "event": {
+        "duration": 100756657,
+        "dataset": "activemq.broker",
+        "module": "activemq"
+    },
+    "metricset": {
+        "name": "broker",
+        "period": 5000
+    },
+    "service": {
+        "address": "localhost:33051",
+        "type": "activemq"
+    },
+    "activemq": {
+        "broker": {
+            "mbean": "org.apache.activemq:brokerName=localhost,type=Broker",
+            "memory": {
+                "store": {
+                    "pct": 0
+                },
+                "temp": {
+                    "pct": 0
+                },
+                "broker": {
+                    "pct": 0
+                }
+            },
+            "messages": {
+                "dequeue": {
+                    "count": 0
+                },
+                "enqueue": {
+                    "count": 1
+                },
+                "count": 0
+            },
+            "producers": {
+                "count": 0
+            },
+            "connections": {
+                "count": 0
+            },
+            "consumers": {
+                "count": 0
+            },
+            "name": "localhost"
+        }
+    },
+    "ecs": {
+        "version": "1.2.0"
+    },
+    "host": {
+        "name": "macbook.local"
+    },
+    "agent": {
+        "hostname": "macbook.local",
+        "id": "8d20f9a9-b24d-419b-97e6-bcccfb64679c",
+        "version": "8.0.0",
+        "type": "metricbeat",
+        "ephemeral_id": "aa9fb858-9b48-4028-a5e6-d46d83982572"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-activemq-queue.md b/docs/reference/metricbeat/metricbeat-metricset-activemq-queue.md
new file mode 100644
index 000000000000..a54e9d5955b6
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-activemq-queue.md
@@ -0,0 +1,108 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-activemq-queue.html
+---
+
+# ActiveMQ queue metricset [metricbeat-metricset-activemq-queue]
+
+This is the `queue` metricset of the ActiveMQ module.
+
+The metricset provides metrics describing the available ActiveMQ queues, especially exchanged messages (enqueued, dequeued, expired, in-flight), connected consumers, producers and its current length.
+
+To collect data, the module communicates with a Jolokia HTTP/REST endpoint that exposes the JMX metrics over HTTP/REST/JSON (JMX key: `org.apache.activemq:brokerName=localhost,destinationName=sample_queue,destinationType=Queue,type=Broker`).
+
+The queue metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-activemq-queues-overview.png
+:alt: metricbeat activemq queues overview
+:::
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_5]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-activemq.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-11-19T13:13:56.283Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "metricset": {
+        "name": "queue",
+        "period": 5000
+    },
+    "ecs": {
+        "version": "1.2.0"
+    },
+    "host": {
+        "name": "macbook.local"
+    },
+    "agent": {
+        "ephemeral_id": "e830f069-d442-498c-af73-6b02fa8b0f90",
+        "hostname": "macbook.local",
+        "id": "8d20f9a9-b24d-419b-97e6-bcccfb64679c",
+        "version": "8.0.0",
+        "type": "metricbeat"
+    },
+    "service": {
+        "type": "activemq",
+        "address": "localhost:33049"
+    },
+    "activemq": {
+        "queue": {
+            "producers": {
+                "count": 0
+            },
+            "name": "sample_queue",
+            "memory": {
+                "broker": {
+                    "pct": 0
+                }
+            },
+            "size": 2,
+            "consumers": {
+                "count": 0
+            },
+            "mbean": "org.apache.activemq:brokerName=localhost,destinationName=sample_queue,destinationType=Queue,type=Broker",
+            "messages": {
+                "size": {
+                    "avg": 1037
+                },
+                "expired": {
+                    "count": 0
+                },
+                "dequeue": {
+                    "count": 0
+                },
+                "inflight": {
+                    "count": 0
+                },
+                "dispatch": {
+                    "count": 0
+                },
+                "enqueue": {
+                    "time": {
+                        "avg": 0,
+                        "min": 0,
+                        "max": 0
+                    },
+                    "count": 2
+                }
+            }
+        }
+    },
+    "event": {
+        "dataset": "activemq.queue",
+        "module": "activemq",
+        "duration": 16081129
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-activemq-topic.md b/docs/reference/metricbeat/metricbeat-metricset-activemq-topic.md
new file mode 100644
index 000000000000..6646e11de6e5
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-activemq-topic.md
@@ -0,0 +1,107 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-activemq-topic.html
+---
+
+# ActiveMQ topic metricset [metricbeat-metricset-activemq-topic]
+
+This is the `topic` metricset of the ActiveMQ module.
+
+The metricset provides metrics describing the available ActiveMQ topics, especially exchanged messages (enqueued, dequeued, expired, in-flight), connected consumers and producers.
+
+To collect data, the module communicates with a Jolokia HTTP/REST endpoint that exposes the JMX metrics over HTTP/REST/JSON (JMX key: `org.apache.activemq:brokerName=localhost,destinationName=sample_queue,destinationType=Queue,type=Broker`).
+
+The topic metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-activemq-topics-overview.png
+:alt: metricbeat activemq topics overview
+:::
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_6]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-activemq.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-11-19T13:14:29.796Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "service": {
+        "type": "activemq",
+        "address": "localhost:33051"
+    },
+    "activemq": {
+        "topic": {
+            "name": "sample_topic",
+            "memory": {
+                "broker": {
+                    "pct": 0
+                }
+            },
+            "mbean": "org.apache.activemq:brokerName=localhost,destinationName=sample_topic,destinationType=Topic,type=Broker",
+            "producers": {
+                "count": 0
+            },
+            "consumers": {
+                "count": 0
+            },
+            "messages": {
+                "inflight": {
+                    "count": 0
+                },
+                "expired": {
+                    "count": 0
+                },
+                "enqueue": {
+                    "time": {
+                        "max": 0,
+                        "avg": 0,
+                        "min": 0
+                    },
+                    "count": 2
+                },
+                "dequeue": {
+                    "count": 0
+                },
+                "dispatch": {
+                    "count": 0
+                },
+                "size": {
+                    "avg": 1037
+                }
+            }
+        }
+    },
+    "ecs": {
+        "version": "1.2.0"
+    },
+    "host": {
+        "name": "macbook.local"
+    },
+    "agent": {
+        "version": "8.0.0",
+        "type": "metricbeat",
+        "ephemeral_id": "99de94c0-c183-438d-9751-428e3ea3bbbd",
+        "hostname": "macbook.local",
+        "id": "8d20f9a9-b24d-419b-97e6-bcccfb64679c"
+    },
+    "event": {
+        "dataset": "activemq.topic",
+        "module": "activemq",
+        "duration": 34431327
+    },
+    "metricset": {
+        "period": 5000,
+        "name": "topic"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aerospike-namespace.md b/docs/reference/metricbeat/metricbeat-metricset-aerospike-namespace.md
new file mode 100644
index 000000000000..3a65a76793c1
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aerospike-namespace.md
@@ -0,0 +1,103 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aerospike-namespace.html
+---
+
+# Aerospike namespace metricset [metricbeat-metricset-aerospike-namespace]
+
+This is the `namespace` metricset of the Aerospike module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_7]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aerospike.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aerospike": {
+        "namespace": {
+            "client": {
+                "delete": {
+                    "error": 0,
+                    "not_found": 0,
+                    "success": 0,
+                    "timeout": 0
+                },
+                "read": {
+                    "error": 0,
+                    "not_found": 0,
+                    "success": 0,
+                    "timeout": 0
+                },
+                "write": {
+                    "error": 0,
+                    "success": 0,
+                    "timeout": 0
+                }
+            },
+            "device": {
+                "available": {
+                    "pct": 99
+                },
+                "free": {
+                    "pct": 100
+                },
+                "total": {
+                    "bytes": 4294967296
+                },
+                "used": {
+                    "bytes": 0
+                }
+            },
+            "hwm_breached": false,
+            "memory": {
+                "free": {
+                    "pct": 100
+                },
+                "used": {
+                    "data": {
+                        "bytes": 0
+                    },
+                    "index": {
+                        "bytes": 0
+                    },
+                    "sindex": {
+                        "bytes": 0
+                    },
+                    "total": {
+                        "bytes": 0
+                    }
+                }
+            },
+            "name": "test",
+            "node": {
+                "host": "172.26.0.2:3000",
+                "name": "BB902001AAC4202"
+            },
+            "objects": {
+                "master": 0,
+                "total": 0
+            },
+            "stop_writes": false
+        }
+    },
+    "event": {
+        "dataset": "aerospike.namespace",
+        "duration": 115000,
+        "module": "aerospike"
+    },
+    "metricset": {
+        "name": "namespace"
+    },
+    "service": {
+        "address": "172.26.0.2:3000",
+        "type": "aerospike"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-airflow-statsd.md b/docs/reference/metricbeat/metricbeat-metricset-airflow-statsd.md
new file mode 100644
index 000000000000..443b97e5670d
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-airflow-statsd.md
@@ -0,0 +1,60 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-airflow-statsd.html
+---
+
+# Airflow statsd metricset [metricbeat-metricset-airflow-statsd]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Statsd Metricset retrieves the Airflow metrics using Statsd.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_8]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-airflow.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "airflow": {
+        "dag_duration": {
+            "15m_rate": 0,
+            "1m_rate": 0,
+            "5m_rate": 0,
+            "count": 1,
+            "max": 200,
+            "mean": 200,
+            "mean_rate": 38960.532980091164,
+            "median": 200,
+            "min": 200,
+            "p75": 200,
+            "p95": 200,
+            "p99": 200,
+            "p99_9": 200,
+            "stddev": 0
+        },
+        "dag_id": "a_dagid",
+        "status": "failure"
+    },
+    "event": {
+        "dataset": "statsd",
+        "module": "airflow"
+    },
+    "labels": {
+        "k1": "v1",
+        "k2": "v2"
+    },
+    "service": {
+        "type": "airflow"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-apache-status.md b/docs/reference/metricbeat/metricbeat-metricset-apache-status.md
new file mode 100644
index 000000000000..66b01f1feb52
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-apache-status.md
@@ -0,0 +1,88 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-apache-status.html
+---
+
+# Apache status metricset [metricbeat-metricset-apache-status]
+
+The Apache `status` metricset collects data from the Apache [mod_status](https://httpd.apache.org/docs/current/mod/mod_status.html) module. It scrapes the server status data from the web page generated by mod_status.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_9]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-apache.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "apache": {
+        "status": {
+            "bytes_per_request": 112.913,
+            "bytes_per_sec": 103.832,
+            "connections": {
+                "async": {
+                    "closing": 0,
+                    "keep_alive": 0,
+                    "writing": 0
+                },
+                "total": 0
+            },
+            "cpu": {
+                "children_system": 0,
+                "children_user": 0,
+                "load": 0.125874,
+                "system": 0.2,
+                "user": 0.16
+            },
+            "load": {
+                "1": 2,
+                "15": 1.91,
+                "5": 1.85
+            },
+            "requests_per_sec": 0.91958,
+            "scoreboard": {
+                "closing_connection": 0,
+                "dns_lookup": 0,
+                "gracefully_finishing": 0,
+                "idle_cleanup": 0,
+                "keepalive": 0,
+                "logging": 0,
+                "open_slot": 325,
+                "reading_request": 0,
+                "sending_reply": 1,
+                "starting_up": 0,
+                "total": 400,
+                "waiting_for_connection": 74
+            },
+            "total_accesses": 263,
+            "total_kbytes": 29,
+            "uptime": {
+                "server_uptime": 286,
+                "uptime": 286
+            },
+            "workers": {
+                "busy": 1,
+                "idle": 74
+            }
+        }
+    },
+    "event": {
+        "dataset": "apache.status",
+        "duration": 115000,
+        "module": "apache"
+    },
+    "metricset": {
+        "name": "status",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "apache"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-awshealth.md b/docs/reference/metricbeat/metricbeat-metricset-aws-awshealth.md
new file mode 100644
index 000000000000..477d17c02a84
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-awshealth.md
@@ -0,0 +1,91 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-awshealth.html
+---
+
+# AWS awshealth metricset [metricbeat-metricset-aws-awshealth]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+AWS Health metrics provide insights into the health of your AWS environment by monitoring various aspects such as open issues, scheduled maintenance events, security advisories, compliance status, notification counts, and service disruptions. These metrics help you proactively identify and address issues impacting your AWS resources, ensuring the reliability, security, and compliance of your infrastructure.
+
+
+## AWS Permissions [_aws_permissions]
+
+To collect AWS Health metrics using Elastic Metricbeat, you would need specific AWS permissions to access the necessary data. Here’s a list of permissions required for an IAM user to collect AWS Health metrics:
+
+```
+health:DescribeAffectedEntities
+health:DescribeEventDetails
+health:DescribeEvents
+```
+
+
+## Configuration example [_configuration_example]
+
+```yaml
+- module: aws
+  period: 24h
+  metricsets:
+    - awshealth
+```
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_10]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "awshealth": {
+            "affected_entities": [
+                {
+                    "aws_account_id": "12301234013123",
+                    "entity_url": "",
+                    "entity_value": "arn:aws:eks:us-east-2:627286350134:cluster/XXXXXXXXXXXXX",
+                    "last_updated_time": "2024-04-12T12:56:29.7Z",
+                    "status_code": "PENDING",
+                    "entity_arn": "arn:aws:health:us-east-2:627286350134:entity/YYYYYYYYYYYYYYYYYYYY"
+                }
+            ],
+            "affected_entities_others": 0,
+            "affected_entities_pending": 1,
+            "affected_entities_resolved": 0,
+            "end_time": "0001-01-01T00:00:00Z",
+            "event_arn": "arn:aws:health:us-east-2::event/EKS/AWS_EKS_PLANNED_LIFECYCLE_EVENT/AWS_EKS_PLANNED_LIFECYCLE_EVENT_a7e64e77680080d19971a80f0131ff2239909cdbe7647dd57710b764b988f476",
+            "event_description": "On May 1, 2024, standard support for Kubernetes version 1.25 in Amazon EKS will end. From May 2, 2024 all Amazon EKS clusters running on 1.25 will enter extended support and will remain in extended support until May 1, 2025.\n\nAfter May 1, 2025, Kubernetes 1.25 will no longer be supported on Amazon EKS, and all Amazon EKS clusters running on 1.25 will be automatically updated to Kubernetes version 1.26.\n\nYou are receiving this message because you currently have 1 or more Amazon EKS clusters running on Kubernetes version 1.25. A list of your impacted clusters can be found in the \"Affected resources\" tab.\n\nExtended support is currently in free preview and is available to all customers. Effective April 1 2024, your Amazon EKS clusters running on a Kubernetes version in extended support will be charged at $0.60 per cluster hour.\n\nIf you do not want to use extended support, we recommend that you update your 1.25 clusters to Kubernetes version 1.26 or newer before May 1, 2024. To learn more about the extended support for Kubernetes versions pricing, see our announcement [1]. For instructions on how to update your cluster(s), see the Amazon EKS service 'Updating an Amazon EKS cluster Kubernetes version' documentation [2].\n\nTo learn more on Kubernetes version support, see the 'Amazon EKS Kubernetes versions' documentation [3].\n\nFor any questions or assistance, please contact AWS Support [4].\n\n\n[1] https://aws.amazon.com/blogs/containers/amazon-eks-extended-support-for-kubernetes-versions-pricing/\n[2] https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html\n[3] https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html\n[4] https://aws.amazon.com/support",
+            "event_scope_code": "ACCOUNT_SPECIFIC",
+            "event_type_category": "scheduledChange",
+            "event_type_code": "AWS_EKS_PLANNED_LIFECYCLE_EVENT",
+            "last_updated_time": "2024-04-12T13:12:39.273Z",
+            "region": "us-east-2",
+            "service": "EKS",
+            "start_time": "2024-05-01T07:00:00Z",
+            "status_code": "upcoming"
+        }
+    },
+    "cloud.provider": "aws",
+    "event": {
+        "dataset": "aws.awshealth",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "awshealth",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws-health"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-billing.md b/docs/reference/metricbeat/metricbeat-metricset-aws-billing.md
new file mode 100644
index 000000000000..e75d14ac3726
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-billing.md
@@ -0,0 +1,107 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-billing.html
+---
+
+# AWS billing metricset [metricbeat-metricset-aws-billing]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+You can monitor your estimated AWS charges by using Amazon CloudWatch and Cost Explorer.
+
+This aws `billing` metricset collects metrics both from Cloudwatch and cost explorer for monitoring purposes.
+
+
+## AWS Permissions [_aws_permissions_2]
+
+Some specific AWS permissions are required for IAM user to collect estimated billing metrics.
+
+```
+cloudwatch:GetMetricData
+cloudwatch:ListMetrics
+tag:getResources
+sts:GetCallerIdentity
+iam:ListAccountAliases
+ce:GetCostAndUsage
+organizations:ListAccounts
+```
+
+
+## Dashboard [_dashboard_3]
+
+The aws billing metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-aws-billing-overview.png
+:alt: metricbeat aws billing overview
+:::
+
+
+## Configuration example [_configuration_example_2]
+
+```yaml
+- module: aws
+  period: 24h
+  metricsets:
+    - billing
+  credential_profile_name: elastic-beats
+  cost_explorer_config:
+    group_by_dimension_keys:
+      - "AZ"
+      - "INSTANCE_TYPE"
+      - "SERVICE"
+    group_by_tag_keys:
+      - "aws:createdBy"
+```
+
+
+## Metricset-specific configuration notes [_metricset_specific_configuration_notes]
+
+When querying AWS Cost Explorer API, you can group AWS costs using up to two different groups, either dimensions, tag keys, or both. Right now we support group by type dimension and type tag with separate config parameters:
+
+* **group_by_dimension_keys**: A list of keys used in Cost Explorer to group by dimensions. Valid values are AZ, INSTANCE_TYPE, LINKED_ACCOUNT, OPERATION, PURCHASE_TYPE, REGION, SERVICE, USAGE_TYPE, USAGE_TYPE_GROUP, RECORD_TYPE, OPERATING_SYSTEM, TENANCY, SCOPE, PLATFORM, SUBSCRIPTION_ID, LEGAL_ENTITY_NAME, DEPLOYMENT_OPTION, DATABASE_ENGINE, CACHE_ENGINE, INSTANCE_TYPE_FAMILY, BILLING_ENTITY and RESERVATION_ID.
+* **group_by_tag_keys**: A list of keys used in Cost Explorer to group by tags.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_11]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "billing": {
+            "Currency": "USD",
+            "EstimatedCharges": 39.26,
+            "ServiceName": "AmazonEKS"
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "428152502467",
+            "name": "elastic-beats"
+        },
+        "provider": "aws"
+    },
+    "event": {
+        "dataset": "aws.billing",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "billing",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-cloudwatch.md b/docs/reference/metricbeat/metricbeat-metricset-aws-cloudwatch.md
new file mode 100644
index 000000000000..f2f6a59182d0
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-cloudwatch.md
@@ -0,0 +1,605 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-cloudwatch.html
+---
+
+# AWS cloudwatch metricset [metricbeat-metricset-aws-cloudwatch]
+
+The cloudwatch metricset of aws module allows you to monitor various services on AWS. `cloudwatch` metricset fetches metrics from given namespace periodically by calling `GetMetricData` api.
+
+
+## AWS Permissions [_aws_permissions_3]
+
+Some specific AWS permissions are required for IAM user to collect AWS Cloudwatch metrics.
+
+```
+ec2:DescribeRegions
+cloudwatch:GetMetricData
+cloudwatch:ListMetrics
+tag:getResources
+sts:GetCallerIdentity
+iam:ListAccountAliases
+```
+
+
+## Metricset-specific configuration notes [_metricset_specific_configuration_notes_2]
+
+* **namespace**: The namespace used by ListMetrics API to filter against. For example, AWS/EC2, AWS/S3. If wildcard * is given for namespace, metrics from all namespaces will be collected automatically.
+* **name**: The name of the metric to filter against. For example, CPUUtilization for EC2 instance.
+* **dimensions**: The dimensions to filter against. For example, InstanceId=i-123.
+* **resource_type**: The constraints on the resources that you want returned. The format of each resource type is service[:resourceType]. For example, specifying a resource type of ec2 returns all Amazon EC2 resources (which includes EC2 instances). Specifying a resource type of ec2:instance returns only EC2 instances.
+* **statistic**: Statistics are metric data aggregations over specified periods of time. By default, statistic includes Average, Sum, Count, Maximum and Minimum.
+
+
+## Configuration examples [_configuration_examples]
+
+To be more focused on `cloudwatch` metricset use cases, the examples below do not include configurations on AWS credentials. Please see [AWS credentials options](/reference/metricbeat/metricbeat-module-aws.md#aws-credentials-config) for more details on setting AWS credentials in configurations in order for this metricset to make proper AWS API calls.
+
+
+### Example 1 [_example_1]
+
+```yaml
+- module: aws
+  period: 300s
+  metricsets:
+    - cloudwatch
+  tags_filter: <3>
+    - key: "Organization"
+      value: "Engineering"
+  metrics:
+    - namespace: AWS/EBS <1>
+    - namespace: AWS/ELB <2>
+      resource_type: elasticloadbalancing
+    - namespace: AWS/EC2 <4>
+      name: CPUUtilization
+      statistic: ["Average"]
+      dimensions:
+        - name: InstanceId
+          value: i-0686946e22cf9494a
+```
+
+1. Users can configure the `cloudwatch` metricset to collect all metrics from one specific namespace, such as `AWS/EBS`.
+2. `cloudwatch` metricset also has the ability to collect tags from AWS resources. If `resource_type` is specified, then tags will be collected and stored as a part of the event. Please see [AWS API GetResources](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetResources.html) for more details about `resource_type`.
+3. If tags are collected (for metricsets with `resource_type` specified), events can also be filtered by tag, using the `tags_filter` field in the module-specific configuration.
+4. If users knows exactly what are the cloudwatch metrics they want to collect, this configuration format can be used. `namespace` and `metricname` need to be specified and `dimensions` can be used to filter cloudwatch metrics. Please see [AWS List Metrics](https://docs.aws.amazon.com/cli/latest/reference/cloudwatch/list-metrics.html) for more details.
+
+
+
+### Example 2 [_example_2]
+
+```yaml
+- module: aws
+  period: 300s
+  metricsets:
+    - cloudwatch
+  metrics:
+    - namespace: "*"
+```
+
+With this config, metrics from all namespaces will be collected from Cloudwatch. The limitation here is the collection period for all namespaces are all set to be the same, which in this case is 300 second. This will cause extra costs for API calls or data loss. For example, metrics from namespace AWS/Usage are sent to Cloudwatch every 1 minute. With the collection period equals to 300 seconds, data points in between will get lost. Metrics from namespace AWS/Billing are sent to Cloudwatch every several hours. By querying from AWS/Billing namespace every 300 seconds, additional costs will occur.
+
+
+### Example 3 [_example_3]
+
+Depends on the configuration and number of services in the AWS account, the number of API calls may get too big to cause high API cost. In order to reduce the number of API calls, we recommend users to use this configuration below as an example.
+
+* **metrics.name**: Only collect a sub list of metrics that are useful to your use case.
+* **metrics.statistic**: By default, cloudwatch metricset will make API calls to get all stats like average, max, min, sum and etc. If the user knows which statistics method is most useful, specify it in the configuration.
+* **metrics.dimensions**: Different AWS services report different dimensions in their CloudWatch metrics. For example, [EMR metrics](https://docs.aws.amazon.com/emr/latest/ManagementGuide/UsingEMR_ViewingMetrics.html) can have either `JobFlowId` dimension or `JobId` dimension. If user knows which specific dimension is useful, it can be specified in this configuration option.
+
+```yaml
+- module: aws
+  period: 5m
+  metricsets:
+    - cloudwatch
+  regions: us-east-1
+  metrics:
+    - namespace: AWS/ElasticMapReduce
+      name: ["S3BytesWritten", "S3BytesRead", "HDFSUtilization", "TotalLoad"]
+      resource_type: elasticmapreduce
+      statistic: ["Average"]
+      dimensions:
+        - name: JobId
+          value: "*"
+```
+
+
+## More examples [_more_examples]
+
+With the configuration below, users will be able to collect cloudwatch metrics from EBS, ELB and EC2 without tag information.
+
+```yaml
+- module: aws
+  period: 300s
+  metricsets:
+    - cloudwatch
+  metrics:
+    - namespace: AWS/EBS
+    - namespace: AWS/ELB
+    - namespace: AWS/EC2
+```
+
+With the configuration below, users will be able to collect cloudwatch metrics from EBS, ELB and EC2 with tags from these services.
+
+```yaml
+- module: aws
+  period: 300s
+  metricsets:
+    - cloudwatch
+  metrics:
+    - namespace: AWS/EBS
+      resource_type: ebs
+    - namespace: AWS/ELB
+      resource_type: elasticloadbalancing
+    - namespace: AWS/EC2
+      resource_type: ec2:instance
+```
+
+With the configuration below, users will be able to collect specific cloudwatch metrics. For example CPUUtilization metric(average) from EC2 instance i-123 and NetworkIn metric(average) from EC2 instance i-456.
+
+```yaml
+- module: aws
+  period: 300s
+  metricsets:
+    - cloudwatch
+  metrics:
+    - namespace: AWS/EC2
+      name: ["CPUUtilization"]
+      resource_type: ec2:instance
+      dimensions:
+        - name: InstanceId
+          value: i-123
+      statistic: ["Average"]
+    - namespace: AWS/EC2
+      name: ["NetworkIn"]
+      dimensions:
+        - name: InstanceId
+          value: i-456
+      statistic: ["Average"]
+```
+
+With the configuration below, user can filter out only `LoadBalacer` and `TargetGroup` dimension metircs with the metric name `UnHealthyHostCount`, `LoadBalacer` and `TargetGroup` value could be any.
+
+```yaml
+- module: aws
+  period: 300s
+  metricsets:
+    - cloudwatch
+  metrics:
+    - namespace: AWS/ApplicationELB
+      statistic: ['Maximum']
+      name: ['UnHealthyHostCount']
+      dimensions:
+        - name: LoadBalancer
+          value: "*"
+        - name: TargetGroup
+          value: "*"
+      resource_type: elasticloadbalancing
+```
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_12]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "cloudwatch": {
+            "namespace": "AWS/RDS"
+        },
+        "dimensions": {
+            "DBClusterIdentifier": "database-1",
+            "Role": "READER"
+        },
+        "rds": {
+            "metrics": {
+                "AbortedClients": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "ActiveTransactions": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "AuroraBinlogReplicaLag": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "AuroraReplicaLag": {
+                    "avg": 18.4158,
+                    "count": 5,
+                    "max": 23.787,
+                    "min": 10.634,
+                    "sum": 92.07900000000001
+                },
+                "AuroraVolumeBytesLeftTotal": {
+                    "avg": 70007366615040,
+                    "count": 5,
+                    "max": 70007366615040,
+                    "min": 70007366615040,
+                    "sum": 350036833075200
+                },
+                "Aurora_pq_request_attempted": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "Aurora_pq_request_executed": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "Aurora_pq_request_failed": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "Aurora_pq_request_in_progress": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "Aurora_pq_request_not_chosen": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "Aurora_pq_request_not_chosen_below_min_rows": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "Aurora_pq_request_not_chosen_few_pages_outside_buffer_pool": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "Aurora_pq_request_not_chosen_long_trx": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "Aurora_pq_request_not_chosen_pq_high_buffer_pool_pct": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "Aurora_pq_request_not_chosen_small_table": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "Aurora_pq_request_not_chosen_unsupported_access": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "Aurora_pq_request_throttled": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "BlockedTransactions": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "BufferCacheHitRatio": {
+                    "avg": 100,
+                    "count": 5,
+                    "max": 100,
+                    "min": 100,
+                    "sum": 500
+                },
+                "CPUUtilization": {
+                    "avg": 6.051666111792592,
+                    "count": 5,
+                    "max": 6.216563057282379,
+                    "min": 5.808333333333334,
+                    "sum": 30.25833055896296
+                },
+                "CommitLatency": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "CommitThroughput": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "ConnectionAttempts": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "DDLLatency": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "DDLThroughput": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "DMLLatency": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "DMLThroughput": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "DatabaseConnections": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "Deadlocks": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "DeleteLatency": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "DeleteThroughput": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "EBSByteBalance%": {
+                    "avg": 99,
+                    "count": 1,
+                    "max": 99,
+                    "min": 99,
+                    "sum": 99
+                },
+                "EBSIOBalance%": {
+                    "avg": 99,
+                    "count": 1,
+                    "max": 99,
+                    "min": 99,
+                    "sum": 99
+                },
+                "EngineUptime": {
+                    "avg": 20800826,
+                    "count": 5,
+                    "max": 20800946,
+                    "min": 20800706,
+                    "sum": 104004130
+                },
+                "FreeLocalStorage": {
+                    "avg": 29682751078.4,
+                    "count": 5,
+                    "max": 29682819072,
+                    "min": 29682675712,
+                    "sum": 148413755392
+                },
+                "FreeableMemory": {
+                    "avg": 4639068160,
+                    "count": 5,
+                    "max": 4639838208,
+                    "min": 4638638080,
+                    "sum": 23195340800
+                },
+                "InsertLatency": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "InsertThroughput": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "LoginFailures": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "NetworkReceiveThroughput": {
+                    "avg": 0.8399323667305664,
+                    "count": 5,
+                    "max": 1.399556807011113,
+                    "min": 0.6999533364442371,
+                    "sum": 4.199661833652832
+                },
+                "NetworkThroughput": {
+                    "avg": 1.6798647334611327,
+                    "count": 5,
+                    "max": 2.799113614022226,
+                    "min": 1.3999066728884741,
+                    "sum": 8.399323667305664
+                },
+                "NetworkTransmitThroughput": {
+                    "avg": 0.8399323667305664,
+                    "count": 5,
+                    "max": 1.399556807011113,
+                    "min": 0.6999533364442371,
+                    "sum": 4.199661833652832
+                },
+                "NumBinaryLogFiles": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "Queries": {
+                    "avg": 6.3836833181909265,
+                    "count": 5,
+                    "max": 6.53289780681288,
+                    "min": 6.184260972479205,
+                    "sum": 31.91841659095463
+                },
+                "ReadLatency": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "ResultSetCacheHitRatio": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "RollbackSegmentHistoryListLength": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "RowLockTime": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "SelectLatency": {
+                    "avg": 0.2519199153394592,
+                    "count": 5,
+                    "max": 0.2609050632911392,
+                    "min": 0.24367924528301885,
+                    "sum": 1.2595995766972958
+                },
+                "SelectThroughput": {
+                    "avg": 2.6002296989354514,
+                    "count": 5,
+                    "max": 2.650618477644784,
+                    "min": 2.5335866920025336,
+                    "sum": 13.001148494677256
+                },
+                "SumBinaryLogSize": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "UpdateLatency": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "UpdateThroughput": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                },
+                "WriteLatency": {
+                    "avg": 0,
+                    "count": 5,
+                    "max": 0,
+                    "min": 0,
+                    "sum": 0
+                }
+            }
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "428152502467",
+            "name": "elastic-beats"
+        },
+        "provider": "aws",
+        "region": "eu-west-1"
+    },
+    "event": {
+        "dataset": "aws.cloudwatch",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "cloudwatch",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-dynamodb.md b/docs/reference/metricbeat/metricbeat-metricset-aws-dynamodb.md
new file mode 100644
index 000000000000..c3f3aa2448b3
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-dynamodb.md
@@ -0,0 +1,155 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-dynamodb.html
+---
+
+# AWS dynamodb metricset [metricbeat-metricset-aws-dynamodb]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The `dynamodb` metricset of aws module allows you to monitor your AWS DynamoDB database. `dynamodb` metricset fetches a set of values from [Amazon DynamoDB Metrics](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/metrics-dimensions.html). For all other DynamoDB metrics, the aggregation granularity is five minutes.
+
+
+## Configuration example [_configuration_example_3]
+
+```yaml
+- module: aws
+  period: 300s
+  metricsets:
+    - dynamodb
+  # This module uses the aws cloudwatch metricset, all
+  # the options for this metricset are also available here.
+```
+
+
+## Dashboard [_dashboard_4]
+
+The aws dynamodb metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-aws-dynamodb-overview.png
+:alt: metricbeat aws dynamodb overview
+:::
+
+
+## Metrics [_metrics_2]
+
+Please see more details for each metric in [Amazon DynamoDB Metrics](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/metrics-dimensions.html).
+
+|     |     |
+| --- | --- |
+| Metric Name | Statistic Method |
+| SuccessfulRequestLatency | Average |
+| OnlineIndexPercentageProgress | Average |
+| ProvisionedWriteCapacityUnits | Average |
+| ProvisionedReadCapacityUnits | Average |
+| ConsumedReadCapacityUnits | Average |
+| ConsumedWriteCapacityUnits | Average |
+| ReplicationLatency | Average |
+| TransactionConflict | Average |
+| AccountProvisionedReadCapacityUtilization | Average |
+| AccountProvisionedWriteCapacityUtilization | Average |
+| SystemErrors | Sum |
+| ConsumedReadCapacityUnits | Sum |
+| ConsumedWriteCapacityUnits | Sum |
+| ConditionalCheckFailedRequests | Sum |
+| PendingReplicationCount | Sum |
+| TransactionConflict | Sum |
+| ReadThrottleEvents | Sum |
+| ThrottledRequests | Sum |
+| WriteThrottleEvents | Sum |
+| SuccessfulRequestLatency | Maximum |
+| ReplicationLatency | Maximum |
+| AccountMaxReads | Maximum |
+| AccountMaxTableLevelReads | Maximum |
+| AccountMaxTableLevelWrites | Maximum |
+| AccountMaxWrites | Maximum |
+| MaxProvisionedTableReadCapacityUtilization | Maximum |
+| MaxProvisionedTableWriteCapacityUtilization | Maximum |
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_13]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2020-01-10T11:01:22.612Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "host": {
+        "id": "883134FF-0EC4-5E1B-9F9E-FD06FB681D84",
+        "hostname": "vm1",
+        "architecture": "x86_64",
+        "name": "vm1",
+        "os": {
+            "family": "darwin",
+            "name": "Mac OS X",
+            "kernel": "18.7.0",
+            "build": "18G95",
+            "platform": "darwin",
+            "version": "10.14.6"
+        }
+    },
+    "agent": {
+        "hostname": "vm1",
+        "id": "fbaf40e4-c9f2-4d9f-840f-b3d8de51b42c",
+        "version": "8.0.0",
+        "type": "metricbeat",
+        "ephemeral_id": "ccb69319-4fbd-4881-996a-4c710322da8b"
+    },
+    "cloud": {
+        "region": "eu-central-1",
+        "account": {
+            "name": "elastic-beats",
+            "id": "428152502467"
+        },
+        "provider": "aws"
+    },
+    "aws": {
+        "dimensions": {
+            "TableName": "TryDaxTable",
+            "Operation": "Query"
+        },
+        "dynamodb": {
+            "metrics": {
+                "SuccessfulRequestLatency": {
+                    "avg": 1.6592021822660081,
+                    "max": 2.883089
+                },
+                "ThrottledRequests": {
+                    "sum": 112
+                }
+            }
+        },
+        "cloudwatch": {
+            "namespace": "AWS/DynamoDB"
+        }
+    },
+    "event": {
+        "duration": 1447079629,
+        "dataset": "aws.dynamodb",
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "dynamodb",
+        "period": 60000
+    },
+    "service": {
+        "type": "aws"
+    },
+    "ecs": {
+        "version": "1.2.0"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-ebs.md b/docs/reference/metricbeat/metricbeat-metricset-aws-ebs.md
new file mode 100644
index 000000000000..abf9cd061238
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-ebs.md
@@ -0,0 +1,129 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-ebs.html
+---
+
+# AWS ebs metricset [metricbeat-metricset-aws-ebs]
+
+Amazon Elastic Block Store (Amazon EBS) sends data points to CloudWatch for several metrics. Most EBS volumes automatically send five-minute metrics to CloudWatch only when the volume is attached to an instance. This aws `ebs` metricset collects these Cloudwatch metrics for monitoring purposes.
+
+
+## AWS Permissions [_aws_permissions_4]
+
+Some specific AWS permissions are required for IAM user to collect AWS EBS metrics.
+
+```
+ec2:DescribeRegions
+cloudwatch:GetMetricData
+cloudwatch:ListMetrics
+tag:getResources
+sts:GetCallerIdentity
+iam:ListAccountAliases
+```
+
+
+## Dashboard [_dashboard_5]
+
+The aws ebs metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-aws-ebs-overview.png
+:alt: metricbeat aws ebs overview
+:::
+
+
+## Configuration example [_configuration_example_4]
+
+```yaml
+- module: aws
+  period: 300s
+  metricsets:
+    - ebs
+  # This module uses the aws cloudwatch metricset, all
+  # the options for this metricset are also available here.
+```
+
+
+## Metrics [_metrics_3]
+
+Please see more details for each metric in [ebs-cloudwatch-metric](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using_cloudwatch_ebs.html).
+
+|     |     |
+| --- | --- |
+| Metric Name | Statistic Method |
+| VolumeReadBytes | Average |
+| VolumeWriteBytes | Average |
+| VolumeReadOps | Average |
+| VolumeWriteOps | Average |
+| VolumeQueueLength | Average |
+| VolumeThroughputPercentage | Average |
+| VolumeConsumedReadWriteOps | Average |
+| BurstBalance | Average |
+| VolumeTotalReadTime | Sum |
+| VolumeTotalWriteTime | Sum |
+| VolumeIdleTime | Sum |
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_14]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "cloudwatch": {
+            "namespace": "AWS/EBS"
+        },
+        "dimensions": {
+            "VolumeId": "vol-0dac7d6bb8e24ba7c"
+        },
+        "ebs": {
+            "metrics": {
+                "VolumeIdleTime": {
+                    "sum": 299.97
+                },
+                "VolumeQueueLength": {
+                    "avg": 0.000166666666666667
+                },
+                "VolumeReadOps": {
+                    "avg": 0
+                },
+                "VolumeTotalWriteTime": {
+                    "sum": 0.05
+                },
+                "VolumeWriteBytes": {
+                    "avg": 4915.2
+                },
+                "VolumeWriteOps": {
+                    "avg": 30
+                }
+            }
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "627959692251",
+            "name": "elastic-test"
+        },
+        "provider": "aws",
+        "region": "eu-central-1"
+    },
+    "event": {
+        "dataset": "aws.ebs",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "ebs",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-ec2.md b/docs/reference/metricbeat/metricbeat-metricset-aws-ec2.md
new file mode 100644
index 000000000000..9465cd4789fc
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-ec2.md
@@ -0,0 +1,210 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-ec2.html
+---
+
+# AWS ec2 metricset [metricbeat-metricset-aws-ec2]
+
+The ec2 metricset of aws module allows you to monitor your AWS EC2 instances, including `cpu`, `network`, `disk` and `status`. `ec2` metricset fetches a set of values from [Cloudwatch AWS EC2 Metrics](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/viewing_metrics_with_cloudwatch.html#ec2-cloudwatch-metrics).
+
+We fetch the following data:
+
+* **cpu.total.pct**: The percentage of allocated EC2 compute units that are currently in use on the instance.
+* **cpu.credit_usage**: The number of CPU credits spent by the instance for CPU utilization.
+* **cpu.credit_balance**: The number of earned CPU credits that an instance has accrued since it was launched or started.
+* **cpu.surplus_credit_balance**: The number of surplus credits that have been spent by an unlimited instance when its CPUCreditBalance value is zero.
+* **cpu.surplus_credits_charged**: The number of spent surplus credits that are not paid down by earned CPU credits, and which thus incur an additional charge.
+* **network.in.packets**: The number of packets received on all network interfaces by the instance.
+* **network.out.packets**: The number of packets sent out on all network interfaces by the instance.
+* **network.in.bytes**: The number of bytes received on all network interfaces by the instance.
+* **network.out.bytes**: The number of bytes sent out on all network interfaces by the instance.
+* **diskio.read.bytes**: Bytes read from all instance store volumes available to the instance.
+* **diskio.write.bytes**: Bytes written to all instance store volumes available to the instance.
+* **diskio.read.ops**: Completed read operations from all instance store volumes available to the instance in a specified period of time.
+* **diskio.write.ops**: Completed write operations to all instance store volumes available to the instance in a specified period of time.
+* **status.check_failed**: Reports whether the instance has passed both the instance status check and the system status check in the last minute.
+* **status.check_failed_system**: Reports whether the instance has passed the system status check in the last minute.
+* **status.check_failed_instance**: Reports whether the instance has passed the instance status check in the last minute.
+* **instance.core.count**: The number of CPU cores for the instance.
+* **instance.image.id**: The ID of the image used to launch the instance.
+* **instance.monitoring.state**: Indicates whether detailed monitoring is enabled.
+* **instance.private.dns_name**: The private DNS name of the network interface.
+* **instance.private.ip**: The private IPv4 address associated with the network interface.
+* **instance.public.dns_name**: The public DNS name of the instance.
+* **instance.public.ip**: The address of the Elastic IP address (IPv4) bound to the network interface.
+* **instance.state.code**: The state of the instance, as a 16-bit unsigned integer.
+* **instance.threads_per_core**: The state of the instance (pending | running | shutting-down | terminated | stopping | stopped).
+
+
+## AWS Permissions [_aws_permissions_5]
+
+Some specific AWS permissions are required for IAM user to collect AWS EC2 metrics.
+
+```
+ec2:DescribeInstances
+ec2:DescribeRegions
+cloudwatch:GetMetricData
+cloudwatch:ListMetrics
+sts:GetCallerIdentity
+iam:ListAccountAliases
+```
+
+
+## Dashboard [_dashboard_6]
+
+The aws ec2 metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-aws-ec2-overview.png
+:alt: metricbeat aws ec2 overview
+:::
+
+
+## Configuration example [_configuration_example_5]
+
+```yaml
+- module: aws
+  period: 300s
+  metricsets:
+    - ec2
+  access_key_id: '<access_key_id>'
+  secret_access_key: '<secret_access_key>'
+  session_token: '<session_token>'
+  tags_filter:
+    - key: "Organization"
+      value: ["Engineering", "Product"]
+```
+
+`tags_filter` can be specified to only collect metrics with certain tag keys/values. For example, with the configuration example above, ec2 metricset will only collect metrics from EC2 instances that have tag key equals "Organization" and tag value equals to "Engineering" or "Product".
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_15]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "cloudwatch": {
+            "namespace": "AWS/EC2"
+        },
+        "dimensions": {
+            "InstanceId": "i-05b6228ff8d8c5d49"
+        },
+        "ec2": {
+            "cpu": {
+                "credit_balance": 144,
+                "credit_usage": 0.007318,
+                "surplus_credit_balance": 0,
+                "surplus_credits_charged": 0
+            },
+            "diskio": {
+                "read": {
+                    "bytes_per_sec": 0,
+                    "count_per_sec": 0
+                },
+                "write": {
+                    "bytes_per_sec": 0,
+                    "count_per_sec": 0
+                }
+            },
+            "instance": {
+                "core": {
+                    "count": 1
+                },
+                "image": {
+                    "id": "ami-058b1b7fe545997ae"
+                },
+                "monitoring": {
+                    "state": "disabled"
+                },
+                "private": {
+                    "dns_name": "ip-172-31-31-247.eu-west-1.compute.internal",
+                    "ip": "172.31.31.247"
+                },
+                "public": {
+                    "dns_name": "ec2-54-194-39-129.eu-west-1.compute.amazonaws.com",
+                    "ip": "54.194.39.129"
+                },
+                "state": {
+                    "code": 16,
+                    "name": "running"
+                },
+                "threads_per_core": 1
+            },
+            "network": {
+                "in": {
+                    "bytes_per_sec": 18.343333333333334,
+                    "packets_per_sec": 0.15666666666666668
+                },
+                "out": {
+                    "bytes_per_sec": 15.326666666666666,
+                    "packets_per_sec": 0.16
+                }
+            },
+            "status": {
+                "check_failed": 0,
+                "check_failed_instance": 0,
+                "check_failed_system": 0
+            }
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "428152502467",
+            "name": "elastic-beats"
+        },
+        "availability_zone": "eu-west-1a",
+        "instance": {
+            "id": "i-05b6228ff8d8c5d49"
+        },
+        "machine": {
+            "type": "t2.micro"
+        },
+        "provider": "aws",
+        "region": "eu-west-1"
+    },
+    "event": {
+        "dataset": "aws.ec2",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "host": {
+        "cpu": {
+            "usage": 0.1005649717511616
+        },
+        "disk": {
+            "read": {
+                "bytes": 0
+            },
+            "write": {
+                "bytes": 0
+            }
+        },
+        "id": "i-05b6228ff8d8c5d49",
+        "name": "i-05b6228ff8d8c5d49",
+        "network": {
+            "egress": {
+                "bytes": 4598,
+                "packets": 48
+            },
+            "ingress": {
+                "bytes": 5503,
+                "packets": 47
+            }
+        }
+    },
+    "metricset": {
+        "name": "ec2",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-elb.md b/docs/reference/metricbeat/metricbeat-metricset-aws-elb.md
new file mode 100644
index 000000000000..36d3d280e67f
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-elb.md
@@ -0,0 +1,195 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-elb.html
+---
+
+# AWS elb metricset [metricbeat-metricset-aws-elb]
+
+Elastic Load Balancing publishes data points to Amazon CloudWatch for your load balancers and your back-end instances. This aws `elb` metricset collects these Cloudwatch metrics for monitoring purposes.
+
+
+## AWS Permissions [_aws_permissions_6]
+
+Some specific AWS permissions are required for IAM user to collect AWS ELB metrics.
+
+```
+ec2:DescribeRegions
+cloudwatch:GetMetricData
+cloudwatch:ListMetrics
+tag:getResources
+sts:GetCallerIdentity
+iam:ListAccountAliases
+```
+
+
+## Dashboard [_dashboard_7]
+
+The aws elb metricset comes with a predefined dashboard for classic ELB. For example:
+
+:::{image} images/metricbeat-aws-elb-overview.png
+:alt: metricbeat aws elb overview
+:::
+
+
+## Configuration example [_configuration_example_6]
+
+```yaml
+- module: aws
+  period: 300s
+  metricsets:
+    - elb
+  access_key_id: '${AWS_ACCESS_KEY_ID:""}'
+  secret_access_key: '${AWS_SECRET_ACCESS_KEY:""}'
+  session_token: '${AWS_SESSION_TOKEN:""}'
+  # This module uses the aws cloudwatch metricset, all
+  # the options for this metricset are also available here.
+```
+
+
+## Metrics [_metrics_4]
+
+elb metricset collects Cloudwatch metrics from [classic ELB](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-cloudwatch-metrics.html), [application ELB](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-cloudwatch-metrics.html) and [network ELB](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-cloudwatch-metrics.html).
+
+
+### Metrics for Classic ELB [_metrics_for_classic_elb]
+
+|     |     |
+| --- | --- |
+| Metric Name | Statistic Method |
+| BackendConnectionErrors | Sum |
+| HealthyHostCount | Maximum |
+| HTTPCode_Backend_2XX | Sum |
+| HTTPCode_Backend_3XX | Sum |
+| HTTPCode_Backend_4XX | Sum |
+| HTTPCode_Backend_5XX | Sum |
+| HTTPCode_ELB_4XX | Sum |
+| HTTPCode_ELB_5XX | Sum |
+| Latency | Average |
+| RequestCount | Sum |
+| SpilloverCount | Sum |
+| SurgeQueueLength | Maximum |
+| UnHealthyHostCount | Maximum |
+| EstimatedALBActiveConnectionCount | Average |
+| EstimatedALBConsumedLCUs | Average |
+| EstimatedALBNewConnectionCount | Average |
+| EstimatedProcessedBytes | Average |
+
+
+### Metrics for Application ELB [_metrics_for_application_elb]
+
+|     |     |
+| --- | --- |
+| Metric Name | Statistic Method |
+| ActiveConnectionCount | Sum |
+| ClientTLSNegotiationErrorCount | Sum |
+| ConsumedLCUs | Average |
+| HTTP_Fixed_Response_Count | Sum |
+| HTTP_Redirect_Count | Sum |
+| HTTP_Redirect_Url_Limit_Exceeded_Count | Sum |
+| HTTPCode_ELB_3XX_Count | Sum |
+| HTTPCode_ELB_4XX_Count | Sum |
+| HTTPCode_ELB_5XX_Count | Sum |
+| HTTPCode_ELB_500_Count | Sum |
+| HTTPCode_ELB_502_Count | Sum |
+| HTTPCode_ELB_503_Count | Sum |
+| HTTPCode_ELB_504_Count | Sum |
+| IPv6ProcessedBytes | Sum |
+| IPv6RequestCount | Sum |
+| NewConnectionCount | Sum |
+| ProcessedBytes | Sum |
+| RejectedConnectionCount | Sum |
+| RequestCount | Sum |
+| RuleEvaluations | Sum |
+
+
+### Metrics for Network ELB [_metrics_for_network_elb]
+
+|     |     |
+| --- | --- |
+| Metric Name | Statistic Method |
+| ActiveFlowCount | Average |
+| ActiveFlowCount_TLS | Average |
+| ActiveFlowCount_TCP | Average |
+| ActiveFlowCount_UDP | Average |
+| ConsumedLCUs | Average |
+| ConsumedLCUs_TCP | Average |
+| ConsumedLCUs_TLS | Average |
+| ConsumedLCUs_UDP | Average |
+| ClientTLSNegotiationErrorCount | Sum |
+| NewFlowCount | Sum |
+| NewFlowCount_TLS | Sum |
+| NewFlowCount_TCP | Sum |
+| NewFlowCount_UDP | Sum |
+| ProcessedBytes | Sum |
+| ProcessedBytes_TCP | Sum |
+| ProcessedBytes_TLS | Sum |
+| ProcessedBytes_UDP | Sum |
+| TargetTLSNegotiationErrorCount | Sum |
+| TCP_Client_Reset_Count | Sum |
+| TCP_ELB_Reset_Count | Sum |
+| TCP_Target_Reset_Count | Sum |
+| UnHealthyHostCount | Maximum |
+| HealthyHostCount | Maximum |
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_16]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "cloudwatch": {
+            "namespace": "AWS/ELB"
+        },
+        "dimensions": {
+            "Namespace": "AWS"
+        },
+        "elb": {
+            "metrics": {
+                "HealthyHostCount": {
+                    "max": 2
+                },
+                "Latency": {
+                    "avg": 0.000005960464477539062
+                },
+                "RequestCount": {
+                    "sum": 1
+                },
+                "SurgeQueueLength": {
+                    "max": 1
+                },
+                "UnHealthyHostCount": {
+                    "max": 0
+                }
+            }
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "428152502467",
+            "name": "elastic-beats"
+        },
+        "provider": "aws",
+        "region": "us-east-1"
+    },
+    "event": {
+        "dataset": "aws.elb",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "elb",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-kinesis.md b/docs/reference/metricbeat/metricbeat-metricset-aws-kinesis.md
new file mode 100644
index 000000000000..7dcb5cdba0f6
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-kinesis.md
@@ -0,0 +1,117 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-kinesis.html
+---
+
+# AWS kinesis metricset [metricbeat-metricset-aws-kinesis]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Amazon Kinesis Data Streams sends data points to CloudWatch for monitoring purpose, such as to track shard usage, monitor incoming bytes and outgoing bytes. These metrics are automatically collected and pushed to CloudWatch every minute. There are two different levels of monitoring metrics:
+
+* **Basic(stream-level)**: Stream-level data is sent automatically every minute at no charge.
+* **Enhanced(shard-level)**: Shard-level data is sent every minute for an additional cost. To get this level of data, you must specifically enable it for the stream using the [EnableEnhancedMonitoring](https://docs.aws.amazon.com/kinesis/latest/APIReference/API_EnableEnhancedMonitoring.html) operation.
+
+
+## AWS Permissions [_aws_permissions_7]
+
+Some specific AWS permissions are required for IAM user to collect AWS EBS metrics.
+
+```
+ec2:DescribeRegions
+cloudwatch:GetMetricData
+cloudwatch:ListMetrics
+tag:getResources
+sts:GetCallerIdentity
+iam:ListAccountAliases
+```
+
+
+## Dashboard [_dashboard_8]
+
+The kinesis metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-aws-kinesis-overview.png
+:alt: metricbeat aws kinesis overview
+:::
+
+
+## Configuration example [_configuration_example_7]
+
+```yaml
+- module: aws
+  period: 1m
+  metricsets:
+    - kinesis
+  # This module uses the aws cloudwatch metricset, all
+  # the options for this metricset are also available here.
+```
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_17]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "cloudwatch": {
+            "namespace": "AWS/Kinesis"
+        },
+        "dimensions": {
+            "StreamName": "fb-test"
+        },
+        "kinesis": {
+            "metrics": {
+                "GetRecords_Bytes": {
+                    "avg": 0
+                },
+                "GetRecords_IteratorAgeMilliseconds": {
+                    "avg": 0
+                },
+                "GetRecords_Latency": {
+                    "avg": 9.46
+                },
+                "GetRecords_Records": {
+                    "sum": 0
+                },
+                "GetRecords_Success": {
+                    "sum": 150
+                },
+                "ReadProvisionedThroughputExceeded": {
+                    "avg": 0
+                }
+            }
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "428152502467",
+            "name": "elastic-beats"
+        },
+        "provider": "aws",
+        "region": "us-west-1"
+    },
+    "event": {
+        "dataset": "aws.kinesis",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "kinesis",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-lambda.md b/docs/reference/metricbeat/metricbeat-metricset-aws-lambda.md
new file mode 100644
index 000000000000..164f84811c94
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-lambda.md
@@ -0,0 +1,126 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-lambda.html
+---
+
+# AWS lambda metricset [metricbeat-metricset-aws-lambda]
+
+AWS Lambda monitors functions and sends metrics to Amazon CloudWatch. These metrics include total invocations, errors, duration, throttles, dead-letter queue errors, and iterator age for stream-based invocations.
+
+
+## AWS Permissions [_aws_permissions_8]
+
+Some specific AWS permissions are required for IAM user to collect AWS EBS metrics.
+
+```
+ec2:DescribeRegions
+cloudwatch:GetMetricData
+cloudwatch:ListMetrics
+tag:getResources
+sts:GetCallerIdentity
+iam:ListAccountAliases
+```
+
+
+## Dashboard [_dashboard_9]
+
+The aws lambda metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-aws-lambda-overview.png
+:alt: metricbeat aws lambda overview
+:::
+
+
+## Configuration example [_configuration_example_8]
+
+```yaml
+- module: aws
+  period: 300s
+  metricsets:
+    - lambda
+  # This module uses the aws cloudwatch metricset, all
+  # the options for this metricset are also available here.
+```
+
+
+## Metrics [_metrics_5]
+
+Please see more details for each metric in [lambda-cloudwatch-metric](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-metrics.html).
+
+|     |     |
+| --- | --- |
+| Metric Name | Statistic Method |
+| Invocations | Average |
+| Errors | Average |
+| DeadLetterErrors | Average |
+| DestinationDeliveryFailures | Average |
+| Duration | Average |
+| Throttles | Average |
+| IteratorAge | Average |
+| ConcurrentExecutions | Average |
+| UnreservedConcurrentExecutions | Average |
+| ProvisionedConcurrentExecutions | Maximum |
+| ProvisionedConcurrencyInvocations | Sum |
+| ProvisionedConcurrencySpilloverInvocations | Sum |
+| ProvisionedConcurrencyUtilization | Maximum |
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_18]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "cloudwatch": {
+            "namespace": "AWS/Lambda"
+        },
+        "dimensions": {
+            "FunctionName": "ec2-owner-tagger-serverless",
+            "Resource": "ec2-owner-tagger-serverless"
+        },
+        "lambda": {
+            "metrics": {
+                "Duration": {
+                    "avg": 8218.073333333334
+                },
+                "Errors": {
+                    "avg": 1
+                },
+                "Invocations": {
+                    "avg": 1
+                },
+                "Throttles": {
+                    "avg": 0
+                }
+            }
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "627959692251",
+            "name": "elastic-test"
+        },
+        "provider": "aws",
+        "region": "us-west-2"
+    },
+    "event": {
+        "dataset": "aws.lambda",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "lambda",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-natgateway.md b/docs/reference/metricbeat/metricbeat-metricset-aws-natgateway.md
new file mode 100644
index 000000000000..7920adf16f43
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-natgateway.md
@@ -0,0 +1,167 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-natgateway.html
+---
+
+# AWS natgateway metricset [metricbeat-metricset-aws-natgateway]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The natgateway metricset of aws module allows users to monitor NAT gateway services. NAT gateway metric data can be used to monitor and troubleshoot NAT gateways and the data is provided at 1-minute intervals to CloudWatch. Users can use these metrics to gain a better perspective on how the web application or service is performing.
+
+
+## AWS Permissions [_aws_permissions_9]
+
+Some specific AWS permissions are required for IAM user to collect usage metrics.
+
+```
+ec2:DescribeRegions
+cloudwatch:GetMetricData
+cloudwatch:ListMetrics
+tag:getResources
+sts:GetCallerIdentity
+iam:ListAccountAliases
+```
+
+
+## Dashboard [_dashboard_10]
+
+The aws natgateway metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-aws-natgateway-overview.png
+:alt: metricbeat aws natgateway overview
+:::
+
+
+## Configuration example [_configuration_example_9]
+
+```yaml
+- module: aws
+  period: 1m
+  metricsets:
+    - natgateway
+  # This module uses the aws cloudwatch metricset, all
+  # the options for this metricset are also available here.
+```
+
+
+## Metrics and Dimensions for NAT gateway [_metrics_and_dimensions_for_nat_gateway]
+
+Metrics:
+
+|     |     |     |
+| --- | --- | --- |
+| Metric Name | Statistic Method | Description |
+| ActiveConnectionCount | Max | The total number of concurrent active TCP connections through the NAT gateway. |
+| BytesInFromDestination | Sum | The number of bytes received by the NAT gateway from the destination. |
+| BytesInFromSource | Sum | The number of bytes received by the NAT gateway from clients in your VPC. |
+| BytesOutToDestination | Sum | The number of bytes sent out through the NAT gateway to the destination. |
+| BytesOutToSource | Sum | The number of bytes sent through the NAT gateway to the clients in your VPC. |
+| ConnectionAttemptCount | Sum | The number of connection attempts made through the NAT gateway. |
+| ConnectionEstablishedCount | Sum | The number of connections established through the NAT gateway. |
+| ErrorPortAllocation | Sum | The number of times the NAT gateway could not allocate a source port. |
+| IdleTimeoutCount | Sum | The number of connections that transitioned from the active state to the idle state. |
+| PacketsDropCount | Sum | The number of packets dropped by the NAT gateway. |
+| PacketsInFromDestination | Sum | The number of packets received by the NAT gateway from the destination. |
+| PacketsInFromSource | Sum | The number of packets received by the NAT gateway from clients in your VPC. |
+| PacketsOutToDestination | Sum | The number of packets sent out through the NAT gateway to the destination. |
+| PacketsOutToSource | Sum | The number of packets sent through the NAT gateway to the clients in your VPC. |
+
+Dimensions:
+
+|     |     |
+| --- | --- |
+| Dimension Name | Description |
+| NatGatewayId | Filter the metric data by the NAT gateway ID. |
+
+Please see [NAT Gateway CloudWatch Metrics](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway-cloudwatch.html) for more details.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_19]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "cloudwatch": {
+            "namespace": "AWS/NATGateway"
+        },
+        "dimensions": {
+            "NatGatewayId": "nat-0a5cb7b9807908cc0"
+        },
+        "natgateway": {
+            "metrics": {
+                "ActiveConnectionCount": {
+                    "max": 0
+                },
+                "BytesInFromDestination": {
+                    "sum": 0
+                },
+                "BytesInFromSource": {
+                    "sum": 0
+                },
+                "BytesOutToDestination": {
+                    "sum": 0
+                },
+                "BytesOutToSource": {
+                    "sum": 0
+                },
+                "ConnectionAttemptCount": {
+                    "sum": 0
+                },
+                "ConnectionEstablishedCount": {
+                    "sum": 0
+                },
+                "ErrorPortAllocation": {
+                    "sum": 0
+                },
+                "PacketsDropCount": {
+                    "sum": 0
+                },
+                "PacketsInFromDestination": {
+                    "sum": 0
+                },
+                "PacketsInFromSource": {
+                    "sum": 0
+                },
+                "PacketsOutToDestination": {
+                    "sum": 0
+                },
+                "PacketsOutToSource": {
+                    "sum": 0
+                }
+            }
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "627959692251",
+            "name": "elastic-test"
+        },
+        "provider": "aws",
+        "region": "us-west-2"
+    },
+    "event": {
+        "dataset": "aws.natgateway",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "natgateway",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-rds.md b/docs/reference/metricbeat/metricbeat-metricset-aws-rds.md
new file mode 100644
index 000000000000..9dc6519ad345
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-rds.md
@@ -0,0 +1,154 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-rds.html
+---
+
+# AWS rds metricset [metricbeat-metricset-aws-rds]
+
+The rds metricset of aws module allows you to monitor your AWS RDS service. `rds` metricset fetches a set of metrics from [Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/MonitoringOverview.html) and [Amazon Aurora DB](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Monitoring.html). with Amazon RDS, users can monitor network throughput, I/O for read, write, and/or metadata operations, client connections, and burst credit balances for their DB instances. Amazon RDS sends metrics and dimensions to Amazon CloudWatch every minute. Amazon Aurora provides a variety of Amazon CloudWatch metrics that users can use to monitor health and performance of their Aurora DB cluster. This metricset by default collects all tags from AWS RDS.
+
+
+## AWS Permissions [_aws_permissions_10]
+
+Some specific AWS permissions are required for IAM user to collect AWS RDS metrics.
+
+```
+cloudwatch:GetMetricData
+ec2:DescribeRegions
+rds:DescribeDBInstances
+rds:ListTagsForResource
+sts:GetCallerIdentity
+iam:ListAccountAliases
+```
+
+
+## Dashboard [_dashboard_11]
+
+The aws rds metricset comes with a predefined dashboard.
+
+:::{image} images/metricbeat-aws-rds-overview.png
+:alt: metricbeat aws rds overview
+:::
+
+
+## Configuration example [_configuration_example_10]
+
+```yaml
+- module: aws
+  period: 60s
+  metricsets:
+    - rds
+  access_key_id: '<access_key_id>'
+  secret_access_key: '<secret_access_key>'
+  session_token: '<session_token>'
+```
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_20]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "cloudwatch": {
+            "namespace": "AWS/RDS"
+        },
+        "dimensions": {
+            "DatabaseClass": "db.r5.large"
+        },
+        "rds": {
+            "aurora_bin_log_replica_lag": 0,
+            "aurora_replica": {
+                "lag": {
+                    "ms": 19.9485
+                },
+                "lag_max": {
+                    "ms": 21.318500518798828
+                },
+                "lag_min": {
+                    "ms": 21.318500518798828
+                }
+            },
+            "aurora_volume_left_total": {
+                "bytes": 70007366615040
+            },
+            "cache_hit_ratio": {
+                "buffer": 100,
+                "result_set": 0
+            },
+            "cpu": {
+                "total": {
+                    "pct": 0.06552109062928828
+                }
+            },
+            "database_connections": 0,
+            "deadlocks": 0,
+            "engine_uptime": {
+                "sec": 33121208
+            },
+            "free_local_storage": {
+                "bytes": 27275925504
+            },
+            "freeable_memory": {
+                "bytes": 4604928000
+            },
+            "latency": {
+                "commit": 3.2349916666666667,
+                "ddl": 0,
+                "delete": 0,
+                "dml": 0.09888333333333334,
+                "insert": 0.09888333333333334,
+                "read": 0,
+                "select": 0.2432811228126595,
+                "update": 0,
+                "write": 0.0005787267919438727
+            },
+            "login_failures": 0,
+            "queries": 7.862475898034027,
+            "throughput": {
+                "commit": 0.24950762724254,
+                "ddl": 0,
+                "delete": 0,
+                "dml": 0.24950762724254,
+                "insert": 0.24950762724254,
+                "network": 1.3985171580449323,
+                "network_receive": 0.6992585790224661,
+                "network_transmit": 0.6992585790224661,
+                "select": 2.9299395125804084,
+                "update": 0
+            },
+            "transactions": {
+                "active": 0,
+                "blocked": 0
+            }
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "428152502467",
+            "name": "elastic-beats"
+        },
+        "provider": "aws",
+        "region": "eu-west-1"
+    },
+    "event": {
+        "dataset": "aws.rds",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "rds",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-s3_daily_storage.md b/docs/reference/metricbeat/metricbeat-metricset-aws-s3_daily_storage.md
new file mode 100644
index 000000000000..d494632a4eaf
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-s3_daily_storage.md
@@ -0,0 +1,101 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-s3_daily_storage.html
+---
+
+# AWS s3_daily_storage metricset [metricbeat-metricset-aws-s3_daily_storage]
+
+The s3_daily_storage metricset of aws module allows you to monitor your AWS S3 buckets. `s3_daily_storage` metricset fetches Cloudwatch daily storage metrics for each S3 bucket from [S3 CloudWatch Daily Storage Metrics for Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudwatch-monitoring.html).
+
+
+## AWS Permissions [_aws_permissions_11]
+
+Some specific AWS permissions are required for IAM user to collect AWS s3_daily_storage metrics.
+
+```
+ec2:DescribeRegions
+cloudwatch:GetMetricData
+cloudwatch:ListMetrics
+sts:GetCallerIdentity
+iam:ListAccountAliases
+```
+
+
+## Dashboard [_dashboard_12]
+
+The aws s3_daily_storage metricset and s3_request metricset shares one predefined dashboard. For example:
+
+:::{image} images/metricbeat-aws-s3-overview.png
+:alt: metricbeat aws s3 overview
+:::
+
+Note: If only `s3_daily_storage` metricset is enabled or s3 request metrics are not enabled for the specific S3 bucket, some visualizations in this dashboard will be empty.
+
+
+## Configuration example [_configuration_example_11]
+
+```yaml
+- module: aws
+  period: 86400s
+  metricsets:
+    - s3_daily_storage
+  access_key_id: '<access_key_id>'
+  secret_access_key: '<secret_access_key>'
+  session_token: '<session_token>'
+```
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_21]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "cloudwatch": {
+            "namespace": "AWS/S3"
+        },
+        "dimensions": {
+            "StorageType": "StandardStorage"
+        },
+        "s3": {
+            "bucket": {
+                "name": "filebeat-aws-elb-test"
+            }
+        },
+        "s3_daily_storage": {
+            "bucket": {
+                "size": {
+                    "bytes": 76353832
+                }
+            }
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "428152502467",
+            "name": "elastic-beats"
+        },
+        "provider": "aws",
+        "region": "eu-central-1"
+    },
+    "event": {
+        "dataset": "aws.s3_daily_storage",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "s3_daily_storage",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-s3_request.md b/docs/reference/metricbeat/metricbeat-metricset-aws-s3_request.md
new file mode 100644
index 000000000000..7bb4934cac35
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-s3_request.md
@@ -0,0 +1,117 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-s3_request.html
+---
+
+# AWS s3_request metricset [metricbeat-metricset-aws-s3_request]
+
+The s3_request metricset of aws module allows you to monitor your AWS S3 buckets. `s3_request` metricset fetches Cloudwatch daily storage metrics for each S3 bucket from [S3 CloudWatch Request Metrics for Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudwatch-monitoring.html).
+
+Note: Request metrics are not enabled by default. You must opt into request metrics by configuring them in the console or using the Amazon S3 API. Please see [How to Configure Request Metrics for S3](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/configure-metrics.html) for instructions on how to enable request metrics for each S3 bucket.
+
+
+## AWS Permissions [_aws_permissions_12]
+
+Some specific AWS permissions are required for IAM user to collect AWS s3_request metrics.
+
+```
+ec2:DescribeRegions
+cloudwatch:GetMetricData
+cloudwatch:ListMetrics
+sts:GetCallerIdentity
+iam:ListAccountAliases
+```
+
+
+## Dashboard [_dashboard_13]
+
+The aws s3_request metricset and s3_daily_storage metricset shares one predefined dashboard. For example:
+
+:::{image} images/metricbeat-aws-s3-overview.png
+:alt: metricbeat aws s3 overview
+:::
+
+Note: If s3 request metrics are not enabled for the specific S3 bucket, some visualizations in this dashboard will be empty.
+
+
+## Configuration example [_configuration_example_12]
+
+```yaml
+- module: aws
+  period: 86400s
+  metricsets:
+    - s3_request
+  access_key_id: '<access_key_id>'
+  secret_access_key: '<secret_access_key>'
+  session_token: '<session_token>'
+```
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_22]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "cloudwatch": {
+            "namespace": "AWS/S3"
+        },
+        "dimensions": {
+            "FilterId": "request-metrics"
+        },
+        "s3": {
+            "bucket": {
+                "name": "test-ks-1"
+            }
+        },
+        "s3_request": {
+            "errors": {
+                "4xx": 0,
+                "5xx": 0
+            },
+            "latency": {
+                "first_byte": {
+                    "ms": 47.25
+                },
+                "total_request": {
+                    "ms": 57.75
+                }
+            },
+            "requests": {
+                "put": 1,
+                "total": 1
+            },
+            "uploaded": {
+                "bytes": 463
+            }
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "428152502467",
+            "name": "elastic-beats"
+        },
+        "provider": "aws",
+        "region": "us-east-1"
+    },
+    "event": {
+        "dataset": "aws.s3_request",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "s3_request",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-sns.md b/docs/reference/metricbeat/metricbeat-metricset-aws-sns.md
new file mode 100644
index 000000000000..2d438b4e2224
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-sns.md
@@ -0,0 +1,128 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-sns.html
+---
+
+# AWS sns metricset [metricbeat-metricset-aws-sns]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The `sns` metricset of aws module allows you to monitor your AWS SNS topic. `sns` metricset fetches a set of values from [Amazon SNS Metrics](https://docs.aws.amazon.com/sns/latest/dg/sns-monitoring-using-cloudwatch.html#SNS_ViewMetrics). CloudWatch metrics for Amazon SNS topics are automatically collected and pushed to CloudWatch every five minutes.
+
+
+## AWS Permissions [_aws_permissions_13]
+
+Some specific AWS permissions are required for IAM user to collect AWS SNS metrics.
+
+```
+cloudwatch:GetMetricData
+cloudwatch:ListMetrics
+ec2:DescribeRegions
+sns:ListTopics
+sts:GetCallerIdentity
+iam:ListAccountAliases
+```
+
+
+## Dashboard [_dashboard_14]
+
+The `aws sns` metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-aws-sns-overview.png
+:alt: metricbeat aws sns overview
+:::
+
+
+## Configuration example [_configuration_example_13]
+
+```yaml
+- module: aws
+  period: 300s
+  metricsets:
+    - sns
+  # This module uses the aws cloudwatch metricset, all
+  # the options for this metricset are also available here.
+```
+
+
+## Metrics [_metrics_6]
+
+Please see more details for each metric in [CloudWatch SNS Metrics](https://docs.aws.amazon.com/sns/latest/dg/sns-monitoring-using-cloudwatch.html#SNS_ViewMetrics).
+
+|     |     |
+| --- | --- |
+| Metric Name | Statistic Method |
+| NumberOfMessagesPublished | Sum |
+| NumberOfNotificationsDelivered | Sum |
+| NumberOfNotificationsFailed | Sum |
+| NumberOfNotificationsFilteredOut | Sum |
+| NumberOfNotificationsFilteredOut-InvalidAttributes | Sum |
+| NumberOfNotificationsFilteredOut-NoMessageAttributes | Sum |
+| NumberOfNotificationsRedrivenToDlq | Sum |
+| NumberOfNotificationsFailedToRedriveToDlq | Sum |
+| PublishSize | Average |
+| SMSMonthToDateSpentUSD | Sum |
+| SMSSuccessRate | Average |
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_23]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "cloudwatch": {
+            "namespace": "AWS/SNS"
+        },
+        "dimensions": {
+            "TopicName": "test-sns-ks"
+        },
+        "sns": {
+            "metrics": {
+                "NumberOfMessagesPublished": {
+                    "sum": 1
+                },
+                "NumberOfNotificationsFailed": {
+                    "sum": 1
+                },
+                "PublishSize": {
+                    "avg": 5
+                }
+            }
+        },
+        "tags": {
+            "created-by": "ks"
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "428152502467",
+            "name": "elastic-beats"
+        },
+        "provider": "aws",
+        "region": "us-east-1"
+    },
+    "event": {
+        "dataset": "aws.sns",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "sns",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-sqs.md b/docs/reference/metricbeat/metricbeat-metricset-aws-sqs.md
new file mode 100644
index 000000000000..7a6b53a82f2d
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-sqs.md
@@ -0,0 +1,108 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-sqs.html
+---
+
+# AWS sqs metricset [metricbeat-metricset-aws-sqs]
+
+The sqs metricset of aws module allows you to monitor your AWS SQS queues. `sqs` metricset fetches a set of values from [Amazon SQS Metrics](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-available-cloudwatch-metrics.html). CloudWatch metrics for Amazon SQS queues are automatically collected and pushed to CloudWatch every five minutes.
+
+
+## AWS Permissions [_aws_permissions_14]
+
+Some specific AWS permissions are required for IAM user to collect AWS SQS metrics.
+
+```
+cloudwatch:GetMetricData
+cloudwatch:ListMetrics
+ec2:DescribeRegions
+sqs:ListQueues
+sts:GetCallerIdentity
+iam:ListAccountAliases
+```
+
+
+## Dashboard [_dashboard_15]
+
+The aws sqs metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-aws-sqs-overview.png
+:alt: metricbeat aws sqs overview
+:::
+
+
+## Configuration example [_configuration_example_14]
+
+```yaml
+- module: aws
+  period: 300s
+  metricsets:
+    - sqs
+  access_key_id: '<access_key_id>'
+  secret_access_key: '<secret_access_key>'
+  session_token: '<session_token>'
+```
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_24]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "cloudwatch": {
+            "namespace": "AWS/SQS"
+        },
+        "dimensions": {
+            "QueueName": "filebeat-aws-elb-test"
+        },
+        "sqs": {
+            "empty_receives": 0,
+            "messages": {
+                "delayed": 0,
+                "deleted": 0,
+                "not_visible": 0,
+                "received": 0,
+                "sent": 0,
+                "visible": 1577.8
+            },
+            "oldest_message_age": {
+                "sec": 345603.2
+            },
+            "queue": {
+                "name": "filebeat-aws-elb-test"
+            }
+        },
+        "tags": {
+            "created-by": "kaiyan"
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "428152502467",
+            "name": "elastic-beats"
+        },
+        "provider": "aws",
+        "region": "eu-central-1"
+    },
+    "event": {
+        "dataset": "aws.sqs",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "sqs",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-transitgateway.md b/docs/reference/metricbeat/metricbeat-metricset-aws-transitgateway.md
new file mode 100644
index 000000000000..89c31ba31ed6
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-transitgateway.md
@@ -0,0 +1,138 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-transitgateway.html
+---
+
+# AWS transitgateway metricset [metricbeat-metricset-aws-transitgateway]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The transitgateway metricset of aws module allows users to monitor transit gateway. Transit gateway metrics are sent to CloudWatch by VPC only when requests are flowing through the gateway. If there are requests flowing through the transit gateway, Amazon VPC measures and sends its metrics in 1-minute intervals. Users can use these metrics to gain a better perspective on how the web application or service is performing.
+
+
+## AWS Permissions [_aws_permissions_15]
+
+Some specific AWS permissions are required for IAM user to collect usage metrics.
+
+```
+ec2:DescribeRegions
+cloudwatch:GetMetricData
+cloudwatch:ListMetrics
+tag:getResources
+sts:GetCallerIdentity
+iam:ListAccountAliases
+```
+
+
+## Dashboard [_dashboard_16]
+
+The aws transitgateway metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-aws-transitgateway-overview.png
+:alt: metricbeat aws transitgateway overview
+:::
+
+
+## Configuration example [_configuration_example_15]
+
+```yaml
+- module: aws
+  period: 1m
+  metricsets:
+    - transitgateway
+  # This module uses the aws cloudwatch metricset, all
+  # the options for this metricset are also available here.
+```
+
+
+## Metrics and Dimensions for Transit gateway [_metrics_and_dimensions_for_transit_gateway]
+
+Metrics:
+
+|     |     |     |
+| --- | --- | --- |
+| Metric Name | Statistic Method | Description |
+| BytesIn | Sum | The number of bytes received by the transit gateway. |
+| BytesOut | Sum | The number of bytes sent from the transit gateway. |
+| PacketsIn | Sum | The number of packets received by the transit gateway. |
+| PacketsOut | Sum | The number of packets sent by the transit gateway. |
+| PacketDropCountBlackhole | Sum | The number of packets dropped because they matched a blackhole route. |
+| PacketDropCountNoRoute | Sum | The number of packets dropped because they did not match a route. |
+
+Dimensions:
+
+|     |     |
+| --- | --- |
+| Dimension Name | Description |
+| TransitGateway | Filters the metric data by transit gateway. |
+
+Please see [Transit Gateway Metrics](https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-cloudwatch-metrics.html) for more details.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_25]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "cloudwatch": {
+            "namespace": "AWS/TransitGateway"
+        },
+        "dimensions": {
+            "TransitGateway": "tgw-0630672a32f12808a"
+        },
+        "transitgateway": {
+            "metrics": {
+                "BytesIn": {
+                    "sum": 0
+                },
+                "BytesOut": {
+                    "sum": 0
+                },
+                "PacketDropCountBlackhole": {
+                    "sum": 0
+                },
+                "PacketDropCountNoRoute": {
+                    "sum": 0
+                },
+                "PacketsIn": {
+                    "sum": 0
+                },
+                "PacketsOut": {
+                    "sum": 0
+                }
+            }
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "428152502467",
+            "name": "elastic-beats"
+        },
+        "provider": "aws",
+        "region": "us-west-2"
+    },
+    "event": {
+        "dataset": "aws.transitgateway",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "transitgateway",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-usage.md b/docs/reference/metricbeat/metricbeat-metricset-aws-usage.md
new file mode 100644
index 000000000000..53b5900e4846
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-usage.md
@@ -0,0 +1,124 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-usage.html
+---
+
+# AWS usage metricset [metricbeat-metricset-aws-usage]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The usage metricset of aws module allows you to collects metrics that track the usage of some AWS resources by querying AWS Cloudwatch API. Usage metrics correspond to AWS service quotas and tracking these metrics can help users to manage quotas proactively. Service quota usage metrics are collected by Cloudwatch every minute. Therefore, 1-minute is the recommended period for this metricset.
+
+
+## AWS Permissions [_aws_permissions_16]
+
+Some specific AWS permissions are required for IAM user to collect usage metrics.
+
+```
+ec2:DescribeRegions
+cloudwatch:GetMetricData
+cloudwatch:ListMetrics
+tag:getResources
+sts:GetCallerIdentity
+iam:ListAccountAliases
+```
+
+
+## Dashboard [_dashboard_17]
+
+The aws usage metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-aws-usage-overview.png
+:alt: metricbeat aws usage overview
+:::
+
+
+## Configuration example [_configuration_example_16]
+
+```yaml
+- module: aws
+  period: 1m
+  metricsets:
+    - usage
+  # This module uses the aws cloudwatch metricset, all
+  # the options for this metricset are also available here.
+```
+
+
+## Metrics and Dimensions [_metrics_and_dimensions]
+
+Metrics:
+
+|     |     |     |
+| --- | --- | --- |
+| Metric Name | Statistic Method | Description |
+| CallCount | Sum | The number of specified operations performed in your account. |
+
+Dimensions:
+
+|     |     |
+| --- | --- |
+| Dimension Name | Description |
+| Resource | The name of the API operation. |
+| Service | The name of the AWS service containing the resource. |
+| Type | The type of resource being tracked. Currently, the only valid value is API. |
+| Class | The class of resource being tracked. CloudWatch API usage metrics use this dimension with a value of None. |
+
+Please see [CloudWatch Usage Metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Usage-Metrics.html) for more details.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_26]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "cloudwatch": {
+            "namespace": "AWS/Usage"
+        },
+        "dimensions": {
+            "Class": "None",
+            "Resource": "AccountProvisionedWriteCapacityUnits",
+            "Service": "DynamoDB",
+            "Type": "Resource"
+        },
+        "usage": {
+            "metrics": {
+                "ResourceCount": {
+                    "sum": 45
+                }
+            }
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "428152502467",
+            "name": "elastic-beats"
+        },
+        "provider": "aws",
+        "region": "eu-central-1"
+    },
+    "event": {
+        "dataset": "aws.usage",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "usage",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-aws-vpn.md b/docs/reference/metricbeat/metricbeat-metricset-aws-vpn.md
new file mode 100644
index 000000000000..4884765ab6d7
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-aws-vpn.md
@@ -0,0 +1,127 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-aws-vpn.html
+---
+
+# AWS vpn metricset [metricbeat-metricset-aws-vpn]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The vpn metricset of aws module allows users to monitor VPN tunnels. VPN metric data is automatically sent to CloudWatch as it becomes available. Users can use these metrics to gain a better perspective on how the web application or service is performing.
+
+
+## AWS Permissions [_aws_permissions_17]
+
+Some specific AWS permissions are required for IAM user to collect usage metrics.
+
+```
+ec2:DescribeRegions
+cloudwatch:GetMetricData
+cloudwatch:ListMetrics
+tag:getResources
+sts:GetCallerIdentity
+iam:ListAccountAliases
+```
+
+
+## Dashboard [_dashboard_18]
+
+The aws vpn metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-aws-vpn-overview.png
+:alt: metricbeat aws vpn overview
+:::
+
+
+## Configuration example [_configuration_example_17]
+
+```yaml
+- module: aws
+  period: 1m
+  metricsets:
+    - vpn
+  # This module uses the aws cloudwatch metricset, all
+  # the options for this metricset are also available here.
+```
+
+
+## Metrics and Dimensions for VPN [_metrics_and_dimensions_for_vpn]
+
+Metrics:
+
+|     |     |     |
+| --- | --- | --- |
+| Metric Name | Statistic Method | Description |
+| TunnelState | Max | The state of the tunnel. For static VPNs, 0 indicates DOWN and 1 indicates UP. For BGP VPNs, 1 indicates ESTABLISHED and 0 is used for all other states. |
+| TunnelDataIn | Sum | The bytes received through the VPN tunnel. |
+| TunnelDataOut | Sum | The bytes sent through the VPN tunnel. |
+
+Dimensions:
+
+|     |     |
+| --- | --- |
+| Dimension Name | Description |
+| VpnId | Filters the metric data by the Site-to-Site VPN connection ID. |
+| TunnelIpAddress | Filters the metric data by the IP address of the tunnel for the virtual private gateway. |
+
+Please see [VPN Tunnel CloudWatch Metrics](https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-cloudwatch-vpn.html) for more details.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_27]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-aws.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "aws": {
+        "cloudwatch": {
+            "namespace": "AWS/VPN"
+        },
+        "dimensions": {
+            "TunnelIpAddress": "52.41.186.45"
+        },
+        "vpn": {
+            "metrics": {
+                "TunnelDataIn": {
+                    "sum": 0
+                },
+                "TunnelDataOut": {
+                    "sum": 0
+                },
+                "TunnelState": {
+                    "avg": 0
+                }
+            }
+        }
+    },
+    "cloud": {
+        "account": {
+            "id": "428152502467",
+            "name": "elastic-beats"
+        },
+        "provider": "aws",
+        "region": "us-west-2"
+    },
+    "event": {
+        "dataset": "aws.vpn",
+        "duration": 115000,
+        "module": "aws"
+    },
+    "metricset": {
+        "name": "vpn",
+        "period": 10000
+    },
+    "service": {
+        "type": "aws"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-awsfargate-task_stats.md b/docs/reference/metricbeat/metricbeat-metricset-awsfargate-task_stats.md
new file mode 100644
index 000000000000..b831acc52aef
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-awsfargate-task_stats.md
@@ -0,0 +1,359 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-awsfargate-task_stats.html
+---
+
+# AWS Fargate task_stats metricset [metricbeat-metricset-awsfargate-task_stats]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The `task_stats` metricset in `awsfargate` module allows users to monitor containers inside the same AWS Fargate task. It fetches runtime CPU metrics, disk I/O metrics, memory metrics, network metrics and container metadata from both endpoint `${ECS_CONTAINER_METADATA_URI_V4}/task/stats` and `${ECS_CONTAINER_METADATA_URI_V4}/task`.
+
+
+## Configuration Example [_configuration_example_18]
+
+This metricset should be ran as a sidecar inside the same AWS Fargate task definition, and the default configuration file should work.
+
+```yaml
+- module: awsfargate
+  period: 10s
+  metricsets:
+    - task_stats
+```
+
+
+## Setup Metricbeat Using AWS Fargate [_setup_metricbeat_using_aws_fargate]
+
+This section is to provide users an AWS native way of configuring Fargate task definition to run application containers and Metricbeat container using AWS CloudFormation.
+
+
+### Store Elastic Cloud Credentials into AWS Secret Manager [_store_elastic_cloud_credentials_into_aws_secret_manager]
+
+If users are using Elastic Cloud, it’s recommended to store cloud id and cloud auth into AWS secret manager. Here are the AWS CLI example:
+
+Create secret ELASTIC_CLOUD_AUTH:
+
+```
+aws --region us-east-1 secretsmanager create-secret --name ELASTIC_CLOUD_AUTH --secret-string XXX
+```
+
+Create secret ELASTIC_CLOUD_ID:
+
+```
+aws --region us-east-1 secretsmanager create-secret --name ELASTIC_CLOUD_ID --secret-string YYYY
+```
+
+
+### AWS CloudFormation Template Example [_aws_cloudformation_template_example]
+
+Here is an example of AWS CloudFormation template for testing purpose only. Please replace this with actual applications. This template shows how to define a new cluster, how to create a task definition with multiple containers(including Metricbeat), and how to start the service.
+
+```yaml
+AWSTemplateFormatVersion: "2010-09-09"
+Parameters:
+  SubnetID:
+    Type: String
+  CloudIDArn:
+    Type: String
+  CloudAuthArn:
+    Type: String
+  ClusterName:
+    Type: String
+  RoleName:
+    Type: String
+  TaskName:
+    Type: String
+  ServiceName:
+    Type: String
+  LogGroupName:
+    Type: String
+Resources:
+  Cluster:
+    Type: AWS::ECS::Cluster
+    Properties:
+      ClusterName: !Ref ClusterName
+      ClusterSettings:
+        - Name: containerInsights
+          Value: enabled
+  LogGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      LogGroupName: !Ref LogGroupName
+  ExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Ref RoleName
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: ecs-tasks.amazonaws.com
+            Action: sts:AssumeRole
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
+      Policies:
+        - PolicyName: !Sub 'EcsTaskExecutionRole-${AWS::StackName}'
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action:
+                  - secretsmanager:GetSecretValue
+                Resource:
+                  - !Ref CloudIDArn
+                  - !Ref CloudAuthArn
+  TaskDefinition:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      Family: !Ref TaskName
+      Cpu: 256
+      Memory: 512
+      NetworkMode: awsvpc
+      ExecutionRoleArn: !Ref ExecutionRole
+      ContainerDefinitions:
+        - Name: metricbeat-container
+          Image: docker.elastic.co/beats/metricbeat:8.0.0-SNAPSHOT
+          Secrets:
+            - Name: ELASTIC_CLOUD_ID
+              ValueFrom: !Ref CloudIDArn
+            - Name: ELASTIC_CLOUD_AUTH
+              ValueFrom: !Ref CloudAuthArn
+          LogConfiguration:
+            LogDriver: awslogs
+            Options:
+              awslogs-region: !Ref AWS::Region
+              awslogs-group: !Ref LogGroup
+              awslogs-stream-prefix: ecs
+          EntryPoint:
+            - sh
+            - -c
+          Command:
+            - ./metricbeat setup -E cloud.id=$ELASTIC_CLOUD_ID -E cloud.auth=$ELASTIC_CLOUD_AUTH && ./metricbeat modules disable system && ./metricbeat modules enable awsfargate && ./metricbeat -e -E cloud.id=$ELASTIC_CLOUD_ID -E cloud.auth=$ELASTIC_CLOUD_AUTH
+        - Name: stress-test
+          Image: containerstack/alpine-stress
+          Essential: false
+          DependsOn:
+            - ContainerName: metricbeat-container
+              Condition: START
+          EntryPoint:
+            - sh
+            - -c
+          Command:
+            - stress --cpu 8 --io 4 --vm 2 --vm-bytes 128M --timeout 6000s
+      RequiresCompatibilities:
+        - EC2
+        - FARGATE
+  Service:
+    Type: AWS::ECS::Service
+    Properties:
+      ServiceName: !Ref ServiceName
+      Cluster: !Ref Cluster
+      TaskDefinition: !Ref TaskDefinition
+      DesiredCount: 1
+      LaunchType: FARGATE
+      NetworkConfiguration:
+        AwsvpcConfiguration:
+          AssignPublicIp: ENABLED
+          Subnets:
+            - !Ref SubnetID
+```
+
+
+### Create CloudFormation Stack [_create_cloudformation_stack]
+
+When copying the CloudFormation template, please make sure the Metricbeat container image is the correct version. Once the template is saved locally into `clouformation.yml`, AWS CLI can be used to create a stack using one command:
+
+```
+aws --region us-east-1 cloudformation create-stack --stack-name <your-stack-name> --template-body file://./cloudformation.yml --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=SubnetID,ParameterValue=<subnet-id> ParameterKey=CloudAuthArn,ParameterValue=<cloud-auth-arn> ParameterKey=CloudIDArn,ParameterValue=<cloud-id-arn> ParameterKey=ClusterName,ParameterValue=<cluster-name> ParameterKey=RoleName,ParameterValue=<role-name> ParameterKey=TaskName,ParameterValue=<task-name> ParameterKey=ServiceName,ParameterValue=<service-name> ParameterKey=LogGroupName,ParameterValue=<log-group-name>
+```
+
+Make sure to replace `<subnet-id>` with your own subnet in this command. Please go to Services → VPC → Subnets to find subnet ID to use. You can also add several more containers under the TaskDefinition section.
+
+
+### Delete CloudFormation Stack [_delete_cloudformation_stack]
+
+Here is the AWS CLI to delete a stack including the cluster, task definition and all containers:
+
+```
+aws --region us-east-1 cloudformation delete-stack --stack-name <your-stack-name>
+```
+
+
+## Dashboard [_dashboard_19]
+
+The task_stats metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-awsfargate-overview.png
+:alt: metricbeat awsfargate overview
+:::
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_28]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-awsfargate.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "awsfargate": {
+        "task_stats": {
+            "cluster_name": "default",
+            "cpu": {
+                "core": null,
+                "kernel": {
+                    "norm": {
+                        "pct": 0
+                    },
+                    "pct": 0,
+                    "ticks": 1520000000
+                },
+                "system": {
+                    "norm": {
+                        "pct": 1
+                    },
+                    "pct": 2,
+                    "ticks": 1420180000000
+                },
+                "total": {
+                    "norm": {
+                        "pct": 0.2
+                    },
+                    "pct": 0.4
+                },
+                "user": {
+                    "norm": {
+                        "pct": 0
+                    },
+                    "pct": 0,
+                    "ticks": 490000000
+                }
+            },
+            "diskio": {
+                "read": {
+                    "bytes": 3452928,
+                    "ops": 118,
+                    "queued": 0,
+                    "rate": 0,
+                    "service_time": 0,
+                    "wait_time": 0
+                },
+                "reads": 0,
+                "summary": {
+                    "bytes": 3452928,
+                    "ops": 118,
+                    "queued": 0,
+                    "rate": 0,
+                    "service_time": 0,
+                    "wait_time": 0
+                },
+                "total": 0,
+                "write": {
+                    "bytes": 0,
+                    "ops": 0,
+                    "queued": 0,
+                    "rate": 0,
+                    "service_time": 0,
+                    "wait_time": 0
+                },
+                "writes": 0
+            },
+            "identifier": "query-metadata/1234",
+            "memory": {
+                "fail": {
+                    "count": 0
+                },
+                "limit": 0,
+                "rss": {
+                    "pct": 0.0010557805807105247,
+                    "total": 4157440
+                },
+                "stats": {
+                    "active_anon": 4157440,
+                    "active_file": 4497408,
+                    "cache": 6000640,
+                    "dirty": 16384,
+                    "hierarchical_memory_limit": 2147483648,
+                    "hierarchical_memsw_limit": 9223372036854772000,
+                    "inactive_anon": 0,
+                    "inactive_file": 1503232,
+                    "mapped_file": 2183168,
+                    "pgfault": 6668,
+                    "pgmajfault": 52,
+                    "pgpgin": 5925,
+                    "pgpgout": 3445,
+                    "rss": 4157440,
+                    "rss_huge": 0,
+                    "total_active_anon": 4157440,
+                    "total_active_file": 4497408,
+                    "total_cache": 600064,
+                    "total_dirty": 16384,
+                    "total_inactive_anon": 0,
+                    "total_inactive_file": 4497408,
+                    "total_mapped_file": 2183168,
+                    "total_pgfault": 6668,
+                    "total_pgmajfault": 52,
+                    "total_pgpgin": 5925,
+                    "total_pgpgout": 3445,
+                    "total_rss": 4157440,
+                    "total_rss_huge": 0,
+                    "total_unevictable": 0,
+                    "total_writeback": 0,
+                    "unevictable": 0,
+                    "writeback": 0
+                },
+                "usage": {
+                    "max": 15294464,
+                    "total": 12349440
+                }
+            },
+            "network": {
+                "eth0": {
+                    "inbound": {
+                        "bytes": 137315578,
+                        "dropped": 0,
+                        "errors": 0,
+                        "packets": 94338
+                    },
+                    "outbound": {
+                        "bytes": 1086811,
+                        "dropped": 0,
+                        "errors": 0,
+                        "packets": 25857
+                    }
+                }
+            },
+            "task_desired_status": "RUNNING",
+            "task_known_status": "ACTIVATING",
+            "task_name": "query-metadata-1"
+        }
+    },
+    "cloud": {
+        "region": "us-west-2"
+    },
+    "container": {
+        "id": "1234",
+        "image": {
+            "name": "mreferre/eksutils"
+        },
+        "labels": {
+            "com_amazonaws_ecs_cluster": "arn:aws:ecs:us-west-2:111122223333:cluster/default",
+            "com_amazonaws_ecs_container-name": "query-metadata",
+            "com_amazonaws_ecs_task-arn": "arn:aws:ecs:us-west-2:111122223333:task/default/febee046097849aba589d4435207c04a",
+            "com_amazonaws_ecs_task-definition-family": "query-metadata",
+            "com_amazonaws_ecs_task-definition-version": "7"
+        },
+        "name": "query-metadata"
+    },
+    "service": {
+        "type": "awsfargate"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-azure-app_insights.md b/docs/reference/metricbeat/metricbeat-metricset-azure-app_insights.md
new file mode 100644
index 000000000000..383ab710e735
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-azure-app_insights.md
@@ -0,0 +1,101 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-azure-app_insights.html
+---
+
+# Azure app_insights metricset [metricbeat-metricset-azure-app_insights]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the app_insights metricset.
+
+This metricset allows users to retrieve application insights metrics from specified applications.
+
+
+### Config options to identify resources [_config_options_to_identify_resources]
+
+`application_id`
+:   (*[]string*) ID of the application. This is Application ID from the API Access settings blade in the Azure portal.
+
+`api_key`
+:   (*[]string*) The API key which will be generated, more on the steps here [https://dev.applicationinsights.io/documentation/Authorization/API-key-and-App-ID](https://dev.applicationinsights.io/documentation/Authorization/API-key-and-App-ID).
+
+
+### App insights metric configurations [_app_insights_metric_configurations]
+
+`metrics`
+:   List of different metrics to collect information
+
+`id`
+:   (*[]string*) IDs of the metrics that’s being reported. Usually, the id is descriptive enough to help identify what’s measured. A list of metric names can be entered as well. Default metricsets include: `requests/count` `requests/duration` `requests/failed` `users/count``users/authenticated` `pageViews/count` `pageViews/duration` `customEvents/count` `browserTimings/processingDuration` `browserTimings/receiveDuration` `browserTimings/networkDuration` `browserTimings/sendDuration` `browserTimings/totalDuration` `dependencies/count` `dependencies/duration` `dependencies/failed` `exceptions/count` `exceptions/browser` `exceptions/server` `sessions/count` `performanceCounters/requestExecutionTime` `performanceCounters/requestsPerSecond` `performanceCounters/requestsInQueue` `performanceCounters/memoryAvailableBytes` `performanceCounters/exceptionsPerSecond` `performanceCounters/processCpuPercentage` `performanceCounters/processIOBytesPerSecond` `performanceCounters/processPrivateBytes` `performanceCounters/processorCpuPercentage` `availabilityResults/count` `availabilityResults/availabilityPercentage` `availabilityResults/duration`
+
+`interval`
+:   (*string*) The time interval to use when retrieving metric values. This is an ISO8601 duration. If interval is omitted, the metric value is aggregated across the entire timespan. If interval is supplied, the result may adjust the interval to a more appropriate size based on the timespan used for the query.
+
+`aggregation`
+:   (*[]string*) The aggregation to use when computing the metric values. To retrieve more than one aggregation at a time, separate them with a comma. If no aggregation is specified, then the default aggregation for the metric is used.
+
+`segment`
+:   (*[]string*) The name of the dimension to segment the metric values by. This dimension must be applicable to the metric you are retrieving. In this case, the metric data will be segmented in the order the dimensions are listed in the parameter.
+
+`top`
+:   (*int*) The number of segments to return. This value is only valid when segment is specified.
+
+`order_by`
+:   (*string*) The aggregation function and direction to sort the segments by. This value is only valid when segment is specified.
+
+`filter`
+:   (*string*) An expression used to filter the results. This value should be a valid OData filter expression where the keys of each clause should be applicable dimensions for the metric you are retrieving.
+
+Example configuration:
+
+```yaml
+metrics:
+ - id: ["requests/count", "requests/failed"]
+   segment: "request/name"
+   aggregation: ["sum"]
+```
+
+## Fields [_fields_29]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-azure.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "azure": {
+        "app_insights": {
+            "end_date": "2020-10-02T13:17:45.691Z",
+            "start_date": "2020-10-02T13:12:45.691Z"
+        },
+        "application_id": "42cb59a9-d5be-400b-a5c4-69b0a00434fdf4",
+        "metrics": {
+            "requests_count": {
+                "sum": 0
+            }
+        }
+    },
+    "cloud": {
+        "provider": "azure"
+    },
+    "event": {
+        "dataset": "azure.app_insights",
+        "duration": 115000,
+        "module": "azure"
+    },
+    "metricset": {
+        "name": "app_insights",
+        "period": 10000
+    },
+    "service": {
+        "type": "azure"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-azure-app_state.md b/docs/reference/metricbeat/metricbeat-metricset-azure-app_state.md
new file mode 100644
index 000000000000..29a57112bc43
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-azure-app_state.md
@@ -0,0 +1,67 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-azure-app_state.html
+---
+
+# Azure app_state metricset [metricbeat-metricset-azure-app_state]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the app_state metricset of the module azure.
+
+This metricset allows users to retrieve application insights metrics from specified applications.
+
+
+### Config options to identify resources [_config_options_to_identify_resources_2]
+
+`application_id`
+:   (*[]string*) ID of the application. This is Application ID from the API Access settings blade in the Azure portal.
+
+`api_key`
+:   (*[]string*) The API key which will be generated, more on the steps here [https://dev.applicationinsights.io/documentation/Authorization/API-key-and-App-ID](https://dev.applicationinsights.io/documentation/Authorization/API-key-and-App-ID).
+
+## Fields [_fields_30]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-azure.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "azure": {
+        "app_state": {
+            "end_date": "2020-10-02T13:23:11.221Z",
+            "requests_count": {
+                "sum": 16
+            },
+            "start_date": "2020-10-01T13:23:11.221Z"
+        },
+        "application_id": "42cb59a9-d5be-400b-a5c4-69b0a00434fdf4",
+        "dimensions": {
+            "request_name": "GET /auth",
+            "request_url_host": "demoapplogobs.azurewebsites.net"
+        }
+    },
+    "cloud": {
+        "provider": "azure"
+    },
+    "event": {
+        "dataset": "azure.app_state",
+        "duration": 115000,
+        "module": "azure"
+    },
+    "metricset": {
+        "name": "app_state",
+        "period": 10000
+    },
+    "service": {
+        "type": "azure"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-azure-billing.md b/docs/reference/metricbeat/metricbeat-metricset-azure-billing.md
new file mode 100644
index 000000000000..183f70d10a08
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-azure-billing.md
@@ -0,0 +1,85 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-azure-billing.html
+---
+
+# Azure billing metricset [metricbeat-metricset-azure-billing]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the billing metricset of the module azure.
+
+This metricset allows users to retrieve usage details and forecast information of the subscription configured.
+
+
+## Metricset-specific configuration notes [_metricset_specific_configuration_notes_3]
+
+`refresh_list_interval`
+:   Resources will be retrieved at each fetch call (`period` interval), this means a number of Azure REST calls will be executed each time. This will be helpful if the azure users will be adding/removing resources that could match the configuration options so they will not added/removed to the list. To reduce on the number of API calls we are executing to retrieve the resources each time, users can configure this setting and make sure the list or resources will not be refreshed as often. This is also beneficial for performance and rate/ cost reasons ([https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits)).
+
+`resources`
+:   This will contain all options for identifying resources and configuring the desired metrics
+
+
+### Config options to identify resources [_config_options_to_identify_resources_3]
+
+`billing_scope_department`
+:   (*string*) Retrieve usage details based on the department scope.
+
+`billing_scope_account_id`
+:   (*string*) Retrieve usage details based on the billing account ID scope.
+
+If none of the 2 options are entered then the subscription ID will be used as scope.
+
+## Fields [_fields_31]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-azure.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2020-07-08T08:05:34.853Z",
+    "azure": {
+        "billing" : {
+            "product" : "Tables - LRS Data Stored",
+            "usage_start" : "2020-07-08T00:00:00.000Z",
+            "usage_end" : "2020-07-08T23:59:59.000Z",
+            "currency" : "USD",
+            "billing_period_id" : "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/providers/Microsoft.Billing/billingPeriods/20200701",
+            "account_name" : "Eng1",
+            "pretax_cost" : "0.000004175936293",
+            "department_name" : "Eng"
+        },
+        "resource": {
+            "group": "obs-infrastructure"
+        },
+        "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6"
+    },
+    "cloud": {
+        "instance": {
+            "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.DocumentDb/databaseAccounts/obsaccount",
+            "name": "obsaccount"
+        },
+        "provider": "azure",
+        "region": "westeurope"
+    },
+    "event": {
+        "dataset": "azure.monitor",
+        "duration": 115000,
+        "module": "azure"
+    },
+    "metricset": {
+        "name": "monitor",
+        "period": 10000
+    },
+    "service": {
+        "type": "azure"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-azure-compute_vm.md b/docs/reference/metricbeat/metricbeat-metricset-azure-compute_vm.md
new file mode 100644
index 000000000000..d0a5339e44ff
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-azure-compute_vm.md
@@ -0,0 +1,216 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-azure-compute_vm.html
+---
+
+# Azure compute_vm metricset [metricbeat-metricset-azure-compute_vm]
+
+This is the compute_vm metricset of the module azure.
+
+This metricset allows users to retrieve all metrics from specified virtual machines.
+
+
+## Metricset-specific configuration notes [_metricset_specific_configuration_notes_4]
+
+`refresh_list_interval`
+:   Resources will be retrieved at each fetch call (`period` interval), this means a number of Azure REST calls will be executed each time. This will be helpful if the azure users will be adding/removing resources that could match the configuration options so they will not added/removed to the list. To reduce on the number of API calls we are executing to retrieve the resources each time, users can configure this setting and make sure the list or resources will not be refreshed as often. This is also beneficial for performance and rate/ cost reasons ([https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits)).
+
+`resources`
+:   This will contain all options for identifying resources and configuring the desired metrics
+
+
+### Config options to identify resources [_config_options_to_identify_resources_4]
+
+`resource_id`
+:   (*[]string*) The fully qualified ID’s of the resource, including the resource name and resource type. Has the format `/subscriptions/{{guid}}/resourceGroups/{{resource-group-name}}/providers/{{resource-provider-namespace}}/{resource-type}/{{resource-name}}`. Should return a list of resources.
+
+`resource_group`
+:   (*[]string*) This option will select all virtual machines inside the resource group.
+
+If none of the options are entered then all virtual machine inside the subscription are taken in account. For each metric the primary aggregation assigned will be retrieved. A default non configurable timegrain of 5 min is set so users are advised to configure an interval of 300s or  a multiply of it.
+
+To populate the VM Guest Metrics Overview dashboard, users will have to enable the Virtual Machine Guest namespace for the monitored resources. More on sending guest OS metrics to Azure Monitor here [https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-custom-metrics-guestos-resource-manager-vm](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-custom-metrics-guestos-resource-manager-vm).
+
+:::{image} images/metricbeat-azure-vm-guestmetrics-overview.png
+:alt: metricbeat azure vm guestmetrics overview
+:::
+
+## Fields [_fields_32]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-azure.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "azure": {
+        "compute_vm": {
+            "cpu_credits_consumed": {
+                "avg": 0.02
+            },
+            "cpu_credits_remaining": {
+                "avg": 288
+            },
+            "disk_read_bytes": {
+                "total": 3886082.75
+            },
+            "disk_read_operations_per_sec": {
+                "avg": 0.0665
+            },
+            "disk_write_bytes": {
+                "total": 14418893.74
+            },
+            "disk_write_operations_per_sec": {
+                "avg": 1.636
+            },
+            "inbound_flows": {
+                "avg": 97.2
+            },
+            "inbound_flows_maximum_creation_rate": {
+                "avg": 264
+            },
+            "network_in": {
+                "total": 1157992
+            },
+            "network_in_total": {
+                "total": 1211091
+            },
+            "network_out": {
+                "total": 1908414
+            },
+            "network_out_total": {
+                "total": 2340880
+            },
+            "os_disk_bandwidth_consumed_percentage": {
+                "avg": 0
+            },
+            "os_disk_iops_consumed_percentage": {
+                "avg": 0
+            },
+            "os_disk_max_burst_bandwidth": {
+                "avg": 170000000
+            },
+            "os_disk_max_burst_iops": {
+                "avg": 3500
+            },
+            "os_disk_queue_depth": {
+                "avg": 0
+            },
+            "os_disk_read_bytes_per_sec": {
+                "avg": 12953.607
+            },
+            "os_disk_read_operations_per_sec": {
+                "avg": 0.133
+            },
+            "os_disk_target_bandwidth": {
+                "avg": 100000000
+            },
+            "os_disk_target_iops": {
+                "avg": 500
+            },
+            "os_disk_used_burst_bps_credits_percentage": {
+                "avg": 2
+            },
+            "os_disk_used_burst_io_credits_percentage": {
+                "avg": 0
+            },
+            "os_disk_write_bytes_per_sec": {
+                "avg": 48062.975
+            },
+            "os_disk_write_operations_per_sec": {
+                "avg": 3.272
+            },
+            "outbound_flows": {
+                "avg": 97.2
+            },
+            "outbound_flows_maximum_creation_rate": {
+                "avg": 264
+            },
+            "percentage_cpu": {
+                "avg": 2.548
+            },
+            "premium_os_disk_cache_read_hit": {
+                "avg": 100
+            },
+            "premium_os_disk_cache_read_miss": {
+                "avg": 0
+            },
+            "vm_cached_bandwidth_consumed_percentage": {
+                "avg": 0
+            },
+            "vm_cached_iops_consumed_percentage": {
+                "avg": 0
+            },
+            "vm_uncached_bandwidth_consumed_percentage": {
+                "avg": 0
+            },
+            "vm_uncached_iops_consumed_percentage": {
+                "avg": 0
+            }
+        },
+        "namespace": "Microsoft.Compute/virtualMachines",
+        "resource": {
+            "group": "obs-test",
+            "id": "/subscriptions/7657426d-c4c3-44ac-88a2-3b2cd59e6dba/resourceGroups/obs-test/providers/Microsoft.Compute/virtualMachines/perfmon-test",
+            "name": "perfmon-test",
+            "type": "Microsoft.Compute/virtualMachines"
+        },
+        "subscription_id": "7657426d-c4c3-44ac-88a2-3b2cd59e6dba",
+        "timegrain": "PT5M"
+    },
+    "cloud": {
+        "account": {
+            "id": "7657426d-c4c3-44ac-88a2-3b2cd59e6dba"
+        },
+        "instance": {
+            "id": "23d5541a-ad41-4bef-b217-1d992c51ae07",
+            "name": "perfmon-test"
+        },
+        "machine": {
+            "type": "Standard_B1ms"
+        },
+        "provider": "azure",
+        "region": "westeurope"
+    },
+    "event": {
+        "dataset": "azure.compute_vm",
+        "duration": 115000,
+        "module": "azure"
+    },
+    "host": {
+        "cpu": {
+            "usage": 0.02548
+        },
+        "disk": {
+            "read": {
+                "bytes": 3886082.75
+            },
+            "write": {
+                "bytes": 14418893.74
+            }
+        },
+        "id": "23d5541a-ad41-4bef-b217-1d992c51ae07",
+        "name": "perfmon-test",
+        "network": {
+            "egress": {
+                "bytes": 2340880,
+                "packets": 1908414
+            },
+            "ingress": {
+                "bytes": 1211091,
+                "packets": 1157992
+            }
+        }
+    },
+    "metricset": {
+        "name": "compute_vm",
+        "period": 10000
+    },
+    "service": {
+        "type": "azure"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-azure-compute_vm_scaleset.md b/docs/reference/metricbeat/metricbeat-metricset-azure-compute_vm_scaleset.md
new file mode 100644
index 000000000000..c98e92d0bd8b
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-azure-compute_vm_scaleset.md
@@ -0,0 +1,106 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-azure-compute_vm_scaleset.html
+---
+
+# Azure compute_vm_scaleset metricset [metricbeat-metricset-azure-compute_vm_scaleset]
+
+This is the compute_vm_scaleset metricset of the module azure.
+
+This metricset allows users to retrieve all metrics from specified virtual machine scalesets.
+
+
+## Metricset-specific configuration notes [_metricset_specific_configuration_notes_5]
+
+`refresh_list_interval`
+:   Resources will be retrieved at each fetch call (`period` interval), this means a number of Azure REST calls will be executed each time. This will be helpful if the azure users will be adding/removing resources that could match the configuration options so they will not added/removed to the list. To reduce on the number of API calls we are executing to retrieve the resources each time, users can configure this setting and make sure the list or resources will not be refreshed as often. This is also beneficial for performance and rate/ cost reasons ([https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits)).
+
+`resources`
+:   This will contain all options for identifying resources and configuring the desired metrics
+
+
+### Config options to identify resources [_config_options_to_identify_resources_5]
+
+`resource_id`
+:   (*[]string*) The fully qualified ID’s of the resource, including the resource name and resource type. Has the format `/subscriptions/{{guid}}/resourceGroups/{{resource-group-name}}/providers/{{resource-provider-namespace}}/{resource-type}/{{resource-name}}`. Should return a list of resources.
+
+`resource_group`
+:   (*[]string*) This option will return all virtual machine scalesets inside the resource group.
+
+If none of the options are entered then all virtual machine scalesets inside the subscription are taken in account. For each metric the primary aggregation assigned will be retrieved. A default non configurable timegrain of 5 min is set so users are advised to configure an interval of 300s or  a multiply of it.
+
+## Fields [_fields_33]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-azure.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "azure": {
+        "compute_vm_scaleset": {
+            "cpu_credits_consumed": {
+                "avg": 0.006999999999999999
+            },
+            "cpu_credits_remaining": {
+                "avg": 84.72
+            },
+            "os_per_disk_qd": {
+                "avg": 0
+            },
+            "os_per_disk_read_bytes_per_sec": {
+                "avg": 0
+            },
+            "os_per_disk_read_operations_per_sec": {
+                "avg": 0
+            },
+            "os_per_disk_write_bytes_per_sec": {
+                "avg": 3846.531
+            },
+            "os_per_disk_write_operations_per_sec": {
+                "avg": 0.5519999999999999
+            }
+        },
+        "namespace": "Microsoft.Compute/virtualMachineScaleSets",
+        "resource": {
+            "group": "obs-infrastructure",
+            "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachineScaleSets/obslinuxvmss",
+            "name": "obslinuxvmss",
+            "type": "Microsoft.Compute/virtualMachineScaleSets"
+        },
+        "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6",
+        "timegrain": "PT5M"
+    },
+    "cloud": {
+        "account": {
+            "id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6"
+        },
+        "instance": {
+            "name": "obslinuxvmss"
+        },
+        "machine": {
+            "type": "Standard_B1ls"
+        },
+        "provider": "azure",
+        "region": "westeurope"
+    },
+    "event": {
+        "dataset": "azure.compute_vm_scaleset",
+        "duration": 115000,
+        "module": "azure"
+    },
+    "host": {
+        "name": "obslinuxvmss"
+    },
+    "metricset": {
+        "name": "compute_vm_scaleset",
+        "period": 10000
+    },
+    "service": {
+        "type": "azure"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-azure-container_instance.md b/docs/reference/metricbeat/metricbeat-metricset-azure-container_instance.md
new file mode 100644
index 000000000000..21f503a88703
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-azure-container_instance.md
@@ -0,0 +1,84 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-azure-container_instance.html
+---
+
+# Azure container_instance metricset [metricbeat-metricset-azure-container_instance]
+
+This is the container_instance metricset of the module azure.
+
+This metricset allows users to retrieve all metrics from specified container groups.
+
+
+## Metricset-specific configuration notes [_metricset_specific_configuration_notes_6]
+
+`refresh_list_interval`
+:   Resources will be retrieved at each fetch call (`period` interval), this means a number of Azure REST calls will be executed each time. This will be helpful if the azure users will be adding/removing resources that could match the configuration options so they will not added/removed to the list. To reduce on the number of API calls we are executing to retrieve the resources each time, users can configure this setting and make sure the list or resources will not be refreshed as often. This is also beneficial for performance and rate/ cost reasons ([https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits)).
+
+`resources`
+:   This will contain all options for identifying resources and configuring the desired metrics
+
+
+### Config options to identify resources [_config_options_to_identify_resources_6]
+
+`resource_id`
+:   (*[]string*) The fully qualified ID’s of the resource, including the resource name and resource type. Has the format `/subscriptions/{{guid}}/resourceGroups/{{resource-group-name}}/providers/{{resource-provider-namespace}}/{resource-type}/{{resource-name}}`. Should return a list of resources.
+
+`resource_group`
+:   (*[]string*) This option will return all container groups inside the resource group.
+
+If none of the options are entered then all the container groups inside the subscription are taken in account. For each metric the primary aggregation assigned will be retrieved. A default non configurable timegrain of 5 min is set so users are advised to configure an interval of 300s or  a multiply of it.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_34]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-azure.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "azure": {
+        "container_instance": {
+            "cpu_usage": {
+                "avg": 0
+            },
+            "memory_usage": {
+                "avg": 2666496
+            }
+        },
+        "dimensions": {
+            "container_name": "anothercontainer"
+        },
+        "namespace": "Microsoft.ContainerInstance/containerGroups",
+        "resource": {
+            "group": "obs-infrastructure",
+            "id": "/subscriptions/70bd6e64-4b1e-4835-8896-db77b8eef364/resourceGroups/obs-infrastructure/providers/Microsoft.ContainerInstance/containerGroups/anothercontainer",
+            "name": "anothercontainer",
+            "type": "Microsoft.ContainerInstance/containerGroups"
+        },
+        "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364",
+        "timegrain": "PT5M"
+    },
+    "cloud": {
+        "provider": "azure",
+        "region": "westeurope"
+    },
+    "event": {
+        "dataset": "azure.container_instance",
+        "duration": 115000,
+        "module": "azure"
+    },
+    "metricset": {
+        "name": "container_instance",
+        "period": 10000
+    },
+    "service": {
+        "type": "azure"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-azure-container_registry.md b/docs/reference/metricbeat/metricbeat-metricset-azure-container_registry.md
new file mode 100644
index 000000000000..8e17f0d1ae56
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-azure-container_registry.md
@@ -0,0 +1,87 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-azure-container_registry.html
+---
+
+# Azure container_registry metricset [metricbeat-metricset-azure-container_registry]
+
+This is the container_registry metricset of the module azure.
+
+This metricset allows users to retrieve all metrics from specified container registries.
+
+
+## Metricset-specific configuration notes [_metricset_specific_configuration_notes_7]
+
+`refresh_list_interval`
+:   Resources will be retrieved at each fetch call (`period` interval), this means a number of Azure REST calls will be executed each time. This will be helpful if the azure users will be adding/removing resources that could match the configuration options so they will not added/removed to the list. To reduce on the number of API calls we are executing to retrieve the resources each time, users can configure this setting and make sure the list or resources will not be refreshed as often. This is also beneficial for performance and rate/ cost reasons ([https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits)).
+
+`resources`
+:   This will contain all options for identifying resources and configuring the desired metrics
+
+
+### Config options to identify resources [_config_options_to_identify_resources_7]
+
+`resource_id`
+:   (*[]string*) The fully qualified ID’s of the resource, including the resource name and resource type. Has the format `/subscriptions/{{guid}}/resourceGroups/{{resource-group-name}}/providers/{{resource-provider-namespace}}/{resource-type}/{{resource-name}}`. Should return a list of resources.
+
+`resource_group`
+:   (*[]string*) This option will return all container registries inside the resource group.
+
+If none of the options are entered then all container registries from the entire subscription are taken in account. For each metric the primary aggregation assigned will be retrieved. A default non configurable timegrain of 5 min is set so users are advised to configure an interval of 300s or  a multiply of it.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_35]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-azure.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "azure": {
+        "container_registry": {
+            "successful_pull_count": {
+                "avg": 1
+            },
+            "successful_push_count": {
+                "avg": 1
+            },
+            "total_pull_count": {
+                "avg": 1
+            },
+            "total_push_count": {
+                "avg": 1
+            }
+        },
+        "namespace": "Microsoft.ContainerRegistry/registries",
+        "resource": {
+            "group": "obs-infrastructure",
+            "type": "Microsoft.ContainerRegistry/registries",
+            "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.ContainerRegistry/registries/obstest",
+            "name": "obstest"
+        },
+        "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6",
+        "timegrain": "PT5M"
+    },
+    "cloud": {
+        "provider": "azure",
+        "region": "westeurope"
+    },
+    "event": {
+        "dataset": "azure.container_registry",
+        "duration": 115000,
+        "module": "azure"
+    },
+    "metricset": {
+        "name": "container_registry",
+        "period": 10000
+    },
+    "service": {
+        "type": "azure"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-azure-container_service.md b/docs/reference/metricbeat/metricbeat-metricset-azure-container_service.md
new file mode 100644
index 000000000000..95a68ae651d8
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-azure-container_service.md
@@ -0,0 +1,83 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-azure-container_service.html
+---
+
+# Azure container_service metricset [metricbeat-metricset-azure-container_service]
+
+This is the container_service metricset of the module azure.
+
+This metricset allows users to retrieve all metrics from specified container services.
+
+
+## Metricset-specific configuration notes [_metricset_specific_configuration_notes_8]
+
+`refresh_list_interval`
+:   Resources will be retrieved at each fetch call (`period` interval), this means a number of Azure REST calls will be executed each time. This will be helpful if the azure users will be adding/removing resources that could match the configuration options so they will not added/removed to the list. To reduce on the number of API calls we are executing to retrieve the resources each time, users can configure this setting and make sure the list or resources will not be refreshed as often. This is also beneficial for performance and rate/ cost reasons ([https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits)).
+
+`resources`
+:   This will contain all options for identifying resources and configuring the desired metrics
+
+
+### Config options to identify resources [_config_options_to_identify_resources_8]
+
+`resource_id`
+:   (*[]string*) The fully qualified ID’s of the resource, including the resource name and resource type. Has the format `/subscriptions/{{guid}}/resourceGroups/{{resource-group-name}}/providers/{{resource-provider-namespace}}/{resource-type}/{{resource-name}}`. Should return a list of resources.
+
+`resource_group`
+:   (*[]string*) This option will return all container services inside the resource group.
+
+If none of the options are entered then all container services inside the subscription are taken in account. For each metric the primary aggregation assigned will be retrieved. A default non configurable timegrain of 5 min is set so users are advised to configure an interval of 300s or  a multiply of it.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_36]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-azure.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "azure": {
+        "container_service": {
+            "kube_node_status_condition": {
+                "avg": 1
+            }
+        },
+        "dimensions": {
+            "condition": "PIDPressure",
+            "node": "aks-agentpool-38582116-vmss000000",
+            "status": "false"
+        },
+        "namespace": "Microsoft.ContainerService/managedClusters",
+        "resource": {
+            "group": "obs-infrastructure",
+            "id": "/subscriptions/70bd6e64-4b1e-4835-8896-db77b8eef364/resourceGroups/obs-infrastructure/providers/Microsoft.ContainerService/managedClusters/obskube",
+            "name": "obskube",
+            "type": "Microsoft.ContainerService/managedClusters"
+        },
+        "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364",
+        "timegrain": "PT5M"
+    },
+    "cloud": {
+        "provider": "azure",
+        "region": "westeurope"
+    },
+    "event": {
+        "dataset": "azure.container_service",
+        "duration": 115000,
+        "module": "azure"
+    },
+    "metricset": {
+        "name": "container_service",
+        "period": 10000
+    },
+    "service": {
+        "type": "azure"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-azure-database_account.md b/docs/reference/metricbeat/metricbeat-metricset-azure-database_account.md
new file mode 100644
index 000000000000..27ca2d03a8c8
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-azure-database_account.md
@@ -0,0 +1,85 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-azure-database_account.html
+---
+
+# Azure database_account metricset [metricbeat-metricset-azure-database_account]
+
+This is the database_account metricset of the module azure.
+
+This metricset allows users to retrieve relevant metrics from specified database accounts and comes with a predefined dashboard:
+
+:::{image} images/metricbeat-azure-database-account-overview.png
+:alt: metricbeat azure database account overview
+:::
+
+
+## Metricset-specific configuration notes [_metricset_specific_configuration_notes_9]
+
+`refresh_list_interval`
+:   Resources will be retrieved at each fetch call (`period` interval), this means a number of Azure REST calls will be executed each time. This will be helpful if the azure users will be adding/removing resources that could match the configuration options so they will not added/removed to the list. To reduce on the number of API calls we are executing to retrieve the resources each time, users can configure this setting and make sure the list or resources will not be refreshed as often. This is also beneficial for performance and rate/ cost reasons ([https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits)).
+
+`resources`
+:   This will contain all options for identifying resources and configuring the desired metrics
+
+
+### Config options to identify resources [_config_options_to_identify_resources_9]
+
+`resource_id`
+:   (*[]string*) The fully qualified ID’s of the resource, including the resource name and resource type. Has the format `/subscriptions/{{guid}}/resourceGroups/{{resource-group-name}}/providers/{{resource-provider-namespace}}/{resource-type}/{{resource-name}}`. Should return a list of resources.
+
+`resource_group`
+:   (*[]string*) This option will select all database accounts inside the resource group.
+
+If none of the options are entered then all database accounts inside the subscription are taken in account. For each metric the primary aggregation assigned will be retrieved. A default non configurable timegrain of 5 min is set so users are advised to configure an interval of 300s or  a multiply of it.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_37]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-azure.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "azure": {
+        "database_account": {
+            "service_availability": {
+                "avg": 100
+            }
+        },
+        "namespace": "Microsoft.DocumentDb/databaseAccounts",
+        "resource": {
+            "group": "obs-infrastructure",
+            "id": "/subscriptions/70bd6e64-4b1e-4835-8896-db77b8eef364/resourceGroups/obs-infrastructure/providers/Microsoft.DocumentDb/databaseAccounts/obsaccount",
+            "name": "obsaccount",
+            "tags": {
+                "defaultExperience": "Core (SQL)"
+            },
+            "type": "Microsoft.DocumentDb/databaseAccounts"
+        },
+        "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364",
+        "timegrain": "PT1H"
+    },
+    "cloud": {
+        "provider": "azure",
+        "region": "westeurope"
+    },
+    "event": {
+        "dataset": "azure.database_account",
+        "duration": 115000,
+        "module": "azure"
+    },
+    "metricset": {
+        "name": "database_account",
+        "period": 10000
+    },
+    "service": {
+        "type": "azure"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-azure-monitor.md b/docs/reference/metricbeat/metricbeat-metricset-azure-monitor.md
new file mode 100644
index 000000000000..36f8c6c11c0d
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-azure-monitor.md
@@ -0,0 +1,124 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-azure-monitor.html
+---
+
+# Azure monitor metricset [metricbeat-metricset-azure-monitor]
+
+This is the monitor metricset of the module azure.
+
+This metricset allows users to retrieve metrics from specified resources. Added filters can apply here as the interval of retrieving these metrics, metric names, aggregation list, namespaces and metric dimensions.
+
+
+## Metricset-specific configuration notes [_metricset_specific_configuration_notes_10]
+
+`refresh_list_interval`
+:   Resources will be retrieved at each fetch call (`period` interval), this means a number of Azure REST calls will be executed each time. This will be helpful if the azure users will be adding/removing resources that could match the configuration options so they will not added/removed to the list. To reduce on the number of API calls we are executing to retrieve the resources each time, users can configure this setting and make sure the list or resources will not be refreshed as often. This is also beneficial for performance and rate/ cost reasons ([https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits)).
+
+`resources`
+:   This will contain all options for identifying resources and configuring the desired metrics
+
+
+### Config options to identify resources [_config_options_to_identify_resources_10]
+
+`resource_id`
+:   (*[]string*) The fully qualified ID’s of the resource, including the resource name and resource type. Has the format `/subscriptions/{{guid}}/resourceGroups/{{resource-group-name}}/providers/{{resource-provider-namespace}}/{resource-type}/{{resource-name}}`. Should return a list of resources.
+
+But users might have large number of resources they would like to gather metrics from so, in order to reduce the verbosity users will have the options of entering a resource group and filtering by resource type, or type in a “resource_query” where the user can filter resources from their entire subscription. Source for the resource API’s: [https://docs.microsoft.com/en-us/rest/api/resources/resources/list](https://docs.microsoft.com/en-us/rest/api/resources/resources/list) [https://docs.microsoft.com/en-us/rest/api/resources/resources/listbyresourcegroup](https://docs.microsoft.com/en-us/rest/api/resources/resources/listbyresourcegroup)
+
+`resource_group`
+:   (*[]string*) Using the resource_type configuration option as a filter is required for the resource groups entered. This option should return a list resources we want to apply our metric configuration options on.
+
+`resource_type`
+:   (*string*) As mentioned above this will be a filter option for the resource group api, will check for all resources under the specified group that are the type under this configuration.
+
+`resource_query`
+:   (*string*) Should contain a filter entered by the user, the output will be a list of resources
+
+
+### Resource metric configurations [_resource_metric_configurations]
+
+`metrics`
+:   List of different metrics to collect information
+
+`namespace`
+:   (*string*) Namespaces are a way to categorize or group similar metrics together. By using namespaces, users can achieve isolation between groups of metrics that might collect different insights or performance indicators.
+
+`name`
+:   (*[]string*) Name of the metrics that’s being reported. Usually, the name is descriptive enough to help identify what’s measured. A list of metric names can be entered as well
+
+`aggregations`
+:   (*[]string*) List of supported aggregations. Azure Monitor stores all metrics at one-minute granularity intervals. During a given minute, a metric might need to be sampled several times or it might need to be measured for many discrete events. To limit the number of raw values we have to emit and pay for in Azure Monitor, they will locally pre-aggregate and emit the values: Minimum: The minimum observed value from all the samples and measurements during the minute. Maximum: The maximum observed value from all the samples and measurements during the minute. Sum: The summation of all the observed values from all the samples and measurements during the minute. Count: The number of samples and measurements taken during the minute. Total: The total number of all the observed values from all the samples and measurements during the minute.
+
+`dimensions`
+:   List of metric dimensions. Dimensions are optional, not all metrics may have dimensions. A custom metric can have up to 10 dimensions. A dimension is a key or value pair that helps describe additional characteristics about the metric being collected. By using the additional characteristics, you can collect more information about the metric, which allows for deeper insights. By using this key, you can filter the metric to see how much memory specific processes use or to identify the top five processes by memory usage. Metrics with dimensions are exported as flattened single dimensional metrics, aggregated across dimension values.
+
+`name`
+:   Dimension key
+
+`value`
+:   Dimension value. (Users can select * to return metric values for each dimension)
+
+`ignore_unsupported`
+:   (*bool*) Namespaces can be unsupported by some resources and supported in some, this configuration option makes sure no error messages are returned if the namespace is unsupported. The same will go for the metrics configured, some can be removed from Azure Monitor and it should not affect the state of the module.
+
+Users can select the options to retrieve all metrics from a specific namespace using the following:
+
+```yaml
+ metrics:
+ - name: ["*"]
+   namespace: "Microsoft.Storage/storageAccounts"
+```
+
+If no aggregations are entered under a metric level the metricset will retrieve the primary aggregation assigned for this metric.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_38]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-azure.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "azure": {
+        "dimensions": {
+            "activity_name": "secretlist"
+        },
+        "metrics": {
+            "availability": {
+                "avg": 100
+            }
+        },
+        "namespace": "Microsoft.KeyVault/vaults",
+        "resource": {
+            "group": "some-rg",
+            "id": "/subscriptions/70f046a0-a299-ab73-9950-88ac8b5ac454/resourceGroups/some-rg/providers/Microsoft.KeyVault/vaults/somekeyvault",
+            "name": "somekeyvault",
+            "type": "Microsoft.KeyVault/vaults"
+        },
+        "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364",
+        "timegrain": "PT1M"
+    },
+    "cloud": {
+        "provider": "azure",
+        "region": "westeurope"
+    },
+    "event": {
+        "dataset": "azure.monitor",
+        "duration": 115000,
+        "module": "azure"
+    },
+    "metricset": {
+        "name": "monitor",
+        "period": 10000
+    },
+    "service": {
+        "type": "azure"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-azure-storage.md b/docs/reference/metricbeat/metricbeat-metricset-azure-storage.md
new file mode 100644
index 000000000000..728fce70ea53
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-azure-storage.md
@@ -0,0 +1,99 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-azure-storage.html
+---
+
+# Azure storage metricset [metricbeat-metricset-azure-storage]
+
+This is the storage metricset of the module azure.
+
+This metricset allows users to retrieve all metrics from specified storage accounts.
+
+
+## Metricset-specific configuration notes [_metricset_specific_configuration_notes_11]
+
+`refresh_list_interval`
+:   Resources will be retrieved at each fetch call (`period` interval), this means a number of Azure REST calls will be executed each time. This will be helpful if the azure users will be adding/removing resources that could match the configuration options so they will not added/removed to the list. To reduce on the number of API calls we are executing to retrieve the resources each time, users can configure this setting and make sure the list or resources will not be refreshed as often. This is also beneficial for performance and rate/ cost reasons ([https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits)).
+
+`resources`
+:   This will contain all options for identifying resources and configuring the desired metrics
+
+
+### Config options to identify resources [_config_options_to_identify_resources_11]
+
+`resource_id`
+:   (*[]string*) The fully qualified ID’s of the resource, including the resource name and resource type. Has the format `/subscriptions/{{guid}}/resourceGroups/{{resource-group-name}}/providers/{{resource-provider-namespace}}/{resource-type}/{{resource-name}}`. Should return a list of resources.
+
+`resource_group`
+:   (*[]string*) This option will return all storage accounts inside the resource group.
+
+`service_type`
+:   (*[]string*) This configuration key can be used with any of the 2 options above, for example:
+
+```
+resources:
+    - resource_id: ""
+      service_type: ["blob", "table"]
+    - resource_group: ""
+      service_type: ["queue", "file"]
+```
+
+it will filter the metric values to be returned by specific metric namespaces. The supported metrics and namespaces can be found here [https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported#microsoftstoragestorageaccounts](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported#microsoftstoragestorageaccounts). The service type values allowed are `blob`, `table`, `queue`, `file` based on the namespaces  `Microsoft.Storage/storageAccounts/blobServices`,`Microsoft.Storage/storageAccounts/tableServices`,`Microsoft.Storage/storageAccounts/fileServices`,`Microsoft.Storage/storageAccounts/queueServices`. If no service_type is specified all values are applied.
+
+Also, if the `resources` option is not specified, then all the storage accounts from the entire subscription will be selected. The primary aggregation value will be retrieved for all the metrics contained in the namespaces. The aggregation options are `avg`, `sum`, `min`, `max`, `total`, `count`.
+
+A default non configurable timegrain of 5 min is set so users are advised to configure an interval of 300s or  a multiply of it.
+
+## Fields [_fields_39]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-azure.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "azure": {
+        "namespace": "Microsoft.Storage/storageAccounts/queueServices",
+        "resource": {
+            "group": "obs-infrastructure",
+            "type": "Microsoft.Storage/storageAccounts"
+        },
+        "storage": {
+            "queue_capacity": {
+                "avg": 0
+            },
+            "queue_count": {
+                "avg": 0
+            },
+            "queue_message_count": {
+                "avg": 0
+            }
+        },
+        "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6",
+        "timegrain": "PT1H"
+    },
+    "cloud": {
+        "instance": {
+            "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.Storage/storageAccounts/urcbyscmrkbygsawinvm/queueServices/default",
+            "name": "urcbyscmrkbygsawinvm"
+        },
+        "provider": "azure",
+        "region": "westeurope"
+    },
+    "event": {
+        "dataset": "azure.storage",
+        "duration": 115000,
+        "module": "azure"
+    },
+    "metricset": {
+        "name": "storage",
+        "period": 10000
+    },
+    "service": {
+        "type": "azure"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-beat-state.md b/docs/reference/metricbeat/metricbeat-metricset-beat-state.md
new file mode 100644
index 000000000000..8e9d5df74e04
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-beat-state.md
@@ -0,0 +1,85 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-beat-state.html
+---
+
+# Beat state metricset [metricbeat-metricset-beat-state]
+
+This is the state metricset of the beat module.
+
+## Fields [_fields_40]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-beat.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "beat": {
+        "elasticsearch": {
+            "cluster": {
+                "id": "foobar"
+            }
+        },
+        "state": {
+            "beat": {
+                "host": "2963d991095f",
+                "name": "2963d991095f",
+                "type": "metricbeat",
+                "uuid": "c4c9bc08-e990-4529-8bf5-715c00fa6615",
+                "version": "7.12.0"
+            },
+            "cluster": {
+                "uuid": "foobar"
+            },
+            "host": {
+                "containerized": "containerized",
+                "os": {
+                    "kernel": "5.14.13-200.fc34.x86_64",
+                    "name": "CentOS Linux",
+                    "platform": "centos",
+                    "version": "7 (Core)"
+                }
+            },
+            "management": {
+                "enabled": false
+            },
+            "module": {
+                "count": 10
+            },
+            "output": {
+                "name": "elasticsearch"
+            },
+            "queue": {
+                "name": "mem"
+            },
+            "service": {
+                "id": "c4c9bc08-e990-4529-8bf5-715c00fa6615",
+                "name": "metricbeat",
+                "version": "7.12.0"
+            }
+        }
+    },
+    "event": {
+        "dataset": "beat.state",
+        "duration": 115000,
+        "module": "beat"
+    },
+    "host": {
+        "architecture": "x86_64",
+        "hostname": "2963d991095f",
+        "id": "44ccc339d95bd51386fcfc5d8f041927"
+    },
+    "metricset": {
+        "name": "state",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.19.0.2:5066",
+        "type": "beat"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-beat-stats.md b/docs/reference/metricbeat/metricbeat-metricset-beat-stats.md
new file mode 100644
index 000000000000..cad01bc0805c
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-beat-stats.md
@@ -0,0 +1,162 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-beat-stats.html
+---
+
+# Beat stats metricset [metricbeat-metricset-beat-stats]
+
+This is the stats metricset of the beat module.
+
+## Fields [_fields_41]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-beat.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "beat": {
+        "id": "c4c9bc08-e990-4529-8bf5-715c00fa6615",
+        "elasticsearch": {
+            "cluster": {
+                "id": "foobar"
+            }
+        },
+        "stats": {
+            "beat": {
+                "host": "2963d991095f",
+                "name": "2963d991095f",
+                "type": "metricbeat",
+                "uuid": "c4c9bc08-e990-4529-8bf5-715c00fa6615",
+                "version": "7.12.0"
+            },
+            "cpu": {
+                "system": {
+                    "ticks": 60,
+                    "time": {
+                        "ms": 65
+                    }
+                },
+                "total": {
+                    "ticks": 170,
+                    "time": {
+                        "ms": 178
+                    },
+                    "value": 170
+                },
+                "user": {
+                    "ticks": 110,
+                    "time": {
+                        "ms": 113
+                    }
+                }
+            },
+            "handles": {
+                "limit": {
+                    "hard": 1024,
+                    "soft": 1024
+                },
+                "open": 17
+            },
+            "info": {
+                "ephemeral_id": "16f5a19a-8ed6-4bfa-ae0a-85530262b63e",
+                "uptime": {
+                    "ms": 3260
+                }
+            },
+            "libbeat": {
+                "config": {
+                    "running": 3,
+                    "starts": 3,
+                    "stops": 0,
+                    "reloads": 1
+                },
+                "output": {
+                    "events": {
+                        "acked": 0,
+                        "active": 0,
+                        "batches": 0,
+                        "dropped": 0,
+                        "duplicates": 0,
+                        "failed": 0,
+                        "toomany": 0,
+                        "total": 0
+                    },
+                    "read": {
+                        "bytes": 0,
+                        "errors": 0
+                    },
+                    "type": "elasticsearch",
+                    "write": {
+                        "bytes": 0,
+                        "errors": 0
+                    }
+                },
+                "pipeline": {
+                    "clients": 10,
+                    "events": {
+                        "active": 11,
+                        "dropped": 0,
+                        "failed": 0,
+                        "filtered": 0,
+                        "published": 11,
+                        "retry": 0,
+                        "total": 11
+                    },
+                    "queue": {
+                        "acked": 0,
+                        "max_events": 0
+                    }
+                }
+            },
+            "memstats": {
+                "gc_next": 16263952,
+                "memory": {
+                    "alloc": 12278440,
+                    "total": 31749920
+                },
+                "rss": 83816448
+            },
+            "runtime": {
+                "goroutines": 63
+            },
+            "system": {
+                "cpu": {
+                    "cores": 12
+                },
+                "load": {
+                    "1": 2.14,
+                    "15": 1.5,
+                    "5": 1.44,
+                    "norm": {
+                        "1": 0.1783,
+                        "15": 0.125,
+                        "5": 0.12
+                    }
+                }
+            },
+            "uptime": {
+                "ms": 3260
+            }
+        },
+        "type": "metricbeat"
+    },
+    "event": {
+        "dataset": "beat.stats",
+        "duration": 115000,
+        "module": "beat"
+    },
+    "metricset": {
+        "name": "stats",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.19.0.2:5066",
+        "name": "beat",
+        "type": "beat"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-benchmark-info.md b/docs/reference/metricbeat/metricbeat-metricset-benchmark-info.md
new file mode 100644
index 000000000000..e9a171693fbb
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-benchmark-info.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/master/metricbeat-metricset-benchmark-info.html
+---
+
+# Benchmark info metricset [metricbeat-metricset-benchmark-info]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the info metricset of the module benchmark.
+
+## Fields [_fields_42]
+
+For a description of each field in the metricset, see the [exported fields](exported-fields-benchmark.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+  "@timestamp": "2016-05-23T08:05:34.853Z",
+  "metricset": {
+    "name": "info",
+    "period": 1000
+  },
+  "event": {
+    "duration": 27000,
+    "dataset": "benchmark.info",
+    "module": "benchmark"
+  },
+  "service": {
+    "type": "benchmark"
+  },
+  "service": {
+    "type": "benchmark"
+  },
+  "benchmark": {
+    "info": {
+      "counter": 42
+    }
+  }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-ceph-cluster_disk.md b/docs/reference/metricbeat/metricbeat-metricset-ceph-cluster_disk.md
new file mode 100644
index 000000000000..d77690b65cb9
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-ceph-cluster_disk.md
@@ -0,0 +1,53 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-ceph-cluster_disk.html
+---
+
+# Ceph cluster_disk metricset [metricbeat-metricset-ceph-cluster_disk]
+
+This is the `cluster_disk` metricset of the Ceph module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_43]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-ceph.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "ceph": {
+        "cluster_disk": {
+            "available": {
+                "bytes": 0
+            },
+            "total": {
+                "bytes": 0
+            },
+            "used": {
+                "bytes": 0
+            }
+        }
+    },
+    "event": {
+        "dataset": "ceph.cluster_disk",
+        "duration": 115000,
+        "module": "ceph"
+    },
+    "metricset": {
+        "name": "cluster_disk"
+    },
+    "service": {
+        "address": "127.0.0.1:5000",
+        "type": "ceph"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-ceph-cluster_health.md b/docs/reference/metricbeat/metricbeat-metricset-ceph-cluster_health.md
new file mode 100644
index 000000000000..0afa11652ec2
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-ceph-cluster_health.md
@@ -0,0 +1,52 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-ceph-cluster_health.html
+---
+
+# Ceph cluster_health metricset [metricbeat-metricset-ceph-cluster_health]
+
+This is the `cluster_health` metricset of the Ceph module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_44]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-ceph.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "ceph": {
+        "cluster_health": {
+            "overall_status": "HEALTH_OK",
+            "timechecks": {
+                "epoch": 3,
+                "round": {
+                    "status": "finished",
+                    "value": 0
+                }
+            }
+        }
+    },
+    "event": {
+        "dataset": "ceph.cluster_health",
+        "duration": 115000,
+        "module": "ceph"
+    },
+    "metricset": {
+        "name": "cluster_health"
+    },
+    "service": {
+        "address": "127.0.0.1:5000",
+        "type": "ceph"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-ceph-cluster_status.md b/docs/reference/metricbeat/metricbeat-metricset-ceph-cluster_status.md
new file mode 100644
index 000000000000..39480f4572f1
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-ceph-cluster_status.md
@@ -0,0 +1,76 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-ceph-cluster_status.html
+---
+
+# Ceph cluster_status metricset [metricbeat-metricset-ceph-cluster_status]
+
+This is the `cluster_status` metricset of the Ceph module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_45]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-ceph.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "ceph": {
+        "cluster_status": {
+            "degraded": {
+                "objects": 0,
+                "pct": 0,
+                "total": 0
+            },
+            "misplace": {
+                "objects": 0,
+                "pct": 0,
+                "total": 0
+            },
+            "osd": {
+                "epoch": 3,
+                "full": false,
+                "in_osd_count": 0,
+                "nearfull": false,
+                "osd_count": 1,
+                "remapped_pg_count": 0,
+                "up_osd_count": 0
+            },
+            "pg": {
+                "avail_bytes": 0,
+                "data_bytes": 0,
+                "total_bytes": 0,
+                "used_bytes": 0
+            },
+            "traffic": {
+                "read_bytes": 0,
+                "read_op_per_sec": 0,
+                "write_bytes": 0,
+                "write_op_per_sec": 0
+            },
+            "version": 4
+        }
+    },
+    "event": {
+        "dataset": "ceph.cluster_status",
+        "duration": 115000,
+        "module": "ceph"
+    },
+    "metricset": {
+        "name": "cluster_status"
+    },
+    "service": {
+        "address": "127.0.0.1:5000",
+        "type": "ceph"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_cluster_disk.md b/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_cluster_disk.md
new file mode 100644
index 000000000000..b930a4bf1515
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_cluster_disk.md
@@ -0,0 +1,56 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-ceph-mgr_cluster_disk.html
+---
+
+# Ceph mgr_cluster_disk metricset [metricbeat-metricset-ceph-mgr_cluster_disk]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `mgr_cluster_disk` metricset of the Ceph module.
+
+## Fields [_fields_46]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-ceph.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "ceph": {
+        "cluster_disk": {
+            "available": {
+                "bytes": 0
+            },
+            "total": {
+                "bytes": 0
+            },
+            "used": {
+                "bytes": 0
+            }
+        }
+    },
+    "event": {
+        "dataset": "ceph.mgr_cluster_disk",
+        "duration": 115000,
+        "module": "ceph"
+    },
+    "metricset": {
+        "name": "mgr_cluster_disk"
+    },
+    "service": {
+        "address": "localhost:8003",
+        "type": "ceph"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_cluster_health.md b/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_cluster_health.md
new file mode 100644
index 000000000000..dd6f4abc1c2b
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_cluster_health.md
@@ -0,0 +1,55 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-ceph-mgr_cluster_health.html
+---
+
+# Ceph mgr_cluster_health metricset [metricbeat-metricset-ceph-mgr_cluster_health]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `mgr_cluster_health` metricset of the Ceph module.
+
+## Fields [_fields_47]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-ceph.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "ceph": {
+        "cluster_health": {
+            "overall_status": "HEALTH_OK",
+            "timechecks": {
+                "epoch": 3,
+                "round": {
+                    "status": "finished",
+                    "value": 0
+                }
+            }
+        }
+    },
+    "event": {
+        "dataset": "ceph.mgr_cluster_health",
+        "duration": 115000,
+        "module": "ceph"
+    },
+    "metricset": {
+        "name": "mgr_cluster_health"
+    },
+    "service": {
+        "address": "127.0.0.1:8003",
+        "type": "ceph"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_osd_perf.md b/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_osd_perf.md
new file mode 100644
index 000000000000..a12007e0b87c
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_osd_perf.md
@@ -0,0 +1,50 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-ceph-mgr_osd_perf.html
+---
+
+# Ceph mgr_osd_perf metricset [metricbeat-metricset-ceph-mgr_osd_perf]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `mgr_osd_perf` metricset of the Ceph module.
+
+## Fields [_fields_48]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-ceph.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "ceph": {
+        "mgr_osd_perf": {
+            "id": 0,
+            "stats": {
+                "commit_latency_ms": 23,
+                "apply_latency_ms": 23,
+                "commit_latency_ns": 23000000,
+                "apply_latency_ns": 23000000
+            }
+        }
+    },
+    "event": {
+        "dataset": "ceph.mgr_osd_perf",
+        "duration": 115000,
+        "module": "ceph"
+    },
+    "metricset": {
+        "name": "mgr_osd_perf"
+    },
+    "service": {
+        "address": "127.0.0.1:8003",
+        "type": "ceph"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_osd_pool_stats.md b/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_osd_pool_stats.md
new file mode 100644
index 000000000000..76beebd4cf87
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_osd_pool_stats.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-ceph-mgr_osd_pool_stats.html
+---
+
+# Ceph mgr_osd_pool_stats metricset [metricbeat-metricset-ceph-mgr_osd_pool_stats]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `mgr_osd_pool_stats` metricset of the Ceph module.
+
+## Fields [_fields_49]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-ceph.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "ceph": {
+        "mgr_osd_pool_stats": {
+            "pool_id": "9",
+            "pool_name": "scbench",
+            "client_io_rate": {
+                "read_bytes_sec": "85",
+                "write_bytes_sec": "802631707",
+                "read_op_per_sec": "0",
+                "write_op_per_sec": "336"
+            }
+        }
+    },
+    "event": {
+        "dataset": "ceph.mgr_osd_pool_stats",
+        "duration": 115000,
+        "module": "ceph"
+    },
+    "metricset": {
+        "name": "mgr_osd_pool_stats"
+    },
+    "service": {
+        "address": "127.0.0.1:8003",
+        "type": "ceph"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_osd_tree.md b/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_osd_tree.md
new file mode 100644
index 000000000000..e4791023d532
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_osd_tree.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-ceph-mgr_osd_tree.html
+---
+
+# Ceph mgr_osd_tree metricset [metricbeat-metricset-ceph-mgr_osd_tree]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `mgr_osd_tree` metricset of the Ceph module.
+
+## Fields [_fields_50]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-ceph.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "ceph": {
+        "osd_tree": {
+            "children": [
+                "-2"
+            ],
+            "father": "",
+            "id": -1,
+            "name": "default",
+            "type": "root",
+            "type_id": 10
+        }
+    },
+    "event": {
+        "dataset": "ceph.mgr_osd_tree",
+        "duration": 115000,
+        "module": "ceph"
+    },
+    "metricset": {
+        "name": "mgr_osd_tree"
+    },
+    "service": {
+        "address": "127.0.0.1:8003",
+        "type": "ceph"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_pool_disk.md b/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_pool_disk.md
new file mode 100644
index 000000000000..0f549148a409
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-ceph-mgr_pool_disk.md
@@ -0,0 +1,55 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-ceph-mgr_pool_disk.html
+---
+
+# Ceph mgr_pool_disk metricset [metricbeat-metricset-ceph-mgr_pool_disk]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `mgr_osd_disk` metricset of the Ceph module.
+
+## Fields [_fields_51]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-ceph.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "ceph": {
+        "pool_disk": {
+            "id": 0,
+            "name": "rbd",
+            "stats": {
+                "available": {
+                    "bytes": 0
+                },
+                "objects": 0,
+                "used": {
+                    "bytes": 0,
+                    "kb": 0
+                }
+            }
+        }
+    },
+    "event": {
+        "dataset": "ceph.mgr_pool_disk",
+        "duration": 115000,
+        "module": "ceph"
+    },
+    "metricset": {
+        "name": "mgr_pool_disk"
+    },
+    "service": {
+        "address": "127.0.0.1:8003",
+        "type": "ceph"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-ceph-monitor_health.md b/docs/reference/metricbeat/metricbeat-metricset-ceph-monitor_health.md
new file mode 100644
index 000000000000..686526de340e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-ceph-monitor_health.md
@@ -0,0 +1,69 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-ceph-monitor_health.html
+---
+
+# Ceph monitor_health metricset [metricbeat-metricset-ceph-monitor_health]
+
+This is the `monitor_health` metricset of the Ceph module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_52]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-ceph.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "ceph": {
+        "monitor_health": {
+            "available": {
+                "kb": 773013080,
+                "pct": 82
+            },
+            "health": "HEALTH_OK",
+            "last_updated": "2019-03-13T11:21:24.667025Z",
+            "name": "26c372192772",
+            "store_stats": {
+                "last_updated": "0.000000",
+                "log": {
+                    "bytes": 4128768
+                },
+                "misc": {
+                    "bytes": 65552
+                },
+                "sst": {
+                    "bytes": 1087
+                },
+                "total": {
+                    "bytes": 4195407
+                }
+            },
+            "total": {
+                "kb": 936145620
+            },
+            "used": {
+                "kb": 115509168
+            }
+        }
+    },
+    "event": {
+        "dataset": "ceph.monitor_health",
+        "duration": 115000,
+        "module": "ceph"
+    },
+    "metricset": {
+        "name": "monitor_health",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "ceph"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-ceph-osd_df.md b/docs/reference/metricbeat/metricbeat-metricset-ceph-osd_df.md
new file mode 100644
index 000000000000..60372d3a6659
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-ceph-osd_df.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-ceph-osd_df.html
+---
+
+# Ceph osd_df metricset [metricbeat-metricset-ceph-osd_df]
+
+This is the `osd_df` metricset of the Ceph module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_53]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-ceph.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "ceph": {
+        "osd_df": {
+            "available.byte": 0,
+            "device_class": "",
+            "id": 0,
+            "name": "osd.0",
+            "pg_num": 0,
+            "total.byte": 0,
+            "used.byte": 0
+        }
+    },
+    "event": {
+        "dataset": "ceph.osd_df",
+        "duration": 115000,
+        "module": "ceph"
+    },
+    "metricset": {
+        "name": "osd_df"
+    },
+    "service": {
+        "address": "127.0.0.1:5000",
+        "type": "ceph"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-ceph-osd_tree.md b/docs/reference/metricbeat/metricbeat-metricset-ceph-osd_tree.md
new file mode 100644
index 000000000000..4917349299e0
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-ceph-osd_tree.md
@@ -0,0 +1,48 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-ceph-osd_tree.html
+---
+
+# Ceph osd_tree metricset [metricbeat-metricset-ceph-osd_tree]
+
+This is the `osd_tree` metricset of the Ceph module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_54]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-ceph.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "ceph": {
+        "osd_tree": {
+            "children": [
+                "-2"
+            ],
+            "father": "",
+            "id": -1,
+            "name": "default",
+            "type": "root",
+            "type_id": 10
+        }
+    },
+    "event": {
+        "dataset": "ceph.osd_tree",
+        "duration": 115000,
+        "module": "ceph"
+    },
+    "metricset": {
+        "name": "osd_tree"
+    },
+    "service": {
+        "address": "127.0.0.1:5000",
+        "type": "ceph"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-ceph-pool_disk.md b/docs/reference/metricbeat/metricbeat-metricset-ceph-pool_disk.md
new file mode 100644
index 000000000000..af655118526e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-ceph-pool_disk.md
@@ -0,0 +1,52 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-ceph-pool_disk.html
+---
+
+# Ceph pool_disk metricset [metricbeat-metricset-ceph-pool_disk]
+
+This is the `pool_disk` metricset of the Ceph module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_55]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-ceph.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "ceph": {
+        "pool_disk": {
+            "id": 0,
+            "name": "rbd",
+            "stats": {
+                "available": {
+                    "bytes": 0
+                },
+                "objects": 0,
+                "used": {
+                    "bytes": 0,
+                    "kb": 0
+                }
+            }
+        }
+    },
+    "event": {
+        "dataset": "ceph.pool_disk",
+        "duration": 115000,
+        "module": "ceph"
+    },
+    "metricset": {
+        "name": "pool_disk"
+    },
+    "service": {
+        "address": "127.0.0.1:5000",
+        "type": "ceph"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-cloudfoundry-container.md b/docs/reference/metricbeat/metricbeat-metricset-cloudfoundry-container.md
new file mode 100644
index 000000000000..048c9b9037a8
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-cloudfoundry-container.md
@@ -0,0 +1,70 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-cloudfoundry-container.html
+---
+
+# Cloudfoundry container metricset [metricbeat-metricset-cloudfoundry-container]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The container metricset of Cloud Foundry module allows you to collect container metrics that the loggregator sends to metricbeat.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_56]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-cloudfoundry.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "cloudfoundry": {
+        "app": {
+            "id": "8d165a12-fbd8-40cb-b71a-5bc6086df04c",
+            "name": "log-gen"
+        },
+        "container": {
+            "cpu.pct": 4.231873716293137,
+            "disk.bytes": 122691584,
+            "disk.quota.bytes": 1073741824,
+            "instance_index": 3,
+            "memory.bytes": 52250065,
+            "memory.quota.bytes": 1073741824
+        },
+        "envelope": {
+            "deployment": "cf-9c11cd01425665e2ed6d",
+            "index": "9e1a45be-f8a4-44ef-9c34-22f6e51ce4c7",
+            "ip": "192.168.16.37",
+            "job": "diego_cell",
+            "origin": "rep"
+        },
+        "org": {
+            "id": "4af89198-dd33-4542-9915-f489542bc058",
+            "name": "elastic-logging-org"
+        },
+        "space": {
+            "id": "10ed1559-e399-4034-babf-6424ef888dc1",
+            "name": "logging-space"
+        },
+        "tags": {
+            "instance_id": "3",
+            "process_id": "8d165a12-fbd8-40cb-b71a-5bc6086df04c",
+            "process_instance_id": "75568c86-b9e0-4330-4784-928b",
+            "process_type": "web",
+            "product": "VMware Tanzu Application Service",
+            "source_id": "8d165a12-fbd8-40cb-b71a-5bc6086df04c"
+        },
+        "type": "container"
+    },
+    "service": {
+        "type": "cloudfoundry"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-cloudfoundry-counter.md b/docs/reference/metricbeat/metricbeat-metricset-cloudfoundry-counter.md
new file mode 100644
index 000000000000..d9b6982f74c7
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-cloudfoundry-counter.md
@@ -0,0 +1,53 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-cloudfoundry-counter.html
+---
+
+# Cloudfoundry counter metricset [metricbeat-metricset-cloudfoundry-counter]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The counter metricset of Cloud Foundry module allows you to collect counter metrics that the loggregator sends to metricbeat.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_57]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-cloudfoundry.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "cloudfoundry": {
+        "counter": {
+            "delta": 0,
+            "name": "dropped",
+            "total": 0
+        },
+        "envelope": {
+            "deployment": "cf-6b7aee31c8d07637ad78",
+            "index": "995eb273-f871-4fea-a834-dbc0a4a72efc",
+            "ip": "192.168.16.37",
+            "job": "syslog_adapter",
+            "origin": "loggregator.metron"
+        },
+        "tags": {
+            "direction": "ingress",
+            "metric_version": "2.0",
+            "product": "Pivotal Application Service",
+            "source_id": "metron"
+        },
+        "type": "counter"
+    },
+    "service": {
+        "type": "cloudfoundry"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-cloudfoundry-value.md b/docs/reference/metricbeat/metricbeat-metricset-cloudfoundry-value.md
new file mode 100644
index 000000000000..75019b8b1e89
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-cloudfoundry-value.md
@@ -0,0 +1,50 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-cloudfoundry-value.html
+---
+
+# Cloudfoundry value metricset [metricbeat-metricset-cloudfoundry-value]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The value metricset of Cloud Foundry module allows you to collect value metrics that the loggregator sends to metricbeat.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_58]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-cloudfoundry.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "cloudfoundry": {
+        "envelope": {
+            "deployment": "cf-6b7aee31c8d07637ad78",
+            "index": "dffd1799-d03a-405a-9309-3fcce23f536f",
+            "ip": "192.168.16.15",
+            "job": "diego_database",
+            "origin": "silk-controller"
+        },
+        "tags": {
+            "source_id": "silk-controller"
+        },
+        "type": "value",
+        "value": {
+            "name": "LeasesIndexRequestTime",
+            "unit": "ms",
+            "value": 0.681265
+        }
+    },
+    "service": {
+        "type": "cloudfoundry"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-cockroachdb-status.md b/docs/reference/metricbeat/metricbeat-metricset-cockroachdb-status.md
new file mode 100644
index 000000000000..2405d717d572
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-cockroachdb-status.md
@@ -0,0 +1,75 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-cockroachdb-status.html
+---
+
+# CockroachDB status metricset [metricbeat-metricset-cockroachdb-status]
+
+The CockroachDB `status` metricset collects metrics exposed by the [Prometheus endpoint](https://www.cockroachlabs.com/docs/v2.1/monitoring-and-alerting.html#prometheus-endpoint) of CockroachDB.
+
+::::{warning}
+This metricset collects a large number of metrics, what can significantly impact disk usage. Processors can be used to drop unused metrics before they are stored. For example the following configuration will drop all histogram buckets:
+::::
+
+
+```yaml
+- module: cockroachdb
+  metricsets: ['status']
+  hosts: ['${data.host}:8080']
+  processors:
+    - drop_event.when.has_fields: ['prometheus.labels.le']
+```
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_59]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-cockroachdb.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp" : "2022-04-08T15:45:24.609Z",
+    "agent" : {
+      "type" : "metricbeat",
+      "version" : "8.2.0",
+      "ephemeral_id" : "f5d8484e-b5dd-4045-ab8d-dca751582fae",
+      "id" : "ab4d7e17-f770-4672-8e51-acd1386317fb",
+      "name" : "example"
+    },
+    "ecs" : {
+      "version" : "8.0.0"
+    },
+    "prometheus" : {
+      "labels" : {
+        "instance" : "localhost:8080",
+        "job" : "cockroachdb",
+        "le" : "8126463"
+      },
+      "metrics" : {
+        "round_trip_latency_bucket" : 22344,
+        "exec_latency_bucket" : 279099,
+        "sql_txn_latency_internal_bucket" : 19400,
+        "sql_exec_latency_internal_bucket" : 62609,
+        "sql_service_latency_internal_bucket" : 59879,
+        "txn_durations_bucket" : 51573
+      }
+    },
+    "event" : {
+      "dataset" : "cockroachdb.status",
+      "module" : "cockroachdb",
+      "duration" : 48386125
+    },
+    "metricset" : {
+      "name" : "status",
+      "period" : 10000
+    },
+    "service" : {
+      "address" : "http://localhost:8080/_status/vars",
+      "type" : "cockroachdb"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-consul-agent.md b/docs/reference/metricbeat/metricbeat-metricset-consul-agent.md
new file mode 100644
index 000000000000..099efc99d08a
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-consul-agent.md
@@ -0,0 +1,88 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-consul-agent.html
+---
+
+# Consul agent metricset [metricbeat-metricset-consul-agent]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The `agent` metricset fetches information from a Hashicorp Consul agent in *Client* mode. It fetches information about the health of the autopilot, runtime metrics, and raft data.
+
+* **agent.autopilot.healthy**: Tracks the overall health of the local server cluster. If all servers are considered healthy by Autopilot, this will be set to 1. If any are unhealthy, this will be 0.
+* **agent.raft.apply**: This metric gives the number of logs committed since the last interval.
+* **agent.raft.commit_time.ms**: This tracks the average time in milliseconds it takes to commit a new entry to the transaction log of the leader
+* **agent.runtime.alloc.bytes**: This measures the number of bytes allocated by the Consul process.
+* **agent.runtime.garbage_collector.pause.current.ns**: Garbage collector pause time in nanoseconds
+* **agent.runtime.garbage_collector.pause.total.ns**: Number of nanoseconds consumed by stop-the-world garbage collection pauses since Consul started.
+* **agent.runtime.garbage_collector.runs**: Garbage collector total executions
+* **agent.runtime.goroutines**: Number of running goroutines and is a general load pressure indicator. This may burst from time to time but should return to a steady state value.
+* **agent.runtime.heap_objects**: This measures the number of objects allocated on the heap and is a general memory pressure indicator. This may burst from time to time but should return to a steady state value.
+* **agent.runtime.malloc_count**: Heap objects allocated
+* **agent.runtime.sys.bytes**: Total number of bytes of memory obtained from the OS.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_60]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-consul.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "consul": {
+        "agent": {
+            "autopilot": {
+                "healthy": true
+            },
+            "raft": {
+                "commit_time": {
+                    "ms": 0.04560700058937073
+                }
+            },
+            "runtime": {
+                "alloc": {
+                    "bytes": 6900784
+                },
+                "garbage_collector": {
+                    "pause": {
+                        "total": {
+                            "ns": 99490250
+                        }
+                    },
+                    "runs": 287
+                },
+                "goroutines": 77,
+                "heap_objects": 42590,
+                "malloc_count": 7087169,
+                "sys": {
+                    "bytes": 74119416
+                }
+            }
+        }
+    },
+    "event": {
+        "dataset": "consul.agent",
+        "duration": 115000,
+        "module": "consul"
+    },
+    "metricset": {
+        "name": "agent"
+    },
+    "service": {
+        "address": "localhost:8500",
+        "type": "consul"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-containerd-blkio.md b/docs/reference/metricbeat/metricbeat-metricset-containerd-blkio.md
new file mode 100644
index 000000000000..52e2bcd44464
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-containerd-blkio.md
@@ -0,0 +1,63 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-containerd-blkio.html
+---
+
+# Containerd blkio metricset [metricbeat-metricset-containerd-blkio]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the blkio metricset of the module containerd.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_61]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-containerd.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "container": {
+        "id": "7434687dbe3684407afa899582f2909203b9dc5537632b512f76798db5c0787d"
+    },
+    "containerd": {
+        "blkio": {
+            "device": "/dev/vda",
+            "read": {
+                "bytes": 69246976,
+                "ops": 830
+            },
+            "summary": {
+                "bytes": 69271552,
+                "ops": 832
+            },
+            "write": {
+                "bytes": 24576,
+                "ops": 2
+            }
+        },
+        "namespace": "k8s.io"
+    },
+    "event": {
+        "dataset": "containerd.blkio",
+        "duration": 115000,
+        "module": "containerd"
+    },
+    "metricset": {
+        "name": "blkio",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "containerd"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-containerd-cpu.md b/docs/reference/metricbeat/metricbeat-metricset-containerd-cpu.md
new file mode 100644
index 000000000000..d149e9d57729
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-containerd-cpu.md
@@ -0,0 +1,103 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-containerd-cpu.html
+---
+
+# Containerd cpu metricset [metricbeat-metricset-containerd-cpu]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the cpu metricset of the module containerd.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_62]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-containerd.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "container": {
+        "id": "7434687dbe3684407afa899582f2909203b9dc5537632b512f76798db5c0787d"
+    },
+    "containerd": {
+        "cpu": {
+            "usage": {
+                "cpu": {
+                    "0": {
+                        "ns": 99137817570
+                    },
+                    "1": {
+                        "ns": 116475261138
+                    },
+                    "10": {
+                        "ns": 106709905770
+                    },
+                    "11": {
+                        "ns": 104878380370
+                    },
+                    "2": {
+                        "ns": 105305653633
+                    },
+                    "3": {
+                        "ns": 101195506344
+                    },
+                    "4": {
+                        "ns": 105731762224
+                    },
+                    "5": {
+                        "ns": 98155683224
+                    },
+                    "6": {
+                        "ns": 95075348914
+                    },
+                    "7": {
+                        "ns": 97134782770
+                    },
+                    "8": {
+                        "ns": 104266711568
+                    },
+                    "9": {
+                        "ns": 102272190459
+                    }
+                },
+                "kernel": {
+                    "ns": 532180000000,
+                    "pct": 0
+                },
+                "percpu": {},
+                "total": {
+                    "ns": 1236339003984,
+                    "pct": 0
+                },
+                "user": {
+                    "ns": 525470000000,
+                    "pct": 0
+                }
+            }
+        },
+        "namespace": "k8s.io"
+    },
+    "event": {
+        "dataset": "containerd.cpu",
+        "duration": 115000,
+        "module": "containerd"
+    },
+    "metricset": {
+        "name": "cpu",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "containerd"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-containerd-memory.md b/docs/reference/metricbeat/metricbeat-metricset-containerd-memory.md
new file mode 100644
index 000000000000..8d4e8dbb6fa7
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-containerd-memory.md
@@ -0,0 +1,82 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-containerd-memory.html
+---
+
+# Containerd memory metricset [metricbeat-metricset-containerd-memory]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the memory metricset of the module containerd.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_63]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-containerd.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "container": {
+        "id": "7434687dbe3684407afa899582f2909203b9dc5537632b512f76798db5c0787d"
+    },
+    "containerd": {
+        "memory": {
+            "activeFiles": 1216512,
+            "cache": 140980224,
+            "inactiveFiles": 139284480,
+            "kernel": {
+                "fail": {
+                    "count": 0
+                },
+                "limit": 9223372036854772000,
+                "max": 6496256,
+                "total": 6459392
+            },
+            "rss": 43794432,
+            "swap": {
+                "fail": {
+                    "count": 0
+                },
+                "limit": 9223372036854772000,
+                "max": 209727488,
+                "total": 191959040
+            },
+            "usage": {
+                "fail": {
+                    "count": 0
+                },
+                "limit": 209715200,
+                "max": 209608704,
+                "pct": 0.9148046875,
+                "total": 191848448
+            },
+            "workingset": {
+                "pct": 0.25064453125
+            }
+        },
+        "namespace": "k8s.io"
+    },
+    "event": {
+        "dataset": "containerd.memory",
+        "duration": 115000,
+        "module": "containerd"
+    },
+    "metricset": {
+        "name": "memory",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "containerd"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-coredns-stats.md b/docs/reference/metricbeat/metricbeat-metricset-coredns-stats.md
new file mode 100644
index 000000000000..324da37ae043
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-coredns-stats.md
@@ -0,0 +1,94 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-coredns-stats.html
+---
+
+# Coredns stats metricset [metricbeat-metricset-coredns-stats]
+
+This is the stats metricset of the module coredns.
+
+## Fields [_fields_64]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-coredns.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "coredns": {
+        "stats": {
+            "dns": {
+                "request": {
+                    "size": {
+                        "bytes": {
+                            "bucket": {
+                                "+Inf": 440,
+                                "0": 0,
+                                "100": 440,
+                                "1023": 440,
+                                "16000": 440,
+                                "200": 440,
+                                "2047": 440,
+                                "300": 440,
+                                "32000": 440,
+                                "400": 440,
+                                "4095": 440,
+                                "48000": 440,
+                                "511": 440,
+                                "64000": 440,
+                                "8291": 440
+                            },
+                            "count": 440,
+                            "sum": 22880
+                        }
+                    }
+                },
+                "response": {
+                    "size": {
+                        "bytes": {
+                            "bucket": {
+                                "+Inf": 440,
+                                "0": 0,
+                                "100": 440,
+                                "1023": 440,
+                                "16000": 440,
+                                "200": 440,
+                                "2047": 440,
+                                "300": 440,
+                                "32000": 440,
+                                "400": 440,
+                                "4095": 440,
+                                "48000": 440,
+                                "511": 440,
+                                "64000": 440,
+                                "8291": 440
+                            },
+                            "count": 440,
+                            "sum": 29480
+                        }
+                    }
+                }
+            },
+            "proto": "udp",
+            "server": "dns://:53",
+            "zone": "."
+        }
+    },
+    "event": {
+        "dataset": "coredns.stats",
+        "duration": 115000,
+        "module": "coredns"
+    },
+    "metricset": {
+        "name": "stats",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "coredns"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-couchbase-bucket.md b/docs/reference/metricbeat/metricbeat-metricset-couchbase-bucket.md
new file mode 100644
index 000000000000..f913b0069496
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-couchbase-bucket.md
@@ -0,0 +1,68 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-couchbase-bucket.html
+---
+
+# Couchbase bucket metricset [metricbeat-metricset-couchbase-bucket]
+
+The Couchbase `bucket` metricset collects data from the Couchbase Buckets Rest API `http://couchbasehost:8091/pools/default/buckets`.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_65]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-couchbase.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "couchbase": {
+        "bucket": {
+            "data": {
+                "used": {
+                    "bytes": 3371588
+                }
+            },
+            "disk": {
+                "fetches": 0,
+                "used": {
+                    "bytes": 9473
+                }
+            },
+            "item_count": 0,
+            "memory": {
+                "used": {
+                    "bytes": 49976304
+                }
+            },
+            "name": "beer-sample",
+            "ops_per_sec": 0,
+            "quota": {
+                "ram": {
+                    "bytes": 104857600
+                },
+                "use": {
+                    "pct": 47.66111755371094
+                }
+            },
+            "type": "membase"
+        }
+    },
+    "event": {
+        "dataset": "couchbase.bucket",
+        "duration": 115000,
+        "module": "couchbase"
+    },
+    "metricset": {
+        "name": "bucket"
+    },
+    "service": {
+        "address": "192.168.160.7:8091",
+        "type": "couchbase"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-couchbase-cluster.md b/docs/reference/metricbeat/metricbeat-metricset-couchbase-cluster.md
new file mode 100644
index 000000000000..17b55da08d2d
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-couchbase-cluster.md
@@ -0,0 +1,102 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-couchbase-cluster.html
+---
+
+# Couchbase cluster metricset [metricbeat-metricset-couchbase-cluster]
+
+The Couchbase `cluster` metricset collects data from Couchbase pools Rest API `http://couchbasehost:8091/pools/default` and creates an event containing cluster metrics.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_66]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-couchbase.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "couchbase": {
+        "cluster": {
+            "hdd": {
+                "free": {
+                    "bytes": 46902679716
+                },
+                "quota": {
+                    "total": {
+                        "bytes": 63381999616
+                    }
+                },
+                "total": {
+                    "bytes": 63381999616
+                },
+                "used": {
+                    "by_data": {
+                        "bytes": 16369010
+                    },
+                    "value": {
+                        "bytes": 16479319900
+                    }
+                }
+            },
+            "max_bucket_count": 10,
+            "quota": {
+                "index_memory": {
+                    "mb": 300
+                },
+                "memory": {
+                    "mb": 300
+                }
+            },
+            "ram": {
+                "quota": {
+                    "total": {
+                        "per_node": {
+                            "bytes": 314572800
+                        },
+                        "value": {
+                            "bytes": 314572800
+                        }
+                    },
+                    "used": {
+                        "per_node": {
+                            "bytes": 104857600
+                        },
+                        "value": {
+                            "bytes": 104857600
+                        }
+                    }
+                },
+                "total": {
+                    "bytes": 8359174144
+                },
+                "used": {
+                    "by_data": {
+                        "bytes": 53962016
+                    },
+                    "value": {
+                        "bytes": 8004751360
+                    }
+                }
+            }
+        }
+    },
+    "event": {
+        "dataset": "couchbase.cluster",
+        "duration": 115000,
+        "module": "couchbase"
+    },
+    "metricset": {
+        "name": "cluster",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "couchbase"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-couchbase-node.md b/docs/reference/metricbeat/metricbeat-metricset-couchbase-node.md
new file mode 100644
index 000000000000..5f28bd9252ff
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-couchbase-node.md
@@ -0,0 +1,110 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-couchbase-node.html
+---
+
+# Couchbase node metricset [metricbeat-metricset-couchbase-node]
+
+The Couchbase `node` metricset collects data from Couchbase pools Rest API `http://couchbasehost:8091/pools/default` and creates an event for each node in the cluster.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_67]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-couchbase.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "couchbase": {
+        "node": {
+            "cmd_get": 0,
+            "couch": {
+                "docs": {
+                    "data_size": {
+                        "bytes": 9792512
+                    },
+                    "disk_size": {
+                        "bytes": 13563791
+                    }
+                },
+                "spatial": {
+                    "data_size": {
+                        "bytes": 0
+                    },
+                    "disk_size": {
+                        "bytes": 0
+                    }
+                },
+                "views": {
+                    "data_size": {
+                        "bytes": 2805219
+                    },
+                    "disk_size": {
+                        "bytes": 2805219
+                    }
+                }
+            },
+            "cpu_utilization_rate": {
+                "pct": 29.64705882352941
+            },
+            "current_items": {
+                "total": 7303,
+                "value": 7303
+            },
+            "ep_bg_fetched": 0,
+            "get_hits": 1.1,
+            "hostname": "172.17.0.2:8091",
+            "mcd_memory": {
+                "allocated": {
+                    "bytes": 6377
+                },
+                "reserved": {
+                    "bytes": 6377
+                }
+            },
+            "memory": {
+                "free": {
+                    "bytes": 4678324224
+                },
+                "total": {
+                    "bytes": 8359174144
+                },
+                "used": {
+                    "bytes": 53962016
+                }
+            },
+            "ops": 1.1,
+            "swap": {
+                "total": {
+                    "bytes": 4189057024
+                },
+                "used": {
+                    "bytes": 135168
+                }
+            },
+            "uptime": {
+                "sec": 7260
+            },
+            "vb_replica_curr_items": 0
+        }
+    },
+    "event": {
+        "dataset": "couchbase.node",
+        "duration": 115000,
+        "module": "couchbase"
+    },
+    "metricset": {
+        "name": "node",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "couchbase"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-couchdb-server.md b/docs/reference/metricbeat/metricbeat-metricset-couchdb-server.md
new file mode 100644
index 000000000000..42e4243d274b
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-couchdb-server.md
@@ -0,0 +1,82 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-couchdb-server.html
+---
+
+# CouchDB server metricset [metricbeat-metricset-couchdb-server]
+
+This is the server metricset of the module couchdb.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_68]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-couchdb.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "couchdb": {
+        "server": {
+            "couchdb": {
+                "auth_cache_hits": 0,
+                "auth_cache_misses": 0,
+                "database_reads": 0,
+                "database_writes": 0,
+                "open_databases": 0,
+                "open_os_files": 0,
+                "request_time": 12.667
+            },
+            "httpd": {
+                "bulk_requests": 0,
+                "clients_requesting_changes": 0,
+                "requests": 4,
+                "temporary_view_reads": 0,
+                "view_reads": 0
+            },
+            "httpd_request_methods": {
+                "COPY": 0,
+                "DELETE": 0,
+                "GET": 4,
+                "HEAD": 0,
+                "POST": 0,
+                "PUT": 0
+            },
+            "httpd_status_codes": {
+                "200": 4,
+                "201": 0,
+                "202": 0,
+                "301": 0,
+                "304": 0,
+                "400": 0,
+                "401": 0,
+                "403": 0,
+                "404": 0,
+                "405": 0,
+                "409": 0,
+                "412": 0,
+                "500": 0
+            }
+        }
+    },
+    "event": {
+        "dataset": "couchdb.server",
+        "duration": 115000,
+        "module": "couchdb"
+    },
+    "metricset": {
+        "name": "server",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.19.0.2:5984",
+        "id": "7021f7f554d9dd612adf13a6987d1358",
+        "type": "couchdb",
+        "version": "1.7.2"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-docker-container.md b/docs/reference/metricbeat/metricbeat-metricset-docker-container.md
new file mode 100644
index 000000000000..b13df55b7a22
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-docker-container.md
@@ -0,0 +1,80 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-docker-container.html
+---
+
+# Docker container metricset [metricbeat-metricset-docker-container]
+
+The Docker `container` metricset collects information and statistics about running Docker containers.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_69]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-docker.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "container": {
+        "id": "cc78e58acfda4501105dc4de8e3ae218f2da616213e6e3af168c40103829302a",
+        "image": {
+            "name": "metricbeat_elasticsearch"
+        },
+        "name": "metricbeat_elasticsearch_1_df866b3a7b3d",
+        "runtime": "docker"
+    },
+    "docker": {
+        "container": {
+            "command": "/usr/local/bin/docker-entrypoint.sh eswrapper",
+            "created": "2019-02-25T10:18:10.000Z",
+            "ip_addresses": [
+                "172.23.0.2"
+            ],
+            "labels": {
+                "com_docker_compose_config-hash": "e3e0a2c6e5d1afb741bc8b1ecb09cda0395886b7a3e5084a9fd110be46d70f78",
+                "com_docker_compose_container-number": "1",
+                "com_docker_compose_oneoff": "False",
+                "com_docker_compose_project": "metricbeat",
+                "com_docker_compose_service": "elasticsearch",
+                "com_docker_compose_slug": "df866b3a7b3d50c0802350cbe58ee5b34fa32b7f6ba7fe9e48cde2c12dd0201d",
+                "com_docker_compose_version": "1.23.1",
+                "license": "Elastic License",
+                "org_label-schema_build-date": "20181006",
+                "org_label-schema_license": "GPLv2",
+                "org_label-schema_name": "elasticsearch",
+                "org_label-schema_schema-version": "1.0",
+                "org_label-schema_url": "https://www.elastic.co/products/elasticsearch",
+                "org_label-schema_vcs-url": "https://github.com/elastic/elasticsearch-docker",
+                "org_label-schema_vendor": "Elastic",
+                "org_label-schema_version": "6.5.1"
+            },
+            "size": {
+                "root_fs": 0,
+                "rw": 0
+            },
+            "status": "Up 7 minutes (healthy)"
+        }
+    },
+    "event": {
+        "dataset": "docker.container",
+        "duration": 115000,
+        "module": "docker"
+    },
+    "metricset": {
+        "name": "container"
+    },
+    "service": {
+        "address": "/var/run/docker.sock",
+        "type": "docker"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-docker-cpu.md b/docs/reference/metricbeat/metricbeat-metricset-docker-cpu.md
new file mode 100644
index 000000000000..bc4ac2e5e7ab
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-docker-cpu.md
@@ -0,0 +1,143 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-docker-cpu.html
+---
+
+# Docker cpu metricset [metricbeat-metricset-docker-cpu]
+
+The Docker `cpu` metricset collects runtime CPU metrics.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_70]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-docker.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "container": {
+        "id": "7f3ca1f1b2b310362e90f700d2b2e52ebd46ef6ddf10c0704f22b25686c466ab",
+        "image": {
+            "name": "metricbeat_beat"
+        },
+        "name": "metricbeat_beat_run_8ba23fa682a6",
+        "runtime": "docker"
+    },
+    "docker": {
+        "container": {
+            "labels": {
+                "com_docker_compose_oneoff": "True",
+                "com_docker_compose_project": "metricbeat",
+                "com_docker_compose_service": "beat",
+                "com_docker_compose_slug": "8ba23fa682a68e2dc082536da22f59eb2d200b3534909fe934807dd5d847424",
+                "com_docker_compose_version": "1.24.1"
+            }
+        },
+        "cpu": {
+            "core": {
+                "0": {
+                    "norm": {
+                        "pct": 0.00105707400990099
+                    },
+                    "pct": 0.00845659207920792,
+                    "ticks": 7410396430
+                },
+                "1": {
+                    "norm": {
+                        "pct": 0.004389216831683168
+                    },
+                    "pct": 0.035113734653465345,
+                    "ticks": 7079258391
+                },
+                "2": {
+                    "norm": {
+                        "pct": 0.003178435024752475
+                    },
+                    "pct": 0.0254274801980198,
+                    "ticks": 7140978706
+                },
+                "3": {
+                    "norm": {
+                        "pct": 0.0033261257425742574
+                    },
+                    "pct": 0.02660900594059406,
+                    "ticks": 7705738146
+                },
+                "4": {
+                    "norm": {
+                        "pct": 0.0016827236386138613
+                    },
+                    "pct": 0.01346178910891089,
+                    "ticks": 8131054429
+                },
+                "5": {
+                    "norm": {
+                        "pct": 0.000781541707920792
+                    },
+                    "pct": 0.006252333663366336,
+                    "ticks": 7213899699
+                },
+                "6": {
+                    "norm": {
+                        "pct": 0.0005364748762376238
+                    },
+                    "pct": 0.00429179900990099,
+                    "ticks": 7961016581
+                },
+                "7": {
+                    "norm": {
+                        "pct": 0.0005079449257425743
+                    },
+                    "pct": 0.004063559405940594,
+                    "ticks": 7946529895
+                }
+            },
+            "kernel": {
+                "norm": {
+                    "pct": 0.007425742574257425
+                },
+                "pct": 0.0594059405940594,
+                "ticks": 26810000000
+            },
+            "system": {
+                "norm": {
+                    "pct": 1
+                },
+                "pct": 8,
+                "ticks": 65836400000000
+            },
+            "total": {
+                "norm": {
+                    "pct": 0.015459536757425743
+                },
+                "pct": 0.12367629405940594
+            },
+            "user": {
+                "norm": {
+                    "pct": 0.006188118811881188
+                },
+                "pct": 0.04950495049504951,
+                "ticks": 35720000000
+            }
+        }
+    },
+    "event": {
+        "dataset": "docker.cpu",
+        "duration": 115000,
+        "module": "docker"
+    },
+    "metricset": {
+        "name": "cpu",
+        "period": 10000
+    },
+    "service": {
+        "address": "/var/run/docker.sock",
+        "type": "docker"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-docker-diskio.md b/docs/reference/metricbeat/metricbeat-metricset-docker-diskio.md
new file mode 100644
index 000000000000..660a39a8e0d6
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-docker-diskio.md
@@ -0,0 +1,73 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-docker-diskio.html
+---
+
+# Docker diskio metricset [metricbeat-metricset-docker-diskio]
+
+The Docker `diskio` metricset collects disk I/O metrics.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_71]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-docker.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "container": {
+        "id": "3f2af516565acd770488bc82f55d8ed17b335988f13bb7c5cd3e2dc9abdac6f4",
+        "image": {
+            "name": "docker.elastic.co/elasticsearch/elasticsearch:8.2.0-SNAPSHOT"
+        },
+        "name": "elastic-package-stack_elasticsearch_1",
+        "runtime": "docker"
+    },
+    "docker": {
+        "diskio": {
+            "read": {
+                "bytes": 65941504,
+                "ops": 0,
+                "queued": 0,
+                "rate": 0,
+                "service_time": 0,
+                "wait_time": 0
+            },
+            "summary": {
+                "bytes": 0,
+                "ops": 0,
+                "queued": 0,
+                "rate": 0,
+                "service_time": 0,
+                "wait_time": 0
+            },
+            "write": {
+                "bytes": 182902059008,
+                "ops": 0,
+                "queued": 0,
+                "rate": 0,
+                "service_time": 0,
+                "wait_time": 0
+            }
+        }
+    },
+    "event": {
+        "dataset": "docker.diskio",
+        "duration": 115000,
+        "module": "docker"
+    },
+    "metricset": {
+        "name": "diskio",
+        "period": 10000
+    },
+    "service": {
+        "address": "/var/run/docker.sock",
+        "type": "docker"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-docker-event.md b/docs/reference/metricbeat/metricbeat-metricset-docker-event.md
new file mode 100644
index 000000000000..e791da9d1dc4
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-docker-event.md
@@ -0,0 +1,50 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-docker-event.html
+---
+
+# Docker event metricset [metricbeat-metricset-docker-event]
+
+This is the event metricset of the module docker.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_72]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-docker.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "docker": {
+        "event": {
+            "action": "pull",
+            "actor": {
+                "attributes": {
+                    "name": "busybox"
+                },
+                "id": "busybox:latest"
+            },
+            "from": "",
+            "id": "busybox:latest",
+            "status": "pull",
+            "type": "image"
+        }
+    },
+    "event": {
+        "dataset": "event",
+        "module": "docker"
+    },
+    "service": {
+        "type": "docker"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-docker-healthcheck.md b/docs/reference/metricbeat/metricbeat-metricset-docker-healthcheck.md
new file mode 100644
index 000000000000..e174f15e18b2
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-docker-healthcheck.md
@@ -0,0 +1,82 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-docker-healthcheck.html
+---
+
+# Docker healthcheck metricset [metricbeat-metricset-docker-healthcheck]
+
+The Docker `healthcheck` metricset collects healthcheck status metrics about running Docker containers.
+
+Healthcheck data will only be available from docker containers where the docker `HEALTHCHECK` instruction has been used to build the docker image.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_73]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-docker.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "container": {
+        "id": "cc78e58acfda4501105dc4de8e3ae218f2da616213e6e3af168c40103829302a",
+        "image": {
+            "name": "metricbeat_elasticsearch"
+        },
+        "name": "metricbeat_elasticsearch_1_df866b3a7b3d",
+        "runtime": "docker"
+    },
+    "docker": {
+        "container": {
+            "labels": {
+                "com_docker_compose_config-hash": "e3e0a2c6e5d1afb741bc8b1ecb09cda0395886b7a3e5084a9fd110be46d70f78",
+                "com_docker_compose_container-number": "1",
+                "com_docker_compose_oneoff": "False",
+                "com_docker_compose_project": "metricbeat",
+                "com_docker_compose_service": "elasticsearch",
+                "com_docker_compose_slug": "df866b3a7b3d50c0802350cbe58ee5b34fa32b7f6ba7fe9e48cde2c12dd0201d",
+                "com_docker_compose_version": "1.23.1",
+                "license": "Elastic License",
+                "org_label-schema_build-date": "20181006",
+                "org_label-schema_license": "GPLv2",
+                "org_label-schema_name": "elasticsearch",
+                "org_label-schema_schema-version": "1.0",
+                "org_label-schema_url": "https://www.elastic.co/products/elasticsearch",
+                "org_label-schema_vcs-url": "https://github.com/elastic/elasticsearch-docker",
+                "org_label-schema_vendor": "Elastic",
+                "org_label-schema_version": "6.5.1"
+            }
+        },
+        "healthcheck": {
+            "event": {
+                "end_date": "2019-02-25T10:59:07.472Z",
+                "exit_code": 0,
+                "output": "  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n\r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0\r100   338  100   338    0     0  13188      0 --:--:-- --:--:-- --:--:-- 13520\n{\n  \"license\" : {\n    \"status\" : \"active\",\n    \"uid\" : \"ea5a516e-d9ee-4131-8eec-b39741e80869\",\n    \"type\" : \"basic\",\n    \"issue_date\" : \"2019-02-25T10:18:24.885Z\",\n    \"issue_date_in_millis\" : 1551089904885,\n    \"max_nodes\" : 1000,\n    \"issued_to\" : \"docker-cluster\",\n    \"issuer\" : \"elasticsearch\",\n    \"start_date_in_millis\" : -1\n  }\n}\n",
+                "start_date": "2019-02-25T10:59:07.342Z"
+            },
+            "failingstreak": 0,
+            "status": "healthy"
+        }
+    },
+    "event": {
+        "dataset": "docker.healthcheck",
+        "duration": 115000,
+        "module": "docker"
+    },
+    "metricset": {
+        "name": "healthcheck"
+    },
+    "service": {
+        "address": "/var/run/docker.sock",
+        "type": "docker"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-docker-image.md b/docs/reference/metricbeat/metricbeat-metricset-docker-image.md
new file mode 100644
index 000000000000..b487bbfe3c66
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-docker-image.md
@@ -0,0 +1,61 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-docker-image.html
+---
+
+# Docker image metricset [metricbeat-metricset-docker-image]
+
+This is the `image` metricset of the Docker module.
+
+## Fields [_fields_74]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-docker.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "docker": {
+        "image": {
+            "created": "2019-03-25T09:57:14.000Z",
+            "id": {
+                "current": "sha256:fa96dbd9baead0b3a4550c861cc871f40c0c7482889fb5f09c705e7d0622358f",
+                "parent": ""
+            },
+            "labels": {
+                "license": "Elastic License",
+                "org_label-schema_build-date": "20190305",
+                "org_label-schema_license": "GPLv2",
+                "org_label-schema_name": "logstash",
+                "org_label-schema_schema-version": "1.0",
+                "org_label-schema_url": "https://www.elastic.co/products/logstash",
+                "org_label-schema_vcs-url": "https://github.com/elastic/logstash-docker",
+                "org_label-schema_vendor": "Elastic",
+                "org_label-schema_version": "8.0.0-SNAPSHOT"
+            },
+            "size": {
+                "regular": 770558778,
+                "virtual": 770558778
+            },
+            "tags": [
+                "docker.elastic.co/logstash/logstash:8.0.0-SNAPSHOT"
+            ]
+        }
+    },
+    "event": {
+        "dataset": "docker.image",
+        "duration": 115000,
+        "module": "docker"
+    },
+    "metricset": {
+        "name": "image"
+    },
+    "service": {
+        "address": "/var/run/docker.sock",
+        "type": "docker"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-docker-info.md b/docs/reference/metricbeat/metricbeat-metricset-docker-info.md
new file mode 100644
index 000000000000..b904b0ecdf6c
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-docker-info.md
@@ -0,0 +1,49 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-docker-info.html
+---
+
+# Docker info metricset [metricbeat-metricset-docker-info]
+
+The Docker `info` metricset collects system-wide information based on the [Docker Remote API](https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/display-system-wide-information).
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_75]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-docker.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "docker": {
+        "info": {
+            "containers": {
+                "paused": 0,
+                "running": 2,
+                "stopped": 12,
+                "total": 14
+            },
+            "id": "VF5E:SKD6:YFIG:VDGO:JU3M:ZT2N:4E6B:7IOL:5QOS:M3HT:EM7E:VL22",
+            "images": 425
+        }
+    },
+    "event": {
+        "dataset": "docker.info",
+        "duration": 115000,
+        "module": "docker"
+    },
+    "metricset": {
+        "name": "info",
+        "period": 10000
+    },
+    "service": {
+        "address": "/var/run/docker.sock",
+        "type": "docker"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-docker-memory.md b/docs/reference/metricbeat/metricbeat-metricset-docker-memory.md
new file mode 100644
index 000000000000..20066a6df37e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-docker-memory.md
@@ -0,0 +1,134 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-docker-memory.html
+---
+
+# Docker memory metricset [metricbeat-metricset-docker-memory]
+
+The Docker `memory` metricset collects memory metrics.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_76]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-docker.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "container": {
+        "id": "3ebfd3aebc686af21efccc552aabceb4303b70ef4bc2be7fffbb616000f824b4",
+        "image": {
+            "name": "docker.elastic.co/elastic-agent/elastic-agent-complete:8.15.3"
+        },
+        "memory": {
+            "usage": 0.0012028823743718271
+        },
+        "name": "elastic-package-stack-elastic-agent-1",
+        "runtime": "docker"
+    },
+    "docker": {
+        "container": {
+            "labels": {
+                "com_docker_compose_config-hash": "34d3699c997ecee19f466a3a5be2c73b86a5f4a89c362301412d9cc03e41d62d",
+                "com_docker_compose_container-number": "1",
+                "com_docker_compose_depends_on": "fleet-server:service_healthy:false",
+                "com_docker_compose_image": "sha256:37bd3034b35d10da7c806226eb2956b6c998745da9dc15ed3e920d214a59bcec",
+                "com_docker_compose_oneoff": "False",
+                "com_docker_compose_project": "elastic-package-stack",
+                "com_docker_compose_project_config_files": "/home/alexk/.elastic-package/profiles/default/stack/docker-compose.yml",
+                "com_docker_compose_project_working_dir": "/home/alexk/.elastic-package/profiles/default/stack",
+                "com_docker_compose_service": "elastic-agent",
+                "com_docker_compose_version": "2.29.2",
+                "description": "Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.",
+                "io_k8s_description": "Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.",
+                "io_k8s_display-name": "Elastic-Agent image",
+                "license": "Elastic License",
+                "maintainer": "infra@elastic.co",
+                "name": "elastic-agent",
+                "org_label-schema_build-date": "2024-10-10T10:08:37Z",
+                "org_label-schema_license": "Elastic License",
+                "org_label-schema_name": "elastic-agent",
+                "org_label-schema_schema-version": "1.0",
+                "org_label-schema_url": "https://www.elastic.co/elastic-agent",
+                "org_label-schema_vcs-ref": "61975895b1409449db21ddca0405e7b71bfc1c46",
+                "org_label-schema_vcs-url": "github.com/elastic/elastic-agent",
+                "org_label-schema_vendor": "Elastic",
+                "org_label-schema_version": "8.15.3",
+                "org_opencontainers_image_created": "2024-10-10T10:08:37Z",
+                "org_opencontainers_image_licenses": "Elastic License",
+                "org_opencontainers_image_ref_name": "ubuntu",
+                "org_opencontainers_image_title": "Elastic-Agent",
+                "org_opencontainers_image_vendor": "Elastic",
+                "org_opencontainers_image_version": "20.04",
+                "release": "1",
+                "summary": "elastic-agent",
+                "url": "https://www.elastic.co/elastic-agent",
+                "vendor": "Elastic",
+                "version": "8.15.3"
+            }
+        },
+        "memory": {
+            "fail": {
+                "count": 0
+            },
+            "limit": 33537363968,
+            "stats": {
+                "active_anon": 10223616,
+                "active_file": 19795968,
+                "anon": 19140608,
+                "anon_thp": 0,
+                "file": 36466688,
+                "file_dirty": 0,
+                "file_mapped": 585728,
+                "file_writeback": 0,
+                "inactive_anon": 8921088,
+                "inactive_file": 16670720,
+                "kernel_stack": 212992,
+                "pgactivate": 4810,
+                "pgdeactivate": 0,
+                "pgfault": 703936010,
+                "pglazyfree": 0,
+                "pglazyfreed": 0,
+                "pgmajfault": 729,
+                "pgrefill": 170270,
+                "pgscan": 12002,
+                "pgsteal": 10536,
+                "shmem": 0,
+                "slab": 513312,
+                "slab_reclaimable": 194680,
+                "slab_unreclaimable": 318632,
+                "sock": 0,
+                "thp_collapse_alloc": 0,
+                "thp_fault_alloc": 0,
+                "unevictable": 0,
+                "workingset_activate": 0,
+                "workingset_nodereclaim": 0,
+                "workingset_refault": 0
+            },
+            "usage": {
+                "max": 0,
+                "pct": 0.0012028823743718271,
+                "total": 40341504
+            }
+        }
+    },
+    "event": {
+        "dataset": "docker.memory",
+        "duration": 115000,
+        "module": "docker"
+    },
+    "metricset": {
+        "name": "memory",
+        "period": 10000
+    },
+    "service": {
+        "address": "/var/run/docker.sock",
+        "type": "docker"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-docker-network.md b/docs/reference/metricbeat/metricbeat-metricset-docker-network.md
new file mode 100644
index 000000000000..cd43d2497688
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-docker-network.md
@@ -0,0 +1,110 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-docker-network.html
+---
+
+# Docker network metricset [metricbeat-metricset-docker-network]
+
+The Docker `network` metricset collects network metrics.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_77]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-docker.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "container": {
+        "id": "b1c3118fb2087e499c421aa20e28847ad4c185be6c1864166b1a03cc2affaf80",
+        "image": {
+            "name": "docker.elastic.co/beats/elastic-agent:7.13.0-SNAPSHOT"
+        },
+        "name": "elastic-package-stack_elastic-agent_1",
+        "runtime": "docker"
+    },
+    "docker": {
+        "container": {
+            "labels": {
+                "com_docker_compose_config-hash": "fdad7f67fafe5a242b9b9d27bff78bef4b96c683a2bb1412d91c32fb5981f2b3",
+                "com_docker_compose_container-number": "1",
+                "com_docker_compose_oneoff": "False",
+                "com_docker_compose_project": "elastic-package-stack",
+                "com_docker_compose_project_config_files": "/home/alexk/.elastic-package/stack/openport/snapshot.yml",
+                "com_docker_compose_project_working_dir": "/home/alexk/.elastic-package/stack/openport",
+                "com_docker_compose_service": "elastic-agent",
+                "com_docker_compose_version": "1.27.4",
+                "description": "Agent manages other beats based on configuration provided.",
+                "io_k8s_description": "Agent manages other beats based on configuration provided.",
+                "io_k8s_display-name": "Elastic-Agent image",
+                "license": "Elastic License",
+                "maintainer": "infra@elastic.co",
+                "name": "elastic-agent",
+                "org_label-schema_build-date": "2021-04-21T06:45:43Z",
+                "org_label-schema_license": "Elastic License",
+                "org_label-schema_name": "elastic-agent",
+                "org_label-schema_schema-version": "1.0",
+                "org_label-schema_url": "https://www.elastic.co/beats/elastic-agent",
+                "org_label-schema_vcs-ref": "c52c43963ca8416dc92c7d3dbf6cb6e89dd00acf",
+                "org_label-schema_vcs-url": "github.com/elastic/beats/v7",
+                "org_label-schema_vendor": "Elastic",
+                "org_label-schema_version": "7.13.0-SNAPSHOT",
+                "org_opencontainers_image_created": "2021-04-21T06:45:43Z",
+                "org_opencontainers_image_licenses": "Elastic License",
+                "org_opencontainers_image_title": "Elastic-Agent",
+                "org_opencontainers_image_vendor": "Elastic",
+                "release": "1",
+                "summary": "elastic-agent",
+                "url": "https://www.elastic.co/beats/elastic-agent",
+                "vendor": "Elastic",
+                "version": "7.13.0-SNAPSHOT"
+            }
+        },
+        "network": {
+            "in": {
+                "bytes": 0,
+                "dropped": 0,
+                "errors": 0,
+                "packets": 0
+            },
+            "inbound": {
+                "bytes": 156469392,
+                "dropped": 0,
+                "errors": 0,
+                "packets": 710866
+            },
+            "interface": "eth0",
+            "out": {
+                "bytes": 0,
+                "dropped": 0,
+                "errors": 0,
+                "packets": 0
+            },
+            "outbound": {
+                "bytes": 3150916813,
+                "dropped": 0,
+                "errors": 0,
+                "packets": 1059447
+            }
+        }
+    },
+    "event": {
+        "dataset": "docker.network",
+        "duration": 115000,
+        "module": "docker"
+    },
+    "metricset": {
+        "name": "network",
+        "period": 10000
+    },
+    "service": {
+        "address": "/var/run/docker.sock",
+        "type": "docker"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-docker-network_summary.md b/docs/reference/metricbeat/metricbeat-metricset-docker-network_summary.md
new file mode 100644
index 000000000000..6b883b7bf209
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-docker-network_summary.md
@@ -0,0 +1,322 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-docker-network_summary.html
+---
+
+# Docker network_summary metricset [metricbeat-metricset-docker-network_summary]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The `network_summary` metricset collects detailed network metrics from the processes associated with a container. These stats come from `/proc/[PID]/net`, and are summed across the different namespaces found across the PIDs.
+
+Because this metricset will try to access network counters from procfs, it is only available on linux.
+
+## Fields [_fields_78]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-docker.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "container": {
+        "id": "b1c3118fb2087e499c421aa20e28847ad4c185be6c1864166b1a03cc2affaf80",
+        "image": {
+            "name": "docker.elastic.co/beats/elastic-agent:7.13.0-SNAPSHOT"
+        },
+        "name": "elastic-package-stack_elastic-agent_1",
+        "runtime": "docker"
+    },
+    "docker": {
+        "container": {
+            "labels": {
+                "com_docker_compose_config-hash": "fdad7f67fafe5a242b9b9d27bff78bef4b96c683a2bb1412d91c32fb5981f2b3",
+                "com_docker_compose_container-number": "1",
+                "com_docker_compose_oneoff": "False",
+                "com_docker_compose_project": "elastic-package-stack",
+                "com_docker_compose_project_config_files": "/home/alexk/.elastic-package/stack/openport/snapshot.yml",
+                "com_docker_compose_project_working_dir": "/home/alexk/.elastic-package/stack/openport",
+                "com_docker_compose_service": "elastic-agent",
+                "com_docker_compose_version": "1.27.4",
+                "description": "Agent manages other beats based on configuration provided.",
+                "io_k8s_description": "Agent manages other beats based on configuration provided.",
+                "io_k8s_display-name": "Elastic-Agent image",
+                "license": "Elastic License",
+                "maintainer": "infra@elastic.co",
+                "name": "elastic-agent",
+                "org_label-schema_build-date": "2021-04-21T06:45:43Z",
+                "org_label-schema_license": "Elastic License",
+                "org_label-schema_name": "elastic-agent",
+                "org_label-schema_schema-version": "1.0",
+                "org_label-schema_url": "https://www.elastic.co/beats/elastic-agent",
+                "org_label-schema_vcs-ref": "c52c43963ca8416dc92c7d3dbf6cb6e89dd00acf",
+                "org_label-schema_vcs-url": "github.com/elastic/beats/v7",
+                "org_label-schema_vendor": "Elastic",
+                "org_label-schema_version": "7.13.0-SNAPSHOT",
+                "org_opencontainers_image_created": "2021-04-21T06:45:43Z",
+                "org_opencontainers_image_licenses": "Elastic License",
+                "org_opencontainers_image_title": "Elastic-Agent",
+                "org_opencontainers_image_vendor": "Elastic",
+                "release": "1",
+                "summary": "elastic-agent",
+                "url": "https://www.elastic.co/beats/elastic-agent",
+                "vendor": "Elastic",
+                "version": "7.13.0-SNAPSHOT"
+            }
+        },
+        "network_summary": {
+            "icmp": {
+                "InAddrMaskReps": 0,
+                "InAddrMasks": 0,
+                "InCsumErrors": 0,
+                "InDestUnreachs": 0,
+                "InEchoReps": 0,
+                "InEchos": 0,
+                "InErrors": 0,
+                "InMsgs": 0,
+                "InParmProbs": 0,
+                "InRedirects": 0,
+                "InSrcQuenchs": 0,
+                "InTimeExcds": 0,
+                "InTimestampReps": 0,
+                "InTimestamps": 0,
+                "OutAddrMaskReps": 0,
+                "OutAddrMasks": 0,
+                "OutDestUnreachs": 0,
+                "OutEchoReps": 0,
+                "OutEchos": 0,
+                "OutErrors": 0,
+                "OutMsgs": 0,
+                "OutParmProbs": 0,
+                "OutRedirects": 0,
+                "OutSrcQuenchs": 0,
+                "OutTimeExcds": 0,
+                "OutTimestampReps": 0,
+                "OutTimestamps": 0
+            },
+            "ip": {
+                "DefaultTTL": 64,
+                "ForwDatagrams": 0,
+                "Forwarding": 1,
+                "FragCreates": 0,
+                "FragFails": 0,
+                "FragOKs": 0,
+                "InAddrErrors": 0,
+                "InBcastOctets": 0,
+                "InBcastPkts": 0,
+                "InCEPkts": 0,
+                "InCsumErrors": 0,
+                "InDelivers": 1246323,
+                "InDiscards": 0,
+                "InECT0Pkts": 0,
+                "InECT1Pkts": 0,
+                "InHdrErrors": 0,
+                "InMcastOctets": 0,
+                "InMcastPkts": 0,
+                "InNoECTPkts": 1246337,
+                "InNoRoutes": 0,
+                "InOctets": 172967508,
+                "InReceives": 1246323,
+                "InTruncatedPkts": 0,
+                "InUnknownProtos": 0,
+                "OutBcastOctets": 0,
+                "OutBcastPkts": 0,
+                "OutDiscards": 0,
+                "OutMcastOctets": 0,
+                "OutMcastPkts": 0,
+                "OutNoRoutes": 0,
+                "OutOctets": 2783525210,
+                "OutRequests": 1550542,
+                "ReasmFails": 0,
+                "ReasmOKs": 0,
+                "ReasmOverlaps": 0,
+                "ReasmReqds": 0,
+                "ReasmTimeout": 0
+            },
+            "namespace": {
+                "ID": 4026532414,
+                "pid": 2240728
+            },
+            "tcp": {
+                "ActiveOpens": 742,
+                "ArpFilter": 0,
+                "AttemptFails": 0,
+                "BusyPollRxPackets": 0,
+                "CurrEstab": 12,
+                "DelayedACKLocked": 0,
+                "DelayedACKLost": 1,
+                "DelayedACKs": 23466,
+                "EmbryonicRsts": 0,
+                "EstabResets": 0,
+                "IPReversePathFilter": 0,
+                "InCsumErrors": 0,
+                "InErrs": 0,
+                "InSegs": 1243467,
+                "ListenDrops": 0,
+                "ListenOverflows": 0,
+                "LockDroppedIcmps": 0,
+                "MaxConn": -1,
+                "OfoPruned": 0,
+                "OutOfWindowIcmps": 0,
+                "OutRsts": 709,
+                "OutSegs": 2936174,
+                "PAWSActive": 0,
+                "PAWSEstab": 19,
+                "PFMemallocDrop": 0,
+                "PassiveOpens": 4,
+                "PruneCalled": 0,
+                "RcvPruned": 0,
+                "RetransSegs": 1613,
+                "RtoAlgorithm": 1,
+                "RtoMax": 120000,
+                "RtoMin": 200,
+                "SyncookiesFailed": 0,
+                "SyncookiesRecv": 0,
+                "SyncookiesSent": 0,
+                "TCPACKSkippedChallenge": 0,
+                "TCPACKSkippedFinWait2": 0,
+                "TCPACKSkippedPAWS": 0,
+                "TCPACKSkippedSeq": 0,
+                "TCPACKSkippedSynRecv": 0,
+                "TCPACKSkippedTimeWait": 0,
+                "TCPAbortFailed": 0,
+                "TCPAbortOnClose": 0,
+                "TCPAbortOnData": 705,
+                "TCPAbortOnLinger": 0,
+                "TCPAbortOnMemory": 0,
+                "TCPAbortOnTimeout": 0,
+                "TCPAckCompressed": 0,
+                "TCPAutoCorking": 763,
+                "TCPBacklogCoalesce": 1358,
+                "TCPBacklogDrop": 0,
+                "TCPChallengeACK": 0,
+                "TCPDSACKIgnoredDubious": 0,
+                "TCPDSACKIgnoredNoUndo": 1498,
+                "TCPDSACKIgnoredOld": 0,
+                "TCPDSACKOfoRecv": 0,
+                "TCPDSACKOfoSent": 0,
+                "TCPDSACKOldSent": 1,
+                "TCPDSACKRecv": 1586,
+                "TCPDSACKRecvSegs": 1589,
+                "TCPDSACKUndo": 2,
+                "TCPDeferAcceptDrop": 0,
+                "TCPDelivered": 2275375,
+                "TCPDeliveredCE": 0,
+                "TCPFastOpenActive": 0,
+                "TCPFastOpenActiveFail": 0,
+                "TCPFastOpenBlackhole": 0,
+                "TCPFastOpenCookieReqd": 0,
+                "TCPFastOpenListenOverflow": 0,
+                "TCPFastOpenPassive": 0,
+                "TCPFastOpenPassiveAltKey": 0,
+                "TCPFastOpenPassiveFail": 0,
+                "TCPFastRetrans": 7,
+                "TCPFromZeroWindowAdv": 0,
+                "TCPFullUndo": 1,
+                "TCPHPAcks": 537452,
+                "TCPHPHits": 144087,
+                "TCPHystartDelayCwnd": 0,
+                "TCPHystartDelayDetect": 0,
+                "TCPHystartTrainCwnd": 36,
+                "TCPHystartTrainDetect": 2,
+                "TCPKeepAlive": 171573,
+                "TCPLossFailures": 0,
+                "TCPLossProbeRecovery": 0,
+                "TCPLossProbes": 2183,
+                "TCPLossUndo": 0,
+                "TCPLostRetransmit": 0,
+                "TCPMD5Failure": 0,
+                "TCPMD5NotFound": 0,
+                "TCPMD5Unexpected": 0,
+                "TCPMTUPFail": 0,
+                "TCPMTUPSuccess": 0,
+                "TCPMemoryPressures": 0,
+                "TCPMemoryPressuresChrono": 0,
+                "TCPMinTTLDrop": 0,
+                "TCPOFODrop": 0,
+                "TCPOFOMerge": 0,
+                "TCPOFOQueue": 0,
+                "TCPOrigDataSent": 2273068,
+                "TCPPartialUndo": 1,
+                "TCPPureAcks": 215589,
+                "TCPRcvCoalesce": 10,
+                "TCPRcvCollapsed": 0,
+                "TCPRcvQDrop": 0,
+                "TCPRenoFailures": 0,
+                "TCPRenoRecovery": 0,
+                "TCPRenoRecoveryFail": 0,
+                "TCPRenoReorder": 0,
+                "TCPReqQFullDoCookies": 0,
+                "TCPReqQFullDrop": 0,
+                "TCPRetransFail": 0,
+                "TCPSACKDiscard": 0,
+                "TCPSACKReneging": 0,
+                "TCPSACKReorder": 256,
+                "TCPSYNChallenge": 0,
+                "TCPSackFailures": 0,
+                "TCPSackMerged": 5,
+                "TCPSackRecovery": 4,
+                "TCPSackRecoveryFail": 0,
+                "TCPSackShiftFallback": 160,
+                "TCPSackShifted": 0,
+                "TCPSlowStartRetrans": 0,
+                "TCPSpuriousRTOs": 0,
+                "TCPSpuriousRtxHostQueues": 2,
+                "TCPSynRetrans": 24,
+                "TCPTSReorder": 1,
+                "TCPTimeWaitOverflow": 0,
+                "TCPTimeouts": 24,
+                "TCPToZeroWindowAdv": 0,
+                "TCPWantZeroWindowAdv": 0,
+                "TCPWinProbe": 0,
+                "TCPWqueueTooBig": 0,
+                "TCPZeroWindowDrop": 0,
+                "TW": 3,
+                "TWKilled": 0,
+                "TWRecycled": 0,
+                "TcpDuplicateDataRehash": 0,
+                "TcpTimeoutRehash": 24
+            },
+            "udp": {
+                "IgnoredMulti": 0,
+                "InCsumErrors": 0,
+                "InDatagrams": 2856,
+                "InErrors": 0,
+                "NoPorts": 0,
+                "OutDatagrams": 2856,
+                "RcvbufErrors": 0,
+                "SndbufErrors": 0
+            },
+            "udp_lite": {
+                "IgnoredMulti": 0,
+                "InCsumErrors": 0,
+                "InDatagrams": 0,
+                "InErrors": 0,
+                "NoPorts": 0,
+                "OutDatagrams": 0,
+                "RcvbufErrors": 0,
+                "SndbufErrors": 0
+            }
+        }
+    },
+    "event": {
+        "dataset": "docker.network_summary",
+        "duration": 115000,
+        "module": "docker"
+    },
+    "metricset": {
+        "name": "network_summary",
+        "period": 10000
+    },
+    "service": {
+        "address": "unix:///var/run/docker.sock",
+        "type": "docker"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-dropwizard-collector.md b/docs/reference/metricbeat/metricbeat-metricset-dropwizard-collector.md
new file mode 100644
index 000000000000..d32b40cd9d1e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-dropwizard-collector.md
@@ -0,0 +1,74 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-dropwizard-collector.html
+---
+
+# Dropwizard collector metricset [metricbeat-metricset-dropwizard-collector]
+
+This is the `collector` metricset of the Dropwizard module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_79]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-dropwizard.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "dropwizard": {
+        "testnamespace": {
+            "my_gauge": {},
+            "my_histogram": {
+                "count": 0,
+                "max": 0,
+                "mean": 0,
+                "min": 0,
+                "p50": 0,
+                "p75": 0,
+                "p95": 0,
+                "p98": 0,
+                "p99": 0,
+                "p999": 0,
+                "stddev": 0
+            },
+            "my_timer": {
+                "count": 0,
+                "duration_units": "seconds",
+                "m15_rate": 0,
+                "m1_rate": 0,
+                "m5_rate": 0,
+                "max": 0,
+                "mean": 0,
+                "mean_rate": 0,
+                "min": 0,
+                "p50": 0,
+                "p75": 0,
+                "p95": 0,
+                "p98": 0,
+                "p99": 0,
+                "p999": 0,
+                "rate_units": "calls/second",
+                "stddev": 0
+            }
+        }
+    },
+    "event": {
+        "dataset": "dropwizard.testnamespace",
+        "duration": 115000,
+        "module": "dropwizard"
+    },
+    "metricset": {
+        "name": "collector",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "dropwizard"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-ccr.md b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-ccr.md
new file mode 100644
index 000000000000..ddf628d4a812
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-ccr.md
@@ -0,0 +1,132 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-elasticsearch-ccr.html
+---
+
+# Elasticsearch ccr metricset [metricbeat-metricset-elasticsearch-ccr]
+
+This is the `ccr` metricset of the {{es}} module. It uses the Cross-Cluster Replication Stats API endpoint to fetch metrics about cross-cluster replication from the {{es}} clusters that are participating in cross-cluster replication.
+
+If the {{es}} cluster does not have cross-cluster replication enabled, this metricset will not collect metrics. A DEBUG log message about this will be emitted in the Metricbeat log.
+
+## Fields [_fields_80]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-elasticsearch.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "elasticsearch": {
+        "ccr": {
+            "auto_follow": {
+                "failed": {
+                    "follow_indices": {
+                        "count": 0
+                    },
+                    "remote_cluster_state_requests": {
+                        "count": 0
+                    }
+                },
+                "success": {
+                    "follow_indices": {
+                        "count": 0
+                    }
+                }
+            },
+            "bytes_read": 0,
+            "follower": {
+                "aliases_version": 1,
+                "global_checkpoint": -1,
+                "index": "rats",
+                "max_seq_no": -1,
+                "operations": {
+                    "read": {
+                        "count": 0
+                    }
+                },
+                "operations_written": 0,
+                "settings_version": 1,
+                "shard": {
+                    "number": 0
+                },
+                "time_since_last_read": {
+                    "ms": 3095
+                }
+            },
+            "leader": {
+                "global_checkpoint": -1,
+                "index": "pied_piper",
+                "max_seq_no": -1
+            },
+            "read_exceptions": [],
+            "requests": {
+                "failed": {
+                    "read": {
+                        "count": 0
+                    },
+                    "write": {
+                        "count": 0
+                    }
+                },
+                "outstanding": {
+                    "read": {
+                        "count": 1
+                    },
+                    "write": {
+                        "count": 0
+                    }
+                },
+                "successful": {
+                    "read": {
+                        "count": 0
+                    },
+                    "write": {
+                        "count": 0
+                    }
+                }
+            },
+            "total_time": {
+                "read": {
+                    "ms": 0,
+                    "remote_exec": {
+                        "ms": 0
+                    }
+                },
+                "write": {
+                    "ms": 0
+                }
+            },
+            "write_buffer": {
+                "operation": {
+                    "count": 0
+                },
+                "size": {
+                    "bytes": 0
+                }
+            }
+        },
+        "cluster": {
+            "id": "WocBBA0QRma0sGpdQ7vLfQ",
+            "name": "docker-cluster"
+        }
+    },
+    "event": {
+        "dataset": "elasticsearch.ccr",
+        "duration": 115000,
+        "module": "elasticsearch"
+    },
+    "metricset": {
+        "name": "ccr",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.19.0.2:9200",
+        "name": "elasticsearch",
+        "type": "elasticsearch"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-cluster_stats.md b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-cluster_stats.md
new file mode 100644
index 000000000000..acfbfce1a952
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-cluster_stats.md
@@ -0,0 +1,165 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-elasticsearch-cluster_stats.html
+---
+
+# Elasticsearch cluster_stats metricset [metricbeat-metricset-elasticsearch-cluster_stats]
+
+This is the `cluster_stats` metricset of the Elasticsearch module. It interrogates the [Cluster Stats API endpoint](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-cluster-stats) to fetch information about the Elasticsearch cluster.
+
+## Fields [_fields_81]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-elasticsearch.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2022-09-29T15:29:10.126Z",
+    "agent": {
+      "ephemeral_id": "a5d48d51-ae7e-4d92-8322-480f92a13ad1",
+      "id": "baa161a5-42b3-4ecc-8d2d-578df730f8f2",
+      "name": "host.example.com",
+      "type": "metricbeat",
+      "version": "8.6.0"
+    },
+    "ecs": {
+      "version": "8.0.0"
+    },
+    "service": {
+      "address": "http://localhost:9200",
+      "type": "elasticsearch"
+    },
+    "event": {
+      "duration": 21179060,
+      "dataset": "elasticsearch.cluster.stats",
+      "module": "elasticsearch"
+    },
+    "metricset": {
+      "name": "cluster_stats",
+      "period": 10000
+    },
+    "elasticsearch": {
+      "cluster": {
+        "id": "C69Yz6KEQwqRB3UM6eAw9Q",
+        "stats": {
+          "indices": {
+            "total": 13,
+            "shards": {
+              "count": 13,
+              "primaries": 13
+            },
+            "store": {
+              "size": {
+                "bytes": 215309570
+              }
+            },
+            "fielddata": {
+              "memory": {
+                "bytes": 856
+              }
+            },
+            "docs": {
+              "total": 346281
+            }
+          },
+          "status": "yellow",
+          "nodes": {
+            "fs": {
+              "total": {
+                "bytes": 1000240963584
+              },
+              "available": {
+                "bytes": 748824121344
+              }
+            },
+            "jvm": {
+              "memory": {
+                "heap": {
+                  "used": {
+                    "bytes": 940384488
+                  },
+                  "max": {
+                    "bytes": 1610612736
+                  }
+                }
+              },
+              "max_uptime": {
+                "ms": 276638325
+              }
+            },
+            "versions": [
+              "8.6.0"
+            ],
+            "count": 1,
+            "master": 1,
+            "data": 1
+          },
+          "stack": {
+            "xpack": {
+              "ccr": {
+                "enabled": true,
+                "available": false
+              }
+            },
+            "apm": {
+              "found": false
+            }
+          },
+          "license": {
+            "issuer": "elasticsearch",
+            "uid": "b7b2528a-2420-40a7-9901-27cd17038417",
+            "issue_date": "2022-09-26T10:38:48.488Z",
+            "issue_date_in_millis": 1664188728488,
+            "type": "basic",
+            "status": "active",
+            "start_date_in_millis": -1,
+            "max_nodes": 1000,
+            "issued_to": "elasticsearch",
+            "cluster_needs_tls": false
+          },
+          "state": {
+            "state_uuid": "k33Hi1zfQKyWy5bo1eDIeg",
+            "nodes": {
+              "5zxFRfJuQke2wVTtnREDWQ": {
+                "external_id": "host.example.com",
+                "attributes": {
+                  "ml.allocated_processors_double": "16.0",
+                  "ml.max_jvm_size": "1610612736",
+                  "ml.allocated_processors": "16",
+                  "ml.machine_memory": "68719476736",
+                  "xpack.installed": "true"
+                },
+                "roles": [
+                  "data",
+                  "data_cold",
+                  "data_content",
+                  "data_frozen",
+                  "data_hot",
+                  "data_warm",
+                  "ingest",
+                  "master",
+                  "ml",
+                  "remote_cluster_client",
+                  "transform"
+                ],
+                "name": "host.example.com",
+                "ephemeral_id": "lLzvxF39RpG5SRDFbyzbGw",
+                "transport_address": "127.0.0.1:9300"
+              }
+            },
+            "nodes_hash": 104095561,
+            "master_node": "5zxFRfJuQke2wVTtnREDWQ"
+          }
+        },
+        "name": "elasticsearch"
+      },
+      "version": 96
+    },
+    "host": {
+      "name": "host.example.com"
+    }
+  }
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-enrich.md b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-enrich.md
new file mode 100644
index 000000000000..d3a0e8d41c61
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-enrich.md
@@ -0,0 +1,56 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-elasticsearch-enrich.html
+---
+
+# Elasticsearch enrich metricset [metricbeat-metricset-elasticsearch-enrich]
+
+This is the `enrich` metricset of the Elasticsearch module. It interrogates the Enrich Stats API endpoint to fetch information about Enrich coordinator nodes in the Elasticsearch cluster that are participating in ingest-time enrichment.
+
+## Fields [_fields_82]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-elasticsearch.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "elasticsearch": {
+        "cluster": {
+            "id": "WocBBA0QRma0sGpdQ7vLfQ",
+            "name": "docker-cluster"
+        },
+        "enrich": {
+            "executed_searches": {
+                "total": 1
+            },
+            "queue": {
+                "size": 0
+            },
+            "remote_requests": {
+                "current": 0,
+                "total": 1
+            }
+        },
+        "node": {
+            "id": "f5i3v9hMT_q__q6B9WOo5A"
+        }
+    },
+    "event": {
+        "dataset": "elasticsearch.enrich",
+        "duration": 115000,
+        "module": "elasticsearch"
+    },
+    "metricset": {
+        "name": "enrich",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.19.0.2:9200",
+        "type": "elasticsearch"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-index.md b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-index.md
new file mode 100644
index 000000000000..ee2a61fd354f
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-index.md
@@ -0,0 +1,181 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-elasticsearch-index.html
+---
+
+# Elasticsearch index metricset [metricbeat-metricset-elasticsearch-index]
+
+This is the index metricset of the module elasticsearch.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_83]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-elasticsearch.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2022-09-28T15:49:31.830Z",
+    "agent": {
+      "name": "host.example.com",
+      "type": "metricbeat",
+      "version": "8.6.0",
+      "ephemeral_id": "fc15d33f-c1e8-4e8a-ab69-3c0ea00c3c3e",
+      "id": "baa161a5-42b3-4ecc-8d2d-578df730f8f2"
+    },
+    "ecs": {
+      "version": "8.0.0"
+    },
+    "event": {
+      "module": "elasticsearch",
+      "duration": 5974079,
+      "dataset": "elasticsearch.index"
+    },
+    "metricset": {
+      "name": "index",
+      "period": 10000
+    },
+    "service": {
+      "address": "http://localhost:9200",
+      "type": "elasticsearch"
+    },
+    "elasticsearch": {
+      "cluster": {
+        "id": "C69Yz6KEQwqRB3UM6eAw9Q",
+        "name": "elasticsearch"
+      },
+      "index": {
+        "name": ".kibana_task_manager_8.6.0_001",
+        "uuid": "LSnJxMuITNyjGmTxHcpTdA",
+        "primaries": {
+          "segments": {
+            "memory_in_bytes": 0,
+            "term_vectors_memory_in_bytes": 0,
+            "version_map_memory_in_bytes": 0,
+            "fixed_bit_set_memory_in_bytes": 21072,
+            "index_writer_memory_in_bytes": 0,
+            "norms_memory_in_bytes": 0,
+            "doc_values_memory_in_bytes": 0,
+            "count": 5,
+            "terms_memory_in_bytes": 0,
+            "stored_fields_memory_in_bytes": 0,
+            "points_memory_in_bytes": 0
+          },
+          "search": {
+            "query_total": 421083,
+            "query_time_in_millis": 2456214
+          },
+          "store": {
+            "size_in_bytes": 17759832,
+            "total_data_set_size_in_bytes": 17759832
+          },
+          "query_cache": {
+            "memory_size_in_bytes": 21120,
+            "hit_count": 546992,
+            "miss_count": 12462882
+          },
+          "merges": {
+            "total_size_in_bytes": 2199683211
+          },
+          "request_cache": {
+            "hit_count": 0,
+            "miss_count": 11,
+            "evictions": 0,
+            "memory_size_in_bytes": 0
+          },
+          "docs": {
+            "count": 26,
+            "deleted": 166775
+          },
+          "indexing": {
+            "index_time_in_millis": 117187,
+            "throttle_time_in_millis": 0,
+            "index_total": 166797
+          },
+          "refresh": {
+            "total_time_in_millis": 2562826,
+            "external_total_time_in_millis": 2679779
+          }
+        },
+        "total": {
+          "fielddata": {
+            "memory_size_in_bytes": 0,
+            "evictions": 0
+          },
+          "merges": {
+            "total_size_in_bytes": 2199683211
+          },
+          "store": {
+            "size_in_bytes": 17759832,
+            "total_data_set_size_in_bytes": 17759832
+          },
+          "indexing": {
+            "index_time_in_millis": 117187,
+            "throttle_time_in_millis": 0,
+            "index_total": 166797
+          },
+          "bulk": {
+            "total_operations": 123015,
+            "total_time_in_millis": 226600,
+            "total_size_in_bytes": 88785707,
+            "avg_time_in_millis": 1,
+            "avg_size_in_bytes": 848
+          },
+          "segments": {
+            "term_vectors_memory_in_bytes": 0,
+            "version_map_memory_in_bytes": 0,
+            "norms_memory_in_bytes": 0,
+            "index_writer_memory_in_bytes": 0,
+            "fixed_bit_set_memory_in_bytes": 21072,
+            "stored_fields_memory_in_bytes": 0,
+            "count": 5,
+            "memory_in_bytes": 0,
+            "terms_memory_in_bytes": 0,
+            "doc_values_memory_in_bytes": 0,
+            "points_memory_in_bytes": 0
+          },
+          "search": {
+            "query_total": 421083,
+            "query_time_in_millis": 2456214
+          },
+          "query_cache": {
+            "memory_size_in_bytes": 21120,
+            "hit_count": 546992,
+            "miss_count": 12462882,
+            "evictions": 20
+          },
+          "docs": {
+            "count": 26,
+            "deleted": 166775
+          },
+          "refresh": {
+            "external_total_time_in_millis": 2679779,
+            "total_time_in_millis": 2562826
+          },
+          "request_cache": {
+            "memory_size_in_bytes": 0,
+            "hit_count": 0,
+            "miss_count": 11,
+            "evictions": 0
+          }
+        },
+        "status": "green",
+        "tier_preference": "data_content",
+        "creation_date": 1731657995821,
+        "version": "8505000",
+        "hidden": true,
+        "shards": {
+          "total": 1,
+          "primaries": 1
+        }
+      }
+    },
+    "host": {
+      "name": "host.example.com"
+    }
+  }
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-index_recovery.md b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-index_recovery.md
new file mode 100644
index 000000000000..4ff43204cc6e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-index_recovery.md
@@ -0,0 +1,93 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-elasticsearch-index_recovery.html
+---
+
+# Elasticsearch index_recovery metricset [metricbeat-metricset-elasticsearch-index_recovery]
+
+This is the index_recovery metricset of the module Elasticsearch.
+
+By default data about all indices are fetched. To gather data about indices that are under active recovery only, set `index_recovery.active_only: true`:
+
+```yaml
+- module: elasticsearch
+  metricsets:
+    - index_recovery
+  hosts: ["localhost:9200"]
+  index_recovery.active_only: false
+```
+
+## Fields [_fields_84]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-elasticsearch.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "elasticsearch": {
+        "cluster": {
+            "id": "WocBBA0QRma0sGpdQ7vLfQ",
+            "name": "docker-cluster"
+        },
+        "index": {
+            "name": "users",
+            "recovery": {
+                "id": 0,
+                "index": {
+                    "files": {
+                        "percent": "0.0%",
+                        "recovered": 0,
+                        "reused": 0,
+                        "total": 0
+                    },
+                    "size": {
+                        "recovered_in_bytes": 0,
+                        "reused_in_bytes": 0,
+                        "total_in_bytes": 0
+                    }
+                },
+                "name": "users",
+                "primary": true,
+                "source": {},
+                "stage": "DONE",
+                "start_time": {
+                    "ms": 1635956540240
+                },
+                "stop_time": {
+                    "ms": 1635956540265
+                },
+                "target": {
+                    "host": "127.0.0.1",
+                    "id": "f5i3v9hMT_q__q6B9WOo5A",
+                    "name": "27fb1c2fd783",
+                    "transport_address": "127.0.0.1:9300"
+                },
+                "translog": {
+                    "percent": "100.0%",
+                    "total": 0,
+                    "total_on_start": 0
+                },
+                "type": "EMPTY_STORE"
+            }
+        }
+    },
+    "event": {
+        "dataset": "elasticsearch.index.recovery",
+        "duration": 115000,
+        "module": "elasticsearch"
+    },
+    "metricset": {
+        "name": "index_recovery",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.19.0.2:9200",
+        "name": "elasticsearch",
+        "type": "elasticsearch"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-index_summary.md b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-index_summary.md
new file mode 100644
index 000000000000..682c6b5091ea
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-index_summary.md
@@ -0,0 +1,106 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-elasticsearch-index_summary.html
+---
+
+# Elasticsearch index_summary metricset [metricbeat-metricset-elasticsearch-index_summary]
+
+This is the index summary metricset of the module elasticsearch.
+
+## Fields [_fields_85]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-elasticsearch.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "elasticsearch": {
+        "cluster": {
+            "id": "WocBBA0QRma0sGpdQ7vLfQ",
+            "name": "docker-cluster"
+        },
+        "index": {
+            "summary": {
+                "primaries": {
+                    "docs": {
+                        "count": 74,
+                        "deleted": 1424
+                    },
+                    "indexing": {
+                        "index": {
+                            "count": 1495
+                        }
+                    },
+                    "search": {
+                        "query": {
+                            "count": 15307,
+                            "time": {
+                                "ms": 2912
+                            }
+                        }
+                    },
+                    "segments": {
+                        "count": 21,
+                        "memory": {
+                            "bytes": 70532
+                        }
+                    },
+                    "store": {
+                        "size": {
+                            "bytes": 44131181
+                        }
+                    }
+                },
+                "total": {
+                    "docs": {
+                        "count": 74,
+                        "deleted": 1424
+                    },
+                    "indexing": {
+                        "index": {
+                            "count": 1495
+                        }
+                    },
+                    "search": {
+                        "query": {
+                            "count": 15307,
+                            "time": {
+                                "ms": 2912
+                            }
+                        }
+                    },
+                    "segments": {
+                        "count": 21,
+                        "memory": {
+                            "bytes": 70532
+                        }
+                    },
+                    "store": {
+                        "size": {
+                            "bytes": 44131181
+                        }
+                    }
+                }
+            }
+        }
+    },
+    "event": {
+        "dataset": "elasticsearch.index.summary",
+        "duration": 115000,
+        "module": "elasticsearch"
+    },
+    "metricset": {
+        "name": "index_summary",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.19.0.2:9200",
+        "name": "elasticsearch",
+        "type": "elasticsearch"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-ingest_pipeline.md b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-ingest_pipeline.md
new file mode 100644
index 000000000000..006f3f6282ab
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-ingest_pipeline.md
@@ -0,0 +1,102 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-elasticsearch-ingest_pipeline.html
+---
+
+# Elasticsearch ingest_pipeline metricset [metricbeat-metricset-elasticsearch-ingest_pipeline]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the ingest_pipeline metricset of the module elasticsearch.
+
+Collects metrics on ingest pipeline executions, with processor-level granularity.
+
+
+## Processor-level metrics sampling [_processor_level_metrics_sampling]
+
+Processor-level metrics can produce a high volume of data, so the default behavior is to collect those metrics less frequently than the `period` for pipeline-level metrics, by applying a sampling strategy. By default, the processor-level metrics will be collected during 25% of the time. This can be configured with the `ingest.processor_sample_rate` setting:
+
+
+## Configuration example [_configuration_example_19]
+
+```yaml
+- module: elasticsearch
+  period: 10s
+  metricsets:
+    - ingest_pipeline
+  ingest.processor_sample_rate: 0.1 # decrease to 10% of fetches
+```
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_86]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-elasticsearch.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+  "@timestamp": "2023-01-19T19:08:28.770Z",
+  "elasticsearch": {
+    "cluster": {
+      "id": "WocBBA0QRma0sGpdQ7vLfQ",
+      "name": "my-cluster"
+    },
+    "node": {
+      "name": "27fb1c2fd783",
+      "roles": [
+        "ingest",
+        "remote_cluster_client"
+      ],
+      "id": "f5i3v9hMT_q__q6B9WOo5A"
+    },
+    "ingest_pipeline": {
+      "name": "my-pipeline",
+      "total": {
+        "count": 64,
+        "failed": 0,
+        "time": {
+          "total": {
+            "ms": 39
+          },
+          "self": {
+            "ms": 39
+          }
+        }
+      }
+    }
+  },
+  "ecs": {
+    "version": "8.0.0"
+  },
+  "host": {
+    "name": "myhost.local"
+  },
+  "agent": {
+    "type": "metricbeat",
+    "version": "8.7.0",
+    "ephemeral_id": "80fe51b6-57df-46d1-9240-20424df6d675",
+    "id": "faab8154-7ceb-470f-b2ca-0aee636951c3",
+    "name": "myhost.local"
+  },
+  "event": {
+    "dataset": "elasticsearch.ingest_pipeline",
+    "module": "elasticsearch",
+    "duration": 558169708
+  },
+  "metricset": {
+    "period": 10000,
+    "name": "ingest_pipeline"
+  },
+  "service": {
+    "address": "https://localhost:9200",
+    "type": "elasticsearch"
+  }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-ml_job.md b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-ml_job.md
new file mode 100644
index 000000000000..5bb82d0b6a4c
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-ml_job.md
@@ -0,0 +1,62 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-elasticsearch-ml_job.html
+---
+
+# Elasticsearch ml_job metricset [metricbeat-metricset-elasticsearch-ml_job]
+
+This is the `ml_job` metricset of the Elasticsearch module. This metricset requires [Machine Learning](https://www.elastic.co/products/x-pack/machine-learning) to be enabled.
+
+## Fields [_fields_87]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-elasticsearch.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "elasticsearch": {
+        "cluster": {
+            "id": "WocBBA0QRma0sGpdQ7vLfQ",
+            "name": "docker-cluster"
+        },
+        "ml": {
+            "job": {
+                "data_counts": {
+                    "invalid_date_count": 0,
+                    "processed_record_count": 0
+                },
+                "forecasts_stats": {
+                    "total": 0
+                },
+                "id": "total-requests",
+                "model_size": {
+                    "memory_status": "ok"
+                },
+                "state": "closed"
+            }
+        },
+        "node": {
+            "id": "27fb1c2fd783",
+            "name": "node-1"
+        }
+    },
+    "event": {
+        "dataset": "elasticsearch.ml.job",
+        "duration": 115000,
+        "module": "elasticsearch"
+    },
+    "metricset": {
+        "name": "ml_job",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.19.0.2:9200",
+        "name": "elasticsearch",
+        "type": "elasticsearch"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-node.md b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-node.md
new file mode 100644
index 000000000000..0d6016dd77f2
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-node.md
@@ -0,0 +1,73 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-elasticsearch-node.html
+---
+
+# Elasticsearch node metricset [metricbeat-metricset-elasticsearch-node]
+
+The `node` metricset interrogates the [Cluster API endpoint](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-nodes-info) of Elasticsearch to get cluster nodes information. This metricset only fetches the data from the `_local` node so it must run on each Elasticsearch node.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_88]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-elasticsearch.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "elasticsearch": {
+        "cluster": {
+            "id": "WocBBA0QRma0sGpdQ7vLfQ",
+            "name": "docker-cluster"
+        },
+        "node": {
+            "id": "f5i3v9hMT_q__q6B9WOo5A",
+            "jvm": {
+                "memory": {
+                    "heap": {
+                        "init": {
+                            "bytes": 268435456
+                        },
+                        "max": {
+                            "bytes": 268435456
+                        }
+                    },
+                    "nonheap": {
+                        "init": {
+                            "bytes": 7667712
+                        },
+                        "max": {
+                            "bytes": 0
+                        }
+                    }
+                },
+                "version": "16.0.1"
+            },
+            "name": "27fb1c2fd783",
+            "process": {
+                "mlockall": false
+            },
+            "version": "7.14.0"
+        }
+    },
+    "event": {
+        "dataset": "elasticsearch.node",
+        "duration": 115000,
+        "module": "elasticsearch"
+    },
+    "metricset": {
+        "name": "node",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.19.0.2:9200",
+        "name": "elasticsearch",
+        "type": "elasticsearch"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-node_stats.md b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-node_stats.md
new file mode 100644
index 000000000000..3b4db0f84241
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-node_stats.md
@@ -0,0 +1,556 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-elasticsearch-node_stats.html
+---
+
+# Elasticsearch node_stats metricset [metricbeat-metricset-elasticsearch-node_stats]
+
+The `node_stats` metricset interrogates the [Cluster API endpoint](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-nodes-stats) of Elasticsearch to get the cluster nodes statistics. The data received is only for the local node so this Metricbeat has to be run on each Elasticsearch node.
+
+::::{note}
+The indices stats are node-specific. That means for example the total number of docs reported by all nodes together is not the total number of documents in all indices as there can also be replicas.
+::::
+
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_89]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-elasticsearch.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2025-01-28T14:39:37.450Z",
+    "elasticsearch": {
+        "cluster": {
+            "id": "WocBBA0QRma0sGpdQ7vLfQ",
+            "name": "docker-cluster"
+        },
+        "node": {
+            "id": "f5i3v9hMT_q__q6B9WOo5A",
+            "master": true,
+            "mlockall": false,
+            "name": "27fb1c2fd783",
+            "stats": {
+                "fs": {
+                    "total": {
+                        "total_in_bytes": 128849018880,
+                        "available_in_bytes": 122770808832
+                    },
+                    "io_stats": {
+                        "total": {
+                            "read": {
+                                "kb": 33942834,
+                                "operations": {
+                                    "count": 728301
+                                }
+                            },
+                            "write": {
+                                "kb": 3788536676,
+                                "operations": {
+                                    "count": 719077269
+                                }
+                            },
+                            "operations": {
+                                "count": 719805570
+                            }
+                        }
+                    },
+                    "summary": {
+                        "free": {
+                            "bytes": 122770808832
+                        },
+                        "available": {
+                            "bytes": 122770808832
+                        },
+                        "total": {
+                            "bytes": 128849018880
+                        }
+                    }
+                },
+                "indexing_pressure": {
+                    "memory": {
+                        "current": {
+                            "replica": {
+                                "bytes": 0
+                            },
+                            "combined_coordinating_and_primary": {
+                                "bytes": 0
+                            },
+                            "all": {
+                                "bytes": 0
+                            },
+                            "primary": {
+                                "bytes": 0
+                            },
+                            "coordinating": {
+                                "bytes": 0
+                            }
+                        },
+                        "total": {
+                            "all": {
+                                "bytes": 220351441747
+                            },
+                            "primary": {
+                                "bytes": 246538295411,
+                                "rejections": 0
+                            },
+                            "coordinating": {
+                                "rejections": 0,
+                                "bytes": 220351430734
+                            },
+                            "replica": {
+                                "rejections": 0,
+                                "bytes": 0
+                            },
+                            "combined_coordinating_and_primary": {
+                                "bytes": 220351441747
+                            }
+                        },
+                        "limit_in_bytes": 195873996
+                    }
+                },
+                "indices": {
+                    "indexing": {
+                        "index_time": {
+                            "ms": 5609149
+                        },
+                        "index_total": {
+                            "count": 46090439
+                        },
+                        "throttle_time": {
+                            "ms": 0
+                        }
+                    },
+                    "shard_stats": {
+                        "total_count": 140
+                    },
+                    "merges": {
+                        "total_time": {
+                            "ms": 4864222
+                        },
+                        "total": {
+                            "count": 241354
+                        }
+                    },
+                    "flush": {
+                        "total_time": {
+                            "ms": 12498263
+                        },
+                        "total": {
+                            "count": 540712
+                        }
+                    },
+                    "refresh": {
+                        "total_time": {
+                            "ms": 15830993
+                        },
+                        "total": {
+                            "count": 3787539
+                        }
+                    },
+                    "query_cache": {
+                        "memory": {
+                            "bytes": 31842281
+                        }
+                    },
+                    "docs": {
+                        "deleted": 263,
+                        "count": 12575085
+                    },
+                    "get": {
+                        "time": {
+                            "ms": 562391
+                        },
+                        "total": {
+                            "count": 7756876
+                        }
+                    },
+                    "segments": {
+                        "norms": {
+                            "memory": {
+                                "bytes": 0
+                            }
+                        },
+                        "terms": {
+                            "memory": {
+                                "bytes": 0
+                            }
+                        },
+                        "index_writer": {
+                            "memory": {
+                                "bytes": 1055088
+                            }
+                        },
+                        "version_map": {
+                            "memory": {
+                                "bytes": 0
+                            }
+                        },
+                        "doc_values": {
+                            "memory": {
+                                "bytes": 0
+                            }
+                        },
+                        "fixed_bit_set": {
+                            "memory": {
+                                "bytes": 953472
+                            }
+                        },
+                        "points": {
+                            "memory": {
+                                "bytes": 0
+                            }
+                        },
+                        "stored_fields": {
+                            "memory": {
+                                "bytes": 0
+                            }
+                        },
+                        "count": 1257,
+                        "term_vectors": {
+                            "memory": {
+                                "bytes": 0
+                            }
+                        },
+                        "memory": {
+                            "bytes": 0
+                        }
+                    },
+                    "fielddata": {
+                        "evictions": {
+                            "count": 24
+                        },
+                        "memory": {
+                            "bytes": 512
+                        }
+                    },
+                    "translog": {
+                        "operations": {
+                            "count": 882
+                        },
+                        "size": {
+                            "bytes": 3027983
+                        }
+                    },
+                    "search": {
+                        "fetch_time": {
+                            "ms": 756010
+                        },
+                        "fetch_total": {
+                            "count": 19706537
+                        },
+                        "query_time": {
+                            "ms": 7451765
+                        },
+                        "query_total": {
+                            "count": 22765302
+                        }
+                    },
+                    "store": {
+                        "size": {
+                            "bytes": 5347443305
+                        },
+                        "total_data_set_size": {
+                            "bytes": 5347443305
+                        }
+                    },
+                    "request_cache": {
+                        "memory": {
+                            "bytes": 1110448
+                        }
+                    },
+                    "bulk": {
+                        "avg_size": {
+                            "bytes": 46429
+                        },
+                        "avg_time": {
+                            "ms": 0
+                        },
+                        "total_size": {
+                            "bytes": 215948271738
+                        },
+                        "total_time": {
+                            "ms": 8953160
+                        },
+                        "operations": {
+                            "total": {
+                                "count": 4685819
+                            }
+                        }
+                    }
+                },
+                "ingest": {
+                    "total": {
+                        "time_in_millis": 2285355,
+                        "current": 0,
+                        "failed": 0,
+                        "count": 19355426
+                    }
+                },
+                "jvm": {
+                    "gc": {
+                        "collectors": {
+                            "young": {
+                                "collection": {
+                                    "ms": 1973140,
+                                    "count": 61012
+                                }
+                            },
+                            "old": {
+                                "collection": {
+                                    "count": 0,
+                                    "ms": 0
+                                }
+                            }
+                        }
+                    },
+                    "mem": {
+                        "pools": {
+                            "young": {
+                                "used": {
+                                    "bytes": 562036736
+                                },
+                                "max": {
+                                    "bytes": 0
+                                },
+                                "peak": {
+                                    "bytes": 1161822208
+                                },
+                                "peak_max": {
+                                    "bytes": 0
+                                }
+                            },
+                            "survivor": {
+                                "used": {
+                                    "bytes": 23068672
+                                },
+                                "max": {
+                                    "bytes": 0
+                                },
+                                "peak": {
+                                    "bytes": 62914560
+                                },
+                                "peak_max": {
+                                    "bytes": 0
+                                }
+                            },
+                            "old": {
+                                "used": {
+                                    "bytes": 392190120
+                                },
+                                "max": {
+                                    "bytes": 1958739968
+                                },
+                                "peak": {
+                                    "bytes": 409689360
+                                },
+                                "peak_max": {
+                                    "bytes": 1958739968
+                                }
+                            }
+                        },
+                        "heap": {
+                            "max": {
+                                "bytes": 1958739968
+                            },
+                            "used": {
+                                "bytes": 977295528,
+                                "pct": 49
+                            }
+                        }
+                    },
+                    "threads": {
+                        "count": 127
+                    }
+                },
+                "os": {
+                    "cpu": {
+                        "load_avg": {
+                            "1m": 0.64
+                        }
+                    },
+                    "cgroup": {
+                        "cpuacct": {
+                            "usage": {
+                                "ns": 209789071276757
+                            }
+                        },
+                        "cpu": {
+                            "cfs": {
+                                "quota": {
+                                    "us": 220689
+                                }
+                            },
+                            "stat": {
+                                "times_throttled": {
+                                    "count": 36629
+                                },
+                                "time_throttled": {
+                                    "ns": 6561820668942
+                                },
+                                "elapsed_periods": {
+                                    "count": 25671143
+                                }
+                            }
+                        },
+                        "memory": {
+                            "limit": {
+                                "bytes": "4294967296"
+                            },
+                            "usage": {
+                                "bytes": "3965923328"
+                            },
+                            "control_group": "/"
+                        }
+                    }
+                },
+                "process": {
+                    "mem": {
+                        "total_virtual": {
+                            "bytes": 18230607872
+                        }
+                    },
+                    "open_file_descriptors": 1074,
+                    "cpu": {
+                        "pct": 2
+                    }
+                },
+                "thread_pool": {
+                    "search": {
+                        "active": {
+                            "count": 0
+                        },
+                        "queue": {
+                            "count": 0
+                        },
+                        "rejected": {
+                            "count": 0
+                        }
+                    },
+                    "flush": {
+                        "queue": {
+                            "count": 0
+                        },
+                        "rejected": {
+                            "count": 0
+                        },
+                        "active": {
+                            "count": 0
+                        }
+                    },
+                    "force_merge": {
+                        "rejected": {
+                            "count": 0
+                        },
+                        "active": {
+                            "count": 0
+                        },
+                        "queue": {
+                            "count": 0
+                        }
+                    },
+                    "get": {
+                        "active": {
+                            "count": 0
+                        },
+                        "queue": {
+                            "count": 0
+                        },
+                        "rejected": {
+                            "count": 0
+                        }
+                    },
+                    "system_write": {
+                        "active": {
+                            "count": 0
+                        },
+                        "queue": {
+                            "count": 0
+                        },
+                        "rejected": {
+                            "count": 0
+                        }
+                    },
+                    "system_read": {
+                        "active": {
+                            "count": 0
+                        },
+                        "queue": {
+                            "count": 0
+                        },
+                        "rejected": {
+                            "count": 0
+                        }
+                    },
+                    "write": {
+                        "active": {
+                            "count": 0
+                        },
+                        "queue": {
+                            "count": 0
+                        },
+                        "rejected": {
+                            "count": 0
+                        }
+                    },
+                    "snapshot": {
+                        "active": {
+                            "count": 0
+                        },
+                        "queue": {
+                            "count": 0
+                        },
+                        "rejected": {
+                            "count": 0
+                        }
+                    },
+                    "esql_worker": {
+                        "queue": {
+                            "count": 0
+                        },
+                        "rejected": {
+                            "count": 0
+                        },
+                        "active": {
+                            "count": 0
+                        }
+                    }
+                },
+                "transport": {
+                    "tx": {
+                        "count": 6974845,
+                        "size": {
+                            "bytes": 13076882004
+                        }
+                    },
+                    "rx": {
+                        "count": 6974819,
+                        "size": {
+                            "bytes": 36906511403
+                        }
+                    }
+                }
+            }
+        }
+    },
+    "event": {
+        "dataset": "elasticsearch.node.stats",
+        "duration": 115000,
+        "module": "elasticsearch"
+    },
+    "metricset": {
+        "name": "node_stats",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.19.0.2:9200",
+        "name": "elasticsearch",
+        "type": "elasticsearch"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-pending_tasks.md b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-pending_tasks.md
new file mode 100644
index 000000000000..594d90268bb2
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-pending_tasks.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-elasticsearch-pending_tasks.html
+---
+
+# Elasticsearch pending_tasks metricset [metricbeat-metricset-elasticsearch-pending_tasks]
+
+This is the `pending_tasks` metricset of the Elasticsearch module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_90]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-elasticsearch.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2018-05-03T20:58:17.379Z",
+    "metricset": {
+        "rtt": 2487,
+        "namespace": "elasticsearch.cluster.pending_task",
+        "name": "pending_tasks",
+        "module": "elasticsearch",
+        "host": "localhost:9200"
+    },
+    "elasticsearch": {
+        "cluster": {
+            "id": "3LbUkLkURz--FR-YO0wLNA",
+            "name": "es1",
+            "pending_task": {
+                "insert_order": 47,
+                "priority": "HIGH",
+                "source": "put-mapping",
+                "time_in_queue.ms": 34
+            }
+        }
+    },
+    "agent": {
+        "name": "host.example.com",
+        "hostname": "host.example.com"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-shard.md b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-shard.md
new file mode 100644
index 000000000000..5fde746d610a
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-elasticsearch-shard.md
@@ -0,0 +1,70 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-elasticsearch-shard.html
+---
+
+# Elasticsearch shard metricset [metricbeat-metricset-elasticsearch-shard]
+
+The `shard` metricset interrogates the [Cluster State API endpoint](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-cluster-state) to fetch information about all shards.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_91]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-elasticsearch.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "elasticsearch": {
+        "cluster": {
+            "id": "WocBBA0QRma0sGpdQ7vLfQ",
+            "name": "docker-cluster",
+            "state": {
+                "id": "XNIdeSZxQwyItvGfR5fHSw"
+            },
+            "stats": {
+                "state": {
+                    "state_uuid": "XNIdeSZxQwyItvGfR5fHSw"
+                }
+            }
+        },
+        "index": {
+            "name": "pied_piper"
+        },
+        "node": {
+            "id": "f5i3v9hMT_q__q6B9WOo5A"
+        },
+        "shard": {
+            "number": 0,
+            "primary": true,
+            "relocating_node": {
+                "id": null,
+                "name": null
+            },
+            "source_node": {
+                "name": "27fb1c2fd783",
+                "uuid": "f5i3v9hMT_q__q6B9WOo5A"
+            },
+            "state": "STARTED"
+        }
+    },
+    "event": {
+        "dataset": "elasticsearch.shard",
+        "duration": 115000,
+        "module": "elasticsearch"
+    },
+    "metricset": {
+        "name": "shard",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.19.0.2:9200",
+        "type": "elasticsearch"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-envoyproxy-server.md b/docs/reference/metricbeat/metricbeat-metricset-envoyproxy-server.md
new file mode 100644
index 000000000000..7ac3857a0128
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-envoyproxy-server.md
@@ -0,0 +1,90 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-envoyproxy-server.html
+---
+
+# Envoyproxy server metricset [metricbeat-metricset-envoyproxy-server]
+
+This is the server metricset of the module envoyproxy.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_94]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-envoyproxy.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "envoyproxy": {
+        "server": {
+            "cluster_manager": {
+                "active_clusters": 1,
+                "cluster_added": 1,
+                "cluster_modified": 0,
+                "cluster_removed": 0,
+                "warming_clusters": 0
+            },
+            "filesystem": {
+                "flushed_by_timer": 9,
+                "reopen_failed": 0,
+                "write_buffered": 85,
+                "write_completed": 18,
+                "write_total_buffered": 1306
+            },
+            "http2": {},
+            "listener_manager": {
+                "listener_added": 1,
+                "listener_create_failure": 0,
+                "listener_create_success": 12,
+                "listener_modified": 0,
+                "listener_removed": 0,
+                "total_listeners_active": 1,
+                "total_listeners_draining": 0,
+                "total_listeners_warming": 0
+            },
+            "runtime": {
+                "admin_overrides_active": 0,
+                "load_error": 0,
+                "load_success": 0,
+                "num_keys": 0,
+                "override_dir_exists": 0,
+                "override_dir_not_exists": 0
+            },
+            "server": {
+                "days_until_first_cert_expiring": 2147483647,
+                "hot_restart_epoch": 0,
+                "live": 1,
+                "memory_allocated": 3299760,
+                "memory_heap_size": 4194304,
+                "parent_connections": 0,
+                "total_connections": 0,
+                "uptime": 95,
+                "version": 4151803,
+                "watchdog_mega_miss": 0,
+                "watchdog_miss": 0
+            },
+            "stats": {
+                "overflow": 0
+            }
+        }
+    },
+    "event": {
+        "dataset": "envoyproxy.server",
+        "duration": 115000,
+        "module": "envoyproxy"
+    },
+    "metricset": {
+        "name": "server",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.18.0.2:9901",
+        "type": "envoyproxy"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-etcd-leader.md b/docs/reference/metricbeat/metricbeat-metricset-etcd-leader.md
new file mode 100644
index 000000000000..706918210b76
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-etcd-leader.md
@@ -0,0 +1,50 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-etcd-leader.html
+---
+
+# Etcd leader metricset [metricbeat-metricset-etcd-leader]
+
+This is the leader metricset of the module etcd. This metrics is being read from the Etcd V2 endpoint and won’t show any activity regarding Etcd V3.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_95]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-etcd.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "etcd": {
+        "api_version": "2",
+        "leader": {
+            "follower": {
+                "id": "5a22bdba1efc5b4a",
+                "latency":{
+                    "ms": 0.001494
+                },
+                "success_operations": 1248,
+                "failed_operations": 0,
+                "leader": "d3cf079af51fa9a8"
+            }
+        }
+    },
+    "event": {
+        "dataset": "etcd.leader",
+        "duration": 115000,
+        "module": "etcd"
+    },
+    "metricset": {
+        "name": "leader"
+    },
+    "service": {
+        "address": "127.0.0.1:2379",
+        "type": "etcd"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-etcd-metrics.md b/docs/reference/metricbeat/metricbeat-metricset-etcd-metrics.md
new file mode 100644
index 000000000000..a7a85081ed4f
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-etcd-metrics.md
@@ -0,0 +1,127 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-etcd-metrics.html
+---
+
+# Etcd metrics metricset [metricbeat-metricset-etcd-metrics]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the metrics endpoint metricset of the etcd module. This metrics is being read from the Etcd V3 endpoint and won’t show any activity regarding Etcd V2.
+
+## Fields [_fields_96]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-etcd.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "etcd": {
+        "api_version": "3",
+        "disk": {
+            "backend_commit_duration": {
+                "ns": {
+                    "bucket": {
+                        "+Inf": 7,
+                        "1000000": 5,
+                        "1024000000": 7,
+                        "128000000": 7,
+                        "16000000": 7,
+                        "2000000": 7,
+                        "2048000000": 7,
+                        "256000000": 7,
+                        "32000000": 7,
+                        "4000000": 7,
+                        "4096000000": 7,
+                        "512000000": 7,
+                        "64000000": 7,
+                        "8000000": 7,
+                        "8192000000": 7
+                    },
+                    "count": 7,
+                    "sum": 4332557
+                }
+            },
+            "mvcc_db_total_size": {
+                "bytes": 41369600
+            },
+            "wal_fsync_duration": {
+                "ns": {
+                    "bucket": {
+                        "+Inf": 3,
+                        "1000000": 0,
+                        "1024000000": 3,
+                        "128000000": 3,
+                        "16000000": 2,
+                        "2000000": 0,
+                        "2048000000": 3,
+                        "256000000": 3,
+                        "32000000": 3,
+                        "4000000": 0,
+                        "4096000000": 3,
+                        "512000000": 3,
+                        "64000000": 3,
+                        "8000000": 2,
+                        "8192000000": 3
+                    },
+                    "count": 3,
+                    "sum": 40943916.00000001
+                }
+            }
+        },
+        "memory": {
+            "go_memstats_alloc": {
+                "bytes": 9952840
+            }
+        },
+        "network": {
+            "client_grpc_received": {
+                "bytes": 0
+            },
+            "client_grpc_sent": {
+                "bytes": 0
+            }
+        },
+        "server": {
+            "grpc_handled": {
+                "count": 0
+            },
+            "grpc_started": {
+                "count": 0
+            },
+            "has_leader": 1,
+            "leader_changes": {
+                "count": 1
+            },
+            "proposals_committed": {
+                "count": 110024
+            },
+            "proposals_failed": {
+                "count": 0
+            },
+            "proposals_pending": {
+                "count": 0
+            }
+        }
+    },
+    "event": {
+        "dataset": "etcd",
+        "duration": 115000,
+        "module": "etcd"
+    },
+    "metricset": {
+        "name": "metrics"
+    },
+    "service": {
+        "address": "127.0.0.1:2379",
+        "type": "etcd"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-etcd-self.md b/docs/reference/metricbeat/metricbeat-metricset-etcd-self.md
new file mode 100644
index 000000000000..9e90ecb68f12
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-etcd-self.md
@@ -0,0 +1,64 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-etcd-self.html
+---
+
+# Etcd self metricset [metricbeat-metricset-etcd-self]
+
+This is the self metricset of the module etcd. This metrics is being read from the Etcd V2 endpoint and won’t show any activity regarding Etcd V3.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_97]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-etcd.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "etcd": {
+        "api_version": "2",
+        "self": {
+            "id": "8e9e05c52164694d",
+            "leaderinfo": {
+                "leader": "8e9e05c52164694d",
+                "starttime": "2019-03-25T18:00:33.457653099+01:00",
+                "uptime": "20.338096195s"
+            },
+            "name": "default",
+            "recv": {
+                "appendrequest": {
+                    "count": 0
+                },
+                "bandwidthrate": 0,
+                "pkgrate": 0
+            },
+            "send": {
+                "appendrequest": {
+                    "count": 0
+                },
+                "bandwidthrate": 0,
+                "pkgrate": 0
+            },
+            "starttime": "2019-03-25T18:00:32.755273186+01:00",
+            "state": "StateLeader"
+        }
+    },
+    "event": {
+        "dataset": "etcd.self",
+        "duration": 115000,
+        "module": "etcd"
+    },
+    "metricset": {
+        "name": "self"
+    },
+    "service": {
+        "address": "127.0.0.1:2379",
+        "type": "etcd"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-etcd-store.md b/docs/reference/metricbeat/metricbeat-metricset-etcd-store.md
new file mode 100644
index 000000000000..1e8276c6ac80
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-etcd-store.md
@@ -0,0 +1,73 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-etcd-store.html
+---
+
+# Etcd store metricset [metricbeat-metricset-etcd-store]
+
+This is the store metricset of the module etcd. This metrics is being read from the Etcd V2 endpoint and won’t show any activity regarding Etcd V3.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_98]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-etcd.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "etcd": {
+        "api_version": "2",
+        "store": {
+            "compareanddelete": {
+                "fail": 0,
+                "success": 0
+            },
+            "compareandswap": {
+                "fail": 0,
+                "success": 0
+            },
+            "create": {
+                "fail": 0,
+                "success": 1
+            },
+            "delete": {
+                "fail": 0,
+                "success": 0
+            },
+            "expire": {
+                "count": 0
+            },
+            "gets": {
+                "fail": 4,
+                "success": 2
+            },
+            "sets": {
+                "fail": 0,
+                "success": 12
+            },
+            "update": {
+                "fail": 0,
+                "success": 0
+            },
+            "watchers": 0
+        }
+    },
+    "event": {
+        "dataset": "etcd.store",
+        "duration": 115000,
+        "module": "etcd"
+    },
+    "metricset": {
+        "name": "store"
+    },
+    "service": {
+        "address": "127.0.0.1:2379",
+        "type": "etcd"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-gcp-billing.md b/docs/reference/metricbeat/metricbeat-metricset-gcp-billing.md
new file mode 100644
index 000000000000..3f487ea778b8
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-gcp-billing.md
@@ -0,0 +1,87 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-gcp-billing.html
+---
+
+# Google Cloud Platform billing metricset [metricbeat-metricset-gcp-billing]
+
+`billing` metricset is designed for collecting billing metrics from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export standard and detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis using Metricbeat. Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data.
+
+In BigQuery, Google Cloud daily cost data is categorized into two formats: standard and detailed. Each format is stored within a designated dataset and follows a structured schema for precise cost analysis. For a comprehensive understanding of these formats, consult the [ standard](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables/standard-usage#standard-usage-cost-data-schema) and [ detailed](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables/detailed-usage#detailed-usage-cost-data-schema) data schema documentation.
+
+For standard usage cost data, set the table pattern format to `gcp_billing_export_v1`. This table pattern is set as the default when no other is specified.
+
+For detailed usage cost data, set the table pattern to `gcp_billing_export_resource_v1`. Detailed tables include the standard fields and additional fields, such as `effective_price`, enabling a more granular view of expenses.
+
+
+## Metricset-specific configuration notes [_metricset_specific_configuration_notes_12]
+
+* **dataset_id**: (Required) Dataset ID that points to the top-level container which contains the actual billing tables.
+* **table_pattern**: (Optional) Daily cost detail billing table name prefix. Default to `gcp_billing_export_v1`.
+* **cost_type**: (Optional) The type of cost this line item represents: regular, tax, adjustment, or rounding error. Default to `regular`.
+
+
+## Configuration example [_configuration_example_20]
+
+```yaml
+- module: gcp
+  metricsets:
+    - billing
+  period: 24h
+  project_id: "your project id"
+  credentials_file_path: "your JSON credentials file path"
+  dataset_id: "dataset id"
+  table_pattern: "table pattern"
+  cost_type: "regular"
+```
+
+## Fields [_fields_99]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-gcp.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "cloud.account.id": "01475F-5B1080-1137E7",
+    "cloud.project.id": "elastic-bi",
+    "cloud.project.name": "elastic-containerlib-prod",
+    "cloud.provider": "gcp",
+    "event": {
+        "dataset": "gcp.billing",
+        "duration": 115000,
+        "module": "gcp"
+    },
+    "gcp": {
+        "billing": {
+            "billing_account_id": "01475F-5B1080-1137E7",
+            "cost_type": "regular",
+            "invoice_month": "202106",
+            "project_id": "containerlib-prod-12763",
+            "project_name": "elastic-containerlib-prod",
+            "total": 4717.170681,
+            "sku_id": "0D56-2F80-52A5",
+            "service_id": "6F81-5844-456A",
+            "sku_description": "Network Inter Region Ingress from Jakarta to Americas",
+            "service_description": "Compute Engine",
+            "effective_price": 0.00292353,
+            "tags": [
+                {
+                    "key": "size",
+                    "value": "standard"
+                }
+            ]
+        }
+    },
+    "metricset": {
+        "name": "billing",
+        "period": 10000
+    },
+    "service": {
+        "type": "gcp"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-gcp-carbon.md b/docs/reference/metricbeat/metricbeat-metricset-gcp-carbon.md
new file mode 100644
index 000000000000..ba9eeb98b404
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-gcp-carbon.md
@@ -0,0 +1,78 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-gcp-carbon.html
+---
+
+# Google Cloud Platform carbon metricset [metricbeat-metricset-gcp-carbon]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The `carbon` metricset is designed to collect Carbon Footprint data from GCP BigQuery monthly cost detail table. BigQuery is a fully-managed, serverless data warehouse.
+
+Cloud Carbon export to BigQuery enables you to export detailed Google Cloud carbon footprint data (such as carbon produced by tier and service) automatically throughout the month to a BigQuery dataset that you specify. Then you can access your Cloud Carbon data from BigQuery for detailed analysis using Metricbeat. Please see [export carbon footprint data to BigQuery](https://cloud.google.com/carbon-footprint/docs/export) for more details on how to export carbon footprint data.
+
+
+## Metricset-specific configuration notes [_metricset_specific_configuration_notes_13]
+
+* **dataset_id**: (Required) Dataset ID that points to the top-level container which contains the actual carbon footprint tables.
+* **table_pattern**: (Optional) The name of the table where carbon footprint data is stored. Default to `carbon_footprint`.
+
+
+## Configuration example [_configuration_example_21]
+
+```yaml
+- module: gcp
+  metricsets:
+    - carbon
+  period: 24h
+  project_id: "your project id"
+  credentials_file_path: "your JSON credentials file path"
+  dataset_id: "dataset id"
+  table_name: "table name"
+```
+
+## Fields [_fields_100]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-gcp.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+  "@timestamp": "2017-10-12T08:05:34.853Z",
+    "cloud.account.id": "01475F-5B1080-1137E7",
+    "cloud.project.id": "elastic-bi",
+    "cloud.project.name": "elastic-containerlib-prod",
+    "cloud.provider": "gcp",
+    "event": {
+      "dataset": "gcp.carbon",
+      "duration": 115000,
+      "module": "gcp"
+    },
+    "gcp": {
+      "carbon": {
+        "project_id": "containerlib-prod-12763",
+        "project_name": "elastic-containerlib-prod",
+        "service_id": "24E6-581D-38E5",
+        "service_description": "BigQuery",
+        "footprint.scope1":          4.044,
+        "footprint.scope2.location": 1.797,
+        "footprint.scope2.market":   null,
+        "footprint.scope3":          2.337,
+        "footprint.offsets":         null
+      }
+    },
+    "metricset": {
+      "name": "carbon",
+      "period": 10000
+    },
+    "service": {
+      "type": "gcp"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-gcp-compute.md b/docs/reference/metricbeat/metricbeat-metricset-gcp-compute.md
new file mode 100644
index 000000000000..187f0265f610
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-gcp-compute.md
@@ -0,0 +1,123 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-gcp-compute.html
+---
+
+# Google Cloud Platform compute metricset [metricbeat-metricset-gcp-compute]
+
+Compute metricset to fetch metrics from [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. No Monitoring or Logging agent is required in your instances to use this metricset.
+
+The `compute` metricset contains all metrics exported from the [Stackdriver API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute). The field names are aligned to [Beats naming conventions](/extend/event-conventions.md) with minor modifications to their GCP metrics name counterpart.
+
+Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels.
+
+
+## Labels [_labels]
+
+Here is a list of labels collected by `compute` metricset depending on the type of metric being collected:
+
+* `instance_name`: The name of the VM instance. Collected with:
+
+    * `gcp.instance.firewall.*`
+    * `gcp.instance.cpu.*`
+    * `gcp.instance.disk.*`
+    * `gcp.instance.memory.*`
+    * `gcp.instance.network.*`
+    * `gcp.instance.uptime`
+
+* `device_name`: The name of the disk device. Collected with:
+
+    * `gcp.instance.disk.*`
+
+* `storage_type`: The storage type: `pd-standard`, `pd-ssd`, or `local-ssd`. Collected with:
+
+    * `gcp.instance.disk.*`
+
+* `device_type`: The disk type: `ephemeral` or `permanent`. Collected with:
+
+    * `gcp.instance.disk.*`
+
+* `loadBalanced`: Whether traffic was sent from an L3 loadbalanced IP address assigned to the VM. Traffic that is externally routed from the VM’s standard internal or external IP address, such as L7 loadbalanced traffic, is not considered to be loadbalanced in this metric. Collected with:
+
+    * `gcp.instance.network.*`
+
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_101]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-gcp.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "cloud": {
+        "account": {
+            "id": "elastic-observability",
+            "name": "elastic-observability"
+        },
+        "instance": {
+            "id": "1113015278728017638",
+            "name": "gke-apm-ci-k8s-cluster-pool-2-e8852348-58mx"
+        },
+        "provider": "gcp",
+        "availability_zone": "us-central1-a",
+        "region": "us-central1"
+    },
+    "event": {
+        "dataset": "gcp.compute",
+        "duration": 115000,
+        "module": "gcp"
+    },
+    "gcp": {
+        "compute": {
+            "instance": {
+                "disk": {
+                    "read_bytes_count": {
+                        "value": 989296850
+                    },
+                    "read_ops_count": {
+                        "value": 14862
+                    },
+                    "write_bytes_count": {
+                        "value": 1323095
+                    },
+                    "write_ops_count": {
+                        "value": 105
+                    }
+                }
+            }
+        },
+        "labels": {
+            "metrics": {
+                "device_name": "gke-apm-ci-k8s-cluster-pool-2-e8852348-58mx",
+                "device_type": "permanent",
+                "storage_type": "pd-standard"
+            }
+        }
+    },
+    "host": {
+        "disk": {
+            "read": {
+                "bytes": 989296850
+            },
+            "write": {
+                "bytes": 1323095
+            }
+        },
+        "id": "1113015278728017638",
+        "name": "gke-apm-ci-k8s-cluster-pool-2-e8852348-58mx"
+    },
+    "metricset": {
+        "name": "compute",
+        "period": 10000
+    },
+    "service": {
+        "type": "gcp"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-gcp-dataproc.md b/docs/reference/metricbeat/metricbeat-metricset-gcp-dataproc.md
new file mode 100644
index 000000000000..29cf660afef3
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-gcp-dataproc.md
@@ -0,0 +1,64 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-gcp-dataproc.html
+---
+
+# Google Cloud Platform dataproc metricset [metricbeat-metricset-gcp-dataproc]
+
+Dataproc metricset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform.
+
+The `dataproc` metricset contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc). The field names are aligned to [Beats naming conventions](/extend/event-conventions.md) with minor modifications to their GCP metrics name counterpart.
+
+You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, metrics are returned from all buckets.
+
+## Fields [_fields_102]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-gcp.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2016-05-23T08:05:34.853Z",
+    "cloud": {
+        "account": {
+            "id": "elastic-apm"
+        },
+        "provider": "gcp"
+    },
+    "event": {
+        "dataset": "gcp.dataproc",
+        "duration": 115000,
+        "module": "gcp"
+    },
+    "gcp": {
+        "labels": {
+            "metrics": {
+                "storage_class": "MULTI_REGIONAL"
+            },
+            "resource": {
+                "bucket_name": "artifacts.elastic-apm.appspot.com",
+                "location": "us"
+            }
+        },
+        "dataproc": {
+            "cluster": {
+                "hdfs": {
+                    "datanodes": {
+                        "value": 15
+                    }
+                }
+            }
+        }
+    },
+    "metricset": {
+        "name": "dataproc",
+        "period": 10000
+    },
+    "service": {
+        "type": "gcp"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-gcp-firestore.md b/docs/reference/metricbeat/metricbeat-metricset-gcp-firestore.md
new file mode 100644
index 000000000000..4efc5be79a71
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-gcp-firestore.md
@@ -0,0 +1,62 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-gcp-firestore.html
+---
+
+# Google Cloud Platform firestore metricset [metricbeat-metricset-gcp-firestore]
+
+Firestore metricset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform.
+
+The `firestore` metricset contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore). The field names are aligned to [Beats naming conventions](/extend/event-conventions.md) with minor modifications to their GCP metrics name counterpart.
+
+You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, metrics are returned from all buckets.
+
+## Fields [_fields_103]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-gcp.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2016-05-23T08:05:34.853Z",
+    "cloud": {
+        "account": {
+            "id": "elastic-apm"
+        },
+        "provider": "gcp"
+    },
+    "event": {
+        "dataset": "gcp.firestore",
+        "duration": 115000,
+        "module": "gcp"
+    },
+    "gcp": {
+        "labels": {
+            "metrics": {
+                "storage_class": "MULTI_REGIONAL"
+            },
+            "resource": {
+                "bucket_name": "artifacts.elastic-apm.appspot.com",
+                "location": "us"
+            }
+        },
+        "firestore": {
+            "document": {
+                "delete_count": {
+                    "value": 15
+                }
+            }
+        }
+    },
+    "metricset": {
+        "name": "firestore",
+        "period": 10000
+    },
+    "service": {
+        "type": "gcp"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-gcp-gke.md b/docs/reference/metricbeat/metricbeat-metricset-gcp-gke.md
new file mode 100644
index 000000000000..793e5953dc4b
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-gcp-gke.md
@@ -0,0 +1,38 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-gcp-gke.html
+---
+
+# Google Cloud Platform gke metricset [metricbeat-metricset-gcp-gke]
+
+`gke` metricset is designed for collecting metrics from [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine). Google Cloud Monitoring supports Google Kubernetes Engine metrics, as listed in [Google Cloud Monitoring Kubernetes metrics](https://cloud.google.com/monitoring/api/metrics_kubernetes).
+
+This metricset collects all GA Kubernetes metrics from Google Cloud Monitoring APIs. It leverages under the hood the `metrics` metricset. The field names are aligned to [Beats naming conventions](/extend/event-conventions.md) with minor modifications to their GCP metrics name counterpart.
+
+We recommend users to define `period: 1m` for this metricset because in Google Cloud, GKE monitoring metrics are sampled every 60 seconds. Some of the metrics have an ingest delay up to 240 seconds.
+
+
+## Metricset-specific configuration notes [_metricset_specific_configuration_notes_14]
+
+None
+
+
+## Configuration example [_configuration_example_22]
+
+```yaml
+- module: gcp
+  metricsets:
+    - gke
+  project_id: "your project id"
+  credentials_file_path: "your JSON credentials file path"
+  exclude_labels: false
+  period: 1m
+```
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_104]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-gcp.md) section.
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-gcp-loadbalancing.md b/docs/reference/metricbeat/metricbeat-metricset-gcp-loadbalancing.md
new file mode 100644
index 000000000000..2c60147f9df5
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-gcp-loadbalancing.md
@@ -0,0 +1,73 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-gcp-loadbalancing.html
+---
+
+# Google Cloud Platform loadbalancing metricset [metricbeat-metricset-gcp-loadbalancing]
+
+Load Balancing metricset fetches metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform.
+
+The `loadbalancing` metricset contains all metrics exported from the [Stackdriver API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing). The field names are aligned to [Beats naming conventions](/extend/event-conventions.md) with minor modifications to their GCP metrics name counterpart.
+
+## Fields [_fields_105]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-gcp.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "cloud": {
+        "account": {
+            "id": "elastic-observability"
+        },
+        "provider": "gcp"
+    },
+    "event": {
+        "dataset": "gcp.loadbalancing",
+        "duration": 115000,
+        "module": "gcp"
+    },
+    "gcp": {
+        "labels": {
+            "metrics": {
+                "client_network": "ocp-be-c5kjr-network",
+                "client_subnetwork": "ocp-be-c5kjr-worker-subnet",
+                "client_zone": "us-central1-a"
+            },
+            "resource": {
+                "backend_name": "ocp-be-c5kjr-master-us-central1-a",
+                "backend_scope": "us-central1-a",
+                "backend_scope_type": "ZONE",
+                "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet",
+                "backend_target_name": "ocp-be-c5kjr-api-internal",
+                "backend_target_type": "BACKEND_SERVICE",
+                "backend_type": "INSTANCE_GROUP",
+                "forwarding_rule_name": "ocp-be-c5kjr-api-internal",
+                "load_balancer_name": "ocp-be-c5kjr-api-internal",
+                "network_name": "ocp-be-c5kjr-network",
+                "region": "us-central1"
+            }
+        },
+        "loadbalancing": {
+            "l3": {
+                "internal": {
+                    "egress_packets_count": {
+                        "value": 0
+                    }
+                }
+            }
+        }
+    },
+    "metricset": {
+        "name": "loadbalancing",
+        "period": 10000
+    },
+    "service": {
+        "type": "gcp"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-gcp-metrics.md b/docs/reference/metricbeat/metricbeat-metricset-gcp-metrics.md
new file mode 100644
index 000000000000..1f93cd811aff
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-gcp-metrics.md
@@ -0,0 +1,162 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-gcp-metrics.html
+---
+
+# Google Cloud Platform metrics metricset [metricbeat-metricset-gcp-metrics]
+
+Operations monitoring provides visibility into the performance, uptime, and overall health of cloud-powered applications. It collects metrics, events, and metadata from different services from Google Cloud. This metricset is to collect monitoring metrics from Google Cloud using `ListTimeSeries` API. The full list of metric types that Google Cloud monitoring supports can be found in [Google Cloud Metrics](https://cloud.google.com/monitoring/api/metrics_gcp#gcp).
+
+Each monitoring metric from Google Cloud has a sample period and/or ingest delay. Sample period is the time interval between consecutive data points for metrics that are written periodically. Ingest delay represents the time for data points older than this value are guaranteed to be available to read. Sample period and ingest delay are obtained from making [ListMetricDescriptors API](https://cloud.google.com/monitoring/api/ref_v3/rest/v3/projects.metricDescriptors/list) call.
+
+
+## Metricset config and parameters [_metricset_config_and_parameters]
+
+* **aligner**: A single string with which aggregation operation need to be applied onto time series data for ListTimeSeries API. If it’s not given, default aligner is `ALIGN_NONE`. Google Cloud also supports `ALIGN_DELTA`, `ALIGN_RATE`, `ALIGN_MIN`, `ALIGN_MAX`, `ALIGN_MEAN`, `ALIGN_COUNT`, `ALIGN_SUM` etc. Please see [Aggregation Aligner](https://cloud.google.com/monitoring/api/ref_v3/rpc/google.monitoring.v3#aligner) for the full list of aligners.
+* **metric_types**: Required, a list of metric type strings, or a list of metric type prefixes. For example, `instance/cpu` is the prefix for metric type `instance/cpu/usage_time`, `instance/cpu/utilization` etc Each call of the `ListTimeSeries` API can return any number of time series from a single metric type. Metric type is to used for identifying a specific time series.
+* **service**: Required, the name of the service for related metrics. This should be a valid Google Cloud service name. Service names may be viewed from the corresponding page from [GCP Metrics list documentation](https://cloud.google.com/monitoring/api/metrics). The `service` field is used to compute the GCP Metric prefix, unless `service_metric_prefix` is set.
+* **service_metric_prefix**: A string containing the full Metric prefix as specified in the GCP documentation. All metrics from GCP Monitoring API require a prefix. When `service_metric_prefix` is empty, the prefix default to a value computed using the `service` value: `<service>.googleapis.com/`. This default works for any services under "Google Cloud metrics", but does not work for other services (`kubernetes` aka GKE for example). This option allow to override the default and specify an arbitrary metric prefix.
+* **location_label**: Use this option to specify the resource label that identifies the location (such as zone or region) for a Google Cloud service when filtering metrics. For example, labels like `resource.label.location` or `resource.label.zone` are used by Google Cloud to represent the region or zone of a resource. This is an optional configuration for the user.
+
+
+## Example Configuration [_example_configuration_26]
+
+* `metrics` metricset is enabled to collect metrics from all zones under `europe-west1-c` region in `elastic-observability` project. Two sets of metrics are specified: first one is to collect CPU usage time and utilization with aggregation aligner ALIGN_MEAN; second one is to collect uptime with aggregation aligner ALIGN_SUM. These metric types all have 240 seconds ingest delay time and 60 seconds sample period. With `period` specified as `300s` in the config below, Metricbeat will collect compute metrics from Google Cloud every 5-minute with given aggregation aligner applied for each metric type.
+
+    ```yaml
+    - module: gcp
+      metricsets:
+        - metrics
+      zone: "europe-west1-c"
+      project_id: elastic-observability
+      credentials_file_path: "your JSON credentials file path"
+      exclude_labels: false
+      period: 300s
+      metrics:
+        - aligner: ALIGN_MEAN
+          service: compute
+          metric_types:
+            - "instance/cpu/usage_time"
+            - "instance/cpu/utilization"
+        - aligner: ALIGN_SUM
+          service: compute
+          metric_types:
+            - "instance/uptime"
+    ```
+
+* `metrics` metricset is enabled to collect metrics from all zones under `europe-west1-c` region in `elastic-observability` project. Two sets of metrics are specified: first one is to collect CPU usage time and utilization with aggregation aligner ALIGN_MEAN; second one is to collect uptime with aggregation aligner ALIGN_SUM. These metric types all have 240 seconds ingest delay time and 60 seconds sample period. With `period` specified as `60s` in the config below, Metricbeat will collect compute metrics from Google Cloud every minute with no aggregation. This case, the aligners specified in the configuration will be ignored.
+
+    ```yaml
+    - module: gcp
+      metricsets:
+        - metrics
+      zone: "europe-west1-c"
+      project_id: elastic-observability
+      credentials_file_path: "your JSON credentials file path"
+      exclude_labels: false
+      period: 60s
+      metrics:
+        - aligner: ALIGN_MEAN
+          service: compute
+          metric_types:
+            - "instance/cpu/usage_time"
+            - "instance/cpu/utilization"
+        - aligner: ALIGN_SUM
+          service: compute
+          metric_types:
+            - "instance/uptime"
+    ```
+
+* `metrics` metricset is enabled to collect metrics from all zones under `europe-west1-c` region in `elastic-observability` project. One set of metrics will be collected: core usage time for containers in GCP GKE. Note that the is required to use `service_metric_prefix` to override the default metric prefix, as for GKE metrics the required prefix is `kubernetes.io/`
+
+    ```yaml
+    - module: gcp
+      metricsets:
+        - metrics
+      zone: "europe-west1-c"
+      project_id: elastic-observability
+      credentials_file_path: "your JSON credentials file path"
+      exclude_labels: false
+      period: 1m
+      metrics:
+        - service: gke
+          service_metric_prefix: kubernetes.io/
+          metric_types:
+            - "container/cpu/core_usage_time"
+    ```
+
+* `metrics` metricset is enabled to collect metrics from region `us-east4` in `elastic-observability` project. The metric, number of replicas of the prediction model is collected from a new GCP service `aiplatform`. Since its a new service which is not supported by default in this metricset, the user provides the servicelabel (resource.label.location), for which user wants to filter the incoming data
+
+    ```yaml
+    - module: gcp
+      metricsets:
+        - metrics
+      project_id: "elastic-observability"
+      credentials_json: "your JSON credentials"
+      exclude_labels: false
+      period: 1m
+      location_label: "resource.label.location" # This is an optional configuration
+      regions:
+      - us-east4
+      metrics:
+        - service: aiplatform
+          metric_types:
+              - "prediction/online/replicas"
+    ```
+
+
+## Fields [_fields_106]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-gcp.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "cloud": {
+        "account": {
+            "id": "elastic-observability",
+            "name": "elastic-observability"
+        },
+        "instance": {
+            "id": "4049989596327614796",
+            "name": "nchaulet-loadtest-horde-master"
+        },
+        "machine": {
+            "type": "n1-standard-8"
+        },
+        "provider": "gcp"
+    },
+    "cloud.availability_zone": "us-central1-a",
+    "cloud.region": "us-central1",
+    "event": {
+        "dataset": "gcp.metrics",
+        "duration": 115000,
+        "module": "gcp"
+    },
+    "gcp": {
+        "labels": {},
+        "metrics": {
+            "instance": {
+                "uptime_total": {
+                    "value": 791820
+                }
+            }
+        }
+    },
+    "host": {
+        "id": "4049989596327614796",
+        "name": "nchaulet-loadtest-horde-master"
+    },
+    "metricset": {
+        "name": "metrics",
+        "period": 10000
+    },
+    "service": {
+        "type": "gcp"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-gcp-pubsub.md b/docs/reference/metricbeat/metricbeat-metricset-gcp-pubsub.md
new file mode 100644
index 000000000000..9b630cc5c7ab
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-gcp-pubsub.md
@@ -0,0 +1,60 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-gcp-pubsub.html
+---
+
+# Google Cloud Platform pubsub metricset [metricbeat-metricset-gcp-pubsub]
+
+PubSub metricsetf fetches metrics from [Pub/Sub](https://cloud.google.com/pubsub/) topics and subscriptions in Google Cloud Platform.
+
+The `pubsub` metricset contains all GA stage metrics exported from the [Stackdriver API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub). The field names are aligned to [Beats naming conventions](/extend/event-conventions.md) with minor modifications to their GCP metrics name counterpart.
+
+No special permissions are needed apart from the ones detailed in the module section of the docs.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_107]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-gcp.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "cloud": {
+        "account": {
+            "id": "elastic-observability"
+        },
+        "provider": "gcp"
+    },
+    "event": {
+        "dataset": "gcp.pubsub",
+        "duration": 115000,
+        "module": "gcp"
+    },
+    "gcp": {
+        "labels": {
+            "resource": {
+                "subscription_id": "test-subscription-1"
+            }
+        },
+        "pubsub": {
+            "subscription": {
+                "backlog_bytes": {
+                    "value": 0
+                }
+            }
+        }
+    },
+    "metricset": {
+        "name": "pubsub",
+        "period": 10000
+    },
+    "service": {
+        "type": "gcp"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-gcp-storage.md b/docs/reference/metricbeat/metricbeat-metricset-gcp-storage.md
new file mode 100644
index 000000000000..165ba35f2e80
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-gcp-storage.md
@@ -0,0 +1,62 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-gcp-storage.html
+---
+
+# Google Cloud Platform storage metricset [metricbeat-metricset-gcp-storage]
+
+Storage metricset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform.
+
+The `storage` metricset contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage). The field names are aligned to [Beats naming conventions](/extend/event-conventions.md) with minor modifications to their GCP metrics name counterpart.
+
+You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, metrics are returned from all buckets.
+
+## Fields [_fields_108]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-gcp.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "cloud": {
+        "account": {
+            "id": "elastic-apm"
+        },
+        "provider": "gcp"
+    },
+    "event": {
+        "dataset": "gcp.storage",
+        "duration": 115000,
+        "module": "gcp"
+    },
+    "gcp": {
+        "labels": {
+            "metrics": {
+                "storage_class": "MULTI_REGIONAL"
+            },
+            "resource": {
+                "bucket_name": "artifacts.elastic-apm.appspot.com",
+                "location": "us"
+            }
+        },
+        "storage": {
+            "storage": {
+                "object_count": {
+                    "value": 15
+                }
+            }
+        }
+    },
+    "metricset": {
+        "name": "storage",
+        "period": 10000
+    },
+    "service": {
+        "type": "gcp"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-golang-expvar.md b/docs/reference/metricbeat/metricbeat-metricset-golang-expvar.md
new file mode 100644
index 000000000000..0c674e19d52e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-golang-expvar.md
@@ -0,0 +1,972 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-golang-expvar.html
+---
+
+# Golang expvar metricset [metricbeat-metricset-golang-expvar]
+
+This is the `expvar` metricset of the Golang module. Go can expose its variables by the expvar API. With this metricset, you can collect all the expvar-exposed variables.
+
+## Fields [_fields_109]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-golang.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "dataset": "golang.metricbeat",
+        "duration": 115000,
+        "module": "golang"
+    },
+    "golang": {
+        "metricbeat": {
+            "beat.cpu.system.ticks": 166690,
+            "beat.cpu.system.time.ms": 166690,
+            "beat.cpu.total.ticks": 292490,
+            "beat.cpu.total.time.ms": 292490,
+            "beat.cpu.total.value": 292490,
+            "beat.cpu.user.ticks": 125800,
+            "beat.cpu.user.time.ms": 125800,
+            "beat.handles.limit.hard": 1048576,
+            "beat.handles.limit.soft": 1048576,
+            "beat.handles.open": 7,
+            "beat.info.ephemeral_id": "ed780330-bb9e-4e3c-aa77-1d943026f757",
+            "beat.info.uptime.ms": 87848990,
+            "beat.memstats.gc_next": 52327904,
+            "beat.memstats.memory_alloc": 26333672,
+            "beat.memstats.memory_total": 24294102600,
+            "beat.memstats.rss": 87486464,
+            "cmdline": "metricbeat --httpprof :6060 -e",
+            "libbeat.config.module.running": 0,
+            "libbeat.config.module.starts": 0,
+            "libbeat.config.module.stops": 0,
+            "libbeat.config.reloads": 1,
+            "libbeat.output.events.acked": 0,
+            "libbeat.output.events.active": 0,
+            "libbeat.output.events.batches": 0,
+            "libbeat.output.events.dropped": 0,
+            "libbeat.output.events.duplicates": 0,
+            "libbeat.output.events.failed": 0,
+            "libbeat.output.events.total": 0,
+            "libbeat.output.read.bytes": 0,
+            "libbeat.output.read.errors": 0,
+            "libbeat.output.type": "elasticsearch",
+            "libbeat.output.write.bytes": 0,
+            "libbeat.output.write.errors": 0,
+            "libbeat.pipeline.clients": 6,
+            "libbeat.pipeline.events.active": 4119,
+            "libbeat.pipeline.events.dropped": 0,
+            "libbeat.pipeline.events.failed": 0,
+            "libbeat.pipeline.events.filtered": 75,
+            "libbeat.pipeline.events.published": 4116,
+            "libbeat.pipeline.events.retry": 18561,
+            "libbeat.pipeline.events.total": 4194,
+            "libbeat.pipeline.queue.acked": 0,
+            "memstats": {
+                "Alloc": 26413208,
+                "BuckHashSys": 1844227,
+                "BySize": [
+                    {
+                        "Frees": 0,
+                        "Mallocs": 0,
+                        "Size": 0
+                    },
+                    {
+                        "Frees": 2260008,
+                        "Mallocs": 2260217,
+                        "Size": 8
+                    },
+                    {
+                        "Frees": 29751860,
+                        "Mallocs": 29792623,
+                        "Size": 16
+                    },
+                    {
+                        "Frees": 65505746,
+                        "Mallocs": 65517841,
+                        "Size": 32
+                    },
+                    {
+                        "Frees": 8254470,
+                        "Mallocs": 8318036,
+                        "Size": 48
+                    },
+                    {
+                        "Frees": 1030928,
+                        "Mallocs": 1031481,
+                        "Size": 64
+                    },
+                    {
+                        "Frees": 4787005,
+                        "Mallocs": 4788157,
+                        "Size": 80
+                    },
+                    {
+                        "Frees": 721021,
+                        "Mallocs": 722436,
+                        "Size": 96
+                    },
+                    {
+                        "Frees": 3417396,
+                        "Mallocs": 3417608,
+                        "Size": 112
+                    },
+                    {
+                        "Frees": 1306499,
+                        "Mallocs": 1308337,
+                        "Size": 128
+                    },
+                    {
+                        "Frees": 416707,
+                        "Mallocs": 416725,
+                        "Size": 144
+                    },
+                    {
+                        "Frees": 87880,
+                        "Mallocs": 88025,
+                        "Size": 160
+                    },
+                    {
+                        "Frees": 166727,
+                        "Mallocs": 166750,
+                        "Size": 176
+                    },
+                    {
+                        "Frees": 4953,
+                        "Mallocs": 4963,
+                        "Size": 192
+                    },
+                    {
+                        "Frees": 4291495,
+                        "Mallocs": 4291665,
+                        "Size": 208
+                    },
+                    {
+                        "Frees": 79970,
+                        "Mallocs": 79975,
+                        "Size": 224
+                    },
+                    {
+                        "Frees": 90,
+                        "Mallocs": 109,
+                        "Size": 240
+                    },
+                    {
+                        "Frees": 165264,
+                        "Mallocs": 165303,
+                        "Size": 256
+                    },
+                    {
+                        "Frees": 3687232,
+                        "Mallocs": 3747894,
+                        "Size": 288
+                    },
+                    {
+                        "Frees": 171547,
+                        "Mallocs": 171570,
+                        "Size": 320
+                    },
+                    {
+                        "Frees": 242992,
+                        "Mallocs": 243050,
+                        "Size": 352
+                    },
+                    {
+                        "Frees": 9,
+                        "Mallocs": 252,
+                        "Size": 384
+                    },
+                    {
+                        "Frees": 256328,
+                        "Mallocs": 256350,
+                        "Size": 416
+                    },
+                    {
+                        "Frees": 3,
+                        "Mallocs": 6,
+                        "Size": 448
+                    },
+                    {
+                        "Frees": 1352,
+                        "Mallocs": 1357,
+                        "Size": 480
+                    },
+                    {
+                        "Frees": 1847711,
+                        "Mallocs": 1847744,
+                        "Size": 512
+                    },
+                    {
+                        "Frees": 332390,
+                        "Mallocs": 333359,
+                        "Size": 576
+                    },
+                    {
+                        "Frees": 1248,
+                        "Mallocs": 1308,
+                        "Size": 640
+                    },
+                    {
+                        "Frees": 317,
+                        "Mallocs": 323,
+                        "Size": 704
+                    },
+                    {
+                        "Frees": 8,
+                        "Mallocs": 8,
+                        "Size": 768
+                    },
+                    {
+                        "Frees": 754677,
+                        "Mallocs": 754702,
+                        "Size": 896
+                    },
+                    {
+                        "Frees": 4269,
+                        "Mallocs": 4289,
+                        "Size": 1024
+                    },
+                    {
+                        "Frees": 85001,
+                        "Mallocs": 85471,
+                        "Size": 1152
+                    },
+                    {
+                        "Frees": 250196,
+                        "Mallocs": 250219,
+                        "Size": 1280
+                    },
+                    {
+                        "Frees": 158,
+                        "Mallocs": 163,
+                        "Size": 1408
+                    },
+                    {
+                        "Frees": 1829948,
+                        "Mallocs": 1829970,
+                        "Size": 1536
+                    },
+                    {
+                        "Frees": 503683,
+                        "Mallocs": 503710,
+                        "Size": 1792
+                    },
+                    {
+                        "Frees": 8355,
+                        "Mallocs": 8387,
+                        "Size": 2048
+                    },
+                    {
+                        "Frees": 329669,
+                        "Mallocs": 329681,
+                        "Size": 2304
+                    },
+                    {
+                        "Frees": 72,
+                        "Mallocs": 85,
+                        "Size": 2688
+                    },
+                    {
+                        "Frees": 158,
+                        "Mallocs": 162,
+                        "Size": 3072
+                    },
+                    {
+                        "Frees": 3,
+                        "Mallocs": 6,
+                        "Size": 3200
+                    },
+                    {
+                        "Frees": 2,
+                        "Mallocs": 2,
+                        "Size": 3456
+                    },
+                    {
+                        "Frees": 1507173,
+                        "Mallocs": 1507210,
+                        "Size": 4096
+                    },
+                    {
+                        "Frees": 330041,
+                        "Mallocs": 330045,
+                        "Size": 4864
+                    },
+                    {
+                        "Frees": 517,
+                        "Mallocs": 524,
+                        "Size": 5376
+                    },
+                    {
+                        "Frees": 81071,
+                        "Mallocs": 81079,
+                        "Size": 6144
+                    },
+                    {
+                        "Frees": 774,
+                        "Mallocs": 774,
+                        "Size": 6528
+                    },
+                    {
+                        "Frees": 595,
+                        "Mallocs": 595,
+                        "Size": 6784
+                    },
+                    {
+                        "Frees": 332,
+                        "Mallocs": 332,
+                        "Size": 6912
+                    },
+                    {
+                        "Frees": 4708,
+                        "Mallocs": 4711,
+                        "Size": 8192
+                    },
+                    {
+                        "Frees": 84398,
+                        "Mallocs": 84403,
+                        "Size": 9472
+                    },
+                    {
+                        "Frees": 902,
+                        "Mallocs": 902,
+                        "Size": 9728
+                    },
+                    {
+                        "Frees": 69178,
+                        "Mallocs": 69179,
+                        "Size": 10240
+                    },
+                    {
+                        "Frees": 9,
+                        "Mallocs": 12,
+                        "Size": 10880
+                    },
+                    {
+                        "Frees": 0,
+                        "Mallocs": 0,
+                        "Size": 12288
+                    },
+                    {
+                        "Frees": 0,
+                        "Mallocs": 0,
+                        "Size": 13568
+                    },
+                    {
+                        "Frees": 0,
+                        "Mallocs": 8,
+                        "Size": 14336
+                    },
+                    {
+                        "Frees": 14,
+                        "Mallocs": 14,
+                        "Size": 16384
+                    },
+                    {
+                        "Frees": 68815,
+                        "Mallocs": 68816,
+                        "Size": 18432
+                    },
+                    {
+                        "Frees": 1,
+                        "Mallocs": 6,
+                        "Size": 19072
+                    }
+                ],
+                "DebugGC": false,
+                "EnableGC": true,
+                "Frees": 144376316,
+                "GCCPUFraction": 0.00003517968356283283,
+                "GCSys": 2236416,
+                "HeapAlloc": 26413208,
+                "HeapIdle": 20283392,
+                "HeapInuse": 32210944,
+                "HeapObjects": 185078,
+                "HeapReleased": 0,
+                "HeapSys": 52494336,
+                "LastGC": 1551819055172012300,
+                "Lookups": 4343732,
+                "MCacheInuse": 6944,
+                "MCacheSys": 16384,
+                "MSpanInuse": 735072,
+                "MSpanSys": 884736,
+                "Mallocs": 144561394,
+                "NextGC": 52327904,
+                "NumForcedGC": 0,
+                "NumGC": 1087,
+                "OtherSys": 804085,
+                "PauseEnd": [
+                    1551813673522095000,
+                    1551813760290548700,
+                    1551813847190622500,
+                    1551813934200350700,
+                    1551814019721081600,
+                    1551814106939931400,
+                    1551814194787569000,
+                    1551814281548459800,
+                    1551814368492396500,
+                    1551814454527853800,
+                    1551814542119804000,
+                    1551814629649751800,
+                    1551814716395951800,
+                    1551814804210529500,
+                    1551814890615334400,
+                    1551814978246175000,
+                    1551815065421775600,
+                    1551815153390955800,
+                    1551815240459785200,
+                    1551815326193419800,
+                    1551815413860383500,
+                    1551815501772679700,
+                    1551815588006216400,
+                    1551815675091119800,
+                    1551815761793016300,
+                    1551815849517625000,
+                    1551815935297447000,
+                    1551816023119552000,
+                    1551816109742317000,
+                    1551816196383755000,
+                    1551816281910279400,
+                    1551816369138096000,
+                    1551816456444772000,
+                    1551816544463502800,
+                    1551816631379998700,
+                    1551816717725622500,
+                    1551816804412327000,
+                    1551816891003677200,
+                    1551816978029977300,
+                    1551817064869547300,
+                    1551817152548437500,
+                    1551817239386712000,
+                    1551817324881343500,
+                    1551817411567689500,
+                    1551817497956043500,
+                    1551817584365566700,
+                    1551817670801177600,
+                    1551817757319115300,
+                    1551817843753421300,
+                    1551817929208882400,
+                    1551818015703402000,
+                    1551818102313531400,
+                    1551818188852253200,
+                    1551818274246668000,
+                    1551818361273798100,
+                    1551818448904188000,
+                    1551818535388231400,
+                    1551818621922602000,
+                    1551818706218998500,
+                    1551818792711956200,
+                    1551818879595116300,
+                    1551818967168253000,
+                    1551819055172012300,
+                    1551796934883408000,
+                    1551797021248211200,
+                    1551797107751383300,
+                    1551797195222413600,
+                    1551797283189797600,
+                    1551797369177632300,
+                    1551797456524319500,
+                    1551797542181850600,
+                    1551797630514863400,
+                    1551797717763169800,
+                    1551797805427074300,
+                    1551797891788491500,
+                    1551797978864807400,
+                    1551798065588669000,
+                    1551798151326969600,
+                    1551798239535629000,
+                    1551798326356424400,
+                    1551798413341830100,
+                    1551798500461506600,
+                    1551798587951146200,
+                    1551798673754270200,
+                    1551798761447464200,
+                    1551798848875440400,
+                    1551798936054377200,
+                    1551799021834681600,
+                    1551799107136041700,
+                    1551799193854201900,
+                    1551799280921340400,
+                    1551799369022987800,
+                    1551799455534770000,
+                    1551799542074070500,
+                    1551799629776769000,
+                    1551799716017635800,
+                    1551799802785858600,
+                    1551799888925246700,
+                    1551799975612325400,
+                    1551800062708811300,
+                    1551800149194365000,
+                    1551800235751162000,
+                    1551800322693501200,
+                    1551800409568045800,
+                    1551800496085409000,
+                    1551800583059036200,
+                    1551800668750943500,
+                    1551800756404699000,
+                    1551800843149957600,
+                    1551800929235447800,
+                    1551801015888609500,
+                    1551801103210902000,
+                    1551801190067903700,
+                    1551801278423279000,
+                    1551801364164436700,
+                    1551801448666044000,
+                    1551801534848840400,
+                    1551801621663551500,
+                    1551801707933268000,
+                    1551801794317972500,
+                    1551801880680772600,
+                    1551801968184599000,
+                    1551802054810856000,
+                    1551802140391363800,
+                    1551802227860272400,
+                    1551802313366069000,
+                    1551802399985518000,
+                    1551802487183356000,
+                    1551802574032541200,
+                    1551802660872278800,
+                    1551802747890506800,
+                    1551802835392356000,
+                    1551802921037066000,
+                    1551803007089838600,
+                    1551803095687771000,
+                    1551803183049985000,
+                    1551803270445534700,
+                    1551803356331776000,
+                    1551803443692611800,
+                    1551803531417985800,
+                    1551803618719146200,
+                    1551803707210230300,
+                    1551803794789760800,
+                    1551803882673225200,
+                    1551803971459868400,
+                    1551804058578875400,
+                    1551804145960830200,
+                    1551804234254888700,
+                    1551804322256049400,
+                    1551804410265957400,
+                    1551804497226090800,
+                    1551804584053460000,
+                    1551804671152900600,
+                    1551804757897356500,
+                    1551804845449297200,
+                    1551804932020029700,
+                    1551805020157064400,
+                    1551805107257989000,
+                    1551805195756843000,
+                    1551805281765421300,
+                    1551805368207391200,
+                    1551805455844940000,
+                    1551805541505774300,
+                    1551805628455398700,
+                    1551805715152426800,
+                    1551805803356083200,
+                    1551805890093024800,
+                    1551805976698235600,
+                    1551806063405247700,
+                    1551806147778785800,
+                    1551806235017114000,
+                    1551806322267704300,
+                    1551806408876106500,
+                    1551806495885739000,
+                    1551806580581932300,
+                    1551806667097105000,
+                    1551806752682205000,
+                    1551806838448827000,
+                    1551806925195549700,
+                    1551807011741980200,
+                    1551807098721375500,
+                    1551807185978657800,
+                    1551807273380151800,
+                    1551807361262365400,
+                    1551807448039038000,
+                    1551807533444213800,
+                    1551807619848523800,
+                    1551807706214843100,
+                    1551807791497103600,
+                    1551807877970536700,
+                    1551807963287305200,
+                    1551808049742755300,
+                    1551808135095061000,
+                    1551808222020724200,
+                    1551808307935440000,
+                    1551808394622856200,
+                    1551808481461249000,
+                    1551808568136231700,
+                    1551808654787261400,
+                    1551808741431564500,
+                    1551808828836320000,
+                    1551808916029792300,
+                    1551809001543323600,
+                    1551809087926328800,
+                    1551809173839670800,
+                    1551809260959386600,
+                    1551809347467765800,
+                    1551809433043349000,
+                    1551809520551369000,
+                    1551809607539242500,
+                    1551809695671268400,
+                    1551809780606221000,
+                    1551809867569511400,
+                    1551809954451390200,
+                    1551810041665356300,
+                    1551810128427694800,
+                    1551810214973528300,
+                    1551810300475295700,
+                    1551810386957216000,
+                    1551810472868708000,
+                    1551810559555873000,
+                    1551810645177904400,
+                    1551810732307275800,
+                    1551810819084136200,
+                    1551810904761953800,
+                    1551810991401248000,
+                    1551811078766944000,
+                    1551811166044107300,
+                    1551811253602546400,
+                    1551811340892026400,
+                    1551811426723096300,
+                    1551811514132644900,
+                    1551811601291153700,
+                    1551811688391390000,
+                    1551811776222473200,
+                    1551811864259342800,
+                    1551811951514730800,
+                    1551812038325298200,
+                    1551812127268150000,
+                    1551812214801797600,
+                    1551812300436868000,
+                    1551812386985713000,
+                    1551812473741197800,
+                    1551812561146193000,
+                    1551812647184361500,
+                    1551812733805924400,
+                    1551812821584958700,
+                    1551812908693565000,
+                    1551812996554721800,
+                    1551813083661930800,
+                    1551813170106764800,
+                    1551813254586326300,
+                    1551813337054424000,
+                    1551813420426787600,
+                    1551813505845955300,
+                    1551813588899750000
+                ],
+                "PauseNs": [
+                    226100,
+                    322500,
+                    260100,
+                    448500,
+                    207500,
+                    427400,
+                    1550700,
+                    214100,
+                    1427500,
+                    373300,
+                    5243700,
+                    160200,
+                    600500,
+                    135800,
+                    943800,
+                    270300,
+                    893500,
+                    339600,
+                    384000,
+                    299900,
+                    156900,
+                    171100,
+                    1642700,
+                    514800,
+                    165000,
+                    249100,
+                    1508600,
+                    396800,
+                    197900,
+                    243800,
+                    207400,
+                    160300,
+                    246100,
+                    617100,
+                    139600,
+                    353200,
+                    314900,
+                    284000,
+                    2825600,
+                    1395100,
+                    276200,
+                    271900,
+                    108200,
+                    362500,
+                    193000,
+                    271600,
+                    181300,
+                    307300,
+                    257700,
+                    232200,
+                    562800,
+                    480200,
+                    332700,
+                    751400,
+                    363500,
+                    219100,
+                    2766100,
+                    481800,
+                    162400,
+                    1434800,
+                    347600,
+                    212800,
+                    578900,
+                    238000,
+                    1019300,
+                    213300,
+                    239600,
+                    188800,
+                    1122900,
+                    438500,
+                    1379200,
+                    324700,
+                    119200,
+                    242100,
+                    2210500,
+                    197700,
+                    234400,
+                    2782300,
+                    271300,
+                    163400,
+                    1219300,
+                    161600,
+                    361900,
+                    330400,
+                    152600,
+                    178200,
+                    2522200,
+                    468700,
+                    240300,
+                    225000,
+                    874800,
+                    778300,
+                    350300,
+                    289800,
+                    222100,
+                    264400,
+                    350100,
+                    159400,
+                    151200,
+                    2344800,
+                    616200,
+                    579900,
+                    2442800,
+                    291800,
+                    2999000,
+                    484900,
+                    238300,
+                    219200,
+                    614100,
+                    316700,
+                    1619200,
+                    175400,
+                    228000,
+                    280100,
+                    274300,
+                    312800,
+                    157100,
+                    891200,
+                    217400,
+                    223600,
+                    765600,
+                    419700,
+                    286500,
+                    191300,
+                    906200,
+                    432400,
+                    216400,
+                    473500,
+                    188900,
+                    1539000,
+                    156300,
+                    215100,
+                    543400,
+                    265700,
+                    1357700,
+                    115100,
+                    358800,
+                    245700,
+                    247100,
+                    254100,
+                    578800,
+                    1265000,
+                    254800,
+                    170600,
+                    390600,
+                    544800,
+                    1177300,
+                    157300,
+                    276100,
+                    296500,
+                    260100,
+                    318200,
+                    458400,
+                    1839700,
+                    745300,
+                    351900,
+                    1561600,
+                    264000,
+                    2498100,
+                    304500,
+                    338300,
+                    329300,
+                    803600,
+                    820400,
+                    715800,
+                    872500,
+                    894800,
+                    236000,
+                    220700,
+                    281900,
+                    200800,
+                    250200,
+                    321800,
+                    1590900,
+                    1573900,
+                    137800,
+                    361300,
+                    376400,
+                    240900,
+                    317100,
+                    3437200,
+                    1722100,
+                    257600,
+                    189800,
+                    292000,
+                    223800,
+                    1947100,
+                    2491900,
+                    162300,
+                    333200,
+                    935100,
+                    383500,
+                    588700,
+                    365200,
+                    138100,
+                    578300,
+                    375000,
+                    251500,
+                    192100,
+                    423400,
+                    514900,
+                    723400,
+                    291900,
+                    322100,
+                    1684700,
+                    137800,
+                    193400,
+                    2769300,
+                    437200,
+                    2782300,
+                    183700,
+                    123700,
+                    252800,
+                    471500,
+                    304500,
+                    197900,
+                    201200,
+                    281900,
+                    370500,
+                    194300,
+                    125100,
+                    158300,
+                    864300,
+                    1291100,
+                    315800,
+                    209100,
+                    277300,
+                    748300,
+                    186800,
+                    250200,
+                    294900,
+                    206500,
+                    2523200,
+                    186200,
+                    451800,
+                    266300,
+                    275900,
+                    188300,
+                    285200,
+                    85100,
+                    216700,
+                    254500,
+                    239000,
+                    3545400,
+                    297300,
+                    182400,
+                    208900,
+                    1895300,
+                    372800,
+                    160200,
+                    215400,
+                    1316900,
+                    951900,
+                    302100,
+                    222300,
+                    310900
+                ],
+                "PauseTotalNs": 568650700,
+                "StackInuse": 983040,
+                "StackSys": 983040,
+                "Sys": 59263224,
+                "TotalAlloc": 24294182136
+            },
+            "metricbeat.system.cpu.events": 447,
+            "metricbeat.system.cpu.failures": 0,
+            "metricbeat.system.cpu.success": 448,
+            "metricbeat.system.filesystem.events": 76,
+            "metricbeat.system.filesystem.failures": 0,
+            "metricbeat.system.filesystem.success": 77,
+            "metricbeat.system.fsstat.events": 76,
+            "metricbeat.system.fsstat.failures": 0,
+            "metricbeat.system.fsstat.success": 77,
+            "metricbeat.system.load.events": 447,
+            "metricbeat.system.load.failures": 0,
+            "metricbeat.system.load.success": 448,
+            "metricbeat.system.memory.events": 448,
+            "metricbeat.system.memory.failures": 0,
+            "metricbeat.system.memory.success": 449,
+            "metricbeat.system.network.events": 1792,
+            "metricbeat.system.network.failures": 0,
+            "metricbeat.system.network.success": 1793,
+            "metricbeat.system.process.events": 457,
+            "metricbeat.system.process.failures": 0,
+            "metricbeat.system.process.success": 458,
+            "metricbeat.system.process_summary.events": 447,
+            "metricbeat.system.process_summary.failures": 0,
+            "metricbeat.system.process_summary.success": 448,
+            "metricbeat.system.uptime.events": 7,
+            "metricbeat.system.uptime.failures": 0,
+            "metricbeat.system.uptime.success": 8,
+            "system.cpu.cores": 4,
+            "system.load.1": 0.3,
+            "system.load.15": 0.24,
+            "system.load.5": 0.23,
+            "system.load.norm.1": 0.075,
+            "system.load.norm.15": 0.06,
+            "system.load.norm.5": 0.0575
+        }
+    },
+    "metricset": {
+        "name": "expvar"
+    },
+    "service": {
+        "address": "127.0.0.1:6060",
+        "type": "golang"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-golang-heap.md b/docs/reference/metricbeat/metricbeat-metricset-golang-heap.md
new file mode 100644
index 000000000000..bdf1d9c6878c
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-golang-heap.md
@@ -0,0 +1,78 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-golang-heap.html
+---
+
+# Golang heap metricset [metricbeat-metricset-golang-heap]
+
+The `heap` metricset of the Golang module collects the memstats information from the expvar API.
+
+## Fields [_fields_110]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-golang.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "dataset": "golang.heap",
+        "duration": 115000,
+        "module": "golang"
+    },
+    "golang": {
+        "heap": {
+            "allocations": {
+                "active": 52076544,
+                "allocated": 50143344,
+                "frees": 23897036,
+                "idle": 352256,
+                "mallocs": 24213008,
+                "objects": 315972,
+                "total": 3857953864
+            },
+            "cmdline": "metricbeat --httpprof :6060 -e",
+            "gc": {
+                "cpu_fraction": 0.00003865910349307519,
+                "next_gc_limit": 52492048,
+                "pause": {
+                    "avg": {
+                        "ns": 466218
+                    },
+                    "count": 237,
+                    "max": {
+                        "ns": 4432500
+                    },
+                    "sum": {
+                        "ns": 110493700
+                    }
+                },
+                "total_count": 237,
+                "total_pause": {
+                    "ns": 110493700
+                }
+            },
+            "system": {
+                "obtained": 52428800,
+                "released": 0,
+                "stack": 983040,
+                "total": 59263224
+            }
+        }
+    },
+    "metricset": {
+        "name": "heap"
+    },
+    "service": {
+        "address": "127.0.0.1:6060",
+        "type": "golang"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-graphite-server.md b/docs/reference/metricbeat/metricbeat-metricset-graphite-server.md
new file mode 100644
index 000000000000..1efb2833b62d
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-graphite-server.md
@@ -0,0 +1,40 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-graphite-server.html
+---
+
+# Graphite server metricset [metricbeat-metricset-graphite-server]
+
+This is the server metricset of the module graphite.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_111]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-graphite.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"graphite",
+        "name":"server",
+        "rtt":44269
+    },
+    "graphite":{
+        "collector":{
+            "example": "collector"
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-haproxy-info.md b/docs/reference/metricbeat/metricbeat-metricset-haproxy-info.md
new file mode 100644
index 000000000000..40c604e033bd
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-haproxy-info.md
@@ -0,0 +1,132 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-haproxy-info.html
+---
+
+# HAProxy info metricset [metricbeat-metricset-haproxy-info]
+
+The HAProxy `info` metricset collects general information about HAProxy processes.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_112]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-haproxy.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "dataset": "haproxy.info",
+        "duration": 115000,
+        "module": "haproxy"
+    },
+    "haproxy": {
+        "info": {
+            "compress": {
+                "bps": {
+                    "in": 0,
+                    "out": 0,
+                    "rate_limit": 0
+                }
+            },
+            "connection": {
+                "current": 0,
+                "hard_max": 4000,
+                "max": 4000,
+                "rate": {
+                    "limit": 0,
+                    "max": 0,
+                    "value": 0
+                },
+                "ssl": {
+                    "current": 0,
+                    "max": 0,
+                    "total": 0
+                },
+                "total": 30
+            },
+            "idle": {
+                "pct": 1
+            },
+            "memory": {
+                "max": {
+                    "bytes": 0
+                }
+            },
+            "pipes": {
+                "free": 0,
+                "max": 0,
+                "used": 0
+            },
+            "process_num": 1,
+            "processes": 1,
+            "requests": {
+                "total": 30
+            },
+            "run_queue": 0,
+            "session": {
+                "rate": {
+                    "limit": 0,
+                    "max": 0,
+                    "value": 0
+                }
+            },
+            "sockets": {
+                "max": 8034
+            },
+            "ssl": {
+                "backend": {
+                    "key_rate": {
+                        "max": 0,
+                        "value": 0
+                    }
+                },
+                "cache_misses": 0,
+                "cached_lookups": 0,
+                "frontend": {
+                    "key_rate": {
+                        "max": 0,
+                        "value": 0
+                    },
+                    "session_reuse": {
+                        "pct": 0
+                    }
+                },
+                "rate": {
+                    "limit": 0,
+                    "max": 0,
+                    "value": 0
+                }
+            },
+            "tasks": 7,
+            "ulimit_n": 8034,
+            "uptime": {
+                "sec": 30
+            },
+            "zlib_mem_usage": {
+                "max": 0,
+                "value": 0
+            }
+        }
+    },
+    "metricset": {
+        "name": "info"
+    },
+    "process": {
+        "pid": 7
+    },
+    "service": {
+        "address": "127.0.0.1:14567",
+        "type": "haproxy"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-haproxy-stat.md b/docs/reference/metricbeat/metricbeat-metricset-haproxy-stat.md
new file mode 100644
index 000000000000..a774c043247a
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-haproxy-stat.md
@@ -0,0 +1,106 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-haproxy-stat.html
+---
+
+# HAProxy stat metricset [metricbeat-metricset-haproxy-stat]
+
+The HAProxy `stat` metricset collects *stat* fields from HAProxy processes.
+
+See section "9.1. CSV format" of the [official HAProxy Management Guide](http://www.haproxy.org/download/1.6/doc/management.txt) for a full list of *stat* fields.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_113]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-haproxy.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "dataset": "haproxy.stat",
+        "duration": 115000,
+        "module": "haproxy"
+    },
+    "haproxy": {
+        "stat": {
+            "check": {
+                "agent.last": "",
+                "health.last": "",
+                "status": ""
+            },
+            "component_type": 0,
+            "compressor": {
+                "bypassed.bytes": 0,
+                "in.bytes": 0,
+                "out.bytes": 0,
+                "response.bytes": 0
+            },
+            "connection": {
+                "total": 0
+            },
+            "in.bytes": 0,
+            "out.bytes": 0,
+            "proxy": {
+                "id": 2,
+                "name": "stat"
+            },
+            "queue": {},
+            "request": {
+                "denied": 0,
+                "errors": 0,
+                "rate": {
+                    "max": 0,
+                    "value": 0
+                },
+                "total": 0
+            },
+            "response": {
+                "denied": 0,
+                "http": {
+                    "1xx": 0,
+                    "2xx": 0,
+                    "3xx": 0,
+                    "4xx": 0,
+                    "5xx": 0,
+                    "other": 0
+                }
+            },
+            "server": {
+                "id": 0
+            },
+            "service_name": "FRONTEND",
+            "session": {
+                "current": 0,
+                "limit": 25000,
+                "max": 0,
+                "rate": {
+                    "limit": 0,
+                    "max": 0,
+                    "value": 0
+                }
+            },
+            "status": "OPEN"
+        }
+    },
+    "metricset": {
+        "name": "stat"
+    },
+    "process": {
+        "pid": 1
+    },
+    "service": {
+        "address": "127.0.0.1:14567",
+        "type": "haproxy"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-http-json.md b/docs/reference/metricbeat/metricbeat-metricset-http-json.md
new file mode 100644
index 000000000000..c5c17416eb7d
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-http-json.md
@@ -0,0 +1,228 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-http-json.html
+---
+
+# HTTP json metricset [metricbeat-metricset-http-json]
+
+This is the `json` metricset of the HTTP module.
+
+
+## Features and Configuration [_features_and_configuration]
+
+The JSON structure returned by the HTTP endpoint will be added to the provided `namespace` field as shown in the following example:
+
+```json
+{
+  "@timestamp": "2017-05-01T13:00:24.745Z",
+  "beat": {
+    "hostname": "mbp",
+    "name": "mbp",
+    "version": "6.0.0-alpha1"
+  },
+  "http": {
+    "http_json_namespace": {
+      "date": "05-01-2017",
+      "milliseconds_since_epoch": 1493643625474.000000,
+      "time": "01:00:25 PM"
+    }
+  },
+  "metricset": {
+    "host": "date.jsontest.com",
+    "module": "http",
+    "name": "json",
+    "namespace": "http_json_namespace",
+    "rtt": 238397
+  },
+  "type": "metricsets"
+}
+```
+
+Here the response from `date.jsontest.com` is returned in the configured `http_json_namespace` namespace:
+
+```json
+{
+      "date": "05-01-2017",
+      "milliseconds_since_epoch": 1493643625474.000000,
+      "time": "01:00:25 PM"
+}
+```
+
+It is required to set a namespace in the general module config section.
+
+
+### json.is_array [_json_is_array]
+
+With this configuration enabled the `json` metricset expects the JSON structure returned by the HTTP endpoint to be an array. Further, it creates separate events for each element in the array.
+
+
+### request.enabled [_request_enabled]
+
+With this configuration enabled additional information about the request are included. This includes the following information:
+
+* HTTP Header
+* HTTP Method
+* Body/Payload
+
+Example:
+
+```json
+{
+  "@timestamp": "2017-05-01T13:00:24.745Z",
+  "beat": {
+    "hostname": "mbp",
+    "name": "mbp",
+    "version": "6.0.0-alpha1"
+  },
+  "http": {
+    "http_json_namespace": {
+      "date": "05-01-2017",
+      "milliseconds_since_epoch": 1493643625474.000000,
+      "time": "01:00:25 PM"
+    },
+    "request": {
+      "body": "",
+      "headers": {
+        "Accept": "application/json"
+      },
+      "method": "GET"
+    }
+  },
+  "metricset": {
+    "host": "date.jsontest.com",
+    "module": "http",
+    "name": "json",
+    "namespace": "http_json_namespace",
+    "rtt": 238397
+  },
+  "type": "metricsets"
+}
+```
+
+
+### response.enabled [_response_enabled]
+
+With this configuration enabled additional information about the response are included. This includes the following information:
+
+* HTTP Header
+* HTTP Status Code
+
+Example:
+
+```json
+{
+  "@timestamp": "2017-05-01T13:00:24.745Z",
+  "beat": {
+    "hostname": "mbp",
+    "name": "mbp",
+    "version": "6.0.0-alpha1"
+  },
+  "http": {
+    "http_json_namespace": {
+      "date": "05-01-2017",
+      "milliseconds_since_epoch": 1493643625474.000000,
+      "time": "01:00:25 PM"
+    },
+    "response": {
+      "headers": {
+        "Access-Control-Allow-Origin": "*",
+        "Content-Length": "100",
+        "Content-Type": "application/json; charset=ISO-8859-1",
+        "Date": "Mon, 01 May 2017 13:08:38 GMT",
+        "Server": "Google Frontend",
+        "X-Cloud-Trace-Context": "3f532d170112fc5b2a0b94fcbd6493b3"
+      },
+      "code": 200
+    }
+  },
+  "metricset": {
+    "host": "date.jsontest.com",
+    "module": "http",
+    "name": "json",
+    "namespace": "http_json_namespace",
+    "rtt": 238397
+  },
+  "type": "metricsets"
+}
+```
+
+
+### dedot.enabled [_dedot_enabled]
+
+With this configuration enabled dots in json field names  are replaced with `_` character,
+
+Example:
+
+```json
+{
+  "@timestamp": "2017-05-01T13:00:24.745Z",
+  "beat": {
+    "hostname": "mbp",
+    "name": "mbp",
+    "version": "6.0.0-alpha1"
+  },
+  "http": {
+    "http_json_namespace": {
+      "date": "05-01-2017",
+      "milliseconds_since_epoch": 1493643625474.000000,
+      "time": "01:00:25 PM"
+    },
+    "response": {
+      "headers": {
+        "Access-Control-Allow-Origin": "*",
+        "Content-Length": "100",
+        "Content-Type": "application/json; charset=ISO-8859-1",
+        "Date": "Mon, 01 May 2017 13:08:38 GMT",
+        "Server": "Google Frontend",
+        "X-Cloud-Trace-Context": "3f532d170112fc5b2a0b94fcbd6493b3"
+      },
+      "code": 200
+    }
+  },
+  "metricset": {
+    "host": "date.jsontest.com",
+    "module": "http",
+    "name": "json",
+    "namespace": "http_json_namespace",
+    "rtt": 238397
+  },
+  "type": "metricsets"
+}
+```
+
+
+## Exposed fields, Dashboards, Indexes, etc. [_exposed_fields_dashboards_indexes_etc]
+
+Since this is a general purpose module that can be tailored for any application that exposes a JSON structure, it comes with no exposed fields description, dashboards or index patterns.
+
+## Fields [_fields_114]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-http.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "http.test",
+        "duration": 115000,
+        "module": "http"
+    },
+    "http": {
+        "test": {
+            "hello": "world"
+        }
+    },
+    "metricset": {
+        "name": "json",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "http"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-http-server.md b/docs/reference/metricbeat/metricbeat-metricset-http-server.md
new file mode 100644
index 000000000000..b2344ebaefd7
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-http-server.md
@@ -0,0 +1,52 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-http-server.html
+---
+
+# HTTP server metricset [metricbeat-metricset-http-server]
+
+This is the server metricset of the module http.
+
+Events sent to the http endpoint will be put by default under the `http.server` prefix. To change this use the `server.paths` config options. In the example below every request to `/foo` will be put under `http.foo`. Also consider using secure settings for the server using TLS/SSL as shown
+
+```yaml
+- module: http
+  metricsets: ["server"]
+  host: "localhost"
+  ssl.certificate: "/etc/pki/server/cert.pem"
+  ssl.key: "/etc/pki/server/cert.key"
+  port: "8080"
+  server.paths:
+    - path: "/foo"
+      namespace: "foo"
+```
+
+## Fields [_fields_115]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-http.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"http",
+        "name":"server",
+        "rtt":44269
+    },
+    "http":{
+        "server":{
+            "test_metric": 5,
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-ibmmq-qmgr.md b/docs/reference/metricbeat/metricbeat-metricset-ibmmq-qmgr.md
new file mode 100644
index 000000000000..eba26caaf8ac
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-ibmmq-qmgr.md
@@ -0,0 +1,140 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-ibmmq-qmgr.html
+---
+
+# IBM MQ qmgr metricset [metricbeat-metricset-ibmmq-qmgr]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `qmgr` metricset of the IBM MQ module. It collects status information for the Queue Manager. The manager is a system program that is responsible for maintaining the queues and ensuring that the messages in the queues reach their destination.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_116]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-ibmmq.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2020-01-13T12:58:04.412Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "service": {
+        "address": "localhost:9157",
+        "type": "ibmmq"
+    },
+    "agent": {
+        "version": "8.0.0",
+        "type": "metricbeat",
+        "ephemeral_id": "752a92a2-5881-49b6-a6c8-a2848dd2a074",
+        "hostname": "MacBook-Elastic.local",
+        "id": "d662b58a-49c9-4241-aaaf-c5489341138c"
+    },
+    "ecs": {
+        "version": "1.4.0"
+    },
+    "host": {
+        "hostname": "MacBook-Elastic.local",
+        "architecture": "x86_64",
+        "os": {
+            "platform": "darwin",
+            "version": "10.14.6",
+            "family": "darwin",
+            "name": "Mac OS X",
+            "kernel": "18.7.0",
+            "build": "18G95"
+        },
+        "name": "MacBook-Elastic.local",
+        "id": "24F065F8-4274-521D-8DD5-5D27557E15B4"
+    },
+    "prometheus": {
+        "labels": {
+            "qmgr": "QM1",
+            "instance": "localhost:9157",
+            "job": "ibmmq"
+        },
+        "metrics": {
+            "ibmmq_qmgr_mqctl_total": 0,
+            "ibmmq_qmgr_mqcb_total": 0,
+            "ibmmq_qmgr_durable_subscription_delete_total": 0,
+            "ibmmq_qmgr_non_persistent_message_browse_bytes_total": 0,
+            "ibmmq_qmgr_failed_mqset_total": 0,
+            "ibmmq_qmgr_failed_subscription_delete_total": 0,
+            "ibmmq_qmgr_destructive_get_total": 1772,
+            "ibmmq_qmgr_mqput_mqput1_bytes_total": 659084,
+            "ibmmq_qmgr_failed_mqsubrq_total": 0,
+            "ibmmq_qmgr_topic_put_bytes_total": 473772,
+            "ibmmq_qmgr_topic_mqput_mqput1_total": 1761,
+            "ibmmq_qmgr_persistent_topic_mqput_mqput1_total": 0,
+            "ibmmq_qmgr_failed_mqput_total": 0,
+            "ibmmq_qmgr_non_durable_subscription_delete_total": 0,
+            "ibmmq_qmgr_non_persistent_message_browse_total": 0,
+            "ibmmq_qmgr_expired_message_total": 0,
+            "ibmmq_qmgr_non_durable_subscription_create_total": 0,
+            "ibmmq_qmgr_non_persistent_message_destructive_get_total": 1772,
+            "ibmmq_qmgr_failed_mqcb_total": 0,
+            "ibmmq_qmgr_commit_total": 0,
+            "ibmmq_qmgr_mqset_total": 0,
+            "ibmmq_qmgr_mqsubrq_total": 0,
+            "ibmmq_qmgr_mqopen_total": 0,
+            "ibmmq_qmgr_durable_subscription_resume_total": 0,
+            "ibmmq_qmgr_non_persistent_message_mqput1_total": 0,
+            "ibmmq_qmgr_failed_browse_total": 0,
+            "ibmmq_qmgr_non_persistent_topic_mqput_mqput1_total": 1761,
+            "ibmmq_qmgr_mqconn_mqconnx_total": 0,
+            "ibmmq_qmgr_mqstat_total": 0,
+            "ibmmq_qmgr_log_logical_written_bytes_total": 0,
+            "ibmmq_qmgr_log_physical_written_bytes_total": 0,
+            "ibmmq_qmgr_failed_mqput1_total": 0,
+            "ibmmq_qmgr_published_to_subscribers_bytes_total": 473772,
+            "ibmmq_qmgr_failed_mqclose_total": 0,
+            "ibmmq_qmgr_failed_mqget_total": 1481,
+            "ibmmq_qmgr_rollback_total": 0,
+            "ibmmq_qmgr_failed_subscription_create_alter_resume_total": 0,
+            "ibmmq_qmgr_failed_topic_mqput_mqput1_total": 0,
+            "ibmmq_qmgr_mqdisc_total": 0,
+            "ibmmq_qmgr_failed_mqinq_total": 0,
+            "ibmmq_qmgr_non_persistent_message_mqput_total": 1761,
+            "ibmmq_qmgr_durable_subscription_create_total": 0,
+            "ibmmq_qmgr_failed_mqopen_total": 0,
+            "ibmmq_qmgr_failed_mqconn_mqconnx_total": 0,
+            "ibmmq_qmgr_persistent_message_put_bytes_total": 0,
+            "ibmmq_qmgr_non_persistent_message_get_bytes_total": 663212,
+            "ibmmq_qmgr_durable_subscription_alter_total": 0,
+            "ibmmq_qmgr_persistent_message_browse_total": 0,
+            "ibmmq_qmgr_mqput_mqput1_total": 1761,
+            "ibmmq_qmgr_published_to_subscribers_message_total": 1761,
+            "ibmmq_qmgr_destructive_get_bytes_total": 663212,
+            "ibmmq_qmgr_mqclose_total": 2,
+            "ibmmq_qmgr_persistent_message_browse_bytes_total": 0,
+            "ibmmq_qmgr_persistent_message_get_bytes_total": 0,
+            "ibmmq_qmgr_persistent_message_mqput1_total": 0,
+            "ibmmq_qmgr_purged_queue_total": 0,
+            "ibmmq_qmgr_persistent_message_destructive_get_total": 0,
+            "ibmmq_qmgr_persistent_message_mqput_total": 0,
+            "ibmmq_qmgr_mqinq_total": 634,
+            "ibmmq_qmgr_non_persistent_message_put_bytes_total": 659084
+        }
+    },
+    "event": {
+        "dataset": "ibmmq.qmgr",
+        "module": "ibmmq",
+        "duration": 4421890
+    },
+    "metricset": {
+        "name": "qmgr",
+        "period": 10000
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-iis-application_pool.md b/docs/reference/metricbeat/metricbeat-metricset-iis-application_pool.md
new file mode 100644
index 000000000000..b44005ed4edb
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-iis-application_pool.md
@@ -0,0 +1,88 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-iis-application_pool.html
+---
+
+# IIS application_pool metricset [metricbeat-metricset-iis-application_pool]
+
+This is the application_pool metricset of the module iis.
+
+This metricset allows users to retrieve relevant metrics for the application pools running on IIS.
+
+Metric values are divided in several groups:
+
+The `process` object contains System/Process counters like the the overall server and CPU usage for the IIS Worker Process and memory (currently used and available memory for the IIS Worker Process).
+
+The `net_clr` object which returns ASP.NET error rate counter values. Users can specify the application pools they would like to monitor using the configuration option `application_pool.name`, else, all application pools are considered.
+
+
+### Dashboard [_dashboard_27]
+
+:::{image} images/metricbeat-iis-application-pool-overview.png
+:alt: metricbeat iis application pool overview
+:::
+
+## Fields [_fields_117]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-iis.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "iis.application_pool",
+        "duration": 115000,
+        "module": "iis"
+    },
+    "iis": {
+        "application_pool": {
+            "name": "test.local",
+            "net_clr": {
+                "total_exceptions_thrown": 0,
+                "finallys_per_sec": 0,
+                "exceptions_thrown_per_sec": 0,
+                "locks_and_threads": {
+                    "current_queue_length": 0,
+                    "contention_rate_per_sec": 0
+                },
+                "memory": {
+                    "gen_2_heap_size": 0,
+                    "large_object_heap_size": 0,
+                    "gen_1_heap_size": 0,
+                    "gen_1_collections": 0,
+                    "gen_0_heap_size": 0,
+                    "bytes_in_all_heaps": 0,
+                    "total_committed_bytes": 0,
+                    "gen_0_collections": 0,
+                    "gen_2_collections": 0,
+                    "allocated_bytes_per_sec": 0,
+                    "time_in_gc_perc": 0
+                },
+                "filters_per_sec": 0,
+                "throw_to_catch_depth_per_sec": 0
+            },
+            "process": {
+                "handle_count": 532,
+                "private_byte": 35258368,
+                "thread_count": 29,
+                "virtual_bytes": 667226112,
+                "working_set": 36044800
+            }
+        }
+    },
+    "metricset": {
+        "name": "application_pool",
+        "period": 10000
+    },
+    "process": {
+        "pid": 748
+    },
+    "service": {
+        "type": "iis"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-iis-webserver.md b/docs/reference/metricbeat/metricbeat-metricset-iis-webserver.md
new file mode 100644
index 000000000000..430e9d076bac
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-iis-webserver.md
@@ -0,0 +1,103 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-iis-webserver.html
+---
+
+# IIS webserver metricset [metricbeat-metricset-iis-webserver]
+
+This is the webserver metricset of the module iis.
+
+This metricset allows users to retrieve relevant metrics from IIS.
+
+Metric values are divided in several groups:
+
+The `process` object contains System/Process counters like the the overall server and CPU usage for the IIS Worker Processes and memory (currently used and available memory for the IIS Worker Processes).
+
+The `network` object contains the IIS Performance counters like: Web Service: Bytes Received/Sec (helpful to track to identify potential spikes in traffic), Web Service: Bytes Sent/Sec (helpful to track to identify potential spikes in traffic), Web Service: Current Connections (through experience with their apps app, users can identify what is a normal value for this) and others.
+
+The `cache` object contains metrics from the user mode cache and output cache.
+
+The `asp_net` and `asp_net_application` contain asp.net related performance counter values.
+
+
+### Dashboard [_dashboard_28]
+
+:::{image} images/metricbeat-iis-webserver-overview.png
+:alt: metricbeat iis webserver overview
+:::
+
+:::{image} images/metricbeat-iis-webserver-process.png
+:alt: metricbeat iis webserver process
+:::
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_118]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-iis.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "iis.webserver",
+        "duration": 115000,
+        "module": "iis"
+    },
+    "iis": {
+        "webserver": {
+            "asp_net": {
+                "application_restarts": 0,
+                "request_wait_time": 0
+            },
+            "asp_net_application": {
+                "pipeline_instance_count": 3,
+                "requests_executing": 0,
+                "requests_in_application_queue": 0
+            },
+            "cache": {
+                "current_file_cache_memory_usage": 696,
+                "current_files_cached": 2,
+                "current_uris_cached": 0,
+                "file_cache_hits": 1,
+                "file_cache_misses": 7,
+                "maximum_file_cache_memory_usage": 696,
+                "output_cache_current_items": 0,
+                "output_cache_current_memory_usage": 0,
+                "output_cache_total_hits": 0,
+                "output_cache_total_misses": 8,
+                "total_files_cached": 2,
+                "total_uris_cached": 1,
+                "uri_cache_hits": 0,
+                "uri_cache_misses": 8
+            },
+            "network": {
+                "current_anonymous_users": 0,
+                "current_connections": 0,
+                "current_nonanonymous_users": 0,
+                "maximum_connections": 3,
+                "service_uptime": 343447,
+                "total_anonymous_users": 6,
+                "total_bytes_received": 2715,
+                "total_bytes_sent": 89432,
+                "total_connection_attempts": 4,
+                "total_delete_requests": 0,
+                "total_get_requests": 6,
+                "total_nonanonymous_users": 0,
+                "total_post_requests": 0
+            }
+        }
+    },
+    "metricset": {
+        "name": "webserver",
+        "period": 10000
+    },
+    "service": {
+        "type": "iis"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-iis-website.md b/docs/reference/metricbeat/metricbeat-metricset-iis-website.md
new file mode 100644
index 000000000000..854796f1a502
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-iis-website.md
@@ -0,0 +1,69 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-iis-website.html
+---
+
+# IIS website metricset [metricbeat-metricset-iis-website]
+
+This is the website metricset of the module iis.
+
+This metricset allows users to retrieve relevant metrics for the websites running on IIS.
+
+The metrics contain the IIS Performance counter values like: Web Service: Bytes Received/Sec (helpful to track to identify potential spikes in traffic), Web Service: Bytes Sent/Sec (helpful to track to identify potential spikes in traffic), Web Service: Current Connections (through experience with their apps app, users can identify what is a normal value for this) and others.
+
+
+### Dashboard [_dashboard_29]
+
+:::{image} images/metricbeat-iis-website-overview.png
+:alt: metricbeat iis website overview
+:::
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_119]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-iis.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "iis.website",
+        "duration": 115000,
+        "module": "iis"
+    },
+    "iis": {
+        "website": {
+            "network": {
+                "bytes_sent_per_sec": 0,
+                "maximum_connections": 1,
+                "total_post_requests": 0,
+                "post_requests_per_sec": 0,
+                "total_connection_attempts": 1,
+                "service_uptime": 114161,
+                "get_requests_per_sec": 0,
+                "total_put_requests": 0,
+                "current_connections": 0,
+                "total_delete_requests": 0,
+                "bytes_received_per_sec": 0,
+                "put_requests_per_sec": 0,
+                "total_bytes_sent": 944,
+                "total_get_requests": 1,
+                "delete_requests_per_sec": 0
+            },
+            "name": "Default Web Site"
+        }
+    },
+    "metricset": {
+        "name": "website",
+        "period": 10000
+    },
+    "service": {
+        "type": "iis"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-istio-citadel.md b/docs/reference/metricbeat/metricbeat-metricset-istio-citadel.md
new file mode 100644
index 000000000000..16e24d0e71c4
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-istio-citadel.md
@@ -0,0 +1,48 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-istio-citadel.html
+---
+
+# Istio citadel metricset [metricbeat-metricset-istio-citadel]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the citadel metricset of the module istio. This metricset collects Citadel-specific metrics.
+
+## Fields [_fields_120]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-istio.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "istio.citadel",
+        "duration": 115000,
+        "module": "istio"
+    },
+    "istio": {
+        "citadel": {
+            "secret_controller_svc_acc_created_cert": {
+                "count": 58
+            },
+            "server_root_cert_expiry_seconds": 1894287345
+        }
+    },
+    "metricset": {
+        "name": "citadel",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "istio"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-istio-galley.md b/docs/reference/metricbeat/metricbeat-metricset-istio-galley.md
new file mode 100644
index 000000000000..87cdbaaac20e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-istio-galley.md
@@ -0,0 +1,48 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-istio-galley.html
+---
+
+# Istio galley metricset [metricbeat-metricset-istio-galley]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the galley metricset of the module istio. This metricset collects Galley-specific metrics.
+
+## Fields [_fields_121]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-istio.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "istio.galley",
+        "duration": 115000,
+        "module": "istio"
+    },
+    "istio": {
+        "galley": {
+            "collection": "istio/networking/v1alpha3/envoyfilters",
+            "runtime": {
+                "state_type_instances": 1
+            }
+        }
+    },
+    "metricset": {
+        "name": "galley",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "istio"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-istio-istiod.md b/docs/reference/metricbeat/metricbeat-metricset-istio-istiod.md
new file mode 100644
index 000000000000..3239970bd7d1
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-istio-istiod.md
@@ -0,0 +1,21 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-istio-istiod.html
+---
+
+# Istio istiod metricset [metricbeat-metricset-istio-istiod]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the istiod metricset of the module istio. This metricset collects metrics from the Istio Daemon of Istio versions higher than 1.5
+
+Tested with Istio 1.7
+
+## Fields [_fields_122]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-istio.md) section.
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-istio-mesh.md b/docs/reference/metricbeat/metricbeat-metricset-istio-mesh.md
new file mode 100644
index 000000000000..83b8b6507923
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-istio-mesh.md
@@ -0,0 +1,136 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-istio-mesh.html
+---
+
+# Istio mesh metricset [metricbeat-metricset-istio-mesh]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the mesh metricset of the module istio. This metricset collects all Mixer-generated metrics.
+
+## Fields [_fields_123]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-istio.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "istio.mesh",
+        "duration": 115000,
+        "module": "istio"
+    },
+    "istio": {
+        "mesh": {
+            "connection": {
+                "security": {
+                    "policy": "unknown"
+                }
+            },
+            "destination": {
+                "app": "reviews",
+                "principal": "unknown",
+                "service": {
+                    "host": "details.default.svc.cluster.local",
+                    "name": "details",
+                    "namespace": "default"
+                },
+                "version": "v1",
+                "workload": {
+                    "name": "reviews-v1",
+                    "namespace": "default"
+                }
+            },
+            "reporter": "source",
+            "request": {
+                "duration": {
+                    "ms": {
+                        "bucket": {
+                            "+Inf": 1,
+                            "10": 1,
+                            "100": 1,
+                            "1000": 1,
+                            "10000": 1,
+                            "25": 1,
+                            "250": 1,
+                            "2500": 1,
+                            "5": 0,
+                            "50": 1,
+                            "500": 1,
+                            "5000": 1
+                        },
+                        "count": 1,
+                        "sum": 5.815905
+                    }
+                },
+                "protocol": "http",
+                "size": {
+                    "bytes": {
+                        "bucket": {
+                            "+Inf": 1,
+                            "1": 1,
+                            "10": 1,
+                            "100": 1,
+                            "1000": 1,
+                            "10000": 1,
+                            "100000": 1,
+                            "1000000": 1,
+                            "10000000": 1,
+                            "100000000": 1
+                        },
+                        "count": 1,
+                        "sum": 0
+                    }
+                }
+            },
+            "requests": 1,
+            "response": {
+                "code": "200",
+                "size": {
+                    "bytes": {
+                        "bucket": {
+                            "+Inf": 1,
+                            "1": 0,
+                            "10": 0,
+                            "100": 0,
+                            "1000": 1,
+                            "10000": 1,
+                            "100000": 1,
+                            "1000000": 1,
+                            "10000000": 1,
+                            "100000000": 1
+                        },
+                        "count": 1,
+                        "sum": 178
+                    }
+                }
+            },
+            "source": {
+                "app": "productpage",
+                "principal": "unknown",
+                "version": "v1",
+                "workload": {
+                    "name": "productpage-v1",
+                    "namespace": "default"
+                }
+            }
+        }
+    },
+    "metricset": {
+        "name": "mesh",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "istio"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-istio-mixer.md b/docs/reference/metricbeat/metricbeat-metricset-istio-mixer.md
new file mode 100644
index 000000000000..8fadfb607d9c
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-istio-mixer.md
@@ -0,0 +1,48 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-istio-mixer.html
+---
+
+# Istio mixer metricset [metricbeat-metricset-istio-mixer]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the mixer metricset of the module istio. This metricset collects Mixer-specific metrics and can be used to monitor Mixer itself.
+
+## Fields [_fields_124]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-istio.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "istio.mixer",
+        "duration": 115000,
+        "module": "istio"
+    },
+    "istio": {
+        "mixer": {
+            "handler": {
+                "daemons": 1,
+                "name": "prometheus.istio-system"
+            }
+        }
+    },
+    "metricset": {
+        "name": "mixer",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "istio"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-istio-pilot.md b/docs/reference/metricbeat/metricbeat-metricset-istio-pilot.md
new file mode 100644
index 000000000000..ad73954fc13c
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-istio-pilot.md
@@ -0,0 +1,50 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-istio-pilot.html
+---
+
+# Istio pilot metricset [metricbeat-metricset-istio-pilot]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the pilot metricset of the module istio. This metricset collects all Pilot-generated metrics.
+
+## Fields [_fields_125]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-istio.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "istio.pilot",
+        "duration": 115000,
+        "module": "istio"
+    },
+    "istio": {
+        "pilot": {
+            "cluster": "outbound_.15031_._.istio-ingressgateway.istio-system.svc.cluster.local",
+            "xds": {
+                "eds": {
+                    "instances": 1
+                }
+            }
+        }
+    },
+    "metricset": {
+        "name": "pilot",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "istio"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-istio-proxy.md b/docs/reference/metricbeat/metricbeat-metricset-istio-proxy.md
new file mode 100644
index 000000000000..06b4bd503883
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-istio-proxy.md
@@ -0,0 +1,41 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-istio-proxy.html
+---
+
+# Istio proxy metricset [metricbeat-metricset-istio-proxy]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the proxy metricset of the module istio. This metricset collects metrics from the Envoy proxy’s Prometheus exporter for Istio versions higher than 1.5
+
+Tested with Istio 1.7
+
+
+## Deployment [_deployment]
+
+Istio-proxy is a sidecar container that is being injected into every Pod that is being deployed on a Kubernetes cluster which’s traffic is managed by Istio. Because of this reason, in order to collect metrics from this sidecars we need to automatically identify these sidecar containers and start monitoring them using their IP and the predifined port (15090). This can be achieved easily by defining the proper autodiscover provider that will automatically identify all these sidecar containers and will start the `proxy` metricset for each one of them. Here is an example configuration that can be used for that purpose:
+
+```yaml
+metricbeat.autodiscover:
+  providers:
+    - type: kubernetes
+      node: ${NODE_NAME}
+      templates:
+        - condition:
+            contains:
+              kubernetes.annotations.prometheus.io/path: "/stats/prometheus"
+          config:
+            - module: istio
+              metricsets: ["proxy"]
+              hosts: "${data.kubernetes.pod.ip}:15090"
+```
+
+## Fields [_fields_126]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-istio.md) section.
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-jolokia-jmx.md b/docs/reference/metricbeat/metricbeat-metricset-jolokia-jmx.md
new file mode 100644
index 000000000000..cff85a310ba4
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-jolokia-jmx.md
@@ -0,0 +1,141 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-jolokia-jmx.html
+---
+
+# Jolokia jmx metricset [metricbeat-metricset-jolokia-jmx]
+
+The `jmx` metricset collects metrics from [Jolokia agents](https://jolokia.org/reference/html/agents.md).
+
+
+## Features and configuration [_features_and_configuration_2]
+
+Tested with Jolokia 1.5.0.
+
+To collect metrics from a Jolokia instance, define a mapping section that specifies an MBean `ObjectName` followed by an array of attributes to fetch. For each attribute in the array, specify the Elastic field name where the returned value will be saved.
+
+For example, to get the `Uptime` attribute from the `java.lang:type=Runtime` MBean and map it to an event field called `jolokia.testnamespace.uptime`, configure the following mapping:
+
+```yaml
+- module: jolokia
+  metricsets: ["jmx"]
+  hosts: ["localhost:8778"]
+  namespace: "testnamespace" <1>
+  http_method: "POST" <2>
+  jmx.mappings:
+    - mbean: 'java.lang:type=Runtime'
+      attributes:
+        - attr: Uptime
+          field: uptime <3>
+          event: uptime <4>
+      target:
+          url: "service:jmx:rmi:///jndi/rmi://targethost:9999/jmxrmi"
+          user: "jolokia"
+          password: "s!cr!t"
+```
+
+1. The `namespace` setting is required. This setting is used along with the module name to qualify field names in the output event.
+2. The `http_method` setting is optional. By default all requests to Jolokia are performed using `POST` HTTP method. This setting allows only two values: `POST` or `GET`.
+3. The field where the returned value will be saved. This field will be called `jolokia.testnamespace.uptime` in the output event.
+4. The `event` setting is optional. Use this setting to group all attributes with the same `event` value into the same event when sending data to Elastic.
+
+
+If the underlying attribute is an object (such as the `HeapMemoryUsage` attribute in `java.lang:type=Memory`), its structure will be published to Elastic "as is".
+
+You can configure nested metric aliases by using dots in the mapping name (for example, `gc.cms_collection_time`). For more examples, see [/jolokia/jmx/test/config.yml](https://github.com/elastic/beats/blob/master/metricbeat/module/jolokia/jmx/_meta/test/config.yml).
+
+All metrics from a single mapping will be POSTed to the defined host/port and sent to Elastic as a single event. To make it possible to differentiate between metrics from multiple similar applications running on the same host, you should configure multiple modules.
+
+When wildcards are used, an event is sent to Elastic for each matching MBean, and an `mbean` field is added to the event.
+
+
+## Accessing Jolokia via POST or GET method [_accessing_jolokia_via_post_or_get_method]
+
+All requests to Jolokia are made by default using HTTP POST method. However, there are specific circumstances on the environment where Jolokia agent is deployed, in which POST method can be unavailable. In this case you can use HTTP GET method, by defining `http_method` attribute. In general you can use either POST or GET, but GET has the following drawbacks:
+
+1. [Proxy requests](https://jolokia.org/reference/html/protocol.md#protocol-proxy) are not allowed.
+2. If more than one `jmx.mappings` are defined, then Metricbeat will perform as many GET requests as the mappings defined. For example the following configuration with 3 mappings will create 3 GET requests, one for every MBean. On the contrary, if you use HTTP POST, Metricbeat will create only 1 request to Jolokia.
+
+```yaml
+- module: jolokia
+  metricsets: ["jmx"]
+  enabled: true
+  period: 10s
+  hosts: ["localhost:8080"]
+  namespace: "jolokia_metrics"
+  path: "/jolokia"
+  http_method: 'GET'
+  jmx.mappings:
+    - mbean: 'java.lang:type=Memory'
+      attributes:
+       - attr: HeapMemoryUsage
+         field: memory.heap_usage
+       - attr: NonHeapMemoryUsage
+         field: memory.non_heap_usage
+    - mbean: 'Catalina:name=*,type=ThreadPool'
+      attributes:
+       - attr: port
+         field: catalina.port
+       - attr: maxConnections
+         field: catalina.maxConnections
+    - mbean: 'java.lang:type=Runtime'
+      attributes:
+       - attr: Uptime
+         field: uptime
+```
+
+
+## Limitations [_limitations]
+
+1. All Jolokia requests have `canonicalNaming` set to `false`. See the [Jolokia Protocol](https://jolokia.org/reference/html/protocol.md) documentation for more detail about this parameter.
+2. If `http_method` is set to `GET`, then [Proxy requests](https://jolokia.org/reference/html/protocol.md#protocol-proxy) are not allowed. Thus, setting a value to `target` section is going to fail with an error.
+
+
+## Exposed fields, dashboards, indexes, etc. [_exposed_fields_dashboards_indexes_etc_2]
+
+Because this module is very general and can be tailored for any application that exposes its metrics over Jolokia, it comes with no exposed field descriptions, dashboards, or index patterns.
+
+## Fields [_fields_127]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-jolokia.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "jolokia.testnamespace",
+        "duration": 115000,
+        "module": "jolokia"
+    },
+    "jolokia": {
+        "testnamespace": {
+            "memory": {
+                "heap_usage": {
+                    "committed": 514850816,
+                    "init": 536870912,
+                    "max": 7635730432,
+                    "used": 42335648
+                },
+                "non_heap_usage": {
+                    "committed": 32243712,
+                    "init": 2555904,
+                    "max": -1,
+                    "used": 29999896
+                }
+            },
+            "uptime": 70795470
+        }
+    },
+    "metricset": {
+        "name": "jmx"
+    },
+    "service": {
+        "address": "127.0.0.1:8778",
+        "type": "jolokia"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kafka-broker.md b/docs/reference/metricbeat/metricbeat-metricset-kafka-broker.md
new file mode 100644
index 000000000000..9159be37c7ce
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kafka-broker.md
@@ -0,0 +1,125 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kafka-broker.html
+---
+
+# Kafka broker metricset [metricbeat-metricset-kafka-broker]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This metricset periodically fetches JMX metrics from Kafka Broker JMX.
+
+
+## Compatibility [_compatibility_27]
+
+The module has been tested with Kafka 2.1.1 and 2.2.2. Other versions are expected to work.
+
+
+## Usage [_usage_6]
+
+The Broker metricset requires [Jolokia](/reference/metricbeat/metricbeat-module-jolokia.md)to fetch JMX metrics. Refer to the link for instructions about how to use Jolokia.
+
+Note that the Jolokia agent is required to be deployed along with the Kafka JVM application. This can be achieved by using the `KAFKA_OPTS` environment variable when starting the Kafka broker application:
+
+```shell
+export KAFKA_OPTS=-javaagent:/opt/jolokia-jvm-1.5.0-agent.jar=port=8779,host=localhost
+./bin/kafka-server-start.sh ./config/server.properties
+```
+
+Then it will be possible to collect the JMX metrics from `localhost:8779`.
+
+## Fields [_fields_128]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kafka.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-10-30T14:22:37.475Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "agent": {
+        "ephemeral_id": "f08b3bea-3631-4aaf-b35d-4cef29aeeb06",
+        "hostname": "MBP.lan",
+        "id": "79dd1677-1bea-4efd-9131-e8ca464eddf0",
+        "version": "8.0.0",
+        "type": "metricbeat"
+    },
+    "ecs": {
+        "version": "1.2.0"
+    },
+    "metricset": {
+        "name": "broker",
+        "period": 10000
+    },
+    "service": {
+        "address": "localhost:8779",
+        "type": "kafka"
+    },
+    "kafka": {
+        "broker": {
+            "request": {
+                "fetch": {
+                    "failed_per_second": 0
+                },
+                "channel": {
+                    "queue": {
+                        "size": 0
+                    }
+                },
+                "produce": {
+                    "failed_per_second": 0
+                }
+            },
+            "replication": {
+                "leader_elections": 0,
+                "unclean_leader_elections": 0
+            },
+            "session": {
+                "zookeeper": {
+                    "expire": 0,
+                    "readonly": 0,
+                    "sync": 0.00017675970397749868,
+                    "disconnect": 0
+                }
+            },
+            "topic": {
+                "net": {
+                    "bytes_out": 0,
+                    "bytes_rejected": 0,
+                    "bytes_in": 0
+                },
+                "messages_in": 0
+            }
+        }
+    },
+    "event": {
+        "dataset": "kafka.broker",
+        "module": "kafka",
+        "duration": 7870293
+    },
+    "host": {
+        "name": "MBP.lan",
+        "hostname": "MBP.lan",
+        "architecture": "x86_64",
+        "os": {
+            "version": "10.14.6",
+            "family": "darwin",
+            "name": "Mac OS X",
+            "kernel": "18.7.0",
+            "build": "18G95",
+            "platform": "darwin"
+        },
+        "id": "883134FF-0EC4-5E1B-9F9E-FD06FB681D84"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kafka-consumer.md b/docs/reference/metricbeat/metricbeat-metricset-kafka-consumer.md
new file mode 100644
index 000000000000..b03767bbbf8b
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kafka-consumer.md
@@ -0,0 +1,96 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kafka-consumer.html
+---
+
+# Kafka consumer metricset [metricbeat-metricset-kafka-consumer]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This metricset periodically fetches JMX metrics from Kafka Consumers implemented in java and expose JMX metrics through jolokia agent.
+
+
+## Compatibility [_compatibility_28]
+
+The module has been tested with Kafka 2.1.1 and 2.2.2. Other versions are expected to work.
+
+
+## Usage [_usage_7]
+
+The Consumer metricset requires [Jolokia](/reference/metricbeat/metricbeat-module-jolokia.md)to fetch JMX metrics. Refer to the link for more information about Jolokia.
+
+Note that the Jolokia agent is required to be deployed along with the JVM application. This can be achieved by using the `KAFKA_OPTS` environment variable when starting the Kafka consumer application:
+
+```shell
+export KAFKA_OPTS=-javaagent:/opt/jolokia-jvm-1.5.0-agent.jar=port=8774,host=localhost
+./bin/kafka-console-consumer.sh --topic=test --bootstrap-server=localhost:9091
+```
+
+Then it will be possible to collect the JMX metrics from `localhost:8774`.
+
+## Fields [_fields_129]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kafka.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-10-31T13:22:06.700Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "kafka": {
+        "consumer": {
+            "bytes_consumed": 2.9521300228e+10,
+            "fetch_rate": 0,
+            "records_consumed": 1.23075656e+08,
+            "mbean": "kafka.consumer:client-id=consumer-1,type=consumer-fetch-manager-metrics"
+        }
+    },
+    "event": {
+        "dataset": "kafka.consumer",
+        "module": "kafka",
+        "duration": 7042831
+    },
+    "ecs": {
+        "version": "1.2.0"
+    },
+    "host": {
+        "name": "pr.local",
+        "hostname": "pr.local",
+        "architecture": "x86_64",
+        "os": {
+            "kernel": "18.7.0",
+            "build": "18G95",
+            "platform": "darwin",
+            "version": "10.14.6",
+            "family": "darwin",
+            "name": "Mac OS X"
+        },
+        "id": "883134FF-0EC4-5E1B-9F9E-FD06FB681D84"
+    },
+    "agent": {
+        "hostname": "pr.local",
+        "id": "79dd1677-1bea-4efd-9131-e8ca464eddf0",
+        "version": "8.0.0",
+        "type": "metricbeat",
+        "ephemeral_id": "e40f5843-d3aa-4bdc-a100-64022b70851b"
+    },
+    "metricset": {
+        "name": "consumer",
+        "period": 10000
+    },
+    "service": {
+        "address": "localhost:8774",
+        "type": "kafka"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kafka-consumergroup.md b/docs/reference/metricbeat/metricbeat-metricset-kafka-consumergroup.md
new file mode 100644
index 000000000000..792a985064db
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kafka-consumergroup.md
@@ -0,0 +1,64 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kafka-consumergroup.html
+---
+
+# Kafka consumergroup metricset [metricbeat-metricset-kafka-consumergroup]
+
+This is the `consumergroup` metricset of the Kafka module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_130]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kafka.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "kafka.consumergroup",
+        "duration": 115000,
+        "module": "kafka"
+    },
+    "kafka": {
+        "broker": {
+            "address": "172.21.0.2:9092",
+            "id": 0
+        },
+        "consumergroup": {
+            "client": {
+                "host": "127.0.0.1",
+                "id": "consumer-1",
+                "member_id": "consumer-1-8653cb3a-afed-4b1b-87d0-2a208319b41e"
+            },
+            "consumer_lag": 77,
+            "error": {
+                "code": 0
+            },
+            "id": "console-consumer-40539",
+            "meta": "",
+            "offset": -1
+        },
+        "partition": {
+            "id": 0,
+            "topic_id": "0-test"
+        },
+        "topic": {
+            "name": "test"
+        }
+    },
+    "metricset": {
+        "name": "consumergroup",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.21.0.2:9092",
+        "type": "kafka"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kafka-partition.md b/docs/reference/metricbeat/metricbeat-metricset-kafka-partition.md
new file mode 100644
index 000000000000..3b51f82a3319
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kafka-partition.md
@@ -0,0 +1,71 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kafka-partition.html
+---
+
+# Kafka partition metricset [metricbeat-metricset-kafka-partition]
+
+This is the partition metricset of the Kafka module.
+
+## Configuration [_configuration_2]
+
+As the partition metricset fetches the data from the complete Kafka cluster, only one connection host has to be defined. Currently if multiple hosts are defined, the data is fetched multiple times. Support for multiple initial connections host is planned to be added in future releases.
+
+
+## Metricset [_metricset]
+
+The current implementation of the partition metricset fetches the data for all leader partitions. Data for the replicas is not available yet.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+
+## Fields [_fields_131]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kafka.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "kafka.partition",
+        "duration": 115000,
+        "module": "kafka"
+    },
+    "kafka": {
+        "broker": {
+            "address": "172.21.0.2:9092",
+            "id": 0
+        },
+        "partition": {
+            "id": 0,
+            "offset": {
+                "newest": 1,
+                "oldest": 0
+            },
+            "partition": {
+                "insync_replica": true,
+                "is_leader": true,
+                "leader": 0,
+                "replica": 0
+            },
+            "topic_broker_id": "0-metricbeat-generate-data-0",
+            "topic_id": "0-metricbeat-generate-data"
+        },
+        "topic": {
+            "name": "metricbeat-generate-data"
+        }
+    },
+    "metricset": {
+        "name": "partition",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.21.0.2:9092",
+        "type": "kafka"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kafka-producer.md b/docs/reference/metricbeat/metricbeat-metricset-kafka-producer.md
new file mode 100644
index 000000000000..046f978e2b76
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kafka-producer.md
@@ -0,0 +1,103 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kafka-producer.html
+---
+
+# Kafka producer metricset [metricbeat-metricset-kafka-producer]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This metricset periodically fetches JMX metrics from Kafka Producers implemented in java and expose JMX metrics through jolokia agent.
+
+
+## Compatibility [_compatibility_29]
+
+The module has been tested with Kafka 2.1.1 and 2.2.2. Other versions are expected to work.
+
+
+## Usage [_usage_8]
+
+The Producer metricset requires [Jolokia](/reference/metricbeat/metricbeat-module-jolokia.md)to fetch JMX metrics. Refer to the link for more information about Jolokia.
+
+Note that the Jolokia agent is required to be deployed along with the JVM application. This can be achieved by using the `KAFKA_OPTS` environment variable when starting the Kafka producer application:
+
+```shell
+export KAFKA_OPTS=-javaagent:/opt/jolokia-jvm-1.5.0-agent.jar=port=8775,host=localhost
+./bin/kafka-console-producer.sh --topic test --broker-list localhost:9091
+```
+
+Then it will be possible to collect the JMX metrics from `localhost:8775`.
+
+## Fields [_fields_132]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kafka.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-10-31T10:19:14.758Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "metricset": {
+        "name": "producer",
+        "period": 10000
+    },
+    "ecs": {
+        "version": "1.2.0"
+    },
+    "host": {
+        "os": {
+            "name": "Mac OS X",
+            "kernel": "18.7.0",
+            "build": "18G95",
+            "platform": "darwin",
+            "version": "10.14.6",
+            "family": "darwin"
+        },
+        "id": "883134FF-0EC4-5E1B-9F9E-FD06FB681D84",
+        "hostname": "abc.local",
+        "name": "abc.local",
+        "architecture": "x86_64"
+    },
+    "agent": {
+        "type": "metricbeat",
+        "ephemeral_id": "b95327e7-2737-4262-a1a6-ab8547fc8c8d",
+        "hostname": "abc.local",
+        "id": "79dd1677-1bea-4efd-9131-e8ca464eddf0",
+        "version": "8.0.0"
+    },
+    "service": {
+        "address": "localhost:8775",
+        "type": "kafka"
+    },
+    "event": {
+        "dataset": "kafka.producer",
+        "module": "kafka",
+        "duration": 4485726
+    },
+    "kafka": {
+        "producer": {
+            "response_rate": 0,
+            "request_rate": 0,
+            "record_send_rate": 0,
+            "batch_size_avg": 0,
+            "record_size_avg": 0,
+            "record_retry_rate": 0,
+            "records_per_request": 0,
+            "io_wait": 1.2487715219630156e+07,
+            "mbean": "kafka.producer:client-id=console-producer,type=producer-metrics",
+            "available_buffer_bytes": 0,
+            "record_error_rate": 737.5234685412391
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kibana-cluster_actions.md b/docs/reference/metricbeat/metricbeat-metricset-kibana-cluster_actions.md
new file mode 100644
index 000000000000..2afbe44b963f
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kibana-cluster_actions.md
@@ -0,0 +1,49 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kibana-cluster_actions.html
+---
+
+# Kibana cluster_actions metricset [metricbeat-metricset-kibana-cluster_actions]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the actions metricset of the module kibana.
+
+## Fields [_fields_133]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kibana.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"kibana",
+        "name":"cluster_actions",
+        "rtt":44269
+    },
+    "kibana":{
+        "cluster_actions":{
+            "overdue": {
+                "count": 3,
+                "delay": {
+                    "p50": 500,
+                    "p99": 3000
+                }
+            }
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kibana-cluster_rules.md b/docs/reference/metricbeat/metricbeat-metricset-kibana-cluster_rules.md
new file mode 100644
index 000000000000..75721082e7db
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kibana-cluster_rules.md
@@ -0,0 +1,49 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kibana-cluster_rules.html
+---
+
+# Kibana cluster_rules metricset [metricbeat-metricset-kibana-cluster_rules]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the rules metricset of the module kibana.
+
+## Fields [_fields_134]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kibana.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"kibana",
+        "name":"cluster_rules",
+        "rtt":44269
+    },
+    "kibana":{
+        "cluster_rules":{
+            "overdue": {
+                "count": 3,
+                "delay": {
+                    "p50": 500,
+                    "p99": 3000
+                }
+            }
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kibana-node_actions.md b/docs/reference/metricbeat/metricbeat-metricset-kibana-node_actions.md
new file mode 100644
index 000000000000..2396af9578f5
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kibana-node_actions.md
@@ -0,0 +1,45 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kibana-node_actions.html
+---
+
+# Kibana node_actions metricset [metricbeat-metricset-kibana-node_actions]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the actions metricset of the module kibana.
+
+## Fields [_fields_135]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kibana.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"kibana",
+        "name":"node_actions",
+        "rtt":44269
+    },
+    "kibana":{
+        "node_actions":{
+            "executions": 10,
+            "failures": 0,
+            "timeouts": 0
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kibana-node_rules.md b/docs/reference/metricbeat/metricbeat-metricset-kibana-node_rules.md
new file mode 100644
index 000000000000..c43d397a4029
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kibana-node_rules.md
@@ -0,0 +1,45 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kibana-node_rules.html
+---
+
+# Kibana node_rules metricset [metricbeat-metricset-kibana-node_rules]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the node_rules metricset of the module kibana.
+
+## Fields [_fields_136]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kibana.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"kibana",
+        "name":"node_rules",
+        "rtt":44269
+    },
+    "kibana":{
+        "node_rules":{
+            "executions": 10,
+            "failures": 0,
+            "timeouts": 0
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kibana-settings.md b/docs/reference/metricbeat/metricbeat-metricset-kibana-settings.md
new file mode 100644
index 000000000000..54a573fbff37
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kibana-settings.md
@@ -0,0 +1,61 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kibana-settings.html
+---
+
+# Kibana settings metricset [metricbeat-metricset-kibana-settings]
+
+This is the `settings` metricset of the Kibana module. This stats endpoint is available in 6.4 by default.
+
+The intention of the Kibana module is to have a minimal data set that works across Kibana versions.
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes_9]
+
+If the Kibana instance is using a basepath in its URL, you must set the `basepath` setting for this module with the same value.
+
+## Fields [_fields_137]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kibana.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "kibana.settings",
+        "duration": 115000,
+        "module": "kibana"
+    },
+    "kibana": {
+        "elasticsearch": {
+            "cluster": {
+                "id": "WocBBA0QRma0sGpdQ7vLfQ"
+            }
+        },
+        "settings": {
+            "host": "0.0.0.0",
+            "index": ".kibana",
+            "locale": "en",
+            "name": "b04775fa6831",
+            "port": 5601,
+            "snapshot": false,
+            "status": "green",
+            "transport_address": "0.0.0.0:5601",
+            "uuid": "f87393a7-e8ae-48fd-af1e-91f229fd93fd",
+            "version": "7.14.0"
+        }
+    },
+    "metricset": {
+        "name": "settings",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.19.0.3:5601",
+        "type": "kibana"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kibana-stats.md b/docs/reference/metricbeat/metricbeat-metricset-kibana-stats.md
new file mode 100644
index 000000000000..0523dc9e20d6
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kibana-stats.md
@@ -0,0 +1,122 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kibana-stats.html
+---
+
+# Kibana stats metricset [metricbeat-metricset-kibana-stats]
+
+This is the `stats` metricset of the Kibana module. This stats endpoint is available in 6.4 by default.
+
+The intention of the Kibana module is to have a minimal data set that works across Kibana versions.
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes_10]
+
+If the Kibana instance is using a basepath in its URL, you must set the `basepath` setting for this module with the same value.
+
+## Fields [_fields_138]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kibana.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "kibana.stats",
+        "duration": 115000,
+        "module": "kibana"
+    },
+    "kibana": {
+        "elasticsearch": {
+            "cluster": {
+                "id": "WocBBA0QRma0sGpdQ7vLfQ"
+            }
+        },
+        "stats": {
+            "concurrent_connections": 4,
+            "host": {
+                "name": "0.0.0.0"
+            },
+            "index": ".kibana",
+            "name": "b04775fa6831",
+            "os": {
+                "distro": "CentOS",
+                "distroRelease": "CentOS-8.4.2105\n",
+                "load": {
+                    "15m": 1.12,
+                    "1m": 0.97,
+                    "5m": 1.01
+                },
+                "memory": {
+                    "free_in_bytes": 323694592,
+                    "total_in_bytes": 33295835136,
+                    "used_in_bytes": 32972140544
+                },
+                "platform": "linux",
+                "platformRelease": "linux-5.14.13-200.fc34.x86_64"
+            },
+            "process": {
+                "event_loop_delay": {
+                    "ms": 0.14306800067424774
+                },
+                "event_loop_utilization": {
+                    "active": 629.1224170000005,
+                    "idle": 359.23554199999995,
+                    "utilization": 0.6365329598160299
+                },
+                "memory": {
+                    "heap": {
+                        "size_limit": {
+                            "bytes": 4345298944
+                        },
+                        "total": {
+                            "bytes": 264982528
+                        },
+                        "used": {
+                            "bytes": 226086648
+                        }
+                    },
+                    "resident_set_size": {
+                        "bytes": 346976256
+                    }
+                },
+                "uptime": {
+                    "ms": 79081
+                }
+            },
+            "request": {
+                "disconnects": 0,
+                "total": 7
+            },
+            "response_time": {
+                "avg": {
+                    "ms": 74
+                },
+                "max": {
+                    "ms": 389
+                }
+            },
+            "snapshot": false,
+            "status": "green",
+            "transport_address": "0.0.0.0:5601"
+        }
+    },
+    "metricset": {
+        "name": "stats",
+        "period": 10000
+    },
+    "process": {
+        "pid": 1222
+    },
+    "service": {
+        "address": "172.19.0.3:5601",
+        "id": "f87393a7-e8ae-48fd-af1e-91f229fd93fd",
+        "type": "kibana",
+        "version": "7.14.0"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kibana-status.md b/docs/reference/metricbeat/metricbeat-metricset-kibana-status.md
new file mode 100644
index 000000000000..6d54569083e4
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kibana-status.md
@@ -0,0 +1,59 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kibana-status.html
+---
+
+# Kibana status metricset [metricbeat-metricset-kibana-status]
+
+This is the `status` metricset of the Kibana module. This status endpoint is available in 6.0 by default and can be enabled in Kibana >= 5.4 with the config option `status.v6ApiFormat: true`.
+
+The intention of the Kibana module is to have a minimal data set that works across Kibana versions.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_139]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kibana.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kibana.status",
+        "duration": 115000,
+        "module": "kibana"
+    },
+    "kibana": {
+        "status": {
+            "metrics": {
+                "concurrent_connections": 12,
+                "requests": {
+                    "disconnects": 3,
+                    "total": 241
+                }
+            },
+            "name": "ruflin",
+            "status": {
+                "overall": {
+                    "state": "green"
+                }
+            }
+        }
+    },
+    "metricset": {
+        "name": "status",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "id": "5b2de169-2785-441b-ae8c-186a1936b17d",
+        "name": "kibana",
+        "type": "kibana",
+        "version": "6.0.0-alpha1"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-apiserver.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-apiserver.md
new file mode 100644
index 000000000000..a4eb20729aab
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-apiserver.md
@@ -0,0 +1,85 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-apiserver.html
+---
+
+# Kubernetes apiserver metricset [metricbeat-metricset-kubernetes-apiserver]
+
+This is the `apiserver` metricset of the Kubernetes module, in charge of retrieving metrics from the Kubernetes API (available at `/metrics`).
+
+This metricset needs access to the `apiserver` component of Kubernetes, accessible typically by any POD via the `kubernetes.default` service or via environment variables (`KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT`).
+
+When the API uses https, the pod will need to authenticate using its default token and trust the server using the appropiate CA file.
+
+Configuration example using https and token based authentication:
+
+```yaml
+- module: kubernetes
+  enabled: true
+  metricsets:
+    - apiserver
+  hosts: ["https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"]
+  #hosts: ["https://kubernetes.default"]
+  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+  ssl.certificate_authorities:
+    - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+  period: 30s
+```
+
+In order to access the `/metrics` path of the API service, some Kubernetes environments might require the following permission to be added to a ClusterRole.
+
+```yaml
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get
+```
+
+The previous configuration and RBAC requirement is available in the complete example manifest proposed in [Running Metricbeat on Kubernetes](/reference/metricbeat/running-on-kubernetes.md) document.
+
+## Fields [_fields_140]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.apiserver",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "apiserver": {
+            "major": {
+                "version": "1"
+            },
+            "minor": {
+                "version": "21"
+            },
+            "request": {
+                "code": "0",
+                "component": "apiserver",
+                "count": 14,
+                "resource": "endpoints",
+                "scope": "cluster",
+                "verb": "WATCH",
+                "version": "v1"
+            }
+        }
+    },
+    "metricset": {
+        "name": "apiserver",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-container.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-container.md
new file mode 100644
index 000000000000..a5b9af5230f1
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-container.md
@@ -0,0 +1,103 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-container.html
+---
+
+# Kubernetes container metricset [metricbeat-metricset-kubernetes-container]
+
+This is the `container` metricset of the Kubernetes module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_141]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-04-06T15:29:27.150Z",
+    "beat": {
+        "hostname": "beathost",
+        "name": "beathost",
+        "version": "6.0.0-alpha1"
+    },
+    "kubernetes": {
+        "container": {
+            "cpu": {
+                "usage": {
+                    "core": {
+                        "ns": 3305756719
+                    },
+                    "nanocores": 5992
+                }
+            },
+            "logs": {
+                "available": {
+                    "bytes": 1188063105024
+                },
+                "capacity": {
+                    "bytes": 1197211648000
+                },
+                "inodes": {
+                    "count": 584581120,
+                    "free": 584447029,
+                    "used": 134091
+                },
+                "used": {
+                    "bytes": 0
+                }
+            },
+            "memory": {
+                "available": {
+                    "bytes": 0
+                },
+                "majorpagefaults": 47,
+                "pagefaults": 2298,
+                "rss": {
+                    "bytes": 1441792
+                },
+                "usage": {
+                    "bytes": 7643136
+                },
+                "workingset": {
+                    "bytes": 1466368
+                }
+            },
+            "name": "nginx",
+            "rootfs": {
+                "available": {
+                    "bytes": 64694517760
+                },
+                "capacity": {
+                    "bytes": 142782496768
+                },
+                "inodes": {
+                    "used": 0
+                },
+                "used": {
+                    "bytes": 16777216
+                }
+            },
+            "start_time": "2017-04-03T10:01:56Z"
+        },
+        "namespace": "ns",
+        "node": {
+          "name": "localhost"
+        },
+        "pod": {
+            "name": "nginx-3137573019-pcfzh",
+        }
+    },
+    "metricset": {
+        "host": "localhost:10255",
+        "module": "kubernetes",
+        "name": "container",
+        "rtt": 650739
+    },
+    "type": "metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-controllermanager.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-controllermanager.md
new file mode 100644
index 000000000000..bca2ed28ff43
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-controllermanager.md
@@ -0,0 +1,57 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-controllermanager.html
+---
+
+# Kubernetes controllermanager metricset [metricbeat-metricset-kubernetes-controllermanager]
+
+`controllermanager` metricset for the Kubernetes module.
+
+## Fields [_fields_142]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.controllermanager",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "controllermanager": {
+            "name": "daemonset",
+            "workqueue": {
+                "adds": {
+                    "count": 5
+                },
+                "depth": {
+                    "count": 0
+                },
+                "longestrunning": {
+                    "sec": 0
+                },
+                "retries": {
+                    "count": 0
+                },
+                "unfinished": {
+                    "sec": 0
+                }
+            }
+        }
+    },
+    "metricset": {
+        "name": "controllermanager",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-event.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-event.md
new file mode 100644
index 000000000000..8710f41ae247
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-event.md
@@ -0,0 +1,62 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-event.html
+---
+
+# Kubernetes event metricset [metricbeat-metricset-kubernetes-event]
+
+This is the `event` metricset of the Kubernetes module.
+
+## Fields [_fields_143]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-05-15T08:07:12.945Z",
+    "beat": {
+        "hostname": "hostname",
+        "name": "beatname",
+        "version": "6.0.0-alpha2"
+    },
+    "kubernetes": {
+        "event": {
+            "count": 1,
+            "involved_object": {
+                "api_version": "extensions",
+                "kind": "ReplicaSet",
+                "name": "prometheus-2552087900",
+                "resource_version": "1047038",
+                "uid": "b2f92f14-2ad5-11e7-8cb8-e687a39f6e48"
+            },
+            "message": "Created pod: prometheus-2552087900-9fxh6",
+            "metadata": {
+                "generate_name": "",
+                "name": "prometheus-2552087900.14bf266355fd16e0",
+                "namespace": "default",
+                "resource_version": "1047243",
+                "self_link": "/api/v1/namespaces/default/events/prometheus-2552087900.14bf266355fd16e0",
+                "timestamp": {
+                    "created": "2017-05-16T10:30:09-07:00",
+                    "deleted": ""
+                },
+                "uid": "4f3fe524-3a5d-11e7-b8f2-e687a39f6e48"
+            },
+            "reason": "SuccessfulCreate",
+            "timestamp": {
+                "first_occurrence": "2017-05-16T17:30:09Z",
+                "last_occurrence": "2017-05-16T17:30:09Z"
+            },
+            "type": "Normal"
+        }
+    },
+    "metricset": {
+        "module": "kubernetes",
+        "name": "event"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-node.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-node.md
new file mode 100644
index 000000000000..8ac27728c94d
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-node.md
@@ -0,0 +1,105 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-node.html
+---
+
+# Kubernetes node metricset [metricbeat-metricset-kubernetes-node]
+
+This is the `node` metricset of the Kubernetes module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_144]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-04-06T15:29:27.150Z",
+    "beat": {
+        "hostname": "beathost",
+        "name": "beathost",
+        "version": "6.0.0-alpha1"
+    },
+    "kubernetes": {
+        "node": {
+            "cpu": {
+                "usage": {
+                    "core" : {
+                        "ns": 7247863769557035
+                    },
+                    "nanocores": 1662117892
+                }
+            },
+            "fs": {
+                "available": {
+                    "bytes": 1188063105024
+                },
+                "capacity": {
+                    "bytes": 1197211648000
+                },
+                "inodes": {
+                    "count": 584581120,
+                    "free": 584447029,
+                    "used": 134091
+                },
+                "used": {
+                    "bytes": 9148542976
+                }
+            },
+            "memory": {
+                "available": {
+                    "bytes": 134202847232
+                },
+                "majorpagefaults": 1044,
+                "pagefaults": 83482928,
+                "rss": {
+                    "bytes": 178053120
+                },
+                "usage": {
+                    "bytes": 67062091776
+                },
+                "workingset": {
+                    "bytes": 51496206336
+                }
+            },
+            "name": "localhost",
+            "network": {
+                "rx": {
+                    "bytes": 957942806894,
+                    "errors": 0
+                },
+                "tx": {
+                    "bytes": 461158498276,
+                    "errors": 0
+                }
+            },
+            "runtime": {
+                "imagefs": {
+                    "available": {
+                        "bytes": 64694517760
+                    },
+                    "capacity": {
+                        "bytes": 142782496768
+                    },
+                    "used": {
+                        "bytes": 29570629855
+                    }
+                }
+            },
+            "start_time": "2017-02-08T10:33:38Z"
+        }
+    },
+    "metricset": {
+        "host": "localhost:10255",
+        "module": "kubernetes",
+        "name": "node",
+        "rtt": 650741
+    },
+    "type": "metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-pod.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-pod.md
new file mode 100644
index 000000000000..abe41afa39aa
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-pod.md
@@ -0,0 +1,57 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-pod.html
+---
+
+# Kubernetes pod metricset [metricbeat-metricset-kubernetes-pod]
+
+This is the `pod` metricset of the Kubernetes module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_145]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-04-06T15:29:27.150Z",
+    "beat": {
+        "hostname": "beathost",
+        "name": "beathost",
+        "version": "6.0.0-alpha1"
+    },
+    "kubernetes": {
+        "namespace": "ns",
+        "node": {
+          "name": "localhost",
+        },
+        "pod": {
+            "name": "nginx-3137573019-pcfzh",
+            "uid": "b89a812e-18cd-11e9-b333-080027190d51",
+            "network": {
+                "rx": {
+                    "bytes": 18999261,
+                    "errors": 0
+                },
+                "tx": {
+                    "bytes": 28580621,
+                    "errors": 0
+                }
+            },
+            "start_time": "2017-04-06T12:09:05Z"
+        }
+    },
+    "metricset": {
+        "host": "localhost:10255",
+        "module": "kubernetes",
+        "name": "pod",
+        "rtt": 636230
+    },
+    "type": "metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-proxy.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-proxy.md
new file mode 100644
index 000000000000..88f8f8ac4d68
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-proxy.md
@@ -0,0 +1,108 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-proxy.html
+---
+
+# Kubernetes proxy metricset [metricbeat-metricset-kubernetes-proxy]
+
+`proxy` metricset for the Kubernetes module.
+
+## Fields [_fields_146]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.proxy",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "proxy": {
+            "client": {
+                "request": {
+                    "duration": {
+                        "us": {
+                            "bucket": {
+                                "+Inf": 1,
+                                "100000": 1,
+                                "1000000": 1,
+                                "15000000": 1,
+                                "2000000": 1,
+                                "25000": 1,
+                                "250000": 1,
+                                "30000000": 1,
+                                "4000000": 1,
+                                "5000": 0,
+                                "500000": 1,
+                                "60000000": 1,
+                                "8000000": 1
+                            },
+                            "count": 1,
+                            "sum": 8318.793
+                        }
+                    },
+                    "size": {
+                        "bytes": {
+                            "bucket": {
+                                "+Inf": 1,
+                                "1024": 1,
+                                "1048576": 1,
+                                "16384": 1,
+                                "16777216": 1,
+                                "256": 1,
+                                "262144": 1,
+                                "4096": 1,
+                                "4194304": 1,
+                                "512": 1,
+                                "64": 0,
+                                "65536": 1
+                            },
+                            "count": 1,
+                            "sum": 218
+                        }
+                    }
+                },
+                "response": {
+                    "size": {
+                        "bytes": {
+                            "bucket": {
+                                "+Inf": 1,
+                                "1024": 1,
+                                "1048576": 1,
+                                "16384": 1,
+                                "16777216": 1,
+                                "256": 0,
+                                "262144": 1,
+                                "4096": 1,
+                                "4194304": 1,
+                                "512": 1,
+                                "64": 0,
+                                "65536": 1
+                            },
+                            "count": 1,
+                            "sum": 465
+                        }
+                    }
+                }
+            },
+            "host": "control-plane.minikube.internal:8443",
+            "verb": "POST"
+        }
+    },
+    "metricset": {
+        "name": "proxy",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-scheduler.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-scheduler.md
new file mode 100644
index 000000000000..2ad75eb0b262
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-scheduler.md
@@ -0,0 +1,84 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-scheduler.html
+---
+
+# Kubernetes scheduler metricset [metricbeat-metricset-kubernetes-scheduler]
+
+`scheduler` metricset for the Kubernetes module.
+
+## Fields [_fields_147]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.scheduler",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "scheduler": {
+            "process": {
+                "cpu": {
+                    "sec": 3
+                },
+                "fds": {
+                    "max": {
+                        "count": 1048576
+                    },
+                    "open": {
+                        "count": 11
+                    }
+                },
+                "memory": {
+                    "resident": {
+                        "bytes": 59043840
+                    },
+                    "virtual": {
+                        "bytes": 1317883904
+                    }
+                },
+                "started": {
+                    "sec": 1714044432.82
+                }
+            },
+            "scheduling": {
+                "preemption": {
+                    "attempts": {
+                        "count": 1
+                    },
+                    "victims": {
+                        "bucket": {
+                            "+Inf": 0,
+                            "1": 0,
+                            "16": 0,
+                            "2": 0,
+                            "32": 0,
+                            "4": 0,
+                            "64": 0,
+                            "8": 0
+                        },
+                        "count": 0,
+                        "sum": 0
+                    }
+                }
+            }
+        }
+    },
+    "metricset": {
+        "name": "scheduler",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_container.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_container.md
new file mode 100644
index 000000000000..3c9fe91f1d73
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_container.md
@@ -0,0 +1,61 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-state_container.html
+---
+
+# Kubernetes state_container metricset [metricbeat-metricset-kubernetes-state_container]
+
+This is the `state_container` metricset of the Kubernetes module.
+
+## Fields [_fields_148]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "container": {
+        "id": "054b424625a7c22c210e3fe0aae55069d4f3e18ce8bc802a9a96ce87bb7a2483",
+        "image": {
+            "name": "docker.io/library/busybox:latest"
+        },
+        "runtime": "containerd"
+    },
+    "event": {
+        "dataset": "kubernetes.container",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "container": {
+            "id": "054b424625a7c22c210e3fe0aae55069d4f3e18ce8bc802a9a96ce87bb7a2483",
+            "name": "hello",
+            "status": {
+                "phase": "terminated",
+                "ready": false,
+                "reason": "Completed",
+                "restarts": 0
+            }
+        },
+        "namespace": "default",
+        "node": {
+            "name": "kind-control-plane"
+        },
+        "pod": {
+            "name": "hello-28564555-zdfjz"
+        }
+    },
+    "metricset": {
+        "name": "state_container",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_cronjob.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_cronjob.md
new file mode 100644
index 000000000000..16172e153ec5
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_cronjob.md
@@ -0,0 +1,62 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-state_cronjob.html
+---
+
+# Kubernetes state_cronjob metricset [metricbeat-metricset-kubernetes-state_cronjob]
+
+This is the `state_cronjob` metricset of the Kubernetes module.
+
+This metricset adds metadata by default only for versions of k8s >= v1.21. For older versions the APIs are not compatible and one need to configure the metricset with `add_metadata: false` and remove the proper `apiGroup` in the `ClusterRole`:
+
+```yaml
+- apiGroups: [ "batch" ]
+  resources:
+  - cronjobs
+```
+
+## Fields [_fields_149]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.cronjob",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "cronjob": {
+            "active": {
+                "count": 0
+            },
+            "created": {
+                "sec": 1713862291
+            },
+            "is_suspended": false,
+            "last_schedule": {
+                "sec": 1713873360
+            },
+            "name": "hello",
+            "next_schedule": {
+                "sec": 1713873420
+            }
+        },
+        "namespace": "default"
+    },
+    "metricset": {
+        "name": "state_cronjob",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_daemonset.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_daemonset.md
new file mode 100644
index 000000000000..09685798c145
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_daemonset.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-state_daemonset.html
+---
+
+# Kubernetes state_daemonset metricset [metricbeat-metricset-kubernetes-state_daemonset]
+
+This is the `state_daemonset` metricset of the Kubernetes module.
+
+## Fields [_fields_150]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.daemonset",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "daemonset": {
+            "name": "kube-proxy",
+            "replicas": {
+                "available": 1,
+                "desired": 1,
+                "ready": 1,
+                "unavailable": 0
+            }
+        },
+        "namespace": "kube-system"
+    },
+    "metricset": {
+        "name": "state_daemonset",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_deployment.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_deployment.md
new file mode 100644
index 000000000000..bd49d1ad638b
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_deployment.md
@@ -0,0 +1,52 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-state_deployment.html
+---
+
+# Kubernetes state_deployment metricset [metricbeat-metricset-kubernetes-state_deployment]
+
+This is the `state_deployment` metricset of the Kubernetes module.
+
+## Fields [_fields_151]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.deployment",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "deployment": {
+            "name": "kube-state-metrics",
+            "paused": false,
+            "replicas": {
+                "available": 1,
+                "desired": 1,
+                "unavailable": 0,
+                "updated": 1
+            },
+            "status": {
+                "available": "true",
+                "progressing": "true"
+            }
+        },
+        "namespace": "kube-system"
+    },
+    "metricset": {
+        "name": "state_deployment",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_job.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_job.md
new file mode 100644
index 000000000000..0a857399d29c
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_job.md
@@ -0,0 +1,64 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-state_job.html
+---
+
+# Kubernetes state_job metricset [metricbeat-metricset-kubernetes-state_job]
+
+This is the state_job metricset of the module kubernetes.
+
+## Fields [_fields_152]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.job",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "job": {
+            "completions": {
+                "desired": 1
+            },
+            "name": "hello-28564554",
+            "owner": {
+                "is_controller": "true",
+                "kind": "CronJob",
+                "name": "hello"
+            },
+            "parallelism": {
+                "desired": 1
+            },
+            "pods": {
+                "active": 0,
+                "failed": 0,
+                "succeeded": 1
+            },
+            "status": {
+                "complete": "true"
+            },
+            "time": {
+                "completed": "2024-04-23T11:54:02.000Z",
+                "created": "2024-04-23T11:54:00.000Z"
+            }
+        },
+        "namespace": "default"
+    },
+    "metricset": {
+        "name": "state_job",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_node.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_node.md
new file mode 100644
index 000000000000..ce78f7b3cc04
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_node.md
@@ -0,0 +1,74 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-state_node.html
+---
+
+# Kubernetes state_node metricset [metricbeat-metricset-kubernetes-state_node]
+
+This is the `state_node` metricset of the Kubernetes module.
+
+## Fields [_fields_153]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.node",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "node": {
+            "cpu": {
+                "allocatable": {
+                    "cores": 16
+                },
+                "capacity": {
+                    "cores": 16
+                }
+            },
+            "kubelet": {
+                "version": "v1.29.1"
+            },
+            "memory": {
+                "allocatable": {
+                    "bytes": 16769380352
+                },
+                "capacity": {
+                    "bytes": 16769380352
+                }
+            },
+            "name": "kind-control-plane",
+            "pod": {
+                "allocatable": {
+                    "total": 110
+                },
+                "capacity": {
+                    "total": 110
+                }
+            },
+            "status": {
+                "disk_pressure": "false",
+                "memory_pressure": "false",
+                "pid_pressure": "false",
+                "ready": "true",
+                "unschedulable": false
+            }
+        }
+    },
+    "metricset": {
+        "name": "state_node",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_persistentvolumeclaim.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_persistentvolumeclaim.md
new file mode 100644
index 000000000000..6b3483601a7e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_persistentvolumeclaim.md
@@ -0,0 +1,49 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-state_persistentvolumeclaim.html
+---
+
+# Kubernetes state_persistentvolumeclaim metricset [metricbeat-metricset-kubernetes-state_persistentvolumeclaim]
+
+The `state_persistentvolumeclaim` metricset for kubernetes service related metrics from `kube-state-metrics`.
+
+## Fields [_fields_154]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.persistentvolumeclaim",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "namespace": "default",
+        "persistentvolumeclaim": {
+            "access_mode": "ReadWriteOnce",
+            "created": "2024-04-23T08:51:31.000Z",
+            "name": "task-pv-claim",
+            "phase": "Bound",
+            "request_storage": {
+                "bytes": 1024
+            },
+            "storage_class": "generic",
+            "volume_name": "task-pv-volume"
+        }
+    },
+    "metricset": {
+        "name": "state_persistentvolumeclaim",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_pod.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_pod.md
new file mode 100644
index 000000000000..9d4211a49aff
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_pod.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-state_pod.html
+---
+
+# Kubernetes state_pod metricset [metricbeat-metricset-kubernetes-state_pod]
+
+This is the `state_pod` metricset of the Kubernetes module.
+
+## Fields [_fields_155]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.pod",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "namespace": "default",
+        "node": {
+            "name": "kind-control-plane"
+        },
+        "pod": {
+            "host_ip": "172.21.0.2",
+            "ip": "10.244.0.173",
+            "name": "hello-28564555-zdfjz",
+            "status": {
+                "phase": "succeeded",
+                "ready": "false",
+                "scheduled": "true"
+            }
+        }
+    },
+    "metricset": {
+        "name": "state_pod",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_replicaset.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_replicaset.md
new file mode 100644
index 000000000000..0051cbdc0594
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_replicaset.md
@@ -0,0 +1,48 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-state_replicaset.html
+---
+
+# Kubernetes state_replicaset metricset [metricbeat-metricset-kubernetes-state_replicaset]
+
+This is the `state_replicaset` metricset of the Kubernetes module.
+
+## Fields [_fields_156]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.replicaset",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "namespace": "local-path-storage",
+        "replicaset": {
+            "name": "local-path-provisioner-7577fdbbfb",
+            "replicas": {
+                "available": 1,
+                "desired": 1,
+                "labeled": 1,
+                "observed": 1,
+                "ready": 1
+            }
+        }
+    },
+    "metricset": {
+        "name": "state_replicaset",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_resourcequota.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_resourcequota.md
new file mode 100644
index 000000000000..591348135bd3
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_resourcequota.md
@@ -0,0 +1,44 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-state_resourcequota.html
+---
+
+# Kubernetes state_resourcequota metricset [metricbeat-metricset-kubernetes-state_resourcequota]
+
+The `state_resourcequota` metricset for kubernetes reads from `kube-state-metrics`.
+
+## Fields [_fields_157]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.resourcequota",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "namespace": "default",
+        "resourcequota": {
+            "created": {
+                "sec": 1713862291
+            },
+            "name": "pods-high"
+        }
+    },
+    "metricset": {
+        "name": "state_resourcequota",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_service.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_service.md
new file mode 100644
index 000000000000..9ecdbda49bb8
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_service.md
@@ -0,0 +1,44 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-state_service.html
+---
+
+# Kubernetes state_service metricset [metricbeat-metricset-kubernetes-state_service]
+
+The `state_service` metricset for kubernetes service related metrics from `kube-state-metrics`.
+
+## Fields [_fields_158]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.service",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "namespace": "kube-system",
+        "service": {
+            "cluster_ip": "10.96.0.10",
+            "created": "2024-04-23T08:49:44.000Z",
+            "name": "kube-dns",
+            "type": "ClusterIP"
+        }
+    },
+    "metricset": {
+        "name": "state_service",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_statefulset.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_statefulset.md
new file mode 100644
index 000000000000..4de049ef3ff6
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_statefulset.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-state_statefulset.html
+---
+
+# Kubernetes state_statefulset metricset [metricbeat-metricset-kubernetes-state_statefulset]
+
+This is the `state_statefulset` metricset of the Kubernetes module.
+
+## Fields [_fields_159]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.statefulset",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "namespace": "default",
+        "statefulset": {
+            "created": 1713862291,
+            "generation": {
+                "desired": 1,
+                "observed": 1
+            },
+            "name": "web",
+            "replicas": {
+                "desired": 1,
+                "observed": 1,
+                "ready": 1
+            }
+        }
+    },
+    "metricset": {
+        "name": "state_statefulset",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_storageclass.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_storageclass.md
new file mode 100644
index 000000000000..3e50c62f5940
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-state_storageclass.md
@@ -0,0 +1,44 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-state_storageclass.html
+---
+
+# Kubernetes state_storageclass metricset [metricbeat-metricset-kubernetes-state_storageclass]
+
+The `state_storageclass` metricset for kubernetes storage class related metrics from `kube-state-metrics`.
+
+## Fields [_fields_160]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "kubernetes.storageclass",
+        "duration": 115000,
+        "module": "kubernetes"
+    },
+    "kubernetes": {
+        "storageclass": {
+            "created": "2024-04-23T08:49:46.000Z",
+            "name": "standard",
+            "provisioner": "rancher.io/local-path",
+            "reclaim_policy": "Delete",
+            "volume_binding_mode": "WaitForFirstConsumer"
+        }
+    },
+    "metricset": {
+        "name": "state_storageclass",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "kubernetes"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-system.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-system.md
new file mode 100644
index 000000000000..8263f12d0665
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-system.md
@@ -0,0 +1,66 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-system.html
+---
+
+# Kubernetes system metricset [metricbeat-metricset-kubernetes-system]
+
+This is the `system` metricset of the Kubernetes module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_161]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-04-06T15:29:27.150Z",
+    "beat": {
+        "hostname": "beathost",
+        "name": "beathost",
+        "version": "6.0.0-alpha1"
+    },
+    "kubernetes": {
+        "node": {
+            "name": "localhost"
+        },
+        "system": {
+            "container": "kubernetes",
+            "cpu": {
+                "usage": {
+                    "core": {
+                        "ns": 1424273250468228
+                    },
+                    "nanocores": 382404825
+                }
+            },
+            "memory": {
+                "majorpagefaults": 49,
+                "pagefaults": 22921778663,
+                "rss": {
+                    "bytes": 159412224
+                },
+                "usage": {
+                    "bytes": 223035392
+                },
+                "workingset": {
+                    "bytes": 169037824
+                }
+            },
+            "start_time": "2017-02-08T10:35:02Z"
+        }
+    },
+    "metricset": {
+        "host": "localhost:10255",
+        "module": "kubernetes",
+        "name": "system",
+        "rtt": 640649
+    },
+    "type": "metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kubernetes-volume.md b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-volume.md
new file mode 100644
index 000000000000..4bd58306d1dd
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kubernetes-volume.md
@@ -0,0 +1,64 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kubernetes-volume.html
+---
+
+# Kubernetes volume metricset [metricbeat-metricset-kubernetes-volume]
+
+This is the `volume` metricset of the Kubernetes module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_162]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kubernetes.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-04-06T15:29:27.150Z",
+    "beat": {
+        "hostname": "beathost",
+        "name": "beathost",
+        "version": "6.0.0-alpha1"
+    },
+    "kubernetes": {
+        "namespace": "ns",
+        "node": {
+          "name": "localhost",
+        },
+        "pod": {
+            "name": "nginx-3137573019-pcfzh",
+        },
+        "volume": {
+            "fs": {
+                "available": {
+                    "bytes": 92849512448
+                },
+                "capacity": {
+                    "bytes": 92849524736
+                },
+                "inodes": {
+                    "count": 22668341,
+                    "free": 22668332,
+                    "used": 9
+                },
+                "used": {
+                    "bytes": 12288
+                }
+            },
+            "name": "default-token-4fkmg"
+        }
+    },
+    "metricset": {
+        "host": "localhost:10255",
+        "module": "kubernetes",
+        "name": "volume",
+        "rtt": 648606
+    },
+    "type": "metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kvm-dommemstat.md b/docs/reference/metricbeat/metricbeat-metricset-kvm-dommemstat.md
new file mode 100644
index 000000000000..952745bffe10
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kvm-dommemstat.md
@@ -0,0 +1,55 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kvm-dommemstat.html
+---
+
+# KVM dommemstat metricset [metricbeat-metricset-kvm-dommemstat]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the dommemstat metricset of the module kvm.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_163]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kvm.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event":{
+      "dataset":"kvm.dommemstat",
+      "module":"kvm",
+      "duration":4012216
+   },
+   "metricset":{
+      "name":"dommemstat"
+   },
+   "service":{
+      "address":"unix:///var/run/libvirt/libvirt-sock",
+      "type":"kvm"
+   },
+   "kvm":{
+      "dommemstat":{
+         "stat":{
+            "name":"actualballoon",
+            "value":524288
+         },
+         "id":1,
+         "name":"generic-2"
+      }
+   }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-kvm-status.md b/docs/reference/metricbeat/metricbeat-metricset-kvm-status.md
new file mode 100644
index 000000000000..64037ec44496
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-kvm-status.md
@@ -0,0 +1,49 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-kvm-status.html
+---
+
+# KVM status metricset [metricbeat-metricset-kvm-status]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the status metricset of the module kvm.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_164]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-kvm.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "kvm.status",
+        "duration": 115000,
+        "module": "kvm"
+    },
+    "kvm": {
+        "id": 1,
+        "name": "buster-amd64",
+        "status": {
+            "state": "running"
+        }
+    },
+    "metricset": {
+        "name": "status",
+        "period": 10000
+    },
+    "service": {
+        "address": "unix:///var/run/libvirt/libvirt-sock",
+        "type": "kvm"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-linux-conntrack.md b/docs/reference/metricbeat/metricbeat-metricset-linux-conntrack.md
new file mode 100644
index 000000000000..659826d07643
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-linux-conntrack.md
@@ -0,0 +1,53 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-linux-conntrack.html
+---
+
+# Linux conntrack metricset [metricbeat-metricset-linux-conntrack]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The conntrack module reports on performance counters for the linux connection tracking component of netfilter. Conntrack uses a [hash table](http://people.netfilter.org/pablo/docs/login.pdf) to track the state of network connections.
+
+## Fields [_fields_165]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-linux.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "linux.conntrack",
+        "duration": 115000,
+        "module": "linux"
+    },
+    "linux": {
+        "conntrack": {
+            "summary": {
+                "drop": 0,
+                "early_drop": 0,
+                "entries": 16,
+                "found": 0,
+                "ignore": 3271028,
+                "insert_failed": 0,
+                "invalid": 122,
+                "search_restart": 3
+            }
+        }
+    },
+    "metricset": {
+        "name": "conntrack",
+        "period": 10000
+    },
+    "service": {
+        "type": "linux"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-linux-iostat.md b/docs/reference/metricbeat/metricbeat-metricset-linux-iostat.md
new file mode 100644
index 000000000000..0e4584e5f1fb
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-linux-iostat.md
@@ -0,0 +1,78 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-linux-iostat.html
+---
+
+# Linux iostat metricset [metricbeat-metricset-linux-iostat]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The iostat module reports per-disk IO statistics that emulate `iostat -x` on linux.
+
+::::{note}
+as of now, this data is part of system/diskio on Metricbeat, but can only be found in the Linux integration in Fleet. In the future, this data will be removed from system/memory.
+::::
+
+
+## Fields [_fields_166]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-linux.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "linux.iostat",
+        "duration": 115000,
+        "module": "linux"
+    },
+    "linux": {
+        "iostat": {
+            "await": 0,
+            "busy": 0.1503,
+            "name": "sda",
+            "queue": {
+                "avg_size": 0.0005
+            },
+            "read": {
+                "await": 0,
+                "per_sec": {
+                    "bytes": 0
+                },
+                "request": {
+                    "merges_per_sec": 0,
+                    "per_sec": 0
+                }
+            },
+            "request": {
+                "avg_size": 2867.2
+            },
+            "service_time": 0.3,
+            "write": {
+                "await": 0,
+                "per_sec": {
+                    "bytes": 14365.929
+                },
+                "request": {
+                    "merges_per_sec": 0,
+                    "per_sec": 5.0104
+                }
+            }
+        }
+    },
+    "metricset": {
+        "name": "iostat",
+        "period": 10000
+    },
+    "service": {
+        "type": "linux"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-linux-ksm.md b/docs/reference/metricbeat/metricbeat-metricset-linux-ksm.md
new file mode 100644
index 000000000000..8bc4bfbd68a8
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-linux-ksm.md
@@ -0,0 +1,52 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-linux-ksm.html
+---
+
+# Linux ksm metricset [metricbeat-metricset-linux-ksm]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The KSM module reports data from [Kernel Samepage Merging](https://www.kernel.org/doc/html/latest/admin-guide/mm/ksm.html). In order to take advantage of KSM, applications must use the `madvise` system call to mark memory regions for merging. KSM is not enabled on all distros, and KSM status is set with the `CONFIG_KSM` kernel flag.
+
+## Fields [_fields_167]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-linux.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "linux.ksm",
+        "duration": 115000,
+        "module": "linux"
+    },
+    "linux": {
+        "ksm": {
+            "stats": {
+                "pages_shared": 100,
+                "pages_sharing": 10,
+                "pages_unshared": 0,
+                "pages_volatile": 0,
+                "full_scans": 2000,
+                "stable_node_chains": 0,
+                "stable_node_dups": 0
+            }
+        }
+    },
+    "metricset": {
+        "name": "ksm",
+        "period": 10000
+    },
+    "service": {
+        "type": "linux"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-linux-memory.md b/docs/reference/metricbeat/metricbeat-metricset-linux-memory.md
new file mode 100644
index 000000000000..effbce9fb606
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-linux-memory.md
@@ -0,0 +1,272 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-linux-memory.html
+---
+
+# Linux memory metricset [metricbeat-metricset-linux-memory]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The memory metricset extends system/memory and adds linux-specific memory metrics, including Huge Pages and overall paging statistics.
+
+::::{note}
+as of now, this data is part of system/memory on Metricbeat, but can only be found in the Linux integration in Fleet. In the future, this data will be removed from system/memory.
+::::
+
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_168]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-linux.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "linux.memory",
+        "duration": 115000,
+        "module": "linux"
+    },
+    "linux": {
+        "memory": {
+            "hugepages": {
+                "default_size": 2097152,
+                "free": 0,
+                "reserved": 0,
+                "surplus": 0,
+                "swap": {
+                    "out": {
+                        "fallback": 0,
+                        "pages": 0
+                    }
+                },
+                "total": 0,
+                "used": {
+                    "bytes": 0,
+                    "pct": 0
+                }
+            },
+            "page_stats": {
+                "direct_efficiency": {
+                    "pct": 0.3419
+                },
+                "kswapd_efficiency": {
+                    "pct": 0.8922
+                },
+                "pgfree": {
+                    "pages": 16328309361
+                },
+                "pgscan_direct": {
+                    "pages": 21037589
+                },
+                "pgscan_kswapd": {
+                    "pages": 49831
+                },
+                "pgsteal_direct": {
+                    "pages": 7193725
+                },
+                "pgsteal_kswapd": {
+                    "pages": 44459
+                }
+            },
+            "swap": {
+                "free": 8586252288,
+                "in": {
+                    "pages": 72435
+                },
+                "out": {
+                    "pages": 2032475
+                },
+                "readahead": {
+                    "cached": 5,
+                    "pages": 29
+                },
+                "total": 8589930496,
+                "used": {
+                    "bytes": 3678208,
+                    "pct": 0.0004
+                }
+            },
+            "vmstat": {
+                "allocstall_dma": 0,
+                "allocstall_dma32": 0,
+                "allocstall_movable": 60572,
+                "allocstall_normal": 1125,
+                "balloon_deflate": 0,
+                "balloon_inflate": 0,
+                "balloon_migrate": 0,
+                "cma_alloc_fail": 0,
+                "cma_alloc_success": 0,
+                "compact_daemon_free_scanned": 0,
+                "compact_daemon_migrate_scanned": 0,
+                "compact_daemon_wake": 2,
+                "compact_fail": 0,
+                "compact_free_scanned": 406096,
+                "compact_isolated": 15241,
+                "compact_migrate_scanned": 51056,
+                "compact_stall": 0,
+                "compact_success": 0,
+                "direct_map_level2_splits": 864,
+                "direct_map_level3_splits": 52,
+                "drop_pagecache": 0,
+                "drop_slab": 0,
+                "htlb_buddy_alloc_fail": 0,
+                "htlb_buddy_alloc_success": 0,
+                "kswapd_high_wmark_hit_quickly": 0,
+                "kswapd_inodesteal": 2,
+                "kswapd_low_wmark_hit_quickly": 1,
+                "nr_active_anon": 5553,
+                "nr_active_file": 1478109,
+                "nr_anon_pages": 1024369,
+                "nr_anon_transparent_hugepages": 140,
+                "nr_bounce": 0,
+                "nr_dirtied": 87806596,
+                "nr_dirty": 60,
+                "nr_dirty_background_threshold": 1339484,
+                "nr_dirty_threshold": 2682244,
+                "nr_file_hugepages": 0,
+                "nr_file_pages": 5302193,
+                "nr_file_pmdmapped": 0,
+                "nr_foll_pin_acquired": 2,
+                "nr_foll_pin_released": 2,
+                "nr_free_cma": 0,
+                "nr_free_pages": 8219610,
+                "nr_inactive_anon": 1046105,
+                "nr_inactive_file": 3825289,
+                "nr_isolated_anon": 0,
+                "nr_isolated_file": 0,
+                "nr_kernel_misc_reclaimable": 0,
+                "nr_kernel_stack": 14144,
+                "nr_mapped": 191441,
+                "nr_mlock": 0,
+                "nr_page_table_pages": 6756,
+                "nr_shmem": 9446,
+                "nr_shmem_hugepages": 0,
+                "nr_shmem_pmdmapped": 0,
+                "nr_slab_reclaimable": 362837,
+                "nr_slab_unreclaimable": 167630,
+                "nr_swapcached": 2,
+                "nr_throttled_written": 0,
+                "nr_unevictable": 768,
+                "nr_unstable": 0,
+                "nr_vmscan_immediate_reclaim": 10,
+                "nr_vmscan_write": 2032594,
+                "nr_writeback": 0,
+                "nr_writeback_temp": 0,
+                "nr_written": 77862049,
+                "nr_zone_active_anon": 5553,
+                "nr_zone_active_file": 1478109,
+                "nr_zone_inactive_anon": 1046105,
+                "nr_zone_inactive_file": 3825289,
+                "nr_zone_unevictable": 768,
+                "nr_zone_write_pending": 60,
+                "nr_zspages": 477,
+                "numa_foreign": 0,
+                "numa_hint_faults": 0,
+                "numa_hint_faults_local": 0,
+                "numa_hit": 16320172649,
+                "numa_huge_pte_updates": 0,
+                "numa_interleave": 2819,
+                "numa_local": 16319863485,
+                "numa_miss": 0,
+                "numa_other": 0,
+                "numa_pages_migrated": 0,
+                "numa_pte_updates": 0,
+                "oom_kill": 0,
+                "pageoutrun": 2,
+                "pgactivate": 49439150,
+                "pgalloc_dma": 1024,
+                "pgalloc_dma32": 819165,
+                "pgalloc_movable": 0,
+                "pgalloc_normal": 16318820409,
+                "pgdeactivate": 2560804,
+                "pgdemote_direct": 0,
+                "pgdemote_kswapd": 0,
+                "pgfault": 19447993645,
+                "pgfree": 16328309361,
+                "pginodesteal": 677,
+                "pglazyfree": 40011,
+                "pglazyfreed": 4375,
+                "pgmajfault": 112209,
+                "pgmigrate_fail": 778,
+                "pgmigrate_success": 7169,
+                "pgpgin": 28240034,
+                "pgpgout": 472429900,
+                "pgrefill": 2602042,
+                "pgreuse": 742840224,
+                "pgrotated": 316,
+                "pgscan_anon": 15494945,
+                "pgscan_direct": 21037589,
+                "pgscan_direct_throttle": 0,
+                "pgscan_file": 5592475,
+                "pgscan_kswapd": 49831,
+                "pgskip_dma": 0,
+                "pgskip_dma32": 0,
+                "pgskip_movable": 0,
+                "pgskip_normal": 0,
+                "pgsteal_anon": 2032475,
+                "pgsteal_direct": 7193725,
+                "pgsteal_file": 5205709,
+                "pgsteal_kswapd": 44459,
+                "pswpin": 72435,
+                "pswpout": 2032475,
+                "slabs_scanned": 1097218,
+                "swap_ra": 29,
+                "swap_ra_hit": 5,
+                "thp_collapse_alloc": 1212,
+                "thp_collapse_alloc_failed": 0,
+                "thp_deferred_split_page": 861,
+                "thp_fault_alloc": 10248,
+                "thp_fault_fallback": 0,
+                "thp_fault_fallback_charge": 0,
+                "thp_file_alloc": 0,
+                "thp_file_fallback": 0,
+                "thp_file_fallback_charge": 0,
+                "thp_file_mapped": 0,
+                "thp_migration_fail": 0,
+                "thp_migration_split": 0,
+                "thp_migration_success": 0,
+                "thp_split_page": 0,
+                "thp_split_page_failed": 0,
+                "thp_split_pmd": 3813,
+                "thp_split_pud": 0,
+                "thp_swpout": 0,
+                "thp_swpout_fallback": 0,
+                "thp_zero_page_alloc": 2,
+                "thp_zero_page_alloc_failed": 0,
+                "unevictable_pgs_cleared": 0,
+                "unevictable_pgs_culled": 56303,
+                "unevictable_pgs_mlocked": 36952,
+                "unevictable_pgs_munlocked": 36952,
+                "unevictable_pgs_rescued": 36952,
+                "unevictable_pgs_scanned": 0,
+                "unevictable_pgs_stranded": 0,
+                "workingset_activate_anon": 33561,
+                "workingset_activate_file": 56974,
+                "workingset_nodereclaim": 130600,
+                "workingset_nodes": 9668,
+                "workingset_refault_anon": 72435,
+                "workingset_refault_file": 448332,
+                "workingset_restore_anon": 0,
+                "workingset_restore_file": 40457,
+                "zone_reclaim_failed": 0
+            }
+        }
+    },
+    "metricset": {
+        "name": "memory",
+        "period": 10000
+    },
+    "service": {
+        "type": "linux"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-linux-pageinfo.md b/docs/reference/metricbeat/metricbeat-metricset-linux-pageinfo.md
new file mode 100644
index 000000000000..ea35b99500c2
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-linux-pageinfo.md
@@ -0,0 +1,349 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-linux-pageinfo.html
+---
+
+# Linux pageinfo metricset [metricbeat-metricset-linux-pageinfo]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The pageinfo metricset reports on paging statistics as found in `/proc/pagetypeinfo`
+
+Reported metrics are broken down by page type: DMA, DMA32, Normal, and Highmem. These types are further broken down by order, which represents zones of 2^ORDER*PAGE_SIZE. These metrics are divided into two reporting types: `buddyinfo`, which is summarized by page type, as in `/proc/buddyinfo`. `nodes` reports info broken down by memory migration type.
+
+This information can be used to determine memory fragmentation. The kernel [buddy algorithim](https://www.kernel.org/doc/gorman/html/understand/understand009.html) will always search for the smallest page order to allocate, and if none is available, a larger page order will be split into two "buddies." When memory is freed, the kernel will attempt to merge the "buddies." If the only available pages are at lower orders, this indicates fragmentation, as buddy pages cannot be merged.
+
+Note that page counts from `/proc/pagetypeinfo` will only display values up to 100,000.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_169]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-linux.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "linux.pageinfo",
+        "duration": 115000,
+        "module": "linux"
+    },
+    "linux": {
+        "pageinfo": {
+            "buddy_info": {
+                "DMA": {
+                    "0": 1,
+                    "1": 0,
+                    "10": 3,
+                    "2": 1,
+                    "3": 0,
+                    "4": 2,
+                    "5": 1,
+                    "6": 1,
+                    "7": 0,
+                    "8": 1,
+                    "9": 1
+                },
+                "DMA32": {
+                    "0": 3,
+                    "1": 4,
+                    "10": 745,
+                    "2": 1,
+                    "3": 2,
+                    "4": 2,
+                    "5": 2,
+                    "6": 2,
+                    "7": 2,
+                    "8": 2,
+                    "9": 3
+                },
+                "Normal": {
+                    "0": 3409,
+                    "1": 4916,
+                    "10": 292,
+                    "2": 4010,
+                    "3": 4853,
+                    "4": 3613,
+                    "5": 2472,
+                    "6": 793,
+                    "7": 552,
+                    "8": 189,
+                    "9": 148
+                }
+            },
+            "nodes": {
+                "0": {
+                    "DMA": {
+                        "CMA": {
+                            "0": 0,
+                            "1": 0,
+                            "10": 0,
+                            "2": 0,
+                            "3": 0,
+                            "4": 0,
+                            "5": 0,
+                            "6": 0,
+                            "7": 0,
+                            "8": 0,
+                            "9": 0
+                        },
+                        "HighAtomic": {
+                            "0": 0,
+                            "1": 0,
+                            "10": 0,
+                            "2": 0,
+                            "3": 0,
+                            "4": 0,
+                            "5": 0,
+                            "6": 0,
+                            "7": 0,
+                            "8": 0,
+                            "9": 0
+                        },
+                        "Isolate": {
+                            "0": 0,
+                            "1": 0,
+                            "10": 0,
+                            "2": 0,
+                            "3": 0,
+                            "4": 0,
+                            "5": 0,
+                            "6": 0,
+                            "7": 0,
+                            "8": 0,
+                            "9": 0
+                        },
+                        "Movable": {
+                            "0": 0,
+                            "1": 0,
+                            "10": 3,
+                            "2": 0,
+                            "3": 0,
+                            "4": 0,
+                            "5": 0,
+                            "6": 0,
+                            "7": 0,
+                            "8": 0,
+                            "9": 1
+                        },
+                        "Reclaimable": {
+                            "0": 0,
+                            "1": 0,
+                            "10": 0,
+                            "2": 0,
+                            "3": 0,
+                            "4": 0,
+                            "5": 0,
+                            "6": 0,
+                            "7": 0,
+                            "8": 0,
+                            "9": 0
+                        },
+                        "Unmovable": {
+                            "0": 1,
+                            "1": 0,
+                            "10": 0,
+                            "2": 1,
+                            "3": 0,
+                            "4": 2,
+                            "5": 1,
+                            "6": 1,
+                            "7": 0,
+                            "8": 1,
+                            "9": 0
+                        }
+                    },
+                    "DMA32": {
+                        "CMA": {
+                            "0": 0,
+                            "1": 0,
+                            "10": 0,
+                            "2": 0,
+                            "3": 0,
+                            "4": 0,
+                            "5": 0,
+                            "6": 0,
+                            "7": 0,
+                            "8": 0,
+                            "9": 0
+                        },
+                        "HighAtomic": {
+                            "0": 0,
+                            "1": 0,
+                            "10": 0,
+                            "2": 0,
+                            "3": 0,
+                            "4": 0,
+                            "5": 0,
+                            "6": 0,
+                            "7": 0,
+                            "8": 0,
+                            "9": 0
+                        },
+                        "Isolate": {
+                            "0": 0,
+                            "1": 0,
+                            "10": 0,
+                            "2": 0,
+                            "3": 0,
+                            "4": 0,
+                            "5": 0,
+                            "6": 0,
+                            "7": 0,
+                            "8": 0,
+                            "9": 0
+                        },
+                        "Movable": {
+                            "0": 3,
+                            "1": 3,
+                            "10": 745,
+                            "2": 1,
+                            "3": 2,
+                            "4": 2,
+                            "5": 2,
+                            "6": 2,
+                            "7": 1,
+                            "8": 1,
+                            "9": 2
+                        },
+                        "Reclaimable": {
+                            "0": 0,
+                            "1": 0,
+                            "10": 0,
+                            "2": 0,
+                            "3": 0,
+                            "4": 0,
+                            "5": 0,
+                            "6": 0,
+                            "7": 0,
+                            "8": 0,
+                            "9": 0
+                        },
+                        "Unmovable": {
+                            "0": 0,
+                            "1": 1,
+                            "10": 0,
+                            "2": 0,
+                            "3": 0,
+                            "4": 0,
+                            "5": 0,
+                            "6": 0,
+                            "7": 1,
+                            "8": 1,
+                            "9": 1
+                        }
+                    },
+                    "Normal": {
+                        "CMA": {
+                            "0": 0,
+                            "1": 0,
+                            "10": 0,
+                            "2": 0,
+                            "3": 0,
+                            "4": 0,
+                            "5": 0,
+                            "6": 0,
+                            "7": 0,
+                            "8": 0,
+                            "9": 0
+                        },
+                        "HighAtomic": {
+                            "0": 0,
+                            "1": 0,
+                            "10": 0,
+                            "2": 0,
+                            "3": 0,
+                            "4": 0,
+                            "5": 0,
+                            "6": 0,
+                            "7": 0,
+                            "8": 0,
+                            "9": 0
+                        },
+                        "Isolate": {
+                            "0": 0,
+                            "1": 0,
+                            "10": 0,
+                            "2": 0,
+                            "3": 0,
+                            "4": 0,
+                            "5": 0,
+                            "6": 0,
+                            "7": 0,
+                            "8": 0,
+                            "9": 0
+                        },
+                        "Movable": {
+                            "0": 3137,
+                            "1": 4732,
+                            "10": 291,
+                            "2": 3687,
+                            "3": 2993,
+                            "4": 2337,
+                            "5": 1504,
+                            "6": 355,
+                            "7": 404,
+                            "8": 155,
+                            "9": 141
+                        },
+                        "Reclaimable": {
+                            "0": 0,
+                            "1": 0,
+                            "10": 0,
+                            "2": 1,
+                            "3": 3,
+                            "4": 227,
+                            "5": 534,
+                            "6": 305,
+                            "7": 124,
+                            "8": 31,
+                            "9": 5
+                        },
+                        "Unmovable": {
+                            "0": 272,
+                            "1": 184,
+                            "10": 1,
+                            "2": 322,
+                            "3": 1857,
+                            "4": 1049,
+                            "5": 434,
+                            "6": 133,
+                            "7": 24,
+                            "8": 3,
+                            "9": 2
+                        }
+                    },
+                    "order_summary": {
+                        "0": 3413,
+                        "1": 4920,
+                        "10": 1040,
+                        "2": 4012,
+                        "3": 4855,
+                        "4": 3617,
+                        "5": 2475,
+                        "6": 796,
+                        "7": 554,
+                        "8": 192,
+                        "9": 152
+                    }
+                }
+            }
+        }
+    },
+    "metricset": {
+        "name": "pageinfo",
+        "period": 10000
+    },
+    "service": {
+        "type": "linux"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-linux-pressure.md b/docs/reference/metricbeat/metricbeat-metricset-linux-pressure.md
new file mode 100644
index 000000000000..0758019e1d04
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-linux-pressure.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-linux-pressure.html
+---
+
+# Linux pressure metricset [metricbeat-metricset-linux-pressure]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The Pressure module reports [Pressure Stall Information (PSI)](https://www.kernel.org/doc/Documentation/accounting/psi.txt) collected for the `cpu`, `memory`, and `io` files/resources found in `/proc/pressure`. PSI metrics are included in Linux kernel versions from 4.20. Some distributions might have PSI support, but have disabled the feature via the `CONFIG_PSI_DEFAULT_DISABLED` setting, to enable PSI metrics pass `psi=1` on the kernel command line during boot.
+
+## Fields [_fields_170]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-linux.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "linux.pressure",
+        "duration": 115000,
+        "module": "linux"
+    },
+    "linux": {
+        "pressure": {
+            "cpu": {
+                "some": {
+                    "10": 1.63,
+                    "300": 0.06,
+                    "60": 0.29,
+                    "total": 155911207
+                }
+            }
+        }
+    },
+    "metricset": {
+        "name": "pressure",
+        "period": 10000
+    },
+    "service": {
+        "type": "linux"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-linux-rapl.md b/docs/reference/metricbeat/metricbeat-metricset-linux-rapl.md
new file mode 100644
index 000000000000..ddcd52d0a030
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-linux-rapl.md
@@ -0,0 +1,96 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-linux-rapl.html
+---
+
+# Linux rapl metricset [metricbeat-metricset-linux-rapl]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The RAPL metricset reports power usage in Watts as reported by Intel’s RAPL (Running Average Power Limit) API. In practice, RAPL is used for setting power usage limits on a CPU, but it can also be used for monitoring power usage.
+
+RAPL is available on most Intel CPUs in some form since Sandy Bridge, however, this implementation requires a linux distro that exposes intel MSRs (model-specific registers) via `/dev/cpu/[CPU]/msr`. You can check to see if your linux distro and CPU support RAPL by running
+
+```
+sudo rdmsr 0x606
+```
+
+If that command returns a hex value such as `a1003`, RAPL is supported.
+
+RAPL divides a CPU into four domains, each one corresponding to a component within the hardware itself: `Package`, `DRAM`, `PP0` (usually the collective power usage of the cores), and `PP1` (usually the integrated GPU). Not all packages are available on all CPUs, and the RAPL metricset will report all RAPL domains that it finds.
+
+
+## msr-safe usage [_msr_safe_usage]
+
+This metricset also supports [msr-safe](https://github.com/LLNL/msr-safe), which allows a user to access an MSR device without root. The `rapl.use_msr_safe` flag in the linux module config will enable usage of the `/dev/cpu/[CPU]/msr_safe` device.
+
+For existing msr-safe installs, the following allowlist will open all RAPL MSRs for reading:
+
+```
+0x00000606 0x0000000000000000 # "SMSR_RAPL_POWER_UNIT"
+
+0x00000610 0x0000000000000000 # "SMSR_PACKAGE_POWER_LIMIT"
+0x00000611 0x0000000000000000 # "SMSR_PACKAGE_ENERGY_STATUS"
+0x00000613 0x0000000000000000 # "SMSR_PACKAGE_PERF_STATUS"
+0x00000614 0x0000000000000000 # "SMSR_PACKAGE_POWER_INFO"
+
+0x00000618 0x0000000000000000 # "SMSR_DRAM_POWER_LIMIT"
+0x00000619 0x0000000000000000 # "SMSR_DRAM_ENERGY_STATUS"
+0x0000061b 0x0000000000000000 # "SMSR_DRAM_PERF_STATUS"
+0x0000061c 0x0000000000000000 # "SMSR_DRAM_POWER_INFO"
+
+0x00000638 0x0000000000000000 # "SMSR_PP0_POWER_LIMIT"
+0x00000639 0x0000000000000000 # "SMSR_PP0_ENERGY_STATUS"
+0x0000063a 0x0000000000000000 # "SMSR_PP0_POLICY"
+0x0000063b 0x0000000000000000 # "SMSR_PP0_PERF_STATUS"
+
+0x00000640 0x0000000000000000 # "SMSR_PP1_POWER_LIMIT"
+0x00000641 0x0000000000000000 # "SMSR_PP1_ENERGY_STATUS"
+0x00000642 0x0000000000000000 # "SMSR_PP1_POLICY"
+```
+
+## Fields [_fields_171]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-linux.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "linux.rapl",
+        "duration": 115000,
+        "module": "linux"
+    },
+    "linux": {
+        "rapl": {
+            "core": 0,
+            "dram": {
+                "joules": 38106.59,
+                "watts": 5.912
+            },
+            "package": {
+                "joules": 25764.9984,
+                "watts": 11.5784
+            },
+            "pp0": {
+                "joules": 27353.5644,
+                "watts": 2.7159
+            }
+        }
+    },
+    "metricset": {
+        "name": "rapl",
+        "period": 10000
+    },
+    "service": {
+        "type": "linux"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-logstash-node.md b/docs/reference/metricbeat/metricbeat-metricset-logstash-node.md
new file mode 100644
index 000000000000..8c3aec057926
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-logstash-node.md
@@ -0,0 +1,130 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-logstash-node.html
+---
+
+# Logstash node metricset [metricbeat-metricset-logstash-node]
+
+This is the node metricset of the module Logstash.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_172]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-logstash.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "logstash.node",
+        "duration": 115000,
+        "module": "logstash"
+    },
+    "logstash": {
+        "cluster": {
+            "id": "VUwnkX_lTzCFP9VUoXT1IQ"
+        },
+        "elasticsearch": {
+            "cluster": {
+                "id": "VUwnkX_lTzCFP9VUoXT1IQ"
+            }
+        },
+        "node": {
+            "host": "7dc1b688baf4",
+            "id": "9a1f83e1-52b9-4625-a98a-6aa336f41719",
+            "jvm": {
+                "version": "11.0.10"
+            },
+            "state": {
+                "pipeline": {
+                    "id": "main",
+                    "hash": "5022893e09c573cc517eef12da3df428d41a45370e168b19031f5b6b0da3db22",
+                    "ephemeral_id": "0a6062d1-85e8-4e9b-b943-d80573912692",
+                    "representation": {
+                        "graph": {
+                            "vertices": [
+                                {
+                                    "config_name": "beats",
+                                    "explicit_id": false,
+                                    "id": "293e8492626c637c237bf394279270356589b77d285ea009a555e19977779693",
+                                    "meta": {
+                                        "source": {
+                                            "column": 3,
+                                            "id": "/usr/share/logstash/pipeline/logstash.conf",
+                                            "line": 2,
+                                            "protocol": "file"
+                                        }
+                                    },
+                                    "plugin_type": "input",
+                                    "type": "plugin"
+                                },
+                                {
+                                    "explicit_id": false,
+                                    "id": "__QUEUE__",
+                                    "meta": null,
+                                    "type": "queue"
+                                },
+                                {
+                                    "config_name": "elasticsearch",
+                                    "explicit_id": false,
+                                    "id": "942f820402532e034dc5b27a680547732f49dc4b5e48df0475d280eb31382e0d",
+                                    "meta": {
+                                        "source": {
+                                            "column": 3,
+                                            "id": "/usr/share/logstash/pipeline/logstash.conf",
+                                            "line": 8,
+                                            "protocol": "file"
+                                        }
+                                    },
+                                    "plugin_type": "output",
+                                    "type": "plugin"
+                                }
+                            ],
+                            "edges": [
+                                {
+                                    "from": "293e8492626c637c237bf394279270356589b77d285ea009a555e19977779693",
+                                    "id": "af355ece7f2645e789bd864dd4745756782431bb85e6ea2e5b3ad6d546bca889",
+                                    "to": "__QUEUE__",
+                                    "type": "plain"
+                                },
+                                {
+                                    "from": "__QUEUE__",
+                                    "id": "7eb9677f7cb798312f3dc1ac5ab2469a9f2166f6144da511fe339a31f9fd9b38",
+                                    "to": "942f820402532e034dc5b27a680547732f49dc4b5e48df0475d280eb31382e0d",
+                                    "type": "plain"
+                                }
+                            ]
+                        },
+                        "type": "lir",
+                        "version": "0.0.0",
+                        "hash": "5022893e09c573cc517eef12da3df428d41a45370e168b19031f5b6b0da3db22"
+                    },
+                    "batch_size": 125,
+                    "workers": 12
+                }
+            },
+            "version": "7.12.0"
+        }
+    },
+    "metricset": {
+        "name": "node",
+        "period": 10000
+    },
+    "process": {
+        "pid": 1
+    },
+    "service": {
+        "address": "172.20.0.3:9600",
+        "hostname": "7dc1b688baf4",
+        "id": "9a1f83e1-52b9-4625-a98a-6aa336f41719",
+        "name": "logstash",
+        "type": "logstash",
+        "version": "7.12.0"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-logstash-node_stats.md b/docs/reference/metricbeat/metricbeat-metricset-logstash-node_stats.md
new file mode 100644
index 000000000000..8ed1205c5c29
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-logstash-node_stats.md
@@ -0,0 +1,167 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-logstash-node_stats.html
+---
+
+# Logstash node_stats metricset [metricbeat-metricset-logstash-node_stats]
+
+This is the node metricset of the module Logstash.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_173]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-logstash.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "logstash.node.stats",
+        "duration": 115000,
+        "module": "logstash"
+    },
+    "logstash": {
+        "cluster": {
+           "id": "VUwnkX_lTzCFP9VUoXT1IQ"
+        },
+        "elasticsearch": {
+            "cluster": {
+               "id": "VUwnkX_lTzCFP9VUoXT1IQ"
+            }
+        },
+        "node": {
+            "stats": {
+                "events": {
+                    "duration_in_millis": 0,
+                    "in": 0,
+                    "filtered": 0,
+                    "out": 0
+                },
+                "jvm": {
+                    "gc": {
+                        "collectors": {
+                            "old": {
+                                "collection_count": 3,
+                                "collection_time_in_millis": 738
+                            },
+                            "young": {
+                                "collection_count": 9,
+                                "collection_time_in_millis": 422
+                            }
+                        }
+                    },
+                    "mem": {
+                        "heap_max_in_bytes": 1037959168,
+                        "heap_used_in_bytes": 309034360,
+                        "heap_used_percent": 29
+                    },
+                    "uptime_in_millis": 551958
+                },
+                "reloads": {
+                    "failures": 0,
+                    "successes": 0
+                },
+                "queue": {
+                    "events_count": 0
+                },
+                "process": {
+                    "open_file_descriptors": 171,
+                    "max_file_descriptors": 1024,
+                    "cpu": {
+                        "percent": 0
+                    }
+                },
+                "os": {
+                    "cpu": {
+                        "percent": 0,
+                        "load_average": {
+                            "15m": 1.69,
+                            "1m": 1.51,
+                            "5m": 1.69
+                        }
+                    },
+                    "cgroup": {
+                        "cpuacct": null,
+                        "cpu": {
+                            "stat": null,
+                            "control_group": ""
+                        }
+                    }
+                },
+                "pipelines": [
+                    {
+                        "id": "main",
+                        "hash": "5022893e09c573cc517eef12da3df428d41a45370e168b19031f5b6b0da3db22",
+                        "ephemeral_id": "0a6062d1-85e8-4e9b-b943-d80573912692",
+                        "events": {
+                            "duration_in_millis": 0,
+                            "filtered": 0,
+                            "in": 0,
+                            "out": 0,
+                            "queue_push_duration_in_millis": 0
+                        },
+                        "reloads": {
+                            "successes": 0,
+                            "failures": 0
+                        },
+                        "queue": {
+                            "events_count": 0,
+                            "max_queue_size_in_bytes": 0,
+                            "queue_size_in_bytes": 0,
+                            "type": "memory"
+                        },
+                        "vertices": [
+                            {
+                                "events_out": 0,
+                                "id": "293e8492626c637c237bf394279270356589b77d285ea009a555e19977779693",
+                                "pipeline_ephemeral_id": "0a6062d1-85e8-4e9b-b943-d80573912692",
+                                "queue_push_duration_in_millis": 0
+                            },
+                            {
+                                "cluster_uuid": "VUwnkX_lTzCFP9VUoXT1IQ",
+                                "duration_in_millis": 6011,
+                                "events_in": 0,
+                                "events_out": 0,
+                                "id": "942f820402532e034dc5b27a680547732f49dc4b5e48df0475d280eb31382e0d",
+                                "pipeline_ephemeral_id": "0a6062d1-85e8-4e9b-b943-d80573912692"
+                            }
+                        ]
+                    }
+                ],
+                "logstash": {
+                    "uuid": "9a1f83e1-52b9-4625-a98a-6aa336f41719",
+                    "ephemeral_id": "cead1f28-1e2d-4ef3-9f0b-93c10447e6e7",
+                    "name": "7dc1b688baf4",
+                    "host": "7dc1b688baf4",
+                    "version": "7.12.0",
+                    "snapshot": false,
+                    "status": "green",
+                    "http_address": "0.0.0.0:9600",
+                    "pipeline": {
+                        "batch_size": 125,
+                        "workers": 12
+                    }
+                },
+                "timestamp": "2021-11-03T16:22:10.651Z"
+            }
+        }
+    },
+    "metricset": {
+        "name": "node_stats",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.20.0.3:9600",
+        "hostname": "7dc1b688baf4",
+        "id": "",
+        "name": "logstash",
+        "type": "logstash",
+        "version": "7.12.0"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-memcached-stats.md b/docs/reference/metricbeat/metricbeat-metricset-memcached-stats.md
new file mode 100644
index 000000000000..8d6b303df38f
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-memcached-stats.md
@@ -0,0 +1,76 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-memcached-stats.html
+---
+
+# Memcached stats metricset [metricbeat-metricset-memcached-stats]
+
+This is the `stats` metricset of the Memcached module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_174]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-memcached.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "dataset": "memcached.stats",
+        "duration": 115000,
+        "module": "memcached"
+    },
+    "memcached": {
+        "stats": {
+            "bytes": {
+                "current": 0,
+                "limit": 67108864
+            },
+            "cmd": {
+                "get": 0,
+                "set": 0
+            },
+            "connections": {
+                "current": 10,
+                "total": 135
+            },
+            "evictions": 0,
+            "get": {
+                "hits": 0,
+                "misses": 0
+            },
+            "items": {
+                "current": 0,
+                "total": 0
+            },
+            "pid": 1,
+            "read": {
+                "bytes": 18
+            },
+            "threads": 4,
+            "uptime": {
+                "sec": 139
+            },
+            "written": {
+                "bytes": 2616
+            }
+        }
+    },
+    "metricset": {
+        "name": "stats"
+    },
+    "service": {
+        "address": "172.26.0.2:11211",
+        "type": "memcached"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-meraki-device_health.md b/docs/reference/metricbeat/metricbeat-metricset-meraki-device_health.md
new file mode 100644
index 000000000000..a496e7cf3eeb
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-meraki-device_health.md
@@ -0,0 +1,107 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-meraki-device_health.html
+---
+
+# Cisco Meraki device_health metricset [metricbeat-metricset-meraki-device_health]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the device_health metricset of the module meraki.
+
+## Fields [_fields_175]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-memcached.md#exported-fields-meraki) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2024-09-15T22:33:30.079Z",
+    "service": {
+        "type": "meraki"
+    },
+    "ecs": {
+        "version": "8.0.0"
+    },
+    "host": {
+        "name": "Toms-MBP.broadband"
+    },
+    "agent": {
+        "id": "77b8b5ed-245e-4ddc-a98c-195ffa174328",
+        "name": "Toms-MBP.broadband",
+        "type": "metricbeat",
+        "version": "9.0.0",
+        "ephemeral_id": "cb124423-75db-4ef5-87d3-6b37434d3a17"
+    },
+    "event": {
+        "duration": 9445416042,
+        "dataset": "meraki.device_health",
+        "module": "meraki"
+    },
+    "metricset": {
+        "name": "device_health",
+        "period": 300000
+    },
+    "meraki": {
+        "organization_id": "125432",
+        "device": {
+            "location": [
+                -122.098531723022,
+                37.4180951010362
+            ],
+            "product_type": "switch",
+            "lan_ip": "192.168.128.54",
+            "mac": "00:18:0a:7d:9b:13",
+            "network_id": "N_577586652210304682",
+            "serial": "Q2HP-3M4W-3VJ8",
+            "name": "8 Port Switch",
+            "firmware": "switch-16-1",
+            "model": "MS220-8P"
+        },
+        "switch": {
+            "port": {
+                "poe_enabled": true,
+                "rstp_enabled": true,
+                "allowed_vlans": "all",
+                "status": {
+                    "enabled": true,
+                    "usage": {
+                        "sent": 0,
+                        "recv": 0,
+                        "total": 0
+                    },
+                    "status": "Disconnected",
+                    "secure_port": {
+                        "authentication_status": "Disabled",
+                        "active": false,
+                        "enabled": false
+                    },
+                    "is_uplink": false,
+                    "client_count": 0,
+                    "errors": [
+                        "Port disconnected"
+                    ],
+                    "throughput": {
+                        "recv": 0,
+                        "sent": 0,
+                        "total": 0
+                    }
+                },
+                "stp_guard": "disabled",
+                "type": "trunk",
+                "enabled": true,
+                "access_policy_type": "Open",
+                "vlan": 1,
+                "id": "10",
+                "link_negotiation": "Auto negotiate"
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-mongodb-collstats.md b/docs/reference/metricbeat/metricbeat-metricset-mongodb-collstats.md
new file mode 100644
index 000000000000..c728a8d356c5
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-mongodb-collstats.md
@@ -0,0 +1,126 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-mongodb-collstats.html
+---
+
+# MongoDB collstats metricset [metricbeat-metricset-mongodb-collstats]
+
+This is the `collstats` metricset of the module mongodb.
+
+It is using the `top` administrative command to return usage statistics for each collection. It provides the amount of time, in microseconds, used and a count of operations for the following types:
+
+* total
+* readLock
+* writeLock
+* queries
+* getmore
+* insert
+* update
+* remove
+* commands
+
+It requires the following privileges, which is covered by the [`clusterMonitor` role](https://docs.mongodb.com/manual/reference/built-in-roles/#clusterMonitor):
+
+* [`top` action](https://docs.mongodb.com/manual/reference/privilege-actions/#top) on [`cluster` resource](https://docs.mongodb.com/manual/reference/resource-document/#cluster-resource)
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_176]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-mongodb.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "mongodb.collstats",
+        "duration": 115000,
+        "module": "mongodb"
+    },
+    "metricset": {
+        "name": "collstats",
+        "period": 10000
+    },
+    "mongodb": {
+        "collstats": {
+            "collection": "oplog.rs",
+            "commands": {
+                "count": 0,
+                "time": {
+                    "us": 0
+                }
+            },
+            "db": "local",
+            "getmore": {
+                "count": 0,
+                "time": {
+                    "us": 0
+                }
+            },
+            "insert": {
+                "count": 0,
+                "time": {
+                    "us": 0
+                }
+            },
+            "lock": {
+                "read": {
+                    "count": 1,
+                    "time": {
+                        "us": 7
+                    }
+                },
+                "write": {
+                    "count": 1,
+                    "time": {
+                        "us": 6600
+                    }
+                }
+            },
+            "name": "local.oplog.rs",
+            "queries": {
+                "count": 0,
+                "time": {
+                    "us": 0
+                }
+            },
+            "remove": {
+                "count": 0,
+                "time": {
+                    "us": 0
+                }
+            },
+            "total": {
+                "count": 2,
+                "time": {
+                    "us": 6607
+                }
+            },
+            "update": {
+                "count": 0,
+                "time": {
+                    "us": 0
+                }
+            },
+            "stats": {
+                "totalSize": 8192,
+                "max": 5000,
+                "nindexes": 1,
+                "size": 36,
+                "count": 1,
+                "avgObjSize": 36,
+                "storageSize": 4096,
+                "totalIndexSize": 4096
+            }
+        }
+    },
+    "service": {
+        "address": "172.28.0.5:27017",
+        "type": "mongodb"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-mongodb-dbstats.md b/docs/reference/metricbeat/metricbeat-metricset-mongodb-dbstats.md
new file mode 100644
index 000000000000..6f65ffc2d0eb
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-mongodb-dbstats.md
@@ -0,0 +1,64 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-mongodb-dbstats.html
+---
+
+# MongoDB dbstats metricset [metricbeat-metricset-mongodb-dbstats]
+
+This is the `dbstats` metricset of the MongoDB module.
+
+It requires the following privileges, which is covered by the [`clusterMonitor` role](https://docs.mongodb.com/manual/reference/built-in-roles/#clusterMonitor):
+
+* [`listDatabases` action](https://docs.mongodb.com/manual/reference/privilege-actions/#listDatabases) on [`cluster` resource](https://docs.mongodb.com/manual/reference/resource-document/#cluster-resource)
+* for each of the databases, also need [`dbStats` action](https://docs.mongodb.com/manual/reference/privilege-actions/#dbStats) on the [`database` resource](https://docs.mongodb.com/manual/reference/resource-document/#database-and-or-collection-resource)
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_177]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-mongodb.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "mongodb.dbstats",
+        "duration": 115000,
+        "module": "mongodb"
+    },
+    "metricset": {
+        "name": "dbstats",
+        "period": 10000
+    },
+    "mongodb": {
+        "dbstats": {
+            "avg_obj_size": {
+                "bytes": 59
+            },
+            "collections": 1,
+            "data_size": {
+                "bytes": 59
+            },
+            "db": "admin",
+            "file_size": {},
+            "index_size": {
+                "bytes": 20480
+            },
+            "indexes": 1,
+            "ns_size_mb": {},
+            "objects": 1,
+            "storage_size": {
+                "bytes": 20480
+            }
+        }
+    },
+    "service": {
+        "address": "172.28.0.2:27017",
+        "type": "mongodb"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-mongodb-metrics.md b/docs/reference/metricbeat/metricbeat-metricset-mongodb-metrics.md
new file mode 100644
index 000000000000..61091fb14aed
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-mongodb-metrics.md
@@ -0,0 +1,255 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-mongodb-metrics.html
+---
+
+# MongoDB metrics metricset [metricbeat-metricset-mongodb-metrics]
+
+This is the `metrics` metricset of the MongoDB module.
+
+It requires the following privileges, which is covered by the [`clusterMonitor` role](https://docs.mongodb.com/manual/reference/built-in-roles/#clusterMonitor):
+
+* [`serverStatus` action](https://docs.mongodb.com/manual/reference/privilege-actions/#serverStatus) on [`cluster` resource](https://docs.mongodb.com/manual/reference/resource-document/#cluster-resource)
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_178]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-mongodb.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "mongodb.metrics",
+        "duration": 115000,
+        "module": "mongodb"
+    },
+    "metricset": {
+        "name": "metrics",
+        "period": 10000
+    },
+    "mongodb": {
+        "metrics": {
+            "commands": {
+                "aggregate": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "build_info": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "coll_stats": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "connection_pool_stats": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "count": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "db_stats": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "distinct": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "find": {
+                    "failed": 0,
+                    "total": 1
+                },
+                "get_cmd_line_opts": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "get_last_error": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "get_log": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "get_more": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "get_parameter": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "host_info": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "insert": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "is_master": {
+                    "failed": 0,
+                    "total": 6
+                },
+                "is_self": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "last_collections": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "last_commands": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "list_databased": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "list_indexes": {
+                    "failed": 0,
+                    "total": 2
+                },
+                "ping": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "profile": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "replset_get_rbid": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "replset_get_status": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "replset_heartbeat": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "replset_update_position": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "server_status": {
+                    "failed": 0,
+                    "total": 2
+                },
+                "update": {
+                    "failed": 0,
+                    "total": 0
+                },
+                "whatsmyuri": {
+                    "failed": 0,
+                    "total": 0
+                }
+            },
+            "cursor": {
+                "open": {
+                    "no_timeout": 0,
+                    "pinned": 0,
+                    "total": 0
+                },
+                "timed_out": 0
+            },
+            "document": {
+                "deleted": 0,
+                "inserted": 0,
+                "returned": 0,
+                "updated": 0
+            },
+            "get_last_error": {
+                "write_timeouts": 0,
+                "write_wait": {
+                    "count": 0,
+                    "ms": 0
+                }
+            },
+            "operation": {
+                "scan_and_order": 0,
+                "write_conflicts": 0
+            },
+            "query_executor": {
+                "scanned_documents": {
+                    "count": 0
+                },
+                "scanned_indexes": {
+                    "count": 0
+                }
+            },
+            "replication": {
+                "apply": {
+                    "attempts_to_become_secondary": 0,
+                    "batches": {
+                        "count": 0,
+                        "time": {
+                            "ms": 0
+                        }
+                    },
+                    "ops": 0
+                },
+                "buffer": {
+                    "count": 0,
+                    "max_size": {
+                        "bytes": 0
+                    },
+                    "size": {
+                        "bytes": 0
+                    }
+                },
+                "executor": {
+                    "queues": {
+                        "in_progress": {
+                            "network": 0
+                        },
+                        "sleepers": 0
+                    },
+                    "shutting_down": false,
+                    "unsignaled_events": 0
+                },
+                "initial_sync": {
+                    "completed": 0,
+                    "failed_attempts": 0,
+                    "failures": 0
+                },
+                "network": {
+                    "bytes": 0,
+                    "getmores": {
+                        "count": 0,
+                        "time": {
+                            "ms": 0
+                        }
+                    },
+                    "ops": 0,
+                    "reders_created": 0
+                }
+            },
+            "ttl": {
+                "deleted_documents": {
+                    "count": 0
+                },
+                "passes": {
+                    "count": 1
+                }
+            }
+        }
+    },
+    "service": {
+        "address": "172.28.0.3:27017",
+        "type": "mongodb"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-mongodb-replstatus.md b/docs/reference/metricbeat/metricbeat-metricset-mongodb-replstatus.md
new file mode 100644
index 000000000000..4ccd78bf2285
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-mongodb-replstatus.md
@@ -0,0 +1,112 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-mongodb-replstatus.html
+---
+
+# MongoDB replstatus metricset [metricbeat-metricset-mongodb-replstatus]
+
+This is the `replstatus` metricset of the module mongodb.
+
+It requires the following privileges, which is covered by the [`clusterMonitor` role](https://docs.mongodb.com/manual/reference/built-in-roles/#clusterMonitor):
+
+* [`find`/`listCollections` action](https://docs.mongodb.com/manual/reference/privilege-actions/#find) on [the `local` database resource](https://docs.mongodb.com/manual/reference/local-database/)
+* [`collStats` action](https://docs.mongodb.com/manual/reference/privilege-actions/#collStats) on [the `local.oplog.rs` collection resource](https://docs.mongodb.com/manual/reference/local-database/#local.oplog.rs)
+* [`replSetGetStatus` action](https://docs.mongodb.com/manual/reference/privilege-actions/#replSetGetStatus) on [`cluster` resource](https://docs.mongodb.com/manual/reference/resource-document/#cluster-resource)
+
+## Fields [_fields_179]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-mongodb.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "mongodb.replstatus",
+        "duration": 115000,
+        "module": "mongodb"
+    },
+    "metricset": {
+        "name": "replstatus",
+        "period": 10000
+    },
+    "mongodb": {
+        "replstatus": {
+            "headroom": {
+                "max": null,
+                "min": null
+            },
+            "lag": {
+                "max": null,
+                "min": null
+            },
+            "members": {
+                "arbiter": {
+                    "count": 0,
+                    "hosts": null
+                },
+                "down": {
+                    "count": 0,
+                    "hosts": null
+                },
+                "primary": {
+                    "host": "7ba9ef86c3b0:27017",
+                    "optime": 1651925294
+                },
+                "recovering": {
+                    "count": 0,
+                    "hosts": null
+                },
+                "rollback": {
+                    "count": 0,
+                    "hosts": null
+                },
+                "secondary": {
+                    "count": 0,
+                    "hosts": null,
+                    "optimes": null
+                },
+                "startup2": {
+                    "count": 0,
+                    "hosts": null
+                },
+                "unhealthy": {
+                    "count": 0,
+                    "hosts": null
+                },
+                "unknown": {
+                    "count": 0,
+                    "hosts": null
+                }
+            },
+            "oplog": {
+                "first": {
+                    "timestamp": 1651925294
+                },
+                "last": {
+                    "timestamp": 1651925294
+                },
+                "size": {
+                    "allocated": 2379247206,
+                    "used": 1323
+                },
+                "window": 0
+            },
+            "optimes": {
+                "applied": 1651925294,
+                "durable": 1651925294,
+                "last_committed": 1651925294
+            },
+            "server_date": "2022-05-07T12:08:19.506Z",
+            "set_name": "beats"
+        }
+    },
+    "service": {
+        "address": "172.28.0.3:27017",
+        "type": "mongodb"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-mongodb-status.md b/docs/reference/metricbeat/metricbeat-metricset-mongodb-status.md
new file mode 100644
index 000000000000..ef744a90c9b6
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-mongodb-status.md
@@ -0,0 +1,242 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-mongodb-status.html
+---
+
+# MongoDB status metricset [metricbeat-metricset-mongodb-status]
+
+This is the `status` metricset of the MongoDB module.
+
+It requires the following privileges, which is covered by the [`clusterMonitor` role](https://docs.mongodb.com/manual/reference/built-in-roles/#clusterMonitor):
+
+* [`serverStatus` action](https://docs.mongodb.com/manual/reference/privilege-actions/#serverStatus) on [`cluster` resource](https://docs.mongodb.com/manual/reference/resource-document/#cluster-resource)
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_180]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-mongodb.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "mongodb.status",
+        "duration": 115000,
+        "module": "mongodb"
+    },
+    "metricset": {
+        "name": "status",
+        "period": 10000
+    },
+    "mongodb": {
+        "status": {
+            "asserts": {
+                "msg": 0,
+                "regular": 0,
+                "rollovers": 0,
+                "user": 5,
+                "warning": 0
+            },
+            "connections": {
+                "available": 815,
+                "current": 4,
+                "total_created": 783
+            },
+            "extra_info": {
+                "heap_usage": {},
+                "page_faults": 14
+            },
+            "global_lock": {
+                "active_clients": {
+                    "readers": 0,
+                    "total": 18,
+                    "writers": 0
+                },
+                "current_queue": {
+                    "readers": 0,
+                    "total": 0,
+                    "writers": 0
+                },
+                "total_time": {
+                    "us": 793189000
+                }
+            },
+            "local_time": "2022-05-07T12:34:04.274Z",
+            "locks": {
+                "collection": {
+                    "acquire": {
+                        "count": {
+                            "W": 1,
+                            "r": 2741
+                        }
+                    },
+                    "deadlock": {},
+                    "wait": {}
+                },
+                "database": {
+                    "acquire": {
+                        "count": {
+                            "R": 2,
+                            "W": 16,
+                            "r": 3707,
+                            "w": 1
+                        }
+                    },
+                    "deadlock": {},
+                    "wait": {}
+                },
+                "global": {
+                    "acquire": {
+                        "count": {
+                            "W": 2,
+                            "r": 7453,
+                            "w": 17
+                        }
+                    },
+                    "deadlock": {},
+                    "wait": {}
+                },
+                "meta_data": {
+                    "acquire": {
+                        "count": {
+                            "w": 1
+                        }
+                    },
+                    "deadlock": {},
+                    "wait": {}
+                },
+                "oplog": {
+                    "acquire": {
+                        "count": {
+                            "r": 966,
+                            "w": 1
+                        }
+                    },
+                    "deadlock": {},
+                    "wait": {}
+                }
+            },
+            "memory": {
+                "bits": 64,
+                "mapped": {
+                    "mb": 0
+                },
+                "mapped_with_journal": {
+                    "mb": 0
+                },
+                "resident": {
+                    "mb": 66
+                },
+                "virtual": {
+                    "mb": 1183
+                }
+            },
+            "network": {
+                "in": {
+                    "bytes": 7845
+                },
+                "out": {
+                    "bytes": 204883
+                },
+                "requests": 93
+            },
+            "ops": {
+                "counters": {
+                    "command": 48,
+                    "delete": 0,
+                    "getmore": 0,
+                    "insert": 0,
+                    "query": 1,
+                    "update": 0
+                },
+                "latencies": {
+                    "commands": {
+                        "count": 48,
+                        "latency": 43041525
+                    },
+                    "reads": {
+                        "count": 0,
+                        "latency": 0
+                    },
+                    "writes": {
+                        "count": 0,
+                        "latency": 0
+                    }
+                },
+                "replicated": {
+                    "command": 0,
+                    "delete": 0,
+                    "getmore": 0,
+                    "insert": 0,
+                    "query": 0,
+                    "update": 0
+                }
+            },
+            "storage_engine": {
+                "name": "wiredTiger"
+            },
+            "uptime": {
+                "ms": 793190
+            },
+            "wired_tiger": {
+                "cache": {
+                    "dirty": {
+                        "bytes": 0
+                    },
+                    "maximum": {
+                        "bytes": 16113467392
+                    },
+                    "pages": {
+                        "evicted": 0,
+                        "read": 26,
+                        "write": 22
+                    },
+                    "used": {
+                        "bytes": 99789
+                    }
+                },
+                "concurrent_transactions": {
+                    "read": {
+                        "available": 128,
+                        "out": 0,
+                        "total_tickets": 128
+                    },
+                    "write": {
+                        "available": 128,
+                        "out": 0,
+                        "total_tickets": 128
+                    }
+                },
+                "log": {
+                    "flushes": 7918,
+                    "max_file_size": {
+                        "bytes": 104857600
+                    },
+                    "scans": 3,
+                    "size": {
+                        "bytes": 33554432
+                    },
+                    "syncs": 7,
+                    "write": {
+                        "bytes": 5120
+                    },
+                    "writes": 13
+                }
+            }
+        }
+    },
+    "process": {
+        "name": "mongod"
+    },
+    "service": {
+        "address": "172.28.0.2:27017",
+        "type": "mongodb",
+        "version": "3.4.24"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-mssql-performance.md b/docs/reference/metricbeat/metricbeat-metricset-mssql-performance.md
new file mode 100644
index 000000000000..513d564566bd
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-mssql-performance.md
@@ -0,0 +1,82 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-mssql-performance.html
+---
+
+# MSSQL performance metricset [metricbeat-metricset-mssql-performance]
+
+`performance` Metricset fetches information from what’s commonly known as [Performance Counters](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-os-performance-counters-transact-sql?view=sql-server-2017) in MSSQL.
+
+We fetch the following data:
+
+* **page_splits_per_sec**: Number of page splits per second that occur as the result of overflowing index pages.
+* **lock_waits_per_sec**: Number of lock requests per second that required the caller to wait.
+* **user_connections**: Total number of user connections
+* **transactions**: Total number of transactions
+* **active_temp_tables**: Number of temporary tables/table variables in use.
+* **connections_reset_per_sec**: Total number of logins started from the connection pool.
+* **logins_per_sec**: Total number of logins started per second. This does not include pooled connections.
+* **logouts_per_sec**: Total number of logout operations started per second.
+* **recompilations_per_sec**: Number of statement recompiles per second. Counts the number of times statement recompiles are triggered. Generally, you want the recompiles to be low.
+* **compilations_per_sec**: Number of SQL compilations per second. Indicates the number of times the compile code path is entered. Includes compiles caused by statement-level recompilations in SQL Server. After SQL Server user activity is stable, this value reaches a steady state.
+* **batch_requests_per_sec**: Number of Transact-SQL command batches received per second. This statistic is affected by all constraints (such as I/O, number of users, cache size, complexity of requests, and so on). High batch requests mean good throughput.
+* **cache_hit.pct**: The ratio is the total number of cache hits divided by the total number of cache lookups over the last few thousand page accesses. After a long period of time, the ratio moves very little. Because reading from the cache is much less expensive than reading from disk, you want this ratio to be high
+* **page_life_expectancy.sec**: Indicates the number of seconds a page will stay in the buffer pool without references (in seconds).
+* **buffer.checkpoint_pages_per_sec**: Indicates the number of pages flushed to disk per second by a checkpoint or other operation that require all dirty pages to be flushed.
+* **buffer.database_pages**: Indicates the number of pages in the buffer pool with database content.
+* **buffer.target_pages**: Ideal number of pages in the buffer pool.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_181]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-mssql.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "mssql.performance",
+        "duration": 115000,
+        "module": "mssql"
+    },
+    "metricset": {
+        "name": "performance",
+        "period": 10000
+    },
+    "mssql": {
+        "performance": {
+            "active_temp_tables": 0,
+            "batch_requests_per_sec": 7453,
+            "buffer": {
+                "cache_hit": {
+                    "pct": 0.55
+                },
+                "checkpoint_pages_per_sec": 124,
+                "database_pages": 2191,
+                "page_life_expectancy": {
+                    "sec": 2721
+                },
+                "target_pages": 1589248
+            },
+            "compilations_per_sec": 2503,
+            "connections_reset_per_sec": 61,
+            "lock_waits_per_sec": 4,
+            "logins_per_sec": 2448,
+            "logouts_per_sec": 2446,
+            "page_splits_per_sec": 15,
+            "recompilations_per_sec": 0,
+            "transactions": 0,
+            "user_connections": 2
+        }
+    },
+    "service": {
+        "address": "172.23.0.2:1433",
+        "type": "mssql"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-mssql-transaction_log.md b/docs/reference/metricbeat/metricbeat-metricset-mssql-transaction_log.md
new file mode 100644
index 000000000000..dc3aada11e2f
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-mssql-transaction_log.md
@@ -0,0 +1,82 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-mssql-transaction_log.html
+---
+
+# MSSQL transaction_log metricset [metricbeat-metricset-mssql-transaction_log]
+
+`transaction_log` Metricset fetches information about the operation and transaction log of each MSSQL database in the monitored instance. All data is extracted from the [Database Dynamic Management Views](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/database-related-dynamic-management-views-transact-sql?view=sql-server-2017)
+
+* **space_usage.since_last_backup.bytes**: The amount of space used since the last log backup in bytes
+* **space_usage.total.bytes**: The size of the log in bytes
+* **space_usage.used.bytes**: The occupied size of the log in bytes
+* **space_usage.used.pct**: A percentage of the occupied size of the log as a percent of the total log size
+* **stats.active_size.bytes**: Total active transaction log size in bytes
+* **stats.backup_time**: Last transaction log backup time.
+* **stats.recovery_size.bytes**: Log size in bytes since log recovery log sequence number (LSN).
+* **stats.since_last_checkpoint.bytes**: Log size in bytes since last checkpoint log sequence number (LSN).
+* **stats.total_size.bytes**: Total transaction log size in bytes.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_182]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-mssql.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "mssql.transaction_log",
+        "duration": 115000,
+        "module": "mssql"
+    },
+    "metricset": {
+        "name": "transaction_log",
+        "period": 10000
+    },
+    "mssql": {
+        "database": {
+            "id": 1,
+            "name": "master"
+        },
+        "transaction_log": {
+            "space_usage": {
+                "since_last_backup": {
+                    "bytes": 937984
+                },
+                "total": {
+                    "bytes": 2088960
+                },
+                "used": {
+                    "bytes": 1318912,
+                    "pct": 63.13725662231445
+                }
+            },
+            "stats": {
+                "active_size": {
+                    "bytes": 937983.737856
+                },
+                "backup_time": "1900-01-01T00:00:00Z",
+                "recovery_size": {
+                    "bytes": 0.894531
+                },
+                "since_last_checkpoint": {
+                    "bytes": 937983.737856
+                },
+                "total_size": {
+                    "bytes": 2088959.475712
+                }
+            }
+        }
+    },
+    "service": {
+        "address": "172.23.0.2:1433",
+        "type": "mssql"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-munin-node.md b/docs/reference/metricbeat/metricbeat-metricset-munin-node.md
new file mode 100644
index 000000000000..78feb3fc7a16
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-munin-node.md
@@ -0,0 +1,96 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-munin-node.html
+---
+
+# Munin node metricset [metricbeat-metricset-munin-node]
+
+This is the node metricset of the module munin.
+
+
+## Features and configuration [_features_and_configuration_3]
+
+The node metricset of the munin module collects metrics from a munin node agent and sends them as events to Elastic.
+
+```yaml
+
+```
+
+Metrics exposed by a single munin node will be sent in an event per plugin.
+
+For example with the previous configuration two events are sent like the following ones.
+
+```json
+---
+"munin": {
+  "plugin": {
+    "name": "swap"
+  },
+  "metrics": {
+    "swap_in": 198609,
+    "swap_out": 612629
+  }
+}
+```
+
+"munin": { "plugin": { "name": "cpu" } "metrics": { "softirq": 680, "guest": 0, "user": 158212, "iowait": 71095, "irq": 1, "system": 35906, "idle": 1185709, "steal": 0, "nice": 1633 } } ---
+
+In principle this module can be used to collect metrics from any agent that implements the munin node protocol ([http://guide.munin-monitoring.org/en/latest/master/network-protocol.html](http://guide.munin-monitoring.org/en/latest/master/network-protocol.html)).
+
+
+## Limitations [_limitations_2]
+
+Currently this module only collects metrics using the basic protocol. It doesn’t support capabilities or automatic dashboards generation based on munin configuration.
+
+
+## Exposed fields, dashboards, indexes, etc. [_exposed_fields_dashboards_indexes_etc_3]
+
+Munin supports a great variety of plugins each of them can be used to obtain different sets of metrics. Metricbeat cannot know the metrics exposed beforehand, so no field description or dashboard is generated automatically.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_183]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-munin.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "dataset": "munin.node",
+        "duration": 115000,
+        "module": "munin"
+    },
+    "metricset": {
+        "name": "node"
+    },
+    "munin": {
+        "metrics": {
+            "guest": 0,
+            "idle": 6999219,
+            "iowait": 5441,
+            "irq": 0,
+            "nice": 0,
+            "softirq": 6419,
+            "steal": 0,
+            "system": 374903,
+            "user": 486780
+        },
+        "plugin": {
+            "name": "cpu"
+        }
+    },
+    "service": {
+        "address": "127.0.0.1:4949",
+        "type": "cpu"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-mysql-galera_status.md b/docs/reference/metricbeat/metricbeat-metricset-mysql-galera_status.md
new file mode 100644
index 000000000000..205b083820a6
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-mysql-galera_status.md
@@ -0,0 +1,38 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-mysql-galera_status.html
+---
+
+# MySQL galera_status metricset [metricbeat-metricset-mysql-galera_status]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This module periodically fetches metrics from [Galera](http://galeracluster.com/)-MySQL cluster servers.
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes_14]
+
+When configuring the `hosts` option, you must use a MySQL Data Source Name (DSN) of the following format:
+
+```
+[username[:password]@][protocol[(address)]]/
+```
+
+You can also separately specify the username and password using the respective configuration options. Usernames and passwords specified in the DSN take precedence over those specified in the `username` and `password` config options.
+
+```
+- module: mysql
+  metricsets: ["status"]
+  hosts: ["tcp(127.0.0.1:3306)/"]
+  username: root
+  password: secret
+```
+
+
+## Compatibility [_compatibility_38]
+
+The galera MetricSets were tested with galera 3.22 (MySQL 5.7.20) and are expected to work with all versions >= 3.0 (MySQL >= 5.7.0)
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-mysql-performance.md b/docs/reference/metricbeat/metricbeat-metricset-mysql-performance.md
new file mode 100644
index 000000000000..997bb36a0d3f
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-mysql-performance.md
@@ -0,0 +1,106 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-mysql-performance.html
+---
+
+# MySQL performance metricset [metricbeat-metricset-mysql-performance]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+`performance` metricset fetches performance related metrics (events statements and table io waits) from MySQL
+
+## Fields [_fields_185]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-mysql.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2024-02-27T07:33:02.881Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.14.0"
+    },
+    "mysql": {
+        "performance": {
+            "events_statements": {
+                "digest": {
+                    "text": "SHOW SCHEMAS"
+                },
+                "count": {
+                    "star": 5
+                },
+                "avg": {
+                    "timer": {
+                        "wait": 1.6439131e+10
+                    }
+                },
+                "max": {
+                    "timer": {
+                        "wait": 4.0834164e+10
+                    }
+                },
+                "last": {
+                    "seen": "2024-02-27 06:44:17.296246"
+                },
+                "quantile": {
+                    "95": 4.1686938347e+10
+                },
+                "schemaname": "performance_schema"
+            }
+        }
+    },
+    "host": {
+        "id": "41359f29035549cda159ae8d1a533d72",
+        "containerized": false,
+        "ip": [
+            "127.0.0.1"
+        ],
+        "name": "localhost",
+        "mac": [
+            "86-32-76-45-EB-2B"
+        ],
+        "hostname": "localhost",
+        "architecture": "x86_64",
+        "os": {
+            "name": "CentOS Linux",
+            "kernel": "3.10.0-1160.102.1.el7.x86_64",
+            "codename": "Core",
+            "type": "linux",
+            "platform": "centos",
+            "version": "7 (Core)",
+            "family": "redhat"
+        }
+    },
+    "agent": {
+        "type": "metricbeat",
+        "version": "8.14.0",
+        "ephemeral_id": "539a163b-91ab-433c-9893-31a48d09b5a7",
+        "id": "e5bcfbf0-4c74-44dd-b711-c5e90a69ab7a",
+        "name": "localhost"
+    },
+    "ecs": {
+        "version": "8.0.0"
+    },
+    "event": {
+        "dataset": "mysql.performance",
+        "module": "mysql",
+        "duration": 14244062
+    },
+    "metricset": {
+        "period": 10000,
+        "name": "performance"
+    },
+    "service": {
+        "address": "tcp(127.0.0.1:3306)/?readTimeout=10s&timeout=10s&writeTimeout=10s",
+        "type": "mysql"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-mysql-query.md b/docs/reference/metricbeat/metricbeat-metricset-mysql-query.md
new file mode 100644
index 000000000000..170811b98edc
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-mysql-query.md
@@ -0,0 +1,19 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-mysql-query.html
+---
+
+# MySQL query metricset [metricbeat-metricset-mysql-query]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+`query` metricset allows for custom execution of metric related queries in MySQL
+
+## Fields [_fields_186]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-mysql.md) section.
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-mysql-status.md b/docs/reference/metricbeat/metricbeat-metricset-mysql-status.md
new file mode 100644
index 000000000000..87cfa2c4419a
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-mysql-status.md
@@ -0,0 +1,198 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-mysql-status.html
+---
+
+# MySQL status metricset [metricbeat-metricset-mysql-status]
+
+The MySQL `status` metricset collects data from MySQL by running a [`SHOW GLOBAL STATUS;`](http://dev.mysql.com/doc/refman/5.7/en/show-status.md) SQL query. This query returns a large number of metrics.
+
+## raw config option [_raw_config_option]
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The MySQL Status Metricset supports the `raw` config option. When enabled, in addition to the existing data structure, all fields available from the mysql service through `"SHOW /*!50002 GLOBAL */ STATUS;"` will be added to the event.
+
+These fields will be added under the namespace `mysql.status.raw`. The fields can vary from one MySQL instance to an other and no guarantees are provided for the  mapping of the fields as the mapping happens dynamically. This option is intended for advanced use cases.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+
+## Fields [_fields_187]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-mysql.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2020-07-13T16:36:00.626Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "agent": {
+        "version": "8.0.0",
+        "ephemeral_id": "d9d0d455-c440-453e-aea3-3b6fa512f6f3",
+        "id": "803dfdba-e638-4590-a2de-80cb1cebe78d",
+        "name": "mcastro",
+        "type": "metricbeat"
+    },
+    "mysql": {
+        "status": {
+            "connections": 28,
+            "threads": {
+                "running": 2,
+                "cached": 1,
+                "created": 4,
+                "connected": 3
+            },
+            "innodb": {
+                "rows": {
+                    "updated": 0,
+                    "deleted": 0,
+                    "inserted": 0,
+                    "reads": 0
+                },
+                "buffer_pool": {
+                    "write_requests": 1634,
+                    "bytes": {
+                        "data": 15908864,
+                        "dirty": 0
+                    },
+                    "pages": {
+                        "data": 971,
+                        "dirty": 0,
+                        "flushed": 144,
+                        "free": 7216,
+                        "misc": 5,
+                        "total": 8192
+                    },
+                    "read": {
+                        "requests": 15600,
+                        "ahead": 0,
+                        "ahead_evicted": 0,
+                        "ahead_rnd": 0
+                    },
+                    "pool": {
+                        "reads": 830,
+                        "wait_free": 0
+                    }
+                }
+            },
+            "handler": {
+                "update": 315,
+                "read": {
+                    "rnd_next": 394983,
+                    "first": 33,
+                    "key": 2100,
+                    "last": 0,
+                    "next": 4533,
+                    "prev": 0,
+                    "rnd": 2494
+                },
+                "write": 168505,
+                "mrr_init": 0,
+                "delete": 0,
+                "external_lock": 8167,
+                "savepoint_rollback": 0,
+                "rollback": 0,
+                "commit": 625,
+                "savepoint": 0,
+                "prepare": 0
+            },
+            "bytes": {
+                "sent": 6228481,
+                "received": 143324
+            },
+            "created": {
+                "tmp": {
+                    "tables": 364,
+                    "disk_tables": 0,
+                    "files": 5
+                }
+            },
+            "binlog": {
+                "cache": {
+                    "disk_use": 0,
+                    "use": 0
+                }
+            },
+            "connection": {
+                "errors": {
+                    "max": 0,
+                    "peer_address": 0,
+                    "select": 0,
+                    "tcpwrap": 0,
+                    "accept": 0,
+                    "internal": 0
+                }
+            },
+            "delayed": {
+                "errors": 0,
+                "insert_threads": 0,
+                "writes": 0
+            },
+            "max_used_connections": 4,
+            "opened_tables": 195,
+            "queries": 1183,
+            "flush_commands": 3,
+            "command": {
+                "insert": 0,
+                "select": 705,
+                "update": 0,
+                "delete": 0
+            },
+            "aborted": {
+                "clients": 0,
+                "connects": 2
+            },
+            "cache": {
+                "table": {
+                    "open_cache": {
+                        "hits": 3889,
+                        "misses": 195,
+                        "overflows": 0
+                    }
+                },
+                "ssl": {
+                    "size": 128,
+                    "hits": 0,
+                    "misses": 0
+                }
+            },
+            "questions": 1173,
+            "open": {
+                "streams": 0,
+                "tables": 116,
+                "files": 2
+            }
+        }
+    },
+    "event": {
+        "dataset": "mysql.status",
+        "module": "mysql",
+        "duration": 1871014
+    },
+    "metricset": {
+        "name": "status",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.17.0.2:3306",
+        "type": "mysql"
+    },
+    "ecs": {
+        "version": "1.5.0"
+    },
+    "host": {
+        "name": "mcastro"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-nats-connection.md b/docs/reference/metricbeat/metricbeat-metricset-nats-connection.md
new file mode 100644
index 000000000000..46c00bda3012
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-nats-connection.md
@@ -0,0 +1,54 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-nats-connection.html
+---
+
+# NATS connection metricset [metricbeat-metricset-nats-connection]
+
+This is the connections metricset of the module nats collecting metrics per connection.
+
+## Fields [_fields_188]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-nats.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"nats",
+        "name":"connections",
+        "rtt":44269
+    },
+    "nats": {
+        "server": {
+            "id": "bUAdpRFtMWddIBWw80Yd9D",
+            "time": "2018-12-28T12:33:53.026865597Z"
+        },
+        "connection": {
+            "idle_time": 0,
+            "in": {
+                "bytes": 678867264,
+                "messages": 42429204
+            },
+            "name": "NATS Benchmark",
+            "out": {
+                "bytes": 0,
+                "messages": 0
+            },
+            "pending_bytes": 0,
+            "subscriptions": 0,
+            "uptime": 29
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-nats-connections.md b/docs/reference/metricbeat/metricbeat-metricset-nats-connections.md
new file mode 100644
index 000000000000..2c51b7a52db3
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-nats-connections.md
@@ -0,0 +1,44 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-nats-connections.html
+---
+
+# NATS connections metricset [metricbeat-metricset-nats-connections]
+
+This is the connections metricset of the module nats collecting top level metrics about connections.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_189]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-nats.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"nats",
+        "name":"connections",
+        "rtt":44269
+    },
+    "nats": {
+        "server": {
+            "id": "bUAdpRFtMWddIBWw80Yd9D",
+            "time": "2018-12-28T12:33:53.026865597Z"
+        },
+        "connections": {
+            "total": 1
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-nats-route.md b/docs/reference/metricbeat/metricbeat-metricset-nats-route.md
new file mode 100644
index 000000000000..a917d82f276d
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-nats-route.md
@@ -0,0 +1,54 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-nats-route.html
+---
+
+# NATS route metricset [metricbeat-metricset-nats-route]
+
+This is the route metricset of the module nats collecting metrcis per connection.
+
+## Fields [_fields_190]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-nats.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"nats",
+        "name":"routes",
+        "rtt":44269
+    },
+    "nats":{
+        "server": {
+            "id": "bUAdpRFtMWddIBWw80Yd9D",
+            "time": "2018-12-28T12:33:53.026865597Z"
+        },
+        "routes": {
+            "in": {
+                "bytes": 0,
+                "messages": 0
+            },
+            "ip": "172.25.255.2",
+            "out": {
+                "bytes": 0,
+                "messages": 0
+            },
+            "pending_size": 0,
+            "port": 60736,
+            "remote_id": "NCYX4P3ZCXZT3UF4BBZUG46S7EU224XXXLUTUBUDOIAUAIR5WJV73BV5",
+            "subscriptions": 0,
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-nats-routes.md b/docs/reference/metricbeat/metricbeat-metricset-nats-routes.md
new file mode 100644
index 000000000000..c048abae7713
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-nats-routes.md
@@ -0,0 +1,44 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-nats-routes.html
+---
+
+# NATS routes metricset [metricbeat-metricset-nats-routes]
+
+This is the routes metricset of the module nats collecting top level metrics about routes.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_191]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-nats.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"nats",
+        "name":"routes",
+        "rtt":44269
+    },
+    "nats":{
+        "server": {
+            "id": "bUAdpRFtMWddIBWw80Yd9D",
+            "time": "2018-12-28T12:33:53.026865597Z"
+        },
+        "routes": {
+            "total": 2
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-nats-stats.md b/docs/reference/metricbeat/metricbeat-metricset-nats-stats.md
new file mode 100644
index 000000000000..b41a37f1ba9b
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-nats-stats.md
@@ -0,0 +1,70 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-nats-stats.html
+---
+
+# NATS stats metricset [metricbeat-metricset-nats-stats]
+
+This is the stats metricset of the module nats collecting generic stats.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_192]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-nats.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"nats",
+        "name":"stats",
+        "rtt":44269
+    },
+    "nats":{
+        "server": {
+            "id": "bUAdpRFtMWddIBWw80Yd9D",
+            "time": "2018-12-28T12:33:53.026865597Z"
+        },
+        "stats":{
+            "cores":0,
+            "cpu":0.52,
+            "http":{
+                "req_stats":{
+                    "uri":{
+                        "connz":10,
+                        "routez":10,
+                        "subsz":10,
+                        "varz":10
+                    }
+                }
+            },
+            "in":{
+                "bytes":0,
+                "messages":0
+            },
+            "mem":{
+                "bytes": 806976
+            },
+            "out":{
+                "bytes":0,
+                "messages":0
+            },
+            "remotes":0,
+            "slow_consumers":0,
+            "total_connections":35,
+            "uptime":9702
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-nats-subscriptions.md b/docs/reference/metricbeat/metricbeat-metricset-nats-subscriptions.md
new file mode 100644
index 000000000000..4122ab446e86
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-nats-subscriptions.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-nats-subscriptions.html
+---
+
+# NATS subscriptions metricset [metricbeat-metricset-nats-subscriptions]
+
+This is the subscriptions metricset of the module nats collecting metrics about subscriptions.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_193]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-nats.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"nats",
+        "name":"subscriptions",
+        "rtt":44269
+    },
+    "nats":{
+        "subscriptions":{
+            "total": 0,
+            "cache": {
+                "hit_rate": 0.0,
+                "size": 0,
+                "fanout": {
+                    "max": 0,
+                    "avg": 0.0
+                }
+            },
+            "inserts": 0,
+            "removes": 0,
+            "matches": 0
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-nginx-stubstatus.md b/docs/reference/metricbeat/metricbeat-metricset-nginx-stubstatus.md
new file mode 100644
index 000000000000..ebea083e64ba
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-nginx-stubstatus.md
@@ -0,0 +1,54 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-nginx-stubstatus.html
+---
+
+# Nginx stubstatus metricset [metricbeat-metricset-nginx-stubstatus]
+
+The Nginx `stubstatus` metricset collects data from the Nginx [ngx_http_stub_status](http://nginx.org/en/docs/http/ngx_http_stub_status_module.html) module. It scrapes the server status data from the web page generated by ngx_http_stub_status.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_194]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-nginx.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "dataset": "nginx.stubstatus",
+        "duration": 115000,
+        "module": "nginx"
+    },
+    "metricset": {
+        "name": "stubstatus"
+    },
+    "nginx": {
+        "stubstatus": {
+            "accepts": 6254,
+            "active": 2,
+            "current": 1,
+            "dropped": 0,
+            "handled": 6254,
+            "hostname": "127.0.0.1",
+            "reading": 0,
+            "requests": 6259,
+            "waiting": 1,
+            "writing": 1
+        }
+    },
+    "service": {
+        "address": "127.0.0.1",
+        "type": "nginx"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-openai-usage.md b/docs/reference/metricbeat/metricbeat-metricset-openai-usage.md
new file mode 100644
index 000000000000..9098f0ade15b
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-openai-usage.md
@@ -0,0 +1,61 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/master/metricbeat-metricset-openai-usage.html
+---
+
+# openai usage metricset [metricbeat-metricset-openai-usage]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the usage metricset of the module openai.
+
+## Fields [_fields_195]
+
+For a description of each field in the metricset, see the [exported fields](exported-fields-openai.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "openai.usage",
+        "duration": 115000,
+        "module": "openai"
+    },
+    "metricset": {
+        "name": "usage",
+        "period": 10000
+    },
+    "openai": {
+        "usage": {
+            "api_key_id": null,
+            "api_key_name": null,
+            "api_key_redacted": null,
+            "api_key_type": null,
+            "data": {
+                "cached_context_tokens_total": 0,
+                "context_tokens_total": 118,
+                "email": null,
+                "generated_tokens_total": 35,
+                "operation": "completion-realtime",
+                "request_type": "",
+                "requests_total": 1,
+                "snapshot_id": "gpt-4o-realtime-preview-2024-10-01"
+            },
+            "organization_id": "org-dummy",
+            "organization_name": "Personal",
+            "project_id": null,
+            "project_name": null
+        }
+    },
+    "service": {
+        "type": "openai"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-openmetrics-collector.md b/docs/reference/metricbeat/metricbeat-metricset-openmetrics-collector.md
new file mode 100644
index 000000000000..8a00282e5907
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-openmetrics-collector.md
@@ -0,0 +1,52 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-openmetrics-collector.html
+---
+
+# Openmetrics collector metricset [metricbeat-metricset-openmetrics-collector]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `collector` metricset of the Openmetrics module. It collects metrics from endpoints that follow Openmetrics format.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_196]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-openmetrics.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "openmetrics.collector",
+        "duration": 115000,
+        "module": "openmetrics"
+    },
+    "metricset": {
+        "name": "collector",
+        "period": 10000
+    },
+    "openmetrics": {
+        "labels": {
+            "job": "openmetrics",
+            "listener_name": "http"
+        },
+        "metrics": {
+            "net_conntrack_listener_conn_accepted_total": 3,
+            "net_conntrack_listener_conn_closed_total": 0
+        }
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "openmetrics"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-oracle-performance.md b/docs/reference/metricbeat/metricbeat-metricset-oracle-performance.md
new file mode 100644
index 000000000000..4351b25d89a5
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-oracle-performance.md
@@ -0,0 +1,209 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-oracle-performance.html
+---
+
+# Oracle performance metricset [metricbeat-metricset-oracle-performance]
+
+`performance` Metricset includes performance related events that might be correlated between them. It contains mainly cursor and cache based data and can generate 3 types of events.
+
+
+## Required database access [_required_database_access]
+
+To ensure that the module has access to the appropriate metrics, the module requires that you configure a user with access to the following tables:
+
+* V$BUFFER_POOL_STATISTICS
+* v$sesstat
+* v$statname
+* v$session
+* v$sysstat
+* V$LIBRARYCACHE
+
+
+## Description of fields [_description_of_fields]
+
+* **machine**: Operating system machine name
+* **buffer_pool**: Name of the buffer pool in the instance
+* **username**: Oracle username
+* **io_reloads**: Reloads / Pins ratio. A Reload is any PIN of an object that is not the first PIN performed since the object handle was created, and which requires loading the object from disk. Pins are the number of times a PIN was requested for objects of this namespace.
+* **lock_requests**: Average of the ratio between *gethits* and *gets* being *Gethits* the number of times an object’s handle was found in memory and *gets* the number of times a lock was requested for objects of this namespace.
+* **pin_requests**: Average of all pinhits/pins ratios being *PinHits* the number of times all of the metadata pieces of the library object were found in memory and *pins* the number of times a PIN was requested for objects of this namespace.
+* **cache.buffer.hit.pct**: The cache hit ratio of the specified buffer pool.
+* **cache.physical_reads**: Physical reads
+* **cache.get.consistent**: Consistent gets statistic
+* **cache.get.db_blocks**: Database blocks gotten
+* **cursors.avg**: Average cursors opened by username and machine
+* **cursors.max**: Max cursors opened by username and machine
+* **cursors.total**: Total opened cursors by username and machine
+* **cursors.opened.current**: Total number of current open cursors
+* **cursors.opened.total**: Total number of cursors opened since the instance started
+* **cursors.parse.real**: Real number of parses that occurred: session cursor cache hits - parse count (total)
+* **cursors.parse.total**: Total number of parse calls (hard and soft). A soft parse is a check on an object already in the shared pool, to verify that the permissions on the underlying object have not changed.
+* **cursors.session.cache_hits**: Number of hits in the session cursor cache. A hit means that the SQL statement did not have to be reparsed.
+* **cursors.cache_hit.pct**: Ratio of session cursor cache hits from total number of cursors
+
+
+## Example events [_example_events]
+
+Instance based cursors data:
+
+```
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "oracle.performance",
+        "duration": 115000,
+        "module": "oracle"
+    },
+    "metricset": {
+        "name": "performance"
+    },
+    "oracle": {
+        "performance": {
+            "cursors": {
+                "opened": {
+                    "current": 7,
+                    "total": 6225
+                },
+                "parse": {
+                    "real": 1336,
+                    "total": 3684
+                },
+                "session": {
+                    "cache_hits": 5020
+                },
+                "total": {
+                    "cache_hit": {
+                        "pct": 0.8064257028112449
+                    }
+                }
+            },
+            "io_reloads": 0.0013963503027202182,
+            "lock_requests": 0.5725039956419224,
+            "pin_requests": 0.7780581056654354
+        }
+    },
+    "service": {
+        "address": "oracle://sys:passwordlocalhost/ORCLPDB1.localdomain",
+        "type": "oracle"
+    }
+}
+```
+
+Cursor data aggregated by username and machine:
+
+```
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "oracle.performance",
+        "duration": 115000,
+        "module": "oracle"
+    },
+    "metricset": {
+        "name": "performance"
+    },
+    "oracle": {
+        "performance": {
+            "cursors": {
+                "avg": 0.625,
+                "max": 17,
+                "total": 25
+            },
+            "machine": "2ed9ac3a4c3d",
+            "username": "Unknown"
+        }
+    },
+    "service": {
+        "address": "oracle://sys:passwordlocalhost/ORCLPDB1.localdomain",
+        "type": "oracle"
+    }
+}
+```
+
+Cache data:
+
+```
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "oracle.performance",
+        "duration": 115000,
+        "module": "oracle"
+    },
+    "metricset": {
+        "name": "performance"
+    },
+    "oracle": {
+        "performance": {
+            "buffer_pool": "DEFAULT",
+            "cache": {
+                "buffer": {
+                    "hit": {
+                        "pct": 0.9510712759136568
+                    }
+                },
+                "get": {
+                    "consistent": 358125,
+                    "db_blocks": 16195
+                },
+                "physical_reads": 18315
+            }
+        }
+    },
+    "service": {
+        "address": "oracle://sys:passwordlocalhost/ORCLPDB1.localdomain",
+        "type": "oracle"
+    }
+}
+```
+
+## Fields [_fields_197]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-oracle.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "oracle.performance",
+        "duration": 115000,
+        "module": "oracle"
+    },
+    "metricset": {
+        "name": "performance",
+        "period": 10000
+    },
+    "oracle": {
+        "performance": {
+            "cursors": {
+                "cache_hit": {
+                    "pct": 0.8215208034433286
+                },
+                "opened": {
+                    "current": 32,
+                    "total": 125460
+                },
+                "parse": {
+                    "real": 39150,
+                    "total": 63918
+                },
+                "session": {
+                    "cache_hits": 103068
+                }
+            },
+            "io_reloads": 0.009607787973500542,
+            "lock_requests": 0.5939075233457263,
+            "pin_requests": 0.7450330613301921
+        }
+    },
+    "service": {
+        "address": "localhost:32769",
+        "type": "oracle"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-oracle-sysmetric.md b/docs/reference/metricbeat/metricbeat-metricset-oracle-sysmetric.md
new file mode 100644
index 000000000000..d066dff48125
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-oracle-sysmetric.md
@@ -0,0 +1,91 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-oracle-sysmetric.html
+---
+
+# Oracle sysmetric metricset [metricbeat-metricset-oracle-sysmetric]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+`sysmetric` Metricset includes the system metric values captured for the most current time interval from Oracle System View.
+
+This metricset dynamically filters metrics based on given input `patterns`. These patterns can be keywords or regular expressions. The `sysmetric` metricset uses the `OR` operator when forming the SQL query internally. Refer [here](https://docs.oracle.com/cd/B12037_01/server.101/b10759/conditions016.htm) for more details. `V$SYSMETRIC` table provides different metrics for a short duration (15 seconds, `GROUP_ID` 3) and a long duration (60 seconds, `GROUP_ID` 2). This metricset collects metrics which have `GROUP_ID` 2 i.e. the metrics that are queried for long-duration for DBAs to use the data for historical analysis.
+
+**Note**: As the value of the metrics queried for long-duration in the `V$SYSMETRIC` table is updated every 60 seconds, it is recommended for the users to set the collection period in the configuration for sysmetric metricset as greater than or equal to 60 seconds so as to avoid duplication of the metrics in the ingested events.
+
+
+## Required database access [_required_database_access_2]
+
+To ensure that the module has access to the appropriate metrics, the module requires that you configure a user with access to the following tables:
+
+* V$SYSMETRIC
+
+
+## Example event [_example_event]
+
+```
+{
+  "@timestamp": "2022-05-27T02:18:55.112Z",
+  "event": {
+    "dataset": "oracle.sysmetric",
+    "module": "oracle",
+    "duration": 408974115
+  },
+  "metricset": {
+    "name": "sysmetric",
+    "period": 60000
+  },
+  "oracle": {
+    "sysmetric": {
+      "metrics": {
+        "physical_write_total_bytes_per_sec": 15323.3127812031,
+        "total_table_scans_per_txn": 40,
+        "physical_read_total_bytes_per_sec": 40680.153307782,
+        "total_pga_allocated": 2.364416e+08
+      }
+    }
+  },
+  "service": {
+    "address": "oracle://localhost:1521/ORCLCDB.localdomain",
+    "type": "oracle"
+  }
+}
+```
+
+## Fields [_fields_198]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-oracle.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2022-05-27T02:18:55.112Z",
+    "event": {
+        "dataset": "oracle.sysmetric",
+        "module": "oracle",
+        "duration": 408974115
+    },
+    "metricset": {
+        "name": "sysmetric",
+        "period": 60000
+    },
+    "oracle": {
+        "sysmetric": {
+            "physical_write_total_bytes_per_sec": 15323.3127812031,
+            "total_table_scans_per_txn": 40,
+            "physical_read_total_bytes_per_sec": 40680.153307782,
+            "total_pga_allocated": 2.364416e+08
+        }
+    },
+    "service": {
+        "address": "oracle://localhost:1521/ORCLCDB.localdomain",
+        "type": "oracle"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-oracle-tablespace.md b/docs/reference/metricbeat/metricbeat-metricset-oracle-tablespace.md
new file mode 100644
index 000000000000..fd2e4b09d81d
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-oracle-tablespace.md
@@ -0,0 +1,88 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-oracle-tablespace.html
+---
+
+# Oracle tablespace metricset [metricbeat-metricset-oracle-tablespace]
+
+`tablespace` Metricset includes information about data files and temp files, grouped by Tablespace with free space available, used space, status of the data files, status of the Tablespace, etc.
+
+
+## Required database access [_required_database_access_3]
+
+To ensure that the module has access to the appropriate metrics, the module requires that you configure a user with access to the following tables:
+
+* SYS.DBA_TEMP_FILES
+* DBA_TEMP_FREE_SPACE
+* dba_data_files
+* dba_free_space
+
+
+## Description of fields [_description_of_fields_2]
+
+* **data_file.id**: Tablespace data file unique identifier number. Each data file of a Tablespace has a unique name (and each Tablespace may have more than one data file) but this is not the Tablespace ID.
+* **data_file.name**: Filename of the data file (with the full path)
+* **data_file.online_status**: Last known online status of the data file. One of SYSOFF, SYSTEM, OFFLINE, ONLINE or RECOVER.
+* **data_file.size.bytes**: Size of the file in bytes.
+* **data_file.size.free.bytes**: The size of the file available for user data. The actual size of the file minus this value is used to store file related metadata.
+* **data_file.size.max.bytes**: Maximum file size in bytes
+* **data_file.status**: File status: AVAILABLE or INVALID (INVALID means that the file number is not in use, for example, a file in a tablespace that was dropped)
+* **name**: Tablespace name
+* **space.free.bytes**: Tablespace total free space available, in bytes.
+* **space.total.bytes**: Tablespace total size, in bytes. Calculated by adding the file sizes for each Tablespace.
+* **space.used.bytes**: Tablespace used space, in bytes.
+
+## Fields [_fields_199]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-oracle.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "oracle.tablespace",
+        "duration": 115000,
+        "module": "oracle"
+    },
+    "metricset": {
+        "name": "tablespace",
+        "period": 10000
+    },
+    "oracle": {
+        "tablespace": {
+            "data_file": {
+                "id": 3,
+                "name": "/u02/app/oracle/oradata/ORCL/sysaux01.dbf",
+                "online_status": "ONLINE",
+                "size": {
+                    "bytes": 744488960,
+                    "free": {
+                        "bytes": 743440384
+                    },
+                    "max": {
+                        "bytes": 34359721984
+                    }
+                },
+                "status": "AVAILABLE"
+            },
+            "name": "SYSAUX",
+            "space": {
+                "free": {
+                    "bytes": 39124992
+                },
+                "used": {
+                    "bytes": 744488960
+                }
+            }
+        }
+    },
+    "service": {
+        "address": "localhost:32769",
+        "type": "oracle"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-panw-interfaces.md b/docs/reference/metricbeat/metricbeat-metricset-panw-interfaces.md
new file mode 100644
index 000000000000..02820156931f
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-panw-interfaces.md
@@ -0,0 +1,43 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-panw-interfaces.html
+---
+
+# Panw interfaces metricset [metricbeat-metricset-panw-interfaces]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the interfaces metricset of the module panw.
+
+## Fields [_fields_200]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-panw.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"panw",
+        "name":"interfaces",
+        "rtt":44269
+    },
+    "panw":{
+        "interfaces":{
+            "example": "interfaces"
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-panw-routing.md b/docs/reference/metricbeat/metricbeat-metricset-panw-routing.md
new file mode 100644
index 000000000000..1b35128b7f02
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-panw-routing.md
@@ -0,0 +1,43 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-panw-routing.html
+---
+
+# Panw routing metricset [metricbeat-metricset-panw-routing]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the routing metricset of the module panw.
+
+## Fields [_fields_201]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-panw.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"panw",
+        "name":"routing",
+        "rtt":44269
+    },
+    "panw":{
+        "routing":{
+            "example": "routing"
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-panw-system.md b/docs/reference/metricbeat/metricbeat-metricset-panw-system.md
new file mode 100644
index 000000000000..8de2b2648e54
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-panw-system.md
@@ -0,0 +1,43 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-panw-system.html
+---
+
+# Panw system metricset [metricbeat-metricset-panw-system]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the system metricset of the module panw.
+
+## Fields [_fields_202]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-panw.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"panw",
+        "name":"system",
+        "rtt":44269
+    },
+    "panw":{
+        "system":{
+            "example": "system"
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-panw-vpn.md b/docs/reference/metricbeat/metricbeat-metricset-panw-vpn.md
new file mode 100644
index 000000000000..45c204bbd793
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-panw-vpn.md
@@ -0,0 +1,43 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-panw-vpn.html
+---
+
+# Panw vpn metricset [metricbeat-metricset-panw-vpn]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the vpn metricset of the module panw.
+
+## Fields [_fields_203]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-panw.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp":"2016-05-23T08:05:34.853Z",
+    "beat":{
+        "hostname":"beathost",
+        "name":"beathost"
+    },
+    "metricset":{
+        "host":"localhost",
+        "module":"panw",
+        "name":"vpn",
+        "rtt":44269
+    },
+    "panw":{
+        "vpn":{
+            "example": "vpn"
+        }
+    },
+    "type":"metricsets"
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-php_fpm-pool.md b/docs/reference/metricbeat/metricbeat-metricset-php_fpm-pool.md
new file mode 100644
index 000000000000..8acf887a1a6f
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-php_fpm-pool.md
@@ -0,0 +1,59 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-php_fpm-pool.html
+---
+
+# PHP_FPM pool metricset [metricbeat-metricset-php_fpm-pool]
+
+This is the `pool` metricset of the PHP_FPM module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_204]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-php_fpm.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "php_fpm.pool",
+        "duration": 115000,
+        "module": "php_fpm"
+    },
+    "metricset": {
+        "name": "pool",
+        "period": 10000
+    },
+    "php_fpm": {
+        "pool": {
+            "connections": {
+                "accepted": 18,
+                "listen_queue_len": 0,
+                "max_listen_queue": 0,
+                "queued": 0
+            },
+            "name": "www",
+            "process_manager": "dynamic",
+            "processes": {
+                "active": 1,
+                "idle": 1,
+                "max_active": 1,
+                "max_children_reached": 0,
+                "total": 2
+            },
+            "slow_requests": 0,
+            "start_since": 3589,
+            "start_time": 1551792028
+        }
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "php_fpm"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-php_fpm-process.md b/docs/reference/metricbeat/metricbeat-metricset-php_fpm-process.md
new file mode 100644
index 000000000000..bedad13c7e62
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-php_fpm-process.md
@@ -0,0 +1,69 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-php_fpm-process.html
+---
+
+# PHP_FPM process metricset [metricbeat-metricset-php_fpm-process]
+
+This is the process metricset of the module php_fpm.
+
+## Fields [_fields_205]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-php_fpm.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "php_fpm.process",
+        "duration": 115000,
+        "module": "php_fpm"
+    },
+    "http": {
+        "request": {
+            "method": "get"
+        },
+        "response": {
+            "body": {
+                "bytes": 0
+            }
+        }
+    },
+    "metricset": {
+        "name": "process",
+        "period": 10000
+    },
+    "php_fpm": {
+        "pool": {
+            "name": "www"
+        },
+        "process": {
+            "last_request_cpu": 0,
+            "last_request_memory": 0,
+            "request_duration": 135,
+            "requests": 9,
+            "script": "-",
+            "start_since": 3471,
+            "start_time": 1551792028,
+            "state": "Running"
+        }
+    },
+    "process": {
+        "pid": 24
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "php_fpm"
+    },
+    "url": {
+        "original": "/status?full\u0026json"
+    },
+    "user": {
+        "name": "-"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-postgresql-activity.md b/docs/reference/metricbeat/metricbeat-metricset-postgresql-activity.md
new file mode 100644
index 000000000000..c153fa5fa094
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-postgresql-activity.md
@@ -0,0 +1,62 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-postgresql-activity.html
+---
+
+# PostgreSQL activity metricset [metricbeat-metricset-postgresql-activity]
+
+This is the `activity` metricset of the PostgreSQL module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_206]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-postgresql.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "postgresql.activity",
+        "duration": 115000,
+        "module": "postgresql"
+    },
+    "metricset": {
+        "name": "activity",
+        "period": 10000
+    },
+    "postgresql": {
+        "activity": {
+            "application_name": "",
+            "backend_start": "2021-03-05T19:01:40.467Z",
+            "backend_type": "client backend",
+            "client": {
+                "address": "192.168.128.1",
+                "hostname": "",
+                "port": 33414
+            },
+            "database": {
+                "name": "postgres",
+                "oid": 13395
+            },
+            "pid": 2236,
+            "query": "SELECT * FROM pg_stat_activity",
+            "query_start": "2021-03-05T19:01:40.469Z",
+            "state": "idle",
+            "state_change": "2021-03-05T19:01:40.471Z",
+            "user": {
+                "id": 10,
+                "name": "postgres"
+            }
+        }
+    },
+    "service": {
+        "address": "192.168.128.2:5432",
+        "type": "postgresql"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-postgresql-bgwriter.md b/docs/reference/metricbeat/metricbeat-metricset-postgresql-bgwriter.md
new file mode 100644
index 000000000000..283b1f337cd0
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-postgresql-bgwriter.md
@@ -0,0 +1,62 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-postgresql-bgwriter.html
+---
+
+# PostgreSQL bgwriter metricset [metricbeat-metricset-postgresql-bgwriter]
+
+This is the `bgwriter` metricset of the PostgreSQL module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_207]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-postgresql.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "postgresql.bgwriter",
+        "duration": 115000,
+        "module": "postgresql"
+    },
+    "metricset": {
+        "name": "bgwriter",
+        "period": 10000
+    },
+    "postgresql": {
+        "bgwriter": {
+            "buffers": {
+                "allocated": 273,
+                "backend": 0,
+                "backend_fsync": 0,
+                "checkpoints": 8,
+                "clean": 0,
+                "clean_full": 0
+            },
+            "checkpoints": {
+                "requested": 0,
+                "scheduled": 4,
+                "times": {
+                    "sync": {
+                        "ms": 9
+                    },
+                    "write": {
+                        "ms": 804
+                    }
+                }
+            },
+            "stats_reset": "2021-03-05T18:39:17.954Z"
+        }
+    },
+    "service": {
+        "address": "192.168.128.2:5432",
+        "type": "postgresql"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-postgresql-database.md b/docs/reference/metricbeat/metricbeat-metricset-postgresql-database.md
new file mode 100644
index 000000000000..bb35e2417634
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-postgresql-database.md
@@ -0,0 +1,74 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-postgresql-database.html
+---
+
+# PostgreSQL database metricset [metricbeat-metricset-postgresql-database]
+
+This is the `database` metricset of the PostgreSQL module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_208]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-postgresql.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "postgresql.database",
+        "duration": 115000,
+        "module": "postgresql"
+    },
+    "metricset": {
+        "name": "database",
+        "period": 10000
+    },
+    "postgresql": {
+        "database": {
+            "blocks": {
+                "hit": 43969,
+                "read": 381,
+                "time": {
+                    "read": {
+                        "ms": 0
+                    },
+                    "write": {
+                        "ms": 0
+                    }
+                }
+            },
+            "conflicts": 0,
+            "deadlocks": 0,
+            "name": "postgres",
+            "number_of_backends": 2,
+            "oid": 13395,
+            "rows": {
+                "deleted": 42,
+                "fetched": 26418,
+                "inserted": 98,
+                "returned": 53201,
+                "updated": 14
+            },
+            "stats_reset": "2021-03-05T18:39:18.089Z",
+            "temporary": {
+                "bytes": 0,
+                "files": 0
+            },
+            "transactions": {
+                "commit": 445,
+                "rollback": 5
+            }
+        }
+    },
+    "service": {
+        "address": "192.168.128.2:5432",
+        "type": "postgresql"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-postgresql-statement.md b/docs/reference/metricbeat/metricbeat-metricset-postgresql-statement.md
new file mode 100644
index 000000000000..4d7fccf76a31
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-postgresql-statement.md
@@ -0,0 +1,116 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-postgresql-statement.html
+---
+
+# PostgreSQL statement metricset [metricbeat-metricset-postgresql-statement]
+
+This is the `statement` metricset of the PostgreSQL module.
+
+This module collects information from the `pg_stat_statements` view, that keeps track of planning and execution statistics of all SQL statements executed by the server.
+
+`pg_stat_statements` is included by an additional module in PostgreSQL. This module requires additional shared memory, and is disabled by default.
+
+You can enable it by adding this module to the configuration as a shared preloaded library.
+
+```
+shared_preload_libraries = 'pg_stat_statements'
+pg_stat_statements.max = 10000
+pg_stat_statements.track = all
+```
+
+::::{note}
+Preloading this library in your server will increase the memory usage of your PostgreSQL server. Use it with care.
+::::
+
+
+Once the server is started with this module, it starts collecting statistics about all statements executed. To make these statistics available in the `pg_stat_statements` view, the following statement needs to be executed in the server:
+
+```sql
+CREATE EXTENSION pg_stat_statements;
+```
+
+You can read more about the available options for this module in the [official documentation](https://www.postgresql.org/docs/13/pgstatstatements.html).
+
+::::{note}
+The PostgreSQL module of Filebeat is also able to collect information about statements executed in the server from its logs. You may chose which one is better for your needings. An important difference is that the Metricbeat module collects aggregated information when the statement is executed several times, but cannot know when each statement was executed. This information can be obtained from logs.
+::::
+
+
+## Fields [_fields_209]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-postgresql.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "postgresql.statement",
+        "duration": 115000,
+        "module": "postgresql"
+    },
+    "metricset": {
+        "name": "statement",
+        "period": 10000
+    },
+    "postgresql": {
+        "statement": {
+            "database": {
+                "oid": 13395
+            },
+            "query": {
+                "calls": 132,
+                "id": -3489238739385425370,
+                "memory": {
+                    "local": {
+                        "dirtied": 0,
+                        "hit": 0,
+                        "read": 0,
+                        "written": 0
+                    },
+                    "shared": {
+                        "dirtied": 0,
+                        "hit": 924,
+                        "read": 0,
+                        "written": 0
+                    },
+                    "temp": {
+                        "read": 0,
+                        "written": 0
+                    }
+                },
+                "rows": 396,
+                "text": "SELECT d.datname as \"Name\",\n       pg_catalog.pg_get_userbyid(d.datdba) as \"Owner\",\n       pg_catalog.pg_encoding_to_char(d.encoding) as \"Encoding\",\n       d.datcollate as \"Collate\",\n       d.datctype as \"Ctype\",\n       pg_catalog.array_to_string(d.datacl, $1) AS \"Access privileges\"\nFROM pg_catalog.pg_database d\nORDER BY 1",
+                "time": {
+                    "max": {
+                        "ms": 0.325369
+                    },
+                    "mean": {
+                        "ms": 0.07867374242424244
+                    },
+                    "min": {
+                        "ms": 0.053835
+                    },
+                    "stddev": {
+                        "ms": 0.037920252272212004
+                    },
+                    "total": {
+                        "ms": 10.384934000000003
+                    }
+                }
+            },
+            "user": {
+                "id": 10
+            }
+        }
+    },
+    "service": {
+        "address": "192.168.128.2:5432",
+        "type": "postgresql"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-prometheus-collector.md b/docs/reference/metricbeat/metricbeat-metricset-prometheus-collector.md
new file mode 100644
index 000000000000..1431020a38b9
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-prometheus-collector.md
@@ -0,0 +1,173 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-prometheus-collector.html
+---
+
+# Prometheus collector metricset [metricbeat-metricset-prometheus-collector]
+
+The Prometheus `collector` metricset scrapes data from [prometheus exporters](https://prometheus.io/docs/instrumenting/exporters/).
+
+
+## Scraping from a Prometheus exporter [_scraping_from_a_prometheus_exporter]
+
+To scrape metrics from a Prometheus exporter, configure the `hosts` field to it. The path to retrieve the metrics from (`/metrics` by default) can be configured with `metrics_path`.
+
+```yaml
+- module: prometheus
+  period: 10s
+  hosts: ["node:9100"]
+  metrics_path: /metrics
+
+  #username: "user"
+  #password: "secret"
+
+  # This can be used for service account based authorization:
+  #bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+  #ssl.certificate_authorities:
+  #  - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+```
+
+
+## Histograms and types [_histograms_and_types]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+```yaml
+metricbeat.modules:
+- module: prometheus
+  period: 10s
+  hosts: ["localhost:9090"]
+  use_types: true
+  rate_counters: false
+```
+
+`use_types` parameter (default: false) enables a different layout for metrics storage, leveraging Elasticsearch types, including [histograms](elasticsearch://reference/elasticsearch/mapping-reference/histogram.md).
+
+`rate_counters` parameter (default: false) enables calculating a rate out of Prometheus counters. When enabled, Metricbeat stores the counter increment since the last collection. This metric should make some aggregations easier and with better performance. This parameter can only be enabled in combination with `use_types`.
+
+When `use_types` and `rate_counters` are enabled, metrics are stored like this:
+
+```json
+{
+    "prometheus": {
+        "labels": {
+            "instance": "172.27.0.2:9090",
+            "job": "prometheus"
+        },
+        "prometheus_target_interval_length_seconds_count": {
+            "counter": 1,
+            "rate": 0
+        },
+        "prometheus_target_interval_length_seconds_sum": {
+            "counter": 15.000401344,
+            "rate": 0
+        }
+        "prometheus_tsdb_compaction_chunk_range_seconds_bucket": {
+            "histogram": {
+                "values": [50, 300, 1000, 4000, 16000],
+                "counts": [10, 2, 34, 7]
+            }
+        }
+    },
+}
+```
+
+
+## Scraping all metrics from a Prometheus server [_scraping_all_metrics_from_a_prometheus_server]
+
+::::{warning}
+Depending on your scale this method may not be suitable. We recommend using the [remote_write](/reference/metricbeat/metricbeat-metricset-prometheus-remote_write.md) metricset for this, and make Prometheus push metrics to Metricbeat.
+
+::::
+
+
+This module can scrape all metrics stored in a Prometheus server, by using the [federation API](https://prometheus.io/docs/prometheus/latest/federation/). By pointing this config to the Prometheus server:
+
+```yaml
+metricbeat.modules:
+- module: prometheus
+  period: 10s
+  hosts: ["localhost:9090"]
+  metrics_path: '/federate'
+  query:
+    'match[]': '{__name__!=""}'
+```
+
+::::{note}
+federation API returns all metrics as untyped, as a result even in case `use_types` and `rate_counters` parameters are enabled, rate metrics will NOT be calculated out of Prometheus counters. To get rate metrics calculated should be used [remote_write](/reference/metricbeat/metricbeat-metricset-prometheus-remote_write.md) metricset instead.
+::::
+
+
+
+## Filtering metrics [_filtering_metrics_2]
+
+In order to filter out/in metrics one can make use of `metrics_filters.include` `metrics_filters.exclude` settings:
+
+```yaml
+- module: prometheus
+  period: 10s
+  hosts: ["localhost:9090"]
+  metrics_path: /metrics
+  metrics_filters:
+    include: ["node_filesystem_*"]
+    exclude: ["node_filesystem_device_*"]
+```
+
+The configuration above will include only metrics that match `node_filesystem_*` pattern and do not match `node_filesystem_device_*`.
+
+To keep only specific metrics, anchor the start and the end of the regexp of each metric:
+
+* the caret `^` matches the beginning of a text or line,
+* the dollar sign `$` matches the end of a text.
+
+```yaml
+- module: prometheus
+  period: 10s
+  hosts: ["localhost:9090"]
+  metrics_path: /metrics
+  metrics_filters:
+    include: ["^node_network_net_dev_group$", "^node_network_up$"]
+```
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_210]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-prometheus.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "prometheus.collector",
+        "duration": 115000,
+        "module": "prometheus"
+    },
+    "metrics_count": 2,
+    "metricset": {
+        "name": "collector",
+        "period": 10000
+    },
+    "prometheus": {
+        "labels": {
+            "job": "prometheus",
+            "listener_name": "http"
+        },
+        "metrics": {
+            "net_conntrack_listener_conn_accepted_total": 3,
+            "net_conntrack_listener_conn_closed_total": 0
+        }
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "prometheus"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-prometheus-query.md b/docs/reference/metricbeat/metricbeat-metricset-prometheus-query.md
new file mode 100644
index 000000000000..cba87405451e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-prometheus-query.md
@@ -0,0 +1,99 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-prometheus-query.html
+---
+
+# Prometheus query metricset [metricbeat-metricset-prometheus-query]
+
+This is the `query` metricset to query from [querying API of Prometheus](https://prometheus.io/docs/prometheus/latest/querying/api/#expression-queries).
+
+
+## Configuration [_configuration_3]
+
+
+### Instant queries [_instant_queries]
+
+The following configuration performs an instant query for `up` metric at a single point in time:
+
+```yaml
+- module: prometheus
+  period: 10s
+  hosts: ["localhost:9090"]
+  metricsets: ["query"]
+  queries:
+  - name: 'up'
+    path: '/api/v1/query'
+    params:
+      query: "up"
+```
+
+More complex PromQL expressions can also be used like the following one which calculates the per-second rate of HTTP requests as measured over the last 5 minutes.
+
+```yaml
+- module: prometheus
+  period: 10s
+  hosts: ["localhost:9090"]
+  metricsets: ["query"]
+  queries:
+  - name: "rate_http_requests_total"
+    path: "/api/v1/query"
+    params:
+      query: "rate(prometheus_http_requests_total[5m])"
+```
+
+
+### Range queries [_range_queries]
+
+The following example evaluates the expression `up` over a 30-second range with a query resolution of 15 seconds:
+
+```yaml
+- module: prometheus
+  period: 10s
+  metricsets: ["query"]
+  hosts: ["node:9100"]
+  queries:
+  - name: "up_master"
+    path: "/api/v1/query_range"
+    params:
+      query: "up{node='master01'}"
+      start: "2019-12-20T23:30:30.000Z"
+      end: "2019-12-21T23:31:00.000Z"
+      step: 15s
+```
+
+## Fields [_fields_211]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-prometheus.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "prometheus.query",
+        "duration": 115000,
+        "module": "prometheus"
+    },
+    "metricset": {
+        "name": "query",
+        "period": 10000
+    },
+    "prometheus": {
+        "labels": {
+            "__name__": "go_threads",
+            "instance": "localhost:9090",
+            "job": "prometheus"
+        },
+        "query": {
+            "go_threads": 18
+        }
+    },
+    "service": {
+        "address": "localhost:32769",
+        "type": "prometheus"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-prometheus-remote_write.md b/docs/reference/metricbeat/metricbeat-metricset-prometheus-remote_write.md
new file mode 100644
index 000000000000..5ee012e0dbc2
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-prometheus-remote_write.md
@@ -0,0 +1,225 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-prometheus-remote_write.html
+---
+
+# Prometheus remote_write metricset [metricbeat-metricset-prometheus-remote_write]
+
+This is the remote_write metricset of the module prometheus. This metricset can receive metrics from a Prometheus server that has configured [remote_write](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write) setting accordingly, for instance:
+
+```yaml
+remote_write:
+  - url: "http://localhost:9201/write"
+```
+
+::::{tip}
+In order to assure the health of the whole queue, the following configuration [parameters](https://prometheus.io/docs/practices/remote_write/#parameters) should be considered:
+::::
+
+
+* `max_shards`: Sets the maximum number of parallelism with which Prometheus will try to send samples to Metricbeat. It is recommended that this setting should be equal to the number of cores of the machine where Metricbeat runs. Metricbeat can handle connections in parallel and hence setting `max_shards` to the number of parallelism that Metricbeat can actually achieve is the optimal queue configuration.
+* `max_samples_per_send`: Sets the number of samples to batch together for each send. Recommended values are between 100 (default) and 1000. Having a bigger batch can lead to improved throughput and in more efficient storage since Metricbeat groups metrics with the same labels into same event documents. However this will increase the memory usage of Metricbeat.
+* `capacity`: It is recommended to set capacity to 3-5 times `max_samples_per_send`. Capacity sets the number of samples that are queued in memory per shard, and hence capacity should be high enough so as to be able to cover `max_samples_per_send`.
+* `write_relabel_configs`: It is a relabeling, that applies to samples before sending them to the remote endpoint. This could be used to limit which samples are sent.
+
+    ```yaml
+    remote_write:
+      - url: "http://localhost:9201/write"
+        write_relabel_configs:
+          - source_labels: [job]
+            regex: 'prometheus'
+            action: keep
+    ```
+
+
+Metrics sent to the http endpoint will be put by default under the `prometheus.metrics` prefix with their labels under `prometheus.labels`. A basic configuration would look like:
+
+```yaml
+- module: prometheus
+  metricsets: ["remote_write"]
+  host: "localhost"
+  port: "9201"
+```
+
+Also consider using secure settings for the server, configuring the module with TLS/SSL as shown:
+
+```yaml
+- module: prometheus
+  metricsets: ["remote_write"]
+  host: "localhost"
+  ssl.certificate: "/etc/pki/server/cert.pem"
+  ssl.key: "/etc/pki/server/cert.key"
+  port: "9201"
+```
+
+and on Prometheus side:
+
+```yaml
+remote_write:
+  - url: "https://localhost:9201/write"
+    tls_config:
+        cert_file: "/etc/prometheus/my_key.pem"
+        key_file: "/etc/prometheus/my_key.key"
+        # Disable validation of the server certificate.
+        #insecure_skip_verify: true
+```
+
+
+## Histograms and types [_histograms_and_types_2]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+```yaml
+metricbeat.modules:
+- module: prometheus
+  metricsets: ["remote_write"]
+  host: "localhost"
+  port: "9201"
+  use_types: true
+  rate_counters: true
+  period: 60s
+```
+
+`use_types` parameter (default: false) enables a different layout for metrics storage, leveraging Elasticsearch types, including [histograms](elasticsearch://reference/elasticsearch/mapping-reference/histogram.md).
+
+`rate_counters` parameter (default: false) enables calculating a rate out of Prometheus counters. When enabled, Metricbeat stores the counter increment since the last collection. This metric should make some aggregations easier and with better performance. This parameter can only be enabled in combination with `use_types`.
+
+`period` parameter (default: 60s) configures the timeout of internal cache, which stores counter values in order to calculate rates between consecutive fetches. The parameter will be validated and all values lower than 60sec will be reset to the default value.
+
+Note that by default prometheus pushes data with the interval of 60s (in remote write). In case that prometheus push rate is changed, the `period` parameter needs to be configured accordingly.
+
+When `use_types` and `rate_counters` are enabled, metrics are stored like this:
+
+```json
+{
+    "prometheus": {
+        "labels": {
+            "instance": "172.27.0.2:9090",
+            "job": "prometheus"
+        },
+        "prometheus_target_interval_length_seconds_count": {
+            "counter": 1,
+            "rate": 0
+        },
+        "prometheus_target_interval_length_seconds_sum": {
+            "counter": 15.000401344,
+            "rate": 0
+        }
+        "prometheus_tsdb_compaction_chunk_range_seconds_bucket": {
+            "histogram": {
+                "values": [50, 300, 1000, 4000, 16000],
+                "counts": [10, 2, 34, 7]
+            }
+        }
+    },
+}
+```
+
+
+### Types' patterns [_types_patterns]
+
+Unlike `collector` metricset, `remote_write` receives metrics in raw format from the prometheus server. In this, the module has to internally use a heuristic in order to identify efficiently the type of each raw metric. For these purpose some name patterns are used in order to identify the type of each metric. The default patterns are the following:
+
+1. `_total` suffix: the metric is of Counter type
+2. `_sum` suffix: the metric is of Counter type
+3. `_count` suffix: the metric is of Counter type
+4. `_bucket` suffix and `le` in labels: the metric is of Histogram type
+
+Everything else is handled as a Gauge. In addition there is no special handling for Summaries so it is expected that Summary’s quantiles are handled as Gauges and Summary’s sum and count as Counters.
+
+Users have the flexibility to add their own patterns using the following configuration:
+
+```yaml
+metricbeat.modules:
+- module: prometheus
+  metricsets: ["remote_write"]
+  host: "localhost"
+  port: "9201"
+  types_patterns:
+    counter_patterns: ["_my_counter_suffix"]
+    histogram_patterns: ["_my_histogram_suffix"]
+```
+
+The configuration above will consider metrics with names that match `_my_counter_suffix` as Counters and those that match `_my_histogram_suffix` (and have `le` in their labels) as Histograms.
+
+To match only specific metrics, anchor the start and the end of the regexp of each metric:
+
+* the caret `^` matches the beginning of a text or line,
+* the dollar sign `$` matches the end of a text.
+
+```yaml
+metricbeat.modules:
+- module: prometheus
+  metricsets: ["remote_write"]
+  host: "localhost"
+  port: "9201"
+  types_patterns:
+    histogram_patterns: ["^my_histogram_metric$"]
+```
+
+Note that when using `types_patterns`, the provided patterns have higher priority than the default patterns. For instance if `_histogram_total` is a defined histogram pattern, then a metric like `network_bytes_histogram_total` will be handled as a histogram, even if it has the suffix `_total` which is a default pattern for counters.
+
+## Fields [_fields_212]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-prometheus.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2020-02-28T13:55:37.221Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "service": {
+        "type": "prometheus"
+    },
+    "agent": {
+        "version": "8.0.0",
+        "type": "metricbeat",
+        "ephemeral_id": "ead09243-0aa0-4fd2-8732-1e09a6d36338",
+        "hostname": "host1",
+        "id": "bd12ee45-881f-48e4-af20-13b139548607"
+    },
+    "ecs": {
+        "version": "1.4.0"
+    },
+    "host": {},
+    "event": {
+        "dataset": "prometheus.remote_write",
+        "module": "prometheus"
+    },
+    "metricset": {
+        "name": "remote_write"
+    },
+    "prometheus": {
+        "metrics": {
+            "container_tasks_state": 0
+        },
+        "labels": {
+            "name": "nodeexporter",
+            "id": "/docker/1d6ec1931c9b527d4fe8e28d9c798f6ec612f48af51949f3219b5ca77e120b10",
+            "container_label_com_docker_compose_oneoff": "False",
+            "instance": "cadvisor:8080",
+            "container_label_com_docker_compose_service": "nodeexporter",
+            "state": "iowaiting",
+            "monitor": "docker-host-alpha",
+            "container_label_com_docker_compose_project": "dockprom",
+            "job": "cadvisor",
+            "image": "prom/node-exporter:v0.18.1",
+            "container_label_maintainer": "The Prometheus Authors <prometheus-developers@googlegroups.com>",
+            "container_label_com_docker_compose_config_hash": "2cc2fedf6da5ff0996a209d9801fb74962a8f4c21e44be03ed82659817d9e7f9",
+            "container_label_com_docker_compose_version": "1.24.1",
+            "container_label_com_docker_compose_container_number": "1",
+            "container_label_org_label_schema_group": "monitoring"
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-rabbitmq-connection.md b/docs/reference/metricbeat/metricbeat-metricset-rabbitmq-connection.md
new file mode 100644
index 000000000000..86a26915c73d
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-rabbitmq-connection.md
@@ -0,0 +1,72 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-rabbitmq-connection.html
+---
+
+# RabbitMQ connection metricset [metricbeat-metricset-rabbitmq-connection]
+
+This is the `connection` metricset of the RabbitMQ module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_213]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-rabbitmq.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "rabbitmq.connection",
+        "duration": 115000,
+        "module": "rabbitmq"
+    },
+    "metricset": {
+        "name": "connection",
+        "period": 10000
+    },
+    "rabbitmq": {
+        "connection": {
+            "channel_max": 65535,
+            "channels": 2,
+            "client_provided": {
+                "name": "Connection2"
+            },
+            "frame_max": 131072,
+            "host": "::1",
+            "name": "[::1]:60940 -\u003e [::1]:5672",
+            "octet_count": {
+                "received": 3057,
+                "sent": 3344
+            },
+            "packet_count": {
+                "pending": 0,
+                "received": 352,
+                "sent": 352
+            },
+            "peer": {
+                "host": "::1",
+                "port": 60940
+            },
+            "port": 5672,
+            "state": "running",
+            "type": "network"
+        },
+        "node": {
+            "name": "nodename"
+        },
+        "vhost": "/"
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "rabbitmq"
+    },
+    "user": {
+        "name": "guest"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-rabbitmq-exchange.md b/docs/reference/metricbeat/metricbeat-metricset-rabbitmq-exchange.md
new file mode 100644
index 000000000000..f91b23431a4a
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-rabbitmq-exchange.md
@@ -0,0 +1,64 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-rabbitmq-exchange.html
+---
+
+# RabbitMQ exchange metricset [metricbeat-metricset-rabbitmq-exchange]
+
+This is the exchange metricset of the module rabbitmq.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_214]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-rabbitmq.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "rabbitmq.exchange",
+        "duration": 115000,
+        "module": "rabbitmq"
+    },
+    "metricset": {
+        "name": "exchange"
+    },
+    "rabbitmq": {
+        "exchange": {
+            "arguments": {},
+            "auto_delete": false,
+            "durable": true,
+            "internal": false,
+            "messages": {
+                "publish_in": {
+                    "count": 100,
+                    "details": {
+                        "rate": 0.5
+                    }
+                },
+                "publish_out": {
+                    "count": 99,
+                    "details": {
+                        "rate": 0.9
+                    }
+                }
+            },
+            "name": "exchange.name",
+            "type": "fanout"
+        },
+        "vhost": "/"
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "rabbitmq"
+    },
+    "user": {
+        "name": "guest"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-rabbitmq-node.md b/docs/reference/metricbeat/metricbeat-metricset-rabbitmq-node.md
new file mode 100644
index 000000000000..020ca8033705
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-rabbitmq-node.md
@@ -0,0 +1,160 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-rabbitmq-node.html
+---
+
+# RabbitMQ node metricset [metricbeat-metricset-rabbitmq-node]
+
+This is the `node` metricset of the RabbitMQ module and collects metrics about RabbitMQ nodes.
+
+The metricset has two modes to collect data which can be selected with the `node.collect` setting:
+
+* `node`: collects metrics only from the node `metricbeat` connects to. This is the default, as it is recommended to deploy `metricbeat` in all nodes.
+* `cluster`: collects metrics from all the nodes in the cluster. This is recommended when collecting metrics of an only endpoint for the whole cluster.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_215]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-rabbitmq.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "rabbitmq.node",
+        "duration": 115000,
+        "module": "rabbitmq"
+    },
+    "metricset": {
+        "name": "node"
+    },
+    "rabbitmq": {
+        "node": {
+            "disk": {
+                "free": {
+                    "bytes": 485213712384,
+                    "limit": {
+                        "bytes": 50000000
+                    }
+                }
+            },
+            "fd": {
+                "total": 1048576,
+                "used": 54
+            },
+            "gc": {
+                "num": {
+                    "count": 5724
+                },
+                "reclaimed": {
+                    "bytes": 294021640
+                }
+            },
+            "io": {
+                "file_handle": {
+                    "open_attempt": {
+                        "avg": {
+                            "ms": 0
+                        },
+                        "count": 10
+                    }
+                },
+                "read": {
+                    "avg": {
+                        "ms": 0
+                    },
+                    "bytes": 1,
+                    "count": 1
+                },
+                "reopen": {
+                    "count": 1
+                },
+                "seek": {
+                    "avg": {
+                        "ms": 0
+                    },
+                    "count": 0
+                },
+                "sync": {
+                    "avg": {
+                        "ms": 0
+                    },
+                    "count": 0
+                },
+                "write": {
+                    "avg": {
+                        "ms": 0
+                    },
+                    "bytes": 0,
+                    "count": 0
+                }
+            },
+            "mem": {
+                "limit": {
+                    "bytes": 13340778496
+                },
+                "used": {
+                    "bytes": 71448312
+                }
+            },
+            "mnesia": {
+                "disk": {
+                    "tx": {
+                        "count": 0
+                    }
+                },
+                "ram": {
+                    "tx": {
+                        "count": 43
+                    }
+                }
+            },
+            "msg": {
+                "store_read": {
+                    "count": 0
+                },
+                "store_write": {
+                    "count": 0
+                }
+            },
+            "name": "rabbit@my-rabbit",
+            "proc": {
+                "total": 1048576,
+                "used": 234
+            },
+            "processors": 12,
+            "queue": {
+                "index": {
+                    "journal_write": {
+                        "count": 0
+                    },
+                    "read": {
+                        "count": 0
+                    },
+                    "write": {
+                        "count": 0
+                    }
+                }
+            },
+            "run": {
+                "queue": 0
+            },
+            "socket": {
+                "total": 943626,
+                "used": 0
+            },
+            "type": "disc",
+            "uptime": 155275
+        }
+    },
+    "service": {
+        "address": "172.17.0.2:15672",
+        "type": "rabbitmq"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-rabbitmq-queue.md b/docs/reference/metricbeat/metricbeat-metricset-rabbitmq-queue.md
new file mode 100644
index 000000000000..e3faeaf1e81e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-rabbitmq-queue.md
@@ -0,0 +1,92 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-rabbitmq-queue.html
+---
+
+# RabbitMQ queue metricset [metricbeat-metricset-rabbitmq-queue]
+
+This is the queue metricset of the module rabbitmq.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_216]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-rabbitmq.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "rabbitmq.queue",
+        "duration": 115000,
+        "module": "rabbitmq"
+    },
+    "metricset": {
+        "name": "queue"
+    },
+    "rabbitmq": {
+        "node": {
+            "name": "rabbit@localhost"
+        },
+        "queue": {
+            "arguments": {
+                "max_priority": 9
+            },
+            "auto_delete": false,
+            "consumers": {
+                "count": 3,
+                "utilisation": {
+                    "pct": 0.7
+                }
+            },
+            "disk": {
+                "reads": {
+                    "count": 212
+                },
+                "writes": {
+                    "count": 121
+                }
+            },
+            "durable": true,
+            "exclusive": false,
+            "memory": {
+                "bytes": 232720
+            },
+            "messages": {
+                "persistent": {
+                    "count": 73
+                },
+                "ready": {
+                    "count": 71,
+                    "details": {
+                        "rate": 0
+                    }
+                },
+                "total": {
+                    "count": 74,
+                    "details": {
+                        "rate": 2.2
+                    }
+                },
+                "unacknowledged": {
+                    "count": 3,
+                    "details": {
+                        "rate": 0.5
+                    }
+                }
+            },
+            "name": "queuenamehere",
+            "state": "running"
+        },
+        "vhost": "/"
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "type": "rabbitmq"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-rabbitmq-shovel.md b/docs/reference/metricbeat/metricbeat-metricset-rabbitmq-shovel.md
new file mode 100644
index 000000000000..38594eb791fa
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-rabbitmq-shovel.md
@@ -0,0 +1,53 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-rabbitmq-shovel.html
+---
+
+# RabbitMQ shovel metricset [metricbeat-metricset-rabbitmq-shovel]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the shovel metricset of the module rabbitmq.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_217]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-rabbitmq.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "rabbitmq.shovel",
+        "duration": 115000,
+        "module": "rabbitmq"
+    },
+    "metricset": {
+        "name": "shovel",
+        "period": 10000
+    },
+    "rabbitmq": {
+        "node": {
+            "name": "rabbit@localhost"
+        },
+        "shovel": {
+            "name": "testshovel",
+            "state": "running",
+            "type": "dynamic"
+        },
+        "vhost": "/"
+    },
+    "service": {
+        "address": "127.0.0.1:60847",
+        "type": "rabbitmq"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-redis-info.md b/docs/reference/metricbeat/metricbeat-metricset-redis-info.md
new file mode 100644
index 000000000000..94ad0b1b686f
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-redis-info.md
@@ -0,0 +1,217 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-redis-info.html
+---
+
+# Redis info metricset [metricbeat-metricset-redis-info]
+
+The Redis `info` metricset collects information and statistics from Redis by running the [`INFO`](http://redis.io/commands/INFO) command and parsing the returned result.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_218]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-redis.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "redis.info",
+        "duration": 115000,
+        "module": "redis"
+    },
+    "metricset": {
+        "name": "info",
+        "period": 10000
+    },
+    "os": {
+        "full": "Linux 5.10.47-linuxkit x86_64"
+    },
+    "process": {
+        "pid": 1
+    },
+    "redis": {
+        "info": {
+            "clients": {
+                "blocked": 0,
+                "connected": 2,
+                "max_input_buffer": 0,
+                "max_output_buffer": 0
+            },
+            "cluster": {
+                "enabled": false
+            },
+            "commandstats": {
+                "info": {
+                    "calls": 3,
+                    "usec": 241,
+                    "usec_per_call": 80.33
+                },
+                "slowlog": {
+                    "calls": 3,
+                    "usec": 22,
+                    "usec_per_call": 7.33
+                }
+            },
+            "cpu": {
+                "used": {
+                    "sys": 0.85,
+                    "sys_children": 0,
+                    "user": 0.14,
+                    "user_children": 0
+                }
+            },
+            "memory": {
+                "active_defrag": {},
+                "allocator": "jemalloc-4.0.3",
+                "allocator_stats": {
+                    "fragmentation": {},
+                    "rss": {}
+                },
+                "fragmentation": {
+                    "ratio": 2.74
+                },
+                "max": {
+                    "policy": "noeviction",
+                    "value": 0
+                },
+                "used": {
+                    "lua": 37888,
+                    "peak": 843312,
+                    "rss": 2310144,
+                    "value": 843312
+                }
+            },
+            "persistence": {
+                "aof": {
+                    "bgrewrite": {
+                        "last_status": "ok"
+                    },
+                    "buffer": {},
+                    "copy_on_write": {},
+                    "enabled": false,
+                    "fsync": {},
+                    "rewrite": {
+                        "buffer": {},
+                        "current_time": {
+                            "sec": -1
+                        },
+                        "in_progress": false,
+                        "last_time": {
+                            "sec": -1
+                        },
+                        "scheduled": false
+                    },
+                    "size": {},
+                    "write": {
+                        "last_status": "ok"
+                    }
+                },
+                "loading": false,
+                "rdb": {
+                    "bgsave": {
+                        "current_time": {
+                            "sec": -1
+                        },
+                        "in_progress": false,
+                        "last_status": "ok",
+                        "last_time": {
+                            "sec": -1
+                        }
+                    },
+                    "copy_on_write": {},
+                    "last_save": {
+                        "changes_since": 0,
+                        "time": 1642155583
+                    }
+                }
+            },
+            "replication": {
+                "backlog": {
+                    "active": 0,
+                    "first_byte_offset": 0,
+                    "histlen": 0,
+                    "size": 1048576
+                },
+                "connected_slaves": 0,
+                "master": {
+                    "offset": 0,
+                    "sync": {}
+                },
+                "role": "master",
+                "slave": {}
+            },
+            "server": {
+                "arch_bits": "64",
+                "build_id": "b9a4cd86ce8027d3",
+                "config_file": "",
+                "gcc_version": "6.4.0",
+                "git_dirty": "0",
+                "git_sha1": "00000000",
+                "hz": 10,
+                "lru_clock": 14765805,
+                "mode": "standalone",
+                "multiplexing_api": "epoll",
+                "run_id": "567ea825bae461f81d687f671c6cfaef5c1e45c7",
+                "tcp_port": 6379,
+                "uptime": 174
+            },
+            "slowlog": {
+                "count": 0
+            },
+            "stats": {
+                "active_defrag": {},
+                "commands_processed": 6,
+                "connections": {
+                    "received": 164,
+                    "rejected": 0
+                },
+                "instantaneous": {
+                    "input_kbps": 0,
+                    "ops_per_sec": 0,
+                    "output_kbps": 0
+                },
+                "keys": {
+                    "evicted": 0,
+                    "expired": 0
+                },
+                "keyspace": {
+                    "hits": 0,
+                    "misses": 0
+                },
+                "latest_fork_usec": 0,
+                "migrate_cached_sockets": 0,
+                "net": {
+                    "input": {
+                        "bytes": 170
+                    },
+                    "output": {
+                        "bytes": 6593
+                    }
+                },
+                "pubsub": {
+                    "channels": 0,
+                    "patterns": 0
+                },
+                "sync": {
+                    "full": 0,
+                    "partial": {
+                        "err": 0,
+                        "ok": 0
+                    }
+                }
+            }
+        }
+    },
+    "service": {
+        "address": "localhost:63118",
+        "type": "redis",
+        "version": "3.2.12"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-redis-key.md b/docs/reference/metricbeat/metricbeat-metricset-redis-key.md
new file mode 100644
index 000000000000..14566816330f
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-redis-key.md
@@ -0,0 +1,79 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-redis-key.html
+---
+
+# Redis key metricset [metricbeat-metricset-redis-key]
+
+The Redis `key` metricset collects information about Redis keys.
+
+For each key matching one of the configured patterns, an event is sent to Elasticsearch with information about this key, what includes the type, its length when available, and its ttl.
+
+Patterns are configured as a list containing these fields:
+
+* `pattern` (required): pattern for key names, as accepted by the Redis `KEYS` or `SCAN` commands.
+* `limit` (optional): safeguard when using patterns with wildcards to avoid collecting too many keys (Default: 0, no limit)
+* `keyspace` (optional): Identifier of the database to use to look for the keys (Default: 0)
+
+For example the following configuration will collect information about all keys whose name starts with `pipeline-*`, with a limit of 20 keys.
+
+```yaml
+- module: redis
+  metricsets: ['key']
+  key.patterns:
+    - pattern: 'pipeline-*'
+      limit: 20
+```
+
+
+## Dashboard [_dashboard_39]
+
+The Redis key metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat_redis_key_dashboard.png
+:alt: metricbeat redis key dashboard
+:::
+
+## Fields [_fields_219]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-redis.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "dataset": "redis.key",
+        "duration": 115000,
+        "module": "redis"
+    },
+    "metricset": {
+        "name": "key"
+    },
+    "redis": {
+        "key": {
+            "expire": {
+                "ttl": 360
+            },
+            "id": "0:foo",
+            "length": 3,
+            "name": "foo",
+            "type": "string"
+        },
+        "keyspace": {
+            "id": "db0"
+        }
+    },
+    "service": {
+        "address": "127.0.0.1:6379",
+        "type": "redis"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-redis-keyspace.md b/docs/reference/metricbeat/metricbeat-metricset-redis-keyspace.md
new file mode 100644
index 000000000000..2dcc53f59b62
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-redis-keyspace.md
@@ -0,0 +1,48 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-redis-keyspace.html
+---
+
+# Redis keyspace metricset [metricbeat-metricset-redis-keyspace]
+
+The Redis `keyspace` metricset collects information about the Redis keyspaces. For each keyspace, an event is sent to Elasticsearch. The keyspace information is fetched from the [`INFO`](http://redis.io/commands/INFO) command.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_220]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-redis.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "dataset": "redis.keyspace",
+        "duration": 115000,
+        "module": "redis"
+    },
+    "metricset": {
+        "name": "keyspace"
+    },
+    "redis": {
+        "keyspace": {
+            "avg_ttl": 359459,
+            "expires": 0,
+            "id": "db0",
+            "keys": 1
+        }
+    },
+    "service": {
+        "address": "127.0.0.1:6379",
+        "type": "redis"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-redisenterprise-node.md b/docs/reference/metricbeat/metricbeat-metricset-redisenterprise-node.md
new file mode 100644
index 000000000000..fc3728df48c9
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-redisenterprise-node.md
@@ -0,0 +1,110 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-redisenterprise-node.html
+---
+
+# Redis Enterprise node metricset [metricbeat-metricset-redisenterprise-node]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `node` metricset of the redisenterprise module. The metricset is compatible with Redis Enterprise Software.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_221]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-redisenterprise.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2020-02-21T08:25:46.123Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "metricset": {
+        "period": 60000,
+        "name": "node"
+    },
+    "service": {
+        "type": "redisenterprise",
+        "address": "127.0.0.1:8070"
+    },
+    "ecs": {
+        "version": "1.4.0"
+    },
+    "host": {
+        "hostname": "host",
+        "architecture": "x86_64",
+        "os": {
+            "family": "darwin",
+            "name": "Mac OS X",
+            "kernel": "18.7.0",
+            "build": "18G95",
+            "platform": "darwin",
+            "version": "10.14.6"
+        },
+        "name": "host",
+        "id": "24F065F8-4274-521D-8DD5-5D27557E15B4",
+        "ip": [
+            "fe80::aede:48ff:fe00:1122",
+            "fe80::1c05:593c:e271:97ed",
+            "192.168.0.14",
+            "fe80::488c:55ff:fe4e:3b46",
+            "fe80::def:1653:5676:ea4e",
+            "fe80::f191:956a:99ff:1b98",
+            "fe80::3128:a84c:7b38:e3a9"
+        ],
+        "mac": [
+            "ac:de:48:00:11:22",
+            "a6:83:e7:ae:70:01",
+            "a4:83:e7:ae:70:01",
+            "06:83:e7:ae:70:01"
+        ]
+    },
+    "agent": {
+        "ephemeral_id": "de3a043f-a71f-441e-b730-ca12a8f7fc49",
+        "hostname": "MacBook-Elastic.local",
+        "id": "993db589-f9d8-40f3-94cb-43b2b69fa9f4",
+        "version": "8.0.0",
+        "type": "metricbeat"
+    },
+    "prometheus": {
+        "labels": {
+            "cluster": "cluster.local",
+            "node": "1",
+            "instance": "127.0.0.1:8070",
+            "job": "redisenterprise"
+        },
+        "metrics": {
+            "node_cpu_steal_median": 0,
+            "node_cpu_irqs_max": 0.001,
+            "node_cpu_user_min": 0.021,
+            "node_cpu_iowait_median": 0,
+            "node_cur_aof_rewrites": 0,
+            "node_ingress_bytes_min": 0,
+            "node_ingress_bytes_median": 0,
+            "node_cpu_idle_min": 0.929,
+            "node_cpu_iowait_max": 0,
+            "node_cpu_irqs": 0.0003333333333333333,
+            "node_available_memory": 6.262083584e+09,
+            "node_provisional_memory_no_overbooking": 4.757468584333e+09,
+            "node_cpu_idle": 0.9303333333333335,
+            "node_cpu_steal_max": 0
+        }
+    },
+    "event": {
+        "dataset": "redisenterprise.node",
+        "module": "redisenterprise",
+        "duration": 51870343
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-redisenterprise-proxy.md b/docs/reference/metricbeat/metricbeat-metricset-redisenterprise-proxy.md
new file mode 100644
index 000000000000..ef1ec8636311
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-redisenterprise-proxy.md
@@ -0,0 +1,112 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-redisenterprise-proxy.html
+---
+
+# Redis Enterprise proxy metricset [metricbeat-metricset-redisenterprise-proxy]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `proxy` metricset of the redisenterprise module. The metricset is compatible with Redis Enterprise Software.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_222]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-redisenterprise.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2020-02-21T08:25:46.123Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "metricset": {
+        "period": 60000,
+        "name": "proxy"
+    },
+    "service": {
+        "type": "redisenterprise",
+        "address": "127.0.0.1:8070"
+    },
+    "ecs": {
+        "version": "1.4.0"
+    },
+    "host": {
+        "hostname": "host",
+        "architecture": "x86_64",
+        "os": {
+            "family": "darwin",
+            "name": "Mac OS X",
+            "kernel": "18.7.0",
+            "build": "18G95",
+            "platform": "darwin",
+            "version": "10.14.6"
+        },
+        "name": "host",
+        "id": "24F065F8-4274-521D-8DD5-5D27557E15B4",
+        "ip": [
+            "fe80::aede:48ff:fe00:1122",
+            "fe80::1c05:593c:e271:97ed",
+            "192.168.0.14",
+            "fe80::488c:55ff:fe4e:3b46",
+            "fe80::def:1653:5676:ea4e",
+            "fe80::f191:956a:99ff:1b98",
+            "fe80::3128:a84c:7b38:e3a9"
+        ],
+        "mac": [
+            "ac:de:48:00:11:22",
+            "a6:83:e7:ae:70:01",
+            "a4:83:e7:ae:70:01",
+            "06:83:e7:ae:70:01"
+        ]
+    },
+    "agent": {
+        "ephemeral_id": "de3a043f-a71f-441e-b730-ca12a8f7fc49",
+        "hostname": "MacBook-Elastic.local",
+        "id": "993db589-f9d8-40f3-94cb-43b2b69fa9f4",
+        "version": "8.0.0",
+        "type": "metricbeat"
+    },
+    "prometheus": {
+        "labels": {
+            "cluster": "cluster.local",
+            "proxy": "1",
+            "instance": "127.0.0.1:8070",
+            "job": "redisenterprise"
+        },
+        "metrics": {
+            "listener_acc_latency": 0,
+            "listener_acc_latency_max": 0,
+            "listener_acc_other_latency": 0,
+            "listener_acc_other_latency_max": 0,
+            "listener_acc_read_latency": 0,
+            "listener_acc_read_latency_max": 0,
+            "listener_acc_write_latency": 0,
+            "listener_acc_write_latency_max": 0,
+            "listener_auth_cmds": 0,
+            "listener_auth_cmds_max": 0,
+            "listener_auth_errors": 0,
+            "listener_auth_errors_max": 0,
+            "listener_cmd_flush": 0,
+            "listener_cmd_flush_max": 0,
+            "listener_cmd_get": 0,
+            "listener_cmd_get_max": 0
+        }
+    },
+    "event": {
+        "dataset": "redisenterprise.proxy",
+        "module": "redisenterprise",
+        "duration": 51870343
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-sql-query.md b/docs/reference/metricbeat/metricbeat-metricset-sql-query.md
new file mode 100644
index 000000000000..4272fabdc313
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-sql-query.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-sql-query.html
+---
+
+# SQL query metricset [metricbeat-metricset-sql-query]
+
+The sql `query` metricset collects rows returned by a query.
+
+Field names (columns) are returned as lowercase strings. Values are returned as numeric or string.
+
+## Fields [_fields_223]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-sql.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "sql.query",
+        "duration": 115000,
+        "module": "sql"
+    },
+    "metricset": {
+        "name": "query",
+        "period": 10000
+    },
+    "service": {
+        "address": "localhost:65194",
+        "type": "sql"
+    },
+    "sql": {
+        "driver": "mysql",
+        "metrics": {
+            "engine": "InnoDB",
+            "table_name": "db",
+            "table_rows": 2,
+            "table_schema": "mysql"
+        },
+        "query": "select table_schema, table_name, engine, table_rows from information_schema.tables where table_rows \u003e 0;"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-stan-channels.md b/docs/reference/metricbeat/metricbeat-metricset-stan-channels.md
new file mode 100644
index 000000000000..fc112dcae5d8
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-stan-channels.md
@@ -0,0 +1,53 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-stan-channels.html
+---
+
+# Stan channels metricset [metricbeat-metricset-stan-channels]
+
+Top-level streaming server (STAN) channel statistics
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_224]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-stan.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "stan.channels",
+        "duration": 115000,
+        "module": "stan"
+    },
+    "metricset": {
+        "name": "channels",
+        "period": 10000
+    },
+    "service": {
+        "address": "localhost:32770",
+        "type": "stan"
+    },
+    "stan": {
+        "channels": {
+            "bytes": 1023999504,
+            "depth": 977951,
+            "first_seq": 6166399,
+            "last_seq": 7144430,
+            "messages": 978032,
+            "name": "bar"
+        },
+        "cluster": {
+            "id": "test-cluster"
+        },
+        "server": {
+            "id": "mNKuLCRmOZD79arLFAXiaJ"
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-stan-stats.md b/docs/reference/metricbeat/metricbeat-metricset-stan-stats.md
new file mode 100644
index 000000000000..416f16067b44
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-stan-stats.md
@@ -0,0 +1,53 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-stan-stats.html
+---
+
+# Stan stats metricset [metricbeat-metricset-stan-stats]
+
+Streaming server statistics (STAN)
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_225]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-stan.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "stan.stats",
+        "duration": 115000,
+        "module": "stan"
+    },
+    "metricset": {
+        "name": "stats",
+        "period": 10000
+    },
+    "service": {
+        "address": "localhost:32768",
+        "type": "stan"
+    },
+    "stan": {
+        "cluster": {
+            "id": "test-cluster"
+        },
+        "server": {
+            "id": "IcYma3g7cxFU6AUhN9flMe"
+        },
+        "stats": {
+            "bytes": 0,
+            "channels": 0,
+            "clients": 0,
+            "messages": 0,
+            "state": "STANDALONE",
+            "subscriptions": 0
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-stan-subscriptions.md b/docs/reference/metricbeat/metricbeat-metricset-stan-subscriptions.md
new file mode 100644
index 000000000000..3d92b72f0495
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-stan-subscriptions.md
@@ -0,0 +1,53 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-stan-subscriptions.html
+---
+
+# Stan subscriptions metricset [metricbeat-metricset-stan-subscriptions]
+
+NATS streaming server (STAN) subscription statistics
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_226]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-stan.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "stan.subscriptions",
+        "duration": 115000,
+        "module": "stan"
+    },
+    "metricset": {
+        "name": "subscriptions",
+        "period": 10000
+    },
+    "service": {
+        "address": "localhost:32770",
+        "type": "stan"
+    },
+    "stan": {
+        "cluster": {
+            "id": "test-cluster"
+        },
+        "server": {
+            "id": "mNKuLCRmOZD79arLFAXiaJ"
+        },
+        "subscriptions": {
+            "channel": "bar",
+            "id": "benchmark-sub-2",
+            "last_sent": 7195645,
+            "offline": false,
+            "pending": 1024,
+            "stalled": true
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-statsd-server.md b/docs/reference/metricbeat/metricbeat-metricset-statsd-server.md
new file mode 100644
index 000000000000..eb0dad4c8658
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-statsd-server.md
@@ -0,0 +1,125 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-statsd-server.html
+---
+
+# Statsd server metricset [metricbeat-metricset-statsd-server]
+
+This is the `server` metricset of the `statsd` module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_227]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-statsd.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "labels": {
+        "k1": "v1",
+        "k2": "v2"
+    },
+    "service": {
+        "type": "statsd"
+    },
+    "statsd": {
+        "metric01": {
+            "value": 1
+        },
+        "metric02": {
+            "count": 2
+        },
+        "metric03": {
+            "count": 30
+        },
+        "metric04": {
+            "15m_rate": 0,
+            "1m_rate": 0,
+            "5m_rate": 0,
+            "count": 1,
+            "max": 4,
+            "mean": 4,
+            "mean_rate": 133262.26012793178,
+            "median": 4,
+            "min": 4,
+            "p75": 4,
+            "p95": 4,
+            "p99": 4,
+            "p99_9": 4,
+            "stddev": 0
+        },
+        "metric05": {
+            "count": 1,
+            "max": 5,
+            "mean": 5,
+            "median": 5,
+            "min": 5,
+            "p75": 5,
+            "p95": 5,
+            "p99": 5,
+            "p99_9": 5,
+            "stddev": 0
+        },
+        "metric06": {
+            "count": 1,
+            "max": 6,
+            "mean": 6,
+            "median": 6,
+            "min": 6,
+            "p75": 6,
+            "p95": 6,
+            "p99": 6,
+            "p99_9": 6,
+            "stddev": 0
+        },
+        "metric07": {
+            "15m_rate": 0,
+            "1m_rate": 0,
+            "5m_rate": 0,
+            "count": 1,
+            "max": 7,
+            "mean": 7,
+            "mean_rate": 378787.8787878788,
+            "median": 7,
+            "min": 7,
+            "p75": 7,
+            "p95": 7,
+            "p99": 7,
+            "p99_9": 7,
+            "stddev": 0
+        },
+        "metric08": {
+            "count": 1
+        },
+        "metric09": {
+            "count": 1,
+            "max": 8,
+            "mean": 8,
+            "median": 8,
+            "min": 8,
+            "p75": 8,
+            "p95": 8,
+            "p99": 8,
+            "p99_9": 8,
+            "stddev": 0
+        },
+        "metric10_with_dots": {
+            "count": 1,
+            "max": 9,
+            "mean": 9,
+            "median": 9,
+            "min": 9,
+            "p75": 9,
+            "p95": 9,
+            "p99": 9,
+            "p99_9": 9,
+            "stddev": 0
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-syncgateway-db.md b/docs/reference/metricbeat/metricbeat-metricset-syncgateway-db.md
new file mode 100644
index 000000000000..2cba32376ae8
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-syncgateway-db.md
@@ -0,0 +1,232 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-syncgateway-db.html
+---
+
+# SyncGateway db metricset [metricbeat-metricset-syncgateway-db]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+SyncGateway `db` metriset contains the most relevant information of the module about the db metrics
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_228]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-syncgateway.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "syncgateway.db",
+        "duration": 115000,
+        "module": "syncgateway"
+    },
+    "metricset": {
+        "name": "db",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:44949",
+        "type": "syncgateway"
+    },
+    "syncgateway": {
+        "db": {
+            "cache": {
+                "channel": {
+                    "hits": 0,
+                    "misses": 0,
+                    "revs": {
+                        "active": 0,
+                        "removal": 0,
+                        "tombstone": 0
+                    }
+                },
+                "revs": {
+                    "hits": 0,
+                    "misses": 0
+                }
+            },
+            "cbl": {
+                "replication": {
+                    "pull": {
+                        "active": {
+                            "continuous": 0,
+                            "count": 0,
+                            "one_shot": 0
+                        },
+                        "attachment": {
+                            "bytes": 0,
+                            "count": 0
+                        },
+                        "caught_up": 0,
+                        "request_changes": {
+                            "count": 0,
+                            "time": 0
+                        },
+                        "rev": {
+                            "processing_time": 0,
+                            "send": {
+                                "count": 0,
+                                "latency": 0
+                            }
+                        },
+                        "since_zero": 0,
+                        "total": {
+                            "continuous": 0,
+                            "one_shot": 0
+                        }
+                    },
+                    "push": {
+                        "attachment": {
+                            "bytes": 0,
+                            "count": 0
+                        },
+                        "doc_push_count": 0,
+                        "propose_change": {
+                            "count": 0,
+                            "time": 0
+                        },
+                        "sync_function": {
+                            "count": 0,
+                            "time": 0
+                        },
+                        "write_processing_time": 0
+                    }
+                }
+            },
+            "gsi": {
+                "views": {
+                    "access": {
+                        "query": {
+                            "count": 1,
+                            "error": {
+                                "count": 0
+                            },
+                            "time": 214030402
+                        }
+                    },
+                    "all_docs": {
+                        "query": {
+                            "count": 0,
+                            "error": {
+                                "count": 0
+                            },
+                            "time": 0
+                        }
+                    },
+                    "channels": {
+                        "query": {
+                            "count": 0,
+                            "error": {
+                                "count": 0
+                            },
+                            "time": 0
+                        },
+                        "star": {
+                            "query": {
+                                "count": 0,
+                                "error": {
+                                    "count": 0
+                                },
+                                "time": 0
+                            }
+                        }
+                    },
+                    "principals": {
+                        "query": {
+                            "count": 0,
+                            "error": {
+                                "count": 0
+                            },
+                            "time": 0
+                        }
+                    },
+                    "resync": {
+                        "query": {
+                            "count": 0,
+                            "error": {
+                                "count": 0
+                            },
+                            "time": 0
+                        }
+                    },
+                    "role_access": {
+                        "query": {
+                            "count": 1,
+                            "error": {
+                                "count": 0
+                            },
+                            "time": 197753953
+                        }
+                    },
+                    "sequences": {
+                        "query": {
+                            "count": 0,
+                            "error": {
+                                "count": 0
+                            },
+                            "time": 0
+                        }
+                    },
+                    "sessions": {
+                        "query": {
+                            "count": 0,
+                            "error": {
+                                "count": 0
+                            },
+                            "time": 0
+                        }
+                    },
+                    "tombstones": {
+                        "query": {
+                            "count": 0,
+                            "error": {
+                                "count": 0
+                            },
+                            "time": 0
+                        }
+                    }
+                }
+            },
+            "metrics": {
+                "docs": {
+                    "writes": {
+                        "bytes": 2542924,
+                        "conflict": {
+                            "count": 0
+                        },
+                        "count": 7303
+                    }
+                },
+                "replications": {
+                    "active": 0,
+                    "total": 0
+                }
+            },
+            "name": "beer-sample",
+            "security": {
+                "access_errors": {
+                    "count": 0
+                },
+                "auth": {
+                    "failed": {
+                        "count": 0
+                    }
+                },
+                "docs_rejected": {
+                    "count": 0
+                }
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-syncgateway-memory.md b/docs/reference/metricbeat/metricbeat-metricset-syncgateway-memory.md
new file mode 100644
index 000000000000..7e2e04e557ca
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-syncgateway-memory.md
@@ -0,0 +1,73 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-syncgateway-memory.html
+---
+
+# SyncGateway memory metricset [metricbeat-metricset-syncgateway-memory]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+SyncGateway `memory` metriset contains detailed information about the memory usage of the SyncGateway Go’s process.
+
+## Fields [_fields_229]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-syncgateway.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "syncgateway.memory",
+        "duration": 115000,
+        "module": "syncgateway"
+    },
+    "metricset": {
+        "name": "memory",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:39195",
+        "type": "syncgateway"
+    },
+    "syncgateway": {
+        "memory": {
+            "Alloc": 159398816,
+            "BuckHashSys": 1759627,
+            "DebugGC": false,
+            "EnableGC": true,
+            "Frees": 55790048,
+            "GCCPUFraction": 0.008328526565497294,
+            "GCSys": 13555712,
+            "HeapAlloc": 159398816,
+            "HeapIdle": 67780608,
+            "HeapInuse": 264388608,
+            "HeapObjects": 1877567,
+            "HeapReleased": 26927104,
+            "HeapSys": 332169216,
+            "LastGC": 1620310398040906500,
+            "Lookups": 0,
+            "MCacheInuse": 20832,
+            "MCacheSys": 32768,
+            "MSpanInuse": 4030632,
+            "MSpanSys": 4358144,
+            "Mallocs": 57667615,
+            "NextGC": 265304208,
+            "NumForcedGC": 0,
+            "NumGC": 51,
+            "OtherSys": 2457453,
+            "PauseTotalNs": 88693194,
+            "StackInuse": 3375104,
+            "StackSys": 3375104,
+            "Sys": 357708024,
+            "TotalAlloc": 2719416432
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-syncgateway-replication.md b/docs/reference/metricbeat/metricbeat-metricset-syncgateway-replication.md
new file mode 100644
index 000000000000..1ff165244114
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-syncgateway-replication.md
@@ -0,0 +1,19 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-syncgateway-replication.html
+---
+
+# SyncGateway replication metricset [metricbeat-metricset-syncgateway-replication]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+SyncGateway `replication` metriset contains information about the replicas. Note that you won’t see any data if you don’t have any replicas configured on your Couchbase buckets.
+
+## Fields [_fields_230]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-syncgateway.md) section.
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-syncgateway-resources.md b/docs/reference/metricbeat/metricbeat-metricset-syncgateway-resources.md
new file mode 100644
index 000000000000..a716cdfd5eca
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-syncgateway-resources.md
@@ -0,0 +1,83 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-syncgateway-resources.html
+---
+
+# SyncGateway resources metricset [metricbeat-metricset-syncgateway-resources]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+SyncGateway `resources` metriset contains about the global resource utilization of the SyncGateway instance.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_231]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-syncgateway.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "syncgateway.resources",
+        "duration": 115000,
+        "module": "syncgateway"
+    },
+    "metricset": {
+        "name": "resources",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:37571",
+        "type": "syncgateway"
+    },
+    "syncgateway": {
+        "resources": {
+            "admin_net_bytes": {
+                "recv": 186313933,
+                "sent": 67278955
+            },
+            "error_count": 0,
+            "go_memstats": {
+                "heap": {
+                    "alloc": 143386592,
+                    "idle": 81616896,
+                    "inuse": 250585088,
+                    "released": 26927104
+                },
+                "pause": {
+                    "ns": 88693194
+                },
+                "stack": {
+                    "inuse": 3342336,
+                    "sys": 3342336
+                },
+                "sys": 357708024
+            },
+            "goroutines_high_watermark": 311,
+            "num_goroutines": 308,
+            "process": {
+                "cpu_percent_utilization": 0,
+                "memory_resident": 335306752
+            },
+            "pub_net": {
+                "recv": {
+                    "bytes": 186313933
+                },
+                "sent": {
+                    "bytes": 67278955
+                }
+            },
+            "system_memory_total": 33291907072,
+            "warn_count": 6
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-core.md b/docs/reference/metricbeat/metricbeat-metricset-system-core.md
new file mode 100644
index 000000000000..413fd9923fd4
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-core.md
@@ -0,0 +1,105 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-core.html
+---
+
+# System core metricset [metricbeat-metricset-system-core]
+
+The System `core` metricset provides usage statistics for each CPU core.
+
+This metricset is available on:
+
+* FreeBSD
+* Linux
+* macOS
+* OpenBSD
+* Windows
+
+
+## Configuration [_configuration_4]
+
+**`core.metrics`**
+:   This option controls what metrics are reported for each CPU core. The value is a list and two metric types are supported - `percentages` and `ticks`. The default value is `core.metrics: [percentages]`.
+
+**`use_performance_counters`**
+:   This option enables the use of performance counters to collect data for the CPU/core metricset. It is only effective on Windows. You should use this option if running beats on machins with more than 64 cores. The default value is `use_performance_counters: true`
+
+    ```yaml
+    metricbeat.modules:
+    - module: system
+      metricsets: [core]
+      core.metrics: [percentages, ticks]
+      #use_performance_counters: false
+    ```
+
+
+## Fields [_fields_232]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "system.core",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "core",
+        "period": 10000
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "core": {
+            "id": 0,
+            "idle": {
+                "pct": 0.9638,
+                "ticks": 240932600
+            },
+            "iowait": {
+                "pct": 0,
+                "ticks": 10534
+            },
+            "irq": {
+                "pct": 0.002,
+                "ticks": 379774
+            },
+            "nice": {
+                "pct": 0.002,
+                "ticks": 70354
+            },
+            "softirq": {
+                "pct": 0.002,
+                "ticks": 498856
+            },
+            "steal": {
+                "pct": 0,
+                "ticks": 0
+            },
+            "system": {
+                "pct": 0.0201,
+                "ticks": 4072735
+            },
+            "total": {
+                "pct": 0.0362
+            },
+            "user": {
+                "pct": 0.0101,
+                "ticks": 7020807
+            }
+            "model_number": "165",
+            "model_name": "Intel(R) Core(TM) i9-10885H CPU @ 2.40GHz",
+            "mhz": 4359.983,
+            "core_id": 5,
+            "physical_id": 0,
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-cpu.md b/docs/reference/metricbeat/metricbeat-metricset-system-cpu.md
new file mode 100644
index 000000000000..629304153c8d
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-cpu.md
@@ -0,0 +1,134 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-cpu.html
+---
+
+# System cpu metricset [metricbeat-metricset-system-cpu]
+
+The System `cpu` metricset provides CPU statistics.
+
+This metricset is available on:
+
+* FreeBSD
+* Linux
+* macOS
+* OpenBSD
+* Windows
+
+
+## Configuration [_configuration_5]
+
+**`cpu.metrics`**
+:   This option controls what CPU metrics are reported. The value is a list and three metric types are supported - `percentages`, `normalized_percentages`, and `ticks`. The default value is `cpu.metrics: [percentages]`.
+
+**`use_performance_counters`**
+:   This option enables the use of performance counters to collect data for the CPU/core metricset. It is only effective on Windows. You should use this option if running beats on machins with more than 64 cores. The default value is `use_performance_counters: true`
+
+    ```yaml
+    metricbeat.modules:
+    - module: system
+      metricsets: [cpu]
+      cpu.metrics: [percentages, normalized_percentages, ticks]
+      #use_performance_counters: false
+    ```
+
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_233]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "system.cpu",
+        "duration": 115000,
+        "module": "system"
+    },
+    "host": {
+        "cpu": {
+            "usage": 0.0467
+        }
+    },
+    "metricset": {
+        "name": "cpu",
+        "period": 10000
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "cpu": {
+            "cores": 24,
+            "idle": {
+                "norm": {
+                    "pct": 0.9532
+                },
+                "pct": 22.8778,
+                "ticks": 5843152812
+            },
+            "iowait": {
+                "norm": {
+                    "pct": 0.0001
+                },
+                "pct": 0.002,
+                "ticks": 335866
+            },
+            "irq": {
+                "norm": {
+                    "pct": 0.0017
+                },
+                "pct": 0.0401,
+                "ticks": 7025540
+            },
+            "nice": {
+                "norm": {
+                    "pct": 0.0003
+                },
+                "pct": 0.006,
+                "ticks": 1812301
+            },
+            "softirq": {
+                "norm": {
+                    "pct": 0.0008
+                },
+                "pct": 0.02,
+                "ticks": 3581641
+            },
+            "steal": {
+                "norm": {
+                    "pct": 0
+                },
+                "pct": 0,
+                "ticks": 0
+            },
+            "system": {
+                "norm": {
+                    "pct": 0.0169
+                },
+                "pct": 0.4068,
+                "ticks": 67901836
+            },
+            "total": {
+                "norm": {
+                    "pct": 0.0467
+                },
+                "pct": 1.1202
+            },
+            "user": {
+                "norm": {
+                    "pct": 0.027
+                },
+                "pct": 0.6472,
+                "ticks": 126846063
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-diskio.md b/docs/reference/metricbeat/metricbeat-metricset-system-diskio.md
new file mode 100644
index 000000000000..3afa1feba8d9
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-diskio.md
@@ -0,0 +1,76 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-diskio.html
+---
+
+# System diskio metricset [metricbeat-metricset-system-diskio]
+
+The System `diskio` metricset provides disk IO metrics collected from the operating system. One event is created for each disk mounted on the system.
+
+This metricset is available on:
+
+* Linux
+* macOS (requires 10.10+)
+* Windows
+* FreeBSD (amd64)
+
+
+## Configuration [_configuration_6]
+
+**`diskio.include_devices`**
+:   When the `diskio` metricset is enabled, you can use the `diskio.include_devices` option to define a list of device names to pre-filter the devices that are reported. Filters only exact matches. If not set or given `[]` empty array, all disk devices are returned
+
+    The following example config returns metrics for devices matching include_devices:
+
+    ```yaml
+    metricbeat.modules:
+    - module: system
+      metricsets: ["diskio"]
+      diskio.include_devices: ["sda", "sda1"]
+    ```
+
+
+## Fields [_fields_234]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "system.diskio",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "diskio",
+        "period": 10000
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "diskio": {
+            "io": {
+                "ops": 0,
+                "time": 545105
+            },
+            "name": "sda",
+            "read": {
+                "bytes": 4242313728,
+                "count": 181371,
+                "time": 2744086
+            },
+            "write": {
+                "bytes": 9611375104,
+                "count": 352596,
+                "time": 10641320
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-entropy.md b/docs/reference/metricbeat/metricbeat-metricset-system-entropy.md
new file mode 100644
index 000000000000..6fbd9bcff9ce
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-entropy.md
@@ -0,0 +1,43 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-entropy.html
+---
+
+# System entropy metricset [metricbeat-metricset-system-entropy]
+
+This is the entropy metricset of the module system. It collects the amount of available entropy in bits. On kernel versions greater than 2.6, entropy will be out of a total pool size of 4096.
+
+This Metricset is available on:
+
+* linux
+
+## Fields [_fields_235]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "system.entropy",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "entropy"
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "entropy": {
+            "available_bits": 2801,
+            "pct": 0.683837890625
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-filesystem.md b/docs/reference/metricbeat/metricbeat-metricset-system-filesystem.md
new file mode 100644
index 000000000000..52415f372384
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-filesystem.md
@@ -0,0 +1,102 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-filesystem.html
+---
+
+# System filesystem metricset [metricbeat-metricset-system-filesystem]
+
+The System `filesystem` metricset provides file system statistics. For each file system, one document is provided.
+
+This metricset is available on:
+
+* FreeBSD
+* Linux
+* macOS
+* OpenBSD
+* Windows
+
+
+## Configuration [_configuration_7]
+
+**`filesystem.ignore_types`** - An array of filesystem types to ignore. Metrics will not be collected from filesystems matching these types. If this option is not set, {{metricbeat}} ignores all types for virtual devices in systems where this information is available (e.g. all types marked as `nodev` in `/proc/filesystems` in Linux systems). This setting affects the `fsstats` metricset.
+
+To have {{metricbeat}} report on all filesystems, regardless of type, set `filesystem.ignore_types` to an empty array (`[]`).
+
+To ignore unavailable volumes, such as CD-ROM drives, on Windows include `unavailable` as a value in the array. To ignore unknown filesystems on Windows, include `unknown` as a value in the array.
+
+
+## Filtering [_filtering]
+
+There may be mounted filesystems that you don’t want {{metricbeat}} to report metrics on. One option is to configure {{metricbeat}} to ignore specific filesystem types. This can be accomplished by configuring `filesystem.ignore_types` with an array of filesystem types to ignore. In this example we are ignoring three types of filesystems.
+
+```yaml
+metricbeat.modules:
+  - module: system
+    period: 30s
+    metricsets: ["filesystem"]
+    filesystem.ignore_types: [nfs, smbfs, autofs]
+```
+
+A common approach is to ignore any `unavailable` or `unknown` filesystems on Windows. For example:
+
+```yaml
+metricbeat.modules:
+  - module: system
+    period: 30s
+    metricsets: ["filesystem"]
+    filesystem.ignore_types: [unavailable, unknown]
+```
+
+Another strategy to deal with these filesystems is to configure a `drop_event` processor that matches the `mount_point` using a regular expression. This type of filtering occurs after the data has been collected so it can be less efficient than specifying `filesystem.ignore_types`.
+
+```yaml
+metricbeat.modules:
+  - module: system
+    period: 30s
+    metricsets: ["filesystem"]
+    processors:
+      - drop_event.when.regexp:
+          system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host)($|/)'
+```
+
+## Fields [_fields_236]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "system.filesystem",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "filesystem",
+        "period": 10000
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "filesystem": {
+            "available": 148708327424,
+            "device_name": "/dev/mapper/fedora-root",
+            "files": 105089024,
+            "free": 148708327424,
+            "free_files": 103974920,
+            "mount_point": "/",
+            "total": 215211835392,
+            "type": "xfs",
+            "used": {
+                "bytes": 66503507968,
+                "pct": 0.309
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-fsstat.md b/docs/reference/metricbeat/metricbeat-metricset-system-fsstat.md
new file mode 100644
index 000000000000..4d0ee69b3cbc
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-fsstat.md
@@ -0,0 +1,58 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-fsstat.html
+---
+
+# System fsstat metricset [metricbeat-metricset-system-fsstat]
+
+The System `fsstat` metricset provides overall file system statistics.
+
+This metricset is available on:
+
+* FreeBSD
+* Linux
+* macOS
+* OpenBSD
+* Windows
+
+
+## Configuration [_configuration_8]
+
+**`filesystem.ignore_types`** - A list of filesystem types to ignore. Metrics will not be collected from filesystems matching these types. This setting also affects the `filesystem` metricset. If this option is not set, metricbeat ignores all types for virtual devices in systems where this information is available (e.g. all types marked as `nodev` in `/proc/filesystems` in Linux systems).
+
+## Fields [_fields_237]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "system.fsstat",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "fsstat",
+        "period": 10000
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "fsstat": {
+            "count": 4,
+            "total_files": 781546688,
+            "total_size": {
+                "free": 7694209683456,
+                "total": 7997223641088,
+                "used": 303013957632
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-load.md b/docs/reference/metricbeat/metricbeat-metricset-system-load.md
new file mode 100644
index 000000000000..7d86415c1a6a
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-load.md
@@ -0,0 +1,64 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-load.html
+---
+
+# System load metricset [metricbeat-metricset-system-load]
+
+The System `load` metricset provides load statistics.
+
+This metricset is available on:
+
+* FreeBSD
+* Linux
+* macOS
+* OpenBSD
+
+
+## Configuration [_configuration_9]
+
+There are no configuration options for this metricset.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_238]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "dataset": "system.load",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "load"
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "load": {
+            "1": 2.33,
+            "15": 2.03,
+            "5": 1.93,
+            "cores": 4,
+            "norm": {
+                "1": 0.5825,
+                "15": 0.5075,
+                "5": 0.4825
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-memory.md b/docs/reference/metricbeat/metricbeat-metricset-system-memory.md
new file mode 100644
index 000000000000..e02f804f30ed
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-memory.md
@@ -0,0 +1,75 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-memory.html
+---
+
+# System memory metricset [metricbeat-metricset-system-memory]
+
+The System `memory` metricset provides memory statistics.
+
+This metricset is available on:
+
+* FreeBSD
+* Linux
+* macOS
+* OpenBSD
+* Windows
+
+
+## Configuration [_configuration_10]
+
+There are no configuration options for this metricset.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_239]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "system.memory",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "memory",
+        "period": 10000
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "memory": {
+            "actual": {
+                "free": 59377467392,
+                "used": {
+                    "bytes": 3743330304,
+                    "pct": 0.0593
+                }
+            },
+            "cached": 7460179968,
+            "free": 52030529536,
+            "swap": {
+                "free": 8589930496,
+                "total": 8589930496,
+                "used": {
+                    "bytes": 0,
+                    "pct": 0
+                }
+            },
+            "total": 63120797696,
+            "used": {
+                "bytes": 11090268160,
+                "pct": 0.1757
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-network.md b/docs/reference/metricbeat/metricbeat-metricset-system-network.md
new file mode 100644
index 000000000000..294e7604a5e3
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-network.md
@@ -0,0 +1,73 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-network.html
+---
+
+# System network metricset [metricbeat-metricset-system-network]
+
+The System `network` metricset provides network IO metrics collected from the operating system. One event is created for each network interface.
+
+This metricset is available on:
+
+* FreeBSD
+* Linux
+* macOS
+* Windows
+
+
+## Configuration [_configuration_11]
+
+**`interfaces`**
+:   By default metrics are reported from all network interfaces. To select which interfaces metrics are reported from, use the `interfaces` configuration option. The value must be an array of interface names. For example:
+
+```yaml
+metricbeat.modules:
+- module: system
+  metricsets: [network]
+  interfaces: [eth0]
+```
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_240]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "system.network",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "network",
+        "period": 10000
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "network": {
+            "in": {
+                "bytes": 2595422773,
+                "dropped": 0,
+                "errors": 0,
+                "packets": 18264437
+            },
+            "name": "lo0",
+            "out": {
+                "bytes": 2595422773,
+                "dropped": 0,
+                "errors": 0,
+                "packets": 18264437
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-network_summary.md b/docs/reference/metricbeat/metricbeat-metricset-system-network_summary.md
new file mode 100644
index 000000000000..56e043c5d398
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-network_summary.md
@@ -0,0 +1,273 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-network_summary.html
+---
+
+# System network_summary metricset [metricbeat-metricset-system-network_summary]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The System `network_summary` metricset provides network IO metrics collected from the operating system. These events are global and sorted by protocol.
+
+This metricset is available on:
+
+* Linux
+
+## Fields [_fields_241]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "system.network_summary",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "network_summary",
+        "period": 10000
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "network_summary": {
+            "icmp": {
+                "InAddrMaskReps": 0,
+                "InAddrMasks": 0,
+                "InCsumErrors": 0,
+                "InDestUnreachs": 835,
+                "InEchoReps": 0,
+                "InEchos": 1,
+                "InErrors": 20,
+                "InMsgs": 836,
+                "InParmProbs": 0,
+                "InRedirects": 0,
+                "InSrcQuenchs": 0,
+                "InTimeExcds": 0,
+                "InTimestampReps": 0,
+                "InTimestamps": 0,
+                "InType3": 835,
+                "InType8": 1,
+                "OutAddrMaskReps": 0,
+                "OutAddrMasks": 0,
+                "OutDestUnreachs": 940,
+                "OutEchoReps": 1,
+                "OutEchos": 0,
+                "OutErrors": 0,
+                "OutMsgs": 941,
+                "OutParmProbs": 0,
+                "OutRedirects": 0,
+                "OutSrcQuenchs": 0,
+                "OutTimeExcds": 0,
+                "OutTimestampReps": 0,
+                "OutTimestamps": 0,
+                "OutType0": 1,
+                "OutType3": 940
+            },
+            "ip": {
+                "DefaultTTL": 64,
+                "ForwDatagrams": 33389,
+                "Forwarding": 1,
+                "FragCreates": 0,
+                "FragFails": 0,
+                "FragOKs": 0,
+                "InAddrErrors": 19,
+                "InBcastOctets": 431773621,
+                "InBcastPkts": 1686995,
+                "InCEPkts": 0,
+                "InCsumErrors": 0,
+                "InDelivers": 38037698,
+                "InDiscards": 0,
+                "InECT0Pkts": 3160941,
+                "InECT1Pkts": 0,
+                "InHdrErrors": 0,
+                "InMcastOctets": 0,
+                "InMcastPkts": 0,
+                "InNoECTPkts": 129521210,
+                "InNoRoutes": 0,
+                "InOctets": 167733588581,
+                "InReceives": 41266648,
+                "InTruncatedPkts": 0,
+                "InUnknownProtos": 0,
+                "OutBcastOctets": 0,
+                "OutBcastPkts": 0,
+                "OutDiscards": 1,
+                "OutMcastOctets": 0,
+                "OutMcastPkts": 0,
+                "OutNoRoutes": 4,
+                "OutOctets": 75001958794,
+                "OutRequests": 29261852,
+                "ReasmFails": 0,
+                "ReasmOKs": 0,
+                "ReasmOverlaps": 0,
+                "ReasmReqds": 0,
+                "ReasmTimeout": 0
+            },
+            "tcp": {
+                "ActiveOpens": 6172,
+                "ArpFilter": 0,
+                "AttemptFails": 1488,
+                "BusyPollRxPackets": 0,
+                "CurrEstab": 9,
+                "DelayedACKLocked": 111,
+                "DelayedACKLost": 1587,
+                "DelayedACKs": 516004,
+                "EmbryonicRsts": 2,
+                "EstabResets": 404,
+                "IPReversePathFilter": 0,
+                "InCsumErrors": 0,
+                "InErrs": 4,
+                "InSegs": 38005498,
+                "ListenDrops": 0,
+                "ListenOverflows": 0,
+                "LockDroppedIcmps": 0,
+                "MaxConn": -1,
+                "OfoPruned": 0,
+                "OutOfWindowIcmps": 39,
+                "OutRsts": 10739,
+                "OutSegs": 66991971,
+                "PAWSActive": 0,
+                "PAWSEstab": 19,
+                "PFMemallocDrop": 0,
+                "PassiveOpens": 1411,
+                "PruneCalled": 0,
+                "RcvPruned": 0,
+                "RetransSegs": 15996,
+                "RtoAlgorithm": 1,
+                "RtoMax": 120000,
+                "RtoMin": 200,
+                "SyncookiesFailed": 2,
+                "SyncookiesRecv": 0,
+                "SyncookiesSent": 0,
+                "TCPACKSkippedChallenge": 2,
+                "TCPACKSkippedFinWait2": 0,
+                "TCPACKSkippedPAWS": 1,
+                "TCPACKSkippedSeq": 4,
+                "TCPACKSkippedSynRecv": 8,
+                "TCPACKSkippedTimeWait": 0,
+                "TCPAbortFailed": 0,
+                "TCPAbortOnClose": 321,
+                "TCPAbortOnData": 2613,
+                "TCPAbortOnLinger": 0,
+                "TCPAbortOnMemory": 0,
+                "TCPAbortOnTimeout": 84,
+                "TCPAckCompressed": 232116,
+                "TCPAutoCorking": 162,
+                "TCPBacklogCoalesce": 509441,
+                "TCPBacklogDrop": 0,
+                "TCPChallengeACK": 2,
+                "TCPDSACKIgnoredNoUndo": 4623,
+                "TCPDSACKIgnoredOld": 242,
+                "TCPDSACKOfoRecv": 2,
+                "TCPDSACKOfoSent": 15,
+                "TCPDSACKOldSent": 1668,
+                "TCPDSACKRecv": 8205,
+                "TCPDSACKUndo": 36,
+                "TCPDeferAcceptDrop": 0,
+                "TCPDelivered": 54733743,
+                "TCPDeliveredCE": 0,
+                "TCPFastOpenActive": 0,
+                "TCPFastOpenActiveFail": 0,
+                "TCPFastOpenBlackhole": 0,
+                "TCPFastOpenCookieReqd": 0,
+                "TCPFastOpenListenOverflow": 0,
+                "TCPFastOpenPassive": 0,
+                "TCPFastOpenPassiveFail": 0,
+                "TCPFastRetrans": 5324,
+                "TCPFromZeroWindowAdv": 977,
+                "TCPFullUndo": 3,
+                "TCPHPAcks": 4648338,
+                "TCPHPHits": 22005367,
+                "TCPHystartDelayCwnd": 3535,
+                "TCPHystartDelayDetect": 24,
+                "TCPHystartTrainCwnd": 4609,
+                "TCPHystartTrainDetect": 205,
+                "TCPKeepAlive": 312560,
+                "TCPLossFailures": 1,
+                "TCPLossProbeRecovery": 387,
+                "TCPLossProbes": 12748,
+                "TCPLossUndo": 437,
+                "TCPLostRetransmit": 1499,
+                "TCPMD5Failure": 0,
+                "TCPMD5NotFound": 0,
+                "TCPMD5Unexpected": 0,
+                "TCPMTUPFail": 0,
+                "TCPMTUPSuccess": 0,
+                "TCPMemoryPressures": 0,
+                "TCPMemoryPressuresChrono": 0,
+                "TCPMinTTLDrop": 0,
+                "TCPOFODrop": 0,
+                "TCPOFOMerge": 13,
+                "TCPOFOQueue": 266342,
+                "TCPOrigDataSent": 54724129,
+                "TCPPartialUndo": 145,
+                "TCPPureAcks": 6490261,
+                "TCPRcvCoalesce": 5762438,
+                "TCPRcvCollapsed": 0,
+                "TCPRcvQDrop": 0,
+                "TCPRenoFailures": 0,
+                "TCPRenoRecovery": 0,
+                "TCPRenoRecoveryFail": 0,
+                "TCPRenoReorder": 0,
+                "TCPReqQFullDoCookies": 0,
+                "TCPReqQFullDrop": 0,
+                "TCPRetransFail": 0,
+                "TCPSACKDiscard": 123,
+                "TCPSACKReneging": 0,
+                "TCPSACKReorder": 2707,
+                "TCPSYNChallenge": 4,
+                "TCPSackFailures": 5,
+                "TCPSackMerged": 13758,
+                "TCPSackRecovery": 241,
+                "TCPSackRecoveryFail": 3,
+                "TCPSackShiftFallback": 1455,
+                "TCPSackShifted": 37107,
+                "TCPSlowStartRetrans": 2,
+                "TCPSpuriousRTOs": 3,
+                "TCPSpuriousRtxHostQueues": 16,
+                "TCPSynRetrans": 346,
+                "TCPTSReorder": 732,
+                "TCPTimeWaitOverflow": 0,
+                "TCPTimeouts": 2178,
+                "TCPToZeroWindowAdv": 977,
+                "TCPWantZeroWindowAdv": 109048,
+                "TCPWinProbe": 0,
+                "TCPZeroWindowDrop": 0,
+                "TW": 1443,
+                "TWKilled": 0,
+                "TWRecycled": 0
+            },
+            "udp": {
+                "IgnoredMulti": 0,
+                "InCsumErrors": 0,
+                "InDatagrams": 31359,
+                "InErrors": 0,
+                "NoPorts": 61,
+                "OutDatagrams": 31756,
+                "RcvbufErrors": 0,
+                "SndbufErrors": 0
+            },
+            "udpLite": {
+                "IgnoredMulti": 0,
+                "InCsumErrors": 0,
+                "InDatagrams": 0,
+                "InErrors": 0,
+                "NoPorts": 0,
+                "OutDatagrams": 0,
+                "RcvbufErrors": 0,
+                "SndbufErrors": 0
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-process.md b/docs/reference/metricbeat/metricbeat-metricset-system-process.md
new file mode 100644
index 000000000000..54240bfc5b58
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-process.md
@@ -0,0 +1,380 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-process.html
+---
+
+# System process metricset [metricbeat-metricset-system-process]
+
+The System `process` metricset provides process statistics. One document is provided for each process.
+
+This metricset is available on:
+
+* FreeBSD
+* Linux
+* macOS
+* Windows
+
+
+## Configuration [_configuration_12]
+
+**`processes`**
+:   When the `process` metricset is enabled, you can use the `processes` option to define a list of regexp expressions to filter the processes that are reported. For more complex filtering, you should use the `processors` configuration option. See [Processors](/reference/metricbeat/filtering-enhancing-data.md) for more information.
+
+    The following example config returns metrics for all processes:
+
+    ```yaml
+    metricbeat.modules:
+    - module: system
+      metricsets: ["process"]
+      processes: ['.*']
+    ```
+
+
+**`process.cgroups.enabled`**
+:   When the `process` metricset is enabled, you can use this boolean configuration option to disable cgroup metrics. By default cgroup metrics collection is enabled.
+
+    The following example config disables cgroup metrics on Linux.
+
+    ```yaml
+    metricbeat.modules:
+    - module: system
+      metricsets: ["process"]
+      process.cgroups.enabled: false
+    ```
+
+
+**`process.cmdline.cache.enabled`**
+:   This metricset caches the command line args for a running process by default. This means if you alter the command line for a process while this metricset is running, these changes are not detected. Caching can be disabled by setting `process.cmdline.cache.enabled: false` in the configuration.
+
+**`process.env.whitelist`**
+:   This metricset can collect the environment variables that were used to start the process. This feature is available on Linux, Darwin, and FreeBSD. No environment variables are collected by default because they could contain sensitive information. You must configure the environment variables that you wish to collect by specifying a list of regular expressions that match the variable name.
+
+    ```yaml
+    metricbeat.modules:
+    - module: system
+      metricsets: ["process"]
+      process.env.whitelist:
+      - '^PATH$'
+      - '^SSH_.*'
+    ```
+
+
+**`process.include_cpu_ticks`**
+:   By default the cumulative CPU tick values are not reported by this metricset (only percentages are reported). Setting this option to true will enable the reporting of the raw CPU tick values (for user, system, and total CPU time).
+
+    ```yaml
+    metricbeat.modules:
+    - module: system
+      metricsets: ["process"]
+      process.include_cpu_ticks: true
+    ```
+
+
+**`process.include_per_cpu`**
+:   By default metrics per cpu are reported when available. Setting this option to false will disable the reporting of these metrics.
+
+**`process.include_top_n`**
+:   These options allow you to filter out all processes that are not in the top N by CPU or memory, in order to reduce the number of documents created. If both the `by_cpu` and `by_memory` options are used, the union of the two sets is included.
+
+**`process.include_top_n.enabled`**
+:   Set to false to disable the top N feature and include all processes, regardless of the other options. The default is `true`, but nothing is filtered unless one of the other options (`by_cpu` or `by_memory`) is set to a non-zero value.
+
+**`process.include_top_n.by_cpu`**
+:   How many processes to include from the top by CPU. The processes are sorted by the `system.process.cpu.total.pct` field. The default is 0.
+
+**`process.include_top_n.by_memory`**
+:   How many processes to include from the top by memory. The processes are sorted by the `system.process.memory.rss.bytes` field. The default is 0.
+
+
+## Monitoring Hybrid Hierarchy Cgroups [_monitoring_hybrid_hierarchy_cgroups]
+
+The process metricset supports both V1 and V2 (sometimes called unfied) cgroups controllers. However, on systems that are running a hybrid hierarchy, with both V1 and V2 controllers, metricbeat will only report one of the hierarchies for a given process. Is a process has both V1 and V2 hierarchies associated with it, metricbeat will check to see if the process is attached to any V2 controllers. If it is, it will report cgroups V2 metrics. If not, it will report V1 metrics.
+
+A workaround is also required if metricbeat is running inside docker on a hybrid system. Within docker, metricbeat won’t be able to see any V2 cgroups components. If you wish to monitor cgroups V2 from within docker on a hybrid system, you must mount the unified sysfs hierarchy (usually `/sys/fs/cgroups/unified`) inside the container, and then use `system.hostfs` to specify the filesystem root within the container.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_242]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "system.process",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "process",
+        "period": 10000
+    },
+    "process": {
+        "args": [
+            "/tmp/go-build2159656503/b001/process.test",
+            "-test.paniconexit0",
+            "-test.timeout=10m0s",
+            "-test.v=true",
+            "-data",
+            "-test.run=TestData"
+        ],
+        "command_line": "/tmp/go-build2159656503/b001/process.test -test.paniconexit0 -test.timeout=10m0s -test.v=true -data -test.run=TestData",
+        "cpu": {
+            "pct": 0.0012,
+            "start_time": "2023-11-28T03:13:18.000Z"
+        },
+        "executable": "/tmp/go-build2159656503/b001/process.test",
+        "memory": {
+            "pct": 0.0008
+        },
+        "name": "process.test",
+        "parent": {
+            "pid": 592387
+        },
+        "pgid": 592387,
+        "pid": 592516,
+        "state": "sleeping",
+        "working_directory": "/home/alexk/go/src/github.com/elastic/beats/metricbeat/module/system/process"
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "process": {
+            "cgroup": {
+                "cgroups_version": 2,
+                "cpu": {
+                    "id": "session-426.scope",
+                    "path": "/user.slice/user-1000.slice/session-426.scope",
+                    "pressure": {
+                        "full": {
+                            "10": {
+                                "pct": 0
+                            },
+                            "300": {
+                                "pct": 0
+                            },
+                            "60": {
+                                "pct": 0
+                            },
+                            "total": 5524742
+                        },
+                        "some": {
+                            "10": {
+                                "pct": 0.07
+                            },
+                            "300": {
+                                "pct": 0.1
+                            },
+                            "60": {
+                                "pct": 0.3
+                            },
+                            "total": 32365561
+                        }
+                    },
+                    "stats": {
+                        "periods": 0,
+                        "system": {
+                            "norm": {
+                                "pct": 0
+                            },
+                            "ns": 548263994,
+                            "pct": 0
+                        },
+                        "throttled": {
+                            "periods": 0,
+                            "us": 0
+                        },
+                        "usage": {
+                            "norm": {
+                                "pct": 0
+                            },
+                            "ns": 1599791233,
+                            "pct": 0
+                        },
+                        "user": {
+                            "norm": {
+                                "pct": 0
+                            },
+                            "ns": 1051527238,
+                            "pct": 0
+                        }
+                    }
+                },
+                "id": "session-426.scope",
+                "memory": {
+                    "id": "session-426.scope",
+                    "mem": {
+                        "events": {
+                            "high": 0,
+                            "low": 0,
+                            "max": 0,
+                            "oom": 0,
+                            "oom_kill": 0
+                        },
+                        "low": {
+                            "bytes": 0
+                        },
+                        "usage": {
+                            "bytes": 3864518656
+                        }
+                    },
+                    "memsw": {
+                        "events": {
+                            "fail": 0,
+                            "high": 0,
+                            "max": 0
+                        },
+                        "low": {
+                            "bytes": 0
+                        },
+                        "usage": {
+                            "bytes": 0
+                        }
+                    },
+                    "path": "/user.slice/user-1000.slice/session-426.scope",
+                    "stats": {
+                        "active_anon": {
+                            "bytes": 1759969280
+                        },
+                        "active_file": {
+                            "bytes": 990560256
+                        },
+                        "anon": {
+                            "bytes": 1781649408
+                        },
+                        "anon_thp": {
+                            "bytes": 618659840
+                        },
+                        "file": {
+                            "bytes": 1710731264
+                        },
+                        "file_dirty": {
+                            "bytes": 0
+                        },
+                        "file_mapped": {
+                            "bytes": 15060992
+                        },
+                        "file_thp": {
+                            "bytes": 0
+                        },
+                        "file_writeback": {
+                            "bytes": 0
+                        },
+                        "htp_collapse_alloc": 313,
+                        "inactive_anon": {
+                            "bytes": 327753728
+                        },
+                        "inactive_file": {
+                            "bytes": 698679296
+                        },
+                        "kernel_stack": {
+                            "bytes": 2899968
+                        },
+                        "major_page_faults": 3001,
+                        "page_activate": 0,
+                        "page_deactivate": 0,
+                        "page_faults": 79495294,
+                        "page_lazy_free": 0,
+                        "page_lazy_freed": 0,
+                        "page_refill": 0,
+                        "page_scan": 0,
+                        "page_steal": 0,
+                        "page_tables": {
+                            "bytes": 19267584
+                        },
+                        "per_cpu": {
+                            "bytes": 10336
+                        },
+                        "shmem": {
+                            "bytes": 21491712
+                        },
+                        "shmem_thp": {
+                            "bytes": 0
+                        },
+                        "slab": {
+                            "bytes": 60957576
+                        },
+                        "slab_reclaimable": {
+                            "bytes": 55816376
+                        },
+                        "slab_unreclaimable": {
+                            "bytes": 5141200
+                        },
+                        "sock": {
+                            "bytes": 0
+                        },
+                        "swap_cached": {
+                            "bytes": 0
+                        },
+                        "thp_fault_alloc": 8577,
+                        "unevictable": {
+                            "bytes": 0
+                        },
+                        "workingset_activate_anon": 0,
+                        "workingset_activate_file": 0,
+                        "workingset_node_reclaim": 0,
+                        "workingset_refault_anon": 0,
+                        "workingset_refault_file": 0,
+                        "workingset_restore_anon": 0,
+                        "workingset_restore_file": 0
+                    }
+                },
+                "path": "/user.slice/user-1000.slice/session-426.scope"
+            },
+            "cmdline": "/tmp/go-build2159656503/b001/process.test -test.paniconexit0 -test.timeout=10m0s -test.v=true -data -test.run=TestData",
+            "cpu": {
+                "start_time": "2023-11-28T03:13:18.000Z",
+                "system": {
+                    "ticks": 40
+                },
+                "total": {
+                    "norm": {
+                        "pct": 0.0012
+                    },
+                    "pct": 0.007,
+                    "ticks": 100,
+                    "value": 100
+                },
+                "user": {
+                    "ticks": 60
+                }
+            },
+            "fd": {
+                "limit": {
+                    "hard": 524288,
+                    "soft": 524288
+                },
+                "open": 15
+            },
+            "io": {
+                "cancelled_write_bytes": 0,
+                "read_bytes": 0,
+                "read_char": 2517537,
+                "read_ops": 9551,
+                "write_bytes": 0,
+                "write_char": 22,
+                "write_ops": 4
+            },
+            "memory": {
+                "rss": {
+                    "bytes": 26234880,
+                    "pct": 0.0008
+                },
+                "share": 16252928,
+                "size": 1886003200
+            },
+            "num_threads": 9,
+            "state": "sleeping"
+        }
+    },
+    "user": {
+        "name": "alexk"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-process_summary.md b/docs/reference/metricbeat/metricbeat-metricset-system-process_summary.md
new file mode 100644
index 000000000000..77b419e538dc
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-process_summary.md
@@ -0,0 +1,62 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-process_summary.html
+---
+
+# System process_summary metricset [metricbeat-metricset-system-process_summary]
+
+The `process_summary` metricset collects high level statistics about the running processes.
+
+This metricset is available on:
+
+* FreeBSD
+* Linux
+* macOS
+* Windows
+
+
+## Configuration [_configuration_13]
+
+There are no configuration options for this metricset.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_243]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "system.process.summary",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "process_summary",
+        "period": 10000
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "process": {
+            "summary": {
+                "idle": 110,
+                "running": 1,
+                "sleeping": 138,
+                "threads": {
+                    "blocked": 0,
+                    "running": 2
+                },
+                "total": 249
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-raid.md b/docs/reference/metricbeat/metricbeat-metricset-system-raid.md
new file mode 100644
index 000000000000..3d48ec4b0d06
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-raid.md
@@ -0,0 +1,59 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-raid.html
+---
+
+# System raid metricset [metricbeat-metricset-system-raid]
+
+This is the raid metricset of the module system. It collects stats about the raid.
+
+This metricset is available on:
+
+* Linux
+
+## Fields [_fields_244]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "system.raid",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "raid"
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "raid": {
+            "blocks": {
+                "synced": 0,
+                "total": 4189184
+            },
+            "disks": {
+                "active": 2,
+                "failed": 0,
+                "spare": 1,
+                "states": {
+                    "in_sync": 2,
+                    "spare": 1
+                },
+                "total": 3
+            },
+            "level": "raid1",
+            "name": "md0",
+            "status": "clean",
+            "sync_action": "repair"
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-service.md b/docs/reference/metricbeat/metricbeat-metricset-system-service.md
new file mode 100644
index 000000000000..d5c6cc4ce562
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-service.md
@@ -0,0 +1,84 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-service.html
+---
+
+# System service metricset [metricbeat-metricset-system-service]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The `service` metricset reports on the status of systemd services.
+
+This metricset is available on:
+
+* Linux
+
+
+## systemd resource accounting and process metrics [_systemd_resource_accounting_and_process_metrics]
+
+If systemd resource accounting is enabled, this metricset will report any resources tracked by systemd. On most distributions, `tasks` and `memory` are the only resources with accounting enabled by default. For more information, [see the systemd manual pages](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html).
+
+
+## Configuration [_configuration_14]
+
+**`service.state_filter`** - A list of service states to filter by. This can be any of the states or sub-states known to systemd. **`service.pattern_filter`** - A list of glob patterns to filter service names by. This is an "or" filter, and will report any systemd unit that matches at least one filter pattern.
+
+
+## Dashboard [_dashboard_43]
+
+The system service metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-services-host.png
+:alt: metricbeat services host
+:::
+
+## Fields [_fields_245]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "system.service",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "service",
+        "period": 10000
+    },
+    "process": {
+        "exit_code": 0,
+        "pid": 259
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "service": {
+            "exec_code": "exited",
+            "load_state": "loaded",
+            "name": "dracut-pre-udev.service",
+            "state": "inactive",
+            "state_since": "2020-08-26T18:05:23.525244-07:00",
+            "sub_state": "dead",
+            "unit_file": {
+                "state": "static",
+                "vendor_preset": "disabled"
+            }
+        }
+    },
+    "systemd": {
+        "fragment_path": "/usr/lib/dracut/modules.d/98dracut-systemd/dracut-pre-udev.service",
+        "unit": "dracut-pre-udev.service"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-socket.md b/docs/reference/metricbeat/metricbeat-metricset-system-socket.md
new file mode 100644
index 000000000000..4f5cbd4efc55
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-socket.md
@@ -0,0 +1,107 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-socket.html
+---
+
+# System socket metricset [metricbeat-metricset-system-socket]
+
+This metricset is available on Linux only and requires kernel 2.6.14 or newer.
+
+The system `socket` metricset reports an event for each new TCP socket that it sees. It does this by polling the kernel periodically to get a dump of all sockets. You set the polling interval by configuring the `period` option. Specifying a short polling interval with this metricset is important to avoid missing short-lived connections. For example:
+
+```yaml
+metricbeat.modules:
+- module: system
+  metricsets: [cpu, memory]
+- module: system
+  metricsets: [socket] <1>
+  period: 1s
+```
+
+1. You can configure the `socket` metricset separately to specify a different `period` value than the other metricsets.
+
+
+The metricset reports the process that has the socket open. To provide this information on Linux for all processes, Metricbeat must be run with `sys_ptrace` and `dac_read_search` capabilities. These permissions are usually granted when running as root, but they can and may need to be explictly added when running Metricbeat inside a container.
+
+
+## Configuration [_configuration_15]
+
+```yaml
+- module: system
+  metricsets: [socket]
+  socket.reverse_lookup.enabled: false
+  socket.reverse_lookup.success_ttl: 60s
+  socket.reverse_lookup.failure_ttl: 60s
+```
+
+**`socket.reverse_lookup.enabled`**
+:   You can configure the metricset to perform a reverse lookup on the remote IP, and the returned hostname will be added to the event and cached. If a hostname is found, then the eTLD+1 (effective top-level domain plus one level) value will also be added to the event. Reverse lookups are disabled by default.
+
+**`socket.reverse_lookup.success_ttl`**
+:   The results of successful reverse lookups are cached for the period of time defined by this option. The default value is 60s.
+
+**`socket.reverse_lookup.failure_ttl`**
+:   The results of failed reverse lookups are cached for the period of time defined by this option. The default value is 60s.
+
+## Fields [_fields_246]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "dataset": "system.socket",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "socket"
+    },
+    "network": {
+        "direction": "listening",
+        "iana_number": "41",
+        "type": "ipv6"
+    },
+    "process": {
+        "args": [
+            "/tmp/go-build774092237/b001/socket.test",
+            "-data"
+        ],
+        "executable": "/tmp/go-build774092237/b001/socket.test",
+        "name": "socket.test",
+        "pid": 32127
+    },
+    "server": {
+        "ip": "::",
+        "port": 45109
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "socket": {
+            "local": {
+                "ip": "::",
+                "port": 45109
+            },
+            "process": {
+                "cmdline": "/tmp/go-build774092237/b001/socket.test -data"
+            }
+        }
+    },
+    "user": {
+        "full_name": "Jaime Soriano Pastor",
+        "id": "1000",
+        "name": "jaime"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-socket_summary.md b/docs/reference/metricbeat/metricbeat-metricset-system-socket_summary.md
new file mode 100644
index 000000000000..7feb6cf45018
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-socket_summary.md
@@ -0,0 +1,30 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-socket_summary.html
+---
+
+# System socket_summary metricset [metricbeat-metricset-system-socket_summary]
+
+The System `socket_summary` metricset provides the summary of open network sockets in the host system.
+
+It collects a summary of metrics with the count of existing TCP and UDP connections and the count of listening ports.
+
+This metricset is available on:
+
+* FreeBSD
+* Linux
+* macOS
+* Windows
+
+
+## Configuration [_configuration_16]
+
+There are no configuration options for this metricset.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_247]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-uptime.md b/docs/reference/metricbeat/metricbeat-metricset-system-uptime.md
new file mode 100644
index 000000000000..4b9f64783f66
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-uptime.md
@@ -0,0 +1,59 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-uptime.html
+---
+
+# System uptime metricset [metricbeat-metricset-system-uptime]
+
+The System `uptime` metricset provides the uptime of the host operating system.
+
+This metricset is available on:
+
+* Linux
+* macOS
+* OpenBSD
+* FreeBSD
+* Windows
+
+
+## Configuration [_configuration_17]
+
+There are no configuration options for this metricset.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_248]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "dataset": "system.uptime",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "uptime"
+    },
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "uptime": {
+            "duration": {
+                "ms": 1295582000
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-system-users.md b/docs/reference/metricbeat/metricbeat-metricset-system-users.md
new file mode 100644
index 000000000000..4157925e0f94
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-system-users.md
@@ -0,0 +1,72 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-users.html
+---
+
+# System users metricset [metricbeat-metricset-system-users]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The system/users metricset reports logged in users and associated sessions via dbus and logind, which is a systemd component. By default, the metricset will look in `/var/run/dbus/` for a system socket, although a new path can be selected with `DBUS_SYSTEM_BUS_ADDRESS`.
+
+This metricset is available on:
+
+* Linux
+
+
+## Configuration [_configuration_18]
+
+There are no configuration options for this metricset.
+
+## Fields [_fields_249]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-system.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "system.users",
+        "duration": 115000,
+        "module": "system"
+    },
+    "metricset": {
+        "name": "users",
+        "period": 10000
+    },
+    "process": {
+        "pid": 10786
+    },
+    "service": {
+        "type": "system"
+    },
+    "source": {
+        "ip": "192.168.1.86"
+    },
+    "system": {
+        "users": {
+            "id": 6,
+            "leader": 10786,
+            "path": "/org/freedesktop/login1/session/_36",
+            "remote": true,
+            "remote_host": "192.168.1.86",
+            "scope": "session-6.scope",
+            "seat": "",
+            "service": "sshd",
+            "state": "active",
+            "type": "tty"
+        }
+    },
+    "user": {
+        "id": "1000",
+        "name": "alexk"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-tomcat-cache.md b/docs/reference/metricbeat/metricbeat-metricset-tomcat-cache.md
new file mode 100644
index 000000000000..9704357b5365
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-tomcat-cache.md
@@ -0,0 +1,100 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-tomcat-cache.html
+---
+
+# Tomcat cache metricset [metricbeat-metricset-tomcat-cache]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Cache Metricset retrieves the JMX key `Catalina:context=*,host=*,name=Cache,type=WebResourceRoot`. It exposes the following metrics:
+
+* `tomcat.cache.mbean`: Mbean that this event is related to.
+* `tomcat.cache.hit.total`: The number of requests for resources that were served from the cache.
+* `tomcat.cache.size.total.kb`: The current estimate of the cache size in kB
+* `tomcat.cache.size.max.kb`: The maximum permitted size of the cache in kB
+* `tomcat.cache.lookup.total`: The number of requests for resources
+* `tomcat.cache.ttl.ms`: The time-to-live for cache entries in milliseconds
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_250]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-tomcat.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-09-19T13:42:47.806Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "event": {
+        "dataset": "tomcat.cache",
+        "module": "tomcat",
+        "duration": 98441554
+    },
+    "metricset": {
+        "name": "cache",
+        "period": 10000
+    },
+    "service": {
+        "address": "localhost:8080",
+        "type": "tomcat"
+    },
+    "tomcat": {
+        "cache": {
+            "mbean": "Catalina:context=/docs,host=localhost,name=Cache,type=WebResourceRoot",
+            "hit": {
+                "total": 4
+            },
+            "size": {
+                "total": {
+                    "kb": 5
+                },
+                "max": {
+                    "kb": 10240
+                }
+            },
+            "lookup": {
+                "total": 13
+            },
+            "ttl": {
+                "ms": 5000
+            }
+        }
+    },
+    "ecs": {
+        "version": "1.1.0"
+    },
+    "host": {
+        "id": "54f70115bae545cbac2b150f254472a0",
+        "containerized": false,
+        "hostname": "mcastro",
+        "architecture": "x86_64",
+        "name": "mcastro",
+        "os": {
+            "family": "",
+            "name": "Antergos Linux",
+            "kernel": "5.0.13-arch1-1-ARCH",
+            "platform": "antergos",
+            "version": ""
+        }
+    },
+    "agent": {
+        "version": "8.0.0",
+        "type": "metricbeat",
+        "ephemeral_id": "ccb9ebe2-bd8b-4d90-a362-37132e09370b",
+        "hostname": "mcastro",
+        "id": "7e36a073-1a32-4a94-b65b-4c7f971fb228"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-tomcat-memory.md b/docs/reference/metricbeat/metricbeat-metricset-tomcat-memory.md
new file mode 100644
index 000000000000..b70f023d3f9e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-tomcat-memory.md
@@ -0,0 +1,100 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-tomcat-memory.html
+---
+
+# Tomcat memory metricset [metricbeat-metricset-tomcat-memory]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Memory Metricset retrieves the JMX key `java.lang:type=Memory` using Jolokia. It exposes the following metrics:
+
+* `tomcat.memory.heap.usage.committed`: Committed heap memory usage.
+* `tomcat.memory.heap.usage.max`: Max heap memory usage.
+* `tomcat.memory.heap.usage.used`: Used heap memory usage.
+* `tomcat.memory.heap.usage.init`: Initial heap memory usage.
+* `tomcat.memory.other.usage.committed`: Committed non-heap memory usage.
+* `tomcat.memory.other.usage.max`: Max non-heap memory usage.
+* `tomcat.memory.other.usage.used`: Used non-heap memory usage.
+* `tomcat.memory.other.usage.init`: Initial non-heap memory usage.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_251]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-tomcat.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-09-16T11:24:36.957Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "tomcat": {
+        "memory": {
+            "heap": {
+                "usage": {
+                    "used": 2.0846464e+07,
+                    "init": 5.22190848e+08,
+                    "committed": 5.22190848e+08,
+                    "max": 8.338276352e+09
+                }
+            },
+            "other": {
+                "usage": {
+                    "used": 3.5853392e+07,
+                    "init": 7.667712e+06,
+                    "committed": 3.9911424e+07,
+                    "max": -1
+                }
+            }
+        }
+    },
+    "ecs": {
+        "version": "1.1.0"
+    },
+    "host": {
+        "containerized": false,
+        "hostname": "mcastro",
+        "name": "mcastro",
+        "architecture": "x86_64",
+        "os": {
+            "name": "Antergos Linux",
+            "kernel": "5.0.13-arch1-1-ARCH",
+            "platform": "antergos",
+            "version": "",
+            "family": ""
+        },
+        "id": "54f70115bae545cbac2b150f254472a0"
+    },
+    "agent": {
+        "version": "8.0.0",
+        "type": "metricbeat",
+        "ephemeral_id": "a4cc9624-50c1-462c-b254-fa45896ebdfb",
+        "hostname": "mcastro",
+        "id": "7e36a073-1a32-4a94-b65b-4c7f971fb228"
+    },
+    "event": {
+        "duration": 6965150,
+        "dataset": "tomcat.memory",
+        "module": "tomcat"
+    },
+    "metricset": {
+        "name": "memory",
+        "period": 10000
+    },
+    "service": {
+        "address": "localhost:8080",
+        "type": "tomcat"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-tomcat-requests.md b/docs/reference/metricbeat/metricbeat-metricset-tomcat-requests.md
new file mode 100644
index 000000000000..d4a6f9707e0e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-tomcat-requests.md
@@ -0,0 +1,94 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-tomcat-requests.html
+---
+
+# Tomcat requests metricset [metricbeat-metricset-tomcat-requests]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Requests Metricset retrieves the JMX key `Catalina:name=*,type=GlobalRequestProcessor` using Jolokia. It exposes the following metrics:
+
+* `tomcat.requests.mbean`: Number of requests processed
+* `tomcat.requests.total`: Number of requests processed
+* `tomcat.requests.bytes.received`: Amount of data received, in bytes
+* `tomcat.requests.bytes.sent`: Amount of data sent, in bytes
+* `tomcat.requests.processing.ms`: Total time to process the requests
+* `tomcat.requests.errors.total`: Number of errors
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_252]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-tomcat.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-09-19T13:42:47.806Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "event": {
+        "dataset": "tomcat.requests",
+        "module": "tomcat",
+        "duration": 97947886
+    },
+    "metricset": {
+        "name": "requests",
+        "period": 10000
+    },
+    "service": {
+        "address": "localhost:8080",
+        "type": "tomcat"
+    },
+    "tomcat": {
+        "requests": {
+            "processing": {
+                "ms": 0
+            },
+            "errors": {
+                "total": 0
+            },
+            "total": 0,
+            "mbean": "Catalina:name=\"http-nio-8080\",type=GlobalRequestProcessor",
+            "bytes": {
+                "received": 0,
+                "sent": 0
+            }
+        }
+    },
+    "host": {
+        "containerized": false,
+        "hostname": "mcastro",
+        "name": "mcastro",
+        "architecture": "x86_64",
+        "os": {
+            "name": "Antergos Linux",
+            "kernel": "5.0.13-arch1-1-ARCH",
+            "platform": "antergos",
+            "version": "",
+            "family": ""
+        },
+        "id": "54f70115bae545cbac2b150f254472a0"
+    },
+    "agent": {
+        "type": "metricbeat",
+        "ephemeral_id": "ccb9ebe2-bd8b-4d90-a362-37132e09370b",
+        "hostname": "mcastro",
+        "id": "7e36a073-1a32-4a94-b65b-4c7f971fb228",
+        "version": "8.0.0"
+    },
+    "ecs": {
+        "version": "1.1.0"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-tomcat-threading.md b/docs/reference/metricbeat/metricbeat-metricset-tomcat-threading.md
new file mode 100644
index 000000000000..309dd7a5c4a7
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-tomcat-threading.md
@@ -0,0 +1,101 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-tomcat-threading.html
+---
+
+# Tomcat threading metricset [metricbeat-metricset-tomcat-threading]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Threading Metricset retrieves the JMX key `Catalina:name=*,type=ThreadPool` and `java.lang:type=Threading` using Jolokia. It exposes the following metrics:
+
+* `tomcat.threading.busy`: Current busy threads from the ThreadPool
+* `tomcat.threading.max`: Max threads from the ThreadPool
+* `tomcat.threading.current`: Current number of threads, taken from the ThreadPool
+* `tomcat.threading.keep_alive.total`: Total keep alive on the ThreadPool
+* `tomcat.threading.keep_alive.timeout.ms`: Keep alive timeout on the ThreadPool
+* `tomcat.threading.started.total`: Current started threads at JVM level (from java.lang:type=Threading)
+* `tomcat.threading.user.time.ms`: User time in milliseconds (from java.lang:type=Threading)
+* `tomcat.threading.cpu.time.ms`: CPU time in milliseconds (from java.lang:type=Threading)
+* `tomcat.threading.total`: Total threads at the JVM level (from java.lang:type=Threading)
+* `tomcat.threading.peak`: Peak number of threads at JVM level (from java.lang:type=Threading)
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_253]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-tomcat.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-09-16T11:24:36.957Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.0.0"
+    },
+    "event": {
+        "duration": 7677063,
+        "dataset": "tomcat.threading",
+        "module": "tomcat"
+    },
+    "metricset": {
+        "name": "threading",
+        "period": 10000
+    },
+    "service": {
+        "type": "tomcat",
+        "address": "localhost:8080"
+    },
+    "tomcat": {
+        "threading": {
+            "total": 35,
+            "started": {
+                "total": 35
+            },
+            "user": {
+                "time": {
+                    "ms": 6e+07
+                }
+            },
+            "peak": 35,
+            "cpu": {
+                "time": {
+                    "ms": 6.9719161e+07
+                }
+            }
+        }
+    },
+    "ecs": {
+        "version": "1.1.0"
+    },
+    "host": {
+        "hostname": "mcastro",
+        "architecture": "x86_64",
+        "os": {
+            "name": "Antergos Linux",
+            "kernel": "5.0.13-arch1-1-ARCH",
+            "platform": "antergos",
+            "version": "",
+            "family": ""
+        },
+        "id": "54f70115bae545cbac2b150f254472a0",
+        "containerized": false,
+        "name": "mcastro"
+    },
+    "agent": {
+        "ephemeral_id": "a4cc9624-50c1-462c-b254-fa45896ebdfb",
+        "hostname": "mcastro",
+        "id": "7e36a073-1a32-4a94-b65b-4c7f971fb228",
+        "version": "8.0.0",
+        "type": "metricbeat"
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-traefik-health.md b/docs/reference/metricbeat/metricbeat-metricset-traefik-health.md
new file mode 100644
index 000000000000..6cf014d4732d
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-traefik-health.md
@@ -0,0 +1,55 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-traefik-health.html
+---
+
+# Traefik health metricset [metricbeat-metricset-traefik-health]
+
+This is the health metricset of the module traefik.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_254]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-traefik.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2019-03-01T08:05:34.853Z",
+    "event": {
+        "dataset": "traefik.health",
+        "duration": 115000,
+        "module": "traefik"
+    },
+    "metricset": {
+        "name": "health",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:55555",
+        "name": "traefik",
+        "type": "traefik"
+    },
+    "traefik": {
+        "health": {
+            "response": {
+                "avg_time": {
+                    "us": 15
+                },
+                "count": 18,
+                "status_codes": {
+                    "200": 17,
+                    "404": 1
+                }
+            },
+            "uptime": {
+                "sec": 64283
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-uwsgi-status.md b/docs/reference/metricbeat/metricbeat-metricset-uwsgi-status.md
new file mode 100644
index 000000000000..56951f06e5e5
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-uwsgi-status.md
@@ -0,0 +1,53 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-uwsgi-status.html
+---
+
+# uWSGI status metricset [metricbeat-metricset-uwsgi-status]
+
+This module periodically fetches metrics from [uWSGI](http://uwsgi-docs.readthedocs.io/en/latest/StatsServer.html) servers.
+
+
+## Compatibility [_compatibility_50]
+
+The uWSGI metricsets were tested with uWSGI 2.0.15 and are expected to work with all version >= 1.4.9
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_255]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-uwsgi.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "uwsgi.status",
+        "duration": 115000,
+        "module": "uwsgi"
+    },
+    "metricset": {
+        "name": "status",
+        "period": 10000
+    },
+    "service": {
+        "address": "172.28.0.3:9191",
+        "type": "uwsgi"
+    },
+    "uwsgi": {
+        "status": {
+            "total": {
+                "exceptions": 0,
+                "pid": 1,
+                "read_errors": 0,
+                "requests": 2,
+                "write_errors": 0
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-vsphere-cluster.md b/docs/reference/metricbeat/metricbeat-metricset-vsphere-cluster.md
new file mode 100644
index 000000000000..8e49861ee7ab
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-vsphere-cluster.md
@@ -0,0 +1,108 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-vsphere-cluster.html
+---
+
+# vSphere cluster metricset [metricbeat-metricset-vsphere-cluster]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the `cluster` metricset of the vSphere module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_256]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-vsphere.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+  "@timestamp": "2017-10-12T08:05:34.853Z",
+  "event": {
+      "dataset": "vsphere.cluster",
+      "duration": 115000,
+      "module": "vsphere"
+  },
+  "metricset": {
+      "name": "cluster",
+      "period": 10000
+  },
+  "service": {
+      "address": "127.0.0.1:33365",
+      "type": "vsphere"
+  },
+  "vsphere": {
+      "cluster": {
+          "triggered_alarms": [
+              {
+                  "status": "red",
+                  "triggered_time": "2024-09-09T13:23:00.786Z",
+                  "description": "Default alarm to monitor system boards.  See the host's Hardware Status tab for more details.",
+                  "entity_name": "121.0.0.0",
+                  "name": "Host hardware system board status",
+                  "id": "alarm-121.host-12"
+              },
+              {
+                  "triggered_time": "2024-09-09T13:23:00.786Z",
+                  "description": "Default alarm to monitor storage.  See the host's Hardware Status tab for more details.",
+                  "entity_name": "121.0.0.0",
+                  "name": "Host storage status",
+                  "id": "alarm-124.host-12",
+                  "status": "red"
+              },
+              {
+                  "entity_name": "121.0.0.0",
+                  "name": "Host memory usage",
+                  "id": "alarm-4.host-12",
+                  "status": "yellow",
+                  "triggered_time": "2024-08-28T10:31:26.621Z",
+                  "description": "Default alarm to monitor host memory usage"
+              },
+              {
+                  "name": "CPU Utilization",
+                  "id": "alarm-703.host-12",
+                  "status": "red",
+                  "triggered_time": "2024-08-28T10:31:26.621Z",
+                  "description": "",
+                  "entity_name": "121.0.0.0"
+              }
+          ],
+          "id": "domain-c1",
+          "name": "Cluster_1",
+          "das_config": {
+              "enabled": false,
+              "admission": {
+                  "control": {
+                      "enabled": true
+                  }
+              }
+          },
+          "host": {
+              "count": 1,
+              "names": [
+                  "Host_1"
+              ]
+          },
+          "datastore": {
+              "count": 1,
+              "names": [
+                  "Datastore_1"
+              ]
+          },
+          "network": {
+              "count": 1,
+              "names": [
+                  "Network_1"
+              ]
+          }
+      }
+  }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-vsphere-datastore.md b/docs/reference/metricbeat/metricbeat-metricset-vsphere-datastore.md
new file mode 100644
index 000000000000..917d76c350b6
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-vsphere-datastore.md
@@ -0,0 +1,86 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-vsphere-datastore.html
+---
+
+# vSphere datastore metricset [metricbeat-metricset-vsphere-datastore]
+
+This is the `datastore` metricset of the vSphere module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_257]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-vsphere.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "vsphere.datastore",
+        "duration": 115000,
+        "module": "vsphere"
+    },
+    "metricset": {
+        "name": "datastore",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:33365",
+        "type": "vsphere"
+    },
+    "vsphere": {
+        "datastore": {
+            "host": {
+                "count": 1,
+                "names": [
+                    "DC3_H0"
+                ]
+            },
+            "status": "green",
+            "vm": {
+                "count": 6,
+                "names": [
+                    "DC3_H0_VM0"
+                ]
+            },
+            "read": {
+                "bytes": 0
+            },
+            "write": {
+                "bytes": 337000
+            },
+            "disk": {
+                "capacity": {
+                    "usage": {
+                        "bytes": 520505786368
+                    },
+                    "bytes": 1610344300544
+                },
+                "provisioned": {
+                    "bytes": 520505786368
+                }
+            },
+            "capacity": {
+                "free": {
+                    "bytes": 37120094208
+                },
+                "total": {
+                    "bytes": 74686664704
+                },
+                "used": {
+                    "bytes": 37566570496,
+                    "pct": 0.502988996026061
+                }
+            },
+            "fstype": "local",
+            "name": "LocalDS_0",
+            "id": "datastore-0"
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-vsphere-datastorecluster.md b/docs/reference/metricbeat/metricbeat-metricset-vsphere-datastorecluster.md
new file mode 100644
index 000000000000..90566a4acf4a
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-vsphere-datastorecluster.md
@@ -0,0 +1,60 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-vsphere-datastorecluster.html
+---
+
+# vSphere datastorecluster metricset [metricbeat-metricset-vsphere-datastorecluster]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the Datastore Cluster metricset of the module vsphere.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_258]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-vsphere.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2016-05-23T08:05:34.853Z",
+    "service": {
+        "address": "https://localhost:8980/sdk",
+        "type": "vsphere"
+    },
+    "event": {
+        "dataset": "vsphere.datastorecluster",
+        "module": "vsphere",
+        "duration": 15443161
+    },
+    "metricset": {
+        "period": 20000,
+        "name": "datastorecluster"
+    },
+    "vsphere": {
+        "datastorecluster": {
+            "id": "group-p1",
+            "name": "datastore_cluster1",
+            "capacity": {
+                "bytes": 8795019280384
+            },
+            "free_space": {
+                "bytes": 8788836876288
+            },
+            "datastore": {
+                "count": 1,
+                "names": [
+                    "LocalDS_0"
+                ]
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-vsphere-host.md b/docs/reference/metricbeat/metricbeat-metricset-vsphere-host.md
new file mode 100644
index 000000000000..223dadba6ea8
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-vsphere-host.md
@@ -0,0 +1,197 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-vsphere-host.html
+---
+
+# vSphere host metricset [metricbeat-metricset-vsphere-host]
+
+This is the `host` metricset of the vSphere module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_259]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-vsphere.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2022-09-06T06:41:22.128Z",
+    "metricset": {
+        "name": "host",
+        "period": 10000
+    },
+    "service": {
+        "address": "https://localhost:8989/sdk",
+        "type": "vsphere"
+    },
+    "event": {
+        "module": "vsphere",
+        "duration": 23519250,
+        "dataset": "vsphere.host"
+    },
+    "vsphere": {
+        "host": {
+            "triggered_alarms": [
+                {
+                    "status": "red",
+                    "triggered_time": "2024-09-09T13:23:00.786Z",
+                    "description": "Default alarm to monitor system boards.  See the host's Hardware Status tab for more details.",
+                    "entity_name": "121.0.0.0",
+                    "name": "Host hardware system board status",
+                    "id": "alarm-121.host-12"
+                },
+                {
+                    "triggered_time": "2024-09-09T13:23:00.786Z",
+                    "description": "Default alarm to monitor storage.  See the host's Hardware Status tab for more details.",
+                    "entity_name": "121.0.0.0",
+                    "name": "Host storage status",
+                    "id": "alarm-124.host-12",
+                    "status": "red"
+                },
+                {
+                    "entity_name": "121.0.0.0",
+                    "name": "Host memory usage",
+                    "id": "alarm-4.host-12",
+                    "status": "yellow",
+                    "triggered_time": "2024-08-28T10:31:26.621Z",
+                    "description": "Default alarm to monitor host memory usage"
+                },
+                {
+                    "name": "CPU Utilization",
+                    "id": "alarm-703.host-12",
+                    "status": "red",
+                    "triggered_time": "2024-08-28T10:31:26.621Z",
+                    "description": "",
+                    "entity_name": "121.0.0.0"
+                }
+            ],
+            "cpu": {
+                "used": {
+                    "mhz": 67
+                },
+                "total": {
+                    "mhz": 4588
+                },
+                "free": {
+                    "mhz": 4521
+                }
+            },
+            "disk": {
+                "capacity": {
+                    "usage": {
+                        "bytes": 0
+                    }
+                },
+                "devicelatency": {
+                    "average": {
+                        "ms": 0
+                    }
+                },
+                "latency": {
+                    "total": {
+                        "ms": 18
+                    }
+                },
+                "total": {
+                    "bytes": 262000
+                },
+                "read": {
+                    "bytes": 13000
+                },
+                "write": {
+                    "bytes": 248000
+                }
+            },
+            "memory": {
+                "free": {
+                    "bytes": 2822230016
+                },
+                "total": {
+                    "bytes": 4294430720
+                },
+                "used": {
+                    "bytes": 1472200704
+                }
+            },
+            "network": {
+                "bandwidth": {
+                    "total": {
+                        "bytes": 372000
+                    },
+                    "transmitted": {
+                        "bytes": 0
+                    },
+                    "received": {
+                        "bytes": 371000
+                    }
+                },
+                "packets": {
+                    "received": {
+                        "count": 9463
+                    },
+                    "errors": {
+                        "transmitted": {
+                            "count": 0
+                        },
+                        "received": {
+                            "count": 0
+                        },
+                        "total": {
+                            "count": 0
+                        }
+                    },
+                    "multicast": {
+                        "total": {
+                            "count": 6679
+                        },
+                        "transmitted": {
+                            "count": 0
+                        },
+                        "received": {
+                            "count": 6679
+                        }
+                    },
+                    "dropped": {
+                        "received": {
+                            "count": 0
+                        },
+                        "total": {
+                            "count": 0
+                        },
+                        "transmitted": {
+                            "count": 0
+                        }
+                    },
+                    "transmitted": {
+                        "count": 54
+                    }
+                }
+            },
+            "vm": {
+                "count": 2,
+                "names": [
+                    "DC0_H0_VM0",
+                    "DC0_H0_VM1"
+                ]
+            },
+            "datastore": {
+                "count": 1,
+                "names": [
+                    "LocalDS_0"
+                ]
+            },
+            "network_names": [
+                "VM Network"
+            ],
+            "id": "host-0",
+            "name": "DC0_H0",
+            "status": "green",
+            "uptime": 1728865
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-vsphere-network.md b/docs/reference/metricbeat/metricbeat-metricset-vsphere-network.md
new file mode 100644
index 000000000000..3b0f98b0dec6
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-vsphere-network.md
@@ -0,0 +1,65 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-vsphere-network.html
+---
+
+# vSphere network metricset [metricbeat-metricset-vsphere-network]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the network metricset of the module vsphere.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_260]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-vsphere.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2024-08-09T05:42:55.582Z",
+    "service": {
+        "address": "https://localhost:8989/sdk",
+        "type": "vsphere"
+    },
+    "event": {
+        "duration": 110445057,
+        "dataset": "vsphere.network",
+        "module": "vsphere"
+    },
+    "metricset": {
+        "period": 10000,
+        "name": "network"
+    },
+    "vsphere": {
+        "network": {
+            "vm": {
+                "names": [
+                  "DC0_H0_VM0",
+                  "DC0_H0_VM1"
+                ],
+                "count": 2
+            },
+            "id": "network-1",
+            "name": "VM Network",
+            "status": "green",
+            "accessible": true,
+            "config": {
+                "status": "green"
+            },
+            "type": "Network",
+            "host": {
+                "names": ["DC0_H0"],
+                "count": 1
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-vsphere-resourcepool.md b/docs/reference/metricbeat/metricbeat-metricset-vsphere-resourcepool.md
new file mode 100644
index 000000000000..7bac119606d1
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-vsphere-resourcepool.md
@@ -0,0 +1,104 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-vsphere-resourcepool.html
+---
+
+# vSphere resourcepool metricset [metricbeat-metricset-vsphere-resourcepool]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the resourcepool metricset of the module vsphere.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_261]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-vsphere.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2024-08-06T10:38:51.952Z",
+    "metricset": {
+        "name": "resourcepool",
+        "period": 10000
+    },
+    "service": {
+        "type": "vsphere",
+        "address": "https://localhost:8989/sdk"
+    },
+    "event": {
+        "dataset": "vsphere.resourcepool",
+        "module": "vsphere",
+        "duration": 57462824
+    },
+    "vsphere": {
+        "resourcepool": {
+            "id": "resgroup-30",
+            "name": "Resources",
+            "status": "green",
+            "vm": {
+                "names": ["DC0_H0_VM0", "DC0_H0_VM1"],
+                "count": 2
+            },
+            "cpu": {
+                "usage": {
+                    "mhz": 3323
+                },
+                "demand": {
+                    "mhz": 3344
+                },
+                "entitlement": {
+                    "mhz": 3197,
+                    "static": {
+                        "mhz": 21294
+                    }
+                }
+            },
+            "memory": {
+                "compressed": {
+                    "bytes": 0
+                },
+                "usage": {
+                    "guest": {
+                        "bytes": 6515851264
+                    },
+                    "host": {
+                        "bytes": 122227261440
+                    }
+                },
+                "entitlement": {
+                    "bytes": 38726008832,
+                    "static": {
+                        "bytes": 14680064
+                    }
+                },
+                "private": {
+                    "bytes": 121226919936
+                },
+                "shared": {
+                    "bytes": 45088768
+                },
+                "swapped": {
+                    "bytes": 0
+                },
+                "ballooned": {
+                    "bytes": 0
+                },
+                "overhead": {
+                    "bytes": 1695547392,
+                    "consumed": {
+                        "bytes": 1001390080
+                    }
+                }
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-vsphere-virtualmachine.md b/docs/reference/metricbeat/metricbeat-metricset-vsphere-virtualmachine.md
new file mode 100644
index 000000000000..d5b2728fd6fd
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-vsphere-virtualmachine.md
@@ -0,0 +1,115 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-vsphere-virtualmachine.html
+---
+
+# vSphere virtualmachine metricset [metricbeat-metricset-vsphere-virtualmachine]
+
+This is the `virtualmachine` metricset of the vSphere module.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_262]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-vsphere.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2024-08-12T04:51:25.851Z",
+    "event": {
+        "dataset": "vsphere.virtualmachine",
+        "duration": 115000,
+        "module": "vsphere"
+    },
+    "metricset": {
+        "name": "virtualmachine",
+        "period": 10000
+    },
+    "service": {
+        "address": "127.0.0.1:39149",
+        "type": "vsphere"
+    },
+    "vsphere": {
+        "virtualmachine": {
+            "id": "vm-51",
+            "name": "xt0nmfpv9",
+            "uptime": 5348978,
+            "status": "green",
+            "host": {
+                "id": "host-32",
+                "hostname": "phx-w1c1-esxi04.com"
+            },
+            "cpu": {
+                "free": {
+                    "mhz": 0
+                },
+                "used": {
+                    "mhz": 161
+                },
+                "total": {
+                    "mhz": 0
+                }
+            },
+            "network": {
+                "names": [
+                    "PROD_VCF_VMS"
+                ],
+                "count": 1
+            },
+            "memory": {
+                "used": {
+                    "guest": {
+                        "bytes": 686817280
+                    },
+                    "host": {
+                        "bytes": 29027729408
+                    }
+                },
+                "total": {
+                    "guest": {
+                        "bytes": 68719476736
+                    }
+                },
+                "free": {
+                    "guest": {
+                        "bytes": 68032659456
+                    }
+                }
+            },
+            "network_names": [
+                "PROD_VCF_VMS"
+            ],
+            "datastore": {
+                "count": 1,
+                "names": [
+                    "VxRailtoup-Virtual-Datastore-bc1d-5aa310fb"
+                ]
+            },
+            "os": "CentOS 4/5/6/7 (64-bit)",
+            "snapshot": {
+                "info": [
+                    {
+                        "id": 1,
+                        "name": "VM Snapshot 7%2f3%2f2024, 4:01:21 PM",
+                        "description": "Created to demo",
+                        "createtime": "2024-07-03T20:01:34.329Z",
+                        "state": "poweredOn"
+                    },
+                    {
+                        "createtime": "2024-07-05T23:35:40.859Z",
+                        "state": "poweredOn",
+                        "id": 2,
+                        "name": "VM Snapshot 7%2f5%2f2024, 7:35:37 PM",
+                        "description": "backup"
+                    }
+                ],
+                "count": 2
+            }
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-windows-perfmon.md b/docs/reference/metricbeat/metricbeat-metricset-windows-perfmon.md
new file mode 100644
index 000000000000..2eda7a37ea90
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-windows-perfmon.md
@@ -0,0 +1,115 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-windows-perfmon.html
+---
+
+# Windows perfmon metricset [metricbeat-metricset-windows-perfmon]
+
+The `perfmon` metricset of the Windows module reads Windows performance counters.
+
+
+## Configuration [_configuration_19]
+
+You must configure queries for the Windows performance counters that you wish to collect. The example below collects processor time and disk writes every 10 seconds. If either of the counters do not exist it will ignore the error.
+
+```yaml
+- module: windows
+  metricsets: [perfmon]
+  period: 10s
+  perfmon.ignore_non_existent_counters: true
+  perfmon.group_measurements_by_instance: true
+  perfmon.queries:
+  - object: "Process"
+    instance: ["svchost*", "conhost*"]
+    counters:
+    - name: "% Processor Time"
+      field: time.processor.pct
+      format: "float"
+    - name: "Thread Count"
+      field: thread_count
+    - name: "IO Read Operations/sec"
+  - object: "PhysicalDisk"
+    field : "disk"
+    instance: "*"
+    counters:
+    - name: "Disk Writes/sec"
+    - name: "% Disk Write Time"
+      field: "write_time"
+      format: "float"
+```
+
+**`ignore_non_existent_counters`**
+:   A boolean option that causes the metricset to ignore errors caused by counters that do not exist when set to true. Instead of an error, a message will be logged at the info level stating that the counter does not exist.
+
+**`group_measurements_by_instance`**
+:   A boolean option that causes metricbeat to send all measurements with a matching perfmon instance as part of a single event. In the above example, this will cause the physical_disk.write.per_sec and physical_disk.write.time.pct measurements to be sent as a single event. The default behaviour is for all measurements to be sent as separate events.
+
+**`refresh_wildcard_counters`**
+:   A boolean option to refresh the counter list at each fetch. By default, the counter list will be retrieved at the starting time, to refresh the list at each fetch, users will have to enable this setting.
+
+
+### Query Configuration [_query_configuration]
+
+Each item in the `query` list specifies multiple perfmon queries to perform. In the events generated by the metricset these configuration options map to the field values as shown below.
+
+**`object`**
+:   The performance object to query. A performance object can be a physical component, such as processors, disks, and memory, or a system object, such as processes and threads. Required
+
+**`field`**
+:   The object field/label. Not required, if not entered, it will be `object`.
+
+**`instance`**
+:   Matches the ParentInstance, ObjectInstance, and InstanceIndex are included in the path if multiple instances of the object can exist. Not required for performance counters which do not contain one.
+
+**`counters`**
+:   List of the partial counter paths (At least one partial counter path is required).
+
+**`name`**
+:   The counter name. Required. This is the counter specified in Performance Data Helper (PDH) syntax. For example in case of the counter path `\Processor Information(_Total)\% Processor Time`, the value for this configuration option will be `% Processor Time`.
+
+**`field`**
+:   The counter path value field/label. Not required, if not entered, it will be generated based on the counter path.
+
+**`format`**
+:   Format of the measurement value. The value can be either `float`, `large` or `long`. The default is `float`.
+
+## Fields [_fields_263]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-windows.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "windows.perfmon",
+        "duration": 115000,
+        "module": "windows"
+    },
+    "metricset": {
+        "name": "perfmon",
+        "period": 10000
+    },
+    "service": {
+        "type": "windows"
+    },
+    "windows": {
+        "perfmon": {
+            "instance": "_Total",
+            "metrics": {
+                "processor": {
+                    "time": {
+                        "total": {
+                            "pct": 6.310940413107646
+                        }
+                    }
+                }
+            },
+            "object": "Processor Information"
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-windows-service.md b/docs/reference/metricbeat/metricbeat-metricset-windows-service.md
new file mode 100644
index 000000000000..2f29b2307c49
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-windows-service.md
@@ -0,0 +1,75 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-windows-service.html
+---
+
+# Windows service metricset [metricbeat-metricset-windows-service]
+
+The `service` metricset of the Windows module reads the status of Windows services.
+
+
+## Dashboard [_dashboard_47]
+
+The service metricset comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-windows-service.png
+:alt: metricbeat windows service
+:::
+
+
+## Configuration [_configuration_20]
+
+```yaml
+- module: windows
+  metricsets: ["service"]
+  period: 60s
+```
+
+
+## Filtering [_filtering_2]
+
+Processors can be used to filter the events based on the service states or their names. The example below configures the metricset to drop all events except for the events for the firewall service. See [Processors](/reference/metricbeat/filtering-enhancing-data.md) for more information about using processors.
+
+```yaml
+- module: windows
+  metricsets: ["service"]
+  period: 60s
+  processors:
+    - drop_event.when.not.equals:
+        windows.service.display_name: Windows Firewall
+```
+
+## Fields [_fields_264]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-windows.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "windows.service",
+        "duration": 115000,
+        "module": "windows"
+    },
+    "metricset": {
+        "name": "service"
+    },
+    "service": {
+        "type": "windows"
+    },
+    "windows": {
+        "service": {
+            "display_name": "Servicio de enrutador de AllJoyn",
+            "exit_code": "ERROR_SERVICE_NEVER_STARTED",
+            "id": "IOQgaoSLJ7",
+            "name": "AJRouter",
+            "start_type": "Manual (Triggered)",
+            "state": "Stopped"
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-windows-wmi.md b/docs/reference/metricbeat/metricbeat-metricset-windows-wmi.md
new file mode 100644
index 000000000000..239feccc7a23
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-windows-wmi.md
@@ -0,0 +1,18 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/master/metricbeat-metricset-windows-wmi.html
+---
+
+# Windows wmi metricset [metricbeat-metricset-windows-wmi]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The `wmi` metricset of the Windows module reads metrics via Windows Management Instrumentation  [(WMI)](https://learn.microsoft.com/en-us/windows/win32/wmisdk/about-wmi), a core management technology in the Windows Operating system.
+
+By leveraging WMI Query Language (WQL), this metricset allows you to extract detailed system information and metrics to monitor the health and performance of Windows Systems.
+
+This metricset leverages the [Microsoft WMI](https://github.com/microsoft/wmi), library a convenient wrapper around the [GO-OLE](https://github.com/go-ole) library which allows to invoke the WMI Api.
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-zookeeper-connection.md b/docs/reference/metricbeat/metricbeat-metricset-zookeeper-connection.md
new file mode 100644
index 000000000000..71f90f427df1
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-zookeeper-connection.md
@@ -0,0 +1,55 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-zookeeper-connection.html
+---
+
+# ZooKeeper connection metricset [metricbeat-metricset-zookeeper-connection]
+
+`connection` Metricset fetches the data returned by the `cons` admin keyword. It exposes the following metrics:
+
+* `zookeeper.connection.interest_ops`: Interest ops
+* `zookeeper.connection.queued`: Queued connections
+* `zookeeper.connection.received`: Received connections
+* `zookeeper.connection.sent`: Connections sent
+
+## Fields [_fields_266]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-zookeeper.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "client": {
+        "ip": "192.168.176.1",
+        "port": 53618
+    },
+    "event": {
+        "dataset": "zookeeper.connection",
+        "duration": 115000,
+        "module": "zookeeper"
+    },
+    "metricset": {
+        "name": "connection",
+        "period": 10000
+    },
+    "service": {
+        "address": "192.168.176.2:2181",
+        "node": {
+            "name": "0"
+        },
+        "type": "zookeeper"
+    },
+    "zookeeper": {
+        "connection": {
+            "interest_ops": 0,
+            "queued": 0,
+            "received": 1,
+            "sent": 0
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-zookeeper-mntr.md b/docs/reference/metricbeat/metricbeat-metricset-zookeeper-mntr.md
new file mode 100644
index 000000000000..574116d9e88b
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-zookeeper-mntr.md
@@ -0,0 +1,82 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-zookeeper-mntr.html
+---
+
+# ZooKeeper mntr metricset [metricbeat-metricset-zookeeper-mntr]
+
+`mntr` Metricset fetches the data returned by the `mntr` admin keyword. It exposes the following metrics:
+
+* `zookeeper.mntr.approximate_data_size`: Approximate size of ZooKeeper data.
+* `zookeeper.mntr.latency.avg`: Average latency between ensemble hosts in milliseconds.
+* `zookeeper.mntr.ephemerals_count`: Number of ephemeral znodes.
+* `zookeeper.mntr.followers`: Number of followers seen by the current host.
+* `zookeeper.mntr.max_file_descriptor_count`: Maximum number of file descriptors allowed for the ZooKeeper process.
+* `zookeeper.mntr.latency.max`: Maximum latency in milliseconds.
+* `zookeeper.mntr.latency.min`: Minimum latency in milliseconds.
+* `zookeeper.mntr.num_alive_connections`: Number of connections to ZooKeeper that are currently alive.
+* `zookeeper.mntr.open_file_descriptor_count`: Number of file descriptors open by the ZooKeeper process.
+* `zookeeper.mntr.outstanding_requests`: Number of outstanding requests that need to be processed by the cluster.
+* `zookeeper.mntr.packets.received`: Number of ZooKeeper network packets received.
+* `zookeeper.mntr.packets.sent`: Number of ZooKeeper network packets sent.
+* `zookeeper.mntr.pending_syncs`: Number of pending syncs to carry out to ZooKeeper ensemble followers.
+* `zookeeper.mntr.server_state`: Role in the ZooKeeper ensemble.
+* `zookeeper.mntr.synced_followers`: Number of synced followers reported when a node server_state is leader.
+* `zookeeper.mntr.version`: Version and build string reported.
+* `zookeeper.mntr.watch_count`: Number of watches currently set on the local ZooKeeper process.
+* `zookeeper.mntr.znode_count`: Number of znodes reported by the local ZooKeeper process.
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_267]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-zookeeper.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "zookeeper.mntr",
+        "duration": 115000,
+        "module": "zookeeper"
+    },
+    "metricset": {
+        "name": "mntr",
+        "period": 10000
+    },
+    "service": {
+        "address": "192.168.176.2:2181",
+        "node": {
+            "name": "0"
+        },
+        "type": "zookeeper",
+        "version": "3.5.5-390fe37ea45dee01bf87dc1c042b5e3dcce88653, built on 05/03/2019 12:07 GMT"
+    },
+    "zookeeper": {
+        "mntr": {
+            "approximate_data_size": 44,
+            "ephemerals_count": 0,
+            "latency": {
+                "avg": 0,
+                "max": 0,
+                "min": 0
+            },
+            "max_file_descriptor_count": 1048576,
+            "num_alive_connections": 1,
+            "open_file_descriptor_count": 49,
+            "outstanding_requests": 0,
+            "packets": {
+                "received": 34,
+                "sent": 33
+            },
+            "server_state": "standalone",
+            "watch_count": 0,
+            "znode_count": 5
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-metricset-zookeeper-server.md b/docs/reference/metricbeat/metricbeat-metricset-zookeeper-server.md
new file mode 100644
index 000000000000..3c88715ff2fd
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-metricset-zookeeper-server.md
@@ -0,0 +1,74 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-zookeeper-server.html
+---
+
+# ZooKeeper server metricset [metricbeat-metricset-zookeeper-server]
+
+`server` Metricset fetches the data returned by the `srvr` admin keyword.
+
+* `zookeeper.server.connections`: Connections established by the server
+* `zookeeper.server.latency.avg`: Average latency of the server
+* `zookeeper.server.latency.max`: Max latency reached by the server
+* `zookeeper.server.latency.min`: Minimum latency that has been reached by the server
+* `zookeeper.server.mode`: Server mode
+* `zookeeper.server.node_count`: Total number of nodes
+* `zookeeper.server.outstanding`: Outstanding
+* `zookeeper.server.received`: Received requests to the server
+* `zookeeper.server.sent`: Requests sent by the server
+* `zookeeper.server.version_date`: Date of the Zookeeper release in use
+* `zookeeper.server.zxid`: Original value of the Zookeeper transaction ID
+* `zookeeper.server.count`: Total transactions of the leader in epoch
+* `zookeeper.server.epoch`: Epoch value of the Zookeeper transaction ID
+
+This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
+
+## Fields [_fields_268]
+
+For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-zookeeper.md) section.
+
+Here is an example document generated by this metricset:
+
+```json
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "event": {
+        "dataset": "zookeeper.server",
+        "duration": 115000,
+        "module": "zookeeper"
+    },
+    "metricset": {
+        "name": "server",
+        "period": 10000
+    },
+    "service": {
+        "address": "192.168.176.2:2181",
+        "node": {
+            "name": "0"
+        },
+        "type": "zookeeper",
+        "version": "3.5.5-390fe37ea45dee01bf87dc1c042b5e3dcce88653"
+    },
+    "zookeeper": {
+        "server": {
+            "connections": 1,
+            "count": 0,
+            "epoch": 0,
+            "latency": {
+                "avg": 0,
+                "max": 0,
+                "min": 0
+            },
+            "mode": "standalone",
+            "node_count": 5,
+            "outstanding": 0,
+            "received": 40,
+            "sent": 39,
+            "version_date": "2019-05-03T12:07:00Z",
+            "zxid": "0x0"
+        }
+    }
+}
+```
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-activemq.md b/docs/reference/metricbeat/metricbeat-module-activemq.md
new file mode 100644
index 000000000000..509218dbcf39
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-activemq.md
@@ -0,0 +1,59 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-activemq.html
+---
+
+# ActiveMQ module [metricbeat-module-activemq]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/activemq.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module periodically fetches JMX metrics from Apache ActiveMQ.
+
+
+## Compatibility [_compatibility_4]
+
+The module has been tested with ActiveMQ 5.13.0 and 5.15.9. Other versions are expected to work.
+
+
+## Usage [_usage]
+
+The ActiveMQ module requires [Jolokia](/reference/metricbeat/metricbeat-module-jolokia.md) to fetch JMX metrics. Refer to the link for instructions about how to use Jolokia.
+
+
+## Example configuration [_example_configuration]
+
+The ActiveMQ module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: activemq
+  metricsets: ['broker', 'queue', 'topic']
+  period: 10s
+  hosts: ['localhost:8161']
+  path: '/api/jolokia/?ignoreErrors=true&canonicalNaming=false'
+  username: admin # default username
+  password: admin # default password
+```
+
+
+## Metricsets [_metricsets_2]
+
+The following metricsets are available:
+
+* [broker](/reference/metricbeat/metricbeat-metricset-activemq-broker.md)
+* [queue](/reference/metricbeat/metricbeat-metricset-activemq-queue.md)
+* [topic](/reference/metricbeat/metricbeat-metricset-activemq-topic.md)
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-aerospike.md b/docs/reference/metricbeat/metricbeat-module-aerospike.md
new file mode 100644
index 000000000000..56a94d3f2e0e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-aerospike.md
@@ -0,0 +1,72 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-aerospike.html
+---
+
+# Aerospike module [metricbeat-module-aerospike]
+
+The Aerospike module uses the [Info command](http://www.aerospike.com/docs/reference/info) to collect metrics. The default metricset is `namespace`.
+
+
+## Compatibility [_compatibility_5]
+
+The Aerospike metricsets were tested with Aerospike Enterprise Edition 7.2.0.1 and are expected to work with all versions >= 4.9.
+
+
+## Dashboard [_dashboard]
+
+The Aerospike module comes with a predefined dashboard for Aerospike namespace, node specific stats. For example:
+
+:::{image} images/metricbeat-aerospike-overview.png
+:alt: metricbeat aerospike overview
+:::
+
+
+## Example configuration [_example_configuration_2]
+
+The Aerospike module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: aerospike
+  metricsets: ["namespace"]
+  enabled: true
+  period: 10s
+  hosts: ["localhost:3000"]
+
+  # Aerospike Cluster Name
+  #cluster_name: myclustername
+
+  # Username of hosts. Empty by default.
+  #username: root
+
+  # Password of hosts. Empty by default.
+  #password: secret
+
+  # Authentication modes: https://aerospike.com/docs/server/guide/security/access-control
+  # Possible values: internal (default), external, pki
+  #auth_mode: internal
+
+  # Optional SSL/TLS (disabled by default)
+  #ssl.enabled: true
+
+  # List of root certificates for SSL/TLS server verification
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.crt"]
+
+  # Certificate for SSL/TLS client authentication
+  #ssl.certificate: "/etc/pki/client/cert.crt"
+
+  # Client certificate key file
+  #ssl.key: "/etc/pki/client/cert.key"
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md).
+
+
+## Metricsets [_metricsets_3]
+
+The following metricsets are available:
+
+* [namespace](/reference/metricbeat/metricbeat-metricset-aerospike-namespace.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-airflow.md b/docs/reference/metricbeat/metricbeat-module-airflow.md
new file mode 100644
index 000000000000..987dd4b47ec7
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-airflow.md
@@ -0,0 +1,56 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-airflow.html
+---
+
+# Airflow module [metricbeat-module-airflow]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This module collects metrics from [Airflow metrics](https://airflow.apache.org/docs/apache-airflow/stable/logging-monitoring/metrics.html). It runs a statsd server where airflow will send metrics to. The default metricset is `statsd`.
+
+
+## Compatibility [_compatibility_6]
+
+The Airflow module is tested with Airflow 2.1.0. It should work with version 2.0.0 and later.
+
+
+## Usage [_usage_2]
+
+The Airflow module requires [Statsd](/reference/metricbeat/metricbeat-module-statsd.md) to receive statsd metrics. Refer to the link for instructions about how to use statsd.
+
+Add the following lines to your Airflow configuration file e.g. `airflow.cfg` ensuring `statsd_prefix` is left empty and replace `%METRICBEAT_HOST%` with the address where metricbeat is running:
+
+```
+[metrics]
+statsd_on = True
+statsd_host = %METRICBEAT_HOST%
+statsd_port = 8126
+statsd_prefix =
+```
+
+
+## Example configuration [_example_configuration_3]
+
+The Airflow module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: airflow
+  host: "localhost"
+  port: "8126"
+  #ttl: "30s"
+  metricsets: [ 'statsd' ]
+```
+
+
+## Metricsets [_metricsets_4]
+
+The following metricsets are available:
+
+* [statsd](/reference/metricbeat/metricbeat-metricset-airflow-statsd.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-apache.md b/docs/reference/metricbeat/metricbeat-module-apache.md
new file mode 100644
index 000000000000..1f50b45605f0
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-apache.md
@@ -0,0 +1,70 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-apache.html
+---
+
+# Apache module [metricbeat-module-apache]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/apache.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module periodically fetches metrics from [Apache HTTPD](https://httpd.apache.org/) servers. The default metricset is `status`.
+
+
+## Compatibility [_compatibility_7]
+
+The Apache metricsets were tested with Apache 2.4.12 and 2.4.54 and are expected to work with all versions >= 2.2.31 and >= 2.4.16.
+
+
+## Dashboard [_dashboard_2]
+
+The Apache module comes with a predefined dashboard. For example:
+
+:::{image} images/apache_httpd_server_status.png
+:alt: apache httpd server status
+:::
+
+
+## Example configuration [_example_configuration_4]
+
+The Apache module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: apache
+  metricsets: ["status"]
+  period: 10s
+  enabled: true
+
+  # Apache hosts
+  hosts: ["http://127.0.0.1"]
+
+  # Path to server status. Default server-status
+  #server_status_path: "server-status"
+
+  # Username of hosts.  Empty by default
+  #username: username
+
+  # Password of hosts. Empty by default
+  #password: password
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_5]
+
+The following metricsets are available:
+
+* [status](/reference/metricbeat/metricbeat-metricset-apache-status.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-aws.md b/docs/reference/metricbeat/metricbeat-module-aws.md
new file mode 100644
index 000000000000..e8dea707fdc7
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-aws.md
@@ -0,0 +1,707 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-aws.html
+---
+
+# AWS module [metricbeat-module-aws]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/aws.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module periodically fetches monitoring metrics from AWS CloudWatch using [GetMetricData API](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricData.html) for AWS services.
+
+All metrics are enabled by default.
+
+::::{important}
+Extra AWS charges on CloudWatch API requests will be generated by this module. Please see [AWS API requests](#aws-api-requests) for more details.
+::::
+
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes]
+
+* **AWS Credentials**
+
+The `aws` module requires AWS credentials configuration in order to make AWS API calls. Users can either use `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and/or `AWS_SESSION_TOKEN`, or use shared AWS credentials file. Please see [AWS credentials options](#aws-credentials-config) for more details.
+
+If you use AWS CloudWatch cross-account observability, credentials of the monitoring account should be used here and Metricbeat will collect all metrics from both the monitoring account and the linked source accounts.
+
+* **regions**
+
+This module also accepts optional configuration `regions` to specify which AWS regions to query metrics from. If the `regions` parameter is not set in the config file, then by default, the `aws` module will query metrics from all available AWS regions. If `endpoint` is specified, `regions` becomes a required config parameter.
+
+* **latency**
+
+Some AWS services send monitoring metrics to CloudWatch with a latency to process larger than Metricbeat collection period. This will cause data points missing or none get collected by Metricbeat. In this case, please specify a `latency` parameter so collection start time and end time will be shifted by the given latency amount.
+
+* **data_granularity**
+
+AWS CloudWatch allows to define the granularity of the returned data points, by setting "Period" while querying metrics. Please see [MetricDataQuery parameters](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_MetricDataQuery.html) for more information.
+
+By default, metricbeat will query CloudWatch setting "Period" to Metricbeat collection period. If you wish to set a custom value for "Period", please specify a `data_granularity` parameter. By setting `period` and `data_granularity` together, you can control, respectively, how frequently you want your metrics to be collected and how granular they have to be.
+
+If you are concerned about reducing the cost derived by CloudWatch API calls made by Metricbeat with an extra delay in retrieving metrics as trade off, you may consider setting `data_granularity` and increase Metricbeat collection period. For example, setting `data_granularity` to your current value for `period`, and doubling the value of `period`, may lead to a 50% savings in terms of GetMetricData API calls cost.
+
+* **endpoint**
+
+Most AWS services offer a regional endpoint that can be used to make requests. The general syntax of a regional endpoint is `protocol://service-code.region-code.endpoint-code`. Some services, such as IAM, do not support regions. The endpoints for these services do not include a region. In `aws` module, `endpoint` config is to set the `endpoint-code` part, such as `amazonaws.com`, `amazonaws.com.cn`, `c2s.ic.gov`, `sc2s.sgov.gov`.
+
+If endpoint is specified, `regions` config becomes required.
+
+* **include_linked_accounts**
+
+The `include_linked_accounts` parameter is used to enable the inclusion of metrics from different accounts linked to a main monitoring account. By setting this parameter to true, users can gather metrics from multiple AWS accounts that are linked through the [CloudWatch cross-account observability](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html). By default, the `include_linked_accounts` parameter is set to true, meaning that metrics from the main monitoring account and all linked accounts are all collected. When set to false, the parameter allows the CloudWatch service to only retrieve metrics from the monitoring account.
+
+If you need to collect metrics from a specific linked account, use `owning_account` configuration.
+
+***Note*:** Users should ensure that the necessary IAM roles and policies are properly set up in order to link the monitoring account and source accounts together. Please see [Link monitoring accounts with source accounts](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account-Setup.html#CloudWatch-Unified-Cross-Account-Setup-permissions) for more details.
+
+* **owning_account**
+
+This configuration works together with `include_linked_accounts` configuration and allows to collect metrics from a specific linked account. The configuration accepts a valid account ID and internally it maps to the `OwningAccount` parameter of [ListMetrics API](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_ListMetrics.html).
+
+Note that, `include_linked_accounts` should be enabled (which is the default value) to use this parameter.
+
+```yaml
+include_linked_accounts: true
+owning_account: 111111111111
+```
+
+* **tags_filter**
+
+The tags to filter against. If tags are given in config, then only collect metrics from resources that have tag key and tag value matches the filter. For example, if tags parameter is given as `Organization=Engineering` under `AWS/ELB` namespace, then only collect metrics from ELBs with tag name equals to `Organization` and tag value equals to `Engineering`. In order to filter for different values for the same key, add the values to the value array (see example)
+
+Note: tag filtering only works for metricsets with `resource_type` specified in the metricset-specific configuration.
+
+```yaml
+- module: aws
+  period: 5m
+  endpoint: amazonaws.com.cn
+  regions: cn-north-1
+  metricsets:
+    - ec2
+  tags_filter:
+    - key: "Organization"
+      value: ["Engineering", "Product"]
+```
+
+* **fips_enabled**
+
+Enforces the use of FIPS service endpoints. See [AWS credentials options](#aws-credentials-config) for more information.
+
+```yaml
+- module: aws
+  period: 5m
+  fips_enabled: true
+  regions:
+    - us-east-1
+    - us-east-2
+    - us-west-1
+    - us-west-2
+  metricsets:
+    - ec2
+```
+
+* **apigateway_max_results**
+
+This configuration works together with AWS/APIGateway namespace. It defines the maximum number of returned results per page. The default value is 25 and the maximum value is 500. See [GetRestApisInput.Limit](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/apigateway@v1.25.8#GetRestApisInput.Limit)
+
+```yaml
+- module: aws
+      period: 10s
+      regions:
+        - us-east-1
+      metricsets:
+        - cloudwatch
+      metrics:
+        - namespace: "AWS/ApiGateway"
+          resource_type: "apigateway:restapis"
+          apigateway_max_results: 40
+```
+
+The aws module comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-aws-overview.png
+:alt: metricbeat aws overview
+:::
+
+
+## Metricsets [_metricsets_6]
+
+Currently, we have `billing`, `cloudwatch`, `dynamodb`, `ebs`, `ec2`, `elb`, `kinesis` `lambda`, `mtest`, `natgateway`, `rds`, `s3_daily_storage`, `s3_request`, `sns`, `sqs`, `transitgateway`, `usage` and `vpn` metricset in `aws` module.
+
+
+### `billing` [_billing]
+
+Billing metric data includes the estimated charges for every service in the AWS account and the estimated overall total charge for the AWS account. The estimated charges are calculated and sent several times daily to CloudWatch. Therefore, `period` in aws module configuration is set to `12h`.
+
+The billing metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-aws-billing-overview.png
+:alt: metricbeat aws billing overview
+:::
+
+
+### `cloudwatch` [_cloudwatch]
+
+This metricset allows users to query metrics from AWS CloudWatch with any given namespaces or specific instance with a given period. Please see [AWS Services That Publish CloudWatch Metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-services-cloudwatch-metrics.html) for a list of AWS services that publish metrics to CloudWatch.
+
+
+### `dynamodb` [_dynamodb]
+
+DynamoDB sends metrics to CloudWatch periodically for better monitoring how web application or service is performing.
+
+The dynamodb metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-aws-dynamodb-overview.png
+:alt: metricbeat aws dynamodb overview
+:::
+
+
+### `ebs` [_ebs]
+
+For basic monitoring in AWS EBS volumes, data is available automatically in 5-minute periods at no charge. This includes data for the root device volumes for EBS-backed instances. User can also enable detailed monitoring for provisioned IOPS SSD (io1) volumes to automatically send one-minute metrics to CloudWatch. Default period in aws module configuration is set to `5m` for ebs metricset.
+
+The ebs metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-aws-ebs-overview.png
+:alt: metricbeat aws ebs overview
+:::
+
+
+### `ec2` [_ec2]
+
+By default, Amazon EC2 sends metric data to CloudWatch every 5 minutes. With this basic monitoring, `period` in aws module configuration should be larger or equal than `300s`. If `period` is set to be less than `300s`, the same cloudwatch metrics will be collected more than once which will cause extra fees without getting more granular metrics. For example, in `US East (N. Virginia)` region, it costs $0.01/1000 metrics requested using GetMetricData. Please see [AWS CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing/) for more details. To avoid unnecessary charges, `period` is preferred to be set to `300s` or multiples of `300s`, such as `600s` and `900s`. For more granular monitoring data you can enable detailed monitoring on the instance to get metrics every 1 minute. Please see [Enabling Detailed Monitoring](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html) for instructions on how to enable detailed monitoring. With detailed monitoring enabled, `period` in aws module configuration can be any number larger than `60s`. Since AWS sends metric data to CloudWatch in 1-minute periods, setting metricbeat module `period` less than `60s` will cause extra API requests which means extra charges on AWS. To avoid unnecessary charges, `period` is preferred to be set to `60s` or multiples of `60s`, such as `120s` and `180s`.
+
+The ec2 metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-aws-ec2-overview.png
+:alt: metricbeat aws ec2 overview
+:::
+
+
+### `elb` [_elb]
+
+elb metricset collects CloudWatch metrics from classic load balancer, application load balancer and network load balancer.
+
+All three kinds of elastic load balancing reports metrics to Cloudwatch only when requests are flowing through the load balancer. If there are requests flowing through the load balancer, Elastic Load Balancing measures and sends its metrics in 60-second intervals. If there are no requests flowing through the load balancer or no data for a metric, the metric is not reported. Therefore, `period` in aws module configuration is set to `1m`.
+
+The elb metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-aws-elb-overview.png
+:alt: metricbeat aws elb overview
+:::
+
+
+### `lambda` [_lambda]
+
+When an invocation completes, Lambda sends a set of metrics to CloudWatch for that invocation. Default period in aws module configuration is set to `5m` for lambda metricset. The lambda metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-aws-lambda-overview.png
+:alt: metricbeat aws lambda overview
+:::
+
+
+### `natgateway` [_natgateway]
+
+CloudWatch collects information from NAT gateways and creates readable, near real-time metrics. This metricset enables users to collect these metrics from CloudWatch to monitor and troubleshoot their NAT gateway. NAT gateway metric data is provided at 1-minute intervals and therefore, `period` for `natgateway` metricset is recommended to be `1m` or multiples of `1m`.
+
+
+### `rds` [_rds]
+
+`period` for `rds` metricset is recommended to be `60s` or multiples of `60s` because Amazon RDS sends metrics and dimensions to Amazon CloudWatch every minute.
+
+The rds metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-aws-rds-overview.png
+:alt: metricbeat aws rds overview
+:::
+
+
+### `s3_daily_storage` [_s3_daily_storage]
+
+Daily storage metrics for S3 buckets are reported once per day with no additional cost. Since they are daily metrics, `period` for `s3_daily_storage` metricset is recommended to be `86400s` or multiples of `86400s`.
+
+
+### `s3_request` [_s3_request]
+
+Request metrics are available at 1-minute intervals with additional charges. The s3_request metricset will give more granular data to track S3 bucket usage. The `period` for `s3_request` metricset can be set to `60s` or multiples of `60s`. But because of the extra charges for querying these metrics, the `period` is recommended to set to `86400s`. The user can always adjust this to the granularity they want. Request metrics are not enabled by default for S3 buckets. Please see [How to Configure Request Metrics for S3](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/configure-metrics.html) for instructions on how to enable request metrics for each S3 bucket.
+
+The s3_daily_storage and s3_request metricset comes with a predefined combined dashboard:
+
+:::{image} images/metricbeat-aws-s3-overview.png
+:alt: metricbeat aws s3 overview
+:::
+
+
+### `sqs` [_sqs]
+
+CloudWatch metrics for Amazon SQS queues are automatically collected and pushed to CloudWatch every 5 minutes, the `period` for `sqs` metricset is recommended to be `300s` or multiples of `300s`.
+
+The sqs metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-aws-sqs-overview.png
+:alt: metricbeat aws sqs overview
+:::
+
+
+### `transitgateway` [_transitgateway]
+
+Amazon VPC reports metrics to CloudWatch only when requests are flowing through the transit gateway. If there are requests flowing through the transit gateway, Amazon VPC measures and sends its metrics in 60-second intervals. `period` for `transitgateway` metricset is recommended to be `1m` or multiples of `1m`.
+
+
+### `usage` [_usage_3]
+
+CloudWatch collects metrics that track the usage of some AWS resources. These metrics correspond to AWS service quotas. Tracking these metrics can help proactively manage quotas. Service quota usage metrics are in the AWS/Usage namespace and are collected every minute. Therefore, `period` in aws module configuration for usage metricset is set to `1m`.
+
+The usage metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-aws-usage-overview.png
+:alt: metricbeat aws usage overview
+:::
+
+
+### `vpn` [_vpn]
+
+CloudWatch collects and processes raw data from the VPN service into readable, near real-time metrics for users to better understand the performance of their web applications and services.
+
+
+## AWS API requests count [aws-api-requests]
+
+This session is to document what are the AWS API called made by each metricset in `aws` module. This will be useful for users to estimate costs for using `aws` module.
+
+Note: some AWS APIs need pagination like ListMetrics and GetMetricData. Count value is depends on the number of results.
+
+ListMetrics max page size: 500, based on [AWS API ListMetrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_ListMetrics.html)
+
+GetMetricData max page size: 100, based on [AWS API GetMetricData](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricData.html)
+
+|     |     |     |
+| --- | --- | --- |
+| AWS API Name | AWS API Count | Frequency |
+| IAM ListAccountAliases | 1 | Once on startup |
+| STS GetCallerIdentity | 1 | Once on startup |
+| EC2 DescribeRegions | 1 | Once on startup |
+| CloudWatch ListMetrics without specifying namespace in configuration | Total number of results / ListMetrics max page size | Per region per collection period |
+| CloudWatch ListMetrics with specific namespaces in configuration | Total number of results / ListMetrics max page size * number of unique namespaces | Per region per collection period |
+| CloudWatch GetMetricData | Total number of results / GetMetricData max page size | Per region per namespace per collection period |
+
+`billing`, `ebs`, `elb`, `sns`, `usage` and `lambda` are the same as `cloudwatch` metricset.
+
+
+### AWS Credentials Configuration [aws-credentials-config]
+
+To configure AWS credentials, either put the credentials into the Metricbeat configuration, or use a shared credentials file, as shown in the following examples.
+
+
+#### Configuration parameters [_configuration_parameters]
+
+* **access_key_id**: first part of access key.
+* **secret_access_key**: second part of access key.
+* **session_token**: required when using temporary security credentials.
+* **credential_profile_name**: profile name in shared credentials file.
+* **shared_credential_file**: directory of the shared credentials file.
+* **role_arn**: AWS IAM Role to assume.
+* **external_id**: external ID to use when assuming a role in another account, see [the AWS documentation for use of external IDs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html).
+* **proxy_url**: URL of the proxy to use to connect to AWS web services. The syntax is `http(s)://<IP/Hostname>:<port>`
+* **fips_enabled**: Enabling this option instructs Metricbeat to use the FIPS endpoint of a service. All services used by Metricbeat are FIPS compatible except for `tagging` but only certain regions are FIPS compatible. See [https://aws.amazon.com/compliance/fips/](https://aws.amazon.com/compliance/fips/) or the appropriate service page, [https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html](https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html), for a full list of FIPS endpoints and regions.
+* **ssl**: This specifies SSL/TLS configuration. If the ssl section is missing, the host’s CAs are used for HTTPS connections. See [SSL](/reference/metricbeat/configuration-ssl.md) for more information.
+* **default_region**: Default region to query if no other region is set. Most AWS services offer a regional endpoint that can be used to make requests. Some services, such as IAM, do not support regions. If a region is not provided by any other way (environment variable, credential or instance profile), the value set here will be used.
+* **assume_role.duration**: The duration of the requested assume role session. Defaults to 15m when not set. AWS allows a maximum session duration between 1h and 12h depending on your maximum session duration policies.
+* **assume_role.expiry_window**: The expiry_window will allow refreshing the session prior to its expiration. This is beneficial to prevent expiring tokens from causing requests to fail with an ExpiredTokenException.
+
+
+#### Supported Formats [_supported_formats]
+
+::::{note}
+The examples in this section refer to Metricbeat, but the credential options for authentication with AWS are the same no matter which Beat is being used.
+::::
+
+
+* Use `access_key_id`, `secret_access_key`, and/or `session_token`
+
+Users can either put the credentials into the Metricbeat module configuration or use environment variable `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and/or `AWS_SESSION_TOKEN` instead.
+
+If running on Docker, these environment variables should be added as a part of the docker command. For example, with Metricbeat:
+
+```bash
+$ docker run -e AWS_ACCESS_KEY_ID=abcd -e AWS_SECRET_ACCESS_KEY=abcd -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
+```
+
+Sample `metricbeat.aws.yml` looks like:
+
+```yaml
+metricbeat.modules:
+- module: aws
+  period: 5m
+  access_key_id: ${AWS_ACCESS_KEY_ID}
+  secret_access_key: ${AWS_SECRET_ACCESS_KEY}
+  session_token: ${AWS_SESSION_TOKEN}
+  metricsets:
+    - ec2
+```
+
+Environment variables can also be added through a file. For example:
+
+```bash
+$ cat env.list
+AWS_ACCESS_KEY_ID=abcd
+AWS_SECRET_ACCESS_KEY=abcd
+
+$ docker run --env-file env.list -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
+```
+
+* Use `credential_profile_name` and/or `shared_credential_file`
+
+If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then metricbeat will check for `credential_profile_name`. If you use different credentials for different tools or applications, you can use profiles to configure multiple access keys in the same configuration file. If there is no `credential_profile_name` given, the default profile will be used.
+
+`shared_credential_file` is optional to specify the directory of your shared credentials file. If it’s empty, the default directory will be used. In Windows, shared credentials file is at `C:\Users\<yourUserName>\.aws\credentials`. For Linux, macOS or Unix, the file is located at `~/.aws/credentials`. When running as a service, the home path depends on the user that manages the service, so the `shared_credential_file` parameter can be used to avoid ambiguity. Please see [Create Shared Credentials File](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.md) for more details.
+
+* Use `role_arn`
+
+`role_arn` is used to specify which AWS IAM role to assume for generating temporary credentials. If `role_arn` is given, metricbeat will check if access keys are given. If not, metricbeat will check for credential profile name. If neither is given, default credential profile will be used. Please make sure credentials are given under either a credential profile or access keys.
+
+If running on Docker, the credential file needs to be provided via a volume mount. For example, with Metricbeat:
+
+```bash
+docker run -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" --volume="/Users/foo/.aws/credentials:/usr/share/metricbeat/credentials:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
+```
+
+Sample `metricbeat.aws.yml` looks like:
+
+```yaml
+metricbeat.modules:
+- module: aws
+  period: 5m
+  credential_profile_name: elastic-beats
+  shared_credential_file: /usr/share/metricbeat/credentials
+  metricsets:
+    - ec2
+```
+
+* Use AWS credentials in Metricbeat configuration
+
+    ```yaml
+    metricbeat.modules:
+    - module: aws
+      period: 300s
+      metricsets:
+        - ec2
+      access_key_id: '<access_key_id>'
+      secret_access_key: '<secret_access_key>'
+      session_token: '<session_token>'
+    ```
+
+    or
+
+    ```yaml
+    metricbeat.modules:
+    - module: aws
+      period: 300s
+      metricsets:
+        - ec2
+      access_key_id: '${AWS_ACCESS_KEY_ID:""}'
+      secret_access_key: '${AWS_SECRET_ACCESS_KEY:""}'
+      session_token: '${AWS_SESSION_TOKEN:""}'
+    ```
+
+* Use IAM role ARN
+
+    ```yaml
+    metricbeat.modules:
+    - module: aws
+      period: 300s
+      metricsets:
+        - ec2
+      role_arn: arn:aws:iam::123456789012:role/test-mb
+    ```
+
+* Use shared AWS credentials file
+
+    ```yaml
+    metricbeat.modules:
+    - module: aws
+      period: 300s
+      metricsets:
+        - ec2
+      credential_profile_name: test-mb
+    ```
+
+* Use IAM role ARN with shared AWS credentials file
+
+    ```yaml
+    metricbeat.modules:
+    - module: aws
+      period: 5m
+      role_arn: arn:aws:iam::123456789012:role/test-mb
+      shared_credential_file: /Users/mb/.aws/credentials_backup
+      credential_profile_name: test
+      metricsets:
+        - ec2
+    ```
+
+
+
+#### AWS Credentials Types [_aws_credentials_types]
+
+There are two different types of AWS credentials can be used: access keys and temporary security credentials.
+
+* Access keys
+
+`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the two parts of access keys. They are long-term credentials for an IAM user or the AWS account root user. Please see [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) for more details.
+
+* IAM role ARN
+
+An IAM role is an IAM identity that you can create in your account that has specific permissions that determine what the identity can and cannot do in AWS. A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate temporary credentials. Please see [AssumeRole API documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) for more details.
+
+Here are the steps to set up IAM role using AWS CLI for Metricbeat. Please replace `123456789012` with your own account ID.
+
+Step 1. Create `example-policy.json` file to include all permissions:
+
+```yaml
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "sqs:ReceiveMessage"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "VisualEditor1",
+            "Effect": "Allow",
+            "Action": "sqs:ChangeMessageVisibility",
+            "Resource": "arn:aws:sqs:us-east-1:123456789012:test-fb-ks"
+        },
+        {
+            "Sid": "VisualEditor2",
+            "Effect": "Allow",
+            "Action": "sqs:DeleteMessage",
+            "Resource": "arn:aws:sqs:us-east-1:123456789012:test-fb-ks"
+        },
+        {
+            "Sid": "VisualEditor3",
+            "Effect": "Allow",
+            "Action": [
+                "sts:AssumeRole",
+                "sqs:ListQueues",
+                "tag:GetResources",
+                "ec2:DescribeInstances",
+                "cloudwatch:GetMetricData",
+                "ec2:DescribeRegions",
+                "iam:ListAccountAliases",
+                "sts:GetCallerIdentity",
+                "cloudwatch:ListMetrics"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
+Step 2. Create IAM policy using the `aws iam create-policy` command:
+
+```bash
+$ aws iam create-policy --policy-name example-policy --policy-document file://example-policy.json
+```
+
+Step 3. Create the JSON file `example-role-trust-policy.json` that defines the trust relationship of the IAM role
+
+```yaml
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
+        "Action": "sts:AssumeRole"
+    }
+}
+```
+
+Step 4. Create the IAM role and attach the policy:
+
+```bash
+$ aws iam create-role --role-name example-role --assume-role-policy-document file://example-role-trust-policy.json
+$ aws iam attach-role-policy --role-name example-role --policy-arn "arn:aws:iam::123456789012:policy/example-policy"
+```
+
+After these steps are done, IAM role ARN can be used for authentication in Metricbeat `aws` module.
+
+* Temporary security credentials
+
+Temporary security credentials has a limited lifetime and consists of an access key ID, a secret access key, and a security token which typically returned from `GetSessionToken`. MFA-enabled IAM users would need to submit an MFA code while calling `GetSessionToken`. Please see [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) for more details. `sts get-session-token` AWS CLI can be used to generate temporary credentials. For example. with MFA-enabled:
+
+```bash
+aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --token-code 456789 --duration-seconds 129600
+```
+
+Because temporary security credentials are short term, after they expire, the user needs to generate new ones and modify the aws.yml config file with the new credentials. Unless [live reloading](/reference/metricbeat/_live_reloading.md) feature is enabled for Metricbeat, the user needs to manually restart Metricbeat after updating the config file in order to continue collecting Cloudwatch metrics. This will cause data loss if the config file is not updated with new credentials before the old ones expire. For Metricbeat, we recommend users to use access keys in config file to enable aws module making AWS api calls without have to generate new temporary credentials and update the config frequently.
+
+IAM policy is an entity that defines permissions to an object within your AWS environment. Specific permissions needs to be added into the IAM user’s policy to authorize Metricbeat to collect AWS monitoring metrics. Please see documentation under each metricset for required permissions.
+
+
+## Running on EKS [_running_on_eks]
+
+* **WebIdentity authentication flow**
+
+See documentation in order to create a IAM Role for Service account: [https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html](https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html)
+
+Once you have create the IRSA you can annotate `metricbeat` service account with it
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<IRSA_ID>
+  name: metricbeat
+  namespace: kube-system
+  labels:
+    k8s-app: metricbeat
+```
+
+In order to enable WebIdentity authentication flow you need to add a trust relationship to the IRSA:
+
+```json
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/<OIDC_PROVIDER_ID>"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "oidc.eks.REGION.amazonaws.com/id/<OIDC_PROVIDER_ID>:sub": "system:serviceaccount:kube-system:metricbeat",
+          "oidc.eks.REGION.amazonaws.com/id/<OIDC_PROVIDER_ID>:aud": "sts.amazonaws.com"
+        }
+      }
+    }
+```
+
+In this case there’s no need to add `role_arn` to modules config.
+
+
+### Example configuration [_example_configuration_5]
+
+The AWS module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: aws
+  period: 300s
+  credential_profile_name: test-mb
+  metricsets:
+    - ec2
+  tags_filter:
+    - key: "Organization"
+      value: "Engineering"
+- module: aws
+  period: 300s
+  credential_profile_name: test-mb
+  metricsets:
+    - sqs
+  regions:
+    - us-west-1
+- module: aws
+  period: 86400s
+  metricsets:
+    - s3_request
+    - s3_daily_storage
+  access_key_id: '${AWS_ACCESS_KEY_ID:""}'
+  secret_access_key: '${AWS_SECRET_ACCESS_KEY:""}'
+  session_token: '${AWS_SESSION_TOKEN:""}'
+- module: aws
+  period: 300s
+  credential_profile_name: test-mb
+  metricsets:
+    - cloudwatch
+  include_linked_accounts: true
+  # owning_account: 111111111111
+  metrics:
+    - namespace: AWS/EC2
+      name: ["CPUUtilization"]
+      dimensions:
+        - name: InstanceId
+          value: i-0686946e22cf9494a
+    - namespace: AWS/EBS
+    - namespace: AWS/ELB
+      resource_type: elasticloadbalancing
+      tags:
+        - key: "Organization"
+          value: "Engineering"
+- module: aws
+  period: 60s
+  credential_profile_name: test-mb
+  tags_filter:
+    - key: "dept"
+      value: "eng"
+  metricsets:
+    - elb
+    - natgateway
+    - rds
+    - transitgateway
+    - usage
+    - vpn
+- module: aws
+  period: 1m
+  latency: 5m
+  include_linked_accounts: false
+  metricsets:
+    - s3_request
+```
+
+
+### Metricsets [_metricsets_7]
+
+The following metricsets are available:
+
+* [awshealth](/reference/metricbeat/metricbeat-metricset-aws-awshealth.md)
+* [billing](/reference/metricbeat/metricbeat-metricset-aws-billing.md)
+* [cloudwatch](/reference/metricbeat/metricbeat-metricset-aws-cloudwatch.md)
+* [dynamodb](/reference/metricbeat/metricbeat-metricset-aws-dynamodb.md)
+* [ebs](/reference/metricbeat/metricbeat-metricset-aws-ebs.md)
+* [ec2](/reference/metricbeat/metricbeat-metricset-aws-ec2.md)
+* [elb](/reference/metricbeat/metricbeat-metricset-aws-elb.md)
+* [kinesis](/reference/metricbeat/metricbeat-metricset-aws-kinesis.md)
+* [lambda](/reference/metricbeat/metricbeat-metricset-aws-lambda.md)
+* [natgateway](/reference/metricbeat/metricbeat-metricset-aws-natgateway.md)
+* [rds](/reference/metricbeat/metricbeat-metricset-aws-rds.md)
+* [s3_daily_storage](/reference/metricbeat/metricbeat-metricset-aws-s3_daily_storage.md)
+* [s3_request](/reference/metricbeat/metricbeat-metricset-aws-s3_request.md)
+* [sns](/reference/metricbeat/metricbeat-metricset-aws-sns.md)
+* [sqs](/reference/metricbeat/metricbeat-metricset-aws-sqs.md)
+* [transitgateway](/reference/metricbeat/metricbeat-metricset-aws-transitgateway.md)
+* [usage](/reference/metricbeat/metricbeat-metricset-aws-usage.md)
+* [vpn](/reference/metricbeat/metricbeat-metricset-aws-vpn.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-awsfargate.md b/docs/reference/metricbeat/metricbeat-module-awsfargate.md
new file mode 100644
index 000000000000..5e66a5d50af9
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-awsfargate.md
@@ -0,0 +1,74 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-awsfargate.html
+---
+
+# AWS Fargate module [metricbeat-module-awsfargate]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Amazon ECS on Fargate provides a method to retrieve various metadata, network metrics, and Docker stats about tasks and containers. This is referred to as the [task metadata endpoint](https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-metadata-endpoint-v4-fargate.md) and this endpoint is available per container.
+
+The environment variable is injected by default into the containers of Amazon ECS tasks on Fargate that use platform version 1.4.0 or later and Amazon ECS tasks on Amazon EC2 that are running at least version 1.39.0 of the Amazon ECS container agent.
+
+The awsfargate module is a Metricbeat module which collects AWS fargate metrics from task metadata endpoint.
+
+
+## Introduction to AWS ECS and Fargate [_introduction_to_aws_ecs_and_fargate]
+
+Amazon Elastic Container Service (Amazon ECS) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage containers. ECS has two launch types that can define how compute resources will be managed: ECS EC2 and ECS Fargate.
+
+* **ECS EC2**
+
+ECS EC2 launches containers that run on EC2 instances. Users have to manage EC2 instances. Pricing depends on the number of EC2 instances running.
+
+One can monitor these containers by deploying Metricbeat on the corresponding EC2 instances with the Metricbeat Docker module enabled.
+
+In order to achieve this one will need:
+
+1. to ensure access to these EC2 instances using ssh keys coupled with EC2 instances (attach ssh keys on cluster creation using `Key pair` option)
+2. to enable shh access for the instances with the proper [inbound rules](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html).
+
+* **ECS Fargate**
+
+ECS Fargate removes the responsibility of provisioning, configuring, and managing the EC2 instances by allowing AWS to manage the EC2 instances. Users only need to specify containers and tasks. Pricing based on the number of tasks.
+
+
+## Task Metadata Endpoint [_task_metadata_endpoint]
+
+[Task metadata endpoint](https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-metadata-endpoint-v4-fargate.md) returns [Docker stats](https://docs.docker.com/engine/api/v1.30/#operation/ContainerStats) in JSON format for all the containers associated with the task. This endpoint is only available from within the task definition itself, which means Metricbeat needs to be run as a sidecar container within the task definition. Since the metadata endpoint is only accessible from within the Fargate Task, there is no authentication in place.
+
+
+## Metricsets [_metricsets_8]
+
+Currently, we have `task_stats` metricset in `awsfargate` module.
+
+
+### `task_stats` [_task_stats]
+
+This metricset collects runtime CPU metrics, disk I/O metrics, memory metrics, network metrics and container metadata from both endpoint `${ECS_CONTAINER_METADATA_URI_V4}/task/stats` and `${ECS_CONTAINER_METADATA_URI_V4}/task`.
+
+
+### Example configuration [_example_configuration_6]
+
+The AWS Fargate module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: awsfargate
+  period: 10s
+  metricsets:
+    - task_stats
+```
+
+
+### Metricsets [_metricsets_9]
+
+The following metricsets are available:
+
+* [task_stats](/reference/metricbeat/metricbeat-metricset-awsfargate-task_stats.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-azure.md b/docs/reference/metricbeat/metricbeat-module-azure.md
new file mode 100644
index 000000000000..ccaad01b932a
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-azure.md
@@ -0,0 +1,315 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-azure.html
+---
+
+# Azure module [metricbeat-module-azure]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/azure_metrics.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The Azure Monitor feature collects and aggregates logs and metrics from a variety of sources into a common data platform where it can be used for analysis, visualization, and alerting.
+
+The azure monitor metrics are numerical values that describe some aspect of a system at a particular point in time. They are collected at regular intervals and are identified with a timestamp, a name, a value, and one or more defining labels.
+
+The azure module will periodically retrieve the azure monitor metrics using the Azure REST APIs as MetricList. Additional azure API calls will be executed in order to retrieve information regarding the resources targeted by the user.
+
+::::{important}
+Extra Azure charges on metric queries may be generated by this module. Please see [additional notes about metrics and costs](#azure-api-cost) for more details.
+::::
+
+
+
+### Dashboards [_dashboards]
+
+The azure module comes with several predefined dashboards for virtual machines, VM guest metrics and virtual machine scale sets.
+
+The VM overview dashboard shows information about CPU, memory, disk usage as well as operations per second. The two available filters help narrowing down the dashbord to specific regions and/or resource groups. For example:
+
+:::{image} images/metricbeat-azure-vm-overview.png
+:alt: metricbeat azure vm overview
+:::
+
+If VM guest metrics are enabled then the guest metrics overview dashboard can help with monitoring ASP.NET applications and SQL Server metrics. For example:
+
+:::{image} images/metricbeat-azure-vm-guestmetrics-overview.png
+:alt: metricbeat azure vm guestmetrics overview
+:::
+
+The virtual machine scale sets dashboard is similar to the VM dashboard and shows relevant health information about running vm scale sets. For example:
+
+:::{image} images/metricbeat-azure-vmss-overview.png
+:alt: metricbeat azure vmss overview
+:::
+
+The Azure storage dashboards show all relevant metrics for the blob, file, table and queue storage services:
+
+:::{image} images/metricbeat-azure-storage-overview.png
+:alt: metricbeat azure storage overview
+:::
+
+The Azure billing dashboards show relevant usage and forecast information:
+
+:::{image} images/metricbeat-azure-billing-overview.png
+:alt: metricbeat azure billing overview
+:::
+
+The Azure app_state dashboard shows relevant application insights information:
+
+:::{image} images/metricbeat-azure-app-state-overview.png
+:alt: metricbeat azure app state overview
+:::
+
+
+### Module-specific configuration notes [_module_specific_configuration_notes_2]
+
+All the tasks executed against the Azure Monitor REST API will use the Azure Resource Manager authentication model. Therefore, all requests must be authenticated with Azure Active Directory (Azure AD). One approach to authenticate the client application is to create an Azure AD service principal and retrieve the authentication (JWT) token. For a more detailed walk-through, have a look at using Azure PowerShell to create a service principal to access resources [https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-2.7.0](https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-2.7.0). It is also possible to create a service principal via the Azure portal [https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal). Users will have to make sure the roles assigned to the application contain at least reading permissions to the monitor data, more on the roles here [https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles).
+
+Required credentials for the `azure` module:
+
+`client_id`
+:   The unique identifier for the application (also known as Application Id)
+
+`client_secret`
+:   The client/application secret/key
+
+`subscription_id`
+:   The unique identifier for the azure subscription
+
+`tenant_id`
+:   The unique identifier of the Azure Active Directory instance
+
+The azure credentials keys can be used if configured `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`
+
+`resource_manager_endpoint`
+:   *string* Optional, by default the azure public environment will be used, to override, users can provide a specific resource manager endpoint in order to use a different azure environment. Ex: [https://management.chinacloudapi.cn](https://management.chinacloudapi.cn) for azure ChinaCloud [https://management.microsoftazure.de](https://management.microsoftazure.de) for azure GermanCloud [https://management.azure.com](https://management.azure.com) for azure PublicCloud [https://management.usgovcloudapi.net](https://management.usgovcloudapi.net) for azure USGovernmentCloud
+
+`active_directory_endpoint`
+:   *string* Optional, by default the associated active directory endpoint to the resource manager endpoint will be used, to override, users can provide a specific active directory endpoint in order to use a different azure environment. Ex: [https://login.microsoftonline.com](https://login.microsoftonline.com) for azure ChinaCloud [https://login.microsoftonline.us](https://login.microsoftonline.us) for azure GermanCloud [https://login.chinacloudapi.cn](https://login.chinacloudapi.cn) for azure PublicCloud [https://login.microsoftonline.de](https://login.microsoftonline.de) for azure USGovernmentCloud
+
+`resource_manager_audience`
+:   *string* Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager audience in order to use a different azure environment. Ex: [https://management.chinacloudapi.cn/](https://management.chinacloudapi.cn/) for azure ChinaCloud [https://management.microsoftazure.de/](https://management.microsoftazure.de/) for azure GermanCloud [https://management.azure.com/](https://management.azure.com/) for azure PublicCloud [https://management.usgovcloudapi.net/](https://management.usgovcloudapi.net/) for azure USGovernmentCloud Users can also use this in case of a Hybrid Cloud model, where one may define their own audiences.
+
+
+## Metricsets [_metricsets_10]
+
+
+### `monitor` [_monitor]
+
+This metricset allows users to retrieve metrics from specified resources. Added filters can apply here as the interval of retrieving these metrics, metric names, aggregation list, namespaces and metric dimensions. The monitor metrics will have a minimum timegrain of 5 minutes, so the `period` for `monitor` metricset should be `300s` or multiples of `300s`.
+
+
+### `compute_vm` [_compute_vm]
+
+This metricset will collect metrics from the virtual machines, these metrics will have a timegrain every 5 minutes, so the `period` for `compute_vm` metricset  should be `300s` or multiples of `300s`.
+
+
+### `compute_vm_scaleset` [_compute_vm_scaleset]
+
+This metricset will collect metrics from the virtual machine scalesets, these metrics will have a timegrain every 5 minutes, so the `period` for `compute_vm_scaleset` metricset  should be `300s` or multiples of `300s`.
+
+
+### `storage` [_storage]
+
+This metricset will collect metrics from the storage accounts, these metrics will have a timegrain every 5 minutes, so the `period` for `storage` metricset  should be `300s` or multiples of `300s`.
+
+
+### `container_instance` [_container_instance]
+
+This metricset will collect metrics from specified container groups, these metrics will have a timegrain every 5 minutes, so the `period` for `container_instance` metricset  should be `300s` or multiples of `300s`.
+
+
+### `container_registry` [_container_registry]
+
+This metricset will collect metrics from the container registries, these metrics will have a timegrain every 5 minutes, so the `period` for `container_registry` metricset  should be `300s` or multiples of `300s`.
+
+
+### `container_service` [_container_service]
+
+This metricset will collect metrics from the container services, these metrics will have a timegrain every 5 minutes, so the `period` for `container_service` metricset  should be `300s` or multiples of `300s`.
+
+
+### `database_account` [_database_account]
+
+This metricset will collect relevant metrics from specified database accounts, these metrics will have a timegrain every 5 minutes, so the `period` for `database_account` metricset  should be `300s` or multiples of `300s`.
+
+
+### `billing` [_billing_2]
+
+This metricset will collect relevant usage data and forecast information from a specific subscription, these metrics will have a timegrain every 24 hours, so the `period` for `billing` metricset  should be `24h` or multiples of `24h`.
+
+
+### `app_insights` [_app_insights]
+
+This metricset will collect application insights metrics, the `period` (interval) for the `app-insights` metricset is set by default at `300s`.
+
+
+### `app_state` [_app_state]
+
+This metricset concentrate on the most relevant application insights metrics and provides a dashboard for visualization, the `period` (interval) for the `app_state` metricset is set by default at `300s`.
+
+
+## Additional notes about metrics and costs [azure-api-cost]
+
+Costs: Metric queries are charged based on the number of standard API calls. More information on pricing here [https://azure.microsoft.com/id-id/pricing/details/monitor/](https://azure.microsoft.com/id-id/pricing/details/monitor/).
+
+Authentication: we are handling authentication on our side (creating/renewing the authentication token), so we advise users to use dedicated credentials for metricbeat only.
+
+
+### Example configuration [_example_configuration_7]
+
+The Azure module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: azure
+  metricsets:
+  - monitor
+  enabled: true
+  period: 300s
+  client_id: '${AZURE_CLIENT_ID:""}'
+  client_secret: '${AZURE_CLIENT_SECRET:""}'
+  tenant_id: '${AZURE_TENANT_ID:""}'
+  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
+  resources:
+    - resource_query: "resourceType eq 'Microsoft.DocumentDb/databaseAccounts'"
+      metrics:
+      - name: ["DataUsage", "DocumentCount", "DocumentQuota"]
+        namespace: "Microsoft.DocumentDb/databaseAccounts"
+
+- module: azure
+  metricsets:
+  - compute_vm
+  enabled: true
+  period: 300s
+  client_id: '${AZURE_CLIENT_ID:""}'
+  client_secret: '${AZURE_CLIENT_SECRET:""}'
+  tenant_id: '${AZURE_TENANT_ID:""}'
+  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
+
+- module: azure
+  metricsets:
+  - compute_vm_scaleset
+  enabled: true
+  period: 300s
+  client_id: '${AZURE_CLIENT_ID:""}'
+  client_secret: '${AZURE_CLIENT_SECRET:""}'
+  tenant_id: '${AZURE_TENANT_ID:""}'
+  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
+
+- module: azure
+  metricsets:
+  - storage
+  enabled: true
+  period: 300s
+  client_id: '${AZURE_CLIENT_ID:""}'
+  client_secret: '${AZURE_CLIENT_SECRET:""}'
+  tenant_id: '${AZURE_TENANT_ID:""}'
+  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
+
+- module: azure
+  metricsets:
+  - container_instance
+  enabled: true
+  period: 300s
+  client_id: '${AZURE_CLIENT_ID:""}'
+  client_secret: '${AZURE_CLIENT_SECRET:""}'
+  tenant_id: '${AZURE_TENANT_ID:""}'
+  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
+
+- module: azure
+  metricsets:
+  - container_service
+  enabled: true
+  period: 300s
+  client_id: '${AZURE_CLIENT_ID:""}'
+  client_secret: '${AZURE_CLIENT_SECRET:""}'
+  tenant_id: '${AZURE_TENANT_ID:""}'
+  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
+
+- module: azure
+  metricsets:
+  - container_registry
+  enabled: true
+  period: 300s
+  client_id: '${AZURE_CLIENT_ID:""}'
+  client_secret: '${AZURE_CLIENT_SECRET:""}'
+  tenant_id: '${AZURE_TENANT_ID:""}'
+  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
+
+- module: azure
+  metricsets:
+  - database_account
+  enabled: true
+  period: 300s
+  client_id: '${AZURE_CLIENT_ID:""}'
+  client_secret: '${AZURE_CLIENT_SECRET:""}'
+  tenant_id: '${AZURE_TENANT_ID:""}'
+  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
+
+- module: azure
+  metricsets:
+    - billing
+  enabled: true
+  period: 24h
+  client_id: '${AZURE_CLIENT_ID:""}'
+  client_secret: '${AZURE_CLIENT_SECRET:""}'
+  tenant_id: '${AZURE_TENANT_ID:""}'
+  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
+
+- module: azure
+  metricsets:
+    - app_insights
+  enabled: true
+  period: 300s
+  application_id: ''
+  api_key: ''
+  metrics:
+    - id: ["requests/count", "requests/duration"]
+
+- module: azure
+  metricsets:
+    - app_state
+  enabled: true
+  period: 300s
+  application_id: ''
+  api_key: ''
+```
+
+
+### Metricsets [_metricsets_11]
+
+The following metricsets are available:
+
+* [app_insights](/reference/metricbeat/metricbeat-metricset-azure-app_insights.md)
+* [app_state](/reference/metricbeat/metricbeat-metricset-azure-app_state.md)
+* [billing](/reference/metricbeat/metricbeat-metricset-azure-billing.md)
+* [compute_vm](/reference/metricbeat/metricbeat-metricset-azure-compute_vm.md)
+* [compute_vm_scaleset](/reference/metricbeat/metricbeat-metricset-azure-compute_vm_scaleset.md)
+* [container_instance](/reference/metricbeat/metricbeat-metricset-azure-container_instance.md)
+* [container_registry](/reference/metricbeat/metricbeat-metricset-azure-container_registry.md)
+* [container_service](/reference/metricbeat/metricbeat-metricset-azure-container_service.md)
+* [database_account](/reference/metricbeat/metricbeat-metricset-azure-database_account.md)
+* [monitor](/reference/metricbeat/metricbeat-metricset-azure-monitor.md)
+* [storage](/reference/metricbeat/metricbeat-metricset-azure-storage.md)
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-beat.md b/docs/reference/metricbeat/metricbeat-module-beat.md
new file mode 100644
index 000000000000..8d29e039f4dd
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-beat.md
@@ -0,0 +1,56 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-beat.html
+---
+
+# Beat module [metricbeat-module-beat]
+
+The `beat` module collects metrics about any Beat or other software based on libbeat.
+
+
+## Compatibility [_compatibility_8]
+
+The `beat` module works with {{beats}} 7.3.0 and later.
+
+
+## Usage for {{stack}} Monitoring [_usage_for_stack_monitoring]
+
+The `beat` module can be used to collect metrics shown in our {{stack-monitor-app}} UI in {{kib}}. To enable this usage, set `xpack.enabled: true` and remove any `metricsets` from the module’s configuration. Alternatively, run `metricbeat modules disable beat` and `metricbeat modules enable beat-xpack`.
+
+::::{note}
+When this module is used for {{stack}} Monitoring, it sends metrics to the monitoring index instead of the default index typically used by {{metricbeat}}. For more details about the monitoring index, see [Configuring indices for monitoring](docs-content://deploy-manage/monitor/monitoring-data/configuring-data-streamsindices-for-monitoring.md).
+::::
+
+
+
+## Example configuration [_example_configuration_8]
+
+The Beat module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: beat
+  metricsets:
+    - stats
+    - state
+  period: 10s
+  hosts: ["http://localhost:5066"]
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Set to true to send data collected by module to X-Pack
+  # Monitoring instead of metricbeat-* indices.
+  #xpack.enabled: false
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_12]
+
+The following metricsets are available:
+
+* [state](/reference/metricbeat/metricbeat-metricset-beat-state.md)
+* [stats](/reference/metricbeat/metricbeat-metricset-beat-stats.md)
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-benchmark.md b/docs/reference/metricbeat/metricbeat-module-benchmark.md
new file mode 100644
index 000000000000..2be9190afad4
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-benchmark.md
@@ -0,0 +1,72 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/master/metricbeat-module-benchmark.html
+---
+
+# Benchmark module [metricbeat-module-benchmark]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/index.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://manage-data/ingest/tools.md).
+
+::::
+
+
+:::::
+
+
+The `benchmark` module is used to generate synthetic metrics at a predictable rate.  This can be useful when you want to test output settings or test system sizing without using real data.
+
+The `benchmark` module metricset is `info`.
+
+```yaml
+- module: benchmark
+  metricsets:
+    - info
+  enabled: true
+  period: 10s
+```
+
+
+## Metricsets [_metricsets_13]
+
+
+### `info` [_info_2]
+
+A metric that includes a `counter` field which is used to keep the metric unique.
+
+
+### Module-specific configuration notes [_module_specific_configuration_notes_3]
+
+`count`
+:   number, the number of metrics to emit per fetch.
+
+
+### Example configuration [_example_configuration_9]
+
+The Benchmark module supports the standard configuration options that are described in [Modules](configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: benchmark
+  metricsets:
+    - info
+  enabled: false
+  period: 10s
+```
+
+
+### Metricsets [_metricsets_14]
+
+The following metricsets are available:
+
+* [info](metricbeat-metricset-benchmark-info.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-ceph.md b/docs/reference/metricbeat/metricbeat-module-ceph.md
new file mode 100644
index 000000000000..daeadbf0411e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-ceph.md
@@ -0,0 +1,89 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-ceph.html
+---
+
+# Ceph module [metricbeat-module-ceph]
+
+The Ceph module collects metrics by submitting HTTP GET requests to the [ceph-rest-api](https://docs.ceph.com/docs/jewel/man/8/ceph-rest-api/). The default metricsets are `cluster_disk`, `cluster_health`, `monitor_health`, `pool_disk`, `osd_tree`.
+
+Metricsets connecting to the Ceph REST API uses by default the service exposed on port 5000. Metricsets using the Ceph Manager Daemon communicate with the API exposed by default on port 8003 (SSL encryption).
+
+
+## Compatibility [_compatibility_9]
+
+The Ceph module is tested with Ceph Jewel (10.2.10) and Ceph Nautilus (14.2.7).
+
+Metricsets with the `mgr_` prefix are compatible with Ceph releases using the Ceph Manager Daemon.
+
+
+## Dashboard [_dashboard_20]
+
+The Ceph module comes with a predefined dashboard showing Ceph cluster related metrics. For example:
+
+:::{image} images/ceph-overview-dashboard.png
+:alt: ceph overview dashboard
+:::
+
+
+## Example configuration [_example_configuration_10]
+
+The Ceph module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+# Metricsets depending on the Ceph REST API (default port: 5000)
+- module: ceph
+  metricsets: ["cluster_disk", "cluster_health", "monitor_health", "pool_disk", "osd_tree"]
+  period: 10s
+  hosts: ["localhost:5000"]
+  enabled: true
+
+# Metricsets depending on the Ceph Manager Daemon (default port: 8003)
+- module: ceph
+  metricsets:
+    - mgr_cluster_disk
+    - mgr_osd_perf
+    - mgr_pool_disk
+    - mgr_osd_pool_stats
+    - mgr_osd_tree
+  period: 1m
+  hosts: [ "https://localhost:8003" ]
+  #username: "user"
+  #password: "secret"
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_15]
+
+The following metricsets are available:
+
+* [cluster_disk](/reference/metricbeat/metricbeat-metricset-ceph-cluster_disk.md)
+* [cluster_health](/reference/metricbeat/metricbeat-metricset-ceph-cluster_health.md)
+* [cluster_status](/reference/metricbeat/metricbeat-metricset-ceph-cluster_status.md)
+* [mgr_cluster_disk](/reference/metricbeat/metricbeat-metricset-ceph-mgr_cluster_disk.md)
+* [mgr_cluster_health](/reference/metricbeat/metricbeat-metricset-ceph-mgr_cluster_health.md)
+* [mgr_osd_perf](/reference/metricbeat/metricbeat-metricset-ceph-mgr_osd_perf.md)
+* [mgr_osd_pool_stats](/reference/metricbeat/metricbeat-metricset-ceph-mgr_osd_pool_stats.md)
+* [mgr_osd_tree](/reference/metricbeat/metricbeat-metricset-ceph-mgr_osd_tree.md)
+* [mgr_pool_disk](/reference/metricbeat/metricbeat-metricset-ceph-mgr_pool_disk.md)
+* [monitor_health](/reference/metricbeat/metricbeat-metricset-ceph-monitor_health.md)
+* [osd_df](/reference/metricbeat/metricbeat-metricset-ceph-osd_df.md)
+* [osd_tree](/reference/metricbeat/metricbeat-metricset-ceph-osd_tree.md)
+* [pool_disk](/reference/metricbeat/metricbeat-metricset-ceph-pool_disk.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-cloudfoundry.md b/docs/reference/metricbeat/metricbeat-module-cloudfoundry.md
new file mode 100644
index 000000000000..0ebb5b37283d
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-cloudfoundry.md
@@ -0,0 +1,162 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-cloudfoundry.html
+---
+
+# Cloudfoundry module [metricbeat-module-cloudfoundry]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the cloudfoundry module.
+
+The Cloud Foundry module connects to Cloud Foundry loggregator to gather container, counter, and value metrics into a common data platform where it can be used for analysis, visualization, and alerting.
+
+The cloudfoundry module metrics are numerical values that describe some aspect of a system at a particular point in time. They are collected when pushed from the loggregator and are identified with a timestamp, a name, a value, and one or more defining labels.
+
+The cloudfoundry module mericsets are `container`, `counter` and `value`.
+
+
+### Dashboards [_dashboards_2]
+
+The Cloud Foundry module includes some dashboards.
+
+The overview dashboard can be used to visualize the current status of your Cloud Foundry deployments.
+
+:::{image} images/metricbeat-cloudfoundry-overview.png
+:alt: metricbeat cloudfoundry overview
+:::
+
+The platform health dashboard includes visualizations that help diagnosting issues related to the applications deployed in Cloud Foundry.
+
+:::{image} images/metricbeat-cloudfoundry-platform-health.png
+:alt: metricbeat cloudfoundry platform health
+:::
+
+
+### Module-specific configuration notes [_module_specific_configuration_notes_4]
+
+All metrics come from the Cloud Foundry loggregator API. The loggregator API authenticates through the Cloud Foundry UAA API. This requires that a new client be added to UAA with the correct permissions. This can be done using the `uaac` client.
+
+```bash
+$ export CLOUDFOUNDRY_CLIENT_ID=metricbeat
+$ export CLOUDFOUNDRY_CLIENT_SECRET=yoursecret
+$ uaac client add $CLOUDFOUNDRY_CLIENT_ID --name $CLOUDFOUNDRY_CLIENT_ID --secret $CLOUDFOUNDRY_CLIENT_SECRET --authorized_grant_types client_credentials,refresh_token --authorities doppler.firehose,cloud_controller.admin_read_only
+```
+
+Then configuration of the module needs to contain the created `client_id` and `client_secret`.
+
+```yaml
+- module: cloudfoundry
+  api_address: https://api.dev.cfdev.sh
+  client_id: "${CLOUDFOUNDRY_CLIENT_ID}"
+  client_secret: "${CLOUDFOUNDRY_CLIENT_SECRET}"
+  ssl:
+      verification_mode: none
+```
+
+
+## Metricsets [_metricsets_16]
+
+
+### `container` [_container]
+
+The container metricset of Cloud Foundry module allows you to collect container metrics that the loggregator sends to metricbeat.
+
+
+### `counter` [_counter]
+
+The counter metricset of Cloud Foundry module allows you to collect counter metrics that the loggregator sends to metricbeat.
+
+
+### `value` [_value]
+
+The value metricset of Cloud Foundry module allows you to collect value metrics that the loggregator sends to metricbeat.
+
+
+## Configuration options [_configuration_options_18]
+
+The `cloudfoundry` input supports the following configuration options.
+
+
+### `api_address` [_api_address]
+
+The URL of the Cloud Foundry API. Optional. Default: "http://api.bosh-lite.com".
+
+
+### `doppler_address` [_doppler_address]
+
+The URL of the Cloud Foundry Doppler Websocket. Optional. Default: "(value from ${api_address}/v2/info)".
+
+
+### `uaa_address` [_uaa_address]
+
+The URL of the Cloud Foundry UAA API. Optional. Default: "(value from ${api_address}/v2/info)".
+
+
+### `rlp_address` [_rlp_address]
+
+The URL of the Cloud Foundry RLP Gateway. Optional. Default: "(`log-stream` subdomain under the same domain as `api_server`)".
+
+
+### `client_id` [_client_id_2]
+
+Client ID to authenticate with Cloud Foundry. Default: "".
+
+
+### `client_secret` [_client_secret]
+
+Client Secret to authenticate with Cloud Foundry. Default: "".
+
+
+### `shard_id` [_shard_id]
+
+Shard ID for connection to the RLP Gateway. Use the same ID across multiple metricbeat to shard the load of events from the RLP Gateway.
+
+
+#### `version` [_version_2]
+
+Consumer API version to connect with Cloud Foundry to collect events. Use `v1` to collect events using Doppler/Traffic Control. Use `v2` to collect events from the RLP Gateway. Default: "`v1`".
+
+
+### `ssl` [_ssl_6]
+
+This specifies SSL/TLS common config. Default: not used.
+
+
+### Example configuration [_example_configuration_11]
+
+The Cloudfoundry module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: cloudfoundry
+  metricsets:
+    - container
+    - counter
+    - value
+  enabled: true
+  api_address: '${CLOUDFOUNDRY_API_ADDRESS:""}'
+  doppler_address: '${CLOUDFOUNDRY_DOPPLER_ADDRESS:""}'
+  uaa_address: '${CLOUDFOUNDRY_UAA_ADDRESS:""}'
+  rlp_address: '${CLOUDFOUNDRY_RLP_ADDRESS:""}'
+  client_id: '${CLOUDFOUNDRY_CLIENT_ID:""}'
+  client_secret: '${CLOUDFOUNDRY_CLIENT_SECRET:""}'
+  shard_id: metricbeat
+  version: v1
+```
+
+
+### Metricsets [_metricsets_17]
+
+The following metricsets are available:
+
+* [container](/reference/metricbeat/metricbeat-metricset-cloudfoundry-container.md)
+* [counter](/reference/metricbeat/metricbeat-metricset-cloudfoundry-counter.md)
+* [value](/reference/metricbeat/metricbeat-metricset-cloudfoundry-value.md)
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-cockroachdb.md b/docs/reference/metricbeat/metricbeat-module-cockroachdb.md
new file mode 100644
index 000000000000..b2d01f13c9c7
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-cockroachdb.md
@@ -0,0 +1,62 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-cockroachdb.html
+---
+
+# CockroachDB module [metricbeat-module-cockroachdb]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/cockroachdb.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module periodically fetches metrics from CockroachDB.
+
+
+## Compatibility [_compatibility_10]
+
+The CockroachDB `status` metricset is compatible with any CockroachDB version exposing metrics in Prometheus format.
+
+
+## Dashboard [_dashboard_21]
+
+The CockroachDB module includes a predefined dashboard with overview information of the monitored servers.
+
+:::{image} images/metricbeat-cockroachdb-overview.png
+:alt: metricbeat cockroachdb overview
+:::
+
+
+## Example configuration [_example_configuration_12]
+
+The CockroachDB module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: cockroachdb
+  metricsets: ['status']
+  period: 10s
+  hosts: ['localhost:8080']
+
+  # This module uses the Prometheus collector metricset, all
+  # the options for this metricset are also available here.
+  #metrics_path: /_status/vars
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_18]
+
+The following metricsets are available:
+
+* [status](/reference/metricbeat/metricbeat-metricset-cockroachdb-status.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-consul.md b/docs/reference/metricbeat/metricbeat-module-consul.md
new file mode 100644
index 000000000000..f12c0194f369
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-consul.md
@@ -0,0 +1,53 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-consul.html
+---
+
+# Consul module [metricbeat-module-consul]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the [Hashicorp’s Consul](https://www.consul.io) Metricbeat module. It is still in beta and under active development to add new Metricsets and introduce enhancements.
+
+
+## Compatibility [_compatibility_11]
+
+The module is being tested with 1.4.2 and 1.9.3 versions of Consul.
+
+
+## Dashboard [_dashboard_22]
+
+The Consul module comes with a predefined dashboard:
+
+:::{image} images/metricbeat-consul.png
+:alt: metricbeat consul
+:::
+
+
+## Example configuration [_example_configuration_13]
+
+The Consul module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: consul
+  metricsets:
+  - agent
+  enabled: true
+  period: 10s
+  hosts: ["localhost:8500"]
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_19]
+
+The following metricsets are available:
+
+* [agent](/reference/metricbeat/metricbeat-metricset-consul-agent.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-containerd.md b/docs/reference/metricbeat/metricbeat-module-containerd.md
new file mode 100644
index 000000000000..8d7f428fb803
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-containerd.md
@@ -0,0 +1,84 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-containerd.html
+---
+
+# Containerd module [metricbeat-module-containerd]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/containerd.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+Containerd module collects cpu, memory and blkio statistics about running containers controlled by containerd runtime.
+
+The current metricsets are: `cpu`, `blkio` and `memory` and are enabled by default.
+
+
+## Prerequisites [_prerequisites]
+
+`Containerd` daemon has to be configured to provide metrics before enabling containerd module.
+
+In the configuration file located in `/etc/containerd/config.toml` metrics endpoint needs to be set and containerd daemon needs to be restarted.
+
+```
+[metrics]
+    address = "127.0.0.1:1338"
+```
+
+
+## Compatibility [_compatibility_12]
+
+The Containerd module is tested with the following versions of Containerd: v1.5.2
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes_5]
+
+For cpu metricset if `calcpct.cpu` setting is set to true, cpu usage percentages will be calculated and more specifically fields `containerd.cpu.usage.total.pct`, `containerd.cpu.usage.kernel.pct`, `containerd.cpu.usage.user.pct`. Default value is true.
+
+For memory metricset if `calcpct.memory` setting is set to true, memory usage percentages will be calculated and more specifically fields `containerd.memory.usage.pct` and  `containerd.memory.workingset.pct`. Default value is true.
+
+
+## Example configuration [_example_configuration_14]
+
+The Containerd module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: containerd
+  metricsets: ["cpu", "memory", "blkio"]
+  period: 10s
+  # containerd metrics endpoint is configured in /etc/containerd/config.toml
+  # Metrics endpoint does not listen by default
+  # https://github.com/containerd/containerd/blob/main/docs/man/containerd-config.toml.5.md
+  hosts: ["localhost:1338"]
+  # if set to true, cpu and memory usage percentages will be calculated. Default is true
+  calcpct.cpu: true
+  calcpct.memory: true
+  #metrics_path: "v1/metrics"
+```
+
+
+## Metricsets [_metricsets_20]
+
+The following metricsets are available:
+
+* [blkio](/reference/metricbeat/metricbeat-metricset-containerd-blkio.md)
+* [cpu](/reference/metricbeat/metricbeat-metricset-containerd-cpu.md)
+* [memory](/reference/metricbeat/metricbeat-metricset-containerd-memory.md)
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-coredns.md b/docs/reference/metricbeat/metricbeat-module-coredns.md
new file mode 100644
index 000000000000..868bfa3738f8
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-coredns.md
@@ -0,0 +1,46 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-coredns.html
+---
+
+# Coredns module [metricbeat-module-coredns]
+
+This is the CoreDNS module. The CoreDNS module collects metrics from the CoreDNS [prometheus exporter endpoint](https://github.com/coredns/coredns/tree/master/plugin/metrics).
+
+The default metricset is `stats`.
+
+
+## Compatibility [_compatibility_13]
+
+The CoreDNS module is tested with CoreDNS 1.5.0
+
+
+## Dashboard [_dashboard_23]
+
+The CoreDNS module comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat_coredns_dashboard.png
+:alt: metricbeat coredns dashboard
+:::
+
+
+## Example configuration [_example_configuration_15]
+
+The Coredns module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: coredns
+  metricsets: ["stats"]
+  period: 10s
+  hosts: ["localhost:9153"]
+```
+
+
+## Metricsets [_metricsets_21]
+
+The following metricsets are available:
+
+* [stats](/reference/metricbeat/metricbeat-metricset-coredns-stats.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-couchbase.md b/docs/reference/metricbeat/metricbeat-module-couchbase.md
new file mode 100644
index 000000000000..bc9fd8b4ad48
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-couchbase.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-couchbase.html
+---
+
+# Couchbase module [metricbeat-module-couchbase]
+
+This module periodically fetches metrics from [Couchbase](https://www.couchbase.com/) servers. The default metricsets are `bucket`, `cluster`, `node`.
+
+
+## Compatibility [_compatibility_14]
+
+The Couchbase module is tested with Couchbase 6.5.1.
+
+
+## Dashboard [_dashboard_24]
+
+The Couchbase module comes with a predefined dashboard for Couchbase cluster, node, bucket specific stats. For example:
+
+:::{image} images/metricbeat-couchbase-overview.png
+:alt: metricbeat couchbase overview
+:::
+
+
+## Example configuration [_example_configuration_16]
+
+The Couchbase module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: couchbase
+  metricsets: ["bucket", "cluster", "node"]
+  period: 10s
+  hosts: ["localhost:8091"]
+  enabled: true
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_22]
+
+The following metricsets are available:
+
+* [bucket](/reference/metricbeat/metricbeat-metricset-couchbase-bucket.md)
+* [cluster](/reference/metricbeat/metricbeat-metricset-couchbase-cluster.md)
+* [node](/reference/metricbeat/metricbeat-metricset-couchbase-node.md)
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-couchdb.md b/docs/reference/metricbeat/metricbeat-module-couchdb.md
new file mode 100644
index 000000000000..e8bebe24ec71
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-couchdb.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-couchdb.html
+---
+
+# CouchDB module [metricbeat-module-couchdb]
+
+This is the couchdb module.
+
+The default metricset is `server`.
+
+
+## Compatibility [_compatibility_15]
+
+The Couchdb module is tested in CI with Couchdb 1.7 and 2.3. Because of the differences between v1 and v2 for exposing metrics, the path to request metrics for each version is different:
+
+* v1.* uses `[host]:5984/_stats` so the hosts of your config should just be `[host]:5984`
+* v2.* exposes metrics in various places. Local in `[host]:5986/_stats` and cluster wide in `[host]:5984/_node/[node-name]/_stats` or `[host]:5984/_node/_local/_stats`. Recommended config is `[host]:5986` to use the local path (double check that you are using port `5986`) or to use the full path on `5984`  `[host]:5984/_node/[node name or _local]/_stats`
+
+
+## Dashboard [_dashboard_25]
+
+The CouchDB module comes with a predefined dashboard for CouchDB database specific stats. For example:
+
+:::{image} images/metricbeat-couchdb-overview.png
+:alt: metricbeat couchdb overview
+:::
+
+
+## Example configuration [_example_configuration_17]
+
+The CouchDB module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: couchdb
+  metricsets: ["server"]
+  period: 10s
+  hosts: ["localhost:5984"]
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_23]
+
+The following metricsets are available:
+
+* [server](/reference/metricbeat/metricbeat-metricset-couchdb-server.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-docker.md b/docs/reference/metricbeat/metricbeat-module-docker.md
new file mode 100644
index 000000000000..9248d2d58494
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-docker.md
@@ -0,0 +1,106 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-docker.html
+---
+
+# Docker module [metricbeat-module-docker]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/docker.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module fetches metrics from [Docker](https://www.docker.com/) containers. The default metricsets are: `container`, `cpu`, `diskio`, `healthcheck`, `info`, `memory` and `network`. The `image` metricset is not enabled by default.
+
+
+## Compatibility [_compatibility_16]
+
+The Docker module is currently tested on Linux and Mac with the community edition engine, versions 1.11 and 17.09.0-ce. It is not tested on Windows, but it should also work there.
+
+The Docker module supports collection of metrics from Podman’s Docker-compatible API. It has been tested on Linux and Mac with Podman Rest API v2.0.0 and above.
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes_6]
+
+It is strongly recommended that you run Docker metricsets with a [`period`](/reference/metricbeat/configuration-metricbeat.md#metricset-period) that is 3 seconds or longer. The request to the Docker API already takes up to 2 seconds. Specifying less than 3 seconds will result in requests that timeout, and no data will be reported for those requests. In the case of Podman, the configuration parameter `podman` should be set to `true`. This enables streaming of container stats output, which allows for more accurate CPU percentage calculations when using Podman.
+
+
+## Example configuration [_example_configuration_18]
+
+The Docker module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: docker
+  metricsets:
+    - "container"
+    - "cpu"
+    - "diskio"
+    - "event"
+    - "healthcheck"
+    - "info"
+    #- "image"
+    - "memory"
+    - "network"
+    #- "network_summary"
+  hosts: ["unix:///var/run/docker.sock"]
+  period: 10s
+  enabled: true
+
+  # If set to true, replace dots in labels with `_`.
+  #labels.dedot: false
+
+  # Docker module supports metrics collection from podman's docker compatible API. In case of podman set to true.
+  # podman: false
+
+  # Skip metrics for certain device major numbers in docker/diskio.
+  # Necessary on systems with software RAID, device mappers,
+  # or other configurations where virtual disks will sum metrics from other disks.
+  # By default, it will skip devices with major numbers 9 or 253.
+  #skip_major: []
+
+  # If set to true, collects metrics per core.
+  #cpu.cores: true
+
+  # To connect to Docker over TLS you must specify a client and CA certificate.
+  #ssl:
+    #certificate_authority: "/etc/pki/root/ca.pem"
+    #certificate:           "/etc/pki/client/cert.pem"
+    #key:                   "/etc/pki/client/cert.key"
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md).
+
+
+## Metricsets [_metricsets_24]
+
+The following metricsets are available:
+
+* [container](/reference/metricbeat/metricbeat-metricset-docker-container.md)
+* [cpu](/reference/metricbeat/metricbeat-metricset-docker-cpu.md)
+* [diskio](/reference/metricbeat/metricbeat-metricset-docker-diskio.md)
+* [event](/reference/metricbeat/metricbeat-metricset-docker-event.md)
+* [healthcheck](/reference/metricbeat/metricbeat-metricset-docker-healthcheck.md)
+* [image](/reference/metricbeat/metricbeat-metricset-docker-image.md)
+* [info](/reference/metricbeat/metricbeat-metricset-docker-info.md)
+* [memory](/reference/metricbeat/metricbeat-metricset-docker-memory.md)
+* [network](/reference/metricbeat/metricbeat-metricset-docker-network.md)
+* [network_summary](/reference/metricbeat/metricbeat-metricset-docker-network_summary.md)
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-dropwizard.md b/docs/reference/metricbeat/metricbeat-module-dropwizard.md
new file mode 100644
index 000000000000..c742c66a15ee
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-dropwizard.md
@@ -0,0 +1,40 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-dropwizard.html
+---
+
+# Dropwizard module [metricbeat-module-dropwizard]
+
+This is the [Dropwizard](http://dropwizard.io) module. The default metricset is `collector`.
+
+
+## Compatibility [_compatibility_17]
+
+The Dropwizard module is tested with dropwizard metrics 3.2.6, 4.0.0 and 4.1.2.
+
+
+## Example configuration [_example_configuration_19]
+
+The Dropwizard module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: dropwizard
+  metricsets: ["collector"]
+  period: 10s
+  hosts: ["localhost:8080"]
+  metrics_path: /metrics/metrics
+  namespace: example
+  enabled: true
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_25]
+
+The following metricsets are available:
+
+* [collector](/reference/metricbeat/metricbeat-metricset-dropwizard-collector.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-elasticsearch.md b/docs/reference/metricbeat/metricbeat-module-elasticsearch.md
new file mode 100644
index 000000000000..4f5d19160cb7
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-elasticsearch.md
@@ -0,0 +1,117 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-elasticsearch.html
+---
+
+# Elasticsearch module [metricbeat-module-elasticsearch]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/elasticsearch.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `elasticsearch` module collects metrics about {{es}}.
+
+
+## Compatibility [_compatibility_18]
+
+The `elasticsearch` module works with {{es}} 6.7.0 and later.
+
+
+## Usage for {{stack}} Monitoring [_usage_for_stack_monitoring_2]
+
+The `elasticsearch` module can be used to collect metrics shown in our {{stack-monitor-app}} UI in {{kib}}. To enable this usage, set `xpack.enabled: true` and remove any `metricsets` from the module’s configuration. Alternatively, run `metricbeat modules disable elasticsearch` and `metricbeat modules enable elasticsearch-xpack`.
+
+When xpack mode is enabled, all the legacy metricsets are automatically enabled by default. This means that you do not need to manually enable them, and there will be no conflicts or issues because Metricbeat merges the user-defined metricsets with the ones that xpack mode forces to enable. As a result, you can seamlessly collect comprehensive metrics without worrying about dataset overlap or duplication.
+
+```yaml
+metricbeat.modules:
+- module: elasticsearch
+  xpack.enabled: true
+  metricsets:
+    - ingest_pipeline
+  period: 10s
+```
+
+::::{note}
+When this module is used for {{stack}} Monitoring, it sends metrics to the monitoring index instead of the default index typically used by {{metricbeat}}. For more details about the monitoring index, see [Configuring indices for monitoring](docs-content://deploy-manage/monitor/monitoring-data/configuring-data-streamsindices-for-monitoring.md).
+::::
+
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes_7]
+
+Like other Metricbeat modules, the `elasticsearch` module accepts a `hosts` configuration setting. This setting can contain a list of entries. The related `scope` setting determines how each entry in the `hosts` list is interpreted by the module.
+
+* If `scope` is set to `node` (default), each entry in the `hosts` list indicates a distinct node in an {{es}} cluster.
+* If `scope` is set to `cluster`, each entry in the `hosts` list indicates a single endpoint for a distinct {{es}} cluster (for example, a load-balancing proxy fronting the cluster).
+
+
+## Example configuration [_example_configuration_20]
+
+The Elasticsearch module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: elasticsearch
+  metricsets:
+    - node
+    - node_stats
+    #- index
+    #- index_recovery
+    #- index_summary
+    #- ingest_pipeline
+    #- shard
+    #- ml_job
+  period: 10s
+  hosts: ["http://localhost:9200"]
+  #username: "elastic"
+  #password: "changeme"
+  #api_key: "foo:bar"
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  #index_recovery.active_only: true
+  #ingest_pipeline.processor_sample_rate: 0.25
+  #xpack.enabled: false
+  #scope: node
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_26]
+
+The following metricsets are available:
+
+* [ccr](/reference/metricbeat/metricbeat-metricset-elasticsearch-ccr.md)
+* [cluster_stats](/reference/metricbeat/metricbeat-metricset-elasticsearch-cluster_stats.md)
+* [enrich](/reference/metricbeat/metricbeat-metricset-elasticsearch-enrich.md)
+* [index](/reference/metricbeat/metricbeat-metricset-elasticsearch-index.md)
+* [index_recovery](/reference/metricbeat/metricbeat-metricset-elasticsearch-index_recovery.md)
+* [index_summary](/reference/metricbeat/metricbeat-metricset-elasticsearch-index_summary.md)
+* [ingest_pipeline](/reference/metricbeat/metricbeat-metricset-elasticsearch-ingest_pipeline.md)
+* [ml_job](/reference/metricbeat/metricbeat-metricset-elasticsearch-ml_job.md)
+* [node](/reference/metricbeat/metricbeat-metricset-elasticsearch-node.md)
+* [node_stats](/reference/metricbeat/metricbeat-metricset-elasticsearch-node_stats.md)
+* [pending_tasks](/reference/metricbeat/metricbeat-metricset-elasticsearch-pending_tasks.md)
+* [shard](/reference/metricbeat/metricbeat-metricset-elasticsearch-shard.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-envoyproxy.md b/docs/reference/metricbeat/metricbeat-module-envoyproxy.md
new file mode 100644
index 000000000000..2078ff05b5e0
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-envoyproxy.md
@@ -0,0 +1,39 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-envoyproxy.html
+---
+
+# Envoyproxy module [metricbeat-module-envoyproxy]
+
+This is the envoyproxy module.
+
+The default metricset is `server`.
+
+
+## Compatibility [_compatibility_20]
+
+The envoyproxy module is tested with Envoy 1.7.0 and 1.12.0.
+
+
+## Example configuration [_example_configuration_22]
+
+The Envoyproxy module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: envoyproxy
+  metricsets: ["server"]
+  period: 10s
+  hosts: ["localhost:9901"]
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_28]
+
+The following metricsets are available:
+
+* [server](/reference/metricbeat/metricbeat-metricset-envoyproxy-server.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-etcd.md b/docs/reference/metricbeat/metricbeat-module-etcd.md
new file mode 100644
index 000000000000..c543fe2b68b7
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-etcd.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-etcd.html
+---
+
+# Etcd module [metricbeat-module-etcd]
+
+This module targets Etcd V2 and V3.
+
+When using V2, metrics are collected using [Etcd v2 API](https://coreos.com/etcd/docs/latest/v2/api.md). When using V3, metrics are retrieved from the `/metrics` endpoint as intended for [Etcd v3](https://coreos.com/etcd/docs/latest/metrics.md)
+
+When using V3, metricsest are bundled into `metrics` When using V2, metricsets available are `leader`, `self` and `store`.
+
+
+## Compatibility [_compatibility_21]
+
+The etcd module is tested with etcd 3.2 and 3.3.
+
+
+## Example configuration [_example_configuration_23]
+
+The Etcd module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: etcd
+  metricsets: ["leader", "self", "store"]
+  period: 10s
+  hosts: ["localhost:2379"]
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_29]
+
+The following metricsets are available:
+
+* [leader](/reference/metricbeat/metricbeat-metricset-etcd-leader.md)
+* [metrics](/reference/metricbeat/metricbeat-metricset-etcd-metrics.md)
+* [self](/reference/metricbeat/metricbeat-metricset-etcd-self.md)
+* [store](/reference/metricbeat/metricbeat-metricset-etcd-store.md)
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-gcp.md b/docs/reference/metricbeat/metricbeat-module-gcp.md
new file mode 100644
index 000000000000..3d8910d0ba07
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-gcp.md
@@ -0,0 +1,384 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-gcp.html
+---
+
+# Google Cloud Platform module [metricbeat-module-gcp]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/gcp.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module periodically fetches monitoring metrics from Google Cloud Platform using [Stackdriver Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp) for Google Cloud Platform services.
+
+::::{important}
+Extra GCP charges on Stackdriver Monitoring API requests may be generated by this module. Please see [rough estimation of the number of API calls](#gcp-api-requests) for more details.
+::::
+
+
+
+## Module config and parameters [_module_config_and_parameters]
+
+This is a list of the possible module parameters you can tune:
+
+* **zone**: A single string with the zone you want to monitor like `us-central1-a`. Or you can specific a partial zone name like `us-central1-` or `us-central1-*`, which will monitor all zones start with `us-central1-`: `us-central1-a`, `us-central1-b`, `us-central1-c` and `us-central1-f`. Please see [GCP zones](https://cloud.google.com/compute/docs/regions-zones#available) for zones that are available in GCP.
+* **region**: A single string with the region you want to monitor like `us-central1`. This will enable monitoring for all zones under this region. Or you can specific a partial region name like `us-east` or `us-east*`, which will monitor all regions start with `us-east`: `us-east1` and `us-east4`. If both region and zone are configured, only region will be used. Please see [GCP regions](https://cloud.google.com/compute/docs/regions-zones#available) for regions that are available in GCP. If both `region` and `zone` are not specified, metrics will be collected from all regions/zones.
+* **project_id**: A single string with your GCP Project ID
+* **credentials_file_path**: A single string pointing to the JSON file path reachable by Metricbeat that you have created using IAM.
+* **exclude_labels**: (`true`/`false` default `false`) Do not extract extra labels and metadata information from metricsets and fetch metrics only. At the moment, **labels and metadata extraction is only supported** in `compute` metricset.
+* **period**: A single time duration specified for this module collection frequency.
+* **endpoint**: A custom endpoint to use for the GCP API calls. If not specified, the default endpoint will be used.
+
+
+## Example configuration [_example_configuration_24]
+
+* `compute` metricset is enabled to collect metrics from `us-central1-a` zone in `elastic-observability` project.
+
+    ```yaml
+    - module: gcp
+      metricsets:
+        - compute
+      zone: "us-central1-a"
+      project_id: "elastic-observability"
+      credentials_file_path: "your JSON credentials file path"
+      exclude_labels: false
+      period: 60s
+    ```
+
+* `compute` and `pubsub` metricsets are enabled to collect metrics from all zones under `us-central1` region in `elastic-observability` project.
+
+    ```yaml
+    - module: gcp
+      metricsets:
+        - compute
+        - pubsub
+      region: "us-central1"
+      project_id: "elastic-observability"
+      credentials_file_path: "your JSON credentials file path"
+      exclude_labels: false
+      period: 60s
+    ```
+
+* `compute` metricset is enabled to collect metrics from all regions starts with `us-west` in `elastic-observability` project, which includes all zones under `us-west1`, `us-west2`, `us-west3` and `us-west4`.
+
+    ```yaml
+    - module: gcp
+      metricsets:
+        - compute
+        - pubsub
+      region: "us-west"
+      project_id: "elastic-observability"
+      credentials_file_path: "your JSON credentials file path"
+      exclude_labels: false
+      period: 60s
+    ```
+
+
+
+## Authentication, authorization and permissions. [_authentication_authorization_and_permissions]
+
+Authentication and authorization in Google Cloud Platform can be achieved in many ways. For the current version of the Google Cloud Platform module for Metricbeat, the only supported method is using Service Account JSON files. A typical JSON with a private key looks like this:
+
+
+### Example Credentials [_example_credentials]
+
+```json
+{
+  "type": "service_account",
+  "project_id": "your-project-id",
+  "private_key_id": "a_private_key_id",
+  "private_key": "-----BEGIN PRIVATE KEY-----your private key\n-----END PRIVATE KEY-----\n",
+  "client_email": "some-email@your-project-id.iam.gserviceaccount.com",
+  "client_id": "123456",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/metricbeat-testing%40your-project-id.iam.gserviceaccount.com"
+}
+```
+
+Generally, you have to create a Service Account and assign it the following roles or the permissions described on each role (applies to all metricsets):
+
+* `Monitoring Viewer`:
+
+    * `monitoring.metricDescriptors.list`
+    * `monitoring.timeSeries.list`
+
+* `Compute Viewer`:
+
+    * `compute.instances.get`
+    * `compute.instances.list`
+
+* `Browser`:
+
+    * `resourcemanager.projects.get`
+    * `resourcemanager.organizations.get`
+
+
+You can play in IAM pretty much with your service accounts and Instance level access to your resources (for example, allowing that everything running in an Instance is authorized to use the Compute API). The module uses Google Cloud Platform libraries for authentication so many possibilities are open but the Module is only supported by using the method mentioned above.
+
+
+## Google Cloud Platform module: Under the hood [_google_cloud_platform_module_under_the_hood]
+
+Google Cloud Platform offers the [Stackdriver Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp) to fetch metrics from its services. **Those metrics are retrieved one by one**.
+
+If you also want to **extract service labels** (by setting `exclude_labels` to false, which is the default state). You also make a new API check on the corresponding service. Service labels requires a new API call to extract those metrics. In the worst case the number of API calls will be doubled. In the best case, all metrics come from the same GCP entity and 100% of the required information is included in the first API call (which is cached for subsequent calls).
+
+We have updated our field names to align with ECS semantics. As part of this change:
+
+* `cloud.account.id` will now contain the Google Cloud Organization ID (previously, it contained the project ID).
+* `cloud.account.name` will now contain the Google Cloud Organization Display Name (previously, it contained the project name).
+* New fields `cloud.project.id` and `cloud.project.name` will be added to store the actual project ID and project name, respectively.
+
+To restore the previous version, you can add a custom ingest pipeline to the Elastic Integration:
+
+```json
+{
+  "processors": [
+    {
+      "set": {
+        "field": "cloud.account.id",
+        "value": "{{cloud.project.id}}",
+        "if": "ctx?.cloud?.project?.id != null"
+      }
+    },
+    {
+      "set": {
+        "field": "cloud.account.name",
+        "value": "{{cloud.project.name}}",
+        "if": "ctx?.cloud?.project?.name != null"
+      }
+    },
+    {
+      "remove": {
+        "field": [
+          "cloud.project.id",
+          "cloud.project.name"
+        ],
+        "ignore_missing": true
+      }
+    }
+  ]
+}
+```
+
+For more information on creating custom ingest pipelines and processors, please see the [Custom Ingest Pipelines](docs-content://reference/ingestion-tools/fleet/data-streams-pipeline-tutorial.md#data-streams-pipeline-two) guide.
+
+If `period` value is set to 5-minute and sample period of the metric type is 60-second, then this module will collect data from this metric type once every 5 minutes with aggregation. GCP monitoring data has a up to 240 seconds latency, which means latest monitoring data will be up to 4 minutes old. Please see [Latency of GCP Monitoring Metric Data](https://cloud.google.com/monitoring/api/v3/latency-n-retention) for more details. In `gcp` module, metrics are collected based on this ingest delay, which is also obtained from ListMetricDescriptors API.
+
+
+### Rough estimation of the number of API calls [gcp-api-requests]
+
+Google Cloud Platform pricing depends of the number of requests you do to their API’s. Here you have some information that you can use to make an estimation of the pricing you should expect. For example, imagine that you have a Compute Metricset activated and you don’t want to exclude labels. You have a total of 20 instances running in a particular GCP project, region and zone.
+
+For example, if Compute Metricset fetches 14 metrics (which is the number of metrics fetched in the early beta version). Each of those metrics will attempt an API call to Compute API to retrieve also their metadata. Because you have 20 different instances, the total number of API calls that will be done on each refresh period are: 14 metrics + 20 instances = 34 API requests every 5 minutes if that is your current Period. 9792 API requests per day with one zone. If you add 2 zones more with the same amount of instances you’ll have 19584 API requests per day (9792 on each zone) or around 587520 per month for the Compute Metricset. This maths must be done for each different Metricset with slight variations.
+
+
+## Metricsets [_metricsets_30]
+
+Currently, we have `billing`, `compute`,  `gke`, `loadbalancing`, `pubsub`, `metrics` and `storage` metricset in `gcp` module.
+
+
+### `billing` [_billing_3]
+
+This metricset fetches billing metrics from [GCP BigQuery](https://cloud.google.com/bigquery) Cloud Billing allows users to export billing data into BigQuery automatically throughout the day. This metricset gets access to the daily cost detail table periodically to export billing metrics for further analysis.
+
+The `billing` metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-gcp-billing-overview.png
+:alt: metricbeat gcp billing overview
+:::
+
+
+### `compute` [_compute]
+
+This metricset fetches metrics from [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. The `compute` metricset contains some of the metrics exported from the [GCP Compute Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute). Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like compute labels and metadata and metric specific Labels.
+
+The `compute` metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-gcp-compute-overview.png
+:alt: metricbeat gcp compute overview
+:::
+
+
+### `gke` [_gke]
+
+This metricset fetches metrics for [Kubernetes Engine](https://cloud.google.com/kubernetes-engine).
+
+The `gke` metricset contains all GA metrics exported by [Cloud Monitoring Kubernetes metrics](https://cloud.google.com/monitoring/api/metrics_kubernetes).
+
+Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get).
+
+The `gke` metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-gcp-gke-overview.png
+:alt: metricbeat gcp gke overview
+:::
+
+
+### `loadbalancing` [_loadbalancing]
+
+This metricset fetches metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. The `loadbalancing` metricset contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing).
+
+The `loadbalancing` metricset comes with two predefined dashboards:
+
+
+#### HTTPS [_https]
+
+For HTTPS load balancing: image::./images/metricbeat-gcp-load-balancing-https-overview.png[]
+
+
+#### L3 [_l3]
+
+For L3 load balancing: image::./images/metricbeat-gcp-load-balancing-l3-overview.png[]
+
+
+#### TCP/SSL/Proxy [_tcpsslproxy]
+
+For TCP/SSL/Proxy load balancing: image::./images/metricbeat-gcp-load-balancing-tcp-ssl-proxy-overview.png[]
+
+
+### `pubsub` [_pubsub]
+
+This metricset fetches metrics from [Pub/Sub](https://cloud.google.com/pubsub/) topics and subscriptions in Google Cloud Platform. The `pubsub` metricset contains all GA stage metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub).
+
+The `pubsub` metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-gcp-pubsub-overview.png
+:alt: metricbeat gcp pubsub overview
+:::
+
+
+### `metrics` [_metrics_7]
+
+`metrics` metricset uses Google Cloud Operations/Stackdriver, which provides visibility into the performance, uptime, and overall health of cloud-powered applications. It collects metrics, events, and metadata from different services from Google Cloud. This metricset is to collect [monitoring metrics](https://cloud.google.com/monitoring/api/metrics_gcp) from Google Cloud using `ListTimeSeries` API.
+
+
+### `storage` [_storage_2]
+
+This metricset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. The `storage` metricset contains all GA metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage).
+
+We recommend users to define `period: 5m` for this metricset because in Google Cloud, storage monitoring metrics are written every 5-minute sample period with a 10-minute ingest delay.
+
+The `storage` metricset comes with a predefined dashboard:
+
+:::{image} images/metricbeat-gcp-storage-overview.png
+:alt: metricbeat gcp storage overview
+:::
+
+
+### Example configuration [_example_configuration_25]
+
+The Google Cloud Platform module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: gcp
+  metricsets:
+    - compute
+  region: "us-"
+  project_id: "your project id"
+  credentials_file_path: "your JSON credentials file path"
+  exclude_labels: false
+  period: 1m
+
+- module: gcp
+  metricsets:
+    - pubsub
+    - loadbalancing
+    - firestore
+    - dataproc
+  zone: "us-central1-a"
+  project_id: "your project id"
+  credentials_file_path: "your JSON credentials file path"
+  exclude_labels: false
+  period: 1m
+
+- module: gcp
+  metricsets:
+    - storage
+  project_id: "your project id"
+  credentials_file_path: "your JSON credentials file path"
+  exclude_labels: false
+  period: 5m
+
+- module: gcp
+  metricsets:
+    - metrics
+  project_id: "your project id"
+  credentials_file_path: "your JSON credentials file path"
+  exclude_labels: false
+  period: 1m
+  location_label: "resource.labels.zone"
+  metrics:
+    - aligner: ALIGN_NONE
+      service: compute
+      metric_types:
+        - "instance/cpu/reserved_cores"
+        - "instance/cpu/usage_time"
+        - "instance/cpu/utilization"
+        - "instance/uptime"
+
+- module: gcp
+  metricsets:
+    - gke
+  project_id: "your project id"
+  credentials_file_path: "your JSON credentials file path"
+  exclude_labels: false
+  period: 1m
+
+- module: gcp
+  metricsets:
+    - billing
+  period: 24h
+  project_id: "your project id"
+  credentials_file_path: "your JSON credentials file path"
+  dataset_id: "dataset id"
+  table_pattern: "table pattern"
+  cost_type: "regular"
+
+- module: gcp
+  metricsets:
+    - carbon
+  period: 24h
+  project_id: "your project id"
+  credentials_file_path: "your JSON credentials file path"
+  endpoint: http://your-endpoint
+  dataset_id: "dataset id"
+  table_pattern: "table pattern"
+```
+
+
+### Metricsets [_metricsets_31]
+
+The following metricsets are available:
+
+* [billing](/reference/metricbeat/metricbeat-metricset-gcp-billing.md)
+* [carbon](/reference/metricbeat/metricbeat-metricset-gcp-carbon.md)
+* [compute](/reference/metricbeat/metricbeat-metricset-gcp-compute.md)
+* [dataproc](/reference/metricbeat/metricbeat-metricset-gcp-dataproc.md)
+* [firestore](/reference/metricbeat/metricbeat-metricset-gcp-firestore.md)
+* [gke](/reference/metricbeat/metricbeat-metricset-gcp-gke.md)
+* [loadbalancing](/reference/metricbeat/metricbeat-metricset-gcp-loadbalancing.md)
+* [metrics](/reference/metricbeat/metricbeat-metricset-gcp-metrics.md)
+* [pubsub](/reference/metricbeat/metricbeat-metricset-gcp-pubsub.md)
+* [storage](/reference/metricbeat/metricbeat-metricset-gcp-storage.md)
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-golang.md b/docs/reference/metricbeat/metricbeat-module-golang.md
new file mode 100644
index 000000000000..a24c7b76c6c0
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-golang.md
@@ -0,0 +1,40 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-golang.html
+---
+
+# Golang module [metricbeat-module-golang]
+
+The golang module collects metrics by submitting HTTP GET requests to [golang-expvar-api](https://golang.org/pkg/expvar/).
+
+
+## Example configuration [_example_configuration_27]
+
+The Golang module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: golang
+  #metricsets:
+  #  - expvar
+  #  - heap
+  period: 10s
+  hosts: ["localhost:6060"]
+  heap.path: "/debug/vars"
+  expvar:
+    namespace: "example"
+    path: "/debug/vars"
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_32]
+
+The following metricsets are available:
+
+* [expvar](/reference/metricbeat/metricbeat-metricset-golang-expvar.md)
+* [heap](/reference/metricbeat/metricbeat-metricset-golang-heap.md)
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-graphite.md b/docs/reference/metricbeat/metricbeat-module-graphite.md
new file mode 100644
index 000000000000..a4dca52425dd
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-graphite.md
@@ -0,0 +1,49 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-graphite.html
+---
+
+# Graphite module [metricbeat-module-graphite]
+
+This is the Graphite module.
+
+The default metricset is `server`.
+
+
+## Example configuration [_example_configuration_28]
+
+The Graphite module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: graphite
+  metricsets: ["server"]
+  enabled: true
+
+  # Host address to listen on. Default localhost.
+  #host: localhost
+
+  # Listening port. Default 2003.
+  #port: 2003
+
+  # Protocol to listen on. This can be udp or tcp. Default udp.
+  #protocol: "udp"
+
+  # Receive buffer size in bytes
+  #receive_buffer_size: 1024
+
+  #templates:
+  #  - filter: "test.*.bash.*" # This would match metrics like test.localhost.bash.stats
+  #    namespace: "test"
+  #    template: ".host.shell.metric*" # test.localhost.bash.stats would become metric=stats and tags host=localhost,shell=bash
+  #    delimiter: "_"
+```
+
+
+## Metricsets [_metricsets_33]
+
+The following metricsets are available:
+
+* [server](/reference/metricbeat/metricbeat-metricset-graphite-server.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-haproxy.md b/docs/reference/metricbeat/metricbeat-module-haproxy.md
new file mode 100644
index 000000000000..7bdb1982f44f
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-haproxy.md
@@ -0,0 +1,103 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-haproxy.html
+---
+
+# HAProxy module [metricbeat-module-haproxy]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/haproxy.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module collects stats from [HAProxy](http://www.haproxy.org/). It supports collection from TCP sockets, UNIX sockets, or HTTP with or without basic authentication.
+
+Metricbeat can collect two metricsets from HAProxy: `info` and `stat`. `info` is not available when using the stats page.
+
+
+## Configure HAProxy to collect stats [_configure_haproxy_to_collect_stats]
+
+Before you can use Metricbeat to collect stats, you must enable the stats module in HAProxy. You can do this a couple of ways: configure HAProxy to report stats via a TCP or UNIX socket, or enable the stats page.
+
+
+### TCP socket [_tcp_socket]
+
+To enable stats reporting via any local IP on port 14567, add the following line to the `global` or `default` section of the HAProxy config:
+
+```shell
+ stats socket 127.0.0.1:14567
+```
+
+::::{note}
+You should use an internal private IP, or secure this with a firewall rule, so that only designated hosts can access this data.
+::::
+
+
+
+### UNIX socket [_unix_socket]
+
+To enable stats reporting via a UNIX socket, add the following line to the `global` or `default` section of the HAProxy config:
+
+```shell
+ stats socket /path/to/haproxy.sock mode 660 level admin
+```
+
+
+### Stats page [_stats_page]
+
+To enable the HAProxy stats page, add the following lines to the HAProxy config, then restart HAProxy. The stats page in this example will be available to any IP on port 14567 after authentication.
+
+```text
+ listen stats
+   bind 0.0.0.0:14567
+   stats enable
+   stats uri /stats
+   stats auth admin:admin
+```
+
+
+## Compatibility [_compatibility_22]
+
+The HAProxy metricsets are tested with HAProxy versions from 1.6 to 1.8.
+
+
+## Example configuration [_example_configuration_29]
+
+The HAProxy module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: haproxy
+  metricsets: ["info", "stat"]
+  period: 10s
+  # TCP socket, UNIX socket, or HTTP address where HAProxy stats are reported
+  # TCP socket
+  hosts: ["tcp://127.0.0.1:14567"]
+  # UNIX socket
+  #hosts: ["unix:///path/to/haproxy.sock"]
+  # Stats page
+  #hosts: ["http://127.0.0.1:14567"]
+  username : "admin"
+  password : "admin"
+  enabled: true
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_34]
+
+The following metricsets are available:
+
+* [info](/reference/metricbeat/metricbeat-metricset-haproxy-info.md)
+* [stat](/reference/metricbeat/metricbeat-metricset-haproxy-stat.md)
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-http.md b/docs/reference/metricbeat/metricbeat-module-http.md
new file mode 100644
index 000000000000..7c439e4122aa
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-http.md
@@ -0,0 +1,68 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-http.html
+---
+
+# HTTP module [metricbeat-module-http]
+
+The HTTP module is a Metricbeat module used to call arbitrary HTTP endpoints for which a dedicated Metricbeat module is not available.
+
+Multiple endpoints can be configured which are polled in a regular interval and the result is shipped to the configured output channel. It is recommended to install a Metricbeat instance on each host from which data should be fetched.
+
+This module is inspired by the Logstash [http_poller](logstash://reference/plugins-inputs-http_poller.md) input filter but doesn’t require that the endpoint is reachable by Logstash as the Metricbeat module pushes the data to the configured output channels, e.g. Logstash or Elasticsearch.
+
+This is often necessary in security restricted network setups, where Logstash is not able to reach all servers. Instead the server to be monitored itself has Metricbeat installed and can send the data or a collector server has Metricbeat installed which is deployed in the secured network environment and can reach all servers to be monitored.
+
+::::{note}
+As the HTTP metricsets also fetch headers, this can lead to lots of fields in Elasticsearch in case there are many different headers. If this is the case for you and you don’t need the headers, we recommend to use processors to filter out the header field.
+::::
+
+
+
+## Example configuration [_example_configuration_30]
+
+The HTTP module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: http
+  #metricsets:
+  #  - json
+  period: 10s
+  hosts: ["localhost:80"]
+  namespace: "json_namespace"
+  path: "/"
+  #body: ""
+  #method: "GET"
+  #username: "user"
+  #password: "secret"
+  #request.enabled: false
+  #response.enabled: false
+  #json.is_array: false
+  #dedot.enabled: false
+
+- module: http
+  #metricsets:
+  #  - server
+  host: "localhost"
+  port: "8080"
+  enabled: false
+  #paths:
+  #  - path: "/foo"
+  #    namespace: "foo"
+  #    fields: # added to the the response in root. overwrites existing fields
+  #      key: "value"
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_35]
+
+The following metricsets are available:
+
+* [json](/reference/metricbeat/metricbeat-metricset-http-json.md)
+* [server](/reference/metricbeat/metricbeat-metricset-http-server.md)
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-ibmmq.md b/docs/reference/metricbeat/metricbeat-module-ibmmq.md
new file mode 100644
index 000000000000..34ca2f7aa956
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-ibmmq.md
@@ -0,0 +1,69 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-ibmmq.html
+---
+
+# IBM MQ module [metricbeat-module-ibmmq]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This module periodically fetches metrics from a containerized distribution of IBM MQ.
+
+
+## Compatibility [_compatibility_23]
+
+The ibmmq `qmgr` metricset is compatible with a containerized distribution of IBM MQ (since version 9.1.0). The Docker image starts the `runmqserver` process, which spawns the HTTP server exposing metrics in Prometheus format ([source code](https://github.com/ibm-messaging/mq-container/blob/9.1.0/internal/metrics/metrics.go))).
+
+The Docker container lifecycle, including metrics collection, has been described in the [Internals](https://github.com/ibm-messaging/mq-container/blob/9.1.0/docs/internals.md) document.
+
+The image provides an option to easily enable metrics exporter using an environment variable:
+
+`MQ_ENABLE_METRICS` - Set this to `true` to generate Prometheus metrics for the Queue Manager.
+
+
+## Dashboard [_dashboard_26]
+
+The ibmmq module includes predefined dashboards with overview information of the monitored Queue Manager, including subscriptions, calls and messages.
+
+:::{image} images/metricbeat-ibmmq-calls.png
+:alt: metricbeat ibmmq calls
+:::
+
+:::{image} images/metricbeat-ibmmq-messages.png
+:alt: metricbeat ibmmq messages
+:::
+
+:::{image} images/metricbeat-ibmmq-subscriptions.png
+:alt: metricbeat ibmmq subscriptions
+:::
+
+
+## Example configuration [_example_configuration_31]
+
+The IBM MQ module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: ibmmq
+  metricsets: ['qmgr']
+  period: 10s
+  hosts: ['localhost:9157']
+
+  # This module uses the Prometheus collector metricset, all
+  # the options for this metricset are also available here.
+  metrics_path: /metrics
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_36]
+
+The following metricsets are available:
+
+* [qmgr](/reference/metricbeat/metricbeat-metricset-ibmmq-qmgr.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-iis.md b/docs/reference/metricbeat/metricbeat-module-iis.md
new file mode 100644
index 000000000000..be5594cbfe09
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-iis.md
@@ -0,0 +1,97 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-iis.html
+---
+
+# IIS module [metricbeat-module-iis]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/iis.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+IIS (Internet Information Services) is a secure, reliable, and scalable Web server that provides an easy to manage platform for developing and hosting Web applications and services.
+
+The `iis` module will periodically retrieve IIS related metrics using performance counters such as:
+
+* System/Process counters like the the overall server and CPU usage for the IIS Worker Process and memory (currently used and available memory for the IIS Worker Process).
+* IIS performance counters like Web Service: Bytes Received/Sec, Web Service: Bytes Sent/Sec, etc, which are helpful to track to identify potential spikes in traffic.
+* Web Service Cache counters in order to monitor user mode cache and output cache.
+
+The `iis` module mericsets are `webserver`, `website` and `application_pool`.
+
+```yaml
+- module: iis
+  metricsets:
+    - webserver
+    - website
+    - application_pool
+  enabled: true
+  period: 10s
+
+ # filter on application pool names
+ # application_pool.name: []
+```
+
+
+## Metricsets [_metricsets_37]
+
+
+### `webserver` [_webserver]
+
+A light metricset using the windows perfmon metricset as the base metricset. This metricset allows users to retrieve aggregated metrics for the entire webserver,
+
+
+### `website` [_website]
+
+A light metricset using the windows perfmon metricset as the base metricset. This metricset will collect metrics of specific sites, users can configure which websites they want to monitor, else, all are considered.
+
+
+### `application_pool` [_application_pool]
+
+This metricset will collect metrics of specific application pools, users can configure which websites they want to monitor, else, all are considered.
+
+
+### Module-specific configuration notes [_module_specific_configuration_notes_8]
+
+`application_pool.name`
+:   []string, users can specify the application pools they would like to monitor.
+
+
+### Example configuration [_example_configuration_32]
+
+The IIS module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: iis
+  metricsets:
+    - webserver
+    - website
+    - application_pool
+  enabled: true
+  period: 10s
+
+ # filter on application pool names
+ # application_pool.name: []
+```
+
+
+### Metricsets [_metricsets_38]
+
+The following metricsets are available:
+
+* [application_pool](/reference/metricbeat/metricbeat-metricset-iis-application_pool.md)
+* [webserver](/reference/metricbeat/metricbeat-metricset-iis-webserver.md)
+* [website](/reference/metricbeat/metricbeat-metricset-iis-website.md)
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-istio.md b/docs/reference/metricbeat/metricbeat-module-istio.md
new file mode 100644
index 000000000000..ef8394cb3c75
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-istio.md
@@ -0,0 +1,120 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-istio.html
+---
+
+# Istio module [metricbeat-module-istio]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the Istio module. When using versions prior to `1.5` then the `mesh`, `mixer`, `pilot`, `galley`, `citadel` metricsets should be used.
+
+In such case, the Istio module collects metrics from the pre v1.5 Istio [prometheus exporters endpoints](https://istio.io/v1.4/docs/tasks/observability/metrics/querying-metrics/#about-the-prometheus-add-on).
+
+For versions after `1.5`, the `istiod` and `proxy` metricsets should be used. In such case, the `istiod` endpoint collects metrics directly from the Istio Daemon while the `proxy` endpoint collects from each of the proxy sidecars. The metrics exposed by Istio after version `1.5` are documented on [Istio Documentation > Reference > Configuration > Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/).
+
+
+## Compatibility [_compatibility_24]
+
+The Istio module is tested with Istio `1.4` for `mesh`, `mixer`, `pilot`, `galley`, `citadel`. The Istio module is tested with Istio `1.7` for `istiod` and `proxy`.
+
+
+## Dashboard [_dashboard_30]
+
+The Istio module includes predefined dashboards:
+
+1. Overview information about Istio Daemon.
+2. Traffic information collected from istio-proxies.
+
+These dashboards are only compatible with versions of Istio after `1.5` which should be monitored with `istiod` and `proxy` metricsets.
+
+:::{image} images/metricbeat-istio-overview.png
+:alt: metricbeat istio overview
+:::
+
+:::{image} images/metricbeat-istio-traffic.png
+:alt: metricbeat istio traffic
+:::
+
+
+## Example configuration [_example_configuration_33]
+
+The Istio module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+# Istio mesh. To collect all Mixer-generated metrics. For versions of Istio prior to 1.5.
+- module: istio
+  metricsets: ["mesh"]
+  period: 10s
+  # use istio-telemetry.istio-system:42422, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset
+  hosts: ["localhost:42422"]
+
+# Istio mixer. To monitor Mixer itself. For versions of Istio prior to 1.5.
+- module: istio
+  metricsets: ["mixer"]
+  period: 10s
+  # use istio-telemetry.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset
+  hosts: ["localhost:15014"]
+
+# Istio galley. To collect all Galley-generated metrics. For versions of Istio prior to 1.5.
+- module: istio
+  metricsets: ["galley"]
+  period: 10s
+  # use istio-galley.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset
+  hosts: ["localhost:15014"]
+
+# Istio pilot. To collect all Pilot-generated metrics. For versions of Istio prior to 1.5.
+- module: istio
+  metricsets: ["pilot"]
+  period: 10s
+  # use istio-pilot.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset
+  hosts: ["localhost:15014"]
+
+# Istio citadel. To collect all Citadel-generated metrics. For versions of Istio prior to 1.5.
+- module: istio
+  metricsets: ["citadel"]
+  period: 10s
+  # use istio-pilot.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset
+  hosts: ["localhost:15014"]
+
+# Istio istiod to monitor the Istio Daemon for versions of Istio after 1.5.
+- module: istio
+  metricsets: ['istiod']
+  period: 10s
+  # use istiod.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset
+  hosts: ['localhost:15014']
+
+# Istio proxy to monitor Envoy sidecars for versions of Istio after 1.5.
+- module: istio
+  metricsets: ['proxy']
+  period: 10s
+  # it's recommended to deploy this metricset with autodiscovery, see metricset's docs for more info
+  hosts: ['localhost:15090']
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_39]
+
+The following metricsets are available:
+
+* [citadel](/reference/metricbeat/metricbeat-metricset-istio-citadel.md)
+* [galley](/reference/metricbeat/metricbeat-metricset-istio-galley.md)
+* [istiod](/reference/metricbeat/metricbeat-metricset-istio-istiod.md)
+* [mesh](/reference/metricbeat/metricbeat-metricset-istio-mesh.md)
+* [mixer](/reference/metricbeat/metricbeat-metricset-istio-mixer.md)
+* [pilot](/reference/metricbeat/metricbeat-metricset-istio-pilot.md)
+* [proxy](/reference/metricbeat/metricbeat-metricset-istio-proxy.md)
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-jolokia.md b/docs/reference/metricbeat/metricbeat-module-jolokia.md
new file mode 100644
index 000000000000..8d565328d8fc
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-jolokia.md
@@ -0,0 +1,64 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-jolokia.html
+---
+
+# Jolokia module [metricbeat-module-jolokia]
+
+This module collects metrics from [Jolokia agents](https://jolokia.org/reference/html/agents.md) running on a target JMX server or dedicated proxy server. The default metricset is `jmx`.
+
+To collect metrics, Metricbeat communicates with a Jolokia HTTP/REST endpoint that exposes the JMX metrics over HTTP/REST/JSON.
+
+
+## Compatibility [_compatibility_25]
+
+The Jolokia module is tested with Jolokia 1.5.0. It should work with version 1.2.2 and later.
+
+
+## Example configuration [_example_configuration_34]
+
+The Jolokia module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: jolokia
+  #metricsets: ["jmx"]
+  period: 10s
+  hosts: ["localhost"]
+  namespace: "metrics"
+  #path: "/jolokia/?ignoreErrors=true&canonicalNaming=false"
+  #username: "user"
+  #password: "secret"
+  jmx.mappings:
+    #- mbean: 'java.lang:type=Runtime'
+    #  attributes:
+    #    - attr: Uptime
+    #      field: uptime
+    #- mbean: 'java.lang:type=Memory'
+    #  attributes:
+    #    - attr: HeapMemoryUsage
+    #      field: memory.heap_usage
+    #    - attr: NonHeapMemoryUsage
+    #      field: memory.non_heap_usage
+    # GC Metrics - this depends on what is available on your JVM
+    #- mbean: 'java.lang:type=GarbageCollector,name=ConcurrentMarkSweep'
+    #  attributes:
+    #    - attr: CollectionTime
+    #      field: gc.cms_collection_time
+    #    - attr: CollectionCount
+    #      field: gc.cms_collection_count
+
+  jmx.application:
+  jmx.instance:
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_40]
+
+The following metricsets are available:
+
+* [jmx](/reference/metricbeat/metricbeat-metricset-jolokia-jmx.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-kafka.md b/docs/reference/metricbeat/metricbeat-module-kafka.md
new file mode 100644
index 000000000000..7cb9f68a7bc7
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-kafka.md
@@ -0,0 +1,137 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-kafka.html
+---
+
+# Kafka module [metricbeat-module-kafka]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/kafka.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is the Kafka module.
+
+The default metricsets are `consumergroup` and `partition`.
+
+If authorization is configured in the Kafka cluster, the following ACLs are required for the Metricbeat user:
+
+* READ Topic, for the topics to be monitored
+* DESCRIBE Group, for the groups to be monitored
+
+For example, if the `stats` user is being used for Metricbeat, to monitor all topics and all consumer groups, ACLS can be granted with the following commands:
+
+```shell
+kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:stats --operation Read --topic '*'
+kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:stats --operation Describe --group '*'
+```
+
+
+## Compatibility [_compatibility_26]
+
+This module is tested with Kafka 0.10.2.1, 1.1.0, 2.1.1, and 2.2.2.
+
+The Broker, Producer, Consumer metricsets require [Jolokia](/reference/metricbeat/metricbeat-module-jolokia.md) to fetch JMX metrics. Refer to the link for Jolokia’s compatibility notes.
+
+
+## Usage [_usage_5]
+
+The Broker, Producer, Consumer metricsets require [Jolokia](/reference/metricbeat/metricbeat-module-jolokia.md) to fetch JMX metrics. Refer to those Metricsets' documentation about how to use Jolokia.
+
+
+## Dashboard [_dashboard_31]
+
+The Kafka module comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat_kafka_dashboard.png
+:alt: metricbeat kafka dashboard
+:::
+
+
+## Example configuration [_example_configuration_35]
+
+The Kafka module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+# Kafka metrics collected using the Kafka protocol
+- module: kafka
+  #metricsets:
+  #  - partition
+  #  - consumergroup
+  period: 10s
+  hosts: ["localhost:9092"]
+
+  #client_id: metricbeat
+  #retries: 3
+  #backoff: 250ms
+
+  # List of Topics to query metadata for. If empty, all topics will be queried.
+  #topics: []
+
+  # Optional SSL. By default is off.
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client Certificate Key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Client Certificate Passphrase (in case your Client Certificate Key is encrypted)
+  #ssl.key_passphrase: "yourKeyPassphrase"
+
+  # SASL authentication
+  #username: ""
+  #password: ""
+
+  # SASL authentication mechanism used. Can be one of PLAIN, SCRAM-SHA-256 or SCRAM-SHA-512.
+  # Defaults to PLAIN when `username` and `password` are configured.
+  #sasl.mechanism: ''
+
+# Metrics collected from a Kafka broker using Jolokia
+#- module: kafka
+#  metricsets:
+#    - broker
+#  period: 10s
+#  hosts: ["localhost:8779"]
+
+# Metrics collected from a Java Kafka consumer using Jolokia
+#- module: kafka
+#  metricsets:
+#    - consumer
+#  period: 10s
+#  hosts: ["localhost:8774"]
+
+# Metrics collected from a Java Kafka producer using Jolokia
+#- module: kafka
+#  metricsets:
+#    - producer
+#  period: 10s
+#  hosts: ["localhost:8775"]
+```
+
+
+## Metricsets [_metricsets_41]
+
+The following metricsets are available:
+
+* [broker](/reference/metricbeat/metricbeat-metricset-kafka-broker.md)
+* [consumer](/reference/metricbeat/metricbeat-metricset-kafka-consumer.md)
+* [consumergroup](/reference/metricbeat/metricbeat-metricset-kafka-consumergroup.md)
+* [partition](/reference/metricbeat/metricbeat-metricset-kafka-partition.md)
+* [producer](/reference/metricbeat/metricbeat-metricset-kafka-producer.md)
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-kibana.md b/docs/reference/metricbeat/metricbeat-module-kibana.md
new file mode 100644
index 000000000000..f7b8a02f21a6
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-kibana.md
@@ -0,0 +1,80 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-kibana.html
+---
+
+# Kibana module [metricbeat-module-kibana]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/kibana.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `kibana` module collects metrics about {{kib}}.
+
+
+## Compatibility [_compatibility_30]
+
+The `kibana` module works with {{kib}} 6.7.0 and later.
+
+
+## Usage for {{stack}} Monitoring [_usage_for_stack_monitoring_4]
+
+The `kibana` module can be used to collect metrics shown in our {{stack-monitor-app}} UI in {{kib}}. To enable this usage, set `xpack.enabled: true` and remove any `metricsets` from the module’s configuration. Alternatively, run `metricbeat modules disable kibana` and `metricbeat modules enable kibana-xpack`.
+
+::::{note}
+When this module is used for {{stack}} Monitoring, it sends metrics to the monitoring index instead of the default index typically used by {{metricbeat}}. For more details about the monitoring index, see [Configuring indices for monitoring](docs-content://deploy-manage/monitor/monitoring-data/configuring-data-streamsindices-for-monitoring.md).
+::::
+
+
+
+## Example configuration [_example_configuration_36]
+
+The Kibana module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: kibana
+  metricsets: ["status"]
+  period: 10s
+  hosts: ["localhost:5601"]
+  basepath: ""
+  enabled: true
+  #username: "user"
+  #password: "secret"
+  #api_key: "foo:bar"
+
+  # Set to true to send data collected by module to X-Pack
+  # Monitoring instead of metricbeat-* indices.
+  #xpack.enabled: false
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_42]
+
+The following metricsets are available:
+
+* [cluster_actions](/reference/metricbeat/metricbeat-metricset-kibana-cluster_actions.md)
+* [cluster_rules](/reference/metricbeat/metricbeat-metricset-kibana-cluster_rules.md)
+* [node_actions](/reference/metricbeat/metricbeat-metricset-kibana-node_actions.md)
+* [node_rules](/reference/metricbeat/metricbeat-metricset-kibana-node_rules.md)
+* [settings](/reference/metricbeat/metricbeat-metricset-kibana-settings.md)
+* [stats](/reference/metricbeat/metricbeat-metricset-kibana-stats.md)
+* [status](/reference/metricbeat/metricbeat-metricset-kibana-status.md)
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-kubernetes.md b/docs/reference/metricbeat/metricbeat-module-kubernetes.md
new file mode 100644
index 000000000000..9675a13dca0a
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-kubernetes.md
@@ -0,0 +1,443 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-kubernetes.html
+---
+
+# Kubernetes module [metricbeat-module-kubernetes]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/kubernetes.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+As one of the main pieces provided for Kubernetes monitoring, this module is capable of fetching metrics from several components:
+
+* [kubelet](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/)
+* [kube-state-metrics](https://github.com/kubernetes/kube-state-metrics)
+* [apiserver](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/)
+* [controller-manager](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/)
+* [scheduler](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/)
+* [proxy](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/)
+
+Some of the previous components are running on each of the Kubernetes nodes (like `kubelet` or `proxy`) while others provide a single cluster-wide endpoint. This is important to determine the optimal configuration and running strategy for the different metricsets included in the module.
+
+For a complete reference on how to configure and run this module on Kubernetes as part of a `DaemonSet` and a `Deployment`, there’s a complete example manifest available in [Running Metricbeat on Kubernetes](/reference/metricbeat/running-on-kubernetes.md) document.
+
+
+## Kubernetes endpoints and metricsets [_kubernetes_endpoints_and_metricsets]
+
+Kubernetes module is a bit complex as its internal metricsets require access to a wide variety of endpoints.
+
+This section highlights and introduces some groups of metricsets with similar endpoint access needs. For more details on the metricsets see `configuration example` and the `metricsets` sections below.
+
+
+### container / node / pod / system / volume [_container_node_pod_system_volume]
+
+The default metricsets `container`, `node`, `pod`, `system`, and `volume` require access to the `kubelet endpoint` in each of the Kubernetes nodes, hence it’s recommended to include them as part of a `Metricbeat DaemonSet` or standalone Metricbeats running on the hosts.
+
+Depending on the version and configuration of Kubernetes nodes, `kubelet` might provide a read only http port (typically 10255), which is used in some configuration examples. But in general, and lately, this endpoint requires SSL (`https`) access (to port 10250 by default) and token based authentication.
+
+
+### state_* and event [_state_and_event]
+
+All metricsets with the `state_` prefix require `hosts` field pointing to `kube-state-metrics service` within the cluster. As the service provides cluster-wide metrics, there’s no need to fetch them per node, hence the recommendation is to run these metricsets as part of a `Metricbeat Deployment` with one only replica.
+
+Note: Kube-state-metrics is not deployed by default in Kubernetes. For these cases the instructions for its deployment are available [here](https://github.com/kubernetes/kube-state-metrics#kubernetes-deployment). Generally `kube-state-metrics` runs a `Deployment` and is accessible via a service called `kube-state-metrics` on `kube-system` namespace, which will be the service to use in our configuration.
+
+
+### apiserver [_apiserver]
+
+The apiserver metricset requires access to the Kubernetes API, which should be easily available in all Kubernetes environments. Depending on the Kubernetes configuration, the API access might require SSL (`https`) and token based authentication.
+
+In order to access the `/metrics` path of the API service, some Kubernetes environments might require the following permission to be added to a ClusterRole.
+
+```yaml
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get
+```
+
+
+### proxy [_proxy]
+
+The proxy metricset requires access to the proxy endpoint in each of Kubernetes nodes, hence it’s recommended to configure it as a part of a `Metricbeat DaemonSet`.
+
+
+### scheduler and controllermanager [_scheduler_and_controllermanager]
+
+These metricsets require access to the Kubernetes `controller-manager` and `scheduler` endpoints. By default, these pods run only on master nodes, and they are not exposed via a Service, but there are different strategies available for its configuration:
+
+* Create `Kubernetes Services` to make `kube-controller-manager` and `kube-scheduler` available and configure the metricsets to point to these services as part of a Metricbeat `Deployment`.
+* Use `Autodiscovery` functionality as part of a Metricbeat DaemonSet and include the metricsets in a conditional template applied for the specific pods.
+
+Note: In some "As a Service" Kubernetes implementations, like `GKE`, the master nodes or even the pods running on the masters won’t be visible. In these cases it won’t be possible to use `scheduler` and `controllermanager` metricsets.
+
+
+## Kubernetes RBAC [_kubernetes_rbac]
+
+Metricbeat requires certain cluster level privileges in order to fetch the metrics. The following example creates a `ServiceAcount` named `metricbeat` with the necessary permissions to run all the metricsets from the module. A `ClusterRole` and a `ClusterRoleBinding` are created for this purpose:
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: metricbeat
+  namespace: kube-system
+  labels:
+    k8s-app: metricbeat
+```
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: metricbeat
+  labels:
+    k8s-app: metricbeat
+rules:
+- apiGroups: [""]
+  resources:
+  - nodes
+  - namespaces
+  - events
+  - pods
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["batch"]
+  resources:
+  - jobs
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions"]
+  resources:
+  - replicasets
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["apps"]
+  resources:
+  - statefulsets
+  - deployments
+  - replicasets
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - nodes/stats
+  verbs:
+  - get
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get
+```
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: metricbeat
+subjects:
+- kind: ServiceAccount
+  name: metricbeat
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: metricbeat
+  apiGroup: rbac.authorization.k8s.io
+```
+
+
+## Compatibility [_compatibility_31]
+
+The Kubernetes module is tested with the following versions of Kubernetes: 1.28.x, 1.29.x, 1.30.x and 1.31.x
+
+
+## Dashboard [_dashboard_32]
+
+Kubernetes module is shipped including default dashboards for `cluster overview`, `apiserver`, `controllermanager`, `scheduler` and `proxy`.
+
+If you are using HA for those components, be aware that when gathering data from all instances the dashboard will usually show and average of the metrics. For those scenarios filtering by hosts or service address is possible.
+
+Dashboards for `controllermanager` `scheduler` and `proxy` are not compatible with kibana versions below `7.2.0`
+
+Cluster selector in `cluster overview` dashboard helps in distinguishing and filtering metrics collected from multiple clusters. If you want to focus on a subset of the Kubernetes clusters for monitoring a specific scenario, this cluster selector could be a handy tool. Note that this selector gets populated from the `orchestrator.cluster.name` field that may not always be available. This field gets its value from sources like `kube_config`, `kubeadm-config` configMap, and Google Cloud’s meta API for GKE. If the sources mentioned above don’t provide this value, metricbeat will not report it. However, you can always use [add_fields processor](/reference/filebeat/add-fields.md) to set `orchestrator.cluster.name` fields and utilize it in the `cluster overview` dashboard:
+
+```yaml
+processors:
+  - add_fields:
+      target: orchestrator.cluster
+      fields:
+        name: clusterName
+        url: clusterURL
+```
+
+Kubernetes cluster overview example:
+
+:::{image} images/metricbeat-kubernetes-clusteroverview.png
+:alt: metricbeat kubernetes clusteroverview
+:::
+
+If you are setting collection period to a value bigger than `2m` you will need to increase the Interval (in Panel Options) for "Desired Pods", "Available Pods" and "Unavailable Pods" visualisations.
+
+Kubernetes controller manager example:
+
+:::{image} images/metricbeat-kubernetes-controllermanager.png
+:alt: metricbeat kubernetes controllermanager
+:::
+
+Kubernetes scheduler example:
+
+:::{image} images/metricbeat_kubernetes_scheduler.png
+:alt: metricbeat kubernetes scheduler
+:::
+
+Kubernetes proxy example:
+
+:::{image} images/metricbeat-kubernetes-proxy.png
+:alt: metricbeat kubernetes proxy
+:::
+
+
+## Example configuration [_example_configuration_37]
+
+The Kubernetes module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+# Node metrics, from kubelet:
+- module: kubernetes
+  metricsets:
+    - container
+    - node
+    - pod
+    - system
+    - volume
+  period: 10s
+  enabled: true
+  hosts: ["https://${NODE_NAME}:10250"]
+  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+  ssl.verification_mode: "none"
+  #ssl.certificate_authorities:
+  #  - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Enriching parameters:
+  add_metadata: true
+  # If kube_config is not set, KUBECONFIG environment variable will be checked
+  # and if not present it will fall back to InCluster
+  #kube_config: ~/.kube/config
+  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+  use_kubeadm: true
+  #include_labels: []
+  #exclude_labels: []
+  #include_annotations: []
+  #labels.dedot: true
+  #annotations.dedot: true
+
+  # When used outside the cluster:
+  #node: node_name
+
+  # To configure additionally node and namespace metadata `add_resource_metadata` can be defined.
+  # By default all labels will be included while annotations are not added by default.
+  # add_resource_metadata:
+  #   namespace:
+  #     include_labels: ["namespacelabel1"]
+  #   node:
+  #     include_labels: ["nodelabel2"]
+  #     include_annotations: ["nodeannotation1"]
+  #   deployment: false
+  #   cronjob: false
+  # Kubernetes client QPS and burst can be configured additionally
+  #kube_client_options:
+  #  qps: 5
+  #  burst: 10
+
+# State metrics from kube-state-metrics service:
+- module: kubernetes
+  enabled: true
+  metricsets:
+    - state_node
+    - state_daemonset
+    - state_deployment
+    - state_replicaset
+    - state_statefulset
+    - state_pod
+    - state_container
+    - state_job
+    - state_cronjob
+    - state_resourcequota
+    - state_service
+    - state_persistentvolume
+    - state_persistentvolumeclaim
+    - state_storageclass
+    # Uncomment this to get k8s events:
+    #- event  period: 10s
+  hosts: ["kube-state-metrics:8080"]
+
+  # Enriching parameters:
+  add_metadata: true
+  # If kube_config is not set, KUBECONFIG environment variable will be checked
+  # and if not present it will fall back to InCluster
+  #kube_config: ~/.kube/config
+  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+  use_kubeadm: true
+  #include_labels: []
+  #exclude_labels: []
+  #include_annotations: []
+  #labels.dedot: true
+  #annotations.dedot: true
+
+  # When used outside the cluster:
+  #node: node_name
+
+  # Set the namespace to watch for resources
+  #namespace: staging
+
+  # To configure additionally node and namespace metadata `add_resource_metadata` can be defined.
+  # By default all labels will be included while annotations are not added by default.
+  # add_resource_metadata:
+  #   namespace:
+  #     include_labels: ["namespacelabel1"]
+  #   node:
+  #     include_labels: ["nodelabel2"]
+  #     include_annotations: ["nodeannotation1"]
+  #   deployment: false
+  #   cronjob: false
+  # Kubernetes client QPS and burst can be configured additionally
+  #kube_client_options:
+  #  qps: 5
+  #  burst: 10
+
+# Kubernetes Events
+- module: kubernetes
+  enabled: true
+  metricsets:
+    - event
+  period: 10s
+  # Skip events older than Metricbeat's statup time is enabled by default.
+  # Setting to false the skip_older setting will stop filtering older events.
+  # This setting is also useful went Event's timestamps are not populated properly.
+  #skip_older: false
+  # If kube_config is not set, KUBECONFIG environment variable will be checked
+  # and if not present it will fall back to InCluster
+  #kube_config: ~/.kube/config
+  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+  use_kubeadm: true
+  # Set the namespace to watch for events
+  #namespace: staging
+  # Set the sync period of the watchers
+  #sync_period: 10m
+  # Kubernetes client QPS and burst can be configured additionally
+  #kube_client_options:
+  #  qps: 5
+  #  burst: 10
+
+# Kubernetes API server
+# (when running metricbeat as a deployment)
+- module: kubernetes
+  enabled: true
+  metricsets:
+    - apiserver
+  hosts: ["https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"]
+  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+  ssl.certificate_authorities:
+    - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+  period: 30s
+  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+  use_kubeadm: true
+
+# Kubernetes proxy server
+# (when running metricbeat locally at hosts or as a daemonset + host network)
+- module: kubernetes
+  enabled: true
+  metricsets:
+    - proxy
+  hosts: ["localhost:10249"]
+  period: 10s
+  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+  use_kubeadm: true
+
+# Kubernetes controller manager
+# (URL and deployment method should be adapted to match the controller manager deployment / service / endpoint)
+- module: kubernetes
+  enabled: true
+  metricsets:
+    - controllermanager
+  hosts: ["http://localhost:10252"]
+  period: 10s
+  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+  use_kubeadm: true
+
+# Kubernetes scheduler
+# (URL and deployment method should be adapted to match scheduler deployment / service / endpoint)
+- module: kubernetes
+  enabled: true
+  metricsets:
+    - scheduler
+  hosts: ["localhost:10251"]
+  period: 10s
+  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+  use_kubeadm: true
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_43]
+
+The following metricsets are available:
+
+* [apiserver](/reference/metricbeat/metricbeat-metricset-kubernetes-apiserver.md)
+* [container](/reference/metricbeat/metricbeat-metricset-kubernetes-container.md)
+* [controllermanager](/reference/metricbeat/metricbeat-metricset-kubernetes-controllermanager.md)
+* [event](/reference/metricbeat/metricbeat-metricset-kubernetes-event.md)
+* [node](/reference/metricbeat/metricbeat-metricset-kubernetes-node.md)
+* [pod](/reference/metricbeat/metricbeat-metricset-kubernetes-pod.md)
+* [proxy](/reference/metricbeat/metricbeat-metricset-kubernetes-proxy.md)
+* [scheduler](/reference/metricbeat/metricbeat-metricset-kubernetes-scheduler.md)
+* [state_container](/reference/metricbeat/metricbeat-metricset-kubernetes-state_container.md)
+* [state_cronjob](/reference/metricbeat/metricbeat-metricset-kubernetes-state_cronjob.md)
+* [state_daemonset](/reference/metricbeat/metricbeat-metricset-kubernetes-state_daemonset.md)
+* [state_deployment](/reference/metricbeat/metricbeat-metricset-kubernetes-state_deployment.md)
+* [state_job](/reference/metricbeat/metricbeat-metricset-kubernetes-state_job.md)
+* [state_node](/reference/metricbeat/metricbeat-metricset-kubernetes-state_node.md)
+* [state_persistentvolumeclaim](/reference/metricbeat/metricbeat-metricset-kubernetes-state_persistentvolumeclaim.md)
+* [state_pod](/reference/metricbeat/metricbeat-metricset-kubernetes-state_pod.md)
+* [state_replicaset](/reference/metricbeat/metricbeat-metricset-kubernetes-state_replicaset.md)
+* [state_resourcequota](/reference/metricbeat/metricbeat-metricset-kubernetes-state_resourcequota.md)
+* [state_service](/reference/metricbeat/metricbeat-metricset-kubernetes-state_service.md)
+* [state_statefulset](/reference/metricbeat/metricbeat-metricset-kubernetes-state_statefulset.md)
+* [state_storageclass](/reference/metricbeat/metricbeat-metricset-kubernetes-state_storageclass.md)
+* [system](/reference/metricbeat/metricbeat-metricset-kubernetes-system.md)
+* [volume](/reference/metricbeat/metricbeat-metricset-kubernetes-volume.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-kvm.md b/docs/reference/metricbeat/metricbeat-module-kvm.md
new file mode 100644
index 000000000000..0781aa37fb9a
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-kvm.md
@@ -0,0 +1,44 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-kvm.html
+---
+
+# KVM module [metricbeat-module-kvm]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the kvm module.
+
+
+## Example configuration [_example_configuration_38]
+
+The KVM module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: kvm
+  metricsets: ["dommemstat", "status"]
+  enabled: true
+  period: 10s
+  hosts: ["unix:///var/run/libvirt/libvirt-sock"]
+  # For remote hosts, setup network access in libvirtd.conf
+  # and use the tcp scheme:
+  # hosts: [ "tcp://<host>:16509" ]
+
+  # Timeout to connect to Libvirt server
+  #timeout: 1s
+```
+
+
+## Metricsets [_metricsets_44]
+
+The following metricsets are available:
+
+* [dommemstat](/reference/metricbeat/metricbeat-metricset-kvm-dommemstat.md)
+* [status](/reference/metricbeat/metricbeat-metricset-kvm-status.md)
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-linux.md b/docs/reference/metricbeat/metricbeat-module-linux.md
new file mode 100644
index 000000000000..55a157b75dfc
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-linux.md
@@ -0,0 +1,68 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-linux.html
+---
+
+# Linux module [metricbeat-module-linux]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/linux.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The Linux module reports on metrics exclusive to the Linux kernel and GNU/Linux OS.
+
+
+## Example configuration [_example_configuration_39]
+
+The Linux module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: linux
+  period: 10s
+  metricsets:
+    - "pageinfo"
+    - "memory"
+    # - ksm
+    # - conntrack
+    # - iostat
+    # - pressure
+    # - rapl
+  enabled: true
+  #hostfs: /hostfs
+  #rapl.use_msr_safe: false
+```
+
+
+## Metricsets [_metricsets_45]
+
+The following metricsets are available:
+
+* [conntrack](/reference/metricbeat/metricbeat-metricset-linux-conntrack.md)
+* [iostat](/reference/metricbeat/metricbeat-metricset-linux-iostat.md)
+* [ksm](/reference/metricbeat/metricbeat-metricset-linux-ksm.md)
+* [memory](/reference/metricbeat/metricbeat-metricset-linux-memory.md)
+* [pageinfo](/reference/metricbeat/metricbeat-metricset-linux-pageinfo.md)
+* [pressure](/reference/metricbeat/metricbeat-metricset-linux-pressure.md)
+* [rapl](/reference/metricbeat/metricbeat-metricset-linux-rapl.md)
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-logstash.md b/docs/reference/metricbeat/metricbeat-module-logstash.md
new file mode 100644
index 000000000000..4904ad59e7a2
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-logstash.md
@@ -0,0 +1,62 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-logstash.html
+---
+
+# Logstash module [metricbeat-module-logstash]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/logstash.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The `logstash` module collects metrics about {{ls}}.
+
+
+## Compatibility [_compatibility_32]
+
+The `logstash` module works with {{ls}} 7.3.0 and later.
+
+
+## Usage for Stack Monitoring [_usage_for_stack_monitoring_5]
+
+The `logstash` module can be used to collect metrics shown in our {{stack-monitor-app}} UI in {{kib}}. To enable this usage, set `xpack.enabled: true` and remove any `metricsets` from the module’s configuration. Alternatively, run `metricbeat modules disable logstash` and `metricbeat modules enable logstash-xpack`.
+
+::::{note}
+When this module is used for {{stack}} Monitoring, it sends metrics to the monitoring index instead of the default index typically used by {{metricbeat}}. For more details about the monitoring index, see [Configuring indices for monitoring](docs-content://deploy-manage/monitor/monitoring-data/configuring-data-streamsindices-for-monitoring.md).
+::::
+
+
+
+## Example configuration [_example_configuration_40]
+
+The Logstash module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: logstash
+  metricsets: ["node", "node_stats"]
+  enabled: true
+  period: 10s
+  hosts: ["localhost:9600"]
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_46]
+
+The following metricsets are available:
+
+* [node](/reference/metricbeat/metricbeat-metricset-logstash-node.md)
+* [node_stats](/reference/metricbeat/metricbeat-metricset-logstash-node_stats.md)
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-memcached.md b/docs/reference/metricbeat/metricbeat-module-memcached.md
new file mode 100644
index 000000000000..f654a63091c3
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-memcached.md
@@ -0,0 +1,38 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-memcached.html
+---
+
+# Memcached module [metricbeat-module-memcached]
+
+This is the Memcached module. These metricsets were tested with Memcached version 1.4.35.
+
+The default metricset is `stats`.
+
+
+## Compatibility [_compatibility_33]
+
+The memcached module is tested with memcached 1.4.35.
+
+
+## Example configuration [_example_configuration_41]
+
+The Memcached module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: memcached
+  metricsets: ["stats"]
+  period: 10s
+  hosts: ["localhost:11211"]
+  enabled: true
+```
+
+
+## Metricsets [_metricsets_47]
+
+The following metricsets are available:
+
+* [stats](/reference/metricbeat/metricbeat-metricset-memcached-stats.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-meraki.md b/docs/reference/metricbeat/metricbeat-module-meraki.md
new file mode 100644
index 000000000000..052014730c9b
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-meraki.md
@@ -0,0 +1,37 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-meraki.html
+---
+
+# Cisco Meraki module [metricbeat-module-meraki]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the meraki module.
+
+
+## Example configuration [_example_configuration_42]
+
+The Cisco Meraki module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: meraki
+  metricsets: ["device_health"]
+  enabled: true
+  period: 300s
+  apiKey: "Meraki dashboard API key"
+  organizations: ["Meraki organization ID"]
+```
+
+
+## Metricsets [_metricsets_48]
+
+The following metricsets are available:
+
+* [device_health](/reference/metricbeat/metricbeat-metricset-meraki-device_health.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-mongodb.md b/docs/reference/metricbeat/metricbeat-module-mongodb.md
new file mode 100644
index 000000000000..ba55c088287b
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-mongodb.md
@@ -0,0 +1,170 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-mongodb.html
+---
+
+# MongoDB module [metricbeat-module-mongodb]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/mongodb.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module periodically fetches metrics from [MongoDB](https://www.mongodb.com) servers.
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes_11]
+
+When configuring the `hosts` option, you must use MongoDB URLs of the following format:
+
+```
+[mongodb://][user:pass@]host[:port][?options]
+```
+
+Or
+
+```
+mongodb://[username:password@]host1[:port1][,...hostN[:portN]][/[defaultauthdb][?options]]
+```
+
+The URL can be as simple as:
+
+```yaml
+- module: mongodb
+  hosts: ["localhost"]
+```
+
+Or more complex like:
+
+```yaml
+- module: mongodb
+  hosts: ["mongodb://myuser:mypass@localhost:40001", "otherhost:40001"]
+```
+
+Some more supported URLs are:
+
+```yaml
+- module: mongodb
+  hosts: ["mongodb://localhost:27017,localhost:27022,localhost:27023"]
+```
+
+```yaml
+- module: mongodb
+  hosts: ["mongodb://localhost:27017/?directConnection=true"]
+```
+
+When the parameter `directConnection=true` is included in the connection URI, all operations are executed on the host specified in the URI. It’s important to note that `directConnection=true` must be explicitly specified in the URI, as it won’t be added automatically unless specified.
+
+```yaml
+- module: mongodb
+  hosts: ["mongodb://localhost:27017,localhost:27022,localhost:27023/?replicaSet=dbrs"]
+```
+
+The username and password can be included in the URL or they can be set using the respective configuration options. The credentials in the URL take precedence over the username and password configuration options.
+
+```yaml
+- module: mongodb
+  metricsets: ["status"]
+  hosts: ["localhost:27017"]
+  username: root
+  password: test
+```
+
+The default metricsets are `collstats`, `dbstats` and `status`.
+
+
+## Compatibility [_compatibility_34]
+
+The MongoDB metricsets were tested with MongoDB 5.0 and are expected to work with all versions >= 5.0.
+
+
+## MongoDB Privileges [_mongodb_privileges]
+
+In order to use the metricsets, the MongoDB user specified in the module configuration needs to have certain [privileges](https://docs.mongodb.com/manual/core/authorization/#privileges).
+
+We recommend using the [`clusterMonitor` role](https://docs.mongodb.com/manual/reference/built-in-roles/#clusterMonitor) to cover all the necessary privileges.
+
+You can use the following command in Mongo shell to create the privileged user (make sure you are using the `admin` db by using `db` command in Mongo shell).
+
+```js
+db.createUser(
+    {
+        user: "beats",
+        pwd: "pass",
+        roles: ["clusterMonitor"]
+    }
+)
+```
+
+You can use the following command in Mongo shell to grant the role to an existing user (make sure you are using the `admin` db by using `db` command in Mongo shell).
+
+```js
+db.grantRolesToUser("user", ["clusterMonitor"])
+```
+
+
+## Example configuration [_example_configuration_43]
+
+The MongoDB module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: mongodb
+  metricsets: ["dbstats", "status", "collstats", "metrics", "replstatus"]
+  period: 10s
+  enabled: true
+
+  # The hosts must be passed as MongoDB URLs in the format:
+  # [mongodb://][user:pass@]host[:port].
+  # The username and password can also be set using the respective configuration
+  # options. The credentials in the URL take precedence over the username and
+  # password configuration options.
+  hosts: ["localhost:27017"]
+
+  # Optional SSL. By default is off.
+  #ssl.enabled: true
+
+  # Mode of verification of server certificate ('none' or 'full')
+  #ssl.verification_mode: 'full'
+
+  # List of root certificates for TLS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client Certificate Key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Username to use when connecting to MongoDB. Empty by default.
+  #username: user
+
+  # Password to use when connecting to MongoDB. Empty by default.
+  #password: pass
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md).
+
+
+## Metricsets [_metricsets_49]
+
+The following metricsets are available:
+
+* [collstats](/reference/metricbeat/metricbeat-metricset-mongodb-collstats.md)
+* [dbstats](/reference/metricbeat/metricbeat-metricset-mongodb-dbstats.md)
+* [metrics](/reference/metricbeat/metricbeat-metricset-mongodb-metrics.md)
+* [replstatus](/reference/metricbeat/metricbeat-metricset-mongodb-replstatus.md)
+* [status](/reference/metricbeat/metricbeat-metricset-mongodb-status.md)
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-mssql.md b/docs/reference/metricbeat/metricbeat-module-mssql.md
new file mode 100644
index 000000000000..488f0699dc8d
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-mssql.md
@@ -0,0 +1,96 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-mssql.html
+---
+
+# MSSQL module [metricbeat-module-mssql]
+
+This is the [Microsoft SQL 2017](https://www.microsoft.com/en-us/sql-server/sql-server-2017) Metricbeat module. It is still under active development to add new Metricsets and introduce enhancements.
+
+
+## Compatibility [_compatibility_35]
+
+The module is being tested with [2017 GA](https://hub.docker.com/r/microsoft/mssql-server-linux/) version under Linux
+
+
+## Permission/Access required for tables [_permissionaccess_required_for_tables]
+
+1.`transaction_log` :
+
+* sys.databases
+* sys.dm_db_log_space_usage
+* sys.dm_db_log_stats(DB_ID)
+
+2.`performance` :
+
+* sys.dm_os_performance_counters
+
+If you browse MSDN for above tables, you will find "Permissions" section which defines the permission needed, e.g [Permissions](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-db-log-space-usage-transact-sql?view=sql-server-ver15)
+
+
+## Metricsets [_metricsets_50]
+
+The following Metricsets are already included:
+
+
+### `transaction_log` [_transaction_log]
+
+`transaction_log` Metricset fetches information about the operation and transaction log of each MSSQL database in the monitored instance. All data is extracted from the [Database Dynamic Management Views](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/database-related-dynamic-management-views-transact-sql?view=sql-server-2017)
+
+
+### `performance` [_performance]
+
+`performance` Metricset fetches information from what’s commonly known as [Performance Counters](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-os-performance-counters-transact-sql?view=sql-server-2017) in MSSQL.
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes_12]
+
+When configuring the `hosts` option, you can specify native user credentials as part of the host string with the following format:
+
+```
+hosts: ["sqlserver://sa@localhost"]]
+```
+
+To use Active Directory domain credentials, you can separately specify the username and password using the respective configuration options to allow the domain to be included in the username:
+
+```
+metricbeat.modules:
+- module: mssql
+  metricsets:
+    - "transaction_log"
+    - "performance"
+  hosts: ["sqlserver://localhost"]
+  username: domain\username
+  password: verysecurepassword
+  period: 10
+```
+
+Store sensitive values like passwords in the [secrets keystore](/reference/metricbeat/keystore.md).
+
+
+## Example configuration [_example_configuration_44]
+
+The MSSQL module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: mssql
+  metricsets:
+    - "transaction_log"
+    - "performance"
+  hosts: ["sqlserver://localhost"]
+  username: domain\username
+  password: verysecurepassword
+  period: 10s
+```
+
+
+## Metricsets [_metricsets_51]
+
+The following metricsets are available:
+
+* [performance](/reference/metricbeat/metricbeat-metricset-mssql-performance.md)
+* [transaction_log](/reference/metricbeat/metricbeat-metricset-mssql-transaction_log.md)
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-munin.md b/docs/reference/metricbeat/metricbeat-module-munin.md
new file mode 100644
index 000000000000..72d7b80590b9
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-munin.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-munin.html
+---
+
+# Munin module [metricbeat-module-munin]
+
+This is the munin module.
+
+The default metricset is `node`.
+
+
+## Compatibility [_compatibility_36]
+
+Munin module should be compatible with any implementation of the munin network protocol ([http://guide.munin-monitoring.org/en/latest/master/network-protocol.html](http://guide.munin-monitoring.org/en/latest/master/network-protocol.html)), it is tested with munin node 2.0.
+
+
+## Example configuration [_example_configuration_45]
+
+The Munin module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: munin
+  metricsets: ["node"]
+  enabled: true
+  period: 10s
+  hosts: ["localhost:4949"]
+
+  # List of plugins to collect metrics from, by default it collects from
+  # all the available ones.
+  #munin.plugins: []
+
+  # If set to true, it sanitizes fields names in concordance with munin
+  # implementation (all characters that are not alphanumeric, or underscore
+  # are replaced by underscores).
+  #munin.sanitize: false
+```
+
+
+## Metricsets [_metricsets_52]
+
+The following metricsets are available:
+
+* [node](/reference/metricbeat/metricbeat-metricset-munin-node.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-mysql.md b/docs/reference/metricbeat/metricbeat-module-mysql.md
new file mode 100644
index 000000000000..f962212036f6
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-mysql.md
@@ -0,0 +1,115 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-mysql.html
+---
+
+# MySQL module [metricbeat-module-mysql]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/mysql.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module periodically fetches metrics from [MySQL](https://www.mysql.com/) servers.
+
+The default metricset is `status`.
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes_13]
+
+When configuring the `hosts` option, you must use a MySQL Data Source Name (DSN) of the following format:
+
+```
+[username[:password]@][protocol[(address)]]/
+```
+
+You can also separately specify the username and password using the respective configuration options. Usernames and passwords specified in the DSN take precedence over those specified in the `username` and `password` config options.
+
+```
+- module: mysql
+  metricsets: ["status"]
+  hosts: ["tcp(127.0.0.1:3306)/"]
+  username: root
+  password: secret
+```
+
+
+## Compatibility [_compatibility_37]
+
+The mysql MetricSets were tested with MySQL and Percona 5.7 and 8.0 and are expected to work with all versions >= 5.7.0. It is also tested with MariaDB 10.2, 10.3 and 10.4.
+
+
+## Dashboard [_dashboard_33]
+
+The mysql module comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-mysql.png
+:alt: metricbeat mysql
+:::
+
+
+## Example configuration [_example_configuration_46]
+
+The MySQL module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: mysql
+  metricsets:
+    - status
+  #  - galera_status
+  #  - performance
+  #  - query
+  period: 10s
+
+  # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/"
+  # or "unix(/var/lib/mysql/mysql.sock)/",
+  # or another DSN format supported by <https://github.com/Go-SQL-Driver/MySQL/>.
+  # The username and password can either be set in the DSN or using the username
+  # and password config options. Those specified in the DSN take precedence.
+  hosts: ["root:secret@tcp(127.0.0.1:3306)/"]
+
+  # Username of hosts. Empty by default.
+  #username: root
+
+  # Password of hosts. Empty by default.
+  #password: secret
+
+  # By setting raw to true, all raw fields from the status metricset will be added to the event.
+  #raw: false
+
+  # Optional SSL/TLS. By default is false.
+  #ssl.enabled: true
+
+  # List of root certificates for SSL/TLS server verification
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.crt"]
+
+  # Certificate for SSL/TLS client authentication
+  #ssl.certificate: "/etc/pki/client/cert.crt"
+
+  # Client certificate key file
+  #ssl.key: "/etc/pki/client/cert.key"
+```
+
+
+## Metricsets [_metricsets_53]
+
+The following metricsets are available:
+
+* [galera_status](/reference/metricbeat/metricbeat-metricset-mysql-galera_status.md)
+* [performance](/reference/metricbeat/metricbeat-metricset-mysql-performance.md)
+* [query](/reference/metricbeat/metricbeat-metricset-mysql-query.md)
+* [status](/reference/metricbeat/metricbeat-metricset-mysql-status.md)
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-nats.md b/docs/reference/metricbeat/metricbeat-module-nats.md
new file mode 100644
index 000000000000..d35a6812e67e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-nats.md
@@ -0,0 +1,82 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-nats.html
+---
+
+# NATS module [metricbeat-module-nats]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/nats.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The Nats module uses [Nats monitoring server APIs](https://nats.io/documentation/managing_the_server/monitoring/) to collect metrics.
+
+The default metricsets are `stats`, `connections`, `routes` and `subscriptions` while `connection` and `route` metricsets can be enabled to collect detailed metrics per connection/route.
+
+
+## Compatibility [_compatibility_39]
+
+The Nats module is tested with Nats 1.3.0, 2.0.4 and 2.1.4
+
+
+## Dashboard [_dashboard_34]
+
+The Nats module comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat_nats_dashboard.png
+:alt: metricbeat nats dashboard
+:::
+
+
+## Example configuration [_example_configuration_47]
+
+The NATS module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: nats
+  metricsets:
+    - "connections"
+    - "routes"
+    - "stats"
+    - "subscriptions"
+    #- "connection"
+    #- "route"
+  period: 10s
+  hosts: ["localhost:8222"]
+  #stats.metrics_path: "/varz"
+  #connections.metrics_path: "/connz"
+  #routes.metrics_path: "/routez"
+  #subscriptions.metrics_path: "/subsz"
+  #connection.metrics_path: "/connz"
+  #route.metrics_path: "/routez"
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_54]
+
+The following metricsets are available:
+
+* [connection](/reference/metricbeat/metricbeat-metricset-nats-connection.md)
+* [connections](/reference/metricbeat/metricbeat-metricset-nats-connections.md)
+* [route](/reference/metricbeat/metricbeat-metricset-nats-route.md)
+* [routes](/reference/metricbeat/metricbeat-metricset-nats-routes.md)
+* [stats](/reference/metricbeat/metricbeat-metricset-nats-stats.md)
+* [subscriptions](/reference/metricbeat/metricbeat-metricset-nats-subscriptions.md)
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-nginx.md b/docs/reference/metricbeat/metricbeat-module-nginx.md
new file mode 100644
index 000000000000..3878a675c2f0
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-nginx.md
@@ -0,0 +1,66 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-nginx.html
+---
+
+# Nginx module [metricbeat-module-nginx]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/nginx.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module periodically fetches metrics from [Nginx](https://nginx.org/) servers.
+
+The default metricset is `stubstatus`.
+
+
+## Compatibility [_compatibility_40]
+
+The Nginx metricsets were tested with Nginx 1.23.2 and are expected to work with all version >= 1.9.
+
+
+## Dashboard [_dashboard_35]
+
+The nginx module comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat-nginx.png
+:alt: metricbeat nginx
+:::
+
+
+## Example configuration [_example_configuration_48]
+
+The Nginx module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: nginx
+  metricsets: ["stubstatus"]
+  enabled: true
+  period: 10s
+
+  # Nginx hosts
+  hosts: ["http://127.0.0.1"]
+
+  # Path to server status. Default nginx_status
+  server_status_path: "nginx_status"
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_55]
+
+The following metricsets are available:
+
+* [stubstatus](/reference/metricbeat/metricbeat-metricset-nginx-stubstatus.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-openai.md b/docs/reference/metricbeat/metricbeat-module-openai.md
new file mode 100644
index 000000000000..0bb3ae513809
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-openai.md
@@ -0,0 +1,65 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/master/metricbeat-module-openai.html
+---
+
+# openai module [metricbeat-module-openai]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This is the openai module.
+
+
+## Example configuration [_example_configuration_49]
+
+The openai module supports the standard configuration options that are described in [Modules](configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: openai
+  metricsets: ["usage"]
+  enabled: false
+  period: 1h
+
+  # # Project API Keys - Multiple API keys can be specified for different projects
+  # api_keys:
+  # - key: "api_key1"
+  # - key: "api_key2"
+
+  # # API Configuration
+  # ## Base URL for the OpenAI usage API endpoint
+  # api_url: "https://api.openai.com/v1/usage"
+  # ## Custom headers to be included in API requests
+  # headers:
+  # - "k1: v1"
+  # - "k2: v2"
+  ## Rate Limiting Configuration
+  # rate_limit:
+  #   limit: 12 # seconds between requests
+  #   burst: 1  # max concurrent requests
+  # ## Request Timeout Duration
+  # timeout: 30s
+
+  # # Data Collection Configuration
+  # collection:
+  #   ## Number of days to look back when collecting usage data
+  #   lookback_days: 30
+  #   ## Whether to collect usage data in realtime. Defaults to false as how
+  #   # OpenAI usage data is collected will end up adding duplicate data to ES
+  #   # and also making it harder to do analytics. Best approach is to avoid
+  #   # realtime collection and collect only upto last day (in UTC). So, there's
+  #   # at most 24h delay.
+  #   realtime: false
+```
+
+
+## Metricsets [_metricsets_56]
+
+The following metricsets are available:
+
+* [usage](metricbeat-metricset-openai-usage.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-openmetrics.md b/docs/reference/metricbeat/metricbeat-module-openmetrics.md
new file mode 100644
index 000000000000..2b5d81146fca
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-openmetrics.md
@@ -0,0 +1,62 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-openmetrics.html
+---
+
+# Openmetrics module [metricbeat-module-openmetrics]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This module periodically fetches metrics from endpoints following [Openmetrics](https://openmetrics.io/) format.
+
+
+## Filtering metrics [_filtering_metrics]
+
+In order to filter out/in metrics one can make use of `metrics_filters.include` `metrics_filters.exclude` settings:
+
+```yaml
+- module: openmetrics
+  metricsets: ['collector']
+  period: 10s
+  hosts: ["localhost:9090"]
+  metrics_path: /metrics
+  metrics_filters:
+    include: ["node_filesystem_*"]
+    exclude: ["node_filesystem_device_*", "^node_filesystem_readonly$"]
+```
+
+The configuration above will include only metrics that match `node_filesystem_*` pattern and do not match `node_filesystem_device_*` and are not `node_filesystem_readonly` metric.
+
+
+## Example configuration [_example_configuration_50]
+
+The Openmetrics module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: openmetrics
+  metricsets: ['collector']
+  period: 10s
+  hosts: ['localhost:9090']
+
+  # This module uses the Prometheus collector metricset, all
+  # the options for this metricset are also available here.
+  metrics_path: /metrics
+  metrics_filters:
+    include: []
+    exclude: []
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_57]
+
+The following metricsets are available:
+
+* [collector](/reference/metricbeat/metricbeat-metricset-openmetrics-collector.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-oracle.md b/docs/reference/metricbeat/metricbeat-module-oracle.md
new file mode 100644
index 000000000000..d0c0a6a722d8
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-oracle.md
@@ -0,0 +1,142 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-oracle.html
+---
+
+# Oracle module [metricbeat-module-oracle]
+
+This is the [Oracle](https://www.oracle.com) module for Metricbeat. It is under active development with feedback from the community. A single Metricset for Tablespace monitoring is added so the community can start gathering metrics from their nodes and contributing to the module.
+
+
+## Compatibility [_compatibility_41]
+
+Oracle Metricbeat module is being tested version 12c R2 by using the store/oracle/database-enterprise:12.2.0.1 Docker image downloaded directly from the [Oracle Docker Hub repository](https://hub.docker.com/_/oracle-database-enterprise-edition) which is based on 5.0.13-arch1-1-ARCH Arch Linux. This is important, the module has only been tested with the mentioned image in Linux environments.
+
+
+## Dashboard [_dashboard_36]
+
+An overview dashboard for Kibana is already included:
+
+:::{image} images/metricbeat-oracle-overview.png
+:alt: metricbeat oracle overview
+:::
+
+
+## Requirements [_requirements]
+
+Connectivity to Oracle can be facilitated in two ways either by using official Oracle libraries or by using a JDBC driver. Facilitation of the connectivity using JDBC is not supported currently with Metricbeat. Connectivity can be facilitated using Oracle libraries and the detailed steps to do the same are mentioned below.
+
+**Oracle Database Connection Pre-requisites**
+
+To get connected with the Oracle Database ORACLE_SID, ORACLE_BASE, ORACLE_HOME environment variables should be set.
+
+For example: Let’s consider Oracle Database 21c installation using RPM manually by following [this](https://docs.oracle.com/en/database/oracle/oracle-database/21/ladbi/running-rpm-packages-to-install-oracle-database.html) link, environment variables should be set as follows: `ORACLE_SID=ORCLCDB` `ORACLE_BASE=/opt/oracle/oradata` `ORACLE_HOME=/opt/oracle/product/21c/dbhome_1` Also, add `ORACLE_HOME/bin` to the `PATH` environment variable.
+
+**Oracle Instant Client**
+
+Oracle Instant Client enables development and deployment of applications that connect to Oracle Database. The Instant Client libraries provide the necessary network connectivity and advanced data features to make full use of Oracle Database. If you have OCI Oracle server which comes with these libraries pre-installed, you don’t need a separate client installation.
+
+The OCI library install few Client Shared Libraries that must be referenced on the machine where Metricbeat is installed. Please follow [this](https://docs.oracle.com/en/database/oracle/oracle-database/21/lacli/install-instant-client-using-zip.html#GUID-D3DCB4FB-D3CA-4C25-BE48-3A1FB5A22E84) link for OCI Instant Client set up. The OCI Instant Client is available with the Oracle Universal Installer, RPM file or ZIP file. Download links can be found [here](https://www.oracle.com/database/technologies/instant-client/downloads.html).
+
+**Enable Listener**
+
+The Oracle listener is a service that runs on the database host and receives requests from Oracle clients. Make sure that [listener](https://docs.oracle.com/cd/B19306_01/network.102/b14213/lsnrctl.htm) should be running. To check if the listener is running or not, run:
+
+`lsnrctl STATUS`
+
+If the listener is not running, use the command to start:
+
+`lsnrctl START`
+
+Then, Metricbeat can be launched.
+
+**Host Configuration**
+
+The following types of host configuration are supported:
+
+1. An old-style Oracle connection string, for backwards compatibility:
+
+    1. `hosts: ["user/pass@0.0.0.0:1521/ORCLPDB1.localdomain"]`
+    2. `hosts: ["user/password@0.0.0.0:1521/ORCLPDB1.localdomain as sysdba"]`
+
+2. DSN configuration as a URL:
+
+    1. `hosts: ["oracle://user:pass@0.0.0.0:1521/ORCLPDB1.localdomain?sysdba=1"]`
+
+3. DSN configuration as a logfmt-encoded parameter list:
+
+    1. `hosts: ['user="user" password="pass" connectString="0.0.0.0:1521/ORCLPDB1.localdomain"']`
+    2. `hosts: ['user="user" password="password" connectString="host:port/service_name" sysdba=true']`
+
+
+DSN host configuration is the recommended configuration type as it supports the use of special characters in the password.
+
+In a URL any special characters should be URL encoded.
+
+In the logfmt-encoded DSN format, if the password contains a backslash character (`\`), it must be escaped with another backslash. For example, if the password is `my\_password`, it must be written as `my\\_password`.
+
+
+## Metricsets [_metricsets_58]
+
+The following Metricsets are included in the module:
+
+
+### `performance` [_performance_2]
+
+Includes performance related events which contains mainly cursor and cache based data.
+
+
+### `tablespaces` [_tablespaces]
+
+Includes information about data files and temp files, grouped by Tablespace with free space available, used space, status of the data files, status of the Tablespace, etc.
+
+
+### `sysmetric` [_sysmetric]
+
+Includes the system metric values captured for the most current time interval from Oracle system metrics.
+
+
+### Example configuration [_example_configuration_51]
+
+The Oracle module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+# Module: oracle
+
+- module: oracle
+  period: 10m
+  metricsets:
+    - tablespace
+  enabled: true
+  hosts: ['user="user" password="pass" connectString="0.0.0.0:1521/ORCLPDB1.localdomain"']
+- module: oracle
+  period: 10s
+  metricsets:
+    - performance
+  enabled: true
+  hosts: ['user="user" password="pass" connectString="0.0.0.0:1521/ORCLPDB1.localdomain"']
+- module: oracle
+  period: 60s
+  metricsets:
+    - sysmetric
+  enabled: true
+  hosts: ['user="user" password="pass" connectString="0.0.0.0:1521/ORCLPDB1.localdomain"']
+  # patterns: ["foo%","%bar","%foobar%"]
+
+  # username: ""
+  # password: ""
+```
+
+
+### Metricsets [_metricsets_59]
+
+The following metricsets are available:
+
+* [performance](/reference/metricbeat/metricbeat-metricset-oracle-performance.md)
+* [sysmetric](/reference/metricbeat/metricbeat-metricset-oracle-sysmetric.md)
+* [tablespace](/reference/metricbeat/metricbeat-metricset-oracle-tablespace.md)
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-panw.md b/docs/reference/metricbeat/metricbeat-module-panw.md
new file mode 100644
index 000000000000..f1f4ce5af553
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-panw.md
@@ -0,0 +1,135 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-panw.html
+---
+
+# Panw module [metricbeat-module-panw]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/panw.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The panw Metricbeat module uses the Palo Alto [pango](https://pkg.go.dev/github.com/PaloAltoNetworks/pango#section-documentation) package to extract metrics information from a firewall device via the XML API.
+
+
+### Dashboards [_dashboards_3]
+
+
+### Module-specific configuration notes [_module_specific_configuration_notes_15]
+
+The panw module configuration requires the ip address of the target firewall device and an API Key generated from that firewall. It is assumed that network access to the firewall is available. All access by the panw module is read-only.
+
+**Limitations** The current version of the module is configured to run against **exactly 1** firewall. Multiple firewalls will require multiple agent configurations. The module has also not been tested with Panorama, though it should work since it only relies on lower level Client.Op calls to send XML API commands to the server.
+
+Required credentials for the `panw` module:
+
+`host_ip`
+:   IP address of the firewall - must be network accessible.
+
+`apiKey`
+:   An API Key generated via an XML API call to the firewall or via the management dashboard. This
+
+
+## Metricsets [_metricsets_60]
+
+
+### `bgp_peers` [_bgp_peers]
+
+This metricset reports information on BGP Peers defined in the firewall.
+
+
+### `certificates` [_certificates]
+
+This metricset will capture certificates defined on the firewall including expiration dates.
+
+
+### `fans` [_fans]
+
+This metricset will collect information from hardware fans (RPMS) and will report if an alarm is active for a given fan.
+
+
+### `filesystem` [_filesystem]
+
+This metricset reports disk usage for filesystems defined on the device, based on df output.
+
+
+### `globalprotect_sessions` [_globalprotect_sessions]
+
+This metricset will collect metrics on current user sessions established on Global Protect gateways.
+
+
+### `globalprotect_stats` [_globalprotect_stats]
+
+This metricset reports the number of user per GlobalProtect gateway and totals across all gateways.
+
+
+### `ha_interfaces` [_ha_interfaces]
+
+This metricset will collect metrics from the device on High Availabilty configuration for interfaces.
+
+
+### `licenses` [_licenses]
+
+This metricset reports on licenses for sofware features with expiration dates.
+
+
+### `logical` [_logical]
+
+This metricset will collect metrics on logical interfaces in the device’s network.
+
+
+### `power` [_power]
+
+This metricset reports power usage and alarms.
+
+
+### `system` [_system]
+
+This metricset captures system informate such as uptime, user count, CPU, memory and swap: essentiallyl the first 5 lines of *top* output.
+
+
+### `temperature` [_temperature]
+
+This metricset reports temperature for various slots on the device and reports on alarm status.
+
+
+### `tunnels` [_tunnels]
+
+This metricset enumerates ipsec tunnels and their status.
+
+
+### Example configuration [_example_configuration_52]
+
+The Panw module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: panw
+  metricsets: ["licenses"]
+  enabled: false
+  period: 10s
+  hosts: ["localhost"]
+```
+
+
+### Metricsets [_metricsets_61]
+
+The following metricsets are available:
+
+* [interfaces](/reference/metricbeat/metricbeat-metricset-panw-interfaces.md)
+* [routing](/reference/metricbeat/metricbeat-metricset-panw-routing.md)
+* [system](/reference/metricbeat/metricbeat-metricset-panw-system.md)
+* [vpn](/reference/metricbeat/metricbeat-metricset-panw-vpn.md)
diff --git a/docs/reference/metricbeat/metricbeat-module-php_fpm.md b/docs/reference/metricbeat/metricbeat-module-php_fpm.md
new file mode 100644
index 000000000000..bbc0b413413a
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-php_fpm.md
@@ -0,0 +1,63 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-php_fpm.html
+---
+
+# PHP_FPM module [metricbeat-module-php_fpm]
+
+This module periodically fetches metrics from [PHP-FPM](https://php-fpm.org) servers.
+
+The default metricset is `pool`.
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes_16]
+
+You need to enable the PHP-FPM status page by properly configuring `pm.status_path`.
+
+Here is a sample nginx configuration to forward requests to the PHP-FPM status page (assuming `pm.status_path` is configured with default value `/status`):
+
+```
+nginx
+location ~ /status {
+     allow 127.0.0.1;
+     deny all;
+     include fastcgi_params;
+     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+     fastcgi_pass 127.0.0.1:9000;
+}
+```
+
+
+## Compatibility [_compatibility_42]
+
+The PHP_FPM metricsets were tested with PHP 7.1.1 and are expected to work with all versions >= 5.
+
+
+## Example configuration [_example_configuration_53]
+
+The PHP_FPM module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: php_fpm
+  metricsets:
+  - pool
+  #- process
+  enabled: true
+  period: 10s
+  status_path: "/status"
+  hosts: ["localhost:8080"]
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_62]
+
+The following metricsets are available:
+
+* [pool](/reference/metricbeat/metricbeat-metricset-php_fpm-pool.md)
+* [process](/reference/metricbeat/metricbeat-metricset-php_fpm-process.md)
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-postgresql.md b/docs/reference/metricbeat/metricbeat-module-postgresql.md
new file mode 100644
index 000000000000..6db1b86b20a5
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-postgresql.md
@@ -0,0 +1,122 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-postgresql.html
+---
+
+# PostgreSQL module [metricbeat-module-postgresql]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/postgresql.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module periodically fetches metrics from [PostgreSQL](https://www.postgresql.org/) servers.
+
+Default metricsets are `activity`, `bgwriter` and `database`.
+
+
+## Dashboard [_dashboard_37]
+
+The PostgreSQL module comes with a predefined dashboard showing databse related metrics. For example:
+
+:::{image} images/metricbeat-postgresql-overview.png
+:alt: metricbeat postgresql overview
+:::
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes_17]
+
+When configuring the `hosts` option, you must use Postgres URLs of the following format:
+
+```
+[postgres://][user:pass@]host[:port][?options]
+```
+
+The URL can be as simple as:
+
+```yaml
+- module: postgresql
+  hosts: ["postgres://localhost"]
+```
+
+Or more complex like:
+
+```yaml
+- module: postgresql
+  hosts: ["postgres://localhost:40001?sslmode=disable", "postgres://otherhost:40001"]
+```
+
+You can also separately specify the username and password using the respective configuration options. Usernames and passwords specified in the URL take precedence over those specified in the `username` and `password` config options.
+
+```yaml
+- module: postgresql
+  metricsets: ["status"]
+  hosts: ["postgres://localhost:5432"]
+  username: root
+  password: test
+```
+
+
+## Compatibility [_compatibility_43]
+
+This module was tested with PostgreSQL 9, 10, 11, 12 and 13. It is expected to work with all versions >= 9.
+
+
+## Example configuration [_example_configuration_54]
+
+The PostgreSQL module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: postgresql
+  enabled: true
+  metricsets:
+    # Stats about every PostgreSQL database
+    - database
+
+    # Stats about the background writer process's activity
+    - bgwriter
+
+    # Stats about every PostgreSQL process
+    - activity
+
+    # Stats about every statement executed in the server. It requires the
+    # `pg_stats_statement` library to be configured in the server.
+    #- statement
+
+  period: 10s
+
+  # The host must be passed as PostgreSQL URL. Example:
+  # postgres://localhost:5432?sslmode=disable
+  # The available parameters are documented here:
+  # https://godoc.org/github.com/lib/pq#hdr-Connection_String_Parameters
+  hosts: ["postgres://localhost:5432"]
+
+  # Username to use when connecting to PostgreSQL. Empty by default.
+  #username: user
+
+  # Password to use when connecting to PostgreSQL. Empty by default.
+  #password: pass
+```
+
+
+## Metricsets [_metricsets_63]
+
+The following metricsets are available:
+
+* [activity](/reference/metricbeat/metricbeat-metricset-postgresql-activity.md)
+* [bgwriter](/reference/metricbeat/metricbeat-metricset-postgresql-bgwriter.md)
+* [database](/reference/metricbeat/metricbeat-metricset-postgresql-database.md)
+* [statement](/reference/metricbeat/metricbeat-metricset-postgresql-statement.md)
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-prometheus.md b/docs/reference/metricbeat/metricbeat-module-prometheus.md
new file mode 100644
index 000000000000..c0a39a285901
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-prometheus.md
@@ -0,0 +1,113 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-prometheus.html
+---
+
+# Prometheus module [metricbeat-module-prometheus]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/prometheus.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+$$$prometheus-module$$$
+This module periodically scrapes metrics from [Prometheus exporters](https://prometheus.io/docs/instrumenting/exporters/).
+
+
+## Dashboard [_dashboard_38]
+
+The Prometheus module comes with a predefined dashboard for Prometheus specific stats. For example:
+
+:::{image} images/metricbeat-prometheus-overview.png
+:alt: metricbeat prometheus overview
+:::
+
+
+## Example configuration [_example_configuration_55]
+
+The Prometheus module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+# Metrics collected from a Prometheus endpoint
+- module: prometheus
+  period: 10s
+  metricsets: ["collector"]
+  hosts: ["localhost:9090"]
+  metrics_path: /metrics
+  #metrics_filters:
+  #  include: []
+  #  exclude: []
+  #username: "user"
+  #password: "secret"
+
+  # Count number of metrics present in Elasticsearch document (default: false)
+  #metrics_count: false
+
+  # This can be used for service account based authorization:
+  #bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+  #ssl.certificate_authorities:
+  #  - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+
+
+# Metrics sent by a Prometheus server using remote_write option
+#- module: prometheus
+#  metricsets: ["remote_write"]
+#  host: "localhost"
+#  port: "9201"
+
+  # Count number of metrics present in Elasticsearch document (default: false)
+  #metrics_count: false
+
+  # Secure settings for the server using TLS/SSL:
+  #ssl.certificate: "/etc/pki/server/cert.pem"
+  #ssl.key: "/etc/pki/server/cert.key"
+
+# Metrics that will be collected using a PromQL
+#- module: prometheus
+#  metricsets: ["query"]
+#  hosts: ["localhost:9090"]
+#  period: 10s
+#  queries:
+#  - name: "instant_vector"
+#    path: "/api/v1/query"
+#    params:
+#      query: "sum(rate(prometheus_http_requests_total[1m]))"
+#  - name: "range_vector"
+#    path: "/api/v1/query_range"
+#    params:
+#      query: "up"
+#      start: "2019-12-20T00:00:00.000Z"
+#      end:  "2019-12-21T00:00:00.000Z"
+#      step: 1h
+#  - name: "scalar"
+#    path: "/api/v1/query"
+#    params:
+#      query: "100"
+#  - name: "string"
+#    path: "/api/v1/query"
+#    params:
+#      query: "some_value"
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_64]
+
+The following metricsets are available:
+
+* [collector](/reference/metricbeat/metricbeat-metricset-prometheus-collector.md)
+* [query](/reference/metricbeat/metricbeat-metricset-prometheus-query.md)
+* [remote_write](/reference/metricbeat/metricbeat-metricset-prometheus-remote_write.md)
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-rabbitmq.md b/docs/reference/metricbeat/metricbeat-module-rabbitmq.md
new file mode 100644
index 000000000000..660bf2929c81
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-rabbitmq.md
@@ -0,0 +1,69 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-rabbitmq.html
+---
+
+# RabbitMQ module [metricbeat-module-rabbitmq]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/rabbitmq.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The RabbitMQ module uses [HTTP API](http://www.rabbitmq.com/management.html) created by the management plugin to collect metrics.
+
+The default metricsets are `connection`, `node`, `queue`, `exchange` and `shovel`.
+
+If `management.path_prefix` is set in RabbitMQ configuration, `management_path_prefix` has to be set to the same value in this module configuration.
+
+
+## Compatibility [_compatibility_44]
+
+The rabbitmq module is fully tested with RabbitMQ 3.7.4 and it should be compatible with any version supporting the management plugin (which needs to be installed and enabled). Exchange metricset is also tested with 3.6.0, 3.6.5 and 3.7.14
+
+
+## Example configuration [_example_configuration_56]
+
+The RabbitMQ module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: rabbitmq
+  metricsets: ["node", "queue", "connection", "exchange", "shovel"]
+  enabled: true
+  period: 10s
+  hosts: ["localhost:15672"]
+
+  # Management path prefix, if `management.path_prefix` is set in RabbitMQ
+  # configuration, it has to be set to the same value.
+  #management_path_prefix: ""
+
+  #username: guest
+  #password: guest
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_65]
+
+The following metricsets are available:
+
+* [connection](/reference/metricbeat/metricbeat-metricset-rabbitmq-connection.md)
+* [exchange](/reference/metricbeat/metricbeat-metricset-rabbitmq-exchange.md)
+* [node](/reference/metricbeat/metricbeat-metricset-rabbitmq-node.md)
+* [queue](/reference/metricbeat/metricbeat-metricset-rabbitmq-queue.md)
+* [shovel](/reference/metricbeat/metricbeat-metricset-rabbitmq-shovel.md)
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-redis.md b/docs/reference/metricbeat/metricbeat-module-redis.md
new file mode 100644
index 000000000000..31c163308ffc
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-redis.md
@@ -0,0 +1,114 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-redis.html
+---
+
+# Redis module [metricbeat-module-redis]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/redis.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module periodically fetches metrics from [Redis](http://redis.io/) servers.
+
+The defaut metricsets are `info` and `keyspace`.
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes_18]
+
+The Redis module has these additional config options:
+
+**`hosts`**
+:   URLs that are used to connect to Redis. URL format: redis://[:password@]host[:port][/db-number][?option=value] redis://HOST[:PORT][?password=PASSWORD[&db=DATABASE]]
+
+**`password`**
+:   The password to authenticate, by default it’s empty.
+
+**`idle_timeout`**
+:   The duration to remain idle before closing connections. If the value is zero, then idle connections are not closed. The default value is 2 times the module period to allow a connection to be reused across fetches. The `idle_timeout` should be set to less than the server’s connection timeout.
+
+**`network`**
+:   The network type to be used for the Redis connection. The default value is `tcp`.
+
+**`maxconn`**
+:   The maximum number of concurrent connections to Redis. The default value is 10.
+
+
+## Compatibility [_compatibility_45]
+
+The redis metricsets `info`, `key` and `keyspace` are compatible with all distributions of Redis (OSS and enterprise). They were tested with Redis 3.2.12, 4.0.11, 5.0-rc4 and 6.2.6, and are expected to work with all versions >= 3.0.
+
+
+## Example configuration [_example_configuration_57]
+
+The Redis module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: redis
+  metricsets: ["info", "keyspace"]
+  enabled: true
+  period: 10s
+
+  # Redis hosts
+  hosts: ["127.0.0.1:6379"]
+
+  # Timeout after which time a metricset should return an error
+  # Timeout is by default defined as period, as a fetch of a metricset
+  # should never take longer then period, as otherwise calls can pile up.
+  #timeout: 1s
+
+  # Optional fields to be added to each event
+  #fields:
+  #  datacenter: west
+
+  # Network type to be used for redis connection. Default: tcp
+  #network: tcp
+
+  # Max number of concurrent connections. Default: 10
+  #maxconn: 10
+
+  # Filters can be used to reduce the number of fields sent.
+  #processors:
+  #  - include_fields:
+  #      fields: ["beat", "metricset", "redis.info.stats"]
+
+  # Redis AUTH username (Redis 6.0+). Empty by default.
+  #username: user
+
+  # Redis AUTH password. Empty by default.
+  #password: pass
+
+  # Optional SSL/TLS (Redis 6.0+). By default is false.
+  #ssl.enabled: true
+
+  # List of root certificates for SSL/TLS server verification
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.crt"]
+
+  # Certificate for SSL/TLS client authentication
+  #ssl.certificate: "/etc/pki/client/cert.crt"
+
+  # Client certificate key file
+  #ssl.key: "/etc/pki/client/cert.key"
+```
+
+
+## Metricsets [_metricsets_66]
+
+The following metricsets are available:
+
+* [info](/reference/metricbeat/metricbeat-metricset-redis-info.md)
+* [key](/reference/metricbeat/metricbeat-metricset-redis-key.md)
+* [keyspace](/reference/metricbeat/metricbeat-metricset-redis-keyspace.md)
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-redisenterprise.md b/docs/reference/metricbeat/metricbeat-module-redisenterprise.md
new file mode 100644
index 000000000000..a38a59b397af
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-redisenterprise.md
@@ -0,0 +1,65 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-redisenterprise.html
+---
+
+# Redis Enterprise module [metricbeat-module-redisenterprise]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+This module periodically fetches metrics from [Redis Enterprise Software](https://redislabs.com/redis-enterprise/).
+
+The defaut metricsets are `node` and `proxy`.
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes_19]
+
+The `redisenterprise` module has these additional config options:
+
+**`hosts`**
+:   URLs that are used to connect to Redis. URL format: `https://HOST:PORT`
+
+
+## Compatibility [_compatibility_46]
+
+The metricsets `node` and `proxy` are compatible with Redis Enterprise Software (RES). There were tested with RES 5.4.10-22 and are expected to work with all versions >= 5.0.2.
+
+
+## Dashboard [_dashboard_40]
+
+The `redisenterprise` module includes a predefined dashboard with overview information of the monitored servers.
+
+:::{image} images/metricbeat-redisenterprise-overview.png
+:alt: metricbeat redisenterprise overview
+:::
+
+
+## Example configuration [_example_configuration_58]
+
+The Redis Enterprise module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: redisenterprise
+  metricsets:
+    - node
+    - proxy
+  period: 1m
+
+  # Metrics endpoint
+  hosts: ["https://127.0.0.1:8070/"]
+```
+
+
+## Metricsets [_metricsets_67]
+
+The following metricsets are available:
+
+* [node](/reference/metricbeat/metricbeat-metricset-redisenterprise-node.md)
+* [proxy](/reference/metricbeat/metricbeat-metricset-redisenterprise-proxy.md)
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-sql.md b/docs/reference/metricbeat/metricbeat-module-sql.md
new file mode 100644
index 000000000000..6796cc1a41b2
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-sql.md
@@ -0,0 +1,799 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-sql.html
+---
+
+# SQL module [metricbeat-module-sql]
+
+The SQL module allows you to execute custom queries against an SQL database and store the results in {{es}}. It also enables the development of various SQL metrics integrations, using SQL query as input.
+
+This module supports the databases that you can monitor with {{metricbeat}}, including:
+
+* PostgreSQL
+* MySQL
+* Oracle
+* Microsoft SQL
+* CockroachDB
+
+To enable the module, run:
+
+```shell
+metricbeat module enable sql
+```
+
+After enabling the module, open `modules.d/sql.yml` and set the required fields:
+
+`driver`
+:   The driver can be any driver that has a {{metricbeat}} module, such as `mssql` or `postgres`.
+
+`fetch_from_all_databases`
+:   Expects either `true` or `false` and it is by default set to `false`. Marking as `true` will enable execution `sql_queries` or `sql_query` for all databases in a server. Currently only `mssql` driver supports this feature. For other drivers, if enabled, "fetch from all databases feature is not supported for driver: <driver_name>" error would be logged.
+
+`raw_data.enabled`
+:   Expects either `true` or `false` and it is by default set to `false`. Marking as `true` will generate event results in a new field format.
+
+Use `sql_queries` or `sql_query` depending on the use-case.
+
+`sql_queries`
+:   List of queries to execute. `query` and `response_format` fields are repeated to get multiple query inputs.
+
+    `query`
+    :   Single SQL query.
+
+    `response_format`
+    :   Either `variables` or `table`.
+
+        `variables`
+        :   Expects a two-column table that looks like a key-value result. The left column is considered a key and the right column is the value. This mode generates a single event on each fetch operation.
+
+        `table`
+        :   Expects any number of columns. This mode generates a single event for each row.
+
+
+`sql_query` (`Backward Compatibility`)
+:   Single query you want to run. Also, provide corresponding `sql_response_format` (value: `variables` or `table`) similar to `sql_queries`'s `response_format`.
+
+
+## Example [_example_4]
+
+Examples of configurations in `sql.yml` to connect with supported databases are mentioned below.
+
+
+### Example: Capture Innodb-related metrics [_example_capture_innodb_related_metrics]
+
+This `sql.yml` configuration shows how to capture Innodb-related metrics that result from the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL database:
+
+```yaml
+- module: sql
+  metricsets:
+    - query
+  period: 10s
+  hosts: ["root:root@tcp(localhost:3306)/ps"]
+
+  driver: "mysql"
+  sql_query: "SHOW GLOBAL STATUS LIKE 'Innodb_system%'"
+  sql_response_format: variables
+```
+
+The `SHOW GLOBAL STATUS` query results in this table:
+
+| Variable_name | Value |
+| --- | --- |
+| Innodb_system_rows_deleted | 0 |
+| Innodb_system_rows_inserted | 0 |
+| Innodb_system_rows_read | 5062 |
+| Innodb_system_rows_updated | 315 |
+
+Results are grouped by type in the result event for convenient mapping in {{es}}. For example, `strings` values are grouped into `sql.strings`, `numeric` into `sql.numeric`, and so on.
+
+The example shown earlier generates this event:
+
+```json
+{
+  "@timestamp": "2020-06-09T15:09:14.407Z",
+  "@metadata": {
+    "beat": "metricbeat",
+    "type": "_doc",
+    "version": "8.0.0"
+  },
+  "service": {
+    "address": "172.18.0.2:3306",
+    "type": "sql"
+  },
+  "event": {
+    "dataset": "sql.query",
+    "module": "sql",
+    "duration": 1272810
+  },
+  "sql": {
+    "driver": "mysql",
+    "query": "SHOW GLOBAL STATUS LIKE 'Innodb_system%'",
+    "metrics": {
+      "numeric": {
+        "innodb_system_rows_updated": 315,
+        "innodb_system_rows_deleted": 0,
+        "innodb_system_rows_inserted": 0,
+        "innodb_system_rows_read": 5062
+      }
+    }
+  },
+  "metricset": {
+    "name": "query",
+    "period": 10000
+  },
+  "ecs": {
+    "version": "1.5.0"
+  },
+  "host": {
+    "name": "elastic"
+  },
+  "agent": {
+    "name": "elastic",
+    "type": "metricbeat",
+    "version": "8.0.0",
+    "ephemeral_id": "488431bd-bd3c-4442-ad51-0c50eb555787",
+    "id": "670ef211-87f0-4f38-8beb-655c377f1629"
+  }
+}
+```
+
+
+### Example: Query PostgreSQL and generate a "table" result [_example_query_postgresql_and_generate_a_table_result]
+
+This `sql.yml` configuration shows how to query PostgreSQL and generate a "table" result. This configuration generates a single event for each row returned:
+
+```yaml
+- module: sql
+  metricsets:
+    - query
+  period: 10s
+  hosts: ["postgres://postgres:postgres@localhost:5432/stuff?sslmode=disable"]
+
+  driver: "postgres"
+  sql_query: "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database"
+  sql_response_format: table
+```
+
+The SELECT query results in this table:
+
+| datid | datname | blks_read | blks_hit | tup_returned | tup_fetched | stats_reset |
+| --- | --- | --- | --- | --- | --- | --- |
+| 69448 | stuff | 8652 | 205976 | 1484625 | 53218 | 2020-06-07 22:50:12 |
+| 13408 | postgres | 0 | 0 | 0 | 0 |  |
+| 13407 | template0 | 0 | 0 | 0 | 0 |  |
+
+Because the table contains three rows, three events are generated, one event for each row. For example, this event is created for the first row:
+
+```json
+{
+  "@timestamp": "2020-06-09T14:47:35.481Z",
+  "@metadata": {
+    "beat": "metricbeat",
+    "type": "_doc",
+    "version": "8.0.0"
+  },
+  "service": {
+    "address": "localhost:5432",
+    "type": "sql"
+  },
+  "ecs": {
+    "version": "1.5.0"
+  },
+  "host": {
+    "name": "elastic"
+  },
+  "agent": {
+    "type": "metricbeat",
+    "version": "8.0.0",
+    "ephemeral_id": "1bffe66d-a1ae-4ed6-985a-fd48548a1971",
+    "id": "670ef211-87f0-4f38-8beb-655c377f1629",
+    "name": "elastic"
+  },
+  "sql": {
+    "metrics": {
+      "numeric": {
+        "tup_fetched": 53350,
+        "datid": 69448,
+        "blks_read": 8652,
+        "blks_hit": 206501,
+        "tup_returned": 1.491873e+06
+      },
+      "string": {
+        "stats_reset": "2020-06-07T20:50:12.632975Z",
+        "datname": "stuff"
+      }
+    },
+    "driver": "postgres",
+    "query": "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database"
+  },
+  "event": {
+    "dataset": "sql.query",
+    "module": "sql",
+    "duration": 14076705
+  },
+  "metricset": {
+    "name": "query",
+    "period": 10000
+  }
+}
+```
+
+
+### Example: Get the buffer catch hit ratio in Oracle [_example_get_the_buffer_catch_hit_ratio_in_oracle]
+
+This `sql.yml` configuration shows how to get the buffer cache hit ratio:
+
+```yaml
+- module: sql
+  metricsets:
+    - query
+  period: 10s
+  hosts: ["oracle://sys:password@172.17.0.3:1521/ORCLPDB1.localdomain?sysdba=1"]
+
+  driver: "oracle"
+  sql_query: 'SELECT name, physical_reads, db_block_gets, consistent_gets, 1 - (physical_reads / (db_block_gets + consistent_gets)) "Hit Ratio" FROM V$BUFFER_POOL_STATISTICS'
+  sql_response_format: table
+```
+
+The example generates this event:
+
+```json
+{
+  "@timestamp": "2020-06-09T15:41:02.200Z",
+  "@metadata": {
+    "beat": "metricbeat",
+    "type": "_doc",
+    "version": "8.0.0"
+  },
+  "sql": {
+    "metrics": {
+      "numeric": {
+        "hit ratio": 0.9742963357937117,
+        "physical_reads": 17161,
+        "db_block_gets": 122221,
+        "consistent_gets": 545427
+      },
+      "string": {
+        "name": "DEFAULT"
+      }
+    },
+    "driver": "oracle",
+    "query": "SELECT name, physical_reads, db_block_gets, consistent_gets, 1 - (physical_reads / (db_block_gets + consistent_gets)) \"Hit Ratio\" FROM V$BUFFER_POOL_STATISTICS"
+  },
+  "metricset": {
+    "period": 10000,
+    "name": "query"
+  },
+  "service": {
+    "address": "172.17.0.3:1521",
+    "type": "sql"
+  },
+  "event": {
+    "dataset": "sql.query",
+    "module": "sql",
+    "duration": 39233704
+  },
+  "ecs": {
+    "version": "1.5.0"
+  },
+  "host": {
+    "name": "elastic"
+  },
+  "agent": {
+    "id": "670ef211-87f0-4f38-8beb-655c377f1629",
+    "name": "elastic",
+    "type": "metricbeat",
+    "version": "8.0.0",
+    "ephemeral_id": "49e00060-0fa4-4b34-80f1-446881f7a788"
+  }
+}
+```
+
+
+### Example: Get the buffer cache hit ratio for MSSQL [_example_get_the_buffer_cache_hit_ratio_for_mssql]
+
+This `sql.yml` configuration gets the buffer cache hit ratio:
+
+```yaml
+- module: sql
+  metricsets:
+    - query
+  period: 10s
+  hosts: ["sqlserver://SA:password@localhost"]
+
+  driver: "mssql"
+  sql_query: 'SELECT * FROM sys.dm_db_log_space_usage'
+  sql_response_format: table
+```
+
+The example generates this event:
+
+```json
+{
+  "@timestamp": "2020-06-09T15:39:14.421Z",
+  "@metadata": {
+    "beat": "metricbeat",
+    "type": "_doc",
+    "version": "8.0.0"
+  },
+  "sql": {
+    "driver": "mssql",
+    "query": "SELECT * FROM sys.dm_db_log_space_usage",
+    "metrics": {
+      "numeric": {
+        "log_space_in_bytes_since_last_backup": 524288,
+        "database_id": 1,
+        "total_log_size_in_bytes": 2.08896e+06,
+        "used_log_space_in_bytes": 954368,
+        "used_log_space_in_percent": 45.686275482177734
+      }
+    }
+  },
+  "event": {
+    "dataset": "sql.query",
+    "module": "sql",
+    "duration": 40750570
+  }
+}
+```
+
+
+### Example: Launch two or more queries. [_example_launch_two_or_more_queries]
+
+To launch two or more queries, specify the full configuration for each query. For example:
+
+```yaml
+- module: sql
+  metricsets:
+    - query
+  period: 10s
+  hosts: ["postgres://postgres:postgres@localhost:5432/stuff?sslmode=disable"]
+  driver: "postgres"
+  raw_data.enabled: true
+
+  sql_queries:
+    - query: "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database"
+      response_format: table
+
+    - query: "SELECT datname, datid FROM pg_stat_database;"
+      response_format: variables
+```
+
+The example generates this event: The response event is generated in new format by enabling the flag `raw_data.enabled`.
+
+```json
+{
+  "@timestamp": "2022-05-13T12:47:32.071Z",
+  "@metadata": {
+    "beat": "metricbeat",
+    "type": "_doc",
+    "version": "8.3.0"
+  },
+  "event": {
+    "dataset": "sql.query",
+    "module": "sql",
+    "duration": 114468667
+  },
+  "metricset": {
+    "name": "query",
+    "period": 10000
+  },
+  "service": {
+    "address": "localhost:55656",
+    "type": "sql"
+  },
+  "sql": {
+    "driver": "postgres",
+    "query": "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database",
+    "metrics": {
+      "blks_hit": 6360,
+      "tup_returned": 2225,
+      "tup_fetched": 1458,
+      "datid": 13394,
+      "datname": "template0",
+      "blks_read": 33
+    }
+  },
+  "ecs": {
+    "version": "8.0.0"
+  },
+  "host": {
+    "name": "mps"
+  },
+  "agent": {
+    "type": "metricbeat",
+    "version": "8.3.0",
+    "ephemeral_id": "8decc9eb-5ea5-47d8-8a22-fac507a5521b",
+    "id": "6bbf5058-afed-44c6-aa05-775ee14a2da4",
+    "name": "mps"
+  }
+}
+```
+
+The example generates this event: By disabling the flag `raw_data.enabled`, which is the old format.
+
+```json
+{
+  "@timestamp": "2022-05-13T13:09:19.599Z",
+  "@metadata": {
+    "beat": "metricbeat",
+    "type": "_doc",
+    "version": "8.3.0"
+  },
+  "event": {
+    "dataset": "sql.query",
+    "module": "sql",
+    "duration": 77509917
+  },
+"service": {
+    "address": "localhost:55656",
+    "type": "sql"
+  },
+  "metricset": {
+    "name": "query",
+    "period": 10000
+  },
+
+  "sql": {
+    "driver": "postgres",
+    "query": "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database",
+    "metrics": {
+      "string": {
+        "stats_reset": "2022-05-13T12:02:33.825483Z"
+      },
+      "numeric": {
+        "blks_hit": 6360,
+        "tup_returned": 2225,
+        "tup_fetched": 1458,
+        "datid": 0,
+        "blks_read": 33
+      }
+    }
+  },
+  "ecs": {
+    "version": "8.0.0"
+  },
+  "host": {
+        "name": "mps"
+    },
+  "agent": {
+    "version": "8.3.0",
+    "ephemeral_id": "bc09584b-62db-4b45-bfe9-6b7e8e982361",
+    "id": "6bbf5058-afed-44c6-aa05-775ee14a2da4",
+    "name": "mps",
+    "type": "metricbeat"
+  }
+}
+```
+
+
+### Example: Merge multiple queries into a single event. [_example_merge_multiple_queries_into_a_single_event]
+
+Multiple queries will create multiple events, one for each query.  It may be preferable to create a single event by combining the metrics together in a single event.
+
+This feature can be enabled using the `merge_results` config.
+
+However, such a merge is possible only if the table queries are merged, each produces a single row.
+
+For example:
+
+```yaml
+- module: sql
+  metricsets:
+    - query
+  period: 10s
+  hosts: ["postgres://postgres:postgres@localhost?sslmode=disable"]
+
+  driver: "postgres"
+  raw_data.enabled: true
+  merge_results: true
+  sql_queries:
+    - query: "SELECT blks_hit,blks_read FROM pg_stat_database limit 1;"
+      response_format: table
+    - query: "select checkpoints_timed,checkpoints_req from pg_stat_bgwriter;"
+      response_format: table
+```
+
+This creates a combined event as below, where `blks_hit`, `blks_read`, `checkpoints_timed` and `checkpoints_req` are part of same event.
+
+```json
+{
+  "@timestamp": "2022-07-21T07:07:06.747Z",
+  "agent": {
+    "name": "MBP-2",
+    "type": "metricbeat",
+    "version": "8.4.0",
+    "ephemeral_id": "b0867287-e56a-492f-b421-0ac870c426f9",
+    "id": "3fe7b378-6f9e-4ca3-9aa1-067c4a6866e5"
+  },
+  "metricset": {
+    "period": 10000,
+    "name": "query"
+  },
+  "service": {
+    "type": "sql",
+    "address": "localhost"
+  },
+  "sql": {
+    "metrics": {
+      "blks_read": 21,
+      "checkpoints_req": 1,
+      "checkpoints_timed": 66,
+      "blks_hit": 7592
+    },
+    "driver": "postgres"
+  },
+  "event": {
+    "module": "sql",
+    "duration": 18883084,
+    "dataset": "sql.query"
+  }
+}
+```
+
+
+### Example: Execute given queries for all database(s) present in a server [_example_execute_given_queries_for_all_databases_present_in_a_server]
+
+Assuming a user could have 100s of databases on their server and then it becomes cumbersome to add them manually to the query. If `fetch_from_all_databases` is set to `true` then SQL module would fetch the databases names automatically and prefix the database selector statement to the queries so that the queries can run against the database provided.
+
+Currently, this feature only works with `mssql` driver. For example:
+
+```yaml
+- module: sql
+  metricsets:
+    - query
+  period: 50s
+  hosts: ["sqlserver://<user>:<password>@<host>"]
+  raw_data.enabled: true
+
+  fetch_from_all_databases: true
+
+  driver: "mssql"
+  sql_queries:
+    - query: SELECT DB_NAME() AS 'database_name';
+      response_format: table
+```
+
+For an mssql instance, by default only four databases are present namely — `master`, `model`, `msdb`, `tempdb`. So, if `fetch_from_all_databases` is enabled then query `SELECT DB_NAME() AS 'database_name'` runs for each one of them i.e., there would be in total 4 documents (one each for 4 databases) for every scrape.
+
+```json
+{
+    "@timestamp": "2023-07-16T22:05:26.976Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.10.0"
+    },
+    "service": {
+        "type": "sql",
+        "address": "localhost"
+    },
+    "event": {
+        "dataset": "sql.query",
+        "module": "sql",
+        "duration": 40346375
+    },
+    "metricset": {
+        "name": "query",
+        "period": 50000
+    },
+    "sql": {
+        "metrics": {
+            "database_name": "master"
+        },
+        "driver": "mssql",
+        "query": "USE [master]; SELECT DB_NAME() AS 'database_name';"
+    },
+    "host": {
+        "os": {
+            "type": "macos",
+            "platform": "darwin",
+            "version": "13.3.1",
+            "family": "darwin",
+            "name": "macOS",
+            "kernel": "<redacted>",
+            "build": "<redacted>"
+        },
+        "name": "<redacted>",
+        "id": "<redacted>",
+        "ip": [
+            "<redacted>"
+        ],
+        "mac": [
+            "<redacted>"
+        ],
+        "hostname": "<redacted>",
+        "architecture": "arm64"
+    },
+    "agent": {
+        "name": "<redacted>",
+        "type": "metricbeat",
+        "version": "8.10.0",
+        "ephemeral_id": "<redacted>",
+        "id": "<redacted>"
+    },
+    "ecs": {
+        "version": "8.0.0"
+    }
+}
+{
+    "@timestamp": "2023-07-16T22:05:26.976Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.10.0"
+    },
+    "agent": {
+        "ephemeral_id": "<redacted>",
+        "id": "<redacted>",
+        "name": "<redacted>",
+        "type": "metricbeat",
+        "version": "8.10.0"
+    },
+    "event": {
+        "module": "sql",
+        "duration": 43147875,
+        "dataset": "sql.query"
+    },
+    "metricset": {
+        "period": 50000,
+        "name": "query"
+    },
+    "service": {
+        "address": "localhost",
+        "type": "sql"
+    },
+    "sql": {
+        "metrics": {
+            "database_name": "tempdb"
+        },
+        "driver": "mssql",
+        "query": "USE [tempdb]; SELECT DB_NAME() AS 'database_name';"
+    },
+    "ecs": {
+        "version": "8.0.0"
+    },
+    "host": {
+        "name": "<redacted>",
+        "architecture": "arm64",
+        "os": {
+            "platform": "darwin",
+            "version": "13.3.1",
+            "family": "darwin",
+            "name": "macOS",
+            "kernel": "<redacted>",
+            "build": "<redacted>",
+            "type": "macos"
+        },
+        "id": "<redacted>",
+        "ip": [
+            "<redacted>"
+        ],
+        "mac": [
+            "<redacted>"
+        ],
+        "hostname": "<redacted>"
+    }
+}
+{
+    "@timestamp": "2023-07-16T22:05:26.976Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.10.0"
+    },
+    "host": {
+        "os": {
+            "build": "<redacted>",
+            "type": "macos",
+            "platform": "darwin",
+            "version": "13.3.1",
+            "family": "darwin",
+            "name": "macOS",
+            "kernel": "<redacted>"
+        },
+        "id": "<redacted>",
+        "ip": [
+            "<redacted>"
+        ],
+        "mac": [
+            "<redacted>"
+        ],
+        "hostname": "<redacted>",
+        "name": "<redacted>",
+        "architecture": "arm64"
+    },
+    "agent": {
+        "ephemeral_id": "<redacted>",
+        "id": "<redacted>",
+        "name": "<redacted>",
+        "type": "metricbeat",
+        "version": "8.10.0"
+    },
+    "service": {
+        "address": "localhost",
+        "type": "sql"
+    },
+    "sql": {
+        "metrics": {
+            "database_name": "model"
+        },
+        "driver": "mssql",
+        "query": "USE [model]; SELECT DB_NAME() AS 'database_name';"
+    },
+    "event": {
+        "dataset": "sql.query",
+        "module": "sql",
+        "duration": 46623125
+    },
+    "metricset": {
+        "name": "query",
+        "period": 50000
+    },
+    "ecs": {
+        "version": "8.0.0"
+    }
+}
+{
+    "@timestamp": "2023-07-16T22:05:26.976Z",
+    "@metadata": {
+        "beat": "metricbeat",
+        "type": "_doc",
+        "version": "8.10.0"
+    },
+    "host": {
+        "architecture": "arm64",
+        "os": {
+            "kernel": "<redacted>",
+            "build": "<redacted>",
+            "type": "macos",
+            "platform": "darwin",
+            "version": "13.3.1",
+            "family": "darwin",
+            "name": "macOS"
+        },
+        "name": "<redacted>",
+        "id": "<redacted>",
+        "ip": [
+            "<redacted>"
+        ],
+        "mac": [
+            "<redacted>"
+        ],
+        "hostname": "<redacted>"
+    },
+    "agent": {
+        "type": "metricbeat",
+        "version": "8.10.0",
+        "ephemeral_id": "<redacted>",
+        "id": "<redacted>",
+        "name": "<redacted>"
+    },
+    "event": {
+        "dataset": "sql.query",
+        "module": "sql",
+        "duration": 49649250
+    },
+    "metricset": {
+        "name": "query",
+        "period": 50000
+    },
+    "service": {
+        "address": "localhost",
+        "type": "sql"
+    },
+    "sql": {
+        "metrics": {
+            "database_name": "msdb"
+        },
+        "driver": "mssql",
+        "query": "USE [msdb]; SELECT DB_NAME() AS 'database_name';"
+    },
+    "ecs": {
+        "version": "8.0.0"
+    }
+}
+```
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-stan.md b/docs/reference/metricbeat/metricbeat-module-stan.md
new file mode 100644
index 000000000000..4c94a3ca544e
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-stan.md
@@ -0,0 +1,67 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-stan.html
+---
+
+# Stan module [metricbeat-module-stan]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/stan.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The STAN module uses [STAN monitoring server APIs](https://github.com/nats-io/nats-streaming-server/blob/master/server/monitor.go) to collect metrics.
+
+The default metricsets are `channels`, `stats` and `subscriptions`.
+
+
+### Compatibility [_compatibility_47]
+
+The STAN module is tested with STAN 0.15.1.
+
+
+## Dashboard [_dashboard_41]
+
+Dashboards for topic message count and queue depth are included:
+
+:::{image} images/metricbeat-stan-overview.png
+:alt: metricbeat stan overview
+:::
+
+
+### Example configuration [_example_configuration_60]
+
+The Stan module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: stan
+  metricsets: ["stats", "channels", "subscriptions"]
+  period: 60s
+  hosts: ["localhost:8222"]
+  #stats.metrics_path: "/streaming/serverz"
+  #channels.metrics_path: "/streaming/channelsz"
+  #subscriptions.metrics_path: "/streaming/channelsz" # we retrieve streaming subscriptions with a detailed query param to the channelsz endpoint
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+### Metricsets [_metricsets_69]
+
+The following metricsets are available:
+
+* [channels](/reference/metricbeat/metricbeat-metricset-stan-channels.md)
+* [stats](/reference/metricbeat/metricbeat-metricset-stan-stats.md)
+* [subscriptions](/reference/metricbeat/metricbeat-metricset-stan-subscriptions.md)
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-statsd.md b/docs/reference/metricbeat/metricbeat-module-statsd.md
new file mode 100644
index 000000000000..fa9b3ff44647
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-statsd.md
@@ -0,0 +1,78 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-statsd.html
+---
+
+# Statsd module [metricbeat-module-statsd]
+
+The `statsd` module is a Metricbeat module which spawns a UDP server and listens for metrics in StatsD compatible format.
+
+
+## Metric types [_metric_types]
+
+The module supports the following types of metrics:
+
+**Counter (c)**
+:   Measurement which accumulates over period of time until flushed (value set to 0).
+
+**Gauge (g)**
+:   Measurement which can increase, decrease or be set to a value.
+
+**Timer (ms)**
+:   Time measurement (in milliseconds) of an event.
+
+**Histogram (h)**
+:   Time measurement, alias for timer.
+
+**Set (s)**
+:   Measurement which counts unique occurrences until flushed (value set to 0).
+
+
+## Supported tag extensions [_supported_tag_extensions]
+
+Example of tag styles supported by the `statsd` module:
+
+[DogStatsD](https://docs.datadoghq.com/developers/dogstatsd/datagram_shell/?tab=metrics#the-dogstatsd-protocol)
+
+`<metric name>:<value>|<type>|@samplerate|#<k>:<v>,<k>:<v>`
+
+[InfluxDB](https://github.com/influxdata/telegraf/blob/master/plugins/inputs/statsd/README.md#influx-statsd)
+
+`<metric name>,<k>=<v>,<k>=<v>:<value>|<type>|@samplerate`
+
+[Graphite_1.1.x](https://graphite.readthedocs.io/en/latest/tags.html#graphite-tag-support)
+
+`<metric name>;<k>=<v>;<k>=<v>:<value>|<type>|@samplerate`
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes_20]
+
+The `statsd` module has these additional config options:
+
+**`ttl`**
+:   It defines how long a metric will be reported after it was last recorded. Irrespective of the given ttl, metrics will be reported at least once. A ttl of zero means metrics will never expire.
+
+**`statsd.mapping`**
+:   It defines how metrics will mapped from the original metric label to the event json. Here’s an example configuration:
+
+```yaml
+statsd.mappings:
+  - metric: 'ti_failures' <1>
+    value:
+      field: task_failures <2>
+  - metric: '<job_name>_start' <1>
+    labels:
+      - attr: job_name <3>
+        field: job_name <4>
+    value:
+      field: started <2>
+```
+
+1. `metric`, required: the label key of the metric in statsd, either as a exact match string or as a template with named label placeholder in the format `<label_placeholder>`
+2. `value.field`, required: field name where to save the metric value in the event json
+3. `label[].attr`, required when using named label placeholder: reference to the named label placeholder defined in `metric`
+4. `label[].field`, required when using named label placeholder field name where to save the named label placeholder value from the template in the event json
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-syncgateway.md b/docs/reference/metricbeat/metricbeat-module-syncgateway.md
new file mode 100644
index 000000000000..0108e291d116
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-syncgateway.md
@@ -0,0 +1,49 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-syncgateway.html
+---
+
+# SyncGateway module [metricbeat-module-syncgateway]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Sync Gateway is the synchronization server in a Couchbase for Mobile and Edge deployment. This metricset allows to monitor a Sync Gateway instance by using its REST API.
+
+Sync Gateway access `[host]:[port]/_expvar` on Sync Gateway nodes to fetch metrics data, ensure that the URL is accessible from the host where Metricbeat is running.
+
+
+## Example configuration [_example_configuration_62]
+
+The SyncGateway module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: syncgateway
+  metricsets:
+    - db
+#    - memory
+#    - replication
+#    - resources
+  period: 10s
+
+  # SyncGateway hosts
+  hosts: ["127.0.0.1:4985"]
+```
+
+
+## Metricsets [_metricsets_72]
+
+The following metricsets are available:
+
+* [db](/reference/metricbeat/metricbeat-metricset-syncgateway-db.md)
+* [memory](/reference/metricbeat/metricbeat-metricset-syncgateway-memory.md)
+* [replication](/reference/metricbeat/metricbeat-metricset-syncgateway-replication.md)
+* [resources](/reference/metricbeat/metricbeat-metricset-syncgateway-resources.md)
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-system.md b/docs/reference/metricbeat/metricbeat-module-system.md
new file mode 100644
index 000000000000..0a7183f2da58
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-system.md
@@ -0,0 +1,284 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-system.html
+---
+
+# System module [metricbeat-module-system]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/system.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The System module allows you to monitor your servers. Because the System module always applies to the local server, the `hosts` config option is not needed.
+
+The default metricsets are `cpu`, `load`, `memory`, `network`, `process`, `process_summary`, `socket_summary`, `filesystem`, `fsstat`, and `uptime`. To disable a default metricset, comment it out in the `modules.d/system.yml` configuration file. If *all* metricsets are commented out and the System module is enabled, Metricbeat uses the default metricsets.
+
+Note that certain metricsets may access `/proc` to gather process information, and the resulting `ptrace_may_access()` call by the kernel to check for permissions can be blocked by [AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn’t use `ptrace` directly.
+
+::::{admonition} How and when metrics are collected
+:class: tip
+
+Certain metrics monitored by the System module require multiple values to be collected. For example, the `system.process.cpu.total.norm.pct` field reports the percentage of CPU time spent by the process since the last event. For this percentage to be determined, the process needs to appear at least twice so that a performance delta can be calculated.
+
+Note that in some cases a field like this may be missing from the System module metricset if the process has not been available long enough to be included in two periods of metric collection.
+
+::::
+
+
+
+## Dashboard [_dashboard_42]
+
+The System module comes with a predefined dashboard. For example:
+
+:::{image} images/metricbeat_system_dashboard.png
+:alt: metricbeat system dashboard
+:::
+
+
+## Required permissions [_required_permissions]
+
+The System metricsets collect different kinds of metric data, which may require dedicated permissions to be fetched. For security reasons it’s advised to grant the lowest possible permissions. This section justifies which permissions must be present for particular metricsets.
+
+Please notice that modern Linux implementations divide the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.
+
+
+### cpu [_cpu]
+
+CPU statistics (idle, irq, user, system, iowait, softirq, cores, nice, steal, total) should be available without elevated permissions.
+
+
+### load [_load]
+
+CPU load data (1 min, 5 min, 15 min, cores) should be available without elevated permissions.
+
+
+### memory [_memory]
+
+Memory statistics (swap, total, used, free, actual) should be available without elevated permissions.
+
+
+### network [_network]
+
+Network metrics for interfaces (in, out, errors, dropped, bytes, packets) should be available without elevated permissions.
+
+
+### process [_process]
+
+Process execution data (state, memory, cpu, cmdline) should be available for an authorized user.
+
+If the beats process is running as less privileged user, it may not be able to read process data belonging to other users. The issue should be reported in application logs:
+
+```
+2019-12-23T13:32:06.457+0100    DEBUG   [processes]     process/process.go:475  Skip process pid=235: error getting process state for pid=235: Could not read process info for pid 23
+```
+
+
+### process_summary [_process_summary]
+
+General process summary (unknown, dead, total, sleeping, running, idle, stopped, zombie) should be available without elevated permissions. Please notice that if the process data belongs to the other users, it will be counted as unknown value (no error will be reported in application logs).
+
+
+### socket_summary [_socket_summary]
+
+Used sockets summary (TCP, UDP, count, listening, established, wait, etc.) should be available without elevated permissions.
+
+
+### entropy [_entropy]
+
+Entropy data (available, pool size) requires access to the `/proc/sys/kernel/random` path. Otherwise an error will be reported.
+
+
+### core [_core]
+
+Usage statistics for each CPU core (idle, irq, user, system, iowait, softirq, cores, nice, steal, total) should be available without elevated permissions.
+
+
+### diskio [_diskio]
+
+Disk IO metrics (io, read, write) should be available without elevated permissions.
+
+
+### socket [_socket]
+
+Events for each new TCP socket should be available for an authorized user.
+
+If the beats process is running as less privileged user, it may not be able to view socket data belonging to other users.
+
+
+### service [_service]
+
+Systemd service data (memory, tasks, states) should be available for an authorized user.
+
+If the beats process is running as less privileged user, it may not be able to read process data belonging to other users. The issue should be reported in application logs:
+
+```
+2020-01-02T08:19:50.635Z	INFO	module/wrapper.go:252	Error fetching data for metricset system.service: error getting list of running units: Rejected send message, 2 matched rules; type="method_call", sender=":1.35" (uid=1000 pid=4429 comm="./metricbeat -d * -e ") interface="org.freedesktop.systemd1.Manager" member="ListUnitsByPatterns" error name="(unset)" requested_reply="0" destination="org.freedesktop.systemd1" (uid=0 pid=1 comm="/usr/lib/systemd/systemd --switched-root --system ")
+```
+
+
+### filesystem [_filesystem_2]
+
+Filesystem metrics data (total, available, type, mount point, files, free, used) should be available without elevated permissions.
+
+
+### fsstat [_fsstat]
+
+Fsstat metrics data (total size, free, total, used count) should be available without elevated permissions.
+
+
+### uptime [_uptime]
+
+Uptime metrics data (duration) should be available without elevated permissions.
+
+
+### raid [_raid]
+
+RAID metrics data (block, disks) requires access to the `/sys/block` mount point and all referenced devices. Otherwise an error will be reported.
+
+
+## Example configuration [_example_configuration_63]
+
+The System module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: system
+  metricsets:
+    - cpu             # CPU usage
+    - load            # CPU load averages
+    - memory          # Memory usage
+    - network         # Network IO
+    - process         # Per process metrics
+    - process_summary # Process summary
+    - uptime          # System Uptime
+    - socket_summary  # Socket summary
+    #- core           # Per CPU core usage
+    #- diskio         # Disk IO
+    #- filesystem     # File system usage for each mountpoint
+    #- fsstat         # File system summary metrics
+    #- raid           # Raid
+    #- socket         # Sockets and connection info (linux only)
+    #- service        # systemd service information
+  enabled: true
+  period: 10s
+  processes: ['.*']
+
+  # Configure the mount point of the host’s filesystem for use in monitoring a host from within a container
+  #hostfs: "/hostfs"
+
+  # Configure the metric types that are included by these metricsets.
+  cpu.metrics:  ["percentages","normalized_percentages"]  # The other available option is ticks.
+  core.metrics: ["percentages"]  # The other available option is ticks.
+
+  # A list of filesystem types to ignore. The filesystem metricset will not
+  # collect data from filesystems matching any of the specified types, and
+  # fsstats will not include data from these filesystems in its summary stats.
+  # If not set, types associated to virtual filesystems are automatically
+  # added when this information is available in the system (e.g. the list of
+  # `nodev` types in `/proc/filesystem`).
+  #filesystem.ignore_types: []
+
+  # These options allow you to filter out all processes that are not
+  # in the top N by CPU or memory, in order to reduce the number of documents created.
+  # If both the `by_cpu` and `by_memory` options are used, the union of the two sets
+  # is included.
+  #process.include_top_n:
+
+    # Set to false to disable this feature and include all processes
+    #enabled: true
+
+    # How many processes to include from the top by CPU. The processes are sorted
+    # by the `system.process.cpu.total.pct` field.
+    #by_cpu: 0
+
+    # How many processes to include from the top by memory. The processes are sorted
+    # by the `system.process.memory.rss.bytes` field.
+    #by_memory: 0
+
+  # If false, cmdline of a process is not cached.
+  #process.cmdline.cache.enabled: true
+
+  # Enable collection of cgroup metrics from processes on Linux.
+  #process.cgroups.enabled: true
+
+  # A list of regular expressions used to whitelist environment variables
+  # reported with the process metricset's events. Defaults to empty.
+  #process.env.whitelist: []
+
+  # Include the cumulative CPU tick values with the process metrics. Defaults
+  # to false.
+  #process.include_cpu_ticks: false
+
+  # Raid mount point to monitor
+  #raid.mount_point: '/'
+
+  # Configure reverse DNS lookup on remote IP addresses in the socket metricset.
+  #socket.reverse_lookup.enabled: false
+  #socket.reverse_lookup.success_ttl: 60s
+  #socket.reverse_lookup.failure_ttl: 60s
+
+  # Diskio configurations
+  #diskio.include_devices: []
+
+  # Filter systemd services by status or sub-status
+  #service.state_filter: ["active"]
+
+  # Filter systemd services based on a name pattern
+  #service.pattern_filter: ["ssh*", "nfs*"]
+
+  # This option enables the use of performance counters to collect data for cpu/core metricset.
+  # Only effective for Windows.
+  # You should use this option if running beats on machins with more than 64 cores.
+  #use_performance_counters: false
+```
+
+
+## Metricsets [_metricsets_73]
+
+The following metricsets are available:
+
+* [core](/reference/metricbeat/metricbeat-metricset-system-core.md)
+* [cpu](/reference/metricbeat/metricbeat-metricset-system-cpu.md)
+* [diskio](/reference/metricbeat/metricbeat-metricset-system-diskio.md)
+* [entropy](/reference/metricbeat/metricbeat-metricset-system-entropy.md)
+* [filesystem](/reference/metricbeat/metricbeat-metricset-system-filesystem.md)
+* [fsstat](/reference/metricbeat/metricbeat-metricset-system-fsstat.md)
+* [load](/reference/metricbeat/metricbeat-metricset-system-load.md)
+* [memory](/reference/metricbeat/metricbeat-metricset-system-memory.md)
+* [network](/reference/metricbeat/metricbeat-metricset-system-network.md)
+* [network_summary](/reference/metricbeat/metricbeat-metricset-system-network_summary.md)
+* [process](/reference/metricbeat/metricbeat-metricset-system-process.md)
+* [process_summary](/reference/metricbeat/metricbeat-metricset-system-process_summary.md)
+* [raid](/reference/metricbeat/metricbeat-metricset-system-raid.md)
+* [service](/reference/metricbeat/metricbeat-metricset-system-service.md)
+* [socket](/reference/metricbeat/metricbeat-metricset-system-socket.md)
+* [socket_summary](/reference/metricbeat/metricbeat-metricset-system-socket_summary.md)
+* [uptime](/reference/metricbeat/metricbeat-metricset-system-uptime.md)
+* [users](/reference/metricbeat/metricbeat-metricset-system-users.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-tomcat.md b/docs/reference/metricbeat/metricbeat-module-tomcat.md
new file mode 100644
index 000000000000..27a4c9335dac
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-tomcat.md
@@ -0,0 +1,73 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-tomcat.html
+---
+
+# Tomcat module [metricbeat-module-tomcat]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/tomcat.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module periodically fetches JMX metrics from Apache Tomcat.
+
+
+### Compatibility [_compatibility_48]
+
+The module has been tested with Tomcat 7.0.24 and 9.0.24. Other versions are expected to work.
+
+
+## Dashboard [_dashboard_44]
+
+An overview dashboard for Kibana is already included:
+
+:::{image} images/metricbeat-tomcat-overview.png
+:alt: metricbeat tomcat overview
+:::
+
+
+### Usage [_usage_9]
+
+The Tomcat module requires [Jolokia](/reference/metricbeat/metricbeat-module-jolokia.md)to fetch JMX metrics. Refer to the link for instructions about how to use Jolokia.
+
+
+### Example configuration [_example_configuration_64]
+
+The Tomcat module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: tomcat
+  metricsets: ['threading', 'cache', 'memory', 'requests']
+  period: 10s
+  hosts: ['localhost:8080']
+  path: "/jolokia/?ignoreErrors=true&canonicalNaming=false"
+```
+
+
+### Metricsets [_metricsets_74]
+
+The following metricsets are available:
+
+* [cache](/reference/metricbeat/metricbeat-metricset-tomcat-cache.md)
+* [memory](/reference/metricbeat/metricbeat-metricset-tomcat-memory.md)
+* [requests](/reference/metricbeat/metricbeat-metricset-tomcat-requests.md)
+* [threading](/reference/metricbeat/metricbeat-metricset-tomcat-threading.md)
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-traefik.md b/docs/reference/metricbeat/metricbeat-module-traefik.md
new file mode 100644
index 000000000000..a10b5c4ec082
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-traefik.md
@@ -0,0 +1,49 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-traefik.html
+---
+
+# Traefik module [metricbeat-module-traefik]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/traefik.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This module periodically fetches metrics from a [Traefik](https://traefik.io/) instance. The Traefik instance must be configured to expose it’s HTTP API.
+
+
+## Compatibility [_compatibility_49]
+
+The Traefik metricsets were tested with Traefik 1.6.
+
+
+## Example configuration [_example_configuration_65]
+
+The Traefik module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: traefik
+  metricsets: ["health"]
+  period: 10s
+  hosts: ["localhost:8080"]
+```
+
+This module supports TLS connections when using `ssl` config field, as described in [SSL](/reference/metricbeat/configuration-ssl.md). It also supports the options described in [Standard HTTP config options](/reference/metricbeat/configuration-metricbeat.md#module-http-config-options).
+
+
+## Metricsets [_metricsets_75]
+
+The following metricsets are available:
+
+* [health](/reference/metricbeat/metricbeat-metricset-traefik-health.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-uwsgi.md b/docs/reference/metricbeat/metricbeat-module-uwsgi.md
new file mode 100644
index 000000000000..f5742ded5e56
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-uwsgi.md
@@ -0,0 +1,48 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-uwsgi.html
+---
+
+# uWSGI module [metricbeat-module-uwsgi]
+
+This is the uwsgi module. By default collects the `stats` metricset, using [StatsServer](http://uwsgi-docs.readthedocs.io/en/latest/StatsServer.html).
+
+
+## Module-specific configuration notes [_module_specific_configuration_notes_21]
+
+The uWSGI module has these additional config options:
+
+**`hosts`**
+:   host URLs to get data from (e.g: `tcp://127.0.0.1:9191`). Can obtain data from 3 types of schemes: tcp (`tcp://ip:port`), unix socket (`unix:///tmp/uwsgi.sock`) and http/https server (`http://ip:port`)
+
+
+## Dashboard [_dashboard_45]
+
+The uwsgi module comes with a predefined dashboard. For example:
+
+:::{image} images/uwsgi_dashboard.png
+:alt: uwsgi dashboard
+:::
+
+
+## Example configuration [_example_configuration_66]
+
+The uWSGI module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: uwsgi
+  metricsets: ["status"]
+  enable: true
+  period: 10s
+  hosts: ["tcp://127.0.0.1:9191"]
+```
+
+
+## Metricsets [_metricsets_76]
+
+The following metricsets are available:
+
+* [status](/reference/metricbeat/metricbeat-metricset-uwsgi-status.md)
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-vsphere.md b/docs/reference/metricbeat/metricbeat-module-vsphere.md
new file mode 100644
index 000000000000..1f4c1d09d2a7
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-vsphere.md
@@ -0,0 +1,139 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-vsphere.html
+---
+
+# vSphere module [metricbeat-module-vsphere]
+
+The vSphere module uses the [Govmomi](https://github.com/vmware/govmomi) library to collect metrics from any VMware SDK URL (ESXi/VCenter).
+
+This module has been tested against ESXi and vCenter versions 5.5, 6.0, 6.5, and 7.0.3.
+
+By default, the vSphere module enables the following metricsets:
+
+1. cluster
+2. datastore
+3. datastorecluster
+4. host
+5. network
+6. resourcepool
+7. virtualmachine
+
+
+## Supported Periods: [_supported_periods]
+
+The Datastore and Host metricsets support performance data collection using the vSphere performance API. Given that the performance API imposes usage restrictions based on data collection intervals, users should configure the period optimally to ensure the receipt of real-time data. This configuration can be determined based on the [Data Collection Intervals](https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-247646EA-A04B-411A-8DD4-62A3DCFCF49B.md) and [Data Collection Levels](https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-25800DE4-68E5-41CC-82D9-8811E27924BC.md).
+
+::::{important}
+Only host and datastore metricsets have limitation of system configured period from vSphere instance. Users can still collect summary metrics if performance metrics are not supported for the configured instance.
+::::
+
+
+
+### Real-time data collection default interval: [_real_time_data_collection_default_interval]
+
+* 20s
+
+
+### Historical data collection default intervals: [_historical_data_collection_default_intervals]
+
+* 300s
+* 1800s
+* 7200s
+* 86400s
+
+
+## Example: [_example_5]
+
+If you need to configure multiple metricsets with different periods, you can achieve this by setting up multiple vSphere modules with different metricsets as demonstrated below:
+
+```yaml
+- module: vsphere
+  metricsets:
+   - cluster
+   - datastorecluster
+   - network
+   - resourcepool
+   - virtualmachine
+  period: 10s
+  hosts: ["https://localhost/sdk"]
+  username: "user"
+  password: "password"
+  insecure: false
+
+- module: vsphere
+  metricsets:
+   - datastore
+   - host
+  period: 300s
+  hosts: ["https://localhost/sdk"]
+  username: "user"
+  password: "password"
+  insecure: false
+```
+
+
+## Dashboard [_dashboard_46]
+
+The vSphere module includes a predefined dashboard. For example:
+
+:::{image} images/metricbeat_vsphere_dashboard.png
+:alt: metricbeat vsphere dashboard
+:::
+
+:::{image} images/metricbeat_vsphere_vm_dashboard.png
+:alt: metricbeat vsphere vm dashboard
+:::
+
+
+## Example configuration [_example_configuration_67]
+
+The vSphere module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: vsphere
+  enabled: true
+  metricsets: ["cluster", "datastore", "datastorecluster", "host", "network", "resourcepool", "virtualmachine"]
+
+  # Real-time data collection – An ESXi Server collects data for each performance counter every 20 seconds by default.
+  # Supported Periods:
+  # The Datastore and Host metricsets support performance data collection using the vSphere performance API.
+  # Since the performance API has usage restrictions based on data collection intervals,
+  # users should ensure that the period is configured optimally to receive real-time data.
+  # users can still collect summary metrics if performance metrics are not supported for the configured instance.
+  # This configuration can be determined based on the Data Collection Intervals and Data Collection Levels.
+  # Reference Links:
+  # Data Collection Intervals: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-247646EA-A04B-411A-8DD4-62A3DCFCF49B.html
+  # Data Collection Levels: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-25800DE4-68E5-41CC-82D9-8811E27924BC.html
+  period: 20s
+  hosts: ["https://localhost/sdk"]
+
+  username: "user"
+  password: "password"
+  # If insecure is true, don't verify the server's certificate chain
+  insecure: false
+  # Get custom fields when using virtualmachine metricset. Default false.
+  # get_custom_fields: false
+```
+
+
+## Metricsets [_metricsets_77]
+
+The following metricsets are available:
+
+* [cluster](/reference/metricbeat/metricbeat-metricset-vsphere-cluster.md)
+* [datastore](/reference/metricbeat/metricbeat-metricset-vsphere-datastore.md)
+* [datastorecluster](/reference/metricbeat/metricbeat-metricset-vsphere-datastorecluster.md)
+* [host](/reference/metricbeat/metricbeat-metricset-vsphere-host.md)
+* [network](/reference/metricbeat/metricbeat-metricset-vsphere-network.md)
+* [resourcepool](/reference/metricbeat/metricbeat-metricset-vsphere-resourcepool.md)
+* [virtualmachine](/reference/metricbeat/metricbeat-metricset-vsphere-virtualmachine.md)
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-windows.md b/docs/reference/metricbeat/metricbeat-module-windows.md
new file mode 100644
index 000000000000..525350b22088
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-windows.md
@@ -0,0 +1,87 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-windows.html
+---
+
+# Windows module [metricbeat-module-windows]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/windows.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+This is the `windows` module which collects metrics from Windows systems. The module contains the `service` metricset, which is set up by default when the `windows` module is enabled. The `service` metricset will retrieve status information of the services on the Windows machines. The second `windows` metricset is `perfmon` which collects Windows performance counter values.
+
+
+## Example configuration [_example_configuration_68]
+
+The Windows module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: windows
+  metricsets: ["perfmon"]
+  enabled: true
+  period: 10s
+  perfmon.ignore_non_existent_counters: false
+  perfmon.group_measurements_by_instance: false
+  perfmon.queries:
+#  - object: 'Process'
+#    instance: ["*"]
+#    counters:
+#    - name: '% Processor Time'
+#      field: cpu_usage
+#      format: "float"
+#    - name: "Thread Count"
+
+- module: windows
+  metricsets: ["service"]
+  enabled: true
+  period: 60s
+
+- module: windows
+  metricsets: ["wmi"]
+  period: 60s
+  wmi:
+    include_null: false          # Exclude fields with null values from the output
+    include_queries: false       # Do not include the query string in the output
+    include_empty_string: false  # Exclude fields with empty string values from the output
+    warning_threshold: 30s       # Maximum time to wait for a query result before logging a warning (defaults to period)
+    # Default WMI namespace for all queries (if not specified per query)
+    # Uncomment to override the default, which is "root\\cimv2".
+    # namespace: "root\\cimv2"
+    queries:
+    - class: Win32_OperatingSystem # FROM: Class to fetch
+      fields:                      # SELECT: Fields to retrieve for this WMI class. Omit the setting to fetch all properties
+       - FreePhysicalMemory
+       - FreeSpaceInPagingFiles
+       - FreeVirtualMemory
+       - LocalDateTime
+       - NumberOfUsers
+      where: ""                   # Optional WHERE clause to filter query results
+      # Override the WMI namespace for this specific query (optional).
+      # If set, this takes precedence over the default namespace above.
+      # namespace: "root\\cimv2" # Overrides the metric
+```
+
+
+## Metricsets [_metricsets_78]
+
+The following metricsets are available:
+
+* [perfmon](/reference/metricbeat/metricbeat-metricset-windows-perfmon.md)
+* [service](/reference/metricbeat/metricbeat-metricset-windows-service.md)
+* [wmi](/reference/metricbeat/metricbeat-metricset-windows-wmi.md)
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-module-zookeeper.md b/docs/reference/metricbeat/metricbeat-module-zookeeper.md
new file mode 100644
index 000000000000..fc447924b5d4
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-module-zookeeper.md
@@ -0,0 +1,63 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-zookeeper.html
+---
+
+# ZooKeeper module [metricbeat-module-zookeeper]
+
+:::::{admonition} Prefer to use {{agent}} for this use case?
+Refer to the [Elastic Integrations documentation](integration-docs://reference/zookeeper.md).
+
+::::{dropdown} Learn more
+{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of {{beats}} and {{agent}}](docs-content://reference/ingestion-tools/fleet/index.md).
+
+::::
+
+
+:::::
+
+
+The ZooKeeper module fetches statistics from the ZooKeeper service. The default metricsets are `mntr` and `server`.
+
+
+## Compatibility [_compatibility_52]
+
+The ZooKeeper metricsets were tested with ZooKeeper 3.4.8, 3.6.0 and 3.7.0. They are expected to work with all versions >= 3.4.0. Versions prior to 3.4 do not support the `mntr` command.
+
+Note that from ZooKeeper 3.6.0, `mntr`, `stat`, `ruok`, `conf`, `isro`, `cons` command must be explicitly enabled at ZooKeeper side using the `4lw.commands.whitelist` configuration parameter.
+
+
+## Dashboard [_dashboard_48]
+
+The Zookeeper module comes with a predefined dashboard:
+
+:::{image} images/metricbeat-zookeeper.png
+:alt: metricbeat zookeeper
+:::
+
+
+## Example configuration [_example_configuration_69]
+
+The ZooKeeper module supports the standard configuration options that are described in [Modules](/reference/metricbeat/configuration-metricbeat.md). Here is an example configuration:
+
+```yaml
+metricbeat.modules:
+- module: zookeeper
+  enabled: true
+  metricsets: ["mntr", "server"]
+  period: 10s
+  hosts: ["localhost:2181"]
+```
+
+
+## Metricsets [_metricsets_79]
+
+The following metricsets are available:
+
+* [connection](/reference/metricbeat/metricbeat-metricset-zookeeper-connection.md)
+* [mntr](/reference/metricbeat/metricbeat-metricset-zookeeper-mntr.md)
+* [server](/reference/metricbeat/metricbeat-metricset-zookeeper-server.md)
+
+
+
+
diff --git a/docs/reference/metricbeat/metricbeat-modules.md b/docs/reference/metricbeat/metricbeat-modules.md
new file mode 100644
index 000000000000..c1387294d38c
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-modules.md
@@ -0,0 +1,341 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-modules.html
+---
+
+# Modules [metricbeat-modules]
+
+This section contains detailed information about the metric collecting modules contained in Metricbeat. Each module contains one or multiple metricsets. More details about each module can be found under the links below.
+
+| Modules | Dashboards | Metricsets |
+| --- | --- | --- |
+| [ActiveMQ](/reference/metricbeat/metricbeat-module-activemq.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [broker](/reference/metricbeat/metricbeat-metricset-activemq-broker.md) |
+| [queue](/reference/metricbeat/metricbeat-metricset-activemq-queue.md) |
+| [topic](/reference/metricbeat/metricbeat-metricset-activemq-topic.md) |
+| [Aerospike](/reference/metricbeat/metricbeat-module-aerospike.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [namespace](/reference/metricbeat/metricbeat-metricset-aerospike-namespace.md) |
+| [Airflow](/reference/metricbeat/metricbeat-module-airflow.md)  [beta] | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [statsd](/reference/metricbeat/metricbeat-metricset-airflow-statsd.md) [beta] |
+| [Apache](/reference/metricbeat/metricbeat-module-apache.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [status](/reference/metricbeat/metricbeat-metricset-apache-status.md) |
+| [AWS](/reference/metricbeat/metricbeat-module-aws.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [awshealth](/reference/metricbeat/metricbeat-metricset-aws-awshealth.md) [beta] |
+| [billing](/reference/metricbeat/metricbeat-metricset-aws-billing.md) [beta] |
+| [cloudwatch](/reference/metricbeat/metricbeat-metricset-aws-cloudwatch.md) |
+| [dynamodb](/reference/metricbeat/metricbeat-metricset-aws-dynamodb.md) [beta] |
+| [ebs](/reference/metricbeat/metricbeat-metricset-aws-ebs.md) |
+| [ec2](/reference/metricbeat/metricbeat-metricset-aws-ec2.md) |
+| [elb](/reference/metricbeat/metricbeat-metricset-aws-elb.md) |
+| [kinesis](/reference/metricbeat/metricbeat-metricset-aws-kinesis.md) [beta] |
+| [lambda](/reference/metricbeat/metricbeat-metricset-aws-lambda.md) |
+| [natgateway](/reference/metricbeat/metricbeat-metricset-aws-natgateway.md) [beta] |
+| [rds](/reference/metricbeat/metricbeat-metricset-aws-rds.md) |
+| [s3_daily_storage](/reference/metricbeat/metricbeat-metricset-aws-s3_daily_storage.md) |
+| [s3_request](/reference/metricbeat/metricbeat-metricset-aws-s3_request.md) |
+| [sns](/reference/metricbeat/metricbeat-metricset-aws-sns.md) [beta] |
+| [sqs](/reference/metricbeat/metricbeat-metricset-aws-sqs.md) |
+| [transitgateway](/reference/metricbeat/metricbeat-metricset-aws-transitgateway.md) [beta] |
+| [usage](/reference/metricbeat/metricbeat-metricset-aws-usage.md) [beta] |
+| [vpn](/reference/metricbeat/metricbeat-metricset-aws-vpn.md) [beta] |
+| [AWS Fargate](/reference/metricbeat/metricbeat-module-awsfargate.md)  [beta] | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [task_stats](/reference/metricbeat/metricbeat-metricset-awsfargate-task_stats.md) [beta] |
+| [Azure](/reference/metricbeat/metricbeat-module-azure.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [app_insights](/reference/metricbeat/metricbeat-metricset-azure-app_insights.md) [beta] |
+| [app_state](/reference/metricbeat/metricbeat-metricset-azure-app_state.md) [beta] |
+| [billing](/reference/metricbeat/metricbeat-metricset-azure-billing.md) [beta] |
+| [compute_vm](/reference/metricbeat/metricbeat-metricset-azure-compute_vm.md) |
+| [compute_vm_scaleset](/reference/metricbeat/metricbeat-metricset-azure-compute_vm_scaleset.md) |
+| [container_instance](/reference/metricbeat/metricbeat-metricset-azure-container_instance.md) |
+| [container_registry](/reference/metricbeat/metricbeat-metricset-azure-container_registry.md) |
+| [container_service](/reference/metricbeat/metricbeat-metricset-azure-container_service.md) |
+| [database_account](/reference/metricbeat/metricbeat-metricset-azure-database_account.md) |
+| [monitor](/reference/metricbeat/metricbeat-metricset-azure-monitor.md) |
+| [storage](/reference/metricbeat/metricbeat-metricset-azure-storage.md) |
+| [Beat](/reference/metricbeat/metricbeat-module-beat.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [state](/reference/metricbeat/metricbeat-metricset-beat-state.md) |
+| [stats](/reference/metricbeat/metricbeat-metricset-beat-stats.md) |
+| [Benchmark](/reference/metricbeat/metricbeat-module-benchmark.md)  [beta] | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [info](/reference/metricbeat/metricbeat-metricset-benchmark-info.md) [beta] |
+| [Ceph](/reference/metricbeat/metricbeat-module-ceph.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [cluster_disk](/reference/metricbeat/metricbeat-metricset-ceph-cluster_disk.md) |
+| [cluster_health](/reference/metricbeat/metricbeat-metricset-ceph-cluster_health.md) |
+| [cluster_status](/reference/metricbeat/metricbeat-metricset-ceph-cluster_status.md) |
+| [mgr_cluster_disk](/reference/metricbeat/metricbeat-metricset-ceph-mgr_cluster_disk.md) [beta] |
+| [mgr_cluster_health](/reference/metricbeat/metricbeat-metricset-ceph-mgr_cluster_health.md) [beta] |
+| [mgr_osd_perf](/reference/metricbeat/metricbeat-metricset-ceph-mgr_osd_perf.md) [beta] |
+| [mgr_osd_pool_stats](/reference/metricbeat/metricbeat-metricset-ceph-mgr_osd_pool_stats.md) [beta] |
+| [mgr_osd_tree](/reference/metricbeat/metricbeat-metricset-ceph-mgr_osd_tree.md) [beta] |
+| [mgr_pool_disk](/reference/metricbeat/metricbeat-metricset-ceph-mgr_pool_disk.md) [beta] |
+| [monitor_health](/reference/metricbeat/metricbeat-metricset-ceph-monitor_health.md) |
+| [osd_df](/reference/metricbeat/metricbeat-metricset-ceph-osd_df.md) |
+| [osd_tree](/reference/metricbeat/metricbeat-metricset-ceph-osd_tree.md) |
+| [pool_disk](/reference/metricbeat/metricbeat-metricset-ceph-pool_disk.md) |
+| [Cloudfoundry](/reference/metricbeat/metricbeat-module-cloudfoundry.md)  [beta] | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [container](/reference/metricbeat/metricbeat-metricset-cloudfoundry-container.md) [beta] |
+| [counter](/reference/metricbeat/metricbeat-metricset-cloudfoundry-counter.md) [beta] |
+| [value](/reference/metricbeat/metricbeat-metricset-cloudfoundry-value.md) [beta] |
+| [CockroachDB](/reference/metricbeat/metricbeat-module-cockroachdb.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [status](/reference/metricbeat/metricbeat-metricset-cockroachdb-status.md) |
+| [Consul](/reference/metricbeat/metricbeat-module-consul.md)  [beta] | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [agent](/reference/metricbeat/metricbeat-metricset-consul-agent.md) [beta] |
+| [Containerd](/reference/metricbeat/metricbeat-module-containerd.md)  [beta] | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [blkio](/reference/metricbeat/metricbeat-metricset-containerd-blkio.md) [beta] |
+| [cpu](/reference/metricbeat/metricbeat-metricset-containerd-cpu.md) [beta] |
+| [memory](/reference/metricbeat/metricbeat-metricset-containerd-memory.md) [beta] |
+| [Coredns](/reference/metricbeat/metricbeat-module-coredns.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [stats](/reference/metricbeat/metricbeat-metricset-coredns-stats.md) |
+| [Couchbase](/reference/metricbeat/metricbeat-module-couchbase.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [bucket](/reference/metricbeat/metricbeat-metricset-couchbase-bucket.md) |
+| [cluster](/reference/metricbeat/metricbeat-metricset-couchbase-cluster.md) |
+| [node](/reference/metricbeat/metricbeat-metricset-couchbase-node.md) |
+| [CouchDB](/reference/metricbeat/metricbeat-module-couchdb.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [server](/reference/metricbeat/metricbeat-metricset-couchdb-server.md) |
+| [Docker](/reference/metricbeat/metricbeat-module-docker.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [container](/reference/metricbeat/metricbeat-metricset-docker-container.md) |
+| [cpu](/reference/metricbeat/metricbeat-metricset-docker-cpu.md) |
+| [diskio](/reference/metricbeat/metricbeat-metricset-docker-diskio.md) |
+| [event](/reference/metricbeat/metricbeat-metricset-docker-event.md) |
+| [healthcheck](/reference/metricbeat/metricbeat-metricset-docker-healthcheck.md) |
+| [image](/reference/metricbeat/metricbeat-metricset-docker-image.md) |
+| [info](/reference/metricbeat/metricbeat-metricset-docker-info.md) |
+| [memory](/reference/metricbeat/metricbeat-metricset-docker-memory.md) |
+| [network](/reference/metricbeat/metricbeat-metricset-docker-network.md) |
+| [network_summary](/reference/metricbeat/metricbeat-metricset-docker-network_summary.md) [beta] |
+| [Dropwizard](/reference/metricbeat/metricbeat-module-dropwizard.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [collector](/reference/metricbeat/metricbeat-metricset-dropwizard-collector.md) |
+| [Elasticsearch](/reference/metricbeat/metricbeat-module-elasticsearch.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [ccr](/reference/metricbeat/metricbeat-metricset-elasticsearch-ccr.md) |
+| [cluster_stats](/reference/metricbeat/metricbeat-metricset-elasticsearch-cluster_stats.md) |
+| [enrich](/reference/metricbeat/metricbeat-metricset-elasticsearch-enrich.md) |
+| [index](/reference/metricbeat/metricbeat-metricset-elasticsearch-index.md) |
+| [index_recovery](/reference/metricbeat/metricbeat-metricset-elasticsearch-index_recovery.md) |
+| [index_summary](/reference/metricbeat/metricbeat-metricset-elasticsearch-index_summary.md) |
+| [ingest_pipeline](/reference/metricbeat/metricbeat-metricset-elasticsearch-ingest_pipeline.md) [beta] |
+| [ml_job](/reference/metricbeat/metricbeat-metricset-elasticsearch-ml_job.md) |
+| [node](/reference/metricbeat/metricbeat-metricset-elasticsearch-node.md) |
+| [node_stats](/reference/metricbeat/metricbeat-metricset-elasticsearch-node_stats.md) |
+| [pending_tasks](/reference/metricbeat/metricbeat-metricset-elasticsearch-pending_tasks.md) |
+| [shard](/reference/metricbeat/metricbeat-metricset-elasticsearch-shard.md) |
+| [Envoyproxy](/reference/metricbeat/metricbeat-module-envoyproxy.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [server](/reference/metricbeat/metricbeat-metricset-envoyproxy-server.md) |
+| [Etcd](/reference/metricbeat/metricbeat-module-etcd.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [leader](/reference/metricbeat/metricbeat-metricset-etcd-leader.md) |
+| [metrics](/reference/metricbeat/metricbeat-metricset-etcd-metrics.md) [beta] |
+| [self](/reference/metricbeat/metricbeat-metricset-etcd-self.md) |
+| [store](/reference/metricbeat/metricbeat-metricset-etcd-store.md) |
+| [Google Cloud Platform](/reference/metricbeat/metricbeat-module-gcp.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [billing](/reference/metricbeat/metricbeat-metricset-gcp-billing.md) |
+| [carbon](/reference/metricbeat/metricbeat-metricset-gcp-carbon.md) [beta] |
+| [compute](/reference/metricbeat/metricbeat-metricset-gcp-compute.md) |
+| [dataproc](/reference/metricbeat/metricbeat-metricset-gcp-dataproc.md) |
+| [firestore](/reference/metricbeat/metricbeat-metricset-gcp-firestore.md) |
+| [gke](/reference/metricbeat/metricbeat-metricset-gcp-gke.md) |
+| [loadbalancing](/reference/metricbeat/metricbeat-metricset-gcp-loadbalancing.md) |
+| [metrics](/reference/metricbeat/metricbeat-metricset-gcp-metrics.md) |
+| [pubsub](/reference/metricbeat/metricbeat-metricset-gcp-pubsub.md) |
+| [storage](/reference/metricbeat/metricbeat-metricset-gcp-storage.md) |
+| [Golang](/reference/metricbeat/metricbeat-module-golang.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [expvar](/reference/metricbeat/metricbeat-metricset-golang-expvar.md) |
+| [heap](/reference/metricbeat/metricbeat-metricset-golang-heap.md) |
+| [Graphite](/reference/metricbeat/metricbeat-module-graphite.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [server](/reference/metricbeat/metricbeat-metricset-graphite-server.md) |
+| [HAProxy](/reference/metricbeat/metricbeat-module-haproxy.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [info](/reference/metricbeat/metricbeat-metricset-haproxy-info.md) |
+| [stat](/reference/metricbeat/metricbeat-metricset-haproxy-stat.md) |
+| [HTTP](/reference/metricbeat/metricbeat-module-http.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [json](/reference/metricbeat/metricbeat-metricset-http-json.md) |
+| [server](/reference/metricbeat/metricbeat-metricset-http-server.md) |
+| [IBM MQ](/reference/metricbeat/metricbeat-module-ibmmq.md)  [beta] | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [qmgr](/reference/metricbeat/metricbeat-metricset-ibmmq-qmgr.md) [beta] |
+| [IIS](/reference/metricbeat/metricbeat-module-iis.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [application_pool](/reference/metricbeat/metricbeat-metricset-iis-application_pool.md) |
+| [webserver](/reference/metricbeat/metricbeat-metricset-iis-webserver.md) |
+| [website](/reference/metricbeat/metricbeat-metricset-iis-website.md) |
+| [Istio](/reference/metricbeat/metricbeat-module-istio.md)  [beta] | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [citadel](/reference/metricbeat/metricbeat-metricset-istio-citadel.md) [beta] |
+| [galley](/reference/metricbeat/metricbeat-metricset-istio-galley.md) [beta] |
+| [istiod](/reference/metricbeat/metricbeat-metricset-istio-istiod.md) [beta] |
+| [mesh](/reference/metricbeat/metricbeat-metricset-istio-mesh.md) [beta] |
+| [mixer](/reference/metricbeat/metricbeat-metricset-istio-mixer.md) [beta] |
+| [pilot](/reference/metricbeat/metricbeat-metricset-istio-pilot.md) [beta] |
+| [proxy](/reference/metricbeat/metricbeat-metricset-istio-proxy.md) [beta] |
+| [Jolokia](/reference/metricbeat/metricbeat-module-jolokia.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [jmx](/reference/metricbeat/metricbeat-metricset-jolokia-jmx.md) |
+| [Kafka](/reference/metricbeat/metricbeat-module-kafka.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [broker](/reference/metricbeat/metricbeat-metricset-kafka-broker.md) [beta] |
+| [consumer](/reference/metricbeat/metricbeat-metricset-kafka-consumer.md) [beta] |
+| [consumergroup](/reference/metricbeat/metricbeat-metricset-kafka-consumergroup.md) |
+| [partition](/reference/metricbeat/metricbeat-metricset-kafka-partition.md) |
+| [producer](/reference/metricbeat/metricbeat-metricset-kafka-producer.md) [beta] |
+| [Kibana](/reference/metricbeat/metricbeat-module-kibana.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [cluster_actions](/reference/metricbeat/metricbeat-metricset-kibana-cluster_actions.md) [beta] |
+| [cluster_rules](/reference/metricbeat/metricbeat-metricset-kibana-cluster_rules.md) [beta] |
+| [node_actions](/reference/metricbeat/metricbeat-metricset-kibana-node_actions.md) [beta] |
+| [node_rules](/reference/metricbeat/metricbeat-metricset-kibana-node_rules.md) [beta] |
+| [settings](/reference/metricbeat/metricbeat-metricset-kibana-settings.md) |
+| [stats](/reference/metricbeat/metricbeat-metricset-kibana-stats.md) |
+| [status](/reference/metricbeat/metricbeat-metricset-kibana-status.md) |
+| [Kubernetes](/reference/metricbeat/metricbeat-module-kubernetes.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [apiserver](/reference/metricbeat/metricbeat-metricset-kubernetes-apiserver.md) |
+| [container](/reference/metricbeat/metricbeat-metricset-kubernetes-container.md) |
+| [controllermanager](/reference/metricbeat/metricbeat-metricset-kubernetes-controllermanager.md) |
+| [event](/reference/metricbeat/metricbeat-metricset-kubernetes-event.md) |
+| [node](/reference/metricbeat/metricbeat-metricset-kubernetes-node.md) |
+| [pod](/reference/metricbeat/metricbeat-metricset-kubernetes-pod.md) |
+| [proxy](/reference/metricbeat/metricbeat-metricset-kubernetes-proxy.md) |
+| [scheduler](/reference/metricbeat/metricbeat-metricset-kubernetes-scheduler.md) |
+| [state_container](/reference/metricbeat/metricbeat-metricset-kubernetes-state_container.md) |
+| [state_cronjob](/reference/metricbeat/metricbeat-metricset-kubernetes-state_cronjob.md) |
+| [state_daemonset](/reference/metricbeat/metricbeat-metricset-kubernetes-state_daemonset.md) |
+| [state_deployment](/reference/metricbeat/metricbeat-metricset-kubernetes-state_deployment.md) |
+| [state_job](/reference/metricbeat/metricbeat-metricset-kubernetes-state_job.md) |
+| [state_node](/reference/metricbeat/metricbeat-metricset-kubernetes-state_node.md) |
+| [state_persistentvolumeclaim](/reference/metricbeat/metricbeat-metricset-kubernetes-state_persistentvolumeclaim.md) |
+| [state_pod](/reference/metricbeat/metricbeat-metricset-kubernetes-state_pod.md) |
+| [state_replicaset](/reference/metricbeat/metricbeat-metricset-kubernetes-state_replicaset.md) |
+| [state_resourcequota](/reference/metricbeat/metricbeat-metricset-kubernetes-state_resourcequota.md) |
+| [state_service](/reference/metricbeat/metricbeat-metricset-kubernetes-state_service.md) |
+| [state_statefulset](/reference/metricbeat/metricbeat-metricset-kubernetes-state_statefulset.md) |
+| [state_storageclass](/reference/metricbeat/metricbeat-metricset-kubernetes-state_storageclass.md) |
+| [system](/reference/metricbeat/metricbeat-metricset-kubernetes-system.md) |
+| [volume](/reference/metricbeat/metricbeat-metricset-kubernetes-volume.md) |
+| [KVM](/reference/metricbeat/metricbeat-module-kvm.md)  [beta] | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [dommemstat](/reference/metricbeat/metricbeat-metricset-kvm-dommemstat.md) [beta] |
+| [status](/reference/metricbeat/metricbeat-metricset-kvm-status.md) [beta] |
+| [Linux](/reference/metricbeat/metricbeat-module-linux.md)  [beta] | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [conntrack](/reference/metricbeat/metricbeat-metricset-linux-conntrack.md) [beta] |
+| [iostat](/reference/metricbeat/metricbeat-metricset-linux-iostat.md) [beta] |
+| [ksm](/reference/metricbeat/metricbeat-metricset-linux-ksm.md) [beta] |
+| [memory](/reference/metricbeat/metricbeat-metricset-linux-memory.md) [beta] |
+| [pageinfo](/reference/metricbeat/metricbeat-metricset-linux-pageinfo.md) [beta] |
+| [pressure](/reference/metricbeat/metricbeat-metricset-linux-pressure.md) [beta] |
+| [rapl](/reference/metricbeat/metricbeat-metricset-linux-rapl.md) [beta] |
+| [Logstash](/reference/metricbeat/metricbeat-module-logstash.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [node](/reference/metricbeat/metricbeat-metricset-logstash-node.md) |
+| [node_stats](/reference/metricbeat/metricbeat-metricset-logstash-node_stats.md) |
+| [Memcached](/reference/metricbeat/metricbeat-module-memcached.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [stats](/reference/metricbeat/metricbeat-metricset-memcached-stats.md) |
+| [Cisco Meraki](/reference/metricbeat/metricbeat-module-meraki.md)  [beta] | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [device_health](/reference/metricbeat/metricbeat-metricset-meraki-device_health.md) [beta] |
+| [MongoDB](/reference/metricbeat/metricbeat-module-mongodb.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [collstats](/reference/metricbeat/metricbeat-metricset-mongodb-collstats.md) |
+| [dbstats](/reference/metricbeat/metricbeat-metricset-mongodb-dbstats.md) |
+| [metrics](/reference/metricbeat/metricbeat-metricset-mongodb-metrics.md) |
+| [replstatus](/reference/metricbeat/metricbeat-metricset-mongodb-replstatus.md) |
+| [status](/reference/metricbeat/metricbeat-metricset-mongodb-status.md) |
+| [MSSQL](/reference/metricbeat/metricbeat-module-mssql.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [performance](/reference/metricbeat/metricbeat-metricset-mssql-performance.md) |
+| [transaction_log](/reference/metricbeat/metricbeat-metricset-mssql-transaction_log.md) |
+| [Munin](/reference/metricbeat/metricbeat-module-munin.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [node](/reference/metricbeat/metricbeat-metricset-munin-node.md) |
+| [MySQL](/reference/metricbeat/metricbeat-module-mysql.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [galera_status](/reference/metricbeat/metricbeat-metricset-mysql-galera_status.md) [beta] |
+| [performance](/reference/metricbeat/metricbeat-metricset-mysql-performance.md) [beta] |
+| [query](/reference/metricbeat/metricbeat-metricset-mysql-query.md) [beta] |
+| [status](/reference/metricbeat/metricbeat-metricset-mysql-status.md) |
+| [NATS](/reference/metricbeat/metricbeat-module-nats.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [connection](/reference/metricbeat/metricbeat-metricset-nats-connection.md) |
+| [connections](/reference/metricbeat/metricbeat-metricset-nats-connections.md) |
+| [route](/reference/metricbeat/metricbeat-metricset-nats-route.md) |
+| [routes](/reference/metricbeat/metricbeat-metricset-nats-routes.md) |
+| [stats](/reference/metricbeat/metricbeat-metricset-nats-stats.md) |
+| [subscriptions](/reference/metricbeat/metricbeat-metricset-nats-subscriptions.md) |
+| [Nginx](/reference/metricbeat/metricbeat-module-nginx.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [stubstatus](/reference/metricbeat/metricbeat-metricset-nginx-stubstatus.md) |
+| [openai](/reference/metricbeat/metricbeat-module-openai.md)  [beta] | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [usage](/reference/metricbeat/metricbeat-metricset-openai-usage.md) [beta] |
+| [Openmetrics](/reference/metricbeat/metricbeat-module-openmetrics.md)  [beta] | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [collector](/reference/metricbeat/metricbeat-metricset-openmetrics-collector.md) [beta] |
+| [Oracle](/reference/metricbeat/metricbeat-module-oracle.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [performance](/reference/metricbeat/metricbeat-metricset-oracle-performance.md) |
+| [sysmetric](/reference/metricbeat/metricbeat-metricset-oracle-sysmetric.md) [beta] |
+| [tablespace](/reference/metricbeat/metricbeat-metricset-oracle-tablespace.md) |
+| [Panw](/reference/metricbeat/metricbeat-module-panw.md)  [beta] | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [interfaces](/reference/metricbeat/metricbeat-metricset-panw-interfaces.md) [beta] |
+| [routing](/reference/metricbeat/metricbeat-metricset-panw-routing.md) [beta] |
+| [system](/reference/metricbeat/metricbeat-metricset-panw-system.md) [beta] |
+| [vpn](/reference/metricbeat/metricbeat-metricset-panw-vpn.md) [beta] |
+| [PHP_FPM](/reference/metricbeat/metricbeat-module-php_fpm.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [pool](/reference/metricbeat/metricbeat-metricset-php_fpm-pool.md) |
+| [process](/reference/metricbeat/metricbeat-metricset-php_fpm-process.md) |
+| [PostgreSQL](/reference/metricbeat/metricbeat-module-postgresql.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [activity](/reference/metricbeat/metricbeat-metricset-postgresql-activity.md) |
+| [bgwriter](/reference/metricbeat/metricbeat-metricset-postgresql-bgwriter.md) |
+| [database](/reference/metricbeat/metricbeat-metricset-postgresql-database.md) |
+| [statement](/reference/metricbeat/metricbeat-metricset-postgresql-statement.md) |
+| [Prometheus](/reference/metricbeat/metricbeat-module-prometheus.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [collector](/reference/metricbeat/metricbeat-metricset-prometheus-collector.md) |
+| [query](/reference/metricbeat/metricbeat-metricset-prometheus-query.md) |
+| [remote_write](/reference/metricbeat/metricbeat-metricset-prometheus-remote_write.md) |
+| [RabbitMQ](/reference/metricbeat/metricbeat-module-rabbitmq.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [connection](/reference/metricbeat/metricbeat-metricset-rabbitmq-connection.md) |
+| [exchange](/reference/metricbeat/metricbeat-metricset-rabbitmq-exchange.md) |
+| [node](/reference/metricbeat/metricbeat-metricset-rabbitmq-node.md) |
+| [queue](/reference/metricbeat/metricbeat-metricset-rabbitmq-queue.md) |
+| [shovel](/reference/metricbeat/metricbeat-metricset-rabbitmq-shovel.md) [beta] |
+| [Redis](/reference/metricbeat/metricbeat-module-redis.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [info](/reference/metricbeat/metricbeat-metricset-redis-info.md) |
+| [key](/reference/metricbeat/metricbeat-metricset-redis-key.md) |
+| [keyspace](/reference/metricbeat/metricbeat-metricset-redis-keyspace.md) |
+| [Redis Enterprise](/reference/metricbeat/metricbeat-module-redisenterprise.md)  [beta] | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [node](/reference/metricbeat/metricbeat-metricset-redisenterprise-node.md) [beta] |
+| [proxy](/reference/metricbeat/metricbeat-metricset-redisenterprise-proxy.md) [beta] |
+| [SQL](/reference/metricbeat/metricbeat-module-sql.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [query](/reference/metricbeat/metricbeat-metricset-sql-query.md) |
+| [Stan](/reference/metricbeat/metricbeat-module-stan.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [channels](/reference/metricbeat/metricbeat-metricset-stan-channels.md) |
+| [stats](/reference/metricbeat/metricbeat-metricset-stan-stats.md) |
+| [subscriptions](/reference/metricbeat/metricbeat-metricset-stan-subscriptions.md) |
+| [Statsd](/reference/metricbeat/metricbeat-module-statsd.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [server](/reference/metricbeat/metricbeat-metricset-statsd-server.md) |
+| [SyncGateway](/reference/metricbeat/metricbeat-module-syncgateway.md)  [beta] | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [db](/reference/metricbeat/metricbeat-metricset-syncgateway-db.md) [beta] |
+| [memory](/reference/metricbeat/metricbeat-metricset-syncgateway-memory.md) [beta] |
+| [replication](/reference/metricbeat/metricbeat-metricset-syncgateway-replication.md) [beta] |
+| [resources](/reference/metricbeat/metricbeat-metricset-syncgateway-resources.md) [beta] |
+| [System](/reference/metricbeat/metricbeat-module-system.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [core](/reference/metricbeat/metricbeat-metricset-system-core.md) |
+| [cpu](/reference/metricbeat/metricbeat-metricset-system-cpu.md) |
+| [diskio](/reference/metricbeat/metricbeat-metricset-system-diskio.md) |
+| [entropy](/reference/metricbeat/metricbeat-metricset-system-entropy.md) |
+| [filesystem](/reference/metricbeat/metricbeat-metricset-system-filesystem.md) |
+| [fsstat](/reference/metricbeat/metricbeat-metricset-system-fsstat.md) |
+| [load](/reference/metricbeat/metricbeat-metricset-system-load.md) |
+| [memory](/reference/metricbeat/metricbeat-metricset-system-memory.md) |
+| [network](/reference/metricbeat/metricbeat-metricset-system-network.md) |
+| [network_summary](/reference/metricbeat/metricbeat-metricset-system-network_summary.md) [beta] |
+| [process](/reference/metricbeat/metricbeat-metricset-system-process.md) |
+| [process_summary](/reference/metricbeat/metricbeat-metricset-system-process_summary.md) |
+| [raid](/reference/metricbeat/metricbeat-metricset-system-raid.md) |
+| [service](/reference/metricbeat/metricbeat-metricset-system-service.md) [beta] |
+| [socket](/reference/metricbeat/metricbeat-metricset-system-socket.md) |
+| [socket_summary](/reference/metricbeat/metricbeat-metricset-system-socket_summary.md) |
+| [uptime](/reference/metricbeat/metricbeat-metricset-system-uptime.md) |
+| [users](/reference/metricbeat/metricbeat-metricset-system-users.md) [beta] |
+| [Tomcat](/reference/metricbeat/metricbeat-module-tomcat.md)  [beta] | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [cache](/reference/metricbeat/metricbeat-metricset-tomcat-cache.md) [beta] |
+| [memory](/reference/metricbeat/metricbeat-metricset-tomcat-memory.md) [beta] |
+| [requests](/reference/metricbeat/metricbeat-metricset-tomcat-requests.md) [beta] |
+| [threading](/reference/metricbeat/metricbeat-metricset-tomcat-threading.md) [beta] |
+| [Traefik](/reference/metricbeat/metricbeat-module-traefik.md) | ![No prebuilt dashboards](images/icon-no.png "") |  |
+|  |  | [health](/reference/metricbeat/metricbeat-metricset-traefik-health.md) |
+| [uWSGI](/reference/metricbeat/metricbeat-module-uwsgi.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [status](/reference/metricbeat/metricbeat-metricset-uwsgi-status.md) |
+| [vSphere](/reference/metricbeat/metricbeat-module-vsphere.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [cluster](/reference/metricbeat/metricbeat-metricset-vsphere-cluster.md) [beta] |
+| [datastore](/reference/metricbeat/metricbeat-metricset-vsphere-datastore.md) |
+| [datastorecluster](/reference/metricbeat/metricbeat-metricset-vsphere-datastorecluster.md) [beta] |
+| [host](/reference/metricbeat/metricbeat-metricset-vsphere-host.md) |
+| [network](/reference/metricbeat/metricbeat-metricset-vsphere-network.md) [beta] |
+| [resourcepool](/reference/metricbeat/metricbeat-metricset-vsphere-resourcepool.md) [beta] |
+| [virtualmachine](/reference/metricbeat/metricbeat-metricset-vsphere-virtualmachine.md) |
+| [Windows](/reference/metricbeat/metricbeat-module-windows.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [perfmon](/reference/metricbeat/metricbeat-metricset-windows-perfmon.md) |
+| [service](/reference/metricbeat/metricbeat-metricset-windows-service.md) |
+| [wmi](/reference/metricbeat/metricbeat-metricset-windows-wmi.md) [beta] |
+| [ZooKeeper](/reference/metricbeat/metricbeat-module-zookeeper.md) | ![Prebuilt dashboards are available](images/icon-yes.png "") |  |
+|  |  | [connection](/reference/metricbeat/metricbeat-metricset-zookeeper-connection.md) |
+| [mntr](/reference/metricbeat/metricbeat-metricset-zookeeper-mntr.md) |
+| [server](/reference/metricbeat/metricbeat-metricset-zookeeper-server.md) |
+
diff --git a/docs/reference/metricbeat/metricbeat-overview.md b/docs/reference/metricbeat/metricbeat-overview.md
new file mode 100644
index 000000000000..67dabc8e61e5
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-overview.md
@@ -0,0 +1,28 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-overview.html
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/index.html
+---
+
+# Metricbeat overview [metricbeat-overview]
+
+Metricbeat is a lightweight shipper that you can install on your servers to periodically collect metrics from the operating system and from services running on the server. Metricbeat takes the metrics and statistics that it collects and ships them to the output that you specify, such as Elasticsearch or Logstash.
+
+Metricbeat helps you monitor your servers by collecting metrics from the system and services running on the server, such as:
+
+* [Apache](/reference/metricbeat/metricbeat-module-apache.md)
+* [HAProxy](/reference/metricbeat/metricbeat-module-haproxy.md)
+* [MongoDB](/reference/metricbeat/metricbeat-module-mongodb.md)
+* [MySQL](/reference/metricbeat/metricbeat-module-mysql.md)
+* [Nginx](/reference/metricbeat/metricbeat-module-nginx.md)
+* [PostgreSQL](/reference/metricbeat/metricbeat-module-postgresql.md)
+* [Redis](/reference/metricbeat/metricbeat-module-redis.md)
+* [System](/reference/metricbeat/metricbeat-module-system.md)
+* [Zookeeper](/reference/metricbeat/metricbeat-module-zookeeper.md)
+
+See [Modules](/reference/metricbeat/metricbeat-modules.md) for the complete list of supported services.
+
+Metricbeat can insert the collected metrics directly into Elasticsearch or send them to Logstash, Redis, or Kafka.
+
+Metricbeat is an Elastic [Beat](https://www.elastic.co/beats). It’s based on the `libbeat` framework. For more information, see the [Beats Platform Reference](/reference/index.md).
+
diff --git a/docs/reference/metricbeat/metricbeat-reference-yml.md b/docs/reference/metricbeat/metricbeat-reference-yml.md
new file mode 100644
index 000000000000..afc9e004edc0
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-reference-yml.md
@@ -0,0 +1,2824 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-reference-yml.html
+---
+
+# metricbeat.reference.yml [metricbeat-reference-yml]
+
+The following reference file is available with your Metricbeat installation. It shows all non-deprecated Metricbeat options. You can copy from this file and paste configurations into the `metricbeat.yml` file to customize it.
+
+::::{tip}
+The reference file is located in the same directory as the `metricbeat.yml` file. To locate the file, see [Directory layout](/reference/metricbeat/directory-layout.md).
+::::
+
+
+The contents of the file are included here for your convenience.
+
+```yaml
+## Metricbeat Configuration ###########################
+
+# This file is a full configuration example documenting all non-deprecated
+# options in comments. For a shorter configuration example, that contains only
+# the most common options, please see metricbeat.yml in the same directory.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/metricbeat/index.html
+
+#============================  Config Reloading ===============================
+
+# Config reloading allows to dynamically load modules. Each file which is
+# monitored must contain one or multiple modules as a list.
+metricbeat.config.modules:
+
+  # Glob pattern for configuration reloading
+  path: ${path.config}/modules.d/*.yml
+
+  # Period on which files under path should be checked for changes
+  reload.period: 10s
+
+  # Set to true to enable config reloading
+  reload.enabled: false
+
+# Maximum amount of time to randomly delay the start of a metricset. Use 0 to
+# disable startup delay.
+metricbeat.max_start_delay: 10s
+
+#============================== Autodiscover ===================================
+
+# Autodiscover allows you to detect changes in the system and spawn new modules
+# as they happen.
+
+#metricbeat.autodiscover:
+  # List of enabled autodiscover providers
+#  providers:
+#    - type: docker
+#      templates:
+#        - condition:
+#            equals.docker.container.image: etcd
+#          config:
+#            - module: etcd
+#              metricsets: ["leader", "self", "store"]
+#              period: 10s
+#              hosts: ["${host}:2379"]
+
+#=========================== Timeseries instance ===============================
+
+# Enabling this will add a `timeseries.instance` keyword field to all metric
+# events. For a given metricset, this field will be unique for every single item
+# being monitored.
+# This setting is experimental.
+
+#timeseries.enabled: false
+
+
+#==========================  Modules configuration =============================
+metricbeat.modules:
+
+#-------------------------------- System Module --------------------------------
+- module: system
+  metricsets:
+    - cpu             # CPU usage
+    - load            # CPU load averages
+    - memory          # Memory usage
+    - network         # Network IO
+    - process         # Per process metrics
+    - process_summary # Process summary
+    - uptime          # System Uptime
+    - socket_summary  # Socket summary
+    #- core           # Per CPU core usage
+    #- diskio         # Disk IO
+    #- filesystem     # File system usage for each mountpoint
+    #- fsstat         # File system summary metrics
+    #- raid           # Raid
+    #- socket         # Sockets and connection info (linux only)
+    #- service        # systemd service information
+  enabled: true
+  period: 10s
+  processes: ['.*']
+
+  # Configure the mount point of the host’s filesystem for use in monitoring a host from within a container
+  #hostfs: "/hostfs"
+
+  # Configure the metric types that are included by these metricsets.
+  cpu.metrics:  ["percentages","normalized_percentages"]  # The other available option is ticks.
+  core.metrics: ["percentages"]  # The other available option is ticks.
+
+  # A list of filesystem types to ignore. The filesystem metricset will not
+  # collect data from filesystems matching any of the specified types, and
+  # fsstats will not include data from these filesystems in its summary stats.
+  # If not set, types associated to virtual filesystems are automatically
+  # added when this information is available in the system (e.g. the list of
+  # `nodev` types in `/proc/filesystem`).
+  #filesystem.ignore_types: []
+
+  # These options allow you to filter out all processes that are not
+  # in the top N by CPU or memory, in order to reduce the number of documents created.
+  # If both the `by_cpu` and `by_memory` options are used, the union of the two sets
+  # is included.
+  #process.include_top_n:
+
+    # Set to false to disable this feature and include all processes
+    #enabled: true
+
+    # How many processes to include from the top by CPU. The processes are sorted
+    # by the `system.process.cpu.total.pct` field.
+    #by_cpu: 0
+
+    # How many processes to include from the top by memory. The processes are sorted
+    # by the `system.process.memory.rss.bytes` field.
+    #by_memory: 0
+
+  # If false, cmdline of a process is not cached.
+  #process.cmdline.cache.enabled: true
+
+  # Enable collection of cgroup metrics from processes on Linux.
+  #process.cgroups.enabled: true
+
+  # A list of regular expressions used to whitelist environment variables
+  # reported with the process metricset's events. Defaults to empty.
+  #process.env.whitelist: []
+
+  # Include the cumulative CPU tick values with the process metrics. Defaults
+  # to false.
+  #process.include_cpu_ticks: false
+
+  # Raid mount point to monitor
+  #raid.mount_point: '/'
+
+  # Configure reverse DNS lookup on remote IP addresses in the socket metricset.
+  #socket.reverse_lookup.enabled: false
+  #socket.reverse_lookup.success_ttl: 60s
+  #socket.reverse_lookup.failure_ttl: 60s
+
+  # Diskio configurations
+  #diskio.include_devices: []
+
+  # Filter systemd services by status or sub-status
+  #service.state_filter: ["active"]
+
+  # Filter systemd services based on a name pattern
+  #service.pattern_filter: ["ssh*", "nfs*"]
+
+  # This option enables the use of performance counters to collect data for cpu/core metricset.
+  # Only effective for Windows.
+  # You should use this option if running beats on machins with more than 64 cores.
+  #use_performance_counters: false
+
+#------------------------------ Aerospike Module ------------------------------
+- module: aerospike
+  metricsets: ["namespace"]
+  enabled: true
+  period: 10s
+  hosts: ["localhost:3000"]
+
+  # Aerospike Cluster Name
+  #cluster_name: myclustername
+
+  # Username of hosts. Empty by default.
+  #username: root
+
+  # Password of hosts. Empty by default.
+  #password: secret
+
+  # Authentication modes: https://aerospike.com/docs/server/guide/security/access-control
+  # Possible values: internal (default), external, pki
+  #auth_mode: internal
+
+  # Optional SSL/TLS (disabled by default)
+  #ssl.enabled: true
+
+  # List of root certificates for SSL/TLS server verification
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.crt"]
+
+  # Certificate for SSL/TLS client authentication
+  #ssl.certificate: "/etc/pki/client/cert.crt"
+
+  # Client certificate key file
+  #ssl.key: "/etc/pki/client/cert.key"
+
+#-------------------------------- Apache Module --------------------------------
+- module: apache
+  metricsets: ["status"]
+  period: 10s
+  enabled: true
+
+  # Apache hosts
+  hosts: ["http://127.0.0.1"]
+
+  # Path to server status. Default server-status
+  #server_status_path: "server-status"
+
+  # Username of hosts.  Empty by default
+  #username: username
+
+  # Password of hosts. Empty by default
+  #password: password
+
+#--------------------------------- Beat Module ---------------------------------
+- module: beat
+  metricsets:
+    - stats
+    - state
+  period: 10s
+  hosts: ["http://localhost:5066"]
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Set to true to send data collected by module to X-Pack
+  # Monitoring instead of metricbeat-* indices.
+  #xpack.enabled: false
+
+#--------------------------------- Ceph Module ---------------------------------
+# Metricsets depending on the Ceph REST API (default port: 5000)
+- module: ceph
+  metricsets: ["cluster_disk", "cluster_health", "monitor_health", "pool_disk", "osd_tree"]
+  period: 10s
+  hosts: ["localhost:5000"]
+  enabled: true
+
+# Metricsets depending on the Ceph Manager Daemon (default port: 8003)
+- module: ceph
+  metricsets:
+    - mgr_cluster_disk
+    - mgr_osd_perf
+    - mgr_pool_disk
+    - mgr_osd_pool_stats
+    - mgr_osd_tree
+  period: 1m
+  hosts: [ "https://localhost:8003" ]
+  #username: "user"
+  #password: "secret"
+
+#-------------------------------- Consul Module --------------------------------
+- module: consul
+  metricsets:
+  - agent
+  enabled: true
+  period: 10s
+  hosts: ["localhost:8500"]
+
+
+#------------------------------ Couchbase Module ------------------------------
+- module: couchbase
+  metricsets: ["bucket", "cluster", "node"]
+  period: 10s
+  hosts: ["localhost:8091"]
+  enabled: true
+
+#------------------------------- CouchDB Module -------------------------------
+- module: couchdb
+  metricsets: ["server"]
+  period: 10s
+  hosts: ["localhost:5984"]
+
+#-------------------------------- Docker Module --------------------------------
+- module: docker
+  metricsets:
+    - "container"
+    - "cpu"
+    - "diskio"
+    - "event"
+    - "healthcheck"
+    - "info"
+    #- "image"
+    - "memory"
+    - "network"
+    #- "network_summary"
+  hosts: ["unix:///var/run/docker.sock"]
+  period: 10s
+  enabled: true
+
+  # If set to true, replace dots in labels with `_`.
+  #labels.dedot: false
+
+  # Docker module supports metrics collection from podman's docker compatible API. In case of podman set to true.
+  # podman: false
+
+  # Skip metrics for certain device major numbers in docker/diskio.
+  # Necessary on systems with software RAID, device mappers,
+  # or other configurations where virtual disks will sum metrics from other disks.
+  # By default, it will skip devices with major numbers 9 or 253.
+  #skip_major: []
+
+  # If set to true, collects metrics per core.
+  #cpu.cores: true
+
+  # To connect to Docker over TLS you must specify a client and CA certificate.
+  #ssl:
+    #certificate_authority: "/etc/pki/root/ca.pem"
+    #certificate:           "/etc/pki/client/cert.pem"
+    #key:                   "/etc/pki/client/cert.key"
+
+#------------------------------ Dropwizard Module ------------------------------
+- module: dropwizard
+  metricsets: ["collector"]
+  period: 10s
+  hosts: ["localhost:8080"]
+  metrics_path: /metrics/metrics
+  namespace: example
+  enabled: true
+
+#---------------------------- Elasticsearch Module ----------------------------
+- module: elasticsearch
+  metricsets:
+    - node
+    - node_stats
+    #- index
+    #- index_recovery
+    #- index_summary
+    #- ingest_pipeline
+    #- shard
+    #- ml_job
+  period: 10s
+  hosts: ["http://localhost:9200"]
+  #username: "elastic"
+  #password: "changeme"
+  #api_key: "foo:bar"
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  #index_recovery.active_only: true
+  #ingest_pipeline.processor_sample_rate: 0.25
+  #xpack.enabled: false
+  #scope: node
+
+#------------------------------ Envoyproxy Module ------------------------------
+- module: envoyproxy
+  metricsets: ["server"]
+  period: 10s
+  hosts: ["localhost:9901"]
+
+#--------------------------------- Etcd Module ---------------------------------
+- module: etcd
+  metricsets: ["leader", "self", "store"]
+  period: 10s
+  hosts: ["localhost:2379"]
+
+#-------------------------------- Golang Module --------------------------------
+- module: golang
+  #metricsets:
+  #  - expvar
+  #  - heap
+  period: 10s
+  hosts: ["localhost:6060"]
+  heap.path: "/debug/vars"
+  expvar:
+    namespace: "example"
+    path: "/debug/vars"
+
+#------------------------------- Graphite Module -------------------------------
+- module: graphite
+  metricsets: ["server"]
+  enabled: true
+
+  # Host address to listen on. Default localhost.
+  #host: localhost
+
+  # Listening port. Default 2003.
+  #port: 2003
+
+  # Protocol to listen on. This can be udp or tcp. Default udp.
+  #protocol: "udp"
+
+  # Receive buffer size in bytes
+  #receive_buffer_size: 1024
+
+  #templates:
+  #  - filter: "test.*.bash.*" # This would match metrics like test.localhost.bash.stats
+  #    namespace: "test"
+  #    template: ".host.shell.metric*" # test.localhost.bash.stats would become metric=stats and tags host=localhost,shell=bash
+  #    delimiter: "_"
+
+
+#------------------------------- HAProxy Module -------------------------------
+- module: haproxy
+  metricsets: ["info", "stat"]
+  period: 10s
+  # TCP socket, UNIX socket, or HTTP address where HAProxy stats are reported
+  # TCP socket
+  hosts: ["tcp://127.0.0.1:14567"]
+  # UNIX socket
+  #hosts: ["unix:///path/to/haproxy.sock"]
+  # Stats page
+  #hosts: ["http://127.0.0.1:14567"]
+  username : "admin"
+  password : "admin"
+  enabled: true
+
+#--------------------------------- HTTP Module ---------------------------------
+- module: http
+  #metricsets:
+  #  - json
+  period: 10s
+  hosts: ["localhost:80"]
+  namespace: "json_namespace"
+  path: "/"
+  #body: ""
+  #method: "GET"
+  #username: "user"
+  #password: "secret"
+  #request.enabled: false
+  #response.enabled: false
+  #json.is_array: false
+  #dedot.enabled: false
+
+- module: http
+  #metricsets:
+  #  - server
+  host: "localhost"
+  port: "8080"
+  enabled: false
+  #paths:
+  #  - path: "/foo"
+  #    namespace: "foo"
+  #    fields: # added to the the response in root. overwrites existing fields
+  #      key: "value"
+
+#------------------------------- Jolokia Module -------------------------------
+- module: jolokia
+  #metricsets: ["jmx"]
+  period: 10s
+  hosts: ["localhost"]
+  namespace: "metrics"
+  #path: "/jolokia/?ignoreErrors=true&canonicalNaming=false"
+  #username: "user"
+  #password: "secret"
+  jmx.mappings:
+    #- mbean: 'java.lang:type=Runtime'
+    #  attributes:
+    #    - attr: Uptime
+    #      field: uptime
+    #- mbean: 'java.lang:type=Memory'
+    #  attributes:
+    #    - attr: HeapMemoryUsage
+    #      field: memory.heap_usage
+    #    - attr: NonHeapMemoryUsage
+    #      field: memory.non_heap_usage
+    # GC Metrics - this depends on what is available on your JVM
+    #- mbean: 'java.lang:type=GarbageCollector,name=ConcurrentMarkSweep'
+    #  attributes:
+    #    - attr: CollectionTime
+    #      field: gc.cms_collection_time
+    #    - attr: CollectionCount
+    #      field: gc.cms_collection_count
+
+  jmx.application:
+  jmx.instance:
+
+#-------------------------------- Kafka Module --------------------------------
+# Kafka metrics collected using the Kafka protocol
+- module: kafka
+  #metricsets:
+  #  - partition
+  #  - consumergroup
+  period: 10s
+  hosts: ["localhost:9092"]
+
+  #client_id: metricbeat
+  #retries: 3
+  #backoff: 250ms
+
+  # List of Topics to query metadata for. If empty, all topics will be queried.
+  #topics: []
+
+  # Optional SSL. By default is off.
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client Certificate Key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Client Certificate Passphrase (in case your Client Certificate Key is encrypted)
+  #ssl.key_passphrase: "yourKeyPassphrase"
+
+  # SASL authentication
+  #username: ""
+  #password: ""
+
+  # SASL authentication mechanism used. Can be one of PLAIN, SCRAM-SHA-256 or SCRAM-SHA-512.
+  # Defaults to PLAIN when `username` and `password` are configured.
+  #sasl.mechanism: ''
+
+# Metrics collected from a Kafka broker using Jolokia
+#- module: kafka
+#  metricsets:
+#    - broker
+#  period: 10s
+#  hosts: ["localhost:8779"]
+
+# Metrics collected from a Java Kafka consumer using Jolokia
+#- module: kafka
+#  metricsets:
+#    - consumer
+#  period: 10s
+#  hosts: ["localhost:8774"]
+
+# Metrics collected from a Java Kafka producer using Jolokia
+#- module: kafka
+#  metricsets:
+#    - producer
+#  period: 10s
+#  hosts: ["localhost:8775"]
+
+#-------------------------------- Kibana Module --------------------------------
+- module: kibana
+  metricsets: ["status"]
+  period: 10s
+  hosts: ["localhost:5601"]
+  basepath: ""
+  enabled: true
+  #username: "user"
+  #password: "secret"
+  #api_key: "foo:bar"
+
+  # Set to true to send data collected by module to X-Pack
+  # Monitoring instead of metricbeat-* indices.
+  #xpack.enabled: false
+
+#------------------------------ Kubernetes Module ------------------------------
+# Node metrics, from kubelet:
+- module: kubernetes
+  metricsets:
+    - container
+    - node
+    - pod
+    - system
+    - volume
+  period: 10s
+  enabled: true
+  hosts: ["https://${NODE_NAME}:10250"]
+  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+  ssl.verification_mode: "none"
+  #ssl.certificate_authorities:
+  #  - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Enriching parameters:
+  add_metadata: true
+  # If kube_config is not set, KUBECONFIG environment variable will be checked
+  # and if not present it will fall back to InCluster
+  #kube_config: ~/.kube/config
+  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+  use_kubeadm: true
+  #include_labels: []
+  #exclude_labels: []
+  #include_annotations: []
+  #labels.dedot: true
+  #annotations.dedot: true
+
+  # When used outside the cluster:
+  #node: node_name
+
+  # To configure additionally node and namespace metadata `add_resource_metadata` can be defined.
+  # By default all labels will be included while annotations are not added by default.
+  # add_resource_metadata:
+  #   namespace:
+  #     include_labels: ["namespacelabel1"]
+  #   node:
+  #     include_labels: ["nodelabel2"]
+  #     include_annotations: ["nodeannotation1"]
+  #   deployment: false
+  #   cronjob: false
+  # Kubernetes client QPS and burst can be configured additionally
+  #kube_client_options:
+  #  qps: 5
+  #  burst: 10
+
+# State metrics from kube-state-metrics service:
+- module: kubernetes
+  enabled: true
+  metricsets:
+    - state_node
+    - state_daemonset
+    - state_deployment
+    - state_replicaset
+    - state_statefulset
+    - state_pod
+    - state_container
+    - state_job
+    - state_cronjob
+    - state_resourcequota
+    - state_service
+    - state_persistentvolume
+    - state_persistentvolumeclaim
+    - state_storageclass
+    # Uncomment this to get k8s events:
+    #- event  period: 10s
+  hosts: ["kube-state-metrics:8080"]
+
+  # Enriching parameters:
+  add_metadata: true
+  # If kube_config is not set, KUBECONFIG environment variable will be checked
+  # and if not present it will fall back to InCluster
+  #kube_config: ~/.kube/config
+  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+  use_kubeadm: true
+  #include_labels: []
+  #exclude_labels: []
+  #include_annotations: []
+  #labels.dedot: true
+  #annotations.dedot: true
+
+  # When used outside the cluster:
+  #node: node_name
+
+  # Set the namespace to watch for resources
+  #namespace: staging
+
+  # To configure additionally node and namespace metadata `add_resource_metadata` can be defined.
+  # By default all labels will be included while annotations are not added by default.
+  # add_resource_metadata:
+  #   namespace:
+  #     include_labels: ["namespacelabel1"]
+  #   node:
+  #     include_labels: ["nodelabel2"]
+  #     include_annotations: ["nodeannotation1"]
+  #   deployment: false
+  #   cronjob: false
+  # Kubernetes client QPS and burst can be configured additionally
+  #kube_client_options:
+  #  qps: 5
+  #  burst: 10
+
+# Kubernetes Events
+- module: kubernetes
+  enabled: true
+  metricsets:
+    - event
+  period: 10s
+  # Skip events older than Metricbeat's statup time is enabled by default.
+  # Setting to false the skip_older setting will stop filtering older events.
+  # This setting is also useful went Event's timestamps are not populated properly.
+  #skip_older: false
+  # If kube_config is not set, KUBECONFIG environment variable will be checked
+  # and if not present it will fall back to InCluster
+  #kube_config: ~/.kube/config
+  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+  use_kubeadm: true
+  # Set the namespace to watch for events
+  #namespace: staging
+  # Set the sync period of the watchers
+  #sync_period: 10m
+  # Kubernetes client QPS and burst can be configured additionally
+  #kube_client_options:
+  #  qps: 5
+  #  burst: 10
+
+# Kubernetes API server
+# (when running metricbeat as a deployment)
+- module: kubernetes
+  enabled: true
+  metricsets:
+    - apiserver
+  hosts: ["https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"]
+  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+  ssl.certificate_authorities:
+    - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+  period: 30s
+  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+  use_kubeadm: true
+
+# Kubernetes proxy server
+# (when running metricbeat locally at hosts or as a daemonset + host network)
+- module: kubernetes
+  enabled: true
+  metricsets:
+    - proxy
+  hosts: ["localhost:10249"]
+  period: 10s
+  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+  use_kubeadm: true
+
+# Kubernetes controller manager
+# (URL and deployment method should be adapted to match the controller manager deployment / service / endpoint)
+- module: kubernetes
+  enabled: true
+  metricsets:
+    - controllermanager
+  hosts: ["http://localhost:10252"]
+  period: 10s
+  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+  use_kubeadm: true
+
+# Kubernetes scheduler
+# (URL and deployment method should be adapted to match scheduler deployment / service / endpoint)
+- module: kubernetes
+  enabled: true
+  metricsets:
+    - scheduler
+  hosts: ["localhost:10251"]
+  period: 10s
+  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+  use_kubeadm: true
+
+#--------------------------------- KVM Module ---------------------------------
+- module: kvm
+  metricsets: ["dommemstat", "status"]
+  enabled: true
+  period: 10s
+  hosts: ["unix:///var/run/libvirt/libvirt-sock"]
+  # For remote hosts, setup network access in libvirtd.conf
+  # and use the tcp scheme:
+  # hosts: [ "tcp://<host>:16509" ]
+
+  # Timeout to connect to Libvirt server
+  #timeout: 1s
+
+#-------------------------------- Linux Module --------------------------------
+- module: linux
+  period: 10s
+  metricsets:
+    - "pageinfo"
+    - "memory"
+    # - ksm
+    # - conntrack
+    # - iostat
+    # - pressure
+    # - rapl
+  enabled: true
+  #hostfs: /hostfs
+  #rapl.use_msr_safe: false
+
+
+#------------------------------- Logstash Module -------------------------------
+- module: logstash
+  metricsets: ["node", "node_stats"]
+  enabled: true
+  period: 10s
+  hosts: ["localhost:9600"]
+
+#------------------------------ Memcached Module ------------------------------
+- module: memcached
+  metricsets: ["stats"]
+  period: 10s
+  hosts: ["localhost:11211"]
+  enabled: true
+
+#------------------------------- MongoDB Module -------------------------------
+- module: mongodb
+  metricsets: ["dbstats", "status", "collstats", "metrics", "replstatus"]
+  period: 10s
+  enabled: true
+
+  # The hosts must be passed as MongoDB URLs in the format:
+  # [mongodb://][user:pass@]host[:port].
+  # The username and password can also be set using the respective configuration
+  # options. The credentials in the URL take precedence over the username and
+  # password configuration options.
+  hosts: ["localhost:27017"]
+
+  # Optional SSL. By default is off.
+  #ssl.enabled: true
+
+  # Mode of verification of server certificate ('none' or 'full')
+  #ssl.verification_mode: 'full'
+
+  # List of root certificates for TLS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client Certificate Key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Username to use when connecting to MongoDB. Empty by default.
+  #username: user
+
+  # Password to use when connecting to MongoDB. Empty by default.
+  #password: pass
+
+#-------------------------------- Munin Module --------------------------------
+- module: munin
+  metricsets: ["node"]
+  enabled: true
+  period: 10s
+  hosts: ["localhost:4949"]
+
+  # List of plugins to collect metrics from, by default it collects from
+  # all the available ones.
+  #munin.plugins: []
+
+  # If set to true, it sanitizes fields names in concordance with munin
+  # implementation (all characters that are not alphanumeric, or underscore
+  # are replaced by underscores).
+  #munin.sanitize: false
+
+#-------------------------------- MySQL Module --------------------------------
+- module: mysql
+  metricsets:
+    - status
+  #  - galera_status
+  #  - performance
+  #  - query
+  period: 10s
+
+  # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/"
+  # or "unix(/var/lib/mysql/mysql.sock)/",
+  # or another DSN format supported by <https://github.com/Go-SQL-Driver/MySQL/>.
+  # The username and password can either be set in the DSN or using the username
+  # and password config options. Those specified in the DSN take precedence.
+  hosts: ["root:secret@tcp(127.0.0.1:3306)/"]
+
+  # Username of hosts. Empty by default.
+  #username: root
+
+  # Password of hosts. Empty by default.
+  #password: secret
+
+  # By setting raw to true, all raw fields from the status metricset will be added to the event.
+  #raw: false
+
+  # Optional SSL/TLS. By default is false.
+  #ssl.enabled: true
+
+  # List of root certificates for SSL/TLS server verification
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.crt"]
+
+  # Certificate for SSL/TLS client authentication
+  #ssl.certificate: "/etc/pki/client/cert.crt"
+
+  # Client certificate key file
+  #ssl.key: "/etc/pki/client/cert.key"
+
+#--------------------------------- NATS Module ---------------------------------
+- module: nats
+  metricsets:
+    - "connections"
+    - "routes"
+    - "stats"
+    - "subscriptions"
+    #- "connection"
+    #- "route"
+  period: 10s
+  hosts: ["localhost:8222"]
+  #stats.metrics_path: "/varz"
+  #connections.metrics_path: "/connz"
+  #routes.metrics_path: "/routez"
+  #subscriptions.metrics_path: "/subsz"
+  #connection.metrics_path: "/connz"
+  #route.metrics_path: "/routez"
+
+#-------------------------------- Nginx Module --------------------------------
+- module: nginx
+  metricsets: ["stubstatus"]
+  enabled: true
+  period: 10s
+
+  # Nginx hosts
+  hosts: ["http://127.0.0.1"]
+
+  # Path to server status. Default nginx_status
+  server_status_path: "nginx_status"
+
+#----------------------------- Openmetrics Module -----------------------------
+- module: openmetrics
+  metricsets: ['collector']
+  period: 10s
+  hosts: ['localhost:9090']
+
+  # This module uses the Prometheus collector metricset, all
+  # the options for this metricset are also available here.
+  metrics_path: /metrics
+  metrics_filters:
+    include: []
+    exclude: []
+
+#------------------------------- PHP_FPM Module -------------------------------
+- module: php_fpm
+  metricsets:
+  - pool
+  #- process
+  enabled: true
+  period: 10s
+  status_path: "/status"
+  hosts: ["localhost:8080"]
+
+#------------------------------ PostgreSQL Module ------------------------------
+- module: postgresql
+  enabled: true
+  metricsets:
+    # Stats about every PostgreSQL database
+    - database
+
+    # Stats about the background writer process's activity
+    - bgwriter
+
+    # Stats about every PostgreSQL process
+    - activity
+
+    # Stats about every statement executed in the server. It requires the
+    # `pg_stats_statement` library to be configured in the server.
+    #- statement
+
+  period: 10s
+
+  # The host must be passed as PostgreSQL URL. Example:
+  # postgres://localhost:5432?sslmode=disable
+  # The available parameters are documented here:
+  # https://godoc.org/github.com/lib/pq#hdr-Connection_String_Parameters
+  hosts: ["postgres://localhost:5432"]
+
+  # Username to use when connecting to PostgreSQL. Empty by default.
+  #username: user
+
+  # Password to use when connecting to PostgreSQL. Empty by default.
+  #password: pass
+
+#------------------------------ Prometheus Module ------------------------------
+# Metrics collected from a Prometheus endpoint
+- module: prometheus
+  period: 10s
+  metricsets: ["collector"]
+  hosts: ["localhost:9090"]
+  metrics_path: /metrics
+  #metrics_filters:
+  #  include: []
+  #  exclude: []
+  #username: "user"
+  #password: "secret"
+
+  # Count number of metrics present in Elasticsearch document (default: false)
+  #metrics_count: false
+
+  # This can be used for service account based authorization:
+  #bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+  #ssl.certificate_authorities:
+  #  - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+
+
+# Metrics sent by a Prometheus server using remote_write option
+#- module: prometheus
+#  metricsets: ["remote_write"]
+#  host: "localhost"
+#  port: "9201"
+
+  # Count number of metrics present in Elasticsearch document (default: false)
+  #metrics_count: false
+
+  # Secure settings for the server using TLS/SSL:
+  #ssl.certificate: "/etc/pki/server/cert.pem"
+  #ssl.key: "/etc/pki/server/cert.key"
+
+# Metrics that will be collected using a PromQL
+#- module: prometheus
+#  metricsets: ["query"]
+#  hosts: ["localhost:9090"]
+#  period: 10s
+#  queries:
+#  - name: "instant_vector"
+#    path: "/api/v1/query"
+#    params:
+#      query: "sum(rate(prometheus_http_requests_total[1m]))"
+#  - name: "range_vector"
+#    path: "/api/v1/query_range"
+#    params:
+#      query: "up"
+#      start: "2019-12-20T00:00:00.000Z"
+#      end:  "2019-12-21T00:00:00.000Z"
+#      step: 1h
+#  - name: "scalar"
+#    path: "/api/v1/query"
+#    params:
+#      query: "100"
+#  - name: "string"
+#    path: "/api/v1/query"
+#    params:
+#      query: "some_value"
+
+#------------------------------- RabbitMQ Module -------------------------------
+- module: rabbitmq
+  metricsets: ["node", "queue", "connection", "exchange", "shovel"]
+  enabled: true
+  period: 10s
+  hosts: ["localhost:15672"]
+
+  # Management path prefix, if `management.path_prefix` is set in RabbitMQ
+  # configuration, it has to be set to the same value.
+  #management_path_prefix: ""
+
+  #username: guest
+  #password: guest
+
+#-------------------------------- Redis Module --------------------------------
+- module: redis
+  metricsets: ["info", "keyspace"]
+  enabled: true
+  period: 10s
+
+  # Redis hosts
+  hosts: ["127.0.0.1:6379"]
+
+  # Timeout after which time a metricset should return an error
+  # Timeout is by default defined as period, as a fetch of a metricset
+  # should never take longer then period, as otherwise calls can pile up.
+  #timeout: 1s
+
+  # Optional fields to be added to each event
+  #fields:
+  #  datacenter: west
+
+  # Network type to be used for redis connection. Default: tcp
+  #network: tcp
+
+  # Max number of concurrent connections. Default: 10
+  #maxconn: 10
+
+  # Filters can be used to reduce the number of fields sent.
+  #processors:
+  #  - include_fields:
+  #      fields: ["beat", "metricset", "redis.info.stats"]
+
+  # Redis AUTH username (Redis 6.0+). Empty by default.
+  #username: user
+
+  # Redis AUTH password. Empty by default.
+  #password: pass
+
+  # Optional SSL/TLS (Redis 6.0+). By default is false.
+  #ssl.enabled: true
+
+  # List of root certificates for SSL/TLS server verification
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.crt"]
+
+  # Certificate for SSL/TLS client authentication
+  #ssl.certificate: "/etc/pki/client/cert.crt"
+
+  # Client certificate key file
+  #ssl.key: "/etc/pki/client/cert.key"
+
+#------------------------------- Traefik Module -------------------------------
+- module: traefik
+  metricsets: ["health"]
+  period: 10s
+  hosts: ["localhost:8080"]
+
+#-------------------------------- UWSGI Module --------------------------------
+- module: uwsgi
+  metricsets: ["status"]
+  enable: true
+  period: 10s
+  hosts: ["tcp://127.0.0.1:9191"]
+
+#------------------------------- VSphere Module -------------------------------
+- module: vsphere
+  enabled: true
+  metricsets: ["cluster", "datastore", "datastorecluster", "host", "network", "resourcepool", "virtualmachine"]
+
+  # Real-time data collection – An ESXi Server collects data for each performance counter every 20 seconds by default.
+  # Supported Periods:
+  # The Datastore and Host metricsets support performance data collection using the vSphere performance API.
+  # Since the performance API has usage restrictions based on data collection intervals,
+  # users should ensure that the period is configured optimally to receive real-time data.
+  # users can still collect summary metrics if performance metrics are not supported for the configured instance.
+  # This configuration can be determined based on the Data Collection Intervals and Data Collection Levels.
+  # Reference Links:
+  # Data Collection Intervals: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-247646EA-A04B-411A-8DD4-62A3DCFCF49B.html
+  # Data Collection Levels: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-25800DE4-68E5-41CC-82D9-8811E27924BC.html
+  period: 20s
+  hosts: ["https://localhost/sdk"]
+
+  username: "user"
+  password: "password"
+  # If insecure is true, don't verify the server's certificate chain
+  insecure: false
+  # Get custom fields when using virtualmachine metricset. Default false.
+  # get_custom_fields: false
+
+#------------------------------- Windows Module -------------------------------
+- module: windows
+  metricsets: ["perfmon"]
+  enabled: true
+  period: 10s
+  perfmon.ignore_non_existent_counters: false
+  perfmon.group_measurements_by_instance: false
+  perfmon.queries:
+#  - object: 'Process'
+#    instance: ["*"]
+#    counters:
+#    - name: '% Processor Time'
+#      field: cpu_usage
+#      format: "float"
+#    - name: "Thread Count"
+
+- module: windows
+  metricsets: ["service"]
+  enabled: true
+  period: 60s
+
+- module: windows
+  metricsets: ["wmi"]
+  period: 60s
+  wmi:
+    include_null: false          # Exclude fields with null values from the output
+    include_queries: false       # Do not include the query string in the output
+    include_empty_string: false  # Exclude fields with empty string values from the output
+    warning_threshold: 30s       # Maximum time to wait for a query result before logging a warning (defaults to period)
+    # Default WMI namespace for all queries (if not specified per query)
+    # Uncomment to override the default, which is "root\\cimv2".
+    # namespace: "root\\cimv2"
+    queries:
+    - class: Win32_OperatingSystem # FROM: Class to fetch
+      fields:                      # SELECT: Fields to retrieve for this WMI class. Omit the setting to fetch all properties
+       - FreePhysicalMemory
+       - FreeSpaceInPagingFiles
+       - FreeVirtualMemory
+       - LocalDateTime
+       - NumberOfUsers
+      where: ""                   # Optional WHERE clause to filter query results
+      # Override the WMI namespace for this specific query (optional).
+      # If set, this takes precedence over the default namespace above.
+      # namespace: "root\\cimv2" # Overrides the metric
+
+#------------------------------ ZooKeeper Module ------------------------------
+- module: zookeeper
+  enabled: true
+  metricsets: ["mntr", "server"]
+  period: 10s
+  hosts: ["localhost:2181"]
+
+
+
+
+# ================================== General ===================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+# If this option is not defined, the hostname is used.
+#name:
+
+# The tags of the shipper are included in their field with each
+# transaction published. Tags make it easy to group servers by different
+# logical properties.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output. Fields can be scalar values, arrays, dictionaries, or any nested
+# combination of these.
+#fields:
+#  env: staging
+
+# If this option is set to true, the custom fields are stored as top-level
+# fields in the output document instead of being grouped under a field
+# sub-dictionary. Default is false.
+#fields_under_root: false
+
+# Configure the precision of all timestamps in Metricbeat.
+# Available options: millisecond, microsecond, nanosecond
+#timestamp.precision: millisecond
+
+# Internal queue configuration for buffering events to be published.
+# Queue settings may be overridden by performance presets in the
+# Elasticsearch output. To configure them manually use "preset: custom".
+#queue:
+  # Queue type by name (default 'mem')
+  # The memory queue will present all available events (up to the outputs
+  # bulk_max_size) to the output, the moment the output is ready to serve
+  # another batch of events.
+  #mem:
+    # Max number of events the queue can buffer.
+    #events: 3200
+
+    # Hints the minimum number of events stored in the queue,
+    # before providing a batch of events to the outputs.
+    # The default value is set to 2048.
+    # A value of 0 ensures events are immediately available
+    # to be sent to the outputs.
+    #flush.min_events: 1600
+
+    # Maximum duration after which events are available to the outputs,
+    # if the number of events stored in the queue is < `flush.min_events`.
+    #flush.timeout: 10s
+
+  # The disk queue stores incoming events on disk until the output is
+  # ready for them. This allows a higher event limit than the memory-only
+  # queue and lets pending events persist through a restart.
+  #disk:
+    # The directory path to store the queue's data.
+    #path: "${path.data}/diskqueue"
+
+    # The maximum space the queue should occupy on disk. Depending on
+    # input settings, events that exceed this limit are delayed or discarded.
+    #max_size: 10GB
+
+    # The maximum size of a single queue data file. Data in the queue is
+    # stored in smaller segments that are deleted after all their events
+    # have been processed.
+    #segment_size: 1GB
+
+    # The number of events to read from disk to memory while waiting for
+    # the output to request them.
+    #read_ahead: 512
+
+    # The number of events to accept from inputs while waiting for them
+    # to be written to disk. If event data arrives faster than it
+    # can be written to disk, this setting prevents it from overflowing
+    # main memory.
+    #write_ahead: 2048
+
+    # The duration to wait before retrying when the queue encounters a disk
+    # write error.
+    #retry_interval: 1s
+
+    # The maximum length of time to wait before retrying on a disk write
+    # error. If the queue encounters repeated errors, it will double the
+    # length of its retry interval each time, up to this maximum.
+    #max_retry_interval: 30s
+
+# Sets the maximum number of CPUs that can be executed simultaneously. The
+# default is the number of logical CPUs available in the system.
+#max_procs:
+
+# ================================= Processors =================================
+
+# Processors are used to reduce the number of fields in the exported event or to
+# enhance the event with external metadata. This section defines a list of
+# processors that are applied one by one and the first one receives the initial
+# event:
+#
+#   event -> filter1 -> event1 -> filter2 ->event2 ...
+#
+# The supported processors are drop_fields, drop_event, include_fields,
+# decode_json_fields, and add_cloud_metadata.
+#
+# For example, you can use the following processors to keep the fields that
+# contain CPU load percentages, but remove the fields that contain CPU ticks
+# values:
+#
+#processors:
+#  - include_fields:
+#      fields: ["cpu"]
+#  - drop_fields:
+#      fields: ["cpu.user", "cpu.system"]
+#
+# The following example drops the events that have the HTTP response code 200:
+#
+#processors:
+#  - drop_event:
+#      when:
+#        equals:
+#          http.code: 200
+#
+# The following example renames the field a to b:
+#
+#processors:
+#  - rename:
+#      fields:
+#        - from: "a"
+#          to: "b"
+#
+# The following example tokenizes the string into fields:
+#
+#processors:
+#  - dissect:
+#      tokenizer: "%{key1} - %{key2}"
+#      field: "message"
+#      target_prefix: "dissect"
+#
+# The following example enriches each event with metadata from the cloud
+# provider about the host machine. It works on EC2, GCE, DigitalOcean,
+# Tencent Cloud, and Alibaba Cloud.
+#
+#processors:
+#  - add_cloud_metadata: ~
+#
+# The following example enriches each event with the machine's local time zone
+# offset from UTC.
+#
+#processors:
+#  - add_locale:
+#      format: offset
+#
+# The following example enriches each event with docker metadata, it matches
+# given fields to an existing container id and adds info from that container:
+#
+#processors:
+#  - add_docker_metadata:
+#      host: "unix:///var/run/docker.sock"
+#      match_fields: ["system.process.cgroup.id"]
+#      match_pids: ["process.pid", "process.parent.pid"]
+#      match_source: true
+#      match_source_index: 4
+#      match_short_id: false
+#      cleanup_timeout: 60
+#      labels.dedot: false
+#      # To connect to Docker over TLS you must specify a client and CA certificate.
+#      #ssl:
+#      #  certificate_authority: "/etc/pki/root/ca.pem"
+#      #  certificate:           "/etc/pki/client/cert.pem"
+#      #  key:                   "/etc/pki/client/cert.key"
+#
+# The following example enriches each event with docker metadata, it matches
+# container id from log path available in `source` field (by default it expects
+# it to be /var/lib/docker/containers/*/*.log).
+#
+#processors:
+#  - add_docker_metadata: ~
+#
+# The following example enriches each event with host metadata.
+#
+#processors:
+#  - add_host_metadata: ~
+#
+# The following example enriches each event with process metadata using
+# process IDs included in the event.
+#
+#processors:
+#  - add_process_metadata:
+#      match_pids: ["system.process.ppid"]
+#      target: system.process.parent
+#
+# The following example decodes fields containing JSON strings
+# and replaces the strings with valid JSON objects.
+#
+#processors:
+#  - decode_json_fields:
+#      fields: ["field1", "field2", ...]
+#      process_array: false
+#      max_depth: 1
+#      target: ""
+#      overwrite_keys: false
+#
+#processors:
+#  - decompress_gzip_field:
+#      from: "field1"
+#      to: "field2"
+#      ignore_missing: false
+#      fail_on_error: true
+#
+# The following example copies the value of the message to message_copied
+#
+#processors:
+#  - copy_fields:
+#      fields:
+#        - from: message
+#          to: message_copied
+#      fail_on_error: true
+#      ignore_missing: false
+#
+# The following example truncates the value of the message to 1024 bytes
+#
+#processors:
+#  - truncate_fields:
+#      fields:
+#        - message
+#      max_bytes: 1024
+#      fail_on_error: false
+#      ignore_missing: true
+#
+# The following example preserves the raw message under event.original
+#
+#processors:
+#  - copy_fields:
+#      fields:
+#        - from: message
+#          to: event.original
+#      fail_on_error: false
+#      ignore_missing: true
+#  - truncate_fields:
+#      fields:
+#        - event.original
+#      max_bytes: 1024
+#      fail_on_error: false
+#      ignore_missing: true
+#
+# The following example URL-decodes the value of field1 to field2
+#
+#processors:
+#  - urldecode:
+#      fields:
+#        - from: "field1"
+#          to: "field2"
+#      ignore_missing: false
+#      fail_on_error: true
+
+# =============================== Elastic Cloud ================================
+
+# These settings simplify using Metricbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+# ================================== Outputs ===================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+# ---------------------------- Elasticsearch Output ----------------------------
+output.elasticsearch:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Array of hosts to connect to.
+  # Scheme and port can be left out and will be set to the default (http and 9200)
+  # In case you specify and additional path, the scheme is required: http://localhost:9200/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+  hosts: ["localhost:9200"]
+
+  # Performance presets configure other output fields to recommended values
+  # based on a performance priority.
+  # Options are "balanced", "throughput", "scale", "latency" and "custom".
+  # Default if unspecified: "custom"
+  preset: balanced
+
+  # Set gzip compression level. Set to 0 to disable compression.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 1.
+  #compression_level: 1
+
+  # Configure escaping HTML symbols in strings.
+  #escape_html: false
+
+  # Protocol - either `http` (default) or `https`.
+  #protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
+  #username: "elastic"
+  #password: "changeme"
+
+  # Dictionary of HTTP parameters to pass within the URL with index operations.
+  #parameters:
+    #param1: value1
+    #param2: value2
+
+  # Number of workers per Elasticsearch host.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  #worker: 1
+
+  # If set to true and multiple hosts are configured, the output plugin load
+  # balances published events onto all Elasticsearch hosts. If set to false,
+  # the output plugin sends all events to only one host (determined at random)
+  # and will switch to another host if the currently selected one becomes
+  # unreachable. The default value is true.
+  #loadbalance: true
+
+  # Optional data stream or index name. The default is "metricbeat-%{[agent.version]}".
+  # In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly.
+  #index: "metricbeat-%{[agent.version]}"
+
+  # Optional ingest pipeline. By default, no pipeline will be used.
+  #pipeline: ""
+
+  # Optional HTTP path
+  #path: "/elasticsearch"
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Proxy server URL
+  #proxy_url: http://proxy:3128
+
+  # Whether to disable proxy settings for outgoing connections. If true, this
+  # takes precedence over both the proxy_url field and any environment settings
+  # (HTTP_PROXY, HTTPS_PROXY). The default is false.
+  #proxy_disable: false
+
+  # The number of times a particular Elasticsearch index operation is attempted. If
+  # the indexing operation doesn't succeed after this many retries, the events are
+  # dropped. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 1600.
+  #bulk_max_size: 1600
+
+  # The number of seconds to wait before trying to reconnect to Elasticsearch
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Elasticsearch after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum amount of time an idle connection will remain idle
+  # before closing itself.  Zero means use the default of 60s. The
+  # format is a Go language duration (example 60s is 60 seconds).
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 3s.
+  # idle_connection_timeout: 3s
+
+  # Configure HTTP request timeout before failing a request to Elasticsearch.
+  #timeout: 90
+
+  # Prevents metricbeat from connecting to older Elasticsearch versions when set to `false`
+  #allow_older_versions: true
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+  # Enables restarting metricbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/elastic.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+
+# ------------------------------ Logstash Output -------------------------------
+#output.logstash:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # The Logstash hosts
+  #hosts: ["localhost:5044"]
+
+  # Number of workers per Logstash host.
+  #worker: 1
+
+  # Set gzip compression level.
+  #compression_level: 3
+
+  # Configure escaping HTML symbols in strings.
+  #escape_html: false
+
+  # Optional maximum time to live for a connection to Logstash, after which the
+  # connection will be re-established.  A value of `0s` (the default) will
+  # disable this feature.
+  #
+  # Not yet supported for async connections (i.e. with the "pipelining" option set)
+  #ttl: 30s
+
+  # Optionally load-balance events between Logstash hosts. Default is false.
+  #loadbalance: false
+
+  # Number of batches to be sent asynchronously to Logstash while processing
+  # new batches.
+  #pipelining: 2
+
+  # If enabled only a subset of events in a batch of events is transferred per
+  # transaction.  The number of events to be sent increases up to `bulk_max_size`
+  # if no error is encountered.
+  #slow_start: false
+
+  # The number of seconds to wait before trying to reconnect to Logstash
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Logstash after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # Optional index name. The default index name is set to metricbeat
+  # in all lowercase.
+  #index: 'metricbeat'
+
+  # SOCKS5 proxy server URL
+  #proxy_url: socks5://user:password@socks5-server:2233
+
+  # Resolve names locally when using a proxy server. Defaults to false.
+  #proxy_use_local_resolver: false
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting metricbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, the events are typically dropped.
+  # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
+  # and retry until all events are published.  Set max_retries to a value less
+  # than 0 to retry until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Logstash request. The
+  # default is 2048.
+  #bulk_max_size: 2048
+
+  # The number of seconds to wait for responses from the Logstash server before
+  # timing out. The default is 30s.
+  #timeout: 30s
+
+# -------------------------------- Kafka Output --------------------------------
+#output.kafka:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # The list of Kafka broker addresses from which to fetch the cluster metadata.
+  # The cluster metadata contain the actual Kafka brokers events are published
+  # to.
+  #hosts: ["localhost:9092"]
+
+  # The Kafka topic used for produced events. The setting can be a format string
+  # using any event field. To set the topic from document type use `%{[type]}`.
+  #topic: beats
+
+  # The Kafka event key setting. Use format string to create a unique event key.
+  # By default no event key will be generated.
+  #key: ''
+
+  # The Kafka event partitioning strategy. Default hashing strategy is `hash`
+  # using the `output.kafka.key` setting or randomly distributes events if
+  # `output.kafka.key` is not configured.
+  #partition.hash:
+    # If enabled, events will only be published to partitions with reachable
+    # leaders. Default is false.
+    #reachable_only: false
+
+    # Configure alternative event field names used to compute the hash value.
+    # If empty `output.kafka.key` setting will be used.
+    # Default value is empty list.
+    #hash: []
+
+  # Authentication details. Password is required if username is set.
+  #username: ''
+  #password: ''
+
+  # SASL authentication mechanism used. Can be one of PLAIN, SCRAM-SHA-256 or SCRAM-SHA-512.
+  # Defaults to PLAIN when `username` and `password` are configured.
+  #sasl.mechanism: ''
+
+  # Kafka version Metricbeat is assumed to run against. Defaults to the "1.0.0".
+  #version: '1.0.0'
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # Metadata update configuration. Metadata contains leader information
+  # used to decide which broker to use when publishing.
+  #metadata:
+    # Max metadata request retry attempts when cluster is in middle of leader
+    # election. Defaults to 3 retries.
+    #retry.max: 3
+
+    # Wait time between retries during leader elections. Default is 250ms.
+    #retry.backoff: 250ms
+
+    # Refresh metadata interval. Defaults to every 10 minutes.
+    #refresh_frequency: 10m
+
+    # Strategy for fetching the topics metadata from the broker. Default is false.
+    #full: false
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, events are typically dropped.
+  # Some Beats, such as Filebeat, ignore the max_retries setting and retry until
+  # all events are published.  Set max_retries to a value less than 0 to retry
+  # until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The number of seconds to wait before trying to republish to Kafka
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to republish. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful publish, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to republish to
+  # Kafka after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum number of events to bulk in a single Kafka request. The default
+  # is 2048.
+  #bulk_max_size: 2048
+
+  # Duration to wait before sending bulk Kafka request. 0 is no delay. The default
+  # is 0.
+  #bulk_flush_frequency: 0s
+
+  # The number of seconds to wait for responses from the Kafka brokers before
+  # timing out. The default is 30s.
+  #timeout: 30s
+
+  # The maximum duration a broker will wait for number of required ACKs. The
+  # default is 10s.
+  #broker_timeout: 10s
+
+  # The number of messages buffered for each Kafka broker. The default is 256.
+  #channel_buffer_size: 256
+
+  # The keep-alive period for an active network connection. If 0s, keep-alives
+  # are disabled. The default is 0 seconds.
+  #keep_alive: 0
+
+  # Sets the output compression codec. Must be one of none, snappy and gzip. The
+  # default is gzip.
+  #compression: gzip
+
+  # Set the compression level. Currently only gzip provides a compression level
+  # between 0 and 9. The default value is chosen by the compression algorithm.
+  #compression_level: 4
+
+  # The maximum permitted size of JSON-encoded messages. Bigger messages will be
+  # dropped. The default value is 1000000 (bytes). This value should be equal to
+  # or less than the broker's message.max.bytes.
+  #max_message_bytes: 1000000
+
+  # The ACK reliability level required from broker. 0=no response, 1=wait for
+  # local commit, -1=wait for all replicas to commit. The default is 1.  Note:
+  # If set to 0, no ACKs are returned by Kafka. Messages might be lost silently
+  # on error.
+  #required_acks: 1
+
+  # The configurable ClientID used for logging, debugging, and auditing
+  # purposes.  The default is "beats".
+  #client_id: beats
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting metricbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/security/keytabs/kafka.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # The service name. Service principal name is contructed from
+  # service_name/hostname@realm.
+  #kerberos.service_name: kafka
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+  # Enables Kerberos FAST authentication. This may
+  # conflict with certain Active Directory configurations.
+  #kerberos.enable_krb5_fast: false
+
+# -------------------------------- Redis Output --------------------------------
+#output.redis:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty print json event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # The list of Redis servers to connect to. If load-balancing is enabled, the
+  # events are distributed to the servers in the list. If one server becomes
+  # unreachable, the events are distributed to the reachable servers only.
+  # The hosts setting supports redis and rediss urls with custom password like
+  # redis://:password@localhost:6379.
+  #hosts: ["localhost:6379"]
+
+  # The name of the Redis list or channel the events are published to. The
+  # default is metricbeat.
+  #key: metricbeat
+
+  # The password to authenticate to Redis with. The default is no authentication.
+  #password:
+
+  # The Redis database number where the events are published. The default is 0.
+  #db: 0
+
+  # The Redis data type to use for publishing events. If the data type is list,
+  # the Redis RPUSH command is used. If the data type is channel, the Redis
+  # PUBLISH command is used. The default value is list.
+  #datatype: list
+
+  # The number of workers to use for each host configured to publish events to
+  # Redis. Use this setting along with the loadbalance option. For example, if
+  # you have 2 hosts and 3 workers, in total 6 workers are started (3 for each
+  # host).
+  #worker: 1
+
+  # If set to true and multiple hosts or workers are configured, the output
+  # plugin load balances published events onto all Redis hosts. If set to false,
+  # the output plugin sends all events to only one host (determined at random)
+  # and will switch to another host if the currently selected one becomes
+  # unreachable. The default value is true.
+  #loadbalance: true
+
+  # The Redis connection timeout in seconds. The default is 5 seconds.
+  #timeout: 5s
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, the events are typically dropped.
+  # Some Beats, such as Filebeat, ignore the max_retries setting and retry until
+  # all events are published. Set max_retries to a value less than 0 to retry
+  # until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The number of seconds to wait before trying to reconnect to Redis
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Redis after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum number of events to bulk in a single Redis request or pipeline.
+  # The default is 2048.
+  #bulk_max_size: 2048
+
+  # The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The
+  # value must be a URL with a scheme of socks5://.
+  #proxy_url:
+
+  # This option determines whether Redis hostnames are resolved locally when
+  # using a proxy. The default value is false, which means that name resolution
+  # occurs on the proxy server.
+  #proxy_use_local_resolver: false
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+# -------------------------------- File Output ---------------------------------
+#output.file:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # Path to the directory where to save the generated files. The option is
+  # mandatory.
+  #path: "/tmp/metricbeat"
+
+  # Name of the generated files. The default is `metricbeat` and it generates
+  # files: `metricbeat-{datetime}.ndjson`, `metricbeat-{datetime}-1.ndjson`, etc.
+  #filename: metricbeat
+
+  # Maximum size in kilobytes of each file. When this size is reached, and on
+  # every Metricbeat restart, the files are rotated. The default value is 10240
+  # kB.
+  #rotate_every_kb: 10000
+
+  # Maximum number of files under path. When this number of files is reached,
+  # the oldest file is deleted and the rest are shifted from last to first. The
+  # default is 7 files.
+  #number_of_files: 7
+
+  # Permissions to use for file creation. The default is 0600.
+  #permissions: 0600
+
+  # Configure automatic file rotation on every startup. The default is true.
+  #rotate_on_startup: true
+
+# ------------------------------- Console Output -------------------------------
+#output.console:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+# =================================== Paths ====================================
+
+# The home path for the Metricbeat installation. This is the default base path
+# for all other path settings and for miscellaneous files that come with the
+# distribution (for example, the sample dashboards).
+# If not set by a CLI flag or in the configuration file, the default for the
+# home path is the location of the binary.
+#path.home:
+
+# The configuration path for the Metricbeat installation. This is the default
+# base path for configuration files, including the main YAML configuration file
+# and the Elasticsearch template file. If not set by a CLI flag or in the
+# configuration file, the default for the configuration path is the home path.
+#path.config: ${path.home}
+
+# The data path for the Metricbeat installation. This is the default base path
+# for all the files in which Metricbeat needs to store its data. If not set by a
+# CLI flag or in the configuration file, the default for the data path is a data
+# subdirectory inside the home path.
+#path.data: ${path.home}/data
+
+# The logs path for a Metricbeat installation. This is the default location for
+# the Beat's log files. If not set by a CLI flag or in the configuration file,
+# the default for the logs path is a logs subdirectory inside the home path.
+#path.logs: ${path.home}/logs
+
+# ================================== Keystore ==================================
+
+# Location of the Keystore containing the keys and their sensitive values.
+#keystore.path: "${path.config}/beats.keystore"
+
+# ================================= Dashboards =================================
+
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards are disabled by default and can be enabled either by setting the
+# options here or by using the `-setup` CLI flag or the `setup` command.
+#setup.dashboards.enabled: false
+
+# The directory from where to read the dashboards. The default is the `kibana`
+# folder in the home path.
+#setup.dashboards.directory: ${path.home}/kibana
+
+# The URL from where to download the dashboard archive. It is used instead of
+# the directory if it has a value.
+#setup.dashboards.url:
+
+# The file archive (zip file) from where to read the dashboards. It is used instead
+# of the directory when it has a value.
+#setup.dashboards.file:
+
+# In case the archive contains the dashboards from multiple Beats, this lets you
+# select which one to load. You can load all the dashboards in the archive by
+# setting this to the empty string.
+#setup.dashboards.beat: metricbeat
+
+# The name of the Kibana index to use for setting the configuration. Default is ".kibana"
+#setup.dashboards.kibana_index: .kibana
+
+# The Elasticsearch index name. This overwrites the index name defined in the
+# dashboards and index pattern. Example: testbeat-*
+#setup.dashboards.index:
+
+# Always use the Kibana API for loading the dashboards instead of autodetecting
+# how to install the dashboards by first querying Elasticsearch.
+#setup.dashboards.always_kibana: false
+
+# If true and Kibana is not reachable at the time when dashboards are loaded,
+# it will retry to reconnect to Kibana instead of exiting with an error.
+#setup.dashboards.retry.enabled: false
+
+# Duration interval between Kibana connection retries.
+#setup.dashboards.retry.interval: 1s
+
+# Maximum number of retries before exiting with an error, 0 for unlimited retrying.
+#setup.dashboards.retry.maximum: 0
+
+# ================================== Template ==================================
+
+# A template is used to set the mapping in Elasticsearch
+# By default template loading is enabled and the template is loaded.
+# These settings can be adjusted to load your own template or overwrite existing ones.
+
+# Set to false to disable template loading.
+#setup.template.enabled: true
+
+# Template name. By default the template name is "metricbeat-%{[agent.version]}"
+# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
+#setup.template.name: "metricbeat-%{[agent.version]}"
+
+# Template pattern. By default the template pattern is "metricbeat-%{[agent.version]}" to apply to the default index settings.
+# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
+#setup.template.pattern: "metricbeat-%{[agent.version]}"
+
+# Path to fields.yml file to generate the template
+#setup.template.fields: "${path.config}/fields.yml"
+
+# A list of fields to be added to the template and Kibana index pattern. Also
+# specify setup.template.overwrite: true to overwrite the existing template.
+#setup.template.append_fields:
+#- name: field_name
+#  type: field_type
+
+# Enable JSON template loading. If this is enabled, the fields.yml is ignored.
+#setup.template.json.enabled: false
+
+# Path to the JSON template file
+#setup.template.json.path: "${path.config}/template.json"
+
+# Name under which the template is stored in Elasticsearch
+#setup.template.json.name: ""
+
+# Set this option if the JSON template is a data stream.
+#setup.template.json.data_stream: false
+
+# Overwrite existing template
+# Do not enable this option for more than one instance of metricbeat as it might
+# overload your Elasticsearch with too many update requests.
+#setup.template.overwrite: false
+
+# Elasticsearch template settings
+setup.template.settings:
+
+  # A dictionary of settings to place into the settings.index dictionary
+  # of the Elasticsearch template. For more details, please check
+  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html
+  #index:
+    #number_of_shards: 1
+    #codec: best_compression
+
+  # A dictionary of settings for the _source field. For more details, please check
+  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html
+  #_source:
+    #enabled: false
+
+# ====================== Index Lifecycle Management (ILM) ======================
+
+# Configure index lifecycle management (ILM) to manage the backing indices
+# of your data streams.
+
+# Enable ILM support. Valid values are true, or false.
+#setup.ilm.enabled: true
+
+# Set the lifecycle policy name. The default policy name is
+# 'beatname'.
+#setup.ilm.policy_name: "mypolicy"
+
+# The path to a JSON file that contains a lifecycle policy configuration. Used
+# to load your own lifecycle policy.
+#setup.ilm.policy_file:
+
+# Disable the check for an existing lifecycle policy. The default is true.
+# If you set this option to false, lifecycle policy will not be installed,
+# even if setup.ilm.overwrite is set to true.
+#setup.ilm.check_exists: true
+
+# Overwrite the lifecycle policy at startup. The default is false.
+#setup.ilm.overwrite: false
+
+# ======================== Data Stream Lifecycle (DSL) =========================
+
+# Configure Data Stream Lifecycle to manage data streams while connected to Serverless elasticsearch.
+# These settings are mutually exclusive with ILM settings which are not supported in Serverless projects.
+
+# Enable DSL support. Valid values are true, or false.
+#setup.dsl.enabled: true
+
+# Set the lifecycle policy name or pattern. For DSL, this name must match the data stream that the lifecycle is for.
+# The default data stream pattern is metricbeat-%{[agent.version]}"
+# The template string `%{[agent.version]}` will resolve to the current stack version.
+# The other possible template value is `%{[beat.name]}`.
+#setup.dsl.data_stream_pattern: "metricbeat-%{[agent.version]}"
+
+# The path to a JSON file that contains a lifecycle policy configuration. Used
+# to load your own lifecycle policy.
+# If no custom policy is specified, a default policy with a lifetime of 7 days will be created.
+#setup.dsl.policy_file:
+
+# Disable the check for an existing lifecycle policy. The default is true. If
+# you disable this check, set setup.dsl.overwrite: true so the lifecycle policy
+# can be installed.
+#setup.dsl.check_exists: true
+
+# Overwrite the lifecycle policy at startup. The default is false.
+#setup.dsl.overwrite: false
+
+# =================================== Kibana ===================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+  # Kibana Host
+  # Scheme and port can be left out and will be set to the default (http and 5601)
+  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+  #host: "localhost:5601"
+
+  # Optional protocol and basic auth credentials.
+  #protocol: "https"
+  #username: "elastic"
+  #password: "changeme"
+
+  # Optional HTTP path
+  #path: ""
+
+  # Optional Kibana space ID.
+  #space.id: ""
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+# ================================== Logging ===================================
+
+# There are four options for the log output: file, stderr, syslog, eventlog
+# The file output is the default.
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: info
+
+# Enable debug output for selected components. To enable all selectors use ["*"]
+# Other available selectors are "beat", "publisher", "service"
+# Multiple selectors can be chained.
+#logging.selectors: [ ]
+
+# Send all logging output to stderr. The default is false.
+#logging.to_stderr: false
+
+# Send all logging output to syslog. The default is false.
+#logging.to_syslog: false
+
+# Send all logging output to Windows Event Logs. The default is false.
+#logging.to_eventlog: false
+
+# If enabled, Metricbeat periodically logs its internal metrics that have changed
+# in the last period. For each metric that changed, the delta from the value at
+# the beginning of the period is logged. Also, the total values for
+# all non-zero internal metrics are logged on shutdown. The default is true.
+#logging.metrics.enabled: true
+
+# The period after which to log the internal metrics. The default is 30s.
+#logging.metrics.period: 30s
+
+# A list of metrics namespaces to report in the logs. Defaults to [stats].
+# `stats` contains general Beat metrics. `dataset` may be present in some
+# Beats and contains module or input metrics.
+#logging.metrics.namespaces: [stats]
+
+# Logging to rotating files. Set logging.to_files to false to disable logging to
+# files.
+logging.to_files: true
+logging.files:
+  # Configure the path where the logs are written. The default is the logs directory
+  # under the home path (the binary location).
+  #path: /var/log/metricbeat
+
+  # The name of the files where the logs are written to.
+  #name: metricbeat
+
+  # Configure log file size limit. If the limit is reached, log file will be
+  # automatically rotated.
+  #rotateeverybytes: 10485760 # = 10MB
+
+  # Number of rotated log files to keep. The oldest files will be deleted first.
+  #keepfiles: 7
+
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
+
+  # Enable log file rotation on time intervals in addition to the size-based rotation.
+  # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
+  # are boundary-aligned with minutes, hours, days, weeks, months, and years as
+  # reported by the local system clock. All other intervals are calculated from the
+  # Unix epoch. Defaults to disabled.
+  #interval: 0
+
+  # Rotate existing logs on startup rather than appending them to the existing
+  # file. Defaults to true.
+  # rotateonstartup: true
+
+#=============================== Events Logging ===============================
+# Some outputs will log raw events on errors like indexing errors in the
+# Elasticsearch output, to prevent logging raw events (that may contain
+# sensitive information) together with other log messages, a different
+# log file, only for log entries containing raw events, is used. It will
+# use the same level, selectors and all other configurations from the
+# default logger, but it will have it's own file configuration.
+#
+# Having a different log file for raw events also prevents event data
+# from drowning out the regular log files.
+#
+# IMPORTANT: No matter the default logger output configuration, raw events
+# will **always** be logged to a file configured by `logging.event_data.files`.
+
+# logging.event_data:
+# Logging to rotating files. Set logging.to_files to false to disable logging to
+# files.
+#logging.event_data.to_files: true
+#logging.event_data:
+  # Configure the path where the logs are written. The default is the logs directory
+  # under the home path (the binary location).
+  #path: /var/log/metricbeat
+
+  # The name of the files where the logs are written to.
+  #name: metricbeat-events-data
+
+  # Configure log file size limit. If the limit is reached, log file will be
+  # automatically rotated.
+  #rotateeverybytes: 5242880 # = 5MB
+
+  # Number of rotated log files to keep. The oldest files will be deleted first.
+  #keepfiles: 2
+
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
+
+  # Enable log file rotation on time intervals in addition to the size-based rotation.
+  # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
+  # are boundary-aligned with minutes, hours, days, weeks, months, and years as
+  # reported by the local system clock. All other intervals are calculated from the
+  # Unix epoch. Defaults to disabled.
+  #interval: 0
+
+  # Rotate existing logs on startup rather than appending them to the existing
+  # file. Defaults to false.
+  # rotateonstartup: false
+
+# ============================= X-Pack Monitoring ==============================
+# Metricbeat can export internal metrics to a central Elasticsearch monitoring
+# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#monitoring.enabled: false
+
+# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
+# Metricbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
+# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
+#monitoring.cluster_uuid:
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well.
+# Note that the settings should point to your Elasticsearch *monitoring* cluster.
+# Any setting that is not set is automatically inherited from the Elasticsearch
+# output configuration, so if you have the Elasticsearch output configured such
+# that it is pointing to your Elasticsearch monitoring cluster, you can simply
+# uncomment the following line.
+#monitoring.elasticsearch:
+
+  # Array of hosts to connect to.
+  # Scheme and port can be left out and will be set to the default (http and 9200)
+  # In case you specify an additional path, the scheme is required: http://localhost:9200/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+  #hosts: ["localhost:9200"]
+
+  # Set gzip compression level.
+  #compression_level: 0
+
+  # Protocol - either `http` (default) or `https`.
+  #protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
+  #username: "beats_system"
+  #password: "changeme"
+
+  # Dictionary of HTTP parameters to pass within the URL with index operations.
+  #parameters:
+    #param1: value1
+    #param2: value2
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Proxy server url
+  #proxy_url: http://proxy:3128
+
+  # The number of times a particular Elasticsearch index operation is attempted. If
+  # the indexing operation doesn't succeed after this many retries, the events are
+  # dropped. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+  # The default is 50.
+  #bulk_max_size: 50
+
+  # The number of seconds to wait before trying to reconnect to Elasticsearch
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Elasticsearch after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # Configure HTTP request timeout before failing a request to Elasticsearch.
+  #timeout: 90
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/elastic.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+  #metrics.period: 10s
+  #state.period: 1m
+
+# The `monitoring.cloud.id` setting overwrites the `monitoring.elasticsearch.hosts`
+# setting. You can find the value for this setting in the Elastic Cloud web UI.
+#monitoring.cloud.id:
+
+# The `monitoring.cloud.auth` setting overwrites the `monitoring.elasticsearch.username`
+# and `monitoring.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#monitoring.cloud.auth:
+
+# =============================== HTTP Endpoint ================================
+
+# Each beat can expose internal metrics through an HTTP endpoint. For security
+# reasons the endpoint is disabled by default. This feature is currently experimental.
+# Stats can be accessed through http://localhost:5066/stats. For pretty JSON output
+# append ?pretty to the URL.
+
+# Defines if the HTTP endpoint is enabled.
+#http.enabled: false
+
+# The HTTP endpoint will bind to this hostname, IP address, unix socket, or named pipe.
+# When using IP addresses, it is recommended to only use localhost.
+#http.host: localhost
+
+# Port on which the HTTP endpoint will bind. Default is 5066.
+#http.port: 5066
+
+# Define which user should be owning the named pipe.
+#http.named_pipe.user:
+
+# Define which permissions should be applied to the named pipe, use the Security
+# Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with
+# `http.user`.
+#http.named_pipe.security_descriptor:
+
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
+# Controls the fraction of goroutine blocking events that are reported in the
+# blocking profile.
+#http.pprof.block_profile_rate: 0
+
+# Controls the fraction of memory allocations that are recorded and reported in
+# the memory profile.
+#http.pprof.mem_profile_rate: 524288
+
+# Controls the fraction of mutex contention events that are reported in the
+# mutex profile.
+#http.pprof.mutex_profile_rate: 0
+
+# ============================== Process Security ==============================
+
+# Enable or disable seccomp system call filtering on Linux. Default is enabled.
+#seccomp.enabled: true
+
+# ============================== Instrumentation ===============================
+
+# Instrumentation support for the metricbeat.
+#instrumentation:
+    # Set to true to enable instrumentation of metricbeat.
+    #enabled: false
+
+    # Environment in which metricbeat is running on (eg: staging, production, etc.)
+    #environment: ""
+
+    # APM Server hosts to report instrumentation results to.
+    #hosts:
+    #  - http://localhost:8200
+
+    # API Key for the APM Server(s).
+    # If api_key is set then secret_token will be ignored.
+    #api_key:
+
+    # Secret token for the APM Server(s).
+    #secret_token:
+
+    # Enable profiling of the server, recording profile samples as events.
+    #
+    # This feature is experimental.
+    #profiling:
+        #cpu:
+            # Set to true to enable CPU profiling.
+            #enabled: false
+            #interval: 60s
+            #duration: 10s
+        #heap:
+            # Set to true to enable heap profiling.
+            #enabled: false
+            #interval: 60s
+
+# ================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: false
+
+# =============================== Feature Flags ================================
+
+# Enable and configure feature flags.
+#features:
+#  fqdn:
+#    enabled: true
+```
+
diff --git a/docs/reference/metricbeat/metricbeat-starting.md b/docs/reference/metricbeat/metricbeat-starting.md
new file mode 100644
index 000000000000..4ab8a24a4ae6
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-starting.md
@@ -0,0 +1,76 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-starting.html
+---
+
+# Start Metricbeat [metricbeat-starting]
+
+Before starting Metricbeat:
+
+* Follow the steps in [Quick start: installation and configuration](/reference/metricbeat/metricbeat-installation-configuration.md) to install, configure, and set up the Metricbeat environment.
+* Make sure {{kib}} and {{es}} are running.
+* Make sure the user specified in `metricbeat.yml` is [authorized to publish events](/reference/metricbeat/privileges-to-publish-events.md).
+
+To start Metricbeat, run:
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+sudo service metricbeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Metricbeat, you can’t specify command line flags (see [Command reference](/reference/metricbeat/command-line-options.md)). To specify flags, start Metricbeat in the foreground.
+::::
+
+
+Also see [Metricbeat and systemd](/reference/metricbeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} RPM
+```sh
+sudo service metricbeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Metricbeat, you can’t specify command line flags (see [Command reference](/reference/metricbeat/command-line-options.md)). To specify flags, start Metricbeat in the foreground.
+::::
+
+
+Also see [Metricbeat and systemd](/reference/metricbeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} MacOS
+```sh
+sudo chown root metricbeat.yml <1>
+sudo chown root modules.d/{modulename}.yml <1>
+sudo ./metricbeat -e
+```
+
+1. You’ll be running Metricbeat as root, so you need to change ownership of the configuration file and any configurations enabled in the `modules.d` directory, or run Metricbeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Linux
+```sh
+sudo chown root metricbeat.yml <1>
+sudo chown root modules.d/{modulename}.yml <1>
+sudo ./metricbeat -e
+```
+
+1. You’ll be running Metricbeat as root, so you need to change ownership of the configuration file and any configurations enabled in the `modules.d` directory, or run Metricbeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Windows
+```sh
+PS C:\Program Files\metricbeat> Start-Service metricbeat
+```
+
+By default, Windows log files are stored in `C:\ProgramData\metricbeat\Logs`.
+
+::::{note}
+On Windows, statistics about system load and swap usage are currently not captured
+::::
+::::::
+
+:::::::
diff --git a/docs/reference/metricbeat/metricbeat-template.md b/docs/reference/metricbeat/metricbeat-template.md
new file mode 100644
index 000000000000..d7b9eac4accc
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat-template.md
@@ -0,0 +1,228 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-template.html
+---
+
+# Load the Elasticsearch index template [metricbeat-template]
+
+{{es}} uses [index templates](docs-content://manage-data/data-store/templates.md) to define:
+
+* Settings that control the behavior of your data stream and backing indices. The settings include the lifecycle policy used to manage backing indices as they grow and age.
+* Mappings that determine how fields are analyzed. Each mapping sets the [{{es}} datatype](elasticsearch://reference/elasticsearch/mapping-reference/field-data-types.md) to use for a specific data field.
+
+The recommended index template file for Metricbeat is installed by the Metricbeat packages. If you accept the default configuration in the `metricbeat.yml` config file, Metricbeat loads the template automatically after successfully connecting to {{es}}. If the template already exists, it’s not overwritten unless you configure Metricbeat to do so.
+
+::::{note}
+A connection to {{es}} is required to load the index template. If the output is not {{es}} (or {{ess}}), you must [load the template manually](#load-template-manually).
+::::
+
+
+This page shows how to change the default template loading behavior to:
+
+* [Load your own index template](#load-custom-template)
+* [Overwrite an existing index template](#overwrite-template)
+* [Disable automatic index template loading](#disable-template-loading)
+* [Load the index template manually](#load-template-manually)
+
+For a full list of template setup options, see [Elasticsearch index template](/reference/metricbeat/configuration-template.md).
+
+
+## Load your own index template [load-custom-template]
+
+To load your own index template, set the following options:
+
+```yaml
+setup.template.name: "your_template_name"
+setup.template.fields: "path/to/fields.yml"
+```
+
+If the template already exists, it’s not overwritten unless you configure Metricbeat to do so.
+
+You can load templates for both data streams and indices.
+
+
+## Overwrite an existing index template [overwrite-template]
+
+::::{warning}
+Do not enable this option for more than one instance of Metricbeat. If you start multiple instances at the same time, it can overload your {{es}} with too many template update requests.
+::::
+
+
+To overwrite a template that’s already loaded into {{es}}, set:
+
+```yaml
+setup.template.overwrite: true
+```
+
+
+## Disable automatic index template loading [disable-template-loading]
+
+You may want to disable automatic template loading if you’re using an output other than {{es}} and need to load the template manually. To disable automatic template loading, set:
+
+```yaml
+setup.template.enabled: false
+```
+
+If you disable automatic template loading, you must load the index template manually.
+
+
+## Load the index template manually [load-template-manually]
+
+To load the index template manually, run the [`setup`](/reference/metricbeat/command-line-options.md#setup-command) command. A connection to {{es}} is required.  If another output is enabled, you need to temporarily disable that output and enable {{es}} by using the `-E` option. The examples here assume that Logstash output is enabled. You can omit the `-E` flags if {{es}} output is already enabled.
+
+If you are connecting to a secured {{es}} cluster, make sure you’ve configured credentials as described in the [Quick start: installation and configuration](/reference/metricbeat/metricbeat-installation-configuration.md).
+
+If the host running Metricbeat does not have direct connectivity to {{es}}, see [Load the index template manually (alternate method)](#load-template-manually-alternate).
+
+To load the template, use the appropriate command for your system.
+
+**deb and rpm:**
+
+```sh
+metricbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**mac:**
+
+```sh
+./metricbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**linux:**
+
+```sh
+./metricbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**docker:**
+
+```sh
+docker run --rm docker.elastic.co/beats/metricbeat:9.0.0-beta1 setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**win:**
+
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Metricbeat, and run:
+
+```sh
+PS > .\metricbeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+
+### Force Kibana to look at newest documents [force-kibana-new]
+
+If you’ve already used Metricbeat to index data into {{es}}, the index may contain old documents. After you load the index template, you can delete the old documents from `metricbeat-*` to force Kibana to look at the newest documents.
+
+Use this command:
+
+**deb and rpm:**
+
+```sh
+curl -XDELETE 'http://localhost:9200/metricbeat-*'
+```
+
+**mac:**
+
+```sh
+curl -XDELETE 'http://localhost:9200/metricbeat-*'
+```
+
+**linux:**
+
+```sh
+curl -XDELETE 'http://localhost:9200/metricbeat-*'
+```
+
+**win:**
+
+```sh
+PS > Invoke-RestMethod -Method Delete "http://localhost:9200/metricbeat-*"
+```
+
+This command deletes all indices that match the pattern `metricbeat`. Before running this command, make sure you want to delete all indices that match the pattern.
+
+
+## Load the index template manually (alternate method) [load-template-manually-alternate]
+
+If the host running Metricbeat does not have direct connectivity to {{es}}, you can export the index template to a file, move it to a machine that does have connectivity, and then install the template manually.
+
+To export the index template, run:
+
+**deb and rpm:**
+
+```sh
+metricbeat export template > metricbeat.template.json
+```
+
+**mac:**
+
+```sh
+./metricbeat export template > metricbeat.template.json
+```
+
+**linux:**
+
+```sh
+./metricbeat export template > metricbeat.template.json
+```
+
+**win:**
+
+```sh
+PS > .\metricbeat.exe export template --es.version 9.0.0-beta1 | Out-File -Encoding UTF8 metricbeat.template.json
+```
+
+To install the template, run:
+
+**deb and rpm:**
+
+```sh
+curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/metricbeat-9.0.0-beta1 -d@metricbeat.template.json
+```
+
+**mac:**
+
+```sh
+curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/metricbeat-9.0.0-beta1 -d@metricbeat.template.json
+```
+
+**linux:**
+
+```sh
+curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/metricbeat-9.0.0-beta1 -d@metricbeat.template.json
+```
+
+**win:**
+
+```sh
+PS > Invoke-RestMethod -Method Put -ContentType "application/json" -InFile metricbeat.template.json -Uri http://localhost:9200/_index_template/metricbeat-9.0.0-beta1
+```
+
+Once you have loaded the index template, load the data stream as well. If you do not load it, you have to give the publisher user `manage` permission on metricbeat-9.0.0-beta1 index.
+
+**deb and rpm:**
+
+```sh
+curl -XPUT http://localhost:9200/_data_stream/metricbeat-9.0.0-beta1
+```
+
+**mac:**
+
+```sh
+curl -XPUT http://localhost:9200/_data_stream/metricbeat-9.0.0-beta1
+```
+
+**linux:**
+
+```sh
+curl -XPUT http://localhost:9200/_data_stream/metricbeat-9.0.0-beta1
+```
+
+**win:**
+
+```sh
+PS > Invoke-RestMethod -Method Put -Uri http://localhost:9200/_data_stream/metricbeat-9.0.0-beta1
+```
+
diff --git a/docs/reference/metricbeat/metricbeat.md b/docs/reference/metricbeat/metricbeat.md
new file mode 100644
index 000000000000..12812abd81e7
--- /dev/null
+++ b/docs/reference/metricbeat/metricbeat.md
@@ -0,0 +1,8 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/index.html
+---
+
+# Metricbeat
+
+Just a placeholder for a top index page.
diff --git a/docs/reference/metricbeat/monitoring-internal-collection.md b/docs/reference/metricbeat/monitoring-internal-collection.md
new file mode 100644
index 000000000000..1002bb9d2112
--- /dev/null
+++ b/docs/reference/metricbeat/monitoring-internal-collection.md
@@ -0,0 +1,73 @@
+---
+navigation_title: "Use internal collection"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/monitoring-internal-collection.html
+---
+
+# Use internal collection to send monitoring data [monitoring-internal-collection]
+
+
+Use internal collectors to send {{beats}} monitoring data directly to your monitoring cluster. Or as an alternative to internal collection, use [Use {{metricbeat}} collection](/reference/metricbeat/monitoring-metricbeat-collection.md). The benefit of using internal collection instead of {{metricbeat}} is that you have fewer pieces of software to install and maintain.
+
+1. Create an API key or user that has appropriate authority to send system-level monitoring data to {{es}}. For example, you can use the built-in `beats_system` user or assign the built-in `beats_system` role to another user. For more information on the required privileges, see [Create a *monitoring* user](/reference/metricbeat/privileges-to-publish-monitoring.md). For more information on how to use API keys, see [*Grant access using API keys*](/reference/metricbeat/beats-api-keys.md).
+2. Add the `monitoring` settings in the Metricbeat configuration file. If you configured the {{es}} output and want to send Metricbeat monitoring events to the same {{es}} cluster, specify the following minimal configuration:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      elasticsearch:
+        api_key:  id:api_key <1>
+        username: beats_system
+        password: somepassword
+    ```
+
+    1. Specify one of `api_key` or `username`/`password`.
+
+
+    If you want to send monitoring events to an [{{ecloud}}](https://cloud.elastic.co/) monitoring cluster, you can use two simpler settings. When defined, these settings overwrite settings from other parts in the configuration. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cloud.id: 'staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=='
+      cloud.auth: 'elastic:{pwd}'
+    ```
+
+    If you configured a different output, such as {{ls}} or you want to send Metricbeat monitoring events to a separate {{es}} cluster (referred to as the *monitoring cluster*), you must specify additional configuration options. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cluster_uuid: PRODUCTION_ES_CLUSTER_UUID <1>
+      elasticsearch:
+        hosts: ["https://example.com:9200", "https://example2.com:9200"] <2>
+        api_key:  id:api_key <3>
+        username: beats_system
+        password: somepassword
+    ```
+
+    1. This setting identifies the {{es}} cluster under which the monitoring data for this Metricbeat instance will appear in the Stack Monitoring UI. To get a cluster’s `cluster_uuid`, call the `GET /` API against that production cluster.
+    2. This setting identifies the hosts and port numbers of {{es}} nodes that are part of the monitoring cluster.
+    3. Specify one of `api_key` or `username`/`password`.
+
+
+    If you want to use PKI authentication to send monitoring events to {{es}}, you must specify a different set of configuration options. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cluster_uuid: PRODUCTION_ES_CLUSTER_UUID
+      elasticsearch:
+        hosts: ["https://example.com:9200", "https://example2.com:9200"]
+        username: ""
+        ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+        ssl.certificate: "/etc/pki/client/cert.pem"
+        ssl.key: "/etc/pki/client/cert.key"
+    ```
+
+    You must specify the `username` as `""` explicitly so that the username from the client certificate (`CN`) is used. See [SSL](/reference/metricbeat/configuration-ssl.md) for more information about SSL settings.
+
+3. Start Metricbeat.
+4. [View the monitoring data in {{kib}}](docs-content://deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md).
+
+
diff --git a/docs/reference/metricbeat/monitoring-metricbeat-collection.md b/docs/reference/metricbeat/monitoring-metricbeat-collection.md
new file mode 100644
index 000000000000..7a8e39747aac
--- /dev/null
+++ b/docs/reference/metricbeat/monitoring-metricbeat-collection.md
@@ -0,0 +1,171 @@
+---
+navigation_title: "Use {{metricbeat}} collection"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/monitoring-metricbeat-collection.html
+---
+
+# Use {{metricbeat}} to send monitoring data [monitoring-metricbeat-collection]
+
+
+In 7.3 and later, you can use {{metricbeat}} to collect data about Metricbeat and ship it to the monitoring cluster. The benefit of using {{metricbeat}} instead of internal collection is that the monitoring agent remains active even if the Metricbeat instance dies.
+
+Because you’ll be using {{metricbeat}} to *monitor* Metricbeat, you’ll need to run two instances of Metricbeat: a main instance that collects metrics from the system and services running on the server, and a second instance that collects metrics from Metricbeat only. Using a separate instance as a monitoring agent allows you to send monitoring data to a dedicated monitoring cluster. If the main agent goes down, the monitoring agent remains active.
+
+If you’re running Metricbeat as a service, this approach requires extra work because you need to run two instances of the same installed  service concurrently. If you don’t want to run two instances concurrently, use [internal collection](/reference/metricbeat/monitoring-internal-collection.md) instead of using {{metricbeat}}.
+
+To collect and ship monitoring data:
+
+1. [Configure the shipper you want to monitor](#configure-shipper)
+2. [Install and configure {{metricbeat}} to collect monitoring data](#configure-metricbeat)
+
+
+## Configure the shipper you want to monitor [configure-shipper]
+
+1. Enable the HTTP endpoint to allow external collection of monitoring data:
+
+    Add the following setting in the Metricbeat configuration file (`metricbeat.yml`):
+
+    ```yaml
+    http.enabled: true
+    ```
+
+    By default, metrics are exposed on port 5066. If you need to monitor multiple {{beats}} shippers running on the same server, set `http.port` to expose metrics for each shipper on a different port number:
+
+    ```yaml
+    http.port: 5067
+    ```
+
+2. Disable the default collection of Metricbeat monitoring metrics.<br>
+
+    Add the following setting in the Metricbeat configuration file (`metricbeat.yml`):
+
+    ```yaml
+    monitoring.enabled: false
+    ```
+
+    For more information, see [Monitoring configuration options](/reference/metricbeat/configuration-monitor.md).
+
+3. Configure host (optional).<br>
+
+    If you intend to get metrics using {{metricbeat}} installed on another server, you need to bind the Metricbeat to host’s IP:
+
+    ```yaml
+    http.host: xxx.xxx.xxx.xxx
+    ```
+
+4. Configure cluster UUID.<br>
+
+    The cluster UUID is necessary if you want to see {{beats}} monitoring in the {{kib}} stack monitoring view. The monitoring data will be grouped under the cluster for that UUID. To associate Metricbeat with the cluster UUID, set:
+
+    ```yaml
+    monitoring.cluster_uuid: "cluster-uuid"
+    ```
+
+5. Start Metricbeat.
+
+
+## Install and configure {{metricbeat}} to collect monitoring data [configure-metricbeat]
+
+1. The next step depends on how you want to run {{metricbeat}}:
+
+    * If you’re running as a service and want to run a separate monitoring instance, take the the steps required for your environment to run two instances of {{metricbeat}} as a service. The steps for doing this vary by platform and are beyond the scope of this documentation.
+    * If you’re running the binary directly in the foreground and want to run a separate monitoring instance, install {{metricbeat}} to a different path. If necessary, set `path.config`, `path.data`, and `path.log` to point to the correct directories. See [Directory layout](/reference/metricbeat/directory-layout.md) for the default locations.
+
+2. Enable the `beat-xpack` module in {{metricbeat}}.<br>
+
+    For example, to enable the default configuration in the `modules.d` directory, run the following command, using the correct command syntax for your OS:
+
+    ```sh
+    metricbeat modules enable beat-xpack
+    ```
+
+    For more information, see [Configure modules](/reference/metricbeat/configuration-metricbeat.md) and [beat module](/reference/metricbeat/metricbeat-module-beat.md).
+
+3. Configure the `beat-xpack` module in {{metricbeat}}.<br>
+
+    The `modules.d/beat-xpack.yml` file contains the following settings:
+
+    ```yaml
+    - module: beat
+      metricsets:
+        - stats
+        - state
+      period: 10s
+      hosts: ["http://localhost:5066"]
+      #username: "user"
+      #password: "secret"
+      xpack.enabled: true
+    ```
+
+    Set the `hosts`, `username`, and `password` settings as required by your environment. For other module settings, it’s recommended that you accept the defaults.
+
+    By default, the module collects Metricbeat monitoring data from `localhost:5066`. If you exposed the metrics on a different host or port when you enabled the HTTP endpoint, update the `hosts` setting.
+
+    To monitor multiple {{beats}} agents, specify a list of hosts, for example:
+
+    ```yaml
+    hosts: ["http://localhost:5066","http://localhost:5067","http://localhost:5068"]
+    ```
+
+    If you configured Metricbeat to use encrypted communications, you must access it via HTTPS. For example, use a `hosts` setting like `https://localhost:5066`.
+
+    If the Elastic {{security-features}} are enabled, you must also provide a user ID and password so that {{metricbeat}} can collect metrics successfully:
+
+    1. Create a user on the {{es}} cluster that has the `remote_monitoring_collector` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md).
+    2. Add the `username` and `password` settings to the beat module configuration file.
+
+4. Optional: Disable the system module in the {{metricbeat}}.
+
+    By default, the [system module](/reference/metricbeat/metricbeat-module-system.md) is enabled. The information it collects, however, is not shown on the **Stack Monitoring** page in {{kib}}. Unless you want to use that information for other purposes, run the following command:
+
+    ```sh
+    metricbeat modules disable system
+    ```
+
+5. Identify where to send the monitoring data.<br>
+
+    ::::{tip}
+    In production environments, we strongly recommend using a separate cluster (referred to as the *monitoring cluster*) to store the data. Using a separate monitoring cluster prevents production cluster outages from impacting your ability to access your monitoring data. It also prevents monitoring activities from impacting the performance of your production cluster.
+    ::::
+
+
+    For example, specify the {{es}} output information in the {{metricbeat}} configuration file (`metricbeat.yml`):
+
+    ```yaml
+    output.elasticsearch:
+      # Array of hosts to connect to.
+      hosts: ["http://es-mon-1:9200", "http://es-mon2:9200"] <1>
+
+      # Optional protocol and basic auth credentials.
+      #protocol: "https"
+      #api_key:  "id:api_key" <2>
+      #username: "elastic"
+      #password: "changeme"
+    ```
+
+    1. In this example, the data is stored on a monitoring cluster with nodes `es-mon-1` and `es-mon-2`.
+    2. Specify one of `api_key` or `username`/`password`.
+
+
+    If you configured the monitoring cluster to use encrypted communications, you must access it via HTTPS. For example, use a `hosts` setting like `https://es-mon-1:9200`.
+
+    ::::{important}
+    The {{es}} {{monitor-features}} use ingest pipelines. The cluster that stores the monitoring data must have at least one node with the `ingest` role.
+    ::::
+
+
+    If the {{es}} {{security-features}} are enabled on the monitoring cluster, you must provide a valid user ID and password so that {{metricbeat}} can send metrics successfully:
+
+    1. Create a user on the monitoring cluster that has the `remote_monitoring_agent` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md).
+
+        ::::{tip}
+        If you’re using index lifecycle management, the remote monitoring user requires additional privileges to create and read indices. For more information, see [*Grant users access to secured resources*](/reference/metricbeat/feature-roles.md).
+        ::::
+
+    2. Add the `username` and `password` settings to the {{es}} output information in the {{metricbeat}} configuration file.
+
+    For more information about these configuration options, see [Configure the {{es}} output](/reference/metricbeat/elasticsearch-output.md).
+
+6. [Start {{metricbeat}}](/reference/metricbeat/metricbeat-starting.md) to begin collecting monitoring data.
+7. [View the monitoring data in {{kib}}](docs-content://deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md).
+
diff --git a/docs/reference/metricbeat/monitoring-shows-fewer-than-expected-beats.md b/docs/reference/metricbeat/monitoring-shows-fewer-than-expected-beats.md
new file mode 100644
index 000000000000..4d33bb2de0a9
--- /dev/null
+++ b/docs/reference/metricbeat/monitoring-shows-fewer-than-expected-beats.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/monitoring-shows-fewer-than-expected-beats.html
+---
+
+# Monitoring UI shows fewer Beats than expected [monitoring-shows-fewer-than-expected-beats]
+
+If you are running multiple Beat instances on the same host, make sure they each have a distinct `path.data` value.
+
diff --git a/docs/reference/metricbeat/monitoring.md b/docs/reference/metricbeat/monitoring.md
new file mode 100644
index 000000000000..ac3320bcb93c
--- /dev/null
+++ b/docs/reference/metricbeat/monitoring.md
@@ -0,0 +1,16 @@
+---
+navigation_title: "Monitor"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/monitoring.html
+---
+
+# Monitor Metricbeat [monitoring]
+
+
+You can use the {{stack}} {{monitor-features}} to gain insight into the health of Metricbeat instances running in your environment.
+
+To monitor Metricbeat, make sure monitoring is enabled on your {{es}} cluster, then configure the method used to collect Metricbeat metrics. You can use one of following methods:
+
+* [Internal collection](/reference/metricbeat/monitoring-internal-collection.md) - Internal collectors send monitoring data directly to your monitoring cluster.
+* [{{metricbeat}} collection](/reference/metricbeat/monitoring-metricbeat-collection.md) - {{metricbeat}} collects monitoring data from your Metricbeat instance and sends it directly to your monitoring cluster.
+
diff --git a/docs/reference/metricbeat/move-fields.md b/docs/reference/metricbeat/move-fields.md
new file mode 100644
index 000000000000..1fedbcad6e33
--- /dev/null
+++ b/docs/reference/metricbeat/move-fields.md
@@ -0,0 +1,93 @@
+---
+navigation_title: "move_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/move-fields.html
+---
+
+# Move fields [move-fields]
+
+
+The `move_fields` processor moves event fields from one object into another. It can also rearrange fields or add a prefix to fields.
+
+The processor extracts fields from `from`, then uses `fields` and `exclude` as filters to choose which fields to move into the `to` field.
+
+For example, given the following event:
+
+```json
+{
+  "app": {
+    "method": "a",
+    "elapsed_time": 100,
+    "user_id": 100,
+    "message": "i'm a message"
+  }
+}
+```
+
+To move `method` and `elapsed_time` into another object, use this configuration:
+
+```yaml
+processors:
+  - move_fields:
+      from: "app"
+      fields: ["method", "elapsed_time"],
+      to: "rpc."
+```
+
+Your final event will be:
+
+```json
+{
+  "app": {
+    "user_id": 100,
+    "message": "i'm a message",
+    "rpc": {
+      "method": "a",
+      "elapsed_time": 100
+    }
+  }
+}
+```
+
+To add a prefix to the whole event:
+
+```json
+{
+  "app": { "method": "a"},
+  "cost": 100
+}
+```
+
+Use this configuration:
+
+```yaml
+processors:
+  - move_fields:
+      to: "my_prefix_"
+```
+
+Your final event will be:
+
+```json
+{
+  "my_prefix_app": { "method": "a"},
+  "my_prefix_cost": 100
+}
+```
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `from` | no |  | Which field you want extract. This field and any nested fields will be moved into `to` unless they are filtered out. If empty, indicates event root. |  |
+| `fields` | no |  | Which fields to extract from `from` and move to `to`. An empty list indicates all fields. |  |
+| `ignore_missing` | no | false | Ignore "not found" errors when extracting fields. |  |
+| `exclude` | no |  | A list of fields to exclude and not move. |  |
+| `to` | yes |  | These fields extract from `from` destination field prefix the `to` will base on fields root. |  |
+
+```yaml
+processors:
+  - move_fields:
+      from: "app"
+      fields: [ "method", "elapsed_time" ]
+      to: "rpc."
+```
+
diff --git a/docs/reference/metricbeat/privileges-to-publish-events.md b/docs/reference/metricbeat/privileges-to-publish-events.md
new file mode 100644
index 000000000000..938c1fdad0dd
--- /dev/null
+++ b/docs/reference/metricbeat/privileges-to-publish-events.md
@@ -0,0 +1,37 @@
+---
+navigation_title: "Create a _publishing_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/privileges-to-publish-events.html
+---
+
+# Grant privileges and roles needed for publishing [privileges-to-publish-events]
+
+
+Users who publish events to {{es}} need to create and write to Metricbeat indices. To minimize the privileges required by the writer role, use the [setup role](/reference/metricbeat/privileges-to-setup-beats.md) to pre-load dependencies. This section assumes that you’ve run the setup.
+
+When using ILM, turn off the ILM setup check in the Metricbeat config file before running Metricbeat to publish events:
+
+```yaml
+setup.ilm.check_exists: false
+```
+
+To grant the required privileges:
+
+1. Create a **writer role**, called something like `metricbeat_writer`, that has the following privileges:
+
+    ::::{note}
+    The `monitor` cluster privilege and the `create_doc` and `auto_configure` privileges on `metricbeat-*` indices are required in every configuration.
+    ::::
+
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+    | Cluster | `read_ilm` | Read the ILM policy when connecting to clusters that support ILM.Not needed when `setup.ilm.check_exists` is `false`. |
+    | Index | `create_doc` on `metricbeat-*` indices | Write events into {{es}} |
+    | Index | `auto_configure` on `metricbeat-*` indices | Update the datastream mapping. Consider either disabling entirely or adding therule `-{{beat_default_index_prefix}}-*` to the cluster settings[action.auto_create_index](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-create)to prevent unwanted indices creations from the agents. |
+
+    Omit any privileges that aren’t relevant in your environment.
+
+2. Assign the **writer role** to users who will index events into {{es}}.
+
diff --git a/docs/reference/metricbeat/privileges-to-publish-monitoring.md b/docs/reference/metricbeat/privileges-to-publish-monitoring.md
new file mode 100644
index 000000000000..2b2129bfd261
--- /dev/null
+++ b/docs/reference/metricbeat/privileges-to-publish-monitoring.md
@@ -0,0 +1,61 @@
+---
+navigation_title: "Create a _monitoring_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/privileges-to-publish-monitoring.html
+---
+
+# Grant privileges and roles needed for monitoring [privileges-to-publish-monitoring]
+
+
+{{es-security-features}} provides built-in users and roles for monitoring. The privileges and roles needed depend on the method used to collect monitoring data.
+
+::::{admonition} Important note for {{ecloud}} users
+:class: important
+
+Built-in users are not available when running our [hosted {{ess}}](https://www.elastic.co/cloud/elasticsearch-service) on {{ecloud}}. To send monitoring data securely, create a monitoring user and grant it the roles described in the following sections.
+
+::::
+
+
+* If you’re using [internal collection](/reference/metricbeat/monitoring-internal-collection.md) to collect metrics about Metricbeat, {{es-security-features}} provides the `beats_system` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md) and `beats_system` [built-in role](elasticsearch://reference/elasticsearch/roles.md) to send monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to send monitoring information.
+
+    If you use the `beats_system` user, make sure you set the password.
+
+    If you don’t use the `beats_system` user:
+
+    1. Create a **monitoring role**, called something like `metricbeat_monitoring`, that has the following privileges:
+
+        | Type | Privilege | Purpose |
+        | --- | --- | --- |
+        | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+        | Index | `create_index` on `.monitoring-beats-*` indices | Create monitoring indices in {{es}} |
+        | Index | `create_doc` on `.monitoring-beats-*` indices | Write monitoring events into {{es}} |
+
+    2. Assign the **monitoring role**, along with the following built-in roles, to users who need to monitor Metricbeat:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `kibana_admin` | Use {{kib}} |
+        | `monitoring_user` | Use **Stack Monitoring** in {{kib}} to monitor Metricbeat |
+
+* If you’re [using {{metricbeat}}](/reference/metricbeat/monitoring-metricbeat-collection.md) to collect metrics about Metricbeat, {{es-security-features}} provides the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md), and the `remote_monitoring_collector` and `remote_monitoring_agent` [built-in roles](elasticsearch://reference/elasticsearch/roles.md) for collecting and sending monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to collect and send monitoring information.
+
+    If you use the `remote_monitoring_user` user, make sure you set the password.
+
+    If you don’t use the `remote_monitoring_user` user:
+
+    1. Create a user on the production cluster who will collect and send monitoring information.
+    2. Assign the following roles to the user:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `remote_monitoring_collector` | Collect monitoring metrics from Metricbeat |
+        | `remote_monitoring_agent` | Send monitoring data to the monitoring cluster |
+
+    3. Assign the following role to users who will view the monitoring data in {{kib}}:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `monitoring_user` | Use **Stack Monitoring** in {{kib}} to monitor Metricbeat |
+
+
diff --git a/docs/reference/metricbeat/privileges-to-setup-beats.md b/docs/reference/metricbeat/privileges-to-setup-beats.md
new file mode 100644
index 000000000000..0f6f2d4fd0ab
--- /dev/null
+++ b/docs/reference/metricbeat/privileges-to-setup-beats.md
@@ -0,0 +1,42 @@
+---
+navigation_title: "Create a _setup_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/privileges-to-setup-beats.html
+---
+
+# Grant privileges and roles needed for setup [privileges-to-setup-beats]
+
+
+::::{important}
+Setting up Metricbeat is an admin-level task that requires extra privileges. As a best practice, grant the setup role to administrators only, and use a more restrictive role for event publishing.
+::::
+
+
+Administrators who set up Metricbeat typically need to load mappings, dashboards, and other objects used to index data into {{es}} and visualize it in {{kib}}.
+
+To grant users the required privileges:
+
+1. Create a **setup role**, called something like `metricbeat_setup`, that has the following privileges:
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+    | Cluster | `manage_ilm` | Set up and manage index lifecycle management (ILM) policy |
+    | Index | `manage` on `metricbeat-*` indices | Load data stream |
+
+    Omit any privileges that aren’t relevant in your environment.
+
+    ::::{note}
+    These instructions assume that you are using the default name for Metricbeat indices. If `metricbeat-*` is not listed, or you are using a custom name, enter it manually and modify the privileges to match your index naming pattern.
+    ::::
+
+2. Assign the **setup role**, along with the following built-in roles, to users who need to set up Metricbeat:
+
+    | Role | Purpose |
+    | --- | --- |
+    | `kibana_admin` | Load dependencies, such as example dashboards, if available, into {{kib}} |
+    | `ingest_admin` | Set up index templates and, if available, ingest pipelines |
+
+    Omit any roles that aren’t relevant in your environment.
+
+
diff --git a/docs/reference/metricbeat/processor-dns.md b/docs/reference/metricbeat/processor-dns.md
new file mode 100644
index 000000000000..1f3b40e9dc60
--- /dev/null
+++ b/docs/reference/metricbeat/processor-dns.md
@@ -0,0 +1,102 @@
+---
+navigation_title: "dns"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/processor-dns.html
+---
+
+# DNS Reverse Lookup [processor-dns]
+
+
+The `dns` processor performs DNS queries. It caches the responses that it receives in accordance to the time-to-live (TTL) value contained in the response. It also caches failures that occur during lookups. Each instance of this processor maintains its own independent cache.
+
+The processor uses its own DNS resolver to send requests to nameservers and does not use the operating system’s resolver. It does not read any values contained in `/etc/hosts`.
+
+This processor can significantly slow down your pipeline’s throughput if you have a high latency network or slow upstream nameserver. The cache will help with performance, but if the addresses being resolved have a high cardinality then the cache benefits will be diminished due to the high miss ratio.
+
+By way of example, if each DNS lookup takes 2 milliseconds, the maximum throughput you can achieve is 500 events per second (1000 milliseconds / 2 milliseconds). If you have a high cache hit ratio then your throughput can be higher.
+
+The processor can send the following query types:
+
+* `A` - IPv4 addresses
+* `AAAA` - IPv6 addresses
+* `TXT` - arbitrary human-readable text data
+* `PTR` - reverse IP address lookups
+
+The output value is a list of strings for all query types except `PTR`. For `PTR` queries the output value is a string.
+
+This is a minimal configuration example that resolves the IP addresses contained in two fields.
+
+```yaml
+processors:
+  - dns:
+      type: reverse
+      fields:
+        source.ip: source.domain
+        destination.ip: destination.domain
+```
+
+Next is a configuration example showing all options.
+
+```yaml
+processors:
+- dns:
+    type: reverse
+    action: append
+    transport: tls
+    fields:
+      server.ip: server.domain
+      client.ip: client.domain
+    success_cache:
+      capacity.initial: 1000
+      capacity.max: 10000
+      min_ttl: 1m
+    failure_cache:
+      capacity.initial: 1000
+      capacity.max: 10000
+      ttl: 1m
+    nameservers: ['192.0.2.1', '203.0.113.1']
+    timeout: 500ms
+    tag_on_failure: [_dns_reverse_lookup_failed]
+```
+
+The `dns` processor has the following configuration settings:
+
+`type`
+:   The type of DNS query to perform. The supported types are `A`, `AAAA`, `PTR` (or `reverse`), and `TXT`.
+
+`action`
+:   This defines the behavior of the processor when the target field already exists in the event. The options are `append` (default) and `replace`.
+
+`fields`
+:   This is a mapping of source field names to target field names. The value of the source field will be used in the DNS query and result will be written to the target field.
+
+`success_cache.capacity.initial`
+:   The initial number of items that the success cache will be allocated to hold. When initialized the processor will allocate the memory for this number of items. Default value is `1000`.
+
+`success_cache.capacity.max`
+:   The maximum number of items that the success cache can hold. When the maximum capacity is reached a random item is evicted. Default value is `10000`.
+
+`success_cache.min_ttl`
+:   The duration of the minimum alternative cache TTL for successful DNS responses. Ensures that `TTL=0` successful reverse DNS responses can be cached. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `1m`.
+
+`failure_cache.capacity.initial`
+:   The initial number of items that the failure cache will be allocated to hold. When initialized the processor will allocate the memory for this number of items. Default value is `1000`.
+
+`failure_cache.capacity.max`
+:   The maximum number of items that the failure cache can hold. When the maximum capacity is reached a random item is evicted. Default value is `10000`.
+
+`failure_cache.ttl`
+:   The duration for which failures are cached. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `1m`.
+
+`nameservers`
+:   A list of nameservers to query. If there are multiple servers, the resolver queries them in the order listed. If none are specified then it will read the nameservers listed in `/etc/resolv.conf` once at initialization. On Windows you must always supply at least one nameserver.
+
+`timeout`
+:   The duration after which a DNS query will timeout. This is timeout for each DNS request so if you have 2 nameservers then the total timeout will be 2 times this value. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `500ms`.
+
+`tag_on_failure`
+:   A list of tags to add to the event when any lookup fails. The tags are only added once even if multiple lookups fail. By default, no tags are added upon failure.
+
+`transport`
+:   The type of transport connection that should be used can either be `tls` (DNS over TLS) or `udp`. Defaults to `udp`.
+
diff --git a/docs/reference/metricbeat/processor-registered-domain.md b/docs/reference/metricbeat/processor-registered-domain.md
new file mode 100644
index 000000000000..220c85bdec7f
--- /dev/null
+++ b/docs/reference/metricbeat/processor-registered-domain.md
@@ -0,0 +1,36 @@
+---
+navigation_title: "registered_domain"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/processor-registered-domain.html
+---
+
+# Registered Domain [processor-registered-domain]
+
+
+The `registered_domain` processor reads a field containing a hostname and then writes the "registered domain" contained in the hostname to the target field. For example, given `www.google.co.uk` the processor would output `google.co.uk`. In other words the "registered domain" is the effective top-level domain (`co.uk`) plus one level (`google`). Optionally, it can store the rest of the domain, the `subdomain` into another target field.
+
+This processor uses the Mozilla Public Suffix list to determine the value.
+
+```yaml
+processors:
+  - registered_domain:
+      field: dns.question.name
+      target_field: dns.question.registered_domain
+      target_etld_field: dns.question.top_level_domain
+      target_subdomain_field: dns.question.sudomain
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `registered_domain` processor has the following configuration settings:
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a fully qualified domain name (FQDN). |  |
+| `target_field` | yes |  | Target field for the registered domain value. |  |
+| `target_etld_field` | no |  | Target field for the effective top-level domain value. |  |
+| `target_subdomain_field` | no |  | Target subdomain field for the subdomain value. |  |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |  |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |  |
+| `id` | no |  | An identifier for this processor instance. Useful for debugging. |  |
+
diff --git a/docs/reference/metricbeat/processor-script.md b/docs/reference/metricbeat/processor-script.md
new file mode 100644
index 000000000000..170e26fb285a
--- /dev/null
+++ b/docs/reference/metricbeat/processor-script.md
@@ -0,0 +1,118 @@
+---
+navigation_title: "script"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/processor-script.html
+---
+
+# Script Processor [processor-script]
+
+
+The `script` processor executes Javascript code to process an event. The processor uses a pure Go implementation of ECMAScript 5.1 and has no external dependencies. This can be useful in situations where one of the other processors doesn’t provide the functionality you need to filter events.
+
+The processor can be configured by embedding Javascript in your configuration file or by pointing the processor at external file(s).
+
+```yaml
+processors:
+  - script:
+      lang: javascript
+      source: >
+        function process(event) {
+            event.Tag("js");
+        }
+```
+
+This loads `filter.js` from disk.
+
+```yaml
+processors:
+  - script:
+      lang: javascript
+      file: ${path.config}/filter.js
+```
+
+Parameters can be passed to the script by adding `params` to the config. This allows for a script to be made reusable. When using `params` the code must define a `register(params)` function to receive the parameters.
+
+```yaml
+processors:
+  - script:
+      lang: javascript
+      tag: my_filter
+      params:
+        threshold: 15
+      source: >
+        var params = {threshold: 42};
+        function register(scriptParams) {
+            params = scriptParams;
+        }
+        function process(event) {
+            if (event.Get("severity") < params.threshold) {
+                event.Cancel();
+            }
+        }
+```
+
+If the script defines a `test()` function it will be invoked when the processor is loaded. Any exceptions thrown will cause the processor to fail to load. This can be used to make assertions about the behavior of the script.
+
+```javascript
+function process(event) {
+    if (event.Get("event.code") === 1102) {
+        event.Put("event.action", "cleared");
+    }
+    return event;
+}
+
+function test() {
+    var event = process(new Event({event: {code: 1102}}));
+    if (event.Get("event.action") !== "cleared") {
+        throw "expected event.action === cleared";
+    }
+}
+```
+
+
+## Configuration options [_configuration_options_13]
+
+The `script` processor has the following configuration settings:
+
+`lang`
+:   This field is required and its value must be `javascript`.
+
+`tag`
+:   This is an optional identifier that is added to log messages. If defined it enables metrics logging for this instance of the processor. The metrics include the number of exceptions and a histogram of the execution times for the `process` function.
+
+`source`
+:   Inline Javascript source code.
+
+`file`
+:   Path to a script file to load. Relative paths are interpreted as relative to the `path.config` directory. Globs are expanded.
+
+`files`
+:   List of script files to load. The scripts are concatenated together. Relative paths are interpreted as relative to the `path.config` directory. And globs are expanded.
+
+`params`
+:   A dictionary of parameters that are passed to the `register` of the script.
+
+`tag_on_exception`
+:   Tag to add to events in case the Javascript code causes an exception while processing an event. Defaults to `_js_exception`.
+
+`timeout`
+:   This sets an execution timeout for the `process` function. When the `process` function takes longer than the `timeout` period the function is interrupted. You can set this option to prevent a script from running for too long (like preventing an infinite `while` loop). By default there is no timeout.
+
+`max_cached_sessions`
+:   This sets the maximum number of Javascript VM sessions that will be cached to avoid reallocation. The default is `4`.
+
+
+## Event API [_event_api]
+
+The `Event` object passed to the `process` method has the following API.
+
+| Method | Description |
+| --- | --- |
+| `Get(string)` | Get a value from the event (either a scalar or an object). If the key does notexist `null` is returned. If no key is provided then an object containing allfields is returned.<br>**Example**: `var value = event.Get(key);` |
+| `Put(string, value)` | Put a value into the event. If the key was already set then theprevious value is returned. It throws an exception if the key cannot be setbecause one of the intermediate values is not an object.<br>**Example**: `var old = event.Put(key, value);` |
+| `Rename(string, string)` | Rename a key in the event. The target key must not exist. Itreturns true if the source key was successfully renamed to the target key.<br>**Example**: `var success = event.Rename("source", "target");` |
+| `Delete(string)` | Delete a field from the event. It returns true on success.<br>**Example**: `var deleted = event.Delete("user.email");` |
+| `Cancel()` | Flag the event as cancelled which causes the processor to dropevent.<br>**Example**: `event.Cancel(); return;` |
+| `Tag(string)` | Append a tag to the `tags` field if the tag does not alreadyexist. Throws an exception if `tags` exists and is not a string or a list ofstrings.<br>**Example**: `event.Tag("user_event");` |
+| `AppendTo(string, string)` | `AppendTo` is a specialized `Put` method that converts the existing value to anarray and appends the value if it does not already exist. If there is anexisting value that’s not a string or array of strings then an exception isthrown.<br>**Example**: `event.AppendTo("error.message", "invalid file hash");` |
+
diff --git a/docs/reference/metricbeat/processor-translate-guid.md b/docs/reference/metricbeat/processor-translate-guid.md
new file mode 100644
index 000000000000..de8db623038e
--- /dev/null
+++ b/docs/reference/metricbeat/processor-translate-guid.md
@@ -0,0 +1,79 @@
+---
+navigation_title: "translate_ldap_attribute"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/processor-translate-guid.html
+---
+
+# Translate GUID [processor-translate-guid]
+
+
+The `translate_ldap_attribute` processor translates an LDAP attributes between eachother. It is typically used to translate AD Global Unique Identifiers (GUID) into their common names.
+
+Every object on an Active Directory or an LDAP server is issued a GUID. Internal processes refer to their GUID’s rather than the object’s name and these values sometimes appear in logs.
+
+If the search attribute is invalid (malformed) or does not map to any object on the domain then this will result in the processor returning an error unless `ignore_failure` is set.
+
+The result of this operation is an array of values, given that a single attribute can hold multiple values.
+
+Note: the search attribute is expected to map to a single object. If it doesn’t, no error will be returned, but only results of the first entry will be added to the event.
+
+```yaml
+processors:
+  - translate_ldap_attribute:
+      field: winlog.event_data.ObjectGuid
+      ldap_address: "ldap://"
+      ldap_base_dn: "dc=example,dc=com"
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `translate_ldap_attribute` processor has the following configuration settings:
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a GUID. |
+| `target_field` | no |  | Target field for the mapped attribute value. If not set it will be replaced in place. |
+| `ldap_address` | yes |  | LDAP server address. eg: `ldap://ds.example.com:389` |
+| `ldap_base_dn` | yes |  | LDAP base DN. eg: `dc=example,dc=com` |
+| `ldap_bind_user` | no |  | LDAP user. |
+| `ldap_bind_password` | no |  | LDAP password. |
+| `ldap_search_attribute` | yes | `objectGUID` | LDAP attribute to search by. |
+| `ldap_mapped_attribute` | yes | `cn` | LDAP attribute to map to. |
+| `ldap_search_time_limit` | no | 30 | LDAP search time limit in seconds. |
+| `ldap_ssl`* | no | 30 | LDAP TLS/SSL connection settings. |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |
+
+* Also see [SSL](/reference/metricbeat/configuration-ssl.md) for a full description of the `ldap_ssl` options.
+
+If the searches are slow or you expect a high amount of different key attributes to be found, consider using a cache processor to speed processing:
+
+```yaml
+processors:
+  - cache:
+      backend:
+        memory:
+          id: ldapguids
+      get:
+        key_field: winlog.event_data.ObjectGuid
+        target_field: winlog.common_name
+      ignore_missing: true
+  - if:
+      not:
+        - has_fields: winlog.common_name
+    then:
+      - translate_ldap_attribute:
+          field: winlog.event_data.ObjectGuid
+          target_field: winlog.common_name
+          ldap_address: "ldap://"
+          ldap_base_dn: "dc=example,dc=com"
+      - cache:
+          backend:
+            memory:
+              id: ldapguids
+            capacity: 10000
+          put:
+            key_field: winlog.event_data.ObjectGuid
+            value_field: winlog.common_name
+```
+
diff --git a/docs/reference/metricbeat/processor-translate-sid.md b/docs/reference/metricbeat/processor-translate-sid.md
new file mode 100644
index 000000000000..b5383b4e850f
--- /dev/null
+++ b/docs/reference/metricbeat/processor-translate-sid.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "translate_sid"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/processor-translate-sid.html
+---
+
+# Translate SID [processor-translate-sid]
+
+
+The `translate_sid` processor translates a Windows security identifier (SID) into an account name. It retrieves the name of the account associated with the SID, the first domain on which the SID is found, and the type of account. This is only available on Windows.
+
+Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account’s SID rather than the account’s user or group name and these values sometimes appear in logs.
+
+If the SID is invalid (malformed) or does not map to any account on the local system or domain then this will result in the processor returning an error unless `ignore_failure` is set.
+
+```yaml
+processors:
+  - translate_sid:
+      field: winlog.event_data.MemberSid
+      account_name_target: user.name
+      domain_target: user.domain
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `translate_sid` processor has the following configuration settings:
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a Windows security identifier (SID). |
+| `account_name_target` | yes* |  | Target field for the account name value. |
+| `account_type_target` | yes* |  | Target field for the account type value. |
+| `domain_target` | yes* |  | Target field for the domain value. |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |
+
+* At least one of `account_name_target`, `account_type_target`, and `domain_target` is required to be configured.
+
diff --git a/docs/reference/metricbeat/publishing-ls-fails-connection-reset-by-peer.md b/docs/reference/metricbeat/publishing-ls-fails-connection-reset-by-peer.md
new file mode 100644
index 000000000000..821b7f9f0cbb
--- /dev/null
+++ b/docs/reference/metricbeat/publishing-ls-fails-connection-reset-by-peer.md
@@ -0,0 +1,18 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/publishing-ls-fails-connection-reset-by-peer.html
+---
+
+# Publishing to Logstash fails with "connection reset by peer" message [publishing-ls-fails-connection-reset-by-peer]
+
+Metricbeat requires a persistent TCP connection to {{ls}}. If a firewall interferes with the connection, you might see errors like this:
+
+```shell
+Failed to publish events caused by: write tcp ... write: connection reset by peer
+```
+
+To solve the problem:
+
+* make sure the firewall is not closing connections between Metricbeat and {{ls}}, or
+* set the `ttl` value in the [{{ls}} output](/reference/metricbeat/logstash-output.md) to a value that’s lower than the maximum time allowed by the firewall, and set `pipelining` to 0 (pipelining cannot be enabled when `ttl` is used).
+
diff --git a/docs/reference/metricbeat/rate-limit.md b/docs/reference/metricbeat/rate-limit.md
new file mode 100644
index 000000000000..7166cff32781
--- /dev/null
+++ b/docs/reference/metricbeat/rate-limit.md
@@ -0,0 +1,43 @@
+---
+navigation_title: "rate_limit"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/rate-limit.html
+---
+
+# Rate limit the flow of events [rate-limit]
+
+
+The `rate_limit` processor limits the throughput of events based on the specified configuration.
+
+In the current implementation, rate-limited events are dropped. Future implementations may allow rate-limited events to be handled differently.
+
+```yaml
+processors:
+- rate_limit:
+   limit: "10000/m"
+```
+
+```yaml
+processors:
+- rate_limit:
+   fields:
+   - "cloudfoundry.org.name"
+   limit: "400/s"
+```
+
+```yaml
+processors:
+- if.equals.cloudfoundry.org.name: "acme"
+  then:
+  - rate_limit:
+      limit: "500/s"
+```
+
+The following settings are supported:
+
+`limit`
+:   The rate limit. Supported time units for the rate are `s` (per second), `m` (per minute), and `h` (per hour).
+
+`fields`
+:   (Optional) List of fields. The rate limit will be applied to each distinct value derived by combining the values of these fields.
+
diff --git a/docs/reference/metricbeat/redis-output.md b/docs/reference/metricbeat/redis-output.md
new file mode 100644
index 000000000000..1ba17627b61d
--- /dev/null
+++ b/docs/reference/metricbeat/redis-output.md
@@ -0,0 +1,209 @@
+---
+navigation_title: "Redis"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/redis-output.html
+---
+
+# Configure the Redis output [redis-output]
+
+
+The Redis output inserts the events into a Redis list or a Redis channel. This output plugin is compatible with the [Redis input plugin](logstash://reference/plugins-inputs-redis.md) for Logstash.
+
+To use this output, edit the Metricbeat configuration file to disable the {{es}} output by commenting it out, and enable the Redis output by adding `output.redis`.
+
+Example configuration:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  password: "my_password"
+  key: "metricbeat"
+  db: 0
+  timeout: 5
+```
+
+## Compatibility [_compatibility_3]
+
+This output is expected to work with all Redis versions between 3.2.4 and 5.0.8. Other versions might work as well, but are not supported.
+
+
+## Configuration options [_configuration_options_5]
+
+You can specify the following `output.redis` options in the `metricbeat.yml` config file:
+
+### `enabled` [_enabled_5]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [_hosts_3]
+
+The list of Redis servers to connect to. If load balancing is enabled, the events are distributed to the servers in the list. If one server becomes unreachable, the events are distributed to the reachable servers only. You can define each Redis server by specifying `HOST` or `HOST:PORT`. For example: `"192.15.3.2"` or `"test.redis.io:12345"`. If you don’t specify a port number, the value configured by `port` is used. Configure each Redis server with an `IP:PORT` pair or with a `URL`. For example: `redis://localhost:6379` or `rediss://localhost:6379`. URLs can include a server-specific password. For example: `redis://:password@localhost:6379`. The `redis` scheme will disable the `ssl` settings for the host, while `rediss` will enforce TLS.  If `rediss` is specified and no `ssl` settings are configured, the output uses the system certificate store.
+
+
+### `index` [_index_2]
+
+The index name added to the events metadata for use by Logstash. The default is "metricbeat".
+
+
+### `key` [key-option-redis]
+
+The name of the Redis list or channel the events are published to. If not configured, the value of the `index` setting is used.
+
+You can set the key dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.list`, to set the Redis list key. If `fields.list` is missing, `fallback` is used:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  key: "%{[fields.list]:fallback}"
+```
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/metricbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`keys`](#keys-option-redis) setting for other ways to set the key dynamically.
+
+
+### `keys` [keys-option-redis]
+
+An array of key selector rules. Each rule specifies the `key` to use for events that match the rule. During publishing, Metricbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `keys` setting is missing or no rule matches, the [`key`](#key-option-redis) setting is used.
+
+Rule settings:
+
+**`index`**
+:   The key format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `key` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/metricbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+Example `keys` settings:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  key: "default_list"
+  keys:
+    - key: "info_list"   # send to info_list if `message` field contains INFO
+      when.contains:
+        message: "INFO"
+    - key: "debug_list"  # send to debug_list if `message` field contains DEBUG
+      when.contains:
+        message: "DEBUG"
+    - key: "%{[fields.list]}"
+      mappings:
+        http: "frontend_list"
+        nginx: "frontend_list"
+        mysql: "backend_list"
+```
+
+
+### `password` [_password_4]
+
+The password to authenticate with. The default is no authentication.
+
+
+### `db` [_db]
+
+The Redis database number where the events are published. The default is 0.
+
+
+### `datatype` [_datatype]
+
+The Redis data type to use for publishing events.If the data type is `list`, the Redis RPUSH command is used and all events are added to the list with the key defined under `key`. If the data type `channel` is used, the Redis `PUBLISH` command is used and means that all events are pushed to the pub/sub mechanism of Redis. The name of the channel is the one defined under `key`. The default value is `list`.
+
+
+### `codec` [_codec_2]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/metricbeat/configuration-output-codec.md) for more information.
+
+
+### `worker` or `workers` [_worker_or_workers_2]
+
+The number of workers to use for each host configured to publish events to Redis. Use this setting along with the `loadbalance` option. For example, if you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+
+### `loadbalance` [_loadbalance_2]
+
+When `loadbalance: true` is set, Metricbeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Metricbeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Metricbeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Metricbeat can connect to at least one of its configured hosts.
+
+The default value is `true`.
+
+
+### `timeout` [_timeout_5]
+
+The Redis connection timeout in seconds. The default is 5 seconds.
+
+
+### `backoff.init` [_backoff_init_3]
+
+The number of seconds to wait before trying to reconnect to Redis after a network error. After waiting `backoff.init` seconds, Metricbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_3]
+
+The maximum number of seconds to wait before attempting to connect to Redis after a network error. The default is 60s.
+
+
+### `max_retries` [_max_retries_4]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `bulk_max_size` [_bulk_max_size_3]
+
+The maximum number of events to bulk in a single Redis request or pipeline. The default is 2048.
+
+Events can be collected into batches. Metricbeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `ssl` [_ssl_5]
+
+Configuration options for SSL parameters like the root CA for Redis connections guarded by SSL proxies (for example [stunnel](https://www.stunnel.org)). See [SSL](/reference/metricbeat/configuration-ssl.md) for more information.
+
+
+### `proxy_url` [_proxy_url_3]
+
+The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The value must be a URL with a scheme of `socks5://`. You cannot use a web proxy because the protocol used to communicate with Redis is not based on HTTP.
+
+If the SOCKS5 proxy server requires client authentication, you can embed a username and password in the URL.
+
+When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the [`proxy_use_local_resolver`](#redis-proxy-use-local-resolver) option.
+
+
+### `proxy_use_local_resolver` [redis-proxy-use-local-resolver]
+
+This option determines whether Redis hostnames are resolved locally when using a proxy. The default value is false, which means that name resolution occurs on the proxy server.
+
+
+### `queue` [_queue_4]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/metricbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `metricbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/metricbeat/regexp-support.md b/docs/reference/metricbeat/regexp-support.md
new file mode 100644
index 000000000000..59a7a5764b7e
--- /dev/null
+++ b/docs/reference/metricbeat/regexp-support.md
@@ -0,0 +1,111 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/regexp-support.html
+---
+
+# Regular expression support [regexp-support]
+
+Metricbeat regular expression support is based on [RE2](https://godoc.org/regexp/syntax).
+
+Before using a regular expression in the config file, refer to the documentation to verify that the option you are setting accepts a regular expression.
+
+::::{note}
+We recommend that you wrap regular expressions in single quotation marks to work around YAML’s string escaping rules. For example, `'^\[?[0-9][0-9]:?[0-9][0-9]|^[[:graph:]]+'`.
+::::
+
+
+For more examples of supported regexp patterns, see [Managing Multiline Messages](/reference/filebeat/multiline-examples.md). Although the examples pertain to Filebeat, the regexp patterns are applicable to other use cases.
+
+The following patterns are supported:
+
+* [Single Characters](#single-characters)
+* [Composites](#composites)
+* [Repetitions](#repetitions)
+* [Groupings](#grouping)
+* [Empty Strings](#empty-strings)
+* [Escape Sequences](#escape-sequences)
+* [ASCII Character Classes](#ascii-character-classes)
+* [Perl Character Classes](#perl-character-classes)
+
+| Pattern | Description |
+| --- | --- |
+| $$$single-characters$$$**Single Characters** |  |
+| `x` | single character |
+| `.` | any character |
+| `[xyz]` | character class |
+| `[^xyz]` | negated character class |
+| `[[:alpha:]]` | ASCII character class |
+| `[[:^alpha:]]` | negated ASCII character class |
+| `\d` | Perl character class |
+| `\D` | negated Perl character class |
+| `\pN` | Unicode character class (one-letter name) |
+| `\p{{Greek}}` | Unicode character class |
+| `\PN` | negated Unicode character class (one-letter name) |
+| `\P{{Greek}}` | negated Unicode character class |
+| $$$composites$$$**Composites** |  |
+| `xy` | `x` followed by `y` |
+| `x&#124;y` | `x` or `y` (prefer `x`) |
+| $$$repetitions$$$**Repetitions** |  |
+| `x*` | zero or more `x` |
+| `x+` | one or more `x` |
+| `x?` | zero or one `x` |
+| `x{n,m}` | `n` or `n+1` or …​ or `m` `x`, prefer more |
+| `x{n,}` | `n` or more `x`, prefer more |
+| `x{{n}}` | exactly `n` `x` |
+| `x*?` | zero or more `x`, prefer fewer |
+| `x+?` | one or more `x`, prefer fewer |
+| `x??` | zero or one `x`, prefer zero |
+| `x{n,m}?` | `n` or `n+1` or …​ or `m` `x`, prefer fewer |
+| `x{n,}?` | `n` or more `x`, prefer fewer |
+| `x{{n}}?` | exactly `n` `x` |
+| $$$grouping$$$**Grouping** |  |
+| `(re)` | numbered capturing group (submatch) |
+| `(?P<name>re)` | named & numbered capturing group (submatch) |
+| `(?:re)` | non-capturing group |
+| `(?i)abc` | set flags within current group, non-capturing |
+| `(?i:re)` | set flags during re, non-capturing |
+| `(?i)PaTTeRN` | case-insensitive (default false) |
+| `(?m)multiline` | multi-line mode: `^` and `$` match begin/end line in addition to begin/end text (default false) |
+| `(?s)pattern.` | let `.` match `\n` (default false) |
+| `(?U)x*abc` | ungreedy: swap meaning of `x*` and `x*?`, `x+` and `x+?`, etc (default false) |
+| $$$empty-strings$$$**Empty Strings** |  |
+| `^` | at beginning of text or line (`m`=true) |
+| `$` | at end of text (like `\z` not `\Z`) or line (`m`=true) |
+| `\A` | at beginning of text |
+| `\b` | at ASCII word boundary (`\w` on one side and `\W`, `\A`, or `\z` on the other) |
+| `\B` | not at ASCII word boundary |
+| `\z` | at end of text |
+| $$$escape-sequences$$$**Escape Sequences** |  |
+| `\a` | bell (same as `\007`) |
+| `\f` | form feed (same as `\014`) |
+| `\t` | horizontal tab (same as `\011`) |
+| `\n` | newline (same as `\012`) |
+| `\r` | carriage return (same as `\015`) |
+| `\v` | vertical tab character (same as `\013`) |
+| `\*` | literal `*`, for any punctuation character `*` |
+| `\123` | octal character code (up to three digits) |
+| `\x7F` | two-digit hex character code |
+| `\x{{10FFFF}}` | hex character code |
+| `\Q...\E` | literal text `...` even if `...` has punctuation |
+| $$$ascii-character-classes$$$**ASCII Character Classes** |  |
+| `[[:alnum:]]` | alphanumeric (same as `[0-9A-Za-z]`) |
+| `[[:alpha:]]` | alphabetic (same as `[A-Za-z]`) |
+| `[[:ascii:]]` | ASCII (same as `\x00-\x7F]`) |
+| `[[:blank:]]` | blank (same as `[\t ]`) |
+| `[[:cntrl:]]` | control (same as `[\x00-\x1F\x7F]`) |
+| `[[:digit:]]` | digits (same as `[0-9]`) |
+| `[[:graph:]]` | graphical (same as ```[!-~] == [A-Za-z0-9!"#$%&'()*+,\-./:;<=>?@[\\\]^_` ``` ```{&#124;}~]```) |
+| `[[:lower:]]` | lower case (same as `[a-z]`) |
+| `[[:print:]]` | printable (same as `[ -~] == [ [:graph:]]`) |
+| `[[:punct:]]` | punctuation (same as ```[!-/:-@[-`{-~]```) |
+| `[[:space:]]` | whitespace (same as `[\t\n\v\f\r ]`) |
+| `[[:upper:]]` | upper case (same as `[A-Z]`) |
+| `[[:word:]]` | word characters (same as `[0-9A-Za-z_]`) |
+| `[[:xdigit:]]` | hex digit (same as `[0-9A-Fa-f]`) |
+| $$$perl-character-classes$$$**Supported Perl Character Classes** |  |
+| `\d` | digits (same as `[0-9]`) |
+| `\D` | not digits (same as `[^0-9]`) |
+| `\s` | whitespace (same as `[\t\n\f\r ]`) |
+| `\S` | not whitespace (same as `[^\t\n\f\r ]`) |
+| `\w` | word characters (same as `[0-9A-Za-z_]`) |
+| `\W` | not word characters (same as `[^0-9A-Za-z_]`) |
diff --git a/docs/reference/metricbeat/rename-fields.md b/docs/reference/metricbeat/rename-fields.md
new file mode 100644
index 000000000000..55468e257955
--- /dev/null
+++ b/docs/reference/metricbeat/rename-fields.md
@@ -0,0 +1,43 @@
+---
+navigation_title: "rename"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/rename-fields.html
+---
+
+# Rename fields from events [rename-fields]
+
+
+The `rename` processor specifies a list of fields to rename. Under the `fields` key, each entry contains a `from: old-key` and a `to: new-key` pair, where:
+
+* `from` is the original field name. It’s supported to use `@metadata.` prefix for `from` and rename keys in the event metadata instead of event fields.
+* `to` is the target field name
+
+The `rename` processor cannot be used to overwrite fields. To overwrite fields either first rename the target field, or use the `drop_fields` processor to drop the field and then rename the field.
+
+::::{tip}
+You can rename fields to resolve field name conflicts. For example, if an event has two fields, `c` and `c.b` (where `b` is a subfield of `c`), assigning scalar values results in an {{es}} error at ingest time. The assignment `{"c": 1, "c.b": 2}` would result in an error because `c` is an object and cannot be assigned a scalar value. To prevent this conflict, rename `c` to `c.value` before assigning values.
+::::
+
+
+```yaml
+processors:
+  - rename:
+      fields:
+        - from: "a.g"
+          to: "e.d"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+The `rename` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be renamed is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the renaming of fields is stopped and the original event is returned. If set to false, renaming continues also if an error happened during renaming. Default is `true`.
+
+See [Conditions](/reference/metricbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+You can specify multiple `rename` processors under the `processors` section.
+
diff --git a/docs/reference/metricbeat/replace-fields.md b/docs/reference/metricbeat/replace-fields.md
new file mode 100644
index 000000000000..f5aa964f6166
--- /dev/null
+++ b/docs/reference/metricbeat/replace-fields.md
@@ -0,0 +1,44 @@
+---
+navigation_title: "replace"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/replace-fields.html
+---
+
+# Replace fields from events [replace-fields]
+
+
+The `replace` processor takes a list of fields to search for a matching value and replaces the matching value with a specified string.
+
+The `replace` processor cannot be used to create a completely new value.
+
+::::{tip}
+You can use this processor to truncate a field value or replace it with a new string value. You can also use this processor to mask PII information.
+::::
+
+
+
+## Example [_example]
+
+The following example changes the path from `/usr/bin` to `/usr/local/bin`:
+
+```yaml
+  - replace:
+      fields:
+        - field: "file.path"
+          pattern: "/usr/"
+          replacement: "/usr/local/"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+
+## Configuration settings [_configuration_settings]
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `fields` | Yes |  | List of one or more items. Each item contains a `field: field-name`, `pattern: regex-pattern`, and `replacement: replacement-string`, where:<br><br>* `field` is the original field name. You can use the `@metadata.` prefix in this field to replace values in the event metadata instead of event fields.<br>* `pattern` is the regex pattern to match the field’s value<br>* `replacement` is the replacement string to use to update the field’s value<br> |
+| `ignore_missing` | No | `false` | Whether to ignore missing fields. If `true`, no error is logged if the specified field is missing. |
+| `fail_on_error` | No | `true` | Whether to fail replacement of field values if an error occurs.If `true` and there’s an error, the replacement of field values is stopped, and the original event is returned.If `false`, replacement continues even if an error occurs during replacement. |
+
+See [Conditions](/reference/metricbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/metricbeat/running-on-cloudfoundry.md b/docs/reference/metricbeat/running-on-cloudfoundry.md
new file mode 100644
index 000000000000..8d305eb64d8f
--- /dev/null
+++ b/docs/reference/metricbeat/running-on-cloudfoundry.md
@@ -0,0 +1,93 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/running-on-cloudfoundry.html
+---
+
+# Run Metricbeat on Cloud Foundry [running-on-cloudfoundry]
+
+You can use Metricbeat on Cloud Foundry to retrieve and ship metrics.
+
+However, version 9.0.0-beta1 of Metricbeat has not yet been released, no build is currently available for this version.
+
+## Create Cloud Foundry credentials [_create_cloud_foundry_credentials]
+
+To connect to loggregator and receive the logs, Metricbeat requires credentials created with UAA. The `uaac` command creates the required credentials for connecting to loggregator.
+
+```sh
+uaac client add metricbeat --name metricbeat --secret changeme --authorized_grant_types client_credentials,refresh_token --authorities doppler.firehose,cloud_controller.admin_read_only
+```
+
+::::{warning}
+**Use a unique secret:** The `uaac` command shown here is an example. Remember to replace `changeme` with your secret, and update the `metricbeat.yml` file to use your chosen secret.
+
+::::
+
+
+
+## Download Cloud Foundry deploy manifests [_download_cloud_foundry_deploy_manifests]
+
+You deploy Metricbeat as an application with no route.
+
+Cloud Foundry requires that 3 files exist inside of a directory to allow Metricbeat to be pushed. The commands below provide the basic steps for getting it up and running.
+
+```sh
+curl -L -O https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-9.0.0-beta1-linux-x86_64.tar.gz
+tar xzvf metricbeat-9.0.0-beta1-linux-x86_64.tar.gz
+cd metricbeat-9.0.0-beta1-linux-x86_64
+curl -L -O https://raw.githubusercontent.com/elastic/beats/master/deploy/cloudfoundry/metricbeat/metricbeat.yml
+curl -L -O https://raw.githubusercontent.com/elastic/beats/master/deploy/cloudfoundry/metricbeat/manifest.yml
+```
+
+You need to modify the `metricbeat.yml` file to set the `api_address`, `client_id` and `client_secret`.
+
+
+## Load {{kib}} dashboards [_load_kib_dashboards_2]
+
+Metricbeat comes packaged with various pre-built {{kib}} dashboards that you can use to visualize data in {{kib}}.
+
+If these dashboards are not already loaded into {{kib}}, you must run the Metricbeat `setup` command. To learn how, see [Load {{kib}} dashboards](/reference/metricbeat/load-kibana-dashboards.md).
+
+::::{important}
+If you are using a different output other than {{es}}, such as {{ls}}, you need to [Load the index template manually](/reference/metricbeat/metricbeat-template.md#load-template-manually) and [*Load {{kib}} dashboards*](/reference/metricbeat/load-kibana-dashboards.md).
+
+::::
+
+
+
+## Deploy Metricbeat [_deploy_metricbeat]
+
+To deploy Metricbeat to Cloud Foundry, run:
+
+```sh
+cf push
+```
+
+To check the status, run:
+
+```sh
+$ cf apps
+
+name       requested state   instances   memory   disk   urls
+metricbeat   started           1/1         512M     1G
+```
+
+Metric events should start flowing to Elasticsearch. The events are annotated with metadata added by the [add_cloudfoundry_metadata](/reference/metricbeat/add-cloudfoundry-metadata.md) processor.
+
+
+## Scale Metricbeat [_scale_metricbeat]
+
+A single instance of Metricbeat can ship more than a hundred thousand events per minute. If your Cloud Foundry deployment is producing more events than Metricbeat can collect and ship, the Firehose will start dropping events, and it will mark Metricbeat as a slow consumer. If the problems persist, Metricbeat may be disconnected from the Firehose. In such cases, you will need to scale Metricbeat to avoid losing events.
+
+The main settings you need to take into account are:
+
+* The `shard_id` specified in the [`cloudfoundry` module](/reference/metricbeat/metricbeat-module-cloudfoundry.md). The Firehose will divide the events amongst all the Metricbeat instances with the same value for this setting. All instances with the same `shard_id` should have the same configuration.
+* Number of Metricbeat instances. When Metricbeat is deployed as a Cloud Foundry application, it can be scaled up and down like any other application, with `cf scale` or by specifying the number of instances in the manifest.
+* [Output configuration](/reference/metricbeat/configuring-output.md). In some cases, you can fine-tune the output configuration to improve the events throughput. Some outputs support multiple workers. The number of workers can be changed to take better advantage of the available resources.
+
+Some basic recommendations to adjust these settings when Metricbeat is not able to collect all events:
+
+* If Metricbeat is hitting its CPU limits, you will need to increase the number of Metricbeat instances deployed with the same `shard_id`.
+* If Metricbeat has some spare CPU, there may be some backpressure from the output. Try to increase the number of workers in the output. If this doesn’t help, the bottleneck may be in the network or in the service receiving the events sent by Metricbeat.
+* If you need to modify the memory limit of Metricbeat, remember that CPU shares assigned to Cloud Foundry applications depend on the configured memory limit. You may need to check the other recommendations after that.
+
+
diff --git a/docs/reference/metricbeat/running-on-docker.md b/docs/reference/metricbeat/running-on-docker.md
new file mode 100644
index 000000000000..46b805631aef
--- /dev/null
+++ b/docs/reference/metricbeat/running-on-docker.md
@@ -0,0 +1,234 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/running-on-docker.html
+---
+
+# Run Metricbeat on Docker [running-on-docker]
+
+Docker images for Metricbeat are available from the Elastic Docker registry. The base image is [centos:7](https://hub.docker.com/_/centos/).
+
+A list of all published Docker images and tags is available at [www.docker.elastic.co](https://www.docker.elastic.co).
+
+These images are free to use under the Elastic license. They contain open source and free commercial features and access to paid commercial features. [Start a 30-day trial](docs-content://deploy-manage/license/manage-your-license-in-self-managed-cluster.md) to try out all of the paid commercial features. See the [Subscriptions](https://www.elastic.co/subscriptions) page for information about Elastic license levels.
+
+## Pull the image [_pull_the_image]
+
+Obtaining Metricbeat for Docker is as simple as issuing a `docker pull` command against the Elastic Docker registry.
+
+::::{warning}
+Version 9.0.0-beta1 of Metricbeat has not yet been released. No Docker image is currently available for Metricbeat 9.0.0-beta1.
+::::
+
+
+```sh
+docker pull docker.elastic.co/beats/metricbeat:9.0.0-beta1
+```
+
+Alternatively, you can download other Docker images that contain only features available under the Apache 2.0 license. To download the images, go to [www.docker.elastic.co](https://www.docker.elastic.co).
+
+As another option, you can use the hardened [Wolfi](https://wolfi.dev/) image. Using Wolfi images requires Docker version 20.10.10 or higher. For details about why the Wolfi images have been introduced, refer to our article [Reducing CVEs in Elastic container images](https://www.elastic.co/blog/reducing-cves-in-elastic-container-images).
+
+```bash
+docker pull docker.elastic.co/beats/metricbeat-wolfi:9.0.0-beta1
+```
+
+
+## Optional: Verify the image [_optional_verify_the_image]
+
+You can use the [Cosign application](https://docs.sigstore.dev/cosign/installation/) to verify the Metricbeat Docker image signature.
+
+::::{warning}
+Version 9.0.0-beta1 of Metricbeat has not yet been released. No Docker image is currently available for Metricbeat 9.0.0-beta1.
+::::
+
+
+```sh
+wget https://artifacts.elastic.co/cosign.pub
+cosign verify --key cosign.pub docker.elastic.co/beats/metricbeat:9.0.0-beta1
+```
+
+The `cosign` command prints the check results and the signature payload in JSON format:
+
+```sh
+Verification for docker.elastic.co/beats/metricbeat:9.0.0-beta1 --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The signatures were verified against the specified public key
+```
+
+
+## Run the Metricbeat setup [_run_the_metricbeat_setup]
+
+::::{important}
+A [known issue](https://github.com/elastic/beats/issues/42038) in version 8.17.0 prevents {{beats}} Docker images from starting when no options are provided. When running an image on that version, add an `--environment container` parameter to avoid the problem. This is planned to be addressed in issue [#42060](https://github.com/elastic/beats/pull/42060).
+::::
+
+
+Running Metricbeat with the setup command will create the index pattern and load visualizations , dashboards, and machine learning jobs.  Run this command:
+
+```sh
+docker run --rm \
+docker.elastic.co/beats/metricbeat:9.0.0-beta1 \
+setup -E setup.kibana.host=kibana:5601 \
+-E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
+```
+
+1. Substitute your Kibana and Elasticsearch hosts and ports.
+2. If you are using the hosted {{ess}} in {{ecloud}}, replace the `-E output.elasticsearch.hosts` line with the Cloud ID and elastic password using this syntax:
+
+
+```shell
+-E cloud.id=<Cloud ID from Elasticsearch Service> \
+-E cloud.auth=elastic:<elastic password>
+```
+
+
+## Run Metricbeat on a read-only file system [_run_metricbeat_on_a_read_only_file_system]
+
+If you’d like to run Metricbeat in a Docker container on a read-only file system, you can do so by specifying the `--read-only` option. Metricbeat requires a stateful directory to store application data, so with the `--read-only` option you also need to use the `--mount` option to specify a path to where that data can be stored.
+
+For example:
+
+```sh
+docker run --rm \
+  --mount type=bind,source=$(pwd)/data,destination=/usr/share/metricbeat/data \
+  --read-only \
+  docker.elastic.co/beats/metricbeat:9.0.0-beta1
+```
+
+
+## Configure Metricbeat on Docker [_configure_metricbeat_on_docker]
+
+The Docker image provides several methods for configuring Metricbeat. The conventional approach is to provide a configuration file via a volume mount, but it’s also possible to create a custom image with your configuration included.
+
+### Example configuration file [_example_configuration_file]
+
+Download this example configuration file as a starting point:
+
+```sh
+curl -L -O https://raw.githubusercontent.com/elastic/beats/master/deploy/docker/metricbeat.docker.yml
+```
+
+
+### Volume-mounted configuration [_volume_mounted_configuration]
+
+One way to configure Metricbeat on Docker is to provide `metricbeat.docker.yml` via a volume mount. With `docker run`, the volume mount can be specified like this.
+
+```sh
+docker run -d \
+  --name=metricbeat \
+  --user=root \
+  --volume="$(pwd)/metricbeat.docker.yml:/usr/share/metricbeat/metricbeat.yml:ro" \
+  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
+  --volume="/sys/fs/cgroup:/hostfs/sys/fs/cgroup:ro" \
+  --volume="/proc:/hostfs/proc:ro" \
+  --volume="/:/hostfs:ro" \
+  docker.elastic.co/beats/metricbeat:9.0.0-beta1 metricbeat -e \
+  -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
+```
+
+1. Substitute your Elasticsearch hosts and ports.
+2. If you are using the hosted {{ess}} in {{ecloud}}, replace the `-E output.elasticsearch.hosts` line with the Cloud ID and elastic password using the syntax shown earlier.
+
+
+
+### Customize your configuration [_customize_your_configuration]
+
+The `metricbeat.docker.yml` file you downloaded earlier is configured to deploy Beats modules based on the Docker labels applied to your containers.  See [Hints based autodiscover](/reference/metricbeat/configuration-autodiscover-hints.md) for more details. Add labels to your application Docker containers, and they will be picked up by the Beats autodiscover feature when they are deployed.  Here is an example command for an Apache HTTP Server container with labels to configure the Filebeat and Metricbeat modules for the Apache HTTP Server:
+
+```sh
+docker run \
+  --label co.elastic.logs/module=apache2 \
+  --label co.elastic.logs/fileset.stdout=access \
+  --label co.elastic.logs/fileset.stderr=error \
+  --label co.elastic.metrics/module=apache \
+  --label co.elastic.metrics/metricsets=status \
+  --label co.elastic.metrics/hosts='${data.host}:${data.port}' \
+  --detach=true \
+  --name my-apache-app \
+  -p 8080:80 \
+  httpd:2.4
+```
+
+
+### Custom image configuration [_custom_image_configuration]
+
+It’s possible to embed your Metricbeat configuration in a custom image. Here is an example Dockerfile to achieve this:
+
+```dockerfile
+FROM docker.elastic.co/beats/metricbeat:9.0.0-beta1
+COPY --chown=root:metricbeat metricbeat.yml /usr/share/metricbeat/metricbeat.yml
+```
+
+
+### Monitor the host machine [monitoring-host]
+
+When executing Metricbeat in a container, there are some important things to be aware of if you want to monitor the host machine or other containers. Let’s walk-through some examples using Docker as our container orchestration tool.
+
+This example highlights the changes required to make the system module work properly inside of a container. This enables Metricbeat to monitor the host machine from within the container.
+
+```sh
+docker run \
+  --mount type=bind,source=/proc,target=/hostfs/proc,readonly \ <1>
+  --mount type=bind,source=/sys/fs/cgroup,target=/hostfs/sys/fs/cgroup,readonly \ <2>
+  --mount type=bind,source=/,target=/hostfs,readonly \ <3>
+  --mount type=bind,source=/var/run/dbus/system_bus_socket,target=/hostfs/var/run/dbus/system_bus_socket,readonly \ <4>
+  --env DBUS_SYSTEM_BUS_ADDRESS='unix:path=/hostfs/var/run/dbus/system_bus_socket' \ <4>
+  --net=host \ <5>
+  --cgroupns=host \ <6>
+  docker.elastic.co/beats/metricbeat:9.0.0-beta1 -e --system.hostfs=/hostfs
+```
+
+1. Metricbeat’s [system module](/reference/metricbeat/metricbeat-module-system.md) collects much of its data through the Linux proc filesystem, which is normally located at `/proc`. Because containers are isolated as much as possible from the host, the data inside of the container’s `/proc` is different than the host’s `/proc`. To account for this, you can mount the host’s `/proc` filesystem inside of the container and tell Metricbeat to look inside the `/hostfs` directory when looking for `/proc` by using the `hostfs=/hostfs` config value.
+2. By default, cgroup reporting is enabled for the [system process metricset](/reference/metricbeat/metricbeat-metricset-system-process.md), so you need to mount the host’s cgroup mountpoints within the container. They need to be mounted inside the directory specified by the `hostfs` config value.
+3. If you want to be able to monitor filesystems from the host by using the [system filesystem metricset](/reference/metricbeat/metricbeat-metricset-system-filesystem.md), then those filesystems need to be mounted inside of the container. They can be mounted at any location.
+4. The [system users metricset](/reference/metricbeat/metricbeat-metricset-system-users.md) and [system service metricset](/reference/metricbeat/metricbeat-metricset-system-service.md) both require access to dbus. Mount the dbus socket and set the `DBUS_SYSTEM_BUS_ADDRESS` environment variable to the mounted system socket path.
+5. The [system network metricset](/reference/metricbeat/metricbeat-metricset-system-network.md) uses data from `/proc/net/dev`, or `/hostfs/proc/net/dev` when using `hostfs=/hostfs`. The only way to make this file contain the host’s network devices is to use the `--net=host` flag. This is due to Linux namespacing; simply bind mounting the host’s `/proc` to `/hostfs/proc` is not sufficient.
+6. Runs the container using the host’s cgroup namespace, instead of a private namespace. While this is optional, [system process metricset](/reference/metricbeat/metricbeat-metricset-system-process.md) may produce more correct cgroup metrics when running in host mode.
+
+
+::::{note}
+The special filesystems `/proc` and `/sys` are only available if the host system is running Linux. Attempts to bind-mount these filesystems will fail on Windows and MacOS.
+::::
+
+
+If the [system socket metricset](/reference/metricbeat/metricbeat-metricset-system-socket.md) is being used on Linux, more privileges will need to be granted to Metricbeat. This metricset reads files from `/proc` that are an interface to internal objects owned by other users. The capabilities needed to read all these files (`sys_ptrace` and `dac_read_search`) are disabled by default on Docker. To grant these permissions these flags are needed too:
+
+```sh
+--user root --cap-add sys_ptrace --cap-add dac_read_search
+```
+
+
+### Monitor a service in another container [monitoring-service]
+
+Next, let’s look at an example of monitoring a containerized service from a Metricbeat container.
+
+```sh
+docker run \
+  --network=mysqlnet \ <1>
+  -e MYSQL_PASSWORD=secret \ <2>
+  docker.elastic.co/beats/metricbeat:9.0.0-beta1
+```
+
+1. Placing the Metricbeat and MySQL containers on the same Docker network allows Metricbeat access to the exposed ports of the MySQL container, and makes the hostname `mysql` resolvable to Metricbeat.
+2. If you do not want to hardcode certain values into your Metricbeat configuration, then you can pass them into the container either as environment variables or as command line flags to Metricbeat (see the `-E` CLI flag in [Command reference](/reference/metricbeat/command-line-options.md)).
+
+
+The mysql module configuration would look like this:
+
+```yaml
+metricbeat.modules:
+- module: mysql
+  metricsets: ["status"]
+  hosts: ["tcp(mysql:3306)/"] <1>
+  username: root
+  password: ${MYSQL_PASSWORD} <2>
+```
+
+1. The `mysql` hostname will resolve to the address of a container named `mysql` on the `mysqlnet` Docker network.
+2. The `MYSQL_PASSWORD` variable will be evaluated at startup. If the variable is not set, this will lead to an error at startup.
+
+
+
+
diff --git a/docs/reference/metricbeat/running-on-kubernetes.md b/docs/reference/metricbeat/running-on-kubernetes.md
new file mode 100644
index 000000000000..3eadb3e8bb01
--- /dev/null
+++ b/docs/reference/metricbeat/running-on-kubernetes.md
@@ -0,0 +1,190 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/running-on-kubernetes.html
+---
+
+# Run Metricbeat on Kubernetes [running-on-kubernetes]
+
+You can use Metricbeat [Docker images](/reference/metricbeat/running-on-docker.md) on Kubernetes to retrieve cluster metrics.
+
+::::{tip}
+Running {{ecloud}} on Kubernetes? See [Run {{beats}} on ECK](docs-content://deploy-manage/deploy/cloud-on-k8s/beats.md).
+::::
+
+
+However, version 9.0.0-beta1 of Metricbeat has not yet been released, so no Docker image is currently available for this version.
+
+
+## Kubernetes deploy manifests [_kubernetes_deploy_manifests]
+
+You deploy Metricbeat as a [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) to ensure that there’s a running instance on each node of the cluster. These instances are used to retrieve most metrics from the host, such as system metrics, Docker stats, and metrics from all the services running on top of Kubernetes.
+
+In addition, one of the Pods in the DaemonSet will constantly hold a *leader lock* which makes it responsible for handling cluster-wide monitoring. This instance is used to retrieve metrics that are unique for the whole cluster, such as Kubernetes events or [kube-state-metrics](https://github.com/kubernetes/kube-state-metrics). You can find more information about leader election configuration options at [*Autodiscover*](/reference/metricbeat/configuration-autodiscover.md).
+
+Note: If you are upgrading from older versions, please make sure there are no redundant parts as left-overs from the old manifests. Deployment specification and its ConfigMaps might be the case.
+
+Everything is deployed under the `kube-system` namespace by default. To change the namespace, modify the manifest file.
+
+To download the manifest file, run:
+
+```sh
+curl -L -O https://raw.githubusercontent.com/elastic/beats/master/deploy/kubernetes/metricbeat-kubernetes.yaml
+```
+
+::::{warning}
+**If you are using Kubernetes 1.7 or earlier:** Metricbeat uses a hostPath volume to persist internal data. It’s located under `/var/lib/metricbeat-data`. The manifest uses folder autocreation (`DirectoryOrCreate`), which was introduced in Kubernetes 1.8. You need to remove `type: DirectoryOrCreate` from the manifest and create the host folder yourself.
+
+::::
+
+
+
+## Settings [_settings]
+
+By default, Metricbeat sends events to an existing Elasticsearch deployment, if present. To specify a different destination, change the following parameters in the manifest file:
+
+```yaml
+- name: ELASTICSEARCH_HOST
+  value: elasticsearch
+- name: ELASTICSEARCH_PORT
+  value: "9200"
+- name: ELASTICSEARCH_USERNAME
+  value: elastic
+- name: ELASTICSEARCH_PASSWORD
+  value: changeme
+```
+
+
+### Running Metricbeat on control plane nodes [_running_metricbeat_on_control_plane_nodes]
+
+Kubernetes control plane nodes can use [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) to limit the workloads that can run on them. To run Metricbeat on control plane nodes you may need to update the Daemonset spec to include proper tolerations:
+
+```yaml
+spec:
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+   effect: NoSchedule
+```
+
+
+### Red Hat OpenShift configuration [_red_hat_openshift_configuration]
+
+If you are using Red Hat OpenShift, you need to specify additional settings in the manifest file and grant the `metricbeat` service account access to the privileged SCC:
+
+1. In the manifest file, edit the `metricbeat-daemonset-modules` ConfigMap, and specify the following settings under `kubernetes.yml` in the `data` section:
+
+    ```yaml
+      kubernetes.yml: |-
+        - module: kubernetes
+          metricsets:
+            - node
+            - system
+            - pod
+            - container
+            - volume
+          period: 10s
+          host: ${NODE_NAME}
+          hosts: ["https://${NODE_NAME}:10250"]
+          bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+          ssl.certificate_authorities:
+            - /path/to/kubelet-service-ca.crt
+        - module: kubernetes
+          metricsets:
+            - proxy
+          period: 10s
+          host: ${NODE_NAME}
+          hosts: ["localhost:29101"]
+    ```
+
+    ::::{note}
+    `kubelet-service-ca.crt` can be any CA bundle that contains the issuer of the certificate used in the Kubelet API. According to each specific installation of Openshift this can be found either in `secrets` or in `configmaps`. In some installations it can be available as part of the service account secret, in `/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt`. In case of using [Openshift installer](https://github.com/openshift/installer/blob/master/docs/user/gcp/install.md) for GCP then the following `configmap` can be mounted in Metricbeat Pod and use `ca-bundle.crt` in `ssl.certificate_authorities`:
+    ::::
+
+
+    ```shell
+    Name:         kubelet-serving-ca
+    Namespace:    openshift-kube-apiserver
+    Labels:       <none>
+    Annotations:  <none>
+
+    Data
+    ====
+    ca-bundle.crt:
+    ```
+
+2. If `https` is used to access `kube-state-metrics`, add the following settings to the `metricbeat-daemonset-config` ConfigMap under the kubernetes autodiscover configuration for the `state_*` metricsets:
+
+    ```yaml
+      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+      ssl.certificate_authorities:
+        - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+    ```
+
+3. Grant the `metricbeat` service account access to the privileged SCC:
+
+    ```shell
+    oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:metricbeat
+    ```
+
+    This command enables the container to be privileged as an administrator for OpenShift.
+
+4. If the namespace where elastic-agent is running has the `"openshift.io/node-selector"` annotation set, elastic-agent might not run on all nodes. In this case consider overriding the node selector for the namespace to allow scheduling on any node:
+
+    ```shell
+    oc patch namespace kube-system -p \
+    '{"metadata": {"annotations": {"openshift.io/node-selector": ""}}}'
+    ```
+
+    This command sets the node selector for the project to an empty string. If you don’t run this command, the default node selector will skip control plane nodes.
+
+
+::::{note}
+for openshift versions prior to the version 4.x additionally you need to modify the `DaemonSet` container spec in the manifest file to enable the container to run as privileged:
+::::
+
+
+```yaml
+  securityContext:
+    runAsUser: 0
+    privileged: true
+```
+
+
+## Load {{kib}} dashboards [_load_kib_dashboards]
+
+Metricbeat comes packaged with various pre-built {{kib}} dashboards that you can use to visualize metrics about your Kubernetes environment.
+
+If these dashboards are not already loaded into {{kib}}, you must [install Metricbeat](/reference/metricbeat/metricbeat-installation-configuration.md) on any system that can connect to the {{stack}}, and then run the `setup` command to load the dashboards. To learn how, see [Load {{kib}} dashboards](/reference/metricbeat/load-kibana-dashboards.md).
+
+::::{important}
+If you are using a different output other than {{es}}, such as {{ls}}, you need to [Load the index template manually](/reference/metricbeat/metricbeat-template.md#load-template-manually) and [*Load {{kib}} dashboards*](/reference/metricbeat/load-kibana-dashboards.md).
+
+::::
+
+
+
+## Deploy [_deploy]
+
+Metricbeat gets some metrics from [kube-state-metrics](https://github.com/kubernetes/kube-state-metrics#usage). If `kube-state-metrics` is not already running, deploy it now (see the [Kubernetes deployment](https://github.com/kubernetes/kube-state-metrics#kubernetes-deployment) docs).
+
+To deploy Metricbeat to Kubernetes, run:
+
+```sh
+kubectl create -f metricbeat-kubernetes.yaml
+```
+
+To check the status, run:
+
+```sh
+$ kubectl --namespace=kube-system  get ds/metricbeat
+
+NAME       DESIRED   CURRENT   READY     UP-TO-DATE   AVAILABLE   NODE-SELECTOR   AGE
+metricbeat   32        32        0         32           0           <none>          1m
+```
+
+Metrics should start flowing to Elasticsearch.
+
+
+## Deploying Metricbeat to collect cluster-level metrics in large clusters [_deploying_metricbeat_to_collect_cluster_level_metrics_in_large_clusters]
+
+The size and the number of nodes in a Kubernetes cluster can be fairly large at times, and in such cases the Pod that will be collecting cluster level metrics might face performance issues due to resources limitations. In this case users might consider to avoid using the leader election strategy and instead run a dedicated, standalone Metricbeat instance using a Deployment in addition to the DaemonSet.
+
diff --git a/docs/reference/metricbeat/running-with-systemd.md b/docs/reference/metricbeat/running-with-systemd.md
new file mode 100644
index 000000000000..2912d568a399
--- /dev/null
+++ b/docs/reference/metricbeat/running-with-systemd.md
@@ -0,0 +1,86 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/running-with-systemd.html
+---
+
+# Metricbeat and systemd [running-with-systemd]
+
+The DEB and RPM packages include a service unit for Linux systems with systemd. On these systems, you can manage Metricbeat by using the usual systemd commands.
+
+The service unit is configured with `UMask=0027` which means the most permissive mask allowed for files created by Metricbeat is `0640`. All configured file permissions higher than `0640` will be ignored. Please edit the unit file manually in case you need to change that.
+
+## Start and stop Metricbeat [_start_and_stop_metricbeat]
+
+Use `systemctl` to start or stop Metricbeat:
+
+```sh
+sudo systemctl start metricbeat
+```
+
+```sh
+sudo systemctl stop metricbeat
+```
+
+By default, the Metricbeat service starts automatically when the system boots. To enable or disable auto start use:
+
+```sh
+sudo systemctl enable metricbeat
+```
+
+```sh
+sudo systemctl disable metricbeat
+```
+
+
+## Metricbeat status and logs [_metricbeat_status_and_logs]
+
+To get the service status, use `systemctl`:
+
+```sh
+systemctl status metricbeat
+```
+
+Logs are stored by default in journald. To view the Logs, use `journalctl`:
+
+```sh
+journalctl -u metricbeat.service
+```
+
+
+## Customize systemd unit for Metricbeat [_customize_systemd_unit_for_metricbeat]
+
+The systemd service unit file includes environment variables that you can override to change the default options.
+
+| Variable | Description | Default value |
+| --- | --- | --- |
+| BEAT_LOG_OPTS | Log options |  |
+| BEAT_CONFIG_OPTS | Flags for configuration file path | ``-c /etc/metricbeat/metricbeat.yml`` |
+| BEAT_PATH_OPTS | Other paths | ``--path.home /usr/share/metricbeat --path.config /etc/metricbeat --path.data /var/lib/metricbeat --path.logs /var/log/metricbeat`` |
+
+::::{note}
+You can use `BEAT_LOG_OPTS` to set debug selectors for logging. However, to configure logging behavior, set the logging options described in [Configure logging](/reference/metricbeat/configuration-logging.md).
+::::
+
+
+To override these variables, create a drop-in unit file in the `/etc/systemd/system/metricbeat.service.d` directory.
+
+For example a file with the following content placed in `/etc/systemd/system/metricbeat.service.d/debug.conf` would override `BEAT_LOG_OPTS` to enable debug for Elasticsearch output.
+
+```text
+[Service]
+Environment="BEAT_LOG_OPTS=-d elasticsearch"
+```
+
+To apply your changes, reload the systemd configuration and restart the service:
+
+```sh
+systemctl daemon-reload
+systemctl restart metricbeat
+```
+
+::::{note}
+It is recommended that you use a configuration management tool to include drop-in unit files. If you need to add a drop-in manually, use `systemctl edit metricbeat.service`.
+::::
+
+
+
diff --git a/docs/reference/metricbeat/securing-communication-elasticsearch.md b/docs/reference/metricbeat/securing-communication-elasticsearch.md
new file mode 100644
index 000000000000..e3da67904acd
--- /dev/null
+++ b/docs/reference/metricbeat/securing-communication-elasticsearch.md
@@ -0,0 +1,104 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/securing-communication-elasticsearch.html
+---
+
+# Secure communication with Elasticsearch [securing-communication-elasticsearch]
+
+When sending data to a secured cluster through the `elasticsearch` output, Metricbeat can use any of the following authentication methods:
+
+* Basic authentication credentials (username and password).
+* Token-based API authentication.
+* A client certificate.
+
+Authentication is specified in the Metricbeat configuration file:
+
+* To use **basic authentication**, specify the `username` and `password` settings under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      username: "metricbeat_writer" <1>
+      password: "{pwd}" <2>
+    ```
+
+    1. This user needs the privileges required to publish events to {{es}}. To create a user like this, see [Create a *publishing* user](/reference/metricbeat/privileges-to-publish-events.md).
+    2. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/metricbeat/keystore.md).
+
+* To use token-based **API key authentication**, specify the `api_key` under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      api_key: "ZCV7VnwBgnX0T19fN8Qe:KnR6yE41RrSowb0kQ0HWoA" <1>
+    ```
+
+    1. This API key must have the privileges required to publish events to {{es}}. To create an API key like this, see [*Grant access using API keys*](/reference/metricbeat/beats-api-keys.md).
+
+
+* To use **Public Key Infrastructure (PKI) certificates** to authenticate users, specify the `certificate` and `key` settings under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      ssl.certificate: "/etc/pki/client/cert.pem" <1>
+      ssl.key: "/etc/pki/client/cert.key" <2>
+    ```
+
+    1. The path to the certificate for SSL client authentication
+    2. The client certificate key
+
+
+    These settings assume that the distinguished name (DN) in the certificate is mapped to the appropriate roles in the `role_mapping.yml` file on each node in the {{es}} cluster. For more information, see [Using role mapping files](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md#mapping-roles-file).
+
+    By default, Metricbeat uses the list of trusted certificate authorities (CA) from the operating system where Metricbeat is running. If the certificate authority that signed your node certificates is not in the host system’s trusted certificate authorities list, you need to add the path to the `.pem` file that contains your CA’s certificate to the Metricbeat configuration. This will configure Metricbeat to use a specific list of CA certificates instead of the default list from the OS.
+
+    Here is an example configuration:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      ssl.certificate_authorities: <1>
+        - /etc/pki/my_root_ca.pem
+        - /etc/pki/my_other_ca.pem
+      ssl.certificate: "/etc/pki/client.pem" <2>
+      ssl.key: "/etc/pki/key.pem" <3>
+    ```
+
+    1. Specify the path to the local `.pem` file that contains your Certificate Authority’s certificate. This is needed if you use your own CA to sign your node certificates.
+    2. The path to the certificate for SSL client authentication
+    3. The client certificate key
+
+
+    ::::{note}
+    For any given connection, the SSL/TLS certificates must have a subject that matches the value specified for `hosts`, or the SSL handshake fails. For example, if you specify `hosts: ["foobar:9200"]`, the certificate MUST include `foobar` in the subject (`CN=foobar`) or as a subject alternative name (SAN). Make sure the hostname resolves to the correct IP address. If no DNS is available, then you can associate the IP address with your hostname in `/etc/hosts` (on Unix) or `C:\Windows\System32\drivers\etc\hosts` (on Windows).
+    ::::
+
+
+
+## Secure communication with the Kibana endpoint [securing-communication-kibana]
+
+If you’ve configured the [{{kib}} endpoint](/reference/metricbeat/setup-kibana-endpoint.md), you can also specify credentials for authenticating with {{kib}} under `kibana.setup`. If no credentials are specified, Kibana will use the configured authentication method in the Elasticsearch output.
+
+For example, specify a unique username and password to connect to Kibana like this:
+
+```yaml
+setup.kibana:
+  host: "mykibanahost:5601"
+  username: "metricbeat_kib_setup" <1>
+  password: "{pwd}" <2>
+```
+
+1. This user needs privileges required to set up dashboards. To create a user like this, see [Create a *setup* user](/reference/metricbeat/privileges-to-setup-beats.md).
+2. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/metricbeat/keystore.md).
+
+
+
+## Learn more about secure communication [securing-communication-learn-more]
+
+More information on sending data to a secured cluster is available in the configuration reference:
+
+* [Elasticsearch](/reference/metricbeat/elasticsearch-output.md)
+* [SSL](/reference/metricbeat/configuration-ssl.md)
+* [{{kib}} endpoint](/reference/metricbeat/setup-kibana-endpoint.md)
+
diff --git a/docs/reference/metricbeat/securing-metricbeat.md b/docs/reference/metricbeat/securing-metricbeat.md
new file mode 100644
index 000000000000..50cea957d26a
--- /dev/null
+++ b/docs/reference/metricbeat/securing-metricbeat.md
@@ -0,0 +1,25 @@
+---
+navigation_title: "Secure"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/securing-metricbeat.html
+---
+
+# Secure Metricbeat [securing-metricbeat]
+
+
+The following topics provide information about securing the Metricbeat process and connecting to a cluster that has {{security-features}} enabled.
+
+You can use role-based access control and optionally, API keys to grant Metricbeat users access to secured resources.
+
+* [*Grant users access to secured resources*](/reference/metricbeat/feature-roles.md)
+* [*Grant access using API keys*](/reference/metricbeat/beats-api-keys.md).
+
+After privileged users have been created, use authentication to connect to a secured Elastic cluster.
+
+* [*Secure communication with Elasticsearch*](/reference/metricbeat/securing-communication-elasticsearch.md)
+* [*Secure communication with Logstash*](/reference/metricbeat/configuring-ssl-logstash.md)
+
+On Linux, Metricbeat can take advantage of secure computing mode to restrict the system calls that a process can issue.
+
+* [*Use Linux Secure Computing Mode (seccomp)*](/reference/metricbeat/linux-seccomp.md)
+
diff --git a/docs/reference/metricbeat/setting-up-running.md b/docs/reference/metricbeat/setting-up-running.md
new file mode 100644
index 000000000000..a6499bbe4750
--- /dev/null
+++ b/docs/reference/metricbeat/setting-up-running.md
@@ -0,0 +1,33 @@
+---
+navigation_title: "Set up and run"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/setting-up-and-running.html
+---
+
+# Set up and run Metricbeat [setting-up-and-running]
+
+
+Before reading this section, see [Quick start: installation and configuration](/reference/metricbeat/metricbeat-installation-configuration.md) for basic installation instructions to get you started.
+
+This section includes additional information on how to install, set up, and run Metricbeat, including:
+
+* [Directory layout](/reference/metricbeat/directory-layout.md)
+* [Secrets keystore](/reference/metricbeat/keystore.md)
+* [Command reference](/reference/metricbeat/command-line-options.md)
+* [Run Metricbeat on Docker](/reference/metricbeat/running-on-docker.md)
+* [Run Metricbeat on Kubernetes](/reference/metricbeat/running-on-kubernetes.md)
+* [Run Metricbeat on Cloud Foundry](/reference/metricbeat/running-on-cloudfoundry.md)
+* [Metricbeat and systemd](/reference/metricbeat/running-with-systemd.md)
+* [Start Metricbeat](/reference/metricbeat/metricbeat-starting.md)
+* [Stop Metricbeat](/reference/metricbeat/shutdown.md)
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/metricbeat/setup-kibana-endpoint.md b/docs/reference/metricbeat/setup-kibana-endpoint.md
new file mode 100644
index 000000000000..aa040be91cb3
--- /dev/null
+++ b/docs/reference/metricbeat/setup-kibana-endpoint.md
@@ -0,0 +1,96 @@
+---
+navigation_title: "{{kib}} endpoint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/setup-kibana-endpoint.html
+---
+
+# Configure the {{kib}} endpoint [setup-kibana-endpoint]
+
+
+{{kib}} dashboards are loaded into {{kib}} via the {{kib}} API. This requires a {{kib}} endpoint configuration. For details on authenticating to the {{kib}} API, see [Authentication](https://www.elastic.co/docs/api/doc/kibana/authentication).
+
+You configure the endpoint in the `setup.kibana` section of the `metricbeat.yml` config file.
+
+Here is an example configuration:
+
+```yaml
+setup.kibana.host: "http://localhost:5601"
+```
+
+
+## Configuration options [_configuration_options_11]
+
+You can specify the following options in the `setup.kibana` section of the `metricbeat.yml` config file:
+
+
+### `setup.kibana.host` [_setup_kibana_host]
+
+The {{kib}} host where the dashboards will be loaded. The default is `127.0.0.1:5601`. The value of `host` can be a `URL` or `IP:PORT`. For example: `http://192.15.3.2`, `192:15.3.2:5601` or `http://192.15.3.2:6701/path`. If no port is specified, `5601` is used.
+
+::::{note}
+When a node is defined as an `IP:PORT`, the *scheme* and *path* are taken from the [setup.kibana.protocol](#kibana-protocol-option) and [setup.kibana.path](#kibana-path-option) config options.
+::::
+
+
+IPv6 addresses must be defined using the following format: `https://[2001:db8::1]:5601`.
+
+
+### `setup.kibana.protocol` [kibana-protocol-option]
+
+The name of the protocol {{kib}} is reachable on. The options are: `http` or `https`. The default is `http`. However, if you specify a URL for host, the value of `protocol` is overridden by whatever scheme you specify in the URL.
+
+Example config:
+
+```yaml
+setup.kibana.host: "192.0.2.255:5601"
+setup.kibana.protocol: "http"
+setup.kibana.path: /kibana
+```
+
+
+### `setup.kibana.username` [_setup_kibana_username]
+
+The basic authentication username for connecting to {{kib}}. If you don’t specify a value for this setting, Metricbeat uses the `username` specified for the {{es}} output.
+
+
+### `setup.kibana.password` [_setup_kibana_password]
+
+The basic authentication password for connecting to {{kib}}. If you don’t specify a value for this setting, Metricbeat uses the `password` specified for the {{es}} output.
+
+
+### `setup.kibana.path` [kibana-path-option]
+
+An HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where {{kib}} listens behind an HTTP reverse proxy that exports the API under a custom prefix.
+
+
+### `setup.kibana.space.id` [kibana-space-id-option]
+
+The [Kibana space](docs-content://deploy-manage/manage-spaces.md) ID to use. If specified, Metricbeat loads {{kib}} assets into this {{kib}} space. Omit this option to use the default space.
+
+
+#### `setup.kibana.headers` [_setup_kibana_headers]
+
+Custom HTTP headers to add to each request sent to {{kib}}. Example:
+
+```yaml
+setup.kibana.headers:
+  X-My-Header: Header contents
+```
+
+
+### `setup.kibana.ssl.enabled` [_setup_kibana_ssl_enabled]
+
+Enables Metricbeat to use SSL settings when connecting to {{kib}} via HTTPS. If you configure Metricbeat to connect over HTTPS, this setting defaults to `true` and Metricbeat uses the default SSL settings.
+
+Example configuration:
+
+```yaml
+setup.kibana.host: "https://192.0.2.255:5601"
+setup.kibana.ssl.enabled: true
+setup.kibana.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+setup.kibana.ssl.certificate: "/etc/client/cert.pem"
+setup.kibana.ssl.key: "/etc/client/cert.key
+```
+
+See [SSL](/reference/metricbeat/configuration-ssl.md) for more information.
+
diff --git a/docs/reference/metricbeat/setup-repositories.md b/docs/reference/metricbeat/setup-repositories.md
new file mode 100644
index 000000000000..c06f3865c099
--- /dev/null
+++ b/docs/reference/metricbeat/setup-repositories.md
@@ -0,0 +1,26 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/setup-repositories.html
+---
+
+# Repositories for APT and YUM [setup-repositories]
+
+We have repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
+
+We use the PGP key [D88E42B4](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xD27D666CD88E42B4), Elasticsearch Signing Key, with fingerprint
+
+```
+4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4
+```
+to sign all our packages. It is available from [https://pgp.mit.edu](https://pgp.mit.edu).
+
+
+## APT [_apt]
+
+Version 9.0.0-beta1 of Beats has not yet been released.
+
+
+## YUM [_yum]
+
+Version 9.0.0-beta1 of Beats has not yet been released.
+
diff --git a/docs/reference/metricbeat/shutdown.md b/docs/reference/metricbeat/shutdown.md
new file mode 100644
index 000000000000..7de04a286fc3
--- /dev/null
+++ b/docs/reference/metricbeat/shutdown.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/shutdown.html
+---
+
+# Stop Metricbeat [shutdown]
+
+An orderly shutdown of Metricbeat ensures that it has a chance to clean up and close outstanding resources. You can help ensure an orderly shutdown by stopping Metricbeat properly.
+
+If you’re running Metricbeat as a service, you can stop it via the service management functionality provided by your installation.
+
+If you’re running Metricbeat directly in the console, you can stop it by entering **Ctrl-C**. Alternatively, send SIGTERM to the Metricbeat process on a POSIX system.
+
diff --git a/docs/reference/metricbeat/ssl-client-fails.md b/docs/reference/metricbeat/ssl-client-fails.md
new file mode 100644
index 000000000000..a076a7494804
--- /dev/null
+++ b/docs/reference/metricbeat/ssl-client-fails.md
@@ -0,0 +1,71 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/ssl-client-fails.html
+---
+
+# SSL client fails to connect to Logstash [ssl-client-fails]
+
+The host running {{ls}} might be unreachable or the certificate may not be valid. To resolve your issue:
+
+* Make sure that {{ls}} is running and you can connect to it. First, try to ping the {{ls}} host to verify that you can reach it from the host running Metricbeat. Then use either `nc` or `telnet` to make sure that the port is available. For example:
+
+    ```shell
+    ping <hostname or IP>
+    telnet <hostname or IP> 5044
+    ```
+
+* Verify that the certificate is valid and that the hostname and IP match.
+
+    ::::{tip}
+    For testing purposes only, you can set `verification_mode: none` to disable hostname checking.
+    ::::
+
+* Use OpenSSL to test connectivity to the {{ls}} server and diagnose problems. See the [OpenSSL documentation](https://www.openssl.org/docs/manmaster/man1/openssl-s_client.md) for more info.
+* Make sure that you have enabled SSL (set `ssl => true`) when configuring the [Beats input plugin for {{ls}}](logstash://reference/plugins-inputs-beats.md).
+
+## Common SSL-Related Errors and Resolutions [_common_ssl_related_errors_and_resolutions]
+
+Here are some common errors and ways to fix them:
+
+* [tls: failed to parse private key](#failed-to-parse-private-key)
+* [x509: cannot validate certificate](#cannot-validate-certificate)
+* [getsockopt: no route to host](#getsockopt-no-route-to-host)
+* [getsockopt: connection refused](#getsockopt-connection-refused)
+* [No connection could be made because the target machine actively refused it](#target-machine-refused-connection)
+
+### tls: failed to parse private key [failed-to-parse-private-key]
+
+This might occur for a few reasons:
+
+* The encrypted file is not recognized as an encrypted PEM block. Metricbeat tries to use the encrypted content as the final key, which fails.
+* The file is correctly encrypted in a PEM block, but the decrypted content is not a key in a format that Metricbeat recognizes. The key must be encoded as PEM format.
+* The passphrase is missing or has an error.
+
+
+### x509: cannot validate certificate for <IP address> because it doesn’t contain any IP SANs [cannot-validate-certificate]
+
+This happens because your certificate is only valid for the hostname present in the Subject field.
+
+To resolve this problem, try one of these solutions:
+
+* Create a DNS entry for the hostname mapping it to the server’s IP.
+* Create an entry in `/etc/hosts` for the hostname. Or on Windows add an entry to `C:\Windows\System32\drivers\etc\hosts`.
+* Re-create the server certificate and add a SubjectAltName (SAN) for the IP address of the server. This makes the server’s certificate valid for both the hostname and the IP address.
+
+
+### getsockopt: no route to host [getsockopt-no-route-to-host]
+
+This is not a SSL problem. It’s a networking problem. Make sure the two hosts can communicate.
+
+
+### getsockopt: connection refused [getsockopt-connection-refused]
+
+This is not a SSL problem. Make sure that {{ls}} is running and that there is no firewall blocking the traffic.
+
+
+### No connection could be made because the target machine actively refused it [target-machine-refused-connection]
+
+A firewall is refusing the connection. Check if a firewall is blocking the traffic on the client, the network, or the destination host.
+
+
+
diff --git a/docs/reference/metricbeat/syslog.md b/docs/reference/metricbeat/syslog.md
new file mode 100644
index 000000000000..a39ac2a8bff3
--- /dev/null
+++ b/docs/reference/metricbeat/syslog.md
@@ -0,0 +1,156 @@
+---
+navigation_title: "syslog"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/syslog.html
+---
+
+# Syslog [syslog]
+
+
+The syslog processor parses RFC 3146 and/or RFC 5424 formatted syslog messages that are stored in a field. The processor itself does not handle receiving syslog messages from external sources. This is done through an input, such as the TCP input. Certain integrations, when enabled through configuration, will embed the syslog processor to process syslog messages, such as Custom TCP Logs and Custom UDP Logs.
+
+
+## Configuration [_configuration]
+
+The `syslog` processor parses RFC 3146 and/or RFC 5424 formatted syslog messages that are stored under the `field` key.
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the syslog message. Defaults to `message`.
+
+`format`
+:   (Optional) The syslog format to use, `rfc3164`, or `rfc5424`. To automatically detect the format from the log entries, set this option to `auto`. The default is `auto`.
+
+`timezone`
+:   (Optional) IANA time zone name(e.g. `America/New York`) or a fixed time offset (e.g. +0200) to use when parsing syslog timestamps that do not contain a time zone. `Local` may be specified to use the machine’s local time zone. Defaults to `Local`.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the syslog message. The default value is `true`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+`tag`
+:   (Optional) An identifier for this processor. Useful for debugging.
+
+Example:
+
+```yaml
+processors:
+  - syslog:
+      field: message
+```
+
+```json
+{
+  "message": "<165>1 2022-01-11T22:14:15.003Z mymachine.example.com eventslog 1024 ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"][examplePriority@32473 class=\"high\"] this is the message"
+}
+```
+
+Will produce the following output:
+
+```json
+{
+  "@timestamp": "2022-01-11T22:14:15.003Z",
+  "log": {
+    "syslog": {
+      "priority": 165,
+      "facility": {
+        "code": 20,
+        "name": "local4"
+      },
+      "severity": {
+        "code": 5,
+        "name": "Notice"
+      },
+      "hostname": "mymachine.example.com",
+      "appname": "eventslog",
+      "procid": "1024",
+      "msgid": "ID47",
+      "version": 1,
+      "structured_data": {
+        "exampleSDID@32473": {
+          "iut":         "3",
+          "eventSource": "Application",
+          "eventID":     "1011"
+        },
+        "examplePriority@32473": {
+          "class": "high"
+        }
+      }
+    }
+  },
+  "message": "this is the message"
+}
+```
+
+
+## Timestamps [_timestamps]
+
+The RFC 3164 format accepts the following forms of timestamps:
+
+* Local timestamp (`Mmm dd hh:mm:ss`):
+
+    * `Jan 23 14:09:01`
+
+* RFC-3339*:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+**Note**: The local timestamp (for example, `Jan 23 14:09:01`) that accompanies an RFC 3164 message lacks year and time zone information. The time zone will be enriched using the `timezone` configuration option, and the year will be enriched using the Metricbeat system’s local time (accounting for time zones). Because of this, it is possible for messages to appear in the future. An example of when this might happen is logs generated on December 31 2021 are ingested on January 1 2022. The logs would be enriched with the year 2022 instead of 2021.
+
+The RFC 5424 format accepts the following forms of timestamps:
+
+* RFC-3339:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+Formats with an asterisk (*) are a non-standard allowance.
+
+
+## Structured Data [_structured_data]
+
+For RFC 5424-formatted logs, if the structured data cannot be parsed according to RFC standards, the original structured data text will be prepended to the message field, separated by a space.
+
+
+## Metrics [_metrics]
+
+Internal metrics are available to assist with debugging efforts. The metrics are served from the metrics HTTP endpoint (for example: `http://localhost:5066/stats`) and are found under `processor.syslog.[instance ID]` or `processor.syslog.[tag]-[instance ID]` if a **tag** is provided. See [HTTP endpoint](/reference/metricbeat/http-endpoint.md) for more information on configuration the metrics HTTP endpoint.
+
+For example, here are metrics from a processor with a **tag** of `log-input` and an **instance ID** of `1`:
+
+```json
+{
+  "processor": {
+    "syslog": {
+      "log-input-1": {
+        "failure": 10,
+        "missing": 0,
+        "success": 3
+      }
+    }
+  }
+}
+```
+
+`failure`
+:   Measures the number of occurrences where a message was unable to be parsed.
+
+`missing`
+:   Measures the number of occurrences where an event was missing the required input field.
+
+`success`
+:   Measures the number of successfully parsed syslog messages.
+
diff --git a/docs/reference/metricbeat/troubleshooting.md b/docs/reference/metricbeat/troubleshooting.md
new file mode 100644
index 000000000000..99552f67c9e8
--- /dev/null
+++ b/docs/reference/metricbeat/troubleshooting.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/troubleshooting.html
+---
+
+# Troubleshoot [troubleshooting]
+
+If you have issues installing or running Metricbeat, read the following tips:
+
+* [*Get help*](/reference/metricbeat/getting-help.md)
+* [*Debug*](/reference/metricbeat/enable-metricbeat-debugging.md)
+* [Understand logged metrics](/reference/metricbeat/understand-metricbeat-logs.md)
+* [*Common problems*](/reference/metricbeat/faq.md)
+
diff --git a/docs/reference/metricbeat/truncate-fields.md b/docs/reference/metricbeat/truncate-fields.md
new file mode 100644
index 000000000000..831975485e4c
--- /dev/null
+++ b/docs/reference/metricbeat/truncate-fields.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "truncate_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/truncate-fields.html
+---
+
+# Truncate fields [truncate-fields]
+
+
+The `truncate_fields` processor truncates a field to a given size. If the size of the field is smaller than the limit, the field is left as is.
+
+`fields`
+:   List of fields to truncate. It’s supported to use `@metadata.` prefix for the fields and truncate values in the event metadata instead of event fields.
+
+`max_bytes`
+:   Maximum number of bytes in a field. Mutually exclusive with `max_characters`.
+
+`max_characters`
+:   Maximum number of characters in a field. Mutually exclusive with `max_bytes`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the changes to the event are reverted, and the original event is returned. If set to `false`, processing continues also if an error happens. Default is `true`.
+
+`ignore_missing`
+:   (Optional) Whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+For example, this configuration truncates the field named `message` to 5 characters:
+
+```yaml
+processors:
+  - truncate_fields:
+      fields:
+        - message
+      max_characters: 5
+      fail_on_error: false
+      ignore_missing: true
+```
+
diff --git a/docs/reference/metricbeat/understand-metricbeat-logs.md b/docs/reference/metricbeat/understand-metricbeat-logs.md
new file mode 100644
index 000000000000..94beafa716ab
--- /dev/null
+++ b/docs/reference/metricbeat/understand-metricbeat-logs.md
@@ -0,0 +1,210 @@
+---
+navigation_title: "Understand logged metrics"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/understand-metricbeat-logs.html
+---
+
+# Understand metrics in Metricbeat logs [understand-metricbeat-logs]
+
+
+Every 30 seconds (by default), Metricbeat collects a *snapshot* of metrics about itself. From this snapshot, Metricbeat computes a *delta snapshot*; this delta snapshot contains any metrics that have *changed* since the last snapshot. Note that the values of the metrics are the values when the snapshot is taken, *NOT* the *difference* in values from the last snapshot.
+
+If this delta snapshot contains *any* metrics (indicating at least one metric that has changed since the last snapshot), this delta snapshot is serialized as JSON and emitted in Metricbeat’s logs at the `INFO` log level. Most snapshot fields report the change in the metric since the last snapshot, however some fields are *gauges*, which always report the current value. Here is an example of such a log entry:
+
+```json
+{"log.level":"info","@timestamp":"2023-07-14T12:50:36.811Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":0}}}},"cpu":{"system":{"ticks":692690,"time":{"ms":60}},"total":{"ticks":3167250,"time":{"ms":150},"value":3167250},"user":{"ticks":2474560,"time":{"ms":90}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":32},"info":{"ephemeral_id":"2bab8688-34c0-4522-80af-db86948d547d","uptime":{"ms":617670096},"version":"8.6.2"},"memstats":{"gc_next":57189272,"memory_alloc":43589824,"memory_total":275281335792,"rss":183574528},"runtime":{"goroutines":212}},"filebeat":{"events":{"active":5,"added":52,"done":49},"harvester":{"open_files":6,"running":6,"started":1}},"libbeat":{"config":{"module":{"running":15}},"output":{"events":{"acked":48,"active":0,"batches":6,"total":48},"read":{"bytes":210},"write":{"bytes":26923}},"pipeline":{"clients":15,"events":{"active":5,"filtered":1,"published":51,"total":52},"queue":{"max_events":3500,"filled":{"events":5,"bytes":6425,"pct":0.0014},"added":{"events":52,"bytes":65702},"consumed":{"events":52,"bytes":65702},"removed":{"events":48,"bytes":59277},"acked":48}}},"registrar":{"states":{"current":14,"update":49},"writes":{"success":6,"total":6}},"system":{"load":{"1":0.91,"15":0.37,"5":0.4,"norm":{"1":0.1138,"15":0.0463,"5":0.05}}}},"ecs.version":"1.6.0"}}
+```
+
+
+## Details [_details]
+
+Focussing on the `.monitoring.metrics` field, and formatting the JSON, it’s value is:
+
+```json
+{
+  "beat": {
+    "cgroup": {
+      "memory": {
+        "mem": {
+          "usage": {
+            "bytes": 0
+          }
+        }
+      }
+    },
+    "cpu": {
+      "system": {
+        "ticks": 692690,
+        "time": {
+          "ms": 60
+        }
+      },
+      "total": {
+        "ticks": 3167250,
+        "time": {
+          "ms": 150
+        },
+        "value": 3167250
+      },
+      "user": {
+        "ticks": 2474560,
+        "time": {
+          "ms": 90
+        }
+      }
+    },
+    "handles": {
+      "limit": {
+        "hard": 1048576,
+        "soft": 1048576
+      },
+      "open": 32
+    },
+    "info": {
+      "ephemeral_id": "2bab8688-34c0-4522-80af-db86948d547d",
+      "uptime": {
+        "ms": 617670096
+      },
+      "version": "8.6.2"
+    },
+    "memstats": {
+      "gc_next": 57189272,
+      "memory_alloc": 43589824,
+      "memory_total": 275281335792,
+      "rss": 183574528
+    },
+    "runtime": {
+      "goroutines": 212
+    }
+  },
+  "filebeat": {
+    "events": {
+      "active": 5,
+      "added": 52,
+      "done": 49
+    },
+    "harvester": {
+      "open_files": 6,
+      "running": 6,
+      "started": 1
+    }
+  },
+  "libbeat": {
+    "config": {
+      "module": {
+        "running": 15
+      }
+    },
+    "output": {
+      "events": {
+        "acked": 48,
+        "active": 0,
+        "batches": 6,
+        "total": 48
+      },
+      "read": {
+        "bytes": 210
+      },
+      "write": {
+        "bytes": 26923
+      }
+    },
+    "pipeline": {
+      "clients": 15,
+      "events": {
+        "active": 5,
+        "filtered": 1,
+        "published": 51,
+        "total": 52
+      },
+      "queue": {
+        "max_events": 3500,
+        "filled": {
+          "events": 5,
+          "bytes": 6425,
+          "pct": 0.0014
+        },
+        "added": {
+          "events": 52,
+          "bytes": 65702
+        },
+        "consumed": {
+          "events": 52,
+          "bytes": 65702
+        },
+        "removed": {
+          "events": 48,
+          "bytes": 59277
+        },
+        "acked": 48
+      }
+    }
+  },
+  "registrar": {
+    "states": {
+      "current": 14,
+      "update": 49
+    },
+    "writes": {
+      "success": 6,
+      "total": 6
+    }
+  },
+  "system": {
+    "load": {
+      "1": 0.91,
+      "15": 0.37,
+      "5": 0.4,
+      "norm": {
+        "1": 0.1138,
+        "15": 0.0463,
+        "5": 0.05
+      }
+    }
+  }
+}
+```
+
+The following tables explain the meaning of the most important fields under `.monitoring.metrics` and also provide hints that might be helpful in troubleshooting Metricbeat issues.
+
+| Field path (relative to `.monitoring.metrics`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.beat` | Object | Information that is common to all Beats, e.g. version, goroutines, file handles, CPU, memory |  |
+| `.libbeat` | Object | Information about the publisher pipeline and output, also common to all Beats |  |
+
+| Field path (relative to `.monitoring.metrics.beat`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.runtime.goroutines` | Integer | Number of goroutines running | If this number grows over time, it indicates a goroutine leak |
+
+| Field path (relative to `.monitoring.metrics.libbeat`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.pipeline.events.active` | Integer | Number of events currently in the libbeat publisher pipeline. | If this number grows over time, it may indicate that Metricbeat is producing events faster than the output can consume them. Consider increasing the number of output workers (if this setting is supported by the output; {{es}} and {{ls}} outputs support this setting). The pipeline includes events currently being processed as well as events in the queue. So this metric can sometimes end up slightly higher than the queue size. If this metric reaches the maximum queue size (`queue.mem.events` for the in-memory queue), it almost certainly indicates backpressure on Metricbeat, implying that Metricbeat may need to temporarily stop ingesting more events from the source until this backpressure is relieved. |
+| `.output.events.total` | Integer | Number of events currently being processed by the output. | If this number grows over time, it may indicate that the output destination (e.g. {{ls}} pipeline or {{es}} cluster) is not able to accept events at the same or faster rate than what Metricbeat is sending to it. |
+| `.output.events.acked` | Integer | Number of events acknowledged by the output destination. | Generally, we want this number to be the same as `.output.events.total` as this indicates that the output destination has reliably received all the events sent to it. |
+| `.output.events.failed` | Integer | Number of events that Metricbeat tried to send to the output destination, but the destination failed to receive them. | Generally, we want this field to be absent or its value to be zero. When the value is greater than zero, it’s useful to check Metricbeat’s logs right before this log entry’s `@timestamp` to see if there are any connectivity issues with the output destination. Note that failed events are not lost or dropped; they will be sent back to the publisher pipeline for retrying later. |
+| `.output.events.dropped` | Integer | Number of events that Metricbeat gave up sending to the output destination because of a permanent (non-retryable) error. | `.output.events.dead_letter` |
+| Integer | Number of events that Metricbeat successfully sent to a configured dead letter index after they failed to ingest in the primary index. | `.output.write.latency` | Object |
+
+| Field path (relative to `.monitoring.metrics.libbeat.pipeline`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.queue.max_events` | Integer (gauge) | The queue’s maximum event count if it has one, otherwise zero. | `.queue.max_bytes` |
+| Integer (gauge) | The queue’s maximum byte count if it has one, otherwise zero. | `.queue.filled.events` | Integer (gauge) |
+| Number of events currently stored by the queue. |  | `.queue.filled.bytes` | Integer (gauge) |
+| Number of bytes currently stored by the queue. |  | `.queue.filled.pct` | Float (gauge) |
+| How full the queue is relative to its maximum size, as a fraction from 0 to 1. | Low throughput while `queue.filled.pct` is low means congestion in the input. Low throughput while `queue.filled.pct` is high means congestion in the output. | `.queue.added.events` | Integer |
+| Number of events added to the queue by input workers. |  | `.queue.added.bytes` | Integer |
+| Number of bytes added to the queue by input workers. |  | `.queue.consumed.events` | Integer |
+| Number of events sent to output workers. |  | `.queue.consumed.bytes` | Integer |
+| Number of bytes sent to output workers. |  | `.queue.removed.events` | Integer |
+| Number of events removed from the queue after being processed by output workers. |  | `.queue.removed.bytes` | Integer |
+
+When using the memory queue, byte metrics are only set if the output supports them. Currently only the Elasticsearch output supports byte metrics.
+
+
+## Useful commands [_useful_commands]
+
+
+### Parse monitoring metrics from unstructured Metricbeat logs [_parse_monitoring_metrics_from_unstructured_metricbeat_logs]
+
+For Metricbeat versions that emit unstructured logs, the following script can be used to parse monitoring metrics from such logs: [https://github.com/elastic/beats/blob/main/script/metrics_from_log_file.sh](https://github.com/elastic/beats/blob/main/script/metrics_from_log_file.sh).
+
diff --git a/docs/reference/metricbeat/upgrading-metricbeat.md b/docs/reference/metricbeat/upgrading-metricbeat.md
new file mode 100644
index 000000000000..06ddf6c7c54e
--- /dev/null
+++ b/docs/reference/metricbeat/upgrading-metricbeat.md
@@ -0,0 +1,12 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/upgrading-metricbeat.html
+---
+
+# Upgrade Metricbeat [upgrading-metricbeat]
+
+For information about upgrading to a new version, see:
+
+* [Breaking Changes](/release-notes/breaking-changes.md)
+* [Upgrade](/reference/libbeat/upgrading.md)
+
diff --git a/docs/reference/metricbeat/urldecode.md b/docs/reference/metricbeat/urldecode.md
new file mode 100644
index 000000000000..9a8e5a0ddb3b
--- /dev/null
+++ b/docs/reference/metricbeat/urldecode.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "urldecode"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/urldecode.html
+---
+
+# URL Decode [urldecode]
+
+
+The `urldecode` processor specifies a list of fields to decode from URL encoded format. Under the `fields` key, each entry contains a `from: source-field` and a `to: target-field` pair, where:
+
+* `from` is the source field name
+* `to` is the target field name (defaults to the `from` value)
+
+```yaml
+processors:
+  - urldecode:
+      fields:
+        - from: "field1"
+          to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above:
+
+* field1 is decoded in field2
+
+The `urldecode` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be URL-decoded is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the URL-decoding of fields is stopped and the original event is returned. If set to false, decoding continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/metricbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/metricbeat/using-environ-vars.md b/docs/reference/metricbeat/using-environ-vars.md
new file mode 100644
index 000000000000..d364cdbc611e
--- /dev/null
+++ b/docs/reference/metricbeat/using-environ-vars.md
@@ -0,0 +1,80 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/using-environ-vars.html
+---
+
+# Use environment variables in the configuration [using-environ-vars]
+
+You can use environment variable references in the config file to set values that need to be configurable during deployment. To do this, use:
+
+`${VAR}`
+
+Where `VAR` is the name of the environment variable.
+
+Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.
+
+To specify a default value, use:
+
+`${VAR:default_value}`
+
+Where `default_value` is the value to use if the environment variable is undefined.
+
+To specify custom error text, use:
+
+`${VAR:?error_text}`
+
+Where `error_text` is custom text that will be prepended to the error message if the environment variable cannot be expanded.
+
+If you need to use a special character in your configuration file, use `$` to escape the expansion. For example, you can escape `${` or `}` with `$${` or `$}`.
+
+After changing the value of an environment variable, you need to restart Metricbeat to pick up the new value.
+
+::::{note}
+You can also specify environment variables when you override a config setting from the command line by using the `-E` option. For example:
+
+`-E name=${NAME}`
+
+::::
+
+
+
+## Examples [_examples]
+
+Here are some examples of configurations that use environment variables and what each configuration looks like after replacement:
+
+| Config source | Environment setting | Config after replacement |
+| --- | --- | --- |
+| `name: ${NAME}` | `export NAME=elastic` | `name: elastic` |
+| `name: ${NAME}` | no setting | `name:` |
+| `name: ${NAME:beats}` | no setting | `name: beats` |
+| `name: ${NAME:beats}` | `export NAME=elastic` | `name: elastic` |
+| `name: ${NAME:?You need to set the NAME environment variable}` | no setting | None. Returns an error message that’s prepended with the custom text. |
+| `name: ${NAME:?You need to set the NAME environment variable}` | `export NAME=elastic` | `name: elastic` |
+
+
+## Specify complex objects in environment variables [_specify_complex_objects_in_environment_variables]
+
+You can specify complex objects, such as lists or dictionaries, in environment variables by using a JSON-like syntax.
+
+As with JSON, dictionaries and lists are constructed using `{}` and `[]`. But unlike JSON, the syntax allows for trailing commas and slightly different string quotation rules. Strings can be unquoted, single-quoted, or double-quoted, as a convenience for simple settings and to make it easier for you to mix quotation usage in the shell. Arrays at the top-level do not require brackets (`[]`).
+
+For example, the following environment variable is set to a list:
+
+```yaml
+ES_HOSTS="10.45.3.2:9220,10.45.3.1:9230"
+```
+
+You can reference this variable in the config file:
+
+```yaml
+output.elasticsearch:
+  hosts: '${ES_HOSTS}'
+```
+
+When Metricbeat loads the config file, it resolves the environment variable and replaces it with the specified list before reading the `hosts` setting.
+
+::::{note}
+Do not use double-quotes (`"`) to wrap regular expressions, or the backslash (`\`) will be interpreted as an escape character.
+::::
+
+
diff --git a/docs/reference/metricbeat/yaml-tips.md b/docs/reference/metricbeat/yaml-tips.md
new file mode 100644
index 000000000000..a48ec7570bc8
--- /dev/null
+++ b/docs/reference/metricbeat/yaml-tips.md
@@ -0,0 +1,60 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/metricbeat/current/yaml-tips.html
+---
+
+# Avoid YAML formatting problems [yaml-tips]
+
+The configuration file uses [YAML](http://yaml.org/) for its syntax. When you edit the file to modify configuration settings, there are a few things that you should know.
+
+
+## Use spaces for indentation [_use_spaces_for_indentation]
+
+Indentation is meaningful in YAML. Make sure that you use spaces, rather than tab characters, to indent sections.
+
+In the default configuration files and in all the examples in the documentation, we use 2 spaces per indentation level. We recommend you do the same.
+
+
+## Look at the default config file for structure [_look_at_the_default_config_file_for_structure]
+
+The best way to understand where to define a configuration option is by looking at the provided sample configuration files. The configuration files contain most of the default configurations that are available for the Beat. To change a setting, simply uncomment the line and change the values.
+
+
+## Test your config file [_test_your_config_file]
+
+You can test your configuration file to verify that the structure is valid. Simply change to the directory where the binary is installed, and run the Beat in the foreground with the `test config` command specified. For example:
+
+```shell
+metricbeat test config -c metricbeat.yml
+```
+
+You’ll see a message if the Beat finds an error in the file.
+
+
+## Wrap regular expressions in single quotation marks [_wrap_regular_expressions_in_single_quotation_marks]
+
+If you need to specify a regular expression in a YAML file, it’s a good idea to wrap the regular expression in single quotation marks to work around YAML’s tricky rules for string escaping.
+
+For more information about YAML, see [http://yaml.org/](http://yaml.org/).
+
+
+## Wrap paths in single quotation marks [wrap-paths-in-quotes]
+
+Windows paths in particular sometimes contain spaces or characters, such as drive letters or triple dots, that may be misinterpreted by the YAML parser.
+
+To avoid this problem, it’s a good idea to wrap paths in single quotation marks.
+
+
+## Avoid using leading zeros in numeric values [avoid-leading-zeros]
+
+If you use a leading zero (for example, `09`) in a numeric field without wrapping the value in single quotation marks, the value may be interpreted incorrectly by the YAML parser. If the value is a valid octal, it’s converted to an integer. If not, it’s converted to a float.
+
+To prevent unwanted type conversions, avoid using leading zeros in field values, or wrap the values in single quotation marks.
+
+
+## Avoid accidental template variable resolution [dollar-sign-strings]
+
+The templating engine that allows the config to resolve data from environment variables can result in errors in strings with `$` characters. For example, if a password field contains `$$`, the engine will resolve this to `$`.
+
+To work around this, either use the [Secrets keystore](/reference/metricbeat/keystore.md) or escape all instances of `$` with `$$`.
+
diff --git a/docs/reference/packetbeat/add-cloud-metadata.md b/docs/reference/packetbeat/add-cloud-metadata.md
new file mode 100644
index 000000000000..1ea22a596bcc
--- /dev/null
+++ b/docs/reference/packetbeat/add-cloud-metadata.md
@@ -0,0 +1,205 @@
+---
+navigation_title: "add_cloud_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/add-cloud-metadata.html
+---
+
+# Add cloud metadata [add-cloud-metadata]
+
+
+The `add_cloud_metadata` processor enriches each event with instance metadata from the machine’s hosting provider. At startup it will query a list of hosting providers and cache the instance metadata.
+
+The following cloud providers are supported:
+
+* Amazon Web Services (AWS)
+* Digital Ocean
+* Google Compute Engine (GCE)
+* [Tencent Cloud](https://www.qcloud.com/?lang=en) (QCloud)
+* Alibaba Cloud (ECS)
+* Huawei Cloud (ECS)
+* Azure Virtual Machine
+* Openstack Nova
+* Hetzner Cloud
+
+
+## Special notes [_special_notes]
+
+`huawei` is an alias for `openstack`. Huawei cloud runs on OpenStack platform, and when viewed from a metadata API standpoint, it is impossible to differentiate it from OpenStack. If you know that your deployments run on Huawei Cloud exclusively, and you wish to have `cloud.provider` value as `huawei`, you can achieve this by overwriting the value using an `add_fields` processor.
+
+The Alibaba Cloud and Tencent cloud providers are disabled by default, because they require to access a remote host. The `providers` setting allows users to select a list of default providers to query.
+
+Cloud providers tend to maintain metadata services compliant with other cloud providers. For example, Openstack supports [EC2 compliant metadat service](https://docs.openstack.org/nova/latest/user/metadata.html#ec2-compatible-metadata). This makes it impossible to differentiate cloud provider (`cloud.provider` property) with auto discovery (when `providers` configuration is omitted). The processor implementation incorporates a priority mechanism where priority is given to some providers over others when there are multiple successful metadata results. Currently, `aws/ec2` and `azure` have priority over any other provider as their metadata retrival rely on SDKs. The expectation here is that SDK methods should fail if run in an environment not configured accordingly (ex:- missing configurations or credentials).
+
+
+## Configurations [_configurations]
+
+The simple configuration below enables the processor.
+
+```yaml
+processors:
+  - add_cloud_metadata: ~
+```
+
+The `add_cloud_metadata` processor has three optional configuration settings. The first one is `timeout` which specifies the maximum amount of time to wait for a successful response when detecting the hosting provider. The default timeout value is `3s`.
+
+If a timeout occurs then no instance metadata will be added to the events. This makes it possible to enable this processor for all your deployments (in the cloud or on-premise).
+
+The second optional setting is `providers`. The `providers` settings accepts a list of cloud provider names to be used. If `providers` is not configured, then all providers that do not access a remote endpoint are enabled by default. The list of providers may alternatively be configured with the environment variable `BEATS_ADD_CLOUD_METADATA_PROVIDERS`, by setting it to a comma-separated list of provider names.
+
+List of names the `providers` setting supports:
+
+* "alibaba", or "ecs" for the Alibaba Cloud provider (disabled by default).
+* "azure" for Azure Virtual Machine (enabled by default). If the virtual machine is part of an AKS managed cluster, the fields `orchestrator.cluster.name` and `orchestrator.cluster.id` can also be retrieved. "TENANT_ID", "CLIENT_ID" and "CLIENT_SECRET" environment variables need to be set for authentication purposes. If not set we fallback to [DefaultAzureCredential](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication?tabs=bash#2-authenticate-with-azure) and user can choose different authentication methods (e.g. workload identity).
+* "digitalocean" for Digital Ocean (enabled by default).
+* "aws", or "ec2" for Amazon Web Services (enabled by default).
+* "gcp" for Google Copmute Enging (enabled by default).
+* "openstack", "nova", or "huawei" for Openstack Nova (enabled by default).
+* "openstack-ssl", or "nova-ssl" for Openstack Nova when SSL metadata APIs are enabled (enabled by default).
+* "tencent", or "qcloud" for Tencent Cloud (disabled by default).
+* "hetzner" for Hetzner Cloud (enabled by default).
+
+For example, configuration below only utilize `aws` metadata retrival mechanism,
+
+```yaml
+processors:
+  - add_cloud_metadata:
+      providers:
+        aws
+```
+
+The third optional configuration setting is `overwrite`. When `overwrite` is `true`, `add_cloud_metadata` overwrites existing `cloud.*` fields (`false` by default).
+
+The `add_cloud_metadata` processor supports SSL options to configure the http client used to query cloud metadata. See [SSL](/reference/packetbeat/configuration-ssl.md) for more information.
+
+
+## Provided metadata [_provided_metadata]
+
+The metadata that is added to events varies by hosting provider. Below are examples for each of the supported providers.
+
+*AWS*
+
+Metadata given below are extracted from [instance identity document](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html),
+
+```json
+{
+  "cloud": {
+    "account.id": "123456789012",
+    "availability_zone": "us-east-1c",
+    "instance.id": "i-4e123456",
+    "machine.type": "t2.medium",
+    "image.id": "ami-abcd1234",
+    "provider": "aws",
+    "region": "us-east-1"
+  }
+}
+```
+
+If the EC2 instance has IMDS enabled and if tags are allowed through IMDS endpoint, the processor will further append tags in metadata. Please refer official documentation on [IMDS endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) for further details.
+
+```json
+{
+  "aws": {
+    "tags": {
+      "org" : "myOrg",
+      "owner": "userID"
+    }
+  }
+}
+```
+
+*Digital Ocean*
+
+```json
+{
+  "cloud": {
+    "instance.id": "1234567",
+    "provider": "digitalocean",
+    "region": "nyc2"
+  }
+}
+```
+
+*GCP*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "us-east1-b",
+    "instance.id": "1234556778987654321",
+    "machine.type": "f1-micro",
+    "project.id": "my-dev",
+    "provider": "gcp"
+  }
+}
+```
+
+*Tencent Cloud*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "gz-azone2",
+    "instance.id": "ins-qcloudv5",
+    "provider": "qcloud",
+    "region": "china-south-gz"
+  }
+}
+```
+
+*Alibaba Cloud*
+
+This metadata is only available when VPC is selected as the network type of the ECS instance.
+
+```json
+{
+  "cloud": {
+    "availability_zone": "cn-shenzhen",
+    "instance.id": "i-wz9g2hqiikg0aliyun2b",
+    "provider": "ecs",
+    "region": "cn-shenzhen-a"
+  }
+}
+```
+
+*Azure Virtual Machine*
+
+```json
+{
+  "cloud": {
+    "provider": "azure",
+    "instance.id": "04ab04c3-63de-4709-a9f9-9ab8c0411d5e",
+    "instance.name": "test-az-vm",
+    "machine.type": "Standard_D3_v2",
+    "region": "eastus2"
+  }
+}
+```
+
+*Openstack Nova*
+
+```json
+{
+  "cloud": {
+    "instance.name": "test-998d932195.mycloud.tld",
+    "instance.id": "i-00011a84",
+    "availability_zone": "xxxx-az-c",
+    "provider": "openstack",
+    "machine.type": "m2.large"
+  }
+}
+```
+
+*Hetzner Cloud*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "hel1-dc2",
+    "instance.name": "my-hetzner-instance",
+    "instance.id": "111111",
+    "provider": "hetzner",
+    "region": "eu-central"
+  }
+}
+```
+
diff --git a/docs/reference/packetbeat/add-cloudfoundry-metadata.md b/docs/reference/packetbeat/add-cloudfoundry-metadata.md
new file mode 100644
index 000000000000..bf9812a5f47b
--- /dev/null
+++ b/docs/reference/packetbeat/add-cloudfoundry-metadata.md
@@ -0,0 +1,70 @@
+---
+navigation_title: "add_cloudfoundry_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/add-cloudfoundry-metadata.html
+---
+
+# Add Cloud Foundry metadata [add-cloudfoundry-metadata]
+
+
+The `add_cloudfoundry_metadata` processor annotates each event with relevant metadata from Cloud Foundry applications. The events are annotated with Cloud Foundry metadata, only if the event contains a reference to a Cloud Foundry application (using field `cloudfoundry.app.id`) and the configured Cloud Foundry client is able to retrieve information for the application.
+
+Each event is annotated with:
+
+* Application Name
+* Space ID
+* Space Name
+* Organization ID
+* Organization Name
+
+::::{note}
+Pivotal Application Service and Tanzu Application Service include this metadata in all events from the firehose since version 2.8. In these cases the metadata in the events is used, and `add_cloudfoundry_metadata` processor doesn’t modify these fields.
+::::
+
+
+For efficient annotation, application metadata retrieved by the Cloud Foundry client is stored in a persistent cache on the filesystem under the `path.data` directory. This is done so the metadata can persist across restarts of Packetbeat. For control over this cache, use the `cache_duration` and `cache_retry_delay` settings.
+
+```yaml
+processors:
+  - add_cloudfoundry_metadata:
+      api_address: https://api.dev.cfdev.sh
+      client_id: uaa-filebeat
+      client_secret: verysecret
+      ssl:
+        verification_mode: none
+      # To connect to Cloud Foundry over verified TLS you can specify a client and CA certificate.
+      #ssl:
+      #  certificate_authorities: ["/etc/pki/cf/ca.pem"]
+      #  certificate:              "/etc/pki/cf/cert.pem"
+      #  key:                      "/etc/pki/cf/cert.key"
+```
+
+It has the following settings:
+
+`api_address`
+:   (Optional) The URL of the Cloud Foundry API. It uses `http://api.bosh-lite.com` by default.
+
+`doppler_address`
+:   (Optional) The URL of the Cloud Foundry Doppler Websocket. It uses value from ${api_address}/v2/info by default.
+
+`uaa_address`
+:   (Optional) The URL of the Cloud Foundry UAA API. It uses value from ${api_address}/v2/info by default.
+
+`rlp_address`
+:   (Optional) The URL of the Cloud Foundry RLP Gateway. It uses value from ${api_address}/v2/info by default.
+
+`client_id`
+:   Client ID to authenticate with Cloud Foundry.
+
+`client_secret`
+:   Client Secret to authenticate with Cloud Foundry.
+
+`cache_duration`
+:   (Optional) Maximum amount of time to cache an application’s metadata. Defaults to 120 seconds.
+
+`cache_retry_delay`
+:   (Optional) Time to wait before trying to obtain an application’s metadata again in case of error. Defaults to 20 seconds.
+
+`ssl`
+:   (Optional) SSL configuration to use when connecting to Cloud Foundry.
+
diff --git a/docs/reference/packetbeat/add-docker-metadata.md b/docs/reference/packetbeat/add-docker-metadata.md
new file mode 100644
index 000000000000..9f46e3751f3e
--- /dev/null
+++ b/docs/reference/packetbeat/add-docker-metadata.md
@@ -0,0 +1,11 @@
+---
+navigation_title: "add_docker_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/add-docker-metadata.html
+---
+
+# Add Docker metadata [add-docker-metadata]
+
+
+There is currently extremely limited capability for using packetbeat to monitor and coexist with containers, for example Docker, Podman, or Kubernetes. Using the `add_docker_metadata` processor with packetbeat is not recommended nor supported.
+
diff --git a/docs/reference/packetbeat/add-fields.md b/docs/reference/packetbeat/add-fields.md
new file mode 100644
index 000000000000..9514840e9467
--- /dev/null
+++ b/docs/reference/packetbeat/add-fields.md
@@ -0,0 +1,51 @@
+---
+navigation_title: "add_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/add-fields.html
+---
+
+# Add fields [add-fields]
+
+
+The `add_fields` processor adds additional fields to the event.  Fields can be scalar values, arrays, dictionaries, or any nested combination of these. The `add_fields` processor will overwrite the target field if it already exists. By default the fields that you specify will be grouped under the `fields` sub-dictionary in the event. To group the fields under a different sub-dictionary, use the `target` setting. To store the fields as top-level fields, set `target: ''`.
+
+`target`
+:   (Optional) Sub-dictionary to put all fields into. Defaults to `fields`. Setting this to `@metadata` will add values to the event metadata instead of fields.
+
+`fields`
+:   Fields to be added.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_fields:
+      target: project
+      fields:
+        name: myproject
+        id: '574734885120952459'
+```
+
+Adds these fields to any event:
+
+```json
+{
+  "project": {
+    "name": "myproject",
+    "id": "574734885120952459"
+  }
+}
+```
+
+This configuration will alter the event metadata:
+
+```yaml
+processors:
+  - add_fields:
+      target: '@metadata'
+      fields:
+        op_type: "index"
+```
+
+When the event is ingested (e.g. by Elastisearch) the document will have `op_type: "index"` set as a metadata field.
+
diff --git a/docs/reference/packetbeat/add-host-metadata.md b/docs/reference/packetbeat/add-host-metadata.md
new file mode 100644
index 000000000000..8c503f286beb
--- /dev/null
+++ b/docs/reference/packetbeat/add-host-metadata.md
@@ -0,0 +1,92 @@
+---
+navigation_title: "add_host_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/add-host-metadata.html
+---
+
+# Add Host metadata [add-host-metadata]
+
+
+```yaml
+processors:
+  - add_host_metadata:
+      cache.ttl: 5m
+      geo:
+        name: nyc-dc1-rack1
+        location: 40.7128, -74.0060
+        continent_name: North America
+        country_iso_code: US
+        region_name: New York
+        region_iso_code: NY
+        city_name: New York
+```
+
+It has the following settings:
+
+`netinfo.enabled`
+:   (Optional) Default true. Include IP addresses and MAC addresses as fields host.ip and host.mac
+
+`cache.ttl`
+:   (Optional) The processor uses an internal cache for the host metadata. This sets the cache expiration time. The default is 5m, negative values disable caching altogether.
+
+`geo.name`
+:   (Optional) User definable token to be used for identifying a discrete location. Frequently a datacenter, rack, or similar.
+
+`geo.location`
+:   (Optional) Longitude and latitude in comma separated format.
+
+`geo.continent_name`
+:   (Optional) Name of the continent.
+
+`geo.country_name`
+:   (Optional) Name of the country.
+
+`geo.region_name`
+:   (Optional) Name of the region.
+
+`geo.city_name`
+:   (Optional) Name of the city.
+
+`geo.country_iso_code`
+:   (Optional) ISO country code.
+
+`geo.region_iso_code`
+:   (Optional) ISO region code.
+
+`replace_fields`
+:   (Optional) Default true. If set to false, original host fields from the event will not be replaced by host fields from `add_host_metadata`.
+
+The `add_host_metadata` processor annotates each event with relevant metadata from the host machine. The fields added to the event look like the following:
+
+```json
+{
+   "host":{
+      "architecture":"x86_64",
+      "name":"example-host",
+      "id":"",
+      "os":{
+         "family":"darwin",
+         "type":"macos",
+         "build":"16G1212",
+         "platform":"darwin",
+         "version":"10.12.6",
+         "kernel":"16.7.0",
+         "name":"Mac OS X"
+      },
+      "ip": ["192.168.0.1", "10.0.0.1"],
+      "mac": ["00:25:96:12:34:56", "72:00:06:ff:79:f1"],
+      "geo": {
+          "continent_name": "North America",
+          "country_iso_code": "US",
+          "region_name": "New York",
+          "region_iso_code": "NY",
+          "city_name": "New York",
+          "name": "nyc-dc1-rack1",
+          "location": "40.7128, -74.0060"
+        }
+   }
+}
+```
+
+Note: `add_host_metadata` processor will overwrite host fields if `host.*` fields already exist in the event from Beats by default with `replace_fields` equals to `true`. Please use `add_observer_metadata` if the beat is being used to monitor external systems.
+
diff --git a/docs/reference/packetbeat/add-id.md b/docs/reference/packetbeat/add-id.md
new file mode 100644
index 000000000000..005f1f53736c
--- /dev/null
+++ b/docs/reference/packetbeat/add-id.md
@@ -0,0 +1,24 @@
+---
+navigation_title: "add_id"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/add-id.html
+---
+
+# Generate an ID for an event [add-id]
+
+
+The `add_id` processor generates a unique ID for an event.
+
+```yaml
+processors:
+  - add_id: ~
+```
+
+The following settings are supported:
+
+`target_field`
+:   (Optional) Field where the generated ID will be stored. Default is `@metadata._id`.
+
+`type`
+:   (Optional) Type of ID to generate. Currently only `elasticsearch` is supported and is the default. The `elasticsearch` type generates IDs using the same algorithm that Elasticsearch uses for auto-generating document IDs.
+
diff --git a/docs/reference/packetbeat/add-kubernetes-metadata.md b/docs/reference/packetbeat/add-kubernetes-metadata.md
new file mode 100644
index 000000000000..9b6247673d88
--- /dev/null
+++ b/docs/reference/packetbeat/add-kubernetes-metadata.md
@@ -0,0 +1,244 @@
+---
+navigation_title: "add_kubernetes_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/add-kubernetes-metadata.html
+---
+
+# Add Kubernetes metadata [add-kubernetes-metadata]
+
+
+The `add_kubernetes_metadata` processor annotates each event with relevant metadata based on which Kubernetes pod the event originated from. This processor only adds metadata to the events that do not have it yet present.
+
+At startup, it detects an `in_cluster` environment and caches the Kubernetes-related metadata. Events are only annotated if a valid configuration is detected. If it’s not able to detect a valid Kubernetes configuration, the events are not annotated with Kubernetes-related metadata.
+
+Each event is annotated with:
+
+* Pod Name
+* Pod UID
+* Namespace
+* Labels
+
+In addition, the node and namespace metadata are added to the pod metadata.
+
+The `add_kubernetes_metadata` processor has two basic building blocks:
+
+* Indexers
+* Matchers
+
+Indexers use pod metadata to create unique identifiers for each one of the pods. These identifiers help to correlate the metadata of the observed pods with actual events. For example, the `ip_port` indexer can take a Kubernetes pod and create identifiers for it based on all its `pod_ip:container_port` combinations.
+
+Matchers use information in events to construct lookup keys that match the identifiers created by the indexers. For example, when the `fields` matcher takes `["metricset.host"]` as a lookup field, it would construct a lookup key with the value of the field `metricset.host`. When one of these lookup keys matches with one of the identifiers, the event is enriched with the metadata of the identified pod.
+
+Each Beat can define its own default indexers and matchers which are enabled by default. For example, Filebeat enables the `container` indexer, which identifies pod metadata based on all container IDs, and a `logs_path` matcher, which takes the `log.file.path` field, extracts the container ID, and uses it to retrieve metadata.
+
+You can find more information about the available indexers and matchers, and some examples in [Indexers and matchers](#kubernetes-indexers-and-matchers).
+
+The configuration below enables the processor when packetbeat is run as a pod in Kubernetes.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      # Defining indexers and matchers manually is required for packetbeat, for instance:
+      #indexers:
+      #  - ip_port:
+      #matchers:
+      #  - fields:
+      #      lookup_fields: ["metricset.host"]
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The configuration below enables the processor on a Beat running as a process on the Kubernetes node.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      host: <hostname>
+      # If kube_config is not set, KUBECONFIG environment variable will be checked
+      # and if not present it will fall back to InCluster
+      kube_config: $Packetbeat Reference/.kube/config
+      # Defining indexers and matchers manually is required for packetbeat, for instance:
+      #indexers:
+      #  - ip_port:
+      #matchers:
+      #  - fields:
+      #      lookup_fields: ["metricset.host"]
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The configuration below has the default indexers and matchers disabled and enables ones that the user is interested in.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      host: <hostname>
+      # If kube_config is not set, KUBECONFIG environment variable will be checked
+      # and if not present it will fall back to InCluster
+      kube_config: ~/.kube/config
+      default_indexers.enabled: false
+      default_matchers.enabled: false
+      indexers:
+        - ip_port:
+      matchers:
+        - fields:
+            lookup_fields: ["metricset.host"]
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The `add_kubernetes_metadata` processor has the following configuration settings:
+
+`host`
+:   (Optional) Specify the node to scope packetbeat to in case it cannot be accurately detected, as when running packetbeat in host network mode.
+
+`scope`
+:   (Optional) Specify if the processor should have visibility at the node level or at the entire cluster level. Possible values are `node` and `cluster`. Scope is `node` by default.
+
+`namespace`
+:   (Optional) Select the namespace from which to collect the metadata. If it is not set, the processor collects metadata from all namespaces. It is unset by default.
+
+`add_resource_metadata`
+:   (Optional) Specify filters and configuration for the extra metadata, that will be added to the event. Configuration parameters:
+
+    * `node` or `namespace`: Specify labels and annotations filters for the extra metadata coming from node and namespace. By default all labels are included while annotations are not. To change default behaviour `include_labels`, `exclude_labels` and `include_annotations` can be defined. Those settings are useful when storing labels and annotations that require special handling to avoid overloading the storage output. Note: wildcards are not supported for those settings. The enrichment of `node` or `namespace` metadata can be individually disabled by setting `enabled: false`.
+    * `deployment`: If resource is `pod` and it is created from a `deployment`, by default the deployment name is added, this can be disabled by setting `deployment: false`.
+    * `cronjob`: If resource is `pod` and it is created from a `cronjob`, by default the cronjob name is added, this can be disabled by setting `cronjob: false`.
+
+        Example:
+
+
+```yaml
+      add_resource_metadata:
+        namespace:
+          include_labels: ["namespacelabel1"]
+          #labels.dedot: true
+          #annotations.dedot: true
+        node:
+          include_labels: ["nodelabel2"]
+          include_annotations: ["nodeannotation1"]
+          #labels.dedot: true
+          #annotations.dedot: true
+        deployment: false
+        cronjob: false
+```
+
+`kube_config`
+:   (Optional) Use given config file as configuration for Kubernetes client. It defaults to `KUBECONFIG` environment variable if present.
+
+`use_kubeadm`
+:   (Optional) Default true. By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+
+`kube_client_options`
+:   (Optional) Additional options can be configured for Kubernetes client. Currently client QPS and burst are supported, if not set Kubernetes client’s [default QPS and burst](https://pkg.go.dev/k8s.io/client-go/rest#pkg-constants) will be used. Example:
+
+```yaml
+      kube_client_options:
+        qps: 5
+        burst: 10
+```
+
+`cleanup_timeout`
+:   (Optional) Specify the time of inactivity before stopping the running configuration for a container. This is `60s` by default.
+
+`sync_period`
+:   (Optional) Specify the timeout for listing historical resources.
+
+`default_indexers.enabled`
+:   (Optional) Enable or disable default pod indexers when you want to specify your own.
+
+`default_matchers.enabled`
+:   (Optional) Enable or disable default pod matchers when you want to specify your own.
+
+`labels.dedot`
+:   (Optional) Default to be true. If set to true, then `.` in labels will be replaced with `_`.
+
+`annotations.dedot`
+:   (Optional) Default to be true. If set to true, then `.` in labels will be replaced with `_`.
+
+
+## Indexers and matchers [kubernetes-indexers-and-matchers]
+
+## Indexers [_indexers]
+
+Indexers use pods metadata to create unique identifiers for each one of the pods.
+
+Available indexers are:
+
+`container`
+:   Identifies the pod metadata using the IDs of its containers.
+
+`ip_port`
+:   Identifies the pod metadata using combinations of its IP and its exposed ports. When using this indexer metadata is identified using the IP of the pods, and the combination if `ip:port` for each one of the ports exposed by its containers.
+
+`pod_name`
+:   Identifies the pod metadata using its namespace and its name as `namespace/pod_name`.
+
+`pod_uid`
+:   Identifies the pod metadata using the UID of the pod.
+
+
+## Matchers [_matchers]
+
+Matchers are used to construct the lookup keys that match with the identifiers created by indexes.
+
+### `field_format` [_field_format]
+
+Looks up pod metadata using a key created with a string format that can include event fields.
+
+This matcher has an option `format` to define the string format. This string format can contain placeholders for any field in the event.
+
+For example, the following configuration uses the `ip_port` indexer to identify the pod metadata by combinations of the pod IP and its exposed ports, and uses the destination IP and port in events as match keys:
+
+```yaml
+processors:
+- add_kubernetes_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - ip_port:
+    matchers:
+      - field_format:
+          format: '%{[destination.ip]}:%{[destination.port]}'
+```
+
+
+### `fields` [_fields]
+
+Looks up pod metadata using as key the value of some specific fields. When multiple fields are defined, the first one included in the event is used.
+
+This matcher has an option `lookup_fields` to define the files whose value will be used for lookup.
+
+For example, the following configuration uses the `ip_port` indexer to identify pods, and defines a matcher that uses the destination IP or the server IP for the lookup, the first it finds in the event:
+
+```yaml
+processors:
+- add_kubernetes_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - ip_port:
+    matchers:
+      - fields:
+          lookup_fields: ['destination.ip', 'server.ip']
+```
+
+It’s also possible to extract the matching key from fields using a regex pattern. The optional `regex_pattern` field can be used to set the pattern. The pattern **must** contain a capture group named `key`, whose value will be used as the matching key.
+
+For example, the following configuration uses the `container` indexer to identify containers by their id, and extracts the matching key from the cgroup id field added to system process metrics. This field has the form `cri-containerd-<id>.scope`, so we need a regex pattern to obtain the container id.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      indexers:
+        - container:
+      matchers:
+        - fields:
+            lookup_fields: ['system.process.cgroup.id']
+            regex_pattern: 'cri-containerd-(?P<key>[0-9a-z]+)\.scope'
+```
+
+
+
diff --git a/docs/reference/packetbeat/add-labels.md b/docs/reference/packetbeat/add-labels.md
new file mode 100644
index 000000000000..74aa4e5e1ce9
--- /dev/null
+++ b/docs/reference/packetbeat/add-labels.md
@@ -0,0 +1,45 @@
+---
+navigation_title: "add_labels"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/add-labels.html
+---
+
+# Add labels [add-labels]
+
+
+The `add_labels` processors adds a set of key-value pairs to an event. The processor will flatten nested configuration objects like arrays or dictionaries into a fully qualified name by merging nested names with a `.`. Array entries create numeric names starting with 0.  Labels are always stored under the Elastic Common Schema compliant `labels` sub-dictionary.
+
+`labels`
+:   dictionaries of labels to be added.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_labels:
+      labels:
+        number: 1
+        with.dots: test
+        nested:
+          with.dots: nested
+        array:
+          - do
+          - re
+          - with.field: mi
+```
+
+Adds these fields to every event:
+
+```json
+{
+  "labels": {
+    "number": 1,
+    "with.dots": "test",
+    "nested.with.dots": "nested",
+    "array.0": "do",
+    "array.1": "re",
+    "array.2.with.field": "mi"
+  }
+}
+```
+
diff --git a/docs/reference/packetbeat/add-locale.md b/docs/reference/packetbeat/add-locale.md
new file mode 100644
index 000000000000..eb634b016e56
--- /dev/null
+++ b/docs/reference/packetbeat/add-locale.md
@@ -0,0 +1,31 @@
+---
+navigation_title: "add_locale"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/add-locale.html
+---
+
+# Add the local time zone [add-locale]
+
+
+The `add_locale` processor enriches each event with the machine’s time zone offset from UTC or with the name of the time zone. It supports one configuration option named `format` that controls whether an offset or time zone abbreviation is added to the event. The default format is `offset`. The processor adds the a `event.timezone` value to each event.
+
+The configuration below enables the processor with the default settings.
+
+```yaml
+processors:
+  - add_locale: ~
+```
+
+This configuration enables the processor and configures it to add the time zone abbreviation to events.
+
+```yaml
+processors:
+  - add_locale:
+      format: abbreviation
+```
+
+::::{note}
+Please note that `add_locale` differentiates between daylight savings time (DST) and regular time. For example `CEST` indicates DST and and `CET` is regular time.
+::::
+
+
diff --git a/docs/reference/packetbeat/add-network-direction.md b/docs/reference/packetbeat/add-network-direction.md
new file mode 100644
index 000000000000..385ebd8c4971
--- /dev/null
+++ b/docs/reference/packetbeat/add-network-direction.md
@@ -0,0 +1,22 @@
+---
+navigation_title: "add_network_direction"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/add-network-direction.html
+---
+
+# Add network direction [add-network-direction]
+
+
+The `add_network_direction` processor attempts to compute the perimeter-based network direction given an a source and destination ip address and list of internal networks. The key `internal_networks` can contain either CIDR blocks or a list of special values enumerated in the network section of [Conditions](/reference/packetbeat/defining-processors.md#conditions).
+
+```yaml
+processors:
+  - add_network_direction:
+      source: source.ip
+      destination: destination.ip
+      target: network.direction
+      internal_networks: [ private ]
+```
+
+See [Conditions](/reference/packetbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/packetbeat/add-nomad-metadata.md b/docs/reference/packetbeat/add-nomad-metadata.md
new file mode 100644
index 000000000000..2b22f2bc78fb
--- /dev/null
+++ b/docs/reference/packetbeat/add-nomad-metadata.md
@@ -0,0 +1,137 @@
+---
+navigation_title: "add_nomad_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/add-nomad-metadata.html
+---
+
+# Add Nomad metadata [add-nomad-metadata]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `add_nomad_metadata` processor adds fields with relevant metadata for applications deployed in Nomad.
+
+Each event is annotated with the following information:
+
+* Allocation name, identifier and status.
+* Job name and type.
+* Namespace where the job is deployed.
+* Datacenter and region where the agent running the allocation is located.
+
+```yaml
+processors:
+  - add_nomad_metadata: ~
+```
+
+It has the following settings to configure the connection:
+
+`address`
+:   (Optional) The URL of the agent API used to request the metadata. It uses `http://127.0.0.1:4646` by default.
+
+`namespace`
+:   (Optional) Namespace to watch. If set, only events for allocations in this namespace will be annotated.
+
+`region`
+:   (Optional) Region to watch. If set, only events for allocations in this region will be annotated.
+
+`secret_id`
+:   (Optional) SecretID to use when connecting with the agent API. This is an example ACL policy to apply to the token.
+
+```json
+namespace "*" {
+  policy = "read"
+}
+node {
+  policy = "read"
+}
+agent {
+  policy = "read"
+}
+```
+
+`refresh_interval`
+:   (Optional) Interval used to update the cached metadata. It defaults to 30 seconds.
+
+`cleanup_timeout`
+:   (Optional) After an allocation has been removed, time to wait before cleaning up their associated resources. This is useful if you expect to receive events after an allocation has been removed, which can happen when collecting logs. It defaults to 60 seconds.
+
+You can decide if Packetbeat should annotate events related to allocations in local node or on the whole cluster configuring the scope with the following settings:
+
+`scope`
+:   (Optional) Scope of the resources to watch. It can be `node` to get metadata only for the allocations in a single agent, or `global`, to get metadata for allocations running on any agent. It defaults to `node`.
+
+`node`
+:   (Optional) When using `scope: node`, use `node` to specify the name of the local node if it cannot be discovered automatically.
+
+For example the following configuration could be used if Packetbeat is collecting events from all the allocations in the cluster:
+
+```yaml
+processors:
+  - add_nomad_metadata:
+      scope: global
+```
+
+## Indexers and matchers [_indexers_and_matchers]
+
+Indexers and matchers are used to correlate fields in events with actual metadata. Packetbeat uses this information to know what metadata to include in each event.
+
+### Indexers [_indexers_2]
+
+Indexers use allocation metadata to create unique identifiers for each one of the pods.
+
+Avaliable indexers are: `allocation_name`:: Identifies allocations by its name and namespace (as `<namespace>/<name>`) `allocation_uuid`:: Identifies allocations by its unique identifier.
+
+
+### Matchers [_matchers_2]
+
+Matchers are used to construct the lookup keys that match with the identifiers created by indexes.
+
+
+### `field_format` [_field_format_2]
+
+Looks up allocation metadata using a key created with a string format that can include event fields.
+
+This matcher has an option `format` to define the string format. This string format can contain placeholders for any field in the event.
+
+For example, the following configuration uses the `allocation_name` indexer to identify the allocation metadata by its name and namespace, and uses custom fields existing in the event as match keys:
+
+```yaml
+processors:
+- add_nomad_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - allocation_name:
+    matchers:
+      - field_format:
+          format: '%{[labels.nomad_namespace]}/%{[fields.nomad_alloc_name]}'
+```
+
+
+### `fields` [_fields_2]
+
+Looks up allocation metadata using as key the value of some specific fields. When multiple fields are defined, the first one included in the event is used.
+
+This matcher has an option `lookup_fields` to define the fields whose value will be used for lookup.
+
+For example, the following configuration uses the `allocation_uuid` indexer to identify allocations, and defines a matcher that uses some fields where the allocation UUID can be found for lookup, the first it finds in the event:
+
+```yaml
+processors:
+- add_nomad_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - allocation_uuid:
+    matchers:
+      - fields:
+          lookup_fields: ['host.name', 'fields.nomad_alloc_uuid']
+```
+
+
+
diff --git a/docs/reference/packetbeat/add-observer-metadata.md b/docs/reference/packetbeat/add-observer-metadata.md
new file mode 100644
index 000000000000..852fac3e1de1
--- /dev/null
+++ b/docs/reference/packetbeat/add-observer-metadata.md
@@ -0,0 +1,88 @@
+---
+navigation_title: "add_observer_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/add-observer-metadata.html
+---
+
+# Add Observer metadata [add-observer-metadata]
+
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+```yaml
+processors:
+  - add_observer_metadata:
+      cache.ttl: 5m
+      geo:
+        name: nyc-dc1-rack1
+        location: 40.7128, -74.0060
+        continent_name: North America
+        country_iso_code: US
+        region_name: New York
+        region_iso_code: NY
+        city_name: New York
+```
+
+It has the following settings:
+
+`netinfo.enabled`
+:   (Optional) Default true. Include IP addresses and MAC addresses as fields observer.ip and observer.mac
+
+`cache.ttl`
+:   (Optional) The processor uses an internal cache for the observer metadata. This sets the cache expiration time. The default is 5m, negative values disable caching altogether.
+
+`geo.name`
+:   (Optional) User definable token to be used for identifying a discrete location. Frequently a datacenter, rack, or similar.
+
+`geo.location`
+:   (Optional) Longitude and latitude in comma separated format.
+
+`geo.continent_name`
+:   (Optional) Name of the continent.
+
+`geo.country_name`
+:   (Optional) Name of the country.
+
+`geo.region_name`
+:   (Optional) Name of the region.
+
+`geo.city_name`
+:   (Optional) Name of the city.
+
+`geo.country_iso_code`
+:   (Optional) ISO country code.
+
+`geo.region_iso_code`
+:   (Optional) ISO region code.
+
+The `add_observer_metadata` processor annotates each event with relevant metadata from the observer machine. The fields added to the event look like the following:
+
+```json
+{
+  "observer" : {
+    "hostname" : "avce",
+    "type" : "heartbeat",
+    "vendor" : "elastic",
+    "ip" : [
+      "192.168.1.251",
+      "fe80::64b2:c3ff:fe5b:b974",
+    ],
+    "mac" : [
+      "dc:c1:02:6f:1b:ed",
+    ],
+    "geo": {
+      "continent_name": "North America",
+      "country_iso_code": "US",
+      "region_name": "New York",
+      "region_iso_code": "NY",
+      "city_name": "New York",
+      "name": "nyc-dc1-rack1",
+      "location": "40.7128, -74.0060"
+    }
+  }
+}
+```
+
diff --git a/docs/reference/packetbeat/add-process-metadata.md b/docs/reference/packetbeat/add-process-metadata.md
new file mode 100644
index 000000000000..efa1fb6f3721
--- /dev/null
+++ b/docs/reference/packetbeat/add-process-metadata.md
@@ -0,0 +1,94 @@
+---
+navigation_title: "add_process_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/add-process-metadata.html
+---
+
+# Add process metadata [add-process-metadata]
+
+
+The `add_process_metadata` processor enriches events with information from running processes, identified by their process ID (PID).
+
+```yaml
+processors:
+  - add_process_metadata:
+      match_pids:
+        - process.pid
+```
+
+The fields added to the event look as follows:
+
+```json
+{
+  "container": {
+    "id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1"
+  },
+  "process": {
+    "args": [
+      "/usr/lib/systemd/systemd",
+      "--switched-root",
+      "--system",
+      "--deserialize",
+      "22"
+    ],
+    "executable": "/usr/lib/systemd/systemd",
+    "name": "systemd",
+    "owner": {
+      "id": "0",
+      "name": "root"
+    },
+    "parent": {
+      "pid": 0
+    },
+    "pid": 1,
+    "start_time": "2018-08-22T08:44:50.684Z",
+    "title": "/usr/lib/systemd/systemd --switched-root --system --deserialize 22"
+  }
+}
+```
+
+Optionally, the process environment can be included, too:
+
+```json
+  ...
+  "env": {
+    "HOME":       "/",
+    "TERM":       "linux",
+    "BOOT_IMAGE": "/boot/vmlinuz-4.11.8-300.fc26.x86_64",
+    "LANG":       "en_US.UTF-8",
+  }
+  ...
+```
+
+It has the following settings:
+
+`match_pids`
+:   List of fields to lookup for a PID. The processor will search the list sequentially until the field is found in the current event, and the PID lookup will be applied to the value of this field.
+
+`target`
+:   (Optional) Destination prefix where the `process` object will be created. The default is the event’s root.
+
+`include_fields`
+:   (Optional) List of fields to add. By default, the processor will add all the available fields except `process.env`.
+
+`ignore_missing`
+:   (Optional) When set to `false`, events that don’t contain any of the fields in match_pids will be discarded and an error will be generated. By default, this condition is ignored.
+
+`overwrite_keys`
+:   (Optional) By default, if a target field already exists, it will not be overwritten, and an error will be logged. If `overwrite_keys` is set to `true`, this condition will be ignored.
+
+`restricted_fields`
+:   (Optional) By default, the `process.env` field is not output, to avoid leaking sensitive data. If `restricted_fields` is `true`, the field will be present in the output.
+
+`host_path`
+:   (Optional) By default, the `host_path` field is set to the root directory of the host `/`. This is the path where `/proc` is mounted. For different runtime configurations of Kubernetes or Docker, the `host_path` can be set to overwrite the default.
+
+`cgroup_prefixes`
+:   (Optional) List of prefixes that will be matched against cgroup paths. When a cgroup path begins with a prefix in the list, then the last element of the path is returned as the container ID. Only one of `cgroup_prefixes` and `cgroup_rexex` should be configured. If neither are configured then a default `cgroup_regex` value is used that matches cgroup paths containing 64-character container IDs (like those from Docker, Kubernetes, and Podman).
+
+`cgroup_regex`
+:   (Optional) A regular expression that will be matched against cgroup paths. It must contain one capturing group. When a cgroup path matches the regular expression then the value of the capturing group is returned as the container ID.  Only one of `cgroup_prefixes` and `cgroup_rexex` should be configured. If neither are configured then a default `cgroup_regex` value is used that matches cgroup paths containing 64-character container IDs (like those from Docker, Kubernetes, and Podman).
+
+`cgroup_cache_expire_time`
+:   (Optional) By default, the `cgroup_cache_expire_time` is set to 30 seconds. This is the length of time before cgroup cache elements expire in seconds. It can be set to 0 to disable the cgroup cache. In some container runtimes technology like runc, the container’s process is also process in the host kernel, and will be affected by PID rollover/reuse. The expire time needs to set smaller than the PIDs wrap around time to avoid wrong container id.
+
diff --git a/docs/reference/packetbeat/add-tags.md b/docs/reference/packetbeat/add-tags.md
new file mode 100644
index 000000000000..0b7b7155f7a9
--- /dev/null
+++ b/docs/reference/packetbeat/add-tags.md
@@ -0,0 +1,34 @@
+---
+navigation_title: "add_tags"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/add-tags.html
+---
+
+# Add tags [add-tags]
+
+
+The `add_tags` processor adds tags to a list of tags. If the target field already exists, the tags are appended to the existing list of tags.
+
+`tags`
+:   List of tags to add.
+
+`target`
+:   (Optional) Field the tags will be added to. Defaults to `tags`. Setting tags in `@metadata` is not supported.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_tags:
+      tags: [web, production]
+      target: "environment"
+```
+
+Adds the environment field to every event:
+
+```json
+{
+  "environment": ["web", "production"]
+}
+```
+
diff --git a/docs/reference/packetbeat/append.md b/docs/reference/packetbeat/append.md
new file mode 100644
index 000000000000..1e7ce1c54ad7
--- /dev/null
+++ b/docs/reference/packetbeat/append.md
@@ -0,0 +1,73 @@
+---
+navigation_title: "append"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/append.html
+---
+
+# Append Processor [append]
+
+
+The `append` processor appends one or more values to an existing array if the target field already exists and it is an array. Converts a scaler to an array and appends one or more values to it if the field exists and it is a scaler. Here the values can either be one or more static values or one or more values from the fields listed under *fields* key.
+
+`target_field`
+:   The field in which you want to append the data.
+
+`fields`
+:   (Optional) List of fields from which you want to copy data from. If the value is of a concrete type it will be appended directly to the target. However, if the value is an array, all the elements of the array are pushed individually to the target field.
+
+`values`
+:   (Optional) List of static values you want to append to target field.
+
+`ignore_empty_values`
+:   (Optional) If set to `true`, all the `""` and `nil` are omitted from being appended to the target field.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error occurs, the changes are reverted and the original is returned. If set to `false`, processing continues if an error occurs. Default is `true`.
+
+`allow_duplicate`
+:   (Optional) If set to `false`, the processor does not append values already present in the field. The default is `true`, which will append duplicate values in the array.
+
+`ignore_missing`
+:   (Optional) Indicates whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+note: If you want to use `fields` parameter with fields under `message`, make sure you use `decode_json_fields` first with `target: ""`.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - decode_json_fields:
+      fields: message
+      target: ""
+  - append:
+      target_field: target-field
+      fields:
+        - concrete.field
+        - array.one
+      values:
+        - static-value
+        - ""
+      ignore_missing: true
+      fail_on_error: true
+      ignore_empty_values: true
+```
+
+Copies the values of `concrete.field`, `array.one` response fields and the static values to `target-field`:
+
+```json
+{
+  "concrete": {
+    "field": "val0"
+  },
+  "array": {
+      "one": [ "val1", "val2" ]
+  },
+  "target-field": [
+    "val0",
+    "val1",
+    "val2",
+    "static-value"
+  ]
+}
+```
+
diff --git a/docs/reference/packetbeat/bandwidth-throttling.md b/docs/reference/packetbeat/bandwidth-throttling.md
new file mode 100644
index 000000000000..e988492cbb30
--- /dev/null
+++ b/docs/reference/packetbeat/bandwidth-throttling.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/bandwidth-throttling.html
+---
+
+# Packetbeat uses too much bandwidth [bandwidth-throttling]
+
+If you need to limit bandwidth usage, we recommend that you configure the network stack on your OS to perform bandwidth throttling.
+
+For example, the following Linux commands cap the connection between Packetbeat and Logstash by setting a limit of 50 kbps on TCP connections over port 5044:
+
+```shell
+tc qdisc add dev $DEV root handle 1: htb
+tc class add dev $DEV parent 1:1 classid 1:10 htb rate 50kbps ceil 50kbps
+tc filter add dev $DEV parent 1:0 prio 1 protocol ip handle 10 fw flowid 1:10
+iptables -A OUTPUT -t mangle -p tcp --dport 5044 -j MARK --set-mark 10
+```
+
+Using OS tools to perform bandwidth throttling gives you better control over policies. For example, you can use OS tools to cap bandwidth during the day, but not at night. Or you can leave the bandwidth uncapped, but assign a low priority to the traffic.
+
diff --git a/docs/reference/packetbeat/beats-api-keys.md b/docs/reference/packetbeat/beats-api-keys.md
new file mode 100644
index 000000000000..04d1cd1aeaa0
--- /dev/null
+++ b/docs/reference/packetbeat/beats-api-keys.md
@@ -0,0 +1,142 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/beats-api-keys.html
+---
+
+# Grant access using API keys [beats-api-keys]
+
+Instead of using usernames and passwords, you can use API keys to grant access to {{es}} resources. You can set API keys to expire at a certain time, and you can explicitly invalidate them. Any user with the `manage_api_key` or `manage_own_api_key` cluster privilege can create API keys.
+
+Packetbeat instances typically send both collected data and monitoring information to {{es}}. If you are sending both to the same cluster, you can use the same API key. For different clusters, you need to use an API key per cluster.
+
+::::{note}
+For security reasons, we recommend using a unique API key per Packetbeat instance. You can create as many API keys per user as necessary.
+::::
+
+
+::::{important}
+Review [*Grant users access to secured resources*](/reference/packetbeat/feature-roles.md) before creating API keys for Packetbeat.
+::::
+
+
+
+## Create an API key for publishing [beats-api-key-publish]
+
+To create an API key to use for writing data to {{es}}, use the [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key), for example:
+
+```console
+POST /_security/api_key
+{
+  "name": "packetbeat_host001", <1>
+  "role_descriptors": {
+    "packetbeat_writer": { <2>
+      "cluster": ["monitor", "read_ilm", "read_pipeline"],
+      "index": [
+        {
+          "names": ["packetbeat-*"],
+          "privileges": ["view_index_metadata", "create_doc", "auto_configure"]
+        }
+      ]
+    }
+  }
+}
+```
+
+1. Name of the API key
+2. Granted privileges, see [*Grant users access to secured resources*](/reference/packetbeat/feature-roles.md)
+
+
+::::{note}
+See [Create a *publishing* user](/reference/packetbeat/privileges-to-publish-events.md) for the list of privileges required to publish events.
+::::
+
+
+The return value will look something like this:
+
+```console-result
+{
+  "id":"TiNAGG4BaaMdaH1tRfuU", <1>
+  "name":"packetbeat_host001",
+  "api_key":"KnR6yE41RrSowb0kQ0HWoA" <2>
+}
+```
+
+1. Unique id for this API key
+2. Generated API key
+
+
+You can now use this API key in your `packetbeat.yml` configuration file like this:
+
+```yaml
+output.elasticsearch:
+  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA <1>
+```
+
+1. Format is `id:api_key` (as returned by [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key))
+
+
+
+## Create an API key for monitoring [beats-api-key-monitor]
+
+To create an API key to use for sending monitoring data to {{es}}, use the [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key), for example:
+
+```console
+POST /_security/api_key
+{
+  "name": "packetbeat_host001", <1>
+  "role_descriptors": {
+    "packetbeat_monitoring": { <2>
+      "cluster": ["monitor"],
+      "index": [
+        {
+          "names": [".monitoring-beats-*"],
+          "privileges": ["create_index", "create"]
+        }
+      ]
+    }
+  }
+}
+```
+
+1. Name of the API key
+2. Granted privileges, see [*Grant users access to secured resources*](/reference/packetbeat/feature-roles.md)
+
+
+::::{note}
+See [Create a *monitoring* user](/reference/packetbeat/privileges-to-publish-monitoring.md) for the list of privileges required to send monitoring data.
+::::
+
+
+The return value will look something like this:
+
+```console-result
+{
+  "id":"TiNAGG4BaaMdaH1tRfuU", <1>
+  "name":"packetbeat_host001",
+  "api_key":"KnR6yE41RrSowb0kQ0HWoA" <2>
+}
+```
+
+1. Unique id for this API key
+2. Generated API key
+
+
+You can now use this API key in your `packetbeat.yml` configuration file like this:
+
+```yaml
+monitoring.elasticsearch:
+  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA <1>
+```
+
+1. Format is `id:api_key` (as returned by [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key))
+
+
+
+## Learn more about API keys [learn-more-api-keys]
+
+See the {{es}} API key documentation for more information:
+
+* [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key)
+* [Get API key information](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-get-api-key)
+* [Invalidate API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-invalidate-api-key)
+
diff --git a/docs/reference/packetbeat/change-index-name.md b/docs/reference/packetbeat/change-index-name.md
new file mode 100644
index 000000000000..b0a81ee28a26
--- /dev/null
+++ b/docs/reference/packetbeat/change-index-name.md
@@ -0,0 +1,23 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/change-index-name.html
+---
+
+# Change the index name [change-index-name]
+
+Packetbeat uses data streams named `packetbeat-9.0.0-beta1`. To use a different name, set the [`index`](/reference/packetbeat/elasticsearch-output.md#index-option-es) option in the {{es}} output. You also need to configure the `setup.template.name` and `setup.template.pattern` options to match the new name. For example:
+
+```sh
+output.elasticsearch.index: "customname-%{[agent.version]}"
+setup.template.name: "customname-%{[agent.version]}"
+setup.template.pattern: "customname-%{[agent.version]}"
+```
+
+If you’re using pre-built Kibana dashboards, also set the `setup.dashboards.index` option. For example:
+
+```yaml
+setup.dashboards.index: "customname-*"
+```
+
+For a full list of template setup options, see [Elasticsearch index template](/reference/packetbeat/configuration-template.md).
+
diff --git a/docs/reference/packetbeat/command-line-options.md b/docs/reference/packetbeat/command-line-options.md
new file mode 100644
index 000000000000..ea56792a26ea
--- /dev/null
+++ b/docs/reference/packetbeat/command-line-options.md
@@ -0,0 +1,385 @@
+---
+navigation_title: "Command reference"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/command-line-options.html
+---
+
+# Packetbeat command reference [command-line-options]
+
+
+Packetbeat provides a command-line interface for starting Packetbeat and performing common tasks, like testing configuration files and loading dashboards.
+
+The command-line also supports [global flags](#global-flags) for controlling global behaviors.
+
+::::{tip}
+Use `sudo` to run the following commands if:
+
+* the config file is owned by `root`, or
+* Packetbeat is configured to capture data that requires `root` access
+
+::::
+
+
+Some of the features described here require an Elastic license. For more information, see [https://www.elastic.co/subscriptions](https://www.elastic.co/subscriptions) and [License Management](docs-content://deploy-manage/license/manage-your-license-in-self-managed-cluster.md).
+
+| Commands |  |
+| --- | --- |
+| [`export`](#export-command) | Exports the configuration, index template, ILM policy, or a dashboard to stdout. |
+| [`help`](#help-command) | Shows help for any command. |
+| [`keystore`](#keystore-command) | Manages the [secrets keystore](/reference/packetbeat/keystore.md). |
+| [`run`](#run-command) | Runs Packetbeat. This command is used by default if you start Packetbeat without specifying a command. |
+| [`setup`](#setup-command) | Sets up the initial environment, including the index template, ILM policy and write alias, and {{kib}} dashboards (when available). |
+| [`test`](#test-command) | Tests the configuration. |
+| [`version`](#version-command) | Shows information about the current version. |
+
+Also see [Global flags](#global-flags).
+
+## `export` command [export-command]
+
+Exports the configuration, index template, ILM policy, or a dashboard to stdout. You can use this command to quickly view your configuration, see the contents of the index template and the ILM policy, or export a dashboard from {{kib}}.
+
+**SYNOPSIS**
+
+```sh
+packetbeat export SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`config`**
+:   Exports the current configuration to stdout. If you use the `-c` flag, this command exports the configuration that’s defined in the specified file.
+
+$$$dashboard-subcommand$$$**`dashboard`**
+:   Exports a dashboard. You can use this option to store a dashboard on disk in a module and load it automatically. For example, to export the dashboard to a JSON file, run:
+
+    ```shell
+    packetbeat export dashboard --id="DASHBOARD_ID" > dashboard.json
+    ```
+
+    To find the `DASHBOARD_ID`, look at the URL for the dashboard in {{kib}}. By default, `export dashboard` writes the dashboard to stdout. The example shows how to write the dashboard to a JSON file so that you can import it later. The JSON file will contain the dashboard with all visualizations and searches. You must load the index pattern separately for Packetbeat.
+
+    To load the dashboard, copy the generated `dashboard.json` file into the `kibana/6/dashboard` directory of Packetbeat, and run `packetbeat setup --dashboards` to import the dashboard.
+
+    If {{kib}} is not running on `localhost:5061`, you must also adjust the Packetbeat configuration under `setup.kibana`.
+
+
+$$$template-subcommand$$$**`template`**
+:   Exports the index template to stdout. You can specify the `--es.version` flag to further define what gets exported. Furthermore you can export the template to a file instead of `stdout` by defining a directory via `--dir`.
+
+$$$ilm-policy-subcommand$$$
+
+**`ilm-policy`**
+:   Exports the index lifecycle management policy to stdout. You can specify the `--es.version` and a `--dir` to which the policy should be exported as a file rather than exporting to `stdout`.
+
+**FLAGS**
+
+**`--es.version VERSION`**
+:   When used with [`template`](#template-subcommand), exports an index template that is compatible with the specified version.  When used with [`ilm-policy`](#ilm-policy-subcommand), exports the ILM policy if the specified ES version is enabled for ILM.
+
+**`-h, --help`**
+:   Shows help for the `export` command.
+
+**`--dir DIRNAME`**
+:   Define a directory to which the template, pipelines, and ILM policy should be exported to as files instead of printing them to `stdout`.
+
+**`--id DASHBOARD_ID`**
+:   When used with [`dashboard`](#dashboard-subcommand), specifies the dashboard ID.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+packetbeat export config
+packetbeat export template --es.version 9.0.0-beta1
+packetbeat export dashboard --id="a7b35890-8baa-11e8-9676-ef67484126fb" > dashboard.json
+```
+
+
+## `help` command [help-command]
+
+Shows help for any command. If no command is specified, shows help for the `run` command.
+
+**SYNOPSIS**
+
+```sh
+packetbeat help COMMAND_NAME [FLAGS]
+```
+
+**`COMMAND_NAME`**
+:   Specifies the name of the command to show help for.
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `help` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+packetbeat help export
+```
+
+
+## `keystore` command [keystore-command]
+
+Manages the [secrets keystore](/reference/packetbeat/keystore.md).
+
+**SYNOPSIS**
+
+```sh
+packetbeat keystore SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`add KEY`**
+:   Adds the specified key to the keystore. Use the `--force` flag to overwrite an existing key. Use the `--stdin` flag to pass the value through `stdin`.
+
+**`create`**
+:   Creates a keystore to hold secrets. Use the `--force` flag to overwrite the existing keystore.
+
+**`list`**
+:   Lists the keys in the keystore.
+
+**`remove KEY`**
+:   Removes the specified key from the keystore.
+
+**FLAGS**
+
+**`--force`**
+:   Valid with the `add` and `create` subcommands. When used with `add`, overwrites the specified key. When used with `create`, overwrites the keystore.
+
+**`--stdin`**
+:   When used with `add`, uses the stdin as the source of the key’s value.
+
+**`-h, --help`**
+:   Shows help for the `keystore` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+packetbeat keystore create
+packetbeat keystore add ES_PWD
+packetbeat keystore remove ES_PWD
+packetbeat keystore list
+```
+
+See [Secrets keystore](/reference/packetbeat/keystore.md) for more examples.
+
+
+## `run` command [run-command]
+
+Runs Packetbeat. This command is used by default if you start Packetbeat without specifying a command.
+
+**SYNOPSIS**
+
+```sh
+packetbeat run [FLAGS]
+```
+
+Or:
+
+```sh
+packetbeat [FLAGS]
+```
+
+**FLAGS**
+
+**`-I, --I FILE`**
+:   Reads packet data from the specified file instead of reading packets from the network. This option is useful only for testing Packetbeat.
+
+    ```sh
+    packetbeat run -I ~/pcaps/network_traffic.pcap
+    ```
+
+
+**`-N, --N`**
+:   Disables publishing for testing purposes. This option disables all outputs except the [File output](/reference/packetbeat/file-output.md).
+
+**`-O, --O`**
+:   Read packets one by one by pressing *Enter* after each. This option is useful only for testing Packetbeat.
+
+**`--cpuprofile FILE`**
+:   Writes CPU profile data to the specified file. This option is useful for troubleshooting Packetbeat.
+
+**`-devices`**
+:   Prints the list of devices that are available for sniffing and then exits.
+
+**`--dump FILE`**
+:   Writes all captured packets to the specified file. This option is useful for troubleshooting Packetbeat.
+
+**`-h, --help`**
+:   Shows help for the `run` command.
+
+**`--httpprof [HOST]:PORT`**
+:   Starts an http server for profiling. This option is useful for troubleshooting and profiling Packetbeat.
+
+**`-l N`**
+:   Reads the pcap file `N` number of times. The default is 1. Use this option in combination with the `-I` option. For an infinite loop, use *0*. The `-l` option is useful only for testing Packetbeat.
+
+**`--memprofile FILE`**
+:   Writes memory profile data to the specified output file. This option is useful for troubleshooting Packetbeat.
+
+**`--system.hostfs MOUNT_POINT`**
+:   Specifies the mount point of the host’s filesystem for use in monitoring a host. This flag is depricated, and an alternate hostfs should be specified via the `hostfs` module config value.
+
+**`-t`**
+:   Reads packets from the pcap file as fast as possible without sleeping. Use this option in combination with the `-I` option. The `-t` option is useful only for testing Packetbeat.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+packetbeat run -e
+```
+
+Or:
+
+```sh
+packetbeat -e
+```
+
+
+## `setup` command [setup-command]
+
+Sets up the initial environment, including the index template, ILM policy and write alias, and {{kib}} dashboards (when available)
+
+* The index template ensures that fields are mapped correctly in Elasticsearch. If index lifecycle management is enabled it also ensures that the defined ILM policy and write alias are connected to the indices matching the index template. The ILM policy takes care of the lifecycle of an index, when to do a rollover, when to move an index from the hot phase to the next phase, etc.
+* The {{kib}} dashboards make it easier for you to visualize Packetbeat data in {{kib}}.
+
+This command sets up the environment without actually running Packetbeat and ingesting data. Specify optional flags to set up a subset of assets.
+
+**SYNOPSIS**
+
+```sh
+packetbeat setup [FLAGS]
+```
+
+**FLAGS**
+
+**`--dashboards`**
+:   Sets up the {{kib}} dashboards (when available). This option loads the dashboards from the Packetbeat package. For more options, such as loading customized dashboards, see [Importing Existing Beat Dashboards](http://www.elastic.co/guide/en/beats/devguide/master/import-dashboards.md) in the *Beats Developer Guide*.
+
+**`-h, --help`**
+:   Shows help for the `setup` command.
+
+**`--index-management`**
+:   Sets up components related to Elasticsearch index management including template, ILM policy, and write alias (if supported and configured).
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+packetbeat setup --dashboards
+packetbeat setup --index-management
+```
+
+
+## `test` command [test-command]
+
+Tests the configuration.
+
+**SYNOPSIS**
+
+```sh
+packetbeat test SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`config`**
+:   Tests the configuration settings.
+
+**`output`**
+:   Tests that Packetbeat can connect to the output by using the current settings.
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `test` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+packetbeat test config
+```
+
+
+## `version` command [version-command]
+
+Shows information about the current version.
+
+**SYNOPSIS**
+
+```sh
+packetbeat version [FLAGS]
+```
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `version` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+packetbeat version
+```
+
+
+## Global flags [global-flags]
+
+These global flags are available whenever you run Packetbeat.
+
+**`-E, --E "SETTING_NAME=VALUE"`**
+:   Overrides a specific configuration setting. You can specify multiple overrides. For example:
+
+    ```sh
+    packetbeat -E "name=mybeat" -E "output.elasticsearch.hosts=['http://myhost:9200']"
+    ```
+
+    This setting is applied to the currently running Packetbeat process. The Packetbeat configuration file is not changed.
+
+
+**`-c, --c FILE`**
+:   Specifies the configuration file to use for Packetbeat. The file you specify here is relative to `path.config`. If the `-c` flag is not specified, the default config file, `packetbeat.yml`, is used.
+
+**`-d, --d SELECTORS`**
+:   Enables debugging for the specified selectors. For the selectors, you can specify a comma-separated list of components, or you can use `-d "*"` to enable debugging for all components. For example, `-d "publisher"` displays all the publisher-related messages.
+
+**`-e, --e`**
+:   Logs to stderr and disables syslog/file output.
+
+**`--environment`**
+:   For logging purposes, specifies the environment that Packetbeat is running in. This setting is used to select a default log output when no log output is configured. Supported values are: `systemd`, `container`, `macos_service`, and `windows_service`. If `systemd` or `container` is specified, Packetbeat will log to stdout and stderr by default.
+
+**`--path.config`**
+:   Sets the path for configuration files. See the [Directory layout](/reference/packetbeat/directory-layout.md) section for details.
+
+**`--path.data`**
+:   Sets the path for data files. See the [Directory layout](/reference/packetbeat/directory-layout.md) section for details.
+
+**`--path.home`**
+:   Sets the path for miscellaneous files. See the [Directory layout](/reference/packetbeat/directory-layout.md) section for details.
+
+**`--path.logs`**
+:   Sets the path for log files. See the [Directory layout](/reference/packetbeat/directory-layout.md) section for details.
+
+**`--strict.perms`**
+:   Sets strict permission checking on configuration files. The default is `--strict.perms=true`. See [Config file ownership and permissions](/reference/libbeat/config-file-permissions.md) for more information.
+
+**`-v, --v`**
+:   Logs INFO-level messages.
+
+
diff --git a/docs/reference/packetbeat/common-protocol-options.md b/docs/reference/packetbeat/common-protocol-options.md
new file mode 100644
index 000000000000..d46e815ccde6
--- /dev/null
+++ b/docs/reference/packetbeat/common-protocol-options.md
@@ -0,0 +1,78 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/common-protocol-options.html
+---
+
+# Common protocol options [common-protocol-options]
+
+The following options are available for all protocols:
+
+
+## `enabled` [_enabled_2]
+
+The enabled setting is a boolean setting to enable or disable protocols without having to comment out configuration sections. If set to false, the protocol is disabled.
+
+The default value is true.
+
+
+## `ports` [_ports]
+
+Exception: For ICMP the option `enabled` has to be used instead.
+
+The ports where Packetbeat will look to capture traffic for specific protocols. Packetbeat installs a [BPF](https://en.wikipedia.org/wiki/Berkeley_Packet_Filter) filter based on the ports specified in this section. If a packet doesn’t match the filter, very little CPU is required to discard the packet. Packetbeat also uses the ports specified here to determine which parser to use for each packet.
+
+
+## `send_request` [send-request-option]
+
+If this option is enabled, the raw message of the request (`request` field) is sent to Elasticsearch. The default is false. This option is useful when you want to index the whole request. Note that for HTTP, the body is not included by default, only the HTTP headers.
+
+
+## `send_response` [send-response-option]
+
+If this option is enabled, the raw message of the response (`response` field) is sent to Elasticsearch. The default is false.  This option is useful when you want to index the whole response. Note that for HTTP, the body is not included by default, only the HTTP headers.
+
+
+## `transaction_timeout` [transaction-timeout-option]
+
+The per protocol transaction timeout. Expired transactions will no longer be correlated to incoming responses, but sent to Elasticsearch immediately.
+
+
+## `fields` [packetbeat-configuration-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+
+## `index` [packetbeat-configuration-index]
+
+Overrides the index that events for the given protocol are published to.
+
+```yaml
+packetbeat.protocols:
+- type: http
+  ports: [80]
+  fields:
+    service_id: nginx
+```
+
+
+## `fields_under_root` [packetbeat-fields-under-root]
+
+If this option is set to true, the custom [fields](#packetbeat-configuration-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Packetbeat, then the custom fields overwrite the other fields.
+
+
+## `tags` [_tags_2]
+
+A list of tags that will be sent with the transaction event. This setting is optional.
+
+
+## `processors` [_processors_2]
+
+A list of processors to apply to the data generated by the protocol.
+
+See [Processors](/reference/packetbeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+## `keep_null` [_keep_null_2]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
diff --git a/docs/reference/packetbeat/community-id.md b/docs/reference/packetbeat/community-id.md
new file mode 100644
index 000000000000..a04a32fba8f2
--- /dev/null
+++ b/docs/reference/packetbeat/community-id.md
@@ -0,0 +1,41 @@
+---
+navigation_title: "community_id"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/community-id.html
+---
+
+# Community ID Network Flow Hash [community-id]
+
+
+The `community_id` processor computes a network flow hash according to the [Community ID Flow Hash specification](https://github.com/corelight/community-id-spec).
+
+The flow hash is useful for correlating all network events related to a single flow. For example you can filter on a community ID value and you might get back the Netflow records from multiple collectors and layer 7 protocol records from Packetbeat.
+
+By default the processor is configured to read the flow parameters from the appropriate Elastic Common Schema (ECS) fields. If you are processing ECS data then no parameters are required.
+
+```yaml
+processors:
+  - community_id:
+```
+
+If the data does not conform to ECS then you can customize the field names that the processor reads from. You can also change the `target` field which is where the computed hash is written to.
+
+```yaml
+processors:
+  - community_id:
+      fields:
+        source_ip: my_source_ip
+        source_port: my_source_port
+        destination_ip: my_dest_ip
+        destination_port: my_dest_port
+        iana_number: my_iana_number
+        transport: my_transport
+        icmp_type: my_icmp_type
+        icmp_code: my_icmp_code
+      target: network.community_id
+```
+
+If the necessary fields are not present in the event then the processor will silently continue without adding the target field.
+
+The processor also accepts an optional `seed` parameter that must be a 16-bit unsigned integer. This value gets incorporated into all generated hashes.
+
diff --git a/docs/reference/packetbeat/configuration-cassandra.md b/docs/reference/packetbeat/configuration-cassandra.md
new file mode 100644
index 000000000000..f027b4bac0eb
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-cassandra.md
@@ -0,0 +1,45 @@
+---
+navigation_title: "Cassandra"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-cassandra.html
+---
+
+# Capture Cassandra traffic [configuration-cassandra]
+
+
+The following settings are specific to the Cassandra protocol. Here is a sample configuration for the `cassandra` section of the `packetbeat.yml` config file:
+
+```yaml
+packetbeat.protocols:
+- type: cassandra
+  send_request_header: true
+  send_response_header: true
+  compressor: "snappy"
+  ignored_ops: ["SUPPORTED","OPTIONS"]
+```
+
+## Configuration options [_configuration_options_6]
+
+Also see [Common protocol options](/reference/packetbeat/common-protocol-options.md).
+
+### `send_request_header` [_send_request_header]
+
+If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field) is sent to Elasticsearch. The default is true. enable `send_request` first before enable this option.
+
+
+### `send_response_header` [_send_response_header]
+
+If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field) is included in published events. The default is true. enable `send_response` first before enable this option.
+
+
+### `ignored_ops` [_ignored_ops]
+
+This option indicates which Operator/Operators captured will be ignored. currently support: `ERROR` ,`STARTUP` ,`READY` ,`AUTHENTICATE` ,`OPTIONS` ,`SUPPORTED` , `QUERY` ,`RESULT` ,`PREPARE` ,`EXECUTE` ,`REGISTER`  ,`EVENT` , `BATCH` ,`AUTH_CHALLENGE`,`AUTH_RESPONSE` ,`AUTH_SUCCESS` .
+
+
+### `compressor` [_compressor]
+
+Configures the default compression algorithm being used to uncompress compressed frames by name. Currently only `snappy` is can be configured. By default no compressor is configured.
+
+
+
diff --git a/docs/reference/packetbeat/configuration-dashboards.md b/docs/reference/packetbeat/configuration-dashboards.md
new file mode 100644
index 000000000000..82e39bf27c4f
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-dashboards.md
@@ -0,0 +1,103 @@
+---
+navigation_title: "Kibana dashboards"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-dashboards.html
+---
+
+# Configure Kibana dashboard loading [configuration-dashboards]
+
+
+Packetbeat comes packaged with example Kibana dashboards, visualizations, and searches for visualizing Packetbeat data in Kibana.
+
+To load the dashboards, you can either enable dashboard loading in the `setup.dashboards` section of the `packetbeat.yml` config file, or you can run the `setup` command. Dashboard loading is disabled by default.
+
+When dashboard loading is enabled, Packetbeat uses the Kibana API to load the sample dashboards. Dashboard loading is only attempted when Packetbeat starts up. If Kibana is not available at startup, Packetbeat will stop with an error.
+
+To enable dashboard loading, add the following setting to the config file:
+
+```yaml
+setup.dashboards.enabled: true
+```
+
+
+## Configuration options [_configuration_options_26]
+
+You can specify the following options in the `setup.dashboards` section of the `packetbeat.yml` config file:
+
+
+### `setup.dashboards.enabled` [_setup_dashboards_enabled]
+
+If this option is set to true, Packetbeat loads the sample Kibana dashboards from the local `kibana` directory in the home path of the Packetbeat installation.
+
+::::{note}
+Packetbeat loads dashboards on startup if either `enabled` is set to `true` or the `setup.dashboards` section is included in the configuration.
+::::
+
+
+::::{note}
+When dashboard loading is enabled, Packetbeat overwrites any existing dashboards that match the names of the dashboards you are loading. This happens every time Packetbeat starts.
+::::
+
+
+If no other options are set, the dashboard are loaded from the local `kibana` directory in the home path of the Packetbeat installation. To load dashboards from a different location, you can configure one of the following options: [`setup.dashboards.directory`](#directory-option), [`setup.dashboards.url`](#url-option), or [`setup.dashboards.file`](#file-option).
+
+
+### `setup.dashboards.directory` [directory-option]
+
+The directory that contains the dashboards to load. The default is the `kibana` folder in the home path.
+
+
+### `setup.dashboards.url` [url-option]
+
+The URL to use for downloading the dashboard archive. If this option is set, Packetbeat downloads the dashboard archive from the specified URL instead of using the local directory.
+
+
+### `setup.dashboards.file` [file-option]
+
+The file archive (zip file) that contains the dashboards to load. If this option is set, Packetbeat looks for a dashboard archive in the specified path instead of using the local directory.
+
+
+### `setup.dashboards.beat` [_setup_dashboards_beat]
+
+In case the archive contains the dashboards for multiple Beats, this setting lets you select the Beat for which you want to load dashboards. To load all the dashboards in the archive, set this option to an empty string. The default is `"packetbeat"`.
+
+
+### `setup.dashboards.kibana_index` [_setup_dashboards_kibana_index]
+
+The name of the Kibana index to use for setting the configuration. The default is `".kibana"`
+
+
+### `setup.dashboards.index` [_setup_dashboards_index]
+
+The Elasticsearch index name. This setting overwrites the index name defined in the dashboards and index pattern. Example: `"testbeat-*"`
+
+::::{note}
+This setting only works for Kibana 6.0 and newer.
+::::
+
+
+
+### `setup.dashboards.always_kibana` [_setup_dashboards_always_kibana]
+
+Force loading of dashboards using the Kibana API without querying Elasticsearch for the version. The default is `false`.
+
+
+### `setup.dashboards.retry.enabled` [_setup_dashboards_retry_enabled]
+
+If this option is set to true, and Kibana is not reachable at the time when dashboards are loaded, Packetbeat will retry to reconnect to Kibana instead of exiting with an error. Disabled by default.
+
+
+### `setup.dashboards.retry.interval` [_setup_dashboards_retry_interval]
+
+Duration interval between Kibana connection retries. Defaults to 1 second.
+
+
+### `setup.dashboards.retry.maximum` [_setup_dashboards_retry_maximum]
+
+Maximum number of retries before exiting with an error. Set to 0 for unlimited retrying. Default is unlimited.
+
+
+### `setup.dashboards.string_replacements` [_setup_dashboards_string_replacements]
+
+The needle and replacements string map, which is used to replace needle string in dashboards and their references contents.
+
diff --git a/docs/reference/packetbeat/configuration-feature-flags.md b/docs/reference/packetbeat/configuration-feature-flags.md
new file mode 100644
index 000000000000..be8508a404c4
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-feature-flags.md
@@ -0,0 +1,54 @@
+---
+navigation_title: "Feature flags"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-feature-flags.html
+---
+
+# Configure feature flags [configuration-feature-flags]
+
+
+The Feature Flags section of the `packetbeat.yml` config file contains settings in Packetbeat that are disabled by default. These may include experimental features, changes to behaviors within Packetbeat, or settings that could cause a breaking change. For example a setting that changes information included in events might be inconsistent with the naming pattern expected in your configured Packetbeat output.
+
+To enable any of the settings listed on this page, change the associated `enabled` flag from `false` to `true`.
+
+```yaml
+features:
+  mysetting:
+    enabled: true
+```
+
+
+## Configuration options [_configuration_options_30]
+
+You can specify the following options in the `features` section of the `packetbeat.yml` config file:
+
+
+### `fqdn` [_fqdn]
+
+Contains configuration for the FQDN reporting feature. When this feature is enabled, the fully-qualified domain name for the host is reported in the `host.name` field in events produced by Packetbeat.
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+For FQDN reporting to work as expected, the hostname of the current host must either:
+
+* Have a CNAME entry defined in DNS.
+* Have one of its corresponding IP addresses respond successfully to a reverse DNS lookup.
+
+If neither pre-requisite is satisfied, `host.name` continues to report the hostname of the current host as if the FQDN feature flag were not enabled.
+
+Example configuration:
+
+```yaml
+features:
+  fqdn:
+    enabled: true
+```
+
+
+#### `enabled` [_enabled_13]
+
+Set to `true` to enable the FQDN reporting feature of Packetbeat. Defaults to `false`.
+
diff --git a/docs/reference/packetbeat/configuration-flows.md b/docs/reference/packetbeat/configuration-flows.md
new file mode 100644
index 000000000000..89412a569e08
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-flows.md
@@ -0,0 +1,134 @@
+---
+navigation_title: "Network flows"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-flows.html
+---
+
+# Configure flows to monitor network traffic [configuration-flows]
+
+
+You can configure Packetbeat to collect and report statistics on network flows. A *flow* is a group of packets sent over the same time period that share common properties, such as the same source and destination address and protocol. You can use this feature to analyze network traffic over specific protocols on your network.
+
+For each flow, Packetbeat reports the number of packets and the total number of bytes sent from the source to the destination. Each flow event also contains information about the source and destination hosts, such as their IP address. For bi-directional flows, Packetbeat reports statistics for the reverse flow.
+
+Packetbeat collects and reports statistics up to and including the transport layer. See [*Flow Event fields*](/reference/packetbeat/exported-fields-flows_event.md) for more info about the exported data.
+
+Here’s an example of flow events visualized in the Flows dashboard:
+
+:::{image} images/flows.png
+:alt: flows
+:::
+
+To configure flows, use the `packetbeat.flows` option in the `packetbeat.yml` config file. Flows are enabled by default. If this section is missing from the configuration file, network flows are disabled.
+
+```yaml
+packetbeat.flows:
+  timeout: 30s
+  period: 10s
+```
+
+Here’s an example of a flow information sent by Packetbeat. See [*Flow Event fields*](/reference/packetbeat/exported-fields-flows_event.md) for a description of each field.
+
+```json
+{
+  "@timestamp": "2018-11-15T14:41:24.000Z",
+  "agent": {
+    "hostname": "host.example.com",
+    "name": "host.example.com",
+    "version": "9.0.0-beta1"
+  },
+  "destination": {
+    "bytes": 460,
+    "ip": "198.51.100.2",
+    "mac": "06-05-04-03-02-01",
+    "packets": 2,
+    "port": 80
+  },
+  "event": {
+    "dataset": "flow",
+    "duration": 3000000000,
+    "end": "2018-11-15T14:41:24.000Z",
+    "start": "2018-11-15T14:41:21.000Z"
+  },
+  "flow": {
+    "final": true, <1>
+    "id": "FQQA/wz/Dv//////Fv8BAQEBAgMEBQYGBQQDAgGrAMsAcQPGM2QC9ZdQAA",
+    "vlan": 171
+  },
+  "network": {
+    "bytes": 470,
+    "community_id": "1:t9T66/2c66NQyftAEsr4aMZv4Hc=",
+    "packets": 3,
+    "transport": "tcp",
+    "type": "ipv4"
+  },
+  "source": {
+    "bytes": 10,
+    "ip": "203.0.113.3",
+    "mac": "01-02-03-04-05-06",
+    "packets": 1,
+    "port": 38901
+  }
+}
+```
+
+1. Packetbeat sets the `flow.final` flag to `false` to indicate that the event contains an intermediate report about a flow that it’s tracking. When the flow completes, Packetbeat sends one last event with `flow.final` set to `true`. If you want to aggregate sums of traffic, you need to filter on `final:true`, or use some other technique, so that you get only the latest update from each flow. You can disable intermediate reports by setting `period: -1s`.
+
+
+
+## Configuration options [_configuration_options]
+
+You can specify the following options in the `packetbeat.flows` section of the `packetbeat.yml` config file:
+
+
+### `enabled` [_enabled]
+
+Enables flows support if set to true. Set to false to disable network flows support without having to delete or comment out the flows section. The default value is true.
+
+
+### `timeout` [_timeout]
+
+Timeout configures the lifetime of a flow. If no packets have been received for a flow within the timeout time window, the flow is killed and reported. The default value is 30s.
+
+
+### `period` [_period]
+
+Configure the reporting interval. All flows are reported at the very same point in time. Periodical reporting can be disabled by setting the value to -1. If disabled, flows are still reported once being timed out. The default value is 10s.
+
+
+### `enable_delta_flow_reports` [_enable_delta_flow_reports]
+
+Configure network.bytes and network.packets to be a delta value instead of a cumlative sum for each flow period. The default value is false.
+
+
+### `fields` [packetbeat-configuration-flows-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+
+### `fields_under_root` [_fields_under_root]
+
+If this option is set to true, the custom [fields](#packetbeat-configuration-flows-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Packetbeat, then the custom fields overwrite the other fields.
+
+
+### `tags` [_tags]
+
+A list of tags that will be sent with the protocol event. This setting is optional.
+
+
+### `processors` [_processors]
+
+A list of processors to apply to the data generated by the protocol.
+
+See [Processors](/reference/packetbeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+### `keep_null` [_keep_null]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+### `index` [_index]
+
+Overrides the index that flow events are published to.
+
diff --git a/docs/reference/packetbeat/configuration-general-options.md b/docs/reference/packetbeat/configuration-general-options.md
new file mode 100644
index 000000000000..dfbb4a0bf1af
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-general-options.md
@@ -0,0 +1,88 @@
+---
+navigation_title: "General settings"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-general-options.html
+---
+
+# Configure general settings [configuration-general-options]
+
+
+You can specify settings in the `packetbeat.yml` config file to control the general behavior of Packetbeat.
+
+
+## General configuration options [configuration-general]
+
+
+These options are supported by all Elastic Beats. Because they are common options, they are not namespaced.
+
+Here is an example configuration:
+
+```yaml
+name: "my-shipper"
+tags: ["service-X", "web-tier"]
+```
+
+
+### `name` [_name]
+
+The name of the Beat. If this option is empty, the `hostname` of the server is used. The name is included as the `agent.name` field in each published transaction. You can use the name to group all transactions sent by a single Beat.
+
+Example:
+
+```yaml
+name: "my-shipper"
+```
+
+
+### `tags` [_tags_3]
+
+A list of tags that the Beat includes in the `tags` field of each published transaction. Tags make it easy to group servers by different logical properties. For example, if you have a cluster of web servers, you can add the "webservers" tag to the Beat on each server, and then use filters and queries in the Kibana web interface to get visualisations for the whole group of servers.
+
+Example:
+
+```yaml
+tags: ["my-service", "hardware", "test"]
+```
+
+
+### `fields` [libbeat-configuration-fields]
+
+Optional fields that you can specify to add additional information to the output. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true.
+
+Example:
+
+```yaml
+fields: {project: "myproject", instance-id: "574734885120952459"}
+```
+
+
+### `fields_under_root` [_fields_under_root_2]
+
+If this option is set to true, the custom [fields](#libbeat-configuration-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names, then the custom fields overwrite the other fields.
+
+Example:
+
+```yaml
+fields_under_root: true
+fields:
+  instance_id: i-10a64379
+  region: us-east-1
+```
+
+
+### `processors` [_processors_3]
+
+A list of processors to apply to the data generated by the beat.
+
+See [Processors](/reference/packetbeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+### `max_procs` [_max_procs]
+
+Sets the maximum number of CPUs that can be executing simultaneously. The default is the number of logical CPUs available in the system.
+
+
+### `timestamp.precision` [_timestamp_precision]
+
+Configure the precision of all timestamps. By default it is set to millisecond. Available options: millisecond, microsecond, nanosecond
+
diff --git a/docs/reference/packetbeat/configuration-instrumentation.md b/docs/reference/packetbeat/configuration-instrumentation.md
new file mode 100644
index 000000000000..f931bf60eb39
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-instrumentation.md
@@ -0,0 +1,87 @@
+---
+navigation_title: "Instrumentation"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-instrumentation.html
+---
+
+# Configure APM instrumentation [configuration-instrumentation]
+
+
+Libbeat uses the Elastic APM Go Agent to instrument its publishing pipeline. Currently, only the Elasticsearch output is instrumented. To gain insight into the performance of Packetbeat, you can enable this instrumentation and send trace data to the APM Integration.
+
+Example configuration with instrumentation enabled:
+
+```yaml
+instrumentation:
+  enabled: true
+  environment: production
+  hosts:
+    - "http://localhost:8200"
+  api_key: L5ER6FEvjkmlfalBealQ3f3fLqf03fazfOV
+```
+
+
+## Configuration options [_configuration_options_29]
+
+You can specify the following options in the `instrumentation` section of the `packetbeat.yml` config file:
+
+
+### `enabled` [_enabled_12]
+
+Set to `true` to enable instrumentation of Packetbeat. Defaults to `false`.
+
+
+### `environment` [_environment]
+
+Set the environment in which Packetbeat is running, for example, `staging`, `production`, `dev`, etc. Environments can be filtered in the [APM app](docs-content://solutions/observability/apps/overviews.md).
+
+
+### `hosts` [_hosts_3]
+
+The APM integration [host](docs-content://reference/ingestion-tools/observability/apm-settings.md) to report instrumentation data to. Defaults to `http://localhost:8200`.
+
+
+### `api_key` [_api_key_2]
+
+The [API Key](docs-content://reference/ingestion-tools/observability/apm-settings.md) used to secure communication with the APM Integration. If `api_key` is set then `secret_token` will be ignored.
+
+
+### `secret_token` [_secret_token]
+
+The [Secret token](docs-content://reference/ingestion-tools/observability/apm-settings.md) used to secure communication with the APM Integration.
+
+
+### `profiling.cpu.enabled` [_profiling_cpu_enabled]
+
+Set to `true` to enable CPU profiling, where profile samples are recorded as events.
+
+This feature is experimental.
+
+
+### `profiling.cpu.interval` [_profiling_cpu_interval]
+
+Configure the CPU profiling interval. Defaults to `60s`.
+
+This feature is experimental.
+
+
+### `profiling.cpu.duration` [_profiling_cpu_duration]
+
+Configure the CPU profiling duration. Defaults to `10s`.
+
+This feature is experimental.
+
+
+### `profiling.heap.enabled` [_profiling_heap_enabled]
+
+Set to `true` to enable heap profiling.
+
+This feature is experimental.
+
+
+### `profiling.heap.interval` [_profiling_heap_interval]
+
+Configure the heap profiling interval. Defaults to `60s`.
+
+This feature is experimental.
+
diff --git a/docs/reference/packetbeat/configuration-interfaces.md b/docs/reference/packetbeat/configuration-interfaces.md
new file mode 100644
index 000000000000..1408103da763
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-interfaces.md
@@ -0,0 +1,250 @@
+---
+navigation_title: "Traffic sniffing"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-interfaces.html
+---
+
+# Configure traffic capturing options [configuration-interfaces]
+
+
+There are two main ways of deploying Packetbeat:
+
+* On dedicated servers, getting the traffic from mirror ports or tap devices.
+* On your existing application servers.
+
+The first option has the big advantage that there is no overhead of any kind on your application servers. But it requires dedicated networking gear, which is generally not available on cloud setups.
+
+In both cases, the sniffing performance (reading packets passively from the network) is very important. In the case of a dedicated server, better sniffing performance means that less hardware is required. When Packetbeat is installed on an existing application server, better sniffing performance means less overhead.
+
+Currently Packetbeat has several options for traffic capturing:
+
+* `pcap`, which uses the libpcap library and works on most platforms, but it’s not the fastest option.
+* `af_packet`, which uses memory mapped sniffing. This option is faster than libpcap and doesn’t require a kernel module, but it’s Linux-specific.
+
+The `af_packet` option, also known as "memory-mapped sniffing," makes use of a Linux-specific [feature](https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt). This could be the optimal sniffing mode for both the dedicated server and when Packetbeat is deployed on an existing application server.
+
+The way it works is that both the kernel and the user space program map the same memory zone, and a simple circular buffer is organized in this memory zone. The kernel writes packets into the circular buffer, and the user space program reads from it. The poll system call is used for getting a notification for the first packet available, but the remaining available packets can be simply read via memory access.
+
+The `af_packet` sniffer can be further tuned to use more memory in exchange for better performance. The larger the size of the circular buffer, the fewer system calls are needed, which means that fewer CPU cycles are consumed. The default size of the buffer is 30 MB, but you can increase it like this:
+
+```yaml
+packetbeat.interfaces.device: eth0
+packetbeat.interfaces.type: af_packet
+packetbeat.interfaces.buffer_size_mb: 100
+```
+
+
+## Windows Npcap installation options [_windows_npcap_installation_options]
+
+On Windows Packetbeat requires an Npcap DLL installation. This is provided by Packetbeat for users of the Elastic Licenced version. In some cases users may wish to use their own installed version. In order to do this the `packetbeat.npcap.never_install` option can be used. Setting this option to `true` will not attempt to install the bundled Npcap library on start-up unless no Npcap is already installed.
+
+```yaml
+packetbeat.npcap.never_install: true
+```
+
+
+## Sniffing configuration options [_sniffing_configuration_options]
+
+You can specify the following options in the `packetbeat.interfaces` section of the `packetbeat.yml` config file. Here is an example configuration:
+
+```yaml
+packetbeat.interfaces.device: any
+packetbeat.interfaces.snaplen: 1514
+packetbeat.interfaces.type: af_packet
+packetbeat.interfaces.buffer_size_mb: 100
+```
+
+
+### `device` [_device]
+
+The network device to capture traffic from. The specified device is set automatically to promiscuous mode, meaning that Packetbeat can capture traffic from other hosts on the same LAN.
+
+Example:
+
+```yaml
+packetbeat.interfaces.device: eth0
+```
+
+On Linux, you can specify `any` for the device, and Packetbeat captures all messages sent or received by the server where Packetbeat is installed.
+
+::::{note}
+When you specify `any` for the device, the interfaces are not set to promiscuous mode.
+::::
+
+
+The `device` option also accepts specifying the device by its index in the list of devices available for sniffing. To obtain the list of available devices, run Packetbeat with the following command:
+
+```sh
+packetbeat devices
+```
+
+This command returns a list that looks something like the following:
+
+```sh
+0: en0 (No description available)
+1: awdl0 (No description available)
+2: bridge0 (No description available)
+3: fw0 (No description available)
+4: en1 (No description available)
+5: en2 (No description available)
+6: p2p0 (No description available)
+7: en4 (No description available)
+8: lo0 (No description available)
+```
+
+The following example sets up sniffing on the first interface in the list:
+
+```yaml
+packetbeat.interfaces.device: 0
+```
+
+Specifying the index is especially useful on Windows where device names can be long.
+
+Alternatively the `default_route`, `default_route_ipv4` or `default_route_ipv6` device may be specified. This will set the capture device to be the device that is associated with the first default route identified on Packetbeat start-up. `default_route` will select the first default route from either IPv4 or IPv6 with a preference for the IPv4 route, while `default_route_ipv4` and `default_route_ipv6` will only select from the specified stack. The selected interface is not altered after it is chosen.
+
+
+### `snaplen` [_snaplen]
+
+The maximum size of the packets to capture. The default is 65535, which is large enough for almost all networks and interface types. If you sniff on a physical network interface, the optimal setting is the MTU size. On virtual interfaces, however, it’s safer to accept the default value.
+
+Example:
+
+```yaml
+packetbeat.interfaces.device: eth0
+packetbeat.interfaces.snaplen: 1514
+```
+
+
+### `type` [_type]
+
+Packetbeat supports these sniffer types:
+
+* `pcap`, which uses the libpcap library and works on most platforms, but it’s not the fastest option.
+* `af_packet`, which uses memory-mapped sniffing. This option is faster than libpcap and doesn’t require a kernel module, but it’s Linux-specific.
+
+The default sniffer type is `pcap`.
+
+Here is an example configuration that specifies the `af_packet` sniffing type:
+
+```yaml
+packetbeat.interfaces.device: eth0
+packetbeat.interfaces.type: af_packet
+```
+
+On Linux, if you are trying to optimize the CPU usage of Packetbeat, we recommend trying the `af_packet` option.
+
+If you use the `af_packet` sniffer, you can tune its behaviour by specifying the following options:
+
+
+### `buffer_size_mb` [_buffer_size_mb]
+
+The maximum size of the shared memory buffer to use between the kernel and user space. A bigger buffer usually results in lower CPU usage, but consumes more memory. This setting is only available for the `af_packet` sniffer type. The default is 30 MB.
+
+Example:
+
+```yaml
+packetbeat.interfaces.device: eth0
+packetbeat.interfaces.type: af_packet
+packetbeat.interfaces.buffer_size_mb: 100
+```
+
+
+### `fanout_group` [_fanout_group]
+
+To scale processing across multiple Packetbeat processes, a fanout group identifier can be specified. When `fanout_group` is used the Linux kernel splits packets across Packetbeat instances in the same group by using a flow hash. It computes the flow hash modulo with the number of Packetbeat processes in order to consistently route flows to the same Packetbeat instance.
+
+The value must be between 0 and 65535. By default, no value is set.
+
+This is only available on Linux and requires using `type: af_packet`. Each process must be running in same network namespace. All processes must use the same interface settings. You must take responsibility for running multiple instances of Packetbeat.
+
+Example:
+
+```yaml
+packetbeat.interfaces.type: af_packet
+packetbeat.interfaces.fanout_group: 1
+```
+
+
+### `metrics_interval` [_metrics_interval]
+
+Configure the metrics polling interval for supported interface types. Currently, only `af_packet` is supported.
+
+The value must be a duration string. The default is `5s` (5 seconds). A value less than or equal to zero will be set to the default value.
+
+Example:
+
+```yaml
+packetbeat.interfaces.type: af_packet
+packetbeat.interfaces.metrics_interval: 5s
+```
+
+
+### `auto_promisc_mode` [_auto_promisc_mode]
+
+With `auto_promisc_mode` Packetbeat puts interface in promiscuous mode automatically on startup. This option does not work with `any` interface device. The default option is false and requires manual set-up of promiscuous mode. Warning: under some circumstances (e.g beat crash) promiscuous mode can stay enabled even after beat is shut down.
+
+Example:
+
+```yaml
+packetbeat.interfaces.device: eth0
+packetbeat.interfaces.type: af_packet
+packetbeat.interfaces.buffer_size_mb: 100
+packetbeat.interfaces.auto_promisc_mode: true
+```
+
+
+### `with_vlans` [_with_vlans]
+
+Packetbeat automatically generates a [BPF](https://en.wikipedia.org/wiki/Berkeley_Packet_Filter) for capturing only the traffic on ports where it expects to find known protocols. For example, if you have configured port 80 for HTTP and port 3306 for MySQL, Packetbeat generates the following BPF filter: `"port 80 or port 3306"`.
+
+However, if the traffic contains [VLAN](https://en.wikipedia.org/wiki/IEEE_802.1Q) tags, the filter that Packetbeat generates is ineffective because the offset is moved by four bytes. To fix this, you can enable the `with_vlans` option, which generates a BPF filter that looks like this: `"port 80 or port 3306 or (vlan and (port 80 or port 3306))"`.
+
+
+### `bpf_filter` [_bpf_filter]
+
+Packetbeat automatically generates a [BPF](https://en.wikipedia.org/wiki/Berkeley_Packet_Filter) for capturing only the traffic on ports where it expects to find known protocols. For example, if you have configured port 80 for HTTP and port 3306 for MySQL, Packetbeat generates the following BPF filter: `"port 80 or port 3306"`.
+
+You can use the `bpf_filter` setting to overwrite the generated BPF filter. For example:
+
+```yaml
+packetbeat.interfaces.device: eth0
+packetbeat.interfaces.bpf_filter: "net 192.168.238.0/0 and port 80 or port 3306"
+```
+
+::::{note}
+This setting disables automatic generation of the BPF filter. If you use this setting, it’s your responsibility to keep the BPF filters in sync with the ports defined in the `protocols` section.
+::::
+
+
+
+### `ignore_outgoing` [_ignore_outgoing]
+
+If the `ignore_outgoing` option is enabled, Packetbeat ignores all the transactions initiated from the server running Packetbeat.
+
+This is useful when two Packetbeat instances publish the same transactions. Because one Packetbeat sees the transaction in its outgoing queue and the other sees it in its incoming queue, you can end up with duplicate transactions. To remove the duplicates, you can enable the `packetbeat.ignore_outgoing` option on one of the servers.
+
+For example, in the following scenario, you see a 3-server architecture where a Beat is installed on each server. t1 is the transaction exchanged between Server1 and Server2, and t2 is the transaction between Server2 and Server3.
+
+:::{image} images/option_ignore_outgoing.png
+:alt: Beats Architecture
+:::
+
+By default, each transaction is indexed twice because Beat2 sees both transactions. So you would see the following published transactions (when `ignore_outgoing` is false):
+
+* Beat1: t1
+* Beat2: t1 and t2
+* Beat3: t2
+
+To avoid duplicates, you can force your Beats to send only the incoming transactions and ignore the transactions created by the local server. So you would see the following published transactions (when `ignore_outgoing` is true):
+
+* Beat1: none
+* Beat2: t1
+* Beat3: t2
+
+
+### `internal_networks` [_internal_networks]
+
+If the `internal_networks` option is specified, when monitoring network taps or mirror ports, Packetbeat will attempt to classify the network directionality of traffic not intended for this host as it relates to a network perimeter. Any CIDR block specified in `internal_networks` is treated internal to the perimeter, and any IP address falling outside of these CIDR blocks is considered external.
+
+This is useful when Packetbeat is running on an appliance that sits at a network boundary such as a firewall or VPN. Note that this only affects how the directionality of network traffic is classified.
+
diff --git a/docs/reference/packetbeat/configuration-kerberos.md b/docs/reference/packetbeat/configuration-kerberos.md
new file mode 100644
index 000000000000..d27b320d72ba
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-kerberos.md
@@ -0,0 +1,90 @@
+---
+navigation_title: "Kerberos"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-kerberos.html
+---
+
+# Configure Kerberos [configuration-kerberos]
+
+
+You can specify Kerberos options with any output or input that supports Kerberos, like {{es}}.
+
+The following encryption types are supported:
+
+* aes128-cts-hmac-sha1-96
+* aes128-cts-hmac-sha256-128
+* aes256-cts-hmac-sha1-96
+* aes256-cts-hmac-sha384-192
+* des3-cbc-sha1-kd
+* rc4-hmac
+
+Example output config with Kerberos password based authentication:
+
+```yaml
+output.elasticsearch.hosts: ["http://my-elasticsearch.elastic.co:9200"]
+output.elasticsearch.kerberos.auth_type: password
+output.elasticsearch.kerberos.username: "elastic"
+output.elasticsearch.kerberos.password: "changeme"
+output.elasticsearch.kerberos.config_path: "/etc/krb5.conf"
+output.elasticsearch.kerberos.realm: "ELASTIC.CO"
+```
+
+The service principal name for the Elasticsearch instance is contructed from these options. Based on this configuration it is going to be `HTTP/my-elasticsearch.elastic.co@ELASTIC.CO`.
+
+
+## Configuration options [_configuration_options_23]
+
+You can specify the following options in the `kerberos` section of the `packetbeat.yml` config file:
+
+
+### `enabled` [_enabled_11]
+
+The `enabled` setting can be used to enable the kerberos configuration by setting it to `false`. The default value is `true`.
+
+::::{note}
+Kerberos settings are disabled if either `enabled` is set to `false` or the `kerberos` section is missing.
+::::
+
+
+
+### `auth_type` [_auth_type]
+
+There are two options to authenticate with Kerberos KDC: `password` and `keytab`.
+
+`password` expects the principal name and its password. When choosing `keytab`, you have to specify a principal name and a path to a keytab. The keytab must contain the keys of the selected principal. Otherwise, authentication will fail.
+
+
+### `config_path` [_config_path]
+
+You need to set the path to the `krb5.conf`, so Packetbeat can find the Kerberos KDC to retrieve a ticket.
+
+
+### `username` [_username_3]
+
+Name of the principal used to connect to the output.
+
+
+### `password` [_password_4]
+
+If you configured `password` for `auth_type`, you have to provide a password for the selected principal.
+
+
+### `keytab` [_keytab]
+
+If you configured `keytab` for `auth_type`, you have to provide the path to the keytab of the selected principal.
+
+
+### `service_name` [_service_name]
+
+This option can only be configured for Kafka. It is the name of the Kafka service, usually `kafka`.
+
+
+### `realm` [_realm]
+
+Name of the realm where the output resides.
+
+
+### `enable_krb5_fast` [_enable_krb5_fast]
+
+Enable Kerberos FAST authentication. This may conflict with some Active Directory installations. The default is `false`.
+
diff --git a/docs/reference/packetbeat/configuration-logging.md b/docs/reference/packetbeat/configuration-logging.md
new file mode 100644
index 000000000000..8335341eea63
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-logging.md
@@ -0,0 +1,253 @@
+---
+navigation_title: "Logging"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-logging.html
+---
+
+# Configure logging [configuration-logging]
+
+
+The `logging` section of the `packetbeat.yml` config file contains options for configuring the logging output. The logging system can write logs to the syslog or rotate log files. If logging is not explicitly configured the file output is used.
+
+```yaml
+logging.level: info
+logging.to_files: true
+logging.files:
+  path: /var/log/packetbeat
+  name: packetbeat
+  keepfiles: 7
+  permissions: 0640
+```
+
+::::{tip}
+In addition to setting logging options in the config file, you can modify the logging output configuration from the command line. See [Command reference](/reference/packetbeat/command-line-options.md).
+::::
+
+
+::::{warning}
+When Packetbeat is running on a Linux system with systemd, it uses by default the `-e` command line option, that makes it write all the logging output to stderr so it can be captured by journald. Other outputs are disabled. See [Packetbeat and systemd](/reference/packetbeat/running-with-systemd.md) to know more and learn how to change this.
+::::
+
+
+
+## Configuration options [_configuration_options_28]
+
+You can specify the following options in the `logging` section of the `packetbeat.yml` config file:
+
+
+### `logging.to_stderr` [_logging_to_stderr]
+
+When true, writes all logging output to standard error output. This is equivalent to using the `-e` command line option.
+
+
+### `logging.to_syslog` [_logging_to_syslog]
+
+When true, writes all logging output to the syslog.
+
+::::{note}
+This option is not supported on Windows.
+::::
+
+
+
+### `logging.to_eventlog` [_logging_to_eventlog]
+
+When true, writes all logging output to the Windows Event Log.
+
+
+### `logging.to_files` [_logging_to_files]
+
+When true, writes all logging output to files. The log files are automatically rotated when the log file size limit is reached.
+
+::::{note}
+Packetbeat only creates a log file if there is logging output. For example, if you set the log [`level`](#level) to `error` and there are no errors, there will be no log file in the directory specified for logs.
+::::
+
+
+
+### `logging.level` [level]
+
+Minimum log level. One of `debug`, `info`, `warning`, or `error`. The default log level is `info`.
+
+`debug`
+:   Logs debug messages, including a detailed printout of all events flushed. Also logs informational messages, warnings, errors, and critical errors. When the log level is `debug`, you can specify a list of [`selectors`](#selectors) to display debug messages for specific components. If no selectors are specified, the `*` selector is used to display debug messages for all components.
+
+`info`
+:   Logs informational messages, including the number of events that are published. Also logs any warnings, errors, or critical errors.
+
+`warning`
+:   Logs warnings, errors, and critical errors.
+
+`error`
+:   Logs errors and critical errors.
+
+
+### `logging.selectors` [selectors]
+
+The list of debugging-only selector tags used by different Packetbeat components. Use `*` to enable debug output for all components. Use `publisher` to display debug messages related to event publishing.
+
+::::{tip}
+The list of available selectors may change between releases, so avoid creating tests that depend on specific selectors.
+
+To see which selectors are available, run Packetbeat in debug mode (set `logging.level: debug` in the configuration). The selector name appears after the log level and is enclosed in brackets.
+
+::::
+
+
+To configure multiple selectors, use the following [YAML list syntax](/reference/libbeat/config-file-format.md):
+
+```yaml
+logging.selectors: [ harvester, input ]
+```
+
+To override selectors at the command line, use the `-d` global flag (`-d` also sets the debug log level). For more information, see [Command reference](/reference/packetbeat/command-line-options.md).
+
+
+### `logging.metrics.enabled` [_logging_metrics_enabled]
+
+By default, Packetbeat periodically logs its internal metrics that have changed in the last period. For each metric that changed, the delta from the value at the beginning of the period is logged. Also, the total values for all non-zero internal metrics are logged on shutdown. Set this to false to disable this behavior. The default is true.
+
+Here is an example log line:
+
+```shell
+2017-12-17T19:17:42.667-0500    INFO    [metrics]       log/log.go:110  Non-zero metrics in the last 30s: beat.info.uptime.ms=30004 beat.memstats.gc_next=5046416
+```
+
+Note that we currently offer no backwards compatible guarantees for the internal metrics and for this reason they are also not documented.
+
+
+### `logging.metrics.period` [_logging_metrics_period]
+
+The period after which to log the internal metrics. The default is 30s.
+
+
+### `logging.metrics.namespaces` [_logging_metrics_namespaces]
+
+A list of metrics namespaces to report in the logs. Defaults to `[stats]`. `stats` contains general Beat metrics. `dataset` and `inputs` may be present in some Beats and contains module or input metrics.
+
+
+### `logging.files.path` [_logging_files_path]
+
+The directory that log files are written to. The default is the logs path. See the [Directory layout](/reference/packetbeat/directory-layout.md) section for details.
+
+
+### `logging.files.name` [_logging_files_name]
+
+The name of the file that logs are written to. The default is *packetbeat*.
+
+
+### `logging.files.rotateeverybytes` [_logging_files_rotateeverybytes]
+
+The maximum size of a log file. If the limit is reached, a new log file is generated. The default size limit is 10485760 (10 MB).
+
+
+### `logging.files.keepfiles` [_logging_files_keepfiles]
+
+The number of most recent rotated log files to keep on disk. Older files are deleted during log rotation. The default value is 7. The `keepfiles` options has to be in the range of 2 to 1024 files.
+
+
+### `logging.files.permissions` [_logging_files_permissions]
+
+The permissions mask to apply when rotating log files. The default value is 0600. The `permissions` option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with *0*.
+
+The most permissive mask allowed is 0640. If a higher permissions mask is specified via this setting, it will be subject to an umask of 0027.
+
+This option is not supported on Windows.
+
+Examples:
+
+* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
+* 0600: give read and write access to the file owner, and no access to all others.
+
+
+### `logging.files.interval` [_logging_files_interval]
+
+Enable log file rotation on time intervals in addition to size-based rotation. Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h are boundary-aligned with minutes, hours, days, weeks, months, and years as reported by the local system clock. All other intervals are calculated from the unix epoch. Defaults to disabled.
+
+
+### `logging.files.rotateonstartup` [_logging_files_rotateonstartup]
+
+If the log file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to true.
+
+
+### `logging.files.redirect_stderr` [preview] [_logging_files_redirect_stderr]
+
+When true, diagnostic messages printed to Packetbeat’s standard error output will also be logged to the log file. This can be helpful in situations were Packetbeat terminates unexpectedly because an error has been detected by Go’s runtime but diagnostic information is not present in the log file. This feature is only available when logging to files (`logging.to_files` is true). Disabled by default.
+
+
+## Logging format [_logging_format]
+
+The logging format is generally the same for each logging output. The one exception is with the syslog output where the timestamp is not included in the message because syslog adds its own timestamp.
+
+Each log message consists of the following parts:
+
+* Timestamp in ISO8601 format
+* Level
+* Logger name contained in brackets (Optional)
+* File name and line number of the caller
+* Message
+* Structured data encoded in JSON (Optional)
+
+Below are some samples:
+
+`2017-12-17T18:54:16.241-0500	INFO	logp/core_test.go:13	unnamed global logger`
+
+`2017-12-17T18:54:16.242-0500	INFO	[example]	logp/core_test.go:16	some message`
+
+`2017-12-17T18:54:16.242-0500	INFO	[example]	logp/core_test.go:19	some message	{"x": 1}`
+
+
+## Configuration options for event_data logger [_configuration_options_for_event_data_logger]
+
+Some outputs will log raw events on errors like indexing errors in the Elasticsearch output, to prevent logging raw events (that may contain sensitive information) together with other log messages, a different log file, only for log entries containing raw events, is used. It will use the same level, selectors and all other configurations from the default logger, but it will have it’s own file configuration.
+
+Having a different log file for raw events also prevents event data from drowning out the regular log files.
+
+::::{important}
+No matter the default logger output configuration, raw events will **always** be logged to a file configured by `logging.event_data.files`.
+::::
+
+
+
+### `logging.event_data.files.path` [_logging_event_data_files_path]
+
+The directory that log files are written to. The default is the logs path. See the [Directory layout](/reference/packetbeat/directory-layout.md) section for details.
+
+
+### `logging.event_data.files.name` [_logging_event_data_files_name]
+
+The name of the file that logs are written to. The default is *packetbeat*-events-data.
+
+
+### `logging.event_data.files.rotateeverybytes` [_logging_event_data_files_rotateeverybytes]
+
+The maximum size of a log file. If the limit is reached, a new log file is generated. The default size limit is 5242880 (5 MB).
+
+
+### `logging.event_data.files.keepfiles` [_logging_event_data_files_keepfiles]
+
+The number of most recent rotated log files to keep on disk. Older files are deleted during log rotation. The default value is 2. The `keepfiles` options has to be in the range of 2 to 1024 files.
+
+
+### `logging.event_data.files.permissions` [_logging_event_data_files_permissions]
+
+The permissions mask to apply when rotating log files. The default value is 0600. The `permissions` option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with *0*.
+
+The most permissive mask allowed is 0640. If a higher permissions mask is specified via this setting, it will be subject to an umask of 0027.
+
+This option is not supported on Windows.
+
+Examples:
+
+* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
+* 0600: give read and write access to the file owner, and no access to all others.
+
+
+### `logging.event_data.files.interval` [_logging_event_data_files_interval]
+
+Enable log file rotation on time intervals in addition to size-based rotation. Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h are boundary-aligned with minutes, hours, days, weeks, months, and years as reported by the local system clock. All other intervals are calculated from the unix epoch. Defaults to disabled.
+
+
+### `logging.event_data.files.rotateonstartup` [_logging_event_data_files_rotateonstartup]
+
+If the log file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to false.
diff --git a/docs/reference/packetbeat/configuration-mongodb.md b/docs/reference/packetbeat/configuration-mongodb.md
new file mode 100644
index 000000000000..29bd13d02664
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-mongodb.md
@@ -0,0 +1,43 @@
+---
+navigation_title: "MongoDB"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-mongodb.html
+---
+
+# Capture MongoDB traffic [configuration-mongodb]
+
+
+The following settings are specific to the MongoDB protocol. Here is a sample configuration for the `mongodb` section of the `packetbeat.yml` config file:
+
+```yaml
+packetbeat.protocols:
+- type: mongodb
+  send_request: true
+  send_response: true
+  max_docs: 0
+  max_doc_length: 0
+```
+
+## Configuration options [_configuration_options_11]
+
+The `max_docs` and `max_doc_length` settings are useful for limiting the amount of data Packetbeat indexes in the `response` fields.
+
+Also see [Common protocol options](/reference/packetbeat/common-protocol-options.md).
+
+### `max_docs` [_max_docs]
+
+The maximum number of documents from the response to index in the `response` field. The default is 10. You can set this to 0 to index an unlimited number of documents.
+
+Packetbeat adds a `[...]` line at the end to signify that there were additional documents that weren’t saved because of this setting.
+
+
+### `max_doc_length` [_max_doc_length]
+
+The maximum number of characters in a single document indexed in the `response` field. The default is 5000. You can set this to 0 to index an unlimited number of characters per document.
+
+If the document is trimmed because of this setting, Packetbeat adds the string `...` at the end of the document.
+
+Note that limiting documents in this way means that they are no longer correctly formatted JSON objects.
+
+
+
diff --git a/docs/reference/packetbeat/configuration-monitor.md b/docs/reference/packetbeat/configuration-monitor.md
new file mode 100644
index 000000000000..18e1c5636c39
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-monitor.md
@@ -0,0 +1,113 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-monitor.html
+---
+
+# Settings for internal collection [configuration-monitor]
+
+Use the following settings to configure internal collection when you are not using {{metricbeat}} to collect monitoring data.
+
+You specify these settings in the X-Pack monitoring section of the `packetbeat.yml` config file:
+
+## `monitoring.enabled` [_monitoring_enabled]
+
+The `monitoring.enabled` config is a boolean setting to enable or disable {{monitoring}}. If set to `true`, monitoring is enabled.
+
+The default value is `false`.
+
+
+## `monitoring.elasticsearch` [_monitoring_elasticsearch]
+
+The {{es}} instances that you want to ship your Packetbeat metrics to. This configuration option contains the following fields:
+
+
+## `monitoring.cluster_uuid` [_monitoring_cluster_uuid]
+
+The `monitoring.cluster_uuid` config identifies the {{es}} cluster under which the monitoring data will appear in the Stack Monitoring UI.
+
+### `api_key` [_api_key_3]
+
+The detail of the API key to be used to send monitoring information to {{es}}. See [*Grant access using API keys*](/reference/packetbeat/beats-api-keys.md) for more information.
+
+
+### `bulk_max_size` [_bulk_max_size_5]
+
+The maximum number of metrics to bulk in a single {{es}} bulk API index request. The default is `50`. For more information, see [Elasticsearch](/reference/packetbeat/elasticsearch-output.md).
+
+
+### `backoff.init` [_backoff_init_4]
+
+The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting `backoff.init` seconds, Packetbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_4]
+
+The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. The default is 60s.
+
+
+### `compression_level` [_compression_level_3]
+
+The gzip compression level. Setting this value to `0` disables compression. The compression level must be in the range of `1` (best speed) to `9` (best compression). The default value is `0`. Increasing the compression level reduces the network usage but increases the CPU usage.
+
+
+### `headers` [_headers_5]
+
+Custom HTTP headers to add to each request. For more information, see [Elasticsearch](/reference/packetbeat/elasticsearch-output.md).
+
+
+### `hosts` [_hosts_4]
+
+The list of {{es}} nodes to connect to. Monitoring metrics are distributed to these nodes in round robin order. For more information, see [Elasticsearch](/reference/packetbeat/elasticsearch-output.md).
+
+
+### `max_retries` [_max_retries_5]
+
+The number of times to retry sending the monitoring metrics after a failure. After the specified number of retries, the metrics are typically dropped. The default value is `3`. For more information, see [Elasticsearch](/reference/packetbeat/elasticsearch-output.md).
+
+
+### `parameters` [_parameters_2]
+
+Dictionary of HTTP parameters to pass within the url with index operations.
+
+
+### `password` [_password_5]
+
+The password that Packetbeat uses to authenticate with the {{es}} instances for shipping monitoring data.
+
+
+### `metrics.period` [_metrics_period]
+
+The time interval (in seconds) when metrics are sent to the {{es}} cluster. A new snapshot of Packetbeat metrics is generated and scheduled for publishing each period. The default value is 10 * time.Second.
+
+
+### `state.period` [_state_period]
+
+The time interval (in seconds) when state information are sent to the {{es}} cluster. A new snapshot of Packetbeat state is generated and scheduled for publishing each period. The default value is 60 * time.Second.
+
+
+### `protocol` [_protocol]
+
+The name of the protocol to use when connecting to the {{es}} cluster. The options are: `http` or `https`. The default is `http`. If you specify a URL for `hosts`, however, the value of protocol is overridden by the scheme you specify in the URL.
+
+
+### `proxy_url` [_proxy_url_4]
+
+The URL of the proxy to use when connecting to the {{es}} cluster. For more information, see [Elasticsearch](/reference/packetbeat/elasticsearch-output.md).
+
+
+### `timeout` [_timeout_6]
+
+The HTTP request timeout in seconds for the {{es}} request. The default is `90`.
+
+
+### `ssl` [_ssl_5]
+
+Configuration options for Transport Layer Security (TLS) or Secure Sockets Layer (SSL) parameters like the certificate authority (CA) to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to {{es}}. For more information, see [SSL](/reference/packetbeat/configuration-ssl.md).
+
+
+### `username` [_username_4]
+
+The user ID that Packetbeat uses to authenticate with the {{es}} instances for shipping monitoring data.
+
+
+
diff --git a/docs/reference/packetbeat/configuration-output-codec.md b/docs/reference/packetbeat/configuration-output-codec.md
new file mode 100644
index 000000000000..587ce612525c
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-output-codec.md
@@ -0,0 +1,32 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-output-codec.html
+---
+
+# Change the output codec [configuration-output-codec]
+
+For outputs that do not require a specific encoding, you can change the encoding by using the codec configuration. You can specify either the `json` or `format` codec. By default the `json` codec is used.
+
+**`json.pretty`**: If `pretty` is set to true, events will be nicely formatted. The default is false.
+
+**`json.escape_html`**: If `escape_html` is set to true, html symbols will be escaped in strings. The default is false.
+
+Example configuration that uses the `json` codec with pretty printing enabled to write events to the console:
+
+```yaml
+output.console:
+  codec.json:
+    pretty: true
+    escape_html: false
+```
+
+**`format.string`**: Configurable format string used to create a custom formatted message.
+
+Example configurable that uses the `format` codec to print the events timestamp and message field to console:
+
+```yaml
+output.console:
+  codec.format:
+    string: '%{[@timestamp]} %{[message]}'
+```
+
diff --git a/docs/reference/packetbeat/configuration-path.md b/docs/reference/packetbeat/configuration-path.md
new file mode 100644
index 000000000000..74d511ad4d17
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-path.md
@@ -0,0 +1,78 @@
+---
+navigation_title: "Project paths"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-path.html
+---
+
+# Configure project paths [configuration-path]
+
+
+The `path` section of the `packetbeat.yml` config file contains configuration options that define where Packetbeat looks for its files. For example, Packetbeat looks for the Elasticsearch template file in the configuration path and writes log files in the logs path.
+
+Please see the [Directory layout](/reference/packetbeat/directory-layout.md) section for more details.
+
+Here is an example configuration:
+
+```yaml
+path.home: /usr/share/beat
+path.config: /etc/beat
+path.data: /var/lib/beat
+path.logs: /var/log/
+```
+
+Note that it is possible to override these options by using command line flags.
+
+
+## Configuration options [_configuration_options_15]
+
+You can specify the following options in the `path` section of the `packetbeat.yml` config file:
+
+
+### `home` [_home]
+
+The home path for the Packetbeat installation. This is the default base path for all other path settings and for miscellaneous files that come with the distribution (for example, the sample dashboards). If not set by a CLI flag or in the configuration file, the default for the home path is the location of the Packetbeat binary.
+
+Example:
+
+```yaml
+path.home: /usr/share/beats
+```
+
+
+### `config` [_config]
+
+The configuration path for the Packetbeat installation. This is the default base path for configuration files, including the main YAML configuration file and the Elasticsearch template file. If not set by a CLI flag or in the configuration file, the default for the configuration path is the home path.
+
+Example:
+
+```yaml
+path.config: /usr/share/beats/config
+```
+
+
+### `data` [_data]
+
+The data path for the Packetbeat installation. This is the default base path for all the files in which Packetbeat needs to store its data. If not set by a CLI flag or in the configuration file, the default for the data path is a `data` subdirectory inside the home path.
+
+Example:
+
+```yaml
+path.data: /var/lib/beats
+```
+
+::::{tip}
+When running multiple Packetbeat instances on the same host, make sure they each have a distinct `path.data` value.
+::::
+
+
+
+### `logs` [_logs]
+
+The logs path for a Packetbeat installation. This is the default location for Packetbeat’s log files. If not set by a CLI flag or in the configuration file, the default for the logs path is a `logs` subdirectory inside the home path.
+
+Example:
+
+```yaml
+path.logs: /var/log/beats
+```
+
diff --git a/docs/reference/packetbeat/configuration-processes.md b/docs/reference/packetbeat/configuration-processes.md
new file mode 100644
index 000000000000..d5ec2fca90a2
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-processes.md
@@ -0,0 +1,61 @@
+---
+navigation_title: "Processes"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-processes.html
+---
+
+# Configure which processes to monitor [configuration-processes]
+
+
+This section of the `packetbeat.yml` config file is optional, but configuring the processes enables Packetbeat to show you not only the servers that the traffic is flowing between, but also the processes. Packetbeat can even show you the traffic between two processes running on the same host, which is particularly useful when you have many services running on the same server. By default, process enrichment is disabled.
+
+When Packetbeat starts, and then periodically afterwards, it scans the process table for processes that match the configuration file. For each of these processes, it monitors which file descriptors it has opened. When a new packet is captured, it reads the list of active TCP and UDP connections and matches the corresponding one with the list of file descriptors.
+
+All this information is available via system interfaces: The `/proc` file system in Linux and the IP Helper API (`iphlpapi.dll`) on Windows, so Packetbeat doesn’t need a kernel module.
+
+::::{note}
+Process monitoring is currently only supported on Linux and Windows systems. Packetbeat automatically disables process monitoring when it detects other operating systems.
+::::
+
+
+Example configuration:
+
+```yaml
+packetbeat.procs.enabled: true
+```
+
+When the process monitor is enabled, it will enrich all the events whose source or destination is a local process. The `source.process` and/or `destination.process` fields will be added to an event, when the server side or client side of the connection belong to a local process, respectively.
+
+
+## Configuration options [_configuration_options_14]
+
+You can specify the following process monitoring options in the `monitored` section of the `packetbeat.yml` config file to customize the name of process:
+
+
+### `process` [_process]
+
+The name of the process as it will appear in the published transactions. The name doesn’t have to match the name of the executable, so feel free to choose something more descriptive (for example,  "myapp" instead of "gunicorn").
+
+
+### `cmdline_grep` [_cmdline_grep]
+
+The name used to identify the process at run time. When Packetbeat starts, and then periodically afterwards, it scans the process table for processes that match the values specified for this option. The match is done against the process' command line as read from `/proc/<pid>/cmdline`.
+
+
+### `shutdown_timeout` [shutdown-timeout]
+
+How long Packetbeat waits on shutdown. By default, this option is disabled. Packetbeat will wait for `shutdown_timeout` and then close. It will not track if all events were sent previously.
+
+Example configuration:
+
+```yaml
+packetbeat.shutdown_timeout: 5s
+```
+
+
+### `overwrite_pipelines` [_overwrite_pipelines]
+
+By default Ingest pipelines are not updated if a pipeline with the same ID already exists. If this option is enabled Packetbeat overwrites pipelines every time a new Elasticsearch connection is established.
+
+The default value is `false`.
+
diff --git a/docs/reference/packetbeat/configuration-protocols.md b/docs/reference/packetbeat/configuration-protocols.md
new file mode 100644
index 000000000000..b8a32798dd06
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-protocols.md
@@ -0,0 +1,84 @@
+---
+navigation_title: "Protocols"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-protocols.html
+---
+
+# Configure which transaction protocols to monitor [configuration-protocols]
+
+
+The `packetbeat.protocols` section of the `packetbeat.yml` config file contains configuration options for each supported protocol, including common options like `enabled`, `ports`, `send_request`, `send_response`, and options that are protocol-specific.
+
+Currently, Packetbeat supports the following protocols:
+
+* ICMP (v4 and v6)
+* DHCP (v4)
+* DNS
+* HTTP
+* AMQP 0.9.1
+* Cassandra
+* Mysql
+* PostgreSQL
+* Redis
+* Thrift-RPC
+* MongoDB
+* Memcache
+* NFS
+* TLS
+* SIP/SDP (beta)
+
+Example configuration:
+
+```yaml
+packetbeat.protocols:
+
+- type: icmp
+  enabled: true
+
+- type: dhcpv4
+  ports: [67, 68]
+
+- type: dns
+  ports: [53]
+
+- type: http
+  ports: [80, 8080, 8000, 5000, 8002]
+
+- type: amqp
+  ports: [5672]
+
+- type: cassandra
+  ports: [9042]
+
+- type: memcache
+  ports: [11211]
+
+- type: mysql
+  ports: [3306,3307]
+
+- type: redis
+  ports: [6379]
+
+- type: pgsql
+  ports: [5432]
+
+- type: thrift
+  ports: [9090]
+
+- type: tls
+  ports: [443, 993, 995, 5223, 8443, 8883, 9243]
+```
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/packetbeat/configuration-ssl.md b/docs/reference/packetbeat/configuration-ssl.md
new file mode 100644
index 000000000000..f7f311acebb2
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-ssl.md
@@ -0,0 +1,486 @@
+---
+navigation_title: "SSL"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-ssl.html
+---
+
+# Configure SSL [configuration-ssl]
+
+
+You can specify SSL options when you configure:
+
+* [outputs](/reference/packetbeat/configuring-output.md) that support SSL
+* the [Kibana endpoint](/reference/packetbeat/setup-kibana-endpoint.md)
+
+Example output config with SSL enabled:
+
+```yaml
+output.elasticsearch.hosts: ["https://192.168.1.42:9200"]
+output.elasticsearch.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+output.elasticsearch.ssl.certificate: "/etc/client/cert.pem"
+output.elasticsearch.ssl.key: "/etc/client/cert.key"
+```
+
+Also see [*Secure communication with Logstash*](/reference/packetbeat/configuring-ssl-logstash.md).
+
+Example Kibana endpoint config with SSL enabled:
+
+```yaml
+setup.kibana.host: "https://192.0.2.255:5601"
+setup.kibana.ssl.enabled: true
+setup.kibana.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+setup.kibana.ssl.certificate: "/etc/client/cert.pem"
+setup.kibana.ssl.key: "/etc/client/cert.key"
+```
+
+There are a number of SSL configuration options available to you:
+
+* [Common configuration options](#ssl-common-config)
+* [Client configuration options](#ssl-client-config)
+* [Server configuration options](#ssl-server-config)
+
+
+## Common configuration options [ssl-common-config]
+
+Common SSL configuration options can be used in both client and server configurations. You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `enabled` [enabled]
+
+To disable SSL configuration, set the value to `false`. The default value is `true`.
+
+::::{note}
+SSL settings are disabled if either `enabled` is set to `false` or the `ssl` section is missing.
+
+::::
+
+
+
+### `supported_protocols` [supported-protocols]
+
+List of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions not configured, the connection will be dropped during or after the handshake. The setting is a list of allowed protocol versions: `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.
+
+The default value is `[TLSv1.2, TLSv1.3]`.
+
+
+### `cipher_suites` [cipher-suites]
+
+The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s [default suites](https://golang.org/pkg/crypto/tls/) are used (recommended).
+
+Note that if TLS 1.3 is enabled (which is true by default), then the default TLS 1.3 cipher suites are always included, because Go’s standard library adds them to all connections. In order to exclude the default TLS 1.3 ciphers, TLS 1.3 must also be disabled, e.g. with the setting `ssl.supported_protocols = [TLSv1.2]`.
+
+The following cipher suites are available:
+
+| Cypher | Notes |
+| --- | --- |
+| ECDHE-ECDSA-AES-128-CBC-SHA |  |
+| ECDHE-ECDSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| ECDHE-ECDSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| ECDHE-ECDSA-AES-256-CBC-SHA |  |
+| ECDHE-ECDSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS 1.2 only. |
+| ECDHE-ECDSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+| ECDHE-RSA-3DES-CBC3-SHA |  |
+| ECDHE-RSA-AES-128-CBC-SHA |  |
+| ECDHE-RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| ECDHE-RSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| ECDHE-RSA-AES-256-CBC-SHA |  |
+| ECDHE-RSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| ECDHE-RSA-CHACHA20-POLY1205 | TLS 1.2 only. |
+| ECDHE-RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+| RSA-3DES-CBC3-SHA |  |
+| RSA-AES-128-CBC-SHA |  |
+| RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| RSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| RSA-AES-256-CBC-SHA |  |
+| RSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+
+Here is a list of acronyms used in defining the cipher suites:
+
+* 3DES: Cipher suites using triple DES
+* AES-128/256: Cipher suites using AES with 128/256-bit keys.
+* CBC: Cipher using Cipher Block Chaining as block cipher mode.
+* ECDHE: Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange.
+* ECDSA: Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication.
+* GCM: Galois/Counter mode is used for symmetric key cryptography.
+* RC4: Cipher suites using RC4.
+* RSA: Cipher suites using RSA.
+* SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384.
+
+
+### `curve_types` [curve-types]
+
+The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).
+
+The following elliptic curve types are available:
+
+* P-256
+* P-384
+* P-521
+* X25519
+
+
+### `ca_sha256` [ca-sha256]
+
+This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain.
+
+The pin is a base64 encoded string of the SHA-256 of the certificate.
+
+::::{note}
+This check is not a replacement for the normal SSL validation, but it adds additional validation. If this option is used with  `verification_mode` set to `none`, the check will always fail because it will not receive any verified chains.
+::::
+
+
+
+## Client configuration options [ssl-client-config]
+
+You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `certificate_authorities` [client-certificate-authorities]
+
+The list of root certificates for verifications is required. If `certificate_authorities` is empty or not set, the system keystore is used. If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well.
+
+By default you can specify a list of files that `packetbeat` will read, but you can also embed a certificate directly in the `YAML` configuration:
+
+```yaml
+certificate_authorities:
+  - |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `certificate: "/etc/client/cert.pem"` [client-certificate]
+
+The path to the certificate for SSL client authentication is only required if `client_authentication` is specified. If the certificate is not specified, client authentication is not available. The connection might fail if the server requests client authentication. If the SSL server does not require client authentication, the certificate will be loaded, but not requested or used by the server.
+
+When this option is configured, the [`key`](#client-key) option is also required. The certificate option support embedding of the certificate:
+
+```yaml
+certificate: |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `key: "/etc/client/cert.key"` [client-key]
+
+The client certificate key used for client authentication and is only required if `client_authentication` is configured. The key option support embedding of the private key:
+
+```yaml
+key: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
+    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
+    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
+    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
+    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
+    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
+    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
+    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
+    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
+    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
+    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
+    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
+    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
+    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
+    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
+    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
+    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
+    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
+    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
+    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
+    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
+    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
+    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
+    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
+    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
+    nygO9KTJuUiBrLr0AHEnqko=
+    -----END PRIVATE KEY-----
+```
+
+
+### `key_passphrase` [client-key-passphrase]
+
+The passphrase used to decrypt an encrypted key stored in the configured `key` file.
+
+
+### `verification_mode` [client-verification-mode]
+
+Controls the verification of server certificates. Valid values are:
+
+`full`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
+
+`strict`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.
+
+`certificate`
+:   Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
+
+`none`
+:   Performs *no verification* of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.
+
+    The default value is `full`.
+
+
+
+### `ca_trusted_fingerprint` [ca_trusted_fingerprint]
+
+A HEX encoded SHA-256 of a CA certificate. If this certificate is present in the chain during the handshake, it will be added to the `certificate_authorities` list and the handshake will continue normaly.
+
+To get the fingerprint from a CA certificate on a Unix-like system, you can use the following command, where `ca.crt` is the certificate.
+
+```
+openssl x509 -fingerprint -sha256 -noout -in ./ca.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'
+```
+
+
+## Server configuration options [ssl-server-config]
+
+You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `certificate_authorities` [server-certificate-authorities]
+
+The list of root certificates for client verifications is only required if `client_authentication` is configured. If `certificate_authorities` is empty or not set, and `client_authentication` is configured, the system keystore is used.
+
+If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well. By default you can specify a list of files that `packetbeat` will read, but you can also embed a certificate directly in the `YAML` configuration:
+
+```yaml
+certificate_authorities:
+  - |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `certificate: "/etc/server/cert.pem"` [server-certificate]
+
+The end-entity (leaf) certificate that the server uses to identify itself. If the certificate is signed by a certificate authority (CA), then it should include intermediate CA certificates, sorted from leaf to root. For servers, a `certificate` and [`key`](#server-key) must be specified.
+
+The certificate option supports embedding of the PEM certificate content. This example contains the leaf certificate followed by issuer’s certificate.
+
+```yaml
+certificate: |
+  -----BEGIN CERTIFICATE-----
+  MIIF2jCCA8KgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEW
+  MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8g
+  UmVhbDEOMAwGA1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwHhcNMjMxMDMw
+  MTkyMzU4WhcNMjMxMDMxMTkyMzU4WjB2MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMN
+  U2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8gUmVhbDEOMAwG
+  A1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMxDzANBgNVBAMTBnNlcnZlcjCC
+  AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALW37cart7l0KE3LCStFbiGm
+  Rr/QSkuPv+Y+SXFT4zXrMFP3mOfUCVsR4lugv+jmql9qjbwR9jKsgKXA1kSvNXSZ
+  lLYWRcNnQ+QzwKxJf/jy246nSfqb2FKvVMs580lDwKHHxn/FSpHV93O4Goy5cLfF
+  ACE7BSdJdxl5DVAMmmkzd6gBGgN8dQIbcyJYuIZYQt44PqSYh/BomTyOXKrmvX4y
+  t7/pF+ldJjWZq/6SfCq6WE0jSrpI1P/42Qd9h5Tsnl6qsUGA2Tz5ZqKz2cyxaIlK
+  wL9tYDionfFIl+jZcxkGPF2a14O1TycCI0B/z+0VL+HR/8fKAB0NdP+QRLaPWOrn
+  DvraAO+bVKC6VrQyUYNUOwtd2gMUqm6Hzrf4s3wjP754eSJkvnSoSAB6l7ZmJKe5
+  Pz5oDDOVPwKHv/MrhsCSMNFeXSEO+rq9TtYEAFQI5rFGHlURga8kA1T1pirHyEtS
+  2o8GUSPSHVulaPdFnHg4xfTexfRYLCqya75ISJuY2/+2GblCie/re1GFitZCZ46/
+  xiQQDOjgL96soDVZ+cTtMpXanslgDapTts9LPIJTd9FUJCY1omISGiSjABRuTlCV
+  8054ja4BKVahSd5BqqtVkWyV64SCut6kce2ndwBkyFvlZ6cteLCW7KtzYvba4XBb
+  YIAs+H+9e/bZUVhws5mFAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgeAMB0GA1Ud
+  JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAOBgNVHQ4EBwQFAQIDBAUwPwYDVR0R
+  BDgwNoIJbG9jYWxob3N0ghFiZWF0cy5leGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAA
+  AAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAgEAldSZOUi+OUR46ERQuINl1oED
+  mjNsQ9FNP/RDu8mPJaNb5v2sAbcpuZb9YdnScT+d+n0+LMd5uz2g67Qr73QCpXwL
+  9YJIs56i7qMTKXlVvRQrvF9P/zP3sm5Zfd2I/x+8oXgEeYsxAWipJ8RsbnN1dtu8
+  C4l+P0E58jjrjom11W90RiHYaT0SI2PPBTTRhYLz0HayThPZDMdFnIQqVxUYbQD5
+  ybWu77hnsvC/g2C8/N2LAdQGJJ67owMa5T3YRneiaSvvOf3I45oeLE+olGAPdrSq
+  5Sp0G7fcAKMRPxcwYeD7V5lfYMtb+RzECpYAHT8zHKLZl6/34q2k8P8EWEpAsD80
+  +zSbCkdvNiU5lU90rV8E2baTKCg871k4O8sT48eUyDps6ZUCfT1dgefXeyOTV5bY
+  864Zo6bWJhAJ7Qa2d4HJkqPzSbqsosHVobojgkOcMqkStLHd8sgtCoFmJMflbp7E
+  ghawl/RVFEkL9+TWy9fR8sJWRx13P8CUP6AL9kVmcU2c3gMNpvQfIii9QOnQrRsi
+  yZj9FKl+ZM49I6RQ6dY5JVgWtpVm/+GBVuy1Aj91JEjw7r1jAeir5K9LAXG8kEN9
+  irndx1SK2MMTY79lGHFGQRv3vnQGI0Wzjtn31YJ7qIFNJ1WWbAZLR9FBtzmMeXM6
+  puoJ9UYvfIcHUGPdZGU=
+  -----END CERTIFICATE-----
+  -----BEGIN CERTIFICATE-----
+  MIIFpjCCA46gAwIBAgIBATANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEW
+  MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8g
+  UmVhbDEOMAwGA1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwHhcNMjMxMDMw
+  MTkyMzU2WhcNMjMxMDMxMTkyMzU2WjBlMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMN
+  U2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8gUmVhbDEOMAwG
+  A1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwggIiMA0GCSqGSIb3DQEBAQUA
+  A4ICDwAwggIKAoICAQDQP3hJt4jTIo+tBXB/R4RuBTvv6OOago9joxlNDm0abseJ
+  ehE0V8FDi0SSpa7ZiqwCGq/deu5OIWVNpFCLHeH5YBriNmB7oPkNRCleu50JsUrG
+  RjSTtBIJcu/CVpD7Q5XMbhbhYcPArrxrSreo3ox8a+2X7b8nA1xPgIcWqSCgs9iV
+  lwKHaQWNTUXYwwZG7b9WG4EJaki6t1+1QbDDJU0oWrZNg23wQEBvEVRDQs7kadvm
+  9YtZLPULlSyV4Rk3yNW8dPXHjcz2wp3PBPIWIQe9mzYU608307TkUMVN2EEOImxl
+  Wm1RtXYvvVb1LiY0C2lYbN3jLZQzffK5RsS87ocqTQM+HvDBv/PupHDvW08wietu
+  RtRbdx/2cN0GLmOHnkWKx+GlYDZfAtIj958fTKl2hHyNqJ1pE7vksSYBwBxMFQem
+  eSGzw5pO53kmPcZO203YQ2qoJd7z1aLf7eAOqDn5zwlYNc00bZ6DwTZsyptGv9sZ
+  zcZuovppPgCN4f1I9ja/NPKep+sVKfQqR5HuOFOPFcr6oOioESJSgIvXXF9RhCVh
+  UMeZKWWSCNm1ea4h6q8OJdQfM7XXkXm+dEyF0TogC00CidZWuYMZcgXND5p/1Di5
+  PkCKPUMllCoK0oaTfFioNW7qtNbDGQrW+spwDa4kjJNKYtDD0jjPgFMgSzQ2MwID
+  AQABo2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG
+  AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFImOXc9Tv+mgn9jOsPig
+  9vlAUTa+MA0GCSqGSIb3DQEBCwUAA4ICAQBZ9tqU88Nmgf+vDgkKMKLmLMaRCRlV
+  HcYrm7WoWLX+q6VSbmvf5eD5OrzzbAnnp16iXap8ivsAEFTo8XWh/bjl7G/2jetR
+  xZD2WHtzmAg3s4SVsEHIyFUF1ERwnjO2ndHjoIsx8ktUk1aNrmgPI6s07fkULDm+
+  2aXyBSZ9/oimZM/s3IqYJecxwE+yyS+FiS6mSDCCVIyQXdtVAbFHegyiBYv8EbwF
+  Xz70QiqQtxotGlfts/3uN1s+xnEoWz5E6S5DQn4xQh0xiKSXPizMXou9xKzypeSW
+  qtNdwtg62jKWDaVriBfrvoCnyjjCIjmcTcvA2VLmeZShyTuIucd0lkg2NKIGeM7I
+  o33hmdiKaop1fVtj8zqXvCRa3ecmlvcxPKX0otVFORFNOfaPjH/CjW0CnP0LByGK
+  YW19w0ncJZa9cc1SlNL28lnBhW+i1+ViR02wtjabH9XO+mtxuaEPDZ1hLhhjktqI
+  Y2oFUso4C5xiTU/hrH8+cFv0dn/+zyQoLfJEQbUX9biFeytt7T4Yynwhdy7jryqH
+  fdy/QM26YnsE8D7l4mv99z+zII0IRGnQOuLTuNAIyGJUf69hCDubZFDeHV/IB9hU
+  6GA6lBpsJlTDgfJLbtKuAHxdn1DO+uGg0GxgwggH6Vh9x9yQK2E6BaepJisL/zNB
+  RQQmEyTn1hn/eA==
+  -----END CERTIFICATE-----
+```
+
+
+### `key: "/etc/server/cert.key"` [server-key]
+
+The server certificate key used for authentication is required. The key option supports embedding of the private key:
+
+```yaml
+key: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
+    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
+    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
+    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
+    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
+    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
+    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
+    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
+    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
+    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
+    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
+    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
+    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
+    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
+    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
+    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
+    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
+    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
+    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
+    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
+    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
+    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
+    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
+    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
+    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
+    nygO9KTJuUiBrLr0AHEnqko=
+    -----END PRIVATE KEY-----
+```
+
+
+### `key_passphrase` [server-key-passphrase]
+
+The passphrase is used to decrypt an encrypted key stored in the configured `key` file.
+
+
+### `verification_mode` [server-verification-mode]
+
+Controls the verification of client certificates. Valid values are:
+
+`full`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
+
+`strict`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.
+
+`certificate`
+:   Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
+
+`none`
+:   Performs *no verification* of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.
+
+    The default value is `full`.
+
+
+
+### `renegotiation` [server-renegotiation]
+
+This configures what types of TLS renegotiation are supported. The valid options are:
+
+`never`
+:   Disables renegotiation.
+
+`once`
+:   Allows a remote server to request renegotiation once per connection.
+
+`freely`
+:   Allows a remote server to request renegotiation repeatedly.
+
+    The default value is `never`.
+
+
+
+### `restart_on_cert_change.enabled` [exit_on_cert_change_enabled]
+
+If set to `true` Packetbeat will restart if any file listed by `key`, `certificate`, or `certificate_authorities` is modified.
+
+::::{note}
+This feature is NOT supported on Windows. The default value is `false`.
+::::
+
+
+::::{note}
+This feature requres the `execve` system call to be enabled. If you have a custom seccomp policy in place, make sure to allow for `execve`.
+::::
+
+
+
+### `restart_on_cert_change.period` [restart_on_cert_change_period]
+
+Specifies how often the files are checked for changes. Do not set the period to less than 1s because the modification time of files is often stored in seconds. Setting the period to less than 1s will result in validation error and Packetbeat will not start. The default value is 1m.
+
diff --git a/docs/reference/packetbeat/configuration-template.md b/docs/reference/packetbeat/configuration-template.md
new file mode 100644
index 000000000000..e9e914220406
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-template.md
@@ -0,0 +1,112 @@
+---
+navigation_title: "Elasticsearch index template"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-template.html
+---
+
+# Configure Elasticsearch index template loading [configuration-template]
+
+
+The `setup.template` section of the `packetbeat.yml` config file specifies the [index template](docs-content://manage-data/data-store/templates.md) to use for setting mappings in Elasticsearch. If template loading is enabled (the default), Packetbeat loads the index template automatically after successfully connecting to Elasticsearch.
+
+::::{note}
+A connection to Elasticsearch is required to load the index template. If the configured output is not Elasticsearch (or {{ess}}), you must [load the template manually](/reference/packetbeat/packetbeat-template.md#load-template-manually).
+::::
+
+
+You can adjust the following settings to load your own template or overwrite an existing one.
+
+**`setup.template.enabled`**
+:   Set to false to disable template loading. If this is set to false, you must [load the template manually](/reference/packetbeat/packetbeat-template.md#load-template-manually).
+
+**`setup.template.name`**
+:   The name of the template. The default is `packetbeat`. The Packetbeat version is always appended to the given name, so the final name is `packetbeat-%{[agent.version]}`.
+
+**`setup.template.pattern`**
+:   The template pattern to apply to the default index settings. The default pattern is `packetbeat`. The Packetbeat version is always included in the pattern, so the final pattern is `packetbeat-%{[agent.version]}`.
+
+    Example:
+
+    ```yaml
+    setup.template.name: "packetbeat"
+    setup.template.pattern: "packetbeat"
+    ```
+
+
+**`setup.template.fields`**
+:   The path to the YAML file describing the fields. The default is `fields.yml`. If a relative path is set, it is considered relative to the config path. See the [Directory layout](/reference/packetbeat/directory-layout.md) section for details.
+
+**`setup.template.overwrite`**
+:   A boolean that specifies whether to overwrite the existing template. The default is false. Do not enable this option if you start more than one instance of Packetbeat at the same time. It can overload {{es}} by sending too many template update requests.
+
+**`setup.template.settings`**
+:   A dictionary of settings to place into the `settings.index` dictionary of the Elasticsearch template. For more details about the available Elasticsearch mapping options, please see the Elasticsearch [mapping reference](docs-content://manage-data/data-store/mapping.md).
+
+    Example:
+
+    ```yaml
+    setup.template.name: "packetbeat"
+    setup.template.fields: "fields.yml"
+    setup.template.overwrite: false
+    setup.template.settings:
+      index.number_of_shards: 1
+      index.number_of_replicas: 1
+    ```
+
+
+**`setup.template.settings._source`**
+:   A dictionary of settings for the `_source` field. For the available settings, please see the Elasticsearch [reference](elasticsearch://reference/elasticsearch/mapping-reference/mapping-source-field.md).
+
+    Example:
+
+    ```yaml
+    setup.template.name: "packetbeat"
+    setup.template.fields: "fields.yml"
+    setup.template.overwrite: false
+    setup.template.settings:
+      _source.enabled: false
+    ```
+
+
+**`setup.template.append_fields`**
+:   A list of fields to be added to the template and {{kib}} index pattern. This setting adds new fields. It does not overwrite or change existing fields.
+
+    This setting is useful when your data contains fields that Packetbeat doesn’t know about in advance.
+
+    If `append_fields` is specified along with `overwrite: true`, Packetbeat overwrites the existing template and applies the new template when creating new indices. Existing indices are not affected. If you’re running multiple instances of Packetbeat with different `append_fields` settings, the last one writing the template takes precedence.
+
+    Any changes to this setting also affect the {{kib}} index pattern.
+
+    Example config:
+
+    ```yaml
+    setup.template.overwrite: true
+    setup.template.append_fields:
+    - name: test.name
+      type: keyword
+    - name: test.hostname
+      type: long
+    ```
+
+
+**`setup.template.json.enabled`**
+:   Set to `true` to load a JSON-based template file. Specify the path to your {{es}} index template file and set the name of the template.
+
+    ```yaml
+    setup.template.json.enabled: true
+    setup.template.json.path: "template.json"
+    setup.template.json.name: "template-name"
+    setup.template.json.data_stream: false
+    ```
+
+
+::::{note}
+If the JSON template is used, the `fields.yml` is skipped for the template generation.
+::::
+
+
+::::{note}
+If the JSON template is a data stream, set `setup.template.json.data_stream`.
+::::
+
+
diff --git a/docs/reference/packetbeat/configuration-thrift.md b/docs/reference/packetbeat/configuration-thrift.md
new file mode 100644
index 000000000000..cc22e735b4ee
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-thrift.md
@@ -0,0 +1,89 @@
+---
+navigation_title: "Thrift"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-thrift.html
+---
+
+# Capture Thrift traffic [configuration-thrift]
+
+
+[Apache Thrift](https://thrift.apache.org/) is a communication protocol and RPC framework initially created at Facebook. It is sometimes used in [microservices](http://martinfowler.com/articles/microservices.html) architectures because it provides better performance when compared to the more obvious HTTP/RESTful API choice, while still supporting a wide range of programming languages and frameworks.
+
+Packetbeat works based on a copy of the traffic, which means that you get performance management features without having to modify your services in any way and without any latency overhead. Packetbeat captures the transactions from the network and indexes them in Elasticsearch so that they can be analyzed and searched.
+
+Packetbeat indexes the method, parameters, return value, and exceptions of each Thrift-RPC call. You can search by and create statistics based on any of these fields. Packetbeat automatically fills in the `status` column with either `OK` or `Error`, so it’s easy to find the problematic RPC calls. A transaction is put into the `Error` state if it returned an exception.
+
+Packetbeat also indexes the `event.duration` field so you can get performance analytics and find the slow RPC calls.
+
+Here is an example performance dashboard:
+
+:::{image} images/thrift-dashboard.png
+:alt: Thrift-RPC dashboard
+:::
+
+Thrift supports multiple [transport and protocol types](http://en.wikipedia.org/wiki/Apache_Thrift). Currently Packetbeat supports the default `TSocket` transport as well as the `TFramed` transport. From the protocol point of view, Packetbeat currently supports only the default `TBinary` protocol.
+
+Packetbeat also has several configuration options that allow you to get the right balance between visibility, disk usage, and data protection. You can, for example, choose to obfuscate all strings or to store the requests but not the responses, while still capturing the response time for each of the RPC calls. You can also choose to limit the size of strings and lists to a given number of elements, so you can fine tune how much data you want to have stored in Elasticsearch.
+
+The Thrift protocol has several specific configuration options. Here is an example configuration section for the Thrift protocol in the `packetbeat.yml` config file:
+
+```yaml
+packetbeat.protocols:
+- type: thrift
+  transport_type: socket
+  protocol_type: binary
+  idl_files: ["tutorial.thrift", "shared.thrift"]
+  string_max_size: 200
+  collection_max_size: 20
+  capture_reply: true
+  obfuscate_strings: true
+  drop_after_n_struct_fields: 100
+```
+
+Providing the Thrift IDL files to Packetbeat is optional. The binary Thrift messages include the called method name and enough structural information to decode the messages without needing the IDL files. However, if you provide the IDL files, Packetbeat can also resolve the service name, arguments, and exception names.
+
+## Configuration options [_configuration_options_10]
+
+Also see [Common protocol options](/reference/packetbeat/common-protocol-options.md).
+
+### `transport_type` [_transport_type]
+
+The Thrift transport type. Currently this option accepts the values `socket` for TSocket, which is the default Thrift transport, and `framed` for the TFramed Thrift transport. The default is `socket`.
+
+
+### `protocol_type` [_protocol_type]
+
+The Thrift protocol type. Currently the only accepted value is `binary` for the TBinary protocol, which is the default Thrift protocol.
+
+
+### `idl_files` [_idl_files]
+
+The Thrift interface description language (IDL) files for the service that Packetbeat is monitoring. Providing the IDL files is optional, because the Thrift messages contain enough information to decode them without having the IDL files. However, providing the IDL enables Packetbeat to include parameter and exception names.
+
+
+### `string_max_size` [_string_max_size]
+
+The maximum length for strings in parameters or return values. If a string is longer than this value, the string is automatically truncated to this length. Packetbeat adds dots at the end of the string to mark that it was truncated. The default is 200.
+
+
+### `collection_max_size` [_collection_max_size]
+
+The maximum number of elements in a Thrift list, set, map, or structure. If a collection has more elements than this value, Packetbeat captures only the specified number of elements. Packetbeat adds a fictive last element `...` to the end of the collection to mark that it was truncated. The default is 15.
+
+
+### `capture_reply` [_capture_reply]
+
+If this option is set to false, Packetbeat decodes the method name from the reply and simply skips the rest of the response message. This setting can be useful for performance, disk usage, or data retention reasons. The default is true.
+
+
+### `obfuscate_strings` [_obfuscate_strings]
+
+If this option is set to true, Packetbeat replaces all strings found in method parameters, return codes, or exception structures with the `"*"` string.
+
+
+### `drop_after_n_struct_fields` [_drop_after_n_struct_fields]
+
+The maximum number of fields that a structure can have before Packetbeat ignores the whole transaction. This is a memory protection mechanism (so that Packetbeat’s memory doesn’t grow indefinitely), so you would typically set this to a relatively high value. The default is 500.
+
+
+
diff --git a/docs/reference/packetbeat/configuration-tls.md b/docs/reference/packetbeat/configuration-tls.md
new file mode 100644
index 000000000000..1e24d7e1d8f2
--- /dev/null
+++ b/docs/reference/packetbeat/configuration-tls.md
@@ -0,0 +1,232 @@
+---
+navigation_title: "TLS"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html
+---
+
+# Capture TLS traffic [configuration-tls]
+
+
+TLS is a cryptographic protocol that provides secure communications on top of an existing application protocol, like HTTP or MySQL.
+
+Packetbeat intercepts the initial handshake in a TLS connection and extracts useful information that helps operators diagnose problems and strengthen the security of their network and systems. It does not decrypt any information from the encapsulated protocol, nor does it reveal any sensitive information such as cryptographic keys. TLS versions 1.0 to 1.3 are supported.
+
+It works by intercepting the client and server "hello" messages, which contain the negotiated parameters for the connection such as cryptographic ciphers and protocol versions. It can also intercept TLS alerts, which are sent by one of the parties to signal a problem with the negotiation, such as an expired certificate or a cryptographic error.
+
+An example of indexed event:
+
+```json
+"tls": {
+    "client": {
+      "supported_ciphers": [
+        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
+      ],
+      "ja3": "e6573e91e6eb777c0933c5b8f97f10cd",
+      "server_name": "example.net"
+    },
+    "server": {
+      "subject": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
+      "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
+      "not_before": "2018-11-28T00:00:00.000Z",
+      "not_after": "2020-12-02T12:00:00.000Z",
+      "hash": {
+        "sha1": "7BB698386970363D2919CC5772846984FFD4A889"
+      }
+    },
+    "version": "1.2",
+    "version_protocol": "tls",
+    "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+    "established": true,
+    "next_protocol": "h2",
+    "detailed": {
+      "server_certificate": {
+        "subject": {
+          "common_name": "www.example.org",
+          "country": "US",
+          "organization": "Internet Corporation for Assigned Names and Numbers",
+          "organizational_unit": "Technology",
+          "locality": "Los Angeles",
+          "province": "California"
+        },
+        "not_after": "2020-12-02T12:00:00.000Z",
+        "public_key_size": 2048,
+        "alternative_names": [
+          "www.example.org",
+          "example.com",
+          "example.edu",
+          "example.net",
+          "example.org",
+          "www.example.com",
+          "www.example.edu",
+          "www.example.net"
+        ],
+        "signature_algorithm": "SHA256-RSA",
+        "version": 3,
+        "issuer": {
+          "organization": "DigiCert Inc",
+          "common_name": "DigiCert SHA2 Secure Server CA",
+          "country": "US"
+        },
+        "not_before": "2018-11-28T00:00:00.000Z",
+        "public_key_algorithm": "RSA",
+        "serial_number": "21020869104500376438182461249190639870"
+      },
+      "server_certificate_chain": [
+        {
+          "public_key_algorithm": "RSA",
+          "not_before": "2013-03-08T12:00:00.000Z",
+          "not_after": "2023-03-08T12:00:00.000Z",
+          "version": 3,
+          "serial_number": "2646203786665923649276728595390119057",
+          "issuer": {
+            "organizational_unit": "www.digicert.com",
+            "common_name": "DigiCert Global Root CA",
+            "country": "US",
+            "organization": "DigiCert Inc"
+          },
+          "subject": {
+            "country": "US",
+            "organization": "DigiCert Inc",
+            "common_name": "DigiCert SHA2 Secure Server CA"
+          },
+          "public_key_size": 2048,
+          "signature_algorithm": "SHA256-RSA"
+        },
+        {
+          "public_key_algorithm": "RSA",
+          "subject": {
+            "common_name": "DigiCert Global Root CA",
+            "country": "US",
+            "organization": "DigiCert Inc",
+            "organizational_unit": "www.digicert.com"
+          },
+          "issuer": {
+            "country": "US",
+            "organization": "DigiCert Inc",
+            "organizational_unit": "www.digicert.com",
+            "common_name": "DigiCert Global Root CA"
+          },
+          "signature_algorithm": "SHA1-RSA",
+          "serial_number": "10944719598952040374951832963794454346",
+          "not_before": "2006-11-10T00:00:00.000Z",
+          "not_after": "2031-11-10T00:00:00.000Z",
+          "public_key_size": 2048,
+          "version": 3
+        }
+      ],
+      "client_certificate_requested": false,
+      "version": "TLS 1.2",
+      "client_hello": {
+        "version": "3.3",
+        "supported_compression_methods": [
+          "NULL"
+        ],
+        "extensions": {
+          "ec_points_formats": [
+            "uncompressed"
+          ],
+          "supported_groups": [
+            "x25519",
+            "secp256r1",
+            "secp384r1"
+          ],
+          "signature_algorithms": [
+            "rsa_pkcs1_sha512",
+            "ecdsa_secp521r1_sha512",
+            "(unknown:0xefef)",
+            "rsa_pkcs1_sha384",
+            "ecdsa_secp384r1_sha384",
+            "rsa_pkcs1_sha256",
+            "ecdsa_secp256r1_sha256",
+            "(unknown:0xeeee)",
+            "(unknown:0xeded)",
+            "(unknown:0x0301)",
+            "(unknown:0x0303)",
+            "rsa_pkcs1_sha1",
+            "ecdsa_sha1"
+          ],
+          "application_layer_protocol_negotiation": [
+            "h2",
+            "http/1.1"
+          ],
+          "server_name_indication": [
+            "example.net"
+          ]
+        }
+      },
+      "server_hello": {
+        "version": "3.3",
+        "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f",
+        "selected_compression_method": "NULL",
+        "extensions": {
+          "application_layer_protocol_negotiation": [
+            "h2"
+          ],
+          "_unparsed_": [
+            "renegotiation_info",
+            "server_name_indication"
+          ],
+          "ec_points_formats": [
+            "uncompressed",
+            "ansiX962_compressed_prime",
+            "ansiX962_compressed_char2"
+          ]
+        }
+      }
+    }
+  }
+```
+
+The TLS events generated by Packetbeat follow the Elastic Common Schema (ECS) format. See [ECS TLS fields](ecs://reference/ecs-tls.md) for a description of the populated fields.
+
+Detailed information that is not defined in ECS is added under the `tls.detailed` key. The [`include_detailed_fields`](#include_detailed_fields) configuration flag is used to control whether this information is exported.
+
+The fields under `tls.detailed.client_hello` contain the algorithms and extensions supported by the client, as well as the maximum TLS version it supports.
+
+Fields under `tls.detailed.server_hello` contain the final settings for the TLS session: The selected cipher, compression method, TLS version to use and other extensions such as application layer protocol negotiation (ALPN).
+
+See the [*Detailed TLS fields*](/reference/packetbeat/exported-fields-tls_detailed.md) section for more information.
+
+The following settings are specific to the TLS protocol. Here is a sample configuration for the `tls` section of the `packetbeat.yml` config file:
+
+```yaml
+packetbeat.protocols:
+- type: tls
+  send_certificates: true
+  include_raw_certificates: false
+  include_detailed_fields: true
+  fingerprints: [ md5, sha1, sha256 ]
+```
+
+## Configuration options [_configuration_options_12]
+
+The `send_certificates` and `include_detailed_fields` settings are useful for limiting the amount of data Packetbeat indexes, as multiple certificates are usually exchanged in a single transaction, and those can take a considerable amount of storage.
+
+Also see [Common protocol options](/reference/packetbeat/common-protocol-options.md).
+
+### `send_certificates` [_send_certificates]
+
+This setting causes information about the certificates presented by the client and server to be included in the detailed fields. The server’s certificate is indexed under `tls.detailed.server_certificate` and its certification chain under `tls.detailed.server_certificate_chain`. For the client, the `client_certificate` and `client_certificate_chain` fields are used. The default is true.
+
+
+### `include_raw_certificates` [_include_raw_certificates]
+
+You can set `include_raw_certificates` to include the raw certificate chains encoded in PEM format, under the `tls.server.certificate_chain` and `tls.client.certificate_chain` fields. The default is false.
+
+
+### `include_detailed_fields` [include_detailed_fields]
+
+Controls whether the [*Detailed TLS fields*](/reference/packetbeat/exported-fields-tls_detailed.md) are added to exported documents. When set to `false`, only [ECS TLS fields](ecs://reference/ecs-tls.md) are included. The default is `true`.
+
+
+### `fingerprints` [_fingerprints]
+
+Defines a list of hash algorithms to calculate the certificate’s fingerprints. Valid values are `sha1`, `sha256` and `md5`.
+
+The default is to output SHA-1 fingerprints.
+
+
+
diff --git a/docs/reference/packetbeat/configure-cloud-id.md b/docs/reference/packetbeat/configure-cloud-id.md
new file mode 100644
index 000000000000..02fad6829f60
--- /dev/null
+++ b/docs/reference/packetbeat/configure-cloud-id.md
@@ -0,0 +1,34 @@
+---
+navigation_title: "{{ess}}"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configure-cloud-id.html
+---
+
+# Configure the output for {{ess}} on {{ecloud}} [configure-cloud-id]
+
+
+Packetbeat comes with two settings that simplify the output configuration when used together with [{{ess}}](https://www.elastic.co/cloud/elasticsearch-service?page=docs&placement=docs-body). When defined, these setting overwrite settings from other parts in the configuration.
+
+Example:
+
+```yaml
+cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
+cloud.auth: "elastic:{pwd}"
+```
+
+These settings can be also specified at the command line, like this:
+
+```sh
+packetbeat -e -E cloud.id="<cloud-id>" -E cloud.auth="<cloud.auth>"
+```
+
+## `cloud.id` [_cloud_id]
+
+The Cloud ID, which can be found in the {{ess}} web console, is used by Packetbeat to resolve the {{es}} and {{kib}} URLs. This setting overwrites the `output.elasticsearch.hosts` and `setup.kibana.host` settings. For more on locating and configuring the Cloud ID, see [Configure Beats and Logstash with Cloud ID](docs-content://deploy-manage/deploy/cloud-enterprise/find-cloud-id.md).
+
+
+## `cloud.auth` [_cloud_auth]
+
+When specified, the `cloud.auth` overwrites the `output.elasticsearch.username` and `output.elasticsearch.password` settings. Because the Kibana settings inherit the username and password from the {{es}} output, this can also be used to set the `setup.kibana.username` and `setup.kibana.password` options.
+
+
diff --git a/docs/reference/packetbeat/configuring-howto-packetbeat.md b/docs/reference/packetbeat/configuring-howto-packetbeat.md
new file mode 100644
index 000000000000..0f9c60a7d88e
--- /dev/null
+++ b/docs/reference/packetbeat/configuring-howto-packetbeat.md
@@ -0,0 +1,45 @@
+---
+navigation_title: "Configure"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuring-howto-packetbeat.html
+---
+
+# Configure Packetbeat [configuring-howto-packetbeat]
+
+
+::::{tip}
+To get started quickly, read [Quick start: installation and configuration](/reference/packetbeat/packetbeat-installation-configuration.md).
+::::
+
+
+To configure Packetbeat, edit the configuration file. The default configuration file is called  `packetbeat.yml`. The location of the file varies by platform. To locate the file, see [Directory layout](/reference/packetbeat/directory-layout.md).
+
+There’s also a full example configuration file called `packetbeat.reference.yml` that shows all non-deprecated options.
+
+::::{tip}
+See the [Config File Format](/reference/libbeat/config-file-format.md) for more about the structure of the config file.
+::::
+
+
+The following topics describe how to configure Packetbeat:
+
+* [Network flows](/reference/packetbeat/configuration-flows.md)
+* [Protocols](/reference/packetbeat/configuration-protocols.md)
+* [Processes](/reference/packetbeat/configuration-processes.md)
+* [General settings](/reference/packetbeat/configuration-general-options.md)
+* [Project paths](/reference/packetbeat/configuration-path.md)
+* [Traffic sniffing](/reference/packetbeat/configuration-interfaces.md)
+* [Output](/reference/packetbeat/configuring-output.md)
+* [SSL](/reference/packetbeat/configuration-ssl.md)
+* [Index lifecycle management (ILM)](/reference/packetbeat/ilm.md)
+* [Elasticsearch index template](/reference/packetbeat/configuration-template.md)
+* [{{kib}} endpoint](/reference/packetbeat/setup-kibana-endpoint.md)
+* [Kibana dashboards](/reference/packetbeat/configuration-dashboards.md)
+* [Processors](/reference/packetbeat/filtering-enhancing-data.md)
+* [Internal queue](/reference/packetbeat/configuring-internal-queue.md)
+* [Logging](/reference/packetbeat/configuration-logging.md)
+* [HTTP endpoint](/reference/packetbeat/http-endpoint.md)
+* [Instrumentation](/reference/packetbeat/configuration-instrumentation.md)
+* [Feature flags](/reference/packetbeat/configuration-feature-flags.md)
+* [*packetbeat.reference.yml*](/reference/packetbeat/packetbeat-reference-yml.md)
+
diff --git a/docs/reference/packetbeat/configuring-ingest-node.md b/docs/reference/packetbeat/configuring-ingest-node.md
new file mode 100644
index 000000000000..8db8f7879ff9
--- /dev/null
+++ b/docs/reference/packetbeat/configuring-ingest-node.md
@@ -0,0 +1,50 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuring-ingest-node.html
+---
+
+# Parse data using an ingest pipeline [configuring-ingest-node]
+
+When you use {{es}} for output, you can configure Packetbeat to use an [ingest pipeline](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md) to pre-process documents before the actual indexing takes place in {{es}}. An ingest pipeline is a convenient processing option when you want to do some extra processing on your data, but you do not require the full power of {{ls}}. For example, you can create an ingest pipeline in {{es}} that consists of one processor that removes a field in a document followed by another processor that renames a field.
+
+After defining the pipeline in {{es}}, you simply configure Packetbeat to use the pipeline. To configure Packetbeat, you specify the pipeline ID in the `parameters` option under `elasticsearch` in the `packetbeat.yml` file:
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200"]
+  pipeline: my_pipeline_id
+```
+
+For example, let’s say that you’ve defined the following pipeline in a file named `pipeline.json`:
+
+```json
+{
+    "description": "Test pipeline",
+    "processors": [
+        {
+            "lowercase": {
+                "field": "agent.name"
+            }
+        }
+    ]
+}
+```
+
+To add the pipeline in {{es}}, you would run:
+
+```shell
+curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_ingest/pipeline/test-pipeline' -d@pipeline.json
+```
+
+Then in the `packetbeat.yml` file, you would specify:
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200"]
+  pipeline: "test-pipeline"
+```
+
+When you run Packetbeat, the value of `agent.name` is converted to lowercase before indexing.
+
+For more information about defining a pre-processing pipeline, see the [ingest pipeline](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md) documentation.
+
diff --git a/docs/reference/packetbeat/configuring-internal-queue.md b/docs/reference/packetbeat/configuring-internal-queue.md
new file mode 100644
index 000000000000..cb7d0fbf9a29
--- /dev/null
+++ b/docs/reference/packetbeat/configuring-internal-queue.md
@@ -0,0 +1,144 @@
+---
+navigation_title: "Internal queue"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuring-internal-queue.html
+---
+
+# Configure the internal queue [configuring-internal-queue]
+
+
+Packetbeat uses an internal queue to store events before publishing them. The queue is responsible for buffering and combining events into batches that can be consumed by the outputs. The outputs will use bulk operations to send a batch of events in one transaction.
+
+You can configure the type and behavior of the internal queue by setting options in the `queue` section of the `packetbeat.yml` config file or by setting options in the `queue` section of the output. Only one queue type can be configured.
+
+This sample configuration sets the memory queue to buffer up to 4096 events:
+
+```yaml
+queue.mem:
+  events: 4096
+```
+
+
+## Configure the memory queue [configuration-internal-queue-memory]
+
+The memory queue keeps all events in memory.
+
+The memory queue waits for the output to acknowledge or drop events. If the queue is full, no new events can be inserted into the memory queue. Only after the signal from the output will the queue free up space for more events to be accepted.
+
+The memory queue is controlled by the parameters `flush.min_events` and `flush.timeout`. `flush.min_events` gives a limit on the number of events that can be included in a single batch, and `flush.timeout` specifies how long the queue should wait to completely fill an event request. If the output supports a `bulk_max_size` parameter, the maximum batch size will be the smaller of `bulk_max_size` and `flush.min_events`.
+
+`flush.min_events` is a legacy parameter, and new configurations should prefer to control batch size with `bulk_max_size`. As of 8.13, there is never a performance advantage to limiting batch size with `flush.min_events` instead of `bulk_max_size`.
+
+In synchronous mode, an event request is always filled as soon as events are available, even if there are not enough events to fill the requested batch. This is useful when latency must be minimized. To use synchronous mode, set `flush.timeout` to 0.
+
+For backwards compatibility, synchronous mode can also be activated by setting `flush.min_events` to 0 or 1. In this case, batch size will be capped at 1/2 the queue capacity.
+
+In asynchronous mode, an event request will wait up to the specified timeout to try and fill the requested batch completely. If the timeout expires, the queue returns a partial batch with all available events. To use asynchronous mode, set `flush.timeout` to a positive duration, e.g. `5s`.
+
+This sample configuration forwards events to the output when there are enough events to fill the output’s request (usually controlled by `bulk_max_size`, and limited to at most 512 events by `flush.min_events`), or when events have been waiting for 5s without filling the requested size:
+
+```yaml
+queue.mem:
+  events: 4096
+  flush.min_events: 512
+  flush.timeout: 5s
+```
+
+
+## Configuration options [_configuration_options_27]
+
+You can specify the following options in the `queue.mem` section of the `packetbeat.yml` config file:
+
+
+#### `events` [queue-mem-events-option]
+
+Number of events the queue can store.
+
+The default value is 3200 events.
+
+
+#### `flush.min_events` [queue-mem-flush-min-events-option]
+
+If greater than 1, specifies the maximum number of events per batch. In this case the output must wait for the queue to accumulate the requested number of events or for `flush.timeout` to expire before publishing.
+
+If 0 or 1, sets the maximum number of events per batch to half the queue size, and sets the queue to synchronous mode (equivalent to `flush.timeout` of 0).
+
+The default value is 1600.
+
+
+#### `flush.timeout` [queue-mem-flush-timeout-option]
+
+Maximum wait time for event requests from the output to be fulfilled. If set to 0s, events are returned immediately.
+
+The default value is 10s.
+
+
+## Configure the disk queue [configuration-internal-queue-disk]
+
+The disk queue stores pending events on the disk rather than main memory. This allows Beats to queue a larger number of events than is possible with the memory queue, and to save events when a Beat or device is restarted. This increased reliability comes with a performance tradeoff, as every incoming event must be written and read from the device’s disk. However, for setups where the disk is not the main bottleneck, the disk queue gives a simple and relatively low-overhead way to add a layer of robustness to incoming event data.
+
+To enable the disk queue with default settings, specify a maximum size:
+
+```yaml
+queue.disk:
+  max_size: 10GB
+```
+
+The queue will use up to the specified maximum size on disk. It will only use as much space as required. For example, if the queue is only storing 1GB of events, then it will only occupy 1GB on disk no matter how high the maximum is. Queue data is deleted from disk after it has been successfully sent to the output.
+
+
+### Configuration options [configuration-internal-queue-disk-reference]
+
+You can specify the following options in the `queue.disk` section of the `packetbeat.yml` config file:
+
+
+#### `path` [_path]
+
+The path to the directory where the disk queue should store its data files. The directory is created on startup if it doesn’t exist.
+
+The default value is `"${path.data}/diskqueue"`.
+
+
+#### `max_size` (required) [_max_size_required]
+
+The maximum size the queue should use on disk. Events that exceed this maximum will either pause their input or be discarded, depending on the input’s configuration.
+
+A value of `0` means that no maximum size is enforced, and the queue can grow up to the amount of free space on the disk. This value should be used with caution, as completely filling a system’s main disk can make it inoperable. It is best to use this setting only with a dedicated data or backup partition that will not interfere with Packetbeat or the rest of the host system.
+
+The default value is `10GB`.
+
+
+#### `segment_size` [_segment_size]
+
+Data added to the queue is stored in segment files. Each segment contains some number of events waiting to be sent to the outputs, and is deleted when all its events are sent. By default, segment size is limited to 1/10 of the maximum queue size. Using a smaller size means that the queue will use more data files, but they will be deleted more quickly after use. Using a larger size means some data will take longer to delete, but the queue will use fewer auxiliary files. It is usually fine to leave this value unchanged.
+
+The default value is `max_size / 10`.
+
+
+#### `read_ahead` [_read_ahead]
+
+The number of events that should be read from disk into memory while waiting for an output to request them. If you find outputs are slowing down because they can’t read as many events at a time, adjusting this setting upward may help, at the cost of higher memory usage.
+
+The default value is `512`.
+
+
+#### `write_ahead` [_write_ahead]
+
+The number of events the queue should accept and store in memory while waiting for them to be written to disk. If you find the queue’s memory use is too high because events are waiting too long to be written to disk, adjusting this setting downward may help, at the cost of reduced event throughput. On the other hand, if inputs are waiting or discarding events because they are being produced faster than the disk can handle, adjusting this setting upward may help, at the cost of higher memory usage.
+
+The default value is `2048`.
+
+
+#### `retry_interval` [_retry_interval]
+
+Some disk errors may block operation of the queue, for example a permission error writing to the data directory, or a disk full error while writing an event. In this case, the queue reports the error and retries after pausing for the time specified in `retry_interval`.
+
+The default value is `1s` (one second).
+
+
+#### `max_retry_interval` [_max_retry_interval]
+
+When there are multiple consecutive errors writing to the disk, the queue increases the retry interval by factors of 2 up to a maximum of `max_retry_interval`. Increase this value if you are concerned about logging too many errors or overloading the host system if the target disk becomes unavailable for an extended time.
+
+The default value is `30s` (thirty seconds).
+
diff --git a/docs/reference/packetbeat/configuring-output.md b/docs/reference/packetbeat/configuring-output.md
new file mode 100644
index 000000000000..c90cfdeb57b6
--- /dev/null
+++ b/docs/reference/packetbeat/configuring-output.md
@@ -0,0 +1,31 @@
+---
+navigation_title: "Output"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuring-output.html
+---
+
+# Configure the output [configuring-output]
+
+
+You configure Packetbeat to write to a specific output by setting options in the Outputs section of the `packetbeat.yml` config file. Only a single output may be defined.
+
+The following topics describe how to configure each supported output. If you’ve secured the {{stack}}, also read [Secure](/reference/packetbeat/securing-packetbeat.md) for more about security-related configuration options.
+
+* [{{ess}}](/reference/packetbeat/configure-cloud-id.md)
+* [Elasticsearch](/reference/packetbeat/elasticsearch-output.md)
+* [Logstash](/reference/packetbeat/logstash-output.md)
+* [Kafka](/reference/packetbeat/kafka-output.md)
+* [Redis](/reference/packetbeat/redis-output.md)
+* [File](/reference/packetbeat/file-output.md)
+* [Console](/reference/packetbeat/console-output.md)
+* [Discard](/reference/packetbeat/discard-output.md)
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/packetbeat/configuring-ssl-logstash.md b/docs/reference/packetbeat/configuring-ssl-logstash.md
new file mode 100644
index 000000000000..70ef93a75081
--- /dev/null
+++ b/docs/reference/packetbeat/configuring-ssl-logstash.md
@@ -0,0 +1,118 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/configuring-ssl-logstash.html
+---
+
+# Secure communication with Logstash [configuring-ssl-logstash]
+
+You can use SSL mutual authentication to secure connections between Packetbeat and Logstash. This ensures that Packetbeat sends encrypted data to trusted Logstash servers only, and that the Logstash server receives data from trusted Packetbeat clients only.
+
+To use SSL mutual authentication:
+
+1. Create a certificate authority (CA) and use it to sign the certificates that you plan to use for Packetbeat and Logstash. Creating a correct SSL/TLS infrastructure is outside the scope of this document. There are many online resources available that describe how to create certificates.
+
+    ::::{tip}
+    If you are using {{security-features}}, you can use the [elasticsearch-certutil tool](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md) to generate certificates.
+    ::::
+
+2. Configure Packetbeat to use SSL. In the `packetbeat.yml` config file, specify the following settings under `ssl`:
+
+    * `certificate_authorities`: Configures Packetbeat to trust any certificates signed by the specified CA. If `certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used.
+    * `certificate` and `key`: Specifies the certificate and key that Packetbeat uses to authenticate with Logstash.
+
+        For example:
+
+        ```yaml
+        output.logstash:
+          hosts: ["logs.mycompany.com:5044"]
+          ssl.certificate_authorities: ["/etc/ca.crt"]
+          ssl.certificate: "/etc/client.crt"
+          ssl.key: "/etc/client.key"
+        ```
+
+        For more information about these configuration options, see [SSL](/reference/packetbeat/configuration-ssl.md).
+
+3. Configure Logstash to use SSL. In the Logstash config file, specify the following settings for the [Beats input plugin for Logstash](logstash://reference/plugins-inputs-beats.md):
+
+    * `ssl`: When set to true, enables Logstash to use SSL/TLS.
+    * `ssl_certificate_authorities`: Configures Logstash to trust any certificates signed by the specified CA.
+    * `ssl_certificate` and `ssl_key`: Specify the certificate and key that Logstash uses to authenticate with the client.
+    * `ssl_verify_mode`: Specifies whether the Logstash server verifies the client certificate against the CA. You need to specify either `peer` or `force_peer` to make the server ask for the certificate and validate it. If you specify `force_peer`, and Packetbeat doesn’t provide a certificate, the Logstash connection will be closed. If you choose not to use [certutil](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md), the certificates that you obtain must allow for both `clientAuth` and `serverAuth` if the extended key usage extension is present.
+
+        For example:
+
+        ```json
+        input {
+          beats {
+            port => 5044
+            ssl => true
+            ssl_certificate_authorities => ["/etc/ca.crt"]
+            ssl_certificate => "/etc/server.crt"
+            ssl_key => "/etc/server.key"
+            ssl_verify_mode => "force_peer"
+          }
+        }
+        ```
+
+        For more information about these options, see the [documentation for the Beats input plugin](logstash://reference/plugins-inputs-beats.md).
+
+
+
+## Validate the Logstash server’s certificate [testing-ssl-logstash]
+
+Before running Packetbeat, you should validate the Logstash server’s certificate. You can use `curl` to validate the certificate even though the protocol used to communicate with Logstash is not based on HTTP. For example:
+
+```shell
+curl -v --cacert ca.crt https://logs.mycompany.com:5044
+```
+
+If the test is successful, you’ll receive an empty response error:
+
+```shell
+* Rebuilt URL to: https://logs.mycompany.com:5044/
+*   Trying 192.168.99.100...
+* Connected to logs.mycompany.com (192.168.99.100) port 5044 (#0)
+* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+* Server certificate: logs.mycompany.com
+* Server certificate: mycompany.com
+> GET / HTTP/1.1
+> Host: logs.mycompany.com:5044
+> User-Agent: curl/7.43.0
+> Accept: */*
+>
+* Empty reply from server
+* Connection #0 to host logs.mycompany.com left intact
+curl: (52) Empty reply from server
+```
+
+The following example uses the IP address rather than the hostname to validate the certificate:
+
+```shell
+curl -v --cacert ca.crt https://192.168.99.100:5044
+```
+
+Validation for this test fails because the certificate is not valid for the specified IP address. It’s only valid for the `logs.mycompany.com`, the hostname that appears in the Subject field of the certificate.
+
+```shell
+* Rebuilt URL to: https://192.168.99.100:5044/
+*   Trying 192.168.99.100...
+* Connected to 192.168.99.100 (192.168.99.100) port 5044 (#0)
+* WARNING: using IP address, SNI is being disabled by the OS.
+* SSL: certificate verification failed (result: 5)
+* Closing connection 0
+curl: (51) SSL: certificate verification failed (result: 5)
+```
+
+See the [troubleshooting docs](/reference/packetbeat/ssl-client-fails.md) for info about resolving this issue.
+
+
+## Test the Packetbeat to Logstash connection [_test_the_packetbeat_to_logstash_connection]
+
+If you have Packetbeat running as a service, first stop the service. Then test your setup by running Packetbeat in the foreground so you can quickly see any errors that occur:
+
+```sh
+packetbeat -c packetbeat.yml -e -v
+```
+
+Any errors will be printed to the console. See the [troubleshooting docs](/reference/packetbeat/ssl-client-fails.md) for info about resolving common errors.
+
diff --git a/docs/reference/packetbeat/connection-problem.md b/docs/reference/packetbeat/connection-problem.md
new file mode 100644
index 000000000000..a1d8d9f7d7ea
--- /dev/null
+++ b/docs/reference/packetbeat/connection-problem.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/connection-problem.html
+---
+
+# Logstash connection doesn���t work [connection-problem]
+
+You may have configured {{ls}} or Packetbeat incorrectly. To resolve the issue:
+
+* Make sure that {{ls}} is running and you can connect to it. First, try to ping the {{ls}} host to verify that you can reach it from the host running Packetbeat. Then use either `nc` or `telnet` to make sure that the port is available. For example:
+
+    ```shell
+    ping <hostname or IP>
+    telnet <hostname or IP> 5044
+    ```
+
+* Verify that the config file for Packetbeat specifies the correct port where {{ls}} is running.
+* Make sure that the {{es}} output is commented out in the config file and the {{ls}} output is uncommented.
+* Confirm that the most recent [Beats input plugin for {{ls}}](logstash://reference/plugins-inputs-beats.md) is installed and configured. Note that Beats will not connect to the Lumberjack input plugin. To learn how to install and update plugins, see [Working with plugins](logstash://reference/working-with-plugins.md).
+
diff --git a/docs/reference/packetbeat/console-output.md b/docs/reference/packetbeat/console-output.md
new file mode 100644
index 000000000000..760e4085e9b9
--- /dev/null
+++ b/docs/reference/packetbeat/console-output.md
@@ -0,0 +1,67 @@
+---
+navigation_title: "Console"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/console-output.html
+---
+
+# Configure the Console output [console-output]
+
+
+The Console output writes events in JSON format to stdout.
+
+::::{warning}
+The Console output should be used only for debugging issues as it can produce a large amount of logging data.
+::::
+
+
+To use this output, edit the Packetbeat configuration file to disable the {{es}} output by commenting it out, and enable the console output by adding `output.console`.
+
+Example configuration:
+
+```yaml
+output.console:
+  pretty: true
+```
+
+## Configuration options [_configuration_options_21]
+
+You can specify the following `output.console` options in the `packetbeat.yml` config file:
+
+### `enabled` [_enabled_9]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `pretty` [_pretty]
+
+If `pretty` is set to true, events written to stdout will be nicely formatted. The default is false.
+
+
+### `codec` [_codec_4]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded using the `pretty` option.
+
+See [Change the output codec](/reference/packetbeat/configuration-output-codec.md) for more information.
+
+
+### `bulk_max_size` [_bulk_max_size_4]
+
+The maximum number of events to buffer internally during publishing. The default is 2048.
+
+Specifying a larger batch size may add some latency and buffering during publishing. However, for Console output, this setting does not affect how events are published.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `queue` [_queue_6]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/packetbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `packetbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/packetbeat/contributing-to-beats.md b/docs/reference/packetbeat/contributing-to-beats.md
new file mode 100644
index 000000000000..e497d84e27ac
--- /dev/null
+++ b/docs/reference/packetbeat/contributing-to-beats.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/contributing-to-beats.html
+---
+
+# Contribute to Beats [contributing-to-beats]
+
+The Beats are open source and we love to receive contributions from our community — you!
+
+There are many ways to contribute, from writing tutorials or blog posts, improving the documentation, submitting bug reports and feature requests, or writing code that implements a whole new protocol, module, or Beat.
+
+The [Beats Developer Guide](http://www.elastic.co/guide/en/beats/devguide/master/index.md) is your one-stop shop for everything related to developing code for the Beats project.
+
diff --git a/docs/reference/packetbeat/convert.md b/docs/reference/packetbeat/convert.md
new file mode 100644
index 000000000000..65f50d5a624e
--- /dev/null
+++ b/docs/reference/packetbeat/convert.md
@@ -0,0 +1,42 @@
+---
+navigation_title: "convert"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/convert.html
+---
+
+# Convert [convert]
+
+
+The `convert` processor converts a field in the event to a different type, such as converting a string to an integer.
+
+The supported types include: `integer`, `long`, `float`, `double`, `string`, `boolean`, and `ip`.
+
+The `ip` type is effectively an alias for `string`, but with an added validation that the value is an IPv4 or IPv6 address.
+
+```yaml
+processors:
+  - convert:
+      fields:
+        - {from: "src_ip", to: "source.ip", type: "ip"}
+        - {from: "src_port", to: "source.port", type: "integer"}
+      ignore_missing: true
+      fail_on_error: false
+```
+
+The `convert` processor has the following configuration settings:
+
+`fields`
+:   (Required) This is the list of fields to convert. At least one item must be contained in the list. Each item in the list must have a `from` key that specifies the source field. The `to` key is optional and specifies where to assign the converted value. If `to` is omitted then the `from` field is updated in-place. The `type` key specifies the data type to convert the value to. If `type` is omitted then the processor copies or renames the field without any type conversion.
+
+`ignore_missing`
+:   (Optional) If `true` the processor continues to the next field when the `from` key is not found in the event. If false then the processor returns an error and does not process the remaining fields. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If false type conversion failures are ignored and the processor continues to the next field. Default is `true`.
+
+`tag`
+:   (Optional) An identifier for this processor. Useful for debugging.
+
+`mode`
+:   (Optional) When both `from` and `to` are defined for a field then `mode` controls whether to `copy` or `rename` the field when the type conversion is successful. Default is `copy`.
+
diff --git a/docs/reference/packetbeat/copy-fields.md b/docs/reference/packetbeat/copy-fields.md
new file mode 100644
index 000000000000..cfbdf9019241
--- /dev/null
+++ b/docs/reference/packetbeat/copy-fields.md
@@ -0,0 +1,45 @@
+---
+navigation_title: "copy_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/copy-fields.html
+---
+
+# Copy fields [copy-fields]
+
+
+The `copy_fields` processor takes the value of a field and copies it to a new field.
+
+You cannot use this processor to replace an existing field. If the target field already exists, you must [drop](/reference/packetbeat/drop-fields.md) or [rename](/reference/packetbeat/rename-fields.md) the field before using `copy_fields`.
+
+`fields`
+:   List of `from` and `to` pairs to copy from and to. It’s supported to use `@metadata.` prefix for `from` and `to` and copy values not just in/from/to the event fields but also in/from/to the event metadata.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error occurs, the changes are reverted and the original is returned. If set to `false`, processing continues if an error occurs. Default is `true`.
+
+`ignore_missing`
+:   (Optional) Indicates whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - copy_fields:
+      fields:
+        - from: message
+          to: event.original
+      fail_on_error: false
+      ignore_missing: true
+```
+
+Copies the original `message` field to `event.original`:
+
+```json
+{
+  "message": "my-interesting-message",
+  "event": {
+      "original": "my-interesting-message"
+  }
+}
+```
+
diff --git a/docs/reference/packetbeat/could-not-locate-index-pattern.md b/docs/reference/packetbeat/could-not-locate-index-pattern.md
new file mode 100644
index 000000000000..5d2d710aa4a8
--- /dev/null
+++ b/docs/reference/packetbeat/could-not-locate-index-pattern.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/could-not-locate-index-pattern.html
+---
+
+# Dashboard could not locate the index-pattern [could-not-locate-index-pattern]
+
+Typically Packetbeat sets up the index pattern automatically when it loads the index template. However, if for some reason Packetbeat loads the index template, but the index pattern does not get created correctly, you’ll see a "could not locate that index-pattern" error. To resolve this problem:
+
+1. Try running the `setup` command again. For example: `./packetbeat setup`.
+2. If that doesn’t work, go to the Management app in {{kib}}, and under **Index Patterns**, look for the pattern.
+
+    1. If the pattern doesn’t exist, create it manually.
+
+        * Set the **Time filter field name** to `@timestamp`.
+        * Set the **Custom index pattern ID** advanced option. For example, if your custom index name is `packetbeat-customname`, set the custom index pattern ID to `packetbeat-customname-*`.
+
+
+For more information, see [Creating an index pattern](docs-content://explore-analyze/find-and-organize/data-views.md) in the {{kib}} docs.
+
diff --git a/docs/reference/packetbeat/customizing-discover.md b/docs/reference/packetbeat/customizing-discover.md
new file mode 100644
index 000000000000..f7819aeca412
--- /dev/null
+++ b/docs/reference/packetbeat/customizing-discover.md
@@ -0,0 +1,30 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/customizing-discover.html
+---
+
+# Customize the Discover page [customizing-discover]
+
+To make it easier for you to search and discover Packetbeat data in Kibana, the sample dashboards contain predefined searches. These searches are not default views on the **Discover** page. To use these searches, make sure you’ve [set up the example Kibana dashboards](/reference/packetbeat/load-kibana-dashboards.md). Then go to the **Discover** page and click **Open**.
+
+Type `Packetbeat` in the Search field to filter the list of searches.
+
+:::{image} images/saved-packetbeat-searches.png
+:alt: Saved Packetbeat Searches
+:class: screenshot
+:::
+
+You can use the predefined searches to customize the columns in the Discover table. For example, select the **Packetbeat Search** to customize the columns in the Discover table:
+
+:::{image} images/discovery-packetbeat-transactions.png
+:alt: Packetbeat Search
+:class: screenshot
+:::
+
+Select the **Packetbeat Flows Search** to display the most important information for Packetbeat flows:
+
+:::{image} images/discovery-packetbeat-flows.png
+:alt: Packetbeat Flows Search
+:class: screenshot
+:::
+
diff --git a/docs/reference/packetbeat/dashboard-fields-incorrect.md b/docs/reference/packetbeat/dashboard-fields-incorrect.md
new file mode 100644
index 000000000000..56cd62948cf7
--- /dev/null
+++ b/docs/reference/packetbeat/dashboard-fields-incorrect.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/dashboard-fields-incorrect.html
+---
+
+# Dashboard in Kibana is breaking up data fields incorrectly [dashboard-fields-incorrect]
+
+The index template might not be loaded correctly. See [*Load the {{es}} index template*](/reference/packetbeat/packetbeat-template.md).
+
diff --git a/docs/reference/packetbeat/decode-base64-field.md b/docs/reference/packetbeat/decode-base64-field.md
new file mode 100644
index 000000000000..84d1fdfb868d
--- /dev/null
+++ b/docs/reference/packetbeat/decode-base64-field.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "decode_base64_field"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/decode-base64-field.html
+---
+
+# Decode Base64 fields [decode-base64-field]
+
+
+The `decode_base64_field` processor specifies a field to base64 decode. The `field` key contains a `from: old-key` and a `to: new-key` pair. `from` is the origin and `to` the target name of the field.
+
+To overwrite fields either first rename the target field or use the `drop_fields` processor to drop the field and then rename the field.
+
+```yaml
+processors:
+  - decode_base64_field:
+      field:
+        from: "field1"
+        to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above: - field1 is decoded in field2
+
+The `decode_base64_field` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be base64 decoded is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the base64 decode of fields is stopped and the original event is returned. If set to false, decoding continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/packetbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/packetbeat/decode-duration.md b/docs/reference/packetbeat/decode-duration.md
new file mode 100644
index 000000000000..84d104e621a9
--- /dev/null
+++ b/docs/reference/packetbeat/decode-duration.md
@@ -0,0 +1,25 @@
+---
+navigation_title: "decode_duration"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/decode-duration.html
+---
+
+# Decode duration [decode-duration]
+
+
+The `decode_duration` processor decodes a Go-style duration string into a specific `format`.
+
+For more information about the Go `time.Duration` string style, refer to the [Go documentation](https://pkg.go.dev/time#Duration).
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | yes |  | Which field of event needs to be decoded as `time.Duration` |  |
+| `format` | yes | `milliseconds` | Supported formats: `milliseconds`/`seconds`/`minutes`/`hours` |  |
+
+```yaml
+processors:
+  - decode_duration:
+      field: "app.rpc.cost"
+      format: "milliseconds"
+```
+
diff --git a/docs/reference/packetbeat/decode-json-fields.md b/docs/reference/packetbeat/decode-json-fields.md
new file mode 100644
index 000000000000..29c4a917e963
--- /dev/null
+++ b/docs/reference/packetbeat/decode-json-fields.md
@@ -0,0 +1,48 @@
+---
+navigation_title: "decode_json_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/decode-json-fields.html
+---
+
+# Decode JSON fields [decode-json-fields]
+
+
+The `decode_json_fields` processor decodes fields containing JSON strings and replaces the strings with valid JSON objects.
+
+```yaml
+processors:
+  - decode_json_fields:
+      fields: ["field1", "field2", ...]
+      process_array: false
+      max_depth: 1
+      target: ""
+      overwrite_keys: false
+      add_error_key: true
+```
+
+The `decode_json_fields` processor has the following configuration settings:
+
+`fields`
+:   The fields containing JSON strings to decode.
+
+`process_array`
+:   (Optional) A Boolean value that specifies whether to process arrays. The default is `false`.
+
+`max_depth`
+:   (Optional) The maximum parsing depth. A value of `1`  will decode the JSON objects in fields indicated in `fields`, a value of `2` will also decode the objects embedded in the fields of these parsed documents. The default is `1`.
+
+`target`
+:   (Optional) The field under which the decoded JSON will be written. By default, the decoded JSON object replaces the string field from which it was read. To merge the decoded JSON fields into the root of the event, specify `target` with an empty string (`target: ""`). Note that the `null` value (`target:`) is treated as if the field was not set.
+
+`overwrite_keys`
+:   (Optional) A Boolean value that specifies whether existing keys in the event are overwritten by keys from the decoded JSON object. The default value is `false`.
+
+`expand_keys`
+:   (Optional) A Boolean value that specifies whether keys in the decoded JSON should be recursively de-dotted and expanded into a hierarchical object structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`.
+
+`add_error_key`
+:   (Optional) If set to `true` and an error occurs while decoding JSON keys, the `error` field will become a part of the event with the error message. If set to `false`, there will not be any error in the event’s field. The default value is `false`.
+
+`document_id`
+:   (Optional) JSON key that’s used as the document ID. If configured, the field will be removed from the original JSON document and stored in `@metadata._id`
+
diff --git a/docs/reference/packetbeat/decode-xml-wineventlog.md b/docs/reference/packetbeat/decode-xml-wineventlog.md
new file mode 100644
index 000000000000..3f6f5233e2dc
--- /dev/null
+++ b/docs/reference/packetbeat/decode-xml-wineventlog.md
@@ -0,0 +1,162 @@
+---
+navigation_title: "decode_xml_wineventlog"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/decode-xml-wineventlog.html
+---
+
+# Decode XML Wineventlog [decode-xml-wineventlog]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `decode_xml_wineventlog` processor decodes Windows Event Log data in XML format that is stored under the `field` key. It outputs the result into the `target_field`.
+
+The output fields will be the same as the [winlogbeat winlog fields](/reference/winlogbeat/exported-fields-winlog.md#_winlog).
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the XML. Defaults to `message`.
+
+`target_field`
+:   (Required) The field under which the decoded XML will be written. To merge the decoded XML fields into the root of the event specify `target_field` with an empty string (`target_field: ""`). The default value is `winlog`.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the decoded XML object. The default value is `true`.
+
+`map_ecs_fields`
+:   (Optional) A boolean that specifies whether to map additional ECS fields when possible. Note that ECS field keys are placed outside of `target_field`. The default value is `true`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+`language`
+:   (Optional) The language ID the events will be rendered in. The language will be forced regardless of the system language. Forwarded events will ignore this setting. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language.
+
+Example:
+
+```yaml
+processors:
+  - decode_xml_wineventlog:
+      field: event.original
+      target_field: winlog
+```
+
+```json
+{
+  "event": {
+    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>"
+  }
+}
+```
+
+Will produce the following output:
+
+```json
+{
+  "event": {
+    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>",
+    "action":   "Special Logon",
+		"code":     "4672",
+		"kind":     "event",
+		"outcome":  "success",
+		"provider": "Microsoft-Windows-Security-Auditing",
+  },
+	"host": {
+    "name": "vagrant",
+  },
+  "log": {
+    "level": "information",
+  },
+  "winlog": {
+    "channel": "Security",
+    "outcome": "success",
+    "activity_id": "{ffb23523-1f32-0000-c335-b2ff321fd701}",
+    "level": "information",
+    "event_id": 4672,
+    "provider_name": "Microsoft-Windows-Security-Auditing",
+    "record_id": 11303,
+    "computer_name": "vagrant",
+    "keywords_raw": 9232379236109516800,
+    "opcode": "Info",
+    "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+    "event_data": {
+      "SubjectUserSid": "S-1-5-18",
+      "SubjectUserName": "SYSTEM",
+      "SubjectDomainName": "NT AUTHORITY",
+      "SubjectLogonId": "0x3e7",
+      "PrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"
+    },
+    "task": "Special Logon",
+    "keywords": [
+      "Audit Success"
+    ],
+    "message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
+    "process": {
+      "pid": 652,
+      "thread": {
+        "id": 4660
+      }
+    }
+  }
+}
+```
+
+See [Conditions](/reference/packetbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+The field mappings are as follows:
+
+| Event Field | Source XML Element | Notes |
+| --- | --- | --- |
+| `winlog.channel` | `<Event><System><Channel>` |  |
+| `winlog.event_id` | `<Event><System><EventID>` |  |
+| `winlog.provider_name` | `<Event><System><Provider>` | `Name` attribute |
+| `winlog.record_id` | `<Event><System><EventRecordID>` |  |
+| `winlog.task` | `<Event><System><Task>` |  |
+| `winlog.computer_name` | `<Event><System><Computer>` |  |
+| `winlog.keywords` | `<Event><RenderingInfo><Keywords>` | list of each `Keyword` |
+| `winlog.opcodes` | `<Event><RenderingInfo><Opcode>` |  |
+| `winlog.provider_guid` | `<Event><System><Provider>` | `Guid` attribute |
+| `winlog.version` | `<Event><System><Version>` |  |
+| `winlog.time_created` | `<Event><System><TimeCreated>` | `SystemTime` attribute |
+| `winlog.outcome` | `<Event><System><Keywords>` | "success" if bit 0x20000000000000 is set, "failure" if 0x10000000000000 is set |
+| `winlog.level` | `<Event><System><Level>` | converted to lowercase |
+| `winlog.message` | `<Event><RenderingInfo><Message>` | line endings removed |
+| `winlog.user.identifier` | `<Event><System><Security><UserID>` |  |
+| `winlog.user.domain` | `<Event><System><Security><Domain>` |  |
+| `winlog.user.name` | `<Event><System><Security><Name>` |  |
+| `winlog.user.type` | `<Event><System><Security><Type>` | converted from integer to String |
+| `winlog.event_data` | `<Event><EventData>` | map where `Name` attribute in Data element is key, and value is the value of the Data element |
+| `winlog.user_data` | `<Event><UserData>` | map where `Name` attribute in Data element is key, and value is the value of the Data element |
+| `winlog.activity_id` | `<Event><System><Correlation><ActivityID>` |  |
+| `winlog.related_activity_id` | `<Event><System><Correlation><RelatedActivityID>` |  |
+| `winlog.kernel_time` | `<Event><System><Execution><KernelTime>` |  |
+| `winlog.process.pid` | `<Event><System><Execution><ProcessID>` |  |
+| `winlog.process.thread.id` | `<Event><System><Execution><ThreadID>` |  |
+| `winlog.processor_id` | `<Event><System><Execution><ProcessorID>` |  |
+| `winlog.processor_time` | `<Event><System><Execution><ProcessorTime>` |  |
+| `winlog.session_id` | `<Event><System><Execution><SessionID>` |  |
+| `winlog.user_time` | `<Event><System><Execution><UserTime>` |  |
+| `winlog.error.code` | `<Event><ProcessingErrorData><ErrorCode>` |  |
+
+If `map_ecs_fields` is enabled then the following field mappings are also performed:
+
+| Event Field | Source XML or other field | Notes |
+| --- | --- | --- |
+| `event.code` | `winlog.event_id` |  |
+| `event.kind` | `"event"` |  |
+| `event.provider` | `<Event><System><Provider>` | `Name` attribute |
+| `event.action` | `<Event><RenderingInfo><Task>` |  |
+| `event.host.name` | `<Event><System><Computer>` |  |
+| `event.outcome` | `winlog.outcome` |  |
+| `log.level` | `winlog.level` |  |
+| `message` | `winlog.message` |  |
+| `error.code` | `winlog.error.code` |  |
+| `error.message` | `winlog.error.message` |  |
+
diff --git a/docs/reference/packetbeat/decode-xml.md b/docs/reference/packetbeat/decode-xml.md
new file mode 100644
index 000000000000..2654617d2b39
--- /dev/null
+++ b/docs/reference/packetbeat/decode-xml.md
@@ -0,0 +1,96 @@
+---
+navigation_title: "decode_xml"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/decode-xml.html
+---
+
+# Decode XML [decode-xml]
+
+
+The `decode_xml` processor decodes XML data that is stored under the `field` key. It outputs the result into the `target_field`.
+
+This example demonstrates how to decode an XML string contained in the `message` field and write the resulting fields into the root of the document. Any fields that already exist will be overwritten.
+
+```yaml
+processors:
+  - decode_xml:
+      field: message
+      target_field: ""
+      overwrite_keys: true
+```
+
+By default any decoding errors that occur will stop the processing chain and the error will be added to `error.message` field. To ignore all errors and continue to the next processor you can set `ignore_failure: true`. To specifically ignore failures caused by `field` not existing you can set `ignore_missing: true`.
+
+```yaml
+processors:
+  - decode_xml:
+      field: example
+      target_field: xml
+      ignore_missing: true
+      ignore_failure: true
+```
+
+By default all keys converted from XML will have the names converted to lowercase. If there is a need to disable this behavior it is possible to use the below example:
+
+```yaml
+processors:
+  - decode_xml:
+      field: message
+      target_field: xml
+      to_lower: false
+```
+
+Example XML input:
+
+```xml
+<catalog>
+  <book seq="1">
+    <author>William H. Gaddis</author>
+    <title>The Recognitions</title>
+    <review>One of the great seminal American novels of the 20th century.</review>
+  </book>
+</catalog>
+```
+
+Will produce the following output:
+
+```json
+{
+	"xml": {
+		"catalog": {
+			"book": {
+				"author": "William H. Gaddis",
+				"review": "One of the great seminal American novels of the 20th century.",
+				"seq": "1",
+				"title": "The Recognitions"
+			}
+		}
+	}
+}
+```
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the XML. Defaults to `message`.
+
+`target_field`
+:   (Optional) The field under which the decoded XML will be written. By default the decoded XML object replaces the field from which it was read. To merge the decoded XML fields into the root of the event specify `target_field` with an empty string (`target_field: ""`). Note that the `null` value (`target_field:`) is treated as if the field was not set at all.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the decoded XML object. The default value is `true`.
+
+`to_lower`
+:   (Optional) Converts all keys to lowercase. Accepts either `true` or `false`. The default value is `true`.
+
+`document_id`
+:   (Optional) XML key to use as the document ID. If configured, the field will be removed from the original XML document and stored in `@metadata._id`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+See [Conditions](/reference/packetbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/packetbeat/decompress-gzip-field.md b/docs/reference/packetbeat/decompress-gzip-field.md
new file mode 100644
index 000000000000..f64e6686b77b
--- /dev/null
+++ b/docs/reference/packetbeat/decompress-gzip-field.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "decompress_gzip_field"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/decompress-gzip-field.html
+---
+
+# Decompress gzip fields [decompress-gzip-field]
+
+
+The `decompress_gzip_field` processor specifies a field to gzip decompress. The `field` key contains a `from: old-key` and a `to: new-key` pair. `from` is the origin and `to` the target name of the field.
+
+To overwrite fields either first rename the target field or use the `drop_fields` processor to drop the field and then decompress the field.
+
+```yaml
+processors:
+  - decompress_gzip_field:
+      field:
+        from: "field1"
+        to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above: - field1 is decoded in field2
+
+The `decompress_gzip_field` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be decompressed is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the decompression of fields is stopped and the original event is returned. If set to false, decompression continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/packetbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/packetbeat/defining-processors.md b/docs/reference/packetbeat/defining-processors.md
new file mode 100644
index 000000000000..0f1d5e448f64
--- /dev/null
+++ b/docs/reference/packetbeat/defining-processors.md
@@ -0,0 +1,339 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/defining-processors.html
+---
+
+# Define processors [defining-processors]
+
+You can use processors to filter and enhance data before sending it to the configured output. To define a processor, you specify the processor name, an optional condition, and a set of parameters:
+
+```yaml
+processors:
+  - <processor_name>:
+      when:
+        <condition>
+      <parameters>
+
+  - <processor_name>:
+      when:
+        <condition>
+      <parameters>
+
+...
+```
+
+Where:
+
+* `<processor_name>` specifies a [processor](#processors) that performs some kind of action, such as selecting the fields that are exported or adding metadata to the event.
+* `<condition>` specifies an optional [condition](#conditions). If the condition is present, then the action is executed only if the condition is fulfilled. If no condition is set, then the action is always executed.
+* `<parameters>` is the list of parameters to pass to the processor.
+
+More complex conditional processing can be accomplished by using the if-then-else processor configuration. This allows multiple processors to be executed based on a single condition.
+
+```yaml
+processors:
+  - if:
+      <condition>
+    then: <1>
+      - <processor_name>:
+          <parameters>
+      - <processor_name>:
+          <parameters>
+      ...
+    else: <2>
+      - <processor_name>:
+          <parameters>
+      - <processor_name>:
+          <parameters>
+      ...
+```
+
+1. `then` must contain a single processor or a list of one or more processors to execute when the condition evaluates to true.
+2. `else` is optional. It can contain a single processor or a list of processors to execute when the conditional evaluate to false.
+
+
+## Where are processors valid? [where-valid]
+
+Processors are valid:
+
+* At the top-level in the configuration. The processor is applied to all data collected by Packetbeat.
+* Under a specific protocol. The processor is applied to the data collected for that protocol.
+
+    ```yaml
+    packetbeat.protocols:
+    - type: <protocol_type>
+      processors:
+        - <processor_name>:
+            when:
+              <condition>
+            <parameters>
+    ```
+
+* Under `packetbeat.flows`. The processor is applied to the data in [network flows](/reference/packetbeat/configuration-flows.md):
+
+    ```yaml
+    packetbeat.flows:
+      processors:
+        - <processor_name>:
+            when:
+              <condition>
+            <parameters>
+    ```
+
+
+
+## Processors [processors]
+
+The supported processors are:
+
+* [`add_cloud_metadata`](/reference/packetbeat/add-cloud-metadata.md)
+* [`add_cloudfoundry_metadata`](/reference/packetbeat/add-cloudfoundry-metadata.md)
+* [`add_docker_metadata`](/reference/packetbeat/add-docker-metadata.md)
+* [`add_fields`](/reference/packetbeat/add-fields.md)
+* [`add_host_metadata`](/reference/packetbeat/add-host-metadata.md)
+* [`add_id`](/reference/packetbeat/add-id.md)
+* [`add_kubernetes_metadata`](/reference/packetbeat/add-kubernetes-metadata.md)
+* [`add_labels`](/reference/packetbeat/add-labels.md)
+* [`add_locale`](/reference/packetbeat/add-locale.md)
+* [`add_nomad_metadata`](/reference/packetbeat/add-nomad-metadata.md)
+* [`add_observer_metadata`](/reference/packetbeat/add-observer-metadata.md)
+* [`add_process_metadata`](/reference/packetbeat/add-process-metadata.md)
+* [`add_tags`](/reference/packetbeat/add-tags.md)
+* [`append`](/reference/packetbeat/append.md)
+* [`community_id`](/reference/packetbeat/community-id.md)
+* [`convert`](/reference/packetbeat/convert.md)
+* [`copy_fields`](/reference/packetbeat/copy-fields.md)
+* [`decode_base64_field`](/reference/packetbeat/decode-base64-field.md)
+* [`decode_duration`](/reference/packetbeat/decode-duration.md)
+* [`decode_json_fields`](/reference/packetbeat/decode-json-fields.md)
+* [`decode_xml`](/reference/packetbeat/decode-xml.md)
+* [`decode_xml_wineventlog`](/reference/packetbeat/decode-xml-wineventlog.md)
+* [`decompress_gzip_field`](/reference/packetbeat/decompress-gzip-field.md)
+* [`detect_mime_type`](/reference/packetbeat/detect-mime-type.md)
+* [`dissect`](/reference/packetbeat/dissect.md)
+* [`dns`](/reference/packetbeat/processor-dns.md)
+* [`drop_event`](/reference/packetbeat/drop-event.md)
+* [`drop_fields`](/reference/packetbeat/drop-fields.md)
+* [`extract_array`](/reference/packetbeat/extract-array.md)
+* [`fingerprint`](/reference/packetbeat/fingerprint.md)
+* [`include_fields`](/reference/packetbeat/include-fields.md)
+* [`move-fields`](/reference/packetbeat/move-fields.md)
+* [`rate_limit`](/reference/packetbeat/rate-limit.md)
+* [`registered_domain`](/reference/packetbeat/processor-registered-domain.md)
+* [`rename`](/reference/packetbeat/rename-fields.md)
+* [`replace`](/reference/packetbeat/replace-fields.md)
+* [`syslog`](/reference/packetbeat/syslog.md)
+* [`translate_ldap_attribute`](/reference/packetbeat/processor-translate-guid.md)
+* [`translate_sid`](/reference/packetbeat/processor-translate-sid.md)
+* [`truncate_fields`](/reference/packetbeat/truncate-fields.md)
+* [`urldecode`](/reference/packetbeat/urldecode.md)
+
+
+## Conditions [conditions]
+
+Each condition receives a field to compare. You can specify multiple fields under the same condition by using `AND` between the fields (for example, `field1 AND field2`).
+
+For each field, you can specify a simple field name or a nested map, for example `dns.question.name`.
+
+See [Exported fields](/reference/packetbeat/exported-fields.md) for a list of all the fields that are exported by Packetbeat.
+
+The supported conditions are:
+
+* [`equals`](#condition-equals)
+* [`contains`](#condition-contains)
+* [`regexp`](#condition-regexp)
+* [`range`](#condition-range)
+* [`network`](#condition-network)
+* [`has_fields`](#condition-has_fields)
+* [`or`](#condition-or)
+* [`and`](#condition-and)
+* [`not`](#condition-not)
+
+
+#### `equals` [condition-equals]
+
+With the `equals` condition, you can compare if a field has a certain value. The condition accepts only an integer or a string value.
+
+For example, the following condition checks if the response code of the HTTP transaction is 200:
+
+```yaml
+equals:
+  http.response.code: 200
+```
+
+
+#### `contains` [condition-contains]
+
+The `contains` condition checks if a value is part of a field. The field can be a string or an array of strings. The condition accepts only a string value.
+
+For example, the following condition checks if an error is part of the transaction status:
+
+```yaml
+contains:
+  status: "Specific error"
+```
+
+
+#### `regexp` [condition-regexp]
+
+The `regexp` condition checks the field against a regular expression. The condition accepts only strings.
+
+For example, the following condition checks if the process name starts with `foo`:
+
+```yaml
+regexp:
+  system.process.name: "^foo.*"
+```
+
+
+#### `range` [condition-range]
+
+The `range` condition checks if the field is in a certain range of values. The condition supports `lt`, `lte`, `gt` and `gte`. The condition accepts only integer, float, or strings that can be converted to either of these as values.
+
+For example, the following condition checks for failed HTTP transactions by comparing the `http.response.code` field with 400.
+
+```yaml
+range:
+  http.response.code:
+    gte: 400
+```
+
+This can also be written as:
+
+```yaml
+range:
+  http.response.code.gte: 400
+```
+
+The following condition checks if the CPU usage in percentage has a value between 0.5 and 0.8.
+
+```yaml
+range:
+  system.cpu.user.pct.gte: 0.5
+  system.cpu.user.pct.lt: 0.8
+```
+
+
+#### `network` [condition-network]
+
+The `network` condition checks whether a field’s value falls within a specified IP network range. If multiple fields are provided, each field value must match its corresponding network range. You can specify multiple network ranges for a single field, and a match occurs if any one of the ranges matches. If the field value is an array of IPs, it will match if any of the IPs fall within any of the given ranges. Both IPv4 and IPv6 addresses are supported.
+
+The network range may be specified using CIDR notation, like "192.0.2.0/24" or "2001:db8::/32", or by using one of these named ranges:
+
+* `loopback` - Matches loopback addresses in the range of `127.0.0.0/8` or `::1/128`.
+* `unicast` - Matches global unicast addresses defined in RFC 1122, RFC 4632, and RFC 4291 with the exception of the IPv4 broadcast address (`255.255.255.255`). This includes private address ranges.
+* `multicast` - Matches multicast addresses.
+* `interface_local_multicast` - Matches IPv6 interface-local multicast addresses.
+* `link_local_unicast` - Matches link-local unicast addresses.
+* `link_local_multicast` - Matches link-local multicast addresses.
+* `private` - Matches private address ranges defined in RFC 1918 (IPv4) and RFC 4193 (IPv6).
+* `public` - Matches addresses that are not loopback, unspecified, IPv4 broadcast, link local unicast, link local multicast, interface local multicast, or private.
+* `unspecified` - Matches unspecified addresses (either the IPv4 address "0.0.0.0" or the IPv6 address "::").
+
+The following condition returns true if the `source.ip` value is within the private address space.
+
+```yaml
+network:
+  source.ip: private
+```
+
+This condition returns true if the `destination.ip` value is within the IPv4 range of `192.168.1.0` - `192.168.1.255`.
+
+```yaml
+network:
+  destination.ip: '192.168.1.0/24'
+```
+
+And this condition returns true when `destination.ip` is within any of the given subnets.
+
+```yaml
+network:
+  destination.ip: ['192.168.1.0/24', '10.0.0.0/8', loopback]
+```
+
+
+#### `has_fields` [condition-has_fields]
+
+The `has_fields` condition checks if all the given fields exist in the event. The condition accepts a list of string values denoting the field names.
+
+For example, the following condition checks if the `http.response.code` field is present in the event.
+
+```yaml
+has_fields: ['http.response.code']
+```
+
+
+#### `or` [condition-or]
+
+The `or` operator receives a list of conditions.
+
+```yaml
+or:
+  - <condition1>
+  - <condition2>
+  - <condition3>
+  ...
+```
+
+For example, to configure the condition `http.response.code = 304 OR http.response.code = 404`:
+
+```yaml
+or:
+  - equals:
+      http.response.code: 304
+  - equals:
+      http.response.code: 404
+```
+
+
+#### `and` [condition-and]
+
+The `and` operator receives a list of conditions.
+
+```yaml
+and:
+  - <condition1>
+  - <condition2>
+  - <condition3>
+  ...
+```
+
+For example, to configure the condition `http.response.code = 200 AND status = OK`:
+
+```yaml
+and:
+  - equals:
+      http.response.code: 200
+  - equals:
+      status: OK
+```
+
+To configure a condition like `<condition1> OR <condition2> AND <condition3>`:
+
+```yaml
+or:
+  - <condition1>
+  - and:
+    - <condition2>
+    - <condition3>
+```
+
+
+#### `not` [condition-not]
+
+The `not` operator receives the condition to negate.
+
+```yaml
+not:
+  <condition>
+```
+
+For example, to configure the condition `NOT status = OK`:
+
+```yaml
+not:
+  equals:
+    status: OK
+```
+
+
diff --git a/docs/reference/packetbeat/detect-mime-type.md b/docs/reference/packetbeat/detect-mime-type.md
new file mode 100644
index 000000000000..7443c10f91cf
--- /dev/null
+++ b/docs/reference/packetbeat/detect-mime-type.md
@@ -0,0 +1,22 @@
+---
+navigation_title: "detect_mime_type"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/detect-mime-type.html
+---
+
+# Detect mime type [detect-mime-type]
+
+
+The `detect_mime_type` processor attempts to detect a mime type for a field that contains a given stream of bytes. The `field` key contains the field used as the data source and the `target` key contains the field to populate with the detected type. It’s supported to use `@metadata.` prefix for `target` and set the value in the event metadata instead of fields.
+
+```yaml
+processors:
+  - detect_mime_type:
+      field: http.request.body.content
+      target: http.request.mime_type
+```
+
+In the example above: - http.request.body.content is used as the source and http.request.mime_type is set to the detected mime type
+
+See [Conditions](/reference/packetbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/packetbeat/diff-logstash-beats.md b/docs/reference/packetbeat/diff-logstash-beats.md
new file mode 100644
index 000000000000..47c0b3f0c200
--- /dev/null
+++ b/docs/reference/packetbeat/diff-logstash-beats.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/diff-logstash-beats.html
+---
+
+# Not sure whether to use Logstash or Beats [diff-logstash-beats]
+
+Beats are lightweight data shippers that you install as agents on your servers to send specific types of operational data to {{es}}. Beats have a small footprint and use fewer system resources than {{ls}}.
+
+{{ls}} has a larger footprint, but provides a broad array of input, filter, and output plugins for collecting, enriching, and transforming data from a variety of sources.
+
+For more information, see the [{{ls}} Introduction](logstash://reference/index.md) and the [Beats Overview](/reference/index.md).
+
diff --git a/docs/reference/packetbeat/directory-layout.md b/docs/reference/packetbeat/directory-layout.md
new file mode 100644
index 000000000000..800c4845e5d6
--- /dev/null
+++ b/docs/reference/packetbeat/directory-layout.md
@@ -0,0 +1,70 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/directory-layout.html
+---
+
+# Directory layout [directory-layout]
+
+The directory layout of an installation is as follows:
+
+::::{tip}
+Archive installation has a different layout. See [zip, tar.gz, or tgz](#directory-layout-archive).
+::::
+
+
+| Type | Description | Default Location | Config Option |
+| --- | --- | --- | --- |
+| home | Home of the Packetbeat installation. |  | `path.home` |
+| bin | The location for the binary files. | `{path.home}/bin` |  |
+| config | The location for configuration files. | `{path.home}` | `path.config` |
+| data | The location for persistent data files. | `{path.home}/data` | `path.data` |
+| logs | The location for the logs created by Packetbeat. | `{path.home}/logs` | `path.logs` |
+
+You can change these settings by using CLI flags or setting [path options](/reference/packetbeat/configuration-path.md) in the configuration file.
+
+## Default paths [_default_paths]
+
+Packetbeat uses the following default paths unless you explicitly change them.
+
+
+#### deb and rpm [_deb_and_rpm]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Packetbeat installation. | `/usr/share/packetbeat` |
+| bin | The location for the binary files. | `/usr/share/packetbeat/bin` |
+| config | The location for configuration files. | `/etc/packetbeat` |
+| data | The location for persistent data files. | `/var/lib/packetbeat` |
+| logs | The location for the logs created by Packetbeat. | `/var/log/packetbeat` |
+
+For the deb and rpm distributions, these paths are set in the init script or in the systemd unit file.  Make sure that you start the Packetbeat service by using the preferred operating system method (init scripts or `systemctl`). Otherwise the paths might be set incorrectly.
+
+
+#### docker [_docker]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Packetbeat installation. | `/usr/share/packetbeat` |
+| bin | The location for the binary files. | `/usr/share/packetbeat` |
+| config | The location for configuration files. | `/usr/share/packetbeat` |
+| data | The location for persistent data files. | `/usr/share/packetbeat/data` |
+| logs | The location for the logs created by Packetbeat. | `/usr/share/packetbeat/logs` |
+
+
+#### zip, tar.gz, or tgz [directory-layout-archive]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Packetbeat installation. | `{extract.path}` |
+| bin | The location for the binary files. | `{extract.path}` |
+| config | The location for configuration files. | `{extract.path}` |
+| data | The location for persistent data files. | `{extract.path}/data` |
+| logs | The location for the logs created by Packetbeat. | `{extract.path}/logs` |
+
+For the zip, tar.gz, or tgz distributions, these paths are based on the location of the extracted binary file. This means that if you start Packetbeat with the following simple command, all paths are set correctly:
+
+```sh
+./packetbeat
+```
+
+
diff --git a/docs/reference/packetbeat/discard-output.md b/docs/reference/packetbeat/discard-output.md
new file mode 100644
index 000000000000..cff077061ccc
--- /dev/null
+++ b/docs/reference/packetbeat/discard-output.md
@@ -0,0 +1,37 @@
+---
+navigation_title: "Discard"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/discard-output.html
+---
+
+# Configure the Discard output [discard-output]
+
+
+The Discard output throws away data.
+
+::::{warning}
+The Discard output should be used only for development or debugging issues. Data is lost.
+::::
+
+
+This can be useful if you want to work on your input configuration without needing to configure an output. It can also be useful to test how changes in input and processor configuration affect performance.
+
+Example configuration:
+
+```yaml
+output.discard:
+  enabled: true
+```
+
+## Configuration options [_configuration_options_22]
+
+You can specify the following `output.discard` options in the `packetbeat.yml` config file:
+
+### `enabled` [_enabled_10]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+
diff --git a/docs/reference/packetbeat/dissect.md b/docs/reference/packetbeat/dissect.md
new file mode 100644
index 000000000000..98337d5a9e0a
--- /dev/null
+++ b/docs/reference/packetbeat/dissect.md
@@ -0,0 +1,95 @@
+---
+navigation_title: "dissect"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/dissect.html
+---
+
+# Dissect strings [dissect]
+
+
+The `dissect` processor tokenizes incoming strings using defined patterns.
+
+```yaml
+processors:
+  - dissect:
+      tokenizer: "%{key1} %{key2} %{key3|convert_datatype}"
+      field: "message"
+      target_prefix: "dissect"
+```
+
+The `dissect` processor has the following configuration settings:
+
+`tokenizer`
+:   The field used to define the **dissection** pattern. Optional convert datatype can be provided after the key using `|` as separator to convert the value from string to integer, long, float, double, boolean or ip.
+
+`field`
+:   (Optional) The event field to tokenize. Default is `message`.
+
+`target_prefix`
+:   (Optional) The name of the field where the values will be extracted. When an empty string is defined, the processor will create the keys at the root of the event. Default is `dissect`. When the target key already exists in the event, the processor won’t replace it and log an error; you need to either drop or rename the key before using dissect, or enable the `overwrite_keys` flag.
+
+`ignore_failure`
+:   (Optional) Flag to control whether the processor returns an error if the tokenizer fails to match the message field. If set to true, the processor will silently restore the original event, allowing execution of subsequent processors (if any). If set to false (default), the processor will log an error, preventing execution of other processors.
+
+`overwrite_keys`
+:   (Optional) When set to true, the processor will overwrite existing keys in the event. The default is false, which causes the processor to fail when a key already exists.
+
+`trim_values`
+:   (Optional) Enables the trimming of the extracted values. Useful to remove leading and/or trailing spaces. Possible values are:
+
+    * `none`: (default) no trimming is performed.
+    * `left`: values are trimmed on the left (leading).
+    * `right`: values are trimmed on the right (trailing).
+    * `all`: values are trimmed for leading and trailing.
+
+
+`trim_chars`
+:   (Optional) Set of characters to trim from values, when trimming is enabled. The default is to trim the space character (`" "`). To trim multiple characters, simply set it to a string containing all characters to trim. For example, `trim_chars: " \t"` will trim spaces and/or tabs.
+
+For tokenization to be successful, all keys must be found and extracted, if one of them cannot be found an error will be logged and no modification is done on the original event.
+
+::::{note}
+A key can contain any characters except reserved suffix or prefix modifiers:  `/`,`&`, `+`, `#` and `?`.
+::::
+
+
+See [Conditions](/reference/packetbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+## Dissect example [dissect-example]
+
+For this example, imagine that an application generates the following messages:
+
+```sh
+"321 - App01 - WebServer is starting"
+"321 - App01 - WebServer is up and running"
+"321 - App01 - WebServer is scaling 2 pods"
+"789 - App02 - Database is will be restarted in 5 minutes"
+"789 - App02 - Database is up and running"
+"789 - App02 - Database is refreshing tables"
+```
+
+Use the `dissect` processor to split each message into three fields, for example, `service.pid`, `service.name` and `service.status`:
+
+```yaml
+processors:
+  - dissect:
+      tokenizer: '"%{service.pid|integer} - %{service.name} - %{service.status}"'
+      field: "message"
+      target_prefix: ""
+```
+
+This configuration produces fields like:
+
+```json
+"service": {
+  "pid": 321,
+  "name": "App01",
+  "status": "WebServer is up and running"
+},
+```
+
+`service.name` is an ECS [keyword field](elasticsearch://reference/elasticsearch/mapping-reference/keyword.md), which means that you can use it in {{es}} for filtering, sorting, and aggregations.
+
+When possible, use ECS-compatible field names. For more information, see the [Elastic Common Schema](ecs://reference/index.md) documentation.
+
+
diff --git a/docs/reference/packetbeat/drop-event.md b/docs/reference/packetbeat/drop-event.md
new file mode 100644
index 000000000000..aefc60e9ae71
--- /dev/null
+++ b/docs/reference/packetbeat/drop-event.md
@@ -0,0 +1,20 @@
+---
+navigation_title: "drop_event"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/drop-event.html
+---
+
+# Drop events [drop-event]
+
+
+The `drop_event` processor drops the entire event if the associated condition is fulfilled. The condition is mandatory, because without one, all the events are dropped.
+
+```yaml
+processors:
+  - drop_event:
+      when:
+        condition
+```
+
+See [Conditions](/reference/packetbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/packetbeat/drop-fields.md b/docs/reference/packetbeat/drop-fields.md
new file mode 100644
index 000000000000..59c0493f09e2
--- /dev/null
+++ b/docs/reference/packetbeat/drop-fields.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "drop_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/drop-fields.html
+---
+
+# Drop fields from events [drop-fields]
+
+
+The `drop_fields` processor specifies which fields to drop if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always dropped. The `@timestamp` and `type` fields cannot be dropped, even if they show up in the `drop_fields` list.
+
+```yaml
+processors:
+  - drop_fields:
+      when:
+        condition
+      fields: ["field1", "field2", ...]
+      ignore_missing: false
+```
+
+See [Conditions](/reference/packetbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+::::{note}
+If you define an empty list of fields under `drop_fields`, then no fields are dropped.
+::::
+
+
+The `drop_fields` processor has the following configuration settings:
+
+`fields`
+:   If non-empty, a list of matching field names will be removed. Any element in array can contain a regular expression delimited by two slashes (*/reg_exp/*), in order to match (name) and remove more than one field.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
diff --git a/docs/reference/packetbeat/elasticsearch-output.md b/docs/reference/packetbeat/elasticsearch-output.md
new file mode 100644
index 000000000000..74e8259d59ab
--- /dev/null
+++ b/docs/reference/packetbeat/elasticsearch-output.md
@@ -0,0 +1,519 @@
+---
+navigation_title: "Elasticsearch"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/elasticsearch-output.html
+---
+
+# Configure the Elasticsearch output [elasticsearch-output]
+
+
+The Elasticsearch output sends events directly to Elasticsearch using the Elasticsearch HTTP API.
+
+Example configuration:
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"] <1>
+```
+
+1. To enable SSL, add `https` to all URLs defined under *hosts*.
+
+
+When sending data to a secured cluster through the `elasticsearch` output, Packetbeat can use any of the following authentication methods:
+
+* Basic authentication credentials (username and password).
+* Token-based (API key) authentication.
+* Public Key Infrastructure (PKI) certificates.
+
+**Basic authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  username: "packetbeat_writer"
+  password: "{pwd}"
+```
+
+**API key authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  api_key: "ZCV7VnwBgnX0T19fN8Qe:KnR6yE41RrSowb0kQ0HWoA"
+```
+
+**PKI certificate authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  ssl.certificate: "/etc/pki/client/cert.pem"
+  ssl.key: "/etc/pki/client/cert.key"
+```
+
+See [*Secure communication with Elasticsearch*](/reference/packetbeat/securing-communication-elasticsearch.md) for details on each authentication method.
+
+## Compatibility [_compatibility]
+
+This output works with all compatible versions of Elasticsearch. See the [Elastic Support Matrix](https://www.elastic.co/support/matrix#matrix_compatibility).
+
+Optionally, you can set Packetbeat to only connect to instances that are at least on the same version as the Beat. The check can be enabled by setting `output.elasticsearch.allow_older_versions` to `false`. Leaving the setting at it’s default value of `true` avoids an issue where Packetbeat cannot connect to {{es}} after having been upgraded to a version higher than the {{stack}}.
+
+
+## Configuration options [_configuration_options_16]
+
+You can specify the following options in the `elasticsearch` section of the `packetbeat.yml` config file:
+
+### `enabled` [_enabled_4]
+
+The enabled config is a boolean setting to enable or disable the output. If set to `false`, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [hosts-option]
+
+The list of Elasticsearch nodes to connect to. The events are distributed to these nodes in round robin order. If one node becomes unreachable, the event is automatically sent to another node. Each Elasticsearch node can be defined as a `URL` or `IP:PORT`. For example: `http://192.15.3.2`, `https://es.found.io:9230` or `192.24.3.2:9300`. If no port is specified, `9200` is used.
+
+::::{note}
+When a node is defined as an `IP:PORT`, the *scheme* and *path* are taken from the [`protocol`](#protocol-option) and [`path`](#path-option) config options.
+::::
+
+
+```yaml
+output.elasticsearch:
+  hosts: ["10.45.3.2:9220", "10.45.3.1:9230"] <1>
+  protocol: https
+  path: /elasticsearch
+```
+
+1. In the previous example, the Elasticsearch nodes are available at `https://10.45.3.2:9220/elasticsearch` and `https://10.45.3.1:9230/elasticsearch`.
+
+### `compression_level` [compression-level-option]
+
+The gzip compression level. Setting this value to `0` disables compression. The compression level must be in the range of `1` (best speed) to `9` (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the cpu usage.
+
+The default value is `1`.
+
+
+### `escape_html` [_escape_html]
+
+Configure escaping of HTML in strings. Set to `true` to enable escaping.
+
+The default value is `false`.
+
+
+### `worker` or `workers` [worker-option]
+
+The number of workers per configured host publishing events to Elasticsearch. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+The default value is `1`.
+
+
+### `loadbalance` [_loadbalance]
+
+When `loadbalance: true` is set, Packetbeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Packetbeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Packetbeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Packetbeat can connect to at least one of its configured hosts.
+
+The default value is `true`.
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200", "localhost:9201"]
+  loadbalance: true
+```
+
+
+### `api_key` [_api_key]
+
+Instead of using a username and password, you can use API keys to secure communication with {{es}}. The value must be the ID of the API key and the API key joined by a colon: `id:api_key`.
+
+See [*Grant access using API keys*](/reference/packetbeat/beats-api-keys.md) for more information.
+
+
+### `username` [_username]
+
+The basic authentication username for connecting to Elasticsearch.
+
+This user needs the privileges required to publish events to {{es}}. To create a user like this, see [Create a *publishing* user](/reference/packetbeat/privileges-to-publish-events.md).
+
+
+### `password` [_password]
+
+The basic authentication password for connecting to Elasticsearch.
+
+
+### `parameters` [_parameters]
+
+Dictionary of HTTP parameters to pass within the url with index operations.
+
+
+### `protocol` [protocol-option]
+
+The name of the protocol Elasticsearch is reachable on. The options are: `http` or `https`. The default is `http`. However, if you specify a URL for [`hosts`](#hosts-option), the value of `protocol` is overridden by whatever scheme you specify in the URL.
+
+
+### `path` [path-option]
+
+An HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where Elasticsearch listens behind an HTTP reverse proxy that exports the API under a custom prefix.
+
+
+### `headers` [_headers]
+
+Custom HTTP headers to add to each request created by the Elasticsearch output. Example:
+
+```yaml
+output.elasticsearch.headers:
+  X-My-Header: Header contents
+```
+
+It is possible to specify multiple header values for the same header name by separating them with a comma.
+
+
+### `proxy_disable` [_proxy_disable]
+
+If set to `true` all proxy settings, including `HTTP_PROXY` and `HTTPS_PROXY` variables are ignored.
+
+
+### `proxy_url` [_proxy_url]
+
+The URL of the proxy to use when connecting to the Elasticsearch servers. The value must be a complete URL. If a value is not specified through the configuration file then proxy environment variables are used. See the [Go documentation](https://golang.org/pkg/net/http/#ProxyFromEnvironment) for more information about the environment variables.
+
+
+### `proxy_headers` [_proxy_headers]
+
+Additional headers to send to proxies during CONNECT requests.
+
+
+### `index` [index-option-es]
+
+The indexing target to write events to. Can point to an [index](https://www.elastic.co/guide/en/elasticsearch/reference/current/index-mgmt.html), [alias](docs-content://manage-data/data-store/aliases.md), or [data stream](docs-content://manage-data/data-store/data-streams.md). When using daily indices, this will be the index name. The default is `"packetbeat-%{[agent.version]}-%{+yyyy.MM.dd}"`, for example, `"packetbeat-9.0.0-beta1-2025-01-30"`. If you change this setting, you also need to configure the `setup.template.name` and `setup.template.pattern` options (see [Elasticsearch index template](/reference/packetbeat/configuration-template.md)).
+
+If you are using the pre-built Kibana dashboards, you also need to set the `setup.dashboards.index` option (see [Kibana dashboards](/reference/packetbeat/configuration-dashboards.md)).
+
+When [index lifecycle management (ILM)](/reference/packetbeat/ilm.md) is enabled, the default `index` is `"packetbeat-%{[agent.version]}-%{+yyyy.MM.dd}-%{{index_num}}"`, for example, `"packetbeat-9.0.0-beta1-2025-01-30-000001"`. Custom `index` settings are ignored when ILM is enabled. If you’re sending events to a cluster that supports index lifecycle management, see [Index lifecycle management (ILM)](/reference/packetbeat/ilm.md) to learn how to change the index name.
+
+You can set the index dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_type`, to set the index:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  index: "%{[fields.log_type]}-%{[agent.version]}-%{+yyyy.MM.dd}" <1>
+```
+
+1. We recommend including `agent.version` in the name to avoid mapping issues when you upgrade.
+
+
+With this configuration, all events with `log_type: normal` are sent to an index named `normal-9.0.0-beta1-2025-01-30`, and all events with `log_type: critical` are sent to an index named `critical-9.0.0-beta1-2025-01-30`.
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/packetbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`indices`](#indices-option-es) setting for other ways to set the index dynamically.
+
+
+### `indices` [indices-option-es]
+
+An array of index selector rules. Each rule specifies the index to use for events that match the rule. During publishing, Packetbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `indices` setting is missing or no rule matches, the [`index`](#index-option-es) setting is used.
+
+Similar to `index`, defining custom `indices` will disable [Index lifecycle management (ILM)](/reference/packetbeat/ilm.md).
+
+Rule settings:
+
+**`index`**
+:   The index format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `index` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/packetbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sets the index based on whether the `message` field contains the specified string:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  indices:
+    - index: "warning-%{[agent.version]}-%{+yyyy.MM.dd}"
+      when.contains:
+        message: "WARN"
+    - index: "error-%{[agent.version]}-%{+yyyy.MM.dd}"
+      when.contains:
+        message: "ERR"
+```
+
+This configuration results in indices named `warning-9.0.0-beta1-2025-01-30` and `error-9.0.0-beta1-2025-01-30` (plus the default index if no matches are found).
+
+The following example sets the index by taking the name returned by the `index` format string and mapping it to a new name that’s used for the index:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  indices:
+    - index: "%{[fields.log_type]}"
+      mappings:
+        critical: "sev1"
+        normal: "sev2"
+      default: "sev3"
+```
+
+This configuration results in indices named `sev1`, `sev2`, and `sev3`.
+
+The `mappings` setting simplifies the configuration, but is limited to string values. You cannot specify format strings within the mapping pairs.
+
+
+### `ilm` [ilm-es]
+
+Configuration options for index lifecycle management.
+
+See [Index lifecycle management (ILM)](/reference/packetbeat/ilm.md) for more information.
+
+
+### `pipeline` [pipeline-option-es]
+
+A format string value that specifies the ingest pipeline to write events to.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipeline: my_pipeline_id
+```
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+For more information, see [*Parse data using an ingest pipeline*](/reference/packetbeat/configuring-ingest-node.md).
+
+You can set the ingest pipeline dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_type`, to set the pipeline for each event:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipeline: "%{[fields.log_type]}_pipeline"
+```
+
+With this configuration, all events with `log_type: normal` are sent to a pipeline named `normal_pipeline`, and all events with `log_type: critical` are sent to a pipeline named `critical_pipeline`.
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/packetbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`pipelines`](#pipelines-option-es) setting for other ways to set the ingest pipeline dynamically.
+
+
+### `pipelines` [pipelines-option-es]
+
+An array of pipeline selector rules. Each rule specifies the ingest pipeline to use for events that match the rule. During publishing, Packetbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `pipelines` setting is missing or no rule matches, the [`pipeline`](#pipeline-option-es) setting is used.
+
+Rule settings:
+
+**`pipeline`**
+:   The pipeline format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `pipeline` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/packetbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sends events to a specific pipeline based on whether the `message` field contains the specified string:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipelines:
+    - pipeline: "warning_pipeline"
+      when.contains:
+        message: "WARN"
+    - pipeline: "error_pipeline"
+      when.contains:
+        message: "ERR"
+```
+
+The following example sets the pipeline by taking the name returned by the `pipeline` format string and mapping it to a new name that’s used for the pipeline:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipelines:
+    - pipeline: "%{[fields.log_type]}"
+      mappings:
+        critical: "sev1_pipeline"
+        normal: "sev2_pipeline"
+      default: "sev3_pipeline"
+```
+
+With this configuration, all events with `log_type: critical` are sent to `sev1_pipeline`, all events with `log_type: normal` are sent to a `sev2_pipeline`, and all other events are sent to `sev3_pipeline`.
+
+For more information about ingest pipelines, see [*Parse data using an ingest pipeline*](/reference/packetbeat/configuring-ingest-node.md).
+
+
+### `max_retries` [_max_retries]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `bulk_max_size` [bulk-max-size-option]
+
+The maximum number of events to bulk in a single Elasticsearch bulk API index request. The default is 1600.
+
+Events can be collected into batches. Packetbeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `backoff.init` [backoff-init-option]
+
+The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting `backoff.init` seconds, Packetbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is `1s`.
+
+
+### `backoff.max` [backoff-max-option]
+
+The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. The default is `60s`.
+
+
+### `idle_connection_timeout` [idle-connection-timeout-option]
+
+The maximum amount of time an idle connection will remain idle before closing itself. Zero means no limit. The format is a Go language duration (example 60s is 60 seconds). The default is 3s.
+
+
+### `timeout` [_timeout_2]
+
+The http request timeout in seconds for the Elasticsearch request. The default is 90.
+
+
+### `allow_older_versions` [_allow_older_versions]
+
+By default, Packetbeat expects the Elasticsearch instance to be on the same or newer version to provide optimal experience. We suggest you connect to the same version to make sure all features Packetbeat is using are available in your Elasticsearch instance.
+
+You can disable the check for example during updating the Elastic Stack, so data collection can go on.
+
+
+### `ssl` [_ssl]
+
+Configuration options for SSL parameters like the certificate authority to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to Elasticsearch.
+
+See the [secure communication with {{es}}](/reference/packetbeat/securing-communication-elasticsearch.md) guide or [SSL configuration reference](/reference/packetbeat/configuration-ssl.md) for more information.
+
+
+### `kerberos` [_kerberos]
+
+Configuration options for Kerberos authentication.
+
+See [Kerberos](/reference/packetbeat/configuration-kerberos.md) for more information.
+
+
+### `queue` [_queue]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/packetbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `packetbeat.yml` or the `output` section but not both. ===== `non_indexable_policy`
+
+Specifies the behavior when the elasticsearch cluster explicitly rejects documents, for example on mapping conflicts.
+
+#### `drop` [_drop]
+
+The default behaviour, when an event is explicitly rejected by elasticsearch it is dropped.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  non_indexable_policy.drop: ~
+```
+
+
+#### `dead_letter_index` [_dead_letter_index]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+On an explicit rejection, this policy will retry the event in the next batch. However, the target index will change to index specified. In addition, the structure of the event will be change to the following fields:
+
+message
+:   Contains the escaped json of the original event.
+
+error.type
+:   Contains the status code
+
+error.message
+:   Contains status returned by elasticsearch, describing the reason
+
+`index`
+:   The index to send rejected events to.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  non_indexable_policy.dead_letter_index:
+    index: "my-dead-letter-index"
+```
+
+
+
+### `preset` [_preset]
+
+The performance preset to apply to the output configuration.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  preset: balanced
+```
+
+Performance presets apply a set of configuration overrides based on a desired performance goal. If set, a performance preset will override other configuration flags to match the recommended settings for that preset. If a preset doesn’t set a value for a particular field, the user-specified value will be used if present, otherwise the default. Valid options are: * `balanced`: good starting point for general efficiency * `throughput`: good for high data volumes, may increase cpu and memory requirements * `scale`: reduces ambient resource use in large low-throughput deployments * `latency`: minimize the time for fresh data to become visible in Elasticsearch * `custom`: apply user configuration directly with no overrides
+
+The default if unspecified is `custom`.
+
+Presets represent current recommendations based on the intended goal; their effect may change between versions to better suit those goals. Currently the presets have the following effects:
+
+| preset | balanced | throughput | scale | latency |
+| --- | --- | --- | --- | --- |
+| [`bulk_max_size`](#bulk-max-size-option) | 1600 | 1600 | 1600 | 50 |
+| [`worker`](#worker-option) | 1 | 4 | 1 | 1 |
+| [`queue.mem.events`](/reference/packetbeat/configuring-internal-queue.md#queue-mem-events-option) | 3200 | 12800 | 3200 | 4100 |
+| [`queue.mem.flush.min_events`](/reference/packetbeat/configuring-internal-queue.md#queue-mem-flush-min-events-option) | 1600 | 1600 | 1600 | 2050 |
+| [`queue.mem.flush.timeout`](/reference/packetbeat/configuring-internal-queue.md#queue-mem-flush-timeout-option) | `10s` | `5s` | `20s` | `1s` |
+| [`compression_level`](#compression-level-option) | 1 | 1 | 1 | 1 |
+| [`idle_connection_timeout`](#idle-connection-timeout-option) | `3s` | `15s` | `1s` | `60s` |
+| [`backoff.init`](#backoff-init-option) | none | none | `5s` | none |
+| [`backoff.max`](#backoff-max-option) | none | none | `300s` | none |
+
+
+
+## Elasticsearch APIs [es-apis]
+
+Packetbeat will use the `_bulk` API from {{es}}, the events are sent in the order they arrive to the publishing pipeline, a single `_bulk` request may contain events from different inputs/modules. Temporary failures are re-tried.
+
+The status code for each event is checked and handled as:
+
+* `< 300`: The event is counted as `events.acked`
+* `409` (Conflict): The event is counted as `events.duplicates`
+* `429` (Too Many Requests): The event is counted as `events.toomany`
+* `> 399 and < 500`: The `non_indexable_policy` is applied.
+
+
diff --git a/docs/reference/packetbeat/enable-packetbeat-debugging.md b/docs/reference/packetbeat/enable-packetbeat-debugging.md
new file mode 100644
index 000000000000..6cb46aa34f45
--- /dev/null
+++ b/docs/reference/packetbeat/enable-packetbeat-debugging.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/enable-packetbeat-debugging.html
+---
+
+# Debug [enable-packetbeat-debugging]
+
+By default, Packetbeat sends all its output to syslog. When you run Packetbeat in the foreground, you can use the `-e` command line flag to redirect the output to standard error instead. For example:
+
+```sh
+packetbeat -e
+```
+
+The default configuration file is packetbeat.yml (the location of the file varies by platform). You can use a different configuration file by specifying the `-c` flag. For example:
+
+```sh
+packetbeat -e -c mypacketbeatconfig.yml
+```
+
+You can increase the verbosity of debug messages by enabling one or more debug selectors. For example, to view publisher-related messages, start Packetbeat with the `publisher` selector:
+
+```sh
+packetbeat -e -d "publisher"
+```
+
+If you want all the debugging output (fair warning, it’s quite a lot), you can use `*`, like this:
+
+```sh
+packetbeat -e -d "*"
+```
+
diff --git a/docs/reference/packetbeat/error-found-unexpected-character.md b/docs/reference/packetbeat/error-found-unexpected-character.md
new file mode 100644
index 000000000000..a56099ad68f2
--- /dev/null
+++ b/docs/reference/packetbeat/error-found-unexpected-character.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/error-found-unexpected-character.html
+---
+
+# Found unexpected or unknown characters [error-found-unexpected-character]
+
+Either there is a problem with the structure of your config file, or you have used a path or expression that the YAML parser cannot resolve because the config file contains characters that aren’t properly escaped.
+
+If the YAML file contains paths with spaces or unusual characters, wrap the paths in single quotation marks (see [Wrap paths in single quotation marks](/reference/packetbeat/yaml-tips.md#wrap-paths-in-quotes)).
+
+Also see the general advice under [*Avoid YAML formatting problems*](/reference/packetbeat/yaml-tips.md).
+
diff --git a/docs/reference/packetbeat/error-loading-config.md b/docs/reference/packetbeat/error-loading-config.md
new file mode 100644
index 000000000000..f07a5d4fc016
--- /dev/null
+++ b/docs/reference/packetbeat/error-loading-config.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/error-loading-config.html
+---
+
+# Error loading config file [error-loading-config]
+
+You may encounter errors loading the config file on POSIX operating systems if:
+
+* an unauthorized user tries to load the config file, or
+* the config file has the wrong permissions.
+
+See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md) for more about resolving these errors.
+
diff --git a/docs/reference/packetbeat/exported-fields-amqp.md b/docs/reference/packetbeat/exported-fields-amqp.md
new file mode 100644
index 000000000000..b50bc432f9b7
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-amqp.md
@@ -0,0 +1,247 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-amqp.html
+---
+
+# AMQP fields [exported-fields-amqp]
+
+AMQP specific event fields.
+
+**`amqp.reply-code`**
+:   AMQP reply code to an error, similar to http reply-code
+
+type: long
+
+example: 404
+
+
+**`amqp.reply-text`**
+:   Text explaining the error.
+
+type: keyword
+
+
+**`amqp.class-id`**
+:   Failing method class.
+
+type: long
+
+
+**`amqp.method-id`**
+:   Failing method ID.
+
+type: long
+
+
+**`amqp.exchange`**
+:   Name of the exchange.
+
+type: keyword
+
+
+**`amqp.exchange-type`**
+:   Exchange type.
+
+type: keyword
+
+example: fanout
+
+
+**`amqp.passive`**
+:   If set, do not create exchange/queue.
+
+type: boolean
+
+
+**`amqp.durable`**
+:   If set, request a durable exchange/queue.
+
+type: boolean
+
+
+**`amqp.exclusive`**
+:   If set, request an exclusive queue.
+
+type: boolean
+
+
+**`amqp.auto-delete`**
+:   If set, auto-delete queue when unused.
+
+type: boolean
+
+
+**`amqp.no-wait`**
+:   If set, the server will not respond to the method.
+
+type: boolean
+
+
+**`amqp.consumer-tag`**
+:   Identifier for the consumer, valid within the current channel.
+
+
+**`amqp.delivery-tag`**
+:   The server-assigned and channel-specific delivery tag.
+
+type: long
+
+
+**`amqp.message-count`**
+:   The number of messages in the queue, which will be zero for newly-declared queues.
+
+type: long
+
+
+**`amqp.consumer-count`**
+:   The number of consumers of a queue.
+
+type: long
+
+
+**`amqp.routing-key`**
+:   Message routing key.
+
+type: keyword
+
+
+**`amqp.no-ack`**
+:   If set, the server does not expect acknowledgements for messages.
+
+type: boolean
+
+
+**`amqp.no-local`**
+:   If set, the server will not send messages to the connection that published them.
+
+type: boolean
+
+
+**`amqp.if-unused`**
+:   Delete only if unused.
+
+type: boolean
+
+
+**`amqp.if-empty`**
+:   Delete only if empty.
+
+type: boolean
+
+
+**`amqp.queue`**
+:   The queue name identifies the queue within the vhost.
+
+type: keyword
+
+
+**`amqp.redelivered`**
+:   Indicates that the message has been previously delivered to this or another client.
+
+type: boolean
+
+
+**`amqp.multiple`**
+:   Acknowledge multiple messages.
+
+type: boolean
+
+
+**`amqp.arguments`**
+:   Optional additional arguments passed to some methods. Can be of various types.
+
+type: object
+
+
+**`amqp.mandatory`**
+:   Indicates mandatory routing.
+
+type: boolean
+
+
+**`amqp.immediate`**
+:   Request immediate delivery.
+
+type: boolean
+
+
+**`amqp.content-type`**
+:   MIME content type.
+
+type: keyword
+
+example: text/plain
+
+
+**`amqp.content-encoding`**
+:   MIME content encoding.
+
+type: keyword
+
+
+**`amqp.headers`**
+:   Message header field table.
+
+type: object
+
+
+**`amqp.delivery-mode`**
+:   Non-persistent (1) or persistent (2).
+
+type: keyword
+
+
+**`amqp.priority`**
+:   Message priority, 0 to 9.
+
+type: long
+
+
+**`amqp.correlation-id`**
+:   Application correlation identifier.
+
+type: keyword
+
+
+**`amqp.reply-to`**
+:   Address to reply to.
+
+type: keyword
+
+
+**`amqp.expiration`**
+:   Message expiration specification.
+
+type: keyword
+
+
+**`amqp.message-id`**
+:   Application message identifier.
+
+type: keyword
+
+
+**`amqp.timestamp`**
+:   Message timestamp.
+
+type: keyword
+
+
+**`amqp.type`**
+:   Message type name.
+
+type: keyword
+
+
+**`amqp.user-id`**
+:   Creating user id.
+
+type: keyword
+
+
+**`amqp.app-id`**
+:   Creating application id.
+
+type: keyword
+
+
diff --git a/docs/reference/packetbeat/exported-fields-beat-common.md b/docs/reference/packetbeat/exported-fields-beat-common.md
new file mode 100644
index 000000000000..24f12f1a12c7
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-beat-common.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-beat-common.html
+---
+
+# Beat fields [exported-fields-beat-common]
+
+Contains common beat fields available in all event types.
+
+**`agent.hostname`**
+:   Deprecated - use agent.name or agent.id to identify an agent.
+
+type: alias
+
+alias to: agent.name
+
+
+**`beat.timezone`**
+:   type: alias
+
+alias to: event.timezone
+
+
+**`fields`**
+:   Contains user configurable fields.
+
+type: object
+
+
+**`beat.name`**
+:   type: alias
+
+alias to: host.name
+
+
+**`beat.hostname`**
+:   type: alias
+
+alias to: agent.name
+
+
+**`timeseries.instance`**
+:   Time series instance id
+
+type: keyword
+
+
diff --git a/docs/reference/packetbeat/exported-fields-cassandra.md b/docs/reference/packetbeat/exported-fields-cassandra.md
new file mode 100644
index 000000000000..795babd54f77
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-cassandra.md
@@ -0,0 +1,526 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-cassandra.html
+---
+
+# Cassandra fields [exported-fields-cassandra]
+
+Cassandra v4/3 specific event fields.
+
+**`no_request`**
+:   type: alias
+
+alias to: cassandra.no_request
+
+
+
+## cassandra [_cassandra]
+
+Information about the Cassandra request and response.
+
+**`cassandra.no_request`**
+:   Indicates that there is no request because this is a PUSH message.
+
+type: boolean
+
+
+
+## request [_request]
+
+Cassandra request.
+
+
+## headers [_headers_3]
+
+Cassandra request headers.
+
+**`cassandra.request.headers.version`**
+:   The version of the protocol.
+
+type: long
+
+
+**`cassandra.request.headers.flags`**
+:   Flags applying to this frame.
+
+type: keyword
+
+
+**`cassandra.request.headers.stream`**
+:   A frame has a stream id.  If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.
+
+type: keyword
+
+
+**`cassandra.request.headers.op`**
+:   An operation type that distinguishes the actual message.
+
+type: keyword
+
+
+**`cassandra.request.headers.length`**
+:   A integer representing the length of the body of the frame (a frame is limited to 256MB in length).
+
+type: long
+
+
+**`cassandra.request.query`**
+:   The CQL query which client send to cassandra.
+
+type: keyword
+
+
+
+## response [_response]
+
+Cassandra response.
+
+
+## headers [_headers_4]
+
+Cassandra response headers, the structure is as same as request’s header.
+
+**`cassandra.response.headers.version`**
+:   The version of the protocol.
+
+type: long
+
+
+**`cassandra.response.headers.flags`**
+:   Flags applying to this frame.
+
+type: keyword
+
+
+**`cassandra.response.headers.stream`**
+:   A frame has a stream id.  If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.
+
+type: keyword
+
+
+**`cassandra.response.headers.op`**
+:   An operation type that distinguishes the actual message.
+
+type: keyword
+
+
+**`cassandra.response.headers.length`**
+:   A integer representing the length of the body of the frame (a frame is limited to 256MB in length).
+
+type: long
+
+
+
+## result [_result]
+
+Details about the returned result.
+
+**`cassandra.response.result.type`**
+:   Cassandra result type.
+
+type: keyword
+
+
+
+## rows [_rows]
+
+Details about the rows.
+
+**`cassandra.response.result.rows.num_rows`**
+:   Representing the number of rows present in this result.
+
+type: long
+
+
+
+## meta [_meta]
+
+Composed of result metadata.
+
+**`cassandra.response.result.rows.meta.keyspace`**
+:   Only present after set Global_tables_spec, the keyspace name.
+
+type: keyword
+
+
+**`cassandra.response.result.rows.meta.table`**
+:   Only present after set Global_tables_spec, the table name.
+
+type: keyword
+
+
+**`cassandra.response.result.rows.meta.flags`**
+:   Provides information on the formatting of the remaining information.
+
+type: keyword
+
+
+**`cassandra.response.result.rows.meta.col_count`**
+:   Representing the number of columns selected by the query that produced this result.
+
+type: long
+
+
+**`cassandra.response.result.rows.meta.pkey_columns`**
+:   Representing the PK columns index and counts.
+
+type: long
+
+
+**`cassandra.response.result.rows.meta.paging_state`**
+:   The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
+
+type: keyword
+
+
+**`cassandra.response.result.keyspace`**
+:   Indicating the name of the keyspace that has been set.
+
+type: keyword
+
+
+
+## schema_change [_schema_change]
+
+The result to a schema_change message.
+
+**`cassandra.response.result.schema_change.change`**
+:   Representing the type of changed involved.
+
+type: keyword
+
+
+**`cassandra.response.result.schema_change.keyspace`**
+:   This describes which keyspace has changed.
+
+type: keyword
+
+
+**`cassandra.response.result.schema_change.table`**
+:   This describes which table has changed.
+
+type: keyword
+
+
+**`cassandra.response.result.schema_change.object`**
+:   This describes the name of said affected object (either the table, user type, function, or aggregate name).
+
+type: keyword
+
+
+**`cassandra.response.result.schema_change.target`**
+:   Target could be "FUNCTION" or "AGGREGATE", multiple arguments.
+
+type: keyword
+
+
+**`cassandra.response.result.schema_change.name`**
+:   The function/aggregate name.
+
+type: keyword
+
+
+**`cassandra.response.result.schema_change.args`**
+:   One string for each argument type (as CQL type).
+
+type: keyword
+
+
+
+## prepared [_prepared]
+
+The result to a PREPARE message.
+
+**`cassandra.response.result.prepared.prepared_id`**
+:   Representing the prepared query ID.
+
+type: keyword
+
+
+
+## req_meta [_req_meta]
+
+This describes the request metadata.
+
+**`cassandra.response.result.prepared.req_meta.keyspace`**
+:   Only present after set Global_tables_spec, the keyspace name.
+
+type: keyword
+
+
+**`cassandra.response.result.prepared.req_meta.table`**
+:   Only present after set Global_tables_spec, the table name.
+
+type: keyword
+
+
+**`cassandra.response.result.prepared.req_meta.flags`**
+:   Provides information on the formatting of the remaining information.
+
+type: keyword
+
+
+**`cassandra.response.result.prepared.req_meta.col_count`**
+:   Representing the number of columns selected by the query that produced this result.
+
+type: long
+
+
+**`cassandra.response.result.prepared.req_meta.pkey_columns`**
+:   Representing the PK columns index and counts.
+
+type: long
+
+
+**`cassandra.response.result.prepared.req_meta.paging_state`**
+:   The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
+
+type: keyword
+
+
+
+## resp_meta [_resp_meta]
+
+This describes the metadata for the result set.
+
+**`cassandra.response.result.prepared.resp_meta.keyspace`**
+:   Only present after set Global_tables_spec, the keyspace name.
+
+type: keyword
+
+
+**`cassandra.response.result.prepared.resp_meta.table`**
+:   Only present after set Global_tables_spec, the table name.
+
+type: keyword
+
+
+**`cassandra.response.result.prepared.resp_meta.flags`**
+:   Provides information on the formatting of the remaining information.
+
+type: keyword
+
+
+**`cassandra.response.result.prepared.resp_meta.col_count`**
+:   Representing the number of columns selected by the query that produced this result.
+
+type: long
+
+
+**`cassandra.response.result.prepared.resp_meta.pkey_columns`**
+:   Representing the PK columns index and counts.
+
+type: long
+
+
+**`cassandra.response.result.prepared.resp_meta.paging_state`**
+:   The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
+
+type: keyword
+
+
+**`cassandra.response.supported`**
+:   Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message.
+
+type: object
+
+
+
+## authentication [_authentication]
+
+Indicates that the server requires authentication, and which authentication mechanism to use.
+
+**`cassandra.response.authentication.class`**
+:   Indicates the full class name of the IAuthenticator in use
+
+type: keyword
+
+
+**`cassandra.response.warnings`**
+:   The text of the warnings, only occur when Warning flag was set.
+
+type: keyword
+
+
+
+## event [_event]
+
+Event pushed by the server. A client will only receive events for the types it has REGISTERed to.
+
+**`cassandra.response.event.type`**
+:   Representing the event type.
+
+type: keyword
+
+
+**`cassandra.response.event.change`**
+:   The message corresponding respectively to the type of change followed by the address of the new/removed node.
+
+type: keyword
+
+
+**`cassandra.response.event.host`**
+:   Representing the node ip.
+
+type: keyword
+
+
+**`cassandra.response.event.port`**
+:   Representing the node port.
+
+type: long
+
+
+
+## schema_change [_schema_change_2]
+
+The events details related to schema change.
+
+**`cassandra.response.event.schema_change.change`**
+:   Representing the type of changed involved.
+
+type: keyword
+
+
+**`cassandra.response.event.schema_change.keyspace`**
+:   This describes which keyspace has changed.
+
+type: keyword
+
+
+**`cassandra.response.event.schema_change.table`**
+:   This describes which table has changed.
+
+type: keyword
+
+
+**`cassandra.response.event.schema_change.object`**
+:   This describes the name of said affected object (either the table, user type, function, or aggregate name).
+
+type: keyword
+
+
+**`cassandra.response.event.schema_change.target`**
+:   Target could be "FUNCTION" or "AGGREGATE", multiple arguments.
+
+type: keyword
+
+
+**`cassandra.response.event.schema_change.name`**
+:   The function/aggregate name.
+
+type: keyword
+
+
+**`cassandra.response.event.schema_change.args`**
+:   One string for each argument type (as CQL type).
+
+type: keyword
+
+
+
+## error [_error]
+
+Indicates an error processing a request. The body of the message will be an  error code followed by a error message. Then, depending on the exception, more content may follow.
+
+**`cassandra.response.error.code`**
+:   The error code of the Cassandra response.
+
+type: long
+
+
+**`cassandra.response.error.msg`**
+:   The error message of the Cassandra response.
+
+type: keyword
+
+
+**`cassandra.response.error.type`**
+:   The error type of the Cassandra response.
+
+type: keyword
+
+
+
+## details [_details]
+
+The details of the error.
+
+**`cassandra.response.error.details.read_consistency`**
+:   Representing the consistency level of the query that triggered the exception.
+
+type: keyword
+
+
+**`cassandra.response.error.details.required`**
+:   Representing the number of nodes that should be alive to respect consistency level.
+
+type: long
+
+
+**`cassandra.response.error.details.alive`**
+:   Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered).
+
+type: long
+
+
+**`cassandra.response.error.details.received`**
+:   Representing the number of nodes having acknowledged the request.
+
+type: long
+
+
+**`cassandra.response.error.details.blockfor`**
+:   Representing the number of replicas whose acknowledgement is required to achieve consistency level.
+
+type: long
+
+
+**`cassandra.response.error.details.write_type`**
+:   Describe the type of the write that timed out.
+
+type: keyword
+
+
+**`cassandra.response.error.details.data_present`**
+:   It means the replica that was asked for data had responded.
+
+type: boolean
+
+
+**`cassandra.response.error.details.keyspace`**
+:   The keyspace of the failed function.
+
+type: keyword
+
+
+**`cassandra.response.error.details.table`**
+:   The keyspace of the failed function.
+
+type: keyword
+
+
+**`cassandra.response.error.details.stmt_id`**
+:   Representing the unknown ID.
+
+type: keyword
+
+
+**`cassandra.response.error.details.num_failures`**
+:   Representing the number of nodes that experience a failure while executing the request.
+
+type: keyword
+
+
+**`cassandra.response.error.details.function`**
+:   The name of the failed function.
+
+type: keyword
+
+
+**`cassandra.response.error.details.arg_types`**
+:   One string for each argument type (as CQL type) of the failed function.
+
+type: keyword
+
+
diff --git a/docs/reference/packetbeat/exported-fields-cloud.md b/docs/reference/packetbeat/exported-fields-cloud.md
new file mode 100644
index 000000000000..3ec17fc7515f
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-cloud.md
@@ -0,0 +1,57 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-cloud.html
+---
+
+# Cloud provider metadata fields [exported-fields-cloud]
+
+Metadata from cloud providers added by the add_cloud_metadata processor.
+
+**`cloud.image.id`**
+:   Image ID for the cloud instance.
+
+example: ami-abcd1234
+
+
+**`meta.cloud.provider`**
+:   type: alias
+
+alias to: cloud.provider
+
+
+**`meta.cloud.instance_id`**
+:   type: alias
+
+alias to: cloud.instance.id
+
+
+**`meta.cloud.instance_name`**
+:   type: alias
+
+alias to: cloud.instance.name
+
+
+**`meta.cloud.machine_type`**
+:   type: alias
+
+alias to: cloud.machine.type
+
+
+**`meta.cloud.availability_zone`**
+:   type: alias
+
+alias to: cloud.availability_zone
+
+
+**`meta.cloud.project_id`**
+:   type: alias
+
+alias to: cloud.project.id
+
+
+**`meta.cloud.region`**
+:   type: alias
+
+alias to: cloud.region
+
+
diff --git a/docs/reference/packetbeat/exported-fields-common.md b/docs/reference/packetbeat/exported-fields-common.md
new file mode 100644
index 000000000000..04eb14a8d401
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-common.md
@@ -0,0 +1,71 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-common.html
+---
+
+# Common fields [exported-fields-common]
+
+These fields contain data about the environment in which the transaction or flow was captured.
+
+**`type`**
+:   The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
+
+required: True
+
+
+**`server.process.name`**
+:   The name of the process that served the transaction.
+
+
+**`server.process.args`**
+:   The command-line of the process that served the transaction.
+
+
+**`server.process.executable`**
+:   Absolute path to the server process executable.
+
+
+**`server.process.working_directory`**
+:   The working directory of the server process.
+
+
+**`server.process.start`**
+:   The time the server process started.
+
+
+**`client.process.name`**
+:   The name of the process that initiated the transaction.
+
+
+**`client.process.args`**
+:   The command-line of the process that initiated the transaction.
+
+
+**`client.process.executable`**
+:   Absolute path to the client process executable.
+
+
+**`client.process.working_directory`**
+:   The working directory of the client process.
+
+
+**`client.process.start`**
+:   The time the client process started.
+
+
+**`real_ip`**
+:   If the server initiating the transaction is a proxy, this field contains the original client IP address. For HTTP, for example, the IP address extracted from a configurable HTTP header, by default `X-Forwarded-For`. Unless this field is disabled, it always has a value, and it matches the `client_ip` for non proxy clients.
+
+type: alias
+
+alias to: network.forwarded_ip
+
+
+**`transport`**
+:   The transport protocol used for the transaction. If not specified, then tcp is assumed.
+
+type: alias
+
+alias to: network.transport
+
+
diff --git a/docs/reference/packetbeat/exported-fields-dhcpv4.md b/docs/reference/packetbeat/exported-fields-dhcpv4.md
new file mode 100644
index 000000000000..ce8f91a68e88
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-dhcpv4.md
@@ -0,0 +1,211 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-dhcpv4.html
+---
+
+# DHCPv4 fields [exported-fields-dhcpv4]
+
+DHCPv4 event fields
+
+**`dhcpv4.transaction_id`**
+:   Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server.
+
+type: keyword
+
+
+**`dhcpv4.seconds`**
+:   Number of seconds elapsed since client began address acquisition or renewal process.
+
+type: long
+
+
+**`dhcpv4.flags`**
+:   Flags are set by the client to indicate how the DHCP server should its reply — either unicast or broadcast.
+
+type: keyword
+
+
+**`dhcpv4.client_ip`**
+:   The current IP address of the client.
+
+type: ip
+
+
+**`dhcpv4.assigned_ip`**
+:   The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address.
+
+type: ip
+
+
+**`dhcpv4.server_ip`**
+:   The IP address of the DHCP server that the client should use for the next step in the bootstrap process.
+
+type: ip
+
+
+**`dhcpv4.relay_ip`**
+:   The relay IP address used by the client to contact the server (i.e. a DHCP relay server).
+
+type: ip
+
+
+**`dhcpv4.client_mac`**
+:   The client’s MAC address (layer two).
+
+type: keyword
+
+
+**`dhcpv4.server_name`**
+:   The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages.
+
+type: keyword
+
+
+**`dhcpv4.op_code`**
+:   The message op code (bootrequest or bootreply).
+
+type: keyword
+
+example: bootreply
+
+
+**`dhcpv4.hops`**
+:   The number of hops the DHCP message went through.
+
+type: long
+
+
+**`dhcpv4.hardware_type`**
+:   The type of hardware used for the local network (Ethernet, LocalTalk, etc).
+
+type: keyword
+
+
+**`dhcpv4.option.message_type`**
+:   The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform).
+
+type: keyword
+
+example: ack
+
+
+**`dhcpv4.option.parameter_request_list`**
+:   This option is used by a DHCP client to request values for specified configuration parameters.
+
+type: keyword
+
+
+**`dhcpv4.option.requested_ip_address`**
+:   This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned.
+
+type: ip
+
+
+**`dhcpv4.option.server_identifier`**
+:   IP address of the individual DHCP server which handled this message.
+
+type: ip
+
+
+**`dhcpv4.option.broadcast_address`**
+:   This option specifies the broadcast address in use on the client’s subnet.
+
+type: ip
+
+
+**`dhcpv4.option.max_dhcp_message_size`**
+:   This option specifies the maximum length DHCP message that the client is willing to accept.
+
+type: long
+
+
+**`dhcpv4.option.class_identifier`**
+:   This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client.  For example, the identifier may encode the client’s hardware configuration.
+
+type: keyword
+
+
+**`dhcpv4.option.domain_name`**
+:   This option specifies the domain name that client should use when resolving hostnames via the Domain Name System.
+
+type: keyword
+
+
+**`dhcpv4.option.dns_servers`**
+:   The domain name server option specifies a list of Domain Name System servers available to the client.
+
+type: ip
+
+
+**`dhcpv4.option.vendor_identifying_options`**
+:   A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925.
+
+type: object
+
+
+**`dhcpv4.option.subnet_mask`**
+:   The subnet mask that the client should use on the currnet network.
+
+type: ip
+
+
+**`dhcpv4.option.utc_time_offset_sec`**
+:   The time offset field specifies the offset of the client’s subnet in seconds from Coordinated Universal Time (UTC).
+
+type: long
+
+
+**`dhcpv4.option.router`**
+:   The router option specifies a list of IP addresses for routers on the client’s subnet.
+
+type: ip
+
+
+**`dhcpv4.option.time_servers`**
+:   The time server option specifies a list of RFC 868 time servers available to the client.
+
+type: ip
+
+
+**`dhcpv4.option.ntp_servers`**
+:   This option specifies a list of IP addresses indicating NTP servers available to the client.
+
+type: ip
+
+
+**`dhcpv4.option.hostname`**
+:   This option specifies the name of the client.
+
+type: keyword
+
+
+**`dhcpv4.option.ip_address_lease_time_sec`**
+:   This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address.  In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer.
+
+type: long
+
+
+**`dhcpv4.option.message`**
+:   This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate the why the client declined the offered parameters.
+
+type: text
+
+
+**`dhcpv4.option.renewal_time_sec`**
+:   This option specifies the time interval from address assignment until the client transitions to the RENEWING state.
+
+type: long
+
+
+**`dhcpv4.option.rebinding_time_sec`**
+:   This option specifies the time interval from address assignment until the client transitions to the REBINDING state.
+
+type: long
+
+
+**`dhcpv4.option.boot_file_name`**
+:   This option is used to identify a bootfile when the *file* field in the DHCP header has been used for DHCP options.
+
+type: keyword
+
+
diff --git a/docs/reference/packetbeat/exported-fields-dns.md b/docs/reference/packetbeat/exported-fields-dns.md
new file mode 100644
index 000000000000..b96ba1e47138
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-dns.md
@@ -0,0 +1,151 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-dns.html
+---
+
+# DNS fields [exported-fields-dns]
+
+DNS-specific event fields.
+
+**`dns.flags.authoritative`**
+:   A DNS flag specifying that the responding server is an authority for the domain name used in the question.
+
+type: boolean
+
+
+**`dns.flags.recursion_available`**
+:   A DNS flag specifying whether recursive query support is available in the name server.
+
+type: boolean
+
+
+**`dns.flags.recursion_desired`**
+:   A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional.
+
+type: boolean
+
+
+**`dns.flags.authentic_data`**
+:   A DNS flag specifying that the recursive server considers the response authentic.
+
+type: boolean
+
+
+**`dns.flags.checking_disabled`**
+:   A DNS flag specifying that the client disables the server signature validation of the query.
+
+type: boolean
+
+
+**`dns.flags.truncated_response`**
+:   A DNS flag specifying that only the first 512 bytes of the reply were returned.
+
+type: boolean
+
+
+**`dns.question.etld_plus_one`**
+:   The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from [http://publicsuffix.org](http://publicsuffix.org).
+
+example: amazon.co.uk.
+
+
+**`dns.answers_count`**
+:   The number of resource records contained in the `dns.answers` field.
+
+type: long
+
+
+**`dns.authorities`**
+:   An array containing a dictionary for each authority section from the answer.
+
+type: object
+
+
+**`dns.authorities_count`**
+:   The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat.
+
+type: long
+
+
+**`dns.authorities.name`**
+:   The domain name to which this resource record pertains.
+
+example: example.com.
+
+
+**`dns.authorities.type`**
+:   The type of data contained in this resource record.
+
+example: NS
+
+
+**`dns.authorities.class`**
+:   The class of DNS data contained in this resource record.
+
+example: IN
+
+
+**`dns.additionals`**
+:   An array containing a dictionary for each additional section from the answer.
+
+type: object
+
+
+**`dns.additionals_count`**
+:   The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat.
+
+type: long
+
+
+**`dns.additionals.name`**
+:   The domain name to which this resource record pertains.
+
+example: example.com.
+
+
+**`dns.additionals.type`**
+:   The type of data contained in this resource record.
+
+example: NS
+
+
+**`dns.additionals.class`**
+:   The class of DNS data contained in this resource record.
+
+example: IN
+
+
+**`dns.additionals.ttl`**
+:   The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
+
+type: long
+
+
+**`dns.additionals.data`**
+:   The data describing the resource. The meaning of this data depends on the type and class of the resource record.
+
+
+**`dns.opt.version`**
+:   The EDNS version.
+
+example: 0
+
+
+**`dns.opt.do`**
+:   If set, the transaction uses DNSSEC.
+
+type: boolean
+
+
+**`dns.opt.ext_rcode`**
+:   Extended response code field.
+
+example: BADVERS
+
+
+**`dns.opt.udp_size`**
+:   Requestor’s UDP payload size (in bytes).
+
+type: long
+
+
diff --git a/docs/reference/packetbeat/exported-fields-docker-processor.md b/docs/reference/packetbeat/exported-fields-docker-processor.md
new file mode 100644
index 000000000000..294f6c1b7c6d
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-docker-processor.md
@@ -0,0 +1,33 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-docker-processor.html
+---
+
+# Docker fields [exported-fields-docker-processor]
+
+Docker stats collected from Docker.
+
+**`docker.container.id`**
+:   type: alias
+
+alias to: container.id
+
+
+**`docker.container.image`**
+:   type: alias
+
+alias to: container.image.name
+
+
+**`docker.container.name`**
+:   type: alias
+
+alias to: container.name
+
+
+**`docker.container.labels`**
+:   Image labels.
+
+type: object
+
+
diff --git a/docs/reference/packetbeat/exported-fields-ecs.md b/docs/reference/packetbeat/exported-fields-ecs.md
new file mode 100644
index 000000000000..618553f5075c
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-ecs.md
@@ -0,0 +1,10423 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-ecs.html
+---
+
+# ECS fields [exported-fields-ecs]
+
+This section defines Elastic Common Schema (ECS) fields—a common set of fields to be used when storing event data in {{es}}.
+
+This is an exhaustive list, and fields listed here are not necessarily used by Packetbeat. The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events.
+
+See the [ECS reference](ecs://reference/index.md) for more information.
+
+**`@timestamp`**
+:   Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+required: True
+
+
+**`labels`**
+:   Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels.
+
+type: object
+
+example: {"application": "foo-bar", "env": "production"}
+
+
+**`message`**
+:   For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.
+
+type: match_only_text
+
+example: Hello World
+
+
+**`tags`**
+:   List of keywords used to tag each event.
+
+type: keyword
+
+example: ["production", "env2"]
+
+
+
+## agent [_agent]
+
+The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
+
+**`agent.build.original`**
+:   Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required.
+
+type: keyword
+
+example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]
+
+
+**`agent.ephemeral_id`**
+:   Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`agent.id`**
+:   Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
+
+type: keyword
+
+example: 8a4f500d
+
+
+**`agent.name`**
+:   Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.
+
+type: keyword
+
+example: foo
+
+
+**`agent.type`**
+:   Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.
+
+type: keyword
+
+example: filebeat
+
+
+**`agent.version`**
+:   Version of the agent.
+
+type: keyword
+
+example: 6.0.0-rc2
+
+
+
+## as [_as]
+
+An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
+
+**`as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`as.organization.name.text`**
+:   type: match_only_text
+
+
+
+## client [_client]
+
+A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
+
+**`client.address`**
+:   Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`client.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`client.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`client.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`client.bytes`**
+:   Bytes sent from the client to the server.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`client.domain`**
+:   The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`client.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`client.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`client.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`client.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`client.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`client.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`client.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`client.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`client.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`client.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`client.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`client.ip`**
+:   IP address of the client (IPv4 or IPv6).
+
+type: ip
+
+
+**`client.mac`**
+:   MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`client.nat.ip`**
+:   Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`client.nat.port`**
+:   Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`client.packets`**
+:   Packets sent from the client to the server.
+
+type: long
+
+example: 12
+
+
+**`client.port`**
+:   Port of the client.
+
+type: long
+
+format: string
+
+
+**`client.registered_domain`**
+:   The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`client.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`client.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`client.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`client.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`client.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`client.user.full_name.text`**
+:   type: match_only_text
+
+
+**`client.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`client.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`client.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`client.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`client.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`client.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`client.user.name.text`**
+:   type: match_only_text
+
+
+**`client.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## cloud [_cloud]
+
+Fields related to the cloud or infrastructure the events are coming from.
+
+**`cloud.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.origin.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.origin.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.origin.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.origin.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.origin.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.origin.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.origin.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.origin.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.origin.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.origin.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.origin.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+**`cloud.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+**`cloud.target.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.target.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.target.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.target.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.target.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.target.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.target.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.target.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.target.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.target.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.target.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+
+## code_signature [_code_signature]
+
+These fields contain information about binary code signatures.
+
+**`code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+
+## container [_container]
+
+Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.
+
+**`container.cpu.usage`**
+:   Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000.
+
+type: scaled_float
+
+
+**`container.disk.read.bytes`**
+:   The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`container.disk.write.bytes`**
+:   The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`container.id`**
+:   Unique container id.
+
+type: keyword
+
+
+**`container.image.name`**
+:   Name of the image the container was built on.
+
+type: keyword
+
+
+**`container.image.tag`**
+:   Container image tags.
+
+type: keyword
+
+
+**`container.labels`**
+:   Image labels.
+
+type: object
+
+
+**`container.memory.usage`**
+:   Memory usage percentage and it ranges from 0 to 1. Scaling factor: 1000.
+
+type: scaled_float
+
+
+**`container.name`**
+:   Container name.
+
+type: keyword
+
+
+**`container.network.egress.bytes`**
+:   The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.
+
+type: long
+
+
+**`container.network.ingress.bytes`**
+:   The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.
+
+type: long
+
+
+**`container.runtime`**
+:   Runtime managing this container.
+
+type: keyword
+
+example: docker
+
+
+
+## data_stream [_data_stream]
+
+The data_stream fields take part in defining the new data stream naming scheme. In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this [blog post](https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme). An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional [restrictions](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-create).
+
+**`data_stream.dataset`**
+:   The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters
+
+type: constant_keyword
+
+example: nginx.access
+
+
+**`data_stream.namespace`**
+:   A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters
+
+type: constant_keyword
+
+example: production
+
+
+**`data_stream.type`**
+:   An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
+
+type: constant_keyword
+
+example: logs
+
+
+
+## destination [_destination]
+
+Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
+
+**`destination.address`**
+:   Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`destination.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`destination.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`destination.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`destination.bytes`**
+:   Bytes sent from the destination to the source.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`destination.domain`**
+:   The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`destination.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`destination.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`destination.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`destination.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`destination.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`destination.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`destination.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`destination.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`destination.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`destination.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`destination.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`destination.ip`**
+:   IP address of the destination (IPv4 or IPv6).
+
+type: ip
+
+
+**`destination.mac`**
+:   MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`destination.nat.ip`**
+:   Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`destination.nat.port`**
+:   Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`destination.packets`**
+:   Packets sent from the destination to the source.
+
+type: long
+
+example: 12
+
+
+**`destination.port`**
+:   Port of the destination.
+
+type: long
+
+format: string
+
+
+**`destination.registered_domain`**
+:   The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`destination.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`destination.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`destination.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`destination.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`destination.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`destination.user.full_name.text`**
+:   type: match_only_text
+
+
+**`destination.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`destination.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`destination.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`destination.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`destination.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`destination.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`destination.user.name.text`**
+:   type: match_only_text
+
+
+**`destination.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## dll [_dll]
+
+These fields contain information about code libraries dynamically loaded into processes.
+
+Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: * Dynamic-link library (`.dll`) commonly used on Windows * Shared Object (`.so`) commonly used on Unix-like operating systems * Dynamic library (`.dylib`) commonly used on macOS
+
+**`dll.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`dll.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`dll.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`dll.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`dll.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`dll.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`dll.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`dll.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`dll.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`dll.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`dll.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`dll.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`dll.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`dll.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`dll.name`**
+:   Name of the library. This generally maps to the name of the file on disk.
+
+type: keyword
+
+example: kernel32.dll
+
+
+**`dll.path`**
+:   Full file path of the library.
+
+type: keyword
+
+example: C:\Windows\System32\kernel32.dll
+
+
+**`dll.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`dll.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`dll.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`dll.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`dll.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`dll.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`dll.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+
+## dns [_dns]
+
+Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).
+
+**`dns.answers`**
+:   An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
+
+type: object
+
+
+**`dns.answers.class`**
+:   The class of DNS data contained in this resource record.
+
+type: keyword
+
+example: IN
+
+
+**`dns.answers.data`**
+:   The data describing the resource. The meaning of this data depends on the type and class of the resource record.
+
+type: keyword
+
+example: 10.10.10.10
+
+
+**`dns.answers.name`**
+:   The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s `name` should be the one that corresponds with the answer’s `data`. It should not simply be the original `question.name` repeated.
+
+type: keyword
+
+example: www.example.com
+
+
+**`dns.answers.ttl`**
+:   The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
+
+type: long
+
+example: 180
+
+
+**`dns.answers.type`**
+:   The type of data contained in this resource record.
+
+type: keyword
+
+example: CNAME
+
+
+**`dns.header_flags`**
+:   Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO.
+
+type: keyword
+
+example: ["RD", "RA"]
+
+
+**`dns.id`**
+:   The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+
+type: keyword
+
+example: 62111
+
+
+**`dns.op_code`**
+:   The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
+
+type: keyword
+
+example: QUERY
+
+
+**`dns.question.class`**
+:   The class of records being queried.
+
+type: keyword
+
+example: IN
+
+
+**`dns.question.name`**
+:   The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
+
+type: keyword
+
+example: www.example.com
+
+
+**`dns.question.registered_domain`**
+:   The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`dns.question.subdomain`**
+:   The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: www
+
+
+**`dns.question.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`dns.question.type`**
+:   The type of record being queried.
+
+type: keyword
+
+example: AAAA
+
+
+**`dns.resolved_ip`**
+:   Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
+
+type: ip
+
+example: ["10.10.10.10", "10.10.10.11"]
+
+
+**`dns.response_code`**
+:   The DNS response code.
+
+type: keyword
+
+example: NOERROR
+
+
+**`dns.type`**
+:   The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
+
+type: keyword
+
+example: answer
+
+
+
+## ecs [_ecs]
+
+Meta-information specific to ECS.
+
+**`ecs.version`**
+:   ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.
+
+type: keyword
+
+example: 1.0.0
+
+required: True
+
+
+
+## elf [_elf]
+
+These fields contain Linux Executable Linkable Format (ELF) metadata.
+
+**`elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+
+## error [_error_2]
+
+These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.
+
+**`error.code`**
+:   Error code describing the error.
+
+type: keyword
+
+
+**`error.id`**
+:   Unique identifier for the error.
+
+type: keyword
+
+
+**`error.message`**
+:   Error message.
+
+type: match_only_text
+
+
+**`error.stack_trace`**
+:   The stack trace of this error in plain text.
+
+type: wildcard
+
+
+**`error.stack_trace.text`**
+:   type: match_only_text
+
+
+**`error.type`**
+:   The type of the error, for example the class name of the exception.
+
+type: keyword
+
+example: java.lang.NullPointerException
+
+
+
+## event [_event_2]
+
+The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.
+
+**`event.action`**
+:   The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+
+type: keyword
+
+example: user-password-change
+
+
+**`event.agent_id_status`**
+:   Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent’s connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID.
+
+type: keyword
+
+example: verified
+
+
+**`event.category`**
+:   This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+
+type: keyword
+
+example: authentication
+
+
+**`event.code`**
+:   Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+
+type: keyword
+
+example: 4648
+
+
+**`event.created`**
+:   event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.
+
+type: date
+
+example: 2016-05-23T08:05:34.857Z
+
+
+**`event.dataset`**
+:   Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
+
+type: keyword
+
+example: apache.access
+
+
+**`event.duration`**
+:   Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.
+
+type: long
+
+format: duration
+
+
+**`event.end`**
+:   event.end contains the date when the event ended or when the activity was last observed.
+
+type: date
+
+
+**`event.hash`**
+:   Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+
+type: keyword
+
+example: 123456789012345678901234567890ABCD
+
+
+**`event.id`**
+:   Unique ID to describe the event.
+
+type: keyword
+
+example: 8a4f500d
+
+
+**`event.ingested`**
+:   Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred.  It’s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+
+type: date
+
+example: 2016-05-23T08:05:35.101Z
+
+
+**`event.kind`**
+:   This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+
+type: keyword
+
+example: alert
+
+
+**`event.module`**
+:   Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.
+
+type: keyword
+
+example: apache
+
+
+**`event.original`**
+:   Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+
+type: keyword
+
+example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
+
+Field is not indexed.
+
+
+**`event.outcome`**
+:   This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+
+type: keyword
+
+example: success
+
+
+**`event.provider`**
+:   Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+
+type: keyword
+
+example: kernel
+
+
+**`event.reason`**
+:   Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+
+type: keyword
+
+example: Terminated an unexpected process
+
+
+**`event.reference`**
+:   Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+type: keyword
+
+example: [https://system.example.com/event/#0001234](https://system.example.com/event/#0001234)
+
+
+**`event.risk_score`**
+:   Risk score or priority of the event (e.g. security solutions). Use your system’s original value here.
+
+type: float
+
+
+**`event.risk_score_norm`**
+:   Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
+
+type: float
+
+
+**`event.sequence`**
+:   Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
+
+type: long
+
+format: string
+
+
+**`event.severity`**
+:   The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+
+type: long
+
+example: 7
+
+format: string
+
+
+**`event.start`**
+:   event.start contains the date when the event started or when the activity was first observed.
+
+type: date
+
+
+**`event.timezone`**
+:   This field should be populated when the event’s timestamp does not include timezone information already (e.g. default Syslog timestamps). It’s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+
+type: keyword
+
+
+**`event.type`**
+:   This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+
+type: keyword
+
+
+**`event.url`**
+:   URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+type: keyword
+
+example: [https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe](https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe)
+
+
+
+## faas [_faas]
+
+The user fields describe information about the function as a service that is relevant to the event.
+
+**`faas.coldstart`**
+:   Boolean value indicating a cold start of a function.
+
+type: boolean
+
+
+**`faas.execution`**
+:   The execution ID of the current function execution.
+
+type: keyword
+
+example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
+
+
+**`faas.trigger`**
+:   Details about the function trigger.
+
+type: nested
+
+
+**`faas.trigger.request_id`**
+:   The ID of the trigger request , message, event, etc.
+
+type: keyword
+
+example: 123456789
+
+
+**`faas.trigger.type`**
+:   The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other
+
+type: keyword
+
+example: http
+
+
+
+## file [_file]
+
+A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
+
+**`file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`file.path.text`**
+:   type: match_only_text
+
+
+**`file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`file.target_path.text`**
+:   type: match_only_text
+
+
+**`file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+
+## geo [_geo]
+
+Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.
+
+**`geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+
+## group [_group]
+
+The group fields are meant to represent groups that are relevant to the event.
+
+**`group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+
+## hash [_hash]
+
+The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).
+
+**`hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+
+## host [_host]
+
+A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
+
+**`host.architecture`**
+:   Operating system architecture.
+
+type: keyword
+
+example: x86_64
+
+
+**`host.cpu.usage`**
+:   Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1.
+
+type: scaled_float
+
+
+**`host.disk.read.bytes`**
+:   The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`host.disk.write.bytes`**
+:   The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`host.domain`**
+:   Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider.
+
+type: keyword
+
+example: CONTOSO
+
+
+**`host.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`host.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`host.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`host.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`host.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`host.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`host.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`host.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`host.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`host.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`host.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`host.hostname`**
+:   Hostname of the host. It normally contains what the `hostname` command returns on the host machine.
+
+type: keyword
+
+
+**`host.id`**
+:   Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.
+
+type: keyword
+
+
+**`host.ip`**
+:   Host ip addresses.
+
+type: ip
+
+
+**`host.mac`**
+:   Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
+
+
+**`host.name`**
+:   Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+
+type: keyword
+
+
+**`host.network.egress.bytes`**
+:   The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.egress.packets`**
+:   The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.ingress.bytes`**
+:   The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.ingress.packets`**
+:   The number of packets (gauge) received on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`host.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`host.os.full.text`**
+:   type: match_only_text
+
+
+**`host.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`host.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`host.os.name.text`**
+:   type: match_only_text
+
+
+**`host.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`host.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`host.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`host.type`**
+:   Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
+
+type: keyword
+
+
+**`host.uptime`**
+:   Seconds the host has been up.
+
+type: long
+
+example: 1325
+
+
+
+## http [_http]
+
+Fields related to HTTP activity. Use the `url` field set to store the url of the request.
+
+**`http.request.body.bytes`**
+:   Size in bytes of the request body.
+
+type: long
+
+example: 887
+
+format: bytes
+
+
+**`http.request.body.content`**
+:   The full HTTP request body.
+
+type: wildcard
+
+example: Hello world
+
+
+**`http.request.body.content.text`**
+:   type: match_only_text
+
+
+**`http.request.bytes`**
+:   Total size in bytes of the request (body and headers).
+
+type: long
+
+example: 1437
+
+format: bytes
+
+
+**`http.request.id`**
+:   A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`.
+
+type: keyword
+
+example: 123e4567-e89b-12d3-a456-426614174000
+
+
+**`http.request.method`**
+:   HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+
+type: keyword
+
+example: POST
+
+
+**`http.request.mime_type`**
+:   Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request’s Content-Type header can be helpful in detecting threats or misconfigured clients.
+
+type: keyword
+
+example: image/gif
+
+
+**`http.request.referrer`**
+:   Referrer for this HTTP request.
+
+type: keyword
+
+example: [https://blog.example.com/](https://blog.example.com/)
+
+
+**`http.response.body.bytes`**
+:   Size in bytes of the response body.
+
+type: long
+
+example: 887
+
+format: bytes
+
+
+**`http.response.body.content`**
+:   The full HTTP response body.
+
+type: wildcard
+
+example: Hello world
+
+
+**`http.response.body.content.text`**
+:   type: match_only_text
+
+
+**`http.response.bytes`**
+:   Total size in bytes of the response (body and headers).
+
+type: long
+
+example: 1437
+
+format: bytes
+
+
+**`http.response.mime_type`**
+:   Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response’s Content-Type header can be helpful in detecting misconfigured servers.
+
+type: keyword
+
+example: image/gif
+
+
+**`http.response.status_code`**
+:   HTTP response status code.
+
+type: long
+
+example: 404
+
+format: string
+
+
+**`http.version`**
+:   HTTP version.
+
+type: keyword
+
+example: 1.1
+
+
+
+## interface [_interface]
+
+The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection.  In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.
+
+**`interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+
+## log [_log]
+
+Details about the event’s logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields.
+
+**`log.file.path`**
+:   Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field.
+
+type: keyword
+
+example: /var/log/fun-times.log
+
+
+**`log.level`**
+:   Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`.
+
+type: keyword
+
+example: error
+
+
+**`log.logger`**
+:   The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+
+type: keyword
+
+example: org.elasticsearch.bootstrap.Bootstrap
+
+
+**`log.origin.file.line`**
+:   The line number of the file containing the source code which originated the log event.
+
+type: long
+
+example: 42
+
+
+**`log.origin.file.name`**
+:   The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.
+
+type: keyword
+
+example: Bootstrap.java
+
+
+**`log.origin.function`**
+:   The name of the function or method which originated the log event.
+
+type: keyword
+
+example: init
+
+
+**`log.syslog`**
+:   The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
+
+type: object
+
+
+**`log.syslog.facility.code`**
+:   The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+
+type: long
+
+example: 23
+
+format: string
+
+
+**`log.syslog.facility.name`**
+:   The Syslog text-based facility of the log event, if available.
+
+type: keyword
+
+example: local7
+
+
+**`log.syslog.priority`**
+:   Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+
+type: long
+
+example: 135
+
+format: string
+
+
+**`log.syslog.severity.code`**
+:   The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source’s numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+
+type: long
+
+example: 3
+
+
+**`log.syslog.severity.name`**
+:   The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source’s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
+
+type: keyword
+
+example: Error
+
+
+
+## network [_network]
+
+The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.
+
+**`network.application`**
+:   When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: aim
+
+
+**`network.bytes`**
+:   Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+
+type: long
+
+example: 368
+
+format: bytes
+
+
+**`network.community_id`**
+:   A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at [https://github.com/corelight/community-id-spec](https://github.com/corelight/community-id-spec).
+
+type: keyword
+
+example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
+
+
+**`network.direction`**
+:   Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown
+
+When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+
+type: keyword
+
+example: inbound
+
+
+**`network.forwarded_ip`**
+:   Host IP address when the source IP address is the proxy.
+
+type: ip
+
+example: 192.1.1.2
+
+
+**`network.iana_number`**
+:   IANA Protocol Number ([https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+
+type: keyword
+
+example: 6
+
+
+**`network.inner`**
+:   Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
+
+type: object
+
+
+**`network.inner.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`network.inner.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`network.name`**
+:   Name given by operators to sections of their network.
+
+type: keyword
+
+example: Guest Wifi
+
+
+**`network.packets`**
+:   Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+
+type: long
+
+example: 24
+
+
+**`network.protocol`**
+:   In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: http
+
+
+**`network.transport`**
+:   Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: tcp
+
+
+**`network.type`**
+:   In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: ipv4
+
+
+**`network.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`network.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+
+## observer [_observer]
+
+An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
+
+**`observer.egress`**
+:   Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
+
+type: object
+
+
+**`observer.egress.interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`observer.egress.interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`observer.egress.interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+**`observer.egress.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`observer.egress.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`observer.egress.zone`**
+:   Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
+
+type: keyword
+
+example: Public_Internet
+
+
+**`observer.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`observer.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`observer.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`observer.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`observer.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`observer.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`observer.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`observer.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`observer.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`observer.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`observer.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`observer.hostname`**
+:   Hostname of the observer.
+
+type: keyword
+
+
+**`observer.ingress`**
+:   Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
+
+type: object
+
+
+**`observer.ingress.interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`observer.ingress.interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`observer.ingress.interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+**`observer.ingress.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`observer.ingress.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`observer.ingress.zone`**
+:   Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
+
+type: keyword
+
+example: DMZ
+
+
+**`observer.ip`**
+:   IP addresses of the observer.
+
+type: ip
+
+
+**`observer.mac`**
+:   MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
+
+
+**`observer.name`**
+:   Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.
+
+type: keyword
+
+example: 1_proxySG
+
+
+**`observer.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`observer.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`observer.os.full.text`**
+:   type: match_only_text
+
+
+**`observer.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`observer.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`observer.os.name.text`**
+:   type: match_only_text
+
+
+**`observer.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`observer.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`observer.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`observer.product`**
+:   The product name of the observer.
+
+type: keyword
+
+example: s200
+
+
+**`observer.serial_number`**
+:   Observer serial number.
+
+type: keyword
+
+
+**`observer.type`**
+:   The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+
+type: keyword
+
+example: firewall
+
+
+**`observer.vendor`**
+:   Vendor name of the observer.
+
+type: keyword
+
+example: Symantec
+
+
+**`observer.version`**
+:   Observer version.
+
+type: keyword
+
+
+
+## orchestrator [_orchestrator]
+
+Fields that describe the resources which container orchestrators manage or act upon.
+
+**`orchestrator.api_version`**
+:   API version being used to carry out the action
+
+type: keyword
+
+example: v1beta1
+
+
+**`orchestrator.cluster.name`**
+:   Name of the cluster.
+
+type: keyword
+
+
+**`orchestrator.cluster.url`**
+:   URL of the API used to manage the cluster.
+
+type: keyword
+
+
+**`orchestrator.cluster.version`**
+:   The version of the cluster.
+
+type: keyword
+
+
+**`orchestrator.namespace`**
+:   Namespace in which the action is taking place.
+
+type: keyword
+
+example: kube-system
+
+
+**`orchestrator.organization`**
+:   Organization affected by the event (for multi-tenant orchestrator setups).
+
+type: keyword
+
+example: elastic
+
+
+**`orchestrator.resource.name`**
+:   Name of the resource being acted upon.
+
+type: keyword
+
+example: test-pod-cdcws
+
+
+**`orchestrator.resource.type`**
+:   Type of resource being acted upon.
+
+type: keyword
+
+example: service
+
+
+**`orchestrator.type`**
+:   Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
+
+type: keyword
+
+example: kubernetes
+
+
+
+## organization [_organization]
+
+The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.
+
+**`organization.id`**
+:   Unique identifier for the organization.
+
+type: keyword
+
+
+**`organization.name`**
+:   Organization name.
+
+type: keyword
+
+
+**`organization.name.text`**
+:   type: match_only_text
+
+
+
+## os [_os]
+
+The OS fields contain information about the operating system.
+
+**`os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`os.full.text`**
+:   type: match_only_text
+
+
+**`os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`os.name.text`**
+:   type: match_only_text
+
+
+**`os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+
+## package [_package]
+
+These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
+
+**`package.architecture`**
+:   Package architecture.
+
+type: keyword
+
+example: x86_64
+
+
+**`package.build_version`**
+:   Additional information about the build version of the installed package. For example use the commit SHA of a non-released package.
+
+type: keyword
+
+example: 36f4f7e89dd61b0988b12ee000b98966867710cd
+
+
+**`package.checksum`**
+:   Checksum of the installed package for verification.
+
+type: keyword
+
+example: 68b329da9893e34099c7d8ad5cb9c940
+
+
+**`package.description`**
+:   Description of the package.
+
+type: keyword
+
+example: Open source programming language to build simple/reliable/efficient software.
+
+
+**`package.install_scope`**
+:   Indicating how the package was installed, e.g. user-local, global.
+
+type: keyword
+
+example: global
+
+
+**`package.installed`**
+:   Time when package was installed.
+
+type: date
+
+
+**`package.license`**
+:   License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible ([https://spdx.org/licenses/](https://spdx.org/licenses/)).
+
+type: keyword
+
+example: Apache License 2.0
+
+
+**`package.name`**
+:   Package name
+
+type: keyword
+
+example: go
+
+
+**`package.path`**
+:   Path where the package is installed.
+
+type: keyword
+
+example: /usr/local/Cellar/go/1.12.9/
+
+
+**`package.reference`**
+:   Home page or reference URL of the software in this package, if available.
+
+type: keyword
+
+example: [https://golang.org](https://golang.org)
+
+
+**`package.size`**
+:   Package size in bytes.
+
+type: long
+
+example: 62231
+
+format: string
+
+
+**`package.type`**
+:   Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.
+
+type: keyword
+
+example: rpm
+
+
+**`package.version`**
+:   Package version
+
+type: keyword
+
+example: 1.12.9
+
+
+
+## pe [_pe]
+
+These fields contain Windows Portable Executable (PE) metadata.
+
+**`pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+
+## process [_process_2]
+
+These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message.  The `process.pid` often stays in the metric itself and is copied to the global field for correlation.
+
+**`process.args`**
+:   Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
+
+type: keyword
+
+example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
+
+
+**`process.args_count`**
+:   Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
+
+type: long
+
+example: 4
+
+
+**`process.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`process.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`process.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`process.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`process.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`process.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`process.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`process.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`process.command_line`**
+:   Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
+
+type: wildcard
+
+example: /usr/bin/ssh -l user 10.0.0.16
+
+
+**`process.command_line.text`**
+:   type: match_only_text
+
+
+**`process.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`process.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`process.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`process.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`process.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`process.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`process.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`process.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`process.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`process.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`process.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`process.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`process.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`process.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`process.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`process.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`process.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`process.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`process.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`process.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`process.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`process.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`process.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`process.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`process.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`process.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`process.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`process.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`process.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`process.end`**
+:   The time the process ended.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.entity_id`**
+:   Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+
+type: keyword
+
+example: c2c455d9f99375d
+
+
+**`process.executable`**
+:   Absolute path to the process executable.
+
+type: keyword
+
+example: /usr/bin/ssh
+
+
+**`process.executable.text`**
+:   type: match_only_text
+
+
+**`process.exit_code`**
+:   The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
+
+type: long
+
+example: 137
+
+
+**`process.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`process.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`process.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`process.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`process.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`process.name`**
+:   Process name. Sometimes called program name or similar.
+
+type: keyword
+
+example: ssh
+
+
+**`process.name.text`**
+:   type: match_only_text
+
+
+**`process.parent.args`**
+:   Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
+
+type: keyword
+
+example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
+
+
+**`process.parent.args_count`**
+:   Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
+
+type: long
+
+example: 4
+
+
+**`process.parent.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`process.parent.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`process.parent.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`process.parent.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.parent.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`process.parent.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`process.parent.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.command_line`**
+:   Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
+
+type: wildcard
+
+example: /usr/bin/ssh -l user 10.0.0.16
+
+
+**`process.parent.command_line.text`**
+:   type: match_only_text
+
+
+**`process.parent.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`process.parent.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`process.parent.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`process.parent.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`process.parent.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`process.parent.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`process.parent.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`process.parent.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`process.parent.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`process.parent.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`process.parent.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`process.parent.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`process.parent.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`process.parent.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`process.parent.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`process.parent.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`process.parent.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`process.parent.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`process.parent.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`process.parent.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`process.parent.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`process.parent.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`process.parent.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`process.parent.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`process.parent.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`process.parent.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`process.parent.end`**
+:   The time the process ended.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.parent.entity_id`**
+:   Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+
+type: keyword
+
+example: c2c455d9f99375d
+
+
+**`process.parent.executable`**
+:   Absolute path to the process executable.
+
+type: keyword
+
+example: /usr/bin/ssh
+
+
+**`process.parent.executable.text`**
+:   type: match_only_text
+
+
+**`process.parent.exit_code`**
+:   The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
+
+type: long
+
+example: 137
+
+
+**`process.parent.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`process.parent.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`process.parent.name`**
+:   Process name. Sometimes called program name or similar.
+
+type: keyword
+
+example: ssh
+
+
+**`process.parent.name.text`**
+:   type: match_only_text
+
+
+**`process.parent.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`process.parent.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.parent.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`process.parent.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`process.parent.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`process.parent.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`process.parent.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`process.parent.pgid`**
+:   Identifier of the group of processes the process belongs to.
+
+type: long
+
+format: string
+
+
+**`process.parent.pid`**
+:   Process id.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.parent.start`**
+:   The time the process started.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.parent.thread.id`**
+:   Thread ID.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.parent.thread.name`**
+:   Thread name.
+
+type: keyword
+
+example: thread-0
+
+
+**`process.parent.title`**
+:   Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+
+type: keyword
+
+
+**`process.parent.title.text`**
+:   type: match_only_text
+
+
+**`process.parent.uptime`**
+:   Seconds the process has been up.
+
+type: long
+
+example: 1325
+
+
+**`process.parent.working_directory`**
+:   The working directory of the process.
+
+type: keyword
+
+example: /home/alice
+
+
+**`process.parent.working_directory.text`**
+:   type: match_only_text
+
+
+**`process.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`process.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`process.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`process.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`process.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`process.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`process.pgid`**
+:   Identifier of the group of processes the process belongs to.
+
+type: long
+
+format: string
+
+
+**`process.pid`**
+:   Process id.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.start`**
+:   The time the process started.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.thread.id`**
+:   Thread ID.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.thread.name`**
+:   Thread name.
+
+type: keyword
+
+example: thread-0
+
+
+**`process.title`**
+:   Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+
+type: keyword
+
+
+**`process.title.text`**
+:   type: match_only_text
+
+
+**`process.uptime`**
+:   Seconds the process has been up.
+
+type: long
+
+example: 1325
+
+
+**`process.working_directory`**
+:   The working directory of the process.
+
+type: keyword
+
+example: /home/alice
+
+
+**`process.working_directory.text`**
+:   type: match_only_text
+
+
+
+## registry [_registry]
+
+Fields related to Windows Registry operations.
+
+**`registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+
+## related [_related]
+
+This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.
+
+**`related.hash`**
+:   All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search).
+
+type: keyword
+
+
+**`related.hosts`**
+:   All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+
+type: keyword
+
+
+**`related.ip`**
+:   All of the IPs seen on your event.
+
+type: ip
+
+
+**`related.user`**
+:   All the user names or other user identifiers seen on the event.
+
+type: keyword
+
+
+
+## rule [_rule]
+
+Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.
+
+**`rule.author`**
+:   Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
+
+type: keyword
+
+example: ["Star-Lord"]
+
+
+**`rule.category`**
+:   A categorization value keyword used by the entity using the rule for detection of this event.
+
+type: keyword
+
+example: Attempted Information Leak
+
+
+**`rule.description`**
+:   The description of the rule generating the event.
+
+type: keyword
+
+example: Block requests to public DNS over HTTPS / TLS protocols
+
+
+**`rule.id`**
+:   A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+
+type: keyword
+
+example: 101
+
+
+**`rule.license`**
+:   Name of the license under which the rule used to generate this event is made available.
+
+type: keyword
+
+example: Apache 2.0
+
+
+**`rule.name`**
+:   The name of the rule or signature generating the event.
+
+type: keyword
+
+example: BLOCK_DNS_over_TLS
+
+
+**`rule.reference`**
+:   Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert.
+
+type: keyword
+
+example: [https://en.wikipedia.org/wiki/DNS_over_TLS](https://en.wikipedia.org/wiki/DNS_over_TLS)
+
+
+**`rule.ruleset`**
+:   Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
+
+type: keyword
+
+example: Standard_Protocol_Filters
+
+
+**`rule.uuid`**
+:   A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
+
+type: keyword
+
+example: 1100110011
+
+
+**`rule.version`**
+:   The version / revision of the rule being used for analysis.
+
+type: keyword
+
+example: 1.1
+
+
+
+## server [_server]
+
+A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
+
+**`server.address`**
+:   Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`server.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`server.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`server.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`server.bytes`**
+:   Bytes sent from the server to the client.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`server.domain`**
+:   The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`server.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`server.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`server.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`server.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`server.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`server.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`server.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`server.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`server.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`server.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`server.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`server.ip`**
+:   IP address of the server (IPv4 or IPv6).
+
+type: ip
+
+
+**`server.mac`**
+:   MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`server.nat.ip`**
+:   Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`server.nat.port`**
+:   Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`server.packets`**
+:   Packets sent from the server to the client.
+
+type: long
+
+example: 12
+
+
+**`server.port`**
+:   Port of the server.
+
+type: long
+
+format: string
+
+
+**`server.registered_domain`**
+:   The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`server.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`server.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`server.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`server.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`server.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`server.user.full_name.text`**
+:   type: match_only_text
+
+
+**`server.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`server.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`server.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`server.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`server.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`server.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`server.user.name.text`**
+:   type: match_only_text
+
+
+**`server.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## service [_service]
+
+The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.
+
+**`service.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.origin.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.origin.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.origin.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.origin.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.origin.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.origin.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.origin.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.origin.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.origin.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+**`service.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.target.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.target.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.target.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.target.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.target.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.target.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.target.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.target.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.target.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+**`service.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+
+## source [_source]
+
+Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
+
+**`source.address`**
+:   Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`source.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`source.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`source.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`source.bytes`**
+:   Bytes sent from the source to the destination.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`source.domain`**
+:   The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`source.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`source.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`source.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`source.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`source.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`source.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`source.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`source.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`source.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`source.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`source.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`source.ip`**
+:   IP address of the source (IPv4 or IPv6).
+
+type: ip
+
+
+**`source.mac`**
+:   MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`source.nat.ip`**
+:   Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`source.nat.port`**
+:   Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`source.packets`**
+:   Packets sent from the source to the destination.
+
+type: long
+
+example: 12
+
+
+**`source.port`**
+:   Port of the source.
+
+type: long
+
+format: string
+
+
+**`source.registered_domain`**
+:   The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`source.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`source.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`source.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`source.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`source.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`source.user.full_name.text`**
+:   type: match_only_text
+
+
+**`source.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`source.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`source.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`source.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`source.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`source.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`source.user.name.text`**
+:   type: match_only_text
+
+
+**`source.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## threat [_threat]
+
+Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
+
+**`threat.enrichments`**
+:   A list of associated indicators objects enriching the event, and the context of that association/enrichment.
+
+type: nested
+
+
+**`threat.enrichments.indicator`**
+:   Object containing associated indicators enriching the event.
+
+type: object
+
+
+**`threat.enrichments.indicator.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`threat.enrichments.indicator.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`threat.enrichments.indicator.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.confidence`**
+:   Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High
+
+type: keyword
+
+example: Medium
+
+
+**`threat.enrichments.indicator.description`**
+:   Describes the type of action conducted by the threat.
+
+type: keyword
+
+example: IP x.x.x.x was observed delivering the Angler EK.
+
+
+**`threat.enrichments.indicator.email.address`**
+:   Identifies a threat indicator as an email address (irrespective of direction).
+
+type: keyword
+
+example: `phish@example.com`
+
+
+**`threat.enrichments.indicator.file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`threat.enrichments.indicator.file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`threat.enrichments.indicator.file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`threat.enrichments.indicator.file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`threat.enrichments.indicator.file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.enrichments.indicator.file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`threat.enrichments.indicator.file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`threat.enrichments.indicator.file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`threat.enrichments.indicator.file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`threat.enrichments.indicator.file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`threat.enrichments.indicator.file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`threat.enrichments.indicator.file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`threat.enrichments.indicator.file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`threat.enrichments.indicator.file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`threat.enrichments.indicator.file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`threat.enrichments.indicator.file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`threat.enrichments.indicator.file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`threat.enrichments.indicator.file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`threat.enrichments.indicator.file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`threat.enrichments.indicator.file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`threat.enrichments.indicator.file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.enrichments.indicator.file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`threat.enrichments.indicator.file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.enrichments.indicator.file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`threat.enrichments.indicator.file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`threat.enrichments.indicator.file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`threat.enrichments.indicator.file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`threat.enrichments.indicator.file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`threat.enrichments.indicator.file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`threat.enrichments.indicator.file.path.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`threat.enrichments.indicator.file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.enrichments.indicator.file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`threat.enrichments.indicator.file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`threat.enrichments.indicator.file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`threat.enrichments.indicator.file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`threat.enrichments.indicator.file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`threat.enrichments.indicator.file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`threat.enrichments.indicator.file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.target_path.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`threat.enrichments.indicator.file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.enrichments.indicator.file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.enrichments.indicator.file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.enrichments.indicator.file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.enrichments.indicator.file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.enrichments.indicator.file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.enrichments.indicator.file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.enrichments.indicator.file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.enrichments.indicator.file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.enrichments.indicator.file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.enrichments.indicator.file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.enrichments.indicator.file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.enrichments.indicator.file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.enrichments.indicator.file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.enrichments.indicator.file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.enrichments.indicator.file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.enrichments.indicator.file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.enrichments.indicator.file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.enrichments.indicator.first_seen`**
+:   The date and time when intelligence source first reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`threat.enrichments.indicator.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`threat.enrichments.indicator.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`threat.enrichments.indicator.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`threat.enrichments.indicator.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`threat.enrichments.indicator.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`threat.enrichments.indicator.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`threat.enrichments.indicator.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`threat.enrichments.indicator.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`threat.enrichments.indicator.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`threat.enrichments.indicator.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`threat.enrichments.indicator.ip`**
+:   Identifies a threat indicator as an IP address (irrespective of direction).
+
+type: ip
+
+example: 1.2.3.4
+
+
+**`threat.enrichments.indicator.last_seen`**
+:   The date and time when intelligence source last reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.marking.tlp`**
+:   Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED
+
+type: keyword
+
+example: White
+
+
+**`threat.enrichments.indicator.modified_at`**
+:   The date and time when intelligence source last modified information for this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.port`**
+:   Identifies a threat indicator as a port number (irrespective of direction).
+
+type: long
+
+example: 443
+
+
+**`threat.enrichments.indicator.provider`**
+:   The name of the indicator’s provider.
+
+type: keyword
+
+example: lrz_urlhaus
+
+
+**`threat.enrichments.indicator.reference`**
+:   Reference URL linking to additional information about this indicator.
+
+type: keyword
+
+example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234)
+
+
+**`threat.enrichments.indicator.registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`threat.enrichments.indicator.registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`threat.enrichments.indicator.registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`threat.enrichments.indicator.registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`threat.enrichments.indicator.registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`threat.enrichments.indicator.registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`threat.enrichments.indicator.registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+**`threat.enrichments.indicator.scanner_stats`**
+:   Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+type: long
+
+example: 4
+
+
+**`threat.enrichments.indicator.sightings`**
+:   Number of times this indicator was observed conducting threat activity.
+
+type: long
+
+example: 20
+
+
+**`threat.enrichments.indicator.type`**
+:   Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate
+
+type: keyword
+
+example: ipv4-addr
+
+
+**`threat.enrichments.indicator.url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`threat.enrichments.indicator.url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.enrichments.indicator.url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`threat.enrichments.indicator.url.full.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`threat.enrichments.indicator.url.original.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`threat.enrichments.indicator.url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`threat.enrichments.indicator.url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`threat.enrichments.indicator.url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`threat.enrichments.indicator.url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`threat.enrichments.indicator.url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`threat.enrichments.indicator.url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.enrichments.indicator.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.enrichments.indicator.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.enrichments.indicator.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.enrichments.indicator.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.enrichments.indicator.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.enrichments.indicator.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.enrichments.indicator.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.enrichments.indicator.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.enrichments.indicator.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.enrichments.indicator.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.enrichments.indicator.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.enrichments.indicator.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.enrichments.indicator.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.enrichments.indicator.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.enrichments.indicator.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.enrichments.indicator.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.enrichments.matched.atomic`**
+:   Identifies the atomic indicator value that matched a local environment endpoint or network event.
+
+type: keyword
+
+example: bad-domain.com
+
+
+**`threat.enrichments.matched.field`**
+:   Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
+
+type: keyword
+
+example: file.hash.sha256
+
+
+**`threat.enrichments.matched.id`**
+:   Identifies the _id of the indicator document enriching the event.
+
+type: keyword
+
+example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
+
+
+**`threat.enrichments.matched.index`**
+:   Identifies the _index of the indicator document enriching the event.
+
+type: keyword
+
+example: filebeat-8.0.0-2021.05.23-000011
+
+
+**`threat.enrichments.matched.type`**
+:   Identifies the type of match that caused the event to be enriched with the given indicator
+
+type: keyword
+
+example: indicator_match_rule
+
+
+**`threat.framework`**
+:   Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
+
+type: keyword
+
+example: MITRE ATT&CK
+
+
+**`threat.group.alias`**
+:   The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es).
+
+type: keyword
+
+example: [ "Magecart Group 6" ]
+
+
+**`threat.group.id`**
+:   The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id.
+
+type: keyword
+
+example: G0037
+
+
+**`threat.group.name`**
+:   The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name.
+
+type: keyword
+
+example: FIN6
+
+
+**`threat.group.reference`**
+:   The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL.
+
+type: keyword
+
+example: [https://attack.mitre.org/groups/G0037/](https://attack.mitre.org/groups/G0037/)
+
+
+**`threat.indicator.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`threat.indicator.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`threat.indicator.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.confidence`**
+:   Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High
+
+type: keyword
+
+example: Medium
+
+
+**`threat.indicator.description`**
+:   Describes the type of action conducted by the threat.
+
+type: keyword
+
+example: IP x.x.x.x was observed delivering the Angler EK.
+
+
+**`threat.indicator.email.address`**
+:   Identifies a threat indicator as an email address (irrespective of direction).
+
+type: keyword
+
+example: `phish@example.com`
+
+
+**`threat.indicator.file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`threat.indicator.file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`threat.indicator.file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`threat.indicator.file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`threat.indicator.file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`threat.indicator.file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.indicator.file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`threat.indicator.file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`threat.indicator.file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`threat.indicator.file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`threat.indicator.file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`threat.indicator.file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`threat.indicator.file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`threat.indicator.file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`threat.indicator.file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`threat.indicator.file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`threat.indicator.file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`threat.indicator.file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`threat.indicator.file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`threat.indicator.file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`threat.indicator.file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`threat.indicator.file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`threat.indicator.file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`threat.indicator.file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`threat.indicator.file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.indicator.file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`threat.indicator.file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.indicator.file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`threat.indicator.file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`threat.indicator.file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`threat.indicator.file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`threat.indicator.file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`threat.indicator.file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`threat.indicator.file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`threat.indicator.file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`threat.indicator.file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`threat.indicator.file.path.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`threat.indicator.file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.indicator.file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`threat.indicator.file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`threat.indicator.file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`threat.indicator.file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`threat.indicator.file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`threat.indicator.file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`threat.indicator.file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`threat.indicator.file.target_path.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`threat.indicator.file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.indicator.file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.indicator.file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.indicator.file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.indicator.file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.indicator.file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.indicator.file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.indicator.file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.indicator.file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.indicator.file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.indicator.file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.indicator.file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.indicator.file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.indicator.file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.indicator.file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.indicator.file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.indicator.file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.indicator.file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.indicator.file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.indicator.first_seen`**
+:   The date and time when intelligence source first reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`threat.indicator.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`threat.indicator.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`threat.indicator.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`threat.indicator.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`threat.indicator.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`threat.indicator.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`threat.indicator.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`threat.indicator.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`threat.indicator.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`threat.indicator.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`threat.indicator.ip`**
+:   Identifies a threat indicator as an IP address (irrespective of direction).
+
+type: ip
+
+example: 1.2.3.4
+
+
+**`threat.indicator.last_seen`**
+:   The date and time when intelligence source last reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.marking.tlp`**
+:   Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED
+
+type: keyword
+
+example: WHITE
+
+
+**`threat.indicator.modified_at`**
+:   The date and time when intelligence source last modified information for this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.port`**
+:   Identifies a threat indicator as a port number (irrespective of direction).
+
+type: long
+
+example: 443
+
+
+**`threat.indicator.provider`**
+:   The name of the indicator’s provider.
+
+type: keyword
+
+example: lrz_urlhaus
+
+
+**`threat.indicator.reference`**
+:   Reference URL linking to additional information about this indicator.
+
+type: keyword
+
+example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234)
+
+
+**`threat.indicator.registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`threat.indicator.registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`threat.indicator.registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`threat.indicator.registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`threat.indicator.registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`threat.indicator.registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`threat.indicator.registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+**`threat.indicator.scanner_stats`**
+:   Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+type: long
+
+example: 4
+
+
+**`threat.indicator.sightings`**
+:   Number of times this indicator was observed conducting threat activity.
+
+type: long
+
+example: 20
+
+
+**`threat.indicator.type`**
+:   Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate
+
+type: keyword
+
+example: ipv4-addr
+
+
+**`threat.indicator.url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`threat.indicator.url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.indicator.url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`threat.indicator.url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`threat.indicator.url.full.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`threat.indicator.url.original.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`threat.indicator.url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`threat.indicator.url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`threat.indicator.url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`threat.indicator.url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`threat.indicator.url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`threat.indicator.url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`threat.indicator.url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`threat.indicator.url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+**`threat.indicator.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.indicator.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.indicator.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.indicator.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.indicator.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.indicator.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.indicator.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.indicator.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.indicator.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.indicator.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.indicator.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.indicator.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.indicator.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.indicator.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.indicator.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.indicator.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.indicator.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.indicator.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.software.alias`**
+:   The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description.
+
+type: keyword
+
+example: [ "X-Agent" ]
+
+
+**`threat.software.id`**
+:   The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id.
+
+type: keyword
+
+example: S0552
+
+
+**`threat.software.name`**
+:   The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name.
+
+type: keyword
+
+example: AdFind
+
+
+**`threat.software.platforms`**
+:   The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows
+
+While not required, you can use a MITRE ATT&CK® software platforms.
+
+type: keyword
+
+example: [ "Windows" ]
+
+
+**`threat.software.reference`**
+:   The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL.
+
+type: keyword
+
+example: [https://attack.mitre.org/software/S0552/](https://attack.mitre.org/software/S0552/)
+
+
+**`threat.software.type`**
+:   The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool
+
+```
+While not required, you can use a MITRE ATT&CK® software type.
+```
+type: keyword
+
+example: Tool
+
+
+**`threat.tactic.id`**
+:   The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) )
+
+type: keyword
+
+example: TA0002
+
+
+**`threat.tactic.name`**
+:   Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/))
+
+type: keyword
+
+example: Execution
+
+
+**`threat.tactic.reference`**
+:   The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) )
+
+type: keyword
+
+example: [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)
+
+
+**`threat.technique.id`**
+:   The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: T1059
+
+
+**`threat.technique.name`**
+:   The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: Command and Scripting Interpreter
+
+
+**`threat.technique.name.text`**
+:   type: match_only_text
+
+
+**`threat.technique.reference`**
+:   The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)
+
+
+**`threat.technique.subtechnique.id`**
+:   The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: T1059.001
+
+
+**`threat.technique.subtechnique.name`**
+:   The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: PowerShell
+
+
+**`threat.technique.subtechnique.name.text`**
+:   type: match_only_text
+
+
+**`threat.technique.subtechnique.reference`**
+:   The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)
+
+
+
+## tls [_tls]
+
+Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.
+
+**`tls.cipher`**
+:   String indicating the cipher used during the current connection.
+
+type: keyword
+
+example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+
+
+**`tls.client.certificate`**
+:   PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII…​
+
+
+**`tls.client.certificate_chain`**
+:   Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ["MII…​", "MII…​"]
+
+
+**`tls.client.hash.md5`**
+:   Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+
+**`tls.client.hash.sha1`**
+:   Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+
+**`tls.client.hash.sha256`**
+:   Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+
+**`tls.client.issuer`**
+:   Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.client.ja3`**
+:   A hash that identifies clients based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: d4e5b18d6b55c71272893221c96ba240
+
+
+**`tls.client.not_after`**
+:   Date/Time indicating when client certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+
+**`tls.client.not_before`**
+:   Date/Time indicating when client certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+
+**`tls.client.server_name`**
+:   Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`tls.client.subject`**
+:   Distinguished name of subject of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=myclient, OU=Documentation Team, DC=example, DC=com
+
+
+**`tls.client.supported_ciphers`**
+:   Array of ciphers offered by the client during the client hello.
+
+type: keyword
+
+example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "…​"]
+
+
+**`tls.client.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`tls.client.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`tls.client.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`tls.client.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`tls.client.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`tls.client.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`tls.client.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`tls.client.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.client.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`tls.client.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`tls.client.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`tls.client.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`tls.client.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`tls.client.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`tls.client.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`tls.client.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`tls.client.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`tls.client.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`tls.client.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`tls.client.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`tls.client.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`tls.client.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`tls.client.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.client.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`tls.curve`**
+:   String indicating the curve used for the given cipher, when applicable.
+
+type: keyword
+
+example: secp256r1
+
+
+**`tls.established`**
+:   Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+
+type: boolean
+
+
+**`tls.next_protocol`**
+:   String indicating the protocol being tunneled. Per the values in the IANA registry ([https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids)), this string should be lower case.
+
+type: keyword
+
+example: http/1.1
+
+
+**`tls.resumed`**
+:   Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+
+type: boolean
+
+
+**`tls.server.certificate`**
+:   PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII…​
+
+
+**`tls.server.certificate_chain`**
+:   Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ["MII…​", "MII…​"]
+
+
+**`tls.server.hash.md5`**
+:   Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+
+**`tls.server.hash.sha1`**
+:   Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+
+**`tls.server.hash.sha256`**
+:   Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+
+**`tls.server.issuer`**
+:   Subject of the issuer of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.server.ja3s`**
+:   A hash that identifies servers based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: 394441ab65754e2207b1e1b457b3641d
+
+
+**`tls.server.not_after`**
+:   Timestamp indicating when server certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+
+**`tls.server.not_before`**
+:   Timestamp indicating when server certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+
+**`tls.server.subject`**
+:   Subject of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.server.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`tls.server.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`tls.server.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`tls.server.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`tls.server.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`tls.server.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`tls.server.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`tls.server.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.server.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`tls.server.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`tls.server.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`tls.server.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`tls.server.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`tls.server.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`tls.server.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`tls.server.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`tls.server.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`tls.server.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`tls.server.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`tls.server.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`tls.server.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`tls.server.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`tls.server.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.server.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`tls.version`**
+:   Numeric part of the version parsed from the original string.
+
+type: keyword
+
+example: 1.2
+
+
+**`tls.version_protocol`**
+:   Normalized lowercase protocol name parsed from original string.
+
+type: keyword
+
+example: tls
+
+
+**`span.id`**
+:   Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query.
+
+type: keyword
+
+example: 3ff9a8981b7ccd5a
+
+
+**`trace.id`**
+:   Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
+
+type: keyword
+
+example: 4bf92f3577b34da6a3ce929d0e0e4736
+
+
+**`transaction.id`**
+:   Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server.
+
+type: keyword
+
+example: 00f067aa0ba902b7
+
+
+
+## url [_url]
+
+URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.
+
+**`url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`url.full.text`**
+:   type: match_only_text
+
+
+**`url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`url.original.text`**
+:   type: match_only_text
+
+
+**`url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+
+## user [_user]
+
+The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
+
+**`user.changes.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.changes.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.changes.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.changes.full_name.text`**
+:   type: match_only_text
+
+
+**`user.changes.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.changes.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.changes.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.changes.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.changes.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.changes.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.changes.name.text`**
+:   type: match_only_text
+
+
+**`user.changes.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.effective.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.effective.full_name.text`**
+:   type: match_only_text
+
+
+**`user.effective.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.effective.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.effective.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.effective.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.effective.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.effective.name.text`**
+:   type: match_only_text
+
+
+**`user.effective.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.full_name.text`**
+:   type: match_only_text
+
+
+**`user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.name.text`**
+:   type: match_only_text
+
+
+**`user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.target.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.target.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.target.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.target.full_name.text`**
+:   type: match_only_text
+
+
+**`user.target.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.target.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.target.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.target.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.target.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.target.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.target.name.text`**
+:   type: match_only_text
+
+
+**`user.target.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## user_agent [_user_agent]
+
+The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
+
+**`user_agent.device.name`**
+:   Name of the device.
+
+type: keyword
+
+example: iPhone
+
+
+**`user_agent.name`**
+:   Name of the user agent.
+
+type: keyword
+
+example: Safari
+
+
+**`user_agent.original`**
+:   Unparsed user_agent string.
+
+type: keyword
+
+example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+
+
+**`user_agent.original.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`user_agent.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`user_agent.os.full.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`user_agent.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`user_agent.os.name.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`user_agent.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`user_agent.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`user_agent.version`**
+:   Version of the user agent.
+
+type: keyword
+
+example: 12.0
+
+
+
+## vlan [_vlan]
+
+The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor  (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.
+
+**`vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+
+## vulnerability [_vulnerability]
+
+The vulnerability fields describe information about a vulnerability that is relevant to an event.
+
+**`vulnerability.category`**
+:   The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example ([Qualys vulnerability categories](https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)) This field must be an array.
+
+type: keyword
+
+example: ["Firewall"]
+
+
+**`vulnerability.classification`**
+:   The classification of the vulnerability scoring system. For example ([https://www.first.org/cvss/](https://www.first.org/cvss/))
+
+type: keyword
+
+example: CVSS
+
+
+**`vulnerability.description`**
+:   The description of the vulnerability that provides additional context of the vulnerability. For example ([Common Vulnerabilities and Exposure CVE description](https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created))
+
+type: keyword
+
+example: In macOS before 2.12.6, there is a vulnerability in the RPC…​
+
+
+**`vulnerability.description.text`**
+:   type: match_only_text
+
+
+**`vulnerability.enumeration`**
+:   The type of identifier used for this vulnerability. For example ([https://cve.mitre.org/about/](https://cve.mitre.org/about/))
+
+type: keyword
+
+example: CVE
+
+
+**`vulnerability.id`**
+:   The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example ([Common Vulnerabilities and Exposure CVE ID](https://cve.mitre.org/about/faqs.html#what_is_cve_id))
+
+type: keyword
+
+example: CVE-2019-00001
+
+
+**`vulnerability.reference`**
+:   A resource that provides additional information, context, and mitigations for the identified vulnerability.
+
+type: keyword
+
+example: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111)
+
+
+**`vulnerability.report_id`**
+:   The report or scan identification number.
+
+type: keyword
+
+example: 20191018.0001
+
+
+**`vulnerability.scanner.vendor`**
+:   The name of the vulnerability scanner vendor.
+
+type: keyword
+
+example: Tenable
+
+
+**`vulnerability.score.base`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+example: 5.5
+
+
+**`vulnerability.score.environmental`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+example: 5.5
+
+
+**`vulnerability.score.temporal`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+
+**`vulnerability.score.version`**
+:   The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss))
+
+type: keyword
+
+example: 2.0
+
+
+**`vulnerability.severity`**
+:   The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss))
+
+type: keyword
+
+example: Critical
+
+
+
+## x509 [_x509]
+
+This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.
+
+**`x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
diff --git a/docs/reference/packetbeat/exported-fields-flows_event.md b/docs/reference/packetbeat/exported-fields-flows_event.md
new file mode 100644
index 000000000000..0608c649c759
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-flows_event.md
@@ -0,0 +1,67 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-flows_event.html
+---
+
+# Flow Event fields [exported-fields-flows_event]
+
+These fields contain data about the flow itself.
+
+**`flow.final`**
+:   Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
+
+type: boolean
+
+
+**`flow.id`**
+:   Internal flow ID based on connection meta data and address.
+
+
+**`flow.vlan`**
+:   VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag’s VLAN identifier listed first.
+
+type: long
+
+
+**`flow_id`**
+:   type: alias
+
+alias to: flow.id
+
+
+**`final`**
+:   type: alias
+
+alias to: flow.final
+
+
+**`vlan`**
+:   type: alias
+
+alias to: flow.vlan
+
+
+**`source.stats.net_bytes_total`**
+:   type: alias
+
+alias to: source.bytes
+
+
+**`source.stats.net_packets_total`**
+:   type: alias
+
+alias to: source.packets
+
+
+**`dest.stats.net_bytes_total`**
+:   type: alias
+
+alias to: destination.bytes
+
+
+**`dest.stats.net_packets_total`**
+:   type: alias
+
+alias to: destination.packets
+
+
diff --git a/docs/reference/packetbeat/exported-fields-host-processor.md b/docs/reference/packetbeat/exported-fields-host-processor.md
new file mode 100644
index 000000000000..58f2cfa6ff42
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-host-processor.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-host-processor.html
+---
+
+# Host fields [exported-fields-host-processor]
+
+Info collected for the host machine.
+
+**`host.containerized`**
+:   If the host is a container.
+
+type: boolean
+
+
+**`host.os.build`**
+:   OS build information.
+
+type: keyword
+
+example: 18D109
+
+
+**`host.os.codename`**
+:   OS codename, if any.
+
+type: keyword
+
+example: stretch
+
+
diff --git a/docs/reference/packetbeat/exported-fields-http.md b/docs/reference/packetbeat/exported-fields-http.md
new file mode 100644
index 000000000000..ae910b3f73c1
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-http.md
@@ -0,0 +1,60 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-http.html
+---
+
+# HTTP fields [exported-fields-http]
+
+HTTP-specific event fields.
+
+
+## http [_http_2]
+
+Information about the HTTP request and response.
+
+
+## request [_request_2]
+
+HTTP request
+
+**`http.request.headers`**
+:   A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
+
+type: object
+
+
+**`http.request.params`**
+:   type: alias
+
+alias to: url.query
+
+
+
+## response [_response_2]
+
+HTTP response
+
+**`http.response.status_phrase`**
+:   The HTTP status phrase.
+
+example: Not Found
+
+
+**`http.response.headers`**
+:   A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
+
+type: object
+
+
+**`http.response.code`**
+:   type: alias
+
+alias to: http.response.status_code
+
+
+**`http.response.phrase`**
+:   type: alias
+
+alias to: http.response.status_phrase
+
+
diff --git a/docs/reference/packetbeat/exported-fields-icmp.md b/docs/reference/packetbeat/exported-fields-icmp.md
new file mode 100644
index 000000000000..7da74e5b6196
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-icmp.md
@@ -0,0 +1,49 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-icmp.html
+---
+
+# ICMP fields [exported-fields-icmp]
+
+ICMP specific event fields.
+
+**`icmp.version`**
+:   The version of the ICMP protocol.
+
+
+**`icmp.request.message`**
+:   A human readable form of the request.
+
+type: keyword
+
+
+**`icmp.request.type`**
+:   The request type.
+
+type: long
+
+
+**`icmp.request.code`**
+:   The request code.
+
+type: long
+
+
+**`icmp.response.message`**
+:   A human readable form of the response.
+
+type: keyword
+
+
+**`icmp.response.type`**
+:   The response type.
+
+type: long
+
+
+**`icmp.response.code`**
+:   The response code.
+
+type: long
+
+
diff --git a/docs/reference/packetbeat/exported-fields-jolokia-autodiscover.md b/docs/reference/packetbeat/exported-fields-jolokia-autodiscover.md
new file mode 100644
index 000000000000..80adea727fe9
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-jolokia-autodiscover.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-jolokia-autodiscover.html
+---
+
+# Jolokia Discovery autodiscover provider fields [exported-fields-jolokia-autodiscover]
+
+Metadata from Jolokia Discovery added by the jolokia provider.
+
+**`jolokia.agent.version`**
+:   Version number of jolokia agent.
+
+type: keyword
+
+
+**`jolokia.agent.id`**
+:   Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.
+
+type: keyword
+
+
+**`jolokia.server.product`**
+:   The container product if detected.
+
+type: keyword
+
+
+**`jolokia.server.version`**
+:   The container’s version (if detected).
+
+type: keyword
+
+
+**`jolokia.server.vendor`**
+:   The vendor of the container the agent is running in.
+
+type: keyword
+
+
+**`jolokia.url`**
+:   The URL how this agent can be contacted.
+
+type: keyword
+
+
+**`jolokia.secured`**
+:   Whether the agent was configured for authentication or not.
+
+type: boolean
+
+
diff --git a/docs/reference/packetbeat/exported-fields-kubernetes-processor.md b/docs/reference/packetbeat/exported-fields-kubernetes-processor.md
new file mode 100644
index 000000000000..82cc7754cfb0
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-kubernetes-processor.md
@@ -0,0 +1,87 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-kubernetes-processor.html
+---
+
+# Kubernetes fields [exported-fields-kubernetes-processor]
+
+Kubernetes metadata added by the kubernetes processor
+
+**`kubernetes.pod.name`**
+:   Kubernetes pod name
+
+type: keyword
+
+
+**`kubernetes.pod.uid`**
+:   Kubernetes Pod UID
+
+type: keyword
+
+
+**`kubernetes.pod.ip`**
+:   Kubernetes Pod IP
+
+type: ip
+
+
+**`kubernetes.namespace`**
+:   Kubernetes namespace
+
+type: keyword
+
+
+**`kubernetes.node.name`**
+:   Kubernetes node name
+
+type: keyword
+
+
+**`kubernetes.node.hostname`**
+:   Kubernetes hostname as reported by the node’s kernel
+
+type: keyword
+
+
+**`kubernetes.labels.*`**
+:   Kubernetes labels map
+
+type: object
+
+
+**`kubernetes.annotations.*`**
+:   Kubernetes annotations map
+
+type: object
+
+
+**`kubernetes.selectors.*`**
+:   Kubernetes selectors map
+
+type: object
+
+
+**`kubernetes.replicaset.name`**
+:   Kubernetes replicaset name
+
+type: keyword
+
+
+**`kubernetes.deployment.name`**
+:   Kubernetes deployment name
+
+type: keyword
+
+
+**`kubernetes.statefulset.name`**
+:   Kubernetes statefulset name
+
+type: keyword
+
+
+**`kubernetes.container.name`**
+:   Kubernetes container name (different than the name from the runtime)
+
+type: keyword
+
+
diff --git a/docs/reference/packetbeat/exported-fields-memcache.md b/docs/reference/packetbeat/exported-fields-memcache.md
new file mode 100644
index 000000000000..8ce091fc7480
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-memcache.md
@@ -0,0 +1,265 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-memcache.html
+---
+
+# Memcache fields [exported-fields-memcache]
+
+Memcached-specific event fields
+
+**`memcache.protocol_type`**
+:   The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type.
+
+type: keyword
+
+
+**`memcache.request.line`**
+:   The raw command line for unknown commands ONLY.
+
+type: keyword
+
+
+**`memcache.request.command`**
+:   The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands.
+
+type: keyword
+
+
+**`memcache.response.command`**
+:   Either the text based protocol response message type or the name of the originating request if binary protocol is used.
+
+type: keyword
+
+
+**`memcache.request.type`**
+:   The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth".
+
+type: keyword
+
+
+**`memcache.response.type`**
+:   The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol).
+
+type: keyword
+
+
+**`memcache.response.error_msg`**
+:   The optional error message in the memcache response (text based protocol only).
+
+type: keyword
+
+
+**`memcache.request.opcode`**
+:   The binary protocol message opcode name.
+
+type: keyword
+
+
+**`memcache.response.opcode`**
+:   The binary protocol message opcode name.
+
+type: keyword
+
+
+**`memcache.request.opcode_value`**
+:   The binary protocol message opcode value.
+
+type: long
+
+
+**`memcache.response.opcode_value`**
+:   The binary protocol message opcode value.
+
+type: long
+
+
+**`memcache.request.opaque`**
+:   The binary protocol opaque header value used for correlating request with response messages.
+
+type: long
+
+
+**`memcache.response.opaque`**
+:   The binary protocol opaque header value used for correlating request with response messages.
+
+type: long
+
+
+**`memcache.request.vbucket`**
+:   The vbucket index sent in the binary message.
+
+type: long
+
+
+**`memcache.response.status`**
+:   The textual representation of the response error code (binary protocol only).
+
+type: keyword
+
+
+**`memcache.response.status_code`**
+:   The status code value returned in the response (binary protocol only).
+
+type: long
+
+
+**`memcache.request.keys`**
+:   The list of keys sent in the store or load commands.
+
+type: array
+
+
+**`memcache.response.keys`**
+:   The list of keys returned for the load command (if present).
+
+type: array
+
+
+**`memcache.request.count_values`**
+:   The number of values found in the memcache request message. If the command does not send any data, this field is missing.
+
+type: long
+
+
+**`memcache.response.count_values`**
+:   The number of values found in the memcache response message. If the command does not send any data, this field is missing.
+
+type: long
+
+
+**`memcache.request.values`**
+:   The list of base64 encoded values sent with the request (if present).
+
+type: array
+
+
+**`memcache.response.values`**
+:   The list of base64 encoded values sent with the response (if present).
+
+type: array
+
+
+**`memcache.request.bytes`**
+:   The byte count of the values being transferred.
+
+type: long
+
+format: bytes
+
+
+**`memcache.response.bytes`**
+:   The byte count of the values being transferred.
+
+type: long
+
+format: bytes
+
+
+**`memcache.request.delta`**
+:   The counter increment/decrement delta value.
+
+type: long
+
+
+**`memcache.request.initial`**
+:   The counter increment/decrement initial value parameter (binary protocol only).
+
+type: long
+
+
+**`memcache.request.verbosity`**
+:   The value of the memcache "verbosity" command.
+
+type: long
+
+
+**`memcache.request.raw_args`**
+:   The text protocol raw arguments for the "stats …​" and "lru crawl …​" commands.
+
+type: keyword
+
+
+**`memcache.request.source_class`**
+:   The source class id in *slab reassign* command.
+
+type: long
+
+
+**`memcache.request.dest_class`**
+:   The destination class id in *slab reassign* command.
+
+type: long
+
+
+**`memcache.request.automove`**
+:   The automove mode in the *slab automove* command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown.
+
+type: keyword
+
+
+**`memcache.request.flags`**
+:   The memcache command flags sent in the request (if present).
+
+type: long
+
+
+**`memcache.response.flags`**
+:   The memcache message flags sent in the response (if present).
+
+type: long
+
+
+**`memcache.request.exptime`**
+:   The data expiry time in seconds sent with the memcache command (if present). If the value is <30 days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit).
+
+type: long
+
+
+**`memcache.request.sleep_us`**
+:   The sleep setting in microseconds for the *lru_crawler sleep* command.
+
+type: long
+
+
+**`memcache.response.value`**
+:   The counter value returned by a counter operation.
+
+type: long
+
+
+**`memcache.request.noreply`**
+:   Set to true if noreply was set in the request. The `memcache.response` field will be missing.
+
+type: boolean
+
+
+**`memcache.request.quiet`**
+:   Set to true if the binary protocol message is to be treated as a quiet message.
+
+type: boolean
+
+
+**`memcache.request.cas_unique`**
+:   The CAS (compare-and-swap) identifier if present.
+
+type: long
+
+
+**`memcache.response.cas_unique`**
+:   The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present).
+
+type: long
+
+
+**`memcache.response.stats`**
+:   The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value".
+
+type: array
+
+
+**`memcache.response.version`**
+:   The returned memcache version string.
+
+type: keyword
+
+
diff --git a/docs/reference/packetbeat/exported-fields-mongodb.md b/docs/reference/packetbeat/exported-fields-mongodb.md
new file mode 100644
index 000000000000..8bd68d908403
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-mongodb.md
@@ -0,0 +1,59 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-mongodb.html
+---
+
+# MongoDb fields [exported-fields-mongodb]
+
+MongoDB-specific event fields. These fields mirror closely the fields for the MongoDB wire protocol. The higher level fields (for example, `query` and `resource`) apply to MongoDB events as well.
+
+**`mongodb.error`**
+:   If the MongoDB request has resulted in an error, this field contains the error message returned by the server.
+
+
+**`mongodb.fullCollectionName`**
+:   The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar.
+
+
+**`mongodb.numberToSkip`**
+:   Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query.
+
+type: long
+
+
+**`mongodb.numberToReturn`**
+:   The requested maximum number of documents to be returned.
+
+type: long
+
+
+**`mongodb.numberReturned`**
+:   The number of documents in the reply.
+
+type: long
+
+
+**`mongodb.startingFrom`**
+:   Where in the cursor this reply is starting.
+
+
+**`mongodb.query`**
+:   A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot.
+
+
+**`mongodb.returnFieldsSelector`**
+:   A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1.
+
+
+**`mongodb.selector`**
+:   A BSON document that specifies the query for selecting the document to update or delete.
+
+
+**`mongodb.update`**
+:   A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual.
+
+
+**`mongodb.cursorId`**
+:   The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.
+
+
diff --git a/docs/reference/packetbeat/exported-fields-mysql.md b/docs/reference/packetbeat/exported-fields-mysql.md
new file mode 100644
index 000000000000..f6bbcfc02e67
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-mysql.md
@@ -0,0 +1,41 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-mysql.html
+---
+
+# MySQL fields [exported-fields-mysql]
+
+MySQL-specific event fields.
+
+**`mysql.affected_rows`**
+:   If the MySQL command is successful, this field contains the affected number of rows of the last statement.
+
+type: long
+
+
+**`mysql.insert_id`**
+:   If the INSERT query is successful, this field contains the id of the newly inserted row.
+
+
+**`mysql.num_fields`**
+:   If the SELECT query is successful, this field is set to the number of fields returned.
+
+
+**`mysql.num_rows`**
+:   If the SELECT query is successful, this field is set to the number of rows returned.
+
+
+**`mysql.query`**
+:   The row mysql query as read from the transaction’s request.
+
+
+**`mysql.error_code`**
+:   The error code returned by MySQL.
+
+type: long
+
+
+**`mysql.error_message`**
+:   The error info message returned by MySQL.
+
+
diff --git a/docs/reference/packetbeat/exported-fields-nfs.md b/docs/reference/packetbeat/exported-fields-nfs.md
new file mode 100644
index 000000000000..64c1e798f6c5
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-nfs.md
@@ -0,0 +1,92 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-nfs.html
+---
+
+# NFS fields [exported-fields-nfs]
+
+NFS v4/3 specific event fields.
+
+**`nfs.version`**
+:   NFS protocol version number.
+
+type: long
+
+
+**`nfs.minor_version`**
+:   NFS protocol minor version number.
+
+type: long
+
+
+**`nfs.tag`**
+:   NFS v4 COMPOUND operation tag.
+
+
+**`nfs.opcode`**
+:   NFS operation name, or main operation name, in case of COMPOUND calls.
+
+
+**`nfs.status`**
+:   NFS operation reply status.
+
+
+
+## rpc [_rpc]
+
+ONC RPC specific event fields.
+
+**`rpc.xid`**
+:   RPC message transaction identifier.
+
+
+**`rpc.status`**
+:   RPC message reply status.
+
+
+**`rpc.auth_flavor`**
+:   RPC authentication flavor.
+
+
+**`rpc.cred.uid`**
+:   RPC caller’s user id, in case of auth-unix.
+
+type: long
+
+
+**`rpc.cred.gid`**
+:   RPC caller’s group id, in case of auth-unix.
+
+type: long
+
+
+**`rpc.cred.gids`**
+:   RPC caller’s secondary group ids, in case of auth-unix.
+
+
+**`rpc.cred.stamp`**
+:   Arbitrary ID which the caller machine may generate.
+
+type: long
+
+
+**`rpc.cred.machinename`**
+:   The name of the caller’s machine.
+
+
+**`rpc.call_size`**
+:   RPC call size with argument.
+
+type: alias
+
+alias to: source.bytes
+
+
+**`rpc.reply_size`**
+:   RPC reply size with argument.
+
+type: alias
+
+alias to: destination.bytes
+
+
diff --git a/docs/reference/packetbeat/exported-fields-pgsql.md b/docs/reference/packetbeat/exported-fields-pgsql.md
new file mode 100644
index 000000000000..17a0556830d6
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-pgsql.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-pgsql.html
+---
+
+# PostgreSQL fields [exported-fields-pgsql]
+
+PostgreSQL-specific event fields.
+
+**`pgsql.error_code`**
+:   The PostgreSQL error code.
+
+type: long
+
+
+**`pgsql.error_message`**
+:   The PostgreSQL error message.
+
+
+**`pgsql.error_severity`**
+:   The PostgreSQL error severity.
+
+
+**`pgsql.num_fields`**
+:   If the SELECT query if successful, this field is set to the number of fields returned.
+
+
+**`pgsql.num_rows`**
+:   If the SELECT query if successful, this field is set to the number of rows returned.
+
+
diff --git a/docs/reference/packetbeat/exported-fields-process.md b/docs/reference/packetbeat/exported-fields-process.md
new file mode 100644
index 000000000000..a970e1bc49f5
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-process.md
@@ -0,0 +1,38 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-process.html
+---
+
+# Process fields [exported-fields-process]
+
+Process metadata fields
+
+**`process.exe`**
+:   type: alias
+
+alias to: process.executable
+
+
+
+## owner [_owner]
+
+Process owner information.
+
+**`process.owner.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+
+**`process.owner.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+
+**`process.owner.name.text`**
+:   type: text
+
+
diff --git a/docs/reference/packetbeat/exported-fields-raw.md b/docs/reference/packetbeat/exported-fields-raw.md
new file mode 100644
index 000000000000..bad2c6afe066
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-raw.md
@@ -0,0 +1,21 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-raw.html
+---
+
+# Raw fields [exported-fields-raw]
+
+These fields contain the raw transaction data.
+
+**`request`**
+:   For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
+
+type: text
+
+
+**`response`**
+:   For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
+
+type: text
+
+
diff --git a/docs/reference/packetbeat/exported-fields-redis.md b/docs/reference/packetbeat/exported-fields-redis.md
new file mode 100644
index 000000000000..50085b8fcb10
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-redis.md
@@ -0,0 +1,17 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-redis.html
+---
+
+# Redis fields [exported-fields-redis]
+
+Redis-specific event fields.
+
+**`redis.return_value`**
+:   The return value of the Redis command in a human readable format.
+
+
+**`redis.error`**
+:   If the Redis command has resulted in an error, this field contains the error message returned by the Redis server.
+
+
diff --git a/docs/reference/packetbeat/exported-fields-sip.md b/docs/reference/packetbeat/exported-fields-sip.md
new file mode 100644
index 000000000000..9ec3ffd41314
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-sip.md
@@ -0,0 +1,432 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-sip.html
+---
+
+# SIP fields [exported-fields-sip]
+
+SIP-specific event fields.
+
+
+## sip [_sip]
+
+Information about SIP traffic.
+
+**`sip.code`**
+:   Response status code.
+
+type: keyword
+
+
+**`sip.method`**
+:   Request method.
+
+type: keyword
+
+
+**`sip.status`**
+:   Response status phrase.
+
+type: keyword
+
+
+**`sip.type`**
+:   Either request or response.
+
+type: keyword
+
+
+**`sip.version`**
+:   SIP protocol version.
+
+type: keyword
+
+
+**`sip.uri.original`**
+:   The original URI.
+
+type: keyword
+
+
+**`sip.uri.original.text`**
+:   type: text
+
+
+**`sip.uri.scheme`**
+:   The URI scheme.
+
+type: keyword
+
+
+**`sip.uri.username`**
+:   The URI user name.
+
+type: keyword
+
+
+**`sip.uri.host`**
+:   The URI host.
+
+type: keyword
+
+
+**`sip.uri.port`**
+:   The URI port.
+
+type: keyword
+
+
+**`sip.accept`**
+:   Accept header value.
+
+type: keyword
+
+
+**`sip.allow`**
+:   Allowed methods.
+
+type: keyword
+
+
+**`sip.call_id`**
+:   Call ID.
+
+type: keyword
+
+
+**`sip.content_length`**
+:   type: long
+
+
+**`sip.content_type`**
+:   type: keyword
+
+
+**`sip.max_forwards`**
+:   type: long
+
+
+**`sip.supported`**
+:   Supported methods.
+
+type: keyword
+
+
+**`sip.user_agent.original`**
+:   type: keyword
+
+
+**`sip.user_agent.original.text`**
+:   type: text
+
+
+**`sip.private.uri.original`**
+:   Private original URI.
+
+type: keyword
+
+
+**`sip.private.uri.original.text`**
+:   type: text
+
+
+**`sip.private.uri.scheme`**
+:   Private URI scheme.
+
+type: keyword
+
+
+**`sip.private.uri.username`**
+:   Private URI user name.
+
+type: keyword
+
+
+**`sip.private.uri.host`**
+:   Private URI host.
+
+type: keyword
+
+
+**`sip.private.uri.port`**
+:   Private URI port.
+
+type: keyword
+
+
+**`sip.cseq.code`**
+:   Sequence code.
+
+type: keyword
+
+
+**`sip.cseq.method`**
+:   Sequence method.
+
+type: keyword
+
+
+**`sip.via.original`**
+:   The original Via value.
+
+type: keyword
+
+
+**`sip.via.original.text`**
+:   type: text
+
+
+**`sip.to.display_info`**
+:   To display info
+
+type: keyword
+
+
+**`sip.to.uri.original`**
+:   To original URI
+
+type: keyword
+
+
+**`sip.to.uri.original.text`**
+:   type: text
+
+
+**`sip.to.uri.scheme`**
+:   To URI scheme
+
+type: keyword
+
+
+**`sip.to.uri.username`**
+:   To URI user name
+
+type: keyword
+
+
+**`sip.to.uri.host`**
+:   To URI host
+
+type: keyword
+
+
+**`sip.to.uri.port`**
+:   To URI port
+
+type: keyword
+
+
+**`sip.to.tag`**
+:   To tag
+
+type: keyword
+
+
+**`sip.from.display_info`**
+:   From display info
+
+type: keyword
+
+
+**`sip.from.uri.original`**
+:   From original URI
+
+type: keyword
+
+
+**`sip.from.uri.original.text`**
+:   type: text
+
+
+**`sip.from.uri.scheme`**
+:   From URI scheme
+
+type: keyword
+
+
+**`sip.from.uri.username`**
+:   From URI user name
+
+type: keyword
+
+
+**`sip.from.uri.host`**
+:   From URI host
+
+type: keyword
+
+
+**`sip.from.uri.port`**
+:   From URI port
+
+type: keyword
+
+
+**`sip.from.tag`**
+:   From tag
+
+type: keyword
+
+
+**`sip.contact.display_info`**
+:   Contact display info
+
+type: keyword
+
+
+**`sip.contact.uri.original`**
+:   Contact original URI
+
+type: keyword
+
+
+**`sip.contact.uri.original.text`**
+:   type: text
+
+
+**`sip.contact.uri.scheme`**
+:   Contat URI scheme
+
+type: keyword
+
+
+**`sip.contact.uri.username`**
+:   Contact URI user name
+
+type: keyword
+
+
+**`sip.contact.uri.host`**
+:   Contact URI host
+
+type: keyword
+
+
+**`sip.contact.uri.port`**
+:   Contact URI port
+
+type: keyword
+
+
+**`sip.contact.transport`**
+:   Contact transport
+
+type: keyword
+
+
+**`sip.contact.line`**
+:   Contact line
+
+type: keyword
+
+
+**`sip.contact.expires`**
+:   Contact expires
+
+type: keyword
+
+
+**`sip.contact.q`**
+:   Contact Q
+
+type: keyword
+
+
+**`sip.auth.scheme`**
+:   Auth scheme
+
+type: keyword
+
+
+**`sip.auth.realm`**
+:   Auth realm
+
+type: keyword
+
+
+**`sip.auth.uri.original`**
+:   Auth original URI
+
+type: keyword
+
+
+**`sip.auth.uri.original.text`**
+:   type: text
+
+
+**`sip.auth.uri.scheme`**
+:   Auth URI scheme
+
+type: keyword
+
+
+**`sip.auth.uri.host`**
+:   Auth URI host
+
+type: keyword
+
+
+**`sip.auth.uri.port`**
+:   Auth URI port
+
+type: keyword
+
+
+**`sip.sdp.version`**
+:   SDP version
+
+type: keyword
+
+
+**`sip.sdp.owner.username`**
+:   SDP owner user name
+
+type: keyword
+
+
+**`sip.sdp.owner.session_id`**
+:   SDP owner session ID
+
+type: keyword
+
+
+**`sip.sdp.owner.version`**
+:   SDP owner version
+
+type: keyword
+
+
+**`sip.sdp.owner.ip`**
+:   SDP owner IP
+
+type: ip
+
+
+**`sip.sdp.session.name`**
+:   SDP session name
+
+type: keyword
+
+
+**`sip.sdp.connection.info`**
+:   SDP connection info
+
+type: keyword
+
+
+**`sip.sdp.connection.address`**
+:   SDP connection address
+
+type: keyword
+
+
+**`sip.sdp.body.original`**
+:   SDP original body
+
+type: keyword
+
+
+**`sip.sdp.body.original.text`**
+:   type: text
+
+
diff --git a/docs/reference/packetbeat/exported-fields-thrift.md b/docs/reference/packetbeat/exported-fields-thrift.md
new file mode 100644
index 000000000000..c774f8f17451
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-thrift.md
@@ -0,0 +1,25 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-thrift.html
+---
+
+# Thrift-RPC fields [exported-fields-thrift]
+
+Thrift-RPC specific event fields.
+
+**`thrift.params`**
+:   The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used.
+
+
+**`thrift.service`**
+:   The name of the Thrift-RPC service as defined in the IDL files.
+
+
+**`thrift.return_value`**
+:   The value returned by the Thrift-RPC call. This is encoded in a human readable format.
+
+
+**`thrift.exceptions`**
+:   If the call resulted in exceptions, this field contains the exceptions in a human readable format.
+
+
diff --git a/docs/reference/packetbeat/exported-fields-tls_detailed.md b/docs/reference/packetbeat/exported-fields-tls_detailed.md
new file mode 100644
index 000000000000..f28fd5e36bba
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-tls_detailed.md
@@ -0,0 +1,263 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-tls_detailed.html
+---
+
+# Detailed TLS fields [exported-fields-tls_detailed]
+
+Detailed TLS-specific event fields.
+
+**`tls.client.x509.version`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`tls.client.x509.issuer.province`**
+:   Province or region within country.
+
+type: keyword
+
+
+**`tls.client.x509.subject.province`**
+:   Province or region within country.
+
+type: keyword
+
+
+**`tls.server.x509.version`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`tls.server.x509.issuer.province`**
+:   Province or region within country.
+
+type: keyword
+
+
+**`tls.server.x509.subject.province`**
+:   Province or region within country.
+
+type: keyword
+
+
+**`tls.detailed.version`**
+:   The version of the TLS protocol used.
+
+type: keyword
+
+example: TLS 1.3
+
+
+**`tls.detailed.resumption_method`**
+:   If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.
+
+type: keyword
+
+
+**`tls.detailed.client_certificate_requested`**
+:   Whether the server has requested the client to authenticate itself using a client certificate.
+
+type: boolean
+
+
+**`tls.detailed.ocsp_response`**
+:   The result of an OCSP request.
+
+type: keyword
+
+
+**`tls.detailed.client_hello.version`**
+:   The version of the TLS protocol by which the client wishes to communicate during this session.
+
+type: keyword
+
+
+**`tls.detailed.client_hello.random`**
+:   Random data used by the TLS protocol to generate the encryption key.
+
+type: keyword
+
+
+**`tls.detailed.client_hello.session_id`**
+:   Unique number to identify the session for the corresponding connection with the client.
+
+type: keyword
+
+
+**`tls.detailed.client_hello.supported_compression_methods`**
+:   The list of compression methods the client supports. See [https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml](https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml)
+
+type: keyword
+
+
+
+## extensions [_extensions]
+
+The hello extensions provided by the client.
+
+**`tls.detailed.client_hello.extensions.server_name_indication`**
+:   List of hostnames
+
+type: keyword
+
+
+**`tls.detailed.client_hello.extensions.application_layer_protocol_negotiation`**
+:   List of application-layer protocols the client is willing to use.
+
+type: keyword
+
+
+**`tls.detailed.client_hello.extensions.session_ticket`**
+:   Length of the session ticket, if provided, or an empty string to advertise support for tickets.
+
+type: keyword
+
+
+**`tls.detailed.client_hello.extensions.supported_versions`**
+:   List of TLS versions that the client is willing to use.
+
+type: keyword
+
+
+**`tls.detailed.client_hello.extensions.supported_groups`**
+:   List of Elliptic Curve Cryptography (ECC) curve groups supported by the client.
+
+type: keyword
+
+
+**`tls.detailed.client_hello.extensions.signature_algorithms`**
+:   List of signature algorithms that may be use in digital signatures.
+
+type: keyword
+
+
+**`tls.detailed.client_hello.extensions.ec_points_formats`**
+:   List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse.
+
+type: keyword
+
+
+
+## status_request [_status_request]
+
+Status request made to the server.
+
+**`tls.detailed.client_hello.extensions.status_request.type`**
+:   The type of the status request. Always "ocsp" if present.
+
+type: keyword
+
+
+**`tls.detailed.client_hello.extensions.status_request.responder_id_list_length`**
+:   The length of the list of trusted responders.
+
+type: short
+
+
+**`tls.detailed.client_hello.extensions.status_request.request_extensions`**
+:   The number of certificate extensions for the request.
+
+type: short
+
+
+**`tls.detailed.client_hello.extensions._unparsed_`**
+:   List of extensions that were left unparsed by Packetbeat.
+
+type: keyword
+
+
+**`tls.detailed.server_hello.version`**
+:   The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.
+
+type: keyword
+
+
+**`tls.detailed.server_hello.random`**
+:   Random data used by the TLS protocol to generate the encryption key.
+
+type: keyword
+
+
+**`tls.detailed.server_hello.selected_compression_method`**
+:   The compression method selected by the server from the list provided in the client hello.
+
+type: keyword
+
+
+**`tls.detailed.server_hello.session_id`**
+:   Unique number to identify the session for the corresponding connection with the client.
+
+type: keyword
+
+
+
+## extensions [_extensions_2]
+
+The hello extensions provided by the server.
+
+**`tls.detailed.server_hello.extensions.application_layer_protocol_negotiation`**
+:   Negotiated application layer protocol
+
+type: keyword
+
+
+**`tls.detailed.server_hello.extensions.session_ticket`**
+:   Used to announce that a session ticket will be provided by the server. Always an empty string.
+
+type: keyword
+
+
+**`tls.detailed.server_hello.extensions.supported_versions`**
+:   Negotiated TLS version to be used.
+
+type: keyword
+
+
+**`tls.detailed.server_hello.extensions.ec_points_formats`**
+:   List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse.
+
+type: keyword
+
+
+
+## status_request [_status_request_2]
+
+Status request made to the server.
+
+**`tls.detailed.server_hello.extensions.status_request.response`**
+:   Whether a certificate status request response was made.
+
+type: boolean
+
+
+**`tls.detailed.server_hello.extensions._unparsed_`**
+:   List of extensions that were left unparsed by Packetbeat.
+
+type: keyword
+
+
+**`tls.detailed.server_certificate_chain`**
+:   Chain of trust for the server certificate.
+
+type: array
+
+
+**`tls.detailed.client_certificate_chain`**
+:   Chain of trust for the client certificate.
+
+type: array
+
+
+**`tls.detailed.alert_types`**
+:   An array containing the TLS alert type for every alert received.
+
+type: keyword
+
+
diff --git a/docs/reference/packetbeat/exported-fields-trans_event.md b/docs/reference/packetbeat/exported-fields-trans_event.md
new file mode 100644
index 000000000000..1235d947435e
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-trans_event.md
@@ -0,0 +1,49 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-trans_event.html
+---
+
+# Transaction Event fields [exported-fields-trans_event]
+
+These fields contain data about the transaction itself.
+
+**`status`**
+:   The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
+
+required: True
+
+
+**`method`**
+:   The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
+
+
+**`resource`**
+:   The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
+
+
+**`path`**
+:   The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
+
+required: True
+
+
+**`query`**
+:   The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
+
+type: keyword
+
+
+**`params`**
+:   The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
+
+type: text
+
+
+**`notes`**
+:   Messages from Packetbeat itself. This field usually contains error messages for interpreting the raw data. This information can be helpful for troubleshooting.
+
+type: alias
+
+alias to: error.message
+
+
diff --git a/docs/reference/packetbeat/exported-fields-trans_measurements.md b/docs/reference/packetbeat/exported-fields-trans_measurements.md
new file mode 100644
index 000000000000..6a002a42f5b4
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields-trans_measurements.md
@@ -0,0 +1,25 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-trans_measurements.html
+---
+
+# Measurements (Transactions) fields [exported-fields-trans_measurements]
+
+These fields contain measurements related to the transaction.
+
+**`bytes_in`**
+:   The number of bytes of the request. Note that this size is the application layer message length, without the length of the IP or TCP headers.
+
+type: alias
+
+alias to: source.bytes
+
+
+**`bytes_out`**
+:   The number of bytes of the response. Note that this size is the application layer message length, without the length of the IP or TCP headers.
+
+type: alias
+
+alias to: destination.bytes
+
+
diff --git a/docs/reference/packetbeat/exported-fields.md b/docs/reference/packetbeat/exported-fields.md
new file mode 100644
index 000000000000..58fae9a62025
--- /dev/null
+++ b/docs/reference/packetbeat/exported-fields.md
@@ -0,0 +1,38 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields.html
+---
+
+# Exported fields [exported-fields]
+
+This document describes the fields that are exported by Packetbeat. They are grouped in the following categories:
+
+* [*AMQP fields*](/reference/packetbeat/exported-fields-amqp.md)
+* [*Beat fields*](/reference/packetbeat/exported-fields-beat-common.md)
+* [*Cassandra fields*](/reference/packetbeat/exported-fields-cassandra.md)
+* [*Cloud provider metadata fields*](/reference/packetbeat/exported-fields-cloud.md)
+* [*Common fields*](/reference/packetbeat/exported-fields-common.md)
+* [*DHCPv4 fields*](/reference/packetbeat/exported-fields-dhcpv4.md)
+* [*DNS fields*](/reference/packetbeat/exported-fields-dns.md)
+* [*Docker fields*](/reference/packetbeat/exported-fields-docker-processor.md)
+* [*ECS fields*](/reference/packetbeat/exported-fields-ecs.md)
+* [*Flow Event fields*](/reference/packetbeat/exported-fields-flows_event.md)
+* [*Host fields*](/reference/packetbeat/exported-fields-host-processor.md)
+* [*HTTP fields*](/reference/packetbeat/exported-fields-http.md)
+* [*ICMP fields*](/reference/packetbeat/exported-fields-icmp.md)
+* [*Jolokia Discovery autodiscover provider fields*](/reference/packetbeat/exported-fields-jolokia-autodiscover.md)
+* [*Kubernetes fields*](/reference/packetbeat/exported-fields-kubernetes-processor.md)
+* [*Memcache fields*](/reference/packetbeat/exported-fields-memcache.md)
+* [*MongoDb fields*](/reference/packetbeat/exported-fields-mongodb.md)
+* [*MySQL fields*](/reference/packetbeat/exported-fields-mysql.md)
+* [*NFS fields*](/reference/packetbeat/exported-fields-nfs.md)
+* [*PostgreSQL fields*](/reference/packetbeat/exported-fields-pgsql.md)
+* [*Process fields*](/reference/packetbeat/exported-fields-process.md)
+* [*Raw fields*](/reference/packetbeat/exported-fields-raw.md)
+* [*Redis fields*](/reference/packetbeat/exported-fields-redis.md)
+* [*SIP fields*](/reference/packetbeat/exported-fields-sip.md)
+* [*Thrift-RPC fields*](/reference/packetbeat/exported-fields-thrift.md)
+* [*Detailed TLS fields*](/reference/packetbeat/exported-fields-tls_detailed.md)
+* [*Transaction Event fields*](/reference/packetbeat/exported-fields-trans_event.md)
+* [*Measurements (Transactions) fields*](/reference/packetbeat/exported-fields-trans_measurements.md)
+
diff --git a/docs/reference/packetbeat/extract-array.md b/docs/reference/packetbeat/extract-array.md
new file mode 100644
index 000000000000..dab05142941e
--- /dev/null
+++ b/docs/reference/packetbeat/extract-array.md
@@ -0,0 +1,46 @@
+---
+navigation_title: "extract_array"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/extract-array.html
+---
+
+# Extract array [extract-array]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `extract_array` processor populates fields with values read from an array field. The following example will populate `source.ip` with the first element of the `my_array` field, `destination.ip` with the second element, and `network.transport` with the third.
+
+```yaml
+processors:
+  - extract_array:
+      field: my_array
+      mappings:
+        source.ip: 0
+        destination.ip: 1
+        network.transport: 2
+```
+
+The following settings are supported:
+
+`field`
+:   The array field whose elements are to be extracted.
+
+`mappings`
+:   Maps each field name to an array index. Use 0 for the first element in the array. Multiple fields can be mapped to the same array element.
+
+`ignore_missing`
+:   (Optional) Whether to ignore events where the array field is missing. The default is `false`, which will fail processing of an event if the specified field does not exist. Set it to `true` to ignore this condition.
+
+`overwrite_keys`
+:   Whether the target fields specified in the mapping are overwritten if they already exist. The default is `false`, which will fail processing if a target field already exists.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error happens, changes to the event are reverted, and the original event is returned. If set to `false`, processing continues despite errors. Default is `true`.
+
+`omit_empty`
+:   (Optional) Whether empty values are extracted from the array. If set to `true`, instead of the target field being set to an empty value, it is left unset. The empty string (`""`), an empty array (`[]`) or an empty object (`{}`) are considered empty values. Default is `false`.
+
diff --git a/docs/reference/packetbeat/faq.md b/docs/reference/packetbeat/faq.md
new file mode 100644
index 000000000000..f70c6445f673
--- /dev/null
+++ b/docs/reference/packetbeat/faq.md
@@ -0,0 +1,26 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/faq.html
+---
+
+# Common problems [faq]
+
+This section describes common problems you might encounter with Packetbeat. Also check out the [Packetbeat discussion forum](https://discuss.elastic.co/c/beats/packetbeat).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/packetbeat/feature-roles.md b/docs/reference/packetbeat/feature-roles.md
new file mode 100644
index 000000000000..4703e868299b
--- /dev/null
+++ b/docs/reference/packetbeat/feature-roles.md
@@ -0,0 +1,25 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/feature-roles.html
+---
+
+# Grant users access to secured resources [feature-roles]
+
+You can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.
+
+Typically you need the create the following separate roles:
+
+* [setup role](/reference/packetbeat/privileges-to-setup-beats.md) for setting up index templates and other dependencies
+* [monitoring role](/reference/packetbeat/privileges-to-publish-monitoring.md) for sending monitoring information
+* [writer role](/reference/packetbeat/privileges-to-publish-events.md)  for publishing events collected by Packetbeat
+* [reader role](/reference/packetbeat/kibana-user-privileges.md) for {{kib}} users who need to view and create visualizations that access Packetbeat data
+
+{{es-security-features}} provides [built-in roles](elasticsearch://reference/elasticsearch/roles.md) that grant a subset of the privileges needed by Packetbeat users. When possible, use the built-in roles to minimize the affect of future changes on your security strategy.
+
+Instead of using usernames and passwords, roles and privileges can be assigned to API keys to grant access to Elasticsearch resources. See [*Grant access using API keys*](/reference/packetbeat/beats-api-keys.md) for more information.
+
+
+
+
+
+
diff --git a/docs/reference/packetbeat/file-output.md b/docs/reference/packetbeat/file-output.md
new file mode 100644
index 000000000000..514588ec565e
--- /dev/null
+++ b/docs/reference/packetbeat/file-output.md
@@ -0,0 +1,89 @@
+---
+navigation_title: "File"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/file-output.html
+---
+
+# Configure the File output [file-output]
+
+
+The File output dumps the transactions into a file where each transaction is in a JSON format. Currently, this output is used for testing, but it can be used as input for Logstash.
+
+To use this output, edit the Packetbeat configuration file to disable the {{es}} output by commenting it out, and enable the file output by adding `output.file`.
+
+Example configuration:
+
+```yaml
+output.file:
+  path: "/tmp/packetbeat"
+  filename: packetbeat
+  #rotate_every_kb: 10000
+  #number_of_files: 7
+  #permissions: 0600
+  #rotate_on_startup: true
+```
+
+## Configuration options [_configuration_options_20]
+
+You can specify the following `output.file` options in the `packetbeat.yml` config file:
+
+### `enabled` [_enabled_8]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `path` [path]
+
+The path to the directory where the generated files will be saved. This option is mandatory.
+
+The path may include the timestamp when the file output is initialized using the `+FORMAT` syntax where `FORMAT` is a valid [time format](https://github.com/elastic/beats/blob/main/libbeat/common/dtfmt/doc.go), and enclosed with expansion braces: `%{+FORMAT}`. For example:
+
+```
+path: 'fileoutput-%{+yyyy.MM.dd}'
+```
+
+
+### `filename` [_filename]
+
+The name of the generated files. The default is set to the Beat name. For example, the files generated by default for Packetbeat would be `"packetbeat-{{datetime}}.ndjson"`, `"packetbeat-{{datetime}}-1.ndjson"`, `"packetbeat-{{datetime}}-2.ndjson"`, and so on.
+
+
+### `rotate_every_kb` [_rotate_every_kb]
+
+The maximum size in kilobytes of each file. When this size is reached, the files are rotated. The default value is 10240 KB.
+
+
+### `number_of_files` [_number_of_files]
+
+The maximum number of files to save under [`path`](#path). When this number of files is reached, the oldest file is deleted, and the rest of the files are shifted from last to first. The number of files must be between 2 and 1024. The default is 7.
+
+
+### `permissions` [_permissions]
+
+Permissions to use for file creation. The default is 0600.
+
+
+### `rotate_on_startup` [_rotate_on_startup]
+
+If the output file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to true.
+
+
+### `codec` [_codec_3]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/packetbeat/configuration-output-codec.md) for more information.
+
+
+### `queue` [_queue_5]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/packetbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `packetbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/packetbeat/filtering-enhancing-data.md b/docs/reference/packetbeat/filtering-enhancing-data.md
new file mode 100644
index 000000000000..ea6f14e75f6c
--- /dev/null
+++ b/docs/reference/packetbeat/filtering-enhancing-data.md
@@ -0,0 +1,129 @@
+---
+navigation_title: "Processors"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/filtering-and-enhancing-data.html
+---
+
+# Filter and enhance data with processors [filtering-and-enhancing-data]
+
+
+You can [define processors](/reference/packetbeat/defining-processors.md) in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:
+
+* reducing the number of exported fields
+* enhancing events with additional metadata
+* performing additional processing and decoding
+
+Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Packetbeat configuration file.
+
+```yaml
+event -> processor 1 -> event1 -> processor 2 -> event2 ...
+```
+
+::::{important}
+It’s recommended to do all drop and renaming of existing fields as the last step in a processor configuration. This is because dropping or renaming fields can remove data necessary for the next processor in the chain, for example dropping the `source.ip` field would remove one of the fields necessary for the `community_id` processor to function. If it’s necessary to remove, rename or overwrite an existing event field, please make sure it’s done by a corresponding processor ([`drop_fields`](/reference/packetbeat/drop-fields.md), [`rename`](/reference/packetbeat/rename-fields.md) or [`add_fields`](/reference/packetbeat/add-fields.md)) placed at the end of the processor list defined in the input configuration.
+::::
+
+
+For example, the following configuration includes a subset of the Packetbeat DNS fields so that only the requests and their response codes are reported:
+
+```yaml
+processors:
+  - include_fields:
+      fields:
+        - client.bytes
+        - server.bytes
+        - client.ip
+        - server.ip
+        - dns.question.name
+        - dns.question.etld_plus_one
+        - dns.response_code
+```
+
+The filtered event would look something like this:
+
+```shell
+{
+  "@timestamp": "2019-01-19T03:41:11.798Z",
+  "client": {
+    "bytes": 28,
+    "ip": "10.100.6.82"
+  },
+  "server": {
+    "bytes": 271,
+    "ip": "10.100.4.1"
+  },
+  "dns": {
+    "question": {
+      "name": "www.elastic.co",
+      "etld_plus_one": "elastic.co"
+    },
+    "response_code": "NOERROR"
+  },
+  "type": "dns"
+}
+```
+
+If you would like to drop all the successful transactions, you can use the following configuration:
+
+```yaml
+processors:
+  - drop_event:
+      when:
+        equals:
+          http.response.status_code: 200
+```
+
+If you don’t want to export raw data for the successful transactions:
+
+```yaml
+processors:
+  - drop_fields:
+      when:
+        equals:
+          http.response.status_code: 200
+      fields: ["request", "response"]
+```
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/packetbeat/fingerprint.md b/docs/reference/packetbeat/fingerprint.md
new file mode 100644
index 000000000000..848abd1029c6
--- /dev/null
+++ b/docs/reference/packetbeat/fingerprint.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "fingerprint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/fingerprint.html
+---
+
+# Generate a fingerprint of an event [fingerprint]
+
+
+The `fingerprint` processor generates a fingerprint of an event based on a specified subset of its fields.
+
+The value that is hashed is constructed as a concatenation of the field name and field value separated by `|`. For example `|field1|value1|field2|value2|`.
+
+Nested fields are supported in the following format: `"field1.field2"` e.g: `["log.path.file", "foo"]`
+
+```yaml
+processors:
+  - fingerprint:
+      fields: ["field1", "field2", ...]
+```
+
+The following settings are supported:
+
+`fields`
+:   List of fields to use as the source for the fingerprint. The list will be alphabetically sorted by the processor.
+
+`ignore_missing`
+:   (Optional) Whether to ignore missing fields. Default is `false`.
+
+`target_field`
+:   (Optional) Field in which the generated fingerprint should be stored. Default is `fingerprint`.
+
+`method`
+:   (Optional) Algorithm to use for computing the fingerprint. Must be one of: `md5`, `sha1`, `sha256`, `sha384`, `sha512`, `xxhash`. Default is `sha256`.
+
+`encoding`
+:   (Optional) Encoding to use on the fingerprint value. Must be one of `hex`, `base32`, or `base64`. Default is `hex`.
+
diff --git a/docs/reference/packetbeat/getting-help.md b/docs/reference/packetbeat/getting-help.md
new file mode 100644
index 000000000000..d83df228dc4a
--- /dev/null
+++ b/docs/reference/packetbeat/getting-help.md
@@ -0,0 +1,16 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/getting-help.html
+---
+
+# Get help [getting-help]
+
+Start by searching the [Packetbeat discussion forum](https://discuss.elastic.co/c/beats/packetbeat) for your issue. If you can’t find a resolution, open a new issue or add a comment to an existing one. Make sure you provide the following information, and we’ll help you troubleshoot the problem:
+
+* Packetbeat version
+* Operating System
+* Configuration
+* Any supporting information, such as debugging output, that will help us diagnose your problem. See [*Debug*](/reference/packetbeat/enable-packetbeat-debugging.md) for more details.
+
+If you’re sure you found a bug, you can open a ticket on [GitHub](https://github.com/elastic/beats/issues?state=open). Note, however, that we close GitHub issues containing questions or requests for help if they don’t indicate the presence of a bug.
+
diff --git a/docs/reference/packetbeat/howto-guides.md b/docs/reference/packetbeat/howto-guides.md
new file mode 100644
index 000000000000..4f026d8a657f
--- /dev/null
+++ b/docs/reference/packetbeat/howto-guides.md
@@ -0,0 +1,17 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/howto-guides.html
+---
+
+# How to guides [howto-guides]
+
+Learn how to perform common Packetbeat configuration tasks.
+
+* [*Load the {{es}} index template*](/reference/packetbeat/packetbeat-template.md)
+* [*Change the index name*](/reference/packetbeat/change-index-name.md)
+* [*Load {{kib}} dashboards*](/reference/packetbeat/load-kibana-dashboards.md)
+* [*Enrich events with geoIP information*](/reference/packetbeat/packetbeat-geoip.md)
+* [*Use environment variables in the configuration*](/reference/packetbeat/using-environ-vars.md)
+* [*Parse data using an ingest pipeline*](/reference/packetbeat/configuring-ingest-node.md)
+* [*Avoid YAML formatting problems*](/reference/packetbeat/yaml-tips.md)
+
diff --git a/docs/reference/packetbeat/http-endpoint.md b/docs/reference/packetbeat/http-endpoint.md
new file mode 100644
index 000000000000..d19bf440ca52
--- /dev/null
+++ b/docs/reference/packetbeat/http-endpoint.md
@@ -0,0 +1,188 @@
+---
+navigation_title: "HTTP endpoint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/http-endpoint.html
+---
+
+# Configure an HTTP endpoint for metrics [http-endpoint]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+Packetbeat can expose internal metrics through an HTTP endpoint. These are useful to monitor the internal state of the Beat. For security reasons the endpoint is disabled by default, as you may want to avoid exposing this info.
+
+The HTTP endpoint has the following configuration settings:
+
+`http.enabled`
+:   (Optional) Enable the HTTP endpoint. Default is `false`.
+
+`http.host`
+:   (Optional) Bind to this hostname, IP address, unix socket (unix:///var/run/packetbeat.sock) or Windows named pipe (npipe:///packetbeat). It is recommended to use only localhost. Default is `localhost`
+
+`http.port`
+:   (Optional) Port on which the HTTP endpoint will bind. Default is `5066`.
+
+`http.named_pipe.user`
+:   (Optional) User to use to create the named pipe, only work on Windows, Default to the current user.
+
+`http.named_pipe.security_descriptor`
+:   (Optional) Windows Security descriptor string defined in the SDDL format. Default to read and write permission for the current user.
+
+`http.pprof.enabled`
+:   (Optional) Enable the `/debug/pprof/` endpoints when serving HTTP. It is recommended that this is only enabled on localhost as these endpoints may leak data. Default is `false`.
+
+`http.pprof.block_profile_rate`
+:   (Optional) `block_profile_rate` controls the fraction of goroutine blocking events that are reported in the blocking profile available from `/debug/pprof/block`. The profiler aims to sample an average of one blocking event per rate nanoseconds spent blocked. To include every blocking event in the profile, pass rate = 1. To turn off profiling entirely, pass rate ⇐ 0. Defaults to 0.
+
+`http.pprof.mem_profile_rate`
+:   (Optional) `mem_profile_rate` controls the fraction of memory allocations that are recorded and reported in the memory profile available from `/debug/pprof/heap`. The profiler aims to sample an average of one allocation per `mem_profile_rate` bytes allocated. To include every allocated block in the profile, set `mem_profile_rate` to 1. To turn off profiling entirely, set `mem_profile_rate` to 0. Defaults to 524288.
+
+`http.pprof.mutex_profile_rate`
+:   (Optional) `mutex_profile_rate` controls the fraction of mutex contention events that are reported in the mutex profile available from `/debug/pprof/mutex`. On average 1/rate events are reported. To turn off profiling entirely, pass rate 0. The default value is 0.
+
+This is the list of paths you can access. For pretty JSON output append `?pretty` to the URL.
+
+You can query a unix socket using the `cURL` command and the `--unix-socket` flag.
+
+```js
+curl -XGET --unix-socket '/var/run/{beatname_lc}.sock' 'http:/stats/?pretty'
+```
+
+
+## Info [_info]
+
+`/` provides basic info from the Packetbeat. Example:
+
+```js
+curl -XGET 'localhost:5066/?pretty'
+```
+
+```js
+{
+  "beat": "packetbeat",
+  "hostname": "example.lan",
+  "name": "example.lan",
+  "uuid": "34f6c6e1-45a8-4b12-9125-11b3e6e89866",
+  "version": "9.0.0-beta1"
+}
+```
+
+
+## Stats [_stats]
+
+`/stats` reports internal metrics. Example:
+
+```js
+curl -XGET 'localhost:5066/stats?pretty'
+```
+
+```js
+{
+  "beat": {
+    "cpu": {
+      "system": {
+        "ticks": 1710,
+        "time": {
+          "ms": 1712
+        }
+      },
+      "total": {
+        "ticks": 3420,
+        "time": {
+          "ms": 3424
+        },
+        "value": 3420
+      },
+      "user": {
+        "ticks": 1710,
+        "time": {
+          "ms": 1712
+        }
+      }
+    },
+    "info": {
+      "ephemeral_id": "ab4287c4-d907-4d9d-b074-d8c3cec4a577",
+      "uptime": {
+        "ms": 195547
+      }
+    },
+    "memstats": {
+      "gc_next": 17855152,
+      "memory_alloc": 9433384,
+      "memory_total": 492478864,
+      "rss": 50405376
+    },
+    "runtime": {
+      "goroutines": 22
+    }
+  },
+  "libbeat": {
+    "config": {
+      "module": {
+        "running": 0,
+        "starts": 0,
+        "stops": 0
+      },
+      "scans": 1,
+      "reloads": 1
+    },
+    "output": {
+      "events": {
+        "acked": 0,
+        "active": 0,
+        "batches": 0,
+        "dropped": 0,
+        "duplicates": 0,
+        "failed": 0,
+        "total": 0
+      },
+      "read": {
+        "bytes": 0,
+        "errors": 0
+      },
+      "type": "elasticsearch",
+      "write": {
+        "bytes": 0,
+        "errors": 0
+      }
+    },
+    "pipeline": {
+      "clients": 6,
+      "events": {
+        "active": 716,
+        "dropped": 0,
+        "failed": 0,
+        "filtered": 0,
+        "published": 716,
+        "retry": 278,
+        "total": 716
+      },
+      "queue": {
+        "acked": 0
+      }
+    }
+  },
+  "system": {
+    "cpu": {
+      "cores": 4
+    },
+    "load": {
+      "1": 2.22,
+      "15": 1.8,
+      "5": 1.74,
+      "norm": {
+        "1": 0.555,
+        "15": 0.45,
+        "5": 0.435
+      }
+    }
+  }
+}
+```
+
+The actual output may contain more metrics specific to Packetbeat
+
+
diff --git a/docs/reference/packetbeat/ilm.md b/docs/reference/packetbeat/ilm.md
new file mode 100644
index 000000000000..ca6d847b4509
--- /dev/null
+++ b/docs/reference/packetbeat/ilm.md
@@ -0,0 +1,58 @@
+---
+navigation_title: "Index lifecycle management (ILM)"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/ilm.html
+---
+
+# Configure index lifecycle management [ilm]
+
+
+Use the [index lifecycle management](docs-content://manage-data/lifecycle/index-lifecycle-management/tutorial-automate-rollover.md) (ILM) feature in {{es}} to manage your Packetbeat their backing indices of your data streams as they age. Packetbeat loads the default policy automatically and applies it to any data streams created by Packetbeat.
+
+You can view and edit the policy in the **Index lifecycle policies** UI in {{kib}}. For more information about working with the UI, see [Index lifecyle policies](docs-content://manage-data/lifecycle/index-lifecycle-management.md).
+
+Example configuration:
+
+```yaml
+setup.ilm.enabled: true
+```
+
+::::{warning}
+If index lifecycle management is enabled (which is typically the default), `setup.template.name` and `setup.template.pattern` are ignored.
+::::
+
+
+
+## Configuration options [_configuration_options_24]
+
+You can specify the following settings in the `setup.ilm` section of the `packetbeat.yml` config file:
+
+
+### `setup.ilm.enabled` [setup-ilm-option]
+
+Enables or disables index lifecycle management on any new indices created by Packetbeat. Valid values are `true` and `false`.
+
+
+### `setup.ilm.policy_name` [setup-ilm-policy_name-option]
+
+The name to use for the lifecycle policy. The default is `packetbeat`.
+
+
+### `setup.ilm.policy_file` [setup-ilm-policy_file-option]
+
+The path to a JSON file that contains a lifecycle policy configuration. Use this setting to load your own lifecycle policy.
+
+For more information about lifecycle policies, see [Set up index lifecycle management policy](docs-content://manage-data/lifecycle/index-lifecycle-management/configure-lifecycle-policy.md) in the *{{es}} Reference*.
+
+
+### `setup.ilm.check_exists` [setup-ilm-check_exists-option]
+
+When set to `false`, disables the check for an existing lifecycle policy. The default is `true`. You need to disable this check if the Packetbeat user connecting to a secured cluster doesn’t have the `read_ilm` privilege.
+
+If you set this option to `false`, lifecycle policy will not be installed, even if `setup.ilm.overwrite` is set to `true`.
+
+
+### `setup.ilm.overwrite` [setup-ilm-overwrite-option]
+
+When set to `true`, the lifecycle policy is overwritten at startup. The default is `false`.
+
diff --git a/packetbeat/docs/images/coordinate-map.png b/docs/reference/packetbeat/images/coordinate-map.png
similarity index 100%
rename from packetbeat/docs/images/coordinate-map.png
rename to docs/reference/packetbeat/images/coordinate-map.png
diff --git a/packetbeat/docs/images/discovery-packetbeat-flows.png b/docs/reference/packetbeat/images/discovery-packetbeat-flows.png
similarity index 100%
rename from packetbeat/docs/images/discovery-packetbeat-flows.png
rename to docs/reference/packetbeat/images/discovery-packetbeat-flows.png
diff --git a/packetbeat/docs/images/discovery-packetbeat-transactions.png b/docs/reference/packetbeat/images/discovery-packetbeat-transactions.png
similarity index 100%
rename from packetbeat/docs/images/discovery-packetbeat-transactions.png
rename to docs/reference/packetbeat/images/discovery-packetbeat-transactions.png
diff --git a/packetbeat/docs/images/filter_from_context.png b/docs/reference/packetbeat/images/filter_from_context.png
similarity index 100%
rename from packetbeat/docs/images/filter_from_context.png
rename to docs/reference/packetbeat/images/filter_from_context.png
diff --git a/packetbeat/docs/images/filterforval_icon.png b/docs/reference/packetbeat/images/filterforval_icon.png
similarity index 100%
rename from packetbeat/docs/images/filterforval_icon.png
rename to docs/reference/packetbeat/images/filterforval_icon.png
diff --git a/packetbeat/docs/images/filteroutval_icon.png b/docs/reference/packetbeat/images/filteroutval_icon.png
similarity index 100%
rename from packetbeat/docs/images/filteroutval_icon.png
rename to docs/reference/packetbeat/images/filteroutval_icon.png
diff --git a/packetbeat/docs/images/flows.png b/docs/reference/packetbeat/images/flows.png
similarity index 100%
rename from packetbeat/docs/images/flows.png
rename to docs/reference/packetbeat/images/flows.png
diff --git a/packetbeat/docs/images/kibana-filters.png b/docs/reference/packetbeat/images/kibana-filters.png
similarity index 100%
rename from packetbeat/docs/images/kibana-filters.png
rename to docs/reference/packetbeat/images/kibana-filters.png
diff --git a/packetbeat/docs/images/kibana-query-filtering.png b/docs/reference/packetbeat/images/kibana-query-filtering.png
similarity index 100%
rename from packetbeat/docs/images/kibana-query-filtering.png
rename to docs/reference/packetbeat/images/kibana-query-filtering.png
diff --git a/filebeat/docs/images/option_ignore_outgoing.png b/docs/reference/packetbeat/images/option_ignore_outgoing.png
similarity index 100%
rename from filebeat/docs/images/option_ignore_outgoing.png
rename to docs/reference/packetbeat/images/option_ignore_outgoing.png
diff --git a/packetbeat/docs/images/packetbeat-overview-dashboard.png b/docs/reference/packetbeat/images/packetbeat-overview-dashboard.png
similarity index 100%
rename from packetbeat/docs/images/packetbeat-overview-dashboard.png
rename to docs/reference/packetbeat/images/packetbeat-overview-dashboard.png
diff --git a/packetbeat/docs/images/saved-packetbeat-searches.png b/docs/reference/packetbeat/images/saved-packetbeat-searches.png
similarity index 100%
rename from packetbeat/docs/images/saved-packetbeat-searches.png
rename to docs/reference/packetbeat/images/saved-packetbeat-searches.png
diff --git a/packetbeat/docs/images/thrift-dashboard.png b/docs/reference/packetbeat/images/thrift-dashboard.png
similarity index 100%
rename from packetbeat/docs/images/thrift-dashboard.png
rename to docs/reference/packetbeat/images/thrift-dashboard.png
diff --git a/docs/reference/packetbeat/include-fields.md b/docs/reference/packetbeat/include-fields.md
new file mode 100644
index 000000000000..58b0aa55dd8e
--- /dev/null
+++ b/docs/reference/packetbeat/include-fields.md
@@ -0,0 +1,28 @@
+---
+navigation_title: "include_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/include-fields.html
+---
+
+# Keep fields from events [include-fields]
+
+
+The `include_fields` processor specifies which fields to export if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always exported. The `@timestamp`, `@metadata` and `type` fields are always exported, even if they are not defined in the `include_fields` list.
+
+```yaml
+processors:
+  - include_fields:
+      when:
+        condition
+      fields: ["field1", "field2", ...]
+```
+
+See [Conditions](/reference/packetbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+You can specify multiple `include_fields` processors under the `processors` section.
+
+::::{note}
+If you define an empty list of fields under `include_fields`, then only the required fields, `@timestamp` and `type`, are exported.
+::::
+
+
diff --git a/docs/reference/packetbeat/kafka-output.md b/docs/reference/packetbeat/kafka-output.md
new file mode 100644
index 000000000000..c130e46b1709
--- /dev/null
+++ b/docs/reference/packetbeat/kafka-output.md
@@ -0,0 +1,331 @@
+---
+navigation_title: "Kafka"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/kafka-output.html
+---
+
+# Configure the Kafka output [kafka-output]
+
+
+The Kafka output sends events to Apache Kafka.
+
+To use this output, edit the Packetbeat configuration file to disable the {{es}} output by commenting it out, and enable the Kafka output by uncommenting the Kafka section.
+
+::::{note}
+For Kafka version 0.10.0.0+ the message creation timestamp is set by beats and equals to the initial timestamp of the event. This affects the retention policy in Kafka: for example, if a beat event was created 2 weeks ago, the retention policy is set to 7 days and the message from beats arrives to Kafka today, it’s going to be immediately discarded since the timestamp value is before the last 7 days. It’s possible to change this behavior by setting timestamps on message arrival instead, so the message is not discarded but kept for 7 more days. To do that, please set `log.message.timestamp.type` to `LogAppendTime` (default `CreateTime`) in the Kafka configuration.
+::::
+
+
+Example configuration:
+
+```yaml
+output.kafka:
+  # initial brokers for reading cluster metadata
+  hosts: ["kafka1:9092", "kafka2:9092", "kafka3:9092"]
+
+  # message topic selection + partitioning
+  topic: '%{[fields.log_topic]}'
+  partition.round_robin:
+    reachable_only: false
+
+  required_acks: 1
+  compression: gzip
+  max_message_bytes: 1000000
+```
+
+::::{note}
+Events bigger than [`max_message_bytes`](#kafka-max_message_bytes) will be dropped. To avoid this problem, make sure Packetbeat does not generate events bigger than [`max_message_bytes`](#kafka-max_message_bytes).
+::::
+
+
+## Compatibility [kafka-compatibility]
+
+This output can connect to Kafka version 0.8.2.0 and later. Older versions might work as well, but are not supported. When using Kafka 4.0 and newer, the version must be set to at least `"2.1.0"`
+
+
+## Configuration options [_configuration_options_18]
+
+You can specify the following options in the `kafka` section of the `packetbeat.yml` config file:
+
+### `enabled` [_enabled_6]
+
+The `enabled` config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [_hosts]
+
+The list of Kafka broker addresses from where to fetch the cluster metadata. The cluster metadata contain the actual Kafka brokers events are published to.
+
+
+### `version` [_version]
+
+Kafka protocol version that Packetbeat will request when connecting. Defaults to 2.1.0. When using Kafka 4.0 and newer, the version must be set to at least `"2.1.0"`
+
+Valid values are all kafka releases in between `0.8.2.0` and `2.6.0`.
+
+The protocol version controls the Kafka client features available to Packetbeat; it does not prevent Packetbeat from connecting to Kafka versions newer than the protocol version.
+
+See [Compatibility](#kafka-compatibility) for information on supported versions.
+
+
+### `username` [_username_2]
+
+The username for connecting to Kafka. If username is configured, the password must be configured as well.
+
+
+### `password` [_password_2]
+
+The password for connecting to Kafka.
+
+
+### `sasl.mechanism` [_sasl_mechanism]
+
+The SASL mechanism to use when connecting to Kafka. It can be one of:
+
+* `PLAIN` for SASL/PLAIN.
+* `SCRAM-SHA-256` for SCRAM-SHA-256.
+* `SCRAM-SHA-512` for SCRAM-SHA-512.
+
+If `sasl.mechanism` is not set, `PLAIN` is used if `username` and `password` are provided. Otherwise, SASL authentication is disabled.
+
+To use `GSSAPI` mechanism to authenticate with Kerberos, you must leave this field empty, and use the [`kerberos`](#kerberos-option-kafka) options.
+
+
+### `topic` [topic-option-kafka]
+
+The Kafka topic used for produced events.
+
+You can set the topic dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_topic`, to set the topic for each event:
+
+```yaml
+topic: '%{[fields.log_topic]}'
+```
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/packetbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`topics`](#topics-option-kafka) setting for other ways to set the topic dynamically.
+
+
+### `topics` [topics-option-kafka]
+
+An array of topic selector rules. Each rule specifies the `topic` to use for events that match the rule. During publishing, Packetbeat sets the `topic` for each event based on the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `topics` setting is missing or no rule matches, the [`topic`](#topic-option-kafka) field is used.
+
+Rule settings:
+
+**`topic`**
+:   The topic format string to use.  If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `topic` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/packetbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sets the topic based on whether the message field contains the specified string:
+
+```yaml
+output.kafka:
+  hosts: ["localhost:9092"]
+  topic: "logs-%{[agent.version]}"
+  topics:
+    - topic: "critical-%{[agent.version]}"
+      when.contains:
+        message: "CRITICAL"
+    - topic: "error-%{[agent.version]}"
+      when.contains:
+        message: "ERR"
+```
+
+This configuration results in topics named `critical-9.0.0-beta1`, `error-9.0.0-beta1`, and `logs-9.0.0-beta1`.
+
+
+### `key` [_key]
+
+Optional formatted string specifying the Kafka event key. If configured, the event key can be extracted from the event using a format string.
+
+See the Kafka documentation for the implications of a particular choice of key; by default, the key is chosen by the Kafka cluster.
+
+
+### `partition` [_partition]
+
+Kafka output broker event partitioning strategy. Must be one of `random`, `round_robin`, or `hash`. By default the `hash` partitioner is used.
+
+**`random.group_events`**: Sets the number of events to be published to the same partition, before the partitioner selects a new partition by random. The default value is 1 meaning after each event a new partition is picked randomly.
+
+**`round_robin.group_events`**: Sets the number of events to be published to the same partition, before the partitioner selects the next partition. The default value is 1 meaning after each event the next partition will be selected.
+
+**`hash.hash`**: List of fields used to compute the partitioning hash value from. If no field is configured, the events `key` value will be used.
+
+**`hash.random`**: Randomly distribute events if no hash or key value can be computed.
+
+All partitioners will try to publish events to all partitions by default. If a partition’s leader becomes unreachable for the beat, the output might block. All partitioners support setting `reachable_only` to overwrite this behavior. If `reachable_only` is set to `true`, events will be published to available partitions only.
+
+::::{note}
+Publishing to a subset of available partitions potentially increases resource usage because events may become unevenly distributed.
+::::
+
+
+
+### `headers` [_headers_2]
+
+A header is a key-value pair, and multiple headers can be included with the same `key`. Only string values are supported. These headers will be included in each produced Kafka message.
+
+```yaml
+output.kafka:
+  hosts: ["localhost:9092"]
+  topic: "logs-%{[agent.version]}"
+  headers:
+    - key: "some-key"
+      value: "some value"
+    - key: "another-key"
+      value: "another value"
+```
+
+
+### `client_id` [_client_id]
+
+The configurable ClientID used for logging, debugging, and auditing purposes. The default is "beats".
+
+
+### `codec` [_codec]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/packetbeat/configuration-output-codec.md) for more information.
+
+
+### `metadata` [_metadata]
+
+Kafka metadata update settings. The metadata do contain information about brokers, topics, partition, and active leaders to use for publishing.
+
+**`refresh_frequency`**
+:   Metadata refresh interval. Defaults to 10 minutes.
+
+**`full`**
+:   Strategy to use when fetching metadata, when this option is `true`, the client will maintain a full set of metadata for all the available topics, if the this option is set to `false` it will only refresh the metadata for the configured topics. The default is false.
+
+**`retry.max`**
+:   Total number of metadata update retries when cluster is in middle of leader election. The default is 3.
+
+**`retry.backoff`**
+:   Waiting time between retries during leader elections. Default is 250ms.
+
+
+### `max_retries` [_max_retries_3]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `backoff.init` [_backoff_init_2]
+
+The number of seconds to wait before trying to republish to Kafka after a network error. After waiting `backoff.init` seconds, Packetbeat tries to republish. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful publish, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_2]
+
+The maximum number of seconds to wait before attempting to republish to Kafka after a network error. The default is 60s.
+
+
+### `bulk_max_size` [_bulk_max_size_2]
+
+The maximum number of events to bulk in a single Kafka request. The default is 2048.
+
+
+### `bulk_flush_frequency` [_bulk_flush_frequency]
+
+Duration to wait before sending bulk Kafka request. 0 is no delay. The default is 0.
+
+
+### `timeout` [_timeout_4]
+
+The number of seconds to wait for responses from the Kafka brokers before timing out. The default is 30 (seconds).
+
+
+### `broker_timeout` [_broker_timeout]
+
+The maximum duration a broker will wait for number of required ACKs. The default is 10s.
+
+
+### `channel_buffer_size` [_channel_buffer_size]
+
+Per Kafka broker number of messages buffered in output pipeline. The default is 256.
+
+
+### `keep_alive` [_keep_alive]
+
+The keep-alive period for an active network connection. If 0s, keep-alives are disabled. The default is 0 seconds.
+
+
+### `compression` [_compression]
+
+Sets the output compression codec. Must be one of `none`, `snappy`, `lz4`, `gzip` and `zstd`. The default is `gzip`.
+
+::::{admonition} Known issue with Azure Event Hub for Kafka
+:class: important
+
+When targeting Azure Event Hub for Kafka, set `compression` to `none` as the provided codecs are not supported.
+
+::::
+
+
+
+### `compression_level` [_compression_level_2]
+
+Sets the compression level used by gzip. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the cpu usage.
+
+The default value is 4.
+
+
+### `max_message_bytes` [kafka-max_message_bytes]
+
+The maximum permitted size of JSON-encoded messages. Bigger messages will be dropped. The default value is 1000000 (bytes). This value should be equal to or less than the broker’s `message.max.bytes`.
+
+
+### `required_acks` [_required_acks]
+
+The ACK reliability level required from broker. 0=no response, 1=wait for local commit, -1=wait for all replicas to commit. The default is 1.
+
+Note: If set to 0, no ACKs are returned by Kafka. Messages might be lost silently on error.
+
+
+### `ssl` [_ssl_3]
+
+Configuration options for SSL parameters like the root CA for Kafka connections. The Kafka host keystore should be created with the `-keyalg RSA` argument to ensure it uses a cipher supported by [Filebeat’s Kafka library](https://github.com/Shopify/sarama/wiki/Frequently-Asked-Questions#why-cant-sarama-connect-to-my-kafka-cluster-using-ssl). See [SSL](/reference/packetbeat/configuration-ssl.md) for more information.
+
+
+### `kerberos` [kerberos-option-kafka]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Configuration options for Kerberos authentication.
+
+See [Kerberos](/reference/packetbeat/configuration-kerberos.md) for more information.
+
+
+### `queue` [_queue_3]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/packetbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `packetbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/packetbeat/keystore.md b/docs/reference/packetbeat/keystore.md
new file mode 100644
index 000000000000..777db94bf9ea
--- /dev/null
+++ b/docs/reference/packetbeat/keystore.md
@@ -0,0 +1,87 @@
+---
+navigation_title: "Secrets keystore"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/keystore.html
+---
+
+# Secrets keystore for secure settings [keystore]
+
+
+When you configure Packetbeat, you might need to specify sensitive settings, such as passwords. Rather than relying on file system permissions to protect these values, you can use the Packetbeat keystore to obfuscate stored secret values for use in configuration settings.
+
+After adding a key and its secret value to the keystore, you can use the key in place of the secret value when you configure sensitive settings.
+
+The syntax for referencing keys is identical to the syntax for environment variables:
+
+`${KEY}`
+
+Where KEY is the name of the key.
+
+For example, imagine that the keystore contains a key called `ES_PWD` with the value `yourelasticsearchpassword`:
+
+* In the configuration file, use `output.elasticsearch.password: "${ES_PWD}"`
+* On the command line, use: `-E "output.elasticsearch.password=\${ES_PWD}"`
+
+When Packetbeat unpacks the configuration, it resolves keys before resolving environment variables and other variables.
+
+Notice that the Packetbeat keystore differs from the Elasticsearch keystore. Whereas the Elasticsearch keystore lets you store `elasticsearch.yml` values by name, the Packetbeat keystore lets you specify arbitrary names that you can reference in the Packetbeat configuration.
+
+To create and manage keys, use the `keystore` command. See the [command reference](/reference/packetbeat/command-line-options.md#keystore-command) for the full command syntax, including optional flags.
+
+::::{note}
+The `keystore` command must be run by the same user who will run Packetbeat.
+::::
+
+
+
+## Create a keystore [creating-keystore]
+
+To create a secrets keystore, use:
+
+```sh
+packetbeat keystore create
+```
+
+Packetbeat creates the keystore in the directory defined by the `path.data` configuration setting.
+
+
+## Add keys [add-keys-to-keystore]
+
+To store sensitive values, such as authentication credentials for Elasticsearch, use the `keystore add` command:
+
+```sh
+packetbeat keystore add ES_PWD
+```
+
+When prompted, enter a value for the key.
+
+To overwrite an existing key’s value, use the `--force` flag:
+
+```sh
+packetbeat keystore add ES_PWD --force
+```
+
+To pass the value through stdin, use the `--stdin` flag. You can also use `--force`:
+
+```sh
+cat /file/containing/setting/value | packetbeat keystore add ES_PWD --stdin --force
+```
+
+
+## List keys [list-settings]
+
+To list the keys defined in the keystore, use:
+
+```sh
+packetbeat keystore list
+```
+
+
+## Remove keys [remove-settings]
+
+To remove a key from the keystore, use:
+
+```sh
+packetbeat keystore remove ES_PWD
+```
+
diff --git a/docs/reference/packetbeat/kibana-queries-filters.md b/docs/reference/packetbeat/kibana-queries-filters.md
new file mode 100644
index 000000000000..66a899a5db13
--- /dev/null
+++ b/docs/reference/packetbeat/kibana-queries-filters.md
@@ -0,0 +1,147 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/kibana-queries-filters.html
+---
+
+# Kibana queries and filters [kibana-queries-filters]
+
+This topic provides a short introduction to some useful queries for searching Packetbeat data. For a full description of the query syntax, see [Searching Your Data](elasticsearch://reference/query-languages/kql.md) in the *Kibana User Guide*.
+
+In Kibana, you can filter transactions either by entering a search query or by clicking on elements within a visualization.
+
+
+## Create queries [_create_queries]
+
+The search field on the **Discover** page provides a way to query a specific subset of transactions from the selected time frame. It allows boolean operators, wildcards, and field filtering. For example, if you want to find the HTTP redirects, you can search for `http.response.status_code: 302`.
+
+:::{image} images/kibana-query-filtering.png
+:alt: Kibana query
+:class: screenshot
+:::
+
+
+### String queries [_string_queries]
+
+A query may consist of one or more words or a phrase. A phrase is a group of words surrounded by double quotation marks, such as `"test search"`.
+
+To search for all HTTP requests initiated by Mozilla Web browser version 5.0:
+
+```yaml
+"Mozilla/5.0"
+```
+
+To search for all the transactions that contain the following message:
+
+```yaml
+"Cannot change the info of a user"
+```
+
+::::{note}
+To search for an exact string, you need to wrap the string in double quotation marks. Without quotation marks, the search in the example would match any documents containing one of the following words: "Cannot" OR "change" OR "the" OR "info" OR "a" OR "user".
+::::
+
+
+To search for all transactions with the "chunked" encoding:
+
+```yaml
+"Transfer-Encoding: chunked"
+```
+
+
+### Field-based queries [_field_based_queries]
+
+Kibana allows you to search specific fields.
+
+To view HTTP transactions only:
+
+```yaml
+type: http
+```
+
+To view failed transactions only:
+
+```yaml
+status: Error
+```
+
+To view INSERT queries only:
+
+```yaml
+method: INSERT
+```
+
+
+### Regexp queries [_regexp_queries]
+
+Kibana supports regular expression for filters and expressions. For example, to search for all HTTP responses with JSON as the returned value type:
+
+```yaml
+http.response_headers.content_type: *json
+```
+
+See [Elasticsearch regexp query](elasticsearch://reference/query-languages/query-dsl-regexp-query.md) for more details about the syntax.
+
+
+### Range queries [_range_queries]
+
+Range queries allow a field to have values between the lower and upper bounds. The interval can include or exclude the bounds depending on the type of brackets that you use.
+
+To search for slow transactions with a response time greater than or equal to 10ms:
+
+```yaml
+event.duration: [10000000 TO *]
+```
+
+To search for slow transactions with a response time greater than 10ms:
+
+```yaml
+responsetime: {10000000 TO *}
+```
+
+
+### Boolean queries [_boolean_queries]
+
+Boolean operators (AND, OR, NOT) allow combining multiple sub-queries through logic operators.
+
+::::{note}
+Operators such as AND, OR, and NOT must be capitalized.
+::::
+
+
+To search for all transactions except MySQL transactions:
+
+```yaml
+NOT type: mysql
+```
+
+To search for all MySQL INSERT queries with errors:
+
+```yaml
+type: mysql AND method: INSERT AND status: Error
+```
+
+Kibana Query Language (KQL) also supports parentheses to group sub-queries.
+
+To search for either INSERT or UPDATE queries with a response time greater than or equal to 30ms:
+
+```yaml
+(method: INSERT OR method: UPDATE) AND event.duration >= 30000000
+```
+
+
+## Create filters [_create_filters]
+
+In Kibana, you can also filter transactions by clicking on elements within a visualization. For example, to filter for all the HTTP redirects that are coming from a specific IP and port, click the **Filter for value** ![filterforval icon](images/filterforval_icon.png "") icon next to the `client.ip` and `client.port` fields in the transaction detail table. To exclude the HTTP redirects coming from the IP and port, click the **Filter out value** ![filteroutval icon](images/filteroutval_icon.png "") icon instead.
+
+:::{image} images/filter_from_context.png
+:alt: Filter from context
+:class: screenshot
+:::
+
+The selected filters appear under the search box.
+
+:::{image} images/kibana-filters.png
+:alt: Kibana filters
+:class: screenshot
+:::
+
diff --git a/docs/reference/packetbeat/kibana-user-privileges.md b/docs/reference/packetbeat/kibana-user-privileges.md
new file mode 100644
index 000000000000..854c69689399
--- /dev/null
+++ b/docs/reference/packetbeat/kibana-user-privileges.md
@@ -0,0 +1,27 @@
+---
+navigation_title: "Create a _reader_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/kibana-user-privileges.html
+---
+
+# Grant privileges and roles needed to read Packetbeat data from {{kib}} [kibana-user-privileges]
+
+
+{{kib}} users typically need to view dashboards and visualizations that contain Packetbeat data. These users might also need to create and edit dashboards and visualizations.
+
+To grant users the required privileges:
+
+1. Create a **reader role**, called something like `packetbeat_reader`, that has the following privilege:
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Index | `read` on `packetbeat-*` indices | Read data indexed by Packetbeat |
+    | Spaces | `Read` or `All` on Dashboards, Visualize, and Discover | Allow the user to view, edit, and create dashboards, as well as browse data. |
+
+2. Assign the **reader role**, along with the following built-in roles, to users who need to read Packetbeat data:
+
+    | Role | Purpose |
+    | --- | --- |
+    | `monitoring_user` | Allow users to monitor the health of Packetbeat itself. Only assign this role to users who manage Packetbeat. |
+
+
diff --git a/docs/reference/packetbeat/learn-more-security.md b/docs/reference/packetbeat/learn-more-security.md
new file mode 100644
index 000000000000..83188f22c0ce
--- /dev/null
+++ b/docs/reference/packetbeat/learn-more-security.md
@@ -0,0 +1,12 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/learn-more-security.html
+---
+
+# Learn more about privileges, roles, and users [learn-more-security]
+
+Want to learn more about creating users and roles? See [Secure a cluster](docs-content://deploy-manage/security.md). Also see:
+
+* [Security privileges](elasticsearch://reference/elasticsearch/security-privileges.md) for a description of available privileges
+* [Built-in roles](elasticsearch://reference/elasticsearch/roles.md) for a description of roles that you can assign to users
+
diff --git a/docs/reference/packetbeat/linux-seccomp.md b/docs/reference/packetbeat/linux-seccomp.md
new file mode 100644
index 000000000000..9106be457738
--- /dev/null
+++ b/docs/reference/packetbeat/linux-seccomp.md
@@ -0,0 +1,75 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/linux-seccomp.html
+---
+
+# Use Linux Secure Computing Mode (seccomp) [linux-seccomp]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+On Linux 3.17 and later, Packetbeat can take advantage of secure computing mode, also known as seccomp. Seccomp restricts the system calls that a process can issue. Specifically Packetbeat can load a seccomp BPF filter at process start-up that drops the privileges to invoke specific system calls. Once a filter is loaded by the process it cannot be removed.
+
+The kernel exposes a large number of system calls that are not used by Packetbeat. By installing a seccomp filter, you can limit the total kernel surface exposed to Packetbeat (principle of least privilege). This minimizes the impact of unknown vulnerabilities that might be found in the process.
+
+The filter is expressed as a Berkeley Packet Filter (BPF) program. The BPF program is generated based on a policy defined by Packetbeat. The policy can be customized through configuration as well.
+
+A seccomp policy is architecture specific due to the fact that system calls vary by architecture. Packetbeat includes a whitelist seccomp policy for the amd64 and 386 architectures. You can view those policies [here](https://github.com/elastic/beats/tree/master/libbeat/common/seccomp).
+
+
+## Seccomp Policy Configuration [seccomp-policy-config]
+
+The seccomp policy can be customized through the configuration policy. This is an example blacklist policy that prohibits `execve`, `execveat`, `fork`, and `vfork` syscalls.
+
+```yaml
+seccomp:
+  default_action: allow <1>
+  syscalls:
+  - action: errno <2>
+    names: <3>
+    - execve
+    - execveat
+    - fork
+    - vfork
+```
+
+1. If the system call being invoked by the process does not match one of the names below then it will be allowed.
+2. If the system call being invoked matches one of the names below then an error will be returned to caller. This is known as a blacklist policy.
+3. These are system calls being prohibited.
+
+
+These are the configuration options for a seccomp policy.
+
+**`enabled`**
+:   On Linux, this option is enabled by default. To disable seccomp filter loading, set this option to `false`.
+
+**`default_action`**
+:   The default action to take when none of the defined system calls match. See [action](#seccomp-policy-config-action) for the full list of values. This is required.
+
+**`syscalls`**
+:   Each object in this list must contain an `action` and a list of system call `names`. The list must contain at least one item.
+
+**`names`**
+:   A list of system call names. The system call name must exist for the runtime architecture, otherwise an error will be logged and the filter will not be installed. At least one system call must be defined.
+
+$$$seccomp-policy-config-action$$$
+
+**`action`**
+:   The action to take when any of the system calls listed in `names` is executed. This is required. These are the available action values. The actions that are available depend on the kernel version.
+
+    * `errno` - The system call will return `EPERM` (permission denied) to the caller.
+    * `trace` - The kernel will notify a `ptrace` tracer. If no tracer is present then the system call fails with `ENOSYS` (function not implemented).
+    * `trap` - The kernel will send a `SIGSYS` signal to the calling thread and not execute the system call. The Go runtime will exit.
+    * `kill_thread` - The kernel will immediately terminate the thread. Other threads will continue to execute.
+    * `kill_process` - The kernel will terminate the process. Available in Linux 4.14 and later.
+    * `log` - The kernel will log the system call before executing it. Available in Linux 4.14 and later. (This does not go to the Beat’s log.)
+    * `allow` - The kernel will allow the system call to execute.
+
+
+
+## Auditbeat Reports Seccomp Violations [_auditbeat_reports_seccomp_violations]
+
+You can use Auditbeat to report any seccomp violations that occur on the system. The kernel generates an event for each violation and Auditbeat reports the event. The `event.action` value will be `violated-seccomp-policy` and the event will contain information about the process and system call.
+
diff --git a/docs/reference/packetbeat/load-ingest-pipelines.md b/docs/reference/packetbeat/load-ingest-pipelines.md
new file mode 100644
index 000000000000..bbfc7bb6e886
--- /dev/null
+++ b/docs/reference/packetbeat/load-ingest-pipelines.md
@@ -0,0 +1,23 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/load-ingest-pipelines.html
+---
+
+# Load ingest pipelines [load-ingest-pipelines]
+
+Packetbeat modules are implemented using {{es}} ingest node pipelines.  The events receive their transformations within {{es}}.  The ingest node pipelines must be loaded into {{es}}.  This can happen one of several ways.
+
+
+## On connection to {{es}} [packetbeat-load-pipeline-auto]
+
+Packetbeat will send ingest pipelines automatically to {{es}} if the {{es}} output is enabled.
+
+Make sure the user specified in `packetbeat.yml` is [authorized to set up Packetbeat](/reference/packetbeat/privileges-to-setup-beats.md).
+
+If Packetbeat is sending events to {{ls}} or another output you need to load the ingest pipelines with the `setup` command or manually.
+
+
+## Manually install pipelines [packetbeat-load-pipeline-manual]
+
+Pipelines can be loaded them into {{es}} with the `_ingest/pipeline` REST API call. The user making the REST API call will need to have the `ingest_admin` role assigned to them.
+
diff --git a/docs/reference/packetbeat/load-kibana-dashboards.md b/docs/reference/packetbeat/load-kibana-dashboards.md
new file mode 100644
index 000000000000..e16b5a27c846
--- /dev/null
+++ b/docs/reference/packetbeat/load-kibana-dashboards.md
@@ -0,0 +1,151 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/load-kibana-dashboards.html
+---
+
+# Load Kibana dashboards [load-kibana-dashboards]
+
+Packetbeat comes packaged with example Kibana dashboards, visualizations, and searches for visualizing Packetbeat data in Kibana. Before you can use the dashboards, you need to create the index pattern, `packetbeat-*`, and load the dashboards into Kibana.
+
+To do this, you can either run the `setup` command (as described here) or [configure dashboard loading](/reference/packetbeat/configuration-dashboards.md) in the `packetbeat.yml` config file. This requires a Kibana endpoint configuration. If you didn’t already configure a Kibana endpoint, see [{{kib}} endpoint](/reference/packetbeat/setup-kibana-endpoint.md).
+
+
+## Load dashboards [load-dashboards]
+
+Make sure Kibana is running before you perform this step. If you are accessing a secured Kibana instance, make sure you’ve configured credentials as described in the [Quick start: installation and configuration](/reference/packetbeat/packetbeat-installation-configuration.md).
+
+To load the recommended index template for writing to {{es}} and deploy the sample dashboards for visualizing the data in {{kib}}, use the command that works with your system.
+
+::::{note}
+Use `sudo` to run these commands if the config file is owned by root.
+::::
+
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+packetbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+packetbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+./packetbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} Linux
+```sh
+./packetbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} Docker
+```sh
+docker run --rm --net="host" docker.elastic.co/beats/packetbeat:9.0.0-beta1 setup --dashboards
+```
+::::::
+
+::::::{tab-item} Windows
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Packetbeat, and run:
+
+```sh
+PS > .\packetbeat.exe setup --dashboards
+```
+::::::
+
+:::::::
+For more options, such as loading customized dashboards, see [Importing Existing Beat Dashboards](http://www.elastic.co/guide/en/beats/devguide/master/import-dashboards.md). If you’ve configured the Logstash output, see [Load dashboards for Logstash output](#load-dashboards-logstash).
+
+
+## Load dashboards for Logstash output [load-dashboards-logstash]
+
+During dashboard loading, Packetbeat connects to Elasticsearch to check version information. To load dashboards when the Logstash output is enabled, you need to temporarily disable the Logstash output and enable Elasticsearch. To connect to a secured Elasticsearch cluster, you also need to pass Elasticsearch credentials.
+
+::::{tip}
+The example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/packetbeat/keystore.md).
+::::
+
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+packetbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=packetbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+packetbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=packetbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+./packetbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=packetbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} Linux
+```sh
+./packetbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=packetbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} Docker
+```sh
+docker run --rm --net="host" docker.elastic.co/beats/packetbeat:9.0.0-beta1 setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=packetbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} Windows
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Packetbeat, and run:
+
+```sh
+PS > .\packetbeat.exe setup -e `
+  -E output.logstash.enabled=false `
+  -E output.elasticsearch.hosts=['localhost:9200'] `
+  -E output.elasticsearch.username=packetbeat_internal `
+  -E output.elasticsearch.password={pwd} `
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+:::::::
diff --git a/docs/reference/packetbeat/logstash-output.md b/docs/reference/packetbeat/logstash-output.md
new file mode 100644
index 000000000000..138fb411f883
--- /dev/null
+++ b/docs/reference/packetbeat/logstash-output.md
@@ -0,0 +1,245 @@
+---
+navigation_title: "Logstash"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/logstash-output.html
+---
+
+# Configure the Logstash output [logstash-output]
+
+
+The {{ls}} output sends events directly to {{ls}} by using the lumberjack protocol, which runs over TCP. {{ls}} allows for additional processing and routing of generated events.
+
+::::{admonition} Prerequisite
+:class: important
+
+To send events to {{ls}}, you also need to create a {{ls}} configuration pipeline that listens for incoming Beats connections and indexes the received events into {{es}}. For more information, see [Getting Started with {{ls}}](logstash://reference/getting-started-with-logstash.md). Also see the documentation for the [{{beats}} input](logstash://reference/plugins-inputs-beats.md) and [{{es}} output](logstash://reference/plugins-outputs-elasticsearch.md) plugins.
+::::
+
+
+If you want to use {{ls}} to perform additional processing on the data collected by Packetbeat, you need to configure Packetbeat to use {{ls}}.
+
+To do this, edit the Packetbeat configuration file to disable the {{es}} output by commenting it out and enable the {{ls}} output by uncommenting the {{ls}} section:
+
+```yaml
+output.logstash:
+  hosts: ["127.0.0.1:5044"]
+```
+
+The `hosts` option specifies the {{ls}} server and the port (`5044`) where {{ls}} is configured to listen for incoming Beats connections.
+
+For this configuration, you must [load the index template into {{es}} manually](/reference/packetbeat/packetbeat-template.md#load-template-manually) because the options for auto loading the template are only available for the {{es}} output.
+
+## Accessing metadata fields [_accessing_metadata_fields]
+
+Every event sent to {{ls}} contains the following metadata fields that you can use in {{ls}} for indexing and filtering:
+
+```json
+{
+    ...
+    "@metadata": { <1>
+      "beat": "packetbeat", <2>
+      "version": "9.0.0-beta1" <3>
+    }
+}
+```
+
+1. Packetbeat uses the `@metadata` field to send metadata to {{ls}}. See the [{{ls}} documentation](logstash://reference/event-dependent-configuration.md#metadata) for more about the `@metadata` field.
+2. The default is packetbeat. To change this value, set the [`index`](#logstash-index) option in the Packetbeat config file.
+3. The current version of Packetbeat.
+
+
+You can access this metadata from within the {{ls}} config file to set values dynamically based on the contents of the metadata.
+
+For example, the following {{ls}} configuration file tells {{ls}} to use the index reported by Packetbeat for indexing events into {{es}}:
+
+```json
+input {
+  beats {
+    port => 5044
+  }
+}
+
+output {
+  elasticsearch {
+    hosts => ["http://localhost:9200"]
+    index => "%{[@metadata][beat]}-%{[@metadata][version]}" <1>
+    action => "create"
+  }
+}
+```
+
+1. `%{[@metadata][beat]}` sets the first part of the index name to the value of the `beat` metadata field and `%{[@metadata][version]}` sets the second part to the Beat’s version. For example: `packetbeat-9.0.0-beta1`.
+
+
+Events indexed into {{es}} with the {{ls}} configuration shown here will be similar to events directly indexed by Packetbeat into {{es}}.
+
+::::{note}
+If ILM is not being used, set `index` to `%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so {{ls}} creates an index per day, based on the `@timestamp` value of the events coming from Beats.
+::::
+
+
+
+## Compatibility [_compatibility_2]
+
+This output works with all compatible versions of {{ls}}. See the [Elastic Support Matrix](https://www.elastic.co/support/matrix#matrix_compatibility).
+
+
+## Configuration options [_configuration_options_17]
+
+You can specify the following options in the `logstash` section of the `packetbeat.yml` config file:
+
+### `enabled` [_enabled_5]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [hosts]
+
+The list of known {{ls}} servers to connect to. If load balancing is disabled, but multiple hosts are configured, one host is selected randomly (there is no precedence). If one host becomes unreachable, another one is selected randomly.
+
+All entries in this list can contain a port number. The default port number 5044 will be used if no number is given.
+
+
+### `compression_level` [_compression_level]
+
+The gzip compression level. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the CPU usage.
+
+The default value is 3.
+
+
+### `escape_html` [_escape_html_2]
+
+Configure escaping of HTML in strings. Set to `true` to enable escaping.
+
+The default value is `false`.
+
+
+### `worker` or `workers` [_worker_or_workers]
+
+The number of workers per configured host publishing events to {{ls}}. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+
+### `loadbalance` [loadbalance]
+
+When `loadbalance: true` is set, Packetbeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Packetbeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Packetbeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Packetbeat can connect to at least one of its configured hosts. To rotate through the list of configured hosts over time, use this option in conjunction with the `ttl` setting to close the connection at the configured interval and choose a new target host.
+
+The default value is `false`.
+
+```yaml
+output.logstash:
+  hosts: ["localhost:5044", "localhost:5045"]
+  loadbalance: true
+  index: packetbeat
+```
+
+
+### `ttl` [_ttl]
+
+Time to live for a connection to {{ls}} after which the connection will be re-established. Useful when {{ls}} hosts represent load balancers. Since the connections to {{ls}} hosts are sticky, operating behind load balancers can lead to uneven load distribution between the instances. Specifying a TTL on the connection allows to achieve equal connection distribution between the instances.  Specifying a TTL of 0 will disable this feature.
+
+The default value is 0. This setting accepts [duration](/reference/libbeat/config-file-format-type.md#_duration) data type values.
+
+::::{note}
+The "ttl" option is not yet supported on an async {{ls}} client (one with the "pipelining" option set).
+::::
+
+
+
+### `pipelining` [_pipelining]
+
+Configures the number of batches to be sent asynchronously to {{ls}} while waiting for ACK from {{ls}}. Output only becomes blocking once number of `pipelining` batches have been written. Pipelining is disabled if a value of 0 is configured. The default value is 2.
+
+
+### `proxy_url` [_proxy_url_2]
+
+The URL of the SOCKS5 proxy to use when connecting to the {{ls}} servers. The value must be a URL with a scheme of `socks5://`. The protocol used to communicate to {{ls}} is not based on HTTP so a web-proxy cannot be used.
+
+If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL as shown in the example.
+
+When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the [`proxy_use_local_resolver`](#logstash-proxy-use-local-resolver) option.
+
+```yaml
+output.logstash:
+  hosts: ["remote-host:5044"]
+  proxy_url: socks5://user:password@socks5-proxy:2233
+```
+
+
+### `proxy_use_local_resolver` [logstash-proxy-use-local-resolver]
+
+The `proxy_use_local_resolver` option determines if {{ls}} hostnames are resolved locally when using a proxy. The default value is false, which means that when a proxy is used the name resolution occurs on the proxy server.
+
+
+### `index` [logstash-index]
+
+The index root name to write events to. The default is the Beat name. For example `"packetbeat"` generates `"[packetbeat-]9.0.0-beta1-YYYY.MM.DD"` indices (for example, `"packetbeat-9.0.0-beta1-2017.04.26"`).
+
+::::{note}
+This parameter’s value will be assigned to the `metadata.beat` field. It can then be accessed in {{ls}}'s output section as `%{[@metadata][beat]}`.
+::::
+
+
+
+### `ssl` [_ssl_2]
+
+Configuration options for SSL parameters like the root CA for {{ls}} connections. See [SSL](/reference/packetbeat/configuration-ssl.md) for more information. To use SSL, you must also configure the [Beats input plugin for Logstash](logstash://reference/plugins-inputs-beats.md) to use SSL/TLS.
+
+
+### `timeout` [_timeout_3]
+
+The number of seconds to wait for responses from the {{ls}} server before timing out. The default is 30 (seconds).
+
+
+### `max_retries` [_max_retries_2]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `bulk_max_size` [_bulk_max_size]
+
+The maximum number of events to bulk in a single {{ls}} request. The default is 2048.
+
+Events can be collected into batches. Packetbeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `slow_start` [_slow_start]
+
+If enabled, only a subset of events in a batch of events is transferred per transaction. The number of events to be sent increases up to `bulk_max_size` if no error is encountered. On error, the number of events per transaction is reduced again.
+
+The default is `false`.
+
+
+### `backoff.init` [_backoff_init]
+
+The number of seconds to wait before trying to reconnect to {{ls}} after a network error. After waiting `backoff.init` seconds, Packetbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max]
+
+The maximum number of seconds to wait before attempting to connect to {{ls}} after a network error. The default is 60s.
+
+
+### `queue` [_queue_2]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/packetbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `packetbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/packetbeat/madvdontneed-rss.md b/docs/reference/packetbeat/madvdontneed-rss.md
new file mode 100644
index 000000000000..03fc78dc9e55
--- /dev/null
+++ b/docs/reference/packetbeat/madvdontneed-rss.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/madvdontneed-rss.html
+---
+
+# High RSS memory usage due to MADV settings [madvdontneed-rss]
+
+In versions of Packetbeat prior to 7.10.2, the go runtime defaults to `MADV_FREE` by default. In some cases, this can lead to high RSS memory usage while the kernel waits to reclaim any pages assigned to Packetbeat. On versions prior to 7.10.2, set the `GODEBUG="madvdontneed=1"` environment variable if you run into RSS usage issues.
+
diff --git a/docs/reference/packetbeat/metadata-missing.md b/docs/reference/packetbeat/metadata-missing.md
new file mode 100644
index 000000000000..393dbe11a939
--- /dev/null
+++ b/docs/reference/packetbeat/metadata-missing.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/metadata-missing.html
+---
+
+# @metadata is missing in Logstash [metadata-missing]
+
+{{ls}} outputs remove `@metadata` fields automatically. Therefore, if {{ls}} instances are chained directly or via some message queue (for example, Redis or Kafka), the `@metadata` field will not be available in the final {{ls}} instance.
+
+::::{tip}
+To preserve `@metadata` fields, use the {{ls}} mutate filter with the rename setting to rename the fields to non-internal fields.
+::::
+
+
diff --git a/docs/reference/packetbeat/monitoring-internal-collection.md b/docs/reference/packetbeat/monitoring-internal-collection.md
new file mode 100644
index 000000000000..d9b61c74f031
--- /dev/null
+++ b/docs/reference/packetbeat/monitoring-internal-collection.md
@@ -0,0 +1,73 @@
+---
+navigation_title: "Use internal collection"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/monitoring-internal-collection.html
+---
+
+# Use internal collection to send monitoring data [monitoring-internal-collection]
+
+
+Use internal collectors to send {{beats}} monitoring data directly to your monitoring cluster. Or as an alternative to internal collection, use [Use {{metricbeat}} collection](/reference/packetbeat/monitoring-metricbeat-collection.md). The benefit of using internal collection instead of {{metricbeat}} is that you have fewer pieces of software to install and maintain.
+
+1. Create an API key or user that has appropriate authority to send system-level monitoring data to {{es}}. For example, you can use the built-in `beats_system` user or assign the built-in `beats_system` role to another user. For more information on the required privileges, see [Create a *monitoring* user](/reference/packetbeat/privileges-to-publish-monitoring.md). For more information on how to use API keys, see [*Grant access using API keys*](/reference/packetbeat/beats-api-keys.md).
+2. Add the `monitoring` settings in the Packetbeat configuration file. If you configured the {{es}} output and want to send Packetbeat monitoring events to the same {{es}} cluster, specify the following minimal configuration:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      elasticsearch:
+        api_key:  id:api_key <1>
+        username: beats_system
+        password: somepassword
+    ```
+
+    1. Specify one of `api_key` or `username`/`password`.
+
+
+    If you want to send monitoring events to an [{{ecloud}}](https://cloud.elastic.co/) monitoring cluster, you can use two simpler settings. When defined, these settings overwrite settings from other parts in the configuration. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cloud.id: 'staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=='
+      cloud.auth: 'elastic:{pwd}'
+    ```
+
+    If you configured a different output, such as {{ls}} or you want to send Packetbeat monitoring events to a separate {{es}} cluster (referred to as the *monitoring cluster*), you must specify additional configuration options. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cluster_uuid: PRODUCTION_ES_CLUSTER_UUID <1>
+      elasticsearch:
+        hosts: ["https://example.com:9200", "https://example2.com:9200"] <2>
+        api_key:  id:api_key <3>
+        username: beats_system
+        password: somepassword
+    ```
+
+    1. This setting identifies the {{es}} cluster under which the monitoring data for this Packetbeat instance will appear in the Stack Monitoring UI. To get a cluster’s `cluster_uuid`, call the `GET /` API against that production cluster.
+    2. This setting identifies the hosts and port numbers of {{es}} nodes that are part of the monitoring cluster.
+    3. Specify one of `api_key` or `username`/`password`.
+
+
+    If you want to use PKI authentication to send monitoring events to {{es}}, you must specify a different set of configuration options. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cluster_uuid: PRODUCTION_ES_CLUSTER_UUID
+      elasticsearch:
+        hosts: ["https://example.com:9200", "https://example2.com:9200"]
+        username: ""
+        ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+        ssl.certificate: "/etc/pki/client/cert.pem"
+        ssl.key: "/etc/pki/client/cert.key"
+    ```
+
+    You must specify the `username` as `""` explicitly so that the username from the client certificate (`CN`) is used. See [SSL](/reference/packetbeat/configuration-ssl.md) for more information about SSL settings.
+
+3. Start Packetbeat.
+4. [View the monitoring data in {{kib}}](docs-content://deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md).
+
+
diff --git a/docs/reference/packetbeat/monitoring-metricbeat-collection.md b/docs/reference/packetbeat/monitoring-metricbeat-collection.md
new file mode 100644
index 000000000000..8ac66c69dd57
--- /dev/null
+++ b/docs/reference/packetbeat/monitoring-metricbeat-collection.md
@@ -0,0 +1,163 @@
+---
+navigation_title: "Use {{metricbeat}} collection"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/monitoring-metricbeat-collection.html
+---
+
+# Use {{metricbeat}} to send monitoring data [monitoring-metricbeat-collection]
+
+
+In 7.3 and later, you can use {{metricbeat}} to collect data about Packetbeat and ship it to the monitoring cluster. The benefit of using {{metricbeat}} instead of internal collection is that the monitoring agent remains active even if the Packetbeat instance dies.
+
+To collect and ship monitoring data:
+
+1. [Configure the shipper you want to monitor](#configure-shipper)
+2. [Install and configure {{metricbeat}} to collect monitoring data](#configure-metricbeat)
+
+
+## Configure the shipper you want to monitor [configure-shipper]
+
+1. Enable the HTTP endpoint to allow external collection of monitoring data:
+
+    Add the following setting in the Packetbeat configuration file (`packetbeat.yml`):
+
+    ```yaml
+    http.enabled: true
+    ```
+
+    By default, metrics are exposed on port 5066. If you need to monitor multiple {{beats}} shippers running on the same server, set `http.port` to expose metrics for each shipper on a different port number:
+
+    ```yaml
+    http.port: 5067
+    ```
+
+2. Disable the default collection of Packetbeat monitoring metrics.<br>
+
+    Add the following setting in the Packetbeat configuration file (`packetbeat.yml`):
+
+    ```yaml
+    monitoring.enabled: false
+    ```
+
+    For more information, see [Monitoring configuration options](/reference/packetbeat/configuration-monitor.md).
+
+3. Configure host (optional).<br>
+
+    If you intend to get metrics using {{metricbeat}} installed on another server, you need to bind the Packetbeat to host’s IP:
+
+    ```yaml
+    http.host: xxx.xxx.xxx.xxx
+    ```
+
+4. Configure cluster UUID.<br>
+
+    The cluster UUID is necessary if you want to see {{beats}} monitoring in the {{kib}} stack monitoring view. The monitoring data will be grouped under the cluster for that UUID. To associate Packetbeat with the cluster UUID, set:
+
+    ```yaml
+    monitoring.cluster_uuid: "cluster-uuid"
+    ```
+
+5. Start Packetbeat.
+
+
+## Install and configure {{metricbeat}} to collect monitoring data [configure-metricbeat]
+
+1. Install {{metricbeat}} on the same server as Packetbeat. To learn how, see [Get started with {{metricbeat}}](/reference/metricbeat/metricbeat-installation-configuration.md). If you already have {{metricbeat}} installed on the server, skip this step.
+2. Enable the `beat-xpack` module in {{metricbeat}}.<br>
+
+    For example, to enable the default configuration in the `modules.d` directory, run the following command, using the correct command syntax for your OS:
+
+    ```sh
+    metricbeat modules enable beat-xpack
+    ```
+
+    For more information, see [Configure modules](/reference/metricbeat/configuration-metricbeat.md) and [beat module](/reference/metricbeat/metricbeat-module-beat.md).
+
+3. Configure the `beat-xpack` module in {{metricbeat}}.<br>
+
+    The `modules.d/beat-xpack.yml` file contains the following settings:
+
+    ```yaml
+    - module: beat
+      metricsets:
+        - stats
+        - state
+      period: 10s
+      hosts: ["http://localhost:5066"]
+      #username: "user"
+      #password: "secret"
+      xpack.enabled: true
+    ```
+
+    Set the `hosts`, `username`, and `password` settings as required by your environment. For other module settings, it’s recommended that you accept the defaults.
+
+    By default, the module collects Packetbeat monitoring data from `localhost:5066`. If you exposed the metrics on a different host or port when you enabled the HTTP endpoint, update the `hosts` setting.
+
+    To monitor multiple {{beats}} agents, specify a list of hosts, for example:
+
+    ```yaml
+    hosts: ["http://localhost:5066","http://localhost:5067","http://localhost:5068"]
+    ```
+
+    If you configured Packetbeat to use encrypted communications, you must access it via HTTPS. For example, use a `hosts` setting like `https://localhost:5066`.
+
+    If the Elastic {{security-features}} are enabled, you must also provide a user ID and password so that {{metricbeat}} can collect metrics successfully:
+
+    1. Create a user on the {{es}} cluster that has the `remote_monitoring_collector` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md).
+    2. Add the `username` and `password` settings to the beat module configuration file.
+
+4. Optional: Disable the system module in the {{metricbeat}}.
+
+    By default, the [system module](/reference/metricbeat/metricbeat-module-system.md) is enabled. The information it collects, however, is not shown on the **Stack Monitoring** page in {{kib}}. Unless you want to use that information for other purposes, run the following command:
+
+    ```sh
+    metricbeat modules disable system
+    ```
+
+5. Identify where to send the monitoring data.<br>
+
+    ::::{tip}
+    In production environments, we strongly recommend using a separate cluster (referred to as the *monitoring cluster*) to store the data. Using a separate monitoring cluster prevents production cluster outages from impacting your ability to access your monitoring data. It also prevents monitoring activities from impacting the performance of your production cluster.
+    ::::
+
+
+    For example, specify the {{es}} output information in the {{metricbeat}} configuration file (`metricbeat.yml`):
+
+    ```yaml
+    output.elasticsearch:
+      # Array of hosts to connect to.
+      hosts: ["http://es-mon-1:9200", "http://es-mon2:9200"] <1>
+
+      # Optional protocol and basic auth credentials.
+      #protocol: "https"
+      #api_key:  "id:api_key" <2>
+      #username: "elastic"
+      #password: "changeme"
+    ```
+
+    1. In this example, the data is stored on a monitoring cluster with nodes `es-mon-1` and `es-mon-2`.
+    2. Specify one of `api_key` or `username`/`password`.
+
+
+    If you configured the monitoring cluster to use encrypted communications, you must access it via HTTPS. For example, use a `hosts` setting like `https://es-mon-1:9200`.
+
+    ::::{important}
+    The {{es}} {{monitor-features}} use ingest pipelines. The cluster that stores the monitoring data must have at least one node with the `ingest` role.
+    ::::
+
+
+    If the {{es}} {{security-features}} are enabled on the monitoring cluster, you must provide a valid user ID and password so that {{metricbeat}} can send metrics successfully:
+
+    1. Create a user on the monitoring cluster that has the `remote_monitoring_agent` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md).
+
+        ::::{tip}
+        If you’re using index lifecycle management, the remote monitoring user requires additional privileges to create and read indices. For more information, see [*Grant users access to secured resources*](/reference/packetbeat/feature-roles.md).
+        ::::
+
+    2. Add the `username` and `password` settings to the {{es}} output information in the {{metricbeat}} configuration file.
+
+    For more information about these configuration options, see [Configure the {{es}} output](/reference/metricbeat/elasticsearch-output.md).
+
+6. [Start {{metricbeat}}](/reference/metricbeat/metricbeat-starting.md) to begin collecting monitoring data.
+7. [View the monitoring data in {{kib}}](docs-content://deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md).
+
diff --git a/docs/reference/packetbeat/monitoring-shows-fewer-than-expected-beats.md b/docs/reference/packetbeat/monitoring-shows-fewer-than-expected-beats.md
new file mode 100644
index 000000000000..4791f5eb1679
--- /dev/null
+++ b/docs/reference/packetbeat/monitoring-shows-fewer-than-expected-beats.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/monitoring-shows-fewer-than-expected-beats.html
+---
+
+# Monitoring UI shows fewer Beats than expected [monitoring-shows-fewer-than-expected-beats]
+
+If you are running multiple Beat instances on the same host, make sure they each have a distinct `path.data` value.
+
diff --git a/docs/reference/packetbeat/monitoring.md b/docs/reference/packetbeat/monitoring.md
new file mode 100644
index 000000000000..2d42fe1d7405
--- /dev/null
+++ b/docs/reference/packetbeat/monitoring.md
@@ -0,0 +1,16 @@
+---
+navigation_title: "Monitor"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/monitoring.html
+---
+
+# Monitor Packetbeat [monitoring]
+
+
+You can use the {{stack}} {{monitor-features}} to gain insight into the health of Packetbeat instances running in your environment.
+
+To monitor Packetbeat, make sure monitoring is enabled on your {{es}} cluster, then configure the method used to collect Packetbeat metrics. You can use one of following methods:
+
+* [Internal collection](/reference/packetbeat/monitoring-internal-collection.md) - Internal collectors send monitoring data directly to your monitoring cluster.
+* [{{metricbeat}} collection](/reference/packetbeat/monitoring-metricbeat-collection.md) - {{metricbeat}} collects monitoring data from your Packetbeat instance and sends it directly to your monitoring cluster.
+
diff --git a/docs/reference/packetbeat/move-fields.md b/docs/reference/packetbeat/move-fields.md
new file mode 100644
index 000000000000..a434fd8fef8d
--- /dev/null
+++ b/docs/reference/packetbeat/move-fields.md
@@ -0,0 +1,93 @@
+---
+navigation_title: "move_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/move-fields.html
+---
+
+# Move fields [move-fields]
+
+
+The `move_fields` processor moves event fields from one object into another. It can also rearrange fields or add a prefix to fields.
+
+The processor extracts fields from `from`, then uses `fields` and `exclude` as filters to choose which fields to move into the `to` field.
+
+For example, given the following event:
+
+```json
+{
+  "app": {
+    "method": "a",
+    "elapsed_time": 100,
+    "user_id": 100,
+    "message": "i'm a message"
+  }
+}
+```
+
+To move `method` and `elapsed_time` into another object, use this configuration:
+
+```yaml
+processors:
+  - move_fields:
+      from: "app"
+      fields: ["method", "elapsed_time"],
+      to: "rpc."
+```
+
+Your final event will be:
+
+```json
+{
+  "app": {
+    "user_id": 100,
+    "message": "i'm a message",
+    "rpc": {
+      "method": "a",
+      "elapsed_time": 100
+    }
+  }
+}
+```
+
+To add a prefix to the whole event:
+
+```json
+{
+  "app": { "method": "a"},
+  "cost": 100
+}
+```
+
+Use this configuration:
+
+```yaml
+processors:
+  - move_fields:
+      to: "my_prefix_"
+```
+
+Your final event will be:
+
+```json
+{
+  "my_prefix_app": { "method": "a"},
+  "my_prefix_cost": 100
+}
+```
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `from` | no |  | Which field you want extract. This field and any nested fields will be moved into `to` unless they are filtered out. If empty, indicates event root. |  |
+| `fields` | no |  | Which fields to extract from `from` and move to `to`. An empty list indicates all fields. |  |
+| `ignore_missing` | no | false | Ignore "not found" errors when extracting fields. |  |
+| `exclude` | no |  | A list of fields to exclude and not move. |  |
+| `to` | yes |  | These fields extract from `from` destination field prefix the `to` will base on fields root. |  |
+
+```yaml
+processors:
+  - move_fields:
+      from: "app"
+      fields: [ "method", "elapsed_time" ]
+      to: "rpc."
+```
+
diff --git a/docs/reference/packetbeat/mysql-no-data.md b/docs/reference/packetbeat/mysql-no-data.md
new file mode 100644
index 000000000000..2952ba96a7cc
--- /dev/null
+++ b/docs/reference/packetbeat/mysql-no-data.md
@@ -0,0 +1,27 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/mysql-no-data.html
+---
+
+# Packetbeat isn���t capturing MySQL performance data [mysql-no-data]
+
+You may be listening on the wrong interface or trying to capture data sent over an encrypted connection. Packetbeat can only monitor MySQL traffic if it is unencrypted. To resolve your issue:
+
+* Make sure Packetbeat is configured to listen on the `lo0` interface:
+
+    ```shell
+    packetbeat.interfaces.device: lo0
+    ```
+
+* Make sure the client programs you are monitoring run `mysql` with SSL disabled. For example:
+
+    ```shell
+    mysql --protocol tcp --host=127.0.0.1 --port=3306 --ssl-mode=DISABLED
+    ```
+
+
+::::{important}
+When SSL is disabled, the connection between the MySQL client and server is unencrypted, which means that anyone with access to your network may be able to inspect data sent between the client and server. If MySQL is running in an untrusted network, it’s not advisable to disable encryption.
+::::
+
+
diff --git a/docs/reference/packetbeat/packetbeat-amqp-options.md b/docs/reference/packetbeat/packetbeat-amqp-options.md
new file mode 100644
index 000000000000..6fd8b549b0c7
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-amqp-options.md
@@ -0,0 +1,46 @@
+---
+navigation_title: "AMQP"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-amqp-options.html
+---
+
+# Capture AMQP traffic [packetbeat-amqp-options]
+
+
+The `amqp` section of the `packetbeat.yml` config file specifies configuration options for the AMQP 0.9.1 protocol. Here is a sample configuration:
+
+```yaml
+packetbeat.protocols:
+- type: amqp
+  ports: [5672]
+  max_body_length: 1000
+  parse_headers: true
+  parse_arguments: false
+  hide_connection_information: true
+```
+
+## Configuration options [_configuration_options_5]
+
+Also see [Common protocol options](/reference/packetbeat/common-protocol-options.md).
+
+### `max_body_length` [_max_body_length]
+
+The maximum size in bytes of the message displayed in the request or response fields. Messages that are bigger than the specified size are truncated. Use this option to avoid publishing huge messages when [`send_request`](/reference/packetbeat/common-protocol-options.md#send-request-option) or [`send_request`](/reference/packetbeat/common-protocol-options.md#send-request-option) is enabled. The default is 1000 bytes.
+
+
+### `parse_headers` [_parse_headers]
+
+If set to true, Packetbeat parses the additional arguments specified in the headers field of a message. Those arguments are key-value pairs that specify information such as the content type of the message or the message priority. The default is true.
+
+
+### `parse_arguments` [_parse_arguments]
+
+If set to true, Packetbeat parses the additional arguments specified in AMQP methods. Those arguments are key-value pairs specified by the user and can be of any length. The default is true.
+
+
+### `hide_connection_information` [_hide_connection_information]
+
+If set to false, the connection layer methods of the protocol are also displayed, such as the opening and closing of connections and channels by clients, or the quality of service negotiation. The default is true.
+
+
+
diff --git a/docs/reference/packetbeat/packetbeat-dns-options.md b/docs/reference/packetbeat/packetbeat-dns-options.md
new file mode 100644
index 000000000000..81f48df25288
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-dns-options.md
@@ -0,0 +1,34 @@
+---
+navigation_title: "DNS"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-dns-options.html
+---
+
+# Capture DNS traffic [packetbeat-dns-options]
+
+
+The `dns` section of the `packetbeat.yml` config file specifies configuration options for the DNS protocol. The DNS protocol supports processing DNS messages on TCP and UDP. Here is a sample configuration section for DNS:
+
+```yaml
+packetbeat.protocols:
+- type: dns
+  ports: [53]
+  include_authorities: true
+  include_additionals: true
+```
+
+## Configuration options [_configuration_options_3]
+
+Also see [Common protocol options](/reference/packetbeat/common-protocol-options.md).
+
+### `include_authorities` [_include_authorities]
+
+If this option is enabled, dns.authority fields (authority resource records) are added to DNS events. The default is false.
+
+
+### `include_additionals` [_include_additionals]
+
+If this option is enabled, dns.additionals fields (additional resource records) are added to DNS events. The default is false.
+
+
+
diff --git a/docs/reference/packetbeat/packetbeat-geoip.md b/docs/reference/packetbeat/packetbeat-geoip.md
new file mode 100644
index 000000000000..b995e066c635
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-geoip.md
@@ -0,0 +1,213 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-geoip.html
+---
+
+# Enrich events with geoIP information [packetbeat-geoip]
+
+::::{tip}
+To populate the client locations map in the Packetbeat dashboard, follow the steps in this section.
+::::
+
+
+You can use Packetbeat along with the [GeoIP Processor](elasticsearch://reference/ingestion-tools/enrich-processor/geoip-processor.md) in {{es}} to export geographic location information based on IP addresses. Then you can use this information to visualize the location of IP addresses on a map in {{kib}}.
+
+The `geoip` processor adds information about the geographical location of IP addresses, based on data from the Maxmind GeoLite2 City Database. Because the processor uses a geoIP database that’s installed on {{es}}, you don’t need to install a geoIP database on the machines running Packetbeat.
+
+::::{note}
+If your use case involves using {{ls}}, you can use the [GeoIP filter](logstash://reference/plugins-filters-geoip.md) available in {{ls}} instead of using the `geoip` processor. However, using the `geoip` processor is the simplest approach when you don’t require the additional processing power of {{ls}}.
+::::
+
+
+
+## Configure the `geoip` processor [packetbeat-configuring-geoip]
+
+To configure Packetbeat and the `geoip` processor:
+
+1. Define an ingest pipeline that uses one or more `geoip` processors to add location information to the event. For example, you can use the Console in {{kib}} to create the following pipeline:
+
+    ```console
+    PUT _ingest/pipeline/geoip-info
+    {
+      "description": "Add geoip info",
+      "processors": [
+        {
+          "geoip": {
+            "field": "client.ip",
+            "target_field": "client.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "client.ip",
+            "target_field": "client.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "source.ip",
+            "target_field": "source.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "source.ip",
+            "target_field": "source.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "destination.ip",
+            "target_field": "destination.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "destination.ip",
+            "target_field": "destination.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "server.ip",
+            "target_field": "server.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "server.ip",
+            "target_field": "server.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "host.ip",
+            "target_field": "host.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "server.as.asn",
+            "target_field": "server.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "server.as.organization_name",
+            "target_field": "server.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "client.as.asn",
+            "target_field": "client.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "client.as.organization_name",
+            "target_field": "client.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "source.as.asn",
+            "target_field": "source.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "source.as.organization_name",
+            "target_field": "source.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "destination.as.asn",
+            "target_field": "destination.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "destination.as.organization_name",
+            "target_field": "destination.as.organization.name",
+            "ignore_missing": true
+          }
+        }
+      ]
+    }
+    ```
+
+    In this example, the pipeline ID is `geoip-info`. `field` specifies the field that contains the IP address to use for the geographical lookup, and `target_field` is the field that will hold the geographical information. `"ignore_missing": true` configures the pipeline to continue processing when it encounters an event that doesn’t have the specified field.
+
+    See [GeoIP Processor](elasticsearch://reference/ingestion-tools/enrich-processor/geoip-processor.md) for more options.
+
+    To learn more about adding host information to an event, see [add_host_metadata](/reference/packetbeat/add-host-metadata.md).
+
+2. In the Packetbeat config file, configure the {{es}} output to use the pipeline. Specify the pipeline ID in the `pipeline` option under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["localhost:9200"]
+      pipeline: geoip-info
+    ```
+
+3. Run Packetbeat. Remember to use `sudo` if the config file is owned by root.
+
+    ```sh
+    ./packetbeat -e
+    ```
+
+    If the lookups succeed, the events are enriched with `geo_point` fields, such as `client.geo.location` and `host.geo.location`, that you can use to populate visualizations in {{kib}}.
+
+
+As a convenience, the Packetbeat index template already has mappings defined for `client.geo.location`, `source.geo.location`, `destination.geo.location`, `server.geo.location`, and `host.geo.location`. The mappings ensure that each field, when it exists, gets indexed as a `geo_point`.
+
+If you add a field that’s not already defined as a `geo_point` in the index template, add a mapping so the field gets indexed correctly.
+
+
+## Visualize locations [packetbeat-visualizing-location]
+
+To visualize the location of IP addresses, you can [set up the example {{kib}} dashboards](/reference/packetbeat/load-kibana-dashboards.md) (if you haven’t already), or create a new [coordinate map](docs-content://explore-analyze/visualize/maps.md) in {{kib}} and select the location field, for example `client.geo.location` or `host.geo.location`, as the Geohash.
+
+:::{image} images/coordinate-map.png
+:alt: Coordinate map in {kib}
+:class: screenshot
+:::
+
diff --git a/docs/reference/packetbeat/packetbeat-http-options.md b/docs/reference/packetbeat/packetbeat-http-options.md
new file mode 100644
index 000000000000..f38b046b72ca
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-http-options.md
@@ -0,0 +1,123 @@
+---
+navigation_title: "HTTP"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html
+---
+
+# Capture HTTP traffic [packetbeat-http-options]
+
+
+The HTTP protocol has several specific configuration options. Here is a sample configuration for the `http` section of the `packetbeat.yml` config file:
+
+```yaml
+packetbeat.protocols:
+- type: http
+  ports: [80, 8080, 8000, 5000, 8002]
+  hide_keywords: ["pass", "password", "passwd"]
+  send_headers: ["User-Agent", "Cookie", "Set-Cookie"]
+  split_cookie: true
+  real_ip_header: "X-Forwarded-For"
+```
+
+## Configuration options [_configuration_options_4]
+
+Also see [Common protocol options](/reference/packetbeat/common-protocol-options.md).
+
+### `hide_keywords` [_hide_keywords]
+
+A list of query parameters that Packetbeat will automatically censor in the transactions that it saves. The values associated with these parameters are replaced by `'xxxxx'`. By default, no changes are made to the HTTP messages.
+
+Packetbeat has this option because, unlike SQL traffic, which typically only contains the hashes of the passwords, HTTP traffic may contain sensitive data. To reduce security risks, you can configure this option to avoid sending the contents of certain HTTP POST parameters.
+
+::::{warning}
+This option replaces query parameters from GET requests and top-level parameters from POST requests. If sensitive data is encoded inside a parameter that you don’t specify here, Packetbeat cannot censor it. Also, note that if you configure Packetbeat to save the raw request and response fields (see the [`send_request`](/reference/packetbeat/common-protocol-options.md#send-request-option) and the [`send_response`](/reference/packetbeat/common-protocol-options.md#send-response-option) options), sensitive data may be present in those fields.
+::::
+
+
+
+### `redact_authorization` [_redact_authorization]
+
+When this option is enabled, Packetbeat obscures the value of `Authorization` and `Proxy-Authorization` HTTP headers, and censors those strings in the response.
+
+You should set this option to true for transactions that use Basic Authentication because they may contain the base64 unencrypted username and password.
+
+
+### `send_headers` [_send_headers]
+
+A list of header names to capture and send to Elasticsearch. These headers are placed under the `headers` dictionary in the resulting JSON.
+
+
+### `send_all_headers` [_send_all_headers]
+
+Instead of sending a white list of headers to Elasticsearch, you can send all headers by setting this option to true. The default is false.
+
+
+### `redact_headers` [_redact_headers]
+
+A list of headers to redact if present in the HTTP request. This will keep the header field present, but will redact it’s value to show the header’s presence.
+
+
+### `include_body_for` [_include_body_for]
+
+The list of content types for which Packetbeat exports the full HTTP payload. The HTTP body is available under `http.request.body.content` and `http.response.body.content` for these Content-Types.
+
+In addition, if [`send_response`](/reference/packetbeat/common-protocol-options.md#send-response-option) option is enabled, then the HTTP body is exported together with the HTTP headers under `response` and if [`send_request`](/reference/packetbeat/common-protocol-options.md#send-request-option) enabled, then `request` contains the entire HTTP message including the body.
+
+In the following example, the HTML attachments of the HTTP responses are exported under the `response` field and under `http.request.body.content` or `http.response.body.content`:
+
+```yaml
+packetbeat.protocols:
+- type: http
+  ports: [80, 8080]
+  send_response: true
+  include_body_for: ["text/html"]
+```
+
+
+### `decode_body` [_decode_body]
+
+A boolean flag that controls decoding of HTTP payload. It interprets the `Content-Encoding` and `Transfer-Encoding` headers and uncompresses the entity body. Supported encodings are `gzip` and `deflate`. This option is only applicable in the cases where the HTTP payload is exported, that is, when one of the `include_*_body_for` options is specified or a POST request contains url-encoded parameters.
+
+
+### `split_cookie` [_split_cookie]
+
+If the `Cookie` or `Set-Cookie` headers are sent, this option controls whether they are split into individual values. For example, with this option set, an HTTP response might result in the following JSON:
+
+```json
+"response": {
+  "code": 200,
+  "headers": {
+    "connection": "close",
+    "content-language": "en",
+    "content-type": "text/html; charset=utf-8",
+    "date": "Fri, 21 Nov 2014 17:07:34 GMT",
+    "server": "gunicorn/19.1.1",
+    "set-cookie": { <1>
+      "csrftoken": "S9ZuJF8mvIMT5CL4T1Xqn32wkA6ZSeyf",
+      "expires": "Fri, 20-Nov-2015 17:07:34 GMT",
+      "max-age": "31449600",
+      "path": "/"
+    },
+    "vary": "Cookie, Accept-Language"
+  },
+  "status_phrase": "OK"
+}
+```
+
+1. Note that `set-cookie` is a map containing the cookie names as keys.
+
+
+The default is false.
+
+
+### `real_ip_header` [_real_ip_header]
+
+The header field to extract the real IP from. This setting is useful when you want to capture traffic behind a reverse proxy, but you want to get the geo-location information. If this header is present and contains a valid IP addresses, the information is used for the `network.forwarded_ip` field.
+
+
+### `max_message_size` [_max_message_size]
+
+If an individual HTTP message is larger than this setting (in bytes), it will be trimmed to this size. Unless this value is very small (<1.5K), Packetbeat is able to still correctly follow the transaction and create an event for it. The default is 10485760 (10 MB).
+
+
+
diff --git a/docs/reference/packetbeat/packetbeat-icmp-options.md b/docs/reference/packetbeat/packetbeat-icmp-options.md
new file mode 100644
index 000000000000..5cfc4ed4a1fd
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-icmp-options.md
@@ -0,0 +1,30 @@
+---
+navigation_title: "ICMP"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-icmp-options.html
+---
+
+# Capture ICMP traffic [packetbeat-icmp-options]
+
+
+The `icmp` section of the `packetbeat.yml` config file specifies options for the ICMP protocol. Here is a sample configuration section for ICMP:
+
+```yaml
+packetbeat.protocols:
+
+- type: icmp
+  enabled: true
+```
+
+## Configuration options [_configuration_options_2]
+
+Also see [Common protocol options](/reference/packetbeat/common-protocol-options.md).
+
+### `enabled` [_enabled_3]
+
+The ICMP protocol can be enabled/disabled via this option. The default is true.
+
+If enabled Packetbeat will generate the following BPF filter: `"icmp or icmp6"`.
+
+
+
diff --git a/docs/reference/packetbeat/packetbeat-installation-configuration.md b/docs/reference/packetbeat/packetbeat-installation-configuration.md
new file mode 100644
index 000000000000..606f3b3cdfc0
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-installation-configuration.md
@@ -0,0 +1,393 @@
+---
+navigation_title: "Quick start"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html
+---
+
+# Packetbeat quick start: installation and configuration [packetbeat-installation-configuration]
+
+
+The best way to understand the value of a network packet analytics system like Packetbeat is to try it on your own traffic.
+
+This guide describes how to get started quickly with network packets analytics. You’ll learn how to:
+
+* install Packetbeat on each system you want to monitor
+* specify the network devices and protocols to sniff
+* parse the packet data into fields and send it to {es}
+* visualize the packet data in {kib}
+
+:::{image} images/packetbeat-overview-dashboard.png
+:alt: Packetbeat Overview dashboard
+:class: screenshot
+:::
+
+
+## Before you begin [_before_you_begin]
+
+* You need {{es}} for storing and searching your data, and {{kib}} for visualizing and managing it.
+
+    :::::::{tab-set}
+
+::::::{tab-item} Elasticsearch Service
+To get started quickly, spin up a deployment of our [hosted {{ess}}](https://www.elastic.co/cloud/elasticsearch-service). The {{ess}} is available on AWS, GCP, and Azure. [Try it out for free](https://cloud.elastic.co/registration?page=docs&placement=docs-body).
+::::::
+
+::::::{tab-item} Self-managed
+To install and run {{es}} and {{kib}}, see [Installing the {{stack}}](docs-content://deploy-manage/deploy/self-managed/deploy-cluster.md).
+::::::
+
+::::::{tab-item} DEB
+```sh
+sudo apt-get install libpcap0.8
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+sudo yum install libpcap
+```
+::::::
+
+::::::{tab-item} MacOS
+You probably do not need to install libpcap.
+::::::
+
+::::::{tab-item} Linux
+You probably do not need to install libpcap.
+::::::
+
+::::::{tab-item} Windows
+You probably do not need to install libpcap. The default distribution of {{packetbeat}} for Windows comes bundled with the Npcap library.
+
+    For the OSS-only distribution, you must download and install a packet sniffing library, such as [Npcap](https://nmap.org/npcap/), that implements the [libpcap](https://github.com/the-tcpdump-group/libpcap) interfaces.
+
+    If you use Npcap, make sure you install it in WinPcap API-compatible mode. If you plan to capture traffic from the loopback device (127.0.0.1 traffic), also select the option to support loopback traffic.
+::::::
+
+::::::{tab-item} DEB
+Version 9.0.0-beta1 of Packetbeat has not yet been released.
+::::::
+
+::::::{tab-item} RPM
+Version 9.0.0-beta1 of Packetbeat has not yet been released.
+::::::
+
+::::::{tab-item} MacOS
+Version 9.0.0-beta1 of Packetbeat has not yet been released.
+::::::
+
+::::::{tab-item} Linux
+Version 9.0.0-beta1 of Packetbeat has not yet been released.
+::::::
+
+::::::{tab-item} Windows
+Version 9.0.0-beta1 of Packetbeat has not yet been released.
+::::::
+
+:::::::
+The commands shown are for AMD platforms, but ARM packages are also available. Refer to the [download page](https://www.elastic.co/downloads/beats/packetbeat) for the full list of available packages.
+
+
+### Other installation options [other-installation-options]
+
+* [APT or YUM](/reference/packetbeat/setup-repositories.md)
+* [Download page](https://www.elastic.co/downloads/beats/packetbeat)
+* [Docker](/reference/packetbeat/running-on-docker.md)
+
+
+## Step 2: Connect to the {{stack}} [set-connection]
+
+Connections to {{es}} and {{kib}} are required to set up Packetbeat.
+
+Set the connection information in `packetbeat.yml`. To locate this configuration file, see [Directory layout](/reference/packetbeat/directory-layout.md).
+
+:::::::{tab-set}
+
+::::::{tab-item} Elasticsearch Service
+Specify the [cloud.id](/reference/packetbeat/configure-cloud-id.md) of your {{ess}}, and set [cloud.auth](/reference/packetbeat/configure-cloud-id.md) to a user who is authorized to set up Packetbeat. For example:
+
+```yaml
+cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
+cloud.auth: "packetbeat_setup:{pwd}" <1>
+```
+
+1. This examples shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/packetbeat/keystore.md).
+::::::
+
+::::::{tab-item} Self-managed
+1. Set the host and port where Packetbeat can find the {{es}} installation, and set the username and password of a user who is authorized to set up Packetbeat. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      username: "packetbeat_internal"
+      password: "{pwd}" <1>
+      ssl:
+        enabled: true
+        ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c" <2>
+    ```
+
+    1. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/packetbeat/keystore.md).
+    2. This example shows a hard-coded fingerprint, but you should store sensitive values in the [secrets keystore](/reference/packetbeat/keystore.md). The fingerprint is a HEX encoded SHA-256 of a CA certificate, when you start {{es}} for the first time, security features such as network encryption (TLS) for {{es}} are enabled by default. If you are using the self-signed certificate generated by {{es}} when it is started for the first time, you will need to add its fingerprint here. The fingerprint is printed on {{es}} start up logs, or you can refer to [connect clients to {{es}} documentation](docs-content://deploy-manage/security/security-certificates-keys.md#_connect_clients_to_es_5) for other options on retrieving it. If you are providing your own SSL certificate to {{es}} refer to [Packetbeat documentation on how to setup SSL](/reference/packetbeat/configuration-ssl.md#ssl-client-config).
+
+2. If you plan to use our pre-built {{kib}} dashboards, configure the {{kib}} endpoint. Skip this step if {{kib}} is running on the same host as {{es}}.
+
+    ```yaml
+      setup.kibana:
+        host: "mykibanahost:5601" <1>
+        username: "my_kibana_user" <2> <3>
+        password: "{pwd}"
+    ```
+
+    1. The hostname and port of the machine where {{kib}} is running, for example, `mykibanahost:5601`. If you specify a path after the port number, include the scheme and port: `http://mykibanahost:5601/path`.
+    2. The `username` and `password` settings for {{kib}} are optional. If you don’t specify credentials for {{kib}}, Packetbeat uses the `username` and `password` specified for the {{es}} output.
+    3. To use the pre-built {{kib}} dashboards, this user must be authorized to view dashboards or have the `kibana_admin` [built-in role](elasticsearch://reference/elasticsearch/roles.md).
+::::::
+
+:::::::
+To learn more about required roles and privileges, see [*Grant users access to secured resources*](/reference/packetbeat/feature-roles.md).
+
+::::{note}
+You can send data to other [outputs](/reference/packetbeat/configuring-output.md), such as {{ls}}, but that requires additional configuration and setup.
+::::
+
+
+
+## Step 3: Configure sniffing [configuration]
+
+In `packetbeat.yml`, configure the network devices and protocols to capture traffic from.
+
+1. Set the sniffer type. By default, Packetbeat uses `pcap`, which uses the libpcap library and works on most platforms.
+
+    On Linux, set the sniffer type to `af_packet` to use memory-mapped sniffing. This option is faster than libpcap and doesn’t require a kernel module, but it’s Linux-specific:
+
+    ```yaml
+    packetbeat.interfaces.type: af_packet
+    ```
+
+2. Specify the network device to capture traffic from. For example:
+
+    ```yaml
+    packetbeat.interfaces.device: eth0
+    ```
+
+    ::::{tip}
+    On Linux, specify `packetbeat.interfaces.device: any` to capture all messages sent or received by the server where Packetbeat is installed. The `any` setting does not work on macOS.
+
+    ::::
+
+
+    To see a list of available devices, run:
+
+    :::::::{tab-set}
+
+::::::{tab-item} DEB
+```shell
+    packetbeat devices
+    ```
+::::::
+
+::::::{tab-item} RPM
+```shell
+    packetbeat devices
+    ```
+::::::
+
+::::::{tab-item} MacOS
+```shell
+    ./packetbeat devices
+    ```
+::::::
+
+::::::{tab-item} Linux
+```shell
+    ./packetbeat devices
+    ```
+::::::
+
+::::::{tab-item} Windows
+```shell
+    PS C:\Program Files\Packetbeat> .\packetbeat.exe devices
+
+    0: \Device\NPF_{113535AD-934A-452E-8D5F-3004797DE286} (Intel(R) PRO/1000 MT Desktop Adapter)
+    ```
+
+    In this example, there’s only one network card, with the index 0, installed on the system. If there are multiple network cards, remember the index of the device you want to use for capturing the traffic.
+
+    Modify the `device` setting to point to the index of the device:
+
+    ```shell
+    packetbeat.interfaces.device: 0
+    ```
+::::::
+
+::::::{tab-item} DEB
+```sh
+    packetbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} RPM
+```sh
+    packetbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+    ./packetbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} Linux
+```sh
+    ./packetbeat setup -e
+    ```
+::::::
+
+::::::{tab-item} Windows
+```sh
+    PS > .\packetbeat.exe setup -e
+    ```
+::::::
+
+::::::{tab-item} DEB
+```sh
+sudo service packetbeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Packetbeat, you can’t specify command line flags (see [Command reference](/reference/packetbeat/command-line-options.md)). To specify flags, start Packetbeat in the foreground.
+::::
+
+
+Also see [Packetbeat and systemd](/reference/packetbeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} RPM
+```sh
+sudo service packetbeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Packetbeat, you can’t specify command line flags (see [Command reference](/reference/packetbeat/command-line-options.md)). To specify flags, start Packetbeat in the foreground.
+::::
+
+
+Also see [Packetbeat and systemd](/reference/packetbeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} MacOS
+```sh
+sudo chown root packetbeat.yml <1>
+sudo ./packetbeat -e
+```
+
+1. You’ll be running Packetbeat as root, so you need to change ownership of the configuration file, or run Packetbeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Linux
+```sh
+sudo chown root packetbeat.yml <1>
+sudo ./packetbeat -e
+```
+
+1. You’ll be running Packetbeat as root, so you need to change ownership of the configuration file, or run Packetbeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Windows
+```sh
+PS C:\Program Files\packetbeat> Start-Service packetbeat
+```
+
+By default, Windows log files are stored in `C:\ProgramData\packetbeat\Logs`.
+::::::
+
+:::::::
+Packetbeat should begin streaming data to {{es}}.
+
+
+## Step 6: View your data in {{kib}} [view-data]
+
+Packetbeat comes with pre-built {{kib}} dashboards and UIs for visualizing log data. You loaded the dashboards earlier when you ran the `setup` command.
+
+To open the dashboards:
+
+1. Launch {{kib}}:
+
+    <div class="tabs" data-tab-group="host">
+      <div role="tablist" aria-label="Open Kibana">
+        <button role="tab"
+                aria-selected="true"
+                aria-controls="cloud-tab-open-kibana"
+                id="cloud-open-kibana">
+          Elasticsearch Service
+        </button>
+        <button role="tab"
+                aria-selected="false"
+                aria-controls="self-managed-tab-open-kibana"
+                id="self-managed-open-kibana"
+                tabindex="-1">
+          Self-managed
+        </button>
+      </div>
+      <div tabindex="0"
+           role="tabpanel"
+           id="cloud-tab-open-kibana"
+           aria-labelledby="cloud-open-kibana">
+    1. [Log in](https://cloud.elastic.co/) to your {{ecloud}} account.
+    2. Navigate to the {{kib}} endpoint in your deployment.
+
+      </div>
+      <div tabindex="0"
+           role="tabpanel"
+           id="self-managed-tab-open-kibana"
+           aria-labelledby="self-managed-open-kibana"
+           hidden="">
+    Point your browser to [http://localhost:5601](http://localhost:5601), replacing `localhost` with the name of the {{kib}} host.
+
+      </div>
+    </div>
+
+2. In the side navigation, click **Discover**. To see Packetbeat data, make sure the predefined `packetbeat-*` data view is selected.
+
+    ::::{tip}
+    If you don’t see data in {{kib}}, try changing the time filter to a larger range. By default, {{kib}} shows the last 15 minutes.
+    ::::
+
+3. In the side navigation, click **Dashboard**, then select the dashboard that you want to open.
+
+The dashboards are provided as examples. We recommend that you [customize](docs-content://explore-analyze/dashboards.md) them to meet your needs.
+
+::::{tip}
+To populate the client locations map in the overview dashboard, follow the steps described in [*Enrich events with geoIP information*](/reference/packetbeat/packetbeat-geoip.md).
+::::
+
+
+
+## What’s next? [_whats_next]
+
+Now that you have your data streaming into {{es}}, learn how to unify your logs, metrics, uptime, and application performance data.
+
+1. Ingest data from other sources by installing and configuring other Elastic {{beats}}:
+
+    | Elastic {{beats}} | To capture |
+    | --- | --- |
+    | [{{metricbeat}}](/reference/metricbeat/metricbeat-installation-configuration.md) | Infrastructure metrics |
+    | [{{filebeat}}](/reference/filebeat/filebeat-installation-configuration.md) | Logs |
+    | [{{winlogbeat}}](/reference/winlogbeat/winlogbeat-installation-configuration.md) | Windows event logs |
+    | [{{heartbeat}}](/reference/heartbeat/heartbeat-installation-configuration.md) | Uptime information |
+    | [APM](docs-content://solutions/observability/apps/application-performance-monitoring-apm.md) | Application performance metrics |
+    | [{{auditbeat}}](/reference/auditbeat/auditbeat-installation-configuration.md) | Audit events |
+
+2. Use the Observability apps in {{kib}} to search across all your data:
+
+    | Elastic apps | Use to |
+    | --- | --- |
+    | [{{metrics-app}}](docs-content://solutions/observability/infra-and-hosts/analyze-infrastructure-host-metrics.md) | Explore metrics about systems and services across your ecosystem |
+    | [{{logs-app}}](docs-content://solutions/observability/logs/explore-logs.md) | Tail related log data in real time |
+    | [{{uptime-app}}](docs-content://solutions/observability/apps/synthetic-monitoring.md#monitoring-uptime) | Monitor availability issues across your apps and services |
+    | [APM app](docs-content://solutions/observability/apps/overviews.md) | Monitor application performance |
+    | [{{siem-app}}](docs-content://solutions/security.md) | Analyze security events |
+
+
diff --git a/docs/reference/packetbeat/packetbeat-loopback-interface.md b/docs/reference/packetbeat/packetbeat-loopback-interface.md
new file mode 100644
index 000000000000..9735128b7d02
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-loopback-interface.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-loopback-interface.html
+---
+
+# Packetbeat can���t capture traffic from Windows loopback interface [packetbeat-loopback-interface]
+
+The Windows TCP/IP stack does not implement a network loopback interface, making it difficult for Windows packet capture drivers to capture traffic from the loopback device (127.0.0.1 traffic). To resolve this issue, install [Npcap](https://nmap.org/npcap/) in WinPcap API-compatible mode and select the option to support loopback traffic. When you restart Windows, Npcap creates an Npcap Loopback Adapter that you can select to capture loopback traffic.
+
+For the list of devices shown here, you would configure Packetbeat to use device `4`:
+
+```sh
+PS C:\Program Files\Packetbeat .\packetbeat.exe -devices
+0: \Device\NPF_NdisWanBh (NdisWan Adapter)
+1: \Device\NPF_NdisWanIp (NdisWan Adapter)
+2: \Device\NPF_NdisWanIpv6 (NdisWan Adapter)
+3: \Device\NPF_{DD72B02C-4E48-4924-8D0F-F80EA2755534} (Intel(R) PRO/1000 MT Desktop Adapter)
+4: \Device\NPF_{77DFFCAF-1335-4B0D-AFD4-5A4685674FAA} (MS NDIS 6.0 LoopBack Driver)
+```
+
diff --git a/docs/reference/packetbeat/packetbeat-memcache-options.md b/docs/reference/packetbeat/packetbeat-memcache-options.md
new file mode 100644
index 000000000000..81d081b6a83a
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-memcache-options.md
@@ -0,0 +1,68 @@
+---
+navigation_title: "Memcache"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-memcache-options.html
+---
+
+# Capture Memcache traffic [packetbeat-memcache-options]
+
+
+The `memcache` section of the `packetbeat.yml` config file specifies configuration options for the memcache protocol. Here is a sample configuration section for memcache:
+
+```yaml
+packetbeat.protocols:
+- type: memcache
+  ports: [11211]
+  parseunknown: false
+  maxvalues: 0
+  maxbytespervalue: 100
+  transaction_timeout: 200
+  udptransactiontimeout: 200
+```
+
+## Configuration options [_configuration_options_7]
+
+Also see [Common protocol options](/reference/packetbeat/common-protocol-options.md).
+
+### `parseunknown` [_parseunknown]
+
+When this option is enabled, it forces the memcache text protocol parser to accept unknown commands.
+
+::::{note}
+The unknown commands MUST NOT contain a data part.
+::::
+
+
+
+### `maxvalues` [_maxvalues]
+
+The maximum number of values to store in the message (multi-get). All values will be base64 encoded.
+
+The possible settings for this option are:
+
+* `maxvalue: -1`, which stores all values (text based protocol multi-get)
+* `maxvalue: 0`, which stores no values (default)
+* `maxvalue: N`, which stores up to N values
+
+
+### `maxbytespervalue` [_maxbytespervalue]
+
+The maximum number of bytes to be copied for each value element.
+
+::::{note}
+Values will be base64 encoded, so the actual size in the JSON document will be 4 times the value that you specify for `maxbytespervalue`.
+::::
+
+
+
+### `udptransactiontimeout` [_udptransactiontimeout]
+
+The transaction timeout in milliseconds. The defaults is 10000 milliseconds.
+
+::::{note}
+Quiet messages in UDP binary protocol get responses only if there is an error. The memcache protocol analyzer will wait for the number of milliseconds specified by `udptransactiontimeout` before publishing quiet messages. Non-quiet messages or quiet requests with an error response are published immediately.
+::::
+
+
+
+
diff --git a/docs/reference/packetbeat/packetbeat-mirror-ports.md b/docs/reference/packetbeat/packetbeat-mirror-ports.md
new file mode 100644
index 000000000000..0f37fde8a7f0
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-mirror-ports.md
@@ -0,0 +1,15 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-mirror-ports.html
+---
+
+# Packetbeat doesn���t see any packets when using mirror ports [packetbeat-mirror-ports]
+
+The interface needs to be set to promiscuous mode. Run the following command:
+
+```sh
+ip link set <device_name> promisc on
+```
+
+For example: `ip link set enp5s0f1 promisc on`
+
diff --git a/docs/reference/packetbeat/packetbeat-missing-transactions.md b/docs/reference/packetbeat/packetbeat-missing-transactions.md
new file mode 100644
index 000000000000..6c394554656e
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-missing-transactions.md
@@ -0,0 +1,11 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-missing-transactions.html
+---
+
+# Packetbeat is missing long running transactions [packetbeat-missing-transactions]
+
+Packetbeat has an internal timeout that it uses to time out transactions and TCP connections when no packets have been seen for a long time.
+
+To process long running transactions, you can specify a larger value for the [`transaction_timeout`](/reference/packetbeat/common-protocol-options.md#transaction-timeout-option) option. However, keep in mind that very large timeout values can increase memory usage if messages are lost or transaction response messages are not sent.
+
diff --git a/docs/reference/packetbeat/packetbeat-mysql-options.md b/docs/reference/packetbeat/packetbeat-mysql-options.md
new file mode 100644
index 000000000000..d06898038c82
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-mysql-options.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "MySQL"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-mysql-options.html
+---
+
+# Capture MySQL traffic [packetbeat-mysql-options]
+
+
+The `mysql` section of the `packetbeat.yml` config file specifies configuration options for the MySQL protocols.
+
+```yaml
+packetbeat.protocols:
+
+- type: mysql
+  ports: [3306,3307]
+```
+
+## Configuration options [_configuration_options_8]
+
+Also see [Common protocol options](/reference/packetbeat/common-protocol-options.md).
+
+### `max_rows` [_max_rows]
+
+The maximum number of rows from the SQL message to publish to Elasticsearch. The default is 10 rows.
+
+
+### `max_row_length` [_max_row_length]
+
+The maximum length in bytes of a row from the SQL message to publish to Elasticsearch. The default is 1024 bytes.
+
+
+
+## `statement_timeout` [_statement_timeout]
+
+The duration for which prepared statements are cached after their last use. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The default is `1h`.
+
+
diff --git a/docs/reference/packetbeat/packetbeat-overview.md b/docs/reference/packetbeat/packetbeat-overview.md
new file mode 100644
index 000000000000..787e0da3514e
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-overview.md
@@ -0,0 +1,42 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/index.html
+---
+
+# Packetbeat overview [packetbeat-overview]
+
+Packetbeat is a real-time network packet analyzer that you can use with Elasticsearch to provide an *application monitoring and performance analytics system*. Packetbeat completes the [Beats platform](/reference/index.md) by providing visibility between the servers of your network.
+
+Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting [fields](/reference/packetbeat/exported-fields.md) for each transaction.
+
+Packetbeat can help you easily notice issues with your back-end application, such as bugs or performance problems, and it makes troubleshooting them - and therefore fixing them - much faster.
+
+Packetbeat sniffs the traffic between your servers, parses the application-level protocols on the fly, and correlates the messages into transactions. Currently, Packetbeat supports the following protocols:
+
+* ICMP (v4 and v6)
+* DHCP (v4)
+* DNS
+* HTTP
+* AMQP 0.9.1
+* Cassandra
+* Mysql
+* PostgreSQL
+* Redis
+* Thrift-RPC
+* MongoDB
+* Memcache
+* NFS
+* TLS
+* SIP/SDP (beta)
+
+Packetbeat can insert the correlated transactions directly into Elasticsearch or into a central queue created with Redis and Logstash.
+
+Packetbeat can run on the same servers as your application processes or on its own servers. When running on dedicated servers, Packetbeat can get the traffic from the switch’s mirror ports or from tapping devices. In such a deployment, there is zero overhead on the monitored application. See [Traffic sniffing](/reference/packetbeat/configuration-interfaces.md) for details.
+
+After decoding the Layer 7 messages, Packetbeat correlates the requests with the responses in what we call *transactions*. For each transaction, Packetbeat inserts a JSON document into Elasticsearch. See the [Exported fields](/reference/packetbeat/exported-fields.md) section for details about which fields are indexed.
+
+The same Elasticsearch and Kibana instances that are used for analysing the network traffic gathered by Packetbeat can be used for analysing the log files gathered by Logstash. This way, you can have network traffic and log analysis in the same system.
+
+Packetbeat is an Elastic [Beat](https://www.elastic.co/beats). It’s based on the `libbeat` framework. For more information, see the [Beats Platform Reference](/reference/index.md).
+
diff --git a/docs/reference/packetbeat/packetbeat-pgsql-options.md b/docs/reference/packetbeat/packetbeat-pgsql-options.md
new file mode 100644
index 000000000000..dc6afffe9797
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-pgsql-options.md
@@ -0,0 +1,33 @@
+---
+navigation_title: "PgSQL"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-pgsql-options.html
+---
+
+# Capture PgSQL traffic [packetbeat-pgsql-options]
+
+
+The `pgsql` sections of the `packetbeat.yml` config file specifies configuration options for the PgSQL protocols.
+
+```yaml
+packetbeat.protocols:
+
+- type: pgsql
+  ports: [5432]
+```
+
+## Configuration options [_configuration_options_9]
+
+Also see [Common protocol options](/reference/packetbeat/common-protocol-options.md).
+
+### `max_rows` [_max_rows_2]
+
+The maximum number of rows from the SQL message to publish to Elasticsearch. The default is 10 rows.
+
+
+### `max_row_length` [_max_row_length_2]
+
+The maximum length in bytes of a row from the SQL message to publish to Elasticsearch. The default is 1024 bytes.
+
+
+
diff --git a/docs/reference/packetbeat/packetbeat-redis-options.md b/docs/reference/packetbeat/packetbeat-redis-options.md
new file mode 100644
index 000000000000..8e9da3a63639
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-redis-options.md
@@ -0,0 +1,29 @@
+---
+navigation_title: "Redis"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-redis-options.html
+---
+
+# Capture Redis traffic [packetbeat-redis-options]
+
+
+The Redis protocol has several specific configuration options. Here is a sample configuration for the `redis` section of the `packetbeat.yml` config file:
+
+```yaml
+packetbeat.protocols:
+- type: redis
+  ports: [6379]
+  queue_max_bytes: 1048576
+  queue_max_messages: 20000
+```
+
+## Configuration options [_configuration_options_13]
+
+Also see [Common protocol options](/reference/packetbeat/common-protocol-options.md).
+
+### `queue_max_bytes` and `queue_max_messages` [_queue_max_bytes_and_queue_max_messages]
+
+In order for request/response correlation to work, Packetbeat needs to store requests in memory until a response is received. These settings impose a limit on the number of bytes (`queue_max_bytes`) and number of requests (`queue_max_messages`) that can be stored. These limits are per-connection. The default is to queue up to 1MB or 20.000 requests per connection, which allows to use request pipelining while at the same time limiting the amount of memory consumed by replication sessions.
+
+
+
diff --git a/docs/reference/packetbeat/packetbeat-reference-yml.md b/docs/reference/packetbeat/packetbeat-reference-yml.md
new file mode 100644
index 000000000000..39b381797b02
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-reference-yml.md
@@ -0,0 +1,2342 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-reference-yml.html
+---
+
+# packetbeat.reference.yml [packetbeat-reference-yml]
+
+The following reference file is available with your Packetbeat installation. It shows all non-deprecated Packetbeat options. You can copy from this file and paste configurations into the `packetbeat.yml` file to customize it.
+
+::::{tip}
+The reference file is located in the same directory as the `packetbeat.yml` file. To locate the file, see [Directory layout](/reference/packetbeat/directory-layout.md).
+::::
+
+
+The contents of the file are included here for your convenience.
+
+```yaml
+## Packetbeat Configuration Example #######################
+
+# This file is a full configuration example documenting all non-deprecated
+# options in comments. For a shorter configuration example, that contains only
+# the most common options, please see packetbeat.yml in the same directory.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/packetbeat/index.html
+
+# =============================== Network device ===============================
+
+# Select the network interface to sniff the data. You can use the "any"
+# keyword to sniff on all connected interfaces. On all platforms, you
+# can use "default_route", "default_route_ipv4" or "default_route_ipv6"
+# to sniff on the device carrying the default route.
+packetbeat.interfaces.device: any
+
+# The network CIDR blocks are considered "internal" networks for
+# the purpose of network perimeter boundary classification. The valid
+# values for internal_networks are the same as those that can be used
+# with processor network conditions.
+#
+# For a list of available values see:
+# https://www.elastic.co/guide/en/beats/packetbeat/current/defining-processors.html#condition-network
+packetbeat.interfaces.internal_networks:
+  - private
+
+# Packetbeat supports three sniffer types:
+# * pcap, which uses the libpcap library and works on most platforms, but it's
+# not the fastest option.
+# * af_packet, which uses memory-mapped sniffing. This option is faster than
+# libpcap and doesn't require a kernel module, but it's Linux-specific.
+#packetbeat.interfaces.type: pcap
+
+# The maximum size of the packets to capture. The default is 65535, which is
+# large enough for almost all networks and interface types. If you sniff on a
+# physical network interface, the optimal setting is the MTU size. On virtual
+# interfaces, however, it's safer to accept the default value.
+#packetbeat.interfaces.snaplen: 65535
+
+# The maximum size of the shared memory buffer to use between the kernel and
+# user space. A bigger buffer usually results in lower CPU usage but consumes
+# more memory. This setting is only available for the af_packet sniffer type.
+# The default is 30 MB.
+#packetbeat.interfaces.buffer_size_mb: 30
+
+# Set the polling frequency for interface metrics. This currently only applies
+# to the "afpacket" interface type.
+# The default is 5s (seconds).
+#packetbeat.interfaces.metrics_interval: 5s
+
+# To scale processing across multiple Packetbeat processes, a fanout group
+# identifier can be specified. When `fanout_group` is used the Linux kernel splits
+# packets across Packetbeat instances in the same group by using a flow hash. It
+# computes the flow hash modulo with the number of Packetbeat processes in order
+# to consistently route flows to the same Packetbeat instance.
+#
+# The value must be between 0 and 65535. By default, no value is set.
+#
+# This is only available on Linux and requires using `type: af_packet`. Each process
+# must be running in the same network namespace. All processes must use the same
+# interface settings. You must take responsibility for running multiple instances
+# of Packetbeat.
+#packetbeat.interfaces.fanout_group: ~
+
+# Packetbeat automatically generates a BPF for capturing only the traffic on
+# ports where it expects to find known protocols. Use this setting to tell
+# Packetbeat to generate a BPF filter that accepts VLAN tags.
+#packetbeat.interfaces.with_vlans: true
+
+# Use this setting to override the automatically generated BPF filter.
+#packetbeat.interfaces.bpf_filter:
+
+# With `auto_promisc_mode` Packetbeat puts the interface in promiscuous mode automatically on startup.
+# This option does not work with `any` interface device.
+# The default option is false and requires manual set-up of promiscuous mode.
+# Warning: under some circumstances (e.g., beat crash) promiscuous mode
+# can stay enabled even after beat is shut down.
+#packetbeat.interfaces.auto_promisc_mode: true
+
+# By default Ingest pipelines are not updated if a pipeline with the same ID
+# already exists. If this option is enabled Packetbeat overwrites pipelines
+# every time a new Elasticsearch connection is established.
+#packetbeat.overwrite_pipelines: false
+
+# =================================== Flows ====================================
+
+packetbeat.flows:
+  # Enable Network flows. Default: true
+  #enabled: true
+
+  # Set network flow timeout. Flow is killed if no packet is received before being
+  # timed out.
+  timeout: 30s
+
+  # Configure reporting period. If set to -1s, only killed flows will be reported
+  period: 10s
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Overrides where flow events are indexed.
+  #index: my-custom-flow-index
+
+# =========================== Transaction protocols ============================
+
+packetbeat.protocols:
+- type: icmp
+  # Enable ICMPv4 and ICMPv6 monitoring. The default is true.
+  #enabled: true
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Overrides where this protocol's events are indexed.
+  #index: my-custom-icmp-index
+
+- type: amqp
+  # Enable AMQP monitoring. Default: true
+  #enabled: true
+
+  # Configure the ports where to listen for AMQP traffic. You can disable
+  # the AMQP protocol by commenting out the list of ports.
+  ports: [5672]
+  # Truncate messages that are published and avoid huge messages being
+  # indexed.
+  # Default: 1000
+  #max_body_length: 1000
+
+  # Hide the header fields in header frames.
+  # Default: false
+  #parse_headers: false
+
+  # Hide the additional arguments of method frames.
+  # Default: false
+  #parse_arguments: false
+
+  # Hide all methods relative to connection negotiation between the server and
+  # client.
+  # Default: true
+  #hide_connection_information: true
+
+  # If this option is enabled, the raw message of the request (`request` field)
+  # is sent to Elasticsearch. The default is false.
+  #send_request: false
+
+  # If this option is enabled, the raw message of the response (`response`
+  # field) is sent to Elasticsearch. The default is false.
+  #send_response: false
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Transaction timeout. Expired transactions will no longer be correlated to
+  # incoming responses, but sent to Elasticsearch immediately.
+  #transaction_timeout: 10s
+
+  # Overrides where this protocol's events are indexed.
+  #index: my-custom-amqp-index
+
+- type: cassandra
+  #Cassandra port for traffic monitoring.
+  ports: [9042]
+
+  # If this option is enabled, the raw message of the request (`cassandra_request` field)
+  # is included in published events. The default is true.
+  #send_request: true
+
+  # If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field)
+  # is included in published events. The default is true. enable `send_request` first before enabling this option.
+  #send_request_header: true
+
+  # If this option is enabled, the raw message of the response (`cassandra_response` field)
+  # is included in published events. The default is true.
+  #send_response: true
+
+  # If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field)
+  # is included in published events. The default is true. enable `send_response` first before enabling this option.
+  #send_response_header: true
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Configures the default compression algorithm being used to uncompress compressed frames by name. Currently only `snappy` is can be configured.
+  # By default no compressor is configured.
+  #compressor: "snappy"
+
+  # This option indicates which Operator/Operators will be ignored.
+  #ignored_ops: ["SUPPORTED","OPTIONS"]
+
+  # Overrides where this protocol's events are indexed.
+  #index: my-custom-cassandra-index
+
+- type: dhcpv4
+  # Configure the DHCP for IPv4 ports.
+  ports: [67, 68]
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+- type: dns
+  # Enable DNS monitoring. Default: true
+  #enabled: true
+
+  # Configure the ports where to listen for DNS traffic. You can disable
+  # the DNS protocol by commenting out the list of ports.
+  ports: [53]
+
+  # include_authorities controls whether or not the dns.authorities field
+  # (authority resource records) is added to messages.
+  # Default: false
+  include_authorities: true
+  # include_additionals controls whether or not the dns.additionals field
+  # (additional resource records) is added to messages.
+  # Default: false
+  include_additionals: true
+
+  # send_request and send_response control whether or not the stringified DNS
+  # request and response message are added to the result.
+  # Nearly all data about the request/response is available in the dns.*
+  # fields, but this can be useful if you need visibility specifically
+  # into the request or the response.
+  # Default: false
+  # send_request:  true
+  # send_response: true
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Transaction timeout. Expired transactions will no longer be correlated to
+  # incoming responses, but sent to Elasticsearch immediately.
+  #transaction_timeout: 10s
+
+  # Overrides where this protocol's events are indexed.
+  #index: my-custom-dhcpv4-index
+
+- type: http
+  # Enable HTTP monitoring. Default: true
+  #enabled: true
+
+  # Configure the ports where to listen for HTTP traffic. You can disable
+  # the HTTP protocol by commenting out the list of ports.
+  ports: [80, 8080, 8000, 5000, 8002]
+
+  # Uncomment the following to hide certain parameters in the URL or forms attached
+  # to HTTP requests. The names of the parameters are case-insensitive.
+  # The value of the parameters will be replaced with the 'xxxxx' string.
+  # This is generally useful for avoiding storing user passwords or other
+  # sensitive information.
+  # Only query parameters and top level form parameters are replaced.
+  # hide_keywords: ['pass', 'password', 'passwd']
+
+  # A list of header names to capture and send to Elasticsearch. These headers
+  # are placed under the `headers` dictionary in the resulting JSON.
+  #send_headers: false
+
+  # Instead of sending a white list of headers to Elasticsearch, you can send
+  # all headers by setting this option to true. The default is false.
+  #send_all_headers: false
+
+  # A list of headers to redact if present in the HTTP request. This will keep
+  # the header field present, but will redact it's value to show the headers
+  # presence.
+  #redact_headers: []
+
+  # The list of content types for which Packetbeat includes the full HTTP
+  # payload. If the request's or response's Content-Type matches any on this
+  # list, the full body will be included under the request or response field.
+  #include_body_for: []
+
+  # The list of content types for which Packetbeat includes the full HTTP
+  # request payload.
+  #include_request_body_for: []
+
+  # The list of content types for which Packetbeat includes the full HTTP
+  # response payload.
+  #include_response_body_for: []
+
+  # Whether the body of a request must be decoded when a content-encoding
+  # or transfer-encoding has been applied.
+  #decode_body: true
+
+  # If the Cookie or Set-Cookie headers are sent, this option controls whether
+  # they are split into individual values.
+  #split_cookie: false
+
+  # The header field to extract the real IP from. This setting is useful when
+  # you want to capture traffic behind a reverse proxy, but you want to get the
+  # geo-location information.
+  #real_ip_header:
+
+  # If this option is enabled, the raw message of the request (`request` field)
+  # is sent to Elasticsearch. The default is false.
+  #send_request: false
+
+  # If this option is enabled, the raw message of the response (`response`
+  # field) is sent to Elasticsearch. The default is false.
+  #send_response: false
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Transaction timeout. Expired transactions will no longer be correlated to
+  # incoming responses, but sent to Elasticsearch immediately.
+  #transaction_timeout: 10s
+
+  # Maximum message size. If an HTTP message is larger than this, it will
+  # be trimmed to this size. Default is 10 MB.
+  #max_message_size: 10485760
+
+  # Overrides where this protocol's events are indexed.
+  #index: my-custom-http-index
+
+- type: memcache
+  # Enable memcache monitoring. Default: true
+  #enabled: true
+
+  # Configure the ports where to listen for memcache traffic. You can disable
+  # the Memcache protocol by commenting out the list of ports.
+  ports: [11211]
+
+  # Uncomment the parseunknown option to force the memcache text protocol parser
+  # to accept unknown commands.
+  # Note: All unknown commands MUST not contain any data parts!
+  # Default: false
+  # parseunknown: true
+
+  # Update the maxvalue option to store the values - base64 encoded - in the
+  # json output.
+  # possible values:
+  #    maxvalue: -1  # store all values (text based protocol multi-get)
+  #    maxvalue: 0   # store no values at all
+  #    maxvalue: N   # store up to N values
+  # Default: 0
+  # maxvalues: -1
+
+  # Use maxbytespervalue to limit the number of bytes to be copied per value element.
+  # Note: Values will be base64 encoded, so actual size in json document
+  #       will be 4 times maxbytespervalue.
+  # Default: unlimited
+  # maxbytespervalue: 100
+
+  # UDP transaction timeout in milliseconds.
+  # Note: Quiet messages in UDP binary protocol will get response only in error case.
+  #       The memcached analyzer will wait for udptransactiontimeout milliseconds
+  #       before publishing quiet messages. Non quiet messages or quiet requests with
+  #       error response will not have to wait for the timeout.
+  # Default: 200
+  # udptransactiontimeout: 1000
+
+  # If this option is enabled, the raw message of the request (`request` field)
+  # is sent to Elasticsearch. The default is false.
+  #send_request: false
+
+  # If this option is enabled, the raw message of the response (`response`
+  # field) is sent to Elasticsearch. The default is false.
+  #send_response: false
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Transaction timeout. Expired transactions will no longer be correlated to
+  # incoming responses, but sent to Elasticsearch immediately.
+  #transaction_timeout: 10s
+
+  # Overrides where this protocol's events are indexed.
+  #index: my-custom-memcache-index
+
+- type: mysql
+  # Enable mysql monitoring. Default: true
+  #enabled: true
+
+  # Configure the ports where to listen for MySQL traffic. You can disable
+  # the MySQL protocol by commenting out the list of ports.
+  ports: [3306,3307]
+
+  # If this option is enabled, the raw message of the request (`request` field)
+  # is sent to Elasticsearch. The default is false.
+  #send_request: false
+
+  # If this option is enabled, the raw message of the response (`response`
+  # field) is sent to Elasticsearch. The default is false.
+  #send_response: false
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Transaction timeout. Expired transactions will no longer be correlated to
+  # incoming responses, but sent to Elasticsearch immediately.
+  #transaction_timeout: 10s
+
+  # Overrides where this protocol's events are indexed.
+  #index: my-custom-mysql-index
+
+- type: pgsql
+  # Enable pgsql monitoring. Default: true
+  #enabled: true
+
+  # Configure the ports where to listen for Pgsql traffic. You can disable
+  # the Pgsql protocol by commenting out the list of ports.
+  ports: [5432]
+
+  # If this option is enabled, the raw message of the request (`request` field)
+  # is sent to Elasticsearch. The default is false.
+  #send_request: false
+
+  # If this option is enabled, the raw message of the response (`response`
+  # field) is sent to Elasticsearch. The default is false.
+  #send_response: false
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Transaction timeout. Expired transactions will no longer be correlated to
+  # incoming responses, but sent to Elasticsearch immediately.
+  #transaction_timeout: 10s
+
+  # Overrides where this protocol's events are indexed.
+  #index: my-custom-pgsql-index
+
+- type: redis
+  # Enable redis monitoring. Default: true
+  #enabled: true
+
+  # Configure the ports where to listen for Redis traffic. You can disable
+  # the Redis protocol by commenting out the list of ports.
+  ports: [6379]
+
+  # If this option is enabled, the raw message of the request (`request` field)
+  # is sent to Elasticsearch. The default is false.
+  #send_request: false
+
+  # If this option is enabled, the raw message of the response (`response`
+  # field) is sent to Elasticsearch. The default is false.
+  #send_response: false
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Transaction timeout. Expired transactions will no longer be correlated to
+  # incoming responses, but sent to Elasticsearch immediately.
+  #transaction_timeout: 10s
+
+  # Max size for per-session message queue. This places a limit on the memory
+  # that can be used to buffer requests and responses for correlation.
+  #queue_max_bytes: 1048576
+
+  # Max number of messages for per-session message queue. This limits the number
+  # of requests or responses that can be buffered for correlation. Set a value
+  # large enough to allow for pipelining.
+  #queue_max_messages: 20000
+
+  # Overrides where this protocol's events are indexed.
+  #index: my-custom-redis-index
+
+- type: thrift
+  # Enable thrift monitoring. Default: true
+  #enabled: true
+
+  # Configure the ports where to listen for Thrift-RPC traffic. You can disable
+  # the Thrift-RPC protocol by commenting out the list of ports.
+  ports: [9090]
+
+  # The Thrift transport type. Currently this option accepts the values socket
+  # for TSocket, which is the default Thrift transport, and framed for the
+  # TFramed Thrift transport. The default is socket.
+  #transport_type: socket
+
+  # The Thrift protocol type. Currently the only accepted value is binary for
+  # the TBinary protocol, which is the default Thrift protocol.
+  #protocol_type: binary
+
+  # The Thrift interface description language (IDL) files for the service that
+  # Packetbeat is monitoring.  Providing the IDL enables Packetbeat to include
+  # parameter and exception names.
+  #idl_files: []
+
+  # The maximum length for strings in parameters or return values. If a string
+  # is longer than this value, the string is automatically truncated to this
+  # length.
+  #string_max_size: 200
+
+  # The maximum number of elements in a Thrift list, set, map, or structure.
+  #collection_max_size: 15
+
+  # If this option is set to false, Packetbeat decodes the method name from the
+  # reply and simply skips the rest of the response message.
+  #capture_reply: true
+
+  # If this option is set to true, Packetbeat replaces all strings found in
+  # method parameters, return codes, or exception structures with the "*"
+  # string.
+  #obfuscate_strings: false
+
+  # The maximum number of fields that a structure can have before Packetbeat
+  # ignores the whole transaction.
+  #drop_after_n_struct_fields: 500
+
+  # If this option is enabled, the raw message of the request (`request` field)
+  # is sent to Elasticsearch. The default is false.
+  #send_request: false
+
+  # If this option is enabled, the raw message of the response (`response`
+  # field) is sent to Elasticsearch. The default is false.
+  #send_response: false
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Transaction timeout. Expired transactions will no longer be correlated to
+  # incoming responses, but sent to Elasticsearch immediately.
+  #transaction_timeout: 10s
+
+  # Overrides where this protocol's events are indexed.
+  #index: my-custom-thrift-index
+
+- type: mongodb
+  # Enable mongodb monitoring. Default: true
+  #enabled: true
+
+  # Configure the ports where to listen for MongoDB traffic. You can disable
+  # the MongoDB protocol by commenting out the list of ports.
+  ports: [27017]
+
+
+  # The maximum number of documents from the response to index in the `response`
+  # field. The default is 10.
+  #max_docs: 10
+
+  # The maximum number of characters in a single document indexed in the
+  # `response` field. The default is 5000. You can set this to 0 to index an
+  # unlimited number of characters per document.
+  #max_doc_length: 5000
+
+  # If this option is enabled, the raw message of the request (`request` field)
+  # is sent to Elasticsearch. The default is false.
+  #send_request: false
+
+  # If this option is enabled, the raw message of the response (`response`
+  # field) is sent to Elasticsearch. The default is false.
+  #send_response: false
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Transaction timeout. Expired transactions will no longer be correlated to
+  # incoming responses, but sent to Elasticsearch immediately.
+  #transaction_timeout: 10s
+
+  # Overrides where this protocol's events are indexed.
+  #index: my-custom-mongodb-index
+
+- type: nfs
+  # Enable NFS monitoring. Default: true
+  #enabled: true
+
+  # Configure the ports where to listen for NFS traffic. You can disable
+  # the NFS protocol by commenting out the list of ports.
+  ports: [2049]
+
+  # If this option is enabled, the raw message of the request (`request` field)
+  # is sent to Elasticsearch. The default is false.
+  #send_request: false
+
+  # If this option is enabled, the raw message of the response (`response`
+  # field) is sent to Elasticsearch. The default is false.
+  #send_response: false
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Transaction timeout. Expired transactions will no longer be correlated to
+  # incoming responses, but sent to Elasticsearch immediately.
+  #transaction_timeout: 10s
+
+  # Overrides where this protocol's events are indexed.
+  #index: my-custom-nfs-index
+
+- type: tls
+  # Enable TLS monitoring. Default: true
+  #enabled: true
+
+  # Configure the ports where to listen for TLS traffic. You can disable
+  # the TLS protocol by commenting out the list of ports.
+  ports:
+    - 443   # HTTPS
+    - 993   # IMAPS
+    - 995   # POP3S
+    - 5223  # XMPP over SSL
+    - 8443
+    - 8883  # Secure MQTT
+    - 9243  # Elasticsearch
+
+  # List of hash algorithms to use to calculate certificates' fingerprints.
+  # Valid values are `sha1`, `sha256` and `md5`.
+  #fingerprints: [sha1]
+
+  # If this option is enabled, the client and server certificates and
+  # certificate chains are sent to Elasticsearch. The default is true.
+  #send_certificates: true
+
+  # If this option is enabled, the raw certificates will be stored
+  # in PEM format under the `raw` key. The default is false.
+  #include_raw_certificates: false
+
+  # Set to true to publish fields with null values in events.
+  #keep_null: false
+
+  # Overrides where this protocol's events are indexed.
+  #index: my-custom-tls-index
+
+- type: sip
+  # Configure the ports where to listen for SIP traffic. You can disable the SIP protocol by commenting out the list of ports.
+  ports: [5060]
+
+  # Parse the authorization headers
+  parse_authorization: true
+
+  # Parse body contents (only when body is SDP)
+  parse_body: true
+
+  # Preserve original contents in event.original
+  keep_original: true
+
+  # You can monitor tcp SIP traffic by setting the transport_protocol option
+  # to tcp, it defaults to udp.
+  #transport_protocol: tcp
+
+  # Overrides where this protocol's events are indexed.
+  #index: my-custom-sip-index
+
+# ============================ Monitored processes =============================
+
+# Packetbeat can enrich events with information about the process associated
+# the socket that sent or received the packet if Packetbeat is monitoring
+# traffic from the host machine. By default process enrichment is disabled.
+# This feature works on Linux and Windows.
+packetbeat.procs.enabled: false
+
+# If you want to ignore transactions created by the server on which the shipper
+# is installed you can enable this option. This option is useful to remove
+# duplicates if shippers are installed on multiple servers. Default value is
+# false.
+packetbeat.ignore_outgoing: false
+
+# ================================== General ===================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+# If this option is not defined, the hostname is used.
+#name:
+
+# The tags of the shipper are included in their field with each
+# transaction published. Tags make it easy to group servers by different
+# logical properties.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output. Fields can be scalar values, arrays, dictionaries, or any nested
+# combination of these.
+#fields:
+#  env: staging
+
+# If this option is set to true, the custom fields are stored as top-level
+# fields in the output document instead of being grouped under a field
+# sub-dictionary. Default is false.
+#fields_under_root: false
+
+# Configure the precision of all timestamps in Packetbeat.
+# Available options: millisecond, microsecond, nanosecond
+#timestamp.precision: millisecond
+
+# Internal queue configuration for buffering events to be published.
+# Queue settings may be overridden by performance presets in the
+# Elasticsearch output. To configure them manually use "preset: custom".
+#queue:
+  # Queue type by name (default 'mem')
+  # The memory queue will present all available events (up to the outputs
+  # bulk_max_size) to the output, the moment the output is ready to serve
+  # another batch of events.
+  #mem:
+    # Max number of events the queue can buffer.
+    #events: 3200
+
+    # Hints the minimum number of events stored in the queue,
+    # before providing a batch of events to the outputs.
+    # The default value is set to 2048.
+    # A value of 0 ensures events are immediately available
+    # to be sent to the outputs.
+    #flush.min_events: 1600
+
+    # Maximum duration after which events are available to the outputs,
+    # if the number of events stored in the queue is < `flush.min_events`.
+    #flush.timeout: 10s
+
+  # The disk queue stores incoming events on disk until the output is
+  # ready for them. This allows a higher event limit than the memory-only
+  # queue and lets pending events persist through a restart.
+  #disk:
+    # The directory path to store the queue's data.
+    #path: "${path.data}/diskqueue"
+
+    # The maximum space the queue should occupy on disk. Depending on
+    # input settings, events that exceed this limit are delayed or discarded.
+    #max_size: 10GB
+
+    # The maximum size of a single queue data file. Data in the queue is
+    # stored in smaller segments that are deleted after all their events
+    # have been processed.
+    #segment_size: 1GB
+
+    # The number of events to read from disk to memory while waiting for
+    # the output to request them.
+    #read_ahead: 512
+
+    # The number of events to accept from inputs while waiting for them
+    # to be written to disk. If event data arrives faster than it
+    # can be written to disk, this setting prevents it from overflowing
+    # main memory.
+    #write_ahead: 2048
+
+    # The duration to wait before retrying when the queue encounters a disk
+    # write error.
+    #retry_interval: 1s
+
+    # The maximum length of time to wait before retrying on a disk write
+    # error. If the queue encounters repeated errors, it will double the
+    # length of its retry interval each time, up to this maximum.
+    #max_retry_interval: 30s
+
+# Sets the maximum number of CPUs that can be executed simultaneously. The
+# default is the number of logical CPUs available in the system.
+#max_procs:
+
+# ================================= Processors =================================
+
+# Processors are used to reduce the number of fields in the exported event or to
+# enhance the event with external metadata. This section defines a list of
+# processors that are applied one by one and the first one receives the initial
+# event:
+#
+#   event -> filter1 -> event1 -> filter2 ->event2 ...
+#
+# The supported processors are drop_fields, drop_event, include_fields,
+# decode_json_fields, and add_cloud_metadata.
+#
+# For example, you can use the following processors to keep the fields that
+# contain CPU load percentages, but remove the fields that contain CPU ticks
+# values:
+#
+#processors:
+#  - include_fields:
+#      fields: ["cpu"]
+#  - drop_fields:
+#      fields: ["cpu.user", "cpu.system"]
+#
+# The following example drops the events that have the HTTP response code 200:
+#
+#processors:
+#  - drop_event:
+#      when:
+#        equals:
+#          http.code: 200
+#
+# The following example renames the field a to b:
+#
+#processors:
+#  - rename:
+#      fields:
+#        - from: "a"
+#          to: "b"
+#
+# The following example tokenizes the string into fields:
+#
+#processors:
+#  - dissect:
+#      tokenizer: "%{key1} - %{key2}"
+#      field: "message"
+#      target_prefix: "dissect"
+#
+# The following example enriches each event with metadata from the cloud
+# provider about the host machine. It works on EC2, GCE, DigitalOcean,
+# Tencent Cloud, and Alibaba Cloud.
+#
+#processors:
+#  - add_cloud_metadata: ~
+#
+# The following example enriches each event with the machine's local time zone
+# offset from UTC.
+#
+#processors:
+#  - add_locale:
+#      format: offset
+#
+# The following example enriches each event with docker metadata, it matches
+# given fields to an existing container id and adds info from that container:
+#
+#processors:
+#  - add_docker_metadata:
+#      host: "unix:///var/run/docker.sock"
+#      match_fields: ["system.process.cgroup.id"]
+#      match_pids: ["process.pid", "process.parent.pid"]
+#      match_source: true
+#      match_source_index: 4
+#      match_short_id: false
+#      cleanup_timeout: 60
+#      labels.dedot: false
+#      # To connect to Docker over TLS you must specify a client and CA certificate.
+#      #ssl:
+#      #  certificate_authority: "/etc/pki/root/ca.pem"
+#      #  certificate:           "/etc/pki/client/cert.pem"
+#      #  key:                   "/etc/pki/client/cert.key"
+#
+# The following example enriches each event with docker metadata, it matches
+# container id from log path available in `source` field (by default it expects
+# it to be /var/lib/docker/containers/*/*.log).
+#
+#processors:
+#  - add_docker_metadata: ~
+#
+# The following example enriches each event with host metadata.
+#
+#processors:
+#  - add_host_metadata: ~
+#
+# The following example enriches each event with process metadata using
+# process IDs included in the event.
+#
+#processors:
+#  - add_process_metadata:
+#      match_pids: ["system.process.ppid"]
+#      target: system.process.parent
+#
+# The following example decodes fields containing JSON strings
+# and replaces the strings with valid JSON objects.
+#
+#processors:
+#  - decode_json_fields:
+#      fields: ["field1", "field2", ...]
+#      process_array: false
+#      max_depth: 1
+#      target: ""
+#      overwrite_keys: false
+#
+#processors:
+#  - decompress_gzip_field:
+#      from: "field1"
+#      to: "field2"
+#      ignore_missing: false
+#      fail_on_error: true
+#
+# The following example copies the value of the message to message_copied
+#
+#processors:
+#  - copy_fields:
+#      fields:
+#        - from: message
+#          to: message_copied
+#      fail_on_error: true
+#      ignore_missing: false
+#
+# The following example truncates the value of the message to 1024 bytes
+#
+#processors:
+#  - truncate_fields:
+#      fields:
+#        - message
+#      max_bytes: 1024
+#      fail_on_error: false
+#      ignore_missing: true
+#
+# The following example preserves the raw message under event.original
+#
+#processors:
+#  - copy_fields:
+#      fields:
+#        - from: message
+#          to: event.original
+#      fail_on_error: false
+#      ignore_missing: true
+#  - truncate_fields:
+#      fields:
+#        - event.original
+#      max_bytes: 1024
+#      fail_on_error: false
+#      ignore_missing: true
+#
+# The following example URL-decodes the value of field1 to field2
+#
+#processors:
+#  - urldecode:
+#      fields:
+#        - from: "field1"
+#          to: "field2"
+#      ignore_missing: false
+#      fail_on_error: true
+
+# =============================== Elastic Cloud ================================
+
+# These settings simplify using Packetbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+# ================================== Outputs ===================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+# ---------------------------- Elasticsearch Output ----------------------------
+output.elasticsearch:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Array of hosts to connect to.
+  # Scheme and port can be left out and will be set to the default (http and 9200)
+  # In case you specify and additional path, the scheme is required: http://localhost:9200/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+  hosts: ["localhost:9200"]
+
+  # Performance presets configure other output fields to recommended values
+  # based on a performance priority.
+  # Options are "balanced", "throughput", "scale", "latency" and "custom".
+  # Default if unspecified: "custom"
+  preset: balanced
+
+  # Set gzip compression level. Set to 0 to disable compression.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 1.
+  #compression_level: 1
+
+  # Configure escaping HTML symbols in strings.
+  #escape_html: false
+
+  # Protocol - either `http` (default) or `https`.
+  #protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
+  #username: "elastic"
+  #password: "changeme"
+
+  # Dictionary of HTTP parameters to pass within the URL with index operations.
+  #parameters:
+    #param1: value1
+    #param2: value2
+
+  # Number of workers per Elasticsearch host.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  #worker: 1
+
+  # If set to true and multiple hosts are configured, the output plugin load
+  # balances published events onto all Elasticsearch hosts. If set to false,
+  # the output plugin sends all events to only one host (determined at random)
+  # and will switch to another host if the currently selected one becomes
+  # unreachable. The default value is true.
+  #loadbalance: true
+
+  # Optional data stream or index name. The default is "packetbeat-%{[agent.version]}".
+  # In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly.
+  #index: "packetbeat-%{[agent.version]}"
+
+  # Optional ingest pipeline. By default, no pipeline will be used.
+  #pipeline: ""
+
+  # Optional HTTP path
+  #path: "/elasticsearch"
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Proxy server URL
+  #proxy_url: http://proxy:3128
+
+  # Whether to disable proxy settings for outgoing connections. If true, this
+  # takes precedence over both the proxy_url field and any environment settings
+  # (HTTP_PROXY, HTTPS_PROXY). The default is false.
+  #proxy_disable: false
+
+  # The number of times a particular Elasticsearch index operation is attempted. If
+  # the indexing operation doesn't succeed after this many retries, the events are
+  # dropped. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 1600.
+  #bulk_max_size: 1600
+
+  # The number of seconds to wait before trying to reconnect to Elasticsearch
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Elasticsearch after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum amount of time an idle connection will remain idle
+  # before closing itself.  Zero means use the default of 60s. The
+  # format is a Go language duration (example 60s is 60 seconds).
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 3s.
+  # idle_connection_timeout: 3s
+
+  # Configure HTTP request timeout before failing a request to Elasticsearch.
+  #timeout: 90
+
+  # Prevents packetbeat from connecting to older Elasticsearch versions when set to `false`
+  #allow_older_versions: true
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+  # Enables restarting packetbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/elastic.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+
+# ------------------------------ Logstash Output -------------------------------
+#output.logstash:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # The Logstash hosts
+  #hosts: ["localhost:5044"]
+
+  # Number of workers per Logstash host.
+  #worker: 1
+
+  # Set gzip compression level.
+  #compression_level: 3
+
+  # Configure escaping HTML symbols in strings.
+  #escape_html: false
+
+  # Optional maximum time to live for a connection to Logstash, after which the
+  # connection will be re-established.  A value of `0s` (the default) will
+  # disable this feature.
+  #
+  # Not yet supported for async connections (i.e. with the "pipelining" option set)
+  #ttl: 30s
+
+  # Optionally load-balance events between Logstash hosts. Default is false.
+  #loadbalance: false
+
+  # Number of batches to be sent asynchronously to Logstash while processing
+  # new batches.
+  #pipelining: 2
+
+  # If enabled only a subset of events in a batch of events is transferred per
+  # transaction.  The number of events to be sent increases up to `bulk_max_size`
+  # if no error is encountered.
+  #slow_start: false
+
+  # The number of seconds to wait before trying to reconnect to Logstash
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Logstash after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # Optional index name. The default index name is set to packetbeat
+  # in all lowercase.
+  #index: 'packetbeat'
+
+  # SOCKS5 proxy server URL
+  #proxy_url: socks5://user:password@socks5-server:2233
+
+  # Resolve names locally when using a proxy server. Defaults to false.
+  #proxy_use_local_resolver: false
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting packetbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, the events are typically dropped.
+  # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
+  # and retry until all events are published.  Set max_retries to a value less
+  # than 0 to retry until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Logstash request. The
+  # default is 2048.
+  #bulk_max_size: 2048
+
+  # The number of seconds to wait for responses from the Logstash server before
+  # timing out. The default is 30s.
+  #timeout: 30s
+
+# -------------------------------- Kafka Output --------------------------------
+#output.kafka:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # The list of Kafka broker addresses from which to fetch the cluster metadata.
+  # The cluster metadata contain the actual Kafka brokers events are published
+  # to.
+  #hosts: ["localhost:9092"]
+
+  # The Kafka topic used for produced events. The setting can be a format string
+  # using any event field. To set the topic from document type use `%{[type]}`.
+  #topic: beats
+
+  # The Kafka event key setting. Use format string to create a unique event key.
+  # By default no event key will be generated.
+  #key: ''
+
+  # The Kafka event partitioning strategy. Default hashing strategy is `hash`
+  # using the `output.kafka.key` setting or randomly distributes events if
+  # `output.kafka.key` is not configured.
+  #partition.hash:
+    # If enabled, events will only be published to partitions with reachable
+    # leaders. Default is false.
+    #reachable_only: false
+
+    # Configure alternative event field names used to compute the hash value.
+    # If empty `output.kafka.key` setting will be used.
+    # Default value is empty list.
+    #hash: []
+
+  # Authentication details. Password is required if username is set.
+  #username: ''
+  #password: ''
+
+  # SASL authentication mechanism used. Can be one of PLAIN, SCRAM-SHA-256 or SCRAM-SHA-512.
+  # Defaults to PLAIN when `username` and `password` are configured.
+  #sasl.mechanism: ''
+
+  # Kafka version Packetbeat is assumed to run against. Defaults to the "1.0.0".
+  #version: '1.0.0'
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # Metadata update configuration. Metadata contains leader information
+  # used to decide which broker to use when publishing.
+  #metadata:
+    # Max metadata request retry attempts when cluster is in middle of leader
+    # election. Defaults to 3 retries.
+    #retry.max: 3
+
+    # Wait time between retries during leader elections. Default is 250ms.
+    #retry.backoff: 250ms
+
+    # Refresh metadata interval. Defaults to every 10 minutes.
+    #refresh_frequency: 10m
+
+    # Strategy for fetching the topics metadata from the broker. Default is false.
+    #full: false
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, events are typically dropped.
+  # Some Beats, such as Filebeat, ignore the max_retries setting and retry until
+  # all events are published.  Set max_retries to a value less than 0 to retry
+  # until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The number of seconds to wait before trying to republish to Kafka
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to republish. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful publish, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to republish to
+  # Kafka after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum number of events to bulk in a single Kafka request. The default
+  # is 2048.
+  #bulk_max_size: 2048
+
+  # Duration to wait before sending bulk Kafka request. 0 is no delay. The default
+  # is 0.
+  #bulk_flush_frequency: 0s
+
+  # The number of seconds to wait for responses from the Kafka brokers before
+  # timing out. The default is 30s.
+  #timeout: 30s
+
+  # The maximum duration a broker will wait for number of required ACKs. The
+  # default is 10s.
+  #broker_timeout: 10s
+
+  # The number of messages buffered for each Kafka broker. The default is 256.
+  #channel_buffer_size: 256
+
+  # The keep-alive period for an active network connection. If 0s, keep-alives
+  # are disabled. The default is 0 seconds.
+  #keep_alive: 0
+
+  # Sets the output compression codec. Must be one of none, snappy and gzip. The
+  # default is gzip.
+  #compression: gzip
+
+  # Set the compression level. Currently only gzip provides a compression level
+  # between 0 and 9. The default value is chosen by the compression algorithm.
+  #compression_level: 4
+
+  # The maximum permitted size of JSON-encoded messages. Bigger messages will be
+  # dropped. The default value is 1000000 (bytes). This value should be equal to
+  # or less than the broker's message.max.bytes.
+  #max_message_bytes: 1000000
+
+  # The ACK reliability level required from broker. 0=no response, 1=wait for
+  # local commit, -1=wait for all replicas to commit. The default is 1.  Note:
+  # If set to 0, no ACKs are returned by Kafka. Messages might be lost silently
+  # on error.
+  #required_acks: 1
+
+  # The configurable ClientID used for logging, debugging, and auditing
+  # purposes.  The default is "beats".
+  #client_id: beats
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting packetbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/security/keytabs/kafka.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # The service name. Service principal name is contructed from
+  # service_name/hostname@realm.
+  #kerberos.service_name: kafka
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+  # Enables Kerberos FAST authentication. This may
+  # conflict with certain Active Directory configurations.
+  #kerberos.enable_krb5_fast: false
+
+# -------------------------------- Redis Output --------------------------------
+#output.redis:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty print json event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # The list of Redis servers to connect to. If load-balancing is enabled, the
+  # events are distributed to the servers in the list. If one server becomes
+  # unreachable, the events are distributed to the reachable servers only.
+  # The hosts setting supports redis and rediss urls with custom password like
+  # redis://:password@localhost:6379.
+  #hosts: ["localhost:6379"]
+
+  # The name of the Redis list or channel the events are published to. The
+  # default is packetbeat.
+  #key: packetbeat
+
+  # The password to authenticate to Redis with. The default is no authentication.
+  #password:
+
+  # The Redis database number where the events are published. The default is 0.
+  #db: 0
+
+  # The Redis data type to use for publishing events. If the data type is list,
+  # the Redis RPUSH command is used. If the data type is channel, the Redis
+  # PUBLISH command is used. The default value is list.
+  #datatype: list
+
+  # The number of workers to use for each host configured to publish events to
+  # Redis. Use this setting along with the loadbalance option. For example, if
+  # you have 2 hosts and 3 workers, in total 6 workers are started (3 for each
+  # host).
+  #worker: 1
+
+  # If set to true and multiple hosts or workers are configured, the output
+  # plugin load balances published events onto all Redis hosts. If set to false,
+  # the output plugin sends all events to only one host (determined at random)
+  # and will switch to another host if the currently selected one becomes
+  # unreachable. The default value is true.
+  #loadbalance: true
+
+  # The Redis connection timeout in seconds. The default is 5 seconds.
+  #timeout: 5s
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, the events are typically dropped.
+  # Some Beats, such as Filebeat, ignore the max_retries setting and retry until
+  # all events are published. Set max_retries to a value less than 0 to retry
+  # until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The number of seconds to wait before trying to reconnect to Redis
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Redis after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum number of events to bulk in a single Redis request or pipeline.
+  # The default is 2048.
+  #bulk_max_size: 2048
+
+  # The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The
+  # value must be a URL with a scheme of socks5://.
+  #proxy_url:
+
+  # This option determines whether Redis hostnames are resolved locally when
+  # using a proxy. The default value is false, which means that name resolution
+  # occurs on the proxy server.
+  #proxy_use_local_resolver: false
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+# -------------------------------- File Output ---------------------------------
+#output.file:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # Path to the directory where to save the generated files. The option is
+  # mandatory.
+  #path: "/tmp/packetbeat"
+
+  # Name of the generated files. The default is `packetbeat` and it generates
+  # files: `packetbeat-{datetime}.ndjson`, `packetbeat-{datetime}-1.ndjson`, etc.
+  #filename: packetbeat
+
+  # Maximum size in kilobytes of each file. When this size is reached, and on
+  # every Packetbeat restart, the files are rotated. The default value is 10240
+  # kB.
+  #rotate_every_kb: 10000
+
+  # Maximum number of files under path. When this number of files is reached,
+  # the oldest file is deleted and the rest are shifted from last to first. The
+  # default is 7 files.
+  #number_of_files: 7
+
+  # Permissions to use for file creation. The default is 0600.
+  #permissions: 0600
+
+  # Configure automatic file rotation on every startup. The default is true.
+  #rotate_on_startup: true
+
+# ------------------------------- Console Output -------------------------------
+#output.console:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+# =================================== Paths ====================================
+
+# The home path for the Packetbeat installation. This is the default base path
+# for all other path settings and for miscellaneous files that come with the
+# distribution (for example, the sample dashboards).
+# If not set by a CLI flag or in the configuration file, the default for the
+# home path is the location of the binary.
+#path.home:
+
+# The configuration path for the Packetbeat installation. This is the default
+# base path for configuration files, including the main YAML configuration file
+# and the Elasticsearch template file. If not set by a CLI flag or in the
+# configuration file, the default for the configuration path is the home path.
+#path.config: ${path.home}
+
+# The data path for the Packetbeat installation. This is the default base path
+# for all the files in which Packetbeat needs to store its data. If not set by a
+# CLI flag or in the configuration file, the default for the data path is a data
+# subdirectory inside the home path.
+#path.data: ${path.home}/data
+
+# The logs path for a Packetbeat installation. This is the default location for
+# the Beat's log files. If not set by a CLI flag or in the configuration file,
+# the default for the logs path is a logs subdirectory inside the home path.
+#path.logs: ${path.home}/logs
+
+# ================================== Keystore ==================================
+
+# Location of the Keystore containing the keys and their sensitive values.
+#keystore.path: "${path.config}/beats.keystore"
+
+# ================================= Dashboards =================================
+
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards are disabled by default and can be enabled either by setting the
+# options here or by using the `-setup` CLI flag or the `setup` command.
+#setup.dashboards.enabled: false
+
+# The directory from where to read the dashboards. The default is the `kibana`
+# folder in the home path.
+#setup.dashboards.directory: ${path.home}/kibana
+
+# The URL from where to download the dashboard archive. It is used instead of
+# the directory if it has a value.
+#setup.dashboards.url:
+
+# The file archive (zip file) from where to read the dashboards. It is used instead
+# of the directory when it has a value.
+#setup.dashboards.file:
+
+# In case the archive contains the dashboards from multiple Beats, this lets you
+# select which one to load. You can load all the dashboards in the archive by
+# setting this to the empty string.
+#setup.dashboards.beat: packetbeat
+
+# The name of the Kibana index to use for setting the configuration. Default is ".kibana"
+#setup.dashboards.kibana_index: .kibana
+
+# The Elasticsearch index name. This overwrites the index name defined in the
+# dashboards and index pattern. Example: testbeat-*
+#setup.dashboards.index:
+
+# Always use the Kibana API for loading the dashboards instead of autodetecting
+# how to install the dashboards by first querying Elasticsearch.
+#setup.dashboards.always_kibana: false
+
+# If true and Kibana is not reachable at the time when dashboards are loaded,
+# it will retry to reconnect to Kibana instead of exiting with an error.
+#setup.dashboards.retry.enabled: false
+
+# Duration interval between Kibana connection retries.
+#setup.dashboards.retry.interval: 1s
+
+# Maximum number of retries before exiting with an error, 0 for unlimited retrying.
+#setup.dashboards.retry.maximum: 0
+
+# ================================== Template ==================================
+
+# A template is used to set the mapping in Elasticsearch
+# By default template loading is enabled and the template is loaded.
+# These settings can be adjusted to load your own template or overwrite existing ones.
+
+# Set to false to disable template loading.
+#setup.template.enabled: true
+
+# Template name. By default the template name is "packetbeat-%{[agent.version]}"
+# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
+#setup.template.name: "packetbeat-%{[agent.version]}"
+
+# Template pattern. By default the template pattern is "packetbeat-%{[agent.version]}" to apply to the default index settings.
+# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
+#setup.template.pattern: "packetbeat-%{[agent.version]}"
+
+# Path to fields.yml file to generate the template
+#setup.template.fields: "${path.config}/fields.yml"
+
+# A list of fields to be added to the template and Kibana index pattern. Also
+# specify setup.template.overwrite: true to overwrite the existing template.
+#setup.template.append_fields:
+#- name: field_name
+#  type: field_type
+
+# Enable JSON template loading. If this is enabled, the fields.yml is ignored.
+#setup.template.json.enabled: false
+
+# Path to the JSON template file
+#setup.template.json.path: "${path.config}/template.json"
+
+# Name under which the template is stored in Elasticsearch
+#setup.template.json.name: ""
+
+# Set this option if the JSON template is a data stream.
+#setup.template.json.data_stream: false
+
+# Overwrite existing template
+# Do not enable this option for more than one instance of packetbeat as it might
+# overload your Elasticsearch with too many update requests.
+#setup.template.overwrite: false
+
+# Elasticsearch template settings
+setup.template.settings:
+
+  # A dictionary of settings to place into the settings.index dictionary
+  # of the Elasticsearch template. For more details, please check
+  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html
+  #index:
+    #number_of_shards: 1
+    #codec: best_compression
+
+  # A dictionary of settings for the _source field. For more details, please check
+  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html
+  #_source:
+    #enabled: false
+
+# ====================== Index Lifecycle Management (ILM) ======================
+
+# Configure index lifecycle management (ILM) to manage the backing indices
+# of your data streams.
+
+# Enable ILM support. Valid values are true, or false.
+#setup.ilm.enabled: true
+
+# Set the lifecycle policy name. The default policy name is
+# 'beatname'.
+#setup.ilm.policy_name: "mypolicy"
+
+# The path to a JSON file that contains a lifecycle policy configuration. Used
+# to load your own lifecycle policy.
+#setup.ilm.policy_file:
+
+# Disable the check for an existing lifecycle policy. The default is true.
+# If you set this option to false, lifecycle policy will not be installed,
+# even if setup.ilm.overwrite is set to true.
+#setup.ilm.check_exists: true
+
+# Overwrite the lifecycle policy at startup. The default is false.
+#setup.ilm.overwrite: false
+
+# ======================== Data Stream Lifecycle (DSL) =========================
+
+# Configure Data Stream Lifecycle to manage data streams while connected to Serverless elasticsearch.
+# These settings are mutually exclusive with ILM settings which are not supported in Serverless projects.
+
+# Enable DSL support. Valid values are true, or false.
+#setup.dsl.enabled: true
+
+# Set the lifecycle policy name or pattern. For DSL, this name must match the data stream that the lifecycle is for.
+# The default data stream pattern is packetbeat-%{[agent.version]}"
+# The template string `%{[agent.version]}` will resolve to the current stack version.
+# The other possible template value is `%{[beat.name]}`.
+#setup.dsl.data_stream_pattern: "packetbeat-%{[agent.version]}"
+
+# The path to a JSON file that contains a lifecycle policy configuration. Used
+# to load your own lifecycle policy.
+# If no custom policy is specified, a default policy with a lifetime of 7 days will be created.
+#setup.dsl.policy_file:
+
+# Disable the check for an existing lifecycle policy. The default is true. If
+# you disable this check, set setup.dsl.overwrite: true so the lifecycle policy
+# can be installed.
+#setup.dsl.check_exists: true
+
+# Overwrite the lifecycle policy at startup. The default is false.
+#setup.dsl.overwrite: false
+
+# =================================== Kibana ===================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+  # Kibana Host
+  # Scheme and port can be left out and will be set to the default (http and 5601)
+  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+  #host: "localhost:5601"
+
+  # Optional protocol and basic auth credentials.
+  #protocol: "https"
+  #username: "elastic"
+  #password: "changeme"
+
+  # Optional HTTP path
+  #path: ""
+
+  # Optional Kibana space ID.
+  #space.id: ""
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+# ================================== Logging ===================================
+
+# There are four options for the log output: file, stderr, syslog, eventlog
+# The file output is the default.
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: info
+
+# Enable debug output for selected components. To enable all selectors use ["*"]
+# Other available selectors are "beat", "publisher", "service"
+# Multiple selectors can be chained.
+#logging.selectors: [ ]
+
+# Send all logging output to stderr. The default is false.
+#logging.to_stderr: false
+
+# Send all logging output to syslog. The default is false.
+#logging.to_syslog: false
+
+# Send all logging output to Windows Event Logs. The default is false.
+#logging.to_eventlog: false
+
+# If enabled, Packetbeat periodically logs its internal metrics that have changed
+# in the last period. For each metric that changed, the delta from the value at
+# the beginning of the period is logged. Also, the total values for
+# all non-zero internal metrics are logged on shutdown. The default is true.
+#logging.metrics.enabled: true
+
+# The period after which to log the internal metrics. The default is 30s.
+#logging.metrics.period: 30s
+
+# A list of metrics namespaces to report in the logs. Defaults to [stats].
+# `stats` contains general Beat metrics. `dataset` may be present in some
+# Beats and contains module or input metrics.
+#logging.metrics.namespaces: [stats]
+
+# Logging to rotating files. Set logging.to_files to false to disable logging to
+# files.
+logging.to_files: true
+logging.files:
+  # Configure the path where the logs are written. The default is the logs directory
+  # under the home path (the binary location).
+  #path: /var/log/packetbeat
+
+  # The name of the files where the logs are written to.
+  #name: packetbeat
+
+  # Configure log file size limit. If the limit is reached, log file will be
+  # automatically rotated.
+  #rotateeverybytes: 10485760 # = 10MB
+
+  # Number of rotated log files to keep. The oldest files will be deleted first.
+  #keepfiles: 7
+
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
+
+  # Enable log file rotation on time intervals in addition to the size-based rotation.
+  # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
+  # are boundary-aligned with minutes, hours, days, weeks, months, and years as
+  # reported by the local system clock. All other intervals are calculated from the
+  # Unix epoch. Defaults to disabled.
+  #interval: 0
+
+  # Rotate existing logs on startup rather than appending them to the existing
+  # file. Defaults to true.
+  # rotateonstartup: true
+
+#=============================== Events Logging ===============================
+# Some outputs will log raw events on errors like indexing errors in the
+# Elasticsearch output, to prevent logging raw events (that may contain
+# sensitive information) together with other log messages, a different
+# log file, only for log entries containing raw events, is used. It will
+# use the same level, selectors and all other configurations from the
+# default logger, but it will have it's own file configuration.
+#
+# Having a different log file for raw events also prevents event data
+# from drowning out the regular log files.
+#
+# IMPORTANT: No matter the default logger output configuration, raw events
+# will **always** be logged to a file configured by `logging.event_data.files`.
+
+# logging.event_data:
+# Logging to rotating files. Set logging.to_files to false to disable logging to
+# files.
+#logging.event_data.to_files: true
+#logging.event_data:
+  # Configure the path where the logs are written. The default is the logs directory
+  # under the home path (the binary location).
+  #path: /var/log/packetbeat
+
+  # The name of the files where the logs are written to.
+  #name: packetbeat-events-data
+
+  # Configure log file size limit. If the limit is reached, log file will be
+  # automatically rotated.
+  #rotateeverybytes: 5242880 # = 5MB
+
+  # Number of rotated log files to keep. The oldest files will be deleted first.
+  #keepfiles: 2
+
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
+
+  # Enable log file rotation on time intervals in addition to the size-based rotation.
+  # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
+  # are boundary-aligned with minutes, hours, days, weeks, months, and years as
+  # reported by the local system clock. All other intervals are calculated from the
+  # Unix epoch. Defaults to disabled.
+  #interval: 0
+
+  # Rotate existing logs on startup rather than appending them to the existing
+  # file. Defaults to false.
+  # rotateonstartup: false
+
+# ============================= X-Pack Monitoring ==============================
+# Packetbeat can export internal metrics to a central Elasticsearch monitoring
+# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#monitoring.enabled: false
+
+# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
+# Packetbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
+# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
+#monitoring.cluster_uuid:
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well.
+# Note that the settings should point to your Elasticsearch *monitoring* cluster.
+# Any setting that is not set is automatically inherited from the Elasticsearch
+# output configuration, so if you have the Elasticsearch output configured such
+# that it is pointing to your Elasticsearch monitoring cluster, you can simply
+# uncomment the following line.
+#monitoring.elasticsearch:
+
+  # Array of hosts to connect to.
+  # Scheme and port can be left out and will be set to the default (http and 9200)
+  # In case you specify an additional path, the scheme is required: http://localhost:9200/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+  #hosts: ["localhost:9200"]
+
+  # Set gzip compression level.
+  #compression_level: 0
+
+  # Protocol - either `http` (default) or `https`.
+  #protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
+  #username: "beats_system"
+  #password: "changeme"
+
+  # Dictionary of HTTP parameters to pass within the URL with index operations.
+  #parameters:
+    #param1: value1
+    #param2: value2
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Proxy server url
+  #proxy_url: http://proxy:3128
+
+  # The number of times a particular Elasticsearch index operation is attempted. If
+  # the indexing operation doesn't succeed after this many retries, the events are
+  # dropped. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+  # The default is 50.
+  #bulk_max_size: 50
+
+  # The number of seconds to wait before trying to reconnect to Elasticsearch
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Elasticsearch after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # Configure HTTP request timeout before failing a request to Elasticsearch.
+  #timeout: 90
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/elastic.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+  #metrics.period: 10s
+  #state.period: 1m
+
+# The `monitoring.cloud.id` setting overwrites the `monitoring.elasticsearch.hosts`
+# setting. You can find the value for this setting in the Elastic Cloud web UI.
+#monitoring.cloud.id:
+
+# The `monitoring.cloud.auth` setting overwrites the `monitoring.elasticsearch.username`
+# and `monitoring.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#monitoring.cloud.auth:
+
+# =============================== HTTP Endpoint ================================
+
+# Each beat can expose internal metrics through an HTTP endpoint. For security
+# reasons the endpoint is disabled by default. This feature is currently experimental.
+# Stats can be accessed through http://localhost:5066/stats. For pretty JSON output
+# append ?pretty to the URL.
+
+# Defines if the HTTP endpoint is enabled.
+#http.enabled: false
+
+# The HTTP endpoint will bind to this hostname, IP address, unix socket, or named pipe.
+# When using IP addresses, it is recommended to only use localhost.
+#http.host: localhost
+
+# Port on which the HTTP endpoint will bind. Default is 5066.
+#http.port: 5066
+
+# Define which user should be owning the named pipe.
+#http.named_pipe.user:
+
+# Define which permissions should be applied to the named pipe, use the Security
+# Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with
+# `http.user`.
+#http.named_pipe.security_descriptor:
+
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
+# Controls the fraction of goroutine blocking events that are reported in the
+# blocking profile.
+#http.pprof.block_profile_rate: 0
+
+# Controls the fraction of memory allocations that are recorded and reported in
+# the memory profile.
+#http.pprof.mem_profile_rate: 524288
+
+# Controls the fraction of mutex contention events that are reported in the
+# mutex profile.
+#http.pprof.mutex_profile_rate: 0
+
+# ============================== Process Security ==============================
+
+# Enable or disable seccomp system call filtering on Linux. Default is enabled.
+#seccomp.enabled: true
+
+# ============================== Instrumentation ===============================
+
+# Instrumentation support for the packetbeat.
+#instrumentation:
+    # Set to true to enable instrumentation of packetbeat.
+    #enabled: false
+
+    # Environment in which packetbeat is running on (eg: staging, production, etc.)
+    #environment: ""
+
+    # APM Server hosts to report instrumentation results to.
+    #hosts:
+    #  - http://localhost:8200
+
+    # API Key for the APM Server(s).
+    # If api_key is set then secret_token will be ignored.
+    #api_key:
+
+    # Secret token for the APM Server(s).
+    #secret_token:
+
+    # Enable profiling of the server, recording profile samples as events.
+    #
+    # This feature is experimental.
+    #profiling:
+        #cpu:
+            # Set to true to enable CPU profiling.
+            #enabled: false
+            #interval: 60s
+            #duration: 10s
+        #heap:
+            # Set to true to enable heap profiling.
+            #enabled: false
+            #interval: 60s
+
+# ================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: false
+
+# =============================== Feature Flags ================================
+
+# Enable and configure feature flags.
+#features:
+#  fqdn:
+#    enabled: true
+```
+
diff --git a/docs/reference/packetbeat/packetbeat-starting.md b/docs/reference/packetbeat/packetbeat-starting.md
new file mode 100644
index 000000000000..dd8089d2ad31
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-starting.md
@@ -0,0 +1,70 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-starting.html
+---
+
+# Start Packetbeat [packetbeat-starting]
+
+Before starting Packetbeat:
+
+* Follow the steps in [Quick start: installation and configuration](/reference/packetbeat/packetbeat-installation-configuration.md) to install, configure, and set up the Packetbeat environment.
+* Make sure {{kib}} and {{es}} are running.
+* Make sure the user specified in `packetbeat.yml` is [authorized to publish events](/reference/packetbeat/privileges-to-publish-events.md).
+
+To start Packetbeat, run:
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+sudo service packetbeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Packetbeat, you can’t specify command line flags (see [Command reference](/reference/packetbeat/command-line-options.md)). To specify flags, start Packetbeat in the foreground.
+::::
+
+
+Also see [Packetbeat and systemd](/reference/packetbeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} RPM
+```sh
+sudo service packetbeat start
+```
+
+::::{note}
+If you use an `init.d` script to start Packetbeat, you can’t specify command line flags (see [Command reference](/reference/packetbeat/command-line-options.md)). To specify flags, start Packetbeat in the foreground.
+::::
+
+
+Also see [Packetbeat and systemd](/reference/packetbeat/running-with-systemd.md).
+::::::
+
+::::::{tab-item} MacOS
+```sh
+sudo chown root packetbeat.yml <1>
+sudo ./packetbeat -e
+```
+
+1. You’ll be running Packetbeat as root, so you need to change ownership of the configuration file, or run Packetbeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Linux
+```sh
+sudo chown root packetbeat.yml <1>
+sudo ./packetbeat -e
+```
+
+1. You’ll be running Packetbeat as root, so you need to change ownership of the configuration file, or run Packetbeat with `--strict.perms=false` specified. See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md).
+::::::
+
+::::::{tab-item} Windows
+```sh
+PS C:\Program Files\packetbeat> Start-Service packetbeat
+```
+
+By default, Windows log files are stored in `C:\ProgramData\packetbeat\Logs`.
+::::::
+
+:::::::
diff --git a/docs/reference/packetbeat/packetbeat-template.md b/docs/reference/packetbeat/packetbeat-template.md
new file mode 100644
index 000000000000..b199e716b0bf
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat-template.md
@@ -0,0 +1,233 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-template.html
+---
+
+# Load the Elasticsearch index template [packetbeat-template]
+
+{{es}} uses [index templates](docs-content://manage-data/data-store/templates.md) to define:
+
+* Settings that control the behavior of your data stream and backing indices. The settings include the lifecycle policy used to manage backing indices as they grow and age.
+* Mappings that determine how fields are analyzed. Each mapping sets the [{{es}} datatype](elasticsearch://reference/elasticsearch/mapping-reference/field-data-types.md) to use for a specific data field.
+
+The recommended index template file for Packetbeat is installed by the Packetbeat packages. If you accept the default configuration in the `packetbeat.yml` config file, Packetbeat loads the template automatically after successfully connecting to {{es}}. If the template already exists, it’s not overwritten unless you configure Packetbeat to do so.
+
+::::{note}
+A connection to {{es}} is required to load the index template. If the output is not {{es}} (or {{ess}}), you must [load the template manually](#load-template-manually).
+::::
+
+
+This page shows how to change the default template loading behavior to:
+
+* [Load your own index template](#load-custom-template)
+* [Overwrite an existing index template](#overwrite-template)
+* [Disable automatic index template loading](#disable-template-loading)
+* [Load the index template manually](#load-template-manually)
+
+For a full list of template setup options, see [Elasticsearch index template](/reference/packetbeat/configuration-template.md).
+
+
+## Load your own index template [load-custom-template]
+
+To load your own index template, set the following options:
+
+```yaml
+setup.template.name: "your_template_name"
+setup.template.fields: "path/to/fields.yml"
+```
+
+If the template already exists, it’s not overwritten unless you configure Packetbeat to do so.
+
+You can load templates for both data streams and indices.
+
+
+## Overwrite an existing index template [overwrite-template]
+
+::::{warning}
+Do not enable this option for more than one instance of Packetbeat. If you start multiple instances at the same time, it can overload your {{es}} with too many template update requests.
+::::
+
+
+To overwrite a template that’s already loaded into {{es}}, set:
+
+```yaml
+setup.template.overwrite: true
+```
+
+
+## Disable automatic index template loading [disable-template-loading]
+
+You may want to disable automatic template loading if you’re using an output other than {{es}} and need to load the template manually. To disable automatic template loading, set:
+
+```yaml
+setup.template.enabled: false
+```
+
+If you disable automatic template loading, you must load the index template manually.
+
+
+## Load the index template manually [load-template-manually]
+
+To load the index template manually, run the [`setup`](/reference/packetbeat/command-line-options.md#setup-command) command. A connection to {{es}} is required.  If another output is enabled, you need to temporarily disable that output and enable {{es}} by using the `-E` option. The examples here assume that Logstash output is enabled. You can omit the `-E` flags if {{es}} output is already enabled.
+
+If you are connecting to a secured {{es}} cluster, make sure you’ve configured credentials as described in the [Quick start: installation and configuration](/reference/packetbeat/packetbeat-installation-configuration.md).
+
+If the host running Packetbeat does not have direct connectivity to {{es}}, see [Load the index template manually (alternate method)](#load-template-manually-alternate).
+
+To load the template, use the appropriate command for your system.
+
+::::{note}
+Use `sudo` to run these commands if the config file is owned by root.
+::::
+
+
+**deb and rpm:**
+
+```sh
+packetbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**mac:**
+
+```sh
+./packetbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**linux:**
+
+```sh
+./packetbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**docker:**
+
+```sh
+docker run --rm docker.elastic.co/beats/packetbeat:9.0.0-beta1 setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+**win:**
+
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Packetbeat, and run:
+
+```sh
+PS > .\packetbeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+
+### Force Kibana to look at newest documents [force-kibana-new]
+
+If you’ve already used Packetbeat to index data into {{es}}, the index may contain old documents. After you load the index template, you can delete the old documents from `packetbeat-*` to force Kibana to look at the newest documents.
+
+Use this command:
+
+**deb and rpm:**
+
+```sh
+curl -XDELETE 'http://localhost:9200/packetbeat-*'
+```
+
+**mac:**
+
+```sh
+curl -XDELETE 'http://localhost:9200/packetbeat-*'
+```
+
+**linux:**
+
+```sh
+curl -XDELETE 'http://localhost:9200/packetbeat-*'
+```
+
+**win:**
+
+```sh
+PS > Invoke-RestMethod -Method Delete "http://localhost:9200/packetbeat-*"
+```
+
+This command deletes all indices that match the pattern `packetbeat`. Before running this command, make sure you want to delete all indices that match the pattern.
+
+
+## Load the index template manually (alternate method) [load-template-manually-alternate]
+
+If the host running Packetbeat does not have direct connectivity to {{es}}, you can export the index template to a file, move it to a machine that does have connectivity, and then install the template manually.
+
+To export the index template, run:
+
+**deb and rpm:**
+
+```sh
+packetbeat export template > packetbeat.template.json
+```
+
+**mac:**
+
+```sh
+./packetbeat export template > packetbeat.template.json
+```
+
+**linux:**
+
+```sh
+./packetbeat export template > packetbeat.template.json
+```
+
+**win:**
+
+```sh
+PS > .\packetbeat.exe export template --es.version 9.0.0-beta1 | Out-File -Encoding UTF8 packetbeat.template.json
+```
+
+To install the template, run:
+
+**deb and rpm:**
+
+```sh
+curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/packetbeat-9.0.0-beta1 -d@packetbeat.template.json
+```
+
+**mac:**
+
+```sh
+curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/packetbeat-9.0.0-beta1 -d@packetbeat.template.json
+```
+
+**linux:**
+
+```sh
+curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/packetbeat-9.0.0-beta1 -d@packetbeat.template.json
+```
+
+**win:**
+
+```sh
+PS > Invoke-RestMethod -Method Put -ContentType "application/json" -InFile packetbeat.template.json -Uri http://localhost:9200/_index_template/packetbeat-9.0.0-beta1
+```
+
+Once you have loaded the index template, load the data stream as well. If you do not load it, you have to give the publisher user `manage` permission on packetbeat-9.0.0-beta1 index.
+
+**deb and rpm:**
+
+```sh
+curl -XPUT http://localhost:9200/_data_stream/packetbeat-9.0.0-beta1
+```
+
+**mac:**
+
+```sh
+curl -XPUT http://localhost:9200/_data_stream/packetbeat-9.0.0-beta1
+```
+
+**linux:**
+
+```sh
+curl -XPUT http://localhost:9200/_data_stream/packetbeat-9.0.0-beta1
+```
+
+**win:**
+
+```sh
+PS > Invoke-RestMethod -Method Put -Uri http://localhost:9200/_data_stream/packetbeat-9.0.0-beta1
+```
+
diff --git a/docs/reference/packetbeat/packetbeat.md b/docs/reference/packetbeat/packetbeat.md
new file mode 100644
index 000000000000..199c9af2e525
--- /dev/null
+++ b/docs/reference/packetbeat/packetbeat.md
@@ -0,0 +1,8 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/index.html
+---
+
+# Packetbeat
+
+Just a placeholder for a top index page.
diff --git a/docs/reference/packetbeat/privileges-to-publish-events.md b/docs/reference/packetbeat/privileges-to-publish-events.md
new file mode 100644
index 000000000000..e9e773f46c77
--- /dev/null
+++ b/docs/reference/packetbeat/privileges-to-publish-events.md
@@ -0,0 +1,37 @@
+---
+navigation_title: "Create a _publishing_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/privileges-to-publish-events.html
+---
+
+# Grant privileges and roles needed for publishing [privileges-to-publish-events]
+
+
+Users who publish events to {{es}} need to create and write to Packetbeat indices. To minimize the privileges required by the writer role, use the [setup role](/reference/packetbeat/privileges-to-setup-beats.md) to pre-load dependencies. This section assumes that you’ve run the setup.
+
+When using ILM, turn off the ILM setup check in the Packetbeat config file before running Packetbeat to publish events:
+
+```yaml
+setup.ilm.check_exists: false
+```
+
+To grant the required privileges:
+
+1. Create a **writer role**, called something like `packetbeat_writer`, that has the following privileges:
+
+    ::::{note}
+    The `monitor` cluster privilege and the `create_doc` and `auto_configure` privileges on `packetbeat-*` indices are required in every configuration.
+    ::::
+
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+    | Cluster | `read_ilm` | Read the ILM policy when connecting to clusters that support ILM.Not needed when `setup.ilm.check_exists` is `false`. |
+    | Index | `create_doc` on `packetbeat-*` indices | Write events into {{es}} |
+    | Index | `auto_configure` on `packetbeat-*` indices | Update the datastream mapping. Consider either disabling entirely or adding therule `-{{beat_default_index_prefix}}-*` to the cluster settings[action.auto_create_index](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-create)to prevent unwanted indices creations from the agents. |
+
+    Omit any privileges that aren’t relevant in your environment.
+
+2. Assign the **writer role** to users who will index events into {{es}}.
+
diff --git a/docs/reference/packetbeat/privileges-to-publish-monitoring.md b/docs/reference/packetbeat/privileges-to-publish-monitoring.md
new file mode 100644
index 000000000000..f0300f2122dc
--- /dev/null
+++ b/docs/reference/packetbeat/privileges-to-publish-monitoring.md
@@ -0,0 +1,61 @@
+---
+navigation_title: "Create a _monitoring_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/privileges-to-publish-monitoring.html
+---
+
+# Grant privileges and roles needed for monitoring [privileges-to-publish-monitoring]
+
+
+{{es-security-features}} provides built-in users and roles for monitoring. The privileges and roles needed depend on the method used to collect monitoring data.
+
+::::{admonition} Important note for {{ecloud}} users
+:class: important
+
+Built-in users are not available when running our [hosted {{ess}}](https://www.elastic.co/cloud/elasticsearch-service) on {{ecloud}}. To send monitoring data securely, create a monitoring user and grant it the roles described in the following sections.
+
+::::
+
+
+* If you’re using [internal collection](/reference/packetbeat/monitoring-internal-collection.md) to collect metrics about Packetbeat, {{es-security-features}} provides the `beats_system` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md) and `beats_system` [built-in role](elasticsearch://reference/elasticsearch/roles.md) to send monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to send monitoring information.
+
+    If you use the `beats_system` user, make sure you set the password.
+
+    If you don’t use the `beats_system` user:
+
+    1. Create a **monitoring role**, called something like `packetbeat_monitoring`, that has the following privileges:
+
+        | Type | Privilege | Purpose |
+        | --- | --- | --- |
+        | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+        | Index | `create_index` on `.monitoring-beats-*` indices | Create monitoring indices in {{es}} |
+        | Index | `create_doc` on `.monitoring-beats-*` indices | Write monitoring events into {{es}} |
+
+    2. Assign the **monitoring role**, along with the following built-in roles, to users who need to monitor Packetbeat:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `kibana_admin` | Use {{kib}} |
+        | `monitoring_user` | Use **Stack Monitoring** in {{kib}} to monitor Packetbeat |
+
+* If you’re [using {{metricbeat}}](/reference/packetbeat/monitoring-metricbeat-collection.md) to collect metrics about Packetbeat, {{es-security-features}} provides the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md), and the `remote_monitoring_collector` and `remote_monitoring_agent` [built-in roles](elasticsearch://reference/elasticsearch/roles.md) for collecting and sending monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to collect and send monitoring information.
+
+    If you use the `remote_monitoring_user` user, make sure you set the password.
+
+    If you don’t use the `remote_monitoring_user` user:
+
+    1. Create a user on the production cluster who will collect and send monitoring information.
+    2. Assign the following roles to the user:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `remote_monitoring_collector` | Collect monitoring metrics from Packetbeat |
+        | `remote_monitoring_agent` | Send monitoring data to the monitoring cluster |
+
+    3. Assign the following role to users who will view the monitoring data in {{kib}}:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `monitoring_user` | Use **Stack Monitoring** in {{kib}} to monitor Packetbeat |
+
+
diff --git a/docs/reference/packetbeat/privileges-to-setup-beats.md b/docs/reference/packetbeat/privileges-to-setup-beats.md
new file mode 100644
index 000000000000..336a92667f55
--- /dev/null
+++ b/docs/reference/packetbeat/privileges-to-setup-beats.md
@@ -0,0 +1,42 @@
+---
+navigation_title: "Create a _setup_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/privileges-to-setup-beats.html
+---
+
+# Grant privileges and roles needed for setup [privileges-to-setup-beats]
+
+
+::::{important}
+Setting up Packetbeat is an admin-level task that requires extra privileges. As a best practice, grant the setup role to administrators only, and use a more restrictive role for event publishing.
+::::
+
+
+Administrators who set up Packetbeat typically need to load mappings, dashboards, and other objects used to index data into {{es}} and visualize it in {{kib}}.
+
+To grant users the required privileges:
+
+1. Create a **setup role**, called something like `packetbeat_setup`, that has the following privileges:
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+    | Cluster | `manage_ilm` | Set up and manage index lifecycle management (ILM) policy |
+    | Index | `manage` on `packetbeat-*` indices | Load data stream |
+
+    Omit any privileges that aren’t relevant in your environment.
+
+    ::::{note}
+    These instructions assume that you are using the default name for Packetbeat indices. If `packetbeat-*` is not listed, or you are using a custom name, enter it manually and modify the privileges to match your index naming pattern.
+    ::::
+
+2. Assign the **setup role**, along with the following built-in roles, to users who need to set up Packetbeat:
+
+    | Role | Purpose |
+    | --- | --- |
+    | `kibana_admin` | Load dependencies, such as example dashboards, if available, into {{kib}} |
+    | `ingest_admin` | Set up index templates and, if available, ingest pipelines |
+
+    Omit any roles that aren’t relevant in your environment.
+
+
diff --git a/docs/reference/packetbeat/processor-dns.md b/docs/reference/packetbeat/processor-dns.md
new file mode 100644
index 000000000000..2d2111bda386
--- /dev/null
+++ b/docs/reference/packetbeat/processor-dns.md
@@ -0,0 +1,102 @@
+---
+navigation_title: "dns"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/processor-dns.html
+---
+
+# DNS Reverse Lookup [processor-dns]
+
+
+The `dns` processor performs DNS queries. It caches the responses that it receives in accordance to the time-to-live (TTL) value contained in the response. It also caches failures that occur during lookups. Each instance of this processor maintains its own independent cache.
+
+The processor uses its own DNS resolver to send requests to nameservers and does not use the operating system’s resolver. It does not read any values contained in `/etc/hosts`.
+
+This processor can significantly slow down your pipeline’s throughput if you have a high latency network or slow upstream nameserver. The cache will help with performance, but if the addresses being resolved have a high cardinality then the cache benefits will be diminished due to the high miss ratio.
+
+By way of example, if each DNS lookup takes 2 milliseconds, the maximum throughput you can achieve is 500 events per second (1000 milliseconds / 2 milliseconds). If you have a high cache hit ratio then your throughput can be higher.
+
+The processor can send the following query types:
+
+* `A` - IPv4 addresses
+* `AAAA` - IPv6 addresses
+* `TXT` - arbitrary human-readable text data
+* `PTR` - reverse IP address lookups
+
+The output value is a list of strings for all query types except `PTR`. For `PTR` queries the output value is a string.
+
+This is a minimal configuration example that resolves the IP addresses contained in two fields.
+
+```yaml
+processors:
+  - dns:
+      type: reverse
+      fields:
+        source.ip: source.domain
+        destination.ip: destination.domain
+```
+
+Next is a configuration example showing all options.
+
+```yaml
+processors:
+- dns:
+    type: reverse
+    action: append
+    transport: tls
+    fields:
+      server.ip: server.domain
+      client.ip: client.domain
+    success_cache:
+      capacity.initial: 1000
+      capacity.max: 10000
+      min_ttl: 1m
+    failure_cache:
+      capacity.initial: 1000
+      capacity.max: 10000
+      ttl: 1m
+    nameservers: ['192.0.2.1', '203.0.113.1']
+    timeout: 500ms
+    tag_on_failure: [_dns_reverse_lookup_failed]
+```
+
+The `dns` processor has the following configuration settings:
+
+`type`
+:   The type of DNS query to perform. The supported types are `A`, `AAAA`, `PTR` (or `reverse`), and `TXT`.
+
+`action`
+:   This defines the behavior of the processor when the target field already exists in the event. The options are `append` (default) and `replace`.
+
+`fields`
+:   This is a mapping of source field names to target field names. The value of the source field will be used in the DNS query and result will be written to the target field.
+
+`success_cache.capacity.initial`
+:   The initial number of items that the success cache will be allocated to hold. When initialized the processor will allocate the memory for this number of items. Default value is `1000`.
+
+`success_cache.capacity.max`
+:   The maximum number of items that the success cache can hold. When the maximum capacity is reached a random item is evicted. Default value is `10000`.
+
+`success_cache.min_ttl`
+:   The duration of the minimum alternative cache TTL for successful DNS responses. Ensures that `TTL=0` successful reverse DNS responses can be cached. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `1m`.
+
+`failure_cache.capacity.initial`
+:   The initial number of items that the failure cache will be allocated to hold. When initialized the processor will allocate the memory for this number of items. Default value is `1000`.
+
+`failure_cache.capacity.max`
+:   The maximum number of items that the failure cache can hold. When the maximum capacity is reached a random item is evicted. Default value is `10000`.
+
+`failure_cache.ttl`
+:   The duration for which failures are cached. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `1m`.
+
+`nameservers`
+:   A list of nameservers to query. If there are multiple servers, the resolver queries them in the order listed. If none are specified then it will read the nameservers listed in `/etc/resolv.conf` once at initialization. On Windows you must always supply at least one nameserver.
+
+`timeout`
+:   The duration after which a DNS query will timeout. This is timeout for each DNS request so if you have 2 nameservers then the total timeout will be 2 times this value. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `500ms`.
+
+`tag_on_failure`
+:   A list of tags to add to the event when any lookup fails. The tags are only added once even if multiple lookups fail. By default, no tags are added upon failure.
+
+`transport`
+:   The type of transport connection that should be used can either be `tls` (DNS over TLS) or `udp`. Defaults to `udp`.
+
diff --git a/docs/reference/packetbeat/processor-registered-domain.md b/docs/reference/packetbeat/processor-registered-domain.md
new file mode 100644
index 000000000000..1c295f197c24
--- /dev/null
+++ b/docs/reference/packetbeat/processor-registered-domain.md
@@ -0,0 +1,36 @@
+---
+navigation_title: "registered_domain"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/processor-registered-domain.html
+---
+
+# Registered Domain [processor-registered-domain]
+
+
+The `registered_domain` processor reads a field containing a hostname and then writes the "registered domain" contained in the hostname to the target field. For example, given `www.google.co.uk` the processor would output `google.co.uk`. In other words the "registered domain" is the effective top-level domain (`co.uk`) plus one level (`google`). Optionally, it can store the rest of the domain, the `subdomain` into another target field.
+
+This processor uses the Mozilla Public Suffix list to determine the value.
+
+```yaml
+processors:
+  - registered_domain:
+      field: dns.question.name
+      target_field: dns.question.registered_domain
+      target_etld_field: dns.question.top_level_domain
+      target_subdomain_field: dns.question.sudomain
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `registered_domain` processor has the following configuration settings:
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a fully qualified domain name (FQDN). |  |
+| `target_field` | yes |  | Target field for the registered domain value. |  |
+| `target_etld_field` | no |  | Target field for the effective top-level domain value. |  |
+| `target_subdomain_field` | no |  | Target subdomain field for the subdomain value. |  |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |  |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |  |
+| `id` | no |  | An identifier for this processor instance. Useful for debugging. |  |
+
diff --git a/docs/reference/packetbeat/processor-translate-guid.md b/docs/reference/packetbeat/processor-translate-guid.md
new file mode 100644
index 000000000000..c5da58d8f0b1
--- /dev/null
+++ b/docs/reference/packetbeat/processor-translate-guid.md
@@ -0,0 +1,79 @@
+---
+navigation_title: "translate_ldap_attribute"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/processor-translate-guid.html
+---
+
+# Translate GUID [processor-translate-guid]
+
+
+The `translate_ldap_attribute` processor translates an LDAP attributes between eachother. It is typically used to translate AD Global Unique Identifiers (GUID) into their common names.
+
+Every object on an Active Directory or an LDAP server is issued a GUID. Internal processes refer to their GUID’s rather than the object’s name and these values sometimes appear in logs.
+
+If the search attribute is invalid (malformed) or does not map to any object on the domain then this will result in the processor returning an error unless `ignore_failure` is set.
+
+The result of this operation is an array of values, given that a single attribute can hold multiple values.
+
+Note: the search attribute is expected to map to a single object. If it doesn’t, no error will be returned, but only results of the first entry will be added to the event.
+
+```yaml
+processors:
+  - translate_ldap_attribute:
+      field: winlog.event_data.ObjectGuid
+      ldap_address: "ldap://"
+      ldap_base_dn: "dc=example,dc=com"
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `translate_ldap_attribute` processor has the following configuration settings:
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a GUID. |
+| `target_field` | no |  | Target field for the mapped attribute value. If not set it will be replaced in place. |
+| `ldap_address` | yes |  | LDAP server address. eg: `ldap://ds.example.com:389` |
+| `ldap_base_dn` | yes |  | LDAP base DN. eg: `dc=example,dc=com` |
+| `ldap_bind_user` | no |  | LDAP user. |
+| `ldap_bind_password` | no |  | LDAP password. |
+| `ldap_search_attribute` | yes | `objectGUID` | LDAP attribute to search by. |
+| `ldap_mapped_attribute` | yes | `cn` | LDAP attribute to map to. |
+| `ldap_search_time_limit` | no | 30 | LDAP search time limit in seconds. |
+| `ldap_ssl`* | no | 30 | LDAP TLS/SSL connection settings. |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |
+
+* Also see [SSL](/reference/packetbeat/configuration-ssl.md) for a full description of the `ldap_ssl` options.
+
+If the searches are slow or you expect a high amount of different key attributes to be found, consider using a cache processor to speed processing:
+
+```yaml
+processors:
+  - cache:
+      backend:
+        memory:
+          id: ldapguids
+      get:
+        key_field: winlog.event_data.ObjectGuid
+        target_field: winlog.common_name
+      ignore_missing: true
+  - if:
+      not:
+        - has_fields: winlog.common_name
+    then:
+      - translate_ldap_attribute:
+          field: winlog.event_data.ObjectGuid
+          target_field: winlog.common_name
+          ldap_address: "ldap://"
+          ldap_base_dn: "dc=example,dc=com"
+      - cache:
+          backend:
+            memory:
+              id: ldapguids
+            capacity: 10000
+          put:
+            key_field: winlog.event_data.ObjectGuid
+            value_field: winlog.common_name
+```
+
diff --git a/docs/reference/packetbeat/processor-translate-sid.md b/docs/reference/packetbeat/processor-translate-sid.md
new file mode 100644
index 000000000000..215963e081c9
--- /dev/null
+++ b/docs/reference/packetbeat/processor-translate-sid.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "translate_sid"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/processor-translate-sid.html
+---
+
+# Translate SID [processor-translate-sid]
+
+
+The `translate_sid` processor translates a Windows security identifier (SID) into an account name. It retrieves the name of the account associated with the SID, the first domain on which the SID is found, and the type of account. This is only available on Windows.
+
+Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account’s SID rather than the account’s user or group name and these values sometimes appear in logs.
+
+If the SID is invalid (malformed) or does not map to any account on the local system or domain then this will result in the processor returning an error unless `ignore_failure` is set.
+
+```yaml
+processors:
+  - translate_sid:
+      field: winlog.event_data.MemberSid
+      account_name_target: user.name
+      domain_target: user.domain
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `translate_sid` processor has the following configuration settings:
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a Windows security identifier (SID). |
+| `account_name_target` | yes* |  | Target field for the account name value. |
+| `account_type_target` | yes* |  | Target field for the account type value. |
+| `domain_target` | yes* |  | Target field for the domain value. |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |
+
+* At least one of `account_name_target`, `account_type_target`, and `domain_target` is required to be configured.
+
diff --git a/docs/reference/packetbeat/protocol-metrics-packetbeat.md b/docs/reference/packetbeat/protocol-metrics-packetbeat.md
new file mode 100644
index 000000000000..65a8f0e007f4
--- /dev/null
+++ b/docs/reference/packetbeat/protocol-metrics-packetbeat.md
@@ -0,0 +1,55 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/protocol-metrics-packetbeat.html
+---
+
+# Protocol-Specific Metrics [protocol-metrics-packetbeat]
+
+Packetbeat exposes per-protocol metrics under the [HTTP monitoring endpoint](/reference/packetbeat/http-endpoint.md). These metrics are exposed under the `/inputs/` path. They can be used to observe the activity of Packetbeat for the monitored protocol.
+
+
+## AF_PACKET Metrics [_af_packet_metrics]
+
+| Metric | Description |
+| --- | --- |
+| `device` | Name of the device being monitored. |
+| `socket_packets` | Number of packets delivered by the kernel to the shared buffer. |
+| `socket_drops` | Number of packets dropped by the kernel on the socket. |
+| `socket_queue_freezes` | Number of kernel queue freezes on the socket. |
+| `packets` | Number of packets handled by Packetbeat. |
+| `polls` | Number of blocking syscalls made waiting for packets. |
+
+
+## TCP Metrics [_tcp_metrics]
+
+| Metric | Description |
+| --- | --- |
+| `device` | Name of the device being monitored. |
+| `received_events_total` | Number of packets processed. |
+| `received_bytes_total` | Number of bytes processed. |
+| `tcp_overlaps` | Number of packets shrunk due to overlap. |
+| `tcp.dropped_because_of_gaps` | Number of packets dropped because of gaps. |
+| `arrival_period` | Histogram of the elapsed time between packet arrivals. |
+| `processing_time` | Histogram of the elapsed time between packet receipt and publication. |
+| `fin_flags_total` | Number of TCP FIN (finish) flags observed. |
+| `syn_flags_total` | Number of TCP SYN (synchronization) flags observed. |
+| `rst_flags_total` | Number of TCP RST (reset) flags observed. |
+| `psh_flags_total` | Number of TCP PSH (push) flags observed. |
+| `ack_flags_total` | Number of TCP ACK (acknowledgement) flags observed. |
+| `urg_flags_total` | Number of TCP URG (urgent) flags observed. |
+| `ece_flags_total` | Number of TCP ECE (ECN echo) flags observed. |
+| `cwr_flags_total` | Number of TCP CWR (congestion window reduced) flags observed. |
+| `ns_flags_total` | Number of TCP NS (nonce sum) flags observed. |
+| `received_headers_total` | Number of headers observed, including unprocessed packets. |
+
+
+## UDP Metrics [_udp_metrics]
+
+| Metric | Description |
+| --- | --- |
+| `device` | Name of the device being monitored. |
+| `received_events_total` | Number of packets processed. |
+| `received_bytes_total` | Number of bytes processed. |
+| `arrival_period` | Histogram of the elapsed time between packet arrivals. |
+| `processing_time` | Histogram of the elapsed time between packet receipt and publication. |
+
diff --git a/docs/reference/packetbeat/publishing-ls-fails-connection-reset-by-peer.md b/docs/reference/packetbeat/publishing-ls-fails-connection-reset-by-peer.md
new file mode 100644
index 000000000000..eb1edcee75a6
--- /dev/null
+++ b/docs/reference/packetbeat/publishing-ls-fails-connection-reset-by-peer.md
@@ -0,0 +1,18 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/publishing-ls-fails-connection-reset-by-peer.html
+---
+
+# Publishing to Logstash fails with "connection reset by peer" message [publishing-ls-fails-connection-reset-by-peer]
+
+Packetbeat requires a persistent TCP connection to {{ls}}. If a firewall interferes with the connection, you might see errors like this:
+
+```shell
+Failed to publish events caused by: write tcp ... write: connection reset by peer
+```
+
+To solve the problem:
+
+* make sure the firewall is not closing connections between Packetbeat and {{ls}}, or
+* set the `ttl` value in the [{{ls}} output](/reference/packetbeat/logstash-output.md) to a value that’s lower than the maximum time allowed by the firewall, and set `pipelining` to 0 (pipelining cannot be enabled when `ttl` is used).
+
diff --git a/docs/reference/packetbeat/rate-limit.md b/docs/reference/packetbeat/rate-limit.md
new file mode 100644
index 000000000000..e0e8b2413706
--- /dev/null
+++ b/docs/reference/packetbeat/rate-limit.md
@@ -0,0 +1,43 @@
+---
+navigation_title: "rate_limit"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/rate-limit.html
+---
+
+# Rate limit the flow of events [rate-limit]
+
+
+The `rate_limit` processor limits the throughput of events based on the specified configuration.
+
+In the current implementation, rate-limited events are dropped. Future implementations may allow rate-limited events to be handled differently.
+
+```yaml
+processors:
+- rate_limit:
+   limit: "10000/m"
+```
+
+```yaml
+processors:
+- rate_limit:
+   fields:
+   - "cloudfoundry.org.name"
+   limit: "400/s"
+```
+
+```yaml
+processors:
+- if.equals.cloudfoundry.org.name: "acme"
+  then:
+  - rate_limit:
+      limit: "500/s"
+```
+
+The following settings are supported:
+
+`limit`
+:   The rate limit. Supported time units for the rate are `s` (per second), `m` (per minute), and `h` (per hour).
+
+`fields`
+:   (Optional) List of fields. The rate limit will be applied to each distinct value derived by combining the values of these fields.
+
diff --git a/docs/reference/packetbeat/recording-trace.md b/docs/reference/packetbeat/recording-trace.md
new file mode 100644
index 000000000000..c379231857fd
--- /dev/null
+++ b/docs/reference/packetbeat/recording-trace.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/recording-trace.html
+---
+
+# Record a trace [recording-trace]
+
+If you are having an issue, it’s often useful to record a full network trace and send it to us. It will help us reproduce the issue, and we can also add it to our automatic regression tests so that the problem never reoccurs. A trace of 10-20 seconds is usually enough. To record the trace, you can use the following Packetbeat command:
+
+```shell
+packetbeat -e --dump trace.pcap
+```
+
+This command executes Packetbeat in normal mode (all processing happens as usual), but at the same time, it records all packets in libpcap format in the `trace.pcap` file. If there’s a particular error message you want us to investigate, please keep the trace running until the error shows up (it will printed on standard error).
+
+::::{warning}
+PCAP files can be large. Please monitor the disk usage while doing the dump to make sure you don’t run out of disk space. Whenever possible, we recommend recording the trace on a non-production machine.
+::::
+
+
diff --git a/docs/reference/packetbeat/redis-output.md b/docs/reference/packetbeat/redis-output.md
new file mode 100644
index 000000000000..223ab8d5634e
--- /dev/null
+++ b/docs/reference/packetbeat/redis-output.md
@@ -0,0 +1,209 @@
+---
+navigation_title: "Redis"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/redis-output.html
+---
+
+# Configure the Redis output [redis-output]
+
+
+The Redis output inserts the events into a Redis list or a Redis channel. This output plugin is compatible with the [Redis input plugin](logstash://reference/plugins-inputs-redis.md) for Logstash.
+
+To use this output, edit the Packetbeat configuration file to disable the {{es}} output by commenting it out, and enable the Redis output by adding `output.redis`.
+
+Example configuration:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  password: "my_password"
+  key: "packetbeat"
+  db: 0
+  timeout: 5
+```
+
+## Compatibility [_compatibility_3]
+
+This output is expected to work with all Redis versions between 3.2.4 and 5.0.8. Other versions might work as well, but are not supported.
+
+
+## Configuration options [_configuration_options_19]
+
+You can specify the following `output.redis` options in the `packetbeat.yml` config file:
+
+### `enabled` [_enabled_7]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [_hosts_2]
+
+The list of Redis servers to connect to. If load balancing is enabled, the events are distributed to the servers in the list. If one server becomes unreachable, the events are distributed to the reachable servers only. You can define each Redis server by specifying `HOST` or `HOST:PORT`. For example: `"192.15.3.2"` or `"test.redis.io:12345"`. If you don’t specify a port number, the value configured by `port` is used. Configure each Redis server with an `IP:PORT` pair or with a `URL`. For example: `redis://localhost:6379` or `rediss://localhost:6379`. URLs can include a server-specific password. For example: `redis://:password@localhost:6379`. The `redis` scheme will disable the `ssl` settings for the host, while `rediss` will enforce TLS.  If `rediss` is specified and no `ssl` settings are configured, the output uses the system certificate store.
+
+
+### `index` [_index_2]
+
+The index name added to the events metadata for use by Logstash. The default is "packetbeat".
+
+
+### `key` [key-option-redis]
+
+The name of the Redis list or channel the events are published to. If not configured, the value of the `index` setting is used.
+
+You can set the key dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.list`, to set the Redis list key. If `fields.list` is missing, `fallback` is used:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  key: "%{[fields.list]:fallback}"
+```
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/packetbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`keys`](#keys-option-redis) setting for other ways to set the key dynamically.
+
+
+### `keys` [keys-option-redis]
+
+An array of key selector rules. Each rule specifies the `key` to use for events that match the rule. During publishing, Packetbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `keys` setting is missing or no rule matches, the [`key`](#key-option-redis) setting is used.
+
+Rule settings:
+
+**`index`**
+:   The key format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `key` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/packetbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+Example `keys` settings:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  key: "default_list"
+  keys:
+    - key: "info_list"   # send to info_list if `message` field contains INFO
+      when.contains:
+        message: "INFO"
+    - key: "debug_list"  # send to debug_list if `message` field contains DEBUG
+      when.contains:
+        message: "DEBUG"
+    - key: "%{[fields.list]}"
+      mappings:
+        http: "frontend_list"
+        nginx: "frontend_list"
+        mysql: "backend_list"
+```
+
+
+### `password` [_password_3]
+
+The password to authenticate with. The default is no authentication.
+
+
+### `db` [_db]
+
+The Redis database number where the events are published. The default is 0.
+
+
+### `datatype` [_datatype]
+
+The Redis data type to use for publishing events.If the data type is `list`, the Redis RPUSH command is used and all events are added to the list with the key defined under `key`. If the data type `channel` is used, the Redis `PUBLISH` command is used and means that all events are pushed to the pub/sub mechanism of Redis. The name of the channel is the one defined under `key`. The default value is `list`.
+
+
+### `codec` [_codec_2]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/packetbeat/configuration-output-codec.md) for more information.
+
+
+### `worker` or `workers` [_worker_or_workers_2]
+
+The number of workers to use for each host configured to publish events to Redis. Use this setting along with the `loadbalance` option. For example, if you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+
+### `loadbalance` [_loadbalance_2]
+
+When `loadbalance: true` is set, Packetbeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Packetbeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Packetbeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Packetbeat can connect to at least one of its configured hosts.
+
+The default value is `true`.
+
+
+### `timeout` [_timeout_5]
+
+The Redis connection timeout in seconds. The default is 5 seconds.
+
+
+### `backoff.init` [_backoff_init_3]
+
+The number of seconds to wait before trying to reconnect to Redis after a network error. After waiting `backoff.init` seconds, Packetbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_3]
+
+The maximum number of seconds to wait before attempting to connect to Redis after a network error. The default is 60s.
+
+
+### `max_retries` [_max_retries_4]
+
+The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
+
+Set `max_retries` to a value less than 0 to retry until all events are published.
+
+The default is 3.
+
+
+### `bulk_max_size` [_bulk_max_size_3]
+
+The maximum number of events to bulk in a single Redis request or pipeline. The default is 2048.
+
+Events can be collected into batches. Packetbeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `ssl` [_ssl_4]
+
+Configuration options for SSL parameters like the root CA for Redis connections guarded by SSL proxies (for example [stunnel](https://www.stunnel.org)). See [SSL](/reference/packetbeat/configuration-ssl.md) for more information.
+
+
+### `proxy_url` [_proxy_url_3]
+
+The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The value must be a URL with a scheme of `socks5://`. You cannot use a web proxy because the protocol used to communicate with Redis is not based on HTTP.
+
+If the SOCKS5 proxy server requires client authentication, you can embed a username and password in the URL.
+
+When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the [`proxy_use_local_resolver`](#redis-proxy-use-local-resolver) option.
+
+
+### `proxy_use_local_resolver` [redis-proxy-use-local-resolver]
+
+This option determines whether Redis hostnames are resolved locally when using a proxy. The default value is false, which means that name resolution occurs on the proxy server.
+
+
+### `queue` [_queue_4]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/packetbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `packetbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/packetbeat/refresh-index-pattern.md b/docs/reference/packetbeat/refresh-index-pattern.md
new file mode 100644
index 000000000000..87bacafa27b4
--- /dev/null
+++ b/docs/reference/packetbeat/refresh-index-pattern.md
@@ -0,0 +1,23 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/refresh-index-pattern.html
+---
+
+# Fields show up as nested JSON in Kibana [refresh-index-pattern]
+
+When Packetbeat exports a field of type dictionary, and the keys are not known in advance, the Discovery page in {{kib}} will display the field as a nested JSON object:
+
+```shell
+http.response.headers = {
+        "content-length": 12,
+        "content-type": "application/json"
+}
+```
+
+To fix this you need to [reload the index pattern](docs-content://explore-analyze/find-and-organize/data-views.md) in {{kib}} under the Management→Index Patterns, and the index pattern will be updated with a field for each key available in the dictionary:
+
+```shell
+http.response.headers.content-length = 12
+http.response.headers.content-type = "application/json"
+```
+
diff --git a/docs/reference/packetbeat/rename-fields.md b/docs/reference/packetbeat/rename-fields.md
new file mode 100644
index 000000000000..d1922c79416a
--- /dev/null
+++ b/docs/reference/packetbeat/rename-fields.md
@@ -0,0 +1,43 @@
+---
+navigation_title: "rename"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/rename-fields.html
+---
+
+# Rename fields from events [rename-fields]
+
+
+The `rename` processor specifies a list of fields to rename. Under the `fields` key, each entry contains a `from: old-key` and a `to: new-key` pair, where:
+
+* `from` is the original field name. It’s supported to use `@metadata.` prefix for `from` and rename keys in the event metadata instead of event fields.
+* `to` is the target field name
+
+The `rename` processor cannot be used to overwrite fields. To overwrite fields either first rename the target field, or use the `drop_fields` processor to drop the field and then rename the field.
+
+::::{tip}
+You can rename fields to resolve field name conflicts. For example, if an event has two fields, `c` and `c.b` (where `b` is a subfield of `c`), assigning scalar values results in an {{es}} error at ingest time. The assignment `{"c": 1, "c.b": 2}` would result in an error because `c` is an object and cannot be assigned a scalar value. To prevent this conflict, rename `c` to `c.value` before assigning values.
+::::
+
+
+```yaml
+processors:
+  - rename:
+      fields:
+        - from: "a.g"
+          to: "e.d"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+The `rename` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be renamed is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the renaming of fields is stopped and the original event is returned. If set to false, renaming continues also if an error happened during renaming. Default is `true`.
+
+See [Conditions](/reference/packetbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+You can specify multiple `rename` processors under the `processors` section.
+
diff --git a/docs/reference/packetbeat/replace-fields.md b/docs/reference/packetbeat/replace-fields.md
new file mode 100644
index 000000000000..abc89e55545e
--- /dev/null
+++ b/docs/reference/packetbeat/replace-fields.md
@@ -0,0 +1,44 @@
+---
+navigation_title: "replace"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/replace-fields.html
+---
+
+# Replace fields from events [replace-fields]
+
+
+The `replace` processor takes a list of fields to search for a matching value and replaces the matching value with a specified string.
+
+The `replace` processor cannot be used to create a completely new value.
+
+::::{tip}
+You can use this processor to truncate a field value or replace it with a new string value. You can also use this processor to mask PII information.
+::::
+
+
+
+## Example [_example]
+
+The following example changes the path from `/usr/bin` to `/usr/local/bin`:
+
+```yaml
+  - replace:
+      fields:
+        - field: "file.path"
+          pattern: "/usr/"
+          replacement: "/usr/local/"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+
+## Configuration settings [_configuration_settings]
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `fields` | Yes |  | List of one or more items. Each item contains a `field: field-name`, `pattern: regex-pattern`, and `replacement: replacement-string`, where:<br><br>* `field` is the original field name. You can use the `@metadata.` prefix in this field to replace values in the event metadata instead of event fields.<br>* `pattern` is the regex pattern to match the field’s value<br>* `replacement` is the replacement string to use to update the field’s value<br> |
+| `ignore_missing` | No | `false` | Whether to ignore missing fields. If `true`, no error is logged if the specified field is missing. |
+| `fail_on_error` | No | `true` | Whether to fail replacement of field values if an error occurs.If `true` and there’s an error, the replacement of field values is stopped, and the original event is returned.If `false`, replacement continues even if an error occurs during replacement. |
+
+See [Conditions](/reference/packetbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/packetbeat/running-on-docker.md b/docs/reference/packetbeat/running-on-docker.md
new file mode 100644
index 000000000000..7c806a5d09b3
--- /dev/null
+++ b/docs/reference/packetbeat/running-on-docker.md
@@ -0,0 +1,175 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html
+---
+
+# Run Packetbeat on Docker [running-on-docker]
+
+Docker images for Packetbeat are available from the Elastic Docker registry. The base image is [centos:7](https://hub.docker.com/_/centos/).
+
+A list of all published Docker images and tags is available at [www.docker.elastic.co](https://www.docker.elastic.co).
+
+These images are free to use under the Elastic license. They contain open source and free commercial features and access to paid commercial features. [Start a 30-day trial](docs-content://deploy-manage/license/manage-your-license-in-self-managed-cluster.md) to try out all of the paid commercial features. See the [Subscriptions](https://www.elastic.co/subscriptions) page for information about Elastic license levels.
+
+## Pull the image [_pull_the_image]
+
+Obtaining Packetbeat for Docker is as simple as issuing a `docker pull` command against the Elastic Docker registry.
+
+::::{warning}
+Version 9.0.0-beta1 of Packetbeat has not yet been released. No Docker image is currently available for Packetbeat 9.0.0-beta1.
+::::
+
+
+```sh
+docker pull docker.elastic.co/beats/packetbeat:9.0.0-beta1
+```
+
+Alternatively, you can download other Docker images that contain only features available under the Apache 2.0 license. To download the images, go to [www.docker.elastic.co](https://www.docker.elastic.co).
+
+As another option, you can use the hardened [Wolfi](https://wolfi.dev/) image. Using Wolfi images requires Docker version 20.10.10 or higher. For details about why the Wolfi images have been introduced, refer to our article [Reducing CVEs in Elastic container images](https://www.elastic.co/blog/reducing-cves-in-elastic-container-images).
+
+```bash
+docker pull docker.elastic.co/beats/packetbeat-wolfi:9.0.0-beta1
+```
+
+
+## Optional: Verify the image [_optional_verify_the_image]
+
+You can use the [Cosign application](https://docs.sigstore.dev/cosign/installation/) to verify the Packetbeat Docker image signature.
+
+::::{warning}
+Version 9.0.0-beta1 of Packetbeat has not yet been released. No Docker image is currently available for Packetbeat 9.0.0-beta1.
+::::
+
+
+```sh
+wget https://artifacts.elastic.co/cosign.pub
+cosign verify --key cosign.pub docker.elastic.co/beats/packetbeat:9.0.0-beta1
+```
+
+The `cosign` command prints the check results and the signature payload in JSON format:
+
+```sh
+Verification for docker.elastic.co/beats/packetbeat:9.0.0-beta1 --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The signatures were verified against the specified public key
+```
+
+
+## Run the Packetbeat setup [_run_the_packetbeat_setup]
+
+::::{important}
+A [known issue](https://github.com/elastic/beats/issues/42038) in version 8.17.0 prevents {{beats}} Docker images from starting when no options are provided. When running an image on that version, add an `--environment container` parameter to avoid the problem. This is planned to be addressed in issue [#42060](https://github.com/elastic/beats/pull/42060).
+::::
+
+
+Running Packetbeat with the setup command will create the index pattern and load visualizations , dashboards, and machine learning jobs.  Run this command:
+
+```sh
+docker run --rm \
+--cap-add=NET_ADMIN \
+docker.elastic.co/beats/packetbeat:9.0.0-beta1 \
+setup -E setup.kibana.host=kibana:5601 \
+-E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
+```
+
+1. Substitute your Kibana and Elasticsearch hosts and ports.
+2. If you are using the hosted {{ess}} in {{ecloud}}, replace the `-E output.elasticsearch.hosts` line with the Cloud ID and elastic password using this syntax:
+
+
+```shell
+-E cloud.id=<Cloud ID from Elasticsearch Service> \
+-E cloud.auth=elastic:<elastic password>
+```
+
+
+## Run Packetbeat on a read-only file system [_run_packetbeat_on_a_read_only_file_system]
+
+If you’d like to run Packetbeat in a Docker container on a read-only file system, you can do so by specifying the `--read-only` option. Packetbeat requires a stateful directory to store application data, so with the `--read-only` option you also need to use the `--mount` option to specify a path to where that data can be stored.
+
+For example:
+
+```sh
+docker run --rm \
+  --mount type=bind,source=$(pwd)/data,destination=/usr/share/packetbeat/data \
+  --read-only \
+  docker.elastic.co/beats/packetbeat:9.0.0-beta1
+```
+
+
+## Configure Packetbeat on Docker [_configure_packetbeat_on_docker]
+
+The Docker image provides several methods for configuring Packetbeat. The conventional approach is to provide a configuration file via a volume mount, but it’s also possible to create a custom image with your configuration included.
+
+### Example configuration file [_example_configuration_file]
+
+Download this example configuration file as a starting point:
+
+```sh
+curl -L -O https://raw.githubusercontent.com/elastic/beats/master/deploy/docker/packetbeat.docker.yml
+```
+
+
+### Volume-mounted configuration [_volume_mounted_configuration]
+
+One way to configure Packetbeat on Docker is to provide `packetbeat.docker.yml` via a volume mount. With `docker run`, the volume mount can be specified like this.
+
+```sh
+docker run -d \
+  --name=packetbeat \
+  --user=packetbeat \
+  --volume="$(pwd)/packetbeat.docker.yml:/usr/share/packetbeat/packetbeat.yml:ro" \
+  --cap-add="NET_RAW" \
+  --cap-add="NET_ADMIN" \
+  --network=host \
+  docker.elastic.co/beats/packetbeat:9.0.0-beta1 \
+  --strict.perms=false -e \
+  -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
+```
+
+1. Substitute your Elasticsearch hosts and ports.
+2. If you are using the hosted {{ess}} in {{ecloud}}, replace the `-E output.elasticsearch.hosts` line with the Cloud ID and elastic password using the syntax shown earlier.
+
+
+
+### Customize your configuration [_customize_your_configuration]
+
+The `packetbeat.docker.yml` downloaded earlier should be customized for your environment. See [Configure](/reference/packetbeat/configuring-howto-packetbeat.md) for more details. Edit the configuration file and customize it to match your environment then re-deploy your Packetbeat container.
+
+
+### Custom image configuration [_custom_image_configuration]
+
+It’s possible to embed your Packetbeat configuration in a custom image. Here is an example Dockerfile to achieve this:
+
+```dockerfile
+FROM docker.elastic.co/beats/packetbeat:9.0.0-beta1
+COPY --chown=root:packetbeat packetbeat.yml /usr/share/packetbeat/packetbeat.yml
+```
+
+
+### Required network capabilities [_required_network_capabilities]
+
+Under Docker, Packetbeat runs as a non-root user, but requires some privileged network capabilities to operate correctly. Ensure that the `NET_ADMIN` capability is available to the container.
+
+```sh
+docker run --cap-add=NET_ADMIN docker.elastic.co/beats/packetbeat:9.0.0-beta1
+```
+
+
+### Capture traffic from the host system [_capture_traffic_from_the_host_system]
+
+By default, Docker networking will connect the Packetbeat container to an isolated virtual network, with a limited view of network traffic. You may wish to connect the container directly to the host network in order to see traffic destined for, and originating from, the host system. With `docker run`, this can be achieved by specifying `--network=host`.
+
+```sh
+docker run --cap-add=NET_ADMIN --network=host docker.elastic.co/beats/packetbeat:9.0.0-beta1
+```
+
+::::{note}
+On Windows and MacOS, specifying `--network=host` will bind the container’s network interface to the virtual interface of Docker’s embedded Linux virtual machine, not to the physical interface of the host system.
+::::
+
+
+
+
diff --git a/docs/reference/packetbeat/running-with-systemd.md b/docs/reference/packetbeat/running-with-systemd.md
new file mode 100644
index 000000000000..dfdb667e06f9
--- /dev/null
+++ b/docs/reference/packetbeat/running-with-systemd.md
@@ -0,0 +1,86 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/running-with-systemd.html
+---
+
+# Packetbeat and systemd [running-with-systemd]
+
+The DEB and RPM packages include a service unit for Linux systems with systemd. On these systems, you can manage Packetbeat by using the usual systemd commands.
+
+The service unit is configured with `UMask=0027` which means the most permissive mask allowed for files created by Packetbeat is `0640`. All configured file permissions higher than `0640` will be ignored. Please edit the unit file manually in case you need to change that.
+
+## Start and stop Packetbeat [_start_and_stop_packetbeat]
+
+Use `systemctl` to start or stop Packetbeat:
+
+```sh
+sudo systemctl start packetbeat
+```
+
+```sh
+sudo systemctl stop packetbeat
+```
+
+By default, the Packetbeat service starts automatically when the system boots. To enable or disable auto start use:
+
+```sh
+sudo systemctl enable packetbeat
+```
+
+```sh
+sudo systemctl disable packetbeat
+```
+
+
+## Packetbeat status and logs [_packetbeat_status_and_logs]
+
+To get the service status, use `systemctl`:
+
+```sh
+systemctl status packetbeat
+```
+
+Logs are stored by default in journald. To view the Logs, use `journalctl`:
+
+```sh
+journalctl -u packetbeat.service
+```
+
+
+## Customize systemd unit for Packetbeat [_customize_systemd_unit_for_packetbeat]
+
+The systemd service unit file includes environment variables that you can override to change the default options.
+
+| Variable | Description | Default value |
+| --- | --- | --- |
+| BEAT_LOG_OPTS | Log options |  |
+| BEAT_CONFIG_OPTS | Flags for configuration file path | ``-c /etc/packetbeat/packetbeat.yml`` |
+| BEAT_PATH_OPTS | Other paths | ``--path.home /usr/share/packetbeat --path.config /etc/packetbeat --path.data /var/lib/packetbeat --path.logs /var/log/packetbeat`` |
+
+::::{note}
+You can use `BEAT_LOG_OPTS` to set debug selectors for logging. However, to configure logging behavior, set the logging options described in [Configure logging](/reference/packetbeat/configuration-logging.md).
+::::
+
+
+To override these variables, create a drop-in unit file in the `/etc/systemd/system/packetbeat.service.d` directory.
+
+For example a file with the following content placed in `/etc/systemd/system/packetbeat.service.d/debug.conf` would override `BEAT_LOG_OPTS` to enable debug for Elasticsearch output.
+
+```text
+[Service]
+Environment="BEAT_LOG_OPTS=-d elasticsearch"
+```
+
+To apply your changes, reload the systemd configuration and restart the service:
+
+```sh
+systemctl daemon-reload
+systemctl restart packetbeat
+```
+
+::::{note}
+It is recommended that you use a configuration management tool to include drop-in unit files. If you need to add a drop-in manually, use `systemctl edit packetbeat.service`.
+::::
+
+
+
diff --git a/docs/reference/packetbeat/securing-communication-elasticsearch.md b/docs/reference/packetbeat/securing-communication-elasticsearch.md
new file mode 100644
index 000000000000..ecc12e7da8c8
--- /dev/null
+++ b/docs/reference/packetbeat/securing-communication-elasticsearch.md
@@ -0,0 +1,104 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/securing-communication-elasticsearch.html
+---
+
+# Secure communication with Elasticsearch [securing-communication-elasticsearch]
+
+When sending data to a secured cluster through the `elasticsearch` output, Packetbeat can use any of the following authentication methods:
+
+* Basic authentication credentials (username and password).
+* Token-based API authentication.
+* A client certificate.
+
+Authentication is specified in the Packetbeat configuration file:
+
+* To use **basic authentication**, specify the `username` and `password` settings under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      username: "packetbeat_writer" <1>
+      password: "{pwd}" <2>
+    ```
+
+    1. This user needs the privileges required to publish events to {{es}}. To create a user like this, see [Create a *publishing* user](/reference/packetbeat/privileges-to-publish-events.md).
+    2. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/packetbeat/keystore.md).
+
+* To use token-based **API key authentication**, specify the `api_key` under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      api_key: "ZCV7VnwBgnX0T19fN8Qe:KnR6yE41RrSowb0kQ0HWoA" <1>
+    ```
+
+    1. This API key must have the privileges required to publish events to {{es}}. To create an API key like this, see [*Grant access using API keys*](/reference/packetbeat/beats-api-keys.md).
+
+
+* To use **Public Key Infrastructure (PKI) certificates** to authenticate users, specify the `certificate` and `key` settings under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      ssl.certificate: "/etc/pki/client/cert.pem" <1>
+      ssl.key: "/etc/pki/client/cert.key" <2>
+    ```
+
+    1. The path to the certificate for SSL client authentication
+    2. The client certificate key
+
+
+    These settings assume that the distinguished name (DN) in the certificate is mapped to the appropriate roles in the `role_mapping.yml` file on each node in the {{es}} cluster. For more information, see [Using role mapping files](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md#mapping-roles-file).
+
+    By default, Packetbeat uses the list of trusted certificate authorities (CA) from the operating system where Packetbeat is running. If the certificate authority that signed your node certificates is not in the host system’s trusted certificate authorities list, you need to add the path to the `.pem` file that contains your CA’s certificate to the Packetbeat configuration. This will configure Packetbeat to use a specific list of CA certificates instead of the default list from the OS.
+
+    Here is an example configuration:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      ssl.certificate_authorities: <1>
+        - /etc/pki/my_root_ca.pem
+        - /etc/pki/my_other_ca.pem
+      ssl.certificate: "/etc/pki/client.pem" <2>
+      ssl.key: "/etc/pki/key.pem" <3>
+    ```
+
+    1. Specify the path to the local `.pem` file that contains your Certificate Authority’s certificate. This is needed if you use your own CA to sign your node certificates.
+    2. The path to the certificate for SSL client authentication
+    3. The client certificate key
+
+
+    ::::{note}
+    For any given connection, the SSL/TLS certificates must have a subject that matches the value specified for `hosts`, or the SSL handshake fails. For example, if you specify `hosts: ["foobar:9200"]`, the certificate MUST include `foobar` in the subject (`CN=foobar`) or as a subject alternative name (SAN). Make sure the hostname resolves to the correct IP address. If no DNS is available, then you can associate the IP address with your hostname in `/etc/hosts` (on Unix) or `C:\Windows\System32\drivers\etc\hosts` (on Windows).
+    ::::
+
+
+
+## Secure communication with the Kibana endpoint [securing-communication-kibana]
+
+If you’ve configured the [{{kib}} endpoint](/reference/packetbeat/setup-kibana-endpoint.md), you can also specify credentials for authenticating with {{kib}} under `kibana.setup`. If no credentials are specified, Kibana will use the configured authentication method in the Elasticsearch output.
+
+For example, specify a unique username and password to connect to Kibana like this:
+
+```yaml
+setup.kibana:
+  host: "mykibanahost:5601"
+  username: "packetbeat_kib_setup" <1>
+  password: "{pwd}" <2>
+```
+
+1. This user needs privileges required to set up dashboards. To create a user like this, see [Create a *setup* user](/reference/packetbeat/privileges-to-setup-beats.md).
+2. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/packetbeat/keystore.md).
+
+
+
+## Learn more about secure communication [securing-communication-learn-more]
+
+More information on sending data to a secured cluster is available in the configuration reference:
+
+* [Elasticsearch](/reference/packetbeat/elasticsearch-output.md)
+* [SSL](/reference/packetbeat/configuration-ssl.md)
+* [{{kib}} endpoint](/reference/packetbeat/setup-kibana-endpoint.md)
+
diff --git a/docs/reference/packetbeat/securing-packetbeat.md b/docs/reference/packetbeat/securing-packetbeat.md
new file mode 100644
index 000000000000..d8cfe03c812d
--- /dev/null
+++ b/docs/reference/packetbeat/securing-packetbeat.md
@@ -0,0 +1,25 @@
+---
+navigation_title: "Secure"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/securing-packetbeat.html
+---
+
+# Secure Packetbeat [securing-packetbeat]
+
+
+The following topics provide information about securing the Packetbeat process and connecting to a cluster that has {{security-features}} enabled.
+
+You can use role-based access control and optionally, API keys to grant Packetbeat users access to secured resources.
+
+* [*Grant users access to secured resources*](/reference/packetbeat/feature-roles.md)
+* [*Grant access using API keys*](/reference/packetbeat/beats-api-keys.md).
+
+After privileged users have been created, use authentication to connect to a secured Elastic cluster.
+
+* [*Secure communication with Elasticsearch*](/reference/packetbeat/securing-communication-elasticsearch.md)
+* [*Secure communication with Logstash*](/reference/packetbeat/configuring-ssl-logstash.md)
+
+On Linux, Packetbeat can take advantage of secure computing mode to restrict the system calls that a process can issue.
+
+* [*Use Linux Secure Computing Mode (seccomp)*](/reference/packetbeat/linux-seccomp.md)
+
diff --git a/docs/reference/packetbeat/setting-up-running.md b/docs/reference/packetbeat/setting-up-running.md
new file mode 100644
index 000000000000..17b837279d6d
--- /dev/null
+++ b/docs/reference/packetbeat/setting-up-running.md
@@ -0,0 +1,29 @@
+---
+navigation_title: "Set up and run"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html
+---
+
+# Set up and run Packetbeat [setting-up-and-running]
+
+
+Before reading this section, see [Quick start: installation and configuration](/reference/packetbeat/packetbeat-installation-configuration.md) for basic installation instructions to get you started.
+
+This section includes additional information on how to install, set up, and run Packetbeat, including:
+
+* [Directory layout](/reference/packetbeat/directory-layout.md)
+* [Command reference](/reference/packetbeat/command-line-options.md)
+* [Repositories for APT and YUM](/reference/packetbeat/setup-repositories.md)
+* [Run Packetbeat on Docker](/reference/packetbeat/running-on-docker.md)
+* [Packetbeat and systemd](/reference/packetbeat/running-with-systemd.md)
+* [Start Packetbeat](/reference/packetbeat/packetbeat-starting.md)
+* [Stop Packetbeat](/reference/packetbeat/shutdown.md)
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/packetbeat/setup-kibana-endpoint.md b/docs/reference/packetbeat/setup-kibana-endpoint.md
new file mode 100644
index 000000000000..f962acd6f19f
--- /dev/null
+++ b/docs/reference/packetbeat/setup-kibana-endpoint.md
@@ -0,0 +1,96 @@
+---
+navigation_title: "{{kib}} endpoint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/setup-kibana-endpoint.html
+---
+
+# Configure the {{kib}} endpoint [setup-kibana-endpoint]
+
+
+{{kib}} dashboards are loaded into {{kib}} via the {{kib}} API. This requires a {{kib}} endpoint configuration. For details on authenticating to the {{kib}} API, see [Authentication](https://www.elastic.co/docs/api/doc/kibana/authentication).
+
+You configure the endpoint in the `setup.kibana` section of the `packetbeat.yml` config file.
+
+Here is an example configuration:
+
+```yaml
+setup.kibana.host: "http://localhost:5601"
+```
+
+
+## Configuration options [_configuration_options_25]
+
+You can specify the following options in the `setup.kibana` section of the `packetbeat.yml` config file:
+
+
+### `setup.kibana.host` [_setup_kibana_host]
+
+The {{kib}} host where the dashboards will be loaded. The default is `127.0.0.1:5601`. The value of `host` can be a `URL` or `IP:PORT`. For example: `http://192.15.3.2`, `192:15.3.2:5601` or `http://192.15.3.2:6701/path`. If no port is specified, `5601` is used.
+
+::::{note}
+When a node is defined as an `IP:PORT`, the *scheme* and *path* are taken from the [setup.kibana.protocol](#kibana-protocol-option) and [setup.kibana.path](#kibana-path-option) config options.
+::::
+
+
+IPv6 addresses must be defined using the following format: `https://[2001:db8::1]:5601`.
+
+
+### `setup.kibana.protocol` [kibana-protocol-option]
+
+The name of the protocol {{kib}} is reachable on. The options are: `http` or `https`. The default is `http`. However, if you specify a URL for host, the value of `protocol` is overridden by whatever scheme you specify in the URL.
+
+Example config:
+
+```yaml
+setup.kibana.host: "192.0.2.255:5601"
+setup.kibana.protocol: "http"
+setup.kibana.path: /kibana
+```
+
+
+### `setup.kibana.username` [_setup_kibana_username]
+
+The basic authentication username for connecting to {{kib}}. If you don’t specify a value for this setting, Packetbeat uses the `username` specified for the {{es}} output.
+
+
+### `setup.kibana.password` [_setup_kibana_password]
+
+The basic authentication password for connecting to {{kib}}. If you don’t specify a value for this setting, Packetbeat uses the `password` specified for the {{es}} output.
+
+
+### `setup.kibana.path` [kibana-path-option]
+
+An HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where {{kib}} listens behind an HTTP reverse proxy that exports the API under a custom prefix.
+
+
+### `setup.kibana.space.id` [kibana-space-id-option]
+
+The [Kibana space](docs-content://deploy-manage/manage-spaces.md) ID to use. If specified, Packetbeat loads {{kib}} assets into this {{kib}} space. Omit this option to use the default space.
+
+
+#### `setup.kibana.headers` [_setup_kibana_headers]
+
+Custom HTTP headers to add to each request sent to {{kib}}. Example:
+
+```yaml
+setup.kibana.headers:
+  X-My-Header: Header contents
+```
+
+
+### `setup.kibana.ssl.enabled` [_setup_kibana_ssl_enabled]
+
+Enables Packetbeat to use SSL settings when connecting to {{kib}} via HTTPS. If you configure Packetbeat to connect over HTTPS, this setting defaults to `true` and Packetbeat uses the default SSL settings.
+
+Example configuration:
+
+```yaml
+setup.kibana.host: "https://192.0.2.255:5601"
+setup.kibana.ssl.enabled: true
+setup.kibana.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+setup.kibana.ssl.certificate: "/etc/client/cert.pem"
+setup.kibana.ssl.key: "/etc/client/cert.key
+```
+
+See [SSL](/reference/packetbeat/configuration-ssl.md) for more information.
+
diff --git a/docs/reference/packetbeat/setup-repositories.md b/docs/reference/packetbeat/setup-repositories.md
new file mode 100644
index 000000000000..b7bebf4afb67
--- /dev/null
+++ b/docs/reference/packetbeat/setup-repositories.md
@@ -0,0 +1,26 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html
+---
+
+# Repositories for APT and YUM [setup-repositories]
+
+We have repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
+
+We use the PGP key [D88E42B4](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xD27D666CD88E42B4), Elasticsearch Signing Key, with fingerprint
+
+```
+4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4
+```
+to sign all our packages. It is available from [https://pgp.mit.edu](https://pgp.mit.edu).
+
+
+## APT [_apt]
+
+Version 9.0.0-beta1 of Beats has not yet been released.
+
+
+## YUM [_yum]
+
+Version 9.0.0-beta1 of Beats has not yet been released.
+
diff --git a/docs/reference/packetbeat/shutdown.md b/docs/reference/packetbeat/shutdown.md
new file mode 100644
index 000000000000..66f28dd6cd0b
--- /dev/null
+++ b/docs/reference/packetbeat/shutdown.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/shutdown.html
+---
+
+# Stop Packetbeat [shutdown]
+
+An orderly shutdown of Packetbeat ensures that it has a chance to clean up and close outstanding resources. You can help ensure an orderly shutdown by stopping Packetbeat properly.
+
+If you’re running Packetbeat as a service, you can stop it via the service management functionality provided by your installation.
+
+If you’re running Packetbeat directly in the console, you can stop it by entering **Ctrl-C**. Alternatively, send SIGTERM to the Packetbeat process on a POSIX system.
+
diff --git a/docs/reference/packetbeat/ssl-client-fails.md b/docs/reference/packetbeat/ssl-client-fails.md
new file mode 100644
index 000000000000..e5511f998873
--- /dev/null
+++ b/docs/reference/packetbeat/ssl-client-fails.md
@@ -0,0 +1,71 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/ssl-client-fails.html
+---
+
+# SSL client fails to connect to Logstash [ssl-client-fails]
+
+The host running {{ls}} might be unreachable or the certificate may not be valid. To resolve your issue:
+
+* Make sure that {{ls}} is running and you can connect to it. First, try to ping the {{ls}} host to verify that you can reach it from the host running Packetbeat. Then use either `nc` or `telnet` to make sure that the port is available. For example:
+
+    ```shell
+    ping <hostname or IP>
+    telnet <hostname or IP> 5044
+    ```
+
+* Verify that the certificate is valid and that the hostname and IP match.
+
+    ::::{tip}
+    For testing purposes only, you can set `verification_mode: none` to disable hostname checking.
+    ::::
+
+* Use OpenSSL to test connectivity to the {{ls}} server and diagnose problems. See the [OpenSSL documentation](https://www.openssl.org/docs/manmaster/man1/openssl-s_client.md) for more info.
+* Make sure that you have enabled SSL (set `ssl => true`) when configuring the [Beats input plugin for {{ls}}](logstash://reference/plugins-inputs-beats.md).
+
+## Common SSL-Related Errors and Resolutions [_common_ssl_related_errors_and_resolutions]
+
+Here are some common errors and ways to fix them:
+
+* [tls: failed to parse private key](#failed-to-parse-private-key)
+* [x509: cannot validate certificate](#cannot-validate-certificate)
+* [getsockopt: no route to host](#getsockopt-no-route-to-host)
+* [getsockopt: connection refused](#getsockopt-connection-refused)
+* [No connection could be made because the target machine actively refused it](#target-machine-refused-connection)
+
+### tls: failed to parse private key [failed-to-parse-private-key]
+
+This might occur for a few reasons:
+
+* The encrypted file is not recognized as an encrypted PEM block. Packetbeat tries to use the encrypted content as the final key, which fails.
+* The file is correctly encrypted in a PEM block, but the decrypted content is not a key in a format that Packetbeat recognizes. The key must be encoded as PEM format.
+* The passphrase is missing or has an error.
+
+
+### x509: cannot validate certificate for <IP address> because it doesn’t contain any IP SANs [cannot-validate-certificate]
+
+This happens because your certificate is only valid for the hostname present in the Subject field.
+
+To resolve this problem, try one of these solutions:
+
+* Create a DNS entry for the hostname mapping it to the server’s IP.
+* Create an entry in `/etc/hosts` for the hostname. Or on Windows add an entry to `C:\Windows\System32\drivers\etc\hosts`.
+* Re-create the server certificate and add a SubjectAltName (SAN) for the IP address of the server. This makes the server’s certificate valid for both the hostname and the IP address.
+
+
+### getsockopt: no route to host [getsockopt-no-route-to-host]
+
+This is not a SSL problem. It’s a networking problem. Make sure the two hosts can communicate.
+
+
+### getsockopt: connection refused [getsockopt-connection-refused]
+
+This is not a SSL problem. Make sure that {{ls}} is running and that there is no firewall blocking the traffic.
+
+
+### No connection could be made because the target machine actively refused it [target-machine-refused-connection]
+
+A firewall is refusing the connection. Check if a firewall is blocking the traffic on the client, the network, or the destination host.
+
+
+
diff --git a/docs/reference/packetbeat/syslog.md b/docs/reference/packetbeat/syslog.md
new file mode 100644
index 000000000000..3495dcf2f956
--- /dev/null
+++ b/docs/reference/packetbeat/syslog.md
@@ -0,0 +1,156 @@
+---
+navigation_title: "syslog"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/syslog.html
+---
+
+# Syslog [syslog]
+
+
+The syslog processor parses RFC 3146 and/or RFC 5424 formatted syslog messages that are stored in a field. The processor itself does not handle receiving syslog messages from external sources. This is done through an input, such as the TCP input. Certain integrations, when enabled through configuration, will embed the syslog processor to process syslog messages, such as Custom TCP Logs and Custom UDP Logs.
+
+
+## Configuration [_configuration]
+
+The `syslog` processor parses RFC 3146 and/or RFC 5424 formatted syslog messages that are stored under the `field` key.
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the syslog message. Defaults to `message`.
+
+`format`
+:   (Optional) The syslog format to use, `rfc3164`, or `rfc5424`. To automatically detect the format from the log entries, set this option to `auto`. The default is `auto`.
+
+`timezone`
+:   (Optional) IANA time zone name(e.g. `America/New York`) or a fixed time offset (e.g. +0200) to use when parsing syslog timestamps that do not contain a time zone. `Local` may be specified to use the machine’s local time zone. Defaults to `Local`.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the syslog message. The default value is `true`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+`tag`
+:   (Optional) An identifier for this processor. Useful for debugging.
+
+Example:
+
+```yaml
+processors:
+  - syslog:
+      field: message
+```
+
+```json
+{
+  "message": "<165>1 2022-01-11T22:14:15.003Z mymachine.example.com eventslog 1024 ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"][examplePriority@32473 class=\"high\"] this is the message"
+}
+```
+
+Will produce the following output:
+
+```json
+{
+  "@timestamp": "2022-01-11T22:14:15.003Z",
+  "log": {
+    "syslog": {
+      "priority": 165,
+      "facility": {
+        "code": 20,
+        "name": "local4"
+      },
+      "severity": {
+        "code": 5,
+        "name": "Notice"
+      },
+      "hostname": "mymachine.example.com",
+      "appname": "eventslog",
+      "procid": "1024",
+      "msgid": "ID47",
+      "version": 1,
+      "structured_data": {
+        "exampleSDID@32473": {
+          "iut":         "3",
+          "eventSource": "Application",
+          "eventID":     "1011"
+        },
+        "examplePriority@32473": {
+          "class": "high"
+        }
+      }
+    }
+  },
+  "message": "this is the message"
+}
+```
+
+
+## Timestamps [_timestamps]
+
+The RFC 3164 format accepts the following forms of timestamps:
+
+* Local timestamp (`Mmm dd hh:mm:ss`):
+
+    * `Jan 23 14:09:01`
+
+* RFC-3339*:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+**Note**: The local timestamp (for example, `Jan 23 14:09:01`) that accompanies an RFC 3164 message lacks year and time zone information. The time zone will be enriched using the `timezone` configuration option, and the year will be enriched using the Packetbeat system’s local time (accounting for time zones). Because of this, it is possible for messages to appear in the future. An example of when this might happen is logs generated on December 31 2021 are ingested on January 1 2022. The logs would be enriched with the year 2022 instead of 2021.
+
+The RFC 5424 format accepts the following forms of timestamps:
+
+* RFC-3339:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+Formats with an asterisk (*) are a non-standard allowance.
+
+
+## Structured Data [_structured_data]
+
+For RFC 5424-formatted logs, if the structured data cannot be parsed according to RFC standards, the original structured data text will be prepended to the message field, separated by a space.
+
+
+## Metrics [_metrics]
+
+Internal metrics are available to assist with debugging efforts. The metrics are served from the metrics HTTP endpoint (for example: `http://localhost:5066/stats`) and are found under `processor.syslog.[instance ID]` or `processor.syslog.[tag]-[instance ID]` if a **tag** is provided. See [HTTP endpoint](/reference/packetbeat/http-endpoint.md) for more information on configuration the metrics HTTP endpoint.
+
+For example, here are metrics from a processor with a **tag** of `log-input` and an **instance ID** of `1`:
+
+```json
+{
+  "processor": {
+    "syslog": {
+      "log-input-1": {
+        "failure": 10,
+        "missing": 0,
+        "success": 3
+      }
+    }
+  }
+}
+```
+
+`failure`
+:   Measures the number of occurrences where a message was unable to be parsed.
+
+`missing`
+:   Measures the number of occurrences where an event was missing the required input field.
+
+`success`
+:   Measures the number of successfully parsed syslog messages.
+
diff --git a/docs/reference/packetbeat/troubleshooting.md b/docs/reference/packetbeat/troubleshooting.md
new file mode 100644
index 000000000000..4557a7a97d71
--- /dev/null
+++ b/docs/reference/packetbeat/troubleshooting.md
@@ -0,0 +1,15 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/troubleshooting.html
+---
+
+# Troubleshoot [troubleshooting]
+
+If you have issues installing or running Packetbeat, read the following tips:
+
+* [*Get help*](/reference/packetbeat/getting-help.md)
+* [*Debug*](/reference/packetbeat/enable-packetbeat-debugging.md)
+* [Understand logged metrics](/reference/packetbeat/understand-packetbeat-logs.md)
+* [*Record a trace*](/reference/packetbeat/recording-trace.md)
+* [*Common problems*](/reference/packetbeat/faq.md)
+
diff --git a/docs/reference/packetbeat/truncate-fields.md b/docs/reference/packetbeat/truncate-fields.md
new file mode 100644
index 000000000000..902ab733d126
--- /dev/null
+++ b/docs/reference/packetbeat/truncate-fields.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "truncate_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/truncate-fields.html
+---
+
+# Truncate fields [truncate-fields]
+
+
+The `truncate_fields` processor truncates a field to a given size. If the size of the field is smaller than the limit, the field is left as is.
+
+`fields`
+:   List of fields to truncate. It’s supported to use `@metadata.` prefix for the fields and truncate values in the event metadata instead of event fields.
+
+`max_bytes`
+:   Maximum number of bytes in a field. Mutually exclusive with `max_characters`.
+
+`max_characters`
+:   Maximum number of characters in a field. Mutually exclusive with `max_bytes`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the changes to the event are reverted, and the original event is returned. If set to `false`, processing continues also if an error happens. Default is `true`.
+
+`ignore_missing`
+:   (Optional) Whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+For example, this configuration truncates the field named `message` to 5 characters:
+
+```yaml
+processors:
+  - truncate_fields:
+      fields:
+        - message
+      max_characters: 5
+      fail_on_error: false
+      ignore_missing: true
+```
+
diff --git a/docs/reference/packetbeat/understand-packetbeat-logs.md b/docs/reference/packetbeat/understand-packetbeat-logs.md
new file mode 100644
index 000000000000..b778256f4c13
--- /dev/null
+++ b/docs/reference/packetbeat/understand-packetbeat-logs.md
@@ -0,0 +1,210 @@
+---
+navigation_title: "Understand logged metrics"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/understand-packetbeat-logs.html
+---
+
+# Understand metrics in Packetbeat logs [understand-packetbeat-logs]
+
+
+Every 30 seconds (by default), Packetbeat collects a *snapshot* of metrics about itself. From this snapshot, Packetbeat computes a *delta snapshot*; this delta snapshot contains any metrics that have *changed* since the last snapshot. Note that the values of the metrics are the values when the snapshot is taken, *NOT* the *difference* in values from the last snapshot.
+
+If this delta snapshot contains *any* metrics (indicating at least one metric that has changed since the last snapshot), this delta snapshot is serialized as JSON and emitted in Packetbeat’s logs at the `INFO` log level. Most snapshot fields report the change in the metric since the last snapshot, however some fields are *gauges*, which always report the current value. Here is an example of such a log entry:
+
+```json
+{"log.level":"info","@timestamp":"2023-07-14T12:50:36.811Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":0}}}},"cpu":{"system":{"ticks":692690,"time":{"ms":60}},"total":{"ticks":3167250,"time":{"ms":150},"value":3167250},"user":{"ticks":2474560,"time":{"ms":90}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":32},"info":{"ephemeral_id":"2bab8688-34c0-4522-80af-db86948d547d","uptime":{"ms":617670096},"version":"8.6.2"},"memstats":{"gc_next":57189272,"memory_alloc":43589824,"memory_total":275281335792,"rss":183574528},"runtime":{"goroutines":212}},"filebeat":{"events":{"active":5,"added":52,"done":49},"harvester":{"open_files":6,"running":6,"started":1}},"libbeat":{"config":{"module":{"running":15}},"output":{"events":{"acked":48,"active":0,"batches":6,"total":48},"read":{"bytes":210},"write":{"bytes":26923}},"pipeline":{"clients":15,"events":{"active":5,"filtered":1,"published":51,"total":52},"queue":{"max_events":3500,"filled":{"events":5,"bytes":6425,"pct":0.0014},"added":{"events":52,"bytes":65702},"consumed":{"events":52,"bytes":65702},"removed":{"events":48,"bytes":59277},"acked":48}}},"registrar":{"states":{"current":14,"update":49},"writes":{"success":6,"total":6}},"system":{"load":{"1":0.91,"15":0.37,"5":0.4,"norm":{"1":0.1138,"15":0.0463,"5":0.05}}}},"ecs.version":"1.6.0"}}
+```
+
+
+## Details [_details_2]
+
+Focussing on the `.monitoring.metrics` field, and formatting the JSON, it’s value is:
+
+```json
+{
+  "beat": {
+    "cgroup": {
+      "memory": {
+        "mem": {
+          "usage": {
+            "bytes": 0
+          }
+        }
+      }
+    },
+    "cpu": {
+      "system": {
+        "ticks": 692690,
+        "time": {
+          "ms": 60
+        }
+      },
+      "total": {
+        "ticks": 3167250,
+        "time": {
+          "ms": 150
+        },
+        "value": 3167250
+      },
+      "user": {
+        "ticks": 2474560,
+        "time": {
+          "ms": 90
+        }
+      }
+    },
+    "handles": {
+      "limit": {
+        "hard": 1048576,
+        "soft": 1048576
+      },
+      "open": 32
+    },
+    "info": {
+      "ephemeral_id": "2bab8688-34c0-4522-80af-db86948d547d",
+      "uptime": {
+        "ms": 617670096
+      },
+      "version": "8.6.2"
+    },
+    "memstats": {
+      "gc_next": 57189272,
+      "memory_alloc": 43589824,
+      "memory_total": 275281335792,
+      "rss": 183574528
+    },
+    "runtime": {
+      "goroutines": 212
+    }
+  },
+  "filebeat": {
+    "events": {
+      "active": 5,
+      "added": 52,
+      "done": 49
+    },
+    "harvester": {
+      "open_files": 6,
+      "running": 6,
+      "started": 1
+    }
+  },
+  "libbeat": {
+    "config": {
+      "module": {
+        "running": 15
+      }
+    },
+    "output": {
+      "events": {
+        "acked": 48,
+        "active": 0,
+        "batches": 6,
+        "total": 48
+      },
+      "read": {
+        "bytes": 210
+      },
+      "write": {
+        "bytes": 26923
+      }
+    },
+    "pipeline": {
+      "clients": 15,
+      "events": {
+        "active": 5,
+        "filtered": 1,
+        "published": 51,
+        "total": 52
+      },
+      "queue": {
+        "max_events": 3500,
+        "filled": {
+          "events": 5,
+          "bytes": 6425,
+          "pct": 0.0014
+        },
+        "added": {
+          "events": 52,
+          "bytes": 65702
+        },
+        "consumed": {
+          "events": 52,
+          "bytes": 65702
+        },
+        "removed": {
+          "events": 48,
+          "bytes": 59277
+        },
+        "acked": 48
+      }
+    }
+  },
+  "registrar": {
+    "states": {
+      "current": 14,
+      "update": 49
+    },
+    "writes": {
+      "success": 6,
+      "total": 6
+    }
+  },
+  "system": {
+    "load": {
+      "1": 0.91,
+      "15": 0.37,
+      "5": 0.4,
+      "norm": {
+        "1": 0.1138,
+        "15": 0.0463,
+        "5": 0.05
+      }
+    }
+  }
+}
+```
+
+The following tables explain the meaning of the most important fields under `.monitoring.metrics` and also provide hints that might be helpful in troubleshooting Packetbeat issues.
+
+| Field path (relative to `.monitoring.metrics`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.beat` | Object | Information that is common to all Beats, e.g. version, goroutines, file handles, CPU, memory |  |
+| `.libbeat` | Object | Information about the publisher pipeline and output, also common to all Beats |  |
+
+| Field path (relative to `.monitoring.metrics.beat`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.runtime.goroutines` | Integer | Number of goroutines running | If this number grows over time, it indicates a goroutine leak |
+
+| Field path (relative to `.monitoring.metrics.libbeat`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.pipeline.events.active` | Integer | Number of events currently in the libbeat publisher pipeline. | If this number grows over time, it may indicate that Packetbeat is producing events faster than the output can consume them. Consider increasing the number of output workers (if this setting is supported by the output; {{es}} and {{ls}} outputs support this setting). The pipeline includes events currently being processed as well as events in the queue. So this metric can sometimes end up slightly higher than the queue size. If this metric reaches the maximum queue size (`queue.mem.events` for the in-memory queue), it almost certainly indicates backpressure on Packetbeat, implying that Packetbeat may need to temporarily stop ingesting more events from the source until this backpressure is relieved. |
+| `.output.events.total` | Integer | Number of events currently being processed by the output. | If this number grows over time, it may indicate that the output destination (e.g. {{ls}} pipeline or {{es}} cluster) is not able to accept events at the same or faster rate than what Packetbeat is sending to it. |
+| `.output.events.acked` | Integer | Number of events acknowledged by the output destination. | Generally, we want this number to be the same as `.output.events.total` as this indicates that the output destination has reliably received all the events sent to it. |
+| `.output.events.failed` | Integer | Number of events that Packetbeat tried to send to the output destination, but the destination failed to receive them. | Generally, we want this field to be absent or its value to be zero. When the value is greater than zero, it’s useful to check Packetbeat’s logs right before this log entry’s `@timestamp` to see if there are any connectivity issues with the output destination. Note that failed events are not lost or dropped; they will be sent back to the publisher pipeline for retrying later. |
+| `.output.events.dropped` | Integer | Number of events that Packetbeat gave up sending to the output destination because of a permanent (non-retryable) error. | `.output.events.dead_letter` |
+| Integer | Number of events that Packetbeat successfully sent to a configured dead letter index after they failed to ingest in the primary index. | `.output.write.latency` | Object |
+
+| Field path (relative to `.monitoring.metrics.libbeat.pipeline`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.queue.max_events` | Integer (gauge) | The queue’s maximum event count if it has one, otherwise zero. | `.queue.max_bytes` |
+| Integer (gauge) | The queue’s maximum byte count if it has one, otherwise zero. | `.queue.filled.events` | Integer (gauge) |
+| Number of events currently stored by the queue. |  | `.queue.filled.bytes` | Integer (gauge) |
+| Number of bytes currently stored by the queue. |  | `.queue.filled.pct` | Float (gauge) |
+| How full the queue is relative to its maximum size, as a fraction from 0 to 1. | Low throughput while `queue.filled.pct` is low means congestion in the input. Low throughput while `queue.filled.pct` is high means congestion in the output. | `.queue.added.events` | Integer |
+| Number of events added to the queue by input workers. |  | `.queue.added.bytes` | Integer |
+| Number of bytes added to the queue by input workers. |  | `.queue.consumed.events` | Integer |
+| Number of events sent to output workers. |  | `.queue.consumed.bytes` | Integer |
+| Number of bytes sent to output workers. |  | `.queue.removed.events` | Integer |
+| Number of events removed from the queue after being processed by output workers. |  | `.queue.removed.bytes` | Integer |
+
+When using the memory queue, byte metrics are only set if the output supports them. Currently only the Elasticsearch output supports byte metrics.
+
+
+## Useful commands [_useful_commands]
+
+
+### Parse monitoring metrics from unstructured Packetbeat logs [_parse_monitoring_metrics_from_unstructured_packetbeat_logs]
+
+For Packetbeat versions that emit unstructured logs, the following script can be used to parse monitoring metrics from such logs: [https://github.com/elastic/beats/blob/main/script/metrics_from_log_file.sh](https://github.com/elastic/beats/blob/main/script/metrics_from_log_file.sh).
+
diff --git a/docs/reference/packetbeat/upgrading-packetbeat.md b/docs/reference/packetbeat/upgrading-packetbeat.md
new file mode 100644
index 000000000000..151185cb3d21
--- /dev/null
+++ b/docs/reference/packetbeat/upgrading-packetbeat.md
@@ -0,0 +1,12 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/upgrading-packetbeat.html
+---
+
+# Upgrade Packetbeat [upgrading-packetbeat]
+
+For information about upgrading to a new version, see:
+
+* [Breaking Changes](/release-notes/breaking-changes.md)
+* [Upgrade](/reference/libbeat/upgrading.md)
+
diff --git a/docs/reference/packetbeat/urldecode.md b/docs/reference/packetbeat/urldecode.md
new file mode 100644
index 000000000000..4396fd1b5df0
--- /dev/null
+++ b/docs/reference/packetbeat/urldecode.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "urldecode"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/urldecode.html
+---
+
+# URL Decode [urldecode]
+
+
+The `urldecode` processor specifies a list of fields to decode from URL encoded format. Under the `fields` key, each entry contains a `from: source-field` and a `to: target-field` pair, where:
+
+* `from` is the source field name
+* `to` is the target field name (defaults to the `from` value)
+
+```yaml
+processors:
+  - urldecode:
+      fields:
+        - from: "field1"
+          to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above:
+
+* field1 is decoded in field2
+
+The `urldecode` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be URL-decoded is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the URL-decoding of fields is stopped and the original event is returned. If set to false, decoding continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/packetbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/packetbeat/using-environ-vars.md b/docs/reference/packetbeat/using-environ-vars.md
new file mode 100644
index 000000000000..b7b8edb13175
--- /dev/null
+++ b/docs/reference/packetbeat/using-environ-vars.md
@@ -0,0 +1,80 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/using-environ-vars.html
+---
+
+# Use environment variables in the configuration [using-environ-vars]
+
+You can use environment variable references in the config file to set values that need to be configurable during deployment. To do this, use:
+
+`${VAR}`
+
+Where `VAR` is the name of the environment variable.
+
+Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.
+
+To specify a default value, use:
+
+`${VAR:default_value}`
+
+Where `default_value` is the value to use if the environment variable is undefined.
+
+To specify custom error text, use:
+
+`${VAR:?error_text}`
+
+Where `error_text` is custom text that will be prepended to the error message if the environment variable cannot be expanded.
+
+If you need to use a special character in your configuration file, use `$` to escape the expansion. For example, you can escape `${` or `}` with `$${` or `$}`.
+
+After changing the value of an environment variable, you need to restart Packetbeat to pick up the new value.
+
+::::{note}
+You can also specify environment variables when you override a config setting from the command line by using the `-E` option. For example:
+
+`-E name=${NAME}`
+
+::::
+
+
+
+## Examples [_examples]
+
+Here are some examples of configurations that use environment variables and what each configuration looks like after replacement:
+
+| Config source | Environment setting | Config after replacement |
+| --- | --- | --- |
+| `name: ${NAME}` | `export NAME=elastic` | `name: elastic` |
+| `name: ${NAME}` | no setting | `name:` |
+| `name: ${NAME:beats}` | no setting | `name: beats` |
+| `name: ${NAME:beats}` | `export NAME=elastic` | `name: elastic` |
+| `name: ${NAME:?You need to set the NAME environment variable}` | no setting | None. Returns an error message that’s prepended with the custom text. |
+| `name: ${NAME:?You need to set the NAME environment variable}` | `export NAME=elastic` | `name: elastic` |
+
+
+## Specify complex objects in environment variables [_specify_complex_objects_in_environment_variables]
+
+You can specify complex objects, such as lists or dictionaries, in environment variables by using a JSON-like syntax.
+
+As with JSON, dictionaries and lists are constructed using `{}` and `[]`. But unlike JSON, the syntax allows for trailing commas and slightly different string quotation rules. Strings can be unquoted, single-quoted, or double-quoted, as a convenience for simple settings and to make it easier for you to mix quotation usage in the shell. Arrays at the top-level do not require brackets (`[]`).
+
+For example, the following environment variable is set to a list:
+
+```yaml
+ES_HOSTS="10.45.3.2:9220,10.45.3.1:9230"
+```
+
+You can reference this variable in the config file:
+
+```yaml
+output.elasticsearch:
+  hosts: '${ES_HOSTS}'
+```
+
+When Packetbeat loads the config file, it resolves the environment variable and replaces it with the specified list before reading the `hosts` setting.
+
+::::{note}
+Do not use double-quotes (`"`) to wrap regular expressions, or the backslash (`\`) will be interpreted as an escape character.
+::::
+
+
diff --git a/docs/reference/packetbeat/visualizing-data-packetbeat.md b/docs/reference/packetbeat/visualizing-data-packetbeat.md
new file mode 100644
index 000000000000..8eeb8ea232c9
--- /dev/null
+++ b/docs/reference/packetbeat/visualizing-data-packetbeat.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/visualizing-data-packetbeat.html
+---
+
+# Visualize Packetbeat data in Kibana [visualizing-data-packetbeat]
+
+Before trying to visualize Packetbeat data in Kibana, we recommend that you [set up the example Kibana dashboards](/reference/packetbeat/load-kibana-dashboards.md). Then read the topics in this section to learn how to work with Packetbeat data in Kibana:
+
+* [*Customize the Discover page*](/reference/packetbeat/customizing-discover.md)
+* [*Kibana queries and filters*](/reference/packetbeat/kibana-queries-filters.md)
+
+Also see the [Kibana User Guide](docs-content://get-started/the-stack.md).
+
diff --git a/docs/reference/packetbeat/yaml-tips.md b/docs/reference/packetbeat/yaml-tips.md
new file mode 100644
index 000000000000..403fa422c035
--- /dev/null
+++ b/docs/reference/packetbeat/yaml-tips.md
@@ -0,0 +1,60 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/packetbeat/current/yaml-tips.html
+---
+
+# Avoid YAML formatting problems [yaml-tips]
+
+The configuration file uses [YAML](http://yaml.org/) for its syntax. When you edit the file to modify configuration settings, there are a few things that you should know.
+
+
+## Use spaces for indentation [_use_spaces_for_indentation]
+
+Indentation is meaningful in YAML. Make sure that you use spaces, rather than tab characters, to indent sections.
+
+In the default configuration files and in all the examples in the documentation, we use 2 spaces per indentation level. We recommend you do the same.
+
+
+## Look at the default config file for structure [_look_at_the_default_config_file_for_structure]
+
+The best way to understand where to define a configuration option is by looking at the provided sample configuration files. The configuration files contain most of the default configurations that are available for the Beat. To change a setting, simply uncomment the line and change the values.
+
+
+## Test your config file [_test_your_config_file]
+
+You can test your configuration file to verify that the structure is valid. Simply change to the directory where the binary is installed, and run the Beat in the foreground with the `test config` command specified. For example:
+
+```shell
+packetbeat test config -c packetbeat.yml
+```
+
+You’ll see a message if the Beat finds an error in the file.
+
+
+## Wrap regular expressions in single quotation marks [_wrap_regular_expressions_in_single_quotation_marks]
+
+If you need to specify a regular expression in a YAML file, it’s a good idea to wrap the regular expression in single quotation marks to work around YAML’s tricky rules for string escaping.
+
+For more information about YAML, see [http://yaml.org/](http://yaml.org/).
+
+
+## Wrap paths in single quotation marks [wrap-paths-in-quotes]
+
+Windows paths in particular sometimes contain spaces or characters, such as drive letters or triple dots, that may be misinterpreted by the YAML parser.
+
+To avoid this problem, it’s a good idea to wrap paths in single quotation marks.
+
+
+## Avoid using leading zeros in numeric values [avoid-leading-zeros]
+
+If you use a leading zero (for example, `09`) in a numeric field without wrapping the value in single quotation marks, the value may be interpreted incorrectly by the YAML parser. If the value is a valid octal, it’s converted to an integer. If not, it’s converted to a float.
+
+To prevent unwanted type conversions, avoid using leading zeros in field values, or wrap the values in single quotation marks.
+
+
+## Avoid accidental template variable resolution [dollar-sign-strings]
+
+The templating engine that allows the config to resolve data from environment variables can result in errors in strings with `$` characters. For example, if a password field contains `$$`, the engine will resolve this to `$`.
+
+To work around this, either use the [Secrets keystore](/reference/packetbeat/keystore.md) or escape all instances of `$` with `$$`.
+
diff --git a/docs/reference/serverless/beats.md b/docs/reference/serverless/beats.md
new file mode 100644
index 000000000000..0f66d5131c8a
--- /dev/null
+++ b/docs/reference/serverless/beats.md
@@ -0,0 +1,30 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/serverless/current/elasticsearch-ingest-data-through-beats.html
+---
+
+# Beats [elasticsearch-ingest-data-through-beats]
+
+{{beats}} are lightweight data shippers that send operational data to {{es}}. Elastic provides separate {{beats}} for different types of data, such as logs, metrics, and uptime. Depending on what data you want to collect, you may need to install multiple shippers on a single host.
+
+| Data | {{beats}} |
+| --- | --- |
+| Audit data | [Auditbeat](https://www.elastic.co/products/beats/auditbeat) |
+| Log files and journals | [Filebeat](https://www.elastic.co/products/beats/filebeat) |
+| Availability | [Heartbeat](https://www.elastic.co/products/beats/heartbeat) |
+| Metrics | [Metricbeat](https://www.elastic.co/products/beats/metricbeat) |
+| Network traffic | [Packetbeat](https://www.elastic.co/products/beats/packetbeat) |
+| Windows event logs | [Winlogbeat](https://www.elastic.co/products/beats/winlogbeat) |
+
+{{beats}} can send data to {{es}} directly or through {{ls}}, where you can further process and enhance the data before visualizing it in {{kib}}.
+
+::::{admonition} Authenticating with {es}
+:class: note
+
+When you use {{beats}} to export data to an {{es-serverless}} project, the {{beats}} require an API key to authenticate with {{es}}. Refer to [Create API key](docs-content://solutions/search/search-connection-details.md#create-an-api-key-serverless) for the steps to set up your API key, and to [Grant access using API keys](https://www.elastic.co/guide/en/beats/filebeat/current/beats-api-keys.md) in the Filebeat documentation for an example of how to configure your {{beats}} to use the key.
+
+::::
+
+
+Check out [Get started with Beats](/reference/index.md) for some next steps.
+
diff --git a/docs/reference/toc.yml b/docs/reference/toc.yml
new file mode 100644
index 000000000000..cb40c697f7d7
--- /dev/null
+++ b/docs/reference/toc.yml
@@ -0,0 +1,1682 @@
+project: 'Beats'
+toc:
+  # TO DO: Do we want these to be separate pages?
+  - file: index.md
+  - file: serverless/beats.md
+  - file: libbeat/config-file-format.md
+    children:
+      - file: libbeat/config-file-format-namespacing.md
+      - file: libbeat/config-file-format-type.md
+      - file: libbeat/config-file-format-env-vars.md
+      - file: libbeat/config-gile-format-refs.md
+      - file: libbeat/config-file-permissions.md
+      - file: libbeat/config-file-format-cli.md
+      - file: libbeat/config-file-format-tips.md
+  - file: auditbeat/auditbeat.md
+    children:
+      - file: auditbeat/auditbeat-overview.md
+      - file: auditbeat/auditbeat-installation-configuration.md
+      - file: auditbeat/setting-up-running.md
+        children:
+          - file: auditbeat/directory-layout.md
+          - file: auditbeat/keystore.md
+          - file: auditbeat/command-line-options.md
+          - file: auditbeat/setup-repositories.md
+          - file: auditbeat/running-on-docker.md
+          - file: auditbeat/running-on-kubernetes.md
+          - file: auditbeat/running-with-systemd.md
+          - file: auditbeat/auditbeat-starting.md
+          - file: auditbeat/shutdown.md
+      - file: auditbeat/upgrading-auditbeat.md
+      - file: auditbeat/configuring-howto-auditbeat.md
+        children:
+          - file: auditbeat/configuration-auditbeat.md
+          - file: auditbeat/configuration-general-options.md
+          - file: auditbeat/configuration-path.md
+          - file: auditbeat/auditbeat-configuration-reloading.md
+          - file: auditbeat/configuring-output.md
+            children:
+              - file: auditbeat/configure-cloud-id.md
+              - file: auditbeat/elasticsearch-output.md
+              - file: auditbeat/logstash-output.md
+              - file: auditbeat/kafka-output.md
+              - file: auditbeat/redis-output.md
+              - file: auditbeat/file-output.md
+              - file: auditbeat/console-output.md
+              - file: auditbeat/discard-output.md
+              - file: auditbeat/configuration-output-codec.md
+          - file: auditbeat/configuration-kerberos.md
+          - file: auditbeat/configuration-ssl.md
+          - file: auditbeat/ilm.md
+          - file: auditbeat/configuration-template.md
+          - file: auditbeat/setup-kibana-endpoint.md
+          - file: auditbeat/configuration-dashboards.md
+          - file: auditbeat/filtering-enhancing-data.md
+            children:
+              - file: auditbeat/defining-processors.md
+              - file: auditbeat/add-cloud-metadata.md
+              - file: auditbeat/add-cloudfoundry-metadata.md
+              - file: auditbeat/add-docker-metadata.md
+              - file: auditbeat/add-fields.md
+              - file: auditbeat/add-host-metadata.md
+              - file: auditbeat/add-id.md
+              - file: auditbeat/add-kubernetes-metadata.md
+              - file: auditbeat/add-labels.md
+              - file: auditbeat/add-locale.md
+              - file: auditbeat/add-network-direction.md
+              - file: auditbeat/add-nomad-metadata.md
+              - file: auditbeat/add-observer-metadata.md
+              - file: auditbeat/add-process-metadata.md
+              - file: auditbeat/add-session-metadata.md
+              - file: auditbeat/add-tags.md
+              - file: auditbeat/append.md
+              - file: auditbeat/community-id.md
+              - file: auditbeat/convert.md
+              - file: auditbeat/copy-fields.md
+              - file: auditbeat/decode-base64-field.md
+              - file: auditbeat/decode-duration.md
+              - file: auditbeat/decode-json-fields.md
+              - file: auditbeat/decode-xml.md
+              - file: auditbeat/decode-xml-wineventlog.md
+              - file: auditbeat/decompress-gzip-field.md
+              - file: auditbeat/detect-mime-type.md
+              - file: auditbeat/dissect.md
+              - file: auditbeat/processor-dns.md
+              - file: auditbeat/drop-event.md
+              - file: auditbeat/drop-fields.md
+              - file: auditbeat/extract-array.md
+              - file: auditbeat/fingerprint.md
+              - file: auditbeat/include-fields.md
+              - file: auditbeat/move-fields.md
+              - file: auditbeat/rate-limit.md
+              - file: auditbeat/processor-registered-domain.md
+              - file: auditbeat/rename-fields.md
+              - file: auditbeat/replace-fields.md
+              - file: auditbeat/syslog.md
+              - file: auditbeat/processor-translate-guid.md
+              - file: auditbeat/processor-translate-sid.md
+              - file: auditbeat/truncate-fields.md
+              - file: auditbeat/urldecode.md
+          - file: auditbeat/configuring-internal-queue.md
+          - file: auditbeat/configuration-logging.md
+          - file: auditbeat/http-endpoint.md
+          - file: auditbeat/regexp-support.md
+          - file: auditbeat/configuration-instrumentation.md
+          - file: auditbeat/configuration-feature-flags.md
+          - file: auditbeat/auditbeat-reference-yml.md
+      - file: auditbeat/howto-guides.md
+        children:
+          - file: auditbeat/auditbeat-template.md
+          - file: auditbeat/change-index-name.md
+          - file: auditbeat/load-kibana-dashboards.md
+          - file: auditbeat/auditbeat-geoip.md
+          - file: auditbeat/configuring-ingest-node.md
+          - file: auditbeat/using-environ-vars.md
+          - file: auditbeat/yaml-tips.md
+      - file: auditbeat/auditbeat-modules.md
+        children:
+          - file: auditbeat/auditbeat-module-auditd.md
+          - file: auditbeat/auditbeat-module-file_integrity.md
+          - file: auditbeat/auditbeat-module-system.md
+            children:
+              - file: auditbeat/auditbeat-dataset-system-host.md
+              - file: auditbeat/auditbeat-dataset-system-login.md
+              - file: auditbeat/auditbeat-dataset-system-package.md
+              - file: auditbeat/auditbeat-dataset-system-process.md
+              - file: auditbeat/auditbeat-dataset-system-socket.md
+              - file: auditbeat/auditbeat-dataset-system-user.md
+      - file: auditbeat/exported-fields.md
+        children:
+          - file: auditbeat/exported-fields-auditd.md
+          - file: auditbeat/exported-fields-beat-common.md
+          - file: auditbeat/exported-fields-cloud.md
+          - file: auditbeat/exported-fields-common.md
+          - file: auditbeat/exported-fields-docker-processor.md
+          - file: auditbeat/exported-fields-ecs.md
+          - file: auditbeat/exported-fields-file_integrity.md
+          - file: auditbeat/exported-fields-host-processor.md
+          - file: auditbeat/exported-fields-jolokia-autodiscover.md
+          - file: auditbeat/exported-fields-kubernetes-processor.md
+          - file: auditbeat/exported-fields-process.md
+          - file: auditbeat/exported-fields-system.md
+      - file: auditbeat/monitoring.md
+        children:
+          - file: auditbeat/monitoring-internal-collection.md
+            children:
+              - file: auditbeat/configuration-monitor.md
+          - file: auditbeat/monitoring-metricbeat-collection.md
+      - file: auditbeat/securing-auditbeat.md
+        children:
+          - file: auditbeat/feature-roles.md
+            children:
+              - file: auditbeat/privileges-to-setup-beats.md
+              - file: auditbeat/privileges-to-publish-monitoring.md
+              - file: auditbeat/privileges-to-publish-events.md
+              - file: auditbeat/kibana-user-privileges.md
+              - file: auditbeat/learn-more-security.md
+          - file: auditbeat/beats-api-keys.md
+          - file: auditbeat/securing-communication-elasticsearch.md
+          - file: auditbeat/configuring-ssl-logstash.md
+          - file: auditbeat/linux-seccomp.md
+      - file: auditbeat/troubleshooting.md
+        children:
+          - file: auditbeat/getting-help.md
+          - file: auditbeat/enable-auditbeat-debugging.md
+          - file: auditbeat/understand-auditbeat-logs.md
+          - file: auditbeat/faq.md
+            children:
+              - file: auditbeat/ulimit.md
+              - file: auditbeat/bandwidth-throttling.md
+              - file: auditbeat/error-loading-config.md
+              - file: auditbeat/error-found-unexpected-character.md
+              - file: auditbeat/connection-problem.md
+              - file: auditbeat/publishing-ls-fails-connection-reset-by-peer.md
+              - file: auditbeat/metadata-missing.md
+              - file: auditbeat/diff-logstash-beats.md
+              - file: auditbeat/ssl-client-fails.md
+              - file: auditbeat/monitoring-shows-fewer-than-expected-beats.md
+              - file: auditbeat/could-not-locate-index-pattern.md
+              - file: auditbeat/madvdontneed-rss.md
+      - file: auditbeat/contributing-to-beats.md
+  - file: filebeat/filebeat.md
+    children:
+      - file: filebeat/filebeat-overview.md
+      - file: filebeat/filebeat-installation-configuration.md
+      - file: filebeat/setting-up-running.md
+        children:
+          - file: filebeat/directory-layout.md
+          - file: filebeat/keystore.md
+          - file: filebeat/command-line-options.md
+          - file: filebeat/setup-repositories.md
+          - file: filebeat/running-on-docker.md
+          - file: filebeat/running-on-kubernetes.md
+          - file: filebeat/running-on-cloudfoundry.md
+          - file: filebeat/running-with-systemd.md
+          - file: filebeat/filebeat-starting.md
+          - file: filebeat/shutdown.md
+      - file: filebeat/upgrading-filebeat.md
+      - file: filebeat/how-filebeat-works.md
+      - file: filebeat/configuring-howto-filebeat.md
+        children:
+          - file: filebeat/configuration-filebeat-options.md
+            children:
+              - file: filebeat/multiline-examples.md
+              - file: filebeat/filebeat-input-aws-cloudwatch.md
+              - file: filebeat/filebeat-input-aws-s3.md
+              - file: filebeat/filebeat-input-azure-eventhub.md
+              - file: filebeat/filebeat-input-azure-blob-storage.md
+              - file: filebeat/filebeat-input-benchmark.md
+              - file: filebeat/filebeat-input-cel.md
+              - file: filebeat/filebeat-input-cloudfoundry.md
+              - file: filebeat/filebeat-input-cometd.md
+              - file: filebeat/filebeat-input-container.md
+              - file: filebeat/filebeat-input-entity-analytics.md
+              - file: filebeat/filebeat-input-etw.md
+              - file: filebeat/filebeat-input-filestream.md
+              - file: filebeat/filebeat-input-gcp-pubsub.md
+              - file: filebeat/filebeat-input-gcs.md
+              - file: filebeat/filebeat-input-http_endpoint.md
+              - file: filebeat/filebeat-input-httpjson.md
+              - file: filebeat/filebeat-input-journald.md
+              - file: filebeat/filebeat-input-kafka.md
+              - file: filebeat/filebeat-input-log.md
+              - file: filebeat/filebeat-input-mqtt.md
+              - file: filebeat/filebeat-input-netflow.md
+              - file: filebeat/filebeat-input-o365audit.md
+              - file: filebeat/filebeat-input-redis.md
+              - file: filebeat/filebeat-input-salesforce.md
+              - file: filebeat/filebeat-input-stdin.md
+              - file: filebeat/filebeat-input-streaming.md
+              - file: filebeat/filebeat-input-syslog.md
+              - file: filebeat/filebeat-input-tcp.md
+              - file: filebeat/filebeat-input-udp.md
+              - file: filebeat/filebeat-input-unifiedlogs.md
+              - file: filebeat/filebeat-input-unix.md
+              - file: filebeat/filebeat-input-winlog.md
+          - file: filebeat/configuration-filebeat-modules.md
+            children:
+              - file: filebeat/advanced-settings.md
+          - file: filebeat/configuration-general-options.md
+          - file: filebeat/configuration-path.md
+          - file: filebeat/filebeat-configuration-reloading.md
+            children:
+              - file: filebeat/_live_reloading.md
+          - file: filebeat/configuring-output.md
+            children:
+              - file: filebeat/configure-cloud-id.md
+              - file: filebeat/elasticsearch-output.md
+              - file: filebeat/logstash-output.md
+              - file: filebeat/kafka-output.md
+              - file: filebeat/redis-output.md
+              - file: filebeat/file-output.md
+              - file: filebeat/console-output.md
+              - file: filebeat/discard-output.md
+              - file: filebeat/configuration-output-codec.md
+          - file: filebeat/configuration-kerberos.md
+          - file: filebeat/configuration-ssl.md
+          - file: filebeat/ilm.md
+          - file: filebeat/configuration-template.md
+          - file: filebeat/setup-kibana-endpoint.md
+          - file: filebeat/configuration-dashboards.md
+          - file: filebeat/filtering-enhancing-data.md
+            children:
+              - file: filebeat/defining-processors.md
+              - file: filebeat/add-cloud-metadata.md
+              - file: filebeat/add-cloudfoundry-metadata.md
+              - file: filebeat/add-docker-metadata.md
+              - file: filebeat/add-fields.md
+              - file: filebeat/add-host-metadata.md
+              - file: filebeat/add-id.md
+              - file: filebeat/add-kubernetes-metadata.md
+              - file: filebeat/add-labels.md
+              - file: filebeat/add-locale.md
+              - file: filebeat/add-network-direction.md
+              - file: filebeat/add-nomad-metadata.md
+              - file: filebeat/add-observer-metadata.md
+              - file: filebeat/add-process-metadata.md
+              - file: filebeat/add-tags.md
+              - file: filebeat/append.md
+              - file: filebeat/add-cached-metadata.md
+              - file: filebeat/community-id.md
+              - file: filebeat/convert.md
+              - file: filebeat/copy-fields.md
+              - file: filebeat/decode-base64-field.md
+              - file: filebeat/processor-decode-cef.md
+              - file: filebeat/decode-csv-fields.md
+              - file: filebeat/decode-duration.md
+              - file: filebeat/decode-json-fields.md
+              - file: filebeat/decode-xml.md
+              - file: filebeat/decode-xml-wineventlog.md
+              - file: filebeat/decompress-gzip-field.md
+              - file: filebeat/detect-mime-type.md
+              - file: filebeat/dissect.md
+              - file: filebeat/processor-dns.md
+              - file: filebeat/drop-event.md
+              - file: filebeat/drop-fields.md
+              - file: filebeat/extract-array.md
+              - file: filebeat/fingerprint.md
+              - file: filebeat/include-fields.md
+              - file: filebeat/move-fields.md
+              - file: filebeat/processor-parse-aws-vpc-flow-log.md
+              - file: filebeat/rate-limit.md
+              - file: filebeat/processor-registered-domain.md
+              - file: filebeat/rename-fields.md
+              - file: filebeat/replace-fields.md
+              - file: filebeat/processor-script.md
+              - file: filebeat/syslog.md
+              - file: filebeat/processor-timestamp.md
+              - file: filebeat/processor-translate-guid.md
+              - file: filebeat/processor-translate-sid.md
+              - file: filebeat/truncate-fields.md
+              - file: filebeat/urldecode.md
+          - file: filebeat/configuration-autodiscover.md
+            children:
+              - file: filebeat/configuration-autodiscover-hints.md
+              - file: filebeat/configuration-autodiscover-advanced.md
+          - file: filebeat/configuring-internal-queue.md
+          - file: filebeat/configuration-logging.md
+          - file: filebeat/http-endpoint.md
+          - file: filebeat/regexp-support.md
+          - file: filebeat/configuration-instrumentation.md
+          - file: filebeat/configuration-feature-flags.md
+          - file: filebeat/filebeat-reference-yml.md
+      - file: filebeat/howto-guides.md
+        children:
+          - file: filebeat/override-filebeat-config-settings.md
+          - file: filebeat/filebeat-template.md
+          - file: filebeat/change-index-name.md
+          - file: filebeat/load-kibana-dashboards.md
+          - file: filebeat/load-ingest-pipelines.md
+          - file: filebeat/filebeat-geoip.md
+          - file: filebeat/filebeat-deduplication.md
+          - file: filebeat/configuring-ingest-node.md
+          - file: filebeat/using-environ-vars.md
+          - file: filebeat/yaml-tips.md
+          - file: filebeat/migrate-to-filestream.md
+            children:
+              - file: filebeat/_step_1_set_an_identifier_for_each_filestream_input.md
+              - file: filebeat/_step_2_enable_the_take_over_mode.md
+              - file: filebeat/_step_3_use_new_option_names.md
+              - file: filebeat/_step_4.md
+              - file: filebeat/_if_something_went_wrong.md
+              - file: filebeat/_debugging_on_kibana.md
+          - file: filebeat/migrate-from-deprecated-module.md
+      - file: filebeat/filebeat-modules.md
+        children:
+          - file: filebeat/filebeat-modules-overview.md
+          - file: filebeat/filebeat-module-activemq.md
+          - file: filebeat/filebeat-module-apache.md
+          - file: filebeat/filebeat-module-auditd.md
+          - file: filebeat/filebeat-module-aws.md
+          - file: filebeat/filebeat-module-awsfargate.md
+          - file: filebeat/filebeat-module-azure.md
+          - file: filebeat/filebeat-module-cef.md
+          - file: filebeat/filebeat-module-checkpoint.md
+          - file: filebeat/filebeat-module-cisco.md
+          - file: filebeat/filebeat-module-coredns.md
+          - file: filebeat/filebeat-module-crowdstrike.md
+          - file: filebeat/filebeat-module-cyberarkpas.md
+          - file: filebeat/filebeat-module-elasticsearch.md
+          - file: filebeat/filebeat-module-envoyproxy.md
+          - file: filebeat/filebeat-module-fortinet.md
+          - file: filebeat/filebeat-module-gcp.md
+          - file: filebeat/filebeat-module-google_workspace.md
+          - file: filebeat/filebeat-module-haproxy.md
+          - file: filebeat/filebeat-module-ibmmq.md
+          - file: filebeat/filebeat-module-icinga.md
+          - file: filebeat/filebeat-module-iis.md
+          - file: filebeat/filebeat-module-iptables.md
+          - file: filebeat/filebeat-module-juniper.md
+          - file: filebeat/filebeat-module-kafka.md
+          - file: filebeat/filebeat-module-kibana.md
+          - file: filebeat/filebeat-module-logstash.md
+          - file: filebeat/filebeat-module-microsoft.md
+          - file: filebeat/filebeat-module-misp.md
+          - file: filebeat/filebeat-module-mongodb.md
+          - file: filebeat/filebeat-module-mssql.md
+          - file: filebeat/filebeat-module-mysql.md
+          - file: filebeat/filebeat-module-mysqlenterprise.md
+          - file: filebeat/filebeat-module-nats.md
+          - file: filebeat/filebeat-module-netflow.md
+          - file: filebeat/filebeat-module-nginx.md
+          - file: filebeat/filebeat-module-o365.md
+          - file: filebeat/filebeat-module-okta.md
+          - file: filebeat/filebeat-module-oracle.md
+          - file: filebeat/filebeat-module-osquery.md
+          - file: filebeat/filebeat-module-panw.md
+          - file: filebeat/filebeat-module-pensando.md
+          - file: filebeat/filebeat-module-postgresql.md
+          - file: filebeat/filebeat-module-rabbitmq.md
+          - file: filebeat/filebeat-module-redis.md
+          - file: filebeat/filebeat-module-salesforce.md
+            children:
+              - file: filebeat/_set_up_the_oauth_app_in_the_salesforce_2.md
+          - file: filebeat/filebeat-module-santa.md
+          - file: filebeat/filebeat-module-snyk.md
+          - file: filebeat/filebeat-module-sophos.md
+          - file: filebeat/filebeat-module-suricata.md
+          - file: filebeat/filebeat-module-system.md
+          - file: filebeat/filebeat-module-threatintel.md
+          - file: filebeat/filebeat-module-traefik.md
+          - file: filebeat/filebeat-module-zeek.md
+          - file: filebeat/filebeat-module-zookeeper.md
+          - file: filebeat/filebeat-module-zoom.md
+      - file: filebeat/exported-fields.md
+        children:
+          - file: filebeat/exported-fields-activemq.md
+          - file: filebeat/exported-fields-apache.md
+          - file: filebeat/exported-fields-auditd.md
+          - file: filebeat/exported-fields-aws.md
+          - file: filebeat/exported-fields-aws-cloudwatch.md
+          - file: filebeat/exported-fields-awsfargate.md
+          - file: filebeat/exported-fields-azure.md
+          - file: filebeat/exported-fields-beat-common.md
+          - file: filebeat/exported-fields-cef.md
+          - file: filebeat/exported-fields-cef-module.md
+          - file: filebeat/exported-fields-checkpoint.md
+          - file: filebeat/exported-fields-cisco.md
+          - file: filebeat/exported-fields-cloud.md
+          - file: filebeat/exported-fields-coredns.md
+          - file: filebeat/exported-fields-crowdstrike.md
+          - file: filebeat/exported-fields-cyberarkpas.md
+          - file: filebeat/exported-fields-docker-processor.md
+          - file: filebeat/exported-fields-ecs.md
+          - file: filebeat/exported-fields-elasticsearch.md
+          - file: filebeat/exported-fields-envoyproxy.md
+          - file: filebeat/exported-fields-fortinet.md
+          - file: filebeat/exported-fields-gcp.md
+          - file: filebeat/exported-fields-google_workspace.md
+          - file: filebeat/exported-fields-haproxy.md
+          - file: filebeat/exported-fields-host-processor.md
+          - file: filebeat/exported-fields-ibmmq.md
+          - file: filebeat/exported-fields-icinga.md
+          - file: filebeat/exported-fields-iis.md
+          - file: filebeat/exported-fields-iptables.md
+          - file: filebeat/exported-fields-jolokia-autodiscover.md
+          - file: filebeat/exported-fields-juniper.md
+          - file: filebeat/exported-fields-kafka.md
+          - file: filebeat/exported-fields-kibana.md
+          - file: filebeat/exported-fields-kubernetes-processor.md
+          - file: filebeat/exported-fields-log.md
+          - file: filebeat/exported-fields-logstash.md
+          - file: filebeat/exported-fields-lumberjack.md
+          - file: filebeat/exported-fields-microsoft.md
+          - file: filebeat/exported-fields-misp.md
+          - file: filebeat/exported-fields-mongodb.md
+          - file: filebeat/exported-fields-mssql.md
+          - file: filebeat/exported-fields-mysql.md
+          - file: filebeat/exported-fields-mysqlenterprise.md
+          - file: filebeat/exported-fields-nats.md
+          - file: filebeat/exported-fields-netflow.md
+          - file: filebeat/exported-fields-nginx.md
+          - file: filebeat/exported-fields-o365.md
+          - file: filebeat/exported-fields-okta.md
+          - file: filebeat/exported-fields-oracle.md
+          - file: filebeat/exported-fields-osquery.md
+          - file: filebeat/exported-fields-panw.md
+          - file: filebeat/exported-fields-pensando.md
+          - file: filebeat/exported-fields-postgresql.md
+          - file: filebeat/exported-fields-process.md
+          - file: filebeat/exported-fields-rabbitmq.md
+          - file: filebeat/exported-fields-redis.md
+          - file: filebeat/exported-fields-s3.md
+          - file: filebeat/exported-fields-salesforce.md
+          - file: filebeat/exported-fields-santa.md
+          - file: filebeat/exported-fields-snyk.md
+          - file: filebeat/exported-fields-sophos.md
+          - file: filebeat/exported-fields-suricata.md
+          - file: filebeat/exported-fields-system.md
+          - file: filebeat/exported-fields-threatintel.md
+          - file: filebeat/exported-fields-traefik.md
+          - file: filebeat/exported-fields-winlog.md
+          - file: filebeat/exported-fields-zeek.md
+          - file: filebeat/exported-fields-zookeeper.md
+          - file: filebeat/exported-fields-zoom.md
+      - file: filebeat/monitoring.md
+        children:
+          - file: filebeat/monitoring-internal-collection.md
+            children:
+              - file: filebeat/configuration-monitor.md
+          - file: filebeat/monitoring-metricbeat-collection.md
+      - file: filebeat/securing-filebeat.md
+        children:
+          - file: filebeat/feature-roles.md
+            children:
+              - file: filebeat/privileges-to-setup-beats.md
+              - file: filebeat/privileges-to-publish-monitoring.md
+              - file: filebeat/privileges-to-publish-events.md
+              - file: filebeat/kibana-user-privileges.md
+              - file: filebeat/learn-more-security.md
+          - file: filebeat/beats-api-keys.md
+          - file: filebeat/securing-communication-elasticsearch.md
+          - file: filebeat/configuring-ssl-logstash.md
+          - file: filebeat/linux-seccomp.md
+      - file: filebeat/troubleshooting.md
+        children:
+          - file: filebeat/getting-help.md
+          - file: filebeat/enable-filebeat-debugging.md
+          - file: filebeat/understand-filebeat-logs.md
+          - file: filebeat/faq.md
+            children:
+              - file: filebeat/filebeat-kubernetes-metadata-error-extracting-container-id.md
+              - file: filebeat/filebeat-network-volumes.md
+              - file: filebeat/filebeat-not-collecting-lines.md
+              - file: filebeat/open-file-handlers.md
+              - file: filebeat/reduce-registry-size.md
+              - file: filebeat/inode-reuse-issue.md
+              - file: filebeat/file-log-rotation.md
+              - file: filebeat/windows-file-rotation.md
+              - file: filebeat/filebeat-cpu.md
+              - file: filebeat/dashboard-fields-incorrect-filebeat.md
+              - file: filebeat/fields-not-indexed.md
+              - file: filebeat/newline-character-required-eof.md
+              - file: filebeat/faq-deleted-files-are-not-freed.md
+              - file: filebeat/bandwidth-throttling.md
+              - file: filebeat/error-loading-config.md
+              - file: filebeat/error-found-unexpected-character.md
+              - file: filebeat/connection-problem.md
+              - file: filebeat/publishing-ls-fails-connection-reset-by-peer.md
+              - file: filebeat/metadata-missing.md
+              - file: filebeat/diff-logstash-beats.md
+              - file: filebeat/ssl-client-fails.md
+              - file: filebeat/monitoring-shows-fewer-than-expected-beats.md
+              - file: filebeat/could-not-locate-index-pattern.md
+              - file: filebeat/madvdontneed-rss.md
+      - file: filebeat/contributing-to-beats.md
+  - file: heartbeat/heartbeat.md
+    children:
+      - file: heartbeat/heartbeat-overview.md
+      - file: heartbeat/heartbeat-installation-configuration.md
+      - file: heartbeat/setting-up-running.md
+        children:
+          - file: heartbeat/directory-layout.md
+          - file: heartbeat/keystore.md
+          - file: heartbeat/command-line-options.md
+          - file: heartbeat/setup-repositories.md
+          - file: heartbeat/running-on-docker.md
+          - file: heartbeat/running-on-kubernetes.md
+          - file: heartbeat/running-with-systemd.md
+          - file: heartbeat/shutdown.md
+      - file: heartbeat/configuring-howto-heartbeat.md
+        children:
+          - file: heartbeat/configuration-heartbeat-options.md
+            children:
+              - file: heartbeat/monitor-options.md
+              - file: heartbeat/monitor-icmp-options.md
+              - file: heartbeat/monitor-tcp-options.md
+              - file: heartbeat/monitor-http-options.md
+          - file: heartbeat/monitors-scheduler.md
+          - file: heartbeat/configuration-general-options.md
+          - file: heartbeat/configuration-path.md
+          - file: heartbeat/configuring-output.md
+            children:
+              - file: heartbeat/configure-cloud-id.md
+              - file: heartbeat/elasticsearch-output.md
+              - file: heartbeat/logstash-output.md
+              - file: heartbeat/kafka-output.md
+              - file: heartbeat/redis-output.md
+              - file: heartbeat/file-output.md
+              - file: heartbeat/console-output.md
+              - file: heartbeat/discard-output.md
+              - file: heartbeat/configuration-output-codec.md
+          - file: heartbeat/configuration-kerberos.md
+          - file: heartbeat/configuration-ssl.md
+          - file: heartbeat/ilm.md
+          - file: heartbeat/configuration-template.md
+          - file: heartbeat/filtering-enhancing-data.md
+            children:
+              - file: heartbeat/defining-processors.md
+              - file: heartbeat/add-cloud-metadata.md
+              - file: heartbeat/add-cloudfoundry-metadata.md
+              - file: heartbeat/add-docker-metadata.md
+              - file: heartbeat/add-fields.md
+              - file: heartbeat/add-host-metadata.md
+              - file: heartbeat/add-id.md
+              - file: heartbeat/add-kubernetes-metadata.md
+              - file: heartbeat/add-labels.md
+              - file: heartbeat/add-locale.md
+              - file: heartbeat/add-network-direction.md
+              - file: heartbeat/add-nomad-metadata.md
+              - file: heartbeat/add-observer-metadata.md
+              - file: heartbeat/add-process-metadata.md
+              - file: heartbeat/add-tags.md
+              - file: heartbeat/append.md
+              - file: heartbeat/community-id.md
+              - file: heartbeat/convert.md
+              - file: heartbeat/copy-fields.md
+              - file: heartbeat/decode-base64-field.md
+              - file: heartbeat/decode-duration.md
+              - file: heartbeat/decode-json-fields.md
+              - file: heartbeat/decode-xml.md
+              - file: heartbeat/decode-xml-wineventlog.md
+              - file: heartbeat/decompress-gzip-field.md
+              - file: heartbeat/detect-mime-type.md
+              - file: heartbeat/dissect.md
+              - file: heartbeat/processor-dns.md
+              - file: heartbeat/drop-event.md
+              - file: heartbeat/drop-fields.md
+              - file: heartbeat/extract-array.md
+              - file: heartbeat/fingerprint.md
+              - file: heartbeat/include-fields.md
+              - file: heartbeat/move-fields.md
+              - file: heartbeat/rate-limit.md
+              - file: heartbeat/processor-registered-domain.md
+              - file: heartbeat/rename-fields.md
+              - file: heartbeat/replace-fields.md
+              - file: heartbeat/processor-script.md
+              - file: heartbeat/syslog.md
+              - file: heartbeat/processor-translate-guid.md
+              - file: heartbeat/processor-translate-sid.md
+              - file: heartbeat/truncate-fields.md
+              - file: heartbeat/urldecode.md
+          - file: heartbeat/configuration-autodiscover.md
+            children:
+              - file: heartbeat/configuration-autodiscover-hints.md
+              - file: heartbeat/configuration-autodiscover-advanced.md
+          - file: heartbeat/configuring-internal-queue.md
+          - file: heartbeat/configuration-logging.md
+          - file: heartbeat/http-endpoint.md
+          - file: heartbeat/regexp-support.md
+          - file: heartbeat/configuration-instrumentation.md
+          - file: heartbeat/configuration-feature-flags.md
+          - file: heartbeat/heartbeat-reference-yml.md
+      - file: heartbeat/howto-guides.md
+        children:
+          - file: heartbeat/configuration-observer-options.md
+          - file: heartbeat/heartbeat-template.md
+          - file: heartbeat/change-index-name.md
+          - file: heartbeat/heartbeat-geoip.md
+          - file: heartbeat/using-environ-vars.md
+          - file: heartbeat/configuring-ingest-node.md
+          - file: heartbeat/yaml-tips.md
+      - file: heartbeat/exported-fields.md
+        children:
+          - file: heartbeat/exported-fields-beat-common.md
+          - file: heartbeat/exported-fields-browser.md
+          - file: heartbeat/exported-fields-cloud.md
+          - file: heartbeat/exported-fields-common.md
+          - file: heartbeat/exported-fields-docker-processor.md
+          - file: heartbeat/exported-fields-ecs.md
+          - file: heartbeat/exported-fields-host-processor.md
+          - file: heartbeat/exported-fields-http.md
+          - file: heartbeat/exported-fields-icmp.md
+          - file: heartbeat/exported-fields-jolokia-autodiscover.md
+          - file: heartbeat/exported-fields-kubernetes-processor.md
+          - file: heartbeat/exported-fields-process.md
+          - file: heartbeat/exported-fields-resolve.md
+          - file: heartbeat/exported-fields-service.md
+          - file: heartbeat/exported-fields-socks5.md
+          - file: heartbeat/exported-fields-state.md
+          - file: heartbeat/exported-fields-summary.md
+          - file: heartbeat/exported-fields-synthetics.md
+          - file: heartbeat/exported-fields-tcp.md
+          - file: heartbeat/exported-fields-tls.md
+      - file: heartbeat/monitoring.md
+        children:
+          - file: heartbeat/monitoring-internal-collection.md
+            children:
+              - file: heartbeat/configuration-monitor.md
+          - file: heartbeat/monitoring-metricbeat-collection.md
+      - file: heartbeat/securing-heartbeat.md
+        children:
+          - file: heartbeat/feature-roles.md
+            children:
+              - file: heartbeat/privileges-to-setup-beats.md
+              - file: heartbeat/privileges-to-publish-monitoring.md
+              - file: heartbeat/privileges-to-publish-events.md
+              - file: heartbeat/kibana-user-privileges.md
+              - file: heartbeat/learn-more-security.md
+          - file: heartbeat/beats-api-keys.md
+          - file: heartbeat/securing-communication-elasticsearch.md
+          - file: heartbeat/configuring-ssl-logstash.md
+          - file: heartbeat/linux-seccomp.md
+      - file: heartbeat/troubleshooting.md
+        children:
+          - file: heartbeat/getting-help.md
+          - file: heartbeat/enable-heartbeat-debugging.md
+          - file: heartbeat/understand-heartbeat-logs.md
+          - file: heartbeat/faq.md
+            children:
+              - file: heartbeat/bandwidth-throttling.md
+              - file: heartbeat/error-loading-config.md
+              - file: heartbeat/error-found-unexpected-character.md
+              - file: heartbeat/connection-problem.md
+              - file: heartbeat/publishing-ls-fails-connection-reset-by-peer.md
+              - file: heartbeat/metadata-missing.md
+              - file: heartbeat/diff-logstash-beats.md
+              - file: heartbeat/ssl-client-fails.md
+              - file: heartbeat/monitoring-shows-fewer-than-expected-beats.md
+              - file: heartbeat/madvdontneed-rss.md
+      - file: heartbeat/contributing-to-beats.md
+  - file: metricbeat/metricbeat.md
+    children:
+      - file: metricbeat/metricbeat-overview.md
+      - file: metricbeat/metricbeat-installation-configuration.md
+      - file: metricbeat/setting-up-running.md
+        children:
+          - file: metricbeat/directory-layout.md
+          - file: metricbeat/keystore.md
+          - file: metricbeat/command-line-options.md
+          - file: metricbeat/setup-repositories.md
+          - file: metricbeat/running-on-docker.md
+          - file: metricbeat/running-on-kubernetes.md
+          - file: metricbeat/running-on-cloudfoundry.md
+          - file: metricbeat/running-with-systemd.md
+          - file: metricbeat/metricbeat-starting.md
+          - file: metricbeat/shutdown.md
+      - file: metricbeat/upgrading-metricbeat.md
+      - file: metricbeat/how-metricbeat-works.md
+        children:
+          - file: metricbeat/metricbeat-event-structure.md
+          - file: metricbeat/error-event-structure.md
+          - file: metricbeat/key-features.md
+      - file: metricbeat/configuring-howto-metricbeat.md
+        children:
+          - file: metricbeat/configuration-metricbeat.md
+          - file: metricbeat/configuration-general-options.md
+          - file: metricbeat/configuration-path.md
+          - file: metricbeat/metricbeat-configuration-reloading.md
+            children:
+              - file: metricbeat/_live_reloading.md
+          - file: metricbeat/configuring-output.md
+            children:
+              - file: metricbeat/configure-cloud-id.md
+              - file: metricbeat/elasticsearch-output.md
+              - file: metricbeat/logstash-output.md
+              - file: metricbeat/kafka-output.md
+              - file: metricbeat/redis-output.md
+              - file: metricbeat/file-output.md
+              - file: metricbeat/console-output.md
+              - file: metricbeat/discard-output.md
+              - file: metricbeat/configuration-output-codec.md
+          - file: metricbeat/configuration-kerberos.md
+          - file: metricbeat/configuration-ssl.md
+          - file: metricbeat/ilm.md
+          - file: metricbeat/configuration-template.md
+          - file: metricbeat/setup-kibana-endpoint.md
+          - file: metricbeat/configuration-dashboards.md
+          - file: metricbeat/filtering-enhancing-data.md
+            children:
+              - file: metricbeat/defining-processors.md
+              - file: metricbeat/add-cloud-metadata.md
+              - file: metricbeat/add-cloudfoundry-metadata.md
+              - file: metricbeat/add-docker-metadata.md
+              - file: metricbeat/add-fields.md
+              - file: metricbeat/add-host-metadata.md
+              - file: metricbeat/add-id.md
+              - file: metricbeat/add-kubernetes-metadata.md
+              - file: metricbeat/add-labels.md
+              - file: metricbeat/add-locale.md
+              - file: metricbeat/add-network-direction.md
+              - file: metricbeat/add-nomad-metadata.md
+              - file: metricbeat/add-observer-metadata.md
+              - file: metricbeat/add-process-metadata.md
+              - file: metricbeat/add-tags.md
+              - file: metricbeat/append.md
+              - file: metricbeat/community-id.md
+              - file: metricbeat/convert.md
+              - file: metricbeat/copy-fields.md
+              - file: metricbeat/decode-base64-field.md
+              - file: metricbeat/decode-duration.md
+              - file: metricbeat/decode-json-fields.md
+              - file: metricbeat/decode-xml.md
+              - file: metricbeat/decode-xml-wineventlog.md
+              - file: metricbeat/decompress-gzip-field.md
+              - file: metricbeat/detect-mime-type.md
+              - file: metricbeat/dissect.md
+              - file: metricbeat/processor-dns.md
+              - file: metricbeat/drop-event.md
+              - file: metricbeat/drop-fields.md
+              - file: metricbeat/extract-array.md
+              - file: metricbeat/fingerprint.md
+              - file: metricbeat/include-fields.md
+              - file: metricbeat/move-fields.md
+              - file: metricbeat/rate-limit.md
+              - file: metricbeat/processor-registered-domain.md
+              - file: metricbeat/rename-fields.md
+              - file: metricbeat/replace-fields.md
+              - file: metricbeat/processor-script.md
+              - file: metricbeat/syslog.md
+              - file: metricbeat/processor-translate-guid.md
+              - file: metricbeat/processor-translate-sid.md
+              - file: metricbeat/truncate-fields.md
+              - file: metricbeat/urldecode.md
+          - file: metricbeat/configuration-autodiscover.md
+            children:
+              - file: metricbeat/configuration-autodiscover-hints.md
+              - file: metricbeat/configuration-autodiscover-advanced.md
+          - file: metricbeat/configuring-internal-queue.md
+          - file: metricbeat/configuration-logging.md
+          - file: metricbeat/http-endpoint.md
+          - file: metricbeat/regexp-support.md
+          - file: metricbeat/configuration-instrumentation.md
+          - file: metricbeat/configuration-feature-flags.md
+          - file: metricbeat/metricbeat-reference-yml.md
+      - file: metricbeat/howto-guides.md
+        children:
+          - file: metricbeat/metricbeat-template.md
+          - file: metricbeat/change-index-name.md
+          - file: metricbeat/load-kibana-dashboards.md
+          - file: metricbeat/metricbeat-geoip.md
+          - file: metricbeat/using-environ-vars.md
+          - file: metricbeat/configuring-ingest-node.md
+          - file: metricbeat/yaml-tips.md
+      - file: metricbeat/metricbeat-modules.md
+        children:
+          - file: metricbeat/metricbeat-module-activemq.md
+            children:
+              - file: metricbeat/metricbeat-metricset-activemq-broker.md
+              - file: metricbeat/metricbeat-metricset-activemq-queue.md
+              - file: metricbeat/metricbeat-metricset-activemq-topic.md
+          - file: metricbeat/metricbeat-module-aerospike.md
+            children:
+              - file: metricbeat/metricbeat-metricset-aerospike-namespace.md
+          - file: metricbeat/metricbeat-module-airflow.md
+            children:
+              - file: metricbeat/metricbeat-metricset-airflow-statsd.md
+          - file: metricbeat/metricbeat-module-apache.md
+            children:
+              - file: metricbeat/metricbeat-metricset-apache-status.md
+          - file: metricbeat/metricbeat-module-aws.md
+            children:
+              - file: metricbeat/metricbeat-metricset-aws-awshealth.md
+              - file: metricbeat/metricbeat-metricset-aws-billing.md
+              - file: metricbeat/metricbeat-metricset-aws-cloudwatch.md
+              - file: metricbeat/metricbeat-metricset-aws-dynamodb.md
+              - file: metricbeat/metricbeat-metricset-aws-ebs.md
+              - file: metricbeat/metricbeat-metricset-aws-ec2.md
+              - file: metricbeat/metricbeat-metricset-aws-elb.md
+              - file: metricbeat/metricbeat-metricset-aws-kinesis.md
+              - file: metricbeat/metricbeat-metricset-aws-lambda.md
+              - file: metricbeat/metricbeat-metricset-aws-natgateway.md
+              - file: metricbeat/metricbeat-metricset-aws-rds.md
+              - file: metricbeat/metricbeat-metricset-aws-s3_daily_storage.md
+              - file: metricbeat/metricbeat-metricset-aws-s3_request.md
+              - file: metricbeat/metricbeat-metricset-aws-sns.md
+              - file: metricbeat/metricbeat-metricset-aws-sqs.md
+              - file: metricbeat/metricbeat-metricset-aws-transitgateway.md
+              - file: metricbeat/metricbeat-metricset-aws-usage.md
+              - file: metricbeat/metricbeat-metricset-aws-vpn.md
+          - file: metricbeat/metricbeat-module-awsfargate.md
+            children:
+              - file: metricbeat/metricbeat-metricset-awsfargate-task_stats.md
+          - file: metricbeat/metricbeat-module-azure.md
+            children:
+              - file: metricbeat/metricbeat-metricset-azure-app_insights.md
+              - file: metricbeat/metricbeat-metricset-azure-app_state.md
+              - file: metricbeat/metricbeat-metricset-azure-billing.md
+              - file: metricbeat/metricbeat-metricset-azure-compute_vm.md
+              - file: metricbeat/metricbeat-metricset-azure-compute_vm_scaleset.md
+              - file: metricbeat/metricbeat-metricset-azure-container_instance.md
+              - file: metricbeat/metricbeat-metricset-azure-container_registry.md
+              - file: metricbeat/metricbeat-metricset-azure-container_service.md
+              - file: metricbeat/metricbeat-metricset-azure-database_account.md
+              - file: metricbeat/metricbeat-metricset-azure-monitor.md
+              - file: metricbeat/metricbeat-metricset-azure-storage.md
+          - file: metricbeat/metricbeat-module-beat.md
+            children:
+              - file: metricbeat/metricbeat-metricset-beat-state.md
+              - file: metricbeat/metricbeat-metricset-beat-stats.md
+          - file: metricbeat/metricbeat-module-benchmark.md
+            children:
+              - file: metricbeat/metricbeat-metricset-benchmark-info.md
+          - file: metricbeat/metricbeat-module-ceph.md
+            children:
+              - file: metricbeat/metricbeat-metricset-ceph-cluster_disk.md
+              - file: metricbeat/metricbeat-metricset-ceph-cluster_health.md
+              - file: metricbeat/metricbeat-metricset-ceph-cluster_status.md
+              - file: metricbeat/metricbeat-metricset-ceph-mgr_cluster_disk.md
+              - file: metricbeat/metricbeat-metricset-ceph-mgr_cluster_health.md
+              - file: metricbeat/metricbeat-metricset-ceph-mgr_osd_perf.md
+              - file: metricbeat/metricbeat-metricset-ceph-mgr_osd_pool_stats.md
+              - file: metricbeat/metricbeat-metricset-ceph-mgr_osd_tree.md
+              - file: metricbeat/metricbeat-metricset-ceph-mgr_pool_disk.md
+              - file: metricbeat/metricbeat-metricset-ceph-monitor_health.md
+              - file: metricbeat/metricbeat-metricset-ceph-osd_df.md
+              - file: metricbeat/metricbeat-metricset-ceph-osd_tree.md
+              - file: metricbeat/metricbeat-metricset-ceph-pool_disk.md
+          - file: metricbeat/metricbeat-module-cloudfoundry.md
+            children:
+              - file: metricbeat/metricbeat-metricset-cloudfoundry-container.md
+              - file: metricbeat/metricbeat-metricset-cloudfoundry-counter.md
+              - file: metricbeat/metricbeat-metricset-cloudfoundry-value.md
+          - file: metricbeat/metricbeat-module-cockroachdb.md
+            children:
+              - file: metricbeat/metricbeat-metricset-cockroachdb-status.md
+          - file: metricbeat/metricbeat-module-consul.md
+            children:
+              - file: metricbeat/metricbeat-metricset-consul-agent.md
+          - file: metricbeat/metricbeat-module-containerd.md
+            children:
+              - file: metricbeat/metricbeat-metricset-containerd-blkio.md
+              - file: metricbeat/metricbeat-metricset-containerd-cpu.md
+              - file: metricbeat/metricbeat-metricset-containerd-memory.md
+          - file: metricbeat/metricbeat-module-coredns.md
+            children:
+              - file: metricbeat/metricbeat-metricset-coredns-stats.md
+          - file: metricbeat/metricbeat-module-couchbase.md
+            children:
+              - file: metricbeat/metricbeat-metricset-couchbase-bucket.md
+              - file: metricbeat/metricbeat-metricset-couchbase-cluster.md
+              - file: metricbeat/metricbeat-metricset-couchbase-node.md
+          - file: metricbeat/metricbeat-module-couchdb.md
+            children:
+              - file: metricbeat/metricbeat-metricset-couchdb-server.md
+          - file: metricbeat/metricbeat-module-docker.md
+            children:
+              - file: metricbeat/metricbeat-metricset-docker-container.md
+              - file: metricbeat/metricbeat-metricset-docker-cpu.md
+              - file: metricbeat/metricbeat-metricset-docker-diskio.md
+              - file: metricbeat/metricbeat-metricset-docker-event.md
+              - file: metricbeat/metricbeat-metricset-docker-healthcheck.md
+              - file: metricbeat/metricbeat-metricset-docker-image.md
+              - file: metricbeat/metricbeat-metricset-docker-info.md
+              - file: metricbeat/metricbeat-metricset-docker-memory.md
+              - file: metricbeat/metricbeat-metricset-docker-network.md
+              - file: metricbeat/metricbeat-metricset-docker-network_summary.md
+          - file: metricbeat/metricbeat-module-dropwizard.md
+            children:
+              - file: metricbeat/metricbeat-metricset-dropwizard-collector.md
+          - file: metricbeat/metricbeat-module-elasticsearch.md
+            children:
+              - file: metricbeat/metricbeat-metricset-elasticsearch-ccr.md
+              - file: metricbeat/metricbeat-metricset-elasticsearch-cluster_stats.md
+              - file: metricbeat/metricbeat-metricset-elasticsearch-enrich.md
+              - file: metricbeat/metricbeat-metricset-elasticsearch-index.md
+              - file: metricbeat/metricbeat-metricset-elasticsearch-index_recovery.md
+              - file: metricbeat/metricbeat-metricset-elasticsearch-index_summary.md
+              - file: metricbeat/metricbeat-metricset-elasticsearch-ingest_pipeline.md
+              - file: metricbeat/metricbeat-metricset-elasticsearch-ml_job.md
+              - file: metricbeat/metricbeat-metricset-elasticsearch-node.md
+              - file: metricbeat/metricbeat-metricset-elasticsearch-node_stats.md
+              - file: metricbeat/metricbeat-metricset-elasticsearch-pending_tasks.md
+              - file: metricbeat/metricbeat-metricset-elasticsearch-shard.md
+          - file: metricbeat/metricbeat-module-envoyproxy.md
+            children:
+              - file: metricbeat/metricbeat-metricset-envoyproxy-server.md
+          - file: metricbeat/metricbeat-module-etcd.md
+            children:
+              - file: metricbeat/metricbeat-metricset-etcd-leader.md
+              - file: metricbeat/metricbeat-metricset-etcd-metrics.md
+              - file: metricbeat/metricbeat-metricset-etcd-self.md
+              - file: metricbeat/metricbeat-metricset-etcd-store.md
+          - file: metricbeat/metricbeat-module-gcp.md
+            children:
+              - file: metricbeat/metricbeat-metricset-gcp-billing.md
+              - file: metricbeat/metricbeat-metricset-gcp-carbon.md
+              - file: metricbeat/metricbeat-metricset-gcp-compute.md
+              - file: metricbeat/metricbeat-metricset-gcp-dataproc.md
+              - file: metricbeat/metricbeat-metricset-gcp-firestore.md
+              - file: metricbeat/metricbeat-metricset-gcp-gke.md
+              - file: metricbeat/metricbeat-metricset-gcp-loadbalancing.md
+              - file: metricbeat/metricbeat-metricset-gcp-metrics.md
+              - file: metricbeat/metricbeat-metricset-gcp-pubsub.md
+              - file: metricbeat/metricbeat-metricset-gcp-storage.md
+          - file: metricbeat/metricbeat-module-golang.md
+            children:
+              - file: metricbeat/metricbeat-metricset-golang-expvar.md
+              - file: metricbeat/metricbeat-metricset-golang-heap.md
+          - file: metricbeat/metricbeat-module-graphite.md
+            children:
+              - file: metricbeat/metricbeat-metricset-graphite-server.md
+          - file: metricbeat/metricbeat-module-haproxy.md
+            children:
+              - file: metricbeat/metricbeat-metricset-haproxy-info.md
+              - file: metricbeat/metricbeat-metricset-haproxy-stat.md
+          - file: metricbeat/metricbeat-module-http.md
+            children:
+              - file: metricbeat/metricbeat-metricset-http-json.md
+              - file: metricbeat/metricbeat-metricset-http-server.md
+          - file: metricbeat/metricbeat-module-ibmmq.md
+            children:
+              - file: metricbeat/metricbeat-metricset-ibmmq-qmgr.md
+          - file: metricbeat/metricbeat-module-iis.md
+            children:
+              - file: metricbeat/metricbeat-metricset-iis-application_pool.md
+              - file: metricbeat/metricbeat-metricset-iis-webserver.md
+              - file: metricbeat/metricbeat-metricset-iis-website.md
+          - file: metricbeat/metricbeat-module-istio.md
+            children:
+              - file: metricbeat/metricbeat-metricset-istio-citadel.md
+              - file: metricbeat/metricbeat-metricset-istio-galley.md
+              - file: metricbeat/metricbeat-metricset-istio-istiod.md
+              - file: metricbeat/metricbeat-metricset-istio-mesh.md
+              - file: metricbeat/metricbeat-metricset-istio-mixer.md
+              - file: metricbeat/metricbeat-metricset-istio-pilot.md
+              - file: metricbeat/metricbeat-metricset-istio-proxy.md
+          - file: metricbeat/metricbeat-module-jolokia.md
+            children:
+              - file: metricbeat/metricbeat-metricset-jolokia-jmx.md
+          - file: metricbeat/metricbeat-module-kafka.md
+            children:
+              - file: metricbeat/metricbeat-metricset-kafka-broker.md
+              - file: metricbeat/metricbeat-metricset-kafka-consumer.md
+              - file: metricbeat/metricbeat-metricset-kafka-consumergroup.md
+              - file: metricbeat/metricbeat-metricset-kafka-partition.md
+              - file: metricbeat/metricbeat-metricset-kafka-producer.md
+          - file: metricbeat/metricbeat-module-kibana.md
+            children:
+              - file: metricbeat/metricbeat-metricset-kibana-cluster_actions.md
+              - file: metricbeat/metricbeat-metricset-kibana-cluster_rules.md
+              - file: metricbeat/metricbeat-metricset-kibana-node_actions.md
+              - file: metricbeat/metricbeat-metricset-kibana-node_rules.md
+              - file: metricbeat/metricbeat-metricset-kibana-settings.md
+              - file: metricbeat/metricbeat-metricset-kibana-stats.md
+              - file: metricbeat/metricbeat-metricset-kibana-status.md
+          - file: metricbeat/metricbeat-module-kubernetes.md
+            children:
+              - file: metricbeat/metricbeat-metricset-kubernetes-apiserver.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-container.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-controllermanager.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-event.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-node.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-pod.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-proxy.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-scheduler.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-state_container.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-state_cronjob.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-state_daemonset.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-state_deployment.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-state_job.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-state_node.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-state_persistentvolumeclaim.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-state_pod.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-state_replicaset.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-state_resourcequota.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-state_service.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-state_statefulset.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-state_storageclass.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-system.md
+              - file: metricbeat/metricbeat-metricset-kubernetes-volume.md
+          - file: metricbeat/metricbeat-module-kvm.md
+            children:
+              - file: metricbeat/metricbeat-metricset-kvm-dommemstat.md
+              - file: metricbeat/metricbeat-metricset-kvm-status.md
+          - file: metricbeat/metricbeat-module-linux.md
+            children:
+              - file: metricbeat/metricbeat-metricset-linux-conntrack.md
+              - file: metricbeat/metricbeat-metricset-linux-iostat.md
+              - file: metricbeat/metricbeat-metricset-linux-ksm.md
+              - file: metricbeat/metricbeat-metricset-linux-memory.md
+              - file: metricbeat/metricbeat-metricset-linux-pageinfo.md
+              - file: metricbeat/metricbeat-metricset-linux-pressure.md
+              - file: metricbeat/metricbeat-metricset-linux-rapl.md
+          - file: metricbeat/metricbeat-module-logstash.md
+            children:
+              - file: metricbeat/metricbeat-metricset-logstash-node.md
+              - file: metricbeat/metricbeat-metricset-logstash-node_stats.md
+          - file: metricbeat/metricbeat-module-memcached.md
+            children:
+              - file: metricbeat/metricbeat-metricset-memcached-stats.md
+          - file: metricbeat/metricbeat-module-meraki.md
+            children:
+              - file: metricbeat/metricbeat-metricset-meraki-device_health.md
+          - file: metricbeat/metricbeat-module-mongodb.md
+            children:
+              - file: metricbeat/metricbeat-metricset-mongodb-collstats.md
+              - file: metricbeat/metricbeat-metricset-mongodb-dbstats.md
+              - file: metricbeat/metricbeat-metricset-mongodb-metrics.md
+              - file: metricbeat/metricbeat-metricset-mongodb-replstatus.md
+              - file: metricbeat/metricbeat-metricset-mongodb-status.md
+          - file: metricbeat/metricbeat-module-mssql.md
+            children:
+              - file: metricbeat/metricbeat-metricset-mssql-performance.md
+              - file: metricbeat/metricbeat-metricset-mssql-transaction_log.md
+          - file: metricbeat/metricbeat-module-munin.md
+            children:
+              - file: metricbeat/metricbeat-metricset-munin-node.md
+          - file: metricbeat/metricbeat-module-mysql.md
+            children:
+              - file: metricbeat/metricbeat-metricset-mysql-galera_status.md
+              - file: metricbeat/_galera_status_metricset.md
+              - file: metricbeat/metricbeat-metricset-mysql-performance.md
+              - file: metricbeat/metricbeat-metricset-mysql-query.md
+              - file: metricbeat/metricbeat-metricset-mysql-status.md
+          - file: metricbeat/metricbeat-module-nats.md
+            children:
+              - file: metricbeat/metricbeat-metricset-nats-connection.md
+              - file: metricbeat/metricbeat-metricset-nats-connections.md
+              - file: metricbeat/metricbeat-metricset-nats-route.md
+              - file: metricbeat/metricbeat-metricset-nats-routes.md
+              - file: metricbeat/metricbeat-metricset-nats-stats.md
+              - file: metricbeat/metricbeat-metricset-nats-subscriptions.md
+          - file: metricbeat/metricbeat-module-nginx.md
+            children:
+              - file: metricbeat/metricbeat-metricset-nginx-stubstatus.md
+          - file: metricbeat/metricbeat-module-openai.md
+            children:
+              - file: metricbeat/metricbeat-metricset-openai-usage.md
+          - file: metricbeat/metricbeat-module-openmetrics.md
+            children:
+              - file: metricbeat/metricbeat-metricset-openmetrics-collector.md
+          - file: metricbeat/metricbeat-module-oracle.md
+            children:
+              - file: metricbeat/metricbeat-metricset-oracle-performance.md
+              - file: metricbeat/metricbeat-metricset-oracle-sysmetric.md
+              - file: metricbeat/metricbeat-metricset-oracle-tablespace.md
+          - file: metricbeat/metricbeat-module-panw.md
+            children:
+              - file: metricbeat/metricbeat-metricset-panw-interfaces.md
+              - file: metricbeat/metricbeat-metricset-panw-routing.md
+              - file: metricbeat/metricbeat-metricset-panw-system.md
+              - file: metricbeat/metricbeat-metricset-panw-vpn.md
+          - file: metricbeat/metricbeat-module-php_fpm.md
+            children:
+              - file: metricbeat/metricbeat-metricset-php_fpm-pool.md
+              - file: metricbeat/metricbeat-metricset-php_fpm-process.md
+          - file: metricbeat/metricbeat-module-postgresql.md
+            children:
+              - file: metricbeat/metricbeat-metricset-postgresql-activity.md
+              - file: metricbeat/metricbeat-metricset-postgresql-bgwriter.md
+              - file: metricbeat/metricbeat-metricset-postgresql-database.md
+              - file: metricbeat/metricbeat-metricset-postgresql-statement.md
+          - file: metricbeat/metricbeat-module-prometheus.md
+            children:
+              - file: metricbeat/metricbeat-metricset-prometheus-collector.md
+              - file: metricbeat/metricbeat-metricset-prometheus-query.md
+              - file: metricbeat/metricbeat-metricset-prometheus-remote_write.md
+          - file: metricbeat/metricbeat-module-rabbitmq.md
+            children:
+              - file: metricbeat/metricbeat-metricset-rabbitmq-connection.md
+              - file: metricbeat/metricbeat-metricset-rabbitmq-exchange.md
+              - file: metricbeat/metricbeat-metricset-rabbitmq-node.md
+              - file: metricbeat/metricbeat-metricset-rabbitmq-queue.md
+              - file: metricbeat/metricbeat-metricset-rabbitmq-shovel.md
+          - file: metricbeat/metricbeat-module-redis.md
+            children:
+              - file: metricbeat/metricbeat-metricset-redis-info.md
+              - file: metricbeat/metricbeat-metricset-redis-key.md
+              - file: metricbeat/metricbeat-metricset-redis-keyspace.md
+          - file: metricbeat/metricbeat-module-redisenterprise.md
+            children:
+              - file: metricbeat/metricbeat-metricset-redisenterprise-node.md
+              - file: metricbeat/metricbeat-metricset-redisenterprise-proxy.md
+          - file: metricbeat/metricbeat-module-sql.md
+            children:
+              - file: metricbeat/_host_setup.md
+              - file: metricbeat/metricbeat-metricset-sql-query.md
+          - file: metricbeat/metricbeat-module-stan.md
+            children:
+              - file: metricbeat/metricbeat-metricset-stan-channels.md
+              - file: metricbeat/metricbeat-metricset-stan-stats.md
+              - file: metricbeat/metricbeat-metricset-stan-subscriptions.md
+          - file: metricbeat/metricbeat-module-statsd.md
+            children:
+              - file: metricbeat/_metricsets_70.md
+              - file: metricbeat/metricbeat-metricset-statsd-server.md
+          - file: metricbeat/metricbeat-module-syncgateway.md
+            children:
+              - file: metricbeat/metricbeat-metricset-syncgateway-db.md
+              - file: metricbeat/metricbeat-metricset-syncgateway-memory.md
+              - file: metricbeat/metricbeat-metricset-syncgateway-replication.md
+              - file: metricbeat/metricbeat-metricset-syncgateway-resources.md
+          - file: metricbeat/metricbeat-module-system.md
+            children:
+              - file: metricbeat/metricbeat-metricset-system-core.md
+              - file: metricbeat/metricbeat-metricset-system-cpu.md
+              - file: metricbeat/metricbeat-metricset-system-diskio.md
+              - file: metricbeat/metricbeat-metricset-system-entropy.md
+              - file: metricbeat/metricbeat-metricset-system-filesystem.md
+              - file: metricbeat/metricbeat-metricset-system-fsstat.md
+              - file: metricbeat/metricbeat-metricset-system-load.md
+              - file: metricbeat/metricbeat-metricset-system-memory.md
+              - file: metricbeat/metricbeat-metricset-system-network.md
+              - file: metricbeat/metricbeat-metricset-system-network_summary.md
+              - file: metricbeat/metricbeat-metricset-system-process.md
+              - file: metricbeat/metricbeat-metricset-system-process_summary.md
+              - file: metricbeat/metricbeat-metricset-system-raid.md
+              - file: metricbeat/metricbeat-metricset-system-service.md
+              - file: metricbeat/metricbeat-metricset-system-socket.md
+              - file: metricbeat/metricbeat-metricset-system-socket_summary.md
+              - file: metricbeat/metricbeat-metricset-system-uptime.md
+              - file: metricbeat/metricbeat-metricset-system-users.md
+          - file: metricbeat/metricbeat-module-tomcat.md
+            children:
+              - file: metricbeat/metricbeat-metricset-tomcat-cache.md
+              - file: metricbeat/metricbeat-metricset-tomcat-memory.md
+              - file: metricbeat/metricbeat-metricset-tomcat-requests.md
+              - file: metricbeat/metricbeat-metricset-tomcat-threading.md
+          - file: metricbeat/metricbeat-module-traefik.md
+            children:
+              - file: metricbeat/metricbeat-metricset-traefik-health.md
+          - file: metricbeat/metricbeat-module-uwsgi.md
+            children:
+              - file: metricbeat/metricbeat-metricset-uwsgi-status.md
+          - file: metricbeat/metricbeat-module-vsphere.md
+            children:
+              - file: metricbeat/metricbeat-metricset-vsphere-cluster.md
+              - file: metricbeat/metricbeat-metricset-vsphere-datastore.md
+              - file: metricbeat/metricbeat-metricset-vsphere-datastorecluster.md
+              - file: metricbeat/metricbeat-metricset-vsphere-host.md
+              - file: metricbeat/metricbeat-metricset-vsphere-network.md
+              - file: metricbeat/metricbeat-metricset-vsphere-resourcepool.md
+              - file: metricbeat/metricbeat-metricset-vsphere-virtualmachine.md
+          - file: metricbeat/metricbeat-module-windows.md
+            children:
+              - file: metricbeat/metricbeat-metricset-windows-perfmon.md
+              - file: metricbeat/metricbeat-metricset-windows-service.md
+              - file: metricbeat/metricbeat-metricset-windows-wmi.md
+          - file: metricbeat/metricbeat-module-zookeeper.md
+            children:
+              - file: metricbeat/metricbeat-metricset-zookeeper-connection.md
+              - file: metricbeat/metricbeat-metricset-zookeeper-mntr.md
+              - file: metricbeat/metricbeat-metricset-zookeeper-server.md
+      - file: metricbeat/exported-fields.md
+        children:
+          - file: metricbeat/exported-fields-activemq.md
+          - file: metricbeat/exported-fields-aerospike.md
+          - file: metricbeat/exported-fields-airflow.md
+          - file: metricbeat/exported-fields-apache.md
+          - file: metricbeat/exported-fields-aws.md
+          - file: metricbeat/exported-fields-awsfargate.md
+          - file: metricbeat/exported-fields-azure.md
+          - file: metricbeat/exported-fields-beat-common.md
+          - file: metricbeat/exported-fields-beat.md
+          - file: metricbeat/exported-fields-benchmark.md
+          - file: metricbeat/exported-fields-ceph.md
+          - file: metricbeat/exported-fields-cloud.md
+          - file: metricbeat/exported-fields-cloudfoundry.md
+          - file: metricbeat/exported-fields-cockroachdb.md
+          - file: metricbeat/exported-fields-common.md
+          - file: metricbeat/exported-fields-consul.md
+          - file: metricbeat/exported-fields-containerd.md
+          - file: metricbeat/exported-fields-coredns.md
+          - file: metricbeat/exported-fields-couchbase.md
+          - file: metricbeat/exported-fields-couchdb.md
+          - file: metricbeat/exported-fields-docker-processor.md
+          - file: metricbeat/exported-fields-docker.md
+          - file: metricbeat/exported-fields-dropwizard.md
+          - file: metricbeat/exported-fields-ecs.md
+          - file: metricbeat/exported-fields-elasticsearch.md
+          - file: metricbeat/exported-fields-envoyproxy.md
+          - file: metricbeat/exported-fields-etcd.md
+          - file: metricbeat/exported-fields-gcp.md
+          - file: metricbeat/exported-fields-golang.md
+          - file: metricbeat/exported-fields-graphite.md
+          - file: metricbeat/exported-fields-haproxy.md
+          - file: metricbeat/exported-fields-host-processor.md
+          - file: metricbeat/exported-fields-http.md
+          - file: metricbeat/exported-fields-ibmmq.md
+          - file: metricbeat/exported-fields-iis.md
+          - file: metricbeat/exported-fields-istio.md
+          - file: metricbeat/exported-fields-jolokia.md
+          - file: metricbeat/exported-fields-jolokia-autodiscover.md
+          - file: metricbeat/exported-fields-kafka.md
+          - file: metricbeat/exported-fields-kibana.md
+          - file: metricbeat/exported-fields-kubernetes-processor.md
+          - file: metricbeat/exported-fields-kubernetes.md
+          - file: metricbeat/exported-fields-kvm.md
+          - file: metricbeat/exported-fields-linux.md
+          - file: metricbeat/exported-fields-logstash.md
+          - file: metricbeat/exported-fields-memcached.md
+          - file: metricbeat/exported-fields-mongodb.md
+          - file: metricbeat/exported-fields-mssql.md
+          - file: metricbeat/exported-fields-munin.md
+          - file: metricbeat/exported-fields-mysql.md
+          - file: metricbeat/exported-fields-nats.md
+          - file: metricbeat/exported-fields-nginx.md
+          - file: metricbeat/exported-fields-openai.md
+          - file: metricbeat/exported-fields-openmetrics.md
+          - file: metricbeat/exported-fields-oracle.md
+          - file: metricbeat/exported-fields-panw.md
+          - file: metricbeat/exported-fields-php_fpm.md
+          - file: metricbeat/exported-fields-postgresql.md
+          - file: metricbeat/exported-fields-process.md
+          - file: metricbeat/exported-fields-prometheus.md
+          - file: metricbeat/exported-fields-prometheus-xpack.md
+          - file: metricbeat/exported-fields-rabbitmq.md
+          - file: metricbeat/exported-fields-redis.md
+          - file: metricbeat/exported-fields-redisenterprise.md
+          - file: metricbeat/exported-fields-sql.md
+          - file: metricbeat/exported-fields-stan.md
+          - file: metricbeat/exported-fields-statsd.md
+          - file: metricbeat/exported-fields-syncgateway.md
+          - file: metricbeat/exported-fields-system.md
+          - file: metricbeat/exported-fields-tomcat.md
+          - file: metricbeat/exported-fields-traefik.md
+          - file: metricbeat/exported-fields-uwsgi.md
+          - file: metricbeat/exported-fields-vsphere.md
+          - file: metricbeat/exported-fields-windows.md
+          - file: metricbeat/exported-fields-zookeeper.md
+      - file: metricbeat/monitoring.md
+        children:
+          - file: metricbeat/monitoring-internal-collection.md
+            children:
+              - file: metricbeat/configuration-monitor.md
+          - file: metricbeat/monitoring-metricbeat-collection.md
+      - file: metricbeat/securing-metricbeat.md
+        children:
+          - file: metricbeat/feature-roles.md
+            children:
+              - file: metricbeat/privileges-to-setup-beats.md
+              - file: metricbeat/privileges-to-publish-monitoring.md
+              - file: metricbeat/privileges-to-publish-events.md
+              - file: metricbeat/kibana-user-privileges.md
+              - file: metricbeat/learn-more-security.md
+          - file: metricbeat/beats-api-keys.md
+          - file: metricbeat/securing-communication-elasticsearch.md
+          - file: metricbeat/configuring-ssl-logstash.md
+          - file: metricbeat/linux-seccomp.md
+      - file: metricbeat/troubleshooting.md
+        children:
+          - file: metricbeat/getting-help.md
+          - file: metricbeat/enable-metricbeat-debugging.md
+          - file: metricbeat/understand-metricbeat-logs.md
+          - file: metricbeat/faq.md
+            children:
+              - file: metricbeat/freebsd-no-such-file.md
+              - file: metricbeat/faq-unexpected-metrics.md
+              - file: metricbeat/bandwidth-throttling.md
+              - file: metricbeat/error-loading-config.md
+              - file: metricbeat/error-found-unexpected-character.md
+              - file: metricbeat/connection-problem.md
+              - file: metricbeat/publishing-ls-fails-connection-reset-by-peer.md
+              - file: metricbeat/metadata-missing.md
+              - file: metricbeat/diff-logstash-beats.md
+              - file: metricbeat/ssl-client-fails.md
+              - file: metricbeat/monitoring-shows-fewer-than-expected-beats.md
+              - file: metricbeat/could-not-locate-index-pattern.md
+              - file: metricbeat/madvdontneed-rss.md
+      - file: metricbeat/contributing-to-beats.md
+  - file: packetbeat/packetbeat.md
+    children:
+      - file: packetbeat/packetbeat-overview.md
+      - file: packetbeat/packetbeat-installation-configuration.md
+      - file: packetbeat/setting-up-running.md
+        children:
+          - file: packetbeat/directory-layout.md
+          - file: packetbeat/keystore.md
+          - file: packetbeat/command-line-options.md
+          - file: packetbeat/setup-repositories.md
+          - file: packetbeat/running-on-docker.md
+          - file: packetbeat/running-with-systemd.md
+          - file: packetbeat/packetbeat-starting.md
+          - file: packetbeat/shutdown.md
+      - file: packetbeat/upgrading-packetbeat.md
+      - file: packetbeat/configuring-howto-packetbeat.md
+        children:
+          - file: packetbeat/configuration-interfaces.md
+          - file: packetbeat/configuration-flows.md
+          - file: packetbeat/configuration-protocols.md
+            children:
+              - file: packetbeat/common-protocol-options.md
+              - file: packetbeat/packetbeat-icmp-options.md
+              - file: packetbeat/packetbeat-dns-options.md
+              - file: packetbeat/packetbeat-http-options.md
+              - file: packetbeat/packetbeat-amqp-options.md
+              - file: packetbeat/configuration-cassandra.md
+              - file: packetbeat/packetbeat-memcache-options.md
+              - file: packetbeat/packetbeat-mysql-options.md
+              - file: packetbeat/packetbeat-pgsql-options.md
+              - file: packetbeat/configuration-thrift.md
+              - file: packetbeat/configuration-mongodb.md
+              - file: packetbeat/configuration-tls.md
+              - file: packetbeat/packetbeat-redis-options.md
+          - file: packetbeat/configuration-processes.md
+          - file: packetbeat/configuration-general-options.md
+          - file: packetbeat/configuration-path.md
+          - file: packetbeat/configuring-output.md
+            children:
+              - file: packetbeat/configure-cloud-id.md
+              - file: packetbeat/elasticsearch-output.md
+              - file: packetbeat/logstash-output.md
+              - file: packetbeat/kafka-output.md
+              - file: packetbeat/redis-output.md
+              - file: packetbeat/file-output.md
+              - file: packetbeat/console-output.md
+              - file: packetbeat/discard-output.md
+              - file: packetbeat/configuration-output-codec.md
+          - file: packetbeat/configuration-kerberos.md
+          - file: packetbeat/configuration-ssl.md
+          - file: packetbeat/ilm.md
+          - file: packetbeat/configuration-template.md
+          - file: packetbeat/setup-kibana-endpoint.md
+          - file: packetbeat/configuration-dashboards.md
+          - file: packetbeat/filtering-enhancing-data.md
+            children:
+              - file: packetbeat/defining-processors.md
+              - file: packetbeat/add-cloud-metadata.md
+              - file: packetbeat/add-cloudfoundry-metadata.md
+              - file: packetbeat/add-docker-metadata.md
+              - file: packetbeat/add-fields.md
+              - file: packetbeat/add-host-metadata.md
+              - file: packetbeat/add-id.md
+              - file: packetbeat/add-kubernetes-metadata.md
+              - file: packetbeat/add-labels.md
+              - file: packetbeat/add-locale.md
+              - file: packetbeat/add-network-direction.md
+              - file: packetbeat/add-nomad-metadata.md
+              - file: packetbeat/add-observer-metadata.md
+              - file: packetbeat/add-process-metadata.md
+              - file: packetbeat/add-tags.md
+              - file: packetbeat/append.md
+              - file: packetbeat/community-id.md
+              - file: packetbeat/convert.md
+              - file: packetbeat/copy-fields.md
+              - file: packetbeat/decode-base64-field.md
+              - file: packetbeat/decode-duration.md
+              - file: packetbeat/decode-json-fields.md
+              - file: packetbeat/decode-xml.md
+              - file: packetbeat/decode-xml-wineventlog.md
+              - file: packetbeat/decompress-gzip-field.md
+              - file: packetbeat/detect-mime-type.md
+              - file: packetbeat/dissect.md
+              - file: packetbeat/processor-dns.md
+              - file: packetbeat/drop-event.md
+              - file: packetbeat/drop-fields.md
+              - file: packetbeat/extract-array.md
+              - file: packetbeat/fingerprint.md
+              - file: packetbeat/include-fields.md
+              - file: packetbeat/move-fields.md
+              - file: packetbeat/rate-limit.md
+              - file: packetbeat/processor-registered-domain.md
+              - file: packetbeat/rename-fields.md
+              - file: packetbeat/replace-fields.md
+              - file: packetbeat/syslog.md
+              - file: packetbeat/processor-translate-guid.md
+              - file: packetbeat/processor-translate-sid.md
+              - file: packetbeat/truncate-fields.md
+              - file: packetbeat/urldecode.md
+          - file: packetbeat/configuring-internal-queue.md
+          - file: packetbeat/configuration-logging.md
+          - file: packetbeat/http-endpoint.md
+            children:
+              - file: packetbeat/protocol-metrics-packetbeat.md
+          - file: packetbeat/configuration-instrumentation.md
+          - file: packetbeat/configuration-feature-flags.md
+          - file: packetbeat/packetbeat-reference-yml.md
+      - file: packetbeat/howto-guides.md
+        children:
+          - file: packetbeat/packetbeat-template.md
+          - file: packetbeat/change-index-name.md
+          - file: packetbeat/load-kibana-dashboards.md
+          - file: packetbeat/packetbeat-geoip.md
+          - file: packetbeat/load-ingest-pipelines.md
+          - file: packetbeat/using-environ-vars.md
+          - file: packetbeat/configuring-ingest-node.md
+          - file: packetbeat/yaml-tips.md
+      - file: packetbeat/exported-fields.md
+        children:
+          - file: packetbeat/exported-fields-amqp.md
+          - file: packetbeat/exported-fields-beat-common.md
+          - file: packetbeat/exported-fields-cassandra.md
+          - file: packetbeat/exported-fields-cloud.md
+          - file: packetbeat/exported-fields-common.md
+          - file: packetbeat/exported-fields-dhcpv4.md
+          - file: packetbeat/exported-fields-dns.md
+          - file: packetbeat/exported-fields-docker-processor.md
+          - file: packetbeat/exported-fields-ecs.md
+          - file: packetbeat/exported-fields-flows_event.md
+          - file: packetbeat/exported-fields-host-processor.md
+          - file: packetbeat/exported-fields-http.md
+          - file: packetbeat/exported-fields-icmp.md
+          - file: packetbeat/exported-fields-jolokia-autodiscover.md
+          - file: packetbeat/exported-fields-kubernetes-processor.md
+          - file: packetbeat/exported-fields-memcache.md
+          - file: packetbeat/exported-fields-mongodb.md
+          - file: packetbeat/exported-fields-mysql.md
+          - file: packetbeat/exported-fields-nfs.md
+          - file: packetbeat/exported-fields-pgsql.md
+          - file: packetbeat/exported-fields-process.md
+          - file: packetbeat/exported-fields-raw.md
+          - file: packetbeat/exported-fields-redis.md
+          - file: packetbeat/exported-fields-sip.md
+          - file: packetbeat/exported-fields-thrift.md
+          - file: packetbeat/exported-fields-tls_detailed.md
+          - file: packetbeat/exported-fields-trans_event.md
+          - file: packetbeat/exported-fields-trans_measurements.md
+      - file: packetbeat/monitoring.md
+        children:
+          - file: packetbeat/monitoring-internal-collection.md
+            children:
+              - file: packetbeat/configuration-monitor.md
+          - file: packetbeat/monitoring-metricbeat-collection.md
+      - file: packetbeat/securing-packetbeat.md
+        children:
+          - file: packetbeat/feature-roles.md
+            children:
+              - file: packetbeat/privileges-to-setup-beats.md
+              - file: packetbeat/privileges-to-publish-monitoring.md
+              - file: packetbeat/privileges-to-publish-events.md
+              - file: packetbeat/kibana-user-privileges.md
+              - file: packetbeat/learn-more-security.md
+          - file: packetbeat/beats-api-keys.md
+          - file: packetbeat/securing-communication-elasticsearch.md
+          - file: packetbeat/configuring-ssl-logstash.md
+          - file: packetbeat/linux-seccomp.md
+      - file: packetbeat/visualizing-data-packetbeat.md
+        children:
+          - file: packetbeat/customizing-discover.md
+          - file: packetbeat/kibana-queries-filters.md
+      - file: packetbeat/troubleshooting.md
+        children:
+          - file: packetbeat/getting-help.md
+          - file: packetbeat/enable-packetbeat-debugging.md
+          - file: packetbeat/understand-packetbeat-logs.md
+          - file: packetbeat/recording-trace.md
+          - file: packetbeat/faq.md
+            children:
+              - file: packetbeat/dashboard-fields-incorrect.md
+              - file: packetbeat/packetbeat-mirror-ports.md
+              - file: packetbeat/packetbeat-loopback-interface.md
+              - file: packetbeat/packetbeat-missing-transactions.md
+              - file: packetbeat/mysql-no-data.md
+              - file: packetbeat/bandwidth-throttling.md
+              - file: packetbeat/error-loading-config.md
+              - file: packetbeat/error-found-unexpected-character.md
+              - file: packetbeat/connection-problem.md
+              - file: packetbeat/publishing-ls-fails-connection-reset-by-peer.md
+              - file: packetbeat/metadata-missing.md
+              - file: packetbeat/diff-logstash-beats.md
+              - file: packetbeat/ssl-client-fails.md
+              - file: packetbeat/monitoring-shows-fewer-than-expected-beats.md
+              - file: packetbeat/could-not-locate-index-pattern.md
+              - file: packetbeat/madvdontneed-rss.md
+              - file: packetbeat/refresh-index-pattern.md
+      - file: packetbeat/contributing-to-beats.md
+  - file: winlogbeat/winlogbeat.md
+    children:
+      - file: winlogbeat/_winlogbeat_overview.md
+      - file: winlogbeat/winlogbeat-installation-configuration.md
+      - file: winlogbeat/setting-up-running.md
+        children:
+          - file: winlogbeat/directory-layout.md
+          - file: winlogbeat/keystore.md
+          - file: winlogbeat/command-line-options.md
+          - file: winlogbeat/winlogbeat-starting.md
+          - file: winlogbeat/shutdown.md
+      - file: winlogbeat/upgrading-winlogbeat.md
+      - file: winlogbeat/configuring-howto-winlogbeat.md
+        children:
+          - file: winlogbeat/configuration-winlogbeat-options.md
+          - file: winlogbeat/configuration-general-options.md
+          - file: winlogbeat/configuration-path.md
+          - file: winlogbeat/configuring-output.md
+            children:
+              - file: winlogbeat/configure-cloud-id.md
+              - file: winlogbeat/elasticsearch-output.md
+              - file: winlogbeat/logstash-output.md
+              - file: winlogbeat/kafka-output.md
+              - file: winlogbeat/redis-output.md
+              - file: winlogbeat/file-output.md
+              - file: winlogbeat/console-output.md
+              - file: winlogbeat/discard-output.md
+              - file: winlogbeat/configuration-output-codec.md
+          - file: winlogbeat/configuration-kerberos.md
+          - file: winlogbeat/configuration-ssl.md
+          - file: winlogbeat/ilm.md
+          - file: winlogbeat/configuration-template.md
+          - file: winlogbeat/setup-kibana-endpoint.md
+          - file: winlogbeat/configuration-dashboards.md
+          - file: winlogbeat/filtering-enhancing-data.md
+            children:
+              - file: winlogbeat/defining-processors.md
+              - file: winlogbeat/add-cloud-metadata.md
+              - file: winlogbeat/add-cloudfoundry-metadata.md
+              - file: winlogbeat/add-docker-metadata.md
+              - file: winlogbeat/add-fields.md
+              - file: winlogbeat/add-host-metadata.md
+              - file: winlogbeat/add-id.md
+              - file: winlogbeat/add-kubernetes-metadata.md
+              - file: winlogbeat/add-labels.md
+              - file: winlogbeat/add-locale.md
+              - file: winlogbeat/add-network-direction.md
+              - file: winlogbeat/add-nomad-metadata.md
+              - file: winlogbeat/add-observer-metadata.md
+              - file: winlogbeat/add-process-metadata.md
+              - file: winlogbeat/add-tags.md
+              - file: winlogbeat/append.md
+              - file: winlogbeat/community-id.md
+              - file: winlogbeat/convert.md
+              - file: winlogbeat/copy-fields.md
+              - file: winlogbeat/decode-base64-field.md
+              - file: winlogbeat/decode-duration.md
+              - file: winlogbeat/decode-json-fields.md
+              - file: winlogbeat/decode-xml.md
+              - file: winlogbeat/decode-xml-wineventlog.md
+              - file: winlogbeat/decompress-gzip-field.md
+              - file: winlogbeat/detect-mime-type.md
+              - file: winlogbeat/dissect.md
+              - file: winlogbeat/processor-dns.md
+              - file: winlogbeat/drop-event.md
+              - file: winlogbeat/drop-fields.md
+              - file: winlogbeat/extract-array.md
+              - file: winlogbeat/fingerprint.md
+              - file: winlogbeat/include-fields.md
+              - file: winlogbeat/move-fields.md
+              - file: winlogbeat/rate-limit.md
+              - file: winlogbeat/processor-registered-domain.md
+              - file: winlogbeat/rename-fields.md
+              - file: winlogbeat/replace-fields.md
+              - file: winlogbeat/processor-script.md
+              - file: winlogbeat/syslog.md
+              - file: winlogbeat/processor-timestamp.md
+              - file: winlogbeat/processor-translate-guid.md
+              - file: winlogbeat/processor-translate-sid.md
+              - file: winlogbeat/truncate-fields.md
+              - file: winlogbeat/urldecode.md
+          - file: winlogbeat/configuring-internal-queue.md
+          - file: winlogbeat/configuration-logging.md
+          - file: winlogbeat/http-endpoint.md
+            children:
+              - file: winlogbeat/metrics-winlogbeat.md
+          - file: winlogbeat/configuration-instrumentation.md
+          - file: winlogbeat/winlogbeat-reference-yml.md
+      - file: winlogbeat/howto-guides.md
+        children:
+          - file: winlogbeat/winlogbeat-geoip.md
+          - file: winlogbeat/winlogbeat-template.md
+          - file: winlogbeat/change-index-name.md
+          - file: winlogbeat/load-kibana-dashboards.md
+          - file: winlogbeat/load-ingest-pipelines.md
+          - file: winlogbeat/using-environ-vars.md
+          - file: winlogbeat/configuring-ingest-node.md
+          - file: winlogbeat/yaml-tips.md
+      - file: winlogbeat/winlogbeat-modules.md
+        children:
+          - file: winlogbeat/winlogbeat-module-powershell.md
+          - file: winlogbeat/winlogbeat-module-security.md
+          - file: winlogbeat/winlogbeat-module-sysmon.md
+      - file: winlogbeat/exported-fields.md
+        children:
+          - file: winlogbeat/exported-fields-beat-common.md
+          - file: winlogbeat/exported-fields-cloud.md
+          - file: winlogbeat/exported-fields-docker-processor.md
+          - file: winlogbeat/exported-fields-ecs.md
+          - file: winlogbeat/exported-fields-eventlog.md
+          - file: winlogbeat/exported-fields-host-processor.md
+          - file: winlogbeat/exported-fields-jolokia-autodiscover.md
+          - file: winlogbeat/exported-fields-kubernetes-processor.md
+          - file: winlogbeat/exported-fields-powershell.md
+          - file: winlogbeat/exported-fields-process.md
+          - file: winlogbeat/exported-fields-security.md
+          - file: winlogbeat/exported-fields-sysmon.md
+          - file: winlogbeat/exported-fields-winlog.md
+      - file: winlogbeat/monitoring.md
+        children:
+          - file: winlogbeat/monitoring-internal-collection.md
+            children:
+              - file: winlogbeat/configuration-monitor.md
+          - file: winlogbeat/monitoring-metricbeat-collection.md
+      - file: winlogbeat/securing-winlogbeat.md
+        children:
+          - file: winlogbeat/feature-roles.md
+            children:
+              - file: winlogbeat/privileges-to-setup-beats.md
+              - file: winlogbeat/privileges-to-publish-monitoring.md
+              - file: winlogbeat/privileges-to-publish-events.md
+              - file: winlogbeat/kibana-user-privileges.md
+              - file: winlogbeat/learn-more-security.md
+          - file: winlogbeat/beats-api-keys.md
+          - file: winlogbeat/securing-communication-elasticsearch.md
+          - file: winlogbeat/configuring-ssl-logstash.md
+      - file: winlogbeat/troubleshooting.md
+        children:
+          - file: winlogbeat/getting-help.md
+          - file: winlogbeat/enable-winlogbeat-debugging.md
+          - file: winlogbeat/understand-winlogbeat-logs.md
+          - file: winlogbeat/faq.md
+            children:
+              - file: winlogbeat/dashboard-fields-incorrect.md
+              - file: winlogbeat/bogus-computer-name-fields.md
+              - file: winlogbeat/error-loading-config.md
+              - file: winlogbeat/error-found-unexpected-character.md
+              - file: winlogbeat/connection-problem.md
+              - file: winlogbeat/publishing-ls-fails-connection-reset-by-peer.md
+              - file: winlogbeat/metadata-missing.md
+              - file: winlogbeat/diff-logstash-beats.md
+              - file: winlogbeat/ssl-client-fails.md
+              - file: winlogbeat/monitoring-shows-fewer-than-expected-beats.md
+              - file: winlogbeat/could-not-locate-index-pattern.md
+              - file: winlogbeat/madvdontneed-rss.md
+              - file: winlogbeat/reading-from-evtx.md
+      - file: winlogbeat/contributing-to-beats.md
+  - file: libbeat/upgrading.md
+  - file: libbeat/community-beats.md
+  - file: libbeat/contributing-to-beats.md
+  - file: loggingplugin/elastic-logging-plugin-for-docker.md
+    children:
+      - file: loggingplugin/log-driver-installation.md
+      - file: loggingplugin/log-driver-configuration.md
+      - file: loggingplugin/log-driver-usage-examples.md
+      - file: loggingplugin/log-driver-limitations.md
diff --git a/docs/reference/winlogbeat/_winlogbeat_overview.md b/docs/reference/winlogbeat/_winlogbeat_overview.md
new file mode 100644
index 000000000000..4e53af36e0c3
--- /dev/null
+++ b/docs/reference/winlogbeat/_winlogbeat_overview.md
@@ -0,0 +1,21 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/index.html
+---
+
+# Winlogbeat Overview [_winlogbeat_overview]
+
+Winlogbeat ships Windows event logs to Elasticsearch or Logstash. You can install it as a Windows service.
+
+Winlogbeat reads from one or more event logs using Windows APIs, filters the events based on user-configured criteria, then sends the event data to the configured outputs (Elasticsearch or Logstash). Winlogbeat watches the event logs so that new event data is sent in a timely manner. The read position for each event log is persisted to disk to allow Winlogbeat to resume after restarts.
+
+Winlogbeat can capture event data from any event logs running on your system. For example, you can capture events such as:
+
+* application events
+* hardware events
+* security events
+* system events
+
+Winlogbeat is an Elastic [Beat](https://www.elastic.co/beats). It’s based on the `libbeat` framework. For more information, see the [Beats Platform Reference](/reference/index.md).
+
diff --git a/docs/reference/winlogbeat/add-cloud-metadata.md b/docs/reference/winlogbeat/add-cloud-metadata.md
new file mode 100644
index 000000000000..9316a61c19e2
--- /dev/null
+++ b/docs/reference/winlogbeat/add-cloud-metadata.md
@@ -0,0 +1,205 @@
+---
+navigation_title: "add_cloud_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/add-cloud-metadata.html
+---
+
+# Add cloud metadata [add-cloud-metadata]
+
+
+The `add_cloud_metadata` processor enriches each event with instance metadata from the machine’s hosting provider. At startup it will query a list of hosting providers and cache the instance metadata.
+
+The following cloud providers are supported:
+
+* Amazon Web Services (AWS)
+* Digital Ocean
+* Google Compute Engine (GCE)
+* [Tencent Cloud](https://www.qcloud.com/?lang=en) (QCloud)
+* Alibaba Cloud (ECS)
+* Huawei Cloud (ECS)
+* Azure Virtual Machine
+* Openstack Nova
+* Hetzner Cloud
+
+
+## Special notes [_special_notes]
+
+`huawei` is an alias for `openstack`. Huawei cloud runs on OpenStack platform, and when viewed from a metadata API standpoint, it is impossible to differentiate it from OpenStack. If you know that your deployments run on Huawei Cloud exclusively, and you wish to have `cloud.provider` value as `huawei`, you can achieve this by overwriting the value using an `add_fields` processor.
+
+The Alibaba Cloud and Tencent cloud providers are disabled by default, because they require to access a remote host. The `providers` setting allows users to select a list of default providers to query.
+
+Cloud providers tend to maintain metadata services compliant with other cloud providers. For example, Openstack supports [EC2 compliant metadat service](https://docs.openstack.org/nova/latest/user/metadata.html#ec2-compatible-metadata). This makes it impossible to differentiate cloud provider (`cloud.provider` property) with auto discovery (when `providers` configuration is omitted). The processor implementation incorporates a priority mechanism where priority is given to some providers over others when there are multiple successful metadata results. Currently, `aws/ec2` and `azure` have priority over any other provider as their metadata retrival rely on SDKs. The expectation here is that SDK methods should fail if run in an environment not configured accordingly (ex:- missing configurations or credentials).
+
+
+## Configurations [_configurations]
+
+The simple configuration below enables the processor.
+
+```yaml
+processors:
+  - add_cloud_metadata: ~
+```
+
+The `add_cloud_metadata` processor has three optional configuration settings. The first one is `timeout` which specifies the maximum amount of time to wait for a successful response when detecting the hosting provider. The default timeout value is `3s`.
+
+If a timeout occurs then no instance metadata will be added to the events. This makes it possible to enable this processor for all your deployments (in the cloud or on-premise).
+
+The second optional setting is `providers`. The `providers` settings accepts a list of cloud provider names to be used. If `providers` is not configured, then all providers that do not access a remote endpoint are enabled by default. The list of providers may alternatively be configured with the environment variable `BEATS_ADD_CLOUD_METADATA_PROVIDERS`, by setting it to a comma-separated list of provider names.
+
+List of names the `providers` setting supports:
+
+* "alibaba", or "ecs" for the Alibaba Cloud provider (disabled by default).
+* "azure" for Azure Virtual Machine (enabled by default). If the virtual machine is part of an AKS managed cluster, the fields `orchestrator.cluster.name` and `orchestrator.cluster.id` can also be retrieved. "TENANT_ID", "CLIENT_ID" and "CLIENT_SECRET" environment variables need to be set for authentication purposes. If not set we fallback to [DefaultAzureCredential](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication?tabs=bash#2-authenticate-with-azure) and user can choose different authentication methods (e.g. workload identity).
+* "digitalocean" for Digital Ocean (enabled by default).
+* "aws", or "ec2" for Amazon Web Services (enabled by default).
+* "gcp" for Google Copmute Enging (enabled by default).
+* "openstack", "nova", or "huawei" for Openstack Nova (enabled by default).
+* "openstack-ssl", or "nova-ssl" for Openstack Nova when SSL metadata APIs are enabled (enabled by default).
+* "tencent", or "qcloud" for Tencent Cloud (disabled by default).
+* "hetzner" for Hetzner Cloud (enabled by default).
+
+For example, configuration below only utilize `aws` metadata retrival mechanism,
+
+```yaml
+processors:
+  - add_cloud_metadata:
+      providers:
+        aws
+```
+
+The third optional configuration setting is `overwrite`. When `overwrite` is `true`, `add_cloud_metadata` overwrites existing `cloud.*` fields (`false` by default).
+
+The `add_cloud_metadata` processor supports SSL options to configure the http client used to query cloud metadata. See [SSL](/reference/winlogbeat/configuration-ssl.md) for more information.
+
+
+## Provided metadata [_provided_metadata]
+
+The metadata that is added to events varies by hosting provider. Below are examples for each of the supported providers.
+
+*AWS*
+
+Metadata given below are extracted from [instance identity document](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html),
+
+```json
+{
+  "cloud": {
+    "account.id": "123456789012",
+    "availability_zone": "us-east-1c",
+    "instance.id": "i-4e123456",
+    "machine.type": "t2.medium",
+    "image.id": "ami-abcd1234",
+    "provider": "aws",
+    "region": "us-east-1"
+  }
+}
+```
+
+If the EC2 instance has IMDS enabled and if tags are allowed through IMDS endpoint, the processor will further append tags in metadata. Please refer official documentation on [IMDS endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) for further details.
+
+```json
+{
+  "aws": {
+    "tags": {
+      "org" : "myOrg",
+      "owner": "userID"
+    }
+  }
+}
+```
+
+*Digital Ocean*
+
+```json
+{
+  "cloud": {
+    "instance.id": "1234567",
+    "provider": "digitalocean",
+    "region": "nyc2"
+  }
+}
+```
+
+*GCP*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "us-east1-b",
+    "instance.id": "1234556778987654321",
+    "machine.type": "f1-micro",
+    "project.id": "my-dev",
+    "provider": "gcp"
+  }
+}
+```
+
+*Tencent Cloud*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "gz-azone2",
+    "instance.id": "ins-qcloudv5",
+    "provider": "qcloud",
+    "region": "china-south-gz"
+  }
+}
+```
+
+*Alibaba Cloud*
+
+This metadata is only available when VPC is selected as the network type of the ECS instance.
+
+```json
+{
+  "cloud": {
+    "availability_zone": "cn-shenzhen",
+    "instance.id": "i-wz9g2hqiikg0aliyun2b",
+    "provider": "ecs",
+    "region": "cn-shenzhen-a"
+  }
+}
+```
+
+*Azure Virtual Machine*
+
+```json
+{
+  "cloud": {
+    "provider": "azure",
+    "instance.id": "04ab04c3-63de-4709-a9f9-9ab8c0411d5e",
+    "instance.name": "test-az-vm",
+    "machine.type": "Standard_D3_v2",
+    "region": "eastus2"
+  }
+}
+```
+
+*Openstack Nova*
+
+```json
+{
+  "cloud": {
+    "instance.name": "test-998d932195.mycloud.tld",
+    "instance.id": "i-00011a84",
+    "availability_zone": "xxxx-az-c",
+    "provider": "openstack",
+    "machine.type": "m2.large"
+  }
+}
+```
+
+*Hetzner Cloud*
+
+```json
+{
+  "cloud": {
+    "availability_zone": "hel1-dc2",
+    "instance.name": "my-hetzner-instance",
+    "instance.id": "111111",
+    "provider": "hetzner",
+    "region": "eu-central"
+  }
+}
+```
+
diff --git a/docs/reference/winlogbeat/add-cloudfoundry-metadata.md b/docs/reference/winlogbeat/add-cloudfoundry-metadata.md
new file mode 100644
index 000000000000..f41798673256
--- /dev/null
+++ b/docs/reference/winlogbeat/add-cloudfoundry-metadata.md
@@ -0,0 +1,70 @@
+---
+navigation_title: "add_cloudfoundry_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/add-cloudfoundry-metadata.html
+---
+
+# Add Cloud Foundry metadata [add-cloudfoundry-metadata]
+
+
+The `add_cloudfoundry_metadata` processor annotates each event with relevant metadata from Cloud Foundry applications. The events are annotated with Cloud Foundry metadata, only if the event contains a reference to a Cloud Foundry application (using field `cloudfoundry.app.id`) and the configured Cloud Foundry client is able to retrieve information for the application.
+
+Each event is annotated with:
+
+* Application Name
+* Space ID
+* Space Name
+* Organization ID
+* Organization Name
+
+::::{note}
+Pivotal Application Service and Tanzu Application Service include this metadata in all events from the firehose since version 2.8. In these cases the metadata in the events is used, and `add_cloudfoundry_metadata` processor doesn’t modify these fields.
+::::
+
+
+For efficient annotation, application metadata retrieved by the Cloud Foundry client is stored in a persistent cache on the filesystem under the `path.data` directory. This is done so the metadata can persist across restarts of Winlogbeat. For control over this cache, use the `cache_duration` and `cache_retry_delay` settings.
+
+```yaml
+processors:
+  - add_cloudfoundry_metadata:
+      api_address: https://api.dev.cfdev.sh
+      client_id: uaa-filebeat
+      client_secret: verysecret
+      ssl:
+        verification_mode: none
+      # To connect to Cloud Foundry over verified TLS you can specify a client and CA certificate.
+      #ssl:
+      #  certificate_authorities: ["/etc/pki/cf/ca.pem"]
+      #  certificate:              "/etc/pki/cf/cert.pem"
+      #  key:                      "/etc/pki/cf/cert.key"
+```
+
+It has the following settings:
+
+`api_address`
+:   (Optional) The URL of the Cloud Foundry API. It uses `http://api.bosh-lite.com` by default.
+
+`doppler_address`
+:   (Optional) The URL of the Cloud Foundry Doppler Websocket. It uses value from ${api_address}/v2/info by default.
+
+`uaa_address`
+:   (Optional) The URL of the Cloud Foundry UAA API. It uses value from ${api_address}/v2/info by default.
+
+`rlp_address`
+:   (Optional) The URL of the Cloud Foundry RLP Gateway. It uses value from ${api_address}/v2/info by default.
+
+`client_id`
+:   Client ID to authenticate with Cloud Foundry.
+
+`client_secret`
+:   Client Secret to authenticate with Cloud Foundry.
+
+`cache_duration`
+:   (Optional) Maximum amount of time to cache an application’s metadata. Defaults to 120 seconds.
+
+`cache_retry_delay`
+:   (Optional) Time to wait before trying to obtain an application’s metadata again in case of error. Defaults to 20 seconds.
+
+`ssl`
+:   (Optional) SSL configuration to use when connecting to Cloud Foundry.
+
diff --git a/docs/reference/winlogbeat/add-docker-metadata.md b/docs/reference/winlogbeat/add-docker-metadata.md
new file mode 100644
index 000000000000..7ee48d5d6705
--- /dev/null
+++ b/docs/reference/winlogbeat/add-docker-metadata.md
@@ -0,0 +1,80 @@
+---
+navigation_title: "add_docker_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/add-docker-metadata.html
+---
+
+# Add Docker metadata [add-docker-metadata]
+
+
+The `add_docker_metadata` processor annotates each event with relevant metadata from Docker containers. At startup it detects a docker environment and caches the metadata. The events are annotated with Docker metadata, only if a valid configuration is detected and the processor is able to reach Docker API.
+
+Each event is annotated with:
+
+* Container ID
+* Name
+* Image
+* Labels
+
+::::{note}
+When running Winlogbeat in a container, you need to provide access to Docker’s unix socket in order for the `add_docker_metadata` processor to work. You can do this by mounting the socket inside the container. For example:
+
+`docker run -v /var/run/docker.sock:/var/run/docker.sock ...`
+
+To avoid privilege issues, you may also need to add `--user=root` to the `docker run` flags. Because the user must be part of the docker group in order to access `/var/run/docker.sock`, root access is required if Winlogbeat is running as non-root inside the container.
+
+If Docker daemon is restarted the mounted socket will become invalid and metadata will stop working, in these situations there are two options:
+
+* Restart Winlogbeat every time Docker is restarted
+* Mount the entire `/var/run` directory (instead of just the socket)
+
+::::
+
+
+```yaml
+processors:
+  - add_docker_metadata:
+      host: "unix:///var/run/docker.sock"
+      #match_fields: ["system.process.cgroup.id"]
+      #match_pids: ["process.pid", "process.parent.pid"]
+      #match_source: true
+      #match_source_index: 4
+      #match_short_id: true
+      #cleanup_timeout: 60
+      #labels.dedot: false
+      # To connect to Docker over TLS you must specify a client and CA certificate.
+      #ssl:
+      #  certificate_authority: "/etc/pki/root/ca.pem"
+      #  certificate:           "/etc/pki/client/cert.pem"
+      #  key:                   "/etc/pki/client/cert.key"
+```
+
+It has the following settings:
+
+`host`
+:   (Optional) Docker socket (UNIX or TCP socket). It uses `unix:///var/run/docker.sock` by default.
+
+`ssl`
+:   (Optional) SSL configuration to use when connecting to the Docker socket.
+
+`match_fields`
+:   (Optional) A list of fields to match a container ID, at least one of them should hold a container ID to get the event enriched.
+
+`match_pids`
+:   (Optional) A list of fields that contain process IDs. If the process is running in Docker then the event will be enriched. The default value is `["process.pid", "process.parent.pid"]`.
+
+`match_source`
+:   (Optional) Match container ID from a log path present in the `log.file.path` field. Enabled by default.
+
+`match_short_id`
+:   (Optional) Match container short ID from a log path present in the `log.file.path` field. Disabled by default. This allows to match directories names that have the first 12 characters of the container ID. For example, `/var/log/containers/b7e3460e2b21/*.log`.
+
+`match_source_index`
+:   (Optional) Index in the source path split by `/` to look for container ID. It defaults to 4 to match `/var/lib/docker/containers/<container_id>/*.log`
+
+`cleanup_timeout`
+:   (Optional) Time of inactivity to consider we can clean and forget metadata for a container, 60s by default.
+
+`labels.dedot`
+:   (Optional) Default to be false. If set to true, replace dots in labels with `_`.
+
diff --git a/docs/reference/winlogbeat/add-fields.md b/docs/reference/winlogbeat/add-fields.md
new file mode 100644
index 000000000000..f4ae5ccca9de
--- /dev/null
+++ b/docs/reference/winlogbeat/add-fields.md
@@ -0,0 +1,51 @@
+---
+navigation_title: "add_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/add-fields.html
+---
+
+# Add fields [add-fields]
+
+
+The `add_fields` processor adds additional fields to the event.  Fields can be scalar values, arrays, dictionaries, or any nested combination of these. The `add_fields` processor will overwrite the target field if it already exists. By default the fields that you specify will be grouped under the `fields` sub-dictionary in the event. To group the fields under a different sub-dictionary, use the `target` setting. To store the fields as top-level fields, set `target: ''`.
+
+`target`
+:   (Optional) Sub-dictionary to put all fields into. Defaults to `fields`. Setting this to `@metadata` will add values to the event metadata instead of fields.
+
+`fields`
+:   Fields to be added.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_fields:
+      target: project
+      fields:
+        name: myproject
+        id: '574734885120952459'
+```
+
+Adds these fields to any event:
+
+```json
+{
+  "project": {
+    "name": "myproject",
+    "id": "574734885120952459"
+  }
+}
+```
+
+This configuration will alter the event metadata:
+
+```yaml
+processors:
+  - add_fields:
+      target: '@metadata'
+      fields:
+        op_type: "index"
+```
+
+When the event is ingested (e.g. by Elastisearch) the document will have `op_type: "index"` set as a metadata field.
+
diff --git a/docs/reference/winlogbeat/add-host-metadata.md b/docs/reference/winlogbeat/add-host-metadata.md
new file mode 100644
index 000000000000..5e89344a02e4
--- /dev/null
+++ b/docs/reference/winlogbeat/add-host-metadata.md
@@ -0,0 +1,92 @@
+---
+navigation_title: "add_host_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/add-host-metadata.html
+---
+
+# Add Host metadata [add-host-metadata]
+
+
+```yaml
+processors:
+  - add_host_metadata:
+      cache.ttl: 5m
+      geo:
+        name: nyc-dc1-rack1
+        location: 40.7128, -74.0060
+        continent_name: North America
+        country_iso_code: US
+        region_name: New York
+        region_iso_code: NY
+        city_name: New York
+```
+
+It has the following settings:
+
+`netinfo.enabled`
+:   (Optional) Default true. Include IP addresses and MAC addresses as fields host.ip and host.mac
+
+`cache.ttl`
+:   (Optional) The processor uses an internal cache for the host metadata. This sets the cache expiration time. The default is 5m, negative values disable caching altogether.
+
+`geo.name`
+:   (Optional) User definable token to be used for identifying a discrete location. Frequently a datacenter, rack, or similar.
+
+`geo.location`
+:   (Optional) Longitude and latitude in comma separated format.
+
+`geo.continent_name`
+:   (Optional) Name of the continent.
+
+`geo.country_name`
+:   (Optional) Name of the country.
+
+`geo.region_name`
+:   (Optional) Name of the region.
+
+`geo.city_name`
+:   (Optional) Name of the city.
+
+`geo.country_iso_code`
+:   (Optional) ISO country code.
+
+`geo.region_iso_code`
+:   (Optional) ISO region code.
+
+`replace_fields`
+:   (Optional) Default true. If set to false, original host fields from the event will not be replaced by host fields from `add_host_metadata`.
+
+The `add_host_metadata` processor annotates each event with relevant metadata from the host machine. The fields added to the event look like the following:
+
+```json
+{
+   "host":{
+      "architecture":"x86_64",
+      "name":"example-host",
+      "id":"",
+      "os":{
+         "family":"darwin",
+         "type":"macos",
+         "build":"16G1212",
+         "platform":"darwin",
+         "version":"10.12.6",
+         "kernel":"16.7.0",
+         "name":"Mac OS X"
+      },
+      "ip": ["192.168.0.1", "10.0.0.1"],
+      "mac": ["00:25:96:12:34:56", "72:00:06:ff:79:f1"],
+      "geo": {
+          "continent_name": "North America",
+          "country_iso_code": "US",
+          "region_name": "New York",
+          "region_iso_code": "NY",
+          "city_name": "New York",
+          "name": "nyc-dc1-rack1",
+          "location": "40.7128, -74.0060"
+        }
+   }
+}
+```
+
+Note: `add_host_metadata` processor will overwrite host fields if `host.*` fields already exist in the event from Beats by default with `replace_fields` equals to `true`. Please use `add_observer_metadata` if the beat is being used to monitor external systems.
+
diff --git a/docs/reference/winlogbeat/add-id.md b/docs/reference/winlogbeat/add-id.md
new file mode 100644
index 000000000000..1abd7ed6f666
--- /dev/null
+++ b/docs/reference/winlogbeat/add-id.md
@@ -0,0 +1,24 @@
+---
+navigation_title: "add_id"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/add-id.html
+---
+
+# Generate an ID for an event [add-id]
+
+
+The `add_id` processor generates a unique ID for an event.
+
+```yaml
+processors:
+  - add_id: ~
+```
+
+The following settings are supported:
+
+`target_field`
+:   (Optional) Field where the generated ID will be stored. Default is `@metadata._id`.
+
+`type`
+:   (Optional) Type of ID to generate. Currently only `elasticsearch` is supported and is the default. The `elasticsearch` type generates IDs using the same algorithm that Elasticsearch uses for auto-generating document IDs.
+
diff --git a/docs/reference/winlogbeat/add-kubernetes-metadata.md b/docs/reference/winlogbeat/add-kubernetes-metadata.md
new file mode 100644
index 000000000000..3bfb23aa4d52
--- /dev/null
+++ b/docs/reference/winlogbeat/add-kubernetes-metadata.md
@@ -0,0 +1,244 @@
+---
+navigation_title: "add_kubernetes_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/add-kubernetes-metadata.html
+---
+
+# Add Kubernetes metadata [add-kubernetes-metadata]
+
+
+The `add_kubernetes_metadata` processor annotates each event with relevant metadata based on which Kubernetes pod the event originated from. This processor only adds metadata to the events that do not have it yet present.
+
+At startup, it detects an `in_cluster` environment and caches the Kubernetes-related metadata. Events are only annotated if a valid configuration is detected. If it’s not able to detect a valid Kubernetes configuration, the events are not annotated with Kubernetes-related metadata.
+
+Each event is annotated with:
+
+* Pod Name
+* Pod UID
+* Namespace
+* Labels
+
+In addition, the node and namespace metadata are added to the pod metadata.
+
+The `add_kubernetes_metadata` processor has two basic building blocks:
+
+* Indexers
+* Matchers
+
+Indexers use pod metadata to create unique identifiers for each one of the pods. These identifiers help to correlate the metadata of the observed pods with actual events. For example, the `ip_port` indexer can take a Kubernetes pod and create identifiers for it based on all its `pod_ip:container_port` combinations.
+
+Matchers use information in events to construct lookup keys that match the identifiers created by the indexers. For example, when the `fields` matcher takes `["metricset.host"]` as a lookup field, it would construct a lookup key with the value of the field `metricset.host`. When one of these lookup keys matches with one of the identifiers, the event is enriched with the metadata of the identified pod.
+
+Each Beat can define its own default indexers and matchers which are enabled by default. For example, Filebeat enables the `container` indexer, which identifies pod metadata based on all container IDs, and a `logs_path` matcher, which takes the `log.file.path` field, extracts the container ID, and uses it to retrieve metadata.
+
+You can find more information about the available indexers and matchers, and some examples in [Indexers and matchers](#kubernetes-indexers-and-matchers).
+
+The configuration below enables the processor when winlogbeat is run as a pod in Kubernetes.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      # Defining indexers and matchers manually is required for winlogbeat, for instance:
+      #indexers:
+      #  - ip_port:
+      #matchers:
+      #  - fields:
+      #      lookup_fields: ["metricset.host"]
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The configuration below enables the processor on a Beat running as a process on the Kubernetes node.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      host: <hostname>
+      # If kube_config is not set, KUBECONFIG environment variable will be checked
+      # and if not present it will fall back to InCluster
+      kube_config: $Winlogbeat Reference/.kube/config
+      # Defining indexers and matchers manually is required for winlogbeat, for instance:
+      #indexers:
+      #  - ip_port:
+      #matchers:
+      #  - fields:
+      #      lookup_fields: ["metricset.host"]
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The configuration below has the default indexers and matchers disabled and enables ones that the user is interested in.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      host: <hostname>
+      # If kube_config is not set, KUBECONFIG environment variable will be checked
+      # and if not present it will fall back to InCluster
+      kube_config: ~/.kube/config
+      default_indexers.enabled: false
+      default_matchers.enabled: false
+      indexers:
+        - ip_port:
+      matchers:
+        - fields:
+            lookup_fields: ["metricset.host"]
+      #labels.dedot: true
+      #annotations.dedot: true
+```
+
+The `add_kubernetes_metadata` processor has the following configuration settings:
+
+`host`
+:   (Optional) Specify the node to scope winlogbeat to in case it cannot be accurately detected, as when running winlogbeat in host network mode.
+
+`scope`
+:   (Optional) Specify if the processor should have visibility at the node level or at the entire cluster level. Possible values are `node` and `cluster`. Scope is `node` by default.
+
+`namespace`
+:   (Optional) Select the namespace from which to collect the metadata. If it is not set, the processor collects metadata from all namespaces. It is unset by default.
+
+`add_resource_metadata`
+:   (Optional) Specify filters and configuration for the extra metadata, that will be added to the event. Configuration parameters:
+
+    * `node` or `namespace`: Specify labels and annotations filters for the extra metadata coming from node and namespace. By default all labels are included while annotations are not. To change default behaviour `include_labels`, `exclude_labels` and `include_annotations` can be defined. Those settings are useful when storing labels and annotations that require special handling to avoid overloading the storage output. Note: wildcards are not supported for those settings. The enrichment of `node` or `namespace` metadata can be individually disabled by setting `enabled: false`.
+    * `deployment`: If resource is `pod` and it is created from a `deployment`, by default the deployment name is added, this can be disabled by setting `deployment: false`.
+    * `cronjob`: If resource is `pod` and it is created from a `cronjob`, by default the cronjob name is added, this can be disabled by setting `cronjob: false`.
+
+        Example:
+
+
+```yaml
+      add_resource_metadata:
+        namespace:
+          include_labels: ["namespacelabel1"]
+          #labels.dedot: true
+          #annotations.dedot: true
+        node:
+          include_labels: ["nodelabel2"]
+          include_annotations: ["nodeannotation1"]
+          #labels.dedot: true
+          #annotations.dedot: true
+        deployment: false
+        cronjob: false
+```
+
+`kube_config`
+:   (Optional) Use given config file as configuration for Kubernetes client. It defaults to `KUBECONFIG` environment variable if present.
+
+`use_kubeadm`
+:   (Optional) Default true. By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
+
+`kube_client_options`
+:   (Optional) Additional options can be configured for Kubernetes client. Currently client QPS and burst are supported, if not set Kubernetes client’s [default QPS and burst](https://pkg.go.dev/k8s.io/client-go/rest#pkg-constants) will be used. Example:
+
+```yaml
+      kube_client_options:
+        qps: 5
+        burst: 10
+```
+
+`cleanup_timeout`
+:   (Optional) Specify the time of inactivity before stopping the running configuration for a container. This is `60s` by default.
+
+`sync_period`
+:   (Optional) Specify the timeout for listing historical resources.
+
+`default_indexers.enabled`
+:   (Optional) Enable or disable default pod indexers when you want to specify your own.
+
+`default_matchers.enabled`
+:   (Optional) Enable or disable default pod matchers when you want to specify your own.
+
+`labels.dedot`
+:   (Optional) Default to be true. If set to true, then `.` in labels will be replaced with `_`.
+
+`annotations.dedot`
+:   (Optional) Default to be true. If set to true, then `.` in labels will be replaced with `_`.
+
+
+## Indexers and matchers [kubernetes-indexers-and-matchers]
+
+## Indexers [_indexers]
+
+Indexers use pods metadata to create unique identifiers for each one of the pods.
+
+Available indexers are:
+
+`container`
+:   Identifies the pod metadata using the IDs of its containers.
+
+`ip_port`
+:   Identifies the pod metadata using combinations of its IP and its exposed ports. When using this indexer metadata is identified using the IP of the pods, and the combination if `ip:port` for each one of the ports exposed by its containers.
+
+`pod_name`
+:   Identifies the pod metadata using its namespace and its name as `namespace/pod_name`.
+
+`pod_uid`
+:   Identifies the pod metadata using the UID of the pod.
+
+
+## Matchers [_matchers]
+
+Matchers are used to construct the lookup keys that match with the identifiers created by indexes.
+
+### `field_format` [_field_format]
+
+Looks up pod metadata using a key created with a string format that can include event fields.
+
+This matcher has an option `format` to define the string format. This string format can contain placeholders for any field in the event.
+
+For example, the following configuration uses the `ip_port` indexer to identify the pod metadata by combinations of the pod IP and its exposed ports, and uses the destination IP and port in events as match keys:
+
+```yaml
+processors:
+- add_kubernetes_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - ip_port:
+    matchers:
+      - field_format:
+          format: '%{[destination.ip]}:%{[destination.port]}'
+```
+
+
+### `fields` [_fields]
+
+Looks up pod metadata using as key the value of some specific fields. When multiple fields are defined, the first one included in the event is used.
+
+This matcher has an option `lookup_fields` to define the files whose value will be used for lookup.
+
+For example, the following configuration uses the `ip_port` indexer to identify pods, and defines a matcher that uses the destination IP or the server IP for the lookup, the first it finds in the event:
+
+```yaml
+processors:
+- add_kubernetes_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - ip_port:
+    matchers:
+      - fields:
+          lookup_fields: ['destination.ip', 'server.ip']
+```
+
+It’s also possible to extract the matching key from fields using a regex pattern. The optional `regex_pattern` field can be used to set the pattern. The pattern **must** contain a capture group named `key`, whose value will be used as the matching key.
+
+For example, the following configuration uses the `container` indexer to identify containers by their id, and extracts the matching key from the cgroup id field added to system process metrics. This field has the form `cri-containerd-<id>.scope`, so we need a regex pattern to obtain the container id.
+
+```yaml
+processors:
+  - add_kubernetes_metadata:
+      indexers:
+        - container:
+      matchers:
+        - fields:
+            lookup_fields: ['system.process.cgroup.id']
+            regex_pattern: 'cri-containerd-(?P<key>[0-9a-z]+)\.scope'
+```
+
+
+
diff --git a/docs/reference/winlogbeat/add-labels.md b/docs/reference/winlogbeat/add-labels.md
new file mode 100644
index 000000000000..a2d1bfddd56d
--- /dev/null
+++ b/docs/reference/winlogbeat/add-labels.md
@@ -0,0 +1,45 @@
+---
+navigation_title: "add_labels"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/add-labels.html
+---
+
+# Add labels [add-labels]
+
+
+The `add_labels` processors adds a set of key-value pairs to an event. The processor will flatten nested configuration objects like arrays or dictionaries into a fully qualified name by merging nested names with a `.`. Array entries create numeric names starting with 0.  Labels are always stored under the Elastic Common Schema compliant `labels` sub-dictionary.
+
+`labels`
+:   dictionaries of labels to be added.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_labels:
+      labels:
+        number: 1
+        with.dots: test
+        nested:
+          with.dots: nested
+        array:
+          - do
+          - re
+          - with.field: mi
+```
+
+Adds these fields to every event:
+
+```json
+{
+  "labels": {
+    "number": 1,
+    "with.dots": "test",
+    "nested.with.dots": "nested",
+    "array.0": "do",
+    "array.1": "re",
+    "array.2.with.field": "mi"
+  }
+}
+```
+
diff --git a/docs/reference/winlogbeat/add-locale.md b/docs/reference/winlogbeat/add-locale.md
new file mode 100644
index 000000000000..9f30f9abe6f2
--- /dev/null
+++ b/docs/reference/winlogbeat/add-locale.md
@@ -0,0 +1,31 @@
+---
+navigation_title: "add_locale"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/add-locale.html
+---
+
+# Add the local time zone [add-locale]
+
+
+The `add_locale` processor enriches each event with the machine’s time zone offset from UTC or with the name of the time zone. It supports one configuration option named `format` that controls whether an offset or time zone abbreviation is added to the event. The default format is `offset`. The processor adds the a `event.timezone` value to each event.
+
+The configuration below enables the processor with the default settings.
+
+```yaml
+processors:
+  - add_locale: ~
+```
+
+This configuration enables the processor and configures it to add the time zone abbreviation to events.
+
+```yaml
+processors:
+  - add_locale:
+      format: abbreviation
+```
+
+::::{note}
+Please note that `add_locale` differentiates between daylight savings time (DST) and regular time. For example `CEST` indicates DST and and `CET` is regular time.
+::::
+
+
diff --git a/docs/reference/winlogbeat/add-network-direction.md b/docs/reference/winlogbeat/add-network-direction.md
new file mode 100644
index 000000000000..5124908f099f
--- /dev/null
+++ b/docs/reference/winlogbeat/add-network-direction.md
@@ -0,0 +1,22 @@
+---
+navigation_title: "add_network_direction"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/add-network-direction.html
+---
+
+# Add network direction [add-network-direction]
+
+
+The `add_network_direction` processor attempts to compute the perimeter-based network direction given an a source and destination ip address and list of internal networks. The key `internal_networks` can contain either CIDR blocks or a list of special values enumerated in the network section of [Conditions](/reference/winlogbeat/defining-processors.md#conditions).
+
+```yaml
+processors:
+  - add_network_direction:
+      source: source.ip
+      destination: destination.ip
+      target: network.direction
+      internal_networks: [ private ]
+```
+
+See [Conditions](/reference/winlogbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/winlogbeat/add-nomad-metadata.md b/docs/reference/winlogbeat/add-nomad-metadata.md
new file mode 100644
index 000000000000..c9f7f3331b96
--- /dev/null
+++ b/docs/reference/winlogbeat/add-nomad-metadata.md
@@ -0,0 +1,137 @@
+---
+navigation_title: "add_nomad_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/add-nomad-metadata.html
+---
+
+# Add Nomad metadata [add-nomad-metadata]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `add_nomad_metadata` processor adds fields with relevant metadata for applications deployed in Nomad.
+
+Each event is annotated with the following information:
+
+* Allocation name, identifier and status.
+* Job name and type.
+* Namespace where the job is deployed.
+* Datacenter and region where the agent running the allocation is located.
+
+```yaml
+processors:
+  - add_nomad_metadata: ~
+```
+
+It has the following settings to configure the connection:
+
+`address`
+:   (Optional) The URL of the agent API used to request the metadata. It uses `http://127.0.0.1:4646` by default.
+
+`namespace`
+:   (Optional) Namespace to watch. If set, only events for allocations in this namespace will be annotated.
+
+`region`
+:   (Optional) Region to watch. If set, only events for allocations in this region will be annotated.
+
+`secret_id`
+:   (Optional) SecretID to use when connecting with the agent API. This is an example ACL policy to apply to the token.
+
+```json
+namespace "*" {
+  policy = "read"
+}
+node {
+  policy = "read"
+}
+agent {
+  policy = "read"
+}
+```
+
+`refresh_interval`
+:   (Optional) Interval used to update the cached metadata. It defaults to 30 seconds.
+
+`cleanup_timeout`
+:   (Optional) After an allocation has been removed, time to wait before cleaning up their associated resources. This is useful if you expect to receive events after an allocation has been removed, which can happen when collecting logs. It defaults to 60 seconds.
+
+You can decide if Winlogbeat should annotate events related to allocations in local node or on the whole cluster configuring the scope with the following settings:
+
+`scope`
+:   (Optional) Scope of the resources to watch. It can be `node` to get metadata only for the allocations in a single agent, or `global`, to get metadata for allocations running on any agent. It defaults to `node`.
+
+`node`
+:   (Optional) When using `scope: node`, use `node` to specify the name of the local node if it cannot be discovered automatically.
+
+For example the following configuration could be used if Winlogbeat is collecting events from all the allocations in the cluster:
+
+```yaml
+processors:
+  - add_nomad_metadata:
+      scope: global
+```
+
+## Indexers and matchers [_indexers_and_matchers]
+
+Indexers and matchers are used to correlate fields in events with actual metadata. Winlogbeat uses this information to know what metadata to include in each event.
+
+### Indexers [_indexers_2]
+
+Indexers use allocation metadata to create unique identifiers for each one of the pods.
+
+Avaliable indexers are: `allocation_name`:: Identifies allocations by its name and namespace (as `<namespace>/<name>`) `allocation_uuid`:: Identifies allocations by its unique identifier.
+
+
+### Matchers [_matchers_2]
+
+Matchers are used to construct the lookup keys that match with the identifiers created by indexes.
+
+
+### `field_format` [_field_format_2]
+
+Looks up allocation metadata using a key created with a string format that can include event fields.
+
+This matcher has an option `format` to define the string format. This string format can contain placeholders for any field in the event.
+
+For example, the following configuration uses the `allocation_name` indexer to identify the allocation metadata by its name and namespace, and uses custom fields existing in the event as match keys:
+
+```yaml
+processors:
+- add_nomad_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - allocation_name:
+    matchers:
+      - field_format:
+          format: '%{[labels.nomad_namespace]}/%{[fields.nomad_alloc_name]}'
+```
+
+
+### `fields` [_fields_2]
+
+Looks up allocation metadata using as key the value of some specific fields. When multiple fields are defined, the first one included in the event is used.
+
+This matcher has an option `lookup_fields` to define the fields whose value will be used for lookup.
+
+For example, the following configuration uses the `allocation_uuid` indexer to identify allocations, and defines a matcher that uses some fields where the allocation UUID can be found for lookup, the first it finds in the event:
+
+```yaml
+processors:
+- add_nomad_metadata:
+    ...
+    default_indexers.enabled: false
+    default_matchers.enabled: false
+    indexers:
+      - allocation_uuid:
+    matchers:
+      - fields:
+          lookup_fields: ['host.name', 'fields.nomad_alloc_uuid']
+```
+
+
+
diff --git a/docs/reference/winlogbeat/add-observer-metadata.md b/docs/reference/winlogbeat/add-observer-metadata.md
new file mode 100644
index 000000000000..3c4746fb7db6
--- /dev/null
+++ b/docs/reference/winlogbeat/add-observer-metadata.md
@@ -0,0 +1,88 @@
+---
+navigation_title: "add_observer_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/add-observer-metadata.html
+---
+
+# Add Observer metadata [add-observer-metadata]
+
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+```yaml
+processors:
+  - add_observer_metadata:
+      cache.ttl: 5m
+      geo:
+        name: nyc-dc1-rack1
+        location: 40.7128, -74.0060
+        continent_name: North America
+        country_iso_code: US
+        region_name: New York
+        region_iso_code: NY
+        city_name: New York
+```
+
+It has the following settings:
+
+`netinfo.enabled`
+:   (Optional) Default true. Include IP addresses and MAC addresses as fields observer.ip and observer.mac
+
+`cache.ttl`
+:   (Optional) The processor uses an internal cache for the observer metadata. This sets the cache expiration time. The default is 5m, negative values disable caching altogether.
+
+`geo.name`
+:   (Optional) User definable token to be used for identifying a discrete location. Frequently a datacenter, rack, or similar.
+
+`geo.location`
+:   (Optional) Longitude and latitude in comma separated format.
+
+`geo.continent_name`
+:   (Optional) Name of the continent.
+
+`geo.country_name`
+:   (Optional) Name of the country.
+
+`geo.region_name`
+:   (Optional) Name of the region.
+
+`geo.city_name`
+:   (Optional) Name of the city.
+
+`geo.country_iso_code`
+:   (Optional) ISO country code.
+
+`geo.region_iso_code`
+:   (Optional) ISO region code.
+
+The `add_observer_metadata` processor annotates each event with relevant metadata from the observer machine. The fields added to the event look like the following:
+
+```json
+{
+  "observer" : {
+    "hostname" : "avce",
+    "type" : "heartbeat",
+    "vendor" : "elastic",
+    "ip" : [
+      "192.168.1.251",
+      "fe80::64b2:c3ff:fe5b:b974",
+    ],
+    "mac" : [
+      "dc:c1:02:6f:1b:ed",
+    ],
+    "geo": {
+      "continent_name": "North America",
+      "country_iso_code": "US",
+      "region_name": "New York",
+      "region_iso_code": "NY",
+      "city_name": "New York",
+      "name": "nyc-dc1-rack1",
+      "location": "40.7128, -74.0060"
+    }
+  }
+}
+```
+
diff --git a/docs/reference/winlogbeat/add-process-metadata.md b/docs/reference/winlogbeat/add-process-metadata.md
new file mode 100644
index 000000000000..a5d98f8846d4
--- /dev/null
+++ b/docs/reference/winlogbeat/add-process-metadata.md
@@ -0,0 +1,94 @@
+---
+navigation_title: "add_process_metadata"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/add-process-metadata.html
+---
+
+# Add process metadata [add-process-metadata]
+
+
+The `add_process_metadata` processor enriches events with information from running processes, identified by their process ID (PID).
+
+```yaml
+processors:
+  - add_process_metadata:
+      match_pids:
+        - process.pid
+```
+
+The fields added to the event look as follows:
+
+```json
+{
+  "container": {
+    "id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1"
+  },
+  "process": {
+    "args": [
+      "/usr/lib/systemd/systemd",
+      "--switched-root",
+      "--system",
+      "--deserialize",
+      "22"
+    ],
+    "executable": "/usr/lib/systemd/systemd",
+    "name": "systemd",
+    "owner": {
+      "id": "0",
+      "name": "root"
+    },
+    "parent": {
+      "pid": 0
+    },
+    "pid": 1,
+    "start_time": "2018-08-22T08:44:50.684Z",
+    "title": "/usr/lib/systemd/systemd --switched-root --system --deserialize 22"
+  }
+}
+```
+
+Optionally, the process environment can be included, too:
+
+```json
+  ...
+  "env": {
+    "HOME":       "/",
+    "TERM":       "linux",
+    "BOOT_IMAGE": "/boot/vmlinuz-4.11.8-300.fc26.x86_64",
+    "LANG":       "en_US.UTF-8",
+  }
+  ...
+```
+
+It has the following settings:
+
+`match_pids`
+:   List of fields to lookup for a PID. The processor will search the list sequentially until the field is found in the current event, and the PID lookup will be applied to the value of this field.
+
+`target`
+:   (Optional) Destination prefix where the `process` object will be created. The default is the event’s root.
+
+`include_fields`
+:   (Optional) List of fields to add. By default, the processor will add all the available fields except `process.env`.
+
+`ignore_missing`
+:   (Optional) When set to `false`, events that don’t contain any of the fields in match_pids will be discarded and an error will be generated. By default, this condition is ignored.
+
+`overwrite_keys`
+:   (Optional) By default, if a target field already exists, it will not be overwritten, and an error will be logged. If `overwrite_keys` is set to `true`, this condition will be ignored.
+
+`restricted_fields`
+:   (Optional) By default, the `process.env` field is not output, to avoid leaking sensitive data. If `restricted_fields` is `true`, the field will be present in the output.
+
+`host_path`
+:   (Optional) By default, the `host_path` field is set to the root directory of the host `/`. This is the path where `/proc` is mounted. For different runtime configurations of Kubernetes or Docker, the `host_path` can be set to overwrite the default.
+
+`cgroup_prefixes`
+:   (Optional) List of prefixes that will be matched against cgroup paths. When a cgroup path begins with a prefix in the list, then the last element of the path is returned as the container ID. Only one of `cgroup_prefixes` and `cgroup_rexex` should be configured. If neither are configured then a default `cgroup_regex` value is used that matches cgroup paths containing 64-character container IDs (like those from Docker, Kubernetes, and Podman).
+
+`cgroup_regex`
+:   (Optional) A regular expression that will be matched against cgroup paths. It must contain one capturing group. When a cgroup path matches the regular expression then the value of the capturing group is returned as the container ID.  Only one of `cgroup_prefixes` and `cgroup_rexex` should be configured. If neither are configured then a default `cgroup_regex` value is used that matches cgroup paths containing 64-character container IDs (like those from Docker, Kubernetes, and Podman).
+
+`cgroup_cache_expire_time`
+:   (Optional) By default, the `cgroup_cache_expire_time` is set to 30 seconds. This is the length of time before cgroup cache elements expire in seconds. It can be set to 0 to disable the cgroup cache. In some container runtimes technology like runc, the container’s process is also process in the host kernel, and will be affected by PID rollover/reuse. The expire time needs to set smaller than the PIDs wrap around time to avoid wrong container id.
+
diff --git a/docs/reference/winlogbeat/add-tags.md b/docs/reference/winlogbeat/add-tags.md
new file mode 100644
index 000000000000..3d13cffdee7b
--- /dev/null
+++ b/docs/reference/winlogbeat/add-tags.md
@@ -0,0 +1,34 @@
+---
+navigation_title: "add_tags"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/add-tags.html
+---
+
+# Add tags [add-tags]
+
+
+The `add_tags` processor adds tags to a list of tags. If the target field already exists, the tags are appended to the existing list of tags.
+
+`tags`
+:   List of tags to add.
+
+`target`
+:   (Optional) Field the tags will be added to. Defaults to `tags`. Setting tags in `@metadata` is not supported.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - add_tags:
+      tags: [web, production]
+      target: "environment"
+```
+
+Adds the environment field to every event:
+
+```json
+{
+  "environment": ["web", "production"]
+}
+```
+
diff --git a/docs/reference/winlogbeat/append.md b/docs/reference/winlogbeat/append.md
new file mode 100644
index 000000000000..85e8f864ad1c
--- /dev/null
+++ b/docs/reference/winlogbeat/append.md
@@ -0,0 +1,73 @@
+---
+navigation_title: "append"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/append.html
+---
+
+# Append Processor [append]
+
+
+The `append` processor appends one or more values to an existing array if the target field already exists and it is an array. Converts a scaler to an array and appends one or more values to it if the field exists and it is a scaler. Here the values can either be one or more static values or one or more values from the fields listed under *fields* key.
+
+`target_field`
+:   The field in which you want to append the data.
+
+`fields`
+:   (Optional) List of fields from which you want to copy data from. If the value is of a concrete type it will be appended directly to the target. However, if the value is an array, all the elements of the array are pushed individually to the target field.
+
+`values`
+:   (Optional) List of static values you want to append to target field.
+
+`ignore_empty_values`
+:   (Optional) If set to `true`, all the `""` and `nil` are omitted from being appended to the target field.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error occurs, the changes are reverted and the original is returned. If set to `false`, processing continues if an error occurs. Default is `true`.
+
+`allow_duplicate`
+:   (Optional) If set to `false`, the processor does not append values already present in the field. The default is `true`, which will append duplicate values in the array.
+
+`ignore_missing`
+:   (Optional) Indicates whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+note: If you want to use `fields` parameter with fields under `message`, make sure you use `decode_json_fields` first with `target: ""`.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - decode_json_fields:
+      fields: message
+      target: ""
+  - append:
+      target_field: target-field
+      fields:
+        - concrete.field
+        - array.one
+      values:
+        - static-value
+        - ""
+      ignore_missing: true
+      fail_on_error: true
+      ignore_empty_values: true
+```
+
+Copies the values of `concrete.field`, `array.one` response fields and the static values to `target-field`:
+
+```json
+{
+  "concrete": {
+    "field": "val0"
+  },
+  "array": {
+      "one": [ "val1", "val2" ]
+  },
+  "target-field": [
+    "val0",
+    "val1",
+    "val2",
+    "static-value"
+  ]
+}
+```
+
diff --git a/docs/reference/winlogbeat/beats-api-keys.md b/docs/reference/winlogbeat/beats-api-keys.md
new file mode 100644
index 000000000000..7bb81a4cc0af
--- /dev/null
+++ b/docs/reference/winlogbeat/beats-api-keys.md
@@ -0,0 +1,142 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/beats-api-keys.html
+---
+
+# Grant access using API keys [beats-api-keys]
+
+Instead of using usernames and passwords, you can use API keys to grant access to {{es}} resources. You can set API keys to expire at a certain time, and you can explicitly invalidate them. Any user with the `manage_api_key` or `manage_own_api_key` cluster privilege can create API keys.
+
+Winlogbeat instances typically send both collected data and monitoring information to {{es}}. If you are sending both to the same cluster, you can use the same API key. For different clusters, you need to use an API key per cluster.
+
+::::{note}
+For security reasons, we recommend using a unique API key per Winlogbeat instance. You can create as many API keys per user as necessary.
+::::
+
+
+::::{important}
+Review [*Grant users access to secured resources*](/reference/winlogbeat/feature-roles.md) before creating API keys for Winlogbeat.
+::::
+
+
+
+## Create an API key for publishing [beats-api-key-publish]
+
+To create an API key to use for writing data to {{es}}, use the [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key), for example:
+
+```console
+POST /_security/api_key
+{
+  "name": "winlogbeat_host001", <1>
+  "role_descriptors": {
+    "winlogbeat_writer": { <2>
+      "cluster": ["monitor", "read_ilm", "read_pipeline"],
+      "index": [
+        {
+          "names": ["winlogbeat-*"],
+          "privileges": ["view_index_metadata", "create_doc", "auto_configure"]
+        }
+      ]
+    }
+  }
+}
+```
+
+1. Name of the API key
+2. Granted privileges, see [*Grant users access to secured resources*](/reference/winlogbeat/feature-roles.md)
+
+
+::::{note}
+See [Create a *publishing* user](/reference/winlogbeat/privileges-to-publish-events.md) for the list of privileges required to publish events.
+::::
+
+
+The return value will look something like this:
+
+```console-result
+{
+  "id":"TiNAGG4BaaMdaH1tRfuU", <1>
+  "name":"winlogbeat_host001",
+  "api_key":"KnR6yE41RrSowb0kQ0HWoA" <2>
+}
+```
+
+1. Unique id for this API key
+2. Generated API key
+
+
+You can now use this API key in your `winlogbeat.yml` configuration file like this:
+
+```yaml
+output.elasticsearch:
+  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA <1>
+```
+
+1. Format is `id:api_key` (as returned by [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key))
+
+
+
+## Create an API key for monitoring [beats-api-key-monitor]
+
+To create an API key to use for sending monitoring data to {{es}}, use the [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key), for example:
+
+```console
+POST /_security/api_key
+{
+  "name": "winlogbeat_host001", <1>
+  "role_descriptors": {
+    "winlogbeat_monitoring": { <2>
+      "cluster": ["monitor"],
+      "index": [
+        {
+          "names": [".monitoring-beats-*"],
+          "privileges": ["create_index", "create"]
+        }
+      ]
+    }
+  }
+}
+```
+
+1. Name of the API key
+2. Granted privileges, see [*Grant users access to secured resources*](/reference/winlogbeat/feature-roles.md)
+
+
+::::{note}
+See [Create a *monitoring* user](/reference/winlogbeat/privileges-to-publish-monitoring.md) for the list of privileges required to send monitoring data.
+::::
+
+
+The return value will look something like this:
+
+```console-result
+{
+  "id":"TiNAGG4BaaMdaH1tRfuU", <1>
+  "name":"winlogbeat_host001",
+  "api_key":"KnR6yE41RrSowb0kQ0HWoA" <2>
+}
+```
+
+1. Unique id for this API key
+2. Generated API key
+
+
+You can now use this API key in your `winlogbeat.yml` configuration file like this:
+
+```yaml
+monitoring.elasticsearch:
+  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA <1>
+```
+
+1. Format is `id:api_key` (as returned by [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key))
+
+
+
+## Learn more about API keys [learn-more-api-keys]
+
+See the {{es}} API key documentation for more information:
+
+* [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key)
+* [Get API key information](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-get-api-key)
+* [Invalidate API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-invalidate-api-key)
+
diff --git a/docs/reference/winlogbeat/bogus-computer-name-fields.md b/docs/reference/winlogbeat/bogus-computer-name-fields.md
new file mode 100644
index 000000000000..c58bedbd3f5b
--- /dev/null
+++ b/docs/reference/winlogbeat/bogus-computer-name-fields.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/bogus-computer-name-fields.html
+---
+
+# Bogus computer_name fields are reported in some events [bogus-computer-name-fields]
+
+Prior to the hostname configuration stage, during OS installation any event log records generated may have a randomly assigned hostname.
+
diff --git a/docs/reference/winlogbeat/change-index-name.md b/docs/reference/winlogbeat/change-index-name.md
new file mode 100644
index 000000000000..3d327dd58b1c
--- /dev/null
+++ b/docs/reference/winlogbeat/change-index-name.md
@@ -0,0 +1,23 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/change-index-name.html
+---
+
+# Change the index name [change-index-name]
+
+Winlogbeat uses data streams named `winlogbeat-9.0.0-beta1`. To use a different name, set the [`index`](/reference/winlogbeat/elasticsearch-output.md#index-option-es) option in the {{es}} output. You also need to configure the `setup.template.name` and `setup.template.pattern` options to match the new name. For example:
+
+```sh
+output.elasticsearch.index: "customname-%{[agent.version]}"
+setup.template.name: "customname-%{[agent.version]}"
+setup.template.pattern: "customname-%{[agent.version]}"
+```
+
+If you’re using pre-built Kibana dashboards, also set the `setup.dashboards.index` option. For example:
+
+```yaml
+setup.dashboards.index: "customname-*"
+```
+
+For a full list of template setup options, see [Elasticsearch index template](/reference/winlogbeat/configuration-template.md).
+
diff --git a/docs/reference/winlogbeat/command-line-options.md b/docs/reference/winlogbeat/command-line-options.md
new file mode 100644
index 000000000000..158357dab278
--- /dev/null
+++ b/docs/reference/winlogbeat/command-line-options.md
@@ -0,0 +1,358 @@
+---
+navigation_title: "Command reference"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/command-line-options.html
+---
+
+# Winlogbeat command reference [command-line-options]
+
+
+Winlogbeat provides a command-line interface for starting Winlogbeat and performing common tasks, like testing configuration files and loading dashboards.
+
+The command-line also supports [global flags](#global-flags) for controlling global behaviors.
+
+Some of the features described here require an Elastic license. For more information, see [https://www.elastic.co/subscriptions](https://www.elastic.co/subscriptions) and [License Management](docs-content://deploy-manage/license/manage-your-license-in-self-managed-cluster.md).
+
+| Commands |  |
+| --- | --- |
+| [`export`](#export-command) | Exports the configuration, index template, pipeline, or ILM policy to stdout. |
+| [`help`](#help-command) | Shows help for any command. |
+| [`keystore`](#keystore-command) | Manages the [secrets keystore](/reference/winlogbeat/keystore.md). |
+| [`run`](#run-command) | Runs Winlogbeat. This command is used by default if you start Winlogbeat without specifying a command. |
+| [`setup`](#setup-command) | Sets up the initial environment, including the index template, ILM policy and write alias, and {{kib}} dashboards (when available). |
+| [`test`](#test-command) | Tests the configuration. |
+| [`version`](#version-command) | Shows information about the current version. |
+
+Also see [Global flags](#global-flags).
+
+## `export` command [export-command]
+
+Exports the configuration, index template, pipeline, or ILM policy to stdout. You can use this command to quickly view your configuration, see the contents of the index template and the ILM policy, export a dashboard from {{kib}}, or export ingest pipelines.
+
+**SYNOPSIS**
+
+```sh
+winlogbeat export SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`config`**
+:   Exports the current configuration to stdout. If you use the `-c` flag, this command exports the configuration that’s defined in the specified file.
+
+$$$dashboard-subcommand$$$**`dashboard`**
+:   Exports a dashboard. You can use this option to store a dashboard on disk in a module and load it automatically. For example, to export the dashboard to a JSON file, run:
+
+    ```shell
+    winlogbeat export dashboard --id="DASHBOARD_ID" > dashboard.json
+    ```
+
+    To find the `DASHBOARD_ID`, look at the URL for the dashboard in {{kib}}. By default, `export dashboard` writes the dashboard to stdout. The example shows how to write the dashboard to a JSON file so that you can import it later. The JSON file will contain the dashboard with all visualizations and searches. You must load the index pattern separately for Winlogbeat.
+
+    To load the dashboard, copy the generated `dashboard.json` file into the `kibana/6/dashboard` directory of Winlogbeat, and run `winlogbeat setup --dashboards` to import the dashboard.
+
+    If {{kib}} is not running on `localhost:5061`, you must also adjust the Winlogbeat configuration under `setup.kibana`.
+
+
+$$$template-subcommand$$$**`template`**
+:   Exports the index template to stdout. You can specify the `--es.version` flag to further define what gets exported. Furthermore you can export the template to a file instead of `stdout` by defining a directory via `--dir`.
+
+$$$ilm-policy-subcommand$$$
+
+**`ilm-policy`**
+:   Exports the index lifecycle management policy to stdout. You can specify the `--es.version` and a `--dir` to which the policy should be exported as a file rather than exporting to `stdout`.
+
+$$$pipeline-subcommand$$$
+
+**`pipeline`**
+:   Exports the ingest piplines.  You must specify the `--es.version` to specify which version of {{es}} the pipelines should be compatible with. You can optionally specify `--dir` to control where the pipelines are written.
+
+**FLAGS**
+
+**`--es.version VERSION`**
+:   When used with [`template`](#template-subcommand), exports an index template that is compatible with the specified version.  When used with [`ilm-policy`](#ilm-policy-subcommand), exports the ILM policy if the specified ES version is enabled for ILM.  When used with [`pipeline`](#pipeline-subcommand), exports versions of the pipeline that is compatible with the specified version.
+
+**`-h, --help`**
+:   Shows help for the `export` command.
+
+**`--dir DIRNAME`**
+:   Define a directory to which the template, pipelines, and ILM policy should be exported to as files instead of printing them to `stdout`.
+
+**`--id DASHBOARD_ID`**
+:   When used with [`dashboard`](#dashboard-subcommand), specifies the dashboard ID.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+winlogbeat export config
+winlogbeat export template --es.version 9.0.0-beta1
+winlogbeat export dashboard --id="a7b35890-8baa-11e8-9676-ef67484126fb" > dashboard.json
+```
+
+
+## `help` command [help-command]
+
+Shows help for any command. If no command is specified, shows help for the `run` command.
+
+**SYNOPSIS**
+
+```sh
+winlogbeat help COMMAND_NAME [FLAGS]
+```
+
+**`COMMAND_NAME`**
+:   Specifies the name of the command to show help for.
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `help` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+winlogbeat help export
+```
+
+
+## `keystore` command [keystore-command]
+
+Manages the [secrets keystore](/reference/winlogbeat/keystore.md).
+
+**SYNOPSIS**
+
+```sh
+winlogbeat keystore SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`add KEY`**
+:   Adds the specified key to the keystore. Use the `--force` flag to overwrite an existing key. Use the `--stdin` flag to pass the value through `stdin`.
+
+**`create`**
+:   Creates a keystore to hold secrets. Use the `--force` flag to overwrite the existing keystore.
+
+**`list`**
+:   Lists the keys in the keystore.
+
+**`remove KEY`**
+:   Removes the specified key from the keystore.
+
+**FLAGS**
+
+**`--force`**
+:   Valid with the `add` and `create` subcommands. When used with `add`, overwrites the specified key. When used with `create`, overwrites the keystore.
+
+**`--stdin`**
+:   When used with `add`, uses the stdin as the source of the key’s value.
+
+**`-h, --help`**
+:   Shows help for the `keystore` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+winlogbeat keystore create
+winlogbeat keystore add ES_PWD
+winlogbeat keystore remove ES_PWD
+winlogbeat keystore list
+```
+
+See [Secrets keystore](/reference/winlogbeat/keystore.md) for more examples.
+
+
+## `run` command [run-command]
+
+Runs Winlogbeat. This command is used by default if you start Winlogbeat without specifying a command.
+
+**SYNOPSIS**
+
+```sh
+winlogbeat run [FLAGS]
+```
+
+Or:
+
+```sh
+winlogbeat [FLAGS]
+```
+
+**FLAGS**
+
+**`-N, --N`**
+:   Disables publishing for testing purposes. This option disables all outputs except the [File output](/reference/winlogbeat/file-output.md).
+
+**`--cpuprofile FILE`**
+:   Writes CPU profile data to the specified file. This option is useful for troubleshooting Winlogbeat.
+
+**`-h, --help`**
+:   Shows help for the `run` command.
+
+**`--httpprof [HOST]:PORT`**
+:   Starts an http server for profiling. This option is useful for troubleshooting and profiling Winlogbeat.
+
+**`--memprofile FILE`**
+:   Writes memory profile data to the specified output file. This option is useful for troubleshooting Winlogbeat.
+
+**`--system.hostfs MOUNT_POINT`**
+:   Specifies the mount point of the host’s filesystem for use in monitoring a host. This flag is depricated, and an alternate hostfs should be specified via the `hostfs` module config value.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+winlogbeat run -e
+```
+
+Or:
+
+```sh
+winlogbeat -e
+```
+
+
+## `setup` command [setup-command]
+
+Sets up the initial environment, including the index template, ILM policy and write alias, and {{kib}} dashboards (when available)
+
+* The index template ensures that fields are mapped correctly in Elasticsearch. If index lifecycle management is enabled it also ensures that the defined ILM policy and write alias are connected to the indices matching the index template. The ILM policy takes care of the lifecycle of an index, when to do a rollover, when to move an index from the hot phase to the next phase, etc.
+* The {{kib}} dashboards make it easier for you to visualize Winlogbeat data in {{kib}}.
+
+This command sets up the environment without actually running Winlogbeat and ingesting data. Specify optional flags to set up a subset of assets.
+
+**SYNOPSIS**
+
+```sh
+winlogbeat setup [FLAGS]
+```
+
+**FLAGS**
+
+**`--dashboards`**
+:   Sets up the {{kib}} dashboards (when available). This option loads the dashboards from the Winlogbeat package. For more options, such as loading customized dashboards, see [Importing Existing Beat Dashboards](http://www.elastic.co/guide/en/beats/devguide/master/import-dashboards.md) in the *Beats Developer Guide*.
+
+**`-h, --help`**
+:   Shows help for the `setup` command.
+
+**`--index-management`**
+:   Sets up components related to Elasticsearch index management including template, ILM policy, and write alias (if supported and configured).
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLES**
+
+```sh
+winlogbeat setup --dashboards
+winlogbeat setup --index-management
+```
+
+
+## `test` command [test-command]
+
+Tests the configuration.
+
+**SYNOPSIS**
+
+```sh
+winlogbeat test SUBCOMMAND [FLAGS]
+```
+
+**SUBCOMMANDS**
+
+**`config`**
+:   Tests the configuration settings.
+
+**`output`**
+:   Tests that Winlogbeat can connect to the output by using the current settings.
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `test` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+winlogbeat test config
+```
+
+
+## `version` command [version-command]
+
+Shows information about the current version.
+
+**SYNOPSIS**
+
+```sh
+winlogbeat version [FLAGS]
+```
+
+**FLAGS**
+
+**`-h, --help`**
+:   Shows help for the `version` command.
+
+Also see [Global flags](#global-flags).
+
+**EXAMPLE**
+
+```sh
+winlogbeat version
+```
+
+
+## Global flags [global-flags]
+
+These global flags are available whenever you run Winlogbeat.
+
+**`-E, --E "SETTING_NAME=VALUE"`**
+:   Overrides a specific configuration setting. You can specify multiple overrides. For example:
+
+    ```sh
+    winlogbeat -E "name=mybeat" -E "output.elasticsearch.hosts=['http://myhost:9200']"
+    ```
+
+    This setting is applied to the currently running Winlogbeat process. The Winlogbeat configuration file is not changed.
+
+
+**`-c, --c FILE`**
+:   Specifies the configuration file to use for Winlogbeat. The file you specify here is relative to `path.config`. If the `-c` flag is not specified, the default config file, `winlogbeat.yml`, is used.
+
+**`-d, --d SELECTORS`**
+:   Enables debugging for the specified selectors. For the selectors, you can specify a comma-separated list of components, or you can use `-d "*"` to enable debugging for all components. For example, `-d "publisher"` displays all the publisher-related messages.
+
+**`-e, --e`**
+:   Logs to stderr and disables syslog/file output.
+
+**`--environment`**
+:   For logging purposes, specifies the environment that Winlogbeat is running in. This setting is used to select a default log output when no log output is configured. Supported values are: `systemd`, `container`, `macos_service`, and `windows_service`. If `systemd` or `container` is specified, Winlogbeat will log to stdout and stderr by default.
+
+**`--path.config`**
+:   Sets the path for configuration files. See the [Directory layout](/reference/winlogbeat/directory-layout.md) section for details.
+
+**`--path.data`**
+:   Sets the path for data files. See the [Directory layout](/reference/winlogbeat/directory-layout.md) section for details.
+
+**`--path.home`**
+:   Sets the path for miscellaneous files. See the [Directory layout](/reference/winlogbeat/directory-layout.md) section for details.
+
+**`--path.logs`**
+:   Sets the path for log files. See the [Directory layout](/reference/winlogbeat/directory-layout.md) section for details.
+
+**`--strict.perms`**
+:   Sets strict permission checking on configuration files. The default is `--strict.perms=true`. See [Config file ownership and permissions](/reference/libbeat/config-file-permissions.md) for more information.
+
+**`-v, --v`**
+:   Logs INFO-level messages.
+
+
diff --git a/docs/reference/winlogbeat/community-id.md b/docs/reference/winlogbeat/community-id.md
new file mode 100644
index 000000000000..c2133839bae5
--- /dev/null
+++ b/docs/reference/winlogbeat/community-id.md
@@ -0,0 +1,41 @@
+---
+navigation_title: "community_id"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/community-id.html
+---
+
+# Community ID Network Flow Hash [community-id]
+
+
+The `community_id` processor computes a network flow hash according to the [Community ID Flow Hash specification](https://github.com/corelight/community-id-spec).
+
+The flow hash is useful for correlating all network events related to a single flow. For example you can filter on a community ID value and you might get back the Netflow records from multiple collectors and layer 7 protocol records from Packetbeat.
+
+By default the processor is configured to read the flow parameters from the appropriate Elastic Common Schema (ECS) fields. If you are processing ECS data then no parameters are required.
+
+```yaml
+processors:
+  - community_id:
+```
+
+If the data does not conform to ECS then you can customize the field names that the processor reads from. You can also change the `target` field which is where the computed hash is written to.
+
+```yaml
+processors:
+  - community_id:
+      fields:
+        source_ip: my_source_ip
+        source_port: my_source_port
+        destination_ip: my_dest_ip
+        destination_port: my_dest_port
+        iana_number: my_iana_number
+        transport: my_transport
+        icmp_type: my_icmp_type
+        icmp_code: my_icmp_code
+      target: network.community_id
+```
+
+If the necessary fields are not present in the event then the processor will silently continue without adding the target field.
+
+The processor also accepts an optional `seed` parameter that must be a 16-bit unsigned integer. This value gets incorporated into all generated hashes.
+
diff --git a/docs/reference/winlogbeat/configuration-dashboards.md b/docs/reference/winlogbeat/configuration-dashboards.md
new file mode 100644
index 000000000000..2624020b022e
--- /dev/null
+++ b/docs/reference/winlogbeat/configuration-dashboards.md
@@ -0,0 +1,103 @@
+---
+navigation_title: "Kibana dashboards"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-dashboards.html
+---
+
+# Configure Kibana dashboard loading [configuration-dashboards]
+
+
+Winlogbeat comes packaged with example Kibana dashboards, visualizations, and searches for visualizing Winlogbeat data in Kibana.
+
+To load the dashboards, you can either enable dashboard loading in the `setup.dashboards` section of the `winlogbeat.yml` config file, or you can run the `setup` command. Dashboard loading is disabled by default.
+
+When dashboard loading is enabled, Winlogbeat uses the Kibana API to load the sample dashboards. Dashboard loading is only attempted when Winlogbeat starts up. If Kibana is not available at startup, Winlogbeat will stop with an error.
+
+To enable dashboard loading, add the following setting to the config file:
+
+```yaml
+setup.dashboards.enabled: true
+```
+
+
+## Configuration options [_configuration_options_13]
+
+You can specify the following options in the `setup.dashboards` section of the `winlogbeat.yml` config file:
+
+
+### `setup.dashboards.enabled` [_setup_dashboards_enabled]
+
+If this option is set to true, Winlogbeat loads the sample Kibana dashboards from the local `kibana` directory in the home path of the Winlogbeat installation.
+
+::::{note}
+Winlogbeat loads dashboards on startup if either `enabled` is set to `true` or the `setup.dashboards` section is included in the configuration.
+::::
+
+
+::::{note}
+When dashboard loading is enabled, Winlogbeat overwrites any existing dashboards that match the names of the dashboards you are loading. This happens every time Winlogbeat starts.
+::::
+
+
+If no other options are set, the dashboard are loaded from the local `kibana` directory in the home path of the Winlogbeat installation. To load dashboards from a different location, you can configure one of the following options: [`setup.dashboards.directory`](#directory-option), [`setup.dashboards.url`](#url-option), or [`setup.dashboards.file`](#file-option).
+
+
+### `setup.dashboards.directory` [directory-option]
+
+The directory that contains the dashboards to load. The default is the `kibana` folder in the home path.
+
+
+### `setup.dashboards.url` [url-option]
+
+The URL to use for downloading the dashboard archive. If this option is set, Winlogbeat downloads the dashboard archive from the specified URL instead of using the local directory.
+
+
+### `setup.dashboards.file` [file-option]
+
+The file archive (zip file) that contains the dashboards to load. If this option is set, Winlogbeat looks for a dashboard archive in the specified path instead of using the local directory.
+
+
+### `setup.dashboards.beat` [_setup_dashboards_beat]
+
+In case the archive contains the dashboards for multiple Beats, this setting lets you select the Beat for which you want to load dashboards. To load all the dashboards in the archive, set this option to an empty string. The default is `"winlogbeat"`.
+
+
+### `setup.dashboards.kibana_index` [_setup_dashboards_kibana_index]
+
+The name of the Kibana index to use for setting the configuration. The default is `".kibana"`
+
+
+### `setup.dashboards.index` [_setup_dashboards_index]
+
+The Elasticsearch index name. This setting overwrites the index name defined in the dashboards and index pattern. Example: `"testbeat-*"`
+
+::::{note}
+This setting only works for Kibana 6.0 and newer.
+::::
+
+
+
+### `setup.dashboards.always_kibana` [_setup_dashboards_always_kibana]
+
+Force loading of dashboards using the Kibana API without querying Elasticsearch for the version. The default is `false`.
+
+
+### `setup.dashboards.retry.enabled` [_setup_dashboards_retry_enabled]
+
+If this option is set to true, and Kibana is not reachable at the time when dashboards are loaded, Winlogbeat will retry to reconnect to Kibana instead of exiting with an error. Disabled by default.
+
+
+### `setup.dashboards.retry.interval` [_setup_dashboards_retry_interval]
+
+Duration interval between Kibana connection retries. Defaults to 1 second.
+
+
+### `setup.dashboards.retry.maximum` [_setup_dashboards_retry_maximum]
+
+Maximum number of retries before exiting with an error. Set to 0 for unlimited retrying. Default is unlimited.
+
+
+### `setup.dashboards.string_replacements` [_setup_dashboards_string_replacements]
+
+The needle and replacements string map, which is used to replace needle string in dashboards and their references contents.
+
diff --git a/docs/reference/winlogbeat/configuration-general-options.md b/docs/reference/winlogbeat/configuration-general-options.md
new file mode 100644
index 000000000000..f0d9bb0c8986
--- /dev/null
+++ b/docs/reference/winlogbeat/configuration-general-options.md
@@ -0,0 +1,88 @@
+---
+navigation_title: "General settings"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-general-options.html
+---
+
+# Configure general settings [configuration-general-options]
+
+
+You can specify settings in the `winlogbeat.yml` config file to control the general behavior of Winlogbeat.
+
+
+## General configuration options [configuration-general]
+
+
+These options are supported by all Elastic Beats. Because they are common options, they are not namespaced.
+
+Here is an example configuration:
+
+```yaml
+name: "my-shipper"
+tags: ["service-X", "web-tier"]
+```
+
+
+### `name` [_name]
+
+The name of the Beat. If this option is empty, the `hostname` of the server is used. The name is included as the `agent.name` field in each published transaction. You can use the name to group all transactions sent by a single Beat.
+
+Example:
+
+```yaml
+name: "my-shipper"
+```
+
+
+### `tags` [_tags]
+
+A list of tags that the Beat includes in the `tags` field of each published transaction. Tags make it easy to group servers by different logical properties. For example, if you have a cluster of web servers, you can add the "webservers" tag to the Beat on each server, and then use filters and queries in the Kibana web interface to get visualisations for the whole group of servers.
+
+Example:
+
+```yaml
+tags: ["my-service", "hardware", "test"]
+```
+
+
+### `fields` [libbeat-configuration-fields]
+
+Optional fields that you can specify to add additional information to the output. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true.
+
+Example:
+
+```yaml
+fields: {project: "myproject", instance-id: "574734885120952459"}
+```
+
+
+### `fields_under_root` [_fields_under_root]
+
+If this option is set to true, the custom [fields](#libbeat-configuration-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names, then the custom fields overwrite the other fields.
+
+Example:
+
+```yaml
+fields_under_root: true
+fields:
+  instance_id: i-10a64379
+  region: us-east-1
+```
+
+
+### `processors` [_processors]
+
+A list of processors to apply to the data generated by the beat.
+
+See [Processors](/reference/winlogbeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+### `max_procs` [_max_procs]
+
+Sets the maximum number of CPUs that can be executing simultaneously. The default is the number of logical CPUs available in the system.
+
+
+### `timestamp.precision` [_timestamp_precision]
+
+Configure the precision of all timestamps. By default it is set to millisecond. Available options: millisecond, microsecond, nanosecond
+
diff --git a/docs/reference/winlogbeat/configuration-instrumentation.md b/docs/reference/winlogbeat/configuration-instrumentation.md
new file mode 100644
index 000000000000..9f829e3a2ebe
--- /dev/null
+++ b/docs/reference/winlogbeat/configuration-instrumentation.md
@@ -0,0 +1,87 @@
+---
+navigation_title: "Instrumentation"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-instrumentation.html
+---
+
+# Configure APM instrumentation [configuration-instrumentation]
+
+
+Libbeat uses the Elastic APM Go Agent to instrument its publishing pipeline. Currently, only the Elasticsearch output is instrumented. To gain insight into the performance of Winlogbeat, you can enable this instrumentation and send trace data to the APM Integration.
+
+Example configuration with instrumentation enabled:
+
+```yaml
+instrumentation:
+  enabled: true
+  environment: production
+  hosts:
+    - "http://localhost:8200"
+  api_key: L5ER6FEvjkmlfalBealQ3f3fLqf03fazfOV
+```
+
+
+## Configuration options [_configuration_options_17]
+
+You can specify the following options in the `instrumentation` section of the `winlogbeat.yml` config file:
+
+
+### `enabled` [_enabled_9]
+
+Set to `true` to enable instrumentation of Winlogbeat. Defaults to `false`.
+
+
+### `environment` [_environment]
+
+Set the environment in which Winlogbeat is running, for example, `staging`, `production`, `dev`, etc. Environments can be filtered in the [APM app](docs-content://solutions/observability/apps/overviews.md).
+
+
+### `hosts` [_hosts_3]
+
+The APM integration [host](docs-content://reference/ingestion-tools/observability/apm-settings.md) to report instrumentation data to. Defaults to `http://localhost:8200`.
+
+
+### `api_key` [_api_key_2]
+
+The [API Key](docs-content://reference/ingestion-tools/observability/apm-settings.md) used to secure communication with the APM Integration. If `api_key` is set then `secret_token` will be ignored.
+
+
+### `secret_token` [_secret_token]
+
+The [Secret token](docs-content://reference/ingestion-tools/observability/apm-settings.md) used to secure communication with the APM Integration.
+
+
+### `profiling.cpu.enabled` [_profiling_cpu_enabled]
+
+Set to `true` to enable CPU profiling, where profile samples are recorded as events.
+
+This feature is experimental.
+
+
+### `profiling.cpu.interval` [_profiling_cpu_interval]
+
+Configure the CPU profiling interval. Defaults to `60s`.
+
+This feature is experimental.
+
+
+### `profiling.cpu.duration` [_profiling_cpu_duration]
+
+Configure the CPU profiling duration. Defaults to `10s`.
+
+This feature is experimental.
+
+
+### `profiling.heap.enabled` [_profiling_heap_enabled]
+
+Set to `true` to enable heap profiling.
+
+This feature is experimental.
+
+
+### `profiling.heap.interval` [_profiling_heap_interval]
+
+Configure the heap profiling interval. Defaults to `60s`.
+
+This feature is experimental.
+
diff --git a/docs/reference/winlogbeat/configuration-kerberos.md b/docs/reference/winlogbeat/configuration-kerberos.md
new file mode 100644
index 000000000000..d784d4a8d462
--- /dev/null
+++ b/docs/reference/winlogbeat/configuration-kerberos.md
@@ -0,0 +1,90 @@
+---
+navigation_title: "Kerberos"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-kerberos.html
+---
+
+# Configure Kerberos [configuration-kerberos]
+
+
+You can specify Kerberos options with any output or input that supports Kerberos, like {{es}}.
+
+The following encryption types are supported:
+
+* aes128-cts-hmac-sha1-96
+* aes128-cts-hmac-sha256-128
+* aes256-cts-hmac-sha1-96
+* aes256-cts-hmac-sha384-192
+* des3-cbc-sha1-kd
+* rc4-hmac
+
+Example output config with Kerberos password based authentication:
+
+```yaml
+output.elasticsearch.hosts: ["http://my-elasticsearch.elastic.co:9200"]
+output.elasticsearch.kerberos.auth_type: password
+output.elasticsearch.kerberos.username: "elastic"
+output.elasticsearch.kerberos.password: "changeme"
+output.elasticsearch.kerberos.config_path: "/etc/krb5.conf"
+output.elasticsearch.kerberos.realm: "ELASTIC.CO"
+```
+
+The service principal name for the Elasticsearch instance is contructed from these options. Based on this configuration it is going to be `HTTP/my-elasticsearch.elastic.co@ELASTIC.CO`.
+
+
+## Configuration options [_configuration_options_10]
+
+You can specify the following options in the `kerberos` section of the `winlogbeat.yml` config file:
+
+
+### `enabled` [_enabled_8]
+
+The `enabled` setting can be used to enable the kerberos configuration by setting it to `false`. The default value is `true`.
+
+::::{note}
+Kerberos settings are disabled if either `enabled` is set to `false` or the `kerberos` section is missing.
+::::
+
+
+
+### `auth_type` [_auth_type]
+
+There are two options to authenticate with Kerberos KDC: `password` and `keytab`.
+
+`password` expects the principal name and its password. When choosing `keytab`, you have to specify a principal name and a path to a keytab. The keytab must contain the keys of the selected principal. Otherwise, authentication will fail.
+
+
+### `config_path` [_config_path]
+
+You need to set the path to the `krb5.conf`, so Winlogbeat can find the Kerberos KDC to retrieve a ticket.
+
+
+### `username` [_username_3]
+
+Name of the principal used to connect to the output.
+
+
+### `password` [_password_4]
+
+If you configured `password` for `auth_type`, you have to provide a password for the selected principal.
+
+
+### `keytab` [_keytab]
+
+If you configured `keytab` for `auth_type`, you have to provide the path to the keytab of the selected principal.
+
+
+### `service_name` [_service_name]
+
+This option can only be configured for Kafka. It is the name of the Kafka service, usually `kafka`.
+
+
+### `realm` [_realm]
+
+Name of the realm where the output resides.
+
+
+### `enable_krb5_fast` [_enable_krb5_fast]
+
+Enable Kerberos FAST authentication. This may conflict with some Active Directory installations. The default is `false`.
+
diff --git a/docs/reference/winlogbeat/configuration-logging.md b/docs/reference/winlogbeat/configuration-logging.md
new file mode 100644
index 000000000000..72367fee2458
--- /dev/null
+++ b/docs/reference/winlogbeat/configuration-logging.md
@@ -0,0 +1,248 @@
+---
+navigation_title: "Logging"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-logging.html
+---
+
+# Configure logging [configuration-logging]
+
+
+The `logging` section of the `winlogbeat.yml` config file contains options for configuring the logging output. The logging system can write logs to the syslog or rotate log files. If logging is not explicitly configured the file output is used.
+
+```yaml
+logging.level: info
+logging.to_files: true
+logging.files:
+  path: C:\ProgramData\winlogbeat\Logs
+  name: winlogbeat
+  keepfiles: 7
+  permissions: 0640
+```
+
+::::{tip}
+In addition to setting logging options in the config file, you can modify the logging output configuration from the command line. See [Command reference](/reference/winlogbeat/command-line-options.md).
+::::
+
+
+
+## Configuration options [_configuration_options_16]
+
+You can specify the following options in the `logging` section of the `winlogbeat.yml` config file:
+
+
+### `logging.to_stderr` [_logging_to_stderr]
+
+When true, writes all logging output to standard error output. This is equivalent to using the `-e` command line option.
+
+
+### `logging.to_syslog` [_logging_to_syslog]
+
+When true, writes all logging output to the syslog.
+
+::::{note}
+This option is not supported on Windows.
+::::
+
+
+
+### `logging.to_eventlog` [_logging_to_eventlog]
+
+When true, writes all logging output to the Windows Event Log.
+
+
+### `logging.to_files` [_logging_to_files]
+
+When true, writes all logging output to files. The log files are automatically rotated when the log file size limit is reached.
+
+::::{note}
+Winlogbeat only creates a log file if there is logging output. For example, if you set the log [`level`](#level) to `error` and there are no errors, there will be no log file in the directory specified for logs.
+::::
+
+
+
+### `logging.level` [level]
+
+Minimum log level. One of `debug`, `info`, `warning`, or `error`. The default log level is `info`.
+
+`debug`
+:   Logs debug messages, including a detailed printout of all events flushed. Also logs informational messages, warnings, errors, and critical errors. When the log level is `debug`, you can specify a list of [`selectors`](#selectors) to display debug messages for specific components. If no selectors are specified, the `*` selector is used to display debug messages for all components.
+
+`info`
+:   Logs informational messages, including the number of events that are published. Also logs any warnings, errors, or critical errors.
+
+`warning`
+:   Logs warnings, errors, and critical errors.
+
+`error`
+:   Logs errors and critical errors.
+
+
+### `logging.selectors` [selectors]
+
+The list of debugging-only selector tags used by different Winlogbeat components. Use `*` to enable debug output for all components. Use `publisher` to display debug messages related to event publishing.
+
+::::{tip}
+The list of available selectors may change between releases, so avoid creating tests that depend on specific selectors.
+
+To see which selectors are available, run Winlogbeat in debug mode (set `logging.level: debug` in the configuration). The selector name appears after the log level and is enclosed in brackets.
+
+::::
+
+
+To configure multiple selectors, use the following [YAML list syntax](/reference/libbeat/config-file-format.md):
+
+```yaml
+logging.selectors: [ harvester, input ]
+```
+
+To override selectors at the command line, use the `-d` global flag (`-d` also sets the debug log level). For more information, see [Command reference](/reference/winlogbeat/command-line-options.md).
+
+
+### `logging.metrics.enabled` [_logging_metrics_enabled]
+
+By default, Winlogbeat periodically logs its internal metrics that have changed in the last period. For each metric that changed, the delta from the value at the beginning of the period is logged. Also, the total values for all non-zero internal metrics are logged on shutdown. Set this to false to disable this behavior. The default is true.
+
+Here is an example log line:
+
+```shell
+2017-12-17T19:17:42.667-0500    INFO    [metrics]       log/log.go:110  Non-zero metrics in the last 30s: beat.info.uptime.ms=30004 beat.memstats.gc_next=5046416
+```
+
+Note that we currently offer no backwards compatible guarantees for the internal metrics and for this reason they are also not documented.
+
+
+### `logging.metrics.period` [_logging_metrics_period]
+
+The period after which to log the internal metrics. The default is 30s.
+
+
+### `logging.metrics.namespaces` [_logging_metrics_namespaces]
+
+A list of metrics namespaces to report in the logs. Defaults to `[stats]`. `stats` contains general Beat metrics. `dataset` and `inputs` may be present in some Beats and contains module or input metrics.
+
+
+### `logging.files.path` [_logging_files_path]
+
+The directory that log files are written to. The default is the logs path. See the [Directory layout](/reference/winlogbeat/directory-layout.md) section for details.
+
+
+### `logging.files.name` [_logging_files_name]
+
+The name of the file that logs are written to. The default is *winlogbeat*.
+
+
+### `logging.files.rotateeverybytes` [_logging_files_rotateeverybytes]
+
+The maximum size of a log file. If the limit is reached, a new log file is generated. The default size limit is 10485760 (10 MB).
+
+
+### `logging.files.keepfiles` [_logging_files_keepfiles]
+
+The number of most recent rotated log files to keep on disk. Older files are deleted during log rotation. The default value is 7. The `keepfiles` options has to be in the range of 2 to 1024 files.
+
+
+### `logging.files.permissions` [_logging_files_permissions]
+
+The permissions mask to apply when rotating log files. The default value is 0600. The `permissions` option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with *0*.
+
+The most permissive mask allowed is 0640. If a higher permissions mask is specified via this setting, it will be subject to an umask of 0027.
+
+This option is not supported on Windows.
+
+Examples:
+
+* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
+* 0600: give read and write access to the file owner, and no access to all others.
+
+
+### `logging.files.interval` [_logging_files_interval]
+
+Enable log file rotation on time intervals in addition to size-based rotation. Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h are boundary-aligned with minutes, hours, days, weeks, months, and years as reported by the local system clock. All other intervals are calculated from the unix epoch. Defaults to disabled.
+
+
+### `logging.files.rotateonstartup` [_logging_files_rotateonstartup]
+
+If the log file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to true.
+
+
+### `logging.files.redirect_stderr` [preview] [_logging_files_redirect_stderr]
+
+When true, diagnostic messages printed to Winlogbeat’s standard error output will also be logged to the log file. This can be helpful in situations were Winlogbeat terminates unexpectedly because an error has been detected by Go’s runtime but diagnostic information is not present in the log file. This feature is only available when logging to files (`logging.to_files` is true). Disabled by default.
+
+
+## Logging format [_logging_format]
+
+The logging format is generally the same for each logging output. The one exception is with the syslog output where the timestamp is not included in the message because syslog adds its own timestamp.
+
+Each log message consists of the following parts:
+
+* Timestamp in ISO8601 format
+* Level
+* Logger name contained in brackets (Optional)
+* File name and line number of the caller
+* Message
+* Structured data encoded in JSON (Optional)
+
+Below are some samples:
+
+`2017-12-17T18:54:16.241-0500	INFO	logp/core_test.go:13	unnamed global logger`
+
+`2017-12-17T18:54:16.242-0500	INFO	[example]	logp/core_test.go:16	some message`
+
+`2017-12-17T18:54:16.242-0500	INFO	[example]	logp/core_test.go:19	some message	{"x": 1}`
+
+
+## Configuration options for event_data logger [_configuration_options_for_event_data_logger]
+
+Some outputs will log raw events on errors like indexing errors in the Elasticsearch output, to prevent logging raw events (that may contain sensitive information) together with other log messages, a different log file, only for log entries containing raw events, is used. It will use the same level, selectors and all other configurations from the default logger, but it will have it’s own file configuration.
+
+Having a different log file for raw events also prevents event data from drowning out the regular log files.
+
+::::{important}
+No matter the default logger output configuration, raw events will **always** be logged to a file configured by `logging.event_data.files`.
+::::
+
+
+
+### `logging.event_data.files.path` [_logging_event_data_files_path]
+
+The directory that log files are written to. The default is the logs path. See the [Directory layout](/reference/winlogbeat/directory-layout.md) section for details.
+
+
+### `logging.event_data.files.name` [_logging_event_data_files_name]
+
+The name of the file that logs are written to. The default is *winlogbeat*-events-data.
+
+
+### `logging.event_data.files.rotateeverybytes` [_logging_event_data_files_rotateeverybytes]
+
+The maximum size of a log file. If the limit is reached, a new log file is generated. The default size limit is 5242880 (5 MB).
+
+
+### `logging.event_data.files.keepfiles` [_logging_event_data_files_keepfiles]
+
+The number of most recent rotated log files to keep on disk. Older files are deleted during log rotation. The default value is 2. The `keepfiles` options has to be in the range of 2 to 1024 files.
+
+
+### `logging.event_data.files.permissions` [_logging_event_data_files_permissions]
+
+The permissions mask to apply when rotating log files. The default value is 0600. The `permissions` option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with *0*.
+
+The most permissive mask allowed is 0640. If a higher permissions mask is specified via this setting, it will be subject to an umask of 0027.
+
+This option is not supported on Windows.
+
+Examples:
+
+* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
+* 0600: give read and write access to the file owner, and no access to all others.
+
+
+### `logging.event_data.files.interval` [_logging_event_data_files_interval]
+
+Enable log file rotation on time intervals in addition to size-based rotation. Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h are boundary-aligned with minutes, hours, days, weeks, months, and years as reported by the local system clock. All other intervals are calculated from the unix epoch. Defaults to disabled.
+
+
+### `logging.event_data.files.rotateonstartup` [_logging_event_data_files_rotateonstartup]
+
+If the log file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to false.
diff --git a/docs/reference/winlogbeat/configuration-monitor.md b/docs/reference/winlogbeat/configuration-monitor.md
new file mode 100644
index 000000000000..b9b5d2331a21
--- /dev/null
+++ b/docs/reference/winlogbeat/configuration-monitor.md
@@ -0,0 +1,113 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-monitor.html
+---
+
+# Settings for internal collection [configuration-monitor]
+
+Use the following settings to configure internal collection when you are not using {{metricbeat}} to collect monitoring data.
+
+You specify these settings in the X-Pack monitoring section of the `winlogbeat.yml` config file:
+
+## `monitoring.enabled` [_monitoring_enabled]
+
+The `monitoring.enabled` config is a boolean setting to enable or disable {{monitoring}}. If set to `true`, monitoring is enabled.
+
+The default value is `false`.
+
+
+## `monitoring.elasticsearch` [_monitoring_elasticsearch]
+
+The {{es}} instances that you want to ship your Winlogbeat metrics to. This configuration option contains the following fields:
+
+
+## `monitoring.cluster_uuid` [_monitoring_cluster_uuid]
+
+The `monitoring.cluster_uuid` config identifies the {{es}} cluster under which the monitoring data will appear in the Stack Monitoring UI.
+
+### `api_key` [_api_key_3]
+
+The detail of the API key to be used to send monitoring information to {{es}}. See [*Grant access using API keys*](/reference/winlogbeat/beats-api-keys.md) for more information.
+
+
+### `bulk_max_size` [_bulk_max_size_5]
+
+The maximum number of metrics to bulk in a single {{es}} bulk API index request. The default is `50`. For more information, see [Elasticsearch](/reference/winlogbeat/elasticsearch-output.md).
+
+
+### `backoff.init` [_backoff_init_4]
+
+The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting `backoff.init` seconds, Winlogbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_4]
+
+The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. The default is 60s.
+
+
+### `compression_level` [_compression_level_3]
+
+The gzip compression level. Setting this value to `0` disables compression. The compression level must be in the range of `1` (best speed) to `9` (best compression). The default value is `0`. Increasing the compression level reduces the network usage but increases the CPU usage.
+
+
+### `headers` [_headers_3]
+
+Custom HTTP headers to add to each request. For more information, see [Elasticsearch](/reference/winlogbeat/elasticsearch-output.md).
+
+
+### `hosts` [_hosts_4]
+
+The list of {{es}} nodes to connect to. Monitoring metrics are distributed to these nodes in round robin order. For more information, see [Elasticsearch](/reference/winlogbeat/elasticsearch-output.md).
+
+
+### `max_retries` [_max_retries_5]
+
+The number of times to retry sending the monitoring metrics after a failure. After the specified number of retries, the metrics are typically dropped. The default value is `3`. For more information, see [Elasticsearch](/reference/winlogbeat/elasticsearch-output.md).
+
+
+### `parameters` [_parameters_2]
+
+Dictionary of HTTP parameters to pass within the url with index operations.
+
+
+### `password` [_password_5]
+
+The password that Winlogbeat uses to authenticate with the {{es}} instances for shipping monitoring data.
+
+
+### `metrics.period` [_metrics_period]
+
+The time interval (in seconds) when metrics are sent to the {{es}} cluster. A new snapshot of Winlogbeat metrics is generated and scheduled for publishing each period. The default value is 10 * time.Second.
+
+
+### `state.period` [_state_period]
+
+The time interval (in seconds) when state information are sent to the {{es}} cluster. A new snapshot of Winlogbeat state is generated and scheduled for publishing each period. The default value is 60 * time.Second.
+
+
+### `protocol` [_protocol]
+
+The name of the protocol to use when connecting to the {{es}} cluster. The options are: `http` or `https`. The default is `http`. If you specify a URL for `hosts`, however, the value of protocol is overridden by the scheme you specify in the URL.
+
+
+### `proxy_url` [_proxy_url_4]
+
+The URL of the proxy to use when connecting to the {{es}} cluster. For more information, see [Elasticsearch](/reference/winlogbeat/elasticsearch-output.md).
+
+
+### `timeout` [_timeout_5]
+
+The HTTP request timeout in seconds for the {{es}} request. The default is `90`.
+
+
+### `ssl` [_ssl_5]
+
+Configuration options for Transport Layer Security (TLS) or Secure Sockets Layer (SSL) parameters like the certificate authority (CA) to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to {{es}}. For more information, see [SSL](/reference/winlogbeat/configuration-ssl.md).
+
+
+### `username` [_username_4]
+
+The user ID that Winlogbeat uses to authenticate with the {{es}} instances for shipping monitoring data.
+
+
+
diff --git a/docs/reference/winlogbeat/configuration-output-codec.md b/docs/reference/winlogbeat/configuration-output-codec.md
new file mode 100644
index 000000000000..5b7ca32cca56
--- /dev/null
+++ b/docs/reference/winlogbeat/configuration-output-codec.md
@@ -0,0 +1,32 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-output-codec.html
+---
+
+# Change the output codec [configuration-output-codec]
+
+For outputs that do not require a specific encoding, you can change the encoding by using the codec configuration. You can specify either the `json` or `format` codec. By default the `json` codec is used.
+
+**`json.pretty`**: If `pretty` is set to true, events will be nicely formatted. The default is false.
+
+**`json.escape_html`**: If `escape_html` is set to true, html symbols will be escaped in strings. The default is false.
+
+Example configuration that uses the `json` codec with pretty printing enabled to write events to the console:
+
+```yaml
+output.console:
+  codec.json:
+    pretty: true
+    escape_html: false
+```
+
+**`format.string`**: Configurable format string used to create a custom formatted message.
+
+Example configurable that uses the `format` codec to print the events timestamp and message field to console:
+
+```yaml
+output.console:
+  codec.format:
+    string: '%{[@timestamp]} %{[message]}'
+```
+
diff --git a/docs/reference/winlogbeat/configuration-path.md b/docs/reference/winlogbeat/configuration-path.md
new file mode 100644
index 000000000000..b4c483a8f7b3
--- /dev/null
+++ b/docs/reference/winlogbeat/configuration-path.md
@@ -0,0 +1,78 @@
+---
+navigation_title: "Project paths"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-path.html
+---
+
+# Configure project paths [configuration-path]
+
+
+The `path` section of the `winlogbeat.yml` config file contains configuration options that define where Winlogbeat looks for its files. For example, Winlogbeat looks for the Elasticsearch template file in the configuration path and writes log files in the logs path. Winlogbeat looks for its registry files in the data path.
+
+Please see the [Directory layout](/reference/winlogbeat/directory-layout.md) section for more details.
+
+Here is an example configuration:
+
+```yaml
+path.home: /usr/share/beat
+path.config: /etc/beat
+path.data: /var/lib/beat
+path.logs: /var/log/
+```
+
+Note that it is possible to override these options by using command line flags.
+
+
+## Configuration options [_configuration_options_2]
+
+You can specify the following options in the `path` section of the `winlogbeat.yml` config file:
+
+
+### `home` [_home]
+
+The home path for the Winlogbeat installation. This is the default base path for all other path settings and for miscellaneous files that come with the distribution (for example, the sample dashboards). If not set by a CLI flag or in the configuration file, the default for the home path is the location of the Winlogbeat binary.
+
+Example:
+
+```yaml
+path.home: /usr/share/beats
+```
+
+
+### `config` [_config]
+
+The configuration path for the Winlogbeat installation. This is the default base path for configuration files, including the main YAML configuration file and the Elasticsearch template file. If not set by a CLI flag or in the configuration file, the default for the configuration path is the home path.
+
+Example:
+
+```yaml
+path.config: /usr/share/beats/config
+```
+
+
+### `data` [_data]
+
+The data path for the Winlogbeat installation. This is the default base path for all the files in which Winlogbeat needs to store its data. If not set by a CLI flag or in the configuration file, the default for the data path is a `data` subdirectory inside the home path.
+
+Example:
+
+```yaml
+path.data: /var/lib/beats
+```
+
+::::{tip}
+When running multiple Winlogbeat instances on the same host, make sure they each have a distinct `path.data` value.
+::::
+
+
+
+### `logs` [_logs]
+
+The logs path for a Winlogbeat installation. This is the default location for Winlogbeat’s log files. If not set by a CLI flag or in the configuration file, the default for the logs path is a `logs` subdirectory inside the home path.
+
+Example:
+
+```yaml
+path.logs: /var/log/beats
+```
+
diff --git a/docs/reference/winlogbeat/configuration-ssl.md b/docs/reference/winlogbeat/configuration-ssl.md
new file mode 100644
index 000000000000..ed8d3de07474
--- /dev/null
+++ b/docs/reference/winlogbeat/configuration-ssl.md
@@ -0,0 +1,486 @@
+---
+navigation_title: "SSL"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-ssl.html
+---
+
+# Configure SSL [configuration-ssl]
+
+
+You can specify SSL options when you configure:
+
+* [outputs](/reference/winlogbeat/configuring-output.md) that support SSL
+* the [Kibana endpoint](/reference/winlogbeat/setup-kibana-endpoint.md)
+
+Example output config with SSL enabled:
+
+```yaml
+output.elasticsearch.hosts: ["https://192.168.1.42:9200"]
+output.elasticsearch.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+output.elasticsearch.ssl.certificate: "/etc/client/cert.pem"
+output.elasticsearch.ssl.key: "/etc/client/cert.key"
+```
+
+Also see [*Secure communication with Logstash*](/reference/winlogbeat/configuring-ssl-logstash.md).
+
+Example Kibana endpoint config with SSL enabled:
+
+```yaml
+setup.kibana.host: "https://192.0.2.255:5601"
+setup.kibana.ssl.enabled: true
+setup.kibana.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+setup.kibana.ssl.certificate: "/etc/client/cert.pem"
+setup.kibana.ssl.key: "/etc/client/cert.key"
+```
+
+There are a number of SSL configuration options available to you:
+
+* [Common configuration options](#ssl-common-config)
+* [Client configuration options](#ssl-client-config)
+* [Server configuration options](#ssl-server-config)
+
+
+## Common configuration options [ssl-common-config]
+
+Common SSL configuration options can be used in both client and server configurations. You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `enabled` [enabled]
+
+To disable SSL configuration, set the value to `false`. The default value is `true`.
+
+::::{note}
+SSL settings are disabled if either `enabled` is set to `false` or the `ssl` section is missing.
+
+::::
+
+
+
+### `supported_protocols` [supported-protocols]
+
+List of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions not configured, the connection will be dropped during or after the handshake. The setting is a list of allowed protocol versions: `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.
+
+The default value is `[TLSv1.2, TLSv1.3]`.
+
+
+### `cipher_suites` [cipher-suites]
+
+The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s [default suites](https://golang.org/pkg/crypto/tls/) are used (recommended).
+
+Note that if TLS 1.3 is enabled (which is true by default), then the default TLS 1.3 cipher suites are always included, because Go’s standard library adds them to all connections. In order to exclude the default TLS 1.3 ciphers, TLS 1.3 must also be disabled, e.g. with the setting `ssl.supported_protocols = [TLSv1.2]`.
+
+The following cipher suites are available:
+
+| Cypher | Notes |
+| --- | --- |
+| ECDHE-ECDSA-AES-128-CBC-SHA |  |
+| ECDHE-ECDSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| ECDHE-ECDSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| ECDHE-ECDSA-AES-256-CBC-SHA |  |
+| ECDHE-ECDSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS 1.2 only. |
+| ECDHE-ECDSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+| ECDHE-RSA-3DES-CBC3-SHA |  |
+| ECDHE-RSA-AES-128-CBC-SHA |  |
+| ECDHE-RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| ECDHE-RSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| ECDHE-RSA-AES-256-CBC-SHA |  |
+| ECDHE-RSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| ECDHE-RSA-CHACHA20-POLY1205 | TLS 1.2 only. |
+| ECDHE-RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+| RSA-3DES-CBC3-SHA |  |
+| RSA-AES-128-CBC-SHA |  |
+| RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. |
+| RSA-AES-128-GCM-SHA256 | TLS 1.2 only. |
+| RSA-AES-256-CBC-SHA |  |
+| RSA-AES-256-GCM-SHA384 | TLS 1.2 only. |
+| RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. |
+
+Here is a list of acronyms used in defining the cipher suites:
+
+* 3DES: Cipher suites using triple DES
+* AES-128/256: Cipher suites using AES with 128/256-bit keys.
+* CBC: Cipher using Cipher Block Chaining as block cipher mode.
+* ECDHE: Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange.
+* ECDSA: Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication.
+* GCM: Galois/Counter mode is used for symmetric key cryptography.
+* RC4: Cipher suites using RC4.
+* RSA: Cipher suites using RSA.
+* SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384.
+
+
+### `curve_types` [curve-types]
+
+The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).
+
+The following elliptic curve types are available:
+
+* P-256
+* P-384
+* P-521
+* X25519
+
+
+### `ca_sha256` [ca-sha256]
+
+This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain.
+
+The pin is a base64 encoded string of the SHA-256 of the certificate.
+
+::::{note}
+This check is not a replacement for the normal SSL validation, but it adds additional validation. If this option is used with  `verification_mode` set to `none`, the check will always fail because it will not receive any verified chains.
+::::
+
+
+
+## Client configuration options [ssl-client-config]
+
+You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `certificate_authorities` [client-certificate-authorities]
+
+The list of root certificates for verifications is required. If `certificate_authorities` is empty or not set, the system keystore is used. If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well.
+
+By default you can specify a list of files that `winlogbeat` will read, but you can also embed a certificate directly in the `YAML` configuration:
+
+```yaml
+certificate_authorities:
+  - |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `certificate: "/etc/client/cert.pem"` [client-certificate]
+
+The path to the certificate for SSL client authentication is only required if `client_authentication` is specified. If the certificate is not specified, client authentication is not available. The connection might fail if the server requests client authentication. If the SSL server does not require client authentication, the certificate will be loaded, but not requested or used by the server.
+
+When this option is configured, the [`key`](#client-key) option is also required. The certificate option support embedding of the certificate:
+
+```yaml
+certificate: |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `key: "/etc/client/cert.key"` [client-key]
+
+The client certificate key used for client authentication and is only required if `client_authentication` is configured. The key option support embedding of the private key:
+
+```yaml
+key: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
+    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
+    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
+    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
+    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
+    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
+    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
+    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
+    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
+    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
+    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
+    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
+    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
+    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
+    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
+    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
+    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
+    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
+    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
+    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
+    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
+    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
+    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
+    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
+    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
+    nygO9KTJuUiBrLr0AHEnqko=
+    -----END PRIVATE KEY-----
+```
+
+
+### `key_passphrase` [client-key-passphrase]
+
+The passphrase used to decrypt an encrypted key stored in the configured `key` file.
+
+
+### `verification_mode` [client-verification-mode]
+
+Controls the verification of server certificates. Valid values are:
+
+`full`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
+
+`strict`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.
+
+`certificate`
+:   Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
+
+`none`
+:   Performs *no verification* of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.
+
+    The default value is `full`.
+
+
+
+### `ca_trusted_fingerprint` [ca_trusted_fingerprint]
+
+A HEX encoded SHA-256 of a CA certificate. If this certificate is present in the chain during the handshake, it will be added to the `certificate_authorities` list and the handshake will continue normaly.
+
+To get the fingerprint from a CA certificate on a Unix-like system, you can use the following command, where `ca.crt` is the certificate.
+
+```
+openssl x509 -fingerprint -sha256 -noout -in ./ca.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'
+```
+
+
+## Server configuration options [ssl-server-config]
+
+You can specify the following options in the `ssl` section of each subsystem that supports SSL.
+
+
+### `certificate_authorities` [server-certificate-authorities]
+
+The list of root certificates for client verifications is only required if `client_authentication` is configured. If `certificate_authorities` is empty or not set, and `client_authentication` is configured, the system keystore is used.
+
+If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well. By default you can specify a list of files that `winlogbeat` will read, but you can also embed a certificate directly in the `YAML` configuration:
+
+```yaml
+certificate_authorities:
+  - |
+    -----BEGIN CERTIFICATE-----
+    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+    sxSmbIUfc2SGJGCJD4I=
+    -----END CERTIFICATE-----
+```
+
+
+### `certificate: "/etc/server/cert.pem"` [server-certificate]
+
+The end-entity (leaf) certificate that the server uses to identify itself. If the certificate is signed by a certificate authority (CA), then it should include intermediate CA certificates, sorted from leaf to root. For servers, a `certificate` and [`key`](#server-key) must be specified.
+
+The certificate option supports embedding of the PEM certificate content. This example contains the leaf certificate followed by issuer’s certificate.
+
+```yaml
+certificate: |
+  -----BEGIN CERTIFICATE-----
+  MIIF2jCCA8KgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEW
+  MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8g
+  UmVhbDEOMAwGA1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwHhcNMjMxMDMw
+  MTkyMzU4WhcNMjMxMDMxMTkyMzU4WjB2MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMN
+  U2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8gUmVhbDEOMAwG
+  A1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMxDzANBgNVBAMTBnNlcnZlcjCC
+  AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALW37cart7l0KE3LCStFbiGm
+  Rr/QSkuPv+Y+SXFT4zXrMFP3mOfUCVsR4lugv+jmql9qjbwR9jKsgKXA1kSvNXSZ
+  lLYWRcNnQ+QzwKxJf/jy246nSfqb2FKvVMs580lDwKHHxn/FSpHV93O4Goy5cLfF
+  ACE7BSdJdxl5DVAMmmkzd6gBGgN8dQIbcyJYuIZYQt44PqSYh/BomTyOXKrmvX4y
+  t7/pF+ldJjWZq/6SfCq6WE0jSrpI1P/42Qd9h5Tsnl6qsUGA2Tz5ZqKz2cyxaIlK
+  wL9tYDionfFIl+jZcxkGPF2a14O1TycCI0B/z+0VL+HR/8fKAB0NdP+QRLaPWOrn
+  DvraAO+bVKC6VrQyUYNUOwtd2gMUqm6Hzrf4s3wjP754eSJkvnSoSAB6l7ZmJKe5
+  Pz5oDDOVPwKHv/MrhsCSMNFeXSEO+rq9TtYEAFQI5rFGHlURga8kA1T1pirHyEtS
+  2o8GUSPSHVulaPdFnHg4xfTexfRYLCqya75ISJuY2/+2GblCie/re1GFitZCZ46/
+  xiQQDOjgL96soDVZ+cTtMpXanslgDapTts9LPIJTd9FUJCY1omISGiSjABRuTlCV
+  8054ja4BKVahSd5BqqtVkWyV64SCut6kce2ndwBkyFvlZ6cteLCW7KtzYvba4XBb
+  YIAs+H+9e/bZUVhws5mFAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgeAMB0GA1Ud
+  JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAOBgNVHQ4EBwQFAQIDBAUwPwYDVR0R
+  BDgwNoIJbG9jYWxob3N0ghFiZWF0cy5leGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAA
+  AAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAgEAldSZOUi+OUR46ERQuINl1oED
+  mjNsQ9FNP/RDu8mPJaNb5v2sAbcpuZb9YdnScT+d+n0+LMd5uz2g67Qr73QCpXwL
+  9YJIs56i7qMTKXlVvRQrvF9P/zP3sm5Zfd2I/x+8oXgEeYsxAWipJ8RsbnN1dtu8
+  C4l+P0E58jjrjom11W90RiHYaT0SI2PPBTTRhYLz0HayThPZDMdFnIQqVxUYbQD5
+  ybWu77hnsvC/g2C8/N2LAdQGJJ67owMa5T3YRneiaSvvOf3I45oeLE+olGAPdrSq
+  5Sp0G7fcAKMRPxcwYeD7V5lfYMtb+RzECpYAHT8zHKLZl6/34q2k8P8EWEpAsD80
+  +zSbCkdvNiU5lU90rV8E2baTKCg871k4O8sT48eUyDps6ZUCfT1dgefXeyOTV5bY
+  864Zo6bWJhAJ7Qa2d4HJkqPzSbqsosHVobojgkOcMqkStLHd8sgtCoFmJMflbp7E
+  ghawl/RVFEkL9+TWy9fR8sJWRx13P8CUP6AL9kVmcU2c3gMNpvQfIii9QOnQrRsi
+  yZj9FKl+ZM49I6RQ6dY5JVgWtpVm/+GBVuy1Aj91JEjw7r1jAeir5K9LAXG8kEN9
+  irndx1SK2MMTY79lGHFGQRv3vnQGI0Wzjtn31YJ7qIFNJ1WWbAZLR9FBtzmMeXM6
+  puoJ9UYvfIcHUGPdZGU=
+  -----END CERTIFICATE-----
+  -----BEGIN CERTIFICATE-----
+  MIIFpjCCA46gAwIBAgIBATANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEW
+  MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8g
+  UmVhbDEOMAwGA1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwHhcNMjMxMDMw
+  MTkyMzU2WhcNMjMxMDMxMTkyMzU2WjBlMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMN
+  U2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8gUmVhbDEOMAwG
+  A1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwggIiMA0GCSqGSIb3DQEBAQUA
+  A4ICDwAwggIKAoICAQDQP3hJt4jTIo+tBXB/R4RuBTvv6OOago9joxlNDm0abseJ
+  ehE0V8FDi0SSpa7ZiqwCGq/deu5OIWVNpFCLHeH5YBriNmB7oPkNRCleu50JsUrG
+  RjSTtBIJcu/CVpD7Q5XMbhbhYcPArrxrSreo3ox8a+2X7b8nA1xPgIcWqSCgs9iV
+  lwKHaQWNTUXYwwZG7b9WG4EJaki6t1+1QbDDJU0oWrZNg23wQEBvEVRDQs7kadvm
+  9YtZLPULlSyV4Rk3yNW8dPXHjcz2wp3PBPIWIQe9mzYU608307TkUMVN2EEOImxl
+  Wm1RtXYvvVb1LiY0C2lYbN3jLZQzffK5RsS87ocqTQM+HvDBv/PupHDvW08wietu
+  RtRbdx/2cN0GLmOHnkWKx+GlYDZfAtIj958fTKl2hHyNqJ1pE7vksSYBwBxMFQem
+  eSGzw5pO53kmPcZO203YQ2qoJd7z1aLf7eAOqDn5zwlYNc00bZ6DwTZsyptGv9sZ
+  zcZuovppPgCN4f1I9ja/NPKep+sVKfQqR5HuOFOPFcr6oOioESJSgIvXXF9RhCVh
+  UMeZKWWSCNm1ea4h6q8OJdQfM7XXkXm+dEyF0TogC00CidZWuYMZcgXND5p/1Di5
+  PkCKPUMllCoK0oaTfFioNW7qtNbDGQrW+spwDa4kjJNKYtDD0jjPgFMgSzQ2MwID
+  AQABo2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG
+  AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFImOXc9Tv+mgn9jOsPig
+  9vlAUTa+MA0GCSqGSIb3DQEBCwUAA4ICAQBZ9tqU88Nmgf+vDgkKMKLmLMaRCRlV
+  HcYrm7WoWLX+q6VSbmvf5eD5OrzzbAnnp16iXap8ivsAEFTo8XWh/bjl7G/2jetR
+  xZD2WHtzmAg3s4SVsEHIyFUF1ERwnjO2ndHjoIsx8ktUk1aNrmgPI6s07fkULDm+
+  2aXyBSZ9/oimZM/s3IqYJecxwE+yyS+FiS6mSDCCVIyQXdtVAbFHegyiBYv8EbwF
+  Xz70QiqQtxotGlfts/3uN1s+xnEoWz5E6S5DQn4xQh0xiKSXPizMXou9xKzypeSW
+  qtNdwtg62jKWDaVriBfrvoCnyjjCIjmcTcvA2VLmeZShyTuIucd0lkg2NKIGeM7I
+  o33hmdiKaop1fVtj8zqXvCRa3ecmlvcxPKX0otVFORFNOfaPjH/CjW0CnP0LByGK
+  YW19w0ncJZa9cc1SlNL28lnBhW+i1+ViR02wtjabH9XO+mtxuaEPDZ1hLhhjktqI
+  Y2oFUso4C5xiTU/hrH8+cFv0dn/+zyQoLfJEQbUX9biFeytt7T4Yynwhdy7jryqH
+  fdy/QM26YnsE8D7l4mv99z+zII0IRGnQOuLTuNAIyGJUf69hCDubZFDeHV/IB9hU
+  6GA6lBpsJlTDgfJLbtKuAHxdn1DO+uGg0GxgwggH6Vh9x9yQK2E6BaepJisL/zNB
+  RQQmEyTn1hn/eA==
+  -----END CERTIFICATE-----
+```
+
+
+### `key: "/etc/server/cert.key"` [server-key]
+
+The server certificate key used for authentication is required. The key option supports embedding of the private key:
+
+```yaml
+key: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
+    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
+    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
+    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
+    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
+    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
+    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
+    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
+    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
+    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
+    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
+    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
+    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
+    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
+    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
+    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
+    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
+    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
+    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
+    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
+    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
+    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
+    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
+    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
+    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
+    nygO9KTJuUiBrLr0AHEnqko=
+    -----END PRIVATE KEY-----
+```
+
+
+### `key_passphrase` [server-key-passphrase]
+
+The passphrase is used to decrypt an encrypted key stored in the configured `key` file.
+
+
+### `verification_mode` [server-verification-mode]
+
+Controls the verification of client certificates. Valid values are:
+
+`full`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
+
+`strict`
+:   Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.
+
+`certificate`
+:   Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
+
+`none`
+:   Performs *no verification* of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.
+
+    The default value is `full`.
+
+
+
+### `renegotiation` [server-renegotiation]
+
+This configures what types of TLS renegotiation are supported. The valid options are:
+
+`never`
+:   Disables renegotiation.
+
+`once`
+:   Allows a remote server to request renegotiation once per connection.
+
+`freely`
+:   Allows a remote server to request renegotiation repeatedly.
+
+    The default value is `never`.
+
+
+
+### `restart_on_cert_change.enabled` [exit_on_cert_change_enabled]
+
+If set to `true` Winlogbeat will restart if any file listed by `key`, `certificate`, or `certificate_authorities` is modified.
+
+::::{note}
+This feature is NOT supported on Windows. The default value is `false`.
+::::
+
+
+::::{note}
+This feature requres the `execve` system call to be enabled. If you have a custom seccomp policy in place, make sure to allow for `execve`.
+::::
+
+
+
+### `restart_on_cert_change.period` [restart_on_cert_change_period]
+
+Specifies how often the files are checked for changes. Do not set the period to less than 1s because the modification time of files is often stored in seconds. Setting the period to less than 1s will result in validation error and Winlogbeat will not start. The default value is 1m.
+
diff --git a/docs/reference/winlogbeat/configuration-template.md b/docs/reference/winlogbeat/configuration-template.md
new file mode 100644
index 000000000000..a904aea71a2a
--- /dev/null
+++ b/docs/reference/winlogbeat/configuration-template.md
@@ -0,0 +1,112 @@
+---
+navigation_title: "Elasticsearch index template"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-template.html
+---
+
+# Configure Elasticsearch index template loading [configuration-template]
+
+
+The `setup.template` section of the `winlogbeat.yml` config file specifies the [index template](docs-content://manage-data/data-store/templates.md) to use for setting mappings in Elasticsearch. If template loading is enabled (the default), Winlogbeat loads the index template automatically after successfully connecting to Elasticsearch.
+
+::::{note}
+A connection to Elasticsearch is required to load the index template. If the configured output is not Elasticsearch (or {{ess}}), you must [load the template manually](/reference/winlogbeat/winlogbeat-template.md#load-template-manually).
+::::
+
+
+You can adjust the following settings to load your own template or overwrite an existing one.
+
+**`setup.template.enabled`**
+:   Set to false to disable template loading. If this is set to false, you must [load the template manually](/reference/winlogbeat/winlogbeat-template.md#load-template-manually).
+
+**`setup.template.name`**
+:   The name of the template. The default is `winlogbeat`. The Winlogbeat version is always appended to the given name, so the final name is `winlogbeat-%{[agent.version]}`.
+
+**`setup.template.pattern`**
+:   The template pattern to apply to the default index settings. The default pattern is `winlogbeat`. The Winlogbeat version is always included in the pattern, so the final pattern is `winlogbeat-%{[agent.version]}`.
+
+    Example:
+
+    ```yaml
+    setup.template.name: "winlogbeat"
+    setup.template.pattern: "winlogbeat"
+    ```
+
+
+**`setup.template.fields`**
+:   The path to the YAML file describing the fields. The default is `fields.yml`. If a relative path is set, it is considered relative to the config path. See the [Directory layout](/reference/winlogbeat/directory-layout.md) section for details.
+
+**`setup.template.overwrite`**
+:   A boolean that specifies whether to overwrite the existing template. The default is false. Do not enable this option if you start more than one instance of Winlogbeat at the same time. It can overload {{es}} by sending too many template update requests.
+
+**`setup.template.settings`**
+:   A dictionary of settings to place into the `settings.index` dictionary of the Elasticsearch template. For more details about the available Elasticsearch mapping options, please see the Elasticsearch [mapping reference](docs-content://manage-data/data-store/mapping.md).
+
+    Example:
+
+    ```yaml
+    setup.template.name: "winlogbeat"
+    setup.template.fields: "fields.yml"
+    setup.template.overwrite: false
+    setup.template.settings:
+      index.number_of_shards: 1
+      index.number_of_replicas: 1
+    ```
+
+
+**`setup.template.settings._source`**
+:   A dictionary of settings for the `_source` field. For the available settings, please see the Elasticsearch [reference](elasticsearch://reference/elasticsearch/mapping-reference/mapping-source-field.md).
+
+    Example:
+
+    ```yaml
+    setup.template.name: "winlogbeat"
+    setup.template.fields: "fields.yml"
+    setup.template.overwrite: false
+    setup.template.settings:
+      _source.enabled: false
+    ```
+
+
+**`setup.template.append_fields`**
+:   A list of fields to be added to the template and {{kib}} index pattern. This setting adds new fields. It does not overwrite or change existing fields.
+
+    This setting is useful when your data contains fields that Winlogbeat doesn’t know about in advance.
+
+    If `append_fields` is specified along with `overwrite: true`, Winlogbeat overwrites the existing template and applies the new template when creating new indices. Existing indices are not affected. If you’re running multiple instances of Winlogbeat with different `append_fields` settings, the last one writing the template takes precedence.
+
+    Any changes to this setting also affect the {{kib}} index pattern.
+
+    Example config:
+
+    ```yaml
+    setup.template.overwrite: true
+    setup.template.append_fields:
+    - name: test.name
+      type: keyword
+    - name: test.hostname
+      type: long
+    ```
+
+
+**`setup.template.json.enabled`**
+:   Set to `true` to load a JSON-based template file. Specify the path to your {{es}} index template file and set the name of the template.
+
+    ```yaml
+    setup.template.json.enabled: true
+    setup.template.json.path: "template.json"
+    setup.template.json.name: "template-name"
+    setup.template.json.data_stream: false
+    ```
+
+
+::::{note}
+If the JSON template is used, the `fields.yml` is skipped for the template generation.
+::::
+
+
+::::{note}
+If the JSON template is a data stream, set `setup.template.json.data_stream`.
+::::
+
+
diff --git a/docs/reference/winlogbeat/configuration-winlogbeat-options.md b/docs/reference/winlogbeat/configuration-winlogbeat-options.md
new file mode 100644
index 000000000000..6b8eace6ec63
--- /dev/null
+++ b/docs/reference/winlogbeat/configuration-winlogbeat-options.md
@@ -0,0 +1,347 @@
+---
+navigation_title: "Winlogbeat"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html
+---
+
+# Configure Winlogbeat [configuration-winlogbeat-options]
+
+
+The `winlogbeat` section of the `winlogbeat.yml` config file specifies all options that are specific to Winlogbeat. Most importantly, it contains the list of event logs to monitor.
+
+Here is a sample configuration:
+
+```yaml
+winlogbeat.event_logs:
+  - name: Application
+    ignore_older: 72h
+  - name: Security
+  - name: System
+```
+
+
+## Configuration options [_configuration_options]
+
+You can specify the following options in the `winlogbeat` section of the `winlogbeat.yml` config file:
+
+
+### `registry_file` [_registry_file]
+
+The name of the file where Winlogbeat stores information that it uses to resume monitoring after a restart. By default the file is stored as `.winlogbeat.yml` in the directory where the Beat was started. When you run the process as a Windows service, it’s recommended that you set the value to `C:/ProgramData/winlogbeat/.winlogbeat.yml`.
+
+```yaml
+winlogbeat.registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
+```
+
+::::{note}
+The forward slashes (/) in the path are automatically changed to backslashes (\) for Windows compatibility. You can use either forward or backslashes. Forward slashes are easier to work with in YAML because there is no need to escape them.
+::::
+
+
+
+### `registry_flush` [_registry_flush]
+
+The timeout value that controls when registry entries are written to disk (flushed). When an unwritten update exceeds this value, it triggers a write to disk. When flush is set to 0s, the registry is written to disk after each batch of events has been published successfully.
+
+The default value is 5s.
+
+Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`.
+
+```yaml
+winlogbeat.registry_flush: 5s
+```
+
+
+### `shutdown_timeout` [_shutdown_timeout]
+
+The amount of time to wait for all events to be published when shutting down. By default there is no shutdown timeout so Winlogbeat will stop without waiting. When you restart it will resume from the last successfully published event in each event log.
+
+In some use cases you do want to wait for the publishing queue to drain before exiting and that’s when you would use this option.
+
+Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`.
+
+```yaml
+winlogbeat.shutdown_timeout: 30s
+```
+
+
+### `event_logs` [_event_logs]
+
+A list of entries (called *dictionaries* in YAML) that specify which event logs to monitor. Each entry in the list defines an event log to monitor as well as any information to be associated with the event log (filter, tags, and so on).
+
+```yaml
+winlogbeat.event_logs:
+  - name: Application
+```
+
+
+### `event_logs.batch_read_size` [_event_logs_batch_read_size]
+
+The maximum number of event log records to read from the Windows API in a single batch. The default batch size is 512. Most Windows versions return an error if the value is larger than 1024. **This option is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer).**
+
+Winlogbeat starts a goroutine (a lightweight thread) to read from each individual event log. The goroutine reads a batch of event log records using the Windows API, applies any processors to the events, publishes them to the configured outputs, and waits for an acknowledgement from the outputs before reading additional event log records.
+
+
+### `event_logs.name` [configuration-winlogbeat-options-event_logs-name]
+
+The name of the event log to monitor. Each dictionary under `event_logs` must have a `name` field, except for those which use a custom XML query. A channel is a named stream of events that transports events from an event source to an event log. Most channels are tied to specific event publishers. You can get a list of available event logs by using the PowerShell [`Get-WinEvent`](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent) cmdlet on Windows Vista or newer. Here is a sample of the output from the command:
+
+```sh
+PS C:\> Get-WinEvent -ListLog * | Format-List -Property LogName
+LogName : Application
+LogName : HardwareEvents
+LogName : Internet Explorer
+LogName : Key Management Service
+LogName : Security
+LogName : System
+LogName : Windows PowerShell
+LogName : ForwardedEvents
+LogName : Microsoft-Management-UI/Admin
+LogName : Microsoft-Rdms-UI/Admin
+LogName : Microsoft-Rdms-UI/Operational
+LogName : Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
+...
+```
+
+If `Get-WinEvent` is not available, the [`Get-EventLog`](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog) cmdlet can be used in its place.
+
+```sh
+PS C:\Users\vagrant> Get-EventLog *
+
+  Max(K) Retain OverflowAction        Entries Log
+  ------ ------ --------------        ------- ---
+  20,480      0 OverwriteAsNeeded          75 Application
+  20,480      0 OverwriteAsNeeded           0 HardwareEvents
+     512      7 OverwriteOlder              0 Internet Explorer
+  20,480      0 OverwriteAsNeeded           0 Key Management Service
+  20,480      0 OverwriteAsNeeded       1,609 Security
+  20,480      0 OverwriteAsNeeded       1,184 System
+  15,360      0 OverwriteAsNeeded         464 Windows PowerShell
+```
+
+You must specify the full name of the channel in the configuration file.
+
+```yaml
+winlogbeat.event_logs:
+  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
+```
+
+To read events from an archived `.evtx` file you can specify the `name` as the absolute path (it cannot be relative) to the file. There’s a complete example of how to read from an .evtx file in the [FAQ](/reference/winlogbeat/reading-from-evtx.md).
+
+```yaml
+winlogbeat.event_logs:
+  - name: 'C:\backup\sysmon-2019.08.evtx'
+```
+
+The name key must not be used with custom XML queries.
+
+
+### `event_logs.id` [_event_logs_id]
+
+A unique identifier for the event log. This key is required when using a custom XML query.
+
+It is used to uniquely identify the event log reader in the registry file. This is useful if multiple event logs are being set up to watch the same channel or file. If an ID is not given, the `event_logs.name` value will be used.
+
+This value must be unique.
+
+```yaml
+winlogbeat.event_logs:
+  - name: Application
+    id: application-logs
+    ignore_older: 168h
+```
+
+
+### `event_logs.ignore_older` [_event_logs_ignore_older]
+
+If this option is specified, Winlogbeat filters events that are older than the specified amount of time. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". This option is useful when you are beginning to monitor an event log that contains older records that you would like to ignore. This field is optional.
+
+```yaml
+winlogbeat.event_logs:
+  - name: Application
+    ignore_older: 168h
+```
+
+
+### `event_logs.forwarded` [_event_logs_forwarded]
+
+A boolean flag to indicate that the log contains only events collected from remote hosts using the Windows Event Collector. The value defaults to true for the ForwardedEvents log and false for any other log. **This option is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer).**
+
+This settings allows Winlogbeat to optimize reads for forwarded events that are already rendered. When the value is true Winlogbeat does not attempt to render the event using message files from the host computer. The Windows Event Collector subscription should be configured to use the "RenderedText" format (this is the default) to ensure that the events are distributed with messages and descriptions.
+
+
+### `event_logs.event_id` [_event_logs_event_id]
+
+A whitelist and blacklist of event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), single event IDs to exclude (e.g. -4735), and a range of event IDs to exclude (e.g. -4701-4710). **This option is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer).**
+
+```yaml
+winlogbeat.event_logs:
+  - name: Security
+    event_id: 4624, 4625, 4700-4800, -4735, -4701-4710
+```
+
+
+### `event_logs.language` [_event_logs_language]
+
+The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language.
+
+```yaml
+winlogbeat.event_logs:
+  - name: Security
+    event_id: 4624, 4625, 4700-4800, -4735
+    language: 0x0409 # en-US
+```
+
+
+### `event_logs.level` [_event_logs_level]
+
+A list of event levels to include. The value is a comma-separated list of levels. **This option is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer).**
+
+| Level | Value |
+| --- | --- |
+| critical, crit | 1 |
+| error, err | 2 |
+| warning, warn | 3 |
+| information, info | 0 or 4 |
+| verbose | 5 |
+
+```yaml
+winlogbeat.event_logs:
+  - name: Security
+    level: critical, error, warning
+```
+
+
+### `event_logs.provider` [_event_logs_provider]
+
+A list of providers (source names) to include. The value is a YAML list. **This option is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer).**
+
+```yaml
+winlogbeat.event_logs:
+  - name: Application
+    provider:
+      - Application Error
+      - Application Hang
+      - Windows Error Reporting
+      - EMET
+```
+
+You can obtain a list of providers associated with a log by using PowerShell. Here is an example showing the providers associated with the Security log.
+
+```sh
+PS C:\> (Get-WinEvent -ListLog Security).ProviderNames
+DS
+LSA
+SC Manager
+Security
+Security Account Manager
+ServiceModel 4.0.0.0
+Spooler
+TCP/IP
+VSSAudit
+Microsoft-Windows-Security-Auditing
+Microsoft-Windows-Eventlog
+```
+
+
+### `event_logs.xml_query` [_event_logs_xml_query]
+
+Provide a custom XML query. This option is mutually exclusive with the `name`, `event_id`, `ignore_older`, `level`, and `provider` options. These options should be included in the XML query directly. Furthermore, an `id` must be provided. Custom XML queries provide more flexibility and advanced options than the simpler query options in Winlogbeat. **This option is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer).**
+
+Here is a configuration which will collect DHCP server events from multiple channels:
+
+```yaml
+winlogbeat.event_logs:
+  - id: dhcp-server-logs
+    xml_query: >
+      <QueryList>
+        <Query Id="0" Path="DhcpAdminEvents">
+          <Select Path="DhcpAdminEvents">*</Select>
+          <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>
+          <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
+        </Query>
+      </QueryList>
+```
+
+XML queries may also be created in Windows Event Viewer using custom views. The query can be created using a graphical interface and the corresponding XML can be retrieved from the XML tab.
+
+
+### `event_logs.include_xml` [_event_logs_include_xml]
+
+Boolean option that controls if the raw XML representation of an event is included in the data sent by Winlogbeat. The default is false. **This option is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer).**
+
+The XML representation of the event is useful for troubleshooting purposes. The data in the fields reported by Winlogbeat can be compared to the data in the XML to diagnose problems.
+
+Example:
+
+```yaml
+winlogbeat.event_logs:
+  - name: Microsoft-Windows-Windows Defender/Operational
+    include_xml: true
+```
+
+* This can have a significant impact on performance that can vary depending on your system specs.
+
+
+### `event_logs.tags` [_event_logs_tags]
+
+A list of tags that the Beat includes in the `tags` field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.
+
+Example:
+
+```yaml
+winlogbeat.event_logs:
+  - name: CustomLog
+    tags: ["web"]
+```
+
+
+### `event_logs.fields` [winlogbeat-configuration-fields]
+
+Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering event data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a `fields` sub-dictionary in the output document. To store the custom fields as top-level fields, set the `fields_under_root` option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
+
+```yaml
+winlogbeat.event_logs:
+  - name: CustomLog
+    fields:
+      customer_id: 51415432
+```
+
+
+### `event_logs.fields_under_root` [_event_logs_fields_under_root]
+
+If this option is set to true, the custom [fields](#winlogbeat-configuration-fields) are stored as top-level fields in the output document instead of being grouped under a `fields` sub-dictionary. If the custom field names conflict with other field names added by Winlogbeat, then the custom fields overwrite the other fields.
+
+
+### `event_logs.processors` [_event_logs_processors]
+
+A list of processors to apply to the data generated by the event log.
+
+See [Processors](/reference/winlogbeat/filtering-enhancing-data.md) for information about specifying processors in your config.
+
+
+### `event_logs.index` [_event_logs_index]
+
+If present, this formatted string overrides the index for events from this event log (for elasticsearch outputs), or sets the `raw_index` field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use `output.elasticsearch.index` or a processor.
+
+Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might expand to `"winlogbeat-myindex-2019.12.13"`.
+
+
+### `event_logs.keep_null` [_event_logs_keep_null]
+
+If this option is set to true, fields with `null` values will be published in the output document. By default, `keep_null` is set to `false`.
+
+
+### `event_logs.no_more_events` [_event_logs_no_more_events]
+
+The action that the event log reader should take when it receives a signal from Windows that there are no more events to read. It can either `wait` for more events to be written (the default behavior) or it can `stop`. The overall Winlogbeat process will stop when all of the individual event log readers have stopped. **This option is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer).**
+
+Setting `no_more_events` to `stop` is useful when reading from archived event log files where you want to read the whole file then exit. There’s a complete example of how to read from an `.evtx` file in the [FAQ](/reference/winlogbeat/reading-from-evtx.md).
+
+
+### `overwrite_pipelines` [_overwrite_pipelines]
+
+By default Ingest pipelines are not updated if a pipeline with the same ID already exists. If this option is enabled Winlogbeat overwrites pipelines every time a new Elasticsearch connection is established.
+
+The default value is `false`.
+
diff --git a/docs/reference/winlogbeat/configure-cloud-id.md b/docs/reference/winlogbeat/configure-cloud-id.md
new file mode 100644
index 000000000000..72d1b2ccfef6
--- /dev/null
+++ b/docs/reference/winlogbeat/configure-cloud-id.md
@@ -0,0 +1,34 @@
+---
+navigation_title: "{{ess}}"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configure-cloud-id.html
+---
+
+# Configure the output for {{ess}} on {{ecloud}} [configure-cloud-id]
+
+
+Winlogbeat comes with two settings that simplify the output configuration when used together with [{{ess}}](https://www.elastic.co/cloud/elasticsearch-service?page=docs&placement=docs-body). When defined, these setting overwrite settings from other parts in the configuration.
+
+Example:
+
+```yaml
+cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
+cloud.auth: "elastic:{pwd}"
+```
+
+These settings can be also specified at the command line, like this:
+
+```sh
+winlogbeat -e -E cloud.id="<cloud-id>" -E cloud.auth="<cloud.auth>"
+```
+
+## `cloud.id` [_cloud_id]
+
+The Cloud ID, which can be found in the {{ess}} web console, is used by Winlogbeat to resolve the {{es}} and {{kib}} URLs. This setting overwrites the `output.elasticsearch.hosts` and `setup.kibana.host` settings. For more on locating and configuring the Cloud ID, see [Configure Beats and Logstash with Cloud ID](docs-content://deploy-manage/deploy/cloud-enterprise/find-cloud-id.md).
+
+
+## `cloud.auth` [_cloud_auth]
+
+When specified, the `cloud.auth` overwrites the `output.elasticsearch.username` and `output.elasticsearch.password` settings. Because the Kibana settings inherit the username and password from the {{es}} output, this can also be used to set the `setup.kibana.username` and `setup.kibana.password` options.
+
+
diff --git a/docs/reference/winlogbeat/configuring-howto-winlogbeat.md b/docs/reference/winlogbeat/configuring-howto-winlogbeat.md
new file mode 100644
index 000000000000..270a0e9f417c
--- /dev/null
+++ b/docs/reference/winlogbeat/configuring-howto-winlogbeat.md
@@ -0,0 +1,41 @@
+---
+navigation_title: "Configure"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuring-howto-winlogbeat.html
+---
+
+# Configure Winlogbeat [configuring-howto-winlogbeat]
+
+
+::::{tip}
+To get started quickly, read [Quick start: installation and configuration](/reference/winlogbeat/winlogbeat-installation-configuration.md).
+::::
+
+
+To configure Winlogbeat, edit the configuration file. The default configuration file is called  `winlogbeat.yml`. The location of the file varies by platform. To locate the file, see [Directory layout](/reference/winlogbeat/directory-layout.md).
+
+There’s also a full example configuration file called `winlogbeat.reference.yml` that shows all non-deprecated options.
+
+::::{tip}
+See the [Config File Format](/reference/libbeat/config-file-format.md) for more about the structure of the config file.
+::::
+
+
+The following topics describe how to configure Winlogbeat:
+
+* [Winlogbeat](/reference/winlogbeat/configuration-winlogbeat-options.md)
+* [General settings](/reference/winlogbeat/configuration-general-options.md)
+* [Project paths](/reference/winlogbeat/configuration-path.md)
+* [Output](/reference/winlogbeat/configuring-output.md)
+* [SSL](/reference/winlogbeat/configuration-ssl.md)
+* [Index lifecycle management (ILM)](/reference/winlogbeat/ilm.md)
+* [Elasticsearch index template](/reference/winlogbeat/configuration-template.md)
+* [{{kib}} endpoint](/reference/winlogbeat/setup-kibana-endpoint.md)
+* [Kibana dashboards](/reference/winlogbeat/configuration-dashboards.md)
+* [Processors](/reference/winlogbeat/filtering-enhancing-data.md)
+* [Internal queue](/reference/winlogbeat/configuring-internal-queue.md)
+* [Logging](/reference/winlogbeat/configuration-logging.md)
+* [HTTP endpoint](/reference/winlogbeat/http-endpoint.md)
+* [Instrumentation](/reference/winlogbeat/configuration-instrumentation.md)
+* [*winlogbeat.reference.yml*](/reference/winlogbeat/winlogbeat-reference-yml.md)
+
diff --git a/docs/reference/winlogbeat/configuring-ingest-node.md b/docs/reference/winlogbeat/configuring-ingest-node.md
new file mode 100644
index 000000000000..9429c620ee81
--- /dev/null
+++ b/docs/reference/winlogbeat/configuring-ingest-node.md
@@ -0,0 +1,50 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuring-ingest-node.html
+---
+
+# Parse data using an ingest pipeline [configuring-ingest-node]
+
+When you use {{es}} for output, you can configure Winlogbeat to use an [ingest pipeline](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md) to pre-process documents before the actual indexing takes place in {{es}}. An ingest pipeline is a convenient processing option when you want to do some extra processing on your data, but you do not require the full power of {{ls}}. For example, you can create an ingest pipeline in {{es}} that consists of one processor that removes a field in a document followed by another processor that renames a field.
+
+After defining the pipeline in {{es}}, you simply configure Winlogbeat to use the pipeline. To configure Winlogbeat, you specify the pipeline ID in the `parameters` option under `elasticsearch` in the `winlogbeat.yml` file:
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200"]
+  pipeline: my_pipeline_id
+```
+
+For example, let’s say that you’ve defined the following pipeline in a file named `pipeline.json`:
+
+```json
+{
+    "description": "Test pipeline",
+    "processors": [
+        {
+            "lowercase": {
+                "field": "agent.name"
+            }
+        }
+    ]
+}
+```
+
+To add the pipeline in {{es}}, you would run:
+
+```shell
+curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_ingest/pipeline/test-pipeline' -d@pipeline.json
+```
+
+Then in the `winlogbeat.yml` file, you would specify:
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200"]
+  pipeline: "test-pipeline"
+```
+
+When you run Winlogbeat, the value of `agent.name` is converted to lowercase before indexing.
+
+For more information about defining a pre-processing pipeline, see the [ingest pipeline](docs-content://manage-data/ingest/transform-enrich/ingest-pipelines.md) documentation.
+
diff --git a/docs/reference/winlogbeat/configuring-internal-queue.md b/docs/reference/winlogbeat/configuring-internal-queue.md
new file mode 100644
index 000000000000..d507edba1eb5
--- /dev/null
+++ b/docs/reference/winlogbeat/configuring-internal-queue.md
@@ -0,0 +1,144 @@
+---
+navigation_title: "Internal queue"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuring-internal-queue.html
+---
+
+# Configure the internal queue [configuring-internal-queue]
+
+
+Winlogbeat uses an internal queue to store events before publishing them. The queue is responsible for buffering and combining events into batches that can be consumed by the outputs. The outputs will use bulk operations to send a batch of events in one transaction.
+
+You can configure the type and behavior of the internal queue by setting options in the `queue` section of the `winlogbeat.yml` config file or by setting options in the `queue` section of the output. Only one queue type can be configured.
+
+This sample configuration sets the memory queue to buffer up to 4096 events:
+
+```yaml
+queue.mem:
+  events: 4096
+```
+
+
+## Configure the memory queue [configuration-internal-queue-memory]
+
+The memory queue keeps all events in memory.
+
+The memory queue waits for the output to acknowledge or drop events. If the queue is full, no new events can be inserted into the memory queue. Only after the signal from the output will the queue free up space for more events to be accepted.
+
+The memory queue is controlled by the parameters `flush.min_events` and `flush.timeout`. `flush.min_events` gives a limit on the number of events that can be included in a single batch, and `flush.timeout` specifies how long the queue should wait to completely fill an event request. If the output supports a `bulk_max_size` parameter, the maximum batch size will be the smaller of `bulk_max_size` and `flush.min_events`.
+
+`flush.min_events` is a legacy parameter, and new configurations should prefer to control batch size with `bulk_max_size`. As of 8.13, there is never a performance advantage to limiting batch size with `flush.min_events` instead of `bulk_max_size`.
+
+In synchronous mode, an event request is always filled as soon as events are available, even if there are not enough events to fill the requested batch. This is useful when latency must be minimized. To use synchronous mode, set `flush.timeout` to 0.
+
+For backwards compatibility, synchronous mode can also be activated by setting `flush.min_events` to 0 or 1. In this case, batch size will be capped at 1/2 the queue capacity.
+
+In asynchronous mode, an event request will wait up to the specified timeout to try and fill the requested batch completely. If the timeout expires, the queue returns a partial batch with all available events. To use asynchronous mode, set `flush.timeout` to a positive duration, e.g. `5s`.
+
+This sample configuration forwards events to the output when there are enough events to fill the output’s request (usually controlled by `bulk_max_size`, and limited to at most 512 events by `flush.min_events`), or when events have been waiting for 5s without filling the requested size:
+
+```yaml
+queue.mem:
+  events: 4096
+  flush.min_events: 512
+  flush.timeout: 5s
+```
+
+
+## Configuration options [_configuration_options_15]
+
+You can specify the following options in the `queue.mem` section of the `winlogbeat.yml` config file:
+
+
+#### `events` [queue-mem-events-option]
+
+Number of events the queue can store.
+
+The default value is 3200 events.
+
+
+#### `flush.min_events` [queue-mem-flush-min-events-option]
+
+If greater than 1, specifies the maximum number of events per batch. In this case the output must wait for the queue to accumulate the requested number of events or for `flush.timeout` to expire before publishing.
+
+If 0 or 1, sets the maximum number of events per batch to half the queue size, and sets the queue to synchronous mode (equivalent to `flush.timeout` of 0).
+
+The default value is 1600.
+
+
+#### `flush.timeout` [queue-mem-flush-timeout-option]
+
+Maximum wait time for event requests from the output to be fulfilled. If set to 0s, events are returned immediately.
+
+The default value is 10s.
+
+
+## Configure the disk queue [configuration-internal-queue-disk]
+
+The disk queue stores pending events on the disk rather than main memory. This allows Beats to queue a larger number of events than is possible with the memory queue, and to save events when a Beat or device is restarted. This increased reliability comes with a performance tradeoff, as every incoming event must be written and read from the device’s disk. However, for setups where the disk is not the main bottleneck, the disk queue gives a simple and relatively low-overhead way to add a layer of robustness to incoming event data.
+
+To enable the disk queue with default settings, specify a maximum size:
+
+```yaml
+queue.disk:
+  max_size: 10GB
+```
+
+The queue will use up to the specified maximum size on disk. It will only use as much space as required. For example, if the queue is only storing 1GB of events, then it will only occupy 1GB on disk no matter how high the maximum is. Queue data is deleted from disk after it has been successfully sent to the output.
+
+
+### Configuration options [configuration-internal-queue-disk-reference]
+
+You can specify the following options in the `queue.disk` section of the `winlogbeat.yml` config file:
+
+
+#### `path` [_path]
+
+The path to the directory where the disk queue should store its data files. The directory is created on startup if it doesn’t exist.
+
+The default value is `"${path.data}/diskqueue"`.
+
+
+#### `max_size` (required) [_max_size_required]
+
+The maximum size the queue should use on disk. Events that exceed this maximum will either pause their input or be discarded, depending on the input’s configuration.
+
+A value of `0` means that no maximum size is enforced, and the queue can grow up to the amount of free space on the disk. This value should be used with caution, as completely filling a system’s main disk can make it inoperable. It is best to use this setting only with a dedicated data or backup partition that will not interfere with Winlogbeat or the rest of the host system.
+
+The default value is `10GB`.
+
+
+#### `segment_size` [_segment_size]
+
+Data added to the queue is stored in segment files. Each segment contains some number of events waiting to be sent to the outputs, and is deleted when all its events are sent. By default, segment size is limited to 1/10 of the maximum queue size. Using a smaller size means that the queue will use more data files, but they will be deleted more quickly after use. Using a larger size means some data will take longer to delete, but the queue will use fewer auxiliary files. It is usually fine to leave this value unchanged.
+
+The default value is `max_size / 10`.
+
+
+#### `read_ahead` [_read_ahead]
+
+The number of events that should be read from disk into memory while waiting for an output to request them. If you find outputs are slowing down because they can’t read as many events at a time, adjusting this setting upward may help, at the cost of higher memory usage.
+
+The default value is `512`.
+
+
+#### `write_ahead` [_write_ahead]
+
+The number of events the queue should accept and store in memory while waiting for them to be written to disk. If you find the queue’s memory use is too high because events are waiting too long to be written to disk, adjusting this setting downward may help, at the cost of reduced event throughput. On the other hand, if inputs are waiting or discarding events because they are being produced faster than the disk can handle, adjusting this setting upward may help, at the cost of higher memory usage.
+
+The default value is `2048`.
+
+
+#### `retry_interval` [_retry_interval]
+
+Some disk errors may block operation of the queue, for example a permission error writing to the data directory, or a disk full error while writing an event. In this case, the queue reports the error and retries after pausing for the time specified in `retry_interval`.
+
+The default value is `1s` (one second).
+
+
+#### `max_retry_interval` [_max_retry_interval]
+
+When there are multiple consecutive errors writing to the disk, the queue increases the retry interval by factors of 2 up to a maximum of `max_retry_interval`. Increase this value if you are concerned about logging too many errors or overloading the host system if the target disk becomes unavailable for an extended time.
+
+The default value is `30s` (thirty seconds).
+
diff --git a/docs/reference/winlogbeat/configuring-output.md b/docs/reference/winlogbeat/configuring-output.md
new file mode 100644
index 000000000000..b3dc366b9cb0
--- /dev/null
+++ b/docs/reference/winlogbeat/configuring-output.md
@@ -0,0 +1,31 @@
+---
+navigation_title: "Output"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuring-output.html
+---
+
+# Configure the output [configuring-output]
+
+
+You configure Winlogbeat to write to a specific output by setting options in the Outputs section of the `winlogbeat.yml` config file. Only a single output may be defined.
+
+The following topics describe how to configure each supported output. If you’ve secured the {{stack}}, also read [Secure](/reference/winlogbeat/securing-winlogbeat.md) for more about security-related configuration options.
+
+* [{{ess}}](/reference/winlogbeat/configure-cloud-id.md)
+* [Elasticsearch](/reference/winlogbeat/elasticsearch-output.md)
+* [Logstash](/reference/winlogbeat/logstash-output.md)
+* [Kafka](/reference/winlogbeat/kafka-output.md)
+* [Redis](/reference/winlogbeat/redis-output.md)
+* [File](/reference/winlogbeat/file-output.md)
+* [Console](/reference/winlogbeat/console-output.md)
+* [Discard](/reference/winlogbeat/discard-output.md)
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/winlogbeat/configuring-ssl-logstash.md b/docs/reference/winlogbeat/configuring-ssl-logstash.md
new file mode 100644
index 000000000000..5ffbb4d0ce31
--- /dev/null
+++ b/docs/reference/winlogbeat/configuring-ssl-logstash.md
@@ -0,0 +1,118 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/configuring-ssl-logstash.html
+---
+
+# Secure communication with Logstash [configuring-ssl-logstash]
+
+You can use SSL mutual authentication to secure connections between Winlogbeat and Logstash. This ensures that Winlogbeat sends encrypted data to trusted Logstash servers only, and that the Logstash server receives data from trusted Winlogbeat clients only.
+
+To use SSL mutual authentication:
+
+1. Create a certificate authority (CA) and use it to sign the certificates that you plan to use for Winlogbeat and Logstash. Creating a correct SSL/TLS infrastructure is outside the scope of this document. There are many online resources available that describe how to create certificates.
+
+    ::::{tip}
+    If you are using {{security-features}}, you can use the [elasticsearch-certutil tool](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md) to generate certificates.
+    ::::
+
+2. Configure Winlogbeat to use SSL. In the `winlogbeat.yml` config file, specify the following settings under `ssl`:
+
+    * `certificate_authorities`: Configures Winlogbeat to trust any certificates signed by the specified CA. If `certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used.
+    * `certificate` and `key`: Specifies the certificate and key that Winlogbeat uses to authenticate with Logstash.
+
+        For example:
+
+        ```yaml
+        output.logstash:
+          hosts: ["logs.mycompany.com:5044"]
+          ssl.certificate_authorities: ["/etc/ca.crt"]
+          ssl.certificate: "/etc/client.crt"
+          ssl.key: "/etc/client.key"
+        ```
+
+        For more information about these configuration options, see [SSL](/reference/winlogbeat/configuration-ssl.md).
+
+3. Configure Logstash to use SSL. In the Logstash config file, specify the following settings for the [Beats input plugin for Logstash](logstash://reference/plugins-inputs-beats.md):
+
+    * `ssl`: When set to true, enables Logstash to use SSL/TLS.
+    * `ssl_certificate_authorities`: Configures Logstash to trust any certificates signed by the specified CA.
+    * `ssl_certificate` and `ssl_key`: Specify the certificate and key that Logstash uses to authenticate with the client.
+    * `ssl_verify_mode`: Specifies whether the Logstash server verifies the client certificate against the CA. You need to specify either `peer` or `force_peer` to make the server ask for the certificate and validate it. If you specify `force_peer`, and Winlogbeat doesn’t provide a certificate, the Logstash connection will be closed. If you choose not to use [certutil](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md), the certificates that you obtain must allow for both `clientAuth` and `serverAuth` if the extended key usage extension is present.
+
+        For example:
+
+        ```json
+        input {
+          beats {
+            port => 5044
+            ssl => true
+            ssl_certificate_authorities => ["/etc/ca.crt"]
+            ssl_certificate => "/etc/server.crt"
+            ssl_key => "/etc/server.key"
+            ssl_verify_mode => "force_peer"
+          }
+        }
+        ```
+
+        For more information about these options, see the [documentation for the Beats input plugin](logstash://reference/plugins-inputs-beats.md).
+
+
+
+## Validate the Logstash server’s certificate [testing-ssl-logstash]
+
+Before running Winlogbeat, you should validate the Logstash server’s certificate. You can use `curl` to validate the certificate even though the protocol used to communicate with Logstash is not based on HTTP. For example:
+
+```shell
+curl -v --cacert ca.crt https://logs.mycompany.com:5044
+```
+
+If the test is successful, you’ll receive an empty response error:
+
+```shell
+* Rebuilt URL to: https://logs.mycompany.com:5044/
+*   Trying 192.168.99.100...
+* Connected to logs.mycompany.com (192.168.99.100) port 5044 (#0)
+* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+* Server certificate: logs.mycompany.com
+* Server certificate: mycompany.com
+> GET / HTTP/1.1
+> Host: logs.mycompany.com:5044
+> User-Agent: curl/7.43.0
+> Accept: */*
+>
+* Empty reply from server
+* Connection #0 to host logs.mycompany.com left intact
+curl: (52) Empty reply from server
+```
+
+The following example uses the IP address rather than the hostname to validate the certificate:
+
+```shell
+curl -v --cacert ca.crt https://192.168.99.100:5044
+```
+
+Validation for this test fails because the certificate is not valid for the specified IP address. It’s only valid for the `logs.mycompany.com`, the hostname that appears in the Subject field of the certificate.
+
+```shell
+* Rebuilt URL to: https://192.168.99.100:5044/
+*   Trying 192.168.99.100...
+* Connected to 192.168.99.100 (192.168.99.100) port 5044 (#0)
+* WARNING: using IP address, SNI is being disabled by the OS.
+* SSL: certificate verification failed (result: 5)
+* Closing connection 0
+curl: (51) SSL: certificate verification failed (result: 5)
+```
+
+See the [troubleshooting docs](/reference/winlogbeat/ssl-client-fails.md) for info about resolving this issue.
+
+
+## Test the Winlogbeat to Logstash connection [_test_the_winlogbeat_to_logstash_connection]
+
+If you have Winlogbeat running as a service, first stop the service. Then test your setup by running Winlogbeat in the foreground so you can quickly see any errors that occur:
+
+```sh
+winlogbeat -c winlogbeat.yml -e -v
+```
+
+Any errors will be printed to the console. See the [troubleshooting docs](/reference/winlogbeat/ssl-client-fails.md) for info about resolving common errors.
+
diff --git a/docs/reference/winlogbeat/connection-problem.md b/docs/reference/winlogbeat/connection-problem.md
new file mode 100644
index 000000000000..3c9ef9a5d83c
--- /dev/null
+++ b/docs/reference/winlogbeat/connection-problem.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/connection-problem.html
+---
+
+# Logstash connection doesn���t work [connection-problem]
+
+You may have configured {{ls}} or Winlogbeat incorrectly. To resolve the issue:
+
+* Make sure that {{ls}} is running and you can connect to it. First, try to ping the {{ls}} host to verify that you can reach it from the host running Winlogbeat. Then use either `nc` or `telnet` to make sure that the port is available. For example:
+
+    ```shell
+    ping <hostname or IP>
+    telnet <hostname or IP> 5044
+    ```
+
+* Verify that the config file for Winlogbeat specifies the correct port where {{ls}} is running.
+* Make sure that the {{es}} output is commented out in the config file and the {{ls}} output is uncommented.
+* Confirm that the most recent [Beats input plugin for {{ls}}](logstash://reference/plugins-inputs-beats.md) is installed and configured. Note that Beats will not connect to the Lumberjack input plugin. To learn how to install and update plugins, see [Working with plugins](logstash://reference/working-with-plugins.md).
+
diff --git a/docs/reference/winlogbeat/console-output.md b/docs/reference/winlogbeat/console-output.md
new file mode 100644
index 000000000000..6091a621d291
--- /dev/null
+++ b/docs/reference/winlogbeat/console-output.md
@@ -0,0 +1,67 @@
+---
+navigation_title: "Console"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/console-output.html
+---
+
+# Configure the Console output [console-output]
+
+
+The Console output writes events in JSON format to stdout.
+
+::::{warning}
+The Console output should be used only for debugging issues as it can produce a large amount of logging data.
+::::
+
+
+To use this output, edit the Winlogbeat configuration file to disable the {{es}} output by commenting it out, and enable the console output by adding `output.console`.
+
+Example configuration:
+
+```yaml
+output.console:
+  pretty: true
+```
+
+## Configuration options [_configuration_options_8]
+
+You can specify the following `output.console` options in the `winlogbeat.yml` config file:
+
+### `enabled` [_enabled_6]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `pretty` [_pretty]
+
+If `pretty` is set to true, events written to stdout will be nicely formatted. The default is false.
+
+
+### `codec` [_codec_4]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded using the `pretty` option.
+
+See [Change the output codec](/reference/winlogbeat/configuration-output-codec.md) for more information.
+
+
+### `bulk_max_size` [_bulk_max_size_4]
+
+The maximum number of events to buffer internally during publishing. The default is 2048.
+
+Specifying a larger batch size may add some latency and buffering during publishing. However, for Console output, this setting does not affect how events are published.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `queue` [_queue_6]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/winlogbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `winlogbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/winlogbeat/contributing-to-beats.md b/docs/reference/winlogbeat/contributing-to-beats.md
new file mode 100644
index 000000000000..4e0bfca7d26b
--- /dev/null
+++ b/docs/reference/winlogbeat/contributing-to-beats.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/contributing-to-beats.html
+---
+
+# Contribute to Beats [contributing-to-beats]
+
+The Beats are open source and we love to receive contributions from our community — you!
+
+There are many ways to contribute, from writing tutorials or blog posts, improving the documentation, submitting bug reports and feature requests, or writing code that implements a whole new protocol, module, or Beat.
+
+The [Beats Developer Guide](http://www.elastic.co/guide/en/beats/devguide/master/index.md) is your one-stop shop for everything related to developing code for the Beats project.
+
diff --git a/docs/reference/winlogbeat/convert.md b/docs/reference/winlogbeat/convert.md
new file mode 100644
index 000000000000..13766d1371b3
--- /dev/null
+++ b/docs/reference/winlogbeat/convert.md
@@ -0,0 +1,42 @@
+---
+navigation_title: "convert"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/convert.html
+---
+
+# Convert [convert]
+
+
+The `convert` processor converts a field in the event to a different type, such as converting a string to an integer.
+
+The supported types include: `integer`, `long`, `float`, `double`, `string`, `boolean`, and `ip`.
+
+The `ip` type is effectively an alias for `string`, but with an added validation that the value is an IPv4 or IPv6 address.
+
+```yaml
+processors:
+  - convert:
+      fields:
+        - {from: "src_ip", to: "source.ip", type: "ip"}
+        - {from: "src_port", to: "source.port", type: "integer"}
+      ignore_missing: true
+      fail_on_error: false
+```
+
+The `convert` processor has the following configuration settings:
+
+`fields`
+:   (Required) This is the list of fields to convert. At least one item must be contained in the list. Each item in the list must have a `from` key that specifies the source field. The `to` key is optional and specifies where to assign the converted value. If `to` is omitted then the `from` field is updated in-place. The `type` key specifies the data type to convert the value to. If `type` is omitted then the processor copies or renames the field without any type conversion.
+
+`ignore_missing`
+:   (Optional) If `true` the processor continues to the next field when the `from` key is not found in the event. If false then the processor returns an error and does not process the remaining fields. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If false type conversion failures are ignored and the processor continues to the next field. Default is `true`.
+
+`tag`
+:   (Optional) An identifier for this processor. Useful for debugging.
+
+`mode`
+:   (Optional) When both `from` and `to` are defined for a field then `mode` controls whether to `copy` or `rename` the field when the type conversion is successful. Default is `copy`.
+
diff --git a/docs/reference/winlogbeat/copy-fields.md b/docs/reference/winlogbeat/copy-fields.md
new file mode 100644
index 000000000000..8e9d4ebf8efd
--- /dev/null
+++ b/docs/reference/winlogbeat/copy-fields.md
@@ -0,0 +1,45 @@
+---
+navigation_title: "copy_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/copy-fields.html
+---
+
+# Copy fields [copy-fields]
+
+
+The `copy_fields` processor takes the value of a field and copies it to a new field.
+
+You cannot use this processor to replace an existing field. If the target field already exists, you must [drop](/reference/winlogbeat/drop-fields.md) or [rename](/reference/winlogbeat/rename-fields.md) the field before using `copy_fields`.
+
+`fields`
+:   List of `from` and `to` pairs to copy from and to. It’s supported to use `@metadata.` prefix for `from` and `to` and copy values not just in/from/to the event fields but also in/from/to the event metadata.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error occurs, the changes are reverted and the original is returned. If set to `false`, processing continues if an error occurs. Default is `true`.
+
+`ignore_missing`
+:   (Optional) Indicates whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+For example, this configuration:
+
+```yaml
+processors:
+  - copy_fields:
+      fields:
+        - from: message
+          to: event.original
+      fail_on_error: false
+      ignore_missing: true
+```
+
+Copies the original `message` field to `event.original`:
+
+```json
+{
+  "message": "my-interesting-message",
+  "event": {
+      "original": "my-interesting-message"
+  }
+}
+```
+
diff --git a/docs/reference/winlogbeat/could-not-locate-index-pattern.md b/docs/reference/winlogbeat/could-not-locate-index-pattern.md
new file mode 100644
index 000000000000..fdd95513412a
--- /dev/null
+++ b/docs/reference/winlogbeat/could-not-locate-index-pattern.md
@@ -0,0 +1,20 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/could-not-locate-index-pattern.html
+---
+
+# Dashboard could not locate the index-pattern [could-not-locate-index-pattern]
+
+Typically Winlogbeat sets up the index pattern automatically when it loads the index template. However, if for some reason Winlogbeat loads the index template, but the index pattern does not get created correctly, you’ll see a "could not locate that index-pattern" error. To resolve this problem:
+
+1. Try running the `setup` command again. For example: `./winlogbeat setup`.
+2. If that doesn’t work, go to the Management app in {{kib}}, and under **Index Patterns**, look for the pattern.
+
+    1. If the pattern doesn’t exist, create it manually.
+
+        * Set the **Time filter field name** to `@timestamp`.
+        * Set the **Custom index pattern ID** advanced option. For example, if your custom index name is `winlogbeat-customname`, set the custom index pattern ID to `winlogbeat-customname-*`.
+
+
+For more information, see [Creating an index pattern](docs-content://explore-analyze/find-and-organize/data-views.md) in the {{kib}} docs.
+
diff --git a/docs/reference/winlogbeat/dashboard-fields-incorrect.md b/docs/reference/winlogbeat/dashboard-fields-incorrect.md
new file mode 100644
index 000000000000..2d886e435a54
--- /dev/null
+++ b/docs/reference/winlogbeat/dashboard-fields-incorrect.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/dashboard-fields-incorrect.html
+---
+
+# Dashboard in Kibana is breaking up data fields incorrectly [dashboard-fields-incorrect]
+
+The index template might not be loaded correctly. See [*Load the {{es}} index template*](/reference/winlogbeat/winlogbeat-template.md).
+
diff --git a/docs/reference/winlogbeat/decode-base64-field.md b/docs/reference/winlogbeat/decode-base64-field.md
new file mode 100644
index 000000000000..55c20685bebd
--- /dev/null
+++ b/docs/reference/winlogbeat/decode-base64-field.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "decode_base64_field"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/decode-base64-field.html
+---
+
+# Decode Base64 fields [decode-base64-field]
+
+
+The `decode_base64_field` processor specifies a field to base64 decode. The `field` key contains a `from: old-key` and a `to: new-key` pair. `from` is the origin and `to` the target name of the field.
+
+To overwrite fields either first rename the target field or use the `drop_fields` processor to drop the field and then rename the field.
+
+```yaml
+processors:
+  - decode_base64_field:
+      field:
+        from: "field1"
+        to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above: - field1 is decoded in field2
+
+The `decode_base64_field` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be base64 decoded is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the base64 decode of fields is stopped and the original event is returned. If set to false, decoding continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/winlogbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/winlogbeat/decode-duration.md b/docs/reference/winlogbeat/decode-duration.md
new file mode 100644
index 000000000000..37a9d2f00c8e
--- /dev/null
+++ b/docs/reference/winlogbeat/decode-duration.md
@@ -0,0 +1,25 @@
+---
+navigation_title: "decode_duration"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/decode-duration.html
+---
+
+# Decode duration [decode-duration]
+
+
+The `decode_duration` processor decodes a Go-style duration string into a specific `format`.
+
+For more information about the Go `time.Duration` string style, refer to the [Go documentation](https://pkg.go.dev/time#Duration).
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | yes |  | Which field of event needs to be decoded as `time.Duration` |  |
+| `format` | yes | `milliseconds` | Supported formats: `milliseconds`/`seconds`/`minutes`/`hours` |  |
+
+```yaml
+processors:
+  - decode_duration:
+      field: "app.rpc.cost"
+      format: "milliseconds"
+```
+
diff --git a/docs/reference/winlogbeat/decode-json-fields.md b/docs/reference/winlogbeat/decode-json-fields.md
new file mode 100644
index 000000000000..046b9cec3216
--- /dev/null
+++ b/docs/reference/winlogbeat/decode-json-fields.md
@@ -0,0 +1,48 @@
+---
+navigation_title: "decode_json_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/decode-json-fields.html
+---
+
+# Decode JSON fields [decode-json-fields]
+
+
+The `decode_json_fields` processor decodes fields containing JSON strings and replaces the strings with valid JSON objects.
+
+```yaml
+processors:
+  - decode_json_fields:
+      fields: ["field1", "field2", ...]
+      process_array: false
+      max_depth: 1
+      target: ""
+      overwrite_keys: false
+      add_error_key: true
+```
+
+The `decode_json_fields` processor has the following configuration settings:
+
+`fields`
+:   The fields containing JSON strings to decode.
+
+`process_array`
+:   (Optional) A Boolean value that specifies whether to process arrays. The default is `false`.
+
+`max_depth`
+:   (Optional) The maximum parsing depth. A value of `1`  will decode the JSON objects in fields indicated in `fields`, a value of `2` will also decode the objects embedded in the fields of these parsed documents. The default is `1`.
+
+`target`
+:   (Optional) The field under which the decoded JSON will be written. By default, the decoded JSON object replaces the string field from which it was read. To merge the decoded JSON fields into the root of the event, specify `target` with an empty string (`target: ""`). Note that the `null` value (`target:`) is treated as if the field was not set.
+
+`overwrite_keys`
+:   (Optional) A Boolean value that specifies whether existing keys in the event are overwritten by keys from the decoded JSON object. The default value is `false`.
+
+`expand_keys`
+:   (Optional) A Boolean value that specifies whether keys in the decoded JSON should be recursively de-dotted and expanded into a hierarchical object structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`.
+
+`add_error_key`
+:   (Optional) If set to `true` and an error occurs while decoding JSON keys, the `error` field will become a part of the event with the error message. If set to `false`, there will not be any error in the event’s field. The default value is `false`.
+
+`document_id`
+:   (Optional) JSON key that’s used as the document ID. If configured, the field will be removed from the original JSON document and stored in `@metadata._id`
+
diff --git a/docs/reference/winlogbeat/decode-xml-wineventlog.md b/docs/reference/winlogbeat/decode-xml-wineventlog.md
new file mode 100644
index 000000000000..d3d2ee0ee1ba
--- /dev/null
+++ b/docs/reference/winlogbeat/decode-xml-wineventlog.md
@@ -0,0 +1,162 @@
+---
+navigation_title: "decode_xml_wineventlog"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/decode-xml-wineventlog.html
+---
+
+# Decode XML Wineventlog [decode-xml-wineventlog]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `decode_xml_wineventlog` processor decodes Windows Event Log data in XML format that is stored under the `field` key. It outputs the result into the `target_field`.
+
+The output fields will be the same as the [winlogbeat winlog fields](/reference/winlogbeat/exported-fields-winlog.md#_winlog).
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the XML. Defaults to `message`.
+
+`target_field`
+:   (Required) The field under which the decoded XML will be written. To merge the decoded XML fields into the root of the event specify `target_field` with an empty string (`target_field: ""`). The default value is `winlog`.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the decoded XML object. The default value is `true`.
+
+`map_ecs_fields`
+:   (Optional) A boolean that specifies whether to map additional ECS fields when possible. Note that ECS field keys are placed outside of `target_field`. The default value is `true`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+`language`
+:   (Optional) The language ID the events will be rendered in. The language will be forced regardless of the system language. Forwarded events will ignore this setting. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language.
+
+Example:
+
+```yaml
+processors:
+  - decode_xml_wineventlog:
+      field: event.original
+      target_field: winlog
+```
+
+```json
+{
+  "event": {
+    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>"
+  }
+}
+```
+
+Will produce the following output:
+
+```json
+{
+  "event": {
+    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>",
+    "action":   "Special Logon",
+		"code":     "4672",
+		"kind":     "event",
+		"outcome":  "success",
+		"provider": "Microsoft-Windows-Security-Auditing",
+  },
+	"host": {
+    "name": "vagrant",
+  },
+  "log": {
+    "level": "information",
+  },
+  "winlog": {
+    "channel": "Security",
+    "outcome": "success",
+    "activity_id": "{ffb23523-1f32-0000-c335-b2ff321fd701}",
+    "level": "information",
+    "event_id": 4672,
+    "provider_name": "Microsoft-Windows-Security-Auditing",
+    "record_id": 11303,
+    "computer_name": "vagrant",
+    "keywords_raw": 9232379236109516800,
+    "opcode": "Info",
+    "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+    "event_data": {
+      "SubjectUserSid": "S-1-5-18",
+      "SubjectUserName": "SYSTEM",
+      "SubjectDomainName": "NT AUTHORITY",
+      "SubjectLogonId": "0x3e7",
+      "PrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"
+    },
+    "task": "Special Logon",
+    "keywords": [
+      "Audit Success"
+    ],
+    "message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
+    "process": {
+      "pid": 652,
+      "thread": {
+        "id": 4660
+      }
+    }
+  }
+}
+```
+
+See [Conditions](/reference/winlogbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+The field mappings are as follows:
+
+| Event Field | Source XML Element | Notes |
+| --- | --- | --- |
+| `winlog.channel` | `<Event><System><Channel>` |  |
+| `winlog.event_id` | `<Event><System><EventID>` |  |
+| `winlog.provider_name` | `<Event><System><Provider>` | `Name` attribute |
+| `winlog.record_id` | `<Event><System><EventRecordID>` |  |
+| `winlog.task` | `<Event><System><Task>` |  |
+| `winlog.computer_name` | `<Event><System><Computer>` |  |
+| `winlog.keywords` | `<Event><RenderingInfo><Keywords>` | list of each `Keyword` |
+| `winlog.opcodes` | `<Event><RenderingInfo><Opcode>` |  |
+| `winlog.provider_guid` | `<Event><System><Provider>` | `Guid` attribute |
+| `winlog.version` | `<Event><System><Version>` |  |
+| `winlog.time_created` | `<Event><System><TimeCreated>` | `SystemTime` attribute |
+| `winlog.outcome` | `<Event><System><Keywords>` | "success" if bit 0x20000000000000 is set, "failure" if 0x10000000000000 is set |
+| `winlog.level` | `<Event><System><Level>` | converted to lowercase |
+| `winlog.message` | `<Event><RenderingInfo><Message>` | line endings removed |
+| `winlog.user.identifier` | `<Event><System><Security><UserID>` |  |
+| `winlog.user.domain` | `<Event><System><Security><Domain>` |  |
+| `winlog.user.name` | `<Event><System><Security><Name>` |  |
+| `winlog.user.type` | `<Event><System><Security><Type>` | converted from integer to String |
+| `winlog.event_data` | `<Event><EventData>` | map where `Name` attribute in Data element is key, and value is the value of the Data element |
+| `winlog.user_data` | `<Event><UserData>` | map where `Name` attribute in Data element is key, and value is the value of the Data element |
+| `winlog.activity_id` | `<Event><System><Correlation><ActivityID>` |  |
+| `winlog.related_activity_id` | `<Event><System><Correlation><RelatedActivityID>` |  |
+| `winlog.kernel_time` | `<Event><System><Execution><KernelTime>` |  |
+| `winlog.process.pid` | `<Event><System><Execution><ProcessID>` |  |
+| `winlog.process.thread.id` | `<Event><System><Execution><ThreadID>` |  |
+| `winlog.processor_id` | `<Event><System><Execution><ProcessorID>` |  |
+| `winlog.processor_time` | `<Event><System><Execution><ProcessorTime>` |  |
+| `winlog.session_id` | `<Event><System><Execution><SessionID>` |  |
+| `winlog.user_time` | `<Event><System><Execution><UserTime>` |  |
+| `winlog.error.code` | `<Event><ProcessingErrorData><ErrorCode>` |  |
+
+If `map_ecs_fields` is enabled then the following field mappings are also performed:
+
+| Event Field | Source XML or other field | Notes |
+| --- | --- | --- |
+| `event.code` | `winlog.event_id` |  |
+| `event.kind` | `"event"` |  |
+| `event.provider` | `<Event><System><Provider>` | `Name` attribute |
+| `event.action` | `<Event><RenderingInfo><Task>` |  |
+| `event.host.name` | `<Event><System><Computer>` |  |
+| `event.outcome` | `winlog.outcome` |  |
+| `log.level` | `winlog.level` |  |
+| `message` | `winlog.message` |  |
+| `error.code` | `winlog.error.code` |  |
+| `error.message` | `winlog.error.message` |  |
+
diff --git a/docs/reference/winlogbeat/decode-xml.md b/docs/reference/winlogbeat/decode-xml.md
new file mode 100644
index 000000000000..787f2233abe7
--- /dev/null
+++ b/docs/reference/winlogbeat/decode-xml.md
@@ -0,0 +1,96 @@
+---
+navigation_title: "decode_xml"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/decode-xml.html
+---
+
+# Decode XML [decode-xml]
+
+
+The `decode_xml` processor decodes XML data that is stored under the `field` key. It outputs the result into the `target_field`.
+
+This example demonstrates how to decode an XML string contained in the `message` field and write the resulting fields into the root of the document. Any fields that already exist will be overwritten.
+
+```yaml
+processors:
+  - decode_xml:
+      field: message
+      target_field: ""
+      overwrite_keys: true
+```
+
+By default any decoding errors that occur will stop the processing chain and the error will be added to `error.message` field. To ignore all errors and continue to the next processor you can set `ignore_failure: true`. To specifically ignore failures caused by `field` not existing you can set `ignore_missing: true`.
+
+```yaml
+processors:
+  - decode_xml:
+      field: example
+      target_field: xml
+      ignore_missing: true
+      ignore_failure: true
+```
+
+By default all keys converted from XML will have the names converted to lowercase. If there is a need to disable this behavior it is possible to use the below example:
+
+```yaml
+processors:
+  - decode_xml:
+      field: message
+      target_field: xml
+      to_lower: false
+```
+
+Example XML input:
+
+```xml
+<catalog>
+  <book seq="1">
+    <author>William H. Gaddis</author>
+    <title>The Recognitions</title>
+    <review>One of the great seminal American novels of the 20th century.</review>
+  </book>
+</catalog>
+```
+
+Will produce the following output:
+
+```json
+{
+	"xml": {
+		"catalog": {
+			"book": {
+				"author": "William H. Gaddis",
+				"review": "One of the great seminal American novels of the 20th century.",
+				"seq": "1",
+				"title": "The Recognitions"
+			}
+		}
+	}
+}
+```
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the XML. Defaults to `message`.
+
+`target_field`
+:   (Optional) The field under which the decoded XML will be written. By default the decoded XML object replaces the field from which it was read. To merge the decoded XML fields into the root of the event specify `target_field` with an empty string (`target_field: ""`). Note that the `null` value (`target_field:`) is treated as if the field was not set at all.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the decoded XML object. The default value is `true`.
+
+`to_lower`
+:   (Optional) Converts all keys to lowercase. Accepts either `true` or `false`. The default value is `true`.
+
+`document_id`
+:   (Optional) XML key to use as the document ID. If configured, the field will be removed from the original XML document and stored in `@metadata._id`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+See [Conditions](/reference/winlogbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/winlogbeat/decompress-gzip-field.md b/docs/reference/winlogbeat/decompress-gzip-field.md
new file mode 100644
index 000000000000..72a628a2c849
--- /dev/null
+++ b/docs/reference/winlogbeat/decompress-gzip-field.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "decompress_gzip_field"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/decompress-gzip-field.html
+---
+
+# Decompress gzip fields [decompress-gzip-field]
+
+
+The `decompress_gzip_field` processor specifies a field to gzip decompress. The `field` key contains a `from: old-key` and a `to: new-key` pair. `from` is the origin and `to` the target name of the field.
+
+To overwrite fields either first rename the target field or use the `drop_fields` processor to drop the field and then decompress the field.
+
+```yaml
+processors:
+  - decompress_gzip_field:
+      field:
+        from: "field1"
+        to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above: - field1 is decoded in field2
+
+The `decompress_gzip_field` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be decompressed is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the decompression of fields is stopped and the original event is returned. If set to false, decompression continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/winlogbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/winlogbeat/defining-processors.md b/docs/reference/winlogbeat/defining-processors.md
new file mode 100644
index 000000000000..139fd57b4869
--- /dev/null
+++ b/docs/reference/winlogbeat/defining-processors.md
@@ -0,0 +1,330 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/defining-processors.html
+---
+
+# Define processors [defining-processors]
+
+You can use processors to filter and enhance data before sending it to the configured output. To define a processor, you specify the processor name, an optional condition, and a set of parameters:
+
+```yaml
+processors:
+  - <processor_name>:
+      when:
+        <condition>
+      <parameters>
+
+  - <processor_name>:
+      when:
+        <condition>
+      <parameters>
+
+...
+```
+
+Where:
+
+* `<processor_name>` specifies a [processor](#processors) that performs some kind of action, such as selecting the fields that are exported or adding metadata to the event.
+* `<condition>` specifies an optional [condition](#conditions). If the condition is present, then the action is executed only if the condition is fulfilled. If no condition is set, then the action is always executed.
+* `<parameters>` is the list of parameters to pass to the processor.
+
+More complex conditional processing can be accomplished by using the if-then-else processor configuration. This allows multiple processors to be executed based on a single condition.
+
+```yaml
+processors:
+  - if:
+      <condition>
+    then: <1>
+      - <processor_name>:
+          <parameters>
+      - <processor_name>:
+          <parameters>
+      ...
+    else: <2>
+      - <processor_name>:
+          <parameters>
+      - <processor_name>:
+          <parameters>
+      ...
+```
+
+1. `then` must contain a single processor or a list of one or more processors to execute when the condition evaluates to true.
+2. `else` is optional. It can contain a single processor or a list of processors to execute when the conditional evaluate to false.
+
+
+## Where are processors valid? [where-valid]
+
+Processors are valid:
+
+* At the top-level in the configuration. The processor is applied to all data collected by Winlogbeat.
+* Under a specific event log shipper. The processor is applied to the data collected for that event log shipper.
+
+    ```yaml
+    winlogbeat.event_logs:
+    - name: <network_shipper_name>
+      processors:
+        - <processor_name>:
+            when:
+              <condition>
+            <parameters>
+    ```
+
+
+
+## Processors [processors]
+
+The supported processors are:
+
+* [`add_cloud_metadata`](/reference/winlogbeat/add-cloud-metadata.md)
+* [`add_cloudfoundry_metadata`](/reference/winlogbeat/add-cloudfoundry-metadata.md)
+* [`add_docker_metadata`](/reference/winlogbeat/add-docker-metadata.md)
+* [`add_fields`](/reference/winlogbeat/add-fields.md)
+* [`add_host_metadata`](/reference/winlogbeat/add-host-metadata.md)
+* [`add_id`](/reference/winlogbeat/add-id.md)
+* [`add_kubernetes_metadata`](/reference/winlogbeat/add-kubernetes-metadata.md)
+* [`add_labels`](/reference/winlogbeat/add-labels.md)
+* [`add_locale`](/reference/winlogbeat/add-locale.md)
+* [`add_nomad_metadata`](/reference/winlogbeat/add-nomad-metadata.md)
+* [`add_observer_metadata`](/reference/winlogbeat/add-observer-metadata.md)
+* [`add_process_metadata`](/reference/winlogbeat/add-process-metadata.md)
+* [`add_tags`](/reference/winlogbeat/add-tags.md)
+* [`append`](/reference/winlogbeat/append.md)
+* [`community_id`](/reference/winlogbeat/community-id.md)
+* [`convert`](/reference/winlogbeat/convert.md)
+* [`copy_fields`](/reference/winlogbeat/copy-fields.md)
+* [`decode_base64_field`](/reference/winlogbeat/decode-base64-field.md)
+* [`decode_duration`](/reference/winlogbeat/decode-duration.md)
+* [`decode_json_fields`](/reference/winlogbeat/decode-json-fields.md)
+* [`decode_xml`](/reference/winlogbeat/decode-xml.md)
+* [`decode_xml_wineventlog`](/reference/winlogbeat/decode-xml-wineventlog.md)
+* [`decompress_gzip_field`](/reference/winlogbeat/decompress-gzip-field.md)
+* [`detect_mime_type`](/reference/winlogbeat/detect-mime-type.md)
+* [`dissect`](/reference/winlogbeat/dissect.md)
+* [`dns`](/reference/winlogbeat/processor-dns.md)
+* [`drop_event`](/reference/winlogbeat/drop-event.md)
+* [`drop_fields`](/reference/winlogbeat/drop-fields.md)
+* [`extract_array`](/reference/winlogbeat/extract-array.md)
+* [`fingerprint`](/reference/winlogbeat/fingerprint.md)
+* [`include_fields`](/reference/winlogbeat/include-fields.md)
+* [`move-fields`](/reference/winlogbeat/move-fields.md)
+* [`rate_limit`](/reference/winlogbeat/rate-limit.md)
+* [`registered_domain`](/reference/winlogbeat/processor-registered-domain.md)
+* [`rename`](/reference/winlogbeat/rename-fields.md)
+* [`replace`](/reference/winlogbeat/replace-fields.md)
+* [`script`](/reference/winlogbeat/processor-script.md)
+* [`syslog`](/reference/winlogbeat/syslog.md)
+* [`timestamp`](/reference/winlogbeat/processor-timestamp.md)
+* [`translate_ldap_attribute`](/reference/winlogbeat/processor-translate-guid.md)
+* [`translate_sid`](/reference/winlogbeat/processor-translate-sid.md)
+* [`truncate_fields`](/reference/winlogbeat/truncate-fields.md)
+* [`urldecode`](/reference/winlogbeat/urldecode.md)
+
+
+## Conditions [conditions]
+
+Each condition receives a field to compare. You can specify multiple fields under the same condition by using `AND` between the fields (for example, `field1 AND field2`).
+
+For each field, you can specify a simple field name or a nested map, for example `dns.question.name`.
+
+See [Exported fields](/reference/winlogbeat/exported-fields.md) for a list of all the fields that are exported by Winlogbeat.
+
+The supported conditions are:
+
+* [`equals`](#condition-equals)
+* [`contains`](#condition-contains)
+* [`regexp`](#condition-regexp)
+* [`range`](#condition-range)
+* [`network`](#condition-network)
+* [`has_fields`](#condition-has_fields)
+* [`or`](#condition-or)
+* [`and`](#condition-and)
+* [`not`](#condition-not)
+
+
+#### `equals` [condition-equals]
+
+With the `equals` condition, you can compare if a field has a certain value. The condition accepts only an integer or a string value.
+
+For example, the following condition checks if the response code of the HTTP transaction is 200:
+
+```yaml
+equals:
+  http.response.code: 200
+```
+
+
+#### `contains` [condition-contains]
+
+The `contains` condition checks if a value is part of a field. The field can be a string or an array of strings. The condition accepts only a string value.
+
+For example, the following condition checks if an error is part of the transaction status:
+
+```yaml
+contains:
+  status: "Specific error"
+```
+
+
+#### `regexp` [condition-regexp]
+
+The `regexp` condition checks the field against a regular expression. The condition accepts only strings.
+
+For example, the following condition checks if the process name starts with `foo`:
+
+```yaml
+regexp:
+  system.process.name: "^foo.*"
+```
+
+
+#### `range` [condition-range]
+
+The `range` condition checks if the field is in a certain range of values. The condition supports `lt`, `lte`, `gt` and `gte`. The condition accepts only integer, float, or strings that can be converted to either of these as values.
+
+For example, the following condition checks for failed HTTP transactions by comparing the `http.response.code` field with 400.
+
+```yaml
+range:
+  http.response.code:
+    gte: 400
+```
+
+This can also be written as:
+
+```yaml
+range:
+  http.response.code.gte: 400
+```
+
+The following condition checks if the CPU usage in percentage has a value between 0.5 and 0.8.
+
+```yaml
+range:
+  system.cpu.user.pct.gte: 0.5
+  system.cpu.user.pct.lt: 0.8
+```
+
+
+#### `network` [condition-network]
+
+The `network` condition checks whether a field’s value falls within a specified IP network range. If multiple fields are provided, each field value must match its corresponding network range. You can specify multiple network ranges for a single field, and a match occurs if any one of the ranges matches. If the field value is an array of IPs, it will match if any of the IPs fall within any of the given ranges. Both IPv4 and IPv6 addresses are supported.
+
+The network range may be specified using CIDR notation, like "192.0.2.0/24" or "2001:db8::/32", or by using one of these named ranges:
+
+* `loopback` - Matches loopback addresses in the range of `127.0.0.0/8` or `::1/128`.
+* `unicast` - Matches global unicast addresses defined in RFC 1122, RFC 4632, and RFC 4291 with the exception of the IPv4 broadcast address (`255.255.255.255`). This includes private address ranges.
+* `multicast` - Matches multicast addresses.
+* `interface_local_multicast` - Matches IPv6 interface-local multicast addresses.
+* `link_local_unicast` - Matches link-local unicast addresses.
+* `link_local_multicast` - Matches link-local multicast addresses.
+* `private` - Matches private address ranges defined in RFC 1918 (IPv4) and RFC 4193 (IPv6).
+* `public` - Matches addresses that are not loopback, unspecified, IPv4 broadcast, link local unicast, link local multicast, interface local multicast, or private.
+* `unspecified` - Matches unspecified addresses (either the IPv4 address "0.0.0.0" or the IPv6 address "::").
+
+The following condition returns true if the `source.ip` value is within the private address space.
+
+```yaml
+network:
+  source.ip: private
+```
+
+This condition returns true if the `destination.ip` value is within the IPv4 range of `192.168.1.0` - `192.168.1.255`.
+
+```yaml
+network:
+  destination.ip: '192.168.1.0/24'
+```
+
+And this condition returns true when `destination.ip` is within any of the given subnets.
+
+```yaml
+network:
+  destination.ip: ['192.168.1.0/24', '10.0.0.0/8', loopback]
+```
+
+
+#### `has_fields` [condition-has_fields]
+
+The `has_fields` condition checks if all the given fields exist in the event. The condition accepts a list of string values denoting the field names.
+
+For example, the following condition checks if the `http.response.code` field is present in the event.
+
+```yaml
+has_fields: ['http.response.code']
+```
+
+
+#### `or` [condition-or]
+
+The `or` operator receives a list of conditions.
+
+```yaml
+or:
+  - <condition1>
+  - <condition2>
+  - <condition3>
+  ...
+```
+
+For example, to configure the condition `http.response.code = 304 OR http.response.code = 404`:
+
+```yaml
+or:
+  - equals:
+      http.response.code: 304
+  - equals:
+      http.response.code: 404
+```
+
+
+#### `and` [condition-and]
+
+The `and` operator receives a list of conditions.
+
+```yaml
+and:
+  - <condition1>
+  - <condition2>
+  - <condition3>
+  ...
+```
+
+For example, to configure the condition `http.response.code = 200 AND status = OK`:
+
+```yaml
+and:
+  - equals:
+      http.response.code: 200
+  - equals:
+      status: OK
+```
+
+To configure a condition like `<condition1> OR <condition2> AND <condition3>`:
+
+```yaml
+or:
+  - <condition1>
+  - and:
+    - <condition2>
+    - <condition3>
+```
+
+
+#### `not` [condition-not]
+
+The `not` operator receives the condition to negate.
+
+```yaml
+not:
+  <condition>
+```
+
+For example, to configure the condition `NOT status = OK`:
+
+```yaml
+not:
+  equals:
+    status: OK
+```
+
+
diff --git a/docs/reference/winlogbeat/detect-mime-type.md b/docs/reference/winlogbeat/detect-mime-type.md
new file mode 100644
index 000000000000..b6f310ab91b5
--- /dev/null
+++ b/docs/reference/winlogbeat/detect-mime-type.md
@@ -0,0 +1,22 @@
+---
+navigation_title: "detect_mime_type"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/detect-mime-type.html
+---
+
+# Detect mime type [detect-mime-type]
+
+
+The `detect_mime_type` processor attempts to detect a mime type for a field that contains a given stream of bytes. The `field` key contains the field used as the data source and the `target` key contains the field to populate with the detected type. It’s supported to use `@metadata.` prefix for `target` and set the value in the event metadata instead of fields.
+
+```yaml
+processors:
+  - detect_mime_type:
+      field: http.request.body.content
+      target: http.request.mime_type
+```
+
+In the example above: - http.request.body.content is used as the source and http.request.mime_type is set to the detected mime type
+
+See [Conditions](/reference/winlogbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/winlogbeat/diff-logstash-beats.md b/docs/reference/winlogbeat/diff-logstash-beats.md
new file mode 100644
index 000000000000..fbe7bafaff11
--- /dev/null
+++ b/docs/reference/winlogbeat/diff-logstash-beats.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/diff-logstash-beats.html
+---
+
+# Not sure whether to use Logstash or Beats [diff-logstash-beats]
+
+Beats are lightweight data shippers that you install as agents on your servers to send specific types of operational data to {{es}}. Beats have a small footprint and use fewer system resources than {{ls}}.
+
+{{ls}} has a larger footprint, but provides a broad array of input, filter, and output plugins for collecting, enriching, and transforming data from a variety of sources.
+
+For more information, see the [{{ls}} Introduction](logstash://reference/index.md) and the [Beats Overview](/reference/index.md).
+
diff --git a/docs/reference/winlogbeat/directory-layout.md b/docs/reference/winlogbeat/directory-layout.md
new file mode 100644
index 000000000000..aa572ee27024
--- /dev/null
+++ b/docs/reference/winlogbeat/directory-layout.md
@@ -0,0 +1,46 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/directory-layout.html
+---
+
+# Directory layout [directory-layout]
+
+The directory layout of an installation is as follows:
+
+::::{tip}
+Archive installation has a different layout. See [zip, tar.gz, or tgz](#directory-layout-archive).
+::::
+
+
+| Type | Description | Default Location | Config Option |
+| --- | --- | --- | --- |
+| home | Home of the Winlogbeat installation. |  | `path.home` |
+| bin | The location for the binary files. | `{path.home}/bin` |  |
+| config | The location for configuration files. | `{path.home}` | `path.config` |
+| data | The location for persistent data files. | `{path.home}/data` | `path.data` |
+| logs | The location for the logs created by Winlogbeat. | `{path.home}/logs` | `path.logs` |
+
+You can change these settings by using CLI flags or setting [path options](/reference/winlogbeat/configuration-path.md) in the configuration file.
+
+## Default paths [_default_paths]
+
+Winlogbeat uses the following default paths unless you explicitly change them.
+
+
+#### zip, tar.gz, or tgz [directory-layout-archive]
+
+| Type | Description | Location |
+| --- | --- | --- |
+| home | Home of the Winlogbeat installation. | `{extract.path}` |
+| bin | The location for the binary files. | `{extract.path}` |
+| config | The location for configuration files. | `{extract.path}` |
+| data | The location for persistent data files. | `{extract.path}/data` |
+| logs | The location for the logs created by Winlogbeat. | `{extract.path}/logs` |
+
+For the zip, tar.gz, or tgz distributions, these paths are based on the location of the extracted binary file. This means that if you start Winlogbeat with the following simple command, all paths are set correctly:
+
+```sh
+Start-Service winlogbeat
+```
+
+
diff --git a/docs/reference/winlogbeat/discard-output.md b/docs/reference/winlogbeat/discard-output.md
new file mode 100644
index 000000000000..de0af1492a91
--- /dev/null
+++ b/docs/reference/winlogbeat/discard-output.md
@@ -0,0 +1,37 @@
+---
+navigation_title: "Discard"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/discard-output.html
+---
+
+# Configure the Discard output [discard-output]
+
+
+The Discard output throws away data.
+
+::::{warning}
+The Discard output should be used only for development or debugging issues. Data is lost.
+::::
+
+
+This can be useful if you want to work on your input configuration without needing to configure an output. It can also be useful to test how changes in input and processor configuration affect performance.
+
+Example configuration:
+
+```yaml
+output.discard:
+  enabled: true
+```
+
+## Configuration options [_configuration_options_9]
+
+You can specify the following `output.discard` options in the `winlogbeat.yml` config file:
+
+### `enabled` [_enabled_7]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+
diff --git a/docs/reference/winlogbeat/dissect.md b/docs/reference/winlogbeat/dissect.md
new file mode 100644
index 000000000000..b9d3df0d20c3
--- /dev/null
+++ b/docs/reference/winlogbeat/dissect.md
@@ -0,0 +1,95 @@
+---
+navigation_title: "dissect"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/dissect.html
+---
+
+# Dissect strings [dissect]
+
+
+The `dissect` processor tokenizes incoming strings using defined patterns.
+
+```yaml
+processors:
+  - dissect:
+      tokenizer: "%{key1} %{key2} %{key3|convert_datatype}"
+      field: "message"
+      target_prefix: "dissect"
+```
+
+The `dissect` processor has the following configuration settings:
+
+`tokenizer`
+:   The field used to define the **dissection** pattern. Optional convert datatype can be provided after the key using `|` as separator to convert the value from string to integer, long, float, double, boolean or ip.
+
+`field`
+:   (Optional) The event field to tokenize. Default is `message`.
+
+`target_prefix`
+:   (Optional) The name of the field where the values will be extracted. When an empty string is defined, the processor will create the keys at the root of the event. Default is `dissect`. When the target key already exists in the event, the processor won’t replace it and log an error; you need to either drop or rename the key before using dissect, or enable the `overwrite_keys` flag.
+
+`ignore_failure`
+:   (Optional) Flag to control whether the processor returns an error if the tokenizer fails to match the message field. If set to true, the processor will silently restore the original event, allowing execution of subsequent processors (if any). If set to false (default), the processor will log an error, preventing execution of other processors.
+
+`overwrite_keys`
+:   (Optional) When set to true, the processor will overwrite existing keys in the event. The default is false, which causes the processor to fail when a key already exists.
+
+`trim_values`
+:   (Optional) Enables the trimming of the extracted values. Useful to remove leading and/or trailing spaces. Possible values are:
+
+    * `none`: (default) no trimming is performed.
+    * `left`: values are trimmed on the left (leading).
+    * `right`: values are trimmed on the right (trailing).
+    * `all`: values are trimmed for leading and trailing.
+
+
+`trim_chars`
+:   (Optional) Set of characters to trim from values, when trimming is enabled. The default is to trim the space character (`" "`). To trim multiple characters, simply set it to a string containing all characters to trim. For example, `trim_chars: " \t"` will trim spaces and/or tabs.
+
+For tokenization to be successful, all keys must be found and extracted, if one of them cannot be found an error will be logged and no modification is done on the original event.
+
+::::{note}
+A key can contain any characters except reserved suffix or prefix modifiers:  `/`,`&`, `+`, `#` and `?`.
+::::
+
+
+See [Conditions](/reference/winlogbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+## Dissect example [dissect-example]
+
+For this example, imagine that an application generates the following messages:
+
+```sh
+"321 - App01 - WebServer is starting"
+"321 - App01 - WebServer is up and running"
+"321 - App01 - WebServer is scaling 2 pods"
+"789 - App02 - Database is will be restarted in 5 minutes"
+"789 - App02 - Database is up and running"
+"789 - App02 - Database is refreshing tables"
+```
+
+Use the `dissect` processor to split each message into three fields, for example, `service.pid`, `service.name` and `service.status`:
+
+```yaml
+processors:
+  - dissect:
+      tokenizer: '"%{service.pid|integer} - %{service.name} - %{service.status}"'
+      field: "message"
+      target_prefix: ""
+```
+
+This configuration produces fields like:
+
+```json
+"service": {
+  "pid": 321,
+  "name": "App01",
+  "status": "WebServer is up and running"
+},
+```
+
+`service.name` is an ECS [keyword field](elasticsearch://reference/elasticsearch/mapping-reference/keyword.md), which means that you can use it in {{es}} for filtering, sorting, and aggregations.
+
+When possible, use ECS-compatible field names. For more information, see the [Elastic Common Schema](ecs://reference/index.md) documentation.
+
+
diff --git a/docs/reference/winlogbeat/drop-event.md b/docs/reference/winlogbeat/drop-event.md
new file mode 100644
index 000000000000..ca1164ac485d
--- /dev/null
+++ b/docs/reference/winlogbeat/drop-event.md
@@ -0,0 +1,20 @@
+---
+navigation_title: "drop_event"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/drop-event.html
+---
+
+# Drop events [drop-event]
+
+
+The `drop_event` processor drops the entire event if the associated condition is fulfilled. The condition is mandatory, because without one, all the events are dropped.
+
+```yaml
+processors:
+  - drop_event:
+      when:
+        condition
+```
+
+See [Conditions](/reference/winlogbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/winlogbeat/drop-fields.md b/docs/reference/winlogbeat/drop-fields.md
new file mode 100644
index 000000000000..0e555290c387
--- /dev/null
+++ b/docs/reference/winlogbeat/drop-fields.md
@@ -0,0 +1,35 @@
+---
+navigation_title: "drop_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/drop-fields.html
+---
+
+# Drop fields from events [drop-fields]
+
+
+The `drop_fields` processor specifies which fields to drop if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always dropped. The `@timestamp` and `type` fields cannot be dropped, even if they show up in the `drop_fields` list.
+
+```yaml
+processors:
+  - drop_fields:
+      when:
+        condition
+      fields: ["field1", "field2", ...]
+      ignore_missing: false
+```
+
+See [Conditions](/reference/winlogbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+::::{note}
+If you define an empty list of fields under `drop_fields`, then no fields are dropped.
+::::
+
+
+The `drop_fields` processor has the following configuration settings:
+
+`fields`
+:   If non-empty, a list of matching field names will be removed. Any element in array can contain a regular expression delimited by two slashes (*/reg_exp/*), in order to match (name) and remove more than one field.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
diff --git a/docs/reference/winlogbeat/elasticsearch-output.md b/docs/reference/winlogbeat/elasticsearch-output.md
new file mode 100644
index 000000000000..e0170fb96bb8
--- /dev/null
+++ b/docs/reference/winlogbeat/elasticsearch-output.md
@@ -0,0 +1,516 @@
+---
+navigation_title: "Elasticsearch"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/elasticsearch-output.html
+---
+
+# Configure the Elasticsearch output [elasticsearch-output]
+
+
+The Elasticsearch output sends events directly to Elasticsearch using the Elasticsearch HTTP API.
+
+Example configuration:
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"] <1>
+```
+
+1. To enable SSL, add `https` to all URLs defined under *hosts*.
+
+
+When sending data to a secured cluster through the `elasticsearch` output, Winlogbeat can use any of the following authentication methods:
+
+* Basic authentication credentials (username and password).
+* Token-based (API key) authentication.
+* Public Key Infrastructure (PKI) certificates.
+
+**Basic authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  username: "winlogbeat_writer"
+  password: "{pwd}"
+```
+
+**API key authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  api_key: "ZCV7VnwBgnX0T19fN8Qe:KnR6yE41RrSowb0kQ0HWoA"
+```
+
+**PKI certificate authentication:**
+
+```yaml
+output.elasticsearch:
+  hosts: ["https://myEShost:9200"]
+  ssl.certificate: "/etc/pki/client/cert.pem"
+  ssl.key: "/etc/pki/client/cert.key"
+```
+
+See [*Secure communication with Elasticsearch*](/reference/winlogbeat/securing-communication-elasticsearch.md) for details on each authentication method.
+
+## Compatibility [_compatibility]
+
+This output works with all compatible versions of Elasticsearch. See the [Elastic Support Matrix](https://www.elastic.co/support/matrix#matrix_compatibility).
+
+Optionally, you can set Winlogbeat to only connect to instances that are at least on the same version as the Beat. The check can be enabled by setting `output.elasticsearch.allow_older_versions` to `false`. Leaving the setting at it’s default value of `true` avoids an issue where Winlogbeat cannot connect to {{es}} after having been upgraded to a version higher than the {{stack}}.
+
+
+## Configuration options [_configuration_options_3]
+
+You can specify the following options in the `elasticsearch` section of the `winlogbeat.yml` config file:
+
+### `enabled` [_enabled]
+
+The enabled config is a boolean setting to enable or disable the output. If set to `false`, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [hosts-option]
+
+The list of Elasticsearch nodes to connect to. The events are distributed to these nodes in round robin order. If one node becomes unreachable, the event is automatically sent to another node. Each Elasticsearch node can be defined as a `URL` or `IP:PORT`. For example: `http://192.15.3.2`, `https://es.found.io:9230` or `192.24.3.2:9300`. If no port is specified, `9200` is used.
+
+::::{note}
+When a node is defined as an `IP:PORT`, the *scheme* and *path* are taken from the [`protocol`](#protocol-option) and [`path`](#path-option) config options.
+::::
+
+
+```yaml
+output.elasticsearch:
+  hosts: ["10.45.3.2:9220", "10.45.3.1:9230"] <1>
+  protocol: https
+  path: /elasticsearch
+```
+
+1. In the previous example, the Elasticsearch nodes are available at `https://10.45.3.2:9220/elasticsearch` and `https://10.45.3.1:9230/elasticsearch`.
+
+
+### `compression_level` [compression-level-option]
+
+The gzip compression level. Setting this value to `0` disables compression. The compression level must be in the range of `1` (best speed) to `9` (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the cpu usage.
+
+The default value is `1`.
+
+
+### `escape_html` [_escape_html]
+
+Configure escaping of HTML in strings. Set to `true` to enable escaping.
+
+The default value is `false`.
+
+
+### `worker` or `workers` [worker-option]
+
+The number of workers per configured host publishing events to Elasticsearch. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+The default value is `1`.
+
+
+### `loadbalance` [_loadbalance]
+
+When `loadbalance: true` is set, Winlogbeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Winlogbeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Winlogbeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Winlogbeat can connect to at least one of its configured hosts.
+
+The default value is `true`.
+
+```yaml
+output.elasticsearch:
+  hosts: ["localhost:9200", "localhost:9201"]
+  loadbalance: true
+```
+
+
+### `api_key` [_api_key]
+
+Instead of using a username and password, you can use API keys to secure communication with {{es}}. The value must be the ID of the API key and the API key joined by a colon: `id:api_key`.
+
+See [*Grant access using API keys*](/reference/winlogbeat/beats-api-keys.md) for more information.
+
+
+### `username` [_username]
+
+The basic authentication username for connecting to Elasticsearch.
+
+This user needs the privileges required to publish events to {{es}}. To create a user like this, see [Create a *publishing* user](/reference/winlogbeat/privileges-to-publish-events.md).
+
+
+### `password` [_password]
+
+The basic authentication password for connecting to Elasticsearch.
+
+
+### `parameters` [_parameters]
+
+Dictionary of HTTP parameters to pass within the url with index operations.
+
+
+### `protocol` [protocol-option]
+
+The name of the protocol Elasticsearch is reachable on. The options are: `http` or `https`. The default is `http`. However, if you specify a URL for [`hosts`](#hosts-option), the value of `protocol` is overridden by whatever scheme you specify in the URL.
+
+
+### `path` [path-option]
+
+An HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where Elasticsearch listens behind an HTTP reverse proxy that exports the API under a custom prefix.
+
+
+### `headers` [_headers]
+
+Custom HTTP headers to add to each request created by the Elasticsearch output. Example:
+
+```yaml
+output.elasticsearch.headers:
+  X-My-Header: Header contents
+```
+
+It is possible to specify multiple header values for the same header name by separating them with a comma.
+
+
+### `proxy_disable` [_proxy_disable]
+
+If set to `true` all proxy settings, including `HTTP_PROXY` and `HTTPS_PROXY` variables are ignored.
+
+
+### `proxy_url` [_proxy_url]
+
+The URL of the proxy to use when connecting to the Elasticsearch servers. The value must be a complete URL. If a value is not specified through the configuration file then proxy environment variables are used. See the [Go documentation](https://golang.org/pkg/net/http/#ProxyFromEnvironment) for more information about the environment variables.
+
+
+### `proxy_headers` [_proxy_headers]
+
+Additional headers to send to proxies during CONNECT requests.
+
+
+### `index` [index-option-es]
+
+The indexing target to write events to. Can point to an [index](https://www.elastic.co/guide/en/elasticsearch/reference/current/index-mgmt.html), [alias](docs-content://manage-data/data-store/aliases.md), or [data stream](docs-content://manage-data/data-store/data-streams.md). When using daily indices, this will be the index name. The default is `"winlogbeat-%{[agent.version]}-%{+yyyy.MM.dd}"`, for example, `"winlogbeat-9.0.0-beta1-2025-01-30"`. If you change this setting, you also need to configure the `setup.template.name` and `setup.template.pattern` options (see [Elasticsearch index template](/reference/winlogbeat/configuration-template.md)).
+
+If you are using the pre-built Kibana dashboards, you also need to set the `setup.dashboards.index` option (see [Kibana dashboards](/reference/winlogbeat/configuration-dashboards.md)).
+
+When [index lifecycle management (ILM)](/reference/winlogbeat/ilm.md) is enabled, the default `index` is `"winlogbeat-%{[agent.version]}-%{+yyyy.MM.dd}-%{{index_num}}"`, for example, `"winlogbeat-9.0.0-beta1-2025-01-30-000001"`. Custom `index` settings are ignored when ILM is enabled. If you’re sending events to a cluster that supports index lifecycle management, see [Index lifecycle management (ILM)](/reference/winlogbeat/ilm.md) to learn how to change the index name.
+
+You can set the index dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_type`, to set the index:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  index: "%{[fields.log_type]}-%{[agent.version]}-%{+yyyy.MM.dd}" <1>
+```
+
+1. We recommend including `agent.version` in the name to avoid mapping issues when you upgrade.
+
+
+With this configuration, all events with `log_type: normal` are sent to an index named `normal-9.0.0-beta1-2025-01-30`, and all events with `log_type: critical` are sent to an index named `critical-9.0.0-beta1-2025-01-30`.
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/winlogbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`indices`](#indices-option-es) setting for other ways to set the index dynamically.
+
+
+### `indices` [indices-option-es]
+
+An array of index selector rules. Each rule specifies the index to use for events that match the rule. During publishing, Winlogbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `indices` setting is missing or no rule matches, the [`index`](#index-option-es) setting is used.
+
+Similar to `index`, defining custom `indices` will disable [Index lifecycle management (ILM)](/reference/winlogbeat/ilm.md).
+
+Rule settings:
+
+**`index`**
+:   The index format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `index` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/winlogbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sets the index based on whether the `message` field contains the specified string:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  indices:
+    - index: "warning-%{[agent.version]}-%{+yyyy.MM.dd}"
+      when.contains:
+        message: "WARN"
+    - index: "error-%{[agent.version]}-%{+yyyy.MM.dd}"
+      when.contains:
+        message: "ERR"
+```
+
+This configuration results in indices named `warning-9.0.0-beta1-2025-01-30` and `error-9.0.0-beta1-2025-01-30` (plus the default index if no matches are found).
+
+The following example sets the index by taking the name returned by the `index` format string and mapping it to a new name that’s used for the index:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  indices:
+    - index: "%{[fields.log_type]}"
+      mappings:
+        critical: "sev1"
+        normal: "sev2"
+      default: "sev3"
+```
+
+This configuration results in indices named `sev1`, `sev2`, and `sev3`.
+
+The `mappings` setting simplifies the configuration, but is limited to string values. You cannot specify format strings within the mapping pairs.
+
+
+### `ilm` [ilm-es]
+
+Configuration options for index lifecycle management.
+
+See [Index lifecycle management (ILM)](/reference/winlogbeat/ilm.md) for more information.
+
+
+### `pipeline` [pipeline-option-es]
+
+A format string value that specifies the ingest pipeline to write events to.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipeline: my_pipeline_id
+```
+
+::::{important}
+The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then the pipeline name in {{es}} needs to be defined as `foo-bar`.
+::::
+
+
+For more information, see [*Parse data using an ingest pipeline*](/reference/winlogbeat/configuring-ingest-node.md).
+
+You can set the ingest pipeline dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_type`, to set the pipeline for each event:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipeline: "%{[fields.log_type]}_pipeline"
+```
+
+With this configuration, all events with `log_type: normal` are sent to a pipeline named `normal_pipeline`, and all events with `log_type: critical` are sent to a pipeline named `critical_pipeline`.
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/winlogbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`pipelines`](#pipelines-option-es) setting for other ways to set the ingest pipeline dynamically.
+
+
+### `pipelines` [pipelines-option-es]
+
+An array of pipeline selector rules. Each rule specifies the ingest pipeline to use for events that match the rule. During publishing, Winlogbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `pipelines` setting is missing or no rule matches, the [`pipeline`](#pipeline-option-es) setting is used.
+
+Rule settings:
+
+**`pipeline`**
+:   The pipeline format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `pipeline` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/winlogbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sends events to a specific pipeline based on whether the `message` field contains the specified string:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipelines:
+    - pipeline: "warning_pipeline"
+      when.contains:
+        message: "WARN"
+    - pipeline: "error_pipeline"
+      when.contains:
+        message: "ERR"
+```
+
+The following example sets the pipeline by taking the name returned by the `pipeline` format string and mapping it to a new name that’s used for the pipeline:
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  pipelines:
+    - pipeline: "%{[fields.log_type]}"
+      mappings:
+        critical: "sev1_pipeline"
+        normal: "sev2_pipeline"
+      default: "sev3_pipeline"
+```
+
+With this configuration, all events with `log_type: critical` are sent to `sev1_pipeline`, all events with `log_type: normal` are sent to a `sev2_pipeline`, and all other events are sent to `sev3_pipeline`.
+
+For more information about ingest pipelines, see [*Parse data using an ingest pipeline*](/reference/winlogbeat/configuring-ingest-node.md).
+
+
+### `max_retries` [_max_retries]
+
+Winlogbeat ignores the `max_retries` setting and retries indefinitely.
+
+
+### `bulk_max_size` [bulk-max-size-option]
+
+The maximum number of events to bulk in a single Elasticsearch bulk API index request. The default is 1600.
+
+Events can be collected into batches. Winlogbeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `backoff.init` [backoff-init-option]
+
+The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting `backoff.init` seconds, Winlogbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is `1s`.
+
+
+### `backoff.max` [backoff-max-option]
+
+The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. The default is `60s`.
+
+
+### `idle_connection_timeout` [idle-connection-timeout-option]
+
+The maximum amount of time an idle connection will remain idle before closing itself. Zero means no limit. The format is a Go language duration (example 60s is 60 seconds). The default is 3s.
+
+
+### `timeout` [_timeout]
+
+The http request timeout in seconds for the Elasticsearch request. The default is 90.
+
+
+### `allow_older_versions` [_allow_older_versions]
+
+By default, Winlogbeat expects the Elasticsearch instance to be on the same or newer version to provide optimal experience. We suggest you connect to the same version to make sure all features Winlogbeat is using are available in your Elasticsearch instance.
+
+You can disable the check for example during updating the Elastic Stack, so data collection can go on.
+
+
+### `ssl` [_ssl]
+
+Configuration options for SSL parameters like the certificate authority to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to Elasticsearch.
+
+See the [secure communication with {{es}}](/reference/winlogbeat/securing-communication-elasticsearch.md) guide or [SSL configuration reference](/reference/winlogbeat/configuration-ssl.md) for more information.
+
+
+### `kerberos` [_kerberos]
+
+Configuration options for Kerberos authentication.
+
+See [Kerberos](/reference/winlogbeat/configuration-kerberos.md) for more information.
+
+
+### `queue` [_queue]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/winlogbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `winlogbeat.yml` or the `output` section but not both. ===== `non_indexable_policy`
+
+Specifies the behavior when the elasticsearch cluster explicitly rejects documents, for example on mapping conflicts.
+
+#### `drop` [_drop]
+
+The default behaviour, when an event is explicitly rejected by elasticsearch it is dropped.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  non_indexable_policy.drop: ~
+```
+
+
+#### `dead_letter_index` [_dead_letter_index]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+On an explicit rejection, this policy will retry the event in the next batch. However, the target index will change to index specified. In addition, the structure of the event will be change to the following fields:
+
+message
+:   Contains the escaped json of the original event.
+
+error.type
+:   Contains the status code
+
+error.message
+:   Contains status returned by elasticsearch, describing the reason
+
+`index`
+:   The index to send rejected events to.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  non_indexable_policy.dead_letter_index:
+    index: "my-dead-letter-index"
+```
+
+
+
+### `preset` [_preset]
+
+The performance preset to apply to the output configuration.
+
+```yaml
+output.elasticsearch:
+  hosts: ["http://localhost:9200"]
+  preset: balanced
+```
+
+Performance presets apply a set of configuration overrides based on a desired performance goal. If set, a performance preset will override other configuration flags to match the recommended settings for that preset. If a preset doesn’t set a value for a particular field, the user-specified value will be used if present, otherwise the default. Valid options are: * `balanced`: good starting point for general efficiency * `throughput`: good for high data volumes, may increase cpu and memory requirements * `scale`: reduces ambient resource use in large low-throughput deployments * `latency`: minimize the time for fresh data to become visible in Elasticsearch * `custom`: apply user configuration directly with no overrides
+
+The default if unspecified is `custom`.
+
+Presets represent current recommendations based on the intended goal; their effect may change between versions to better suit those goals. Currently the presets have the following effects:
+
+| preset | balanced | throughput | scale | latency |
+| --- | --- | --- | --- | --- |
+| [`bulk_max_size`](#bulk-max-size-option) | 1600 | 1600 | 1600 | 50 |
+| [`worker`](#worker-option) | 1 | 4 | 1 | 1 |
+| [`queue.mem.events`](/reference/winlogbeat/configuring-internal-queue.md#queue-mem-events-option) | 3200 | 12800 | 3200 | 4100 |
+| [`queue.mem.flush.min_events`](/reference/winlogbeat/configuring-internal-queue.md#queue-mem-flush-min-events-option) | 1600 | 1600 | 1600 | 2050 |
+| [`queue.mem.flush.timeout`](/reference/winlogbeat/configuring-internal-queue.md#queue-mem-flush-timeout-option) | `10s` | `5s` | `20s` | `1s` |
+| [`compression_level`](#compression-level-option) | 1 | 1 | 1 | 1 |
+| [`idle_connection_timeout`](#idle-connection-timeout-option) | `3s` | `15s` | `1s` | `60s` |
+| [`backoff.init`](#backoff-init-option) | none | none | `5s` | none |
+| [`backoff.max`](#backoff-max-option) | none | none | `300s` | none |
+
+
+
+## Elasticsearch APIs [es-apis]
+
+Winlogbeat will use the `_bulk` API from {{es}}, the events are sent in the order they arrive to the publishing pipeline, a single `_bulk` request may contain events from different inputs/modules. Temporary failures are re-tried.
+
+The status code for each event is checked and handled as:
+
+* `< 300`: The event is counted as `events.acked`
+* `409` (Conflict): The event is counted as `events.duplicates`
+* `429` (Too Many Requests): The event is counted as `events.toomany`
+* `> 399 and < 500`: The `non_indexable_policy` is applied.
+
+
diff --git a/docs/reference/winlogbeat/enable-winlogbeat-debugging.md b/docs/reference/winlogbeat/enable-winlogbeat-debugging.md
new file mode 100644
index 000000000000..b326a5e77001
--- /dev/null
+++ b/docs/reference/winlogbeat/enable-winlogbeat-debugging.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/enable-winlogbeat-debugging.html
+---
+
+# Debug [enable-winlogbeat-debugging]
+
+By default, Winlogbeat sends all its output to syslog. When you run Winlogbeat in the foreground, you can use the `-e` command line flag to redirect the output to standard error instead. For example:
+
+```sh
+winlogbeat -e
+```
+
+The default configuration file is winlogbeat.yml (the location of the file varies by platform). You can use a different configuration file by specifying the `-c` flag. For example:
+
+```sh
+winlogbeat -e -c mywinlogbeatconfig.yml
+```
+
+You can increase the verbosity of debug messages by enabling one or more debug selectors. For example, to view publisher-related messages, start Winlogbeat with the `publisher` selector:
+
+```sh
+winlogbeat -e -d "publisher"
+```
+
+If you want all the debugging output (fair warning, it’s quite a lot), you can use `*`, like this:
+
+```sh
+winlogbeat -e -d "*"
+```
+
diff --git a/docs/reference/winlogbeat/error-found-unexpected-character.md b/docs/reference/winlogbeat/error-found-unexpected-character.md
new file mode 100644
index 000000000000..2b22be72b245
--- /dev/null
+++ b/docs/reference/winlogbeat/error-found-unexpected-character.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/error-found-unexpected-character.html
+---
+
+# Found unexpected or unknown characters [error-found-unexpected-character]
+
+Either there is a problem with the structure of your config file, or you have used a path or expression that the YAML parser cannot resolve because the config file contains characters that aren’t properly escaped.
+
+If the YAML file contains paths with spaces or unusual characters, wrap the paths in single quotation marks (see [Wrap paths in single quotation marks](/reference/winlogbeat/yaml-tips.md#wrap-paths-in-quotes)).
+
+Also see the general advice under [*Avoid YAML formatting problems*](/reference/winlogbeat/yaml-tips.md).
+
diff --git a/docs/reference/winlogbeat/error-loading-config.md b/docs/reference/winlogbeat/error-loading-config.md
new file mode 100644
index 000000000000..55a9e22c9bda
--- /dev/null
+++ b/docs/reference/winlogbeat/error-loading-config.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/error-loading-config.html
+---
+
+# Error loading config file [error-loading-config]
+
+You may encounter errors loading the config file on POSIX operating systems if:
+
+* an unauthorized user tries to load the config file, or
+* the config file has the wrong permissions.
+
+See [Config File Ownership and Permissions](/reference/libbeat/config-file-permissions.md) for more about resolving these errors.
+
diff --git a/docs/reference/winlogbeat/exported-fields-beat-common.md b/docs/reference/winlogbeat/exported-fields-beat-common.md
new file mode 100644
index 000000000000..a1c167ad18a0
--- /dev/null
+++ b/docs/reference/winlogbeat/exported-fields-beat-common.md
@@ -0,0 +1,47 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-beat-common.html
+---
+
+# Beat fields [exported-fields-beat-common]
+
+Contains common beat fields available in all event types.
+
+**`agent.hostname`**
+:   Deprecated - use agent.name or agent.id to identify an agent.
+
+type: alias
+
+alias to: agent.name
+
+
+**`beat.timezone`**
+:   type: alias
+
+alias to: event.timezone
+
+
+**`fields`**
+:   Contains user configurable fields.
+
+type: object
+
+
+**`beat.name`**
+:   type: alias
+
+alias to: host.name
+
+
+**`beat.hostname`**
+:   type: alias
+
+alias to: agent.name
+
+
+**`timeseries.instance`**
+:   Time series instance id
+
+type: keyword
+
+
diff --git a/docs/reference/winlogbeat/exported-fields-cloud.md b/docs/reference/winlogbeat/exported-fields-cloud.md
new file mode 100644
index 000000000000..7c4b97380b38
--- /dev/null
+++ b/docs/reference/winlogbeat/exported-fields-cloud.md
@@ -0,0 +1,57 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-cloud.html
+---
+
+# Cloud provider metadata fields [exported-fields-cloud]
+
+Metadata from cloud providers added by the add_cloud_metadata processor.
+
+**`cloud.image.id`**
+:   Image ID for the cloud instance.
+
+example: ami-abcd1234
+
+
+**`meta.cloud.provider`**
+:   type: alias
+
+alias to: cloud.provider
+
+
+**`meta.cloud.instance_id`**
+:   type: alias
+
+alias to: cloud.instance.id
+
+
+**`meta.cloud.instance_name`**
+:   type: alias
+
+alias to: cloud.instance.name
+
+
+**`meta.cloud.machine_type`**
+:   type: alias
+
+alias to: cloud.machine.type
+
+
+**`meta.cloud.availability_zone`**
+:   type: alias
+
+alias to: cloud.availability_zone
+
+
+**`meta.cloud.project_id`**
+:   type: alias
+
+alias to: cloud.project.id
+
+
+**`meta.cloud.region`**
+:   type: alias
+
+alias to: cloud.region
+
+
diff --git a/docs/reference/winlogbeat/exported-fields-docker-processor.md b/docs/reference/winlogbeat/exported-fields-docker-processor.md
new file mode 100644
index 000000000000..2551bf668f28
--- /dev/null
+++ b/docs/reference/winlogbeat/exported-fields-docker-processor.md
@@ -0,0 +1,33 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-docker-processor.html
+---
+
+# Docker fields [exported-fields-docker-processor]
+
+Docker stats collected from Docker.
+
+**`docker.container.id`**
+:   type: alias
+
+alias to: container.id
+
+
+**`docker.container.image`**
+:   type: alias
+
+alias to: container.image.name
+
+
+**`docker.container.name`**
+:   type: alias
+
+alias to: container.name
+
+
+**`docker.container.labels`**
+:   Image labels.
+
+type: object
+
+
diff --git a/docs/reference/winlogbeat/exported-fields-ecs.md b/docs/reference/winlogbeat/exported-fields-ecs.md
new file mode 100644
index 000000000000..d255b70659f8
--- /dev/null
+++ b/docs/reference/winlogbeat/exported-fields-ecs.md
@@ -0,0 +1,10423 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-ecs.html
+---
+
+# ECS fields [exported-fields-ecs]
+
+This section defines Elastic Common Schema (ECS) fields—a common set of fields to be used when storing event data in {{es}}.
+
+This is an exhaustive list, and fields listed here are not necessarily used by Winlogbeat. The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events.
+
+See the [ECS reference](ecs://reference/index.md) for more information.
+
+**`@timestamp`**
+:   Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+required: True
+
+
+**`labels`**
+:   Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels.
+
+type: object
+
+example: {"application": "foo-bar", "env": "production"}
+
+
+**`message`**
+:   For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.
+
+type: match_only_text
+
+example: Hello World
+
+
+**`tags`**
+:   List of keywords used to tag each event.
+
+type: keyword
+
+example: ["production", "env2"]
+
+
+
+## agent [_agent]
+
+The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
+
+**`agent.build.original`**
+:   Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required.
+
+type: keyword
+
+example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]
+
+
+**`agent.ephemeral_id`**
+:   Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`agent.id`**
+:   Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
+
+type: keyword
+
+example: 8a4f500d
+
+
+**`agent.name`**
+:   Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.
+
+type: keyword
+
+example: foo
+
+
+**`agent.type`**
+:   Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.
+
+type: keyword
+
+example: filebeat
+
+
+**`agent.version`**
+:   Version of the agent.
+
+type: keyword
+
+example: 6.0.0-rc2
+
+
+
+## as [_as]
+
+An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
+
+**`as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`as.organization.name.text`**
+:   type: match_only_text
+
+
+
+## client [_client]
+
+A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
+
+**`client.address`**
+:   Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`client.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`client.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`client.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`client.bytes`**
+:   Bytes sent from the client to the server.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`client.domain`**
+:   The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`client.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`client.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`client.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`client.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`client.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`client.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`client.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`client.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`client.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`client.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`client.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`client.ip`**
+:   IP address of the client (IPv4 or IPv6).
+
+type: ip
+
+
+**`client.mac`**
+:   MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`client.nat.ip`**
+:   Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`client.nat.port`**
+:   Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`client.packets`**
+:   Packets sent from the client to the server.
+
+type: long
+
+example: 12
+
+
+**`client.port`**
+:   Port of the client.
+
+type: long
+
+format: string
+
+
+**`client.registered_domain`**
+:   The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`client.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`client.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`client.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`client.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`client.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`client.user.full_name.text`**
+:   type: match_only_text
+
+
+**`client.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`client.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`client.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`client.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`client.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`client.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`client.user.name.text`**
+:   type: match_only_text
+
+
+**`client.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## cloud [_cloud]
+
+Fields related to the cloud or infrastructure the events are coming from.
+
+**`cloud.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.origin.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.origin.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.origin.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.origin.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.origin.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.origin.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.origin.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.origin.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.origin.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.origin.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.origin.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+**`cloud.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+**`cloud.target.account.id`**
+:   The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+
+type: keyword
+
+example: 666777888999
+
+
+**`cloud.target.account.name`**
+:   The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.
+
+type: keyword
+
+example: elastic-dev
+
+
+**`cloud.target.availability_zone`**
+:   Availability zone in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1c
+
+
+**`cloud.target.instance.id`**
+:   Instance ID of the host machine.
+
+type: keyword
+
+example: i-1234567890abcdef0
+
+
+**`cloud.target.instance.name`**
+:   Instance name of the host machine.
+
+type: keyword
+
+
+**`cloud.target.machine.type`**
+:   Machine type of the host machine.
+
+type: keyword
+
+example: t2.medium
+
+
+**`cloud.target.project.id`**
+:   The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
+
+type: keyword
+
+example: my-project
+
+
+**`cloud.target.project.name`**
+:   The cloud project name. Examples: Google Cloud Project name, Azure Project name.
+
+type: keyword
+
+example: my project
+
+
+**`cloud.target.provider`**
+:   Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+
+type: keyword
+
+example: aws
+
+
+**`cloud.target.region`**
+:   Region in which this host, resource, or service is located.
+
+type: keyword
+
+example: us-east-1
+
+
+**`cloud.target.service.name`**
+:   The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.
+
+type: keyword
+
+example: lambda
+
+
+
+## code_signature [_code_signature]
+
+These fields contain information about binary code signatures.
+
+**`code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+
+## container [_container]
+
+Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.
+
+**`container.cpu.usage`**
+:   Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000.
+
+type: scaled_float
+
+
+**`container.disk.read.bytes`**
+:   The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`container.disk.write.bytes`**
+:   The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`container.id`**
+:   Unique container id.
+
+type: keyword
+
+
+**`container.image.name`**
+:   Name of the image the container was built on.
+
+type: keyword
+
+
+**`container.image.tag`**
+:   Container image tags.
+
+type: keyword
+
+
+**`container.labels`**
+:   Image labels.
+
+type: object
+
+
+**`container.memory.usage`**
+:   Memory usage percentage and it ranges from 0 to 1. Scaling factor: 1000.
+
+type: scaled_float
+
+
+**`container.name`**
+:   Container name.
+
+type: keyword
+
+
+**`container.network.egress.bytes`**
+:   The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.
+
+type: long
+
+
+**`container.network.ingress.bytes`**
+:   The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.
+
+type: long
+
+
+**`container.runtime`**
+:   Runtime managing this container.
+
+type: keyword
+
+example: docker
+
+
+
+## data_stream [_data_stream]
+
+The data_stream fields take part in defining the new data stream naming scheme. In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this [blog post](https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme). An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional [restrictions](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-create).
+
+**`data_stream.dataset`**
+:   The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters
+
+type: constant_keyword
+
+example: nginx.access
+
+
+**`data_stream.namespace`**
+:   A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters
+
+type: constant_keyword
+
+example: production
+
+
+**`data_stream.type`**
+:   An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
+
+type: constant_keyword
+
+example: logs
+
+
+
+## destination [_destination]
+
+Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
+
+**`destination.address`**
+:   Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`destination.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`destination.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`destination.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`destination.bytes`**
+:   Bytes sent from the destination to the source.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`destination.domain`**
+:   The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`destination.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`destination.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`destination.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`destination.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`destination.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`destination.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`destination.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`destination.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`destination.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`destination.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`destination.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`destination.ip`**
+:   IP address of the destination (IPv4 or IPv6).
+
+type: ip
+
+
+**`destination.mac`**
+:   MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`destination.nat.ip`**
+:   Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`destination.nat.port`**
+:   Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`destination.packets`**
+:   Packets sent from the destination to the source.
+
+type: long
+
+example: 12
+
+
+**`destination.port`**
+:   Port of the destination.
+
+type: long
+
+format: string
+
+
+**`destination.registered_domain`**
+:   The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`destination.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`destination.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`destination.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`destination.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`destination.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`destination.user.full_name.text`**
+:   type: match_only_text
+
+
+**`destination.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`destination.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`destination.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`destination.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`destination.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`destination.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`destination.user.name.text`**
+:   type: match_only_text
+
+
+**`destination.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## dll [_dll]
+
+These fields contain information about code libraries dynamically loaded into processes.
+
+Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: * Dynamic-link library (`.dll`) commonly used on Windows * Shared Object (`.so`) commonly used on Unix-like operating systems * Dynamic library (`.dylib`) commonly used on macOS
+
+**`dll.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`dll.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`dll.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`dll.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`dll.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`dll.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`dll.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`dll.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`dll.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`dll.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`dll.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`dll.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`dll.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`dll.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`dll.name`**
+:   Name of the library. This generally maps to the name of the file on disk.
+
+type: keyword
+
+example: kernel32.dll
+
+
+**`dll.path`**
+:   Full file path of the library.
+
+type: keyword
+
+example: C:\Windows\System32\kernel32.dll
+
+
+**`dll.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`dll.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`dll.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`dll.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`dll.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`dll.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`dll.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+
+## dns [_dns]
+
+Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).
+
+**`dns.answers`**
+:   An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
+
+type: object
+
+
+**`dns.answers.class`**
+:   The class of DNS data contained in this resource record.
+
+type: keyword
+
+example: IN
+
+
+**`dns.answers.data`**
+:   The data describing the resource. The meaning of this data depends on the type and class of the resource record.
+
+type: keyword
+
+example: 10.10.10.10
+
+
+**`dns.answers.name`**
+:   The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s `name` should be the one that corresponds with the answer’s `data`. It should not simply be the original `question.name` repeated.
+
+type: keyword
+
+example: www.example.com
+
+
+**`dns.answers.ttl`**
+:   The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
+
+type: long
+
+example: 180
+
+
+**`dns.answers.type`**
+:   The type of data contained in this resource record.
+
+type: keyword
+
+example: CNAME
+
+
+**`dns.header_flags`**
+:   Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO.
+
+type: keyword
+
+example: ["RD", "RA"]
+
+
+**`dns.id`**
+:   The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+
+type: keyword
+
+example: 62111
+
+
+**`dns.op_code`**
+:   The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
+
+type: keyword
+
+example: QUERY
+
+
+**`dns.question.class`**
+:   The class of records being queried.
+
+type: keyword
+
+example: IN
+
+
+**`dns.question.name`**
+:   The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
+
+type: keyword
+
+example: www.example.com
+
+
+**`dns.question.registered_domain`**
+:   The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`dns.question.subdomain`**
+:   The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: www
+
+
+**`dns.question.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`dns.question.type`**
+:   The type of record being queried.
+
+type: keyword
+
+example: AAAA
+
+
+**`dns.resolved_ip`**
+:   Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
+
+type: ip
+
+example: ["10.10.10.10", "10.10.10.11"]
+
+
+**`dns.response_code`**
+:   The DNS response code.
+
+type: keyword
+
+example: NOERROR
+
+
+**`dns.type`**
+:   The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
+
+type: keyword
+
+example: answer
+
+
+
+## ecs [_ecs]
+
+Meta-information specific to ECS.
+
+**`ecs.version`**
+:   ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.
+
+type: keyword
+
+example: 1.0.0
+
+required: True
+
+
+
+## elf [_elf]
+
+These fields contain Linux Executable Linkable Format (ELF) metadata.
+
+**`elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+
+## error [_error]
+
+These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.
+
+**`error.code`**
+:   Error code describing the error.
+
+type: keyword
+
+
+**`error.id`**
+:   Unique identifier for the error.
+
+type: keyword
+
+
+**`error.message`**
+:   Error message.
+
+type: match_only_text
+
+
+**`error.stack_trace`**
+:   The stack trace of this error in plain text.
+
+type: wildcard
+
+
+**`error.stack_trace.text`**
+:   type: match_only_text
+
+
+**`error.type`**
+:   The type of the error, for example the class name of the exception.
+
+type: keyword
+
+example: java.lang.NullPointerException
+
+
+
+## event [_event]
+
+The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.
+
+**`event.action`**
+:   The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+
+type: keyword
+
+example: user-password-change
+
+
+**`event.agent_id_status`**
+:   Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent’s connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID.
+
+type: keyword
+
+example: verified
+
+
+**`event.category`**
+:   This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+
+type: keyword
+
+example: authentication
+
+
+**`event.code`**
+:   Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+
+type: keyword
+
+example: 4648
+
+
+**`event.created`**
+:   event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.
+
+type: date
+
+example: 2016-05-23T08:05:34.857Z
+
+
+**`event.dataset`**
+:   Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
+
+type: keyword
+
+example: apache.access
+
+
+**`event.duration`**
+:   Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.
+
+type: long
+
+format: duration
+
+
+**`event.end`**
+:   event.end contains the date when the event ended or when the activity was last observed.
+
+type: date
+
+
+**`event.hash`**
+:   Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+
+type: keyword
+
+example: 123456789012345678901234567890ABCD
+
+
+**`event.id`**
+:   Unique ID to describe the event.
+
+type: keyword
+
+example: 8a4f500d
+
+
+**`event.ingested`**
+:   Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred.  It’s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+
+type: date
+
+example: 2016-05-23T08:05:35.101Z
+
+
+**`event.kind`**
+:   This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+
+type: keyword
+
+example: alert
+
+
+**`event.module`**
+:   Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.
+
+type: keyword
+
+example: apache
+
+
+**`event.original`**
+:   Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+
+type: keyword
+
+example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
+
+Field is not indexed.
+
+
+**`event.outcome`**
+:   This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+
+type: keyword
+
+example: success
+
+
+**`event.provider`**
+:   Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+
+type: keyword
+
+example: kernel
+
+
+**`event.reason`**
+:   Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+
+type: keyword
+
+example: Terminated an unexpected process
+
+
+**`event.reference`**
+:   Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+type: keyword
+
+example: [https://system.example.com/event/#0001234](https://system.example.com/event/#0001234)
+
+
+**`event.risk_score`**
+:   Risk score or priority of the event (e.g. security solutions). Use your system’s original value here.
+
+type: float
+
+
+**`event.risk_score_norm`**
+:   Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
+
+type: float
+
+
+**`event.sequence`**
+:   Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
+
+type: long
+
+format: string
+
+
+**`event.severity`**
+:   The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+
+type: long
+
+example: 7
+
+format: string
+
+
+**`event.start`**
+:   event.start contains the date when the event started or when the activity was first observed.
+
+type: date
+
+
+**`event.timezone`**
+:   This field should be populated when the event’s timestamp does not include timezone information already (e.g. default Syslog timestamps). It’s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+
+type: keyword
+
+
+**`event.type`**
+:   This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+
+type: keyword
+
+
+**`event.url`**
+:   URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
+
+type: keyword
+
+example: [https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe](https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe)
+
+
+
+## faas [_faas]
+
+The user fields describe information about the function as a service that is relevant to the event.
+
+**`faas.coldstart`**
+:   Boolean value indicating a cold start of a function.
+
+type: boolean
+
+
+**`faas.execution`**
+:   The execution ID of the current function execution.
+
+type: keyword
+
+example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
+
+
+**`faas.trigger`**
+:   Details about the function trigger.
+
+type: nested
+
+
+**`faas.trigger.request_id`**
+:   The ID of the trigger request , message, event, etc.
+
+type: keyword
+
+example: 123456789
+
+
+**`faas.trigger.type`**
+:   The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other
+
+type: keyword
+
+example: http
+
+
+
+## file [_file]
+
+A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
+
+**`file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`file.path.text`**
+:   type: match_only_text
+
+
+**`file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`file.target_path.text`**
+:   type: match_only_text
+
+
+**`file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+
+## geo [_geo]
+
+Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.
+
+**`geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+
+## group [_group]
+
+The group fields are meant to represent groups that are relevant to the event.
+
+**`group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+
+## hash [_hash]
+
+The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).
+
+**`hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+
+## host [_host]
+
+A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
+
+**`host.architecture`**
+:   Operating system architecture.
+
+type: keyword
+
+example: x86_64
+
+
+**`host.cpu.usage`**
+:   Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1.
+
+type: scaled_float
+
+
+**`host.disk.read.bytes`**
+:   The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`host.disk.write.bytes`**
+:   The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
+
+type: long
+
+
+**`host.domain`**
+:   Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider.
+
+type: keyword
+
+example: CONTOSO
+
+
+**`host.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`host.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`host.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`host.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`host.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`host.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`host.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`host.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`host.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`host.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`host.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`host.hostname`**
+:   Hostname of the host. It normally contains what the `hostname` command returns on the host machine.
+
+type: keyword
+
+
+**`host.id`**
+:   Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.
+
+type: keyword
+
+
+**`host.ip`**
+:   Host ip addresses.
+
+type: ip
+
+
+**`host.mac`**
+:   Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
+
+
+**`host.name`**
+:   Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+
+type: keyword
+
+
+**`host.network.egress.bytes`**
+:   The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.egress.packets`**
+:   The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.ingress.bytes`**
+:   The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.network.ingress.packets`**
+:   The number of packets (gauge) received on all network interfaces by the host since the last metric collection.
+
+type: long
+
+
+**`host.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`host.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`host.os.full.text`**
+:   type: match_only_text
+
+
+**`host.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`host.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`host.os.name.text`**
+:   type: match_only_text
+
+
+**`host.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`host.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`host.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`host.type`**
+:   Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
+
+type: keyword
+
+
+**`host.uptime`**
+:   Seconds the host has been up.
+
+type: long
+
+example: 1325
+
+
+
+## http [_http]
+
+Fields related to HTTP activity. Use the `url` field set to store the url of the request.
+
+**`http.request.body.bytes`**
+:   Size in bytes of the request body.
+
+type: long
+
+example: 887
+
+format: bytes
+
+
+**`http.request.body.content`**
+:   The full HTTP request body.
+
+type: wildcard
+
+example: Hello world
+
+
+**`http.request.body.content.text`**
+:   type: match_only_text
+
+
+**`http.request.bytes`**
+:   Total size in bytes of the request (body and headers).
+
+type: long
+
+example: 1437
+
+format: bytes
+
+
+**`http.request.id`**
+:   A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`.
+
+type: keyword
+
+example: 123e4567-e89b-12d3-a456-426614174000
+
+
+**`http.request.method`**
+:   HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+
+type: keyword
+
+example: POST
+
+
+**`http.request.mime_type`**
+:   Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request’s Content-Type header can be helpful in detecting threats or misconfigured clients.
+
+type: keyword
+
+example: image/gif
+
+
+**`http.request.referrer`**
+:   Referrer for this HTTP request.
+
+type: keyword
+
+example: [https://blog.example.com/](https://blog.example.com/)
+
+
+**`http.response.body.bytes`**
+:   Size in bytes of the response body.
+
+type: long
+
+example: 887
+
+format: bytes
+
+
+**`http.response.body.content`**
+:   The full HTTP response body.
+
+type: wildcard
+
+example: Hello world
+
+
+**`http.response.body.content.text`**
+:   type: match_only_text
+
+
+**`http.response.bytes`**
+:   Total size in bytes of the response (body and headers).
+
+type: long
+
+example: 1437
+
+format: bytes
+
+
+**`http.response.mime_type`**
+:   Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response’s Content-Type header can be helpful in detecting misconfigured servers.
+
+type: keyword
+
+example: image/gif
+
+
+**`http.response.status_code`**
+:   HTTP response status code.
+
+type: long
+
+example: 404
+
+format: string
+
+
+**`http.version`**
+:   HTTP version.
+
+type: keyword
+
+example: 1.1
+
+
+
+## interface [_interface]
+
+The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection.  In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.
+
+**`interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+
+## log [_log]
+
+Details about the event’s logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields.
+
+**`log.file.path`**
+:   Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field.
+
+type: keyword
+
+example: /var/log/fun-times.log
+
+
+**`log.level`**
+:   Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`.
+
+type: keyword
+
+example: error
+
+
+**`log.logger`**
+:   The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+
+type: keyword
+
+example: org.elasticsearch.bootstrap.Bootstrap
+
+
+**`log.origin.file.line`**
+:   The line number of the file containing the source code which originated the log event.
+
+type: long
+
+example: 42
+
+
+**`log.origin.file.name`**
+:   The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.
+
+type: keyword
+
+example: Bootstrap.java
+
+
+**`log.origin.function`**
+:   The name of the function or method which originated the log event.
+
+type: keyword
+
+example: init
+
+
+**`log.syslog`**
+:   The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
+
+type: object
+
+
+**`log.syslog.facility.code`**
+:   The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+
+type: long
+
+example: 23
+
+format: string
+
+
+**`log.syslog.facility.name`**
+:   The Syslog text-based facility of the log event, if available.
+
+type: keyword
+
+example: local7
+
+
+**`log.syslog.priority`**
+:   Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+
+type: long
+
+example: 135
+
+format: string
+
+
+**`log.syslog.severity.code`**
+:   The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source’s numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+
+type: long
+
+example: 3
+
+
+**`log.syslog.severity.name`**
+:   The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source’s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
+
+type: keyword
+
+example: Error
+
+
+
+## network [_network]
+
+The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.
+
+**`network.application`**
+:   When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: aim
+
+
+**`network.bytes`**
+:   Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+
+type: long
+
+example: 368
+
+format: bytes
+
+
+**`network.community_id`**
+:   A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at [https://github.com/corelight/community-id-spec](https://github.com/corelight/community-id-spec).
+
+type: keyword
+
+example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
+
+
+**`network.direction`**
+:   Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown
+
+When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+
+type: keyword
+
+example: inbound
+
+
+**`network.forwarded_ip`**
+:   Host IP address when the source IP address is the proxy.
+
+type: ip
+
+example: 192.1.1.2
+
+
+**`network.iana_number`**
+:   IANA Protocol Number ([https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+
+type: keyword
+
+example: 6
+
+
+**`network.inner`**
+:   Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
+
+type: object
+
+
+**`network.inner.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`network.inner.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`network.name`**
+:   Name given by operators to sections of their network.
+
+type: keyword
+
+example: Guest Wifi
+
+
+**`network.packets`**
+:   Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+
+type: long
+
+example: 24
+
+
+**`network.protocol`**
+:   In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: http
+
+
+**`network.transport`**
+:   Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: tcp
+
+
+**`network.type`**
+:   In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying.
+
+type: keyword
+
+example: ipv4
+
+
+**`network.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`network.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+
+## observer [_observer]
+
+An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
+
+**`observer.egress`**
+:   Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
+
+type: object
+
+
+**`observer.egress.interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`observer.egress.interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`observer.egress.interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+**`observer.egress.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`observer.egress.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`observer.egress.zone`**
+:   Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
+
+type: keyword
+
+example: Public_Internet
+
+
+**`observer.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`observer.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`observer.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`observer.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`observer.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`observer.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`observer.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`observer.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`observer.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`observer.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`observer.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`observer.hostname`**
+:   Hostname of the observer.
+
+type: keyword
+
+
+**`observer.ingress`**
+:   Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
+
+type: object
+
+
+**`observer.ingress.interface.alias`**
+:   Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
+
+type: keyword
+
+example: outside
+
+
+**`observer.ingress.interface.id`**
+:   Interface ID as reported by an observer (typically SNMP interface ID).
+
+type: keyword
+
+example: 10
+
+
+**`observer.ingress.interface.name`**
+:   Interface name as reported by the system.
+
+type: keyword
+
+example: eth0
+
+
+**`observer.ingress.vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`observer.ingress.vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+**`observer.ingress.zone`**
+:   Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
+
+type: keyword
+
+example: DMZ
+
+
+**`observer.ip`**
+:   IP addresses of the observer.
+
+type: ip
+
+
+**`observer.mac`**
+:   MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
+
+
+**`observer.name`**
+:   Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.
+
+type: keyword
+
+example: 1_proxySG
+
+
+**`observer.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`observer.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`observer.os.full.text`**
+:   type: match_only_text
+
+
+**`observer.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`observer.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`observer.os.name.text`**
+:   type: match_only_text
+
+
+**`observer.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`observer.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`observer.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`observer.product`**
+:   The product name of the observer.
+
+type: keyword
+
+example: s200
+
+
+**`observer.serial_number`**
+:   Observer serial number.
+
+type: keyword
+
+
+**`observer.type`**
+:   The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+
+type: keyword
+
+example: firewall
+
+
+**`observer.vendor`**
+:   Vendor name of the observer.
+
+type: keyword
+
+example: Symantec
+
+
+**`observer.version`**
+:   Observer version.
+
+type: keyword
+
+
+
+## orchestrator [_orchestrator]
+
+Fields that describe the resources which container orchestrators manage or act upon.
+
+**`orchestrator.api_version`**
+:   API version being used to carry out the action
+
+type: keyword
+
+example: v1beta1
+
+
+**`orchestrator.cluster.name`**
+:   Name of the cluster.
+
+type: keyword
+
+
+**`orchestrator.cluster.url`**
+:   URL of the API used to manage the cluster.
+
+type: keyword
+
+
+**`orchestrator.cluster.version`**
+:   The version of the cluster.
+
+type: keyword
+
+
+**`orchestrator.namespace`**
+:   Namespace in which the action is taking place.
+
+type: keyword
+
+example: kube-system
+
+
+**`orchestrator.organization`**
+:   Organization affected by the event (for multi-tenant orchestrator setups).
+
+type: keyword
+
+example: elastic
+
+
+**`orchestrator.resource.name`**
+:   Name of the resource being acted upon.
+
+type: keyword
+
+example: test-pod-cdcws
+
+
+**`orchestrator.resource.type`**
+:   Type of resource being acted upon.
+
+type: keyword
+
+example: service
+
+
+**`orchestrator.type`**
+:   Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
+
+type: keyword
+
+example: kubernetes
+
+
+
+## organization [_organization]
+
+The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.
+
+**`organization.id`**
+:   Unique identifier for the organization.
+
+type: keyword
+
+
+**`organization.name`**
+:   Organization name.
+
+type: keyword
+
+
+**`organization.name.text`**
+:   type: match_only_text
+
+
+
+## os [_os]
+
+The OS fields contain information about the operating system.
+
+**`os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`os.full.text`**
+:   type: match_only_text
+
+
+**`os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`os.name.text`**
+:   type: match_only_text
+
+
+**`os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+
+## package [_package]
+
+These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
+
+**`package.architecture`**
+:   Package architecture.
+
+type: keyword
+
+example: x86_64
+
+
+**`package.build_version`**
+:   Additional information about the build version of the installed package. For example use the commit SHA of a non-released package.
+
+type: keyword
+
+example: 36f4f7e89dd61b0988b12ee000b98966867710cd
+
+
+**`package.checksum`**
+:   Checksum of the installed package for verification.
+
+type: keyword
+
+example: 68b329da9893e34099c7d8ad5cb9c940
+
+
+**`package.description`**
+:   Description of the package.
+
+type: keyword
+
+example: Open source programming language to build simple/reliable/efficient software.
+
+
+**`package.install_scope`**
+:   Indicating how the package was installed, e.g. user-local, global.
+
+type: keyword
+
+example: global
+
+
+**`package.installed`**
+:   Time when package was installed.
+
+type: date
+
+
+**`package.license`**
+:   License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible ([https://spdx.org/licenses/](https://spdx.org/licenses/)).
+
+type: keyword
+
+example: Apache License 2.0
+
+
+**`package.name`**
+:   Package name
+
+type: keyword
+
+example: go
+
+
+**`package.path`**
+:   Path where the package is installed.
+
+type: keyword
+
+example: /usr/local/Cellar/go/1.12.9/
+
+
+**`package.reference`**
+:   Home page or reference URL of the software in this package, if available.
+
+type: keyword
+
+example: [https://golang.org](https://golang.org)
+
+
+**`package.size`**
+:   Package size in bytes.
+
+type: long
+
+example: 62231
+
+format: string
+
+
+**`package.type`**
+:   Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.
+
+type: keyword
+
+example: rpm
+
+
+**`package.version`**
+:   Package version
+
+type: keyword
+
+example: 1.12.9
+
+
+
+## pe [_pe]
+
+These fields contain Windows Portable Executable (PE) metadata.
+
+**`pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+
+## process [_process]
+
+These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message.  The `process.pid` often stays in the metric itself and is copied to the global field for correlation.
+
+**`process.args`**
+:   Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
+
+type: keyword
+
+example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
+
+
+**`process.args_count`**
+:   Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
+
+type: long
+
+example: 4
+
+
+**`process.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`process.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`process.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`process.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`process.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`process.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`process.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`process.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`process.command_line`**
+:   Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
+
+type: wildcard
+
+example: /usr/bin/ssh -l user 10.0.0.16
+
+
+**`process.command_line.text`**
+:   type: match_only_text
+
+
+**`process.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`process.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`process.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`process.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`process.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`process.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`process.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`process.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`process.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`process.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`process.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`process.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`process.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`process.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`process.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`process.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`process.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`process.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`process.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`process.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`process.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`process.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`process.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`process.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`process.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`process.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`process.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`process.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`process.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`process.end`**
+:   The time the process ended.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.entity_id`**
+:   Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+
+type: keyword
+
+example: c2c455d9f99375d
+
+
+**`process.executable`**
+:   Absolute path to the process executable.
+
+type: keyword
+
+example: /usr/bin/ssh
+
+
+**`process.executable.text`**
+:   type: match_only_text
+
+
+**`process.exit_code`**
+:   The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
+
+type: long
+
+example: 137
+
+
+**`process.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`process.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`process.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`process.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`process.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`process.name`**
+:   Process name. Sometimes called program name or similar.
+
+type: keyword
+
+example: ssh
+
+
+**`process.name.text`**
+:   type: match_only_text
+
+
+**`process.parent.args`**
+:   Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
+
+type: keyword
+
+example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
+
+
+**`process.parent.args_count`**
+:   Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
+
+type: long
+
+example: 4
+
+
+**`process.parent.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`process.parent.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`process.parent.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`process.parent.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.parent.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`process.parent.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`process.parent.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`process.parent.command_line`**
+:   Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
+
+type: wildcard
+
+example: /usr/bin/ssh -l user 10.0.0.16
+
+
+**`process.parent.command_line.text`**
+:   type: match_only_text
+
+
+**`process.parent.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`process.parent.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`process.parent.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`process.parent.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`process.parent.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`process.parent.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`process.parent.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`process.parent.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`process.parent.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`process.parent.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`process.parent.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`process.parent.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`process.parent.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`process.parent.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`process.parent.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`process.parent.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`process.parent.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`process.parent.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`process.parent.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`process.parent.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`process.parent.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`process.parent.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`process.parent.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`process.parent.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`process.parent.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`process.parent.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`process.parent.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`process.parent.end`**
+:   The time the process ended.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.parent.entity_id`**
+:   Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+
+type: keyword
+
+example: c2c455d9f99375d
+
+
+**`process.parent.executable`**
+:   Absolute path to the process executable.
+
+type: keyword
+
+example: /usr/bin/ssh
+
+
+**`process.parent.executable.text`**
+:   type: match_only_text
+
+
+**`process.parent.exit_code`**
+:   The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
+
+type: long
+
+example: 137
+
+
+**`process.parent.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`process.parent.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`process.parent.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`process.parent.name`**
+:   Process name. Sometimes called program name or similar.
+
+type: keyword
+
+example: ssh
+
+
+**`process.parent.name.text`**
+:   type: match_only_text
+
+
+**`process.parent.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`process.parent.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.parent.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`process.parent.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`process.parent.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`process.parent.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`process.parent.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`process.parent.pgid`**
+:   Identifier of the group of processes the process belongs to.
+
+type: long
+
+format: string
+
+
+**`process.parent.pid`**
+:   Process id.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.parent.start`**
+:   The time the process started.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.parent.thread.id`**
+:   Thread ID.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.parent.thread.name`**
+:   Thread name.
+
+type: keyword
+
+example: thread-0
+
+
+**`process.parent.title`**
+:   Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+
+type: keyword
+
+
+**`process.parent.title.text`**
+:   type: match_only_text
+
+
+**`process.parent.uptime`**
+:   Seconds the process has been up.
+
+type: long
+
+example: 1325
+
+
+**`process.parent.working_directory`**
+:   The working directory of the process.
+
+type: keyword
+
+example: /home/alice
+
+
+**`process.parent.working_directory.text`**
+:   type: match_only_text
+
+
+**`process.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`process.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`process.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`process.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`process.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`process.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`process.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`process.pgid`**
+:   Identifier of the group of processes the process belongs to.
+
+type: long
+
+format: string
+
+
+**`process.pid`**
+:   Process id.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.start`**
+:   The time the process started.
+
+type: date
+
+example: 2016-05-23T08:05:34.853Z
+
+
+**`process.thread.id`**
+:   Thread ID.
+
+type: long
+
+example: 4242
+
+format: string
+
+
+**`process.thread.name`**
+:   Thread name.
+
+type: keyword
+
+example: thread-0
+
+
+**`process.title`**
+:   Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+
+type: keyword
+
+
+**`process.title.text`**
+:   type: match_only_text
+
+
+**`process.uptime`**
+:   Seconds the process has been up.
+
+type: long
+
+example: 1325
+
+
+**`process.working_directory`**
+:   The working directory of the process.
+
+type: keyword
+
+example: /home/alice
+
+
+**`process.working_directory.text`**
+:   type: match_only_text
+
+
+
+## registry [_registry]
+
+Fields related to Windows Registry operations.
+
+**`registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+
+## related [_related]
+
+This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.
+
+**`related.hash`**
+:   All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search).
+
+type: keyword
+
+
+**`related.hosts`**
+:   All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+
+type: keyword
+
+
+**`related.ip`**
+:   All of the IPs seen on your event.
+
+type: ip
+
+
+**`related.user`**
+:   All the user names or other user identifiers seen on the event.
+
+type: keyword
+
+
+
+## rule [_rule]
+
+Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.
+
+**`rule.author`**
+:   Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
+
+type: keyword
+
+example: ["Star-Lord"]
+
+
+**`rule.category`**
+:   A categorization value keyword used by the entity using the rule for detection of this event.
+
+type: keyword
+
+example: Attempted Information Leak
+
+
+**`rule.description`**
+:   The description of the rule generating the event.
+
+type: keyword
+
+example: Block requests to public DNS over HTTPS / TLS protocols
+
+
+**`rule.id`**
+:   A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+
+type: keyword
+
+example: 101
+
+
+**`rule.license`**
+:   Name of the license under which the rule used to generate this event is made available.
+
+type: keyword
+
+example: Apache 2.0
+
+
+**`rule.name`**
+:   The name of the rule or signature generating the event.
+
+type: keyword
+
+example: BLOCK_DNS_over_TLS
+
+
+**`rule.reference`**
+:   Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert.
+
+type: keyword
+
+example: [https://en.wikipedia.org/wiki/DNS_over_TLS](https://en.wikipedia.org/wiki/DNS_over_TLS)
+
+
+**`rule.ruleset`**
+:   Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
+
+type: keyword
+
+example: Standard_Protocol_Filters
+
+
+**`rule.uuid`**
+:   A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
+
+type: keyword
+
+example: 1100110011
+
+
+**`rule.version`**
+:   The version / revision of the rule being used for analysis.
+
+type: keyword
+
+example: 1.1
+
+
+
+## server [_server]
+
+A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
+
+**`server.address`**
+:   Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`server.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`server.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`server.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`server.bytes`**
+:   Bytes sent from the server to the client.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`server.domain`**
+:   The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`server.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`server.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`server.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`server.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`server.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`server.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`server.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`server.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`server.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`server.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`server.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`server.ip`**
+:   IP address of the server (IPv4 or IPv6).
+
+type: ip
+
+
+**`server.mac`**
+:   MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`server.nat.ip`**
+:   Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`server.nat.port`**
+:   Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`server.packets`**
+:   Packets sent from the server to the client.
+
+type: long
+
+example: 12
+
+
+**`server.port`**
+:   Port of the server.
+
+type: long
+
+format: string
+
+
+**`server.registered_domain`**
+:   The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`server.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`server.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`server.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`server.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`server.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`server.user.full_name.text`**
+:   type: match_only_text
+
+
+**`server.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`server.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`server.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`server.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`server.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`server.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`server.user.name.text`**
+:   type: match_only_text
+
+
+**`server.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## service [_service]
+
+The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.
+
+**`service.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.origin.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.origin.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.origin.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.origin.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.origin.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.origin.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.origin.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.origin.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.origin.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+**`service.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.target.address`**
+:   Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+
+type: keyword
+
+example: 172.26.0.2:5432
+
+
+**`service.target.environment`**
+:   Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
+
+type: keyword
+
+example: production
+
+
+**`service.target.ephemeral_id`**
+:   Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+
+**`service.target.id`**
+:   Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+
+**`service.target.name`**
+:   Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+
+**`service.target.node.name`**
+:   Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+
+**`service.target.state`**
+:   Current state of the service.
+
+type: keyword
+
+
+**`service.target.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.target.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+**`service.type`**
+:   The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+
+**`service.version`**
+:   Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+
+
+## source [_source]
+
+Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
+
+**`source.address`**
+:   Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+
+**`source.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`source.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`source.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`source.bytes`**
+:   Bytes sent from the source to the destination.
+
+type: long
+
+example: 184
+
+format: bytes
+
+
+**`source.domain`**
+:   The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+
+type: keyword
+
+example: foo.example.com
+
+
+**`source.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`source.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`source.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`source.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`source.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`source.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`source.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`source.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`source.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`source.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`source.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`source.ip`**
+:   IP address of the source (IPv4 or IPv6).
+
+type: ip
+
+
+**`source.mac`**
+:   MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+
+type: keyword
+
+example: 00-00-5E-00-53-23
+
+
+**`source.nat.ip`**
+:   Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+
+**`source.nat.port`**
+:   Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+
+**`source.packets`**
+:   Packets sent from the source to the destination.
+
+type: long
+
+example: 12
+
+
+**`source.port`**
+:   Port of the source.
+
+type: long
+
+format: string
+
+
+**`source.registered_domain`**
+:   The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`source.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`source.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`source.user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`source.user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`source.user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`source.user.full_name.text`**
+:   type: match_only_text
+
+
+**`source.user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`source.user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`source.user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`source.user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`source.user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`source.user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`source.user.name.text`**
+:   type: match_only_text
+
+
+**`source.user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## threat [_threat]
+
+Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
+
+**`threat.enrichments`**
+:   A list of associated indicators objects enriching the event, and the context of that association/enrichment.
+
+type: nested
+
+
+**`threat.enrichments.indicator`**
+:   Object containing associated indicators enriching the event.
+
+type: object
+
+
+**`threat.enrichments.indicator.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`threat.enrichments.indicator.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`threat.enrichments.indicator.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.confidence`**
+:   Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High
+
+type: keyword
+
+example: Medium
+
+
+**`threat.enrichments.indicator.description`**
+:   Describes the type of action conducted by the threat.
+
+type: keyword
+
+example: IP x.x.x.x was observed delivering the Angler EK.
+
+
+**`threat.enrichments.indicator.email.address`**
+:   Identifies a threat indicator as an email address (irrespective of direction).
+
+type: keyword
+
+example: `phish@example.com`
+
+
+**`threat.enrichments.indicator.file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`threat.enrichments.indicator.file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`threat.enrichments.indicator.file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`threat.enrichments.indicator.file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`threat.enrichments.indicator.file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.enrichments.indicator.file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`threat.enrichments.indicator.file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`threat.enrichments.indicator.file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`threat.enrichments.indicator.file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`threat.enrichments.indicator.file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`threat.enrichments.indicator.file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`threat.enrichments.indicator.file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`threat.enrichments.indicator.file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`threat.enrichments.indicator.file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`threat.enrichments.indicator.file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`threat.enrichments.indicator.file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`threat.enrichments.indicator.file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`threat.enrichments.indicator.file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`threat.enrichments.indicator.file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`threat.enrichments.indicator.file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`threat.enrichments.indicator.file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`threat.enrichments.indicator.file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`threat.enrichments.indicator.file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.enrichments.indicator.file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`threat.enrichments.indicator.file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.enrichments.indicator.file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`threat.enrichments.indicator.file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`threat.enrichments.indicator.file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`threat.enrichments.indicator.file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`threat.enrichments.indicator.file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`threat.enrichments.indicator.file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`threat.enrichments.indicator.file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`threat.enrichments.indicator.file.path.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`threat.enrichments.indicator.file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.enrichments.indicator.file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`threat.enrichments.indicator.file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`threat.enrichments.indicator.file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`threat.enrichments.indicator.file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`threat.enrichments.indicator.file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`threat.enrichments.indicator.file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`threat.enrichments.indicator.file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.target_path.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`threat.enrichments.indicator.file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.enrichments.indicator.file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.enrichments.indicator.file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.enrichments.indicator.file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.enrichments.indicator.file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.enrichments.indicator.file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.enrichments.indicator.file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.enrichments.indicator.file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.enrichments.indicator.file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.enrichments.indicator.file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.enrichments.indicator.file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.enrichments.indicator.file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.enrichments.indicator.file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.enrichments.indicator.file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.enrichments.indicator.file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.enrichments.indicator.file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.enrichments.indicator.file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.enrichments.indicator.file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.enrichments.indicator.first_seen`**
+:   The date and time when intelligence source first reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`threat.enrichments.indicator.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`threat.enrichments.indicator.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`threat.enrichments.indicator.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`threat.enrichments.indicator.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`threat.enrichments.indicator.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`threat.enrichments.indicator.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`threat.enrichments.indicator.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`threat.enrichments.indicator.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`threat.enrichments.indicator.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`threat.enrichments.indicator.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`threat.enrichments.indicator.ip`**
+:   Identifies a threat indicator as an IP address (irrespective of direction).
+
+type: ip
+
+example: 1.2.3.4
+
+
+**`threat.enrichments.indicator.last_seen`**
+:   The date and time when intelligence source last reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.marking.tlp`**
+:   Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED
+
+type: keyword
+
+example: White
+
+
+**`threat.enrichments.indicator.modified_at`**
+:   The date and time when intelligence source last modified information for this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.enrichments.indicator.port`**
+:   Identifies a threat indicator as a port number (irrespective of direction).
+
+type: long
+
+example: 443
+
+
+**`threat.enrichments.indicator.provider`**
+:   The name of the indicator’s provider.
+
+type: keyword
+
+example: lrz_urlhaus
+
+
+**`threat.enrichments.indicator.reference`**
+:   Reference URL linking to additional information about this indicator.
+
+type: keyword
+
+example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234)
+
+
+**`threat.enrichments.indicator.registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`threat.enrichments.indicator.registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`threat.enrichments.indicator.registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`threat.enrichments.indicator.registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`threat.enrichments.indicator.registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`threat.enrichments.indicator.registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`threat.enrichments.indicator.registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+**`threat.enrichments.indicator.scanner_stats`**
+:   Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+type: long
+
+example: 4
+
+
+**`threat.enrichments.indicator.sightings`**
+:   Number of times this indicator was observed conducting threat activity.
+
+type: long
+
+example: 20
+
+
+**`threat.enrichments.indicator.type`**
+:   Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate
+
+type: keyword
+
+example: ipv4-addr
+
+
+**`threat.enrichments.indicator.url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`threat.enrichments.indicator.url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.enrichments.indicator.url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`threat.enrichments.indicator.url.full.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`threat.enrichments.indicator.url.original.text`**
+:   type: match_only_text
+
+
+**`threat.enrichments.indicator.url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`threat.enrichments.indicator.url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`threat.enrichments.indicator.url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`threat.enrichments.indicator.url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`threat.enrichments.indicator.url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`threat.enrichments.indicator.url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`threat.enrichments.indicator.url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.enrichments.indicator.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.enrichments.indicator.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.enrichments.indicator.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.enrichments.indicator.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.enrichments.indicator.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.enrichments.indicator.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.enrichments.indicator.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.enrichments.indicator.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.enrichments.indicator.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.enrichments.indicator.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.enrichments.indicator.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.enrichments.indicator.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.enrichments.indicator.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.enrichments.indicator.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.enrichments.indicator.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.enrichments.indicator.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.enrichments.indicator.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.enrichments.indicator.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.enrichments.indicator.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.enrichments.indicator.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.enrichments.matched.atomic`**
+:   Identifies the atomic indicator value that matched a local environment endpoint or network event.
+
+type: keyword
+
+example: bad-domain.com
+
+
+**`threat.enrichments.matched.field`**
+:   Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
+
+type: keyword
+
+example: file.hash.sha256
+
+
+**`threat.enrichments.matched.id`**
+:   Identifies the _id of the indicator document enriching the event.
+
+type: keyword
+
+example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
+
+
+**`threat.enrichments.matched.index`**
+:   Identifies the _index of the indicator document enriching the event.
+
+type: keyword
+
+example: filebeat-8.0.0-2021.05.23-000011
+
+
+**`threat.enrichments.matched.type`**
+:   Identifies the type of match that caused the event to be enriched with the given indicator
+
+type: keyword
+
+example: indicator_match_rule
+
+
+**`threat.framework`**
+:   Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
+
+type: keyword
+
+example: MITRE ATT&CK
+
+
+**`threat.group.alias`**
+:   The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es).
+
+type: keyword
+
+example: [ "Magecart Group 6" ]
+
+
+**`threat.group.id`**
+:   The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id.
+
+type: keyword
+
+example: G0037
+
+
+**`threat.group.name`**
+:   The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name.
+
+type: keyword
+
+example: FIN6
+
+
+**`threat.group.reference`**
+:   The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL.
+
+type: keyword
+
+example: [https://attack.mitre.org/groups/G0037/](https://attack.mitre.org/groups/G0037/)
+
+
+**`threat.indicator.as.number`**
+:   Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+
+**`threat.indicator.as.organization.name`**
+:   Organization name.
+
+type: keyword
+
+example: Google LLC
+
+
+**`threat.indicator.as.organization.name.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.confidence`**
+:   Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High
+
+type: keyword
+
+example: Medium
+
+
+**`threat.indicator.description`**
+:   Describes the type of action conducted by the threat.
+
+type: keyword
+
+example: IP x.x.x.x was observed delivering the Angler EK.
+
+
+**`threat.indicator.email.address`**
+:   Identifies a threat indicator as an email address (irrespective of direction).
+
+type: keyword
+
+example: `phish@example.com`
+
+
+**`threat.indicator.file.accessed`**
+:   Last time the file was accessed. Note that not all filesystems keep track of access time.
+
+type: date
+
+
+**`threat.indicator.file.attributes`**
+:   Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+
+type: keyword
+
+example: ["readonly", "system"]
+
+
+**`threat.indicator.file.code_signature.digest_algorithm`**
+:   The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+example: sha256
+
+
+**`threat.indicator.file.code_signature.exists`**
+:   Boolean to capture if a signature is present.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.code_signature.signing_id`**
+:   The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: com.apple.xpc.proxy
+
+
+**`threat.indicator.file.code_signature.status`**
+:   Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+
+type: keyword
+
+example: ERROR_UNTRUSTED_ROOT
+
+
+**`threat.indicator.file.code_signature.subject_name`**
+:   Subject name of the code signer
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.indicator.file.code_signature.team_id`**
+:   The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+example: EQHXZ8M8AV
+
+
+**`threat.indicator.file.code_signature.timestamp`**
+:   Date and time when the code signature was generated and signed.
+
+type: date
+
+example: 2021-01-01T12:10:30Z
+
+
+**`threat.indicator.file.code_signature.trusted`**
+:   Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.code_signature.valid`**
+:   Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
+
+type: boolean
+
+example: true
+
+
+**`threat.indicator.file.created`**
+:   File creation time. Note that not all filesystems store the creation time.
+
+type: date
+
+
+**`threat.indicator.file.ctime`**
+:   Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+
+type: date
+
+
+**`threat.indicator.file.device`**
+:   Device that is the source of the file.
+
+type: keyword
+
+example: sda
+
+
+**`threat.indicator.file.directory`**
+:   Directory where the file is located. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice
+
+
+**`threat.indicator.file.drive_letter`**
+:   Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
+
+type: keyword
+
+example: C
+
+
+**`threat.indicator.file.elf.architecture`**
+:   Machine architecture of the ELF file.
+
+type: keyword
+
+example: x86-64
+
+
+**`threat.indicator.file.elf.byte_order`**
+:   Byte sequence of ELF file.
+
+type: keyword
+
+example: Little Endian
+
+
+**`threat.indicator.file.elf.cpu_type`**
+:   CPU type of the ELF file.
+
+type: keyword
+
+example: Intel
+
+
+**`threat.indicator.file.elf.creation_date`**
+:   Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+**`threat.indicator.file.elf.exports`**
+:   List of exported element names and types.
+
+type: flattened
+
+
+**`threat.indicator.file.elf.header.abi_version`**
+:   Version of the ELF Application Binary Interface (ABI).
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.class`**
+:   Header class of the ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.data`**
+:   Data table of the ELF header.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.entrypoint`**
+:   Header entrypoint of the ELF file.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.header.object_version`**
+:   "0x1" for original ELF files.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.os_abi`**
+:   Application Binary Interface (ABI) of the Linux OS.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.type`**
+:   Header type of the ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.header.version`**
+:   Version of the ELF header.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.imports`**
+:   List of imported element names and types.
+
+type: flattened
+
+
+**`threat.indicator.file.elf.sections`**
+:   An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
+
+type: nested
+
+
+**`threat.indicator.file.elf.sections.chi2`**
+:   Chi-square probability distribution of the section.
+
+type: long
+
+format: number
+
+
+**`threat.indicator.file.elf.sections.entropy`**
+:   Shannon entropy calculation from the section.
+
+type: long
+
+format: number
+
+
+**`threat.indicator.file.elf.sections.flags`**
+:   ELF Section List flags.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.name`**
+:   ELF Section List name.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.physical_offset`**
+:   ELF Section List offset.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.physical_size`**
+:   ELF Section List physical size.
+
+type: long
+
+format: bytes
+
+
+**`threat.indicator.file.elf.sections.type`**
+:   ELF Section List type.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.sections.virtual_address`**
+:   ELF Section List virtual address.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.sections.virtual_size`**
+:   ELF Section List virtual size.
+
+type: long
+
+format: string
+
+
+**`threat.indicator.file.elf.segments`**
+:   An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
+
+type: nested
+
+
+**`threat.indicator.file.elf.segments.sections`**
+:   ELF object segment sections.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.segments.type`**
+:   ELF object segment type.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.shared_libraries`**
+:   List of shared libraries used by this ELF object.
+
+type: keyword
+
+
+**`threat.indicator.file.elf.telfhash`**
+:   telfhash symbol hash for ELF file.
+
+type: keyword
+
+
+**`threat.indicator.file.extension`**
+:   File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.indicator.file.fork_name`**
+:   A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+example: Zone.Identifer
+
+
+**`threat.indicator.file.gid`**
+:   Primary group ID (GID) of the file.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.indicator.file.group`**
+:   Primary group name of the file.
+
+type: keyword
+
+example: alice
+
+
+**`threat.indicator.file.hash.md5`**
+:   MD5 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha1`**
+:   SHA1 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha256`**
+:   SHA256 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.sha512`**
+:   SHA512 hash.
+
+type: keyword
+
+
+**`threat.indicator.file.hash.ssdeep`**
+:   SSDEEP hash.
+
+type: keyword
+
+
+**`threat.indicator.file.inode`**
+:   Inode representing the file in the filesystem.
+
+type: keyword
+
+example: 256383
+
+
+**`threat.indicator.file.mime_type`**
+:   MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+
+type: keyword
+
+
+**`threat.indicator.file.mode`**
+:   Mode of the file in octal representation.
+
+type: keyword
+
+example: 0640
+
+
+**`threat.indicator.file.mtime`**
+:   Last time the file content was modified.
+
+type: date
+
+
+**`threat.indicator.file.name`**
+:   Name of the file including the extension, without the directory.
+
+type: keyword
+
+example: example.png
+
+
+**`threat.indicator.file.owner`**
+:   File owner’s username.
+
+type: keyword
+
+example: alice
+
+
+**`threat.indicator.file.path`**
+:   Full path to the file, including the file name. It should include the drive letter, when appropriate.
+
+type: keyword
+
+example: /home/alice/example.png
+
+
+**`threat.indicator.file.path.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.file.pe.architecture`**
+:   CPU architecture target for the file.
+
+type: keyword
+
+example: x64
+
+
+**`threat.indicator.file.pe.company`**
+:   Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft Corporation
+
+
+**`threat.indicator.file.pe.description`**
+:   Internal description of the file, provided at compile-time.
+
+type: keyword
+
+example: Paint
+
+
+**`threat.indicator.file.pe.file_version`**
+:   Internal version of the file, provided at compile-time.
+
+type: keyword
+
+example: 6.3.9600.17415
+
+
+**`threat.indicator.file.pe.imphash`**
+:   A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+
+type: keyword
+
+example: 0c6803c4e922103c4dca5963aad36ddf
+
+
+**`threat.indicator.file.pe.original_file_name`**
+:   Internal name of the file, provided at compile-time.
+
+type: keyword
+
+example: MSPAINT.EXE
+
+
+**`threat.indicator.file.pe.product`**
+:   Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+example: Microsoft® Windows® Operating System
+
+
+**`threat.indicator.file.size`**
+:   File size in bytes. Only relevant when `file.type` is "file".
+
+type: long
+
+example: 16384
+
+
+**`threat.indicator.file.target_path`**
+:   Target path for symlinks.
+
+type: keyword
+
+
+**`threat.indicator.file.target_path.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.file.type`**
+:   File type (file, dir, or symlink).
+
+type: keyword
+
+example: file
+
+
+**`threat.indicator.file.uid`**
+:   The user ID (UID) or security identifier (SID) of the file owner.
+
+type: keyword
+
+example: 1001
+
+
+**`threat.indicator.file.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.indicator.file.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.file.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.file.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.file.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.indicator.file.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.indicator.file.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.indicator.file.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.file.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.indicator.file.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.indicator.file.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.indicator.file.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.indicator.file.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.indicator.file.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.indicator.file.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.indicator.file.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.indicator.file.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.indicator.file.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.file.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.indicator.file.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.indicator.file.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.indicator.file.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.indicator.file.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.file.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.indicator.first_seen`**
+:   The date and time when intelligence source first reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.geo.city_name`**
+:   City name.
+
+type: keyword
+
+example: Montreal
+
+
+**`threat.indicator.geo.continent_code`**
+:   Two-letter code representing continent’s name.
+
+type: keyword
+
+example: NA
+
+
+**`threat.indicator.geo.continent_name`**
+:   Name of the continent.
+
+type: keyword
+
+example: North America
+
+
+**`threat.indicator.geo.country_iso_code`**
+:   Country ISO code.
+
+type: keyword
+
+example: CA
+
+
+**`threat.indicator.geo.country_name`**
+:   Country name.
+
+type: keyword
+
+example: Canada
+
+
+**`threat.indicator.geo.location`**
+:   Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+
+**`threat.indicator.geo.name`**
+:   User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+
+**`threat.indicator.geo.postal_code`**
+:   Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
+
+type: keyword
+
+example: 94040
+
+
+**`threat.indicator.geo.region_iso_code`**
+:   Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+
+**`threat.indicator.geo.region_name`**
+:   Region name.
+
+type: keyword
+
+example: Quebec
+
+
+**`threat.indicator.geo.timezone`**
+:   The time zone of the location, such as IANA time zone name.
+
+type: keyword
+
+example: America/Argentina/Buenos_Aires
+
+
+**`threat.indicator.ip`**
+:   Identifies a threat indicator as an IP address (irrespective of direction).
+
+type: ip
+
+example: 1.2.3.4
+
+
+**`threat.indicator.last_seen`**
+:   The date and time when intelligence source last reported sighting this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.marking.tlp`**
+:   Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED
+
+type: keyword
+
+example: WHITE
+
+
+**`threat.indicator.modified_at`**
+:   The date and time when intelligence source last modified information for this indicator.
+
+type: date
+
+example: 2020-11-05T17:25:47.000Z
+
+
+**`threat.indicator.port`**
+:   Identifies a threat indicator as a port number (irrespective of direction).
+
+type: long
+
+example: 443
+
+
+**`threat.indicator.provider`**
+:   The name of the indicator’s provider.
+
+type: keyword
+
+example: lrz_urlhaus
+
+
+**`threat.indicator.reference`**
+:   Reference URL linking to additional information about this indicator.
+
+type: keyword
+
+example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234)
+
+
+**`threat.indicator.registry.data.bytes`**
+:   Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+
+
+**`threat.indicator.registry.data.strings`**
+:   Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: wildcard
+
+example: ["C:\rta\red_ttp\bin\myapp.exe"]
+
+
+**`threat.indicator.registry.data.type`**
+:   Standard registry type for encoding contents
+
+type: keyword
+
+example: REG_SZ
+
+
+**`threat.indicator.registry.hive`**
+:   Abbreviated name for the hive.
+
+type: keyword
+
+example: HKLM
+
+
+**`threat.indicator.registry.key`**
+:   Hive-relative path of keys.
+
+type: keyword
+
+example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+
+**`threat.indicator.registry.path`**
+:   Full path, including hive, key and value
+
+type: keyword
+
+example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+
+**`threat.indicator.registry.value`**
+:   Name of the value written.
+
+type: keyword
+
+example: Debugger
+
+
+**`threat.indicator.scanner_stats`**
+:   Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+type: long
+
+example: 4
+
+
+**`threat.indicator.sightings`**
+:   Number of times this indicator was observed conducting threat activity.
+
+type: long
+
+example: 20
+
+
+**`threat.indicator.type`**
+:   Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate
+
+type: keyword
+
+example: ipv4-addr
+
+
+**`threat.indicator.url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`threat.indicator.url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`threat.indicator.url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`threat.indicator.url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`threat.indicator.url.full.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`threat.indicator.url.original.text`**
+:   type: match_only_text
+
+
+**`threat.indicator.url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`threat.indicator.url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`threat.indicator.url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`threat.indicator.url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`threat.indicator.url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`threat.indicator.url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`threat.indicator.url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`threat.indicator.url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`threat.indicator.url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+**`threat.indicator.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`threat.indicator.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`threat.indicator.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`threat.indicator.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`threat.indicator.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`threat.indicator.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`threat.indicator.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`threat.indicator.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`threat.indicator.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`threat.indicator.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`threat.indicator.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`threat.indicator.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`threat.indicator.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`threat.indicator.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`threat.indicator.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`threat.indicator.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`threat.indicator.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`threat.indicator.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`threat.indicator.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`threat.indicator.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`threat.indicator.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`threat.software.alias`**
+:   The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description.
+
+type: keyword
+
+example: [ "X-Agent" ]
+
+
+**`threat.software.id`**
+:   The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id.
+
+type: keyword
+
+example: S0552
+
+
+**`threat.software.name`**
+:   The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name.
+
+type: keyword
+
+example: AdFind
+
+
+**`threat.software.platforms`**
+:   The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows
+
+While not required, you can use a MITRE ATT&CK® software platforms.
+
+type: keyword
+
+example: [ "Windows" ]
+
+
+**`threat.software.reference`**
+:   The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL.
+
+type: keyword
+
+example: [https://attack.mitre.org/software/S0552/](https://attack.mitre.org/software/S0552/)
+
+
+**`threat.software.type`**
+:   The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool
+
+```
+While not required, you can use a MITRE ATT&CK® software type.
+```
+type: keyword
+
+example: Tool
+
+
+**`threat.tactic.id`**
+:   The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) )
+
+type: keyword
+
+example: TA0002
+
+
+**`threat.tactic.name`**
+:   Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/))
+
+type: keyword
+
+example: Execution
+
+
+**`threat.tactic.reference`**
+:   The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) )
+
+type: keyword
+
+example: [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)
+
+
+**`threat.technique.id`**
+:   The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: T1059
+
+
+**`threat.technique.name`**
+:   The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: Command and Scripting Interpreter
+
+
+**`threat.technique.name.text`**
+:   type: match_only_text
+
+
+**`threat.technique.reference`**
+:   The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/))
+
+type: keyword
+
+example: [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)
+
+
+**`threat.technique.subtechnique.id`**
+:   The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: T1059.001
+
+
+**`threat.technique.subtechnique.name`**
+:   The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: PowerShell
+
+
+**`threat.technique.subtechnique.name.text`**
+:   type: match_only_text
+
+
+**`threat.technique.subtechnique.reference`**
+:   The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/))
+
+type: keyword
+
+example: [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)
+
+
+
+## tls [_tls]
+
+Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.
+
+**`tls.cipher`**
+:   String indicating the cipher used during the current connection.
+
+type: keyword
+
+example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+
+
+**`tls.client.certificate`**
+:   PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII…​
+
+
+**`tls.client.certificate_chain`**
+:   Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ["MII…​", "MII…​"]
+
+
+**`tls.client.hash.md5`**
+:   Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+
+**`tls.client.hash.sha1`**
+:   Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+
+**`tls.client.hash.sha256`**
+:   Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+
+**`tls.client.issuer`**
+:   Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.client.ja3`**
+:   A hash that identifies clients based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: d4e5b18d6b55c71272893221c96ba240
+
+
+**`tls.client.not_after`**
+:   Date/Time indicating when client certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+
+**`tls.client.not_before`**
+:   Date/Time indicating when client certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+
+**`tls.client.server_name`**
+:   Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`tls.client.subject`**
+:   Distinguished name of subject of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=myclient, OU=Documentation Team, DC=example, DC=com
+
+
+**`tls.client.supported_ciphers`**
+:   Array of ciphers offered by the client during the client hello.
+
+type: keyword
+
+example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "…​"]
+
+
+**`tls.client.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`tls.client.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`tls.client.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`tls.client.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`tls.client.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`tls.client.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`tls.client.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`tls.client.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.client.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`tls.client.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`tls.client.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`tls.client.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`tls.client.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`tls.client.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`tls.client.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`tls.client.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`tls.client.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`tls.client.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`tls.client.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`tls.client.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`tls.client.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`tls.client.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`tls.client.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.client.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`tls.curve`**
+:   String indicating the curve used for the given cipher, when applicable.
+
+type: keyword
+
+example: secp256r1
+
+
+**`tls.established`**
+:   Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+
+type: boolean
+
+
+**`tls.next_protocol`**
+:   String indicating the protocol being tunneled. Per the values in the IANA registry ([https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids)), this string should be lower case.
+
+type: keyword
+
+example: http/1.1
+
+
+**`tls.resumed`**
+:   Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+
+type: boolean
+
+
+**`tls.server.certificate`**
+:   PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII…​
+
+
+**`tls.server.certificate_chain`**
+:   Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ["MII…​", "MII…​"]
+
+
+**`tls.server.hash.md5`**
+:   Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+
+**`tls.server.hash.sha1`**
+:   Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+
+**`tls.server.hash.sha256`**
+:   Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+
+**`tls.server.issuer`**
+:   Subject of the issuer of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.server.ja3s`**
+:   A hash that identifies servers based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: 394441ab65754e2207b1e1b457b3641d
+
+
+**`tls.server.not_after`**
+:   Timestamp indicating when server certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+
+**`tls.server.not_before`**
+:   Timestamp indicating when server certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+
+**`tls.server.subject`**
+:   Subject of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
+
+
+**`tls.server.x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`tls.server.x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`tls.server.x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`tls.server.x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`tls.server.x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`tls.server.x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`tls.server.x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`tls.server.x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.server.x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`tls.server.x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`tls.server.x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`tls.server.x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`tls.server.x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`tls.server.x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`tls.server.x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`tls.server.x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`tls.server.x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`tls.server.x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`tls.server.x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`tls.server.x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`tls.server.x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`tls.server.x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`tls.server.x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`tls.server.x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
+**`tls.version`**
+:   Numeric part of the version parsed from the original string.
+
+type: keyword
+
+example: 1.2
+
+
+**`tls.version_protocol`**
+:   Normalized lowercase protocol name parsed from original string.
+
+type: keyword
+
+example: tls
+
+
+**`span.id`**
+:   Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query.
+
+type: keyword
+
+example: 3ff9a8981b7ccd5a
+
+
+**`trace.id`**
+:   Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
+
+type: keyword
+
+example: 4bf92f3577b34da6a3ce929d0e0e4736
+
+
+**`transaction.id`**
+:   Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server.
+
+type: keyword
+
+example: 00f067aa0ba902b7
+
+
+
+## url [_url]
+
+URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.
+
+**`url.domain`**
+:   Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+
+**`url.extension`**
+:   The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+
+type: keyword
+
+example: png
+
+
+**`url.fragment`**
+:   Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
+
+type: keyword
+
+
+**`url.full`**
+:   If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+
+
+**`url.full.text`**
+:   type: match_only_text
+
+
+**`url.original`**
+:   Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
+
+type: wildcard
+
+example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+
+
+**`url.original.text`**
+:   type: match_only_text
+
+
+**`url.password`**
+:   Password of the request.
+
+type: keyword
+
+
+**`url.path`**
+:   Path of the request, such as "/search".
+
+type: wildcard
+
+
+**`url.port`**
+:   Port of the request, such as 443.
+
+type: long
+
+example: 443
+
+format: string
+
+
+**`url.query`**
+:   The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+
+type: keyword
+
+
+**`url.registered_domain`**
+:   The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+
+**`url.scheme`**
+:   Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
+
+type: keyword
+
+example: https
+
+
+**`url.subdomain`**
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: east
+
+
+**`url.top_level_domain`**
+:   The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+
+**`url.username`**
+:   Username of the request.
+
+type: keyword
+
+
+
+## user [_user]
+
+The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
+
+**`user.changes.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.changes.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.changes.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.changes.full_name.text`**
+:   type: match_only_text
+
+
+**`user.changes.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.changes.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.changes.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.changes.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.changes.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.changes.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.changes.name.text`**
+:   type: match_only_text
+
+
+**`user.changes.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.effective.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.effective.full_name.text`**
+:   type: match_only_text
+
+
+**`user.effective.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.effective.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.effective.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.effective.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.effective.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.effective.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.effective.name.text`**
+:   type: match_only_text
+
+
+**`user.effective.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.full_name.text`**
+:   type: match_only_text
+
+
+**`user.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.name.text`**
+:   type: match_only_text
+
+
+**`user.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+**`user.target.domain`**
+:   Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.target.email`**
+:   User email address.
+
+type: keyword
+
+
+**`user.target.full_name`**
+:   User’s full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+
+**`user.target.full_name.text`**
+:   type: match_only_text
+
+
+**`user.target.group.domain`**
+:   Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+
+**`user.target.group.id`**
+:   Unique identifier for the group on the system/platform.
+
+type: keyword
+
+
+**`user.target.group.name`**
+:   Name of the group.
+
+type: keyword
+
+
+**`user.target.hash`**
+:   Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+
+**`user.target.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+example: S-1-5-21-202424912787-2692429404-2351956786-1000
+
+
+**`user.target.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: a.einstein
+
+
+**`user.target.name.text`**
+:   type: match_only_text
+
+
+**`user.target.roles`**
+:   Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+
+
+## user_agent [_user_agent]
+
+The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
+
+**`user_agent.device.name`**
+:   Name of the device.
+
+type: keyword
+
+example: iPhone
+
+
+**`user_agent.name`**
+:   Name of the user agent.
+
+type: keyword
+
+example: Safari
+
+
+**`user_agent.original`**
+:   Unparsed user_agent string.
+
+type: keyword
+
+example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+
+
+**`user_agent.original.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.family`**
+:   OS family (such as redhat, debian, freebsd, windows).
+
+type: keyword
+
+example: debian
+
+
+**`user_agent.os.full`**
+:   Operating system name, including the version or code name.
+
+type: keyword
+
+example: Mac OS Mojave
+
+
+**`user_agent.os.full.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.kernel`**
+:   Operating system kernel version as a raw string.
+
+type: keyword
+
+example: 4.4.0-112-generic
+
+
+**`user_agent.os.name`**
+:   Operating system name, without the version.
+
+type: keyword
+
+example: Mac OS X
+
+
+**`user_agent.os.name.text`**
+:   type: match_only_text
+
+
+**`user_agent.os.platform`**
+:   Operating system platform (such centos, ubuntu, windows).
+
+type: keyword
+
+example: darwin
+
+
+**`user_agent.os.type`**
+:   Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+
+type: keyword
+
+example: macos
+
+
+**`user_agent.os.version`**
+:   Operating system version as a raw string.
+
+type: keyword
+
+example: 10.14.1
+
+
+**`user_agent.version`**
+:   Version of the user agent.
+
+type: keyword
+
+example: 12.0
+
+
+
+## vlan [_vlan]
+
+The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor  (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.
+
+**`vlan.id`**
+:   VLAN ID as reported by the observer.
+
+type: keyword
+
+example: 10
+
+
+**`vlan.name`**
+:   Optional VLAN name as reported by the observer.
+
+type: keyword
+
+example: outside
+
+
+
+## vulnerability [_vulnerability]
+
+The vulnerability fields describe information about a vulnerability that is relevant to an event.
+
+**`vulnerability.category`**
+:   The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example ([Qualys vulnerability categories](https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)) This field must be an array.
+
+type: keyword
+
+example: ["Firewall"]
+
+
+**`vulnerability.classification`**
+:   The classification of the vulnerability scoring system. For example ([https://www.first.org/cvss/](https://www.first.org/cvss/))
+
+type: keyword
+
+example: CVSS
+
+
+**`vulnerability.description`**
+:   The description of the vulnerability that provides additional context of the vulnerability. For example ([Common Vulnerabilities and Exposure CVE description](https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created))
+
+type: keyword
+
+example: In macOS before 2.12.6, there is a vulnerability in the RPC…​
+
+
+**`vulnerability.description.text`**
+:   type: match_only_text
+
+
+**`vulnerability.enumeration`**
+:   The type of identifier used for this vulnerability. For example ([https://cve.mitre.org/about/](https://cve.mitre.org/about/))
+
+type: keyword
+
+example: CVE
+
+
+**`vulnerability.id`**
+:   The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example ([Common Vulnerabilities and Exposure CVE ID](https://cve.mitre.org/about/faqs.html#what_is_cve_id))
+
+type: keyword
+
+example: CVE-2019-00001
+
+
+**`vulnerability.reference`**
+:   A resource that provides additional information, context, and mitigations for the identified vulnerability.
+
+type: keyword
+
+example: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111)
+
+
+**`vulnerability.report_id`**
+:   The report or scan identification number.
+
+type: keyword
+
+example: 20191018.0001
+
+
+**`vulnerability.scanner.vendor`**
+:   The name of the vulnerability scanner vendor.
+
+type: keyword
+
+example: Tenable
+
+
+**`vulnerability.score.base`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+example: 5.5
+
+
+**`vulnerability.score.environmental`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+example: 5.5
+
+
+**`vulnerability.score.temporal`**
+:   Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document))
+
+type: float
+
+
+**`vulnerability.score.version`**
+:   The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss))
+
+type: keyword
+
+example: 2.0
+
+
+**`vulnerability.severity`**
+:   The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss))
+
+type: keyword
+
+example: Critical
+
+
+
+## x509 [_x509]
+
+This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.
+
+**`x509.alternative_names`**
+:   List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+
+**`x509.issuer.common_name`**
+:   List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+
+**`x509.issuer.country`**
+:   List of country © codes
+
+type: keyword
+
+example: US
+
+
+**`x509.issuer.distinguished_name`**
+:   Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+
+**`x509.issuer.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+
+**`x509.issuer.organization`**
+:   List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+
+**`x509.issuer.organizational_unit`**
+:   List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+
+**`x509.issuer.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`x509.not_after`**
+:   Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+
+**`x509.not_before`**
+:   Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+
+**`x509.public_key_algorithm`**
+:   Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+
+**`x509.public_key_curve`**
+:   The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+
+**`x509.public_key_exponent`**
+:   Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+
+**`x509.public_key_size`**
+:   The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+
+**`x509.serial_number`**
+:   Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+
+**`x509.signature_algorithm`**
+:   Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+example: SHA256-RSA
+
+
+**`x509.subject.common_name`**
+:   List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+
+**`x509.subject.country`**
+:   List of country © code
+
+type: keyword
+
+example: US
+
+
+**`x509.subject.distinguished_name`**
+:   Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+
+**`x509.subject.locality`**
+:   List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+
+**`x509.subject.organization`**
+:   List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+
+**`x509.subject.organizational_unit`**
+:   List of organizational units (OU) of subject.
+
+type: keyword
+
+
+**`x509.subject.state_or_province`**
+:   List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+
+**`x509.version_number`**
+:   Version of x509 format.
+
+type: keyword
+
+example: 3
+
+
diff --git a/docs/reference/winlogbeat/exported-fields-eventlog.md b/docs/reference/winlogbeat/exported-fields-eventlog.md
new file mode 100644
index 000000000000..84ef78314216
--- /dev/null
+++ b/docs/reference/winlogbeat/exported-fields-eventlog.md
@@ -0,0 +1,117 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-eventlog.html
+---
+
+# Legacy Winlogbeat alias fields [exported-fields-eventlog]
+
+Field aliases based on Winlogbeat 6.x that point to the fields for this version of Winlogbeat. These are added to the index template when `migration.6_to_7.enable: true` is set in the configuration.
+
+**`activity_id`**
+:   type: alias
+
+alias to: winlog.activity_id
+
+
+**`computer_name`**
+:   type: alias
+
+alias to: winlog.computer_name
+
+
+**`event_id`**
+:   type: alias
+
+alias to: winlog.event_id
+
+
+**`keywords`**
+:   type: alias
+
+alias to: winlog.keywords
+
+
+**`log_name`**
+:   type: alias
+
+alias to: winlog.channel
+
+
+**`message_error`**
+:   type: alias
+
+alias to: error.message
+
+
+**`record_number`**
+:   type: alias
+
+alias to: winlog.record_id
+
+
+**`related_activity_id`**
+:   type: alias
+
+alias to: winlog.related_activity_id
+
+
+**`opcode`**
+:   type: alias
+
+alias to: winlog.opcode
+
+
+**`provider_guid`**
+:   type: alias
+
+alias to: winlog.provider_guid
+
+
+**`process_id`**
+:   type: alias
+
+alias to: winlog.process.pid
+
+
+**`source_name`**
+:   type: alias
+
+alias to: winlog.provider_name
+
+
+**`task`**
+:   type: alias
+
+alias to: winlog.task
+
+
+**`thread_id`**
+:   type: alias
+
+alias to: winlog.process.thread.id
+
+
+**`user.identifier`**
+:   type: alias
+
+alias to: winlog.user.identifier
+
+
+**`user.type`**
+:   type: alias
+
+alias to: winlog.user.type
+
+
+**`version`**
+:   type: alias
+
+alias to: winlog.version
+
+
+**`xml`**
+:   type: alias
+
+alias to: event.original
+
+
diff --git a/docs/reference/winlogbeat/exported-fields-host-processor.md b/docs/reference/winlogbeat/exported-fields-host-processor.md
new file mode 100644
index 000000000000..994fb9dd52d7
--- /dev/null
+++ b/docs/reference/winlogbeat/exported-fields-host-processor.md
@@ -0,0 +1,31 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-host-processor.html
+---
+
+# Host fields [exported-fields-host-processor]
+
+Info collected for the host machine.
+
+**`host.containerized`**
+:   If the host is a container.
+
+type: boolean
+
+
+**`host.os.build`**
+:   OS build information.
+
+type: keyword
+
+example: 18D109
+
+
+**`host.os.codename`**
+:   OS codename, if any.
+
+type: keyword
+
+example: stretch
+
+
diff --git a/docs/reference/winlogbeat/exported-fields-jolokia-autodiscover.md b/docs/reference/winlogbeat/exported-fields-jolokia-autodiscover.md
new file mode 100644
index 000000000000..0b6b6339983e
--- /dev/null
+++ b/docs/reference/winlogbeat/exported-fields-jolokia-autodiscover.md
@@ -0,0 +1,51 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-jolokia-autodiscover.html
+---
+
+# Jolokia Discovery autodiscover provider fields [exported-fields-jolokia-autodiscover]
+
+Metadata from Jolokia Discovery added by the jolokia provider.
+
+**`jolokia.agent.version`**
+:   Version number of jolokia agent.
+
+type: keyword
+
+
+**`jolokia.agent.id`**
+:   Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.
+
+type: keyword
+
+
+**`jolokia.server.product`**
+:   The container product if detected.
+
+type: keyword
+
+
+**`jolokia.server.version`**
+:   The container’s version (if detected).
+
+type: keyword
+
+
+**`jolokia.server.vendor`**
+:   The vendor of the container the agent is running in.
+
+type: keyword
+
+
+**`jolokia.url`**
+:   The URL how this agent can be contacted.
+
+type: keyword
+
+
+**`jolokia.secured`**
+:   Whether the agent was configured for authentication or not.
+
+type: boolean
+
+
diff --git a/docs/reference/winlogbeat/exported-fields-kubernetes-processor.md b/docs/reference/winlogbeat/exported-fields-kubernetes-processor.md
new file mode 100644
index 000000000000..3344e9e0238e
--- /dev/null
+++ b/docs/reference/winlogbeat/exported-fields-kubernetes-processor.md
@@ -0,0 +1,87 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-kubernetes-processor.html
+---
+
+# Kubernetes fields [exported-fields-kubernetes-processor]
+
+Kubernetes metadata added by the kubernetes processor
+
+**`kubernetes.pod.name`**
+:   Kubernetes pod name
+
+type: keyword
+
+
+**`kubernetes.pod.uid`**
+:   Kubernetes Pod UID
+
+type: keyword
+
+
+**`kubernetes.pod.ip`**
+:   Kubernetes Pod IP
+
+type: ip
+
+
+**`kubernetes.namespace`**
+:   Kubernetes namespace
+
+type: keyword
+
+
+**`kubernetes.node.name`**
+:   Kubernetes node name
+
+type: keyword
+
+
+**`kubernetes.node.hostname`**
+:   Kubernetes hostname as reported by the node’s kernel
+
+type: keyword
+
+
+**`kubernetes.labels.*`**
+:   Kubernetes labels map
+
+type: object
+
+
+**`kubernetes.annotations.*`**
+:   Kubernetes annotations map
+
+type: object
+
+
+**`kubernetes.selectors.*`**
+:   Kubernetes selectors map
+
+type: object
+
+
+**`kubernetes.replicaset.name`**
+:   Kubernetes replicaset name
+
+type: keyword
+
+
+**`kubernetes.deployment.name`**
+:   Kubernetes deployment name
+
+type: keyword
+
+
+**`kubernetes.statefulset.name`**
+:   Kubernetes statefulset name
+
+type: keyword
+
+
+**`kubernetes.container.name`**
+:   Kubernetes container name (different than the name from the runtime)
+
+type: keyword
+
+
diff --git a/docs/reference/winlogbeat/exported-fields-powershell.md b/docs/reference/winlogbeat/exported-fields-powershell.md
new file mode 100644
index 000000000000..436dec93c424
--- /dev/null
+++ b/docs/reference/winlogbeat/exported-fields-powershell.md
@@ -0,0 +1,224 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-powershell.html
+---
+
+# PowerShell module fields [exported-fields-powershell]
+
+These are the event fields specific to the module for the Microsoft-Windows-PowerShell/Operational and Windows PowerShell logs.
+
+**`powershell.id`**
+:   Shell Id.
+
+type: keyword
+
+example: Microsoft Powershell
+
+
+**`powershell.pipeline_id`**
+:   Pipeline id.
+
+type: keyword
+
+example: 1
+
+
+**`powershell.runspace_id`**
+:   Runspace id.
+
+type: keyword
+
+example: 4fa9074d-45ab-4e53-9195-e91981ac2bbb
+
+
+**`powershell.sequence`**
+:   Sequence number of the powershell execution.
+
+type: long
+
+example: 1
+
+
+**`powershell.total`**
+:   Total number of messages in the sequence.
+
+type: long
+
+example: 10
+
+
+
+## powershell.command [_powershell_command]
+
+Data related to the executed command.
+
+**`powershell.command.path`**
+:   Path of the executed command.
+
+type: keyword
+
+example: C:\Windows\system32\cmd.exe
+
+
+**`powershell.command.name`**
+:   Name of the executed command.
+
+type: keyword
+
+example: cmd.exe
+
+
+**`powershell.command.type`**
+:   Type of the executed command.
+
+type: keyword
+
+example: Application
+
+
+**`powershell.command.value`**
+:   The invoked command.
+
+type: text
+
+example: Import-LocalizedData  LocalizedData -filename ArchiveResources
+
+
+**`powershell.command.invocation_details`**
+:   An array of objects containing detailed information of the executed command.
+
+type: array
+
+
+**`powershell.command.invocation_details.type`**
+:   The type of detail.
+
+type: keyword
+
+example: CommandInvocation
+
+
+**`powershell.command.invocation_details.related_command`**
+:   The command to which the detail is related to.
+
+type: keyword
+
+example: Add-Type
+
+
+**`powershell.command.invocation_details.name`**
+:   Only used for ParameterBinding detail type. Indicates the parameter name.
+
+type: keyword
+
+example: AssemblyName
+
+
+**`powershell.command.invocation_details.value`**
+:   The value of the detail. The meaning of it will depend on the detail type.
+
+type: text
+
+example: System.IO.Compression.FileSystem
+
+
+
+## powershell.connected_user [_powershell_connected_user]
+
+Data related to the connected user executing the command.
+
+**`powershell.connected_user.domain`**
+:   User domain.
+
+type: keyword
+
+example: VAGRANT
+
+
+**`powershell.connected_user.name`**
+:   User name.
+
+type: keyword
+
+example: vagrant
+
+
+
+## powershell.engine [_powershell_engine]
+
+Data related to the PowerShell engine.
+
+**`powershell.engine.version`**
+:   Version of the PowerShell engine version used to execute the command.
+
+type: keyword
+
+example: 5.1.17763.1007
+
+
+**`powershell.engine.previous_state`**
+:   Previous state of the PowerShell engine.
+
+type: keyword
+
+example: Available
+
+
+**`powershell.engine.new_state`**
+:   New state of the PowerShell engine.
+
+type: keyword
+
+example: Stopped
+
+
+
+## powershell.file [_powershell_file]
+
+Data related to the executed script file.
+
+**`powershell.file.script_block_id`**
+:   Id of the executed script block.
+
+type: keyword
+
+example: 50d2dbda-7361-4926-a94d-d9eadfdb43fa
+
+
+**`powershell.file.script_block_text`**
+:   Text of the executed script block.
+
+type: text
+
+example: .\a_script.ps1
+
+
+**`powershell.process.executable_version`**
+:   Version of the engine hosting process executable.
+
+type: keyword
+
+example: 5.1.17763.1007
+
+
+
+## powershell.provider [_powershell_provider]
+
+Data related to the PowerShell engine host.
+
+**`powershell.provider.new_state`**
+:   New state of the PowerShell provider.
+
+type: keyword
+
+example: Active
+
+
+**`powershell.provider.name`**
+:   Provider name.
+
+type: keyword
+
+example: Variable
+
+
diff --git a/docs/reference/winlogbeat/exported-fields-process.md b/docs/reference/winlogbeat/exported-fields-process.md
new file mode 100644
index 000000000000..f34dcce0faaf
--- /dev/null
+++ b/docs/reference/winlogbeat/exported-fields-process.md
@@ -0,0 +1,38 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-process.html
+---
+
+# Process fields [exported-fields-process]
+
+Process metadata fields
+
+**`process.exe`**
+:   type: alias
+
+alias to: process.executable
+
+
+
+## owner [_owner]
+
+Process owner information.
+
+**`process.owner.id`**
+:   Unique identifier of the user.
+
+type: keyword
+
+
+**`process.owner.name`**
+:   Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+
+**`process.owner.name.text`**
+:   type: text
+
+
diff --git a/docs/reference/winlogbeat/exported-fields-security.md b/docs/reference/winlogbeat/exported-fields-security.md
new file mode 100644
index 000000000000..a2c737a33671
--- /dev/null
+++ b/docs/reference/winlogbeat/exported-fields-security.md
@@ -0,0 +1,46 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-security.html
+---
+
+# Security module fields [exported-fields-security]
+
+These are the event fields specific to the module for the Security log.
+
+
+## winlog.logon [_winlog_logon]
+
+Data related to a Windows logon.
+
+**`winlog.logon.type`**
+:   Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module.
+
+type: keyword
+
+example: RemoteInteractive
+
+
+**`winlog.logon.id`**
+:   Logon ID that can be used to associate this logon with other events related to the same logon session.
+
+type: keyword
+
+
+**`winlog.logon.failure.reason`**
+:   The reason the logon failed.
+
+type: keyword
+
+
+**`winlog.logon.failure.status`**
+:   The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field.
+
+type: keyword
+
+
+**`winlog.logon.failure.sub_status`**
+:   Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field.
+
+type: keyword
+
+
diff --git a/docs/reference/winlogbeat/exported-fields-sysmon.md b/docs/reference/winlogbeat/exported-fields-sysmon.md
new file mode 100644
index 000000000000..5b27996429c9
--- /dev/null
+++ b/docs/reference/winlogbeat/exported-fields-sysmon.md
@@ -0,0 +1,27 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-sysmon.html
+---
+
+# Sysmon module fields [exported-fields-sysmon]
+
+These are the event fields specific to the Sysmon module.
+
+**`sysmon.dns.status`**
+:   Windows status code returned for the DNS query.
+
+type: keyword
+
+
+**`sysmon.file.archived`**
+:   Indicates if the deleted file was archived.
+
+type: boolean
+
+
+**`sysmon.file.is_executable`**
+:   Indicates if the deleted file was an executable.
+
+type: boolean
+
+
diff --git a/docs/reference/winlogbeat/exported-fields-winlog.md b/docs/reference/winlogbeat/exported-fields-winlog.md
new file mode 100644
index 000000000000..00d8acb3ee27
--- /dev/null
+++ b/docs/reference/winlogbeat/exported-fields-winlog.md
@@ -0,0 +1,753 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-winlog.html
+---
+
+# Winlogbeat fields [exported-fields-winlog]
+
+Fields from the Windows Event Log.
+
+**`event.original`**
+:   The raw XML representation of the event obtained from Windows. This field is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer). This field is not included by default and must be enabled by setting `include_xml: true` as a configuration option for an individual event log. The XML representation of the event is useful for troubleshooting purposes. The data in the fields reported by Winlogbeat can be compared to the data in the XML to diagnose problems.
+
+
+
+## winlog [_winlog]
+
+All fields specific to the Windows Event Log are defined here.
+
+**`winlog.activity_id`**
+:   A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
+
+type: keyword
+
+required: False
+
+
+**`winlog.computer_name`**
+:   The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
+
+type: keyword
+
+required: True
+
+
+**`winlog.computerObject.domain`**
+:   The domain of the account that was added, modified or deleted in the event.
+
+type: keyword
+
+required: False
+
+
+**`winlog.computerObject.id`**
+:   A globally unique identifier that identifies the target device.
+
+type: keyword
+
+required: False
+
+
+**`winlog.computerObject.name`**
+:   The account name that was added, modified or deleted in the event.
+
+type: keyword
+
+required: False
+
+
+**`winlog.event_data`**
+:   The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
+
+type: object
+
+required: False
+
+
+
+## event_data [_event_data]
+
+This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
+
+**`winlog.event_data.AuthenticationPackageName`**
+:   type: keyword
+
+
+**`winlog.event_data.Binary`**
+:   type: keyword
+
+
+**`winlog.event_data.BitlockerUserInputTime`**
+:   type: keyword
+
+
+**`winlog.event_data.BootMode`**
+:   type: keyword
+
+
+**`winlog.event_data.BootType`**
+:   type: keyword
+
+
+**`winlog.event_data.BuildVersion`**
+:   type: keyword
+
+
+**`winlog.event_data.CallTrace`**
+:   type: keyword
+
+
+**`winlog.event_data.ClientInfo`**
+:   type: keyword
+
+
+**`winlog.event_data.Company`**
+:   type: keyword
+
+
+**`winlog.event_data.Configuration`**
+:   type: keyword
+
+
+**`winlog.event_data.CorruptionActionState`**
+:   type: keyword
+
+
+**`winlog.event_data.CreationUtcTime`**
+:   type: keyword
+
+
+**`winlog.event_data.Description`**
+:   type: keyword
+
+
+**`winlog.event_data.Detail`**
+:   type: keyword
+
+
+**`winlog.event_data.DeviceName`**
+:   type: keyword
+
+
+**`winlog.event_data.DeviceNameLength`**
+:   type: keyword
+
+
+**`winlog.event_data.DeviceTime`**
+:   type: keyword
+
+
+**`winlog.event_data.DeviceVersionMajor`**
+:   type: keyword
+
+
+**`winlog.event_data.DeviceVersionMinor`**
+:   type: keyword
+
+
+**`winlog.event_data.DriveName`**
+:   type: keyword
+
+
+**`winlog.event_data.DriverName`**
+:   type: keyword
+
+
+**`winlog.event_data.DriverNameLength`**
+:   type: keyword
+
+
+**`winlog.event_data.DwordVal`**
+:   type: keyword
+
+
+**`winlog.event_data.EntryCount`**
+:   type: keyword
+
+
+**`winlog.event_data.EventType`**
+:   type: keyword
+
+
+**`winlog.event_data.EventNamespace`**
+:   type: keyword
+
+
+**`winlog.event_data.ExtraInfo`**
+:   type: keyword
+
+
+**`winlog.event_data.FailureName`**
+:   type: keyword
+
+
+**`winlog.event_data.FailureNameLength`**
+:   type: keyword
+
+
+**`winlog.event_data.FileVersion`**
+:   type: keyword
+
+
+**`winlog.event_data.FinalStatus`**
+:   type: keyword
+
+
+**`winlog.event_data.GrantedAccess`**
+:   type: keyword
+
+
+**`winlog.event_data.Group`**
+:   type: keyword
+
+
+**`winlog.event_data.IdleImplementation`**
+:   type: keyword
+
+
+**`winlog.event_data.IdleStateCount`**
+:   type: keyword
+
+
+**`winlog.event_data.ImpersonationLevel`**
+:   type: keyword
+
+
+**`winlog.event_data.IntegrityLevel`**
+:   type: keyword
+
+
+**`winlog.event_data.IpAddress`**
+:   type: keyword
+
+
+**`winlog.event_data.IpPort`**
+:   type: keyword
+
+
+**`winlog.event_data.KeyLength`**
+:   type: keyword
+
+
+**`winlog.event_data.LastBootGood`**
+:   type: keyword
+
+
+**`winlog.event_data.LastShutdownGood`**
+:   type: keyword
+
+
+**`winlog.event_data.LmPackageName`**
+:   type: keyword
+
+
+**`winlog.event_data.LogonGuid`**
+:   type: keyword
+
+
+**`winlog.event_data.LogonId`**
+:   type: keyword
+
+
+**`winlog.event_data.LogonProcessName`**
+:   type: keyword
+
+
+**`winlog.event_data.LogonType`**
+:   type: keyword
+
+
+**`winlog.event_data.MajorVersion`**
+:   type: keyword
+
+
+**`winlog.event_data.MaximumPerformancePercent`**
+:   type: keyword
+
+
+**`winlog.event_data.MemberName`**
+:   type: keyword
+
+
+**`winlog.event_data.MemberSid`**
+:   type: keyword
+
+
+**`winlog.event_data.MinimumPerformancePercent`**
+:   type: keyword
+
+
+**`winlog.event_data.MinimumThrottlePercent`**
+:   type: keyword
+
+
+**`winlog.event_data.MinorVersion`**
+:   type: keyword
+
+
+**`winlog.event_data.Name`**
+:   type: keyword
+
+
+**`winlog.event_data.NewProcessId`**
+:   type: keyword
+
+
+**`winlog.event_data.NewProcessName`**
+:   type: keyword
+
+
+**`winlog.event_data.NewSchemeGuid`**
+:   type: keyword
+
+
+**`winlog.event_data.NewThreadId`**
+:   type: keyword
+
+
+**`winlog.event_data.NewTime`**
+:   type: keyword
+
+
+**`winlog.event_data.NominalFrequency`**
+:   type: keyword
+
+
+**`winlog.event_data.Number`**
+:   type: keyword
+
+
+**`winlog.event_data.OldSchemeGuid`**
+:   type: keyword
+
+
+**`winlog.event_data.OldTime`**
+:   type: keyword
+
+
+**`winlog.event_data.Operation`**
+:   type: keyword
+
+
+**`winlog.event_data.OriginalFileName`**
+:   type: keyword
+
+
+**`winlog.event_data.Path`**
+:   type: keyword
+
+
+**`winlog.event_data.PerformanceImplementation`**
+:   type: keyword
+
+
+**`winlog.event_data.PreviousCreationUtcTime`**
+:   type: keyword
+
+
+**`winlog.event_data.PreviousTime`**
+:   type: keyword
+
+
+**`winlog.event_data.PrivilegeList`**
+:   type: keyword
+
+
+**`winlog.event_data.ProcessId`**
+:   type: keyword
+
+
+**`winlog.event_data.ProcessName`**
+:   type: keyword
+
+
+**`winlog.event_data.ProcessPath`**
+:   type: keyword
+
+
+**`winlog.event_data.ProcessPid`**
+:   type: keyword
+
+
+**`winlog.event_data.Product`**
+:   type: keyword
+
+
+**`winlog.event_data.PuaCount`**
+:   type: keyword
+
+
+**`winlog.event_data.PuaPolicyId`**
+:   type: keyword
+
+
+**`winlog.event_data.QfeVersion`**
+:   type: keyword
+
+
+**`winlog.event_data.Query`**
+:   type: keyword
+
+
+**`winlog.event_data.Reason`**
+:   type: keyword
+
+
+**`winlog.event_data.SchemaVersion`**
+:   type: keyword
+
+
+**`winlog.event_data.ScriptBlockText`**
+:   type: keyword
+
+
+**`winlog.event_data.ServiceName`**
+:   type: keyword
+
+
+**`winlog.event_data.ServiceVersion`**
+:   type: keyword
+
+
+**`winlog.event_data.Session`**
+:   type: keyword
+
+
+**`winlog.event_data.ShutdownActionType`**
+:   type: keyword
+
+
+**`winlog.event_data.ShutdownEventCode`**
+:   type: keyword
+
+
+**`winlog.event_data.ShutdownReason`**
+:   type: keyword
+
+
+**`winlog.event_data.Signature`**
+:   type: keyword
+
+
+**`winlog.event_data.SignatureStatus`**
+:   type: keyword
+
+
+**`winlog.event_data.Signed`**
+:   type: keyword
+
+
+**`winlog.event_data.StartAddress`**
+:   type: keyword
+
+
+**`winlog.event_data.StartFunction`**
+:   type: keyword
+
+
+**`winlog.event_data.StartModule`**
+:   type: keyword
+
+
+**`winlog.event_data.StartTime`**
+:   type: keyword
+
+
+**`winlog.event_data.State`**
+:   type: keyword
+
+
+**`winlog.event_data.Status`**
+:   type: keyword
+
+
+**`winlog.event_data.StopTime`**
+:   type: keyword
+
+
+**`winlog.event_data.SubjectDomainName`**
+:   type: keyword
+
+
+**`winlog.event_data.SubjectLogonId`**
+:   type: keyword
+
+
+**`winlog.event_data.SubjectUserName`**
+:   type: keyword
+
+
+**`winlog.event_data.SubjectUserSid`**
+:   type: keyword
+
+
+**`winlog.event_data.TSId`**
+:   type: keyword
+
+
+**`winlog.event_data.TargetDomainName`**
+:   type: keyword
+
+
+**`winlog.event_data.TargetImage`**
+:   type: keyword
+
+
+**`winlog.event_data.TargetInfo`**
+:   type: keyword
+
+
+**`winlog.event_data.TargetLogonGuid`**
+:   type: keyword
+
+
+**`winlog.event_data.TargetLogonId`**
+:   type: keyword
+
+
+**`winlog.event_data.TargetProcessGUID`**
+:   type: keyword
+
+
+**`winlog.event_data.TargetProcessId`**
+:   type: keyword
+
+
+**`winlog.event_data.TargetServerName`**
+:   type: keyword
+
+
+**`winlog.event_data.TargetUserName`**
+:   type: keyword
+
+
+**`winlog.event_data.TargetUserSid`**
+:   type: keyword
+
+
+**`winlog.event_data.TerminalSessionId`**
+:   type: keyword
+
+
+**`winlog.event_data.TokenElevationType`**
+:   type: keyword
+
+
+**`winlog.event_data.TransmittedServices`**
+:   type: keyword
+
+
+**`winlog.event_data.Type`**
+:   type: keyword
+
+
+**`winlog.event_data.UserSid`**
+:   type: keyword
+
+
+**`winlog.event_data.Version`**
+:   type: keyword
+
+
+**`winlog.event_data.Workstation`**
+:   type: keyword
+
+
+**`winlog.event_data.param1`**
+:   type: keyword
+
+
+**`winlog.event_data.param2`**
+:   type: keyword
+
+
+**`winlog.event_data.param3`**
+:   type: keyword
+
+
+**`winlog.event_data.param4`**
+:   type: keyword
+
+
+**`winlog.event_data.param5`**
+:   type: keyword
+
+
+**`winlog.event_data.param6`**
+:   type: keyword
+
+
+**`winlog.event_data.param7`**
+:   type: keyword
+
+
+**`winlog.event_data.param8`**
+:   type: keyword
+
+
+**`winlog.event_id`**
+:   The event identifier. The value is specific to the source of the event.
+
+type: keyword
+
+required: True
+
+
+**`winlog.keywords`**
+:   The keywords are used to classify an event.
+
+type: keyword
+
+required: False
+
+
+**`winlog.channel`**
+:   The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
+
+type: keyword
+
+required: True
+
+
+**`winlog.record_id`**
+:   The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (232 for the Event Logging API and 264 for the Windows Event Log API), the next record number will be 0.
+
+type: keyword
+
+required: True
+
+
+**`winlog.related_activity_id`**
+:   A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.
+
+type: keyword
+
+required: False
+
+
+**`winlog.opcode`**
+:   The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
+
+type: keyword
+
+required: False
+
+
+**`winlog.provider_guid`**
+:   A globally unique identifier that identifies the provider that logged the event.
+
+type: keyword
+
+required: False
+
+
+**`winlog.process.pid`**
+:   The process_id of the Client Server Runtime Process.
+
+type: long
+
+required: False
+
+
+**`winlog.provider_name`**
+:   The source of the event log record (the application or service that logged the record).
+
+type: keyword
+
+required: True
+
+
+**`winlog.task`**
+:   The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
+
+type: keyword
+
+required: False
+
+
+**`winlog.time_created`**
+:   The event creation time.
+
+type: date
+
+required: False
+
+
+**`winlog.trustAttribute`**
+:   The decimal value of attributes for new trust created to a domain.
+
+type: keyword
+
+required: False
+
+
+**`winlog.trustDirection`**
+:   The direction of new trust created to a domain. Possible values are `TRUST_DIRECTION_DISABLED`, `TRUST_DIRECTION_INBOUND`, `TRUST_DIRECTION_OUTBOUND` and `TRUST_DIRECTION_BIDIRECTIONAL`
+
+type: keyword
+
+required: False
+
+
+**`winlog.trustType`**
+:   The account name that was added, modified or deleted in the event. Possible values are `TRUST_TYPE_DOWNLEVEL`, `TRUST_TYPE_UPLEVEL`, `TRUST_TYPE_MIT` and `TRUST_TYPE_DCE`
+
+type: keyword
+
+required: False
+
+
+**`winlog.process.thread.id`**
+:   type: long
+
+required: False
+
+
+**`winlog.user_data`**
+:   The event specific data. This field is mutually exclusive with `event_data`.
+
+type: object
+
+required: False
+
+
+**`winlog.user.identifier`**
+:   The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
+
+type: keyword
+
+example: S-1-5-21-3541430928-2051711210-1391384369-1001
+
+required: False
+
+
+**`winlog.user.name`**
+:   Name of the user associated with this event.
+
+type: keyword
+
+
+**`winlog.user.domain`**
+:   The domain that the account associated with this event is a member of.
+
+type: keyword
+
+required: False
+
+
+**`winlog.user.type`**
+:   The type of account associated with this event.
+
+type: keyword
+
+required: False
+
+
+**`winlog.version`**
+:   The version number of the event’s definition.
+
+type: long
+
+required: False
+
+
diff --git a/docs/reference/winlogbeat/exported-fields.md b/docs/reference/winlogbeat/exported-fields.md
new file mode 100644
index 000000000000..384a7c6fe21b
--- /dev/null
+++ b/docs/reference/winlogbeat/exported-fields.md
@@ -0,0 +1,23 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields.html
+---
+
+# Exported fields [exported-fields]
+
+This document describes the fields that are exported by Winlogbeat. They are grouped in the following categories:
+
+* [*Beat fields*](/reference/winlogbeat/exported-fields-beat-common.md)
+* [*Cloud provider metadata fields*](/reference/winlogbeat/exported-fields-cloud.md)
+* [*Docker fields*](/reference/winlogbeat/exported-fields-docker-processor.md)
+* [*ECS fields*](/reference/winlogbeat/exported-fields-ecs.md)
+* [*Legacy Winlogbeat alias fields*](/reference/winlogbeat/exported-fields-eventlog.md)
+* [*Host fields*](/reference/winlogbeat/exported-fields-host-processor.md)
+* [*Jolokia Discovery autodiscover provider fields*](/reference/winlogbeat/exported-fields-jolokia-autodiscover.md)
+* [*Kubernetes fields*](/reference/winlogbeat/exported-fields-kubernetes-processor.md)
+* [*PowerShell module fields*](/reference/winlogbeat/exported-fields-powershell.md)
+* [*Process fields*](/reference/winlogbeat/exported-fields-process.md)
+* [*Security module fields*](/reference/winlogbeat/exported-fields-security.md)
+* [*Sysmon module fields*](/reference/winlogbeat/exported-fields-sysmon.md)
+* [*Winlogbeat fields*](/reference/winlogbeat/exported-fields-winlog.md)
+
diff --git a/docs/reference/winlogbeat/extract-array.md b/docs/reference/winlogbeat/extract-array.md
new file mode 100644
index 000000000000..408319c74709
--- /dev/null
+++ b/docs/reference/winlogbeat/extract-array.md
@@ -0,0 +1,46 @@
+---
+navigation_title: "extract_array"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/extract-array.html
+---
+
+# Extract array [extract-array]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+The `extract_array` processor populates fields with values read from an array field. The following example will populate `source.ip` with the first element of the `my_array` field, `destination.ip` with the second element, and `network.transport` with the third.
+
+```yaml
+processors:
+  - extract_array:
+      field: my_array
+      mappings:
+        source.ip: 0
+        destination.ip: 1
+        network.transport: 2
+```
+
+The following settings are supported:
+
+`field`
+:   The array field whose elements are to be extracted.
+
+`mappings`
+:   Maps each field name to an array index. Use 0 for the first element in the array. Multiple fields can be mapped to the same array element.
+
+`ignore_missing`
+:   (Optional) Whether to ignore events where the array field is missing. The default is `false`, which will fail processing of an event if the specified field does not exist. Set it to `true` to ignore this condition.
+
+`overwrite_keys`
+:   Whether the target fields specified in the mapping are overwritten if they already exist. The default is `false`, which will fail processing if a target field already exists.
+
+`fail_on_error`
+:   (Optional) If set to `true` and an error happens, changes to the event are reverted, and the original event is returned. If set to `false`, processing continues despite errors. Default is `true`.
+
+`omit_empty`
+:   (Optional) Whether empty values are extracted from the array. If set to `true`, instead of the target field being set to an empty value, it is left unset. The empty string (`""`), an empty array (`[]`) or an empty object (`{}`) are considered empty values. Default is `false`.
+
diff --git a/docs/reference/winlogbeat/faq.md b/docs/reference/winlogbeat/faq.md
new file mode 100644
index 000000000000..5985754f33c5
--- /dev/null
+++ b/docs/reference/winlogbeat/faq.md
@@ -0,0 +1,22 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/faq.html
+---
+
+# Common problems [faq]
+
+This section describes common problems you might encounter with Winlogbeat. Also check out the [Winlogbeat discussion forum](https://discuss.elastic.co/c/beats/winlogbeat).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/winlogbeat/feature-roles.md b/docs/reference/winlogbeat/feature-roles.md
new file mode 100644
index 000000000000..56446ec91641
--- /dev/null
+++ b/docs/reference/winlogbeat/feature-roles.md
@@ -0,0 +1,25 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/feature-roles.html
+---
+
+# Grant users access to secured resources [feature-roles]
+
+You can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.
+
+Typically you need the create the following separate roles:
+
+* [setup role](/reference/winlogbeat/privileges-to-setup-beats.md) for setting up index templates and other dependencies
+* [monitoring role](/reference/winlogbeat/privileges-to-publish-monitoring.md) for sending monitoring information
+* [writer role](/reference/winlogbeat/privileges-to-publish-events.md)  for publishing events collected by Winlogbeat
+* [reader role](/reference/winlogbeat/kibana-user-privileges.md) for {{kib}} users who need to view and create visualizations that access Winlogbeat data
+
+{{es-security-features}} provides [built-in roles](elasticsearch://reference/elasticsearch/roles.md) that grant a subset of the privileges needed by Winlogbeat users. When possible, use the built-in roles to minimize the affect of future changes on your security strategy.
+
+Instead of using usernames and passwords, roles and privileges can be assigned to API keys to grant access to Elasticsearch resources. See [*Grant access using API keys*](/reference/winlogbeat/beats-api-keys.md) for more information.
+
+
+
+
+
+
diff --git a/docs/reference/winlogbeat/file-output.md b/docs/reference/winlogbeat/file-output.md
new file mode 100644
index 000000000000..38daa0c25d95
--- /dev/null
+++ b/docs/reference/winlogbeat/file-output.md
@@ -0,0 +1,89 @@
+---
+navigation_title: "File"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/file-output.html
+---
+
+# Configure the File output [file-output]
+
+
+The File output dumps the transactions into a file where each transaction is in a JSON format. Currently, this output is used for testing, but it can be used as input for Logstash.
+
+To use this output, edit the Winlogbeat configuration file to disable the {{es}} output by commenting it out, and enable the file output by adding `output.file`.
+
+Example configuration:
+
+```yaml
+output.file:
+  path: "/tmp/winlogbeat"
+  filename: winlogbeat
+  #rotate_every_kb: 10000
+  #number_of_files: 7
+  #permissions: 0600
+  #rotate_on_startup: true
+```
+
+## Configuration options [_configuration_options_7]
+
+You can specify the following `output.file` options in the `winlogbeat.yml` config file:
+
+### `enabled` [_enabled_5]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `path` [path]
+
+The path to the directory where the generated files will be saved. This option is mandatory.
+
+The path may include the timestamp when the file output is initialized using the `+FORMAT` syntax where `FORMAT` is a valid [time format](https://github.com/elastic/beats/blob/main/libbeat/common/dtfmt/doc.go), and enclosed with expansion braces: `%{+FORMAT}`. For example:
+
+```
+path: 'fileoutput-%{+yyyy.MM.dd}'
+```
+
+
+### `filename` [_filename]
+
+The name of the generated files. The default is set to the Beat name. For example, the files generated by default for Winlogbeat would be `"winlogbeat-{{datetime}}.ndjson"`, `"winlogbeat-{{datetime}}-1.ndjson"`, `"winlogbeat-{{datetime}}-2.ndjson"`, and so on.
+
+
+### `rotate_every_kb` [_rotate_every_kb]
+
+The maximum size in kilobytes of each file. When this size is reached, the files are rotated. The default value is 10240 KB.
+
+
+### `number_of_files` [_number_of_files]
+
+The maximum number of files to save under [`path`](#path). When this number of files is reached, the oldest file is deleted, and the rest of the files are shifted from last to first. The number of files must be between 2 and 1024. The default is 7.
+
+
+### `permissions` [_permissions]
+
+Permissions to use for file creation. The default is 0600.
+
+
+### `rotate_on_startup` [_rotate_on_startup]
+
+If the output file already exists on startup, immediately rotate it and start writing to a new file instead of appending to the existing one. Defaults to true.
+
+
+### `codec` [_codec_3]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/winlogbeat/configuration-output-codec.md) for more information.
+
+
+### `queue` [_queue_5]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/winlogbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `winlogbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/winlogbeat/filtering-enhancing-data.md b/docs/reference/winlogbeat/filtering-enhancing-data.md
new file mode 100644
index 000000000000..308b1dc4a3c6
--- /dev/null
+++ b/docs/reference/winlogbeat/filtering-enhancing-data.md
@@ -0,0 +1,79 @@
+---
+navigation_title: "Processors"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/filtering-and-enhancing-data.html
+---
+
+# Filter and enhance data with processors [filtering-and-enhancing-data]
+
+
+You can [define processors](/reference/winlogbeat/defining-processors.md) in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:
+
+* reducing the number of exported fields
+* enhancing events with additional metadata
+* performing additional processing and decoding
+
+Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Winlogbeat configuration file.
+
+```yaml
+event -> processor 1 -> event1 -> processor 2 -> event2 ...
+```
+
+::::{important}
+It’s recommended to do all drop and renaming of existing fields as the last step in a processor configuration. This is because dropping or renaming fields can remove data necessary for the next processor in the chain, for example dropping the `source.ip` field would remove one of the fields necessary for the `community_id` processor to function. If it’s necessary to remove, rename or overwrite an existing event field, please make sure it’s done by a corresponding processor ([`drop_fields`](/reference/winlogbeat/drop-fields.md), [`rename`](/reference/winlogbeat/rename-fields.md) or [`add_fields`](/reference/winlogbeat/add-fields.md)) placed at the end of the processor list defined in the input configuration.
+::::
+
+
+For example, the following filter configuration drops a few fields that are rarely used (`provider_guid`, `process_id`, `thread_id`, and `version`) and one nested field, `event_data.ErrorSourceTable`:
+
+```yaml
+processors:
+  - drop_fields:
+      fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable]
+```
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/reference/winlogbeat/fingerprint.md b/docs/reference/winlogbeat/fingerprint.md
new file mode 100644
index 000000000000..f90d3d0f105f
--- /dev/null
+++ b/docs/reference/winlogbeat/fingerprint.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "fingerprint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/fingerprint.html
+---
+
+# Generate a fingerprint of an event [fingerprint]
+
+
+The `fingerprint` processor generates a fingerprint of an event based on a specified subset of its fields.
+
+The value that is hashed is constructed as a concatenation of the field name and field value separated by `|`. For example `|field1|value1|field2|value2|`.
+
+Nested fields are supported in the following format: `"field1.field2"` e.g: `["log.path.file", "foo"]`
+
+```yaml
+processors:
+  - fingerprint:
+      fields: ["field1", "field2", ...]
+```
+
+The following settings are supported:
+
+`fields`
+:   List of fields to use as the source for the fingerprint. The list will be alphabetically sorted by the processor.
+
+`ignore_missing`
+:   (Optional) Whether to ignore missing fields. Default is `false`.
+
+`target_field`
+:   (Optional) Field in which the generated fingerprint should be stored. Default is `fingerprint`.
+
+`method`
+:   (Optional) Algorithm to use for computing the fingerprint. Must be one of: `md5`, `sha1`, `sha256`, `sha384`, `sha512`, `xxhash`. Default is `sha256`.
+
+`encoding`
+:   (Optional) Encoding to use on the fingerprint value. Must be one of `hex`, `base32`, or `base64`. Default is `hex`.
+
diff --git a/docs/reference/winlogbeat/getting-help.md b/docs/reference/winlogbeat/getting-help.md
new file mode 100644
index 000000000000..959e4877d52b
--- /dev/null
+++ b/docs/reference/winlogbeat/getting-help.md
@@ -0,0 +1,16 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/getting-help.html
+---
+
+# Get Help [getting-help]
+
+Start by searching the [Winlogbeat discussion forum](https://discuss.elastic.co/c/beats/winlogbeat) for your issue. If you can’t find a resolution, open a new issue or add a comment to an existing one. Make sure you provide the following information, and we’ll help you troubleshoot the problem:
+
+* Winlogbeat version
+* Operating System
+* Configuration
+* Any supporting information, such as debugging output, that will help us diagnose your problem. See [*Debug*](/reference/winlogbeat/enable-winlogbeat-debugging.md) for more details.
+
+If you’re sure you found a bug, you can open a ticket on [GitHub](https://github.com/elastic/beats/issues?state=open). Note, however, that we close GitHub issues containing questions or requests for help if they don’t indicate the presence of a bug.
+
diff --git a/docs/reference/winlogbeat/howto-guides.md b/docs/reference/winlogbeat/howto-guides.md
new file mode 100644
index 000000000000..f28c42f69a8d
--- /dev/null
+++ b/docs/reference/winlogbeat/howto-guides.md
@@ -0,0 +1,18 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/howto-guides.html
+---
+
+# How to guides [howto-guides]
+
+Learn how to perform common Winlogbeat configuration tasks.
+
+* [*Enrich events with geoIP information*](/reference/winlogbeat/winlogbeat-geoip.md)
+* [*Load the {{es}} index template*](/reference/winlogbeat/winlogbeat-template.md)
+* [*Change the index name*](/reference/winlogbeat/change-index-name.md)
+* [*Load {{kib}} dashboards*](/reference/winlogbeat/load-kibana-dashboards.md)
+* [*Load ingest pipelines*](/reference/winlogbeat/load-ingest-pipelines.md)
+* [*Use environment variables in the configuration*](/reference/winlogbeat/using-environ-vars.md)
+* [*Parse data using an ingest pipeline*](/reference/winlogbeat/configuring-ingest-node.md)
+* [*Avoid YAML formatting problems*](/reference/winlogbeat/yaml-tips.md)
+
diff --git a/docs/reference/winlogbeat/http-endpoint.md b/docs/reference/winlogbeat/http-endpoint.md
new file mode 100644
index 000000000000..46b6069d808d
--- /dev/null
+++ b/docs/reference/winlogbeat/http-endpoint.md
@@ -0,0 +1,188 @@
+---
+navigation_title: "HTTP endpoint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/http-endpoint.html
+---
+
+# Configure an HTTP endpoint for metrics [http-endpoint]
+
+
+::::{warning}
+This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+::::
+
+
+Winlogbeat can expose internal metrics through an HTTP endpoint. These are useful to monitor the internal state of the Beat. For security reasons the endpoint is disabled by default, as you may want to avoid exposing this info.
+
+The HTTP endpoint has the following configuration settings:
+
+`http.enabled`
+:   (Optional) Enable the HTTP endpoint. Default is `false`.
+
+`http.host`
+:   (Optional) Bind to this hostname, IP address, unix socket (unix:///var/run/winlogbeat.sock) or Windows named pipe (npipe:///winlogbeat). It is recommended to use only localhost. Default is `localhost`
+
+`http.port`
+:   (Optional) Port on which the HTTP endpoint will bind. Default is `5066`.
+
+`http.named_pipe.user`
+:   (Optional) User to use to create the named pipe, only work on Windows, Default to the current user.
+
+`http.named_pipe.security_descriptor`
+:   (Optional) Windows Security descriptor string defined in the SDDL format. Default to read and write permission for the current user.
+
+`http.pprof.enabled`
+:   (Optional) Enable the `/debug/pprof/` endpoints when serving HTTP. It is recommended that this is only enabled on localhost as these endpoints may leak data. Default is `false`.
+
+`http.pprof.block_profile_rate`
+:   (Optional) `block_profile_rate` controls the fraction of goroutine blocking events that are reported in the blocking profile available from `/debug/pprof/block`. The profiler aims to sample an average of one blocking event per rate nanoseconds spent blocked. To include every blocking event in the profile, pass rate = 1. To turn off profiling entirely, pass rate ⇐ 0. Defaults to 0.
+
+`http.pprof.mem_profile_rate`
+:   (Optional) `mem_profile_rate` controls the fraction of memory allocations that are recorded and reported in the memory profile available from `/debug/pprof/heap`. The profiler aims to sample an average of one allocation per `mem_profile_rate` bytes allocated. To include every allocated block in the profile, set `mem_profile_rate` to 1. To turn off profiling entirely, set `mem_profile_rate` to 0. Defaults to 524288.
+
+`http.pprof.mutex_profile_rate`
+:   (Optional) `mutex_profile_rate` controls the fraction of mutex contention events that are reported in the mutex profile available from `/debug/pprof/mutex`. On average 1/rate events are reported. To turn off profiling entirely, pass rate 0. The default value is 0.
+
+This is the list of paths you can access. For pretty JSON output append `?pretty` to the URL.
+
+You can query a unix socket using the `cURL` command and the `--unix-socket` flag.
+
+```js
+curl -XGET --unix-socket '/var/run/{beatname_lc}.sock' 'http:/stats/?pretty'
+```
+
+
+## Info [_info]
+
+`/` provides basic info from the Winlogbeat. Example:
+
+```js
+curl -XGET 'localhost:5066/?pretty'
+```
+
+```js
+{
+  "beat": "winlogbeat",
+  "hostname": "example.lan",
+  "name": "example.lan",
+  "uuid": "34f6c6e1-45a8-4b12-9125-11b3e6e89866",
+  "version": "9.0.0-beta1"
+}
+```
+
+
+## Stats [_stats]
+
+`/stats` reports internal metrics. Example:
+
+```js
+curl -XGET 'localhost:5066/stats?pretty'
+```
+
+```js
+{
+  "beat": {
+    "cpu": {
+      "system": {
+        "ticks": 1710,
+        "time": {
+          "ms": 1712
+        }
+      },
+      "total": {
+        "ticks": 3420,
+        "time": {
+          "ms": 3424
+        },
+        "value": 3420
+      },
+      "user": {
+        "ticks": 1710,
+        "time": {
+          "ms": 1712
+        }
+      }
+    },
+    "info": {
+      "ephemeral_id": "ab4287c4-d907-4d9d-b074-d8c3cec4a577",
+      "uptime": {
+        "ms": 195547
+      }
+    },
+    "memstats": {
+      "gc_next": 17855152,
+      "memory_alloc": 9433384,
+      "memory_total": 492478864,
+      "rss": 50405376
+    },
+    "runtime": {
+      "goroutines": 22
+    }
+  },
+  "libbeat": {
+    "config": {
+      "module": {
+        "running": 0,
+        "starts": 0,
+        "stops": 0
+      },
+      "scans": 1,
+      "reloads": 1
+    },
+    "output": {
+      "events": {
+        "acked": 0,
+        "active": 0,
+        "batches": 0,
+        "dropped": 0,
+        "duplicates": 0,
+        "failed": 0,
+        "total": 0
+      },
+      "read": {
+        "bytes": 0,
+        "errors": 0
+      },
+      "type": "elasticsearch",
+      "write": {
+        "bytes": 0,
+        "errors": 0
+      }
+    },
+    "pipeline": {
+      "clients": 6,
+      "events": {
+        "active": 716,
+        "dropped": 0,
+        "failed": 0,
+        "filtered": 0,
+        "published": 716,
+        "retry": 278,
+        "total": 716
+      },
+      "queue": {
+        "acked": 0
+      }
+    }
+  },
+  "system": {
+    "cpu": {
+      "cores": 4
+    },
+    "load": {
+      "1": 2.22,
+      "15": 1.8,
+      "5": 1.74,
+      "norm": {
+        "1": 0.555,
+        "15": 0.45,
+        "5": 0.435
+      }
+    }
+  }
+}
+```
+
+The actual output may contain more metrics specific to Winlogbeat
+
+
diff --git a/docs/reference/winlogbeat/ilm.md b/docs/reference/winlogbeat/ilm.md
new file mode 100644
index 000000000000..fac0e75293bd
--- /dev/null
+++ b/docs/reference/winlogbeat/ilm.md
@@ -0,0 +1,58 @@
+---
+navigation_title: "Index lifecycle management (ILM)"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/ilm.html
+---
+
+# Configure index lifecycle management [ilm]
+
+
+Use the [index lifecycle management](docs-content://manage-data/lifecycle/index-lifecycle-management/tutorial-automate-rollover.md) (ILM) feature in {{es}} to manage your Winlogbeat their backing indices of your data streams as they age. Winlogbeat loads the default policy automatically and applies it to any data streams created by Winlogbeat.
+
+You can view and edit the policy in the **Index lifecycle policies** UI in {{kib}}. For more information about working with the UI, see [Index lifecyle policies](docs-content://manage-data/lifecycle/index-lifecycle-management.md).
+
+Example configuration:
+
+```yaml
+setup.ilm.enabled: true
+```
+
+::::{warning}
+If index lifecycle management is enabled (which is typically the default), `setup.template.name` and `setup.template.pattern` are ignored.
+::::
+
+
+
+## Configuration options [_configuration_options_11]
+
+You can specify the following settings in the `setup.ilm` section of the `winlogbeat.yml` config file:
+
+
+### `setup.ilm.enabled` [setup-ilm-option]
+
+Enables or disables index lifecycle management on any new indices created by Winlogbeat. Valid values are `true` and `false`.
+
+
+### `setup.ilm.policy_name` [setup-ilm-policy_name-option]
+
+The name to use for the lifecycle policy. The default is `winlogbeat`.
+
+
+### `setup.ilm.policy_file` [setup-ilm-policy_file-option]
+
+The path to a JSON file that contains a lifecycle policy configuration. Use this setting to load your own lifecycle policy.
+
+For more information about lifecycle policies, see [Set up index lifecycle management policy](docs-content://manage-data/lifecycle/index-lifecycle-management/configure-lifecycle-policy.md) in the *{{es}} Reference*.
+
+
+### `setup.ilm.check_exists` [setup-ilm-check_exists-option]
+
+When set to `false`, disables the check for an existing lifecycle policy. The default is `true`. You need to disable this check if the Winlogbeat user connecting to a secured cluster doesn’t have the `read_ilm` privilege.
+
+If you set this option to `false`, lifecycle policy will not be installed, even if `setup.ilm.overwrite` is set to `true`.
+
+
+### `setup.ilm.overwrite` [setup-ilm-overwrite-option]
+
+When set to `true`, the lifecycle policy is overwritten at startup. The default is `false`.
+
diff --git a/docs/reference/winlogbeat/images/coordinate-map.png b/docs/reference/winlogbeat/images/coordinate-map.png
new file mode 100644
index 000000000000..8ac69fe747cf
Binary files /dev/null and b/docs/reference/winlogbeat/images/coordinate-map.png differ
diff --git a/docs/reference/winlogbeat/images/kibana-powershell.jpg b/docs/reference/winlogbeat/images/kibana-powershell.jpg
new file mode 100644
index 000000000000..3b0f2e4d9e68
Binary files /dev/null and b/docs/reference/winlogbeat/images/kibana-powershell.jpg differ
diff --git a/docs/reference/winlogbeat/images/winlogbeat-dashboard.png b/docs/reference/winlogbeat/images/winlogbeat-dashboard.png
new file mode 100644
index 000000000000..714edcdf75d9
Binary files /dev/null and b/docs/reference/winlogbeat/images/winlogbeat-dashboard.png differ
diff --git a/docs/reference/winlogbeat/include-fields.md b/docs/reference/winlogbeat/include-fields.md
new file mode 100644
index 000000000000..fffd70dd43e3
--- /dev/null
+++ b/docs/reference/winlogbeat/include-fields.md
@@ -0,0 +1,28 @@
+---
+navigation_title: "include_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/include-fields.html
+---
+
+# Keep fields from events [include-fields]
+
+
+The `include_fields` processor specifies which fields to export if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always exported. The `@timestamp`, `@metadata` and `type` fields are always exported, even if they are not defined in the `include_fields` list.
+
+```yaml
+processors:
+  - include_fields:
+      when:
+        condition
+      fields: ["field1", "field2", ...]
+```
+
+See [Conditions](/reference/winlogbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+You can specify multiple `include_fields` processors under the `processors` section.
+
+::::{note}
+If you define an empty list of fields under `include_fields`, then only the required fields, `@timestamp` and `type`, are exported.
+::::
+
+
diff --git a/docs/reference/winlogbeat/kafka-output.md b/docs/reference/winlogbeat/kafka-output.md
new file mode 100644
index 000000000000..c94d454305a9
--- /dev/null
+++ b/docs/reference/winlogbeat/kafka-output.md
@@ -0,0 +1,327 @@
+---
+navigation_title: "Kafka"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/kafka-output.html
+---
+
+# Configure the Kafka output [kafka-output]
+
+
+The Kafka output sends events to Apache Kafka.
+
+To use this output, edit the Winlogbeat configuration file to disable the {{es}} output by commenting it out, and enable the Kafka output by uncommenting the Kafka section.
+
+::::{note}
+For Kafka version 0.10.0.0+ the message creation timestamp is set by beats and equals to the initial timestamp of the event. This affects the retention policy in Kafka: for example, if a beat event was created 2 weeks ago, the retention policy is set to 7 days and the message from beats arrives to Kafka today, it’s going to be immediately discarded since the timestamp value is before the last 7 days. It’s possible to change this behavior by setting timestamps on message arrival instead, so the message is not discarded but kept for 7 more days. To do that, please set `log.message.timestamp.type` to `LogAppendTime` (default `CreateTime`) in the Kafka configuration.
+::::
+
+
+Example configuration:
+
+```yaml
+output.kafka:
+  # initial brokers for reading cluster metadata
+  hosts: ["kafka1:9092", "kafka2:9092", "kafka3:9092"]
+
+  # message topic selection + partitioning
+  topic: '%{[fields.log_topic]}'
+  partition.round_robin:
+    reachable_only: false
+
+  required_acks: 1
+  compression: gzip
+  max_message_bytes: 1000000
+```
+
+::::{note}
+Events bigger than [`max_message_bytes`](#kafka-max_message_bytes) will be dropped. To avoid this problem, make sure Winlogbeat does not generate events bigger than [`max_message_bytes`](#kafka-max_message_bytes).
+::::
+
+
+## Compatibility [kafka-compatibility]
+
+This output can connect to Kafka version 0.8.2.0 and later. Older versions might work as well, but are not supported. When using Kafka 4.0 and newer, the version must be set to at least `"2.1.0"`
+
+
+## Configuration options [_configuration_options_5]
+
+You can specify the following options in the `kafka` section of the `winlogbeat.yml` config file:
+
+### `enabled` [_enabled_3]
+
+The `enabled` config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [_hosts]
+
+The list of Kafka broker addresses from where to fetch the cluster metadata. The cluster metadata contain the actual Kafka brokers events are published to.
+
+
+### `version` [_version]
+
+Kafka protocol version that Winlogbeat will request when connecting. Defaults to 2.1.0. When using Kafka 4.0 and newer, the version must be set to at least `"2.1.0"`
+
+Valid values are all kafka releases in between `0.8.2.0` and `2.6.0`.
+
+The protocol version controls the Kafka client features available to Winlogbeat; it does not prevent Winlogbeat from connecting to Kafka versions newer than the protocol version.
+
+See [Compatibility](#kafka-compatibility) for information on supported versions.
+
+
+### `username` [_username_2]
+
+The username for connecting to Kafka. If username is configured, the password must be configured as well.
+
+
+### `password` [_password_2]
+
+The password for connecting to Kafka.
+
+
+### `sasl.mechanism` [_sasl_mechanism]
+
+The SASL mechanism to use when connecting to Kafka. It can be one of:
+
+* `PLAIN` for SASL/PLAIN.
+* `SCRAM-SHA-256` for SCRAM-SHA-256.
+* `SCRAM-SHA-512` for SCRAM-SHA-512.
+
+If `sasl.mechanism` is not set, `PLAIN` is used if `username` and `password` are provided. Otherwise, SASL authentication is disabled.
+
+To use `GSSAPI` mechanism to authenticate with Kerberos, you must leave this field empty, and use the [`kerberos`](#kerberos-option-kafka) options.
+
+
+### `topic` [topic-option-kafka]
+
+The Kafka topic used for produced events.
+
+You can set the topic dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.log_topic`, to set the topic for each event:
+
+```yaml
+topic: '%{[fields.log_topic]}'
+```
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/winlogbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`topics`](#topics-option-kafka) setting for other ways to set the topic dynamically.
+
+
+### `topics` [topics-option-kafka]
+
+An array of topic selector rules. Each rule specifies the `topic` to use for events that match the rule. During publishing, Winlogbeat sets the `topic` for each event based on the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `topics` setting is missing or no rule matches, the [`topic`](#topic-option-kafka) field is used.
+
+Rule settings:
+
+**`topic`**
+:   The topic format string to use.  If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `topic` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/winlogbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+The following example sets the topic based on whether the message field contains the specified string:
+
+```yaml
+output.kafka:
+  hosts: ["localhost:9092"]
+  topic: "logs-%{[agent.version]}"
+  topics:
+    - topic: "critical-%{[agent.version]}"
+      when.contains:
+        message: "CRITICAL"
+    - topic: "error-%{[agent.version]}"
+      when.contains:
+        message: "ERR"
+```
+
+This configuration results in topics named `critical-9.0.0-beta1`, `error-9.0.0-beta1`, and `logs-9.0.0-beta1`.
+
+
+### `key` [_key]
+
+Optional formatted string specifying the Kafka event key. If configured, the event key can be extracted from the event using a format string.
+
+See the Kafka documentation for the implications of a particular choice of key; by default, the key is chosen by the Kafka cluster.
+
+
+### `partition` [_partition]
+
+Kafka output broker event partitioning strategy. Must be one of `random`, `round_robin`, or `hash`. By default the `hash` partitioner is used.
+
+**`random.group_events`**: Sets the number of events to be published to the same partition, before the partitioner selects a new partition by random. The default value is 1 meaning after each event a new partition is picked randomly.
+
+**`round_robin.group_events`**: Sets the number of events to be published to the same partition, before the partitioner selects the next partition. The default value is 1 meaning after each event the next partition will be selected.
+
+**`hash.hash`**: List of fields used to compute the partitioning hash value from. If no field is configured, the events `key` value will be used.
+
+**`hash.random`**: Randomly distribute events if no hash or key value can be computed.
+
+All partitioners will try to publish events to all partitions by default. If a partition’s leader becomes unreachable for the beat, the output might block. All partitioners support setting `reachable_only` to overwrite this behavior. If `reachable_only` is set to `true`, events will be published to available partitions only.
+
+::::{note}
+Publishing to a subset of available partitions potentially increases resource usage because events may become unevenly distributed.
+::::
+
+
+
+### `headers` [_headers_2]
+
+A header is a key-value pair, and multiple headers can be included with the same `key`. Only string values are supported. These headers will be included in each produced Kafka message.
+
+```yaml
+output.kafka:
+  hosts: ["localhost:9092"]
+  topic: "logs-%{[agent.version]}"
+  headers:
+    - key: "some-key"
+      value: "some value"
+    - key: "another-key"
+      value: "another value"
+```
+
+
+### `client_id` [_client_id]
+
+The configurable ClientID used for logging, debugging, and auditing purposes. The default is "beats".
+
+
+### `codec` [_codec]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/winlogbeat/configuration-output-codec.md) for more information.
+
+
+### `metadata` [_metadata]
+
+Kafka metadata update settings. The metadata do contain information about brokers, topics, partition, and active leaders to use for publishing.
+
+**`refresh_frequency`**
+:   Metadata refresh interval. Defaults to 10 minutes.
+
+**`full`**
+:   Strategy to use when fetching metadata, when this option is `true`, the client will maintain a full set of metadata for all the available topics, if the this option is set to `false` it will only refresh the metadata for the configured topics. The default is false.
+
+**`retry.max`**
+:   Total number of metadata update retries when cluster is in middle of leader election. The default is 3.
+
+**`retry.backoff`**
+:   Waiting time between retries during leader elections. Default is 250ms.
+
+
+### `max_retries` [_max_retries_3]
+
+Winlogbeat ignores the `max_retries` setting and retries indefinitely.
+
+
+### `backoff.init` [_backoff_init_2]
+
+The number of seconds to wait before trying to republish to Kafka after a network error. After waiting `backoff.init` seconds, Winlogbeat tries to republish. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful publish, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_2]
+
+The maximum number of seconds to wait before attempting to republish to Kafka after a network error. The default is 60s.
+
+
+### `bulk_max_size` [_bulk_max_size_2]
+
+The maximum number of events to bulk in a single Kafka request. The default is 2048.
+
+
+### `bulk_flush_frequency` [_bulk_flush_frequency]
+
+Duration to wait before sending bulk Kafka request. 0 is no delay. The default is 0.
+
+
+### `timeout` [_timeout_3]
+
+The number of seconds to wait for responses from the Kafka brokers before timing out. The default is 30 (seconds).
+
+
+### `broker_timeout` [_broker_timeout]
+
+The maximum duration a broker will wait for number of required ACKs. The default is 10s.
+
+
+### `channel_buffer_size` [_channel_buffer_size]
+
+Per Kafka broker number of messages buffered in output pipeline. The default is 256.
+
+
+### `keep_alive` [_keep_alive]
+
+The keep-alive period for an active network connection. If 0s, keep-alives are disabled. The default is 0 seconds.
+
+
+### `compression` [_compression]
+
+Sets the output compression codec. Must be one of `none`, `snappy`, `lz4`, `gzip` and `zstd`. The default is `gzip`.
+
+::::{admonition} Known issue with Azure Event Hub for Kafka
+:class: important
+
+When targeting Azure Event Hub for Kafka, set `compression` to `none` as the provided codecs are not supported.
+
+::::
+
+
+
+### `compression_level` [_compression_level_2]
+
+Sets the compression level used by gzip. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the cpu usage.
+
+The default value is 4.
+
+
+### `max_message_bytes` [kafka-max_message_bytes]
+
+The maximum permitted size of JSON-encoded messages. Bigger messages will be dropped. The default value is 1000000 (bytes). This value should be equal to or less than the broker’s `message.max.bytes`.
+
+
+### `required_acks` [_required_acks]
+
+The ACK reliability level required from broker. 0=no response, 1=wait for local commit, -1=wait for all replicas to commit. The default is 1.
+
+Note: If set to 0, no ACKs are returned by Kafka. Messages might be lost silently on error.
+
+
+### `ssl` [_ssl_3]
+
+Configuration options for SSL parameters like the root CA for Kafka connections. The Kafka host keystore should be created with the `-keyalg RSA` argument to ensure it uses a cipher supported by [Filebeat’s Kafka library](https://github.com/Shopify/sarama/wiki/Frequently-Asked-Questions#why-cant-sarama-connect-to-my-kafka-cluster-using-ssl). See [SSL](/reference/winlogbeat/configuration-ssl.md) for more information.
+
+
+### `kerberos` [kerberos-option-kafka]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+Configuration options for Kerberos authentication.
+
+See [Kerberos](/reference/winlogbeat/configuration-kerberos.md) for more information.
+
+
+### `queue` [_queue_3]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/winlogbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `winlogbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/winlogbeat/keystore.md b/docs/reference/winlogbeat/keystore.md
new file mode 100644
index 000000000000..2192660e515a
--- /dev/null
+++ b/docs/reference/winlogbeat/keystore.md
@@ -0,0 +1,87 @@
+---
+navigation_title: "Secrets keystore"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/keystore.html
+---
+
+# Secrets keystore for secure settings [keystore]
+
+
+When you configure Winlogbeat, you might need to specify sensitive settings, such as passwords. Rather than relying on file system permissions to protect these values, you can use the Winlogbeat keystore to obfuscate stored secret values for use in configuration settings.
+
+After adding a key and its secret value to the keystore, you can use the key in place of the secret value when you configure sensitive settings.
+
+The syntax for referencing keys is identical to the syntax for environment variables:
+
+`${KEY}`
+
+Where KEY is the name of the key.
+
+For example, imagine that the keystore contains a key called `ES_PWD` with the value `yourelasticsearchpassword`:
+
+* In the configuration file, use `output.elasticsearch.password: "${ES_PWD}"`
+* On the command line, use: `-E "output.elasticsearch.password=\${ES_PWD}"`
+
+When Winlogbeat unpacks the configuration, it resolves keys before resolving environment variables and other variables.
+
+Notice that the Winlogbeat keystore differs from the Elasticsearch keystore. Whereas the Elasticsearch keystore lets you store `elasticsearch.yml` values by name, the Winlogbeat keystore lets you specify arbitrary names that you can reference in the Winlogbeat configuration.
+
+To create and manage keys, use the `keystore` command. See the [command reference](/reference/winlogbeat/command-line-options.md#keystore-command) for the full command syntax, including optional flags.
+
+::::{note}
+The `keystore` command must be run by the same user who will run Winlogbeat.
+::::
+
+
+
+## Create a keystore [creating-keystore]
+
+To create a secrets keystore, use:
+
+```sh
+winlogbeat keystore create
+```
+
+Winlogbeat creates the keystore in the directory defined by the `path.data` configuration setting.
+
+
+## Add keys [add-keys-to-keystore]
+
+To store sensitive values, such as authentication credentials for Elasticsearch, use the `keystore add` command:
+
+```sh
+winlogbeat keystore add ES_PWD
+```
+
+When prompted, enter a value for the key.
+
+To overwrite an existing key’s value, use the `--force` flag:
+
+```sh
+winlogbeat keystore add ES_PWD --force
+```
+
+To pass the value through stdin, use the `--stdin` flag. You can also use `--force`:
+
+```sh
+cat /file/containing/setting/value | winlogbeat keystore add ES_PWD --stdin --force
+```
+
+
+## List keys [list-settings]
+
+To list the keys defined in the keystore, use:
+
+```sh
+winlogbeat keystore list
+```
+
+
+## Remove keys [remove-settings]
+
+To remove a key from the keystore, use:
+
+```sh
+winlogbeat keystore remove ES_PWD
+```
+
diff --git a/docs/reference/winlogbeat/kibana-user-privileges.md b/docs/reference/winlogbeat/kibana-user-privileges.md
new file mode 100644
index 000000000000..0b110e6b4bd8
--- /dev/null
+++ b/docs/reference/winlogbeat/kibana-user-privileges.md
@@ -0,0 +1,27 @@
+---
+navigation_title: "Create a _reader_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/kibana-user-privileges.html
+---
+
+# Grant privileges and roles needed to read Winlogbeat data from {{kib}} [kibana-user-privileges]
+
+
+{{kib}} users typically need to view dashboards and visualizations that contain Winlogbeat data. These users might also need to create and edit dashboards and visualizations.
+
+To grant users the required privileges:
+
+1. Create a **reader role**, called something like `winlogbeat_reader`, that has the following privilege:
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Index | `read` on `winlogbeat-*` indices | Read data indexed by Winlogbeat |
+    | Spaces | `Read` or `All` on Dashboards, Visualize, and Discover | Allow the user to view, edit, and create dashboards, as well as browse data. |
+
+2. Assign the **reader role**, along with the following built-in roles, to users who need to read Winlogbeat data:
+
+    | Role | Purpose |
+    | --- | --- |
+    | `monitoring_user` | Allow users to monitor the health of Winlogbeat itself. Only assign this role to users who manage Winlogbeat. |
+
+
diff --git a/docs/reference/winlogbeat/learn-more-security.md b/docs/reference/winlogbeat/learn-more-security.md
new file mode 100644
index 000000000000..a293b5cac374
--- /dev/null
+++ b/docs/reference/winlogbeat/learn-more-security.md
@@ -0,0 +1,12 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/learn-more-security.html
+---
+
+# Learn more about privileges, roles, and users [learn-more-security]
+
+Want to learn more about creating users and roles? See [Secure a cluster](docs-content://deploy-manage/security.md). Also see:
+
+* [Security privileges](elasticsearch://reference/elasticsearch/security-privileges.md) for a description of available privileges
+* [Built-in roles](elasticsearch://reference/elasticsearch/roles.md) for a description of roles that you can assign to users
+
diff --git a/docs/reference/winlogbeat/load-ingest-pipelines.md b/docs/reference/winlogbeat/load-ingest-pipelines.md
new file mode 100644
index 000000000000..982c116aec66
--- /dev/null
+++ b/docs/reference/winlogbeat/load-ingest-pipelines.md
@@ -0,0 +1,40 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/load-ingest-pipelines.html
+---
+
+# Load ingest pipelines [load-ingest-pipelines]
+
+Winlogbeat modules are implemented using {{es}} ingest node pipelines.  The events receive their transformations within {{es}}.  The ingest node pipelines must be loaded into {{es}}.  This can happen one of several ways.
+
+
+## On connection to {{es}} [winlogbeat-load-pipeline-auto]
+
+Winlogbeat will send ingest pipelines automatically to {{es}} if the {{es}} output is enabled.
+
+Make sure the user specified in `winlogbeat.yml` is [authorized to set up Winlogbeat](/reference/winlogbeat/privileges-to-setup-beats.md).
+
+If Winlogbeat is sending events to {{ls}} or another output you need to load the ingest pipelines with the `setup` command or manually.
+
+
+## setup command [winlogbeat-load-pipeline-setup]
+
+On a machine that has Winlogbeat installed and has {{es}} configured as the output, run the `setup` command with the `--pipelines` option specified.  For example, the following command loads the ingest pipelines:
+
+```sh
+PS > .\winlogbeat.exe setup --pipelines
+```
+
+Make sure the user specified in `winlogbeat.yml` is [authorized to set up Winlogbeat](/reference/winlogbeat/privileges-to-setup-beats.md).
+
+
+## Manually install pipelines [winlogbeat-load-pipeline-manual]
+
+On a machine that has Winlogbeat installed export the the pipelines to disk. This can be done with the `export` command with `pipelines` option specified.  For example, the following command exports the ingest pipelines:
+
+```sh
+PS> .\winlogbeat.exe export pipelines --es.version=7.16.0
+```
+
+Once the pipelines have been exported you can load them into {{es}} with the `_ingest/pipeline` REST API call.  The user making the REST API call will need to have the `ingest_admin` role assigned to them.
+
diff --git a/docs/reference/winlogbeat/load-kibana-dashboards.md b/docs/reference/winlogbeat/load-kibana-dashboards.md
new file mode 100644
index 000000000000..d7578b70b384
--- /dev/null
+++ b/docs/reference/winlogbeat/load-kibana-dashboards.md
@@ -0,0 +1,146 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/load-kibana-dashboards.html
+---
+
+# Load Kibana dashboards [load-kibana-dashboards]
+
+Winlogbeat comes packaged with example Kibana dashboards, visualizations, and searches for visualizing Winlogbeat data in Kibana. Before you can use the dashboards, you need to create the index pattern, `winlogbeat-*`, and load the dashboards into Kibana.
+
+To do this, you can either run the `setup` command (as described here) or [configure dashboard loading](/reference/winlogbeat/configuration-dashboards.md) in the `winlogbeat.yml` config file. This requires a Kibana endpoint configuration. If you didn’t already configure a Kibana endpoint, see [{{kib}} endpoint](/reference/winlogbeat/setup-kibana-endpoint.md).
+
+
+## Load dashboards [load-dashboards]
+
+Make sure Kibana is running before you perform this step. If you are accessing a secured Kibana instance, make sure you’ve configured credentials as described in the [Quick start: installation and configuration](/reference/winlogbeat/winlogbeat-installation-configuration.md).
+
+To load the recommended index template for writing to {{es}} and deploy the sample dashboards for visualizing the data in {{kib}}, use the command that works with your system.
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+winlogbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+winlogbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+./winlogbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} Linux
+```sh
+./winlogbeat setup --dashboards
+```
+::::::
+
+::::::{tab-item} Docker
+```sh
+docker run --rm --net="host" docker.elastic.co/beats/winlogbeat:9.0.0-beta1 setup --dashboards
+```
+::::::
+
+::::::{tab-item} Windows
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Winlogbeat, and run:
+
+```sh
+PS > .\winlogbeat.exe setup --dashboards
+```
+::::::
+
+:::::::
+For more options, such as loading customized dashboards, see [Importing Existing Beat Dashboards](http://www.elastic.co/guide/en/beats/devguide/master/import-dashboards.md). If you’ve configured the Logstash output, see [Load dashboards for Logstash output](#load-dashboards-logstash).
+
+
+## Load dashboards for Logstash output [load-dashboards-logstash]
+
+During dashboard loading, Winlogbeat connects to Elasticsearch to check version information. To load dashboards when the Logstash output is enabled, you need to temporarily disable the Logstash output and enable Elasticsearch. To connect to a secured Elasticsearch cluster, you also need to pass Elasticsearch credentials.
+
+::::{tip}
+The example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/winlogbeat/keystore.md).
+::::
+
+
+:::::::{tab-set}
+
+::::::{tab-item} DEB
+```sh
+winlogbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=winlogbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} RPM
+```sh
+winlogbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=winlogbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} MacOS
+```sh
+./winlogbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=winlogbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} Linux
+```sh
+./winlogbeat setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=winlogbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} Docker
+```sh
+docker run --rm --net="host" docker.elastic.co/beats/winlogbeat:9.0.0-beta1 setup -e \
+  -E output.logstash.enabled=false \
+  -E output.elasticsearch.hosts=['localhost:9200'] \
+  -E output.elasticsearch.username=winlogbeat_internal \
+  -E output.elasticsearch.password={pwd} \
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+::::::{tab-item} Windows
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Winlogbeat, and run:
+
+```sh
+PS > .\winlogbeat.exe setup -e `
+  -E output.logstash.enabled=false `
+  -E output.elasticsearch.hosts=['localhost:9200'] `
+  -E output.elasticsearch.username=winlogbeat_internal `
+  -E output.elasticsearch.password={pwd} `
+  -E setup.kibana.host=localhost:5601
+```
+::::::
+
+:::::::
diff --git a/docs/reference/winlogbeat/logstash-output.md b/docs/reference/winlogbeat/logstash-output.md
new file mode 100644
index 000000000000..3ec3c72f9a87
--- /dev/null
+++ b/docs/reference/winlogbeat/logstash-output.md
@@ -0,0 +1,241 @@
+---
+navigation_title: "Logstash"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/logstash-output.html
+---
+
+# Configure the Logstash output [logstash-output]
+
+
+The {{ls}} output sends events directly to {{ls}} by using the lumberjack protocol, which runs over TCP. {{ls}} allows for additional processing and routing of generated events.
+
+::::{admonition} Prerequisite
+:class: important
+
+To send events to {{ls}}, you also need to create a {{ls}} configuration pipeline that listens for incoming Beats connections and indexes the received events into {{es}}. For more information, see [Getting Started with {{ls}}](logstash://reference/getting-started-with-logstash.md). Also see the documentation for the [{{beats}} input](logstash://reference/plugins-inputs-beats.md) and [{{es}} output](logstash://reference/plugins-outputs-elasticsearch.md) plugins.
+::::
+
+
+If you want to use {{ls}} to perform additional processing on the data collected by Winlogbeat, you need to configure Winlogbeat to use {{ls}}.
+
+To do this, edit the Winlogbeat configuration file to disable the {{es}} output by commenting it out and enable the {{ls}} output by uncommenting the {{ls}} section:
+
+```yaml
+output.logstash:
+  hosts: ["127.0.0.1:5044"]
+```
+
+The `hosts` option specifies the {{ls}} server and the port (`5044`) where {{ls}} is configured to listen for incoming Beats connections.
+
+For this configuration, you must [load the index template into {{es}} manually](/reference/winlogbeat/winlogbeat-template.md#load-template-manually) because the options for auto loading the template are only available for the {{es}} output.
+
+## Accessing metadata fields [_accessing_metadata_fields]
+
+Every event sent to {{ls}} contains the following metadata fields that you can use in {{ls}} for indexing and filtering:
+
+```json
+{
+    ...
+    "@metadata": { <1>
+      "beat": "winlogbeat", <2>
+      "version": "9.0.0-beta1" <3>
+    }
+}
+```
+
+1. Winlogbeat uses the `@metadata` field to send metadata to {{ls}}. See the [{{ls}} documentation](logstash://reference/event-dependent-configuration.md#metadata) for more about the `@metadata` field.
+2. The default is winlogbeat. To change this value, set the [`index`](#logstash-index) option in the Winlogbeat config file.
+3. The current version of Winlogbeat.
+
+
+You can access this metadata from within the {{ls}} config file to set values dynamically based on the contents of the metadata.
+
+For example, the following {{ls}} configuration file tells {{ls}} to use the index reported by Winlogbeat for indexing events into {{es}}:
+
+```json
+input {
+  beats {
+    port => 5044
+  }
+}
+
+output {
+  elasticsearch {
+    hosts => ["http://localhost:9200"]
+    index => "%{[@metadata][beat]}-%{[@metadata][version]}" <1>
+    action => "create"
+  }
+}
+```
+
+1. `%{[@metadata][beat]}` sets the first part of the index name to the value of the `beat` metadata field and `%{[@metadata][version]}` sets the second part to the Beat’s version. For example: `winlogbeat-9.0.0-beta1`.
+
+
+Events indexed into {{es}} with the {{ls}} configuration shown here will be similar to events directly indexed by Winlogbeat into {{es}}.
+
+::::{note}
+If ILM is not being used, set `index` to `%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so {{ls}} creates an index per day, based on the `@timestamp` value of the events coming from Beats.
+::::
+
+
+
+## Compatibility [_compatibility_2]
+
+This output works with all compatible versions of {{ls}}. See the [Elastic Support Matrix](https://www.elastic.co/support/matrix#matrix_compatibility).
+
+
+## Configuration options [_configuration_options_4]
+
+You can specify the following options in the `logstash` section of the `winlogbeat.yml` config file:
+
+### `enabled` [_enabled_2]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [hosts]
+
+The list of known {{ls}} servers to connect to. If load balancing is disabled, but multiple hosts are configured, one host is selected randomly (there is no precedence). If one host becomes unreachable, another one is selected randomly.
+
+All entries in this list can contain a port number. The default port number 5044 will be used if no number is given.
+
+
+### `compression_level` [_compression_level]
+
+The gzip compression level. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression).
+
+Increasing the compression level will reduce the network usage but will increase the CPU usage.
+
+The default value is 3.
+
+
+### `escape_html` [_escape_html_2]
+
+Configure escaping of HTML in strings. Set to `true` to enable escaping.
+
+The default value is `false`.
+
+
+### `worker` or `workers` [_worker_or_workers]
+
+The number of workers per configured host publishing events to {{ls}}. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+
+### `loadbalance` [loadbalance]
+
+When `loadbalance: true` is set, Winlogbeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Winlogbeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Winlogbeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Winlogbeat can connect to at least one of its configured hosts. To rotate through the list of configured hosts over time, use this option in conjunction with the `ttl` setting to close the connection at the configured interval and choose a new target host.
+
+The default value is `false`.
+
+```yaml
+output.logstash:
+  hosts: ["localhost:5044", "localhost:5045"]
+  loadbalance: true
+  index: winlogbeat
+```
+
+
+### `ttl` [_ttl]
+
+Time to live for a connection to {{ls}} after which the connection will be re-established. Useful when {{ls}} hosts represent load balancers. Since the connections to {{ls}} hosts are sticky, operating behind load balancers can lead to uneven load distribution between the instances. Specifying a TTL on the connection allows to achieve equal connection distribution between the instances.  Specifying a TTL of 0 will disable this feature.
+
+The default value is 0. This setting accepts [duration](/reference/libbeat/config-file-format-type.md#_duration) data type values.
+
+::::{note}
+The "ttl" option is not yet supported on an async {{ls}} client (one with the "pipelining" option set).
+::::
+
+
+
+### `pipelining` [_pipelining]
+
+Configures the number of batches to be sent asynchronously to {{ls}} while waiting for ACK from {{ls}}. Output only becomes blocking once number of `pipelining` batches have been written. Pipelining is disabled if a value of 0 is configured. The default value is 2.
+
+
+### `proxy_url` [_proxy_url_2]
+
+The URL of the SOCKS5 proxy to use when connecting to the {{ls}} servers. The value must be a URL with a scheme of `socks5://`. The protocol used to communicate to {{ls}} is not based on HTTP so a web-proxy cannot be used.
+
+If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL as shown in the example.
+
+When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the [`proxy_use_local_resolver`](#logstash-proxy-use-local-resolver) option.
+
+```yaml
+output.logstash:
+  hosts: ["remote-host:5044"]
+  proxy_url: socks5://user:password@socks5-proxy:2233
+```
+
+
+### `proxy_use_local_resolver` [logstash-proxy-use-local-resolver]
+
+The `proxy_use_local_resolver` option determines if {{ls}} hostnames are resolved locally when using a proxy. The default value is false, which means that when a proxy is used the name resolution occurs on the proxy server.
+
+
+### `index` [logstash-index]
+
+The index root name to write events to. The default is the Beat name. For example `"winlogbeat"` generates `"[winlogbeat-]9.0.0-beta1-YYYY.MM.DD"` indices (for example, `"winlogbeat-9.0.0-beta1-2017.04.26"`).
+
+::::{note}
+This parameter’s value will be assigned to the `metadata.beat` field. It can then be accessed in {{ls}}'s output section as `%{[@metadata][beat]}`.
+::::
+
+
+
+### `ssl` [_ssl_2]
+
+Configuration options for SSL parameters like the root CA for {{ls}} connections. See [SSL](/reference/winlogbeat/configuration-ssl.md) for more information. To use SSL, you must also configure the [Beats input plugin for Logstash](logstash://reference/plugins-inputs-beats.md) to use SSL/TLS.
+
+
+### `timeout` [_timeout_2]
+
+The number of seconds to wait for responses from the {{ls}} server before timing out. The default is 30 (seconds).
+
+
+### `max_retries` [_max_retries_2]
+
+Winlogbeat ignores the `max_retries` setting and retries indefinitely.
+
+
+### `bulk_max_size` [_bulk_max_size]
+
+The maximum number of events to bulk in a single {{ls}} request. The default is 2048.
+
+Events can be collected into batches. Winlogbeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `slow_start` [_slow_start]
+
+If enabled, only a subset of events in a batch of events is transferred per transaction. The number of events to be sent increases up to `bulk_max_size` if no error is encountered. On error, the number of events per transaction is reduced again.
+
+The default is `false`.
+
+
+### `backoff.init` [_backoff_init]
+
+The number of seconds to wait before trying to reconnect to {{ls}} after a network error. After waiting `backoff.init` seconds, Winlogbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max]
+
+The maximum number of seconds to wait before attempting to connect to {{ls}} after a network error. The default is 60s.
+
+
+### `queue` [_queue_2]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/winlogbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `winlogbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/winlogbeat/madvdontneed-rss.md b/docs/reference/winlogbeat/madvdontneed-rss.md
new file mode 100644
index 000000000000..6c82ff6f9bf8
--- /dev/null
+++ b/docs/reference/winlogbeat/madvdontneed-rss.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/madvdontneed-rss.html
+---
+
+# High RSS memory usage due to MADV settings [madvdontneed-rss]
+
+In versions of Winlogbeat prior to 7.10.2, the go runtime defaults to `MADV_FREE` by default. In some cases, this can lead to high RSS memory usage while the kernel waits to reclaim any pages assigned to Winlogbeat. On versions prior to 7.10.2, set the `GODEBUG="madvdontneed=1"` environment variable if you run into RSS usage issues.
+
diff --git a/docs/reference/winlogbeat/metadata-missing.md b/docs/reference/winlogbeat/metadata-missing.md
new file mode 100644
index 000000000000..f099a1add213
--- /dev/null
+++ b/docs/reference/winlogbeat/metadata-missing.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/metadata-missing.html
+---
+
+# @metadata is missing in Logstash [metadata-missing]
+
+{{ls}} outputs remove `@metadata` fields automatically. Therefore, if {{ls}} instances are chained directly or via some message queue (for example, Redis or Kafka), the `@metadata` field will not be available in the final {{ls}} instance.
+
+::::{tip}
+To preserve `@metadata` fields, use the {{ls}} mutate filter with the rename setting to rename the fields to non-internal fields.
+::::
+
+
diff --git a/docs/reference/winlogbeat/metrics-winlogbeat.md b/docs/reference/winlogbeat/metrics-winlogbeat.md
new file mode 100644
index 000000000000..dcb133e1265a
--- /dev/null
+++ b/docs/reference/winlogbeat/metrics-winlogbeat.md
@@ -0,0 +1,22 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/metrics-winlogbeat.html
+---
+
+# Event Processing Metrics [metrics-winlogbeat]
+
+Winlogbeat exposes metrics under the [HTTP monitoring endpoint](/reference/winlogbeat/http-endpoint.md). These metrics are exposed under the `/inputs` path. They can be used to observe the event log processing activity of Winlogbeat.
+
+
+## Winlog Metrics [_winlog_metrics]
+
+| Metric | Description |
+| --- | --- |
+| `provider` | Name of the provider being read. |
+| `received_events_total` | Total number of events received. |
+| `discarded_events_total` | Total number of discarded events. |
+| `errors_total` | Total number of errors. |
+| `received_events_count` | Histogram of the number of events in each non-zero batch. |
+| `source_lag_time` | Histogram of the difference in nanoseconds between timestamped event’s creation and reading. |
+| `batch_read_period` | Histogram of the elapsed time in nanoseconds between non-zero batch reads. |
+
diff --git a/docs/reference/winlogbeat/monitoring-internal-collection.md b/docs/reference/winlogbeat/monitoring-internal-collection.md
new file mode 100644
index 000000000000..93add46fb6d2
--- /dev/null
+++ b/docs/reference/winlogbeat/monitoring-internal-collection.md
@@ -0,0 +1,73 @@
+---
+navigation_title: "Use internal collection"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/monitoring-internal-collection.html
+---
+
+# Use internal collection to send monitoring data [monitoring-internal-collection]
+
+
+Use internal collectors to send {{beats}} monitoring data directly to your monitoring cluster. Or as an alternative to internal collection, use [Use {{metricbeat}} collection](/reference/winlogbeat/monitoring-metricbeat-collection.md). The benefit of using internal collection instead of {{metricbeat}} is that you have fewer pieces of software to install and maintain.
+
+1. Create an API key or user that has appropriate authority to send system-level monitoring data to {{es}}. For example, you can use the built-in `beats_system` user or assign the built-in `beats_system` role to another user. For more information on the required privileges, see [Create a *monitoring* user](/reference/winlogbeat/privileges-to-publish-monitoring.md). For more information on how to use API keys, see [*Grant access using API keys*](/reference/winlogbeat/beats-api-keys.md).
+2. Add the `monitoring` settings in the Winlogbeat configuration file. If you configured the {{es}} output and want to send Winlogbeat monitoring events to the same {{es}} cluster, specify the following minimal configuration:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      elasticsearch:
+        api_key:  id:api_key <1>
+        username: beats_system
+        password: somepassword
+    ```
+
+    1. Specify one of `api_key` or `username`/`password`.
+
+
+    If you want to send monitoring events to an [{{ecloud}}](https://cloud.elastic.co/) monitoring cluster, you can use two simpler settings. When defined, these settings overwrite settings from other parts in the configuration. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cloud.id: 'staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=='
+      cloud.auth: 'elastic:{pwd}'
+    ```
+
+    If you configured a different output, such as {{ls}} or you want to send Winlogbeat monitoring events to a separate {{es}} cluster (referred to as the *monitoring cluster*), you must specify additional configuration options. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cluster_uuid: PRODUCTION_ES_CLUSTER_UUID <1>
+      elasticsearch:
+        hosts: ["https://example.com:9200", "https://example2.com:9200"] <2>
+        api_key:  id:api_key <3>
+        username: beats_system
+        password: somepassword
+    ```
+
+    1. This setting identifies the {{es}} cluster under which the monitoring data for this Winlogbeat instance will appear in the Stack Monitoring UI. To get a cluster’s `cluster_uuid`, call the `GET /` API against that production cluster.
+    2. This setting identifies the hosts and port numbers of {{es}} nodes that are part of the monitoring cluster.
+    3. Specify one of `api_key` or `username`/`password`.
+
+
+    If you want to use PKI authentication to send monitoring events to {{es}}, you must specify a different set of configuration options. For example:
+
+    ```yaml
+    monitoring:
+      enabled: true
+      cluster_uuid: PRODUCTION_ES_CLUSTER_UUID
+      elasticsearch:
+        hosts: ["https://example.com:9200", "https://example2.com:9200"]
+        username: ""
+        ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+        ssl.certificate: "/etc/pki/client/cert.pem"
+        ssl.key: "/etc/pki/client/cert.key"
+    ```
+
+    You must specify the `username` as `""` explicitly so that the username from the client certificate (`CN`) is used. See [SSL](/reference/winlogbeat/configuration-ssl.md) for more information about SSL settings.
+
+3. Start Winlogbeat.
+4. [View the monitoring data in {{kib}}](docs-content://deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md).
+
+
diff --git a/docs/reference/winlogbeat/monitoring-metricbeat-collection.md b/docs/reference/winlogbeat/monitoring-metricbeat-collection.md
new file mode 100644
index 000000000000..bfbf69b981d2
--- /dev/null
+++ b/docs/reference/winlogbeat/monitoring-metricbeat-collection.md
@@ -0,0 +1,163 @@
+---
+navigation_title: "Use {{metricbeat}} collection"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/monitoring-metricbeat-collection.html
+---
+
+# Use {{metricbeat}} to send monitoring data [monitoring-metricbeat-collection]
+
+
+In 7.3 and later, you can use {{metricbeat}} to collect data about Winlogbeat and ship it to the monitoring cluster. The benefit of using {{metricbeat}} instead of internal collection is that the monitoring agent remains active even if the Winlogbeat instance dies.
+
+To collect and ship monitoring data:
+
+1. [Configure the shipper you want to monitor](#configure-shipper)
+2. [Install and configure {{metricbeat}} to collect monitoring data](#configure-metricbeat)
+
+
+## Configure the shipper you want to monitor [configure-shipper]
+
+1. Enable the HTTP endpoint to allow external collection of monitoring data:
+
+    Add the following setting in the Winlogbeat configuration file (`winlogbeat.yml`):
+
+    ```yaml
+    http.enabled: true
+    ```
+
+    By default, metrics are exposed on port 5066. If you need to monitor multiple {{beats}} shippers running on the same server, set `http.port` to expose metrics for each shipper on a different port number:
+
+    ```yaml
+    http.port: 5067
+    ```
+
+2. Disable the default collection of Winlogbeat monitoring metrics.<br>
+
+    Add the following setting in the Winlogbeat configuration file (`winlogbeat.yml`):
+
+    ```yaml
+    monitoring.enabled: false
+    ```
+
+    For more information, see [Monitoring configuration options](/reference/winlogbeat/configuration-monitor.md).
+
+3. Configure host (optional).<br>
+
+    If you intend to get metrics using {{metricbeat}} installed on another server, you need to bind the Winlogbeat to host’s IP:
+
+    ```yaml
+    http.host: xxx.xxx.xxx.xxx
+    ```
+
+4. Configure cluster UUID.<br>
+
+    The cluster UUID is necessary if you want to see {{beats}} monitoring in the {{kib}} stack monitoring view. The monitoring data will be grouped under the cluster for that UUID. To associate Winlogbeat with the cluster UUID, set:
+
+    ```yaml
+    monitoring.cluster_uuid: "cluster-uuid"
+    ```
+
+5. Start Winlogbeat.
+
+
+## Install and configure {{metricbeat}} to collect monitoring data [configure-metricbeat]
+
+1. Install {{metricbeat}} on the same server as Winlogbeat. To learn how, see [Get started with {{metricbeat}}](/reference/metricbeat/metricbeat-installation-configuration.md). If you already have {{metricbeat}} installed on the server, skip this step.
+2. Enable the `beat-xpack` module in {{metricbeat}}.<br>
+
+    For example, to enable the default configuration in the `modules.d` directory, run the following command, using the correct command syntax for your OS:
+
+    ```sh
+    metricbeat modules enable beat-xpack
+    ```
+
+    For more information, see [Configure modules](/reference/metricbeat/configuration-metricbeat.md) and [beat module](/reference/metricbeat/metricbeat-module-beat.md).
+
+3. Configure the `beat-xpack` module in {{metricbeat}}.<br>
+
+    The `modules.d/beat-xpack.yml` file contains the following settings:
+
+    ```yaml
+    - module: beat
+      metricsets:
+        - stats
+        - state
+      period: 10s
+      hosts: ["http://localhost:5066"]
+      #username: "user"
+      #password: "secret"
+      xpack.enabled: true
+    ```
+
+    Set the `hosts`, `username`, and `password` settings as required by your environment. For other module settings, it’s recommended that you accept the defaults.
+
+    By default, the module collects Winlogbeat monitoring data from `localhost:5066`. If you exposed the metrics on a different host or port when you enabled the HTTP endpoint, update the `hosts` setting.
+
+    To monitor multiple {{beats}} agents, specify a list of hosts, for example:
+
+    ```yaml
+    hosts: ["http://localhost:5066","http://localhost:5067","http://localhost:5068"]
+    ```
+
+    If you configured Winlogbeat to use encrypted communications, you must access it via HTTPS. For example, use a `hosts` setting like `https://localhost:5066`.
+
+    If the Elastic {{security-features}} are enabled, you must also provide a user ID and password so that {{metricbeat}} can collect metrics successfully:
+
+    1. Create a user on the {{es}} cluster that has the `remote_monitoring_collector` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md).
+    2. Add the `username` and `password` settings to the beat module configuration file.
+
+4. Optional: Disable the system module in the {{metricbeat}}.
+
+    By default, the [system module](/reference/metricbeat/metricbeat-module-system.md) is enabled. The information it collects, however, is not shown on the **Stack Monitoring** page in {{kib}}. Unless you want to use that information for other purposes, run the following command:
+
+    ```sh
+    metricbeat modules disable system
+    ```
+
+5. Identify where to send the monitoring data.<br>
+
+    ::::{tip}
+    In production environments, we strongly recommend using a separate cluster (referred to as the *monitoring cluster*) to store the data. Using a separate monitoring cluster prevents production cluster outages from impacting your ability to access your monitoring data. It also prevents monitoring activities from impacting the performance of your production cluster.
+    ::::
+
+
+    For example, specify the {{es}} output information in the {{metricbeat}} configuration file (`metricbeat.yml`):
+
+    ```yaml
+    output.elasticsearch:
+      # Array of hosts to connect to.
+      hosts: ["http://es-mon-1:9200", "http://es-mon2:9200"] <1>
+
+      # Optional protocol and basic auth credentials.
+      #protocol: "https"
+      #api_key:  "id:api_key" <2>
+      #username: "elastic"
+      #password: "changeme"
+    ```
+
+    1. In this example, the data is stored on a monitoring cluster with nodes `es-mon-1` and `es-mon-2`.
+    2. Specify one of `api_key` or `username`/`password`.
+
+
+    If you configured the monitoring cluster to use encrypted communications, you must access it via HTTPS. For example, use a `hosts` setting like `https://es-mon-1:9200`.
+
+    ::::{important}
+    The {{es}} {{monitor-features}} use ingest pipelines. The cluster that stores the monitoring data must have at least one node with the `ingest` role.
+    ::::
+
+
+    If the {{es}} {{security-features}} are enabled on the monitoring cluster, you must provide a valid user ID and password so that {{metricbeat}} can send metrics successfully:
+
+    1. Create a user on the monitoring cluster that has the `remote_monitoring_agent` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md).
+
+        ::::{tip}
+        If you’re using index lifecycle management, the remote monitoring user requires additional privileges to create and read indices. For more information, see [*Grant users access to secured resources*](/reference/winlogbeat/feature-roles.md).
+        ::::
+
+    2. Add the `username` and `password` settings to the {{es}} output information in the {{metricbeat}} configuration file.
+
+    For more information about these configuration options, see [Configure the {{es}} output](/reference/metricbeat/elasticsearch-output.md).
+
+6. [Start {{metricbeat}}](/reference/metricbeat/metricbeat-starting.md) to begin collecting monitoring data.
+7. [View the monitoring data in {{kib}}](docs-content://deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md).
+
diff --git a/docs/reference/winlogbeat/monitoring-shows-fewer-than-expected-beats.md b/docs/reference/winlogbeat/monitoring-shows-fewer-than-expected-beats.md
new file mode 100644
index 000000000000..f364df149f67
--- /dev/null
+++ b/docs/reference/winlogbeat/monitoring-shows-fewer-than-expected-beats.md
@@ -0,0 +1,9 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/monitoring-shows-fewer-than-expected-beats.html
+---
+
+# Monitoring UI shows fewer Beats than expected [monitoring-shows-fewer-than-expected-beats]
+
+If you are running multiple Beat instances on the same host, make sure they each have a distinct `path.data` value.
+
diff --git a/docs/reference/winlogbeat/monitoring.md b/docs/reference/winlogbeat/monitoring.md
new file mode 100644
index 000000000000..0f07a4da0cb7
--- /dev/null
+++ b/docs/reference/winlogbeat/monitoring.md
@@ -0,0 +1,16 @@
+---
+navigation_title: "Monitor"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/monitoring.html
+---
+
+# Monitor Winlogbeat [monitoring]
+
+
+You can use the {{stack}} {{monitor-features}} to gain insight into the health of Winlogbeat instances running in your environment.
+
+To monitor Winlogbeat, make sure monitoring is enabled on your {{es}} cluster, then configure the method used to collect Winlogbeat metrics. You can use one of following methods:
+
+* [Internal collection](/reference/winlogbeat/monitoring-internal-collection.md) - Internal collectors send monitoring data directly to your monitoring cluster.
+* [{{metricbeat}} collection](/reference/winlogbeat/monitoring-metricbeat-collection.md) - {{metricbeat}} collects monitoring data from your Winlogbeat instance and sends it directly to your monitoring cluster.
+
diff --git a/docs/reference/winlogbeat/move-fields.md b/docs/reference/winlogbeat/move-fields.md
new file mode 100644
index 000000000000..d2acba6debb3
--- /dev/null
+++ b/docs/reference/winlogbeat/move-fields.md
@@ -0,0 +1,93 @@
+---
+navigation_title: "move_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/move-fields.html
+---
+
+# Move fields [move-fields]
+
+
+The `move_fields` processor moves event fields from one object into another. It can also rearrange fields or add a prefix to fields.
+
+The processor extracts fields from `from`, then uses `fields` and `exclude` as filters to choose which fields to move into the `to` field.
+
+For example, given the following event:
+
+```json
+{
+  "app": {
+    "method": "a",
+    "elapsed_time": 100,
+    "user_id": 100,
+    "message": "i'm a message"
+  }
+}
+```
+
+To move `method` and `elapsed_time` into another object, use this configuration:
+
+```yaml
+processors:
+  - move_fields:
+      from: "app"
+      fields: ["method", "elapsed_time"],
+      to: "rpc."
+```
+
+Your final event will be:
+
+```json
+{
+  "app": {
+    "user_id": 100,
+    "message": "i'm a message",
+    "rpc": {
+      "method": "a",
+      "elapsed_time": 100
+    }
+  }
+}
+```
+
+To add a prefix to the whole event:
+
+```json
+{
+  "app": { "method": "a"},
+  "cost": 100
+}
+```
+
+Use this configuration:
+
+```yaml
+processors:
+  - move_fields:
+      to: "my_prefix_"
+```
+
+Your final event will be:
+
+```json
+{
+  "my_prefix_app": { "method": "a"},
+  "my_prefix_cost": 100
+}
+```
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `from` | no |  | Which field you want extract. This field and any nested fields will be moved into `to` unless they are filtered out. If empty, indicates event root. |  |
+| `fields` | no |  | Which fields to extract from `from` and move to `to`. An empty list indicates all fields. |  |
+| `ignore_missing` | no | false | Ignore "not found" errors when extracting fields. |  |
+| `exclude` | no |  | A list of fields to exclude and not move. |  |
+| `to` | yes |  | These fields extract from `from` destination field prefix the `to` will base on fields root. |  |
+
+```yaml
+processors:
+  - move_fields:
+      from: "app"
+      fields: [ "method", "elapsed_time" ]
+      to: "rpc."
+```
+
diff --git a/docs/reference/winlogbeat/privileges-to-publish-events.md b/docs/reference/winlogbeat/privileges-to-publish-events.md
new file mode 100644
index 000000000000..cca57a511358
--- /dev/null
+++ b/docs/reference/winlogbeat/privileges-to-publish-events.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "Create a _publishing_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/privileges-to-publish-events.html
+---
+
+# Grant privileges and roles needed for publishing [privileges-to-publish-events]
+
+
+Users who publish events to {{es}} need to create and write to Winlogbeat indices. To minimize the privileges required by the writer role, use the [setup role](/reference/winlogbeat/privileges-to-setup-beats.md) to pre-load dependencies. This section assumes that you’ve run the setup.
+
+When using ILM, turn off the ILM setup check in the Winlogbeat config file before running Winlogbeat to publish events:
+
+```yaml
+setup.ilm.check_exists: false
+```
+
+To grant the required privileges:
+
+1. Create a **writer role**, called something like `winlogbeat_writer`, that has the following privileges:
+
+    ::::{note}
+    The `monitor` cluster privilege and the `create_doc` and `auto_configure` privileges on `winlogbeat-*` indices are required in every configuration.
+    ::::
+
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+    | Cluster | `read_ilm` | Read the ILM policy when connecting to clusters that support ILM.Not needed when `setup.ilm.check_exists` is `false`. |
+    | Cluster | `read_pipeline` | Check for ingest pipelines used by Winlogbeat. |
+    | Index | `create_doc` on `winlogbeat-*` indices | Write events into {{es}} |
+    | Index | `auto_configure` on `winlogbeat-*` indices | Update the datastream mapping. Consider either disabling entirely or adding therule `-{{beat_default_index_prefix}}-*` to the cluster settings[action.auto_create_index](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-create)to prevent unwanted indices creations from the agents. |
+
+    Omit any privileges that aren’t relevant in your environment.
+
+2. Assign the **writer role** to users who will index events into {{es}}.
+
diff --git a/docs/reference/winlogbeat/privileges-to-publish-monitoring.md b/docs/reference/winlogbeat/privileges-to-publish-monitoring.md
new file mode 100644
index 000000000000..b913c3ccee19
--- /dev/null
+++ b/docs/reference/winlogbeat/privileges-to-publish-monitoring.md
@@ -0,0 +1,61 @@
+---
+navigation_title: "Create a _monitoring_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/privileges-to-publish-monitoring.html
+---
+
+# Grant privileges and roles needed for monitoring [privileges-to-publish-monitoring]
+
+
+{{es-security-features}} provides built-in users and roles for monitoring. The privileges and roles needed depend on the method used to collect monitoring data.
+
+::::{admonition} Important note for {{ecloud}} users
+:class: important
+
+Built-in users are not available when running our [hosted {{ess}}](https://www.elastic.co/cloud/elasticsearch-service) on {{ecloud}}. To send monitoring data securely, create a monitoring user and grant it the roles described in the following sections.
+
+::::
+
+
+* If you’re using [internal collection](/reference/winlogbeat/monitoring-internal-collection.md) to collect metrics about Winlogbeat, {{es-security-features}} provides the `beats_system` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md) and `beats_system` [built-in role](elasticsearch://reference/elasticsearch/roles.md) to send monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to send monitoring information.
+
+    If you use the `beats_system` user, make sure you set the password.
+
+    If you don’t use the `beats_system` user:
+
+    1. Create a **monitoring role**, called something like `winlogbeat_monitoring`, that has the following privileges:
+
+        | Type | Privilege | Purpose |
+        | --- | --- | --- |
+        | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+        | Index | `create_index` on `.monitoring-beats-*` indices | Create monitoring indices in {{es}} |
+        | Index | `create_doc` on `.monitoring-beats-*` indices | Write monitoring events into {{es}} |
+
+    2. Assign the **monitoring role**, along with the following built-in roles, to users who need to monitor Winlogbeat:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `kibana_admin` | Use {{kib}} |
+        | `monitoring_user` | Use **Stack Monitoring** in {{kib}} to monitor Winlogbeat |
+
+* If you’re [using {{metricbeat}}](/reference/winlogbeat/monitoring-metricbeat-collection.md) to collect metrics about Winlogbeat, {{es-security-features}} provides the `remote_monitoring_user` [built-in user](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md), and the `remote_monitoring_collector` and `remote_monitoring_agent` [built-in roles](elasticsearch://reference/elasticsearch/roles.md) for collecting and sending monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to collect and send monitoring information.
+
+    If you use the `remote_monitoring_user` user, make sure you set the password.
+
+    If you don’t use the `remote_monitoring_user` user:
+
+    1. Create a user on the production cluster who will collect and send monitoring information.
+    2. Assign the following roles to the user:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `remote_monitoring_collector` | Collect monitoring metrics from Winlogbeat |
+        | `remote_monitoring_agent` | Send monitoring data to the monitoring cluster |
+
+    3. Assign the following role to users who will view the monitoring data in {{kib}}:
+
+        | Role | Purpose |
+        | --- | --- |
+        | `monitoring_user` | Use **Stack Monitoring** in {{kib}} to monitor Winlogbeat |
+
+
diff --git a/docs/reference/winlogbeat/privileges-to-setup-beats.md b/docs/reference/winlogbeat/privileges-to-setup-beats.md
new file mode 100644
index 000000000000..27ceb405600a
--- /dev/null
+++ b/docs/reference/winlogbeat/privileges-to-setup-beats.md
@@ -0,0 +1,42 @@
+---
+navigation_title: "Create a _setup_ user"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/privileges-to-setup-beats.html
+---
+
+# Grant privileges and roles needed for setup [privileges-to-setup-beats]
+
+
+::::{important}
+Setting up Winlogbeat is an admin-level task that requires extra privileges. As a best practice, grant the setup role to administrators only, and use a more restrictive role for event publishing.
+::::
+
+
+Administrators who set up Winlogbeat typically need to load mappings, dashboards, and other objects used to index data into {{es}} and visualize it in {{kib}}.
+
+To grant users the required privileges:
+
+1. Create a **setup role**, called something like `winlogbeat_setup`, that has the following privileges:
+
+    | Type | Privilege | Purpose |
+    | --- | --- | --- |
+    | Cluster | `monitor` | Retrieve cluster details (e.g. version) |
+    | Cluster | `manage_ilm` | Set up and manage index lifecycle management (ILM) policy |
+    | Index | `manage` on `winlogbeat-*` indices | Load data stream |
+
+    Omit any privileges that aren’t relevant in your environment.
+
+    ::::{note}
+    These instructions assume that you are using the default name for Winlogbeat indices. If `winlogbeat-*` is not listed, or you are using a custom name, enter it manually and modify the privileges to match your index naming pattern.
+    ::::
+
+2. Assign the **setup role**, along with the following built-in roles, to users who need to set up Winlogbeat:
+
+    | Role | Purpose |
+    | --- | --- |
+    | `kibana_admin` | Load dependencies, such as example dashboards, if available, into {{kib}} |
+    | `ingest_admin` | Set up index templates and, if available, ingest pipelines |
+
+    Omit any roles that aren’t relevant in your environment.
+
+
diff --git a/docs/reference/winlogbeat/processor-dns.md b/docs/reference/winlogbeat/processor-dns.md
new file mode 100644
index 000000000000..e90d2373f171
--- /dev/null
+++ b/docs/reference/winlogbeat/processor-dns.md
@@ -0,0 +1,102 @@
+---
+navigation_title: "dns"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/processor-dns.html
+---
+
+# DNS Reverse Lookup [processor-dns]
+
+
+The `dns` processor performs DNS queries. It caches the responses that it receives in accordance to the time-to-live (TTL) value contained in the response. It also caches failures that occur during lookups. Each instance of this processor maintains its own independent cache.
+
+The processor uses its own DNS resolver to send requests to nameservers and does not use the operating system’s resolver. It does not read any values contained in `/etc/hosts`.
+
+This processor can significantly slow down your pipeline’s throughput if you have a high latency network or slow upstream nameserver. The cache will help with performance, but if the addresses being resolved have a high cardinality then the cache benefits will be diminished due to the high miss ratio.
+
+By way of example, if each DNS lookup takes 2 milliseconds, the maximum throughput you can achieve is 500 events per second (1000 milliseconds / 2 milliseconds). If you have a high cache hit ratio then your throughput can be higher.
+
+The processor can send the following query types:
+
+* `A` - IPv4 addresses
+* `AAAA` - IPv6 addresses
+* `TXT` - arbitrary human-readable text data
+* `PTR` - reverse IP address lookups
+
+The output value is a list of strings for all query types except `PTR`. For `PTR` queries the output value is a string.
+
+This is a minimal configuration example that resolves the IP addresses contained in two fields.
+
+```yaml
+processors:
+  - dns:
+      type: reverse
+      fields:
+        source.ip: source.domain
+        destination.ip: destination.domain
+```
+
+Next is a configuration example showing all options.
+
+```yaml
+processors:
+- dns:
+    type: reverse
+    action: append
+    transport: tls
+    fields:
+      server.ip: server.domain
+      client.ip: client.domain
+    success_cache:
+      capacity.initial: 1000
+      capacity.max: 10000
+      min_ttl: 1m
+    failure_cache:
+      capacity.initial: 1000
+      capacity.max: 10000
+      ttl: 1m
+    nameservers: ['192.0.2.1', '203.0.113.1']
+    timeout: 500ms
+    tag_on_failure: [_dns_reverse_lookup_failed]
+```
+
+The `dns` processor has the following configuration settings:
+
+`type`
+:   The type of DNS query to perform. The supported types are `A`, `AAAA`, `PTR` (or `reverse`), and `TXT`.
+
+`action`
+:   This defines the behavior of the processor when the target field already exists in the event. The options are `append` (default) and `replace`.
+
+`fields`
+:   This is a mapping of source field names to target field names. The value of the source field will be used in the DNS query and result will be written to the target field.
+
+`success_cache.capacity.initial`
+:   The initial number of items that the success cache will be allocated to hold. When initialized the processor will allocate the memory for this number of items. Default value is `1000`.
+
+`success_cache.capacity.max`
+:   The maximum number of items that the success cache can hold. When the maximum capacity is reached a random item is evicted. Default value is `10000`.
+
+`success_cache.min_ttl`
+:   The duration of the minimum alternative cache TTL for successful DNS responses. Ensures that `TTL=0` successful reverse DNS responses can be cached. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `1m`.
+
+`failure_cache.capacity.initial`
+:   The initial number of items that the failure cache will be allocated to hold. When initialized the processor will allocate the memory for this number of items. Default value is `1000`.
+
+`failure_cache.capacity.max`
+:   The maximum number of items that the failure cache can hold. When the maximum capacity is reached a random item is evicted. Default value is `10000`.
+
+`failure_cache.ttl`
+:   The duration for which failures are cached. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `1m`.
+
+`nameservers`
+:   A list of nameservers to query. If there are multiple servers, the resolver queries them in the order listed. If none are specified then it will read the nameservers listed in `/etc/resolv.conf` once at initialization. On Windows you must always supply at least one nameserver.
+
+`timeout`
+:   The duration after which a DNS query will timeout. This is timeout for each DNS request so if you have 2 nameservers then the total timeout will be 2 times this value. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `500ms`.
+
+`tag_on_failure`
+:   A list of tags to add to the event when any lookup fails. The tags are only added once even if multiple lookups fail. By default, no tags are added upon failure.
+
+`transport`
+:   The type of transport connection that should be used can either be `tls` (DNS over TLS) or `udp`. Defaults to `udp`.
+
diff --git a/docs/reference/winlogbeat/processor-registered-domain.md b/docs/reference/winlogbeat/processor-registered-domain.md
new file mode 100644
index 000000000000..8a10177a8ee4
--- /dev/null
+++ b/docs/reference/winlogbeat/processor-registered-domain.md
@@ -0,0 +1,36 @@
+---
+navigation_title: "registered_domain"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/processor-registered-domain.html
+---
+
+# Registered Domain [processor-registered-domain]
+
+
+The `registered_domain` processor reads a field containing a hostname and then writes the "registered domain" contained in the hostname to the target field. For example, given `www.google.co.uk` the processor would output `google.co.uk`. In other words the "registered domain" is the effective top-level domain (`co.uk`) plus one level (`google`). Optionally, it can store the rest of the domain, the `subdomain` into another target field.
+
+This processor uses the Mozilla Public Suffix list to determine the value.
+
+```yaml
+processors:
+  - registered_domain:
+      field: dns.question.name
+      target_field: dns.question.registered_domain
+      target_etld_field: dns.question.top_level_domain
+      target_subdomain_field: dns.question.sudomain
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `registered_domain` processor has the following configuration settings:
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a fully qualified domain name (FQDN). |  |
+| `target_field` | yes |  | Target field for the registered domain value. |  |
+| `target_etld_field` | no |  | Target field for the effective top-level domain value. |  |
+| `target_subdomain_field` | no |  | Target subdomain field for the subdomain value. |  |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |  |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |  |
+| `id` | no |  | An identifier for this processor instance. Useful for debugging. |  |
+
diff --git a/docs/reference/winlogbeat/processor-script.md b/docs/reference/winlogbeat/processor-script.md
new file mode 100644
index 000000000000..14190d089050
--- /dev/null
+++ b/docs/reference/winlogbeat/processor-script.md
@@ -0,0 +1,118 @@
+---
+navigation_title: "script"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/processor-script.html
+---
+
+# Script Processor [processor-script]
+
+
+The `script` processor executes Javascript code to process an event. The processor uses a pure Go implementation of ECMAScript 5.1 and has no external dependencies. This can be useful in situations where one of the other processors doesn’t provide the functionality you need to filter events.
+
+The processor can be configured by embedding Javascript in your configuration file or by pointing the processor at external file(s).
+
+```yaml
+processors:
+  - script:
+      lang: javascript
+      source: >
+        function process(event) {
+            event.Tag("js");
+        }
+```
+
+This loads `filter.js` from disk.
+
+```yaml
+processors:
+  - script:
+      lang: javascript
+      file: ${path.config}/filter.js
+```
+
+Parameters can be passed to the script by adding `params` to the config. This allows for a script to be made reusable. When using `params` the code must define a `register(params)` function to receive the parameters.
+
+```yaml
+processors:
+  - script:
+      lang: javascript
+      tag: my_filter
+      params:
+        threshold: 15
+      source: >
+        var params = {threshold: 42};
+        function register(scriptParams) {
+            params = scriptParams;
+        }
+        function process(event) {
+            if (event.Get("severity") < params.threshold) {
+                event.Cancel();
+            }
+        }
+```
+
+If the script defines a `test()` function it will be invoked when the processor is loaded. Any exceptions thrown will cause the processor to fail to load. This can be used to make assertions about the behavior of the script.
+
+```javascript
+function process(event) {
+    if (event.Get("event.code") === 1102) {
+        event.Put("event.action", "cleared");
+    }
+    return event;
+}
+
+function test() {
+    var event = process(new Event({event: {code: 1102}}));
+    if (event.Get("event.action") !== "cleared") {
+        throw "expected event.action === cleared";
+    }
+}
+```
+
+
+## Configuration options [_configuration_options_14]
+
+The `script` processor has the following configuration settings:
+
+`lang`
+:   This field is required and its value must be `javascript`.
+
+`tag`
+:   This is an optional identifier that is added to log messages. If defined it enables metrics logging for this instance of the processor. The metrics include the number of exceptions and a histogram of the execution times for the `process` function.
+
+`source`
+:   Inline Javascript source code.
+
+`file`
+:   Path to a script file to load. Relative paths are interpreted as relative to the `path.config` directory. Globs are expanded.
+
+`files`
+:   List of script files to load. The scripts are concatenated together. Relative paths are interpreted as relative to the `path.config` directory. And globs are expanded.
+
+`params`
+:   A dictionary of parameters that are passed to the `register` of the script.
+
+`tag_on_exception`
+:   Tag to add to events in case the Javascript code causes an exception while processing an event. Defaults to `_js_exception`.
+
+`timeout`
+:   This sets an execution timeout for the `process` function. When the `process` function takes longer than the `timeout` period the function is interrupted. You can set this option to prevent a script from running for too long (like preventing an infinite `while` loop). By default there is no timeout.
+
+`max_cached_sessions`
+:   This sets the maximum number of Javascript VM sessions that will be cached to avoid reallocation. The default is `4`.
+
+
+## Event API [_event_api]
+
+The `Event` object passed to the `process` method has the following API.
+
+| Method | Description |
+| --- | --- |
+| `Get(string)` | Get a value from the event (either a scalar or an object). If the key does notexist `null` is returned. If no key is provided then an object containing allfields is returned.<br>**Example**: `var value = event.Get(key);` |
+| `Put(string, value)` | Put a value into the event. If the key was already set then theprevious value is returned. It throws an exception if the key cannot be setbecause one of the intermediate values is not an object.<br>**Example**: `var old = event.Put(key, value);` |
+| `Rename(string, string)` | Rename a key in the event. The target key must not exist. Itreturns true if the source key was successfully renamed to the target key.<br>**Example**: `var success = event.Rename("source", "target");` |
+| `Delete(string)` | Delete a field from the event. It returns true on success.<br>**Example**: `var deleted = event.Delete("user.email");` |
+| `Cancel()` | Flag the event as cancelled which causes the processor to dropevent.<br>**Example**: `event.Cancel(); return;` |
+| `Tag(string)` | Append a tag to the `tags` field if the tag does not alreadyexist. Throws an exception if `tags` exists and is not a string or a list ofstrings.<br>**Example**: `event.Tag("user_event");` |
+| `AppendTo(string, string)` | `AppendTo` is a specialized `Put` method that converts the existing value to anarray and appends the value if it does not already exist. If there is anexisting value that’s not a string or array of strings then an exception isthrown.<br>**Example**: `event.AppendTo("error.message", "invalid file hash");` |
+
diff --git a/docs/reference/winlogbeat/processor-timestamp.md b/docs/reference/winlogbeat/processor-timestamp.md
new file mode 100644
index 000000000000..860999114f1c
--- /dev/null
+++ b/docs/reference/winlogbeat/processor-timestamp.md
@@ -0,0 +1,64 @@
+---
+navigation_title: "timestamp"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/processor-timestamp.html
+---
+
+# Timestamp [processor-timestamp]
+
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+
+The `timestamp` processor parses a timestamp from a field. By default the timestamp processor writes the parsed result to the `@timestamp` field. You can specify a different field by setting the `target_field` parameter. The timestamp value is parsed according to the `layouts` parameter. Multiple layouts can be specified and they will be used sequentially to attempt parsing the timestamp field.
+
+::::{note}
+The timestamp layouts used by this processor are different than the formats supported by date processors in Logstash and Elasticsearch Ingest Node.
+::::
+
+
+The `layouts` are described using a reference time that is based on this specific time:
+
+```
+Mon Jan 2 15:04:05 MST 2006
+```
+Since MST is GMT-0700, the reference time is:
+
+```
+01/02 03:04:05PM '06 -0700
+```
+To define your own layout, rewrite the reference time in a format that matches the timestamps you expect to parse. For more layout examples and details see the [Go time package documentation](https://godoc.org/time#pkg-constants).
+
+If a layout does not contain a year then the current year in the specified `timezone` is added to the time value.
+
+| Name | Required | Default | Description |  |
+| --- | --- | --- | --- | --- |
+| `field` | yes |  | Source field containing the time to be parsed. |  |
+| `target_field` | no | @timestamp | Target field for the parsed time value. The target value is always written as UTC. |  |
+| `layouts` | yes |  | Timestamp layouts that define the expected time value format. In addition layouts, `UNIX` and `UNIX_MS` are accepted. |  |
+| `timezone` | no | UTC | IANA time zone name (e.g. `America/New_York`) or fixed time offset (e.g. `+0200`) to use when parsing times that do not contain a time zone. `Local` may be specified to use the machine’s local time zone. |  |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |  |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |  |
+| `test` | no |  | A list of timestamps that must parse successfully when loading the processor. |  |
+| `id` | no |  | An identifier for this processor instance. Useful for debugging. |  |
+
+Here is an example that parses the `start_time` field and writes the result to the `@timestamp` field then deletes the `start_time` field. When the processor is loaded, it will immediately validate that the two `test` timestamps parse with this configuration.
+
+```yaml
+processors:
+  - timestamp:
+      field: start_time
+      layouts:
+        - '2006-01-02T15:04:05Z'
+        - '2006-01-02T15:04:05.999Z'
+        - '2006-01-02T15:04:05.999-07:00'
+      test:
+        - '2019-06-22T16:33:51Z'
+        - '2019-11-18T04:59:51.123Z'
+        - '2020-08-03T07:10:20.123456+02:00'
+  - drop_fields:
+      fields: [start_time]
+```
+
diff --git a/docs/reference/winlogbeat/processor-translate-guid.md b/docs/reference/winlogbeat/processor-translate-guid.md
new file mode 100644
index 000000000000..565935dad31d
--- /dev/null
+++ b/docs/reference/winlogbeat/processor-translate-guid.md
@@ -0,0 +1,79 @@
+---
+navigation_title: "translate_ldap_attribute"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/processor-translate-guid.html
+---
+
+# Translate GUID [processor-translate-guid]
+
+
+The `translate_ldap_attribute` processor translates an LDAP attributes between eachother. It is typically used to translate AD Global Unique Identifiers (GUID) into their common names.
+
+Every object on an Active Directory or an LDAP server is issued a GUID. Internal processes refer to their GUID’s rather than the object’s name and these values sometimes appear in logs.
+
+If the search attribute is invalid (malformed) or does not map to any object on the domain then this will result in the processor returning an error unless `ignore_failure` is set.
+
+The result of this operation is an array of values, given that a single attribute can hold multiple values.
+
+Note: the search attribute is expected to map to a single object. If it doesn’t, no error will be returned, but only results of the first entry will be added to the event.
+
+```yaml
+processors:
+  - translate_ldap_attribute:
+      field: winlog.event_data.ObjectGuid
+      ldap_address: "ldap://"
+      ldap_base_dn: "dc=example,dc=com"
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `translate_ldap_attribute` processor has the following configuration settings:
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a GUID. |
+| `target_field` | no |  | Target field for the mapped attribute value. If not set it will be replaced in place. |
+| `ldap_address` | yes |  | LDAP server address. eg: `ldap://ds.example.com:389` |
+| `ldap_base_dn` | yes |  | LDAP base DN. eg: `dc=example,dc=com` |
+| `ldap_bind_user` | no |  | LDAP user. |
+| `ldap_bind_password` | no |  | LDAP password. |
+| `ldap_search_attribute` | yes | `objectGUID` | LDAP attribute to search by. |
+| `ldap_mapped_attribute` | yes | `cn` | LDAP attribute to map to. |
+| `ldap_search_time_limit` | no | 30 | LDAP search time limit in seconds. |
+| `ldap_ssl`* | no | 30 | LDAP TLS/SSL connection settings. |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |
+
+* Also see [SSL](/reference/winlogbeat/configuration-ssl.md) for a full description of the `ldap_ssl` options.
+
+If the searches are slow or you expect a high amount of different key attributes to be found, consider using a cache processor to speed processing:
+
+```yaml
+processors:
+  - cache:
+      backend:
+        memory:
+          id: ldapguids
+      get:
+        key_field: winlog.event_data.ObjectGuid
+        target_field: winlog.common_name
+      ignore_missing: true
+  - if:
+      not:
+        - has_fields: winlog.common_name
+    then:
+      - translate_ldap_attribute:
+          field: winlog.event_data.ObjectGuid
+          target_field: winlog.common_name
+          ldap_address: "ldap://"
+          ldap_base_dn: "dc=example,dc=com"
+      - cache:
+          backend:
+            memory:
+              id: ldapguids
+            capacity: 10000
+          put:
+            key_field: winlog.event_data.ObjectGuid
+            value_field: winlog.common_name
+```
+
diff --git a/docs/reference/winlogbeat/processor-translate-sid.md b/docs/reference/winlogbeat/processor-translate-sid.md
new file mode 100644
index 000000000000..4e600e573c28
--- /dev/null
+++ b/docs/reference/winlogbeat/processor-translate-sid.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "translate_sid"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/processor-translate-sid.html
+---
+
+# Translate SID [processor-translate-sid]
+
+
+The `translate_sid` processor translates a Windows security identifier (SID) into an account name. It retrieves the name of the account associated with the SID, the first domain on which the SID is found, and the type of account. This is only available on Windows.
+
+Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account’s SID rather than the account’s user or group name and these values sometimes appear in logs.
+
+If the SID is invalid (malformed) or does not map to any account on the local system or domain then this will result in the processor returning an error unless `ignore_failure` is set.
+
+```yaml
+processors:
+  - translate_sid:
+      field: winlog.event_data.MemberSid
+      account_name_target: user.name
+      domain_target: user.domain
+      ignore_missing: true
+      ignore_failure: true
+```
+
+The `translate_sid` processor has the following configuration settings:
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `field` | yes |  | Source field containing a Windows security identifier (SID). |
+| `account_name_target` | yes* |  | Target field for the account name value. |
+| `account_type_target` | yes* |  | Target field for the account type value. |
+| `domain_target` | yes* |  | Target field for the domain value. |
+| `ignore_missing` | no | false | Ignore errors when the source field is missing. |
+| `ignore_failure` | no | false | Ignore all errors produced by the processor. |
+
+* At least one of `account_name_target`, `account_type_target`, and `domain_target` is required to be configured.
+
diff --git a/docs/reference/winlogbeat/publishing-ls-fails-connection-reset-by-peer.md b/docs/reference/winlogbeat/publishing-ls-fails-connection-reset-by-peer.md
new file mode 100644
index 000000000000..5ea720aeabf0
--- /dev/null
+++ b/docs/reference/winlogbeat/publishing-ls-fails-connection-reset-by-peer.md
@@ -0,0 +1,18 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/publishing-ls-fails-connection-reset-by-peer.html
+---
+
+# Publishing to Logstash fails with "connection reset by peer" message [publishing-ls-fails-connection-reset-by-peer]
+
+Winlogbeat requires a persistent TCP connection to {{ls}}. If a firewall interferes with the connection, you might see errors like this:
+
+```shell
+Failed to publish events caused by: write tcp ... write: connection reset by peer
+```
+
+To solve the problem:
+
+* make sure the firewall is not closing connections between Winlogbeat and {{ls}}, or
+* set the `ttl` value in the [{{ls}} output](/reference/winlogbeat/logstash-output.md) to a value that’s lower than the maximum time allowed by the firewall, and set `pipelining` to 0 (pipelining cannot be enabled when `ttl` is used).
+
diff --git a/docs/reference/winlogbeat/rate-limit.md b/docs/reference/winlogbeat/rate-limit.md
new file mode 100644
index 000000000000..734ce490df7a
--- /dev/null
+++ b/docs/reference/winlogbeat/rate-limit.md
@@ -0,0 +1,43 @@
+---
+navigation_title: "rate_limit"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/rate-limit.html
+---
+
+# Rate limit the flow of events [rate-limit]
+
+
+The `rate_limit` processor limits the throughput of events based on the specified configuration.
+
+In the current implementation, rate-limited events are dropped. Future implementations may allow rate-limited events to be handled differently.
+
+```yaml
+processors:
+- rate_limit:
+   limit: "10000/m"
+```
+
+```yaml
+processors:
+- rate_limit:
+   fields:
+   - "cloudfoundry.org.name"
+   limit: "400/s"
+```
+
+```yaml
+processors:
+- if.equals.cloudfoundry.org.name: "acme"
+  then:
+  - rate_limit:
+      limit: "500/s"
+```
+
+The following settings are supported:
+
+`limit`
+:   The rate limit. Supported time units for the rate are `s` (per second), `m` (per minute), and `h` (per hour).
+
+`fields`
+:   (Optional) List of fields. The rate limit will be applied to each distinct value derived by combining the values of these fields.
+
diff --git a/docs/reference/winlogbeat/reading-from-evtx.md b/docs/reference/winlogbeat/reading-from-evtx.md
new file mode 100644
index 000000000000..d7136c1b3389
--- /dev/null
+++ b/docs/reference/winlogbeat/reading-from-evtx.md
@@ -0,0 +1,33 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/reading-from-evtx.html
+---
+
+# Not sure how to read from .evtx files [reading-from-evtx]
+
+Yes, Winlogbeat can ingest archived .evtx files. When you set the `name` parameter as the absolute path to an event log file it will read from that file. Here’s an example. First create a new config file for Winlogbeat.
+
+winlogbeat-evtx.yml
+
+```yaml
+winlogbeat.event_logs:
+  - name: ${EVTX_FILE} <1>
+    no_more_events: stop <2>
+
+winlogbeat.shutdown_timeout: 30s <3>
+winlogbeat.registry_file: evtx-registry.yml <4>
+
+output.elasticsearch.hosts: ['http://localhost:9200']
+```
+
+1. `name` will be set to the value of the `EVTX_FILE` environment variable.
+2. `no_more_events` sets the behavior of Winlogbeat when Windows reports that there are no more events to read. We want Winlogbeat to *stop* rather than *wait* since this is an archived file that will not receive any more events.
+3. `shutdown_timeout` controls the maximum amount of time Winlogbeat will wait to finish publishing the events to {{es}} after stopping because it reached the end of the log.
+4. A separate registry file is used to avoid overwriting the default registry file. You can delete this file after you’re done ingesting the .evtx data.
+
+Now execute Winlogbeat and wait for it to complete. It will exit when it’s done.
+
+```sh
+.\winlogbeat.exe -e -c .\winlogbeat-evtx.yml -E EVTX_FILE=c:\backup\Security-2019.01.evtx
+```
+
diff --git a/docs/reference/winlogbeat/redis-output.md b/docs/reference/winlogbeat/redis-output.md
new file mode 100644
index 000000000000..83b528fe7437
--- /dev/null
+++ b/docs/reference/winlogbeat/redis-output.md
@@ -0,0 +1,205 @@
+---
+navigation_title: "Redis"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/redis-output.html
+---
+
+# Configure the Redis output [redis-output]
+
+
+The Redis output inserts the events into a Redis list or a Redis channel. This output plugin is compatible with the [Redis input plugin](logstash://reference/plugins-inputs-redis.md) for Logstash.
+
+To use this output, edit the Winlogbeat configuration file to disable the {{es}} output by commenting it out, and enable the Redis output by adding `output.redis`.
+
+Example configuration:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  password: "my_password"
+  key: "winlogbeat"
+  db: 0
+  timeout: 5
+```
+
+## Compatibility [_compatibility_3]
+
+This output is expected to work with all Redis versions between 3.2.4 and 5.0.8. Other versions might work as well, but are not supported.
+
+
+## Configuration options [_configuration_options_6]
+
+You can specify the following `output.redis` options in the `winlogbeat.yml` config file:
+
+### `enabled` [_enabled_4]
+
+The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
+
+The default value is `true`.
+
+
+### `hosts` [_hosts_2]
+
+The list of Redis servers to connect to. If load balancing is enabled, the events are distributed to the servers in the list. If one server becomes unreachable, the events are distributed to the reachable servers only. You can define each Redis server by specifying `HOST` or `HOST:PORT`. For example: `"192.15.3.2"` or `"test.redis.io:12345"`. If you don’t specify a port number, the value configured by `port` is used. Configure each Redis server with an `IP:PORT` pair or with a `URL`. For example: `redis://localhost:6379` or `rediss://localhost:6379`. URLs can include a server-specific password. For example: `redis://:password@localhost:6379`. The `redis` scheme will disable the `ssl` settings for the host, while `rediss` will enforce TLS.  If `rediss` is specified and no `ssl` settings are configured, the output uses the system certificate store.
+
+
+### `index` [_index]
+
+The index name added to the events metadata for use by Logstash. The default is "winlogbeat".
+
+
+### `key` [key-option-redis]
+
+The name of the Redis list or channel the events are published to. If not configured, the value of the `index` setting is used.
+
+You can set the key dynamically by using a format string to access any event field. For example, this configuration uses a custom field, `fields.list`, to set the Redis list key. If `fields.list` is missing, `fallback` is used:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  key: "%{[fields.list]:fallback}"
+```
+
+::::{tip}
+To learn how to add custom fields to events, see the [`fields`](/reference/winlogbeat/configuration-general-options.md#libbeat-configuration-fields) option.
+::::
+
+
+See the [`keys`](#keys-option-redis) setting for other ways to set the key dynamically.
+
+
+### `keys` [keys-option-redis]
+
+An array of key selector rules. Each rule specifies the `key` to use for events that match the rule. During publishing, Winlogbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `keys` setting is missing or no rule matches, the [`key`](#key-option-redis) setting is used.
+
+Rule settings:
+
+**`index`**
+:   The key format string to use. If this string contains field references, such as `%{[fields.name]}`, the fields must exist, or the rule fails.
+
+**`mappings`**
+:   A dictionary that takes the value returned by `key` and maps it to a new name.
+
+**`default`**
+:   The default string value to use if `mappings` does not find a match.
+
+**`when`**
+:   A condition that must succeed in order to execute the current rule. All the [conditions](/reference/winlogbeat/defining-processors.md#conditions) supported by processors are also supported here.
+
+Example `keys` settings:
+
+```yaml
+output.redis:
+  hosts: ["localhost"]
+  key: "default_list"
+  keys:
+    - key: "info_list"   # send to info_list if `message` field contains INFO
+      when.contains:
+        message: "INFO"
+    - key: "debug_list"  # send to debug_list if `message` field contains DEBUG
+      when.contains:
+        message: "DEBUG"
+    - key: "%{[fields.list]}"
+      mappings:
+        http: "frontend_list"
+        nginx: "frontend_list"
+        mysql: "backend_list"
+```
+
+
+### `password` [_password_3]
+
+The password to authenticate with. The default is no authentication.
+
+
+### `db` [_db]
+
+The Redis database number where the events are published. The default is 0.
+
+
+### `datatype` [_datatype]
+
+The Redis data type to use for publishing events.If the data type is `list`, the Redis RPUSH command is used and all events are added to the list with the key defined under `key`. If the data type `channel` is used, the Redis `PUBLISH` command is used and means that all events are pushed to the pub/sub mechanism of Redis. The name of the channel is the one defined under `key`. The default value is `list`.
+
+
+### `codec` [_codec_2]
+
+Output codec configuration. If the `codec` section is missing, events will be json encoded.
+
+See [Change the output codec](/reference/winlogbeat/configuration-output-codec.md) for more information.
+
+
+### `worker` or `workers` [_worker_or_workers_2]
+
+The number of workers to use for each host configured to publish events to Redis. Use this setting along with the `loadbalance` option. For example, if you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
+
+
+### `loadbalance` [_loadbalance_2]
+
+When `loadbalance: true` is set, Winlogbeat connects to all configured hosts and sends data through all connections in parallel. If a connection fails, data is sent to the remaining hosts until it can be reestablished. Data will still be sent as long as Winlogbeat can connect to at least one of its configured hosts.
+
+When `loadbalance: false` is set, Winlogbeat sends data to a single host at a time. The target host is chosen at random from the list of configured hosts, and all data is sent to that target until the connection fails, when a new target is selected. Data will still be sent as long as Winlogbeat can connect to at least one of its configured hosts.
+
+The default value is `true`.
+
+
+### `timeout` [_timeout_4]
+
+The Redis connection timeout in seconds. The default is 5 seconds.
+
+
+### `backoff.init` [_backoff_init_3]
+
+The number of seconds to wait before trying to reconnect to Redis after a network error. After waiting `backoff.init` seconds, Winlogbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The default is 1s.
+
+
+### `backoff.max` [_backoff_max_3]
+
+The maximum number of seconds to wait before attempting to connect to Redis after a network error. The default is 60s.
+
+
+### `max_retries` [_max_retries_4]
+
+Winlogbeat ignores the `max_retries` setting and retries indefinitely.
+
+
+### `bulk_max_size` [_bulk_max_size_3]
+
+The maximum number of events to bulk in a single Redis request or pipeline. The default is 2048.
+
+Events can be collected into batches. Winlogbeat will split batches read from the queue which are larger than `bulk_max_size` into multiple batches.
+
+Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
+
+Setting `bulk_max_size` to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.
+
+
+### `ssl` [_ssl_4]
+
+Configuration options for SSL parameters like the root CA for Redis connections guarded by SSL proxies (for example [stunnel](https://www.stunnel.org)). See [SSL](/reference/winlogbeat/configuration-ssl.md) for more information.
+
+
+### `proxy_url` [_proxy_url_3]
+
+The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The value must be a URL with a scheme of `socks5://`. You cannot use a web proxy because the protocol used to communicate with Redis is not based on HTTP.
+
+If the SOCKS5 proxy server requires client authentication, you can embed a username and password in the URL.
+
+When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the [`proxy_use_local_resolver`](#redis-proxy-use-local-resolver) option.
+
+
+### `proxy_use_local_resolver` [redis-proxy-use-local-resolver]
+
+This option determines whether Redis hostnames are resolved locally when using a proxy. The default value is false, which means that name resolution occurs on the proxy server.
+
+
+### `queue` [_queue_4]
+
+Configuration options for internal queue.
+
+See [Internal queue](/reference/winlogbeat/configuring-internal-queue.md) for more information.
+
+Note:`queue` options can be set under `winlogbeat.yml` or the `output` section but not both.
+
+
+
diff --git a/docs/reference/winlogbeat/rename-fields.md b/docs/reference/winlogbeat/rename-fields.md
new file mode 100644
index 000000000000..b41660e469dd
--- /dev/null
+++ b/docs/reference/winlogbeat/rename-fields.md
@@ -0,0 +1,43 @@
+---
+navigation_title: "rename"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/rename-fields.html
+---
+
+# Rename fields from events [rename-fields]
+
+
+The `rename` processor specifies a list of fields to rename. Under the `fields` key, each entry contains a `from: old-key` and a `to: new-key` pair, where:
+
+* `from` is the original field name. It’s supported to use `@metadata.` prefix for `from` and rename keys in the event metadata instead of event fields.
+* `to` is the target field name
+
+The `rename` processor cannot be used to overwrite fields. To overwrite fields either first rename the target field, or use the `drop_fields` processor to drop the field and then rename the field.
+
+::::{tip}
+You can rename fields to resolve field name conflicts. For example, if an event has two fields, `c` and `c.b` (where `b` is a subfield of `c`), assigning scalar values results in an {{es}} error at ingest time. The assignment `{"c": 1, "c.b": 2}` would result in an error because `c` is an object and cannot be assigned a scalar value. To prevent this conflict, rename `c` to `c.value` before assigning values.
+::::
+
+
+```yaml
+processors:
+  - rename:
+      fields:
+        - from: "a.g"
+          to: "e.d"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+The `rename` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be renamed is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the renaming of fields is stopped and the original event is returned. If set to false, renaming continues also if an error happened during renaming. Default is `true`.
+
+See [Conditions](/reference/winlogbeat/defining-processors.md#conditions) for a list of supported conditions.
+
+You can specify multiple `rename` processors under the `processors` section.
+
diff --git a/docs/reference/winlogbeat/replace-fields.md b/docs/reference/winlogbeat/replace-fields.md
new file mode 100644
index 000000000000..3ba61c1072dd
--- /dev/null
+++ b/docs/reference/winlogbeat/replace-fields.md
@@ -0,0 +1,44 @@
+---
+navigation_title: "replace"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/replace-fields.html
+---
+
+# Replace fields from events [replace-fields]
+
+
+The `replace` processor takes a list of fields to search for a matching value and replaces the matching value with a specified string.
+
+The `replace` processor cannot be used to create a completely new value.
+
+::::{tip}
+You can use this processor to truncate a field value or replace it with a new string value. You can also use this processor to mask PII information.
+::::
+
+
+
+## Example [_example]
+
+The following example changes the path from `/usr/bin` to `/usr/local/bin`:
+
+```yaml
+  - replace:
+      fields:
+        - field: "file.path"
+          pattern: "/usr/"
+          replacement: "/usr/local/"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+
+## Configuration settings [_configuration_settings]
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `fields` | Yes |  | List of one or more items. Each item contains a `field: field-name`, `pattern: regex-pattern`, and `replacement: replacement-string`, where:<br><br>* `field` is the original field name. You can use the `@metadata.` prefix in this field to replace values in the event metadata instead of event fields.<br>* `pattern` is the regex pattern to match the field’s value<br>* `replacement` is the replacement string to use to update the field’s value<br> |
+| `ignore_missing` | No | `false` | Whether to ignore missing fields. If `true`, no error is logged if the specified field is missing. |
+| `fail_on_error` | No | `true` | Whether to fail replacement of field values if an error occurs.If `true` and there’s an error, the replacement of field values is stopped, and the original event is returned.If `false`, replacement continues even if an error occurs during replacement. |
+
+See [Conditions](/reference/winlogbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/winlogbeat/securing-communication-elasticsearch.md b/docs/reference/winlogbeat/securing-communication-elasticsearch.md
new file mode 100644
index 000000000000..7c7732f17154
--- /dev/null
+++ b/docs/reference/winlogbeat/securing-communication-elasticsearch.md
@@ -0,0 +1,104 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/securing-communication-elasticsearch.html
+---
+
+# Secure communication with Elasticsearch [securing-communication-elasticsearch]
+
+When sending data to a secured cluster through the `elasticsearch` output, Winlogbeat can use any of the following authentication methods:
+
+* Basic authentication credentials (username and password).
+* Token-based API authentication.
+* A client certificate.
+
+Authentication is specified in the Winlogbeat configuration file:
+
+* To use **basic authentication**, specify the `username` and `password` settings under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      username: "winlogbeat_writer" <1>
+      password: "{pwd}" <2>
+    ```
+
+    1. This user needs the privileges required to publish events to {{es}}. To create a user like this, see [Create a *publishing* user](/reference/winlogbeat/privileges-to-publish-events.md).
+    2. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/winlogbeat/keystore.md).
+
+* To use token-based **API key authentication**, specify the `api_key` under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      api_key: "ZCV7VnwBgnX0T19fN8Qe:KnR6yE41RrSowb0kQ0HWoA" <1>
+    ```
+
+    1. This API key must have the privileges required to publish events to {{es}}. To create an API key like this, see [*Grant access using API keys*](/reference/winlogbeat/beats-api-keys.md).
+
+
+* To use **Public Key Infrastructure (PKI) certificates** to authenticate users, specify the `certificate` and `key` settings under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      ssl.certificate: "/etc/pki/client/cert.pem" <1>
+      ssl.key: "/etc/pki/client/cert.key" <2>
+    ```
+
+    1. The path to the certificate for SSL client authentication
+    2. The client certificate key
+
+
+    These settings assume that the distinguished name (DN) in the certificate is mapped to the appropriate roles in the `role_mapping.yml` file on each node in the {{es}} cluster. For more information, see [Using role mapping files](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md#mapping-roles-file).
+
+    By default, Winlogbeat uses the list of trusted certificate authorities (CA) from the operating system where Winlogbeat is running. If the certificate authority that signed your node certificates is not in the host system’s trusted certificate authorities list, you need to add the path to the `.pem` file that contains your CA’s certificate to the Winlogbeat configuration. This will configure Winlogbeat to use a specific list of CA certificates instead of the default list from the OS.
+
+    Here is an example configuration:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      ssl.certificate_authorities: <1>
+        - /etc/pki/my_root_ca.pem
+        - /etc/pki/my_other_ca.pem
+      ssl.certificate: "/etc/pki/client.pem" <2>
+      ssl.key: "/etc/pki/key.pem" <3>
+    ```
+
+    1. Specify the path to the local `.pem` file that contains your Certificate Authority’s certificate. This is needed if you use your own CA to sign your node certificates.
+    2. The path to the certificate for SSL client authentication
+    3. The client certificate key
+
+
+    ::::{note}
+    For any given connection, the SSL/TLS certificates must have a subject that matches the value specified for `hosts`, or the SSL handshake fails. For example, if you specify `hosts: ["foobar:9200"]`, the certificate MUST include `foobar` in the subject (`CN=foobar`) or as a subject alternative name (SAN). Make sure the hostname resolves to the correct IP address. If no DNS is available, then you can associate the IP address with your hostname in `/etc/hosts` (on Unix) or `C:\Windows\System32\drivers\etc\hosts` (on Windows).
+    ::::
+
+
+
+## Secure communication with the Kibana endpoint [securing-communication-kibana]
+
+If you’ve configured the [{{kib}} endpoint](/reference/winlogbeat/setup-kibana-endpoint.md), you can also specify credentials for authenticating with {{kib}} under `kibana.setup`. If no credentials are specified, Kibana will use the configured authentication method in the Elasticsearch output.
+
+For example, specify a unique username and password to connect to Kibana like this:
+
+```yaml
+setup.kibana:
+  host: "mykibanahost:5601"
+  username: "winlogbeat_kib_setup" <1>
+  password: "{pwd}" <2>
+```
+
+1. This user needs privileges required to set up dashboards. To create a user like this, see [Create a *setup* user](/reference/winlogbeat/privileges-to-setup-beats.md).
+2. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/winlogbeat/keystore.md).
+
+
+
+## Learn more about secure communication [securing-communication-learn-more]
+
+More information on sending data to a secured cluster is available in the configuration reference:
+
+* [Elasticsearch](/reference/winlogbeat/elasticsearch-output.md)
+* [SSL](/reference/winlogbeat/configuration-ssl.md)
+* [{{kib}} endpoint](/reference/winlogbeat/setup-kibana-endpoint.md)
+
diff --git a/docs/reference/winlogbeat/securing-winlogbeat.md b/docs/reference/winlogbeat/securing-winlogbeat.md
new file mode 100644
index 000000000000..df1aa046cf48
--- /dev/null
+++ b/docs/reference/winlogbeat/securing-winlogbeat.md
@@ -0,0 +1,21 @@
+---
+navigation_title: "Secure"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/securing-winlogbeat.html
+---
+
+# Secure Winlogbeat [securing-winlogbeat]
+
+
+The following topics provide information about securing the Winlogbeat process and connecting to a cluster that has {{security-features}} enabled.
+
+You can use role-based access control and optionally, API keys to grant Winlogbeat users access to secured resources.
+
+* [*Grant users access to secured resources*](/reference/winlogbeat/feature-roles.md)
+* [*Grant access using API keys*](/reference/winlogbeat/beats-api-keys.md).
+
+After privileged users have been created, use authentication to connect to a secured Elastic cluster.
+
+* [*Secure communication with Elasticsearch*](/reference/winlogbeat/securing-communication-elasticsearch.md)
+* [*Secure communication with Logstash*](/reference/winlogbeat/configuring-ssl-logstash.md)
+
diff --git a/docs/reference/winlogbeat/setting-up-running.md b/docs/reference/winlogbeat/setting-up-running.md
new file mode 100644
index 000000000000..1dc0f253999a
--- /dev/null
+++ b/docs/reference/winlogbeat/setting-up-running.md
@@ -0,0 +1,24 @@
+---
+navigation_title: "Set up and run"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/setting-up-and-running.html
+---
+
+# Set up and run Winlogbeat [setting-up-and-running]
+
+
+Before reading this section, see [Quick start: installation and configuration](/reference/winlogbeat/winlogbeat-installation-configuration.md) for basic installation instructions to get you started.
+
+This section includes additional information on how to install, set up, and run Winlogbeat, including:
+
+* [Directory layout](/reference/winlogbeat/directory-layout.md)
+* [Secrets keystore](/reference/winlogbeat/keystore.md)
+* [Command reference](/reference/winlogbeat/command-line-options.md)
+* [Start Winlogbeat](/reference/winlogbeat/winlogbeat-starting.md)
+* [Stop Winlogbeat](/reference/winlogbeat/shutdown.md)
+
+
+
+
+
+
diff --git a/docs/reference/winlogbeat/setup-kibana-endpoint.md b/docs/reference/winlogbeat/setup-kibana-endpoint.md
new file mode 100644
index 000000000000..1c18700f934d
--- /dev/null
+++ b/docs/reference/winlogbeat/setup-kibana-endpoint.md
@@ -0,0 +1,96 @@
+---
+navigation_title: "{{kib}} endpoint"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/setup-kibana-endpoint.html
+---
+
+# Configure the {{kib}} endpoint [setup-kibana-endpoint]
+
+
+{{kib}} dashboards are loaded into {{kib}} via the {{kib}} API. This requires a {{kib}} endpoint configuration. For details on authenticating to the {{kib}} API, see [Authentication](https://www.elastic.co/docs/api/doc/kibana/authentication).
+
+You configure the endpoint in the `setup.kibana` section of the `winlogbeat.yml` config file.
+
+Here is an example configuration:
+
+```yaml
+setup.kibana.host: "http://localhost:5601"
+```
+
+
+## Configuration options [_configuration_options_12]
+
+You can specify the following options in the `setup.kibana` section of the `winlogbeat.yml` config file:
+
+
+### `setup.kibana.host` [_setup_kibana_host]
+
+The {{kib}} host where the dashboards will be loaded. The default is `127.0.0.1:5601`. The value of `host` can be a `URL` or `IP:PORT`. For example: `http://192.15.3.2`, `192:15.3.2:5601` or `http://192.15.3.2:6701/path`. If no port is specified, `5601` is used.
+
+::::{note}
+When a node is defined as an `IP:PORT`, the *scheme* and *path* are taken from the [setup.kibana.protocol](#kibana-protocol-option) and [setup.kibana.path](#kibana-path-option) config options.
+::::
+
+
+IPv6 addresses must be defined using the following format: `https://[2001:db8::1]:5601`.
+
+
+### `setup.kibana.protocol` [kibana-protocol-option]
+
+The name of the protocol {{kib}} is reachable on. The options are: `http` or `https`. The default is `http`. However, if you specify a URL for host, the value of `protocol` is overridden by whatever scheme you specify in the URL.
+
+Example config:
+
+```yaml
+setup.kibana.host: "192.0.2.255:5601"
+setup.kibana.protocol: "http"
+setup.kibana.path: /kibana
+```
+
+
+### `setup.kibana.username` [_setup_kibana_username]
+
+The basic authentication username for connecting to {{kib}}. If you don’t specify a value for this setting, Winlogbeat uses the `username` specified for the {{es}} output.
+
+
+### `setup.kibana.password` [_setup_kibana_password]
+
+The basic authentication password for connecting to {{kib}}. If you don’t specify a value for this setting, Winlogbeat uses the `password` specified for the {{es}} output.
+
+
+### `setup.kibana.path` [kibana-path-option]
+
+An HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where {{kib}} listens behind an HTTP reverse proxy that exports the API under a custom prefix.
+
+
+### `setup.kibana.space.id` [kibana-space-id-option]
+
+The [Kibana space](docs-content://deploy-manage/manage-spaces.md) ID to use. If specified, Winlogbeat loads {{kib}} assets into this {{kib}} space. Omit this option to use the default space.
+
+
+#### `setup.kibana.headers` [_setup_kibana_headers]
+
+Custom HTTP headers to add to each request sent to {{kib}}. Example:
+
+```yaml
+setup.kibana.headers:
+  X-My-Header: Header contents
+```
+
+
+### `setup.kibana.ssl.enabled` [_setup_kibana_ssl_enabled]
+
+Enables Winlogbeat to use SSL settings when connecting to {{kib}} via HTTPS. If you configure Winlogbeat to connect over HTTPS, this setting defaults to `true` and Winlogbeat uses the default SSL settings.
+
+Example configuration:
+
+```yaml
+setup.kibana.host: "https://192.0.2.255:5601"
+setup.kibana.ssl.enabled: true
+setup.kibana.ssl.certificate_authorities: ["/etc/client/ca.pem"]
+setup.kibana.ssl.certificate: "/etc/client/cert.pem"
+setup.kibana.ssl.key: "/etc/client/cert.key
+```
+
+See [SSL](/reference/winlogbeat/configuration-ssl.md) for more information.
+
diff --git a/docs/reference/winlogbeat/shutdown.md b/docs/reference/winlogbeat/shutdown.md
new file mode 100644
index 000000000000..ec7eb56d34a2
--- /dev/null
+++ b/docs/reference/winlogbeat/shutdown.md
@@ -0,0 +1,13 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/shutdown.html
+---
+
+# Stop Winlogbeat [shutdown]
+
+An orderly shutdown of Winlogbeat ensures that it has a chance to clean up and close outstanding resources. You can help ensure an orderly shutdown by stopping Winlogbeat properly.
+
+If you’re running Winlogbeat as a service, you can stop it via the service management functionality provided by your installation.
+
+If you’re running Winlogbeat directly in the console, you can stop it by entering **Ctrl-C**. Alternatively, send SIGTERM to the Winlogbeat process on a POSIX system.
+
diff --git a/docs/reference/winlogbeat/ssl-client-fails.md b/docs/reference/winlogbeat/ssl-client-fails.md
new file mode 100644
index 000000000000..634e6c43a12f
--- /dev/null
+++ b/docs/reference/winlogbeat/ssl-client-fails.md
@@ -0,0 +1,71 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/ssl-client-fails.html
+---
+
+# SSL client fails to connect to Logstash [ssl-client-fails]
+
+The host running {{ls}} might be unreachable or the certificate may not be valid. To resolve your issue:
+
+* Make sure that {{ls}} is running and you can connect to it. First, try to ping the {{ls}} host to verify that you can reach it from the host running Winlogbeat. Then use either `nc` or `telnet` to make sure that the port is available. For example:
+
+    ```shell
+    ping <hostname or IP>
+    telnet <hostname or IP> 5044
+    ```
+
+* Verify that the certificate is valid and that the hostname and IP match.
+
+    ::::{tip}
+    For testing purposes only, you can set `verification_mode: none` to disable hostname checking.
+    ::::
+
+* Use OpenSSL to test connectivity to the {{ls}} server and diagnose problems. See the [OpenSSL documentation](https://www.openssl.org/docs/manmaster/man1/openssl-s_client.md) for more info.
+* Make sure that you have enabled SSL (set `ssl => true`) when configuring the [Beats input plugin for {{ls}}](logstash://reference/plugins-inputs-beats.md).
+
+## Common SSL-Related Errors and Resolutions [_common_ssl_related_errors_and_resolutions]
+
+Here are some common errors and ways to fix them:
+
+* [tls: failed to parse private key](#failed-to-parse-private-key)
+* [x509: cannot validate certificate](#cannot-validate-certificate)
+* [getsockopt: no route to host](#getsockopt-no-route-to-host)
+* [getsockopt: connection refused](#getsockopt-connection-refused)
+* [No connection could be made because the target machine actively refused it](#target-machine-refused-connection)
+
+### tls: failed to parse private key [failed-to-parse-private-key]
+
+This might occur for a few reasons:
+
+* The encrypted file is not recognized as an encrypted PEM block. Winlogbeat tries to use the encrypted content as the final key, which fails.
+* The file is correctly encrypted in a PEM block, but the decrypted content is not a key in a format that Winlogbeat recognizes. The key must be encoded as PEM format.
+* The passphrase is missing or has an error.
+
+
+### x509: cannot validate certificate for <IP address> because it doesn’t contain any IP SANs [cannot-validate-certificate]
+
+This happens because your certificate is only valid for the hostname present in the Subject field.
+
+To resolve this problem, try one of these solutions:
+
+* Create a DNS entry for the hostname mapping it to the server’s IP.
+* Create an entry in `/etc/hosts` for the hostname. Or on Windows add an entry to `C:\Windows\System32\drivers\etc\hosts`.
+* Re-create the server certificate and add a SubjectAltName (SAN) for the IP address of the server. This makes the server’s certificate valid for both the hostname and the IP address.
+
+
+### getsockopt: no route to host [getsockopt-no-route-to-host]
+
+This is not a SSL problem. It’s a networking problem. Make sure the two hosts can communicate.
+
+
+### getsockopt: connection refused [getsockopt-connection-refused]
+
+This is not a SSL problem. Make sure that {{ls}} is running and that there is no firewall blocking the traffic.
+
+
+### No connection could be made because the target machine actively refused it [target-machine-refused-connection]
+
+A firewall is refusing the connection. Check if a firewall is blocking the traffic on the client, the network, or the destination host.
+
+
+
diff --git a/docs/reference/winlogbeat/syslog.md b/docs/reference/winlogbeat/syslog.md
new file mode 100644
index 000000000000..e6b059e5fce3
--- /dev/null
+++ b/docs/reference/winlogbeat/syslog.md
@@ -0,0 +1,156 @@
+---
+navigation_title: "syslog"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/syslog.html
+---
+
+# Syslog [syslog]
+
+
+The syslog processor parses RFC 3146 and/or RFC 5424 formatted syslog messages that are stored in a field. The processor itself does not handle receiving syslog messages from external sources. This is done through an input, such as the TCP input. Certain integrations, when enabled through configuration, will embed the syslog processor to process syslog messages, such as Custom TCP Logs and Custom UDP Logs.
+
+
+## Configuration [_configuration]
+
+The `syslog` processor parses RFC 3146 and/or RFC 5424 formatted syslog messages that are stored under the `field` key.
+
+The supported configuration options are:
+
+`field`
+:   (Required) Source field containing the syslog message. Defaults to `message`.
+
+`format`
+:   (Optional) The syslog format to use, `rfc3164`, or `rfc5424`. To automatically detect the format from the log entries, set this option to `auto`. The default is `auto`.
+
+`timezone`
+:   (Optional) IANA time zone name(e.g. `America/New York`) or a fixed time offset (e.g. +0200) to use when parsing syslog timestamps that do not contain a time zone. `Local` may be specified to use the machine’s local time zone. Defaults to `Local`.
+
+`overwrite_keys`
+:   (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the syslog message. The default value is `true`.
+
+`ignore_missing`
+:   (Optional) If `true` the processor will not return an error when a specified field does not exist. Defaults to `false`.
+
+`ignore_failure`
+:   (Optional) Ignore all errors produced by the processor. Defaults to `false`.
+
+`tag`
+:   (Optional) An identifier for this processor. Useful for debugging.
+
+Example:
+
+```yaml
+processors:
+  - syslog:
+      field: message
+```
+
+```json
+{
+  "message": "<165>1 2022-01-11T22:14:15.003Z mymachine.example.com eventslog 1024 ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"][examplePriority@32473 class=\"high\"] this is the message"
+}
+```
+
+Will produce the following output:
+
+```json
+{
+  "@timestamp": "2022-01-11T22:14:15.003Z",
+  "log": {
+    "syslog": {
+      "priority": 165,
+      "facility": {
+        "code": 20,
+        "name": "local4"
+      },
+      "severity": {
+        "code": 5,
+        "name": "Notice"
+      },
+      "hostname": "mymachine.example.com",
+      "appname": "eventslog",
+      "procid": "1024",
+      "msgid": "ID47",
+      "version": 1,
+      "structured_data": {
+        "exampleSDID@32473": {
+          "iut":         "3",
+          "eventSource": "Application",
+          "eventID":     "1011"
+        },
+        "examplePriority@32473": {
+          "class": "high"
+        }
+      }
+    }
+  },
+  "message": "this is the message"
+}
+```
+
+
+## Timestamps [_timestamps]
+
+The RFC 3164 format accepts the following forms of timestamps:
+
+* Local timestamp (`Mmm dd hh:mm:ss`):
+
+    * `Jan 23 14:09:01`
+
+* RFC-3339*:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+**Note**: The local timestamp (for example, `Jan 23 14:09:01`) that accompanies an RFC 3164 message lacks year and time zone information. The time zone will be enriched using the `timezone` configuration option, and the year will be enriched using the Winlogbeat system’s local time (accounting for time zones). Because of this, it is possible for messages to appear in the future. An example of when this might happen is logs generated on December 31 2021 are ingested on January 1 2022. The logs would be enriched with the year 2022 instead of 2021.
+
+The RFC 5424 format accepts the following forms of timestamps:
+
+* RFC-3339:
+
+    * `2003-10-11T22:14:15Z`
+    * `2003-10-11T22:14:15.123456Z`
+    * `2003-10-11T22:14:15-06:00`
+    * `2003-10-11T22:14:15.123456-06:00`
+
+
+Formats with an asterisk (*) are a non-standard allowance.
+
+
+## Structured Data [_structured_data]
+
+For RFC 5424-formatted logs, if the structured data cannot be parsed according to RFC standards, the original structured data text will be prepended to the message field, separated by a space.
+
+
+## Metrics [_metrics]
+
+Internal metrics are available to assist with debugging efforts. The metrics are served from the metrics HTTP endpoint (for example: `http://localhost:5066/stats`) and are found under `processor.syslog.[instance ID]` or `processor.syslog.[tag]-[instance ID]` if a **tag** is provided. See [HTTP endpoint](/reference/winlogbeat/http-endpoint.md) for more information on configuration the metrics HTTP endpoint.
+
+For example, here are metrics from a processor with a **tag** of `log-input` and an **instance ID** of `1`:
+
+```json
+{
+  "processor": {
+    "syslog": {
+      "log-input-1": {
+        "failure": 10,
+        "missing": 0,
+        "success": 3
+      }
+    }
+  }
+}
+```
+
+`failure`
+:   Measures the number of occurrences where a message was unable to be parsed.
+
+`missing`
+:   Measures the number of occurrences where an event was missing the required input field.
+
+`success`
+:   Measures the number of successfully parsed syslog messages.
+
diff --git a/docs/reference/winlogbeat/troubleshooting.md b/docs/reference/winlogbeat/troubleshooting.md
new file mode 100644
index 000000000000..784179f29da3
--- /dev/null
+++ b/docs/reference/winlogbeat/troubleshooting.md
@@ -0,0 +1,14 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/troubleshooting.html
+---
+
+# Troubleshoot [troubleshooting]
+
+If you have issues installing or running Winlogbeat, read the following tips:
+
+* [*Get Help*](/reference/winlogbeat/getting-help.md)
+* [*Debug*](/reference/winlogbeat/enable-winlogbeat-debugging.md)
+* [Understand logged metrics](/reference/winlogbeat/understand-winlogbeat-logs.md)
+* [*Common problems*](/reference/winlogbeat/faq.md)
+
diff --git a/docs/reference/winlogbeat/truncate-fields.md b/docs/reference/winlogbeat/truncate-fields.md
new file mode 100644
index 000000000000..050c466e9ae7
--- /dev/null
+++ b/docs/reference/winlogbeat/truncate-fields.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "truncate_fields"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/truncate-fields.html
+---
+
+# Truncate fields [truncate-fields]
+
+
+The `truncate_fields` processor truncates a field to a given size. If the size of the field is smaller than the limit, the field is left as is.
+
+`fields`
+:   List of fields to truncate. It’s supported to use `@metadata.` prefix for the fields and truncate values in the event metadata instead of event fields.
+
+`max_bytes`
+:   Maximum number of bytes in a field. Mutually exclusive with `max_characters`.
+
+`max_characters`
+:   Maximum number of characters in a field. Mutually exclusive with `max_bytes`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the changes to the event are reverted, and the original event is returned. If set to `false`, processing continues also if an error happens. Default is `true`.
+
+`ignore_missing`
+:   (Optional) Whether to ignore events that lack the source field. The default is `false`, which will fail processing of an event if a field is missing.
+
+For example, this configuration truncates the field named `message` to 5 characters:
+
+```yaml
+processors:
+  - truncate_fields:
+      fields:
+        - message
+      max_characters: 5
+      fail_on_error: false
+      ignore_missing: true
+```
+
diff --git a/docs/reference/winlogbeat/understand-winlogbeat-logs.md b/docs/reference/winlogbeat/understand-winlogbeat-logs.md
new file mode 100644
index 000000000000..21db34cc9b53
--- /dev/null
+++ b/docs/reference/winlogbeat/understand-winlogbeat-logs.md
@@ -0,0 +1,210 @@
+---
+navigation_title: "Understand logged metrics"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/understand-winlogbeat-logs.html
+---
+
+# Understand metrics in Winlogbeat logs [understand-winlogbeat-logs]
+
+
+Every 30 seconds (by default), Winlogbeat collects a *snapshot* of metrics about itself. From this snapshot, Winlogbeat computes a *delta snapshot*; this delta snapshot contains any metrics that have *changed* since the last snapshot. Note that the values of the metrics are the values when the snapshot is taken, *NOT* the *difference* in values from the last snapshot.
+
+If this delta snapshot contains *any* metrics (indicating at least one metric that has changed since the last snapshot), this delta snapshot is serialized as JSON and emitted in Winlogbeat’s logs at the `INFO` log level. Most snapshot fields report the change in the metric since the last snapshot, however some fields are *gauges*, which always report the current value. Here is an example of such a log entry:
+
+```json
+{"log.level":"info","@timestamp":"2023-07-14T12:50:36.811Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":0}}}},"cpu":{"system":{"ticks":692690,"time":{"ms":60}},"total":{"ticks":3167250,"time":{"ms":150},"value":3167250},"user":{"ticks":2474560,"time":{"ms":90}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":32},"info":{"ephemeral_id":"2bab8688-34c0-4522-80af-db86948d547d","uptime":{"ms":617670096},"version":"8.6.2"},"memstats":{"gc_next":57189272,"memory_alloc":43589824,"memory_total":275281335792,"rss":183574528},"runtime":{"goroutines":212}},"filebeat":{"events":{"active":5,"added":52,"done":49},"harvester":{"open_files":6,"running":6,"started":1}},"libbeat":{"config":{"module":{"running":15}},"output":{"events":{"acked":48,"active":0,"batches":6,"total":48},"read":{"bytes":210},"write":{"bytes":26923}},"pipeline":{"clients":15,"events":{"active":5,"filtered":1,"published":51,"total":52},"queue":{"max_events":3500,"filled":{"events":5,"bytes":6425,"pct":0.0014},"added":{"events":52,"bytes":65702},"consumed":{"events":52,"bytes":65702},"removed":{"events":48,"bytes":59277},"acked":48}}},"registrar":{"states":{"current":14,"update":49},"writes":{"success":6,"total":6}},"system":{"load":{"1":0.91,"15":0.37,"5":0.4,"norm":{"1":0.1138,"15":0.0463,"5":0.05}}}},"ecs.version":"1.6.0"}}
+```
+
+
+## Details [_details]
+
+Focussing on the `.monitoring.metrics` field, and formatting the JSON, it’s value is:
+
+```json
+{
+  "beat": {
+    "cgroup": {
+      "memory": {
+        "mem": {
+          "usage": {
+            "bytes": 0
+          }
+        }
+      }
+    },
+    "cpu": {
+      "system": {
+        "ticks": 692690,
+        "time": {
+          "ms": 60
+        }
+      },
+      "total": {
+        "ticks": 3167250,
+        "time": {
+          "ms": 150
+        },
+        "value": 3167250
+      },
+      "user": {
+        "ticks": 2474560,
+        "time": {
+          "ms": 90
+        }
+      }
+    },
+    "handles": {
+      "limit": {
+        "hard": 1048576,
+        "soft": 1048576
+      },
+      "open": 32
+    },
+    "info": {
+      "ephemeral_id": "2bab8688-34c0-4522-80af-db86948d547d",
+      "uptime": {
+        "ms": 617670096
+      },
+      "version": "8.6.2"
+    },
+    "memstats": {
+      "gc_next": 57189272,
+      "memory_alloc": 43589824,
+      "memory_total": 275281335792,
+      "rss": 183574528
+    },
+    "runtime": {
+      "goroutines": 212
+    }
+  },
+  "filebeat": {
+    "events": {
+      "active": 5,
+      "added": 52,
+      "done": 49
+    },
+    "harvester": {
+      "open_files": 6,
+      "running": 6,
+      "started": 1
+    }
+  },
+  "libbeat": {
+    "config": {
+      "module": {
+        "running": 15
+      }
+    },
+    "output": {
+      "events": {
+        "acked": 48,
+        "active": 0,
+        "batches": 6,
+        "total": 48
+      },
+      "read": {
+        "bytes": 210
+      },
+      "write": {
+        "bytes": 26923
+      }
+    },
+    "pipeline": {
+      "clients": 15,
+      "events": {
+        "active": 5,
+        "filtered": 1,
+        "published": 51,
+        "total": 52
+      },
+      "queue": {
+        "max_events": 3500,
+        "filled": {
+          "events": 5,
+          "bytes": 6425,
+          "pct": 0.0014
+        },
+        "added": {
+          "events": 52,
+          "bytes": 65702
+        },
+        "consumed": {
+          "events": 52,
+          "bytes": 65702
+        },
+        "removed": {
+          "events": 48,
+          "bytes": 59277
+        },
+        "acked": 48
+      }
+    }
+  },
+  "registrar": {
+    "states": {
+      "current": 14,
+      "update": 49
+    },
+    "writes": {
+      "success": 6,
+      "total": 6
+    }
+  },
+  "system": {
+    "load": {
+      "1": 0.91,
+      "15": 0.37,
+      "5": 0.4,
+      "norm": {
+        "1": 0.1138,
+        "15": 0.0463,
+        "5": 0.05
+      }
+    }
+  }
+}
+```
+
+The following tables explain the meaning of the most important fields under `.monitoring.metrics` and also provide hints that might be helpful in troubleshooting Winlogbeat issues.
+
+| Field path (relative to `.monitoring.metrics`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.beat` | Object | Information that is common to all Beats, e.g. version, goroutines, file handles, CPU, memory |  |
+| `.libbeat` | Object | Information about the publisher pipeline and output, also common to all Beats |  |
+
+| Field path (relative to `.monitoring.metrics.beat`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.runtime.goroutines` | Integer | Number of goroutines running | If this number grows over time, it indicates a goroutine leak |
+
+| Field path (relative to `.monitoring.metrics.libbeat`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.pipeline.events.active` | Integer | Number of events currently in the libbeat publisher pipeline. | If this number grows over time, it may indicate that Winlogbeat is producing events faster than the output can consume them. Consider increasing the number of output workers (if this setting is supported by the output; {{es}} and {{ls}} outputs support this setting). The pipeline includes events currently being processed as well as events in the queue. So this metric can sometimes end up slightly higher than the queue size. If this metric reaches the maximum queue size (`queue.mem.events` for the in-memory queue), it almost certainly indicates backpressure on Winlogbeat, implying that Winlogbeat may need to temporarily stop ingesting more events from the source until this backpressure is relieved. |
+| `.output.events.total` | Integer | Number of events currently being processed by the output. | If this number grows over time, it may indicate that the output destination (e.g. {{ls}} pipeline or {{es}} cluster) is not able to accept events at the same or faster rate than what Winlogbeat is sending to it. |
+| `.output.events.acked` | Integer | Number of events acknowledged by the output destination. | Generally, we want this number to be the same as `.output.events.total` as this indicates that the output destination has reliably received all the events sent to it. |
+| `.output.events.failed` | Integer | Number of events that Winlogbeat tried to send to the output destination, but the destination failed to receive them. | Generally, we want this field to be absent or its value to be zero. When the value is greater than zero, it’s useful to check Winlogbeat’s logs right before this log entry’s `@timestamp` to see if there are any connectivity issues with the output destination. Note that failed events are not lost or dropped; they will be sent back to the publisher pipeline for retrying later. |
+| `.output.events.dropped` | Integer | Number of events that Winlogbeat gave up sending to the output destination because of a permanent (non-retryable) error. | `.output.events.dead_letter` |
+| Integer | Number of events that Winlogbeat successfully sent to a configured dead letter index after they failed to ingest in the primary index. | `.output.write.latency` | Object |
+
+| Field path (relative to `.monitoring.metrics.libbeat.pipeline`) | Type | Meaning | Troubleshooting hints |
+| --- | --- | --- | --- |
+| `.queue.max_events` | Integer (gauge) | The queue’s maximum event count if it has one, otherwise zero. | `.queue.max_bytes` |
+| Integer (gauge) | The queue’s maximum byte count if it has one, otherwise zero. | `.queue.filled.events` | Integer (gauge) |
+| Number of events currently stored by the queue. |  | `.queue.filled.bytes` | Integer (gauge) |
+| Number of bytes currently stored by the queue. |  | `.queue.filled.pct` | Float (gauge) |
+| How full the queue is relative to its maximum size, as a fraction from 0 to 1. | Low throughput while `queue.filled.pct` is low means congestion in the input. Low throughput while `queue.filled.pct` is high means congestion in the output. | `.queue.added.events` | Integer |
+| Number of events added to the queue by input workers. |  | `.queue.added.bytes` | Integer |
+| Number of bytes added to the queue by input workers. |  | `.queue.consumed.events` | Integer |
+| Number of events sent to output workers. |  | `.queue.consumed.bytes` | Integer |
+| Number of bytes sent to output workers. |  | `.queue.removed.events` | Integer |
+| Number of events removed from the queue after being processed by output workers. |  | `.queue.removed.bytes` | Integer |
+
+When using the memory queue, byte metrics are only set if the output supports them. Currently only the Elasticsearch output supports byte metrics.
+
+
+## Useful commands [_useful_commands]
+
+
+### Parse monitoring metrics from unstructured Winlogbeat logs [_parse_monitoring_metrics_from_unstructured_winlogbeat_logs]
+
+For Winlogbeat versions that emit unstructured logs, the following script can be used to parse monitoring metrics from such logs: [https://github.com/elastic/beats/blob/main/script/metrics_from_log_file.sh](https://github.com/elastic/beats/blob/main/script/metrics_from_log_file.sh).
+
diff --git a/docs/reference/winlogbeat/upgrading-winlogbeat.md b/docs/reference/winlogbeat/upgrading-winlogbeat.md
new file mode 100644
index 000000000000..618d9c25ac14
--- /dev/null
+++ b/docs/reference/winlogbeat/upgrading-winlogbeat.md
@@ -0,0 +1,14 @@
+---
+navigation_title: "Upgrade"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/upgrading-winlogbeat.html
+---
+
+# Upgrade Winlogbeat [upgrading-winlogbeat]
+
+
+For information about upgrading to a new version, see:
+
+* [Breaking Changes](/release-notes/breaking-changes.md)
+* [Upgrade](/reference/libbeat/upgrading.md)
+
diff --git a/docs/reference/winlogbeat/urldecode.md b/docs/reference/winlogbeat/urldecode.md
new file mode 100644
index 000000000000..156c8cc38257
--- /dev/null
+++ b/docs/reference/winlogbeat/urldecode.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "urldecode"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/urldecode.html
+---
+
+# URL Decode [urldecode]
+
+
+The `urldecode` processor specifies a list of fields to decode from URL encoded format. Under the `fields` key, each entry contains a `from: source-field` and a `to: target-field` pair, where:
+
+* `from` is the source field name
+* `to` is the target field name (defaults to the `from` value)
+
+```yaml
+processors:
+  - urldecode:
+      fields:
+        - from: "field1"
+          to: "field2"
+      ignore_missing: false
+      fail_on_error: true
+```
+
+In the example above:
+
+* field1 is decoded in field2
+
+The `urldecode` processor has the following configuration settings:
+
+`ignore_missing`
+:   (Optional) If set to true, no error is logged in case a key which should be URL-decoded is missing. Default is `false`.
+
+`fail_on_error`
+:   (Optional) If set to true, in case of an error the URL-decoding of fields is stopped and the original event is returned. If set to false, decoding continues also if an error happened during decoding. Default is `true`.
+
+See [Conditions](/reference/winlogbeat/defining-processors.md#conditions) for a list of supported conditions.
+
diff --git a/docs/reference/winlogbeat/using-environ-vars.md b/docs/reference/winlogbeat/using-environ-vars.md
new file mode 100644
index 000000000000..be7118f5b2b0
--- /dev/null
+++ b/docs/reference/winlogbeat/using-environ-vars.md
@@ -0,0 +1,80 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/using-environ-vars.html
+---
+
+# Use environment variables in the configuration [using-environ-vars]
+
+You can use environment variable references in the config file to set values that need to be configurable during deployment. To do this, use:
+
+`${VAR}`
+
+Where `VAR` is the name of the environment variable.
+
+Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.
+
+To specify a default value, use:
+
+`${VAR:default_value}`
+
+Where `default_value` is the value to use if the environment variable is undefined.
+
+To specify custom error text, use:
+
+`${VAR:?error_text}`
+
+Where `error_text` is custom text that will be prepended to the error message if the environment variable cannot be expanded.
+
+If you need to use a special character in your configuration file, use `$` to escape the expansion. For example, you can escape `${` or `}` with `$${` or `$}`.
+
+After changing the value of an environment variable, you need to restart Winlogbeat to pick up the new value.
+
+::::{note}
+You can also specify environment variables when you override a config setting from the command line by using the `-E` option. For example:
+
+`-E name=${NAME}`
+
+::::
+
+
+
+## Examples [_examples]
+
+Here are some examples of configurations that use environment variables and what each configuration looks like after replacement:
+
+| Config source | Environment setting | Config after replacement |
+| --- | --- | --- |
+| `name: ${NAME}` | `export NAME=elastic` | `name: elastic` |
+| `name: ${NAME}` | no setting | `name:` |
+| `name: ${NAME:beats}` | no setting | `name: beats` |
+| `name: ${NAME:beats}` | `export NAME=elastic` | `name: elastic` |
+| `name: ${NAME:?You need to set the NAME environment variable}` | no setting | None. Returns an error message that’s prepended with the custom text. |
+| `name: ${NAME:?You need to set the NAME environment variable}` | `export NAME=elastic` | `name: elastic` |
+
+
+## Specify complex objects in environment variables [_specify_complex_objects_in_environment_variables]
+
+You can specify complex objects, such as lists or dictionaries, in environment variables by using a JSON-like syntax.
+
+As with JSON, dictionaries and lists are constructed using `{}` and `[]`. But unlike JSON, the syntax allows for trailing commas and slightly different string quotation rules. Strings can be unquoted, single-quoted, or double-quoted, as a convenience for simple settings and to make it easier for you to mix quotation usage in the shell. Arrays at the top-level do not require brackets (`[]`).
+
+For example, the following environment variable is set to a list:
+
+```yaml
+ES_HOSTS="10.45.3.2:9220,10.45.3.1:9230"
+```
+
+You can reference this variable in the config file:
+
+```yaml
+output.elasticsearch:
+  hosts: '${ES_HOSTS}'
+```
+
+When Winlogbeat loads the config file, it resolves the environment variable and replaces it with the specified list before reading the `hosts` setting.
+
+::::{note}
+Do not use double-quotes (`"`) to wrap regular expressions, or the backslash (`\`) will be interpreted as an escape character.
+::::
+
+
diff --git a/docs/reference/winlogbeat/winlogbeat-geoip.md b/docs/reference/winlogbeat/winlogbeat-geoip.md
new file mode 100644
index 000000000000..f894633b997c
--- /dev/null
+++ b/docs/reference/winlogbeat/winlogbeat-geoip.md
@@ -0,0 +1,206 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-geoip.html
+---
+
+# Enrich events with geoIP information [winlogbeat-geoip]
+
+You can use Winlogbeat along with the [GeoIP Processor](elasticsearch://reference/ingestion-tools/enrich-processor/geoip-processor.md) in {{es}} to export geographic location information based on IP addresses. Then you can use this information to visualize the location of IP addresses on a map in {{kib}}.
+
+The `geoip` processor adds information about the geographical location of IP addresses, based on data from the Maxmind GeoLite2 City Database. Because the processor uses a geoIP database that’s installed on {{es}}, you don’t need to install a geoIP database on the machines running Winlogbeat.
+
+::::{note}
+If your use case involves using {{ls}}, you can use the [GeoIP filter](logstash://reference/plugins-filters-geoip.md) available in {{ls}} instead of using the `geoip` processor. However, using the `geoip` processor is the simplest approach when you don’t require the additional processing power of {{ls}}.
+::::
+
+
+
+## Configure the `geoip` processor [winlogbeat-configuring-geoip]
+
+To configure Winlogbeat and the `geoip` processor:
+
+1. Define an ingest pipeline that uses one or more `geoip` processors to add location information to the event. For example, you can use the Console in {{kib}} to create the following pipeline:
+
+    ```console
+    PUT _ingest/pipeline/geoip-info
+    {
+      "description": "Add geoip info",
+      "processors": [
+        {
+          "geoip": {
+            "field": "client.ip",
+            "target_field": "client.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "client.ip",
+            "target_field": "client.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "source.ip",
+            "target_field": "source.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "source.ip",
+            "target_field": "source.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "destination.ip",
+            "target_field": "destination.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "destination.ip",
+            "target_field": "destination.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "server.ip",
+            "target_field": "server.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "database_file": "GeoLite2-ASN.mmdb",
+            "field": "server.ip",
+            "target_field": "server.as",
+            "properties": [
+              "asn",
+              "organization_name"
+            ],
+            "ignore_missing": true
+          }
+        },
+        {
+          "geoip": {
+            "field": "host.ip",
+            "target_field": "host.geo",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "server.as.asn",
+            "target_field": "server.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "server.as.organization_name",
+            "target_field": "server.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "client.as.asn",
+            "target_field": "client.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "client.as.organization_name",
+            "target_field": "client.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "source.as.asn",
+            "target_field": "source.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "source.as.organization_name",
+            "target_field": "source.as.organization.name",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "destination.as.asn",
+            "target_field": "destination.as.number",
+            "ignore_missing": true
+          }
+        },
+        {
+          "rename": {
+            "field": "destination.as.organization_name",
+            "target_field": "destination.as.organization.name",
+            "ignore_missing": true
+          }
+        }
+      ]
+    }
+    ```
+
+    In this example, the pipeline ID is `geoip-info`. `field` specifies the field that contains the IP address to use for the geographical lookup, and `target_field` is the field that will hold the geographical information. `"ignore_missing": true` configures the pipeline to continue processing when it encounters an event that doesn’t have the specified field.
+
+    See [GeoIP Processor](elasticsearch://reference/ingestion-tools/enrich-processor/geoip-processor.md) for more options.
+
+    To learn more about adding host information to an event, see [add_host_metadata](/reference/winlogbeat/add-host-metadata.md).
+
+2. In the Winlogbeat config file, configure the {{es}} output to use the pipeline. Specify the pipeline ID in the `pipeline` option under `output.elasticsearch`. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["localhost:9200"]
+      pipeline: geoip-info
+    ```
+
+3. Run Winlogbeat. Remember to use `sudo` if the config file is owned by root.
+
+    ```sh
+    ./winlogbeat -e
+    ```
+
+    If the lookups succeed, the events are enriched with `geo_point` fields, such as `client.geo.location` and `host.geo.location`, that you can use to populate visualizations in {{kib}}.
+
+
+If you add a field that’s not already defined as a `geo_point` in the index template, add a mapping so the field gets indexed correctly.
+
+
+## Visualize locations [winlogbeat-visualizing-location]
+
+To visualize the location of IP addresses, you can create a new [coordinate map](docs-content://explore-analyze/visualize/maps.md) in {{kib}} and select the location field, for example `client.geo.location` or `host.geo.location`, as the Geohash.
+
+:::{image} images/coordinate-map.png
+:alt: Coordinate map in {kib}
+:class: screenshot
+:::
+
diff --git a/docs/reference/winlogbeat/winlogbeat-installation-configuration.md b/docs/reference/winlogbeat/winlogbeat-installation-configuration.md
new file mode 100644
index 000000000000..23a723d76cf2
--- /dev/null
+++ b/docs/reference/winlogbeat/winlogbeat-installation-configuration.md
@@ -0,0 +1,317 @@
+---
+navigation_title: "Quick start"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html
+---
+
+# Winlogbeat quick start: installation and configuration [winlogbeat-installation-configuration]
+
+
+This guide describes how to get started quickly with Windows log monitoring. You’ll learn how to:
+
+* install Winlogbeat on each system you want to monitor
+* specify the location of your log files
+* parse log data into fields and send it to {es}
+* visualize the log data in {kib}
+
+:::{image} images/winlogbeat-dashboard.png
+:alt: Winlogbeat dashboard
+:class: screenshot
+:::
+
+
+## Before you begin [_before_you_begin]
+
+You need {{es}} for storing and searching your data, and {{kib}} for visualizing and managing it.
+
+:::::::{tab-set}
+
+::::::{tab-item} Elasticsearch Service
+To get started quickly, spin up a deployment of our [hosted {{ess}}](https://www.elastic.co/cloud/elasticsearch-service). The {{ess}} is available on AWS, GCP, and Azure. [Try it out for free](https://cloud.elastic.co/registration?page=docs&placement=docs-body).
+::::::
+
+::::::{tab-item} Self-managed
+To install and run {{es}} and {{kib}}, see [Installing the {{stack}}](docs-content://deploy-manage/deploy/self-managed/deploy-cluster.md).
+::::::
+
+:::::::
+
+## Step 1: Install Winlogbeat [installation]
+
+1. Download the Winlogbeat zip file from the [downloads page](https://www.elastic.co/downloads/beats/winlogbeat).
+2. Extract the contents into `C:\Program Files`.
+3. Rename the `winlogbeat-<version>` directory to `Winlogbeat`.
+4. Open a PowerShell prompt as an Administrator (right-click on the PowerShell icon and select Run As Administrator).
+5. From the PowerShell prompt, run the following commands to install the service.
+
+```sh
+PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'
+PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1
+
+Security warning
+Run only scripts that you trust. While scripts from the internet can be useful,
+this script can potentially harm your computer. If you trust this script, use
+the Unblock-File cmdlet to allow the script to run without this warning message.
+Do you want to run C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1?
+[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
+
+Status   Name               DisplayName
+------   ----               -----------
+Stopped  winlogbeat         winlogbeat
+```
+
+::::{note}
+If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: `PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1`.
+::::
+
+
+::::{note}
+To use a local non-Administrator account to run Winlogbeat, follow [these additional steps](#local-user-account-setup).
+::::
+
+
+
+## Step 2: Connect to the {{stack}} [set-connection]
+
+Connections to {{es}} and {{kib}} are required to set up Winlogbeat.
+
+Set the connection information in `winlogbeat.yml`. To locate this configuration file, see [Directory layout](/reference/winlogbeat/directory-layout.md).
+
+:::::::{tab-set}
+
+::::::{tab-item} Elasticsearch Service
+Specify the [cloud.id](/reference/winlogbeat/configure-cloud-id.md) of your {{ess}}, and set [cloud.auth](/reference/winlogbeat/configure-cloud-id.md) to a user who is authorized to set up Winlogbeat. For example:
+
+```yaml
+cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
+cloud.auth: "winlogbeat_setup:{pwd}" <1>
+```
+
+1. This examples shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/winlogbeat/keystore.md).
+::::::
+
+::::::{tab-item} Self-managed
+1. Set the host and port where Winlogbeat can find the {{es}} installation, and set the username and password of a user who is authorized to set up Winlogbeat. For example:
+
+    ```yaml
+    output.elasticsearch:
+      hosts: ["https://myEShost:9200"]
+      username: "winlogbeat_internal"
+      password: "{pwd}" <1>
+      ssl:
+        enabled: true
+        ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c" <2>
+    ```
+
+    1. This example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](/reference/winlogbeat/keystore.md).
+    2. This example shows a hard-coded fingerprint, but you should store sensitive values in the [secrets keystore](/reference/winlogbeat/keystore.md). The fingerprint is a HEX encoded SHA-256 of a CA certificate, when you start {{es}} for the first time, security features such as network encryption (TLS) for {{es}} are enabled by default. If you are using the self-signed certificate generated by {{es}} when it is started for the first time, you will need to add its fingerprint here. The fingerprint is printed on {{es}} start up logs, or you can refer to [connect clients to {{es}} documentation](docs-content://deploy-manage/security/security-certificates-keys.md#_connect_clients_to_es_5) for other options on retrieving it. If you are providing your own SSL certificate to {{es}} refer to [Winlogbeat documentation on how to setup SSL](/reference/winlogbeat/configuration-ssl.md#ssl-client-config).
+
+2. If you plan to use our pre-built {{kib}} dashboards, configure the {{kib}} endpoint. Skip this step if {{kib}} is running on the same host as {{es}}.
+
+    ```yaml
+      setup.kibana:
+        host: "mykibanahost:5601" <1>
+        username: "my_kibana_user" <2> <3>
+        password: "{pwd}"
+    ```
+
+    1. The hostname and port of the machine where {{kib}} is running, for example, `mykibanahost:5601`. If you specify a path after the port number, include the scheme and port: `http://mykibanahost:5601/path`.
+    2. The `username` and `password` settings for {{kib}} are optional. If you don’t specify credentials for {{kib}}, Winlogbeat uses the `username` and `password` specified for the {{es}} output.
+    3. To use the pre-built {{kib}} dashboards, this user must be authorized to view dashboards or have the `kibana_admin` [built-in role](elasticsearch://reference/elasticsearch/roles.md).
+::::::
+
+:::::::
+To learn more about required roles and privileges, see [*Grant users access to secured resources*](/reference/winlogbeat/feature-roles.md).
+
+
+## Step 3: Configure Winlogbeat [configuration]
+
+In `winlogbeat.yml`, configure the event logs that you want to monitor.
+
+1. Under `winlogbeat.event_log`, specify a list of event logs to monitor. By default, Winlogbeat monitors application, security, and system logs.
+
+    ```yaml
+    winlogbeat.event_logs:
+      - name: Application
+      - name: Security
+      - name: System
+    ```
+
+    To obtain a list of available event logs, run `Get-EventLog *` in PowerShell. For more information about this command, see the configuration details for [event_logs.name](/reference/winlogbeat/configuration-winlogbeat-options.md#configuration-winlogbeat-options-event_logs-name).
+
+2. (Optional) Set logging options to write Winlogbeat logs to a file:
+
+    ```yaml
+    logging.to_files: true
+    logging.files:
+      path: C:\ProgramData\winlogbeat\Logs
+    logging.level: info
+    ```
+
+3. After you save your configuration file, test it with the following command.
+
+    ```shell
+    PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
+    ```
+
+
+For more information about configuring Winlogbeat, also see:
+
+* [Configure Winlogbeat](/reference/winlogbeat/configuring-howto-winlogbeat.md)
+* [Config file format](/reference/libbeat/config-file-format.md)
+* [`winlogbeat.reference.yml`](/reference/winlogbeat/winlogbeat-reference-yml.md): This reference configuration file shows all non-deprecated options. You’ll find it in the same location as `winlogbeat.yml`.
+
+
+## Step 4: Set up assets [setup-assets]
+
+Winlogbeat comes with predefined assets for parsing, indexing, and visualizing your data. To load these assets:
+
+1. Make sure the user specified in `winlogbeat.yml` is [authorized to set up Winlogbeat](/reference/winlogbeat/privileges-to-setup-beats.md).
+2. From the installation directory, run:
+
+    ```sh
+    PS > .\winlogbeat.exe setup -e
+    ```
+
+
+This step loads the recommended [index template](docs-content://manage-data/data-store/templates.md) for writing to {{es}} , loads the ingest pipelines to parse the events (x-pack only), and deploys the sample dashboards for visualizing the data in {{kib}}.
+
+::::{tip}
+A connection to {{es}} (or {{ess}}) is required to set up the initial environment. If you’re using a different output, such as {{ls}}, see:
+
+* [Load the index template manually](/reference/winlogbeat/winlogbeat-template.md#load-template-manually)
+* [*Load {{kib}} dashboards*](/reference/winlogbeat/load-kibana-dashboards.md)
+* [*Load ingest pipelines*](/reference/winlogbeat/load-ingest-pipelines.md) (x-pack only)
+
+::::
+
+
+
+## Step 5: Start Winlogbeat [start]
+
+Before starting Winlogbeat, modify the user credentials in `winlogbeat.yml` and specify a user who is [authorized to publish events](/reference/winlogbeat/privileges-to-publish-events.md).
+
+To start the Winlogbeat service, run:
+
+```shell
+PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
+```
+
+Winlogbeat should now be running. If you used the logging configuration described here, you can view the log file at `C:\ProgramData\winlogbeat\Logs\winlogbeat`.
+
+You can view the status of the service and control it from the Services management console in Windows. To launch the management console, run this command:
+
+```shell
+PS C:\Program Files\Winlogbeat> services.msc
+```
+
+
+### Stop Winlogbeat [_stop_winlogbeat]
+
+Stop the Winlogbeat service with the following command:
+
+```shell
+PS C:\Program Files\Winlogbeat> Stop-Service winlogbeat
+```
+
+
+## Step 6: View your data in {{kib}} [view-data]
+
+Winlogbeat comes with pre-built {{kib}} dashboards and UIs for visualizing log data. You loaded the dashboards earlier when you ran the `setup` command.
+
+To open the dashboards:
+
+1. Launch {{kib}}:
+
+    <div class="tabs" data-tab-group="host">
+      <div role="tablist" aria-label="Open Kibana">
+        <button role="tab"
+                aria-selected="true"
+                aria-controls="cloud-tab-open-kibana"
+                id="cloud-open-kibana">
+          Elasticsearch Service
+        </button>
+        <button role="tab"
+                aria-selected="false"
+                aria-controls="self-managed-tab-open-kibana"
+                id="self-managed-open-kibana"
+                tabindex="-1">
+          Self-managed
+        </button>
+      </div>
+      <div tabindex="0"
+           role="tabpanel"
+           id="cloud-tab-open-kibana"
+           aria-labelledby="cloud-open-kibana">
+    1. [Log in](https://cloud.elastic.co/) to your {{ecloud}} account.
+    2. Navigate to the {{kib}} endpoint in your deployment.
+
+      </div>
+      <div tabindex="0"
+           role="tabpanel"
+           id="self-managed-tab-open-kibana"
+           aria-labelledby="self-managed-open-kibana"
+           hidden="">
+    Point your browser to [http://localhost:5601](http://localhost:5601), replacing `localhost` with the name of the {{kib}} host.
+
+      </div>
+    </div>
+
+2. In the side navigation, click **Discover**. To see Winlogbeat data, make sure the predefined `winlogbeat-*` data view is selected.
+
+    ::::{tip}
+    If you don’t see data in {{kib}}, try changing the time filter to a larger range. By default, {{kib}} shows the last 15 minutes.
+    ::::
+
+3. In the side navigation, click **Dashboard**, then select the dashboard that you want to open.
+
+The dashboards are provided as examples. We recommend that you [customize](docs-content://explore-analyze/dashboards.md) them to meet your needs.
+
+
+## Using a local non-Administrator account to run Winlogbeat [local-user-account-setup]
+
+By default, the `Winlogbeat` service runs as the `Local System` account. If you want to run the `Winlogbeat` service as a local user account that is not an Administrator, then follow the steps below. The local user account must be granted `Log on as a service` in the security policy and be made part of the `Builtin\Event Log Readers` group to read the event log.
+
+1. Open the Services Management console with this command:
+
+    ```shell
+    PS C:\Program Files\Winlogbeat> services.msc
+    ```
+
+2. Right-click on service named `winlogbeat` and select `Properties`
+3. Under `Log On` tab, select `This account:` and browse for the local account user that you want to run Winlogbeat service as.
+4. Enter local user account’s password and click `Apply`.
+5. Search and open `Local Group Policy Editor` in Windows search or run `gpedit.msc` from Powershell.
+6. Navigate to path: `Computer Settings → Security Settings → Local Policies` and open `User Rights Assignment` under it.
+7. Inside `User Rights Assignment`, add your local user account to the policy named `Log on as a service`. This should allow your local user account log on as a service.
+8. Open `Local Users and Group Manager` by running `lusrmgr.msc` in Powershell.
+9. Under `Users`, right-click on your local account user and open `Properties`.
+10. Select `Member of` tab and click on `Add...`
+11. Find and select the group named `Event Log Readers` and click `Apply`. This should allow your local account user to read the event log.
+
+
+## What’s next? [_whats_next]
+
+Now that you have your logs streaming into {{es}}, learn how to unify your logs, metrics, uptime, and application performance data.
+
+1. Ingest data from other sources by installing and configuring other Elastic {{beats}}:
+
+    | Elastic {{beats}} | To capture |
+    | --- | --- |
+    | [{{metricbeat}}](/reference/metricbeat/metricbeat-installation-configuration.md) | Infrastructure metrics |
+    | [{{filebeat}}](/reference/filebeat/filebeat-installation-configuration.md) | Logs |
+    | [{{heartbeat}}](/reference/heartbeat/heartbeat-installation-configuration.md) | Uptime information |
+    | [APM](docs-content://solutions/observability/apps/application-performance-monitoring-apm.md) | Application performance metrics |
+    | [{{auditbeat}}](/reference/auditbeat/auditbeat-installation-configuration.md) | Audit events |
+
+2. Use the Observability apps in {{kib}} to search across all your data:
+
+    | Elastic apps | Use to |
+    | --- | --- |
+    | [{{metrics-app}}](docs-content://solutions/observability/infra-and-hosts/analyze-infrastructure-host-metrics.md) | Explore metrics about systems and services across your ecosystem |
+    | [{{logs-app}}](docs-content://solutions/observability/logs/explore-logs.md) | Tail related log data in real time |
+    | [{{uptime-app}}](docs-content://solutions/observability/apps/synthetic-monitoring.md#monitoring-uptime) | Monitor availability issues across your apps and services |
+    | [APM app](docs-content://solutions/observability/apps/overviews.md) | Monitor application performance |
+    | [{{siem-app}}](docs-content://solutions/security.md) | Analyze security events |
+
+
diff --git a/docs/reference/winlogbeat/winlogbeat-module-powershell.md b/docs/reference/winlogbeat/winlogbeat-module-powershell.md
new file mode 100644
index 000000000000..54272ad85360
--- /dev/null
+++ b/docs/reference/winlogbeat/winlogbeat-module-powershell.md
@@ -0,0 +1,58 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-module-powershell.html
+---
+
+# PowerShell Module [winlogbeat-module-powershell]
+
+The PowerShell module processes event log records from the Microsoft-Windows-PowerShell/Operational and Windows PowerShell logs.
+
+The module has transformations for the following event IDs:
+
+* 400 - Engine state is changed from None to Available.
+* 403 - Engine state is changed from Available to Stopped.
+* 600 - A Provider is Started.
+* 800 - Pipeline executed.
+* 4103 - Module logging.
+* 4104 - Script block logging.
+* 4105 - Command started.
+* 4106 - Command completed.
+
+
+## Configuration [_configuration_2]
+
+By default, module and script block logging (event ID’s 410x) are disabled, to enable them you can do so through "Windows Powershell" GPO settings and set "Turn on Module Logging" and "Turn on PowerShell Script Block Logging" to enabled.
+
+Alternatively they can be enabled setting the following registry values:
+
+```
+HKCU/HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging: EnableModuleLogging = 1
+HKCU/HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging \ModuleNames: * = *
+HKCU/HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging: EnableScriptBlockLogging = 1
+HKCU/HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging: EnableScriptBlockInvocationLogging = 1
+```
+
+```yaml
+winlogbeat.event_logs:
+  - name: Windows PowerShell
+    event_id: 400, 403, 600, 800
+
+  - name: Microsoft-Windows-PowerShell/Operational
+    event_id: 4103, 4104, 4105, 4106
+
+output.elasticsearch.pipeline: winlogbeat-%{[agent.version]}-routing <1>
+```
+
+1. All module processing is handled via Elasticsearch Ingest Node pipelines. See [Setup of Ingest Node pipelines](/reference/winlogbeat/winlogbeat-modules.md#winlogbeat-modules-setup) for details.
+
+
+
+## Example dashboard [_example_dashboard]
+
+This module comes with a sample dashboard.
+
+:::{image} images/kibana-powershell.jpg
+:alt: kibana powershell
+:class: screenshot
+:::
+
diff --git a/docs/reference/winlogbeat/winlogbeat-module-security.md b/docs/reference/winlogbeat/winlogbeat-module-security.md
new file mode 100644
index 000000000000..13faf2a582c3
--- /dev/null
+++ b/docs/reference/winlogbeat/winlogbeat-module-security.md
@@ -0,0 +1,22 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-module-security.html
+---
+
+# Security Module [winlogbeat-module-security]
+
+The security module processes event log records from the Security log.
+
+
+## Configuration [_configuration_3]
+
+```yaml
+winlogbeat.event_logs:
+  - name: Security
+
+output.elasticsearch.pipeline: winlogbeat-%{[agent.version]}-routing <1>
+```
+
+1. All module processing is handled via Elasticsearch Ingest Node pipelines. See [Setup of Ingest Node pipelines](/reference/winlogbeat/winlogbeat-modules.md#winlogbeat-modules-setup) for details.
+
+
diff --git a/docs/reference/winlogbeat/winlogbeat-module-sysmon.md b/docs/reference/winlogbeat/winlogbeat-module-sysmon.md
new file mode 100644
index 000000000000..c65d0d070860
--- /dev/null
+++ b/docs/reference/winlogbeat/winlogbeat-module-sysmon.md
@@ -0,0 +1,26 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-module-sysmon.html
+---
+
+# Sysmon Module [winlogbeat-module-sysmon]
+
+The sysmon module processes event log records from the [Sysinternals System Monitor](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon) (Sysmon) which is a Windows service and device driver that logs system activity to the event log. Sysmon is not bundled with Windows or Winlogbeat and must be installed independently.
+
+The default configuration file includes configuration for the Sysmon channel. If you do not have Sysmon installed Winlogbeat will log a warning that it could not read from the `Microsoft-Windows-Sysmon/Operational` channel. It will continue to read from the other configured channels. If you do install Sysmon at a later time then a restart of Winlogbeat is required to make it begin reading from the channel.
+
+This module was built based on Sysmon v13 event manifests. It contains transformations for each of the defined event IDs.
+
+
+## Configuration [_configuration_4]
+
+```yaml
+winlogbeat.event_logs:
+  - name: Microsoft-Windows-Sysmon/Operational
+
+output.elasticsearch.pipeline: winlogbeat-%{[agent.version]}-routing <1>
+```
+
+1. All module processing is handled via Elasticsearch Ingest Node pipelines. See [Setup of Ingest Node pipelines](/reference/winlogbeat/winlogbeat-modules.md#winlogbeat-modules-setup) for details.
+
+
diff --git a/docs/reference/winlogbeat/winlogbeat-modules.md b/docs/reference/winlogbeat/winlogbeat-modules.md
new file mode 100644
index 000000000000..a55887911e18
--- /dev/null
+++ b/docs/reference/winlogbeat/winlogbeat-modules.md
@@ -0,0 +1,61 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-modules.html
+---
+
+# Modules [winlogbeat-modules]
+
+::::{note}
+Winlogbeat modules have changed in 8.0.0 to use Elasticsearch Ingest Node for processing. If you are upgrading from 7.x please review the documentation and see the default configuration file.
+::::
+
+
+This section contains detailed information about the available Windows event log processing modules contained in Winlogbeat. More details about each module can be found in the module’s documentation.
+
+Winlogbeat modules are implemented using Elasticsearch Ingest Node pipelines. The events receive their transformations within Elasticsearch. All events are sent through Winlogbeat’s "routing" pipeline that routes events to specific module pipelines based on their `winlog.channel` value.
+
+Winlogbeat’s default config file contains the option to send all events to the routing pipeline. If you remove this option then the module processing will not be applied.
+
+```yaml
+output.elasticsearch.pipeline: winlogbeat-%{[agent.version]}-routing
+```
+
+The general goal of each module is to transform events by renaming fields to comply with the [Elastic Common Schema](ecs://reference/index.md) (ECS). The modules may also apply additional categorization, tagging, and parsing as necessary.
+
+::::{note}
+The provided modules only support events in English. For more information about how to configure the language in `winlogbeat`, refer to [Winlogbeat](/reference/winlogbeat/configuration-winlogbeat-options.md).
+::::
+
+
+
+## Setup of Ingest Node pipelines [winlogbeat-modules-setup]
+
+Winlogbeat’s Ingest Node pipelines must be installed to Elasticsearch if you want to apply the module processing to events. The simplest way to get started is to use the Elasticsearch output and Winlogbeat will automatically install the pipelines when it first connects to Elasticsearch.
+
+Installation Methods
+
+1. [On connection to {{es}}](/reference/winlogbeat/load-ingest-pipelines.md#winlogbeat-load-pipeline-auto)
+2. [setup command](/reference/winlogbeat/load-ingest-pipelines.md#winlogbeat-load-pipeline-setup)
+3. [Manually install pipelines](/reference/winlogbeat/load-ingest-pipelines.md#winlogbeat-load-pipeline-manual)
+
+
+## Usage with Forwarded Events [_usage_with_forwarded_events]
+
+No special configuration options are required when working with the `ForwardedEvents` channel. The events in this log retain the channel name of their origin (e.g. `winlog.channel: Security`). And because the routing pipeline processes events based on the channel name no special config is necessary.
+
+```yaml
+winlogbeat.event_logs:
+- name: ForwardedEvents
+  tags: [forwarded]
+  language: 0x0409 # en-US
+
+output.elasticsearch.pipeline: winlogbeat-%{[agent.version]}-routing
+```
+
+
+## Modules [_modules]
+
+* [Powershell](/reference/winlogbeat/winlogbeat-module-powershell.md)
+* [Security](/reference/winlogbeat/winlogbeat-module-security.md)
+* [Sysmon](/reference/winlogbeat/winlogbeat-module-sysmon.md)
+
diff --git a/docs/reference/winlogbeat/winlogbeat-reference-yml.md b/docs/reference/winlogbeat/winlogbeat-reference-yml.md
new file mode 100644
index 000000000000..929fceb9bf7d
--- /dev/null
+++ b/docs/reference/winlogbeat/winlogbeat-reference-yml.md
@@ -0,0 +1,1753 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-reference-yml.html
+---
+
+# winlogbeat.reference.yml [winlogbeat-reference-yml]
+
+The following reference file is available with your Winlogbeat installation. It shows all non-deprecated Winlogbeat options. You can copy from this file and paste configurations into the `winlogbeat.yml` file to customize it.
+
+::::{tip}
+The reference file is located in the same directory as the `winlogbeat.yml` file. To locate the file, see [Directory layout](/reference/winlogbeat/directory-layout.md).
+::::
+
+
+The contents of the file are included here for your convenience.
+
+```yaml
+## Winlogbeat Configuration Example ########################
+
+# This file is an example configuration file highlighting only the most common
+# options. The winlogbeat.reference.yml file from the same directory contains
+# all the supported options with more comments. You can use it as a reference.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/winlogbeat/index.html
+
+# ======================== Winlogbeat specific options =========================
+
+# The registry file is where Winlogbeat persists its state so that the beat can
+# resume after shutdown or an outage. The default is .winlogbeat.yml in the
+# directory in which it was started.
+#winlogbeat.registry_file: .winlogbeat.yml
+
+# The timeout value that controls when registry entries are written to disk
+# (flushed). When an unwritten update exceeds this value, it triggers a write
+# to disk. When flush is set to 0s, the registry is written to disk after each
+# batch of events has been published successfully. The default value is 5s.
+#winlogbeat.registry_flush: 5s
+
+# By default Ingest pipelines are not updated if a pipeline with the same ID
+# already exists. If this option is enabled Winlogbeat overwrites pipelines
+# every time a new Elasticsearch connection is established.
+#winlogbeat.overwrite_pipelines: false
+
+# event_logs specifies a list of event logs to monitor as well as any
+# accompanying options. The YAML data type of event_logs is a list of
+# dictionaries.
+#
+# The supported keys are name, id, xml_query, tags, fields, fields_under_root,
+# forwarded, ignore_older, level, event_id, provider, and include_xml.
+# The xml_query key requires an id and must not be used with the name,
+# ignore_older, level, event_id, or provider keys. Please visit the
+# documentation for the complete details of each option.
+# https://go.es.io/WinlogbeatConfig
+
+winlogbeat.event_logs:
+  - name: Application
+    ignore_older: 72h
+
+  - name: System
+
+  - name: Security
+
+  - name: ForwardedEvents
+    tags: [forwarded]
+
+  - name: Windows PowerShell
+    event_id: 400, 403, 600, 800
+
+  - name: Microsoft-Windows-PowerShell/Operational
+    event_id: 4103, 4104, 4105, 4106
+
+
+# ================================== General ===================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+# If this option is not defined, the hostname is used.
+#name:
+
+# The tags of the shipper are included in their field with each
+# transaction published. Tags make it easy to group servers by different
+# logical properties.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output. Fields can be scalar values, arrays, dictionaries, or any nested
+# combination of these.
+#fields:
+#  env: staging
+
+# If this option is set to true, the custom fields are stored as top-level
+# fields in the output document instead of being grouped under a field
+# sub-dictionary. Default is false.
+#fields_under_root: false
+
+# Configure the precision of all timestamps in Winlogbeat.
+# Available options: millisecond, microsecond, nanosecond
+#timestamp.precision: millisecond
+
+# Internal queue configuration for buffering events to be published.
+# Queue settings may be overridden by performance presets in the
+# Elasticsearch output. To configure them manually use "preset: custom".
+#queue:
+  # Queue type by name (default 'mem')
+  # The memory queue will present all available events (up to the outputs
+  # bulk_max_size) to the output, the moment the output is ready to serve
+  # another batch of events.
+  #mem:
+    # Max number of events the queue can buffer.
+    #events: 3200
+
+    # Hints the minimum number of events stored in the queue,
+    # before providing a batch of events to the outputs.
+    # The default value is set to 2048.
+    # A value of 0 ensures events are immediately available
+    # to be sent to the outputs.
+    #flush.min_events: 1600
+
+    # Maximum duration after which events are available to the outputs,
+    # if the number of events stored in the queue is < `flush.min_events`.
+    #flush.timeout: 10s
+
+  # The disk queue stores incoming events on disk until the output is
+  # ready for them. This allows a higher event limit than the memory-only
+  # queue and lets pending events persist through a restart.
+  #disk:
+    # The directory path to store the queue's data.
+    #path: "${path.data}/diskqueue"
+
+    # The maximum space the queue should occupy on disk. Depending on
+    # input settings, events that exceed this limit are delayed or discarded.
+    #max_size: 10GB
+
+    # The maximum size of a single queue data file. Data in the queue is
+    # stored in smaller segments that are deleted after all their events
+    # have been processed.
+    #segment_size: 1GB
+
+    # The number of events to read from disk to memory while waiting for
+    # the output to request them.
+    #read_ahead: 512
+
+    # The number of events to accept from inputs while waiting for them
+    # to be written to disk. If event data arrives faster than it
+    # can be written to disk, this setting prevents it from overflowing
+    # main memory.
+    #write_ahead: 2048
+
+    # The duration to wait before retrying when the queue encounters a disk
+    # write error.
+    #retry_interval: 1s
+
+    # The maximum length of time to wait before retrying on a disk write
+    # error. If the queue encounters repeated errors, it will double the
+    # length of its retry interval each time, up to this maximum.
+    #max_retry_interval: 30s
+
+# Sets the maximum number of CPUs that can be executed simultaneously. The
+# default is the number of logical CPUs available in the system.
+#max_procs:
+
+# ================================= Processors =================================
+
+# Processors are used to reduce the number of fields in the exported event or to
+# enhance the event with external metadata. This section defines a list of
+# processors that are applied one by one and the first one receives the initial
+# event:
+#
+#   event -> filter1 -> event1 -> filter2 ->event2 ...
+#
+# The supported processors are drop_fields, drop_event, include_fields,
+# decode_json_fields, and add_cloud_metadata.
+#
+# For example, you can use the following processors to keep the fields that
+# contain CPU load percentages, but remove the fields that contain CPU ticks
+# values:
+#
+#processors:
+#  - include_fields:
+#      fields: ["cpu"]
+#  - drop_fields:
+#      fields: ["cpu.user", "cpu.system"]
+#
+# The following example drops the events that have the HTTP response code 200:
+#
+#processors:
+#  - drop_event:
+#      when:
+#        equals:
+#          http.code: 200
+#
+# The following example renames the field a to b:
+#
+#processors:
+#  - rename:
+#      fields:
+#        - from: "a"
+#          to: "b"
+#
+# The following example tokenizes the string into fields:
+#
+#processors:
+#  - dissect:
+#      tokenizer: "%{key1} - %{key2}"
+#      field: "message"
+#      target_prefix: "dissect"
+#
+# The following example enriches each event with metadata from the cloud
+# provider about the host machine. It works on EC2, GCE, DigitalOcean,
+# Tencent Cloud, and Alibaba Cloud.
+#
+#processors:
+#  - add_cloud_metadata: ~
+#
+# The following example enriches each event with the machine's local time zone
+# offset from UTC.
+#
+#processors:
+#  - add_locale:
+#      format: offset
+#
+# The following example enriches each event with docker metadata, it matches
+# given fields to an existing container id and adds info from that container:
+#
+#processors:
+#  - add_docker_metadata:
+#      host: "unix:///var/run/docker.sock"
+#      match_fields: ["system.process.cgroup.id"]
+#      match_pids: ["process.pid", "process.parent.pid"]
+#      match_source: true
+#      match_source_index: 4
+#      match_short_id: false
+#      cleanup_timeout: 60
+#      labels.dedot: false
+#      # To connect to Docker over TLS you must specify a client and CA certificate.
+#      #ssl:
+#      #  certificate_authority: "/etc/pki/root/ca.pem"
+#      #  certificate:           "/etc/pki/client/cert.pem"
+#      #  key:                   "/etc/pki/client/cert.key"
+#
+# The following example enriches each event with docker metadata, it matches
+# container id from log path available in `source` field (by default it expects
+# it to be /var/lib/docker/containers/*/*.log).
+#
+#processors:
+#  - add_docker_metadata: ~
+#
+# The following example enriches each event with host metadata.
+#
+#processors:
+#  - add_host_metadata: ~
+#
+# The following example enriches each event with process metadata using
+# process IDs included in the event.
+#
+#processors:
+#  - add_process_metadata:
+#      match_pids: ["system.process.ppid"]
+#      target: system.process.parent
+#
+# The following example decodes fields containing JSON strings
+# and replaces the strings with valid JSON objects.
+#
+#processors:
+#  - decode_json_fields:
+#      fields: ["field1", "field2", ...]
+#      process_array: false
+#      max_depth: 1
+#      target: ""
+#      overwrite_keys: false
+#
+#processors:
+#  - decompress_gzip_field:
+#      from: "field1"
+#      to: "field2"
+#      ignore_missing: false
+#      fail_on_error: true
+#
+# The following example copies the value of the message to message_copied
+#
+#processors:
+#  - copy_fields:
+#      fields:
+#        - from: message
+#          to: message_copied
+#      fail_on_error: true
+#      ignore_missing: false
+#
+# The following example truncates the value of the message to 1024 bytes
+#
+#processors:
+#  - truncate_fields:
+#      fields:
+#        - message
+#      max_bytes: 1024
+#      fail_on_error: false
+#      ignore_missing: true
+#
+# The following example preserves the raw message under event.original
+#
+#processors:
+#  - copy_fields:
+#      fields:
+#        - from: message
+#          to: event.original
+#      fail_on_error: false
+#      ignore_missing: true
+#  - truncate_fields:
+#      fields:
+#        - event.original
+#      max_bytes: 1024
+#      fail_on_error: false
+#      ignore_missing: true
+#
+# The following example URL-decodes the value of field1 to field2
+#
+#processors:
+#  - urldecode:
+#      fields:
+#        - from: "field1"
+#          to: "field2"
+#      ignore_missing: false
+#      fail_on_error: true
+
+# =============================== Elastic Cloud ================================
+
+# These settings simplify using Winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+# ================================== Outputs ===================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+# ---------------------------- Elasticsearch Output ----------------------------
+output.elasticsearch:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Array of hosts to connect to.
+  # Scheme and port can be left out and will be set to the default (http and 9200)
+  # In case you specify and additional path, the scheme is required: http://localhost:9200/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+  hosts: ["localhost:9200"]
+
+  # Performance presets configure other output fields to recommended values
+  # based on a performance priority.
+  # Options are "balanced", "throughput", "scale", "latency" and "custom".
+  # Default if unspecified: "custom"
+  preset: balanced
+
+  # Set gzip compression level. Set to 0 to disable compression.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 1.
+  #compression_level: 1
+
+  # Configure escaping HTML symbols in strings.
+  #escape_html: false
+
+  # Protocol - either `http` (default) or `https`.
+  #protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
+  #username: "elastic"
+  #password: "changeme"
+
+  # Dictionary of HTTP parameters to pass within the URL with index operations.
+  #parameters:
+    #param1: value1
+    #param2: value2
+
+  # Number of workers per Elasticsearch host.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  #worker: 1
+
+  # If set to true and multiple hosts are configured, the output plugin load
+  # balances published events onto all Elasticsearch hosts. If set to false,
+  # the output plugin sends all events to only one host (determined at random)
+  # and will switch to another host if the currently selected one becomes
+  # unreachable. The default value is true.
+  #loadbalance: true
+
+  # Optional data stream or index name. The default is "winlogbeat-%{[agent.version]}".
+  # In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly.
+  #index: "winlogbeat-%{[agent.version]}"
+
+  # Optional ingest pipeline. By default, no pipeline will be used.
+  #pipeline: ""
+
+  # Optional HTTP path
+  #path: "/elasticsearch"
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Proxy server URL
+  #proxy_url: http://proxy:3128
+
+  # Whether to disable proxy settings for outgoing connections. If true, this
+  # takes precedence over both the proxy_url field and any environment settings
+  # (HTTP_PROXY, HTTPS_PROXY). The default is false.
+  #proxy_disable: false
+
+  # The number of times a particular Elasticsearch index operation is attempted. If
+  # the indexing operation doesn't succeed after this many retries, the events are
+  # dropped. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 1600.
+  #bulk_max_size: 1600
+
+  # The number of seconds to wait before trying to reconnect to Elasticsearch
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Elasticsearch after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum amount of time an idle connection will remain idle
+  # before closing itself.  Zero means use the default of 60s. The
+  # format is a Go language duration (example 60s is 60 seconds).
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 3s.
+  # idle_connection_timeout: 3s
+
+  # Configure HTTP request timeout before failing a request to Elasticsearch.
+  #timeout: 90
+
+  # Prevents winlogbeat from connecting to older Elasticsearch versions when set to `false`
+  #allow_older_versions: true
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+  # Enables restarting winlogbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/elastic.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+
+# ------------------------------ Logstash Output -------------------------------
+#output.logstash:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # The Logstash hosts
+  #hosts: ["localhost:5044"]
+
+  # Number of workers per Logstash host.
+  #worker: 1
+
+  # Set gzip compression level.
+  #compression_level: 3
+
+  # Configure escaping HTML symbols in strings.
+  #escape_html: false
+
+  # Optional maximum time to live for a connection to Logstash, after which the
+  # connection will be re-established.  A value of `0s` (the default) will
+  # disable this feature.
+  #
+  # Not yet supported for async connections (i.e. with the "pipelining" option set)
+  #ttl: 30s
+
+  # Optionally load-balance events between Logstash hosts. Default is false.
+  #loadbalance: false
+
+  # Number of batches to be sent asynchronously to Logstash while processing
+  # new batches.
+  #pipelining: 2
+
+  # If enabled only a subset of events in a batch of events is transferred per
+  # transaction.  The number of events to be sent increases up to `bulk_max_size`
+  # if no error is encountered.
+  #slow_start: false
+
+  # The number of seconds to wait before trying to reconnect to Logstash
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Logstash after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # Optional index name. The default index name is set to winlogbeat
+  # in all lowercase.
+  #index: 'winlogbeat'
+
+  # SOCKS5 proxy server URL
+  #proxy_url: socks5://user:password@socks5-server:2233
+
+  # Resolve names locally when using a proxy server. Defaults to false.
+  #proxy_use_local_resolver: false
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting winlogbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, the events are typically dropped.
+  # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
+  # and retry until all events are published.  Set max_retries to a value less
+  # than 0 to retry until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Logstash request. The
+  # default is 2048.
+  #bulk_max_size: 2048
+
+  # The number of seconds to wait for responses from the Logstash server before
+  # timing out. The default is 30s.
+  #timeout: 30s
+
+# -------------------------------- Kafka Output --------------------------------
+#output.kafka:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # The list of Kafka broker addresses from which to fetch the cluster metadata.
+  # The cluster metadata contain the actual Kafka brokers events are published
+  # to.
+  #hosts: ["localhost:9092"]
+
+  # The Kafka topic used for produced events. The setting can be a format string
+  # using any event field. To set the topic from document type use `%{[type]}`.
+  #topic: beats
+
+  # The Kafka event key setting. Use format string to create a unique event key.
+  # By default no event key will be generated.
+  #key: ''
+
+  # The Kafka event partitioning strategy. Default hashing strategy is `hash`
+  # using the `output.kafka.key` setting or randomly distributes events if
+  # `output.kafka.key` is not configured.
+  #partition.hash:
+    # If enabled, events will only be published to partitions with reachable
+    # leaders. Default is false.
+    #reachable_only: false
+
+    # Configure alternative event field names used to compute the hash value.
+    # If empty `output.kafka.key` setting will be used.
+    # Default value is empty list.
+    #hash: []
+
+  # Authentication details. Password is required if username is set.
+  #username: ''
+  #password: ''
+
+  # SASL authentication mechanism used. Can be one of PLAIN, SCRAM-SHA-256 or SCRAM-SHA-512.
+  # Defaults to PLAIN when `username` and `password` are configured.
+  #sasl.mechanism: ''
+
+  # Kafka version Winlogbeat is assumed to run against. Defaults to the "1.0.0".
+  #version: '1.0.0'
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # Metadata update configuration. Metadata contains leader information
+  # used to decide which broker to use when publishing.
+  #metadata:
+    # Max metadata request retry attempts when cluster is in middle of leader
+    # election. Defaults to 3 retries.
+    #retry.max: 3
+
+    # Wait time between retries during leader elections. Default is 250ms.
+    #retry.backoff: 250ms
+
+    # Refresh metadata interval. Defaults to every 10 minutes.
+    #refresh_frequency: 10m
+
+    # Strategy for fetching the topics metadata from the broker. Default is false.
+    #full: false
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, events are typically dropped.
+  # Some Beats, such as Filebeat, ignore the max_retries setting and retry until
+  # all events are published.  Set max_retries to a value less than 0 to retry
+  # until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The number of seconds to wait before trying to republish to Kafka
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to republish. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful publish, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to republish to
+  # Kafka after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum number of events to bulk in a single Kafka request. The default
+  # is 2048.
+  #bulk_max_size: 2048
+
+  # Duration to wait before sending bulk Kafka request. 0 is no delay. The default
+  # is 0.
+  #bulk_flush_frequency: 0s
+
+  # The number of seconds to wait for responses from the Kafka brokers before
+  # timing out. The default is 30s.
+  #timeout: 30s
+
+  # The maximum duration a broker will wait for number of required ACKs. The
+  # default is 10s.
+  #broker_timeout: 10s
+
+  # The number of messages buffered for each Kafka broker. The default is 256.
+  #channel_buffer_size: 256
+
+  # The keep-alive period for an active network connection. If 0s, keep-alives
+  # are disabled. The default is 0 seconds.
+  #keep_alive: 0
+
+  # Sets the output compression codec. Must be one of none, snappy and gzip. The
+  # default is gzip.
+  #compression: gzip
+
+  # Set the compression level. Currently only gzip provides a compression level
+  # between 0 and 9. The default value is chosen by the compression algorithm.
+  #compression_level: 4
+
+  # The maximum permitted size of JSON-encoded messages. Bigger messages will be
+  # dropped. The default value is 1000000 (bytes). This value should be equal to
+  # or less than the broker's message.max.bytes.
+  #max_message_bytes: 1000000
+
+  # The ACK reliability level required from broker. 0=no response, 1=wait for
+  # local commit, -1=wait for all replicas to commit. The default is 1.  Note:
+  # If set to 0, no ACKs are returned by Kafka. Messages might be lost silently
+  # on error.
+  #required_acks: 1
+
+  # The configurable ClientID used for logging, debugging, and auditing
+  # purposes.  The default is "beats".
+  #client_id: beats
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting winlogbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/security/keytabs/kafka.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # The service name. Service principal name is contructed from
+  # service_name/hostname@realm.
+  #kerberos.service_name: kafka
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+  # Enables Kerberos FAST authentication. This may
+  # conflict with certain Active Directory configurations.
+  #kerberos.enable_krb5_fast: false
+
+# -------------------------------- Redis Output --------------------------------
+#output.redis:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty print json event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # The list of Redis servers to connect to. If load-balancing is enabled, the
+  # events are distributed to the servers in the list. If one server becomes
+  # unreachable, the events are distributed to the reachable servers only.
+  # The hosts setting supports redis and rediss urls with custom password like
+  # redis://:password@localhost:6379.
+  #hosts: ["localhost:6379"]
+
+  # The name of the Redis list or channel the events are published to. The
+  # default is winlogbeat.
+  #key: winlogbeat
+
+  # The password to authenticate to Redis with. The default is no authentication.
+  #password:
+
+  # The Redis database number where the events are published. The default is 0.
+  #db: 0
+
+  # The Redis data type to use for publishing events. If the data type is list,
+  # the Redis RPUSH command is used. If the data type is channel, the Redis
+  # PUBLISH command is used. The default value is list.
+  #datatype: list
+
+  # The number of workers to use for each host configured to publish events to
+  # Redis. Use this setting along with the loadbalance option. For example, if
+  # you have 2 hosts and 3 workers, in total 6 workers are started (3 for each
+  # host).
+  #worker: 1
+
+  # If set to true and multiple hosts or workers are configured, the output
+  # plugin load balances published events onto all Redis hosts. If set to false,
+  # the output plugin sends all events to only one host (determined at random)
+  # and will switch to another host if the currently selected one becomes
+  # unreachable. The default value is true.
+  #loadbalance: true
+
+  # The Redis connection timeout in seconds. The default is 5 seconds.
+  #timeout: 5s
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, the events are typically dropped.
+  # Some Beats, such as Filebeat, ignore the max_retries setting and retry until
+  # all events are published. Set max_retries to a value less than 0 to retry
+  # until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The number of seconds to wait before trying to reconnect to Redis
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Redis after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum number of events to bulk in a single Redis request or pipeline.
+  # The default is 2048.
+  #bulk_max_size: 2048
+
+  # The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The
+  # value must be a URL with a scheme of socks5://.
+  #proxy_url:
+
+  # This option determines whether Redis hostnames are resolved locally when
+  # using a proxy. The default value is false, which means that name resolution
+  # occurs on the proxy server.
+  #proxy_use_local_resolver: false
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+# -------------------------------- File Output ---------------------------------
+#output.file:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+  # Path to the directory where to save the generated files. The option is
+  # mandatory.
+  #path: "/tmp/winlogbeat"
+
+  # Name of the generated files. The default is `winlogbeat` and it generates
+  # files: `winlogbeat-{datetime}.ndjson`, `winlogbeat-{datetime}-1.ndjson`, etc.
+  #filename: winlogbeat
+
+  # Maximum size in kilobytes of each file. When this size is reached, and on
+  # every Winlogbeat restart, the files are rotated. The default value is 10240
+  # kB.
+  #rotate_every_kb: 10000
+
+  # Maximum number of files under path. When this number of files is reached,
+  # the oldest file is deleted and the rest are shifted from last to first. The
+  # default is 7 files.
+  #number_of_files: 7
+
+  # Permissions to use for file creation. The default is 0600.
+  #permissions: 0600
+
+  # Configure automatic file rotation on every startup. The default is true.
+  #rotate_on_startup: true
+
+# ------------------------------- Console Output -------------------------------
+#output.console:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty-print JSON event
+    #pretty: false
+
+    # Configure escaping HTML symbols in strings.
+    #escape_html: false
+
+# =================================== Paths ====================================
+
+# The home path for the Winlogbeat installation. This is the default base path
+# for all other path settings and for miscellaneous files that come with the
+# distribution (for example, the sample dashboards).
+# If not set by a CLI flag or in the configuration file, the default for the
+# home path is the location of the binary.
+#path.home:
+
+# The configuration path for the Winlogbeat installation. This is the default
+# base path for configuration files, including the main YAML configuration file
+# and the Elasticsearch template file. If not set by a CLI flag or in the
+# configuration file, the default for the configuration path is the home path.
+#path.config: ${path.home}
+
+# The data path for the Winlogbeat installation. This is the default base path
+# for all the files in which Winlogbeat needs to store its data. If not set by a
+# CLI flag or in the configuration file, the default for the data path is a data
+# subdirectory inside the home path.
+#path.data: ${path.home}/data
+
+# The logs path for a Winlogbeat installation. This is the default location for
+# the Beat's log files. If not set by a CLI flag or in the configuration file,
+# the default for the logs path is a logs subdirectory inside the home path.
+#path.logs: ${path.home}/logs
+
+# ================================== Keystore ==================================
+
+# Location of the Keystore containing the keys and their sensitive values.
+#keystore.path: "${path.config}/beats.keystore"
+
+# ================================= Dashboards =================================
+
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards are disabled by default and can be enabled either by setting the
+# options here or by using the `-setup` CLI flag or the `setup` command.
+#setup.dashboards.enabled: false
+
+# The directory from where to read the dashboards. The default is the `kibana`
+# folder in the home path.
+#setup.dashboards.directory: ${path.home}/kibana
+
+# The URL from where to download the dashboard archive. It is used instead of
+# the directory if it has a value.
+#setup.dashboards.url:
+
+# The file archive (zip file) from where to read the dashboards. It is used instead
+# of the directory when it has a value.
+#setup.dashboards.file:
+
+# In case the archive contains the dashboards from multiple Beats, this lets you
+# select which one to load. You can load all the dashboards in the archive by
+# setting this to the empty string.
+#setup.dashboards.beat: winlogbeat
+
+# The name of the Kibana index to use for setting the configuration. Default is ".kibana"
+#setup.dashboards.kibana_index: .kibana
+
+# The Elasticsearch index name. This overwrites the index name defined in the
+# dashboards and index pattern. Example: testbeat-*
+#setup.dashboards.index:
+
+# Always use the Kibana API for loading the dashboards instead of autodetecting
+# how to install the dashboards by first querying Elasticsearch.
+#setup.dashboards.always_kibana: false
+
+# If true and Kibana is not reachable at the time when dashboards are loaded,
+# it will retry to reconnect to Kibana instead of exiting with an error.
+#setup.dashboards.retry.enabled: false
+
+# Duration interval between Kibana connection retries.
+#setup.dashboards.retry.interval: 1s
+
+# Maximum number of retries before exiting with an error, 0 for unlimited retrying.
+#setup.dashboards.retry.maximum: 0
+
+# ================================== Template ==================================
+
+# A template is used to set the mapping in Elasticsearch
+# By default template loading is enabled and the template is loaded.
+# These settings can be adjusted to load your own template or overwrite existing ones.
+
+# Set to false to disable template loading.
+#setup.template.enabled: true
+
+# Template name. By default the template name is "winlogbeat-%{[agent.version]}"
+# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
+#setup.template.name: "winlogbeat-%{[agent.version]}"
+
+# Template pattern. By default the template pattern is "winlogbeat-%{[agent.version]}" to apply to the default index settings.
+# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
+#setup.template.pattern: "winlogbeat-%{[agent.version]}"
+
+# Path to fields.yml file to generate the template
+#setup.template.fields: "${path.config}/fields.yml"
+
+# A list of fields to be added to the template and Kibana index pattern. Also
+# specify setup.template.overwrite: true to overwrite the existing template.
+#setup.template.append_fields:
+#- name: field_name
+#  type: field_type
+
+# Enable JSON template loading. If this is enabled, the fields.yml is ignored.
+#setup.template.json.enabled: false
+
+# Path to the JSON template file
+#setup.template.json.path: "${path.config}/template.json"
+
+# Name under which the template is stored in Elasticsearch
+#setup.template.json.name: ""
+
+# Set this option if the JSON template is a data stream.
+#setup.template.json.data_stream: false
+
+# Overwrite existing template
+# Do not enable this option for more than one instance of winlogbeat as it might
+# overload your Elasticsearch with too many update requests.
+#setup.template.overwrite: false
+
+# Elasticsearch template settings
+setup.template.settings:
+
+  # A dictionary of settings to place into the settings.index dictionary
+  # of the Elasticsearch template. For more details, please check
+  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html
+  #index:
+    #number_of_shards: 1
+    #codec: best_compression
+
+  # A dictionary of settings for the _source field. For more details, please check
+  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html
+  #_source:
+    #enabled: false
+
+# ====================== Index Lifecycle Management (ILM) ======================
+
+# Configure index lifecycle management (ILM) to manage the backing indices
+# of your data streams.
+
+# Enable ILM support. Valid values are true, or false.
+#setup.ilm.enabled: true
+
+# Set the lifecycle policy name. The default policy name is
+# 'beatname'.
+#setup.ilm.policy_name: "mypolicy"
+
+# The path to a JSON file that contains a lifecycle policy configuration. Used
+# to load your own lifecycle policy.
+#setup.ilm.policy_file:
+
+# Disable the check for an existing lifecycle policy. The default is true.
+# If you set this option to false, lifecycle policy will not be installed,
+# even if setup.ilm.overwrite is set to true.
+#setup.ilm.check_exists: true
+
+# Overwrite the lifecycle policy at startup. The default is false.
+#setup.ilm.overwrite: false
+
+# ======================== Data Stream Lifecycle (DSL) =========================
+
+# Configure Data Stream Lifecycle to manage data streams while connected to Serverless elasticsearch.
+# These settings are mutually exclusive with ILM settings which are not supported in Serverless projects.
+
+# Enable DSL support. Valid values are true, or false.
+#setup.dsl.enabled: true
+
+# Set the lifecycle policy name or pattern. For DSL, this name must match the data stream that the lifecycle is for.
+# The default data stream pattern is winlogbeat-%{[agent.version]}"
+# The template string `%{[agent.version]}` will resolve to the current stack version.
+# The other possible template value is `%{[beat.name]}`.
+#setup.dsl.data_stream_pattern: "winlogbeat-%{[agent.version]}"
+
+# The path to a JSON file that contains a lifecycle policy configuration. Used
+# to load your own lifecycle policy.
+# If no custom policy is specified, a default policy with a lifetime of 7 days will be created.
+#setup.dsl.policy_file:
+
+# Disable the check for an existing lifecycle policy. The default is true. If
+# you disable this check, set setup.dsl.overwrite: true so the lifecycle policy
+# can be installed.
+#setup.dsl.check_exists: true
+
+# Overwrite the lifecycle policy at startup. The default is false.
+#setup.dsl.overwrite: false
+
+# =================================== Kibana ===================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+  # Kibana Host
+  # Scheme and port can be left out and will be set to the default (http and 5601)
+  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+  #host: "localhost:5601"
+
+  # Optional protocol and basic auth credentials.
+  #protocol: "https"
+  #username: "elastic"
+  #password: "changeme"
+
+  # Optional HTTP path
+  #path: ""
+
+  # Optional Kibana space ID.
+  #space.id: ""
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+
+# ================================== Logging ===================================
+
+# There are four options for the log output: file, stderr, syslog, eventlog
+# The file output is the default.
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: info
+
+# Enable debug output for selected components. To enable all selectors use ["*"]
+# Other available selectors are "beat", "publisher", "service"
+# Multiple selectors can be chained.
+#logging.selectors: [ ]
+
+# Send all logging output to stderr. The default is false.
+#logging.to_stderr: false
+
+# Send all logging output to syslog. The default is false.
+#logging.to_syslog: false
+
+# Send all logging output to Windows Event Logs. The default is false.
+#logging.to_eventlog: false
+
+# If enabled, Winlogbeat periodically logs its internal metrics that have changed
+# in the last period. For each metric that changed, the delta from the value at
+# the beginning of the period is logged. Also, the total values for
+# all non-zero internal metrics are logged on shutdown. The default is true.
+#logging.metrics.enabled: true
+
+# The period after which to log the internal metrics. The default is 30s.
+#logging.metrics.period: 30s
+
+# A list of metrics namespaces to report in the logs. Defaults to [stats].
+# `stats` contains general Beat metrics. `dataset` may be present in some
+# Beats and contains module or input metrics.
+#logging.metrics.namespaces: [stats]
+
+# Logging to rotating files. Set logging.to_files to false to disable logging to
+# files.
+logging.to_files: true
+logging.files:
+  # Configure the path where the logs are written. The default is the logs directory
+  # under the home path (the binary location).
+  #path: /var/log/winlogbeat
+
+  # The name of the files where the logs are written to.
+  #name: winlogbeat
+
+  # Configure log file size limit. If the limit is reached, log file will be
+  # automatically rotated.
+  #rotateeverybytes: 10485760 # = 10MB
+
+  # Number of rotated log files to keep. The oldest files will be deleted first.
+  #keepfiles: 7
+
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
+
+  # Enable log file rotation on time intervals in addition to the size-based rotation.
+  # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
+  # are boundary-aligned with minutes, hours, days, weeks, months, and years as
+  # reported by the local system clock. All other intervals are calculated from the
+  # Unix epoch. Defaults to disabled.
+  #interval: 0
+
+  # Rotate existing logs on startup rather than appending them to the existing
+  # file. Defaults to true.
+  # rotateonstartup: true
+
+#=============================== Events Logging ===============================
+# Some outputs will log raw events on errors like indexing errors in the
+# Elasticsearch output, to prevent logging raw events (that may contain
+# sensitive information) together with other log messages, a different
+# log file, only for log entries containing raw events, is used. It will
+# use the same level, selectors and all other configurations from the
+# default logger, but it will have it's own file configuration.
+#
+# Having a different log file for raw events also prevents event data
+# from drowning out the regular log files.
+#
+# IMPORTANT: No matter the default logger output configuration, raw events
+# will **always** be logged to a file configured by `logging.event_data.files`.
+
+# logging.event_data:
+# Logging to rotating files. Set logging.to_files to false to disable logging to
+# files.
+#logging.event_data.to_files: true
+#logging.event_data:
+  # Configure the path where the logs are written. The default is the logs directory
+  # under the home path (the binary location).
+  #path: /var/log/winlogbeat
+
+  # The name of the files where the logs are written to.
+  #name: winlogbeat-events-data
+
+  # Configure log file size limit. If the limit is reached, log file will be
+  # automatically rotated.
+  #rotateeverybytes: 5242880 # = 5MB
+
+  # Number of rotated log files to keep. The oldest files will be deleted first.
+  #keepfiles: 2
+
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
+
+  # Enable log file rotation on time intervals in addition to the size-based rotation.
+  # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
+  # are boundary-aligned with minutes, hours, days, weeks, months, and years as
+  # reported by the local system clock. All other intervals are calculated from the
+  # Unix epoch. Defaults to disabled.
+  #interval: 0
+
+  # Rotate existing logs on startup rather than appending them to the existing
+  # file. Defaults to false.
+  # rotateonstartup: false
+
+# ============================= X-Pack Monitoring ==============================
+# Winlogbeat can export internal metrics to a central Elasticsearch monitoring
+# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#monitoring.enabled: false
+
+# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
+# Winlogbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
+# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
+#monitoring.cluster_uuid:
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well.
+# Note that the settings should point to your Elasticsearch *monitoring* cluster.
+# Any setting that is not set is automatically inherited from the Elasticsearch
+# output configuration, so if you have the Elasticsearch output configured such
+# that it is pointing to your Elasticsearch monitoring cluster, you can simply
+# uncomment the following line.
+#monitoring.elasticsearch:
+
+  # Array of hosts to connect to.
+  # Scheme and port can be left out and will be set to the default (http and 9200)
+  # In case you specify an additional path, the scheme is required: http://localhost:9200/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+  #hosts: ["localhost:9200"]
+
+  # Set gzip compression level.
+  #compression_level: 0
+
+  # Protocol - either `http` (default) or `https`.
+  #protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
+  #username: "beats_system"
+  #password: "changeme"
+
+  # Dictionary of HTTP parameters to pass within the URL with index operations.
+  #parameters:
+    #param1: value1
+    #param2: value2
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Proxy server url
+  #proxy_url: http://proxy:3128
+
+  # The number of times a particular Elasticsearch index operation is attempted. If
+  # the indexing operation doesn't succeed after this many retries, the events are
+  # dropped. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+  # The default is 50.
+  #bulk_max_size: 50
+
+  # The number of seconds to wait before trying to reconnect to Elasticsearch
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Elasticsearch after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # Configure HTTP request timeout before failing a request to Elasticsearch.
+  #timeout: 90
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+  #ssl.ca_trusted_fingerprint: ""
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/elastic.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+  #metrics.period: 10s
+  #state.period: 1m
+
+# The `monitoring.cloud.id` setting overwrites the `monitoring.elasticsearch.hosts`
+# setting. You can find the value for this setting in the Elastic Cloud web UI.
+#monitoring.cloud.id:
+
+# The `monitoring.cloud.auth` setting overwrites the `monitoring.elasticsearch.username`
+# and `monitoring.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#monitoring.cloud.auth:
+
+# =============================== HTTP Endpoint ================================
+
+# Each beat can expose internal metrics through an HTTP endpoint. For security
+# reasons the endpoint is disabled by default. This feature is currently experimental.
+# Stats can be accessed through http://localhost:5066/stats. For pretty JSON output
+# append ?pretty to the URL.
+
+# Defines if the HTTP endpoint is enabled.
+#http.enabled: false
+
+# The HTTP endpoint will bind to this hostname, IP address, unix socket, or named pipe.
+# When using IP addresses, it is recommended to only use localhost.
+#http.host: localhost
+
+# Port on which the HTTP endpoint will bind. Default is 5066.
+#http.port: 5066
+
+# Define which user should be owning the named pipe.
+#http.named_pipe.user:
+
+# Define which permissions should be applied to the named pipe, use the Security
+# Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with
+# `http.user`.
+#http.named_pipe.security_descriptor:
+
+# Defines if the HTTP pprof endpoints are enabled.
+# It is recommended that this is only enabled on localhost as these endpoints may leak data.
+#http.pprof.enabled: false
+
+# Controls the fraction of goroutine blocking events that are reported in the
+# blocking profile.
+#http.pprof.block_profile_rate: 0
+
+# Controls the fraction of memory allocations that are recorded and reported in
+# the memory profile.
+#http.pprof.mem_profile_rate: 524288
+
+# Controls the fraction of mutex contention events that are reported in the
+# mutex profile.
+#http.pprof.mutex_profile_rate: 0
+
+# ============================== Process Security ==============================
+
+# Enable or disable seccomp system call filtering on Linux. Default is enabled.
+#seccomp.enabled: true
+
+# ============================== Instrumentation ===============================
+
+# Instrumentation support for the winlogbeat.
+#instrumentation:
+    # Set to true to enable instrumentation of winlogbeat.
+    #enabled: false
+
+    # Environment in which winlogbeat is running on (eg: staging, production, etc.)
+    #environment: ""
+
+    # APM Server hosts to report instrumentation results to.
+    #hosts:
+    #  - http://localhost:8200
+
+    # API Key for the APM Server(s).
+    # If api_key is set then secret_token will be ignored.
+    #api_key:
+
+    # Secret token for the APM Server(s).
+    #secret_token:
+
+    # Enable profiling of the server, recording profile samples as events.
+    #
+    # This feature is experimental.
+    #profiling:
+        #cpu:
+            # Set to true to enable CPU profiling.
+            #enabled: false
+            #interval: 60s
+            #duration: 10s
+        #heap:
+            # Set to true to enable heap profiling.
+            #enabled: false
+            #interval: 60s
+
+# ================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: false
+
+# =============================== Feature Flags ================================
+
+# Enable and configure feature flags.
+#features:
+#  fqdn:
+#    enabled: true
+```
+
diff --git a/docs/reference/winlogbeat/winlogbeat-starting.md b/docs/reference/winlogbeat/winlogbeat-starting.md
new file mode 100644
index 000000000000..62a48f96380d
--- /dev/null
+++ b/docs/reference/winlogbeat/winlogbeat-starting.md
@@ -0,0 +1,27 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-starting.html
+---
+
+# Start Winlogbeat [winlogbeat-starting]
+
+Before starting Winlogbeat:
+
+* Follow the steps in [Quick start: installation and configuration](/reference/winlogbeat/winlogbeat-installation-configuration.md) to install, configure, and set up the Winlogbeat environment.
+* Make sure {{kib}} and {{es}} are running.
+* Make sure the user specified in `winlogbeat.yml` is [authorized to publish events](/reference/winlogbeat/privileges-to-publish-events.md).
+
+To start Winlogbeat, run:
+
+```shell
+PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
+```
+
+Winlogbeat should now be running. If you used the logging configuration described here, you can view the log file at `C:\ProgramData\winlogbeat\Logs\winlogbeat`.
+
+You can view the status of the service and control it from the Services management console in Windows. To launch the management console, run this command:
+
+```shell
+PS C:\Program Files\Winlogbeat> services.msc
+```
+
diff --git a/docs/reference/winlogbeat/winlogbeat-template.md b/docs/reference/winlogbeat/winlogbeat-template.md
new file mode 100644
index 000000000000..84eb4853fa06
--- /dev/null
+++ b/docs/reference/winlogbeat/winlogbeat-template.md
@@ -0,0 +1,122 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-template.html
+---
+
+# Load the Elasticsearch index template [winlogbeat-template]
+
+{{es}} uses [index templates](docs-content://manage-data/data-store/templates.md) to define:
+
+* Settings that control the behavior of your data stream and backing indices. The settings include the lifecycle policy used to manage backing indices as they grow and age.
+* Mappings that determine how fields are analyzed. Each mapping sets the [{{es}} datatype](elasticsearch://reference/elasticsearch/mapping-reference/field-data-types.md) to use for a specific data field.
+
+The recommended index template file for Winlogbeat is installed by the Winlogbeat packages. If you accept the default configuration in the `winlogbeat.yml` config file, Winlogbeat loads the template automatically after successfully connecting to {{es}}. If the template already exists, it’s not overwritten unless you configure Winlogbeat to do so.
+
+::::{note}
+A connection to {{es}} is required to load the index template. If the output is not {{es}} (or {{ess}}), you must [load the template manually](#load-template-manually).
+::::
+
+
+This page shows how to change the default template loading behavior to:
+
+* [Load your own index template](#load-custom-template)
+* [Overwrite an existing index template](#overwrite-template)
+* [Disable automatic index template loading](#disable-template-loading)
+* [Load the index template manually](#load-template-manually)
+
+For a full list of template setup options, see [Elasticsearch index template](/reference/winlogbeat/configuration-template.md).
+
+
+## Load your own index template [load-custom-template]
+
+To load your own index template, set the following options:
+
+```yaml
+setup.template.name: "your_template_name"
+setup.template.fields: "path/to/fields.yml"
+```
+
+If the template already exists, it’s not overwritten unless you configure Winlogbeat to do so.
+
+You can load templates for both data streams and indices.
+
+
+## Overwrite an existing index template [overwrite-template]
+
+::::{warning}
+Do not enable this option for more than one instance of Winlogbeat. If you start multiple instances at the same time, it can overload your {{es}} with too many template update requests.
+::::
+
+
+To overwrite a template that’s already loaded into {{es}}, set:
+
+```yaml
+setup.template.overwrite: true
+```
+
+
+## Disable automatic index template loading [disable-template-loading]
+
+You may want to disable automatic template loading if you’re using an output other than {{es}} and need to load the template manually. To disable automatic template loading, set:
+
+```yaml
+setup.template.enabled: false
+```
+
+If you disable automatic template loading, you must load the index template manually.
+
+
+## Load the index template manually [load-template-manually]
+
+To load the index template manually, run the [`setup`](/reference/winlogbeat/command-line-options.md#setup-command) command. A connection to {{es}} is required.  If another output is enabled, you need to temporarily disable that output and enable {{es}} by using the `-E` option. The examples here assume that Logstash output is enabled. You can omit the `-E` flags if {{es}} output is already enabled.
+
+If you are connecting to a secured {{es}} cluster, make sure you’ve configured credentials as described in the [Quick start: installation and configuration](/reference/winlogbeat/winlogbeat-installation-configuration.md).
+
+If the host running Winlogbeat does not have direct connectivity to {{es}}, see [Load the index template manually (alternate method)](#load-template-manually-alternate).
+
+To load the template:
+
+Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select **Run As Administrator**).
+
+From the PowerShell prompt, change to the directory where you installed Winlogbeat, and run:
+
+```sh
+PS > .\winlogbeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
+```
+
+
+### Force Kibana to look at newest documents [force-kibana-new]
+
+If you’ve already used Winlogbeat to index data into {{es}}, the index may contain old documents. After you load the index template, you can delete the old documents from `winlogbeat-*` to force Kibana to look at the newest documents.
+
+Use this command:
+
+```sh
+PS > Invoke-RestMethod -Method Delete "http://localhost:9200/winlogbeat-*"
+```
+
+This command deletes all indices that match the pattern `winlogbeat`. Before running this command, make sure you want to delete all indices that match the pattern.
+
+
+## Load the index template manually (alternate method) [load-template-manually-alternate]
+
+If the host running Winlogbeat does not have direct connectivity to {{es}}, you can export the index template to a file, move it to a machine that does have connectivity, and then install the template manually.
+
+To export the index template, run:
+
+```sh
+PS > .\winlogbeat.exe export template --es.version 9.0.0-beta1 | Out-File -Encoding UTF8 winlogbeat.template.json
+```
+
+To install the template, run:
+
+```sh
+PS > Invoke-RestMethod -Method Put -ContentType "application/json" -InFile winlogbeat.template.json -Uri http://localhost:9200/_index_template/winlogbeat-9.0.0-beta1
+```
+
+Once you have loaded the index template, load the data stream as well. If you do not load it, you have to give the publisher user `manage` permission on winlogbeat-9.0.0-beta1 index.
+
+```sh
+PS > Invoke-RestMethod -Method Put -Uri http://localhost:9200/_data_stream/winlogbeat-9.0.0-beta1
+```
+
diff --git a/docs/reference/winlogbeat/winlogbeat.md b/docs/reference/winlogbeat/winlogbeat.md
new file mode 100644
index 000000000000..6b2b63f99ac1
--- /dev/null
+++ b/docs/reference/winlogbeat/winlogbeat.md
@@ -0,0 +1,8 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/index.html
+---
+
+# Winlogbeat
+
+Just a placeholder for a top index page.
diff --git a/docs/reference/winlogbeat/yaml-tips.md b/docs/reference/winlogbeat/yaml-tips.md
new file mode 100644
index 000000000000..c7e1f185ab0d
--- /dev/null
+++ b/docs/reference/winlogbeat/yaml-tips.md
@@ -0,0 +1,60 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/winlogbeat/current/yaml-tips.html
+---
+
+# Avoid YAML formatting problems [yaml-tips]
+
+The configuration file uses [YAML](http://yaml.org/) for its syntax. When you edit the file to modify configuration settings, there are a few things that you should know.
+
+
+## Use spaces for indentation [_use_spaces_for_indentation]
+
+Indentation is meaningful in YAML. Make sure that you use spaces, rather than tab characters, to indent sections.
+
+In the default configuration files and in all the examples in the documentation, we use 2 spaces per indentation level. We recommend you do the same.
+
+
+## Look at the default config file for structure [_look_at_the_default_config_file_for_structure]
+
+The best way to understand where to define a configuration option is by looking at the provided sample configuration files. The configuration files contain most of the default configurations that are available for the Beat. To change a setting, simply uncomment the line and change the values.
+
+
+## Test your config file [_test_your_config_file]
+
+You can test your configuration file to verify that the structure is valid. Simply change to the directory where the binary is installed, and run the Beat in the foreground with the `test config` command specified. For example:
+
+```shell
+winlogbeat test config -c winlogbeat.yml
+```
+
+You’ll see a message if the Beat finds an error in the file.
+
+
+## Wrap regular expressions in single quotation marks [_wrap_regular_expressions_in_single_quotation_marks]
+
+If you need to specify a regular expression in a YAML file, it’s a good idea to wrap the regular expression in single quotation marks to work around YAML’s tricky rules for string escaping.
+
+For more information about YAML, see [http://yaml.org/](http://yaml.org/).
+
+
+## Wrap paths in single quotation marks [wrap-paths-in-quotes]
+
+Windows paths in particular sometimes contain spaces or characters, such as drive letters or triple dots, that may be misinterpreted by the YAML parser.
+
+To avoid this problem, it’s a good idea to wrap paths in single quotation marks.
+
+
+## Avoid using leading zeros in numeric values [avoid-leading-zeros]
+
+If you use a leading zero (for example, `09`) in a numeric field without wrapping the value in single quotation marks, the value may be interpreted incorrectly by the YAML parser. If the value is a valid octal, it’s converted to an integer. If not, it’s converted to a float.
+
+To prevent unwanted type conversions, avoid using leading zeros in field values, or wrap the values in single quotation marks.
+
+
+## Avoid accidental template variable resolution [dollar-sign-strings]
+
+The templating engine that allows the config to resolve data from environment variables can result in errors in strings with `$` characters. For example, if a password field contains `$$`, the engine will resolve this to `$`.
+
+To work around this, either use the [Secrets keystore](/reference/winlogbeat/keystore.md) or escape all instances of `$` with `$$`.
+
diff --git a/docs/release-notes/breaking-changes.md b/docs/release-notes/breaking-changes.md
new file mode 100644
index 000000000000..8b9b3051d9ef
--- /dev/null
+++ b/docs/release-notes/breaking-changes.md
@@ -0,0 +1,22 @@
+---
+navigation_title: "Beats"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes.html
+---
+
+# Beats breaking changes [beats-breaking-changes]
+Before you upgrade, carefully review the Beats breaking changes and take the necessary steps to mitigate any issues.
+
+To learn how to upgrade, check out <uprade docs>.
+
+% ## Next version
+% **Release date:** Month day, year
+
+% Description and impact of the breaking change.
+% For more information, check [PR #](PR link).
+
+## 9.0.0 [beats-900-breaking-changes]
+**Release date:** March 25, 2025
+
+% Description and impact of the breaking change.
+% For more information, check [PR #](PR link).
\ No newline at end of file
diff --git a/docs/release-notes/deprecations.md b/docs/release-notes/deprecations.md
new file mode 100644
index 000000000000..b1d829dce0e2
--- /dev/null
+++ b/docs/release-notes/deprecations.md
@@ -0,0 +1,28 @@
+---
+navigation_title: "Beats"
+---
+
+# Beats deprecations [beats-deprecations]
+Review the deprecated functionality for your Beats version. While deprecations have no immediate impact, we strongly encourage you update your implementation after you upgrade.
+
+To learn how to upgrade, check out <uprade docs>.
+
+% ## Next version
+% **Release date:** Month day, year
+
+% ::::{dropdown} Deprecation title
+% Description of the deprecation.
+% For more information, check [PR #](PR link).
+% **Impact**<br> Impact of deprecation. 
+% **Action**<br> Steps for mitigating deprecation impact.
+% ::::
+
+% ## 9.0.0 [beats-900-deprecations]
+% **Release date:** March 25, 2025
+
+% ::::{dropdown} Deprecation title
+% Description of the deprecation.
+% For more information, check [PR #](PR link).
+% **Impact**<br> Impact of deprecation. 
+% **Action**<br> Steps for mitigating deprecation impact.
+% ::::
\ No newline at end of file
diff --git a/docs/release-notes/index.md b/docs/release-notes/index.md
new file mode 100644
index 000000000000..492ed016ae87
--- /dev/null
+++ b/docs/release-notes/index.md
@@ -0,0 +1,27 @@
+---
+navigation_title: "Beats"
+mapped_pages:
+  - https://www.elastic.co/guide/en/beats/libbeat/8.17/release-notes.html
+  - https://www.elastic.co/guide/en/beats/libbeat/current/release-notes.html
+---
+
+# Beats release notes [beats-release-notes]
+Review the changes, fixes, and more in each version of Beats.
+
+To check for security updates, go to [Security announcements for the Elastic stack](https://discuss.elastic.co/c/announcements/security-announcements/31).
+
+% Release notes include only features, enhancements, and fixes. Add breaking changes, deprecations, and known issues to the applicable release notes sections.
+
+% ## version.next [beats-versionext-release-notes]
+% **Release date:** Month day, year
+
+% ### Features and enhancements [beats-versionext-features-enhancements]
+
+% ### Fixes [beats-versionext-fixes]
+
+## 9.0.0 [beats-900-release-notes]
+**Release date:** March 25, 2025
+
+### Features and enhancements [beats-900-features-enhancements]
+
+### Fixes [beats-900-fixes]
\ No newline at end of file
diff --git a/docs/release-notes/known-issues.md b/docs/release-notes/known-issues.md
new file mode 100644
index 000000000000..f7b26b8a1ff6
--- /dev/null
+++ b/docs/release-notes/known-issues.md
@@ -0,0 +1,20 @@
+---
+navigation_title: "Beats"
+
+---
+
+# Beats known issues [beats-known-issues]
+
+% Use the following template to add entries to this page.
+
+% :::{dropdown} Title of known issue
+% **Details** 
+% On [Month/Day/Year], a known issue was discovered that [description of known issue].
+
+% **Workaround** 
+% Workaround description.
+
+% **Resolved**
+% On [Month/Day/Year], this issue was resolved.
+
+:::
\ No newline at end of file
diff --git a/docs/release-notes/toc.yml b/docs/release-notes/toc.yml
new file mode 100644
index 000000000000..a4100679473b
--- /dev/null
+++ b/docs/release-notes/toc.yml
@@ -0,0 +1,5 @@
+toc:
+  - file: index.md
+  - file: known-issues.md
+  - file: breaking-changes.md
+  - file: deprecations.md
\ No newline at end of file
diff --git a/filebeat/docs/autodiscover-docker-config.asciidoc b/filebeat/docs/autodiscover-docker-config.asciidoc
deleted file mode 100644
index 6cc3b17e8368..000000000000
--- a/filebeat/docs/autodiscover-docker-config.asciidoc
+++ /dev/null
@@ -1,40 +0,0 @@
-Filebeat supports templates for inputs and modules.
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-filebeat.autodiscover:
-  providers:
-    - type: docker
-      templates:
-        - condition:
-            contains:
-              docker.container.image: redis
-          config:
-            - type: container
-              paths:
-                - /var/lib/docker/containers/${data.docker.container.id}/*.log
-              exclude_lines: ["^\\s+[\\-`('.|_]"]  # drop asciiart lines
--------------------------------------------------------------------------------------
-
-This configuration launches a `docker` logs input for all containers running an image with `redis` in the name.
-`labels.dedot` defaults to be `true` for docker autodiscover, which means dots in docker labels are replaced with '_' by default.
-
-If you are using modules, you can override the default input and use the docker input instead.
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-filebeat.autodiscover:
-  providers:
-    - type: docker
-      templates:
-        - condition:
-            contains:
-              docker.container.image: redis
-          config:
-            - module: redis
-              log:
-                input:
-                  type: container
-                  paths:
-                    - /var/lib/docker/containers/${data.docker.container.id}/*.log
--------------------------------------------------------------------------------------
diff --git a/filebeat/docs/autodiscover-hints.asciidoc b/filebeat/docs/autodiscover-hints.asciidoc
deleted file mode 100644
index 19d0fe951138..000000000000
--- a/filebeat/docs/autodiscover-hints.asciidoc
+++ /dev/null
@@ -1,453 +0,0 @@
-{beatname_uc} supports autodiscover based on hints from the provider. The hints system looks for
-hints in Kubernetes Pod annotations or Docker labels that have the prefix `co.elastic.logs`. As soon as
-the container starts, {beatname_uc} will check if it contains any hints and launch the proper config for
-it. Hints tell {beatname_uc} how to get logs for the given container. By default logs will be retrieved
-from the container using the `filestream` input. You can use hints to modify this behavior. This is the full
-list of supported hints:
-
-[float]
-===== `co.elastic.logs/enabled`
-
-Filebeat gets logs from all containers by default, you can set this hint to `false` to ignore
-the output of the container. Filebeat won't read or send logs from it. If default config is
-disabled, you can use this annotation to enable log retrieval only for containers with this
-set to `true`. If you are aiming to use this with Kubernetes, have in mind that annotation
-values can only be of string type so you will need to explicitly define this as `"true"`
-or `"false"` accordingly.
-
-[float]
-===== `co.elastic.logs/multiline.*`
-
-Multiline settings. See <<multiline-examples>> for a full list of all supported options.
-
-[float]
-===== `co.elastic.logs/json.*`
-
-JSON settings. See <<filebeat-input-filestream-ndjson>> for a full list of all supported options.
-
-For example, the following hints with json options:
-[source,yaml]
------
-co.elastic.logs/json.message_key: "log"
-co.elastic.logs/json.add_error_key: "true"
------
-will lead to the following input configuration:
-
-`filestream`
-[source,yaml]
------
-parsers:
-  - ndjson:
-      message_key: "log"
-      add_error_key: "true"
------
-
-[float]
-===== `co.elastic.logs/include_lines`
-
-A list of regular expressions to match the lines that you want {beatname_uc} to include.
-See <<configuration-filebeat-options>> for more info.
-
-[float]
-===== `co.elastic.logs/exclude_lines`
-
-A list of regular expressions to match the lines that you want {beatname_uc} to exclude.
-See <<configuration-filebeat-options>> for more info.
-
-[float]
-===== `co.elastic.logs/module`
-
-Instead of using raw `docker` input, specifies the module to use to parse logs from the container. See
-<<filebeat-modules>> for the list of supported modules.
-
-[float]
-===== `co.elastic.logs/fileset`
-
-When module is configured, map container logs to module filesets. You can either configure
-a single fileset like this:
-
-[source,yaml]
------
-co.elastic.logs/fileset: access
------
-
-Or configure a fileset per stream in the container (stdout and stderr):
-
-[source,yaml]
------
-co.elastic.logs/fileset.stdout: access
-co.elastic.logs/fileset.stderr: error
------
-
-[float]
-===== `co.elastic.logs/raw`
-When an entire input/module configuration needs to be completely set the `raw` hint can be used. You can provide a
-stringified JSON of the input configuration. `raw` overrides every other hint and can be used to create both a single or
-a list of configurations.
-
-[source,yaml]
------
-co.elastic.logs/raw: "[{\"containers\":{\"ids\":[\"${data.container.id}\"]},\"multiline\":{\"negate\":\"true\",\"pattern\":\"^test\"},\"type\":\"docker\"}]"
------
-
-[float]
-===== `co.elastic.logs/processors`
-
-Define a processor to be added to the {beatname_uc} input/module configuration. See <<filtering-and-enhancing-data>> for the list
-of supported processors.
-
-If processors configuration uses list data structure, object fields must be enumerated.
-For example, hints for the `rename` processor configuration below
-[source,yaml]
------
-processors:
-  - rename:
-      fields:
-        - from: "a.g"
-          to: "e.d"
-      fail_on_error: true
------
-will look like:
-[source,yaml]
------
-co.elastic.logs/processors.rename.fields.0.from: "a.g"
-co.elastic.logs/processors.rename.fields.1.to: "e.d"
-co.elastic.logs/processors.rename.fail_on_error: 'true'
------
-
-If processors configuration uses map data structure, enumeration is not needed. For example, the equivalent to the `add_fields` configuration below
-[source,yaml]
------
-processors:
-  - add_fields:
-      target: project
-      fields:
-        name: myproject
------
-is
-[source,yaml]
------
-co.elastic.logs/processors.1.add_fields.target: "project"
-co.elastic.logs/processors.1.add_fields.fields.name: "myproject"
------
-
-In order to provide ordering of the processor definition, numbers can be provided. If not, the hints builder will do
-arbitrary ordering:
-
-[source,yaml]
------
-co.elastic.logs/processors.1.dissect.tokenizer: "%{key1} %{key2}"
-co.elastic.logs/processors.dissect.tokenizer: "%{key2} %{key1}"
------
-
-In the above sample the processor definition tagged with `1` would be executed first.
-
-[float]
-===== `co.elastic.logs/pipeline`
-
-Define an ingest pipeline ID to be added to the {beatname_uc} input/module configuration.
-
-[source,yaml]
------
-co.elastic.logs/pipeline: custom-pipeline
------
-
-When hints are used along with templates, then hints will be evaluated only in case
-there is no template's condition that resolves to true. For example:
-
-[source,yaml]
------
-filebeat.autodiscover.providers:
-  - type: docker
-    hints.enabled: true
-    hints.default_config:
-      type: container
-      paths:
-        - /var/lib/docker/containers/${data.container.id}/*.log
-    templates:
-      - condition:
-          equals:
-            docker.container.labels.type: "pipeline"
-        config:
-          - type: container
-            paths:
-              - "/var/lib/docker/containers/${data.docker.container.id}/*.log"
-            pipeline: my-pipeline
------
-
-In this example first the condition `docker.container.labels.type: "pipeline"` is evaluated
-and if not matched the hints will be processed and if there is again no valid config
-the `hints.default_config` will be used.
-
-[float]
-==== Kubernetes
-
-Kubernetes autodiscover provider supports hints in Pod annotations. To enable it just set `hints.enabled`:
-
-[source,yaml]
------
-filebeat.autodiscover:
-  providers:
-    - type: kubernetes
-      hints.enabled: true
------
-
-You can configure the default config that will be launched when a new container is seen, like this:
-
-[source,yaml]
------
-filebeat.autodiscover:
-  providers:
-    - type: kubernetes
-      hints.enabled: true
-      hints.default_config:
-        type: container
-        paths:
-          - /var/log/containers/*-${data.container.id}.log  # CRI path
------
-
-You can also disable default settings entirely, so only Pods annotated like `co.elastic.logs/enabled: true`
-will be retrieved:
-
-[source,yaml]
------
-filebeat.autodiscover:
-  providers:
-    - type: kubernetes
-      hints.enabled: true
-      hints.default_config.enabled: false
------
-
-You can annotate Kubernetes Pods with useful info to spin up {beatname_uc} inputs or modules:
-
-[source,yaml]
------
-annotations:
-  co.elastic.logs/multiline.pattern: '^\['
-  co.elastic.logs/multiline.negate: true
-  co.elastic.logs/multiline.match: after
------
-
-
-[float]
-===== Multiple containers
-
-When a pod has multiple containers, the settings are shared unless you put the container name in the
-hint. For example, these hints configure multiline settings for all containers in the pod, but set a
-specific `exclude_lines` hint for the container called `sidecar`.
-
-
-[source,yaml]
------
-annotations:
-  co.elastic.logs/multiline.pattern: '^\['
-  co.elastic.logs/multiline.negate: true
-  co.elastic.logs/multiline.match: after
-  co.elastic.logs.sidecar/exclude_lines: '^DBG'
------
-
-[float]
-===== Multiple sets of hints
-When a container needs multiple inputs to be defined on it, sets of annotations can be provided with numeric prefixes.
-If there are hints that don't have a numeric prefix then they get grouped together into a single configuration.
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-annotations:
-  co.elastic.logs/exclude_lines: '^DBG'
-  co.elastic.logs/1.include_lines: '^DBG'
-  co.elastic.logs/1.processors.dissect.tokenizer: "%{key2} %{key1}"
--------------------------------------------------------------------------------------
-
-The above configuration would generate two input configurations. The first input handles only debug logs and passes it through a dissect
-tokenizer. The second input handles everything but debug logs.
-
-[float]
-=====  Namespace Defaults
-
-Hints can be configured on the Namespace's annotations as defaults to use when Pod level annotations are missing.
-The resultant hints are a combination of Pod annotations and Namespace annotations with the Pod's taking precedence. To
-enable Namespace defaults configure the `add_resource_metadata` for Namespace objects as follows:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-filebeat.autodiscover:
-  providers:
-    - type: kubernetes
-      hints.enabled: true
-      add_resource_metadata:
-        namespace:
-          include_annotations: ["nsannotation1"]
--------------------------------------------------------------------------------------
-
-
-
-[float]
-==== Docker
-
-Docker autodiscover provider supports hints in labels. To enable it just set `hints.enabled`:
-
-[source,yaml]
------
-filebeat.autodiscover:
-  providers:
-    - type: docker
-      hints.enabled: true
------
-
-You can configure the default config that will be launched when a new container is seen, like this:
-
-[source,yaml]
------
-filebeat.autodiscover:
-  providers:
-    - type: docker
-      hints.enabled: true
-      hints.default_config:
-        type: container
-        paths:
-          - /var/log/containers/*-${data.container.id}.log  # CRI path
------
-
-You can also disable default settings entirely, so only containers labeled with `co.elastic.logs/enabled: true`
-will be retrieved:
-
-[source,yaml]
------
-filebeat.autodiscover:
-  providers:
-    - type: docker
-      hints.enabled: true
-      hints.default_config.enabled: false
------
-
-You can label Docker containers with useful info to spin up {beatname_uc} inputs, for example:
-
-[source,yaml]
------
-  co.elastic.logs/module: nginx
-  co.elastic.logs/fileset.stdout: access
-  co.elastic.logs/fileset.stderr: error
------
-
-The above labels configure {beatname_uc} to use the Nginx module to harvest logs for this container.
-Access logs will be retrieved from stdout stream, and error logs from stderr.
-
-
-You can label Docker containers with useful info to decode logs structured as JSON messages, for example:
-
-[source,yaml]
------
-  co.elastic.logs/json.keys_under_root: true
-  co.elastic.logs/json.add_error_key: true
-  co.elastic.logs/json.message_key: log
------
-
-
-
-[float]
-==== Nomad
-
-Nomad autodiscover provider supports hints using the
-https://www.nomadproject.io/docs/job-specification/meta.html[`meta` stanza]. To
-enable it just set `hints.enabled`:
-
-[source,yaml]
------
-filebeat.autodiscover:
-  providers:
-    - type: nomad
-      hints.enabled: true
------
-
-You can configure the default config that will be launched when a new job is
-seen, like this:
-
-[source,yaml]
------
-filebeat.autodiscover:
-  providers:
-    - type: nomad
-      hints.enabled: true
-      hints.default_config:
-        type: filestream
-        id: ${data.nomad.task.name}-${data.nomad.allocation.id} # unique ID required
-        paths:
-          - /opt/nomad/alloc/${data.nomad.allocation.id}/alloc/logs/${data.nomad.task.name}.*
------
-
-You can also disable the default config such that only logs from jobs explicitly
-annotated with `"co.elastic.logs/enabled" = "true"` will be collected:
-
-[source,yaml]
------
-filebeat.autodiscover:
-  providers:
-    - type: nomad
-      hints.enabled: true
-      hints.default_config:
-        enabled: false
-        type: filestream
-        id: ${data.nomad.task.name}-${data.nomad.allocation.id} # unique ID required
-        paths:
-          - /opt/nomad/alloc/${data.nomad.allocation.id}/alloc/logs/${data.nomad.task.name}.*
------
-
-You can annotate Nomad Jobs using the `meta` stanza with useful info to spin up
-{beatname_uc} inputs or modules:
-
-[source,hcl]
------
-meta {
-  "co.elastic.logs/enabled"           = "true"
-  "co.elastic.logs/multiline.pattern" = "^\\["
-  "co.elastic.logs/multiline.negate"  = "true"
-  "co.elastic.logs/multiline.match"   = "after"
-}
------
-
-If you are using autodiscover then in most cases you will want to use the
-<<add-nomad-metadata,`add_nomad_metadata`>> processor to enrich events with
-Nomad metadata. This example configures {{beatname_uc}} to connect to the local
-Nomad agent over HTTPS and adds the Nomad allocation ID to all events from the
-input. Later in the pipeline the `add_nomad_metadata` processor will use that ID
-to enrich the event.
-
-[source,yaml]
------
-filebeat.autodiscover:
-  providers:
-    - type: nomad
-      address: https://localhost:4646
-      hints.enabled: true
-      hints.default_config:
-        enabled: false <1>
-        type: filestream
-        id: ${data.nomad.task.name}-${data.nomad.allocation.id} # unique ID required
-        paths:
-          - /opt/nomad/alloc/${data.nomad.allocation.id}/alloc/logs/${data.nomad.task.name}.*
-        processors:
-          - add_fields: <2>
-              target: nomad
-              fields:
-                allocation.id: ${data.nomad.allocation.id}
-
-processors:
-  - add_nomad_metadata: <3>
-      when.has_fields.fields: [nomad.allocation.id]
-      address: https://localhost:4646
-      default_indexers.enabled: false
-      default_matchers.enabled: false
-      indexers:
-        - allocation_uuid:
-      matchers:
-        - fields:
-            lookup_fields:
-              - 'nomad.allocation.id'
------
-<1> The default config is disabled meaning any task without the
-`"co.elastic.logs/enabled" = "true"` metadata will be ignored.
-<2> The `add_fields` processor populates the `nomad.allocation.id` field with
-the Nomad allocation UUID.
-<3> The `add_nomad_metadata` processor is configured at the global level so
-that it is only instantiated one time which saves resources.
diff --git a/filebeat/docs/autodiscover-jolokia-config.asciidoc b/filebeat/docs/autodiscover-jolokia-config.asciidoc
deleted file mode 100644
index 48f936338a96..000000000000
--- a/filebeat/docs/autodiscover-jolokia-config.asciidoc
+++ /dev/null
@@ -1,23 +0,0 @@
-Filebeat supports templates for inputs and modules:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------
-filebeat.autodiscover:
-  providers:
-    - type: jolokia
-      interfaces:
-      - name: lo
-      templates:
-      - condition:
-          contains:
-            jolokia.server.product: "kafka"
-        config:
-        - module: kafka
-          log:
-            enabled: true
-            var.paths:
-            - /var/log/kafka/*.log
--------------------------------------------------------------------------------
-
-This configuration starts a jolokia module that collects logs of kafka if it is
-running. Discovery probes are sent using the local interface.
diff --git a/filebeat/docs/autodiscover-kubernetes-config.asciidoc b/filebeat/docs/autodiscover-kubernetes-config.asciidoc
deleted file mode 100644
index 89e6e74be2de..000000000000
--- a/filebeat/docs/autodiscover-kubernetes-config.asciidoc
+++ /dev/null
@@ -1,40 +0,0 @@
-Filebeat supports templates for inputs and modules.
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-filebeat.autodiscover:
-  providers:
-    - type: kubernetes
-      templates:
-        - condition:
-            equals:
-              kubernetes.namespace: kube-system
-          config:
-            - type: container
-              paths:
-                - /var/log/containers/*-${data.kubernetes.container.id}.log
-              exclude_lines: ["^\\s+[\\-`('.|_]"]  # drop asciiart lines
--------------------------------------------------------------------------------------
-
-This configuration launches a `docker` logs input for all containers of pods running in the Kubernetes namespace
-`kube-system`.
-
-If you are using modules, you can override the default input and use the docker input instead.
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-filebeat.autodiscover:
-  providers:
-    - type: kubernetes
-      templates:
-        - condition:
-            equals:
-              kubernetes.container.image: "redis"
-          config:
-            - module: redis
-              log:
-                input:
-                  type: container
-                  paths:
-                    - /var/log/containers/*-${data.kubernetes.container.id}.log
--------------------------------------------------------------------------------------
diff --git a/filebeat/docs/autodiscover-nomad-config.asciidoc b/filebeat/docs/autodiscover-nomad-config.asciidoc
deleted file mode 100644
index 8952d652ef98..000000000000
--- a/filebeat/docs/autodiscover-nomad-config.asciidoc
+++ /dev/null
@@ -1,50 +0,0 @@
-Filebeat supports templates for inputs and modules.
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-filebeat.autodiscover:
-  providers:
-    - type: nomad
-      node: nomad1
-      scope: local
-      hints.enabled: true
-      allow_stale: true
-      templates:
-        - condition:
-            equals:
-              nomad.namespace: web
-          config:
-            - type: filestream
-              id: ${data.nomad.task.name}-${data.nomad.allocation.id} # unique ID required
-              paths:
-                - /var/lib/nomad/alloc/${data.nomad.allocation.id}/alloc/logs/${data.nomad.task.name}.stderr.[0-9]*
-              exclude_lines: ["^\\s+[\\-`('.|_]"]  # drop asciiart lines
--------------------------------------------------------------------------------------
-
-This configuration launches a `filestream` input for all jobs under the `web` Nomad namespace.
-
-If you are using modules, you can override the default input and customize it to read from the
-`${data.nomad.task.name}.stdout` and/or `${data.nomad.task.name}.stderr` files.
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-filebeat.autodiscover:
-  providers:
-    - type: nomad
-      templates:
-        - condition:
-            equals:
-              nomad.task.service.tags: "redis"
-          config:
-            - module: redis
-              log:
-                input:
-                  type: filestream
-                  id: ${data.nomad.task.name}-${data.nomad.allocation.id} # unique ID required
-                  paths:
-                    - /var/lib/nomad/alloc/${data.nomad.allocation.id}/alloc/logs/${data.nomad.task.name}.*
--------------------------------------------------------------------------------------
-
-WARNING: The `docker` input is currently not supported. Nomad doesn't expose the container ID
-associated with the allocation. Without the container ID, there is no way of generating the proper
-path for reading the container's logs.
diff --git a/filebeat/docs/aws-credentials-examples.asciidoc b/filebeat/docs/aws-credentials-examples.asciidoc
deleted file mode 100644
index c8509bf826e7..000000000000
--- a/filebeat/docs/aws-credentials-examples.asciidoc
+++ /dev/null
@@ -1,43 +0,0 @@
-* Use AWS credentials in Filebeat configuration
-+
-[source,yaml]
-----
-filebeat.inputs:
-- type: aws-s3
-  queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
-  access_key_id: '<access_key_id>'
-  secret_access_key: '<secret_access_key>'
-  session_token: '<session_token>'
-----
-+
-or
-+
-[source,yaml]
-----
-filebeat.inputs:
-- type: aws-s3
-  queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
-  access_key_id: '${AWS_ACCESS_KEY_ID:""}'
-  secret_access_key: '${AWS_SECRET_ACCESS_KEY:""}'
-  session_token: '${AWS_SESSION_TOKEN:""}'
-----
-
-* Use IAM role ARN
-+
-[source,yaml]
-----
-filebeat.inputs:
-- type: aws-s3
-  queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
-  role_arn: arn:aws:iam::123456789012:role/test-mb
-----
-
-* Use shared AWS credentials file
-+
-[source,yaml]
-----
-filebeat.inputs:
-- type: aws-s3
-  queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
-  credential_profile_name: test-fb
-----
diff --git a/filebeat/docs/configuring-howto.asciidoc b/filebeat/docs/configuring-howto.asciidoc
deleted file mode 100644
index 2dd0f0d719a1..000000000000
--- a/filebeat/docs/configuring-howto.asciidoc
+++ /dev/null
@@ -1,76 +0,0 @@
-[[configuring-howto-filebeat]]
-= Configure {beatname_uc}
-
-[partintro]
---
-++++
-<titleabbrev>Configure</titleabbrev>
-++++
-
-include::{libbeat-dir}/shared/configuring-intro.asciidoc[]
-
-* <<configuration-filebeat-options>>
-* <<configuration-{beatname_lc}-modules>>
-* <<configuration-general-options>>
-* <<configuration-path>>
-* <<filebeat-configuration-reloading>>
-* <<configuring-output>>
-* <<configuration-ssl>>
-* <<ilm>>
-* <<configuration-template>>
-* <<setup-kibana-endpoint>>
-* <<configuration-dashboards>>
-* <<filtering-and-enhancing-data>>
-* <<configuration-autodiscover>>
-* <<configuring-internal-queue>>
-* <<configuration-logging>>
-* <<http-endpoint>>
-* <<regexp-support>>
-* <<configuration-instrumentation>>
-* <<configuration-feature-flags>>
-* <<{beatname_lc}-reference-yml>>
-
---
-
-include::./filebeat-options.asciidoc[]
-
-include::{docdir}/../docs/filebeat-modules-options.asciidoc[]
-
-include::./filebeat-general-options.asciidoc[]
-
-include::{libbeat-dir}/shared-path-config.asciidoc[]
-
-include::./reload-configuration.asciidoc[]
-
-include::{libbeat-dir}/outputconfig.asciidoc[]
-
-ifndef::no_kerberos[]
-include::{libbeat-dir}/shared-kerberos-config.asciidoc[]
-endif::[]
-
-include::{libbeat-dir}/shared-ssl-config.asciidoc[]
-
-include::../../libbeat/docs/shared-ilm.asciidoc[]
-
-include::{libbeat-dir}/setup-config.asciidoc[]
-
-include::./filebeat-filtering.asciidoc[]
-
-:autodiscoverJolokia:
-:autodiscoverHints:
-:autodiscoverNomad:
-include::{libbeat-dir}/shared-autodiscover.asciidoc[]
-
-include::{libbeat-dir}/queueconfig.asciidoc[]
-
-include::{libbeat-dir}/loggingconfig.asciidoc[]
-
-include::{libbeat-dir}/http-endpoint.asciidoc[]
-
-include::{libbeat-dir}/regexp.asciidoc[]
-
-include::{libbeat-dir}/shared-instrumentation.asciidoc[]
-
-include::{libbeat-dir}/shared-feature-flags.asciidoc[]
-
-include::{libbeat-dir}/reference-yml.asciidoc[]
diff --git a/filebeat/docs/faq.asciidoc b/filebeat/docs/faq.asciidoc
deleted file mode 100644
index ee7ceeabad89..000000000000
--- a/filebeat/docs/faq.asciidoc
+++ /dev/null
@@ -1,145 +0,0 @@
-[[faq]]
-== Common problems
-
-This section describes common problems you might encounter with
-{beatname_uc}. Also check out the
-https://discuss.elastic.co/c/beats/{beatname_lc}[{beatname_uc} discussion forum].
-
-[[filebeat-kubernetes-metadata-error-extracting-container-id]]
-=== Error extracting container id while using Kubernetes metadata
-
-The `add_kubernetes_metadata` processor might throw the error `Error extracting container id - source value does not contain matcher's logs_path`.
-There might be some issues with the matchers definitions or the location of `logs_path`.
-Please verify the Kubernetes pod is healthy.
-
-[[filebeat-network-volumes]]
-=== Can't read log files from network volumes
-
-We do not recommend reading log files from network volumes. Whenever possible, install {beatname_uc} on the host machine and
-send the log files directly from there. Reading files from network volumes (especially on Windows) can have unexpected side
-effects. For example, changed file identifiers may result in {beatname_uc} reading a log file from scratch again.
-
-If it is not possible to read from the host, then using the
-<<filebeat-input-filestream-file-identity-fingerprint, `fingerprint`>>
-file identity is the next best option.
-
-[[filebeat-not-collecting-lines]]
-=== {beatname_uc} isn't collecting lines from a file
-
-{beatname_uc} might be incorrectly configured or unable to send events to the output. To resolve the issue:
-
-* If using modules, make sure the `var.paths` setting points to the file. If
-configuring an input manually, make sure the `paths` setting is correct.
-* Verify that the file is not older than the value specified by <<{beatname_lc}-input-log-ignore-older,`ignore_older`>>. `ignore_older` is disable by
-default so this depends on the value you have set. You can change this behavior by specifying a different value for
-<<{beatname_lc}-input-log-ignore-older,`ignore_older`>>.
-* Make sure that {beatname_uc} is able to send events to the configured output. Run {beatname_uc} in debug mode to determine whether
-it's publishing events successfully:
-+
-["source","sh",subs="attributes,callouts"]
-----------------------------------------------------------------------
-./filebeat -c config.yml -e -d "*"
-----------------------------------------------------------------------
-
-[[open-file-handlers]]
-=== Too many open file handlers
-
-{beatname_uc} keeps the file handler open in case it reaches the end of a file so that it can read new log lines in near real time. If {beatname_uc} is harvesting a large number of files, the number of open files can become an issue. In most environments, the number of files that are actively updated is low. The `close_inactive` configuration option should be set accordingly to close files that are no longer active.
-
-There are additional configuration options that you can use to close file handlers, but all of them should be used carefully because they can have side effects. The options are:
-
-* <<{beatname_lc}-input-log-close-renamed,`close_renamed`>>
-* <<{beatname_lc}-input-log-close-removed,`close_removed`>>
-* <<{beatname_lc}-input-log-close-eof,`close_eof`>>
-* <<{beatname_lc}-input-log-close-timeout,`close_timeout`>>
-* <<{beatname_lc}-input-log-harvester-limit,`harvester_limit`>>
-
-The `close_renamed` and `close_removed` options can be useful on Windows to resolve issues related to file rotation. See <<windows-file-rotation>>. The `close_eof` option can be useful in environments with a large number of files that have only very few entries. The `close_timeout` option is useful in environments where closing file handlers is more important than sending all log lines. For more details, see <<configuration-filebeat-options>>.
-
-Make sure that you read the documentation for these configuration options before using any of them.
-
-[[reduce-registry-size]]
-=== Registry file is too large
-
-{beatname_uc} keeps the state of each file and persists the state to disk in the registry file. The file state is used to continue file reading at a previous position when {beatname_uc} is restarted. If a large number of new files are produced every day, the registry file might grow to be too large. To reduce the size of the registry file, there are two configuration options available: <<{beatname_lc}-input-log-clean-removed,`clean_removed`>> and <<{beatname_lc}-input-log-clean-inactive,`clean_inactive`>>.
-
-For old files that you no longer touch and are ignored (see <<{beatname_lc}-input-log-ignore-older,`ignore_older`>>), we recommended that you use `clean_inactive`. If old files get removed from disk, then use the `clean_removed` option.
-
-
-[[inode-reuse-issue]]
-=== Inode reuse causes {beatname_uc} to skip lines
-
-On Linux file systems, {beatname_uc} uses the inode and device to identify files. When a file is removed from disk, the inode may be assigned to a new file. In use cases involving file rotation, if an old file is removed and a new one is created immediately afterwards, the new file may have the exact same inode as the file that was removed. In this case, {beatname_uc} assumes that the new file is the same as the old and tries to continue reading at the old position, which is not correct.
-
-By default states are never removed from the registry file. To resolve the inode reuse issue, we recommend that you use the <<{beatname_lc}-input-log-clean-options,`clean_*`>> options, especially <<{beatname_lc}-input-log-clean-inactive,`clean_inactive`>>, to remove the state of inactive files. For example, if your files get rotated every 24 hours, and the rotated files are not updated anymore, you can set <<{beatname_lc}-input-log-ignore-older,`ignore_older`>> to 48 hours and <<{beatname_lc}-input-log-clean-inactive,`clean_inactive`>> to 72 hours.
-
-You can use <<{beatname_lc}-input-log-clean-removed,`clean_removed`>> for files that are removed from disk. Be aware that `clean_removed` cleans the file state from the registry whenever a file cannot be found during a scan. If the file shows up again later, it will be sent again from scratch.
-
-Aside from that you should also change the
-<<filebeat-input-filestream-file-identity, `file_identity`>> to
-<<filebeat-input-filestream-file-identity-fingerprint,
-`fingerprint`>>. If you were using `native` (the default) or `path`,
-the state of the files will be automatically migrated to
-`fingerprint`.
-
-include::filebeat-log-rotation.asciidoc[]
-
-[[windows-file-rotation]]
-=== Open file handlers cause issues with Windows file rotation
-
-On Windows, you might have problems renaming or removing files because {beatname_uc} keeps the file handlers open. This can lead to issues with the file rotating system. To avoid this issue, you can use the <<{beatname_lc}-input-log-close-removed,`close_removed`>> and <<{beatname_lc}-input-log-close-renamed,`close_renamed`>> options together.
-
-IMPORTANT: When you configure these options, files may be closed before the harvester has finished reading the files. If the file cannot be picked up again by the input and the harvester hasn't finish reading the file, the missing lines will never be sent to the output.
-
-
-[[filebeat-cpu]]
-=== {beatname_uc} is using too much CPU
-
-{beatname_uc} might be configured to scan for files too frequently. Check the setting for `scan_frequency` in the `filebeat.yml`
-config file. Setting `scan_frequency` to less than 1s may cause {beatname_uc} to scan the disk in a tight loop.
-
-[[dashboard-fields-incorrect-filebeat]]
-=== Dashboard in {kib} is breaking up data fields incorrectly
-
-The index template might not be loaded correctly. See <<filebeat-template>>.
-
-[[fields-not-indexed]]
-=== Fields are not indexed or usable in {kib} visualizations
-
-If you have recently performed an operation that loads or parses custom, structured logs,
-you might need to refresh the index to make the fields available in {kib}. To refresh
-the index, use the {ref}/indices-refresh.html[refresh API]. For example:
-
-["source","sh"]
-----------------------------------------------------------------------
-curl -XPOST 'http://localhost:9200/filebeat-2016.08.09/_refresh'
-----------------------------------------------------------------------
-
-[[newline-character-required-eof]]
-=== {beatname_uc} isn't shipping the last line of a file
-
-{beatname_uc} uses a newline character to detect the end of an event. If lines are added incrementally to a file that's being
-harvested, a newline character is required after the last line, or {beatname_uc} will not read the last line of
-the file.
-
-[[faq-deleted-files-are-not-freed]]
-=== {beatname_uc} keeps open file handlers of deleted files for a long time
-
-In the default behaviour, {beatname_uc} opens the files and keeps them open until it
-reaches the end of them.  In situations when the configured output is blocked
-(e.g. {es} or {ls} is unavailable) for a long time, this can cause
-{beatname_uc} to keep file handlers to files that were deleted from the file system
-in the mean time. As long as {beatname_uc} keeps the deleted files open, the
-operating system doesn't free up the space on disk, which can lead to increase
-disk utilisation or even out of disk situations.
-
-To mitigate this issue, you can set the
-<<{beatname_lc}-input-log-close-timeout>> setting to `5m`. This will ensure
-every file handler is closed once every 5 minutes, regardless of whether it
-reached EOF or not. Note that this option can lead to data loss if the file is
-deleted before {beatname_uc} reaches the end of the file.
-
-
-include::{libbeat-dir}/faq-limit-bandwidth.asciidoc[]
-
-include::{libbeat-dir}/shared-faq.asciidoc[]
diff --git a/filebeat/docs/filebeat-filtering.asciidoc b/filebeat/docs/filebeat-filtering.asciidoc
deleted file mode 100644
index 09d48f2767ec..000000000000
--- a/filebeat/docs/filebeat-filtering.asciidoc
+++ /dev/null
@@ -1,112 +0,0 @@
-[[filtering-and-enhancing-data]]
-== Filter and enhance data with processors
-
-++++
-<titleabbrev>Processors</titleabbrev>
-++++
-
-Your use case might require only a subset of the data exported by {beatname_uc},
-or you might need to enhance the exported data (for example, by adding
-metadata). {beatname_uc} provides a couple of options for filtering and
-enhancing exported data.
-
-You can configure each input to include or exclude specific lines or files. This
-allows you to specify different filtering criteria for each input. To do this,
-you use the `include_lines`, `exclude_lines`, and `exclude_files` options under
-the +{beatname_lc}.inputs+ section of the config file (see
-<<configuration-{beatname_lc}-options>>). The disadvantage of this approach is
-that you need to implement a configuration option for each filtering criteria
-that you need.
-
-Another approach (the one described here) is to define processors to configure
-global processing across all data exported by {beatname_uc}.
-
-
-[float]
-[[using-processors]]
-=== Processors
-
-include::{libbeat-dir}/processors.asciidoc[]
-
-[float]
-[[drop-event-example]]
-==== Drop event example
-
-The following configuration drops all the DEBUG messages.
-
-[source,yaml]
------------------------------------------------------
-processors:
-  - drop_event:
-      when:
-        regexp:
-          message: "^DBG:"
------------------------------------------------------
-
-To drop all the log messages coming from a certain log file:
-
-[source,yaml]
-----------------
-processors:
-  - drop_event:
-      when:
-        contains:
-          source: "test"
-----------------
-
-[float]
-[[decode-json-example]]
-==== Decode JSON example
-
-In the following example, the fields exported by {beatname_uc} include a
-field, `inner`, whose value is a JSON object encoded as a string:
-
-[source,json]
------------------------------------------------------
-{ "outer": "value", "inner": "{\"data\": \"value\"}" }
------------------------------------------------------
-
-The following configuration decodes the inner JSON object:
-
-["source","yaml",subs="attributes"]
------------------------------------------------------
-{beatname_lc}.inputs:
-- type: filestream
-  paths:
-    - input.json
-  parsers:
-    - ndjson:
-        target: ""
-
-processors:
-  - decode_json_fields:
-      fields: ["inner"]
-
-output.console.pretty: true
------------------------------------------------------
-
-The resulting output looks something like this:
-
-["source","json",subs="attributes"]
------------------------------------------------------
-{
-  "@timestamp": "2016-12-06T17:38:11.541Z",
-  "beat": {
-    "hostname": "host.example.com",
-    "name": "host.example.com",
-    "version": "{version}"
-  },
-  "inner": {
-    "data": "value"
-  },
-  "input": {
-    "type": "log",
-  },
-  "offset": 55,
-  "outer": "value",
-  "source": "input.json",
-  "type": "log"
-}
------------------------------------------------------
-
-include::{libbeat-dir}/processors-using.asciidoc[]
diff --git a/filebeat/docs/filebeat-general-options.asciidoc b/filebeat/docs/filebeat-general-options.asciidoc
deleted file mode 100644
index 224706e43609..000000000000
--- a/filebeat/docs/filebeat-general-options.asciidoc
+++ /dev/null
@@ -1,144 +0,0 @@
-[[configuration-general-options]]
-== Configure general settings
-
-++++
-<titleabbrev>General settings</titleabbrev>
-++++
-
-You can specify settings in the +{beatname_lc}.yml+ config file to control the
-general behavior of {beatname_uc}. This includes:
-
-* <<configuration-global-options,Global options>> that control things like
-publisher behavior and the location of some files.
-
-* <<configuration-general,General options>> that are supported by all Elastic
-Beats.
-
-[float]
-[[configuration-global-options]]
-=== Global Filebeat configuration options
-
-These options are in the `filebeat` namespace.
-
-[float]
-==== `registry.path`
-
-The root path of the registry.  If a relative path is used, it is considered
-relative to the data path. See the <<directory-layout>> section for details.
-The default is `${path.data}/registry`.
-
-[source,yaml]
--------------------------------------------------------------------------------------
-filebeat.registry.path: registry
--------------------------------------------------------------------------------------
-
-NOTE: The registry is only updated when new events are flushed and not on a predefined period.
-That means in case there are some states where the TTL expired, these are only removed when new events are processed.
-
-[float]
-==== `registry.file_permissions`
-
-The permissions mask to apply on registry data file. The default value is 0600. The permissions option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with 0.
-
-The most permissive mask allowed is 0640. If a higher permissions mask is
-specified via this setting, it will be subject to an umask of 0027.
-
-This option is not supported on Windows.
-
-Examples:
-
-* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
-* 0600: give read and write access to the file owner, and no access to all others.
-
-[source,yaml]
--------------------------------------------------------------------------------------
-filebeat.registry.file_permissions: 0600
--------------------------------------------------------------------------------------
-
-[float]
-==== `registry.flush`
-
-
-The timeout value that controls when registry entries are written to disk
-(flushed). When an unwritten update exceeds this value, it triggers a write to
-disk. When `registry.flush` is set to 0s, the registry is written to disk after
-each batch of events has been published successfully. The default value is 1s.
-
-NOTE: The registry is always updated when Filebeat shuts down normally. After an
-abnormal shutdown, the registry will not be up-to-date if the `registry.flush`
-value is >0s. Filebeat will send published events again (depending on values in
-the last updated registry file).
-
-NOTE: Filtering out a huge number of logs can cause many registry updates, slowing
-down processing. Setting `registry.flush` to a value >0s reduces write operations,
-helping Filebeat process more events.
-
-[float]
-==== `registry.migrate_file`
-
-Prior to Filebeat 7.0 the registry is stored in a single file. When you upgrade
-to 7.0, Filebeat will automatically migrate the old Filebeat 6.x registry file
-to use the new directory format. Filebeat looks for the file in the location
-specified by `filebeat.registry.path`. If you changed the path while upgrading,
-set `filebeat.registry.migrate_file` to point to the old registry file.
-
-[source,yaml]
--------------------------------------------------------------------------------------
-filebeat.registry.path: ${path.data}/registry
-filebeat.registry.migrate_file: /path/to/old/registry_file
--------------------------------------------------------------------------------------
-
-The registry will be migrated to the new location only if a registry using the
-directory format does not already exist.
-
-
-[float]
-==== `config_dir`
-
-deprecated:[6.0.0, Use <<load-input-config>> instead.]
-
-The full path to the directory that contains additional input configuration files.
-Each configuration file must end with `.yml`. Each config file must also specify the full Filebeat
-config hierarchy even though only the `inputs` part of each file is processed. All global
-options, such as `registry_file`, are ignored.
-
-The `config_dir` option MUST point to a directory other than the directory where the main Filebeat config file resides.
-
-If the specified path is not absolute, it is considered relative to the configuration path. See the
-<<directory-layout>> section for details.
-
-[source,yaml]
--------------------------------------------------------------------------------------
-filebeat.config_dir: path/to/configs
--------------------------------------------------------------------------------------
-
-[float]
-[[shutdown-timeout]]
-==== `shutdown_timeout`
-
-How long Filebeat waits on shutdown for the publisher to finish sending events
-before Filebeat shuts down.
-
-By default, this option is disabled, and Filebeat does not wait for the
-publisher to finish sending events before shutting down. This means that any
-events sent to the output, but not acknowledged before Filebeat shuts down,
-are sent again when you restart Filebeat. For more details about how this
-works, see <<at-least-once-delivery>>.
-
-You can configure the `shutdown_timeout` option to specify the maximum amount
-of time that Filebeat waits for the publisher to finish sending events before
-shutting down. If all events are acknowledged before `shutdown_timeout` is
-reached, Filebeat will shut down.
-
-There is no recommended setting for this option because determining the correct
-value for `shutdown_timeout` depends heavily on the environment in which
-Filebeat is running and the current state of the output.
-
-Example configuration:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-filebeat.shutdown_timeout: 5s
--------------------------------------------------------------------------------------
-
-include::{libbeat-dir}/generalconfig.asciidoc[]
diff --git a/filebeat/docs/filebeat-log-rotation.asciidoc b/filebeat/docs/filebeat-log-rotation.asciidoc
deleted file mode 100644
index 69eafd22e7e2..000000000000
--- a/filebeat/docs/filebeat-log-rotation.asciidoc
+++ /dev/null
@@ -1,98 +0,0 @@
-[[file-log-rotation]]
-=== Log rotation results in lost or duplicate events
-
-{beatname_uc} supports reading from rotating log files. However, some log
-rotation strategies can result in lost or duplicate events when using
-{beatname_uc} to forward messages. To resolve this issue:
-
-* *Avoid log rotation strategies that copy and truncate log files* 
-+
-Log rotation strategies that copy and truncate the input log file can result in
-{beatname_uc} sending duplicate events. This happens because {beatname_uc}
-identifies files by inode and device name. During log rotation, lines that
-{beatname_uc} has already processed are moved to a new file. When
-{beatname_uc} encounters the new file, it reads from the beginning because the
-previous state information (the offset and read timestamp) is associated with the
-inode and device name of the old file.
-+
-Furthermore, strategies that copy and truncate the input log file can result in
-lost events if lines are written to the log file after it's copied, but before
-it's truncated.
-
-* *Make sure {beatname_uc} is configured to read from all rotated logs*
-+
-When an input log file is moved or renamed during log rotation, {beatname_uc} is
-able to recognize that the file has already been read. After the file is
-rotated, a new log file is created, and the application continues logging.
-{beatname_uc} picks up the new file during the next scan. Because the file
-has a new inode and device name, {beatname_uc} starts reading it from the
-beginning.
-+
-To avoid missing events from a rotated file, configure the input to read from
-the log file and all the rotated files. For examples, see
-<<log-rotate-example>>.
-
-If you're using Windows, also see <<log-rotation-windows>>.
-
-[float]
-[[log-rotate-example]]
-==== Example configurations
-
-This section shows a typical configuration for logrotate, a popular tool for
-doing log rotation on Linux, followed by a {beatname_uc} configuration that
-reads all the rotated logs.
-
-[float]
-[[log-rotate-example-logrotate]]
-===== logrotate.conf
-
-In this example, {beatname_uc} reads web server log. The logs are rotated every
-day, and the new file is created with the specified permissions.
-
-[source,yaml]
------------------------------------------------------
-/var/log/my-server/my-server.log {
-    daily
-    missingok
-    rotate 7
-    notifempty
-    create 0640 www-data www-data
-}
------------------------------------------------------
-
-[float]
-[[log-rotate-example-filebeat]]
-===== filebeat.yml
-
-In this example, {beatname_uc} is configured to read all log files to make
-sure it does not miss any events.
-
-[source,yaml]
------------------------------------------------------
-filebeat.inputs:
-- type: filestream
-  id: my-server-filestream-id
-  paths:
-  - /var/log/my-server/my-server.log*
------------------------------------------------------
-
-[float]
-[[log-rotation-windows]]
-==== More about log rotation on Windows
-
-On Windows, log rotation schemes that delete old files and rename newer
-files to old filenames might get blocked if the old files are being processed by
-{beatname_uc}. This happens because Windows does not delete files and file
-metadata until the last process has closed the file. Unlike most *nix
-filesystems, a Windows filename cannot be reused until all processes accessing
-the file have closed the deleted file.
-
-To avoid this problem, use dates in rotated filenames. The file will never
-be renamed to an older filename, and the log writer and log rotator will always
-be able to open the file. This approach also highly reduces the chance of
-log writing, rotation, and collection interfering with each other.
-
-Because log rotation is typically handled by the logging application, we are
-not providing an example configuration for Windows.
-
-Also read <<windows-file-rotation>>.
diff --git a/filebeat/docs/filebeat-modules-options.asciidoc b/filebeat/docs/filebeat-modules-options.asciidoc
deleted file mode 100644
index 8c39c56c9a66..000000000000
--- a/filebeat/docs/filebeat-modules-options.asciidoc
+++ /dev/null
@@ -1,125 +0,0 @@
-:modulename: nginx
-
-[id="configuration-{beatname_lc}-modules"]
-== Configure modules
-
-++++
-<titleabbrev>Modules</titleabbrev>
-++++
-
-NOTE: Using {beatname_uc} modules is optional. You may decide to
-<<configuration-{beatname_lc}-options,configure inputs manually>> if you're using
-a log type that isn't supported, or you want to use a different setup.
-
-{beatname_uc} <<{beatname_lc}-modules,modules>> provide a quick way to
-get started processing common log formats. They contain default configurations,
-{es} ingest pipeline definitions, and {kib} dashboards to help you
-implement and deploy a log monitoring solution.
-
-You can configure modules in the `modules.d` directory (recommended), or in the
-{beatname_uc} configuration file.
-
-Before running {beatname_uc} with modules enabled, make sure you also set up the
-environment to use {kib} dashboards. See
-<<{beatname_lc}-installation-configuration>> for more information.
-
-include::{libbeat-dir}/shared-note-file-permissions.asciidoc[]
-
-[float]
-[[configure-modules-d-configs]]
-===  Configure modules in the `modules.d` directory
-
-The `modules.d` directory contains default configurations for all the modules
-available in {beatname_uc}. To enable or disable specific module configurations
-under `modules.d`, run the
-<<modules-command,`modules enable` or `modules disable`>> command. For example:
-
-include::{libbeat-dir}/tab-widgets/enable-modules-widget.asciidoc[]
-
-The default configurations assume that your data is in the location expected for
-your OS and that the behavior of the module is appropriate for your environment.
-To change the default behavior, configure variable settings. For a list of
-available settings, see the documentation under <<{beatname_lc}-modules>>.
-
-For advanced use cases, you can also
-<<advanced-settings,override input settings>>.
-
-TIP: You can enable modules at runtime by using the
-<<{beatname_lc}-modules,--modules flag>>. This is useful if you're getting started
-and want to try things out. Any modules specified at the command line are loaded
-along with any modules that are enabled in the configuration file or `modules.d`
-directory. If there's a conflict, the configuration specified at the command
-line is used.
-
-[float]
-[[configure-modules-config-file]]
-=== Configure modules in the +{beatname_lc}.yml+ file
-
-When possible, you should use the config files in the `modules.d` directory.
-
-However, configuring <<{beatname_lc}-modules,modules>> directly in the config
-file is a practical approach if you have upgraded from a previous version of
-{beatname_uc} and don't want to move your module configs to the `modules.d`
-directory. You can continue to configure modules in the +{beatname_lc}.yml+
-file, but you won't be able to use the `modules` command to enable and disable
-configurations because the command requires the `modules.d` layout.
-
-To enable specific modules in the +{beatname_lc}.yml+ config file, add
-entries to the +{beatname_lc}.modules+ list. Each entry in the list begins with
-a dash (-) and is followed by settings for that module.
-
-The following example shows a configuration that runs the `nginx`,`mysql`, and
-`system` modules:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.modules:
-- module: nginx
-  access:
-  error:
-- module: mysql
-  slowlog:
-- module: system
-  auth:
-----
-
-[[advanced-settings]]
-=== Override input settings
-
-Behind the scenes, each module starts a {beatname_uc} input. Advanced users
-can add or override any input settings. For example, you can set
-<<{beatname_lc}-input-log-close-eof,close_eof>> to `true` in the module
-configuration:
-
-[source,yaml]
-----------------------------------------------------------------------
-- module: nginx
-  access:
-    input:
-      close_eof: true
-----------------------------------------------------------------------
-
-Or at the command line when you run {beatname_uc}:
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
--M "nginx.access.input.close_eof=true"
-----------------------------------------------------------------------
-
-You can use wildcards to change variables or settings for multiple
-modules/filesets at once. For example, you can enable `close_eof` for all the
-filesets in the `nginx` module:
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
--M "nginx.*.input.close_eof=true"
-----------------------------------------------------------------------
-
-You can also enable `close_eof` for all inputs created by any of the modules:
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
--M "*.*.input.close_eof=true"
-----------------------------------------------------------------------
-
-:modulename!:
diff --git a/filebeat/docs/filebeat-options.asciidoc b/filebeat/docs/filebeat-options.asciidoc
deleted file mode 100644
index 5e77999a00b3..000000000000
--- a/filebeat/docs/filebeat-options.asciidoc
+++ /dev/null
@@ -1,166 +0,0 @@
-[id="configuration-{beatname_lc}-options"]
-== Configure inputs
-
-++++
-<titleabbrev>Inputs</titleabbrev>
-++++
-
-TIP: <<{beatname_lc}-modules-overview,{beatname_uc} modules>> provide the
-fastest getting started experience for common log formats. See
-<<{beatname_lc}-installation-configuration>> to learn how to get started.
-
-To configure {beatname_uc} manually (instead of using
-<<{beatname_lc}-modules-overview,modules>>), you specify a list of inputs in the
-+{beatname_lc}.inputs+ section of the +{beatname_lc}.yml+. Inputs specify how
-{beatname_uc} locates and processes input data.
-
-The list is a http://yaml.org/[YAML] array, so each input begins with
-a dash (`-`). You can specify multiple inputs, and you can specify the same
-input type more than once. For example:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: filestream
-  id: my-filestream-id <1>
-  paths:
-    - /var/log/system.log
-    - /var/log/wifi.log
-- type: filestream
-  id: apache-filestream-id
-  paths:
-    - "/var/log/apache2/*"
-  fields:
-    apache: true
-  fields_under_root: true
-----
-
-<1> Each filestream input must have a unique ID to allow tracking the state of files.
-
-For the most basic configuration, define a single input with a single path. For
-example:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-filebeat.inputs:
-- type: filestream
-  id: my-filestream-id
-  paths:
-    - /var/log/*.log
--------------------------------------------------------------------------------------
-
-The input in this example harvests all files in the path `/var/log/*.log`, which
-means that {beatname_uc} will harvest all files in the directory `/var/log/`
-that end with `.log`. All patterns supported by
-https://golang.org/pkg/path/filepath/#Glob[Go Glob] are also supported here.
-
-To fetch all files from a predefined level of subdirectories, use this pattern:
-`/var/log/*/*.log`. This fetches all `.log` files from the subfolders of
-`/var/log`. It does not fetch log files from the `/var/log` folder itself.
-Currently it is not possible to recursively fetch all files in all
-subdirectories of a directory.
-
-[float]
-[id="{beatname_lc}-input-types"]
-=== Input types
-
-You can configure {beatname_uc} to use the following inputs:
-
-* <<{beatname_lc}-input-aws-cloudwatch>>
-* <<{beatname_lc}-input-aws-s3>>
-* <<{beatname_lc}-input-azure-eventhub>>
-* <<{beatname_lc}-input-azure-blob-storage>>
-* <<{beatname_lc}-input-benchmark>>
-* <<{beatname_lc}-input-cel>>
-* <<{beatname_lc}-input-cloudfoundry>>
-* <<{beatname_lc}-input-cometd>>
-* <<{beatname_lc}-input-container>>
-* <<{beatname_lc}-input-entity-analytics>>
-* <<{beatname_lc}-input-etw>>
-* <<{beatname_lc}-input-filestream>>
-* <<{beatname_lc}-input-gcp-pubsub>>
-* <<{beatname_lc}-input-gcs>>
-* <<{beatname_lc}-input-http_endpoint>>
-* <<{beatname_lc}-input-httpjson>>
-* <<{beatname_lc}-input-journald>>
-* <<{beatname_lc}-input-kafka>>
-* <<{beatname_lc}-input-log>> (deprecated in 7.16.0, use <<{beatname_lc}-input-filestream>>)
-* <<{beatname_lc}-input-mqtt>>
-* <<{beatname_lc}-input-netflow>>
-* <<{beatname_lc}-input-o365audit>>
-* <<{beatname_lc}-input-redis>>
-* <<{beatname_lc}-input-salesforce>>
-* <<{beatname_lc}-input-stdin>>
-* <<{beatname_lc}-input-streaming>>
-* <<{beatname_lc}-input-syslog>>
-* <<{beatname_lc}-input-tcp>>
-* <<{beatname_lc}-input-udp>>
-* <<{beatname_lc}-input-unifiedlogs>>
-* <<{beatname_lc}-input-unix>>
-* <<{beatname_lc}-input-winlog>>
-
-include::multiline.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-aws-cloudwatch.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-azure-eventhub.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-azure-blob-storage.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-benchmark.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-cel.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-cloudfoundry.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-cometd.asciidoc[]
-
-include::inputs/input-container.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-entity-analytics.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-etw.asciidoc[]
-
-include::inputs/input-filestream.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-gcp-pubsub.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-gcs.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-httpjson.asciidoc[]
-
-include::inputs/input-journald.asciidoc[]
-
-include::inputs/input-kafka.asciidoc[]
-
-include::inputs/input-log.asciidoc[]
-
-include::inputs/input-mqtt.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-netflow.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-o365audit.asciidoc[]
-
-include::inputs/input-redis.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-salesforce.asciidoc[]
-
-include::inputs/input-stdin.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-streaming.asciidoc[]
-
-include::inputs/input-syslog.asciidoc[]
-
-include::inputs/input-tcp.asciidoc[]
-
-include::inputs/input-udp.asciidoc[]
-
-include::../../x-pack/filebeat/docs/inputs/input-unifiedlogs.asciidoc[]
-
-include::inputs/input-unix.asciidoc[]
-
-include::inputs/input-winlog.asciidoc[]
diff --git a/filebeat/docs/getting-started.asciidoc b/filebeat/docs/getting-started.asciidoc
deleted file mode 100644
index 71a0b22647ef..000000000000
--- a/filebeat/docs/getting-started.asciidoc
+++ /dev/null
@@ -1,208 +0,0 @@
-:modulename: nginx
-
-//TODO: Remove release-state override before merging.
-
-[id="{beatname_lc}-installation-configuration"]
-== {beatname_uc} quick start: installation and configuration
-
-++++
-<titleabbrev>Quick start: installation and configuration</titleabbrev>
-++++
-
-This guide describes how to get started quickly with log collection.
-You'll learn how to:
-
-* install {beatname_uc} on each system you want to monitor
-* specify the location of your log files
-* parse log data into fields and send it to {es}
-* visualize the log data in {kib}
-
-[role="screenshot"]
-image::./images/kibana-system.png[{beatname_uc} System dashboard]
-
-//TODO: We should replace this with an nginx dashboard rather than system
-
-[float]
-=== Before you begin
-
-You need {es} for storing and searching your data, and {kib} for visualizing and
-managing it.
-
-include::{libbeat-dir}/tab-widgets/spinup-stack-widget.asciidoc[]
-
-[float]
-[[installation]]
-=== Step 1: Install {beatname_uc}
-
-Install {beatname_uc} on all the servers you want to monitor.
-
-To download and install {beatname_uc}, use the commands that work with your
-system:
-
-include::{libbeat-dir}/tab-widgets/install-widget.asciidoc[]
-
-The commands shown are for AMD platforms, but ARM packages are also available.
-Refer to the https://www.elastic.co/downloads/beats/{beatname_lc}[download page]
-for the full list of available packages.
-
-[float]
-[[other-installation-options]]
-==== Other installation options
-
-* <<setup-repositories,APT or YUM>>
-* https://www.elastic.co/downloads/beats/{beatname_lc}[Download page]
-* <<running-on-docker,Docker>>
-* <<running-on-kubernetes,Kubernetes>>
-* <<running-on-cloudfoundry,Cloud Foundry>>
-
-[float]
-[[set-connection]]
-=== Step 2: Connect to the {stack}
-
-include::{libbeat-dir}/shared/connecting-to-es.asciidoc[]
-
-[float]
-[[collect-log-data]]
-=== Step 3: Collect log data
-
-There are several ways to collect log data with {beatname_uc}:
-
-* Data collection modules -- simplify the collection, parsing,
-and visualization of common log formats
-* ECS loggers -- structure and format
-application logs into ECS-compatible JSON
-* Manual {beatname_uc} configuration
-
-[float]
-[[enable-modules]]
-==== Enable and configure data collection modules
-
-. Identify the modules you need to enable. To see a list of available
-<<filebeat-modules,modules>>, run:
-+
---
-include::{libbeat-dir}/tab-widgets/list-modules-widget.asciidoc[]
---
-
-. From the installation directory, enable one or more modules. For example, the
-following command enables the +{modulename}+ module config:
-+
---
-include::{libbeat-dir}/tab-widgets/enable-modules-widget.asciidoc[]
---
-
-. In the module config under `modules.d`, change the module settings to match
-your environment. You must enable at least one fileset in the module.
-**Filesets are disabled by default.**
-+
-For example, log locations are set based on the OS. If your logs aren't in
-default locations, set the `paths` variable:
-+
---
-[source,yaml]
-----
-- module: nginx
-  access:
-    enabled: true
-    var.paths: ["/var/log/nginx/access.log*"] <1>
-----
---
-
-To see the full list of variables for a module, see the documentation under
-<<filebeat-modules>>.
-
-include::{libbeat-dir}/shared/config-check.asciidoc[]
-
-[float]
-[[collect-application-logs]]
-==== Enable and configure ECS loggers for application log collection
-
-While {beatname_uc} can be used to ingest raw, plain-text application logs,
-we recommend structuring your logs at ingest time. This lets you extract fields,
-like log level and exception stack traces.
-
-Elastic simplifies this process by providing application log formatters in a variety
-of popular programming languages. These plugins format your logs into ECS-compatible JSON,
-which removes the need to manually parse logs.
-
-See {ecs-logging-ref}/intro.html[ECS loggers] to get started.
-
-[float]
-[[manual-configuration]]
-==== Configure {beatname_uc} manually
-
-If you're unable to find a module for your file type, or can't change your application's
-log output, see <<configuration-filebeat-options,configure the input>> manually.
-
-[float]
-[[setup-assets]]
-=== Step 4: Set up assets
-
-{beatname_uc} comes with predefined assets for parsing, indexing, and
-visualizing your data. To load these assets:
-
-. Make sure the user specified in +{beatname_lc}.yml+ is
-<<privileges-to-setup-beats,authorized to set up {beatname_uc}>>.
-
-. From the installation directory, run:
-+
---
-include::{libbeat-dir}/tab-widgets/setup-widget.asciidoc[]
---
-+
-`-e` is optional and sends output to standard error instead of the configured log output.
-
-This step loads the recommended {ref}/index-templates.html[index template] for writing to {es}
-and deploys the sample dashboards for visualizing the data in {kib}.
-
-This step does not load the ingest pipelines used to parse log lines. By
-default, ingest pipelines are set up automatically the first time you run the
-module and connect to {es}.
-
-[TIP]
-=====
-A connection to {es} (or {ess}) is required to set up the initial
-environment. If you're using a different output, such as {ls}, see:
-
-* <<load-template-manually>>
-* <<load-kibana-dashboards>>
-* <<load-ingest-pipelines>>
-=====
-
-NOTE: Filebeat should not be used to ingest its own log as this may lead to an infinite loop.
-
-[float]
-[[start]]
-=== Step 5: Start {beatname_uc}
-
-Before starting {beatname_uc}, modify the user credentials in
-+{beatname_lc}.yml+ and specify a user who is
-<<privileges-to-publish-events,authorized to publish events>>.
-
-To start {beatname_uc}, run:
-
-// tag::start-step[]
-:requires-sudo:
-include::{libbeat-dir}/tab-widgets/start-widget.asciidoc[]
-:requires-sudo!:
-// end::start-step[]
-
-{beatname_uc} should begin streaming events to {es}.
-
-[float]
-[[view-data]]
-=== Step 6: View your data in {kib}
-
-include::{libbeat-dir}/shared/opendashboards.asciidoc[tag=open-dashboards-intro]
-
-include::{libbeat-dir}/shared/opendashboards.asciidoc[tag=open-dashboards]
-
-[float]
-=== What's next?
-
-Now that you have your logs streaming into {es}, learn how to unify your logs,
-metrics, uptime, and application performance data.
-
-include::{libbeat-dir}/shared/obs-apps.asciidoc[]
-
-:modulename!:
diff --git a/filebeat/docs/how-filebeat-works.asciidoc b/filebeat/docs/how-filebeat-works.asciidoc
deleted file mode 100644
index 9607175f54da..000000000000
--- a/filebeat/docs/how-filebeat-works.asciidoc
+++ /dev/null
@@ -1,82 +0,0 @@
-[id="how-{beatname_lc}-works"]
-== How {beatname_uc} works
-
-//TODO: Make this topic more generic and move harvester-specific content to
-//the topic about the filestream input
-
-In this topic, you learn about the key building blocks of {beatname_uc} and how they work together. Understanding these concepts will help you make informed decisions about configuring {beatname_uc} for specific use cases.
-
-{beatname_uc} consists of two main components: <<input,inputs>> and <<harvester,harvesters>>. These components work together to tail files and send event data to the output that you specify.
-
-
-[float]
-[[harvester]]
-=== What is a harvester?
-
-A harvester is responsible for reading the content of a single file. The harvester reads each file, line by line, and sends the content to the output. One harvester is started for each file. The harvester is responsible for opening and closing the file, which means that the file descriptor remains open while the harvester is running. If a file is removed or renamed while it's being harvested, {beatname_uc} continues to read the file. This has the side effect that the space on your disk is reserved until the harvester closes. By default, {beatname_uc} keeps the file open until <<{beatname_lc}-input-filestream-close-inactive,`close.on_state_change.inactive`>> is reached.
-
-Closing a harvester has the following consequences:
-
-* The file handler is closed, freeing up the underlying resources if the file was deleted while the harvester was still reading the file.
-* The harvesting of the file will only be started again after <<{beatname_lc}-input-filestream-scan-frequency,`prospector.scanner.check_interval`>> has elapsed.
-* If the file is moved or removed while the harvester is closed, harvesting of the file will not continue.
-
-To control when a harvester is closed, use the <<{beatname_lc}-input-filestream-close-options,`close_*`>> configuration options.
-
-[float]
-[[input]]
-=== What is an input?
-
-An input is responsible for managing the harvesters and finding all sources to read from.
-
-If the input type is `filestream`, the input finds all files on the drive that match the defined glob paths and starts a harvester for each file. Each input runs in its own Go routine.
-
-The following example configures {beatname_uc} to harvest lines from all log files that match the specified glob patterns:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-{beatname_lc}.inputs:
-- type: filestream
-  id: unique-ID
-  paths:
-    - /var/log/*.log
-    - /var/path2/*.log
--------------------------------------------------------------------------------------
-
-{beatname_uc} currently supports <<{beatname_lc}-input-types,several `input` types>>. Each input type can be defined multiple times. The `filestream` input checks each file to see whether a harvester needs to be started, whether one is already running, or whether the file can be ignored (see <<{beatname_lc}-input-filestream-ignore-older,`ignore_older`>>). New lines are only picked up if the size of the file has changed since the harvester was closed.
-
-[float]
-=== How does {beatname_uc} keep the state of files?
-
-{beatname_uc} keeps the state of each file and frequently flushes the state to disk in the registry file. The state is used to remember the last offset a harvester was reading from and to ensure all log lines are sent. If the output, such as Elasticsearch or Logstash, is not reachable, {beatname_uc} keeps track of the last lines sent and will continue reading the files as soon as the output becomes available again. While {beatname_uc} is running, the state information is also kept in memory for each input. When {beatname_uc} is restarted, data from the registry file is used to rebuild the state, and {beatname_uc} continues each harvester at the last known position.
-
-For each input, {beatname_uc} keeps a state of each file it finds. Because files can be renamed or moved, the filename and path are not enough to identify a file. For each file, {beatname_uc} stores unique identifiers to detect whether a file was harvested previously.
-
-If your use case involves creating a large number of new files every day, you might find that the registry file grows to be too large. See <<reduce-registry-size>> for details about configuration options that you can set to resolve this issue.
-
-[float]
-[[at-least-once-delivery]]
-=== How does {beatname_uc} ensure at-least-once delivery?
-
-{beatname_uc} guarantees that events will be delivered to the configured output at
-least once and with no data loss. {beatname_uc} is able to achieve this behavior
-because it stores the delivery state of each event in the registry file.
-
-In situations where the defined output is blocked and has not confirmed all
-events, {beatname_uc} will keep trying to send events until the output acknowledges
-that it has received the events.
-
-If {beatname_uc} shuts down while it's in the process of sending events, it does not
-wait for the output to acknowledge all events before shutting down. Any events
-that are sent to the output, but not acknowledged before {beatname_uc} shuts down,
-are sent again when {beatname_uc} is restarted. This ensures that each event is sent
-at least once, but you can end up with duplicate events being sent to the
-output. You can configure {beatname_uc} to wait a specific amount of time before
-shutting down by setting the <<shutdown-timeout,`shutdown_timeout`>> option.
-
-NOTE: There is a limitation to {beatname_uc}'s at-least-once delivery guarantee
-involving log rotation and the deletion of old files. If log files are written
-to disk and rotated faster than they can be processed by {beatname_uc}, or if files
-are deleted while the output is unavailable, data might be lost. On Linux, it's
-also possible for {beatname_uc} to skip lines as the result of inode reuse. See
-<<faq>> for more details about the inode reuse issue.
diff --git a/filebeat/docs/howto/howto.asciidoc b/filebeat/docs/howto/howto.asciidoc
deleted file mode 100644
index 7b9a3cffa030..000000000000
--- a/filebeat/docs/howto/howto.asciidoc
+++ /dev/null
@@ -1,51 +0,0 @@
-[[howto-guides]]
-= How to guides
-
-[partintro]
---
-Learn how to perform common {beatname_uc} configuration tasks.
-
-* <<override-{beatname_lc}-config-settings>>
-* <<{beatname_lc}-template>>
-* <<change-index-name>>
-* <<load-kibana-dashboards>>
-* <<load-ingest-pipelines>>
-* <<{beatname_lc}-geoip>>
-* <<{beatname_lc}-deduplication>>
-* <<configuring-ingest-node>>
-* <<using-environ-vars>>
-* <<yaml-tips>>
-* <<migrate-to-filestream>>
-* <<migrate-from-deprecated-module>>
-
-
---
-
-include::override-config-settings.asciidoc[]
-
-include::{libbeat-dir}/howto/load-index-templates.asciidoc[]
-
-include::{libbeat-dir}/howto/change-index-name.asciidoc[]
-
-include::{libbeat-dir}/howto/load-dashboards.asciidoc[]
-
-include::load-ingest-pipelines.asciidoc[]
-
-include::{libbeat-dir}/shared-geoip.asciidoc[]
-
-include::{libbeat-dir}/shared-deduplication.asciidoc[]
-
-include::{libbeat-dir}/shared-config-ingest.asciidoc[]
-
-:standalone:
-include::{libbeat-dir}/shared-env-vars.asciidoc[]
-:standalone!:
-
-:standalone:
-include::{libbeat-dir}/yaml.asciidoc[]
-:standalone!:
-
-include::migrate-to-filestream.asciidoc[]
-
-include::migrate-from-deprecated-module.asciidoc[]
-
diff --git a/filebeat/docs/howto/load-ingest-pipelines.asciidoc b/filebeat/docs/howto/load-ingest-pipelines.asciidoc
deleted file mode 100644
index 23dc1a2ac64c..000000000000
--- a/filebeat/docs/howto/load-ingest-pipelines.asciidoc
+++ /dev/null
@@ -1,112 +0,0 @@
-[[load-ingest-pipelines]]
-== Load ingest pipelines
-
-The ingest pipelines used to parse log lines are set up automatically the first
-time you run {beatname_uc}, assuming the {es} output is enabled. If you're sending
-events to {ls} you need to load the ingest pipelines manually. To do this, run the
-`setup` command with the `--pipelines` option specified.  You also need to enable
-the modules and filesets, this can be accomplished several ways.
-
-First you can use the `--modules` option to enable the module, and the
-`-M` option to enable the fileset.  For example, the following command
-loads the access pipeline from the nginx module.
-
-*deb and rpm:*
-
-["source","sh",subs="attributes"]
-----
-{beatname_lc} setup --pipelines --modules nginx -M "nginx.access.enabled=true"
-----
-
-*mac:*
-
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup --pipelines --modules nginx -M "nginx.access.enabled=true"
-----
-
-*linux:*
-
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup --pipelines --modules nginx -M "nginx.access.enabled=true"
-----
-
-*win:*
-
-["source","sh",subs="attributes"]
-----
-PS > .{backslash}{beatname_lc}.exe setup --pipelines --modules nginx -M "nginx.access.enabled=true"
-----
-
-The second option is to use the `--modules` option to enable the
-module, and the `--force-enable-module-filesets` option to enable all
-the filesets in the module.  For example, the following command loads
-the access pipeline from the nginx module.
-
-*deb and rpm:*
-
-["source","sh",subs="attributes"]
-----
-{beatname_lc} setup --pipelines --modules nginx --force-enable-module-filesets
-----
-
-*mac:*
-
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup --pipelines --modules nginx --force-enable-module-filesets
-----
-
-*linux:*
-
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup --pipelines --modules nginx --force-enable-module-filesets
-----
-
-*win:*
-
-["source","sh",subs="attributes"]
-----
-PS > .{backslash}{beatname_lc}.exe setup --pipelines --modules nginx --force-enable-module-filesets
-----
-
-The third option is to use the `--enable-all-filesets` option to
-enable all the modules and all the filesets so all of the ingest
-pipelines are loaded.  For example, the following command loads all
-the ingest pipelines.
-
-//TODO: Replace with the platform tab widget.
-
-*deb and rpm:*
-
-["source","sh",subs="attributes"]
-----
-{beatname_lc} setup --pipelines --enable-all-filesets
-----
-
-*mac:*
-
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup --pipelines --enable-all-filesets
-----
-
-*linux:*
-
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup --pipelines --enable-all-filesets
-----
-
-*win:*
-
-["source","sh",subs="attributes"]
-----
-PS > .{backslash}{beatname_lc}.exe setup --pipelines --enable-all-filesets
-----
-
-TIP: If you're loading ingest pipelines manually because you want to send events
-to {ls}, also see
-{logstash-ref}/filebeat-modules.html[Working with {beatname_uc} modules].
diff --git a/filebeat/docs/howto/migrate-from-deprecated-module.asciidoc b/filebeat/docs/howto/migrate-from-deprecated-module.asciidoc
deleted file mode 100644
index fd163353f92b..000000000000
--- a/filebeat/docs/howto/migrate-from-deprecated-module.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-[[migrate-from-deprecated-module]]
-== Migrating from a Deprecated Filebeat Module
-
-If a Filebeat module has been deprecated, there are a few options available for
-a path forward:
-
-1. Migrate to an Elastic integration, if available. The deprecation notice will
-link to an appropriate integration, if one exists.
-
-2. https://www.elastic.co/guide/en/fleet/current/migrate-beats-to-agent.html[Migrate to Elastic Agent]
-for ingesting logs. If a specific integration for the vendor/product does not
-exist, then one of the custom integrations can be used for ingesting events. A
-https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html[custom pipeline]
-may also be attached to the integration for further processing.
-    - https://docs.elastic.co/integrations/cel[CEL Custom API] - Collect events from an API using CEL (Common Expression Language)
-    - https://docs.elastic.co/integrations/httpjson[Custom API] - Collect events from an API using the HTTPJSON input
-    - https://docs.elastic.co/integrations/gcp_pubsub[Custom Google Pub/Sub] - Collect events from Google Pub/Sub topics
-    - https://docs.elastic.co/integrations/http_endpoint[Custom HTTP Endpoint] - Collect events from a listening HTTP port
-    - https://docs.elastic.co/integrations/journald[Custom Journald] - Collect events from journald
-    - https://docs.elastic.co/integrations/kafka_log[Custom Kafka] - Collect events from a Kafka topic
-    - https://docs.elastic.co/integrations/log[Custom Logs] - Collect events from files
-    - https://docs.elastic.co/integrations/tcp[Custom TCP] - Collect events from a listening TCP port
-    - https://docs.elastic.co/integrations/udp[Custom UDP] - Collect events from a listening UDP port
-    - https://docs.elastic.co/integrations/winlog[Custom Windows Event] - Collect events from a Windows Event Log channel
-
-3. Migrate to a different Filebeat module. In some cases, a Filebeat module may
-be superseded by a new module. The deprecation notice will link to an appropriate
-module, if one exists.
-
-4. Use a custom Filebeat input, processors, and ingest pipeline (if necessary).
diff --git a/filebeat/docs/howto/migrate-to-filestream.asciidoc b/filebeat/docs/howto/migrate-to-filestream.asciidoc
deleted file mode 100644
index 55c05a5b46d8..000000000000
--- a/filebeat/docs/howto/migrate-to-filestream.asciidoc
+++ /dev/null
@@ -1,261 +0,0 @@
-[[migrate-to-filestream]]
-== Migrate `log` input configurations to `filestream`
-
-The `filestream` input has been generally available since 7.14 and it is highly recommended
-you migrate your existing `log` input configurations. The `filestream` input comes with many
-improvements over the old `log` input, such as configurable order for parsers and more.
-
-The `log` input is deprecated and will eventually be removed from Filebeat. We are not fixing
-new issues or adding any enhancements to the `log` input. Our focus is on `filestream`.
-
-This manual migration is required only if you've defined `log` inputs manually
-in your stand-alone Filebeat configuration. All the integrations or modules that are still using
-`log` inputs under the hood will be eventually migrated automatically without any additional actions
-required from the user.
-
-In this guide, you'll learn how to migrate an existing `log` input configuration.
-
-IMPORTANT: You must replace `log` inputs with `filestream` inputs, make sure you have removed
-all the old `log` inputs from the configuration before starting Filebeat with the new `filestream` inputs. Running old `log` inputs and new `filestream` inputs pointed to the same files will lead to data duplication.
-
-The following example shows three `log` inputs:
-
-[source,yaml]
-----
-filebeat.inputs:
- - type: log
-   enabled: true
-   paths:
-     - /var/log/java-exceptions*.log
-   multiline:
-    pattern: '^\['
-    negate: true
-    match: after
-  close_removed: true
-  close_renamed: true
-
-- type: log
-  enabled: true
-  paths:
-    - /var/log/my-application*.json
-  scan_frequency: 1m
-  json.keys_under_root: true
-
-- type: log
-  enabled: true
-  paths:
-    - /var/log/my-old-files*.log
-  tail_files: true
-----
-
-For this example, let's assume that the `log` input is used to collect logs from the following files. The progress of data collection is shown for each file.
-["source","sh",subs="attributes"]
-----
-/var/log/java-exceptions1.log (100%)
-/var/log/java-exceptions2.log (100%)
-/var/log/java-exceptions3.log (75%)
-/var/log/java-exceptions4.log (0%)
-/var/log/java-exceptions5.log (0%)
-/var/log/my-application1.json (100%)
-/var/log/my-application2.json (5%)
-/var/log/my-application3.json (0%)
-/var/log/my-old-files1.json (0%)
-----
-
-=== Step 1: Set an identifier for each `filestream` input
-
-All `filestream` inputs require an ID. Ensure you set a unique identifier for every input.
-
-IMPORTANT: Never change the ID of an input, or you will end up with duplicate events.
-
-[source,yaml]
-----
-filebeat.inputs:
-- type: filestream
-  enabled: true
-  id: my-java-collector
-  paths:
-    - /var/log/java-exceptions*.log
-
-- type: filestream
-  enabled: true
-  id: my-application-input
-  paths:
-    - /var/log/my-application*.json
-
-- type: filestream
-  enabled: true
-  id: my-old-files
-  paths:
-    - /var/log/my-old-files*.log
-----
-
-=== Step 2: Enable the `take over` mode
-
-Now, to indicate that the new `filestream` is supposed to take over the files from a previously
-defined `log` input, we need to add `take_over: true` to each new `filestream`. This will make sure
-that the new `filestream` inputs will continue ingesting files from the same offset where the `log`
-inputs stopped.
-
-NOTE: It's recommended to enable debug-level logs for Filebeat in order to follow the migration process.
-After the first run with `take_over: true` the setting can be removed.
-
-WARNING: The `take over` mode is in beta.
-
-IMPORTANT: If this parameter is not set, all the files will be re-ingested from the beginning
-and this will lead to data duplication. Please, double-check that this parameter is set.
-
-[source,yaml]
-----
-logging:
-  level: debug
-filebeat.inputs:
-- type: filestream
-  enabled: true
-  id: my-java-collector
-  take_over: true
-  paths:
-    - /var/log/java-exceptions*.log
-
-- type: filestream
-  enabled: true
-  id: my-application-input
-  take_over: true
-  paths:
-    - /var/log/my-application*.json
-
-- type: filestream
-  enabled: true
-  id: my-old-files
-  take_over: true
-  paths:
-    - /var/log/my-old-files*.log
-----
-
-=== Step 3: Use new option names
-
-Several options are renamed in `filestream`. You can find a table with all of the
-changed configuration names at the end of this guide.
-
-The most significant change you have to know about is in parsers. The configuration of
-`multiline`, `json`, and other parsers has changed. Now the ordering is
-configurable, so `filestream` expects a list of parsers. Furthermore, the `json`
-parser was renamed to `ndjson`.
-
-The example configuration shown earlier needs to be adjusted as well:
-
-[source,yaml]
-----
-- type: filestream
-  enabled: true
-  id: my-java-collector
-  take_over: true
-  paths:
-    - /var/log/java-exceptions*.log
-  parsers:
-    - multiline:
-        pattern: '^\['
-        negate: true
-        match: after
-  close.on_state_change.removed: true
-  close.on_state_change.renamed: true
-
-- type: filestream
-  enabled: true
-  id: my-application-input
-  take_over: true
-  paths:
-    - /var/log/my-application*.json
-  prospector.scanner.check_interval: 1m
-  parsers:
-    - ndjson:
-        keys_under_root: true
-
-- type: filestream
-  enabled: true
-  id: my-old-files
-  take_over: true
-  paths:
-    - /var/log/my-old-files*.log
-  ignore_inactive: since_last_start
-----
-
-[cols="1,1"]
-|===
-|Option name in log input
-|Option name in filestream input
-
-|recursive_glob.enabled
-|prospector.scanner.recursive_glob
-
-|harvester_buffer_size
-|buffer_size
-
-|max_bytes
-|message_max_bytes
-
-|json
-|parsers.n.ndjson
-
-|multiline
-|parsers.n.multiline
-
-|exclude_files
-|prospector.scanner.exclude_files
-
-|close_inactive
-|close.on_state_change.inactive
-
-|close_removed
-|close.on_state_change.removed
-
-|close_eof
-|close.reader.on_eof
-
-|close_timeout
-|close.reader.after_interval
-
-|close_inactive
-|close.on_state_change.inactive
-
-|scan_frequency
-|prospector.scanner.check_interval
-
-|tail_files
-|ignore_inactive.since_last_start
-
-|symlinks
-|prospector.scanner.symlinks
-
-|backoff
-|backoff.init
-
-|backoff_max
-|backoff.max
-|===
-
-=== Step 4
-
-The events produced by `filestream` input with `take_over: true` contain a `take_over` tag.
-You can filter on this tag in Kibana and see the events which came from a filestream in the "take_over" mode. 
-
-Once you start receiving events with this tag, you can remove `take_over: true` and restart the fileinput again.
-
-=== If something went wrong
-
-If for whatever reason you'd like to revert the configuration after running the migrated configuration
-and return to old `log` inputs the files that were taken by `filestream` inputs, you need to do the following:
-
-1. Stop Filebeat as soon as possible
-2. Save its debug-level logs for further investigation
-3. Find your <<configuration-global-options,`registry.path/filebeat` directory>>
-4. Find the created backup files, they have the `<timestamp>.bak` suffix. If you have multiple backups for the same file, choose the one with the more recent timestamp.
-5. Replace the files with their backups, e.g. `log.json` should be replaced by `log.json-1674152412247684000.bak`
-6. Run Filebeat with the old configuration (no `filestream` inputs with `take_over: true`).
-
-NOTE: Reverting to backups might cause some events to repeat, depends on the amount of time the new configuration was running.
-
-=== Debugging on Kibana
-
-Events produced by `filestream` with `take_over: true` contains `take_over` tag.
-You can filter on this tag in Kibana and see the events which came from a filestream in the "take over" mode. 
\ No newline at end of file
diff --git a/filebeat/docs/howto/override-config-settings.asciidoc b/filebeat/docs/howto/override-config-settings.asciidoc
deleted file mode 100644
index 63bcbfa784db..000000000000
--- a/filebeat/docs/howto/override-config-settings.asciidoc
+++ /dev/null
@@ -1,77 +0,0 @@
-[id="override-{beatname_lc}-config-settings"]
-== Override configuration settings at the command line
-
-++++
-<titleabbrev>Override configuration settings</titleabbrev>
-++++
-
-//TODO: Convert this topic to use platform tabs.
-
-// REVEWERS: This is a mix of new and old content. Please review.
-
-NOTE: If you're running {beatname_uc} as a service, you can't specify
-command-line flags. To specify flags, start {beatname_uc} in the foreground.
-
-You can override any configuration setting from the command line by using flags:
-
-`-E, --E "SETTING_NAME=VALUE"`::
-Overrides a specific configuration setting. 
-`-M, --M "VAR_NAME=VALUE"`::
-Overrides the default configuration for a module. 
-
-You can specify multiple overrides. Overrides are applied to the currently
-running {beatname_uc} process. The {beatname_uc} configuration file is not
-changed.
-
-[float]
-[[example-override-config]]
-=== Example: override configuration file settings
-
-The following configuration sends logging output to files:
-
-["source","sh",subs="attributes"]
-----
-logging.level: info
-logging.to_files: true
-logging.files:
-  path: /var/log/filebeat
-  name: filebeat
-  keepfiles: 7
-  permissions: 0640
-----
-
-To override the logging level and send logging output to standard error instead
-of a file, use the `-E` flag when you run {beatname_uc}:
-
-["source","sh",subs="attributes"]
-----
--E "logging.to_files=false" -E "logging.to_stderr=true" -E "logging.level=error"
-----
-
-[float]
-[[example-override-module-setting]]
-=== Example: override module settings
-
-The following configuration sets the path to Nginx access logs:
-
-[source,yaml]
-----
-- module: nginx
-  access:
-    var.paths: ["/var/log/nginx/access.log*"] <1> 
-----
-
-To override this setting from the command line, use the `-M` flag when you run
-{beatname_uc}. The variable name must include the module and fileset name. For
-example:
-
-["source","sh",subs="attributes"]
-----
--M "nginx.access.var.paths=[/path/to/log/nginx/access.log*]"
-----
-
-You can specify multiple overrides. Each override must start with `-M`. 
-
-For information about specific variables that you can set for each fileset,
-see the documentation under <<{beatname_lc}-modules>>.
-
diff --git a/filebeat/docs/images/configuration-blocks.png b/filebeat/docs/images/configuration-blocks.png
deleted file mode 100644
index 20fef6b173d7..000000000000
Binary files a/filebeat/docs/images/configuration-blocks.png and /dev/null differ
diff --git a/filebeat/docs/images/enrolled-beats-apache.png b/filebeat/docs/images/enrolled-beats-apache.png
deleted file mode 100644
index d540758cd83a..000000000000
Binary files a/filebeat/docs/images/enrolled-beats-apache.png and /dev/null differ
diff --git a/filebeat/docs/images/enrolled-beats-dev-prod.png b/filebeat/docs/images/enrolled-beats-dev-prod.png
deleted file mode 100644
index ac5b28c64c20..000000000000
Binary files a/filebeat/docs/images/enrolled-beats-dev-prod.png and /dev/null differ
diff --git a/filebeat/docs/images/enrolled-beats.png b/filebeat/docs/images/enrolled-beats.png
deleted file mode 100644
index 2a4ca97eea32..000000000000
Binary files a/filebeat/docs/images/enrolled-beats.png and /dev/null differ
diff --git a/filebeat/docs/images/filebeat-discover-tab.png b/filebeat/docs/images/filebeat-discover-tab.png
deleted file mode 100644
index 2f8181870577..000000000000
Binary files a/filebeat/docs/images/filebeat-discover-tab.png and /dev/null differ
diff --git a/filebeat/docs/images/filebeat-nginx-ml.png b/filebeat/docs/images/filebeat-nginx-ml.png
deleted file mode 100644
index ff3505c30e8f..000000000000
Binary files a/filebeat/docs/images/filebeat-nginx-ml.png and /dev/null differ
diff --git a/filebeat/docs/images/filebeat-overview.png b/filebeat/docs/images/filebeat-overview.png
deleted file mode 100644
index 0cd9b38f186e..000000000000
Binary files a/filebeat/docs/images/filebeat-overview.png and /dev/null differ
diff --git a/filebeat/docs/images/filebeat-threatintel-malware-bazaar.png b/filebeat/docs/images/filebeat-threatintel-malware-bazaar.png
deleted file mode 100644
index 601132ad9b9b..000000000000
Binary files a/filebeat/docs/images/filebeat-threatintel-malware-bazaar.png and /dev/null differ
diff --git a/filebeat/docs/include/cisco-log-level.asciidoc b/filebeat/docs/include/cisco-log-level.asciidoc
deleted file mode 100644
index 9cfd1c2ec93d..000000000000
--- a/filebeat/docs/include/cisco-log-level.asciidoc
+++ /dev/null
@@ -1,24 +0,0 @@
-An integer between 1 and 7 that allows filtering messages based on the
-severity level. The different severity levels supported by the Cisco ASA are:
-
-[width="30%",cols="^1,2",options="header"]
-|===========================
-| log_level | severity
-|     1     | Alert
-|     2     | Critical
-|     3     | Error
-|     4     | Warning
-|     5     | Notification
-|     6     | Informational
-|     7     | Debugging
-|===========================
-
-A value of 7 (default) will not filter any messages. A lower value will drop
-any messages with a severity level higher than the specified value. For
-example, `var.log_level: 3` will allow messages of level 1 (Alert), 2 (Critical)
-and 3 (Error). All other messages will be dropped.
-
-NOTE: The filtering is done in the ingest pipeline, if this setting is
-changed, the ingest pipeline need to be reloaded manually. To reload
-the ingest pipeline, set `filebeat.overwrite_pipelines: true` and
-manually <<load-ingest-pipelines>>.
\ No newline at end of file
diff --git a/filebeat/docs/include/config-option-intro.asciidoc b/filebeat/docs/include/config-option-intro.asciidoc
deleted file mode 100644
index 364b111a126f..000000000000
--- a/filebeat/docs/include/config-option-intro.asciidoc
+++ /dev/null
@@ -1,15 +0,0 @@
-[float]
-[id="{modulename}-settings"]
-==== Variable settings
-
-Each fileset has separate variable settings for configuring the behavior of the
-module. If you don’t specify variable settings, the +{modulename}+ module uses
-the defaults.
-
-For advanced use cases, you can also override input settings. See
-<<advanced-settings>>.
-
-TIP: When you specify a setting at the command line, remember to prefix the
-setting with the module name, for example, +{modulename}.{fileset_ex}.var.paths+
-instead of +{fileset_ex}.var.paths+.
-
diff --git a/filebeat/docs/include/configuring-intro.asciidoc b/filebeat/docs/include/configuring-intro.asciidoc
deleted file mode 100644
index f4f62e9a0f08..000000000000
--- a/filebeat/docs/include/configuring-intro.asciidoc
+++ /dev/null
@@ -1,10 +0,0 @@
-[float]
-[id="configuring-{modulename}-module"]
-=== Configure the module
-
-You can further refine the behavior of the +{modulename}+ module by specifying
-<<{modulename}-settings,variable settings>> in the
-+modules.d/{modulename}.yml+ file, or overriding settings at the command line.
-
-You must enable at least one fileset in the module.
-**Filesets are disabled by default.**
diff --git a/filebeat/docs/include/gs-link.asciidoc b/filebeat/docs/include/gs-link.asciidoc
deleted file mode 100644
index 6c47e8c67d79..000000000000
--- a/filebeat/docs/include/gs-link.asciidoc
+++ /dev/null
@@ -1,2 +0,0 @@
-TIP: Read the <<{beatname_lc}-installation-configuration,quick start>> to learn
-how to configure and run modules.
\ No newline at end of file
diff --git a/filebeat/docs/include/timezone-support.asciidoc b/filebeat/docs/include/timezone-support.asciidoc
deleted file mode 100644
index 50370e18a6c5..000000000000
--- a/filebeat/docs/include/timezone-support.asciidoc
+++ /dev/null
@@ -1,17 +0,0 @@
-[float]
-==== Time zone support
-
-This module parses logs that don't contain time zone information. For these logs,
-Filebeat reads the local time zone and uses it when parsing to convert the
-timestamp to UTC. The time zone to be used for parsing is included in the event
-in the `event.timezone` field.
-
-To disable this conversion, the `event.timezone` field can be removed with
-the `drop_fields` processor.
-
-If logs are originated from systems or applications with a different time zone to
-the local one, the `event.timezone` field can be overwritten with the original
-time zone using the `add_fields` processor.
-
-See <<filtering-and-enhancing-data>> for information about specifying
-processors in your config.
diff --git a/filebeat/docs/include/use-journald.asciidoc b/filebeat/docs/include/use-journald.asciidoc
deleted file mode 100644
index acfc8b2d94ac..000000000000
--- a/filebeat/docs/include/use-journald.asciidoc
+++ /dev/null
@@ -1,4 +0,0 @@
-*`var.use_journald`*::
-
-A boolean that when set to `true` will read logs from Journald. When
-Journald is used all events contain the tag `journald`.
\ No newline at end of file
diff --git a/filebeat/docs/include/var-paths.asciidoc b/filebeat/docs/include/var-paths.asciidoc
deleted file mode 100644
index ea6f7d1c6ae0..000000000000
--- a/filebeat/docs/include/var-paths.asciidoc
+++ /dev/null
@@ -1,9 +0,0 @@
-*`var.paths`*::
-
-An array of glob-based paths that specify where to look for the log files. All
-patterns supported by https://golang.org/pkg/path/filepath/#Glob[Go Glob]
-are also supported here. For example, you can use wildcards to fetch all files
-from a predefined level of subdirectories: `/path/to/log/*/*.log`. This
-fetches all `.log` files from the subfolders of `/path/to/log`. It does not
-fetch log files from the `/path/to/log` folder itself. If this setting is left
-empty, {beatname_uc} will choose log paths based on your operating system.
diff --git a/filebeat/docs/include/what-happens.asciidoc b/filebeat/docs/include/what-happens.asciidoc
deleted file mode 100644
index 9d736c923eae..000000000000
--- a/filebeat/docs/include/what-happens.asciidoc
+++ /dev/null
@@ -1,13 +0,0 @@
-When you run the module, it performs a few tasks under the hood:
-
-* Sets the default paths to the log files (but don't worry, you can override the
-defaults)
-
-* Makes sure each multiline log event gets sent as a single event
-
-* Uses an {es} ingest pipeline to parse and process the log lines, shaping the
-data into a structure suitable for visualizing in Kibana
-
-ifeval::["{has-dashboards}"=="true"]
-* Deploys dashboards for visualizing the log data
-endif::[]
diff --git a/filebeat/docs/index.asciidoc b/filebeat/docs/index.asciidoc
deleted file mode 100644
index aedc0f74de6d..000000000000
--- a/filebeat/docs/index.asciidoc
+++ /dev/null
@@ -1,69 +0,0 @@
-= Filebeat Reference
-
-:libbeat-dir: {docdir}/../../libbeat/docs
-
-include::{libbeat-dir}/version.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/versions/stack/{source_branch}.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
-
-:beatname_lc: filebeat
-:beatname_uc: Filebeat
-:beatname_pkg: {beatname_lc}
-:github_repo_name: beats
-:discuss_forum: beats/{beatname_lc}
-:beat_default_index_prefix: {beatname_lc}
-:beat_kib_app: {kib} Logs
-:has_ml_jobs: yes
-:has_solutions:
-:ignores_max_retries:
-:has_docker_label_ex:
-:has_modules_command:
-:has_kubernetes_logs_path_matcher:
-:has_nomad_logs_path_matcher:
-:has_registry:
-:has_inputs_endpoint:
-:deb_os:
-:rpm_os:
-:mac_os:
-:linux_os:
-:docker_platform:
-:win_os:
-:no_add_session_metadata_processor:
-
-:kubernetes_default_indexers: {docdir}/kubernetes-default-indexers-matchers.asciidoc
-
-include::{libbeat-dir}/shared-beats-attributes.asciidoc[]
-
-include::./overview.asciidoc[]
-
-include::./getting-started.asciidoc[]
-
-include::./setting-up-running.asciidoc[]
-
-include::./upgrading.asciidoc[]
-
-include::./how-filebeat-works.asciidoc[]
-
-include::./configuring-howto.asciidoc[]
-
-include::{docdir}/howto/howto.asciidoc[]
-
-include::./modules.asciidoc[]
-
-include::./fields.asciidoc[]
-
-include::{libbeat-dir}/monitoring/monitoring-beats.asciidoc[]
-
-include::{libbeat-dir}/shared-securing-beat.asciidoc[]
-
-include::./troubleshooting.asciidoc[]
-
-include::./faq.asciidoc[]
-
-include::{libbeat-dir}/contributing-to-beats.asciidoc[]
-
-include::redirects.asciidoc[]
-
-include::{libbeat-dir}/redirects.asciidoc[]
diff --git a/filebeat/docs/inputs/input-common-file-options.asciidoc b/filebeat/docs/inputs/input-common-file-options.asciidoc
deleted file mode 100644
index 7d62c5827fec..000000000000
--- a/filebeat/docs/inputs/input-common-file-options.asciidoc
+++ /dev/null
@@ -1,443 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by Filebeat inputs that use the input
-//// to process files on disk (includes options for managing physical files)
-//// If you add IDs to sections, make sure you use attributes to create
-//// unique IDs for each input that includes this file. Use the format:
-//// [id="{beatname_lc}-input-{type}-option-name"]
-//////////////////////////////////////////////////////////////////////////
-
-[float]
-[id="{beatname_lc}-input-{type}-exclude-files"]
-===== `exclude_files`
-
-A list of regular expressions to match the files that you want {beatname_uc} to
-ignore. By default no files are excluded.
-
-The following example configures {beatname_uc} to ignore all the files that have
-a `gz` extension:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: {type}
-  ...
-  exclude_files: ['\.gz$']
-----
-
-See <<regexp-support>> for a list of supported regexp patterns.
-
-[float]
-[id="{beatname_lc}-input-{type}-ignore-older"]
-===== `ignore_older`
-
-If this option is enabled, {beatname_uc} ignores any files that were modified
-before the specified timespan. Configuring `ignore_older` can be especially
-useful if you keep log files for a long time. For example, if you want to start
-{beatname_uc}, but only want to send the newest files and files from last week,
-you can configure this option.
-
-You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is 0,
-which disables the setting. Commenting out the config has the same effect as
-setting it to 0.
-
-IMPORTANT: You must set `ignore_older` to be greater than `close_inactive`.
-
-The files affected by this setting fall into two categories:
-
-* Files that were never harvested
-* Files that were harvested but weren't updated for longer than `ignore_older`
-
-For files which were never seen before, the offset state is set to the end of
-the file. If a state already exist, the offset is not changed. In case a file is
-updated again later, reading continues at the set offset position.
-
-The `ignore_older` setting relies on the modification time of the file to
-determine if a file is ignored. If the modification time of the file is not
-updated when lines are written to a file (which can happen on Windows), the
-`ignore_older` setting may cause {beatname_uc} to ignore files even though
-content was added at a later time.
-
-To remove the state of previously harvested files from the registry file, use
-the `clean_inactive` configuration option.
-
-Before a file can be ignored by {beatname_uc}, the file must be closed. To
-ensure a file is no longer being harvested when it is ignored, you must set
-`ignore_older` to a longer duration than `close_inactive`.
-
-If a file that's currently being harvested falls under `ignore_older`, the
-harvester will first finish reading the file and close it after `close_inactive`
-is reached. Then, after that, the file will be ignored.
-
-[float]
-[id="{beatname_lc}-input-{type}-close-options"]
-===== `close_*`
-
-The `close_*` configuration options are used to close the harvester after a
-certain criteria or time. Closing the harvester means closing the file handler.
-If a file is updated after the harvester is closed, the file will be picked up
-again after `scan_frequency` has elapsed. However, if the file is moved or
-deleted while the harvester is closed, {beatname_uc} will not be able to pick up
-the file again, and any data that the harvester hasn't read will be lost.
-The `close_*` settings are applied synchronously when {beatname_uc} attempts
-to read from a file, meaning that if {beatname_uc} is in a blocked state
-due to blocked output, full queue or other issue, a file that would
-otherwise be closed remains open until {beatname_uc} once again attempts to read from the file.
-
-
-[float]
-[id="{beatname_lc}-input-{type}-close-inactive"]
-===== `close_inactive`
-
-When this option is enabled, {beatname_uc} closes the file handle if a file has
-not been harvested for the specified duration. The counter for the defined
-period starts when the last log line was read by the harvester. It is not based
-on the modification time of the file. If the closed file changes again, a new
-harvester is started and the latest changes will be picked up after
-`scan_frequency` has elapsed.
-
-We recommended that you set `close_inactive` to a value that is larger than the
-least frequent updates to your log files. For example, if your log files get
-updated every few seconds, you can safely set `close_inactive` to `1m`. If there
-are log files with very different update rates, you can use multiple
-configurations with different values.
-
-Setting `close_inactive` to a lower value means that file handles are closed
-sooner. However this has the side effect that new log lines are not sent in near
-real time if the harvester is closed.
-
-The timestamp for closing a file does not depend on the modification time of the
-file. Instead, {beatname_uc} uses an internal timestamp that reflects when the
-file was last harvested. For example, if `close_inactive` is set to 5 minutes,
-the countdown for the 5 minutes starts after the harvester reads the last line
-of the file.
-
-You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is
-5m.
-
-[float]
-[id="{beatname_lc}-input-{type}-close-renamed"]
-===== `close_renamed`
-
-WARNING: Only use this option if you understand that data loss is a potential
-side effect.
-
-When this option is enabled, {beatname_uc} closes the file handler when a file
-is renamed. This happens, for example, when rotating files. By default, the
-harvester stays open and keeps reading the file because the file handler does
-not depend on the file name. If the `close_renamed` option is enabled and the
-file is renamed or moved in such a way that it's no longer matched by the file
-patterns specified for the path, the file will not be picked up again.
-{beatname_uc} will not finish reading the file.
-
-Do not use this option when `path` based `file_identity` is configured. It does
-not make sense to enable the option, as Filebeat cannot detect renames using
-path names as unique identifiers.
-
-WINDOWS: If your Windows log rotation system shows errors because it can't
-rotate the files, you should enable this option.
-
-[float]
-[id="{beatname_lc}-input-{type}-close-removed"]
-===== `close_removed`
-
-When this option is enabled, {beatname_uc} closes the harvester when a file is
-removed. Normally a file should only be removed after it's inactive for the
-duration specified by `close_inactive`. However, if a file is removed early and
-you don't enable `close_removed`, {beatname_uc} keeps the file open to make sure
-the harvester has completed. If this setting results in files that are not
-completely read because they are removed from disk too early, disable this
-option.
-
-This option is enabled by default. If you disable this option, you must also
-disable `clean_removed`.
-
-WINDOWS: If your Windows log rotation system shows errors because it can't
-rotate files, make sure this option is enabled.
-
-[float]
-[id="{beatname_lc}-input-{type}-close-eof"]
-===== `close_eof`
-
-WARNING: Only use this option if you understand that data loss is a potential
-side effect.
-
-When this option is enabled, {beatname_uc} closes a file as soon as the end of a
-file is reached. This is useful when your files are only written once and not
-updated from time to time. For example, this happens when you are writing every
-single log event to a new file. This option is disabled by default.
-
-[float]
-[id="{beatname_lc}-input-{type}-close-timeout"]
-===== `close_timeout`
-
-WARNING: Only use this option if you understand that data loss is a potential
-side effect. Another side effect is that multiline events might not be
-completely sent before the timeout expires.
-
-When this option is enabled, {beatname_uc} gives every harvester a predefined
-lifetime. Regardless of where the reader is in the file, reading will stop after
-the `close_timeout` period has elapsed. This option can be useful for older log
-files when you want to spend only a predefined amount of time on the files.
-While `close_timeout` will close the file after the predefined timeout, if the
-file is still being updated, {beatname_uc} will start a new harvester again per
-the defined `scan_frequency`. And the close_timeout for this harvester will
-start again with the countdown for the timeout.
-
-This option is particularly useful in case the output is blocked, which makes
-{beatname_uc} keep open file handlers even for files that were deleted from the
-disk. Setting `close_timeout` to `5m` ensures that the files are periodically
-closed so they can be freed up by the operating system.
-
-If you set `close_timeout` to equal `ignore_older`, the file will not be picked
-up if it's modified while the harvester is closed. This combination of settings
-normally leads to data loss, and the complete file is not sent.
-
-When you use `close_timeout` for logs that contain multiline events, the
-harvester might stop in the middle of a multiline event, which means that only
-parts of the event will be sent. If the harvester is started again and the file
-still exists, only the second part of the event will be sent.
-
-This option is set to 0 by default which means it is disabled.
-
-
-[float]
-[id="{beatname_lc}-input-{type}-clean-options"]
-===== `clean_*`
-
-The `clean_*` options are used to clean up the state entries in the registry
-file. These settings help to reduce the size of the registry file and can
-prevent a potential <<inode-reuse-issue,inode reuse issue>>.
-
-[float]
-[id="{beatname_lc}-input-{type}-clean-inactive"]
-===== `clean_inactive`
-
-WARNING: Only use this option if you understand that data loss is a potential
-side effect.
-
-When this option is enabled, {beatname_uc} removes the state of a file after the
-specified period of inactivity has elapsed. The  state can only be removed if
-the file is already ignored by {beatname_uc} (the file is older than
-`ignore_older`). The `clean_inactive` setting must be greater than `ignore_older +
-scan_frequency` to make sure that no states are removed while a file is still
-being harvested. Otherwise, the setting could result in {beatname_uc} resending
-the full content constantly because  `clean_inactive` removes state for files
-that are still detected by {beatname_uc}. If a file is updated or appears
-again, the file is read from the beginning.
-
-The `clean_inactive` configuration option is useful to reduce the size of the
-registry file, especially if a large amount of new files are generated every
-day.
-
-This config option is also useful to prevent {beatname_uc} problems resulting
-from inode reuse on Linux. For more information, see <<inode-reuse-issue>>.
-
-NOTE: Every time a file is renamed, the file state is updated and the counter
-for `clean_inactive` starts at 0 again.
-
-TIP: During testing, you might notice that the registry contains state entries
-that should be removed based on the `clean_inactive` setting. This happens
-because {beatname_uc} doesn't remove the entries until it opens the registry
-again to read a different file. If you are testing the `clean_inactive` setting,
-make sure {beatname_uc} is configured to read from more than one file, or the
-file state will never be removed from the registry.
-
-[float]
-[id="{beatname_lc}-input-{type}-clean-removed"]
-===== `clean_removed`
-
-When this option is enabled, {beatname_uc} cleans files from the registry if
-they cannot be found on disk anymore under the last known name. This means also
-files which were renamed after the harvester was finished will be removed. This
-option is enabled by default.
-
-If a shared drive disappears for a short period and appears again, all files
-will be read again from the beginning because the states were removed from the
-registry file. In such cases, we recommend that you disable the `clean_removed`
-option.
-
-You must disable this option if you also disable `close_removed`.
-
-[float]
-[id="{beatname_lc}-input-{type}-scan-frequency"]
-===== `scan_frequency`
-
-How often {beatname_uc} checks for new files in the paths that are specified
-for harvesting. For example, if you specify a glob like `/var/log/*`, the
-directory is scanned for files using the frequency specified by
-`scan_frequency`. Specify 1s to scan the directory as frequently as possible
-without causing {beatname_uc} to scan too frequently. We do not recommend to set
-this value `<1s`.
-
-If you require log lines to be sent in near real time do not use a very low
-`scan_frequency` but adjust `close_inactive` so the file handler stays open and
-constantly polls your files.
-
-The default setting is 10s.
-
-[float]
-[id="{beatname_lc}-input-{type}-scan-sort"]
-===== `scan.sort`
-
-experimental[]
-
-If you specify a value other than the empty string for this setting you can
-determine whether to use ascending or descending order using `scan.order`.
-Possible values are `modtime` and `filename`. To sort by file modification time,
-use `modtime`, otherwise use `filename`. Leave this option empty to disable it.
-
-If you specify a value for this setting, you can use `scan.order` to configure
-whether files are scanned in ascending or descending order.
-
-The default setting is disabled.
-
-[float]
-[id="{beatname_lc}-input-{type}-scan-order"]
-===== `scan.order`
-
-experimental[]
-
-Specifies whether to use ascending or descending order when `scan.sort` is set to a value other than none. Possible values are `asc` or `desc`.
-
-The default setting is `asc`.
-
-[float]
-===== `tail_files`
-
-If this option is set to true, {beatname_uc} starts reading new files at the end
-of each file instead of the beginning. When this option is used in combination
-with log rotation, it's possible that the first log entries in a new file might
-be skipped. The default setting is false.
-
-This option applies to files that {beatname_uc} has not already processed. If
-you ran {beatname_uc} previously and the state of the file was already
-persisted, `tail_files` will not apply. Harvesting will continue at the previous
-offset. To apply `tail_files` to all files, you must stop {beatname_uc} and
-remove the registry file. Be aware that doing this removes ALL previous states.
-
-NOTE: You can use this setting to avoid indexing old log lines when you run
-{beatname_uc} on a set of log files for the first time. After the first run, we
-recommend disabling this option, or you risk losing lines during file rotation.
-
-[float]
-===== `symlinks`
-
-The `symlinks` option allows {beatname_uc} to harvest symlinks in addition to
-regular files. When harvesting symlinks, {beatname_uc} opens and reads the
-original file even though it reports the path of the symlink.
-
-When you configure a symlink for harvesting, make sure the original path is
-excluded. If a single input is configured to harvest both the symlink and
-the original file, {beatname_uc} will detect the problem and only process the
-first file it finds. However, if two different inputs are configured (one
-to read the symlink and the other the original path), both paths will be
-harvested, causing {beatname_uc} to send duplicate data and the inputs to
-overwrite each other's state.
-
-The `symlinks` option can be useful if symlinks to the log files have additional
-metadata in the file name, and you want to process the metadata in Logstash.
-This is, for example, the case for Kubernetes log files.
-
-Because this option may lead to data loss, it is disabled by default.
-
-[float]
-===== `backoff`
-
-The backoff options specify how aggressively {beatname_uc} crawls open files for
-updates. You can use the default values in most cases.
-
-The `backoff` option defines how long {beatname_uc} waits before checking a file
-again after EOF is reached. The default is 1s, which means the file is checked
-every second if new lines were added. This enables near real-time crawling.
-Every time a new line appears in the file, the `backoff` value is reset to the
-initial value. The default is 1s.
-
-[float]
-===== `max_backoff`
-
-The maximum time for {beatname_uc} to wait before checking a file again after
-EOF is reached. After having backed off multiple times from checking the file,
-the wait time will never exceed `max_backoff` regardless of what is specified
-for  `backoff_factor`. Because it takes a maximum of 10s to read a new line,
-specifying 10s for `max_backoff` means that, at the worst, a new line could be
-added to the log file if {beatname_uc} has backed off multiple times. The
-default is 10s.
-
-Requirement: Set `max_backoff` to be greater than or equal to `backoff` and
-less than or equal to `scan_frequency` (`backoff <= max_backoff <= scan_frequency`).
-If `max_backoff` needs to be higher, it is recommended to close the file handler
-instead and let {beatname_uc} pick up the file again.
-
-[float]
-===== `backoff_factor`
-
-This option specifies how fast the waiting time is increased. The bigger the
-backoff factor, the faster the `max_backoff` value is reached. The backoff
-factor increments exponentially. The minimum value allowed is 1. If this value
-is set to 1, the backoff algorithm is disabled, and the `backoff` value is used
-for waiting for new lines. The `backoff` value will be multiplied each time with
-the `backoff_factor` until `max_backoff` is reached. The default is 2.
-
-[float]
-[id="{beatname_lc}-input-{type}-harvester-limit"]
-===== `harvester_limit`
-
-The `harvester_limit` option limits the number of harvesters that are started in
-parallel for one input. This directly relates to the maximum number of file
-handlers that are opened. The default for `harvester_limit` is 0, which means
-there is no limit. This configuration is useful if the number of files to be
-harvested exceeds the open file handler limit of the operating system.
-
-Setting a limit on the number of harvesters means that potentially not all files
-are opened in parallel. Therefore we recommended that you use this option in
-combination with the `close_*` options to make sure harvesters are stopped more
-often so that new files can be picked up.
-
-Currently if a new harvester can be started again, the harvester is picked
-randomly. This means it's possible that the harvester for a file that was just
-closed and then updated again might be started instead of the harvester for a
-file that hasn't been harvested for a longer period of time.
-
-This configuration option applies per input. You can use this option to
-indirectly set higher priorities on certain inputs by assigning a higher
-limit of harvesters.
-
-[float]
-===== `file_identity`
-
-Different `file_identity` methods can be configured to suit the
-environment where you are collecting log messages.
-
-
-*`native`*:: The default behaviour of {beatname_uc} is to differentiate
-between files using their inodes and device ids.
-
-[source,yaml]
-----
-file_identity.native: ~
-----
-
-*`path`*:: To identify files based on their paths use this strategy.
-
-WARNING: Only use this strategy if your log files are rotated to a folder
-outside of the scope of your input or not at all. Otherwise you end up
-with duplicated events.
-
-WARNING: This strategy does not support renaming files.
-If an input file is renamed, {beatname_uc} will read it again if the new path
-matches the settings of the input.
-
-[source,yaml]
-----
-file_identity.path: ~
-----
-
-*`inode_marker`*:: If the device id changes from time to time, you must use
-this method to distinguish files. This option is not supported on Windows.
-
-Set the location of the marker file the following way:
-
-[source,yaml]
-----
-file_identity.inode_marker.path: /logs/.filebeat-marker
-----
diff --git a/filebeat/docs/inputs/input-common-harvester-options.asciidoc b/filebeat/docs/inputs/input-common-harvester-options.asciidoc
deleted file mode 100644
index 014958050a27..000000000000
--- a/filebeat/docs/inputs/input-common-harvester-options.asciidoc
+++ /dev/null
@@ -1,214 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by Filebeat inputs that use the input
-//// but do not process files (the options for managing files
-//// on disk are not relevant)
-//// If you add IDs to sections, make sure you use attributes to create
-//// unique IDs for each input that includes this file. Use the format:
-//// [id="{beatname_lc}-input-{type}-option-name"]
-//////////////////////////////////////////////////////////////////////////
-
-[float]
-===== `encoding`
-
-The file encoding to use for reading data that contains international
-characters. See the encoding names http://www.w3.org/TR/encoding/[recommended by
-the W3C for use in HTML5].
-
-Valid encodings:
-
-	* `plain`: plain ASCII encoding
-	* `utf-8` or `utf8`: UTF-8 encoding
-	* `gbk`: simplified Chinese charaters
-	* `iso8859-6e`: ISO8859-6E, Latin/Arabic
-	* `iso8859-6i`: ISO8859-6I, Latin/Arabic
-	* `iso8859-8e`: ISO8859-8E, Latin/Hebrew
-	* `iso8859-8i`: ISO8859-8I, Latin/Hebrew
-	* `iso8859-1`: ISO8859-1, Latin-1
-	* `iso8859-2`: ISO8859-2, Latin-2
-	* `iso8859-3`: ISO8859-3, Latin-3
-	* `iso8859-4`: ISO8859-4, Latin-4
-	* `iso8859-5`: ISO8859-5, Latin/Cyrillic
-	* `iso8859-6`: ISO8859-6, Latin/Arabic
-	* `iso8859-7`: ISO8859-7, Latin/Greek
-	* `iso8859-8`: ISO8859-8, Latin/Hebrew
-	* `iso8859-9`: ISO8859-9, Latin-5
-	* `iso8859-10`: ISO8859-10, Latin-6
-	* `iso8859-13`: ISO8859-13, Latin-7
-	* `iso8859-14`: ISO8859-14, Latin-8
-	* `iso8859-15`: ISO8859-15, Latin-9
-	* `iso8859-16`: ISO8859-16, Latin-10
-	* `cp437`: IBM CodePage 437
-	* `cp850`: IBM CodePage 850
-	* `cp852`: IBM CodePage 852
-	* `cp855`: IBM CodePage 855
-	* `cp858`: IBM CodePage 858
-	* `cp860`: IBM CodePage 860
-	* `cp862`: IBM CodePage 862
-	* `cp863`: IBM CodePage 863
-	* `cp865`: IBM CodePage 865
-	* `cp866`: IBM CodePage 866
-	* `ebcdic-037`: IBM CodePage 037
-	* `ebcdic-1040`: IBM CodePage 1140
-	* `ebcdic-1047`: IBM CodePage 1047
-	* `koi8r`: KOI8-R, Russian (Cyrillic)
-	* `koi8u`: KOI8-U, Ukranian (Cyrillic)
-	* `macintosh`: Macintosh encoding
-	* `macintosh-cyrillic`: Macintosh Cyrillic encoding
-	* `windows1250`: Windows1250, Central and Eastern European
-	* `windows1251`: Windows1251, Russian, Serbian (Cyrillic)
-	* `windows1252`: Windows1252, Legacy
-	* `windows1253`: Windows1253, Modern Greek
-	* `windows1254`: Windows1254, Turkish
-	* `windows1255`: Windows1255, Hebrew
-	* `windows1256`: Windows1256, Arabic
-	* `windows1257`: Windows1257, Estonian, Latvian, Lithuanian
-	* `windows1258`: Windows1258, Vietnamese
-	* `windows874`:  Windows874, ISO/IEC 8859-11, Latin/Thai
-	* `utf-16-bom`: UTF-16 with required BOM
-	* `utf-16be-bom`: big endian UTF-16 with required BOM
-	* `utf-16le-bom`: little endian UTF-16 with required BOM
-
-The `plain` encoding is special, because it does not validate or transform any input.
-
-[float]
-[id="{beatname_lc}-input-{type}-exclude-lines"]
-===== `exclude_lines`
-
-A list of regular expressions to match the lines that you want {beatname_uc} to
-exclude. {beatname_uc} drops any lines that match a regular expression in the
-list. By default, no lines are dropped. Empty lines are ignored.
-
-If <<multiline,multiline>> settings are also specified, each multiline message
-is combined into a single line before the lines are filtered by `exclude_lines`.
-
-The following example configures {beatname_uc} to drop any lines that start with
-`DBG`.
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: {type}
-  ...
-  exclude_lines: ['^DBG']
-----
-
-See <<regexp-support>> for a list of supported regexp patterns.
-
-[float]
-[id="{beatname_lc}-input-{type}-include-lines"]
-===== `include_lines`
-
-A list of regular expressions to match the lines that you want {beatname_uc} to
-include. {beatname_uc} exports only the lines that match a regular expression in
-the list. By default, all lines are exported. Empty lines are ignored.
-
-If <<multiline,multiline>> settings also specified, each multiline message is
-combined into a single line before the lines are filtered by `include_lines`.
-
-The following example configures {beatname_uc} to export any lines that start
-with `ERR` or `WARN`:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: {type}
-  ...
-  include_lines: ['^ERR', '^WARN']
-----
-
-NOTE: If both `include_lines` and `exclude_lines` are defined, {beatname_uc}
-executes `include_lines` first and then executes `exclude_lines`. The order in
-which the two options are defined doesn't matter. The `include_lines` option
-will always be executed before the `exclude_lines` option, even if
-`exclude_lines` appears before `include_lines` in the config file.
-
-The following example exports all log lines that contain `sometext`,
-except for lines that begin with `DBG` (debug messages):
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: {type}
-  ...
-  include_lines: ['sometext']
-  exclude_lines: ['^DBG']
-----
-
-See <<regexp-support>> for a list of supported regexp patterns.
-
-[float]
-===== `harvester_buffer_size`
-
-The size in bytes of the buffer that each harvester uses when fetching a file.
-The default is 16384.
-
-[float]
-===== `max_bytes`
-
-The maximum number of bytes that a single log message can have. All bytes after
-`max_bytes` are discarded and not sent. This setting is especially useful for
-multiline log messages, which can get large. The default is 10MB (10485760).
-
-[float]
-[id="{beatname_lc}-input-{type}-config-json"]
-===== `json`
-These options make it possible for {beatname_uc} to decode logs structured as
-JSON messages. {beatname_uc} processes the logs line by line, so the JSON
-decoding only works if there is one JSON object per line.
-
-The decoding happens before line filtering and multiline. You can combine JSON
-decoding with filtering and multiline if you set the `message_key` option. This
-can be helpful in situations where the application logs are wrapped in JSON
-objects, as with like it happens for example with Docker.
-
-Example configuration:
-
-[source,yaml]
-----
-json.keys_under_root: true
-json.add_error_key: true
-json.message_key: log
-----
-
-You must specify at least one of the following settings to enable JSON parsing
-mode:
-
-*`keys_under_root`*:: By default, the decoded JSON is placed under a "json" key
-in the output document. If you enable this setting, the keys are copied top
-level in the output document. The default is false.
-
-*`overwrite_keys`*:: If `keys_under_root` and this setting are enabled, then the
-values from the decoded JSON object overwrite the fields that {beatname_uc}
-normally adds (type, source, offset, etc.) in case of conflicts.
-
-*`expand_keys`*:: If this setting is enabled, {beatname_uc} will recursively
-de-dot keys in the decoded JSON, and expand them into a hierarchical object
-structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`.
-This setting should be enabled when the input is produced by an
-https://github.com/elastic/ecs-logging[ECS logger].
-
-*`add_error_key`*:: If this setting is enabled, {beatname_uc} adds a
-"error.message" and "error.type: json" key in case of JSON unmarshalling errors
-or when a `message_key` is defined in the configuration but cannot be used.
-
-*`message_key`*:: An optional configuration setting that specifies a JSON key on
-which to apply the line filtering and multiline settings. If specified the key
-must be at the top level in the JSON object and the value associated with the
-key must be a string, otherwise no filtering or multiline aggregation will
-occur.
-
-*`document_id`*:: Option configuration setting that specifies the JSON key to
-set the document id. If configured, the field will be removed from the original
-json document and stored in `@metadata._id`
-
-*`ignore_decoding_error`*:: An optional configuration setting that specifies if
-JSON decoding errors should be logged or not. If set to true, errors will not
-be logged. The default is false.
-
-[float]
-===== `multiline`
-
-Options that control how {beatname_uc} deals with log messages that span
-multiple lines. See <<multiline-examples>> for more information about
-configuring multiline options.
-
diff --git a/filebeat/docs/inputs/input-common-options.asciidoc b/filebeat/docs/inputs/input-common-options.asciidoc
deleted file mode 100644
index cbd7a06f9cda..000000000000
--- a/filebeat/docs/inputs/input-common-options.asciidoc
+++ /dev/null
@@ -1,112 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Filebeat inputs
-//// If you add IDs to sections, make sure you use attributes to create
-//// unique IDs for each input that includes this file. Use the format:
-//// [id="{beatname_lc}-input-{type}-option-name"]
-//////////////////////////////////////////////////////////////////////////
-
-==== Common options
-
-The following configuration options are supported by all inputs.
-
-[float]
-===== `enabled`
-
-Use the `enabled` option to enable and disable inputs. By default, enabled is
-set to true.
-
-[float]
-===== `tags`
-
-A list of tags that {beatname_uc} includes in the `tags` field of each published
-event. Tags make it easy to select specific events in Kibana or apply
-conditional filtering in Logstash. These tags will be appended to the list of
-tags specified in the general configuration.
-
-Example:
-
-["source","yaml",subs="attributes"]
------
-{beatname_lc}.inputs:
-- type: {type}
-  . . .
-  tags: ["json"]
------
-
-
-[float]
-[id="{beatname_lc}-input-{type}-fields"]
-===== `fields`
-
-Optional fields that you can specify to add additional information to the
-output. For example, you might add fields that you can use for filtering log
-data. Fields can be scalar values, arrays, dictionaries, or any nested
-combination of these. By default, the fields that you specify here will be
-grouped under a `fields` sub-dictionary in the output document. To store the
-custom fields as top-level fields, set the `fields_under_root` option to true.
-If a duplicate field is declared in the general configuration, then its value
-will be overwritten by the value declared here.
-
-["source","yaml",subs="attributes"]
------
-{beatname_lc}.inputs:
-- type: {type}
-  . . .
-  fields:
-    app_id: query_engine_12
------
-
-[float]
-[id="fields-under-root-{type}"]
-===== `fields_under_root`
-
-If this option is set to true, the custom
-<<{beatname_lc}-input-{type}-fields,fields>> are stored as top-level fields in
-the output document instead of being grouped under a `fields` sub-dictionary. If
-the custom field names conflict with other field names added by {beatname_uc},
-then the custom fields overwrite the other fields.
-
-[float]
-===== `processors`
-
-A list of processors to apply to the input data.
-
-See <<filtering-and-enhancing-data>> for information about specifying
-processors in your config.
-
-[float]
-===== `pipeline`
-
-The ingest pipeline ID to set for the events generated by this input.
-
-NOTE: The pipeline ID can also be configured in the Elasticsearch output, but
-this option usually results in simpler configuration files. If the pipeline is
-configured both in the input and output, the option from the
-input is used.
-
-IMPORTANT: The `pipeline` is always lowercased. If `pipeline: Foo-Bar`, then
-the pipeline name in {es} needs to be defined as `foo-bar`.
-
-[float]
-===== `keep_null`
-
-If this option is set to true, fields with `null` values will be published in
-the output document. By default, `keep_null` is set to `false`.
-
-[float]
-===== `index`
-
-If present, this formatted string overrides the index for events from this input
-(for elasticsearch outputs), or sets the `raw_index` field of the event's
-metadata (for other outputs). This string can only refer to the agent name and
-version and the event timestamp; for access to dynamic fields, use
-`output.elasticsearch.index` or a processor.
-
-Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might
-expand to `"filebeat-myindex-2019.11.01"`.
-
-[float]
-===== `publisher_pipeline.disable_host`
-
-By default, all events contain `host.name`. This option can be set to `true` to
-disable the addition of this field to all events. The default value is `false`.
diff --git a/filebeat/docs/inputs/input-common-tcp-options.asciidoc b/filebeat/docs/inputs/input-common-tcp-options.asciidoc
deleted file mode 100644
index f0d8262f8174..000000000000
--- a/filebeat/docs/inputs/input-common-tcp-options.asciidoc
+++ /dev/null
@@ -1,61 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by Filebeat inputs that use the TCP inputsource
-//// If you add IDs to sections, make sure you use attributes to create
-//// unique IDs for each input that includes this file. Use the format:
-//// [id="{beatname_lc}-input-{type}-option-name"]
-//////////////////////////////////////////////////////////////////////////
-[float]
-[id="{beatname_lc}-input-{type}-tcp-max-message-size"]
-==== `max_message_size`
-
-The maximum size of the message received over TCP. The default is `20MiB`.
-
-[float]
-[id="{beatname_lc}-input-{type}-tcp-host"]
-==== `host`
-
-The host and TCP port to listen on for event streams.
-
-[float]
-[id="{beatname_lc}-input-{type}-tcp-network"]
-==== `network`
-
-The network type. Acceptable values are: "tcp" (default), "tcp4", "tcp6"
-
-[float]
-[id="{beatname_lc}-input-{type}-tcp-framing"]
-==== `framing`
-
-Specify the framing used to split incoming events.  Can be one of
-`delimiter` or `rfc6587`.  `delimiter` uses the characters specified
-in `line_delimiter` to split the incoming events.  `rfc6587` supports
-octet counting and non-transparent framing as described in
-https://tools.ietf.org/html/rfc6587[RFC6587].  `line_delimiter` is
-used to split the events in non-transparent framing.  The default is `delimiter`.
-
-[float]
-[id="{beatname_lc}-input-{type}-tcp-line-delimiter"]
-==== `line_delimiter`
-
-Specify the characters used to split the incoming events. The default is '\n'.
-
-[float]
-[id="{beatname_lc}-input-{type}-tcp-max-connections"]
-==== `max_connections`
-
-The at most number of connections to accept at any given point in time.
-
-[float]
-[id="{beatname_lc}-input-{type}-tcp-timeout"]
-==== `timeout`
-
-The number of seconds of inactivity before a remote connection is closed. The default is `300s`.
-
-[float]
-[id="{beatname_lc}-input-{type}-tcp-ssl"]
-===== `ssl`
-
-Configuration options for SSL parameters like the certificate, key and the certificate authorities
-to use.
-
-See <<configuration-ssl>> for more information.
diff --git a/filebeat/docs/inputs/input-common-udp-options.asciidoc b/filebeat/docs/inputs/input-common-udp-options.asciidoc
deleted file mode 100644
index 109db7c3e5c8..000000000000
--- a/filebeat/docs/inputs/input-common-udp-options.asciidoc
+++ /dev/null
@@ -1,36 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by Filebeat inputs that use the UDP inputsource
-//// If you add IDs to sections, make sure you use attributes to create
-//// unique IDs for each input that includes this file. Use the format:
-//// [id="{beatname_lc}-input-{type}-option-name"]
-//////////////////////////////////////////////////////////////////////////
-[float]
-[id="{beatname_lc}-input-{type}-udp-max-message-size"]
-==== `max_message_size`
-
-The maximum size of the message received over UDP. The default is `10KiB`.
-
-[float]
-[id="{beatname_lc}-input-{type}-udp-host"]
-==== `host`
-
-The host and UDP port to listen on for event streams.
-
-[float]
-[id="{beatname_lc}-input-{type}-udp-network"]
-==== `network`
-
-The network type. Acceptable values are: "udp" (default), "udp4", "udp6"
-
-[float]
-[id="{beatname_lc}-input-{type}-udp-read-buffer"]
-==== `read_buffer`
-
-The size of the read buffer on the UDP socket. If not specified the default 
-from the operating system will be used.
-
-[float]
-[id="{beatname_lc}-input-{type}-udp-timeout"]
-==== `timeout`
-
-The read and write timeout for socket operations. The default is `5m`.
diff --git a/filebeat/docs/inputs/input-common-unix-options.asciidoc b/filebeat/docs/inputs/input-common-unix-options.asciidoc
deleted file mode 100644
index 2580b31b9205..000000000000
--- a/filebeat/docs/inputs/input-common-unix-options.asciidoc
+++ /dev/null
@@ -1,71 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by Filebeat inputs that use the Unix inputsource
-//// If you add IDs to sections, make sure you use attributes to create
-//// unique IDs for each input that includes this file. Use the format:
-//// [id="{beatname_lc}-input-{type}-option-name"]
-//////////////////////////////////////////////////////////////////////////
-[float]
-[id="{beatname_lc}-input-{type}-unix-max-message-size"]
-==== `max_message_size`
-
-The maximum size of the message received over the socket. The default is `20MiB`.
-
-[float]
-[id="{beatname_lc}-input-{type}-unix-path"]
-==== `path`
-
-The path to the Unix socket that will receive events.
-
-[float]
-[id="{beatname_lc}-input-{type}-unix-socket-type"]
-==== `socket_type`
-
-The type to of the Unix socket that will receive events. Valid values
-are `stream` and `datagram`. The default is `stream`.
-
-[float]
-[id="{beatname_lc}-input-{type}-unix-group"]
-==== `group`
-
-The group ownership of the Unix socket that will be created by Filebeat.
-The default is the primary group name for the user Filebeat is running as.
-This option is ignored on Windows.
-
-[float]
-[id="{beatname_lc}-input-{type}-unix-mode"]
-==== `mode`
-
-The file mode of the Unix socket that will be created by Filebeat. This is
-expected to be a file mode as an octal string. The default value is the system
-default (generally `0755`).
-
-[float]
-[id="{beatname_lc}-input-{type}-unix-framing"]
-==== `framing`
-
-Specify the framing used to split incoming events.  Can be one of
-`delimiter` or `rfc6587`.  `delimiter` uses the characters specified
-in `line_delimiter` to split the incoming events.  `rfc6587` supports
-octet counting and non-transparent framing as described in
-https://tools.ietf.org/html/rfc6587[RFC6587].  `line_delimiter` is
-used to split the events in non-transparent framing.  The default is `delimiter`.
-
-[float]
-[id="{beatname_lc}-input-{type}-unix-line-delimiter"]
-==== `line_delimiter`
-
-Specify the characters used to split the incoming events. The default is '\n'.
-
-[float]
-[id="{beatname_lc}-input-{type}-unix-max-connections"]
-==== `max_connections`
-
-The at most number of connections to accept at any given point in time.
-
-[float]
-[id="{beatname_lc}-input-{type}-unix-timeout"]
-==== `timeout`
-
-The number of seconds of inactivity before a connection is closed. The default is `300s`.
-
-See <<configuration-ssl>> for more information.
diff --git a/filebeat/docs/inputs/input-container.asciidoc b/filebeat/docs/inputs/input-container.asciidoc
deleted file mode 100644
index 14b5be28ccbf..000000000000
--- a/filebeat/docs/inputs/input-container.asciidoc
+++ /dev/null
@@ -1,93 +0,0 @@
-:type: container
-
-[id="{beatname_lc}-input-{type}"]
-=== Container input
-
-deprecated:[7.16.0]
-
-The container input is just a preset for the <<filebeat-input-log,`log`>> input. The <<filebeat-input-log,`log`>> input has been deprecated since 7.16.0, therefore the container input is also deprecated. Please use the <<filebeat-input-filestream,`filestream`>> input and its <<filebeat-input-filestream-parsers-container,`container`>> parser instead.
-
-Example configuration of using the <<filebeat-input-filestream-parsers-container,`container`>> parser with the <<filebeat-input-filestream,`filestream`>> input:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: filestream
-  id: unique-input-id <1>
-  prospector.scanner.symlinks: true <2>
-  parsers:
-    - container:
-        stream: stdout
-        format: docker
-  paths: <3>
-    - '/var/log/containers/*.log'
-----
-
-<1> all <<filebeat-input-filestream,`filestream`>> inputs require a <<filebeat-input-filestream-id,`unique ID`>>.
-<2> container logs use symlinks, so they need to be <<filebeat-input-filestream-prospector-scanner-symlinks,`enabled`>>.
-<3> `paths` is required.
-
-++++
-<titleabbrev>Container</titleabbrev>
-++++
-
-Due to deprecation of this input, it's possible to use it only in combination with the `allow_deprecated_use: true` setting as a part of the input configuration.
-
-This input searches for container logs under the given path, and parse them into
-common message lines, extracting timestamps too. Everything happens before line
-filtering, multiline, and JSON decoding, so this input can be used in
-combination with those settings.
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: container
-  paths: <1>
-    - '/var/log/containers/*.log'
-----
-
-<1> `paths` is required. All other settings are optional.
-
-
-NOTE: '/var/log/containers/*.log' is normally a symlink to '/var/log/pods/*/*/.log',
-so above path can be edited accordingly
-
-
-==== Configuration options
-
-The `container` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-===== `stream`
-
-Reads from the specified streams only: `all`, `stdout` or `stderr`. The default
-is `all`.
-
-===== `format`
-
-Use the given format when reading the log file: `auto`, `docker` or `cri`. The
-default is `auto`, it will automatically detect the format. To disable
-autodetection set any of the other options.
-
-
-The following input configures {beatname_uc} to read the `stdout` stream from
-all containers under the default Kubernetes logs path:
-
-[source,yaml]
-----
-- type: container
-  stream: stdout
-  paths:
-    - "/var/log/containers/*.log"
-----
-
-include::../inputs/input-common-harvester-options.asciidoc[]
-
-include::../inputs/input-common-file-options.asciidoc[]
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/filebeat/docs/inputs/input-filestream-file-options.asciidoc b/filebeat/docs/inputs/input-filestream-file-options.asciidoc
deleted file mode 100644
index 0a1487c48a58..000000000000
--- a/filebeat/docs/inputs/input-filestream-file-options.asciidoc
+++ /dev/null
@@ -1,695 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by Filebeat inputs that use the input
-//// to process files on disk (includes options for managing physical files)
-//// If you add IDs to sections, make sure you use attributes to create
-//// unique IDs for each input that includes this file. Use the format:
-//// [id="{beatname_lc}-input-{type}-option-name"]
-//////////////////////////////////////////////////////////////////////////
-
-[float]
-[id="{beatname_lc}-input-{type}-options"]
-=== Prospector options
-
-The prospector is running a file system watcher which looks for files specified
-in the `paths` option. At the moment only simple file system scanning is
-supported.
-
-[float]
-[id="{beatname_lc}-input-{type}-id"]
-===== `id`
-
-A unique identifier for this filestream input. Each filestream input
-must have a unique ID. Filestream will not start inputs with duplicated IDs.
-
-WARNING: Changing input ID may cause data duplication because the
-state of the files will be lost and they will be read from the
-beginning again.
-
-[float]
-[[filestream-input-allow_deprecated_id_duplication]]
-===== `allow_deprecated_id_duplication`
-
-This allows {beatname_uc} to run multiple instances of the {type}
-input with the same ID. This is intended to add backwards
-compatibility with the behaviour prior to 9.0. It defaults to `false`
-and is **not recommended** in new configurations.
-
-This setting is per input, so make sure to enable it in all {type}
-inputs that use duplicated IDs.
-
-WARNING: Duplicated IDs will lead to data duplication and some input
-instances will not produce any metrics.
-
-[float]
-[[filestream-input-paths]]
-===== `paths`
-
-A list of glob-based paths that will be crawled and fetched. All patterns
-supported by https://golang.org/pkg/path/filepath/#Glob[Go Glob] are also
-supported here. For example, to fetch all files from a predefined level of
-subdirectories, the following pattern can be used: `/var/log/*/*.log`. This
-fetches all `.log` files from the subfolders of `/var/log`. It does not
-fetch log files from the `/var/log` folder itself.
-It is possible to recursively fetch all files in all subdirectories of a directory
-using the optional <<filestream-recursive-glob,`recursive_glob`>> settings.
-
-{beatname_uc} starts a harvester for each file that it finds under the specified
-paths. You can specify one path per line. Each line begins with a dash (-).
-
-==== Scanner options
-
-The scanner watches the configured paths. It scans the file system periodically
-and returns the file system events to the Prospector.
-
-[float]
-[[filestream-recursive-glob]]
-===== `prospector.scanner.recursive_glob`
-
-Enable expanding `**` into recursive glob patterns. With this feature enabled,
-the rightmost `**` in each path is expanded into a fixed number of glob
-patterns. For example: `/foo/**` expands to `/foo`, `/foo/*`, `/foo/*/*`, and so
-on. If enabled it expands a single `**` into a 8-level deep `*` pattern.
-
-This feature is enabled by default. Set `prospector.scanner.recursive_glob` to false to
-disable it.
-
-[float]
-[id="{beatname_lc}-input-{type}-exclude-files"]
-===== `prospector.scanner.exclude_files`
-
-A list of regular expressions to match the files that you want {beatname_uc} to
-ignore. By default no files are excluded.
-
-The following example configures {beatname_uc} to ignore all the files that have
-a `gz` extension:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: {type}
-  ...
-  prospector.scanner.exclude_files: ['\.gz$']
-----
-
-See <<regexp-support>> for a list of supported regexp patterns.
-
-===== `prospector.scanner.include_files`
-
-A list of regular expressions to match the files that you want {beatname_uc} to
-include. If a list of regexes is provided, only the files that are allowed by
-the patterns are harvested.
-
-By default no files are excluded. This option is the counterpart of
-`prospector.scanner.exclude_files`.
-
-The following example configures {beatname_uc} to exclude files that
-are not under `/var/log`:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: {type}
-  ...
-  prospector.scanner.include_files: ['^/var/log/.*']
-----
-
-NOTE: Patterns should start with `^` in case of absolute paths.
-
-See <<regexp-support>> for a list of supported regexp patterns.
-
-[id="{beatname_lc}-input-{type}-prospector-scanner-symlinks"]
-===== `prospector.scanner.symlinks`
-
-The `symlinks` option allows {beatname_uc} to harvest symlinks in addition to
-regular files. When harvesting symlinks, {beatname_uc} opens and reads the
-original file even though it reports the path of the symlink.
-
-When you configure a symlink for harvesting, make sure the original path is
-excluded. If a single input is configured to harvest both the symlink and
-the original file, {beatname_uc} will detect the problem and only process the
-first file it finds. However, if two different inputs are configured (one
-to read the symlink and the other the original path), both paths will be
-harvested, causing {beatname_uc} to send duplicate data and the inputs to
-overwrite each other's state.
-
-The `symlinks` option can be useful if symlinks to the log files have additional
-metadata in the file name, and you want to process the metadata in Logstash.
-This is, for example, the case for Kubernetes log files.
-
-Because this option may lead to data loss, it is disabled by default.
-
-===== `prospector.scanner.resend_on_touch`
-
-If this option is enabled a file is resent if its size has not changed
-but its modification time has changed to a later time than before.
-It is disabled by default to avoid accidentally resending files.
-
-
-[float]
-[id="{beatname_lc}-input-{type}-scan-frequency"]
-===== `prospector.scanner.check_interval`
-
-How often {beatname_uc} checks for new files in the paths that are specified
-for harvesting. For example, if you specify a glob like `/var/log/*`, the
-directory is scanned for files using the frequency specified by
-`check_interval`. Specify 1s to scan the directory as frequently as possible
-without causing {beatname_uc} to scan too frequently. We do not recommend to set
-this value `<1s`.
-
-If you require log lines to be sent in near real time do not use a very low
-`check_interval` but adjust `close.on_state_change.inactive` so the file handler
-stays open and constantly polls your files.
-
-The default setting is 10s.
-
-[float]
-[id="{beatname_lc}-input-{type}-scan-fingerprint"]
-===== `prospector.scanner.fingerprint`
-
-Instead of relying on the device ID and inode values when comparing
-files, compare hashes of the given byte ranges of files. This is the
-default behaviour for {beatname_uc}.
-
-Following are some scenarios where this can happen:
-
-. Some file systems (i.e. in Docker) cache and re-use inodes
-+
-for example if you:
-+
-.. Create a file (`touch x`)
-.. Check the file's inode (`ls -i x`)
-.. Delete the file (`rm x`)
-.. Create a new file right away (`touch y`)
-.. Check the inode of the new file (`ls -i y`)
-+
-
-For both files you might see the same inode value despite even having different filenames.
-+
-. Non-Ext file systems can change inodes:
-+
-Ext file systems store the inode number in the `i_ino` file, inside a struct `inode`, which is written to disk. In this case, if the file is the same (not another file with the same name) then the inode number is guaranteed to be the same.
-+
-If the file system is other than Ext, the inode number is generated by the inode operations defined by the file system driver. As they don't have the concept of what an inode is, they have to mimic all of the inode's internal fields to comply with VFS, so this number will probably be different after a reboot, even after closing and opening the file again (theoretically).
-+
-. Some file processing tools change inode values
-+
-Sometimes users unintentionally change inodes by using tools like `rsync` or `sed`.
-+
-. Some operating systems change device IDs after reboot
-+
-Depending on a mounting approach, the device ID (which is also used for comparing files) might change after a reboot.
-
-**Configuration**
-
-Fingerprint mode is disabled by default.
-
-WARNING: Enabling fingerprint mode delays ingesting new files until they grow to at least `offset`+`length` bytes in size, so they can be fingerprinted. Until then these files are ignored.
-
-Normally, log lines contain timestamps and other unique fields that should be able to use the fingerprint mode,
-but in every use-case users should inspect their logs to determine what are the appropriate values for
-the `offset` and `length` parameters. Default `offset` is `0` and default `length` is `1024` or 1 KB. `length` cannot be less than `64`.
-
-[source,yaml]
-----
-fingerprint:
-  enabled: false
-  offset: 0
-  length: 1024
-----
-
-
-[float]
-[id="{beatname_lc}-input-{type}-ignore-older"]
-===== `ignore_older`
-
-If this option is enabled, {beatname_uc} ignores any files that were modified
-before the specified timespan. Configuring `ignore_older` can be especially
-useful if you keep log files for a long time. For example, if you want to start
-{beatname_uc}, but only want to send the newest files and files from last week,
-you can configure this option.
-
-You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is 0,
-which disables the setting. Commenting out the config has the same effect as
-setting it to 0.
-
-IMPORTANT: You must set `ignore_older` to be greater than `close.on_state_change.inactive`.
-
-The files affected by this setting fall into two categories:
-
-* Files that were never harvested
-* Files that were harvested but weren't updated for longer than `ignore_older`
-
-For files which were never seen before, the offset state is set to the end of
-the file. If a state already exists, the offset is reset to the size of the file.
-If a file is updated again later, reading continues at the set offset position.
-
-The `ignore_older` setting relies on the modification time of the file to
-determine if a file is ignored. If the modification time of the file is not
-updated when lines are written to a file (which can happen on Windows), the
-`ignore_older` setting may cause {beatname_uc} to ignore files even though
-content was added at a later time.
-
-To remove the state of previously harvested files from the registry file, use
-the `clean_inactive` configuration option.
-
-Before a file can be ignored by {beatname_uc}, the file must be closed. To
-ensure a file is no longer being harvested when it is ignored, you must set
-`ignore_older` to a longer duration than `close.on_state_change.inactive`.
-
-If a file that's currently being harvested falls under `ignore_older`, the
-harvester will first finish reading the file and close it after
-`close.on_state_change.inactive` is reached. Then, after that, the file will be ignored.
-
-[float]
-[id="{beatname_lc}-input-{type}-ignore-inactive"]
-===== `ignore_inactive`
-
-If this option is enabled, {beatname_uc} ignores every file that has not been
-updated since the selected time. Possible options are `since_first_start` and
-`since_last_start`. The first option ignores every file that has not been updated since
-the first start of {beatname_uc}. It is useful when the Beat might be restarted
-due to configuration changes or a failure. The second option tells
-the Beat to read from files that have been updated since its start.
-
-The files affected by this setting fall into two categories:
-
-* Files that were never harvested
-* Files that were harvested but weren't updated since `ignore_inactive`.
-
-For files that were never seen before, the offset state is set to the end of
-the file. If a state already exist, the offset is not changed. In case a file is
-updated again later, reading continues at the set offset position.
-
-The setting relies on the modification time of the file to
-determine if a file is ignored. If the modification time of the file is not
-updated when lines are written to a file (which can happen on Windows), the
-setting may cause {beatname_uc} to ignore files even though content was added
-at a later time.
-
-To remove the state of previously harvested files from the registry file, use
-the `clean_inactive` configuration option.
-
-[float]
-[id="{beatname_lc}-input-{type}-take-over"]
-===== `take_over`
-
-If `take_over` is set to `true`, this `filestream` will take over all files
-from `log` inputs if they match at least one of the `paths` set in the `filestream`.
-
-IMPORTANT: `take_over: true` requires the `filestream` to have a unique ID.
-
-This `take over` mode was created to enable smooth migration from deprecated `log`
-inputs to the new `filestream` inputs.
-
-See <<migrate-to-filestream>> for more details about the migration process.
-
-WARNING: The `take over` mode is still in beta, however, it's manually reversible
-due to backups created in the <<configuration-global-options,`registry.path/filebeat` directory>>
-and should be generally safe to use.
-
-[float]
-[id="{beatname_lc}-input-{type}-close-options"]
-===== `close.*`
-
-The `close.*` configuration options are used to close the harvester after a
-certain criteria or time. Closing the harvester means closing the file handler.
-If a file is updated after the harvester is closed, the file will be picked up
-again after `prospector.scanner.check_interval` has elapsed. However, if the file
-is moved or deleted while the harvester is closed, {beatname_uc} will not be able
-to pick up the file again, and any data that the harvester hasn't read will be lost.
-
-The `close.on_state_change.*` settings are applied asynchronously
-to read from a file, meaning that if {beatname_uc} is in a blocked state
-due to blocked output, full queue or other issue, a file that would be
-closed regardless.
-
-
-[float]
-[id="{beatname_lc}-input-{type}-close-inactive"]
-===== `close.on_state_change.inactive`
-
-When this option is enabled, {beatname_uc} closes the file handle if a file has
-not been harvested for the specified duration. The counter for the defined
-period starts when the last log line was read by the harvester. It is not based
-on the modification time of the file. If the closed file changes again, a new
-harvester is started and the latest changes will be picked up after
-`prospector.scanner.check_interval` has elapsed.
-
-We recommended that you set `close.on_state_change.inactive` to a value that is
-larger than the least frequent updates to your log files. For example, if your
-log files get updated every few seconds, you can safely set
-`close.on_state_change.inactive` to `1m`. If there are log files with very
-different update rates, you can use multiple configurations with different values.
-
-Setting `close.on_state_change.inactive` to a lower value means that file handles
-are closed sooner. However this has the side effect that new log lines are not
-sent in near real time if the harvester is closed.
-
-The timestamp for closing a file does not depend on the modification time of the
-file. Instead, {beatname_uc} uses an internal timestamp that reflects when the
-file was last harvested. For example, if `close.on_state_change.inactive` is set
-to 5 minutes, the countdown for the 5 minutes starts after the harvester reads the
-last line of the file.
-
-You can use time strings like 2h (2 hours) and 5m (5 minutes). The default is
-5m.
-
-[float]
-[id="{beatname_lc}-input-{type}-close-renamed"]
-===== `close.on_state_change.renamed`
-
-WARNING: Only use this option if you understand that data loss is a potential
-side effect.
-
-When this option is enabled, {beatname_uc} closes the file handler when a file
-is renamed. This happens, for example, when rotating files. By default, the
-harvester stays open and keeps reading the file because the file handler does
-not depend on the file name. If the `close.on_state_change.renamed` option is
-enabled and the file is renamed or moved in such a way that it's no longer
-matched by the file patterns specified for the , the file will not be picked
-up again. {beatname_uc} will not finish reading the file.
-
-Do not use this option when `path` based `file_identity` is configured. It does
-not make sense to enable the option, as Filebeat cannot detect renames using
-path names as unique identifiers.
-
-WINDOWS: If your Windows log rotation system shows errors because it can't
-rotate the files, you should enable this option.
-
-[float]
-[id="{beatname_lc}-input-{type}-close-removed"]
-===== `close.on_state_change.removed`
-
-When this option is enabled, {beatname_uc} closes the harvester when a file is
-removed. Normally a file should only be removed after it's inactive for the
-duration specified by `close.on_state_change.inactive`. However, if a file is
-removed early and you don't enable `close.on_state_change.removed`, {beatname_uc}
-keeps the file open to make sure the harvester has completed. If this setting
-results in files that are not completely read because they are removed from
-disk too early, disable this option.
-
-This option is enabled by default. If you disable this option, you must also
-disable `clean_removed`.
-
-WINDOWS: If your Windows log rotation system shows errors because it can't
-rotate files, make sure this option is enabled.
-
-[float]
-[id="{beatname_lc}-input-{type}-close-eof"]
-===== `close.reader.on_eof`
-
-WARNING: Only use this option if you understand that data loss is a potential
-side effect.
-
-When this option is enabled, {beatname_uc} closes a file as soon as the end of a
-file is reached. This is useful when your files are only written once and not
-updated from time to time. For example, this happens when you are writing every
-single log event to a new file. This option is disabled by default.
-
-[float]
-[id="{beatname_lc}-input-{type}-close-timeout"]
-===== `close.reader.after_interval`
-
-WARNING: Only use this option if you understand that data loss is a potential
-side effect. Another side effect is that multiline events might not be
-completely sent before the timeout expires.
-
-When this option is enabled, {beatname_uc} gives every harvester a predefined
-lifetime. Regardless of where the reader is in the file, reading will stop after
-the `close.reader.after_interval` period has elapsed. This option can be useful for older log
-files when you want to spend only a predefined amount of time on the files.
-While `close.reader.after_interval` will close the file after the predefined timeout, if the
-file is still being updated, {beatname_uc} will start a new harvester again per
-the defined `prospector.scanner.check_interval`. And the close.reader.after_interval for this harvester will
-start again with the countdown for the timeout.
-
-This option is particularly useful in case the output is blocked, which makes
-{beatname_uc} keep open file handlers even for files that were deleted from the
-disk. Setting `close.reader.after_interval` to `5m` ensures that the files are periodically
-closed so they can be freed up by the operating system.
-
-If you set `close.reader.after_interval` to equal `ignore_older`, the file will not be picked
-up if it's modified while the harvester is closed. This combination of settings
-normally leads to data loss, and the complete file is not sent.
-
-When you use `close.reader.after_interval` for logs that contain multiline events, the
-harvester might stop in the middle of a multiline event, which means that only
-parts of the event will be sent. If the harvester is started again and the file
-still exists, only the second part of the event will be sent.
-
-This option is set to 0 by default which means it is disabled.
-
-
-[float]
-[id="{beatname_lc}-input-{type}-clean-options"]
-===== `clean_*`
-
-The `clean_*` options are used to clean up the state entries in the registry
-file. These settings help to reduce the size of the registry file and can
-prevent a potential <<inode-reuse-issue,inode reuse issue>>.
-
-[float]
-[id="{beatname_lc}-input-{type}-clean-inactive"]
-===== `clean_inactive`
-
-WARNING: Only use this option if you understand that data loss is a potential
-side effect.
-
-When this option is enabled, {beatname_uc} removes the state of a file after the
-specified period of inactivity has elapsed. The state can only be removed if
-the file is already ignored by {beatname_uc} (the file is older than
-`ignore_older`). The `clean_inactive` setting must be greater than `ignore_older +
-prospector.scanner.check_interval` to make sure that no states are removed while a file is still
-being harvested. Otherwise, the setting could result in {beatname_uc} resending
-the full content constantly because `clean_inactive` removes state for files
-that are still detected by {beatname_uc}. If a file is updated or appears
-again, the file is read from the beginning.
-
-The `clean_inactive` configuration option is useful to reduce the size of the
-registry file, especially if a large amount of new files are generated every
-day.
-
-This config option is also useful to prevent {beatname_uc} problems resulting
-from inode reuse on Linux. For more information, see <<inode-reuse-issue>>.
-
-NOTE: Every time a file is renamed, the file state is updated and the counter
-for `clean_inactive` starts at 0 again.
-
-TIP: During testing, you might notice that the registry contains state entries
-that should be removed based on the `clean_inactive` setting. This happens
-because {beatname_uc} doesn't remove the entries until the registry garbage
-collector (GC) runs. Once the TTL for a state expired, there are no active
-harvesters for the file and the registry GC runs, then, and only then
-the state is removed from memory and an `op: remove` is added to the registry
-log file.
-
-[float]
-[id="{beatname_lc}-input-{type}-clean-removed"]
-===== `clean_removed`
-
-When this option is enabled, {beatname_uc} cleans files from the registry if
-they cannot be found on disk anymore under the last known name. This means also
-files which were renamed after the harvester was finished will be removed. This
-option is enabled by default.
-
-If a shared drive disappears for a short period and appears again, all files
-will be read again from the beginning because the states were removed from the
-registry file. In such cases, we recommend that you disable the `clean_removed`
-option.
-
-You must disable this option if you also disable `close.on_state_change.removed`.
-
-[float]
-===== `backoff.*`
-
-The backoff options specify how aggressively {beatname_uc} crawls open files for
-updates. You can use the default values in most cases.
-
-
-[float]
-===== `backoff.init`
-
-The `backoff.init` option defines how long {beatname_uc} waits for the first time
-before checking a file again after EOF is reached. The backoff intervals increase exponentially.
-The default is 2s. Thus, the file is checked after 2 seconds, then 4 seconds,
-then 8 seconds and so on until it reaches the limit defined in `backoff.max`.
-Every time a new line appears in the file, the `backoff.init` value is reset to the
-initial value.
-
-[float]
-===== `backoff.max`
-
-The maximum time for {beatname_uc} to wait before checking a file again after
-EOF is reached. After having backed off multiple times from checking the file,
-the wait time will never exceed `backoff.max`.
-Because it takes a maximum of 10s to read a new line,
-specifying 10s for `backoff.max` means that, at the worst, a new line could be
-added to the log file if {beatname_uc} has backed off multiple times. The
-default is 10s.
-
-Requirement: Set `backoff.max` to be greater than or equal to `backoff.init` and
-less than or equal to `prospector.scanner.check_interval`
-(`backoff.init <= backoff.max <= prospector.scanner.check_interval`).
-If `backoff.max` needs to be higher, it is recommended to close the file handler
-instead and let {beatname_uc} pick up the file again.
-
-[float]
-[id="{beatname_lc}-input-{type}-harvester-limit"]
-===== `harvester_limit`
-
-The `harvester_limit` option limits the number of harvesters that are started in
-parallel for one input. This directly relates to the maximum number of file
-handlers that are opened. The default for `harvester_limit` is 0, which means
-there is no limit. This configuration is useful if the number of files to be
-harvested exceeds the open file handler limit of the operating system.
-
-Setting a limit on the number of harvesters means that potentially not all files
-are opened in parallel. Therefore we recommended that you use this option in
-combination with the `close.on_state_change.*` options to make sure
-harvesters are stopped more often so that new files can be picked up.
-
-Currently if a new harvester can be started again, the harvester is picked
-randomly. This means it's possible that the harvester for a file that was just
-closed and then updated again might be started instead of the harvester for a
-file that hasn't been harvested for a longer period of time.
-
-This configuration option applies per input. You can use this option to
-indirectly set higher priorities on certain inputs by assigning a higher
-limit of harvesters.
-
-[float]
-[id="{beatname_lc}-input-{type}-file-identity"]
-===== `file_identity`
-
-Different `file_identity` methods can be configured to suit the
-environment where you are collecting log messages.
-
-IMPORTANT: Changing `file_identity` is only supported from `native` or
-`path` to `fingerprint`. On those cases {beatname_uc} will
-automatically migrate the state of the file when {type} starts.
-
-WARNING: Any unsupported change in `file_identity` methods between
-runs may result in duplicated events in the output.
-
-[id="{beatname_lc}-input-{type}-file-identity-fingerprint"]
-*`fingerprint`*:: The default behaviour of {beatname_uc} is to
-identify files based on content by hashing a specific range (0 to 1024
-bytes by default).
-
-WARNING: In order to use this file identity option, you must enable
-the <<{beatname_lc}-input-filestream-scan-fingerprint,fingerprint
-option in the scanner>>. Once this file identity is enabled, changing
-the fingerprint configuration (offset, length, or other settings) will
-lead to a global re-ingestion of all files that match the paths
-configuration of the input.
-
-Please refer to the
-<<{beatname_lc}-input-filestream-scan-fingerprint,fingerprint
-configuration for details>>.
-
-[source,yaml]
-----
-file_identity.fingerprint: ~
-----
-
-*`native`*:: Differentiates between files using their inodes and
-device ids.
-+
-In some cases these values can change during the lifetime of a file. 
-For example, when using the Linux
-link:https://en.wikipedia.org/wiki/Logical_Volume_Manager_%28Linux%29[LVM]
-(Logical Volume Manager), device numbers are allocated dynamically at
-module load (refer to
-link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/logical_volume_manager_administration/lv#persistent_numbers[Persistent
-Device Numbers] in the Red Hat Enterprise Linux documentation). To
-avoid the possibility of data duplication in this case, you can set
-`file_identity` to `fingerprint` rather than the default `native`.
-+
-The states of files generated by `native` file identity can be migrated to `fingerprint`.
-
-[source,yaml]
-----
-file_identity.native: ~
-----
-
-*`path`*:: To identify files based on their paths use this strategy.
-+
-WARNING: Only use this strategy if your log files are rotated to a folder
-outside of the scope of your input or not at all. Otherwise you end up
-with duplicated events.
-+
-WARNING: This strategy does not support renaming files.
-If an input file is renamed, {beatname_uc} will read it again if the new path
-matches the settings of the input.
-+
-The states of files generated by `path` file identity can be migrated to `fingerprint`.
-
-[source,yaml]
-----
-file_identity.path: ~
-----
-
-*`inode_marker`*:: If the device id changes from time to time, you must use
-this method to distinguish files. This option is not supported on Windows.
-+
-Set the location of the marker file the following way:
-
-[source,yaml]
-----
-file_identity.inode_marker.path: /logs/.filebeat-marker
-----
-
-[[filestream-log-rotation-support]]
-[float]
-=== Log rotation
-
-As log files are constantly written, they must be rotated and purged to prevent
-the logger application from filling up the disk. Rotation is done by an external
-application, thus, {beatname_uc} needs information how to cooperate with it.
-
-When reading from rotating files make sure the paths configuration includes
-both the active file and all rotated files.
-
-By default, {beatname_uc} is able to track files correctly in the following strategies:
-
-* create: new active file with a unique name is created on rotation
-* rename: rotated files are renamed
-
-However, in case of copytruncate strategy, you should provide additional configuration
-to {beatname_uc}.
-
-[float]
-==== rotation.external.strategy.copytruncate
-
-experimental[]
-
-If the log rotating application copies the contents of the active file and then
-truncates the original file, use these options to help {beatname_uc} to read files
-correctly.
-
-Set the option `suffix_regex` so {beatname_uc} can tell active and rotated files apart. There are
-two supported suffix types in the input: numberic and date.
-
-==== Numeric suffix
-
-If your rotated files have an incrementing index appended to the end of the filename, e.g.
-active file `apache.log` and the rotated files are named `apache.log.1`, `apache.log.2`, etc,
-use the following configuration.
-
-[source,yaml]
----
-rotation.external.strategy.copytruncate:
-  suffix_regex: \.\d$
----
-
-==== Date suffix
-
-If the rotation date is appended to the end of the filename, e.g. active file `apache.log` and the
-rotated files are named `apache.log-20210526`, `apache.log-20210527`, etc. use the following configuration:
-
-[source,yaml]
----
-rotation.external.strategy.copytruncate:
-  suffix_regex: \-\d{6}$
-  dateformat: -20060102
----
diff --git a/filebeat/docs/inputs/input-filestream-reader-options.asciidoc b/filebeat/docs/inputs/input-filestream-reader-options.asciidoc
deleted file mode 100644
index 55f084f7f148..000000000000
--- a/filebeat/docs/inputs/input-filestream-reader-options.asciidoc
+++ /dev/null
@@ -1,345 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by Filebeat inputs that use the input
-//// but do not process files (the options for managing files
-//// on disk are not relevant)
-//// If you add IDs to sections, make sure you use attributes to create
-//// unique IDs for each input that includes this file. Use the format:
-//// [id="{beatname_lc}-input-{type}-option-name"]
-//////////////////////////////////////////////////////////////////////////
-
-[float]
-===== `encoding`
-
-The file encoding to use for reading data that contains international
-characters. See the encoding names http://www.w3.org/TR/encoding/[recommended by
-the W3C for use in HTML5].
-
-Valid encodings:
-
-	* `plain`: plain ASCII encoding
-	* `utf-8` or `utf8`: UTF-8 encoding
-	* `gbk`: simplified Chinese charaters
-	* `iso8859-6e`: ISO8859-6E, Latin/Arabic
-	* `iso8859-6i`: ISO8859-6I, Latin/Arabic
-	* `iso8859-8e`: ISO8859-8E, Latin/Hebrew
-	* `iso8859-8i`: ISO8859-8I, Latin/Hebrew
-	* `iso8859-1`: ISO8859-1, Latin-1
-	* `iso8859-2`: ISO8859-2, Latin-2
-	* `iso8859-3`: ISO8859-3, Latin-3
-	* `iso8859-4`: ISO8859-4, Latin-4
-	* `iso8859-5`: ISO8859-5, Latin/Cyrillic
-	* `iso8859-6`: ISO8859-6, Latin/Arabic
-	* `iso8859-7`: ISO8859-7, Latin/Greek
-	* `iso8859-8`: ISO8859-8, Latin/Hebrew
-	* `iso8859-9`: ISO8859-9, Latin-5
-	* `iso8859-10`: ISO8859-10, Latin-6
-	* `iso8859-13`: ISO8859-13, Latin-7
-	* `iso8859-14`: ISO8859-14, Latin-8
-	* `iso8859-15`: ISO8859-15, Latin-9
-	* `iso8859-16`: ISO8859-16, Latin-10
-	* `cp437`: IBM CodePage 437
-	* `cp850`: IBM CodePage 850
-	* `cp852`: IBM CodePage 852
-	* `cp855`: IBM CodePage 855
-	* `cp858`: IBM CodePage 858
-	* `cp860`: IBM CodePage 860
-	* `cp862`: IBM CodePage 862
-	* `cp863`: IBM CodePage 863
-	* `cp865`: IBM CodePage 865
-	* `cp866`: IBM CodePage 866
-	* `ebcdic-037`: IBM CodePage 037
-	* `ebcdic-1040`: IBM CodePage 1140
-	* `ebcdic-1047`: IBM CodePage 1047
-	* `koi8r`: KOI8-R, Russian (Cyrillic)
-	* `koi8u`: KOI8-U, Ukranian (Cyrillic)
-	* `macintosh`: Macintosh encoding
-	* `macintosh-cyrillic`: Macintosh Cyrillic encoding
-	* `windows1250`: Windows1250, Central and Eastern European
-	* `windows1251`: Windows1251, Russian, Serbian (Cyrillic)
-	* `windows1252`: Windows1252, Legacy
-	* `windows1253`: Windows1253, Modern Greek
-	* `windows1254`: Windows1254, Turkish
-	* `windows1255`: Windows1255, Hebrew
-	* `windows1256`: Windows1256, Arabic
-	* `windows1257`: Windows1257, Estonian, Latvian, Lithuanian
-	* `windows1258`: Windows1258, Vietnamese
-	* `windows874`:  Windows874, ISO/IEC 8859-11, Latin/Thai
-	* `utf-16-bom`: UTF-16 with required BOM
-	* `utf-16be-bom`: big endian UTF-16 with required BOM
-	* `utf-16le-bom`: little endian UTF-16 with required BOM
-
-The `plain` encoding is special, because it does not validate or transform any input.
-
-[float]
-[id="{beatname_lc}-input-{type}-exclude-lines"]
-===== `exclude_lines`
-
-A list of regular expressions to match the lines that you want {beatname_uc} to
-exclude. {beatname_uc} drops any lines that match a regular expression in the
-list. By default, no lines are dropped. Empty lines are ignored.
-
-The following example configures {beatname_uc} to drop any lines that start with
-`DBG`.
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: {type}
-  ...
-  exclude_lines: ['^DBG']
-----
-
-See <<regexp-support>> for a list of supported regexp patterns.
-
-[float]
-[id="{beatname_lc}-input-{type}-include-lines"]
-===== `include_lines`
-
-A list of regular expressions to match the lines that you want {beatname_uc} to
-include. {beatname_uc} exports only the lines that match a regular expression in
-the list. By default, all lines are exported. Empty lines are ignored.
-
-The following example configures {beatname_uc} to export any lines that start
-with `ERR` or `WARN`:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: {type}
-  ...
-  include_lines: ['^ERR', '^WARN']
-----
-
-NOTE: If both `include_lines` and `exclude_lines` are defined, {beatname_uc}
-executes `include_lines` first and then executes `exclude_lines`. The order in
-which the two options are defined doesn't matter. The `include_lines` option
-will always be executed before the `exclude_lines` option, even if
-`exclude_lines` appears before `include_lines` in the config file.
-
-The following example exports all log lines that contain `sometext`,
-except for lines that begin with `DBG` (debug messages):
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: {type}
-  ...
-  include_lines: ['sometext']
-  exclude_lines: ['^DBG']
-----
-
-See <<regexp-support>> for a list of supported regexp patterns.
-
-[float]
-===== `buffer_size`
-
-The size in bytes of the buffer that each harvester uses when fetching a file.
-The default is 16384.
-
-[float]
-===== `message_max_bytes`
-
-The maximum number of bytes that a single log message can have. All bytes after
-`message_max_bytes` are discarded and not sent. The default is 10MB (10485760).
-
-[float]
-===== `parsers`
-
-This option expects a list of parsers that the log line has to go through.
-
-Available parsers:
-
-* `multiline`
-* `ndjson`
-* `container`
-* `syslog`
-* `include_message`
-
-In this example, {beatname_uc} is reading multiline messages that consist of 3 lines
-and are encapsulated in single-line JSON objects.
-The multiline message is stored under the key `msg`.
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: {type}
-  ...
-  parsers:
-    - ndjson:
-        target: ""
-        message_key: msg
-    - multiline:
-        type: count
-        count_lines: 3
-----
-
-See the available parser settings in detail below.
-
-[float]
-===== `multiline`
-
-Options that control how {beatname_uc} deals with log messages that span
-multiple lines. See <<multiline-examples>> for more information about
-configuring multiline options.
-
-[float]
-[id="{beatname_lc}-input-{type}-ndjson"]
-===== `ndjson`
-
-These options make it possible for {beatname_uc} to decode logs structured as
-JSON messages. {beatname_uc} processes the logs line by line, so the JSON
-decoding only works if there is one JSON object per message.
-
-The decoding happens before line filtering. You can combine JSON
-decoding with filtering if you set the `message_key` option. This
-can be helpful in situations where the application logs are wrapped in JSON
-objects, like when using Docker.
-
-Example configuration:
-
-[source,yaml]
-----
-- ndjson:
-    target: ""
-    add_error_key: true
-    message_key: log
-----
-
-*`target`*:: The name of the new JSON object that should contain the parsed key value pairs. If you
-leave it empty, the new keys will go under root.
-
-*`overwrite_keys`*:: Values from the decoded JSON object overwrite the fields that {beatname_uc}
-normally adds (type, source, offset, etc.) in case of conflicts. Disable it if you want
-to keep previously added values.
-
-*`expand_keys`*:: If this setting is enabled, {beatname_uc} will recursively
-de-dot keys in the decoded JSON, and expand them into a hierarchical object
-structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`.
-This setting should be enabled when the input is produced by an
-https://github.com/elastic/ecs-logging[ECS logger].
-
-*`add_error_key`*:: If this setting is enabled, {beatname_uc} adds an
-"error.message" and "error.type: json" key in case of JSON unmarshalling errors
-or when a `message_key` is defined in the configuration but cannot be used.
-
-*`message_key`*:: An optional configuration setting that specifies a JSON key on
-which to apply the line filtering and multiline settings. If specified the key
-must be at the top level in the JSON object and the value associated with the
-key must be a string, otherwise no filtering or multiline aggregation will
-occur.
-
-*`document_id`*:: Option configuration setting that specifies the JSON key to
-set the document id. If configured, the field will be removed from the original
-JSON document and stored in `@metadata._id`
-
-*`ignore_decoding_error`*:: An optional configuration setting that specifies if
-JSON decoding errors should be logged or not. If set to true, errors will not
-be logged. The default is false.
-
-[float]
-[id="{beatname_lc}-input-{type}-parsers-container"]
-===== `container`
-
-Use the `container` parser to extract information from  containers log files.
-It parses lines into common message lines, extracting timestamps too.
-
-*`stream`*:: Reads from the specified streams only: `all`, `stdout` or `stderr`. The default
-is `all`.
-
-*`format`*:: Use the given format when parsing logs: `auto`, `docker` or `cri`. The
-default is `auto`, it will automatically detect the format. To disable
-autodetection set any of the other options.
-
-The following snippet configures {beatname_uc} to read the `stdout` stream from
-all containers under the default Kubernetes logs path:
-
-[source,yaml]
-----
-  paths:
-    - "/var/log/containers/*.log"
-  parsers:
-    - container:
-        stream: stdout
-----
-
-[float]
-===== `syslog`
-
-The `syslog` parser parses RFC 3146 and/or RFC 5424 formatted syslog messages.
-
-The supported configuration options are:
-
-*`format`*:: (Optional) The syslog format to use, `rfc3164`, or `rfc5424`. To automatically
-detect the format from the log entries, set this option to `auto`. The default is `auto`.
-
-*`timezone`*:: (Optional) IANA time zone name(e.g. `America/New York`) or a
-fixed time offset (e.g. +0200) to use when parsing syslog timestamps that do not contain
-a time zone. `Local` may be specified to use the machine's local time zone. Defaults to `Local`.
-
-*`log_errors`*:: (Optional) If `true` the parser will log syslog parsing errors. Defaults to `false`.
-
-*`add_error_key`*:: (Optional) If this setting is enabled, the parser adds or appends to an
-`error.message` key with the parsing error that was encountered. Defaults to `true`.
-
-Example configuration:
-
-[source,yaml]
--------------------------------------------------------------------------------
-- syslog:
-    format: rfc3164
-    timezone: America/Chicago
-    log_errors: true
-    add_error_key: true
--------------------------------------------------------------------------------
-
-*Timestamps*
-
-The RFC 3164 format accepts the following forms of timestamps:
-
-* Local timestamp (`Mmm dd hh:mm:ss`):
-** `Jan 23 14:09:01`
-* RFC-3339*:
-** `2003-10-11T22:14:15Z`
-** `2003-10-11T22:14:15.123456Z`
-** `2003-10-11T22:14:15-06:00`
-** `2003-10-11T22:14:15.123456-06:00`
-
-*Note*: The local timestamp (for example, `Jan 23 14:09:01`) that accompanies an
-RFC 3164 message lacks year and time zone information. The time zone will be enriched
-using the `timezone` configuration option, and the year will be enriched using the
-{beatname_uc} system's local time (accounting for time zones). Because of this, it is possible
-for messages to appear in the future. An example of when this might happen is logs
-generated on December 31 2021 are ingested on January 1 2022. The logs would be enriched
-with the year 2022 instead of 2021.
-
-The RFC 5424 format accepts the following forms of timestamps:
-
-* RFC-3339:
-** `2003-10-11T22:14:15Z`
-** `2003-10-11T22:14:15.123456Z`
-** `2003-10-11T22:14:15-06:00`
-** `2003-10-11T22:14:15.123456-06:00`
-
-Formats with an asterisk (*) are a non-standard allowance.
-
-[float]
-===== `include_message`
-
-Use the `include_message` parser to filter messages in the parsers pipeline. Messages that
-match the provided pattern are passed to the next parser, the others are dropped.
-
-You should use `include_message` instead of `include_lines` if you would like to
-control when the filtering happens. `include_lines` runs after the parsers, `include_message`
-runs in the parsers pipeline.
-
-*`patterns`*:: List of regexp patterns to match.
-
-This example shows you how to include messages that start with the string ERR or WARN:
-
-[source,yaml]
-----
-  paths:
-    - "/var/log/containers/*.log"
-  parsers:
-    - include_message.patterns: ["^ERR", "^WARN"]
-----
\ No newline at end of file
diff --git a/filebeat/docs/inputs/input-filestream.asciidoc b/filebeat/docs/inputs/input-filestream.asciidoc
deleted file mode 100644
index e845239d7862..000000000000
--- a/filebeat/docs/inputs/input-filestream.asciidoc
+++ /dev/null
@@ -1,199 +0,0 @@
-:type: filestream
-
-[id="{beatname_lc}-input-{type}"]
-=== filestream input
-
-++++
-<titleabbrev>filestream</titleabbrev>
-++++
-
-Use the `filestream` input to read lines from active log files. It is the
-new, improved alternative to the `log` input. It comes with various improvements
-to the existing input:
-
-1. Checking of `close.on_state_change.*` options happens out of
-band. Thus, if an output is blocked, {beatname_uc} can close the
-reader and avoid keeping too many files open.
-
-2. Detailed metrics are available for all files that match the `paths` configuration
-regardless of the `harvester_limit`. This way, you can keep track of all files,
-even ones that are not actively read.
-
-3. The order of `parsers` is configurable. So it is possible to parse JSON lines and then
-aggregate the contents into a multiline event.
-
-4. Some position updates and metadata changes no longer depend on the publishing pipeline.
-If the pipeline is blocked some changes are still applied to the registry.
-
-5. Only the most recent updates are serialized to the registry. In contrast, the `log` input
-has to serialize the complete registry on each ACK from the outputs. This makes the registry updates
-much quicker with this input.
-
-6. The input ensures that only offsets updates are written to the registry append only log.
-The `log` writes the complete file state.
-
-7. Stale entries can be removed from the registry, even if there is no active input.
-
-8. The default behaviour is to identify files based on their contents
-using the <<filebeat-input-filestream-file-identity-fingerprint,
-`fingerprint`>> <<filebeat-input-filestream-file-identity,
-`file_identity`>> This solves data duplication caused by inode reuse.
-
-To configure this input, specify a list of glob-based <<filestream-input-paths,`paths`>>
-that must be crawled to locate and fetch the log lines.
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: filestream
-  id: my-filestream-id
-  paths:
-    - /var/log/messages
-    - /var/log/*.log
-----
-
-WARNING: Each filestream input must have a unique ID. Omitting or changing the filestream ID may cause
-data duplication. Without a unique ID, filestream is unable to correctly track the state of files.
-
-You can apply additional
-<<{beatname_lc}-input-{type}-options,configuration settings>> (such as `fields`,
-`include_lines`, `exclude_lines` and so on) to the lines harvested
-from these files. The options that you specify are applied to all the files
-harvested by this input.
-
-To apply different configuration settings to different files, you need to define
-multiple input sections:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: filestream <1>
-  id: my-filestream-id
-  paths:
-    - /var/log/system.log
-    - /var/log/wifi.log
-- type: filestream <2>
-  id: apache-filestream-id
-  paths:
-    - "/var/log/apache2/*"
-  fields:
-    apache: true
-----
-
-<1> Harvests lines from two files:  `system.log` and
-`wifi.log`.
-<2> Harvests lines from every file in the `apache2` directory, and uses the
-`fields` configuration option to add a field called `apache` to the output.
-
-
-[[filestream-file-identity]]
-==== Reading files on network shares and cloud providers
-
-WARNING: Some file identity methods do not support reading from
-network shares and cloud providers, to avoid duplicating events, use
-the default `file_identity`: `fingerprint`.
-
-IMPORTANT: Changing `file_identity` is only supported when
-migrating from `native` or `path` to `fingerprint`.
-
-WARNING: Any unsupported change in `file_identity` methods between
-runs may result in duplicated events in the output.
-
-`fingerprint` is the default and recommended file identity because it does not
-rely on the file system/OS, it generates a hash from a portion of the
-file (the first 1024 bytes, by default) and uses that to identify the
-file. This works well with log rotation strategies that move/rename
-the file and on Windows as file identifiers might be more
-volatile. The downside is that {beatname_uc} will wait until the file
-reaches 1024 bytes before start ingesting any file.
-
-WARNING: Once this file identity is enabled, changing
-the fingerprint configuration (offset, length, etc) will lead to a
-global re-ingestion of all files that match the paths configuration of
-the input.
-
-Please refer to the
-<<{beatname_lc}-input-filestream-scan-fingerprint,fingerprint
-configuration for details>>.
-
-Selecting `path` instructs {beatname_uc} to identify files based on their
-paths. This is a quick way to avoid rereading files if inode and device ids
-might change. However, keep in mind if the files are rotated (renamed), they
-will be reread and resubmitted.
-
-The option `inode_marker` can be used if the inodes stay the same even if
-the device id is changed. You should choose this method if your files are
-rotated instead of `path` if possible. You have to configure a marker file
-readable by {beatname_uc} and set the path in the option `path` of `inode_marker`.
-
-The content of this file must be unique to the device. You can put the
-UUID of the device or mountpoint where the input is stored. The following
-example oneliner generates a hidden marker file for the selected mountpoint `/logs`:
-Please note that you should not use this option on Windows as file identifiers might be
-more volatile.
-
-["source","sh",subs="attributes"]
-----
-$ lsblk -o MOUNTPOINT,UUID | grep /logs | awk '{print $2}' >> /logs/.filebeat-marker
-----
-
-To set the generated file as a marker for `file_identity` you should configure
-the input the following way:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: filestream
-  id: my-filestream-id
-  paths:
-    - /logs/*.log
-  file_identity.inode_marker.path: /logs/.filebeat-marker
-----
-
-
-[[filestream-rotating-logs]]
-==== Reading from rotating logs
-
-When dealing with file rotation, avoid harvesting symlinks. Instead
-use the <<filestream-input-paths>> setting to point to the original file, and specify
-a pattern that matches the file you want to harvest and all of its rotated
-files. Also make sure your log rotation strategy prevents lost or duplicate
-messages. For more information, see <<file-log-rotation>>.
-
-Furthermore, to avoid duplicate of rotated log messages, do not use the
-`path` method for `file_identity`. Or exclude the rotated files with `exclude_files`
-option.
-
-include::../inputs/input-filestream-file-options.asciidoc[]
-
-include::../inputs/input-filestream-reader-options.asciidoc[]
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the activity of the input. Note that metrics from processors are not included.
-
-[options="header"]
-|=======
-| Metric                     | Description
-| `files_opened_total`        | Total number of files opened.
-| `files_closed_total`        | Total number of files closed.
-| `files_active`              | Number of files currently open (gauge).
-| `messages_read_total`      | Total number of messages read.
-| `messages_truncated_total` | Total number of messages truncated.
-| `bytes_processed_total`    | Total number of bytes processed.
-| `events_processed_total`   | Total number of events processed.
-| `processing_errors_total`  | Total number of processing errors.
-| `processing_time`          | Histogram of the elapsed time to process messages (expressed in nanoseconds).
-|=======
-
-Note:
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/filebeat/docs/inputs/input-journald.asciidoc b/filebeat/docs/inputs/input-journald.asciidoc
deleted file mode 100644
index e00e37b153e2..000000000000
--- a/filebeat/docs/inputs/input-journald.asciidoc
+++ /dev/null
@@ -1,524 +0,0 @@
-:type: journald
-
-[id="{beatname_lc}-input-{type}"]
-=== Journald input
-
-++++
-<titleabbrev>journald</titleabbrev>
-++++
-
-https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html[`journald`]
-is a system service that collects and stores logging data. The `journald` input
-reads this log data and the metadata associated with it. To read this
-log data {beatname_uc} calls `journalctl` to read from the journal, therefore
-{beatname_uc} needs permission to execute `journalctl`.
-
-If the `journalctl` process exits unexpectedly the {type} input will
-terminate with an error and {beatname_uc} will need to be
-restarted to start reading from the jouranl again.
-
-The simplest configuration example is one that reads all logs from the default
-journal.
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: journald
-  id: everything
-----
-
-You may wish to have separate inputs for each service. You can use
-`include_matches` to specify filtering expressions.
-A good way to list the https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html[journald fields] that are available for
-filtering messages is to run `journalctl -o json` to output logs and metadata as
-JSON. This example collects logs from the `vault.service` systemd unit.
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: journald
-  id: service-vault
-  include_matches.match:
-    - _SYSTEMD_UNIT=vault.service
-----
-
-This example collects kernel logs where the message begins with `iptables`.
-Note that `include_matches` is more efficient than Beat processors because that
-are applied before the data is passed to the {beatname_uc} so prefer them where
-possible.
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: journald
-  id: iptables
-  include_matches.match:
-    - _TRANSPORT=kernel
-  processors:
-    - drop_event:
-        when.not.regexp.message: '^iptables'
-----
-
-Each example adds the `id` for the input to ensure the cursor is persisted to
-the registry with a unique ID. The ID should be unique among journald inputs.
-If you don't specify and `id` then one is created for you by hashing
-the configuration. So when you modify the config this will result in a new ID
-and a fresh cursor.
-
-[id="{beatname_lc}-input-{type}-options"]
-==== Configuration options
-
-The `journald` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-[float]
-[id="{beatname_lc}-input-{type}-id"]
-==== `id`
-
-An unique identifier for the input. By providing a unique `id` you can
-operate multiple inputs on the same journal. This allows each input's cursor to
-be persisted independently in the registry file. Each {type} input must have
-an unique ID.
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: journald
-  id: consul.service
-  include_matches.match:
-    - _SYSTEMD_UNIT=consul.service
-
-- type: journald
-  id: vault.service
-  include_matches.match:
-    - _SYSTEMD_UNIT=vault.service
-----
-
-[float]
-[id="{beatname_lc}-input-{type}-paths"]
-==== `paths`
-
-A list of paths that will be crawled and fetched. Each path can be a directory
-path (to collect events from all journals in a directory), or a file path. If
-you specify a directory, {beatname_uc} merges all journals under the directory
-into a single journal and reads them.
-
-If no paths are specified, {beatname_uc} reads from the default journal.
-
-[float]
-[id="{beatname_lc}-input-{type}-seek"]
-==== `seek`
-
-The position to start reading the journal from. Valid settings are:
-
-* `head`: Starts reading at the beginning of the journal. After a restart,
-{beatname_uc} resends all log messages in the journal.
-* `tail`: Starts reading at the end of the journal. This means that no events
-will be sent until a new message is written.
-* `since`: Use the `since` option to determine where to start reading from.
-
-Regardless of the value of `seek` if {beatname_uc} has a state (cursor) for this
-input, the `seek` value is ignored and the current cursor is used. To reset
-the cursor, just change the `id` of the input, this will start from a fresh state.
-
-
-[float]
-[id="{beatname_lc}-input-{type}-since"]
-==== `since`
-
-A time offset from the current time to start reading from. To use
-`since`, `seek` option must be set to `since`.
-
-This example demonstrates how to resume from the persisted cursor when
-it exists, or otherwise begin reading logs from the last 24 hours.
-
-["source","yaml",subs="attributes"]
-----
-seek: since
-since: -24h
-----
-
-[float]
-[id="{beatname_lc}-input-{type}-units"]
-==== `units`
-
-Iterate only the entries of the units specified in this option. The iterated entries include
-messages from the units, messages about the units by authorized daemons and coredumps. However,
-it does not match systemd user units.
-
-[float]
-[id="{beatname_lc}-input-{type}-syslog-identifiers"]
-==== `syslog_identifiers`
-
-Read only the entries with the selected syslog identifiers.
-
-[float]
-[id="{beatname_lc}-input-{type}-transports"]
-==== `transports`
-
-Collect the messages using the specified transports. Example: syslog.
-
-Valid transports:
-
-* audit: messages from the kernel audit subsystem
-* driver: internally generated messages
-* syslog: messages received via the local syslog socket with the syslog protocol
-* journal: messages received via the native journal protocol
-* stdout: messages from a service's standard output or error output
-* kernel: messages from the kernel
-
-[float]
-[id="{beatname_lc}-input-{type}-facilities"]
-==== `facilities`
-
-Filter entries by facilities, facilities must be specified using their
-numeric code.
-
-[float]
-[id="{beatname_lc}-input-{type}-include-matches"]
-==== `include_matches`
-
-A collection of filter expressions used to match fields. The format of the expression
-is `field=value` or `+` representing disjunction (i.e. logical
-OR). {beatname_uc} fetches all events that exactly match the
-expressions. Pattern matching is not supported.
-
-When `+` is used, it will cause all matches before and after to be
-combined in a disjunction (i.e. logical OR).
-
-If you configured a filter expression, only entries with this field set will be iterated by the journald reader of Filebeat.
-If the filter expressions apply to different fields, only entries with all fields set will be iterated.
-If they apply to the same fields, only entries where the field takes one of the specified values will be iterated.
-
-`match`: List of filter expressions to match fields.
-
-Please note that these expressions are limited. You can build complex filtering, but full logical
-expressions are not supported.
-
-The following include matches configuration will ingest entries that
-contain `journald.process.name: systemd` and `systemd.transport: syslog`.
-
-["source","yaml",subs="attributes"]
-----
-include_matches:
-  match:
-    - "journald.process.name=systemd"
-    - "systemd.transport=syslog"
-----
-
-The following include matches configuration will ingest entries that
-contain `systemd.transport: systemd` or `systemd.transport: kernel`.
-
-["source","yaml",subs="attributes"]
-----
-include_matches:
-  match:
-    - "systemd.transport=kernel"
-    - "systemd.transport=syslog"
-----
-
-
-The following include matches configuration is the equivalent of the
-following logical expression:
-
-```
-A=a OR (B=b AND C=c) OR (D=d AND B=1)
-```
-
-["source","yaml",subs="attributes"]
-----
-include_matches:
-  match:
-    - A=a
-    - +
-    - B=b
-    - C=c
-    - +
-    - B=1
-----
-
-`include_matches` translates to `journalctl` `MATCHES`, its
-[documentation](https://www.man7.org/linux/man-pages/man1/journalctl.1.html)
-is not clear about how multiple disjunctions are handled. The previous
-example was tested with journalctl version 257.
-
-To reference fields, use one of the following:
-
-* The field name used by the systemd journal. For example,
-`CONTAINER_TAG=redis`.
-* The <<{beatname_lc}-input-{type}-translated-fields,translated field name>>
-used by {beatname_uc}. For example, `container.image.tag=redis`. {beatname_uc}
-does not translate all fields from the journal. For custom fields, use the name
-specified in the systemd journal.
-
-[float]
-===== `parsers`
-
-This option expects a list of parsers that the entry has to go through.
-
-Available parsers:
-
-* `multiline`
-* `ndjson`
-* `container`
-* `syslog`
-* `include_message`
-
-In this example, {beatname_uc} is reading multiline messages that consist of 3 lines
-and are encapsulated in single-line JSON objects.
-The multiline message is stored under the key `msg`.
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: {type}
-  ...
-  parsers:
-    - ndjson:
-        target: ""
-        message_key: msg
-    - multiline:
-        type: count
-        count_lines: 3
-----
-
-See the available parser settings in detail below.
-
-[float]
-===== `multiline`
-
-Options that control how {beatname_uc} deals with log messages that span
-multiple lines. See <<multiline-examples>> for more information about
-configuring multiline options.
-
-[float]
-[id="{beatname_lc}-input-{type}-ndjson"]
-===== `ndjson`
-
-These options make it possible for {beatname_uc} to decode logs structured as
-JSON messages. {beatname_uc} processes the entry by line, so the JSON
-decoding only works if there is one JSON object per message.
-
-The decoding happens before line filtering. You can combine JSON
-decoding with filtering if you set the `message_key` option. This
-can be helpful in situations where the application logs are wrapped in JSON
-objects, like when using Docker.
-
-Example configuration:
-
-[source,yaml]
-----
-- ndjson:
-    target: ""
-    add_error_key: true
-    message_key: log
-----
-
-*`target`*:: The name of the new JSON object that should contain the parsed key value pairs. If you
-leave it empty, the new keys will go under root.
-
-*`overwrite_keys`*:: Values from the decoded JSON object overwrite the fields that {beatname_uc}
-normally adds (type, source, offset, etc.) in case of conflicts. Disable it if you want
-to keep previously added values.
-
-*`expand_keys`*:: If this setting is enabled, {beatname_uc} will recursively
-de-dot keys in the decoded JSON, and expand them into a hierarchical object
-structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`.
-This setting should be enabled when the input is produced by an
-https://github.com/elastic/ecs-logging[ECS logger].
-
-*`add_error_key`*:: If this setting is enabled, {beatname_uc} adds an
-"error.message" and "error.type: json" key in case of JSON unmarshalling errors
-or when a `message_key` is defined in the configuration but cannot be used.
-
-*`message_key`*:: An optional configuration setting that specifies a JSON key on
-which to apply the line filtering and multiline settings. If specified the key
-must be at the top level in the JSON object and the value associated with the
-key must be a string, otherwise no filtering or multiline aggregation will
-occur.
-
-*`document_id`*:: Option configuration setting that specifies the JSON key to
-set the document id. If configured, the field will be removed from the original
-JSON document and stored in `@metadata._id`
-
-*`ignore_decoding_error`*:: An optional configuration setting that specifies if
-JSON decoding errors should be logged or not. If set to true, errors will not
-be logged. The default is false.
-
-[float]
-===== `container`
-
-Use the `container` parser to extract information from  containers log files.
-It parses lines into common message lines, extracting timestamps too.
-
-*`stream`*:: Reads from the specified streams only: `all`, `stdout` or `stderr`. The default
-is `all`.
-
-*`format`*:: Use the given format when parsing logs: `auto`, `docker` or `cri`. The
-default is `auto`, it will automatically detect the format. To disable
-autodetection set any of the other options.
-
-The following snippet configures {beatname_uc} to read the `stdout` stream from
-all containers under the default Kubernetes logs path:
-
-[source,yaml]
-----
-  parsers:
-    - container:
-        stream: stdout
-----
-
-[float]
-===== `syslog`
-
-The `syslog` parser parses RFC 3146 and/or RFC 5424 formatted syslog messages.
-
-The supported configuration options are:
-
-*`format`*:: (Optional) The syslog format to use, `rfc3164`, or `rfc5424`. To automatically
-detect the format from the log entries, set this option to `auto`. The default is `auto`.
-
-*`timezone`*:: (Optional) IANA time zone name(e.g. `America/New York`) or a
-fixed time offset (e.g. +0200) to use when parsing syslog timestamps that do not contain
-a time zone. `Local` may be specified to use the machine's local time zone. Defaults to `Local`.
-
-*`log_errors`*:: (Optional) If `true` the parser will log syslog parsing errors. Defaults to `false`.
-
-*`add_error_key`*:: (Optional) If this setting is enabled, the parser adds or appends to an
-`error.message` key with the parsing error that was encountered. Defaults to `true`.
-
-Example configuration:
-
-[source,yaml]
--------------------------------------------------------------------------------
-- syslog:
-    format: rfc3164
-    timezone: America/Chicago
-    log_errors: true
-    add_error_key: true
--------------------------------------------------------------------------------
-
-*Timestamps*
-
-The RFC 3164 format accepts the following forms of timestamps:
-
-* Local timestamp (`Mmm dd hh:mm:ss`):
-** `Jan 23 14:09:01`
-* RFC-3339*:
-** `2003-10-11T22:14:15Z`
-** `2003-10-11T22:14:15.123456Z`
-** `2003-10-11T22:14:15-06:00`
-** `2003-10-11T22:14:15.123456-06:00`
-
-*Note*: The local timestamp (for example, `Jan 23 14:09:01`) that accompanies an
-RFC 3164 message lacks year and time zone information. The time zone will be enriched
-using the `timezone` configuration option, and the year will be enriched using the
-{beatname_uc} system's local time (accounting for time zones). Because of this, it is possible
-for messages to appear in the future. An example of when this might happen is logs
-generated on December 31 2021 are ingested on January 1 2022. The logs would be enriched
-with the year 2022 instead of 2021.
-
-The RFC 5424 format accepts the following forms of timestamps:
-
-* RFC-3339:
-** `2003-10-11T22:14:15Z`
-** `2003-10-11T22:14:15.123456Z`
-** `2003-10-11T22:14:15-06:00`
-** `2003-10-11T22:14:15.123456-06:00`
-
-Formats with an asterisk (*) are a non-standard allowance.
-
-[float]
-===== `include_message`
-
-Use the `include_message` parser to filter messages in the parsers pipeline. Messages that
-match the provided pattern are passed to the next parser, the others are dropped.
-
-You should use `include_message` instead of `include_lines` if you would like to
-control when the filtering happens. `include_lines` runs after the parsers, `include_message`
-runs in the parsers pipeline.
-
-*`patterns`*:: List of regexp patterns to match.
-
-This example shows you how to include messages that start with the string ERR or WARN:
-
-[source,yaml]
-----
-  parsers:
-    - include_message.patterns: ["^ERR", "^WARN"]
-----
-
-[float]
-[id="{beatname_lc}-input-{type}-translated-fields"]
-=== Translated field names
-
-You can use the following translated names in filter expressions to reference
-journald fields:
-
-[horizontal]
-*Journald field name*:: *Translated name*
-`COREDUMP_UNIT`::             `journald.coredump.unit`
-`COREDUMP_USER_UNIT`::        `journald.coredump.user_unit`
-`OBJECT_AUDIT_LOGINUID`::     `journald.object.audit.login_uid`
-`OBJECT_AUDIT_SESSION`::      `journald.object.audit.session`
-`OBJECT_CMDLINE`::            `journald.object.cmd`
-`OBJECT_COMM`::               `journald.object.name`
-`OBJECT_EXE`::                `journald.object.executable`
-`OBJECT_GID`::                `journald.object.gid`
-`OBJECT_PID`::                `journald.object.pid`
-`OBJECT_SYSTEMD_OWNER_UID`::  `journald.object.systemd.owner_uid`
-`OBJECT_SYSTEMD_SESSION`::    `journald.object.systemd.session`
-`OBJECT_SYSTEMD_UNIT`::       `journald.object.systemd.unit`
-`OBJECT_SYSTEMD_USER_UNIT`::  `journald.object.systemd.user_unit`
-`OBJECT_UID`::                `journald.object.uid`
-`_AUDIT_LOGINUID`::           `process.audit.login_uid`
-`_AUDIT_SESSION`::            `process.audit.session`
-`_BOOT_ID`::                  `host.boot_id`
-`_CAP_EFFECTIVE`::            `process.capabilites`
-`_CMDLINE`::                  `process.cmd`
-`_CODE_FILE`::                `journald.code.file`
-`_CODE_FUNC`::                `journald.code.func`
-`_CODE_LINE`::                `journald.code.line`
-`_COMM`::                     `process.name`
-`_EXE`::                      `process.executable`
-`_GID`::                      `process.uid`
-`_HOSTNAME`::                 `host.name`
-`_KERNEL_DEVICE`::            `journald.kernel.device`
-`_KERNEL_SUBSYSTEM`::         `journald.kernel.subsystem`
-`_MACHINE_ID`::               `host.id`
-`_MESSAGE`::                  `message`
-`_PID`::                      `process.pid`
-`_PRIORITY`::                 `log.syslog.priority`
-`_SYSLOG_FACILITY`::          `log.syslog.facility.code`
-`_SYSLOG_IDENTIFIER`::        `log.syslog.appname`
-`_SYSLOG_PID`::               `log.syslog.procid`
-`_SYSTEMD_CGROUP`::           `systemd.cgroup`
-`_SYSTEMD_INVOCATION_ID`::    `systemd.invocation_id`
-`_SYSTEMD_OWNER_UID`::        `systemd.owner_uid`
-`_SYSTEMD_SESSION`::          `systemd.session`
-`_SYSTEMD_SLICE`::            `systemd.slice`
-`_SYSTEMD_UNIT`::             `systemd.unit`
-`_SYSTEMD_USER_SLICE`::       `systemd.user_slice`
-`_SYSTEMD_USER_UNIT`::        `systemd.user_unit`
-`_TRANSPORT`::                `systemd.transport`
-`_UDEV_DEVLINK`::             `journald.kernel.device_symlinks`
-`_UDEV_DEVNODE`::             `journald.kernel.device_node_path`
-`_UDEV_SYSNAME`::             `journald.kernel.device_name`
-`_UID`::                      `process.uid`
-
-The following translated fields for
-https://docs.docker.com/config/containers/logging/journald/[Docker] are also
-available:
-
-[horizontal]
-`CONTAINER_ID_FULL`::         `container.id`
-`CONTAINER_NAME`::            `container.name`
-`IMAGE_NAME`::		      `container.image.name`
-
-If `CONTAINER_PARTIAL_MESSAGE` is present and it is true, then the tag
-`partial_message` is added to the final event.
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/filebeat/docs/inputs/input-kafka.asciidoc b/filebeat/docs/inputs/input-kafka.asciidoc
deleted file mode 100644
index 360218bb74b0..000000000000
--- a/filebeat/docs/inputs/input-kafka.asciidoc
+++ /dev/null
@@ -1,255 +0,0 @@
-:type: kafka
-
-[id="{beatname_lc}-input-{type}"]
-=== Kafka input
-
-++++
-<titleabbrev>Kafka</titleabbrev>
-++++
-
-Use the `kafka` input to read from topics in a Kafka cluster.
-
-To configure this input, specify a list of one or more <<hosts,`hosts`>> in the
-cluster to bootstrap the connection with, a list of <<topics,`topics`>> to
-track, and a <<groupid,`group_id`>> for the connection.
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: kafka
-  hosts:
-    - kafka-broker-1:9092
-    - kafka-broker-2:9092
-  topics: ["my-topic"]
-  group_id: "filebeat"
-
-----
-
-The following example shows how to use the `kafka` input to ingest data from
-Microsoft Azure Event Hubs that have Kafka compatibility enabled:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: kafka
-  hosts: ["<your event hub namespace>.servicebus.windows.net:9093"]
-  topics: ["<your event hub instance>"]
-  group_id: "<your consumer group>"
-
-  username: "$ConnectionString"
-  password: "<your connection string>"
-  ssl.enabled: true
-
-----
-
-For more details on the mapping between Kafka and Event Hubs configuration
-parameters, see the
-link:https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-for-kafka-ecosystem-overview[Azure documentation].
-
-[[kafka-input-compatibility]]
-==== Compatibility
-
-This input works with all Kafka versions in between 0.11 and 2.8.0. Older versions
-might work as well, but are not supported.
-
-[id="{beatname_lc}-input-{type}-options"]
-==== Configuration options
-
-The `kafka` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-NOTE: If you're using {agent} with a Kafka input and need to increase throughput, we recommend scaling horizontally by additional {agents} to read from the Kafka topic.
-Note that each {agent} reads concurrently from each of the partitions it has been assigned. 
-
-[float]
-[[kafka-hosts]]
-===== `hosts`
-
-A list of Kafka bootstrapping hosts (brokers) for this cluster.
-
-[float]
-[[topics]]
-===== `topics`
-
-A list of topics to read from.
-
-[float]
-[[groupid]]
-===== `group_id`
-
-The Kafka consumer group id.
-
-[float]
-===== `client_id`
-
-The Kafka client id (optional).
-
-[float]
-===== `version`
-
-The version of the Kafka protocol to use (defaults to `"2.1.0"`). When using Kafka 4.0 and newer, the version must be set to at least `"2.1.0"`.
-
-[float]
-===== `initial_offset`
-
-The initial offset to start reading, either "oldest" or "newest". Defaults to
-"oldest".
-
-===== `connect_backoff`
-
-How long to wait before trying to reconnect to the kafka cluster after a
-fatal error. Default is 30s.
-
-===== `consume_backoff`
-
-How long to wait before retrying a failed read. Default is 2s.
-
-===== `max_wait_time`
-
-How long to wait for the minimum number of input bytes while reading. Default
-is 250ms.
-
-===== `wait_close`
-
-When shutting down, how long to wait for in-flight messages to be delivered
-and acknowledged.
-
-===== `isolation_level`
-
-This configures the Kafka group isolation level:
-
-- `"read_uncommitted"` returns _all_ messages in the message channel.
-- `"read_committed"` hides messages that are part of an aborted transaction.
-
-The default is `"read_uncommitted"`.
-
-===== `fetch`
-
-Kafka fetch settings:
-
-*`min`*:: The minimum number of bytes to wait for. Defaults to 1.
-
-*`default`*:: The default number of bytes to read per request. Defaults to 1MB.
-
-*`max`*:: The maximum number of bytes to read per request. Defaults to 0
-(no limit).
-
-===== `expand_event_list_from_field`
-
-If the fileset using this input expects to receive multiple messages bundled under a specific field then the config option `expand_event_list_from_field` value can be assigned the name of the field.
-For example in the case of azure filesets the events are found under the json object "records".
-
-["source","json"]
-----
-{
-"records": [ {event1}, {event2}]
-}
-----
-
-This setting will be able to split the messages under the group value ('records') into separate events.
-
-===== `rebalance`
-
-Kafka rebalance settings:
-
-*`strategy`*:: Either `"range"` or `"roundrobin"`. Defaults to `"range"`.
-
-*`timeout`*:: How long to wait for an attempted rebalance. Defaults to 60s.
-
-*`max_retries`*:: How many times to retry if rebalancing fails. Defaults to 4.
-
-*`retry_backoff`*:: How long to wait after an unsuccessful rebalance attempt.
-Defaults to 2s.
-
-===== `sasl.mechanism`
-
-The SASL mechanism to use when connecting to Kafka. It can be one of:
-
-* `PLAIN` for SASL/PLAIN.
-* `SCRAM-SHA-256` for SCRAM-SHA-256.
-* `SCRAM-SHA-512` for SCRAM-SHA-512.
-
-If `sasl.mechanism` is not set, `PLAIN` is used if `username` and `password`
-are provided. Otherwise, SASL authentication is disabled.
-
-To use `GSSAPI` mechanism to authenticate with Kerberos, you must leave this
-field empty, and use the <<kerberos-option-kafka>> options.
-
-===== `kerberos`
-
-beta[]
-
-Configuration options for Kerberos authentication.
-
-See <<configuration-kerberos>> for more information.
-
-[float]
-===== `parsers`
-
-This option expects a list of parsers that the payload has to go through.
-
-Available parsers:
-
-* `ndjson`
-* `multiline`
-
-[float]
-===== `ndjson`
-
-These options make it possible for {beatname_uc} to decode the payload as
-JSON messages.
-
-Example configuration:
-
-[source,yaml]
-----
-- ndjson:
-  target: ""
-  add_error_key: true
-  message_key: log
-----
-
-*`target`*:: The name of the new JSON object that should contain the parsed key value pairs. If you
-leave it empty, the new keys will go under root.
-
-*`overwrite_keys`*:: Values from the decoded JSON object overwrite the fields that {beatname_uc}
-normally adds (type, source, offset, etc.) in case of conflicts. Disable it if you want
-to keep previously added values.
-
-*`expand_keys`*:: If this setting is enabled, {beatname_uc} will recursively
-de-dot keys in the decoded JSON, and expand them into a hierarchical object
-structure. For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`.
-This setting should be enabled when the input is produced by an
-https://github.com/elastic/ecs-logging[ECS logger].
-
-*`add_error_key`*:: If this setting is enabled, {beatname_uc} adds an
-"error.message" and "error.type: json" key in case of JSON unmarshalling errors
-or when a `message_key` is defined in the configuration but cannot be used.
-
-*`message_key`*:: An optional configuration setting that specifies a JSON key on
-which to apply the line filtering and multiline settings. If specified the key
-must be at the top level in the JSON object and the value associated with the
-key must be a string, otherwise no filtering or multiline aggregation will
-occur.
-
-*`document_id`*:: Option configuration setting that specifies the JSON key to
-set the document id. If configured, the field will be removed from the original
-JSON document and stored in `@metadata._id`
-
-*`ignore_decoding_error`*:: An optional configuration setting that specifies if
-JSON decoding errors should be logged or not. If set to true, errors will not
-be logged. The default is false.
-
-[float]
-===== `multiline`
-
-Options that control how {beatname_uc} deals with log messages that span
-multiple lines. See <<multiline-examples>> for more information about
-configuring multiline options.
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/filebeat/docs/inputs/input-log.asciidoc b/filebeat/docs/inputs/input-log.asciidoc
deleted file mode 100644
index 5da62f622bab..000000000000
--- a/filebeat/docs/inputs/input-log.asciidoc
+++ /dev/null
@@ -1,169 +0,0 @@
-:type: log
-
-[id="{beatname_lc}-input-{type}"]
-=== Log input
-
-deprecated:[7.16.0]
-
-The log input is deprecated. Please use the the <<filebeat-input-filestream,`filestream input`>> for sending log files to outputs.
-
-It's possible to use this input type only in combination with the `allow_deprecated_use: true` setting as a part of the input configuration.
-
-++++
-<titleabbrev>Log</titleabbrev>
-++++
-
-Use the `log` input to read lines from log files.
-
-To configure this input, specify a list of glob-based <<input-paths,`paths`>>
-that must be crawled to locate and fetch the log lines.
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: log
-  paths:
-    - /var/log/messages
-    - /var/log/*.log
-----
-
-
-You can apply additional
-<<{beatname_lc}-input-{type}-options,configuration settings>> (such as `fields`,
-`include_lines`, `exclude_lines`, `multiline`, and so on) to the lines harvested
-from these files. The options that you specify are applied to all the files
-harvested by this input.
-
-To apply different configuration settings to different files, you need to define
-multiple input sections:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: log <1>
-  paths:
-    - /var/log/system.log
-    - /var/log/wifi.log
-- type: log <2>
-  paths:
-    - "/var/log/apache2/*"
-  fields:
-    apache: true
-  fields_under_root: true
-----
-
-<1> Harvests lines from two files:  `system.log` and
-`wifi.log`.
-<2> Harvests lines from every file in the `apache2` directory, and uses the
-`fields` configuration option to add a field called `apache` to the output.
-
-
-IMPORTANT: Make sure a file is not defined more than once across all inputs
-because this can lead to unexpected behaviour.
-
-[[file-identity]]
-==== Reading files on network shares and cloud providers
-
-WARNING: Filebeat does not support reading from network shares and cloud providers.
-
-However, one of the limitations of these data sources can be mitigated
-if you configure Filebeat adequately.
-
-By default, {beatname_uc} identifies files based on their inodes and
-device IDs. However, on network shares and cloud providers these
-values might change during the lifetime of the file. If this happens
-{beatname_uc} thinks that file is new and resends the whole content
-of the file. To solve this problem you can configure `file_identity` option. Possible
-values besides the default `inode_deviceid` are `path` and `inode_marker`.
-
-Selecting `path` instructs {beatname_uc} to identify files based on their
-paths. This is a quick way to avoid rereading files if inode and device ids
-might change. However, keep in mind if the files are rotated (renamed), they
-will be reread and resubmitted.
-
-The option `inode_marker` can be used if the inodes stay the same even if
-the device id is changed. You should choose this method if your files are
-rotated instead of `path` if possible. You have to configure a marker file
-readable by {beatname_uc} and set the path in the option `path` of `inode_marker`.
-
-The content of this file must be unique to the device. You can put the
-UUID of the device or mountpoint where the input is stored. The following
-example oneliner generates a hidden marker file for the selected mountpoint `/logs`:
-Please note that you should not use this option on Windows as file identifiers might be
-more volatile.
-
-["source","sh",subs="attributes"]
-----
-$ lsblk -o MOUNTPOINT,UUID | grep /logs | awk '{print $2}' >> /logs/.filebeat-marker
-----
-
-To set the generated file as a marker for `file_identity` you should configure
-the input the following way:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: log
-  paths:
-    - /logs/*.log
-  file_identity.inode_marker.path: /logs/.filebeat-marker
-----
-
-
-[[rotating-logs]]
-==== Reading from rotating logs
-
-When dealing with file rotation, avoid harvesting symlinks. Instead
-use the <<input-paths>> setting to point to the original file, and specify
-a pattern that matches the file you want to harvest and all of its rotated
-files. Also make sure your log rotation strategy prevents lost or duplicate
-messages. For more information, see <<file-log-rotation>>.
-
-Furthermore, to avoid duplicate of rotated log messages, do not use the
-`path` method for `file_identity`. Or exclude the rotated files with `exclude_files`
-option.
-
-[id="{beatname_lc}-input-{type}-options"]
-==== Configuration options
-
-The `log` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-[float]
-[[input-paths]]
-===== `paths`
-
-A list of glob-based paths that will be crawled and fetched. All patterns
-supported by https://golang.org/pkg/path/filepath/#Glob[Go Glob] are also
-supported here. For example, to fetch all files from a predefined level of
-subdirectories, the following pattern can be used: `/var/log/*/*.log`. This
-fetches all `.log` files from the subfolders of `/var/log`. It does not
-fetch log files from the `/var/log` folder itself.
-It is possible to recursively fetch all files in all subdirectories of a directory
-using the optional <<recursive_glob,`recursive_glob`>> settings.
-
-{beatname_uc} starts a harvester for each file that it finds under the specified
-paths. You can specify one path per line. Each line begins with a dash (-).
-
-[float]
-[[recursive_glob]]
-===== `recursive_glob.enabled`
-
-Enable expanding `**` into recursive glob patterns. With this feature enabled,
-the rightmost `**` in each path is expanded into a fixed number of glob
-patterns. For example: `/foo/**` expands to `/foo`, `/foo/*`, `/foo/*/*`, and so
-on. If enabled it expands a single `**` into a 8-level deep `*` pattern.
-
-This feature is enabled by default. Set `recursive_glob.enabled` to false to
-disable it.
-
-include::../inputs/input-common-harvester-options.asciidoc[]
-
-include::../inputs/input-common-file-options.asciidoc[]
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/filebeat/docs/inputs/input-mqtt.asciidoc b/filebeat/docs/inputs/input-mqtt.asciidoc
deleted file mode 100644
index 3f8e61cedb91..000000000000
--- a/filebeat/docs/inputs/input-mqtt.asciidoc
+++ /dev/null
@@ -1,92 +0,0 @@
-:type: mqtt
-
-[id="{beatname_lc}-input-{type}"]
-=== MQTT input
-
-++++
-<titleabbrev>MQTT</titleabbrev>
-++++
-
-Use the `MQTT` input to read data transmitted using lightweight messaging protocol
-for small and mobile devices, optimized for high-latency or unreliable networks.
-
-This input connects to the MQTT broker, subscribes to selected topics and parses data
-into common message lines. Everything happens before line filtering, multiline, and JSON decoding,
-so this input can be used in combination with those settings.
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: mqtt
-  hosts: <1>
-    - tcp://broker:1883
-    - ssl://secure_broker:8883
-  topics: <2>
-    - sample_topic
-----
-
-<1> `hosts` are required.
-
-<2> `topics` are required.
-
-All other settings are optional.
-
-==== Configuration options
-
-The `mqtt` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-===== `hosts`
-
-A list of MQTT brokers to connect to.
-
-===== `topics`
-
-A list of topics to subscribe to and read from.
-
-===== `qos`
-
-An agreement level between the sender of a message and the receiver of a message that defines the guarantee of delivery.
-
-There are 3 QoS levels in MQTT. Defaults to `0`:
-
-* At most once (`0`),
-* At least once (`1`),
-* Exactly once (`2`).
-
-===== `client_id`
-
-A unique identifier of each MQTT client connecting to a MQTT broker.
-
-===== `username`
-
-A client username used for authentication provided on the application level by the MQTT protocol.
-
-===== `password`
-
-A client password used for authentication provided on the application level by the MQTT protocol.
-
-===== `clean_session`
-
-The `clean_session` flag indicates whether the client wants to establish a persistent session with the broker. 
-The default is `true`.
-
-When `clean_session` is set to false, the session is considered to be persistent. The broker stores all subscriptions for 
-the client and all missed messages for the client that subscribed with a Quality of Service (QoS) level 1 or 2. 
-
-In contrast, when `clean_session` is set to true, the broker doesn’t retain any information for the client 
-and discards any previous state from any persistent session.
-
-===== `ssl`
-
-Configuration options for SSL parameters like the certificate, key and the certificate authorities
-to use.
-
-See <<configuration-ssl>> for more information.
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/filebeat/docs/inputs/input-redis.asciidoc b/filebeat/docs/inputs/input-redis.asciidoc
deleted file mode 100644
index f2c6b0f4cb0b..000000000000
--- a/filebeat/docs/inputs/input-redis.asciidoc
+++ /dev/null
@@ -1,94 +0,0 @@
-:type: redis
-
-[id="{beatname_lc}-input-{type}"]
-=== Redis input
-
-++++
-<titleabbrev>Redis</titleabbrev>
-++++
-
-experimental[]
-
-Use the `redis` input to read entries from Redis slowlogs.
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: redis
-  hosts: ["localhost:6379"]
-  password: "${redis_pwd}"
-----
-
-
-==== Configuration options
-
-The `redis` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-[float]
-[[redis-hosts]]
-===== `hosts`
-
-The list of Redis hosts to connect to.
-
-[float]
-[[redis-password]]
-===== `password`
-
-The password to use when connecting to Redis.
-
-[float]
-[[redis-username]]
-===== `username`
-
-The username to use when connecting to Redis.
-
-[float]
-[[redis-scan_frequency]]
-===== `scan_frequency`
-
-How often {beatname_uc} reads entries from Redis slowlogs. Specify `1s` to scan
-Redis as frequently as possible without causing {beatname_uc} to scan too
-frequently. Do not set this value to less than `1s`.
-
-The default is `10s`.
-
-IMPORTANT: Redis slowlogs are not permanent. To ensure that all slowlog entries
-are collected, set `scan_frequency` to a value that allows {beatname_uc}
-sufficient time to connect to Redis, query the logs, and buffer them to the
-output within the specified interval.
-
-[float]
-[[redis-timeout]]
-===== `timeout`
-
-How long to wait for a response from Redis before the input returns an error.
-The default is `1s`.
-
-[float]
-[[redis-network]]
-===== `network`
-
-The network type to use for the Redis connection. Valid settings include: `tcp`,
-`tcp4`, `tcp6`, and `unix`. The default is `tcp`.
-
-[float]
-[[redis-maxconn]]
-===== `maxconn`
-
-The maximum number of concurrent connections. The default is `10`.
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../inputs/input-common-options.asciidoc[]
-
-:type!:
-
-[float]
-[[redis-ssl]]
-===== `ssl`
-
-Configuration options for SSL parameters like the certificate, key and the certificate authorities to use.
-
-See <<configuration-ssl>> for more information.
\ No newline at end of file
diff --git a/filebeat/docs/inputs/input-stdin.asciidoc b/filebeat/docs/inputs/input-stdin.asciidoc
deleted file mode 100644
index 1e9b6acaf061..000000000000
--- a/filebeat/docs/inputs/input-stdin.asciidoc
+++ /dev/null
@@ -1,34 +0,0 @@
-:type: stdin
-
-[id="{beatname_lc}-input-{type}"]
-=== Stdin input
-
-++++
-<titleabbrev>Stdin</titleabbrev>
-++++
-
-Use the `stdin` input to read events from standard in.
-
-Note: This input cannot be run at the same time with other input types.
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: stdin
-----
-
-[[stdin-input-options]]
-==== Configuration options
-
-The `stdin` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-include::../inputs/input-common-harvester-options.asciidoc[]
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../inputs/input-common-options.asciidoc[]
-
-:type!:
-
diff --git a/filebeat/docs/inputs/input-syslog.asciidoc b/filebeat/docs/inputs/input-syslog.asciidoc
deleted file mode 100644
index 3e0555d03b91..000000000000
--- a/filebeat/docs/inputs/input-syslog.asciidoc
+++ /dev/null
@@ -1,79 +0,0 @@
-:type: syslog
-
-[id="{beatname_lc}-input-{type}"]
-=== Syslog input
-
-deprecated:[8.14.0]
-
-The syslog input is deprecated. Please use the <<syslog, `syslog`>> processor for processing syslog messages.
-
-++++
-<titleabbrev>Syslog</titleabbrev>
-++++
-
-The `syslog` input reads Syslog events as specified by RFC 3164 and RFC 5424,
-over TCP, UDP, or a Unix stream socket.
-
-Example configurations:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: syslog
-  format: rfc3164
-  protocol.udp:
-    host: "localhost:9000"
-----
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: syslog
-  format: rfc5424
-  protocol.tcp:
-    host: "localhost:9000"
-----
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: syslog
-  format: auto
-  protocol.unix:
-    path: "/path/to/syslog.sock"
-----
-
-==== Configuration options
-
-The `syslog` input configuration includes format, protocol specific options, and
-the <<{beatname_lc}-input-{type}-common-options>> described later.
-
-===== `format`
-
-The syslog variant to use, `rfc3164` or `rfc5424`. To automatically detect the
-format from the log entries, set this option to `auto`. The default is
-`rfc3164`.
-
-===== `timezone`
-
-IANA time zone name (e.g. `America/New_York`) or fixed time offset (e.g.
-`+0200`) to use when parsing syslog timestamps that do not contain a time zone.
-`Local` may be specified to use the machine's local time zone. Defaults to
-`Local`.
-
-===== Protocol `udp`:
-
-include::../inputs/input-common-udp-options.asciidoc[]
-
-===== Protocol `tcp`:
-
-include::../inputs/input-common-tcp-options.asciidoc[]
-
-===== Protocol `unix`:
-
-include::../inputs/input-common-unix-options.asciidoc[]
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/filebeat/docs/inputs/input-tcp.asciidoc b/filebeat/docs/inputs/input-tcp.asciidoc
deleted file mode 100644
index 6f44b7fd4e3c..000000000000
--- a/filebeat/docs/inputs/input-tcp.asciidoc
+++ /dev/null
@@ -1,51 +0,0 @@
-:type: tcp
-
-[id="{beatname_lc}-input-{type}"]
-=== TCP input
-
-++++
-<titleabbrev>TCP</titleabbrev>
-++++
-
-Use the `TCP` input to read events over TCP.
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: tcp
-  max_message_size: 10MiB
-  host: "localhost:9000"
-----
-
-
-==== Configuration options
-
-The `tcp` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-include::../inputs/input-common-tcp-options.asciidoc[]
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the activity of the input.
-
-[options="header"]
-|=======
-| Metric                         | Description
-| `device`                       | Host/port of the TCP stream.
-| `received_events_total`        | Total number of packets (events) that have been received.
-| `received_bytes_total`         | Total number of bytes received.
-| `receive_queue_length`         | Aggregated size of the system receive queues (IPv4 and IPv6) (linux only) (gauge).
-| `arrival_period`               | Histogram of the time between successive packets in nanoseconds.
-| `processing_time`              | Histogram of the time taken to process packets in nanoseconds.
-|=======
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/filebeat/docs/inputs/input-udp.asciidoc b/filebeat/docs/inputs/input-udp.asciidoc
deleted file mode 100644
index 1674ff1773c2..000000000000
--- a/filebeat/docs/inputs/input-udp.asciidoc
+++ /dev/null
@@ -1,53 +0,0 @@
-:type: udp
-
-[id="{beatname_lc}-input-{type}"]
-=== UDP input
-
-++++
-<titleabbrev>UDP</titleabbrev>
-++++
-
-Use the `udp` input to read events over UDP.
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: udp
-  max_message_size: 10KiB
-  host: "localhost:8080"
-----
-
-
-==== Configuration options
-
-The `udp` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-include::../inputs/input-common-udp-options.asciidoc[]
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the activity of the input.
-
-[options="header"]
-|=======
-| Metric                         | Description
-| `device`                       | Host/port of the UDP stream.
-| `udp_read_buffer_length_gauge` | Size of the UDP socket buffer length in bytes (gauge).
-| `received_events_total`        | Total number of packets (events) that have been received.
-| `received_bytes_total`         | Total number of bytes received.
-| `receive_queue_length`         | Aggregated size of the system receive queues (IPv4 and IPv6) (linux only) (gauge).
-| `system_packet_drops`          | Aggregated number of system packet drops (IPv4 and IPv6) (linux only) (gauge).
-| `arrival_period`               | Histogram of the time between successive packets in nanoseconds.
-| `processing_time`              | Histogram of the time taken to process packets in nanoseconds.
-|=======
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/filebeat/docs/inputs/input-unix.asciidoc b/filebeat/docs/inputs/input-unix.asciidoc
deleted file mode 100644
index 5bdc30aaa58d..000000000000
--- a/filebeat/docs/inputs/input-unix.asciidoc
+++ /dev/null
@@ -1,52 +0,0 @@
-:type: unix
-
-[id="{beatname_lc}-input-{type}"]
-=== Unix input
-
-beta[]
-
-++++
-<titleabbrev>Unix</titleabbrev>
-++++
-
-Use the `unix` input to read events over a stream-oriented Unix domain socket.
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: unix
-  max_message_size: 10MiB
-  path: "/var/run/filebeat.sock"
-----
-
-
-==== Configuration options
-
-The `unix` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-include::../inputs/input-common-unix-options.asciidoc[]
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the activity of the input.
-
-[options="header"]
-|=======
-| Metric                         | Description
-| `path`                         | Path of the unix socket.
-| `received_events_total`        | Total number of packets (events) that have been received.
-| `received_bytes_total`         | Total number of bytes received.
-| `arrival_period`               | Histogram of the time between successive packets in nanoseconds.
-| `processing_time`              | Histogram of the time taken to process packets in nanoseconds.
-|=======
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/filebeat/docs/inputs/input-winlog.asciidoc b/filebeat/docs/inputs/input-winlog.asciidoc
deleted file mode 100644
index c982e3649123..000000000000
--- a/filebeat/docs/inputs/input-winlog.asciidoc
+++ /dev/null
@@ -1,405 +0,0 @@
-:type: winlog
-
-[id="{beatname_lc}-input-{type}"]
-=== winlog input
-
-++++
-<titleabbrev>winlog</titleabbrev>
-++++
-
-beta[]
-
-Use the `winlog` input to read Windows event logs. It reads from one 
-event log using Windows APIs, filters the events based on user-configured criteria, 
-then sends the event data to the configured outputs. It watches the event
-log so that new event data is sent in a timely manner. The read position for
-the event log is persisted to disk to allow the input to resume after
-restarts.
-
-The `winlog` input can capture event data from any event logs running on your system.
-For example, you can capture events such as:
-
-* application events
-* hardware events
-* security events
-* system events
-
-Here is a sample configuration:
-
-[source,yaml]
---------------------------------------------------------------------------------
-- type: winlog
-  name: Application
-  ignore_older: 72h
---------------------------------------------------------------------------------
-
-[float]
-=== Configuration options
-
-[float]
-==== `batch_read_size`
-
-The maximum number of event log records to read from the Windows API in a single
-batch. The default batch size is 512. Most Windows versions return an error if
-the value is larger than 1024. *{vista_and_newer}*
-
-{beatname_uc} starts a goroutine (a lightweight thread) to read from each
-individual event log. The goroutine reads a batch of event log records using the
-Windows API, applies any processors to the events, publishes them to the
-configured outputs, and waits for an acknowledgement from the outputs before
-reading additional event log records.
-
-[float]
-==== `name`
-
-The name of the event log to monitor. It must
-have a `name` field, except for those which use a custom XML query.
-A channel is a named stream of events that transports events from an event
-source to an event log. Most channels are tied to specific event publishers.
-You can get a list of available event logs by using the PowerShell
-https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent[`Get-WinEvent`] cmdlet
-on Windows Vista or newer. Here is a sample of the output from the command:
-
-[source,sh]
---------------------------------------------------------------------------------
-PS C:\> Get-WinEvent -ListLog * | Format-List -Property LogName
-LogName : Application
-LogName : HardwareEvents
-LogName : Internet Explorer
-LogName : Key Management Service
-LogName : Security
-LogName : System
-LogName : Windows PowerShell
-LogName : ForwardedEvents
-LogName : Microsoft-Management-UI/Admin
-LogName : Microsoft-Rdms-UI/Admin
-LogName : Microsoft-Rdms-UI/Operational
-LogName : Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
-...
---------------------------------------------------------------------------------
-
-If `Get-WinEvent` is not available, the https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog[`Get-EventLog`] cmdlet can be used in its
-place.
-
-[source,sh]
---------------------------------------------------------------------------------
-PS C:\Users\vagrant> Get-EventLog *
-
-  Max(K) Retain OverflowAction        Entries Log
-  ------ ------ --------------        ------- ---
-  20,480      0 OverwriteAsNeeded          75 Application
-  20,480      0 OverwriteAsNeeded           0 HardwareEvents
-     512      7 OverwriteOlder              0 Internet Explorer
-  20,480      0 OverwriteAsNeeded           0 Key Management Service
-  20,480      0 OverwriteAsNeeded       1,609 Security
-  20,480      0 OverwriteAsNeeded       1,184 System
-  15,360      0 OverwriteAsNeeded         464 Windows PowerShell
---------------------------------------------------------------------------------
-
-You must specify the full name of the channel in the configuration file.
-
-[source,yaml]
---------------------------------------------------------------------------------
-- type: winlog
-  name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
---------------------------------------------------------------------------------
-
-To read events from an archived `.evtx` file you can specify the `name` as the
-absolute path (it cannot be relative) to the file.
-
-[source,yaml]
---------------------------------------------------------------------------------
-- type: winlog
-  name: 'C:\backup\sysmon-2019.08.evtx'
-  no_more_events: stop
---------------------------------------------------------------------------------
-
-The name key must not be used with custom XML queries.
-
-[float]
-==== `id`
-
-A unique identifier for the event log. This key is required when using a custom
-XML query.
-
-It is used to uniquely identify the event log reader in the registry file. This is
-useful if multiple event logs are being set up to watch the same channel or file. If an
-ID is not given, the `name` value will be used.
-
-This value must be unique.
-
-[source,yaml]
---------------------------------------------------------------------------------
-- type: winlog
-  name: Application
-  id: application-logs
-  ignore_older: 168h
---------------------------------------------------------------------------------
-
-[float]
-==== `ignore_older`
-
-If this option is specified, the input filters events that are older than the
-specified amount of time. Valid time units are "ns", "us" (or "µs"), "ms", "s",
-"m", "h". This option is useful when you are beginning to monitor an event log
-that contains older records that you would like to ignore. This field is
-optional.
-
-[source,yaml]
---------------------------------------------------------------------------------
-- type: winlog
-  name: Application
-  ignore_older: 168h
---------------------------------------------------------------------------------
-
-[float]
-==== `forwarded`
-
-A boolean flag to indicate that the log contains only events collected from
-remote hosts using the Windows Event Collector. The value defaults to true for
-the ForwardedEvents log and false for any other log. *{vista_and_newer}*
-
-This settings allows {beatname_uc} to optimize reads for forwarded events that are
-already rendered. When the value is true {beatname_uc} does not attempt to render
-the event using message files from the host computer. The Windows Event
-Collector subscription should be configured to use the "RenderedText" format
-(this is the default) to ensure that the events are distributed with messages
-and descriptions.
-
-[float]
-==== `event_id`
-
-An allowlist and blocklist of event IDs. The value is a comma-separated list. The
-accepted values are single event IDs to include (e.g. 4624), a range of event
-IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735).
-*{vista_and_newer}*
-
-[source,yaml]
---------------------------------------------------------------------------------
-- type: winlog
-  name: Security
-  event_id: 4624, 4625, 4700-4800, -4735
---------------------------------------------------------------------------------
-
-[float]
-==== `language`
-
-The language ID the events will be rendered in. The language will be forced regardless
-of the system language. A complete list of language IDs can be found
-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here].
-It defaults to `0`, which indicates to use the system language.
-
-[source,yaml]
---------------------------------------------------------------------------------
-- type: winlog
-  name: Security
-  event_id: 4624, 4625, 4700-4800, -4735
-  language: 0x0409 # en-US
---------------------------------------------------------------------------------
-
-[float]
-==== `level`
-
-A list of event levels to include. The value is a comma-separated list of
-levels. *{vista_and_newer}*
-
-[cols="2*", options="header"]
-|===
-|Level
-|Value
-
-|critical, crit
-|1
-
-|error, err
-|2
-
-|warning, warn
-|3
-
-|information, info
-|0 or 4
-
-|verbose
-|5
-|===
-
-[source,yaml]
---------------------------------------------------------------------------------
-- type: winlog
-  name: Security
-  level: critical, error, warning
---------------------------------------------------------------------------------
-
-[float]
-==== `provider`
-
-A list of providers (source names) to include. The value is a YAML list.
-*{vista_and_newer}*
-
-[source,yaml]
---------------------------------------------------------------------------------
-- type: winlog
-  name: Application
-  provider:
-    - Application Error
-    - Application Hang
-    - Windows Error Reporting
-    - EMET
---------------------------------------------------------------------------------
-
-You can obtain a list of providers associated with a log by using PowerShell.
-Here is an example showing the providers associated with the Security log.
-
-[source,sh]
---------------------------------------------------------------------------------
-PS C:\> (Get-WinEvent -ListLog Security).ProviderNames
-DS
-LSA
-SC Manager
-Security
-Security Account Manager
-ServiceModel 4.0.0.0
-Spooler
-TCP/IP
-VSSAudit
-Microsoft-Windows-Security-Auditing
-Microsoft-Windows-Eventlog
---------------------------------------------------------------------------------
-
-[float]
-==== `xml_query`
-
-Provide a custom XML query. This option is mutually exclusive with the `name`, `event_id`,
-`ignore_older`, `level`, and `provider` options. These options should be included in
-the XML query directly. Furthermore, an `id` must be provided. Custom XML queries
-provide more flexibility and advanced options than the simpler query options in {beatname_uc}.
-*{vista_and_newer}*
-
-Here is a configuration which will collect DHCP server events from multiple channels:
-
-[source,yaml]
---------------------------------------------------------------------------------
-- type: winlog
-  id: dhcp-server-logs
-  xml_query: >
-    <QueryList>
-      <Query Id="0" Path="DhcpAdminEvents">
-        <Select Path="DhcpAdminEvents">*</Select>
-        <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>
-        <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
-      </Query>
-    </QueryList>
---------------------------------------------------------------------------------
-
-XML queries may also be created in Windows Event Viewer using custom views. The query
-can be created using a graphical interface and the corresponding XML can be
-retrieved from the XML tab.
-
-[float]
-==== `include_xml`
-
-Boolean option that controls if the raw XML representation of an event is
-included in the data sent by {beatname_uc}. The default is false.
-*{vista_and_newer}*
-
-The XML representation of the event is useful for troubleshooting purposes. The
-data in the fields reported by {beatname_uc} can be compared to the data in the XML
-to diagnose problems.
-
-Example:
-
-[source,yaml]
---------------------------------------------------------------------------------
-- type: winlog
-  name: Microsoft-Windows-Windows Defender/Operational
-  include_xml: true
---------------------------------------------------------------------------------
-
-* This can have a significant impact on performance that can vary depending
-on your system specs.
-
-[float]
-==== `tags`
-
-A list of tags that the Beat includes in the `tags` field of each published
-event. Tags make it easy to select specific events in Kibana or apply
-conditional filtering in Logstash. These tags will be appended to the list of
-tags specified in the general configuration.
-
-Example:
-
-[source,yaml]
---------------------------------------------------------------------------------
-- type: winlog
-  name: CustomLog
-  tags: ["web"]
---------------------------------------------------------------------------------
-
-[float]
-[[winlog-configuration-fields]]
-==== `fields`
-
-Optional fields that you can specify to add additional information to the
-output. For example, you might add fields that you can use for filtering event
-data. Fields can be scalar values, arrays, dictionaries, or any nested
-combination of these. By default, the fields that you specify here will be
-grouped under a `fields` sub-dictionary in the output document. To store the
-custom fields as top-level fields, set the `fields_under_root` option to true.
-If a duplicate field is declared in the general configuration, then its value
-will be overwritten by the value declared here.
-
-[source,yaml]
---------------------------------------------------------------------------------
-- type: winlog
-  name: CustomLog
-  fields:
-    customer_id: 51415432
---------------------------------------------------------------------------------
-
-[float]
-==== `fields_under_root`
-
-If this option is set to true, the custom <<winlog-configuration-fields,fields>>
-are stored as top-level fields in the output document instead of being grouped
-under a `fields` sub-dictionary. If the custom field names conflict with other
-field names added by {beatname_uc}, then the custom fields overwrite the other
-fields.
-
-[float]
-==== `processors`
-
-A list of processors to apply to the data generated by the event log.
-
-See <<filtering-and-enhancing-data>> for information about specifying
-processors in your config.
-
-[float]
-==== `index`
-
-If present, this formatted string overrides the index for events from this
-event log (for elasticsearch outputs), or sets the `raw_index` field of the event's
-metadata (for other outputs). This string can only refer to the agent name and
-version and the event timestamp; for access to dynamic fields, use
-`output.elasticsearch.index` or a processor.
-
-Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might
-expand to `"filebeat-myindex-2019.12.13"`.
-
-[float]
-==== `keep_null`
-
-If this option is set to true, fields with `null` values will be published in
-the output document. By default, `keep_null` is set to `false`.
-
-[float]
-==== `no_more_events`
-
-The action that the event log reader should take when it receives a signal from
-Windows that there are no more events to read. It can either `wait` for more
-events to be written (the default behavior) or it can `stop`. The overall
-{beatname_uc} process will stop when all of the individual event log readers have
-stopped. *{vista_and_newer}*
-
-Setting `no_more_events` to `stop` is useful when reading from archived event
-log files where you want to read the whole file then exit. 
diff --git a/filebeat/docs/kubernetes-default-indexers-matchers.asciidoc b/filebeat/docs/kubernetes-default-indexers-matchers.asciidoc
deleted file mode 100644
index 287b3bdbb3c5..000000000000
--- a/filebeat/docs/kubernetes-default-indexers-matchers.asciidoc
+++ /dev/null
@@ -1,14 +0,0 @@
-When `add_kubernetes_metadata` is used with {beatname_uc}, it uses the
-`container` indexer and the `logs_path`. So events whose path in `log.file.path`
-contains a reference to a container ID are enriched with metadata of the pod of
-this container.
-
-This behaviour can be disabled by disabling default indexers and matchers in the
-configuration:
-[source,yaml]
--------------------------------------------------------------------------------
-processors:
-  - add_kubernetes_metadata:
-      default_indexers.enabled: false
-      default_matchers.enabled: false
--------------------------------------------------------------------------------
diff --git a/filebeat/docs/module-development-guide.asciidoc b/filebeat/docs/module-development-guide.asciidoc
deleted file mode 100644
index 67e7a10f0dbe..000000000000
--- a/filebeat/docs/module-development-guide.asciidoc
+++ /dev/null
@@ -1,8 +0,0 @@
-= Filebeat modules developer guide
-
-This guide describes the process of creating a new Filebeat module.
-
-== Overview
-
-A Filebeat module is typically named after the service that creates the logs it
-is collecting and parsing.
diff --git a/filebeat/docs/modules-overview.asciidoc b/filebeat/docs/modules-overview.asciidoc
deleted file mode 100644
index 3dfc98e05dc4..000000000000
--- a/filebeat/docs/modules-overview.asciidoc
+++ /dev/null
@@ -1,40 +0,0 @@
-[[filebeat-modules-overview]]
-== Modules overview
-
-{beatname_uc} modules simplify the collection, parsing, and visualization of common
-log formats.
-
-A typical module (say, for the Nginx logs) is composed of one or
-more filesets (in the case of Nginx, `access` and `error`). A fileset contains
-the following:
-
-* {beatname_uc} input configurations, which contain the default paths where to
-  look for the log files. These default paths depend on the operating system.
-  The {beatname_uc} configuration is also responsible with stitching together
-  multiline events when needed.
-
-* {es} {ref}/ingest.html[ingest pipeline] definition,
-  which is used to parse the log lines.
-
-* Fields definitions, which are used to configure {es} with the
-  correct types for each field. They also contain short descriptions for each
-  of the fields.
-
-* Sample {kib} dashboards, when available, that can be used to visualize the
-log files.
-
-{beatname_uc} automatically adjusts these configurations based on your environment
-and loads them to the respective {stack} components.
-
-If a module configuration is updated, the {es} ingest pipeline
-definition is not reloaded automatically. To reload the ingest
-pipeline, set `filebeat.overwrite_pipelines: true` and manually
-<<load-ingest-pipelines, load the ingest pipelines>>.
-
-[float]
-=== Get started
-
-To learn how to configure and run {beatname_uc} modules:
-
-* Get started by reading <<{beatname_lc}-installation-configuration>>.
-* Dive into the documentation for each <<filebeat-modules,module>>.
diff --git a/filebeat/docs/modules.asciidoc b/filebeat/docs/modules.asciidoc
deleted file mode 100644
index 9de23994c656..000000000000
--- a/filebeat/docs/modules.asciidoc
+++ /dev/null
@@ -1,14 +0,0 @@
-[[filebeat-modules]]
-= Modules
-
-[partintro]
---
-This section contains an <<filebeat-modules-overview,overview>> of the Filebeat
-modules feature as well as details about each of the currently supported
-modules.
-
-Filebeat modules require Elasticsearch 5.2 or later.
-
-NOTE: While {filebeat} modules are still supported, we recommend {agent} integrations over {filebeat} modules. Integrations provide a streamlined way to connect data from a variety of vendors to the {stack}. Refer to the https://www.elastic.co/integrations/data-integrations[full list of integrations]. For more information, please refer to the {fleet-guide}/beats-agent-comparison.html[{beats} vs {agent} comparison documentation].
-
-include::modules_list.asciidoc[]
diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc
deleted file mode 100644
index 68f0476e11e0..000000000000
--- a/filebeat/docs/modules_list.asciidoc
+++ /dev/null
@@ -1,120 +0,0 @@
-////
-This file is generated! See scripts/docs_collector.py
-////
-
-  * <<filebeat-modules-overview>>
-  * <<filebeat-module-activemq>>
-  * <<filebeat-module-apache>>
-  * <<filebeat-module-auditd>>
-  * <<filebeat-module-aws>>
-  * <<filebeat-module-awsfargate>>
-  * <<filebeat-module-azure>>
-  * <<filebeat-module-cef>>
-  * <<filebeat-module-checkpoint>>
-  * <<filebeat-module-cisco>>
-  * <<filebeat-module-coredns>>
-  * <<filebeat-module-crowdstrike>>
-  * <<filebeat-module-cyberarkpas>>
-  * <<filebeat-module-elasticsearch>>
-  * <<filebeat-module-envoyproxy>>
-  * <<filebeat-module-fortinet>>
-  * <<filebeat-module-gcp>>
-  * <<filebeat-module-google_workspace>>
-  * <<filebeat-module-haproxy>>
-  * <<filebeat-module-ibmmq>>
-  * <<filebeat-module-icinga>>
-  * <<filebeat-module-iis>>
-  * <<filebeat-module-iptables>>
-  * <<filebeat-module-juniper>>
-  * <<filebeat-module-kafka>>
-  * <<filebeat-module-kibana>>
-  * <<filebeat-module-logstash>>
-  * <<filebeat-module-microsoft>>
-  * <<filebeat-module-misp>>
-  * <<filebeat-module-mongodb>>
-  * <<filebeat-module-mssql>>
-  * <<filebeat-module-mysql>>
-  * <<filebeat-module-mysqlenterprise>>
-  * <<filebeat-module-nats>>
-  * <<filebeat-module-netflow>>
-  * <<filebeat-module-nginx>>
-  * <<filebeat-module-o365>>
-  * <<filebeat-module-okta>>
-  * <<filebeat-module-oracle>>
-  * <<filebeat-module-osquery>>
-  * <<filebeat-module-panw>>
-  * <<filebeat-module-pensando>>
-  * <<filebeat-module-postgresql>>
-  * <<filebeat-module-rabbitmq>>
-  * <<filebeat-module-redis>>
-  * <<filebeat-module-salesforce>>
-  * <<filebeat-module-santa>>
-  * <<filebeat-module-snyk>>
-  * <<filebeat-module-sophos>>
-  * <<filebeat-module-suricata>>
-  * <<filebeat-module-system>>
-  * <<filebeat-module-threatintel>>
-  * <<filebeat-module-traefik>>
-  * <<filebeat-module-zeek>>
-  * <<filebeat-module-zookeeper>>
-  * <<filebeat-module-zoom>>
-
-
---
-
-include::modules-overview.asciidoc[]
-include::modules/activemq.asciidoc[]
-include::modules/apache.asciidoc[]
-include::modules/auditd.asciidoc[]
-include::modules/aws.asciidoc[]
-include::modules/awsfargate.asciidoc[]
-include::modules/azure.asciidoc[]
-include::modules/cef.asciidoc[]
-include::modules/checkpoint.asciidoc[]
-include::modules/cisco.asciidoc[]
-include::modules/coredns.asciidoc[]
-include::modules/crowdstrike.asciidoc[]
-include::modules/cyberarkpas.asciidoc[]
-include::modules/elasticsearch.asciidoc[]
-include::modules/envoyproxy.asciidoc[]
-include::modules/fortinet.asciidoc[]
-include::modules/gcp.asciidoc[]
-include::modules/google_workspace.asciidoc[]
-include::modules/haproxy.asciidoc[]
-include::modules/ibmmq.asciidoc[]
-include::modules/icinga.asciidoc[]
-include::modules/iis.asciidoc[]
-include::modules/iptables.asciidoc[]
-include::modules/juniper.asciidoc[]
-include::modules/kafka.asciidoc[]
-include::modules/kibana.asciidoc[]
-include::modules/logstash.asciidoc[]
-include::modules/microsoft.asciidoc[]
-include::modules/misp.asciidoc[]
-include::modules/mongodb.asciidoc[]
-include::modules/mssql.asciidoc[]
-include::modules/mysql.asciidoc[]
-include::modules/mysqlenterprise.asciidoc[]
-include::modules/nats.asciidoc[]
-include::modules/netflow.asciidoc[]
-include::modules/nginx.asciidoc[]
-include::modules/o365.asciidoc[]
-include::modules/okta.asciidoc[]
-include::modules/oracle.asciidoc[]
-include::modules/osquery.asciidoc[]
-include::modules/panw.asciidoc[]
-include::modules/pensando.asciidoc[]
-include::modules/postgresql.asciidoc[]
-include::modules/rabbitmq.asciidoc[]
-include::modules/redis.asciidoc[]
-include::modules/salesforce.asciidoc[]
-include::modules/santa.asciidoc[]
-include::modules/snyk.asciidoc[]
-include::modules/sophos.asciidoc[]
-include::modules/suricata.asciidoc[]
-include::modules/system.asciidoc[]
-include::modules/threatintel.asciidoc[]
-include::modules/traefik.asciidoc[]
-include::modules/zeek.asciidoc[]
-include::modules/zookeeper.asciidoc[]
-include::modules/zoom.asciidoc[]
diff --git a/filebeat/docs/multiline.asciidoc b/filebeat/docs/multiline.asciidoc
deleted file mode 100644
index c141df3dd51c..000000000000
--- a/filebeat/docs/multiline.asciidoc
+++ /dev/null
@@ -1,322 +0,0 @@
-[[multiline-examples]]
-=== Manage multiline messages
-
-++++
-<titleabbrev>Multiline messages</titleabbrev>
-++++
-
-The files harvested by {beatname_uc} may contain messages that span multiple
-lines of text. For example, multiline messages are common in files that contain
-Java stack traces. In order to correctly handle these multiline events, you need
-to configure `multiline` settings in the +{beatname_lc}.yml+ file to specify
-which lines are part of a single event.
-
-IMPORTANT: If you are sending multiline events to Logstash, use the options described here to handle multiline events
-before sending the event data to Logstash. Trying to implement multiline event handling in Logstash (for example, by
-using the Logstash multiline codec) may result in the mixing of streams and corrupted data.
-
-Also read <<yaml-tips>> and <<regexp-support>> to avoid common mistakes.
-
-[float]
-[[multiline]]
-==== Configuration options
-
-You can specify the following options in the +{beatname_lc}.inputs+ section of
-the +{beatname_lc}.yml+ config file to control how {beatname_uc} deals with messages
-that span multiple lines.
-
-The following example shows how to configure `filestream` input in {beatname_uc} to handle a multiline message where the first line of the message begins with a bracket (`[`).
-
-Please note that the example below only works with `filestream` input, and not with `log` input.
-
-[source,yaml]
--------------------------------------------------------------------------------------
-parsers:
-- multiline:
-    type: pattern
-    pattern: '^\['
-    negate: true
-    match: after
-
--------------------------------------------------------------------------------------
-
-If you still use the deprecated `log` input, there is no need to use `parsers`.
-
-[source,yaml]
--------------------------------------------------------------------------------------
-multiline.type: pattern
-multiline.pattern: '^\['
-multiline.negate: true
-multiline.match: after
-
--------------------------------------------------------------------------------------
-
-{beatname_uc} takes all the lines that do not start with `[` and combines them with the previous line that does. For example, you could use this configuration to join the following lines of a multiline message into a single event:
-
-["source","sh",subs="attributes,callouts"]
--------------------------------------------------------------------------------------
-[beat-logstash-some-name-832-2015.11.28] IndexNotFoundException[no such index]
-    at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver$WildcardExpressionResolver.resolve(IndexNameExpressionResolver.java:566)
-    at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:133)
-    at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:77)
-    at org.elasticsearch.action.admin.indices.delete.TransportDeleteIndexAction.checkBlock(TransportDeleteIndexAction.java:75)
--------------------------------------------------------------------------------------
-
-*`multiline.type`*:: Defines which aggregation method to use. The default is `pattern`. The other options
-are `count` which lets you aggregate constant number of lines and `while_pattern` which aggregate lines by pattern without match option.
-
-*`multiline.pattern`*:: Specifies the regular expression pattern to match. Note that the regexp patterns supported by {beatname_uc}
-differ somewhat from the patterns supported by Logstash. See <<regexp-support>> for a list of supported regexp patterns.
-Depending on how you configure other multiline options, lines that match the specified regular expression are considered
-either continuations of a previous line or the start of a new multiline event. You can set the `negate` option to negate
-the pattern.
-
-*`multiline.negate`*:: Defines whether the pattern is negated. The default is `false`.
-
-*`multiline.match`*:: Specifies how {beatname_uc} combines matching lines into an event. The settings are `after` or `before`. The behavior of these settings depends on what you specify for `negate`:
-+
-[options="header"]
-|=======================
-|Setting for `negate` | Setting for `match` | Result | Example `pattern: ^b`
-|`false`              | `after`             | Consecutive lines that match the pattern are appended to the previous line that doesn't match. | image:./images/false-after-multi.png[Lines a b b c b b become "abb" and "cbb"]
-|`false`              | `before`            | Consecutive lines that match the pattern are prepended to the next line that doesn't match. | image:./images/false-before-multi.png[Lines b b a b b c become "bba" and "bbc"]
-|`true`               | `after`             | Consecutive lines that don't match the pattern are appended to the previous line that does match. | image:./images/true-after-multi.png[Lines b a c b d e become "bac" and "bde"]
-|`true`               | `before`            | Consecutive lines that don't match the pattern are prepended to the next line that does match. | image:./images/true-before-multi.png[Lines a c b d e b become "acb" and "deb"]
-|=======================
-+
-NOTE: The `after` setting is equivalent to `previous` in https://www.elastic.co/guide/en/logstash/current/plugins-codecs-multiline.html[Logstash], and `before` is equivalent to `next`.
-
-*`multiline.flush_pattern`*:: Specifies a regular expression, in which the current multiline will be flushed from memory, ending the multiline-message. Work only with `pattern` type.
-
-*`multiline.max_lines`*:: The maximum number of lines that can be combined into one event. If
-the multiline message contains more than `max_lines`, any additional
-lines are discarded. The default is 500.
-
-*`multiline.timeout`*:: After the specified timeout, {beatname_uc} sends the multiline event even if no new pattern is found to start a new event. The default is 5s.
-
-*`multiline.count_lines`*:: The number of lines to aggregate into a single event.
-
-*`multiline.skip_newline`*:: When set, multiline events are concatenated without a line separator.
-
-
-==== Examples of multiline configuration
-
-The examples in this section cover the following use cases:
-
-* Combining a Java stack trace into a single event
-* Combining C-style line continuations into a single event
-* Combining multiple lines from time-stamped events
-
-[float]
-===== Java stack traces
-
-Java stack traces consist of multiple lines, with each line after the initial line beginning with whitespace, as in
-this example:
-
-[source,java]
--------------------------------------------------------------------------------------
-Exception in thread "main" java.lang.NullPointerException
-        at com.example.myproject.Book.getTitle(Book.java:16)
-        at com.example.myproject.Author.getBookTitles(Author.java:25)
-        at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
--------------------------------------------------------------------------------------
-
-To consolidate these lines into a single event in {beatname_uc}, use the following multiline configuration with `filestream`:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-parsers:
-- multiline:
-    type: pattern
-    pattern: '^[[:space:]]'
-    negate: false
-    match: after
--------------------------------------------------------------------------------------
-
-Using `log` input:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-multiline.type: pattern
-multiline.pattern: '^[[:space:]]'
-multiline.negate: false
-multiline.match: after
--------------------------------------------------------------------------------------
-
-This configuration merges any line that begins with whitespace up to the previous line.
-
-Here's a Java stack trace that presents a slightly more complex example:
-
-["source","sh",subs="attributes,callouts"]
--------------------------------------------------------------------------------------
-Exception in thread "main" java.lang.IllegalStateException: A book has a null property
-       at com.example.myproject.Author.getBookIds(Author.java:38)
-       at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
-Caused by: java.lang.NullPointerException
-       at com.example.myproject.Book.getId(Book.java:22)
-       at com.example.myproject.Author.getBookIds(Author.java:35)
-       ... 1 more
--------------------------------------------------------------------------------------
-
-To consolidate these lines into a single event in {beatname_uc}, use the following multiline configuration with `filestream`:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-parsers:
-- multiline:
-    type: pattern
-    pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
-    negate: false
-    match: after
--------------------------------------------------------------------------------------
-
-Using `log` input:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-multiline.type: pattern
-multiline.pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
-multiline.negate: false
-multiline.match: after
--------------------------------------------------------------------------------------
-
-In this example, the pattern matches the following lines:
-
-* a line that begins with spaces followed by the word `at` or `...`
-* a line that begins with the words `Caused by:`
-
-[float]
-===== Line continuations
-
-Several programming languages use the backslash (`\`) character at the end of a line to denote that the line continues,
-as in this example:
-
-[source,c]
--------------------------------------------------------------------------------------
-printf ("%10.10ld  \t %10.10ld \t %s\
-  %f", w, x, y, z );
--------------------------------------------------------------------------------------
-
-To consolidate these lines into a single event in {beatname_uc}, use the following multiline configuration with `filestream`:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-parsers:
-- multiline:
-    type: pattern
-    pattern: '\\$'
-    negate: false
-    match: before
--------------------------------------------------------------------------------------
-
-Using `log` input:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-multiline.type: pattern
-multiline.pattern: '\\$'
-multiline.negate: false
-multiline.match: before
--------------------------------------------------------------------------------------
-
-This configuration merges any line that ends with the `\` character with the line that follows.
-
-[float]
-===== Timestamps
-
-Activity logs from services such as Elasticsearch typically begin with a timestamp, followed by information on the
-specific activity, as in this example:
-
-[source,shell]
--------------------------------------------------------------------------------------
-[2015-08-24 11:49:14,389][INFO ][env                      ] [Letha] using [1] data paths, mounts [[/
-(/dev/disk1)]], net usable_space [34.5gb], net total_space [118.9gb], types [hfs]
--------------------------------------------------------------------------------------
-
-To consolidate these lines into a single event in {beatname_uc}, use the following multiline configuration with `filestream`:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-parsers:
-- multiline:
-    type: pattern
-    pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
-    negate: true
-    match: after
--------------------------------------------------------------------------------------
-
-Using `log` input:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-multiline.type: pattern
-multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
-multiline.negate: true
-multiline.match: after
--------------------------------------------------------------------------------------
-
-This configuration uses the `negate: true` and `match: after` settings to specify that any line that does not match the
-specified pattern belongs to the previous line.
-
-[float]
-===== Application events
-
-Sometimes your application logs contain events, that begin and end with custom markers, such as the following example:
-
-[source,shell]
--------------------------------------------------------------------------------------
-[2015-08-24 11:49:14,389] Start new event
-[2015-08-24 11:49:14,395] Content of processing something
-[2015-08-24 11:49:14,399] End event
--------------------------------------------------------------------------------------
-
-To consolidate this as a single event in {beatname_uc}, use the following multiline configuration with `filestream`:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-parsers:
-- multiline:
-    type: pattern
-    pattern: 'Start new event'
-    negate: true
-    match: after
-    flush_pattern: 'End event'
--------------------------------------------------------------------------------------
-
-Using `log` input:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-multiline.type: pattern
-multiline.pattern: 'Start new event'
-multiline.negate: true
-multiline.match: after
-multiline.flush_pattern: 'End event'
--------------------------------------------------------------------------------------
-
-The `flush_pattern` option, specifies a regex at which the current multiline will be flushed. If you think of the `pattern` option specifying the beginning of an event, the `flush_pattern` option will specify the end or last line of the event.
-
-NOTE: This example will not work correctly if start/end log blocks are mixed with non-multiline logs, or if different start/end log blocks overlap with each other. For instance, `Some other log` log lines in the following example will be merged into a _single_ multiline document because they neither match `multiline.pattern` nor `multiline.flush_pattern`, and `multiline.negate` is set to `true`.
-
-[source,shell]
--------------------------------------------------------------------------------------
-[2015-08-24 11:49:14,389] Start new event
-[2015-08-24 11:49:14,395] Content of processing something
-[2015-08-24 11:49:14,399] End event
-[2015-08-24 11:50:14,389] Some other log
-[2015-08-24 11:50:14,395] Some other log
-[2015-08-24 11:50:14,399] Some other log
-[2015-08-24 11:51:14,389] Start new event
-[2015-08-24 11:51:14,395] Content of processing something
-[2015-08-24 11:51:14,399] End event
--------------------------------------------------------------------------------------
-
-==== Test your regexp pattern for multiline
-
-To make it easier for you to test the regexp patterns in your multiline config, we've created a
-https://play.golang.org/p/uAd5XHxscu[Go Playground]. You can simply plug in the regexp pattern along with
-the `multiline.negate` setting that you plan to use, and paste a sample message between the content backticks (` `).
-Then click Run, and you'll see which lines in the message match your specified configuration. For example:
-
-image:images/go-playground.png[]
-
diff --git a/filebeat/docs/overview.asciidoc b/filebeat/docs/overview.asciidoc
deleted file mode 100644
index e45acb4a69a8..000000000000
--- a/filebeat/docs/overview.asciidoc
+++ /dev/null
@@ -1,22 +0,0 @@
-[[filebeat-overview]]
-== Filebeat overview
-
-{beatname_uc} is a lightweight shipper for forwarding and centralizing log data.
-Installed as an agent on your servers, {beatname_uc} monitors the log
-files or locations that you specify, collects log events, and forwards them 
-either to https://www.elastic.co/products/elasticsearch[Elasticsearch] or
-https://www.elastic.co/products/logstash[Logstash] for indexing.
-
-Here's how {beatname_uc} works: When you start {beatname_uc}, it starts one or
-more inputs that look in the locations you've specified for log data. For
-each log that {beatname_uc} locates, {beatname_uc} starts a harvester. Each
-harvester reads a single log for new content and sends the new log data to
-libbeat, which aggregates the events and sends the aggregated data to the output
-that you've configured for {beatname_uc}.
-
-image::./images/filebeat.png[Beats design]
-
-For more information about inputs and harvesters, see
-<<how-filebeat-works>>.
-
-include::{libbeat-dir}/shared-libbeat-description.asciidoc[]
diff --git a/filebeat/docs/redirects.asciidoc b/filebeat/docs/redirects.asciidoc
deleted file mode 100644
index 6d8b54b075bf..000000000000
--- a/filebeat/docs/redirects.asciidoc
+++ /dev/null
@@ -1,14 +0,0 @@
-["appendix",role="exclude",id="redirects"]
-= Deleted pages
-
-The following pages have moved or been deleted.
-
-[role="exclude",id="filebeat-module-googlecloud"]
-== Google Cloud module
-
-See <<filebeat-module-gcp>>.
-
-[role="exclude",id="filebeat-module-gsuite"]
-== GSuite module
-
-The GSuite module has been replaced by the <<filebeat-module-google_workspace>>.
diff --git a/filebeat/docs/reload-configuration.asciidoc b/filebeat/docs/reload-configuration.asciidoc
deleted file mode 100644
index 3d01e7a38500..000000000000
--- a/filebeat/docs/reload-configuration.asciidoc
+++ /dev/null
@@ -1,140 +0,0 @@
-[[filebeat-configuration-reloading]]
-== Load external configuration files
-
-++++
-<titleabbrev>Config file loading</titleabbrev>
-++++
-
-{beatname_uc} can load external configuration files for inputs and modules,
-allowing you to separate your configuration into multiple smaller
-configuration files. See the <<load-input-config>> and the
-<<load-module-config>> sections for details.
-
-include::{libbeat-dir}/shared-note-file-permissions.asciidoc[]
-
-[float]
-[[load-input-config]]
-=== Input config
-
-For input configurations, you specify the `path` option in the
-+{beatname_lc}.config.inputs+ section of the +{beatname_lc}.yml+ file. For
-example:
-
-["source","sh",subs="attributes,callouts"]
-------------------------------------------------------------------------------
-{beatname_lc}.config.inputs:
-  enabled: true
-  path: inputs.d/*.yml
-------------------------------------------------------------------------------
-
-
-Each file found by the `path` Glob must contain a list of one or more input
-definitions.
-
-TIP: The first line of each external configuration file must be an input
-definition that starts with `- type`. Make sure you omit the line
-+{beatname_lc}.config.inputs+ from this file. All <<filebeat-input-types,`input type configuration options`>>
-must be specified within each external configuration file.  Specifying these
-configuration options at the global `filebeat.config.inputs` level is not supported.
-
-Example external configuration file:
-
-[source,yaml]
-------------------------------------------------------------------------------
-- type: filestream
-  id: first
-  paths:
-    - /var/log/mysql.log
-  prospector.scanner.check_interval: 10s
-
-- type: filestream
-  id: second
-  paths:
-    - /var/log/apache.log
-  prospector.scanner.check_interval: 5s
-------------------------------------------------------------------------------
-
-
-WARNING: It is critical that two running inputs DO NOT have overlapping
-file paths defined. If more than one input harvests the same file at the
-same time, it can lead to unexpected behavior.
-
-[float]
-[[load-module-config]]
-=== Module config
-
-For module configurations, you specify the `path` option in the
-+{beatname_lc}.config.modules+ section of the +{beatname_lc}.yml+ file. By default,
-{beatname_uc} loads the module configurations enabled in the
-<<configure-modules-d-configs,`modules.d`>> directory. For example:
-
-["source","sh",subs="attributes"]
-------------------------------------------------------------------------------
-{beatname_lc}.config.modules:
-  enabled: true
-  path: ${path.config}/modules.d/*.yml
-------------------------------------------------------------------------------
-
-
-The `path` setting must point to the `modules.d` directory if you want to use
-the <<modules-command,`modules`>> command to enable and disable module
-configurations.
-
-Each file found by the Glob must contain a list of one or more module
-definitions.
-
-TIP: The first line of each external configuration file must be a module
-definition that starts with `- module`. Make sure you omit the line
-+{beatname_lc}.config.modules+ from this file.
-
-For example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-- module: apache
-  access:
-    enabled: true
-    var.paths: [/var/log/apache2/access.log*]
-  error:
-    enabled: true
-    var.paths: [/var/log/apache2/error.log*]
-------------------------------------------------------------------------------
-
-
-=== Live reloading
-
-You can configure {beatname_uc} to dynamically reload external configuration files
-when there are changes. This feature is available for input and module
-configurations that are loaded as
-<<{beatname_lc}-configuration-reloading,external configuration files>>. You cannot
-use this feature to reload the main +{beatname_lc}.yml+ configuration file.
-
-To configure this feature, you specify a path
-(https://golang.org/pkg/path/filepath/#Glob[Glob]) to watch for configuration
-changes. When the files found by the Glob change, new inputs and/or
-modules are started and stopped according to changes in the configuration files.
-
-This feature is especially useful in container environments where one container
-is used to tail logs for services running in other containers on the same host.
-
-To enable dynamic config reloading, you specify the `path` and `reload` options
-under +{beatname_lc}.config.inputs+ or +{beatname_lc}.config.modules+ sections.
-For example:
-
-["source","sh",subs="attributes"]
-------------------------------------------------------------------------------
-{beatname_lc}.config.inputs:
-  enabled: true
-  path: configs/*.yml
-  reload.enabled: true
-  reload.period: 10s
-------------------------------------------------------------------------------
-
-`path`:: A Glob that defines the files to check for changes.
-`reload.enabled`:: When set to `true`, enables dynamic config reload.
-`reload.period`:: Specifies how often the files are checked for changes. Do not
-set the `period` to less than 1s because the modification time of files is often
-stored in seconds. Setting the `period` to less than 1s will result in
-unnecessary overhead.
-
-include::{libbeat-dir}/shared-note-file-permissions.asciidoc[]
diff --git a/filebeat/docs/running-on-cloudfoundry.asciidoc b/filebeat/docs/running-on-cloudfoundry.asciidoc
deleted file mode 100644
index 0289e955282e..000000000000
--- a/filebeat/docs/running-on-cloudfoundry.asciidoc
+++ /dev/null
@@ -1 +0,0 @@
-include::{libbeat-dir}/shared-cloudfoundry.asciidoc[]
diff --git a/filebeat/docs/running-on-docker.asciidoc b/filebeat/docs/running-on-docker.asciidoc
deleted file mode 100644
index dbfcce5b489d..000000000000
--- a/filebeat/docs/running-on-docker.asciidoc
+++ /dev/null
@@ -1 +0,0 @@
-include::{libbeat-dir}/shared-docker.asciidoc[]
diff --git a/filebeat/docs/running-on-kubernetes.asciidoc b/filebeat/docs/running-on-kubernetes.asciidoc
deleted file mode 100644
index 889ec8d5d8b7..000000000000
--- a/filebeat/docs/running-on-kubernetes.asciidoc
+++ /dev/null
@@ -1,273 +0,0 @@
-[[running-on-kubernetes]]
-=== Run {beatname_uc} on Kubernetes
-
-You can use {beatname_uc} <<running-on-docker,Docker images>> on Kubernetes to
-retrieve and ship container logs.
-
-TIP: Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK].
-
-ifeval::["{release-state}"=="unreleased"]
-
-However, version {version} of {beatname_uc} has not yet been
-released, so no Docker image is currently available for this version.
-
-endif::[]
-
-
-[float]
-==== Kubernetes deploy manifests
-
-You deploy {beatname_uc} as a https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet]
-to ensure there's a running instance on each node of the cluster.
-
-The container logs host folder (`/var/log/containers`) is mounted on the
-{beatname_uc} container. {beatname_uc} starts an input for the files and
-begins harvesting them as soon as they appear in the folder.
-
-Everything is deployed under the `kube-system` namespace by default. To change
-the namespace, modify the manifest file.
-
-To download the manifest file, run:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kubernetes/filebeat-kubernetes.yaml
-------------------------------------------------
-
-[WARNING]
-=======================================
-*If you are using Kubernetes 1.7 or earlier:* {beatname_uc} uses a hostPath volume to persist internal data. It's located
-under +/var/lib/{beatname_lc}-data+. The manifest uses folder autocreation (`DirectoryOrCreate`), which was introduced in
-Kubernetes 1.8. You need to remove `type: DirectoryOrCreate` from the manifest and create the host folder yourself.
-=======================================
-
-[float]
-==== Settings
-
-By default, {beatname_uc} sends events to an existing Elasticsearch deployment,
-if present. To specify a different destination, change the following parameters
-in the manifest file:
-
-[source,yaml]
-------------------------------------------------
-- name: ELASTICSEARCH_HOST
-  value: elasticsearch
-- name: ELASTICSEARCH_PORT
-  value: "9200"
-- name: ELASTICSEARCH_USERNAME
-  value: elastic
-- name: ELASTICSEARCH_PASSWORD
-  value: changeme
-------------------------------------------------
-
-[float]
-===== Running {beatname_uc} on control plane nodes
-
-Kubernetes control plane nodes can use https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/[taints]
-to limit the workloads that can run on them. To run {beatname_uc} on control plane nodes you may need to
-update the Daemonset spec to include proper tolerations:
-
-[source,yaml]
-------------------------------------------------
-spec:
- tolerations:
- - key: node-role.kubernetes.io/control-plane
-   effect: NoSchedule
-------------------------------------------------
-
-[float]
-===== Red Hat OpenShift configuration
-
-If you are using Red Hat OpenShift, you need to specify additional settings in
-the manifest file and enable the container to run as privileged. Filebeat needs to run as a privileged container to mount logs written on the node (hostPath) and read them.
-
-. Modify the `DaemonSet` container spec in the manifest file:
-+
-[source,yaml]
------
-  securityContext:
-    runAsUser: 0
-    privileged: true
------
-
-. Grant the `filebeat` service account access to the privileged SCC:
-+
-[source,shell]
------
-oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:filebeat
------
-+
-This command enables the container to be privileged as an administrator for
-OpenShift.
-
-. Override the default node selector for the `kube-system` namespace (or your
-custom namespace) to allow for scheduling on any node:
-+
-[source,shell]
-----
-oc patch namespace kube-system -p \
-'{"metadata": {"annotations": {"openshift.io/node-selector": ""}}}'
-----
-+
-This command sets the node selector for the project to an empty string. If you
-don't run this command, the default node selector will skip control plane nodes.
-
-In order to support runtime environments with Openshift (eg. CRI-O, containerd) you need to configure following path:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: container
-  paths: <1>
-    - '/var/log/containers/*.log'
-----
-
-Same path needs to be configured in case autodiscovery needs to be enabled:
-
-["source","yaml",subs="attributes"]
-----
-filebeat.autodiscover:
-  providers:
-    - type: kubernetes
-      node: ${NODE_NAME}
-      hints.enabled: true
-      hints.default_config:
-        type: container
-        paths:
-          - /var/log/containers/*.log
-----
-
-NOTE: `/var/log/containers/\*.log` is normally a symlink to `/var/log/pods/*/*.log`,
-so above paths can be edited accordingly
-
-
-[float]
-==== Load {kib} dashboards
-
-{beatname_uc} comes packaged with various pre-built {kib} dashboards
-that you can use to visualize logs from your Kubernetes environment.
-
-If these dashboards are not already loaded into {kib}, you must <<{beatname_lc}-installation-configuration,install {beatname_uc}>>
-on any system that can connect to the {stack}, and then run the `setup` command to load the dashboards.
-To learn how, see <<load-kibana-dashboards,Load {kib} dashboards>>.
-
-The `setup` command does not load the ingest pipelines used to parse log lines. By default, ingest pipelines
-are set up automatically the first time you run {beatname_uc} and connect to {es}.
-
-[IMPORTANT]
-=======================================
-If you are using a different output other than {es}, such as {ls}, you
-need to:
-
-* <<load-template-manually>>
-* <<load-kibana-dashboards>>
-* <<load-ingest-pipelines>>
-=======================================
-
-[float]
-==== Deploy
-
-To deploy {beatname_uc} to Kubernetes, run:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-kubectl create -f filebeat-kubernetes.yaml
-------------------------------------------------
-
-To check the status, run:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-$ kubectl --namespace=kube-system get ds/filebeat
-
-NAME       DESIRED   CURRENT   READY     UP-TO-DATE   AVAILABLE   NODE-SELECTOR   AGE
-filebeat   32        32        0         32           0           <none>          1m
-------------------------------------------------
-
-Log events should start flowing to Elasticsearch. The events are annotated with
-metadata added by the <<add-kubernetes-metadata>> processor.
-
-
-[float]
-==== Parsing json logs
-
-It is common case when collecting logs from workloads running on Kubernetes that these
-applications are logging in json format. In these case, special handling can be applied so as to
-parse these json logs properly and decode them into fields. Bellow there are provided 2 different ways
-of configuring <<configuration-autodiscover, filebeat's autodiscover>> so as to identify and parse json logs.
-We will use an example of one Pod with 2 containers where only one of these logs in json format.
-
-Example log:
-```
-{"type":"log","@timestamp":"2020-11-16T14:30:13+00:00","tags":["warning","plugins","licensing"],"pid":7,"message":"License information could not be obtained from Elasticsearch due to Error: No Living connections error"}
-```
-
-
-. Using `json.*` options with templates
-+
-[source,yaml]
-------------------------------------------------
-filebeat.autodiscover:
-  providers:
-      - type: kubernetes
-        node: ${NODE_NAME}
-        templates:
-          - condition:
-              contains:
-                kubernetes.container.name: "no-json-logging"
-            config:
-              - type: container
-                paths:
-                  - "/var/log/containers/*-${data.kubernetes.container.id}.log"
-          - condition:
-              contains:
-                kubernetes.container.name: "json-logging"
-            config:
-              - type: container
-                paths:
-                  - "/var/log/containers/*-${data.kubernetes.container.id}.log"
-                json.keys_under_root: true
-                json.add_error_key: true
-                json.message_key: message
-------------------------------------------------
-
-. Using `json.*` options with hints
-+
-Key part here is to properly annotate the Pod to only parse logs of the correct container
-as json logs. In this, annotation should be constructed like this:
-+
-`co.elastic.logs.<container_name>/json.keys_under_root: "true"`
-+
-Autodiscovery configuration:
-+
-[source,yaml]
-------------------------------------------------
-filebeat.autodiscover:
-  providers:
-    - type: kubernetes
-      node: ${NODE_NAME}
-      hints.enabled: true
-      hints.default_config:
-        type: container
-        paths:
-          - /var/log/containers/*${data.kubernetes.container.id}.log
-------------------------------------------------
-+
-Then annotate the pod properly:
-+
-[source,yaml]
-------------------------------------------------
-annotations:
-    co.elastic.logs.json-logging/json.keys_under_root: "true"
-    co.elastic.logs.json-logging/json.add_error_key: "true"
-    co.elastic.logs.json-logging/json.message_key: "message"
-------------------------------------------------
-
-[float]
-==== Logrotation
-
-According to https://kubernetes.io/docs/concepts/cluster-administration/logging/#logging-at-the-node-level[kubernetes documentation]
-_Kubernetes is not responsible for rotating logs, but rather a deployment tool should set up a solution to address that_.
-Different logrotation strategies can cause issues that might make Filebeat losing events or even duplicating events.
-Users can find more information about Filebeat's logrotation best practises at Filebeat's
-<<file-log-rotation,log rotation specific documentation>>
diff --git a/filebeat/docs/setting-up-running.asciidoc b/filebeat/docs/setting-up-running.asciidoc
deleted file mode 100644
index f81ebee92970..000000000000
--- a/filebeat/docs/setting-up-running.asciidoc
+++ /dev/null
@@ -1,62 +0,0 @@
-/////
-// NOTE:
-// Each beat has its own setup overview to allow for the addition of content
-// that is unique to each beat.
-/////
-
-[[setting-up-and-running]]
-== Set up and run {beatname_uc}
-
-++++
-<titleabbrev>Set up and run</titleabbrev>
-++++
-
-Before reading this section, see
-<<{beatname_lc}-installation-configuration>> for basic
-installation instructions to get you started.
-
-This section includes additional information on how to install, set up, and run
-{beatname_uc}, including:
-
-* <<directory-layout>>
-
-* <<keystore>>
-
-* <<command-line-options>>
-
-* <<setup-repositories>>
-
-* <<running-on-docker>>
-
-* <<running-on-kubernetes>>
-
-* <<running-on-cloudfoundry>>
-
-* <<running-with-systemd>>
-
-* <<{beatname_lc}-starting>>
-
-* <<shutdown>>
-
-
-//MAINTAINERS: If you add a new file to this section, make sure you update the bulleted list ^^ too.
-
-include::{libbeat-dir}/shared-directory-layout.asciidoc[]
-
-include::{libbeat-dir}/keystore.asciidoc[]
-
-include::{libbeat-dir}/command-reference.asciidoc[]
-
-include::{libbeat-dir}/repositories.asciidoc[]
-
-include::./running-on-docker.asciidoc[]
-
-include::./running-on-kubernetes.asciidoc[]
-
-include::./running-on-cloudfoundry.asciidoc[]
-
-include::{libbeat-dir}/shared-systemd.asciidoc[]
-
-include::{libbeat-dir}/shared/start-beat.asciidoc[]
-
-include::{libbeat-dir}/shared/shutdown.asciidoc[]
diff --git a/filebeat/docs/support.asciidoc b/filebeat/docs/support.asciidoc
deleted file mode 100644
index 3f2ff2d6cc8f..000000000000
--- a/filebeat/docs/support.asciidoc
+++ /dev/null
@@ -1,5 +0,0 @@
-
-
-
-
-
diff --git a/filebeat/docs/troubleshooting.asciidoc b/filebeat/docs/troubleshooting.asciidoc
deleted file mode 100644
index f16042bc871e..000000000000
--- a/filebeat/docs/troubleshooting.asciidoc
+++ /dev/null
@@ -1,41 +0,0 @@
-[[troubleshooting]]
-= Troubleshoot
-
-[partintro]
---
-If you have issues installing or running Filebeat, read the
-following tips:
-
-* <<getting-help>>
-* <<enable-filebeat-debugging>>
-* <<understand-{beatname_lc}-logs>>
-* <<faq>>
-
-//sets block macro for getting-help.asciidoc included in next section
-
---
-
-[[getting-help]]
-== Get help
-
-include::{libbeat-dir}/getting-help.asciidoc[]
-
-//sets block macro for debugging.asciidoc included in next section
-
-[[enable-filebeat-debugging]]
-== Debug
-
-include::{libbeat-dir}/debugging.asciidoc[]
-
-//sets block macro for metrics-in-logs.asciidoc included in next section
-
-[id="understand-{beatname_lc}-logs"]
-[role="xpack"]
-== Understand metrics in {beatname_uc} logs
-
-++++
-<titleabbrev>Understand logged metrics</titleabbrev>
-++++
-
-include::{libbeat-dir}/metrics-in-logs.asciidoc[]
-
diff --git a/filebeat/docs/upgrading.asciidoc b/filebeat/docs/upgrading.asciidoc
deleted file mode 100644
index ca5aa0cfbe87..000000000000
--- a/filebeat/docs/upgrading.asciidoc
+++ /dev/null
@@ -1,11 +0,0 @@
-[[upgrading-filebeat]]
-== Upgrade {beatname_uc}
-
-++++
-<titleabbrev>Upgrade</titleabbrev>
-++++
-
-For information about upgrading to a new version, see:
-
-* {beats-ref}/breaking-changes.html[Breaking Changes]
-* {beats-ref}/upgrading.html[Upgrade]
diff --git a/heartbeat/docs/autodiscover-aws-elb-config.asciidoc b/heartbeat/docs/autodiscover-aws-elb-config.asciidoc
deleted file mode 100644
index 52bb820d3b0f..000000000000
--- a/heartbeat/docs/autodiscover-aws-elb-config.asciidoc
+++ /dev/null
@@ -1,22 +0,0 @@
-{beatname_uc} supports templates for modules:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-heartbeat.autodiscover:
-  providers:
-  - type: aws_elb
-    period: 1m
-    regions: ["us-east-1", "us-east-2"]
-    access_key_id: my-access-key
-    secret_access_key: my-secret-access-key
-    templates:
-    - condition:
-        equals.port: 8080
-      config:
-      - type: tcp
-        hosts: ["${data.host}:${data.port}"]
-        schedule: "@every 5s"
-        timeout: 1s
--------------------------------------------------------------------------------------
-
-This configuration launches a `tcp` monitor for all ELBs that have a declared port.
diff --git a/heartbeat/docs/autodiscover-docker-config.asciidoc b/heartbeat/docs/autodiscover-docker-config.asciidoc
deleted file mode 100644
index 3c071c355acc..000000000000
--- a/heartbeat/docs/autodiscover-docker-config.asciidoc
+++ /dev/null
@@ -1,19 +0,0 @@
-{beatname_uc} supports templates for modules:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-heartbeat.autodiscover:
-  providers:
-    - type: docker
-      templates:
-        - condition:
-            contains:
-              docker.container.image: redis
-          config:
-            - type: tcp
-              hosts: ["${data.host}:${data.port}"]
-              schedule: "@every 1s"
-              timeout: 1s
--------------------------------------------------------------------------------------
-
-This configuration launches a `redis` monitor for all containers running an image with `redis` in the name.
diff --git a/heartbeat/docs/autodiscover-hints.asciidoc b/heartbeat/docs/autodiscover-hints.asciidoc
deleted file mode 100644
index e544c39e92b4..000000000000
--- a/heartbeat/docs/autodiscover-hints.asciidoc
+++ /dev/null
@@ -1,153 +0,0 @@
-{beatname_uc} supports autodiscover based on hints from the provider. The hints system looks for
-hints in Kubernetes Pod annotations or Docker labels that have the prefix `co.elastic.monitor`. As soon as
-the container starts, {beatname_uc} will check if it contains any hints and launch the proper config for
-it. Hints tell {beatname_uc} how to get logs for the given container. By default monitors will be created
-for the container that exposes the port being requested to be monitored. You can use hints to modify this behavior. This is the full
-list of supported hints:
-
-
-[float]
-===== `co.elastic.monitor/type`
-
-Define the monitor type to use. Ex: http, tcp, icmp
-
-[float]
-===== `co.elastic.monitor/hosts`
-
-The URIs to monitor. Example:
-[source,yaml]
------
-co.elastic.monitor/type: icmp
-co.elastic.monitor/hosts: ${data.host}
------
-
-This would ensure that each host has an ICMP monitor enabled on it.
-
-[float]
-===== `co.elastic.monitor/schedule`
-
-Define the schedule on which the monitor should be executed.
------
-co.elastic.monitor/schedule: "@every 5s"
------
-
-[float]
-===== `co.elastic.monitor/processors`
-
-Define a processor to be added to the {beatname_uc} monitor configuration. See <<filtering-and-enhancing-data>> for the list
-of supported processors.
-
-In order to provide ordering of the processor definition, numbers can be provided. If not, the hints builder will do
-arbitrary ordering:
-
-[source,yaml]
------
-co.elastic.monitor/processors.1.drop_fields.fields: "field1, field2"
-co.elastic.monitor/processors.drop_fields.fields: "field3"
------
-
-In the above sample the processor definition tagged with `1` would be executed first.
-
-When hints are used along with templates, then hints will be evaluated only in case
-there is no template's condition that resolves to true. For example:
-
-[source,yaml]
------
-heartbeat.autodiscover:
-    - type: docker
-      hints.enabled: true
-      templates:
-        - condition:
-            contains:
-              docker.container.image: redis
-          config:
-            - type: tcp
-              hosts: ["${data.host}:${data.port}"]
-              schedule: "@every 1s"
-              timeout: 1s
------
-
-In this example first the condition `docker.container.image: redis` is evaluated
-and if not matched the hints will be processed and if there is again no valid config
-the `hints.default_config` will be used.
-
-[float]
-==== Kubernetes
-
-Kubernetes autodiscover provider supports hints in Pod annotations. To enable it just set `hints.enabled`:
-
-[source,yaml]
------
-heartbeat.autodiscover:
-  providers:
-    - type: kubernetes
-      hints.enabled: true
------
-
-You can annotate Kubernetes Pods with useful info to spin up {beatname_uc} monitors:
-
-[source,yaml]
------
-annotations:
-  co.elastic.monitor/type: icmp
-  co.elastic.monitor/hosts: ${data.host}
-  co.elastic.monitor/schedule: "@every 5s"
------
-
-
-[float]
-===== Multiple containers
-
-When a pod has multiple containers, the settings are shared unless you add the container name in the
-hint. For example, these hints configure the container exposing port 8080 to do a HTTP check and have the `sidecar`
-container to have an TCP check.
-
-
-[source,yaml]
------
-annotations:
-  co.elastic.monitor/type: http
-  co.elastic.monitor/hosts: ${data.host}:8080/healthz
-  co.elastic.monitor/schedule: "@every 5s"
-  co.elastic.monitor.sidecar/type: tcp
-  co.elastic.monitor.sidecar/hosts: ${data.host}:8081
-  co.elastic.monitor.sidecar/schedule: "@every 5s"
-
------
-
-[float]
-===== Multiple sets of hints
-When a container needs multiple monitors to be defined on it, sets of annotations can be provided with numeric prefixes.
-Annotations without numeric prefixes would default into a single monitor configuration.
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-annotations:
-  co.elastic.monitor/type: http
-  co.elastic.monitor/hosts: ${data.host}:8080/healthz
-  co.elastic.monitor/schedule: "@every 5s"
-  co.elastic.monitor/1.type: tcp
-  co.elastic.monitor/1.hosts: ${data.host}:8080
-  co.elastic.monitor/1.schedule: "@every 5s"
--------------------------------------------------------------------------------------
-
-
-[float]
-==== Docker
-
-Docker autodiscover provider supports hints in labels. To enable it just set `hints.enabled`:
-
-[source,yaml]
------
-heartbeat.autodiscover:
-  providers:
-    - type: docker
-      hints.enabled: true
------
-
-You can label Docker containers with useful info to spin up {beatname_uc} monitors similar to the Kubernetes example:
-----------------------------------------------------------------------
-LABEL co.elastic.monitor/1.type=tcp co.elastic.monitor/1.hosts='${data.host}:6379' co.elastic.monitor/1.schedule='@every 10s'
-LABEL co.elastic.monitor/2.type=icmp co.elastic.monitor/2.hosts='${data.host}' co.elastic.monitor/2.schedule='@every 10s'
-----------------------------------------------------------------------
-
diff --git a/heartbeat/docs/autodiscover-kubernetes-config.asciidoc b/heartbeat/docs/autodiscover-kubernetes-config.asciidoc
deleted file mode 100644
index 5f6788a17487..000000000000
--- a/heartbeat/docs/autodiscover-kubernetes-config.asciidoc
+++ /dev/null
@@ -1,20 +0,0 @@
-{beatname_uc} supports templates for modules:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-heartbeat.autodiscover:
-  providers:
-    - type: kubernetes
-      include_annotations: ["prometheus.io.scrape"]
-      templates:
-        - condition:
-            contains:
-              kubernetes.annotations.prometheus.io/scrape: "true"
-          config:
-            - type: http
-              hosts: ["${data.host}:${data.port}"]
-              schedule: "@every 1s"
-              timeout: 1s
--------------------------------------------------------------------------------------
-
-This configuration launches an `http` module for all containers of pods annotated with `prometheus.io/scrape=true`.
diff --git a/heartbeat/docs/aws-credentials-examples.asciidoc b/heartbeat/docs/aws-credentials-examples.asciidoc
deleted file mode 100644
index 881db653c227..000000000000
--- a/heartbeat/docs/aws-credentials-examples.asciidoc
+++ /dev/null
@@ -1,52 +0,0 @@
-[source,yaml]
-----
-heartbeat.autodiscover:
-  providers:
-  - type: aws_elb
-    period: 1m
-    regions: ["us-east-1", "us-east-2"]
-    access_key_id: '<access_key_id>'
-    secret_access_key: '<secret_access_key>'
-    session_token: '<session_token>'
-    templates:
-    - type: tcp
-      hosts: ["${data.host}:${data.port}"]
-      schedule: "@every 5s"
-      timeout: 1s
-----
-
-or
-
-[source,yaml]
-----
-heartbeat.autodiscover:
-  providers:
-  - type: aws_elb
-    period: 1m
-    regions: ["us-east-1", "us-east-2"]
-    access_key_id: '${AWS_ACCESS_KEY_ID:""}'
-    secret_access_key: '${AWS_SECRET_ACCESS_KEY:""}'
-    session_token: '${AWS_SESSION_TOKEN:""}'
-    templates:
-    - type: tcp
-      hosts: ["${data.host}:${data.port}"]
-      schedule: "@every 5s"
-      timeout: 1s
-----
-
-* Use shared AWS credentials file
-
-[source,yaml]
-----
-heartbeat.autodiscover:
-  providers:
-  - type: aws_elb
-    period: 1m
-    regions: ["us-east-1", "us-east-2"]
-    credential_profile_name: test-hb
-    templates:
-    - type: tcp
-      hosts: ["${data.host}:${data.port}"]
-      schedule: "@every 5s"
-      timeout: 1s
-----
diff --git a/heartbeat/docs/configuring-howto.asciidoc b/heartbeat/docs/configuring-howto.asciidoc
deleted file mode 100644
index 430044820a6c..000000000000
--- a/heartbeat/docs/configuring-howto.asciidoc
+++ /dev/null
@@ -1,74 +0,0 @@
-[[configuring-howto-heartbeat]]
-= Configure {beatname_uc}
-
-[partintro]
---
-++++
-<titleabbrev>Configure</titleabbrev>
-++++
-
-include::{libbeat-dir}/shared/configuring-intro.asciidoc[]
-
-* <<configuration-heartbeat-options>>
-* <<monitors-scheduler>>
-* <<configuration-general-options>>
-* <<configuration-path>>
-* <<configuring-output>>
-* <<configuration-ssl>>
-* <<ilm>>
-* <<configuration-template>>
-* <<filtering-and-enhancing-data>>
-* <<configuration-autodiscover>>
-* <<configuring-internal-queue>>
-* <<configuration-logging>>
-* <<http-endpoint>>
-* <<regexp-support>>
-* <<configuration-instrumentation>>
-* <<configuration-feature-flags>>
-* <<{beatname_lc}-reference-yml>>
-
---
-
-include::./heartbeat-options.asciidoc[]
-
-include::./heartbeat-scheduler.asciidoc[]
-
-include::./heartbeat-general-options.asciidoc[]
-
-include::{libbeat-dir}/shared-path-config.asciidoc[]
-
-include::{libbeat-dir}/outputconfig.asciidoc[]
-
-ifndef::no_kerberos[]
-include::{libbeat-dir}/shared-kerberos-config.asciidoc[]
-endif::[]
-
-include::{libbeat-dir}/shared-ssl-config.asciidoc[]
-
-include::{libbeat-dir}/shared-ilm.asciidoc[]
-
-include::{libbeat-dir}/setup-config.asciidoc[]
-
-include::./heartbeat-filtering.asciidoc[]
-
-:autodiscoverAWSELB:
-:autodiscoverHints:
-include::{libbeat-dir}/shared-autodiscover.asciidoc[]
-:autodiscoverHints!:
-:autodiscoverAWSELB!:
-
-include::{libbeat-dir}/queueconfig.asciidoc[]
-
-include::{libbeat-dir}/loggingconfig.asciidoc[]
-
-include::{libbeat-dir}/http-endpoint.asciidoc[]
-
-include::{libbeat-dir}/regexp.asciidoc[]
-
-include::{libbeat-dir}/shared-instrumentation.asciidoc[]
-
-include::{libbeat-dir}/shared-feature-flags.asciidoc[]
-
-include::{libbeat-dir}/reference-yml.asciidoc[]
-
-include::./monitors/monitor-browser.asciidoc[]
diff --git a/heartbeat/docs/faq.asciidoc b/heartbeat/docs/faq.asciidoc
deleted file mode 100644
index bbe89a61c721..000000000000
--- a/heartbeat/docs/faq.asciidoc
+++ /dev/null
@@ -1,10 +0,0 @@
-[[faq]]
-== Common problems
-
-This section describes common problems you might encounter with
-{beatname_uc}. Also check out the
-https://discuss.elastic.co/c/beats/{beatname_lc}[{beatname_uc} discussion forum].
-
-include::{libbeat-dir}/faq-limit-bandwidth.asciidoc[]
-
-include::{libbeat-dir}/shared-faq.asciidoc[]
diff --git a/heartbeat/docs/getting-started.asciidoc b/heartbeat/docs/getting-started.asciidoc
deleted file mode 100644
index be2853331139..000000000000
--- a/heartbeat/docs/getting-started.asciidoc
+++ /dev/null
@@ -1,202 +0,0 @@
-[id="{beatname_lc}-installation-configuration"]
-== {beatname_uc} quick start: installation and configuration
-
-++++
-<titleabbrev>Quick start: installation and configuration</titleabbrev>
-++++
-
-This guide describes how to get started quickly collecting uptime data about
-your hosts. You'll learn how to:
-
-* install {beatname_uc}
-* specify the protocols to monitor
-* send uptime data to {es}
-* visualize the uptime data in {kib}
-
-[role="screenshot"]
-image::./images/heartbeat-statistics.png[{beatname_uc} HTTP monitoring dashboard]
-
-[float]
-=== Before you begin
-
-You need {es} for storing and searching your data, and {kib} for visualizing and
-managing it.
-
-include::{libbeat-dir}/tab-widgets/spinup-stack-widget.asciidoc[]
-
-[float]
-[[installation]]
-=== Step 1: Install Heartbeat
-
-Unlike most Beats, which you install on edge nodes, you typically install
-Heartbeat as part of a monitoring service that runs on a separate machine
-and possibly even outside of the network where the services that you want to
-monitor are running.
-
-To download and install {beatname_uc}, use the commands that work with your
-system:
-
-include::{libbeat-dir}/tab-widgets/install-widget.asciidoc[]
-
-The commands shown are for AMD platforms, but ARM packages are also available.
-Refer to the https://www.elastic.co/downloads/beats/{beatname_lc}[download page]
-for the full list of available packages.
-
-[float]
-[[other-installation-options]]
-==== Other installation options
-
-* <<setup-repositories,APT or YUM>>
-* https://www.elastic.co/downloads/beats/{beatname_lc}[Download page]
-* <<running-on-docker,Docker>>
-
-[float]
-[[set-connection]]
-=== Step 2: Connect to the {stack}
-
-include::{libbeat-dir}/shared/connecting-to-es.asciidoc[]
-
-[float]
-[[configuration]]
-=== Step 3: Configure Heartbeat monitors
-
-Heartbeat provides monitors to check the status of hosts at set intervals.
-Heartbeat currently provides monitors for ICMP, TCP, and HTTP (see
-<<heartbeat-overview>> for more about these monitors).
-
-You configure each monitor individually. In +{beatname_lc}.yml+, specify the
-list of monitors that you want to enable. Each item in the list begins with a
-dash (-). The following example configures Heartbeat to use three monitors: an
-`icmp` monitor, a `tcp` monitor, and an `http` monitor.
-
-[source,yaml]
-----------------------------------------------------------------------
-heartbeat.monitors:
-- type: icmp
-  schedule: '*/5 * * * * * *' <1>
-  hosts: ["myhost"]
-  id: my-icmp-service
-  name: My ICMP Service
-- type: tcp
-  schedule: '@every 5s' <2>
-  hosts: ["myhost:12345"]
-  mode: any <3>
-  id: my-tcp-service
-- type: http
-  schedule: '@every 5s'
-  urls: ["http://example.net"]
-  service.name: apm-service-name <4>
-  id: my-http-service
-  name: My HTTP Service
-----------------------------------------------------------------------
-<1> The `icmp` monitor is scheduled to run exactly every 5 seconds (10:00:00,
-10:00:05, and so on). The `schedule` option uses a cron-like syntax based on
-https://github.com/gorhill/cronexpr#implementation[this `cronexpr` implementation].
-<2> The `tcp` monitor is set to run every 5 seconds from the time when Heartbeat
-was started. Heartbeat adds the `@every` keyword to the syntax provided by the
-`cronexpr` package.
-<3> The `mode` specifies whether to ping one IP (`any`) or all resolvable IPs
-<4> The `service.name` field can be used to integrate heartbeat with elastic APM via the Uptime UI.
-
-include::{libbeat-dir}/shared/config-check.asciidoc[]
-
-[float]
-[[configurelocation]]
-=== Step 4: Configure the Heartbeat location
-
-Heartbeat can be deployed in multiple locations so that you can detect
-differences in availability and response times across those locations.
-Configure the Heartbeat location to allow {kib} to display location-specific
-information on Uptime maps and perform Uptime anomaly detection based
-on location.
-
-To configure the location of a Heartbeat instance, modify the
-`add_observer_metadata` processor in +{beatname_lc}.yml+.  The following
-example specifies the `geo.name` of the `add_observer_metadata` processor as
-`us-east-1a`:
-
-[source,yaml]
-----------------------------------------------------------------------
-# ============================ Processors ============================
-
-processors:
-  - add_observer_metadata:
-      # Optional, but recommended geo settings for the location Heartbeat is running in
-      geo: <1>
-        # Token describing this location
-        name: us-east-1a <2>
-        # Lat, Lon "
-        #location: "37.926868, -78.024902" <3>
-----------------------------------------------------------------------
-<1> Uncomment the `geo` setting.
-<2> Uncomment `name` and assign the name of the location of the Heartbeat server.
-<3> Optionally uncomment `location` and assign the latitude and longitude.
-
-include::{libbeat-dir}/shared/config-check.asciidoc[]
-
-[float]
-[[setup-assets]]
-=== Step 5: Set up assets
-
-{beatname_uc} comes with predefined assets for parsing, indexing, and
-visualizing your data. To load these assets:
-
-. Make sure the user specified in +{beatname_lc}.yml+ is
-<<privileges-to-setup-beats,authorized to set up {beatname_uc}>>.
-
-. From the installation directory, run:
-+
---
-include::{libbeat-dir}/tab-widgets/setup-widget.asciidoc[]
---
-+
-`-e` is optional and sends output to standard error instead of the configured log output.
-
-This step loads the recommended {ref}/index-templates.html[index template] for writing to {es}.
-It does not install {beatname_uc} dashboards.  Heartbeat dashboards and
-installation steps are available in the
-https://github.com/elastic/uptime-contrib[uptime-contrib] GitHub repository.
-
-[TIP]
-=====
-A connection to {es} (or {ess}) is required to set up the initial
-environment. If you're using a different output, such as {ls}, see
-<<load-template-manually>>.
-=====
-
-[float]
-[[start]]
-=== Step 6: Start Heartbeat
-
-Before starting {beatname_uc}, modify the user credentials in
-+{beatname_lc}.yml+ and specify a user who is
-<<privileges-to-publish-events,authorized to publish events>>.
-
-To start {beatname_uc}, run:
-
-:requires-sudo:
-include::{libbeat-dir}/tab-widgets/start-widget.asciidoc[]
-:requires-sudo!:
-
-Heartbeat is now ready to check the status of your services and send
-events to your defined output.
-
-[float]
-[[view-data]]
-=== Step 7: View your data in {kib}
-
-{beatname_uc} comes with pre-built {kib} dashboards and UIs for visualizing the
-status of your services. The dashboards are available in the
-https://github.com/elastic/uptime-contrib[uptime-contrib] GitHub repository.
-
-If you loaded the dashboards earlier, open them now.
-
-include::{libbeat-dir}/shared/opendashboards.asciidoc[tag=open-dashboards]
-
-[float]
-=== What's next?
-
-Now that you have your uptime data streaming into {es}, learn how to unify your
-logs, metrics, uptime, and application performance data.
-
-include::{libbeat-dir}/shared/obs-apps.asciidoc[]
diff --git a/heartbeat/docs/heartbeat-devguide.asciidoc b/heartbeat/docs/heartbeat-devguide.asciidoc
deleted file mode 100644
index 1939648b7596..000000000000
--- a/heartbeat/docs/heartbeat-devguide.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-[[heartbeat-developer-guide]]
-= Heartbeat developer guide
-
-[partintro]
---
-
-Heartbeat pings your remote services periodically and determines whether they
-are available. As a developer, you can use Heartbeat in two different ways:
-
-* Extend Heartbeat directly
-* Create your own Beat and use Heartbeat as a library
-
-We recommend that you start by creating your own Beat to keep the development of
-your own monitors independent of Heartbeat. At a later stage, if you decide to
-add a monitor to Heartbeat, you can reuse the code without making additional changes.
-
-The following topics describe how to contribute to Heartbeat by adding new monitors
-and new Beats based on Heartbeat:
-
---
-
-[[heartbeat-dev-overview]]
-== Overview
-
-Heartbeat consists of monitors that....
-
-//TODO: Add developer guide content when Heartbeat is further along
diff --git a/heartbeat/docs/heartbeat-filtering.asciidoc b/heartbeat/docs/heartbeat-filtering.asciidoc
deleted file mode 100644
index 6919965ac540..000000000000
--- a/heartbeat/docs/heartbeat-filtering.asciidoc
+++ /dev/null
@@ -1,10 +0,0 @@
-[[filtering-and-enhancing-data]]
-== Filter and enhance data with processors
-
-++++
-<titleabbrev>Processors</titleabbrev>
-++++
-
-include::{libbeat-dir}/processors.asciidoc[]
-
-include::{libbeat-dir}/processors-using.asciidoc[]
diff --git a/heartbeat/docs/heartbeat-general-options.asciidoc b/heartbeat/docs/heartbeat-general-options.asciidoc
deleted file mode 100644
index d1a6c1b97507..000000000000
--- a/heartbeat/docs/heartbeat-general-options.asciidoc
+++ /dev/null
@@ -1,12 +0,0 @@
-[[configuration-general-options]]
-== Configure general settings
-
-++++
-<titleabbrev>General settings</titleabbrev>
-++++
-
-You can specify settings in the +{beatname_lc}.yml+ config file to control the
-general behavior of {beatname_uc}.
-
-include::{libbeat-dir}/generalconfig.asciidoc[]
-
diff --git a/heartbeat/docs/heartbeat-observer-options.asciidoc b/heartbeat/docs/heartbeat-observer-options.asciidoc
deleted file mode 100644
index 5b0bbaf5c896..000000000000
--- a/heartbeat/docs/heartbeat-observer-options.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-[[configuration-observer-options]]
-== Add observer and geo metadata
-
-Use the `heartbeat.run_from` option to set the geographic location fields relevant to a given heartbeat instance.
-
-The `run_from` option is used to label the geographic location where the monitor is running.
-Note, you can also set the `run_from` option on an individual monitor to apply a unique setting to just that monitor.
-
-The `run_from` option takes two top-level fields:
-
-* `id`: A string used to uniquely identify the geographic location. It is indexed as the `observer.name` field.
-* `geo`: A map conforming to {ecs-ref}/ecs-geo.html[ECS geo fields]. It is indexed under `observer.geo`.
-
-Example:
-
-```yaml
-heartbeat.run_from:
-  id: my-custom-geo
-  geo:
-	name: nyc-dc1-rack2
-	location: 40.7128, -74.0060
-	continent_name: North America
-	country_iso_code: US
-	region_name: New York
-	region_iso_code: NY
-	city_name: New York
-```
diff --git a/heartbeat/docs/heartbeat-options.asciidoc b/heartbeat/docs/heartbeat-options.asciidoc
deleted file mode 100644
index 65ca08a938f9..000000000000
--- a/heartbeat/docs/heartbeat-options.asciidoc
+++ /dev/null
@@ -1,153 +0,0 @@
-[[configuration-heartbeat-options]]
-== Configure {beatname_uc} monitors
-
-++++
-<titleabbrev>Monitors</titleabbrev>
-++++
-
-To configure {beatname_uc} define a set of `monitors` to check your remote hosts.
-Specify monitors either directly inside the +heartbeat.yml+ config file, or in external
-dynamically loaded files located in the directory referenced by `heartbeat.config.monitors.path`.
-One advantage of using external files is that these can be automatically reloaded
-without stopping the {beatname_uc} process.
-
-Each `monitor` item is an entry in a yaml list, and so begins with a dash (-).
-You can define the type of monitor to use, the hosts to check, and other
-optional settings that control {beatname_uc} behavior.
-
-The following example configures three monitors checking via the `icmp`, `tcp`, and `http`
-protocols directly inside the +heartbeat.yml+ file, and demonstrates how to use TCP Echo
-and HTTP response verification:
-
-[source,yaml]
-----------------------------------------------------------------------
-# heartbeat.yml
-heartbeat.monitors:
-- type: icmp
-  id: ping-myhost
-  name: My Host Ping
-  hosts: ["myhost"]
-  schedule: '*/5 * * * * * *'
-- type: tcp
-  id: myhost-tcp-echo
-  name: My Host TCP Echo
-  hosts: ["myhost:777"]  # default TCP Echo Protocol
-  check.send: "Check"
-  check.receive: "Check"
-  schedule: '@every 5s'
-- type: http
-  id: service-status
-  name: Service Status
-  service.name: my-apm-service-name
-  hosts: ["http://localhost:80/service/status"]
-  check.response.status: [200]
-  schedule: '@every 5s'
-heartbeat.scheduler:
-  limit: 10
-----------------------------------------------------------------------
-
-Using the +heartbeat.yml+ configuration file is convenient, but has two drawbacks:
-it can become hard to manage with large numbers of monitors, and it will not reload
-heartbeat automatically when its contents changes.
-
-Define monitors via the +heartbeat.config.monitors+ to prevent those issues from
-happening to you. To do so you would instead have your +heartbeat.yml+ file contain the following:
-
-[source,yaml]
-----------------------------------------------------------------------
-# heartbeat.yml
-heartbeat.config.monitors:
-  # Directory + glob pattern to search for configuration files
-  path: /path/to/my/monitors.d/*.yml
-  # If enabled, heartbeat will periodically check the config.monitors path for changes
-  reload.enabled: true
-  # How often to check for changes
-  reload.period: 1s
-----------------------------------------------------------------------
-
-Then, define one or more files in the directory pointed to by `heartbeat.config.monitors.path`.
-You may specify multiple monitors in a given file if you like. The contents of these files is
-monitor definitions only, e.g. what is normally under the `heartbeat.monitors` section of
-+heartbeat.yml+. See below for an example
-
-[source,yaml]
-----------------------------------------------------------------------
-# /path/to/my/monitors.d/localhost_service_check.yml
-- type: http
-  id: service-status
-  name: Service Status
-  hosts: ["http://localhost:80/service/status"]
-  check.response.status: [200]
-  schedule: '@every 5s'
-----------------------------------------------------------------------
-
-[float]
-[[monitor-types]]
-=== Monitor types
-
-You can configure {beatname_uc} to use the following monitor types:
-
-*<<monitor-icmp-options,`icmp`>>*:: Uses an ICMP (v4 and v6) Echo Request to ping the configured hosts.
-Requires special permissions or root access.
-*<<monitor-tcp-options,`tcp`>>*:: Connects via TCP and optionally verifies the endpoint by sending and/or
-receiving a custom payload.
-*<<monitor-http-options,`http`>>*:: Connects via HTTP and optionally verifies that the host returns the
-expected response. Will use `Elastic-Heartbeat` as
-the user agent product.
-
-The `tcp` and `http` monitor types both support SSL/TLS and some proxy
-settings.
-
-[NOTE]
-=====
-*Looking for browser monitor options?*  {heartbeat} browser checks are in beta and will never be made generally available.
-
-If you want to set up browser checks, we highly recommend using Synthetics via {observability-guide}/synthetics-get-started-project.html[Projects] or the {observability-guide}/synthetics-get-started-ui.html[Synthetics app in {kib}] to create and manage browser monitors.
-
-If you need to refer to how beta {heartbeat} browser checks were set up previously, refer to the {beats-ref-root}/heartbeat/8.7/monitor-browser-options.html[Browser options documentation for 8.7].
-=====
-
-include::monitors/monitor-common-options.asciidoc[]
-
-include::monitors/monitor-icmp.asciidoc[]
-
-include::monitors/monitor-tcp.asciidoc[]
-
-include::monitors/monitor-http.asciidoc[]
-
-[float]
-[[run-once-mode]]
-=== Run Once Mode (Experimental)
-
-You can configure {beatname_uc} run monitors exactly once then exit, bypassing the scheduler. This is referred to as running {beatname_uc} in 
-"run once" mode by setting `heartbeat.run_once: true`. All {beatname_uc} monitors will ignore their schedules and run exactly once at startup.
-This is an experimental feature and is subject to change. 
-
-Note, the `schedule` field is still required and is used by {beatname_uc} to set the expectation around when
-the next run will occur. That duration is encoded in the `monitor.timespan` field in the {beatname_uc} output.
-
-[source,yaml]
-----------------------------------------------------------------------
-# heartbeat.yml
-heartbeat.run_once: true
-heartbeat.monitors:
-# your monitor config here...
-----------------------------------------------------------------------
-
-[float]
-[[publish-timeout]]
-=== Publish timeout (Experimental)
-
-You can configure {beatname_uc} to exit after an elapsed timeout if unable to publish pending events.
-This is an experimental feature and is subject to change. 
-
-Note, the `heartbeat.run_once` flag is required for `publish_timeout` to take effect.
-
-[source,yaml]
-----------------------------------------------------------------------
-# heartbeat.yml
-heartbeat.publish_timeout: 30s
-heartbeat.run_once: true
-heartbeat.monitors:
-# your monitor config here...
-----------------------------------------------------------------------
diff --git a/heartbeat/docs/heartbeat-scheduler.asciidoc b/heartbeat/docs/heartbeat-scheduler.asciidoc
deleted file mode 100644
index d9820a3fdedb..000000000000
--- a/heartbeat/docs/heartbeat-scheduler.asciidoc
+++ /dev/null
@@ -1,62 +0,0 @@
-[[monitors-scheduler]]
-== Configure the task scheduler
-
-++++
-<titleabbrev>Task scheduler</titleabbrev>
-++++
-
-You specify options under `heartbeat.scheduler` to control the behavior of the task
-scheduler.
-
-Example configuration:
-
-[source,yaml]
--------------------------------------------------------------------------------
-heartbeat.scheduler:
-  limit: 10
-  location: 'UTC-08:00'
--------------------------------------------------------------------------------
-
-In the example, setting `limit` to 10 guarantees that only 10 concurrent
-I/O tasks will be active. An I/O task can be the actual check or resolving an
-address via DNS.
-
-[float]
-[[heartbeat-scheduler-limit]]
-==== `limit`
-
-The number of concurrent I/O tasks that {beatname_uc} is allowed to execute. If set
-to 0, there is no limit. The default is 0.
-
-Most operating systems set a file descriptor limit of 1024. For {beatname_uc} to
-operate correctly and not accidentally block libbeat output, the value that you
-specify for `limit` should be below the configured ulimit.
-
-
-[float]
-[[heartbeat-scheduler-location]]
-==== `location`
-
-The time zone for the scheduler. By default the scheduler uses localtime.
-
-
-[float]
-[[heartbeat-job-limit]]
-==== `job.limit`
-
-On top of the scheduler level limit, {beatname_uc} allows limiting the number of
-concurrent tasks per monitor/job type.
-
-Example configuration:
-
-[source,yaml]
--------------------------------------------------------------------------------
-heartbeat.jobs:
-  http:
-    limit: 10
--------------------------------------------------------------------------------
-
-In the example, at any given time {beatname_uc} guarantees that only 10
-concurrent `http` tasks will be active.
-
-These limits can also be set via the environment variables `SYNTHETICS_LIMIT_{TYPE}`, where `{TYPE}` is one of `HTTP`, `TCP`, and `ICMP`.
\ No newline at end of file
diff --git a/heartbeat/docs/how-heartbeat-works.asciidoc b/heartbeat/docs/how-heartbeat-works.asciidoc
deleted file mode 100644
index 5869eca33ba8..000000000000
--- a/heartbeat/docs/how-heartbeat-works.asciidoc
+++ /dev/null
@@ -1,10 +0,0 @@
-[[how-heartbeat-works]]
-== How Heartbeat works
-
-In this topic, you learn about the key building blocks of Heartbeat and how
-they work together. Understanding these concepts will help you make informed
-decisions about configuring Heartbeat for specific use cases.
-
-//TODO: Add details to this topic.
-
-
diff --git a/heartbeat/docs/howto/howto.asciidoc b/heartbeat/docs/howto/howto.asciidoc
deleted file mode 100644
index dfaa11b68d44..000000000000
--- a/heartbeat/docs/howto/howto.asciidoc
+++ /dev/null
@@ -1,38 +0,0 @@
-[[howto-guides]]
-= How to guides
-
-[partintro]
---
-Learn how to perform common {beatname_uc} configuration tasks.
-
-* <<configuration-observer-options>>
-* <<{beatname_lc}-template>>
-* <<change-index-name>>
-* <<{beatname_lc}-geoip>>
-* <<using-environ-vars>>
-* <<configuring-ingest-node>>
-* <<yaml-tips>>
-
-
---
-
-include::{docdir}/heartbeat-observer-options.asciidoc[]
-
-include::{libbeat-dir}/howto/load-index-templates.asciidoc[]
-
-include::{libbeat-dir}/howto/change-index-name.asciidoc[]
-
-include::{libbeat-dir}/shared-geoip.asciidoc[]
-
-:standalone:
-include::{libbeat-dir}/shared-env-vars.asciidoc[]
-:standalone!:
-
-include::{libbeat-dir}/shared-config-ingest.asciidoc[]
-
-:standalone:
-include::{libbeat-dir}/yaml.asciidoc[]
-:standalone!:
-
-
-
diff --git a/heartbeat/docs/index.asciidoc b/heartbeat/docs/index.asciidoc
deleted file mode 100644
index e2d56f8ef5a9..000000000000
--- a/heartbeat/docs/index.asciidoc
+++ /dev/null
@@ -1,56 +0,0 @@
-= Heartbeat Reference
-
-:libbeat-dir: {docdir}/../../libbeat/docs
-
-include::{libbeat-dir}/version.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/versions/stack/{source_branch}.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
-
-:beatname_lc: heartbeat
-:beatname_uc: Heartbeat
-:beatname_pkg: heartbeat-elastic
-:github_repo_name: beats
-:discuss_forum: beats/{beatname_lc}
-:beat_default_index_prefix: {beatname_lc}
-:beat_kib_app: {kib} Uptime
-:deb_os:
-:rpm_os:
-:mac_os:
-:linux_os:
-:docker_platform:
-:win_os:
-:no_cache_processor:
-:no_dashboards:
-:no_decode_cef_processor:
-:no_decode_csv_fields_processor:
-:no_parse_aws_vpc_flow_log_processor:
-:no_timestamp_processor:
-:no_add_session_metadata_processor:
-
-include::{libbeat-dir}/shared-beats-attributes.asciidoc[]
-
-include::./overview.asciidoc[]
-
-include::./getting-started.asciidoc[]
-
-include::./setting-up-running.asciidoc[]
-
-include::./configuring-howto.asciidoc[]
-
-include::{docdir}/howto/howto.asciidoc[]
-
-include::./fields.asciidoc[]
-
-include::{libbeat-dir}/monitoring/monitoring-beats.asciidoc[]
-
-include::{libbeat-dir}/shared-securing-beat.asciidoc[]
-
-include::./troubleshooting.asciidoc[]
-
-include::./faq.asciidoc[]
-
-include::{libbeat-dir}/contributing-to-beats.asciidoc[]
-
-
diff --git a/heartbeat/docs/monitors/monitor-browser.asciidoc b/heartbeat/docs/monitors/monitor-browser.asciidoc
deleted file mode 100644
index 5db23228f9a5..000000000000
--- a/heartbeat/docs/monitors/monitor-browser.asciidoc
+++ /dev/null
@@ -1,8 +0,0 @@
-[role="exclude",id="monitor-browser-options"]
-== Browser options
-
-*{heartbeat} browser checks are in beta and will not be made generally available.*
-
-If you want to set up browser checks, we highly recommend using Synthetics via {observability-guide}/synthetics-get-started-project.html[Projects] or the {observability-guide}/synthetics-get-started-ui.html[Synthetics app in {kib}] to create and manage browser monitors.
-
-If you need to refer to how beta {heartbeat} browser checks were set up previously, refer to the {beats-ref-root}/heartbeat/8.7/monitor-browser-options.html[Browser options documentation for 8.7].
diff --git a/heartbeat/docs/monitors/monitor-common-options.asciidoc b/heartbeat/docs/monitors/monitor-common-options.asciidoc
deleted file mode 100644
index d5bd391b75aa..000000000000
--- a/heartbeat/docs/monitors/monitor-common-options.asciidoc
+++ /dev/null
@@ -1,290 +0,0 @@
-[[monitor-options]]
-=== Common monitor options
-
-You can specify the following options when defining a {beatname_uc} monitor in any location.
-These options are the same for all monitors. Each monitor type has additional configuration
-options that are specific to that monitor type.
-
-[float]
-[[monitor-type]]
-==== `type`
-
-The type of monitor to run. See <<monitor-types>>.
-
-[float]
-[[monitor-id]]
-==== `id`
-
-A unique identifier for this configuration. This should not change with edits to the monitor configuration
-regardless of changes to any config fields. Examples: `uploader-service`, `http://example.net`, `us-west-loadbalancer`. Note that this uniqueness is only within a given beat instance. If you want to monitor the same endpoint from multiple locations it is recommended that those heartbeat instances use the same IDs so that their results can be correlated. You can use the `host.geo.name` property to disambiguate them.
-
-When querying against indexed monitor data this is the field you will be aggregating with. Appears in the
-<<exported-fields,exported fields>> as `monitor.id`.
-
-If you do not set this explicitly the monitor's config will be hashed and a generated value used. This value will
-change with any options change to this monitor making aggregations over time between changes impossible. For this reason
-it is recommended that you set this manually.
-
-[float]
-[[monitor-name]]
-==== `name`
-
-Optional human readable name for this monitor. This value appears in the <<exported-fields,exported fields>>
-as `monitor.name`.
-
-
-[float]
-[[service-name]]
-==== `service.name`
-
-Optional APM service name for this monitor. Corresponds to the `service.name` ECS field. Set this when monitoring an app
-that is also using APM to enable integrations between Uptime and APM data in Kibana.
-
-[float]
-[[monitor-enabled]]
-==== `enabled`
-
-A Boolean value that specifies whether the module is enabled. If the `enabled`
-option is missing from the configuration block, the module is enabled by
-default.
-
-[float]
-[[monitor-schedule]]
-==== `schedule`
-
-A cron-like expression that specifies the task schedule. For example:
-
-* `*/5 * * * * * *` runs the task every 5 seconds (for example, at 10:00:00,
-10:00:05, and so on).
-* `@every 5s` runs the task every 5 seconds from the time when {beatname_uc} was
-started.
-
-The `schedule` option uses a cron-like syntax based on https://github.com/gorhill/cronexpr#implementation[this `cronexpr` implementation],
-but adds the `@every` keyword.
-
-For stats on the execution of scheduled tasks you can enable the HTTP stats server with `http.enabled: true` in heartbeat.yml, then run `curl http://localhost:5066/stats | jq .heartbeat.scheduler` to view the scheduler's stats. Stats are provided for both jobs and tasks. Each time a monitor is scheduled is considered to be a single job, while portions of the work a job does, like DNS lookups and executing network requests are defined as tasks. The stats provided are:
-
-* **jobs.active:** The number of actively running jobs/monitors.
-* **jobs.missed_deadline:** The number of jobs that executed after their scheduled time. This can be caused either by overlong long timeouts from the previous job or high load preventing heartbeat from keeping up with work.
-* **tasks.active:** The number of tasks currently running.
-* **tasks.waiting:** If the global `schedule.limit` option is set, this number will reflect the number of tasks that are ready to execute, but have not been started in order to prevent exceeding `schedule.limit`.
-
-Also see the <<monitors-scheduler,task scheduler>> settings.
-
-[float]
-[[monitor-ipv4]]
-==== `ipv4`
-
-A Boolean value that specifies whether to ping using the ipv4 protocol if
-hostnames are configured. The default is `true`.
-
-[float]
-[[monitor-ipv6]]
-==== `ipv6`
-
-A Boolean value that specifies whether to ping using the ipv6 protocol
-if hostnames are configured. The default is `true`.
-
-[float]
-[[monitor-mode]]
-==== `mode`
-
-If `mode` is `any`, the monitor pings only one IP address for a hostname. If
-`mode` is `all`, the monitor pings all resolvable IPs for a hostname. The
-`mode: all` setting is useful if you are using a DNS-load balancer and want to
-ping every IP address for the specified hostname. The default is `any`.
-
-[float]
-[[monitor-timeout]]
-==== `timeout`
-
-The total running time for each ping test. This is the total time allowed for
-testing the connection and exchanging data. The default is 16 seconds (16s).
-
-If the timeout is exceeded, {beatname_uc} publishes a `service-down` event. If the
-value specified for `timeout` is greater than `schedule`, intermediate checks
-will not be executed by the scheduler.
-
-[float]
-[[monitor-run-from]]
-=== `run_from`
-
-Use the `run_from` option to set the geographic location fields relevant to a given heartbeat monitor.
-
-The `run_from` option is used to label the geographic location where the monitor is running.
-Note, you can also set the `run_from` option on all monitors via the `heartbeat.run_from` option.
-
-The `run_from` option takes two top-level fields:
-
-* `id`: A string used to uniquely identify the geographic location. It is indexed as the `observer.name` field.
-* `geo`: A map conforming to {ecs-ref}/ecs-geo.html[ECS geo fields]. It is indexed under `observer.geo`.
-
-Example:
-
-```yaml
-- type: http
-  # Set enabled to true (or delete the following line) to enable this example monitor
-  enabled: true
-  # ID used to uniquely identify this monitor in elasticsearch even if the config changes
-  id: geo-test
-  # Human readable display name for this service in Uptime UI and elsewhere
-  name: Geo Test
-  # List or urls to query
-  urls: ["http://example.net"]
-  # Configure task schedule
-  schedule: '@every 10s'
-  run_from:
-    id: my-custom-geo
-    geo:
-      name: nyc-dc1-rack1
-      location: 40.7128, -74.0060
-      continent_name: North America
-      country_iso_code: US
-      region_name: New York
-      region_iso_code: NY
-      city_name: New York
-
-```
-
-[float]
-[[monitor-maintenance-windows]]
-=== `maintenance_windows`
-
-Use the `maintenance_windows` option to define recurring time periods when a heartbeat monitor should be paused. This feature is implemented via `rrule`, allowing flexible scheduling of maintenance windows.
-
-The `maintenance_windows` option supports the following top-level fields:
-
-* `freq`: Specifies the frequency of the maintenance window. Supported values are `daily`, `weekly`, `monthly`, and `yearly`.
-* `dtstart`: The start date and time for the first occurrence of the maintenance window in ISO 8601 format. This value cannot be older than two years to prevent excessive `rrule` iterations.
-* `interval`: The interval at which the rule repeats. For example, an interval of `1` with `freq: weekly` means the maintenance window occurs every week.
-* `byweekday`: (Optional) Specifies the days of the week when the maintenance window occurs. Accepts values like `MO`, `TU`, `WE`, `TH`, `FR`, `SA`, `SU`.
-* `byhour`: (Optional) Specifies the hour(s) of the day when the maintenance window should trigger.
-* `byminute`: (Optional) Specifies the minute(s) of the hour when the maintenance window should trigger.
-* `bysecond`: (Optional) Specifies the second(s) of the minute when the maintenance window should trigger.
-* `byeaster`: (Optional) Specifies the offset from Easter Sunday for the maintenance window.
-* `bysetpos`: (Optional) Specifies the nth occurrence in the set of recurrence values.
-* `bymonth`: (Optional) Specifies the month(s) when the maintenance window should trigger.
-* `byweekno`: (Optional) Specifies the week(s) of the year when the maintenance window should trigger.
-* `byyearday`: (Optional) Specifies the day(s) of the year when the maintenance window should trigger.
-* `bymonthday`: (Optional) Specifies the day(s) of the month when the maintenance window should trigger.
-* `wkst`: (Optional) Specifies the starting day of the week (e.g., `MO` for Monday).
-* `duration`: The duration of each maintenance window in milliseconds.
-* `count`: (Optional) The number of times the maintenance window should occur before stopping.
-
-Example:
-
-```yaml
-- type: http
-  # ID used to uniquely identify this monitor
-  id: my-monitor
-  # List of URLs to query
-  urls: ["http://localhost:9200"]
-  # Define maintenance windows
-  maintenance_windows:
-    - freq: daily
-      dtstart: "2024-11-04T01:00:00.000Z"
-      interval: 1
-      byweekday: [MO, TU, WE, TH, FR]
-      byhour: [1, 2]
-      byminute: [0, 30]
-      bysecond: [0]
-      bymonth: [1, 6, 12]
-      byweekno: [10, 20, 30]
-      byyearday: [100, 200, 300]
-      bymonthday: [1, 15, 31]
-      wkst: MO
-      duration: 3600000  # 1 hour in milliseconds
-      count: 10
-```
-
-This configuration pauses the monitor every weekday at 01:00 and 02:00 UTC for one hour, repeating for ten occurrences.
-
-**Limitations:**
-
-- Only `daily`, `weekly`, `monthly`, and `yearly` frequencies are supported.
-- `dtstart` must not be older than two years to limit the number of `rrule` iterations.
-
-
-
-[float]
-[[monitor-fields]]
-==== `fields`
-
-Optional fields that you can specify to add additional information to the
-output. For example, you might add fields that you can use for filtering log
-data. Fields can be scalar values, arrays, dictionaries, or any nested
-combination of these. By default, the fields that you specify here will be
-grouped under a `fields` sub-dictionary in the output document. To store the
-custom fields as top-level fields, set the `fields_under_root` option to true.
-If a duplicate field is declared in the general configuration, then its value
-will be overwritten by the value declared here.
-
-[float]
-[[monitor-fields-under-root]]
-==== `fields_under_root`
-
-If this option is set to true, the custom <<monitor-fields,fields>>
-are stored as top-level fields in the output document instead of being grouped
-under a `fields` sub-dictionary. If the custom field names conflict with other
-field names added by {beatname_uc}, then the custom fields overwrite the other
-fields.
-
-[float]
-[[monitor-tags]]
-==== `tags`
-
-A list of tags that will be sent with the monitor event. This setting is optional.
-
-[float]
-[[monitor-processors]]
-==== `processors`
-
-A list of processors to apply to the data generated by the monitor.
-
-See <<filtering-and-enhancing-data>> for information about specifying
-processors in your config.
-
-[float]
-[[monitor-data-stream]]
-==== `data_stream`
-
-Contains options pertaining to data stream naming, following the conventions followed by {fleet-guide}/data-streams.html[Fleet Data Streams]. By default Heartbeat will
-write to a datastream named `heartbeat-VERSION`.
-
-
-```yaml
-# To enable data streams with the default namespace
-data_stream.namespace: default
-```
-
-[float]
-[[monitor-pipeline]]
-===== `pipeline`
-
-The {es} ingest pipeline ID to set for the events generated by this input.
-
-NOTE: The pipeline ID can also be configured in the Elasticsearch output, but
-this option usually results in simpler configuration files. If the pipeline is
-configured both in the input and output, the option from the
-input is used.
-
-[float]
-[[monitor-index]]
-===== `index` (deprecated)
-
-This setting is now deprecated in favor of the `data_stream` option.
-If present, this formatted string overrides the index for events from this input
-(for elasticsearch outputs), or sets the `raw_index` field of the event's
-metadata (for other outputs). This string can only refer to the agent name and
-version and the event timestamp; for access to dynamic fields, use
-`output.elasticsearch.index` or a processor.
-
-Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might
-expand to `"heartbeat-myindex-2019.11.01"`.
-
-[float]
-[[monitor-keep-null]]
-==== `keep_null`
-
-If this option is set to true, fields with `null` values will be published in
-the output document. By default, `keep_null` is set to `false`.
diff --git a/heartbeat/docs/monitors/monitor-http.asciidoc b/heartbeat/docs/monitors/monitor-http.asciidoc
deleted file mode 100644
index bc43bc285944..000000000000
--- a/heartbeat/docs/monitors/monitor-http.asciidoc
+++ /dev/null
@@ -1,357 +0,0 @@
-[[monitor-http-options]]
-=== HTTP options
-
-Also see <<monitor-options>>.
-
-The options described here configure {beatname_uc} to connect via HTTP and
-optionally verify that the host returns the expected response.
-
-Example configuration:
-
-[source,yaml]
-----
-- type: http
-  id: myhost
-  name: My HTTP Host
-  schedule: '@every 5s'
-  hosts: ["http://myhost:80"]
-----
-
-[float]
-[[monitor-http-urls]]
-==== `hosts`
-
-A list of URLs to ping.
-
-[float]
-[[monitor-http-max-redirects]]
-==== `max_redirects`
-
-The total number of redirections Heartbeat will follow. Defaults to 0, meaning heartbeat will not follow redirects,
-but will report the status of the redirect. If set to a number greater than 0 heartbeat will follow that number of redirects.
-
-When this option is set to a value greater than zero the `monitor.ip` field will no longer be reported, as multiple
-DNS requests across multiple IPs may return multiple IPs. Fine grained network timing data will also not be recorded, as with redirects
-that data will span multiple requests. Specifically the fields `http.rtt.content.us`, `http.rtt.response_header.us`,
-`http.rtt.total.us`, `http.rtt.validate.us`, `http.rtt.write_request.us` and `dns.rtt.us` will be omitted.
-
-[float]
-[[monitor-http-proxy-url]]
-==== `proxy_url`
-
-The HTTP proxy URL. This setting is optional. Example `http://proxy.mydomain.com:3128`
-
-[float]
-[[monitor-http-proxy-headers]]
-==== `proxy_headers`
-
-Additional headers to send to proxies during CONNECT requests.
-
-[float]
-[[monitor-http-username]]
-==== `username`
-
-The username for authenticating with the server. The credentials are passed
-with the request. This setting is optional.
-
-You need to specify credentials when your `check.response` settings require it.
-For example, you can check for a 403 response (`check.response.status: [403]`)
-without setting credentials.
-
-[float]
-[[monitor-http-password]]
-==== `password`
-
-The password for authenticating with the server. This setting is optional.
-
-[float]
-[[monitor-http-tls-ssl]]
-==== `ssl`
-
-The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't
-specify settings, the system defaults are used.
-
-
-Example configuration:
-
-[source,yaml]
--------------------------------------------------------------------------------
-- type: http
-  id: my-http-service
-  name: My HTTP Service
-  hosts: ["https://myhost:443"]
-  schedule: '@every 5s'
-  ssl:
-    certificate_authorities: ['/etc/ca.crt']
-    supported_protocols: ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
--------------------------------------------------------------------------------
-
-Also see <<configuration-ssl>> for a full description of the `ssl` options.
-
-
-[float]
-[[monitor-http-headers]]
-=== `headers`
-
-Controls the indexing of the HTTP response headers `http.response.body.headers` field.
-
-On by default. Set `response.include_headers` to `false` to disable.
-
-[float]
-[[monitor-http-response]]
-=== `response`
-
-Controls the indexing of the HTTP response body contents to the `http.response.body.contents` field.
-
-Set `response.include_body` to one of the options listed below.
-
-*`on_error`*:: Include the body if an error is encountered during the check. This is the default.
-*`never`*:: Never include the body.
-*`always`*:: Always include the body with checks.
-
-Set `response.include_body_max_bytes` to control the maximum size of the stored body contents. Defaults to 1024 bytes.
-
-[float]
-[[monitor-http-check]]
-==== `check`
-
-An optional `request` to send to the remote host and the expected `response`.
-
-Example configuration:
-
-[source,yaml]
--------------------------------------------------------------------------------
-- type: http
-  id: my-http-host
-  name: My HTTP Service
-  hosts: ["http://myhost:80"]
-  check.request.method: HEAD
-  check.response.status: [200]
-  schedule: '@every 5s'
--------------------------------------------------------------------------------
-
-
-Under `check.request`, specify these options:
-
-*`method`*:: The HTTP method to use. Valid values are `"HEAD"`, `"GET"`, `"POST"`, `"PUT"`, `"DELETE"`, `"CONNECT"`,
-`"TRACE"` and `"OPTIONS"`.
-*`headers`*:: A dictionary of additional HTTP headers to send. By default heartbeat
-will set the 'User-Agent' header to identify itself.
-*`body`*:: Optional request body content.
-
-Example configuration:
-This monitor POSTs an `x-www-form-urlencoded` string
-to the endpoint `/demo/add`
-
-[source,yaml]
--------------------------------------------------------------------------------
-- type: http
-  id: demo-service
-  name: Demo Service
-  schedule: '@every 5s'
-  urls: ["http://localhost:8080/demo/add"]
-  check.request:
-    method: POST
-    headers:
-      'Content-Type': 'application/x-www-form-urlencoded'
-    # urlencode the body:
-    body: "name=first&email=someemail%40someemailprovider.com"
-  check.response:
-    status: [200]
-    body:
-      - Saved
-      - saved
--------------------------------------------------------------------------------
-
-Under `check.response`, specify these options:
-
-*`status`*:: A list of expected status codes. 4xx and 5xx codes are considered `down` by default. Other codes are considered `up`.
-*`headers`*:: The required response headers.
-*`body`*:: A list of regular expressions to match the body output. Only a single expression needs to match. HTTP response
-bodies of up to 100MiB are supported.
-
-Example configuration:
-This monitor examines the
-response body for the strings `saved` or `Saved` and expects 200 or 201 status codes
-
-[source,yaml]
--------------------------------------------------------------------------------
-- type: http
-  id: demo-service
-  name: Demo Service
-  schedule: '@every 5s'
-  urls: ["http://localhost:8080/demo/add"]
-  check.request:
-    method: POST
-    headers:
-      'Content-Type': 'application/x-www-form-urlencoded'
-    # urlencode the body:
-    body: "name=first&email=someemail%40someemailprovider.com"
-  check.response:
-    status: [200, 201]
-    body:
-      - Saved
-      - saved
--------------------------------------------------------------------------------
-
-Under `check.response.body`, specify these options:
-*`positive`*:: This option has the same behavior as given a list of regular expressions under `check.response.body`.
-*`negative`*:: A list of regular expressions to match the the body output negatively.
-Return match failed if single expression matches.
-HTTP response bodies of up to 100MiB are supported.
-
-Example configuration:
-This monitor examines the response body for the strings 'foo' or 'Foo'
-
-[source,yaml]
--------------------------------------------------------------------------------
-- type: http
-  id: demo-service
-  name: Demo Service
-  schedule: '@every 5s'
-  urls: ["http://localhost:8080/demo/add"]
-  check.request:
-    method: POST
-    headers:
-      'Content-Type': 'application/x-www-form-urlencoded'
-    # urlencode the body:
-    body: "name=first&email=someemail%40someemailprovider.com"
-  check.response:
-    body:
-      positive:
-        - foo
-        - Foo
--------------------------------------------------------------------------------
-
-Example configuration:
-This monitor examines match successfully if there is no 'bar' or 'Bar' at all,
-examines match failed if there is 'bar' or 'Bar' in the response body
-
-[source,yaml]
--------------------------------------------------------------------------------
-- type: http
-  id: demo-service
-  name: Demo Service
-  schedule: '@every 5s'
-  urls: ["http://localhost:8080/demo/add"]
-  check.request:
-    method: POST
-    headers:
-      'Content-Type': 'application/x-www-form-urlencoded'
-    # urlencode the body:
-    body: "name=first&email=someemail%40someemailprovider.com"
-  check.response:
-    status: [200, 201]
-    body:
-      negative:
-        - bar
-        - Bar
--------------------------------------------------------------------------------
-
-Example configuration:
-This monitor examines match successfully only when 'foo' or 'Foo' in body AND no 'bar' or 'Bar' in body
-
-[source,yaml]
--------------------------------------------------------------------------------
-- type: http
-  id: demo-service
-  name: Demo Service
-  schedule: '@every 5s'
-  urls: ["http://localhost:8080/demo/add"]
-  check.response:
-    status: [200, 201]
-    body:
-      positive:
-        - foo
-        - Foo
-      negative:
-        - bar
-        - Bar
--------------------------------------------------------------------------------
-
-*`json`*:: A list of expressions or <<conditions,condition>> statements (now deprecated) executed against the body when parsed as JSON. Body sizes
-must be less than or equal to 100 MiB.
-
-The following configuration shows how to check the response using https://github.com/PaesslerAG/gval/blob/master/README.md[gval] expressions when the body contains JSON:
-
-[source,yaml]
--------------------------------------------------------------------------------
-- type: http
-  id: demo-service
-  name: Demo Service
-  schedule: '@every 5s'
-  hosts: ["https://localhost:9200/_/nodes/stats"]
-  username: elastic
-  password: changeme
-  check.response:
-    status: [200]
-    json:
-      - description: check status
-        expression: 'foo.bar == "myValue"'
--------------------------------------------------------------------------------
-
-Expressions can be much more complex than simple equality. They can also use https://goessner.net/articles/JsonPath/[jsonpath] syntax. Note that strings must be double quoted with `"` rather than single quoted with `'` in the `gval` variant of jsonpath. Please note that jsonpath sub-expressions must start with `$.`, for instance `'$.nodes[?(@.name=="myname")] != []'` will check that the `nodes` map has at least one value with the name 'myname'.
-
-When working with responses that are returned in the form of a JSON array at the root rather than an object jsonpath can be used as well. As an example `$.[0].foo == "bar"` tests that the first item in the response has an attribute `foo` that has the value "bar".
-
-JSON bodies can also be checked via the now deprecated `condition` option, which is not as powerful as `expression`. The following configuration shows how to check the response using a `condition` statement when the body contains JSON:
-
-[source,yaml]
--------------------------------------------------------------------------------
-- type: http
-  id: demo-service
-  name: Demo Service
-  schedule: '@every 5s'
-  hosts: ["https://myhost:80"]
-  check.request:
-    method: GET
-    headers:
-      'X-API-Key': '12345-mykey-67890'
-  check.response:
-    status: [200]
-    json:
-      - description: check status
-        condition:
-          equals:
-            status: ok
--------------------------------------------------------------------------------
-
-The following configuration shows how to check the response for multiple regex
-patterns:
-
-[source,yaml]
--------------------------------------------------------------------------------
-- type: http
-  id: demo-service
-  name: Demo Service
-  schedule: '@every 5s'
-  hosts: ["https://myhost:80"]
-  check.request:
-    method: GET
-    headers:
-      'X-API-Key': '12345-mykey-67890'
-  check.response:
-    status: [200]
-    body:
-      - hello
-      - world
--------------------------------------------------------------------------------
-
-The following configuration shows how to check the response with a multiline
-regex:
-
-[source,yaml]
--------------------------------------------------------------------------------
-- type: http
-  id: demo-service
-  name: Demo Service
-  schedule: '@every 5s'
-  hosts: ["https://myhost:80"]
-  check.request:
-    method: GET
-    headers:
-      'X-API-Key': '12345-mykey-67890'
-  check.response:
-    status: [200]
-    body: '(?s)first.*second.*third'
--------------------------------------------------------------------------------
diff --git a/heartbeat/docs/monitors/monitor-icmp.asciidoc b/heartbeat/docs/monitors/monitor-icmp.asciidoc
deleted file mode 100644
index 914b3f8c1fa7..000000000000
--- a/heartbeat/docs/monitors/monitor-icmp.asciidoc
+++ /dev/null
@@ -1,40 +0,0 @@
-[[monitor-icmp-options]]
-=== ICMP options
-
-Also see <<monitor-options>>.
-
-The options described here configure {beatname_uc} to use ICMP (v4 and v6) Echo
-Requests to check the configured hosts. Please note that on most platforms you
-must execute Heartbeat with elevated permissions to perform ICMP pings.
-
-On Linux, regular users may perform pings if the right file capabilities are set. Run
-`sudo setcap cap_net_raw+eip /path/to/heartbeat` to  grant {beatname_uc} ping capabilities on Linux.
-
-The binary has the correct capabilities already set on the container image, however your container runtime
-must allow the use of these privileges for them to be used. On docker this can be achieved with `--cap-add=NET_RAW`.
-
-Other platforms may require {beatname_uc} to run as root or administrator to execute pings.
-
-Example configuration:
-
-[source,yaml]
-----
-- type: icmp
-  id: ping-myhost
-  name: My Host Ping
-  hosts: ["myhost"]
-  schedule: '*/5 * * * * * *'
-----
-
-[float]
-[[monitor-icmp-hosts]]
-==== `hosts`
-
-A list of hosts to ping.
-
-[float]
-[[monitor-icmp-wait]]
-==== `wait`
-
-The duration to wait before emitting another ICMP Echo Request if no response is received. The default is 1
-second (1s).
diff --git a/heartbeat/docs/monitors/monitor-tcp.asciidoc b/heartbeat/docs/monitors/monitor-tcp.asciidoc
deleted file mode 100644
index 10d39b063026..000000000000
--- a/heartbeat/docs/monitors/monitor-tcp.asciidoc
+++ /dev/null
@@ -1,134 +0,0 @@
-[[monitor-tcp-options]]
-=== TCP options
-
-Also see <<monitor-options>>.
-
-The options described here configure {beatname_uc} to connect via TCP and
-optionally verify the endpoint by sending and/or receiving a custom payload.
-
-Example configuration:
-
-[source,yaml]
-----
-- type: tcp
-  id: my-host-services
-  name: My Host Services
-  hosts: ["myhost"]
-  ports: [80, 9200, 5044]
-  schedule: '@every 5s'
-----
-
-[float]
-[[monitor-tcp-hosts]]
-==== `hosts`
-
-A list of hosts to ping. The entries in the list can be:
-
-* A plain host name, such as `localhost`, or an IP address. If you specify this
-option, you must also specify a value for <<monitor-tcp-ports,`ports`>>.  If the
-monitor is <<configuration-ssl,configured to use SSL>>, {beatname_uc} establishes an
-SSL/TLS-based connection. Otherwise, it establishes a plain TCP connection.
-* A hostname and port, such as `localhost:12345`. {beatname_uc} connects
-to the port on the specified host. If the monitor is
-<<configuration-ssl,configured to use SSL>>, {beatname_uc} establishes an
-SSL/TLS-based connection. Otherwise, it establishes a TCP connection.
-* A full URL using the syntax `scheme://<host>:[port]`, where:
-** `scheme` is one of `tcp`, `plain`, `ssl` or `tls`. If `tcp` or `plain` is
-specified, {beatname_uc} establishes a TCP connection even if the monitor is
-configured to use SSL. If `tls` or `ssl` is specified, {beatname_uc} establishes
-an SSL connection. However, if the monitor is not configured to use SSL, the
-system defaults are used (currently not supported on Windows).
-** `host` is the hostname.
-** `port` is the port number. If `port` is missing in the URL, the
-<<monitor-tcp-ports,`ports`>> setting is required.
-
-[float]
-[[monitor-tcp-ports]]
-==== `ports`
-
-A list of ports to ping if the host specified in <<monitor-tcp-hosts,`hosts`>>
-does not contain a port number. It is generally preferable to use a single value here,
-since each port will be monitored using a separate `id`, with the given `id` value,
-used as a prefix in the Heartbeat data, and the configured `name` shared across events
-sent via this check.
-
-[float]
-[[monitor-tcp-check]]
-==== `check`
-
-An optional payload string to send to the remote host and the expected answer.
-If no payload is specified, the endpoint is assumed to be available if the
-connection attempt was successful. If `send` is specified without `receive`,
-any response is accepted as OK. If `receive` is specified without `send`, no
-payload is sent, but the client expects to receive a payload in the form of a
-"hello message" or "banner" on connect.
-
-Example configuration:
-
-[source,yaml]
--------------------------------------------------------------------------------
-- type: tcp
-  id: echo-service
-  name: Echo Service
-  hosts: ["myhost"]
-  ports: [7]
-  check.send: 'Hello World'
-  check.receive: 'Hello World'
-  schedule: '@every 5s'
--------------------------------------------------------------------------------
-
-
-[float]
-[[monitor-tcp-proxy-url]]
-==== `proxy_url`
-
-The URL of the SOCKS5 proxy to use when connecting to the server. The value
-must be a URL with a scheme of socks5://.
-
-If the SOCKS5 proxy server requires client authentication, then a username and
-password can be embedded in the URL as shown in the example.
-
-[source,yaml]
--------------------------------------------------------------------------------
-  proxy_url: socks5://user:password@socks5-proxy:2233
--------------------------------------------------------------------------------
-
-When using a proxy, hostnames are resolved on the proxy server instead of on
-the client. You can change this behavior by setting the
-`proxy_use_local_resolver` option.
-
-[float]
-[[monitor-tcp-proxy-use-local-resolver]]
-==== `proxy_use_local_resolver`
-
-A Boolean value that determines whether hostnames are resolved locally instead
-of being resolved on the proxy server. The default value is false, which means
-that name resolution occurs on the proxy server.
-
-[float]
-[[monitor-tcp-tls-ssl]]
-==== `ssl`
-
-The TLS/SSL connection settings.  If the monitor is
-<<configuration-ssl,configured to use SSL>>, it will attempt an SSL
-handshake. If `check` is not configured, the monitor will only check to see if
-it can establish an SSL/TLS connection. This check can fail either at TCP level
-or during certificate validation.
-
-Example configuration:
-
-[source,yaml]
--------------------------------------------------------------------------------
-- type: tcp
-  id: tls-mail
-  name: TLS Mail
-  hosts: ["mail.example.net"]
-  ports: [465]
-  schedule: '@every 5s'
-  ssl:
-    certificate_authorities: ['/etc/ca.crt']
-    supported_protocols: ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
--------------------------------------------------------------------------------
-
-
-Also see <<configuration-ssl>> for a full description of the `ssl` options.
diff --git a/heartbeat/docs/overview.asciidoc b/heartbeat/docs/overview.asciidoc
deleted file mode 100644
index b1bdd33b2b60..000000000000
--- a/heartbeat/docs/overview.asciidoc
+++ /dev/null
@@ -1,36 +0,0 @@
-[[heartbeat-overview]]
-== Heartbeat overview
-
-Heartbeat is a lightweight daemon that you install on a remote server
-to periodically check the status of your services and determine whether they are
-available. Unlike {metricbeat-ref}/index.html[Metricbeat], which only tells you if
-your servers are up or down, Heartbeat tells you whether your services are
-reachable.
-
-Heartbeat is useful when you need to verify that you're meeting your service
-level agreements for service uptime. It's also useful for other scenarios, such
-as security use cases, when you need to verify that no one from the outside can
-access services on your private enterprise server.
-
-You can configure Heartbeat to ping all DNS-resolvable IP addresses for a
-specified hostname. That way, you can check all services that are load-balanced
-to see if they are available.
-
-When you configure Heartbeat, you specify monitors that identify the
-hostnames that you want to check. Each monitor runs based on the schedule that
-you specify. For example, you can configure one monitor to run every 10
-minutes, and a different monitor to run between the hours of 9:00 and 17:00.
-
-Heartbeat currently supports monitors for checking hosts via:
-
-* ICMP (v4 and v6) Echo Requests. Use the `icmp` monitor when you simply want to
-check whether a service is available. This monitor requires root access.
-* TCP. Use the `tcp` monitor to connect via TCP. You can optionally configure this
-monitor to verify the endpoint by sending and/or receiving a custom payload.
-* HTTP. Use the `http` monitor to connect via HTTP. You can optionally configure
-this monitor to verify that the service returns the expected response, such as a
-specific status code, response header, or content.
-
-The `tcp` and `http` monitors both support SSL/TLS and some proxy settings.
-
-include::{libbeat-dir}/shared-libbeat-description.asciidoc[]
diff --git a/heartbeat/docs/running-on-docker.asciidoc b/heartbeat/docs/running-on-docker.asciidoc
deleted file mode 100644
index 2347e937d731..000000000000
--- a/heartbeat/docs/running-on-docker.asciidoc
+++ /dev/null
@@ -1,13 +0,0 @@
-include::{libbeat-dir}/shared-docker.asciidoc[]
-
-[float]
-==== Required network capabilities
-
-Under Docker, {beatname_uc} runs as a non-root user, but requires some privileged
-network capabilities to operate correctly. Ensure that the +NET_RAW+
-capability is available to the container.
-
-["source","sh",subs="attributes"]
-----
-docker run --cap-add=NET_RAW {dockerimage}
-----
\ No newline at end of file
diff --git a/heartbeat/docs/running-on-kubernetes.asciidoc b/heartbeat/docs/running-on-kubernetes.asciidoc
deleted file mode 100644
index 528f0c0b45b7..000000000000
--- a/heartbeat/docs/running-on-kubernetes.asciidoc
+++ /dev/null
@@ -1,95 +0,0 @@
-[[running-on-kubernetes]]
-=== Running {beatname_uc} on Kubernetes
-
-{beatname_uc} <<running-on-docker,Docker images>> can be used on Kubernetes to
-check resources uptime.
-
-TIP: Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK]
-
-ifeval::["{release-state}"=="unreleased"]
-
-However, version {version} of {beatname_uc} has not yet been
-released, so no Docker image is currently available for this version.
-
-endif::[]
-
-
-[float]
-==== Kubernetes deploy manifests
-
-A single {beatname_uc} can check for uptime of the whole cluster.
-
-Everything is deployed under `kube-system` namespace, you can change that by
-updating the YAML file.
-
-To get the manifests just run:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kubernetes/{beatname_lc}-kubernetes.yaml
-------------------------------------------------
-
-[WARNING]
-=======================================
-If you are using Kubernetes 1.7 or earlier: {beatname_uc} uses a hostPath volume to persist internal data, it's located
-under /var/lib/{beatname_lc}-data. The manifest uses folder autocreation (`DirectoryOrCreate`), which was introduced in
-Kubernetes 1.8. You will need to remove `type: DirectoryOrCreate` from the manifest and create the host folder yourself.
-=======================================
-
-[float]
-==== Settings
-
-Some parameters are exposed in the manifest to configure logs destination, by
-default they will use an existing Elasticsearch deploy if it's present, but you
-may want to change that behavior, so just edit the YAML file and modify them:
-
-["source", "yaml", subs="attributes"]
-------------------------------------------------
-- name: ELASTICSEARCH_HOST
-  value: elasticsearch
-- name: ELASTICSEARCH_PORT
-  value: "9200"
-- name: ELASTICSEARCH_USERNAME
-  value: elastic
-- name: ELASTICSEARCH_PASSWORD
-  value: changeme
-------------------------------------------------
-
-[float]
-==== Deploy
-
-To deploy {beatname_uc} to Kubernetes just run:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-kubectl create -f {beatname_lc}-kubernetes.yaml
-------------------------------------------------
-
-Then you should be able to check the status by running:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-$ kubectl --namespace=kube-system get deployment/{beatname_lc}
-
-NAME        READY   UP-TO-DATE   AVAILABLE   AGE
-{beatname_lc}   1/1     1            1           1m
-------------------------------------------------
-
-[float]
-==== Running {beatname_uc} as unprivileged user
-
-Under Kubernetes, {beatname_uc} can run as a non-root user, but requires some privileged
-network capabilities to operate correctly. Ensure that the +NET_RAW+
-capability is available to the container.
-
-["source","yaml",subs="attributes"]
-----
-containers:
-- name: heartbeat
-  image: {dockerimage}
-  securityContext:
-    runAsUser: 1000
-    runAsGroup: 1000
-    capabilities:
-      add: [ NET_RAW ]
-----
diff --git a/heartbeat/docs/setting-up-running.asciidoc b/heartbeat/docs/setting-up-running.asciidoc
deleted file mode 100644
index 9fbf90b7dc1a..000000000000
--- a/heartbeat/docs/setting-up-running.asciidoc
+++ /dev/null
@@ -1,51 +0,0 @@
-/////
-// NOTE:
-// Each beat has its own setup overview to allow for the addition of content
-// that is unique to each beat.
-/////
-
-[[setting-up-and-running]]
-== Set up and run {beatname_uc}
-
-++++
-<titleabbrev>Set up and run</titleabbrev>
-++++
-
-Before reading this section, see
-<<{beatname_lc}-installation-configuration>> for basic
-installation instructions to get you started.
-
-This section includes additional information on how to install, set up, and run
-{beatname_uc}, including:
-
-* <<directory-layout>>
-
-* <<keystore>>
-
-* <<command-line-options>>
-
-* <<setup-repositories>>
-
-* <<running-on-docker>>
-
-* <<running-on-kubernetes>>
-
-* <<running-with-systemd>>
-
-//MAINTAINERS: If you add a new file to this section, make sure you update the bulleted list ^^ too.
-
-include::{libbeat-dir}/shared-directory-layout.asciidoc[]
-
-include::{libbeat-dir}/keystore.asciidoc[]
-
-include::{libbeat-dir}/command-reference.asciidoc[]
-
-include::{libbeat-dir}/repositories.asciidoc[]
-
-include::./running-on-docker.asciidoc[]
-
-include::./running-on-kubernetes.asciidoc[]
-
-include::{libbeat-dir}/shared-systemd.asciidoc[]
-
-include::{libbeat-dir}/shared/shutdown.asciidoc[]
diff --git a/heartbeat/docs/troubleshooting.asciidoc b/heartbeat/docs/troubleshooting.asciidoc
deleted file mode 100644
index ebed4a6863f1..000000000000
--- a/heartbeat/docs/troubleshooting.asciidoc
+++ /dev/null
@@ -1,40 +0,0 @@
-[[troubleshooting]]
-= Troubleshoot
-
-[partintro]
---
-If you have issues installing or running Heartbeat, read the
-following tips:
-
-* <<getting-help>>
-* <<enable-heartbeat-debugging>>
-* <<understand-{beatname_lc}-logs>>
-* <<faq>>
-
-//sets block macro for getting-help.asciidoc included in next section
-
---
-
-[[getting-help]]
-== Get help
-
-include::{libbeat-dir}/getting-help.asciidoc[]
-
-//sets block macro for debugging.asciidoc included in next section
-
-[[enable-heartbeat-debugging]]
-== Debug
-
-include::{libbeat-dir}/debugging.asciidoc[]
-
-//sets block macro for metrics-in-logs.asciidoc included in next section
-
-[id="understand-{beatname_lc}-logs"]
-[role="xpack"]
-== Understand metrics in {beatname_uc} logs
-
-++++
-<titleabbrev>Understand logged metrics</titleabbrev>
-++++
-
-include::{libbeat-dir}/metrics-in-logs.asciidoc[]
diff --git a/libbeat/docs/command-reference.asciidoc b/libbeat/docs/command-reference.asciidoc
deleted file mode 100644
index 64b9067ca799..000000000000
--- a/libbeat/docs/command-reference.asciidoc
+++ /dev/null
@@ -1,961 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/command-reference.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-
-// These attributes are used to resolve short descriptions
-// tag::attributes[]
-
-:global-flags: Also see <<global-flags,Global flags>>.
-
-:deploy-command-short-desc: Deploys the specified function to your serverless environment
-
-:apikey-command-short-desc: Manage API Keys for communication between APM agents and server.
-
-ifndef::export_pipeline[]
-ifndef::serverless[]
-ifndef::no_dashboards[]
-:export-command-short-desc: Exports the configuration, index template, ILM policy, or a dashboard to stdout
-endif::no_dashboards[]
-
-ifdef::no_dashboards[]
-:export-command-short-desc: Exports the configuration, index template, or ILM policy to stdout
-endif::no_dashboards[]
-endif::serverless[]
-
-ifdef::serverless[]
-:export-command-short-desc: Exports the configuration, index template, or {cloudformation-ref} template to stdout
-endif::serverless[]
-endif::export_pipeline[]
-
-ifdef::export_pipeline[]
-:export-command-short-desc: Exports the configuration, index template, pipeline, or ILM policy to stdout
-endif::export_pipeline[]
-
-:help-command-short-desc: Shows help for any command
-:keystore-command-short-desc: Manages the <<keystore,secrets keystore>>
-:modules-command-short-desc: Manages configured modules
-:package-command-short-desc: Packages the configuration and executable into a zip file
-:remove-command-short-desc: Removes the specified function from your serverless environment
-:run-command-short-desc: Runs {beatname_uc}. This command is used by default if you start {beatname_uc} without specifying a command
-
-ifdef::has_ml_jobs[]
-:setup-command-short-desc: Sets up the initial environment, including the index template, ILM policy and write alias, {kib} dashboards (when available), and machine learning jobs (when available)
-endif::[]
-
-ifdef::no_dashboards[]
-:setup-command-short-desc: Sets up the initial environment, including the ES index template, and ILM policy and write alias
-endif::no_dashboards[]
-
-ifndef::has_ml_jobs,no_dashboards[]
-:setup-command-short-desc: Sets up the initial environment, including the index template, ILM policy and write alias, and {kib} dashboards (when available)
-endif::[]
-
-:update-command-short-desc: Updates the specified function
-:test-command-short-desc: Tests the configuration
-:version-command-short-desc: Shows information about the current version
-
-// end::attributes[]
-
-[[command-line-options]]
-=== {beatname_uc} command reference
-
-++++
-<titleabbrev>Command reference</titleabbrev>
-++++
-
-ifndef::no_dashboards[]
-{beatname_uc} provides a command-line interface for starting {beatname_uc} and
-performing common tasks, like testing configuration files and loading dashboards.
-endif::no_dashboards[]
-
-ifdef::no_dashboards[]
-{beatname_uc} provides a command-line interface for starting {beatname_uc} and
-performing common tasks, like testing configuration files.
-endif::no_dashboards[]
-
-The command-line also supports <<global-flags,global flags>>
-for controlling global behaviors.
-
-ifeval::["{beatname_lc}"!="winlogbeat"]
-[TIP]
-=========================
-Use `sudo` to run the following commands if:
-
-* the config file is owned by `root`, or
-* {beatname_uc} is configured to capture data that requires `root` access
-
-=========================
-endif::[]
-
-Some of the features described here require an Elastic license. For
-more information, see https://www.elastic.co/subscriptions and
-{kibana-ref}/managing-licenses.html[License Management].
-
-
-[options="header"]
-|=======================
-|Commands |
-ifdef::apm-server[]
-|<<apikey-command,`apikey`>> |{apikey-command-short-desc}.
-endif::[]
-|<<export-command,`export`>> |{export-command-short-desc}.
-|<<help-command,`help`>> |{help-command-short-desc}.
-ifndef::serverless[]
-|<<keystore-command,`keystore`>> |{keystore-command-short-desc}.
-endif::[]
-ifdef::has_modules_command[]
-|<<modules-command,`modules`>> |{modules-command-short-desc}.
-endif::[]
-ifndef::serverless[]
-|<<run-command,`run`>> |{run-command-short-desc}.
-endif::[]
-|<<setup-command,`setup`>> |{setup-command-short-desc}.
-|<<test-command,`test`>> |{test-command-short-desc}.
-|<<version-command,`version`>> |{version-command-short-desc}.
-|=======================
-
-Also see <<global-flags,Global flags>>.
-
-ifdef::apm-server[]
-[[apikey-command]]
-==== `apikey` command
-
-experimental::[]
-
-Communication between APM agents and APM Server supports sending an
-<<api-key,API Key in the Authorization header>>.
-APM Server provides an `apikey` command that can create, verify, invalidate,
-and show information about API Keys for agent/server communication.
-Most operations require the `manage_api_key` cluster privilege,
-and you must ensure that either `apm-server.auth.api_key` or `output.elasticsearch` are configured appropriately.
-
-*SYNOPSIS*
-
-["source","sh",subs="attributes"]
-----
-{beatname_lc} apikey SUBCOMMAND [FLAGS]
-----
-
-*SUBCOMMANDS*
-
-// tag::apikey-subcommands[]
-*`create`*::
-Create an API Key with the specified privilege(s). No required flags.
-+
-The user requesting to create an API Key needs to have APM privileges used by the APM Server.
-A superuser, by default, has these privileges. For other users,
-you can create them. See <<privileges-api-key,create an API key user>> for required privileges.
-
-*`info`*::
-Query API Key(s). `--id` or `--name` required.
-
-*`invalidate`*::
-Invalidate API Key(s). `--id` or `--name` required.
-
-*`verify`*::
-Check if a credentials string has the given privilege(s).
- `--credentials` required.
-// end::apikey-subcommands[]
-
-*FLAGS*
-
-*`--agent-config`*::
-Required for agents to read configuration remotely. Valid with the `create` and `verify` subcommands.
-When used with `create`, gives the `config_agent:read` privilege to the created key.
-When used with `verify`, asks for the `config_agent:read` privilege.
-
-*`--credentials CREDS`*::
-Required for the `verify` subcommand. Specifies the credentials for which to to check privileges.
-Credentials are the base64 encoded representation of the API key's `id:name`.
-
-*`--expiration TIME`*::
-When used with `create`, specifies the expiration for the key, e.g., "1d" (default never).
-
-*`--id ID`*::
-ID of the API key. Valid with the `info` and `invalidate` subcommands.
-When used with `info`, queries the specified ID.
-When used with `invalidate`, deletes the specified ID.
-
-*`--ingest`*::
-Required for ingesting events. Valid with the `create` and `verify` subcommands.
-When used with `create`, gives the `event:write` privilege to the created key.
-When used with `verify`, asks for the `event:write` privilege.
-
-*`--json`*::
-Prints the output of the command as JSON.
-Valid with all `apikey` subcommands.
-
-*`--name NAME`*::
-Name of the API key(s). Valid with the `create`, `info`, and `invalidate` subcommands.
-When used with `create`, specifies the name of the API key to be created (default: "apm-key").
-When used with `info`, specifies the API key to query (multiple matches are possible).
-When used with `invalidate`, specifies the API key to delete (multiple matches are possible).
-
-*`--sourcemap`*::
-Required for uploading sourcemaps. Valid with the `create` and `verify` subcommands.
-When used with `create`, gives the `sourcemap:write` privilege to the created key.
-When used with `verify`, asks for the `sourcemap:write` privilege.
-
-*`--valid-only`*::
-When used with `info`, only returns valid API Keys (not expired or invalidated).
-
-{global-flags}
-
-*EXAMPLES*
-
-["source","sh",subs="attributes"]
------
-{beatname_lc} apikey create --ingest --agent-config --name example-001
-{beatname_lc} apikey info --name example-001 --valid-only
-{beatname_lc} apikey invalidate --name example-001
------
-
-For more information, see <<api-key>>.
-
-endif::[]
-
-[[export-command]]
-==== `export` command
-
-ifndef::export_pipeline[]
-ifndef::serverless[]
-ifndef::no_dashboards[]
-{export-command-short-desc}. You can use this
-command to quickly view your configuration, see the contents of the index
-template and the ILM policy, or export a dashboard from {kib}.
-endif::no_dashboards[]
-
-ifdef::no_dashboards[]
-{export-command-short-desc}. You can use this
-command to quickly view your configuration or see the contents of the index
-template or the ILM policy.
-endif::no_dashboards[]
-endif::serverless[]
-
-ifdef::serverless[]
-{export-command-short-desc}. You can use this
-command to quickly view your configuration, see the contents of the index
-template and the ILM policy, or export an CloudFormation template.
-endif::serverless[]
-endif::export_pipeline[]
-
-ifdef::export_pipeline[]
-{export-command-short-desc}. You can use this
-command to quickly view your configuration, see the contents of the index
-template and the ILM policy, export a dashboard from {kib}, or export ingest
-pipelines.
-endif::export_pipeline[]
-
-*SYNOPSIS*
-
-["source","sh",subs="attributes"]
-----
-{beatname_lc} export SUBCOMMAND [FLAGS]
-----
-
-*SUBCOMMANDS*
-
-*`config`*::
-Exports the current configuration to stdout. If you use the `-c` flag, this
-command exports the configuration that's defined in the specified file.
-
-ifndef::no_dashboards[]
-[[dashboard-subcommand]]*`dashboard`*::
-Exports a dashboard. You can use this option to store a dashboard on disk in a
-module and load it automatically. For example, to export the dashboard to a JSON
-file, run:
-+
-["source","shell",subs="attributes"]
-----
-{beatname_lc} export dashboard --id="DASHBOARD_ID" > dashboard.json
-----
-+
-To find the `DASHBOARD_ID`, look at the URL for the dashboard in {kib}. By
-default, `export dashboard` writes the dashboard to stdout. The example shows
-how to write the dashboard to a JSON file so that you can import it later. The
-JSON file will contain the dashboard with all visualizations and searches. You
-must load the index pattern separately for {beatname_uc}.
-+
-To load the dashboard, copy the generated `dashboard.json` file into the
-`kibana/6/dashboard` directory of {beatname_uc}, and run
-+{beatname_lc} setup --dashboards+ to import the dashboard.
-+
-If {kib} is not running on `localhost:5061`, you must also adjust the
-{beatname_uc} configuration under `setup.kibana`.
-endif::no_dashboards[]
-
-[[template-subcommand]]*`template`*::
-Exports the index template to stdout. You can specify the `--es.version`
-flag to further define what gets exported. Furthermore you can export
-the template to a file instead of `stdout` by defining a directory via `--dir`.
-
-[[ilm-policy-subcommand]]
-*`ilm-policy`*::
-Exports the index lifecycle management policy to stdout. You can specify the
-`--es.version` and a `--dir` to which the policy should be exported as a
-file rather than exporting to `stdout`.
-
-ifdef::serverless[]
-[[function-subcommand]]*`function` FUNCTION_NAME*::
-Exports an {cloudformation-ref} template to stdout.
-endif::serverless[]
-
-ifdef::export_pipeline[]
-[[pipeline-subcommand]]
-*`pipeline`*::
-
-Exports the ingest piplines.  You must specify the `--es.version` to
-specify which version of {es} the pipelines should be compatible with.
-You can optionally specify `--dir` to control where the pipelines are
-written.
-
-endif::export_pipeline[]
-
-*FLAGS*
-
-ifdef::export_pipeline[]
-*`--es.version VERSION`*::
-
-When used with <<template-subcommand,`template`>>, exports an index
-template that is compatible with the specified version.  When used
-with <<ilm-policy-subcommand,`ilm-policy`>>, exports the ILM policy if
-the specified ES version is enabled for ILM.  When used with
-<<pipeline-subcommand, `pipeline`>>, exports versions of the pipeline
-that is compatible with the specified version.
-endif::export_pipeline[]
-
-ifndef::export_pipeline[]
-*`--es.version VERSION`*::
-
-When used with <<template-subcommand,`template`>>, exports an index
-template that is compatible with the specified version.  When used
-with <<ilm-policy-subcommand,`ilm-policy`>>, exports the ILM policy if
-the specified ES version is enabled for ILM.
-endif::export_pipeline[]
-
-
-*`-h, --help`*::
-Shows help for the `export` command.
-
-
-*`--dir DIRNAME`*::
-
-Define a directory to which the template, pipelines, and ILM policy
-should be exported to as files instead of printing them to `stdout`.
-
-ifndef::no_dashboards[]
-*`--id DASHBOARD_ID`*::
-When used with <<dashboard-subcommand,`dashboard`>>, specifies the dashboard ID.
-endif::no_dashboards[]
-
-{global-flags}
-
-*EXAMPLES*
-
-ifndef::serverless[]
-ifndef::no_dashboards[]
-["source","sh",subs="attributes"]
------
-{beatname_lc} export config
-{beatname_lc} export template --es.version {version}
-{beatname_lc} export dashboard --id="a7b35890-8baa-11e8-9676-ef67484126fb" > dashboard.json
------
-endif::no_dashboards[]
-
-ifdef::no_dashboards[]
-["source","sh",subs="attributes"]
------
-{beatname_lc} export config
-{beatname_lc} export template --es.version {version}
------
-endif::no_dashboards[]
-endif::serverless[]
-
-ifdef::serverless[]
-["source","sh",subs="attributes"]
------
-{beatname_lc} export config
-{beatname_lc} export template --es.version {version}
-{beatname_lc} export function cloudwatch
------
-endif::serverless[]
-
-[[help-command]]
-==== `help` command
-
-{help-command-short-desc}.
-ifndef::serverless[]
-If no command is specified, shows help for the `run` command.
-endif::[]
-
-*SYNOPSIS*
-
-["source","sh",subs="attributes"]
-----
-{beatname_lc} help COMMAND_NAME [FLAGS]
-----
-
-
-*`COMMAND_NAME`*::
-Specifies the name of the command to show help for.
-
-*FLAGS*
-
-*`-h, --help`*:: Shows help for the `help` command.
-
-{global-flags}
-
-*EXAMPLE*
-
-["source","sh",subs="attributes"]
------
-{beatname_lc} help export
------
-
-ifndef::serverless[]
-[[keystore-command]]
-==== `keystore` command
-
-{keystore-command-short-desc}.
-
-*SYNOPSIS*
-
-["source","sh",subs="attributes"]
-----
-{beatname_lc} keystore SUBCOMMAND [FLAGS]
-----
-
-*SUBCOMMANDS*
-
-*`add KEY`*::
-Adds the specified key to the keystore. Use the `--force` flag to overwrite an
-existing key. Use the `--stdin` flag to pass the value through `stdin`.
-
-*`create`*::
-Creates a keystore to hold secrets. Use the `--force` flag to overwrite the
-existing keystore.
-
-*`list`*::
-Lists the keys in the keystore.
-
-*`remove KEY`*::
-Removes the specified key from the keystore.
-
-*FLAGS*
-
-*`--force`*::
-Valid with the `add` and `create` subcommands. When used with `add`, overwrites
-the specified key. When used with `create`, overwrites the keystore.
-
-*`--stdin`*::
-When used with `add`, uses the stdin as the source of the key's value.
-
-*`-h, --help`*::
-Shows help for the `keystore` command.
-
-
-{global-flags}
-
-*EXAMPLES*
-
-["source","sh",subs="attributes"]
------
-{beatname_lc} keystore create
-{beatname_lc} keystore add ES_PWD
-{beatname_lc} keystore remove ES_PWD
-{beatname_lc} keystore list
------
-
-See <<keystore>> for more examples.
-
-endif::[]
-
-ifdef::has_modules_command[]
-[[modules-command]]
-==== `modules` command
-
-{modules-command-short-desc}. You can use this command to enable and disable
-specific module configurations defined in the `modules.d` directory. The
-changes you make with this command are persisted and used for subsequent
-runs of {beatname_uc}.
-
-To see which modules are enabled and disabled, run the `list` subcommand.
-
-*SYNOPSIS*
-
-["source","sh",subs="attributes"]
-----
-{beatname_lc} modules SUBCOMMAND [FLAGS]
-----
-
-
-*SUBCOMMANDS*
-
-*`disable MODULE_LIST`*::
-Disables the modules specified in the space-separated list.
-
-*`enable MODULE_LIST`*::
-Enables the modules specified in the space-separated list.
-
-*`list`*::
-Lists the modules that are currently enabled and disabled.
-
-
-*FLAGS*
-
-*`-h, --help`*::
-Shows help for the `modules` command.
-
-
-{global-flags}
-
-*EXAMPLES*
-
-ifeval::["{beatname_lc}"=="filebeat"]
-["source","sh",subs="attributes"]
------
-{beatname_lc} modules list
-{beatname_lc} modules enable apache2 auditd mysql
------
-endif::[]
-
-ifeval::["{beatname_lc}"=="metricbeat"]
-["source","sh",subs="attributes"]
------
-{beatname_lc} modules list
-{beatname_lc} modules enable apache nginx system
------
-endif::[]
-endif::[]
-
-ifndef::serverless[]
-[[run-command]]
-==== `run` command
-
-{run-command-short-desc}.
-
-*SYNOPSIS*
-
-["source","sh",subs="attributes"]
------
-{beatname_lc} run [FLAGS]
------
-
-Or:
-
-["source","sh",subs="attributes"]
------
-{beatname_lc} [FLAGS]
------
-
-*FLAGS*
-
-ifeval::["{beatname_lc}"=="packetbeat"]
-*`-I, --I FILE`*::
-Reads packet data from the specified file instead of reading packets from the
-network. This option is useful only for testing {beatname_uc}.
-+
-["source","sh",subs="attributes"]
------
-{beatname_lc} run -I ~/pcaps/network_traffic.pcap
------
-endif::[]
-
-*`-N, --N`*:: Disables publishing for testing purposes.
-ifndef::no_file_output[]
-This option disables all outputs except the <<file-output,File output>>.
-endif::[]
-
-ifeval::["{beatname_lc}"=="packetbeat"]
-*`-O, --O`*::
-Read packets one by one by pressing _Enter_ after each. This option is useful
-only for testing {beatname_uc}.
-endif::[]
-
-*`--cpuprofile FILE`*::
-Writes CPU profile data to the specified file. This option is useful for
-troubleshooting {beatname_uc}.
-
-ifeval::["{beatname_lc}"=="packetbeat"]
-*`-devices`*::
-Prints the list of devices that are available for sniffing and then exits.
-endif::[]
-
-ifeval::["{beatname_lc}"=="packetbeat"]
-*`--dump FILE`*::
-Writes all captured packets to the specified file. This option is useful for
-troubleshooting {beatname_uc}.
-endif::[]
-
-*`-h, --help`*::
-Shows help for the `run` command.
-
-*`--httpprof [HOST]:PORT`*::
-Starts an http server for profiling. This option is useful for troubleshooting
-and profiling {beatname_uc}.
-
-ifeval::["{beatname_lc}"=="packetbeat"]
-*`-l N`*::
-Reads the pcap file `N` number of times. The default is 1. Use this option in
-combination with the `-I` option. For an infinite loop, use _0_. The `-l`
-option is useful only for testing {beatname_uc}.
-endif::[]
-
-*`--memprofile FILE`*::
-Writes memory profile data to the specified output file. This option is useful
-for troubleshooting {beatname_uc}.
-
-ifeval::["{beatname_lc}"=="filebeat"]
-*`--modules MODULE_LIST`*::
-Specifies a comma-separated list of modules to run. For example:
-+
-["source","sh",subs="attributes"]
------
-{beatname_lc} run --modules nginx,mysql,system
------
-+
-Rather than specifying the list of modules every time you run {beatname_uc},
-you can use the <<modules-command,`modules`>> command to enable and disable
-specific modules. Then when you run {beatname_uc}, it will run any modules
-that are enabled.
-endif::[]
-
-ifeval::["{beatname_lc}"=="filebeat"]
-*`--once`*::
-When the `--once` flag is used, {beatname_uc} starts all configured harvesters
-and inputs, and runs each input until the harvesters are closed. If you set the
-`--once` flag, you should also set `close_eof` so the harvester is closed when
-the end of the file is reached. By default harvesters are closed after
-`close_inactive` is reached.
-+
-The `--once` option is not currently supported with the
-{filebeat-ref}/filebeat-input-filestream.html[`filestream`] input type.
-
-endif::[]
-
-*`--system.hostfs MOUNT_POINT`*::
-
-Specifies the mount point of the host's filesystem for use in monitoring a host.
-This flag is depricated, and an alternate hostfs should be specified via the `hostfs` module config value.
-
-
-ifeval::["{beatname_lc}"=="packetbeat"]
-*`-t`*::
-Reads packets from the pcap file as fast as possible without sleeping. Use this
-option in combination with the `-I` option. The `-t` option is useful only for
-testing Packetbeat.
-endif::[]
-
-{global-flags}
-
-*EXAMPLE*
-
-["source","sh",subs="attributes"]
------
-{beatname_lc} run -e
------
-
-Or:
-
-["source","sh",subs="attributes"]
------
-{beatname_lc} -e
------
-endif::[]
-
-
-[[setup-command]]
-==== `setup` command
-
-{setup-command-short-desc}
-
-* The index template ensures that fields are mapped correctly in Elasticsearch.
-If index lifecycle management is enabled it also ensures that the defined ILM policy
-and write alias are connected to the indices matching the index template.
-The ILM policy takes care of the lifecycle of an index, when to do a rollover,
-when to move an index from the hot phase to the next phase, etc.
-
-ifndef::no_dashboards[]
-* The {kib} dashboards make it easier for you to visualize {beatname_uc} data
-in {kib}.
-endif::no_dashboards[]
-
-ifdef::has_ml_jobs[]
-* The machine learning jobs contain the configuration information and metadata
-necessary to analyze data for anomalies.
-endif::[]
-
-This command sets up the environment without actually running
-{beatname_uc} and ingesting data. Specify optional flags to set up a subset of
-assets.
-
-*SYNOPSIS*
-
-// tag::setup-command-tag[]
-["source","sh",subs="attributes"]
-----
-{beatname_lc} setup [FLAGS]
-----
-
-
-*FLAGS*
-
-ifndef::no_dashboards[]
-*`--dashboards`*::
-Sets up the {kib} dashboards (when available). This option loads the dashboards
-from the {beatname_uc} package. For more options, such as loading customized
-dashboards, see {beatsdevguide}/import-dashboards.html[Importing Existing Beat
-Dashboards] in the _Beats Developer Guide_.
-endif::no_dashboards[]
-
-*`-h, --help`*::
-Shows help for the `setup` command.
-
-ifeval::["{beatname_lc}"=="filebeat"]
-*`--modules MODULE_LIST`*::
-Specifies a comma-separated list of modules. Use this flag to avoid errors when
-there are no modules defined in the +{beatname_lc}.yml+ file.
-
-*`--pipelines`*::
-Sets up ingest pipelines for configured filesets. {beatname_uc} looks for
-enabled modules in the +{beatname_lc}.yml+ file. If you used the
-<<modules-command,`modules`>> command to enable modules in the `modules.d`
-directory, also specify the `--modules` flag.
-
-*`--enable-all-filesets`*::
-Enables all modules and filesets. This is useful with `--pipelines`
-if you want to load all ingest pipelines. Without this option you
-would have to list every module with the <<modules-command,`modules`>>
-command and enable every fileset within the module with a `-M` option,
-to load all of the ingest pipelines.
-
-*`--force-enable-module-filesets`*::
-Enables all filesets in the enabled modules. This is useful with
-`--pipelines` if you want to load ingest pipelines. Without this
-option you enable every fileset within the module with a `-M` option,
-to load the ingest pipelines.
-
-endif::[]
-
-*`--index-management`*::
-Sets up components related to Elasticsearch index management including
-template, ILM policy, and write alias (if supported and configured).
-
-ifdef::apm-server[]
-*`--pipelines`*::
-Registers the <<configuring-ingest-node,pipeline>> definitions set in `ingest/pipeline/definition.json`.
-endif::apm-server[]
-
-{global-flags}
-
-*EXAMPLES*
-
-ifeval::["{beatname_lc}"=="filebeat"]
-["source","sh",subs="attributes"]
------
-{beatname_lc} setup --dashboards
-{beatname_lc} setup --pipelines
-{beatname_lc} setup --pipelines --modules system,nginx,mysql <1>
-{beatname_lc} setup --index-management
------
-<1> If you used the <<modules-command,`modules`>> command to enable modules in
-the `modules.d` directory, also specify the `--modules` flag to indicate which
-modules to load pipelines for.
-endif::[]
-
-ifeval::["{beatname_lc}"!="filebeat"]
-
-ifndef::no_dashboards[]
-["source","sh",subs="attributes"]
------
-{beatname_lc} setup --dashboards
-{beatname_lc} setup --index-management
------
-endif::no_dashboards[]
-
-ifndef::apm-server[]
-ifdef::no_dashboards[]
-["source","sh",subs="attributes"]
------
-{beatname_lc} setup --index-management
------
-endif::no_dashboards[]
-endif::apm-server[]
-
-ifdef::apm-server[]
-["source","sh",subs="attributes"]
------
-{beatname_lc} setup --index-management
-{beatname_lc} setup --pipelines
------
-endif::apm-server[]
-
-endif::[]
-// end::setup-command-tag[]
-
-[[test-command]]
-==== `test` command
-
-{test-command-short-desc}.
-
-*SYNOPSIS*
-
-["source","sh",subs="attributes"]
-----
-{beatname_lc} test SUBCOMMAND [FLAGS]
-----
-
-*SUBCOMMANDS*
-
-*`config`*::
-Tests the configuration settings.
-
-ifeval::["{beatname_lc}"=="metricbeat"]
-*`modules [MODULE_NAME] [METRICSET_NAME]`*::
-Tests module settings for all configured modules. When you run this command,
-{beatname_uc} does a test run that applies the current settings, retrieves the
-metrics, and shows them as output. To test the settings for a specific module,
-specify `MODULE_NAME`. To test the settings for a specific metricset in the
-module, also specify `METRICSET_NAME`.
-endif::[]
-
-*`output`*::
-Tests that {beatname_uc} can connect to the output by using the
-current settings.
-
-*FLAGS*
-
-*`-h, --help`*:: Shows help for the `test` command.
-
-{global-flags}
-
-ifeval::["{beatname_lc}"!="metricbeat"]
-*EXAMPLE*
-
-["source","sh",subs="attributes"]
------
-{beatname_lc} test config
------
-endif::[]
-
-ifeval::["{beatname_lc}"=="metricbeat"]
-*EXAMPLES*
-
-["source","sh",subs="attributes"]
------
-{beatname_lc} test config
-{beatname_lc} test modules system cpu
------
-endif::[]
-
-[[version-command]]
-==== `version` command
-
-{version-command-short-desc}.
-
-*SYNOPSIS*
-
-["source","sh",subs="attributes"]
-----
-{beatname_lc} version [FLAGS]
-----
-
-
-*FLAGS*
-
-*`-h, --help`*:: Shows help for the `version` command.
-
-{global-flags}
-
-*EXAMPLE*
-
-["source","sh",subs="attributes"]
------
-{beatname_lc} version
------
-
-
-[float]
-[[global-flags]]
-=== Global flags
-
-These global flags are available whenever you run {beatname_uc}.
-
-*`-E, --E "SETTING_NAME=VALUE"`*::
-Overrides a specific configuration setting. You can specify multiple overrides.
-For example:
-+
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
-{beatname_lc} -E "name=mybeat" -E "output.elasticsearch.hosts=['http://myhost:9200']"
-----------------------------------------------------------------------
-+
-This setting is applied to the currently running {beatname_uc} process.
-The {beatname_uc} configuration file is not changed.
-
-ifeval::["{beatname_lc}"=="filebeat"]
-*`-M, --M "VAR_NAME=VALUE"`*:: Overrides the default configuration for a
-{beatname_uc} module. You can specify multiple variable overrides. For example:
-+
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
-{beatname_lc} --modules=nginx -M "nginx.access.var.paths=['/var/log/nginx/access.log*']" -M "nginx.access.var.pipeline=no_plugins"
-----------------------------------------------------------------------
-endif::[]
-
-*`-c, --c FILE`*::
-Specifies the configuration file to use for {beatname_uc}. The file you specify
-here is relative to `path.config`. If the `-c` flag is not specified, the
-default config file, +{beatname_lc}.yml+, is used.
-
-*`-d, --d SELECTORS`*::
-Enables debugging for the specified selectors. For the selectors, you can
-specify a comma-separated
-list of components, or you can use `-d "*"` to enable debugging for all
-components. For example, `-d "publisher"` displays all the publisher-related
-messages.
-
-*`-e, --e`*::
-Logs to stderr and disables syslog/file output.
-
-*`--environment`*::
-For logging purposes, specifies the environment that {beatname_uc} is running in.
-This setting is used to select a default log output when no log output is configured.
-Supported values are: `systemd`, `container`, `macos_service`, and `windows_service`.
-If `systemd` or `container` is specified, {beatname_uc} will log to stdout and stderr
-by default.
-
-*`--path.config`*::
-Sets the path for configuration files. See the <<directory-layout>> section for
-details.
-
-*`--path.data`*::
-Sets the path for data files. See the <<directory-layout>> section for details.
-
-*`--path.home`*::
-Sets the path for miscellaneous files. See the <<directory-layout>> section for
-details.
-
-*`--path.logs`*::
-Sets the path for log files. See the <<directory-layout>> section for details.
-
-*`--strict.perms`*::
-Sets strict permission checking on configuration files. The default is `--strict.perms=true`.
-ifndef::apm-server[]
-See {beats-ref}/config-file-permissions.html[Config file ownership and permissions]
-for more information.
-endif::[]
-ifdef::apm-server[]
-See <<config-file-ownership>> for more information.
-endif::[]
-
-*`-v, --v`*::
-Logs INFO-level messages.
diff --git a/libbeat/docs/communitybeats.asciidoc b/libbeat/docs/communitybeats.asciidoc
deleted file mode 100644
index d9989d88c172..000000000000
--- a/libbeat/docs/communitybeats.asciidoc
+++ /dev/null
@@ -1,146 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content appears in both the Beats Platform Reference and the
-//// Beats Developer Guide.
-//////////////////////////////////////////////////////////////////////////
-
-[[community-beats]]
-== Community {beats}
-
-****
-**Custom Beat generator code no longer available in 8.0 and later**
-
-The custom Beat generator was a helper tool that allowed developers to bootstrap
-their custom {beats}. This tool was deprecated in 7.16 and is no longer
-available starting in 8.0.
-
-Developers can continue to create custom {beats} to address specific and targeted
-use cases. If you need to create a Beat from scratch, you can use the custom
-Beat generator tool available in version 7.16 or 7.17 to generate the custom
-Beat, then upgrade its various components to the 8.x release. 
-****
-
-This page lists some of the {beats} developed by the open source community.
-
-Have a question about developing a community Beat? You can post questions and discuss issues in the
-https://discuss.elastic.co/tags/c/elastic-stack/beats/28/beats-development[{beats} discussion forum].
-
-Have you created a Beat that's not listed? Add the name and description of your Beat to the source document for
-https://github.com/elastic/beats/blob/main/libbeat/docs/communitybeats.asciidoc[Community {beats}] and https://help.github.com/articles/using-pull-requests[open a pull request] in the https://github.com/elastic/beats[{beats} GitHub repository] to get your change merged. When you're ready, go ahead and https://discuss.elastic.co/c/announcements[announce] your new Beat in the Elastic
-discussion forum.
-
-ifndef::dev-guide[]
-Want to contribute? See <<contributing-to-beats>>.
-endif::[]
-
-NOTE: Elastic provides no warranty or support for community-sourced {beats}.
-
-[horizontal]
-https://github.com/awormuth/amazonbeat[amazonbeat]:: Reads data from a specified Amazon product.
-https://github.com/radoondas/apachebeat[apachebeat]:: Reads status from Apache HTTPD server-status.
-https://github.com/verticle-io/apexbeat[apexbeat]:: Extracts configurable contextual data and metrics from Java applications via the  http://toolkits.verticle.io[APEX] toolkit.
-https://github.com/MelonSmasher/browserbeat[browserbeat]:: Reads and ships browser history (Chrome, Firefox, & Safari) to an Elastic output.
-https://github.com/toravir/cborbeat[cborbeat]:: Reads from cbor encoded files (specifically log files). More: https://cbor.io[CBOR Encoding] https://github.com/toravir/csd[Decoder]
-https://github.com/hartfordfive/cloudflarebeat[cloudflarebeat]:: Indexes log entries from the Cloudflare Enterprise Log Share API.
-https://github.com/jarl-tornroos/cloudfrontbeat[cloudfrontbeat]:: Reads log events from Amazon Web Services https://aws.amazon.com/cloudfront/[CloudFront].
-https://github.com/aidan-/cloudtrailbeat[cloudtrailbeat]:: Reads events from Amazon Web Services' https://aws.amazon.com/cloudtrail/[CloudTrail].
-https://github.com/narmitech/cloudwatchmetricbeat[cloudwatchmetricbeat]::  A beat for Amazon Web Services' https://aws.amazon.com/cloudwatch/details/#other-aws-resource-monitoring[CloudWatch Metrics].
-https://github.com/e-travel/cloudwatchlogsbeat[cloudwatchlogsbeat]:: Reads log events from Amazon Web Services' https://aws.amazon.com/cloudwatch/details/#log-monitoring[CloudWatch Logs].
-https://github.com/eBay/collectbeat[collectbeat]:: Adds discovery on top of Filebeat and Metricbeat in environments like Kubernetes.
-https://github.com/raboof/connbeat[connbeat]:: Exposes metadata about TCP connections.
-https://github.com/Pravoru/consulbeat[consulbeat]:: Reads services health checks from consul and pushes them to Elastic.
-https://github.com/hellmouthengine/discobeat[discobeat]:: Reads messages from Discord and indexes them in Elasticsearch
-https://github.com/Ingensi/dockbeat[dockbeat]:: Reads Docker container
-statistics and indexes them in Elasticsearch.
-https://github.com/radoondas/earthquakebeat[earthquakebeat]:: Pulls data from https://earthquake.usgs.gov/fdsnws/event/1/[USGS] earthquake API.
-https://github.com/radoondas/elasticbeat[elasticbeat]:: Reads status from an Elasticsearch cluster and indexes them in Elasticsearch.
-https://github.com/berfinsari/envoyproxybeat[envoyproxybeat]:: Reads stats from the Envoy Proxy and indexes them into Elasticsearch.
-https://github.com/gamegos/etcdbeat[etcdbeat]:: Reads stats from the Etcd v2 API and indexes them into Elasticsearch.
-https://gitlab.com/hatricker/etherbeat[etherbeat]:: Reads blocks from Ethereum compatible blockchain and indexes them into Elasticsearch.
-https://github.com/christiangalsterer/execbeat[execbeat]:: Periodically executes shell commands and sends the standard output and standard error to
-Logstash or Elasticsearch.
-https://github.com/jarpy/factbeat[factbeat]:: Collects facts from https://github.com/puppetlabs/facter[Facter].
-https://github.com/ctindel/fastcombeat[fastcombeat]:: Periodically gather internet download speed from  https://fast.com[fast.com].
-https://github.com/cloudronics/fileoccurancebeat[fileoccurencebeat]:: Checks for file existence recurssively under a given directory, handy while handling queues/pipeline buffers.
-https://github.com/FStelzer/flowbeat[flowbeat]:: Collects, parses, and indexes http://www.sflow.org/index.php[sflow] samples.
-https://github.com/GeneralElectric/GABeat[gabeat]:: Collects data from Google Analytics Realtime API.
-https://github.com/GoogleCloudPlatform/gcsbeat[gcsbeat]:: Reads data from https://cloud.google.com/storage/[Google Cloud Storage] buckets.
-https://github.com/threatstack/gelfbeat[gelfbeat]:: Collects and parses GELF-encoded UDP messages.
-https://github.com/josephlewis42/githubbeat[githubbeat]:: Easily monitors GitHub repository activity.
-https://github.com/hpcugent/gpfsbeat[gpfsbeat]:: Collects GPFS metric and quota information.
-https://github.com/ullaakut/hackerbeat[hackerbeat]:: Indexes the top stories of HackerNews into an ElasticSearch instance.
-https://github.com/YaSuenag/hsbeat[hsbeat]:: Reads all performance counters in Java HotSpot VM.
-https://github.com/christiangalsterer/httpbeat[httpbeat]:: Polls multiple HTTP(S) endpoints and sends the data to
-Logstash or Elasticsearch. Supports all HTTP methods and proxies.
-https://github.com/hsngerami/hsnburrowbeat[hsnburrowbeat]:: Monitors Kafka consumer lag for Burrow V1.0.0(API V3).
-https://github.com/jasperla/hwsensorsbeat[hwsensorsbeat]:: Reads sensors information from OpenBSD.
-https://github.com/icinga/icingabeat[icingabeat]:: Icingabeat ships events and states from Icinga 2 to Elasticsearch or Logstash.
-https://github.com/visasimbu/IIBBeat[IIBBeat]:: Periodically executes shell commands or batch commands to collect IBM Integration node, Integration server, app status, bar file deployment time and bar file location to Logstash or Elasticsearch.
-https://github.com/devopsmakers/iobeat[iobeat]:: Reads IO stats from /proc/diskstats on Linux.
-https://github.com/radoondas/jmxproxybeat[jmxproxybeat]:: Reads Tomcat JMX metrics exposed over 'JMX Proxy Servlet' to HTTP.
-https://github.com/mheese/journalbeat[journalbeat]:: Used for log shipping from systemd/journald based Linux systems.
-https://github.com/justsocialapps/kafkabeat[kafkabeat]:: Reads data from Kafka topics.
-https://github.com/arkady-emelyanov/kafkabeat[kafkabeat2]:: Reads data (json or plain) from Kafka topics.
-https://github.com/PPACI/krakenbeat[krakenbeat]:: Collect information on each transaction on the Kraken crypto platform.
-https://github.com/eskibars/lmsensorsbeat[lmsensorsbeat]:: Collects data from lm-sensors (such as CPU temperatures, fan speeds, and voltages from i2c and smbus).
-https://github.com/consulthys/logstashbeat[logstashbeat]:: Collects data from Logstash monitoring API (v5 onwards) and indexes them in Elasticsearch.
-https://github.com/bozdag/macwifibeat[macwifibeat]:: Reads various indicators for a MacBook's WiFi Signal Strength
-https://github.com/yedamao/mcqbeat[mcqbeat]:: Reads the status of queues from memcacheq.
-https://developer.cisco.com/codeexchange/github/repo/CiscoDevNet/merakibeat[merakibeat]:: Collects https://dashboard.meraki.com/api_docs#wireless-health[wireless health] and users https://documentation.meraki.com/MR/Monitoring_and_Reporting/Scanning_API[location analytics] data using Cisco  Meraki APIs.
-https://github.com/berfinsari/mesosbeat[mesosbeat]:: Reads stats from the Mesos API and indexes them into Elasticsearch.
-https://github.com/scottcrespo/mongobeat[mongobeat]:: Monitors MongoDB instances and can be configured to send multiple document types to Elasticsearch.
-https://github.com/nathan-K-/mqttbeat[mqttbeat]:: Add messages from mqtt topics to Elasticsearch.
-https://github.com/adibendahan/mysqlbeat[mysqlbeat]:: Run any query on MySQL and send results to Elasticsearch.
-https://github.com/PhaedrusTheGreek/nagioscheckbeat[nagioscheckbeat]:: For Nagios checks and performance data.
-https://github.com/nfvsap/natsbeat[natsbeat]:: Collects data from NATS monitoring endpoints
-https://github.com/radoondas/netatmobeat[netatmobeat]:: Reads data from Netatmo weather station.
-https://github.com/hmschreck/netbeat[netbeat]:: Reads configurable data from SNMP-enabled devices.
-https://github.com/mrkschan/nginxbeat[nginxbeat]:: Reads status from Nginx.
-https://github.com/2Fast2BCn/nginxupstreambeat[nginxupstreambeat]:: Reads upstream status from nginx upstream module.
-https://github.com/mschneider82/nsqbeat[nsqbeat]:: Reads data from a NSQ topic.
-https://github.com/eBay/nvidiagpubeat[nvidiagpubeat]:: Uses nvidia-smi to grab metrics of NVIDIA GPUs.
-https://github.com/counteractive/o365beat[o365beat]:: Ships Office 365 logs from the O365 Management Activities API
-https://github.com/aristanetworks/openconfigbeat[openconfigbeat]:: Streams data from http://openconfig.net[OpenConfig]-enabled network devices
-https://github.com/nabeel-shakeel/openvpnbeat[openvpnbeat]:: Collects OpenVPN connection metrics
-https://github.com/radoondas/owmbeat[owmbeat]:: Open Weather Map beat to pull weather data from all around the world and store and visualize them in Elastic Stack
-https://github.com/joehillen/packagebeat[packagebeat]:: Collects information about system packages from package
-managers.
-https://github.com/WuerthIT/perfstatbeat[perfstatbeat]:: Collects performance metrics on the AIX operating system.
-https://github.com/stric-co/phishbeat[phishbeat]:: Monitors Certificate Transparency logs for phishing and defamatory domains.
-https://github.com/kozlice/phpfpmbeat[phpfpmbeat]:: Reads status from PHP-FPM.
-https://github.com/joshuar/pingbeat[pingbeat]:: Sends ICMP pings to a list
-of targets and stores the round trip time (RTT) in Elasticsearch.
-https://github.com/kckecheng/powermaxbeat[powermaxbeat]:: Collects performance metrics from Dell EMC PowerMax storage array.
-https://github.com/pawankt/processbeat[processbeat]:: Collects process health status and performance.
-https://github.com/carlpett/prombeat[prombeat]:: Indexes https://prometheus.io[Prometheus] metrics.
-https://github.com/infonova/prometheusbeat[prometheusbeat]:: Send Prometheus metrics to Elasticsearch via the remote write feature.
-https://github.com/hartfordfive/protologbeat[protologbeat]:: Accepts structured and unstructured logs via UDP or TCP.  Can also be used to receive syslog messages or GELF formatted messages. (To be used as a successor to udplogbeat)
-https://github.com/GoogleCloudPlatform/pubsubbeat[pubsubbeat]:: Reads data from https://cloud.google.com/pubsub/[Google Cloud Pub/Sub].
-https://github.com/voigt/redditbeat[redditbeat]:: Collects new Reddit Submissions of one or multiple Subreddits.
-https://github.com/chrsblck/redisbeat[redisbeat]:: Used for Redis monitoring.
-https://github.com/consulthys/retsbeat[retsbeat]:: Collects counts of http://www.reso.org[RETS] resource/class records from https://en.wikipedia.org/wiki/Multiple_listing_service[Multiple Listing Service] (MLS) servers.
-https://github.com/yourdream/rsbeat[rsbeat]:: Ships redis slow logs to elasticsearch and analyze by Kibana.
-https://github.com/radoondas/safecastbeat[safecastbeat]:: Pulls data from Safecast API and store them in Elasticsearch.
-https://github.com/martinhoefling/saltbeat[saltbeat]:: Reads events from salt master event bus.
-https://github.com/benben/serialbeat[serialbeat]:: Reads from a serial device.
-https://github.com/Corwind/servicebeat[servicebeat]:: Send services status to Elasticsearch
-https://github.com/consulthys/springbeat[springbeat]:: Collects health and metrics data from Spring Boot applications running with the actuator module.
-https://github.com/philkra/springboot2beat[springboot2beat]:: Query and accumulate all metrics endpoints of a Spring Boot 2 web app via the web channel, leveraging the http://micrometer.io/[mircometer.io] metrics facade.
-https://github.com/sentient/statsdbeat[statsdbeat]:: Receives UDP https://github.com/etsy/statsd/wiki[statsd] events from a statsd client.
-https://github.com/Corwind/supervisorctlbeat.git[supervisorctlbeat]:: This beat aims to parse the supervisorctl status command output and send it to elasticsearch for indexation
-https://github.com/live-wire/terminalbeat[terminalbeat]:: Runs an external command and forwards the https://www.computerhope.com/jargon/s/stdout.htm[stdout] for the same to Elasticsearch/Logstash.
-https://timebeat.app/download.php[timebeat]:: NTP and PTP clock synchonisation beat that reports accuracy metrics to elastic. Includes Kibana dashboards.
-https://github.com/berfinsari/tracebeat[tracebeat]:: Reads traceroute output and indexes them into Elasticsearch.
-https://github.com/DmitryZ-outten/trivybeat[trivybeat]:: Fetches Docker containers which are running on the same machine, scan CVEs of those containers using Trivy server and index them into Elasticsearch.
-https://github.com/buehler/go-elastic-twitterbeat[twitterbeat]:: Reads tweets for specified screen names.
-https://github.com/gravitational/udpbeat[udpbeat]:: Ships structured logs via UDP.
-https://github.com/hartfordfive/udplogbeat[udplogbeat]:: Accept events via local UDP socket (in plain-text or JSON with ability to enforce schemas).  Can also be used for applications only supporting syslog logging.
-https://github.com/cleesmith/unifiedbeat[unifiedbeat]:: Reads records from Unified2 binary files generated by
-network intrusion detection software and indexes the records in Elasticsearch.
-https://github.com/kckecheng/unitybeat[unitybeat]:: Collects performance metrics from Dell EMC Unity storage array.
-https://github.com/mrkschan/uwsgibeat[uwsgibeat]:: Reads stats from uWSGI.
-https://github.com/phenomenes/varnishlogbeat[varnishlogbeat]:: Reads log data from a Varnish instance and ships it to Elasticsearch.
-https://github.com/phenomenes/varnishstatbeat[varnishstatbeat]:: Reads stats data from a Varnish instance and ships it to Elasticsearch.
-https://gitlab.com/msvechla/vaultbeat[vaultbeat]:: Collects performance metrics and statistics from Hashicorp's Vault.
-https://github.com/eskibars/wmibeat[wmibeat]:: Uses WMI to grab your favorite, configurable Windows metrics.
-https://github.com/IBM/yarnbeat[yarnbeat]:: Polls YARN and MapReduce APIs for cluster and application metrics.
-https://github.com/maireanu/zfsbeat[zfsbeat]:: Querying ZFS Storage and Pool Status
diff --git a/libbeat/docs/config-file-format.asciidoc b/libbeat/docs/config-file-format.asciidoc
deleted file mode 100644
index 32a6ff49913b..000000000000
--- a/libbeat/docs/config-file-format.asciidoc
+++ /dev/null
@@ -1,376 +0,0 @@
-[[config-file-format]]
-== Config file format
-
-Beats config files are based on http://www.yaml.org[YAML], a file format that is
-easier to read and write than other common data formats like XML or JSON.
-Config files must be encoded in UTF-8.
-
-In beats all YAML files start with a dictionary, an unordered collection of
-name/value pairs. In addition to dictionaries, YAML also supports lists, numbers,
-strings, and many other data types. All members of the same list or dictionary must
-have the same indentation level.
-
-Dictionaries are represented by simple `key: value` pairs all having the same
-indentation level. The colon after `key` must be followed by a space.
-
-[source,yaml]
------
-name: John Doe
-age: 34
-country: Canada
------
-
-Lists are introduced by dashes `- `. All list members will be lines beginning
-with `- ` at the same indentation level.
-
-[source,yaml]
------
-- Red
-- Green
-- Blue
------
-
-Lists and dictionaries are used in beats to build structured configurations.
-
-[source,yaml]
------
-filebeat:
-  inputs:
-    - type: log
-      paths:
-        - /var/log/*.log
-      multiline:
-        pattern: '^['
-        match: after
------
-
-Lists and dictionaries can also be represented in abbreviated form. Abbreviated
-form is somewhat similar to JSON using `{}` for dictionaries and `[]` for lists:
-
-[source,yaml]
------
-person: {name: "John Doe", age: 34, country: "Canada"}
-colors: ["Red", "Green", "Blue"]
------
-
-The following topics provide more detail to help you understand and work with config files in YAML:
-
-* <<config-file-format-namespacing>>
-* <<config-file-format-type>>
-* <<config-file-format-env-vars>>
-* <<config-gile-format-refs>>
-* <<config-file-permissions>>
-* <<config-file-format-cli>>
-* <<config-file-format-tips>>
-
-[[config-file-format-namespacing]]
-=== Namespacing
-
-All settings are structured using dictionaries and lists. Those are collapsed
-into "namespaced" settings, by creating a setting using the full path of the
-settings name and it's parent structures names, when reading the configuration
-file.
-
-For example this setting:
-
-["source","yaml",subs="attributes"]
------
-output:
-  elasticsearch:
-    index: 'beat-%{[{beat_version_key}]}-%{+yyyy.MM.dd}'
------
-
-gets collapsed into +output.elasticsearch.index: \'beat-%{[{beat_version_key}]}-%{+yyyy.MM.dd}'+. The
-full name of a setting is based on all parent structures involved.
-
-Lists create numeric names starting with 0.
-
-For example this filebeat setting:
-
-[source,yaml]
------
-filebeat:
-  inputs:
-    - type: log
------
-
-Gets collapsed into `filebeat.inputs.0.type: log`.
-
-Alternatively to using indentation, setting names can be used in collapsed form too.
-
-Note: having two settings with same fully collapsed path is invalid.
-
-Simple filebeat example with partially collapsed setting names and use of compact form:
-
-
-[source,yaml]
------
-filebeat.inputs:
-- type: log
-  paths: ["/var/log/*.log"]
-  multiline.pattern: '^['
-  multiline.match: after
-
-output.elasticsearch.hosts: ["http://localhost:9200"]
------
-
-[[config-file-format-type]]
-=== Config file data types
-
-Values of configuration settings are interpreted as required by beats.
-If a value can not be correctly interpreted as the required type - for example a
-string is given when a number is required - the beat will fail to start up.
-
-==== Boolean
-
-Boolean values can be either `true` or `false`. Alternative names for `true` are
-`yes` and `on`. Instead of `false` the values `no` and `off` can be used.
-
-[source,yaml]
------
-enabled: true
-disabled: false
------
-
-==== Number
-
-Number values require you to enter the number to use without using single or
-double quotes. Some settings only support a restricted number range though.
-
-[source,yaml]
------
-integer: 123
-negative: -1
-float: 5.4
------
-
-==== String
-
-In YAML[http://www.yaml.org], multiple styles of string definitions are supported:
- double-quoted, single-quoted, unquoted.
-
-The double-quoted style is specified by surrounding the string with `"`. This
-style provides support for escaping unprintable characters using `\`, but comes
-at the cost of having to escape `\` and `"` characters.
-
-The single-quoted style is specified by surrounding the string with `'`. This
-style supports no escaping (use `''` to quote a single quote). Only printable
-characters can be used when using this form.
-
-Unquoted style requires no quotes, but does not support any escaping plus care
-needs to be taken to not use any symbol that has a special meaning in YAML.
-
-Note: Single-quoted style is recommended when defining regular expressions,
-event format strings, windows file paths, or non-alphabetical symbolic characters.
-
-==== Duration
-
-Durations require a numeric value with optional fraction and required unit.
-Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`. Sometimes features based
-on durations can be disabled by using zero or negative durations.
-
-[source,yaml]
------
-duration1: 2.5s
-duration2: 6h
-duration_disabled: -1s
------
-
-==== Regular expression
-
-Regular expressions are special strings getting compiled into regular
-expressions at load time.
-
-As regular expressions and YAML use `\` for escaping
-characters in strings, it's highly recommended to use single quoted strings when
-defining regular expressions. When single quoted strings are used, `\` character
-is not interpreted by YAML parser as escape symbol.
-
-==== Format String (sprintf)
-
-Format strings enable you to refer to event field values creating a string based
-on the current event being processed. Variable expansions are enclosed in
-expansion braces `%{<accessor>:default value}`. Event fields are accessed using
-field references `[fieldname]`. Optional default values can be specified in case the
-field name is missing from the event.
-
-You can also format time stored in the
-`@timestamp` field using the `+FORMAT` syntax where FORMAT is a valid https://godoc.org/github.com/elastic/beats/libbeat/common/dtfmt[time
-format].
-
-[source,yaml]
------
-constant-format-string: 'constant string'
-field-format-string: '%{[fieldname]} string'
-format-string-with-date: '%{[fieldname]}-%{+yyyy.MM.dd}'
------
-
-
-[[config-file-format-env-vars]]
-=== Environment variables
-
-include::shared-env-vars.asciidoc[]
-
-[[config-gile-format-refs]]
-=== Reference variables
-
-Beats settings can reference other settings splicing multiple optionally custom
-named settings into new values. References use the same syntax as
-<<config-file-format-env-vars>> do. Only fully collapsed setting names can be
-referenced to.
-
-For example the filebeat registry file defaults to:
-
-[source,yaml]
------
-filebeat.registry: ${path.data}/registry
------
-
-With `path.data` being an implicit config setting, that is overridable from
-command line, as well as in the configuration file.
-
-Example referencing `es.host` in `output.elasticsearch.hosts`:
-
-[source,yaml]
------
-es.host: '${ES_HOST:localhost}'
-
-output.elasticsearch:
-  hosts: ['http://${es.host}:9200']
------
-
-Introducing `es.host`, the host can be overwritten from command line using
-`-E es.host=another-host`.
-
-Plain references, having no default value and are not spliced with other
-references or strings can reference complete namespaces.
-
-These setting with duplicate content:
-
-[source,yaml]
------
-namespace1:
-  subnamespace:
-    host: localhost
-    sleep: 1s
-
-namespace2:
-  subnamespace:
-    host: localhost
-    sleep: 1s
------
-
-can be rewritten to
-
-[source,yaml]
------
-namespace1: ${shared}
-namespace2: ${shared}
-
-shared:
-  subnamespace:
-    host: localhost
-    sleep: 1s
------
-
-when using plain references.
-
-
-[[config-file-permissions]]
-=== Config file ownership and permissions
-
-NOTE: This section does not apply to Windows or other non-POSIX operating systems.
-
-On systems with POSIX file permissions, all Beats configuration files are
-subject to ownership and file permission checks. The purpose of these checks is
-to prevent unauthorized users from providing or modifying configurations that
-are run by the Beat. The owner of the configuration files must be either `root`
-or the user who is executing the Beat process. The permissions on each file must
-disallow writes by anyone other than the owner.
-
-When installed via an RPM or DEB package, the config file at
-`/etc/{beatname}/{beatname}.yml` will have the proper owner and permissions. The
-file is owned by `root` and has file permissions of `0644` (`-rw-r--r--`).
-
-You may encounter the following errors if your config file fails these checks:
-
-[source,sh]
------
-Exiting: error loading config file: config file ("{beatname}.yml") must be
-owned by the beat user (uid=501) or root
------
-
-To correct this problem you can use either `chown root {beatname}.yml` or
-`chown 501 {beatname}.yml` to change the owner of the configuration file.
-
-[source,sh]
------
-Exiting: error loading config file: config file ("{beatname}.yml") can only be
-writable by the owner but the permissions are "-rw-rw-r--" (to fix the
-permissions use: 'chmod go-w /etc/{beatname}/{beatname}.yml')
------
-
-To correct this problem, use `chmod go-w /etc/{beatname}/{beatname}.yml` to
-remove write privileges from anyone other than the owner.
-
-Other config files, such as the files in the `modules.d` directory, are subject
-to the same ownership and file permission checks. 
-
-==== Disabling strict permission checks
-
-You can disable strict permission checks from the command line by using
-`--strict.perms=false`, but we strongly encourage you to leave the checks enabled.
-
-[[config-file-format-cli]]
-=== Command line arguments
-
-Config files to load are set using the `-c` flag on command line. If no flag is
-given, a beat and OS-specific default file path will be assumed.
-
-You can specify multiple configuration files by repeating the `-c` flag. You can
-use this, for example, for setting defaults in a base configuration file, and
-overwrite settings via local configuration files.
-
-In addition to overwriting settings using multiple configuration files,
-individual settings can be overwritten using `-E <setting>=<value>`. The
-`<value>` can be either a single value or a complex object, such as a list or
-dictionary.
-
-For example, given the following configuration:
-
-[source,yaml]
------
-output.elasticsearch:
-  hosts: ["http://localhost:9200"]
-  username: username
-  password: password
------
-
-You can disable the Elasticsearch output and write all events to the console by
-setting:
-
-[source,sh]
------
--E output='{elasticsearch.enabled: false, console.pretty: true}'
------
-
-Any complex objects that you specify at the command line are merged with the
-original configuration, and the following configuration is passed to the Beat:
-
-[source,yaml]
------
-output.elasticsearch:
-  enabled: false
-  hosts: ["http://localhost:9200"]
-  username: username
-  password: password
-
-output.console:
-  pretty: true
------
-
-
-[[config-file-format-tips]]
-=== YAML tips and gotchas
-
-include::yaml.asciidoc[]
diff --git a/libbeat/docs/contributing-to-beats.asciidoc b/libbeat/docs/contributing-to-beats.asciidoc
deleted file mode 100644
index 7205fbb8bbe3..000000000000
--- a/libbeat/docs/contributing-to-beats.asciidoc
+++ /dev/null
@@ -1,23 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/contributing-to-beats.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-["appendix",id="contributing-to-beats"]
-= Contribute to Beats
-
-The Beats are open source and we love to receive contributions from our
-community — you!
-
-There are many ways to contribute, from writing tutorials or blog posts,
-improving the documentation, submitting bug reports and feature requests, or
-writing code that implements a whole new protocol, module, or Beat.
-
-The {beatsdevguide}/index.html[Beats Developer Guide] is your one-stop shop for
-everything related to developing code for the Beats project. 
diff --git a/libbeat/docs/dashboardsconfig.asciidoc b/libbeat/docs/dashboardsconfig.asciidoc
deleted file mode 100644
index cad419ac28e3..000000000000
--- a/libbeat/docs/dashboardsconfig.asciidoc
+++ /dev/null
@@ -1,135 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/dashboardsconfig.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-[[configuration-dashboards]]
-== Configure Kibana dashboard loading
-
-++++
-<titleabbrev>Kibana dashboards</titleabbrev>
-++++
-
-{beatname_uc} comes packaged with example Kibana dashboards, visualizations,
-and searches for visualizing {beatname_uc} data in Kibana.
-
-To load the dashboards, you can either enable dashboard loading in the
-`setup.dashboards` section of the +{beatname_lc}.yml+ config file, or you can
-run the `setup` command. Dashboard loading is disabled by default.
-
-When dashboard loading is enabled, {beatname_uc} uses the Kibana API to load the
-sample dashboards. Dashboard loading is only attempted when {beatname_uc} starts up.
-If Kibana is not available at startup, {beatname_uc} will stop with an error.
-
-To enable dashboard loading, add the following setting to the config file:
-
-[source,yaml]
-------------------------------------------------------------------------------
-setup.dashboards.enabled: true
-------------------------------------------------------------------------------
-
-[float]
-=== Configuration options
-
-You can specify the following options in the `setup.dashboards` section of the
-+{beatname_lc}.yml+ config file:
-
-[float]
-==== `setup.dashboards.enabled`
-
-If this option is set to true, {beatname_uc} loads the sample Kibana dashboards
-from the local `kibana` directory in the home path of the {beatname_uc} installation.
-
-NOTE: {beatname_uc} loads dashboards on startup if either `enabled` is set to `true`
-or the `setup.dashboards` section is included in the configuration.
-
-NOTE: When dashboard loading is enabled, {beatname_uc} overwrites any existing
-dashboards that match the names of the dashboards you are loading. This happens
-every time {beatname_uc} starts. 
-
-If no other options are set, the dashboard are loaded
-from the local `kibana` directory in the home path of the {beatname_uc} installation.
-To load dashboards from a different location, you can configure one of the
-following options: <<directory-option,`setup.dashboards.directory`>>,
-<<url-option,`setup.dashboards.url`>>, or
-<<file-option,`setup.dashboards.file`>>.
-
-[float]
-[[directory-option]]
-==== `setup.dashboards.directory`
-
-The directory that contains the dashboards to load. The default is the `kibana`
-folder in the home path.
-
-[float]
-[[url-option]]
-==== `setup.dashboards.url`
-
-The URL to use for downloading the dashboard archive. If this option
-is set, {beatname_uc} downloads the dashboard archive from the specified URL
-instead of using the local directory.
-
-[float]
-[[file-option]]
-==== `setup.dashboards.file`
-
-The file archive (zip file) that contains the dashboards to load. If this option
-is set, {beatname_uc} looks for a dashboard archive in the specified path
-instead of using the local directory.
-
-[float]
-==== `setup.dashboards.beat`
-
-In case the archive contains the dashboards for multiple Beats, this setting
-lets you select the Beat for which you want to load dashboards. To load all the
-dashboards in the archive, set this option to an empty string. The default is
-+"{beatname_lc}"+.
-
-[float]
-==== `setup.dashboards.kibana_index`
-
-The name of the Kibana index to use for setting the configuration. The default
-is `".kibana"`
-
-
-[float]
-==== `setup.dashboards.index`
-
-The Elasticsearch index name. This setting overwrites the index name defined
-in the dashboards and index pattern. Example: `"testbeat-*"`
-
-NOTE: This setting only works for Kibana 6.0 and newer.
-
-[float]
-==== `setup.dashboards.always_kibana`
-
-Force loading of dashboards using the Kibana API without querying Elasticsearch for the version.
-The default is `false`.
-
-[float]
-==== `setup.dashboards.retry.enabled`
-
-If this option is set to true, and Kibana is not reachable at the time when dashboards are loaded,
- {beatname_uc} will retry to reconnect to Kibana instead of exiting with an error. Disabled by default.
-
-[float]
-==== `setup.dashboards.retry.interval`
-
-Duration interval between Kibana connection retries. Defaults to 1 second.
-
-[float]
-==== `setup.dashboards.retry.maximum`
-
-Maximum number of retries before exiting with an error. Set to 0 for unlimited retrying.
-Default is unlimited.
-
-[float]
-==== `setup.dashboards.string_replacements`
-
-The needle and replacements string map, which is used to replace needle string in dashboards and their references contents.
diff --git a/libbeat/docs/debugging.asciidoc b/libbeat/docs/debugging.asciidoc
deleted file mode 100644
index 08cdc3f71521..000000000000
--- a/libbeat/docs/debugging.asciidoc
+++ /dev/null
@@ -1,44 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/debugging.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-By default, {beatname_uc} sends all its output to syslog. When you run {beatname_uc} in
-the foreground, you can use the `-e` command line flag to redirect the output to
-standard error instead. For example:
-
-["source","sh",subs="attributes"]
------------------------------------------------
-{beatname_lc} -e
------------------------------------------------
-
-The default configuration file is {beatname_lc}.yml (the location of the file varies by
-platform). You can use a different configuration file by specifying the `-c` flag. For example:
-
-["source","sh",subs="attributes"]
-------------------------------------------------------------
-{beatname_lc} -e -c my{beatname_lc}config.yml
-------------------------------------------------------------
-
-You can increase the verbosity of debug messages by enabling one or more debug
-selectors. For example, to view publisher-related messages, start {beatname_uc}
-with the `publisher` selector:
-
-["source","sh",subs="attributes"]
-------------------------------------------------------------
-{beatname_lc} -e -d "publisher"
-------------------------------------------------------------
-
-If you want all the debugging output (fair warning, it's quite a lot), you can
-use `*`, like this:
-
-["source","sh",subs="attributes"]
-------------------------------------------------------------
-{beatname_lc} -e -d "*"
-------------------------------------------------------------
diff --git a/libbeat/docs/faq-limit-bandwidth.asciidoc b/libbeat/docs/faq-limit-bandwidth.asciidoc
deleted file mode 100644
index 0b1b9fbe17a8..000000000000
--- a/libbeat/docs/faq-limit-bandwidth.asciidoc
+++ /dev/null
@@ -1,19 +0,0 @@
-[[bandwidth-throttling]]
-=== {beatname_uc} uses too much bandwidth
-
-If you need to limit bandwidth usage, we recommend that you configure the network stack on your OS to perform
-bandwidth throttling.
-
-For example, the following Linux commands cap the connection between {beatname_uc} and Logstash by setting a
-limit of 50 kbps on TCP connections over port 5044:
-
-[source,shell]
-----------------------------------------------------------------------
-tc qdisc add dev $DEV root handle 1: htb
-tc class add dev $DEV parent 1:1 classid 1:10 htb rate 50kbps ceil 50kbps
-tc filter add dev $DEV parent 1:0 prio 1 protocol ip handle 10 fw flowid 1:10
-iptables -A OUTPUT -t mangle -p tcp --dport 5044 -j MARK --set-mark 10
-----------------------------------------------------------------------
-
-Using OS tools to perform bandwidth throttling gives you better control over policies. For example, you can use
-OS tools to cap bandwidth during the day, but not at night. Or you can leave the bandwidth uncapped, but assign a low priority to the traffic.
diff --git a/libbeat/docs/faq-refresh-index.asciidoc b/libbeat/docs/faq-refresh-index.asciidoc
deleted file mode 100644
index 1ebc62a0411a..000000000000
--- a/libbeat/docs/faq-refresh-index.asciidoc
+++ /dev/null
@@ -1,23 +0,0 @@
-[[refresh-index-pattern]]
-=== Fields show up as nested JSON in {kib}
-
-When {beatname_uc} exports a field of type dictionary, and the keys are not known in advance, the Discovery page in {kib} will display the field as a nested JSON object:
-
-[source,shell]
-----------------------------------------------------------------------
-http.response.headers = {
-        "content-length": 12,
-        "content-type": "application/json"
-}
-----------------------------------------------------------------------
-
-To fix this you need to {kibana-ref}/index-patterns.html[reload the index pattern] in {kib} under the Management->Index Patterns, and the index pattern will be
-updated with a field for each key available in the dictionary:
-
-[source,shell]
-----------------------------------------------------------------------
-http.response.headers.content-length = 12
-http.response.headers.content-type = "application/json"
-----------------------------------------------------------------------
-
-
diff --git a/libbeat/docs/generalconfig.asciidoc b/libbeat/docs/generalconfig.asciidoc
deleted file mode 100644
index 76d045fafe6d..000000000000
--- a/libbeat/docs/generalconfig.asciidoc
+++ /dev/null
@@ -1,115 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/generalconfig.asciidoc[]
-//// Make sure this content appears below a level 2 heading.
-//////////////////////////////////////////////////////////////////////////
-
-[float]
-[[configuration-general]]
-=== General configuration options
-
-++++
-<titleabbrev>General settings</titleabbrev>
-++++
-
-These options are supported by all Elastic Beats. Because they are common
-options, they are not namespaced.
-
-Here is an example configuration:
-
-[source,yaml]
-------------------------------------------------------------------------------
-name: "my-shipper"
-tags: ["service-X", "web-tier"]
-------------------------------------------------------------------------------
-
-[float]
-==== `name`
-
-The name of the Beat. If this option is empty, the `hostname` of the server is
-used. The name is included as the `agent.name` field in each published transaction. You can
-use the name to group all transactions sent by a single Beat.
-
-Example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-name: "my-shipper"
-------------------------------------------------------------------------------
-
-[float]
-==== `tags`
-
-A list of tags that the Beat includes in the `tags` field of each published
-transaction. Tags make it easy to group servers by different logical properties.
-For example, if you have a cluster of web servers, you can add the "webservers"
-tag to the Beat on each server, and then use filters and queries in the Kibana
-web interface to get visualisations for the whole group of servers.
-
-Example:
-
-[source,yaml]
---------------------------------------------------------------------------------
-tags: ["my-service", "hardware", "test"]
---------------------------------------------------------------------------------
-
-[float]
-[[libbeat-configuration-fields]]
-==== `fields`
-
-Optional fields that you can specify to add additional information to the
-output. Fields can be scalar values, arrays, dictionaries, or any nested
-combination of these. By default, the fields that you specify here will be
-grouped under a `fields` sub-dictionary in the output document. To store the
-custom fields as top-level fields, set the `fields_under_root` option to true.
-
-Example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-fields: {project: "myproject", instance-id: "574734885120952459"}
-------------------------------------------------------------------------------
-
-[float]
-==== `fields_under_root`
-
-If this option is set to true, the custom <<libbeat-configuration-fields,fields>> are
-stored as top-level fields in the output document instead of being grouped under
-a `fields` sub-dictionary. If the custom field names conflict with other field
-names, then the custom fields overwrite the other fields.
-
-Example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-fields_under_root: true
-fields:
-  instance_id: i-10a64379
-  region: us-east-1
-------------------------------------------------------------------------------
-
-[float]
-==== `processors`
-
-A list of processors to apply to the data generated by the beat.
-
-See <<filtering-and-enhancing-data>> for information about specifying
-processors in your config.
-
-[float]
-==== `max_procs`
-
-Sets the maximum number of CPUs that can be executing simultaneously. The
-default is the number of logical CPUs available in the system.
-
-[float]
-==== `timestamp.precision`
-
-Configure the precision of all timestamps. By default it is set to millisecond.
-Available options: millisecond, microsecond, nanosecond
diff --git a/libbeat/docs/getting-help.asciidoc b/libbeat/docs/getting-help.asciidoc
deleted file mode 100644
index 2404de19a022..000000000000
--- a/libbeat/docs/getting-help.asciidoc
+++ /dev/null
@@ -1,24 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/getting-help.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-Start by searching the https://discuss.elastic.co/c/{discuss_forum}[{beatname_uc} discussion forum] for your issue. If you can't find a resolution, open a new issue or add a comment to an existing one. Make sure you provide the following information, and we'll help
-you troubleshoot the problem:
-
-* {beatname_uc} version
-* Operating System
-* Configuration
-* Any supporting information, such as debugging output, that will help us diagnose your
-problem. See <<enable-{beatname_lc}-debugging>> for more details.
-
-If you're sure you found a bug, you can open a ticket on
-https://github.com/elastic/{github_repo_name}/issues?state=open[GitHub]. Note, however,
-that we close GitHub issues containing questions or requests for help if they
-don't indicate the presence of a bug.
diff --git a/libbeat/docs/getting-started.asciidoc b/libbeat/docs/getting-started.asciidoc
deleted file mode 100644
index 63773da71a8d..000000000000
--- a/libbeat/docs/getting-started.asciidoc
+++ /dev/null
@@ -1,15 +0,0 @@
-[[getting-started]]
-== Get started with {beats}
-
-Each Beat is a separately installable product. To learn how to get started, see:
-
-* {auditbeat-ref}/auditbeat-installation-configuration.html[Auditbeat]
-* {filebeat-ref}/filebeat-installation-configuration.html[Filebeat]
-* {heartbeat-ref}/heartbeat-installation-configuration.html[Heartbeat]
-* {metricbeat-ref}/metricbeat-installation-configuration.html[Metricbeat]
-* {packetbeat-ref}/packetbeat-installation-configuration.html[Packetbeat]
-* {winlogbeat-ref}/winlogbeat-installation-configuration.html[Winlogbeat]
-
-If you're planning to use the {metrics-app} or the {logs-app} in {kib},
-see {observability-guide}/analyze-metrics.html[Analyze metrics]
-and {observability-guide}/monitor-logs.html[Monitor logs].
diff --git a/libbeat/docs/howto/change-index-name.asciidoc b/libbeat/docs/howto/change-index-name.asciidoc
deleted file mode 100644
index c13d06218751..000000000000
--- a/libbeat/docs/howto/change-index-name.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-[id="change-index-name"]
-== Change the index name
-
-{beatname_uc} uses data streams named +{beatname_lc}-{version}+.
-To use a different name, set the <<index-option-es,`index`>> option
-in the {es} output. You also need to configure the `setup.template.name` and
-`setup.template.pattern` options to match the new name. For example:
-
-["source","sh",subs="attributes,callouts"]
------
-output.elasticsearch.index: "customname-%{[{beat_version_key}]}"
-setup.template.name: "customname-%{[{beat_version_key}]}"
-setup.template.pattern: "customname-%{[{beat_version_key}]}"
------
-
-ifndef::no_dashboards[]
-If you're using pre-built Kibana dashboards, also set the
-`setup.dashboards.index` option. For example: 
-
-[source, yaml]
-----
-setup.dashboards.index: "customname-*"
-----
-endif::no_dashboards[]
-
-For a full list of template setup options, see <<configuration-template>>.
-
-ifdef::no_dashboards[]
-Remember to change the index name when you load dashboards via the Kibana UI.
-endif::no_dashboards[]
diff --git a/libbeat/docs/howto/load-dashboards.asciidoc b/libbeat/docs/howto/load-dashboards.asciidoc
deleted file mode 100644
index aca39fc56778..000000000000
--- a/libbeat/docs/howto/load-dashboards.asciidoc
+++ /dev/null
@@ -1,79 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/dashboards.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-[[load-kibana-dashboards]]
-== Load {kib} dashboards
-
-ifdef::has_solutions[]
-TIP: For deeper observability into your infrastructure, you can use the
-{metrics-app} and the {logs-app} in {kib}.
-For more details, see {observability-guide}/analyze-metrics.html[Metrics monitoring]
-and {observability-guide}/monitor-logs.html[Log monitoring].
-endif::has_solutions[]
-
-{beatname_uc} comes packaged with example Kibana dashboards, visualizations,
-and searches for visualizing {beatname_uc} data in Kibana. Before you can use
-the dashboards, you need to create the index pattern, +{beat_default_index_prefix}-*+, and
-load the dashboards into Kibana.
-
-To do this, you can either run the `setup`
-command (as described here) or
-<<configuration-dashboards,configure dashboard loading>> in the
-+{beatname_lc}.yml+ config file. This requires a Kibana endpoint configuration. If you didn't already configure
-a Kibana endpoint, see <<setup-kibana-endpoint>>.
-
-[float]
-[[load-dashboards]]
-=== Load dashboards
-
-Make sure Kibana is running before you perform this step. If you are accessing a
-secured Kibana instance, make sure you've configured credentials as described in
-the <<{beatname_lc}-installation-configuration>>.
-
-To load the recommended index template for writing to {es} and deploy the sample dashboards
-for visualizing the data in {kib}, use the command that works with your system.
-
-ifdef::requires-sudo[]
-include::{libbeat-dir}/shared-note-sudo.asciidoc[]
-endif::requires-sudo[]
-
-include::{libbeat-dir}/tab-widgets/load-dashboards-widget.asciidoc[]
-
-For more options, such as loading customized dashboards, see
-{beatsdevguide}/import-dashboards.html[Importing Existing Beat Dashboards].
-ifndef::no-output-logstash[]
-If you've configured the Logstash output, see
-<<load-dashboards-logstash>>.
-endif::[]
-
-ifndef::no-output-logstash[]
-[float]
-[[load-dashboards-logstash]]
-=== Load dashboards for Logstash output
-
-During dashboard loading, {beatname_uc} connects to Elasticsearch to check
-version information. To load dashboards when the Logstash output is enabled, you
-need to temporarily disable the Logstash output and enable Elasticsearch. To
-connect to a secured Elasticsearch cluster, you also need to pass Elasticsearch
-credentials.
-
-TIP: The example shows a hard-coded password, but you should store sensitive
-values
-ifndef::serverless[]
-in the <<keystore,secrets keystore>>.
-endif::[]
-ifdef::serverless[]
-in environment variables.
-endif::[]
-
-endif::no-output-logstash[]
-
-include::{libbeat-dir}/tab-widgets/load-dashboards-logstash-widget.asciidoc[]
diff --git a/libbeat/docs/howto/load-index-templates.asciidoc b/libbeat/docs/howto/load-index-templates.asciidoc
deleted file mode 100644
index 3fe67ce0875d..000000000000
--- a/libbeat/docs/howto/load-index-templates.asciidoc
+++ /dev/null
@@ -1,356 +0,0 @@
-[id="{beatname_lc}-template"]
-== Load the {es} index template
-
-{es} uses {ref}/index-templates.html[index templates] to define:
-
-* Settings that control the behavior of your data stream and backing indices.
-The settings include the lifecycle policy used to manage backing indices as they grow and age.
-* Mappings that determine how fields are analyzed. Each mapping sets the
-{ref}/mapping-types.html[{es} datatype] to use for a specific data field.
-
-The recommended index template file for {beatname_uc} is installed by the
-{beatname_uc} packages. If you accept the default configuration in the
-+{beatname_lc}.yml+ config file, {beatname_uc} loads the template automatically
-after successfully connecting to {es}. If the template already exists,
-it's not overwritten unless you configure {beatname_uc} to do so.
-
-ifndef::no-output-logstash[]
-NOTE: A connection to {es} is required to load the index template. If
-the output is not {es} (or {ess}), you must
-<<load-template-manually,load the template manually>>.
-endif::[]
-
-This page shows how to change the default template loading behavior to:
-
-* <<load-custom-template>>
-* <<overwrite-template>>
-* <<disable-template-loading>>
-* <<load-template-manually>>
-
-For a full list of template setup options, see <<configuration-template>>.
-
-[float]
-[[load-custom-template]]
-=== Load your own index template
-
-To load your own index template, set the following options:
-
-[source,yaml]
------
-setup.template.name: "your_template_name"
-setup.template.fields: "path/to/fields.yml"
------
-
-If the template already exists, it’s not overwritten unless you configure
-{beatname_uc} to do so.
-
-You can load templates for both data streams and indices.
-
-[float]
-[[overwrite-template]]
-=== Overwrite an existing index template
-
-WARNING: Do not enable this option for more than one instance of {beatname_uc}. If you start
-multiple instances at the same time, it can overload your {es} with too many
-template update requests.
-
-To overwrite a template that's already loaded into {es}, set:
-
-[source,yaml]
------
-setup.template.overwrite: true
------
-
-[float]
-[[disable-template-loading]]
-=== Disable automatic index template loading
-
-You may want to disable automatic template loading if you're using an output
-other than {es} and need to load the template manually. To disable automatic
-template loading, set:
-
-[source,yaml]
------
-setup.template.enabled: false
------
-
-If you disable automatic template loading, you must load the index template
-manually.
-
-[float]
-[[load-template-manually]]
-=== Load the index template manually
-
-To load the index template manually, run the <<setup-command,`setup`>> command.
-A connection to {es} is required.  If another output is enabled, you need to
-temporarily disable that output and enable {es} by using the `-E` option.
-ifndef::no-output-logstash[]
-The examples here assume that Logstash output is enabled.
-endif::[]
-You can omit the `-E` flags if {es} output is already enabled.
-
-ifndef::apm-server[]
-If you are connecting to a secured {es} cluster, make sure you've
-configured credentials as described in the <<{beatname_lc}-installation-configuration>>.
-endif::[]
-
-If the host running {beatname_uc} does not have direct connectivity to
-{es}, see <<load-template-manually-alternate>>.
-
-ifndef::win_only[]
-To load the template, use the appropriate command for your system.
-endif::win_only[]
-
-ifdef::win_only[]
-To load the template:
-endif::win_only[]
-
-ifndef::no-output-logstash[]
-:disable_logstash: {sp}-E output.logstash.enabled=false
-endif::[]
-
-ifdef::no-output-logstash[]
-:disable_logstash:
-endif::[]
-
-ifdef::requires-sudo[]
-include::{libbeat-dir}/shared-note-sudo.asciidoc[]
-endif::requires-sudo[]
-
-ifdef::deb_os,rpm_os[]
-*deb and rpm:*
-["source","sh",subs="attributes"]
-----
-{beatname_lc} setup --index-management{disable_logstash} -E 'output.elasticsearch.hosts=["localhost:9200"]'
-----
-endif::deb_os,rpm_os[]
-
-ifdef::mac_os[]
-*mac:*
-
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup --index-management{disable_logstash} -E 'output.elasticsearch.hosts=["localhost:9200"]'
-----
-
-endif::mac_os[]
-
-ifdef::linux_os[]
-*linux:*
-
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup --index-management{disable_logstash} -E 'output.elasticsearch.hosts=["localhost:9200"]'
-----
-endif::linux_os[]
-
-
-ifdef::docker_platform[]
-*docker:*
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
-docker run --rm {dockerimage} setup --index-management{disable_logstash} -E 'output.elasticsearch.hosts=["localhost:9200"]'
-----------------------------------------------------------------------
-endif::docker_platform[]
-
-ifdef::win_os[]
-ifndef::win_only[]
-*win:*
-endif::win_only[]
-
-Open a PowerShell prompt as an Administrator (right-click the PowerShell icon
-and select *Run As Administrator*).
-
-From the PowerShell prompt, change to the directory where you installed {beatname_uc},
-and run:
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
-PS > .{backslash}{beatname_lc}.exe setup --index-management{disable_logstash} -E 'output.elasticsearch.hosts=["localhost:9200"]'
-----------------------------------------------------------------------
-endif::win_os[]
-
-[float]
-[[force-kibana-new]]
-==== Force Kibana to look at newest documents
-
-If you've already used {beatname_uc} to index data into {es},
-the index may contain old documents. After you load the index template,
-you can delete the old documents from +{beatname_lc}-*+ to force Kibana to look
-at the newest documents.
-
-Use this command:
-
-ifdef::deb_os,rpm_os[]
-*deb and rpm:*
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
-curl -XDELETE 'http://localhost:9200/{beatname_lc}-*'
-----------------------------------------------------------------------
-endif::deb_os,rpm_os[]
-
-ifdef::mac_os[]
-*mac:*
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
-curl -XDELETE 'http://localhost:9200/{beatname_lc}-*'
-----------------------------------------------------------------------
-endif::mac_os[]
-
-ifdef::linux_os[]
-*linux:*
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
-curl -XDELETE 'http://localhost:9200/{beatname_lc}-*'
-----------------------------------------------------------------------
-endif::linux_os[]
-
-ifdef::win_os[]
-ifndef::win_only[]
-*win:*
-endif::win_only[]
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
-PS > Invoke-RestMethod -Method Delete "http://localhost:9200/{beatname_lc}-*"
-----------------------------------------------------------------------
-endif::win_os[]
-
-This command deletes all indices that match the pattern +{beat_default_index_prefix}+.
-Before running this command, make sure you want to delete all indices that match
-the pattern.
-
-[float]
-[[load-template-manually-alternate]]
-=== Load the index template manually (alternate method)
-
-If the host running {beatname_uc} does not have direct connectivity to
-{es}, you can export the index template to a file, move it to a
-machine that does have connectivity, and then install the template manually.
-
-To export the index template, run:
-
-ifdef::deb_os,rpm_os[]
-*deb and rpm:*
-
-["source","sh",subs="attributes"]
-----
-{beatname_lc} export template > {beatname_lc}.template.json
-----
-endif::deb_os,rpm_os[]
-
-ifdef::mac_os[]
-*mac:*
-
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} export template > {beatname_lc}.template.json
-----
-
-endif::mac_os[]
-
-ifdef::linux_os[]
-*linux:*
-
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} export template > {beatname_lc}.template.json
-----
-endif::linux_os[]
-
-ifdef::win_os[]
-ifndef::win_only[]
-*win:*
-endif::win_only[]
-
-["source","sh",subs="attributes"]
-----
-PS > .{backslash}{beatname_lc}.exe export template --es.version {version} | Out-File -Encoding UTF8 {beatname_lc}.template.json
-----
-endif::win_os[]
-
-To install the template, run:
-
-ifdef::deb_os,rpm_os[]
-*deb and rpm:*
-
-["source","sh",subs="attributes"]
-----
-curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/{beatname_lc}-{version} -d@{beatname_lc}.template.json
-----
-endif::deb_os,rpm_os[]
-
-ifdef::mac_os[]
-*mac:*
-
-["source","sh",subs="attributes"]
-----
-curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/{beatname_lc}-{version} -d@{beatname_lc}.template.json
-----
-endif::mac_os[]
-
-ifdef::linux_os[]
-*linux:*
-
-["source","sh",subs="attributes"]
-----
-curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_index_template/{beatname_lc}-{version} -d@{beatname_lc}.template.json
-----
-endif::linux_os[]
-
-ifdef::win_os[]
-ifndef::win_only[]
-*win:*
-endif::win_only[]
-
-["source","sh",subs="attributes"]
-----
-PS > Invoke-RestMethod -Method Put -ContentType "application/json" -InFile {beatname_lc}.template.json -Uri http://localhost:9200/_index_template/{beatname_lc}-{version}
-----
-endif::win_os[]
-
-Once you have loaded the index template, load the data stream as well. If you
-do not load it, you have to give the publisher user `manage` permission on
-{beatname_lc}-{version} index.
-
-ifdef::deb_os,rpm_os[]
-*deb and rpm:*
-
-["source","sh",subs="attributes"]
-----
-curl -XPUT http://localhost:9200/_data_stream/{beatname_lc}-{version}
-----
-endif::deb_os,rpm_os[]
-
-ifdef::mac_os[]
-*mac:*
-
-["source","sh",subs="attributes"]
-----
-curl -XPUT http://localhost:9200/_data_stream/{beatname_lc}-{version}
-----
-endif::mac_os[]
-
-ifdef::linux_os[]
-*linux:*
-
-["source","sh",subs="attributes"]
-----
-curl -XPUT http://localhost:9200/_data_stream/{beatname_lc}-{version}
-----
-endif::linux_os[]
-
-ifdef::win_os[]
-ifndef::win_only[]
-*win:*
-endif::win_only[]
-
-["source","sh",subs="attributes"]
-----
-PS > Invoke-RestMethod -Method Put -Uri http://localhost:9200/_data_stream/{beatname_lc}-{version}
-----
-endif::win_os[]
diff --git a/libbeat/docs/http-endpoint.asciidoc b/libbeat/docs/http-endpoint.asciidoc
deleted file mode 100644
index f021e9f32769..000000000000
--- a/libbeat/docs/http-endpoint.asciidoc
+++ /dev/null
@@ -1,223 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/http-endpoint.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-[[http-endpoint]]
-== Configure an HTTP endpoint for metrics
-
-++++
-<titleabbrev>HTTP endpoint</titleabbrev>
-++++
-
-experimental[]
-
-{beatname_uc} can expose internal metrics through an HTTP endpoint. These are useful to
-monitor the internal state of the Beat. For security reasons the endpoint is disabled
-by default, as you may want to avoid exposing this info.
-
-The HTTP endpoint has the following configuration settings:
-
-`http.enabled`:: (Optional) Enable the HTTP endpoint. Default is `false`.
-`http.host`:: (Optional) Bind to this hostname, IP address, unix socket (unix:///var/run/{beatname_lc}.sock) or Windows named pipe (npipe:///{beatname_lc}).
-It is recommended to use only localhost. Default is `localhost`
-`http.port`:: (Optional) Port on which the HTTP endpoint will bind. Default is `5066`.
-`http.named_pipe.user`:: (Optional) User to use to create the named pipe, only work on Windows, Default to the
-current user.
-`http.named_pipe.security_descriptor`:: (Optional) Windows Security descriptor string defined in the SDDL format. Default to
-read and write permission for the current user.
-`http.pprof.enabled`:: (Optional) Enable the `/debug/pprof/` endpoints when serving HTTP. It is recommended that this is only enabled on localhost as these endpoints may leak data. Default is `false`.
-`http.pprof.block_profile_rate`:: (Optional) `block_profile_rate` controls the
-fraction of goroutine blocking events that are reported in the blocking profile
-available from `/debug/pprof/block`. The profiler aims to sample an average of
-one blocking event per rate nanoseconds spent blocked. To include every blocking
-event in the profile, pass rate = 1. To turn off profiling entirely, pass rate
-<= 0. Defaults to 0.
-`http.pprof.mem_profile_rate`:: (Optional) `mem_profile_rate` controls the
-fraction of memory allocations that are recorded and reported in the memory
-profile available from `/debug/pprof/heap`. The profiler aims to sample an
-average of one allocation per `mem_profile_rate` bytes allocated. To include
-every allocated block in the profile, set `mem_profile_rate` to 1. To turn off
-profiling entirely, set `mem_profile_rate` to 0. Defaults to 524288.
-`http.pprof.mutex_profile_rate`:: (Optional) `mutex_profile_rate` controls the
-fraction of mutex contention events that are reported in the mutex profile
-available from `/debug/pprof/mutex`. On average 1/rate events are reported.
-To turn off profiling entirely, pass rate 0. The default value is 0.
-
-This is the list of paths you can access. For pretty JSON output append `?pretty` to the URL.
-
-You can query a unix socket using the `cURL` command and the `--unix-socket` flag.
-
-[source,js]
-----
-curl -XGET --unix-socket '/var/run/{beatname_lc}.sock' 'http:/stats/?pretty'
-----
-
-
-[float]
-=== Info
-
-`/` provides basic info from the {beatname_uc}. Example:
-
-[source,js]
-----
-curl -XGET 'localhost:5066/?pretty'
-----
-
-["source","js",subs="attributes"]
-----
-{
-  "beat": "{beatname_lc}",
-  "hostname": "example.lan",
-  "name": "example.lan",
-  "uuid": "34f6c6e1-45a8-4b12-9125-11b3e6e89866",
-  "version": "{version}"
-}
-----
-
-[float]
-=== Stats
-
-`/stats` reports internal metrics. Example:
-
-[source,js]
-----
-curl -XGET 'localhost:5066/stats?pretty'
-----
-
-["source","js",subs="attributes"]
-----
-{
-  "beat": {
-    "cpu": {
-      "system": {
-        "ticks": 1710,
-        "time": {
-          "ms": 1712
-        }
-      },
-      "total": {
-        "ticks": 3420,
-        "time": {
-          "ms": 3424
-        },
-        "value": 3420
-      },
-      "user": {
-        "ticks": 1710,
-        "time": {
-          "ms": 1712
-        }
-      }
-    },
-    "info": {
-      "ephemeral_id": "ab4287c4-d907-4d9d-b074-d8c3cec4a577",
-      "uptime": {
-        "ms": 195547
-      }
-    },
-    "memstats": {
-      "gc_next": 17855152,
-      "memory_alloc": 9433384,
-      "memory_total": 492478864,
-      "rss": 50405376
-    },
-    "runtime": {
-      "goroutines": 22
-    }
-  },
-  "libbeat": {
-    "config": {
-      "module": {
-        "running": 0,
-        "starts": 0,
-        "stops": 0
-      },
-      "scans": 1,
-      "reloads": 1
-    },
-    "output": {
-      "events": {
-        "acked": 0,
-        "active": 0,
-        "batches": 0,
-        "dropped": 0,
-        "duplicates": 0,
-        "failed": 0,
-        "total": 0
-      },
-      "read": {
-        "bytes": 0,
-        "errors": 0
-      },
-      "type": "elasticsearch",
-      "write": {
-        "bytes": 0,
-        "errors": 0
-      }
-    },
-    "pipeline": {
-      "clients": 6,
-      "events": {
-        "active": 716,
-        "dropped": 0,
-        "failed": 0,
-        "filtered": 0,
-        "published": 716,
-        "retry": 278,
-        "total": 716
-      },
-      "queue": {
-        "acked": 0
-      }
-    }
-  },
-  "system": {
-    "cpu": {
-      "cores": 4
-    },
-    "load": {
-      "1": 2.22,
-      "15": 1.8,
-      "5": 1.74,
-      "norm": {
-        "1": 0.555,
-        "15": 0.45,
-        "5": 0.435
-      }
-    }
-  }
-}
-----
-
-The actual output may contain more metrics specific to {beatname_uc}
-
-ifdef::has_inputs_endpoint[]
-[float]
-=== Inputs
-
-`/inputs/` returns metrics related to input instances. It returns a list of
-objects where each object contains metrics for an instance of an input. Each
-object will minimally contain an `input` field that identifies the type of input
-(e.g. `aws-s3`) and an `id` field that is the unique identifier for the input
-instance.
-
-A request may optionally specify a `type` query parameter to request metrics
-for a specific type of input. And `pretty` may be included to have the
-returned JSON be pretty formatted.
-
-[source,js]
-----
-curl 'http://localhost:5066/inputs/'
-curl 'http://localhost:5066/inputs/?pretty'
-curl 'http://localhost:5066/inputs/?type=aws-s3&pretty'
-----
-
-["source","js",subs="attributes"]
-endif::has_inputs_endpoint[]
diff --git a/libbeat/docs/https.asciidoc b/libbeat/docs/https.asciidoc
deleted file mode 100644
index 24387a7d376a..000000000000
--- a/libbeat/docs/https.asciidoc
+++ /dev/null
@@ -1,165 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/https.asciidoc[]
-//// This content is structured to be included as a whole file.
-//////////////////////////////////////////////////////////////////////////
-
-[role="xpack"]
-[[securing-communication-elasticsearch]]
-== Secure communication with Elasticsearch
-
-When sending data to a secured cluster through the `elasticsearch`
-output, {beatname_uc} can use any of the following authentication methods:
-
-* Basic authentication credentials (username and password).
-* Token-based API authentication.
-* A client certificate.
-
-Authentication is specified in the {beatname_uc} configuration file:
-
-* To use *basic authentication*, specify the `username` and `password` settings under `output.elasticsearch`.
-For example:
-+
---
-["source","yaml",subs="attributes,callouts"]
-----------------------------------------------------------------------
-output.elasticsearch:
-  hosts: ["https://myEShost:9200"]
-  username: "{beat_default_index_prefix}_writer" <1>
-  password: "{pwd}" <2>
-----------------------------------------------------------------------
-<1> This user needs the privileges required to publish events to {es}.
-To create a user like this, see <<privileges-to-publish-events>>.
-<2> This example shows a hard-coded password, but you should store sensitive
-values
-ifndef::serverless[]
-in the <<keystore,secrets keystore>>.
-endif::[]
-ifdef::serverless[]
-in environment variables.
-endif::[]
---
-
-* To use token-based *API key authentication*, specify the `api_key` under `output.elasticsearch`.
-For example:
-+
---
-["source","yaml",subs="attributes,callouts"]
-----------------------------------------------------------------------
-output.elasticsearch:
-  hosts: ["https://myEShost:9200"]
-  api_key: "ZCV7VnwBgnX0T19fN8Qe:KnR6yE41RrSowb0kQ0HWoA" <1>
-----------------------------------------------------------------------
-<1> This API key must have the privileges required to publish events to {es}.
-To create an API key like this, see <<beats-api-keys>>.
---
-
-[[beats-tls]]
-* To use *Public Key Infrastructure (PKI) certificates* to authenticate users,
-specify the `certificate` and `key` settings under `output.elasticsearch`.
-For example:
-+
---
-["source","yaml",subs="attributes,callouts"]
-----------------------------------------------------------------------
-output.elasticsearch:
-  hosts: ["https://myEShost:9200"]
-  ssl.certificate: "/etc/pki/client/cert.pem" <1>
-  ssl.key: "/etc/pki/client/cert.key" <2>
-----------------------------------------------------------------------
-<1> The path to the certificate for SSL client authentication
-<2> The client certificate key
---
-+
-These settings assume that the
-distinguished name (DN) in the certificate is mapped to the appropriate roles in
-the `role_mapping.yml` file on each node in the {es} cluster. For more
-information, see {ref}/mapping-roles.html#mapping-roles-file[Using role
-mapping files].
-+
-By default, {beatname_uc} uses the list of trusted certificate authorities (CA) from the
-operating system where {beatname_uc} is running. If the certificate authority that signed your node certificates
-is not in the host system's trusted certificate authorities list, you need
-to add the path to the `.pem` file that contains your CA's certificate to the
-{beatname_uc} configuration. This will configure {beatname_uc} to use a specific list of
-CA certificates instead of the default list from the OS.
-+
-Here is an example configuration:
-+
---
-["source","yaml",subs="attributes,callouts"]
-----------------------------------------------------------------------
-output.elasticsearch:
-  hosts: ["https://myEShost:9200"]
-  ssl.certificate_authorities: <1>
-    - /etc/pki/my_root_ca.pem
-    - /etc/pki/my_other_ca.pem
-  ssl.certificate: "/etc/pki/client.pem" <2>
-  ssl.key: "/etc/pki/key.pem" <3>
-----------------------------------------------------------------------
-<1> Specify the path to the local `.pem` file that contains your Certificate
-Authority's certificate. This is needed if you use your own CA to sign your node certificates.
-<2> The path to the certificate for SSL client authentication
-<3> The client certificate key
---
-+
-NOTE: For any given connection, the SSL/TLS certificates must have a subject
-that matches the value specified for `hosts`, or the SSL handshake fails.
-For example, if you specify `hosts: ["foobar:9200"]`, the certificate MUST
-include `foobar` in the subject (`CN=foobar`) or as a subject alternative name
-(SAN). Make sure the hostname resolves to the correct IP address. If no DNS is available, then
-you can associate the IP address with your hostname in `/etc/hosts`
-(on Unix) or `C:\Windows\System32\drivers\etc\hosts` (on Windows).
-
-ifndef::no_dashboards[]
-[role="xpack"]
-[float]
-[[securing-communication-kibana]]
-=== Secure communication with the Kibana endpoint
-
-If you've configured the <<setup-kibana-endpoint,{kib} endpoint>>,
-you can also specify credentials for authenticating with {kib} under `kibana.setup`.
-If no credentials are specified, Kibana will use the configured authentication method
-in the Elasticsearch output.
-
-For example, specify a unique username and password to connect to Kibana like this:
-
---
-["source","yaml",subs="attributes,callouts"]
-----
-setup.kibana:
-  host: "mykibanahost:5601"
-  username: "{beat_default_index_prefix}_kib_setup" <1>
-  password: "{pwd}" <2>
-----
-<1> This user needs privileges required to set up dashboards. To create a user like this,
-see <<privileges-to-setup-beats>>.
-<2> This example shows a hard-coded password, but you should store sensitive
-values
-ifndef::serverless[]
-in the <<keystore,secrets keystore>>.
-endif::[]
-ifdef::serverless[]
-in environment variables.
-endif::[]
-endif::no_dashboards[]
---
-
-[role="xpack"]
-[float]
-[[securing-communication-learn-more]]
-=== Learn more about secure communication
-
-More information on sending data to a secured cluster is available in the configuration reference:
-
-* <<elasticsearch-output>>
-* <<configuration-ssl>>
-ifndef::no_dashboards[]
-* <<setup-kibana-endpoint>>
-endif::no_dashboards[]
diff --git a/libbeat/docs/images/beat_overview.svg b/libbeat/docs/images/beat_overview.svg
deleted file mode 100644
index 55038896b9e4..000000000000
--- a/libbeat/docs/images/beat_overview.svg
+++ /dev/null
@@ -1,253 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="210mm"
-   height="297mm"
-   viewBox="0 0 210 297"
-   id="svg2"
-   version="1.1"
-   inkscape:version="0.91+devel+osxmenu r12922"
-   sodipodi:docname="beat_overview.svg"
-   inkscape:export-filename="/Users/tsg/src/github.com/elastic/libbeat/docs/images/beat_overview.png"
-   inkscape:export-xdpi="96"
-   inkscape:export-ydpi="96">
-  <defs
-     id="defs4">
-    <marker
-       inkscape:stockid="Arrow1Lend"
-       orient="auto"
-       refY="0.0"
-       refX="0.0"
-       id="Arrow1Lend"
-       style="overflow:visible;"
-       inkscape:isstock="true">
-      <path
-         id="path4167"
-         d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
-         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
-         transform="scale(0.8) rotate(180) translate(12.5,0)" />
-    </marker>
-  </defs>
-  <sodipodi:namedview
-     id="base"
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:pageopacity="0.0"
-     inkscape:pageshadow="2"
-     inkscape:zoom="1.979899"
-     inkscape:cx="324.57309"
-     inkscape:cy="949.92927"
-     inkscape:document-units="mm"
-     inkscape:current-layer="layer1"
-     showgrid="false"
-     inkscape:window-width="1945"
-     inkscape:window-height="1134"
-     inkscape:window-x="192"
-     inkscape:window-y="23"
-     inkscape:window-maximized="0"
-     showguides="false" />
-  <metadata
-     id="metadata7">
-    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title></dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <g
-     inkscape:label="Layer 1"
-     inkscape:groupmode="layer"
-     id="layer1">
-    <path
-       style="fill:none;fill-rule:evenodd;stroke:#898989;stroke-width:0.265;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-miterlimit:4;stroke-dasharray:0.795, 0.26500000000000001;stroke-dashoffset:0"
-       d="m 114.12409,15.832457 c 0,35.279576 0,35.413212 0,35.413212 l -88.86712,0 0.258318,-0.149141 0,34.09237 1.879839,0 134.302933,0 0,-2.004521 0,-67.61919 z"
-       id="path4583"
-       inkscape:connector-curvature="0" />
-    <rect
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-       id="rect3336"
-       width="34.210503"
-       height="24.321527"
-       x="30.335091"
-       y="22.113289" />
-    <text
-       xml:space="preserve"
-       style="font-style:normal;font-weight:normal;font-size:6.3499999px;line-height:125%;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-       x="37.01683"
-       y="27.725952"
-       id="text4143"
-       sodipodi:linespacing="125%"><tspan
-         sodipodi:role="line"
-         id="tspan4145"
-         x="37.01683"
-         y="27.725952"
-         style="stroke-width:0.26458332px">Beat</tspan><tspan
-         sodipodi:role="line"
-         x="37.01683"
-         y="35.663452"
-         style="stroke-width:0.26458332px"
-         id="tspan4149">custom </tspan><tspan
-         sodipodi:role="line"
-         x="37.01683"
-         y="43.600952"
-         style="stroke-width:0.26458332px"
-         id="tspan4147">logic</tspan></text>
-    <rect
-       y="23.182367"
-       x="120.13765"
-       height="24.321527"
-       width="34.210503"
-       id="rect4151"
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" />
-    <text
-       xml:space="preserve"
-       style="font-style:normal;font-weight:normal;font-size:6.3499999px;line-height:125%;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-       x="123.61214"
-       y="37.481293"
-       id="text4153"
-       sodipodi:linespacing="125%"><tspan
-         sodipodi:role="line"
-         id="tspan4155"
-         x="123.61214"
-         y="37.481293"
-         style="stroke-width:0.26458332px">Publisher</tspan></text>
-    <path
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.265;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;stroke-miterlimit:4;stroke-dasharray:none;marker-end:url(#Arrow1Lend)"
-       d="m 66.817382,34.808593 c 49.311228,0.133634 49.311228,0.133634 49.311228,0.133634"
-       id="path4159"
-       inkscape:connector-curvature="0" />
-    <text
-       xml:space="preserve"
-       style="font-style:normal;font-weight:normal;font-size:6.3499999px;line-height:125%;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-       x="77.374535"
-       y="33.472244"
-       id="text4503"
-       sodipodi:linespacing="125%"><tspan
-         sodipodi:role="line"
-         id="tspan4505"
-         x="77.374535"
-         y="33.472244"
-         style="font-size:4.23333311px;stroke-width:0.26458332px">events channel</tspan></text>
-    <g
-       id="g4567"
-       transform="translate(0,0.13363647)">
-      <rect
-         y="55.655613"
-         x="30.602362"
-         height="20.980656"
-         width="27.395126"
-         id="rect4507"
-         style="fill:none;stroke:#000000;stroke-width:0.26499999;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-      <text
-         sodipodi:linespacing="125%"
-         id="text4509"
-         y="67.23735"
-         x="31.745653"
-         style="font-style:normal;font-weight:normal;font-size:6.3499999px;line-height:125%;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-         xml:space="preserve"><tspan
-           style="font-size:4.23333311px;stroke-width:0.26458332px"
-           y="67.23735"
-           x="31.745653"
-           id="tspan4511"
-           sodipodi:role="line">Configuration</tspan></text>
-    </g>
-    <g
-       id="g4572"
-       transform="translate(4.6326791,-0.13363647)">
-      <rect
-         style="fill:none;stroke:#000000;stroke-width:0.26499999;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-         id="rect4513"
-         width="27.395126"
-         height="20.980656"
-         x="63.20924"
-         y="55.922886" />
-      <text
-         xml:space="preserve"
-         style="font-style:normal;font-weight:normal;font-size:6.3499999px;line-height:125%;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-         x="69.34964"
-         y="67.46328"
-         id="text4515"
-         sodipodi:linespacing="125%"><tspan
-           id="tspan4538"
-           sodipodi:role="line"
-           x="69.34964"
-           y="67.46328"
-           style="font-size:4.23333311px;stroke-width:0.26458332px">Logging</tspan></text>
-    </g>
-    <g
-       id="g4577"
-       transform="translate(8.062633,-0.13363266)">
-      <rect
-         y="55.922882"
-         x="97.018837"
-         height="20.980656"
-         width="27.395126"
-         id="rect4548"
-         style="fill:none;stroke:#000000;stroke-width:0.26499999;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-      <text
-         sodipodi:linespacing="125%"
-         id="text4550"
-         y="65.243256"
-         x="101.41464"
-         style="font-style:normal;font-weight:normal;font-size:6.3499999px;line-height:125%;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-         xml:space="preserve"><tspan
-           style="font-size:4.23333311px;stroke-width:0.26458332px"
-           y="65.243256"
-           x="101.41464"
-           sodipodi:role="line"
-           id="tspan4552">Daemon /</tspan><tspan
-           id="tspan4556"
-           style="font-size:4.23333311px;stroke-width:0.26458332px"
-           y="70.53492"
-           x="101.41464"
-           sodipodi:role="line">service</tspan></text>
-    </g>
-    <g
-       id="g4562"
-       transform="translate(11.893494)">
-      <circle
-         r="0.8018086"
-         cy="65.745041"
-         cx="131.22934"
-         id="path4554"
-         style="fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.26499999;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-      <circle
-         style="fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.26499999;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-         id="circle4558"
-         cx="134.16931"
-         cy="65.745041"
-         r="0.8018086" />
-      <circle
-         r="0.8018086"
-         cy="65.745041"
-         cx="137.10928"
-         id="circle4560"
-         style="fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.26499999;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-    </g>
-    <text
-       xml:space="preserve"
-       style="font-style:normal;font-weight:normal;font-size:6.3499999px;line-height:125%;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#4f4f4f;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
-       x="139.38107"
-       y="83.050743"
-       id="text4585"
-       sodipodi:linespacing="125%"><tspan
-         sodipodi:role="line"
-         id="tspan4587"
-         x="139.38107"
-         y="83.050743"
-         style="stroke-width:0.26458332px;fill:#4f4f4f;fill-opacity:1;">libbeat</tspan></text>
-  </g>
-</svg>
diff --git a/libbeat/docs/images/configuration-blocks.png b/libbeat/docs/images/configuration-blocks.png
deleted file mode 100644
index 20fef6b173d7..000000000000
Binary files a/libbeat/docs/images/configuration-blocks.png and /dev/null differ
diff --git a/libbeat/docs/images/enrolled-beats-apache.png b/libbeat/docs/images/enrolled-beats-apache.png
deleted file mode 100644
index d540758cd83a..000000000000
Binary files a/libbeat/docs/images/enrolled-beats-apache.png and /dev/null differ
diff --git a/libbeat/docs/images/enrolled-beats-dev-prod.png b/libbeat/docs/images/enrolled-beats-dev-prod.png
deleted file mode 100644
index ac5b28c64c20..000000000000
Binary files a/libbeat/docs/images/enrolled-beats-dev-prod.png and /dev/null differ
diff --git a/libbeat/docs/images/enrolled-beats.png b/libbeat/docs/images/enrolled-beats.png
deleted file mode 100644
index 2a4ca97eea32..000000000000
Binary files a/libbeat/docs/images/enrolled-beats.png and /dev/null differ
diff --git a/libbeat/docs/images/option_ignore_outgoing.png b/libbeat/docs/images/option_ignore_outgoing.png
deleted file mode 100644
index 43813abb6645..000000000000
Binary files a/libbeat/docs/images/option_ignore_outgoing.png and /dev/null differ
diff --git a/libbeat/docs/index.asciidoc b/libbeat/docs/index.asciidoc
deleted file mode 100644
index 10bf384c7d2a..000000000000
--- a/libbeat/docs/index.asciidoc
+++ /dev/null
@@ -1,38 +0,0 @@
-= Beats Platform Reference
-
-:libbeat-dir: {docdir}/../../libbeat/docs
-
-include::./version.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/versions/stack/{source_branch}.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
-
-:beatname_lc: beatname
-:beatname_uc: a Beat
-:beatname_pkg: {beatname_lc}
-:github_repo_name: beats
-:discuss_forum: beats/{beatname_lc}
-:beat_default_index_prefix: {beatname_lc}
-:has_ml_jobs:
-:no_keystore:
-
-include::{libbeat-dir}/shared-beats-attributes.asciidoc[]
-
-include::./overview.asciidoc[]
-
-include::./release-notes/redirects.asciidoc[]
-
-include::./communitybeats.asciidoc[]
-
-include::./getting-started.asciidoc[]
-
-include::./config-file-format.asciidoc[]
-
-include::./upgrading.asciidoc[]
-
-include::./release.asciidoc[]
-
-include::./release-notes/breaking/breaking.asciidoc[]
-
-include::{libbeat-dir}/contributing-to-beats.asciidoc[]
diff --git a/libbeat/docs/keystore.asciidoc b/libbeat/docs/keystore.asciidoc
deleted file mode 100644
index 24494939764a..000000000000
--- a/libbeat/docs/keystore.asciidoc
+++ /dev/null
@@ -1,123 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/keystore.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-[[keystore]]
-=== Secrets keystore for secure settings
-
-++++
-<titleabbrev>Secrets keystore</titleabbrev>
-++++
-
-When you configure {beatname_uc}, you might need to specify sensitive settings,
-such as passwords. Rather than relying on file system permissions to protect
-these values, you can use the {beatname_uc} keystore to obfuscate stored secret
-values for use in configuration settings.
-
-After adding a key and its secret value to the keystore, you can use the key in
-place of the secret value when you configure sensitive settings.
-
-The syntax for referencing keys is identical to the syntax for environment
-variables:
-
-`${KEY}`
-
-Where KEY is the name of the key.
-
-For example, imagine that the keystore contains a key called `ES_PWD` with the
-value `yourelasticsearchpassword`:
-
-* In the configuration file, use `output.elasticsearch.password: "${ES_PWD}"`
-* On the command line, use: `-E "output.elasticsearch.password=\${ES_PWD}"`
-
-When {beatname_uc} unpacks the configuration, it resolves keys before resolving
-environment variables and other variables.
-
-Notice that the {beatname_uc} keystore differs from the Elasticsearch keystore.
-Whereas the Elasticsearch keystore lets you store `elasticsearch.yml` values by
-name, the {beatname_uc} keystore lets you specify arbitrary names that you can
-reference in the {beatname_uc} configuration.
-
-To create and manage keys, use the `keystore` command. See the
-<<keystore-command,command reference>> for the full command syntax, including
-optional flags.
-
-NOTE: The `keystore` command must be run by the same user who will run
-{beatname_uc}.
-
-[float]
-[[creating-keystore]]
-=== Create a keystore
-
-To create a secrets keystore, use:
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------
-{beatname_lc} keystore create
-----------------------------------------------------------------
-
-
-{beatname_uc} creates the keystore in the directory defined by the `path.data`
-configuration setting.
-
-[float]
-[[add-keys-to-keystore]]
-=== Add keys
-
-To store sensitive values, such as authentication credentials for Elasticsearch,
-use the `keystore add` command:
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------
-{beatname_lc} keystore add ES_PWD
-----------------------------------------------------------------
-
-
-When prompted, enter a value for the key.
-
-To overwrite an existing key's value, use the `--force` flag:
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------
-{beatname_lc} keystore add ES_PWD --force
-----------------------------------------------------------------
-
-To pass the value through stdin, use the `--stdin` flag. You can also use
-`--force`:
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------
-cat /file/containing/setting/value | {beatname_lc} keystore add ES_PWD --stdin --force
-----------------------------------------------------------------
-
-
-[float]
-[[list-settings]]
-=== List keys
-
-To list the keys defined in the keystore, use:
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------
-{beatname_lc} keystore list
-----------------------------------------------------------------
-
-
-[float]
-[[remove-settings]]
-=== Remove keys
-
-To remove a key from the keystore, use:
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------
-{beatname_lc} keystore remove ES_PWD
-----------------------------------------------------------------
-
diff --git a/libbeat/docs/loggingconfig.asciidoc b/libbeat/docs/loggingconfig.asciidoc
deleted file mode 100644
index dd3a70811713..000000000000
--- a/libbeat/docs/loggingconfig.asciidoc
+++ /dev/null
@@ -1,371 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/loggingconfig.asciidoc[]
-//// Make sure this content appears below a level 2 heading.
-//////////////////////////////////////////////////////////////////////////
-
-[[configuration-logging]]
-== Configure logging
-
-++++
-<titleabbrev>Logging</titleabbrev>
-++++
-
-The `logging` section of the +{beatname_lc}.yml+ config file contains options
-for configuring the logging output.
-ifndef::serverless[]
-The logging system can write logs to the syslog or rotate log files. If logging
-is not explicitly configured the file output is used.
-
-ifndef::win_only[]
-["source","yaml",subs="attributes"]
-----
-logging.level: info
-logging.to_files: true
-logging.files:
-  path: /var/log/{beatname_lc}
-  name: {beatname_lc}
-  keepfiles: 7
-  permissions: 0640
-----
-endif::win_only[]
-
-ifdef::win_only[]
-["source","yaml",subs="attributes"]
-----
-logging.level: info
-logging.to_files: true
-logging.files:
-  path: C:{backslash}ProgramData{backslash}{beatname_lc}{backslash}Logs
-  name: {beatname_lc}
-  keepfiles: 7
-  permissions: 0640
-----
-endif::win_only[]
-
-TIP: In addition to setting logging options in the config file, you can modify
-the logging output configuration from the command line. See
-<<command-line-options>>.
-
-ifndef::win_only[]
-WARNING: When {beatname_uc} is running on a Linux system with systemd, it uses
-by default the `-e` command line option, that makes it write all the logging output
-to stderr so it can be captured by journald. Other outputs are disabled. See
-<<running-with-systemd>> to know more and learn how to change this.
-endif::win_only[]
-endif::serverless[]
-
-ifdef::serverless[]
-For example, the following options configure {beatname_uc} to log all the debug
-messages related to event publishing:
-
-["source","yaml",subs="attributes"]
-----
-logging.level: debug
-logging.selectors: ["publisher"]
-----
-
-The logs generated by {beatname_uc} are written to the CloudWatch log group for
-the function running on Amazon Web Services (AWS). To view the logs, go to the
-the monitoring area of the AWS Lambda console and view the CloudWatch log group
-for the function.
-
-// TODO: When we add support for other cloud providers, we will need to modify
-// this statement and possibly have a different attribute for each provider to
-// show the correct text.
-endif::serverless[]
-
-[float]
-=== Configuration options
-
-You can specify the following options in the `logging` section of the
-+{beatname_lc}.yml+ config file:
-
-ifndef::serverless[]
-[float]
-==== `logging.to_stderr`
-
-When true, writes all logging output to standard error output. This is
-equivalent to using the `-e` command line option.
-
-[float]
-==== `logging.to_syslog`
-
-When true, writes all logging output to the syslog.
-
-NOTE: This option is not supported on Windows.
-
-[float]
-==== `logging.to_eventlog`
-
-When true, writes all logging output to the Windows Event Log.
-
-[float]
-==== `logging.to_files`
-
-When true, writes all logging output to files. The log files are automatically
-rotated when the log file size limit is reached.
-
-NOTE: {beatname_uc} only creates a log file if there is logging output. For
-example, if you set the log <<level,`level`>> to `error` and there are no
-errors, there will be no log file in the directory specified for logs.
-endif::serverless[]
-
-[float]
-[[level]]
-==== `logging.level`
-
-Minimum log level. One of `debug`, `info`, `warning`, or `error`. The default
-log level is `info`.
-
-`debug`:: Logs debug messages, including a detailed printout of all events
-flushed. Also logs informational messages, warnings, errors, and
-critical errors. When the log level is `debug`, you can specify a list of
-<<selectors,`selectors`>> to display debug messages for specific components. If
-no selectors are specified, the `*` selector is used to display debug messages
-for all components.
-
-`info`:: Logs informational messages, including the number of events that are
-published. Also logs any warnings, errors, or critical errors.
-
-`warning`:: Logs warnings, errors, and critical errors.
-
-`error`:: Logs errors and critical errors.
-
-[float]
-[[selectors]]
-==== `logging.selectors`
-
-The list of debugging-only selector tags used by different {beatname_uc} components.
-Use `*` to enable debug output for all components. Use `publisher` to display
-debug messages related to event publishing.
-
-[TIP]
-=====
-The list of available selectors may change between releases, so avoid creating
-tests that depend on specific selectors.
-
-To see which selectors are available, run {beatname_uc} in debug mode
-(set `logging.level: debug` in the configuration). The selector name appears
-after the log level and is enclosed in brackets.
-=====
-
-To configure multiple selectors, use the following {beats-ref}/config-file-format.html[YAML list syntax]:
-["source","yaml",subs="attributes"]
-----
-logging.selectors: [ harvester, input ]
-----
-
-ifndef::serverless[]
-To override selectors at the command line, use the `-d` global flag (`-d` also
-sets the debug log level). For more information, see <<command-line-options>>.
-endif::serverless[]
-
-[float]
-==== `logging.metrics.enabled`
-
-By default, {beatname_uc} periodically logs its internal metrics that have
-changed in the last period. For each metric that changed, the delta from the
-value at the beginning of the period is logged. Also, the total values for all
-non-zero internal metrics are logged on shutdown. Set this to false to disable
-this behavior. The default is true.
-
-Here is an example log line:
-
-[source,shell]
-----------------------------------------------------------------------------------------------------------------------------------------------------
-2017-12-17T19:17:42.667-0500    INFO    [metrics]       log/log.go:110  Non-zero metrics in the last 30s: beat.info.uptime.ms=30004 beat.memstats.gc_next=5046416
-----------------------------------------------------------------------------------------------------------------------------------------------------
-
-Note that we currently offer no backwards compatible guarantees for the internal
-metrics and for this reason they are also not documented.
-
-[float]
-==== `logging.metrics.period`
-
-The period after which to log the internal metrics. The default is 30s.
-
-[float]
-==== `logging.metrics.namespaces`
-
-A list of metrics namespaces to report in the logs. Defaults to `[stats]`.
-`stats` contains general Beat metrics. `dataset` and `inputs` may be present in
-some Beats and contains module or input metrics.
-
-ifndef::serverless[]
-[float]
-==== `logging.files.path`
-
-The directory that log files are written to. The default is the logs path. See
-the <<directory-layout>> section for details.
-
-[float]
-==== `logging.files.name`
-
-The name of the file that logs are written to. The default is '{beatname_lc}'.
-
-[float]
-==== `logging.files.rotateeverybytes`
-
-The maximum size of a log file. If the limit is reached, a new log file is
-generated. The default size limit is 10485760 (10 MB).
-
-[float]
-==== `logging.files.keepfiles`
-
-The number of most recent rotated log files to keep on disk. Older files are
-deleted during log rotation. The default value is 7. The `keepfiles` options has
-to be in the range of 2 to 1024 files.
-
-[float]
-==== `logging.files.permissions`
-
-The permissions mask to apply when rotating log files. The default value is
-0600. The `permissions` option must be a valid Unix-style file permissions mask
-expressed in octal notation. In Go, numbers in octal notation must start with
-'0'.
-
-The most permissive mask allowed is 0640. If a higher permissions mask is
-specified via this setting, it will be subject to an umask of 0027.
-
-This option is not supported on Windows.
-
-Examples:
-
-* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
-* 0600: give read and write access to the file owner, and no access to all others.
-
-[float]
-==== `logging.files.interval`
-
-Enable log file rotation on time intervals in addition to size-based rotation.
-Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
-are boundary-aligned with minutes, hours, days, weeks, months, and years as
-reported by the local system clock. All other intervals are calculated from the
-unix epoch. Defaults to disabled.
-endif::serverless[]
-
-[float]
-==== `logging.files.rotateonstartup`
-
-If the log file already exists on startup, immediately rotate it and start
-writing to a new file instead of appending to the existing one. Defaults to
-true.
-
-ifndef::serverless[]
-[float]
-==== `logging.files.redirect_stderr` experimental[]
-
-When true, diagnostic messages printed to {beatname_uc}'s standard error output
-will also be logged to the log file. This can be helpful in situations were
-{beatname_uc} terminates unexpectedly because an error has been detected by
-Go's runtime but diagnostic information is not present in the log file.
-This feature is only available when logging to files (`logging.to_files` is true).
-Disabled by default.
-endif::serverless[]
-
-[float]
-=== Logging format
-
-The logging format is generally the same for each logging output. The one
-exception is with the syslog output where the timestamp is not included in the
-message because syslog adds its own timestamp.
-
-Each log message consists of the following parts:
-
-* Timestamp in ISO8601 format
-* Level
-* Logger name contained in brackets (Optional)
-* File name and line number of the caller
-* Message
-* Structured data encoded in JSON (Optional)
-
-Below are some samples:
-
-`2017-12-17T18:54:16.241-0500	INFO	logp/core_test.go:13	unnamed global logger`
-
-`2017-12-17T18:54:16.242-0500	INFO	[example]	logp/core_test.go:16	some message`
-
-`2017-12-17T18:54:16.242-0500	INFO	[example]	logp/core_test.go:19	some message	{"x": 1}`
-
-ifndef::serverless[]
-[float]
-=== Configuration options for event_data logger
-
-Some outputs will log raw events on errors like indexing errors in the
-Elasticsearch output, to prevent logging raw events (that may contain
-sensitive information) together with other log messages, a different
-log file, only for log entries containing raw events, is used. It will
-use the same level, selectors and all other configurations from the
-default logger, but it will have it's own file configuration.
-
-Having a different log file for raw events also prevents event data
-from drowning out the regular log files.
-
-IMPORTANT: No matter the default logger output configuration, raw events
-will **always** be logged to a file configured by `logging.event_data.files`.
-
-[float]
-==== `logging.event_data.files.path`
-
-The directory that log files are written to. The default is the logs path. See
-the <<directory-layout>> section for details.
-
-[float]
-==== `logging.event_data.files.name`
-
-The name of the file that logs are written to. The default is '{beatname_lc}'-events-data.
-
-[float]
-==== `logging.event_data.files.rotateeverybytes`
-
-The maximum size of a log file. If the limit is reached, a new log file is
-generated. The default size limit is 5242880 (5 MB).
-
-[float]
-==== `logging.event_data.files.keepfiles`
-
-The number of most recent rotated log files to keep on disk. Older files are
-deleted during log rotation. The default value is 2. The `keepfiles` options has
-to be in the range of 2 to 1024 files.
-
-[float]
-==== `logging.event_data.files.permissions`
-
-The permissions mask to apply when rotating log files. The default value is
-0600. The `permissions` option must be a valid Unix-style file permissions mask
-expressed in octal notation. In Go, numbers in octal notation must start with
-'0'.
-
-The most permissive mask allowed is 0640. If a higher permissions mask is
-specified via this setting, it will be subject to an umask of 0027.
-
-This option is not supported on Windows.
-
-Examples:
-
-* 0640: give read and write access to the file owner, and read access to members of the group associated with the file.
-* 0600: give read and write access to the file owner, and no access to all others.
-
-[float]
-==== `logging.event_data.files.interval`
-
-Enable log file rotation on time intervals in addition to size-based rotation.
-Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
-are boundary-aligned with minutes, hours, days, weeks, months, and years as
-reported by the local system clock. All other intervals are calculated from the
-unix epoch. Defaults to disabled.
-
-[float]
-==== `logging.event_data.files.rotateonstartup`
-
-If the log file already exists on startup, immediately rotate it and start
-writing to a new file instead of appending to the existing one. Defaults to
-false.
-endif::serverless[]
diff --git a/libbeat/docs/metrics-in-logs.asciidoc b/libbeat/docs/metrics-in-logs.asciidoc
deleted file mode 100644
index f6168ad462fc..000000000000
--- a/libbeat/docs/metrics-in-logs.asciidoc
+++ /dev/null
@@ -1,282 +0,0 @@
-
-
-Every 30 seconds (by default), {beatname_uc} collects a _snapshot_ of metrics about itself. From this snapshot, {beatname_uc} computes a _delta snapshot_; this delta snapshot contains any metrics that have _changed_ since the last snapshot. Note that the values of the metrics are the values when the snapshot is taken, _NOT_ the _difference_ in values from the last snapshot.
-
-If this delta snapshot contains _any_ metrics (indicating at least one metric that has changed since the last snapshot), this delta snapshot is serialized as JSON and emitted in {beatname_uc}'s logs at the `INFO` log level. Most snapshot fields report the change in the metric since the last snapshot, however some fields are _gauges_, which always report the current value. Here is an example of such a log entry:
-
-[source,json]
-----
-{"log.level":"info","@timestamp":"2023-07-14T12:50:36.811Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":0}}}},"cpu":{"system":{"ticks":692690,"time":{"ms":60}},"total":{"ticks":3167250,"time":{"ms":150},"value":3167250},"user":{"ticks":2474560,"time":{"ms":90}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":32},"info":{"ephemeral_id":"2bab8688-34c0-4522-80af-db86948d547d","uptime":{"ms":617670096},"version":"8.6.2"},"memstats":{"gc_next":57189272,"memory_alloc":43589824,"memory_total":275281335792,"rss":183574528},"runtime":{"goroutines":212}},"filebeat":{"events":{"active":5,"added":52,"done":49},"harvester":{"open_files":6,"running":6,"started":1}},"libbeat":{"config":{"module":{"running":15}},"output":{"events":{"acked":48,"active":0,"batches":6,"total":48},"read":{"bytes":210},"write":{"bytes":26923}},"pipeline":{"clients":15,"events":{"active":5,"filtered":1,"published":51,"total":52},"queue":{"max_events":3500,"filled":{"events":5,"bytes":6425,"pct":0.0014},"added":{"events":52,"bytes":65702},"consumed":{"events":52,"bytes":65702},"removed":{"events":48,"bytes":59277},"acked":48}}},"registrar":{"states":{"current":14,"update":49},"writes":{"success":6,"total":6}},"system":{"load":{"1":0.91,"15":0.37,"5":0.4,"norm":{"1":0.1138,"15":0.0463,"5":0.05}}}},"ecs.version":"1.6.0"}}
-----
-
-[discrete]
-== Details
-
-Focussing on the `.monitoring.metrics` field, and formatting the JSON, it's value is:
-
-[source,json]
-----
-{
-  "beat": {
-    "cgroup": {
-      "memory": {
-        "mem": {
-          "usage": {
-            "bytes": 0
-          }
-        }
-      }
-    },
-    "cpu": {
-      "system": {
-        "ticks": 692690,
-        "time": {
-          "ms": 60
-        }
-      },
-      "total": {
-        "ticks": 3167250,
-        "time": {
-          "ms": 150
-        },
-        "value": 3167250
-      },
-      "user": {
-        "ticks": 2474560,
-        "time": {
-          "ms": 90
-        }
-      }
-    },
-    "handles": {
-      "limit": {
-        "hard": 1048576,
-        "soft": 1048576
-      },
-      "open": 32
-    },
-    "info": {
-      "ephemeral_id": "2bab8688-34c0-4522-80af-db86948d547d",
-      "uptime": {
-        "ms": 617670096
-      },
-      "version": "8.6.2"
-    },
-    "memstats": {
-      "gc_next": 57189272,
-      "memory_alloc": 43589824,
-      "memory_total": 275281335792,
-      "rss": 183574528
-    },
-    "runtime": {
-      "goroutines": 212
-    }
-  },
-  "filebeat": {
-    "events": {
-      "active": 5,
-      "added": 52,
-      "done": 49
-    },
-    "harvester": {
-      "open_files": 6,
-      "running": 6,
-      "started": 1
-    }
-  },
-  "libbeat": {
-    "config": {
-      "module": {
-        "running": 15
-      }
-    },
-    "output": {
-      "events": {
-        "acked": 48,
-        "active": 0,
-        "batches": 6,
-        "total": 48
-      },
-      "read": {
-        "bytes": 210
-      },
-      "write": {
-        "bytes": 26923
-      }
-    },
-    "pipeline": {
-      "clients": 15,
-      "events": {
-        "active": 5,
-        "filtered": 1,
-        "published": 51,
-        "total": 52
-      },
-      "queue": {
-        "max_events": 3500,
-        "filled": {
-          "events": 5,
-          "bytes": 6425,
-          "pct": 0.0014
-        },
-        "added": {
-          "events": 52,
-          "bytes": 65702
-        },
-        "consumed": {
-          "events": 52,
-          "bytes": 65702
-        },
-        "removed": {
-          "events": 48,
-          "bytes": 59277
-        },
-        "acked": 48
-      }
-    }
-  },
-  "registrar": {
-    "states": {
-      "current": 14,
-      "update": 49
-    },
-    "writes": {
-      "success": 6,
-      "total": 6
-    }
-  },
-  "system": {
-    "load": {
-      "1": 0.91,
-      "15": 0.37,
-      "5": 0.4,
-      "norm": {
-        "1": 0.1138,
-        "15": 0.0463,
-        "5": 0.05
-      }
-    }
-  }
-}
-----
-
-The following tables explain the meaning of the most important fields under `.monitoring.metrics` and also provide hints that might be helpful in troubleshooting {beatname_uc} issues.
-
-[cols="1,1,2,2"]
-|===
-| Field path (relative to `.monitoring.metrics`) | Type    | Meaning                              | Troubleshooting hints
-
-| `.beat`                | Object | Information that is common to all Beats, e.g. version, goroutines, file handles, CPU, memory |
-| `.libbeat`             | Object | Information about the publisher pipeline and output, also common to all Beats |
-ifeval::["{beatname_lc}"=="filebeat"]
-| `.filebeat`            | Object | Information specific to {filebeat}, e.g. harvester, events |
-endif::[]
-|===
-
-[cols="1,1,2,2"]
-|===
-| Field path (relative to `.monitoring.metrics.beat`) | Type    | Meaning                              | Troubleshooting hints
-
-| `.runtime.goroutines` | Integer | Number of goroutines running | If this number grows over time, it indicates a goroutine leak
-|===
-
-[cols="1,1,2,2"]
-|===
-| Field path (relative to `.monitoring.metrics.libbeat`) | Type    | Meaning                              | Troubleshooting hints
-
-| `.pipeline.events.active` | Integer | Number of events currently in the libbeat publisher pipeline. | If this number grows over time, it may indicate that {beatname_uc} is producing events faster than the output can consume them. Consider increasing the number of output workers (if this setting is supported by the output; {es} and {ls} outputs support this setting). The pipeline includes events currently being processed as well as events in the queue. So this metric can sometimes end up slightly higher than the queue size. If this metric reaches the maximum queue size (`queue.mem.events` for the in-memory queue), it almost certainly indicates backpressure on {beatname_uc}, implying that {beatname_uc} may need to temporarily stop ingesting more events from the source until this backpressure is relieved.
-| `.output.events.total` | Integer | Number of events currently being processed by the output. | If this number grows over time, it may indicate that the output destination (e.g. {ls} pipeline or {es} cluster) is not able to accept events at the same or faster rate than what {beatname_uc} is sending to it.
-| `.output.events.acked` | Integer | Number of events acknowledged by the output destination. | Generally, we want this number to be the same as `.output.events.total` as this indicates that the output destination has reliably received all the events sent to it.
-| `.output.events.failed` | Integer | Number of events that {beatname_uc} tried to send to the output destination, but the destination failed to receive them. | Generally, we want this field to be absent or its value to be zero. When the value is greater than zero, it's useful to check {beatname_uc}'s logs right before this log entry's `@timestamp` to see if there are any connectivity issues with the output destination. Note that failed events are not lost or dropped; they will be sent back to the publisher pipeline for retrying later.
-| `.output.events.dropped` | Integer | Number of events that {beatname_uc} gave up sending to the output destination because of a permanent (non-retryable) error. |
-| `.output.events.dead_letter` | Integer | Number of events that {beatname_uc} successfully sent to a configured dead letter index after they failed to ingest in the primary index. |
-| `.output.write.latency` | Object | Reports statistics on the time to send an event to the connected output, in milliseconds. This can be used to diagnose delays and performance issues caused by I/O or output configuration. This metric is available for the Elasticsearch, file, redis, and logstash outputs. |
-|===
-
-[cols="1,1,2,2"]
-|===
-| Field path (relative to `.monitoring.metrics.libbeat.pipeline`) | Type    | Meaning                              | Troubleshooting hints
-
-| `.queue.max_events` | Integer (gauge) | The queue's maximum event count if it has one, otherwise zero. |
-| `.queue.max_bytes` | Integer (gauge) | The queue's maximum byte count if it has one, otherwise zero. |
-| `.queue.filled.events` | Integer (gauge) | Number of events currently stored by the queue. |
-| `.queue.filled.bytes` | Integer (gauge) | Number of bytes currently stored by the queue. |
-| `.queue.filled.pct` | Float (gauge) | How full the queue is relative to its maximum size, as a fraction from 0 to 1. | Low throughput while `queue.filled.pct` is low means congestion in the input. Low throughput while `queue.filled.pct` is high means congestion in the output.
-| `.queue.added.events` | Integer | Number of events added to the queue by input workers. |
-| `.queue.added.bytes` | Integer | Number of bytes added to the queue by input workers. |
-| `.queue.consumed.events` | Integer | Number of events sent to output workers. |
-| `.queue.consumed.bytes` | Integer | Number of bytes sent to output workers. |
-| `.queue.removed.events` | Integer | Number of events removed from the queue after being processed by output workers. |
-| `.queue.removed.bytes` | Integer | Number of bytes removed from the queue after being processed by output workers. |
-|===
-
-When using the memory queue, byte metrics are only set if the output supports them. Currently only the Elasticsearch output supports byte metrics.
-
-ifeval::["{beatname_lc}"=="filebeat"]
-[cols="1,1,2,2"]
-|===
-| Field path (relative to `.monitoring.metrics.filebeat`) | Type    | Meaning                              | Troubleshooting hints
-
-| `.events.active` | Integer | Number of events being actively processed by {filebeat} (including events {filebeat} has already sent to the libbeat publisher pipeline, but not including events the pipeline has sent to the output). | If this number grows over time, it may indicate that {filebeat} inputs are harvesting events too fast for the pipeline and output to keep up.
-|===
-endif::[]
-
-[discrete]
-== Useful commands
-
-[discrete]
-=== Parse monitoring metrics from unstructured {beatname_uc} logs
-
-For {beatname_uc} versions that emit unstructured logs, the following script can be
-used to parse monitoring metrics from such logs: https://github.com/elastic/beats/blob/main/script/metrics_from_log_file.sh.
-
-
-ifeval::["{beatname_lc}"=="filebeat"]
-[discrete]
-=== Check if {filebeat} is processing events
-
-[source]
-----
-$ cat beat.log | jq -r '[.["@timestamp"],.monitoring.metrics.filebeat.events.active,.monitoring.metrics.libbeat.pipeline.events.active,.monitoring.metrics.libbeat.output.events.total,.monitoring.metrics.libbeat.output.events.acked,.monitoring.metrics.libbeat.output.events.failed//0] | @tsv' | sort
-----
-
-Example output:
-
-[source]
-----
-2023-07-14T11:24:36.811Z	1	1	38033	38033	0
-2023-07-14T11:25:06.811Z	1	1	17	17	0
-2023-07-14T11:25:36.812Z	1	1	16	16	0
-2023-07-14T11:26:06.811Z	1	1	17	17	0
-2023-07-14T11:26:36.811Z	2	2	21	21	0
-2023-07-14T11:27:06.812Z	1	1	18	18	0
-2023-07-14T11:27:36.811Z	1	1	17	17	0
-2023-07-14T11:28:06.811Z	1	1	18	18	0
-2023-07-14T11:28:36.811Z	1	1	16	16	0
-2023-07-14T11:37:06.811Z	1	1	270	270	0
-2023-07-14T11:37:36.811Z	1	1	16	16	0
-2023-07-14T11:38:06.811Z	1	1	17	17	0
-2023-07-14T11:38:36.811Z	1	1	16	16	0
-2023-07-14T11:41:36.811Z	3	3	323	323	0
-2023-07-14T11:42:06.811Z	3	3	17	17	0
-2023-07-14T11:42:36.812Z	4	4	18	18	0
-2023-07-14T11:43:06.811Z	4	4	17	17	0
-2023-07-14T11:43:36.811Z	2	2	17	17	0
-2023-07-14T11:47:06.811Z	0	0	117	117	0
-2023-07-14T11:47:36.811Z	2	2	14	14	0
-2023-07-14T11:48:06.811Z	3	3	17	17	0
-2023-07-14T11:48:36.811Z	2	2	17	17	0
-2023-07-14T12:49:36.811Z	3	3	2008	1960	48
-2023-07-14T12:50:06.812Z	2	2	18	18	0
-2023-07-14T12:50:36.811Z	5	5	48	48	0
-----
-
-The columns here are:
-
-1. `.@timestamp`
-2. `.monitoring.metrics.filebeat.events.active`
-3. `.monitoring.metrics.libbeat.pipeline.events.active`
-4. `.monitoring.metrics.libbeat.output.events.total`
-5. `.monitoring.metrics.libbeat.output.events.acked`
-6. `.monitoring.metrics.libbeat.output.events.failed`
-endif::[]
diff --git a/libbeat/docs/monitoring/monitoring-beats.asciidoc b/libbeat/docs/monitoring/monitoring-beats.asciidoc
deleted file mode 100644
index 6f31c73aa2da..000000000000
--- a/libbeat/docs/monitoring/monitoring-beats.asciidoc
+++ /dev/null
@@ -1,42 +0,0 @@
-[role="xpack"]
-[[monitoring]]
-= Monitor {beatname_uc}
-
-[partintro]
---
-++++
-<titleabbrev>Monitor</titleabbrev>
-++++
-
-You can use the {stack} {monitor-features} to gain insight into the health of
-ifndef::apm-server[]
-{beatname_uc} instances running in your environment.
-endif::[]
-ifdef::apm-server[]
-{beatname_uc}.
-endif::[]
-
-To monitor {beatname_uc}, make sure monitoring is enabled on your {es} cluster,
-then configure the method used to collect {beatname_uc} metrics. You can use one
-of following methods:
-
-* <<monitoring-internal-collection,Internal collection>> - Internal
-collectors send monitoring data directly to your monitoring cluster.
-ifndef::serverless[]
-* <<monitoring-metricbeat-collection, {metricbeat} collection>> -
-{metricbeat} collects monitoring data from your {beatname_uc} instance
-and sends it directly to your monitoring cluster.
-endif::[]
-
-//Commenting out this link temporarily until the general monitoring docs can be
-//updated.
-//To learn about monitoring in general, see
-//{ref}/monitor-elasticsearch-cluster.html[Monitor a cluster].
-
---
-
-include::monitoring-internal-collection.asciidoc[]
-
-ifndef::serverless[]
-include::monitoring-metricbeat.asciidoc[]
-endif::[]
diff --git a/libbeat/docs/monitoring/monitoring-internal-collection.asciidoc b/libbeat/docs/monitoring/monitoring-internal-collection.asciidoc
deleted file mode 100644
index f626ed93a3cc..000000000000
--- a/libbeat/docs/monitoring/monitoring-internal-collection.asciidoc
+++ /dev/null
@@ -1,125 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/monitoring/monitoring-internal-collection.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-[role="xpack"]
-[[monitoring-internal-collection]]
-== Use internal collection to send monitoring data
-++++
-<titleabbrev>Use internal collection</titleabbrev>
-++++
-
-Use internal collectors to send {beats} monitoring data directly to your
-monitoring cluster.
-ifndef::serverless[]
-Or as an alternative to internal collection, use
-<<monitoring-metricbeat-collection>>. The benefit of using internal collection
-instead of {metricbeat} is that you have fewer pieces of software to install
-and maintain.
-endif::[]
-
-//Commenting out this link temporarily until the general monitoring docs can be
-//updated. 
-//To learn about monitoring in general, see 
-//{ref}/monitor-elasticsearch-cluster.html[Monitor a cluster]. 
-
-. Create an API key or user that has appropriate authority to send system-level monitoring
-data to {es}. For example, you can use the built-in +{beat_monitoring_user}+ user or
-assign the built-in +{beat_monitoring_user}+ role to another user. For more
-information on the required privileges, see <<privileges-to-publish-monitoring>>.
-For more information on how to use API keys, see <<beats-api-keys>>.
-
-. Add the `monitoring` settings in the {beatname_uc} configuration file. If you
-configured the {es} output and want to send {beatname_uc} monitoring events to
-the same {es} cluster, specify the following minimal configuration:
-+
-["source","yml",subs="attributes"]
---------------------
-monitoring:
-  enabled: true
-  elasticsearch:
-    api_key:  id:api_key <1>
-    username: {beat_monitoring_user}
-    password: somepassword
---------------------
-<1> Specify one of `api_key` or `username`/`password`.
-+
-If you want to send monitoring events to an https://cloud.elastic.co/[{ecloud}]
-monitoring cluster, you can use two simpler settings. When defined, these settings
-overwrite settings from other parts in the configuration. For example:
-+
-[source,yaml]
---------------------
-monitoring:
-  enabled: true
-  cloud.id: 'staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=='
-  cloud.auth: 'elastic:{pwd}'
---------------------
-+
-If you
-ifndef::no-output-logstash[]
-configured a different output, such as {ls} or you
-endif::[]
-want to send {beatname_uc} monitoring events to a separate {es} cluster
-(referred to as the _monitoring cluster_), you must specify additional
-configuration options. For example:
-+
-["source","yml",subs="attributes"]
---------------------
-monitoring:
-  enabled: true
-  cluster_uuid: PRODUCTION_ES_CLUSTER_UUID <1>
-  elasticsearch:
-    hosts: ["https://example.com:9200", "https://example2.com:9200"] <2>
-    api_key:  id:api_key <3>
-    username: {beat_monitoring_user}
-    password: somepassword
---------------------
-<1> This setting identifies the {es} cluster under which the
-monitoring data for this {beatname_uc} instance will appear in the
-Stack Monitoring UI. To get a cluster's `cluster_uuid`,
-call the `GET /` API against that production cluster.
-<2> This setting identifies the hosts and port numbers of {es} nodes
-that are part of the monitoring cluster.
-<3> Specify one of `api_key` or `username`/`password`.
-+
-If you want to use PKI authentication to send monitoring events to
-{es}, you must specify a different set of configuration options. For
-example:
-+
-[source,yaml]
---------------------
-monitoring:
-  enabled: true
-  cluster_uuid: PRODUCTION_ES_CLUSTER_UUID
-  elasticsearch:
-    hosts: ["https://example.com:9200", "https://example2.com:9200"]
-    username: ""
-    ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
-    ssl.certificate: "/etc/pki/client/cert.pem"
-    ssl.key: "/etc/pki/client/cert.key"
---------------------
-+
-You must specify the `username` as `""` explicitly so that
-the username from the client certificate (`CN`) is used. See
-<<configuration-ssl>> for more information about SSL settings.
-
-ifndef::serverless[]
-. Start {beatname_uc}.
-endif::[]
-
-ifdef::serverless[]
-. Deploy {beatname_uc}.
-endif::[]
-
-. {kibana-ref}/monitoring-data.html[View the monitoring data in {kib}]. 
-
-
-include::shared-monitor-config.asciidoc[]
diff --git a/libbeat/docs/monitoring/monitoring-metricbeat.asciidoc b/libbeat/docs/monitoring/monitoring-metricbeat.asciidoc
deleted file mode 100644
index 93a9cdf1eb1e..000000000000
--- a/libbeat/docs/monitoring/monitoring-metricbeat.asciidoc
+++ /dev/null
@@ -1,288 +0,0 @@
-[role="xpack"]
-[[monitoring-metricbeat-collection]]
-== Use {metricbeat} to send monitoring data
-[subs="attributes"]
-++++
-<titleabbrev>Use {metricbeat} collection</titleabbrev>
-++++
-
-In 7.3 and later, you can use {metricbeat} to collect data about {beatname_uc} 
-and ship it to the monitoring cluster. The benefit of using {metricbeat} instead
-of internal collection is that the monitoring agent remains active even if the
-{beatname_uc} instance dies.
-
-ifeval::["{beatname_lc}"=="metricbeat"]
-Because you'll be using {metricbeat} to _monitor_ {beatname_uc}, you'll need to
-run two instances of {beatname_uc}: a main instance that collects metrics from
-the system and services running on the server, and a second instance that
-collects metrics from {beatname_uc} only. Using a separate instance as a
-monitoring agent allows you to send monitoring data to a dedicated monitoring
-cluster. If the main agent goes down, the monitoring agent remains active.
-
-If you're running {beatname_uc} as a service, this approach requires extra work
-because you need to run two instances of the same installed  service
-concurrently. If you don't want to run two instances concurrently, use
-<<monitoring-internal-collection,internal collection>> instead of using
-{metricbeat}.
-endif::[]
-
-//Commenting out this link temporarily until the general monitoring docs can be
-//updated. 
-//To learn about monitoring in general, see 
-//{ref}/monitor-elasticsearch-cluster.html[Monitor a cluster].
-
-//NOTE: The tagged regions are re-used in the Stack Overview.
-
-To collect and ship monitoring data:
-
-. <<configure-shipper,Configure the shipper you want to monitor>>
-
-. <<configure-metricbeat,Install and configure {metricbeat} to collect monitoring data>>
-
-[float]
-[[configure-shipper]]
-=== Configure the shipper you want to monitor
-
-. Enable the HTTP endpoint to allow external collection of monitoring data:
-+
---
-// tag::enable-http-endpoint[]
-Add the following setting in the {beatname_uc} configuration file
-(+{beatname_lc}.yml+):
-
-[source,yaml]
-----------------------------------
-http.enabled: true
-----------------------------------
-
-By default, metrics are exposed on port 5066. If you need to monitor multiple
-{beats} shippers running on the same server, set `http.port` to expose metrics
-for each shipper on a different port number:
-
-[source,yaml]
-----------------------------------
-http.port: 5067
-----------------------------------
-// end::enable-http-endpoint[]
---
-
-. Disable the default collection of {beatname_uc} monitoring metrics. +
-+
---
-// tag::disable-beat-collection[]
-Add the following setting in the {beatname_uc} configuration file
-(+{beatname_lc}.yml+): 
-
-[source,yaml]
-----------------------------------
-monitoring.enabled: false
-----------------------------------
-// end::disable-beat-collection[]
-
-For more information, see 
-<<configuration-monitor,Monitoring configuration options>>.
---
-
-. Configure host (optional). +
-+
---
-// tag::set-http-host[]
-If you intend to get metrics using {metricbeat} installed on another server, you need to bind the {beatname_uc} to host's IP:
-
-[source,yaml]
-----------------------------------
-http.host: xxx.xxx.xxx.xxx
-----------------------------------
-// end::set-http-host[]
---
-
-. Configure cluster UUID. +
-+
---
-// tag::set-cluster-uuid[]
-The cluster UUID is necessary if you want to see {beats} monitoring in the {kib} stack monitoring view. The monitoring data will be grouped under the cluster for that UUID. To associate {beatname_uc} with the cluster UUID, set:
-
-[source,yaml]
-----------------------------------
-monitoring.cluster_uuid: "cluster-uuid"
-----------------------------------
-// end::set-cluster-uuid[]
---
-
-ifndef::serverless[]
-. Start {beatname_uc}.
-endif::[]
-
-[float]
-[[configure-metricbeat]]
-=== Install and configure {metricbeat} to collect monitoring data
-
-ifeval::["{beatname_lc}"!="metricbeat"]
-. Install {metricbeat} on the same server as {beatname_uc}. To learn how, see
-{metricbeat-ref}/metricbeat-installation-configuration.html[Get started with {metricbeat}].
-If you already have {metricbeat} installed on the server, skip this step.
-endif::[]
-ifeval::["{beatname_lc}"=="metricbeat"]
-. The next step depends on how you want to run {metricbeat}:
-* If you're running as a service and want to run a separate monitoring instance,
-take the the steps required for your environment to run two instances of
-{metricbeat} as a service. The steps for doing this vary by platform and are
-beyond the scope of this documentation.
-* If you're running the binary directly in the foreground and want to run a
-separate monitoring instance, install {metricbeat} to a different path. If
-necessary, set `path.config`, `path.data`, and `path.log` to point to the
-correct directories. See <<directory-layout>> for the default locations.
-endif::[]
-
-. Enable the `beat-xpack` module in {metricbeat}. +
-+
---
-// tag::enable-beat-module[]
-For example, to enable the default configuration in the `modules.d` directory, 
-run the following command, using the correct command syntax for your OS:
-
-["source","sh",subs="attributes,callouts"]
-----------------------------------------------------------------------
-metricbeat modules enable beat-xpack
-----------------------------------------------------------------------
-
-For more information, see 
-{metricbeat-ref}/configuration-metricbeat.html[Configure modules] and 
-{metricbeat-ref}/metricbeat-module-beat.html[beat module]. 
-// end::enable-beat-module[]
---
-
-. Configure the `beat-xpack` module in {metricbeat}. +
-+
---
-// tag::configure-beat-module[]
-The `modules.d/beat-xpack.yml` file contains the following settings:
-
-[source,yaml]
-----------------------------------
-- module: beat
-  metricsets:
-    - stats
-    - state
-  period: 10s
-  hosts: ["http://localhost:5066"]
-  #username: "user"
-  #password: "secret"
-  xpack.enabled: true
-----------------------------------
- 
-Set the `hosts`, `username`, and `password` settings as required by your
-environment. For other module settings, it's recommended that you accept the
-defaults.
-
-By default, the module collects {beatname_uc} monitoring data from
-`localhost:5066`. If you exposed the metrics on a different host or port when
-you enabled the HTTP endpoint, update the `hosts` setting.
-
-To monitor multiple 
-ifndef::apm-server[]
-{beats} agents,
-endif::[]
-ifdef::apm-server[]
-APM Server instances,
-endif::[]
-specify a list of hosts, for example:
-
-[source,yaml]
-----------------------------------
-hosts: ["http://localhost:5066","http://localhost:5067","http://localhost:5068"]
-----------------------------------
-
-If you configured {beatname_uc} to use encrypted communications, you must access
-it via HTTPS. For example, use a `hosts` setting like `https://localhost:5066`.
-// end::configure-beat-module[]
-
-// tag::remote-monitoring-user[]
-If the Elastic {security-features} are enabled, you must also provide a user 
-ID and password so that {metricbeat} can collect metrics successfully: 
-
-.. Create a user on the {es} cluster that has the 
-`remote_monitoring_collector` {ref}/built-in-roles.html[built-in role]. 
-Alternatively, if it's available in your environment, use the
-`remote_monitoring_user` {ref}/built-in-users.html[built-in user].
-
-.. Add the `username` and `password` settings to the beat module configuration 
-file.
-// end::remote-monitoring-user[]
---
-
-. Optional: Disable the system module in the {metricbeat}.
-+
---
-// tag::disable-system-module[]
-By default, the {metricbeat-ref}/metricbeat-module-system.html[system module] is
-enabled. The information it collects, however, is not shown on the
-*Stack Monitoring* page in {kib}. Unless you want to use that information for
-other purposes, run the following command:
-
-["source","sh",subs="attributes,callouts"]
-----------------------------------------------------------------------
-metricbeat modules disable system
-----------------------------------------------------------------------
-// end::disable-system-module[] 
---
-
-. Identify where to send the monitoring data. +
-+
---
-TIP: In production environments, we strongly recommend using a separate cluster 
-(referred to as the _monitoring cluster_) to store the data. Using a separate 
-monitoring cluster prevents production cluster outages from impacting your 
-ability to access your monitoring data. It also prevents monitoring activities 
-from impacting the performance of your production cluster.
-
-For example, specify the {es} output information in the {metricbeat} 
-configuration file (`metricbeat.yml`):
-
-[source,yaml]
-----------------------------------
-output.elasticsearch:
-  # Array of hosts to connect to.
-  hosts: ["http://es-mon-1:9200", "http://es-mon2:9200"] <1>
-  
-  # Optional protocol and basic auth credentials.
-  #protocol: "https"
-  #api_key:  "id:api_key" <2>
-  #username: "elastic"
-  #password: "changeme"
-----------------------------------
-<1> In this example, the data is stored on a monitoring cluster with nodes 
-`es-mon-1` and `es-mon-2`.
-<2> Specify one of `api_key` or `username`/`password`.
-
-If you configured the monitoring cluster to use encrypted communications, you
-must access it via HTTPS. For example, use a `hosts` setting like
-`https://es-mon-1:9200`.
-
-IMPORTANT: The {es} {monitor-features} use ingest pipelines. The cluster that
-stores the monitoring data must have at least one node with the `ingest` role.
-
-If the {es} {security-features} are enabled on the monitoring cluster, you 
-must provide a valid user ID and password so that {metricbeat} can send metrics 
-successfully: 
-
-.. Create a user on the monitoring cluster that has the 
-`remote_monitoring_agent` {ref}/built-in-roles.html[built-in role]. 
-Alternatively, if it's available in your environment, use the
-`remote_monitoring_user` {ref}/built-in-users.html[built-in user]. 
-+
-TIP: If you're using index lifecycle management, the remote monitoring user
-requires additional privileges to create and read indices. For more
-information, see <<feature-roles>>.
-
-.. Add the `username` and `password` settings to the {es} output information in 
-the {metricbeat} configuration file.
-
-For more information about these configuration options, see 
-{metricbeat-ref}/elasticsearch-output.html[Configure the {es} output].
---
-
-. {metricbeat-ref}/metricbeat-starting.html[Start {metricbeat}] to begin
-collecting monitoring data. 
-
-. {kibana-ref}/monitoring-data.html[View the monitoring data in {kib}]. 
diff --git a/libbeat/docs/monitoring/shared-monitor-config.asciidoc b/libbeat/docs/monitoring/shared-monitor-config.asciidoc
deleted file mode 100644
index e9116008e5f0..000000000000
--- a/libbeat/docs/monitoring/shared-monitor-config.asciidoc
+++ /dev/null
@@ -1,132 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/monitoring/shared-monitor-config.asciidoc[]
-//// Make sure this content appears below a level 2 heading.
-//////////////////////////////////////////////////////////////////////////
-
-[role="xpack"]
-[[configuration-monitor]]
-=== Settings for internal collection
-
-Use the following settings to configure internal collection when you are not
-using {metricbeat} to collect monitoring data.
-
-You specify these settings in the X-Pack monitoring section of the
-+{beatname_lc}.yml+ config file:
-
-==== `monitoring.enabled`
-
-The `monitoring.enabled` config is a boolean setting to enable or disable {monitoring}.
-If set to `true`, monitoring is enabled.
-
-The default value is `false`.
-
-==== `monitoring.elasticsearch`
-
-The {es} instances that you want to ship your {beatname_uc} metrics to. This
-configuration option contains the following fields:
-
-==== `monitoring.cluster_uuid`
-
-The `monitoring.cluster_uuid` config identifies the {es} cluster under which the monitoring data will appear in the Stack Monitoring UI. 
-
-===== `api_key`
-
-The detail of the API key to be used to send monitoring information to {es}.
-See <<beats-api-keys>> for more information.
-
-===== `bulk_max_size`
-
-The maximum number of metrics to bulk in a single {es} bulk API index request.
-The default is `50`. For more information, see <<elasticsearch-output>>.
-
-===== `backoff.init`
-
-The number of seconds to wait before trying to reconnect to Elasticsearch after
-a network error. After waiting `backoff.init` seconds, {beatname_uc} tries to
-reconnect. If the attempt fails, the backoff timer is increased exponentially up
-to `backoff.max`. After a successful connection, the backoff timer is reset. The
-default is 1s.
-
-===== `backoff.max`
-
-The maximum number of seconds to wait before attempting to connect to
-Elasticsearch after a network error. The default is 60s.
-
-===== `compression_level`
-
-The gzip compression level. Setting this value to `0` disables compression. The
-compression level must be in the range of `1` (best speed) to `9` (best
-compression). The default value is `0`. Increasing the compression level
-reduces the network usage but increases the CPU usage.
-
-===== `headers`
-
-Custom HTTP headers to add to each request. For more information, see
-<<elasticsearch-output>>.
-
-===== `hosts`
-
-The list of {es} nodes to connect to. Monitoring metrics are distributed to
-these nodes in round robin order. For more information, see
-<<elasticsearch-output>>.
-
-===== `max_retries`
-
-The number of times to retry sending the monitoring metrics after a failure.
-After the specified number of retries, the metrics are typically dropped. The
-default value is `3`. For more information, see <<elasticsearch-output>>.
-
-===== `parameters`
-
-Dictionary of HTTP parameters to pass within the url with index operations.
-
-===== `password`
-
-The password that {beatname_uc} uses to authenticate with the {es} instances for
-shipping monitoring data.
-
-===== `metrics.period`
-
-The time interval (in seconds) when metrics are sent to the {es} cluster. A new
-snapshot of {beatname_uc} metrics is generated and scheduled for publishing each
-period. The default value is 10 * time.Second.
-
-===== `state.period`
-
-The time interval (in seconds) when state information are sent to the {es} cluster. A new
-snapshot of {beatname_uc} state is generated and scheduled for publishing each
-period. The default value is 60 * time.Second.
-
-===== `protocol`
-
-The name of the protocol to use when connecting to the {es} cluster. The options
-are: `http` or `https`. The default is `http`. If you specify a URL for `hosts`,
-however, the value of protocol is overridden by the scheme you specify in the URL.
-
-===== `proxy_url`
-
-The URL of the proxy to use when connecting to the {es} cluster. For more
-information, see <<elasticsearch-output>>.
-
-===== `timeout`
-
-The HTTP request timeout in seconds for the {es} request. The default is `90`.
-
-===== `ssl`
-
-Configuration options for Transport Layer Security (TLS) or Secure Sockets Layer
-(SSL) parameters like the certificate authority (CA) to use for HTTPS-based
-connections. If the `ssl` section is missing, the host CAs are used for
-HTTPS connections to {es}. For more information, see <<configuration-ssl>>.
-
-===== `username`
-
-The user ID that {beatname_uc} uses to authenticate with the {es} instances for
-shipping monitoring data.
diff --git a/libbeat/docs/output-cloud.asciidoc b/libbeat/docs/output-cloud.asciidoc
deleted file mode 100644
index 2502dfb1a3cc..000000000000
--- a/libbeat/docs/output-cloud.asciidoc
+++ /dev/null
@@ -1,50 +0,0 @@
-[[configure-cloud-id]]
-=== Configure the output for {ess} on {ecloud}
-
-[subs="attributes"]
-++++
-<titleabbrev>{ess}</titleabbrev>
-++++
-
-ifdef::apm-server[]
-NOTE: This page refers to using a separate instance of APM Server with an existing
-{ess-product}[{ess} deployment].
-If you want to use APM on {ess}, see:
-{cloud}/ec-create-deployment.html[Create your deployment] and
-{cloud}/ec-manage-apm-settings.html[Add APM user settings].
-endif::apm-server[]
-
-{beatname_uc} comes with two settings that simplify the output configuration
-when used together with {ess-product}[{ess}]. When defined,
-these setting overwrite settings from other parts in the configuration.
-
-Example:
-
-["source","yaml",subs="attributes"]
-------------------------------------------------------------------------------
-cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
-cloud.auth: "elastic:{pwd}"
-------------------------------------------------------------------------------
-
-These settings can be also specified at the command line, like this:
-
-
-["source","sh",subs="attributes"]
-------------------------------------------------------------------------------
-{beatname_lc} -e -E cloud.id="<cloud-id>" -E cloud.auth="<cloud.auth>"
-------------------------------------------------------------------------------
-
-
-==== `cloud.id`
-
-The Cloud ID, which can be found in the {ess} web console, is used by
-{beatname_uc} to resolve the {es} and {kib} URLs. This setting
-overwrites the `output.elasticsearch.hosts` and `setup.kibana.host` settings.
-For more on locating and configuring the Cloud ID, see {ece-ref}/ece-cloud-id.html[Configure Beats and Logstash with Cloud ID].
-
-==== `cloud.auth`
-
-When specified, the `cloud.auth` overwrites the `output.elasticsearch.username` and
-`output.elasticsearch.password` settings. Because the Kibana settings inherit
-the username and password from the {es} output, this can also be used
-to set the `setup.kibana.username` and `setup.kibana.password` options.
diff --git a/libbeat/docs/outputconfig.asciidoc b/libbeat/docs/outputconfig.asciidoc
deleted file mode 100644
index efb84fabbfaf..000000000000
--- a/libbeat/docs/outputconfig.asciidoc
+++ /dev/null
@@ -1,35 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/outputconfig.asciidoc[]
-//// Make sure this content appears below a level 2 heading.
-//////////////////////////////////////////////////////////////////////////
-
-
-[[configuring-output]]
-== Configure the output
-
-++++
-<titleabbrev>Output</titleabbrev>
-++++
-
-You configure {beatname_uc} to write to a specific output by setting options
-in the Outputs section of the +{beatname_lc}.yml+ config file. Only a single
-output may be defined.
-
-The following topics describe how to configure each supported output. If you've
-secured the {stack}, also read <<securing-{beatname_lc}>> for more about
-security-related configuration options.
-
-include::outputs-list.asciidoc[tag=outputs-list]
-
-ifdef::beat-specific-output-config[]
-include::{beat-specific-output-config}[]
-endif::[]
-
-include::outputs-list.asciidoc[tag=outputs-include]
diff --git a/libbeat/docs/outputs-list.asciidoc b/libbeat/docs/outputs-list.asciidoc
deleted file mode 100644
index bf6bda35094b..000000000000
--- a/libbeat/docs/outputs-list.asciidoc
+++ /dev/null
@@ -1,97 +0,0 @@
-// TODO: Create script that generates this file. Conditional coding needs to
-// be preserved.
-
-//# tag::outputs-list[]
-
-ifndef::no_cloud_id[]
-* <<configure-cloud-id>>
-endif::[]
-ifndef::no_es_output[]
-* <<elasticsearch-output>>
-endif::[]
-ifndef::no_ls_output[]
-* <<logstash-output>>
-endif::[]
-ifndef::no_kafka_output[]
-* <<kafka-output>>
-endif::[]
-ifndef::no_redis_output[]
-* <<redis-output>>
-endif::[]
-ifndef::no_file_output[]
-* <<file-output>>
-endif::[]
-ifndef::no_console_output[]
-* <<console-output>>
-endif::[]
-ifndef::no_discard_output[]
-* <<discard-output>>
-endif::[]
-
-//# end::outputs-list[]
-
-//# tag::outputs-include[]
-ifndef::no_cloud_id[]
-ifdef::requires_xpack[]
-[role="xpack"]
-endif::[]
-include::output-cloud.asciidoc[]
-endif::[]
-
-ifndef::no_es_output[]
-ifdef::requires_xpack[]
-[role="xpack"]
-endif::[]
-include::{libbeat-outputs-dir}/elasticsearch/docs/elasticsearch.asciidoc[]
-endif::[]
-
-ifndef::no_ls_output[]
-ifdef::requires_xpack[]
-[role="xpack"]
-endif::[]
-include::{libbeat-outputs-dir}/logstash/docs/logstash.asciidoc[]
-endif::[]
-
-ifndef::no_kafka_output[]
-ifdef::requires_xpack[]
-[role="xpack"]
-endif::[]
-include::{libbeat-outputs-dir}/kafka/docs/kafka.asciidoc[]
-endif::[]
-
-ifndef::no_redis_output[]
-ifdef::requires_xpack[]
-[role="xpack"]
-endif::[]
-include::{libbeat-outputs-dir}/redis/docs/redis.asciidoc[]
-endif::[]
-
-ifndef::no_file_output[]
-ifdef::requires_xpack[]
-[role="xpack"]
-endif::[]
-include::{libbeat-outputs-dir}/fileout/docs/fileout.asciidoc[]
-endif::[]
-
-ifndef::no_console_output[]
-ifdef::requires_xpack[]
-[role="xpack"]
-endif::[]
-include::{libbeat-outputs-dir}/console/docs/console.asciidoc[]
-endif::[]
-
-ifndef::no_discard_output[]
-ifdef::requires_xpack[]
-[role="xpack"]
-endif::[]
-include::{libbeat-outputs-dir}/discard/docs/discard.asciidoc[]
-endif::[]
-
-ifndef::no_codec[]
-ifdef::requires_xpack[]
-[role="xpack"]
-endif::[]
-include::{libbeat-outputs-dir}/codec/docs/codec.asciidoc[]
-endif::[]
-
-//# end::outputs-include[]
diff --git a/libbeat/docs/overview.asciidoc b/libbeat/docs/overview.asciidoc
deleted file mode 100644
index d42f3e904eb3..000000000000
--- a/libbeat/docs/overview.asciidoc
+++ /dev/null
@@ -1,40 +0,0 @@
-[[beats-reference]]
-== What are {beats}?
-
-{beats} are open source data shippers that you install as agents on your
-servers to send operational data to
-https://www.elastic.co/products/elasticsearch[{es}]. Elastic provides {beats}
-for capturing:
-
-[horizontal]
-Audit data:: https://www.elastic.co/products/beats/auditbeat[Auditbeat]
-Log files and journals:: https://www.elastic.co/products/beats/filebeat[Filebeat]
-Availability:: https://www.elastic.co/products/beats/heartbeat[Heartbeat]
-Metrics:: https://www.elastic.co/products/beats/metricbeat[Metricbeat]
-Network traffic:: https://www.elastic.co/products/beats/packetbeat[Packetbeat]
-Windows event logs:: https://www.elastic.co/products/beats/winlogbeat[Winlogbeat]
-
-{beats} can send data directly to {es} or via
-https://www.elastic.co/products/logstash[{ls}], where you can further process
-and enhance the data, before visualizing it in
-https://www.elastic.co/products/logstash[{kib}].
-
-image::./images/beats-platform.png[Beats Platform]
-
-To get started, see <<getting-started>>.
-
-Want to get up and running quickly with infrastructure metrics monitoring and
-centralized log analytics?
-Try out the {metrics-app} and the {logs-app} in {kib}.
-For more details, see {observability-guide}/analyze-metrics.html[Analyze metrics]
-and {observability-guide}/monitor-logs.html[Monitor logs].
-
-[float]
-=== Need to capture other kinds of data?
-
-If you have a specific use case to solve, we encourage you to create a
-<<community-beats,community Beat>>. We've created an infrastructure to simplify
-the process. The _libbeat_ library, written entirely in Go, offers the API
-that all Beats use to ship data to Elasticsearch, configure the input options,
-implement logging, and more. To learn how to create a new Beat, see the
-{beatsdevguide}/index.html[Beats Developer Guide].
diff --git a/libbeat/docs/processors-list.asciidoc b/libbeat/docs/processors-list.asciidoc
deleted file mode 100644
index 341875f9f960..000000000000
--- a/libbeat/docs/processors-list.asciidoc
+++ /dev/null
@@ -1,298 +0,0 @@
-// TODO: Create script that generates this file. Conditional coding needs to
-// be preserved.
-
-//# tag::processors-list[]
-ifndef::no_add_cloud_metadata_processor[]
-* <<add-cloud-metadata,`add_cloud_metadata`>>
-endif::[]
-ifndef::no_add_cloudfoundry_metadata_processor[]
-* <<add-cloudfoundry-metadata,`add_cloudfoundry_metadata`>>
-endif::[]
-ifndef::no_add_docker_metadata_processor[]
-* <<add-docker-metadata,`add_docker_metadata`>>
-endif::[]
-ifndef::no_add_fields_processor[]
-* <<add-fields, `add_fields`>>
-endif::[]
-ifndef::no_add_host_metadata_processor[]
-* <<add-host-metadata,`add_host_metadata`>>
-endif::[]
-ifndef::no_add_id_processor[]
-* <<add-id,`add_id`>>
-endif::[]
-ifndef::no_add_kubernetes_metadata_processor[]
-* <<add-kubernetes-metadata,`add_kubernetes_metadata`>>
-endif::[]
-ifndef::no_add_labels_processor[]
-* <<add-labels, `add_labels`>>
-endif::[]
-ifndef::no_add_locale_processor[]
-* <<add-locale,`add_locale`>>
-endif::[]
-ifndef::no_add_nomad_metadata_processor[]
-* <<add-nomad-metadata,`add_nomad_metadata`>>
-endif::[]
-ifndef::no_add_observer_metadata_processor[]
-* <<add-observer-metadata,`add_observer_metadata`>>
-endif::[]
-ifndef::no_add_process_metadata_processor[]
-* <<add-process-metadata,`add_process_metadata`>>
-endif::[]
-ifndef::no_add_session_metadata_processor[]
-* <<add-session-metadata,`add_session_metadata`>>
-endif::[]
-ifndef::no_add_tags_processor[]
-* <<add-tags, `add_tags`>>
-endif::[]
-ifndef::no_append_processor[]
-* <<append, `append`>>
-endif::[]
-ifndef::no_community_id_processor[]
-* <<community-id,`community_id`>>
-endif::[]
-ifndef::no_convert_processor[]
-* <<convert,`convert`>>
-endif::[]
-ifndef::no_copy_fields_processor[]
-* <<copy-fields, `copy_fields`>>
-endif::[]
-ifndef::no_decode_base64_field_processor[]
-* <<decode-base64-field,`decode_base64_field`>>
-endif::[]
-ifndef::no_decode_cef_processor[]
-* <<processor-decode-cef,`decode_cef`>>
-endif::[]
-ifndef::no_decode_csv_fields_processor[]
-* <<decode-csv-fields,`decode_csv_fields`>>
-endif::[]
-ifndef::no_decode_duration_processor[]
-* <<decode-duration,`decode_duration`>>
-endif::[]
-ifndef::no_decode_json_fields_processor[]
-* <<decode-json-fields,`decode_json_fields`>>
-endif::[]
-ifndef::no_decode_xml_processor[]
-* <<decode-xml, `decode_xml`>>
-endif::[]
-ifndef::no_decode_xml_wineventlog_processor[]
-* <<decode-xml-wineventlog, `decode_xml_wineventlog`>>
-endif::[]
-ifndef::no_decompress_gzip_field_processor[]
-* <<decompress-gzip-field,`decompress_gzip_field`>>
-endif::[]
-ifndef::no_detect_mime_type_processor[]
-* <<detect-mime-type,`detect_mime_type`>>
-endif::[]
-ifndef::no_dissect_processor[]
-* <<dissect, `dissect`>>
-endif::[]
-ifndef::no_dns_processor[]
-* <<processor-dns, `dns`>>
-endif::[]
-ifndef::no_drop_event_processor[]
-* <<drop-event,`drop_event`>>
-endif::[]
-ifndef::no_drop_fields_processor[]
-* <<drop-fields,`drop_fields`>>
-endif::[]
-ifndef::no_extract_array_processor[]
-* <<extract-array,`extract_array`>>
-endif::[]
-ifndef::no_fingerprint_processor[]
-* <<fingerprint,`fingerprint`>>
-endif::[]
-ifndef::no_include_fields_processor[]
-* <<include-fields,`include_fields`>>
-endif::[]
-ifndef::no_move_fields_processor[]
-* <<move-fields,`move-fields`>>
-endif::[]
-ifndef::no_parse_aws_vpc_flow_log_processor[]
-* <<processor-parse-aws-vpc-flow-log, `parse_aws_vpc_flow_log`>>
-endif::[]
-ifndef::no_include_rate_limit_processor[]
-* <<rate-limit,`rate_limit`>>
-endif::[]
-ifndef::no_registered_domain_processor[]
-* <<processor-registered-domain,`registered_domain`>>
-endif::[]
-ifndef::no_rename_processor[]
-* <<rename-fields,`rename`>>
-endif::[]
-ifndef::no_replace_processor[]
-* <<replace-fields,`replace`>>
-endif::[]
-ifndef::no_script_processor[]
-* <<processor-script,`script`>>
-endif::[]
-ifndef::no_syslog_processor[]
-* <<syslog,`syslog`>>
-endif::[]
-ifndef::no_timestamp_processor[]
-* <<processor-timestamp,`timestamp`>>
-endif::[]
-ifndef::no_translate_ldap_attribute_processor[]
-* <<processor-translate-guid, `translate_ldap_attribute`>>
-endif::[]
-ifndef::no_translate_sid_processor[]
-* <<processor-translate-sid, `translate_sid`>>
-endif::[]
-ifndef::no_truncate_fields_processor[]
-* <<truncate-fields, `truncate_fields`>>
-endif::[]
-ifndef::no_urldecode_processor[]
-* <<urldecode, `urldecode`>>
-endif::[]
-//# end::processors-list[]
-
-//# tag::processors-include[]
-ifndef::no_add_cloud_metadata_processor[]
-include::{libbeat-processors-dir}/add_cloud_metadata/docs/add_cloud_metadata.asciidoc[]
-endif::[]
-ifndef::no_add_cloudfoundry_metadata_processor[]
-include::{x-libbeat-processors-dir}/add_cloudfoundry_metadata/docs/add_cloudfoundry_metadata.asciidoc[]
-endif::[]
-ifndef::no_add_docker_metadata_processor[]
-include::{libbeat-processors-dir}/add_docker_metadata/docs/add_docker_metadata.asciidoc[]
-endif::[]
-ifndef::no_add_fields_processor[]
-include::{libbeat-processors-dir}/actions/docs/add_fields.asciidoc[]
-endif::[]
-ifndef::no_add_host_metadata_processor[]
-include::{libbeat-processors-dir}/add_host_metadata/docs/add_host_metadata.asciidoc[]
-endif::[]
-ifndef::no_add_id[]
-include::{libbeat-processors-dir}/add_id/docs/add_id.asciidoc[]
-endif::[]
-ifndef::no_add_kubernetes_metadata_processor[]
-include::{libbeat-processors-dir}/add_kubernetes_metadata/docs/add_kubernetes_metadata.asciidoc[]
-include::{libbeat-processors-dir}/add_kubernetes_metadata/docs/indexers_and_matchers.asciidoc[]
-endif::[]
-ifndef::no_add_labels_processor[]
-include::{libbeat-processors-dir}/actions/docs/add_labels.asciidoc[]
-endif::[]
-ifndef::no_add_locale_processor[]
-include::{libbeat-processors-dir}/add_locale/docs/add_locale.asciidoc[]
-endif::[]
-ifndef::no_add_network_direction_processor[]
-include::{libbeat-processors-dir}/actions/docs/add_network_direction.asciidoc[]
-endif::[]
-ifndef::no_add_nomad_metadata_processor[]
-include::{x-libbeat-processors-dir}/add_nomad_metadata/docs/add_nomad_metadata.asciidoc[]
-endif::[]
-ifndef::no_add_observer_metadata_processor[]
-include::{libbeat-processors-dir}/add_observer_metadata/docs/add_observer_metadata.asciidoc[]
-endif::[]
-ifndef::no_add_process_metadata_processor[]
-include::{libbeat-processors-dir}/add_process_metadata/docs/add_process_metadata.asciidoc[]
-endif::[]
-ifndef::no_add_session_metadata_processor[]
-include::{x-auditbeat-processors-dir}/sessionmd/docs/add_session_metadata.asciidoc[]
-endif::[]
-ifndef::no_add_tags_processor[]
-include::{libbeat-processors-dir}/actions/docs/add_tags.asciidoc[]
-endif::[]
-ifndef::no_append_processor[]
-include::{libbeat-processors-dir}/actions/docs/append.asciidoc[]
-endif::[]
-ifndef::no_cache_processor[]
-include::{libbeat-processors-dir}/cache/docs/cache.asciidoc[]
-endif::[]
-ifndef::no_community_id_processor[]
-include::{libbeat-processors-dir}/communityid/docs/communityid.asciidoc[]
-endif::[]
-ifndef::no_convert_processor[]
-include::{libbeat-processors-dir}/convert/docs/convert.asciidoc[]
-endif::[]
-ifndef::no_copy_fields_processor[]
-include::{libbeat-processors-dir}/actions/docs/copy_fields.asciidoc[]
-endif::[]
-ifndef::no_decode_base64_field_processor[]
-include::{libbeat-processors-dir}/actions/docs/decode_base64_field.asciidoc[]
-endif::[]
-ifndef::no_decode_cef_processor[]
-include::{x-filebeat-processors-dir}/decode_cef/docs/decode_cef.asciidoc[]
-endif::[]
-ifndef::no_decode_csv_fields_processor[]
-include::{libbeat-processors-dir}/decode_csv_fields/docs/decode_csv_fields.asciidoc[]
-endif::[]
-ifndef::no_include_decode_duration_processor[]
-include::{libbeat-processors-dir}/decode_duration/docs/decode_duration.asciidoc[]
-endif::[]
-ifndef::no_decode_json_fields_processor[]
-include::{libbeat-processors-dir}/actions/docs/decode_json_fields.asciidoc[]
-endif::[]
-ifndef::no_decode_xml_processor[]
-include::{libbeat-processors-dir}/decode_xml/docs/decode_xml.asciidoc[]
-endif::[]
-ifndef::no_decode_xml_wineventlog_processor[]
-include::{libbeat-processors-dir}/decode_xml_wineventlog/docs/decode_xml_wineventlog.asciidoc[]
-endif::[]
-ifndef::no_decompress_gzip_field_processor[]
-include::{libbeat-processors-dir}/actions/docs/decompress_gzip_field.asciidoc[]
-endif::[]
-ifndef::no_detect_mime_type_processor[]
-include::{libbeat-processors-dir}/actions/docs/detect_mime_type.asciidoc[]
-endif::[]
-ifndef::no_dissect_processor[]
-include::{libbeat-processors-dir}/dissect/docs/dissect.asciidoc[]
-endif::[]
-ifndef::no_dns_processor[]
-include::{libbeat-processors-dir}/dns/docs/dns.asciidoc[]
-endif::[]
-ifndef::no_drop_event_processor[]
-include::{libbeat-processors-dir}/actions/docs/drop_event.asciidoc[]
-endif::[]
-ifndef::no_drop_fields_processor[]
-include::{libbeat-processors-dir}/actions/docs/drop_fields.asciidoc[]
-endif::[]
-ifndef::no_extract_array_processor[]
-include::{libbeat-processors-dir}/extract_array/docs/extract_array.asciidoc[]
-endif::[]
-ifndef::no_fingerprint_processor[]
-include::{libbeat-processors-dir}/fingerprint/docs/fingerprint.asciidoc[]
-endif::[]
-ifndef::no_include_fields_processor[]
-include::{libbeat-processors-dir}/actions/docs/include_fields.asciidoc[]
-endif::[]
-ifndef::no_include_move_fields_processor[]
-include::{libbeat-processors-dir}/move_fields/docs/move_fields.asciidoc[]
-endif::[]
-ifndef::no_parse_aws_vpc_flow_log_processor[]
-include::{x-filebeat-processors-dir}/aws_vpcflow/docs/parse_aws_vpc_flow_log.asciidoc[]
-endif::[]
-ifndef::no_include_rate_limit_processor[]
-include::{libbeat-processors-dir}/ratelimit/docs/rate_limit.asciidoc[]
-endif::[]
-ifndef::no_registered_domain_processor[]
-include::{libbeat-processors-dir}/registered_domain/docs/registered_domain.asciidoc[]
-endif::[]
-ifndef::no_rename_processor[]
-include::{libbeat-processors-dir}/actions/docs/rename.asciidoc[]
-endif::[]
-ifndef::no_replace_processor[]
-include::{libbeat-processors-dir}/actions/docs/replace.asciidoc[]
-endif::[]
-ifndef::no_script_processor[]
-include::{libbeat-processors-dir}/script/docs/script.asciidoc[]
-endif::[]
-ifndef::no_syslog_processor[]
-include::{libbeat-processors-dir}/syslog/docs/syslog.asciidoc[]
-endif::[]
-ifndef::no_timestamp_processor[]
-include::{libbeat-processors-dir}/timestamp/docs/timestamp.asciidoc[]
-endif::[]
-ifndef::no_translate_ldap_attribute_processor[]
-include::{libbeat-processors-dir}/translate_ldap_attribute/docs/translate_ldap_attribute.asciidoc[]
-endif::[]
-ifndef::no_translate_sid_processor[]
-include::{libbeat-processors-dir}/translate_sid/docs/translate_sid.asciidoc[]
-endif::[]
-ifndef::no_truncate_fields_processor[]
-include::{libbeat-processors-dir}/actions/docs/truncate_fields.asciidoc[]
-endif::[]
-ifndef::no_urldecode_processor[]
-include::{libbeat-processors-dir}/urldecode/docs/urldecode.asciidoc[]
-endif::[]
-
-//# end::processors-include[]
diff --git a/libbeat/docs/processors-using.asciidoc b/libbeat/docs/processors-using.asciidoc
deleted file mode 100644
index a029f5f2ea8b..000000000000
--- a/libbeat/docs/processors-using.asciidoc
+++ /dev/null
@@ -1,475 +0,0 @@
-[[defining-processors]]
-=== Define processors
-
-You can use processors to filter and enhance data before sending it to the
-configured output. To define a processor, you specify the processor name, an
-optional condition, and a set of parameters:
-
-[source,yaml]
-------
-processors:
-  - <processor_name>:
-      when:
-        <condition>
-      <parameters>
-
-  - <processor_name>:
-      when:
-        <condition>
-      <parameters>
-
-...
-------
-
-Where:
-
-* `<processor_name>` specifies a <<processors,processor>> that performs some kind
-of action, such as selecting the fields that are exported or adding metadata to
-the event.
-* `<condition>` specifies an optional <<conditions,condition>>. If the
-condition is present, then the action is executed only if the condition is
-fulfilled. If no condition is set, then the action is always executed.
-* `<parameters>` is the list of parameters to pass to the processor.
-
-More complex conditional processing can be accomplished by using the
-if-then-else processor configuration. This allows multiple processors to be
-executed based on a single condition.
-
-[source,yaml]
-----
-processors:
-  - if:
-      <condition>
-    then: <1>
-      - <processor_name>:
-          <parameters>
-      - <processor_name>:
-          <parameters>
-      ...
-    else: <2>
-      - <processor_name>:
-          <parameters>
-      - <processor_name>:
-          <parameters>
-      ...
-----
-<1> `then` must contain a single processor or a list of one or more processors
-to execute when the condition evaluates to true.
-<2> `else` is optional. It can contain a single processor or a list of
-processors to execute when the conditional evaluate to false.
-
-[[where-valid]]
-==== Where are processors valid?
-
-// TODO: ANY NEW BEATS THAT RE-USE THIS TOPIC NEED TO DEFINE processor-scope.
-
-ifeval::["{beatname_lc}"=="filebeat"]
-:processor-scope: input
-endif::[]
-
-ifeval::["{beatname_lc}"=="auditbeat"]
-:processor-scope: module
-endif::[]
-
-ifeval::["{beatname_lc}"=="metricbeat"]
-:processor-scope: module
-endif::[]
-
-ifeval::["{beatname_lc}"=="packetbeat"]
-:processor-scope: protocol
-endif::[]
-
-ifeval::["{beatname_lc}"=="heartbeat"]
-:processor-scope: monitor
-endif::[]
-
-ifeval::["{beatname_lc}"=="winlogbeat"]
-:processor-scope: event log shipper
-endif::[]
-
-Processors are valid:
-
-* At the top-level in the configuration. The processor is applied to all data
-collected by {beatname_uc}.
-* Under a specific {processor-scope}. The processor is applied to the data
-collected for that {processor-scope}.
-ifeval::["{beatname_lc}"=="filebeat"]
-+
-[source,yaml]
-------
-- type: <input_type>
-  processors:
-    - <processor_name>:
-        when:
-          <condition>
-        <parameters>
-...
-------
-+
-Similarly, for {beatname_uc} modules, you can define processors under the
-`input` section of the module definition.
-endif::[]
-ifeval::["{beatname_lc}"=="metricbeat"]
-+
-[source,yaml]
-----
-- module: <module_name>
-  metricsets: ["<metricset_name>"]
-  processors:
-    - <processor_name>:
-        when:
-          <condition>
-        <parameters>
-----
-endif::[]
-ifeval::["{beatname_lc}"=="auditbeat"]
-+
-[source,yaml]
-----
-auditbeat.modules:
-- module: <module_name>
-  processors:
-    - <processor_name>:
-        when:
-          <condition>
-        <parameters>
-----
-endif::[]
-ifeval::["{beatname_lc}"=="packetbeat"]
-+
-[source,yaml]
-----
-packetbeat.protocols:
-- type: <protocol_type>
-  processors:
-    - <processor_name>:
-        when:
-          <condition>
-        <parameters>
-----
-
-* Under `packetbeat.flows`. The processor is applied to the data in
-<<configuration-flows,network flows>>:
-+
-[source,yaml]
-----
-packetbeat.flows:
-  processors:
-    - <processor_name>:
-        when:
-          <condition>
-        <parameters>
-----
-endif::[]
-ifeval::["{beatname_lc}"=="heartbeat"]
-+
-[source,yaml]
-----
-heartbeat.monitors:
-- type: <monitor_type>
-  processors:
-    - <processor_name>:
-        when:
-          <condition>
-        <parameters>
-----
-endif::[]
-ifeval::["{beatname_lc}"=="winlogbeat"]
-+
-[source,yaml]
-----
-winlogbeat.event_logs:
-- name: <network_shipper_name>
-  processors:
-    - <processor_name>:
-        when:
-          <condition>
-        <parameters>
-----
-endif::[]
-
-
-[[processors]]
-==== Processors
-
-The supported processors are:
-
-include::processors-list.asciidoc[tag=processors-list]
-
-[[conditions]]
-==== Conditions
-
-Each condition receives a field to compare. You can specify multiple fields
-under the same condition by using `AND` between the fields (for example,
-`field1 AND field2`).
-
-For each field, you can specify a simple field name or a nested map, for example
-`dns.question.name`.
-
-See <<exported-fields>> for a list of all the fields that are exported by
-{beatname_uc}.
-
-The supported conditions are:
-
-* <<condition-equals,`equals`>>
-* <<condition-contains,`contains`>>
-* <<condition-regexp,`regexp`>>
-* <<condition-range, `range`>>
-* <<condition-network, `network`>>
-* <<condition-has_fields, `has_fields`>>
-* <<condition-or, `or`>>
-* <<condition-and, `and`>>
-* <<condition-not, `not`>>
-
-
-[float]
-[[condition-equals]]
-===== `equals`
-
-With the `equals` condition, you can compare if a field has a certain value.
-The condition accepts only an integer or a string value.
-
-For example, the following condition checks if the response code of the HTTP
-transaction is 200:
-
-[source,yaml]
--------
-equals:
-  http.response.code: 200
--------
-
-[float]
-[[condition-contains]]
-===== `contains`
-
-The `contains` condition checks if a value is part of a field. The field can be
-a string or an array of strings. The condition accepts only a string value.
-
-For example, the following condition checks if an error is part of the
-transaction status:
-
-[source,yaml]
-------
-contains:
-  status: "Specific error"
-------
-
-[float]
-[[condition-regexp]]
-===== `regexp`
-
-The `regexp` condition checks the field against a regular expression. The
-condition accepts only strings.
-
-For example, the following condition checks if the process name starts with
-`foo`:
-
-[source,yaml]
------
-regexp:
-  system.process.name: "^foo.*"
------
-
-[float]
-[[condition-range]]
-===== `range`
-
-The `range` condition checks if the field is in a certain range of values. The
-condition supports `lt`, `lte`, `gt` and `gte`. The condition accepts only
-integer, float, or strings that can be converted to either of these as values.
-
-For example, the following condition checks for failed HTTP transactions by
-comparing the `http.response.code` field with 400.
-
-
-[source,yaml]
-------
-range:
-  http.response.code:
-    gte: 400
-------
-
-This can also be written as:
-
-[source,yaml]
-----
-range:
-  http.response.code.gte: 400
-----
-
-The following condition checks if the CPU usage in percentage has a value
-between 0.5 and 0.8.
-
-[source,yaml]
-------
-range:
-  system.cpu.user.pct.gte: 0.5
-  system.cpu.user.pct.lt: 0.8
-------
-
-[float]
-[[condition-network]]
-===== `network`
-
-The `network` condition checks whether a field's value falls within a specified
-IP network range. If multiple fields are provided, each field value must match
-its corresponding network range. You can specify multiple network ranges for a
-single field, and a match occurs if any one of the ranges matches. If the field
-value is an array of IPs, it will match if any of the IPs fall within any of the
-given ranges. Both IPv4 and IPv6 addresses are supported.
-
-The network range may be specified using CIDR notation, like "192.0.2.0/24" or 
-"2001:db8::/32", or by using one of these named ranges:
-
-- `loopback` - Matches loopback addresses in the range of `127.0.0.0/8` or
-  `::1/128`.
-- `unicast` - Matches global unicast addresses defined in RFC 1122, RFC 4632,
-  and RFC 4291 with the exception of the IPv4 broadcast address
-  (`255.255.255.255`). This includes private address ranges.
-- `multicast` - Matches multicast addresses.
-- `interface_local_multicast` - Matches IPv6 interface-local multicast addresses.
-- `link_local_unicast` - Matches link-local unicast addresses.
-- `link_local_multicast` - Matches link-local multicast addresses.
-- `private` - Matches private address ranges defined in RFC 1918 (IPv4) and
-  RFC 4193 (IPv6).
-- `public` - Matches addresses that are not loopback, unspecified, IPv4
-  broadcast, link local unicast, link local multicast, interface local
-  multicast, or private.
-- `unspecified` - Matches unspecified addresses (either the IPv4 address
-  "0.0.0.0" or the IPv6 address "::").
-
-The following condition returns true if the `source.ip` value is within the
-private address space.
-
-[source,yaml]
-----
-network:
-  source.ip: private
-----
-
-This condition returns true if the `destination.ip` value is within the
-IPv4 range of `192.168.1.0` - `192.168.1.255`.
-
-[source,yaml]
-----
-network:
-  destination.ip: '192.168.1.0/24'
-----
-
-And this condition returns true when `destination.ip` is within any of the given
-subnets.
-
-[source,yaml]
-----
-network:
-  destination.ip: ['192.168.1.0/24', '10.0.0.0/8', loopback]
-----
-
-[float]
-[[condition-has_fields]]
-===== `has_fields`
-
-The `has_fields` condition checks if all the given fields exist in the
-event. The condition accepts a list of string values denoting the field names.
-
-For example, the following condition checks if the `http.response.code` field
-is present in the event.
-
-
-[source,yaml]
-------
-has_fields: ['http.response.code']
-------
-
-
-[float]
-[[condition-or]]
-===== `or`
-
-The `or` operator receives a list of conditions.
-
-[source,yaml]
--------
-or:
-  - <condition1>
-  - <condition2>
-  - <condition3>
-  ...
-
--------
-
-For example, to configure the condition
-`http.response.code = 304 OR http.response.code = 404`:
-
-[source,yaml]
-------
-or:
-  - equals:
-      http.response.code: 304
-  - equals:
-      http.response.code: 404
-------
-
-[float]
-[[condition-and]]
-===== `and`
-
-The `and` operator receives a list of conditions.
-
-[source,yaml]
--------
-and:
-  - <condition1>
-  - <condition2>
-  - <condition3>
-  ...
-
--------
-
-For example, to configure the condition
-`http.response.code = 200 AND status = OK`:
-
-[source,yaml]
-------
-and:
-  - equals:
-      http.response.code: 200
-  - equals:
-      status: OK
-------
-
-To configure a condition like `<condition1> OR <condition2> AND <condition3>`:
-
-[source,yaml]
-------
-or:
-  - <condition1>
-  - and:
-    - <condition2>
-    - <condition3>
-
-------
-
-[float]
-[[condition-not]]
-===== `not`
-
-The `not` operator receives the condition to negate.
-
-[source,yaml]
--------
-not:
-  <condition>
-
--------
-
-For example, to configure the condition `NOT status = OK`:
-
-[source,yaml]
-------
-not:
-  equals:
-    status: OK
-------
-
-include::processors-list.asciidoc[tag=processors-include]
diff --git a/libbeat/docs/processors.asciidoc b/libbeat/docs/processors.asciidoc
deleted file mode 100644
index fc91b31a49af..000000000000
--- a/libbeat/docs/processors.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/processors.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-You can <<defining-processors,define processors>> in your configuration to
-process events before they are sent to the configured output. The libbeat
-library provides processors for:
-
-* reducing the number of exported fields
-* enhancing events with additional metadata
-* performing additional processing and decoding
-
-Each processor receives an event, applies a defined action to the event, and
-returns the event. If you define a list of processors, they are executed in the
-order they are defined in the {beatname_uc} configuration file.
-
-[source,yaml]
--------
-event -> processor 1 -> event1 -> processor 2 -> event2 ...
--------
-
-IMPORTANT: It's recommended to do all drop and renaming of existing fields as the last step in a processor configuration. This is because dropping or renaming fields can remove data necessary for the next processor in the chain, for example dropping the `source.ip` field would remove one of the fields necessary for the `community_id` processor to function. If it's necessary to remove, rename or overwrite an existing event field, please make sure it's done by a corresponding processor (<<drop-fields,`drop_fields`>>, <<rename-fields,`rename`>> or <<add-fields, `add_fields`>>) placed at the end of the processor list defined in the input configuration.
diff --git a/libbeat/docs/queueconfig.asciidoc b/libbeat/docs/queueconfig.asciidoc
deleted file mode 100644
index 499ab9d46672..000000000000
--- a/libbeat/docs/queueconfig.asciidoc
+++ /dev/null
@@ -1,220 +0,0 @@
-[[configuring-internal-queue]]
-== Configure the internal queue
-
-++++
-<titleabbrev>Internal queue</titleabbrev>
-++++
-{beatname_uc} uses an internal queue to store events before publishing them. The
-queue is responsible for buffering and combining events into batches that can
-be consumed by the outputs. The outputs will use bulk operations to send a
-batch of events in one transaction.
-
-You can configure the type and behavior of the internal queue by
-setting options in the `queue` section of the +{beatname_lc}.yml+
-config file or by setting options in the `queue` section of the
-output. Only one queue type can be configured.
-
-This sample configuration sets the memory queue to buffer up to 4096 events:
-
-[source,yaml]
-------------------------------------------------------------------------------
-queue.mem:
-  events: 4096
-------------------------------------------------------------------------------
-
-[float]
-[[configuration-internal-queue-memory]]
-=== Configure the memory queue
-
-The memory queue keeps all events in memory.
-
-The memory queue waits for the output to acknowledge or drop events. If
-the queue is full, no new events can be inserted into the memory queue. Only
-after the signal from the output will the queue free up space for more events to be accepted.
-
-The memory queue is controlled by the parameters `flush.min_events` and `flush.timeout`.
-`flush.min_events` gives a limit on the number of events that can be included in a
-single batch, and `flush.timeout` specifies how long the queue should wait to completely
-fill an event request. If the output supports a `bulk_max_size` parameter, the maximum
-batch size will be the smaller of `bulk_max_size` and `flush.min_events`.
-
-`flush.min_events` is a legacy parameter, and new configurations should prefer to control
-batch size with `bulk_max_size`. As of 8.13, there is never a performance advantage to
-limiting batch size with `flush.min_events` instead of `bulk_max_size`.
-
-In synchronous mode, an event request is always filled as soon as events are available,
-even if there are not enough events to fill the requested batch. This is useful when
-latency must be minimized. To use synchronous mode, set `flush.timeout` to 0.
-
-For backwards compatibility, synchronous mode can also be activated by setting `flush.min_events`
-to 0 or 1. In this case, batch size will be capped at 1/2 the queue capacity.
-
-In asynchronous mode, an event request will wait up to the specified timeout to try
-and fill the requested batch completely. If the timeout expires, the queue returns a
-partial batch with all available events. To use asynchronous mode, set `flush.timeout`
-to a positive duration, e.g. `5s`.
-
-This sample configuration forwards events to the output when there are enough events
-to fill the output's request (usually controlled by `bulk_max_size`, and limited to at
-most 512 events by `flush.min_events`), or when events have been waiting for 5s without
-filling the requested size:
-
-[source,yaml]
-------------------------------------------------------------------------------
-queue.mem:
-  events: 4096
-  flush.min_events: 512
-  flush.timeout: 5s
-------------------------------------------------------------------------------
-
-[float]
-=== Configuration options
-
-You can specify the following options in the `queue.mem` section of the +{beatname_lc}.yml+ config file:
-
-[float]
-[[queue-mem-events-option]]
-===== `events`
-
-Number of events the queue can store.
-
-The default value is 3200 events.
-
-[float]
-[[queue-mem-flush-min-events-option]]
-===== `flush.min_events`
-
-If greater than 1, specifies the maximum number of events per batch. In this case the
-output must wait for the
-queue to accumulate the requested number of events or for `flush.timeout` to expire before
-publishing.
-
-If 0 or 1, sets the maximum number of events per batch to half the queue size, and sets
-the queue to synchronous mode (equivalent to `flush.timeout` of 0).
-
-The default value is 1600.
-
-[float]
-[[queue-mem-flush-timeout-option]]
-===== `flush.timeout`
-
-Maximum wait time for event requests from the output to be fulfilled. If set to 0s, events are returned immediately.
-
-The default value is 10s.
-
-[float]
-[[configuration-internal-queue-disk]]
-=== Configure the disk queue
-
-The disk queue stores pending events on the disk rather than main memory.
-This allows Beats to queue a larger number of events than is possible with
-the memory queue, and to save events when a Beat or device is restarted.
-This increased reliability comes with a performance tradeoff, as every
-incoming event must be written and read from the device's disk. However,
-for setups where the disk is not the main bottleneck, the disk queue gives
-a simple and relatively low-overhead way to add a layer of robustness to
-incoming event data.
-
-
-To enable the disk queue with default settings, specify a maximum size:
-
-[source,yaml]
-------------------------------------------------------------------------------
-queue.disk:
-  max_size: 10GB
-------------------------------------------------------------------------------
-
-The queue will use up to the specified maximum size on disk. It will only
-use as much space as required. For example, if the queue is only storing
-1GB of events, then it will only occupy 1GB on disk no matter how high the
-maximum is. Queue data is deleted from disk after it has been successfully
-sent to the output.
-
-[float]
-[[configuration-internal-queue-disk-reference]]
-==== Configuration options
-
-You can specify the following options in the `queue.disk` section of the
-+{beatname_lc}.yml+ config file:
-
-[float]
-===== `path`
-
-The path to the directory where the disk queue should store its data files.
-The directory is created on startup if it doesn't exist.
-
-The default value is `"${path.data}/diskqueue"`.
-
-[float]
-===== `max_size` (required)
-
-The maximum size the queue should use on disk. Events that exceed this
-maximum will either pause their input or be discarded, depending on
-the input's configuration.
-
-A value of `0` means that no maximum size is enforced, and the queue can
-grow up to the amount of free space on the disk. This value should be used
-with caution, as completely filling a system's main disk can make it
-inoperable. It is best to use this setting only with a dedicated data or
-backup partition that will not interfere with {beatname_uc} or the rest
-of the host system.
-
-The default value is `10GB`.
-
-[float]
-===== `segment_size`
-
-Data added to the queue is stored in segment files. Each segment contains
-some number of events waiting to be sent to the outputs, and is deleted when
-all its events are sent. By default, segment size is limited to 1/10 of the
-maximum queue size. Using a smaller size means that the queue will use more
-data files, but they will be deleted more quickly after use. Using a larger
-size means some data will take longer to delete, but the queue will use
-fewer auxiliary files. It is usually fine to leave this value unchanged.
-
-The default value is `max_size / 10`.
-
-[float]
-===== `read_ahead`
-
-The number of events that should be read from disk into memory while
-waiting for an output to request them. If you find outputs are slowing
-down because they can't read as many events at a time, adjusting this
-setting upward may help, at the cost of higher memory usage.
-
-The default value is `512`.
-
-[float]
-===== `write_ahead`
-
-The number of events the queue should accept and store in memory while
-waiting for them to be written to disk. If you find the queue's memory
-use is too high because events are waiting too long to be written to
-disk, adjusting this setting downward may help, at the cost of reduced
-event throughput. On the other hand, if inputs are waiting or discarding
-events because they are being produced faster than the disk can handle,
-adjusting this setting upward may help, at the cost of higher memory
-usage.
-
-The default value is `2048`.
-
-[float]
-===== `retry_interval`
-
-Some disk errors may block operation of the queue, for example a permission
-error writing to the data directory, or a disk full error while writing an
-event. In this case, the queue reports the error and retries after pausing
-for the time specified in `retry_interval`.
-
-The default value is `1s` (one second).
-
-[float]
-===== `max_retry_interval`
-
-When there are multiple consecutive errors writing to the disk, the queue
-increases the retry interval by factors of 2 up to a maximum of
-`max_retry_interval`. Increase this value if you are concerned about logging
-too many errors or overloading the host system if the target disk becomes
-unavailable for an extended time.
-
-The default value is `30s` (thirty seconds).
diff --git a/libbeat/docs/redirects.asciidoc b/libbeat/docs/redirects.asciidoc
deleted file mode 100644
index 15e822022af6..000000000000
--- a/libbeat/docs/redirects.asciidoc
+++ /dev/null
@@ -1,25 +0,0 @@
-["appendix",role="exclude",id="redirects-global"]
-= Deleted pages
-
-The following pages have moved or been deleted.
-
-[role="exclude",id="configuration-central-management"]
-== {beats} central management
-
-Starting in version 7.14, {beats} central management has been removed.
-
-// tag::fleet-redirect[]
-Elastic now provides simpler and faster data onboarding with secure,
-centralized agent management through {agent} and {fleet}. For more information,
-refer to {fleet-guide}/fleet-overview.html[{fleet} and {agent} overview].
-// end::fleet-redirect[]
-
-[role="exclude",id="how-central-managment-works"]
-== How central management works
-
-include::redirects.asciidoc[tag=fleet-redirect]
-
-[role="exclude",id="enroll-beats"]
-== Enroll {beats} in central management
-
-include::redirects.asciidoc[tag=fleet-redirect]
diff --git a/libbeat/docs/reference-yml.asciidoc b/libbeat/docs/reference-yml.asciidoc
deleted file mode 100644
index 692bf12a4172..000000000000
--- a/libbeat/docs/reference-yml.asciidoc
+++ /dev/null
@@ -1,25 +0,0 @@
-[id="{beatname_lc}-reference-yml"]
-== {beatname_lc}.reference.yml
-
-The following reference file is available with your {beatname_uc} installation. It
-shows all non-deprecated {beatname_uc} options. You can copy from this file and paste
-configurations into the +{beatname_lc}.yml+ file to customize it.
-
-TIP: The reference file is located in the same directory as the
-+{beatname_lc}.yml+ file. To locate the file, see <<directory-layout>>. 
-
-The contents of the file are included here for your convenience.
-
-ifndef::requires_xpack[]
-[source,yaml]
-----
-include::../../{beatname_lc}/{beatname_lc}.reference.yml[]
-----
-endif::requires_xpack[]
-
-ifdef::requires_xpack[]
-[source,yaml]
-----
-include::../../x-pack/{beatname_lc}/{beatname_lc}.reference.yml[]
-----
-endif::requires_xpack[]
diff --git a/libbeat/docs/regexp.asciidoc b/libbeat/docs/regexp.asciidoc
deleted file mode 100644
index 8d138ffc2e1f..000000000000
--- a/libbeat/docs/regexp.asciidoc
+++ /dev/null
@@ -1,130 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/regexp.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-[[regexp-support]]
-== Regular expression support
-
-{beatname_uc} regular expression support is based on https://godoc.org/regexp/syntax[RE2].
-
-ifeval::["{beatname_lc}"=="filebeat"]
-
-{beatname_uc} has several configuration options that accept regular expressions.
-For example, `multiline.pattern`, `include_lines`, `exclude_lines`, and
-`exclude_files` all accept regular expressions. Some options, however, such as
-the input `paths` option, accept only glob-based paths.
-
-endif::[]
-
-Before using a regular expression in the config file, refer to the documentation
-to verify that the option you are setting accepts a regular expression.
-
-NOTE: We recommend that you wrap regular expressions in single quotation marks to work around YAML's string escaping rules. For example, `'^\[?[0-9][0-9]:?[0-9][0-9]|^[[:graph:]]+'`.
-
-For more examples of supported regexp patterns, see {filebeat-ref}/multiline-examples.html[Managing Multiline Messages].
-Although the examples pertain to Filebeat, the regexp patterns are applicable to other use cases.
-
-The following patterns are supported:
-
-* <<single-characters, Single Characters>>
-* <<composites, Composites>>
-* <<repetitions, Repetitions>>
-* <<grouping, Groupings>>
-* <<empty-strings, Empty Strings>>
-* <<escape-sequences, Escape Sequences>>
-* <<ascii-character-classes, ASCII Character Classes>>
-* <<perl-character-classes, Perl Character Classes>>
-
-[options="header"]
-|=======================
-|Pattern          |Description
-|[[single-characters]]*Single Characters* 1+|
-|`x`              |single character
-|`.`              |any character
-|`[xyz]`          |character class
-|`[^xyz]`         |negated character class
-|`[[:alpha:]]`    |ASCII character class
-|`[[:^alpha:]]`   |negated ASCII character class
-|`\d`             |Perl character class
-|`\D`             |negated Perl character class
-|`\pN`            |Unicode character class (one-letter name)
-|`\p{Greek}`      |Unicode character class
-|`\PN`            |negated Unicode character class (one-letter name)
-|`\P{Greek}`      |negated Unicode character class
-|[[composites]]*Composites* 1+|
-|`xy`             |`x` followed by `y`
-|`x\|y`           |`x` or `y` (prefer `x`)
-|[[repetitions]]*Repetitions* 1+|
-|`x*`             |zero or more `x`
-|`x+`             |one or more `x`
-|`x?`             |zero or one `x`
-|`x{n,m}`         |`n` or `n+1` or ... or `m` `x`, prefer more
-|`x{n,}`          |`n` or more `x`, prefer more
-|`x{n}`           |exactly `n` `x`
-|`x*?`            |zero or more `x`, prefer fewer
-|`x+?`            |one or more `x`, prefer fewer
-|`x??`            |zero or one `x`, prefer zero
-|`x{n,m}?`        |`n` or `n+1` or ... or `m` `x`, prefer fewer
-|`x{n,}?`         |`n` or more `x`, prefer fewer
-|`x{n}?`          |exactly `n` `x`
-|[[grouping]]*Grouping* 1+|
-|`(re)`           |numbered capturing group (submatch)
-|`(?P<name>re)`   |named & numbered capturing group (submatch)
-|`(?:re)`         |non-capturing group
-|`(?i)abc`        |set flags within current group, non-capturing
-|`(?i:re)`        |set flags during re, non-capturing
-|`(?i)PaTTeRN`    |case-insensitive (default false)
-|`(?m)multiline`  |multi-line mode: `^` and `$` match begin/end line in addition to begin/end text (default false)
-|`(?s)pattern.`   |let `.` match `\n` (default false)
-|`(?U)x*abc`      |ungreedy: swap meaning of `x*` and `x*?`, `x+` and `x+?`, etc (default false)
-|[[empty-strings]]*Empty Strings* 1+|
-|`^`              |at beginning of text or line (`m`=true)
-|`$`              |at end of text (like `\z` not `\Z`) or line (`m`=true)
-|`\A`             |at beginning of text
-|`\b`             |at ASCII word boundary (`\w` on one side and `\W`, `\A`, or `\z` on the other)
-|`\B`             |not at ASCII word boundary
-|`\z`             |at end of text
-|[[escape-sequences]]*Escape Sequences* 1+|
-|`\a`             |bell (same as `\007`)
-|`\f`             |form feed (same as `\014`)
-|`\t`             |horizontal tab (same as `\011`)
-|`\n`             |newline (same as `\012`)
-|`\r`             |carriage return (same as `\015`)
-|`\v`             |vertical tab character (same as `\013`)
-|`\*`             |literal `*`, for any punctuation character `*`
-|`\123`           |octal character code (up to three digits)
-|`\x7F`           |two-digit hex character code
-|`\x{10FFFF}`     |hex character code
-|`\Q...\E`        |literal text `...` even if `...` has punctuation
-|[[ascii-character-classes]]*ASCII Character Classes* 1+|
-|`[[:alnum:]]`    |alphanumeric (same as `[0-9A-Za-z]`)
-|`[[:alpha:]]`    |alphabetic (same as `[A-Za-z]`)
-|`[[:ascii:]]`    |ASCII (same as `\x00-\x7F]`)
-|`[[:blank:]]`    |blank (same as `[\t ]`)
-|`[[:cntrl:]]`    |control (same as `[\x00-\x1F\x7F]`)
-|`[[:digit:]]`    |digits (same as `[0-9]`)
-|`[[:graph:]]`    |graphical (same as `[!-~] == [A-Za-z0-9!"#$%&'()*+,\-./:;<=>?@[\\\]^_`` `{\|}~]`)
-|`[[:lower:]]`    |lower case (same as `[a-z]`)
-|`[[:print:]]`    |printable (same as `[ -~] == [ [:graph:]]`)
-|`[[:punct:]]`    |punctuation (same as ++[!-/:-@[-`{-~]++)
-|`[[:space:]]`    |whitespace (same as `[\t\n\v\f\r ]`)
-|`[[:upper:]]`    |upper case (same as `[A-Z]`)
-|`[[:word:]]`     |word characters (same as `[0-9A-Za-z_]`)
-|`[[:xdigit:]]`   |hex digit (same as `[0-9A-Fa-f]`)
-|[[perl-character-classes]]*Supported Perl Character Classes*  1+|
-|`\d`             |digits (same as `[0-9]`)
-|`\D`             |not digits (same as `[^0-9]`)
-|`\s`             |whitespace (same as `[\t\n\f\r ]`)
-|`\S`             |not whitespace (same as `[^\t\n\f\r ]`)
-|`\w`             |word characters (same as `[0-9A-Za-z_]`)
-|`\W`             |not word characters (same as `[^0-9A-Za-z_]`)
-|=======================
-
-
diff --git a/libbeat/docs/release-notes/5.0.0.asciidoc b/libbeat/docs/release-notes/5.0.0.asciidoc
deleted file mode 100644
index 60407ffa3c61..000000000000
--- a/libbeat/docs/release-notes/5.0.0.asciidoc
+++ /dev/null
@@ -1,240 +0,0 @@
-[[release-notes-5.0.0]]
-=== Beats version 5.0.0
-
-The list below covers changes between 1.x to 5.0.0 releases.
-
-
-==== Breaking changes
-
-*Affecting all Beats*
-
-- Rename the `filters` section to `processors`. {pull}1944[1944]
-- Require braces for environment variable expansion in config files {pull}1304[1304]
-- On DEB/RPM installations, the binary files are now found under `/usr/share/{{beat_name}}/bin`, not in `/usr/bin`. {pull}1385[1385]
-- The logs are written by default to self rotating files, instead of syslog. {pull}1371[1371]
-- Remove deprecated `host` option from elasticsearch, logstash and redis outputs. {pull}1474[1474]
-- All configuration settings under `shipper:` are moved to be top level configuration settings. I.e.
-  `shipper.name:` becomes `name:` in the configuration file. {pull}1570[1570]
-- The `topology_expire` option of the Elasticsearch output was removed. {pull}1907[1907]
-- The Elasticsearch template is now loaded by default. {pull}1993[1993]
-- The Redis output `index` setting is renamed to `key`. `index` still works but it's deprecated. {pull}2077[2077]
-- The undocumented file output `index` setting was removed. Use `filename` instead. {pull}2077[2077]
-- Change Elasticsearch output index configuration to be based on format strings. If index has been configured, no date will be appended anymore to the index name. {pull}2119[2119]
-- If the path specified by the `-c` flag is not absolute and `-path.config` is not specified, it
-  is considered relative to the current working directory. {pull}2245[2245]
-- Rename `tls` configurations section to `ssl`. {pull}2330[2330]
-- Rename `certificate_key` configuration to `key`. {pull}2330[2330]
-- Replace `tls.insecure` with `ssl.verification_mode` setting. {pull}2330[2330]
-- Replace `tls.min/max_version` with `ssl.supported_protocols` setting requiring full protocol name. {pull}2330[2330]
-- A dynamic mapping rule is added to the default Elasticsearch template to treat strings as keywords by default. {pull}2688[2688]
-
-
-*Filebeat*
-
-- Scalar values in used in the `fields` configuration setting are no longer automatically converted to strings. {pull}1092[1092]
-- Count field was removed from event as not used in filebeat {issue}778[778]
-- Default location for the registry file was changed to be `data/registry` from the binary directory,
-  rather than `.filebeat` in the current working directory. This affects installations for zip/tar.gz/source,
-  the location for DEB and RPM packages stays the same. {pull}1373[1373]
-- The state for files which fall under ignore_older is not stored anymore. This has the consequence, that if a file which fell under ignore_older is updated, the whole file will be crawled.
-- Ignore symlinks by default, but they can be enabled with `symlinks` config {pull}1686[1686] {pull}2478[2478]
-- Set `close_inactive` default to 5 minutes (was 1 hour before)
-- Set `clean_removed` and `close_removed` to true by default
-
-
-*Packetbeat*
-
-- Rename output fields in the dns package. Former flag `recursion_allowed` becomes `recursion_available`. {pull}803[803]
-  Former SOA field `ttl` becomes `minimum`. {pull}803[803]
-- The fully qualified domain names which are part of output fields values of the dns package now terminate with a dot. {pull}803[803]
-- Remove the `count` field from the exported event {pull}1210[1210]
-- Configuration of redis topology support changed. {pull}1353[1353]
-- Move all Packetbeat configuration options under the packetbeat namespace {issue}1417[1417]
-- Set `enabled` ` in `packetbeat.protocols.icmp` configuration to `true` by default. {pull}1988[1988]
-- Group HTTP fields under `http.request` and `http.response` {pull}2167[2167]
-- Export `http.request.body` and `http.response.body` when configured under `include_body_for` {pull}2167[2167]
-- Move `ignore_outgoing` config to `packetbeat.ignore_outgoing` {pull}2393[2393]
-
-*Winlogbeat*
-
-- The `message_inserts` field was replaced with the `event_data` field {issue}1053[1053]
-- The `category` field was renamed to `task` to better align with the Windows Event Log API naming {issue}1053[1053]
-- Remove the `count` field from the exported event {pull}1218[1218]
-
-
-==== Bugfixes
-
-*Affecting all Beats*
-
-- Logstash output will not retry events that are not JSON-encodable {pull}927[927]
-- Drain response buffers when pipelining is used by Redis output. {pull}1353[1353]
-- Unterminated environment variable expressions in config files will now cause an error {pull}1389[1389]
-- Fix issue with the automatic template loading when Elasticsearch is not available on Beat start. {issue}1321[1321]
-- Fix bug affecting `-cpuprofile`, `-memprofile`, and `-httpprof` CLI flags {pull}1415[1415]
-- Fix race when multiple outputs access the same event with logstash output manipulating event {issue}1410[1410] {pull}1428[1428]
-- Seed random number generator using crypto.rand package. {pull}1503{1503]
-- Fix beats hanging in `-configtest` {issue}1213[1213]
-- Reset backoff factor on partial ACK. {issue}1803[1803]
-- Fix beats load balancer deadlock if max_retries: -1 or publish_async is enabled in filebeat. {issue}1829[1829]
-- Fix logstash output with pipelining mode enabled not reconnecting. {issue}1876[1876]
-- Empty configuration sections become merge-able with variables containing full path. {pull}1900[1900]
-- Fix error message about required fields missing not printing the missing field name. {pull}1900[1900]
-- Fix sync publisher `PublishEvents` return value if client is closed concurrently. {pull}2046[2046]
-- Fix Logstash output handles error twice when asynchronous sending fails. {pull}2441[2441]
-- Fix Elasticsearch structured error response parsing error. {issue}2229[2229]
-- Fixed the run script to allow the overriding of the configuration file. {issue}2171[2171]
-- Fix logstash output crash if no hosts are configured. {issue}2325[2325]
-- Fix beats failing to start due to invalid duplicate key error in configuration file. {pull}2521[2521]
-- Fix panic on non writable logging directory. {pull}2571[2571]
-- Fix ignoring all fields from drop_fields in case the first field is unknown. {pull}2685[2685]
-- Fix dynamic configuration int/uint` to float type conversion. {pull}2698[2698]
-- Fix primitive types conversion if values are read from environment variables. {pull}2698[2698]
-
-
-*Filebeat*
-
-- Stop filebeat if started without any prospectors defined or empty prospectors {pull}644[644] {pull}647[647]
-- Improve shutdown of crawler and prospector to wait for clean completion {pull}720[720]
-- Omit `fields` from Filebeat events when null {issue}899[899]
-- Improvements in registrar dealing with file rotation. {pull}1281[1281]
-- Multiline reader normalizing newline to use `\n`. {pull}1552[1552]
-- Fix potential data loss between Filebeat restarts, reporting unpublished lines as published. {issue}2041[2041]
-- Fix open file handler issue. {issue}2028[2028] {pull}2020[2020]
-- Fix async publisher sending empty events {pull}2455[2455]
-- Fix potential issue with multiple harvester per file on large file numbers or slow output {pull}2541[2541]
-- Fix input buffer on encoding problem. {pull}2416[2416]
-- Fix issue when `clean_removed` and `clean_inactive` were used together that states were not directly removed from the registry.
-- Fix issue where upgrading a 1.x registry file resulted in duplicate state entries. {pull}2792[2792]
-
-
-*Packetbeat*
-
-- Create a proper BPF filter when ICMP is the only enabled protocol {issue}757[757]
-- Check column length in pgsql parser. {issue}565[565]
-- Harden pgsql parser. {issue}565[565]
-- Add missing nil-check to memcached GapInStream handler. {issue}1162[1162]
-- Fix NFSv4 Operation returning the first found first-class operation available in compound requests. {pull}1821[1821]
-- Fix TCP overlapping segments not being handled correctly. {pull}1898[1898]
-- Fix mapping for some Packetbeat flow metrics that were not marked as being longs. {issue}2177[2177]
-- Fix handling of messages larger than the maximum message size (10MB). {pull}2470[2470]
-- Fix the `bpf_filter` setting. {issue}2660[2660]
-- Fix compile issues for OpenBSD. {pull}1347[1347]
-
-
-*Winlogbeat*
-
-- Fix panic when reading messages larger than 32K characters on Windows XP and 2003. {pull}1498[1498]
-- Fix panic that occurs when reading a large events on Windows Vista and newer. {pull}1499[1499]
-- Adding missing argument to the "Stop processing" log message. {pull}1590[1590]
-- Fix issue with rendering forwarded event log records. {pull}1891[1891]
-- Fix potential data loss between Winlogbeat restarts, reporting unpublished lines as published. {issue}2041[2041]
-- Fix corrupt registry file that occurs on power loss by disabling file write caching. {issue}2313[2313]
-
-
-
-==== Added
-
-*Affecting all Beats*
-
-- Update to Go 1.7. {pull}2306[2306]
-- Add option to Elasticsearch output to pass http parameters in index operations {issue}805[805]
-- Improve Logstash and Elasticsearch backoff behavior. {pull}927[927]
-- Add Kafka output. {pull}942[942] {pull}2188[2188] {pull}2190[2190] {pull}2284[2284]
-- Add config file option to configure GOMAXPROCS. {pull}969[969]
-- Improve shutdown handling in libbeat. {pull}1075[1075]
-- Log total non-zero internal metrics on shutdown. {pull}2349[2349]
-- Add `fields` and `fields_under_root` options under the `shipper` configuration {pull}1092[1092]
-- Add the ability to use a SOCKS5 proxy with the Logstash output {issue}823[823]
-- The `-configtest` flag will now print "Config OK" to stdout on success {pull}1249[1249]
-- Add support for TLS to Redis output. {pull}1353[1353]
-- Add SOCKS5 proxy support to Redis output. {pull}1353[1353]
-- Failover and load balancing support in Redis output. {pull}1353[1353]
-- Multiple-worker per host support for Redis output. {pull}1353[1353]
-- Added ability to escape `${x}` in config files to avoid environment variable expansion {pull}1389[1389]
-- Configuration options and CLI flags for setting the home, data and config paths. {pull}1373[1373]
-- Configuration options and CLI flags for setting the default logs path. {pull}1437[1437]
-- Add Elasticsearch template files compatible with Elasticsearch 2.x. {pull}1501[1501]
-- Load the mapping template depending on the Elasticsearch version. {pull}1993[1993]
-- Add conditions to processors. {pull}1623[1623]
-- Enhance `contains` condition to work on fields that are arrays of strings. {issue}2237[2237]
-- Add OR/AND/NOT to the condition associated with the processors. {pull}1983[1983]
-- Improve error message if compiling regular expression from config files fails. {pull}1900[1900]
-- Compression support in the Elasticsearch output. {pull}1835[1835]
-- Periodically log internal metrics. {pull}1955[1955]
-- Add `enabled` setting to all output modules. {pull}1987[1987]
-- Command line flag `-c` can be used multiple times. {pull}1985[1985]
-- Add `-E` CLI flag for overwriting single config options via command line. {pull}1986[1986]
-- Check stdout being available when console output is configured. {issue}2035[2035]
-- Add script to generate the Kibana index-pattern from fields.yml. {pull}2122[2122]
-- Enhance Redis output key selection based on format string. {pull}2169[2169]
-- Configurable Redis `keys` using filters and format strings. {pull}2169[2169]
-- Lookup the configuration file relative to the `-path.config` CLI flag. {pull}2245[2245]
-- Re-write `import_dashboards` script in Golang. {pull}2155[2155]
-- Add support for encrypted private key files by introducing `ssl.key_passphrase` setting. {pull}2330[2330]
-- Add `beat.version` fields to all events.
-- Make sure Beats sent always float values when they are defined as float by sending 5.00000 instead of 5. {pull}2627[2627]
-
-
-*Filebeat*
-
-- Add the ability to set a list of tags for each prospector {pull}1092[1092]
-- Add JSON decoding support {pull}1143[1143]
-- The registry format was changed to an array instead of dict. The migration to the new format will happen automatically at the first startup. {pull}1703[1703]
-- Introduce `close_removed` and `close_renamed` harvester options. {issue}1600[1600]
-- Introduce `close_eof` harvester option. {issue}1600[1600]
-- Add `clean_removed` and `clean_inactive` config option. {issue}1600[1600]
-- Introduce `close_timeout` harvester options {issue}1926[1926]
-- Strip BOM from first message in case of BOM files {issue}2351[2351]
-- Add `harvester_limit` option {pull}2417[2417]
-
-
-*Packetbeat*
-
-- Change the DNS library used throughout the dns package to github.com/miekg/dns. {pull}803[803]
-- Add support for NFS v3 and v4. {pull}1231[1231]
-- Add support for EDNS and DNSSEC. {pull}1292[1292]
-- Add `enabled` setting to Packetbeat protocols. {pull}1988[1988]
-- Add `enabled` setting to Packetbeat network flows configuration. {pull}1988[1988]
-- Add Cassandra protocol analyzer to Packetbeat. {pull}1959[1959]
-- Match connections with IPv6 addresses to processes {pull}2254[2254]
-- Add IP address to `-devices` command output {pull}2327[2327]
-- Add configuration option for the maximum message size. Used to be hard-coded to 10 MB. {pull}2470[2470]
-
-*Metricbeat*
-
-- First public release, containing the following modules: system, Apache, MySQL, PostgreSQL, Nginx, Redis, MongoDB, and Zookeeper.
-  Metricbeat is replacing Topbeat in 5.0, and its default behaviour is to export system statistics like CPU usage,
-  memory usage, Disk IO similar with what Topbeat 1.x is doing.
-- Add `pgid` field to process information. {pull} 2021[2021]
-- Use the new `scaled_float` Elasticsearch type for the percentage values. {pull}2156[2156]
-- Improve mapping by converting `half_float` to `scaled_float` and integers to long. {pull}2430[2430]
-- Add experimental `cgroup` metrics to the system/process MetricSet. {pull}2184[2184]
-- Add experimental `haproxy` module. {pull}2384[2384]
-
-
-*Winlogbeat*
-
-- Add caching of event metadata handles and the system render context for the wineventlog API {pull}888[888]
-- Improve config validation by checking for unknown top-level YAML keys. {pull}1100[1100]
-- Add the ability to set `tags`, `fields`, and `fields_under_root` as options for each event log {pull}1092[1092]
-- Add additional data to the events published by Winlogbeat. The new fields are `activity_id`,
-`event_data`, `keywords`, `opcode`, `process_id`, `provider_guid`, `related_activity_id`,
-`task`, `thread_id`, `user_data`, and `version`. {issue}1053[1053]
-- Add `event_id`, `level`, and `provider` configuration options for filtering events {pull}1218[1218]
-- Add `include_xml` configuration option for including the raw XML with the event {pull}1218[1218]
-
-
-==== Deprecated
-
-*Affecting all Beats*
-
-- The support for doing GeoIP lookups is deprecated and will be removed in version 6.0. {pull}1601[1601]
-- Topology map is deprecated. This applies to the settings: `refresh_topology_freq`, `topology_expire`, `save_topology`,
-  `host_topology`, `password_topology`, `db_topology`.
-- Setting `port` has been deprecated in Redis and Logstash outputs. {pull}2620[2620]
-
-*Filebeat*
-
-- Deprecate `close_older` option and replace it with `close_inactive`. {issue}2051[2051]
-- Deprecate `force_close_files` option and replace it with `close_removed` and `close_renamed`. {issue}1600[1600]
-
diff --git a/libbeat/docs/release-notes/6.0.0.asciidoc b/libbeat/docs/release-notes/6.0.0.asciidoc
deleted file mode 100644
index 63412008f284..000000000000
--- a/libbeat/docs/release-notes/6.0.0.asciidoc
+++ /dev/null
@@ -1,244 +0,0 @@
-[[release-notes-6.0.0]]
-=== Beats version 6.0.0
-
-The list below covers the changes during the 6.0.0-alpha1, -alpha2, -beta1, -beta2, -rc1 and -rc2 releases.
-
-Also read {beats-ref-60}/breaking-changes-6.0.html[Breaking changes] for more detail about changes that affect
-upgrade.
-
-==== Breaking changes
-
-*Affecting all Beats*
-
-- The log directory (`path.log`) for Windows services is now set to `C:\ProgramData\[beatname]\logs`. {issue}4764[4764]
-- The _all field is disabled in Elasticsearch 6.0. This means that searching by individual
-  words only work on text fields. {issue}4901[4901]
-- Fail if removed setting output.X.flush_interval is explicitly configured.
-- Rename the `/usr/bin/beatname.sh` script (e.g. `metricbeat.sh`) to `/usr/bin/beatname`. {pull}4933[4933]
-- Beat does not start if elasticsearch index pattern was modified but not the template name and pattern. {issue}4769[4769]
-- Fail if removed setting output.X.flush_interval is explicitly configured. {pull}4880[4880]
-- Rename `kubernetes` processor to `add_kubernetes_metadata`. {pull}4473[4473]
-- Rename `*.full.yml` config files to `*.reference.yml`. {pull}4563[4563]
-- The `scripts/import_dashboards` is removed from packages. Use the `setup` command instead. {pull}4586[4586]
-- Change format of the saved kibana dashboards to have a single JSON file for each dashboard {pull}4413[4413]
-- Rename `configtest` command to `test config`. {pull}4590[4590]
-- Remove setting `queue_size` and `bulk_queue_size`. {pull}4650[4650]
-- Remove setting `dashboard.snapshot` and `dashboard.snapshot_url`. They are no longer needed because the
-  dashboards are included in the packages by default. {pull}4675[4675]
-- Beats can no longer be launched from Windows Explorer (GUI), command line is required. {pull}4420[4420]
-
-*Filebeat*
-
-- Rename `input_type` field to `prospector.type` {pull}4294[4294]
-- The `@metadata.type` field, added by the Logstash output, is now hardcoded to `doc` and will be removed in future versions. {pull}4331[4331].
-
-*Metricbeat*
-
-- Change all `system.cpu.*.pct` metrics to be scaled by the number of CPU cores.
-  This will make the CPU usage percentages from the system cpu metricset consistent
-  with the system process metricset. The documentation for these metrics already
-  stated that on multi-core systems the percentages could be greater than 100%. {pull}4544[4544]
-- Remove filters setting from metricbeat modules. {pull}4699[4699]
-- Added `type` field to filesystem metrics. {pull}4717[4717]
-
-*Heartbeat*
-
-- Renamed the heartbeat RPM/DEB name to `heartbeat-elastic`. {pull}4601[4601]
-
-*Packetbeat*
-
-- Remove not-working `runoptions.uid` and `runoptions.gid` options in Packetbeat. {pull}5261[5261]
-- Remove the already unsupported `pf_ring` sniffer option. {pull}4608[4608]
-
-*Auditbeat*
-
-- Changed file metricset config to make `file.paths` a list instead of a dictionary. {pull}4796[4796]
-
-==== Bugfixes
-
-*Affecting all Beats*
-
-- Fix data race accessing watched containers. {issue}5147[5147]
-- Do not require template if index change and template disabled {pull}5319[5319]
-- Fix missing ACK in redis output. {issue}5404[5404]
-- Fix the `/usr/bin/beatname` script to accept `-d "*"` as a parameter. {issue}5040[5040]
-- Combine `fields.yml` properties when they are defined in different sources. {issue}5075[5075]
-- Keep Docker & Kubernetes pod metadata after container dies while they are needed by processors. {pull}5084[5084]
-- Fix `fields.yml` lookup when using `export template` with a custom `path.config` param. {issue}5089[5089]
-- Remove runner creation from every reload check {pull}5141[5141]
-- Fix add_kubernetes_metadata matcher registry lookup. {pull}5159[5159]
-- Register kubernetes `field_format` matcher and remove logger in `Encode` API {pull}4888[4888]
-- Fix go plugins not loaded when beat starts {pull}4799[4799]
-- Add support for `initContainers` in `add_kubernetes_metadata` processor. {issue}4825[4825]
-- Eliminate deprecated _default_ mapping in 6.x {pull}4864[4864]
-- Fix pod name indexer to use both namespace, pod name to frame index key {pull}4775[4775]
-- Don't stop with error loading the ES template if the ES output is not enabled. {pull}4436[4436]
-- Fix race condition in internal logging rotator. {pull}4519[4519]
-- Normalize all times to UTC to ensure proper index naming. {issue}4569[4569]
-- Fix issue with loading dashboards to ES 6.0 when .kibana index did not already exist. {issue}4659[4659]
-- Fix importing the dashboards when the limit for max open files is too low. {issue}4244[4244]
-- Fix configuration documentation for kubernetes processor {pull}4313[4313]
-- Fix misspelling in `add_locale` configuration option for abbreviation.
-
-*Filebeat*
-
-- Fix machine learning jobs setup for dynamic modules. {pull}5509[5509]
-- Fix default paths for redis 4.0.1 logs on macOS {pull}5173[5173]
-- Fix Filebeat not starting if command line and modules configs are used together. {issue}5376[5376]
-- Fix double `@timestamp` field when JSON decoding was used. {pull}5436[5436]
-- Fix issue where the `fileset.module` could have the wrong value. {issue}4761[4761]
-- Fix race condition on harvester stopping with reloading enabled. {issue}3779[3779]
-- Fix recursive glob config parsing and resolution across restarts. {pull}4269[4269]
-- Allow string characters in user agent patch version (NGINX and Apache) {pull}4415[4415]
-- Fix grok pattern in filebeat module system/auth without hostname. {pull}4224[4224]
-
-*Winlogbeat*
-
-- Removed validation of top-level config keys. This behavior was inconsistent with other Beats
-  and caused maintainability issues. {pull}4657[4657]
-
-*Metricbeat*
-
-- Use `beat.name` instead of `beat.hostname` in the Host Overview dashboard. {pull}5340[5340]
-- Fix the loading of 5.x dashboards. {issue}5277[5277]
-- Fix a memory allocation issue where more memory was allocated than needed in the windows-perfmon metricset. {issue}5035[5035]
-- Don't start metricbeat if external modules config is wrong and reload is disabled {pull}5053[5053]
-- The MongoDB module now connects on each fetch, to avoid stopping the whole Metricbeat instance if MongoDB is not up when starting. {pull}5120[5120]
-- Fix kubernetes events module to be able to index time fields properly. {issue}5093[5093]
-- Fixed `cmd_set` and `cmd_get` being mixed in the Memcache module. {pull}5189[5189]
-- Added missing mongodb configuration file to the `modules.d` folder. {pull}4870[4870]
-- Fix wrong MySQL CRUD queries timelion visualization {pull}4857[4857]
-- Add new metrics to CPU metricset {pull}4969[4969]
-- Fix issue affecting Windows services timing out at startup. {pull}4491[4491]
-- Fix incorrect docker.diskio.total metric calculation. {pull}4507[4507]
-- Vsphere module: used memory field corrected. {issue}4461[4461]
-- Set correct format for percent fields in memory module. {pull}4619[4619]
-- Fix a debug statement that said a module wrapper had stopped when it hadn't. {pull}4264[4264]
-- Use MemAvailable value from /proc/meminfo on Linux 3.14. {pull}4316[4316]
-- Fix panic when events were dropped by filters. {issue}4327[4327]
-- Add filtering to system filesystem metricset to remove relative mountpoints like those
-  from Linux network namespaces. {pull}4370[4370]
-- Remove unnecessary print statement in schema apis. {pull}4355[4355]
-- Fix type of field `haproxy.stat.check.health.last`. {issue}4407[4407]
-
-*Heartbeat*
-
-- Fix monitor.name being empty by default. {issue}4852[4852]
-- Fix wrong event timestamps. {issue}4851[4851]
-
-*Packetbeat*
-
-- Fix missing length check in the PostgreSQL module. {pull}5457[5457]
-- Fix panic in ACK handler if event is dropped on blocked queue {issue}5524[5524]
-- Update flow timestamp on each packet being received. {issue}4895[4895]
-- Enabled /proc/net/tcp6 scanning and fixed ip v6 parsing. {pull}4442[4442]
-- Enable memcache filtering only if a port is specified in the config file. {issue}4335[4335]
-
-*Auditbeat*
-
-- Fix `file.max_file_size` config option for the audit file metricset. {pull}4796[4796]
-
-==== Added
-
-*Affecting all Beats*
-
-- Enable flush timeout by default. {pull}5150[5150]
-- Add @metadata.version to events send to Logstash. {pull}5166[5166]
-- Add setting to enable/disable the slow start in logstash output. {pull}4972[4972]
-- Update init scripts to use the `test config` subcommand instead of the deprecated `-configtest` flag. {issue}4600[4600]
-- Get by default the credentials for connecting to Kibana from the Elasticsearch output configuration. {pull}4867[4867]
-- Added `cloud.id` and `cloud.auth` settings, for simplifying using Beats with the Elastic Cloud. {issue}4959[4959]
-- Add lz4 compression support to kafka output. {pull}4977[4977]
-- Add newer kafka versions to kafka output. {pull}4977[4977]
-- Configure the index name when loading the dashboards and the index pattern. {pull}4949[4949]
-- New cli subcommands interface. {pull}4420[4420]
-- Allow source path matching in `add_docker_metadata` processor. {pull}4495[4495]
-- Add support for analyzers and multifields in fields.yml. {pull}4574[4574]
-- Add support for JSON logging. {pull}4523[4523]
-- Add `test output` command, to test Elasticsearch and Logstash output settings. {pull}4590[4590]
-- Introduce configurable event queue settings: queue.mem.events, queue.mem.flush.min_events and queue.mem.flush.timeout. {pull}4650[4650]
-- Enable pipelining in Logstash output by default. {pull}4650[4650]
-- Added 'result' field to Elasticsearch QueryResult struct for compatibility with 6.x Index and Delete API responses. {issue]4661[4661]
-- The sample dashboards are now included in the Beats packages. {pull}4675[4675]
-- Add `pattern` option to be used in the fields.yml to specify the pattern for a number field. {pull}4731[4731]
-- Upgraded to Golang 1.8.3. {pull}4401[4401]
-- Added the possibility to set Elasticsearch mapping template settings from the Beat configuration file. {pull}4284[4284] {pull}4317[4317]
-- Add a variable to the SysV init scripts to make it easier to change the user. {pull}4340[4340]
-- Add the option to write the generated Elasticsearch mapping template into a file. {pull}4323[4323]
-- Add `instance_name` in GCE add_cloud_metadata processor. {pull}4414[4414]
-- Add `add_docker_metadata` processor. {pull}4352[4352]
-- Add `logging.files` `permissions` option. {pull}4295[4295]
-
-*Filebeat*
-
-- Add Kubernetes manifests to deploy Filebeat. {pull}5349[5349]
-- Changed the number of shards in the default configuration to 3. {issue}5095[5095]
-- Don't start filebeat if external modules/prospectors config is wrong and reload is disabled {pull}5053[5053]
-- Add `filebeat.registry_flush` setting, to delay the registry updates. {pull}5146[5146]
-- Add experimental Redis module. {pull}4441[4441]
-- Nginx module: use the first not-private IP address as the remote_ip. {pull}4417[4417]
-- Load Ingest Node pipelines when the Elasticsearch connection is established, instead of only once at startup. {pull}4479[4479]
-- Add support for loading Xpack Machine Learning configurations from the modules, and added sample configurations for the Nginx module. {pull}4506[4506] {pull}4609[4609]
-- Add udp prospector type. {pull}4452[4452]
-- Enabled Cgo which means libc is dynamically compiled. {pull}4546[4546]
-- Add Beta module config reloading mechanism {pull}4566[4566]
-- Remove spooler and publisher components and settings. {pull}4644[4644]
-- Added ability to sort harvested files. {pull}4374[4374]
-- Add experimental Redis slow log prospector type. {pull}4180[4180]
-
-*Winlogbeat*
-
-- Changed the number of shards in the default configuration to 3. {issue}5095[5095]
-- Add the ability to use LevelRaw if Level isn't populated in the event XML. {pull}4257[4257]
-
-*Metricbeat*
-
-- Add Kubernetes manifests to deploy Metricbeat. {pull}5349[5349]
-- Auto-select a hostname (based on the host on which the Beat is running) in the Host Overview dashboard. {pull}5340[5340]
-- Add `filesystem.ignore_types` to system module for ignoring filesystem types. {issue}4685[4685]
-- Add support to exclude labels from kubernetes pod metadata. {pull}4757[4757]
-- Add random startup delay to each metricset to avoid the thundering herd problem. {issue}4010[4010]
-- Add the ability to configure audit rules to the kernel module. {pull}4482[4482]
-- Add the ability to configure kernel's audit failure mode. {pull}4516[4516]
-- Add experimental Aerospike module. {pull}4560[4560]
-- Vsphere module: collect custom fields from virtual machines. {issue}4464[4464]
-- Add `test modules` command, to test modules expected output. {pull}4656[4656]
-- Add `processors` setting to metricbeat modules. {pull}4699[4699]
-- Support `npipe` protocol (Windows) in Docker module. {pull}4751[4751]
-- Add macOS implementation of the system diskio metricset. {issue}4144[4144]
-- Add process_summary metricset that records high level metrics about processes. {pull}4231[4231]
-- Add `kube-state-metrics` based metrics to `kubernetes` module {pull}4253[4253]
-- Add debug logging to Jolokia JMX metricset. {pull}4341[4341]
-- Add events metricset for kubernetes metricbeat module {pull}4315[4315]
-- Change Metricbeat default configuration file to be better optimized for most users. {pull}4329[4329]
-- Add experimental RabbitMQ module. {pull}4394[4394]
-- Add Kibana dashboard for the Kubernetes modules. {pull}4138[4138]
-
-*Heartbeat*
-
-- Changed the number of shards in the default configuration to 1. {issue}5095[5095]
-- Enabled Cgo which means libc is dynamically compiled. {pull}4546[4546]
-
-*Packetbeat*
-
-- Changed the number of shards in the default configuration to 3. {issue}5095[5095]
-
-*Auditbeat*
-
-- Changed the number of shards in the default configuration to 3. {issue}5095[5095]
-- Add support for receiving audit events using a multicast socket. {issue}4850[4850]
-- Added `file.hash_types` config option for controlling the hash types. {pull}4796[4796]
-- Added the ability to specify byte unit suffixes to `file.max_file_size`. {pull}4796[4796]
-- Add file integrity metricset to the audit module. {pull}4486[4486]
-
-==== Deprecated
-
-*Affecting all Beats*
-
-- The `@metadata.type` field, added by the Logstash output, is deprecated, hardcoded to `doc` and will be removed in future versions. {pull}4331[4331].
-
-
-*Filebeat*
-
-- The `filebeat.config_dir` option is deprecated. Use `filebeat.config.prospector` options instead. {pull}5321[5321]
-- Deprecate `input_type` prospector config. Use `type` config option instead. {pull}4294[4294]
diff --git a/libbeat/docs/release-notes/7.0.0.asciidoc b/libbeat/docs/release-notes/7.0.0.asciidoc
deleted file mode 100644
index 284fca0b59d9..000000000000
--- a/libbeat/docs/release-notes/7.0.0.asciidoc
+++ /dev/null
@@ -1,335 +0,0 @@
-[[release-notes-7.0.0]]
-=== Beats version 7.0.0
-
-The list below covers the changes during the 7.0.0-alpha1, -alpha2, -beta1, -rc1 and -rc2 releases.
-
-Also read <<breaking-changes>> for more detail about changes that affect
-upgrade.
-
-==== Breaking changes
-
-*Affecting all Beats*
-
-- Empty `meta.json` file will be treated as a missing meta file. {issue}8558[8558]
-- Removed dashboards and index patterns generation for Kibana 5. {pull}8927[8927]
-- On systems with systemd, the Beats log is now written to journald by default rather than file.
-  To revert this behaviour override BEAT_LOG_OPTS with an empty value. {pull}8942[8942].
-- Automatically cap signed integers to 63 bits. {pull}8991[8991]
-- Use _doc as document type. {pull}9056[9056]
-- Update add_cloud_metadata fields to adjust to ECS. {pull}9265[9265]
-- Rename beat.timezone to event.timezone. {pull}9458[9458]
-- Embedded html is not escaped anymore by default. {pull}9914[9914]
-- Remove port settings from Logstash and Redis output. {pull}9934[9934]
-- Rename `process.exe` to `process.executable` in add_process_metadata to align with ECS. {pull}9949[9949]
-- Remove --configtest command line flag. {pull}10138[10138]
-- Remove --setup command line flag. {pull}10138[10138]
-- Remove --version command line flag. {pull}10138[10138]
-- Import ECS change https://github.com/elastic/ecs/pull/308[ecs#308]:
-  leaf field `user.group` is now the `group` field set. {pull}10275[10275]
-- Docker and Kubernetes labels/annotations will be "dedoted" by default. {pull}10338[10338]
-- ILM will be available by default if Elasticsearch > 7.0 is used. {pull}10347[10347]
-- Move output.elasticsearch.ilm settings to setup.ilm. {pull}10347[10347]
-- On Google Cloud Engine (GCE) the add_cloud_metadata will now trim the project
-  info from the cloud.machine.type and cloud.availability_zone.  {issue}10968[10968]
-- Rename `migration.enabled` config to `migration.6_to_7.enabled`. {pull}11284[11284]
-
-*Auditbeat*
-
-- Rename beat.name to agent.type, beat.hostname to agent.hostname, beat.version to agent.version.
-- Use `initial_scan` action for new paths. {pull}7954[7954]
-- Remove warning for deprecated option: `filters`. {pull}9002[9002]
-- Rename `source.hostname` to `source.domain` in the auditd module. {pull}9027[9027]
-- Rename `process.exe` to `process.executable` in auditd module to align with ECS. {pull}9949[9949]
-- Rename `process.cwd` to `process.working_directory` in auditd module to align with ECS. {pull}10195[10195]
-- Change data type of `process.pid` and `process.ppid` to number in JSON output of the auditd module. {pull}10195[10195]
-- Change data type of `file.uid` and `file.gid` to string in JSON output of the FIM module. {pull}10195[10195]
-- Rename user fields to ECS in auditd module. {pull}10456[10456]
-- Rename `event.type` to `auditd.message_type` in auditd module because event.type is reserved for future use by ECS. {pull}10536[10536]
-- Field `file.origin` changed type from `text` to `keyword`. {pull}10544[10544]
-- Rename `auditd.messages` to `event.original` and `auditd.warnings` to `error.message`. {pull}10577[10577]
-- Process dataset: Only report processes with executable. {pull}11232[11232]
-- Shorten entity IDs. {pull}11405[11405]
-
-*Filebeat*
-
-- Rename `fileset.name` to `event.name`. {pull}8879[8879]
-- Rename `fileset.module` to `event.module`. {pull}8879[8879]
-- Rename `source` to `log.file.path` and `log.source.ip`. {pull}8902[8902]
-- Remove the deprecated `prospectors` option in the configuration. Use `inputs` instead. {pull}8909[8909]
-- Rename `offset` to `log.offset`. {pull}8923[8923]
-- Modify apache/error dataset to follow ECS. {pull}8963[8963]
-- Rename `source_ecs` to `source` in the Filebeat Suricata module. {pull}8983[8983]
-- Remove warnings for deprecated options: `spool_size`, `publish_async`, `idle_timeout`. {pull}9002[9002]
-- Rename many `traefik.access.*` fields to map to ECS. {pull}9005[9005]
-- Rename many `nginx.access.*` fields to map to ECS. {pull}9081[9081]
-- Rename many `iis.access.*` fields to map to ECS. {pull}9084[9084]
-- IIS module's user agent string is no longer encoded (`+` replaced with spaces). {pull}9084[9084]
-- Rename many `haproxy.*` fields to map to ECS. {pull}9117[9117]
-- Rename many `system.syslog.*` fields to map to ECS. {pull}9135[9135]
-- Rename many `system.auth.*` fields to map to ECS. {pull}9138[9138]
-- Rename many `apache2.access.*` fields to map to ECS. {pull}9245[9245]
-- Rename a few `elasticsearch.audit.*` fields to map to ECS. {pull}9293[9293]
-- Rename many `kibana.log.*` fields to map to ECS. {pull}9301[9301]
-- Rename `apache2` module to `apache`. {pull}9402[9402]
-- Fix parsing of GC entries in elasticsearch server log. {issue}9513[9513] {pull}9810[9810]
-- Rename `read_timestamp` to `event.created` for Redis input. {pull}9924[9924]
-- Rename a few `logstash.*` fields to map to ECS. Remove `logstash.slowlog.message`. {pull}9935[9935]
-- Rename many `iis.error.*` fields to map to ECS. {pull}9955[9955]
-- Rename a few `nginx.error.*` fields to map to ECS. {pull}10007[10007]
-- Rename a few `mysql.*` fields to map to ECS. {pull}10008[10008]
-- Rename a few `mongodb.*` fields to map to ECS. {pull}10009[10009]
-- Remove `service.name` from Elastcsearch module. Replace with `service.type`. {pull}10042[10042]
-- Rename `read_timestamp` to `event.created` for all Filebeat modules using it. {pull}10139[10139]
-- Now save the 'first seen' timestamp in `event.created` (previously `read_timestamp`),
-  instead of saving the parsed date. Now aligned with `event.created` semantics elsewhere. {pull}10139[10139]
-- Adjust fileset `haproxy.log` to map to ECS. {pull}10143[10143]
-- Rename `mysql.error.thread_id` and `mysql.slowlog.id` to `mysql.thread_id`. {pull}10161[10161]
-- Remove `mysql.error.timestamp`  and `mysql.slowlog.timestamp`. {pull}10161[10161]
-- Rename multiple fields to `http.response.body.bytes`, from modules "apache", "iis",
-  "kibana", "nginx" and "traefik", including `http.response.content_length` (ECS). {pull}10188[10188]
-- Rename many `auditd.log.*` fields to map to ECS. {pull}10192[10192]
-- Remove numeric coercions for `user.id` and `group.id`. IDs should be `keyword`. {pull}10233[10233]
-- Migrate multiple fields to `event.duration`, from modules "apache", "elasticsearch",
-  "haproxy", "iis", "kibana", "mysql", "nginx", "postgresql" and "traefik", including `http.response.elapsed_time` (ECS). {pull}10188[10188], {pull}10274[10274]
-- Ingesting Elasticsearch audit logs is only supported with Elasticsearch 6.5.0 and above. {pull}10352[10352]
-- Migrate Elasticsearch audit logs fields to ECS. {pull}10352[10352]
-- Change type of `haproxy.log` fileset fields from text to keyword:
-  `response.captured_headers`, `request.captured_headers`, `raw_request_line`, `mode`. {pull}10397[10397]
-- Remove field `kafka.log.trace.full` from `kafka.log` fileset. {pull}10398[10398]
-- Change field `kafka.log.class` for `kafka.log` fileset from text to keyword. {pull}10398[10398]
-- Change type of field `backend_url` and `frontend_name` in `traefik.access` metricset to type keyword. {pull}10401[10401]
-- Several text fields in the Elasticsearch module are now indexed as `keyword` fields with `text` multi-fields (ECS). {pull}10414[10414]
-- Several text fields in the Logstash module are now indexed as `keyword` fields with `text` multi-fields (ECS). {pull}10417[10417]
-- Move dissect pattern for `traefik.access` fileset from Filbeat to Elasticsearch. {pull}10442[10442]
-- The `elasticsearch/deprecation` fileset now indexes the `component` field under `elasticsearch` instead of `elasticsearch.server`. {pull}10445[10445]
-- Rename setting `filebeat.registry_flush` to `filebeat.registry.flush`. {pull}10504[10504]
-- Rename setting `filebeat.registry_file_permission` to `filebeat.registry.file_permission`. {pull}10504[10504]
-- Remove setting `filebeat.registry_file` in favor of `filebeat.registry.path`. The registry file will be stored in a sub-directory now. {pull}10504[10504]
-- Address `add_kubernetes_metadata` processor issue where old source field is still used for matcher. {issue}10505[10505] {pull}10506[10506]
-- Change type of `haproxy.source` from text to keyword. {pull}10506[10506]
-- Rename `event.type` to `suricata.eve.event_type` in Suricata module because `event.type` is reserved for future use by ECS. {pull}10575[10575]
-- Set `ecs: true` in `user_agent` processors when loading pipelines with Filebeat 7.0.x into Elasticsearch 6.7.x. {issue}10655[10655] {pull}10875[10875]
-
-
-*Heartbeat*
-
-- A number of fields have been aliased to their relevant counterparts in the `url.*` field.
-  Existing visualizations should mostly work. The fields that have been moved are
-  `monitor.scheme -> url.scheme`, `monitor.host -> url.domain`, `resolve.host -> url.domain`, `http.url -> url.full`,
-  `tcp.port -> url.port`. In addition to these moves the new fields `url.username`, `url.password`, `url.path`, and `url.query` are now present.
-  It should be noted that the `url.password` field does not contain actual password values, but rather the text `<hidden>` {pull}9570[9570].
-- Monitor IDs are now configurable. Auto generated monitor IDs now use a different formula based on a hash of their config values.
-  To have continuity with the old format of monitor IDs, set the `id` property explicitly. {pull}9697[9697]
-- The included Kibana HTTP dashboard is now removed in favor of the Uptime app in Kibana. {pull}10294[10294]
-
-*Journalbeat*
-
-- Rename `host.name` to `host.hostname` to align with ECS. {pull}10043[10043]
-- Rename `read_timestamp` to `event.created` to align with ECS. {pull}10043[10043], {pull}10139[10139]
-- Fix typo in the field name `container.id_truncated`. {pull}10525[10525]
-- Change type of `text` fields to `keyword`. {pull}10542[10542]
-- Rename `container.image.tag` to `container.log.tag`. {pull}10561[10561]
-
-*Metricbeat*
-
-- `event.duration` is now in nano and not microseconds anymore. {pull}8941[8941]
-- Remove warning for deprecated option: `filters`. {pull}9002[9002]
-- Refactor Prometheus metric mappings. {pull}9948[9948]
-- Remove Prometheus stats metricset in favor of just using Prometheus collector. {pull}9948[9948]
-- Rename `http.request.body` field to `http.request.body.content`. {pull}10315[10315]
-- Change the following fields from type text to keyword: {pull}10318[10318]
-  - `ceph.osd_df.name`
-  - `ceph.osd_tree.name`
-  - `ceph.osd_tree.children`
-  - `kafka.consumergroup.meta`
-  - `kibana.stats.name`
-  - `mongodb.metrics.replication.executor.network_interface`
-  - `php_fpm.process.request_uri`
-  - `php_fpm.process.script`
-- Adjust `redis.info` metricset fields to ECS. {pull}10319[10319]
-- Refactor munin module to collect an event per plugin and to have more strict field mappings.
-  The `namespace` option has been removed and will be replaced by `service.name`. {pull}10322[10322]
-- Migrate system process metricset fields to ECS. {pull}10332[10332]
-- Migrate system socket metricset fields to ECS. {pull}10339[10339]
-- Renamed direction values in sockets to ECS recommendations, from incoming/outcoming to inbound/outbound. {pull}10339[10339]
-- Update a few `elasticsearch.* fields` to map to ECS. {pull}10350[10350]
-- Update a few `kibana.*` fields to map to ECS. {pull}10350[10350]
-- Update a few `logstash.*` fields to map to ECS. {pull}10350[10350]
-- Change type of field `docker.container.ip_addresses` to `ip` instead of `keyword`. {pull}10364[10364]
-- Adjust `php_fpm.process` metricset fields to ECS. {pull}10366[10366]
-- Adjust `mongodb.status` metricset to to ECS. {pull}10368[10368]
-- Add `service.name` option to all modules to explicitly set `service.name` if it is unset. {pull}10427[10427]
-- Update `rabbitmq.*` fields to map to ECS. {pull}10563[10563]
-- Update `haproxy.*` fields to map to ECS. {pull}10558[10558] {pull}10568[10568]
-- Collect all EC2 metadata from all instances in all states. {pull}10628[10628]
-- Migrate docker module to ECS. {pull}10927[10927]
-- Add connection and request timeouts for HTTP helper. {pull}11032[11032]
-
-
-*Packetbeat*
-
-- Change Packetbeat fields to align with ECS. {issue}7968[7968]
-- Rename the flow event fields to follow ECS. {pull}9121[9121]
-- Rename several client and server fields. IP, port, and process metadata are
-  now contained under the client and server namespaces. {issue}9303[9303]
-- Adjust Packetbeat `http` fields to ECS. {pull}9645[9645]
-  - `http.request.body` moves to `http.request.body.content`
-  - `http.response.body` moves to `http.response.body.content`
-- Remove trailing dot from domain names reported by the DNS protocol. {pull}9941[9941]
-
-*Winlogbeat*
-
-- Adjust Winlogbeat fields to map to ECS. {pull}10333[10333]
-
-==== Bugfixes
-
-*Affecting all Beats*
-
-- Fix support of `add_docker_metadata` in Windows by identifying systems' path separator. {issue}7797[7797]
-- Fix `-d` CLI flag by trimming spaces from selectors. {pull}7864[7864]
-- Start autodiscover consumers before producers. {pull}7926[7926]
-- Fix `exclude_labels` when there are dotted keys. {pull}10154[10154]
-- Fix unauthorized error when loading dashboards by adding username and password into kibana config. {issue}10513[10513] {pull}10675[10675]
-- Allow to configure Kafka fetching strategy for the topic metadata. {pull}10682[10682]
-- Reconnections of Kubernetes watchers are now logged at debug level when they are harmless. {pull}10988[10988]
-- Add `missing host.*` fields to fields.yml. {pull}11016[11016]
-- Fixed OS family classification in `add_host_metadata` for Amazon Linux, Raspbian, and RedHat Linux. {issue}9134[9134] {pull}11494[11494]
-- Relax validation of the X-Pack license UID value. {issue}11640[11640]
-- Fix a parsing error with the X-Pack license check on 32-bit system. {issue}11650[11650]
-
-*Filebeat*
-
-- Rename many `icinga.*` fields to map to ECS. {pull}9294[9294]
-- Rename many `kafka.log.*` fields to map to ECS. {pull}9297[9297]
-- Rename many `postgresql.log.*` fields to map to ECS. {pull}9308[9308]
-- Rename many `redis.log.*` fields to map to ECS. {pull}9315[9315]
-- Use `log.source.address` instead of `log.source.ip` for network input sources. {pull}9487[9487]
-- Support IPv6 addresses with zone id in IIS ingest pipeline.  {issue}9836[9836] error log: {pull}9869[9869], access log: {pull}9955[9955].
-- Ensure `source.address` is always populated by the nginx module (ECS). {pull}10418[10418]
-- Fix errors in filebeat Zeek dashboard and README files. Add `notice.log` support. {pull}10916[10916]
-- Fix a bug when converting NetFlow fields to snake_case. {pull}10950[10950]
-- Add `on_failure` handler for Zeek ingest pipelines. Fix one field name error
-  for notice and add an additional test case. {issue}11004[11004] {pull}11105[11105]
-- Fix issue preventing docker container events to be stored if the container
-  has a network interface without ip address. {issue}11225[11225] {pull}11247[11247]
-- Fix goroutine leak happening when harvesters are dynamically stopped. {pull}11263[11263]
-- Don't apply multiline rules in Logstash json logs. {pull}11346[11346]
-- Fix panic in `add_kubernetes_metadata` processor when key `log` does not exist. {issue}11543[11543] {pull}11549[11549]
-
-*Heartbeat*
-
-- Fix rare issue where TLS connections to endpoints with x509 certificates missing either
-  notBefore or notAfter would cause the check to fail with a stacktrace.  {pull}9566[9566]
-- Fix checks for TCP send/receive data. {pull}11118[11118]
-
-*Metricbeat*
-
-- Fix for not reusable http client leading to connection leaks in Jolokia module. {pull}11014[11014]
-- Collect metrics when EC2 instances are not in running state. {issue}11008[11008] {pull}11023[11023]
-- Change ECS field `cloud.provider` to `aws`. {pull}11023[11023]
-- Fix `ec2` metricset to collect metrics from Cloudwatch with the same timestamp. {pull}11142[11142]
-- Add missing `aws.ec2.instance.state.name` into fields.yml. {issue}11219[11219] {pull}11221[11221]
-- Fix potential memory leak in stopped docker metricsets. {pull}11294[11294]
-
-*Packetbeat*
-
-- Fixed the mysql missing transactions if monitoring a connection from the start. {pull}8173[8173]
-
-*Winlogbeat*
-
-- Close handle on signalEvent. {pull}9838[9838]
-
-==== Added
-
-*Affecting all Beats*
-
-- Add field `host.os.kernel` to the `add_host_metadata` processor and to the internal monitoring data. {issue}7807[7807]
-- Add debug check to logp.Logger {pull}7965[7965]
-- Count HTTP 429 responses in the elasticsearch output. {pull}8056[8056]
-- Allow Bus to buffer events in case listeners are not configured. {pull}8527[8527]
-- Perform `add_cloud_metadata` initialization asynchronously to avoid delays on startup. {pull}8845[8845]
-- Autodiscovery no longer requires that the `condition` field be set. If left unset all configs will be matched. {pull}9029[9029]
-- Add geo fields to `add_host_metadata` processor. {pull}9392[9392]
-- Add `agent.id` and `agent.ephemeral_id` fields to all beats. {pull}9404[9404]
-- Add dedot method in `add_docker_metadata` processor in libbeat. {issue}9350[9350] {pull}9505[9505]
-- Update field definitions for `http` to ECS. {pull}9645[9645]
-- Calls to Elasticsearch X-Pack APIs made by Beats won't cause deprecation logs in Elasticsearch logs. {pull}9656[9656]
-- Introduce `migration.enabled` configuration. {pull}9805[9805]
-- Add `name` config option to `add_host_metadata` processor. {pull}9943[9943]
-- Add `add_labels` and `add_tags` processors. {pull}9973[9973]
-- Add alias field support in Kibana index pattern. {pull}10075[10075]
-- Add missing file encoding to readers. {pull}10080[10080]
-- Add `add_fields` processor. {pull}10119[10119]
-- Add Kibana field formatter to bytes fields. {pull}10184[10184]
-- Add ILM mode `auto` to `setup.ilm.enabled` setting. This new default value detects if ILM is available {pull}10347[10347]
-- Add support to read ILM policy from external JSON file. {pull}10347[10347]
-- Add `overwrite` and `check_exists` settings to ILM support. {pull}10347[10347]
-- Support Kafka 2.1.0. {pull}10440[10440]
-- Generate Kibana index pattern on demand instead of using a local file. {pull}10478[10478]
-
-*Auditbeat*
-
-- Move System module to beta. {pull}10800[10800]
-- Add `user.id` (UID) and `user.name` for ECS. {pull}10195[10195]
-- Add `group.id` (GID) and `group.name` for ECS. {pull}10195[10195]
-- Login dataset: Add event category and type. {pull}11339[11339]
-
-*Filebeat*
-
-- Add custom unpack to log hints config to avoid env resolution. {pull}7710[7710]
-- Make docker input check if container strings are empty. {pull}7960[7960]
-- Keep unparsed user agent information in `user_agent.original`. {pull}8537[8537]
-- Elasticsearch module's slowlog now populates `event.duration` (ECS). {pull}9293[9293]
-- Add option to modules.yml file to indicate that a module has been moved. {pull}9432[9432].
-- Added module for parsing Google Santa logs. {pull}9540[9540]
-- Add module zeek. {issue}9931[9931] {pull}10034[10034]
-- Add `service.type` field to all Modules. By default the field is set with the module name. It can be overwritten with `service.type` config. {pull}10042[10042]
-- HAProxy module now populates `event.duration` and `http.response.bytes` (ECS). {pull}10143[10143]
-- Apache module's `error` fileset now performs GeoIP lookup, like the `access` fileset. {pull}10273[10273]
-- Added support for ingesting structured Elasticsearch audit logs. {pull}10352[10352]
-- Added support for ingesting structured Elasticsearch server logs. {pull}10428[10428]
-- Added support for ingesting structured Elasticsearch deprecation logs. {pull}10445[10445]
-- Added support for ingesting structured Elasticsearch slow logs. {pull}10445[10445]
-- Add ISO8601 timestamp support in syslog metricset. {issue}8716[8716] {pull}10736[10736]
-- Add support for loading custom NetFlow and IPFIX field definitions to netflow input. {pull}10945[10945] {pull}11223[11223]
-- Added categorization fields for SSH login events in the system/auth fileset. {pull}11334[11334]
-- Add support for MySQL 8.0, Percona 8.0 and MariaDB 10.3. {pull}11417[11417]
-
-*Heartbeat*
-
-- Add central management support. {pull}9254[9254]
-
-*Metricbeat*
-
-- Add metrics about cache size to memcached module. {pull}7740[7740]
-- Add `service.type` field to Metricbeat. {pull}8965[8965]
-- Add AWS EC2 module. {pull}9257[9257] {issue}9300[9300]
-- Add MS SQL module to X-Pack. {pull}9414[9414]
-- Add `socket_summary` metricset to system defaults. Remove experimental tag and support Windows. {pull}9709[9709]
-- Add `key` metricset to the Redis module. {issue}9582[9582] {pull}9657[9657] {pull}9746[9746]
-- Add `performance` metricset to X-Pack mssql module. {pull}9826[9826]
-- Add more meaningful metrics to `performance` metricset in MSSQL module. {pull}10011[10011]
-- Add `nats` module. {issue}10071[10071]
-- Rename some fields in `performance` metricset on MSSQL module to match the updated documentation from Microsoft. {pull}10074[10074]
-- Rename `db` metricset to `transaction_log` in MSSQL Metricbeat module. {pull}10109[10109]
-- Release Kvm module as beta. {pull}10279[10279]
-- Release Nats module as GA. {pull}10281[10281]
-- Release Munin module as GA. {pull}10311[10311]
-- Release Golang module as GA. {pull}10312[10312]
-- Add process arguments and the path to its executable file in the system process metricset. {pull}10332[10332]
-- Release AWS module as GA. {pull}10345[10345]
-- Add filters and pie chart for AWS EC2 dashboard. {pull}10596[10596]
-
-*Packetbeat*
-
-- Add support to decode HTTP bodies compressed with `gzip` and `deflate`. {pull}7915[7915]
-- Add support to decode mysql prepared statement command. {pull}8084[8084]
-- Added support to calculate certificates' fingerprints (MD5, SHA-1, SHA-256). {issue}8180[8180]
-- Add `network.community_id` to Packetbeat flow events. {pull}10061[10061]
-- Add aliases for flow fields that were renamed. {issue}7968[7968] {pull}10063[10063]
-
-==== Known Issue
-
-*Journalbeat*
-
-- Journalbeat requires at least systemd v233 in order to follow entries after journal changes (rotation, vacuum).
diff --git a/libbeat/docs/release-notes/breaking/breaking-7.17.asciidoc b/libbeat/docs/release-notes/breaking/breaking-7.17.asciidoc
deleted file mode 100644
index d7d73508c6db..000000000000
--- a/libbeat/docs/release-notes/breaking/breaking-7.17.asciidoc
+++ /dev/null
@@ -1,11 +0,0 @@
-[[breaking-changes-7.17]]
-
-=== Breaking changes in 7.17
-++++
-<titleabbrev>7.17</titleabbrev>
-++++
-
-The Docker base image has changed from CentOS 7 to Ubuntu 20.04. This change
-affects all {beats}.
-
-{see-relnotes}
diff --git a/libbeat/docs/release-notes/breaking/breaking-8.0.asciidoc b/libbeat/docs/release-notes/breaking/breaking-8.0.asciidoc
deleted file mode 100644
index 7fe56f44053c..000000000000
--- a/libbeat/docs/release-notes/breaking/breaking-8.0.asciidoc
+++ /dev/null
@@ -1,89 +0,0 @@
-[[breaking-changes-8.0]]
-
-=== Breaking changes in 8.0
-++++
-<titleabbrev>8.0</titleabbrev>
-++++
-
-See the <<release-notes,release notes>> for a complete list of breaking changes,
-bug fixes, and enhancements, including changes to beta or experimental
-functionality.
-
-[discrete]
-==== {beats} logs are now ECS-compliant
-
-All Elastic {beats} now write ECS-compliant logs in JSON format, and the config
-options for enabling ECS/JSON are removed. The new log name format is
-`{beatname}-{date}(-n)?.ndjson`. For example (from oldest to newest):
-`filebeat-20200101.ndjson`, `filebeat-20200101-1.ndjson`,
-`filebeat-20200101-2.ndjson`, and so on.
-
-With this change, we now provide a uniform logging scheme across Elastic
-products, which makes it easier to develop ECS-aware visualizations for
-behaviors like correlating metrics or events across products.
-
-If you have any monitoring configurations that expect the old log format, you
-must update them to use the new log format.
-
-[discrete]
-==== {beats} now store events in data streams instead of indices
-
-All {beats} shippers now store events in data streams in {es} instead of indices
-regardless of the {es} version. This change affects the underlying data storage
-method used in {es}; it does not change the naming convention. The name of the
-data stream follows the format `{beatname}-{version}`, and the index pattern is
-`{beatname}-{version}`. Do not confuse this change with the naming convention we
-use in Elastic integrations.
-
-As part of this change, some index lifecycle managment (ILM) options
-(`rollover_alias` and `pattern`) are removed because data streams do not
-require index aliases. Also the `setup.template.type` option is removed because
-it no longer makes sense.
-
-If you are loading JSON index templates by specifying a file in
-`setup.template.json.path`, make sure you move from the legacy format to
-composable index templates.
-
-NOTE: Data streams support create operations only. Thus, there is no
-way to use operation types like "index" or "delete" when sending events to {es}.
-
-For more information, refer to the {es} documentation about
-{ref}/data-streams.html[data streams].
-
-[discrete]
-==== Homebrew formulae no longer available for {beats}
-
-Starting with version 8.0.0, Elastic no longer publishes Homebrew formulae for
-{beats}. You must use a different installation method. See
-the https://www.elastic.co/downloads/beats/[{beats} download pages]
-for available installation methods.
-
-
-[discrete]
-==== Removal of older platforms from {beats} support matrix
-Starting with version 8.0.0, the following operating systems are no longer supported
-by {beats} due to lack of vendor support for the operating system. In order to have
-the best product experience, you are encouraged to move to a vendor-supported 
-version of the operating system.
-
-.*These platforms are:*
-* Centos 6
-* Centos 8
-* RHEL 6
-* Ubuntu 14.04
-* Ubuntu 16.04
-* Debian 8
-* Windows 7 SP1
-* Windows Server 2008 R2
-* MacOS 10.13
-* MacOS 10.14
-
-[discrete]
-==== {filebeat} filesets are disabled by default
-Prior to version 8.0.0, modules had some filesets that were enabled by default.
-This meant that in some cases you could enable a module from the command line
-and run it without modifying the configuration in the `modules.d` directory.
-However this caused problems for some users.
-
-Starting in version 8.0.0, filesets are disabled by default. You must explicitly
-enable the filesets you want {filebeat} to use.
diff --git a/libbeat/docs/release-notes/breaking/breaking.asciidoc b/libbeat/docs/release-notes/breaking/breaking.asciidoc
deleted file mode 100644
index b66dc6008c7b..000000000000
--- a/libbeat/docs/release-notes/breaking/breaking.asciidoc
+++ /dev/null
@@ -1,18 +0,0 @@
-:see-relnotes: See the <<release-notes,release notes>> for a complete list of breaking changes, including changes to beta or experimental functionality.
-
-[[breaking-changes]]
-== Breaking changes
-
-As a general rule, we strive to keep backwards compatibility between minor
-versions (e.g.  8.x to 8.y) so you can upgrade without any configuration file
-changes, but there are breaking changes between major versions (e.g. 7.x to
-8.y). Migrating directly between non consecutive major versions (e.g. 6.x to
-8.x) is not recommended.
-
-See the following topics for a description of breaking changes between major versions:
-
-* <<breaking-changes-8.0>>
-
-For breaking changes between minor versions, see the <<release-notes,release notes>>.
-
-include::breaking-8.0.asciidoc[]
diff --git a/libbeat/docs/release-notes/redirects.asciidoc b/libbeat/docs/release-notes/redirects.asciidoc
deleted file mode 100644
index cd6585651cea..000000000000
--- a/libbeat/docs/release-notes/redirects.asciidoc
+++ /dev/null
@@ -1,35 +0,0 @@
-[role="exclude",id="whats-new"]
-== What's new in {beats} {minor-version}
-
-This page has moved. Please see {observability-guide}/whats-new.html[What's new
-in Observability {minor-version}].
-
-[role="exclude",id="breaking-changes-8.5"]
-== Breaking changes in 8.5
-
-This page no longer exists.
-There are no notable breaking changes for 8.5.
-
-[role="exclude",id="breaking-changes-8.4"]
-== Breaking changes in 8.4
-
-This page no longer exists.
-There are no notable breaking changes for 8.4.
-
-[role="exclude",id="breaking-changes-8.3"]
-== Breaking changes in 8.3
-
-This page no longer exists.
-There are no notable breaking changes for 8.3.
-
-[role="exclude",id="breaking-changes-8.2"]
-== Breaking changes in 8.2
-
-This page no longer exists.
-There are no notable breaking changes for 8.2.
-
-[role="exclude",id="breaking-changes-8.1"]
-== Breaking changes in 8.1
-
-This page no longer exists.
-There are no notable breaking changes for 8.1.
diff --git a/libbeat/docs/repositories.asciidoc b/libbeat/docs/repositories.asciidoc
deleted file mode 100644
index 848cfafea451..000000000000
--- a/libbeat/docs/repositories.asciidoc
+++ /dev/null
@@ -1,239 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/setup-repositories.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-[[setup-repositories]]
-=== Repositories for APT and YUM
-
-We have repositories available for APT and YUM-based distributions. Note that we
-provide binary packages, but no source packages.
-
-We use the PGP key https://pgp.mit.edu/pks/lookup?op=vindex&search=0xD27D666CD88E42B4[D88E42B4],
-Elasticsearch Signing Key, with fingerprint
-
-    4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4
-
-to sign all our packages. It is available from https://pgp.mit.edu.
-
-[float]
-==== APT
-
-ifeval::["{release-state}"=="unreleased"]
-
-Version {version} of {repo} has not yet been released.
-
-endif::[]
-
-ifeval::["{release-state}"!="unreleased"]
-
-To add the {repo} repository for APT:
-
-. Download and install the Public Signing Key:
-+
-[source,sh]
---------------------------------------------------
-wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
---------------------------------------------------
-
-. You may need to install the `apt-transport-https` package on Debian before proceeding:
-+
-[source,sh]
---------------------------------------------------
-sudo apt-get install apt-transport-https
---------------------------------------------------
-
-ifeval::["{release-state}"=="prerelease"]
-. Save the repository definition to  +/etc/apt/sources.list.d/elastic-{major-version}-prerelease.list+:
-+
-["source","sh",subs="attributes"]
---------------------------------------------------
-echo "deb https://artifacts.elastic.co/packages/{major-version}-prerelease/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-{major-version}-prerelease.list
---------------------------------------------------
-+
-endif::[]
-ifeval::["{release-state}"=="released"]
-. Save the repository definition to  +/etc/apt/sources.list.d/elastic-{major-version}.list+:
-+
-["source","sh",subs="attributes"]
---------------------------------------------------
-echo "deb https://artifacts.elastic.co/packages/{major-version}/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-{major-version}.list
---------------------------------------------------
-+
-endif::[]
-[NOTE]
-==================================================
-
-The package is free to use under the Elastic license. An alternative package
-which contains only features that are available under the Apache 2.0 license is
-also available. To install it, use the following sources list:
-
-ifeval::["{release-state}"=="prerelease"]
-
-["source","sh",subs="attributes"]
---------------------------------------------------
-echo "deb https://artifacts.elastic.co/packages/oss-{major-version}-prerelease/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-{major-version}-prerelease.list
---------------------------------------------------
-
-endif::[]
-
-ifeval::["{release-state}"!="prerelease"]
-
-["source","sh",subs="attributes"]
---------------------------------------------------
-echo "deb https://artifacts.elastic.co/packages/oss-{major-version}/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-{major-version}.list
---------------------------------------------------
-
-endif::[]
-
-==================================================
-+
-[WARNING]
-==================================================
-To add the Elastic repository, make sure that you use the `echo` method  shown
-in the example. Do not use `add-apt-repository` because it will add a `deb-src`
-entry, but we do not provide a source package.
-
-If you have added the `deb-src` entry by mistake, you will see an error like
-the following:
-
-    Unable to find expected entry 'main/source/Sources' in Release file (Wrong sources.list entry or malformed file)
-
-Simply delete the `deb-src` entry from the `/etc/apt/sources.list` file, and the installation should work as expected.
-==================================================
-
-. Run `apt-get update`, and the repository is ready for use. For example, you can
-install {beatname_uc} by running:
-+
-["source","sh",subs="attributes"]
---------------------------------------------------
-sudo apt-get update && sudo apt-get install {beatname_pkg}
---------------------------------------------------
-
-. To configure {beatname_uc} to start automatically during boot, run:
-+
-["source","sh",subs="attributes"]
---------------------------------------------------
-sudo systemctl enable {beatname_pkg}
---------------------------------------------------
-ifndef::apm-server[]
-+
-If your system does not use `systemd` then run:
-+
-["source","sh",subs="attributes"]
---------------------------------------------------
-sudo update-rc.d {beatname_pkg} defaults 95 10
---------------------------------------------------
-endif::[]
-
-endif::[]
-
-[float]
-==== YUM
-
-ifeval::["{release-state}"=="unreleased"]
-
-Version {version} of {repo} has not yet been released.
-
-endif::[]
-
-ifeval::["{release-state}"!="unreleased"]
-
-To add the {repo} repository for YUM:
-
-. Download and install the public signing key:
-+
-[source,sh]
---------------------------------------------------
-sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
---------------------------------------------------
-
-. Create a file with a `.repo` extension (for example, `elastic.repo`) in
-your `/etc/yum.repos.d/` directory and add the following lines:
-+
-ifeval::["{release-state}"=="prerelease"]
-["source","sh",subs="attributes"]
---------------------------------------------------
-[elastic-{major-version}-prerelease]
-name=Elastic repository for {major-version} prerelease packages
-baseurl=https://artifacts.elastic.co/packages/{major-version}-prerelease/yum
-gpgcheck=1
-gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
-enabled=1
-autorefresh=1
-type=rpm-md
---------------------------------------------------
-endif::[]
-ifeval::["{release-state}"=="released"]
-["source","sh",subs="attributes"]
---------------------------------------------------
-[elastic-{major-version}]
-name=Elastic repository for {major-version} packages
-baseurl=https://artifacts.elastic.co/packages/{major-version}/yum
-gpgcheck=1
-gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
-enabled=1
-autorefresh=1
-type=rpm-md
---------------------------------------------------
-endif::[]
-+
-[NOTE]
-==================================================
-
-The package is free to use under the Elastic license. An alternative package
-which contains only features that are available under the Apache 2.0 license is
-also available. To install it, use the following `baseurl` in your
-`.repo` file:
-
-ifeval::["{release-state}"=="prerelease"]
-
-["source","sh",subs="attributes"]
---------------------------------------------------
-baseurl=https://artifacts.elastic.co/packages/oss-{major-version}-prerelease/yum
---------------------------------------------------
-
-endif::[]
-
-ifeval::["{release-state}"!="prerelease"]
-
-["source","sh",subs="attributes"]
---------------------------------------------------
-baseurl=https://artifacts.elastic.co/packages/oss-{major-version}/yum
---------------------------------------------------
-
-endif::[]
-
-==================================================
-+
-Your repository is ready to use. For example, you can install {beatname_uc} by
-running:
-+
-["source","sh",subs="attributes"]
---------------------------------------------------
-sudo yum install {beatname_pkg}
---------------------------------------------------
-
-. To configure {beatname_uc} to start automatically during boot, run:
-+
-["source","sh",subs="attributes"]
---------------------------------------------------
-sudo systemctl enable {beatname_pkg}
---------------------------------------------------
-ifndef::apm-server[]
-+
-If your system does not use `systemd` then run:
-+
-["source","sh",subs="attributes"]
---------------------------------------------------
-sudo chkconfig --add {beatname_pkg}
---------------------------------------------------
-endif::[]
-
-endif::[]
diff --git a/libbeat/docs/security/api-keys.asciidoc b/libbeat/docs/security/api-keys.asciidoc
deleted file mode 100644
index db068f087828..000000000000
--- a/libbeat/docs/security/api-keys.asciidoc
+++ /dev/null
@@ -1,127 +0,0 @@
-[role="xpack"]
-[[beats-api-keys]]
-== Grant access using API keys
-
-Instead of using usernames and passwords, you can use API keys to grant
-access to {es} resources. You can set API keys to expire at a certain time,
-and you can explicitly invalidate them. Any user with the `manage_api_key`
-or `manage_own_api_key` cluster privilege can create API keys.
-
-{beatname_uc} instances typically send both collected data and monitoring
-information to {es}. If you are sending both to the same cluster, you can use the same
-API key. For different clusters, you need to use an API key per cluster.
-
-NOTE: For security reasons, we recommend using a unique API key per {beatname_uc} instance.
-You can create as many API keys per user as necessary.
-
-IMPORTANT: Review <<feature-roles>> before creating API keys for {beatname_uc}.
-
-[float]
-[[beats-api-key-publish]]
-=== Create an API key for publishing
-To create an API key to use for writing data to {es}, use the
-{ref}/security-api-create-api-key.html[Create API key API], for example:
-
-[source,console,subs="attributes,callouts"]
-------------------------------------------------------------
-POST /_security/api_key
-{
-  "name": "{beat_default_index_prefix}_host001", <1>
-  "role_descriptors": {
-    "{beat_default_index_prefix}_writer": { <2>
-      "cluster": ["monitor", "read_ilm", "read_pipeline"],
-      "index": [
-        {
-          "names": ["{beat_default_index_prefix}-*"],
-          "privileges": ["view_index_metadata", "create_doc", "auto_configure"]
-        }
-      ]
-    }
-  }
-}
-------------------------------------------------------------
-<1> Name of the API key
-<2> Granted privileges, see <<feature-roles>>
-
-NOTE: See <<privileges-to-publish-events>> for the list of privileges required to publish events.
-
-The return value will look something like this:
-
-[source,console-result,subs="attributes,callouts"]
---------------------------------------------------
-{
-  "id":"TiNAGG4BaaMdaH1tRfuU", <1>
-  "name":"{beat_default_index_prefix}_host001",
-  "api_key":"KnR6yE41RrSowb0kQ0HWoA" <2>
-}
---------------------------------------------------
-<1> Unique id for this API key
-<2> Generated API key
-
-You can now use this API key in your +{beatname_lc}.yml+ configuration file like this:
-["source","yaml"]
---------------------
-output.elasticsearch:
-  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA <1>
---------------------
-<1> Format is `id:api_key` (as returned by {ref}/security-api-create-api-key.html[Create API key])
-
-[float]
-[[beats-api-key-monitor]]
-=== Create an API key for monitoring
-To create an API key to use for sending monitoring data to {es}, use the
-{ref}/security-api-create-api-key.html[Create API key API], for example:
-
-[source,console,subs="attributes,callouts"]
-------------------------------------------------------------
-POST /_security/api_key
-{
-  "name": "{beat_default_index_prefix}_host001", <1>
-  "role_descriptors": {
-    "{beat_default_index_prefix}_monitoring": { <2>
-      "cluster": ["monitor"],
-      "index": [
-        {
-          "names": [".monitoring-beats-*"],
-          "privileges": ["create_index", "create"]
-        }
-      ]
-    }
-  }
-}
-------------------------------------------------------------
-<1> Name of the API key
-<2> Granted privileges, see <<feature-roles>>
-
-NOTE: See <<privileges-to-publish-monitoring>> for the list of privileges required to send monitoring data.
-
-The return value will look something like this:
-
-[source,console-result,subs="attributes,callouts"]
---------------------------------------------------
-{
-  "id":"TiNAGG4BaaMdaH1tRfuU", <1>
-  "name":"{beat_default_index_prefix}_host001",
-  "api_key":"KnR6yE41RrSowb0kQ0HWoA" <2>
-}
---------------------------------------------------
-<1> Unique id for this API key
-<2> Generated API key
-
-You can now use this API key in your +{beatname_lc}.yml+ configuration file like this:
-["source","yml",subs="attributes"]
---------------------
-monitoring.elasticsearch:
-  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA <1>
---------------------
-<1> Format is `id:api_key` (as returned by {ref}/security-api-create-api-key.html[Create API key])
-
-[[learn-more-api-keys]]
-[float]
-=== Learn more about API keys
-
-See the {es} API key documentation for more information:
-
-* {ref}/security-api-create-api-key.html[Create API key]
-* {ref}/security-api-get-api-key.html[Get API key information]
-* {ref}/security-api-invalidate-api-key.html[Invalidate API key]
diff --git a/libbeat/docs/security/linux-seccomp.asciidoc b/libbeat/docs/security/linux-seccomp.asciidoc
deleted file mode 100644
index 353580a728ed..000000000000
--- a/libbeat/docs/security/linux-seccomp.asciidoc
+++ /dev/null
@@ -1,93 +0,0 @@
-[[linux-seccomp]]
-== Use Linux Secure Computing Mode (seccomp)
-
-beta[]
-
-On Linux 3.17 and later, {beatname_uc} can take advantage of secure computing
-mode, also known as seccomp. Seccomp restricts the system calls that a process
-can issue. Specifically {beatname_uc} can load a seccomp BPF filter at process
-start-up that drops the privileges to invoke specific system calls. Once a
-filter is loaded by the process it cannot be removed.
-
-The kernel exposes a large number of system calls that are not used by
-{beatname_uc}. By installing a seccomp filter, you can limit the total kernel
-surface exposed to {beatname_uc} (principle of least privilege). This minimizes
-the impact of unknown vulnerabilities that might be found in the process.
-
-The filter is expressed as a Berkeley Packet Filter (BPF) program. The BPF
-program is generated based on a policy defined by {beatname_uc}. The policy
-can be customized through configuration as well.
-
-A seccomp policy is architecture specific due to the fact that system calls vary
-by architecture. {beatname_uc} includes a whitelist seccomp policy for the
-amd64 and 386 architectures. You can view those policies
-https://github.com/elastic/beats/tree/{branch}/libbeat/common/seccomp[here].
-
-[float]
-[[seccomp-policy-config]]
-=== Seccomp Policy Configuration
-
-The seccomp policy can be customized through the configuration policy. This is
-an example blacklist policy that prohibits `execve`, `execveat`, `fork`, and
-`vfork` syscalls.
-
-[source,yaml]
-----
-seccomp:
-  default_action: allow <1>
-  syscalls:
-  - action: errno <2>
-    names: <3>
-    - execve
-    - execveat
-    - fork
-    - vfork
-----
-<1> If the system call being invoked by the process does not match one of the
-names below then it will be allowed.
-<2> If the system call being invoked matches one of the names below then an
-error will be returned to caller. This is known as a blacklist policy.
-<3> These are system calls being prohibited.
-
-These are the configuration options for a seccomp policy.
-
-*`enabled`*:: On Linux, this option is enabled by default. To disable seccomp
-filter loading, set this option to `false`.
-
-*`default_action`*:: The default action to take when none of the defined system
-calls match. See <<seccomp-policy-config-action,action>> for the full list of
-values. This is required.
-
-*`syscalls`*:: Each object in this list must contain an `action` and a list of
-system call `names`. The list must contain at least one item.
-
-*`names`*:: A list of system call names. The system call name must exist for
-the runtime architecture, otherwise an error will be logged and the filter will
-not be installed. At least one system call must be defined.
-
-[[seccomp-policy-config-action]]
-*`action`*:: The action to take when any of the system calls listed in `names`
-is executed. This is required. These are the available action values. The
-actions that are available depend on the kernel version.
-
-- `errno` - The system call will return `EPERM` (permission denied) to the
-  caller.
-- `trace` - The kernel will notify a `ptrace` tracer. If no tracer is present
-  then the system call fails with `ENOSYS` (function not implemented).
-- `trap` - The kernel will send a `SIGSYS` signal to the calling thread and not
-  execute the system call. The Go runtime will exit.
-- `kill_thread` - The kernel will immediately terminate the thread. Other
-  threads will continue to execute.
-- `kill_process` - The kernel will terminate the process. Available in Linux
-  4.14 and later.
-- `log` - The kernel will log the system call before executing it. Available in
-  Linux 4.14 and later. (This does not go to the Beat's log.)
-- `allow` - The kernel will allow the system call to execute.
-
-[float]
-=== Auditbeat Reports Seccomp Violations
-
-You can use Auditbeat to report any seccomp violations that occur on the system.
-The kernel generates an event for each violation and Auditbeat reports the
-event. The `event.action` value will be `violated-seccomp-policy` and the event
-will contain information about the process and system call.
diff --git a/libbeat/docs/security/users.asciidoc b/libbeat/docs/security/users.asciidoc
deleted file mode 100644
index 846e8bc5937c..000000000000
--- a/libbeat/docs/security/users.asciidoc
+++ /dev/null
@@ -1,363 +0,0 @@
-[role="xpack"]
-[[feature-roles]]
-== Grant users access to secured resources
-
-You can use role-based access control to grant users access to secured
-resources. The roles that you set up depend on your organization's security
-requirements and the minimum privileges required to use specific features.
-
-Typically you need the create the following separate roles:
-
-* <<privileges-to-setup-beats,setup role>> for setting up index templates and
-other dependencies
-* <<privileges-to-publish-monitoring,monitoring role>> for sending monitoring
-information
-* <<privileges-to-publish-events,writer role>>  for publishing events collected
-by {beatname_uc}
-* <<kibana-user-privileges,reader role>> for {kib} users who need to view and
-create visualizations that access {beatname_uc} data
-
-
-{es-security-features} provides {ref}/built-in-roles.html[built-in roles] that grant a
-subset of the privileges needed by {beatname_uc} users. When possible, use the
-built-in roles to minimize the affect of future changes on your security
-strategy.
-
-Instead of using usernames and passwords, roles and privileges can be assigned to
-API keys to grant access to Elasticsearch resources. See <<beats-api-keys>> for
-more information.
-
-[[privileges-to-setup-beats]]
-=== Grant privileges and roles needed for setup
-
-++++
-<titleabbrev>Create a _setup_ user</titleabbrev>
-++++
-
-IMPORTANT: Setting up {beatname_uc} is an admin-level task that requires extra
-privileges. As a best practice, grant the setup role to administrators only, and
-use a more restrictive role for event publishing.
-
-Administrators who set up {beatname_uc} typically need to load mappings,
-dashboards, and other objects used to index data into {es} and visualize it in
-{kib}.
-
-To grant users the required privileges:
-
-. Create a *setup role*, called something like +{beat_default_index_prefix}_setup+, that has
-the following privileges:
-+
-[options="header"]
-|====
-|Type | Privilege | Purpose
-
-|Cluster
-|`monitor`
-|Retrieve cluster details (e.g. version)
-
-ifndef::no_ilm[]
-|Cluster
-|`manage_ilm`
-|Set up and manage index lifecycle management (ILM) policy
-endif::no_ilm[]
-
-|Index
-|`manage` on +{beat_default_index_prefix}-*+ indices
-|Load data stream
-
-|====
-+
-Omit any privileges that aren't relevant in your environment.
-+
-NOTE: These instructions assume that you are using the default name for
-{beatname_uc} indices. If +{beat_default_index_prefix}-*+ is not listed, or you are using a custom name, enter it manually and modify the privileges to
-match your index naming pattern.
-
-. Assign the *setup role*, along with the following built-in roles, to users who
-need to set up {beatname_uc}:
-+
-[options="header"]
-|====
-|Role | Purpose
-
-|`kibana_admin`
-|Load dependencies, such as example dashboards, if available, into {kib}
-
-|`ingest_admin`
-|Set up index templates and, if available, ingest pipelines
-
-ifdef::apm-server[]
-|`ingest_admin`
-|Set up ingest pipelines
-endif::apm-server[]
-
-|====
-+
-Omit any roles that aren't relevant in your environment.
-
-[[privileges-to-publish-monitoring]]
-=== Grant privileges and roles needed for monitoring
-
-++++
-<titleabbrev>Create a _monitoring_ user</titleabbrev>
-++++
-
-{es-security-features} provides built-in users and roles for monitoring. The privileges and
-roles needed depend on the method used to collect monitoring data.
-
-[IMPORTANT]
-.Important note for {ecloud} users
-====
-Built-in users are not available when running our
-https://www.elastic.co/cloud/elasticsearch-service[hosted {ess}]
-on {ecloud}. To send monitoring data securely, create a monitoring user and
-grant it the roles described in the following sections.
-====
-
-* If you're using <<monitoring-internal-collection,internal collection>> to
-collect metrics about {beatname_uc}, {es-security-features} provides
-the +{beat_monitoring_user}+ {ref}/built-in-users.html[built-in user] and
-+{beat_monitoring_user}+ {ref}/built-in-roles.html[built-in role] to send
-monitoring information. You can use the built-in user, if it's available in your
-environment, or create a user who has the privileges needed to send monitoring
-information.
-+
-If you use the +{beat_monitoring_user}+ user, make sure you set the password.
-+
-If you don't use the +{beat_monitoring_user}+ user:
-+
---
-. Create a *monitoring role*, called something like
-+{beat_default_index_prefix}_monitoring+, that has the following privileges:
-+
-[options="header"]
-|====
-|Type | Privilege | Purpose
-
-|Cluster
-|`monitor`
-|Retrieve cluster details (e.g. version)
-
-|Index
-|`create_index` on `.monitoring-beats-*` indices
-|Create monitoring indices in {es}
-
-|Index
-|`create_doc` on `.monitoring-beats-*` indices
-|Write monitoring events into {es}
-|====
-
-. Assign the *monitoring role*, along with the following built-in roles, to
-users who need to monitor {beatname_uc}:
-+
-[options="header"]
-|====
-|Role | Purpose
-
-|`kibana_admin`
-|Use {kib}
-
-|`monitoring_user`
-|Use *Stack Monitoring* in {kib} to monitor {beatname_uc}
-|====
---
-
-ifndef::serverless[]
-
-* If you're <<monitoring-metricbeat-collection,using {metricbeat}>> to collect
-metrics about {beatname_uc}, {es-security-features} provides the `remote_monitoring_user`
-{ref}/built-in-users.html[built-in user], and the `remote_monitoring_collector`
-and `remote_monitoring_agent` {ref}/built-in-roles.html[built-in roles] for
-collecting and sending monitoring information. You can use the built-in user, if
-it's available in your environment, or create a user who has the privileges
-needed to collect and send monitoring information.
-+
-If you use the `remote_monitoring_user` user, make sure you set the password.
-+
-If you don't use the `remote_monitoring_user` user:
-+
---
-. Create a user on the production cluster who will collect and send monitoring
-information.
-
-. Assign the following roles to the user:
-+
-[options="header"]
-|====
-|Role | Purpose
-
-|`remote_monitoring_collector`
-|Collect monitoring metrics from {beatname_uc}
-
-|`remote_monitoring_agent`
-|Send monitoring data to the monitoring cluster
-|====
-
-. Assign the following role to users who will view the monitoring data in
-{kib}:
-+
-[options="header"]
-|====
-|Role | Purpose
-
-|`monitoring_user`
-|Use *Stack Monitoring* in {kib} to monitor {beatname_uc}
-|====
---
-endif::serverless[]
-
-[[privileges-to-publish-events]]
-=== Grant privileges and roles needed for publishing
-
-++++
-<titleabbrev>Create a _publishing_ user</titleabbrev>
-++++
-
-Users who publish events to {es} need to create and write to {beatname_uc}
-indices. To minimize the privileges required by the writer role, use the
-<<privileges-to-setup-beats,setup role>> to pre-load dependencies. This section
-assumes that you've run the setup.
-
-ifndef::no_ilm[]
-When using ILM, turn off the ILM setup check in the {beatname_uc} config file before
-running {beatname_uc} to publish events:
-
-[source,yaml]
-----
-setup.ilm.check_exists: false
-----
-endif::no_ilm[]
-
-To grant the required privileges:
-
-. Create a *writer role*, called something like +{beat_default_index_prefix}_writer+,
-that has the following privileges:
-+
-NOTE: The `monitor` cluster privilege and the `create_doc` and `auto_configure`
-privileges on +{beat_default_index_prefix}-*+ indices are required in every
-configuration.
-+
-[options="header"]
-|====
-|Type | Privilege | Purpose
-
-ifndef::apm-server[]
-|Cluster
-|`monitor`
-|Retrieve cluster details (e.g. version)
-endif::apm-server[]
-
-ifndef::no_ilm[]
-|Cluster
-|`read_ilm`
-| Read the ILM policy when connecting to clusters that support ILM.
-Not needed when `setup.ilm.check_exists` is `false`.
-endif::no_ilm[]
-
-ifeval::["{beatname_lc}"=="filebeat"]
-|Cluster
-|`read_pipeline`
-|Check for ingest pipelines used by modules. Needed when using modules.
-endif::[]
-
-ifeval::["{beatname_lc}"=="winlogbeat"]
-|Cluster
-|`read_pipeline`
-|Check for ingest pipelines used by {beatname_uc}.
-endif::[]
-
-|Index
-|`create_doc` on +{beat_default_index_prefix}-*+ indices
-|Write events into {es}
-
-|Index
-|`auto_configure` on +{beat_default_index_prefix}-*+ indices
-|Update the datastream mapping. Consider either disabling entirely or adding the
-rule `-{beat_default_index_prefix}-*` to the cluster settings
-https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html#index-creation[action.auto_create_index]
-to prevent unwanted indices creations from the agents.
-|====
-
-ifndef::apm-server[]
-+
-Omit any privileges that aren't relevant in your environment.
-endif::apm-server[]
-
-. Assign the *writer role* to users who will index events into {es}.
-
-[[kibana-user-privileges]]
-=== Grant privileges and roles needed to read {beatname_uc} data from {kib}
-
-++++
-<titleabbrev>Create a _reader_ user</titleabbrev>
-++++
-
-{kib} users typically need to view dashboards and visualizations that contain
-{beatname_uc} data. These users might also need to create and edit dashboards
-and visualizations.
-
-To grant users the required privileges:
-
-ifndef::apm-server[]
-. Create a *reader role*, called something like +{beat_default_index_prefix}_reader+, that has
-the following privilege:
-+
-[options="header"]
-|====
-|Type | Privilege | Purpose
-
-|Index
-|`read` on +{beat_default_index_prefix}-*+ indices
-|Read data indexed by {beatname_uc}
-
-| Spaces
-| `Read` or `All` on Dashboards, Visualize, and Discover
-| Allow the user to view, edit, and create dashboards, as well as browse data.
-
-ifdef::beat_kib_app[]
-| Spaces
-| `Read` or `All` on {beat_kib_app}
-| Allow the use of {beat_kib_app}
-endif::[]
-|====
-
-. Assign the *reader role*, along with the following built-in roles, to
-users who need to read {beatname_uc} data:
-+
-[options="header"]
-|====
-|Role | Purpose
-
-| `monitoring_user`
-| Allow users to monitor the health of {beatname_uc} itself. Only assign this role to users who manage {beatname_uc}.
-
-|====
-endif::apm-server[]
-
-ifdef::apm-server[]
-. Assign the following built-in roles to users who need to read {beatname_uc}
-data:
-+
-[options="header"]
-|====
-|Role | Purpose
-
-|`kibana_user` and `apm_user`
-|Use the APM UI
-
-|`admin`
-|Read and update APM Agent configuration via {kib}
-|====
-endif::apm-server[]
-
-// to do: THIS SHOULD GO IN ITS OWN FILE
-[[learn-more-security]]
-=== Learn more about privileges, roles, and users
-
-Want to learn more about creating users and roles? See
-{ref}/secure-cluster.html[Secure a cluster]. Also see:
-
-* {ref}/security-privileges.html[Security privileges] for a description of
-available privileges
-* {ref}/built-in-roles.html[Built-in roles] for a description of roles that
-you can assign to users
diff --git a/libbeat/docs/setup-config.asciidoc b/libbeat/docs/setup-config.asciidoc
deleted file mode 100644
index ce58296afc60..000000000000
--- a/libbeat/docs/setup-config.asciidoc
+++ /dev/null
@@ -1,9 +0,0 @@
-
-include::./template-config.asciidoc[]
-
-ifndef::no_dashboards[]
-include::./shared-kibana-config.asciidoc[]
-
-include::./dashboardsconfig.asciidoc[]
-endif::no_dashboards[]
-
diff --git a/libbeat/docs/shared-autodiscover.asciidoc b/libbeat/docs/shared-autodiscover.asciidoc
deleted file mode 100644
index 83d44b498ac2..000000000000
--- a/libbeat/docs/shared-autodiscover.asciidoc
+++ /dev/null
@@ -1,746 +0,0 @@
-[[configuration-autodiscover]]
-== Autodiscover
-
-When you run applications on containers, they become moving targets to the monitoring system. Autodiscover
-allows you to track them and adapt settings as changes happen. By defining configuration templates, the
-autodiscover subsystem can monitor services as they start running.
-
-You define autodiscover settings in the  +{beatname_lc}.autodiscover+ section of the +{beatname_lc}.yml+
-config file. To enable autodiscover, you specify a list of providers.
-
-[float]
-=== Providers
-
-Autodiscover providers work by watching for events on the system and translating those events into internal autodiscover
-events with a common format. When you configure the provider, you can optionally use fields from the autodiscover event
-to set conditions that, when met, launch specific configurations.
-
-On start, {beatname_uc} will scan existing containers and launch the proper configs for them. Then it will watch for new
-start/stop events. This ensures you don't need to worry about state, but only define your desired configs.
-
-[float]
-===== Docker
-
-The Docker autodiscover provider watches for Docker containers to start and stop.
-
-It has the following settings:
-
-`host`:: (Optional) Docker socket (UNIX or TCP socket). It uses
-`unix:///var/run/docker.sock` by default.
-`ssl`:: (Optional) SSL configuration to use when connecting to the Docker
-socket.
-`cleanup_timeout`:: (Optional) Specify the time of inactivity before stopping the
-running configuration for a container,
-ifeval::["{beatname_lc}"=="filebeat"]
- 60s by default.
-endif::[]
-ifeval::["{beatname_lc}"!="filebeat"]
- disabled by default.
-endif::[]
-`labels.dedot`:: (Optional) Default to be false. If set to true, replace dots in
- labels with `_`.
-
-
-These are the fields available within config templating. The `docker.*` fields will be available on each emitted event.
-event:
-
-  * host
-  * port
-  * docker.container.id
-  * docker.container.image
-  * docker.container.name
-  * docker.container.labels
-
-
-For example:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-{
-  "host": "10.4.15.9",
-  "port": 6379,
-  "docker": {
-    "container": {
-      "id": "382184ecdb385cfd5d1f1a65f78911054c8511ae009635300ac28b4fc357ce51"
-      "name": "redis",
-      "image": "redis:3.2.11",
-      "labels": {
-        "io.kubernetes.pod.namespace": "default"
-        ...
-      }
-    }
-  }
-}
--------------------------------------------------------------------------------------
-
-You can define a set of configuration templates to be applied when the condition matches an event. Templates define
-a condition to match on autodiscover events, together with the list of configurations to launch when this condition
-happens.
-
-Conditions match events from the provider. Providers use the same format for <<conditions>> that
-processors use.
-
-Configuration templates can contain variables from the autodiscover event. They can be accessed under the `data` namespace.
-For example, with the example event, "`${data.port}`" resolves to `6379`.
-
-include::../../{beatname_lc}/docs/autodiscover-docker-config.asciidoc[]
-
-
-ifeval::["{beatname_lc}"=="filebeat"]
-[WARNING]
-=======================================
-When using autodiscover, you have to be careful when defining config templates, especially if they are
-reading from places holding information for several containers. For instance, under this file structure:
-
-`/mnt/logs/<container_id>/*.log`
-
-You can define a config template like this:
-
-**Wrong settings**:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-autodiscover.providers:
-  - type: docker
-    templates:
-      - condition.contains:
-          docker.container.image: nginx
-        config:
-          - type: log
-            paths:
-              - "/mnt/logs/*/*.log"
--------------------------------------------------------------------------------------
-
-That would read all the files under the given path several times (one per nginx container). What you really
-want is to scope your template to the container that matched the autodiscover condition. Good settings:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-autodiscover.providers:
-  - type: docker
-    templates:
-      - condition.contains:
-          docker.container.image: nginx
-        config:
-          - type: log
-            paths:
-              - "/mnt/logs/${data.docker.container.id}/*.log"
--------------------------------------------------------------------------------------
-=======================================
-endif::[]
-
-
-[float]
-===== Kubernetes
-
-The Kubernetes autodiscover provider watches for Kubernetes nodes, pods, services to start, update, and stop.
-
-The `kubernetes` autodiscover provider has the following configuration settings:
-
-`node`:: (Optional) Specify the node to scope {beatname_lc} to in case it
-  cannot be accurately detected, as when running {beatname_lc} in host network
-  mode.
-`namespace`:: (Optional) Select the namespace from which to collect the events from the resources. If it is not set, the provider collects them from all namespaces. It is unset by default. The namespace configuration only applies to kubernetes resources that are namespace scoped and if `unique` field is set to `false`.
-`cleanup_timeout`:: (Optional) Specify the time of inactivity before stopping the
-running configuration for a container,
-ifeval::["{beatname_lc}"=="filebeat"]
- 60s by default.
-endif::[]
-ifeval::["{beatname_lc}"!="filebeat"]
- disabled by default.
-endif::[]
-`kube_config`:: (Optional) Use given config file as configuration for Kubernetes
-  client. If kube_config is not set, KUBECONFIG environment variable will be
-  checked and if not present it will fall back to InCluster.
-`kube_client_options`:: (Optional) Additional options can be configured for Kubernetes
-  client. Currently client QPS and burst are supported, if not set Kubernetes client's
-  https://pkg.go.dev/k8s.io/client-go/rest#pkg-constants[default QPS and burst] will be used.
-  Example:
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-      kube_client_options:
-        qps: 5
-        burst: 10
--------------------------------------------------------------------------------------
-
-`resource`:: (Optional) Select the resource to do discovery on. Currently supported
-  Kubernetes resources are `pod`, `service` and `node`. If not configured `resource`
-  defaults to `pod`.
-`scope`:: (Optional) Specify at what level autodiscover needs to be done at. `scope` can
-  either take `node` or `cluster` as values. `node` scope allows discovery of resources in
-  the specified node. `cluster` scope allows cluster wide discovery. Only `pod` and `node` resources
-  can be discovered at node scope.
-`add_resource_metadata`:: (Optional) Specify filters and configration for the extra metadata, that will be added to the event.
-Configuration parameters:
- * `node` or `namespace`: Specify labels and annotations filters for the extra metadata coming from node and namespace. By default all labels are included while annotations are not. To change default behaviour `include_labels`, `exclude_labels` and `include_annotations` can be defined. Those settings are useful when storing labels and annotations that require special handling to avoid overloading the storage output.
- Note: wildcards are not supported for those settings.
- The enrichment of `node` or `namespace` metadata can be individually disabled by setting `enabled: false`.
- * `deployment`: If resource is `pod` and it is created from a `deployment`, by default the deployment name isn't added, this can be enabled by setting `deployment: true`.
- * `cronjob`: If resource is `pod` and it is created from a `cronjob`, by default the cronjob name isn't added, this can be enabled by setting `cronjob: true`.
-+
-Example:
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-      add_resource_metadata:
-        namespace:
-          include_labels: ["namespacelabel1"]
-        node:
-          include_labels: ["nodelabel2"]
-          include_annotations: ["nodeannotation1"]
-        # deployment: false
-        # cronjob: false
--------------------------------------------------------------------------------------
-
-`unique`:: (Optional) Defaults to `false`. Marking an autodiscover provider as unique results into
-  making the provider to enable the provided templates only when it will gain the leader lease.
-  This setting can only be combined with `cluster` scope. When `unique` is enabled, `resource`
-  and `add_resource_metadata` settings are not taken into account.
-`leader_lease`:: (Optional) Defaults to +{beatname_lc}-cluster-leader+. This will be name of the lock lease.
-  One can monitor the status of the lease with `kubectl describe lease beats-cluster-leader`.
-  Different Beats that refer to the same leader lease will be competitors in holding the lease
-  and only one will be elected as leader each time.
-`leader_leaseduration`:: (Optional) Duration that non-leader candidates will wait to force acquire the lease leadership. Defaults to `15s`.
-`leader_renewdeadline`:: (Optional) Duration that the leader will retry refreshing its leadership before giving up. Defaults to `10s`.
-`leader_retryperiod`:: (Optional) Duration that the metricbeat instances running to acquire the lease should wait between tries of actions. Defaults to `2s`.
-
-Configuration templates can contain variables from the autodiscover event. These variables can be accessed under the `data`
-namespace, e.g. to access Pod IP: `${data.kubernetes.pod.ip}`.
-
-These are the fields available within config templating. The `kubernetes.*` fields will be available on each emitted event:
-
-[float]
-====== Generic fields:
-  * host
-
-[float]
-====== Pod specific:
-|===
-|Key |Type |Description
-
-|`port`
-|`string`
-|Pod port. If pod has multiple ports exposed should be used `ports.<port-name>` instead
-
-|`kubernetes.namespace`
-|`string`
-|Namespace, where the Pod is running
-
-|`kubernetes.namespace_uuid`
-|`string`
-|UUID of the Namespace, where the Pod is running
-
-|`kubernetes.namespace_annotations.*`
-|`object`
-|Annotations of the Namespace, where the Pod is running. Annotations should be used in not dedoted format, e.g. `kubernetes.namespace_annotations.app.kubernetes.io/name`
-
-|`kubernetes.pod.name`
-|`string`
-|Name of the Pod
-
-|`kubernetes.pod.uid`
-|`string`
-|UID of the Pod
-
-|`kubernetes.pod.ip`
-|`string`
-|IP of the Pod
-
-|`kubernetes.labels.*`
-|`object`
-|Object of the Pod labels. Labels should be used in not dedoted format, e.g. `kubernetes.labels.app.kubernetes.io/name`
-
-|`kubernetes.annotations.*`
-|`object`
-|Object of the Pod annotations. Annotations should be used in not dedoted format, e.g. `kubernetes.annotations.test.io/test`
-
-|`kubernetes.container.name`
-|`string`
-|Name of the container
-
-|`kubernetes.container.runtime`
-|`string`
-|Runtime of the container
-
-|`kubernetes.container.id`
-|`string`
-|ID of the container
-
-|`kubernetes.container.image`
-|`string`
-|Image of the container
-
-|`kubernetes.node.name`
-|`string`
-|Name of the Node
-
-|`kubernetes.node.uid`
-|`string`
-|UID of the Node
-
-|`kubernetes.node.hostname`
-|`string`
-|Hostname of the Node
-|===
-
-[float]
-====== Node specific:
-|===
-|Key |Type |Description
-
-|`kubernetes.labels.*`
-|`object`
-|Object of labels of the Node
-
-|`kubernetes.annotations.*`
-|`object`
-|Object of annotations of the Node
-
-|`kubernetes.node.name`
-|`string`
-|Name of the Node
-
-|`kubernetes.node.uid`
-|`string`
-|UID of the Node
-
-|`kubernetes.node.hostname`
-|`string`
-|Hostname of the Node
-|===
-
-[float]
-====== Service specific:
-|===
-|Key |Type |Description
-
-|`port`
-|`string`
-|Service port
-
-|`kubernetes.namespace`
-|`string`
-|Namespace of the Service
-
-|`kubernetes.namespace_uuid`
-|`string`
-|UUID of the Namespace of the Service
-
-|`kubernetes.namespace_annotations.*`
-|`object`
-|Annotations of the Namespace of the Service. Annotations should be used in not dedoted format, e.g. `kubernetes.namespace_annotations.app.kubernetes.io/name`
-
-|`kubernetes.labels.*`
-|`object`
-|Object of the Service labels
-
-|`kubernetes.annotations.*`
-|`object`
-|Object of the Service annotations
-
-|`kubernetes.service.name`
-|`string`
-|Name of the Service
-
-|`kubernetes.service.uid`
-|`string`
-|UID of the Service
-|===
-
-If the `include_annotations` config is added to the provider config, then the list of annotations present in the config
-are added to the event.
-
-If the `include_labels` config is added to the provider config, then the list of labels present in the config
-will be added to the event.
-
-If the `exclude_labels` config is added to the provider config, then the list of labels present in the config
-will be excluded from the event.
-
-if the `labels.dedot` config is set to be `true` in the provider config, then `.` in labels will be replaced with `_`.
-By default it is `true`.
-
-if the `annotations.dedot` config is set to be `true` in the provider config, then `.` in annotations will be replaced
-with `_`. By default it is `true`.
-
-NOTE: Starting from 8.6 release `kubernetes.labels.*` used in config templating are not dedoted regardless of `labels.dedot` value.
-This config parameter only affects the fields added in the final Elasticsearch document. For example, for a pod with label `app.kubernetes.io/name=ingress-nginx`
-the matching condition should be `condition.equals:
-kubernetes.labels.app.kubernetes.io/name: "ingress-nginx"`. If `labels.dedot` is set to `true`(default value)
-the label will be stored in Elasticsearch as `kubernetes.labels.app_kubernetes_io/name`. The same applies for kubernetes annotations.
-
-For example:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-{
-  "host": "172.17.0.21",
-  "port": 9090,
-  "kubernetes": {
-    "container": {
-      "id": "bb3a50625c01b16a88aa224779c39262a9ad14264c3034669a50cd9a90af1527",
-      "image": "prom/prometheus",
-      "name": "prometheus"
-    },
-    "labels": {
-      "project": "prometheus",
-      ...
-    },
-    "namespace": "default",
-    "node": {
-      "name": "minikube"
-    },
-    "pod": {
-      "name": "prometheus-2657348378-k1pnh"
-    }
-  },
-}
--------------------------------------------------------------------------------------
-
-ifeval::["{beatname_lc}"=="metricbeat"]
-Example:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-metricbeat.autodiscover:
-  providers:
-    - type: kubernetes
-      scope: cluster
-      node: ${NODE_NAME}
-      unique: true
-      identifier: leader-election-metricbeat
-      templates:
-        - config:
-            - module: kubernetes
-              hosts: ["kube-state-metrics:8080"]
-              period: 10s
-              add_metadata: true
-              metricsets:
-                - state_node
--------------------------------------------------------------------------------------
-
-The above configuration when deployed on one or more Metribceat instances will enable `state_node`
-metricset only for the Metricbeat instance that will gain the leader lease/lock. With this deployment
-strategy we can ensure that cluster-wide metricsets are only enabled by one Beat instance when
-deploying a Beat as DaemonSet.
-endif::[]
-
-include::../../{beatname_lc}/docs/autodiscover-kubernetes-config.asciidoc[]
-
-ifdef::autodiscoverJolokia[]
-[float]
-===== Jolokia
-
-The Jolokia autodiscover provider uses Jolokia Discovery to find agents running
-in your host or your network.
-
-The configuration of this provider consists in a set of network interfaces, as
-well as a set of templates as in other providers. The network interfaces will be
-the ones used for discovery probes, each item of `interfaces` has these settings:
-
-`name`:: the name of the interface (e.g. `br0`), it can contain a wildcard
-  as suffix to apply the same settings to multiple network interfaces of
-  the same type (e.g. `br*`).
-`interval`:: time between probes (defaults to 10s)
- `grace_period`:: time since the last reply to consider an instance stopped
-  (defaults to 30s)
-`probe_timeout`:: max time to wait for responses since a probe is sent
-  (defaults to 1s)
-
-Jolokia Discovery mechanism is supported by any Jolokia agent since version
-1.2.0, it is enabled by default when Jolokia is included in the application as
-a JVM agent, but disabled in other cases as the OSGI or WAR (Java EE) agents.
-In any case, this feature is controlled with two properties:
-
-  * `discoveryEnabled`, to enable the feature
-  * `discoveryAgentUrl`, if set, this is the URL announced by the agent when
-    being discovered, setting this parameter implicitly enables the feature
-
-There are multiple ways of setting these properties, and they can vary from
-application to application, please refer to the documentation of your
-application to find the more suitable way to set them in your case.
-
-Jolokia Discovery is based on UDP multicast requests. Agents join the multicast
-group 239.192.48.84, port 24884, and discovery is done by sending queries to
-this group. You have to take into account that UDP traffic between {beatname_uc}
-and the Jolokia agents has to be allowed. Also notice that this multicast
-address is in the 239.0.0.0/8 range, that is reserved for private use within an
-organization, so it can only be used in private networks.
-
-These are the available fields during within config templating. The `jolokia.*` fields will be available on each emitted event.
-
-  * jolokia.agent.id
-  * jolokia.agent.version
-  * jolokia.secured
-  * jolokia.server.product
-  * jolokia.server.vendor
-  * jolokia.server.version
-  * jolokia.url
-
-include::../../{beatname_lc}/docs/autodiscover-jolokia-config.asciidoc[]
-endif::autodiscoverJolokia[]
-
-ifdef::autodiscoverAWSELB[]
-[float]
-===== Amazon ELBs (Deprecated)
-
-*Note: This provider is now deprecated and will be removed in a future release.*
-
-The Amazon ELB autodiscover provider discovers https://aws.amazon.com/elasticloadbalancing/[ELBs] and their listeners. This is useful when you don't want to connect
-directly to a service, but rather to the ELB fronting a pool of services.
-
-This provider will yield one config block per ELB Listener. So, if you have one ELB exposing both ports 80 and 443, it
-will generate two configs, one for each port. Keep in mind that the beat will de-duplicate configs. So, if the generated
-configs are the same only one will actually run.
-
-This provider will load AWS credentials using the standard AWS environment variables and shared credentials files see https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html[Best Practices for Managing AWS Access Keys] for more information. If you do not wish to use these, you may explicitly set the `access_key_id` and `secret_access_key` variables.
-
-These are the available fields during within config templating. The `aws.elb.*` fields will be available on each emitted event.
-
-  * host
-  * port
-
-  * cloud.availability_zone
-  * cloud.provider
-  * cloud.region
-
-  * aws.elb.listener_arn
-  * aws.elb.load_balancer_arn
-  * aws.elb.protocol
-  * aws.elb.type
-  * aws.elb.scheme
-  * aws.elb.availability_zones
-  * aws.elb.created
-  * aws.elb.state.code
-  * aws.elb.state.reason
-  * aws.elb.ip_address_type
-  * aws.elb.security_groups
-  * aws.elb.vpc_id
-  * aws.elb.ssl_policy
-
-include::../../{beatname_lc}/docs/autodiscover-aws-elb-config.asciidoc[]
-
-This autodiscover provider takes our standard <<aws-credentials-config,AWS credentials options>>.
-
-[id="aws-credentials-config"]
-include::../../x-pack/libbeat/docs/aws-credentials-config.asciidoc[]
-
-endif::autodiscoverAWSELB[]
-
-ifdef::autodiscoverNomad[]
-[float]
-===== Nomad
-
-experimental[]
-
-The Nomad autodiscover provider watches for Nomad jobs to start, update, and stop.
-
-The `nomad` autodiscover provider has the following configuration settings:
-
-`address`:: (Optional) Specify the address of the Nomad agent. By default it will try to talk to a
-  Nomad agent running locally (`http://127.0.0.1:4646`).
-
-`region`:: (Optional) Region to use. If not provided, the default agent region is used.
-
-`namespace`:: (Optional) Namespace to use. If not provided the `default` namespace is used.
-
-`secret_id`:: (Optional) SecretID to use if ACL is enabled in Nomad. This is an
-example ACL policy to apply to the token.
-
-[source,hcl]
-----
-namespace "*" {
-  policy = "read"
-}
-node {
-  policy = "read"
-}
-agent {
-  policy = "read"
-}
-----
-
-`node`:: (Optional) Specify the node to scope {beatname_lc} to in case it
-  cannot be accurately detected when `node` scope is used.
-
-`scope`:: (Optional) Specify at what level autodiscover needs to be done at. `scope` can
-  either take `node` or `cluster` as values. `node` scope allows discovery of resources in
-  the specified node. `cluster` scope allows cluster wide discovery. Defaults to `node`.
-
-`wait_time`:: (Optional) Limits how long a Watch will block. If not specified (or set to `0`) the
-  default configuration from the agent will be used.
-
-`allow_stale`:: (Optional) allows any Nomad server (non-leader) to service a read. This normally
-  means that the local node where filebeat is allocated will service filebeat's requests.
-  Defaults to `true`.
-
-The configuration of templates and conditions is similar to that of the Docker provider.
-Configuration templates can contain variables from the autodiscover event. They can be accessed under
-`data` namespace.
-
-These are the available fields during config templating. The `nomad.*` fields will be available
-on each emitted event.
-
-* nomad.allocation.id
-* nomad.allocation.name
-* nomad.allocation.status
-* nomad.datacenter
-* nomad.job.name
-* nomad.job.type
-* nomad.namespace
-* nomad.region
-* nomad.task.name
-* nomad.task.service.canary_tags
-* nomad.task.service.name
-* nomad.task.service.tags
-
-If the `include_labels` config is added to the provider config, then the list of labels present in
-the config will be added to the event.
-
-If the `exclude_labels` config is added to the provider config, then the list of labels present in
-the config will be excluded from the event.
-
-if the `labels.dedot` config is set to be `true` in the provider config, then `.` in labels will be
-replaced with `_`.
-
-For example:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-{
-  ...
-  "region": "europe",
-  "allocation": {
-    "name": "coffeshop.api[0]",
-    "id": "35eba07f-e5e4-20ac-6def-85117bee6efb",
-    "status": "running"
-  },
-  "datacenters": [
-    "europe-west4"
-  ],
-  "namespace": "default",
-  "job": {
-    "type": "service",
-    "name": "coffeshop"
-  },
-  "task": {
-    "service": {
-      "name": [
-        "coffeshop"
-      ],
-      "tags": [
-        "coffeshop",
-        "nginx"
-      ],
-      "canary_tags": [
-        "coffeshop"
-      ]
-    },
-    "name": "api"
-  },
-  ...
-}
--------------------------------------------------------------------------------------
-
-include::../../{beatname_lc}/docs/autodiscover-nomad-config.asciidoc[]
-
-endif::autodiscoverNomad[]
-
-ifdef::autodiscoverAWSEC2[]
-[float]
-===== Amazon EC2s
-
-experimental[]
-
-The Amazon EC2 autodiscover provider discovers https://aws.amazon.com/ec2/[EC2 instances].
-This is useful for users to launch {beatname_uc} modules to monitor services running on AWS EC2 instances.
-
-ifeval::["{beatname_lc}"=="metricbeat"]
-For example, you can use this provider to gather MySQL metrics from MySQL
-servers running on EC2 instances that have a specific tag, `service: mysql`.
-endif::[]
-
-This provider will load AWS credentials using the standard AWS environment variables and shared credentials files
-see https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html[Best Practices for Managing AWS Access Keys]
-for more information. If you do not wish to use these, you may explicitly set the `access_key_id` and
-`secret_access_key` variables.
-
-These are the available fields during within config templating.
-The `aws.ec2.*` fields and `cloud.*` fields will be available on each emitted event.
-
-* cloud.availability_zone
-* cloud.instance.id
-* cloud.machine.type
-* cloud.provider
-* cloud.region
-
-* aws.ec2.architecture
-* aws.ec2.image.id
-* aws.ec2.kernel.id
-* aws.ec2.monitoring.state
-* aws.ec2.private.dns_name
-* aws.ec2.private.ip
-* aws.ec2.public.dns_name
-* aws.ec2.public.ip
-* aws.ec2.root_device_name
-* aws.ec2.state.code
-* aws.ec2.state.name
-* aws.ec2.subnet.id
-* aws.ec2.tags
-* aws.ec2.vpc.id
-
-include::../../{beatname_lc}/docs/autodiscover-aws-ec2-config.asciidoc[]
-
-This autodiscover provider takes our standard <<aws-credentials-config,AWS credentials options>>.
-
-endif::autodiscoverAWSEC2[]
-
-ifdef::autodiscoverHints[]
-[[configuration-autodiscover-hints]]
-=== Hints based autodiscover
-
-include::../../{beatname_lc}/docs/autodiscover-hints.asciidoc[]
-endif::autodiscoverHints[]
-
-[[configuration-autodiscover-advanced]]
-=== Advanced usage
-
-////
-Builders are not exposed in docs, as we only have `hints` builder by the moment,
-and that's covered in previous section
-
-[float]
-==== Builders
-Builders allow users to pass hints to autodiscover for it to be able to make decisions
-on how and what kind of configuration should be generated. Each Beat can define its own
-Builders that it can use. Hints are generated based on all information that is passed to
-the provider using a prefix "co.elastic.*". The Kubernetes provider uses annotations and
-the Docker provider uses labels to achieve the same.
-
-////
-
-[float]
-==== Appenders
-Appenders allow users to append configuration that is already built with the help of either templates
-or builders. Appenders can be configured to be applied only when a required condition is matched. The kind
-of configuration that is applied is specific to each appender.
-
-[float]
-===== Config
-The config appender can apply a config on top of the config that was generated by
-templates or builders. The config is applied whenever a provided condition is matched. It is always
-applied if there is no condition provided.
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-{beatname_lc}.autodiscover:
-  providers:
-    - type: kubernetes
-      templates:
-        ...
-      appenders:
-        - type: config
-          condition.equals:
-            kubernetes.namespace: "prometheus"
-          config:
-            fields:
-              type: monitoring
--------------------------------------------------------------------------------------
diff --git a/libbeat/docs/shared-beats-attributes.asciidoc b/libbeat/docs/shared-beats-attributes.asciidoc
deleted file mode 100644
index 6d523594ae78..000000000000
--- a/libbeat/docs/shared-beats-attributes.asciidoc
+++ /dev/null
@@ -1,22 +0,0 @@
-:beatsdevguide: http://www.elastic.co/guide/en/beats/devguide/{branch}
-:beats-ref-all: https://www.elastic.co/guide/en/beats/libbeat
-:dashboards: https://artifacts.elastic.co/downloads/beats/beats-dashboards/beats-dashboards-{version}.zip
-:dockerimage: docker.elastic.co/beats/{beatname_lc}:{version}
-:dockerimage-wolfi: docker.elastic.co/beats/{beatname_lc}-wolfi:{version}
-:dockerconfig: https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/docker/{beatname_lc}.docker.yml
-:downloads: https://artifacts.elastic.co/downloads/beats
-:libbeat-processors-dir: {beats-root}/libbeat/processors
-:x-libbeat-processors-dir: {beats-root}/x-pack/libbeat/processors
-:libbeat-outputs-dir: {beats-root}/libbeat/outputs
-:x-auditbeat-processors-dir: {beats-root}/x-pack/auditbeat/processors
-:x-filebeat-processors-dir: {beats-root}/x-pack/filebeat/processors
-:winlogbeat-processors-dir: {beats-root}/winlogbeat/processors
-
-:cm-ui: Central Management
-:libbeat-docs: Beats Platform Reference
-:beat_monitoring_user: beats_system
-:beat_monitoring_user_version: 6.3.0
-:beat_monitoring_version: 6.2
-:beat_version_key: agent.version
-:access_role: {beat_default_index_prefix}_reader
-:repo: Beats
diff --git a/libbeat/docs/shared-cloudfoundry.asciidoc b/libbeat/docs/shared-cloudfoundry.asciidoc
deleted file mode 100644
index ad75a2ba3106..000000000000
--- a/libbeat/docs/shared-cloudfoundry.asciidoc
+++ /dev/null
@@ -1,157 +0,0 @@
-[[running-on-cloudfoundry]]
-=== Run {beatname_uc} on Cloud Foundry
-
-ifeval::["{beatname_lc}"=="filebeat"]
-You can use {beatname_uc} on Cloud Foundry to retrieve and ship logs.
-endif::[]
-ifeval::["{beatname_lc}"=="metricbeat"]
-You can use {beatname_uc} on Cloud Foundry to retrieve and ship metrics.
-endif::[]
-
-ifeval::["{release-state}"=="unreleased"]
-
-However, version {version} of {beatname_uc} has not yet been
-released, no build is currently available for this version.
-
-endif::[]
-
-
-==== Create Cloud Foundry credentials
-
-To connect to loggregator and receive the logs, {beatname_uc} requires credentials created with UAA. The `uaac`
-command creates the required credentials for connecting to loggregator.
-
-["source","sh",subs="attributes"]
-------------------------------------------------
-uaac client add {beatname_lc} --name {beatname_lc} --secret changeme --authorized_grant_types client_credentials,refresh_token --authorities doppler.firehose,cloud_controller.admin_read_only
-------------------------------------------------
-
-[WARNING]
-=======================================
-*Use a unique secret:* The `uaac` command shown here is an example. Remember to
-replace `changeme` with your secret, and update the +{beatname_lc}.yml+ file to
-use your chosen secret.
-=======================================
-
-
-==== Download Cloud Foundry deploy manifests
-
-You deploy {beatname_uc} as an application with no route.
-
-Cloud Foundry requires that 3 files exist inside of a directory to allow {beatname_uc} to be pushed. The commands
-below provide the basic steps for getting it up and running.
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-linux-x86_64.tar.gz
-tar xzvf {beatname_lc}-{version}-linux-x86_64.tar.gz
-cd {beatname_lc}-{version}-linux-x86_64
-curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/cloudfoundry/{beatname_lc}/{beatname_lc}.yml
-curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/cloudfoundry/{beatname_lc}/manifest.yml
-------------------------------------------------
-
-You need to modify the +{beatname_lc}.yml+ file to set the `api_address`,
-`client_id` and `client_secret`.
-
-==== Load {kib} dashboards
-
-{beatname_uc} comes packaged with various pre-built {kib} dashboards
-that you can use to visualize data in {kib}.
-
-If these dashboards are not already loaded into {kib}, you must run the {beatname_uc} `setup` command.
-To learn how, see <<load-kibana-dashboards,Load {kib} dashboards>>.
-
-ifeval::["{beatname_lc}"=="metricbeat"]
-[IMPORTANT]
-=======================================
-If you are using a different output other than {es}, such as {ls}, you
-need to <<load-template-manually>> and <<load-kibana-dashboards>>.
-=======================================
-endif::[]
-ifeval::["{beatname_lc}"=="filebeat"]
-The `setup` command does not load the ingest pipelines used to parse log lines. By default, ingest pipelines
-are set up automatically the first time you run {beatname_uc} and connect to {es}.
-
-[IMPORTANT]
-=======================================
-If you are using a different output other than {es}, such as {ls}, you
-need to:
-
-* <<load-template-manually>>
-* <<load-kibana-dashboards>>
-* <<load-ingest-pipelines>>
-=======================================
-endif::[]
-
-==== Deploy {beatname_uc}
-
-To deploy {beatname_uc} to Cloud Foundry, run:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-cf push
-------------------------------------------------
-
-To check the status, run:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-$ cf apps
-
-name       requested state   instances   memory   disk   urls
-{beatname_lc}   started           1/1         512M     1G
-------------------------------------------------
-
-ifeval::["{beatname_lc}"=="filebeat"]
-Log events should start flowing to Elasticsearch.
-endif::[]
-ifeval::["{beatname_lc}"=="metricbeat"]
-Metric events should start flowing to Elasticsearch.
-endif::[]
-The events are annotated with metadata added by the <<add-cloudfoundry-metadata>> processor.
-
-==== Scale {beatname_uc}
-
-A single instance of {beatname_uc} can ship more than a hundred thousand events
-per minute. If your Cloud Foundry deployment is producing more events than
-{beatname_uc} can collect and ship, the Firehose will start dropping events, and it
-will mark {beatname_uc} as a slow consumer. If the problems persist, {beatname_uc} may
-be disconnected from the Firehose.
-In such cases, you will need to scale {beatname_uc} to avoid losing events.
-
-The main settings you need to take into account are:
-
-ifeval::["{beatname_lc}"=="filebeat"]
-* The `shard_id` specified in the
-  <<filebeat-input-cloudfoundry,`cloudfoundry` input configuration>>. The
-  Firehose will divide the events amongst all the {beatname_uc} instances with
-  the same value for this setting. All the instances with the same `shard_id`
-  should have the same configuration.
-endif::[]
-ifeval::["{beatname_lc}"=="metricbeat"]
-* The `shard_id` specified in the
-  <<metricbeat-module-cloudfoundry,`cloudfoundry` module>>. The
-  Firehose will divide the events amongst all the {beatname_uc} instances with
-  the same value for this setting. All instances with the same `shard_id`
-  should have the same configuration.
-endif::[]
-* Number of {beatname_uc} instances. When {beatname_uc} is deployed as a Cloud
-  Foundry application, it can be scaled up and down like any other application,
-  with `cf scale` or by specifying the number of instances in the manifest.
-* <<configuring-output,Output configuration>>. In some cases, you can fine-tune
-  the output configuration to improve the events throughput. Some outputs
-  support multiple workers. The number of workers can be changed to take better
-  advantage of the available resources.
-
-Some basic recommendations to adjust these settings when {beatname_uc} is not
-able to collect all events:
-
-* If {beatname_uc} is hitting its CPU limits, you will need to increase the
-  number of {beatname_uc} instances deployed with the same `shard_id`.
-* If {beatname_uc} has some spare CPU, there may be some backpressure from the
-  output. Try to increase the number of workers in the output. If this doesn't
-  help, the bottleneck may be in the network or in the service receiving the
-  events sent by {beatname_uc}.
-* If you need to modify the memory limit of {beatname_uc}, remember that CPU
-  shares assigned to Cloud Foundry applications depend on the configured memory
-  limit. You may need to check the other recommendations after that.
diff --git a/libbeat/docs/shared-config-ingest.asciidoc b/libbeat/docs/shared-config-ingest.asciidoc
deleted file mode 100644
index 178c4b666fba..000000000000
--- a/libbeat/docs/shared-config-ingest.asciidoc
+++ /dev/null
@@ -1,73 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/shared-config-ingest.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-[[configuring-ingest-node]]
-== Parse data using an ingest pipeline
-
-When you use {es} for output, you can configure {beatname_uc} to use
-an {ref}/ingest.html[ingest pipeline] to pre-process documents before the actual
-indexing takes place in {es}.
-ifndef::no-output-logstash[]
-An ingest pipeline is a convenient processing option when you want to do some
-extra processing on your data, but you do not require the full power of {ls}.
-endif::[]
-For example, you can create an ingest pipeline
-in {es} that consists of one processor that removes a field in a
-document followed by another processor that renames a field.
-
-After defining the pipeline in {es}, you simply configure {beatname_uc}
-to use the pipeline. To configure {beatname_uc}, you specify the pipeline ID in
-the `parameters` option under `elasticsearch` in the +{beatname_lc}.yml+ file:
-
-[source,yaml]
-------------------------------------------------------------------------------
-output.elasticsearch:
-  hosts: ["localhost:9200"]
-  pipeline: my_pipeline_id
-------------------------------------------------------------------------------
-
-For example, let's say that you've defined the following pipeline in a file
-named `pipeline.json`:
-
-[source,json]
-------------------------------------------------------------------------------
-{
-    "description": "Test pipeline",
-    "processors": [
-        {
-            "lowercase": {
-                "field": "agent.name"
-            }
-        }
-    ]
-}
-------------------------------------------------------------------------------
-
-To add the pipeline in {es}, you would run:
-
-[source,shell]
-------------------------------------------------------------------------------
-curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_ingest/pipeline/test-pipeline' -d@pipeline.json
-------------------------------------------------------------------------------
-
-Then in the +{beatname_lc}.yml+ file, you would specify:
-
-[source,yaml]
-------------------------------------------------------------------------------
-output.elasticsearch:
-  hosts: ["localhost:9200"]
-  pipeline: "test-pipeline"
-------------------------------------------------------------------------------
-
-When you run {beatname_uc}, the value of `agent.name` is converted to lowercase before indexing.
-
-For more information about defining a pre-processing pipeline, see the
-{ref}/ingest.html[ingest pipeline] documentation.
diff --git a/libbeat/docs/shared-deduplication.asciidoc b/libbeat/docs/shared-deduplication.asciidoc
deleted file mode 100644
index e0d1f06e1aab..000000000000
--- a/libbeat/docs/shared-deduplication.asciidoc
+++ /dev/null
@@ -1,139 +0,0 @@
-[id="{beatname_lc}-deduplication"]
-== Deduplicate data
-
-The {beats} framework guarantees at-least-once delivery to ensure that no data
-is lost when events are sent to outputs that support acknowledgement, such as
-{es}, {ls}, Kafka, and Redis. This is great if everything goes as planned. But
-if {beatname_uc} shuts down during processing, or the connection is lost before
-events are acknowledged, you can end up with duplicate data.
-
-[float]
-=== What causes duplicates in {es}?
-
-When an output is blocked, the retry mechanism in {beatname_uc} attempts to
-resend events until they are acknowledged by the output. If the output receives
-the events, but is unable to acknowledge them, the data might be sent to the
-output multiple times. Because document IDs are typically set by {es} _after_ it
-receives the data from {beats}, the duplicate events are indexed as new
-documents.
-
-[float]
-=== How can I avoid duplicates?
-
-Rather than allowing {es} to set the document ID, set the ID in {beats}. The ID
-is stored in the {beats} `@metadata._id` field and used to set the document ID
-during indexing. That way, if {beats} sends the same event to {es} more than
-once, {es} overwrites the existing document rather than creating a new one.
-
-The `@metadata._id` field is passed along with the event so that you can use
-it to set the document ID after the event has been published by {beatname_uc}
-but before it's received by {es}. For example, see <<ls-doc-id>>. 
-
-There are several ways to set the document ID in {beats}:
-
-* *`add_id` processor*
-+
-Use the <<add-id,`add_id`>> processor when your data has no natural key field,
-and you can’t derive a unique key from existing fields. 
-+
-This example generates a unique ID for each event and adds it to the
-`@metadata._id` field:
-+
-[source,yaml]
-----
-processors:
-  - add_id: ~
-----
- 
-* *`fingerprint` processor*
-+
-Use the <<fingerprint,`fingerprint`>> processor to derive a unique key from
-one or more existing fields.
-+
-This example uses the values of `field1` and `field2` to derive a unique key
-that it adds to the `@metadata._id` field:
-+
-[source,yaml]
-----
-processors:
-  - fingerprint:
-      fields: ["field1", "field2"]
-      target_field: "@metadata._id"
-----
-
-* *`decode_json_fields` processor*
-+
-Use the `document_id` setting in the <<decode-json-fields,`decode_json_fields`>>
-processor when you're decoding a JSON string that contains a natural key field.
-+
-For this example, assume that the `message` field contains the JSON string
-`{"myid": "100", "text": "Some text"}`. This example takes the value of `myid`
-from the JSON string and stores it in the `@metadata._id` field:
-+
-[source,yaml]
-----
-processors:
-  - decode_json_fields:
-      document_id: "myid"
-      fields: ["message"]
-      max_depth: 1
-      target: ""
-----
-+
-The resulting document ID is `100`.
-
-* *JSON input settings*
-+
-Use the `json.document_id` input setting if you’re ingesting JSON-formatted
-data, and the data has a natural key field.
-+
-This example takes the value of `key1` from the JSON document and stores it in
-the `@metadata._id` field:
-+
-[source,yaml]
-----
-filebeat.inputs:
-- type: log 
-  paths:
-    - /path/to/json.log
-  json.document_id: "key1"
-----
-
-[float]
-[[ls-doc-id]]
-=== {ls} pipeline example
-
-For this example, assume that you've used one of the approaches described
-earlier to store the document ID in the {beats} `@metadata._id` field. To
-preserve the ID when you send {beats} data through {ls} en route to {es},
-set the `document_id` field in the {ls} pipeline:
-
-[source,json]
-----
-input {
-  beats {
-    port => 5044
-  }
-}
-
-output {
-  if [@metadata][_id] {
-    elasticsearch {
-      hosts => ["http://localhost:9200"]
-      document_id => "%{[@metadata][_id]}" <1>
-      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
-    }
-  } else {
-    elasticsearch {
-      hosts => ["http://localhost:9200"]
-      index => "%{[@metadata][beat]}-%{[@metadata][version]}" 
-    }
-  }
-}
-----
-<1> Sets the `document_id` field in the
-{logstash-ref}/plugins-outputs-elasticsearch.html[{es} output] to the value
-stored in `@metadata._id`.
-
-When {es} indexes the document, it sets the document ID to the specified value,
-preserving the ID passed from {beats}.
diff --git a/libbeat/docs/shared-directory-layout.asciidoc b/libbeat/docs/shared-directory-layout.asciidoc
deleted file mode 100644
index ae8c41dea57a..000000000000
--- a/libbeat/docs/shared-directory-layout.asciidoc
+++ /dev/null
@@ -1,112 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/shared-directory-layout.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-[[directory-layout]]
-=== Directory layout
-
-The directory layout of an installation is as follows:
-
-TIP: Archive installation has a different layout. See <<directory-layout-archive>>.
-
-[cols="<h,<,<m,<m",options="header",]
-|=======================================================================
-| Type   | Description | Default Location | Config Option
-| home   | Home of the {beatname_uc} installation. | | path.home
-| bin    | The location for the binary files. | {path.home}/bin |
-| config | The location for configuration files. | {path.home} | path.config
-| data   | The location for persistent data files. | {path.home}/data| path.data
-| logs   | The location for the logs created by {beatname_uc}. | {path.home}/logs | path.logs
-|=======================================================================
-
-ifndef::serverless[]
-You can change these settings by using CLI flags or setting
-<<configuration-path,path options>> in the configuration file.
-endif::serverless[]
-
-==== Default paths
-
-{beatname_uc} uses the following default paths unless you explicitly change them.
-
-ifdef::deb_os,rpm_os[]
-[float]
-===== deb and rpm
-[cols="<h,<,<m",options="header",]
-|=======================================================================
-| Type   | Description | Location
-| home   | Home of the {beatname_uc} installation. | /usr/share/{beatname_lc}
-| bin    | The location for the binary files. | /usr/share/{beatname_lc}/bin
-| config | The location for configuration files. | /etc/{beatname_lc}
-| data   | The location for persistent data files. | /var/lib/{beatname_lc}
-| logs   | The location for the logs created by {beatname_uc}. | /var/log/{beatname_lc}
-|=======================================================================
-
-For the deb and rpm distributions, these paths are set in the init script or in
-the systemd unit file.  Make sure that you start the {beatname_uc} service by using
-the preferred operating system method (init scripts or `systemctl`).
-Otherwise the paths might be set incorrectly.
-
-endif::deb_os,rpm_os[]
-
-ifdef::docker_platform[]
-[float]
-===== docker
-[cols="<h,<,<m",options="header",]
-|=======================================================================
-| Type   | Description | Location
-| home   | Home of the {beatname_uc} installation. | /usr/share/{beatname_lc}
-| bin    | The location for the binary files. | /usr/share/{beatname_lc}
-| config | The location for configuration files. | /usr/share/{beatname_lc}
-| data   | The location for persistent data files. | /usr/share/{beatname_lc}/data
-| logs   | The location for the logs created by {beatname_uc}. | /usr/share/{beatname_lc}/logs
-|=======================================================================
-
-endif::docker_platform[]
-
-ifdef::mac_os,win_os[]
-[float]
-[[directory-layout-archive]]
-===== zip, tar.gz, or tgz
-[cols="<h,<,<m",options="header",]
-|=======================================================================
-| Type   | Description | Location
-| home   | Home of the {beatname_uc} installation. | {extract.path}
-| bin    | The location for the binary files. | {extract.path}
-| config | The location for configuration files. | {extract.path}
-| data   | The location for persistent data files. | {extract.path}/data
-| logs   | The location for the logs created by {beatname_uc}. | {extract.path}/logs
-ifdef::serverless[]
-| pkg    | The location for the binary uploaded to your serverless provider. | {extract.path}/pkg
-endif::serverless[]
-|=======================================================================
-
-For the zip, tar.gz, or tgz distributions, these paths are based on the location
-of the extracted binary file. This means that if you start {beatname_uc} with
-the following simple command, all paths are set correctly:
-
-endif::mac_os,win_os[]
-
-ifndef::win_only[]
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
-./{beatname_lc}
-----------------------------------------------------------------------
-
-endif::win_only[]
-
-ifdef::win_only[]
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
-Start-Service {beatname_lc}
-----------------------------------------------------------------------
-
-endif::win_only[]
diff --git a/libbeat/docs/shared-docker.asciidoc b/libbeat/docs/shared-docker.asciidoc
deleted file mode 100644
index b0cb273ccc03..000000000000
--- a/libbeat/docs/shared-docker.asciidoc
+++ /dev/null
@@ -1,335 +0,0 @@
-[[running-on-docker]]
-=== Run {beatname_uc} on Docker
-
-Docker images for {beatname_uc} are available from the Elastic Docker
-registry. The base image is https://hub.docker.com/_/centos/[centos:7].
-
-A list of all published Docker images and tags is available at
-https://www.docker.elastic.co[www.docker.elastic.co].
-
-These images are free to use under the Elastic license. They contain open source
-and free commercial features and access to paid commercial features.
-{kibana-ref}/managing-licenses.html[Start a 30-day trial] to try out all of the
-paid commercial features. See the
-https://www.elastic.co/subscriptions[Subscriptions] page for information about
-Elastic license levels.
-
-==== Pull the image
-
-Obtaining {beatname_uc} for Docker is as simple as issuing a +docker pull+ command
-against the Elastic Docker registry.
-
-ifeval::["{release-state}"=="unreleased"]
-WARNING: Version {version} of {beatname_uc} has not yet been released.
-No Docker image is currently available for {beatname_uc} {version}.
-endif::[]
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-docker pull {dockerimage}
-------------------------------------------------
-
-Alternatively, you can download other Docker images that contain only features
-available under the Apache 2.0 license. To download the images, go to
-https://www.docker.elastic.co[www.docker.elastic.co].
-
-ifndef::apm-server[]
-
-As another option, you can use the hardened link:https://wolfi.dev/[Wolfi] image.
-Using Wolfi images requires Docker version 20.10.10 or higher.
-For details about why the Wolfi images have been introduced, refer to our article 
-link:https://www.elastic.co/blog/reducing-cves-in-elastic-container-images[Reducing CVEs in Elastic container images].
-
-[source,terminal,subs="attributes"]
-----
-docker pull {dockerimage-wolfi}
-----
-
-==== Optional: Verify the image
-
-You can use the https://docs.sigstore.dev/cosign/installation/[Cosign application] to verify the {beatname_uc} Docker image signature.
-
-ifeval::["{release-state}"=="unreleased"]
-WARNING: Version {version} of {beatname_uc} has not yet been released.
-No Docker image is currently available for {beatname_uc} {version}.
-endif::[]
-
-["source", "sh", subs="attributes"]
-----
-wget https://artifacts.elastic.co/cosign.pub
-cosign verify --key cosign.pub {dockerimage}
-----
-
-The `cosign` command prints the check results and the signature payload in JSON format:
-
-[source,sh,subs="attributes"]
-----
-Verification for {dockerimage} --
-The following checks were performed on each of these signatures:
-  - The cosign claims were validated
-  - Existence of the claims in the transparency log was verified offline
-  - The signatures were verified against the specified public key
-----
-
-==== Run the {beatname_uc} setup
-
-IMPORTANT: A link:https://github.com/elastic/beats/issues/42038[known issue] in version 8.17.0 prevents {beats} Docker images from starting when no options are provided. When running an image on that version, add an `--environment container` parameter to avoid the problem. This is planned to be addressed in issue link:https://github.com/elastic/beats/pull/42060[#42060].
-
-Running {beatname_uc} with the setup command will create the index pattern and
-load visualizations
-ifndef::no_dashboards[]
-, dashboards,
-endif::no_dashboards[]
-and machine learning jobs.  Run this command:
-
-ifeval::["{beatname_lc}"=="filebeat"]
-["source", "sh", subs="attributes"]
---------------------------------------------
-docker run --rm \
-{dockerimage} \
-setup -E setup.kibana.host=kibana:5601 \
--E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
---------------------------------------------
-endif::[]
-
-ifeval::["{beatname_lc}"=="metricbeat"]
-["source", "sh", subs="attributes"]
---------------------------------------------
-docker run --rm \
-{dockerimage} \
-setup -E setup.kibana.host=kibana:5601 \
--E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
---------------------------------------------
-endif::[]
-
-ifeval::["{beatname_lc}"=="heartbeat"]
-["source", "sh", subs="attributes"]
---------------------------------------------
-docker run --rm \
---cap-add=NET_RAW \
-{dockerimage} \
-setup -E setup.kibana.host=kibana:5601 \
--E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
---------------------------------------------
-endif::[]
-
-ifeval::["{beatname_lc}"=="packetbeat"]
-["source", "sh", subs="attributes"]
---------------------------------------------
-docker run --rm \
---cap-add=NET_ADMIN \
-{dockerimage} \
-setup -E setup.kibana.host=kibana:5601 \
--E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
---------------------------------------------
-endif::[]
-
-ifeval::["{beatname_lc}"=="auditbeat"]
-["source", "sh", subs="attributes"]
---------------------------------------------
-docker run --rm \
-  --cap-add="AUDIT_CONTROL" \
-  --cap-add="AUDIT_READ" \
-  {dockerimage} \
-  setup -E setup.kibana.host=kibana:5601 \
-  -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
---------------------------------------------
-endif::[]
-
-<1> Substitute your Kibana and Elasticsearch hosts and ports.
-<2> If you are using the hosted {ess} in {ecloud}, replace
-the `-E output.elasticsearch.hosts` line with the Cloud ID and elastic password
-using this syntax:
-
-[source,shell]
---------------------------------------------
--E cloud.id=<Cloud ID from Elasticsearch Service> \
--E cloud.auth=elastic:<elastic password>
---------------------------------------------
-
-endif::apm-server[]
-
-==== Run {beatname_uc} on a read-only file system
-
-If you'd like to run {beatname_uc} in a Docker container on a read-only file
-system, you can do so by specifying the `--read-only` option.
-{beatname_uc} requires a stateful directory to store application data, so
-with the `--read-only` option you also need to use the `--mount` option to
-specify a path to where that data can be stored.
-
-For example:
-
-["source", "sh", subs="attributes"]
---------------------------------------------
-docker run --rm \
-  --mount type=bind,source=$(pwd)/data,destination=/usr/share/{beatname_lc}/data \
-  --read-only \
-  {dockerimage}
---------------------------------------------
-
-==== Configure {beatname_uc} on Docker
-
-The Docker image provides several methods for configuring {beatname_uc}. The
-conventional approach is to provide a configuration file via a volume mount, but
-it's also possible to create a custom image with your
-configuration included.
-
-===== Example configuration file
-
-Download this example configuration file as a starting point:
-
-["source","sh",subs="attributes,callouts"]
-------------------------------------------------
-curl -L -O {dockerconfig}
-------------------------------------------------
-
-===== Volume-mounted configuration
-
-One way to configure {beatname_uc} on Docker is to provide +{beatname_lc}.docker.yml+ via a volume mount.
-With +docker run+, the volume mount can be specified like this.
-
-ifeval::["{beatname_lc}"=="filebeat"]
-["source", "sh", subs="attributes"]
---------------------------------------------
-docker run -d \
-  --name={beatname_lc} \
-  --user=root \
-  --volume="$(pwd)/{beatname_lc}.docker.yml:/usr/share/{beatname_lc}/{beatname_lc}.yml:ro" \
-  --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \
-  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
-  --volume="registry:/usr/share/{beatname_lc}/data:rw" \
-  {dockerimage} {beatname_lc} -e --strict.perms=false \
-  -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
---------------------------------------------
-endif::[]
-
-ifeval::["{beatname_lc}"=="metricbeat"]
-["source", "sh", subs="attributes"]
---------------------------------------------
-docker run -d \
-  --name={beatname_lc} \
-  --user=root \
-  --volume="$(pwd)/{beatname_lc}.docker.yml:/usr/share/{beatname_lc}/{beatname_lc}.yml:ro" \
-  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
-  --volume="/sys/fs/cgroup:/hostfs/sys/fs/cgroup:ro" \
-  --volume="/proc:/hostfs/proc:ro" \
-  --volume="/:/hostfs:ro" \
-  {dockerimage} {beatname_lc} -e \
-  -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
---------------------------------------------
-endif::[]
-
-ifeval::["{beatname_lc}"=="packetbeat"]
-["source", "sh", subs="attributes"]
---------------------------------------------
-docker run -d \
-  --name={beatname_lc} \
-  --user={beatname_lc} \
-  --volume="$(pwd)/{beatname_lc}.docker.yml:/usr/share/{beatname_lc}/{beatname_lc}.yml:ro" \
-  --cap-add="NET_RAW" \
-  --cap-add="NET_ADMIN" \
-  --network=host \
-  {dockerimage} \
-  --strict.perms=false -e \
-  -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
---------------------------------------------
-endif::[]
-
-ifeval::["{beatname_lc}"=="auditbeat"]
-["source", "sh", subs="attributes"]
---------------------------------------------
-docker run -d \
-  --name={beatname_lc} \
-  --user=root \
-  --volume="$(pwd)/{beatname_lc}.docker.yml:/usr/share/{beatname_lc}/{beatname_lc}.yml:ro" \
-  --cap-add="AUDIT_CONTROL" \
-  --cap-add="AUDIT_READ" \
-  --pid=host \
-  {dockerimage} -e \
-  --strict.perms=false \
-  -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
---------------------------------------------
-endif::[]
-
-ifeval::["{beatname_lc}"=="heartbeat"]
-["source", "sh", subs="attributes"]
---------------------------------------------
-docker run -d \
-  --name={beatname_lc} \
-  --user={beatname_lc} \
-  --volume="$(pwd)/{beatname_lc}.docker.yml:/usr/share/{beatname_lc}/{beatname_lc}.yml:ro" \
-  --cap-add=NET_RAW \
-  {dockerimage} \
-  --strict.perms=false -e \
-  -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
---------------------------------------------
-endif::[]
-
-ifeval::["{beatname_lc}"=="apm-server"]
-["source", "sh", subs="attributes"]
---------------------------------------------
-docker run -d \
-  -p 8200:8200 \
-  --name={beatname_lc} \
-  --user={beatname_lc} \
-  --volume="$(pwd)/{beatname_lc}.docker.yml:/usr/share/{beatname_lc}/{beatname_lc}.yml:ro" \
-  {dockerimage} \
-  --strict.perms=false -e \
-  -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
---------------------------------------------
-endif::[]
-
-<1> Substitute your Elasticsearch hosts and ports.
-<2> If you are using the hosted {ess} in {ecloud}, replace
-the `-E output.elasticsearch.hosts` line with the Cloud ID and elastic password
-using the syntax shown earlier.
-
-===== Customize your configuration
-
-ifdef::has_docker_label_ex[]
-The +{beatname_lc}.docker.yml+ file you downloaded earlier is configured to deploy Beats modules based on the Docker labels applied to your containers.  See <<configuration-autodiscover-hints>> for more details. Add labels to your application Docker containers, and they will be picked up by the Beats autodiscover feature when they are deployed.  Here is an example command for an Apache HTTP Server container with labels to configure the Filebeat and Metricbeat modules for the Apache HTTP Server:
-
-["source", "sh", subs="attributes"]
---------------------------------------------
-docker run \
-  --label co.elastic.logs/module=apache2 \
-  --label co.elastic.logs/fileset.stdout=access \
-  --label co.elastic.logs/fileset.stderr=error \
-  --label co.elastic.metrics/module=apache \
-  --label co.elastic.metrics/metricsets=status \
-  --label co.elastic.metrics/hosts='${data.host}:${data.port}' \
-  --detach=true \
-  --name my-apache-app \
-  -p 8080:80 \
-  httpd:2.4
---------------------------------------------
-endif::[]
-
-ifndef::has_docker_label_ex[]
-The +{beatname_lc}.docker.yml+ downloaded earlier should be customized for your environment. See <<configuring-howto-{beatname_lc}>> for more details. Edit the configuration file and customize it to match your environment then re-deploy your {beatname_uc} container.
-endif::[]
-
-===== Custom image configuration
-
-It's possible to embed your {beatname_uc} configuration in a custom image.
-Here is an example Dockerfile to achieve this:
-
-ifeval::["{beatname_lc}"!="auditbeat"]
-
-["source", "dockerfile", subs="attributes"]
---------------------------------------------
-FROM {dockerimage}
-COPY --chown=root:{beatname_lc} {beatname_lc}.yml /usr/share/{beatname_lc}/{beatname_lc}.yml
---------------------------------------------
-
-endif::[]
-
-ifeval::["{beatname_lc}"=="auditbeat"]
-
-["source", "dockerfile", subs="attributes"]
---------------------------------------------
-FROM {dockerimage}
-COPY {beatname_lc}.yml /usr/share/{beatname_lc}/{beatname_lc}.yml
---------------------------------------------
-
-endif::[]
diff --git a/libbeat/docs/shared-env-vars.asciidoc b/libbeat/docs/shared-env-vars.asciidoc
deleted file mode 100644
index e0285f8b9752..000000000000
--- a/libbeat/docs/shared-env-vars.asciidoc
+++ /dev/null
@@ -1,109 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// :standalone:
-//// include::../../libbeat/docs/shared-env-vars.asciidoc[]
-//// Specify :standalone: when this file is pulled into and index. When
-//// the file is embedded in another file, do no specify :standalone:
-//////////////////////////////////////////////////////////////////////////
-
-ifdef::standalone[]
-
-[[using-environ-vars]]
-== Use environment variables in the configuration
-
-endif::[]
-
-You can use environment variable references in the config file to
-set values that need to be configurable during deployment. To do this, use:
-
-`${VAR}`
-
-Where `VAR` is the name of the environment variable.
-
-Each variable reference is replaced at startup by the value of the environment
-variable. The replacement is case-sensitive and occurs before the YAML file is
-parsed. References to undefined variables are replaced by empty strings unless
-you specify a default value or custom error text.
-
-To specify a default value, use:
-
-`${VAR:default_value}`
-
-Where `default_value` is the value to use if the environment variable is
-undefined.
-
-To specify custom error text, use:
-
-`${VAR:?error_text}`
-
-Where `error_text` is custom text that will be prepended to the error
-message if the environment variable cannot be expanded.
-
-If you need to use a special character in your configuration file, use `$` to escape the expansion. For example, you can escape `${` or `}` with `$${` or `$}`.
-
-After changing the value of an environment variable, you need to restart
-{beatname_uc} to pick up the new value.
-
-[NOTE]
-==================================
-You can also specify environment variables when you override a config
-setting from the command line by using the `-E` option. For example:
-
-`-E name=${NAME}`
-
-==================================
-
-[float]
-=== Examples
-
-Here are some examples of configurations that use environment variables
-and what each configuration looks like after replacement:
-
-[options="header"]
-|==================================
-|Config source	         |Environment setting   |Config after replacement
-|`name: ${NAME}`         |`export NAME=elastic` |`name: elastic`
-|`name: ${NAME}`         |no setting            |`name:`
-|`name: ${NAME:beats}`   |no setting            |`name: beats`
-|`name: ${NAME:beats}`   |`export NAME=elastic` |`name: elastic`
-|`name: ${NAME:?You need to set the NAME environment variable}`  |no setting            | None. Returns an error message that's prepended with the custom text.
-|`name: ${NAME:?You need to set the NAME environment variable}`  |`export NAME=elastic` | `name: elastic`
-|==================================
-
-[float]
-=== Specify complex objects in environment variables
-
-You can specify complex objects, such as lists or dictionaries, in environment
-variables by using a JSON-like syntax.
-
-As with JSON, dictionaries and lists are constructed using `{}` and `[]`. But
-unlike JSON, the syntax allows for trailing commas and slightly different string
-quotation rules. Strings can be unquoted, single-quoted, or double-quoted, as a
-convenience for simple settings and to make it easier for you to mix quotation
-usage in the shell. Arrays at the top-level do not require brackets (`[]`).
-
-For example, the following environment variable is set to a list:
-
-[source,yaml]
--------------------------------------------------------------------------------
-ES_HOSTS="10.45.3.2:9220,10.45.3.1:9230"
--------------------------------------------------------------------------------
-
-You can reference this variable in the config file:
-
-[source,yaml]
--------------------------------------------------------------------------------
-output.elasticsearch:
-  hosts: '${ES_HOSTS}'
--------------------------------------------------------------------------------
-
-When {beatname_uc} loads the config file, it resolves the environment variable and
-replaces it with the specified list before reading the `hosts` setting.
-
-NOTE: Do not use double-quotes (`"`) to wrap regular expressions, or the backslash (`\`) will be interpreted as an escape character.
diff --git a/libbeat/docs/shared-faq.asciidoc b/libbeat/docs/shared-faq.asciidoc
deleted file mode 100644
index fcd385755870..000000000000
--- a/libbeat/docs/shared-faq.asciidoc
+++ /dev/null
@@ -1,214 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/shared-faq.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-[[error-loading-config]]
-=== Error loading config file
-
-You may encounter errors loading the config file on POSIX operating systems if:
-
-* an unauthorized user tries to load the config file, or
-* the config file has the wrong permissions.
-
-See {beats-ref}/config-file-permissions.html[Config File Ownership and Permissions]
-for more about resolving these errors.
-
-[[error-found-unexpected-character]]
-=== Found unexpected or unknown characters
-
-Either there is a problem with the structure of your config file, or you have
-used a path or expression that the YAML parser cannot resolve because the config
-file contains characters that aren't properly escaped.
-
-If the YAML file contains paths with spaces or unusual characters, wrap the
-paths in single quotation marks (see <<wrap-paths-in-quotes>>).
-
-Also see the general advice under <<yaml-tips>>.
-
-ifndef::no-output-logstash[]
-[[connection-problem]]
-=== {ls} connection doesn't work
-
-You may have configured {ls} or {beatname_uc} incorrectly. To resolve the issue:
-
-* Make sure that {ls} is running and you can connect to it. First, try to ping the {ls} host to verify that you can reach it
-from the host running {beatname_uc}. Then use either `nc` or `telnet` to make sure that the port is available. For example:
-+
-[source,shell]
-----------------------------------------------------------------------
-ping <hostname or IP>
-telnet <hostname or IP> 5044
-----------------------------------------------------------------------
-* Verify that the config file for {beatname_uc} specifies the correct port where {ls} is running.
-* Make sure that the {es} output is commented out in the config file and the {ls} output is uncommented.
-* Confirm that the most recent {logstash-ref}/plugins-inputs-beats.html[Beats
-input plugin for {ls}] is installed and configured. Note that Beats will not
-connect to the Lumberjack input plugin. To learn how to install and update
-plugins, see {logstash-ref}/working-with-plugins.html[Working with plugins].
-endif::[]
-
-ifndef::no-output-logstash[]
-[[publishing-ls-fails-connection-reset-by-peer]]
-=== Publishing to {ls} fails with "connection reset by peer" message
-
-{beatname_uc} requires a persistent TCP connection to {ls}. If a firewall interferes
-with the connection, you might see errors like this: 
-
-[source,shell]
-----------------------------------------------------------------------
-Failed to publish events caused by: write tcp ... write: connection reset by peer
-----------------------------------------------------------------------
-
-
-To solve the problem:
-
-* make sure the firewall is not closing connections between {beatname_uc} and {ls}, or
-* set the `ttl` value in the <<logstash-output,{ls} output>> to a value that's
-lower than the maximum time allowed by the firewall, and set `pipelining` to 0
-(pipelining cannot be enabled when `ttl` is used).
-endif::[]
-
-ifndef::no-output-logstash[]
-[[metadata-missing]]
-=== @metadata is missing in {ls}
-
-{ls} outputs remove `@metadata` fields automatically. Therefore, if {ls} instances are chained directly or via some message
-queue (for example, Redis or Kafka), the `@metadata` field will not be available in the final {ls} instance.
-
-TIP: To preserve `@metadata` fields, use the {ls} mutate filter with the rename setting to rename the fields to
-non-internal fields.
-endif::[]
-
-ifndef::no-output-logstash[]
-[[diff-logstash-beats]]
-=== Not sure whether to use {ls} or Beats
-
-Beats are lightweight data shippers that you install as agents on your servers to send specific types of operational
-data to {es}. Beats have a small footprint and use fewer system resources than {ls}.
-
-{ls} has a larger footprint, but provides a broad array of input, filter, and output plugins for collecting, enriching,
-and transforming data from a variety of sources.
-
-For more information, see the https://www.elastic.co/guide/en/logstash/current/introduction.html[{ls} Introduction] and
-the https://www.elastic.co/guide/en/beats/libbeat/current/beats-reference.html[Beats Overview].
-endif::[]
-
-ifndef::no-output-logstash[]
-[[ssl-client-fails]]
-=== SSL client fails to connect to {ls}
-
-The host running {ls} might be unreachable or the certificate may not be valid. To resolve your issue:
-
-* Make sure that {ls} is running and you can connect to it. First, try to ping the {ls} host to verify that you can reach it
-from the host running {beatname_uc}. Then use either `nc` or `telnet` to make sure that the port is available. For example:
-+
-[source,shell]
-----------------------------------------------------------------------
-ping <hostname or IP>
-telnet <hostname or IP> 5044
-----------------------------------------------------------------------
-
-* Verify that the certificate is valid and that the hostname and IP match.
-+
-TIP: For testing purposes only, you can set `verification_mode: none` to disable hostname checking.
-
-* Use OpenSSL to test connectivity to the {ls} server and diagnose problems. See the https://www.openssl.org/docs/manmaster/man1/openssl-s_client.html[OpenSSL documentation] for more info.
-* Make sure that you have enabled SSL (set `ssl => true`) when configuring the {logstash-ref}/plugins-inputs-beats.html[Beats input plugin for {ls}].
-
-==== Common SSL-Related Errors and Resolutions
-
-Here are some common errors and ways to fix them:
-
-* <<failed-to-parse-private-key,tls: failed to parse private key>>
-* <<cannot-validate-certificate,x509: cannot validate certificate>>
-* <<getsockopt-no-route-to-host,getsockopt: no route to host>>
-* <<getsockopt-connection-refused,getsockopt: connection refused>>
-* <<target-machine-refused-connection,No connection could be made because the target machine actively refused it>>
-
-[[failed-to-parse-private-key]]
-===== tls: failed to parse private key
-
-This might occur for a few reasons:
-
-* The encrypted file is not recognized as an encrypted PEM block. {beatname_uc}
-tries to use the encrypted content as the final key, which fails.
-* The file is correctly encrypted in a PEM block, but the decrypted content is
-not a key in a format that {beatname_uc} recognizes. The key must be encoded as
-PEM format.
-* The passphrase is missing or has an error.
-
-[[cannot-validate-certificate]]
-===== x509: cannot validate certificate for <IP address> because it doesn't contain any IP SANs
-
-This happens because your certificate is only valid for the hostname present in the Subject field.
-
-To resolve this problem, try one of these solutions:
-
-* Create a DNS entry for the hostname mapping it to the server's IP.
-* Create an entry in `/etc/hosts` for the hostname. Or on Windows add an entry to
-`C:\Windows\System32\drivers\etc\hosts`.
-* Re-create the server certificate and add a SubjectAltName (SAN) for the IP address of the server. This makes the
-server's certificate valid for both the hostname and the IP address.
-
-[[getsockopt-no-route-to-host]]
-===== getsockopt: no route to host
-
-This is not a SSL problem. It's a networking problem. Make sure the two hosts can communicate.
-
-[[getsockopt-connection-refused]]
-===== getsockopt: connection refused
-
-This is not a SSL problem. Make sure that {ls} is running and that there is no firewall blocking the traffic.
-
-[[target-machine-refused-connection]]
-===== No connection could be made because the target machine actively refused it
-
-A firewall is refusing the connection. Check if a firewall is blocking the traffic on the client, the network, or the
-destination host.
-endif::no-output-logstash[]
-
-[[monitoring-shows-fewer-than-expected-beats]]
-=== Monitoring UI shows fewer Beats than expected
-
-If you are running multiple Beat instances on the same host, make sure they each have a distinct `path.data` value.
-
-ifndef::no_dashboards[]
-[[could-not-locate-index-pattern]]
-=== Dashboard could not locate the index-pattern
-
-Typically {beatname_uc} sets up the index pattern automatically when it
-loads the index template. However, if for some reason {beatname_uc} loads the
-index template, but the index pattern does not get created correctly, you'll see
-a "could not locate that index-pattern" error. To resolve this problem:
-
-. Try running the `setup` command again. For example: +./{beatname_lc} setup+.
-
-. If that doesn't work, go to the Management app in {kib}, and under
-*Index Patterns*, look for the pattern.
-
-.. If the pattern doesn't exist, create it manually.
-+
---
-* Set the *Time filter field name* to `@timestamp`.
-* Set the *Custom index pattern ID* advanced option. For example, if your
-custom index name is +{beatname_lc}-customname+, set the custom index pattern ID
-to +{beatname_lc}-customname-*+.
---
-
-For more information, see {kibana-ref}/index-patterns.html[Creating an index
-pattern] in the {kib} docs.
-endif::no_dashboards[]
-
-[[madvdontneed-rss]]
-=== High RSS memory usage due to MADV settings
-
-In versions of {beatname_uc} prior to 7.10.2, the go runtime defaults to `MADV_FREE` by default.
-In some cases, this can lead to high RSS memory usage while the kernel waits to reclaim any pages assigned to {beatname_uc}.
-On versions prior to 7.10.2, set the `GODEBUG="madvdontneed=1"` environment variable if you run into RSS usage issues.
diff --git a/libbeat/docs/shared-feature-flags.asciidoc b/libbeat/docs/shared-feature-flags.asciidoc
deleted file mode 100644
index c269733118aa..000000000000
--- a/libbeat/docs/shared-feature-flags.asciidoc
+++ /dev/null
@@ -1,61 +0,0 @@
-[[configuration-feature-flags]]
-== Configure feature flags
-
-++++
-<titleabbrev>Feature flags</titleabbrev>
-++++
-
-The Feature Flags section of the +{beatname_lc}.yml+ config file contains
-settings in {beatname_uc} that are disabled by default. These may include 
-experimental features, changes to behaviors within {beatname_uc}, or 
-settings that could cause a breaking change. For example a
-setting that changes information included in events might be inconsistent with
-the naming pattern expected in your configured {beatname_uc} output.
-
-To enable any of the settings listed on this page, change the associated `enabled`
-flag from `false` to `true`.
-
-[source,yaml]
-----
-features:
-  mysetting:
-    enabled: true
-----
-
-[float]
-=== Configuration options
-
-You can specify the following options in the `features` section of the +{beatname_lc}.yml+ config file:
-
-[float]
-==== `fqdn`
-
-Contains configuration for the FQDN reporting feature. When this feature is
-enabled, the fully-qualified domain name for the host is reported in the
-`host.name` field in events produced by {beatname_uc}.
-
-preview::[]
-
-For FQDN reporting to work as expected, the hostname of the current host must either:
-
-* Have a CNAME entry defined in DNS.
-* Have one of its corresponding IP addresses respond successfully to a reverse
-DNS lookup.
-
-If neither pre-requisite is satisfied, `host.name` continues to report the
-hostname of the current host as if the FQDN feature flag were not enabled.
-
-Example configuration:
-
-[source,yaml]
-----
-features:
-  fqdn:
-    enabled: true
-----
-
-[float]
-===== `enabled`
-Set to `true` to enable the FQDN reporting feature of {beatname_uc}.
-Defaults to `false`.
-
diff --git a/libbeat/docs/shared-geoip.asciidoc b/libbeat/docs/shared-geoip.asciidoc
deleted file mode 100644
index 522b451f027a..000000000000
--- a/libbeat/docs/shared-geoip.asciidoc
+++ /dev/null
@@ -1,248 +0,0 @@
-[id="{beatname_lc}-geoip"]
-== Enrich events with geoIP information
-
-ifeval::["{beatname_lc}"=="packetbeat"]
-TIP: To populate the client locations map in the {beatname_uc} dashboard, follow
-the steps in this section.
-endif::[]
-
-You can use {beatname_uc} along with the {ref}/geoip-processor.html[GeoIP
-Processor] in {es} to export geographic location information based on IP
-addresses. Then you can use this information to visualize the location of IP
-addresses on a map in {kib}.
-
-The `geoip` processor adds information about the geographical location of
-IP addresses, based on data from the Maxmind GeoLite2 City Database. Because the
-processor uses a geoIP database that's installed on {es}, you don't need
-to install a geoIP database on the machines running {beatname_uc}.
-
-ifndef::no-output-logstash[]
-NOTE: If your use case involves using {ls}, you can use the
-{logstash-ref}/plugins-filters-geoip.html[GeoIP filter] available in {ls}
-instead of using the `geoip` processor. However, using the `geoip` processor is
-the simplest approach when you don't require the additional processing power of
-{ls}.
-endif::no-output-logstash[]
-
-[float]
-[id="{beatname_lc}-configuring-geoip"]
-=== Configure the `geoip` processor
-
-To configure {beatname_uc} and the `geoip` processor:
-
-1. Define an ingest pipeline that uses one or more `geoip` processors to
-add location information to the event. For example, you can use the Console in
-{kib} to create the following pipeline:
-+
---
-[source,json]
-----
-PUT _ingest/pipeline/geoip-info
-{
-  "description": "Add geoip info",
-  "processors": [
-    {
-      "geoip": {
-        "field": "client.ip",
-        "target_field": "client.geo",
-        "ignore_missing": true
-      }
-    },
-    {
-      "geoip": {
-        "database_file": "GeoLite2-ASN.mmdb",
-        "field": "client.ip",
-        "target_field": "client.as",
-        "properties": [
-          "asn",
-          "organization_name"
-        ],
-        "ignore_missing": true
-      }
-    },
-    {
-      "geoip": {
-        "field": "source.ip",
-        "target_field": "source.geo",
-        "ignore_missing": true
-      }
-    },
-    {
-      "geoip": {
-        "database_file": "GeoLite2-ASN.mmdb",
-        "field": "source.ip",
-        "target_field": "source.as",
-        "properties": [
-          "asn",
-          "organization_name"
-        ],
-        "ignore_missing": true
-      }
-    },
-    {
-      "geoip": {
-        "field": "destination.ip",
-        "target_field": "destination.geo",
-        "ignore_missing": true
-      }
-    },
-    {
-      "geoip": {
-        "database_file": "GeoLite2-ASN.mmdb",
-        "field": "destination.ip",
-        "target_field": "destination.as",
-        "properties": [
-          "asn",
-          "organization_name"
-        ],
-        "ignore_missing": true
-      }
-    },
-    {
-      "geoip": {
-        "field": "server.ip",
-        "target_field": "server.geo",
-        "ignore_missing": true
-      }
-    },
-    {
-      "geoip": {
-        "database_file": "GeoLite2-ASN.mmdb",
-        "field": "server.ip",
-        "target_field": "server.as",
-        "properties": [
-          "asn",
-          "organization_name"
-        ],
-        "ignore_missing": true
-      }
-    },
-    {
-      "geoip": {
-        "field": "host.ip",
-        "target_field": "host.geo",
-        "ignore_missing": true
-      }
-    },
-    {
-      "rename": {
-        "field": "server.as.asn",
-        "target_field": "server.as.number",
-        "ignore_missing": true
-      }
-    },
-    {
-      "rename": {
-        "field": "server.as.organization_name",
-        "target_field": "server.as.organization.name",
-        "ignore_missing": true
-      }
-    },
-    {
-      "rename": {
-        "field": "client.as.asn",
-        "target_field": "client.as.number",
-        "ignore_missing": true
-      }
-    },
-    {
-      "rename": {
-        "field": "client.as.organization_name",
-        "target_field": "client.as.organization.name",
-        "ignore_missing": true
-      }
-    },
-    {
-      "rename": {
-        "field": "source.as.asn",
-        "target_field": "source.as.number",
-        "ignore_missing": true
-      }
-    },
-    {
-      "rename": {
-        "field": "source.as.organization_name",
-        "target_field": "source.as.organization.name",
-        "ignore_missing": true
-      }
-    },
-    {
-      "rename": {
-        "field": "destination.as.asn",
-        "target_field": "destination.as.number",
-        "ignore_missing": true
-      }
-    },
-    {
-      "rename": {
-        "field": "destination.as.organization_name",
-        "target_field": "destination.as.organization.name",
-        "ignore_missing": true
-      }
-    }
-  ]
-}
-----
-//CONSOLE
---
-+
-In this example, the pipeline ID is `geoip-info`. `field` specifies the field
-that contains the IP address to use for the geographical lookup, and
-`target_field` is the field that will hold the geographical information.
-`"ignore_missing": true` configures the pipeline to continue processing when
-it encounters an event that doesn't have the specified field.
-+
-See
-{ref}/geoip-processor.html[GeoIP Processor] for more options.
-+
-To learn more about adding host information to an event, see
-<<add-host-metadata>>.
-
-2. In the {beatname_uc} config file, configure the {es} output to use the
-pipeline. Specify the pipeline ID in the `pipeline` option under
-`output.elasticsearch`. For example:
-+
-[source,yaml]
--------------------------------------------------------------------------------
-output.elasticsearch:
-  hosts: ["localhost:9200"]
-  pipeline: geoip-info
--------------------------------------------------------------------------------
-
-3. Run {beatname_uc}. Remember to use `sudo` if the config file is owned by
-root.
-+
-["source","sh",subs="attributes"]
--------------------------------------------------------------------------------
-./{beatname_lc} -e
--------------------------------------------------------------------------------
-+
-If the lookups succeed, the events are enriched with `geo_point` fields, such as
-`client.geo.location` and `host.geo.location`, that you can use to populate
-visualizations in {kib}.
-
-ifeval::["{beatname_lc}"=="packetbeat"]
-As a convenience, the {beatname_uc} index template already has mappings defined
-for `client.geo.location`, `source.geo.location`, `destination.geo.location`,
-`server.geo.location`, and `host.geo.location`. The mappings ensure that each
-field, when it exists, gets indexed as a `geo_point`.
-endif::[]
-
-If you add a field that's not already defined as a `geo_point` in the
-index template, add a mapping so the field gets indexed correctly. 
-
-[float]
-[id="{beatname_lc}-visualizing-location"]
-=== Visualize locations
-
-To visualize the location of IP addresses, you can
-ifdef::has_map[]
-<<load-kibana-dashboards,set up the example {kib} dashboards>> (if
-you haven't already), or
-endif::has_map[]
-create a new {kibana-ref}/tilemap.html[coordinate map] in {kib} and select the
-location field, for example `client.geo.location` or `host.geo.location`, as
-the Geohash.
-
-[role="screenshot"]
-image::./images/coordinate-map.png[Coordinate map in {kib}]
diff --git a/libbeat/docs/shared-ilm.asciidoc b/libbeat/docs/shared-ilm.asciidoc
deleted file mode 100644
index 5ccb0a43f95e..000000000000
--- a/libbeat/docs/shared-ilm.asciidoc
+++ /dev/null
@@ -1,75 +0,0 @@
-[[ilm]]
-[role="xpack"]
-== Configure index lifecycle management
-
-++++
-<titleabbrev>Index lifecycle management (ILM)</titleabbrev>
-++++
-
-Use the {ref}/getting-started-index-lifecycle-management.html[index lifecycle
-management] (ILM) feature in {es} to manage your {beatname_uc}
-their backing indices of your data streams as they age. {beatname_uc} loads
-the default policy automatically and applies it to any
-data streams created by {beatname_uc}.
-
-You can view and edit the policy in the *Index lifecycle policies* UI in {kib}.
-For more information about working with the UI, see
-{kibana-ref}/index-lifecycle-policies.html[Index lifecyle policies].
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-setup.ilm.enabled: true
-----
-
-WARNING: If <<ilm,index lifecycle management>> is enabled (which is typically the default), `setup.template.name` and `setup.template.pattern` are ignored.
-
-[float]
-=== Configuration options
-
-You can specify the following settings in the `setup.ilm` section of the
-+{beatname_lc}.yml+ config file:
-
-[float]
-[[setup-ilm-option]]
-==== `setup.ilm.enabled`
-
-Enables or disables index lifecycle management on any new indices created by
-{beatname_uc}. Valid values are `true` and `false`.
-
-[float]
-[[setup-ilm-policy_name-option]]
-==== `setup.ilm.policy_name`
-
-The name to use for the lifecycle policy. The default is
-+{beatname_lc}+.
-
-[float]
-[[setup-ilm-policy_file-option]]
-==== `setup.ilm.policy_file`
-
-The path to a JSON file that contains a lifecycle policy configuration. Use this
-setting to load your own lifecycle policy.
-
-For more information about lifecycle policies, see
-{ref}/set-up-lifecycle-policy.html[Set up index lifecycle management policy] in
-the _{es} Reference_.
-
-[float]
-[[setup-ilm-check_exists-option]]
-==== `setup.ilm.check_exists`
-
-When set to `false`, disables the check for an existing lifecycle policy. The
-default is `true`. You need to disable this check if the {beatname_uc}
-user connecting to a secured cluster doesn't have the `read_ilm` privilege.
-
-If you set this option to `false`, lifecycle policy will not be installed, even if
-`setup.ilm.overwrite` is set to `true`.
-
-[float]
-[[setup-ilm-overwrite-option]]
-==== `setup.ilm.overwrite`
-
-When set to `true`, the lifecycle policy is overwritten at startup. The default
-is `false`.
diff --git a/libbeat/docs/shared-instrumentation.asciidoc b/libbeat/docs/shared-instrumentation.asciidoc
deleted file mode 100644
index 9e26d0af4ad4..000000000000
--- a/libbeat/docs/shared-instrumentation.asciidoc
+++ /dev/null
@@ -1,91 +0,0 @@
-[[configuration-instrumentation]]
-== Configure APM instrumentation
-
-++++
-<titleabbrev>Instrumentation</titleabbrev>
-++++
-
-Libbeat uses the Elastic APM Go Agent to instrument its publishing pipeline.
-Currently, only the Elasticsearch output is instrumented.
-To gain insight into the performance of {beatname_uc}, you can enable this instrumentation and send trace data to the APM Integration.
-
-Example configuration with instrumentation enabled:
-
-["source","yaml"]
-----
-instrumentation:
-  enabled: true
-  environment: production
-  hosts:
-    - "http://localhost:8200"
-  api_key: L5ER6FEvjkmlfalBealQ3f3fLqf03fazfOV
-----
-
-[float]
-=== Configuration options
-
-You can specify the following options in the `instrumentation` section of the +{beatname_lc}.yml+ config file:
-
-[float]
-==== `enabled`
-
-Set to `true` to enable instrumentation of {beatname_uc}.
-Defaults to `false`.
-
-[float]
-==== `environment`
-
-Set the environment in which {beatname_uc} is running, for example, `staging`, `production`, `dev`, etc.
-Environments can be filtered in the {kibana-ref}/xpack-apm.html[APM app].
-
-[float]
-==== `hosts`
-
-The APM integration {apm-guide-ref}/input-apm.html[host] to report instrumentation data to.
-Defaults to `http://localhost:8200`.
-
-[float]
-==== `api_key`
-
-The {apm-guide-ref}/input-apm.html[API Key] used to secure communication with the APM Integration.
-If `api_key` is set then `secret_token` will be ignored.
-
-[float]
-==== `secret_token`
-
-The {apm-guide-ref}/input-apm.html[Secret token] used to secure communication with the APM Integration.
-
-[float]
-==== `profiling.cpu.enabled`
-
-Set to `true` to enable CPU profiling, where profile samples are recorded as events.
-
-This feature is experimental.
-
-[float]
-==== `profiling.cpu.interval`
-
-Configure the CPU profiling interval. Defaults to `60s`.
-
-This feature is experimental.
-
-[float]
-==== `profiling.cpu.duration`
-
-Configure the CPU profiling duration. Defaults to `10s`.
-
-This feature is experimental.
-
-[float]
-==== `profiling.heap.enabled`
-
-Set to `true` to enable heap profiling.
-
-This feature is experimental.
-
-[float]
-==== `profiling.heap.interval`
-
-Configure the heap profiling interval. Defaults to `60s`.
-
-This feature is experimental.
diff --git a/libbeat/docs/shared-kerberos-config.asciidoc b/libbeat/docs/shared-kerberos-config.asciidoc
deleted file mode 100644
index b74cef2f1eef..000000000000
--- a/libbeat/docs/shared-kerberos-config.asciidoc
+++ /dev/null
@@ -1,93 +0,0 @@
-[[configuration-kerberos]]
-== Configure Kerberos
-
-++++
-<titleabbrev>Kerberos</titleabbrev>
-++++
-
-You can specify Kerberos options with any output or input that supports Kerberos, like {es}.
-
-The following encryption types are supported:
-
-* aes128-cts-hmac-sha1-96
-* aes128-cts-hmac-sha256-128
-* aes256-cts-hmac-sha1-96
-* aes256-cts-hmac-sha384-192
-* des3-cbc-sha1-kd
-* rc4-hmac
-
-Example output config with Kerberos password based authentication:
-
-[source,yaml]
-----
-output.elasticsearch.hosts: ["http://my-elasticsearch.elastic.co:9200"]
-output.elasticsearch.kerberos.auth_type: password
-output.elasticsearch.kerberos.username: "elastic"
-output.elasticsearch.kerberos.password: "changeme"
-output.elasticsearch.kerberos.config_path: "/etc/krb5.conf"
-output.elasticsearch.kerberos.realm: "ELASTIC.CO"
-----
-
-The service principal name for the Elasticsearch instance is contructed from these options. Based on this configuration
-it is going to be `HTTP/my-elasticsearch.elastic.co@ELASTIC.CO`.
-
-[float]
-=== Configuration options
-
-You can specify the following options in the `kerberos` section of the +{beatname_lc}.yml+ config file:
-
-[float]
-==== `enabled`
-
-The `enabled` setting can be used to enable the kerberos configuration by setting
-it to `false`. The default value is `true`.
-
-NOTE: Kerberos settings are disabled if either `enabled` is set to `false` or the
-`kerberos` section is missing.
-
-[float]
-==== `auth_type`
-
-There are two options to authenticate with Kerberos KDC: `password` and `keytab`.
-
-`password` expects the principal name and its password. When choosing `keytab`, you
-have to specify a principal name and a path to a keytab. The keytab must contain
-the keys of the selected principal. Otherwise, authentication will fail.
-
-[float]
-==== `config_path`
-
-You need to set the path to the `krb5.conf`, so {beatname_uc} can find the Kerberos KDC to
-retrieve a ticket.
-
-[float]
-==== `username`
-
-Name of the principal used to connect to the output.
-
-[float]
-==== `password`
-
-If you configured `password` for `auth_type`, you have to provide a password
-for the selected principal.
-
-[float]
-==== `keytab`
-
-If you configured `keytab` for `auth_type`, you have to provide the path to the
-keytab of the selected principal.
-
-[float]
-==== `service_name`
-
-This option can only be configured for Kafka. It is the name of the Kafka service, usually `kafka`.
-
-[float]
-==== `realm`
-
-Name of the realm where the output resides.
-
-[float]
-==== `enable_krb5_fast`
-
-Enable Kerberos FAST authentication. This may conflict with some Active Directory installations. The default is `false`.
diff --git a/libbeat/docs/shared-kibana-config.asciidoc b/libbeat/docs/shared-kibana-config.asciidoc
deleted file mode 100644
index 9f05939aca3e..000000000000
--- a/libbeat/docs/shared-kibana-config.asciidoc
+++ /dev/null
@@ -1,131 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/shared-kibana-config.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-[[setup-kibana-endpoint]]
-== Configure the {kib} endpoint
-
-++++
-<titleabbrev>{kib} endpoint</titleabbrev>
-++++
-
-{kib} dashboards are loaded into {kib}
-via the {kib} API. This requires a {kib} endpoint configuration. For details on
-authenticating to the {kib} API, see {kibana-ref}/api.html#api-authentication[Authentication].
-
-You configure the endpoint in the `setup.kibana` section of the
-+{beatname_lc}.yml+ config file.
-
-Here is an example configuration:
-
-[source,yaml]
-----
-setup.kibana.host: "http://localhost:5601"
-----
-
-[float]
-=== Configuration options
-
-You can specify the following options in the `setup.kibana` section of the
-+{beatname_lc}.yml+ config file:
-
-[float]
-==== `setup.kibana.host`
-
-The {kib} host where the dashboards will be loaded. The default is
-`127.0.0.1:5601`. The value of `host` can be a `URL` or `IP:PORT`. For example: `http://192.15.3.2`, `192:15.3.2:5601` or `http://192.15.3.2:6701/path`. If no
-port is specified, `5601` is used.
-
-NOTE: When a node is defined as an `IP:PORT`, the _scheme_ and _path_ are taken
-from the <<kibana-protocol-option,setup.kibana.protocol>> and
-<<kibana-path-option,setup.kibana.path>> config options.
-
-IPv6 addresses must be defined using the following format:
-`https://[2001:db8::1]:5601`.
-
-[float]
-[[kibana-protocol-option]]
-==== `setup.kibana.protocol`
-
-The name of the protocol {kib} is reachable on. The options are: `http` or
-`https`. The default is `http`. However, if you specify a URL for host, the
-value of `protocol` is overridden by whatever scheme you specify in the URL.
-
-Example config:
-
-[source,yaml]
-----
-setup.kibana.host: "192.0.2.255:5601"
-setup.kibana.protocol: "http"
-setup.kibana.path: /kibana
-----
-
-
-[float]
-==== `setup.kibana.username`
-
-The basic authentication username for connecting to {kib}. If you don't
-specify a value for this setting, {beatname_uc} uses the `username` specified
-for the {es} output.
-
-[float]
-==== `setup.kibana.password`
-
-The basic authentication password for connecting to {kib}. If you don't
-specify a value for this setting, {beatname_uc} uses the `password` specified
-for the {es} output.
-
-[float]
-[[kibana-path-option]]
-==== `setup.kibana.path`
-
-An HTTP path prefix that is prepended to the HTTP API calls. This is useful for
-the cases where {kib} listens behind an HTTP reverse proxy that exports the API
-under a custom prefix.
-
-[float]
-[[kibana-space-id-option]]
-==== `setup.kibana.space.id`
-
-The {kibana-ref}/xpack-spaces.html[Kibana space] ID to use. If specified,
-{beatname_uc} loads {kib} assets into this {kib} space. Omit this option to
-use the default space.
-
-[float]
-===== `setup.kibana.headers`
-
-Custom HTTP headers to add to each request sent to {kib}.
-Example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-setup.kibana.headers:
-  X-My-Header: Header contents
-------------------------------------------------------------------------------
-
-[float]
-==== `setup.kibana.ssl.enabled`
-
-Enables {beatname_uc} to use SSL settings when connecting to {kib} via HTTPS.
-If you configure {beatname_uc} to connect over HTTPS, this setting defaults to
-`true` and {beatname_uc} uses the default SSL settings.
-
-Example configuration:
-
-[source,yaml]
-----
-setup.kibana.host: "https://192.0.2.255:5601"
-setup.kibana.ssl.enabled: true
-setup.kibana.ssl.certificate_authorities: ["/etc/client/ca.pem"]
-setup.kibana.ssl.certificate: "/etc/client/cert.pem"
-setup.kibana.ssl.key: "/etc/client/cert.key
-----
-
-See <<configuration-ssl>> for more information.
diff --git a/libbeat/docs/shared-libbeat-description.asciidoc b/libbeat/docs/shared-libbeat-description.asciidoc
deleted file mode 100644
index c457c21be0fc..000000000000
--- a/libbeat/docs/shared-libbeat-description.asciidoc
+++ /dev/null
@@ -1,3 +0,0 @@
-{beatname_uc} is an Elastic https://www.elastic.co/beats[Beat]. It's
-based on the `libbeat` framework. For more information, see the
-{beats-ref}/index.html[{libbeat-docs}]. 
diff --git a/libbeat/docs/shared-license-statement.asciidoc b/libbeat/docs/shared-license-statement.asciidoc
deleted file mode 100644
index 9314ae124636..000000000000
--- a/libbeat/docs/shared-license-statement.asciidoc
+++ /dev/null
@@ -1,4 +0,0 @@
-Don't have a license? You can start a 30-day trial. At the end of the trial
-period, you can purchase a subscription to keep using central management. For
-more information, see https://www.elastic.co/subscriptions and
-{kibana-ref}/managing-licenses.html[License Management].
diff --git a/libbeat/docs/shared-note-file-permissions.asciidoc b/libbeat/docs/shared-note-file-permissions.asciidoc
deleted file mode 100644
index 43d4c49a9b2b..000000000000
--- a/libbeat/docs/shared-note-file-permissions.asciidoc
+++ /dev/null
@@ -1,3 +0,0 @@
-NOTE: On systems with POSIX file permissions, all Beats configuration files are
-subject to ownership and file permission checks. For more information, see
-{beats-ref}/config-file-permissions.html[Config File Ownership and Permissions].
diff --git a/libbeat/docs/shared-note-sudo.asciidoc b/libbeat/docs/shared-note-sudo.asciidoc
deleted file mode 100644
index 4a3768c3709f..000000000000
--- a/libbeat/docs/shared-note-sudo.asciidoc
+++ /dev/null
@@ -1 +0,0 @@
-NOTE: Use `sudo` to run these commands if the config file is owned by root.
diff --git a/libbeat/docs/shared-path-config.asciidoc b/libbeat/docs/shared-path-config.asciidoc
deleted file mode 100644
index 44c4e6d28090..000000000000
--- a/libbeat/docs/shared-path-config.asciidoc
+++ /dev/null
@@ -1,126 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/shared-path-config.asciidoc[]
-//// Make sure this content appears below a level 2 heading.
-//////////////////////////////////////////////////////////////////////////
-
-[[configuration-path]]
-== Configure project paths
-
-++++
-<titleabbrev>Project paths</titleabbrev>
-++++
-
-The `path` section of the +{beatname_lc}.yml+ config file contains configuration
-options that define where {beatname_uc} looks for its files. For example, {beatname_uc}
-looks for the Elasticsearch template file in the configuration path and writes
-log files in the logs path.
-ifdef::has_registry[]
-{beatname_uc} looks for its registry files in the data path.
-endif::[]
-
-Please see the <<directory-layout>> section for more details.
-
-Here is an example configuration:
-
-[source,yaml]
-------------------------------------------------------------------------------
-path.home: /usr/share/beat
-path.config: /etc/beat
-path.data: /var/lib/beat
-path.logs: /var/log/
-------------------------------------------------------------------------------
-
-Note that it is possible to override these options by using command line flags.
-
-[float]
-=== Configuration options
-
-You can specify the following options in the `path` section of the +{beatname_lc}.yml+ config file:
-
-[float]
-==== `home`
-
-The home path for the {beatname_uc} installation. This is the default base path for all
-other path settings and for miscellaneous files that come with the distribution (for example, the
-sample dashboards). If not set by a CLI flag or in the configuration file, the default
-for the home path is the location of the {beatname_uc} binary.
-
-Example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-path.home: /usr/share/beats
-------------------------------------------------------------------------------
-
-[float]
-==== `config`
-
-The configuration path for the {beatname_uc} installation. This is the default base path
-for configuration files, including the main YAML configuration file and the
-Elasticsearch template file. If not set by a CLI flag or in the configuration file, the default for the
-configuration path is the home path.
-
-Example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-path.config: /usr/share/beats/config
-------------------------------------------------------------------------------
-
-[float]
-==== `data`
-
-The data path for the {beatname_uc} installation. This is the default base path for all
-the files in which {beatname_uc} needs to store its data. If not set by a CLI
-flag or in the configuration file, the default for the data path is a `data`
-subdirectory inside the home path.
-
-
-Example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-path.data: /var/lib/beats
-------------------------------------------------------------------------------
-
-TIP: When running multiple {beatname_uc} instances on the same host, make sure they
-each have a distinct `path.data` value.
-
-[float]
-==== `logs`
-
-The logs path for a {beatname_uc} installation. This is the default location for {beatname_uc}'s
-log files. If not set by a CLI flag or in the configuration file, the default
-for the logs path is a `logs` subdirectory inside the home path.
-
-Example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-path.logs: /var/log/beats
-------------------------------------------------------------------------------
-
-ifeval::["{beatname_lc}"=="metricbeat"]
-[float]
-==== `system.hostfs`
-
-Specifies the mount point of the host's filesystem for use in monitoring a host.
-This can either be set in the config, or with the `--system.hostfs` CLI flag. This is used for cgroup self-monitoring.
-
-This is also used by the system module to read files from `/proc` and `/sys`.
-This option is deprecated and will be removed in a future release. To set the filesystem root, use the `hostfs` flag inside the module-level config.
-
-Example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-system.hostfs: /mount/rootfs
-------------------------------------------------------------------------------
-endif::[]
\ No newline at end of file
diff --git a/libbeat/docs/shared-securing-beat.asciidoc b/libbeat/docs/shared-securing-beat.asciidoc
deleted file mode 100644
index e1c47d91f2cd..000000000000
--- a/libbeat/docs/shared-securing-beat.asciidoc
+++ /dev/null
@@ -1,78 +0,0 @@
-[id="securing-{beatname_lc}"]
-= Secure {beatname_uc}
-
-[partintro]
-
---
-++++
-<titleabbrev>Secure</titleabbrev>
-++++
-
-The following topics provide information about securing the {beatname_uc}
-process and connecting to a cluster that has {security-features} enabled.
-
-You can use role-based access control and optionally, API keys to grant {beatname_uc} users access to
-secured resources.
-
-* <<feature-roles>>
-* <<beats-api-keys>>.
-
-After privileged users have been created, use authentication to connect to a secured Elastic cluster.
-
-* <<securing-communication-elasticsearch>>
-ifndef::no-output-logstash[]
-* <<configuring-ssl-logstash>>
-endif::[]
-
-ifdef::apm-server[]
-For secure communication between APM Server and APM Agents, see <<secure-communication-agents>>.
-endif::[]
-
-ifndef::serverless[]
-ifndef::win_only[]
-On Linux, {beatname_uc} can take advantage of secure computing mode to restrict the
-system calls that a process can issue.
-
-* <<linux-seccomp>>
-endif::[]
-endif::[]
-
-// APM HTTPS information
-ifdef::beat-specific-security[]
-include::{beat-specific-security}[]
-endif::[]
-
---
-
-// APM privileges
-ifdef::apm-server[]
-include::{docdir}/feature-roles.asciidoc[]
-endif::[]
-
-// Beat privileges
-ifndef::apm-server[]
-include::./security/users.asciidoc[]
-endif::[]
-
-// API Keys
-include::./security/api-keys.asciidoc[]
-
-// APM Agent security
-ifdef::apm-server[]
-include::{docdir}/secure-communication-agents.asciidoc[]
-endif::[]
-
-// Elasticsearch security
-include::./https.asciidoc[]
-
-// Logstash security
-ifndef::no-output-logstash[]
-include::./shared-ssl-logstash-config.asciidoc[]
-endif::[]
-
-// Linux Seccomp
-ifndef::serverless[]
-ifndef::win_only[]
-include::./security/linux-seccomp.asciidoc[]
-endif::[]
-endif::[]
diff --git a/libbeat/docs/shared-ssl-config.asciidoc b/libbeat/docs/shared-ssl-config.asciidoc
deleted file mode 100644
index a4bcd2223b9d..000000000000
--- a/libbeat/docs/shared-ssl-config.asciidoc
+++ /dev/null
@@ -1,659 +0,0 @@
-[[configuration-ssl]]
-ifndef::apm-server[]
-== Configure SSL
-
-++++
-<titleabbrev>SSL</titleabbrev>
-++++
-endif::apm-server[]
-ifdef::apm-server[]
-== SSL output settings
-
-You can specify SSL options with any output that supports SSL, like {es}, {ls}, or Kafka.
-endif::[]
-
-ifndef::apm-server[]
-You can specify SSL options when you configure:
-
-* <<configuring-output,outputs>> that support SSL
-ifndef::no_dashboards[]
-* the <<setup-kibana-endpoint,Kibana endpoint>>
-endif::[]
-ifeval::["{beatname_lc}"=="heartbeat"]
-* <<configuration-heartbeat-options,{beatname_uc} monitors>> that support SSL
-endif::[]
-ifeval::["{beatname_lc}"=="metricbeat"]
-* <<metricbeat-modules,modules>> that define the host as an HTTP URL
-endif::[]
-endif::[]
-
-Example output config with SSL enabled:
-
-[source,yaml]
-----
-output.elasticsearch.hosts: ["https://192.168.1.42:9200"]
-output.elasticsearch.ssl.certificate_authorities: ["/etc/client/ca.pem"]
-output.elasticsearch.ssl.certificate: "/etc/client/cert.pem"
-output.elasticsearch.ssl.key: "/etc/client/cert.key"
-----
-
-ifndef::no-output-logstash[]
-Also see <<configuring-ssl-logstash>>.
-endif::[]
-
-ifndef::no_kibana[]
-Example Kibana endpoint config with SSL enabled:
-
-[source,yaml]
-----
-setup.kibana.host: "https://192.0.2.255:5601"
-setup.kibana.ssl.enabled: true
-setup.kibana.ssl.certificate_authorities: ["/etc/client/ca.pem"]
-setup.kibana.ssl.certificate: "/etc/client/cert.pem"
-setup.kibana.ssl.key: "/etc/client/cert.key"
-----
-endif::no_kibana[]
-
-ifeval::["{beatname_lc}"=="heartbeat"]
-Example monitor with SSL enabled:
-
-[source,yaml]
--------------------------------------------------------------------------------
-heartbeat.monitors:
-- type: tcp
-  schedule: '@every 5s'
-  hosts: ["myhost"]
-  ports: [80, 9200, 5044]
-  ssl:
-    certificate_authorities: ['/etc/ca.crt']
-    supported_protocols: ["TLSv1.1", "TLSv1.2"]
--------------------------------------------------------------------------------
-endif::[]
-
-ifeval::["{beatname_lc}"=="metricbeat"]
-Example module with SSL enabled:
-
-[source,yaml]
-----
-- module: http
-  namespace: "myservice"
-  enabled: true
-  period: 10s
-  hosts: ["https://localhost"]
-  path: "/stats"
-  headers:
-    Authorization: "Bearer test123"
-  ssl.verification_mode: "none"
-----
-endif::[]
-
-There are a number of SSL configuration options available to you:
-
-* <<ssl-common-config,Common configuration options>>
-* <<ssl-client-config,Client configuration options>>
-* <<ssl-server-config,Server configuration options>>
-
-[discrete]
-[[ssl-common-config]]
-=== Common configuration options
-
-Common SSL configuration options can be used in both client and server configurations.
-You can specify the following options in the `ssl` section of each subsystem that
-supports SSL.
-
-[float]
-[[enabled]]
-==== `enabled`
-
-To disable SSL configuration, set the value to `false`. The default value is `true`.
-
-[NOTE]
-=====
-SSL settings are disabled if either `enabled` is set to `false` or the
-`ssl` section is missing.
-=====
-
-[float]
-[[supported-protocols]]
-==== `supported_protocols`
-
-List of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions
-not configured, the connection will be dropped during or after the handshake. The
-setting is a list of allowed protocol versions:
-`TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.
-
-The default value is `[TLSv1.2, TLSv1.3]`.
-
-[float]
-[[cipher-suites]]
-==== `cipher_suites`
-
-The list of cipher suites to use. The first entry has the highest priority.
-If this option is omitted, the Go crypto library's https://golang.org/pkg/crypto/tls/[default suites]
-are used (recommended).
-
-Note that if TLS 1.3 is enabled (which is true by default), then the default TLS 1.3 cipher suites are always included, because Go's standard library adds them to all connections. In order to exclude the default TLS 1.3 ciphers, TLS 1.3 must also be disabled, e.g. with the setting `ssl.supported_protocols = [TLSv1.2]`.
-
-// tag::cipher_suites[]
-The following cipher suites are available:
-
-[options="header"]
-|===
-| Cypher | Notes
-| ECDHE-ECDSA-AES-128-CBC-SHA |
-| ECDHE-ECDSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default.
-| ECDHE-ECDSA-AES-128-GCM-SHA256 | TLS 1.2 only.
-| ECDHE-ECDSA-AES-256-CBC-SHA |
-| ECDHE-ECDSA-AES-256-GCM-SHA384 | TLS 1.2 only.
-| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS 1.2 only.
-| ECDHE-ECDSA-RC4-128-SHA | Disabled by default. RC4 not recommended.
-| ECDHE-RSA-3DES-CBC3-SHA |
-| ECDHE-RSA-AES-128-CBC-SHA |
-| ECDHE-RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default.
-| ECDHE-RSA-AES-128-GCM-SHA256 | TLS 1.2 only.
-| ECDHE-RSA-AES-256-CBC-SHA |
-| ECDHE-RSA-AES-256-GCM-SHA384 | TLS 1.2 only.
-| ECDHE-RSA-CHACHA20-POLY1205 | TLS 1.2 only.
-| ECDHE-RSA-RC4-128-SHA | Disabled by default. RC4 not recommended.
-| RSA-3DES-CBC3-SHA |
-| RSA-AES-128-CBC-SHA |
-| RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default.
-| RSA-AES-128-GCM-SHA256 | TLS 1.2 only.
-| RSA-AES-256-CBC-SHA |
-| RSA-AES-256-GCM-SHA384 | TLS 1.2 only.
-| RSA-RC4-128-SHA | Disabled by default. RC4 not recommended.
-|===
-
-Here is a list of acronyms used in defining the cipher suites:
-
-* 3DES:
-  Cipher suites using triple DES
-
-* AES-128/256:
-  Cipher suites using AES with 128/256-bit keys.
-
-* CBC:
-  Cipher using Cipher Block Chaining as block cipher mode.
-
-* ECDHE:
-  Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange.
-
-* ECDSA:
-  Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication.
-
-* GCM:
-  Galois/Counter mode is used for symmetric key cryptography.
-
-* RC4:
-  Cipher suites using RC4.
-
-* RSA:
-  Cipher suites using RSA.
-
-* SHA, SHA256, SHA384:
-  Cipher suites using SHA-1, SHA-256 or SHA-384.
-// end::cipher_suites[]
-
-[float]
-[[curve-types]]
-==== `curve_types`
-
-The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).
-
-The following elliptic curve types are available:
-
-* P-256
-* P-384
-* P-521
-* X25519
-
-[float]
-[[ca-sha256]]
-==== `ca_sha256`
-
-This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain.
-
-The pin is a base64 encoded string of the SHA-256 of the certificate.
-
-NOTE: This check is not a replacement for the normal SSL validation, but it adds additional validation.
-If this option is used with  `verification_mode` set to `none`, the check will always fail because
-it will not receive any verified chains.
-
-[discrete]
-[[ssl-client-config]]
-=== Client configuration options
-
-You can specify the following options in the `ssl` section of each subsystem that
-supports SSL.
-
-[float]
-[[client-certificate-authorities]]
-==== `certificate_authorities`
-
-The list of root certificates for verifications is required. If `certificate_authorities` is empty or not set, the
-system keystore is used. If `certificate_authorities` is self-signed, the host system
-needs to trust that CA cert as well.
-
-By default you can specify a list of files that +{beatname_lc}+ will read, but you
-can also embed a certificate directly in the `YAML` configuration:
-
-[source,yaml]
-----
-certificate_authorities:
-  - |
-    -----BEGIN CERTIFICATE-----
-    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
-    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
-    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
-    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
-    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
-    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
-    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
-    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
-    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
-    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
-    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
-    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
-    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
-    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
-    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
-    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
-    sxSmbIUfc2SGJGCJD4I=
-    -----END CERTIFICATE-----
-----
-
-[float]
-[[client-certificate]]
-==== `certificate: "/etc/client/cert.pem"`
-
-The path to the certificate for SSL client authentication is only required if
-`client_authentication` is specified. If the certificate
-is not specified, client authentication is not available. The connection
-might fail if the server requests client authentication. If the SSL server does not
-require client authentication, the certificate will be loaded, but not requested or used
-by the server.
-
-When this option is configured, the <<client-key,`key`>> option is also required.
-The certificate option support embedding of the certificate:
-
-[source,yaml]
-----
-certificate: |
-    -----BEGIN CERTIFICATE-----
-    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
-    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
-    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
-    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
-    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
-    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
-    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
-    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
-    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
-    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
-    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
-    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
-    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
-    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
-    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
-    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
-    sxSmbIUfc2SGJGCJD4I=
-    -----END CERTIFICATE-----
-----
-
-[float]
-[[client-key]]
-==== `key: "/etc/client/cert.key"`
-
-The client certificate key used for client authentication and is only required
-if `client_authentication` is configured. The key option support embedding of the private key:
-
-[source,yaml]
-----
-key: |
-    -----BEGIN PRIVATE KEY-----
-    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
-    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
-    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
-    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
-    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
-    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
-    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
-    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
-    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
-    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
-    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
-    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
-    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
-    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
-    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
-    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
-    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
-    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
-    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
-    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
-    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
-    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
-    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
-    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
-    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
-    nygO9KTJuUiBrLr0AHEnqko=
-    -----END PRIVATE KEY-----
-----
-
-[float]
-[[client-key-passphrase]]
-==== `key_passphrase`
-
-The passphrase used to decrypt an encrypted key stored in the configured `key` file.
-
-
-[float]
-[[client-verification-mode]]
-==== `verification_mode`
-
-Controls the verification of server certificates. Valid values are:
-
-`full`::
-Verifies that the provided certificate is signed by a trusted
-authority (CA) and also verifies that the server's hostname (or IP address)
-matches the names identified within the certificate.
-
-`strict`::
-Verifies that the provided certificate is signed by a trusted
-authority (CA) and also verifies that the server's hostname (or IP address)
-matches the names identified within the certificate. If the Subject Alternative
-Name is empty, it returns an error.
-
-`certificate`::
-Verifies that the provided certificate is signed by a
-trusted authority (CA), but does not perform any hostname verification.
-
-`none`::
-Performs _no verification_ of the server's certificate. This
-mode disables many of the security benefits of SSL/TLS and should only be used
-after cautious consideration. It is primarily intended as a temporary
-diagnostic mechanism when attempting to resolve TLS errors; its use in
-production environments is strongly discouraged.
-+
-The default value is `full`.
-
-[float]
-[[ca_trusted_fingerprint]]
-==== `ca_trusted_fingerprint`
-A HEX encoded SHA-256 of a CA certificate. If this certificate is
-present in the chain during the handshake, it will be added to the
-`certificate_authorities` list and the handshake will continue
-normaly.
-
-To get the fingerprint from a CA certificate on a Unix-like
-system, you can use the following command, where `ca.crt` is the
-certificate.
-
-[source]
-------------------------
-openssl x509 -fingerprint -sha256 -noout -in ./ca.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'
-------------------------
-
-[discrete]
-[[ssl-server-config]]
-=== Server configuration options
-
-You can specify the following options in the `ssl` section of each subsystem that
-supports SSL.
-
-[float]
-[[server-certificate-authorities]]
-==== `certificate_authorities`
-
-The list of root certificates for client verifications is only required if
-`client_authentication` is configured. If `certificate_authorities` is empty or not set, and
-`client_authentication` is configured, the system keystore is used.
-
-If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well.
-By default you can specify a list of files that +{beatname_lc}+ will read, but you can also embed a certificate
-directly in the `YAML` configuration:
-
-[source,yaml]
-----
-certificate_authorities:
-  - |
-    -----BEGIN CERTIFICATE-----
-    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
-    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
-    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
-    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
-    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
-    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
-    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
-    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
-    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
-    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
-    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
-    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
-    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
-    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
-    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
-    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
-    sxSmbIUfc2SGJGCJD4I=
-    -----END CERTIFICATE-----
-----
-
-[float]
-[[server-certificate]]
-==== `certificate: "/etc/server/cert.pem"`
-
-The end-entity (leaf) certificate that the server uses to identify itself.
-If the certificate is signed by a certificate authority (CA), then it should
-include intermediate CA certificates, sorted from leaf to root.
-For servers, a `certificate` and <<server-key,`key`>> must be specified.
-
-The certificate option supports embedding of the PEM certificate content. This
-example contains the leaf certificate followed by issuer's certificate.
-
-[source,yaml]
-----
-certificate: |
-  -----BEGIN CERTIFICATE-----
-  MIIF2jCCA8KgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEW
-  MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8g
-  UmVhbDEOMAwGA1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwHhcNMjMxMDMw
-  MTkyMzU4WhcNMjMxMDMxMTkyMzU4WjB2MQswCQYDVQQGEwJVUzEWMBQGA1UEBxMN
-  U2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8gUmVhbDEOMAwG
-  A1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMxDzANBgNVBAMTBnNlcnZlcjCC
-  AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALW37cart7l0KE3LCStFbiGm
-  Rr/QSkuPv+Y+SXFT4zXrMFP3mOfUCVsR4lugv+jmql9qjbwR9jKsgKXA1kSvNXSZ
-  lLYWRcNnQ+QzwKxJf/jy246nSfqb2FKvVMs580lDwKHHxn/FSpHV93O4Goy5cLfF
-  ACE7BSdJdxl5DVAMmmkzd6gBGgN8dQIbcyJYuIZYQt44PqSYh/BomTyOXKrmvX4y
-  t7/pF+ldJjWZq/6SfCq6WE0jSrpI1P/42Qd9h5Tsnl6qsUGA2Tz5ZqKz2cyxaIlK
-  wL9tYDionfFIl+jZcxkGPF2a14O1TycCI0B/z+0VL+HR/8fKAB0NdP+QRLaPWOrn
-  DvraAO+bVKC6VrQyUYNUOwtd2gMUqm6Hzrf4s3wjP754eSJkvnSoSAB6l7ZmJKe5
-  Pz5oDDOVPwKHv/MrhsCSMNFeXSEO+rq9TtYEAFQI5rFGHlURga8kA1T1pirHyEtS
-  2o8GUSPSHVulaPdFnHg4xfTexfRYLCqya75ISJuY2/+2GblCie/re1GFitZCZ46/
-  xiQQDOjgL96soDVZ+cTtMpXanslgDapTts9LPIJTd9FUJCY1omISGiSjABRuTlCV
-  8054ja4BKVahSd5BqqtVkWyV64SCut6kce2ndwBkyFvlZ6cteLCW7KtzYvba4XBb
-  YIAs+H+9e/bZUVhws5mFAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgeAMB0GA1Ud
-  JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAOBgNVHQ4EBwQFAQIDBAUwPwYDVR0R
-  BDgwNoIJbG9jYWxob3N0ghFiZWF0cy5leGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAA
-  AAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAgEAldSZOUi+OUR46ERQuINl1oED
-  mjNsQ9FNP/RDu8mPJaNb5v2sAbcpuZb9YdnScT+d+n0+LMd5uz2g67Qr73QCpXwL
-  9YJIs56i7qMTKXlVvRQrvF9P/zP3sm5Zfd2I/x+8oXgEeYsxAWipJ8RsbnN1dtu8
-  C4l+P0E58jjrjom11W90RiHYaT0SI2PPBTTRhYLz0HayThPZDMdFnIQqVxUYbQD5
-  ybWu77hnsvC/g2C8/N2LAdQGJJ67owMa5T3YRneiaSvvOf3I45oeLE+olGAPdrSq
-  5Sp0G7fcAKMRPxcwYeD7V5lfYMtb+RzECpYAHT8zHKLZl6/34q2k8P8EWEpAsD80
-  +zSbCkdvNiU5lU90rV8E2baTKCg871k4O8sT48eUyDps6ZUCfT1dgefXeyOTV5bY
-  864Zo6bWJhAJ7Qa2d4HJkqPzSbqsosHVobojgkOcMqkStLHd8sgtCoFmJMflbp7E
-  ghawl/RVFEkL9+TWy9fR8sJWRx13P8CUP6AL9kVmcU2c3gMNpvQfIii9QOnQrRsi
-  yZj9FKl+ZM49I6RQ6dY5JVgWtpVm/+GBVuy1Aj91JEjw7r1jAeir5K9LAXG8kEN9
-  irndx1SK2MMTY79lGHFGQRv3vnQGI0Wzjtn31YJ7qIFNJ1WWbAZLR9FBtzmMeXM6
-  puoJ9UYvfIcHUGPdZGU=
-  -----END CERTIFICATE-----
-  -----BEGIN CERTIFICATE-----
-  MIIFpjCCA46gAwIBAgIBATANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQGEwJVUzEW
-  MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8g
-  UmVhbDEOMAwGA1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwHhcNMjMxMDMw
-  MTkyMzU2WhcNMjMxMDMxMTkyMzU2WjBlMQswCQYDVQQGEwJVUzEWMBQGA1UEBxMN
-  U2FuIEZyYW5jaXNjbzEcMBoGA1UECRMTV2VzdCBFbCBDYW1pbm8gUmVhbDEOMAwG
-  A1UEERMFOTQwNDAxEDAOBgNVBAoTB0VsYXN0aWMwggIiMA0GCSqGSIb3DQEBAQUA
-  A4ICDwAwggIKAoICAQDQP3hJt4jTIo+tBXB/R4RuBTvv6OOago9joxlNDm0abseJ
-  ehE0V8FDi0SSpa7ZiqwCGq/deu5OIWVNpFCLHeH5YBriNmB7oPkNRCleu50JsUrG
-  RjSTtBIJcu/CVpD7Q5XMbhbhYcPArrxrSreo3ox8a+2X7b8nA1xPgIcWqSCgs9iV
-  lwKHaQWNTUXYwwZG7b9WG4EJaki6t1+1QbDDJU0oWrZNg23wQEBvEVRDQs7kadvm
-  9YtZLPULlSyV4Rk3yNW8dPXHjcz2wp3PBPIWIQe9mzYU608307TkUMVN2EEOImxl
-  Wm1RtXYvvVb1LiY0C2lYbN3jLZQzffK5RsS87ocqTQM+HvDBv/PupHDvW08wietu
-  RtRbdx/2cN0GLmOHnkWKx+GlYDZfAtIj958fTKl2hHyNqJ1pE7vksSYBwBxMFQem
-  eSGzw5pO53kmPcZO203YQ2qoJd7z1aLf7eAOqDn5zwlYNc00bZ6DwTZsyptGv9sZ
-  zcZuovppPgCN4f1I9ja/NPKep+sVKfQqR5HuOFOPFcr6oOioESJSgIvXXF9RhCVh
-  UMeZKWWSCNm1ea4h6q8OJdQfM7XXkXm+dEyF0TogC00CidZWuYMZcgXND5p/1Di5
-  PkCKPUMllCoK0oaTfFioNW7qtNbDGQrW+spwDa4kjJNKYtDD0jjPgFMgSzQ2MwID
-  AQABo2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG
-  AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFImOXc9Tv+mgn9jOsPig
-  9vlAUTa+MA0GCSqGSIb3DQEBCwUAA4ICAQBZ9tqU88Nmgf+vDgkKMKLmLMaRCRlV
-  HcYrm7WoWLX+q6VSbmvf5eD5OrzzbAnnp16iXap8ivsAEFTo8XWh/bjl7G/2jetR
-  xZD2WHtzmAg3s4SVsEHIyFUF1ERwnjO2ndHjoIsx8ktUk1aNrmgPI6s07fkULDm+
-  2aXyBSZ9/oimZM/s3IqYJecxwE+yyS+FiS6mSDCCVIyQXdtVAbFHegyiBYv8EbwF
-  Xz70QiqQtxotGlfts/3uN1s+xnEoWz5E6S5DQn4xQh0xiKSXPizMXou9xKzypeSW
-  qtNdwtg62jKWDaVriBfrvoCnyjjCIjmcTcvA2VLmeZShyTuIucd0lkg2NKIGeM7I
-  o33hmdiKaop1fVtj8zqXvCRa3ecmlvcxPKX0otVFORFNOfaPjH/CjW0CnP0LByGK
-  YW19w0ncJZa9cc1SlNL28lnBhW+i1+ViR02wtjabH9XO+mtxuaEPDZ1hLhhjktqI
-  Y2oFUso4C5xiTU/hrH8+cFv0dn/+zyQoLfJEQbUX9biFeytt7T4Yynwhdy7jryqH
-  fdy/QM26YnsE8D7l4mv99z+zII0IRGnQOuLTuNAIyGJUf69hCDubZFDeHV/IB9hU
-  6GA6lBpsJlTDgfJLbtKuAHxdn1DO+uGg0GxgwggH6Vh9x9yQK2E6BaepJisL/zNB
-  RQQmEyTn1hn/eA==
-  -----END CERTIFICATE-----
-----
-
-[float]
-[[server-key]]
-==== `key: "/etc/server/cert.key"`
-
-The server certificate key used for authentication is required.
-The key option supports embedding of the private key:
-
-[source,yaml]
-----
-key: |
-    -----BEGIN PRIVATE KEY-----
-    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
-    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
-    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
-    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
-    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
-    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
-    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
-    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
-    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
-    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
-    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
-    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
-    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
-    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
-    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
-    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
-    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
-    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
-    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
-    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
-    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
-    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
-    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
-    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
-    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
-    nygO9KTJuUiBrLr0AHEnqko=
-    -----END PRIVATE KEY-----
-----
-
-[float]
-[[server-key-passphrase]]
-==== `key_passphrase`
-
-The passphrase is used to decrypt an encrypted key stored in the configured `key` file.
-
-[float]
-[[server-verification-mode]]
-==== `verification_mode`
-
-Controls the verification of client certificates. Valid values are:
-
-`full`::
-Verifies that the provided certificate is signed by a trusted
-authority (CA) and also verifies that the server's hostname (or IP address)
-matches the names identified within the certificate.
-
-`strict`::
-Verifies that the provided certificate is signed by a trusted
-authority (CA) and also verifies that the server's hostname (or IP address)
-matches the names identified within the certificate. If the Subject Alternative
-Name is empty, it returns an error.
-
-`certificate`::
-Verifies that the provided certificate is signed by a
-trusted authority (CA), but does not perform any hostname verification.
-
-`none`::
-Performs _no verification_ of the server's certificate. This
-mode disables many of the security benefits of SSL/TLS and should only be used
-after cautious consideration. It is primarily intended as a temporary
-diagnostic mechanism when attempting to resolve TLS errors; its use in
-production environments is strongly discouraged.
-+
-The default value is `full`.
-
-[float]
-[[server-renegotiation]]
-==== `renegotiation`
-
-This configures what types of TLS renegotiation are supported. The valid options
-are:
-
-`never`::
-Disables renegotiation.
-
-`once`::
-Allows a remote server to request renegotiation once per connection.
-
-`freely`::
-Allows a remote server to request renegotiation repeatedly.
-+
-The default value is `never`.
-
-[float]
-[[exit_on_cert_change_enabled]]
-==== `restart_on_cert_change.enabled`
-If set to `true` {beatname_uc} will restart if any file listed by `key`,
-`certificate`, or `certificate_authorities` is modified.
-
-NOTE: This feature is NOT supported on Windows. The default value is
-`false`.
-
-NOTE: This feature requres the `execve` system call to be enabled. If
-you have a custom seccomp policy in place, make sure to allow for
-`execve`.
-
-[float]
-[[restart_on_cert_change_period]]
-==== `restart_on_cert_change.period`
-Specifies how often the files are checked for changes. Do not set the
-period to less than 1s because the modification time of files is often
-stored in seconds. Setting the period to less than 1s will result in
-validation error and {beatname_uc} will not start. The default value
-is 1m.
-
-ifeval::["{beatname_lc}" == "filebeat"]
-[float]
-[[server-client-renegotiation]]
-==== `client_authentication`
-
-The type of client authentication mode. When `certificate_authorities` is set, it
-defaults to `required`. Otherwise, it defaults to `none`.
-
-The valid options are:
-
-`none`::
-Disables client authentication.
-
-`optional`::
-When a client certificate is supplied, the server will verify it.
-
-`required`::
-Will require clients to provide a valid certificate.
-endif::[]
diff --git a/libbeat/docs/shared-ssl-logstash-config.asciidoc b/libbeat/docs/shared-ssl-logstash-config.asciidoc
deleted file mode 100644
index 31cbf73fc628..000000000000
--- a/libbeat/docs/shared-ssl-logstash-config.asciidoc
+++ /dev/null
@@ -1,144 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// include::../../libbeat/docs/shared-ssl-logstash-config.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
-[role="xpack"]
-[[configuring-ssl-logstash]]
-== Secure communication with Logstash
-
-You can use SSL mutual authentication to secure connections between {beatname_uc} and Logstash. This ensures that
-{beatname_uc} sends encrypted data to trusted Logstash servers only, and that the Logstash server receives data from
-trusted {beatname_uc} clients only.
-
-To use SSL mutual authentication:
-
-. Create a certificate authority (CA) and use it to sign the certificates that you plan to use for
-{beatname_uc} and Logstash. Creating a correct SSL/TLS infrastructure is outside the scope of this
-document. There are many online resources available that describe how to create certificates.
-+
-TIP: If you are using {security-features}, you can use the
-{ref}/certutil.html[elasticsearch-certutil tool] to generate certificates.
-
-. Configure {beatname_uc} to use SSL. In the +{beatname_lc}.yml+ config file, specify the following settings under
-`ssl`:
-+
-* `certificate_authorities`: Configures {beatname_uc} to trust any certificates signed by the specified CA. If
-`certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used.
-
-* `certificate` and `key`: Specifies the certificate and key that {beatname_uc} uses to authenticate with
-Logstash.
-+
-For example:
-+
-[source,yaml]
-------------------------------------------------------------------------------
-output.logstash:
-  hosts: ["logs.mycompany.com:5044"]
-  ssl.certificate_authorities: ["/etc/ca.crt"]
-  ssl.certificate: "/etc/client.crt"
-  ssl.key: "/etc/client.key"
-------------------------------------------------------------------------------
-+
-For more information about these configuration options, see <<configuration-ssl>>.
-
-. Configure Logstash to use SSL. In the Logstash config file, specify the following settings for the https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html[Beats input plugin for Logstash]:
-+
-* `ssl`: When set to true, enables Logstash to use SSL/TLS.
-* `ssl_certificate_authorities`: Configures Logstash to trust any certificates signed by the specified CA.
-* `ssl_certificate` and `ssl_key`: Specify the certificate and key that Logstash uses to authenticate with the client.
-* `ssl_verify_mode`: Specifies whether the Logstash server verifies the client certificate against the CA. You
-need to specify either `peer` or `force_peer` to make the server ask for the certificate and validate it. If you
-specify `force_peer`, and {beatname_uc} doesn't provide a certificate, the Logstash connection will be closed. If you choose not to use {ref}/certutil.html[certutil], the certificates that you obtain must allow for both `clientAuth` and `serverAuth` if the extended key usage extension is present.
-+
-For example:
-+
-[source,json]
-------------------------------------------------------------------------------
-input {
-  beats {
-    port => 5044
-    ssl => true
-    ssl_certificate_authorities => ["/etc/ca.crt"]
-    ssl_certificate => "/etc/server.crt"
-    ssl_key => "/etc/server.key"
-    ssl_verify_mode => "force_peer"
-  }
-}
-------------------------------------------------------------------------------
-+
-For more information about these options, see the
-https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html[documentation for the Beats input plugin].
-
-[float]
-[[testing-ssl-logstash]]
-=== Validate the Logstash server's certificate
-
-Before running {beatname_uc}, you should validate the Logstash server's certificate. You can use `curl` to validate the certificate even though the protocol used to communicate with Logstash is not based on HTTP. For example:
-
-[source,shell]
-------------------------------------------------------------------------------
-curl -v --cacert ca.crt https://logs.mycompany.com:5044
-------------------------------------------------------------------------------
-
-If the test is successful, you'll receive an empty response error:
-
-[source,shell]
-------------------------------------------------------------------------------
-* Rebuilt URL to: https://logs.mycompany.com:5044/
-*   Trying 192.168.99.100...
-* Connected to logs.mycompany.com (192.168.99.100) port 5044 (#0)
-* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
-* Server certificate: logs.mycompany.com
-* Server certificate: mycompany.com
-> GET / HTTP/1.1
-> Host: logs.mycompany.com:5044
-> User-Agent: curl/7.43.0
-> Accept: */*
->
-* Empty reply from server
-* Connection #0 to host logs.mycompany.com left intact
-curl: (52) Empty reply from server
-------------------------------------------------------------------------------
-
-The following example uses the IP address rather than the hostname to validate the certificate:
-
-[source,shell]
-------------------------------------------------------------------------------
-curl -v --cacert ca.crt https://192.168.99.100:5044
-------------------------------------------------------------------------------
-
-Validation for this test fails because the certificate is not valid for the specified IP address. It's only valid for the `logs.mycompany.com`, the hostname that appears in the Subject field of the certificate.
-
-[source,shell]
-------------------------------------------------------------------------------
-* Rebuilt URL to: https://192.168.99.100:5044/
-*   Trying 192.168.99.100...
-* Connected to 192.168.99.100 (192.168.99.100) port 5044 (#0)
-* WARNING: using IP address, SNI is being disabled by the OS.
-* SSL: certificate verification failed (result: 5)
-* Closing connection 0
-curl: (51) SSL: certificate verification failed (result: 5)
-------------------------------------------------------------------------------
-
-See the <<ssl-client-fails,troubleshooting docs>> for info about resolving this issue.
-
-[float]
-=== Test the {beatname_uc} to Logstash connection
-
-If you have {beatname_uc} running as a service, first stop the service. Then test your setup by running {beatname_uc} in
-the foreground so you can quickly see any errors that occur:
-
-["source","sh",subs="attributes,callouts"]
-------------------------------------------------------------------------------
-{beatname_lc} -c {beatname_lc}.yml -e -v
-------------------------------------------------------------------------------
-
-Any errors will be printed to the console. See the <<ssl-client-fails,troubleshooting docs>> for info about
-resolving common errors.
diff --git a/libbeat/docs/shared-systemd.asciidoc b/libbeat/docs/shared-systemd.asciidoc
deleted file mode 100644
index 0fccb8a6d051..000000000000
--- a/libbeat/docs/shared-systemd.asciidoc
+++ /dev/null
@@ -1,105 +0,0 @@
-[[running-with-systemd]]
-=== {beatname_uc} and systemd
-
-The DEB and RPM packages include a service unit for Linux systems with
-systemd. On these systems, you can manage {beatname_uc} by using the usual
-systemd commands.
-
-The service unit is configured with `UMask=0027` which means the most permissive mask allowed for files created by {beatname_uc} is `0640`. All configured file permissions higher than `0640` will be ignored. Please edit the unit file manually in case you need to change that.
-
-ifdef::apm-server[]
-We recommend that the {beatname_pkg} process is run as a non-root user.
-Therefore, that is the default setup for {beatname_uc}'s DEB package and RPM installation.
-endif::apm-server[]
-
-==== Start and stop {beatname_uc}
-
-Use `systemctl` to start or stop {beatname_uc}:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-sudo systemctl start {beatname_pkg}
-------------------------------------------------
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-sudo systemctl stop {beatname_pkg}
-------------------------------------------------
-
-By default, the {beatname_uc} service starts automatically when the system
-boots. To enable or disable auto start use:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-sudo systemctl enable {beatname_pkg}
-------------------------------------------------
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-sudo systemctl disable {beatname_pkg}
-------------------------------------------------
-
-
-==== {beatname_uc} status and logs
-
-To get the service status, use `systemctl`:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-systemctl status {beatname_pkg}
-------------------------------------------------
-
-Logs are stored by default in journald. To view the Logs, use `journalctl`:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-journalctl -u {beatname_pkg}.service
-------------------------------------------------
-
-[float]
-=== Customize systemd unit for {beatname_uc}
-
-The systemd service unit file includes environment variables that you can
-override to change the default options.
-
-[cols="<h,<,<m",options="header",]
-|=======================================
-| Variable | Description | Default value
-| BEAT_LOG_OPTS | Log options |
-| BEAT_CONFIG_OPTS | Flags for configuration file path | +-c /etc/{beatname_lc}/{beatname_lc}.yml+
-| BEAT_PATH_OPTS | Other paths | +--path.home /usr/share/{beatname_lc} --path.config /etc/{beatname_lc} --path.data /var/lib/{beatname_lc} --path.logs /var/log/{beatname_lc}+
-|=======================================
-
-NOTE: You can use `BEAT_LOG_OPTS` to set debug selectors for logging. However,
-to configure logging behavior, set the logging options described in
-<<configuration-logging,Configure logging>>.
-
-To override these variables, create a drop-in unit file in the
-+/etc/systemd/system/{beatname_pkg}.service.d+ directory.  
-
-For example a file with the following content placed in
-+/etc/systemd/system/{beatname_pkg}.service.d/debug.conf+
-would override `BEAT_LOG_OPTS` to enable debug for Elasticsearch output.
-
-["source", "systemd", subs="attributes"]
-------------------------------------------------
-[Service]
-Environment="BEAT_LOG_OPTS=-d elasticsearch"
-------------------------------------------------
-
-To apply your changes, reload the systemd configuration and restart
-the service:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-systemctl daemon-reload
-systemctl restart {beatname_pkg}
-------------------------------------------------
-
-NOTE: It is recommended that you use a configuration management tool to
-include drop-in unit files. If you need to add a drop-in manually, use
-+systemctl edit {beatname_pkg}.service+.
-
-ifdef::apm-server[]
-include::{docdir}/config-ownership.asciidoc[]
-endif::apm-server[]
diff --git a/libbeat/docs/shared/config-check.asciidoc b/libbeat/docs/shared/config-check.asciidoc
deleted file mode 100644
index 1db38fc26832..000000000000
--- a/libbeat/docs/shared/config-check.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-ifndef::requires-sudo[]
-TIP: To test your configuration file, change to the directory where the
-{beatname_uc} binary is installed, and run {beatname_uc} in the foreground with
-the following options specified: +./{beatname_lc} test config -e+. Make sure your
-config files are in the path expected by {beatname_uc} (see <<directory-layout>>),
-or use the `-c` flag to specify the path to the config file.
-endif::[]
-
-ifdef::requires-sudo[]
-TIP: To test your configuration file, change to the directory where the
-{beatname_uc} binary is installed, and run {beatname_uc} in the foreground with
-the following options specified: +sudo ./{beatname_lc} test config -e+. Make sure
-your config files are in the path expected by {beatname_uc} (see
-<<directory-layout>>), or use the `-c` flag to specify the path to the config
-file. Depending on your OS, you might run into file ownership issues when you
-run this test. See
-{beats-ref}/config-file-permissions.html[Config File Ownership and Permissions]
-for more information.
-endif::[]
-
-For more information about configuring {beatname_uc}, also see:
-
-* <<configuring-howto-{beatname_lc},Configure {beatname_uc}>>
-* {beats-ref}/config-file-format.html[Config file format]
-ifeval::["{beatname_lc}"!="apm-server"]
-* <<{beatname_lc}-reference-yml,+{beatname_lc}.reference.yml+>>: This reference configuration
-file shows all non-deprecated options. You'll find it in the same location as
-+{beatname_lc}.yml+.
-endif::[]
diff --git a/libbeat/docs/shared/configuring-intro.asciidoc b/libbeat/docs/shared/configuring-intro.asciidoc
deleted file mode 100644
index 82812c34bd11..000000000000
--- a/libbeat/docs/shared/configuring-intro.asciidoc
+++ /dev/null
@@ -1,19 +0,0 @@
-
-ifndef::apm-server[]
-TIP: To get started quickly, read <<{beatname_lc}-installation-configuration>>.
-endif::[]
-
-To configure {beatname_uc}, edit the configuration file. The default
-configuration file is called  +{beatname_lc}.yml+. The location of the file
-varies by platform. To locate the file, see <<directory-layout>>.
-
-ifndef::apm-server[]
-There’s also a full example configuration file called +{beatname_lc}.reference.yml+
-that shows all non-deprecated options.
-endif::[]
-
-TIP: See the
-{beats-ref}/config-file-format.html[Config File Format] for more about the
-structure of the config file.
-
-The following topics describe how to configure {beatname_uc}:
diff --git a/libbeat/docs/shared/connecting-to-es.asciidoc b/libbeat/docs/shared/connecting-to-es.asciidoc
deleted file mode 100644
index 67cb2cc37556..000000000000
--- a/libbeat/docs/shared/connecting-to-es.asciidoc
+++ /dev/null
@@ -1,17 +0,0 @@
-Connections to {es} and {kib} are required to set up {beatname_uc}.
-
-Set the connection information in +{beatname_lc}.yml+. To locate this
-configuration file, see <<directory-layout>>.
-
-include::{libbeat-dir}/tab-widgets/set-connection-widget.asciidoc[]
-
-To learn more about required roles and privileges, see
-<<feature-roles>>.
-
-ifeval::["{beatname_uc}"!="Winlogbeat"]
-NOTE: You can send data to other <<configuring-output,outputs>>,
-ifndef::no-output-logstash[]
-such as {ls},
-endif::no-output-logstash[]
-but that requires additional configuration and setup.
-endif::[]
diff --git a/libbeat/docs/shared/integration-link.asciidoc b/libbeat/docs/shared/integration-link.asciidoc
deleted file mode 100644
index 278c5d3cf484..000000000000
--- a/libbeat/docs/shared/integration-link.asciidoc
+++ /dev/null
@@ -1,17 +0,0 @@
-.Prefer to use {agent} for this use case?
-****
-Refer to the
-https://docs.elastic.co/en/integrations/{modulename}[Elastic Integrations documentation].
-
-[%collapsible]
-.Learn more
-====
-{agent} is a single, unified way to add monitoring for logs, metrics, and
-other types of data to a host. It can also protect hosts from security threats,
-query data from operating systems, forward data from remote services or
-hardware, and more. Refer to the documentation for a detailed
-{fleet-guide}/beats-agent-comparison.html[comparison of {beats} and {agent}]. 
-
-====
-
-****
\ No newline at end of file
diff --git a/libbeat/docs/shared/obs-apps.asciidoc b/libbeat/docs/shared/obs-apps.asciidoc
deleted file mode 100644
index e9a9367b38a3..000000000000
--- a/libbeat/docs/shared/obs-apps.asciidoc
+++ /dev/null
@@ -1,56 +0,0 @@
-. Ingest data from other sources by installing and configuring other Elastic
-{beats}:
-+
---
-[options="header"]
-|===
-|Elastic {beats} | To capture
-
-ifeval::["{beatname_lc}"!="metricbeat"]
-|{metricbeat-ref}/metricbeat-installation-configuration.html[{metricbeat}]
-|Infrastructure metrics
-endif::[]
-ifeval::["{beatname_lc}"!="filebeat"]
-|{filebeat-ref}/filebeat-installation-configuration.html[{filebeat}]
-|Logs
-endif::[]
-ifeval::["{beatname_lc}"!="winlogbeat"]
-|{winlogbeat-ref}/winlogbeat-installation-configuration.html[{winlogbeat}]
-|Windows event logs
-endif::[]
-ifeval::["{beatname_lc}"!="heartbeat"]
-|{heartbeat-ref}/heartbeat-installation-configuration.html[{heartbeat}]
-|Uptime information
-endif::[]
-|{apm-guide-ref}/index.html[APM]
-|Application performance metrics
-ifeval::["{beatname_lc}"!="auditbeat"]
-|{auditbeat-ref}/auditbeat-installation-configuration.html[{auditbeat}]
-|Audit events
-endif::[]
-|===
---
-
-. Use the Observability apps in {kib} to search across all your data:
-+
---
-[options="header"]
-|===
-|Elastic apps | Use to
-
-|{observability-guide}/analyze-metrics.html[{metrics-app}]
-|Explore metrics about systems and services across your ecosystem
-
-|{observability-guide}/monitor-logs.html[{logs-app}]
-|Tail related log data in real time
-
-|{observability-guide}/monitor-uptime.html[{uptime-app}]
-|Monitor availability issues across your apps and services
-
-|{kibana-ref}/xpack-apm.html[APM app]
-|Monitor application performance
-
-|{kibana-ref}/xpack-siem.html[{siem-app}]
-|Analyze security events
-|===
---
diff --git a/libbeat/docs/shared/opendashboards.asciidoc b/libbeat/docs/shared/opendashboards.asciidoc
deleted file mode 100644
index 1b9425049984..000000000000
--- a/libbeat/docs/shared/opendashboards.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-// tag::open-dashboards-intro[]
-{beatname_uc} comes with pre-built {kib} dashboards and UIs for visualizing log
-data. You loaded the dashboards earlier when you ran the `setup` command.
-// end::open-dashboards-intro[]
-
-// tag::open-dashboards[]
-To open the dashboards:
-
-. Launch {kib}:
-+
---
-include::{libbeat-dir}/tab-widgets/open-kibana-widget.asciidoc[]
---
-
-. In the side navigation, click *Discover*. To see {beatname_uc} data, make
-sure the predefined +{beatname_lc}-*+ data view is selected.
-+
---
-TIP: If you don’t see data in {kib}, try changing the time filter to a larger
-range. By default, {kib} shows the last 15 minutes.
---
-
-. In the side navigation, click *Dashboard*, then select the dashboard that you
-want to open.
-
-The dashboards are provided as examples. We recommend that you
-{kibana-ref}/dashboard.html[customize] them to meet your needs.
-// end::open-dashboards[]
diff --git a/libbeat/docs/shared/README.txt b/libbeat/docs/shared/readme.txt
similarity index 100%
rename from libbeat/docs/shared/README.txt
rename to libbeat/docs/shared/readme.txt
diff --git a/libbeat/docs/shared/shutdown.asciidoc b/libbeat/docs/shared/shutdown.asciidoc
deleted file mode 100644
index 7ce26c34c17c..000000000000
--- a/libbeat/docs/shared/shutdown.asciidoc
+++ /dev/null
@@ -1,13 +0,0 @@
-[[shutdown]]
-=== Stop {beatname_uc}
-
-An orderly shutdown of {beatname_uc} ensures that it has a chance to clean up 
-and close outstanding resources. You can help ensure an orderly shutdown by 
-stopping {beatname_uc} properly. 
-
-If you’re running {beatname_uc} as a service, you can stop it via the service 
-management functionality provided by your installation. 
-
-If you’re running {beatname_uc} directly in the console, you can stop it by 
-entering *Ctrl-C*. Alternatively, send SIGTERM to the {beatname_uc} process on a 
-POSIX system.
diff --git a/libbeat/docs/shared/start-beat.asciidoc b/libbeat/docs/shared/start-beat.asciidoc
deleted file mode 100644
index 5ced237d8543..000000000000
--- a/libbeat/docs/shared/start-beat.asciidoc
+++ /dev/null
@@ -1,14 +0,0 @@
-[id="{beatname_lc}-starting"]
-=== Start {beatname_uc}
-
-Before starting {beatname_uc}:
-
-* Follow the steps in <<{beatname_lc}-installation-configuration>> to install,
-configure, and set up the {beatname_uc} environment.
-* Make sure {kib} and {es} are running.
-* Make sure the user specified in +{beatname_lc}.yml+ is
-<<privileges-to-publish-events,authorized to publish events>>.
-
-To start {beatname_uc}, run:
-
-include::{docdir}/getting-started.asciidoc[tag=start-step]
diff --git a/libbeat/docs/tab-widgets/enable-modules-widget.asciidoc b/libbeat/docs/tab-widgets/enable-modules-widget.asciidoc
deleted file mode 100644
index acae6033985c..000000000000
--- a/libbeat/docs/tab-widgets/enable-modules-widget.asciidoc
+++ /dev/null
@@ -1,94 +0,0 @@
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Enable modules">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-enable-modules"
-            id="deb-enable-modules">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-enable-modules"
-            id="rpm-enable-modules"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-enable-modules"
-            id="mac-enable-modules"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-enable-modules"
-            id="linux-enable-modules"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-enable-modules"
-            id="win-enable-modules"
-            tabindex="-1">
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-enable-modules"
-       aria-labelledby="deb-enable-modules">
-++++
-
-include::enable-modules.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-enable-modules"
-       aria-labelledby="rpm-enable-modules"
-       hidden="">
-++++
-
-include::enable-modules.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-enable-modules"
-       aria-labelledby="mac-enable-modules"
-       hidden="">
-++++
-
-include::enable-modules.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-enable-modules"
-       aria-labelledby="linux-enable-modules"
-       hidden="">
-++++
-
-include::enable-modules.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-enable-modules"
-       aria-labelledby="win-enable-modules"
-       hidden="">
-++++
-
-include::enable-modules.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/enable-modules.asciidoc b/libbeat/docs/tab-widgets/enable-modules.asciidoc
deleted file mode 100644
index 254d0ea71359..000000000000
--- a/libbeat/docs/tab-widgets/enable-modules.asciidoc
+++ /dev/null
@@ -1,34 +0,0 @@
-// tag::deb[]
-["source","sh",subs="attributes"]
-----
-{beatname_lc} modules enable {modulename}
-----
-// end::deb[]
-
-// tag::rpm[]
-["source","sh",subs="attributes"]
-----
-{beatname_lc} modules enable {modulename}
-----
-// end::rpm[]
-
-// tag::mac[]
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} modules enable {modulename}
-----
-// end::mac[]
-
-// tag::linux[]
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} modules enable {modulename}
-----
-// end::linux[]
-
-// tag::win[]
-["source","sh",subs="attributes"]
-----
-PS > .{backslash}{beatname_lc}.exe modules enable {modulename}
-----
-// end::win[]
diff --git a/libbeat/docs/tab-widgets/install-deb-rpm-linux-widget.asciidoc b/libbeat/docs/tab-widgets/install-deb-rpm-linux-widget.asciidoc
deleted file mode 100644
index d6186388bd57..000000000000
--- a/libbeat/docs/tab-widgets/install-deb-rpm-linux-widget.asciidoc
+++ /dev/null
@@ -1,58 +0,0 @@
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Install">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-install"
-            id="deb-install">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-install"
-            id="rpm-install"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-install"
-            id="linux-install"
-            tabindex="-1">
-      Linux
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-install"
-       aria-labelledby="deb-install">
-++++
-
-include::install.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-install"
-       aria-labelledby="rpm-install"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-install"
-       aria-labelledby="linux-install"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=linux]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/install-linux-mac-win-short-widget.asciidoc b/libbeat/docs/tab-widgets/install-linux-mac-win-short-widget.asciidoc
deleted file mode 100644
index f166aa5e45c1..000000000000
--- a/libbeat/docs/tab-widgets/install-linux-mac-win-short-widget.asciidoc
+++ /dev/null
@@ -1,58 +0,0 @@
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Install">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="mac-tab-install"
-            id="mac-install">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-install"
-            id="linux-install"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-install"
-            id="win-install"
-            tabindex="-1">
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-install"
-       aria-labelledby="mac-install">
-++++
-
-include::install.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-install"
-       aria-labelledby="linux-install"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-install"
-       aria-labelledby="win-install"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=win-short]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/install-widget-filebeat.asciidoc b/libbeat/docs/tab-widgets/install-widget-filebeat.asciidoc
deleted file mode 100644
index 88e81a4974fe..000000000000
--- a/libbeat/docs/tab-widgets/install-widget-filebeat.asciidoc
+++ /dev/null
@@ -1,96 +0,0 @@
-:beatname_uc: Filebeat
-:beatname_lc: filebeat
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Install-f">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-install-filebeat"
-            id="deb-install-filebeat">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-install-filebeat"
-            id="rpm-install-filebeat"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-install-filebeat"
-            id="mac-install-filebeat"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-install-filebeat"
-            id="linux-install-filebeat"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-install-filebeat"
-            id="win-install-filebeat"
-            tabindex="-1">
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-install-filebeat"
-       aria-labelledby="deb-install-filebeat">
-++++
-
-include::install.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-install-filebeat"
-       aria-labelledby="rpm-install-filebeat"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-install-filebeat"
-       aria-labelledby="mac-install-filebeat"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-install-filebeat"
-       aria-labelledby="linux-install-filebeat"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-install-filebeat"
-       aria-labelledby="win-install-filebeat"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/install-widget-heartbeat.asciidoc b/libbeat/docs/tab-widgets/install-widget-heartbeat.asciidoc
deleted file mode 100644
index e69a9d451c7c..000000000000
--- a/libbeat/docs/tab-widgets/install-widget-heartbeat.asciidoc
+++ /dev/null
@@ -1,96 +0,0 @@
-:beatname_uc: Heartbeat
-:beatname_lc: heartbeat
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Install-h">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-install-heartbeat"
-            id="deb-install-heartbeat">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-install-heartbeat"
-            id="rpm-install-heartbeat"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-install-heartbeat"
-            id="mac-install-heartbeat"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-install-heartbeat"
-            id="linux-install-heartbeat"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-install-heartbeat"
-            id="win-install-heartbeat"
-            tabindex="-1">
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-install-heartbeat"
-       aria-labelledby="deb-install-heartbeat">
-++++
-
-include::install.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-install-heartbeat"
-       aria-labelledby="rpm-install-heartbeat"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-install-heartbeat"
-       aria-labelledby="mac-install-heartbeat"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-install-heartbeat"
-       aria-labelledby="linux-install-heartbeat"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-install-heartbeat"
-       aria-labelledby="win-install-heartbeat"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/install-widget-metricbeat.asciidoc b/libbeat/docs/tab-widgets/install-widget-metricbeat.asciidoc
deleted file mode 100644
index c85a01ad3ec0..000000000000
--- a/libbeat/docs/tab-widgets/install-widget-metricbeat.asciidoc
+++ /dev/null
@@ -1,96 +0,0 @@
-:beatname_uc: Metricbeat
-:beatname_lc: metricbeat
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Install-m">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-install-metricbeat"
-            id="deb-install-metricbeat">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-install-metricbeat"
-            id="rpm-install-metricbeat"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-install-metricbeat"
-            id="mac-install-metricbeat"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-install-metricbeat"
-            id="linux-install-metricbeat"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-install-metricbeat"
-            id="win-install-metricbeat"
-            tabindex="-1">
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-install-metricbeat"
-       aria-labelledby="deb-install-metricbeat">
-++++
-
-include::install.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-install-metricbeat"
-       aria-labelledby="rpm-install-metricbeat"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-install-metricbeat"
-       aria-labelledby="mac-install-metricbeat"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-install-metricbeat"
-       aria-labelledby="linux-install-metricbeat"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-install-metricbeat"
-       aria-labelledby="win-install-metricbeat"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/install-widget.asciidoc b/libbeat/docs/tab-widgets/install-widget.asciidoc
deleted file mode 100644
index d3405a397011..000000000000
--- a/libbeat/docs/tab-widgets/install-widget.asciidoc
+++ /dev/null
@@ -1,94 +0,0 @@
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Install">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-install"
-            id="deb-install">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-install"
-            id="rpm-install"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-install"
-            id="mac-install"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-install"
-            id="linux-install"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-install"
-            id="win-install"
-            tabindex="-1">
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-install"
-       aria-labelledby="deb-install">
-++++
-
-include::install.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-install"
-       aria-labelledby="rpm-install"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-install"
-       aria-labelledby="mac-install"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-install"
-       aria-labelledby="linux-install"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-install"
-       aria-labelledby="win-install"
-       hidden="">
-++++
-
-include::install.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/install.asciidoc b/libbeat/docs/tab-widgets/install.asciidoc
deleted file mode 100644
index 08bd8a128e9b..000000000000
--- a/libbeat/docs/tab-widgets/install.asciidoc
+++ /dev/null
@@ -1,123 +0,0 @@
-// tag::deb[]
-ifeval::["{release-state}"=="unreleased"]
-
-Version {version} of {beatname_uc} has not yet been released.
-
-endif::[]
-
-ifeval::["{release-state}"!="unreleased"]
-
-["source","sh",subs="attributes"]
-------------------------------------------------
-curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-amd64.deb
-sudo dpkg -i {beatname_lc}-{version}-amd64.deb
-------------------------------------------------
-
-endif::[]
-// end::deb[]
-
-// tag::rpm[]
-ifeval::["{release-state}"=="unreleased"]
-
-Version {version} of {beatname_uc} has not yet been released.
-
-endif::[]
-
-ifeval::["{release-state}"!="unreleased"]
-
-["source","sh",subs="attributes"]
-------------------------------------------------
-curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-x86_64.rpm
-sudo rpm -vi {beatname_lc}-{version}-x86_64.rpm
-------------------------------------------------
-
-endif::[]
-// end::rpm[]
-
-// tag::mac[]
-ifeval::["{release-state}"=="unreleased"]
-
-Version {version} of {beatname_uc} has not yet been released.
-
-endif::[]
-
-ifeval::["{release-state}"!="unreleased"]
-
-["source","sh",subs="attributes"]
-------------------------------------------------
-curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-darwin-x86_64.tar.gz
-tar xzvf {beatname_lc}-{version}-darwin-x86_64.tar.gz
-------------------------------------------------
-
-endif::[]
-// end::mac[]
-
-// tag::linux[]
-ifeval::["{release-state}"=="unreleased"]
-
-Version {version} of {beatname_uc} has not yet been released.
-
-endif::[]
-
-ifeval::["{release-state}"!="unreleased"]
-
-["source","sh",subs="attributes"]
-------------------------------------------------
-curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-linux-x86_64.tar.gz
-tar xzvf {beatname_lc}-{version}-linux-x86_64.tar.gz
-------------------------------------------------
-
-endif::[]
-// end::linux[]
-
-// tag::win[]
-ifeval::["{release-state}"=="unreleased"]
-
-Version {version} of {beatname_uc} has not yet been released.
-
-endif::[]
-
-ifeval::["{release-state}"!="unreleased"]
-
-. Download the {beatname_uc} Windows zip file: https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-windows-x86_64.zip
-
-. Extract the contents of the zip file into `C:\Program Files`.
-
-. Rename the +{beatname_lc}-{version}-windows-x86_64+ directory to +{beatname_uc}+.
-
-. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon
-and select *Run As Administrator*).
-
-. From the PowerShell prompt, run the following commands to install
-{beatname_uc} as a Windows service:
-+
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
-PS > cd 'C:{backslash}Program Files{backslash}{beatname_uc}'
-PS C:{backslash}Program Files{backslash}{beatname_uc}> .{backslash}install-service-{beatname_lc}.ps1
-----------------------------------------------------------------------
-
-NOTE: If script execution is disabled on your system, you need to set the
-execution policy for the current session to allow the script to run. For
-example:
-+PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-{beatname_lc}.ps1+.
-
-endif::[]
-// end::win[]
-
-// tag::win-short[]
-ifeval::["{release-state}"=="unreleased"]
-
-Version {version} of {beatname_uc} has not yet been released.
-
-endif::[]
-
-ifeval::["{release-state}"!="unreleased"]
-
-. Download the {beatname_uc} Windows zip file from the
-https://www.elastic.co/downloads/beats/{beatname_lc}[downloads page].
-
-. Extract the contents of the zip file into `C:\Program Files`.
-
-endif::[]
-// end::win-short[]
diff --git a/libbeat/docs/tab-widgets/list-modules-widget.asciidoc b/libbeat/docs/tab-widgets/list-modules-widget.asciidoc
deleted file mode 100644
index 7925d75c835d..000000000000
--- a/libbeat/docs/tab-widgets/list-modules-widget.asciidoc
+++ /dev/null
@@ -1,94 +0,0 @@
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="List modules">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-list-modules"
-            id="deb-list-modules">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-list-modules"
-            id="rpm-list-modules"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-list-modules"
-            id="mac-list-modules"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-list-modules"
-            id="linux-list-modules"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-list-modules"
-            id="win-list-modules"
-            tabindex="-1">
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-list-modules"
-       aria-labelledby="deb-list-modules">
-++++
-
-include::list-modules.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-list-modules"
-       aria-labelledby="rpm-list-modules"
-       hidden="">
-++++
-
-include::list-modules.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-list-modules"
-       aria-labelledby="mac-list-modules"
-       hidden="">
-++++
-
-include::list-modules.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-list-modules"
-       aria-labelledby="linux-list-modules"
-       hidden="">
-++++
-
-include::list-modules.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-list-modules"
-       aria-labelledby="win-list-modules"
-       hidden="">
-++++
-
-include::list-modules.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/list-modules.asciidoc b/libbeat/docs/tab-widgets/list-modules.asciidoc
deleted file mode 100644
index 3d90f94496e4..000000000000
--- a/libbeat/docs/tab-widgets/list-modules.asciidoc
+++ /dev/null
@@ -1,35 +0,0 @@
-// tag::deb[]
-["source","sh",subs="attributes"]
-----
-{beatname_lc} modules list
-----
-// end::deb[]
-
-// tag::rpm[]
-["source","sh",subs="attributes"]
-----
-{beatname_lc} modules list
-----
-// end::rpm[]
-
-// tag::mac[]
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} modules list
-----
-// end::mac[]
-
-// tag::linux[]
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} modules list
-----
-
-// end::linux[]
-
-// tag::win[]
-["source","sh",subs="attributes"]
-----
-PS > .{backslash}{beatname_lc}.exe modules list
-----
-// end::win[]
diff --git a/libbeat/docs/tab-widgets/load-dashboards-logstash-widget.asciidoc b/libbeat/docs/tab-widgets/load-dashboards-logstash-widget.asciidoc
deleted file mode 100644
index eda3b0c698f6..000000000000
--- a/libbeat/docs/tab-widgets/load-dashboards-logstash-widget.asciidoc
+++ /dev/null
@@ -1,112 +0,0 @@
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Load dashboards Logstash">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-dashboards-logstash"
-            id="deb-dashboards-logstash">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-dashboards-logstash"
-            id="rpm-dashboards-logstash"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-dashboards-logstash"
-            id="mac-dashboards-logstash"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-dashboards-logstash"
-            id="linux-dashboards-logstash"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="docker-tab-dashboards-logstash"
-            id="docker-dashboards-logstash"
-            tabindex="-1">
-      Docker
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-dashboards-logstash"
-            id="win-dashboards-logstash"
-            tabindex="-1">            
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-dashboards-logstash"
-       aria-labelledby="deb-dashboards-logstash">
-++++
-
-include::load-dashboards-logstash.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-dashboards-logstash"
-       aria-labelledby="rpm-dashboards-logstash"
-       hidden="">
-++++
-
-include::load-dashboards-logstash.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-dashboards-logstash"
-       aria-labelledby="mac-dashboards-logstash"
-       hidden="">
-++++
-
-include::load-dashboards-logstash.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-dashboards-logstash"
-       aria-labelledby="linux-dashboards-logstash"
-       hidden="">
-++++
-
-include::load-dashboards-logstash.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="docker-tab-dashboards-logstash"
-       aria-labelledby="docker-dashboards-logstash"
-       hidden="">
-++++
-
-include::load-dashboards-logstash.asciidoc[tag=docker]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-dashboards-logstash"
-       aria-labelledby="win-dashboards-logstash"
-       hidden="">
-++++
-
-include::load-dashboards-logstash.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
\ No newline at end of file
diff --git a/libbeat/docs/tab-widgets/load-dashboards-logstash.asciidoc b/libbeat/docs/tab-widgets/load-dashboards-logstash.asciidoc
deleted file mode 100644
index e4327b78afc3..000000000000
--- a/libbeat/docs/tab-widgets/load-dashboards-logstash.asciidoc
+++ /dev/null
@@ -1,76 +0,0 @@
-// tag::deb[]
-["source","sh",subs="attributes"]
-----
-{beatname_lc} setup -e \
-  -E output.logstash.enabled=false \
-  -E output.elasticsearch.hosts=['localhost:9200'] \
-  -E output.elasticsearch.username={beat_default_index_prefix}_internal \
-  -E output.elasticsearch.password={pwd} \
-  -E setup.kibana.host=localhost:5601
-----
-// end::deb[]
-
-// tag::rpm[]
-["source","sh",subs="attributes"]
-----
-{beatname_lc} setup -e \
-  -E output.logstash.enabled=false \
-  -E output.elasticsearch.hosts=['localhost:9200'] \
-  -E output.elasticsearch.username={beat_default_index_prefix}_internal \
-  -E output.elasticsearch.password={pwd} \
-  -E setup.kibana.host=localhost:5601
-----
-// end::rpm[]
-
-// tag::mac[]
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup -e \
-  -E output.logstash.enabled=false \
-  -E output.elasticsearch.hosts=['localhost:9200'] \
-  -E output.elasticsearch.username={beat_default_index_prefix}_internal \
-  -E output.elasticsearch.password={pwd} \
-  -E setup.kibana.host=localhost:5601
-----
-// end::mac[]
-
-// tag::linux[]
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup -e \
-  -E output.logstash.enabled=false \
-  -E output.elasticsearch.hosts=['localhost:9200'] \
-  -E output.elasticsearch.username={beat_default_index_prefix}_internal \
-  -E output.elasticsearch.password={pwd} \
-  -E setup.kibana.host=localhost:5601
-----
-// end::linux[]
-
-// tag::docker[]
-["source","sh",subs="attributes"]
-----
-docker run --rm --net="host" {dockerimage} setup -e \
-  -E output.logstash.enabled=false \
-  -E output.elasticsearch.hosts=['localhost:9200'] \
-  -E output.elasticsearch.username={beat_default_index_prefix}_internal \
-  -E output.elasticsearch.password={pwd} \
-  -E setup.kibana.host=localhost:5601
-----
-// end::docker[]
-
-// tag::win[]
-
-Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select *Run As Administrator*).
-
-From the PowerShell prompt, change to the directory where you installed {beatname_uc}, and run:
-
-["source","sh",subs="attributes"]
-----
-PS > .{backslash}{beatname_lc}.exe setup -e `
-  -E output.logstash.enabled=false `
-  -E output.elasticsearch.hosts=['localhost:9200'] `
-  -E output.elasticsearch.username={beat_default_index_prefix}_internal `
-  -E output.elasticsearch.password={pwd} `
-  -E setup.kibana.host=localhost:5601
-----
-// end::win[]
diff --git a/libbeat/docs/tab-widgets/load-dashboards-widget.asciidoc b/libbeat/docs/tab-widgets/load-dashboards-widget.asciidoc
deleted file mode 100644
index 16b60bba619c..000000000000
--- a/libbeat/docs/tab-widgets/load-dashboards-widget.asciidoc
+++ /dev/null
@@ -1,112 +0,0 @@
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Load dashboards">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-load-dashboards"
-            id="deb-load-dashboards">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-load-dashboards"
-            id="rpm-load-dashboards"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-load-dashboards"
-            id="mac-load-dashboards"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-load-dashboards"
-            id="linux-load-dashboards"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="docker-tab-load-dashboards"
-            id="docker-load-dashboards"
-            tabindex="-1">
-      Docker
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-load-dashboards"
-            id="win-load-dashboards"
-            tabindex="-1">            
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-load-dashboards"
-       aria-labelledby="deb-load-dashboards">
-++++
-
-include::load-dashboards.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-load-dashboards"
-       aria-labelledby="rpm-load-dashboards"
-       hidden="">
-++++
-
-include::load-dashboards.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-load-dashboards"
-       aria-labelledby="mac-load-dashboards"
-       hidden="">
-++++
-
-include::load-dashboards.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-load-dashboards"
-       aria-labelledby="linux-load-dashboards"
-       hidden="">
-++++
-
-include::load-dashboards.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="docker-tab-load-dashboards"
-       aria-labelledby="docker-load-dashboards"
-       hidden="">
-++++
-
-include::load-dashboards.asciidoc[tag=docker]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"v
-       id="win-tab-load-dashboards"
-       aria-labelledby="win-load-dashboards"
-       hidden="">
-++++
-
-include::load-dashboards.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
\ No newline at end of file
diff --git a/libbeat/docs/tab-widgets/load-dashboards.asciidoc b/libbeat/docs/tab-widgets/load-dashboards.asciidoc
deleted file mode 100644
index 34b9df30ffe8..000000000000
--- a/libbeat/docs/tab-widgets/load-dashboards.asciidoc
+++ /dev/null
@@ -1,48 +0,0 @@
-// tag::deb[]
-["source","sh",subs="attributes"]
-----
-{beatname_lc} setup --dashboards
-----
-// end::deb[]
-
-// tag::rpm[]
-["source","sh",subs="attributes"]
-----
-{beatname_lc} setup --dashboards
-----
-// end::rpm[]
-
-// tag::mac[]
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup --dashboards
-----
-// end::mac[]
-
-// tag::linux[]
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup --dashboards
-----
-// end::linux[]
-
-// tag::docker[]
-["source","sh",subs="attributes"]
-----
-docker run --rm --net="host" {dockerimage} setup --dashboards
-----
-// end::docker[]
-
-// tag::win[]
-
-Open a PowerShell prompt as an Administrator (right-click the PowerShell icon
-and select *Run As Administrator*).
-
-From the PowerShell prompt, change to the directory where you installed {beatname_uc},
-and run:
-
-["source","sh",subs="attributes"]
-----
-PS > .{backslash}{beatname_lc}.exe setup --dashboards
-----
-// end::win[]
diff --git a/libbeat/docs/tab-widgets/load-index-template-widget.asciidoc b/libbeat/docs/tab-widgets/load-index-template-widget.asciidoc
deleted file mode 100644
index 234b9a4a6311..000000000000
--- a/libbeat/docs/tab-widgets/load-index-template-widget.asciidoc
+++ /dev/null
@@ -1,112 +0,0 @@
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Load index template">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-load-index-template"
-            id="deb-load-index-template">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-load-index-template"
-            id="rpm-load-index-template"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-load-index-template"
-            id="mac-load-index-template"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-load-index-template"
-            id="linux-load-index-template"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="docker-tab-load-index-template"
-            id="docker-load-index-template"
-            tabindex="-1">
-      Docker
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-load-index-template"
-            id="win-load-index-template"
-            tabindex="-1">            
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-load-index-template"
-       aria-labelledby="deb-load-index-template">
-++++
-
-include::load-index-template.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-load-index-template"
-       aria-labelledby="rpm-load-index-template"
-       hidden="">
-++++
-
-include::load-index-template.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-load-index-template"
-       aria-labelledby="mac-load-index-template"
-       hidden="">
-++++
-
-include::load-index-template.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-load-index-template"
-       aria-labelledby="linux-load-index-template"
-       hidden="">
-++++
-
-include::load-index-template.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="docker-tab-load-index-template"
-       aria-labelledby="docker-load-index-template"
-       hidden="">
-++++
-
-include::load-index-template.asciidoc[tag=docker]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"v
-       id="win-tab-load-index-template"
-       aria-labelledby="win-load-index-template"
-       hidden="">
-++++
-
-include::load-index-template.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
\ No newline at end of file
diff --git a/libbeat/docs/tab-widgets/load-index-template.asciidoc b/libbeat/docs/tab-widgets/load-index-template.asciidoc
deleted file mode 100644
index 40914f378f1e..000000000000
--- a/libbeat/docs/tab-widgets/load-index-template.asciidoc
+++ /dev/null
@@ -1,48 +0,0 @@
-// tag::deb[]
-["source","sh",subs="attributes"]
-----
-{beatname_lc} setup --index-management
-----
-// end::deb[]
-
-// tag::rpm[]
-["source","sh",subs="attributes"]
-----
-{beatname_lc} setup --index-management
-----
-// end::rpm[]
-
-// tag::mac[]
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup --index-management
-----
-// end::mac[]
-
-// tag::linux[]
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup --index-management
-----
-// end::linux[]
-
-// tag::docker[]
-["source","sh",subs="attributes"]
-----
-docker run --rm --net="host" {dockerimage} setup --index-management
-----
-// end::docker[]
-
-// tag::win[]
-
-Open a PowerShell prompt as an Administrator (right-click the PowerShell icon
-and select *Run As Administrator*).
-
-From the PowerShell prompt, change to the directory where you installed {beatname_uc},
-and run:
-
-["source","sh",subs="attributes"]
-----
-PS > .{backslash}{beatname_lc}.exe setup --index-management
-----
-// end::win[]
diff --git a/libbeat/docs/tab-widgets/open-kibana-widget.asciidoc b/libbeat/docs/tab-widgets/open-kibana-widget.asciidoc
deleted file mode 100644
index 849d2864fe8d..000000000000
--- a/libbeat/docs/tab-widgets/open-kibana-widget.asciidoc
+++ /dev/null
@@ -1,40 +0,0 @@
-++++
-<div class="tabs" data-tab-group="host">
-  <div role="tablist" aria-label="Open Kibana">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="cloud-tab-open-kibana"
-            id="cloud-open-kibana">
-      Elasticsearch Service
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="self-managed-tab-open-kibana"
-            id="self-managed-open-kibana"
-            tabindex="-1">
-      Self-managed
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="cloud-tab-open-kibana"
-       aria-labelledby="cloud-open-kibana">
-++++
-
-include::open-kibana.asciidoc[tag=cloud]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="self-managed-tab-open-kibana"
-       aria-labelledby="self-managed-open-kibana"
-       hidden="">
-++++
-
-include::open-kibana.asciidoc[tag=self-managed]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/open-kibana.asciidoc b/libbeat/docs/tab-widgets/open-kibana.asciidoc
deleted file mode 100644
index 9adcde4ee0a1..000000000000
--- a/libbeat/docs/tab-widgets/open-kibana.asciidoc
+++ /dev/null
@@ -1,10 +0,0 @@
-// tag::cloud[]
-. https://cloud.elastic.co/[Log in] to your {ecloud} account.
-
-. Navigate to the {kib} endpoint in your deployment.
-// end::cloud[]
-
-// tag::self-managed[]
-Point your browser to http://localhost:5601[http://localhost:5601], replacing
-`localhost` with the name of the {kib} host.
-// end::self-managed[]
diff --git a/libbeat/docs/tab-widgets/set-connection-widget.asciidoc b/libbeat/docs/tab-widgets/set-connection-widget.asciidoc
deleted file mode 100644
index 1365bab45885..000000000000
--- a/libbeat/docs/tab-widgets/set-connection-widget.asciidoc
+++ /dev/null
@@ -1,40 +0,0 @@
-++++
-<div class="tabs" data-tab-group="host">
-  <div role="tablist" aria-label="Set connection">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="cloud-tab-set-connection"
-            id="cloud-set-connection">
-      Elasticsearch Service
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="self-managed-tab-set-connection"
-            id="self-managed-set-connection"
-            tabindex="-1">
-      Self-managed
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="cloud-tab-set-connection"
-       aria-labelledby="cloud-set-connection">
-++++
-
-include::set-connection.asciidoc[tag=cloud]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="self-managed-tab-set-connection"
-       aria-labelledby="self-managed-set-connection"
-       hidden="">
-++++
-
-include::set-connection.asciidoc[tag=self-managed]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/set-connection.asciidoc b/libbeat/docs/tab-widgets/set-connection.asciidoc
deleted file mode 100644
index 3d8c90147326..000000000000
--- a/libbeat/docs/tab-widgets/set-connection.asciidoc
+++ /dev/null
@@ -1,86 +0,0 @@
-// tag::cloud[]
-
-:beatname_url: {beats-ref-root}/{beatname_lc}/{branch}
-
-Specify the {beatname_url}/configure-cloud-id.html[cloud.id] of your {ess}, and set
-{beatname_url}/configure-cloud-id.html[cloud.auth] to a user who is authorized to
-set up {beatname_uc}. For example:
-
-["source","yaml",subs="attributes"]
-----------------------------------------------------------------------
-cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
-cloud.auth: "{beatname_lc}_setup:{pwd}" <1>
-----------------------------------------------------------------------
-<1> This examples shows a hard-coded password, but you should store sensitive
-values
-ifndef::serverless[]
-in the {beatname_url}/keystore.html[secrets keystore].
-endif::[]
-ifdef::serverless[]
-in environment variables.
-endif::[]
-// end::cloud[]
-
-// tag::self-managed[]
-. Set the host and port where {beatname_uc} can find the {es} installation, and
-set the username and password of a user who is authorized to set up
-{beatname_uc}. For example:
-+
-["source","yaml",subs="attributes"]
-----
-output.elasticsearch:
-  hosts: ["https://myEShost:9200"]
-  username: "{beatname_lc}_internal"
-  password: "{pwd}" <1>
-  ssl:
-    enabled: true
-    ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c" <2>
-----
-<1> This example shows a hard-coded password, but you should store sensitive
-values
-ifndef::serverless[]
-in the {beatname_url}/keystore.html[secrets keystore].
-endif::[]
-ifdef::serverless[]
-in environment variables.
-endif::[]
-<2> This example shows a hard-coded fingerprint, but you should store sensitive
-values
-ifndef::serverless[]
-in the {beatname_url}/keystore.html[secrets keystore].
-endif::[]
-ifdef::serverless[]
-in environment variables.
-endif::[]
-The fingerprint is a HEX encoded SHA-256 of a CA certificate,
-when you start {es} for the first time, security features such as
-network encryption (TLS) for {es} are enabled by default. If you are
-using the self-signed certificate generated by {es} when it is started
-for the first time, you will need to add its fingerprint here. The
-fingerprint is printed on {es} start up logs, or you can refer to {ref-80}/configuring-stack-security.html#_connect_clients_to_elasticsearch_5[connect clients to {es}
-documentation] for other options on retrieving it. If you are
-providing your own SSL certificate to {es} refer to
-{beatname_url}/configuration-ssl.html#ssl-client-config[{beatname_uc}
-documentation on how to setup SSL].
-
-. If you plan to use our pre-built {kib} dashboards, configure the {kib}
-endpoint. Skip this step if {kib} is running on the same host as {es}.
-+
-[source,yaml]
-----------------------------------------------------------------------
-  setup.kibana:
-    host: "mykibanahost:5601" <1>
-    username: "my_kibana_user" <2> <3>
-    password: "{pwd}"
-----------------------------------------------------------------------
-<1> The hostname and port of the machine where {kib} is running,
-for example, `mykibanahost:5601`. If you specify a path after the port number,
-include the scheme and port: `http://mykibanahost:5601/path`.
-<2> The `username` and `password` settings for {kib} are optional. If you don't
-specify credentials for {kib}, {beatname_uc} uses the `username` and `password`
-specified for the {es} output.
-<3> To use the pre-built {kib} dashboards, this user must be authorized to
-view dashboards or have the
-`kibana_admin` {ref}/built-in-roles.html[built-in role].
-// end::self-managed[]
-
diff --git a/libbeat/docs/tab-widgets/setup-deb-rpm-linux-widget.asciidoc b/libbeat/docs/tab-widgets/setup-deb-rpm-linux-widget.asciidoc
deleted file mode 100644
index 43b893627084..000000000000
--- a/libbeat/docs/tab-widgets/setup-deb-rpm-linux-widget.asciidoc
+++ /dev/null
@@ -1,58 +0,0 @@
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Set up">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-setup"
-            id="deb-setup">
-      Deb
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-setup"
-            id="rpm-setup"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-setup"
-            id="linux-setup"
-            tabindex="-1">
-      Linux
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-setup"
-       aria-labelledby="deb-setup">
-++++
-
-include::setup.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-setup"
-       aria-labelledby="rpm-setup"
-       hidden="">
-++++
-
-include::setup.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-setup"
-       aria-labelledby="linux-setup"
-       hidden="">
-++++
-
-include::setup.asciidoc[tag=linux]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/setup-linux-mac-win-widget.asciidoc b/libbeat/docs/tab-widgets/setup-linux-mac-win-widget.asciidoc
deleted file mode 100644
index 16d9061b1210..000000000000
--- a/libbeat/docs/tab-widgets/setup-linux-mac-win-widget.asciidoc
+++ /dev/null
@@ -1,58 +0,0 @@
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Set up">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="mac-tab-setup"
-            id="mac-setup">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-setup"
-            id="linux-setup"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-setup"
-            id="win-setup"
-            tabindex="-1">
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-setup"
-       aria-labelledby="mac-setup">
-++++
-
-include::setup.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-setup"
-       aria-labelledby="linux-setup"
-       hidden="">
-++++
-
-include::setup.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-setup"
-       aria-labelledby="win-setup"
-       hidden="">
-++++
-
-include::setup.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/setup-widget.asciidoc b/libbeat/docs/tab-widgets/setup-widget.asciidoc
deleted file mode 100644
index f580826d7d87..000000000000
--- a/libbeat/docs/tab-widgets/setup-widget.asciidoc
+++ /dev/null
@@ -1,94 +0,0 @@
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Set up">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-setup"
-            id="deb-setup">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-setup"
-            id="rpm-setup"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-setup"
-            id="mac-setup"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-setup"
-            id="linux-setup"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-setup"
-            id="win-setup"
-            tabindex="-1">
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-setup"
-       aria-labelledby="deb-setup">
-++++
-
-include::setup.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-setup"
-       aria-labelledby="rpm-setup"
-       hidden="">
-++++
-
-include::setup.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-setup"
-       aria-labelledby="mac-setup"
-       hidden="">
-++++
-
-include::setup.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-setup"
-       aria-labelledby="linux-setup"
-       hidden="">
-++++
-
-include::setup.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-setup"
-       aria-labelledby="win-setup"
-       hidden="">
-++++
-
-include::setup.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/setup.asciidoc b/libbeat/docs/tab-widgets/setup.asciidoc
deleted file mode 100644
index 3a5836d577f6..000000000000
--- a/libbeat/docs/tab-widgets/setup.asciidoc
+++ /dev/null
@@ -1,35 +0,0 @@
-// tag::deb[]
-["source","sh",subs="attributes"]
-----
-{beatname_lc} setup -e
-----
-// end::deb[]
-
-// tag::rpm[]
-["source","sh",subs="attributes"]
-----
-{beatname_lc} setup -e
-----
-// end::rpm[]
-
-// tag::mac[]
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup -e
-----
-// end::mac[]
-
-// tag::linux[]
-["source","sh",subs="attributes"]
-----
-./{beatname_lc} setup -e
-----
-// end::linux[]
-
-// tag::win[]
-["source","sh",subs="attributes"]
-----
-PS > .{backslash}{beatname_lc}.exe setup -e
-----
-// end::win[]
-
diff --git a/libbeat/docs/tab-widgets/spinup-stack-widget.asciidoc b/libbeat/docs/tab-widgets/spinup-stack-widget.asciidoc
deleted file mode 100644
index 4b05b31976cc..000000000000
--- a/libbeat/docs/tab-widgets/spinup-stack-widget.asciidoc
+++ /dev/null
@@ -1,40 +0,0 @@
-++++
-<div class="tabs" data-tab-group="host">
-  <div role="tablist" aria-label="Spin up">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="cloud-tab-spinup"
-            id="cloud-spinup">
-      Elasticsearch Service
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="self-managed-tab-spinup"
-            id="self-managed-spinup"
-            tabindex="-1">
-      Self-managed
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="cloud-tab-spinup"
-       aria-labelledby="cloud-spinup">
-++++
-
-include::spinup-stack.asciidoc[tag=cloud]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="self-managed-tab-spinup"
-       aria-labelledby="self-managed-spinup"
-       hidden="">
-++++
-
-include::spinup-stack.asciidoc[tag=self-managed]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/spinup-stack.asciidoc b/libbeat/docs/tab-widgets/spinup-stack.asciidoc
deleted file mode 100644
index 5d12335d53e9..000000000000
--- a/libbeat/docs/tab-widgets/spinup-stack.asciidoc
+++ /dev/null
@@ -1,9 +0,0 @@
-// tag::cloud[]
-To get started quickly, spin up a deployment of our
-https://www.elastic.co/cloud/elasticsearch-service[hosted {ess}]. The {ess} is
-available on AWS, GCP, and Azure. {ess-trial}[Try it out for free].
-// end::cloud[]
-
-// tag::self-managed[]
-To install and run {es} and {kib}, see {stack-ref}/installing-elastic-stack.html[Installing the {stack}].
-// end::self-managed[]
diff --git a/libbeat/docs/tab-widgets/start-deb-rpm-linux-widget.asciidoc b/libbeat/docs/tab-widgets/start-deb-rpm-linux-widget.asciidoc
deleted file mode 100644
index cc12343555e5..000000000000
--- a/libbeat/docs/tab-widgets/start-deb-rpm-linux-widget.asciidoc
+++ /dev/null
@@ -1,58 +0,0 @@
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Start">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-start"
-            id="deb-start">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-start"
-            id="rpm-start"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-start"
-            id="linux-start"
-            tabindex="-1">
-      Linux
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-start"
-       aria-labelledby="deb-start">
-++++
-
-include::start.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-start"
-       aria-labelledby="rpm-start"
-       hidden="">
-++++
-
-include::start.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-start"
-       aria-labelledby="linux-start"
-       hidden="">
-++++
-
-include::start.asciidoc[tag=linux]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/start-filebeat.asciidoc b/libbeat/docs/tab-widgets/start-filebeat.asciidoc
deleted file mode 100644
index 285b2cff35ca..000000000000
--- a/libbeat/docs/tab-widgets/start-filebeat.asciidoc
+++ /dev/null
@@ -1,47 +0,0 @@
-// tag::deb[]
-
-:beatname_url: {beats-ref-root}/{beatname_lc}/{branch}
-
-["source","sh",subs="attributes"]
-----
-sudo service {beatname_pkg} start
-----
-
-Also see {beatname_url}/running-with-systemd.html[{beatname_uc} and systemd].
-// end::deb[]
-
-// tag::rpm[]
-["source","sh",subs="attributes"]
-----
-sudo service {beatname_pkg} start
-----
-
-Also see {beatname_url}/running-with-systemd.html[{beatname_uc} and systemd].
-
-// end::rpm[]
-
-// tag::mac[]
-["source","sh",subs="attributes,callouts"]
-----
-./{beatname_lc} -e
-----
-// end::mac[]
-
-// tag::linux[]
-
-["source","sh",subs="attributes,callouts"]
-----
-./{beatname_lc} -e
-----
-
-// end::linux[]
-
-// tag::win[]
-["source","sh",subs="attributes"]
-----
-PS C:{backslash}Program Files{backslash}{beatname_lc}> Start-Service {beatname_lc}
-----
-
-By default, Windows log files are stored in +C:{backslash}ProgramData{backslash}{beatname_lc}\Logs+.
-
-// end::win[]
diff --git a/libbeat/docs/tab-widgets/start-widget-filebeat.asciidoc b/libbeat/docs/tab-widgets/start-widget-filebeat.asciidoc
deleted file mode 100644
index 0179ad565899..000000000000
--- a/libbeat/docs/tab-widgets/start-widget-filebeat.asciidoc
+++ /dev/null
@@ -1,97 +0,0 @@
-:beatname_uc: Filebeat
-:beatname_lc: filebeat
-:beatname_pkg: filebeat
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Start-f">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-start-filebeat"
-            id="deb-start-filebeat">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-start-filebeat"
-            id="rpm-start-filebeat"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-start-filebeat"
-            id="mac-start-filebeat"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-start-filebeat"
-            id="linux-start-filebeat"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-start-filebeat"
-            id="win-start-filebeat"
-            tabindex="-1">
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-start-filebeat"
-       aria-labelledby="deb-start-filebeat">
-++++
-
-include::start-filebeat.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-start-filebeat"
-       aria-labelledby="rpm-start-filebeat"
-       hidden="">
-++++
-
-include::start-filebeat.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-start-filebeat"
-       aria-labelledby="mac-start-filebeat"
-       hidden="">
-++++
-
-include::start-filebeat.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-start-filebeat"
-       aria-labelledby="linux-start-filebeat"
-       hidden="">
-++++
-
-include::start-filebeat.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-start-filebeat"
-       aria-labelledby="win-start-filebeat"
-       hidden="">
-++++
-
-include::start-filebeat.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
\ No newline at end of file
diff --git a/libbeat/docs/tab-widgets/start-widget-heartbeat.asciidoc b/libbeat/docs/tab-widgets/start-widget-heartbeat.asciidoc
deleted file mode 100644
index 2a910fe5a3fa..000000000000
--- a/libbeat/docs/tab-widgets/start-widget-heartbeat.asciidoc
+++ /dev/null
@@ -1,97 +0,0 @@
-:beatname_uc: Heartbeat
-:beatname_lc: heartbeat
-:beatname_pkg: heartbeat
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Start-h">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-start-heartbeat"
-            id="deb-start-heartbeat">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-start-heartbeat"
-            id="rpm-start-heartbeat"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-start-heartbeat"
-            id="mac-start-heartbeat"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-start-heartbeat"
-            id="linux-start-heartbeat"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-start-heartbeat"
-            id="win-start-heartbeat"
-            tabindex="-1">
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-start-heartbeat"
-       aria-labelledby="deb-start-heartbeat">
-++++
-
-include::start.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-start-heartbeat"
-       aria-labelledby="rpm-start-heartbeat"
-       hidden="">
-++++
-
-include::start.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-start-heartbeat"
-       aria-labelledby="mac-start-heartbeat"
-       hidden="">
-++++
-
-include::start.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-start-heartbeat"
-       aria-labelledby="linux-start-heartbeat"
-       hidden="">
-++++
-
-include::start.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-start-heartbeat"
-       aria-labelledby="win-start-heartbeat"
-       hidden="">
-++++
-
-include::start.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
\ No newline at end of file
diff --git a/libbeat/docs/tab-widgets/start-widget-metricbeat.asciidoc b/libbeat/docs/tab-widgets/start-widget-metricbeat.asciidoc
deleted file mode 100644
index 0dc5069c418f..000000000000
--- a/libbeat/docs/tab-widgets/start-widget-metricbeat.asciidoc
+++ /dev/null
@@ -1,97 +0,0 @@
-:beatname_uc: Metricbeat
-:beatname_lc: metricbeat
-:beatname_pkg: metricbeat
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Start-m">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-start-metricbeat"
-            id="deb-start-metricbeat">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-start-metricbeat"
-            id="rpm-start-metricbeat"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-start-metricbeat"
-            id="mac-start-metricbeat"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-start-metricbeat"
-            id="linux-start-metricbeat"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-start-metricbeat"
-            id="win-start-metricbeat"
-            tabindex="-1">
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-start-metricbeat"
-       aria-labelledby="deb-start-metricbeat">
-++++
-
-include::start.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-start-metricbeat"
-       aria-labelledby="rpm-start-metricbeat"
-       hidden="">
-++++
-
-include::start.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-start-metricbeat"
-       aria-labelledby="mac-start-metricbeat"
-       hidden="">
-++++
-
-include::start.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-start-metricbeat"
-       aria-labelledby="linux-start-metricbeat"
-       hidden="">
-++++
-
-include::start.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-start-metricbeat"
-       aria-labelledby="win-start-metricbeat"
-       hidden="">
-++++
-
-include::start.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
\ No newline at end of file
diff --git a/libbeat/docs/tab-widgets/start-widget.asciidoc b/libbeat/docs/tab-widgets/start-widget.asciidoc
deleted file mode 100644
index 7b5d2da88469..000000000000
--- a/libbeat/docs/tab-widgets/start-widget.asciidoc
+++ /dev/null
@@ -1,94 +0,0 @@
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Start">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-start"
-            id="deb-start">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-start"
-            id="rpm-start"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-start"
-            id="mac-start"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-start"
-            id="linux-start"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-start"
-            id="win-start"
-            tabindex="-1">
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-start"
-       aria-labelledby="deb-start">
-++++
-
-include::start.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-start"
-       aria-labelledby="rpm-start"
-       hidden="">
-++++
-
-include::start.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-start"
-       aria-labelledby="mac-start"
-       hidden="">
-++++
-
-include::start.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-start"
-       aria-labelledby="linux-start"
-       hidden="">
-++++
-
-include::start.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-start"
-       aria-labelledby="win-start"
-       hidden="">
-++++
-
-include::start.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
diff --git a/libbeat/docs/tab-widgets/start.asciidoc b/libbeat/docs/tab-widgets/start.asciidoc
deleted file mode 100644
index 1c551fcf6946..000000000000
--- a/libbeat/docs/tab-widgets/start.asciidoc
+++ /dev/null
@@ -1,90 +0,0 @@
-// tag::deb[]
-
-:beatname_url: {beats-ref-root}/{beatname_lc}/{branch}
-
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
-sudo service {beatname_pkg} start
-----------------------------------------------------------------------
-
-Also see {beatname_url}/running-with-systemd.html[{beatname_uc} and systemd].
-// end::deb[]
-
-// tag::rpm[]
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
-sudo service {beatname_pkg} start
-----------------------------------------------------------------------
-
-Also see {beatname_url}/running-with-systemd.html[{beatname_uc} and systemd].
-
-// end::rpm[]
-
-// tag::mac[]
-ifndef::has_modules_command[]
-["source","sh",subs="attributes,callouts"]
-----------------------------------------------------------------------
-sudo chown root {beatname_lc}.yml <1>
-sudo ./{beatname_lc} -e
-----------------------------------------------------------------------
-<1> You'll be running {beatname_uc} as root, so you need to change ownership
-of the configuration file, or run {beatname_uc} with `--strict.perms=false`
-specified. See
-{beats-ref}/config-file-permissions.html[Config File Ownership and Permissions].
-endif::has_modules_command[]
-ifdef::has_modules_command[]
-["source","sh",subs="attributes,callouts"]
-----------------------------------------------------------------------
-sudo chown root {beatname_lc}.yml <1>
-sudo chown root modules.d/{modulename}.yml <1>
-sudo ./{beatname_lc} -e
-----------------------------------------------------------------------
-<1> You'll be running {beatname_uc} as root, so you need to change ownership of the
-configuration file and any configurations enabled in the `modules.d` directory,
-or run {beatname_uc} with `--strict.perms=false` specified. See
-{beats-ref}/config-file-permissions.html[Config File Ownership and Permissions].
-endif::has_modules_command[]
-// end::mac[]
-
-// tag::linux[]
-
-ifndef::has_modules_command[]
-["source","sh",subs="attributes,callouts"]
-----------------------------------------------------------------------
-sudo chown root {beatname_lc}.yml <1>
-sudo ./{beatname_lc} -e
-----------------------------------------------------------------------
-<1> You'll be running {beatname_uc} as root, so you need to change ownership
-of the configuration file, or run {beatname_uc} with `--strict.perms=false`
-specified. See
-{beats-ref}/config-file-permissions.html[Config File Ownership and Permissions].
-endif::has_modules_command[]
-ifdef::has_modules_command[]
-["source","sh",subs="attributes,callouts"]
-----------------------------------------------------------------------
-sudo chown root {beatname_lc}.yml <1>
-sudo chown root modules.d/{modulename}.yml <1>
-sudo ./{beatname_lc} -e
-----------------------------------------------------------------------
-<1> You'll be running {beatname_uc} as root, so you need to change ownership of the
-configuration file and any configurations enabled in the `modules.d` directory,
-or run {beatname_uc} with `--strict.perms=false` specified. See
-{beats-ref}/config-file-permissions.html[Config File Ownership and Permissions].
-endif::has_modules_command[]
-
-// end::linux[]
-
-// tag::win[]
-["source","sh",subs="attributes"]
-----------------------------------------------------------------------
-PS C:{backslash}Program Files{backslash}{beatname_lc}> Start-Service {beatname_lc}
-----------------------------------------------------------------------
-
-By default, Windows log files are stored in +C:{backslash}ProgramData{backslash}{beatname_lc}\Logs+.
-
-ifeval::["{beatname_lc}"=="metricbeat"]
-NOTE: On Windows, statistics about system load and swap usage are currently
-not captured
-endif::[]
-
-// end::win[]
diff --git a/libbeat/docs/template-config.asciidoc b/libbeat/docs/template-config.asciidoc
deleted file mode 100644
index a3d1c8f1d725..000000000000
--- a/libbeat/docs/template-config.asciidoc
+++ /dev/null
@@ -1,137 +0,0 @@
-[[configuration-template]]
-
-== Configure Elasticsearch index template loading
-
-++++
-<titleabbrev>Elasticsearch index template</titleabbrev>
-++++
-
-The `setup.template` section of the +{beatname_lc}.yml+ config file specifies
-the {ref}/index-templates.html[index template] to use for setting
-mappings in Elasticsearch. If template loading is enabled (the default),
-{beatname_uc} loads the index template automatically after successfully
-connecting to Elasticsearch.
-
-ifndef::no-output-logstash[]
-
-NOTE: A connection to Elasticsearch is required to load the index template. If
-the configured output is not Elasticsearch (or {ess}), you must
-<<load-template-manually,load the template manually>>.
-
-endif::[]
-
-You can adjust the following settings to load your own template or overwrite an
-existing one.
-
-*`setup.template.enabled`*:: Set to false to disable template loading. If this is set to false,
-you must <<load-template-manually,load the template manually>>.
-
-*`setup.template.name`*:: The name of the template. The default is
-+{beatname_lc}+. The {beatname_uc} version is always appended to the given
-name, so the final name is +{beatname_lc}-%{[{beat_version_key}]}+.
-
-// Maintainers: a backslash character is required to escape curly braces and
-// asterisks in inline code examples that contain asciidoc attributes. You'll
-// note that a backslash does not appear before the asterisk
-// in +{beatname_lc}-%{[{beat_version_key}]}-*+. This is intentional and formats
-// the example as expected.
-
-*`setup.template.pattern`*:: The template pattern to apply to the default index
-settings. The default pattern is +{beat_default_index_prefix}+. The {beatname_uc} version is always
-included in the pattern, so the final pattern is
-+{beat_default_index_prefix}-%{[{beat_version_key}]}+. 
-+
-Example:
-+
-["source","yaml",subs="attributes"]
-----------------------------------------------------------------------
-setup.template.name: "{beatname_lc}"
-setup.template.pattern: "{beat_default_index_prefix}"
-----------------------------------------------------------------------
-
-*`setup.template.fields`*:: The path to the YAML file describing the fields. The default is +fields.yml+. If a
-relative path is set, it is considered relative to the config path. See the <<directory-layout>>
-section for details.
-
-*`setup.template.overwrite`*:: A boolean that specifies whether to overwrite the existing template. The default
-is false. Do not enable this option if you start more than one instance of {beatname_uc} at the same time. It
-can overload {es} by sending too many template update requests.
-
-*`setup.template.settings`*:: A dictionary of settings to place into the `settings.index` dictionary of the
-Elasticsearch template. For more details about the available Elasticsearch mapping options, please
-see the Elasticsearch {ref}/mapping.html[mapping reference].
-+
-Example:
-+
-["source","yaml",subs="attributes"]
-----------------------------------------------------------------------
-setup.template.name: "{beatname_lc}"
-setup.template.fields: "fields.yml"
-setup.template.overwrite: false
-setup.template.settings:
-  index.number_of_shards: 1
-  index.number_of_replicas: 1
-----------------------------------------------------------------------
-
-*`setup.template.settings._source`*:: A dictionary of settings for the `_source` field. For the available settings,
-please see the Elasticsearch {ref}/mapping-source-field.html[reference].
-+
-Example:
-+
-["source","yaml",subs="attributes"]
-----------------------------------------------------------------------
-setup.template.name: "{beatname_lc}"
-setup.template.fields: "fields.yml"
-setup.template.overwrite: false
-setup.template.settings:
-  _source.enabled: false
-----------------------------------------------------------------------
-
-*`setup.template.append_fields`*:: A list of fields to be added
-to the template and {kib} index pattern. This setting adds new fields. It does
-not overwrite or change existing fields.
-+
-This setting is useful when your data contains fields that {beatname_uc} doesn't
-know about in advance.
-ifeval::["{beatname_lc}"=="metricbeat"]
-For example, you might want to append fields to the template when you're using
-a metricset, such as the <<metricbeat-metricset-http-json>>, and the full data
-structure is not known in advance.
-endif::[]
-+
-If `append_fields` is specified along with `overwrite: true`, {beatname_uc}
-overwrites the existing template and applies the new template when creating new
-indices. Existing indices are not affected. If you're running multiple
-instances of {beatname_uc} with different `append_fields` settings, the last one
-writing the template takes precedence.
-+
-Any changes to this setting also affect the {kib} index pattern.
-+
-Example config:
-+
-[source,yaml]
-----
-setup.template.overwrite: true
-setup.template.append_fields:
-- name: test.name
-  type: keyword
-- name: test.hostname
-  type: long
-----
-
-*`setup.template.json.enabled`*:: Set to `true` to load a
-JSON-based template file. Specify the path to your {es} index template file and
-set the name of the template.
-+
-["source","yaml",subs="attributes"]
-----------------------------------------------------------------------
-setup.template.json.enabled: true
-setup.template.json.path: "template.json"
-setup.template.json.name: "template-name"
-setup.template.json.data_stream: false
-----------------------------------------------------------------------
-
-NOTE: If the JSON template is used, the `fields.yml` is skipped for the template
-generation.
-
-NOTE: If the JSON template is a data stream, set `setup.template.json.data_stream`.
diff --git a/libbeat/docs/upgrading.asciidoc b/libbeat/docs/upgrading.asciidoc
deleted file mode 100644
index 9e312d22ff4a..000000000000
--- a/libbeat/docs/upgrading.asciidoc
+++ /dev/null
@@ -1,247 +0,0 @@
-[[upgrading]]
-== Upgrade
-
-This section gives general recommendations for upgrading {beats} shippers:
-
-* <<upgrade-minor-versions>>
-* <<upgrade-7-to-8>>
-* <<troubleshooting-upgrade>>
-
-If you're upgrading other products in the stack, also read the
-{stack-ref}/index.html[Elastic Stack Installation and Upgrade Guide].
-
-[discrete]
-[[upgrade-minor-versions]]
-=== Upgrade between minor versions
-
-As a general rule, you can upgrade between minor versions (for example, 8.x to
-8.y, where x < y) by simply installing the new release and restarting the Beat
-process. {beats} typically maintain backwards compatibility for configuration
-settings and exported fields. Please review the
-<<release-notes,release notes>> for potential exceptions.
-
-Upgrading between non-consecutive major versions (e.g. 6.x to 8.x) is not
-supported.
-
-[discrete]
-[[upgrade-7-to-8]]
-=== Upgrade from 7.x to 8.x
-
-Before upgrading your {beats}, review the <<breaking-changes,breaking changes>>
-and the <<release-notes>>.
-
-If you're upgrading other products in the stack, also read the
-{stack-ref}/index.html[Elastic Stack Installation and Upgrade Guide].
-
-We recommend that you fully upgrade {es} and {kib} to version 8.0
-before upgrading {beats}. The {beats} version must be lower than or equal to the
-{es} version. {beats} cannot send data to older versions of {es}.
-
-If you use the Uptime app in {kib}, make sure you add `heartbeat-8*` and `synthetics-*` to *Uptime indices*
-on the {observability-guide}/configure-uptime-settings.html[Settings page]. The first index is used by newer versions of {beatname_uc}, while the latter is used by {fleet}.
-
-If you're on {beats} 7.0 through 7.16, upgrade the {stack} and {beats} to
-version 7.17 *before* proceeding with the 8.0 upgrade.
-
-Upgrading between non-consecutive major versions (e.g. 6.x to 8.x) is not
-supported.
-
-IMPORTANT: Please read through all upgrade steps before proceeding. These steps
-are required before running the software for the first time.
-
-[discrete]
-[[upgrade-to-7.17]]
-==== Upgrade to {beats} 7.17 before upgrading to 8.0
-
-The upgrade procedure assumes that you have {beats} 7.17 installed. If you're on
-a previous 7.x version of {beats}, *upgrade to version 7.17 first*. If you're
-using other products in the {stack}, upgrade {beats} as part of the
-{stack-ref}/upgrading-elastic-stack.html[{stack} upgrade process].
-
-After upgrading to 7.17, go to *Index Management* in {kib} and verify
-that the 7.17 index template has been loaded into {es}.
-
-[role="screenshot"]
-image::images/confirm-index-template.png[Screen capture showing that metricbeat-1.17.0 index template is loaded]
-
-If the 7.17 index template is not loaded, load it now.
-
-If you created custom dashboards prior to version 7.17, you must upgrade them to
-7.17 before proceeding. Otherwise, the dashboards will stop working because
-{kib} no longer provides the API used for dashboards in 7.x.
-
-[discrete]
-[[upgrade-beats-binaries]]
-==== Upgrade {beats} binaries to 8.0
-
-Before upgrading:
-
-. Stop the existing {beats} process by using the appropriate command for your
-system.
-. Back up the `data` and `config` directories by copying them to another
-location.
-+
-TIP: The location of these directories depends on the installation method. To
-see the current paths, start the Beat from a terminal, and the `data` and
-`config` paths are printed at startup.
-
-To upgrade using a Debian or RPM package:
-
-* Use `rpm` or `dpkg` to install the new package. All files are installed in the
-appropriate location for the operating system and {beats} config files are not
-overwritten.
-
-To upgrade using a zip or compressed tarball:
-
-. Extract the zip or tarball to a _new_ directory. This is critical if you
-are not using external `config` and `data` directories.
-. Set the following options in the {beats} configuration file:
-+
---
-* Set `path.config` to point to your external `config` directory. If you are
-not using an external `config` directory, copy your old configuration over to
-the new installation.
-* Set `path.data` to point to your external data directory. If you are not using
-an external `data` directory, copy your old data directory over to the new
-installation.
-* Set `path.logs` to point to the location where you want to store your logs. If
-you do not specify this setting, logs are stored in the directory you extracted
-the archive to.
---
-
-Complete the upgrade tasks described in the following sections *before*
-restarting the {beats} process.
-
-[discrete]
-[[migrate-config-files]]
-==== Migrate configuration files
-
-{beats} 8.0 comes with several backwards incompatible configuration changes.
-Before upgrading, review the <<breaking-changes-8.0>> document. Also review
-the full list of breaking changes in the <<release-notes-8.0.0>>.
-
-Where possible, we kept the old configuration options working, but deprecated
-them. However, deprecation was not always possible, so if you use any of the
-settings described under breaking changes, make sure you understand the
-alternatives that we provide.
-
-
-[discrete]
-[[upgrade-index-template]]
-==== Load the 8.0 {es} index templates
-
-Starting in version 8.0, the default {es} index templates configure data streams
-instead of traditional {es} indices. Data streams are optimized for storing
-append-only time series data. They are well-suited for logs, events, metrics,
-and other continuously generated data. However, unlike traditional {es} indices,
-data streams support create operations only; they do not support update and
-delete operations.
-
-To use data streams, load the default index templates *before* ingesting any
-data into {es}.
-
-include::{libbeat-dir}/tab-widgets/load-index-template-widget.asciidoc[]
-
-If you're not collecting time series data, you can continue to use {beats}
-to send data to aliases and indices. To do this, create a custom index template
-and load it manually. To learn more about creating index templates, refer to
-{ref}/index-templates.html[Index templates].
-
-[discrete]
-[[load-8.0-dashboards]]
-==== Load 8.0 dashboards
-
-We recommend that you load the 8.0 {kib} dashboards after upgrading {kib} and
-{beats}. That way, you can take advantage of improvements added in 8.0. To load
-the dashboards, run:
-
-include::{libbeat-dir}/tab-widgets/load-dashboards-widget.asciidoc[]
-
-
-[discrete]
-[[migrate-custom-dashboards]]
-==== Migrate custom dashboards and visualizations
-
-All Elastic {beats} send events with ECS-compliant field names. If you have any
-custom {kib} dashboards or visualizations that use old fields, adjust them now
-to use ECS field names.
-
-To learn more about ECS, refer to the {ecs-ref}/ecs-reference.html[ECS overview].
-
-NOTE: If you enabled the compatibility layer in 7.x (that is, if you set
-`migration.6_to_7.enabled: true`), make sure your custom dashboards no longer
-rely on the old aliases created by that setting. The old aliases are no longer
-supported. They may continue to work, but will be removed without notice in
-a future release.
-
-[discrete]
-[[start-beats]]
-==== Start your upgraded {beats}
-
-After you've completed the migration, start the upgraded Beat. Use the command
-that works with your system.
-
-Check the console and logs for errors.
-
-In {kib}, go to *Discover* and verify that events are streaming into {es}.
-
-[discrete]
-[[troubleshooting-upgrade]]
-=== Troubleshoot {beats} upgrade issues
-
-This section describes common problems you might encounter when upgrading to
-{beats} 8.x.
-
-You can avoid some of these problems by reading <<upgrade-7-to-8>> before
-upgrading {beats}.
-
-[discrete]
-[[unable-to-update-or-delete]]
-==== {beats} is unable to send update or deletion requests to a data stream
-
-Data streams are designed for use cases where existing data is rarely, if ever,
-updated. You cannot send update or deletion requests for existing documents
-directly to a data stream.
-
-If needed, you can update or delete documents by submitting requests directly to
-the document’s backing index. To learn how, refer to the docs about
-{ref}/use-a-data-stream.html[using a data stream].
-
-[discrete]
-[[missing-timestamp-field]]
-==== Timestamp field is missing
-
-{beats} requires a timestamp field to send data to data streams. If the
-timestamp field added by {beats} is inadvertently removed by a processor, {beats}
-will be unable to index the event. To fix the problem, modify your processor
-configuration to avoid removing the timestamp field.
-
-[discrete]
-[[missing-fields]]
-==== Missing fields or too many fields in the index
-
-You may have run the Beat before loading the required index template. To clean
-up and start again:
-
-. Delete the index that was created when you ran the Beat. For example:
-+
-["source","sh",subs="attributes"]
-----
-DELETE metricbeat-{version}-2019.04.02*
-----
-+
-WARNING: Be careful when using wildcards to delete indices. Make sure the
-pattern matches only the indices you want to delete. The example shown here
-deletes all data indexed into the metricbeat-{version} indices on
-2019.04.02.
-
-. Delete the index template that was loaded earlier. For example:
-+
-["source","sh",subs="attributes"]
-----
-DELETE /_index_template/metricbeat-{version}
-----
-
-. Load the correct index template. See <<upgrade-index-template>>.
-
-. Restart {beats}.
diff --git a/libbeat/docs/yaml.asciidoc b/libbeat/docs/yaml.asciidoc
deleted file mode 100644
index 903cbb5629e6..000000000000
--- a/libbeat/docs/yaml.asciidoc
+++ /dev/null
@@ -1,114 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by all Elastic Beats. Make sure you keep the
-//// descriptions here generic enough to work for all Beats that include
-//// this file. When using cross references, make sure that the cross
-//// references resolve correctly for any files that include this one.
-//// Use the appropriate variables defined in the index.asciidoc file to
-//// resolve Beat names: beatname_uc and beatname_lc.
-//// Use the following include to pull this content into a doc file:
-//// :standalone:
-//// include::../../libbeat/docs/yaml.asciidoc[]
-//// Specify :standalone: when this file is pulled into and index. When
-//// the file is embedded in another file, do no specify :standalone:
-//////////////////////////////////////////////////////////////////////////
-
-ifdef::standalone[]
-
-[[yaml-tips]]
-== Avoid YAML formatting problems
-
-endif::[]
-
-The configuration file uses http://yaml.org/[YAML] for its syntax. When you edit the
-file to modify configuration settings, there are a few things that you should know.
-
-[float]
-=== Use spaces for indentation
-
-Indentation is meaningful in YAML. Make sure that you use spaces, rather than tab characters, to indent sections.
-
-In the default configuration files and in all the examples in the documentation,
-we use 2 spaces per indentation level. We recommend you do the same.
-
-[float]
-=== Look at the default config file for structure
-
-The best way to understand where to define a configuration option is by looking
-at the provided sample configuration files. The configuration files contain most
-of the default configurations that are available for the Beat. To change a setting,
-simply uncomment the line and change the values.
-
-[float]
-=== Test your config file
-
-You can test your configuration file to verify that the structure is valid.
-Simply change to the directory where the binary is installed, and run
-the Beat in the foreground with the `test config` command specified. For
-example:
-
-ifndef::win-only[]
-
-["source","shell",subs="attributes"]
-----------------------------------------------------------------------
-{beatname_lc} test config -c {beatname_lc}.yml
-----------------------------------------------------------------------
-
-endif::win-only[]
-
-ifdef::win-only[]
-
-["source","shell",subs="attributes"]
-----------------------------------------------------------------------
-.\winlogbeat.exe test config -c .\winlogbeat.yml -e
-----------------------------------------------------------------------
-
-endif::win-only[]
-
-You'll see a message if the Beat finds an error in the file.
-
-[float]
-=== Wrap regular expressions in single quotation marks
-
-If you need to specify a regular expression in a YAML file, it's a good idea to wrap the regular expression in single quotation marks to work around YAML's tricky rules for string escaping.
-
-For more information about YAML, see http://yaml.org/.
-
-[float]
-[[wrap-paths-in-quotes]]
-=== Wrap paths in single quotation marks
-
-Windows paths in particular sometimes contain spaces or characters, such as drive
-letters or triple dots, that may be misinterpreted by the YAML parser.
-
-To avoid this problem, it's a good idea to wrap paths in single quotation marks.
-
-[float]
-[[avoid-leading-zeros]]
-=== Avoid using leading zeros in numeric values
-
-If you use a leading zero (for example, `09`) in a numeric field without
-wrapping the value in single quotation marks, the value may be interpreted
-incorrectly by the YAML parser. If the value is a valid octal, it's converted
-to an integer. If not, it's converted to a float.
-
-To prevent unwanted type conversions, avoid using leading zeros in field values,
-or wrap the values in single quotation marks.
-
-[float]
-[[dollar-sign-strings]]
-=== Avoid accidental template variable resolution
-
-The templating engine that allows the config to resolve data from environment 
-variables can result in errors in strings with `$` characters. For example, if a 
-password field contains `$$`, the engine will resolve this to `$`.
-
-To work around this,
-either use the
-ifdef::no_keystore[]
-{filebeat-ref}/keystore.html[keystore]
-endif::[]
-ifndef::no_keystore[]
-<<keystore>>
-endif::[]
-or escape all instances of
-`$` with `$$`.
diff --git a/metricbeat/docs/autodiscover-aws-ec2-config.asciidoc b/metricbeat/docs/autodiscover-aws-ec2-config.asciidoc
deleted file mode 100644
index 42f9497c2aa9..000000000000
--- a/metricbeat/docs/autodiscover-aws-ec2-config.asciidoc
+++ /dev/null
@@ -1,25 +0,0 @@
-{beatname_uc} supports templates for modules:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-metricbeat.autodiscover:
-  providers:
-    - type: aws_ec2
-      period: 1m
-      credential_profile_name: elastic-beats
-      templates:
-        - condition:
-            equals:
-              aws.ec2.tags.service: "mysql"
-          config:
-            - module: mysql
-              metricsets: ["status", "galera_status"]
-              period: 10s
-              hosts: ["root:password@tcp(${data.aws.ec2.public.ip}:3306)/"]
-              username: root
-              password: password
--------------------------------------------------------------------------------------
-
-This autodiscover provider takes our standard AWS credentials options.
-With this configuration, `mysql` metricbeat module will be launched for all EC2
-instances that have `service: mysql` as a tag.
diff --git a/metricbeat/docs/autodiscover-docker-config.asciidoc b/metricbeat/docs/autodiscover-docker-config.asciidoc
deleted file mode 100644
index bd026ec0c697..000000000000
--- a/metricbeat/docs/autodiscover-docker-config.asciidoc
+++ /dev/null
@@ -1,42 +0,0 @@
-Metricbeat supports templates for modules:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-metricbeat.autodiscover:
-  providers:
-    - type: docker
-      labels.dedot: true
-      templates:
-        - condition:
-            contains:
-              docker.container.image: redis
-          config:
-            - module: redis
-              metricsets: ["info", "keyspace"]
-              hosts: "${data.host}:6379"
--------------------------------------------------------------------------------------
-
-This configuration launches a `redis` module for all containers running an image with `redis` in the name.
-`labels.dedot` defaults to be `true` for docker autodiscover, which means dots in docker labels are replaced with '_' by default.
-
-Also Metricbeat autodiscover supports leveraging <<keystore>> in order to retrieve sensitive data like passwords.
-Here is an example of how a configuration using keystore would look like:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-metricbeat.autodiscover:
-  providers:
-    - type: docker
-      labels.dedot: true
-      templates:
-        - condition:
-            contains:
-              docker.container.image: redis
-          config:
-            - module: redis
-              metricsets: ["info", "keyspace"]
-              hosts: "${data.host}:6379"
-              password: "${REDIS_PASSWORD}"
--------------------------------------------------------------------------------------
-
-where `REDIS_PASSWORD` is a key stored in local keystore of Metricbeat.
diff --git a/metricbeat/docs/autodiscover-hints.asciidoc b/metricbeat/docs/autodiscover-hints.asciidoc
deleted file mode 100644
index 72aa13bc5973..000000000000
--- a/metricbeat/docs/autodiscover-hints.asciidoc
+++ /dev/null
@@ -1,234 +0,0 @@
-{beatname_uc} supports autodiscover based on hints from the provider. The `hints` system looks for
-hints in Kubernetes Pod annotations or Docker labels which have the prefix `co.elastic.metrics`. As soon as
-the container starts, {beatname_uc} will check if it contains any hints and launch the proper config for
-it. Hints tell {beatname_uc} how to get metrics for the given container. This is the full list of supported hints:
-
-[float]
-===== `co.elastic.metrics/module`
-
-{beatname_uc} module to use to fetch metrics. See <<metricbeat-modules>> for the list of supported modules.
-
-[float]
-===== `co.elastic.metrics/hosts`
-
-Hosts setting to use with the given module. Hosts can include `${data.host}`, `${data.port}`,
-`${data.ports.<port_name>}` values from the autodiscover event, ie: `${data.host}:80`.
-For Kuberentes autodiscover events users can leverage port names as well,
-like `http://${data.host}:${data.ports.prometheus}/metrics`.
-In the last one we refer to the container port with name `prometheus`.
-
-In order to target one specific exposed port `localhost:{data.ports.8222}` can be used
-in template config, where `8222` is the internal container port of the exposed targeted port.
-
-[float]
-===== `co.elastic.metrics/metricsets`
-
-List of metricsets to use, comma separated. If no metricsets are provided, default metricsets for the module
-are used.
-
-[float]
-===== `co.elastic.metrics/metrics_path`
-
-The path to retrieve the metrics from (/metrics by default) for <<prometheus-module>>.
-
-[float]
-===== `co.elastic.metrics/period`
-
-The time interval for metrics retrieval, ie: 10s
-
-[float]
-===== `co.elastic.metrics/timeout`
-
-Metrics retrieval timeout, default: 3s
-
-[float]
-===== `co.elastic.metrics/username`
-
-The username to use for authentication
-
-[float]
-===== `co.elastic.metrics/password`
-
-The password to use for authentication. It is recommended to retrieve this sensitive information from an ENV variable
-and avoid placing passwords in plain text. Unlike static autodiscover configuration, hints based autodiscover has
-no access to the keystore of Metricbeat since it could be a potential security issue. However hints based autodiscover
-can make use of Kuberentes Secrets as described in <<kubernetes-secrets>>.
-
-[float]
-===== `co.elastic.metrics/ssl.*`
-
-SSL parameters, as seen in <<configuration-ssl>>.
-
-[float]
-===== `co.elastic.metrics/metrics_filters.*`
-
-Metrics filters (for prometheus module only).
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-co.elastic.metrics/module: prometheus
-co.elastic.metrics/metrics_filters.include: node_filesystem_*
-co.elastic.metrics/metrics_filters.exclude: node_filesystem_device_foo,node_filesystem_device_bar
--------------------------------------------------------------------------------------
-
-[float]
-===== `co.elastic.metrics/raw`
-When an entire module configuration needs to be completely set the `raw` hint can be used. You can provide a
-stringified JSON of the input configuration. `raw` overrides every other hint and can be used to create both a single or
-a list of configurations.
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-co.elastic.metrics/raw: "[{\"enabled\":true,\"metricsets\":[\"default\"],\"module\":\"mockmoduledefaults\",\"period\":\"1m\",\"timeout\":\"3s\"}]"
--------------------------------------------------------------------------------------
-
-[float]
-===== `co.elastic.metrics/processors`
-
-Define a processor to be added to the {beatname_uc} module configuration. See <<filtering-and-enhancing-data>> for the list
-of supported processors.
-
-In order to provide ordering of the processor definition, numbers can be provided. If not, the hints builder will do
-arbitrary ordering:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-co.elastic.logs/processors.1.add_locale.abbrevation: "MST"
-co.elastic.logs/processors.add_locale.abbrevation: "PST"
--------------------------------------------------------------------------------------
-
-In the above sample the processor definition tagged with `1` would be executed first.
-
-When hints are used along with templates, then hints will be evaluated only in case
-there is no template's condition that resolves to true. For example:
-
-[source,yaml]
------
-metricbeat.autodiscover.providers:
-  - type: kubernetes
-    hints.enabled: true
-    templates:
-        - condition:
-            contains:
-              kubernetes.annotations.prometheus.io/scrape: "true"
-          config:
-            - module: prometheus
-              metricsets: ["collector"]
-              hosts: "${data.host}:${data.port}"
------
-
-In this example first the condition `kubernetes.annotations.prometheus.io/scrape: "true"`
-is evaluated and if not matched the hints will be processed.
-
-
-[float]
-=== Kubernetes
-
-Kubernetes autodiscover provider supports hints in Pod annotations. To enable it just set `hints.enabled`:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-metricbeat.autodiscover:
-  providers:
-    - type: kubernetes
-      hints.enabled: true
--------------------------------------------------------------------------------------
-
-This configuration enables the `hints` autodiscover for Kubernetes. The `hints` system looks for
-hints in Kubernetes annotations or Docker labels which have the prefix `co.elastic.metrics`.
-
-You can annotate Kubernetes Pods with useful info to spin up {beatname_uc} modules:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-annotations:
-  co.elastic.metrics/module: prometheus
-  co.elastic.metrics/metricsets: collector
-  co.elastic.metrics/hosts: '${data.host}:9090'
-  co.elastic.metrics/period: 1m
--------------------------------------------------------------------------------------
-
-The above annotations are used to spin up a Prometheus collector metricset and it polls the
-parent container on port `9090` at a 1 minute interval.
-
-[float]
-===== Multiple containers
-
-When a Pod has multiple containers, these settings are shared. To set hints specific to a container in
-the pod you can put the container name in the hint.
-
-When a pod has multiple containers, the settings are shared unless you put the container name in the
-hint. For example, these hints configure a common behavior for all containers in the Pod, and sets a specific
-`hosts` hint for the container called `sidecar`.
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-annotations:
-  co.elastic.metrics/module: apache
-  co.elastic.metrics/hosts: '${data.host}:80'
-  co.elastic.metrics.sidecar/hosts: '${data.host}:8080'
--------------------------------------------------------------------------------------
-
-[float]
-===== Multiple sets of hints
-When a container port needs multiple modules to be defined on it, sets of annotations can be provided with numeric prefixes.
-If there are hints that don't have a numeric prefix then they get grouped together into a single configuration.
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-annotations:
-  co.elastic.metrics/1.module: prometheus
-  co.elastic.metrics/1.hosts: '${data.host}:80/metrics'
-  co.elastic.metrics/1.period: 60s
-  co.elastic.metrics/module: prometheus
-  co.elastic.metrics/hosts: '${data.host}:80/metrics/p1'
-  co.elastic.metrics/period: 5s
--------------------------------------------------------------------------------------
-
-The above configuration would spin up two metricbeat module configurations to ensure that the endpoint "/metrics/p1" is
-polled every 5s whereas the "/metrics" endpoint is polled every 60s.
-
-[float]
-=====  Namespace Defaults
-
-Hints can be configured on the Namespace's annotations as defaults to use when Pod level annotations are missing.
-The resultant hints are a combination of Pod annotations and Namespace annotations with the Pod's taking precedence. To
-enable Namespace defaults configure the `add_resource_metadata` for Namespace objects as follows:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-metricbeat.autodiscover:
-  providers:
-    - type: kubernetes
-      hints.enabled: true
-      add_resource_metadata:
-        namespace:
-          include_annotations: ["nsannotation1"]
--------------------------------------------------------------------------------------
-
-
-[float]
-=== Docker
-
-Docker autodiscover provider supports hints in labels. To enable it just set `hints.enabled`:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-metricbeat.autodiscover:
-  providers:
-    - type: docker
-      hints.enabled: true
--------------------------------------------------------------------------------------
-
-You can label Docker containers with useful info to spin up {beatname_uc} modules, for example:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-  co.elastic.metrics/module: nginx
-  co.elastic.metrics/metricsets: stubstatus
-  co.elastic.metrics/hosts: '${data.host}:80'
-  co.elastic.metrics/period: 10s
--------------------------------------------------------------------------------------
-
-The above labels would allow {beatname_uc} to run the nginx module and poll port `80`
-of the Docker container every 10 seconds.
diff --git a/metricbeat/docs/autodiscover-jolokia-config.asciidoc b/metricbeat/docs/autodiscover-jolokia-config.asciidoc
deleted file mode 100644
index b0aab9d40f75..000000000000
--- a/metricbeat/docs/autodiscover-jolokia-config.asciidoc
+++ /dev/null
@@ -1,32 +0,0 @@
-Metricbeat supports templates for modules:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------
-metricbeat.autodiscover:
-  providers:
-    - type: jolokia
-      interfaces:
-      - name: br*
-        interval: 5s
-        grace_period: 10s
-      - name: en*
-      templates:
-      - condition:
-          contains:
-            jolokia.server.product: "tomcat"
-        config:
-        - module: jolokia
-          metricsets: ["jmx"]
-          hosts: "${data.jolokia.url}"
-          namespace: test
-          jmx.mappings:
-          - mbean: "java.lang:type=Runtime"
-            attributes:
-            - attr: Uptime
-              field: uptime
--------------------------------------------------------------------------------
-
-This configuration starts a jolokia module that collects the uptime of each
-`tomcat` instance discovered. Discovery probes are sent using all interfaces
-starting with `br` and `en`, for the `br` interfaces the `interval` and
-`grace_period` is reduced to 5 and 10 seconds respectively.
diff --git a/metricbeat/docs/autodiscover-kubernetes-config.asciidoc b/metricbeat/docs/autodiscover-kubernetes-config.asciidoc
deleted file mode 100644
index dfabef89b721..000000000000
--- a/metricbeat/docs/autodiscover-kubernetes-config.asciidoc
+++ /dev/null
@@ -1,145 +0,0 @@
-Metricbeat supports templates for modules:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-metricbeat.autodiscover:
-  providers:
-    - type: kubernetes
-      include_annotations: ["prometheus.io.scrape"]
-      templates:
-        - condition:
-            contains:
-              kubernetes.annotations.prometheus.io/scrape: "true"
-          config:
-            - module: prometheus
-              metricsets: ["collector"]
-              hosts: "${data.host}:${data.port}"
--------------------------------------------------------------------------------------
-
-This configuration launches a `prometheus` module for all containers of pods annotated `prometheus.io/scrape=true`.
-
-[float]
-===== Manually Defining Ports with Kubernetes
-
-Declare exposed ports in your pod spec if possible. Otherwise, you will need to use
-multiple templates with complex filtering rules. The {port} variable will not be
-present, and you will need to hardcode ports. Example: `{data.host}:1234`
-
-When ports are not declared, Autodiscover generates a config using your provided
-template once per pod, and once per container. These generated configs are
-de-duplicated after they are generated. If the generated configs for multiple
-containers are identical, they will be merged into one config.
-
-Pods share an identical host. If only the `{data.host}` variable is interpolated,
-then one config will be generated per host. The configs will be identical.
-After they are de-duplicated, only one will be used.
-
-In order to target one specific exposed port `{data.host}:{data.ports.web}` can be used
-in template config, where `web` is the name of the exposed container port.
-
-[float]
-[[kubernetes-secrets]]
-===== Metricbeat Autodiscover Secret Management
-
-[float]
-====== Local Keystore
-Metricbeat autodiscover supports leveraging <<keystore>> in order to retrieve sensitive data like passwords.
-Here is an example of how a configuration using keystore would look like:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-metricbeat.autodiscover:
-  providers:
-    - type: kubernetes
-      templates:
-        - condition:
-            contains:
-              kubernetes.labels.app: "redis"
-          config:
-            - module: redis
-              metricsets: ["info", "keyspace"]
-              hosts: "${data.host}:6379"
-              password: "${REDIS_PASSWORD}"
--------------------------------------------------------------------------------------
-
-where `REDIS_PASSWORD` is a key stored in local keystore of Metricbeat.
-
-[float]
-===== Kubernetes Secrets
-Metricbeat autodiscover supports leveraging https://kubernetes.io/docs/concepts/configuration/secret/[Kubernetes secrets]
-in order to retrieve sensitive data like passwords. In order to enable this feature add the following section
-in Metricbeat's `ClusterRole` rules:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-- apiGroups: [""]
-  resources:
-    - secrets
-  verbs: ["get"]
--------------------------------------------------------------------------------------
-
-CAUTION: The above rule will give permission to Metricbeat Pod to access Kubernetes Secrets API.
-This means that anyone who have access to Metricbeat Pod (`kubectl exec` for example) will be able to access
-Kubernetes Secrets API and get a specific secret no matter which namespace it belongs to.
-This option should be carefully considered, specially when used with hints.
-
-One option to give permissions only for one namespace, and not cluster-scoped, is to use
-a specific Role for a targeted namespace so as to better control access:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  namespace: marketing-team
-  name: secret-reader
-rules:
-- apiGroups: [""] # "" indicates the core API group
-  resources: ["secrets"]
-  verbs: ["get"]
--------------------------------------------------------------------------------------
-
-One can find more info about Role and ClusterRole in the official Kubernetes
-https://kubernetes.io/docs/reference/access-authn-authz/rbac/[documentation].
-
-Here is an example of how a configuration using Kubernetes secrets would look like:
-
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-metricbeat.autodiscover:
-  providers:
-    - type: kubernetes
-      templates:
-        - condition:
-            contains:
-              kubernetes.labels.app: "redis"
-          config:
-            - module: redis
-              metricsets: ["info", "keyspace"]
-              hosts: "${data.host}:6379"
-              password: "${kubernetes.default.somesecret.value}"
--------------------------------------------------------------------------------------
-
-where `kubernetes.default.somesecret.value` specifies a key stored as Kubernetes secret as following:
-
-. Kubernetes Namespace: `default`
-. Kubernetes Secret Name: `somesecret`
-. Secret Data Key: `value`
-
-This secret can be created in a Kubernetes environment using the following command:
-["source","yaml",subs="attributes"]
--------------------------------------------------------------------------------------
-cat << EOF | kubectl apply -f -
-apiVersion: v1
-kind: Secret
-metadata:
-  name: somesecret
-type: Opaque
-data:
-  value: $(echo -n "passpass" | base64)
-EOF
--------------------------------------------------------------------------------------
-
-
-Note that Pods can only consume secrets that belong to the same Kubernetes namespace. For instance if Pod `my-redis`
-is running under `staging` namespace, it cannot access a secret under `testing` namespace for example `kubernetes.testing.xxx.yyy`.
diff --git a/metricbeat/docs/aws-credentials-examples.asciidoc b/metricbeat/docs/aws-credentials-examples.asciidoc
deleted file mode 100644
index 2d9863f92fd5..000000000000
--- a/metricbeat/docs/aws-credentials-examples.asciidoc
+++ /dev/null
@@ -1,65 +0,0 @@
-* Use AWS credentials in Metricbeat configuration
-+
-[source,yaml]
-----
-metricbeat.modules:
-- module: aws
-  period: 300s
-  metricsets:
-    - ec2
-  access_key_id: '<access_key_id>'
-  secret_access_key: '<secret_access_key>'
-  session_token: '<session_token>'
-----
-+
-or
-+
-[source,yaml]
-----
-metricbeat.modules:
-- module: aws
-  period: 300s
-  metricsets:
-    - ec2
-  access_key_id: '${AWS_ACCESS_KEY_ID:""}'
-  secret_access_key: '${AWS_SECRET_ACCESS_KEY:""}'
-  session_token: '${AWS_SESSION_TOKEN:""}'
-----
-
-* Use IAM role ARN
-+
-[source,yaml]
-----
-metricbeat.modules:
-- module: aws
-  period: 300s
-  metricsets:
-    - ec2
-  role_arn: arn:aws:iam::123456789012:role/test-mb
-----
-
-* Use shared AWS credentials file
-+
-[source,yaml]
-----
-metricbeat.modules:
-- module: aws
-  period: 300s
-  metricsets:
-    - ec2
-  credential_profile_name: test-mb
-----
-
-* Use IAM role ARN with shared AWS credentials file
-+
-[source,yaml]
-----
-metricbeat.modules:
-- module: aws
-  period: 5m
-  role_arn: arn:aws:iam::123456789012:role/test-mb
-  shared_credential_file: /Users/mb/.aws/credentials_backup
-  credential_profile_name: test
-  metricsets:
-    - ec2
-----
diff --git a/metricbeat/docs/configuring-howto.asciidoc b/metricbeat/docs/configuring-howto.asciidoc
deleted file mode 100644
index 25202cee1a63..000000000000
--- a/metricbeat/docs/configuring-howto.asciidoc
+++ /dev/null
@@ -1,74 +0,0 @@
-[[configuring-howto-metricbeat]]
-= Configure {beatname_uc}
-
-[partintro]
---
-++++
-<titleabbrev>Configure</titleabbrev>
-++++
-
-include::{libbeat-dir}/shared/configuring-intro.asciidoc[]
-
-* <<configuration-metricbeat>>
-* <<configuration-general-options>>
-* <<configuration-path>>
-* <<metricbeat-configuration-reloading>>
-* <<configuring-output>>
-* <<configuration-ssl>>
-* <<ilm>>
-* <<configuration-template>>
-* <<setup-kibana-endpoint>>
-* <<configuration-dashboards>>
-* <<filtering-and-enhancing-data>>
-* <<configuration-autodiscover>>
-* <<configuring-internal-queue>>
-* <<configuration-logging>>
-* <<http-endpoint>>
-* <<regexp-support>>
-* <<configuration-instrumentation>>
-* <<configuration-feature-flags>>
-* <<{beatname_lc}-reference-yml>>
-
---
-
-include::./metricbeat-options.asciidoc[]
-
-include::./metricbeat-general-options.asciidoc[]
-
-include::{libbeat-dir}/shared-path-config.asciidoc[]
-
-include::{docdir}/../docs/reload-configuration.asciidoc[]
-
-include::{libbeat-dir}/outputconfig.asciidoc[]
-
-ifndef::no_kerberos[]
-include::{libbeat-dir}/shared-kerberos-config.asciidoc[]
-endif::[]
-
-include::{libbeat-dir}/shared-ssl-config.asciidoc[]
-
-include::{libbeat-dir}/shared-ilm.asciidoc[]
-
-include::{libbeat-dir}/setup-config.asciidoc[]
-
-include::./metricbeat-filtering.asciidoc[]
-
-:autodiscoverJolokia:
-:autodiscoverHints:
-:autodiscoverAWSEC2:
-include::{libbeat-dir}/shared-autodiscover.asciidoc[]
-:autodiscoverAWSEC2!:
-
-include::{libbeat-dir}/queueconfig.asciidoc[]
-
-include::{libbeat-dir}/loggingconfig.asciidoc[]
-
-include::{libbeat-dir}/http-endpoint.asciidoc[]
-
-include::{libbeat-dir}/regexp.asciidoc[]
-
-include::{libbeat-dir}/shared-instrumentation.asciidoc[]
-
-include::{libbeat-dir}/shared-feature-flags.asciidoc[]
-
-include::{libbeat-dir}/reference-yml.asciidoc[]
diff --git a/metricbeat/docs/faq-unexpected-metrics.asciidoc b/metricbeat/docs/faq-unexpected-metrics.asciidoc
deleted file mode 100644
index 4b65c559f76f..000000000000
--- a/metricbeat/docs/faq-unexpected-metrics.asciidoc
+++ /dev/null
@@ -1,34 +0,0 @@
-[[faq-unexpected-metrics]]
-=== {beatname_uc} collects system metrics for interfaces you didn't configure
-
-The <<metricbeat-module-system,System>> module specifies several metricsets
-that are enabled by default unless you explicitly disable them. To disable a
-default metricset, comment it out in the `modules.d/system.yml` configuration
-file. If _all_ metricsets are commented out and the System module is enabled,
-{beatname_uc} uses the default metricsets.
-
-For example, to disable the `network` metricset, comment it out:
-
-[source,yaml]
-----
-  - module: system
-    period: 10s
-    metricsets:
-      - cpu
-      - load
-      - memory
-      #- network
-      - process
-      - process_summary
-      - socket_summary
-      #- entropy
-      #- core
-      #- diskio
-      #- socket
-----
-
-You cannot override the default configuration by adding another module
-definition to the configuration. There is no concept of inheritance.
-{beatname_uc} combines all module configurations at runtime. This enables you to
-specify module definitions that use different combinations of metricsets,
-periods, and hosts.
diff --git a/metricbeat/docs/faq.asciidoc b/metricbeat/docs/faq.asciidoc
deleted file mode 100644
index 81c188a520f8..000000000000
--- a/metricbeat/docs/faq.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-[[faq]]
-== Common problems
-
-This section describes common problems you might encounter with
-{beatname_uc}. Also check out the
-https://discuss.elastic.co/c/beats/{beatname_lc}[{beatname_uc} discussion forum].
-
-[[freebsd-no-such-file]]
-=== "open /compat/linux/proc: no such file or directory" error on FreeBSD
-
-The system metricsets rely on a Linux compatibility layer to retrieve metrics on
-FreeBSD. You need to mount the Linux procfs filesystem using the following
-commands. You may want to add these filesystems to your `/etc/fstab` so they are
-mounted automatically.
-
-[source,sh]
-----
-sudo mount -t procfs proc /proc
-sudo mkdir -p /compat/linux/proc
-sudo mount -t linprocfs /dev/null /compat/linux/proc
-----
-
-include::faq-unexpected-metrics.asciidoc[]
-
-include::{libbeat-dir}/faq-limit-bandwidth.asciidoc[]
-
-include::{libbeat-dir}/shared-faq.asciidoc[]
diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc
deleted file mode 100644
index 5c965f89db31..000000000000
--- a/metricbeat/docs/fields.asciidoc
+++ /dev/null
@@ -1,68959 +0,0 @@
-
-////
-This file is generated! See _meta/fields.yml and scripts/generate_fields_docs.py
-////
-
-:edit_url:
-
-[[exported-fields]]
-= Exported fields
-
-[partintro]
-
---
-This document describes the fields that are exported by Metricbeat. They are
-grouped in the following categories:
-
-* <<exported-fields-activemq>>
-* <<exported-fields-aerospike>>
-* <<exported-fields-airflow>>
-* <<exported-fields-apache>>
-* <<exported-fields-aws>>
-* <<exported-fields-awsfargate>>
-* <<exported-fields-azure>>
-* <<exported-fields-beat-common>>
-* <<exported-fields-beat>>
-* <<exported-fields-benchmark>>
-* <<exported-fields-ceph>>
-* <<exported-fields-cloud>>
-* <<exported-fields-cloudfoundry>>
-* <<exported-fields-cockroachdb>>
-* <<exported-fields-common>>
-* <<exported-fields-consul>>
-* <<exported-fields-containerd>>
-* <<exported-fields-coredns>>
-* <<exported-fields-couchbase>>
-* <<exported-fields-couchdb>>
-* <<exported-fields-docker-processor>>
-* <<exported-fields-docker>>
-* <<exported-fields-dropwizard>>
-* <<exported-fields-ecs>>
-* <<exported-fields-elasticsearch>>
-* <<exported-fields-envoyproxy>>
-* <<exported-fields-etcd>>
-* <<exported-fields-gcp>>
-* <<exported-fields-golang>>
-* <<exported-fields-graphite>>
-* <<exported-fields-haproxy>>
-* <<exported-fields-host-processor>>
-* <<exported-fields-http>>
-* <<exported-fields-ibmmq>>
-* <<exported-fields-iis>>
-* <<exported-fields-istio>>
-* <<exported-fields-jolokia>>
-* <<exported-fields-jolokia-autodiscover>>
-* <<exported-fields-kafka>>
-* <<exported-fields-kibana>>
-* <<exported-fields-kubernetes-processor>>
-* <<exported-fields-kubernetes>>
-* <<exported-fields-kvm>>
-* <<exported-fields-linux>>
-* <<exported-fields-logstash>>
-* <<exported-fields-memcached>>
-* <<exported-fields-meraki>>
-* <<exported-fields-mongodb>>
-* <<exported-fields-mssql>>
-* <<exported-fields-munin>>
-* <<exported-fields-mysql>>
-* <<exported-fields-nats>>
-* <<exported-fields-nginx>>
-* <<exported-fields-openai>>
-* <<exported-fields-openmetrics>>
-* <<exported-fields-oracle>>
-* <<exported-fields-panw>>
-* <<exported-fields-php_fpm>>
-* <<exported-fields-postgresql>>
-* <<exported-fields-process>>
-* <<exported-fields-prometheus>>
-* <<exported-fields-prometheus-xpack>>
-* <<exported-fields-rabbitmq>>
-* <<exported-fields-redis>>
-* <<exported-fields-redisenterprise>>
-* <<exported-fields-sql>>
-* <<exported-fields-stan>>
-* <<exported-fields-statsd>>
-* <<exported-fields-syncgateway>>
-* <<exported-fields-system>>
-* <<exported-fields-tomcat>>
-* <<exported-fields-traefik>>
-* <<exported-fields-uwsgi>>
-* <<exported-fields-vsphere>>
-* <<exported-fields-windows>>
-* <<exported-fields-zookeeper>>
-
---
-[[exported-fields-activemq]]
-== ActiveMQ fields
-
-activemq module
-
-
-
-[float]
-=== activemq
-
-
-
-
-[float]
-=== broker
-
-Broker metrics from org.apache.activemq:brokerName=*,type=Broker
-
-
-*`activemq.broker.mbean`*::
-+
---
-Mbean that this event is related to
-
-type: keyword
-
---
-
-*`activemq.broker.name`*::
-+
---
-Broker name
-
-type: keyword
-
---
-
-*`activemq.broker.memory.broker.pct`*::
-+
---
-The percentage of the memory limit used.
-
-type: scaled_float
-
-format: percent
-
---
-
-*`activemq.broker.memory.store.pct`*::
-+
---
-Percent of store limit used.
-
-type: scaled_float
-
-format: percent
-
---
-
-*`activemq.broker.memory.temp.pct`*::
-+
---
-The percentage of the temp usage limit used.
-
-type: scaled_float
-
-format: percent
-
---
-
-*`activemq.broker.connections.count`*::
-+
---
-Total number of connections.
-
-type: long
-
---
-
-*`activemq.broker.consumers.count`*::
-+
---
-Number of message consumers.
-
-type: long
-
---
-
-*`activemq.broker.messages.dequeue.count`*::
-+
---
-Number of messages that have been acknowledged on the broker.
-
-type: long
-
---
-
-*`activemq.broker.messages.enqueue.count`*::
-+
---
-Number of messages that have been sent to the destination.
-
-type: long
-
---
-
-*`activemq.broker.messages.count`*::
-+
---
-Number of unacknowledged messages on the broker.
-
-type: long
-
---
-
-*`activemq.broker.producers.count`*::
-+
---
-Number of message producers active on destinations on the broker.
-
-type: long
-
---
-
-[float]
-=== queue
-
-Queue metrics from org.apache.activemq:brokerName=*,destinationName=*,destinationType=Queue,type=Broker
-
-
-*`activemq.queue.mbean`*::
-+
---
-Mbean that this event is related to
-
-type: keyword
-
---
-
-*`activemq.queue.name`*::
-+
---
-Queue name
-
-type: keyword
-
---
-
-*`activemq.queue.size`*::
-+
---
-Queue size
-
-type: long
-
---
-
-*`activemq.queue.messages.enqueue.time.avg`*::
-+
---
-Average time a message was held on this destination.
-
-type: double
-
---
-
-*`activemq.queue.messages.size.avg`*::
-+
---
-Average message size on this destination.
-
-type: long
-
---
-
-*`activemq.queue.consumers.count`*::
-+
---
-Number of consumers subscribed to this destination.
-
-type: long
-
---
-
-*`activemq.queue.messages.dequeue.count`*::
-+
---
-Number of messages that has been acknowledged (and removed) from the destination.
-
-type: long
-
---
-
-*`activemq.queue.messages.dispatch.count`*::
-+
---
-Number of messages that has been delivered to consumers, including those not acknowledged.
-
-type: long
-
---
-
-*`activemq.queue.messages.enqueue.count`*::
-+
---
-Number of messages that have been sent to the destination.
-
-type: long
-
---
-
-*`activemq.queue.messages.expired.count`*::
-+
---
-Number of messages that have been expired.
-
-type: long
-
---
-
-*`activemq.queue.messages.inflight.count`*::
-+
---
-Number of messages that have been dispatched to, but not acknowledged by, consumers.
-
-type: long
-
---
-
-*`activemq.queue.messages.enqueue.time.max`*::
-+
---
-The longest time a message was held on this destination.
-
-type: long
-
---
-
-*`activemq.queue.memory.broker.pct`*::
-+
---
-Percent of memory limit used.
-
-type: scaled_float
-
-format: percent
-
---
-
-*`activemq.queue.messages.enqueue.time.min`*::
-+
---
-The shortest time a message was held on this destination.
-
-type: long
-
---
-
-*`activemq.queue.producers.count`*::
-+
---
-Number of producers attached to this destination.
-
-type: long
-
---
-
-[float]
-=== topic
-
-Topic metrics from org.apache.activemq:brokerName=*,destinationName=*,destinationType=Topic,type=Broker
-
-
-*`activemq.topic.mbean`*::
-+
---
-Mbean that this event is related to
-
-type: keyword
-
---
-
-*`activemq.topic.name`*::
-+
---
-Topic name
-
-type: keyword
-
---
-
-*`activemq.topic.messages.enqueue.time.avg`*::
-+
---
-Average time a message was held on this destination.
-
-type: double
-
---
-
-*`activemq.topic.messages.size.avg`*::
-+
---
-Average message size on this destination.
-
-type: long
-
---
-
-*`activemq.topic.consumers.count`*::
-+
---
-Number of consumers subscribed to this destination.
-
-type: long
-
---
-
-*`activemq.topic.messages.dequeue.count`*::
-+
---
-Number of messages that has been acknowledged (and removed) from the destination.
-
-type: long
-
---
-
-*`activemq.topic.messages.dispatch.count`*::
-+
---
-Number of messages that has been delivered to consumers, including those not acknowledged.
-
-type: long
-
---
-
-*`activemq.topic.messages.enqueue.count`*::
-+
---
-Number of messages that have been sent to the destination.
-
-type: long
-
---
-
-*`activemq.topic.messages.expired.count`*::
-+
---
-Number of messages that have been expired.
-
-type: long
-
---
-
-*`activemq.topic.messages.inflight.count`*::
-+
---
-Number of messages that have been dispatched to, but not acknowledged by, consumers.
-
-type: long
-
---
-
-*`activemq.topic.messages.enqueue.time.max`*::
-+
---
-The longest time a message was held on this destination.
-
-type: long
-
---
-
-*`activemq.topic.memory.broker.pct`*::
-+
---
-Percent of memory limit used.
-
-type: scaled_float
-
-format: percent
-
---
-
-*`activemq.topic.messages.enqueue.time.min`*::
-+
---
-The shortest time a message was held on this destination.
-
-type: long
-
---
-
-*`activemq.topic.producers.count`*::
-+
---
-Number of producers attached to this destination.
-
-type: long
-
---
-
-[[exported-fields-aerospike]]
-== Aerospike fields
-
-Aerospike module
-
-
-
-[float]
-=== aerospike
-
-
-
-
-[float]
-=== namespace
-
-namespace
-
-
-
-[float]
-=== client
-
-Client stats.
-
-
-
-[float]
-=== delete
-
-Client delete transactions stats.
-
-
-
-*`aerospike.namespace.client.delete.error`*::
-+
---
-Number of client delete transactions that failed with an error.
-
-
-type: long
-
---
-
-*`aerospike.namespace.client.delete.not_found`*::
-+
---
-Number of client delete transactions that resulted in a not found.
-
-
-type: long
-
---
-
-*`aerospike.namespace.client.delete.success`*::
-+
---
-Number of successful client delete transactions.
-
-
-type: long
-
---
-
-*`aerospike.namespace.client.delete.timeout`*::
-+
---
-Number of client delete transactions that timed out.
-
-
-type: long
-
---
-
-[float]
-=== read
-
-Client read transactions stats.
-
-
-
-*`aerospike.namespace.client.read.error`*::
-+
---
-Number of client read transaction errors.
-
-
-type: long
-
---
-
-*`aerospike.namespace.client.read.not_found`*::
-+
---
-Number of client read transaction that resulted in not found.
-
-
-type: long
-
---
-
-*`aerospike.namespace.client.read.success`*::
-+
---
-Number of successful client read transactions.
-
-
-type: long
-
---
-
-*`aerospike.namespace.client.read.timeout`*::
-+
---
-Number of client read transaction that timed out.
-
-
-type: long
-
---
-
-[float]
-=== write
-
-Client write transactions stats.
-
-
-
-*`aerospike.namespace.client.write.error`*::
-+
---
-Number of client write transactions that failed with an error.
-
-
-type: long
-
---
-
-*`aerospike.namespace.client.write.success`*::
-+
---
-Number of successful client write transactions.
-
-
-type: long
-
---
-
-*`aerospike.namespace.client.write.timeout`*::
-+
---
-Number of client write transactions that timed out.
-
-
-type: long
-
---
-
-[float]
-=== device
-
-Disk storage stats
-
-
-
-*`aerospike.namespace.device.available.pct`*::
-+
---
-Measures the minimum contiguous disk space across all disks in a namespace.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`aerospike.namespace.device.free.pct`*::
-+
---
-Percentage of disk capacity free for this namespace.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`aerospike.namespace.device.total.bytes`*::
-+
---
-Total bytes of disk space allocated to this namespace on this node.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aerospike.namespace.device.used.bytes`*::
-+
---
-Total bytes of disk space used by this namespace on this node.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aerospike.namespace.hwm_breached`*::
-+
---
-If true, Aerospike has breached 'high-water-[disk|memory]-pct' for this namespace.
-
-
-type: boolean
-
---
-
-[float]
-=== memory
-
-Memory storage stats.
-
-
-
-*`aerospike.namespace.memory.free.pct`*::
-+
---
-Percentage of memory capacity free for this namespace on this node.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`aerospike.namespace.memory.used.data.bytes`*::
-+
---
-Amount of memory occupied by data for this namespace on this node.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aerospike.namespace.memory.used.index.bytes`*::
-+
---
-Amount of memory occupied by the index for this namespace on this node.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aerospike.namespace.memory.used.sindex.bytes`*::
-+
---
-Amount of memory occupied by secondary indexes for this namespace on this node.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aerospike.namespace.memory.used.total.bytes`*::
-+
---
-Total bytes of memory used by this namespace on this node.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aerospike.namespace.name`*::
-+
---
-Namespace name
-
-
-type: keyword
-
---
-
-*`aerospike.namespace.node.host`*::
-+
---
-Node host
-
-
-type: keyword
-
---
-
-*`aerospike.namespace.node.name`*::
-+
---
-Node name
-
-
-type: keyword
-
---
-
-[float]
-=== objects
-
-Records stats.
-
-
-
-*`aerospike.namespace.objects.master`*::
-+
---
-Number of records on this node which are active masters.
-
-
-type: long
-
---
-
-*`aerospike.namespace.objects.total`*::
-+
---
-Number of records in this namespace for this node.
-
-
-type: long
-
---
-
-*`aerospike.namespace.stop_writes`*::
-+
---
-If true this namespace is currently not allowing writes.
-
-
-type: boolean
-
---
-
-[[exported-fields-airflow]]
-== Airflow fields
-
-Airflow module
-
-
-
-
-*`airflow.*.1m_rate`*::
-+
---
-Airflow 1m rate timers metric
-
-
-type: object
-
---
-
-*`airflow.*.5m_rate`*::
-+
---
-Airflow 5m rate timers metric
-
-
-type: object
-
---
-
-*`airflow.*.15m_rate`*::
-+
---
-Airflow 15 rate timers metric
-
-
-type: object
-
---
-
-*`airflow.*.count`*::
-+
---
-Airflow counters
-
-
-type: object
-
---
-
-*`airflow.*.max`*::
-+
---
-Airflow max timers metric
-
-
-type: object
-
---
-
-*`airflow.*.mean_rate`*::
-+
---
-Airflow mean rate timers metric
-
-
-type: object
-
---
-
-*`airflow.*.mean`*::
-+
---
-Airflow mean timers metric
-
-
-type: object
-
---
-
-*`airflow.*.median`*::
-+
---
-Airflow median timers metric
-
-
-type: object
-
---
-
-*`airflow.*.min`*::
-+
---
-Airflow min timers metric
-
-
-type: object
-
---
-
-*`airflow.*.p75`*::
-+
---
-Airflow 75 percentile timers metric
-
-
-type: object
-
---
-
-*`airflow.*.p95`*::
-+
---
-Airflow 95 percentile timers metric
-
-
-type: object
-
---
-
-*`airflow.*.p99_9`*::
-+
---
-Airflow 99.9 percentile timers metric
-
-
-type: object
-
---
-
-*`airflow.*.p99`*::
-+
---
-Airflow 99 percentile timers metric
-
-
-type: object
-
---
-
-*`airflow.*.stddev`*::
-+
---
-Airflow standard deviation timers metric
-
-
-type: object
-
---
-
-*`airflow.*.value`*::
-+
---
-Airflow gauges
-
-
-type: object
-
---
-
-*`airflow.dag_file`*::
-+
---
-Airflow dag file metadata
-
-
-type: keyword
-
---
-
-*`airflow.dag_id`*::
-+
---
-Airflow dag id metadata
-
-
-type: keyword
-
---
-
-*`airflow.job_name`*::
-+
---
-Airflow job name metadata
-
-
-type: keyword
-
---
-
-*`airflow.operator_name`*::
-+
---
-Airflow operator name metadata
-
-
-type: keyword
-
---
-
-*`airflow.pool_name`*::
-+
---
-Airflow pool name metadata
-
-
-type: keyword
-
---
-
-*`airflow.status`*::
-+
---
-Airflow status metadata
-
-
-type: keyword
-
---
-
-*`airflow.task_id`*::
-+
---
-Airflow task id metadata
-
-
-type: keyword
-
---
-
-[[exported-fields-apache]]
-== Apache fields
-
-Apache HTTPD server metricsets collected from the Apache web server.
-
-
-
-[float]
-=== apache
-
-`apache` contains the metrics that were scraped from Apache.
-
-
-
-[float]
-=== status
-
-`status` contains the metrics that were scraped from the Apache status page.
-
-
-
-*`apache.status.hostname`*::
-+
---
-Apache hostname.
-
-
-type: keyword
-
---
-
-*`apache.status.total_accesses`*::
-+
---
-Total number of access requests.
-
-
-type: long
-
---
-
-*`apache.status.total_kbytes`*::
-+
---
-Total number of kilobytes served.
-
-
-type: long
-
---
-
-*`apache.status.requests_per_sec`*::
-+
---
-Requests per second.
-
-
-type: scaled_float
-
---
-
-*`apache.status.bytes_per_sec`*::
-+
---
-Bytes per second.
-
-
-type: scaled_float
-
---
-
-*`apache.status.bytes_per_request`*::
-+
---
-Bytes per request.
-
-
-type: scaled_float
-
---
-
-*`apache.status.workers.busy`*::
-+
---
-Number of busy workers.
-
-
-type: long
-
---
-
-*`apache.status.workers.idle`*::
-+
---
-Number of idle workers.
-
-
-type: long
-
---
-
-[float]
-=== uptime
-
-Uptime stats.
-
-
-
-*`apache.status.uptime.server_uptime`*::
-+
---
-Server uptime in seconds.
-
-
-type: long
-
---
-
-*`apache.status.uptime.uptime`*::
-+
---
-Server uptime.
-
-
-type: long
-
---
-
-[float]
-=== cpu
-
-CPU stats.
-
-
-
-*`apache.status.cpu.load`*::
-+
---
-CPU Load.
-
-
-type: scaled_float
-
---
-
-*`apache.status.cpu.user`*::
-+
---
-CPU user load.
-
-
-type: scaled_float
-
---
-
-*`apache.status.cpu.system`*::
-+
---
-System cpu.
-
-
-type: scaled_float
-
---
-
-*`apache.status.cpu.children_user`*::
-+
---
-CPU of children user.
-
-
-type: scaled_float
-
---
-
-*`apache.status.cpu.children_system`*::
-+
---
-CPU of children system.
-
-
-type: scaled_float
-
---
-
-[float]
-=== connections
-
-Connection stats.
-
-
-
-*`apache.status.connections.total`*::
-+
---
-Total connections.
-
-
-type: long
-
---
-
-*`apache.status.connections.async.writing`*::
-+
---
-Async connection writing.
-
-
-type: long
-
---
-
-*`apache.status.connections.async.keep_alive`*::
-+
---
-Async keeped alive connections.
-
-
-type: long
-
---
-
-*`apache.status.connections.async.closing`*::
-+
---
-Async closed connections.
-
-
-type: long
-
---
-
-[float]
-=== load
-
-Load averages.
-
-
-
-*`apache.status.load.1`*::
-+
---
-Load average for the last minute.
-
-
-type: scaled_float
-
---
-
-*`apache.status.load.5`*::
-+
---
-Load average for the last 5 minutes.
-
-
-type: scaled_float
-
---
-
-*`apache.status.load.15`*::
-+
---
-Load average for the last 15 minutes.
-
-
-type: scaled_float
-
---
-
-[float]
-=== scoreboard
-
-Scoreboard metrics.
-
-
-
-*`apache.status.scoreboard.starting_up`*::
-+
---
-Starting up.
-
-
-type: long
-
---
-
-*`apache.status.scoreboard.reading_request`*::
-+
---
-Reading requests.
-
-
-type: long
-
---
-
-*`apache.status.scoreboard.sending_reply`*::
-+
---
-Sending Reply.
-
-
-type: long
-
---
-
-*`apache.status.scoreboard.keepalive`*::
-+
---
-Keep alive.
-
-
-type: long
-
---
-
-*`apache.status.scoreboard.dns_lookup`*::
-+
---
-Dns Lookups.
-
-
-type: long
-
---
-
-*`apache.status.scoreboard.closing_connection`*::
-+
---
-Closing connections.
-
-
-type: long
-
---
-
-*`apache.status.scoreboard.logging`*::
-+
---
-Logging
-
-
-type: long
-
---
-
-*`apache.status.scoreboard.gracefully_finishing`*::
-+
---
-Gracefully finishing.
-
-
-type: long
-
---
-
-*`apache.status.scoreboard.idle_cleanup`*::
-+
---
-Idle cleanups.
-
-
-type: long
-
---
-
-*`apache.status.scoreboard.open_slot`*::
-+
---
-Open slots.
-
-
-type: long
-
---
-
-*`apache.status.scoreboard.waiting_for_connection`*::
-+
---
-Waiting for connections.
-
-
-type: long
-
---
-
-*`apache.status.scoreboard.total`*::
-+
---
-Total.
-
-
-type: long
-
---
-
-[[exported-fields-aws]]
-== AWS fields
-
-`aws` module collects AWS monitoring metrics from AWS Cloudwatch.
-
-
-
-[float]
-=== aws
-
-
-
-
-*`aws.tags.*`*::
-+
---
-Tag key value pairs from aws resources.
-
-
-type: object
-
---
-
-*`aws.s3.bucket.name`*::
-+
---
-Name of a S3 bucket.
-
-
-type: keyword
-
---
-
-*`aws.dimensions.*`*::
-+
---
-Metric dimensions.
-
-
-type: object
-
---
-
-*`aws.*.metrics.*.*`*::
-+
---
-Metrics that returned from Cloudwatch API query.
-
-
-type: object
-
---
-
-
-*`aws.linked_account.id`*::
-+
---
-ID used to identify linked account.
-
-
-type: keyword
-
---
-
-*`aws.linked_account.name`*::
-+
---
-Name or alias used to identify linked account.
-
-
-type: keyword
-
---
-
-[float]
-=== awshealth
-
-AWS Health metrics
-
-
-
-*`aws.awshealth.affected_entities_others`*::
-+
---
-The number of affected resources related to the event whose status cannot be verified.
-
-
-type: float
-
---
-
-*`aws.awshealth.affected_entities_pending`*::
-+
---
-The number of affected resources that may require action.
-
-
-type: float
-
---
-
-*`aws.awshealth.affected_entities_resolved`*::
-+
---
-The number of affected resources that do not require any action.
-
-
-type: float
-
---
-
-*`aws.awshealth.end_time`*::
-+
---
-The date and time when the event ended. Some events may not have an end date.
-
-
-type: date
-
---
-
-*`aws.awshealth.event_arn`*::
-+
---
-The unique identifier for the event. The event ARN has the format arn:aws:health:event-region::event/SERVICE/EVENT_TYPE_CODE/EVENT_TYPE_PLUS_ID.
-
-
-type: keyword
-
---
-
-*`aws.awshealth.event_scope_code`*::
-+
---
-This parameter specifies whether the Health event is a public Amazon Web Service event or an account-specific event. Allowed values are PUBLIC, ACCOUNT_SPECIFIC, or NONE. 
-
-
-type: keyword
-
---
-
-*`aws.awshealth.event_type_category`*::
-+
---
-The event type category code. Possible values are issue, accountNotification, or scheduledChange.
-
-
-type: keyword
-
---
-
-*`aws.awshealth.event_type_code`*::
-+
---
-The unique identifier for the event type. The format is AWS_SERVICE_DESCRIPTION.
-
-
-type: keyword
-
---
-
-*`aws.awshealth.last_updated_time`*::
-+
---
-The most recent date and time when the event was updated.
-
-
-type: date
-
---
-
-*`aws.awshealth.region`*::
-+
---
-The Amazon Web Services Region name of the event.
-
-
-type: keyword
-
---
-
-*`aws.awshealth.service`*::
-+
---
-The Amazon Web Service affected by the event. For example, EC2 or RDS.
-
-
-type: keyword
-
---
-
-*`aws.awshealth.start_time`*::
-+
---
-The date and time when the event began.
-
-
-type: date
-
---
-
-*`aws.awshealth.status_code`*::
-+
---
-The most recent status of the event. Possible values are open, closed, and upcoming.
-
-
-type: keyword
-
---
-
-*`aws.awshealth.event_description`*::
-+
---
-The detailed description of the event.
-
-
-type: text
-
---
-
-*`aws.awshealth.affected_entities`*::
-+
---
-Information about an entity affected by a AWS Health event.
-
-
-type: array
-
---
-
-*`aws.awshealth.affected_entities.aws_account_id`*::
-+
---
-The Amazon Web Services account number that contains the affected entity.
-
-
-type: keyword
-
---
-
-*`aws.awshealth.affected_entities.entity_url`*::
-+
---
-The URL of the affected entity.
-
-
-type: keyword
-
---
-
-*`aws.awshealth.affected_entities.entity_value`*::
-+
---
-The ID of the affected entity.
-
-
-type: keyword
-
---
-
-*`aws.awshealth.affected_entities.last_updated_time`*::
-+
---
-The most recent time that the entity was updated.
-
-
-type: date
-
---
-
-*`aws.awshealth.affected_entities.status_code`*::
-+
---
-The most recent status of the event. Possible values are open, closed, and upcoming.
-
-
-type: keyword
-
---
-
-*`aws.awshealth.affected_entities.entity_arn`*::
-+
---
-The unique identifier for the entity. The entity ARN has the format: arn:aws:health:entity-region:aws-account:entity/entity-id.
-
-
-type: keyword
-
---
-
-[float]
-=== billing
-
-`billing` contains the estimated charges for your AWS account in Cloudwatch.
-
-
-
-*`aws.billing.EstimatedCharges`*::
-+
---
-Maximum estimated charges for AWS acccount.
-
-type: long
-
---
-
-*`aws.billing.Currency`*::
-+
---
-Estimated charges currency unit.
-
-type: keyword
-
---
-
-*`aws.billing.ServiceName`*::
-+
---
-Service name for the maximum estimated charges.
-
-type: keyword
-
---
-
-
-*`aws.billing.AmortizedCost.amount`*::
-+
---
-Amortized cost amount
-
-type: double
-
---
-
-*`aws.billing.AmortizedCost.unit`*::
-+
---
-Amortized cost unit
-
-type: keyword
-
---
-
-
-*`aws.billing.BlendedCost.amount`*::
-+
---
-Blended cost amount
-
-type: double
-
---
-
-*`aws.billing.BlendedCost.unit`*::
-+
---
-Blended cost unit
-
-type: keyword
-
---
-
-
-*`aws.billing.NormalizedUsageAmount.amount`*::
-+
---
-Normalized usage amount
-
-type: double
-
---
-
-*`aws.billing.NormalizedUsageAmount.unit`*::
-+
---
-Normalized usage amount unit
-
-type: keyword
-
---
-
-
-*`aws.billing.UnblendedCost.amount`*::
-+
---
-Unblended cost amount
-
-type: double
-
---
-
-*`aws.billing.UnblendedCost.unit`*::
-+
---
-Unblended cost unit
-
-type: keyword
-
---
-
-
-*`aws.billing.UsageQuantity.amount`*::
-+
---
-Usage quantity amount
-
-type: double
-
---
-
-*`aws.billing.UsageQuantity.unit`*::
-+
---
-Usage quantity unit
-
-type: keyword
-
---
-
-*`aws.billing.start_date`*::
-+
---
-Start date for retrieving AWS costs
-
-type: keyword
-
---
-
-*`aws.billing.end_date`*::
-+
---
-End date for retrieving AWS costs
-
-type: keyword
-
---
-
-
-*`aws.billing.group_definition.key`*::
-+
---
-The string that represents a key for a specified group
-
-type: keyword
-
---
-
-*`aws.billing.group_definition.type`*::
-+
---
-The string that represents the type of group
-
-type: keyword
-
---
-
-*`aws.billing.group_by.*`*::
-+
---
-Cost explorer group by key values
-
-
-type: object
-
---
-
-[float]
-=== cloudwatch
-
-`cloudwatch` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by different namespaces.
-
-
-
-*`aws.cloudwatch.namespace`*::
-+
---
-The namespace specified when query cloudwatch api.
-
-
-type: keyword
-
---
-
-[float]
-=== dynamodb
-
-`dynamodb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS DynamoDB.
-
-
-
-
-*`aws.dynamodb.metrics.SuccessfulRequestLatency.avg`*::
-+
---
-The average latency of successful requests to DynamoDB or Amazon DynamoDB Streams during the specified time period.
-
-
-type: double
-
---
-
-*`aws.dynamodb.metrics.SuccessfulRequestLatency.max`*::
-+
---
-The maximum latency of successful requests to DynamoDB or Amazon DynamoDB Streams during the specified time period.
-
-
-type: double
-
---
-
-*`aws.dynamodb.metrics.OnlineIndexPercentageProgress.avg`*::
-+
---
-The percentage of completion when a new global secondary index is being added to a table.
-
-
-type: double
-
---
-
-*`aws.dynamodb.metrics.ProvisionedWriteCapacityUnits.avg`*::
-+
---
-The number of provisioned write capacity units for a table or a global secondary index.
-
-
-type: double
-
---
-
-*`aws.dynamodb.metrics.ProvisionedReadCapacityUnits.avg`*::
-+
---
-The number of provisioned read capacity units for a table or a global secondary index.
-
-
-type: double
-
---
-
-*`aws.dynamodb.metrics.ConsumedReadCapacityUnits.avg`*::
-+
---
-The average number of read capacity units consumed over the specified time period, so you can track how much of your provisioned throughput is used.
-
-
-type: double
-
---
-
-*`aws.dynamodb.metrics.ConsumedReadCapacityUnits.sum`*::
-+
---
-The sum of read capacity units consumed over the specified time period, so you can track how much of your provisioned throughput is used.
-
-
-type: long
-
---
-
-*`aws.dynamodb.metrics.ConsumedWriteCapacityUnits.avg`*::
-+
---
-The average number of write capacity units consumed over the specified time period, so you can track how much of your provisioned throughput is used.
-
-
-type: double
-
---
-
-*`aws.dynamodb.metrics.ConsumedWriteCapacityUnits.sum`*::
-+
---
-The sum of write capacity units consumed over the specified time period, so you can track how much of your provisioned throughput is used.
-
-
-type: long
-
---
-
-*`aws.dynamodb.metrics.ReplicationLatency.avg`*::
-+
---
-The average elapsed time between an updated item appearing in the DynamoDB stream for one replica table, and that item appearing in another replica in the global table.
-
-
-type: double
-
---
-
-*`aws.dynamodb.metrics.ReplicationLatency.max`*::
-+
---
-The maximum elapsed time between an updated item appearing in the DynamoDB stream for one replica table, and that item appearing in another replica in the global table.
-
-
-type: double
-
---
-
-*`aws.dynamodb.metrics.TransactionConflict.avg`*::
-+
---
-Average rejected item-level requests due to transactional conflicts between concurrent requests on the same items.
-
-
-type: double
-
---
-
-*`aws.dynamodb.metrics.TransactionConflict.sum`*::
-+
---
-Total rejected item-level requests due to transactional conflicts between concurrent requests on the same items.
-
-
-type: long
-
---
-
-*`aws.dynamodb.metrics.AccountProvisionedReadCapacityUtilization.avg`*::
-+
---
-The average percentage of provisioned read capacity units utilized by the account.
-
-
-type: double
-
---
-
-*`aws.dynamodb.metrics.AccountProvisionedWriteCapacityUtilization.avg`*::
-+
---
-The average percentage of provisioned write capacity units utilized by the account.
-
-
-type: double
-
---
-
-*`aws.dynamodb.metrics.SystemErrors.sum`*::
-+
---
-The requests to DynamoDB or Amazon DynamoDB Streams that generate an HTTP 500 status code during the specified time period.
-
-
-type: long
-
---
-
-*`aws.dynamodb.metrics.ConditionalCheckFailedRequests.sum`*::
-+
---
-The number of failed attempts to perform conditional writes.
-
-
-type: long
-
---
-
-*`aws.dynamodb.metrics.PendingReplicationCount.sum`*::
-+
---
-The number of item updates that are written to one replica table, but that have not yet been written to another replica in the global table.
-
-
-type: long
-
---
-
-*`aws.dynamodb.metrics.ReadThrottleEvents.sum`*::
-+
---
-Requests to DynamoDB that exceed the provisioned read capacity units for a table or a global secondary index.
-
-
-type: long
-
---
-
-*`aws.dynamodb.metrics.ThrottledRequests.sum`*::
-+
---
-Requests to DynamoDB that exceed the provisioned throughput limits on a resource (such as a table or an index).
-
-
-type: long
-
---
-
-*`aws.dynamodb.metrics.WriteThrottleEvents.sum`*::
-+
---
-Requests to DynamoDB that exceed the provisioned write capacity units for a table or a global secondary index.
-
-
-type: long
-
---
-
-*`aws.dynamodb.metrics.AccountMaxReads.max`*::
-+
---
-The maximum number of read capacity units that can be used by an account. This limit does not apply to on-demand tables or global secondary indexes.
-
-
-type: long
-
---
-
-*`aws.dynamodb.metrics.AccountMaxTableLevelReads.max`*::
-+
---
-The maximum number of read capacity units that can be used by a table or global secondary index of an account. For on-demand tables this limit caps the maximum read request units a table or a global secondary index can use.
-
-
-type: long
-
---
-
-*`aws.dynamodb.metrics.AccountMaxTableLevelWrites.max`*::
-+
---
-The maximum number of write capacity units that can be used by a table or global secondary index of an account. For on-demand tables this limit caps the maximum write request units a table or a global secondary index can use.
-
-
-type: long
-
---
-
-*`aws.dynamodb.metrics.AccountMaxWrites.max`*::
-+
---
-The maximum number of write capacity units that can be used by an account. This limit does not apply to on-demand tables or global secondary indexes.
-
-
-type: long
-
---
-
-*`aws.dynamodb.metrics.MaxProvisionedTableReadCapacityUtilization.max`*::
-+
---
-The percentage of provisioned read capacity units utilized by the highest provisioned read table or global secondary index of an account.
-
-
-type: double
-
---
-
-*`aws.dynamodb.metrics.MaxProvisionedTableWriteCapacityUtilization.max`*::
-+
---
-The percentage of provisioned write capacity utilized by the highest provisioned write table or global secondary index of an account.
-
-
-type: double
-
---
-
-[float]
-=== ebs
-
-`ebs` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS EBS.
-
-
-
-
-*`aws.ebs.metrics.VolumeReadBytes.avg`*::
-+
---
-Average size of each read operation during the period, except on volumes attached to a Nitro-based instance, where the average represents the average over the specified period.
-
-type: double
-
---
-
-*`aws.ebs.metrics.VolumeWriteBytes.avg`*::
-+
---
-Average size of each write operation during the period, except on volumes attached to a Nitro-based instance, where the average represents the average over the specified period.
-
-type: double
-
---
-
-*`aws.ebs.metrics.VolumeReadOps.avg`*::
-+
---
-The total number of read operations in a specified period of time.
-
-type: double
-
---
-
-*`aws.ebs.metrics.VolumeWriteOps.avg`*::
-+
---
-The total number of write operations in a specified period of time.
-
-type: double
-
---
-
-*`aws.ebs.metrics.VolumeQueueLength.avg`*::
-+
---
-The number of read and write operation requests waiting to be completed in a specified period of time.
-
-type: double
-
---
-
-*`aws.ebs.metrics.VolumeThroughputPercentage.avg`*::
-+
---
-The percentage of I/O operations per second (IOPS) delivered of the total IOPS provisioned for an Amazon EBS volume. Used with Provisioned IOPS SSD volumes only.
-
-type: double
-
---
-
-*`aws.ebs.metrics.VolumeConsumedReadWriteOps.avg`*::
-+
---
-The total amount of read and write operations (normalized to 256K capacity units) consumed in a specified period of time. Used with Provisioned IOPS SSD volumes only.
-
-type: double
-
---
-
-*`aws.ebs.metrics.BurstBalance.avg`*::
-+
---
-Used with General Purpose SSD (gp2), Throughput Optimized HDD (st1), and Cold HDD (sc1) volumes only. Provides information about the percentage of I/O credits (for gp2) or throughput credits (for st1 and sc1) remaining in the burst bucket.
-
-type: double
-
---
-
-*`aws.ebs.metrics.VolumeTotalReadTime.sum`*::
-+
---
-The total number of seconds spent by all read operations that completed in a specified period of time.
-
-type: double
-
---
-
-*`aws.ebs.metrics.VolumeTotalWriteTime.sum`*::
-+
---
-The total number of seconds spent by all write operations that completed in a specified period of time.
-
-type: double
-
---
-
-*`aws.ebs.metrics.VolumeIdleTime.sum`*::
-+
---
-The total number of seconds in a specified period of time when no read or write operations were submitted.
-
-type: double
-
---
-
-[float]
-=== ec2
-
-`ec2` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS EC2.
-
-
-
-*`aws.ec2.cpu.total.pct`*::
-+
---
-The percentage of allocated EC2 compute units that are currently in use on the instance.
-
-
-type: scaled_float
-
---
-
-*`aws.ec2.cpu.credit_usage`*::
-+
---
-The number of CPU credits spent by the instance for CPU utilization.
-
-
-type: long
-
---
-
-*`aws.ec2.cpu.credit_balance`*::
-+
---
-The number of earned CPU credits that an instance has accrued since it was launched or started.
-
-
-type: long
-
---
-
-*`aws.ec2.cpu.surplus_credit_balance`*::
-+
---
-The number of surplus credits that have been spent by an unlimited instance when its CPUCreditBalance value is zero.
-
-
-type: long
-
---
-
-*`aws.ec2.cpu.surplus_credits_charged`*::
-+
---
-The number of spent surplus credits that are not paid down by earned CPU credits, and which thus incur an additional charge.
-
-
-type: long
-
---
-
-*`aws.ec2.network.in.packets`*::
-+
---
-The total number of packets received on all network interfaces by the instance in collection period.
-
-
-type: long
-
---
-
-*`aws.ec2.network.in.packets_per_sec`*::
-+
---
-The number of packets per second sent out on all network interfaces by the instance.
-
-
-type: scaled_float
-
---
-
-*`aws.ec2.network.out.packets`*::
-+
---
-The total number of packets sent out on all network interfaces by the instance in collection period.
-
-
-type: long
-
---
-
-*`aws.ec2.network.out.packets_per_sec`*::
-+
---
-The number of packets per second sent out on all network interfaces by the instance.
-
-
-type: scaled_float
-
---
-
-*`aws.ec2.network.in.bytes`*::
-+
---
-The total number of bytes received on all network interfaces by the instance in collection period.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.ec2.network.in.bytes_per_sec`*::
-+
---
-The number of bytes per second received on all network interfaces by the instance.
-
-
-type: scaled_float
-
---
-
-*`aws.ec2.network.out.bytes`*::
-+
---
-The total number of bytes sent out on all network interfaces by the instance in collection period.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.ec2.network.out.bytes_per_sec`*::
-+
---
-The number of bytes per second sent out on all network interfaces by the instance.
-
-
-type: scaled_float
-
---
-
-*`aws.ec2.diskio.read.bytes`*::
-+
---
-Total bytes read from all instance store volumes available to the instance in collection period.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.ec2.diskio.read.bytes_per_sec`*::
-+
---
-Bytes read per second from all instance store volumes available to the instance.
-
-
-type: scaled_float
-
---
-
-*`aws.ec2.diskio.write.bytes`*::
-+
---
-Total bytes written to all instance store volumes available to the instance in collection period.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.ec2.diskio.write.bytes_per_sec`*::
-+
---
-Bytes written per second to all instance store volumes available to the instance.
-
-
-type: scaled_float
-
---
-
-*`aws.ec2.diskio.read.count`*::
-+
---
-Total completed read operations from all instance store volumes available to the instance in collection period.
-
-
-type: long
-
---
-
-*`aws.ec2.diskio.read.count_per_sec`*::
-+
---
-Completed read operations per second from all instance store volumes available to the instance in a specified period of time.
-
-
-type: long
-
---
-
-*`aws.ec2.diskio.write.count`*::
-+
---
-Total completed write operations to all instance store volumes available to the instance in collection period.
-
-
-type: long
-
---
-
-*`aws.ec2.diskio.write.count_per_sec`*::
-+
---
-Completed write operations per second to all instance store volumes available to the instance in a specified period of time.
-
-
-type: long
-
---
-
-*`aws.ec2.status.check_failed`*::
-+
---
-Reports whether the instance has passed both the instance status check and the system status check in the last minute.
-
-
-type: long
-
---
-
-*`aws.ec2.status.check_failed_system`*::
-+
---
-Reports whether the instance has passed the system status check in the last minute.
-
-
-type: long
-
---
-
-*`aws.ec2.status.check_failed_instance`*::
-+
---
-Reports whether the instance has passed the instance status check in the last minute.
-
-
-type: long
-
---
-
-*`aws.ec2.instance.core.count`*::
-+
---
-The number of CPU cores for the instance.
-
-
-type: integer
-
---
-
-*`aws.ec2.instance.image.id`*::
-+
---
-The ID of the image used to launch the instance.
-
-
-type: keyword
-
---
-
-*`aws.ec2.instance.monitoring.state`*::
-+
---
-Indicates whether detailed monitoring is enabled.
-
-
-type: keyword
-
---
-
-*`aws.ec2.instance.private.dns_name`*::
-+
---
-The private DNS name of the network interface.
-
-
-type: keyword
-
---
-
-*`aws.ec2.instance.private.ip`*::
-+
---
-The private IPv4 address associated with the network interface.
-
-
-type: ip
-
---
-
-*`aws.ec2.instance.public.dns_name`*::
-+
---
-The public DNS name of the instance.
-
-
-type: keyword
-
---
-
-*`aws.ec2.instance.public.ip`*::
-+
---
-The address of the Elastic IP address (IPv4) bound to the network interface.
-
-
-type: ip
-
---
-
-*`aws.ec2.instance.state.code`*::
-+
---
-The state of the instance, as a 16-bit unsigned integer.
-
-
-type: integer
-
---
-
-*`aws.ec2.instance.state.name`*::
-+
---
-The state of the instance (pending | running | shutting-down | terminated | stopping | stopped).
-
-
-type: keyword
-
---
-
-*`aws.ec2.instance.threads_per_core`*::
-+
---
-The number of threads per CPU core.
-
-
-type: integer
-
---
-
-[float]
-=== elb
-
-`elb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS ELB.
-
-
-
-
-*`aws.elb.metrics.BackendConnectionErrors.sum`*::
-+
---
-The number of connections that were not successfully established between the load balancer and the registered instances.
-
-type: long
-
---
-
-*`aws.elb.metrics.HTTPCode_Backend_2XX.sum`*::
-+
---
-The number of HTTP 2XX response code generated by registered instances.
-
-type: long
-
---
-
-*`aws.elb.metrics.HTTPCode_Backend_3XX.sum`*::
-+
---
-The number of HTTP 3XX response code generated by registered instances.
-
-type: long
-
---
-
-*`aws.elb.metrics.HTTPCode_Backend_4XX.sum`*::
-+
---
-The number of HTTP 4XX response code generated by registered instances.
-
-type: long
-
---
-
-*`aws.elb.metrics.HTTPCode_Backend_5XX.sum`*::
-+
---
-The number of HTTP 5XX response code generated by registered instances.
-
-type: long
-
---
-
-*`aws.elb.metrics.HTTPCode_ELB_4XX.sum`*::
-+
---
-The number of HTTP 4XX client error codes generated by the load balancer.
-
-type: long
-
---
-
-*`aws.elb.metrics.HTTPCode_ELB_5XX.sum`*::
-+
---
-The number of HTTP 5XX server error codes generated by the load balancer.
-
-type: long
-
---
-
-*`aws.elb.metrics.RequestCount.sum`*::
-+
---
-The number of requests completed or connections made during the specified interval.
-
-type: long
-
---
-
-*`aws.elb.metrics.SpilloverCount.sum`*::
-+
---
-The total number of requests that were rejected because the surge queue is full.
-
-type: long
-
---
-
-*`aws.elb.metrics.HealthyHostCount.max`*::
-+
---
-The number of healthy instances registered with your load balancer.
-
-type: long
-
---
-
-*`aws.elb.metrics.SurgeQueueLength.max`*::
-+
---
-The total number of requests (HTTP listener) or connections (TCP listener) that are pending routing to a healthy instance.
-
-type: long
-
---
-
-*`aws.elb.metrics.UnHealthyHostCount.max`*::
-+
---
-The number of unhealthy instances registered with your load balancer.
-
-type: long
-
---
-
-*`aws.elb.metrics.Latency.avg`*::
-+
---
-The total time elapsed, in seconds, from the time the load balancer sent the request to a registered instance until the instance started to send the response headers.
-
-type: double
-
---
-
-*`aws.elb.metrics.EstimatedALBActiveConnectionCount.avg`*::
-+
---
-The estimated number of concurrent TCP connections active from clients to the load balancer and from the load balancer to targets.
-
-type: double
-
---
-
-*`aws.elb.metrics.EstimatedALBConsumedLCUs.avg`*::
-+
---
-The estimated number of load balancer capacity units (LCU) used by an Application Load Balancer.
-
-type: double
-
---
-
-*`aws.elb.metrics.EstimatedALBNewConnectionCount.avg`*::
-+
---
-The estimated number of new TCP connections established from clients to the load balancer and from the load balancer to targets.
-
-type: double
-
---
-
-*`aws.elb.metrics.EstimatedProcessedBytes.avg`*::
-+
---
-The estimated number of bytes processed by an Application Load Balancer.
-
-type: double
-
---
-
-[float]
-=== applicationelb
-
-`applicationelb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS ApplicationELB.
-
-
-
-
-*`aws.applicationelb.metrics.ActiveConnectionCount.sum`*::
-+
---
-The total number of concurrent TCP connections active from clients to the load balancer and from the load balancer to targets.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.ClientTLSNegotiationErrorCount.sum`*::
-+
---
-The number of TLS connections initiated by the client that did not establish a session with the load balancer due to a TLS error.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.HTTP_Fixed_Response_Count.sum`*::
-+
---
-The number of fixed-response actions that were successful.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.HTTP_Redirect_Count.sum`*::
-+
---
-The number of redirect actions that were successful.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.HTTP_Redirect_Url_Limit_Exceeded_Count.sum`*::
-+
---
-The number of redirect actions that couldn't be completed because the URL in the response location header is larger than 8K.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.HTTPCode_ELB_3XX_Count.sum`*::
-+
---
-The number of HTTP 3XX redirection codes that originate from the load balancer.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.HTTPCode_ELB_4XX_Count.sum`*::
-+
---
-The number of HTTP 4XX client error codes that originate from the load balancer.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.HTTPCode_ELB_5XX_Count.sum`*::
-+
---
-The number of HTTP 5XX server error codes that originate from the load balancer.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.HTTPCode_ELB_500_Count.sum`*::
-+
---
-The number of HTTP 500 error codes that originate from the load balancer.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.HTTPCode_ELB_502_Count.sum`*::
-+
---
-The number of HTTP 502 error codes that originate from the load balancer.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.HTTPCode_ELB_503_Count.sum`*::
-+
---
-The number of HTTP 503 error codes that originate from the load balancer.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.HTTPCode_ELB_504_Count.sum`*::
-+
---
-The number of HTTP 504 error codes that originate from the load balancer.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.IPv6ProcessedBytes.sum`*::
-+
---
-The total number of bytes processed by the load balancer over IPv6.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.IPv6RequestCount.sum`*::
-+
---
-The number of IPv6 requests received by the load balancer.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.NewConnectionCount.sum`*::
-+
---
-The total number of new TCP connections established from clients to the load balancer and from the load balancer to targets.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.ProcessedBytes.sum`*::
-+
---
-The total number of bytes processed by the load balancer over IPv4 and IPv6.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.RejectedConnectionCount.sum`*::
-+
---
-The number of connections that were rejected because the load balancer had reached its maximum number of connections.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.RequestCount.sum`*::
-+
---
-The number of requests processed over IPv4 and IPv6.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.RuleEvaluations.sum`*::
-+
---
-The number of rules processed by the load balancer given a request rate averaged over an hour.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.ConsumedLCUs.avg`*::
-+
---
-The number of load balancer capacity units (LCU) used by your load balancer.
-
-type: double
-
---
-
-*`aws.applicationelb.metrics.HealthyHostCount.max`*::
-+
---
-The number of targets that are considered healthy.
-
-type: long
-
---
-
-*`aws.applicationelb.metrics.UnHealthyHostCount.max`*::
-+
---
-The number of targets that are considered unhealthy.
-
-type: long
-
---
-
-[float]
-=== networkelb
-
-`networkelb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS NetworkELB.
-
-
-
-
-*`aws.networkelb.metrics.ActiveFlowCount.avg`*::
-+
---
-The total number of concurrent flows (or connections) from clients to targets.
-
-type: double
-
---
-
-*`aws.networkelb.metrics.ActiveFlowCount_TCP.avg`*::
-+
---
-The total number of concurrent TCP flows (or connections) from clients to targets.
-
-type: double
-
---
-
-*`aws.networkelb.metrics.ActiveFlowCount_TLS.avg`*::
-+
---
-The total number of concurrent TLS flows (or connections) from clients to targets.
-
-type: double
-
---
-
-*`aws.networkelb.metrics.ActiveFlowCount_UDP.avg`*::
-+
---
-The total number of concurrent UDP flows (or connections) from clients to targets.
-
-type: double
-
---
-
-*`aws.networkelb.metrics.ConsumedLCUs.avg`*::
-+
---
-The number of load balancer capacity units (LCU) used by your load balancer.
-
-type: double
-
---
-
-*`aws.networkelb.metrics.ClientTLSNegotiationErrorCount.sum`*::
-+
---
-The total number of TLS handshakes that failed during negotiation between a client and a TLS listener.
-
-type: long
-
---
-
-*`aws.networkelb.metrics.NewFlowCount.sum`*::
-+
---
-The total number of new flows (or connections) established from clients to targets in the time period.
-
-type: long
-
---
-
-*`aws.networkelb.metrics.NewFlowCount_TLS.sum`*::
-+
---
-The total number of new TLS flows (or connections) established from clients to targets in the time period.
-
-type: long
-
---
-
-*`aws.networkelb.metrics.ProcessedBytes.sum`*::
-+
---
-The total number of bytes processed by the load balancer, including TCP/IP headers.
-
-type: long
-
---
-
-*`aws.networkelb.metrics.ProcessedBytes_TLS.sum`*::
-+
---
-The total number of bytes processed by TLS listeners.
-
-type: long
-
---
-
-*`aws.networkelb.metrics.TargetTLSNegotiationErrorCount.sum`*::
-+
---
-The total number of TLS handshakes that failed during negotiation between a TLS listener and a target.
-
-type: long
-
---
-
-*`aws.networkelb.metrics.TCP_Client_Reset_Count.sum`*::
-+
---
-The total number of reset (RST) packets sent from a client to a target.
-
-type: long
-
---
-
-*`aws.networkelb.metrics.TCP_ELB_Reset_Count.sum`*::
-+
---
-The total number of reset (RST) packets generated by the load balancer.
-
-type: long
-
---
-
-*`aws.networkelb.metrics.TCP_Target_Reset_Count.sum`*::
-+
---
-The total number of reset (RST) packets sent from a target to a client.
-
-type: long
-
---
-
-*`aws.networkelb.metrics.HealthyHostCount.max`*::
-+
---
-The number of targets that are considered healthy.
-
-type: long
-
---
-
-*`aws.networkelb.metrics.UnHealthyHostCount.max`*::
-+
---
-The number of targets that are considered unhealthy.
-
-type: long
-
---
-
-[float]
-=== kinesis
-
-`kinesis` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by Amazon Kinesis.
-
-
-
-
-*`aws.kinesis.metrics.GetRecords_Bytes.avg`*::
-+
---
-The average number of bytes retrieved from the Kinesis stream, measured over the specified time period.
-
-
-type: double
-
---
-
-*`aws.kinesis.metrics.GetRecords_IteratorAgeMilliseconds.avg`*::
-+
---
-The age of the last record in all GetRecords calls made against a Kinesis stream, measured over the specified time period. Age is the difference between the current time and when the last record of the GetRecords call was written to the stream.
-
-
-type: double
-
---
-
-*`aws.kinesis.metrics.GetRecords_Latency.avg`*::
-+
---
-The time taken per GetRecords operation, measured over the specified time period.
-
-
-type: double
-
---
-
-*`aws.kinesis.metrics.GetRecords_Records.sum`*::
-+
---
-The number of records retrieved from the shard, measured over the specified time period.
-
-
-type: long
-
---
-
-*`aws.kinesis.metrics.GetRecords_Success.sum`*::
-+
---
-The number of successful GetRecords operations per stream, measured over the specified time period.
-
-
-type: long
-
---
-
-*`aws.kinesis.metrics.IncomingBytes.avg`*::
-+
---
-The number of bytes successfully put to the Kinesis stream over the specified time period. This metric includes bytes from PutRecord and PutRecords operations.
-
-
-type: double
-
---
-
-*`aws.kinesis.metrics.IncomingRecords.avg`*::
-+
---
-The number of records successfully put to the Kinesis stream over the specified time period. This metric includes record counts from PutRecord and PutRecords operations.
-
-
-type: double
-
---
-
-*`aws.kinesis.metrics.PutRecord_Bytes.avg`*::
-+
---
-The number of bytes put to the Kinesis stream using the PutRecord operation over the specified time period.
-
-
-type: double
-
---
-
-*`aws.kinesis.metrics.PutRecord_Latency.avg`*::
-+
---
-The time taken per PutRecord operation, measured over the specified time period.
-
-
-type: double
-
---
-
-*`aws.kinesis.metrics.PutRecord_Success.avg`*::
-+
---
-The percentage of successful writes to a Kinesis stream, measured over the specified time period.
-
-
-type: double
-
---
-
-*`aws.kinesis.metrics.PutRecords_Bytes.avg`*::
-+
---
-The average number of bytes put to the Kinesis stream using the PutRecords operation over the specified time period.
-
-
-type: double
-
---
-
-*`aws.kinesis.metrics.PutRecords_Latency.avg`*::
-+
---
-The average time taken per PutRecords operation, measured over the specified time period.
-
-
-type: double
-
---
-
-*`aws.kinesis.metrics.PutRecords_Success.avg`*::
-+
---
-The total number of PutRecords operations where at least one record succeeded, per Kinesis stream, measured over the specified time period.
-
-
-type: long
-
---
-
-*`aws.kinesis.metrics.PutRecords_TotalRecords.sum`*::
-+
---
-The total number of records sent in a PutRecords operation per Kinesis data stream, measured over the specified time period.
-
-
-type: long
-
---
-
-*`aws.kinesis.metrics.PutRecords_SuccessfulRecords.sum`*::
-+
---
-The number of successful records in a PutRecords operation per Kinesis data stream, measured over the specified time period.
-
-
-type: long
-
---
-
-*`aws.kinesis.metrics.PutRecords_FailedRecords.sum`*::
-+
---
-The number of records rejected due to internal failures in a PutRecords operation per Kinesis data stream, measured over the specified time period.
-
-
-type: long
-
---
-
-*`aws.kinesis.metrics.PutRecords_ThrottledRecords.sum`*::
-+
---
-The number of records rejected due to throttling in a PutRecords operation per Kinesis data stream, measured over the specified time period.
-
-
-type: long
-
---
-
-*`aws.kinesis.metrics.ReadProvisionedThroughputExceeded.avg`*::
-+
---
-The number of GetRecords calls throttled for the stream over the specified time period.
-
-
-type: long
-
---
-
-*`aws.kinesis.metrics.SubscribeToShard_RateExceeded.avg`*::
-+
---
-This metric is emitted when a new subscription attempt fails because there already is an active subscription by the same consumer or if you exceed the number of calls per second allowed for this operation.
-
-
-type: long
-
---
-
-*`aws.kinesis.metrics.SubscribeToShard_Success.avg`*::
-+
---
-This metric records whether the SubscribeToShard subscription was successfully established.
-
-
-type: long
-
---
-
-*`aws.kinesis.metrics.SubscribeToShardEvent_Bytes.avg`*::
-+
---
-The number of bytes received from the shard, measured over the specified time period.
-
-
-type: long
-
---
-
-*`aws.kinesis.metrics.SubscribeToShardEvent_MillisBehindLatest.avg`*::
-+
---
-The difference between the current time and when the last record of the SubscribeToShard event was written to the stream.
-
-
-type: long
-
---
-
-*`aws.kinesis.metrics.SubscribeToShardEvent_Records.sum`*::
-+
---
-The number of records received from the shard, measured over the specified time period.
-
-
-type: long
-
---
-
-*`aws.kinesis.metrics.SubscribeToShardEvent_Success.avg`*::
-+
---
-This metric is emitted every time an event is published successfully. It is only emitted when there's an active subscription.
-
-
-type: long
-
---
-
-*`aws.kinesis.metrics.WriteProvisionedThroughputExceeded.avg`*::
-+
---
-The number of records rejected due to throttling for the stream over the specified time period. This metric includes throttling from PutRecord and PutRecords operations.
-
-
-type: long
-
---
-
-[float]
-=== lambda
-
-`lambda` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS Lambda.
-
-
-
-
-*`aws.lambda.metrics.Invocations.avg`*::
-+
---
-The number of times your function code is executed, including successful executions and executions that result in a function error.
-
-type: double
-
---
-
-*`aws.lambda.metrics.Errors.avg`*::
-+
---
-The number of invocations that result in a function error.
-
-type: double
-
---
-
-*`aws.lambda.metrics.DeadLetterErrors.avg`*::
-+
---
-For asynchronous invocation, the number of times Lambda attempts to send an event to a dead-letter queue but fails.
-
-type: double
-
---
-
-*`aws.lambda.metrics.DestinationDeliveryFailures.avg`*::
-+
---
-For asynchronous invocation, the number of times Lambda attempts to send an event to a destination but fails.
-
-type: double
-
---
-
-*`aws.lambda.metrics.Duration.avg`*::
-+
---
-The amount of time that your function code spends processing an event.
-
-type: double
-
---
-
-*`aws.lambda.metrics.Throttles.avg`*::
-+
---
-The number of invocation requests that are throttled.
-
-type: double
-
---
-
-*`aws.lambda.metrics.IteratorAge.avg`*::
-+
---
-For event source mappings that read from streams, the age of the last record in the event.
-
-type: double
-
---
-
-*`aws.lambda.metrics.ConcurrentExecutions.avg`*::
-+
---
-The number of function instances that are processing events.
-
-type: double
-
---
-
-*`aws.lambda.metrics.UnreservedConcurrentExecutions.avg`*::
-+
---
-For an AWS Region, the number of events that are being processed by functions that don't have reserved concurrency.
-
-type: double
-
---
-
-*`aws.lambda.metrics.ProvisionedConcurrentExecutions.max`*::
-+
---
-The number of function instances that are processing events on provisioned concurrency.
-
-type: long
-
---
-
-*`aws.lambda.metrics.ProvisionedConcurrencyUtilization.max`*::
-+
---
-For a version or alias, the value of ProvisionedConcurrentExecutions divided by the total amount of provisioned concurrency allocated.
-
-type: long
-
---
-
-*`aws.lambda.metrics.ProvisionedConcurrencyInvocations.sum`*::
-+
---
-The number of times your function code is executed on provisioned concurrency.
-
-type: long
-
---
-
-*`aws.lambda.metrics.ProvisionedConcurrencySpilloverInvocations.sum`*::
-+
---
-The number of times your function code is executed on standard concurrency when all provisioned concurrency is in use.
-
-type: long
-
---
-
-[float]
-=== natgateway
-
-`natgateway` contains the metrics from Cloudwatch to track usage of NAT gateway related resources.
-
-
-
-
-*`aws.natgateway.metrics.BytesInFromDestination.sum`*::
-+
---
-The number of bytes received by the NAT gateway from the destination.
-
-type: long
-
---
-
-*`aws.natgateway.metrics.BytesInFromSource.sum`*::
-+
---
-The number of bytes received by the NAT gateway from clients in your VPC.
-
-type: long
-
---
-
-*`aws.natgateway.metrics.BytesOutToDestination.sum`*::
-+
---
-The number of bytes sent out through the NAT gateway to the destination.
-
-type: long
-
---
-
-*`aws.natgateway.metrics.BytesOutToSource.sum`*::
-+
---
-The number of bytes sent through the NAT gateway to the clients in your VPC.
-
-type: long
-
---
-
-*`aws.natgateway.metrics.ConnectionAttemptCount.sum`*::
-+
---
-The number of connection attempts made through the NAT gateway.
-
-type: long
-
---
-
-*`aws.natgateway.metrics.ConnectionEstablishedCount.sum`*::
-+
---
-The number of connections established through the NAT gateway.
-
-type: long
-
---
-
-*`aws.natgateway.metrics.ErrorPortAllocation.sum`*::
-+
---
-The number of times the NAT gateway could not allocate a source port.
-
-type: long
-
---
-
-*`aws.natgateway.metrics.IdleTimeoutCount.sum`*::
-+
---
-The number of connections that transitioned from the active state to the idle state.
-
-type: long
-
---
-
-*`aws.natgateway.metrics.PacketsDropCount.sum`*::
-+
---
-The number of packets dropped by the NAT gateway.
-
-type: long
-
---
-
-*`aws.natgateway.metrics.PacketsInFromDestination.sum`*::
-+
---
-The number of packets received by the NAT gateway from the destination.
-
-type: long
-
---
-
-*`aws.natgateway.metrics.PacketsInFromSource.sum`*::
-+
---
-The number of packets received by the NAT gateway from clients in your VPC.
-
-type: long
-
---
-
-*`aws.natgateway.metrics.PacketsOutToDestination.sum`*::
-+
---
-The number of packets sent out through the NAT gateway to the destination.
-
-type: long
-
---
-
-*`aws.natgateway.metrics.PacketsOutToSource.sum`*::
-+
---
-The number of packets sent through the NAT gateway to the clients in your VPC.
-
-type: long
-
---
-
-*`aws.natgateway.metrics.ActiveConnectionCount.max`*::
-+
---
-The total number of concurrent active TCP connections through the NAT gateway.
-
-type: long
-
---
-
-[float]
-=== rds
-
-`rds` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS RDS.
-
-
-
-*`aws.rds.burst_balance.pct`*::
-+
---
-The percent of General Purpose SSD (gp2) burst-bucket I/O credits available.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`aws.rds.cpu.total.pct`*::
-+
---
-CPU utilization with value range from 0 to 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`aws.rds.cpu.credit_usage`*::
-+
---
-The number of CPU credits spent by the instance for CPU utilization.
-
-
-type: long
-
---
-
-*`aws.rds.cpu.credit_balance`*::
-+
---
-The number of earned CPU credits that an instance has accrued since it was launched or started.
-
-
-type: long
-
---
-
-*`aws.rds.database_connections`*::
-+
---
-The number of database connections in use.
-
-
-type: long
-
---
-
-*`aws.rds.db_instance.arn`*::
-+
---
-Amazon Resource Name(ARN) for each rds.
-
-
-type: keyword
-
---
-
-*`aws.rds.db_instance.class`*::
-+
---
-Contains the name of the compute and memory capacity class of the DB instance.
-
-
-type: keyword
-
---
-
-*`aws.rds.db_instance.identifier`*::
-+
---
-Contains a user-supplied database identifier. This identifier is the unique key that identifies a DB instance.
-
-
-type: keyword
-
---
-
-*`aws.rds.db_instance.status`*::
-+
---
-Specifies the current state of this database.
-
-
-type: keyword
-
---
-
-*`aws.rds.disk_queue_depth`*::
-+
---
-The number of outstanding IOs (read/write requests) waiting to access the disk.
-
-
-type: float
-
---
-
-*`aws.rds.failed_sql_server_agent_jobs`*::
-+
---
-The number of failed SQL Server Agent jobs during the last minute.
-
-
-type: long
-
---
-
-*`aws.rds.freeable_memory.bytes`*::
-+
---
-The amount of available random access memory.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.rds.free_storage.bytes`*::
-+
---
-The amount of available storage space.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.rds.maximum_used_transaction_ids`*::
-+
---
-The maximum transaction ID that has been used. Applies to PostgreSQL.
-
-
-type: long
-
---
-
-*`aws.rds.oldest_replication_slot_lag.mb`*::
-+
---
-The lagging size of the replica lagging the most in terms of WAL data received. Applies to PostgreSQL.
-
-
-type: long
-
---
-
-*`aws.rds.read.iops`*::
-+
---
-The average number of disk read I/O operations per second.
-
-
-type: float
-
---
-
-*`aws.rds.replica_lag.sec`*::
-+
---
-The amount of time a Read Replica DB instance lags behind the source DB instance. Applies to MySQL, MariaDB, and PostgreSQL Read Replicas.
-
-
-type: long
-
-format: duration
-
---
-
-*`aws.rds.swap_usage.bytes`*::
-+
---
-The amount of swap space used on the DB instance. This metric is not available for SQL Server.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.rds.transaction_logs_generation`*::
-+
---
-The disk space used by transaction logs. Applies to PostgreSQL.
-
-
-type: long
-
---
-
-*`aws.rds.write.iops`*::
-+
---
-The average number of disk write I/O operations per second.
-
-
-type: float
-
---
-
-*`aws.rds.queries`*::
-+
---
-The average number of queries executed per second.
-
-
-type: long
-
---
-
-*`aws.rds.deadlocks`*::
-+
---
-The average number of deadlocks in the database per second.
-
-
-type: long
-
---
-
-*`aws.rds.volume_used.bytes`*::
-+
---
-The amount of storage used by your Aurora DB instance, in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.rds.volume.read.iops`*::
-+
---
-The number of billed read I/O operations from a cluster volume, reported at 5-minute intervals.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.rds.volume.write.iops`*::
-+
---
-The number of write disk I/O operations to the cluster volume, reported at 5-minute intervals.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.rds.free_local_storage.bytes`*::
-+
---
-The amount of storage available for temporary tables and logs, in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.rds.login_failures`*::
-+
---
-The average number of failed login attempts per second.
-
-
-type: long
-
---
-
-*`aws.rds.throughput.commit`*::
-+
---
-The average number of commit operations per second.
-
-
-type: float
-
---
-
-*`aws.rds.throughput.delete`*::
-+
---
-The average number of delete queries per second.
-
-
-type: float
-
---
-
-*`aws.rds.throughput.ddl`*::
-+
---
-The average number of DDL requests per second.
-
-
-type: float
-
---
-
-*`aws.rds.throughput.dml`*::
-+
---
-The average number of inserts, updates, and deletes per second.
-
-
-type: float
-
---
-
-*`aws.rds.throughput.insert`*::
-+
---
-The average number of insert queries per second.
-
-
-type: float
-
---
-
-*`aws.rds.throughput.network`*::
-+
---
-The amount of network throughput both received from and transmitted to clients by each instance in the Aurora MySQL DB cluster, in bytes per second.
-
-
-type: float
-
---
-
-*`aws.rds.throughput.network_receive`*::
-+
---
-The incoming (Receive) network traffic on the DB instance, including both customer database traffic and Amazon RDS traffic used for monitoring and replication.
-
-
-type: float
-
---
-
-*`aws.rds.throughput.network_transmit`*::
-+
---
-The outgoing (Transmit) network traffic on the DB instance, including both customer database traffic and Amazon RDS traffic used for monitoring and replication.
-
-
-type: float
-
---
-
-*`aws.rds.throughput.read`*::
-+
---
-The average amount of time taken per disk I/O operation.
-
-
-type: float
-
---
-
-*`aws.rds.throughput.select`*::
-+
---
-The average number of select queries per second.
-
-
-type: float
-
---
-
-*`aws.rds.throughput.update`*::
-+
---
-The average number of update queries per second.
-
-
-type: float
-
---
-
-*`aws.rds.throughput.write`*::
-+
---
-The average number of bytes written to disk per second.
-
-
-type: float
-
---
-
-*`aws.rds.latency.commit`*::
-+
---
-The amount of latency for commit operations, in milliseconds.
-
-
-type: float
-
-format: duration
-
---
-
-*`aws.rds.latency.ddl`*::
-+
---
-The amount of latency for data definition language (DDL) requests, in milliseconds.
-
-
-type: float
-
-format: duration
-
---
-
-*`aws.rds.latency.dml`*::
-+
---
-The amount of latency for inserts, updates, and deletes, in milliseconds.
-
-
-type: float
-
-format: duration
-
---
-
-*`aws.rds.latency.insert`*::
-+
---
-The amount of latency for insert queries, in milliseconds.
-
-
-type: float
-
-format: duration
-
---
-
-*`aws.rds.latency.read`*::
-+
---
-The average amount of time taken per disk I/O operation.
-
-
-type: float
-
-format: duration
-
---
-
-*`aws.rds.latency.select`*::
-+
---
-The amount of latency for select queries, in milliseconds.
-
-
-type: float
-
-format: duration
-
---
-
-*`aws.rds.latency.update`*::
-+
---
-The amount of latency for update queries, in milliseconds.
-
-
-type: float
-
-format: duration
-
---
-
-*`aws.rds.latency.write`*::
-+
---
-The average amount of time taken per disk I/O operation.
-
-
-type: float
-
-format: duration
-
---
-
-*`aws.rds.latency.delete`*::
-+
---
-The amount of latency for delete queries, in milliseconds.
-
-
-type: float
-
-format: duration
-
---
-
-*`aws.rds.disk_usage.bin_log.bytes`*::
-+
---
-The amount of disk space occupied by binary logs on the master. Applies to MySQL read replicas.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.rds.disk_usage.replication_slot.mb`*::
-+
---
-The disk space used by replication slot files. Applies to PostgreSQL.
-
-
-type: long
-
---
-
-*`aws.rds.disk_usage.transaction_logs.mb`*::
-+
---
-The disk space used by transaction logs. Applies to PostgreSQL.
-
-
-type: long
-
---
-
-*`aws.rds.transactions.active`*::
-+
---
-The average number of current transactions executing on an Aurora database instance per second.
-
-
-type: long
-
---
-
-*`aws.rds.transactions.blocked`*::
-+
---
-The average number of transactions in the database that are blocked per second.
-
-
-type: long
-
---
-
-*`aws.rds.db_instance.db_cluster_identifier`*::
-+
---
-This identifier is the unique key that identifies a DB cluster specifically for Amazon Aurora DB cluster.
-
-
-type: keyword
-
---
-
-*`aws.rds.db_instance.role`*::
-+
---
-DB roles like WRITER or READER, specifically for Amazon Aurora DB cluster.
-
-
-type: keyword
-
---
-
-*`aws.rds.db_instance.engine_name`*::
-+
---
-Each DB instance runs a DB engine, like MySQL, MariaDB, PostgreSQL and etc.
-
-
-type: keyword
-
---
-
-*`aws.rds.aurora_bin_log_replica_lag`*::
-+
---
-The amount of time a replica DB cluster running on Aurora with MySQL compatibility lags behind the source DB cluster.
-
-
-type: long
-
---
-
-*`aws.rds.aurora_global_db.replicated_write_io.bytes`*::
-+
---
-In an Aurora Global Database, the number of write I/O operations replicated from the primary AWS Region to the cluster volume in a secondary AWS Region.
-
-
-type: long
-
---
-
-*`aws.rds.aurora_global_db.data_transfer.bytes`*::
-+
---
-In an Aurora Global Database, the amount of redo log data transferred from the master AWS Region to a secondary AWS Region.
-
-
-type: long
-
---
-
-*`aws.rds.aurora_global_db.replication_lag.ms`*::
-+
---
-For an Aurora Global Database, the amount of lag when replicating updates from the primary AWS Region, in milliseconds.
-
-
-type: long
-
---
-
-*`aws.rds.aurora_replica.lag.ms`*::
-+
---
-For an Aurora Replica, the amount of lag when replicating updates from the primary instance, in milliseconds.
-
-
-type: long
-
---
-
-*`aws.rds.aurora_replica.lag_max.ms`*::
-+
---
-The maximum amount of lag between the primary instance and each Aurora DB instance in the DB cluster, in milliseconds.
-
-
-type: long
-
---
-
-*`aws.rds.aurora_replica.lag_min.ms`*::
-+
---
-The minimum amount of lag between the primary instance and each Aurora DB instance in the DB cluster, in milliseconds.
-
-
-type: long
-
---
-
-*`aws.rds.backtrack_change_records.creation_rate`*::
-+
---
-The number of backtrack change records created over five minutes for your DB cluster.
-
-
-type: long
-
---
-
-*`aws.rds.backtrack_change_records.stored`*::
-+
---
-The actual number of backtrack change records used by your DB cluster.
-
-
-type: long
-
---
-
-*`aws.rds.backtrack_window.actual`*::
-+
---
-The difference between the target backtrack window and the actual backtrack window.
-
-
-type: long
-
---
-
-*`aws.rds.backtrack_window.alert`*::
-+
---
-The number of times that the actual backtrack window is smaller than the target backtrack window for a given period of time.
-
-
-type: long
-
---
-
-*`aws.rds.storage_used.backup_retention_period.bytes`*::
-+
---
-The total amount of backup storage in bytes used to support the point-in-time restore feature within the Aurora DB cluster's backup retention window.
-
-
-type: long
-
---
-
-*`aws.rds.storage_used.snapshot.bytes`*::
-+
---
-The total amount of backup storage in bytes consumed by all Aurora snapshots for an Aurora DB cluster outside its backup retention window.
-
-
-type: long
-
---
-
-*`aws.rds.cache_hit_ratio.buffer`*::
-+
---
-The percentage of requests that are served by the buffer cache.
-
-
-type: long
-
---
-
-*`aws.rds.cache_hit_ratio.result_set`*::
-+
---
-The percentage of requests that are served by the Resultset cache.
-
-
-type: long
-
---
-
-*`aws.rds.engine_uptime.sec`*::
-+
---
-The amount of time that the instance has been running, in seconds.
-
-
-type: long
-
---
-
-*`aws.rds.rds_to_aurora_postgresql_replica_lag.sec`*::
-+
---
-The amount of lag in seconds when replicating updates from the primary RDS PostgreSQL instance to other nodes in the cluster.
-
-
-type: long
-
---
-
-*`aws.rds.backup_storage_billed_total.bytes`*::
-+
---
-The total amount of backup storage in bytes for which you are billed for a given Aurora DB cluster.
-
-
-type: long
-
---
-
-*`aws.rds.aurora_volume_left_total.bytes`*::
-+
---
-The remaining available space for the cluster volume, measured in bytes.
-
-
-type: long
-
---
-
-[float]
-=== s3_daily_storage
-
-`s3_daily_storage` contains the daily storage metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS S3.
-
-
-
-*`aws.s3_daily_storage.bucket.size.bytes`*::
-+
---
-The amount of data in bytes stored in a bucket.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.s3_daily_storage.number_of_objects`*::
-+
---
-The total number of objects stored in a bucket for all storage classes.
-
-
-type: long
-
---
-
-[float]
-=== s3_request
-
-`s3_request` contains request metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS S3.
-
-
-
-*`aws.s3_request.requests.total`*::
-+
---
-The total number of HTTP requests made to an Amazon S3 bucket, regardless of type.
-
-
-type: long
-
---
-
-*`aws.s3_request.requests.get`*::
-+
---
-The number of HTTP GET requests made for objects in an Amazon S3 bucket.
-
-
-type: long
-
---
-
-*`aws.s3_request.requests.put`*::
-+
---
-The number of HTTP PUT requests made for objects in an Amazon S3 bucket.
-
-
-type: long
-
---
-
-*`aws.s3_request.requests.delete`*::
-+
---
-The number of HTTP DELETE requests made for objects in an Amazon S3 bucket.
-
-
-type: long
-
---
-
-*`aws.s3_request.requests.head`*::
-+
---
-The number of HTTP HEAD requests made to an Amazon S3 bucket.
-
-
-type: long
-
---
-
-*`aws.s3_request.requests.post`*::
-+
---
-The number of HTTP POST requests made to an Amazon S3 bucket.
-
-
-type: long
-
---
-
-*`aws.s3_request.requests.select`*::
-+
---
-The number of Amazon S3 SELECT Object Content requests made for objects in an Amazon S3 bucket.
-
-
-type: long
-
---
-
-*`aws.s3_request.requests.select_scanned.bytes`*::
-+
---
-The number of bytes of data scanned with Amazon S3 SELECT Object Content requests in an Amazon S3 bucket.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.s3_request.requests.select_returned.bytes`*::
-+
---
-The number of bytes of data returned with Amazon S3 SELECT Object Content requests in an Amazon S3 bucket.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.s3_request.requests.list`*::
-+
---
-The number of HTTP requests that list the contents of a bucket.
-
-
-type: long
-
---
-
-*`aws.s3_request.downloaded.bytes`*::
-+
---
-The number bytes downloaded for requests made to an Amazon S3 bucket, where the response includes a body.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.s3_request.uploaded.bytes`*::
-+
---
-The number bytes uploaded that contain a request body, made to an Amazon S3 bucket.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.s3_request.errors.4xx`*::
-+
---
-The number of HTTP 4xx client error status code requests made to an Amazon S3 bucket with a value of either 0 or 1.
-
-
-type: long
-
---
-
-*`aws.s3_request.errors.5xx`*::
-+
---
-The number of HTTP 5xx server error status code requests made to an Amazon S3 bucket with a value of either 0 or 1.
-
-
-type: long
-
---
-
-*`aws.s3_request.latency.first_byte.ms`*::
-+
---
-The per-request time from the complete request being received by an Amazon S3 bucket to when the response starts to be returned.
-
-
-type: long
-
-format: duration
-
---
-
-*`aws.s3_request.latency.total_request.ms`*::
-+
---
-The elapsed per-request time from the first byte received to the last byte sent to an Amazon S3 bucket.
-
-
-type: long
-
-format: duration
-
---
-
-[float]
-=== sns
-
-`sns` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS SNS.
-
-
-
-
-*`aws.sns.metrics.PublishSize.avg`*::
-+
---
-The size of messages published.
-
-type: double
-
---
-
-*`aws.sns.metrics.SMSSuccessRate.avg`*::
-+
---
-The rate of successful SMS message deliveries.
-
-type: double
-
---
-
-*`aws.sns.metrics.NumberOfMessagesPublished.sum`*::
-+
---
-The number of messages published to your Amazon SNS topics.
-
-type: long
-
---
-
-*`aws.sns.metrics.NumberOfNotificationsDelivered.sum`*::
-+
---
-The number of messages successfully delivered from your Amazon SNS topics to subscribing endpoints.
-
-type: long
-
---
-
-*`aws.sns.metrics.NumberOfNotificationsFailed.sum`*::
-+
---
-The number of messages that Amazon SNS failed to deliver.
-
-type: long
-
---
-
-*`aws.sns.metrics.NumberOfNotificationsFilteredOut.sum`*::
-+
---
-The number of messages that were rejected by subscription filter policies.
-
-type: long
-
---
-
-*`aws.sns.metrics.NumberOfNotificationsFilteredOut-InvalidAttributes.sum`*::
-+
---
-The number of messages that were rejected by subscription filter policies because the messages' attributes are invalid - for example, because the attribute JSON is incorrectly formatted.
-
-type: long
-
---
-
-*`aws.sns.metrics.NumberOfNotificationsFilteredOut-NoMessageAttributes.sum`*::
-+
---
-The number of messages that were rejected by subscription filter policies because the messages have no attributes.
-
-type: long
-
---
-
-*`aws.sns.metrics.NumberOfNotificationsRedrivenToDlq.sum`*::
-+
---
-The number of messages that have been moved to a dead-letter queue.
-
-type: long
-
---
-
-*`aws.sns.metrics.NumberOfNotificationsFailedToRedriveToDlq.sum`*::
-+
---
-The number of messages that couldn't be moved to a dead-letter queue.
-
-type: long
-
---
-
-*`aws.sns.metrics.SMSMonthToDateSpentUSD.sum`*::
-+
---
-The charges you have accrued since the start of the current calendar month for sending SMS messages.
-
-type: long
-
---
-
-[float]
-=== sqs
-
-`sqs` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS SQS.
-
-
-
-*`aws.sqs.oldest_message_age.sec`*::
-+
---
-The maximum approximate age of the oldest non-deleted message in the queue.
-
-
-type: long
-
-format: duration
-
---
-
-*`aws.sqs.messages.delayed`*::
-+
---
-TThe number of messages in the queue that are delayed and not available for reading immediately.
-
-
-type: long
-
---
-
-*`aws.sqs.messages.not_visible`*::
-+
---
-The number of messages that are in flight.
-
-
-type: long
-
---
-
-*`aws.sqs.messages.visible`*::
-+
---
-The number of messages available for retrieval from the queue.
-
-
-type: long
-
---
-
-*`aws.sqs.messages.deleted`*::
-+
---
-The total number of messages deleted from the queue.
-
-
-type: long
-
---
-
-*`aws.sqs.messages.received`*::
-+
---
-The total number of messages returned by calls to the ReceiveMessage action.
-
-
-type: long
-
---
-
-*`aws.sqs.messages.sent`*::
-+
---
-The total number of messages added to a queue.
-
-
-type: long
-
---
-
-*`aws.sqs.empty_receives`*::
-+
---
-The total number of ReceiveMessage API calls that did not return a message.
-
-
-type: long
-
---
-
-*`aws.sqs.sent_message_size.bytes`*::
-+
---
-The size of messages added to a queue.
-
-
-type: long
-
-format: bytes
-
---
-
-*`aws.sqs.queue.name`*::
-+
---
-SQS queue name
-
-
-type: keyword
-
---
-
-[float]
-=== transitgateway
-
-`transitgateway` contains the metrics from Cloudwatch to track usage of transit gateway related resources.
-
-
-
-
-*`aws.transitgateway.metrics.BytesIn.sum`*::
-+
---
-The number of bytes received by the transit gateway.
-
-type: long
-
---
-
-*`aws.transitgateway.metrics.BytesOut.sum`*::
-+
---
-The number of bytes sent from the transit gateway.
-
-type: long
-
---
-
-*`aws.transitgateway.metrics.PacketsIn.sum`*::
-+
---
-The number of packets received by the transit gateway.
-
-type: long
-
---
-
-*`aws.transitgateway.metrics.PacketsOut.sum`*::
-+
---
-The number of packets sent by the transit gateway.
-
-type: long
-
---
-
-*`aws.transitgateway.metrics.PacketDropCountBlackhole.sum`*::
-+
---
-The number of packets dropped because they matched a blackhole route.
-
-type: long
-
---
-
-*`aws.transitgateway.metrics.PacketDropCountNoRoute.sum`*::
-+
---
-The number of packets dropped because they did not match a route.
-
-type: long
-
---
-
-*`aws.transitgateway.metrics.BytesDropCountNoRoute.sum`*::
-+
---
-The number of bytes dropped because they did not match a route.
-
-type: long
-
---
-
-*`aws.transitgateway.metrics.BytesDropCountBlackhole.sum`*::
-+
---
-The number of bytes dropped because they matched a blackhole route.
-
-type: long
-
---
-
-[float]
-=== usage
-
-`usage` contains the metrics from Cloudwatch to track usage of some AWS resources.
-
-
-
-
-*`aws.usage.metrics.CallCount.sum`*::
-+
---
-The number of specified API operations performed in your account.
-
-type: long
-
---
-
-*`aws.usage.metrics.ResourceCount.sum`*::
-+
---
-The number of the specified resources running in your account. The resources are defined by the dimensions associated with the metric.
-
-type: long
-
---
-
-[float]
-=== vpn
-
-`vpn` contains the metrics from Cloudwatch to track usage of VPN related resources.
-
-
-
-
-*`aws.vpn.metrics.TunnelState.avg`*::
-+
---
-The state of the tunnel. For static VPNs, 0 indicates DOWN and 1 indicates UP. For BGP VPNs, 1 indicates ESTABLISHED and 0 is used for all other states.
-
-type: double
-
---
-
-*`aws.vpn.metrics.TunnelDataIn.sum`*::
-+
---
-The bytes received through the VPN tunnel.
-
-type: double
-
---
-
-*`aws.vpn.metrics.TunnelDataOut.sum`*::
-+
---
-The bytes sent through the VPN tunnel.
-
-type: double
-
---
-
-[[exported-fields-awsfargate]]
-== AWS Fargate fields
-
-`awsfargate` module collects AWS fargate metrics from task metadata endpoint.
-
-
-
-
-*`awsfargate.container.labels.com_amazonaws_ecs_cluster`*::
-+
---
-ECS Cluster name
-
-type: keyword
-
---
-
-*`awsfargate.container.labels.com_amazonaws_ecs_container-name`*::
-+
---
-ECS container name
-
-type: keyword
-
---
-
-*`awsfargate.container.labels.com_amazonaws_ecs_task-arn`*::
-+
---
-ECS task ARN
-
-type: keyword
-
---
-
-*`awsfargate.container.labels.com_amazonaws_ecs_task-definition-family`*::
-+
---
-ECS task definition family
-
-type: keyword
-
---
-
-*`awsfargate.container.labels.com_amazonaws_ecs_task-definition-version`*::
-+
---
-ECS task definition version
-
-type: keyword
-
---
-
-[float]
-=== task_stats
-
-`task_stats` contains the metrics that were scraped from AWS fargate task stats ${ECS_CONTAINER_METADATA_URI_V4}/task/stats metadata endpoint.
-
-
-
-*`awsfargate.task_stats.cluster_name`*::
-+
---
-Cluster name (Pippero)
-
-type: keyword
-
---
-
-*`awsfargate.task_stats.task_name`*::
-+
---
-ECS task name
-
-type: keyword
-
---
-
-*`awsfargate.task_stats.identifier`*::
-+
---
-Container identifier across tasks and clusters, which equals to container.name + '/' + container.id.
-
-
-type: keyword
-
---
-
-*`awsfargate.task_stats.task_desired_status`*::
-+
---
-The desired status for the task from Amazon ECS.
-
-
-type: keyword
-
---
-
-*`awsfargate.task_stats.task_known_status`*::
-+
---
-The known status for the task from Amazon ECS.
-
-
-type: keyword
-
---
-
-*`awsfargate.task_stats.memory_hard_limit`*::
-+
---
-The Hard Memory Limit for the task from Amazon ECS.
-
-
-type: scaled_float
-
---
-
-[float]
-=== cpu
-
-Runtime CPU metrics.
-
-
-*`awsfargate.task_stats.cpu.kernel.pct`*::
-+
---
-Percentage of time in kernel space, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`awsfargate.task_stats.cpu.kernel.norm.pct`*::
-+
---
-Percentage of time in kernel space normalized by the number of CPU cores, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`awsfargate.task_stats.cpu.kernel.ticks`*::
-+
---
-CPU ticks in kernel space.
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.cpu.system.pct`*::
-+
---
-Percentage of total CPU time in the system, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`awsfargate.task_stats.cpu.system.norm.pct`*::
-+
---
-Percentage of total CPU time in the system normalized by the number of CPU cores, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`awsfargate.task_stats.cpu.system.ticks`*::
-+
---
-CPU system ticks.
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.cpu.user.pct`*::
-+
---
-Percentage of time in user space, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`awsfargate.task_stats.cpu.user.norm.pct`*::
-+
---
-Percentage of time in user space normalized by the number of CPU cores, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`awsfargate.task_stats.cpu.user.ticks`*::
-+
---
-CPU ticks in user space.
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.cpu.total.pct`*::
-+
---
-Total CPU usage, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`awsfargate.task_stats.cpu.total.norm.pct`*::
-+
---
-Total CPU usage normalized by the number of CPU cores, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-[float]
-=== diskio
-
-Disk I/O metrics.
-
-
-[float]
-=== read
-
-Accumulated reads during the life of the container
-
-
-
-*`awsfargate.task_stats.diskio.read.ops`*::
-+
---
-Number of reads during the life of the container
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.diskio.read.bytes`*::
-+
---
-Bytes read during the life of the container
-
-
-type: long
-
-format: bytes
-
---
-
-*`awsfargate.task_stats.diskio.read.rate`*::
-+
---
-Number of current reads per second
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.diskio.read.service_time`*::
-+
---
-Total time to service IO requests, in nanoseconds
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.diskio.read.wait_time`*::
-+
---
-Total time requests spent waiting in queues for service, in nanoseconds
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.diskio.read.queued`*::
-+
---
-Total number of queued requests
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.diskio.reads`*::
-+
---
-
-deprecated:[6.4]
-
-Number of current reads per second
-
-
-type: scaled_float
-
---
-
-[float]
-=== write
-
-Accumulated writes during the life of the container
-
-
-
-*`awsfargate.task_stats.diskio.write.ops`*::
-+
---
-Number of writes during the life of the container
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.diskio.write.bytes`*::
-+
---
-Bytes written during the life of the container
-
-
-type: long
-
-format: bytes
-
---
-
-*`awsfargate.task_stats.diskio.write.rate`*::
-+
---
-Number of current writes per second
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.diskio.write.service_time`*::
-+
---
-Total time to service IO requests, in nanoseconds
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.diskio.write.wait_time`*::
-+
---
-Total time requests spent waiting in queues for service, in nanoseconds
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.diskio.write.queued`*::
-+
---
-Total number of queued requests
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.diskio.writes`*::
-+
---
-
-deprecated:[6.4]
-
-Number of current writes per second
-
-
-type: scaled_float
-
---
-
-[float]
-=== summary
-
-Accumulated reads and writes during the life of the container
-
-
-
-*`awsfargate.task_stats.diskio.summary.ops`*::
-+
---
-Number of I/O operations during the life of the container
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.diskio.summary.bytes`*::
-+
---
-Bytes read and written during the life of the container
-
-
-type: long
-
-format: bytes
-
---
-
-*`awsfargate.task_stats.diskio.summary.rate`*::
-+
---
-Number of current operations per second
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.diskio.summary.service_time`*::
-+
---
-Total time to service IO requests, in nanoseconds
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.diskio.summary.wait_time`*::
-+
---
-Total time requests spent waiting in queues for service, in nanoseconds
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.diskio.summary.queued`*::
-+
---
-Total number of queued requests
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.diskio.total`*::
-+
---
-
-deprecated:[6.4]
-
-Number of reads and writes per second
-
-
-type: scaled_float
-
---
-
-[float]
-=== memory
-
-Memory metrics.
-
-
-*`awsfargate.task_stats.memory.stats`*::
-+
---
-Raw memory stats from the cgroups memory.stat interface
-
-
-type: object
-
---
-
-[float]
-=== commit
-
-Committed bytes on Windows
-
-
-
-*`awsfargate.task_stats.memory.commit.total`*::
-+
---
-Total bytes
-
-
-type: long
-
-format: bytes
-
---
-
-*`awsfargate.task_stats.memory.commit.peak`*::
-+
---
-Peak committed bytes on Windows
-
-
-type: long
-
-format: bytes
-
---
-
-*`awsfargate.task_stats.memory.private_working_set.total`*::
-+
---
-private working sets on Windows
-
-
-type: long
-
-format: bytes
-
---
-
-*`awsfargate.task_stats.memory.fail.count`*::
-+
---
-Fail counter.
-
-
-type: scaled_float
-
---
-
-*`awsfargate.task_stats.memory.limit`*::
-+
---
-Memory limit.
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== rss
-
-RSS memory stats.
-
-
-
-*`awsfargate.task_stats.memory.rss.total`*::
-+
---
-Total memory resident set size.
-
-
-type: long
-
-format: bytes
-
---
-
-*`awsfargate.task_stats.memory.rss.pct`*::
-+
---
-Memory resident set size percentage, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-[float]
-=== usage
-
-Usage memory stats.
-
-
-
-*`awsfargate.task_stats.memory.usage.max`*::
-+
---
-Max memory usage.
-
-
-type: long
-
-format: bytes
-
---
-
-*`awsfargate.task_stats.memory.usage.total`*::
-+
---
-Total memory usage.
-
-
-type: long
-
-format: bytes
-
---
-
-
-*`awsfargate.task_stats.network.*.inbound.bytes`*::
-+
---
-Total number of incoming bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`awsfargate.task_stats.network.*.inbound.dropped`*::
-+
---
-Total number of dropped incoming packets.
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.network.*.inbound.errors`*::
-+
---
-Total errors on incoming packets.
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.network.*.inbound.packets`*::
-+
---
-Total number of incoming packets.
-
-
-type: long
-
---
-
-
-*`awsfargate.task_stats.network.*.outbound.bytes`*::
-+
---
-Total number of incoming bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`awsfargate.task_stats.network.*.outbound.dropped`*::
-+
---
-Total number of dropped incoming packets.
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.network.*.outbound.errors`*::
-+
---
-Total errors on incoming packets.
-
-
-type: long
-
---
-
-*`awsfargate.task_stats.network.*.outbound.packets`*::
-+
---
-Total number of incoming packets.
-
-
-type: long
-
---
-
-[[exported-fields-azure]]
-== Azure fields
-
-azure module
-
-
-
-
-*`azure.timegrain`*::
-+
---
-The Azure metric timegrain
-
-
-type: keyword
-
---
-
-[float]
-=== resource
-
-The resource specified
-
-
-
-*`azure.resource.type`*::
-+
---
-The type of the resource
-
-
-type: keyword
-
---
-
-*`azure.resource.name`*::
-+
---
-The name of the resource
-
-
-type: keyword
-
---
-
-*`azure.resource.group`*::
-+
---
-The resource group
-
-
-type: keyword
-
---
-
-*`azure.resource.tags.*`*::
-+
---
-Azure resource tags.
-
-
-type: object
-
---
-
-*`azure.namespace`*::
-+
---
-The namespace selected
-
-
-type: keyword
-
---
-
-*`azure.subscription_id`*::
-+
---
-The subscription ID
-
-
-type: keyword
-
---
-
-*`azure.subscription_name`*::
-+
---
-The subscription name
-
-
-type: keyword
-
---
-
-*`azure.application_id`*::
-+
---
-The application ID
-
-
-type: keyword
-
---
-
-*`azure.dimensions.*`*::
-+
---
-Azure metric dimensions.
-
-
-type: object
-
---
-
-*`azure.metrics.*.*`*::
-+
---
-Metrics returned.
-
-
-type: object
-
---
-
-[float]
-=== app_insights
-
-application insights
-
-
-
-*`azure.app_insights.start_date`*::
-+
---
-The start date
-
-
-type: date
-
---
-
-*`azure.app_insights.end_date`*::
-+
---
-The end date
-
-
-type: date
-
---
-
-*`azure.app_insights.metrics.*.*`*::
-+
---
-The metrics
-
-
-type: object
-
---
-
-[float]
-=== app_state
-
-application state
-
-
-
-*`azure.app_state.start_date`*::
-+
---
-The start date
-
-
-type: date
-
---
-
-*`azure.app_state.end_date`*::
-+
---
-The end date
-
-
-type: date
-
---
-
-*`azure.app_state.requests_count.sum`*::
-+
---
-Request count
-
-
-type: float
-
---
-
-*`azure.app_state.requests_failed.sum`*::
-+
---
-Request failed count
-
-
-type: float
-
---
-
-*`azure.app_state.users_count.unique`*::
-+
---
-User count
-
-
-type: float
-
---
-
-*`azure.app_state.sessions_count.unique`*::
-+
---
-Session count
-
-
-type: float
-
---
-
-*`azure.app_state.users_authenticated.unique`*::
-+
---
-Authenticated users count
-
-
-type: float
-
---
-
-*`azure.app_state.browser_timings_network_duration.avg`*::
-+
---
-Browser timings network duration
-
-
-type: float
-
---
-
-*`azure.app_state.browser_timings_send_duration.avg`*::
-+
---
-Browser timings send duration
-
-
-type: float
-
---
-
-*`azure.app_state.browser_timings_receive_uration.avg`*::
-+
---
-Browser timings receive duration
-
-
-type: float
-
---
-
-*`azure.app_state.browser_timings_processing_duration.avg`*::
-+
---
-Browser timings processing duration
-
-
-type: float
-
---
-
-*`azure.app_state.browser_timings_total_duration.avg`*::
-+
---
-Browser timings total duration
-
-
-type: float
-
---
-
-*`azure.app_state.exceptions_count.sum`*::
-+
---
-Exception count
-
-
-type: float
-
---
-
-*`azure.app_state.exceptions_browser.sum`*::
-+
---
-Exception count at browser level
-
-
-type: float
-
---
-
-*`azure.app_state.exceptions_server.sum`*::
-+
---
-Exception count at server level
-
-
-type: float
-
---
-
-*`azure.app_state.performance_counters_memory_available_bytes.avg`*::
-+
---
-Performance counters memory available bytes
-
-
-type: float
-
---
-
-*`azure.app_state.performance_counters_process_private_bytes.avg`*::
-+
---
-Performance counters process private bytes
-
-
-type: float
-
---
-
-*`azure.app_state.performance_counters_process_cpu_percentage_total.avg`*::
-+
---
-Performance counters process cpu percentage total
-
-
-type: float
-
---
-
-*`azure.app_state.performance_counters_process_cpu_percentage.avg`*::
-+
---
-Performance counters process cpu percentage
-
-
-type: float
-
---
-
-*`azure.app_state.performance_counters_processiobytes_per_second.avg`*::
-+
---
-Performance counters process IO bytes per second
-
-
-type: float
-
---
-
-[float]
-=== billing
-
-billing and usage details
-
-
-
-*`azure.billing.currency`*::
-+
---
-Billing Currency.
-
-
-type: keyword
-
---
-
-*`azure.billing.pretax_cost`*::
-+
---
-The amount of cost before tax.
-
-
-type: float
-
---
-
-*`azure.billing.unit_price`*::
-+
---
-Unit Price is the price applicable to you. (your EA or other contract price).
-
-
-type: float
-
---
-
-*`azure.billing.quantity`*::
-+
---
-Measure the quantity purchased or consumed. The amount of the meter used during the billing period.
-
-
-type: float
-
---
-
-*`azure.billing.department_name`*::
-+
---
-The department name
-
-
-type: keyword
-
---
-
-*`azure.billing.product`*::
-+
---
-Product name for the consumed service or purchase.
-
-
-type: keyword
-
---
-
-*`azure.billing.usage_start`*::
-+
---
-The usage start date
-
-
-type: date
-
---
-
-*`azure.billing.usage_end`*::
-+
---
-The usage end date
-
-
-type: date
-
---
-
-*`azure.billing.billing_period_id`*::
-+
---
-The billing period id.
-
-
-type: keyword
-
---
-
-*`azure.billing.account_name`*::
-+
---
-Name of the Billing Account.
-
-
-type: keyword
-
---
-
-*`azure.billing.account_id`*::
-+
---
-Billing Account identifier.
-
-
-type: keyword
-
---
-
-*`azure.billing.actual_cost`*::
-+
---
-The actual cost
-
-
-type: float
-
---
-
-*`azure.billing.forecast_cost`*::
-+
---
-The forecast cost
-
-
-type: float
-
---
-
-*`azure.billing.usage_date`*::
-+
---
-The usage date
-
-
-type: date
-
---
-
-*`azure.compute_vm.*.*`*::
-+
---
-compute_vm
-
-
-type: object
-
---
-
-*`azure.compute_vm_scaleset.*.*`*::
-+
---
-compute_vm_scaleset
-
-
-type: object
-
---
-
-*`azure.container_instance.*.*`*::
-+
---
-container instance
-
-
-type: object
-
---
-
-*`azure.container_registry.*.*`*::
-+
---
-container registry
-
-
-type: object
-
---
-
-*`azure.container_service.*.*`*::
-+
---
-container service
-
-
-type: object
-
---
-
-*`azure.database_account.*.*`*::
-+
---
-database account
-
-
-type: object
-
---
-
-[float]
-=== monitor
-
-monitor
-
-
-*`azure.storage.*.*`*::
-+
---
-storage account
-
-
-type: object
-
---
-
-*`azure.storage_account.*.*`*::
-+
---
-storage account
-
-
-type: object
-
---
-
-[[exported-fields-beat-common]]
-== Beat fields
-
-Contains common beat fields available in all event types.
-
-
-
-*`agent.hostname`*::
-+
---
-Deprecated - use agent.name or agent.id to identify an agent.
-
-
-type: alias
-
-alias to: agent.name
-
---
-
-*`beat.timezone`*::
-+
---
-type: alias
-
-alias to: event.timezone
-
---
-
-*`fields`*::
-+
---
-Contains user configurable fields.
-
-
-type: object
-
---
-
-*`beat.name`*::
-+
---
-type: alias
-
-alias to: host.name
-
---
-
-*`beat.hostname`*::
-+
---
-type: alias
-
-alias to: agent.name
-
---
-
-*`timeseries.instance`*::
-+
---
-Time series instance id
-
-type: keyword
-
---
-
-[[exported-fields-beat]]
-== Beat fields
-
-Beat module
-
-
-
-
-
-
-*`beats_stats.apm-server.acm.request.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.request.count
-
---
-
-
-*`beats_stats.apm-server.acm.response.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.count
-
---
-
-
-*`beats_stats.apm-server.acm.response.errors.closed`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.errors.closed
-
---
-
-*`beats_stats.apm-server.acm.response.errors.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.errors.count
-
---
-
-*`beats_stats.apm-server.acm.response.errors.decode`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.errors.decode
-
---
-
-*`beats_stats.apm-server.acm.response.errors.forbidden`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.errors.forbidden
-
---
-
-*`beats_stats.apm-server.acm.response.errors.internal`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.errors.internal
-
---
-
-*`beats_stats.apm-server.acm.response.errors.invalidquery`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.errors.invalidquery
-
---
-
-*`beats_stats.apm-server.acm.response.errors.method`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.errors.method
-
---
-
-*`beats_stats.apm-server.acm.response.errors.notfound`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.errors.notfound
-
---
-
-*`beats_stats.apm-server.acm.response.errors.queue`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.errors.queue
-
---
-
-*`beats_stats.apm-server.acm.response.errors.ratelimit`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.errors.ratelimit
-
---
-
-*`beats_stats.apm-server.acm.response.errors.timeout`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.errors.timeout
-
---
-
-*`beats_stats.apm-server.acm.response.errors.toolarge`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.errors.toolarge
-
---
-
-*`beats_stats.apm-server.acm.response.errors.unauthorized`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.errors.unauthorized
-
---
-
-*`beats_stats.apm-server.acm.response.errors.unavailable`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.errors.unavailable
-
---
-
-*`beats_stats.apm-server.acm.response.errors.validate`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.errors.validate
-
---
-
-
-*`beats_stats.apm-server.acm.response.valid.accepted`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.valid.accepted
-
---
-
-*`beats_stats.apm-server.acm.response.valid.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.valid.count
-
---
-
-*`beats_stats.apm-server.acm.response.valid.notmodified`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.valid.notmodified
-
---
-
-*`beats_stats.apm-server.acm.response.valid.ok`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.response.valid.ok
-
---
-
-*`beats_stats.apm-server.acm.unset`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.acm.unset
-
---
-
-
-
-*`beats_stats.apm-server.agentcfg.elasticsearch.cache.entries.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.agentcfg.elasticsearch.cache.entries.count
-
---
-
-*`beats_stats.apm-server.agentcfg.elasticsearch.cache.refresh.failures`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.agentcfg.elasticsearch.cache.refresh.failures
-
---
-
-*`beats_stats.apm-server.agentcfg.elasticsearch.cache.refresh.successes`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.agentcfg.elasticsearch.cache.refresh.successes
-
---
-
-*`beats_stats.apm-server.agentcfg.elasticsearch.fetch.es`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.agentcfg.elasticsearch.fetch.es
-
---
-
-*`beats_stats.apm-server.agentcfg.elasticsearch.fetch.fallback`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.agentcfg.elasticsearch.fetch.fallback
-
---
-
-*`beats_stats.apm-server.agentcfg.elasticsearch.fetch.invalid`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.agentcfg.elasticsearch.fetch.invalid
-
---
-
-*`beats_stats.apm-server.agentcfg.elasticsearch.fetch.unavailable`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.agentcfg.elasticsearch.fetch.unavailable
-
---
-
-
-
-
-*`beats_stats.apm-server.jaeger.grpc.collect.request.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.jaeger.grpc.collect.request.count
-
---
-
-
-*`beats_stats.apm-server.jaeger.grpc.collect.response.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.jaeger.grpc.collect.response.count
-
---
-
-
-*`beats_stats.apm-server.jaeger.grpc.collect.response.errors.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.jaeger.grpc.collect.response.errors.count
-
---
-
-*`beats_stats.apm-server.jaeger.grpc.collect.response.errors.ratelimit`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.jaeger.grpc.collect.response.errors.ratelimit
-
---
-
-*`beats_stats.apm-server.jaeger.grpc.collect.response.errors.timeout`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.jaeger.grpc.collect.response.errors.timeout
-
---
-
-*`beats_stats.apm-server.jaeger.grpc.collect.response.errors.unauthorized`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.jaeger.grpc.collect.response.errors.unauthorized
-
---
-
-*`beats_stats.apm-server.jaeger.grpc.collect.response.valid.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.jaeger.grpc.collect.response.valid.count
-
---
-
-
-*`beats_stats.apm-server.jaeger.grpc.sampling.event.received.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.jaeger.grpc.sampling.event.received.count
-
---
-
-*`beats_stats.apm-server.jaeger.grpc.sampling.request.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.jaeger.grpc.sampling.request.count
-
---
-
-
-*`beats_stats.apm-server.jaeger.grpc.sampling.response.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.jaeger.grpc.sampling.response.count
-
---
-
-*`beats_stats.apm-server.jaeger.grpc.sampling.response.errors.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.jaeger.grpc.sampling.response.errors.count
-
---
-
-*`beats_stats.apm-server.jaeger.grpc.sampling.response.valid.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.jaeger.grpc.sampling.response.valid.count
-
---
-
-
-
-
-*`beats_stats.apm-server.otlp.grpc.logs.request.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.logs.request.count
-
---
-
-
-*`beats_stats.apm-server.otlp.grpc.logs.response.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.logs.response.count
-
---
-
-
-*`beats_stats.apm-server.otlp.grpc.logs.response.errors.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.logs.response.errors.count
-
---
-
-*`beats_stats.apm-server.otlp.grpc.logs.response.errors.ratelimit`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.logs.response.errors.ratelimit
-
---
-
-*`beats_stats.apm-server.otlp.grpc.logs.response.errors.timeout`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.logs.response.errors.timeout
-
---
-
-*`beats_stats.apm-server.otlp.grpc.logs.response.errors.unauthorized`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.logs.response.errors.unauthorized
-
---
-
-*`beats_stats.apm-server.otlp.grpc.logs.response.valid.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.logs.response.valid.count
-
---
-
-
-*`beats_stats.apm-server.otlp.grpc.metrics.consumer.unsupported_dropped`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.metrics.consumer.unsupported_dropped
-
---
-
-*`beats_stats.apm-server.otlp.grpc.metrics.request.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.metrics.request.count
-
---
-
-
-*`beats_stats.apm-server.otlp.grpc.metrics.response.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.metrics.response.count
-
---
-
-
-*`beats_stats.apm-server.otlp.grpc.metrics.response.errors.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.metrics.response.errors.count
-
---
-
-*`beats_stats.apm-server.otlp.grpc.metrics.response.errors.ratelimit`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.metrics.response.errors.ratelimit
-
---
-
-*`beats_stats.apm-server.otlp.grpc.metrics.response.errors.timeout`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.metrics.response.errors.timeout
-
---
-
-*`beats_stats.apm-server.otlp.grpc.metrics.response.errors.unauthorized`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.metrics.response.errors.unauthorized
-
---
-
-*`beats_stats.apm-server.otlp.grpc.metrics.response.valid.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.metrics.response.valid.count
-
---
-
-
-*`beats_stats.apm-server.otlp.grpc.traces.request.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.traces.request.count
-
---
-
-
-*`beats_stats.apm-server.otlp.grpc.traces.response.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.traces.response.count
-
---
-
-
-*`beats_stats.apm-server.otlp.grpc.traces.response.errors.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.traces.response.errors.count
-
---
-
-*`beats_stats.apm-server.otlp.grpc.traces.response.errors.ratelimit`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.traces.response.errors.ratelimit
-
---
-
-*`beats_stats.apm-server.otlp.grpc.traces.response.errors.timeout`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.traces.response.errors.timeout
-
---
-
-*`beats_stats.apm-server.otlp.grpc.traces.response.errors.unauthorized`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.traces.response.errors.unauthorized
-
---
-
-*`beats_stats.apm-server.otlp.grpc.traces.response.valid.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.grpc.traces.response.valid.count
-
---
-
-
-
-*`beats_stats.apm-server.otlp.http.logs.request.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.logs.request.count
-
---
-
-
-*`beats_stats.apm-server.otlp.http.logs.response.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.logs.response.count
-
---
-
-
-*`beats_stats.apm-server.otlp.http.logs.response.errors.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.logs.response.errors.count
-
---
-
-*`beats_stats.apm-server.otlp.http.logs.response.errors.ratelimit`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.logs.response.errors.ratelimit
-
---
-
-*`beats_stats.apm-server.otlp.http.logs.response.errors.timeout`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.logs.response.errors.timeout
-
---
-
-*`beats_stats.apm-server.otlp.http.logs.response.errors.unauthorized`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.logs.response.errors.unauthorized
-
---
-
-*`beats_stats.apm-server.otlp.http.logs.response.valid.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.logs.response.valid.count
-
---
-
-
-*`beats_stats.apm-server.otlp.http.metrics.consumer.unsupported_dropped`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.metrics.consumer.unsupported_dropped
-
---
-
-*`beats_stats.apm-server.otlp.http.metrics.request.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.metrics.request.count
-
---
-
-
-*`beats_stats.apm-server.otlp.http.metrics.response.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.metrics.response.count
-
---
-
-
-*`beats_stats.apm-server.otlp.http.metrics.response.errors.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.metrics.response.errors.count
-
---
-
-*`beats_stats.apm-server.otlp.http.metrics.response.errors.ratelimit`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.metrics.response.errors.ratelimit
-
---
-
-*`beats_stats.apm-server.otlp.http.metrics.response.errors.timeout`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.metrics.response.errors.timeout
-
---
-
-*`beats_stats.apm-server.otlp.http.metrics.response.errors.unauthorized`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.metrics.response.errors.unauthorized
-
---
-
-*`beats_stats.apm-server.otlp.http.metrics.response.valid.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.metrics.response.valid.count
-
---
-
-
-*`beats_stats.apm-server.otlp.http.traces.request.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.traces.request.count
-
---
-
-
-*`beats_stats.apm-server.otlp.http.traces.response.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.traces.response.count
-
---
-
-
-*`beats_stats.apm-server.otlp.http.traces.response.errors.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.traces.response.errors.count
-
---
-
-*`beats_stats.apm-server.otlp.http.traces.response.errors.ratelimit`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.traces.response.errors.ratelimit
-
---
-
-*`beats_stats.apm-server.otlp.http.traces.response.errors.timeout`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.traces.response.errors.timeout
-
---
-
-*`beats_stats.apm-server.otlp.http.traces.response.errors.unauthorized`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.traces.response.errors.unauthorized
-
---
-
-*`beats_stats.apm-server.otlp.http.traces.response.valid.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.otlp.http.traces.response.valid.count
-
---
-
-
-*`beats_stats.apm-server.processor.error.transformations`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.processor.error.transformations
-
---
-
-*`beats_stats.apm-server.processor.metric.transformations`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.processor.metric.transformations
-
---
-
-*`beats_stats.apm-server.processor.span.transformations`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.processor.span.transformations
-
---
-
-
-*`beats_stats.apm-server.processor.stream.accepted`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.processor.stream.accepted
-
---
-
-
-*`beats_stats.apm-server.processor.stream.errors.invalid`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.processor.stream.errors.invalid
-
---
-
-*`beats_stats.apm-server.processor.stream.errors.toolarge`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.processor.stream.errors.toolarge
-
---
-
-*`beats_stats.apm-server.processor.transaction.transformations`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.processor.transaction.transformations
-
---
-
-
-*`beats_stats.apm-server.root.request.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.request.count
-
---
-
-
-*`beats_stats.apm-server.root.response.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.count
-
---
-
-
-*`beats_stats.apm-server.root.response.errors.closed`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.errors.closed
-
---
-
-*`beats_stats.apm-server.root.response.errors.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.errors.count
-
---
-
-*`beats_stats.apm-server.root.response.errors.decode`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.errors.decode
-
---
-
-*`beats_stats.apm-server.root.response.errors.forbidden`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.errors.forbidden
-
---
-
-*`beats_stats.apm-server.root.response.errors.internal`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.errors.internal
-
---
-
-*`beats_stats.apm-server.root.response.errors.invalidquery`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.errors.invalidquery
-
---
-
-*`beats_stats.apm-server.root.response.errors.method`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.errors.method
-
---
-
-*`beats_stats.apm-server.root.response.errors.notfound`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.errors.notfound
-
---
-
-*`beats_stats.apm-server.root.response.errors.queue`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.errors.queue
-
---
-
-*`beats_stats.apm-server.root.response.errors.ratelimit`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.errors.ratelimit
-
---
-
-*`beats_stats.apm-server.root.response.errors.timeout`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.errors.timeout
-
---
-
-*`beats_stats.apm-server.root.response.errors.toolarge`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.errors.toolarge
-
---
-
-*`beats_stats.apm-server.root.response.errors.unauthorized`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.errors.unauthorized
-
---
-
-*`beats_stats.apm-server.root.response.errors.unavailable`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.errors.unavailable
-
---
-
-*`beats_stats.apm-server.root.response.errors.validate`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.errors.validate
-
---
-
-
-*`beats_stats.apm-server.root.response.valid.accepted`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.valid.accepted
-
---
-
-*`beats_stats.apm-server.root.response.valid.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.valid.count
-
---
-
-*`beats_stats.apm-server.root.response.valid.notmodified`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.valid.notmodified
-
---
-
-*`beats_stats.apm-server.root.response.valid.ok`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.response.valid.ok
-
---
-
-*`beats_stats.apm-server.root.unset`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.root.unset
-
---
-
-
-
-*`beats_stats.apm-server.sampling.tail.dynamic_service_groups`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.sampling.tail.dynamic_service_groups
-
---
-
-
-*`beats_stats.apm-server.sampling.tail.events.dropped`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.sampling.tail.events.dropped
-
---
-
-*`beats_stats.apm-server.sampling.tail.events.failed_writes`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.sampling.tail.events.failed_writes
-
---
-
-*`beats_stats.apm-server.sampling.tail.events.head_unsampled`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.sampling.tail.events.head_unsampled
-
---
-
-*`beats_stats.apm-server.sampling.tail.events.processed`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.sampling.tail.events.processed
-
---
-
-*`beats_stats.apm-server.sampling.tail.events.sampled`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.sampling.tail.events.sampled
-
---
-
-*`beats_stats.apm-server.sampling.tail.events.stored`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.sampling.tail.events.stored
-
---
-
-
-*`beats_stats.apm-server.sampling.tail.storage.lsm_size`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.sampling.tail.storage.lsm_size
-
---
-
-*`beats_stats.apm-server.sampling.tail.storage.value_log_size`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.sampling.tail.storage.value_log_size
-
---
-
-*`beats_stats.apm-server.sampling.transactions_dropped`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.sampling.transactions_dropped
-
---
-
-
-*`beats_stats.apm-server.server.request.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.request.count
-
---
-
-
-*`beats_stats.apm-server.server.response.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.count
-
---
-
-
-*`beats_stats.apm-server.server.response.errors.closed`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.errors.closed
-
---
-
-*`beats_stats.apm-server.server.response.errors.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.errors.count
-
---
-
-*`beats_stats.apm-server.server.response.errors.decode`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.errors.decode
-
---
-
-*`beats_stats.apm-server.server.response.errors.forbidden`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.errors.forbidden
-
---
-
-*`beats_stats.apm-server.server.response.errors.internal`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.errors.internal
-
---
-
-*`beats_stats.apm-server.server.response.errors.invalidquery`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.errors.invalidquery
-
---
-
-*`beats_stats.apm-server.server.response.errors.method`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.errors.method
-
---
-
-*`beats_stats.apm-server.server.response.errors.notfound`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.errors.notfound
-
---
-
-*`beats_stats.apm-server.server.response.errors.queue`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.errors.queue
-
---
-
-*`beats_stats.apm-server.server.response.errors.ratelimit`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.errors.ratelimit
-
---
-
-*`beats_stats.apm-server.server.response.errors.timeout`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.errors.timeout
-
---
-
-*`beats_stats.apm-server.server.response.errors.toolarge`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.errors.toolarge
-
---
-
-*`beats_stats.apm-server.server.response.errors.unauthorized`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.errors.unauthorized
-
---
-
-*`beats_stats.apm-server.server.response.errors.unavailable`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.errors.unavailable
-
---
-
-*`beats_stats.apm-server.server.response.errors.validate`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.errors.validate
-
---
-
-
-*`beats_stats.apm-server.server.response.valid.accepted`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.valid.accepted
-
---
-
-*`beats_stats.apm-server.server.response.valid.count`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.valid.count
-
---
-
-*`beats_stats.apm-server.server.response.valid.notmodified`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.valid.notmodified
-
---
-
-*`beats_stats.apm-server.server.response.valid.ok`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.response.valid.ok
-
---
-
-*`beats_stats.apm-server.server.unset`*::
-+
---
-type: alias
-
-alias to: beat.stats.apm_server.server.unset
-
---
-
-
-*`beats_stats.beat.host`*::
-+
---
-type: alias
-
-alias to: beat.stats.info.host
-
---
-
-*`beats_stats.beat.name`*::
-+
---
-type: alias
-
-alias to: beat.stats.info.name
-
---
-
-*`beats_stats.beat.type`*::
-+
---
-type: alias
-
-alias to: beat.stats.info.type
-
---
-
-*`beats_stats.beat.uuid`*::
-+
---
-type: alias
-
-alias to: beat.stats.info.uuid
-
---
-
-*`beats_stats.beat.version`*::
-+
---
-type: alias
-
-alias to: beat.stats.info.version
-
---
-
-
-
-*`beats_stats.metrics.system.cpu.cores`*::
-+
---
-type: alias
-
-alias to: beat.stats.system.cpu.cores
-
---
-
-*`beats_stats.metrics.system.load.1`*::
-+
---
-type: alias
-
-alias to: beat.stats.system.load.1
-
---
-
-*`beats_stats.metrics.system.load.5`*::
-+
---
-type: alias
-
-alias to: beat.stats.system.load.5
-
---
-
-*`beats_stats.metrics.system.load.15`*::
-+
---
-type: alias
-
-alias to: beat.stats.system.load.15
-
---
-
-
-*`beats_stats.metrics.system.load.norm.1`*::
-+
---
-type: alias
-
-alias to: beat.stats.system.load.norm.1
-
---
-
-*`beats_stats.metrics.system.load.norm.15`*::
-+
---
-type: alias
-
-alias to: beat.stats.system.load.norm.15
-
---
-
-*`beats_stats.metrics.system.load.norm.5`*::
-+
---
-type: alias
-
-alias to: beat.stats.system.load.norm.5
-
---
-
-
-
-*`beats_stats.metrics.libbeat.pipeline.clients`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.pipeline.clients
-
---
-
-*`beats_stats.metrics.libbeat.pipeline.queue.acked`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.pipeline.queue.acked
-
---
-
-
-*`beats_stats.metrics.libbeat.pipeline.event.active`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.pipeline.events.active
-
---
-
-*`beats_stats.metrics.libbeat.pipeline.event.dropped`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.pipeline.events.dropped
-
---
-
-*`beats_stats.metrics.libbeat.pipeline.event.failed`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.pipeline.events.failed
-
---
-
-*`beats_stats.metrics.libbeat.pipeline.event.filtered`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.pipeline.events.filtered
-
---
-
-*`beats_stats.metrics.libbeat.pipeline.event.published`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.pipeline.events.published
-
---
-
-*`beats_stats.metrics.libbeat.pipeline.event.retry`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.pipeline.events.retry
-
---
-
-*`beats_stats.metrics.libbeat.pipeline.event.total`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.pipeline.events.total
-
---
-
-
-
-*`beats_stats.metrics.libbeat.output.events.acked`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.output.events.acked
-
---
-
-*`beats_stats.metrics.libbeat.output.events.active`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.output.events.active
-
---
-
-*`beats_stats.metrics.libbeat.output.events.batches`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.output.events.batches
-
---
-
-*`beats_stats.metrics.libbeat.output.events.dropped`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.output.events.dropped
-
---
-
-*`beats_stats.metrics.libbeat.output.events.duplicated`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.output.events.duplicates
-
---
-
-*`beats_stats.metrics.libbeat.output.events.failed`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.output.events.failed
-
---
-
-*`beats_stats.metrics.libbeat.output.events.toomany`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.output.events.toomany
-
---
-
-*`beats_stats.metrics.libbeat.output.events.total`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.output.events.total
-
---
-
-*`beats_stats.metrics.libbeat.output.read.bytes`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.output.read.bytes
-
---
-
-*`beats_stats.metrics.libbeat.output.read.errors`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.output.read.errors
-
---
-
-*`beats_stats.metrics.libbeat.output.type`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.output.type
-
---
-
-*`beats_stats.metrics.libbeat.output.write.bytes`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.output.write.bytes
-
---
-
-*`beats_stats.metrics.libbeat.output.write.errors`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.output.write.errors
-
---
-
-
-*`beats_stats.metrics.libbeat.config.module.running`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.config.running
-
---
-
-*`beats_stats.metrics.libbeat.config.module.starts`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.config.starts
-
---
-
-*`beats_stats.metrics.libbeat.config.module.stops`*::
-+
---
-type: alias
-
-alias to: beat.stats.libbeat.config.stops
-
---
-
-
-*`beats_stats.metrics.beat.info.ephemeral_id`*::
-+
---
-type: alias
-
-alias to: beat.stats.info.ephemeral_id
-
---
-
-*`beats_stats.metrics.beat.info.uptime.ms`*::
-+
---
-type: alias
-
-alias to: beat.stats.info.uptime.ms
-
---
-
-
-*`beats_stats.metrics.beat.handles.limit.hard`*::
-+
---
-type: alias
-
-alias to: beat.stats.handles.limit.hard
-
---
-
-*`beats_stats.metrics.beat.handles.limit.soft`*::
-+
---
-type: alias
-
-alias to: beat.stats.handles.limit.soft
-
---
-
-*`beats_stats.metrics.beat.handles.open`*::
-+
---
-type: alias
-
-alias to: beat.stats.handles.open
-
---
-
-
-*`beats_stats.metrics.beat.memstats.gc_next`*::
-+
---
-type: alias
-
-alias to: beat.stats.memstats.gc_next
-
---
-
-*`beats_stats.metrics.beat.memstats.memory_alloc`*::
-+
---
-type: alias
-
-alias to: beat.stats.memstats.memory.alloc
-
---
-
-*`beats_stats.metrics.beat.memstats.memory_total`*::
-+
---
-type: alias
-
-alias to: beat.stats.memstats.memory.total
-
---
-
-*`beats_stats.metrics.beat.memstats.rss`*::
-+
---
-type: alias
-
-alias to: beat.stats.memstats.rss
-
---
-
-
-
-*`beats_stats.metrics.beat.cgroup.cpu.id`*::
-+
---
-type: alias
-
-alias to: beat.stats.cgroup.cpu.id
-
---
-
-*`beats_stats.metrics.beat.cgroup.cpu.cfs.period.us`*::
-+
---
-type: alias
-
-alias to: beat.stats.cgroup.cpu.cfs.period.us
-
---
-
-*`beats_stats.metrics.beat.cgroup.cpu.cfs.quota.us`*::
-+
---
-type: alias
-
-alias to: beat.stats.cgroup.cpu.cfs.quota.us
-
---
-
-
-*`beats_stats.metrics.beat.cgroup.cpu.stats.periods`*::
-+
---
-type: alias
-
-alias to: beat.stats.cgroup.cpu.stats.periods
-
---
-
-*`beats_stats.metrics.beat.cgroup.cpu.stats.throttled.periods`*::
-+
---
-type: alias
-
-alias to: beat.stats.cgroup.cpu.stats.throttled.periods
-
---
-
-*`beats_stats.metrics.beat.cgroup.cpu.stats.throttled.ns`*::
-+
---
-type: alias
-
-alias to: beat.stats.cgroup.cpu.stats.throttled.ns
-
---
-
-*`beats_stats.metrics.beat.cgroup.cpuacct.id`*::
-+
---
-type: alias
-
-alias to: beat.stats.cgroup.cpuacct.id
-
---
-
-*`beats_stats.metrics.beat.cgroup.cpuacct.total.ns`*::
-+
---
-type: alias
-
-alias to: beat.stats.cgroup.cpuacct.total.ns
-
---
-
-*`beats_stats.metrics.beat.cgroup.memory.id`*::
-+
---
-type: alias
-
-alias to: beat.stats.cgroup.memory.id
-
---
-
-*`beats_stats.metrics.beat.cgroup.mem.limit.bytes`*::
-+
---
-type: alias
-
-alias to: beat.stats.cgroup.memory.mem.limit.bytes
-
---
-
-*`beats_stats.metrics.beat.cgroup.mem.usage.bytes`*::
-+
---
-type: alias
-
-alias to: beat.stats.cgroup.memory.mem.usage.bytes
-
---
-
-
-*`beats_stats.metrics.beat.cpu.system.ticks`*::
-+
---
-type: alias
-
-alias to: beat.stats.cpu.system.ticks
-
---
-
-*`beats_stats.metrics.beat.cpu.system.time.ms`*::
-+
---
-type: alias
-
-alias to: beat.stats.cpu.system.time.ms
-
---
-
-*`beats_stats.metrics.beat.cpu.total.value`*::
-+
---
-type: alias
-
-alias to: beat.stats.cpu.total.value
-
---
-
-*`beats_stats.metrics.beat.cpu.total.ticks`*::
-+
---
-type: alias
-
-alias to: beat.stats.cpu.total.ticks
-
---
-
-*`beats_stats.metrics.beat.cpu.total.time.ms`*::
-+
---
-type: alias
-
-alias to: beat.stats.cpu.total.time.ms
-
---
-
-*`beats_stats.metrics.beat.cpu.user.ticks`*::
-+
---
-type: alias
-
-alias to: beat.stats.cpu.user.ticks
-
---
-
-*`beats_stats.metrics.beat.cpu.user.time.ms`*::
-+
---
-type: alias
-
-alias to: beat.stats.cpu.user.time.ms
-
---
-
-
-
-
-*`beats_stats.output.elasticsearch.bulk_requests.available`*::
-+
---
-type: alias
-
-alias to: beat.stats.output.elasticsearch.bulk_requests.available
-
---
-
-*`beats_stats.output.elasticsearch.bulk_requests.completed`*::
-+
---
-type: alias
-
-alias to: beat.stats.output.elasticsearch.bulk_requests.completed
-
---
-
-
-*`beats_stats.output.elasticsearch.indexers.active`*::
-+
---
-type: alias
-
-alias to: beat.stats.output.elasticsearch.indexers.active
-
---
-
-*`beats_stats.output.elasticsearch.indexers.created`*::
-+
---
-type: alias
-
-alias to: beat.stats.output.elasticsearch.indexers.created
-
---
-
-*`beats_stats.output.elasticsearch.indexers.destroyed`*::
-+
---
-type: alias
-
-alias to: beat.stats.output.elasticsearch.indexers.destroyed
-
---
-
-
-
-*`beats_state.beat.host`*::
-+
---
-type: alias
-
-alias to: beat.state.beat.host
-
---
-
-*`beats_state.beat.name`*::
-+
---
-type: alias
-
-alias to: beat.state.beat.name
-
---
-
-*`beats_state.beat.type`*::
-+
---
-type: alias
-
-alias to: beat.state.beat.type
-
---
-
-*`beats_state.beat.uuid`*::
-+
---
-type: alias
-
-alias to: beat.state.beat.uuid
-
---
-
-*`beats_state.beat.version`*::
-+
---
-type: alias
-
-alias to: beat.state.beat.version
-
---
-
-*`beats_state.timestamp`*::
-+
---
-type: alias
-
-alias to: @timestamp
-
---
-
-
-*`beats_state.state.beat.name`*::
-+
---
-type: alias
-
-alias to: beat.state.beat.name
-
---
-
-
-*`beats_state.state.host.architecture`*::
-+
---
-type: alias
-
-alias to: host.architecture
-
---
-
-*`beats_state.state.host.hostname`*::
-+
---
-type: alias
-
-alias to: host.hostname
-
---
-
-*`beats_state.state.host.name`*::
-+
---
-type: alias
-
-alias to: host.name
-
---
-
-
-*`beats_state.state.host.os.platform`*::
-+
---
-type: alias
-
-alias to: beat.state.host.os.platform
-
---
-
-*`beats_state.state.host.os.version`*::
-+
---
-type: alias
-
-alias to: beat.state.host.os.version
-
---
-
-*`beats_state.state.input.count`*::
-+
---
-type: alias
-
-alias to: beat.state.input.count
-
---
-
-*`beats_state.state.input.names`*::
-+
---
-type: alias
-
-alias to: beat.state.input.names
-
---
-
-*`beats_state.state.module.count`*::
-+
---
-type: alias
-
-alias to: beat.state.module.count
-
---
-
-*`beats_state.state.module.names`*::
-+
---
-type: alias
-
-alias to: beat.state.module.names
-
---
-
-*`beats_state.state.output.name`*::
-+
---
-type: alias
-
-alias to: beat.state.output.name
-
---
-
-
-*`beats_state.state.service.id`*::
-+
---
-type: alias
-
-alias to: beat.state.service.id
-
---
-
-*`beats_state.state.service.name`*::
-+
---
-type: alias
-
-alias to: beat.state.service.name
-
---
-
-*`beats_state.state.service.version`*::
-+
---
-type: alias
-
-alias to: beat.state.service.version
-
---
-
-[float]
-=== beat
-
-
-
-
-*`beat.id`*::
-+
---
-Beat ID.
-
-
-type: keyword
-
---
-
-*`beat.type`*::
-+
---
-Beat type.
-
-
-type: keyword
-
---
-
-*`beat.elasticsearch.cluster.id`*::
-+
---
-type: keyword
-
---
-
-[float]
-=== state
-
-Beat state
-
-
-
-
-*`beat.state.service.id`*::
-+
---
-type: keyword
-
---
-
-*`beat.state.service.name`*::
-+
---
-type: keyword
-
---
-
-*`beat.state.service.version`*::
-+
---
-type: keyword
-
---
-
-
-*`beat.state.input.count`*::
-+
---
-type: long
-
---
-
-*`beat.state.input.names`*::
-+
---
-type: keyword
-
---
-
-
-*`beat.state.beat.host`*::
-+
---
-type: keyword
-
---
-
-*`beat.state.beat.name`*::
-+
---
-type: keyword
-
---
-
-*`beat.state.beat.type`*::
-+
---
-type: keyword
-
---
-
-*`beat.state.beat.uuid`*::
-+
---
-type: keyword
-
---
-
-*`beat.state.beat.version`*::
-+
---
-type: keyword
-
---
-
-*`beat.state.cluster.uuid`*::
-+
---
-type: keyword
-
---
-
-
-*`beat.state.host.containerized`*::
-+
---
-type: keyword
-
---
-
-
-*`beat.state.host.os.kernel`*::
-+
---
-type: keyword
-
---
-
-*`beat.state.host.os.name`*::
-+
---
-type: keyword
-
---
-
-*`beat.state.host.os.platform`*::
-+
---
-type: keyword
-
---
-
-*`beat.state.host.os.version`*::
-+
---
-type: keyword
-
---
-
-*`beat.state.management.enabled`*::
-+
---
-Is central management enabled?
-
-
-type: boolean
-
---
-
-*`beat.state.module.count`*::
-+
---
-Number of modules enabled
-
-
-type: integer
-
---
-
-*`beat.state.module.names`*::
-+
---
-type: keyword
-
---
-
-*`beat.state.output.name`*::
-+
---
-Name of output used by Beat
-
-
-type: keyword
-
---
-
-*`beat.state.queue.name`*::
-+
---
-Name of queue being used by Beat
-
-
-type: keyword
-
---
-
-[float]
-=== stats
-
-Beat stats
-
-
-
-
-
-*`beat.stats.apm_server.acm.request.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.acm.response.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.acm.response.errors.closed`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.errors.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.errors.decode`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.errors.forbidden`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.errors.internal`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.errors.invalidquery`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.errors.method`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.errors.notfound`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.errors.queue`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.errors.ratelimit`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.errors.timeout`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.errors.toolarge`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.errors.unauthorized`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.errors.unavailable`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.errors.validate`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.acm.response.valid.accepted`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.valid.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.valid.notmodified`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.response.valid.ok`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.acm.unset`*::
-+
---
-type: long
-
---
-
-
-
-*`beat.stats.apm_server.agentcfg.elasticsearch.cache.entries.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.agentcfg.elasticsearch.cache.refresh.failures`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.agentcfg.elasticsearch.cache.refresh.successes`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.agentcfg.elasticsearch.fetch.es`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.agentcfg.elasticsearch.fetch.fallback`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.agentcfg.elasticsearch.fetch.invalid`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.agentcfg.elasticsearch.fetch.unavailable`*::
-+
---
-type: long
-
---
-
-
-
-
-*`beat.stats.apm_server.jaeger.grpc.collect.request.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.jaeger.grpc.collect.response.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.jaeger.grpc.collect.response.errors.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.jaeger.grpc.collect.response.errors.ratelimit`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.jaeger.grpc.collect.response.errors.timeout`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.jaeger.grpc.collect.response.errors.unauthorized`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.jaeger.grpc.collect.response.valid.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.jaeger.grpc.sampling.event.received.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.jaeger.grpc.sampling.request.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.jaeger.grpc.sampling.response.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.jaeger.grpc.sampling.response.errors.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.jaeger.grpc.sampling.response.valid.count`*::
-+
---
-type: long
-
---
-
-
-
-
-*`beat.stats.apm_server.otlp.grpc.logs.request.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.grpc.logs.response.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.grpc.logs.response.errors.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.grpc.logs.response.errors.ratelimit`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.grpc.logs.response.errors.timeout`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.grpc.logs.response.errors.unauthorized`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.grpc.logs.response.valid.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.grpc.metrics.consumer.unsupported_dropped`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.grpc.metrics.request.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.grpc.metrics.response.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.grpc.metrics.response.errors.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.grpc.metrics.response.errors.ratelimit`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.grpc.metrics.response.errors.timeout`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.grpc.metrics.response.errors.unauthorized`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.grpc.metrics.response.valid.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.grpc.traces.request.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.grpc.traces.response.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.grpc.traces.response.errors.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.grpc.traces.response.errors.ratelimit`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.grpc.traces.response.errors.timeout`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.grpc.traces.response.errors.unauthorized`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.grpc.traces.response.valid.count`*::
-+
---
-type: long
-
---
-
-
-
-*`beat.stats.apm_server.otlp.http.logs.request.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.http.logs.response.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.http.logs.response.errors.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.http.logs.response.errors.ratelimit`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.http.logs.response.errors.timeout`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.http.logs.response.errors.unauthorized`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.http.logs.response.valid.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.http.metrics.consumer.unsupported_dropped`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.http.metrics.request.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.http.metrics.response.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.http.metrics.response.errors.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.http.metrics.response.errors.ratelimit`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.http.metrics.response.errors.timeout`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.http.metrics.response.errors.unauthorized`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.http.metrics.response.valid.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.http.traces.request.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.http.traces.response.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.otlp.http.traces.response.errors.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.http.traces.response.errors.ratelimit`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.http.traces.response.errors.timeout`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.http.traces.response.errors.unauthorized`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.otlp.http.traces.response.valid.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.processor.error.transformations`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.processor.metric.transformations`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.processor.span.transformations`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.processor.stream.accepted`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.processor.stream.errors.invalid`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.processor.stream.errors.toolarge`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.processor.transaction.transformations`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.root.request.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.root.response.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.root.response.errors.closed`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.errors.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.errors.decode`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.errors.forbidden`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.errors.internal`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.errors.invalidquery`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.errors.method`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.errors.notfound`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.errors.queue`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.errors.ratelimit`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.errors.timeout`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.errors.toolarge`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.errors.unauthorized`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.errors.unavailable`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.errors.validate`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.root.response.valid.accepted`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.valid.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.valid.notmodified`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.response.valid.ok`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.root.unset`*::
-+
---
-type: long
-
---
-
-
-
-*`beat.stats.apm_server.sampling.tail.dynamic_service_groups`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.sampling.tail.events.dropped`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.sampling.tail.events.failed_writes`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.sampling.tail.events.head_unsampled`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.sampling.tail.events.processed`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.sampling.tail.events.sampled`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.sampling.tail.events.stored`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.sampling.tail.storage.lsm_size`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.sampling.tail.storage.value_log_size`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.sampling.transactions_dropped`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.server.request.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.server.response.count`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.server.response.errors.closed`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.errors.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.errors.decode`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.errors.forbidden`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.errors.internal`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.errors.invalidquery`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.errors.method`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.errors.notfound`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.errors.queue`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.errors.ratelimit`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.errors.timeout`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.errors.toolarge`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.errors.unauthorized`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.errors.unavailable`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.errors.validate`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.apm_server.server.response.valid.accepted`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.valid.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.valid.notmodified`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.response.valid.ok`*::
-+
---
-type: long
-
---
-
-*`beat.stats.apm_server.server.unset`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.info.name`*::
-+
---
-type: keyword
-
---
-
-*`beat.stats.info.host`*::
-+
---
-type: keyword
-
---
-
-*`beat.stats.info.type`*::
-+
---
-type: keyword
-
---
-
-*`beat.stats.info.uuid`*::
-+
---
-type: keyword
-
---
-
-*`beat.stats.info.version`*::
-+
---
-type: keyword
-
---
-
-
-*`beat.stats.beat.name`*::
-+
---
-type: keyword
-
---
-
-*`beat.stats.beat.host`*::
-+
---
-type: keyword
-
---
-
-*`beat.stats.beat.type`*::
-+
---
-type: keyword
-
---
-
-*`beat.stats.beat.uuid`*::
-+
---
-type: keyword
-
---
-
-*`beat.stats.beat.version`*::
-+
---
-type: keyword
-
---
-
-
-*`beat.stats.system.cpu.cores`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.system.load.1`*::
-+
---
-type: double
-
---
-
-*`beat.stats.system.load.15`*::
-+
---
-type: double
-
---
-
-*`beat.stats.system.load.5`*::
-+
---
-type: double
-
---
-
-
-*`beat.stats.system.load.norm.1`*::
-+
---
-type: double
-
---
-
-*`beat.stats.system.load.norm.15`*::
-+
---
-type: double
-
---
-
-*`beat.stats.system.load.norm.5`*::
-+
---
-type: double
-
---
-
-
-*`beat.stats.cpu.system.ticks`*::
-+
---
-type: long
-
---
-
-*`beat.stats.cpu.system.time.ms`*::
-+
---
-type: long
-
---
-
-*`beat.stats.cpu.total.value`*::
-+
---
-type: long
-
---
-
-*`beat.stats.cpu.total.ticks`*::
-+
---
-type: long
-
---
-
-*`beat.stats.cpu.total.time.ms`*::
-+
---
-type: long
-
---
-
-*`beat.stats.cpu.user.ticks`*::
-+
---
-type: long
-
---
-
-*`beat.stats.cpu.user.time.ms`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.info.ephemeral_id`*::
-+
---
-type: keyword
-
---
-
-*`beat.stats.info.uptime.ms`*::
-+
---
-type: long
-
---
-
-
-
-*`beat.stats.cgroup.cpu.cfs.period.us`*::
-+
---
-type: long
-
---
-
-*`beat.stats.cgroup.cpu.cfs.quota.us`*::
-+
---
-type: long
-
---
-
-*`beat.stats.cgroup.cpu.id`*::
-+
---
-type: keyword
-
---
-
-
-*`beat.stats.cgroup.cpu.stats.periods`*::
-+
---
-type: long
-
---
-
-*`beat.stats.cgroup.cpu.stats.throttled.periods`*::
-+
---
-type: long
-
---
-
-*`beat.stats.cgroup.cpu.stats.throttled.ns`*::
-+
---
-type: long
-
---
-
-*`beat.stats.cgroup.cpuacct.id`*::
-+
---
-type: keyword
-
---
-
-*`beat.stats.cgroup.cpuacct.total.ns`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.cgroup.memory.id`*::
-+
---
-type: keyword
-
---
-
-*`beat.stats.cgroup.memory.mem.limit.bytes`*::
-+
---
-type: long
-
---
-
-*`beat.stats.cgroup.memory.mem.usage.bytes`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.memstats.gc_next`*::
-+
---
-type: long
-
---
-
-*`beat.stats.memstats.memory.alloc`*::
-+
---
-type: long
-
---
-
-*`beat.stats.memstats.memory.total`*::
-+
---
-type: long
-
---
-
-*`beat.stats.memstats.rss`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.handles.open`*::
-+
---
-type: long
-
---
-
-*`beat.stats.handles.limit.hard`*::
-+
---
-type: long
-
---
-
-*`beat.stats.handles.limit.soft`*::
-+
---
-type: long
-
---
-
-*`beat.stats.uptime.ms`*::
-+
---
-Beat uptime
-
-
-type: long
-
---
-
-*`beat.stats.runtime.goroutines`*::
-+
---
-Number of goroutines running in Beat
-
-
-type: long
-
---
-
-[float]
-=== libbeat
-
-Fields common to all Beats
-
-
-
-
-*`beat.stats.libbeat.pipeline.clients`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.libbeat.pipeline.queue.acked`*::
-+
---
-Number of acknowledged events
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.pipeline.queue.added.bytes`*::
-+
---
-Number of bytes added to the queue
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.pipeline.queue.added.events`*::
-+
---
-Number of events added to the queue
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.pipeline.queue.consumed.bytes`*::
-+
---
-Number of bytes consumed from the queue
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.pipeline.queue.consumed.events`*::
-+
---
-Number of events consumed from the queue
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.pipeline.queue.filled.bytes`*::
-+
---
-Number of bytes filled in the queue
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.pipeline.queue.filled.events`*::
-+
---
-Number of events filled in the queue
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.pipeline.queue.filled.pct`*::
-+
---
-Percentage of the queue filled
-
-
-type: float
-
---
-
-*`beat.stats.libbeat.pipeline.queue.max_events`*::
-+
---
-Maximum number of events allowed in the queue
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.pipeline.queue.removed.bytes`*::
-+
---
-Number of bytes removed from the queue
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.pipeline.queue.removed.events`*::
-+
---
-Number of events removed from the queue
-
-
-type: long
-
---
-
-
-*`beat.stats.libbeat.pipeline.events.active`*::
-+
---
-type: long
-
---
-
-*`beat.stats.libbeat.pipeline.events.dropped`*::
-+
---
-type: long
-
---
-
-*`beat.stats.libbeat.pipeline.events.failed`*::
-+
---
-type: long
-
---
-
-*`beat.stats.libbeat.pipeline.events.filtered`*::
-+
---
-type: long
-
---
-
-*`beat.stats.libbeat.pipeline.events.published`*::
-+
---
-type: long
-
---
-
-*`beat.stats.libbeat.pipeline.events.retry`*::
-+
---
-type: long
-
---
-
-*`beat.stats.libbeat.pipeline.events.total`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.libbeat.config.running`*::
-+
---
-type: long
-
---
-
-*`beat.stats.libbeat.config.starts`*::
-+
---
-type: long
-
---
-
-*`beat.stats.libbeat.config.stops`*::
-+
---
-type: long
-
---
-
-*`beat.stats.libbeat.config.reloads`*::
-+
---
-type: long
-
---
-
-[float]
-=== output
-
-Output stats
-
-
-
-*`beat.stats.libbeat.output.type`*::
-+
---
-Type of output
-
-
-type: keyword
-
---
-
-[float]
-=== events
-
-Event counters
-
-
-
-*`beat.stats.libbeat.output.events.acked`*::
-+
---
-Number of events acknowledged
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.output.events.active`*::
-+
---
-Number of active events
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.output.events.batches`*::
-+
---
-Number of event batches
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.output.events.dropped`*::
-+
---
-Number of events dropped
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.output.events.duplicates`*::
-+
---
-Number of events duplicated
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.output.events.failed`*::
-+
---
-Number of events failed
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.output.events.toomany`*::
-+
---
-Number of too many events
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.output.events.total`*::
-+
---
-Total number of events
-
-
-type: long
-
---
-
-[float]
-=== read
-
-Read stats
-
-
-
-*`beat.stats.libbeat.output.read.bytes`*::
-+
---
-Number of bytes read
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.output.read.errors`*::
-+
---
-Number of read errors
-
-
-type: long
-
---
-
-[float]
-=== write
-
-Write stats
-
-
-
-*`beat.stats.libbeat.output.write.bytes`*::
-+
---
-Number of bytes written
-
-
-type: long
-
---
-
-*`beat.stats.libbeat.output.write.errors`*::
-+
---
-Number of write errors
-
-
-type: long
-
---
-
-
-
-*`beat.stats.libbeat.output.write.latency.histogram.count`*::
-+
---
-type: long
-
---
-
-*`beat.stats.libbeat.output.write.latency.histogram.max`*::
-+
---
-type: float
-
---
-
-*`beat.stats.libbeat.output.write.latency.histogram.median`*::
-+
---
-type: long
-
---
-
-*`beat.stats.libbeat.output.write.latency.histogram.p95`*::
-+
---
-type: float
-
---
-
-*`beat.stats.libbeat.output.write.latency.histogram.p99`*::
-+
---
-type: float
-
---
-
-
-
-
-*`beat.stats.output.elasticsearch.bulk_requests.available`*::
-+
---
-type: long
-
---
-
-*`beat.stats.output.elasticsearch.bulk_requests.completed`*::
-+
---
-type: long
-
---
-
-
-*`beat.stats.output.elasticsearch.indexers.active`*::
-+
---
-type: long
-
---
-
-*`beat.stats.output.elasticsearch.indexers.created`*::
-+
---
-type: long
-
---
-
-*`beat.stats.output.elasticsearch.indexers.destroyed`*::
-+
---
-type: long
-
---
-
-[[exported-fields-benchmark]]
-== Benchmark fields
-
-benchmark module
-
-
-
-[float]
-=== benchmark
-
-
-
-
-[float]
-=== info
-
-info
-
-
-
-*`benchmark.info.counter`*::
-+
---
-The nth info metric emitted by the benchmark module
-
-
-type: keyword
-
---
-
-[[exported-fields-ceph]]
-== Ceph fields
-
-Ceph module
-
-
-
-[float]
-=== ceph
-
-`ceph` contains the metrics that were scraped from CEPH.
-
-
-
-[float]
-=== cluster_disk
-
-cluster_disk
-
-
-
-*`ceph.cluster_disk.available.bytes`*::
-+
---
-Available bytes of the cluster
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.cluster_disk.total.bytes`*::
-+
---
-Total bytes of the cluster
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.cluster_disk.used.bytes`*::
-+
---
-Used bytes of the cluster
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== cluster_health
-
-cluster_health
-
-
-
-*`ceph.cluster_health.overall_status`*::
-+
---
-Overall status of the cluster
-
-
-type: keyword
-
---
-
-*`ceph.cluster_health.timechecks.epoch`*::
-+
---
-Map version
-
-
-type: long
-
---
-
-*`ceph.cluster_health.timechecks.round.value`*::
-+
---
-timecheck round
-
-
-type: long
-
---
-
-*`ceph.cluster_health.timechecks.round.status`*::
-+
---
-Status of the round
-
-
-type: keyword
-
---
-
-[float]
-=== cluster_status
-
-cluster_status
-
-
-
-*`ceph.cluster_status.version`*::
-+
---
-Ceph Status version
-
-
-type: long
-
---
-
-*`ceph.cluster_status.traffic.read_bytes`*::
-+
---
-Cluster read throughput per second
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.cluster_status.traffic.write_bytes`*::
-+
---
-Cluster write throughput per second
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.cluster_status.traffic.read_op_per_sec`*::
-+
---
-Cluster read iops per second
-
-
-type: long
-
---
-
-*`ceph.cluster_status.traffic.write_op_per_sec`*::
-+
---
-Cluster write iops per second
-
-
-type: long
-
---
-
-*`ceph.cluster_status.misplace.total`*::
-+
---
-Cluster misplace pg number
-
-
-type: long
-
---
-
-*`ceph.cluster_status.misplace.objects`*::
-+
---
-Cluster misplace objects number
-
-
-type: long
-
---
-
-*`ceph.cluster_status.misplace.ratio`*::
-+
---
-Cluster misplace ratio
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`ceph.cluster_status.degraded.total`*::
-+
---
-Cluster degraded pg number
-
-
-type: long
-
---
-
-*`ceph.cluster_status.degraded.objects`*::
-+
---
-Cluster degraded objects number
-
-
-type: long
-
---
-
-*`ceph.cluster_status.degraded.ratio`*::
-+
---
-Cluster degraded ratio
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`ceph.cluster_status.pg.data_bytes`*::
-+
---
-Cluster pg data bytes
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.cluster_status.pg.avail_bytes`*::
-+
---
-Cluster available bytes
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.cluster_status.pg.total_bytes`*::
-+
---
-Cluster total bytes
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.cluster_status.pg.used_bytes`*::
-+
---
-Cluster used bytes
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.cluster_status.pg_state.state_name`*::
-+
---
-Pg state description
-
-
-type: long
-
---
-
-*`ceph.cluster_status.pg_state.count`*::
-+
---
-Shows how many pgs are in state of pg_state.state_name
-
-
-type: long
-
---
-
-*`ceph.cluster_status.pg_state.version`*::
-+
---
-Cluster status version
-
-
-type: long
-
---
-
-*`ceph.cluster_status.osd.full`*::
-+
---
-Is osd full
-
-
-type: boolean
-
---
-
-*`ceph.cluster_status.osd.nearfull`*::
-+
---
-Is osd near full
-
-
-type: boolean
-
---
-
-*`ceph.cluster_status.osd.num_osds`*::
-+
---
-Shows how many osds in the cluster
-
-
-type: long
-
---
-
-*`ceph.cluster_status.osd.num_up_osds`*::
-+
---
-Shows how many osds are on the state of UP
-
-
-type: long
-
---
-
-*`ceph.cluster_status.osd.num_in_osds`*::
-+
---
-Shows how many osds are on the state of IN
-
-
-type: long
-
---
-
-*`ceph.cluster_status.osd.num_remapped_pgs`*::
-+
---
-Shows how many osds are on the state of REMAPPED
-
-
-type: long
-
---
-
-*`ceph.cluster_status.osd.epoch`*::
-+
---
-epoch number
-
-
-type: long
-
---
-
-[float]
-=== mgr_cluster_disk
-
-see: cluster_disk
-
-
-[float]
-=== mgr_cluster_health
-
-see: cluster_health
-
-
-[float]
-=== mgr_osd_perf
-
-OSD performance metrics of Ceph cluster
-
-
-
-*`ceph.mgr_osd_perf.id`*::
-+
---
-OSD ID
-
-type: long
-
---
-
-*`ceph.mgr_osd_perf.stats.commit_latency_ms`*::
-+
---
-Commit latency in ms
-
-type: long
-
---
-
-*`ceph.mgr_osd_perf.stats.apply_latency_ms`*::
-+
---
-Apply latency in ms
-
-type: long
-
---
-
-*`ceph.mgr_osd_perf.stats.commit_latency_ns`*::
-+
---
-Commit latency in ns
-
-type: long
-
---
-
-*`ceph.mgr_osd_perf.stats.apply_latency_ns`*::
-+
---
-Apply latency in ns
-
-type: long
-
---
-
-[float]
-=== mgr_osd_pool_stats
-
-OSD pool stats of Ceph cluster
-
-
-
-*`ceph.mgr_osd_pool_stats.pool_name`*::
-+
---
-Pool name
-
-type: keyword
-
---
-
-*`ceph.mgr_osd_pool_stats.pool_id`*::
-+
---
-Pool ID
-
-type: long
-
---
-
-*`ceph.mgr_osd_pool_stats.client_io_rate`*::
-+
---
-Client I/O rates
-
-type: object
-
---
-
-[float]
-=== mgr_osd_tree
-
-see: osd_tree
-
-
-[float]
-=== mgr_pool_disk
-
-see: pool_disk
-
-
-[float]
-=== monitor_health
-
-monitor_health stats data
-
-
-
-*`ceph.monitor_health.available.pct`*::
-+
---
-Available percent of the MON
-
-
-type: long
-
---
-
-*`ceph.monitor_health.health`*::
-+
---
-Health of the MON
-
-
-type: keyword
-
---
-
-*`ceph.monitor_health.available.kb`*::
-+
---
-Available KB of the MON
-
-
-type: long
-
---
-
-*`ceph.monitor_health.total.kb`*::
-+
---
-Total KB of the MON
-
-
-type: long
-
---
-
-*`ceph.monitor_health.used.kb`*::
-+
---
-Used KB of the MON
-
-
-type: long
-
---
-
-*`ceph.monitor_health.last_updated`*::
-+
---
-Time when was updated
-
-
-type: date
-
---
-
-*`ceph.monitor_health.name`*::
-+
---
-Name of the MON
-
-
-type: keyword
-
---
-
-*`ceph.monitor_health.store_stats.log.bytes`*::
-+
---
-Log bytes of MON
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.monitor_health.store_stats.misc.bytes`*::
-+
---
-Misc bytes of MON
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.monitor_health.store_stats.sst.bytes`*::
-+
---
-SST bytes of MON
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.monitor_health.store_stats.total.bytes`*::
-+
---
-Total bytes of MON
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.monitor_health.store_stats.last_updated`*::
-+
---
-Last updated
-
-
-type: long
-
---
-
-[float]
-=== osd_df
-
-ceph osd disk usage information
-
-
-
-*`ceph.osd_df.id`*::
-+
---
-osd node id
-
-
-type: long
-
---
-
-*`ceph.osd_df.name`*::
-+
---
-osd node name
-
-
-type: keyword
-
---
-
-*`ceph.osd_df.device_class`*::
-+
---
-osd node type, illegal type include hdd, ssd etc.
-
-
-type: keyword
-
---
-
-*`ceph.osd_df.total.byte`*::
-+
---
-osd disk total volume
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.osd_df.used.byte`*::
-+
---
-osd disk usage volume
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.osd_df.available.bytes`*::
-+
---
-osd disk available volume
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.osd_df.pg_num`*::
-+
---
-shows how many pg located on this osd
-
-
-type: long
-
---
-
-*`ceph.osd_df.used.pct`*::
-+
---
-osd disk usage percentage
-
-
-type: scaled_float
-
-format: percent
-
---
-
-[float]
-=== osd_tree
-
-ceph osd tree info
-
-
-
-*`ceph.osd_tree.id`*::
-+
---
-osd or bucket node id
-
-
-type: long
-
---
-
-*`ceph.osd_tree.name`*::
-+
---
-osd or bucket node name
-
-
-type: keyword
-
---
-
-*`ceph.osd_tree.type`*::
-+
---
-osd or bucket node type, illegal type include osd, host, root etc.
-
-
-type: keyword
-
---
-
-*`ceph.osd_tree.type_id`*::
-+
---
-osd or bucket node typeID
-
-
-type: long
-
---
-
-*`ceph.osd_tree.children`*::
-+
---
-bucket children list, separated by comma.
-
-
-type: keyword
-
---
-
-*`ceph.osd_tree.crush_weight`*::
-+
---
-osd node crush weight
-
-
-type: float
-
---
-
-*`ceph.osd_tree.depth`*::
-+
---
-node depth
-
-
-type: long
-
---
-
-*`ceph.osd_tree.exists`*::
-+
---
-is node still exist or not(1-yes, 0-no)
-
-
-type: boolean
-
---
-
-*`ceph.osd_tree.primary_affinity`*::
-+
---
-the weight of reading data from primary osd
-
-
-type: float
-
---
-
-*`ceph.osd_tree.reweight`*::
-+
---
-the reweight of osd
-
-
-type: long
-
---
-
-*`ceph.osd_tree.status`*::
-+
---
-status of osd, it should be up or down
-
-
-type: keyword
-
---
-
-*`ceph.osd_tree.device_class`*::
-+
---
-the device class of osd, like hdd, ssd etc.
-
-
-type: keyword
-
---
-
-*`ceph.osd_tree.father`*::
-+
---
-the parent node of this osd or bucket node
-
-
-type: keyword
-
---
-
-[float]
-=== pool_disk
-
-pool_disk
-
-
-
-*`ceph.pool_disk.id`*::
-+
---
-Id of the pool
-
-
-type: long
-
---
-
-*`ceph.pool_disk.name`*::
-+
---
-Name of the pool
-
-
-type: keyword
-
---
-
-*`ceph.pool_disk.stats.available.bytes`*::
-+
---
-Available bytes of the pool
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.pool_disk.stats.objects`*::
-+
---
-Number of objects of the pool
-
-
-type: long
-
---
-
-*`ceph.pool_disk.stats.used.bytes`*::
-+
---
-Used bytes of the pool
-
-
-type: long
-
-format: bytes
-
---
-
-*`ceph.pool_disk.stats.used.kb`*::
-+
---
-Used kb of the pool
-
-
-type: long
-
---
-
-[[exported-fields-cloud]]
-== Cloud provider metadata fields
-
-Metadata from cloud providers added by the add_cloud_metadata processor.
-
-
-
-*`cloud.image.id`*::
-+
---
-Image ID for the cloud instance.
-
-
-example: ami-abcd1234
-
---
-
-*`meta.cloud.provider`*::
-+
---
-type: alias
-
-alias to: cloud.provider
-
---
-
-*`meta.cloud.instance_id`*::
-+
---
-type: alias
-
-alias to: cloud.instance.id
-
---
-
-*`meta.cloud.instance_name`*::
-+
---
-type: alias
-
-alias to: cloud.instance.name
-
---
-
-*`meta.cloud.machine_type`*::
-+
---
-type: alias
-
-alias to: cloud.machine.type
-
---
-
-*`meta.cloud.availability_zone`*::
-+
---
-type: alias
-
-alias to: cloud.availability_zone
-
---
-
-*`meta.cloud.project_id`*::
-+
---
-type: alias
-
-alias to: cloud.project.id
-
---
-
-*`meta.cloud.region`*::
-+
---
-type: alias
-
-alias to: cloud.region
-
---
-
-[[exported-fields-cloudfoundry]]
-== Cloudfoundry fields
-
-Cloud Foundry module
-
-
-
-[float]
-=== cloudfoundry
-
-
-
-
-*`cloudfoundry.type`*::
-+
---
-The type of event from Cloud Foundry. Possible values include 'container', 'counter' and 'value'.
-
-
-type: keyword
-
---
-
-[float]
-=== app
-
-The application the metric is associated with.
-
-
-
-*`cloudfoundry.app.id`*::
-+
---
-The ID of the application.
-
-
-type: keyword
-
---
-
-[float]
-=== container
-
-`container` contains container metrics from Cloud Foundry.
-
-
-
-*`cloudfoundry.container.instance_index`*::
-+
---
-Index of the instance the metric belongs to.
-
-
-type: long
-
---
-
-*`cloudfoundry.container.cpu.pct`*::
-+
---
-CPU usage percentage.
-
-
-type: scaled_float
-
---
-
-*`cloudfoundry.container.memory.bytes`*::
-+
---
-Bytes of used memory.
-
-
-type: long
-
---
-
-*`cloudfoundry.container.memory.quota.bytes`*::
-+
---
-Bytes of available memory.
-
-
-type: long
-
---
-
-*`cloudfoundry.container.disk.bytes`*::
-+
---
-Bytes of used storage.
-
-
-type: long
-
---
-
-*`cloudfoundry.container.disk.quota.bytes`*::
-+
---
-Bytes of available storage.
-
-
-type: long
-
---
-
-[float]
-=== counter
-
-`counter` contains counter metrics from Cloud Foundry.
-
-
-
-*`cloudfoundry.counter.name`*::
-+
---
-The name of the counter.
-
-
-type: keyword
-
---
-
-*`cloudfoundry.counter.delta`*::
-+
---
-The difference between the last time the counter event occurred.
-
-
-type: long
-
---
-
-*`cloudfoundry.counter.total`*::
-+
---
-The total value for the counter.
-
-
-type: long
-
---
-
-[float]
-=== value
-
-`value` contains counter metrics from Cloud Foundry.
-
-
-
-*`cloudfoundry.value.name`*::
-+
---
-The name of the value.
-
-
-type: keyword
-
---
-
-*`cloudfoundry.value.unit`*::
-+
---
-The unit of the value.
-
-
-type: keyword
-
---
-
-*`cloudfoundry.value.value`*::
-+
---
-The value of the value.
-
-
-type: float
-
---
-
-[[exported-fields-cockroachdb]]
-== CockroachDB fields
-
-CockroachDB module scrape metrics using Prometheus endpoint.
-
-
-
-
-[[exported-fields-common]]
-== Common fields
-
-Contains common fields available in all event types.
-
-
-
-*`metricset.module`*::
-+
---
-The name of the module that generated the event.
-
-
-type: alias
-
-alias to: event.module
-
---
-
-*`metricset.name`*::
-+
---
-The name of the metricset that generated the event.
-
-
---
-
-*`metricset.period`*::
-+
---
-Current data collection period for this event in milliseconds.
-
-
-type: integer
-
---
-
-*`service.hostname`*::
-+
---
-Host name of the machine where the service is running.
-
-
---
-
-*`type`*::
-+
---
-The document type. Always set to "doc".
-
-
-example: metricsets
-
-required: True
-
---
-
-*`systemd.fragment_path`*::
-+
---
-the location of the systemd unit path
-
-type: keyword
-
---
-
-*`systemd.unit`*::
-+
---
-the unit name of the systemd service
-
-type: keyword
-
---
-
-[[exported-fields-consul]]
-== Consul fields
-
-Consul module
-
-
-
-
-[float]
-=== agent
-
-Agent Metricset fetches metrics information from a Consul instance running as Agent
-
-
-
-
-*`consul.agent.autopilot.healthy`*::
-+
---
-Overall health of the local server cluster
-
-type: boolean
-
---
-
-[float]
-=== runtime
-
-Runtime related metrics
-
-
-
-*`consul.agent.runtime.sys.bytes`*::
-+
---
-Number of bytes of memory obtained from the OS.
-
-type: long
-
---
-
-*`consul.agent.runtime.malloc_count`*::
-+
---
-Heap objects allocated
-
-type: long
-
---
-
-*`consul.agent.runtime.heap_objects`*::
-+
---
-Objects allocated on the heap and is a general memory pressure indicator. This may burst from time to time but should return to a steady state value.
-
-type: long
-
---
-
-*`consul.agent.runtime.goroutines`*::
-+
---
-Running goroutines and is a general load pressure indicator. This may burst from time to time but should return to a steady state value.
-
-type: long
-
---
-
-
-*`consul.agent.runtime.alloc.bytes`*::
-+
---
-Bytes allocated by the Consul process.
-
-type: long
-
---
-
-[float]
-=== garbage_collector
-
-Garbage collector metrics
-
-
-*`consul.agent.runtime.garbage_collector.runs`*::
-+
---
-Garbage collector total executions
-
-type: long
-
---
-
-[float]
-=== pause
-
-Time that the garbage collector has paused the app
-
-
-
-*`consul.agent.runtime.garbage_collector.pause.current.ns`*::
-+
---
-Garbage collector pause time in nanoseconds
-
-type: long
-
---
-
-
-*`consul.agent.runtime.garbage_collector.pause.total.ns`*::
-+
---
-Nanoseconds consumed by stop-the-world garbage collection pauses since Consul started.
-
-type: long
-
---
-
-[[exported-fields-containerd]]
-== Containerd fields
-
-Containerd stats collected from containerd
-
-
-
-[float]
-=== containerd
-
-Information and statistics about containerd's running containers.
-
-
-
-*`containerd.namespace`*::
-+
---
-Containerd namespace
-
-
-type: keyword
-
---
-
-[float]
-=== blkio
-
-Block I/O metrics.
-
-
-
-*`containerd.blkio.device`*::
-+
---
-Name of block device
-
-
-type: keyword
-
---
-
-[float]
-=== read
-
-Accumulated reads during the life of the container
-
-
-
-*`containerd.blkio.read.ops`*::
-+
---
-Number of reads during the life of the container
-
-
-type: long
-
---
-
-*`containerd.blkio.read.bytes`*::
-+
---
-Bytes read during the life of the container
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== write
-
-Accumulated writes during the life of the container
-
-
-
-*`containerd.blkio.write.ops`*::
-+
---
-Number of writes during the life of the container
-
-
-type: long
-
---
-
-*`containerd.blkio.write.bytes`*::
-+
---
-Bytes written during the life of the container
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== summary
-
-Accumulated reads and writes during the life of the container
-
-
-
-*`containerd.blkio.summary.ops`*::
-+
---
-Number of I/O operations during the life of the container
-
-
-type: long
-
---
-
-*`containerd.blkio.summary.bytes`*::
-+
---
-Bytes read and written during the life of the container
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== cpu
-
-Containerd Runtime CPU metrics.
-
-
-
-*`containerd.cpu.system.total`*::
-+
---
-Total user and system CPU time spent in seconds.
-
-
-type: double
-
---
-
-
-
-*`containerd.cpu.usage.kernel.ns`*::
-+
---
-CPU Kernel usage nanoseconds
-
-
-type: double
-
---
-
-
-*`containerd.cpu.usage.user.ns`*::
-+
---
-CPU User usage nanoseconds
-
-
-type: double
-
---
-
-
-*`containerd.cpu.usage.total.ns`*::
-+
---
-CPU total usage nanoseconds
-
-
-type: double
-
---
-
-*`containerd.cpu.usage.total.pct`*::
-+
---
-Percentage of total CPU time normalized by the number of CPU cores, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`containerd.cpu.usage.kernel.pct`*::
-+
---
-Percentage of time in kernel space normalized by the number of CPU cores, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`containerd.cpu.usage.user.pct`*::
-+
---
-Percentage of time in user space normalized by the number of CPU cores, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`containerd.cpu.usage.cpu.*.ns`*::
-+
---
-CPU usage nanoseconds in this cpu.
-
-
-type: object
-
---
-
-[float]
-=== memory
-
-memory
-
-
-
-*`containerd.memory.workingset.pct`*::
-+
---
-Memory working set percentage.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`containerd.memory.rss`*::
-+
---
-Total memory resident set size.
-
-
-type: long
-
-format: bytes
-
---
-
-*`containerd.memory.activeFiles`*::
-+
---
-Total active file bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`containerd.memory.cache`*::
-+
---
-Total cache bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`containerd.memory.inactiveFiles`*::
-+
---
-Total inactive file bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== usage
-
-Usage memory stats.
-
-
-
-*`containerd.memory.usage.max`*::
-+
---
-Max memory usage.
-
-
-type: long
-
-format: bytes
-
---
-
-*`containerd.memory.usage.pct`*::
-+
---
-Total allocated memory percentage.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`containerd.memory.usage.total`*::
-+
---
-Total memory usage.
-
-
-type: long
-
-format: bytes
-
---
-
-*`containerd.memory.usage.fail.count`*::
-+
---
-Fail counter.
-
-
-type: scaled_float
-
---
-
-*`containerd.memory.usage.limit`*::
-+
---
-Memory usage limit.
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== kernel
-
-Kernel memory stats.
-
-
-
-*`containerd.memory.kernel.max`*::
-+
---
-Kernel max memory usage.
-
-
-type: long
-
-format: bytes
-
---
-
-*`containerd.memory.kernel.total`*::
-+
---
-Kernel total memory usage.
-
-
-type: long
-
-format: bytes
-
---
-
-*`containerd.memory.kernel.fail.count`*::
-+
---
-Kernel fail counter.
-
-
-type: scaled_float
-
---
-
-*`containerd.memory.kernel.limit`*::
-+
---
-Kernel memory limit.
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== swap
-
-Swap memory stats.
-
-
-
-*`containerd.memory.swap.max`*::
-+
---
-Swap max memory usage.
-
-
-type: long
-
-format: bytes
-
---
-
-*`containerd.memory.swap.total`*::
-+
---
-Swap total memory usage.
-
-
-type: long
-
-format: bytes
-
---
-
-*`containerd.memory.swap.fail.count`*::
-+
---
-Swap fail counter.
-
-
-type: scaled_float
-
---
-
-*`containerd.memory.swap.limit`*::
-+
---
-Swap memory limit.
-
-
-type: long
-
-format: bytes
-
---
-
-[[exported-fields-coredns]]
-== Coredns fields
-
-coredns Module
-
-
-
-[float]
-=== coredns
-
-`coredns` contains statistics that were read from coreDNS
-
-
-
-[float]
-=== stats
-
-Contains statistics related to the coreDNS service
-
-
-
-*`coredns.stats.panic.count`*::
-+
---
-Total number of panics
-
-
-type: long
-
---
-
-*`coredns.stats.dns.request.count`*::
-+
---
-Total query count
-
-
-type: long
-
---
-
-*`coredns.stats.dns.request.duration.ns.bucket.*`*::
-+
---
-Request duration histogram buckets in nanoseconds
-
-
-type: object
-
---
-
-*`coredns.stats.dns.request.duration.ns.sum`*::
-+
---
-Requests duration, sum of durations in nanoseconds
-
-
-type: long
-
-format: duration
-
---
-
-*`coredns.stats.dns.request.duration.ns.count`*::
-+
---
-Requests duration, number of requests
-
-
-type: long
-
---
-
-*`coredns.stats.dns.request.size.bytes.bucket.*`*::
-+
---
-Request Size histogram buckets
-
-
-type: object
-
---
-
-*`coredns.stats.dns.request.size.bytes.sum`*::
-+
---
-Request Size histogram sum
-
-
-type: long
-
---
-
-*`coredns.stats.dns.request.size.bytes.count`*::
-+
---
-Request Size histogram count
-
-
-type: long
-
---
-
-*`coredns.stats.dns.request.do.count`*::
-+
---
-Number of queries that have the DO bit set
-
-
-type: long
-
---
-
-*`coredns.stats.dns.request.type.count`*::
-+
---
-Counter of queries per zone and type
-
-
-type: long
-
---
-
-*`coredns.stats.type`*::
-+
---
-Holds the query type of the request
-
-
-type: keyword
-
---
-
-*`coredns.stats.dns.response.rcode.count`*::
-+
---
-Counter of responses per zone and rcode
-
-
-type: long
-
---
-
-*`coredns.stats.rcode`*::
-+
---
-Holds the rcode of the response
-
-
-type: keyword
-
---
-
-*`coredns.stats.family`*::
-+
---
-The address family of the transport (1 = IP (IP version 4), 2 = IP6 (IP version 6))
-
-
-type: keyword
-
---
-
-*`coredns.stats.dns.response.size.bytes.bucket.*`*::
-+
---
-Response Size histogram buckets
-
-
-type: object
-
---
-
-*`coredns.stats.dns.response.size.bytes.sum`*::
-+
---
-Response Size histogram sum
-
-
-type: long
-
---
-
-*`coredns.stats.dns.response.size.bytes.count`*::
-+
---
-Response Size histogram count
-
-
-type: long
-
---
-
-*`coredns.stats.server`*::
-+
---
-The server responsible for the request
-
-
-type: keyword
-
---
-
-*`coredns.stats.zone`*::
-+
---
-The zonename used for the request/response
-
-
-type: keyword
-
---
-
-*`coredns.stats.proto`*::
-+
---
-The transport of the response ("udp" or "tcp")
-
-
-type: keyword
-
---
-
-*`coredns.stats.dns.cache.hits.count`*::
-+
---
-Cache hits count for the cache plugin
-
-
-type: long
-
---
-
-*`coredns.stats.dns.cache.misses.count`*::
-+
---
-Cache misses count for the cache plugin
-
-
-type: long
-
---
-
-[[exported-fields-couchbase]]
-== Couchbase fields
-
-Metrics collected from Couchbase servers.
-
-
-
-[float]
-=== couchbase
-
-`couchbase` contains the metrics that were scraped from Couchbase.
-
-
-
-[float]
-=== bucket
-
-Couchbase bucket metrics.
-
-
-
-*`couchbase.bucket.name`*::
-+
---
-Name of the bucket.
-
-
-type: keyword
-
---
-
-*`couchbase.bucket.type`*::
-+
---
-Type of the bucket.
-
-
-type: keyword
-
---
-
-*`couchbase.bucket.data.used.bytes`*::
-+
---
-Size of user data within buckets of the specified state that are resident in RAM.
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.bucket.disk.fetches`*::
-+
---
-Number of disk fetches.
-
-
-type: double
-
---
-
-*`couchbase.bucket.disk.used.bytes`*::
-+
---
-Amount of disk used (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.bucket.memory.used.bytes`*::
-+
---
-Amount of memory used by the bucket (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.bucket.quota.ram.bytes`*::
-+
---
-Amount of RAM used by the bucket (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.bucket.quota.use.pct`*::
-+
---
-Percentage of RAM used (for active objects) against the configured bucket size (%).
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`couchbase.bucket.ops_per_sec`*::
-+
---
-Number of operations per second.
-
-
-type: double
-
---
-
-*`couchbase.bucket.item_count`*::
-+
---
-Number of items associated with the bucket.
-
-
-type: long
-
---
-
-[float]
-=== cluster
-
-Couchbase cluster metrics.
-
-
-
-*`couchbase.cluster.hdd.free.bytes`*::
-+
---
-Free hard drive space in the cluster (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.cluster.hdd.quota.total.bytes`*::
-+
---
-Hard drive quota total for the cluster (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.cluster.hdd.total.bytes`*::
-+
---
-Total hard drive space available to the cluster (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.cluster.hdd.used.value.bytes`*::
-+
---
-Hard drive space used by the cluster (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.cluster.hdd.used.by_data.bytes`*::
-+
---
-Hard drive space used by the data in the cluster (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.cluster.max_bucket_count`*::
-+
---
-Max bucket count setting.
-
-
-type: long
-
---
-
-*`couchbase.cluster.quota.index_memory.mb`*::
-+
---
-Memory quota setting for the Index service (Mbyte).
-
-
-type: double
-
---
-
-*`couchbase.cluster.quota.memory.mb`*::
-+
---
-Memory quota setting for the cluster (Mbyte).
-
-
-type: double
-
---
-
-*`couchbase.cluster.ram.quota.total.value.bytes`*::
-+
---
-RAM quota total for the cluster (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.cluster.ram.quota.total.per_node.bytes`*::
-+
---
-RAM quota used by the current node in the cluster (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.cluster.ram.quota.used.value.bytes`*::
-+
---
-RAM quota used by the cluster (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.cluster.ram.quota.used.per_node.bytes`*::
-+
---
-Ram quota used by the current node in the cluster (bytes)
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.cluster.ram.total.bytes`*::
-+
---
-Total RAM available to cluster (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.cluster.ram.used.value.bytes`*::
-+
---
-RAM used by the cluster (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.cluster.ram.used.by_data.bytes`*::
-+
---
-RAM used by the data in the cluster (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== node
-
-Couchbase node metrics.
-
-
-
-*`couchbase.node.cmd_get`*::
-+
---
-Number of get commands
-
-
-type: double
-
---
-
-*`couchbase.node.couch.docs.disk_size.bytes`*::
-+
---
-Amount of disk space used by Couch docs (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.node.couch.docs.data_size.bytes`*::
-+
---
-Data size of Couch docs associated with a node (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.node.couch.spatial.data_size.bytes`*::
-+
---
-Size of object data for spatial views (bytes).
-
-
-type: long
-
---
-
-*`couchbase.node.couch.spatial.disk_size.bytes`*::
-+
---
-Amount of disk space used by spatial views (bytes).
-
-
-type: long
-
---
-
-*`couchbase.node.couch.views.disk_size.bytes`*::
-+
---
-Amount of disk space used by Couch views (bytes).
-
-
-type: long
-
---
-
-*`couchbase.node.couch.views.data_size.bytes`*::
-+
---
-Size of object data for Couch views (bytes).
-
-
-type: long
-
---
-
-*`couchbase.node.cpu_utilization_rate.pct`*::
-+
---
-The CPU utilization rate (%).
-
-
-type: scaled_float
-
---
-
-*`couchbase.node.current_items.value`*::
-+
---
-Number of current items.
-
-
-type: long
-
---
-
-*`couchbase.node.current_items.total`*::
-+
---
-Total number of items associated with the node.
-
-
-type: long
-
---
-
-*`couchbase.node.ep_bg_fetched`*::
-+
---
-Number of disk fetches performed since the server was started.
-
-
-type: long
-
---
-
-*`couchbase.node.get_hits`*::
-+
---
-Number of get hits.
-
-
-type: double
-
---
-
-*`couchbase.node.hostname`*::
-+
---
-The hostname of the node.
-
-
-type: keyword
-
---
-
-*`couchbase.node.mcd_memory.allocated.bytes`*::
-+
---
-Amount of memcached memory allocated (bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`couchbase.node.mcd_memory.reserved.bytes`*::
-+
---
-Amount of memcached memory reserved (bytes).
-
-
-type: long
-
---
-
-*`couchbase.node.memory.free.bytes`*::
-+
---
-Amount of memory free for the node (bytes).
-
-
-type: long
-
---
-
-*`couchbase.node.memory.total.bytes`*::
-+
---
-Total memory available to the node (bytes).
-
-
-type: long
-
---
-
-*`couchbase.node.memory.used.bytes`*::
-+
---
-Memory used by the node (bytes).
-
-
-type: long
-
---
-
-*`couchbase.node.ops`*::
-+
---
-Number of operations performed on Couchbase.
-
-
-type: double
-
---
-
-*`couchbase.node.swap.total.bytes`*::
-+
---
-Total swap size allocated (bytes).
-
-
-type: long
-
---
-
-*`couchbase.node.swap.used.bytes`*::
-+
---
-Amount of swap space used (bytes).
-
-
-type: long
-
---
-
-*`couchbase.node.uptime.sec`*::
-+
---
-Time during which the node was in operation (sec).
-
-
-type: long
-
---
-
-*`couchbase.node.vb_replica_curr_items`*::
-+
---
-Number of items/documents that are replicas.
-
-
-type: long
-
---
-
-[[exported-fields-couchdb]]
-== CouchDB fields
-
-couchdb module
-
-
-
-[float]
-=== couchdb
-
-Couchdb metrics
-
-
-[float]
-=== server
-
-Contains CouchDB server stats
-
-
-
-[float]
-=== httpd
-
-HTTP statistics
-
-
-
-*`couchdb.server.httpd.view_reads`*::
-+
---
-Number of view reads
-
-
-type: long
-
---
-
-*`couchdb.server.httpd.bulk_requests`*::
-+
---
-Number of bulk requests
-
-
-type: long
-
---
-
-*`couchdb.server.httpd.clients_requesting_changes`*::
-+
---
-Number of clients for continuous _changes
-
-
-type: long
-
---
-
-*`couchdb.server.httpd.temporary_view_reads`*::
-+
---
-Number of temporary view reads
-
-
-type: long
-
---
-
-*`couchdb.server.httpd.requests`*::
-+
---
-Number of HTTP requests
-
-
-type: long
-
---
-
-[float]
-=== httpd_request_methods
-
-HTTP request methods
-
-
-
-*`couchdb.server.httpd_request_methods.COPY`*::
-+
---
-Number of HTTP COPY requests
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_request_methods.HEAD`*::
-+
---
-Number of HTTP HEAD requests
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_request_methods.POST`*::
-+
---
-Number of HTTP POST requests
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_request_methods.DELETE`*::
-+
---
-Number of HTTP DELETE requests
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_request_methods.GET`*::
-+
---
-Number of HTTP GET requests
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_request_methods.PUT`*::
-+
---
-Number of HTTP PUT requests
-
-
-type: long
-
---
-
-[float]
-=== httpd_status_codes
-
-HTTP status codes statistics
-
-
-
-*`couchdb.server.httpd_status_codes.200`*::
-+
---
-Number of HTTP 200 OK responses
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_status_codes.201`*::
-+
---
-Number of HTTP 201 Created responses
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_status_codes.202`*::
-+
---
-Number of HTTP 202 Accepted responses
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_status_codes.301`*::
-+
---
-Number of HTTP 301 Moved Permanently responses
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_status_codes.304`*::
-+
---
-Number of HTTP 304 Not Modified responses
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_status_codes.400`*::
-+
---
-Number of HTTP 400 Bad Request responses
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_status_codes.401`*::
-+
---
-Number of HTTP 401 Unauthorized responses
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_status_codes.403`*::
-+
---
-Number of HTTP 403 Forbidden responses
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_status_codes.404`*::
-+
---
-Number of HTTP 404 Not Found responses
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_status_codes.405`*::
-+
---
-Number of HTTP 405 Method Not Allowed responses
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_status_codes.409`*::
-+
---
-Number of HTTP 409 Conflict responses
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_status_codes.412`*::
-+
---
-Number of HTTP 412 Precondition Failed responses
-
-
-type: long
-
---
-
-*`couchdb.server.httpd_status_codes.500`*::
-+
---
-Number of HTTP 500 Internal Server Error responses
-
-
-type: long
-
---
-
-[float]
-=== couchdb
-
-couchdb statistics
-
-
-
-*`couchdb.server.couchdb.database_writes`*::
-+
---
-Number of times a database was changed
-
-
-type: long
-
---
-
-*`couchdb.server.couchdb.open_databases`*::
-+
---
-Number of open databases
-
-
-type: long
-
---
-
-*`couchdb.server.couchdb.auth_cache_misses`*::
-+
---
-Number of authentication cache misses
-
-
-type: long
-
---
-
-*`couchdb.server.couchdb.request_time`*::
-+
---
-Length of a request inside CouchDB without MochiWeb
-
-
-type: long
-
---
-
-*`couchdb.server.couchdb.database_reads`*::
-+
---
-Number of times a document was read from a database
-
-
-type: long
-
---
-
-*`couchdb.server.couchdb.auth_cache_hits`*::
-+
---
-Number of authentication cache hits
-
-
-type: long
-
---
-
-*`couchdb.server.couchdb.open_os_files`*::
-+
---
-Number of file descriptors CouchDB has open
-
-
-type: long
-
---
-
-[[exported-fields-docker-processor]]
-== Docker fields
-
-Docker stats collected from Docker.
-
-
-
-
-*`docker.container.id`*::
-+
---
-type: alias
-
-alias to: container.id
-
---
-
-*`docker.container.image`*::
-+
---
-type: alias
-
-alias to: container.image.name
-
---
-
-*`docker.container.name`*::
-+
---
-type: alias
-
-alias to: container.name
-
---
-
-*`docker.container.labels`*::
-+
---
-Image labels.
-
-
-type: object
-
---
-
-[[exported-fields-docker]]
-== Docker fields
-
-Docker stats collected from Docker.
-
-
-
-[float]
-=== docker
-
-Information and statistics about docker's running containers.
-
-
-
-[float]
-=== container
-
-Docker container metrics.
-
-
-
-*`docker.container.command`*::
-+
---
-Command that was executed in the Docker container.
-
-
-type: keyword
-
---
-
-*`docker.container.created`*::
-+
---
-Date when the container was created.
-
-
-type: date
-
---
-
-*`docker.container.status`*::
-+
---
-Container status.
-
-
-type: keyword
-
---
-
-*`docker.container.ip_addresses`*::
-+
---
-Container IP addresses.
-
-
-type: ip
-
---
-
-[float]
-=== size
-
-Container size metrics.
-
-
-
-*`docker.container.size.root_fs`*::
-+
---
-Total size of all the files in the container.
-
-
-type: long
-
---
-
-*`docker.container.size.rw`*::
-+
---
-Size of the files that have been created or changed since creation.
-
-
-type: long
-
---
-
-*`docker.container.tags`*::
-+
---
-Image tags.
-
-
-type: keyword
-
---
-
-[float]
-=== cpu
-
-Runtime CPU metrics.
-
-
-
-*`docker.cpu.kernel.pct`*::
-+
---
-Percentage of time in kernel space, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`docker.cpu.kernel.norm.pct`*::
-+
---
-Percentage of time in kernel space normalized by the number of CPU cores, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`docker.cpu.kernel.ticks`*::
-+
---
-CPU ticks in kernel space.
-
-
-type: long
-
---
-
-*`docker.cpu.system.pct`*::
-+
---
-Percentage of total CPU time in the system, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`docker.cpu.system.norm.pct`*::
-+
---
-Percentage of total CPU time in the system normalized by the number of CPU cores, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`docker.cpu.system.ticks`*::
-+
---
-CPU system ticks.
-
-
-type: long
-
---
-
-*`docker.cpu.user.pct`*::
-+
---
-Percentage of time in user space, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`docker.cpu.user.norm.pct`*::
-+
---
-Percentage of time in user space normalized by the number of CPU cores, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`docker.cpu.user.ticks`*::
-+
---
-CPU ticks in user space.
-
-
-type: long
-
---
-
-*`docker.cpu.total.pct`*::
-+
---
-Total CPU usage.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`docker.cpu.total.norm.pct`*::
-+
---
-Total CPU usage normalized by the number of CPU cores.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`docker.cpu.core.*.pct`*::
-+
---
-Percentage of CPU time in this core, expressed as a value between 0 and 1.
-
-
-type: object
-
-format: percent
-
---
-
-*`docker.cpu.core.*.norm.pct`*::
-+
---
-Percentage of CPU time in this core normalized by the number of CPU cores, expressed as a value between 0 and 1.
-
-
-type: object
-
-format: percent
-
---
-
-*`docker.cpu.core.*.ticks`*::
-+
---
-Number of CPU ticks in this core.
-
-
-type: object
-
---
-
-[float]
-=== diskio
-
-Disk I/O metrics.
-
-
-
-[float]
-=== read
-
-Accumulated reads during the life of the container
-
-
-
-*`docker.diskio.read.ops`*::
-+
---
-Number of reads during the life of the container
-
-
-type: long
-
---
-
-*`docker.diskio.read.bytes`*::
-+
---
-Bytes read during the life of the container
-
-
-type: long
-
-format: bytes
-
---
-
-*`docker.diskio.read.rate`*::
-+
---
-Number of current reads per second
-
-
-type: long
-
---
-
-*`docker.diskio.read.service_time`*::
-+
---
-Total time to service IO requests, in nanoseconds
-
-
-type: long
-
---
-
-*`docker.diskio.read.wait_time`*::
-+
---
-Total time requests spent waiting in queues for service, in nanoseconds
-
-
-type: long
-
---
-
-*`docker.diskio.read.queued`*::
-+
---
-Total number of queued requests
-
-
-type: long
-
---
-
-[float]
-=== write
-
-Accumulated writes during the life of the container
-
-
-
-*`docker.diskio.write.ops`*::
-+
---
-Number of writes during the life of the container
-
-
-type: long
-
---
-
-*`docker.diskio.write.bytes`*::
-+
---
-Bytes written during the life of the container
-
-
-type: long
-
-format: bytes
-
---
-
-*`docker.diskio.write.rate`*::
-+
---
-Number of current writes per second
-
-
-type: long
-
---
-
-*`docker.diskio.write.service_time`*::
-+
---
-Total time to service IO requests, in nanoseconds
-
-
-type: long
-
---
-
-*`docker.diskio.write.wait_time`*::
-+
---
-Total time requests spent waiting in queues for service, in nanoseconds
-
-
-type: long
-
---
-
-*`docker.diskio.write.queued`*::
-+
---
-Total number of queued requests
-
-
-type: long
-
---
-
-[float]
-=== summary
-
-Accumulated reads and writes during the life of the container
-
-
-
-*`docker.diskio.summary.ops`*::
-+
---
-Number of I/O operations during the life of the container
-
-
-type: long
-
---
-
-*`docker.diskio.summary.bytes`*::
-+
---
-Bytes read and written during the life of the container
-
-
-type: long
-
-format: bytes
-
---
-
-*`docker.diskio.summary.rate`*::
-+
---
-Number of current operations per second
-
-
-type: long
-
---
-
-*`docker.diskio.summary.service_time`*::
-+
---
-Total time to service IO requests, in nanoseconds
-
-
-type: long
-
---
-
-*`docker.diskio.summary.wait_time`*::
-+
---
-Total time requests spent waiting in queues for service, in nanoseconds
-
-
-type: long
-
---
-
-*`docker.diskio.summary.queued`*::
-+
---
-Total number of queued requests
-
-
-type: long
-
---
-
-[float]
-=== event
-
-Docker event
-
-
-
-*`docker.event.status`*::
-+
---
-Event status
-
-
-type: keyword
-
---
-
-*`docker.event.id`*::
-+
---
-Event id when available
-
-
-type: keyword
-
---
-
-*`docker.event.from`*::
-+
---
-Event source
-
-
-type: keyword
-
---
-
-*`docker.event.type`*::
-+
---
-The type of object emitting the event
-
-
-type: keyword
-
---
-
-*`docker.event.action`*::
-+
---
-The type of event
-
-
-type: keyword
-
---
-
-[float]
-=== actor
-
-Actor
-
-
-
-*`docker.event.actor.id`*::
-+
---
-The ID of the object emitting the event
-
-
-type: keyword
-
---
-
-*`docker.event.actor.attributes`*::
-+
---
-Various key/value attributes of the object, depending on its type
-
-
-type: object
-
---
-
-[float]
-=== healthcheck
-
-Docker healthcheck metrics.
-Healthcheck data will only be available from docker containers where the docker `HEALTHCHECK` instruction has been used to build the docker image.
-
-
-
-*`docker.healthcheck.failingstreak`*::
-+
---
-concurent failed check
-
-
-type: integer
-
---
-
-*`docker.healthcheck.status`*::
-+
---
-Healthcheck status code
-
-
-type: keyword
-
---
-
-[float]
-=== event
-
-event fields.
-
-
-
-*`docker.healthcheck.event.end_date`*::
-+
---
-Healthcheck end date
-
-
-type: date
-
---
-
-*`docker.healthcheck.event.start_date`*::
-+
---
-Healthcheck start date
-
-
-type: date
-
---
-
-*`docker.healthcheck.event.output`*::
-+
---
-Healthcheck output
-
-
-type: keyword
-
---
-
-*`docker.healthcheck.event.exit_code`*::
-+
---
-Healthcheck status code
-
-
-type: integer
-
---
-
-[float]
-=== image
-
-Docker image metrics.
-
-
-
-[float]
-=== id
-
-The image layers identifier.
-
-
-
-*`docker.image.id.current`*::
-+
---
-Unique image identifier given upon its creation.
-
-
-type: keyword
-
---
-
-*`docker.image.id.parent`*::
-+
---
-Identifier of the image, if it exists, from which the current image directly descends.
-
-
-type: keyword
-
---
-
-*`docker.image.created`*::
-+
---
-Date and time when the image was created.
-
-
-type: date
-
---
-
-[float]
-=== size
-
-Image size layers.
-
-
-
-*`docker.image.size.virtual`*::
-+
---
-Size of the image.
-
-
-type: long
-
---
-
-*`docker.image.size.regular`*::
-+
---
-Total size of the all cached images associated to the current image.
-
-
-type: long
-
---
-
-*`docker.image.labels`*::
-+
---
-Image labels.
-
-
-type: object
-
---
-
-*`docker.image.tags`*::
-+
---
-Image tags.
-
-
-type: keyword
-
---
-
-[float]
-=== info
-
-Info metrics based on https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/display-system-wide-information.
-
-
-
-[float]
-=== containers
-
-Overall container stats.
-
-
-
-*`docker.info.containers.paused`*::
-+
---
-Total number of paused containers.
-
-
-type: long
-
---
-
-*`docker.info.containers.running`*::
-+
---
-Total number of running containers.
-
-
-type: long
-
---
-
-*`docker.info.containers.stopped`*::
-+
---
-Total number of stopped containers.
-
-
-type: long
-
---
-
-*`docker.info.containers.total`*::
-+
---
-Total number of existing containers.
-
-
-type: long
-
---
-
-*`docker.info.id`*::
-+
---
-Unique Docker host identifier.
-
-
-type: keyword
-
---
-
-*`docker.info.images`*::
-+
---
-Total number of existing images.
-
-
-type: long
-
---
-
-[float]
-=== memory
-
-Memory metrics.
-
-
-
-*`docker.memory.stats.*`*::
-+
---
-Raw memory stats from the cgroups memory.stat interface
-
-
-type: object
-
---
-
-[float]
-=== commit
-
-Committed bytes on Windows
-
-
-
-*`docker.memory.commit.total`*::
-+
---
-Total bytes
-
-
-type: long
-
-format: bytes
-
---
-
-*`docker.memory.commit.peak`*::
-+
---
-Peak committed bytes on Windows
-
-
-type: long
-
-format: bytes
-
---
-
-*`docker.memory.private_working_set.total`*::
-+
---
-private working sets on Windows
-
-
-type: long
-
-format: bytes
-
---
-
-*`docker.memory.fail.count`*::
-+
---
-Fail counter.
-
-
-type: scaled_float
-
---
-
-*`docker.memory.limit`*::
-+
---
-Memory limit.
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== rss
-
-RSS memory stats.
-
-
-
-*`docker.memory.rss.total`*::
-+
---
-Total memory resident set size.
-
-
-type: long
-
-format: bytes
-
---
-
-*`docker.memory.rss.pct`*::
-+
---
-Memory resident set size percentage, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-[float]
-=== usage
-
-Usage memory stats.
-
-
-
-*`docker.memory.usage.max`*::
-+
---
-Max memory usage.
-
-
-type: long
-
-format: bytes
-
---
-
-*`docker.memory.usage.pct`*::
-+
---
-Memory usage percentage, expressed as a value between 0 and 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`docker.memory.usage.total`*::
-+
---
-Total memory usage.
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== network
-
-Network metrics.
-
-
-
-*`docker.network.interface`*::
-+
---
-Network interface name.
-
-
-type: keyword
-
---
-
-[float]
-=== in
-
-Incoming network stats per second.
-
-
-
-*`docker.network.in.bytes`*::
-+
---
-Incoming bytes per seconds.
-
-
-type: long
-
-format: bytes
-
---
-
-*`docker.network.in.dropped`*::
-+
---
-Dropped incoming packets per second.
-
-
-type: scaled_float
-
---
-
-*`docker.network.in.errors`*::
-+
---
-Errors on incoming packets per second.
-
-
-type: long
-
---
-
-*`docker.network.in.packets`*::
-+
---
-Incoming packets per second.
-
-
-type: long
-
---
-
-[float]
-=== out
-
-Outgoing network stats per second.
-
-
-
-*`docker.network.out.bytes`*::
-+
---
-Outgoing bytes per second.
-
-
-type: long
-
-format: bytes
-
---
-
-*`docker.network.out.dropped`*::
-+
---
-Dropped outgoing packets per second.
-
-
-type: scaled_float
-
---
-
-*`docker.network.out.errors`*::
-+
---
-Errors on outgoing packets per second.
-
-
-type: long
-
---
-
-*`docker.network.out.packets`*::
-+
---
-Outgoing packets per second.
-
-
-type: long
-
---
-
-[float]
-=== inbound
-
-Incoming network stats since the container started.
-
-
-
-*`docker.network.inbound.bytes`*::
-+
---
-Total number of incoming bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`docker.network.inbound.dropped`*::
-+
---
-Total number of dropped incoming packets.
-
-
-type: long
-
---
-
-*`docker.network.inbound.errors`*::
-+
---
-Total errors on incoming packets.
-
-
-type: long
-
---
-
-*`docker.network.inbound.packets`*::
-+
---
-Total number of incoming packets.
-
-
-type: long
-
---
-
-[float]
-=== outbound
-
-Outgoing network stats since the container started.
-
-
-
-*`docker.network.outbound.bytes`*::
-+
---
-Total number of outgoing bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`docker.network.outbound.dropped`*::
-+
---
-Total number of dropped outgoing packets.
-
-
-type: long
-
---
-
-*`docker.network.outbound.errors`*::
-+
---
-Total errors on outgoing packets.
-
-
-type: long
-
---
-
-*`docker.network.outbound.packets`*::
-+
---
-Total number of outgoing packets.
-
-
-type: long
-
---
-
-[float]
-=== network_summary
-
-network_summary
-
-
-
-*`docker.network_summary.ip.*`*::
-+
---
-IP counters
-
-
-type: object
-
---
-
-*`docker.network_summary.tcp.*`*::
-+
---
-TCP counters
-
-
-type: object
-
---
-
-*`docker.network_summary.udp.*`*::
-+
---
-UDP counters
-
-
-type: object
-
---
-
-*`docker.network_summary.udp_lite.*`*::
-+
---
-UDP Lite counters
-
-
-type: object
-
---
-
-*`docker.network_summary.icmp.*`*::
-+
---
-ICMP counters
-
-
-type: object
-
---
-
-*`docker.network_summary.namespace.pid`*::
-+
---
-The root PID of the container, corresponding to /proc/[pid]/net
-
-
-type: long
-
---
-
-*`docker.network_summary.namespace.id`*::
-+
---
-The ID of the network namespace used by the container, corresponding to /proc/[pid]/ns/net
-
-
-type: long
-
---
-
-[[exported-fields-dropwizard]]
-== Dropwizard fields
-
-Stats collected from Dropwizard.
-
-
-
-[float]
-=== dropwizard
-
-
-
-
-[[exported-fields-ecs]]
-== ECS fields
-
-
-This section defines Elastic Common Schema (ECS) fields—a common set of fields
-to be used when storing event data in {es}.
-
-This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}.
-The goal of ECS is to enable and encourage users of {es} to normalize their event data,
-so that they can better analyze, visualize, and correlate the data represented in their events.
-
-See the {ecs-ref}[ECS reference] for more information.
-
-*`@timestamp`*::
-+
---
-Date/time when the event originated.
-This is the date/time extracted from the event, typically representing when the event was generated by the source.
-If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
-Required field for all events.
-
-type: date
-
-example: 2016-05-23T08:05:34.853Z
-
-required: True
-
---
-
-*`labels`*::
-+
---
-Custom key/value pairs.
-Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
-Example: `docker` and `k8s` labels.
-
-type: object
-
-example: {"application": "foo-bar", "env": "production"}
-
---
-
-*`message`*::
-+
---
-For log events the message field contains the log message, optimized for viewing in a log viewer.
-For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
-If multiple messages exist, they can be combined into one message.
-
-type: match_only_text
-
-example: Hello World
-
---
-
-*`tags`*::
-+
---
-List of keywords used to tag each event.
-
-type: keyword
-
-example: ["production", "env2"]
-
---
-
-[float]
-=== agent
-
-The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.
-Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
-
-
-*`agent.build.original`*::
-+
---
-Extended build information for the agent.
-This field is intended to contain any build information that a data source may provide, no specific formatting is required.
-
-type: keyword
-
-example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]
-
---
-
-*`agent.ephemeral_id`*::
-+
---
-Ephemeral identifier of this agent (if one exists).
-This id normally changes across restarts, but `agent.id` does not.
-
-type: keyword
-
-example: 8a4f500f
-
---
-
-*`agent.id`*::
-+
---
-Unique identifier of this agent (if one exists).
-Example: For Beats this would be beat.id.
-
-type: keyword
-
-example: 8a4f500d
-
---
-
-*`agent.name`*::
-+
---
-Custom name of the agent.
-This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.
-If no name is given, the name is often left empty.
-
-type: keyword
-
-example: foo
-
---
-
-*`agent.type`*::
-+
---
-Type of the agent.
-The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.
-
-type: keyword
-
-example: filebeat
-
---
-
-*`agent.version`*::
-+
---
-Version of the agent.
-
-type: keyword
-
-example: 6.0.0-rc2
-
---
-
-[float]
-=== as
-
-An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
-
-
-*`as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-[float]
-=== client
-
-A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records.
-For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events.
-Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
-
-
-*`client.address`*::
-+
---
-Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
-Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
-
-type: keyword
-
---
-
-*`client.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`client.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`client.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`client.bytes`*::
-+
---
-Bytes sent from the client to the server.
-
-type: long
-
-example: 184
-
-format: bytes
-
---
-
-*`client.domain`*::
-+
---
-The domain name of the client system.
-This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
-
-type: keyword
-
-example: foo.example.com
-
---
-
-*`client.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`client.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`client.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`client.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`client.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`client.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`client.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`client.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`client.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`client.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`client.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`client.ip`*::
-+
---
-IP address of the client (IPv4 or IPv6).
-
-type: ip
-
---
-
-*`client.mac`*::
-+
---
-MAC address of the client.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: 00-00-5E-00-53-23
-
---
-
-*`client.nat.ip`*::
-+
---
-Translated IP of source based NAT sessions (e.g. internal client to internet).
-Typically connections traversing load balancers, firewalls, or routers.
-
-type: ip
-
---
-
-*`client.nat.port`*::
-+
---
-Translated port of source based NAT sessions (e.g. internal client to internet).
-Typically connections traversing load balancers, firewalls, or routers.
-
-type: long
-
-format: string
-
---
-
-*`client.packets`*::
-+
---
-Packets sent from the client to the server.
-
-type: long
-
-example: 12
-
---
-
-*`client.port`*::
-+
---
-Port of the client.
-
-type: long
-
-format: string
-
---
-
-*`client.registered_domain`*::
-+
---
-The highest registered client domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`client.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`client.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`client.user.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`client.user.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`client.user.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`client.user.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`client.user.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`client.user.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`client.user.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`client.user.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`client.user.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`client.user.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`client.user.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`client.user.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-[float]
-=== cloud
-
-Fields related to the cloud or infrastructure the events are coming from.
-
-
-*`cloud.account.id`*::
-+
---
-The cloud account or organization id used to identify different entities in a multi-tenant environment.
-Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
-
-type: keyword
-
-example: 666777888999
-
---
-
-*`cloud.account.name`*::
-+
---
-The cloud account name or alias used to identify different entities in a multi-tenant environment.
-Examples: AWS account name, Google Cloud ORG display name.
-
-type: keyword
-
-example: elastic-dev
-
---
-
-*`cloud.availability_zone`*::
-+
---
-Availability zone in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1c
-
---
-
-*`cloud.instance.id`*::
-+
---
-Instance ID of the host machine.
-
-type: keyword
-
-example: i-1234567890abcdef0
-
---
-
-*`cloud.instance.name`*::
-+
---
-Instance name of the host machine.
-
-type: keyword
-
---
-
-*`cloud.machine.type`*::
-+
---
-Machine type of the host machine.
-
-type: keyword
-
-example: t2.medium
-
---
-
-*`cloud.origin.account.id`*::
-+
---
-The cloud account or organization id used to identify different entities in a multi-tenant environment.
-Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
-
-type: keyword
-
-example: 666777888999
-
---
-
-*`cloud.origin.account.name`*::
-+
---
-The cloud account name or alias used to identify different entities in a multi-tenant environment.
-Examples: AWS account name, Google Cloud ORG display name.
-
-type: keyword
-
-example: elastic-dev
-
---
-
-*`cloud.origin.availability_zone`*::
-+
---
-Availability zone in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1c
-
---
-
-*`cloud.origin.instance.id`*::
-+
---
-Instance ID of the host machine.
-
-type: keyword
-
-example: i-1234567890abcdef0
-
---
-
-*`cloud.origin.instance.name`*::
-+
---
-Instance name of the host machine.
-
-type: keyword
-
---
-
-*`cloud.origin.machine.type`*::
-+
---
-Machine type of the host machine.
-
-type: keyword
-
-example: t2.medium
-
---
-
-*`cloud.origin.project.id`*::
-+
---
-The cloud project identifier.
-Examples: Google Cloud Project id, Azure Project id.
-
-type: keyword
-
-example: my-project
-
---
-
-*`cloud.origin.project.name`*::
-+
---
-The cloud project name.
-Examples: Google Cloud Project name, Azure Project name.
-
-type: keyword
-
-example: my project
-
---
-
-*`cloud.origin.provider`*::
-+
---
-Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-
-type: keyword
-
-example: aws
-
---
-
-*`cloud.origin.region`*::
-+
---
-Region in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1
-
---
-
-*`cloud.origin.service.name`*::
-+
---
-The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.
-Examples: app engine, app service, cloud run, fargate, lambda.
-
-type: keyword
-
-example: lambda
-
---
-
-*`cloud.project.id`*::
-+
---
-The cloud project identifier.
-Examples: Google Cloud Project id, Azure Project id.
-
-type: keyword
-
-example: my-project
-
---
-
-*`cloud.project.name`*::
-+
---
-The cloud project name.
-Examples: Google Cloud Project name, Azure Project name.
-
-type: keyword
-
-example: my project
-
---
-
-*`cloud.provider`*::
-+
---
-Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-
-type: keyword
-
-example: aws
-
---
-
-*`cloud.region`*::
-+
---
-Region in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1
-
---
-
-*`cloud.service.name`*::
-+
---
-The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.
-Examples: app engine, app service, cloud run, fargate, lambda.
-
-type: keyword
-
-example: lambda
-
---
-
-*`cloud.target.account.id`*::
-+
---
-The cloud account or organization id used to identify different entities in a multi-tenant environment.
-Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
-
-type: keyword
-
-example: 666777888999
-
---
-
-*`cloud.target.account.name`*::
-+
---
-The cloud account name or alias used to identify different entities in a multi-tenant environment.
-Examples: AWS account name, Google Cloud ORG display name.
-
-type: keyword
-
-example: elastic-dev
-
---
-
-*`cloud.target.availability_zone`*::
-+
---
-Availability zone in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1c
-
---
-
-*`cloud.target.instance.id`*::
-+
---
-Instance ID of the host machine.
-
-type: keyword
-
-example: i-1234567890abcdef0
-
---
-
-*`cloud.target.instance.name`*::
-+
---
-Instance name of the host machine.
-
-type: keyword
-
---
-
-*`cloud.target.machine.type`*::
-+
---
-Machine type of the host machine.
-
-type: keyword
-
-example: t2.medium
-
---
-
-*`cloud.target.project.id`*::
-+
---
-The cloud project identifier.
-Examples: Google Cloud Project id, Azure Project id.
-
-type: keyword
-
-example: my-project
-
---
-
-*`cloud.target.project.name`*::
-+
---
-The cloud project name.
-Examples: Google Cloud Project name, Azure Project name.
-
-type: keyword
-
-example: my project
-
---
-
-*`cloud.target.provider`*::
-+
---
-Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-
-type: keyword
-
-example: aws
-
---
-
-*`cloud.target.region`*::
-+
---
-Region in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1
-
---
-
-*`cloud.target.service.name`*::
-+
---
-The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.
-Examples: app engine, app service, cloud run, fargate, lambda.
-
-type: keyword
-
-example: lambda
-
---
-
-[float]
-=== code_signature
-
-These fields contain information about binary code signatures.
-
-
-*`code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-[float]
-=== container
-
-Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.
-
-
-*`container.cpu.usage`*::
-+
---
-Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000.
-
-type: scaled_float
-
---
-
-*`container.disk.read.bytes`*::
-+
---
-The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
-
-type: long
-
---
-
-*`container.disk.write.bytes`*::
-+
---
-The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
-
-type: long
-
---
-
-*`container.id`*::
-+
---
-Unique container id.
-
-type: keyword
-
---
-
-*`container.image.name`*::
-+
---
-Name of the image the container was built on.
-
-type: keyword
-
---
-
-*`container.image.tag`*::
-+
---
-Container image tags.
-
-type: keyword
-
---
-
-*`container.labels`*::
-+
---
-Image labels.
-
-type: object
-
---
-
-*`container.memory.usage`*::
-+
---
-Memory usage percentage and it ranges from 0 to 1. Scaling factor: 1000.
-
-type: scaled_float
-
---
-
-*`container.name`*::
-+
---
-Container name.
-
-type: keyword
-
---
-
-*`container.network.egress.bytes`*::
-+
---
-The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.
-
-type: long
-
---
-
-*`container.network.ingress.bytes`*::
-+
---
-The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.
-
-type: long
-
---
-
-*`container.runtime`*::
-+
---
-Runtime managing this container.
-
-type: keyword
-
-example: docker
-
---
-
-[float]
-=== data_stream
-
-The data_stream fields take part in defining the new data stream naming scheme.
-In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post].
-An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].
-
-
-*`data_stream.dataset`*::
-+
---
-The field can contain anything that makes sense to signify the source of the data.
-Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`.
-Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions:
-  * Must not contain `-`
-  * No longer than 100 characters
-
-type: constant_keyword
-
-example: nginx.access
-
---
-
-*`data_stream.namespace`*::
-+
---
-A user defined namespace. Namespaces are useful to allow grouping of data.
-Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`.
-Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions:
-  * Must not contain `-`
-  * No longer than 100 characters
-
-type: constant_keyword
-
-example: production
-
---
-
-*`data_stream.type`*::
-+
---
-An overarching type for the data stream.
-Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
-
-type: constant_keyword
-
-example: logs
-
---
-
-[float]
-=== destination
-
-Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
-Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
-
-
-*`destination.address`*::
-+
---
-Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
-Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
-
-type: keyword
-
---
-
-*`destination.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`destination.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`destination.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`destination.bytes`*::
-+
---
-Bytes sent from the destination to the source.
-
-type: long
-
-example: 184
-
-format: bytes
-
---
-
-*`destination.domain`*::
-+
---
-The domain name of the destination system.
-This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
-
-type: keyword
-
-example: foo.example.com
-
---
-
-*`destination.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`destination.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`destination.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`destination.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`destination.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`destination.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`destination.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`destination.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`destination.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`destination.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`destination.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`destination.ip`*::
-+
---
-IP address of the destination (IPv4 or IPv6).
-
-type: ip
-
---
-
-*`destination.mac`*::
-+
---
-MAC address of the destination.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: 00-00-5E-00-53-23
-
---
-
-*`destination.nat.ip`*::
-+
---
-Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
-Typically used with load balancers, firewalls, or routers.
-
-type: ip
-
---
-
-*`destination.nat.port`*::
-+
---
-Port the source session is translated to by NAT Device.
-Typically used with load balancers, firewalls, or routers.
-
-type: long
-
-format: string
-
---
-
-*`destination.packets`*::
-+
---
-Packets sent from the destination to the source.
-
-type: long
-
-example: 12
-
---
-
-*`destination.port`*::
-+
---
-Port of the destination.
-
-type: long
-
-format: string
-
---
-
-*`destination.registered_domain`*::
-+
---
-The highest registered destination domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`destination.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`destination.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`destination.user.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`destination.user.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`destination.user.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`destination.user.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`destination.user.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`destination.user.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`destination.user.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`destination.user.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`destination.user.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`destination.user.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`destination.user.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`destination.user.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-[float]
-=== dll
-
-These fields contain information about code libraries dynamically loaded into processes.
-
-Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following:
-* Dynamic-link library (`.dll`) commonly used on Windows
-* Shared Object (`.so`) commonly used on Unix-like operating systems
-* Dynamic library (`.dylib`) commonly used on macOS
-
-
-*`dll.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`dll.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`dll.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`dll.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`dll.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`dll.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`dll.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`dll.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`dll.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`dll.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`dll.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`dll.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`dll.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`dll.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`dll.name`*::
-+
---
-Name of the library.
-This generally maps to the name of the file on disk.
-
-type: keyword
-
-example: kernel32.dll
-
---
-
-*`dll.path`*::
-+
---
-Full file path of the library.
-
-type: keyword
-
-example: C:\Windows\System32\kernel32.dll
-
---
-
-*`dll.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`dll.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`dll.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`dll.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`dll.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`dll.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`dll.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-[float]
-=== dns
-
-Fields describing DNS queries and answers.
-DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).
-
-
-*`dns.answers`*::
-+
---
-An array containing an object for each answer section returned by the server.
-The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.
-Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
-
-type: object
-
---
-
-*`dns.answers.class`*::
-+
---
-The class of DNS data contained in this resource record.
-
-type: keyword
-
-example: IN
-
---
-
-*`dns.answers.data`*::
-+
---
-The data describing the resource.
-The meaning of this data depends on the type and class of the resource record.
-
-type: keyword
-
-example: 10.10.10.10
-
---
-
-*`dns.answers.name`*::
-+
---
-The domain name to which this resource record pertains.
-If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`dns.answers.ttl`*::
-+
---
-The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
-
-type: long
-
-example: 180
-
---
-
-*`dns.answers.type`*::
-+
---
-The type of data contained in this resource record.
-
-type: keyword
-
-example: CNAME
-
---
-
-*`dns.header_flags`*::
-+
---
-Array of 2 letter DNS header flags.
-Expected values are: AA, TC, RD, RA, AD, CD, DO.
-
-type: keyword
-
-example: ["RD", "RA"]
-
---
-
-*`dns.id`*::
-+
---
-The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
-
-type: keyword
-
-example: 62111
-
---
-
-*`dns.op_code`*::
-+
---
-The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
-
-type: keyword
-
-example: QUERY
-
---
-
-*`dns.question.class`*::
-+
---
-The class of records being queried.
-
-type: keyword
-
-example: IN
-
---
-
-*`dns.question.name`*::
-+
---
-The name being queried.
-If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`dns.question.registered_domain`*::
-+
---
-The highest registered domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`dns.question.subdomain`*::
-+
---
-The subdomain is all of the labels under the registered_domain.
-If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: www
-
---
-
-*`dns.question.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`dns.question.type`*::
-+
---
-The type of record being queried.
-
-type: keyword
-
-example: AAAA
-
---
-
-*`dns.resolved_ip`*::
-+
---
-Array containing all IPs seen in `answers.data`.
-The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
-
-type: ip
-
-example: ["10.10.10.10", "10.10.10.11"]
-
---
-
-*`dns.response_code`*::
-+
---
-The DNS response code.
-
-type: keyword
-
-example: NOERROR
-
---
-
-*`dns.type`*::
-+
---
-The type of DNS event captured, query or answer.
-If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.
-If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
-
-type: keyword
-
-example: answer
-
---
-
-[float]
-=== ecs
-
-Meta-information specific to ECS.
-
-
-*`ecs.version`*::
-+
---
-ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
-When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
-
-type: keyword
-
-example: 1.0.0
-
-required: True
-
---
-
-[float]
-=== elf
-
-These fields contain Linux Executable Linkable Format (ELF) metadata.
-
-
-*`elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-[float]
-=== error
-
-These fields can represent errors of any kind.
-Use them for errors that happen while fetching events or in cases where the event itself contains an error.
-
-
-*`error.code`*::
-+
---
-Error code describing the error.
-
-type: keyword
-
---
-
-*`error.id`*::
-+
---
-Unique identifier for the error.
-
-type: keyword
-
---
-
-*`error.message`*::
-+
---
-Error message.
-
-type: match_only_text
-
---
-
-*`error.stack_trace`*::
-+
---
-The stack trace of this error in plain text.
-
-type: wildcard
-
---
-
-*`error.stack_trace.text`*::
-+
---
-type: match_only_text
-
---
-
-*`error.type`*::
-+
---
-The type of the error, for example the class name of the exception.
-
-type: keyword
-
-example: java.lang.NullPointerException
-
---
-
-[float]
-=== event
-
-The event fields are used for context information about the log or metric event itself.
-A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.
-
-
-*`event.action`*::
-+
---
-The action captured by the event.
-This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
-
-type: keyword
-
-example: user-password-change
-
---
-
-*`event.agent_id_status`*::
-+
---
-Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation.
-For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used.
-If no validation is performed then the field should be omitted.
-The allowed values are:
-`verified` - The `agent.id` field value matches expected value obtained from auth metadata.
-`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata.
-`missing` - There was no `agent.id` field in the event to validate.
-`auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID.
-
-type: keyword
-
-example: verified
-
---
-
-*`event.category`*::
-+
---
-This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
-`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
-This field is an array. This will allow proper categorization of some events that fall in multiple categories.
-
-type: keyword
-
-example: authentication
-
---
-
-*`event.code`*::
-+
---
-Identification code for this event, if one exists.
-Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
-
-type: keyword
-
-example: 4648
-
---
-
-*`event.created`*::
-+
---
-event.created contains the date/time when the event was first read by an agent, or by your pipeline.
-This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
-In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
-In case the two timestamps are identical, @timestamp should be used.
-
-type: date
-
-example: 2016-05-23T08:05:34.857Z
-
---
-
-*`event.dataset`*::
-+
---
-Name of the dataset.
-If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
-It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
-
-type: keyword
-
-example: apache.access
-
---
-
-*`event.duration`*::
-+
---
-Duration of the event in nanoseconds.
-If event.start and event.end are known this value should be the difference between the end and start time.
-
-type: long
-
-format: duration
-
---
-
-*`event.end`*::
-+
---
-event.end contains the date when the event ended or when the activity was last observed.
-
-type: date
-
---
-
-*`event.hash`*::
-+
---
-Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
-
-type: keyword
-
-example: 123456789012345678901234567890ABCD
-
---
-
-*`event.id`*::
-+
---
-Unique ID to describe the event.
-
-type: keyword
-
-example: 8a4f500d
-
---
-
-*`event.ingested`*::
-+
---
-Timestamp when an event arrived in the central data store.
-This is different from `@timestamp`, which is when the event originally occurred.  It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
-In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
-
-type: date
-
-example: 2016-05-23T08:05:35.101Z
-
---
-
-*`event.kind`*::
-+
---
-This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
-`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
-The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
-
-type: keyword
-
-example: alert
-
---
-
-*`event.module`*::
-+
---
-Name of the module this data is coming from.
-If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.
-
-type: keyword
-
-example: apache
-
---
-
-*`event.original`*::
-+
---
-Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
-This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
-
-type: keyword
-
-example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
-
-Field is not indexed.
-
---
-
-*`event.outcome`*::
-+
---
-This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
-`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
-Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
-Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
-Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
-
-type: keyword
-
-example: success
-
---
-
-*`event.provider`*::
-+
---
-Source of the event.
-Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
-
-type: keyword
-
-example: kernel
-
---
-
-*`event.reason`*::
-+
---
-Reason why this event happened, according to the source.
-This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
-
-type: keyword
-
-example: Terminated an unexpected process
-
---
-
-*`event.reference`*::
-+
---
-Reference URL linking to additional information about this event.
-This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
-
-type: keyword
-
-example: https://system.example.com/event/#0001234
-
---
-
-*`event.risk_score`*::
-+
---
-Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
-
-type: float
-
---
-
-*`event.risk_score_norm`*::
-+
---
-Normalized risk score or priority of the event, on a scale of 0 to 100.
-This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
-
-type: float
-
---
-
-*`event.sequence`*::
-+
---
-Sequence number of the event.
-The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
-
-type: long
-
-format: string
-
---
-
-*`event.severity`*::
-+
---
-The numeric severity of the event according to your event source.
-What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
-The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
-
-type: long
-
-example: 7
-
-format: string
-
---
-
-*`event.start`*::
-+
---
-event.start contains the date when the event started or when the activity was first observed.
-
-type: date
-
---
-
-*`event.timezone`*::
-+
---
-This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
-Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
-
-type: keyword
-
---
-
-*`event.type`*::
-+
---
-This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
-`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
-This field is an array. This will allow proper categorization of some events that fall in multiple event types.
-
-type: keyword
-
---
-
-*`event.url`*::
-+
---
-URL linking to an external system to continue investigation of this event.
-This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
-
-type: keyword
-
-example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
-
---
-
-[float]
-=== faas
-
-The user fields describe information about the function as a service that is relevant to the event.
-
-
-*`faas.coldstart`*::
-+
---
-Boolean value indicating a cold start of a function.
-
-type: boolean
-
---
-
-*`faas.execution`*::
-+
---
-The execution ID of the current function execution.
-
-type: keyword
-
-example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
-
---
-
-*`faas.trigger`*::
-+
---
-Details about the function trigger.
-
-type: nested
-
---
-
-*`faas.trigger.request_id`*::
-+
---
-The ID of the trigger request , message, event, etc.
-
-type: keyword
-
-example: 123456789
-
---
-
-*`faas.trigger.type`*::
-+
---
-The trigger for the function execution.
-Expected values are:
-  * http
-  * pubsub
-  * datasource
-  * timer
-  * other
-
-type: keyword
-
-example: http
-
---
-
-[float]
-=== file
-
-A file is defined as a set of information that has been created on, or has existed on a filesystem.
-File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
-
-
-*`file.accessed`*::
-+
---
-Last time the file was accessed.
-Note that not all filesystems keep track of access time.
-
-type: date
-
---
-
-*`file.attributes`*::
-+
---
-Array of file attributes.
-Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
-
-type: keyword
-
-example: ["readonly", "system"]
-
---
-
-*`file.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`file.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`file.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`file.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`file.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`file.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`file.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`file.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`file.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`file.created`*::
-+
---
-File creation time.
-Note that not all filesystems store the creation time.
-
-type: date
-
---
-
-*`file.ctime`*::
-+
---
-Last time the file attributes or metadata changed.
-Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
-
-type: date
-
---
-
-*`file.device`*::
-+
---
-Device that is the source of the file.
-
-type: keyword
-
-example: sda
-
---
-
-*`file.directory`*::
-+
---
-Directory where the file is located. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice
-
---
-
-*`file.drive_letter`*::
-+
---
-Drive letter where the file is located. This field is only relevant on Windows.
-The value should be uppercase, and not include the colon.
-
-type: keyword
-
-example: C
-
---
-
-*`file.elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`file.elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`file.elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`file.elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`file.elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`file.elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`file.elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`file.elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`file.elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`file.elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`file.elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`file.elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`file.elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`file.elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`file.elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`file.elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`file.elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`file.elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`file.elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`file.elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`file.elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`file.elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`file.elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`file.elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`file.elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`file.elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`file.elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`file.elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`file.elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-*`file.extension`*::
-+
---
-File extension, excluding the leading dot.
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`file.fork_name`*::
-+
---
-A fork is additional data associated with a filesystem object.
-On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.
-On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
-
-type: keyword
-
-example: Zone.Identifer
-
---
-
-*`file.gid`*::
-+
---
-Primary group ID (GID) of the file.
-
-type: keyword
-
-example: 1001
-
---
-
-*`file.group`*::
-+
---
-Primary group name of the file.
-
-type: keyword
-
-example: alice
-
---
-
-*`file.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`file.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`file.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`file.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`file.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`file.inode`*::
-+
---
-Inode representing the file in the filesystem.
-
-type: keyword
-
-example: 256383
-
---
-
-*`file.mime_type`*::
-+
---
-MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
-
-type: keyword
-
---
-
-*`file.mode`*::
-+
---
-Mode of the file in octal representation.
-
-type: keyword
-
-example: 0640
-
---
-
-*`file.mtime`*::
-+
---
-Last time the file content was modified.
-
-type: date
-
---
-
-*`file.name`*::
-+
---
-Name of the file including the extension, without the directory.
-
-type: keyword
-
-example: example.png
-
---
-
-*`file.owner`*::
-+
---
-File owner's username.
-
-type: keyword
-
-example: alice
-
---
-
-*`file.path`*::
-+
---
-Full path to the file, including the file name. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice/example.png
-
---
-
-*`file.path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`file.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`file.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`file.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`file.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`file.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`file.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`file.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-*`file.size`*::
-+
---
-File size in bytes.
-Only relevant when `file.type` is "file".
-
-type: long
-
-example: 16384
-
---
-
-*`file.target_path`*::
-+
---
-Target path for symlinks.
-
-type: keyword
-
---
-
-*`file.target_path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`file.type`*::
-+
---
-File type (file, dir, or symlink).
-
-type: keyword
-
-example: file
-
---
-
-*`file.uid`*::
-+
---
-The user ID (UID) or security identifier (SID) of the file owner.
-
-type: keyword
-
-example: 1001
-
---
-
-*`file.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`file.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`file.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`file.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`file.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`file.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`file.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`file.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`file.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`file.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`file.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`file.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`file.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`file.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`file.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`file.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`file.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`file.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`file.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`file.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`file.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`file.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`file.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`file.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-[float]
-=== geo
-
-Geo fields can carry data about a specific location related to an event.
-This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.
-
-
-*`geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-[float]
-=== group
-
-The group fields are meant to represent groups that are relevant to the event.
-
-
-*`group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-[float]
-=== hash
-
-The hash fields represent different bitwise hash algorithms and their values.
-Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512).
-Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).
-
-
-*`hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-[float]
-=== host
-
-A host is defined as a general computing instance.
-ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
-
-
-*`host.architecture`*::
-+
---
-Operating system architecture.
-
-type: keyword
-
-example: x86_64
-
---
-
-*`host.cpu.usage`*::
-+
---
-Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1.
-Scaling factor: 1000.
-For example: For a two core host, this value should be the average of the two cores, between 0 and 1.
-
-type: scaled_float
-
---
-
-*`host.disk.read.bytes`*::
-+
---
-The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
-
-type: long
-
---
-
-*`host.disk.write.bytes`*::
-+
---
-The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
-
-type: long
-
---
-
-*`host.domain`*::
-+
---
-Name of the domain of which the host is a member.
-For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
-
-type: keyword
-
-example: CONTOSO
-
---
-
-*`host.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`host.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`host.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`host.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`host.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`host.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`host.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`host.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`host.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`host.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`host.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`host.hostname`*::
-+
---
-Hostname of the host.
-It normally contains what the `hostname` command returns on the host machine.
-
-type: keyword
-
---
-
-*`host.id`*::
-+
---
-Unique host id.
-As hostname is not always unique, use values that are meaningful in your environment.
-Example: The current usage of `beat.name`.
-
-type: keyword
-
---
-
-*`host.ip`*::
-+
---
-Host ip addresses.
-
-type: ip
-
---
-
-*`host.mac`*::
-+
---
-Host MAC addresses.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
-
---
-
-*`host.name`*::
-+
---
-Name of the host.
-It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
-
-type: keyword
-
---
-
-*`host.network.egress.bytes`*::
-+
---
-The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.
-
-type: long
-
---
-
-*`host.network.egress.packets`*::
-+
---
-The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.
-
-type: long
-
---
-
-*`host.network.ingress.bytes`*::
-+
---
-The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.
-
-type: long
-
---
-
-*`host.network.ingress.packets`*::
-+
---
-The number of packets (gauge) received on all network interfaces by the host since the last metric collection.
-
-type: long
-
---
-
-*`host.os.family`*::
-+
---
-OS family (such as redhat, debian, freebsd, windows).
-
-type: keyword
-
-example: debian
-
---
-
-*`host.os.full`*::
-+
---
-Operating system name, including the version or code name.
-
-type: keyword
-
-example: Mac OS Mojave
-
---
-
-*`host.os.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`host.os.kernel`*::
-+
---
-Operating system kernel version as a raw string.
-
-type: keyword
-
-example: 4.4.0-112-generic
-
---
-
-*`host.os.name`*::
-+
---
-Operating system name, without the version.
-
-type: keyword
-
-example: Mac OS X
-
---
-
-*`host.os.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`host.os.platform`*::
-+
---
-Operating system platform (such centos, ubuntu, windows).
-
-type: keyword
-
-example: darwin
-
---
-
-*`host.os.type`*::
-+
---
-Use the `os.type` field to categorize the operating system into one of the broad commercial families.
-One of these following values should be used (lowercase): linux, macos, unix, windows.
-If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
-
-type: keyword
-
-example: macos
-
---
-
-*`host.os.version`*::
-+
---
-Operating system version as a raw string.
-
-type: keyword
-
-example: 10.14.1
-
---
-
-*`host.type`*::
-+
---
-Type of host.
-For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
-
-type: keyword
-
---
-
-*`host.uptime`*::
-+
---
-Seconds the host has been up.
-
-type: long
-
-example: 1325
-
---
-
-[float]
-=== http
-
-Fields related to HTTP activity. Use the `url` field set to store the url of the request.
-
-
-*`http.request.body.bytes`*::
-+
---
-Size in bytes of the request body.
-
-type: long
-
-example: 887
-
-format: bytes
-
---
-
-*`http.request.body.content`*::
-+
---
-The full HTTP request body.
-
-type: wildcard
-
-example: Hello world
-
---
-
-*`http.request.body.content.text`*::
-+
---
-type: match_only_text
-
---
-
-*`http.request.bytes`*::
-+
---
-Total size in bytes of the request (body and headers).
-
-type: long
-
-example: 1437
-
-format: bytes
-
---
-
-*`http.request.id`*::
-+
---
-A unique identifier for each HTTP request to correlate logs between clients and servers in transactions.
-The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`.
-
-type: keyword
-
-example: 123e4567-e89b-12d3-a456-426614174000
-
---
-
-*`http.request.method`*::
-+
---
-HTTP request method.
-The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
-
-type: keyword
-
-example: POST
-
---
-
-*`http.request.mime_type`*::
-+
---
-Mime type of the body of the request.
-This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients.
-
-type: keyword
-
-example: image/gif
-
---
-
-*`http.request.referrer`*::
-+
---
-Referrer for this HTTP request.
-
-type: keyword
-
-example: https://blog.example.com/
-
---
-
-*`http.response.body.bytes`*::
-+
---
-Size in bytes of the response body.
-
-type: long
-
-example: 887
-
-format: bytes
-
---
-
-*`http.response.body.content`*::
-+
---
-The full HTTP response body.
-
-type: wildcard
-
-example: Hello world
-
---
-
-*`http.response.body.content.text`*::
-+
---
-type: match_only_text
-
---
-
-*`http.response.bytes`*::
-+
---
-Total size in bytes of the response (body and headers).
-
-type: long
-
-example: 1437
-
-format: bytes
-
---
-
-*`http.response.mime_type`*::
-+
---
-Mime type of the body of the response.
-This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers.
-
-type: keyword
-
-example: image/gif
-
---
-
-*`http.response.status_code`*::
-+
---
-HTTP response status code.
-
-type: long
-
-example: 404
-
-format: string
-
---
-
-*`http.version`*::
-+
---
-HTTP version.
-
-type: keyword
-
-example: 1.1
-
---
-
-[float]
-=== interface
-
-The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection.  In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.
-
-
-*`interface.alias`*::
-+
---
-Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
-
-type: keyword
-
-example: outside
-
---
-
-*`interface.id`*::
-+
---
-Interface ID as reported by an observer (typically SNMP interface ID).
-
-type: keyword
-
-example: 10
-
---
-
-*`interface.name`*::
-+
---
-Interface name as reported by the system.
-
-type: keyword
-
-example: eth0
-
---
-
-[float]
-=== log
-
-Details about the event's logging mechanism or logging transport.
-The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`.
-The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields.
-
-
-*`log.file.path`*::
-+
---
-Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
-If the event wasn't read from a log file, do not populate this field.
-
-type: keyword
-
-example: /var/log/fun-times.log
-
---
-
-*`log.level`*::
-+
---
-Original log level of the log event.
-If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
-Some examples are `warn`, `err`, `i`, `informational`.
-
-type: keyword
-
-example: error
-
---
-
-*`log.logger`*::
-+
---
-The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
-
-type: keyword
-
-example: org.elasticsearch.bootstrap.Bootstrap
-
---
-
-*`log.origin.file.line`*::
-+
---
-The line number of the file containing the source code which originated the log event.
-
-type: long
-
-example: 42
-
---
-
-*`log.origin.file.name`*::
-+
---
-The name of the file containing the source code which originated the log event.
-Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.
-
-type: keyword
-
-example: Bootstrap.java
-
---
-
-*`log.origin.function`*::
-+
---
-The name of the function or method which originated the log event.
-
-type: keyword
-
-example: init
-
---
-
-*`log.syslog`*::
-+
---
-The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
-
-type: object
-
---
-
-*`log.syslog.facility.code`*::
-+
---
-The Syslog numeric facility of the log event, if available.
-According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
-
-type: long
-
-example: 23
-
-format: string
-
---
-
-*`log.syslog.facility.name`*::
-+
---
-The Syslog text-based facility of the log event, if available.
-
-type: keyword
-
-example: local7
-
---
-
-*`log.syslog.priority`*::
-+
---
-Syslog numeric priority of the event, if available.
-According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
-
-type: long
-
-example: 135
-
-format: string
-
---
-
-*`log.syslog.severity.code`*::
-+
---
-The Syslog numeric severity of the log event, if available.
-If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
-
-type: long
-
-example: 3
-
---
-
-*`log.syslog.severity.name`*::
-+
---
-The Syslog numeric severity of the log event, if available.
-If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
-
-type: keyword
-
-example: Error
-
---
-
-[float]
-=== network
-
-The network is defined as the communication path over which a host or network event happens.
-The network.* fields should be populated with details about the network activity associated with an event.
-
-
-*`network.application`*::
-+
---
-When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
-For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
-The field value must be normalized to lowercase for querying.
-
-type: keyword
-
-example: aim
-
---
-
-*`network.bytes`*::
-+
---
-Total bytes transferred in both directions.
-If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
-
-type: long
-
-example: 368
-
-format: bytes
-
---
-
-*`network.community_id`*::
-+
---
-A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
-Learn more at https://github.com/corelight/community-id-spec.
-
-type: keyword
-
-example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
-
---
-
-*`network.direction`*::
-+
---
-Direction of the network traffic.
-Recommended values are:
-  * ingress
-  * egress
-  * inbound
-  * outbound
-  * internal
-  * external
-  * unknown
-
-When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
-When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
-Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
-
-type: keyword
-
-example: inbound
-
---
-
-*`network.forwarded_ip`*::
-+
---
-Host IP address when the source IP address is the proxy.
-
-type: ip
-
-example: 192.1.1.2
-
---
-
-*`network.iana_number`*::
-+
---
-IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
-
-type: keyword
-
-example: 6
-
---
-
-*`network.inner`*::
-+
---
-Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
-
-type: object
-
---
-
-*`network.inner.vlan.id`*::
-+
---
-VLAN ID as reported by the observer.
-
-type: keyword
-
-example: 10
-
---
-
-*`network.inner.vlan.name`*::
-+
---
-Optional VLAN name as reported by the observer.
-
-type: keyword
-
-example: outside
-
---
-
-*`network.name`*::
-+
---
-Name given by operators to sections of their network.
-
-type: keyword
-
-example: Guest Wifi
-
---
-
-*`network.packets`*::
-+
---
-Total packets transferred in both directions.
-If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
-
-type: long
-
-example: 24
-
---
-
-*`network.protocol`*::
-+
---
-In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
-The field value must be normalized to lowercase for querying.
-
-type: keyword
-
-example: http
-
---
-
-*`network.transport`*::
-+
---
-Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
-The field value must be normalized to lowercase for querying.
-
-type: keyword
-
-example: tcp
-
---
-
-*`network.type`*::
-+
---
-In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
-The field value must be normalized to lowercase for querying.
-
-type: keyword
-
-example: ipv4
-
---
-
-*`network.vlan.id`*::
-+
---
-VLAN ID as reported by the observer.
-
-type: keyword
-
-example: 10
-
---
-
-*`network.vlan.name`*::
-+
---
-Optional VLAN name as reported by the observer.
-
-type: keyword
-
-example: outside
-
---
-
-[float]
-=== observer
-
-An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.
-This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
-
-
-*`observer.egress`*::
-+
---
-Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
-
-type: object
-
---
-
-*`observer.egress.interface.alias`*::
-+
---
-Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
-
-type: keyword
-
-example: outside
-
---
-
-*`observer.egress.interface.id`*::
-+
---
-Interface ID as reported by an observer (typically SNMP interface ID).
-
-type: keyword
-
-example: 10
-
---
-
-*`observer.egress.interface.name`*::
-+
---
-Interface name as reported by the system.
-
-type: keyword
-
-example: eth0
-
---
-
-*`observer.egress.vlan.id`*::
-+
---
-VLAN ID as reported by the observer.
-
-type: keyword
-
-example: 10
-
---
-
-*`observer.egress.vlan.name`*::
-+
---
-Optional VLAN name as reported by the observer.
-
-type: keyword
-
-example: outside
-
---
-
-*`observer.egress.zone`*::
-+
---
-Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
-
-type: keyword
-
-example: Public_Internet
-
---
-
-*`observer.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`observer.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`observer.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`observer.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`observer.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`observer.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`observer.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`observer.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`observer.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`observer.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`observer.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`observer.hostname`*::
-+
---
-Hostname of the observer.
-
-type: keyword
-
---
-
-*`observer.ingress`*::
-+
---
-Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
-
-type: object
-
---
-
-*`observer.ingress.interface.alias`*::
-+
---
-Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
-
-type: keyword
-
-example: outside
-
---
-
-*`observer.ingress.interface.id`*::
-+
---
-Interface ID as reported by an observer (typically SNMP interface ID).
-
-type: keyword
-
-example: 10
-
---
-
-*`observer.ingress.interface.name`*::
-+
---
-Interface name as reported by the system.
-
-type: keyword
-
-example: eth0
-
---
-
-*`observer.ingress.vlan.id`*::
-+
---
-VLAN ID as reported by the observer.
-
-type: keyword
-
-example: 10
-
---
-
-*`observer.ingress.vlan.name`*::
-+
---
-Optional VLAN name as reported by the observer.
-
-type: keyword
-
-example: outside
-
---
-
-*`observer.ingress.zone`*::
-+
---
-Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
-
-type: keyword
-
-example: DMZ
-
---
-
-*`observer.ip`*::
-+
---
-IP addresses of the observer.
-
-type: ip
-
---
-
-*`observer.mac`*::
-+
---
-MAC addresses of the observer.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
-
---
-
-*`observer.name`*::
-+
---
-Custom name of the observer.
-This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
-If no custom name is needed, the field can be left empty.
-
-type: keyword
-
-example: 1_proxySG
-
---
-
-*`observer.os.family`*::
-+
---
-OS family (such as redhat, debian, freebsd, windows).
-
-type: keyword
-
-example: debian
-
---
-
-*`observer.os.full`*::
-+
---
-Operating system name, including the version or code name.
-
-type: keyword
-
-example: Mac OS Mojave
-
---
-
-*`observer.os.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`observer.os.kernel`*::
-+
---
-Operating system kernel version as a raw string.
-
-type: keyword
-
-example: 4.4.0-112-generic
-
---
-
-*`observer.os.name`*::
-+
---
-Operating system name, without the version.
-
-type: keyword
-
-example: Mac OS X
-
---
-
-*`observer.os.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`observer.os.platform`*::
-+
---
-Operating system platform (such centos, ubuntu, windows).
-
-type: keyword
-
-example: darwin
-
---
-
-*`observer.os.type`*::
-+
---
-Use the `os.type` field to categorize the operating system into one of the broad commercial families.
-One of these following values should be used (lowercase): linux, macos, unix, windows.
-If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
-
-type: keyword
-
-example: macos
-
---
-
-*`observer.os.version`*::
-+
---
-Operating system version as a raw string.
-
-type: keyword
-
-example: 10.14.1
-
---
-
-*`observer.product`*::
-+
---
-The product name of the observer.
-
-type: keyword
-
-example: s200
-
---
-
-*`observer.serial_number`*::
-+
---
-Observer serial number.
-
-type: keyword
-
---
-
-*`observer.type`*::
-+
---
-The type of the observer the data is coming from.
-There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
-
-type: keyword
-
-example: firewall
-
---
-
-*`observer.vendor`*::
-+
---
-Vendor name of the observer.
-
-type: keyword
-
-example: Symantec
-
---
-
-*`observer.version`*::
-+
---
-Observer version.
-
-type: keyword
-
---
-
-[float]
-=== orchestrator
-
-Fields that describe the resources which container orchestrators manage or act upon.
-
-
-*`orchestrator.api_version`*::
-+
---
-API version being used to carry out the action
-
-type: keyword
-
-example: v1beta1
-
---
-
-*`orchestrator.cluster.name`*::
-+
---
-Name of the cluster.
-
-type: keyword
-
---
-
-*`orchestrator.cluster.url`*::
-+
---
-URL of the API used to manage the cluster.
-
-type: keyword
-
---
-
-*`orchestrator.cluster.version`*::
-+
---
-The version of the cluster.
-
-type: keyword
-
---
-
-*`orchestrator.namespace`*::
-+
---
-Namespace in which the action is taking place.
-
-type: keyword
-
-example: kube-system
-
---
-
-*`orchestrator.organization`*::
-+
---
-Organization affected by the event (for multi-tenant orchestrator setups).
-
-type: keyword
-
-example: elastic
-
---
-
-*`orchestrator.resource.name`*::
-+
---
-Name of the resource being acted upon.
-
-type: keyword
-
-example: test-pod-cdcws
-
---
-
-*`orchestrator.resource.type`*::
-+
---
-Type of resource being acted upon.
-
-type: keyword
-
-example: service
-
---
-
-*`orchestrator.type`*::
-+
---
-Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
-
-type: keyword
-
-example: kubernetes
-
---
-
-[float]
-=== organization
-
-The organization fields enrich data with information about the company or entity the data is associated with.
-These fields help you arrange or filter data stored in an index by one or multiple organizations.
-
-
-*`organization.id`*::
-+
---
-Unique identifier for the organization.
-
-type: keyword
-
---
-
-*`organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
---
-
-*`organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-[float]
-=== os
-
-The OS fields contain information about the operating system.
-
-
-*`os.family`*::
-+
---
-OS family (such as redhat, debian, freebsd, windows).
-
-type: keyword
-
-example: debian
-
---
-
-*`os.full`*::
-+
---
-Operating system name, including the version or code name.
-
-type: keyword
-
-example: Mac OS Mojave
-
---
-
-*`os.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`os.kernel`*::
-+
---
-Operating system kernel version as a raw string.
-
-type: keyword
-
-example: 4.4.0-112-generic
-
---
-
-*`os.name`*::
-+
---
-Operating system name, without the version.
-
-type: keyword
-
-example: Mac OS X
-
---
-
-*`os.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`os.platform`*::
-+
---
-Operating system platform (such centos, ubuntu, windows).
-
-type: keyword
-
-example: darwin
-
---
-
-*`os.type`*::
-+
---
-Use the `os.type` field to categorize the operating system into one of the broad commercial families.
-One of these following values should be used (lowercase): linux, macos, unix, windows.
-If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
-
-type: keyword
-
-example: macos
-
---
-
-*`os.version`*::
-+
---
-Operating system version as a raw string.
-
-type: keyword
-
-example: 10.14.1
-
---
-
-[float]
-=== package
-
-These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
-
-
-*`package.architecture`*::
-+
---
-Package architecture.
-
-type: keyword
-
-example: x86_64
-
---
-
-*`package.build_version`*::
-+
---
-Additional information about the build version of the installed package.
-For example use the commit SHA of a non-released package.
-
-type: keyword
-
-example: 36f4f7e89dd61b0988b12ee000b98966867710cd
-
---
-
-*`package.checksum`*::
-+
---
-Checksum of the installed package for verification.
-
-type: keyword
-
-example: 68b329da9893e34099c7d8ad5cb9c940
-
---
-
-*`package.description`*::
-+
---
-Description of the package.
-
-type: keyword
-
-example: Open source programming language to build simple/reliable/efficient software.
-
---
-
-*`package.install_scope`*::
-+
---
-Indicating how the package was installed, e.g. user-local, global.
-
-type: keyword
-
-example: global
-
---
-
-*`package.installed`*::
-+
---
-Time when package was installed.
-
-type: date
-
---
-
-*`package.license`*::
-+
---
-License under which the package was released.
-Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/).
-
-type: keyword
-
-example: Apache License 2.0
-
---
-
-*`package.name`*::
-+
---
-Package name
-
-type: keyword
-
-example: go
-
---
-
-*`package.path`*::
-+
---
-Path where the package is installed.
-
-type: keyword
-
-example: /usr/local/Cellar/go/1.12.9/
-
---
-
-*`package.reference`*::
-+
---
-Home page or reference URL of the software in this package, if available.
-
-type: keyword
-
-example: https://golang.org
-
---
-
-*`package.size`*::
-+
---
-Package size in bytes.
-
-type: long
-
-example: 62231
-
-format: string
-
---
-
-*`package.type`*::
-+
---
-Type of package.
-This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.
-
-type: keyword
-
-example: rpm
-
---
-
-*`package.version`*::
-+
---
-Package version
-
-type: keyword
-
-example: 1.12.9
-
---
-
-[float]
-=== pe
-
-These fields contain Windows Portable Executable (PE) metadata.
-
-
-*`pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-[float]
-=== process
-
-These fields contain information about a process.
-These fields can help you correlate metrics information with a process id/name from a log message.  The `process.pid` often stays in the metric itself and is copied to the global field for correlation.
-
-
-*`process.args`*::
-+
---
-Array of process arguments, starting with the absolute path to the executable.
-May be filtered to protect sensitive information.
-
-type: keyword
-
-example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
-
---
-
-*`process.args_count`*::
-+
---
-Length of the process.args array.
-This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
-
-type: long
-
-example: 4
-
---
-
-*`process.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`process.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`process.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`process.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`process.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`process.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`process.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`process.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`process.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`process.command_line`*::
-+
---
-Full command line that started the process, including the absolute path to the executable, and all arguments.
-Some arguments may be filtered to protect sensitive information.
-
-type: wildcard
-
-example: /usr/bin/ssh -l user 10.0.0.16
-
---
-
-*`process.command_line.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`process.elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`process.elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`process.elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`process.elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`process.elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`process.elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`process.elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`process.elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`process.elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`process.elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`process.elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`process.elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`process.elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`process.elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`process.elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`process.elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`process.elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`process.elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`process.elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`process.elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`process.elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`process.elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`process.elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`process.elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`process.elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`process.elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`process.elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`process.elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-*`process.end`*::
-+
---
-The time the process ended.
-
-type: date
-
-example: 2016-05-23T08:05:34.853Z
-
---
-
-*`process.entity_id`*::
-+
---
-Unique identifier for the process.
-The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
-Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
-
-type: keyword
-
-example: c2c455d9f99375d
-
---
-
-*`process.executable`*::
-+
---
-Absolute path to the process executable.
-
-type: keyword
-
-example: /usr/bin/ssh
-
---
-
-*`process.executable.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.exit_code`*::
-+
---
-The exit code of the process, if this is a termination event.
-The field should be absent if there is no exit code for the event (e.g. process start).
-
-type: long
-
-example: 137
-
---
-
-*`process.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`process.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`process.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`process.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`process.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`process.name`*::
-+
---
-Process name.
-Sometimes called program name or similar.
-
-type: keyword
-
-example: ssh
-
---
-
-*`process.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.parent.args`*::
-+
---
-Array of process arguments, starting with the absolute path to the executable.
-May be filtered to protect sensitive information.
-
-type: keyword
-
-example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
-
---
-
-*`process.parent.args_count`*::
-+
---
-Length of the process.args array.
-This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
-
-type: long
-
-example: 4
-
---
-
-*`process.parent.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`process.parent.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`process.parent.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`process.parent.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`process.parent.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`process.parent.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`process.parent.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`process.parent.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`process.parent.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`process.parent.command_line`*::
-+
---
-Full command line that started the process, including the absolute path to the executable, and all arguments.
-Some arguments may be filtered to protect sensitive information.
-
-type: wildcard
-
-example: /usr/bin/ssh -l user 10.0.0.16
-
---
-
-*`process.parent.command_line.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.parent.elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`process.parent.elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`process.parent.elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`process.parent.elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`process.parent.elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`process.parent.elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`process.parent.elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`process.parent.elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`process.parent.elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`process.parent.elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`process.parent.elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`process.parent.elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`process.parent.elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`process.parent.elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`process.parent.elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`process.parent.elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`process.parent.elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`process.parent.elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`process.parent.elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`process.parent.elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`process.parent.elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`process.parent.elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`process.parent.elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`process.parent.elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`process.parent.elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`process.parent.elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`process.parent.elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`process.parent.elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`process.parent.elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-*`process.parent.end`*::
-+
---
-The time the process ended.
-
-type: date
-
-example: 2016-05-23T08:05:34.853Z
-
---
-
-*`process.parent.entity_id`*::
-+
---
-Unique identifier for the process.
-The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
-Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
-
-type: keyword
-
-example: c2c455d9f99375d
-
---
-
-*`process.parent.executable`*::
-+
---
-Absolute path to the process executable.
-
-type: keyword
-
-example: /usr/bin/ssh
-
---
-
-*`process.parent.executable.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.parent.exit_code`*::
-+
---
-The exit code of the process, if this is a termination event.
-The field should be absent if there is no exit code for the event (e.g. process start).
-
-type: long
-
-example: 137
-
---
-
-*`process.parent.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`process.parent.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`process.parent.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`process.parent.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`process.parent.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`process.parent.name`*::
-+
---
-Process name.
-Sometimes called program name or similar.
-
-type: keyword
-
-example: ssh
-
---
-
-*`process.parent.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.parent.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`process.parent.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`process.parent.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`process.parent.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`process.parent.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`process.parent.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`process.parent.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-*`process.parent.pgid`*::
-+
---
-Identifier of the group of processes the process belongs to.
-
-type: long
-
-format: string
-
---
-
-*`process.parent.pid`*::
-+
---
-Process id.
-
-type: long
-
-example: 4242
-
-format: string
-
---
-
-*`process.parent.start`*::
-+
---
-The time the process started.
-
-type: date
-
-example: 2016-05-23T08:05:34.853Z
-
---
-
-*`process.parent.thread.id`*::
-+
---
-Thread ID.
-
-type: long
-
-example: 4242
-
-format: string
-
---
-
-*`process.parent.thread.name`*::
-+
---
-Thread name.
-
-type: keyword
-
-example: thread-0
-
---
-
-*`process.parent.title`*::
-+
---
-Process title.
-The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
-
-type: keyword
-
---
-
-*`process.parent.title.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.parent.uptime`*::
-+
---
-Seconds the process has been up.
-
-type: long
-
-example: 1325
-
---
-
-*`process.parent.working_directory`*::
-+
---
-The working directory of the process.
-
-type: keyword
-
-example: /home/alice
-
---
-
-*`process.parent.working_directory.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`process.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`process.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`process.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`process.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`process.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`process.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-*`process.pgid`*::
-+
---
-Identifier of the group of processes the process belongs to.
-
-type: long
-
-format: string
-
---
-
-*`process.pid`*::
-+
---
-Process id.
-
-type: long
-
-example: 4242
-
-format: string
-
---
-
-*`process.start`*::
-+
---
-The time the process started.
-
-type: date
-
-example: 2016-05-23T08:05:34.853Z
-
---
-
-*`process.thread.id`*::
-+
---
-Thread ID.
-
-type: long
-
-example: 4242
-
-format: string
-
---
-
-*`process.thread.name`*::
-+
---
-Thread name.
-
-type: keyword
-
-example: thread-0
-
---
-
-*`process.title`*::
-+
---
-Process title.
-The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
-
-type: keyword
-
---
-
-*`process.title.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.uptime`*::
-+
---
-Seconds the process has been up.
-
-type: long
-
-example: 1325
-
---
-
-*`process.working_directory`*::
-+
---
-The working directory of the process.
-
-type: keyword
-
-example: /home/alice
-
---
-
-*`process.working_directory.text`*::
-+
---
-type: match_only_text
-
---
-
-[float]
-=== registry
-
-Fields related to Windows Registry operations.
-
-
-*`registry.data.bytes`*::
-+
---
-Original bytes written with base64 encoding.
-For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
-
-type: keyword
-
-example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
-
---
-
-*`registry.data.strings`*::
-+
---
-Content when writing string types.
-Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
-
-type: wildcard
-
-example: ["C:\rta\red_ttp\bin\myapp.exe"]
-
---
-
-*`registry.data.type`*::
-+
---
-Standard registry type for encoding contents
-
-type: keyword
-
-example: REG_SZ
-
---
-
-*`registry.hive`*::
-+
---
-Abbreviated name for the hive.
-
-type: keyword
-
-example: HKLM
-
---
-
-*`registry.key`*::
-+
---
-Hive-relative path of keys.
-
-type: keyword
-
-example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
-
---
-
-*`registry.path`*::
-+
---
-Full path, including hive, key and value
-
-type: keyword
-
-example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
-
---
-
-*`registry.value`*::
-+
---
-Name of the value written.
-
-type: keyword
-
-example: Debugger
-
---
-
-[float]
-=== related
-
-This field set is meant to facilitate pivoting around a piece of data.
-Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`.
-A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.
-
-
-*`related.hash`*::
-+
---
-All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
-
-type: keyword
-
---
-
-*`related.hosts`*::
-+
---
-All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
-
-type: keyword
-
---
-
-*`related.ip`*::
-+
---
-All of the IPs seen on your event.
-
-type: ip
-
---
-
-*`related.user`*::
-+
---
-All the user names or other user identifiers seen on the event.
-
-type: keyword
-
---
-
-[float]
-=== rule
-
-Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
-Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.
-
-
-*`rule.author`*::
-+
---
-Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
-
-type: keyword
-
-example: ["Star-Lord"]
-
---
-
-*`rule.category`*::
-+
---
-A categorization value keyword used by the entity using the rule for detection of this event.
-
-type: keyword
-
-example: Attempted Information Leak
-
---
-
-*`rule.description`*::
-+
---
-The description of the rule generating the event.
-
-type: keyword
-
-example: Block requests to public DNS over HTTPS / TLS protocols
-
---
-
-*`rule.id`*::
-+
---
-A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
-
-type: keyword
-
-example: 101
-
---
-
-*`rule.license`*::
-+
---
-Name of the license under which the rule used to generate this event is made available.
-
-type: keyword
-
-example: Apache 2.0
-
---
-
-*`rule.name`*::
-+
---
-The name of the rule or signature generating the event.
-
-type: keyword
-
-example: BLOCK_DNS_over_TLS
-
---
-
-*`rule.reference`*::
-+
---
-Reference URL to additional information about the rule used to generate this event.
-The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert.
-
-type: keyword
-
-example: https://en.wikipedia.org/wiki/DNS_over_TLS
-
---
-
-*`rule.ruleset`*::
-+
---
-Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
-
-type: keyword
-
-example: Standard_Protocol_Filters
-
---
-
-*`rule.uuid`*::
-+
---
-A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
-
-type: keyword
-
-example: 1100110011
-
---
-
-*`rule.version`*::
-+
---
-The version / revision of the rule being used for analysis.
-
-type: keyword
-
-example: 1.1
-
---
-
-[float]
-=== server
-
-A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records.
-For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events.
-Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
-
-
-*`server.address`*::
-+
---
-Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
-Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
-
-type: keyword
-
---
-
-*`server.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`server.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`server.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`server.bytes`*::
-+
---
-Bytes sent from the server to the client.
-
-type: long
-
-example: 184
-
-format: bytes
-
---
-
-*`server.domain`*::
-+
---
-The domain name of the server system.
-This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
-
-type: keyword
-
-example: foo.example.com
-
---
-
-*`server.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`server.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`server.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`server.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`server.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`server.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`server.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`server.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`server.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`server.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`server.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`server.ip`*::
-+
---
-IP address of the server (IPv4 or IPv6).
-
-type: ip
-
---
-
-*`server.mac`*::
-+
---
-MAC address of the server.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: 00-00-5E-00-53-23
-
---
-
-*`server.nat.ip`*::
-+
---
-Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
-Typically used with load balancers, firewalls, or routers.
-
-type: ip
-
---
-
-*`server.nat.port`*::
-+
---
-Translated port of destination based NAT sessions (e.g. internet to private DMZ)
-Typically used with load balancers, firewalls, or routers.
-
-type: long
-
-format: string
-
---
-
-*`server.packets`*::
-+
---
-Packets sent from the server to the client.
-
-type: long
-
-example: 12
-
---
-
-*`server.port`*::
-+
---
-Port of the server.
-
-type: long
-
-format: string
-
---
-
-*`server.registered_domain`*::
-+
---
-The highest registered server domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`server.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`server.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`server.user.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`server.user.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`server.user.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`server.user.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`server.user.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`server.user.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`server.user.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`server.user.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`server.user.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`server.user.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`server.user.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`server.user.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-[float]
-=== service
-
-The service fields describe the service for or from which the data was collected.
-These fields help you find and correlate logs for a specific service and version.
-
-
-*`service.address`*::
-+
---
-Address where data about this service was collected from.
-This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
-
-type: keyword
-
-example: 172.26.0.2:5432
-
---
-
-*`service.environment`*::
-+
---
-Identifies the environment where the service is running.
-If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
-
-type: keyword
-
-example: production
-
---
-
-*`service.ephemeral_id`*::
-+
---
-Ephemeral identifier of this service (if one exists).
-This id normally changes across restarts, but `service.id` does not.
-
-type: keyword
-
-example: 8a4f500f
-
---
-
-*`service.id`*::
-+
---
-Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.
-This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.
-Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
-
-type: keyword
-
-example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
-
---
-
-*`service.name`*::
-+
---
-Name of the service data is collected from.
-The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
-In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
-
-type: keyword
-
-example: elasticsearch-metrics
-
---
-
-*`service.node.name`*::
-+
---
-Name of a service node.
-This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.
-In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
-
-type: keyword
-
-example: instance-0000000016
-
---
-
-*`service.origin.address`*::
-+
---
-Address where data about this service was collected from.
-This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
-
-type: keyword
-
-example: 172.26.0.2:5432
-
---
-
-*`service.origin.environment`*::
-+
---
-Identifies the environment where the service is running.
-If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
-
-type: keyword
-
-example: production
-
---
-
-*`service.origin.ephemeral_id`*::
-+
---
-Ephemeral identifier of this service (if one exists).
-This id normally changes across restarts, but `service.id` does not.
-
-type: keyword
-
-example: 8a4f500f
-
---
-
-*`service.origin.id`*::
-+
---
-Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.
-This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.
-Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
-
-type: keyword
-
-example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
-
---
-
-*`service.origin.name`*::
-+
---
-Name of the service data is collected from.
-The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
-In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
-
-type: keyword
-
-example: elasticsearch-metrics
-
---
-
-*`service.origin.node.name`*::
-+
---
-Name of a service node.
-This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.
-In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
-
-type: keyword
-
-example: instance-0000000016
-
---
-
-*`service.origin.state`*::
-+
---
-Current state of the service.
-
-type: keyword
-
---
-
-*`service.origin.type`*::
-+
---
-The type of the service data is collected from.
-The type can be used to group and correlate logs and metrics from one service type.
-Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
-
-type: keyword
-
-example: elasticsearch
-
---
-
-*`service.origin.version`*::
-+
---
-Version of the service the data was collected from.
-This allows to look at a data set only for a specific version of a service.
-
-type: keyword
-
-example: 3.2.4
-
---
-
-*`service.state`*::
-+
---
-Current state of the service.
-
-type: keyword
-
---
-
-*`service.target.address`*::
-+
---
-Address where data about this service was collected from.
-This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
-
-type: keyword
-
-example: 172.26.0.2:5432
-
---
-
-*`service.target.environment`*::
-+
---
-Identifies the environment where the service is running.
-If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
-
-type: keyword
-
-example: production
-
---
-
-*`service.target.ephemeral_id`*::
-+
---
-Ephemeral identifier of this service (if one exists).
-This id normally changes across restarts, but `service.id` does not.
-
-type: keyword
-
-example: 8a4f500f
-
---
-
-*`service.target.id`*::
-+
---
-Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.
-This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.
-Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
-
-type: keyword
-
-example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
-
---
-
-*`service.target.name`*::
-+
---
-Name of the service data is collected from.
-The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
-In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
-
-type: keyword
-
-example: elasticsearch-metrics
-
---
-
-*`service.target.node.name`*::
-+
---
-Name of a service node.
-This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.
-In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
-
-type: keyword
-
-example: instance-0000000016
-
---
-
-*`service.target.state`*::
-+
---
-Current state of the service.
-
-type: keyword
-
---
-
-*`service.target.type`*::
-+
---
-The type of the service data is collected from.
-The type can be used to group and correlate logs and metrics from one service type.
-Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
-
-type: keyword
-
-example: elasticsearch
-
---
-
-*`service.target.version`*::
-+
---
-Version of the service the data was collected from.
-This allows to look at a data set only for a specific version of a service.
-
-type: keyword
-
-example: 3.2.4
-
---
-
-*`service.type`*::
-+
---
-The type of the service data is collected from.
-The type can be used to group and correlate logs and metrics from one service type.
-Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
-
-type: keyword
-
-example: elasticsearch
-
---
-
-*`service.version`*::
-+
---
-Version of the service the data was collected from.
-This allows to look at a data set only for a specific version of a service.
-
-type: keyword
-
-example: 3.2.4
-
---
-
-[float]
-=== source
-
-Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
-Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
-
-
-*`source.address`*::
-+
---
-Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
-Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
-
-type: keyword
-
---
-
-*`source.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`source.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`source.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`source.bytes`*::
-+
---
-Bytes sent from the source to the destination.
-
-type: long
-
-example: 184
-
-format: bytes
-
---
-
-*`source.domain`*::
-+
---
-The domain name of the source system.
-This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
-
-type: keyword
-
-example: foo.example.com
-
---
-
-*`source.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`source.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`source.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`source.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`source.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`source.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`source.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`source.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`source.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`source.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`source.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`source.ip`*::
-+
---
-IP address of the source (IPv4 or IPv6).
-
-type: ip
-
---
-
-*`source.mac`*::
-+
---
-MAC address of the source.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: 00-00-5E-00-53-23
-
---
-
-*`source.nat.ip`*::
-+
---
-Translated ip of source based NAT sessions (e.g. internal client to internet)
-Typically connections traversing load balancers, firewalls, or routers.
-
-type: ip
-
---
-
-*`source.nat.port`*::
-+
---
-Translated port of source based NAT sessions. (e.g. internal client to internet)
-Typically used with load balancers, firewalls, or routers.
-
-type: long
-
-format: string
-
---
-
-*`source.packets`*::
-+
---
-Packets sent from the source to the destination.
-
-type: long
-
-example: 12
-
---
-
-*`source.port`*::
-+
---
-Port of the source.
-
-type: long
-
-format: string
-
---
-
-*`source.registered_domain`*::
-+
---
-The highest registered source domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`source.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`source.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`source.user.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`source.user.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`source.user.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`source.user.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`source.user.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`source.user.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`source.user.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`source.user.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`source.user.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`source.user.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`source.user.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`source.user.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-[float]
-=== threat
-
-Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.
-These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
-
-
-*`threat.enrichments`*::
-+
---
-A list of associated indicators objects enriching the event, and the context of that association/enrichment.
-
-type: nested
-
---
-
-*`threat.enrichments.indicator`*::
-+
---
-Object containing associated indicators enriching the event.
-
-type: object
-
---
-
-*`threat.enrichments.indicator.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`threat.enrichments.indicator.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`threat.enrichments.indicator.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.enrichments.indicator.confidence`*::
-+
---
-Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
-Expected values are:
-  * Not Specified
-  * None
-  * Low
-  * Medium
-  * High
-
-type: keyword
-
-example: Medium
-
---
-
-*`threat.enrichments.indicator.description`*::
-+
---
-Describes the type of action conducted by the threat.
-
-type: keyword
-
-example: IP x.x.x.x was observed delivering the Angler EK.
-
---
-
-*`threat.enrichments.indicator.email.address`*::
-+
---
-Identifies a threat indicator as an email address (irrespective of direction).
-
-type: keyword
-
-example: phish@example.com
-
---
-
-*`threat.enrichments.indicator.file.accessed`*::
-+
---
-Last time the file was accessed.
-Note that not all filesystems keep track of access time.
-
-type: date
-
---
-
-*`threat.enrichments.indicator.file.attributes`*::
-+
---
-Array of file attributes.
-Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
-
-type: keyword
-
-example: ["readonly", "system"]
-
---
-
-*`threat.enrichments.indicator.file.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`threat.enrichments.indicator.file.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.enrichments.indicator.file.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`threat.enrichments.indicator.file.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`threat.enrichments.indicator.file.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`threat.enrichments.indicator.file.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`threat.enrichments.indicator.file.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`threat.enrichments.indicator.file.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.enrichments.indicator.file.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.enrichments.indicator.file.created`*::
-+
---
-File creation time.
-Note that not all filesystems store the creation time.
-
-type: date
-
---
-
-*`threat.enrichments.indicator.file.ctime`*::
-+
---
-Last time the file attributes or metadata changed.
-Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
-
-type: date
-
---
-
-*`threat.enrichments.indicator.file.device`*::
-+
---
-Device that is the source of the file.
-
-type: keyword
-
-example: sda
-
---
-
-*`threat.enrichments.indicator.file.directory`*::
-+
---
-Directory where the file is located. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice
-
---
-
-*`threat.enrichments.indicator.file.drive_letter`*::
-+
---
-Drive letter where the file is located. This field is only relevant on Windows.
-The value should be uppercase, and not include the colon.
-
-type: keyword
-
-example: C
-
---
-
-*`threat.enrichments.indicator.file.elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`threat.enrichments.indicator.file.elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`threat.enrichments.indicator.file.elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`threat.enrichments.indicator.file.elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`threat.enrichments.indicator.file.elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`threat.enrichments.indicator.file.elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`threat.enrichments.indicator.file.elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`threat.enrichments.indicator.file.elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`threat.enrichments.indicator.file.elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`threat.enrichments.indicator.file.elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.extension`*::
-+
---
-File extension, excluding the leading dot.
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`threat.enrichments.indicator.file.fork_name`*::
-+
---
-A fork is additional data associated with a filesystem object.
-On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.
-On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
-
-type: keyword
-
-example: Zone.Identifer
-
---
-
-*`threat.enrichments.indicator.file.gid`*::
-+
---
-Primary group ID (GID) of the file.
-
-type: keyword
-
-example: 1001
-
---
-
-*`threat.enrichments.indicator.file.group`*::
-+
---
-Primary group name of the file.
-
-type: keyword
-
-example: alice
-
---
-
-*`threat.enrichments.indicator.file.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.inode`*::
-+
---
-Inode representing the file in the filesystem.
-
-type: keyword
-
-example: 256383
-
---
-
-*`threat.enrichments.indicator.file.mime_type`*::
-+
---
-MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.mode`*::
-+
---
-Mode of the file in octal representation.
-
-type: keyword
-
-example: 0640
-
---
-
-*`threat.enrichments.indicator.file.mtime`*::
-+
---
-Last time the file content was modified.
-
-type: date
-
---
-
-*`threat.enrichments.indicator.file.name`*::
-+
---
-Name of the file including the extension, without the directory.
-
-type: keyword
-
-example: example.png
-
---
-
-*`threat.enrichments.indicator.file.owner`*::
-+
---
-File owner's username.
-
-type: keyword
-
-example: alice
-
---
-
-*`threat.enrichments.indicator.file.path`*::
-+
---
-Full path to the file, including the file name. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice/example.png
-
---
-
-*`threat.enrichments.indicator.file.path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.enrichments.indicator.file.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`threat.enrichments.indicator.file.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`threat.enrichments.indicator.file.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`threat.enrichments.indicator.file.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`threat.enrichments.indicator.file.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`threat.enrichments.indicator.file.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`threat.enrichments.indicator.file.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-*`threat.enrichments.indicator.file.size`*::
-+
---
-File size in bytes.
-Only relevant when `file.type` is "file".
-
-type: long
-
-example: 16384
-
---
-
-*`threat.enrichments.indicator.file.target_path`*::
-+
---
-Target path for symlinks.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.target_path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.enrichments.indicator.file.type`*::
-+
---
-File type (file, dir, or symlink).
-
-type: keyword
-
-example: file
-
---
-
-*`threat.enrichments.indicator.file.uid`*::
-+
---
-The user ID (UID) or security identifier (SID) of the file owner.
-
-type: keyword
-
-example: 1001
-
---
-
-*`threat.enrichments.indicator.file.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.enrichments.indicator.file.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`threat.enrichments.indicator.file.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`threat.enrichments.indicator.file.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`threat.enrichments.indicator.file.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`threat.enrichments.indicator.file.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`threat.enrichments.indicator.file.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`threat.enrichments.indicator.file.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`threat.enrichments.indicator.file.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.enrichments.indicator.file.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`threat.enrichments.indicator.first_seen`*::
-+
---
-The date and time when intelligence source first reported sighting this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.enrichments.indicator.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`threat.enrichments.indicator.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`threat.enrichments.indicator.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`threat.enrichments.indicator.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`threat.enrichments.indicator.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`threat.enrichments.indicator.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`threat.enrichments.indicator.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`threat.enrichments.indicator.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`threat.enrichments.indicator.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`threat.enrichments.indicator.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`threat.enrichments.indicator.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`threat.enrichments.indicator.ip`*::
-+
---
-Identifies a threat indicator as an IP address (irrespective of direction).
-
-type: ip
-
-example: 1.2.3.4
-
---
-
-*`threat.enrichments.indicator.last_seen`*::
-+
---
-The date and time when intelligence source last reported sighting this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.enrichments.indicator.marking.tlp`*::
-+
---
-Traffic Light Protocol sharing markings. Recommended values are:
-  * WHITE
-  * GREEN
-  * AMBER
-  * RED
-
-type: keyword
-
-example: White
-
---
-
-*`threat.enrichments.indicator.modified_at`*::
-+
---
-The date and time when intelligence source last modified information for this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.enrichments.indicator.port`*::
-+
---
-Identifies a threat indicator as a port number (irrespective of direction).
-
-type: long
-
-example: 443
-
---
-
-*`threat.enrichments.indicator.provider`*::
-+
---
-The name of the indicator's provider.
-
-type: keyword
-
-example: lrz_urlhaus
-
---
-
-*`threat.enrichments.indicator.reference`*::
-+
---
-Reference URL linking to additional information about this indicator.
-
-type: keyword
-
-example: https://system.example.com/indicator/0001234
-
---
-
-*`threat.enrichments.indicator.registry.data.bytes`*::
-+
---
-Original bytes written with base64 encoding.
-For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
-
-type: keyword
-
-example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
-
---
-
-*`threat.enrichments.indicator.registry.data.strings`*::
-+
---
-Content when writing string types.
-Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
-
-type: wildcard
-
-example: ["C:\rta\red_ttp\bin\myapp.exe"]
-
---
-
-*`threat.enrichments.indicator.registry.data.type`*::
-+
---
-Standard registry type for encoding contents
-
-type: keyword
-
-example: REG_SZ
-
---
-
-*`threat.enrichments.indicator.registry.hive`*::
-+
---
-Abbreviated name for the hive.
-
-type: keyword
-
-example: HKLM
-
---
-
-*`threat.enrichments.indicator.registry.key`*::
-+
---
-Hive-relative path of keys.
-
-type: keyword
-
-example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
-
---
-
-*`threat.enrichments.indicator.registry.path`*::
-+
---
-Full path, including hive, key and value
-
-type: keyword
-
-example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
-
---
-
-*`threat.enrichments.indicator.registry.value`*::
-+
---
-Name of the value written.
-
-type: keyword
-
-example: Debugger
-
---
-
-*`threat.enrichments.indicator.scanner_stats`*::
-+
---
-Count of AV/EDR vendors that successfully detected malicious file or URL.
-
-type: long
-
-example: 4
-
---
-
-*`threat.enrichments.indicator.sightings`*::
-+
---
-Number of times this indicator was observed conducting threat activity.
-
-type: long
-
-example: 20
-
---
-
-*`threat.enrichments.indicator.type`*::
-+
---
-Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values:
-  * autonomous-system
-  * artifact
-  * directory
-  * domain-name
-  * email-addr
-  * file
-  * ipv4-addr
-  * ipv6-addr
-  * mac-addr
-  * mutex
-  * port
-  * process
-  * software
-  * url
-  * user-account
-  * windows-registry-key
-  * x509-certificate
-
-type: keyword
-
-example: ipv4-addr
-
---
-
-*`threat.enrichments.indicator.url.domain`*::
-+
---
-Domain of the url, such as "www.elastic.co".
-In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
-If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
-
-type: keyword
-
-example: www.elastic.co
-
---
-
-*`threat.enrichments.indicator.url.extension`*::
-+
---
-The field contains the file extension from the original request url, excluding the leading dot.
-The file extension is only set if it exists, as not every url has a file extension.
-The leading period must not be included. For example, the value must be "png", not ".png".
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`threat.enrichments.indicator.url.fragment`*::
-+
---
-Portion of the url after the `#`, such as "top".
-The `#` is not part of the fragment.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.url.full`*::
-+
---
-If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top
-
---
-
-*`threat.enrichments.indicator.url.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.enrichments.indicator.url.original`*::
-+
---
-Unmodified original url as seen in the event source.
-Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
-This field is meant to represent the URL as it was observed, complete or not.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
-
---
-
-*`threat.enrichments.indicator.url.original.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.enrichments.indicator.url.password`*::
-+
---
-Password of the request.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.url.path`*::
-+
---
-Path of the request, such as "/search".
-
-type: wildcard
-
---
-
-*`threat.enrichments.indicator.url.port`*::
-+
---
-Port of the request, such as 443.
-
-type: long
-
-example: 443
-
-format: string
-
---
-
-*`threat.enrichments.indicator.url.query`*::
-+
---
-The query field describes the query string of the request, such as "q=elasticsearch".
-The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.url.registered_domain`*::
-+
---
-The highest registered url domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`threat.enrichments.indicator.url.scheme`*::
-+
---
-Scheme of the request, such as "https".
-Note: The `:` is not part of the scheme.
-
-type: keyword
-
-example: https
-
---
-
-*`threat.enrichments.indicator.url.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`threat.enrichments.indicator.url.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`threat.enrichments.indicator.url.username`*::
-+
---
-Username of the request.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`threat.enrichments.indicator.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`threat.enrichments.indicator.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`threat.enrichments.indicator.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`threat.enrichments.indicator.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`threat.enrichments.indicator.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`threat.enrichments.indicator.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`threat.enrichments.indicator.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.enrichments.indicator.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`threat.enrichments.indicator.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`threat.enrichments.indicator.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`threat.enrichments.indicator.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`threat.enrichments.indicator.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`threat.enrichments.indicator.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`threat.enrichments.indicator.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`threat.enrichments.indicator.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`threat.enrichments.indicator.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`threat.enrichments.indicator.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`threat.enrichments.indicator.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`threat.enrichments.indicator.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`threat.enrichments.indicator.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`threat.enrichments.indicator.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.enrichments.indicator.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`threat.enrichments.matched.atomic`*::
-+
---
-Identifies the atomic indicator value that matched a local environment endpoint or network event.
-
-type: keyword
-
-example: bad-domain.com
-
---
-
-*`threat.enrichments.matched.field`*::
-+
---
-Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
-
-type: keyword
-
-example: file.hash.sha256
-
---
-
-*`threat.enrichments.matched.id`*::
-+
---
-Identifies the _id of the indicator document enriching the event.
-
-type: keyword
-
-example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
-
---
-
-*`threat.enrichments.matched.index`*::
-+
---
-Identifies the _index of the indicator document enriching the event.
-
-type: keyword
-
-example: filebeat-8.0.0-2021.05.23-000011
-
---
-
-*`threat.enrichments.matched.type`*::
-+
---
-Identifies the type of match that caused the event to be enriched with the given indicator
-
-type: keyword
-
-example: indicator_match_rule
-
---
-
-*`threat.framework`*::
-+
---
-Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
-
-type: keyword
-
-example: MITRE ATT&CK
-
---
-
-*`threat.group.alias`*::
-+
---
-The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community.
-While not required, you can use a MITRE ATT&CK® group alias(es).
-
-type: keyword
-
-example: [ "Magecart Group 6" ]
-
---
-
-*`threat.group.id`*::
-+
---
-The id of the group for a set of related intrusion activity that are tracked by a common name in the security community.
-While not required, you can use a MITRE ATT&CK® group id.
-
-type: keyword
-
-example: G0037
-
---
-
-*`threat.group.name`*::
-+
---
-The name of the group for a set of related intrusion activity that are tracked by a common name in the security community.
-While not required, you can use a MITRE ATT&CK® group name.
-
-type: keyword
-
-example: FIN6
-
---
-
-*`threat.group.reference`*::
-+
---
-The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community.
-While not required, you can use a MITRE ATT&CK® group reference URL.
-
-type: keyword
-
-example: https://attack.mitre.org/groups/G0037/
-
---
-
-*`threat.indicator.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`threat.indicator.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`threat.indicator.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.indicator.confidence`*::
-+
---
-Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
-Expected values are:
-  * Not Specified
-  * None
-  * Low
-  * Medium
-  * High
-
-type: keyword
-
-example: Medium
-
---
-
-*`threat.indicator.description`*::
-+
---
-Describes the type of action conducted by the threat.
-
-type: keyword
-
-example: IP x.x.x.x was observed delivering the Angler EK.
-
---
-
-*`threat.indicator.email.address`*::
-+
---
-Identifies a threat indicator as an email address (irrespective of direction).
-
-type: keyword
-
-example: phish@example.com
-
---
-
-*`threat.indicator.file.accessed`*::
-+
---
-Last time the file was accessed.
-Note that not all filesystems keep track of access time.
-
-type: date
-
---
-
-*`threat.indicator.file.attributes`*::
-+
---
-Array of file attributes.
-Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
-
-type: keyword
-
-example: ["readonly", "system"]
-
---
-
-*`threat.indicator.file.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`threat.indicator.file.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.indicator.file.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`threat.indicator.file.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`threat.indicator.file.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`threat.indicator.file.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`threat.indicator.file.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`threat.indicator.file.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.indicator.file.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.indicator.file.created`*::
-+
---
-File creation time.
-Note that not all filesystems store the creation time.
-
-type: date
-
---
-
-*`threat.indicator.file.ctime`*::
-+
---
-Last time the file attributes or metadata changed.
-Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
-
-type: date
-
---
-
-*`threat.indicator.file.device`*::
-+
---
-Device that is the source of the file.
-
-type: keyword
-
-example: sda
-
---
-
-*`threat.indicator.file.directory`*::
-+
---
-Directory where the file is located. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice
-
---
-
-*`threat.indicator.file.drive_letter`*::
-+
---
-Drive letter where the file is located. This field is only relevant on Windows.
-The value should be uppercase, and not include the colon.
-
-type: keyword
-
-example: C
-
---
-
-*`threat.indicator.file.elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`threat.indicator.file.elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`threat.indicator.file.elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`threat.indicator.file.elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`threat.indicator.file.elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`threat.indicator.file.elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`threat.indicator.file.elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`threat.indicator.file.elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`threat.indicator.file.elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`threat.indicator.file.elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`threat.indicator.file.elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`threat.indicator.file.elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`threat.indicator.file.elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`threat.indicator.file.elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`threat.indicator.file.elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-*`threat.indicator.file.extension`*::
-+
---
-File extension, excluding the leading dot.
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`threat.indicator.file.fork_name`*::
-+
---
-A fork is additional data associated with a filesystem object.
-On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.
-On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
-
-type: keyword
-
-example: Zone.Identifer
-
---
-
-*`threat.indicator.file.gid`*::
-+
---
-Primary group ID (GID) of the file.
-
-type: keyword
-
-example: 1001
-
---
-
-*`threat.indicator.file.group`*::
-+
---
-Primary group name of the file.
-
-type: keyword
-
-example: alice
-
---
-
-*`threat.indicator.file.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`threat.indicator.file.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`threat.indicator.file.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`threat.indicator.file.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`threat.indicator.file.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`threat.indicator.file.inode`*::
-+
---
-Inode representing the file in the filesystem.
-
-type: keyword
-
-example: 256383
-
---
-
-*`threat.indicator.file.mime_type`*::
-+
---
-MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
-
-type: keyword
-
---
-
-*`threat.indicator.file.mode`*::
-+
---
-Mode of the file in octal representation.
-
-type: keyword
-
-example: 0640
-
---
-
-*`threat.indicator.file.mtime`*::
-+
---
-Last time the file content was modified.
-
-type: date
-
---
-
-*`threat.indicator.file.name`*::
-+
---
-Name of the file including the extension, without the directory.
-
-type: keyword
-
-example: example.png
-
---
-
-*`threat.indicator.file.owner`*::
-+
---
-File owner's username.
-
-type: keyword
-
-example: alice
-
---
-
-*`threat.indicator.file.path`*::
-+
---
-Full path to the file, including the file name. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice/example.png
-
---
-
-*`threat.indicator.file.path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.indicator.file.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`threat.indicator.file.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`threat.indicator.file.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`threat.indicator.file.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`threat.indicator.file.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`threat.indicator.file.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`threat.indicator.file.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-*`threat.indicator.file.size`*::
-+
---
-File size in bytes.
-Only relevant when `file.type` is "file".
-
-type: long
-
-example: 16384
-
---
-
-*`threat.indicator.file.target_path`*::
-+
---
-Target path for symlinks.
-
-type: keyword
-
---
-
-*`threat.indicator.file.target_path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.indicator.file.type`*::
-+
---
-File type (file, dir, or symlink).
-
-type: keyword
-
-example: file
-
---
-
-*`threat.indicator.file.uid`*::
-+
---
-The user ID (UID) or security identifier (SID) of the file owner.
-
-type: keyword
-
-example: 1001
-
---
-
-*`threat.indicator.file.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`threat.indicator.file.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`threat.indicator.file.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`threat.indicator.file.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`threat.indicator.file.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`threat.indicator.file.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`threat.indicator.file.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`threat.indicator.file.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.indicator.file.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`threat.indicator.file.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`threat.indicator.file.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`threat.indicator.file.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`threat.indicator.file.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`threat.indicator.file.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`threat.indicator.file.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`threat.indicator.file.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`threat.indicator.file.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`threat.indicator.file.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`threat.indicator.file.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`threat.indicator.file.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`threat.indicator.file.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`threat.indicator.file.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`threat.indicator.file.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.indicator.file.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`threat.indicator.first_seen`*::
-+
---
-The date and time when intelligence source first reported sighting this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.indicator.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`threat.indicator.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`threat.indicator.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`threat.indicator.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`threat.indicator.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`threat.indicator.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`threat.indicator.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`threat.indicator.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`threat.indicator.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`threat.indicator.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`threat.indicator.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`threat.indicator.ip`*::
-+
---
-Identifies a threat indicator as an IP address (irrespective of direction).
-
-type: ip
-
-example: 1.2.3.4
-
---
-
-*`threat.indicator.last_seen`*::
-+
---
-The date and time when intelligence source last reported sighting this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.indicator.marking.tlp`*::
-+
---
-Traffic Light Protocol sharing markings.
-Recommended values are:
-  * WHITE
-  * GREEN
-  * AMBER
-  * RED
-
-type: keyword
-
-example: WHITE
-
---
-
-*`threat.indicator.modified_at`*::
-+
---
-The date and time when intelligence source last modified information for this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.indicator.port`*::
-+
---
-Identifies a threat indicator as a port number (irrespective of direction).
-
-type: long
-
-example: 443
-
---
-
-*`threat.indicator.provider`*::
-+
---
-The name of the indicator's provider.
-
-type: keyword
-
-example: lrz_urlhaus
-
---
-
-*`threat.indicator.reference`*::
-+
---
-Reference URL linking to additional information about this indicator.
-
-type: keyword
-
-example: https://system.example.com/indicator/0001234
-
---
-
-*`threat.indicator.registry.data.bytes`*::
-+
---
-Original bytes written with base64 encoding.
-For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
-
-type: keyword
-
-example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
-
---
-
-*`threat.indicator.registry.data.strings`*::
-+
---
-Content when writing string types.
-Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
-
-type: wildcard
-
-example: ["C:\rta\red_ttp\bin\myapp.exe"]
-
---
-
-*`threat.indicator.registry.data.type`*::
-+
---
-Standard registry type for encoding contents
-
-type: keyword
-
-example: REG_SZ
-
---
-
-*`threat.indicator.registry.hive`*::
-+
---
-Abbreviated name for the hive.
-
-type: keyword
-
-example: HKLM
-
---
-
-*`threat.indicator.registry.key`*::
-+
---
-Hive-relative path of keys.
-
-type: keyword
-
-example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
-
---
-
-*`threat.indicator.registry.path`*::
-+
---
-Full path, including hive, key and value
-
-type: keyword
-
-example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
-
---
-
-*`threat.indicator.registry.value`*::
-+
---
-Name of the value written.
-
-type: keyword
-
-example: Debugger
-
---
-
-*`threat.indicator.scanner_stats`*::
-+
---
-Count of AV/EDR vendors that successfully detected malicious file or URL.
-
-type: long
-
-example: 4
-
---
-
-*`threat.indicator.sightings`*::
-+
---
-Number of times this indicator was observed conducting threat activity.
-
-type: long
-
-example: 20
-
---
-
-*`threat.indicator.type`*::
-+
---
-Type of indicator as represented by Cyber Observable in STIX 2.0.
-Recommended values:
-  * autonomous-system
-  * artifact
-  * directory
-  * domain-name
-  * email-addr
-  * file
-  * ipv4-addr
-  * ipv6-addr
-  * mac-addr
-  * mutex
-  * port
-  * process
-  * software
-  * url
-  * user-account
-  * windows-registry-key
-  * x509-certificate
-
-type: keyword
-
-example: ipv4-addr
-
---
-
-*`threat.indicator.url.domain`*::
-+
---
-Domain of the url, such as "www.elastic.co".
-In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
-If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
-
-type: keyword
-
-example: www.elastic.co
-
---
-
-*`threat.indicator.url.extension`*::
-+
---
-The field contains the file extension from the original request url, excluding the leading dot.
-The file extension is only set if it exists, as not every url has a file extension.
-The leading period must not be included. For example, the value must be "png", not ".png".
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`threat.indicator.url.fragment`*::
-+
---
-Portion of the url after the `#`, such as "top".
-The `#` is not part of the fragment.
-
-type: keyword
-
---
-
-*`threat.indicator.url.full`*::
-+
---
-If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top
-
---
-
-*`threat.indicator.url.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.indicator.url.original`*::
-+
---
-Unmodified original url as seen in the event source.
-Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
-This field is meant to represent the URL as it was observed, complete or not.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
-
---
-
-*`threat.indicator.url.original.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.indicator.url.password`*::
-+
---
-Password of the request.
-
-type: keyword
-
---
-
-*`threat.indicator.url.path`*::
-+
---
-Path of the request, such as "/search".
-
-type: wildcard
-
---
-
-*`threat.indicator.url.port`*::
-+
---
-Port of the request, such as 443.
-
-type: long
-
-example: 443
-
-format: string
-
---
-
-*`threat.indicator.url.query`*::
-+
---
-The query field describes the query string of the request, such as "q=elasticsearch".
-The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
-
-type: keyword
-
---
-
-*`threat.indicator.url.registered_domain`*::
-+
---
-The highest registered url domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`threat.indicator.url.scheme`*::
-+
---
-Scheme of the request, such as "https".
-Note: The `:` is not part of the scheme.
-
-type: keyword
-
-example: https
-
---
-
-*`threat.indicator.url.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`threat.indicator.url.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`threat.indicator.url.username`*::
-+
---
-Username of the request.
-
-type: keyword
-
---
-
-*`threat.indicator.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`threat.indicator.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`threat.indicator.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`threat.indicator.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`threat.indicator.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`threat.indicator.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`threat.indicator.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`threat.indicator.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.indicator.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`threat.indicator.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`threat.indicator.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`threat.indicator.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`threat.indicator.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`threat.indicator.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`threat.indicator.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`threat.indicator.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`threat.indicator.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`threat.indicator.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`threat.indicator.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`threat.indicator.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`threat.indicator.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`threat.indicator.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`threat.indicator.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.indicator.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`threat.software.alias`*::
-+
---
-The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community.
-While not required, you can use a MITRE ATT&CK® associated software description.
-
-type: keyword
-
-example: [ "X-Agent" ]
-
---
-
-*`threat.software.id`*::
-+
---
-The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
-While not required, you can use a MITRE ATT&CK® software id.
-
-type: keyword
-
-example: S0552
-
---
-
-*`threat.software.name`*::
-+
---
-The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
-While not required, you can use a MITRE ATT&CK® software name.
-
-type: keyword
-
-example: AdFind
-
---
-
-*`threat.software.platforms`*::
-+
---
-The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
-Recommended Values:
-  * AWS
-  * Azure
-  * Azure AD
-  * GCP
-  * Linux
-  * macOS
-  * Network
-  * Office 365
-  * SaaS
-  * Windows
-
-While not required, you can use a MITRE ATT&CK® software platforms.
-
-type: keyword
-
-example: [ "Windows" ]
-
---
-
-*`threat.software.reference`*::
-+
---
-The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
-While not required, you can use a MITRE ATT&CK® software reference URL.
-
-type: keyword
-
-example: https://attack.mitre.org/software/S0552/
-
---
-
-*`threat.software.type`*::
-+
---
-The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
-Recommended values
-  * Malware
-  * Tool
-
- While not required, you can use a MITRE ATT&CK® software type.
-
-type: keyword
-
-example: Tool
-
---
-
-*`threat.tactic.id`*::
-+
---
-The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
-
-type: keyword
-
-example: TA0002
-
---
-
-*`threat.tactic.name`*::
-+
---
-Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)
-
-type: keyword
-
-example: Execution
-
---
-
-*`threat.tactic.reference`*::
-+
---
-The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
-
-type: keyword
-
-example: https://attack.mitre.org/tactics/TA0002/
-
---
-
-*`threat.technique.id`*::
-+
---
-The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
-
-type: keyword
-
-example: T1059
-
---
-
-*`threat.technique.name`*::
-+
---
-The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
-
-type: keyword
-
-example: Command and Scripting Interpreter
-
---
-
-*`threat.technique.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.technique.reference`*::
-+
---
-The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
-
-type: keyword
-
-example: https://attack.mitre.org/techniques/T1059/
-
---
-
-*`threat.technique.subtechnique.id`*::
-+
---
-The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
-
-type: keyword
-
-example: T1059.001
-
---
-
-*`threat.technique.subtechnique.name`*::
-+
---
-The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
-
-type: keyword
-
-example: PowerShell
-
---
-
-*`threat.technique.subtechnique.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.technique.subtechnique.reference`*::
-+
---
-The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
-
-type: keyword
-
-example: https://attack.mitre.org/techniques/T1059/001/
-
---
-
-[float]
-=== tls
-
-Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.
-
-
-*`tls.cipher`*::
-+
---
-String indicating the cipher used during the current connection.
-
-type: keyword
-
-example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-
---
-
-*`tls.client.certificate`*::
-+
---
-PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
-
-type: keyword
-
-example: MII...
-
---
-
-*`tls.client.certificate_chain`*::
-+
---
-Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
-
-type: keyword
-
-example: ["MII...", "MII..."]
-
---
-
-*`tls.client.hash.md5`*::
-+
---
-Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
-
---
-
-*`tls.client.hash.sha1`*::
-+
---
-Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 9E393D93138888D288266C2D915214D1D1CCEB2A
-
---
-
-*`tls.client.hash.sha256`*::
-+
---
-Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
-
---
-
-*`tls.client.issuer`*::
-+
---
-Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
-
-type: keyword
-
-example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
-
---
-
-*`tls.client.ja3`*::
-+
---
-A hash that identifies clients based on how they perform an SSL/TLS handshake.
-
-type: keyword
-
-example: d4e5b18d6b55c71272893221c96ba240
-
---
-
-*`tls.client.not_after`*::
-+
---
-Date/Time indicating when client certificate is no longer considered valid.
-
-type: date
-
-example: 2021-01-01T00:00:00.000Z
-
---
-
-*`tls.client.not_before`*::
-+
---
-Date/Time indicating when client certificate is first considered valid.
-
-type: date
-
-example: 1970-01-01T00:00:00.000Z
-
---
-
-*`tls.client.server_name`*::
-+
---
-Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.
-
-type: keyword
-
-example: www.elastic.co
-
---
-
-*`tls.client.subject`*::
-+
---
-Distinguished name of subject of the x.509 certificate presented by the client.
-
-type: keyword
-
-example: CN=myclient, OU=Documentation Team, DC=example, DC=com
-
---
-
-*`tls.client.supported_ciphers`*::
-+
---
-Array of ciphers offered by the client during the client hello.
-
-type: keyword
-
-example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]
-
---
-
-*`tls.client.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`tls.client.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`tls.client.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`tls.client.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`tls.client.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`tls.client.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`tls.client.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`tls.client.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`tls.client.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`tls.client.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`tls.client.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`tls.client.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`tls.client.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`tls.client.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`tls.client.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`tls.client.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`tls.client.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`tls.client.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`tls.client.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`tls.client.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`tls.client.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`tls.client.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`tls.client.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`tls.client.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`tls.curve`*::
-+
---
-String indicating the curve used for the given cipher, when applicable.
-
-type: keyword
-
-example: secp256r1
-
---
-
-*`tls.established`*::
-+
---
-Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
-
-type: boolean
-
---
-
-*`tls.next_protocol`*::
-+
---
-String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case.
-
-type: keyword
-
-example: http/1.1
-
---
-
-*`tls.resumed`*::
-+
---
-Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
-
-type: boolean
-
---
-
-*`tls.server.certificate`*::
-+
---
-PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.
-
-type: keyword
-
-example: MII...
-
---
-
-*`tls.server.certificate_chain`*::
-+
---
-Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
-
-type: keyword
-
-example: ["MII...", "MII..."]
-
---
-
-*`tls.server.hash.md5`*::
-+
---
-Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
-
---
-
-*`tls.server.hash.sha1`*::
-+
---
-Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 9E393D93138888D288266C2D915214D1D1CCEB2A
-
---
-
-*`tls.server.hash.sha256`*::
-+
---
-Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
-
---
-
-*`tls.server.issuer`*::
-+
---
-Subject of the issuer of the x.509 certificate presented by the server.
-
-type: keyword
-
-example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
-
---
-
-*`tls.server.ja3s`*::
-+
---
-A hash that identifies servers based on how they perform an SSL/TLS handshake.
-
-type: keyword
-
-example: 394441ab65754e2207b1e1b457b3641d
-
---
-
-*`tls.server.not_after`*::
-+
---
-Timestamp indicating when server certificate is no longer considered valid.
-
-type: date
-
-example: 2021-01-01T00:00:00.000Z
-
---
-
-*`tls.server.not_before`*::
-+
---
-Timestamp indicating when server certificate is first considered valid.
-
-type: date
-
-example: 1970-01-01T00:00:00.000Z
-
---
-
-*`tls.server.subject`*::
-+
---
-Subject of the x.509 certificate presented by the server.
-
-type: keyword
-
-example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
-
---
-
-*`tls.server.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`tls.server.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`tls.server.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`tls.server.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`tls.server.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`tls.server.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`tls.server.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`tls.server.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`tls.server.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`tls.server.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`tls.server.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`tls.server.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`tls.server.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`tls.server.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`tls.server.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`tls.server.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`tls.server.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`tls.server.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`tls.server.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`tls.server.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`tls.server.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`tls.server.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`tls.server.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`tls.server.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`tls.version`*::
-+
---
-Numeric part of the version parsed from the original string.
-
-type: keyword
-
-example: 1.2
-
---
-
-*`tls.version_protocol`*::
-+
---
-Normalized lowercase protocol name parsed from original string.
-
-type: keyword
-
-example: tls
-
---
-
-*`span.id`*::
-+
---
-Unique identifier of the span within the scope of its trace.
-A span represents an operation within a transaction, such as a request to another service, or a database query.
-
-type: keyword
-
-example: 3ff9a8981b7ccd5a
-
---
-
-*`trace.id`*::
-+
---
-Unique identifier of the trace.
-A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
-
-type: keyword
-
-example: 4bf92f3577b34da6a3ce929d0e0e4736
-
---
-
-*`transaction.id`*::
-+
---
-Unique identifier of the transaction within the scope of its trace.
-A transaction is the highest level of work measured within a service, such as a request to a server.
-
-type: keyword
-
-example: 00f067aa0ba902b7
-
---
-
-[float]
-=== url
-
-URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.
-
-
-*`url.domain`*::
-+
---
-Domain of the url, such as "www.elastic.co".
-In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
-If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
-
-type: keyword
-
-example: www.elastic.co
-
---
-
-*`url.extension`*::
-+
---
-The field contains the file extension from the original request url, excluding the leading dot.
-The file extension is only set if it exists, as not every url has a file extension.
-The leading period must not be included. For example, the value must be "png", not ".png".
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`url.fragment`*::
-+
---
-Portion of the url after the `#`, such as "top".
-The `#` is not part of the fragment.
-
-type: keyword
-
---
-
-*`url.full`*::
-+
---
-If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top
-
---
-
-*`url.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`url.original`*::
-+
---
-Unmodified original url as seen in the event source.
-Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
-This field is meant to represent the URL as it was observed, complete or not.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
-
---
-
-*`url.original.text`*::
-+
---
-type: match_only_text
-
---
-
-*`url.password`*::
-+
---
-Password of the request.
-
-type: keyword
-
---
-
-*`url.path`*::
-+
---
-Path of the request, such as "/search".
-
-type: wildcard
-
---
-
-*`url.port`*::
-+
---
-Port of the request, such as 443.
-
-type: long
-
-example: 443
-
-format: string
-
---
-
-*`url.query`*::
-+
---
-The query field describes the query string of the request, such as "q=elasticsearch".
-The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
-
-type: keyword
-
---
-
-*`url.registered_domain`*::
-+
---
-The highest registered url domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`url.scheme`*::
-+
---
-Scheme of the request, such as "https".
-Note: The `:` is not part of the scheme.
-
-type: keyword
-
-example: https
-
---
-
-*`url.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`url.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`url.username`*::
-+
---
-Username of the request.
-
-type: keyword
-
---
-
-[float]
-=== user
-
-The user fields describe information about the user that is relevant to the event.
-Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
-
-
-*`user.changes.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.changes.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`user.changes.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`user.changes.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.changes.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.changes.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`user.changes.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`user.changes.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`user.changes.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`user.changes.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`user.changes.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.changes.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-*`user.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.effective.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.effective.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`user.effective.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`user.effective.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.effective.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.effective.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`user.effective.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`user.effective.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`user.effective.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`user.effective.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`user.effective.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.effective.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-*`user.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`user.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`user.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`user.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`user.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`user.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`user.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`user.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-*`user.target.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.target.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`user.target.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`user.target.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.target.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.target.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`user.target.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`user.target.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`user.target.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`user.target.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`user.target.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.target.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-[float]
-=== user_agent
-
-The user_agent fields normally come from a browser request.
-They often show up in web service logs coming from the parsed user agent string.
-
-
-*`user_agent.device.name`*::
-+
---
-Name of the device.
-
-type: keyword
-
-example: iPhone
-
---
-
-*`user_agent.name`*::
-+
---
-Name of the user agent.
-
-type: keyword
-
-example: Safari
-
---
-
-*`user_agent.original`*::
-+
---
-Unparsed user_agent string.
-
-type: keyword
-
-example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
-
---
-
-*`user_agent.original.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user_agent.os.family`*::
-+
---
-OS family (such as redhat, debian, freebsd, windows).
-
-type: keyword
-
-example: debian
-
---
-
-*`user_agent.os.full`*::
-+
---
-Operating system name, including the version or code name.
-
-type: keyword
-
-example: Mac OS Mojave
-
---
-
-*`user_agent.os.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user_agent.os.kernel`*::
-+
---
-Operating system kernel version as a raw string.
-
-type: keyword
-
-example: 4.4.0-112-generic
-
---
-
-*`user_agent.os.name`*::
-+
---
-Operating system name, without the version.
-
-type: keyword
-
-example: Mac OS X
-
---
-
-*`user_agent.os.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user_agent.os.platform`*::
-+
---
-Operating system platform (such centos, ubuntu, windows).
-
-type: keyword
-
-example: darwin
-
---
-
-*`user_agent.os.type`*::
-+
---
-Use the `os.type` field to categorize the operating system into one of the broad commercial families.
-One of these following values should be used (lowercase): linux, macos, unix, windows.
-If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
-
-type: keyword
-
-example: macos
-
---
-
-*`user_agent.os.version`*::
-+
---
-Operating system version as a raw string.
-
-type: keyword
-
-example: 10.14.1
-
---
-
-*`user_agent.version`*::
-+
---
-Version of the user agent.
-
-type: keyword
-
-example: 12.0
-
---
-
-[float]
-=== vlan
-
-The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection.
-Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.
-Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor  (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging.
-Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.
-
-
-*`vlan.id`*::
-+
---
-VLAN ID as reported by the observer.
-
-type: keyword
-
-example: 10
-
---
-
-*`vlan.name`*::
-+
---
-Optional VLAN name as reported by the observer.
-
-type: keyword
-
-example: outside
-
---
-
-[float]
-=== vulnerability
-
-The vulnerability fields describe information about a vulnerability that is relevant to an event.
-
-
-*`vulnerability.category`*::
-+
---
-The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories])
-This field must be an array.
-
-type: keyword
-
-example: ["Firewall"]
-
---
-
-*`vulnerability.classification`*::
-+
---
-The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/)
-
-type: keyword
-
-example: CVSS
-
---
-
-*`vulnerability.description`*::
-+
---
-The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description])
-
-type: keyword
-
-example: In macOS before 2.12.6, there is a vulnerability in the RPC...
-
---
-
-*`vulnerability.description.text`*::
-+
---
-type: match_only_text
-
---
-
-*`vulnerability.enumeration`*::
-+
---
-The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/)
-
-type: keyword
-
-example: CVE
-
---
-
-*`vulnerability.id`*::
-+
---
-The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID]
-
-type: keyword
-
-example: CVE-2019-00001
-
---
-
-*`vulnerability.reference`*::
-+
---
-A resource that provides additional information, context, and mitigations for the identified vulnerability.
-
-type: keyword
-
-example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
-
---
-
-*`vulnerability.report_id`*::
-+
---
-The report or scan identification number.
-
-type: keyword
-
-example: 20191018.0001
-
---
-
-*`vulnerability.scanner.vendor`*::
-+
---
-The name of the vulnerability scanner vendor.
-
-type: keyword
-
-example: Tenable
-
---
-
-*`vulnerability.score.base`*::
-+
---
-Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
-Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)
-
-type: float
-
-example: 5.5
-
---
-
-*`vulnerability.score.environmental`*::
-+
---
-Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
-Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)
-
-type: float
-
-example: 5.5
-
---
-
-*`vulnerability.score.temporal`*::
-+
---
-Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
-Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document)
-
-type: float
-
---
-
-*`vulnerability.score.version`*::
-+
---
-The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.
-CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)
-
-type: keyword
-
-example: 2.0
-
---
-
-*`vulnerability.severity`*::
-+
---
-The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
-
-type: keyword
-
-example: Critical
-
---
-
-[float]
-=== x509
-
-This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.
-When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`).
-Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.
-
-
-*`x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-[[exported-fields-elasticsearch]]
-== Elasticsearch fields
-
-Elasticsearch module
-
-
-
-*`cluster_settings.cluster.metadata.display_name`*::
-+
---
-type: keyword
-
---
-
-
-*`index_recovery.shards.start_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.recovery.start_time.ms
-
---
-
-*`index_recovery.shards.stop_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.recovery.stop_time.ms
-
---
-
-*`index_recovery.shards.total_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.recovery.total_time.ms
-
---
-
-
-*`stack_stats.apm.found`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.stack.apm.found
-
---
-
-*`stack_stats.xpack.ccr.enabled`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.stack.xpack.ccr.enabled
-
---
-
-*`stack_stats.xpack.ccr.available`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.stack.xpack.ccr.available
-
---
-
-
-*`license.status`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.license.status
-
---
-
-*`license.type`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.license.type
-
---
-
-
-*`shard.primary`*::
-+
---
-type: alias
-
-alias to: elasticsearch.shard.primary
-
---
-
-*`shard.state`*::
-+
---
-type: alias
-
-alias to: elasticsearch.shard.state
-
---
-
-*`shard.index`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.name
-
---
-
-*`shard.node`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.id
-
---
-
-*`shard.shard`*::
-+
---
-type: alias
-
-alias to: elasticsearch.shard.number
-
---
-
-
-
-*`cluster_stats.indices.count`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.indices.total
-
---
-
-*`cluster_stats.indices.shards.total`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.indices.shards.count
-
---
-
-
-*`cluster_stats.nodes.count.total`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.nodes.count
-
---
-
-
-*`cluster_stats.nodes.jvm.max_uptime_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.nodes.jvm.max_uptime.ms
-
---
-
-*`cluster_stats.nodes.jvm.mem.heap_used_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.nodes.jvm.memory.heap.used.bytes
-
---
-
-*`cluster_stats.nodes.jvm.mem.heap_max_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.nodes.jvm.memory.heap.max.bytes
-
---
-
-
-*`cluster_state.nodes_hash`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.state.nodes_hash
-
---
-
-*`cluster_state.version`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.state.version
-
---
-
-*`cluster_state.master_node`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.state.master_node
-
---
-
-*`cluster_state.state_uuid`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.state.state_uuid
-
---
-
-*`cluster_state.status`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.stats.status
-
---
-
-*`timestamp`*::
-+
---
-type: alias
-
-alias to: @timestamp
-
---
-
-*`cluster_uuid`*::
-+
---
-type: alias
-
-alias to: elasticsearch.cluster.id
-
---
-
-
-*`source_node.uuid`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.id
-
---
-
-*`source_node.name`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.name
-
---
-
-*`job_stats.job_id`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ml.job.id
-
---
-
-*`job_stats.forecasts_stats.total`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ml.job.forecasts_stats.total
-
---
-
-
-*`index_stats.index`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.name
-
---
-
-
-*`index_stats.primaries.store.size_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.primaries.store.size_in_bytes
-
---
-
-*`index_stats.primaries.docs.count`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.primaries.docs.count
-
---
-
-*`index_stats.primaries.segments.count`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.primaries.segments.count
-
---
-
-*`index_stats.primaries.refresh.total_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.primaries.refresh.total_time_in_millis
-
---
-
-*`index_stats.primaries.merges.total_size_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.primaries.merges.total_size_in_bytes
-
---
-
-
-*`index_stats.primaries.indexing.index_total`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.primaries.indexing.index_total
-
---
-
-*`index_stats.primaries.indexing.index_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.primaries.indexing.index_time_in_millis
-
---
-
-*`index_stats.primaries.indexing.throttle_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.primaries.indexing.throttle_time_in_millis
-
---
-
-
-*`index_stats.total.query_cache.memory_size_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.query_cache.memory_size_in_bytes
-
---
-
-*`index_stats.total.fielddata.memory_size_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.fielddata.memory_size_in_bytes
-
---
-
-*`index_stats.total.request_cache.memory_size_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.request_cache.memory_size_in_bytes
-
---
-
-*`index_stats.total.merges.total_size_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.merges.total_size_in_bytes
-
---
-
-*`index_stats.total.refresh.total_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.refresh.total_time_in_millis
-
---
-
-*`index_stats.total.store.size_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.store.size_in_bytes
-
---
-
-
-*`index_stats.total.indexing.index_total`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.indexing.index_total
-
---
-
-*`index_stats.total.indexing.index_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.indexing.index_time_in_millis
-
---
-
-*`index_stats.total.indexing.throttle_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.indexing.throttle_time_in_millis
-
---
-
-
-*`index_stats.total.search.query_total`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.search.query_total
-
---
-
-*`index_stats.total.search.query_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.search.query_time_in_millis
-
---
-
-
-*`index_stats.total.segments.terms_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.segments.terms_memory_in_bytes
-
---
-
-*`index_stats.total.segments.points_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.segments.points_memory_in_bytes
-
---
-
-*`index_stats.total.segments.count`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.segments.count
-
---
-
-*`index_stats.total.segments.doc_values_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.segments.doc_values_memory_in_bytes
-
---
-
-*`index_stats.total.segments.norms_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.segments.norms_memory_in_bytes
-
---
-
-*`index_stats.total.segments.stored_fields_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.segments.stored_fields_memory_in_bytes
-
---
-
-*`index_stats.total.segments.fixed_bit_set_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.segments.fixed_bit_set_memory_in_bytes
-
---
-
-*`index_stats.total.segments.term_vectors_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.segments.term_vectors_memory_in_bytes
-
---
-
-*`index_stats.total.segments.version_map_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.segments.version_map_memory_in_bytes
-
---
-
-*`index_stats.total.segments.index_writer_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.segments.index_writer_memory_in_bytes
-
---
-
-*`index_stats.total.segments.memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.total.segments.memory_in_bytes
-
---
-
-
-*`ccr_auto_follow_stats.number_of_failed_follow_indices`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.auto_follow.failed.follow_indices.count
-
---
-
-*`ccr_auto_follow_stats.number_of_failed_remote_cluster_state_requests`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.auto_follow.failed.remote_cluster_state_requests.count
-
---
-
-*`ccr_auto_follow_stats.number_of_successful_follow_indices`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.auto_follow.success.follow_indices.count
-
---
-
-*`ccr_auto_follow_stats.follower.failed_read_requests`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.requests.failed.read.count
-
---
-
-
-*`ccr_stats.shard_id`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.follower.shard.number
-
---
-
-*`ccr_stats.remote_cluster`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.remote_cluster
-
---
-
-*`ccr_stats.leader_index`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.leader.index
-
---
-
-*`ccr_stats.follower_index`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.follower.index
-
---
-
-*`ccr_stats.leader_global_checkpoint`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.leader.global_checkpoint
-
---
-
-*`ccr_stats.leader_max_seq_no`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.leader.max_seq_no
-
---
-
-*`ccr_stats.follower_global_checkpoint`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.follower.global_checkpoint
-
---
-
-*`ccr_stats.follower_max_seq_no`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.follower.max_seq_no
-
---
-
-*`ccr_stats.last_requested_seq_no`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.last_requested_seq_no
-
---
-
-*`ccr_stats.outstanding_read_requests`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.requests.outstanding.read.count
-
---
-
-*`ccr_stats.outstanding_write_requests`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.requests.outstanding.write.count
-
---
-
-*`ccr_stats.write_buffer_operation_count`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.write_buffer.operation.count
-
---
-
-*`ccr_stats.write_buffer_size_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.write_buffer.size.bytes
-
---
-
-*`ccr_stats.follower_mapping_version`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.follower.mapping_version
-
---
-
-*`ccr_stats.follower_settings_version`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.follower.settings_version
-
---
-
-*`ccr_stats.follower_aliases_version`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.follower.aliases_version
-
---
-
-*`ccr_stats.total_read_time_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.total_time.read.ms
-
---
-
-*`ccr_stats.total_read_remote_exec_time_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.total_time.read.remote_exec.ms
-
---
-
-*`ccr_stats.successful_read_requests`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.requests.successful.read.count
-
---
-
-*`ccr_stats.failed_read_requests`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.requests.failed.read.count
-
---
-
-*`ccr_stats.operations_read`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.follower.operations.read.count
-
---
-
-*`ccr_stats.operations_written`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.follower.operations_written
-
---
-
-*`ccr_stats.bytes_read`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.bytes_read
-
---
-
-*`ccr_stats.total_write_time_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.total_time.write.ms
-
---
-
-*`ccr_stats.successful_write_requests`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.requests.successful.write.count
-
---
-
-*`ccr_stats.failed_write_requests`*::
-+
---
-type: alias
-
-alias to: elasticsearch.ccr.requests.failed.write.count
-
---
-
-
-
-
-*`node_stats.fs.total.available_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.fs.summary.available.bytes
-
---
-
-*`node_stats.fs.total.total_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.fs.summary.total.bytes
-
---
-
-
-*`node_stats.fs.summary.available.bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.fs.summary.available.bytes
-
---
-
-*`node_stats.fs.summary.total.bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.fs.summary.total.bytes
-
---
-
-
-
-*`node_stats.fs.io_stats.total.operations`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.fs.io_stats.total.operations.count
-
---
-
-*`node_stats.fs.io_stats.total.read_operations`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.fs.io_stats.total.read.operations.count
-
---
-
-*`node_stats.fs.io_stats.total.write_operations`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.fs.io_stats.total.write.operations.count
-
---
-
-
-
-*`node_stats.indices.store.size_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.store.size.bytes
-
---
-
-*`node_stats.indices.store.size.bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.store.size.bytes
-
---
-
-*`node_stats.indices.docs.count`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.docs.count
-
---
-
-
-*`node_stats.indices.indexing.index_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.indexing.index_time.ms
-
---
-
-*`node_stats.indices.indexing.index_total`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.indexing.index_total.count
-
---
-
-*`node_stats.indices.indexing.throttle_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.indexing.throttle_time.ms
-
---
-
-
-*`node_stats.indices.fielddata.memory_size_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.fielddata.memory.bytes
-
---
-
-
-*`node_stats.indices.query_cache.memory_size_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.query_cache.memory.bytes
-
---
-
-
-*`node_stats.indices.request_cache.memory_size_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.request_cache.memory.bytes
-
---
-
-
-*`node_stats.indices.search.query_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.search.query_time.ms
-
---
-
-*`node_stats.indices.search.query_total`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.search.query_total.count
-
---
-
-
-*`node_stats.indices.segments.count`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.segments.count
-
---
-
-*`node_stats.indices.segments.doc_values_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.segments.doc_values.memory.bytes
-
---
-
-*`node_stats.indices.segments.fixed_bit_set_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.segments.fixed_bit_set.memory.bytes
-
---
-
-*`node_stats.indices.segments.index_writer_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.segments.index_writer.memory.bytes
-
---
-
-*`node_stats.indices.segments.memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.segments.memory.bytes
-
---
-
-*`node_stats.indices.segments.norms_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.segments.norms.memory.bytes
-
---
-
-*`node_stats.indices.segments.points_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.segments.points.memory.bytes
-
---
-
-*`node_stats.indices.segments.stored_fields_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.segments.stored_fields.memory.bytes
-
---
-
-*`node_stats.indices.segments.term_vectors_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.segments.term_vectors.memory.bytes
-
---
-
-*`node_stats.indices.segments.terms_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.segments.terms.memory.bytes
-
---
-
-*`node_stats.indices.segments.version_map_memory_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.indices.segments.version_map.memory.bytes
-
---
-
-
-
-
-
-*`node_stats.jvm.gc.collectors.old.collection_count`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.jvm.gc.collectors.old.collection.count
-
---
-
-*`node_stats.jvm.gc.collectors.old.collection_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.jvm.gc.collectors.old.collection.ms
-
---
-
-
-*`node_stats.jvm.gc.collectors.young.collection_count`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.jvm.gc.collectors.young.collection.count
-
---
-
-*`node_stats.jvm.gc.collectors.young.collection_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.jvm.gc.collectors.young.collection.ms
-
---
-
-
-*`node_stats.jvm.mem.heap_max_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.jvm.mem.heap.max.bytes
-
---
-
-*`node_stats.jvm.mem.heap_used_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.jvm.mem.heap.used.bytes
-
---
-
-*`node_stats.jvm.mem.heap_used_percent`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.jvm.mem.heap.used.pct
-
---
-
-*`node_stats.node_id`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.id
-
---
-
-
-
-
-*`node_stats.os.cpu.load_average.1m`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.os.cpu.load_avg.1m
-
---
-
-
-
-*`node_stats.os.cgroup.cpuacct.usage_nanos`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.os.cgroup.cpuacct.usage.ns
-
---
-
-
-*`node_stats.os.cgroup.cpu.cfs_quota_micros`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.os.cgroup.cpu.cfs.quota.us
-
---
-
-
-*`node_stats.os.cgroup.cpu.stat.number_of_elapsed_periods`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.os.cgroup.cpu.stat.elapsed_periods.count
-
---
-
-*`node_stats.os.cgroup.cpu.stat.number_of_times_throttled`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.os.cgroup.cpu.stat.times_throttled.count
-
---
-
-*`node_stats.os.cgroup.cpu.stat.time_throttled_nanos`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.os.cgroup.cpu.stat.time_throttled.ns
-
---
-
-
-*`node_stats.os.cgroup.memory.control_group`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.os.cgroup.memory.control_group
-
---
-
-*`node_stats.os.cgroup.memory.limit_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.os.cgroup.memory.limit.bytes
-
---
-
-*`node_stats.os.cgroup.memory.usage_in_bytes`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.os.cgroup.memory.usage.bytes
-
---
-
-
-
-*`node_stats.process.cpu.percent`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.process.cpu.pct
-
---
-
-
-
-*`node_stats.thread_pool.bulk.queue`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.thread_pool.bulk.queue.count
-
---
-
-*`node_stats.thread_pool.bulk.rejected`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.thread_pool.bulk.rejected.count
-
---
-
-
-*`node_stats.thread_pool.get.queue`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.thread_pool.get.queue.count
-
---
-
-*`node_stats.thread_pool.get.rejected`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.thread_pool.get.rejected.count
-
---
-
-
-*`node_stats.thread_pool.index.queue`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.thread_pool.index.queue.count
-
---
-
-*`node_stats.thread_pool.index.rejected`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.thread_pool.index.rejected.count
-
---
-
-
-*`node_stats.thread_pool.search.queue`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.thread_pool.search.queue.count
-
---
-
-*`node_stats.thread_pool.search.rejected`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.thread_pool.search.rejected.count
-
---
-
-
-*`node_stats.thread_pool.write.queue`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.thread_pool.write.queue.count
-
---
-
-*`node_stats.thread_pool.write.rejected`*::
-+
---
-type: alias
-
-alias to: elasticsearch.node.stats.thread_pool.write.rejected.count
-
---
-
-
-
-
-
-*`indices_stats._all.primaries.indexing.index_total`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.summary.primaries.indexing.index.count
-
---
-
-*`indices_stats._all.primaries.indexing.index_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.summary.primaries.indexing.index.time.ms
-
---
-
-
-
-*`indices_stats._all.total.search.query_total`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.summary.total.search.query.count
-
---
-
-*`indices_stats._all.total.search.query_time_in_millis`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.summary.total.search.query.time.ms
-
---
-
-
-*`indices_stats._all.total.indexing.index_total`*::
-+
---
-type: alias
-
-alias to: elasticsearch.index.summary.total.indexing.index.count
-
---
-
-
-*`elasticsearch.cluster.name`*::
-+
---
-Elasticsearch cluster name.
-
-
-type: keyword
-
---
-
-*`elasticsearch.cluster.id`*::
-+
---
-Elasticsearch cluster id.
-
-
-type: keyword
-
---
-
-*`elasticsearch.cluster.state.id`*::
-+
---
-Elasticsearch state id.
-
-
-type: keyword
-
---
-
-
-*`elasticsearch.node.id`*::
-+
---
-Node ID
-
-
-type: keyword
-
---
-
-*`elasticsearch.node.name`*::
-+
---
-Node name.
-
-
-type: keyword
-
---
-
-*`elasticsearch.node.roles`*::
-+
---
-Node roles.
-
-
-type: keyword
-
---
-
-*`elasticsearch.node.master`*::
-+
---
-Is the node the master node?
-
-
-type: boolean
-
---
-
-*`elasticsearch.node.mlockall`*::
-+
---
-Is mlockall enabled on the node?
-
-
-type: boolean
-
---
-
-[float]
-=== ccr
-
-Cross-cluster replication stats
-
-
-
-*`elasticsearch.ccr.remote_cluster`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.ccr.bytes_read`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.ccr.last_requested_seq_no`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.ccr.shard_id`*::
-+
---
-type: integer
-
---
-
-
-*`elasticsearch.ccr.total_time.read.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.ccr.total_time.read.remote_exec.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.ccr.total_time.write.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.ccr.read_exceptions`*::
-+
---
-type: nested
-
---
-
-
-
-*`elasticsearch.ccr.requests.successful.read.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.ccr.requests.successful.write.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.ccr.requests.failed.read.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.ccr.requests.failed.write.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.ccr.requests.outstanding.read.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.ccr.requests.outstanding.write.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.ccr.write_buffer.size.bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.ccr.write_buffer.operation.count`*::
-+
---
-type: long
-
---
-
-
-
-*`elasticsearch.ccr.auto_follow.failed.follow_indices.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.ccr.auto_follow.failed.remote_cluster_state_requests.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.ccr.auto_follow.success.follow_indices.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.ccr.leader.index`*::
-+
---
-Name of leader index
-
-
-type: keyword
-
---
-
-*`elasticsearch.ccr.leader.max_seq_no`*::
-+
---
-Maximum sequence number of operation on the leader shard
-
-
-type: long
-
---
-
-*`elasticsearch.ccr.leader.global_checkpoint`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.ccr.follower.index`*::
-+
---
-Name of follower index
-
-
-type: keyword
-
---
-
-*`elasticsearch.ccr.follower.shard.number`*::
-+
---
-Number of the shard within the index
-
-
-type: long
-
---
-
-*`elasticsearch.ccr.follower.operations_written`*::
-+
---
-Number of operations indexed (replicated) into the follower shard from the leader shard
-
-
-type: long
-
---
-
-*`elasticsearch.ccr.follower.time_since_last_read.ms`*::
-+
---
-Time, in ms, since the follower last fetched from the leader
-
-
-type: long
-
---
-
-*`elasticsearch.ccr.follower.global_checkpoint`*::
-+
---
-Global checkpoint value on follower shard
-
-
-type: long
-
---
-
-*`elasticsearch.ccr.follower.max_seq_no`*::
-+
---
-Maximum sequence number of operation on the follower shard
-
-
-type: long
-
---
-
-*`elasticsearch.ccr.follower.mapping_version`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.ccr.follower.settings_version`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.ccr.follower.aliases_version`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.ccr.follower.operations.read.count`*::
-+
---
-type: long
-
---
-
-[float]
-=== cluster.stats
-
-Cluster stats
-
-
-
-*`elasticsearch.cluster.stats.version`*::
-+
---
-type: keyword
-
---
-
-
-*`elasticsearch.cluster.stats.state.nodes_hash`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.cluster.stats.state.master_node`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.cluster.stats.state.version`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.cluster.stats.state.state_uuid`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.cluster.stats.state.nodes`*::
-+
---
-type: flattened
-
---
-
-*`elasticsearch.cluster.stats.status`*::
-+
---
-Cluster status (green, yellow, red).
-
-type: keyword
-
---
-
-[float]
-=== nodes
-
-Nodes statistics.
-
-
-*`elasticsearch.cluster.stats.nodes.fs.total.bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.cluster.stats.nodes.fs.available.bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.cluster.stats.nodes.count`*::
-+
---
-Total number of nodes in cluster.
-
-type: long
-
---
-
-*`elasticsearch.cluster.stats.nodes.master`*::
-+
---
-Number of master-eligible nodes in cluster.
-
-type: long
-
---
-
-*`elasticsearch.cluster.stats.nodes.data`*::
-+
---
-Number of data nodes in cluster.
-
-type: long
-
---
-
-
-*`elasticsearch.cluster.stats.nodes.jvm.max_uptime.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.cluster.stats.nodes.jvm.memory.heap.max.bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.cluster.stats.nodes.jvm.memory.heap.used.bytes`*::
-+
---
-type: long
-
---
-
-[float]
-=== indices
-
-Indices statistics.
-
-
-
-*`elasticsearch.cluster.stats.indices.store.size.bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.cluster.stats.indices.store.total_data_set_size.bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.cluster.stats.indices.total`*::
-+
---
-Total number of indices in cluster.
-
-
-type: long
-
---
-
-[float]
-=== shards
-
-Shard statistics.
-
-
-
-*`elasticsearch.cluster.stats.indices.shards.docs.total`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.cluster.stats.indices.shards.count`*::
-+
---
-Total number of shards in cluster.
-
-
-type: long
-
---
-
-*`elasticsearch.cluster.stats.indices.shards.primaries`*::
-+
---
-Total number of primary shards in cluster.
-
-
-type: long
-
---
-
-*`elasticsearch.cluster.stats.indices.fielddata.memory.bytes`*::
-+
---
-Memory used for fielddata.
-
-
-type: long
-
---
-
-
-*`elasticsearch.cluster.stats.license.expiry_date_in_millis`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.cluster.stats.license.status`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.cluster.stats.license.type`*::
-+
---
-type: keyword
-
---
-
-
-*`elasticsearch.cluster.stats.stack.apm.found`*::
-+
---
-type: boolean
-
---
-
-*`elasticsearch.cluster.stats.stack.xpack.ccr.available`*::
-+
---
-type: boolean
-
---
-
-*`elasticsearch.cluster.stats.stack.xpack.ccr.enabled`*::
-+
---
-type: boolean
-
---
-
-[float]
-=== enrich
-
-Enrich stats
-
-
-
-
-*`elasticsearch.enrich.executing_policy.name`*::
-+
---
-type: keyword
-
---
-
-
-*`elasticsearch.enrich.executing_policy.task.id`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.enrich.executing_policy.task.task`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.enrich.executing_policy.task.action`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.enrich.executing_policy.task.cancellable`*::
-+
---
-type: boolean
-
---
-
-*`elasticsearch.enrich.executing_policy.task.parent_task_id`*::
-+
---
-type: keyword
-
---
-
-
-*`elasticsearch.enrich.executing_policy.task.time.start.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.enrich.executing_policy.task.time.running.nano`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.enrich.queue.size`*::
-+
---
-Number of search requests in the queue.
-
-
-type: long
-
---
-
-*`elasticsearch.enrich.executed_searches.total`*::
-+
---
-Number of search requests that enrich processors have executed since node startup.
-
-
-type: long
-
---
-
-
-*`elasticsearch.enrich.remote_requests.current`*::
-+
---
-Current number of outstanding remote requests.
-
-
-type: long
-
---
-
-*`elasticsearch.enrich.remote_requests.total`*::
-+
---
-Number of outstanding remote requests executed since node startup.
-
-
-type: long
-
---
-
-[float]
-=== index
-
-index
-
-
-
-*`elasticsearch.index.hidden`*::
-+
---
-type: boolean
-
---
-
-
-*`elasticsearch.index.shards.total`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.shards.primaries`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.uuid`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.index.status`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.index.tier_preference`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.index.creation_date`*::
-+
---
-type: date
-
---
-
-*`elasticsearch.index.version`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.index.name`*::
-+
---
-Index name.
-
-
-type: keyword
-
---
-
-
-
-*`elasticsearch.index.primaries.search.query_total`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.search.query_time_in_millis`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.primaries.request_cache.memory_size_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.request_cache.evictions`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.request_cache.hit_count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.request_cache.miss_count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.primaries.query_cache.memory_size_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.query_cache.hit_count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.query_cache.miss_count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.store.size_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.store.total_data_set_size_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.docs.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.docs.deleted`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.primaries.segments.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.segments.memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.segments.terms_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.segments.stored_fields_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.segments.term_vectors_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.segments.norms_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.segments.points_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.segments.doc_values_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.segments.index_writer_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.segments.version_map_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.segments.fixed_bit_set_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.refresh.total_time_in_millis`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.refresh.external_total_time_in_millis`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.merges.total_size_in_bytes`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.primaries.indexing.index_total`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.indexing.index_time_in_millis`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.primaries.indexing.throttle_time_in_millis`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.total.docs.count`*::
-+
---
-Total number of documents in the index.
-
-
-type: long
-
---
-
-*`elasticsearch.index.total.docs.deleted`*::
-+
---
-Total number of deleted documents in the index.
-
-
-type: long
-
---
-
-*`elasticsearch.index.total.store.size_in_bytes`*::
-+
---
-Total size of the index in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.index.total.store.total_data_set_size_in_bytes`*::
-+
---
-Total size of the index in bytes including backing data for partially mounted indices.
-
-
-type: long
-
-format: bytes
-
---
-
-
-*`elasticsearch.index.total.query_cache.memory_size_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.query_cache.evictions`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.query_cache.hit_count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.query_cache.miss_count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.fielddata.memory_size_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.fielddata.evictions`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.total.request_cache.memory_size_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.request_cache.evictions`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.request_cache.hit_count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.request_cache.miss_count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.merges.total_size_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.refresh.total_time_in_millis`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.refresh.external_total_time_in_millis`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.total.segments.memory_in_bytes`*::
-+
---
-Total number of memory used by the segments in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.index.total.segments.terms_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.segments.points_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.segments.count`*::
-+
---
-Total number of index segments.
-
-
-type: long
-
---
-
-*`elasticsearch.index.total.segments.doc_values_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.segments.norms_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.segments.stored_fields_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.segments.fixed_bit_set_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.segments.term_vectors_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.segments.version_map_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.segments.index_writer_memory_in_bytes`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.total.search.query_total`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.search.query_time_in_millis`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.total.indexing.index_total`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.indexing.index_time_in_millis`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.indexing.throttle_time_in_millis`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.total.bulk.total_size_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.bulk.avg_size_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.bulk.avg_time_in_millis`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.bulk.total_operations`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.total.bulk.total_time_in_millis`*::
-+
---
-type: long
-
---
-
-[float]
-=== index.recovery
-
-index
-
-
-
-
-
-*`elasticsearch.index.recovery.index.files.percent`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.index.recovery.index.files.recovered`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.recovery.index.files.reused`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.recovery.index.files.total`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.recovery.index.size.recovered_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.recovery.index.size.reused_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.recovery.index.size.total_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.recovery.name`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.index.recovery.total_time.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.recovery.stop_time.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.recovery.start_time.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.recovery.id`*::
-+
---
-Shard recovery id.
-
-
-type: long
-
---
-
-*`elasticsearch.index.recovery.type`*::
-+
---
-Shard recovery type.
-
-
-type: keyword
-
---
-
-*`elasticsearch.index.recovery.primary`*::
-+
---
-True if primary shard.
-
-
-type: boolean
-
---
-
-*`elasticsearch.index.recovery.stage`*::
-+
---
-Recovery stage.
-
-
-type: keyword
-
---
-
-
-*`elasticsearch.index.recovery.translog.percent`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.index.recovery.translog.total`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.recovery.translog.total_on_start`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.recovery.target.transport_address`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.index.recovery.target.id`*::
-+
---
-Target node id.
-
-
-type: keyword
-
---
-
-*`elasticsearch.index.recovery.target.host`*::
-+
---
-Target node host address (could be IP address or hostname).
-
-
-type: keyword
-
---
-
-*`elasticsearch.index.recovery.target.name`*::
-+
---
-Target node name.
-
-
-type: keyword
-
---
-
-*`elasticsearch.index.recovery.source.transport_address`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.index.recovery.source.id`*::
-+
---
-Source node id.
-
-
-type: keyword
-
---
-
-*`elasticsearch.index.recovery.source.host`*::
-+
---
-Source node host address (could be IP address or hostname).
-
-
-type: keyword
-
---
-
-*`elasticsearch.index.recovery.source.name`*::
-+
---
-Source node name.
-
-
-type: keyword
-
---
-
-
-*`elasticsearch.index.recovery.verify_index.check_index_time.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.recovery.verify_index.total_time.ms`*::
-+
---
-type: long
-
---
-
-[float]
-=== index.summary
-
-index
-
-
-
-
-*`elasticsearch.index.summary.primaries.docs.count`*::
-+
---
-Total number of documents in the index.
-
-
-type: long
-
---
-
-*`elasticsearch.index.summary.primaries.docs.deleted`*::
-+
---
-Total number of deleted documents in the index.
-
-
-type: long
-
---
-
-*`elasticsearch.index.summary.primaries.store.size.bytes`*::
-+
---
-Total size of the index in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.index.summary.primaries.store.total_data_set_size.bytes`*::
-+
---
-Total size of the index in bytes including backing data for partially mounted indices.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.index.summary.primaries.segments.count`*::
-+
---
-Total number of index segments.
-
-
-type: long
-
---
-
-*`elasticsearch.index.summary.primaries.segments.memory.bytes`*::
-+
---
-Total number of memory used by the segments in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-
-*`elasticsearch.index.summary.primaries.indexing.index.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.summary.primaries.indexing.index.time.ms`*::
-+
---
-type: long
-
---
-
-
-
-*`elasticsearch.index.summary.primaries.search.query.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.summary.primaries.search.query.time.ms`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.summary.primaries.bulk.operations.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.summary.primaries.bulk.size.bytes`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.summary.primaries.bulk.time.count.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.summary.primaries.bulk.time.avg.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.summary.primaries.bulk.time.avg.bytes`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.summary.total.docs.count`*::
-+
---
-Total number of documents in the index.
-
-
-type: long
-
---
-
-*`elasticsearch.index.summary.total.docs.deleted`*::
-+
---
-Total number of deleted documents in the index.
-
-
-type: long
-
---
-
-*`elasticsearch.index.summary.total.store.size.bytes`*::
-+
---
-Total size of the index in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.index.summary.total.store.total_data_set_size.bytes`*::
-+
---
-Total size of the index in bytes including backing data for partially mounted indices.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.index.summary.total.segments.count`*::
-+
---
-Total number of index segments.
-
-
-type: long
-
---
-
-*`elasticsearch.index.summary.total.segments.memory.bytes`*::
-+
---
-Total number of memory used by the segments in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-
-*`elasticsearch.index.summary.total.indexing.index.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.summary.total.indexing.is_throttled`*::
-+
---
-type: boolean
-
---
-
-*`elasticsearch.index.summary.total.indexing.throttle_time.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.summary.total.indexing.index.time.ms`*::
-+
---
-type: long
-
---
-
-
-
-*`elasticsearch.index.summary.total.search.query.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.summary.total.search.query.time.ms`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.summary.total.bulk.operations.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.summary.total.bulk.size.bytes`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.index.summary.total.bulk.time.avg.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.index.summary.total.bulk.time.avg.bytes`*::
-+
---
-type: long
-
---
-
-[float]
-=== ingest_pipeline
-
-Runtime metrics on ingest pipeline execution
-
-
-*`elasticsearch.ingest_pipeline.name`*::
-+
---
-Name / id of the ingest pipeline
-
-type: wildcard
-
---
-
-[float]
-=== total
-
-Metrics on the total ingest pipeline execution, including all processors.
-
-
-*`elasticsearch.ingest_pipeline.total.count`*::
-+
---
-Number of documents processed by this pipeline
-
-type: long
-
---
-
-*`elasticsearch.ingest_pipeline.total.failed`*::
-+
---
-Number of documented failed to process by this pipeline
-
-type: long
-
---
-
-*`elasticsearch.ingest_pipeline.total.time.total.ms`*::
-+
---
-Total time spent processing documents through this pipeline, inclusive of other pipelines called
-
-type: long
-
---
-
-*`elasticsearch.ingest_pipeline.total.time.self.ms`*::
-+
---
-Time spent processing documents through this pipeline, exclusive of other pipelines called
-
-type: long
-
---
-
-
-*`elasticsearch.ingest_pipeline.processor.type`*::
-+
---
-The type of ingest processor
-
-type: keyword
-
---
-
-*`elasticsearch.ingest_pipeline.processor.type_tag`*::
-+
---
-The type and the tag for this processor in the format "<type>:<tag>"
-
-type: keyword
-
---
-
-*`elasticsearch.ingest_pipeline.processor.order_index`*::
-+
---
-The order this processor appears in the pipeline definition
-
-type: long
-
---
-
-*`elasticsearch.ingest_pipeline.processor.count`*::
-+
---
-Number of documents processed by this processor
-
-type: long
-
---
-
-*`elasticsearch.ingest_pipeline.processor.failed`*::
-+
---
-Number of documented failed to process by this processor
-
-type: long
-
---
-
-*`elasticsearch.ingest_pipeline.processor.time.total.ms`*::
-+
---
-Total time spent processing documents through this processor
-
-type: long
-
---
-
-[float]
-=== ml.job
-
-ml
-
-
-
-*`elasticsearch.ml.job.id`*::
-+
---
-Unique ml job id.
-
-
-type: keyword
-
---
-
-*`elasticsearch.ml.job.state`*::
-+
---
-Job state.
-
-
-type: keyword
-
---
-
-*`elasticsearch.ml.job.forecasts_stats.total`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.ml.job.model_size.memory_status`*::
-+
---
-type: keyword
-
---
-
-
-*`elasticsearch.ml.job.data_counts.invalid_date_count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.ml.job.data_counts.processed_record_count`*::
-+
---
-Processed data events.
-
-type: long
-
---
-
-*`elasticsearch.ml.job.data.invalid_date.count`*::
-+
---
-The number of records with either a missing date field or a date that could not be parsed.
-
-
-type: long
-
---
-
-[float]
-=== node
-
-node
-
-
-
-*`elasticsearch.node.version`*::
-+
---
-Node version.
-
-
-type: keyword
-
---
-
-[float]
-=== jvm
-
-JVM Info.
-
-
-
-*`elasticsearch.node.jvm.version`*::
-+
---
-JVM version.
-
-
-type: keyword
-
---
-
-*`elasticsearch.node.jvm.memory.heap.init.bytes`*::
-+
---
-Heap init used by the JVM in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.jvm.memory.heap.max.bytes`*::
-+
---
-Heap max used by the JVM in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.jvm.memory.nonheap.init.bytes`*::
-+
---
-Non-Heap init used by the JVM in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.jvm.memory.nonheap.max.bytes`*::
-+
---
-Non-Heap max used by the JVM in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.process.mlockall`*::
-+
---
-If process locked in memory.
-
-
-type: boolean
-
---
-
-[float]
-=== node.stats
-
-Statistics about each node in a Elasticsearch cluster
-
-
-
-
-
-*`elasticsearch.node.stats.ingest.total.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.ingest.total.time_in_millis`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.ingest.total.current`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.ingest.total.failed`*::
-+
---
-type: long
-
---
-
-
-
-
-*`elasticsearch.node.stats.indices.bulk.avg_time.ms`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.indices.bulk.total_time.ms`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.indices.bulk.total_size.bytes`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.indices.bulk.avg_size.bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.bulk.operations.total.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.docs.count`*::
-+
---
-Total number of existing documents.
-
-
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.docs.deleted`*::
-+
---
-Total number of deleted documents.
-
-
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.segments.count`*::
-+
---
-Total number of segments.
-
-
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.segments.memory.bytes`*::
-+
---
-Total size of segments in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indices.store.size.bytes`*::
-+
---
-Total size of all shards assigned to this node in bytes.
-
-
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.store.total_data_set_size.bytes`*::
-+
---
-Total size of shards in bytes assigned to this node including backing data for partially mounted indices.
-
-
-type: long
-
---
-
-
-*`elasticsearch.node.stats.indices.fielddata.evictions.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.fielddata.memory.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-
-*`elasticsearch.node.stats.indices.flush.total_time.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.flush.total.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.indices.get.time.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.get.total.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.indices.indexing.index_time.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.indexing.index_total.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.indexing.throttle_time.ms`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.indices.merges.total_time.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.merges.total.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.indices.query_cache.memory.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-
-*`elasticsearch.node.stats.indices.refresh.total_time.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.refresh.total.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.indices.request_cache.memory.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-
-*`elasticsearch.node.stats.indices.search.query_time.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.search.query_total.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.search.fetch_time.ms`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.search.fetch_total.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.indices.shard_stats.total_count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.indices.segments.doc_values.memory.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indices.segments.fixed_bit_set.memory.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indices.segments.index_writer.memory.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indices.segments.norms.memory.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indices.segments.points.memory.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indices.segments.stored_fields.memory.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indices.segments.term_vectors.memory.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indices.segments.terms.memory.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indices.segments.version_map.memory.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-
-*`elasticsearch.node.stats.indices.translog.size.bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.indices.translog.operations.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.jvm.mem.heap.max.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-
-*`elasticsearch.node.stats.jvm.mem.heap.used.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.jvm.mem.heap.used.pct`*::
-+
---
-type: double
-
-format: percent
-
---
-
-*`elasticsearch.node.stats.jvm.threads.count`*::
-+
---
-type: long
-
---
-
-
-
-*`elasticsearch.node.stats.jvm.mem.pools.old.max.bytes`*::
-+
---
-Max bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.jvm.mem.pools.old.peak.bytes`*::
-+
---
-Peak bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.jvm.mem.pools.old.peak_max.bytes`*::
-+
---
-Peak max bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.jvm.mem.pools.old.used.bytes`*::
-+
---
-Used bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-
-*`elasticsearch.node.stats.jvm.mem.pools.young.max.bytes`*::
-+
---
-Max bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.jvm.mem.pools.young.peak.bytes`*::
-+
---
-Peak bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.jvm.mem.pools.young.peak_max.bytes`*::
-+
---
-Peak max bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.jvm.mem.pools.young.used.bytes`*::
-+
---
-Used bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-
-*`elasticsearch.node.stats.jvm.mem.pools.survivor.max.bytes`*::
-+
---
-Max bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.jvm.mem.pools.survivor.peak.bytes`*::
-+
---
-Peak bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.jvm.mem.pools.survivor.peak_max.bytes`*::
-+
---
-Peak max bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.jvm.mem.pools.survivor.used.bytes`*::
-+
---
-Used bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-
-
-*`elasticsearch.node.stats.jvm.gc.collectors.old.collection.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.jvm.gc.collectors.old.collection.ms`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.jvm.gc.collectors.young.collection.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.jvm.gc.collectors.young.collection.ms`*::
-+
---
-type: long
-
---
-
-
-
-*`elasticsearch.node.stats.fs.total.total_in_bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.fs.total.available_in_bytes`*::
-+
---
-type: long
-
---
-
-[float]
-=== summary
-
-File system summary
-
-
-
-*`elasticsearch.node.stats.fs.summary.total.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.fs.summary.free.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.fs.summary.available.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-
-
-*`elasticsearch.node.stats.fs.io_stats.total.operations.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.fs.io_stats.total.read.operations.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.fs.io_stats.total.write.operations.count`*::
-+
---
-type: long
-
---
-
-
-
-*`elasticsearch.node.stats.os.cpu.load_avg.1m`*::
-+
---
-type: half_float
-
---
-
-
-*`elasticsearch.node.stats.os.cgroup.cpuacct.usage.ns`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.os.cgroup.cpu.cfs.quota.us`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.os.cgroup.cpu.stat.elapsed_periods.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.os.cgroup.cpu.stat.times_throttled.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.os.cgroup.cpu.stat.time_throttled.ns`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.os.cgroup.memory.control_group`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.node.stats.os.cgroup.memory.limit.bytes`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.node.stats.os.cgroup.memory.usage.bytes`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.node.stats.process.cpu.pct`*::
-+
---
-type: double
-
-format: percent
-
---
-
-*`elasticsearch.node.stats.process.mem.total_virtual.bytes`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.process.open_file_descriptors`*::
-+
---
-type: long
-
---
-
-
-
-*`elasticsearch.node.stats.transport.rx.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.transport.rx.size.bytes`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.transport.tx.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.transport.tx.size.bytes`*::
-+
---
-type: long
-
---
-
-
-
-*`elasticsearch.node.stats.thread_pool.bulk.active.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.bulk.queue.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.bulk.rejected.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.thread_pool.esql_worker.active.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.esql_worker.queue.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.esql_worker.rejected.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.thread_pool.force_merge.active.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.force_merge.queue.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.force_merge.rejected.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.thread_pool.flush.active.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.flush.queue.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.flush.rejected.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.thread_pool.get.active.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.get.queue.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.get.rejected.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.thread_pool.index.active.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.index.queue.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.index.rejected.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.thread_pool.search.active.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.search.queue.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.search.rejected.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.thread_pool.search_worker.active.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.search_worker.queue.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.search_worker.rejected.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.thread_pool.snapshot.active.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.snapshot.queue.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.snapshot.rejected.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.thread_pool.system_read.active.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.system_read.queue.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.system_read.rejected.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.thread_pool.system_write.active.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.system_write.queue.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.system_write.rejected.count`*::
-+
---
-type: long
-
---
-
-
-*`elasticsearch.node.stats.thread_pool.write.active.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.write.queue.count`*::
-+
---
-type: long
-
---
-
-*`elasticsearch.node.stats.thread_pool.write.rejected.count`*::
-+
---
-type: long
-
---
-
-
-
-*`elasticsearch.node.stats.indexing_pressure.memory.current.combined_coordinating_and_primary.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indexing_pressure.memory.total.primary.rejections`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indexing_pressure.memory.total.primary.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indexing_pressure.memory.total.coordinating.rejections`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indexing_pressure.memory.total.coordinating.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indexing_pressure.memory.total.replica.rejections`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indexing_pressure.memory.total.replica.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indexing_pressure.memory.total.combined_coordinating_and_primary.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indexing_pressure.memory.current.coordinating.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indexing_pressure.memory.current.primary.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indexing_pressure.memory.current.replica.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indexing_pressure.memory.current.all.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indexing_pressure.memory.total.all.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`elasticsearch.node.stats.indexing_pressure.memory.limit_in_bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-[float]
-=== cluster.pending_task
-
-`cluster.pending_task` contains a pending task description.
-
-
-
-*`elasticsearch.cluster.pending_task.insert_order`*::
-+
---
-Insert order
-
-
-type: long
-
---
-
-*`elasticsearch.cluster.pending_task.priority`*::
-+
---
-Priority
-
-
-type: long
-
---
-
-*`elasticsearch.cluster.pending_task.source`*::
-+
---
-Source. For example: put-mapping
-
-
-type: keyword
-
---
-
-*`elasticsearch.cluster.pending_task.time_in_queue.ms`*::
-+
---
-Time in queue
-
-
-type: long
-
---
-
-[float]
-=== shard
-
-shard fields
-
-
-
-*`elasticsearch.shard.primary`*::
-+
---
-True if this is the primary shard.
-
-
-type: boolean
-
---
-
-*`elasticsearch.shard.number`*::
-+
---
-The number of this shard.
-
-
-type: long
-
---
-
-*`elasticsearch.shard.state`*::
-+
---
-The state of this shard.
-
-
-type: keyword
-
---
-
-*`elasticsearch.shard.relocating_node.name`*::
-+
---
-The node the shard was relocated from.
-
-
-type: keyword
-
---
-
-*`elasticsearch.shard.relocating_node.id`*::
-+
---
-The node the shard was relocated from. It has the exact same value than relocating_node.name for compatibility purposes.
-
-
-type: keyword
-
---
-
-
-*`elasticsearch.shard.source_node.name`*::
-+
---
-type: keyword
-
---
-
-*`elasticsearch.shard.source_node.uuid`*::
-+
---
-type: keyword
-
---
-
-[[exported-fields-envoyproxy]]
-== Envoyproxy fields
-
-envoyproxy module
-
-
-
-[float]
-=== envoyproxy
-
-
-
-
-[float]
-=== server
-
-Contains envoy proxy server stats
-
-
-
-
-*`envoyproxy.server.cluster_manager.active_clusters`*::
-+
---
-Number of currently active (warmed) clusters
-
-
-type: integer
-
---
-
-*`envoyproxy.server.cluster_manager.cluster_added`*::
-+
---
-Total clusters added (either via static config or CDS)
-
-
-type: integer
-
---
-
-*`envoyproxy.server.cluster_manager.cluster_modified`*::
-+
---
-Total clusters modified (via CDS)
-
-
-type: integer
-
---
-
-*`envoyproxy.server.cluster_manager.cluster_removed`*::
-+
---
-Total clusters removed (via CDS)
-
-
-type: integer
-
---
-
-*`envoyproxy.server.cluster_manager.warming_clusters`*::
-+
---
-Number of currently warming (not active) clusters
-
-
-type: integer
-
---
-
-*`envoyproxy.server.cluster_manager.cluster_updated`*::
-+
---
-Total cluster updates
-
-
-type: integer
-
---
-
-*`envoyproxy.server.cluster_manager.cluster_updated_via_merge`*::
-+
---
-Total cluster updates applied as merged updates
-
-
-type: integer
-
---
-
-*`envoyproxy.server.cluster_manager.update_merge_cancelled`*::
-+
---
-Total merged updates that got cancelled and delivered early
-
-
-type: integer
-
---
-
-*`envoyproxy.server.cluster_manager.update_out_of_merge_window`*::
-+
---
-Total updates which arrived out of a merge window
-
-
-type: integer
-
---
-
-
-*`envoyproxy.server.filesystem.flushed_by_timer`*::
-+
---
-Total number of times internal flush buffers are written to a file due to flush timeout
-
-
-type: integer
-
---
-
-*`envoyproxy.server.filesystem.reopen_failed`*::
-+
---
-Total number of times a file was failed to be opened
-
-
-type: integer
-
---
-
-*`envoyproxy.server.filesystem.write_buffered`*::
-+
---
-Total number of times file data is moved to Envoys internal flush buffer
-
-
-type: integer
-
---
-
-*`envoyproxy.server.filesystem.write_completed`*::
-+
---
-Total number of times a file was written
-
-
-type: integer
-
---
-
-*`envoyproxy.server.filesystem.write_total_buffered`*::
-+
---
-Current total size of internal flush buffer in bytes
-
-
-type: integer
-
---
-
-*`envoyproxy.server.filesystem.write_failed`*::
-+
---
-Total number of times an error occurred during a file write operation
-
-
-type: integer
-
---
-
-
-*`envoyproxy.server.runtime.load_error`*::
-+
---
-Total number of load attempts that resulted in an error in any layer
-
-
-type: integer
-
---
-
-*`envoyproxy.server.runtime.load_success`*::
-+
---
-Total number of load attempts that were successful at all layers
-
-
-type: integer
-
---
-
-*`envoyproxy.server.runtime.num_keys`*::
-+
---
-Number of keys currently loaded
-
-
-type: integer
-
---
-
-*`envoyproxy.server.runtime.override_dir_exists`*::
-+
---
-Total number of loads that did use an override directory
-
-
-type: integer
-
---
-
-*`envoyproxy.server.runtime.override_dir_not_exists`*::
-+
---
-Total number of loads that did not use an override directory
-
-
-type: integer
-
---
-
-*`envoyproxy.server.runtime.admin_overrides_active`*::
-+
---
-1 if any admin overrides are active otherwise 0
-
-
-type: integer
-
---
-
-*`envoyproxy.server.runtime.deprecated_feature_use`*::
-+
---
-Total number of times deprecated features were used.
-
-
-type: integer
-
---
-
-*`envoyproxy.server.runtime.num_layers`*::
-+
---
-Number of layers currently active (without loading errors)
-
-
-type: integer
-
---
-
-
-*`envoyproxy.server.listener_manager.listener_added`*::
-+
---
-Total listeners added (either via static config or LDS)
-
-
-type: integer
-
---
-
-*`envoyproxy.server.listener_manager.listener_create_failure`*::
-+
---
-Total failed listener object additions to workers
-
-
-type: integer
-
---
-
-*`envoyproxy.server.listener_manager.listener_create_success`*::
-+
---
-Total listener objects successfully added to workers
-
-
-type: integer
-
---
-
-*`envoyproxy.server.listener_manager.listener_modified`*::
-+
---
-Total listeners modified (via LDS)
-
-
-type: integer
-
---
-
-*`envoyproxy.server.listener_manager.listener_removed`*::
-+
---
-Total listeners removed (via LDS)
-
-
-type: integer
-
---
-
-*`envoyproxy.server.listener_manager.total_listeners_active`*::
-+
---
-Number of currently active listeners
-
-
-type: integer
-
---
-
-*`envoyproxy.server.listener_manager.total_listeners_draining`*::
-+
---
-Number of currently draining listeners
-
-
-type: integer
-
---
-
-*`envoyproxy.server.listener_manager.total_listeners_warming`*::
-+
---
-Number of currently warming listeners
-
-
-type: integer
-
---
-
-*`envoyproxy.server.listener_manager.listener_stopped`*::
-+
---
-Total listeners stopped
-
-
-type: integer
-
---
-
-
-*`envoyproxy.server.stats.overflow`*::
-+
---
-Total number of times Envoy cannot allocate a statistic due to a shortage of shared memory
-
-
-type: integer
-
---
-
-
-*`envoyproxy.server.server.days_until_first_cert_expiring`*::
-+
---
-Number of days until the next certificate being managed will expire
-
-
-type: integer
-
---
-
-*`envoyproxy.server.server.live`*::
-+
---
-1 if the server is not currently draining, 0 otherwise
-
-
-type: integer
-
---
-
-*`envoyproxy.server.server.memory_allocated`*::
-+
---
-Current amount of allocated memory in bytes
-
-
-type: integer
-
---
-
-*`envoyproxy.server.server.memory_heap_size`*::
-+
---
-Current reserved heap size in bytes
-
-
-type: integer
-
---
-
-*`envoyproxy.server.server.parent_connections`*::
-+
---
-Total connections of the old Envoy process on hot restart
-
-
-type: integer
-
---
-
-*`envoyproxy.server.server.total_connections`*::
-+
---
-Total connections of both new and old Envoy processes
-
-
-type: integer
-
---
-
-*`envoyproxy.server.server.uptime`*::
-+
---
-Current server uptime in seconds
-
-
-type: integer
-
---
-
-*`envoyproxy.server.server.version`*::
-+
---
-Integer represented version number based on SCM revision
-
-
-type: integer
-
---
-
-*`envoyproxy.server.server.watchdog_mega_miss`*::
-+
---
-type: integer
-
---
-
-*`envoyproxy.server.server.watchdog_miss`*::
-+
---
-type: integer
-
---
-
-*`envoyproxy.server.server.hot_restart_epoch`*::
-+
---
-Current hot restart epoch
-
-
-type: integer
-
---
-
-*`envoyproxy.server.server.concurrency`*::
-+
---
-Number of worker threads
-
-
-type: integer
-
---
-
-*`envoyproxy.server.server.debug_assertion_failures`*::
-+
---
-type: integer
-
---
-
-*`envoyproxy.server.server.dynamic_unknown_fields`*::
-+
---
-Number of messages in dynamic configuration with unknown fields
-
-
-type: integer
-
---
-
-*`envoyproxy.server.server.state`*::
-+
---
-Current state of the Server
-
-
-type: integer
-
---
-
-*`envoyproxy.server.server.static_unknown_fields`*::
-+
---
-Number of messages in static configuration with unknown fields
-
-
-type: integer
-
---
-
-*`envoyproxy.server.server.stats_recent_lookups`*::
-+
---
-type: integer
-
---
-
-
-*`envoyproxy.server.http2.header_overflow`*::
-+
---
-Total number of connections reset due to the headers being larger than Envoy::Http::Http2::ConnectionImpl::StreamImpl::MAX_HEADER_SIZE (63k)
-
-
-type: integer
-
---
-
-*`envoyproxy.server.http2.headers_cb_no_stream`*::
-+
---
-Total number of errors where a header callback is called without an associated stream. This tracks an unexpected occurrence due to an as yet undiagnosed bug
-
-
-type: integer
-
---
-
-*`envoyproxy.server.http2.rx_messaging_error`*::
-+
---
-Total number of invalid received frames that violated section 8 of the HTTP/2 spec. This will result in a tx_reset
-
-
-type: integer
-
---
-
-*`envoyproxy.server.http2.rx_reset`*::
-+
---
-Total number of reset stream frames received by Envoy
-
-
-type: integer
-
---
-
-*`envoyproxy.server.http2.too_many_header_frames`*::
-+
---
-Total number of times an HTTP2 connection is reset due to receiving too many headers frames. Envoy currently supports proxying at most one header frame for 100-Continue one non-100 response code header frame and one frame with trailers
-
-
-type: integer
-
---
-
-*`envoyproxy.server.http2.trailers`*::
-+
---
-Total number of trailers seen on requests coming from downstream
-
-
-type: integer
-
---
-
-*`envoyproxy.server.http2.tx_reset`*::
-+
---
-Total number of reset stream frames transmitted by Envoy
-
-
-type: integer
-
---
-
-[[exported-fields-etcd]]
-== Etcd fields
-
-etcd Module
-
-
-
-[float]
-=== etcd
-
-`etcd` contains statistics that were read from Etcd
-
-
-
-*`etcd.api_version`*::
-+
---
-Etcd API version for metrics retrieval
-
-
-type: keyword
-
---
-
-[float]
-=== leader
-
-Contains etcd leader statistics.
-
-
-
-[float]
-=== follower
-
-Contains follower statistics.
-
-
-
-*`etcd.leader.follower.id`*::
-+
---
-ID of follower
-
-type: keyword
-
---
-
-[float]
-=== latency
-
-latency to each peer in the cluster
-
-
-
-*`etcd.leader.follower.latency.ms`*::
-+
---
-type: scaled_float
-
---
-
-*`etcd.leader.follower.success_operations`*::
-+
---
-successful Raft RPC requests
-
-type: integer
-
---
-
-*`etcd.leader.follower.failed_operations`*::
-+
---
-failed Raft RPC requests
-
-type: integer
-
---
-
-*`etcd.leader.follower.leader`*::
-+
---
-ID of actual leader
-
-type: keyword
-
---
-
-[float]
-=== server
-
-Server metrics from the Etcd V3 /metrics endpoint
-
-
-
-*`etcd.server.has_leader`*::
-+
---
-Whether a leader exists in the cluster
-
-
-type: byte
-
---
-
-*`etcd.server.leader_changes.count`*::
-+
---
-Number of leader changes seen at the cluster
-
-
-type: long
-
---
-
-*`etcd.server.proposals_committed.count`*::
-+
---
-Number of consensus proposals commited
-
-
-type: long
-
---
-
-*`etcd.server.proposals_pending.count`*::
-+
---
-Number of consensus proposals pending
-
-
-type: long
-
---
-
-*`etcd.server.proposals_failed.count`*::
-+
---
-Number of consensus proposals failed
-
-
-type: long
-
---
-
-*`etcd.server.grpc_started.count`*::
-+
---
-Number of sent gRPC requests
-
-
-type: long
-
---
-
-*`etcd.server.grpc_handled.count`*::
-+
---
-Number of received gRPC requests
-
-
-type: long
-
---
-
-[float]
-=== disk
-
-Disk metrics from the Etcd V3 /metrics endpoint
-
-
-
-*`etcd.disk.mvcc_db_total_size.bytes`*::
-+
---
-Size of stored data at MVCC
-
-
-type: long
-
-format: bytes
-
---
-
-*`etcd.disk.wal_fsync_duration.ns.bucket.*`*::
-+
---
-Latency for writing ahead logs to disk
-
-
-type: object
-
---
-
-*`etcd.disk.wal_fsync_duration.ns.count`*::
-+
---
-Write ahead logs count
-
-
-type: long
-
---
-
-*`etcd.disk.wal_fsync_duration.ns.sum`*::
-+
---
-Write ahead logs latency sum
-
-
-type: long
-
---
-
-*`etcd.disk.backend_commit_duration.ns.bucket.*`*::
-+
---
-Latency for writing backend changes to disk
-
-
-type: object
-
---
-
-*`etcd.disk.backend_commit_duration.ns.count`*::
-+
---
-Backend commits count
-
-
-type: long
-
---
-
-*`etcd.disk.backend_commit_duration.ns.sum`*::
-+
---
-Backend commits latency sum
-
-
-type: long
-
---
-
-[float]
-=== memory
-
-Memory metrics from the Etcd V3 /metrics endpoint
-
-
-
-*`etcd.memory.go_memstats_alloc.bytes`*::
-+
---
-Memory allocated bytes as of MemStats Go
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== network
-
-Network metrics from the Etcd V3 /metrics endpoint
-
-
-
-*`etcd.network.client_grpc_sent.bytes`*::
-+
---
-gRPC sent bytes total
-
-
-type: long
-
-format: bytes
-
---
-
-*`etcd.network.client_grpc_received.bytes`*::
-+
---
-gRPC received bytes total
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== self
-
-Contains etcd self statistics.
-
-
-
-*`etcd.self.id`*::
-+
---
-the unique identifier for the member
-
-
-type: keyword
-
---
-
-*`etcd.self.leaderinfo.leader`*::
-+
---
-id of the current leader member
-
-
-type: keyword
-
---
-
-*`etcd.self.leaderinfo.starttime`*::
-+
---
-the time when this node was started
-
-
-type: keyword
-
---
-
-*`etcd.self.leaderinfo.uptime`*::
-+
---
-amount of time the leader has been leader
-
-
-type: keyword
-
---
-
-*`etcd.self.name`*::
-+
---
-this member's name
-
-
-type: keyword
-
---
-
-*`etcd.self.recv.appendrequest.count`*::
-+
---
-number of append requests this node has processed
-
-
-type: integer
-
---
-
-*`etcd.self.recv.bandwidthrate`*::
-+
---
-number of bytes per second this node is receiving (follower only)
-
-
-type: scaled_float
-
---
-
-*`etcd.self.recv.pkgrate`*::
-+
---
-number of requests per second this node is receiving (follower only)
-
-
-type: scaled_float
-
---
-
-*`etcd.self.send.appendrequest.count`*::
-+
---
-number of requests that this node has sent
-
-
-type: integer
-
---
-
-*`etcd.self.send.bandwidthrate`*::
-+
---
-number of bytes per second this node is sending (leader only). This value is undefined on single member clusters.
-
-
-type: scaled_float
-
---
-
-*`etcd.self.send.pkgrate`*::
-+
---
-number of requests per second this node is sending (leader only). This value is undefined on single member clusters.
-
-
-type: scaled_float
-
---
-
-*`etcd.self.starttime`*::
-+
---
-the time when this node was started
-
-
-type: keyword
-
---
-
-*`etcd.self.state`*::
-+
---
-either leader or follower
-
-
-type: keyword
-
---
-
-[float]
-=== store
-
-The store statistics include information about the operations that this node has handled.
-
-
-
-*`etcd.store.gets.success`*::
-+
---
-type: integer
-
---
-
-*`etcd.store.gets.fail`*::
-+
---
-type: integer
-
---
-
-*`etcd.store.sets.success`*::
-+
---
-type: integer
-
---
-
-*`etcd.store.sets.fail`*::
-+
---
-type: integer
-
---
-
-*`etcd.store.delete.success`*::
-+
---
-type: integer
-
---
-
-*`etcd.store.delete.fail`*::
-+
---
-type: integer
-
---
-
-*`etcd.store.update.success`*::
-+
---
-type: integer
-
---
-
-*`etcd.store.update.fail`*::
-+
---
-type: integer
-
---
-
-*`etcd.store.create.success`*::
-+
---
-type: integer
-
---
-
-*`etcd.store.create.fail`*::
-+
---
-type: integer
-
---
-
-*`etcd.store.compareandswap.success`*::
-+
---
-type: integer
-
---
-
-*`etcd.store.compareandswap.fail`*::
-+
---
-type: integer
-
---
-
-*`etcd.store.compareanddelete.success`*::
-+
---
-type: integer
-
---
-
-*`etcd.store.compareanddelete.fail`*::
-+
---
-type: integer
-
---
-
-*`etcd.store.expire.count`*::
-+
---
-type: integer
-
---
-
-*`etcd.store.watchers`*::
-+
---
-type: integer
-
---
-
-[[exported-fields-gcp]]
-== Google Cloud Platform fields
-
-GCP module
-
-
-
-
-*`gcp.labels`*::
-+
---
-GCP monitoring metrics labels
-
-
-type: object
-
---
-
-*`gcp.metrics.*.*.*.*`*::
-+
---
-Metrics that returned from Google Cloud API query.
-
-
-type: object
-
---
-
-[float]
-=== billing
-
-Google Cloud Billing metrics
-
-
-*`gcp.billing.cost_type`*::
-+
---
-Cost types include regular, tax, adjustment, and rounding_error.
-
-type: keyword
-
---
-
-*`gcp.billing.invoice_month`*::
-+
---
-Billing report month.
-
-type: keyword
-
---
-
-*`gcp.billing.project_id`*::
-+
---
-Project ID of the billing report belongs to.
-
-type: keyword
-
---
-
-*`gcp.billing.total`*::
-+
---
-Total billing amount.
-
-type: float
-
---
-
-*`gcp.billing.sku_id`*::
-+
---
-The ID of the resource used by the service.
-
-type: keyword
-
---
-
-*`gcp.billing.sku_description`*::
-+
---
-A description of the resource type used by the service. For example, a resource type for Cloud Storage is Standard Storage US.
-
-type: keyword
-
---
-
-*`gcp.billing.service_id`*::
-+
---
-The ID of the service that the usage is associated with.
-
-type: keyword
-
---
-
-*`gcp.billing.service_description`*::
-+
---
-The Google Cloud service that reported the Cloud Billing data.
-
-type: keyword
-
---
-
-*`gcp.billing.tags`*::
-+
---
-A collection of key-value pairs that provide additional metadata.
-
-type: nested
-
---
-
-*`gcp.billing.effective_price`*::
-+
---
-The charged price for usage of the Google Cloud SKUs and SKU tiers. Reflects contract pricing if applicable, otherwise, it's the list price.
-
-type: float
-
---
-
-[float]
-=== carbon
-
-Google Cloud Carbon Footprint metrics
-
-
-*`gcp.carbon.project_id`*::
-+
---
-Project ID the carbon footprint report belongs to.
-
-type: keyword
-
---
-
-*`gcp.carbon.project_name`*::
-+
---
-Project name the carbon footprint report belongs to.
-
-type: keyword
-
---
-
-*`gcp.carbon.service_id`*::
-+
---
-Service ID for the carbon footprint usage.
-
-type: keyword
-
---
-
-*`gcp.carbon.service_description`*::
-+
---
-Service description for the carbon footprint usage.
-
-type: keyword
-
---
-
-*`gcp.carbon.region`*::
-+
---
-Region for the carbon fooprint usage.
-
-type: keyword
-
---
-
-*`gcp.carbon.footprint.scope1`*::
-+
---
-Scope 1 carbon footprint.
-
-type: float
-
---
-
-*`gcp.carbon.footprint.scope2.location`*::
-+
---
-Scope 2 carbon footprint using location-based methodology.
-
-type: float
-
---
-
-*`gcp.carbon.footprint.scope2.market`*::
-+
---
-Scope 2 carbon footprint using market-based methodology.
-
-type: float
-
---
-
-*`gcp.carbon.footprint.scope3`*::
-+
---
-Scope 3 carbon footprint.
-
-type: float
-
---
-
-*`gcp.carbon.footprint.offsets`*::
-+
---
-Total carbon offsets.
-
-type: float
-
---
-
-[float]
-=== compute
-
-Google Cloud Compute metrics
-
-
-*`gcp.compute.firewall.dropped.bytes`*::
-+
---
-Incoming bytes dropped by the firewall
-
-type: long
-
---
-
-*`gcp.compute.firewall.dropped_packets_count.value`*::
-+
---
-Incoming packets dropped by the firewall
-
-type: long
-
---
-
-*`gcp.compute.instance.cpu.reserved_cores.value`*::
-+
---
-Number of cores reserved on the host of the instance
-
-type: double
-
---
-
-*`gcp.compute.instance.cpu.usage_time.sec`*::
-+
---
-Usage for all cores in seconds
-
-type: double
-
---
-
-*`gcp.compute.instance.cpu.usage.pct`*::
-+
---
-The fraction of the allocated CPU that is currently in use on the instance
-
-type: double
-
---
-
-*`gcp.compute.instance.disk.read.bytes`*::
-+
---
-Count of bytes read from disk
-
-type: long
-
---
-
-*`gcp.compute.instance.disk.read_ops_count.value`*::
-+
---
-Count of disk read IO operations
-
-type: long
-
---
-
-*`gcp.compute.instance.disk.write.bytes`*::
-+
---
-Count of bytes written to disk
-
-type: long
-
---
-
-*`gcp.compute.instance.disk.write_ops_count.value`*::
-+
---
-Count of disk write IO operations
-
-type: long
-
---
-
-*`gcp.compute.instance.memory.balloon.ram_size.value`*::
-+
---
-The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family.
-
-type: long
-
---
-
-*`gcp.compute.instance.memory.balloon.ram_used.value`*::
-+
---
-Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family.
-
-type: long
-
---
-
-*`gcp.compute.instance.memory.balloon.swap_in.bytes`*::
-+
---
-The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family.
-
-type: long
-
---
-
-*`gcp.compute.instance.memory.balloon.swap_out.bytes`*::
-+
---
-The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family.
-
-type: long
-
---
-
-*`gcp.compute.instance.network.ingress.bytes`*::
-+
---
-Count of bytes received from the network
-
-type: long
-
---
-
-*`gcp.compute.instance.network.ingress.packets.count`*::
-+
---
-Count of packets received from the network
-
-type: long
-
---
-
-*`gcp.compute.instance.network.egress.bytes`*::
-+
---
-Count of bytes sent over the network
-
-type: long
-
---
-
-*`gcp.compute.instance.network.egress.packets.count`*::
-+
---
-Count of packets sent over the network
-
-type: long
-
---
-
-*`gcp.compute.instance.uptime.sec`*::
-+
---
-Number of seconds the VM has been running.
-
-type: long
-
---
-
-*`gcp.compute.instance.uptime_total.sec`*::
-+
---
-Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
-
-type: long
-
---
-
-[float]
-=== dataproc
-
-Google Cloud Dataproc metrics
-
-
-*`gcp.dataproc.cluster.hdfs.datanodes.count`*::
-+
---
-Indicates the number of HDFS DataNodes that are running inside a cluster.
-
-type: long
-
---
-
-*`gcp.dataproc.cluster.hdfs.storage_capacity.value`*::
-+
---
-Indicates capacity of HDFS system running on cluster in GB.
-
-type: double
-
---
-
-*`gcp.dataproc.cluster.hdfs.storage_utilization.value`*::
-+
---
-The percentage of HDFS storage currently used.
-
-type: double
-
---
-
-*`gcp.dataproc.cluster.hdfs.unhealthy_blocks.count`*::
-+
---
-Indicates the number of unhealthy blocks inside the cluster.
-
-type: long
-
---
-
-*`gcp.dataproc.cluster.job.failed.count`*::
-+
---
-Indicates the number of jobs that have failed on a cluster.
-
-type: long
-
---
-
-*`gcp.dataproc.cluster.job.running.count`*::
-+
---
-Indicates the number of jobs that are running on a cluster.
-
-type: long
-
---
-
-*`gcp.dataproc.cluster.job.submitted.count`*::
-+
---
-Indicates the number of jobs that have been submitted to a cluster.
-
-type: long
-
---
-
-*`gcp.dataproc.cluster.operation.failed.count`*::
-+
---
-Indicates the number of operations that have failed on a cluster.
-
-type: long
-
---
-
-*`gcp.dataproc.cluster.operation.running.count`*::
-+
---
-Indicates the number of operations that are running on a cluster.
-
-type: long
-
---
-
-*`gcp.dataproc.cluster.operation.submitted.count`*::
-+
---
-Indicates the number of operations that have been submitted to a cluster.
-
-type: long
-
---
-
-*`gcp.dataproc.cluster.yarn.allocated_memory_percentage.value`*::
-+
---
-The percentage of YARN memory is allocated.
-
-type: double
-
---
-
-*`gcp.dataproc.cluster.yarn.apps.count`*::
-+
---
-Indicates the number of active YARN applications.
-
-type: long
-
---
-
-*`gcp.dataproc.cluster.yarn.containers.count`*::
-+
---
-Indicates the number of YARN containers.
-
-type: long
-
---
-
-*`gcp.dataproc.cluster.yarn.memory_size.value`*::
-+
---
-Indicates the YARN memory size in GB.
-
-type: double
-
---
-
-*`gcp.dataproc.cluster.yarn.nodemanagers.count`*::
-+
---
-Indicates the number of YARN NodeManagers running inside cluster.
-
-type: long
-
---
-
-*`gcp.dataproc.cluster.yarn.pending_memory_size.value`*::
-+
---
-The current memory request, in GB, that is pending to be fulfilled by the scheduler.
-
-type: double
-
---
-
-*`gcp.dataproc.cluster.yarn.virtual_cores.count`*::
-+
---
-Indicates the number of virtual cores in YARN.
-
-type: long
-
---
-
-*`gcp.dataproc.cluster.job.completion_time.value`*::
-+
---
-The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed.
-
-type: object
-
---
-
-*`gcp.dataproc.cluster.job.duration.value`*::
-+
---
-The time jobs have spent in a given state.
-
-type: object
-
---
-
-*`gcp.dataproc.cluster.operation.completion_time.value`*::
-+
---
-The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed.
-
-type: object
-
---
-
-*`gcp.dataproc.cluster.operation.duration.value`*::
-+
---
-The time operations have spent in a given state.
-
-type: object
-
---
-
-[float]
-=== firestore
-
-Google Cloud Firestore metrics
-
-
-*`gcp.firestore.document.delete.count`*::
-+
---
-The number of successful document deletes.
-
-type: long
-
---
-
-*`gcp.firestore.document.read.count`*::
-+
---
-The number of successful document reads from queries or lookups.
-
-type: long
-
---
-
-*`gcp.firestore.document.write.count`*::
-+
---
-The number of successful document writes.
-
-type: long
-
---
-
-[float]
-=== gke
-
-`gke` contains the metrics that we scraped from GCP Stackdriver API containing monitoring metrics for GCP GKE
-
-
-*`gcp.gke.container.cpu.core_usage_time.sec`*::
-+
---
-Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds.
-
-type: double
-
---
-
-*`gcp.gke.container.cpu.limit_cores.value`*::
-+
---
-CPU cores limit of the container. Sampled every 60 seconds.
-
-type: double
-
---
-
-*`gcp.gke.container.cpu.limit_utilization.pct`*::
-+
---
-The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
-
-type: double
-
---
-
-*`gcp.gke.container.cpu.request_cores.value`*::
-+
---
-Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
-
-type: double
-
---
-
-*`gcp.gke.container.cpu.request_utilization.pct`*::
-+
---
-The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
-
-type: double
-
---
-
-*`gcp.gke.container.ephemeral_storage.limit.bytes`*::
-+
---
-Local ephemeral storage limit in bytes. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.container.ephemeral_storage.request.bytes`*::
-+
---
-Local ephemeral storage request in bytes. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.container.ephemeral_storage.used.bytes`*::
-+
---
-Local ephemeral storage usage in bytes. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.container.memory.limit.bytes`*::
-+
---
-Memory limit of the container in bytes. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.container.memory.limit_utilization.pct`*::
-+
---
-The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
-
-type: double
-
---
-
-*`gcp.gke.container.memory.page_fault.count`*::
-+
---
-Number of page faults, broken down by type, major and minor.
-
-type: long
-
---
-
-*`gcp.gke.container.memory.request.bytes`*::
-+
---
-Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
-
-type: long
-
---
-
-*`gcp.gke.container.memory.request_utilization.pct`*::
-+
---
-The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
-
-type: double
-
---
-
-*`gcp.gke.container.memory.used.bytes`*::
-+
---
-Memory usage in bytes. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.container.restart.count`*::
-+
---
-Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
-
-type: long
-
---
-
-*`gcp.gke.container.uptime.sec`*::
-+
---
-Time in seconds that the container has been running. Sampled every 60 seconds.
-
-type: double
-
---
-
-*`gcp.gke.node.cpu.allocatable_cores.value`*::
-+
---
-Number of allocatable CPU cores on the node. Sampled every 60 seconds.
-
-type: double
-
---
-
-*`gcp.gke.node.cpu.allocatable_utilization.pct`*::
-+
---
-The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds.
-
-type: double
-
---
-
-*`gcp.gke.node.cpu.core_usage_time.sec`*::
-+
---
-Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds.
-
-type: double
-
---
-
-*`gcp.gke.node.cpu.total_cores.value`*::
-+
---
-Total number of CPU cores on the node. Sampled every 60 seconds.
-
-type: double
-
---
-
-*`gcp.gke.node.ephemeral_storage.allocatable.bytes`*::
-+
---
-Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.node.ephemeral_storage.inodes_free.value`*::
-+
---
-Free number of inodes on local ephemeral storage. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.node.ephemeral_storage.inodes_total.value`*::
-+
---
-Total number of inodes on local ephemeral storage. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.node.ephemeral_storage.total.bytes`*::
-+
---
-Total ephemeral storage bytes on the node. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.node.ephemeral_storage.used.bytes`*::
-+
---
-Local ephemeral storage bytes used by the node. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.node.memory.allocatable.bytes`*::
-+
---
-Cumulative memory bytes used by the node. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.node.memory.allocatable_utilization.pct`*::
-+
---
-The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
-
-type: double
-
---
-
-*`gcp.gke.node.memory.total.bytes`*::
-+
---
-Number of bytes of memory allocatable on the node. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.node.memory.used.bytes`*::
-+
---
-Cumulative memory bytes used by the node. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.node.network.received_bytes.count`*::
-+
---
-Cumulative number of bytes received by the node over the network. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.node.network.sent_bytes.count`*::
-+
---
-Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.node.pid_limit.value`*::
-+
---
-The max PID of OS on the node. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.node.pid_used.value`*::
-+
---
-The number of running process in the OS on the node. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.node_daemon.cpu.core_usage_time.sec`*::
-+
---
-Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds.
-
-type: double
-
---
-
-*`gcp.gke.node_daemon.memory.used.bytes`*::
-+
---
-Memory usage by the system daemon in bytes. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.pod.network.received.bytes`*::
-+
---
-Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.pod.network.sent.bytes`*::
-+
---
-Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.pod.volume.total.bytes`*::
-+
---
-Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
-
-type: long
-
---
-
-*`gcp.gke.pod.volume.used.bytes`*::
-+
---
-Number of disk bytes used by the pod. Sampled every 60 seconds.
-
-type: long
-
---
-
-*`gcp.gke.pod.volume.utilization.pct`*::
-+
---
-The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds.
-
-type: double
-
---
-
-[float]
-=== loadbalancing
-
-Google Cloud Load Balancing metrics
-
-
-*`gcp.loadbalancing.https.backend_request.bytes`*::
-+
---
-The number of bytes sent as requests from HTTP/S load balancer to backends.
-
-type: long
-
---
-
-*`gcp.loadbalancing.https.backend_request.count`*::
-+
---
-The number of requests served by backends of HTTP/S load balancer.
-
-type: long
-
---
-
-*`gcp.loadbalancing.https.backend_response.bytes`*::
-+
---
-The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer.
-
-type: long
-
---
-
-*`gcp.loadbalancing.https.request.bytes`*::
-+
---
-The number of bytes sent as requests from clients to HTTP/S load balancer.
-
-type: long
-
---
-
-*`gcp.loadbalancing.https.request.count`*::
-+
---
-The number of requests served by HTTP/S load balancer.
-
-type: long
-
---
-
-*`gcp.loadbalancing.https.response.bytes`*::
-+
---
-The number of bytes sent as responses from HTTP/S load balancer to clients.
-
-type: long
-
---
-
-*`gcp.loadbalancing.l3.external.egress.bytes`*::
-+
---
-The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only.
-
-type: long
-
---
-
-*`gcp.loadbalancing.l3.external.egress_packets.count`*::
-+
---
-The number of packets sent from external TCP/UDP network load balancer backend to client of the flow.
-
-type: long
-
---
-
-*`gcp.loadbalancing.l3.external.ingress.bytes`*::
-+
---
-The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only.
-
-type: long
-
---
-
-*`gcp.loadbalancing.l3.external.ingress_packets.count`*::
-+
---
-The number of packets sent from client to external TCP/UDP network load balancer backend.
-
-type: long
-
---
-
-*`gcp.loadbalancing.l3.internal.egress.bytes`*::
-+
---
-The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only).
-
-type: long
-
---
-
-*`gcp.loadbalancing.l3.internal.egress_packets.count`*::
-+
---
-The number of packets sent from ILB backend to client of the flow.
-
-type: long
-
---
-
-*`gcp.loadbalancing.l3.internal.ingress.bytes`*::
-+
---
-The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only).
-
-type: long
-
---
-
-*`gcp.loadbalancing.l3.internal.ingress_packets.count`*::
-+
---
-The number of packets sent from client to ILB backend.
-
-type: long
-
---
-
-*`gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value`*::
-+
---
-Number of connections that were terminated over TCP/SSL proxy.
-
-type: long
-
---
-
-*`gcp.loadbalancing.tcp_ssl_proxy.egress.bytes`*::
-+
---
-Number of bytes sent from VM to client using proxy.
-
-type: long
-
---
-
-*`gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes`*::
-+
---
-Number of bytes sent from client to VM using proxy.
-
-type: long
-
---
-
-*`gcp.loadbalancing.tcp_ssl_proxy.new_connections.value`*::
-+
---
-Number of connections that were created over TCP/SSL proxy.
-
-type: long
-
---
-
-*`gcp.loadbalancing.tcp_ssl_proxy.open_connections.value`*::
-+
---
-Current number of outstanding connections through the TCP/SSL proxy.
-
-type: long
-
---
-
-*`gcp.loadbalancing.https.backend_latencies.value`*::
-+
---
-A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response.
-
-type: object
-
---
-
-*`gcp.loadbalancing.https.external.regional.backend_latencies.value`*::
-+
---
-A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response.
-
-type: object
-
---
-
-*`gcp.loadbalancing.https.external.regional.total_latencies.value`*::
-+
---
-A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte.
-
-type: object
-
---
-
-*`gcp.loadbalancing.https.frontend_tcp_rtt.value`*::
-+
---
-A distribution of the RTT measured for each connection between client and proxy.
-
-type: object
-
---
-
-*`gcp.loadbalancing.https.internal.backend_latencies.value`*::
-+
---
-A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response.
-
-type: object
-
---
-
-*`gcp.loadbalancing.https.internal.total_latencies.value`*::
-+
---
-A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte.
-
-type: object
-
---
-
-*`gcp.loadbalancing.https.total_latencies.value`*::
-+
---
-A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte.
-
-type: object
-
---
-
-*`gcp.loadbalancing.l3.external.rtt_latencies.value`*::
-+
---
-A distribution of the round trip time latency, measured over TCP connections for the external network load balancer.
-
-type: object
-
---
-
-*`gcp.loadbalancing.l3.internal.rtt_latencies.value`*::
-+
---
-A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows.
-
-type: object
-
---
-
-*`gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value`*::
-+
---
-A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client.
-
-type: object
-
---
-
-[float]
-=== pubsub
-
-Google Cloud PubSub metrics
-
-
-*`gcp.pubsub.snapshot.backlog.bytes`*::
-+
---
-Total byte size of the messages retained in a snapshot.
-
-type: long
-
---
-
-*`gcp.pubsub.snapshot.backlog_bytes_by_region.bytes`*::
-+
---
-Total byte size of the messages retained in a snapshot, broken down by Cloud region.
-
-type: long
-
---
-
-*`gcp.pubsub.snapshot.config_updates.count`*::
-+
---
-Cumulative count of configuration changes, grouped by operation type and result.
-
-type: long
-
---
-
-*`gcp.pubsub.snapshot.num_messages.value`*::
-+
---
-Number of messages retained in a snapshot.
-
-type: long
-
---
-
-*`gcp.pubsub.snapshot.num_messages_by_region.value`*::
-+
---
-Number of messages retained in a snapshot, broken down by Cloud region.
-
-type: long
-
---
-
-*`gcp.pubsub.snapshot.oldest_message_age.sec`*::
-+
---
-Age (in seconds) of the oldest message retained in a snapshot.
-
-type: long
-
---
-
-*`gcp.pubsub.snapshot.oldest_message_age_by_region.sec`*::
-+
---
-Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.ack_message.count`*::
-+
---
-Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.backlog.bytes`*::
-+
---
-Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.byte_cost.bytes`*::
-+
---
-Cumulative cost of operations, measured in bytes. This is used to measure quota utilization.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.config_updates.count`*::
-+
---
-Cumulative count of configuration changes for each subscription, grouped by operation type and result.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.dead_letter_message.count`*::
-+
---
-Cumulative count of messages published to dead letter topic, grouped by result.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.mod_ack_deadline_message.count`*::
-+
---
-Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.mod_ack_deadline_message_operation.count`*::
-+
---
-Cumulative count of ModifyAckDeadline message operations, grouped by result.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.mod_ack_deadline_request.count`*::
-+
---
-Cumulative count of ModifyAckDeadline requests, grouped by result.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.num_outstanding_messages.value`*::
-+
---
-Number of messages delivered to a subscription's push endpoint, but not yet acknowledged.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.num_undelivered_messages.value`*::
-+
---
-Number of unacknowledged messages (a.k.a. backlog messages) in a subscription.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.oldest_retained_acked_message_age.sec`*::
-+
---
-Age (in seconds) of the oldest acknowledged message retained in a subscription.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value`*::
-+
---
-Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.oldest_unacked_message_age.sec`*::
-+
---
-Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value`*::
-+
---
-Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.pull_ack_message_operation.count`*::
-+
---
-Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.pull_ack_request.count`*::
-+
---
-Cumulative count of acknowledge requests, grouped by result.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.pull_message_operation.count`*::
-+
---
-Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.pull_request.count`*::
-+
---
-Cumulative count of pull requests, grouped by result.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.push_request.count`*::
-+
---
-Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.retained_acked.bytes`*::
-+
---
-Total byte size of the acknowledged messages retained in a subscription.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes`*::
-+
---
-Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.seek_request.count`*::
-+
---
-Cumulative count of seek attempts, grouped by result.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.sent_message.count`*::
-+
---
-Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.streaming_pull_ack_message_operation.count`*::
-+
---
-Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.streaming_pull_ack_request.count`*::
-+
---
-Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.streaming_pull_message_operation.count`*::
-+
---
-Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric <code>subscription/mod_ack_deadline_message_operation_count
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count`*::
-+
---
-Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count`*::
-+
---
-Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.streaming_pull_response.count`*::
-+
---
-Cumulative count of streaming pull responses, grouped by result.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.unacked_bytes_by_region.bytes`*::
-+
---
-Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region.
-
-type: long
-
---
-
-*`gcp.pubsub.topic.byte_cost.bytes`*::
-+
---
-Cost of operations, measured in bytes. This is used to measure utilization for quotas.
-
-type: long
-
---
-
-*`gcp.pubsub.topic.config_updates.count`*::
-+
---
-Cumulative count of configuration changes, grouped by operation type and result.
-
-type: long
-
---
-
-*`gcp.pubsub.topic.message_sizes.bytes`*::
-+
---
-Distribution of publish message sizes (in bytes)
-
-type: object
-
---
-
-*`gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value`*::
-+
---
-Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region.
-
-type: long
-
---
-
-*`gcp.pubsub.topic.oldest_unacked_message_age_by_region.value`*::
-+
---
-Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region.
-
-type: long
-
---
-
-*`gcp.pubsub.topic.retained_acked_bytes_by_region.bytes`*::
-+
---
-Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region.
-
-type: long
-
---
-
-*`gcp.pubsub.topic.send_message_operation.count`*::
-+
---
-Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count.
-
-type: long
-
---
-
-*`gcp.pubsub.topic.send_request.count`*::
-+
---
-Cumulative count of publish requests, grouped by result.
-
-type: long
-
---
-
-*`gcp.pubsub.topic.streaming_pull_response.count`*::
-+
---
-Cumulative count of streaming pull responses, grouped by result.
-
-type: long
-
---
-
-*`gcp.pubsub.topic.unacked_bytes_by_region.bytes`*::
-+
---
-Total byte size of the unacknowledged messages in a topic, broken down by Cloud region.
-
-type: long
-
---
-
-*`gcp.pubsub.subscription.ack_latencies.value`*::
-+
---
-Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message.
-
-type: object
-
---
-
-*`gcp.pubsub.subscription.push_request_latencies.value`*::
-+
---
-Distribution of push request latencies (in microseconds), grouped by result.
-
-type: object
-
---
-
-[float]
-=== storage
-
-Google Cloud Storage metrics
-
-
-*`gcp.storage.api.request.count`*::
-+
---
-Delta count of API calls, grouped by the API method name and response code.
-
-type: long
-
---
-
-*`gcp.storage.authz.acl_based_object_access.count`*::
-+
---
-Delta count of requests that result in an object being granted access solely due to object ACLs.
-
-type: long
-
---
-
-*`gcp.storage.authz.acl_operations.count`*::
-+
---
-Usage of ACL operations broken down by type.
-
-type: long
-
---
-
-*`gcp.storage.authz.object_specific_acl_mutation.count`*::
-+
---
-Delta count of changes made to object specific ACLs.
-
-type: long
-
---
-
-*`gcp.storage.network.received.bytes`*::
-+
---
-Delta count of bytes received over the network, grouped by the API method name and response code.
-
-type: long
-
---
-
-*`gcp.storage.network.sent.bytes`*::
-+
---
-Delta count of bytes sent over the network, grouped by the API method name and response code.
-
-type: long
-
---
-
-*`gcp.storage.storage.object.count`*::
-+
---
-Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
-
-type: long
-
---
-
-*`gcp.storage.storage.total_byte_seconds.bytes`*::
-+
---
-Delta count of bytes received over the network, grouped by the API method name and response code.
-
-type: long
-
---
-
-*`gcp.storage.storage.total.bytes`*::
-+
---
-Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day.
-
-type: long
-
---
-
-[[exported-fields-golang]]
-== Golang fields
-
-Golang module
-
-
-
-[float]
-=== golang
-
-
-
-
-[float]
-=== expvar
-
-expvar
-
-
-
-*`golang.expvar.cmdline`*::
-+
---
-The cmdline of this Go program start with.
-
-
-type: keyword
-
---
-
-[float]
-=== heap
-
-The Go program heap information exposed by expvar.
-
-
-
-*`golang.heap.cmdline`*::
-+
---
-The cmdline of this Go program start with.
-
-
-type: keyword
-
---
-
-[float]
-=== gc
-
-Garbage collector summary.
-
-
-
-[float]
-=== total_pause
-
-Total GC pause duration over lifetime of process.
-
-
-
-*`golang.heap.gc.total_pause.ns`*::
-+
---
-Duration in Ns.
-
-
-type: long
-
---
-
-*`golang.heap.gc.total_count`*::
-+
---
-Total number of GC was happened.
-
-
-type: long
-
---
-
-*`golang.heap.gc.next_gc_limit`*::
-+
---
-Next collection will happen when HeapAlloc > this amount.
-
-
-type: long
-
-format: bytes
-
---
-
-*`golang.heap.gc.cpu_fraction`*::
-+
---
-Fraction of CPU time used by GC.
-
-
-type: float
-
---
-
-[float]
-=== pause
-
-Last GC pause durations during the monitoring period.
-
-
-
-*`golang.heap.gc.pause.count`*::
-+
---
-Count of GC pause duration during this collect period.
-
-
-type: long
-
---
-
-[float]
-=== sum
-
-Total GC pause duration during this collect period.
-
-
-
-*`golang.heap.gc.pause.sum.ns`*::
-+
---
-Duration in Ns.
-
-
-type: long
-
---
-
-[float]
-=== max
-
-Max GC pause duration during this collect period.
-
-
-
-*`golang.heap.gc.pause.max.ns`*::
-+
---
-Duration in Ns.
-
-
-type: long
-
---
-
-[float]
-=== avg
-
-Average GC pause duration during this collect period.
-
-
-
-*`golang.heap.gc.pause.avg.ns`*::
-+
---
-Duration in Ns.
-
-
-type: long
-
---
-
-[float]
-=== system
-
-Heap summary,which bytes was obtained from system.
-
-
-
-*`golang.heap.system.total`*::
-+
---
-Total bytes obtained from system (sum of XxxSys below).
-
-
-type: long
-
-format: bytes
-
---
-
-*`golang.heap.system.obtained`*::
-+
---
-Via HeapSys, bytes obtained from system. heap_sys = heap_idle + heap_inuse.
-
-
-type: long
-
-format: bytes
-
---
-
-*`golang.heap.system.stack`*::
-+
---
-Bytes used by stack allocator, and these bytes was obtained from system.
-
-
-type: long
-
-format: bytes
-
---
-
-*`golang.heap.system.released`*::
-+
---
-Bytes released to the OS.
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== allocations
-
-Heap allocations summary.
-
-
-
-*`golang.heap.allocations.mallocs`*::
-+
---
-Number of mallocs.
-
-
-type: long
-
---
-
-*`golang.heap.allocations.frees`*::
-+
---
-Number of frees.
-
-
-type: long
-
---
-
-*`golang.heap.allocations.objects`*::
-+
---
-Total number of allocated objects.
-
-
-type: long
-
---
-
-*`golang.heap.allocations.total`*::
-+
---
-Bytes allocated (even if freed) throughout the lifetime.
-
-
-type: long
-
-format: bytes
-
---
-
-*`golang.heap.allocations.allocated`*::
-+
---
-Bytes allocated and not yet freed (same as Alloc above).
-
-
-type: long
-
-format: bytes
-
---
-
-*`golang.heap.allocations.idle`*::
-+
---
-Bytes in idle spans.
-
-
-type: long
-
-format: bytes
-
---
-
-*`golang.heap.allocations.active`*::
-+
---
-Bytes in non-idle span.
-
-
-type: long
-
-format: bytes
-
---
-
-[[exported-fields-graphite]]
-== Graphite fields
-
-graphite Module
-
-
-
-[float]
-=== graphite
-
-
-
-
-[float]
-=== server
-
-server
-
-
-
-*`graphite.server.example`*::
-+
---
-Example field
-
-
-type: keyword
-
---
-
-[[exported-fields-haproxy]]
-== HAProxy fields
-
-HAProxy Module
-
-
-
-[float]
-=== haproxy
-
-HAProxy metrics.
-
-
-
-[float]
-=== info
-
-General information about HAProxy processes.
-
-
-
-*`haproxy.info.processes`*::
-+
---
-Number of processes.
-
-
-type: long
-
---
-
-*`haproxy.info.process_num`*::
-+
---
-Process number.
-
-
-type: long
-
---
-
-*`haproxy.info.threads`*::
-+
---
-Number of threads.
-
-
-type: long
-
---
-
-*`haproxy.info.pid`*::
-+
---
-Process ID.
-
-
-type: alias
-
-alias to: process.pid
-
---
-
-*`haproxy.info.run_queue`*::
-+
---
-
-
-type: long
-
---
-
-*`haproxy.info.stopping`*::
-+
---
-Number of stopping jobs.
-
-
-type: long
-
---
-
-*`haproxy.info.jobs`*::
-+
---
-Number of all jobs.
-
-
-type: long
-
---
-
-*`haproxy.info.unstoppable_jobs`*::
-+
---
-Number of unstoppable jobs.
-
-
-type: long
-
---
-
-*`haproxy.info.listeners`*::
-+
---
-Number of listeners.
-
-
-type: long
-
---
-
-*`haproxy.info.dropped_logs`*::
-+
---
-Number of dropped logs.
-
-
-type: long
-
---
-
-*`haproxy.info.busy_polling`*::
-+
---
-Number of busy polling.
-
-
-type: long
-
---
-
-*`haproxy.info.failed_resolutions`*::
-+
---
-Number of failed resolutions.
-
-
-type: long
-
---
-
-*`haproxy.info.tasks`*::
-+
---
-
-
-type: long
-
---
-
-*`haproxy.info.uptime.sec`*::
-+
---
-Current uptime in seconds.
-
-
-type: long
-
---
-
-*`haproxy.info.memory.max.bytes`*::
-+
---
-Maximum amount of memory usage in bytes (the 'Memmax_MB' value converted to bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-
-
-*`haproxy.info.bytes.out.total`*::
-+
---
-Number of bytes sent out.
-
-
-type: long
-
---
-
-*`haproxy.info.bytes.out.rate`*::
-+
---
-Average bytes output rate.
-
-
-type: long
-
---
-
-
-*`haproxy.info.peers.active`*::
-+
---
-Number of active peers.
-
-
-type: long
-
---
-
-*`haproxy.info.peers.connected`*::
-+
---
-Number of connected peers.
-
-
-type: long
-
---
-
-
-*`haproxy.info.pool.allocated`*::
-+
---
-Size of the allocated pool.
-
-
-type: long
-
---
-
-*`haproxy.info.pool.used`*::
-+
---
-Number of members used from the allocated pool.
-
-
-type: long
-
---
-
-*`haproxy.info.pool.failed`*::
-+
---
-Number of failed connections to pool members.
-
-
-type: long
-
---
-
-*`haproxy.info.ulimit_n`*::
-+
---
-Maximum number of open files for the process.
-
-
-type: long
-
---
-
-[float]
-=== compress
-
-
-
-
-[float]
-=== bps
-
-
-
-
-*`haproxy.info.compress.bps.in`*::
-+
---
-Incoming compressed data in bits per second.
-
-
-type: long
-
---
-
-*`haproxy.info.compress.bps.out`*::
-+
---
-Outgoing compressed data in bits per second.
-
-
-type: long
-
---
-
-*`haproxy.info.compress.bps.rate_limit`*::
-+
---
-Rate limit of compressed data in bits per second.
-
-
-type: long
-
---
-
-[float]
-=== connection
-
-
-
-
-[float]
-=== rate
-
-
-
-
-*`haproxy.info.connection.rate.value`*::
-+
---
-Number of connections in the last second.
-
-
-type: long
-
---
-
-*`haproxy.info.connection.rate.limit`*::
-+
---
-Rate limit of connections.
-
-
-type: long
-
---
-
-*`haproxy.info.connection.rate.max`*::
-+
---
-Maximum rate of connections.
-
-
-type: long
-
---
-
-*`haproxy.info.connection.current`*::
-+
---
-Current connections.
-
-
-type: long
-
---
-
-*`haproxy.info.connection.total`*::
-+
---
-Total connections.
-
-
-type: long
-
---
-
-*`haproxy.info.connection.ssl.current`*::
-+
---
-Current SSL connections.
-
-
-type: long
-
---
-
-*`haproxy.info.connection.ssl.total`*::
-+
---
-Total SSL connections.
-
-
-type: long
-
---
-
-*`haproxy.info.connection.ssl.max`*::
-+
---
-Maximum SSL connections.
-
-
-type: long
-
---
-
-*`haproxy.info.connection.max`*::
-+
---
-Maximum connections.
-
-
-type: long
-
---
-
-*`haproxy.info.connection.hard_max`*::
-+
---
-
-
-type: long
-
---
-
-*`haproxy.info.requests.total`*::
-+
---
-Total number of requests.
-
-
-type: long
-
---
-
-*`haproxy.info.sockets.max`*::
-+
---
-Maximum number of sockets.
-
-
-type: long
-
---
-
-*`haproxy.info.requests.max`*::
-+
---
-Maximum number of requests.
-
-
-type: long
-
---
-
-[float]
-=== pipes
-
-
-
-
-*`haproxy.info.pipes.used`*::
-+
---
-Number of used pipes during kernel-based tcp splicing.
-
-
-type: integer
-
---
-
-*`haproxy.info.pipes.free`*::
-+
---
-Number of free pipes.
-
-
-type: integer
-
---
-
-*`haproxy.info.pipes.max`*::
-+
---
-Maximum number of used pipes.
-
-
-type: integer
-
---
-
-[float]
-=== session
-
-None
-
-
-*`haproxy.info.session.rate.value`*::
-+
---
-Rate of session per seconds.
-
-
-type: integer
-
---
-
-*`haproxy.info.session.rate.limit`*::
-+
---
-Rate limit of sessions.
-
-
-type: integer
-
---
-
-*`haproxy.info.session.rate.max`*::
-+
---
-Maximum rate of sessions.
-
-
-type: integer
-
---
-
-[float]
-=== ssl
-
-None
-
-
-*`haproxy.info.ssl.rate.value`*::
-+
---
-Rate of SSL requests.
-
-
-type: integer
-
---
-
-*`haproxy.info.ssl.rate.limit`*::
-+
---
-Rate limit of SSL requests.
-
-
-type: integer
-
---
-
-*`haproxy.info.ssl.rate.max`*::
-+
---
-Maximum rate of SSL requests.
-
-
-type: integer
-
---
-
-[float]
-=== frontend
-
-None
-
-
-*`haproxy.info.ssl.frontend.key_rate.value`*::
-+
---
-Key rate of SSL frontend.
-
-
-type: integer
-
---
-
-*`haproxy.info.ssl.frontend.key_rate.max`*::
-+
---
-Maximum key rate of SSL frontend.
-
-
-type: integer
-
---
-
-*`haproxy.info.ssl.frontend.session_reuse.pct`*::
-+
---
-Rate of reuse of SSL frontend sessions.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-[float]
-=== backend
-
-None
-
-
-*`haproxy.info.ssl.backend.key_rate.value`*::
-+
---
-Key rate of SSL backend sessions.
-
-
-type: integer
-
---
-
-*`haproxy.info.ssl.backend.key_rate.max`*::
-+
---
-Maximum key rate of SSL backend sessions.
-
-
-type: integer
-
---
-
-*`haproxy.info.ssl.cached_lookups`*::
-+
---
-Number of SSL cache lookups.
-
-
-type: long
-
---
-
-*`haproxy.info.ssl.cache_misses`*::
-+
---
-Number of SSL cache misses.
-
-
-type: long
-
---
-
-[float]
-=== zlib_mem_usage
-
-
-
-
-*`haproxy.info.zlib_mem_usage.value`*::
-+
---
-Memory usage of zlib.
-
-
-type: integer
-
---
-
-*`haproxy.info.zlib_mem_usage.max`*::
-+
---
-Maximum memory usage of zlib.
-
-
-type: integer
-
---
-
-*`haproxy.info.idle.pct`*::
-+
---
-Percentage of idle time.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-[float]
-=== stat
-
-Stats collected from HAProxy processes.
-
-
-
-*`haproxy.stat.status`*::
-+
---
-Status (UP, DOWN, NOLB, MAINT, or MAINT(via)...).
-
-
-type: keyword
-
---
-
-*`haproxy.stat.weight`*::
-+
---
-Total weight (for backends), or server weight (for servers).
-
-
-type: long
-
---
-
-*`haproxy.stat.downtime`*::
-+
---
-Total downtime (in seconds). For backends, this value is the downtime for the whole backend, not the sum of the downtime for the servers.
-
-
-type: long
-
---
-
-*`haproxy.stat.component_type`*::
-+
---
-Component type (0=frontend, 1=backend, 2=server, or 3=socket/listener).
-
-
-type: integer
-
---
-
-*`haproxy.stat.process_id`*::
-+
---
-Process ID (0 for first instance, 1 for second, and so on).
-
-
-type: alias
-
-alias to: process.pid
-
---
-
-*`haproxy.stat.service_name`*::
-+
---
-Service name (FRONTEND for frontend, BACKEND for backend, or any name for server/listener).
-
-
-type: keyword
-
---
-
-*`haproxy.stat.in.bytes`*::
-+
---
-Bytes in.
-
-
-type: long
-
-format: bytes
-
---
-
-*`haproxy.stat.out.bytes`*::
-+
---
-Bytes out.
-
-
-type: long
-
-format: bytes
-
---
-
-*`haproxy.stat.last_change`*::
-+
---
-Number of seconds since the last UP->DOWN or DOWN->UP transition.
-
-
-type: integer
-
---
-
-*`haproxy.stat.throttle.pct`*::
-+
---
-Current throttle percentage for the server when slowstart is active, or no value if slowstart is inactive.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`haproxy.stat.selected.total`*::
-+
---
-Total number of times a server was selected, either for new sessions, or when re-dispatching. For servers, this field reports the the number of times the server was selected.
-
-
-type: long
-
---
-
-*`haproxy.stat.tracked.id`*::
-+
---
-ID of the proxy/server if tracking is enabled.
-
-
-type: long
-
---
-
-*`haproxy.stat.cookie`*::
-+
---
-Cookie value of the server or the name of the cookie of the backend.
-
-
-type: keyword
-
---
-
-*`haproxy.stat.load_balancing_algorithm`*::
-+
---
-Load balancing algorithm.
-
-
-type: keyword
-
---
-
-
-*`haproxy.stat.connection.total`*::
-+
---
-Cumulative number of connections.
-
-
-type: long
-
---
-
-*`haproxy.stat.connection.retried`*::
-+
---
-Number of times a connection to a server was retried.
-
-
-type: long
-
---
-
-*`haproxy.stat.connection.time.avg`*::
-+
---
-Average connect time in ms over the last 1024 requests.
-
-
-type: long
-
---
-
-*`haproxy.stat.connection.rate`*::
-+
---
-Number of connections over the last second.
-
-
-type: long
-
---
-
-*`haproxy.stat.connection.rate_max`*::
-+
---
-Highest value of connection.rate.
-
-
-type: long
-
---
-
-*`haproxy.stat.connection.attempt.total`*::
-+
---
-Number of connection establishment attempts.
-
-
-type: long
-
---
-
-*`haproxy.stat.connection.reuse.total`*::
-+
---
-Number of connection reuses.
-
-
-type: long
-
---
-
-
-*`haproxy.stat.connection.idle.total`*::
-+
---
-Number of idle connections available for reuse.
-
-
-type: long
-
---
-
-*`haproxy.stat.connection.idle.limit`*::
-+
---
-Limit on idle connections available for reuse.
-
-
-type: long
-
---
-
-
-*`haproxy.stat.connection.cache.lookup.total`*::
-+
---
-Number of cache lookups.
-
-
-type: long
-
---
-
-*`haproxy.stat.connection.cache.hits`*::
-+
---
-Number of cache hits.
-
-
-type: long
-
---
-
-
-*`haproxy.stat.request.denied`*::
-+
---
-Requests denied because of security concerns.
-
-  * For TCP this is because of a matched tcp-request content rule.
-  * For HTTP this is because of a matched http-request or tarpit rule.
-
-
-type: long
-
---
-
-*`haproxy.stat.request.denied_by_connection_rules`*::
-+
---
-Requests denied because of TCP request connection rules.
-
-
-type: long
-
---
-
-*`haproxy.stat.request.denied_by_session_rules`*::
-+
---
-Requests denied because of TCP request session rules.
-
-
-type: long
-
---
-
-*`haproxy.stat.request.queued.current`*::
-+
---
-Current queued requests. For backends, this field reports the number of requests queued without a server assigned.
-
-
-type: long
-
---
-
-*`haproxy.stat.request.queued.max`*::
-+
---
-Maximum value of queued.current.
-
-
-type: long
-
---
-
-*`haproxy.stat.request.errors`*::
-+
---
-Request errors. Some of the possible causes are:
-
-  * early termination from the client, before the request has been sent
-  * read error from the client
-  * client timeout
-  * client closed connection
-  * various bad requests from the client.
-  * request was tarpitted.
-
-
-type: long
-
---
-
-*`haproxy.stat.request.redispatched`*::
-+
---
-Number of times a request was redispatched to another server. For servers, this field reports the number of times the server was switched away from.
-
-
-type: long
-
---
-
-*`haproxy.stat.request.connection.errors`*::
-+
---
-Number of requests that encountered an error trying to connect to a server. For backends, this field reports the sum of the stat for all backend servers, plus any connection errors not associated with a particular server (such as the backend having no active servers).
-
-
-type: long
-
---
-
-[float]
-=== rate
-
-
-
-
-*`haproxy.stat.request.rate.value`*::
-+
---
-Number of HTTP requests per second over the last elapsed second.
-
-
-type: long
-
---
-
-*`haproxy.stat.request.rate.max`*::
-+
---
-Maximum number of HTTP requests per second.
-
-
-type: long
-
---
-
-*`haproxy.stat.request.total`*::
-+
---
-Total number of HTTP requests received.
-
-
-type: long
-
---
-
-*`haproxy.stat.request.intercepted`*::
-+
---
-Number of intercepted requests.
-
-
-type: long
-
---
-
-
-*`haproxy.stat.response.errors`*::
-+
---
-Number of response errors. This value includes the number of data transfers aborted by the server (haproxy.stat.server.aborted). Some other errors are:
-* write errors on the client socket (won't be counted for the server stat) * failure applying filters to the response
-
-
-type: long
-
---
-
-*`haproxy.stat.response.time.avg`*::
-+
---
-Average response time in ms over the last 1024 requests (0 for TCP).
-
-
-type: long
-
---
-
-*`haproxy.stat.response.denied`*::
-+
---
-Responses denied because of security concerns. For HTTP this is because of a matched http-request rule, or "option checkcache".
-
-
-type: integer
-
---
-
-[float]
-=== http
-
-
-
-
-*`haproxy.stat.response.http.1xx`*::
-+
---
-HTTP responses with 1xx code.
-
-
-type: long
-
---
-
-*`haproxy.stat.response.http.2xx`*::
-+
---
-HTTP responses with 2xx code.
-
-
-type: long
-
---
-
-*`haproxy.stat.response.http.3xx`*::
-+
---
-HTTP responses with 3xx code.
-
-
-type: long
-
---
-
-*`haproxy.stat.response.http.4xx`*::
-+
---
-HTTP responses with 4xx code.
-
-
-type: long
-
---
-
-*`haproxy.stat.response.http.5xx`*::
-+
---
-HTTP responses with 5xx code.
-
-
-type: long
-
---
-
-*`haproxy.stat.response.http.other`*::
-+
---
-HTTP responses with other codes (protocol error).
-
-
-type: long
-
---
-
-
-
-
-*`haproxy.stat.header.rewrite.failed.total`*::
-+
---
-Number of failed header rewrite warnings.
-
-
-type: long
-
---
-
-
-*`haproxy.stat.session.current`*::
-+
---
-Number of current sessions.
-
-
-type: long
-
---
-
-*`haproxy.stat.session.max`*::
-+
---
-Maximum number of sessions.
-
-
-type: long
-
---
-
-*`haproxy.stat.session.limit`*::
-+
---
-Configured session limit.
-
-
-type: long
-
---
-
-*`haproxy.stat.session.total`*::
-+
---
-Number of all sessions.
-
-
-type: long
-
---
-
-
-*`haproxy.stat.session.rate.value`*::
-+
---
-Number of sessions per second over the last elapsed second.
-
-
-type: integer
-
---
-
-*`haproxy.stat.session.rate.limit`*::
-+
---
-Configured limit on new sessions per second.
-
-
-type: integer
-
---
-
-*`haproxy.stat.session.rate.max`*::
-+
---
-Maximum number of new sessions per second.
-
-
-type: integer
-
---
-
-[float]
-=== check
-
-
-
-
-*`haproxy.stat.check.status`*::
-+
---
-Status of the last health check. One of:
-
-  UNK     -> unknown
-  INI     -> initializing
-  SOCKERR -> socket error
-  L4OK    -> check passed on layer 4, no upper layers testing enabled
-  L4TOUT  -> layer 1-4 timeout
-  L4CON   -> layer 1-4 connection problem, for example
-            "Connection refused" (tcp rst) or "No route to host" (icmp)
-  L6OK    -> check passed on layer 6
-  L6TOUT  -> layer 6 (SSL) timeout
-  L6RSP   -> layer 6 invalid response - protocol error
-  L7OK    -> check passed on layer 7
-  L7OKC   -> check conditionally passed on layer 7, for example 404 with
-            disable-on-404
-  L7TOUT  -> layer 7 (HTTP/SMTP) timeout
-  L7RSP   -> layer 7 invalid response - protocol error
-  L7STS   -> layer 7 response error, for example HTTP 5xx
-
-
-type: keyword
-
---
-
-*`haproxy.stat.check.code`*::
-+
---
-Layer 5-7 code, if available.
-
-
-type: long
-
---
-
-*`haproxy.stat.check.duration`*::
-+
---
-Time in ms that it took to finish the last health check.
-
-
-type: long
-
---
-
-*`haproxy.stat.check.health.last`*::
-+
---
-The result of the last health check.
-
-
-type: keyword
-
---
-
-*`haproxy.stat.check.health.fail`*::
-+
---
-Number of failed checks.
-
-
-type: long
-
---
-
-*`haproxy.stat.check.agent.last`*::
-+
---
-
-
-type: integer
-
---
-
-*`haproxy.stat.check.failed`*::
-+
---
-Number of checks that failed while the server was up.
-
-
-type: long
-
---
-
-*`haproxy.stat.check.down`*::
-+
---
-Number of UP->DOWN transitions. For backends, this value is the number of transitions to the whole backend being down, rather than the sum of the transitions for each server.
-
-
-type: long
-
---
-
-*`haproxy.stat.client.aborted`*::
-+
---
-Number of data transfers aborted by the client.
-
-
-type: integer
-
---
-
-[float]
-=== server
-
-
-
-
-*`haproxy.stat.server.id`*::
-+
---
-Server ID (unique inside a proxy).
-
-
-type: integer
-
---
-
-*`haproxy.stat.server.aborted`*::
-+
---
-Number of data transfers aborted by the server. This value is included in haproxy.stat.response.errors.
-
-
-type: integer
-
---
-
-*`haproxy.stat.server.active`*::
-+
---
-Number of backend servers that are active, meaning that they are healthy and can receive requests from the load balancer.
-
-
-type: integer
-
---
-
-*`haproxy.stat.server.backup`*::
-+
---
-Number of backend servers that are backup servers.
-
-
-type: integer
-
---
-
-[float]
-=== compressor
-
-
-
-
-*`haproxy.stat.compressor.in.bytes`*::
-+
---
-Number of HTTP response bytes fed to the compressor.
-
-
-type: long
-
-format: bytes
-
---
-
-*`haproxy.stat.compressor.out.bytes`*::
-+
---
-Number of HTTP response bytes emitted by the compressor.
-
-
-type: integer
-
-format: bytes
-
---
-
-*`haproxy.stat.compressor.bypassed.bytes`*::
-+
---
-Number of bytes that bypassed the HTTP compressor (CPU/BW limit).
-
-
-type: long
-
-format: bytes
-
---
-
-*`haproxy.stat.compressor.response.bytes`*::
-+
---
-Number of HTTP responses that were compressed.
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== proxy
-
-
-
-
-*`haproxy.stat.proxy.id`*::
-+
---
-Unique proxy ID.
-
-
-type: integer
-
---
-
-*`haproxy.stat.proxy.name`*::
-+
---
-Proxy name.
-
-
-type: keyword
-
---
-
-*`haproxy.stat.proxy.mode`*::
-+
---
-Proxy mode (tcp, http, health, unknown).
-
-
-type: keyword
-
---
-
-[float]
-=== queue
-
-
-
-
-*`haproxy.stat.queue.limit`*::
-+
---
-Configured queue limit (maxqueue) for the server, or nothing if the value of maxqueue is 0 (meaning no limit).
-
-
-type: integer
-
---
-
-*`haproxy.stat.queue.time.avg`*::
-+
---
-The average queue time in ms over the last 1024 requests.
-
-
-type: integer
-
---
-
-[float]
-=== agent
-
-
-
-
-*`haproxy.stat.agent.status`*::
-+
---
-Status of the last health check. One of:
-
-  UNK     -> unknown
-  INI     -> initializing
-  SOCKERR -> socket error
-  L4OK    -> check passed on layer 4, no upper layers enabled
-  L4TOUT  -> layer 1-4 timeout
-  L4CON   -> layer 1-4 connection problem, for example
-            "Connection refused" (tcp rst) or "No route to host" (icmp)
-  L7OK    -> agent reported "up"
-  L7STS   -> agent reported "fail", "stop" or "down"
-
-
-type: keyword
-
---
-
-*`haproxy.stat.agent.description`*::
-+
---
-Human readable version of agent.status.
-
-
-type: keyword
-
---
-
-*`haproxy.stat.agent.code`*::
-+
---
-Value reported by agent.
-
-
-type: integer
-
---
-
-*`haproxy.stat.agent.rise`*::
-+
---
-Rise value of agent.
-
-
-type: integer
-
---
-
-*`haproxy.stat.agent.fall`*::
-+
---
-Fall value of agent.
-
-
-type: integer
-
---
-
-*`haproxy.stat.agent.health`*::
-+
---
-Health parameter of agent. Between 0 and `agent.rise`+`agent.fall`-1.
-
-
-type: integer
-
---
-
-*`haproxy.stat.agent.duration`*::
-+
---
-Duration of the last check in ms.
-
-
-type: integer
-
---
-
-
-*`haproxy.stat.agent.check.rise`*::
-+
---
-Rise value of server.
-
-
-type: integer
-
---
-
-*`haproxy.stat.agent.check.fall`*::
-+
---
-Fall value of server.
-
-
-type: integer
-
---
-
-*`haproxy.stat.agent.check.health`*::
-+
---
-Health parameter of server. Between 0 and `agent.check.rise`+`agent.check.fall`-1.
-
-
-type: integer
-
---
-
-*`haproxy.stat.agent.check.description`*::
-+
---
-Human readable version of check.
-
-
-type: keyword
-
---
-
-
-*`haproxy.stat.source.address`*::
-+
---
-Address of the source.
-
-
-type: text
-
---
-
-[[exported-fields-host-processor]]
-== Host fields
-
-Info collected for the host machine.
-
-
-
-
-*`host.containerized`*::
-+
---
-If the host is a container.
-
-
-type: boolean
-
---
-
-*`host.os.build`*::
-+
---
-OS build information.
-
-
-type: keyword
-
-example: 18D109
-
---
-
-*`host.os.codename`*::
-+
---
-OS codename, if any.
-
-
-type: keyword
-
-example: stretch
-
---
-
-[[exported-fields-http]]
-== HTTP fields
-
-HTTP module
-
-
-
-[float]
-=== http
-
-
-
-
-[float]
-=== request
-
-HTTP request information
-
-
-
-*`http.request.headers`*::
-+
---
-The HTTP headers sent
-
-
-type: object
-
---
-
-[float]
-=== response
-
-HTTP response information
-
-
-
-*`http.response.headers`*::
-+
---
-The HTTP headers received
-
-
-type: object
-
---
-
-*`http.response.code`*::
-+
---
-The HTTP status code
-
-
-type: keyword
-
-example: 404
-
---
-
-*`http.response.phrase`*::
-+
---
-The HTTP status phrase
-
-
-type: keyword
-
-example: Not found
-
---
-
-[float]
-=== json
-
-json metricset
-
-
-[float]
-=== server
-
-server
-
-
-[[exported-fields-ibmmq]]
-== IBM MQ fields
-
-IBM MQ module
-
-
-
-
-[[exported-fields-iis]]
-== IIS fields
-
-iis module
-
-
-
-[float]
-=== iis
-
-
-
-
-[float]
-=== application_pool
-
-Application pool process stats.
-
-
-
-*`iis.application_pool.name`*::
-+
---
-application pool name
-
-
-type: keyword
-
---
-
-[float]
-=== process
-
-Worker process overview.
-
-
-
-*`iis.application_pool.process.handle_count`*::
-+
---
-The number of handles.
-
-
-type: long
-
---
-
-*`iis.application_pool.process.io_read_operations_per_sec`*::
-+
---
-IO read operations per sec.
-
-
-type: float
-
---
-
-*`iis.application_pool.process.io_write_operations_per_sec`*::
-+
---
-IO write operations per sec.
-
-
-type: float
-
---
-
-*`iis.application_pool.process.virtual_bytes`*::
-+
---
-Memory virtual bytes.
-
-
-type: float
-
---
-
-*`iis.application_pool.process.cpu_usage_perc`*::
-+
---
-The CPU usage percentage.
-
-
-type: float
-
---
-
-*`iis.application_pool.process.thread_count`*::
-+
---
-The number of threats.
-
-
-type: long
-
---
-
-*`iis.application_pool.process.working_set`*::
-+
---
-Memory working set.
-
-
-type: float
-
---
-
-*`iis.application_pool.process.private_bytes`*::
-+
---
-Memory private bytes.
-
-
-type: float
-
---
-
-*`iis.application_pool.process.page_faults_per_sec`*::
-+
---
-Memory page faults.
-
-
-type: float
-
---
-
-[float]
-=== net_clr
-
-Common Language Runtime overview.
-
-
-
-*`iis.application_pool.net_clr.finallys_per_sec`*::
-+
---
-The number of finallys per sec.
-
-
-type: float
-
---
-
-*`iis.application_pool.net_clr.throw_to_catch_depth_per_sec`*::
-+
---
-Throw to catch depth count per sec.
-
-
-type: float
-
---
-
-*`iis.application_pool.net_clr.total_exceptions_thrown`*::
-+
---
-Total number of exceptions thrown.
-
-
-type: long
-
---
-
-*`iis.application_pool.net_clr.filters_per_sec`*::
-+
---
-Number of filters per sec.
-
-
-type: float
-
---
-
-*`iis.application_pool.net_clr.exceptions_thrown_per_sec`*::
-+
---
-Number of Exceptions Thrown / sec.
-
-
-type: float
-
---
-
-[float]
-=== memory
-
-Memory overview.
-
-
-
-*`iis.application_pool.net_clr.memory.bytes_in_all_heaps`*::
-+
---
-Number of bytes in all heaps.
-
-
-type: float
-
---
-
-*`iis.application_pool.net_clr.memory.gen_0_collections`*::
-+
---
-Number of Gen 0 Collections.
-
-
-type: float
-
---
-
-*`iis.application_pool.net_clr.memory.gen_1_collections`*::
-+
---
-Number of Gen 1 Collections.
-
-
-type: float
-
---
-
-*`iis.application_pool.net_clr.memory.gen_2_collections`*::
-+
---
-Number of Gen 2 Collections.
-
-
-type: float
-
---
-
-*`iis.application_pool.net_clr.memory.total_committed_bytes`*::
-+
---
-Number of total committed bytes.
-
-
-type: float
-
---
-
-*`iis.application_pool.net_clr.memory.allocated_bytes_per_sec`*::
-+
---
-Allocated Bytes/sec.
-
-
-type: float
-
---
-
-*`iis.application_pool.net_clr.memory.gen_0_heap_size`*::
-+
---
-Gen 0 heap size.
-
-
-type: float
-
---
-
-*`iis.application_pool.net_clr.memory.gen_1_heap_size`*::
-+
---
-Gen 1 heap size.
-
-
-type: float
-
---
-
-*`iis.application_pool.net_clr.memory.gen_2_heap_size`*::
-+
---
-Gen 2 heap size.
-
-
-type: float
-
---
-
-*`iis.application_pool.net_clr.memory.large_object_heap_size`*::
-+
---
-Large Object Heap size.
-
-
-type: float
-
---
-
-*`iis.application_pool.net_clr.memory.time_in_gc_perc`*::
-+
---
-% Time in GC.
-
-
-type: float
-
---
-
-[float]
-=== locks_and_threads
-
-LocksAndThreads overview.
-
-
-
-*`iis.application_pool.net_clr.locks_and_threads.contention_rate_per_sec`*::
-+
---
-Contention Rate / sec.
-
-
-type: float
-
---
-
-*`iis.application_pool.net_clr.locks_and_threads.current_queue_length`*::
-+
---
-Current Queue Length.
-
-
-type: float
-
---
-
-[float]
-=== webserver
-
-Webserver related metrics.
-
-
-
-[float]
-=== process
-
-The process related stats.
-
-
-
-*`iis.webserver.process.cpu_usage_perc`*::
-+
---
-The CPU usage percentage.
-
-
-type: float
-
---
-
-*`iis.webserver.process.handle_count`*::
-+
---
-The number of handles.
-
-
-type: float
-
---
-
-*`iis.webserver.process.virtual_bytes`*::
-+
---
-Memory virtual bytes.
-
-
-type: float
-
---
-
-*`iis.webserver.process.thread_count`*::
-+
---
-The number of threads.
-
-
-type: long
-
---
-
-*`iis.webserver.process.working_set`*::
-+
---
-Memory working set.
-
-
-type: float
-
---
-
-*`iis.webserver.process.private_bytes`*::
-+
---
-Memory private bytes.
-
-
-type: float
-
---
-
-*`iis.webserver.process.worker_process_count`*::
-+
---
-Number of worker processes running.
-
-
-type: float
-
---
-
-*`iis.webserver.process.page_faults_per_sec`*::
-+
---
-Memory page faults.
-
-
-type: float
-
---
-
-*`iis.webserver.process.io_read_operations_per_sec`*::
-+
---
-IO read operations per sec.
-
-
-type: float
-
---
-
-*`iis.webserver.process.io_write_operations_per_sec`*::
-+
---
-IO write operations per sec.
-
-
-type: float
-
---
-
-[float]
-=== asp_net
-
-Common Language Runtime overview.
-
-
-
-*`iis.webserver.asp_net.application_restarts`*::
-+
---
-Number of applications restarts.
-
-
-type: float
-
---
-
-*`iis.webserver.asp_net.request_wait_time`*::
-+
---
-Request wait time.
-
-
-type: long
-
---
-
-[float]
-=== asp_net_application
-
-ASP.NET application overview.
-
-
-
-*`iis.webserver.asp_net_application.errors_total_per_sec`*::
-+
---
-Total number of errors per sec.
-
-
-type: float
-
---
-
-*`iis.webserver.asp_net_application.pipeline_instance_count`*::
-+
---
-The pipeline instance count.
-
-
-type: float
-
---
-
-*`iis.webserver.asp_net_application.requests_per_sec`*::
-+
---
-Number of requests per sec.
-
-
-type: float
-
---
-
-*`iis.webserver.asp_net_application.requests_executing`*::
-+
---
-Number of requests executing.
-
-
-type: float
-
---
-
-*`iis.webserver.asp_net_application.requests_in_application_queue`*::
-+
---
-Number of requests in the application queue.
-
-
-type: float
-
---
-
-[float]
-=== cache
-
-The cache overview.
-
-
-
-*`iis.webserver.cache.current_file_cache_memory_usage`*::
-+
---
-The current file cache memory usage size.
-
-
-type: float
-
---
-
-*`iis.webserver.cache.current_files_cached`*::
-+
---
-The number of current files cached.
-
-
-type: float
-
---
-
-*`iis.webserver.cache.current_uris_cached`*::
-+
---
-The number of current uris cached.
-
-
-type: float
-
---
-
-*`iis.webserver.cache.file_cache_hits`*::
-+
---
-The number of file cache hits.
-
-
-type: float
-
---
-
-*`iis.webserver.cache.file_cache_misses`*::
-+
---
-The number of file cache misses.
-
-
-type: float
-
---
-
-*`iis.webserver.cache.maximum_file_cache_memory_usage`*::
-+
---
-The max file cache size.
-
-
-type: float
-
---
-
-*`iis.webserver.cache.output_cache_current_items`*::
-+
---
-The number of output cache current items.
-
-
-type: float
-
---
-
-*`iis.webserver.cache.output_cache_current_memory_usage`*::
-+
---
-The output cache memory usage size.
-
-
-type: float
-
---
-
-*`iis.webserver.cache.output_cache_total_hits`*::
-+
---
-The output cache total hits count.
-
-
-type: float
-
---
-
-*`iis.webserver.cache.output_cache_total_misses`*::
-+
---
-The output cache total misses count.
-
-
-type: float
-
---
-
-*`iis.webserver.cache.total_files_cached`*::
-+
---
-the total number of files cached.
-
-
-type: float
-
---
-
-*`iis.webserver.cache.total_uris_cached`*::
-+
---
-The total number of URIs cached.
-
-
-type: float
-
---
-
-*`iis.webserver.cache.uri_cache_hits`*::
-+
---
-The number of URIs cached hits.
-
-
-type: float
-
---
-
-*`iis.webserver.cache.uri_cache_misses`*::
-+
---
-The number of URIs cache misses.
-
-
-type: float
-
---
-
-[float]
-=== network
-
-The network related stats.
-
-
-
-*`iis.webserver.network.anonymous_users_per_sec`*::
-+
---
-The number of anonymous users per sec.
-
-
-type: float
-
---
-
-*`iis.webserver.network.bytes_received_per_sec`*::
-+
---
-The size of bytes received per sec.
-
-
-type: float
-
---
-
-*`iis.webserver.network.bytes_sent_per_sec`*::
-+
---
-The size of bytes sent per sec.
-
-
-type: float
-
---
-
-*`iis.webserver.network.current_anonymous_users`*::
-+
---
-The number of current anonymous users.
-
-
-type: float
-
---
-
-*`iis.webserver.network.current_connections`*::
-+
---
-The number of current connections.
-
-
-type: float
-
---
-
-*`iis.webserver.network.current_non_anonymous_users`*::
-+
---
-The number of current non anonymous users.
-
-
-type: float
-
---
-
-*`iis.webserver.network.delete_requests_per_sec`*::
-+
---
-Number of DELETE requests per sec.
-
-
-type: float
-
---
-
-*`iis.webserver.network.get_requests_per_sec`*::
-+
---
-Number of GET requests per sec.
-
-
-type: float
-
---
-
-*`iis.webserver.network.maximum_connections`*::
-+
---
-Number of maximum connections.
-
-
-type: float
-
---
-
-*`iis.webserver.network.post_requests_per_sec`*::
-+
---
-Number of POST requests per sec.
-
-
-type: float
-
---
-
-*`iis.webserver.network.service_uptime`*::
-+
---
-Service uptime.
-
-
-type: float
-
---
-
-*`iis.webserver.network.total_anonymous_users`*::
-+
---
-Total number of anonymous users.
-
-
-type: float
-
---
-
-*`iis.webserver.network.total_bytes_received`*::
-+
---
-Total size of bytes received.
-
-
-type: float
-
---
-
-*`iis.webserver.network.total_bytes_sent`*::
-+
---
-Total size of bytes sent.
-
-
-type: float
-
---
-
-*`iis.webserver.network.total_connection_attempts`*::
-+
---
-The total number of connection attempts.
-
-
-type: float
-
---
-
-*`iis.webserver.network.total_delete_requests`*::
-+
---
-The total number of DELETE requests.
-
-
-type: float
-
---
-
-*`iis.webserver.network.total_get_requests`*::
-+
---
-The total number of GET requests.
-
-
-type: float
-
---
-
-*`iis.webserver.network.total_non_anonymous_users`*::
-+
---
-The total number of non anonymous users.
-
-
-type: float
-
---
-
-*`iis.webserver.network.total_post_requests`*::
-+
---
-The total number of POST requests.
-
-
-type: float
-
---
-
-[float]
-=== website
-
-Website related metrics.
-
-
-
-*`iis.website.name`*::
-+
---
-website name
-
-
-type: keyword
-
---
-
-[float]
-=== network
-
-The network overview.
-
-
-
-*`iis.website.network.bytes_received_per_sec`*::
-+
---
-The bytes received per sec size.
-
-
-type: float
-
---
-
-*`iis.website.network.bytes_sent_per_sec`*::
-+
---
-The bytes sent per sec size.
-
-
-type: float
-
---
-
-*`iis.website.network.current_connections`*::
-+
---
-The number of current connections.
-
-
-type: float
-
---
-
-*`iis.website.network.delete_requests_per_sec`*::
-+
---
-The number of DELETE requests per sec.
-
-
-type: float
-
---
-
-*`iis.website.network.get_requests_per_sec`*::
-+
---
-The number of GET requests per sec.
-
-
-type: float
-
---
-
-*`iis.website.network.maximum_connections`*::
-+
---
-The number of maximum connections.
-
-
-type: float
-
---
-
-*`iis.website.network.post_requests_per_sec`*::
-+
---
-The number of POST requests per sec.
-
-
-type: float
-
---
-
-*`iis.website.network.put_requests_per_sec`*::
-+
---
-The number of PUT requests per sec.
-
-
-type: float
-
---
-
-*`iis.website.network.service_uptime`*::
-+
---
-The service uptime.
-
-
-type: float
-
---
-
-*`iis.website.network.total_bytes_received`*::
-+
---
-The total number of bytes received.
-
-
-type: float
-
---
-
-*`iis.website.network.total_bytes_sent`*::
-+
---
-The  total number of bytes sent.
-
-
-type: float
-
---
-
-*`iis.website.network.total_connection_attempts`*::
-+
---
-The total number of connection attempts.
-
-
-type: float
-
---
-
-*`iis.website.network.total_delete_requests`*::
-+
---
-The total number of DELETE requests.
-
-
-type: float
-
---
-
-*`iis.website.network.total_get_requests`*::
-+
---
-The total number of GET requests.
-
-
-type: float
-
---
-
-*`iis.website.network.total_post_requests`*::
-+
---
-The total number of POST requests.
-
-
-type: float
-
---
-
-*`iis.website.network.total_put_requests`*::
-+
---
-The total number of PUT requests.
-
-
-type: float
-
---
-
-[[exported-fields-istio]]
-== Istio fields
-
-istio Module
-
-
-
-[float]
-=== istio
-
-`istio` contains statistics that were read from Istio
-
-
-
-[float]
-=== citadel
-
-Contains statistics related to the Istio Citadel service
-
-
-
-*`istio.citadel.grpc.method`*::
-+
---
-The grpc method
-
-
-type: keyword
-
---
-
-*`istio.citadel.grpc.service`*::
-+
---
-The grpc service
-
-
-type: keyword
-
---
-
-*`istio.citadel.grpc.type`*::
-+
---
-The type of the respective grpc service
-
-
-type: keyword
-
---
-
-*`istio.citadel.secret_controller_svc_acc_created_cert.count`*::
-+
---
-The number of certificates created due to service account creation.
-
-
-type: long
-
---
-
-*`istio.citadel.server_root_cert_expiry_seconds`*::
-+
---
-The unix timestamp, in seconds, when Citadel root cert will expire. We set it to negative in case of internal error.
-
-
-type: float
-
---
-
-*`istio.citadel.grpc.server.handled`*::
-+
---
-Total number of RPCs completed on the server, regardless of success or failure.
-
-
-type: long
-
---
-
-*`istio.citadel.grpc.server.msg.received`*::
-+
---
-Total number of RPC stream messages received on the server.
-
-
-type: long
-
---
-
-*`istio.citadel.grpc.server.msg.sent`*::
-+
---
-Total number of gRPC stream messages sent by the server.
-
-
-type: long
-
---
-
-*`istio.citadel.grpc.server.started`*::
-+
---
-Total number of RPCs started on the server.
-
-
-type: long
-
---
-
-*`istio.citadel.grpc.server.handling.latency.ms.bucket.*`*::
-+
---
-The response latency (milliseconds) of gRPC that had been application-level handled by the server.
-
-
-type: object
-
---
-
-*`istio.citadel.grpc.server.handling.latency.ms.sum`*::
-+
---
-The response latency of gRPC, sum of latencies in milliseconds
-
-
-type: long
-
-format: duration
-
---
-
-*`istio.citadel.grpc.server.handling.latency.ms.count`*::
-+
---
-The response latency of gRPC, number of metrics
-
-
-type: long
-
---
-
-[float]
-=== galley
-
-Contains statistics related to the Istio galley service
-
-
-
-*`istio.galley.name`*::
-+
---
-The name of the resource the metric is related to
-
-
-type: keyword
-
---
-
-*`istio.galley.namespace`*::
-+
---
-The Kubernetes namespace of the resource
-
-
-type: keyword
-
---
-
-*`istio.galley.version`*::
-+
---
-The version of the object
-
-
-type: keyword
-
---
-
-*`istio.galley.collection`*::
-+
---
-The collection of the instance
-
-
-type: keyword
-
---
-
-*`istio.galley.istio.authentication.meshpolicies`*::
-+
---
-The number of valid istio/authentication/meshpolicies known to galley at a point in time
-
-
-type: long
-
---
-
-*`istio.galley.istio.authentication.policies`*::
-+
---
-The number of valid istio/authentication/policies known to galley at a point in time
-
-
-type: long
-
---
-
-*`istio.galley.istio.mesh.MeshConfig`*::
-+
---
-The number of valid istio/mesh/MeshConfig known to galley at a point in time
-
-
-type: long
-
---
-
-*`istio.galley.istio.networking.destinationrules`*::
-+
---
-The number of valid istio/networking/destinationrules known to galley at a point in time
-
-
-type: long
-
---
-
-*`istio.galley.istio.networking.envoyfilters`*::
-+
---
-The number of valid istio/networking/envoyfilters known to galley at a point in time
-
-
-type: long
-
---
-
-*`istio.galley.istio.networking.gateways`*::
-+
---
-The number of valid istio/networking/gateways known to galley at a point in time
-
-
-type: long
-
---
-
-*`istio.galley.istio.networking.sidecars`*::
-+
---
-The number of valid istio/networking/sidecars known to galley at a point in time
-
-
-type: long
-
---
-
-*`istio.galley.istio.networking.virtualservices`*::
-+
---
-The number of valid istio/networking/virtualservices known to galley at a point in time
-
-
-type: long
-
---
-
-*`istio.galley.istio.policy.attributemanifests`*::
-+
---
-The number of valid istio/policy/attributemanifests known to galley at a point in time
-
-
-type: long
-
---
-
-*`istio.galley.istio.policy.handlers`*::
-+
---
-The number of valid istio/policy/handlers known to galley at a point in time
-
-
-type: long
-
---
-
-*`istio.galley.istio.policy.instances`*::
-+
---
-The number of valid istio/policy/instances known to galley at a point in time
-
-
-type: long
-
---
-
-*`istio.galley.istio.policy.rules`*::
-+
---
-The number of valid istio/policy/rules known to galley at a point in time
-
-
-type: long
-
---
-
-*`istio.galley.runtime.processor.event_span.duration.ms.bucket.*`*::
-+
---
-The duration between each incoming event as histogram buckets in milliseconds
-
-
-type: object
-
---
-
-*`istio.galley.runtime.processor.event_span.duration.ms.sum`*::
-+
---
-The duration between each incoming event, sum of durations in milliseconds
-
-
-type: long
-
-format: duration
-
---
-
-*`istio.galley.runtime.processor.event_span.duration.ms.count`*::
-+
---
-The duration between each incoming event, number of metrics
-
-
-type: long
-
---
-
-*`istio.galley.runtime.processor.snapshot_events.bucket.*`*::
-+
---
-The number of events that have been processed as histogram buckets
-
-
-type: object
-
---
-
-*`istio.galley.runtime.processor.snapshot_events.sum`*::
-+
---
-The number of events that have been processed, sum of events
-
-
-type: long
-
---
-
-*`istio.galley.runtime.processor.snapshot_events.count`*::
-+
---
-The duration between each incoming event, number of metrics
-
-
-type: long
-
---
-
-*`istio.galley.runtime.processor.snapshot_lifetime.duration.ms.bucket.*`*::
-+
---
-The duration of each snapshot as histogram buckets in milliseconds
-
-
-type: object
-
---
-
-*`istio.galley.runtime.processor.snapshot_lifetime.duration.ms.sum`*::
-+
---
-The duration of each snapshot, sum of durations in milliseconds
-
-
-type: long
-
-format: duration
-
---
-
-*`istio.galley.runtime.processor.snapshot_lifetime.duration.ms.count`*::
-+
---
-The duration of each snapshot, number of metrics
-
-
-type: long
-
---
-
-*`istio.galley.runtime.state_type_instances`*::
-+
---
-The number of type instances per type URL
-
-
-type: long
-
---
-
-*`istio.galley.runtime.strategy.on_change`*::
-+
---
-The number of times the strategy's onChange has been called
-
-
-type: long
-
---
-
-*`istio.galley.runtime.strategy.timer_quiesce_reached`*::
-+
---
-The number of times a quiesce has been reached
-
-
-type: long
-
---
-
-*`istio.galley.source_kube_event_success_total`*::
-+
---
-The number of times a kubernetes source successfully handled an event
-
-
-type: long
-
---
-
-*`istio.galley.validation.cert_key.updates`*::
-+
---
-Galley validation webhook certificate updates
-
-
-type: long
-
---
-
-*`istio.galley.validation.config.load`*::
-+
---
-k8s webhook configuration (re)loads
-
-
-type: long
-
---
-
-*`istio.galley.validation.config.updates`*::
-+
---
-k8s webhook configuration updates
-
-
-type: long
-
---
-
-[float]
-=== mesh
-
-Contains statistics related to the Istio mesh service
-
-
-
-*`istio.mesh.instance`*::
-+
---
-The prometheus instance
-
-
-type: text
-
---
-
-*`istio.mesh.job`*::
-+
---
-The prometheus job
-
-
-type: keyword
-
---
-
-*`istio.mesh.requests`*::
-+
---
-Total requests handled by an Istio proxy
-
-
-type: long
-
---
-
-*`istio.mesh.request.duration.ms.bucket.*`*::
-+
---
-Request duration histogram buckets in milliseconds
-
-
-type: object
-
---
-
-*`istio.mesh.request.duration.ms.sum`*::
-+
---
-Requests duration, sum of durations in milliseconds
-
-
-type: long
-
-format: duration
-
---
-
-*`istio.mesh.request.duration.ms.count`*::
-+
---
-Requests duration, number of requests
-
-
-type: long
-
---
-
-*`istio.mesh.request.size.bytes.bucket.*`*::
-+
---
-Request Size histogram buckets
-
-
-type: object
-
---
-
-*`istio.mesh.request.size.bytes.sum`*::
-+
---
-Request Size histogram sum
-
-
-type: long
-
---
-
-*`istio.mesh.request.size.bytes.count`*::
-+
---
-Request Size histogram count
-
-
-type: long
-
---
-
-*`istio.mesh.response.size.bytes.bucket.*`*::
-+
---
-Request Size histogram buckets
-
-
-type: object
-
---
-
-*`istio.mesh.response.size.bytes.sum`*::
-+
---
-Request Size histogram sum
-
-
-type: long
-
---
-
-*`istio.mesh.response.size.bytes.count`*::
-+
---
-Request Size histogram count
-
-
-type: long
-
---
-
-*`istio.mesh.reporter`*::
-+
---
-Reporter identifies the reporter of the request. It is set to destination if report is from a server Istio proxy and source if report is from a client Istio proxy.
-
-
-type: keyword
-
---
-
-*`istio.mesh.source.workload.name`*::
-+
---
-This identifies the name of source workload which controls the source.
-
-
-type: keyword
-
---
-
-*`istio.mesh.source.workload.namespace`*::
-+
---
-This identifies the namespace of the source workload.
-
-
-type: keyword
-
---
-
-*`istio.mesh.source.principal`*::
-+
---
-This identifies the peer principal of the traffic source. It is set when peer authentication is used.
-
-
-type: keyword
-
---
-
-*`istio.mesh.source.app`*::
-+
---
-This identifies the source app based on app label of the source workload.
-
-
-type: keyword
-
---
-
-*`istio.mesh.source.version`*::
-+
---
-This identifies the version of the source workload.
-
-
-type: keyword
-
---
-
-*`istio.mesh.destination.workload.name`*::
-+
---
-This identifies the name of destination workload.
-
-
-type: keyword
-
---
-
-*`istio.mesh.destination.workload.namespace`*::
-+
---
-This identifies the namespace of the destination workload.
-
-
-type: keyword
-
---
-
-*`istio.mesh.destination.principal`*::
-+
---
-This identifies the peer principal of the traffic destination. It is set when peer authentication is used.
-
-
-type: keyword
-
---
-
-*`istio.mesh.destination.app`*::
-+
---
-This identifies the destination app based on app label of the destination workload..
-
-
-type: keyword
-
---
-
-*`istio.mesh.destination.version`*::
-+
---
-This identifies the version of the destination workload.
-
-
-type: keyword
-
---
-
-*`istio.mesh.destination.service.host`*::
-+
---
-This identifies destination service host responsible for an incoming request.
-
-
-type: keyword
-
---
-
-*`istio.mesh.destination.service.name`*::
-+
---
-This identifies the destination service name.
-
-
-type: keyword
-
---
-
-*`istio.mesh.destination.service.namespace`*::
-+
---
-This identifies the namespace of destination service.
-
-
-type: keyword
-
---
-
-*`istio.mesh.request.protocol`*::
-+
---
-This identifies the protocol of the request. It is set to API protocol if provided, otherwise request or connection protocol.
-
-
-type: keyword
-
---
-
-*`istio.mesh.response.code`*::
-+
---
-This identifies the response code of the request. This label is present only on HTTP metrics.
-
-
-type: long
-
---
-
-*`istio.mesh.connection.security.policy`*::
-+
---
-This identifies the service authentication policy of the request. It is set to mutual_tls when Istio is used to make communication secure and report is from destination. It is set to unknown when report is from source since security policy cannot be properly populated.
-
-
-type: keyword
-
---
-
-[float]
-=== mixer
-
-Contains statistics related to the Istio mixer service
-
-
-
-*`istio.mixer.istio.mcp.request.acks`*::
-+
---
-The number of request acks received by the source.
-
-
-type: long
-
---
-
-*`istio.mixer.config.adapter.info.errors.config`*::
-+
---
-The number of errors encountered during processing of the adapter info configuration.
-
-
-type: long
-
---
-
-*`istio.mixer.config.adapter.info.configs`*::
-+
---
-The number of known adapters in the current config.
-
-
-type: long
-
---
-
-*`istio.mixer.config.attributes`*::
-+
---
-The number of known attributes in the current config.
-
-
-type: long
-
---
-
-*`istio.mixer.config.handler.configs`*::
-+
---
-The number of known handlers in the current config.
-
-
-type: long
-
---
-
-*`istio.mixer.config.handler.errors.validation`*::
-+
---
-The number of errors encountered because handler validation returned error.
-
-
-type: long
-
---
-
-*`istio.mixer.config.instance.errors.config`*::
-+
---
-The number of errors encountered during processing of the instance configuration.
-
-
-type: long
-
---
-
-*`istio.mixer.config.instance.configs`*::
-+
---
-The number of known instances in the current config.
-
-
-type: long
-
---
-
-*`istio.mixer.config.rule.errors.config`*::
-+
---
-The number of errors encountered during processing of the rule configuration.
-
-
-type: long
-
---
-
-*`istio.mixer.config.rule.errors.match`*::
-+
---
-The number of rule conditions that was not parseable.
-
-
-type: long
-
---
-
-*`istio.mixer.config.rule.configs`*::
-+
---
-The number of known rules in the current config.
-
-
-type: long
-
---
-
-*`istio.mixer.config.template.errors.config`*::
-+
---
-The number of errors encountered during processing of the template configuration.
-
-
-type: long
-
---
-
-*`istio.mixer.config.template.configs`*::
-+
---
-The number of known templates in the current config.
-
-
-type: long
-
---
-
-*`istio.mixer.config.unsatisfied.action_handler`*::
-+
---
-The number of actions that failed due to handlers being unavailable.
-
-
-type: long
-
---
-
-*`istio.mixer.dispatcher_destinations_per_variety_total`*::
-+
---
-The number of Mixer adapter destinations by template variety type.
-
-
-type: long
-
---
-
-*`istio.mixer.handler.handlers.closed`*::
-+
---
-The number of handlers that were closed during config transition.
-
-
-type: long
-
---
-
-*`istio.mixer.handler.daemons`*::
-+
---
-The current number of active daemon routines in a given adapter environment.
-
-
-type: long
-
---
-
-*`istio.mixer.handler.failures.build`*::
-+
---
-The number of handlers that failed creation during config transition.
-
-
-type: long
-
---
-
-*`istio.mixer.handler.failures.close`*::
-+
---
-The number of errors encountered while closing handlers during config transition.
-
-
-type: long
-
---
-
-*`istio.mixer.handler.handlers.new`*::
-+
---
-The number of handlers that were newly created during config transition.
-
-
-type: long
-
---
-
-*`istio.mixer.handler.handlers.reused`*::
-+
---
-The number of handlers that were re-used during config transition.
-
-
-type: long
-
---
-
-*`istio.mixer.handler.name`*::
-+
---
-The name of the daemon  handler
-
-
-type: keyword
-
---
-
-*`istio.mixer.variety`*::
-+
---
-The name of the variety
-
-
-type: keyword
-
---
-
-[float]
-=== pilot
-
-Contains statistics related to the Istio pilot service
-
-
-
-*`istio.pilot.xds.count`*::
-+
---
-Count of concurrent xDS client connections for Pilot.
-
-
-type: long
-
---
-
-*`istio.pilot.xds.pushes`*::
-+
---
-Count of xDS messages sent, as well as errors building or sending xDS messages for lds, rds, cds and eds.
-
-
-type: long
-
---
-
-*`istio.pilot.xds.push.time.ms.bucket.*`*::
-+
---
-Total time Pilot takes to push lds, rds, cds and eds, histogram buckets in milliseconds.
-
-
-type: object
-
---
-
-*`istio.pilot.xds.push.time.ms.sum`*::
-+
---
-Total time Pilot takes to push lds, rds, cds and eds, histogram sum of times in milliseconds.
-
-
-type: long
-
---
-
-*`istio.pilot.xds.push.time.ms.count`*::
-+
---
-Total time Pilot takes to push lds, rds, cds and eds, histogram count of times.
-
-
-type: long
-
---
-
-*`istio.pilot.xds.eds.instances`*::
-+
---
-Instances for each cluster, as of last push. Zero instances is an error.
-
-
-type: long
-
---
-
-*`istio.pilot.xds.push.context.errors`*::
-+
---
-Number of errors (timeouts) initiating push context.
-
-
-type: long
-
---
-
-*`istio.pilot.xds.internal.errors`*::
-+
---
-Total number of internal XDS errors in pilot.
-
-
-type: long
-
---
-
-*`istio.pilot.conflict.listener.inbound`*::
-+
---
-Number of conflicting inbound listeners.
-
-
-type: long
-
---
-
-*`istio.pilot.conflict.listener.outbound.http.over.current.tcp`*::
-+
---
-Number of conflicting wildcard http listeners with current wildcard tcp listener.
-
-
-type: long
-
---
-
-*`istio.pilot.conflict.listener.outbound.http.over.https`*::
-+
---
-Number of conflicting HTTP listeners with well known HTTPS ports.
-
-
-type: long
-
---
-
-*`istio.pilot.conflict.listener.outbound.tcp.over.current.http`*::
-+
---
-Number of conflicting wildcard tcp listeners with current wildcard http listener.
-
-
-type: long
-
---
-
-*`istio.pilot.conflict.listener.outbound.tcp.over.current.tcp`*::
-+
---
-Number of conflicting tcp listeners with current tcp listener.
-
-
-type: long
-
---
-
-*`istio.pilot.proxy.conv.ms.bucket.*`*::
-+
---
-Time needed by Pilot to push Envoy configurations, histogram buckets in milliseconds.
-
-
-type: object
-
---
-
-*`istio.pilot.proxy.conv.ms.sum`*::
-+
---
-Time needed by Pilot to push Envoy configurations, histogram sum of times in milliseconds.
-
-
-type: long
-
---
-
-*`istio.pilot.proxy.conv.ms.count`*::
-+
---
-Time needed by Pilot to push Envoy configurations, histogram count of times.
-
-
-type: long
-
---
-
-*`istio.pilot.services`*::
-+
---
-Total services known to pilot.
-
-
-type: integer
-
---
-
-*`istio.pilot.virt.services`*::
-+
---
-Total virtual services known to pilot.
-
-
-type: long
-
---
-
-*`istio.pilot.no.ip`*::
-+
---
-Pods not found in the endpoint table, possibly invalid.
-
-
-type: long
-
---
-
-*`istio.pilot.cluster`*::
-+
---
-The instance FQDN.
-
-
-type: text
-
---
-
-*`istio.pilot.type`*::
-+
---
-The Envoy proxy configuration type.
-
-
-type: text
-
---
-
-[[exported-fields-jolokia]]
-== Jolokia fields
-
-Jolokia module
-
-
-
-[float]
-=== jolokia
-
-jolokia contains metrics exposed via jolokia agent
-
-
-
-[[exported-fields-jolokia-autodiscover]]
-== Jolokia Discovery autodiscover provider fields
-
-Metadata from Jolokia Discovery added by the jolokia provider.
-
-
-
-*`jolokia.agent.version`*::
-+
---
-Version number of jolokia agent.
-
-
-type: keyword
-
---
-
-*`jolokia.agent.id`*::
-+
---
-Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.
-
-
-type: keyword
-
---
-
-*`jolokia.server.product`*::
-+
---
-The container product if detected.
-
-
-type: keyword
-
---
-
-*`jolokia.server.version`*::
-+
---
-The container's version (if detected).
-
-
-type: keyword
-
---
-
-*`jolokia.server.vendor`*::
-+
---
-The vendor of the container the agent is running in.
-
-
-type: keyword
-
---
-
-*`jolokia.url`*::
-+
---
-The URL how this agent can be contacted.
-
-
-type: keyword
-
---
-
-*`jolokia.secured`*::
-+
---
-Whether the agent was configured for authentication or not.
-
-
-type: boolean
-
---
-
-[[exported-fields-kafka]]
-== Kafka fields
-
-Kafka module
-
-
-
-[float]
-=== kafka
-
-
-
-
-[float]
-=== broker
-
-Broker Consumer Group Information have been read from (Broker handling the consumer group).
-
-
-
-*`kafka.broker.id`*::
-+
---
-Broker id
-
-
-type: long
-
---
-
-*`kafka.broker.address`*::
-+
---
-Broker advertised address
-
-
-type: keyword
-
---
-
-*`kafka.topic.name`*::
-+
---
-Topic name
-
-
-type: keyword
-
---
-
-*`kafka.topic.error.code`*::
-+
---
-Topic error code.
-
-
-type: long
-
---
-
-*`kafka.partition.id`*::
-+
---
-Partition id.
-
-
-type: long
-
---
-
-*`kafka.partition.topic_id`*::
-+
---
-Unique id of the partition in the topic.
-
-type: keyword
-
---
-
-*`kafka.partition.topic_broker_id`*::
-+
---
-Unique id of the partition in the topic and the broker.
-
-type: keyword
-
---
-
-[float]
-=== broker
-
-Broker metrics from Kafka Broker JMX
-
-
-*`kafka.broker.mbean`*::
-+
---
-Mbean that this event is related to
-
-type: keyword
-
---
-
-*`kafka.broker.request.channel.queue.size`*::
-+
---
-The size of the request queue
-
-type: long
-
---
-
-*`kafka.broker.request.produce.failed_per_second`*::
-+
---
-The rate of failed produce requests per second
-
-type: float
-
---
-
-*`kafka.broker.request.fetch.failed_per_second`*::
-+
---
-The rate of client fetch request failures per second
-
-type: float
-
---
-
-*`kafka.broker.request.produce.failed`*::
-+
---
-The number of failed produce requests
-
-type: float
-
---
-
-*`kafka.broker.request.fetch.failed`*::
-+
---
-The number of client fetch request failures
-
-type: float
-
---
-
-*`kafka.broker.replication.leader_elections`*::
-+
---
-The leader election rate
-
-type: float
-
---
-
-*`kafka.broker.replication.unclean_leader_elections`*::
-+
---
-The unclean leader election rate
-
-type: float
-
---
-
-*`kafka.broker.session.zookeeper.disconnect`*::
-+
---
-The ZooKeeper closed sessions per second
-
-type: float
-
---
-
-*`kafka.broker.session.zookeeper.expire`*::
-+
---
-The ZooKeeper expired sessions per second
-
-type: float
-
---
-
-*`kafka.broker.session.zookeeper.readonly`*::
-+
---
-The ZooKeeper readonly sessions per second
-
-type: float
-
---
-
-*`kafka.broker.session.zookeeper.sync`*::
-+
---
-The ZooKeeper client connections per second
-
-type: float
-
---
-
-*`kafka.broker.log.flush_rate`*::
-+
---
-The log flush rate
-
-type: float
-
---
-
-*`kafka.broker.topic.net.in.bytes_per_sec`*::
-+
---
-The incoming byte rate per topic
-
-type: float
-
---
-
-*`kafka.broker.topic.net.out.bytes_per_sec`*::
-+
---
-The outgoing byte rate per topic
-
-type: float
-
---
-
-*`kafka.broker.topic.net.rejected.bytes_per_sec`*::
-+
---
-The rejected byte rate per topic
-
-type: float
-
---
-
-*`kafka.broker.topic.messages_in`*::
-+
---
-The incoming message rate per topic
-
-type: float
-
---
-
-*`kafka.broker.net.in.bytes_per_sec`*::
-+
---
-The incoming byte rate
-
-type: float
-
---
-
-*`kafka.broker.net.out.bytes_per_sec`*::
-+
---
-The outgoing byte rate
-
-type: float
-
---
-
-*`kafka.broker.net.rejected.bytes_per_sec`*::
-+
---
-The rejected byte rate
-
-type: float
-
---
-
-*`kafka.broker.messages_in`*::
-+
---
-The incoming message rate
-
-type: float
-
---
-
-[float]
-=== consumer
-
-Consumer metrics from Kafka Consumer JMX
-
-
-*`kafka.consumer.mbean`*::
-+
---
-Mbean that this event is related to
-
-type: keyword
-
---
-
-*`kafka.consumer.fetch_rate`*::
-+
---
-The minimum rate at which the consumer sends fetch requests to a broker
-
-type: float
-
---
-
-*`kafka.consumer.bytes_consumed`*::
-+
---
-The average number of bytes consumed for a specific topic per second
-
-type: float
-
---
-
-*`kafka.consumer.records_consumed`*::
-+
---
-The average number of records consumed per second for a specific topic
-
-type: float
-
---
-
-*`kafka.consumer.in.bytes_per_sec`*::
-+
---
-The rate of bytes coming in to the consumer
-
-type: float
-
---
-
-*`kafka.consumer.max_lag`*::
-+
---
-The maximum consumer lag
-
-type: float
-
---
-
-*`kafka.consumer.zookeeper_commits`*::
-+
---
-The rate of offset commits to ZooKeeper
-
-type: float
-
---
-
-*`kafka.consumer.kafka_commits`*::
-+
---
-The rate of offset commits to Kafka
-
-type: float
-
---
-
-*`kafka.consumer.messages_in`*::
-+
---
-The rate of consumer message consumption
-
-type: float
-
---
-
-[float]
-=== consumergroup
-
-consumergroup
-
-
-
-*`kafka.consumergroup.id`*::
-+
---
-Consumer Group ID
-
-type: keyword
-
---
-
-*`kafka.consumergroup.offset`*::
-+
---
-consumer offset into partition being read
-
-type: long
-
---
-
-*`kafka.consumergroup.meta`*::
-+
---
-custom consumer meta data string
-
-type: keyword
-
---
-
-*`kafka.consumergroup.consumer_lag`*::
-+
---
-consumer lag for partition/topic calculated as the difference between the partition offset and consumer offset
-
-type: long
-
---
-
-*`kafka.consumergroup.error.code`*::
-+
---
-kafka consumer/partition error code.
-
-
-type: long
-
---
-
-[float]
-=== client
-
-Assigned client reading events from partition
-
-
-
-*`kafka.consumergroup.client.id`*::
-+
---
-Client ID (kafka setting client.id)
-
-type: keyword
-
---
-
-*`kafka.consumergroup.client.host`*::
-+
---
-Client host
-
-type: keyword
-
---
-
-*`kafka.consumergroup.client.member_id`*::
-+
---
-internal consumer group member ID
-
-type: keyword
-
---
-
-[float]
-=== partition
-
-partition
-
-
-
-[float]
-=== offset
-
-Available offsets of the given partition.
-
-
-
-*`kafka.partition.offset.newest`*::
-+
---
-Newest offset of the partition.
-
-
-type: long
-
---
-
-*`kafka.partition.offset.oldest`*::
-+
---
-Oldest offset of the partition.
-
-
-type: long
-
---
-
-[float]
-=== partition
-
-Partition data.
-
-
-
-*`kafka.partition.partition.leader`*::
-+
---
-Leader id (broker).
-
-
-type: long
-
---
-
-*`kafka.partition.partition.replica`*::
-+
---
-Replica id (broker).
-
-
-type: long
-
---
-
-*`kafka.partition.partition.insync_replica`*::
-+
---
-Indicates if replica is included in the in-sync replicate set (ISR).
-
-
-type: boolean
-
---
-
-*`kafka.partition.partition.is_leader`*::
-+
---
-Indicates if replica is the leader
-
-
-type: boolean
-
---
-
-*`kafka.partition.partition.error.code`*::
-+
---
-Error code from fetching partition.
-
-
-type: long
-
---
-
-[float]
-=== producer
-
-Producer metrics from Kafka Producer JMX
-
-
-*`kafka.producer.mbean`*::
-+
---
-Mbean that this event is related to
-
-type: keyword
-
---
-
-*`kafka.producer.available_buffer_bytes`*::
-+
---
-The total amount of buffer memory
-
-type: float
-
---
-
-*`kafka.producer.batch_size_avg`*::
-+
---
-The average number of bytes sent
-
-type: float
-
---
-
-*`kafka.producer.batch_size_max`*::
-+
---
-The maximum number of bytes sent
-
-type: long
-
---
-
-*`kafka.producer.record_send_rate`*::
-+
---
-The average number of records sent per second
-
-type: float
-
---
-
-*`kafka.producer.record_retry_rate`*::
-+
---
-The average number of retried record sends per second
-
-type: float
-
---
-
-*`kafka.producer.record_error_rate`*::
-+
---
-The average number of retried record sends per second
-
-type: float
-
---
-
-*`kafka.producer.records_per_request`*::
-+
---
-The average number of records sent per second
-
-type: float
-
---
-
-*`kafka.producer.record_size_avg`*::
-+
---
-The average record size
-
-type: float
-
---
-
-*`kafka.producer.record_size_max`*::
-+
---
-The maximum record size
-
-type: long
-
---
-
-*`kafka.producer.request_rate`*::
-+
---
-The number of producer requests per second
-
-type: float
-
---
-
-*`kafka.producer.response_rate`*::
-+
---
-The number of producer responses per second
-
-type: float
-
---
-
-*`kafka.producer.io_wait`*::
-+
---
-The producer I/O wait time
-
-type: float
-
---
-
-*`kafka.producer.out.bytes_per_sec`*::
-+
---
-The rate of bytes going out for the producer
-
-type: float
-
---
-
-*`kafka.producer.message_rate`*::
-+
---
-The producer message rate
-
-type: float
-
---
-
-[[exported-fields-kibana]]
-== Kibana fields
-
-Kibana module
-
-
-
-
-*`kibana_stats.timestamp`*::
-+
---
-type: alias
-
-alias to: @timestamp
-
---
-
-*`kibana_stats.kibana.response_time.max`*::
-+
---
-type: alias
-
-alias to: kibana.stats.response_time.max.ms
-
---
-
-*`kibana_stats.kibana.status`*::
-+
---
-type: alias
-
-alias to: kibana.stats.kibana.status
-
---
-
-*`kibana_stats.os.memory.free_in_bytes`*::
-+
---
-type: alias
-
-alias to: kibana.stats.os.memory.free_in_bytes
-
---
-
-*`kibana_stats.process.uptime_in_millis`*::
-+
---
-type: alias
-
-alias to: kibana.stats.process.uptime.ms
-
---
-
-*`kibana_stats.process.memory.heap.size_limit`*::
-+
---
-type: alias
-
-alias to: kibana.stats.process.memory.heap.size_limit.bytes
-
---
-
-*`kibana_stats.concurrent_connections`*::
-+
---
-type: alias
-
-alias to: kibana.stats.concurrent_connections
-
---
-
-*`kibana_stats.process.memory.resident_set_size_in_bytes`*::
-+
---
-type: alias
-
-alias to: kibana.stats.process.memory.resident_set_size.bytes
-
---
-
-*`kibana_stats.os.load.1m`*::
-+
---
-type: alias
-
-alias to: kibana.stats.os.load.1m
-
---
-
-*`kibana_stats.os.load.5m`*::
-+
---
-type: alias
-
-alias to: kibana.stats.os.load.5m
-
---
-
-*`kibana_stats.os.load.15m`*::
-+
---
-type: alias
-
-alias to: kibana.stats.os.load.15m
-
---
-
-*`kibana_stats.process.event_loop_delay`*::
-+
---
-type: alias
-
-alias to: kibana.stats.process.event_loop_delay.ms
-
---
-
-*`kibana_stats.process.event_loop_utilization.active`*::
-+
---
-type: alias
-
-alias to: kibana.stats.process.event_loop_utilization.active
-
---
-
-*`kibana_stats.process.event_loop_utilization.idle`*::
-+
---
-type: alias
-
-alias to: kibana.stats.process.event_loop_utilization.idle
-
---
-
-*`kibana_stats.process.event_loop_utilization.utilization`*::
-+
---
-type: alias
-
-alias to: kibana.stats.process.event_loop_utilization.utilization
-
---
-
-*`kibana_stats.requests.total`*::
-+
---
-type: alias
-
-alias to: kibana.stats.request.total
-
---
-
-*`kibana_stats.requests.disconnects`*::
-+
---
-type: alias
-
-alias to: kibana.stats.request.disconnects
-
---
-
-*`kibana_stats.response_times.max`*::
-+
---
-type: alias
-
-alias to: kibana.stats.response_time.max.ms
-
---
-
-*`kibana_stats.response_times.average`*::
-+
---
-type: alias
-
-alias to: kibana.stats.response_time.avg.ms
-
---
-
-*`kibana_stats.kibana.uuid`*::
-+
---
-type: alias
-
-alias to: service.id
-
---
-
-
-*`kibana.elasticsearch.cluster.id`*::
-+
---
-type: keyword
-
---
-
-[float]
-=== cluster_actions
-
-Kibana cluster actions metrics.
-
-
-
-
-*`kibana.cluster_actions.kibana.status`*::
-+
---
-type: keyword
-
---
-
-
-*`kibana.cluster_actions.overdue.count`*::
-+
---
-type: long
-
---
-
-
-*`kibana.cluster_actions.overdue.delay.p50`*::
-+
---
-type: float
-
---
-
-*`kibana.cluster_actions.overdue.delay.p99`*::
-+
---
-type: float
-
---
-
-[float]
-=== cluster_rules
-
-Kibana cluster rule metrics.
-
-
-
-
-*`kibana.cluster_rules.kibana.status`*::
-+
---
-type: keyword
-
---
-
-
-*`kibana.cluster_rules.overdue.count`*::
-+
---
-type: long
-
---
-
-
-*`kibana.cluster_rules.overdue.delay.p50`*::
-+
---
-type: float
-
---
-
-*`kibana.cluster_rules.overdue.delay.p99`*::
-+
---
-type: float
-
---
-
-[float]
-=== node_actions
-
-Kibana node actions metrics.
-
-
-
-
-*`kibana.node_actions.kibana.status`*::
-+
---
-type: keyword
-
---
-
-*`kibana.node_actions.failures`*::
-+
---
-type: long
-
---
-
-*`kibana.node_actions.executions`*::
-+
---
-type: long
-
---
-
-*`kibana.node_actions.timeouts`*::
-+
---
-type: long
-
---
-
-[float]
-=== node_rules
-
-Kibana node rule metrics.
-
-
-
-
-*`kibana.node_rules.kibana.status`*::
-+
---
-type: keyword
-
---
-
-*`kibana.node_rules.failures`*::
-+
---
-type: long
-
---
-
-*`kibana.node_rules.executions`*::
-+
---
-type: long
-
---
-
-*`kibana.node_rules.timeouts`*::
-+
---
-type: long
-
---
-
-[float]
-=== stats
-
-Kibana stats and run-time metrics.
-
-
-
-
-*`kibana.stats.kibana.status`*::
-+
---
-type: keyword
-
---
-
-
-*`kibana.stats.usage.index`*::
-+
---
-type: keyword
-
---
-
-*`kibana.stats.uuid`*::
-+
---
-Kibana instance UUID
-
-
-type: alias
-
-alias to: service.id
-
---
-
-*`kibana.stats.name`*::
-+
---
-Kibana instance name
-
-
-type: keyword
-
---
-
-*`kibana.stats.index`*::
-+
---
-Name of Kibana's internal index
-
-
-type: keyword
-
---
-
-*`kibana.stats.host.name`*::
-+
---
-Kibana instance hostname
-
-
-type: keyword
-
---
-
-*`kibana.stats.transport_address`*::
-+
---
-Kibana server's hostname and port
-
-
-type: alias
-
-alias to: service.address
-
---
-
-*`kibana.stats.version`*::
-+
---
-Kibana version
-
-
-type: alias
-
-alias to: service.version
-
---
-
-*`kibana.stats.snapshot`*::
-+
---
-Whether the Kibana build is a snapshot build
-
-
-type: boolean
-
---
-
-*`kibana.stats.status`*::
-+
---
-Kibana instance's health status
-
-
-type: keyword
-
---
-
-
-*`kibana.stats.os.distro`*::
-+
---
-type: keyword
-
---
-
-*`kibana.stats.os.distroRelease`*::
-+
---
-type: keyword
-
---
-
-*`kibana.stats.os.platform`*::
-+
---
-type: keyword
-
---
-
-*`kibana.stats.os.platformRelease`*::
-+
---
-type: keyword
-
---
-
-
-*`kibana.stats.os.memory.free_in_bytes`*::
-+
---
-type: long
-
---
-
-*`kibana.stats.os.memory.total_in_bytes`*::
-+
---
-type: long
-
---
-
-*`kibana.stats.os.memory.used_in_bytes`*::
-+
---
-type: long
-
---
-
-
-*`kibana.stats.os.cpuacct.control_group`*::
-+
---
-type: keyword
-
---
-
-*`kibana.stats.os.cpuacct.usage_nanos`*::
-+
---
-type: long
-
---
-
-
-*`kibana.stats.os.cgroup_memory.current_in_bytes`*::
-+
---
-type: long
-
---
-
-*`kibana.stats.os.cgroup_memory.swap_current_in_bytes`*::
-+
---
-type: long
-
---
-
-
-*`kibana.stats.os.load.1m`*::
-+
---
-type: half_float
-
---
-
-*`kibana.stats.os.load.5m`*::
-+
---
-type: half_float
-
---
-
-*`kibana.stats.os.load.15m`*::
-+
---
-type: half_float
-
---
-
-*`kibana.stats.concurrent_connections`*::
-+
---
-Number of client connections made to the server. Note that browsers can send multiple simultaneous connections to request multiple server assets at once, and they can re-use established connections.
-
-
-type: long
-
---
-
-[float]
-=== process
-
-Process metrics
-
-
-
-*`kibana.stats.process.memory.resident_set_size.bytes`*::
-+
---
-type: long
-
---
-
-*`kibana.stats.process.memory.array_buffers.bytes`*::
-+
---
-type: long
-
---
-
-*`kibana.stats.process.memory.external.bytes`*::
-+
---
-type: long
-
---
-
-*`kibana.stats.process.uptime.ms`*::
-+
---
-type: long
-
---
-
-*`kibana.stats.process.event_loop_delay.ms`*::
-+
---
-Event loop delay in milliseconds
-
-
-type: scaled_float
-
---
-
-[float]
-=== event_loop_utilization
-
-The ratio of time the event loop is not idling in the event provider to the total time the event loop is running.
-
-
-
-*`kibana.stats.process.event_loop_utilization.active`*::
-+
---
-Duration of time event loop has been active since last measurement.
-
-
-type: scaled_float
-
---
-
-*`kibana.stats.process.event_loop_utilization.idle`*::
-+
---
-Duration of time event loop has been idle since last measurement.
-
-
-type: scaled_float
-
---
-
-*`kibana.stats.process.event_loop_utilization.utilization`*::
-+
---
-Computed utilization value representing ratio of active to idle time since last measurement.
-
-
-type: scaled_float
-
---
-
-[float]
-=== memory.heap
-
-Process heap metrics
-
-
-
-*`kibana.stats.process.memory.heap.total.bytes`*::
-+
---
-Total heap allocated to process in bytes
-
-
-type: long
-
-format: bytes
-
---
-
-*`kibana.stats.process.memory.heap.used.bytes`*::
-+
---
-Heap used by process in bytes
-
-
-type: long
-
-format: bytes
-
---
-
-*`kibana.stats.process.memory.heap.size_limit.bytes`*::
-+
---
-Max. old space size allocated to Node.js process, in bytes
-
-
-type: long
-
-format: bytes
-
---
-
-*`kibana.stats.process.memory.heap.uptime.ms`*::
-+
---
-Uptime of process in milliseconds
-
-
-type: long
-
---
-
-[float]
-=== request
-
-Request count metrics
-
-
-
-*`kibana.stats.request.disconnects`*::
-+
---
-Number of requests that were disconnected
-
-
-type: long
-
---
-
-*`kibana.stats.request.total`*::
-+
---
-Total number of requests
-
-
-type: long
-
---
-
-[float]
-=== response_time
-
-Response times metrics
-
-
-*`kibana.stats.response_time.avg.ms`*::
-+
---
-Average response time in milliseconds
-
-type: long
-
---
-
-*`kibana.stats.response_time.max.ms`*::
-+
---
-Maximum response time in milliseconds
-
-type: long
-
---
-
-[float]
-=== elasticsearch_client
-
-Elasticsearch Client's stats
-
-
-*`kibana.stats.elasticsearch_client.total_active_sockets`*::
-+
---
-Total number of active sockets
-
-type: integer
-
---
-
-*`kibana.stats.elasticsearch_client.total_idle_sockets`*::
-+
---
-Total number of idle sockets
-
-type: integer
-
---
-
-*`kibana.stats.elasticsearch_client.total_queued_requests`*::
-+
---
-Total number of queued requests
-
-type: integer
-
---
-
-[float]
-=== status
-
-Status fields
-
-
-
-*`kibana.status.name`*::
-+
---
-Kibana instance name.
-
-
-type: keyword
-
---
-
-*`kibana.status.uuid`*::
-+
---
-Kibana instance uuid.
-
-
-type: alias
-
-alias to: service.id
-
---
-
-*`kibana.status.version.number`*::
-+
---
-Kibana version number.
-
-
-type: alias
-
-alias to: service.version
-
---
-
-*`kibana.status.status.overall.state`*::
-+
---
-Kibana overall state (v7 format).
-
-
-type: keyword
-
---
-
-*`kibana.status.status.overall.level`*::
-+
---
-Kibana overall level (v8 format).
-
-
-type: keyword
-
---
-
-*`kibana.status.status.overall.summary`*::
-+
---
-Kibana overall state in a human-readable format.
-
-
-type: text
-
---
-
-*`kibana.status.status.core.elasticsearch.level`*::
-+
---
-Kibana Elasticsearch client's status
-
-
-type: keyword
-
---
-
-*`kibana.status.status.core.elasticsearch.summary`*::
-+
---
-Kibana Elasticsearch client's status in a human-readable format.
-
-
-type: text
-
---
-
-*`kibana.status.status.core.savedObjects.level`*::
-+
---
-Kibana Saved Objects client's status
-
-
-type: keyword
-
---
-
-*`kibana.status.status.core.savedObjects.summary`*::
-+
---
-Kibana Saved Objects client's status in a human-readable format.
-
-
-type: text
-
---
-
-[float]
-=== metrics
-
-Metrics fields
-
-
-
-*`kibana.status.metrics.concurrent_connections`*::
-+
---
-Current concurrent connections.
-
-
-type: long
-
---
-
-[float]
-=== requests
-
-Request statistics.
-
-
-
-*`kibana.status.metrics.requests.disconnects`*::
-+
---
-Total number of disconnected connections.
-
-
-type: long
-
---
-
-*`kibana.status.metrics.requests.total`*::
-+
---
-Total number of connections.
-
-
-type: long
-
---
-
-[[exported-fields-kubernetes-processor]]
-== Kubernetes fields
-
-Kubernetes metadata added by the kubernetes processor
-
-
-
-
-*`kubernetes.pod.name`*::
-+
---
-Kubernetes pod name
-
-
-type: keyword
-
---
-
-*`kubernetes.pod.uid`*::
-+
---
-Kubernetes Pod UID
-
-
-type: keyword
-
---
-
-*`kubernetes.pod.ip`*::
-+
---
-Kubernetes Pod IP
-
-
-type: ip
-
---
-
-*`kubernetes.namespace`*::
-+
---
-Kubernetes namespace
-
-
-type: keyword
-
---
-
-*`kubernetes.node.name`*::
-+
---
-Kubernetes node name
-
-
-type: keyword
-
---
-
-*`kubernetes.node.hostname`*::
-+
---
-Kubernetes hostname as reported by the node’s kernel
-
-
-type: keyword
-
---
-
-*`kubernetes.labels.*`*::
-+
---
-Kubernetes labels map
-
-
-type: object
-
---
-
-*`kubernetes.annotations.*`*::
-+
---
-Kubernetes annotations map
-
-
-type: object
-
---
-
-*`kubernetes.selectors.*`*::
-+
---
-Kubernetes selectors map
-
-
-type: object
-
---
-
-*`kubernetes.replicaset.name`*::
-+
---
-Kubernetes replicaset name
-
-
-type: keyword
-
---
-
-*`kubernetes.deployment.name`*::
-+
---
-Kubernetes deployment name
-
-
-type: keyword
-
---
-
-*`kubernetes.statefulset.name`*::
-+
---
-Kubernetes statefulset name
-
-
-type: keyword
-
---
-
-*`kubernetes.container.name`*::
-+
---
-Kubernetes container name (different than the name from the runtime)
-
-
-type: keyword
-
---
-
-[[exported-fields-kubernetes]]
-== Kubernetes fields
-
-Kubernetes metrics
-
-
-
-[float]
-=== kubernetes
-
-Information and statistics of pods managed by kubernetes.
-
-
-
-[float]
-=== apiserver
-
-Kubernetes API server metrics
-
-
-
-*`kubernetes.apiserver.major.version`*::
-+
---
-API Server major version.
-
-
-type: keyword
-
---
-
-*`kubernetes.apiserver.minor.version`*::
-+
---
-API Server minor version.
-
-
-type: keyword
-
---
-
-*`kubernetes.apiserver.request.resource`*::
-+
---
-Requested resource
-
-
-type: keyword
-
---
-
-*`kubernetes.apiserver.request.subresource`*::
-+
---
-Requested subresource
-
-
-type: keyword
-
---
-
-*`kubernetes.apiserver.request.scope`*::
-+
---
-Request scope (cluster, namespace, resource)
-
-
-type: keyword
-
---
-
-*`kubernetes.apiserver.request.verb`*::
-+
---
-HTTP verb
-
-
-type: keyword
-
---
-
-*`kubernetes.apiserver.request.code`*::
-+
---
-HTTP code
-
-
-type: keyword
-
---
-
-*`kubernetes.apiserver.request.content_type`*::
-+
---
-Request HTTP content type
-
-
-type: keyword
-
---
-
-*`kubernetes.apiserver.request.dry_run`*::
-+
---
-Wether the request uses dry run
-
-
-type: keyword
-
---
-
-*`kubernetes.apiserver.request.kind`*::
-+
---
-Kind of request
-
-
-type: keyword
-
---
-
-*`kubernetes.apiserver.request.component`*::
-+
---
-Component handling the request
-
-
-type: keyword
-
---
-
-*`kubernetes.apiserver.request.group`*::
-+
---
-API group for the resource
-
-
-type: keyword
-
---
-
-*`kubernetes.apiserver.request.version`*::
-+
---
-version for the group
-
-
-type: keyword
-
---
-
-*`kubernetes.apiserver.request.handler`*::
-+
---
-Request handler
-
-
-type: keyword
-
---
-
-*`kubernetes.apiserver.request.method`*::
-+
---
-HTTP method
-
-
-type: keyword
-
---
-
-*`kubernetes.apiserver.request.host`*::
-+
---
-Request host
-
-
-type: keyword
-
---
-
-
-*`kubernetes.apiserver.process.cpu.sec`*::
-+
---
-CPU seconds
-
-type: double
-
---
-
-*`kubernetes.apiserver.process.memory.resident.bytes`*::
-+
---
-Bytes in resident memory
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.apiserver.process.memory.virtual.bytes`*::
-+
---
-Bytes in virtual memory
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.apiserver.process.fds.open.count`*::
-+
---
-Number of open file descriptors
-
-type: long
-
---
-
-*`kubernetes.apiserver.process.started.sec`*::
-+
---
-Seconds since the process started
-
-type: double
-
---
-
-
-*`kubernetes.apiserver.watch.events.size.bytes.bucket.*`*::
-+
---
-Watch event size distribution in bytes
-
-type: object
-
---
-
-*`kubernetes.apiserver.watch.events.size.bytes.sum`*::
-+
---
-Sum of watch events sizes in bytes
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.apiserver.watch.events.size.bytes.count`*::
-+
---
-Number of watch events
-
-type: long
-
---
-
-*`kubernetes.apiserver.watch.events.kind`*::
-+
---
-Resource kind of the watch event
-
-
-type: keyword
-
---
-
-
-*`kubernetes.apiserver.response.size.bytes.bucket.*`*::
-+
---
-Response size distribution in bytes for each group, version, verb, resource, subresource, scope and component.
-
-
-type: object
-
---
-
-*`kubernetes.apiserver.response.size.bytes.sum`*::
-+
---
-Sum of responses sizes in bytes
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.apiserver.response.size.bytes.count`*::
-+
---
-Number of responses to requests
-
-type: long
-
---
-
-*`kubernetes.apiserver.client.request.count`*::
-+
---
-Number of requests as client
-
-type: long
-
---
-
-
-*`kubernetes.apiserver.request.count`*::
-+
---
-Number of requests
-
-type: long
-
---
-
-*`kubernetes.apiserver.request.duration.us.sum`*::
-+
---
-Request duration, sum in microseconds
-
-type: long
-
---
-
-*`kubernetes.apiserver.request.duration.us.count`*::
-+
---
-Request duration, number of operations
-
-type: long
-
---
-
-*`kubernetes.apiserver.request.duration.us.bucket.*`*::
-+
---
-Response latency distribution, histogram buckets
-
-type: object
-
---
-
-*`kubernetes.apiserver.request.current.count`*::
-+
---
-Inflight requests
-
-type: long
-
---
-
-*`kubernetes.apiserver.request.longrunning.count`*::
-+
---
-Number of requests active long running requests
-
-type: long
-
---
-
-*`kubernetes.apiserver.etcd.object.count`*::
-+
---
-Number of kubernetes objects at etcd
-
-type: long
-
---
-
-*`kubernetes.apiserver.audit.event.count`*::
-+
---
-Number of audit events
-
-type: long
-
---
-
-*`kubernetes.apiserver.audit.rejected.count`*::
-+
---
-Number of audit rejected events
-
-type: long
-
---
-
-[float]
-=== container
-
-kubernetes container metrics
-
-
-
-*`kubernetes.container.start_time`*::
-+
---
-Start time
-
-
-type: date
-
---
-
-[float]
-=== cpu
-
-CPU usage metrics
-
-
-
-
-
-*`kubernetes.container.cpu.usage.core.ns`*::
-+
---
-Container CPU Core usage nanoseconds
-
-
-type: double
-
---
-
-*`kubernetes.container.cpu.usage.nanocores`*::
-+
---
-CPU used nanocores
-
-
-type: double
-
---
-
-*`kubernetes.container.cpu.usage.node.pct`*::
-+
---
-CPU usage as a percentage of the total node allocatable CPU
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`kubernetes.container.cpu.usage.limit.pct`*::
-+
---
-CPU usage as a percentage of the defined limit for the container (or total node allocatable CPU if unlimited). If the container CPU limits are missing and the `node` and `state_node` metricsets are both disabled on that node, this metric will be missing entirely.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-[float]
-=== logs
-
-Logs info
-
-
-
-
-*`kubernetes.container.logs.available.bytes`*::
-+
---
-Logs available capacity in bytes
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.container.logs.capacity.bytes`*::
-+
---
-Logs total capacity in bytes
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.container.logs.used.bytes`*::
-+
---
-Logs used capacity in bytes
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.container.logs.inodes.count`*::
-+
---
-Total available inodes
-
-
-type: double
-
---
-
-*`kubernetes.container.logs.inodes.free`*::
-+
---
-Total free inodes
-
-
-type: double
-
---
-
-*`kubernetes.container.logs.inodes.used`*::
-+
---
-Total used inodes
-
-
-type: double
-
---
-
-
-
-*`kubernetes.container.memory.available.bytes`*::
-+
---
-Total available memory
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.container.memory.usage.bytes`*::
-+
---
-Total memory usage
-
-
-type: double
-
-format: bytes
-
---
-
-*`kubernetes.container.memory.usage.node.pct`*::
-+
---
-Memory usage as a percentage of the total node allocatable memory
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`kubernetes.container.memory.usage.limit.pct`*::
-+
---
-Memory usage as a percentage of the defined limit for the container (or total node allocatable memory if unlimited). If the container Memory limits are missing and the `node` and `state_node` metricsets are both disabled on that node, this metric will be missing entirely.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-
-*`kubernetes.container.memory.rss.bytes`*::
-+
---
-RSS memory usage
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.container.memory.workingset.bytes`*::
-+
---
-Working set memory usage
-
-
-type: double
-
-format: bytes
-
---
-
-*`kubernetes.container.memory.workingset.limit.pct`*::
-+
---
-Working set memory usage as a percentage of the defined limit for the container (or total node allocatable memory if unlimited)
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`kubernetes.container.memory.pagefaults`*::
-+
---
-Number of page faults
-
-
-type: double
-
---
-
-*`kubernetes.container.memory.majorpagefaults`*::
-+
---
-Number of major page faults
-
-
-type: double
-
---
-
-
-
-*`kubernetes.container.rootfs.capacity.bytes`*::
-+
---
-Root filesystem total capacity in bytes
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.container.rootfs.available.bytes`*::
-+
---
-Root filesystem total available in bytes
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.container.rootfs.used.bytes`*::
-+
---
-Root filesystem total used in bytes
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.container.rootfs.inodes.used`*::
-+
---
-Used inodes
-
-
-type: double
-
---
-
-[float]
-=== controllermanager
-
-Controller manager metrics
-
-
-
-*`kubernetes.controllermanager.verb`*::
-+
---
-HTTP verb
-
-
-type: keyword
-
---
-
-*`kubernetes.controllermanager.code`*::
-+
---
-HTTP code
-
-
-type: keyword
-
---
-
-*`kubernetes.controllermanager.method`*::
-+
---
-HTTP method
-
-
-type: keyword
-
---
-
-*`kubernetes.controllermanager.host`*::
-+
---
-HTTP host
-
-
-type: keyword
-
---
-
-*`kubernetes.controllermanager.name`*::
-+
---
-Name for the resource
-
-
-type: keyword
-
---
-
-*`kubernetes.controllermanager.zone`*::
-+
---
-Infrastructure zone
-
-
-type: keyword
-
---
-
-
-*`kubernetes.controllermanager.process.cpu.sec`*::
-+
---
-Total user and system CPU time spent in seconds
-
-type: double
-
---
-
-*`kubernetes.controllermanager.process.memory.resident.bytes`*::
-+
---
-Bytes in resident memory
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.controllermanager.process.memory.virtual.bytes`*::
-+
---
-Bytes in virtual memory
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.controllermanager.process.fds.open.count`*::
-+
---
-Number of open file descriptors
-
-type: long
-
---
-
-*`kubernetes.controllermanager.process.fds.max.count`*::
-+
---
-Limit for open file descriptors
-
-type: long
-
---
-
-*`kubernetes.controllermanager.process.started.sec`*::
-+
---
-Start time of the process since unix epoch in seconds
-
-type: double
-
---
-
-
-*`kubernetes.controllermanager.client.request.count`*::
-+
---
-Number of HTTP requests to API server, broken down by status code, method and host
-
-type: long
-
---
-
-*`kubernetes.controllermanager.client.request.duration.us.sum`*::
-+
---
-Sum of requests latency in microseconds, broken down by verb and host
-
-type: long
-
---
-
-*`kubernetes.controllermanager.client.request.duration.us.count`*::
-+
---
-Number of request duration operations to API server, broken down by verb and host
-
-type: long
-
---
-
-*`kubernetes.controllermanager.client.request.duration.us.bucket.*`*::
-+
---
-Requests latency distribution in histogram buckets, broken down by verb and host
-
-type: object
-
---
-
-*`kubernetes.controllermanager.client.request.size.bytes.sum`*::
-+
---
-Requests size sum in bytes, broken down by verb and host
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.controllermanager.client.request.size.bytes.count`*::
-+
---
-Number of requests, broken down by verb and host
-
-type: long
-
---
-
-*`kubernetes.controllermanager.client.request.size.bytes.bucket.*`*::
-+
---
-Requests size distribution in histogram buckets, broken down by verb and host
-
-type: object
-
---
-
-*`kubernetes.controllermanager.client.response.size.bytes.count`*::
-+
---
-Number of responses, broken down by verb and host
-
-type: long
-
---
-
-*`kubernetes.controllermanager.client.response.size.bytes.sum`*::
-+
---
-Responses size sum in bytes, broken down by verb and host
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.controllermanager.client.response.size.bytes.bucket.*`*::
-+
---
-Responses size distribution in histogram buckets, broken down by verb and host
-
-type: object
-
---
-
-
-*`kubernetes.controllermanager.workqueue.longestrunning.sec`*::
-+
---
-How many seconds has the longest running processor been running, broken down by workqueue name
-
-type: double
-
---
-
-*`kubernetes.controllermanager.workqueue.unfinished.sec`*::
-+
---
-How many seconds of work has done that is in progress and hasn't been considered in the longest running processor, broken down by workqueue name
-
-type: double
-
---
-
-*`kubernetes.controllermanager.workqueue.adds.count`*::
-+
---
-Workqueue add count, broken down by workqueue name
-
-type: long
-
---
-
-*`kubernetes.controllermanager.workqueue.depth.count`*::
-+
---
-Workqueue current depth, broken down by workqueue name
-
-type: long
-
---
-
-*`kubernetes.controllermanager.workqueue.retries.count`*::
-+
---
-Workqueue number of retries, broken down by workqueue name
-
-type: long
-
---
-
-
-*`kubernetes.controllermanager.node.collector.eviction.count`*::
-+
---
-Number of node evictions, broken down by zone
-
-type: long
-
---
-
-*`kubernetes.controllermanager.node.collector.unhealthy.count`*::
-+
---
-Number of unhealthy nodes, broken down by zone
-
-type: long
-
---
-
-*`kubernetes.controllermanager.node.collector.count`*::
-+
---
-Number of nodes, broken down by zone
-
-type: long
-
---
-
-*`kubernetes.controllermanager.node.collector.health.pct`*::
-+
---
-Percentage of healthy nodes, broken down by zone
-
-type: long
-
---
-
-*`kubernetes.controllermanager.leader.is_master`*::
-+
---
-Whether the controller manager instance is leader
-
-
-type: boolean
-
---
-
-[float]
-=== event
-
-The Kubernetes events metricset collects events that are generated by objects running inside of Kubernetes
-
-
-
-*`kubernetes.event.count`*::
-+
---
-Count field records the number of times the particular event has occurred
-
-
-type: long
-
---
-
-
-*`kubernetes.event.timestamp.first_occurrence`*::
-+
---
-Timestamp of first occurrence of event
-
-
-type: date
-
---
-
-*`kubernetes.event.timestamp.last_occurrence`*::
-+
---
-Timestamp of last occurrence of event
-
-
-type: date
-
---
-
-*`kubernetes.event.message`*::
-+
---
-Message recorded for the given event
-
-
-type: text
-
---
-
-*`kubernetes.event.reason`*::
-+
---
-Reason recorded for the given event
-
-
-type: keyword
-
---
-
-*`kubernetes.event.type`*::
-+
---
-Type of the given event
-
-
-type: keyword
-
---
-
-[float]
-=== source
-
-The component reporting this event
-
-
-
-*`kubernetes.event.source.component`*::
-+
---
-Component from which the event is generated
-
-
-type: keyword
-
---
-
-*`kubernetes.event.source.host`*::
-+
---
-Node name on which the event is generated
-
-
-type: keyword
-
---
-
-[float]
-=== metadata
-
-Metadata associated with the given event
-
-
-
-
-*`kubernetes.event.metadata.timestamp.created`*::
-+
---
-Timestamp of creation of the given event
-
-
-type: date
-
---
-
-*`kubernetes.event.metadata.generate_name`*::
-+
---
-Generate name of the event
-
-
-type: keyword
-
---
-
-*`kubernetes.event.metadata.name`*::
-+
---
-Name of the event
-
-
-type: keyword
-
---
-
-*`kubernetes.event.metadata.namespace`*::
-+
---
-Namespace in which event was generated
-
-
-type: keyword
-
---
-
-*`kubernetes.event.metadata.resource_version`*::
-+
---
-Version of the event resource
-
-
-type: keyword
-
---
-
-*`kubernetes.event.metadata.uid`*::
-+
---
-Unique identifier to the event object
-
-
-type: keyword
-
---
-
-*`kubernetes.event.metadata.self_link`*::
-+
---
-URL representing the event
-
-
-type: keyword
-
---
-
-[float]
-=== involved_object
-
-Metadata associated with the given involved object
-
-
-
-*`kubernetes.event.involved_object.api_version`*::
-+
---
-API version of the object
-
-
-type: keyword
-
---
-
-*`kubernetes.event.involved_object.kind`*::
-+
---
-API kind of the object
-
-
-type: keyword
-
---
-
-*`kubernetes.event.involved_object.name`*::
-+
---
-name of the object
-
-
-type: keyword
-
---
-
-*`kubernetes.event.involved_object.resource_version`*::
-+
---
-resource version of the object
-
-
-type: keyword
-
---
-
-*`kubernetes.event.involved_object.uid`*::
-+
---
-UUID version of the object
-
-
-type: keyword
-
---
-
-[float]
-=== node
-
-kubernetes node metrics
-
-
-
-*`kubernetes.node.start_time`*::
-+
---
-Start time
-
-
-type: date
-
---
-
-[float]
-=== cpu
-
-CPU usage metrics
-
-
-
-
-
-*`kubernetes.node.cpu.usage.core.ns`*::
-+
---
-Node CPU Core usage nanoseconds
-
-
-type: double
-
---
-
-*`kubernetes.node.cpu.usage.nanocores`*::
-+
---
-CPU used nanocores
-
-
-type: double
-
---
-
-
-
-*`kubernetes.node.memory.available.bytes`*::
-+
---
-Total available memory
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.node.memory.usage.bytes`*::
-+
---
-Total memory usage
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.node.memory.rss.bytes`*::
-+
---
-RSS memory usage
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.node.memory.workingset.bytes`*::
-+
---
-Working set memory usage
-
-
-type: double
-
-format: bytes
-
---
-
-*`kubernetes.node.memory.pagefaults`*::
-+
---
-Number of page faults
-
-
-type: double
-
---
-
-*`kubernetes.node.memory.majorpagefaults`*::
-+
---
-Number of major page faults
-
-
-type: double
-
---
-
-
-
-*`kubernetes.node.network.rx.bytes`*::
-+
---
-Received bytes on the default interface. If default interface is not defined, will be reported not correct value `0`
-
-
-type: double
-
-format: bytes
-
---
-
-*`kubernetes.node.network.rx.errors`*::
-+
---
-Rx errors on the default interface. If default interface is not defined, will be reported not correct value `0`
-
-
-type: double
-
---
-
-
-*`kubernetes.node.network.tx.bytes`*::
-+
---
-Transmitted bytes on the default interface. If default interface is not defined, will be reported not correct value `0`
-
-
-type: double
-
-format: bytes
-
---
-
-*`kubernetes.node.network.tx.errors`*::
-+
---
-Tx errors on the default interface. If default interface is not defined, will be reported not correct value `0`
-
-
-type: double
-
---
-
-
-
-*`kubernetes.node.fs.capacity.bytes`*::
-+
---
-Filesystem total capacity in bytes
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.node.fs.available.bytes`*::
-+
---
-Filesystem total available in bytes
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.node.fs.used.bytes`*::
-+
---
-Filesystem total used in bytes
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.node.fs.inodes.used`*::
-+
---
-Number of used inodes
-
-
-type: double
-
---
-
-*`kubernetes.node.fs.inodes.count`*::
-+
---
-Number of inodes
-
-
-type: double
-
---
-
-*`kubernetes.node.fs.inodes.free`*::
-+
---
-Number of free inodes
-
-
-type: double
-
---
-
-
-
-
-*`kubernetes.node.runtime.imagefs.capacity.bytes`*::
-+
---
-Image filesystem total capacity in bytes
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.node.runtime.imagefs.available.bytes`*::
-+
---
-Image filesystem total available in bytes
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.node.runtime.imagefs.used.bytes`*::
-+
---
-Image filesystem total used in bytes
-
-
-type: double
-
-format: bytes
-
---
-
-[float]
-=== pod
-
-kubernetes pod metrics
-
-
-
-*`kubernetes.pod.start_time`*::
-+
---
-Start time
-
-
-type: date
-
---
-
-
-
-*`kubernetes.pod.network.rx.bytes`*::
-+
---
-Received bytes
-
-
-type: double
-
-format: bytes
-
---
-
-*`kubernetes.pod.network.rx.errors`*::
-+
---
-Rx errors
-
-
-type: double
-
---
-
-
-*`kubernetes.pod.network.tx.bytes`*::
-+
---
-Transmitted bytes
-
-
-type: double
-
-format: bytes
-
---
-
-*`kubernetes.pod.network.tx.errors`*::
-+
---
-Tx errors
-
-
-type: double
-
---
-
-[float]
-=== cpu
-
-CPU usage metrics
-
-
-
-
-*`kubernetes.pod.cpu.usage.nanocores`*::
-+
---
-CPU used nanocores
-
-
-type: double
-
---
-
-*`kubernetes.pod.cpu.usage.node.pct`*::
-+
---
-CPU usage as a percentage of the total node CPU
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`kubernetes.pod.cpu.usage.limit.pct`*::
-+
---
-CPU usage as a percentage of the defined cpu limits sum of the pod containers. If any container is missing a limit the metric is not emitted.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-
-
-*`kubernetes.pod.memory.usage.bytes`*::
-+
---
-Total memory usage
-
-
-type: double
-
-format: bytes
-
---
-
-*`kubernetes.pod.memory.usage.node.pct`*::
-+
---
-Memory usage as a percentage of the total node allocatable memory
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`kubernetes.pod.memory.usage.limit.pct`*::
-+
---
-Memory usage as a percentage of the defined memory limits sum of the pod containers. If any container is missing a limit the metric is not emitted.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-
-*`kubernetes.pod.memory.available.bytes`*::
-+
---
-Total memory available
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.pod.memory.working_set.bytes`*::
-+
---
-Total working set memory
-
-
-type: double
-
-format: bytes
-
---
-
-*`kubernetes.pod.memory.working_set.limit.pct`*::
-+
---
-Working set memory usage as a percentage of the defined limits sum of the pod containers. If any container is missing a limit the metric is not emitted.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-
-*`kubernetes.pod.memory.rss.bytes`*::
-+
---
-Total resident set size memory
-
-
-type: double
-
-format: bytes
-
---
-
-*`kubernetes.pod.memory.page_faults`*::
-+
---
-Total page faults
-
-
-type: double
-
---
-
-*`kubernetes.pod.memory.major_page_faults`*::
-+
---
-Total major page faults
-
-
-type: double
-
---
-
-[float]
-=== proxy
-
-Kubernetes proxy server metrics
-
-
-
-*`kubernetes.proxy.code`*::
-+
---
-HTTP code
-
-
-type: keyword
-
---
-
-*`kubernetes.proxy.method`*::
-+
---
-HTTP method
-
-
-type: keyword
-
---
-
-*`kubernetes.proxy.host`*::
-+
---
-HTTP host
-
-
-type: keyword
-
---
-
-*`kubernetes.proxy.verb`*::
-+
---
-HTTP verb
-
-
-type: keyword
-
---
-
-
-*`kubernetes.proxy.process.cpu.sec`*::
-+
---
-Total user and system CPU time spent in seconds
-
-type: double
-
---
-
-*`kubernetes.proxy.process.memory.resident.bytes`*::
-+
---
-Bytes in resident memory
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.proxy.process.memory.virtual.bytes`*::
-+
---
-Bytes in virtual memory
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.proxy.process.fds.open.count`*::
-+
---
-Number of open file descriptors
-
-type: long
-
---
-
-*`kubernetes.proxy.process.fds.max.count`*::
-+
---
-Limit for open file descriptors
-
-type: long
-
---
-
-*`kubernetes.proxy.process.started.sec`*::
-+
---
-Start time of the process since unix epoch in seconds
-
-type: double
-
---
-
-
-*`kubernetes.proxy.client.request.count`*::
-+
---
-Number of HTTP requests to API server, broken down by status code, method and host
-
-type: long
-
---
-
-*`kubernetes.proxy.client.request.duration.us.sum`*::
-+
---
-Sum of requests latency in microseconds, broken down by verb and host
-
-type: long
-
---
-
-*`kubernetes.proxy.client.request.duration.us.count`*::
-+
---
-Number of request duration operations to API server, broken down by verb and host
-
-type: long
-
---
-
-*`kubernetes.proxy.client.request.duration.us.bucket.*`*::
-+
---
-Requests latency distribution in histogram buckets, broken down by verb and host
-
-type: object
-
---
-
-*`kubernetes.proxy.client.request.size.bytes.sum`*::
-+
---
-Requests size sum in bytes, broken down by verb and host
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.proxy.client.request.size.bytes.count`*::
-+
---
-Number of requests, broken down by verb and host
-
-type: long
-
---
-
-*`kubernetes.proxy.client.request.size.bytes.bucket.*`*::
-+
---
-Requests size distribution in histogram buckets, broken down by verb and host
-
-type: object
-
---
-
-*`kubernetes.proxy.client.response.size.bytes.count`*::
-+
---
-Number of responses, broken down by verb and host
-
-type: long
-
---
-
-*`kubernetes.proxy.client.response.size.bytes.sum`*::
-+
---
-Responses size sum in bytes, broken down by verb and host
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.proxy.client.response.size.bytes.bucket.*`*::
-+
---
-Responses size distribution in histogram buckets, broken down by verb and host
-
-type: object
-
---
-
-[float]
-=== sync
-
-kubeproxy proxy sync metrics
-
-
-
-*`kubernetes.proxy.sync.rules.duration.us.sum`*::
-+
---
-SyncProxyRules latency sum in microseconds
-
-type: long
-
---
-
-*`kubernetes.proxy.sync.rules.duration.us.count`*::
-+
---
-Number of SyncProxyRules latency operations
-
-type: long
-
---
-
-*`kubernetes.proxy.sync.rules.duration.us.bucket.*`*::
-+
---
-SyncProxyRules latency distribution in histogram buckets
-
-type: object
-
---
-
-*`kubernetes.proxy.sync.networkprogramming.duration.us.sum`*::
-+
---
-Sum of network programming latency in microseconds
-
-type: long
-
---
-
-*`kubernetes.proxy.sync.networkprogramming.duration.us.count`*::
-+
---
-Number of network programming latency operations
-
-type: long
-
---
-
-*`kubernetes.proxy.sync.networkprogramming.duration.us.bucket.*`*::
-+
---
-Network programming latency distribution in histogram buckets
-
-type: object
-
---
-
-[float]
-=== scheduler
-
-Kubernetes scheduler metrics
-
-
-
-*`kubernetes.scheduler.verb`*::
-+
---
-HTTP verb
-
-
-type: keyword
-
---
-
-*`kubernetes.scheduler.host`*::
-+
---
-HTTP host
-
-
-type: keyword
-
---
-
-*`kubernetes.scheduler.code`*::
-+
---
-HTTP code
-
-
-type: keyword
-
---
-
-*`kubernetes.scheduler.method`*::
-+
---
-HTTP method
-
-
-type: keyword
-
---
-
-*`kubernetes.scheduler.queue`*::
-+
---
-Scheduling queue
-
-
-type: keyword
-
---
-
-*`kubernetes.scheduler.event`*::
-+
---
-Scheduling event
-
-
-type: keyword
-
---
-
-*`kubernetes.scheduler.profile`*::
-+
---
-Scheduling profile
-
-
-type: keyword
-
---
-
-*`kubernetes.scheduler.result`*::
-+
---
-Attempt result to schedule pod
-
-
-type: keyword
-
---
-
-*`kubernetes.scheduler.name`*::
-+
---
-Name for the resource
-
-
-type: keyword
-
---
-
-*`kubernetes.scheduler.leader.is_master`*::
-+
---
-Whether the scheduler instance is leader
-
-
-type: boolean
-
---
-
-
-*`kubernetes.scheduler.process.cpu.sec`*::
-+
---
-Total user and system CPU time spent in seconds
-
-type: double
-
---
-
-*`kubernetes.scheduler.process.memory.resident.bytes`*::
-+
---
-Bytes in resident memory
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.scheduler.process.memory.virtual.bytes`*::
-+
---
-Bytes in virtual memory
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.scheduler.process.fds.open.count`*::
-+
---
-Number of open file descriptors
-
-type: long
-
---
-
-*`kubernetes.scheduler.process.fds.max.count`*::
-+
---
-Limit for open file descriptors
-
-type: long
-
---
-
-*`kubernetes.scheduler.process.started.sec`*::
-+
---
-Start time of the process since unix epoch in seconds
-
-type: double
-
---
-
-
-*`kubernetes.scheduler.client.request.count`*::
-+
---
-Number of HTTP requests to API server, broken down by status code, method and host
-
-type: long
-
---
-
-*`kubernetes.scheduler.client.request.duration.us.sum`*::
-+
---
-Sum of requests latency in microseconds, broken down by verb and host
-
-type: long
-
---
-
-*`kubernetes.scheduler.client.request.duration.us.count`*::
-+
---
-Number of request duration operations to API server, broken down by verb and host
-
-type: long
-
---
-
-*`kubernetes.scheduler.client.request.duration.us.bucket.*`*::
-+
---
-Requests latency distribution in histogram buckets, broken down by verb and host
-
-type: object
-
---
-
-*`kubernetes.scheduler.client.request.size.bytes.sum`*::
-+
---
-Requests size sum in bytes, broken down by verb and host
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.scheduler.client.request.size.bytes.count`*::
-+
---
-Number of requests, broken down by verb and host
-
-type: long
-
---
-
-*`kubernetes.scheduler.client.request.size.bytes.bucket.*`*::
-+
---
-Requests size distribution in histogram buckets, broken down by verb and host
-
-type: object
-
---
-
-*`kubernetes.scheduler.client.response.size.bytes.count`*::
-+
---
-Number of responses, broken down by verb and host
-
-type: long
-
---
-
-*`kubernetes.scheduler.client.response.size.bytes.sum`*::
-+
---
-Responses size sum in bytes, broken down by verb and host
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.scheduler.client.response.size.bytes.bucket.*`*::
-+
---
-Responses size distribution in histogram buckets, broken down by verb and host
-
-type: object
-
---
-
-
-*`kubernetes.scheduler.workqueue.longestrunning.sec`*::
-+
---
-How many seconds has the longest running processor been running, broken down by workqueue name
-
-type: double
-
---
-
-*`kubernetes.scheduler.workqueue.unfinished.sec`*::
-+
---
-How many seconds of work has done that is in progress and hasn't been considered in the longest running processor, broken down by workqueue name
-
-type: double
-
---
-
-*`kubernetes.scheduler.workqueue.adds.count`*::
-+
---
-Workqueue add count, broken down by workqueue name
-
-type: long
-
---
-
-*`kubernetes.scheduler.workqueue.depth.count`*::
-+
---
-Workqueue current depth, broken down by workqueue name
-
-type: long
-
---
-
-*`kubernetes.scheduler.workqueue.retries.count`*::
-+
---
-Workqueue number of retries, broken down by workqueue name
-
-type: long
-
---
-
-
-*`kubernetes.scheduler.scheduling.pending.pods.count`*::
-+
---
-Number of current pending pods, broken down by the queue type
-
-type: long
-
---
-
-*`kubernetes.scheduler.scheduling.preemption.victims.bucket.*`*::
-+
---
-Number of preemption victims distribution in histogram buckets
-
-type: object
-
---
-
-*`kubernetes.scheduler.scheduling.preemption.victims.sum`*::
-+
---
-Preemption victims sum
-
-type: long
-
---
-
-*`kubernetes.scheduler.scheduling.preemption.victims.count`*::
-+
---
-Number of preemption victims
-
-type: long
-
---
-
-*`kubernetes.scheduler.scheduling.preemption.attempts.count`*::
-+
---
-Total preemption attempts in the cluster so far
-
-type: long
-
---
-
-*`kubernetes.scheduler.scheduling.attempts.duration.us.bucket.*`*::
-+
---
-Scheduling attempt latency distribution in histogram buckets, broken down by profile and result
-
-type: object
-
---
-
-*`kubernetes.scheduler.scheduling.attempts.duration.us.sum`*::
-+
---
-Sum of scheduling attempt latency in microseconds, broken down by profile and result
-
-type: long
-
---
-
-*`kubernetes.scheduler.scheduling.attempts.duration.us.count`*::
-+
---
-Number of scheduling attempts, broken down by profile and result
-
-type: long
-
---
-
-[float]
-=== container
-
-kubernetes container metrics
-
-
-
-*`kubernetes.container.id`*::
-+
---
-Container id
-
-type: keyword
-
---
-
-
-*`kubernetes.container.status.phase`*::
-+
---
-Container phase (running, waiting, terminated)
-
-
-type: keyword
-
---
-
-*`kubernetes.container.status.ready`*::
-+
---
-Container ready status
-
-
-type: boolean
-
---
-
-*`kubernetes.container.status.restarts`*::
-+
---
-Container restarts count
-
-
-type: integer
-
---
-
-*`kubernetes.container.status.reason`*::
-+
---
-The reason the container is currently in waiting (ContainerCreating, CrashLoopBackoff, ErrImagePull, ImagePullBackoff) or terminated (Completed, ContainerCannotRun, Error, OOMKilled) state.
-
-
-type: keyword
-
---
-
-*`kubernetes.container.status.last_terminated_reason`*::
-+
---
-The last reason the container was in terminated state (Completed, ContainerCannotRun, Error or OOMKilled).
-
-
-type: keyword
-
---
-
-*`kubernetes.container.status.last_terminated_timestamp`*::
-+
---
-Last terminated time (epoch) of the container
-
-
-type: double
-
---
-
-
-*`kubernetes.container.cpu.limit.cores`*::
-+
---
-Container CPU cores limit
-
-
-type: float
-
---
-
-*`kubernetes.container.cpu.request.cores`*::
-+
---
-Container CPU requested cores
-
-
-type: float
-
---
-
-
-*`kubernetes.container.memory.limit.bytes`*::
-+
---
-Container memory limit in bytes
-
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.container.memory.request.bytes`*::
-+
---
-Container requested memory in bytes
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== cronjob
-
-kubernetes cronjob metrics
-
-
-
-*`kubernetes.cronjob.name`*::
-+
---
-Cronjob name
-
-type: keyword
-
---
-
-*`kubernetes.cronjob.schedule`*::
-+
---
-Cronjob schedule
-
-type: keyword
-
---
-
-*`kubernetes.cronjob.concurrency`*::
-+
---
-Concurrency policy
-
-type: keyword
-
---
-
-*`kubernetes.cronjob.active.count`*::
-+
---
-Number of active pods for the cronjob
-
-type: long
-
---
-
-*`kubernetes.cronjob.is_suspended`*::
-+
---
-Whether the cronjob is suspended
-
-type: boolean
-
---
-
-*`kubernetes.cronjob.created.sec`*::
-+
---
-Epoch seconds since the cronjob was created
-
-type: double
-
---
-
-*`kubernetes.cronjob.last_schedule.sec`*::
-+
---
-Epoch seconds for last cronjob run
-
-type: double
-
---
-
-*`kubernetes.cronjob.next_schedule.sec`*::
-+
---
-Epoch seconds for next cronjob run
-
-type: double
-
---
-
-*`kubernetes.cronjob.deadline.sec`*::
-+
---
-Deadline seconds after schedule for considering failed
-
-type: long
-
---
-
-[float]
-=== daemonset
-
-Kubernetes DaemonSet metrics
-
-
-
-*`kubernetes.daemonset.name`*::
-+
---
-type: keyword
-
---
-
-[float]
-=== replicas
-
-Kubernetes DaemonSet replica metrics
-
-
-
-*`kubernetes.daemonset.replicas.available`*::
-+
---
-The number of available replicas per DaemonSet
-
-
-type: long
-
---
-
-*`kubernetes.daemonset.replicas.desired`*::
-+
---
-The desired number of replicas per DaemonSet
-
-
-type: long
-
---
-
-*`kubernetes.daemonset.replicas.ready`*::
-+
---
-The number of ready replicas per DaemonSet
-
-
-type: long
-
---
-
-*`kubernetes.daemonset.replicas.unavailable`*::
-+
---
-The number of unavailable replicas per DaemonSet
-
-
-type: long
-
---
-
-[float]
-=== deployment
-
-kubernetes deployment metrics
-
-
-
-*`kubernetes.deployment.paused`*::
-+
---
-Kubernetes deployment paused status
-
-
-type: boolean
-
---
-
-
-*`kubernetes.deployment.status.available`*::
-+
---
-Deployment Available Condition status (true, false or unknown)
-
-
-type: keyword
-
---
-
-*`kubernetes.deployment.status.progressing`*::
-+
---
-Deployment Progresing Condition status (true, false or unknown)
-
-type: keyword
-
---
-
-[float]
-=== replicas
-
-Kubernetes deployment replicas info
-
-
-
-*`kubernetes.deployment.replicas.desired`*::
-+
---
-Deployment number of desired replicas (spec)
-
-
-type: integer
-
---
-
-*`kubernetes.deployment.replicas.available`*::
-+
---
-Deployment available replicas
-
-
-type: integer
-
---
-
-*`kubernetes.deployment.replicas.unavailable`*::
-+
---
-Deployment unavailable replicas
-
-
-type: integer
-
---
-
-*`kubernetes.deployment.replicas.updated`*::
-+
---
-Deployment updated replicas
-
-
-type: integer
-
---
-
-[float]
-=== job
-
-Kubernetes job metrics
-
-
-
-*`kubernetes.job.name`*::
-+
---
-The name of the job resource
-
-
-type: keyword
-
---
-
-[float]
-=== pods
-
-Pod metrics for the job
-
-
-
-*`kubernetes.job.pods.active`*::
-+
---
-Number of active pods
-
-
-type: long
-
---
-
-*`kubernetes.job.pods.failed`*::
-+
---
-Number of failed pods
-
-
-type: long
-
---
-
-*`kubernetes.job.pods.succeeded`*::
-+
---
-Number of successful pods
-
-
-type: long
-
---
-
-[float]
-=== time
-
-Kubernetes job timestamps
-
-
-
-*`kubernetes.job.time.created`*::
-+
---
-The time at which the job was created
-
-
-type: date
-
---
-
-*`kubernetes.job.time.completed`*::
-+
---
-The time at which the job completed
-
-
-type: date
-
---
-
-[float]
-=== completions
-
-Kubernetes job completion settings
-
-
-
-*`kubernetes.job.completions.desired`*::
-+
---
-The configured completion count for the job (Spec)
-
-
-type: long
-
---
-
-[float]
-=== parallelism
-
-Kubernetes job parallelism settings
-
-
-
-*`kubernetes.job.parallelism.desired`*::
-+
---
-The configured parallelism of the job (Spec)
-
-
-type: long
-
---
-
-[float]
-=== owner
-
-Kubernetes job owner information
-
-
-
-*`kubernetes.job.owner.name`*::
-+
---
-The name of the resource that owns this job
-
-
-type: keyword
-
---
-
-*`kubernetes.job.owner.kind`*::
-+
---
-The kind of resource that owns this job (eg. "CronJob")
-
-
-type: keyword
-
---
-
-*`kubernetes.job.owner.is_controller`*::
-+
---
-Owner is controller ("true", "false", or "<none>")
-
-
-type: keyword
-
---
-
-[float]
-=== status
-
-Kubernetes job status information
-
-
-
-*`kubernetes.job.status.complete`*::
-+
---
-Whether the job completed ("true", "false", or "unknown")
-
-
-type: keyword
-
---
-
-*`kubernetes.job.status.failed`*::
-+
---
-Whether the job failed ("true", "false", or "unknown")
-
-
-type: keyword
-
---
-
-[float]
-=== state_namespace
-
-Kubernetes namespace metrics.
-
-
-
-*`kubernetes.state_namespace.created.sec`*::
-+
---
-Unix creation timestamp.
-
-
-type: double
-
---
-
-
-*`kubernetes.state_namespace.status.active`*::
-+
---
-Whether the namespace is active (true or false).
-
-type: boolean
-
---
-
-*`kubernetes.state_namespace.status.terminating`*::
-+
---
-Whether the namespace is terminating (true or false).
-
-type: boolean
-
---
-
-[float]
-=== node
-
-kubernetes node metrics
-
-
-
-
-*`kubernetes.node.status.ready`*::
-+
---
-Node ready status (true, false or unknown)
-
-
-type: keyword
-
---
-
-*`kubernetes.node.status.unschedulable`*::
-+
---
-Node unschedulable status
-
-
-type: boolean
-
---
-
-*`kubernetes.node.status.memory_pressure`*::
-+
---
-Node MemoryPressure status (true, false or unknown)
-
-
-type: keyword
-
---
-
-*`kubernetes.node.status.disk_pressure`*::
-+
---
-Node DiskPressure status (true, false or unknown)
-
-
-type: keyword
-
---
-
-*`kubernetes.node.status.out_of_disk`*::
-+
---
-Node OutOfDisk status (true, false or unknown)
-
-
-type: keyword
-
---
-
-*`kubernetes.node.status.pid_pressure`*::
-+
---
-Node PIDPressure status (true, false or unknown)
-
-
-type: keyword
-
---
-
-*`kubernetes.node.status.network_unavailable`*::
-+
---
-Node NetworkUnavailable status (true, false or unknown)
-
-
-type: keyword
-
---
-
-
-*`kubernetes.node.cpu.allocatable.cores`*::
-+
---
-The allocatable CPU cores of a node that are available for pods scheduling
-
-
-type: float
-
---
-
-*`kubernetes.node.cpu.capacity.cores`*::
-+
---
-Node CPU capacity cores
-
-
-type: long
-
---
-
-
-*`kubernetes.node.memory.allocatable.bytes`*::
-+
---
-The allocatable memory of a node in bytes that is available for pods scheduling
-
-
-type: long
-
-format: bytes
-
---
-
-*`kubernetes.node.memory.capacity.bytes`*::
-+
---
-Node memory capacity in bytes
-
-
-type: long
-
-format: bytes
-
---
-
-
-*`kubernetes.node.pod.allocatable.total`*::
-+
---
-Node allocatable pods
-
-
-type: long
-
---
-
-*`kubernetes.node.pod.capacity.total`*::
-+
---
-Node pod capacity
-
-
-type: long
-
---
-
-*`kubernetes.node.kubelet.version`*::
-+
---
-Kubelet version.
-
-
-type: keyword
-
---
-
-[float]
-=== persistentvolume
-
-kubernetes persistent volume metrics from kube-state-metrics
-
-
-
-*`kubernetes.persistentvolume.name`*::
-+
---
-Volume name.
-
-type: keyword
-
---
-
-*`kubernetes.persistentvolume.capacity.bytes`*::
-+
---
-Volume capacity
-
-type: long
-
---
-
-*`kubernetes.persistentvolume.phase`*::
-+
---
-Volume phase according to kubernetes
-
-type: keyword
-
---
-
-*`kubernetes.persistentvolume.storage_class`*::
-+
---
-Storage class for the volume
-
-type: keyword
-
---
-
-[float]
-=== persistentvolumeclaim
-
-kubernetes persistent volume claim metrics from kube-state-metrics
-
-
-
-*`kubernetes.persistentvolumeclaim.name`*::
-+
---
-PVC name.
-
-type: keyword
-
---
-
-*`kubernetes.persistentvolumeclaim.volume_name`*::
-+
---
-Binded volume name.
-
-type: keyword
-
---
-
-*`kubernetes.persistentvolumeclaim.request_storage.bytes`*::
-+
---
-Requested capacity.
-
-type: long
-
---
-
-*`kubernetes.persistentvolumeclaim.phase`*::
-+
---
-PVC phase.
-
-type: keyword
-
---
-
-*`kubernetes.persistentvolumeclaim.access_mode`*::
-+
---
-Access mode.
-
-type: keyword
-
---
-
-*`kubernetes.persistentvolumeclaim.storage_class`*::
-+
---
-Storage class for the PVC.
-
-type: keyword
-
---
-
-*`kubernetes.persistentvolumeclaim.created`*::
-+
---
-PersistentVolumeClaim creation date
-
-type: date
-
---
-
-[float]
-=== pod
-
-kubernetes pod metrics
-
-
-
-*`kubernetes.pod.host_ip`*::
-+
---
-Kubernetes pod host IP
-
-
-type: ip
-
---
-
-[float]
-=== status
-
-Kubernetes pod status metrics
-
-
-
-*`kubernetes.pod.status.phase`*::
-+
---
-Kubernetes pod phase (Running, Pending...)
-
-
-type: keyword
-
---
-
-*`kubernetes.pod.status.ready`*::
-+
---
-Kubernetes pod ready status (true, false or unknown)
-
-
-type: keyword
-
---
-
-*`kubernetes.pod.status.scheduled`*::
-+
---
-Kubernetes pod scheduled status (true, false, unknown)
-
-
-type: keyword
-
---
-
-*`kubernetes.pod.status.reason`*::
-+
---
-The reason the pod is in its current state (Evicted, NodeAffinity, NodeLost, Shutdown or UnexpectedAdmissionError)
-
-
-type: keyword
-
---
-
-*`kubernetes.pod.status.ready_time`*::
-+
---
-Readiness achieved time in unix timestamp for a pod 
-
-
-type: double
-
---
-
-[float]
-=== replicaset
-
-kubernetes replica set metrics
-
-
-
-[float]
-=== replicas
-
-Kubernetes replica set paused status
-
-
-
-*`kubernetes.replicaset.replicas.available`*::
-+
---
-The number of replicas per ReplicaSet
-
-
-type: long
-
---
-
-*`kubernetes.replicaset.replicas.desired`*::
-+
---
-The number of replicas per ReplicaSet
-
-
-type: long
-
---
-
-*`kubernetes.replicaset.replicas.ready`*::
-+
---
-The number of ready replicas per ReplicaSet
-
-
-type: long
-
---
-
-*`kubernetes.replicaset.replicas.observed`*::
-+
---
-The generation observed by the ReplicaSet controller
-
-
-type: long
-
---
-
-*`kubernetes.replicaset.replicas.labeled`*::
-+
---
-The number of fully labeled replicas per ReplicaSet
-
-
-type: long
-
---
-
-[float]
-=== resourcequota
-
-kubernetes resourcequota metrics
-
-
-
-*`kubernetes.resourcequota.created.sec`*::
-+
---
-Epoch seconds since the ResourceQuota was created
-
-type: double
-
---
-
-*`kubernetes.resourcequota.quota`*::
-+
---
-Quota informed (hard or used) for the resource
-
-type: double
-
---
-
-*`kubernetes.resourcequota.name`*::
-+
---
-ResourceQuota name
-
-type: keyword
-
---
-
-*`kubernetes.resourcequota.type`*::
-+
---
-Quota information type, `hard` or `used`
-
-type: keyword
-
---
-
-*`kubernetes.resourcequota.resource`*::
-+
---
-Resource name the quota applies to
-
-type: keyword
-
---
-
-[float]
-=== service
-
-kubernetes service metrics
-
-
-
-*`kubernetes.service.name`*::
-+
---
-Service name.
-
-type: keyword
-
---
-
-*`kubernetes.service.cluster_ip`*::
-+
---
-Internal IP for the service.
-
-type: keyword
-
---
-
-*`kubernetes.service.external_name`*::
-+
---
-Service external DNS name
-
-type: keyword
-
---
-
-*`kubernetes.service.external_ip`*::
-+
---
-Service external IP
-
-type: keyword
-
---
-
-*`kubernetes.service.load_balancer_ip`*::
-+
---
-Load Balancer service IP
-
-type: keyword
-
---
-
-*`kubernetes.service.type`*::
-+
---
-Service type
-
-type: keyword
-
---
-
-*`kubernetes.service.ingress_ip`*::
-+
---
-Ingress IP
-
-type: keyword
-
---
-
-*`kubernetes.service.ingress_hostname`*::
-+
---
-Ingress Hostname
-
-type: keyword
-
---
-
-*`kubernetes.service.created`*::
-+
---
-Service creation date
-
-type: date
-
---
-
-[float]
-=== statefulset
-
-kubernetes stateful set metrics
-
-
-
-*`kubernetes.statefulset.created`*::
-+
---
-The creation timestamp (epoch) for StatefulSet
-
-
-type: long
-
---
-
-[float]
-=== replicas
-
-Kubernetes stateful set replicas status
-
-
-
-*`kubernetes.statefulset.replicas.observed`*::
-+
---
-The number of observed replicas per StatefulSet
-
-
-type: long
-
---
-
-*`kubernetes.statefulset.replicas.desired`*::
-+
---
-The number of desired replicas per StatefulSet
-
-
-type: long
-
---
-
-*`kubernetes.statefulset.replicas.ready`*::
-+
---
-The number of ready replicas per StatefulSet
-
-
-type: long
-
---
-
-[float]
-=== generation
-
-Kubernetes stateful set generation information
-
-
-
-*`kubernetes.statefulset.generation.observed`*::
-+
---
-The observed generation per StatefulSet
-
-
-type: long
-
---
-
-*`kubernetes.statefulset.generation.desired`*::
-+
---
-The desired generation per StatefulSet
-
-
-type: long
-
---
-
-[float]
-=== storageclass
-
-kubernetes storage class metrics
-
-
-
-*`kubernetes.storageclass.name`*::
-+
---
-Storage class name.
-
-type: keyword
-
---
-
-*`kubernetes.storageclass.provisioner`*::
-+
---
-Volume provisioner for the storage class.
-
-type: keyword
-
---
-
-*`kubernetes.storageclass.reclaim_policy`*::
-+
---
-Reclaim policy for dynamically created volumes
-
-type: keyword
-
---
-
-*`kubernetes.storageclass.volume_binding_mode`*::
-+
---
-Mode for default provisioning and binding
-
-type: keyword
-
---
-
-*`kubernetes.storageclass.created`*::
-+
---
-Storage class creation date
-
-type: date
-
---
-
-[float]
-=== system
-
-kubernetes system containers metrics
-
-
-
-*`kubernetes.system.container`*::
-+
---
-Container name
-
-
-type: keyword
-
---
-
-*`kubernetes.system.start_time`*::
-+
---
-Start time
-
-
-type: date
-
---
-
-[float]
-=== cpu
-
-CPU usage metrics
-
-
-
-
-
-*`kubernetes.system.cpu.usage.core.ns`*::
-+
---
-CPU Core usage nanoseconds
-
-
-type: double
-
---
-
-*`kubernetes.system.cpu.usage.nanocores`*::
-+
---
-CPU used nanocores
-
-
-type: double
-
---
-
-
-
-*`kubernetes.system.memory.usage.bytes`*::
-+
---
-Total memory usage
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.system.memory.rss.bytes`*::
-+
---
-RSS memory usage
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.system.memory.workingset.bytes`*::
-+
---
-Working set memory usage
-
-
-type: double
-
-format: bytes
-
---
-
-*`kubernetes.system.memory.pagefaults`*::
-+
---
-Number of page faults
-
-
-type: double
-
---
-
-*`kubernetes.system.memory.majorpagefaults`*::
-+
---
-Number of major page faults
-
-
-type: double
-
---
-
-[float]
-=== volume
-
-kubernetes volume metrics
-
-
-
-*`kubernetes.volume.name`*::
-+
---
-Volume name
-
-
-type: keyword
-
---
-
-
-
-*`kubernetes.volume.fs.capacity.bytes`*::
-+
---
-Filesystem total capacity in bytes
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.volume.fs.available.bytes`*::
-+
---
-Filesystem total available in bytes
-
-
-type: double
-
-format: bytes
-
---
-
-
-*`kubernetes.volume.fs.used.bytes`*::
-+
---
-Filesystem total used in bytes
-
-
-type: double
-
-format: bytes
-
---
-
-*`kubernetes.volume.fs.used.pct`*::
-+
---
-Percentage of used storage
-
-
-type: scaled_float
-
-format: percent
-
---
-
-
-*`kubernetes.volume.fs.inodes.used`*::
-+
---
-Used inodes
-
-
-type: double
-
---
-
-*`kubernetes.volume.fs.inodes.free`*::
-+
---
-Free inodes
-
-
-type: double
-
---
-
-*`kubernetes.volume.fs.inodes.count`*::
-+
---
-Total inodes
-
-
-type: double
-
---
-
-*`kubernetes.volume.fs.inodes.pct`*::
-+
---
-Percentage of used inodes
-
-
-type: scaled_float
-
-format: percent
-
---
-
-[[exported-fields-kvm]]
-== KVM fields
-
-kvm module
-
-
-
-*`kvm.id`*::
-+
---
-Domain id
-
-
-type: long
-
---
-
-*`kvm.name`*::
-+
---
-Domain name
-
-
-type: keyword
-
---
-
-[float]
-=== kvm
-
-
-
-
-[float]
-=== dommemstat
-
-dommemstat
-
-
-
-[float]
-=== stat
-
-Memory stat
-
-
-
-*`kvm.dommemstat.stat.name`*::
-+
---
-Memory stat name
-
-
-type: keyword
-
---
-
-*`kvm.dommemstat.stat.value`*::
-+
---
-Memory stat value
-
-
-type: long
-
---
-
-*`kvm.dommemstat.id`*::
-+
---
-Domain id
-
-
-type: long
-
---
-
-*`kvm.dommemstat.name`*::
-+
---
-Domain name
-
-
-type: keyword
-
---
-
-[float]
-=== status
-
-status
-
-
-
-*`kvm.status.state`*::
-+
---
-Domain state
-
-
-type: keyword
-
---
-
-[[exported-fields-linux]]
-== Linux fields
-
-linux module
-
-
-
-[float]
-=== linux
-
-linux system metrics
-
-
-
-[float]
-=== conntrack
-
-conntrack
-
-
-
-[float]
-=== summary
-
-summary of nf_conntrack statistics, summed across CPU cores
-
-
-
-*`linux.conntrack.summary.drop`*::
-+
---
-packets dropped due to conntrack failiure
-
-
-type: long
-
---
-
-*`linux.conntrack.summary.early_drop`*::
-+
---
-conntrack entries dropped to make room for new ones
-
-
-type: long
-
---
-
-*`linux.conntrack.summary.entries`*::
-+
---
-entries in the conntrack table
-
-
-type: long
-
---
-
-*`linux.conntrack.summary.found`*::
-+
---
-successfully searched entries
-
-
-type: long
-
---
-
-*`linux.conntrack.summary.ignore`*::
-+
---
-packets seen already connected to a conntrack entry
-
-
-type: long
-
---
-
-*`linux.conntrack.summary.insert_failed`*::
-+
---
-Number of entries where list insert insert failed 
-
-
-type: long
-
---
-
-*`linux.conntrack.summary.invalid`*::
-+
---
-packets seen that cannot be tracked
-
-
-type: long
-
---
-
-*`linux.conntrack.summary.search_restart`*::
-+
---
-table lookups which had to be restarted due to table resizes
-
-
-type: long
-
---
-
-[float]
-=== iostat
-
-iostat
-
-
-
-*`linux.iostat.read.request.merges_per_sec`*::
-+
---
-The number of read requests merged per second that were queued to the device.
-
-
-type: float
-
---
-
-*`linux.iostat.write.request.merges_per_sec`*::
-+
---
-The number of write requests merged per second that were queued to the device.
-
-
-type: float
-
---
-
-*`linux.iostat.read.request.per_sec`*::
-+
---
-The number of read requests that were issued to the device per second
-
-
-type: float
-
---
-
-*`linux.iostat.write.request.per_sec`*::
-+
---
-The number of write requests that were issued to the device per second
-
-
-type: float
-
---
-
-*`linux.iostat.read.per_sec.bytes`*::
-+
---
-The number of Bytes read from the device per second.
-
-
-type: float
-
-format: bytes
-
---
-
-*`linux.iostat.read.await`*::
-+
---
-The average time spent for read requests issued to the device to be served.
-
-
-type: float
-
---
-
-*`linux.iostat.write.per_sec.bytes`*::
-+
---
-The number of Bytes write from the device per second.
-
-
-type: float
-
-format: bytes
-
---
-
-*`linux.iostat.write.await`*::
-+
---
-The average time spent for write requests issued to the device to be served.
-
-
-type: float
-
---
-
-*`linux.iostat.request.avg_size`*::
-+
---
-The average size (in bytes) of the requests that were issued to the device.
-
-
-type: float
-
---
-
-*`linux.iostat.queue.avg_size`*::
-+
---
-The average queue length of the requests that were issued to the device.
-
-
-type: float
-
---
-
-*`linux.iostat.await`*::
-+
---
-The average time spent for requests issued to the device to be served.
-
-
-type: float
-
---
-
-*`linux.iostat.service_time`*::
-+
---
-The average service time (in milliseconds) for I/O requests that were issued to the device.
-
-
-type: float
-
---
-
-*`linux.iostat.busy`*::
-+
---
-Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%.
-
-
-type: float
-
---
-
-[float]
-=== ksm
-
-ksm
-
-
-
-[float]
-=== stats
-
-KSM statistics
-
-
-
-*`linux.ksm.stats.pages_shared`*::
-+
---
-Shared pages in use.
-
-
-type: long
-
---
-
-*`linux.ksm.stats.pages_sharing`*::
-+
---
-Sites sharing pages.
-
-
-type: long
-
---
-
-*`linux.ksm.stats.pages_unshared`*::
-+
---
-Unique pages.
-
-
-type: long
-
---
-
-*`linux.ksm.stats.full_scans`*::
-+
---
-Number of times mergable pages have been scanned.
-
-
-type: long
-
---
-
-*`linux.ksm.stats.stable_node_chains`*::
-+
---
-Pages that have reached max_page_sharing.
-
-
-type: long
-
---
-
-*`linux.ksm.stats.stable_node_dups`*::
-+
---
-Number of duplicated KSM pages.
-
-
-type: long
-
---
-
-[float]
-=== memory
-
-Linux memory data
-
-
-
-[float]
-=== page_stats
-
-memory page statistics
-
-
-*`linux.memory.page_stats.pgscan_kswapd.pages`*::
-+
---
-pages scanned by kswapd
-
-type: long
-
-format: number
-
---
-
-*`linux.memory.page_stats.pgscan_direct.pages`*::
-+
---
-pages scanned directly
-
-type: long
-
-format: number
-
---
-
-*`linux.memory.page_stats.pgfree.pages`*::
-+
---
-pages freed by the system
-
-type: long
-
-format: number
-
---
-
-*`linux.memory.page_stats.pgsteal_kswapd.pages`*::
-+
---
-number of pages reclaimed by kswapd
-
-type: long
-
-format: number
-
---
-
-*`linux.memory.page_stats.pgsteal_direct.pages`*::
-+
---
-number of pages reclaimed directly
-
-type: long
-
-format: number
-
---
-
-*`linux.memory.page_stats.direct_efficiency.pct`*::
-+
---
-direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory.
-
-type: scaled_float
-
-format: percent
-
---
-
-*`linux.memory.page_stats.kswapd_efficiency.pct`*::
-+
---
-kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory.
-
-type: scaled_float
-
-format: percent
-
---
-
-[float]
-=== hugepages
-
-This group contains statistics related to huge pages usage on the system.
-
-
-*`linux.memory.hugepages.total`*::
-+
---
-Number of huge pages in the pool.
-
-
-type: long
-
-format: number
-
---
-
-*`linux.memory.hugepages.used.bytes`*::
-+
---
-Memory used in allocated huge pages.
-
-
-type: long
-
-format: bytes
-
---
-
-*`linux.memory.hugepages.used.pct`*::
-+
---
-Percentage of huge pages used.
-
-
-type: long
-
-format: percent
-
---
-
-*`linux.memory.hugepages.free`*::
-+
---
-Number of available huge pages in the pool.
-
-
-type: long
-
-format: number
-
---
-
-*`linux.memory.hugepages.reserved`*::
-+
---
-Number of reserved but not allocated huge pages in the pool.
-
-
-type: long
-
-format: number
-
---
-
-*`linux.memory.hugepages.surplus`*::
-+
---
-Number of overcommited huge pages.
-
-
-type: long
-
-format: number
-
---
-
-*`linux.memory.hugepages.default_size`*::
-+
---
-Default size for huge pages.
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== swap
-
-This group contains statistics related to the swap memory usage on the system.
-
-
-*`linux.memory.swap.total`*::
-+
---
-Total swap memory.
-
-
-type: long
-
-format: bytes
-
---
-
-*`linux.memory.swap.used.bytes`*::
-+
---
-Used swap memory.
-
-
-type: long
-
-format: bytes
-
---
-
-*`linux.memory.swap.free`*::
-+
---
-Available swap memory.
-
-
-type: long
-
-format: bytes
-
---
-
-*`linux.memory.swap.used.pct`*::
-+
---
-The percentage of used swap memory.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`linux.memory.swap.in.pages`*::
-+
---
-Pages swapped in.
-
-
-type: long
-
---
-
-*`linux.memory.swap.out.pages`*::
-+
---
-Pages swapped out.
-
-
-type: long
-
---
-
-*`linux.memory.swap.readahead.cached`*::
-+
---
-Swap readahead pages hit from swap_ra_hit.
-
-
-type: long
-
---
-
-*`linux.memory.swap.readahead.pages`*::
-+
---
-Pages swapped based on readahead predictions.
-
-
-type: long
-
---
-
-[float]
-=== pageinfo
-
-pageinfo
-
-
-
-[float]
-=== buddy_info
-
-Data from /proc/buddyinfo grouping used pages by order
-
-
-
-[float]
-=== DMA
-
-DMA page Data
-
-
-
-*`linux.pageinfo.buddy_info.DMA.0`*::
-+
---
-free chunks of 2^0*PAGE_SIZE
-
-
-type: long
-
---
-
-*`linux.pageinfo.buddy_info.DMA.1`*::
-+
---
-free chunks of 2^1*PAGE_SIZE
-
-
-type: long
-
---
-
-*`linux.pageinfo.buddy_info.DMA.2`*::
-+
---
-free chunks of 2^2*PAGE_SIZE
-
-
-type: long
-
---
-
-*`linux.pageinfo.buddy_info.DMA.3`*::
-+
---
-free chunks of 2^3*PAGE_SIZE
-
-
-type: long
-
---
-
-*`linux.pageinfo.buddy_info.DMA.4`*::
-+
---
-free chunks of 2^4*PAGE_SIZE
-
-
-type: long
-
---
-
-*`linux.pageinfo.buddy_info.DMA.5`*::
-+
---
-free chunks of 2^5*PAGE_SIZE
-
-
-type: long
-
---
-
-*`linux.pageinfo.buddy_info.DMA.6`*::
-+
---
-free chunks of 2^6*PAGE_SIZE
-
-
-type: long
-
---
-
-*`linux.pageinfo.buddy_info.DMA.7`*::
-+
---
-free chunks of 2^7*PAGE_SIZE
-
-
-type: long
-
---
-
-*`linux.pageinfo.buddy_info.DMA.8`*::
-+
---
-free chunks of 2^8*PAGE_SIZE
-
-
-type: long
-
---
-
-*`linux.pageinfo.buddy_info.DMA.9`*::
-+
---
-free chunks of 2^9*PAGE_SIZE
-
-
-type: long
-
---
-
-*`linux.pageinfo.buddy_info.DMA.10`*::
-+
---
-free chunks of 2^10*PAGE_SIZE
-
-
-type: long
-
---
-
-*`linux.pageinfo.nodes.*`*::
-+
---
-Raw allocation info from /proc/pagetypeinfo
-
-
-type: object
-
---
-
-[float]
-=== pressure
-
-Linux pressure stall information metrics for cpu, memory, and io
-
-
-*`linux.pressure.cpu.some.10.pct`*::
-+
---
-The average share of time in which at least some tasks were stalled on CPU over a ten second window.
-
-
-type: float
-
-format: percent
-
---
-
-*`linux.pressure.cpu.some.60.pct`*::
-+
---
-The average share of time in which at least some tasks were stalled on CPU over a sixty second window.
-
-
-type: float
-
-format: percent
-
---
-
-*`linux.pressure.cpu.some.300.pct`*::
-+
---
-The average share of time in which at least some tasks were stalled on CPU over a three hundred second window.
-
-
-type: float
-
-format: percent
-
---
-
-*`linux.pressure.cpu.some.total.time.us`*::
-+
---
-The total absolute stall time (in microseconds) in which at least some tasks were stalled on CPU.
-
-
-type: long
-
---
-
-*`linux.pressure.memory.some.10.pct`*::
-+
---
-The average share of time in which at least some tasks were stalled on Memory over a ten second window.
-
-
-type: float
-
-format: percent
-
---
-
-*`linux.pressure.memory.some.60.pct`*::
-+
---
-The average share of time in which at least some tasks were stalled on Memory over a sixty second window.
-
-
-type: float
-
-format: percent
-
---
-
-*`linux.pressure.memory.some.300.pct`*::
-+
---
-The average share of time in which at least some tasks were stalled on Memory over a three hundred second window.
-
-
-type: float
-
-format: percent
-
---
-
-*`linux.pressure.memory.some.total.time.us`*::
-+
---
-The total absolute stall time (in microseconds) in which at least some tasks were stalled on memory.
-
-
-type: long
-
---
-
-*`linux.pressure.memory.full.10.pct`*::
-+
---
-The average share of time in which in which all non-idle tasks were stalled on memory simultaneously over a ten second window.
-
-
-type: float
-
-format: percent
-
---
-
-*`linux.pressure.memory.full.60.pct`*::
-+
---
-The average share of time in which in which all non-idle tasks were stalled on memory simultaneously over a sixty second window.
-
-
-type: float
-
-format: percent
-
---
-
-*`linux.pressure.memory.full.300.pct`*::
-+
---
-The average share of time in which in which all non-idle tasks were stalled on memory simultaneously over a three hundred second window.
-
-
-type: float
-
-format: percent
-
---
-
-*`linux.pressure.memory.full.total.time.us`*::
-+
---
-The total absolute stall time (in microseconds) in which in which all non-idle tasks were stalled on memory.
-
-
-type: long
-
---
-
-*`linux.pressure.io.some.10.pct`*::
-+
---
-The average share of time in which at least some tasks were stalled on io over a ten second window.
-
-
-type: float
-
-format: percent
-
---
-
-*`linux.pressure.io.some.60.pct`*::
-+
---
-The average share of time in which at least some tasks were stalled on io over a sixty second window.
-
-
-type: float
-
-format: percent
-
---
-
-*`linux.pressure.io.some.300.pct`*::
-+
---
-The average share of time in which at least some tasks were stalled on io over a three hundred second window.
-
-
-type: float
-
-format: percent
-
---
-
-*`linux.pressure.io.some.total.time.us`*::
-+
---
-The total absolute stall time (in microseconds) in which at least some tasks were stalled on io.
-
-
-type: long
-
---
-
-*`linux.pressure.io.full.10.pct`*::
-+
---
-The average share of time in which in which all non-idle tasks were stalled on io simultaneously over a ten second window.
-
-
-type: float
-
-format: percent
-
---
-
-*`linux.pressure.io.full.60.pct`*::
-+
---
-The average share of time in which in which all non-idle tasks were stalled on io simultaneously over a sixty second window.
-
-
-type: float
-
-format: percent
-
---
-
-*`linux.pressure.io.full.300.pct`*::
-+
---
-The average share of time in which in which all non-idle tasks were stalled on io simultaneously over a three hundred second window.
-
-
-type: float
-
-format: percent
-
---
-
-*`linux.pressure.io.full.total.time.us`*::
-+
---
-The total absolute stall time (in microseconds) in which in which all non-idle tasks were stalled on io.
-
-
-type: long
-
---
-
-[float]
-=== rapl
-
-Wattage as reported by Intel RAPL
-
-
-
-*`linux.rapl.core`*::
-+
---
-The core where the RAPL request originated from. Only one core is queried per hardware CPU.
-
-
-type: long
-
---
-
-*`linux.rapl.dram.watts`*::
-+
---
-Power usage in watts on the DRAM RAPL domain
-
-
-type: float
-
---
-
-*`linux.rapl.dram.joules`*::
-+
---
-Raw power usage counter for the DRAM domain
-
-
-type: float
-
---
-
-*`linux.rapl.pp0.watts`*::
-+
---
-Power usage in watts on the PP0 RAPL domain
-
-
-type: float
-
---
-
-*`linux.rapl.pp0.joules`*::
-+
---
-Raw power usage counter for the PP0 domain
-
-
-type: float
-
---
-
-*`linux.rapl.pp1.watts`*::
-+
---
-Power usage in watts on the PP1 RAPL domain
-
-
-type: float
-
---
-
-*`linux.rapl.pp1.joules`*::
-+
---
-Raw power usage counter for the PP1 domain
-
-
-type: float
-
---
-
-*`linux.rapl.package.watts`*::
-+
---
-Power usage in watts on the Package RAPL domain
-
-
-type: float
-
---
-
-*`linux.rapl.package.joules`*::
-+
---
-Raw power usage counter for the package domain
-
-
-type: float
-
---
-
-[[exported-fields-logstash]]
-== Logstash fields
-
-Logstash module
-
-
-
-
-*`logstash_stats.timestamp`*::
-+
---
-type: alias
-
-alias to: @timestamp
-
---
-
-
-
-*`logstash_stats.jvm.mem.heap_used_in_bytes`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.jvm.mem.heap_used_in_bytes
-
---
-
-*`logstash_stats.jvm.mem.heap_max_in_bytes`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.jvm.mem.heap_max_in_bytes
-
---
-
-*`logstash_stats.jvm.uptime_in_millis`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.jvm.uptime_in_millis
-
---
-
-
-*`logstash_stats.events.in`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.events.in
-
---
-
-*`logstash_stats.events.out`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.events.out
-
---
-
-*`logstash_stats.events.duration_in_millis`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.events.duration_in_millis
-
---
-
-
-*`logstash_stats.logstash.uuid`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.logstash.uuid
-
---
-
-*`logstash_stats.logstash.version`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.logstash.version
-
---
-
-*`logstash_stats.pipelines`*::
-+
---
-type: nested
-
---
-
-
-
-
-*`logstash_stats.os.cpu.load_average.15m`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.os.cpu.load_average.15m
-
---
-
-*`logstash_stats.os.cpu.load_average.1m`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.os.cpu.load_average.1m
-
---
-
-*`logstash_stats.os.cpu.load_average.5m`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.os.cpu.load_average.5m
-
---
-
-
-*`logstash_stats.os.cgroup.cpuacct.usage_nanos`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.os.cgroup.cpuacct.usage_nanos
-
---
-
-
-*`logstash_stats.os.cgroup.cpu.cfs_quota_micros`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.os.cgroup.cpu.cfs_quota_micros
-
---
-
-
-*`logstash_stats.os.cgroup.cpu.stat.number_of_elapsed_periods`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.os.cgroup.cpu.stat.number_of_elapsed_periods
-
---
-
-*`logstash_stats.os.cgroup.cpu.stat.time_throttled_nanos`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.os.cgroup.cpu.stat.time_throttled_nanos
-
---
-
-*`logstash_stats.os.cgroup.cpu.stat.number_of_times_throttled`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.os.cgroup.cpu.stat.number_of_times_throttled
-
---
-
-*`logstash_stats.process.cpu.percent`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.process.cpu.percent
-
---
-
-*`logstash_stats.queue.events_count`*::
-+
---
-type: alias
-
-alias to: logstash.node.stats.queue.events_count
-
---
-
-
-*`logstash_state.pipeline.id`*::
-+
---
-type: alias
-
-alias to: logstash.node.state.pipeline.id
-
---
-
-*`logstash_state.pipeline.hash`*::
-+
---
-type: alias
-
-alias to: logstash.node.state.pipeline.hash
-
---
-
-
-*`logstash.elasticsearch.cluster.id`*::
-+
---
-type: keyword
-
---
-
-[float]
-=== node
-
-node
-
-
-[float]
-=== node
-
-node_stats metrics.
-
-
-
-*`logstash.node.id`*::
-+
---
-type: keyword
-
---
-
-
-*`logstash.node.state.pipeline.id`*::
-+
---
-type: keyword
-
---
-
-*`logstash.node.state.pipeline.hash`*::
-+
---
-type: keyword
-
---
-
-*`logstash.node.state.pipeline.ephemeral_id`*::
-+
---
-type: keyword
-
---
-
-*`logstash.node.state.pipeline.batch_size`*::
-+
---
-type: long
-
---
-
-*`logstash.node.state.pipeline.workers`*::
-+
---
-type: long
-
---
-
-
-*`logstash.node.state.pipeline.representation.hash`*::
-+
---
-type: keyword
-
---
-
-*`logstash.node.state.pipeline.representation.type`*::
-+
---
-type: keyword
-
---
-
-*`logstash.node.state.pipeline.representation.version`*::
-+
---
-type: keyword
-
---
-
-
-*`logstash.node.state.pipeline.representation.graph.edges`*::
-+
---
-type: object
-
---
-
-*`logstash.node.state.pipeline.representation.graph.vertices`*::
-+
---
-type: object
-
---
-
-*`logstash.node.host`*::
-+
---
-Host name
-
-
-type: alias
-
-alias to: host.hostname
-
---
-
-*`logstash.node.version`*::
-+
---
-Logstash Version
-
-
-type: alias
-
-alias to: service.version
-
---
-
-[float]
-=== jvm
-
-JVM Info
-
-
-
-*`logstash.node.jvm.version`*::
-+
---
-Version
-
-
-type: keyword
-
---
-
-*`logstash.node.jvm.pid`*::
-+
---
-Process ID
-
-
-type: alias
-
-alias to: process.pid
-
---
-
-
-*`logstash.node.stats.timestamp`*::
-+
---
-type: date
-
---
-
-
-*`logstash.node.stats.jvm.uptime_in_millis`*::
-+
---
-type: long
-
---
-
-
-*`logstash.node.stats.jvm.mem.heap_used_in_bytes`*::
-+
---
-type: long
-
---
-
-*`logstash.node.stats.jvm.mem.heap_max_in_bytes`*::
-+
---
-type: long
-
---
-
-[float]
-=== events
-
-Events stats
-
-
-
-*`logstash.node.stats.events.in`*::
-+
---
-Incoming events counter.
-
-
-type: long
-
---
-
-*`logstash.node.stats.events.out`*::
-+
---
-Outgoing events counter.
-
-
-type: long
-
---
-
-*`logstash.node.stats.events.filtered`*::
-+
---
-Filtered events counter.
-
-
-type: long
-
---
-
-*`logstash.node.stats.events.duration_in_millis`*::
-+
---
-type: long
-
---
-
-
-*`logstash.node.stats.logstash.uuid`*::
-+
---
-type: keyword
-
---
-
-*`logstash.node.stats.logstash.version`*::
-+
---
-type: keyword
-
---
-
-
-
-
-*`logstash.node.stats.os.cpu.load_average.15m`*::
-+
---
-type: half_float
-
---
-
-*`logstash.node.stats.os.cpu.load_average.1m`*::
-+
---
-type: half_float
-
---
-
-*`logstash.node.stats.os.cpu.load_average.5m`*::
-+
---
-type: half_float
-
---
-
-
-*`logstash.node.stats.os.cgroup.cpuacct.usage_nanos`*::
-+
---
-type: long
-
---
-
-
-*`logstash.node.stats.os.cgroup.cpu.cfs_quota_micros`*::
-+
---
-type: long
-
---
-
-
-*`logstash.node.stats.os.cgroup.cpu.stat.number_of_elapsed_periods`*::
-+
---
-type: long
-
---
-
-*`logstash.node.stats.os.cgroup.cpu.stat.time_throttled_nanos`*::
-+
---
-type: long
-
---
-
-*`logstash.node.stats.os.cgroup.cpu.stat.number_of_times_throttled`*::
-+
---
-type: long
-
---
-
-*`logstash.node.stats.process.cpu.percent`*::
-+
---
-type: double
-
---
-
-*`logstash.node.stats.pipelines`*::
-+
---
-type: nested
-
---
-
-*`logstash.node.stats.queue.events_count`*::
-+
---
-type: long
-
---
-
-[[exported-fields-memcached]]
-== Memcached fields
-
-Memcached module
-
-
-
-[float]
-=== memcached
-
-
-
-
-[float]
-=== stats
-
-stats
-
-
-
-*`memcached.stats.pid`*::
-+
---
-Current process ID of the Memcached task.
-
-
-type: long
-
---
-
-*`memcached.stats.uptime.sec`*::
-+
---
-Memcached server uptime.
-
-
-type: long
-
---
-
-*`memcached.stats.threads`*::
-+
---
-Number of threads used by the current Memcached server process.
-
-
-type: long
-
---
-
-*`memcached.stats.connections.current`*::
-+
---
-Number of open connections to this Memcached server, should be the same value on all servers during normal operation.
-
-
-type: long
-
---
-
-*`memcached.stats.connections.total`*::
-+
---
-Numer of successful connect attempts to this server since it has been started.
-
-
-type: long
-
---
-
-*`memcached.stats.get.hits`*::
-+
---
-Number of successful "get" commands (cache hits) since startup, divide them by the "cmd_get" value to get the cache hitrate.
-
-
-type: long
-
---
-
-*`memcached.stats.get.misses`*::
-+
---
-Number of failed "get" requests because nothing was cached for this key or the cached value was too old.
-
-
-type: long
-
---
-
-*`memcached.stats.cmd.get`*::
-+
---
-Number of "get" commands received since server startup not counting if they were successful or not.
-
-
-type: long
-
---
-
-*`memcached.stats.cmd.set`*::
-+
---
-Number of "set" commands serviced since startup.
-
-
-type: long
-
---
-
-*`memcached.stats.read.bytes`*::
-+
---
-Total number of bytes received from the network by this server.
-
-
-type: long
-
---
-
-*`memcached.stats.written.bytes`*::
-+
---
-Total number of bytes send to the network by this server.
-
-
-type: long
-
---
-
-*`memcached.stats.items.current`*::
-+
---
-Number of items currently in this server's cache.
-
-
-type: long
-
---
-
-*`memcached.stats.items.total`*::
-+
---
-Number of items stored ever stored on this server. This is no "maximum item count" value but a counted increased by every new item stored in the cache.
-
-
-type: long
-
---
-
-*`memcached.stats.evictions`*::
-+
---
-Number of objects removed from the cache to free up memory for new items because Memcached reached it's maximum memory setting (limit_maxbytes).
-
-
-type: long
-
---
-
-*`memcached.stats.bytes.current`*::
-+
---
-Number of bytes currently used for caching items.
-
-
-type: long
-
---
-
-*`memcached.stats.bytes.limit`*::
-+
---
-Number of bytes this server is allowed to use for storage.
-
-
-type: long
-
---
-
-[[exported-fields-meraki]]
-
-
-
-*`meraki.device.serial`*::
-+
---
-type: keyword
-
---
-
-[[exported-fields-mongodb]]
-== MongoDB fields
-
-Metrics collected from MongoDB servers.
-
-
-
-[float]
-=== mongodb
-
-MongoDB metrics.
-
-
-
-[float]
-=== collstats
-
-MongoDB collection statistics metrics.
-
-
-
-*`mongodb.collstats.db`*::
-+
---
-Database name.
-
-
-type: keyword
-
---
-
-*`mongodb.collstats.collection`*::
-+
---
-Collection name.
-
-
-type: keyword
-
---
-
-*`mongodb.collstats.name`*::
-+
---
-Combination of database and collection name.
-
-
-type: keyword
-
---
-
-*`mongodb.collstats.total.time.us`*::
-+
---
-Total waiting time for locks in microseconds.
-
-
-type: long
-
---
-
-*`mongodb.collstats.total.count`*::
-+
---
-Total number of lock wait events.
-
-
-type: long
-
---
-
-
-*`mongodb.collstats.lock.read.time.us`*::
-+
---
-Time waiting for read locks in microseconds.
-
-
-type: long
-
---
-
-*`mongodb.collstats.lock.read.count`*::
-+
---
-Number of read lock wait events.
-
-
-type: long
-
---
-
-*`mongodb.collstats.lock.write.time.us`*::
-+
---
-Time waiting for write locks in microseconds.
-
-
-type: long
-
---
-
-*`mongodb.collstats.lock.write.count`*::
-+
---
-Number of write lock wait events.
-
-
-type: long
-
---
-
-*`mongodb.collstats.queries.time.us`*::
-+
---
-Time running queries in microseconds.
-
-
-type: long
-
---
-
-*`mongodb.collstats.queries.count`*::
-+
---
-Number of queries executed.
-
-
-type: long
-
---
-
-*`mongodb.collstats.getmore.time.us`*::
-+
---
-Time asking for more cursor rows in microseconds.
-
-
-type: long
-
---
-
-*`mongodb.collstats.getmore.count`*::
-+
---
-Number of times a cursor asked for more data.
-
-
-type: long
-
---
-
-*`mongodb.collstats.insert.time.us`*::
-+
---
-Time inserting new documents in microseconds.
-
-
-type: long
-
---
-
-*`mongodb.collstats.insert.count`*::
-+
---
-Number of document insert events.
-
-
-type: long
-
---
-
-*`mongodb.collstats.update.time.us`*::
-+
---
-Time updating documents in microseconds.
-
-
-type: long
-
---
-
-*`mongodb.collstats.update.count`*::
-+
---
-Number of document update events.
-
-
-type: long
-
---
-
-*`mongodb.collstats.remove.time.us`*::
-+
---
-Time deleting documents in microseconds.
-
-
-type: long
-
---
-
-*`mongodb.collstats.remove.count`*::
-+
---
-Number of document delete events.
-
-
-type: long
-
---
-
-*`mongodb.collstats.commands.time.us`*::
-+
---
-Time executing database commands in microseconds.
-
-
-type: long
-
---
-
-*`mongodb.collstats.commands.count`*::
-+
---
-Number of database commands executed.
-
-
-type: long
-
---
-
-
-*`mongodb.collstats.stats.stats.size`*::
-+
---
-The total uncompressed size in memory of all records in a collection.
-
-
-type: long
-
---
-
-*`mongodb.collstats.stats.stats.count`*::
-+
---
-The number of objects or documents in this collection.
-
-
-type: long
-
---
-
-*`mongodb.collstats.stats.stats.avgObjSize`*::
-+
---
-The average size of an object in the collection (in bytes).
-
-
-type: long
-
---
-
-*`mongodb.collstats.stats.stats.storageSize`*::
-+
---
-The total amount of storage allocated to this collection for document storage (in bytes).
-
-
-type: long
-
---
-
-*`mongodb.collstats.stats.stats.totalIndexSize`*::
-+
---
-The total size of all indexes (in bytes).
-
-
-type: long
-
---
-
-*`mongodb.collstats.stats.stats.totalSize`*::
-+
---
-The sum of the storageSize and totalIndexSize (in bytes).
-
-
-type: long
-
---
-
-*`mongodb.collstats.stats.stats.max`*::
-+
---
-Shows the maximum number of documents that may be present in a capped collection.
-
-
-type: long
-
---
-
-*`mongodb.collstats.stats.stats.nindexes`*::
-+
---
-The number of indexes on the collection. All collections have at least one index on the _id field.
-
-
-type: long
-
---
-
-[float]
-=== dbstats
-
-dbstats provides an overview of a particular mongo database. This document is most concerned with data volumes of a database.
-
-
-
-*`mongodb.dbstats.avg_obj_size.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`mongodb.dbstats.collections`*::
-+
---
-type: integer
-
---
-
-*`mongodb.dbstats.data_size.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`mongodb.dbstats.db`*::
-+
---
-type: keyword
-
---
-
-*`mongodb.dbstats.file_size.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`mongodb.dbstats.index_size.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`mongodb.dbstats.indexes`*::
-+
---
-type: long
-
---
-
-*`mongodb.dbstats.num_extents`*::
-+
---
-type: long
-
---
-
-*`mongodb.dbstats.objects`*::
-+
---
-type: long
-
---
-
-*`mongodb.dbstats.storage_size.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-*`mongodb.dbstats.ns_size_mb.mb`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.dbstats.data_file_version.major`*::
-+
---
-type: long
-
---
-
-*`mongodb.dbstats.data_file_version.minor`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.dbstats.extent_free_list.num`*::
-+
---
-type: long
-
---
-
-*`mongodb.dbstats.extent_free_list.size.bytes`*::
-+
---
-type: long
-
-format: bytes
-
---
-
-[float]
-=== metrics
-
-Statistics that reflect the current use and state of a running `mongod` instance for more information, take a look at https://docs.mongodb.com/manual/reference/command/serverStatus/#serverstatus.metrics
-
-
-
-[float]
-=== commands
-
-Reports on the use of database commands. The fields in metrics.commands are the names of database commands and each value is a document that reports the total number of commands executed as well as the number of failed executions.
-metrics.commands.<command>.failed shows the number of times <command> failed on this mongod. metrics.commands.<command>.total shows the number of times <command> executed on this mongod.
-
-
-
-
-*`mongodb.metrics.commands.is_self.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.is_self.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.aggregate.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.aggregate.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.build_info.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.build_info.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.coll_stats.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.coll_stats.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.connection_pool_stats.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.connection_pool_stats.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.count.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.count.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.db_stats.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.db_stats.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.distinct.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.distinct.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.find.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.find.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.get_cmd_line_opts.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.get_cmd_line_opts.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.get_last_error.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.get_last_error.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.get_log.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.get_log.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.get_more.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.get_more.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.get_parameter.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.get_parameter.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.host_info.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.host_info.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.insert.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.insert.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.is_master.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.is_master.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.last_collections.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.last_collections.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.last_commands.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.last_commands.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.list_databased.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.list_databased.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.list_indexes.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.list_indexes.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.ping.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.ping.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.profile.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.profile.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.replset_get_rbid.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.replset_get_rbid.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.replset_get_status.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.replset_get_status.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.replset_heartbeat.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.replset_heartbeat.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.replset_update_position.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.replset_update_position.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.server_status.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.server_status.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.update.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.update.total`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.commands.whatsmyuri.failed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.commands.whatsmyuri.total`*::
-+
---
-type: long
-
---
-
-[float]
-=== cursor
-
-Contains data regarding cursor state and use.
-
-
-
-*`mongodb.metrics.cursor.timed_out`*::
-+
---
-The total number of cursors that have timed out since the server process started.
-
-
-type: long
-
---
-
-[float]
-=== open
-
-Contains data regarding open cursors.
-
-
-
-*`mongodb.metrics.cursor.open.no_timeout`*::
-+
---
-The number of open cursors with the option DBQuery.Option.noTimeout set to prevent timeout.
-
-
-type: long
-
---
-
-*`mongodb.metrics.cursor.open.pinned`*::
-+
---
-The number of `pinned` open cursors.
-
-
-type: long
-
---
-
-*`mongodb.metrics.cursor.open.total`*::
-+
---
-The number of cursors that MongoDB is maintaining for clients.
-
-
-type: long
-
---
-
-[float]
-=== document
-
-Reflects document access and modification patterns.
-
-
-
-*`mongodb.metrics.document.deleted`*::
-+
---
-The total number of documents deleted.
-
-
-type: long
-
---
-
-*`mongodb.metrics.document.inserted`*::
-+
---
-The total number of documents inserted.
-
-
-type: long
-
---
-
-*`mongodb.metrics.document.returned`*::
-+
---
-The total number of documents returned by queries.
-
-
-type: long
-
---
-
-*`mongodb.metrics.document.updated`*::
-+
---
-The total number of documents updated.
-
-
-type: long
-
---
-
-[float]
-=== get_last_error
-
-Returns the error status of the preceding write operation on the current connection.
-
-
-
-*`mongodb.metrics.get_last_error.write_wait.ms`*::
-+
---
-The total amount of time in milliseconds that the mongod has spent performing getLastError operations with write concern (i.e. w) greater than 1.
-
-
-type: long
-
---
-
-*`mongodb.metrics.get_last_error.write_wait.count`*::
-+
---
-The total number of getLastError operations with a specified write concern (i.e. w) greater than 1.
-
-
-type: long
-
---
-
-*`mongodb.metrics.get_last_error.write_timeouts`*::
-+
---
-The number of times that write concern operations have timed out as a result of the wtimeout threshold to getLastError.
-
-
-type: long
-
---
-
-[float]
-=== operation
-
-Holds counters for several types of update and query operations that MongoDB handles using special operation types.
-
-
-
-*`mongodb.metrics.operation.scan_and_order`*::
-+
---
-The total number of queries that return sorted numbers that cannot perform the sort operation using an index.
-
-
-type: long
-
---
-
-*`mongodb.metrics.operation.write_conflicts`*::
-+
---
-The total number of queries that encountered write conflicts.
-
-
-type: long
-
---
-
-[float]
-=== query_executor
-
-Reports data from the query execution system.
-
-
-
-*`mongodb.metrics.query_executor.scanned_indexes.count`*::
-+
---
-The total number of index items scanned during queries and query-plan evaluation.
-
-
-type: long
-
---
-
-*`mongodb.metrics.query_executor.scanned_documents.count`*::
-+
---
-The total number of documents scanned during queries and query-plan evaluation.
-
-
-type: long
-
---
-
-[float]
-=== replication
-
-Reports metrics related to the replication process. metrics.replication appears on all mongod instances, even those that aren't members of replica sets.
-
-
-
-[float]
-=== executor
-
-Reports on various statistics for the replication executor.
-
-
-
-
-*`mongodb.metrics.replication.executor.counters.event_created`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.counters.event_wait`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.counters.cancels`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.counters.waits`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.metrics.replication.executor.counters.scheduled.netcmd`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.counters.scheduled.dbwork`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.counters.scheduled.exclusive`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.counters.scheduled.work_at`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.counters.scheduled.work`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.counters.scheduled.failures`*::
-+
---
-type: long
-
---
-
-
-
-*`mongodb.metrics.replication.executor.queues.in_progress.network`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.queues.in_progress.dbwork`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.queues.in_progress.exclusive`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.queues.sleepers`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.queues.ready`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.queues.free`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.unsignaled_events`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.event_waiters`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.executor.shutting_down`*::
-+
---
-type: boolean
-
---
-
-*`mongodb.metrics.replication.executor.network_interface`*::
-+
---
-type: keyword
-
---
-
-[float]
-=== apply
-
-Reports on the application of operations from the replication oplog.
-
-
-
-*`mongodb.metrics.replication.apply.attempts_to_become_secondary`*::
-+
---
-type: long
-
---
-
-[float]
-=== batches
-
-Reports on the oplog application process on secondaries members of replica sets.
-
-
-
-*`mongodb.metrics.replication.apply.batches.count`*::
-+
---
-The total number of batches applied across all databases.
-
-
-type: long
-
---
-
-*`mongodb.metrics.replication.apply.batches.time.ms`*::
-+
---
-The total amount of time in milliseconds the mongod has spent applying operations from the oplog.
-
-
-type: long
-
---
-
-*`mongodb.metrics.replication.apply.ops`*::
-+
---
-The total number of oplog operations applied.
-
-
-type: long
-
---
-
-[float]
-=== buffer
-
-MongoDB buffers oplog operations from the replication sync source buffer before applying oplog entries in a batch. metrics.replication.buffer provides a way to track the oplog buffer.
-
-
-
-*`mongodb.metrics.replication.buffer.count`*::
-+
---
-The current number of operations in the oplog buffer.
-
-
-type: long
-
---
-
-*`mongodb.metrics.replication.buffer.max_size.bytes`*::
-+
---
-The maximum size of the buffer. This value is a constant setting in the mongod, and is not configurable.
-
-
-type: long
-
---
-
-*`mongodb.metrics.replication.buffer.size.bytes`*::
-+
---
-The current size of the contents of the oplog buffer.
-
-
-type: long
-
---
-
-[float]
-=== initial_sync
-
-Report initial sync status
-
-
-
-*`mongodb.metrics.replication.initial_sync.completed`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.initial_sync.failed_attempts`*::
-+
---
-type: long
-
---
-
-*`mongodb.metrics.replication.initial_sync.failures`*::
-+
---
-type: long
-
---
-
-[float]
-=== network
-
-Reports network use by the replication process.
-
-
-
-*`mongodb.metrics.replication.network.bytes`*::
-+
---
-The total amount of data read from the replication sync source.
-
-
-type: long
-
---
-
-[float]
-=== getmores
-
-Reports on the getmore operations, which are requests for additional results from the oplog cursor as part of the oplog replication process.
-
-
-
-*`mongodb.metrics.replication.network.getmores.count`*::
-+
---
-The total number of getmore operations
-
-
-type: long
-
---
-
-*`mongodb.metrics.replication.network.getmores.time.ms`*::
-+
---
-The total amount of time required to collect data from getmore operations.
-
-
-type: long
-
---
-
-*`mongodb.metrics.replication.network.ops`*::
-+
---
-The total number of operations read from the replication source.
-
-
-type: long
-
---
-
-*`mongodb.metrics.replication.network.reders_created`*::
-+
---
-The total number of oplog query processes created.
-
-
-type: long
-
---
-
-[float]
-=== preload
-
-Reports on the `pre-fetch` stage, where MongoDB loads documents and indexes into RAM to improve replication throughput.
-
-
-
-[float]
-=== docs
-
-Reports on the documents loaded into memory during the pre-fetch stage.
-
-
-
-*`mongodb.metrics.replication.preload.docs.count`*::
-+
---
-The total number of documents loaded during the pre-fetch stage of replication.
-
-
-type: long
-
---
-
-*`mongodb.metrics.replication.preload.docs.time.ms`*::
-+
---
-type: long
-
---
-
-[float]
-=== indexes
-
-Reports on the index items loaded into memory during the pre-fetch stage of replication.
-
-
-
-*`mongodb.metrics.replication.preload.indexes.count`*::
-+
---
-The total number of index entries loaded by members before updating documents as part of the pre-fetch stage of replication.
-
-
-type: long
-
---
-
-*`mongodb.metrics.replication.preload.indexes.time.ms`*::
-+
---
-The total amount of time, in milliseconds, spent loading index entries as part of the pre-fetch stage of replication.
-
-
-type: long
-
---
-
-
-*`mongodb.metrics.storage.free_list.search.bucket_exhausted`*::
-+
---
-The number of times that mongod has checked the free list without finding a suitably large record allocation.
-
-
-type: long
-
---
-
-*`mongodb.metrics.storage.free_list.search.requests`*::
-+
---
-The number of times mongod has searched for available record allocations.
-
-
-type: long
-
---
-
-*`mongodb.metrics.storage.free_list.search.scanned`*::
-+
---
-The number of available record allocations mongod has searched.
-
-
-type: long
-
---
-
-[float]
-=== ttl
-
-Reports on the operation of the resource use of the ttl index process.
-
-
-
-*`mongodb.metrics.ttl.deleted_documents.count`*::
-+
---
-The total number of documents deleted from collections with a ttl index.
-
-
-type: long
-
---
-
-*`mongodb.metrics.ttl.passes.count`*::
-+
---
-The number of times the background process removes documents from collections with a ttl index.
-
-
-type: long
-
---
-
-[float]
-=== replstatus
-
-replstatus provides an overview of replica set status.
-
-
-
-[float]
-=== oplog
-
-oplog provides an overview of replication oplog status, which is retrieved from db.getReplicationInfo().
-
-
-
-*`mongodb.replstatus.oplog.size.allocated`*::
-+
---
-The total amount of space used by the replstatus in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`mongodb.replstatus.oplog.size.used`*::
-+
---
-total amount of space allocated to the replstatus in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`mongodb.replstatus.oplog.first.timestamp`*::
-+
---
-Timestamp of the first (i.e. earliest) operation in the replstatus
-
-
-type: long
-
---
-
-*`mongodb.replstatus.oplog.last.timestamp`*::
-+
---
-Timestamp of the last (i.e. latest) operation in the replstatus
-
-
-type: long
-
---
-
-*`mongodb.replstatus.oplog.window`*::
-+
---
-The difference between the first and last operation in the replstatus.
-
-
-type: long
-
---
-
-*`mongodb.replstatus.set_name`*::
-+
---
-The name of the replica set.
-
-
-type: keyword
-
---
-
-*`mongodb.replstatus.server_date`*::
-+
---
-Reflects the current time according to the server that processed the replSetGetStatus command.
-
-
-type: date
-
---
-
-
-*`mongodb.replstatus.optimes.last_committed`*::
-+
---
-Information, from the viewpoint of this member, regarding the most recent operation that has been written to a majority of replica set members.
-
-
-type: long
-
---
-
-*`mongodb.replstatus.optimes.applied`*::
-+
---
-Information, from the viewpoint of this member, regarding the most recent operation that has been applied to this member of the replica set.
-
-
-type: long
-
---
-
-*`mongodb.replstatus.optimes.durable`*::
-+
---
-Information, from the viewpoint of this member, regarding the most recent operation that has been written to the journal of this member of the replica set.
-
-
-type: long
-
---
-
-[float]
-=== lag
-
-Delay between a write operation on the primary and its copy to a secondary
-
-
-
-*`mongodb.replstatus.lag.max`*::
-+
---
-Difference between optime of primary and slowest secondary
-
-
-type: long
-
-format: duration
-
---
-
-*`mongodb.replstatus.lag.min`*::
-+
---
-Difference between optime of primary and fastest secondary
-
-
-type: long
-
-format: duration
-
---
-
-[float]
-=== headroom
-
-Difference between the primary's oplog window and the replication lag of the secondary
-
-
-
-*`mongodb.replstatus.headroom.max`*::
-+
---
-Difference between primary's oplog window and the replication lag of the fastest secondary
-
-
-type: long
-
-format: duration
-
---
-
-*`mongodb.replstatus.headroom.min`*::
-+
---
-Difference between primary's oplog window and the replication lag of the slowest secondary
-
-
-type: long
-
-format: duration
-
---
-
-[float]
-=== members
-
-Provides information about members of replica set grouped by their state
-
-
-
-*`mongodb.replstatus.members.primary.host`*::
-+
---
-Host address of the primary
-
-
-type: keyword
-
---
-
-*`mongodb.replstatus.members.primary.optime`*::
-+
---
-Optime of primary
-
-
-type: keyword
-
---
-
-*`mongodb.replstatus.members.secondary.hosts`*::
-+
---
-List of secondary hosts
-
-
-type: keyword
-
---
-
-*`mongodb.replstatus.members.secondary.optimes`*::
-+
---
-Optimes of secondaries
-
-
-type: keyword
-
---
-
-*`mongodb.replstatus.members.secondary.count`*::
-+
---
-type: long
-
---
-
-*`mongodb.replstatus.members.recovering.hosts`*::
-+
---
-List of recovering members hosts
-
-
-type: keyword
-
---
-
-*`mongodb.replstatus.members.recovering.count`*::
-+
---
-Count of members in the `recovering` state
-
-
-type: long
-
---
-
-*`mongodb.replstatus.members.unknown.hosts`*::
-+
---
-List of members' hosts in the `unknown` state
-
-
-type: keyword
-
---
-
-*`mongodb.replstatus.members.unknown.count`*::
-+
---
-Count of members with `unknown` state
-
-
-type: long
-
---
-
-*`mongodb.replstatus.members.startup2.hosts`*::
-+
---
-List of initializing members hosts
-
-
-type: keyword
-
---
-
-*`mongodb.replstatus.members.startup2.count`*::
-+
---
-Count of members in the `startup2` state
-
-
-type: long
-
---
-
-*`mongodb.replstatus.members.arbiter.hosts`*::
-+
---
-List of arbiters hosts
-
-
-type: keyword
-
---
-
-*`mongodb.replstatus.members.arbiter.count`*::
-+
---
-Count of arbiters
-
-
-type: long
-
---
-
-*`mongodb.replstatus.members.down.hosts`*::
-+
---
-List of `down` members hosts
-
-
-type: keyword
-
---
-
-*`mongodb.replstatus.members.down.count`*::
-+
---
-Count of `down` members
-
-
-type: long
-
---
-
-*`mongodb.replstatus.members.rollback.hosts`*::
-+
---
-List of members in the `rollback` state
-
-
-type: keyword
-
---
-
-*`mongodb.replstatus.members.rollback.count`*::
-+
---
-Count of members in the `rollback` state
-
-
-type: long
-
---
-
-*`mongodb.replstatus.members.unhealthy.hosts`*::
-+
---
-List of members' hosts with healthy = false
-
-
-type: keyword
-
---
-
-*`mongodb.replstatus.members.unhealthy.count`*::
-+
---
-Count of unhealthy members
-
-
-type: long
-
---
-
-[float]
-=== status
-
-MongoDB server status metrics.
-
-
-
-*`mongodb.status.version`*::
-+
---
-Instance version.
-
-
-type: alias
-
-alias to: service.version
-
---
-
-*`mongodb.status.process`*::
-+
---
-The current MongoDB process. Possible values are mongos or mongod.
-
-
-type: alias
-
-alias to: process.name
-
---
-
-*`mongodb.status.uptime.ms`*::
-+
---
-Instance uptime in milliseconds.
-
-
-type: long
-
---
-
-*`mongodb.status.local_time`*::
-+
---
-Local time as reported by the MongoDB instance.
-
-
-type: date
-
---
-
-*`mongodb.status.asserts.regular`*::
-+
---
-Number of regular assertions produced by the server.
-
-
-type: long
-
---
-
-*`mongodb.status.asserts.warning`*::
-+
---
-Number of warning assertions produced by the server.
-
-
-type: long
-
---
-
-*`mongodb.status.asserts.msg`*::
-+
---
-Number of msg assertions produced by the server.
-
-
-type: long
-
---
-
-*`mongodb.status.asserts.user`*::
-+
---
-Number of user assertions produced by the server.
-
-
-type: long
-
---
-
-*`mongodb.status.asserts.rollovers`*::
-+
---
-Number of rollovers assertions produced by the server.
-
-
-type: long
-
---
-
-[float]
-=== connections
-
-Data regarding the current status of incoming connections and availability of the database server.
-
-
-
-*`mongodb.status.connections.current`*::
-+
---
-The number of connections to the database server from clients. This number includes the current shell session. Consider the value of `available` to add more context to this datum.
-
-
-type: long
-
---
-
-*`mongodb.status.connections.available`*::
-+
---
-The number of unused available incoming connections the database can provide.
-
-
-type: long
-
---
-
-*`mongodb.status.connections.total_created`*::
-+
---
-A count of all incoming connections created to the server. This number includes connections that have since closed.
-
-
-type: long
-
---
-
-[float]
-=== extra_info
-
-Platform specific data.
-
-
-
-*`mongodb.status.extra_info.heap_usage.bytes`*::
-+
---
-The total size in bytes of heap space used by the database process. Only available on Unix/Linux.
-
-
-type: long
-
-format: bytes
-
---
-
-*`mongodb.status.extra_info.page_faults`*::
-+
---
-The total number of page faults that require disk operations. Page faults refer to operations that require the database server to access data that isn't available in active memory.
-
-
-type: long
-
---
-
-[float]
-=== global_lock
-
-Reports on lock state of the database.
-
-
-
-*`mongodb.status.global_lock.total_time.us`*::
-+
---
-The time, in microseconds, since the database last started and created the globalLock. This is roughly equivalent to total server uptime.
-
-
-type: long
-
---
-
-[float]
-=== current_queue
-
-The number of operations queued because of a lock.
-
-
-
-*`mongodb.status.global_lock.current_queue.total`*::
-+
---
-The total number of operations queued waiting for the lock (i.e., the sum of current_queue.readers and current_queue.writers).
-
-
-type: long
-
---
-
-*`mongodb.status.global_lock.current_queue.readers`*::
-+
---
-The number of operations that are currently queued and waiting for the read lock.
-
-
-type: long
-
---
-
-*`mongodb.status.global_lock.current_queue.writers`*::
-+
---
-The number of operations that are currently queued and waiting for the write lock.
-
-
-type: long
-
---
-
-[float]
-=== active_clients
-
-The number of connected clients and the read and write operations performed by these clients.
-
-
-
-*`mongodb.status.global_lock.active_clients.total`*::
-+
---
-Total number of the active client connections performing read or write operations.
-
-
-type: long
-
---
-
-*`mongodb.status.global_lock.active_clients.readers`*::
-+
---
-The number of the active client connections performing read operations.
-
-
-type: long
-
---
-
-*`mongodb.status.global_lock.active_clients.writers`*::
-+
---
-The number of the active client connections performing write operations.
-
-
-type: long
-
---
-
-[float]
-=== locks
-
-A document that reports for each lock <type>, data on lock <mode>s. The possible lock <type>s are global, database, collection, metadata and oplog. The possible <mode>s are r, w, R and W which respresent shared, exclusive, intent shared and intent exclusive.
-locks.<type>.acquire.count.<mode> shows the number of times the lock was acquired in the specified mode. locks.<type>.wait.count.<mode> shows the number of times the locks.acquireCount lock acquisitions encountered waits because the locks were held in a conflicting mode. locks.<type>.wait.us.<mode> shows the cumulative wait time in microseconds for the lock acquisitions. locks.<type>.deadlock.count.<mode> shows the number of times the lock acquisitions encountered deadlocks.
-
-
-
-
-*`mongodb.status.locks.global.acquire.count.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.global.acquire.count.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.global.acquire.count.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.global.acquire.count.W`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.global.wait.count.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.global.wait.count.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.global.wait.count.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.global.wait.count.W`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.global.wait.us.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.global.wait.us.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.global.wait.us.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.global.wait.us.W`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.global.deadlock.count.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.global.deadlock.count.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.global.deadlock.count.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.global.deadlock.count.W`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.status.locks.database.acquire.count.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.database.acquire.count.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.database.acquire.count.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.database.acquire.count.W`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.database.wait.count.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.database.wait.count.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.database.wait.count.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.database.wait.count.W`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.database.wait.us.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.database.wait.us.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.database.wait.us.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.database.wait.us.W`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.database.deadlock.count.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.database.deadlock.count.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.database.deadlock.count.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.database.deadlock.count.W`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.status.locks.collection.acquire.count.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.collection.acquire.count.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.collection.acquire.count.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.collection.acquire.count.W`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.collection.wait.count.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.collection.wait.count.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.collection.wait.count.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.collection.wait.count.W`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.collection.wait.us.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.collection.wait.us.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.collection.wait.us.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.collection.wait.us.W`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.collection.deadlock.count.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.collection.deadlock.count.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.collection.deadlock.count.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.collection.deadlock.count.W`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.status.locks.meta_data.acquire.count.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.meta_data.acquire.count.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.meta_data.acquire.count.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.meta_data.acquire.count.W`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.meta_data.wait.count.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.meta_data.wait.count.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.meta_data.wait.count.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.meta_data.wait.count.W`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.meta_data.wait.us.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.meta_data.wait.us.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.meta_data.wait.us.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.meta_data.wait.us.W`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.meta_data.deadlock.count.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.meta_data.deadlock.count.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.meta_data.deadlock.count.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.meta_data.deadlock.count.W`*::
-+
---
-type: long
-
---
-
-
-*`mongodb.status.locks.oplog.acquire.count.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.oplog.acquire.count.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.oplog.acquire.count.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.oplog.acquire.count.W`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.oplog.wait.count.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.oplog.wait.count.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.oplog.wait.count.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.oplog.wait.count.W`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.oplog.wait.us.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.oplog.wait.us.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.oplog.wait.us.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.oplog.wait.us.W`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.oplog.deadlock.count.r`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.oplog.deadlock.count.w`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.oplog.deadlock.count.R`*::
-+
---
-type: long
-
---
-
-*`mongodb.status.locks.oplog.deadlock.count.W`*::
-+
---
-type: long
-
---
-
-[float]
-=== network
-
-Platform specific data.
-
-
-
-*`mongodb.status.network.in.bytes`*::
-+
---
-The amount of network traffic, in bytes, received by this database.
-
-
-type: long
-
-format: bytes
-
---
-
-*`mongodb.status.network.out.bytes`*::
-+
---
-The amount of network traffic, in bytes, sent from this database.
-
-
-type: long
-
-format: bytes
-
---
-
-*`mongodb.status.network.requests`*::
-+
---
-The total number of requests received by the server.
-
-
-type: long
-
---
-
-[float]
-=== ops.latencies
-
-Operation latencies for the database as a whole. Only mongod instances report this metric.
-
-
-
-*`mongodb.status.ops.latencies.reads.latency`*::
-+
---
-Total combined latency in microseconds.
-
-
-type: long
-
---
-
-*`mongodb.status.ops.latencies.reads.count`*::
-+
---
-Total number of read operations performed on the collection since startup.
-
-
-type: long
-
---
-
-*`mongodb.status.ops.latencies.writes.latency`*::
-+
---
-Total combined latency in microseconds.
-
-
-type: long
-
---
-
-*`mongodb.status.ops.latencies.writes.count`*::
-+
---
-Total number of write operations performed on the collection since startup.
-
-
-type: long
-
---
-
-*`mongodb.status.ops.latencies.commands.latency`*::
-+
---
-Total combined latency in microseconds.
-
-
-type: long
-
---
-
-*`mongodb.status.ops.latencies.commands.count`*::
-+
---
-Total number of commands performed on the collection since startup.
-
-
-type: long
-
---
-
-[float]
-=== ops.counters
-
-An overview of database operations by type.
-
-
-
-*`mongodb.status.ops.counters.insert`*::
-+
---
-The total number of insert operations received since the mongod instance last started.
-
-
-type: long
-
---
-
-*`mongodb.status.ops.counters.query`*::
-+
---
-The total number of queries received since the mongod instance last started.
-
-
-type: long
-
---
-
-*`mongodb.status.ops.counters.update`*::
-+
---
-The total number of update operations received since the mongod instance last started.
-
-
-type: long
-
---
-
-*`mongodb.status.ops.counters.delete`*::
-+
---
-The total number of delete operations received since the mongod instance last started.
-
-
-type: long
-
---
-
-*`mongodb.status.ops.counters.getmore`*::
-+
---
-The total number of getmore operations received since the mongod instance last started.
-
-
-type: long
-
---
-
-*`mongodb.status.ops.counters.command`*::
-+
---
-The total number of commands issued to the database since the mongod instance last started.
-
-
-type: long
-
---
-
-[float]
-=== ops.replicated
-
-An overview of database replication operations by type.
-
-
-
-*`mongodb.status.ops.replicated.insert`*::
-+
---
-The total number of replicated insert operations received since the mongod instance last started.
-
-
-type: long
-
---
-
-*`mongodb.status.ops.replicated.query`*::
-+
---
-The total number of replicated queries received since the mongod instance last started.
-
-
-type: long
-
---
-
-*`mongodb.status.ops.replicated.update`*::
-+
---
-The total number of replicated update operations received since the mongod instance last started.
-
-
-type: long
-
---
-
-*`mongodb.status.ops.replicated.delete`*::
-+
---
-The total number of replicated delete operations received since the mongod instance last started.
-
-
-type: long
-
---
-
-*`mongodb.status.ops.replicated.getmore`*::
-+
---
-The total number of replicated getmore operations received since the mongod instance last started.
-
-
-type: long
-
---
-
-*`mongodb.status.ops.replicated.command`*::
-+
---
-The total number of replicated commands issued to the database since the mongod instance last started.
-
-
-type: long
-
---
-
-[float]
-=== memory
-
-Data about the current memory usage of the mongod server.
-
-
-
-*`mongodb.status.memory.bits`*::
-+
---
-Either 64 or 32, depending on which target architecture was specified during the mongod compilation process.
-
-
-type: long
-
---
-
-*`mongodb.status.memory.resident.mb`*::
-+
---
-The amount of RAM, in megabytes (MB), currently used by the database process.
-
-
-type: long
-
---
-
-*`mongodb.status.memory.virtual.mb`*::
-+
---
-The amount, in megabytes (MB), of virtual memory used by the mongod process.
-
-
-type: long
-
---
-
-*`mongodb.status.memory.mapped.mb`*::
-+
---
-The amount of mapped memory, in megabytes (MB), used by the database. Because MongoDB uses memory-mapped files, this value is likely to be to be roughly equivalent to the total size of your database or databases.
-
-
-type: long
-
---
-
-*`mongodb.status.memory.mapped_with_journal.mb`*::
-+
---
-The amount of mapped memory, in megabytes (MB), including the memory used for journaling.
-
-
-type: long
-
---
-
-*`mongodb.status.write_backs_queued`*::
-+
---
-True when there are operations from a mongos instance queued for retrying.
-
-
-type: boolean
-
---
-
-*`mongodb.status.storage_engine.name`*::
-+
---
-A string that represents the name of the current storage engine.
-
-
-type: keyword
-
---
-
-[float]
-=== wired_tiger
-
-Statistics about the WiredTiger storage engine.
-
-
-
-[float]
-=== concurrent_transactions
-
-Statistics about the transactions currently in progress.
-
-
-
-*`mongodb.status.wired_tiger.concurrent_transactions.write.out`*::
-+
---
-Number of concurrent write transaction in progress.
-
-
-type: long
-
---
-
-*`mongodb.status.wired_tiger.concurrent_transactions.write.available`*::
-+
---
-Number of concurrent write tickets available.
-
-
-type: long
-
---
-
-*`mongodb.status.wired_tiger.concurrent_transactions.write.total_tickets`*::
-+
---
-Number of total write tickets.
-
-
-type: long
-
---
-
-*`mongodb.status.wired_tiger.concurrent_transactions.read.out`*::
-+
---
-Number of concurrent read transaction in progress.
-
-
-type: long
-
---
-
-*`mongodb.status.wired_tiger.concurrent_transactions.read.available`*::
-+
---
-Number of concurrent read tickets available.
-
-
-type: long
-
---
-
-*`mongodb.status.wired_tiger.concurrent_transactions.read.total_tickets`*::
-+
---
-Number of total read tickets.
-
-
-type: long
-
---
-
-[float]
-=== cache
-
-Statistics about the cache and page evictions from the cache.
-
-
-
-*`mongodb.status.wired_tiger.cache.maximum.bytes`*::
-+
---
-Maximum cache size.
-
-
-type: long
-
-format: bytes
-
---
-
-*`mongodb.status.wired_tiger.cache.used.bytes`*::
-+
---
-Size in byte of the data currently in cache.
-
-
-type: long
-
-format: bytes
-
---
-
-*`mongodb.status.wired_tiger.cache.dirty.bytes`*::
-+
---
-Size in bytes of the dirty data in the cache.
-
-
-type: long
-
-format: bytes
-
---
-
-*`mongodb.status.wired_tiger.cache.pages.read`*::
-+
---
-Number of pages read into the cache.
-
-
-type: long
-
---
-
-*`mongodb.status.wired_tiger.cache.pages.write`*::
-+
---
-Number of pages written from the cache.
-
-
-type: long
-
---
-
-*`mongodb.status.wired_tiger.cache.pages.evicted`*::
-+
---
-Number of pages evicted from the cache.
-
-
-type: long
-
---
-
-[float]
-=== log
-
-Statistics about the write ahead log used by WiredTiger.
-
-
-
-*`mongodb.status.wired_tiger.log.size.bytes`*::
-+
---
-Total log size in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`mongodb.status.wired_tiger.log.write.bytes`*::
-+
---
-Number of bytes written into the log.
-
-
-type: long
-
-format: bytes
-
---
-
-*`mongodb.status.wired_tiger.log.max_file_size.bytes`*::
-+
---
-Maximum file size.
-
-
-type: long
-
-format: bytes
-
---
-
-*`mongodb.status.wired_tiger.log.flushes`*::
-+
---
-Number of flush operations.
-
-
-type: long
-
---
-
-*`mongodb.status.wired_tiger.log.writes`*::
-+
---
-Number of write operations.
-
-
-type: long
-
---
-
-*`mongodb.status.wired_tiger.log.scans`*::
-+
---
-Number of scan operations.
-
-
-type: long
-
---
-
-*`mongodb.status.wired_tiger.log.syncs`*::
-+
---
-Number of sync operations.
-
-
-type: long
-
---
-
-[float]
-=== background_flushing
-
-Data about the process MongoDB uses to write data to disk. This data is only available for instances that use the MMAPv1 storage engine.
-
-
-
-*`mongodb.status.background_flushing.flushes`*::
-+
---
-A counter that collects the number of times the database has flushed all writes to disk.
-
-
-type: long
-
---
-
-*`mongodb.status.background_flushing.total.ms`*::
-+
---
-The total number of milliseconds (ms) that the mongod processes have spent writing (i.e. flushing) data to disk. Because this is an absolute value, consider the value of `flushes` and `average_ms` to provide better context for this datum.
-
-
-type: long
-
---
-
-*`mongodb.status.background_flushing.average.ms`*::
-+
---
-The average time spent flushing to disk per flush event.
-
-
-type: long
-
---
-
-*`mongodb.status.background_flushing.last.ms`*::
-+
---
-The amount of time, in milliseconds, that the last flush operation took to complete.
-
-
-type: long
-
---
-
-*`mongodb.status.background_flushing.last_finished`*::
-+
---
-A timestamp of the last completed flush operation.
-
-
-type: date
-
---
-
-[float]
-=== journaling
-
-Data about the journaling-related operations and performance. Journaling information only appears for mongod instances that use the MMAPv1 storage engine and have journaling enabled.
-
-
-
-*`mongodb.status.journaling.commits`*::
-+
---
-The number of transactions written to the journal during the last journal group commit interval.
-
-
-type: long
-
---
-
-*`mongodb.status.journaling.journaled.mb`*::
-+
---
-The amount of data in megabytes (MB) written to journal during the last journal group commit interval.
-
-
-type: long
-
---
-
-*`mongodb.status.journaling.write_to_data_files.mb`*::
-+
---
-The amount of data in megabytes (MB) written from journal to the data files during the last journal group commit interval.
-
-
-type: long
-
---
-
-*`mongodb.status.journaling.compression`*::
-+
---
-The compression ratio of the data written to the journal.
-
-
-type: long
-
---
-
-*`mongodb.status.journaling.commits_in_write_lock`*::
-+
---
-Count of the commits that occurred while a write lock was held. Commits in a write lock indicate a MongoDB node under a heavy write load and call for further diagnosis.
-
-
-type: long
-
---
-
-*`mongodb.status.journaling.early_commits`*::
-+
---
-The number of times MongoDB requested a commit before the scheduled journal group commit interval.
-
-
-type: long
-
---
-
-[float]
-=== times
-
-Information about the performance of the mongod instance during the various phases of journaling in the last journal group commit interval.
-
-
-
-*`mongodb.status.journaling.times.dt.ms`*::
-+
---
-The amount of time over which MongoDB collected the times data. Use this field to provide context to the other times field values.
-
-
-type: long
-
---
-
-*`mongodb.status.journaling.times.prep_log_buffer.ms`*::
-+
---
-The amount of time spent preparing to write to the journal. Smaller values indicate better journal performance.
-
-
-type: long
-
---
-
-*`mongodb.status.journaling.times.write_to_journal.ms`*::
-+
---
-The amount of time spent actually writing to the journal. File system speeds and device interfaces can affect performance.
-
-
-type: long
-
---
-
-*`mongodb.status.journaling.times.write_to_data_files.ms`*::
-+
---
-The amount of time spent writing to data files after journaling. File system speeds and device interfaces can affect performance.
-
-
-type: long
-
---
-
-*`mongodb.status.journaling.times.remap_private_view.ms`*::
-+
---
-The amount of time spent remapping copy-on-write memory mapped views. Smaller values indicate better journal performance.
-
-
-type: long
-
---
-
-*`mongodb.status.journaling.times.commits.ms`*::
-+
---
-The amount of time spent for commits.
-
-
-type: long
-
---
-
-*`mongodb.status.journaling.times.commits_in_write_lock.ms`*::
-+
---
-The amount of time spent for commits that occurred while a write lock was held.
-
-
-type: long
-
---
-
-[[exported-fields-mssql]]
-== MSSQL fields
-
-MS SQL module
-
-
-[float]
-=== mssql
-
-The root field containing all MSSQL fields
-
-
-[float]
-=== database
-
-The database that the metrics is being referred to
-
-
-*`mssql.database.id`*::
-+
---
-Unique ID of the database inside MSSQL
-
-type: long
-
---
-
-*`mssql.database.name`*::
-+
---
-Name of the database
-
-type: keyword
-
---
-
-[float]
-=== performance
-
-performance metricset fetches information about the Performance Counters
-
-
-*`mssql.performance.page_splits_per_sec`*::
-+
---
-Number of page splits per second that occur as the result of overflowing index pages.
-
-type: long
-
---
-
-*`mssql.performance.lock_waits_per_sec`*::
-+
---
-Number of lock requests per second that required the caller to wait.
-
-type: long
-
---
-
-*`mssql.performance.user_connections`*::
-+
---
-Total number of user connections
-
-type: long
-
---
-
-*`mssql.performance.transactions`*::
-+
---
-Total number of transactions
-
-type: long
-
---
-
-*`mssql.performance.active_temp_tables`*::
-+
---
-Number of temporary tables/table variables in use.
-
-type: long
-
---
-
-*`mssql.performance.connections_reset_per_sec`*::
-+
---
-Total number of logins started from the connection pool.
-
-type: long
-
---
-
-*`mssql.performance.logins_per_sec`*::
-+
---
-Total number of logins started per second. This does not include pooled connections.
-
-type: long
-
---
-
-*`mssql.performance.logouts_per_sec`*::
-+
---
-Total number of logout operations started per second.
-
-type: long
-
---
-
-*`mssql.performance.recompilations_per_sec`*::
-+
---
-Number of statement recompiles per second. Counts the number of times statement recompiles are triggered. Generally, you want the recompiles to be low.
-
-type: long
-
---
-
-*`mssql.performance.compilations_per_sec`*::
-+
---
-Number of SQL compilations per second. Indicates the number of times the compile code path is entered. Includes compiles caused by statement-level recompilations in SQL Server. After SQL Server user activity is stable, this value reaches a steady state.
-
-type: long
-
---
-
-*`mssql.performance.batch_requests_per_sec`*::
-+
---
-Number of Transact-SQL command batches received per second. This statistic is affected by all constraints (such as I/O, number of users, cache size, complexity of requests, and so on). High batch requests mean good throughput.
-
-type: long
-
---
-
-
-[float]
-=== cache_hit
-
-Indicates the percentage of pages found in the buffer cache without having to read from disk.
-
-
-*`mssql.performance.buffer.cache_hit.pct`*::
-+
---
-The ratio is the total number of cache hits divided by the total number of cache lookups over the last few thousand page accesses. After a long period of time, the ratio moves very little. Because reading from the cache is much less expensive than reading from disk, you want this ratio to be high
-
-type: double
-
---
-
-[float]
-=== page_life_expectancy
-
-Indicates the number of seconds a page will stay in the buffer pool without references.
-
-
-*`mssql.performance.buffer.page_life_expectancy.sec`*::
-+
---
-Indicates the number of seconds a page will stay in the buffer pool without references (in seconds).
-
-type: long
-
---
-
-*`mssql.performance.buffer.checkpoint_pages_per_sec`*::
-+
---
-Indicates the number of pages flushed to disk per second by a checkpoint or other operation that require all dirty pages to be flushed.
-
-type: long
-
---
-
-*`mssql.performance.buffer.database_pages`*::
-+
---
-Indicates the number of pages in the buffer pool with database content.
-
-type: long
-
---
-
-*`mssql.performance.buffer.target_pages`*::
-+
---
-Ideal number of pages in the buffer pool.
-
-type: long
-
---
-
-[float]
-=== transaction_log
-
-transaction_log metricset will fetch information about the operation and transaction log of each database from a MSSQL instance
-
-
-[float]
-=== space_usage
-
-Space usage information for the transaction log
-
-
-[float]
-=== since_last_backup
-
-The amount of space used since the last log backup
-
-
-*`mssql.transaction_log.space_usage.since_last_backup.bytes`*::
-+
---
-The amount of space used since the last log backup in bytes
-
-type: long
-
---
-
-[float]
-=== total
-
-The size of the log
-
-
-*`mssql.transaction_log.space_usage.total.bytes`*::
-+
---
-The size of the log in bytes
-
-type: long
-
---
-
-[float]
-=== used
-
-The occupied size of the log
-
-
-*`mssql.transaction_log.space_usage.used.bytes`*::
-+
---
-The occupied size of the log in bytes
-
-type: long
-
---
-
-*`mssql.transaction_log.space_usage.used.pct`*::
-+
---
-A percentage of the occupied size of the log as a percent of the total log size
-
-type: float
-
---
-
-[float]
-=== stats
-
-Returns summary level attributes and information on transaction log files of databases. Use this information for monitoring and diagnostics of transaction log health.
-
-
-[float]
-=== active_size
-
-Total active transaction log size.
-
-
-*`mssql.transaction_log.stats.active_size.bytes`*::
-+
---
-Total active transaction log size in bytes
-
-type: long
-
---
-
-*`mssql.transaction_log.stats.backup_time`*::
-+
---
-Last transaction log backup time.
-
-type: date
-
---
-
-[float]
-=== recovery_size
-
-Log size since log recovery log sequence number (LSN).
-
-
-*`mssql.transaction_log.stats.recovery_size.bytes`*::
-+
---
-Log size in bytes since log recovery log sequence number (LSN).
-
-type: long
-
---
-
-[float]
-=== since_last_checkpoint
-
-Log size since last checkpoint log sequence number (LSN).
-
-
-*`mssql.transaction_log.stats.since_last_checkpoint.bytes`*::
-+
---
-Log size in bytes since last checkpoint log sequence number (LSN).
-
-type: long
-
---
-
-[float]
-=== total_size
-
-Total transaction log size.
-
-
-*`mssql.transaction_log.stats.total_size.bytes`*::
-+
---
-Total transaction log size in bytes.
-
-type: long
-
---
-
-[[exported-fields-munin]]
-== Munin fields
-
-Munin node metrics exporter
-
-
-
-*`munin.metrics.*`*::
-+
---
-Metrics exposed by a plugin of a munin node agent.
-
-
-type: object
-
---
-
-*`munin.plugin.name`*::
-+
---
-Name of the plugin collecting these metrics.
-
-
-type: keyword
-
---
-
-
-[[exported-fields-mysql]]
-== MySQL fields
-
-MySQL server status metrics collected from MySQL.
-
-
-
-[float]
-=== mysql
-
-`mysql` contains the metrics that were obtained from MySQL query.
-
-
-
-[float]
-=== galera_status
-
-`galera_status` contains the metrics that were obtained by the status SQL query on Galera.
-
-
-
-[float]
-=== apply
-
-Apply status fields.
-
-
-
-*`mysql.galera_status.apply.oooe`*::
-+
---
-How often applier started write-set applying out-of-order (parallelization efficiency).
-
-
-type: double
-
---
-
-*`mysql.galera_status.apply.oool`*::
-+
---
-How often write-set was so slow to apply that write-set with higher seqno's were applied earlier. Values closer to 0 refer to a greater gap between slow and fast write-sets.
-
-
-type: double
-
---
-
-*`mysql.galera_status.apply.window`*::
-+
---
-Average distance between highest and lowest concurrently applied seqno.
-
-
-type: double
-
---
-
-[float]
-=== cert
-
-Certification status fields.
-
-
-
-*`mysql.galera_status.cert.deps_distance`*::
-+
---
-Average distance between highest and lowest seqno value that can be possibly applied in parallel (potential degree of parallelization).
-
-
-type: double
-
---
-
-*`mysql.galera_status.cert.index_size`*::
-+
---
-The number of entries in the certification index.
-
-
-type: long
-
---
-
-*`mysql.galera_status.cert.interval`*::
-+
---
-Average number of transactions received while a transaction replicates.
-
-
-type: double
-
---
-
-[float]
-=== cluster
-
-Cluster status fields.
-
-
-
-*`mysql.galera_status.cluster.conf_id`*::
-+
---
-Total number of cluster membership changes happened.
-
-
-type: long
-
---
-
-*`mysql.galera_status.cluster.size`*::
-+
---
-Current number of members in the cluster.
-
-
-type: long
-
---
-
-*`mysql.galera_status.cluster.status`*::
-+
---
-Status of this cluster component. That is, whether the node is part of a PRIMARY or NON_PRIMARY component.
-
-
-type: keyword
-
---
-
-[float]
-=== commit
-
-Commit status fields.
-
-
-
-*`mysql.galera_status.commit.oooe`*::
-+
---
-How often a transaction was committed out of order.
-
-
-type: double
-
---
-
-*`mysql.galera_status.commit.window`*::
-+
---
-Average distance between highest and lowest concurrently committed seqno.
-
-
-type: long
-
---
-
-*`mysql.galera_status.connected`*::
-+
---
-If the value is OFF, the node has not yet connected to any of the cluster components. This may be due to misconfiguration. Check the error log for proper diagnostics.
-
-
-type: keyword
-
---
-
-[float]
-=== evs
-
-Evs Fields.
-
-
-
-*`mysql.galera_status.evs.evict`*::
-+
---
-Lists the UUID's of all nodes evicted from the cluster. Evicted nodes cannot rejoin the cluster until you restart their mysqld processes.
-
-
-type: keyword
-
---
-
-*`mysql.galera_status.evs.state`*::
-+
---
-Shows the internal state of the EVS Protocol.
-
-
-type: keyword
-
---
-
-[float]
-=== flow_ctl
-
-Flow Control fields.
-
-
-
-*`mysql.galera_status.flow_ctl.paused`*::
-+
---
-The fraction of time since the last FLUSH STATUS command that replication was paused due to flow control. In other words, how much the slave lag is slowing down the cluster.
-
-
-type: double
-
---
-
-*`mysql.galera_status.flow_ctl.paused_ns`*::
-+
---
-The total time spent in a paused state measured in nanoseconds.
-
-
-type: long
-
---
-
-*`mysql.galera_status.flow_ctl.recv`*::
-+
---
-Returns the number of FC_PAUSE events the node has received, including those the node has sent. Unlike most status variables, the counter for this one does not reset every time you run the query.
-
-
-type: long
-
---
-
-*`mysql.galera_status.flow_ctl.sent`*::
-+
---
-Returns the number of FC_PAUSE events the node has sent. Unlike most status variables, the counter for this one does not reset every time you run the query.
-
-
-type: long
-
---
-
-*`mysql.galera_status.last_committed`*::
-+
---
-The sequence number, or seqno, of the last committed transaction.
-
-
-type: long
-
---
-
-[float]
-=== local
-
-Node specific Cluster status fields.
-
-
-
-*`mysql.galera_status.local.bf_aborts`*::
-+
---
-Total number of local transactions that were aborted by slave transactions while in execution.
-
-
-type: long
-
---
-
-*`mysql.galera_status.local.cert_failures`*::
-+
---
-Total number of local transactions that failed certification test.
-
-
-type: long
-
---
-
-*`mysql.galera_status.local.commits`*::
-+
---
-Total number of local transactions committed.
-
-
-type: long
-
---
-
-[float]
-=== recv
-
-Node specific recv fields.
-
-
-
-*`mysql.galera_status.local.recv.queue`*::
-+
---
-Current (instantaneous) length of the recv queue.
-
-
-type: long
-
---
-
-*`mysql.galera_status.local.recv.queue_avg`*::
-+
---
-Recv queue length averaged over interval since the last FLUSH STATUS command. Values considerably larger than 0.0 mean that the node cannot apply write-sets as fast as they are received and will generate a lot of replication throttling.
-
-
-type: double
-
---
-
-*`mysql.galera_status.local.recv.queue_max`*::
-+
---
-The maximum length of the recv queue since the last FLUSH STATUS command.
-
-
-type: long
-
---
-
-*`mysql.galera_status.local.recv.queue_min`*::
-+
---
-The minimum length of the recv queue since the last FLUSH STATUS command.
-
-
-type: long
-
---
-
-*`mysql.galera_status.local.replays`*::
-+
---
-Total number of transaction replays due to asymmetric lock granularity.
-
-
-type: long
-
---
-
-[float]
-=== send
-
-Node specific sent fields.
-
-
-
-*`mysql.galera_status.local.send.queue`*::
-+
---
-Current (instantaneous) length of the send queue.
-
-
-type: long
-
---
-
-*`mysql.galera_status.local.send.queue_avg`*::
-+
---
-Send queue length averaged over time since the last FLUSH STATUS command. Values considerably larger than 0.0 indicate replication throttling or network throughput issue.
-
-
-type: double
-
---
-
-*`mysql.galera_status.local.send.queue_max`*::
-+
---
-The maximum length of the send queue since the last FLUSH STATUS command.
-
-
-type: long
-
---
-
-*`mysql.galera_status.local.send.queue_min`*::
-+
---
-The minimum length of the send queue since the last FLUSH STATUS command.
-
-
-type: long
-
---
-
-*`mysql.galera_status.local.state`*::
-+
---
-Internal Galera Cluster FSM state number.
-
-
-type: keyword
-
---
-
-*`mysql.galera_status.ready`*::
-+
---
-Whether the server is ready to accept queries.
-
-
-type: keyword
-
---
-
-[float]
-=== received
-
-Write-Set receive status fields.
-
-
-
-*`mysql.galera_status.received.count`*::
-+
---
-Total number of write-sets received from other nodes.
-
-
-type: long
-
---
-
-*`mysql.galera_status.received.bytes`*::
-+
---
-Total size of write-sets received from other nodes.
-
-
-type: long
-
---
-
-[float]
-=== repl
-
-Replication status fields.
-
-
-
-*`mysql.galera_status.repl.data_bytes`*::
-+
---
-Total size of data replicated.
-
-
-type: long
-
---
-
-*`mysql.galera_status.repl.keys`*::
-+
---
-Total number of keys replicated.
-
-
-type: long
-
---
-
-*`mysql.galera_status.repl.keys_bytes`*::
-+
---
-Total size of keys replicated.
-
-
-type: long
-
---
-
-*`mysql.galera_status.repl.other_bytes`*::
-+
---
-Total size of other bits replicated.
-
-
-type: long
-
---
-
-*`mysql.galera_status.repl.count`*::
-+
---
-Total number of write-sets replicated (sent to other nodes).
-
-
-type: long
-
---
-
-*`mysql.galera_status.repl.bytes`*::
-+
---
-Total size of write-sets replicated.
-
-
-type: long
-
---
-
-[float]
-=== performance
-
-`performance` contains metrics related to the performance of a MySQL instance
-
-
-
-[float]
-=== events_statements
-
-Records statement events summarized by schema and digest
-
-
-*`mysql.performance.events_statements.max.timer.wait`*::
-+
---
-Maximum wait time of the summarized events that are timed
-
-type: long
-
---
-
-*`mysql.performance.events_statements.last.seen`*::
-+
---
-Time at which the digest was most recently seen
-
-type: date
-
---
-
-*`mysql.performance.events_statements.quantile.95`*::
-+
---
-The 95th percentile of the statement latency, in picoseconds
-
-type: long
-
---
-
-*`mysql.performance.events_statements.digest`*::
-+
---
-Performance schema digest
-
-type: text
-
---
-
-*`mysql.performance.events_statements.count.star`*::
-+
---
-Number of summarized events
-
-type: long
-
---
-
-*`mysql.performance.events_statements.avg.timer.wait`*::
-+
---
-Average wait time of the summarized events that are timed
-
-type: long
-
---
-
-*`mysql.performance.events_statements.schemaname`*::
-+
---
-Schema name.
-
-type: keyword
-
---
-
-[float]
-=== table_io_waits
-
-Records table I/O waits by index
-
-
-
-*`mysql.performance.table_io_waits.object.schema`*::
-+
---
-Schema name
-
-type: keyword
-
---
-
-*`mysql.performance.table_io_waits.object.name`*::
-+
---
-Table name
-
-type: keyword
-
---
-
-*`mysql.performance.table_io_waits.index.name`*::
-+
---
-Name of the index that was used when the table I/O wait event was recorded. PRIMARY indicates that table I/O used the primary index. NULL means that table I/O used no index. Inserts are counted against INDEX_NAME = NULL
-
-
-type: keyword
-
---
-
-*`mysql.performance.table_io_waits.count.fetch`*::
-+
---
-Number of all fetch operations > 0
-
-type: long
-
---
-
-[float]
-=== query
-
-`query` metricset fetches custom queries from the user to a MySQL instance.
-
-
-[float]
-=== status
-
-`status` contains the metrics that were obtained by the status SQL query.
-
-
-
-[float]
-=== aborted
-
-Aborted status fields.
-
-
-
-*`mysql.status.aborted.clients`*::
-+
---
-The number of connections that were aborted because the client died without closing the connection properly.
-
-
-type: long
-
---
-
-*`mysql.status.aborted.connects`*::
-+
---
-The number of failed attempts to connect to the MySQL server.
-
-
-type: long
-
---
-
-[float]
-=== connection
-
-
-
-
-[float]
-=== errors
-
-
-
-
-*`mysql.status.connection.errors.peer_address`*::
-+
---
-The number of errors that occurred while searching for connecting client IP addresses.
-
-type: long
-
---
-
-*`mysql.status.connection.errors.accept`*::
-+
---
-The number of errors that occurred during calls to accept() on the listening port.
-
-type: long
-
---
-
-*`mysql.status.connection.errors.internal`*::
-+
---
-The number of connections refused due to internal errors in the server, such as failure to start a new thread or an out-of-memory condition.
-
-
-type: long
-
---
-
-*`mysql.status.connection.errors.max`*::
-+
---
-The number of connections refused because the server max_connections limit was reached. thread or an out-of-memory condition.
-
-type: long
-
---
-
-*`mysql.status.connection.errors.tcpwrap`*::
-+
---
-The number of connections refused by the libwrap library.
-
-type: long
-
---
-
-*`mysql.status.connection.errors.select`*::
-+
---
-The number of errors that occurred during calls to select() or poll() on the listening port. (Failure of this operation does not necessarily means a client connection was rejected.)
-
-
-type: long
-
---
-
-[float]
-=== cache
-
-
-
-
-[float]
-=== ssl
-
-SSL session cache hits and misses.
-
-
-*`mysql.status.cache.ssl.hits`*::
-+
---
-The number of SSL session cache hits.
-
-type: long
-
---
-
-*`mysql.status.cache.ssl.misses`*::
-+
---
-The number of SSL session cache misses.
-
-type: long
-
---
-
-*`mysql.status.cache.ssl.size`*::
-+
---
-The SSL session cache size.
-
-type: long
-
---
-
-[float]
-=== table
-
-
-
-
-[float]
-=== open_cache
-
-
-
-
-*`mysql.status.cache.table.open_cache.hits`*::
-+
---
-The number of hits for open tables cache lookups.
-
-type: long
-
---
-
-*`mysql.status.cache.table.open_cache.misses`*::
-+
---
-The number of misses for open tables cache lookups.
-
-type: long
-
---
-
-*`mysql.status.cache.table.open_cache.overflows`*::
-+
---
-Number of times, after a table is opened or closed, a cache instance has an unused entry and the size of the instance is larger than table_open_cache / table_open_cache_instances
-
-
-type: long
-
---
-
-[float]
-=== binlog
-
-
-
-
-*`mysql.status.binlog.cache.disk_use`*::
-+
---
-
-
-type: long
-
---
-
-*`mysql.status.binlog.cache.use`*::
-+
---
-
-
-type: long
-
---
-
-[float]
-=== bytes
-
-Bytes stats.
-
-
-
-*`mysql.status.bytes.received`*::
-+
---
-The number of bytes received from all clients.
-
-
-type: long
-
-format: bytes
-
---
-
-*`mysql.status.bytes.sent`*::
-+
---
-The number of bytes sent to all clients.
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== threads
-
-Threads stats.
-
-
-
-*`mysql.status.threads.cached`*::
-+
---
-The number of cached threads.
-
-
-type: long
-
---
-
-*`mysql.status.threads.created`*::
-+
---
-The number of created threads.
-
-
-type: long
-
---
-
-*`mysql.status.threads.connected`*::
-+
---
-The number of connected threads.
-
-
-type: long
-
---
-
-*`mysql.status.threads.running`*::
-+
---
-The number of running threads.
-
-
-type: long
-
---
-
-*`mysql.status.connections`*::
-+
---
-
-
-type: long
-
---
-
-[float]
-=== created
-
-
-
-
-*`mysql.status.created.tmp.disk_tables`*::
-+
---
-
-
-type: long
-
---
-
-*`mysql.status.created.tmp.files`*::
-+
---
-
-
-type: long
-
---
-
-*`mysql.status.created.tmp.tables`*::
-+
---
-
-
-type: long
-
---
-
-[float]
-=== delayed
-
-
-
-
-*`mysql.status.delayed.errors`*::
-+
---
-
-
-type: long
-
---
-
-*`mysql.status.delayed.insert_threads`*::
-+
---
-
-
-type: long
-
---
-
-*`mysql.status.delayed.writes`*::
-+
---
-
-
-type: long
-
---
-
-*`mysql.status.flush_commands`*::
-+
---
-
-
-type: long
-
---
-
-*`mysql.status.max_used_connections`*::
-+
---
-
-
-type: long
-
---
-
-[float]
-=== open
-
-
-
-
-*`mysql.status.open.files`*::
-+
---
-
-
-type: long
-
---
-
-*`mysql.status.open.streams`*::
-+
---
-
-
-type: long
-
---
-
-*`mysql.status.open.tables`*::
-+
---
-
-
-type: long
-
---
-
-*`mysql.status.opened_tables`*::
-+
---
-
-
-type: long
-
---
-
-[float]
-=== command
-
-
-
-
-*`mysql.status.command.delete`*::
-+
---
-The number of DELETE queries since startup.
-
-
-type: long
-
---
-
-*`mysql.status.command.insert`*::
-+
---
-The number of INSERT queries since startup.
-
-
-type: long
-
---
-
-*`mysql.status.command.select`*::
-+
---
-The number of SELECT queries since startup.
-
-
-type: long
-
---
-
-*`mysql.status.command.update`*::
-+
---
-The number of UPDATE queries since startup.
-
-
-type: long
-
---
-
-*`mysql.status.queries`*::
-+
---
-The number of statements executed by the server. This variable includes statements executed within stored programs, unlike the Questions variable. It does not count COM_PING or COM_STATISTICS commands.
-
-
-type: long
-
---
-
-*`mysql.status.questions`*::
-+
---
-The number of statements executed by the server. This includes only statements sent to the server by clients and not statements executed within stored programs, unlike the Queries variable. This variable does not count COM_PING, COM_STATISTICS, COM_STMT_PREPARE, COM_STMT_CLOSE, or COM_STMT_RESET commands.
-
-
-type: long
-
---
-
-[float]
-=== handler
-
-
-
-
-*`mysql.status.handler.commit`*::
-+
---
-The number of internal COMMIT statements.
-
-
-type: long
-
---
-
-*`mysql.status.handler.delete`*::
-+
---
-The number of times that rows have been deleted from tables.
-
-
-type: long
-
---
-
-*`mysql.status.handler.external_lock`*::
-+
---
-The server increments this variable for each call to its external_lock() function, which generally occurs at the beginning and end of access to a table instance.
-
-
-type: long
-
---
-
-*`mysql.status.handler.mrr_init`*::
-+
---
-The number of times the server uses a storage engine's own Multi-Range Read implementation for table access.
-
-
-type: long
-
---
-
-*`mysql.status.handler.prepare`*::
-+
---
-A counter for the prepare phase of two-phase commit operations.
-
-
-type: long
-
---
-
-[float]
-=== read
-
-
-
-
-*`mysql.status.handler.read.first`*::
-+
---
-The number of times the first entry in an index was read.
-
-
-type: long
-
---
-
-*`mysql.status.handler.read.key`*::
-+
---
-The number of requests to read a row based on a key.
-
-
-type: long
-
---
-
-*`mysql.status.handler.read.last`*::
-+
---
-The number of requests to read the last key in an index.
-
-
-type: long
-
---
-
-*`mysql.status.handler.read.next`*::
-+
---
-The number of requests to read the next row in key order.
-
-
-type: long
-
---
-
-*`mysql.status.handler.read.prev`*::
-+
---
-The number of requests to read the previous row in key order.
-
-
-type: long
-
---
-
-*`mysql.status.handler.read.rnd`*::
-+
---
-The number of requests to read a row based on a fixed position.
-
-
-type: long
-
---
-
-*`mysql.status.handler.read.rnd_next`*::
-+
---
-The number of requests to read the next row in the data file.
-
-
-type: long
-
---
-
-*`mysql.status.handler.rollback`*::
-+
---
-The number of requests for a storage engine to perform a rollback operation.
-
-
-type: long
-
---
-
-*`mysql.status.handler.savepoint`*::
-+
---
-The number of requests for a storage engine to place a savepoint.
-
-
-type: long
-
---
-
-*`mysql.status.handler.savepoint_rollback`*::
-+
---
-The number of requests for a storage engine to roll back to a savepoint.
-
-
-type: long
-
---
-
-*`mysql.status.handler.update`*::
-+
---
-The number of requests to update a row in a table.
-
-
-type: long
-
---
-
-*`mysql.status.handler.write`*::
-+
---
-The number of requests to insert a row in a table.
-
-
-type: long
-
---
-
-[float]
-=== innodb
-
-
-
-
-[float]
-=== rows
-
-
-
-
-*`mysql.status.innodb.rows.reads`*::
-+
---
-The number of rows reads into InnoDB tables.
-
-type: long
-
---
-
-*`mysql.status.innodb.rows.inserted`*::
-+
---
-The number of rows inserted into InnoDB tables.
-
-type: long
-
---
-
-*`mysql.status.innodb.rows.deleted`*::
-+
---
-The number of rows deleted into InnoDB tables.
-
-type: long
-
---
-
-*`mysql.status.innodb.rows.updated`*::
-+
---
-The number of rows updated into InnoDB tables.
-
-type: long
-
---
-
-[float]
-=== buffer_pool
-
-
-
-
-*`mysql.status.innodb.buffer_pool.dump_status`*::
-+
---
-The progress of an operation to record the pages held in the InnoDB buffer pool, triggered by the setting of innodb_buffer_pool_dump_at_shutdown or innodb_buffer_pool_dump_now.
-
-
-type: long
-
---
-
-*`mysql.status.innodb.buffer_pool.load_status`*::
-+
---
-The progress of an operation to warm up the InnoDB buffer pool by reading in a set of pages corresponding to an earlier point in time, triggered by the setting of innodb_buffer_pool_load_at_startup or innodb_buffer_pool_load_now.
-
-
-type: long
-
---
-
-[float]
-=== bytes
-
-
-
-
-*`mysql.status.innodb.buffer_pool.bytes.data`*::
-+
---
-The total number of bytes in the InnoDB buffer pool containing data.
-
-
-type: long
-
---
-
-*`mysql.status.innodb.buffer_pool.bytes.dirty`*::
-+
---
-The total current number of bytes held in dirty pages in the InnoDB buffer pool.
-
-
-type: long
-
---
-
-[float]
-=== pages
-
-
-
-
-*`mysql.status.innodb.buffer_pool.pages.data`*::
-+
---
-The number of pages in the InnoDB buffer pool containing data.
-
-
-type: long
-
---
-
-*`mysql.status.innodb.buffer_pool.pages.dirty`*::
-+
---
-The current number of dirty pages in the InnoDB buffer pool.
-
-
-type: long
-
---
-
-*`mysql.status.innodb.buffer_pool.pages.flushed`*::
-+
---
-The number of requests to flush pages from the InnoDB buffer pool.
-
-
-type: long
-
---
-
-*`mysql.status.innodb.buffer_pool.pages.free`*::
-+
---
-The number of free pages in the InnoDB buffer pool.
-
-
-type: long
-
---
-
-*`mysql.status.innodb.buffer_pool.pages.latched`*::
-+
---
-The number of latched pages in the InnoDB buffer pool.
-
-
-type: long
-
---
-
-*`mysql.status.innodb.buffer_pool.pages.misc`*::
-+
---
-The number of pages in the InnoDB buffer pool that are busy because they have been allocated for administrative overhead, such as row locks or the adaptive hash index.
-
-
-type: long
-
---
-
-*`mysql.status.innodb.buffer_pool.pages.total`*::
-+
---
-The total size of the InnoDB buffer pool, in pages.
-
-
-type: long
-
---
-
-[float]
-=== read
-
-
-
-
-*`mysql.status.innodb.buffer_pool.read.ahead`*::
-+
---
-The number of pages read into the InnoDB buffer pool by the read-ahead background thread.
-
-
-type: long
-
---
-
-*`mysql.status.innodb.buffer_pool.read.ahead_evicted`*::
-+
---
-The number of pages read into the InnoDB buffer pool by the read-ahead background thread that were subsequently evicted without having been accessed by queries.
-
-
-type: long
-
---
-
-*`mysql.status.innodb.buffer_pool.read.ahead_rnd`*::
-+
---
-The number of "random" read-aheads initiated by InnoDB.
-
-
-type: long
-
---
-
-*`mysql.status.innodb.buffer_pool.read.requests`*::
-+
---
-The number of logical read requests.
-
-
-type: long
-
---
-
-[float]
-=== pool
-
-
-
-
-*`mysql.status.innodb.buffer_pool.pool.reads`*::
-+
---
-The number of logical reads that InnoDB could not satisfy from the buffer pool, and had to read directly from disk.
-
-
-type: long
-
---
-
-*`mysql.status.innodb.buffer_pool.pool.resize_status`*::
-+
---
-The status of an operation to resize the InnoDB buffer pool dynamically, triggered by setting the innodb_buffer_pool_size parameter dynamically.
-
-
-type: long
-
---
-
-*`mysql.status.innodb.buffer_pool.pool.wait_free`*::
-+
---
-Normally, writes to the InnoDB buffer pool happen in the background. When InnoDB needs to read or create a page and no clean pages are available, InnoDB flushes some dirty pages first and waits for that operation to finish. This counter counts instances of these waits.
-
-
-type: long
-
---
-
-*`mysql.status.innodb.buffer_pool.write_requests`*::
-+
---
-The number of writes done to the InnoDB buffer pool.
-
-
-type: long
-
---
-
-[[exported-fields-nats]]
-== NATS fields
-
-nats Module
-
-
-
-[float]
-=== nats
-
-`nats` contains statistics that were read from Nats
-
-
-
-*`nats.server.id`*::
-+
---
-The server ID
-
-
-type: keyword
-
---
-
-*`nats.server.time`*::
-+
---
-
-deprecated:[8.0.0]
-
-Server time of metric creation
-
-
-type: date
-
---
-
-[float]
-=== connection
-
-Contains nats connection related metrics
-
-
-
-*`nats.connection.name`*::
-+
---
-The name of the connection
-
-
-type: keyword
-
---
-
-*`nats.connection.subscriptions`*::
-+
---
-The number of subscriptions in this connection
-
-
-type: integer
-
---
-
-*`nats.connection.pending_bytes`*::
-+
---
-The number of pending bytes of this connection
-
-
-type: long
-
-format: bytes
-
---
-
-*`nats.connection.uptime`*::
-+
---
-The period the connection is up (sec)
-
-
-type: long
-
-format: duration
-
---
-
-*`nats.connection.idle_time`*::
-+
---
-The period the connection is idle (sec)
-
-
-type: long
-
-format: duration
-
---
-
-[float]
-=== in
-
-The amount of incoming data
-
-
-
-*`nats.connection.in.messages`*::
-+
---
-The amount of incoming messages
-
-
-type: long
-
---
-
-*`nats.connection.in.bytes`*::
-+
---
-The amount of incoming bytes
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== out
-
-The amount of outgoing data
-
-
-
-*`nats.connection.out.messages`*::
-+
---
-The amount of outgoing messages
-
-
-type: long
-
---
-
-*`nats.connection.out.bytes`*::
-+
---
-The amount of outgoing bytes
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== connections
-
-Contains nats connection related metrics
-
-
-
-*`nats.connections.total`*::
-+
---
-The number of currently active clients
-
-
-type: integer
-
---
-
-[float]
-=== route
-
-Contains nats route related metrics
-
-
-
-*`nats.route.subscriptions`*::
-+
---
-The number of subscriptions in this connection
-
-
-type: integer
-
---
-
-*`nats.route.remote_id`*::
-+
---
-The remote id on which the route is connected to
-
-
-type: keyword
-
---
-
-*`nats.route.pending_size`*::
-+
---
-The number of pending routes
-
-
-type: long
-
---
-
-*`nats.route.port`*::
-+
---
-The port of the route
-
-
-type: integer
-
---
-
-*`nats.route.ip`*::
-+
---
-The ip of the route
-
-
-type: ip
-
---
-
-[float]
-=== in
-
-The amount of incoming data
-
-
-
-*`nats.route.in.messages`*::
-+
---
-The amount of incoming messages
-
-
-type: long
-
---
-
-*`nats.route.in.bytes`*::
-+
---
-The amount of incoming bytes
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== out
-
-The amount of outgoing data
-
-
-
-*`nats.route.out.messages`*::
-+
---
-The amount of outgoing messages
-
-
-type: long
-
---
-
-*`nats.route.out.bytes`*::
-+
---
-The amount of outgoing bytes
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== routes
-
-Contains nats route related metrics
-
-
-
-*`nats.routes.total`*::
-+
---
-The number of registered routes
-
-
-type: integer
-
---
-
-[float]
-=== stats
-
-Contains nats var related metrics
-
-
-
-*`nats.stats.uptime`*::
-+
---
-The period the server is up (sec)
-
-
-type: long
-
-format: duration
-
---
-
-*`nats.stats.mem.bytes`*::
-+
---
-The current memory usage of NATS process
-
-
-type: long
-
-format: bytes
-
---
-
-*`nats.stats.cores`*::
-+
---
-The number of logical cores the NATS process runs on
-
-
-type: integer
-
---
-
-*`nats.stats.cpu`*::
-+
---
-The current cpu usage of NATs process
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`nats.stats.total_connections`*::
-+
---
-The number of totally created clients
-
-
-type: long
-
---
-
-*`nats.stats.remotes`*::
-+
---
-The number of registered remotes
-
-
-type: integer
-
---
-
-[float]
-=== in
-
-The amount of incoming data
-
-
-
-*`nats.stats.in.messages`*::
-+
---
-The amount of incoming messages
-
-
-type: long
-
---
-
-*`nats.stats.in.bytes`*::
-+
---
-The amount of incoming bytes
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== out
-
-The amount of outgoing data
-
-
-
-*`nats.stats.out.messages`*::
-+
---
-The amount of outgoing messages
-
-
-type: long
-
---
-
-*`nats.stats.out.bytes`*::
-+
---
-The amount of outgoing bytes
-
-
-type: long
-
-format: bytes
-
---
-
-*`nats.stats.slow_consumers`*::
-+
---
-The number of slow consumers currently on NATS
-
-
-type: long
-
---
-
-[float]
-=== http
-
-The http metrics of NATS server
-
-
-
-[float]
-=== req_stats
-
-The requests statistics
-
-
-
-[float]
-=== uri
-
-The request distribution on monitoring URIS
-
-
-
-*`nats.stats.http.req_stats.uri.routez`*::
-+
---
-The number of hits on routez monitoring uri
-
-
-type: long
-
---
-
-*`nats.stats.http.req_stats.uri.connz`*::
-+
---
-The number of hits on connz monitoring uri
-
-
-type: long
-
---
-
-*`nats.stats.http.req_stats.uri.varz`*::
-+
---
-The number of hits on varz monitoring uri
-
-
-type: long
-
---
-
-*`nats.stats.http.req_stats.uri.subsz`*::
-+
---
-The number of hits on subsz monitoring uri
-
-
-type: long
-
---
-
-*`nats.stats.http.req_stats.uri.root`*::
-+
---
-The number of hits on root monitoring uri
-
-
-type: long
-
---
-
-[float]
-=== subscriptions
-
-Contains nats subscriptions related metrics
-
-
-
-*`nats.subscriptions.total`*::
-+
---
-The number of active subscriptions
-
-
-type: integer
-
---
-
-*`nats.subscriptions.inserts`*::
-+
---
-The number of insert operations in subscriptions list
-
-
-type: long
-
---
-
-*`nats.subscriptions.removes`*::
-+
---
-The number of remove operations in subscriptions list
-
-
-type: long
-
---
-
-*`nats.subscriptions.matches`*::
-+
---
-The number of times a match is found for a subscription
-
-
-type: long
-
---
-
-*`nats.subscriptions.cache.size`*::
-+
---
-The number of result sets in the cache
-
-
-type: integer
-
---
-
-*`nats.subscriptions.cache.hit_rate`*::
-+
---
-The rate matches are being retrieved from cache
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`nats.subscriptions.cache.fanout.max`*::
-+
---
-The maximum fanout served by cache
-
-
-type: integer
-
---
-
-*`nats.subscriptions.cache.fanout.avg`*::
-+
---
-The average fanout served by cache
-
-
-type: double
-
---
-
-[[exported-fields-nginx]]
-== Nginx fields
-
-Nginx server status metrics collected from various modules.
-
-
-
-[float]
-=== nginx
-
-`nginx` contains the metrics that were scraped from nginx.
-
-
-
-[float]
-=== stubstatus
-
-`stubstatus` contains the metrics that were scraped from the ngx_http_stub_status_module status page.
-
-
-
-*`nginx.stubstatus.hostname`*::
-+
---
-Nginx hostname.
-
-
-type: keyword
-
---
-
-*`nginx.stubstatus.active`*::
-+
---
-The current number of active client connections including Waiting connections.
-
-
-type: long
-
---
-
-*`nginx.stubstatus.accepts`*::
-+
---
-The total number of accepted client connections.
-
-
-type: long
-
---
-
-*`nginx.stubstatus.handled`*::
-+
---
-The total number of handled client connections.
-
-
-type: long
-
---
-
-*`nginx.stubstatus.dropped`*::
-+
---
-The total number of dropped client connections.
-
-
-type: long
-
---
-
-*`nginx.stubstatus.requests`*::
-+
---
-The total number of client requests.
-
-
-type: long
-
---
-
-*`nginx.stubstatus.current`*::
-+
---
-The current number of client requests.
-
-
-type: long
-
---
-
-*`nginx.stubstatus.reading`*::
-+
---
-The current number of connections where Nginx is reading the request header.
-
-
-type: long
-
---
-
-*`nginx.stubstatus.writing`*::
-+
---
-The current number of connections where Nginx is writing the response back to the client.
-
-
-type: long
-
---
-
-*`nginx.stubstatus.waiting`*::
-+
---
-The current number of idle client connections waiting for a request.
-
-
-type: long
-
---
-
-[[exported-fields-openai]]
-== openai fields
-
-openai module
-
-
-
-[float]
-=== openai
-
-
-
-
-[float]
-=== usage
-
-OpenAI API usage metrics and statistics
-
-
-
-*`openai.usage.organization_id`*::
-+
---
-Organization identifier
-
-type: keyword
-
---
-
-*`openai.usage.organization_name`*::
-+
---
-Organization name
-
-type: keyword
-
---
-
-*`openai.usage.api_key_id`*::
-+
---
-API key identifier
-
-type: keyword
-
---
-
-*`openai.usage.api_key_name`*::
-+
---
-API key name
-
-type: keyword
-
---
-
-*`openai.usage.api_key_redacted`*::
-+
---
-Redacted API key
-
-type: keyword
-
---
-
-*`openai.usage.api_key_type`*::
-+
---
-Type of API key
-
-type: keyword
-
---
-
-*`openai.usage.project_id`*::
-+
---
-Project identifier
-
-type: keyword
-
---
-
-*`openai.usage.project_name`*::
-+
---
-Project name
-
-type: keyword
-
---
-
-[float]
-=== data
-
-General usage data metrics
-
-
-
-*`openai.usage.data.requests_total`*::
-+
---
-Number of requests made
-
-type: long
-
---
-
-*`openai.usage.data.operation`*::
-+
---
-Operation type
-
-type: keyword
-
---
-
-*`openai.usage.data.snapshot_id`*::
-+
---
-Snapshot identifier
-
-type: keyword
-
---
-
-*`openai.usage.data.context_tokens_total`*::
-+
---
-Total number of context tokens used
-
-type: long
-
---
-
-*`openai.usage.data.generated_tokens_total`*::
-+
---
-Total number of generated tokens
-
-type: long
-
---
-
-*`openai.usage.data.cached_context_tokens_total`*::
-+
---
-Total number of cached context tokens
-
-type: long
-
---
-
-*`openai.usage.data.email`*::
-+
---
-User email
-
-type: keyword
-
---
-
-*`openai.usage.data.request_type`*::
-+
---
-Type of request
-
-type: keyword
-
---
-
-[float]
-=== dalle
-
-DALL-E API usage metrics
-
-
-
-*`openai.usage.dalle.num_images`*::
-+
---
-Number of images generated
-
-type: long
-
---
-
-*`openai.usage.dalle.requests_total`*::
-+
---
-Number of requests
-
-type: long
-
---
-
-*`openai.usage.dalle.image_size`*::
-+
---
-Size of generated images
-
-type: keyword
-
---
-
-*`openai.usage.dalle.operation`*::
-+
---
-Operation type
-
-type: keyword
-
---
-
-*`openai.usage.dalle.user_id`*::
-+
---
-User identifier
-
-type: keyword
-
---
-
-*`openai.usage.dalle.model_id`*::
-+
---
-Model identifier
-
-type: keyword
-
---
-
-[float]
-=== whisper
-
-Whisper API usage metrics
-
-
-
-*`openai.usage.whisper.model_id`*::
-+
---
-Model identifier
-
-type: keyword
-
---
-
-*`openai.usage.whisper.num_seconds`*::
-+
---
-Number of seconds processed
-
-type: long
-
---
-
-*`openai.usage.whisper.requests_total`*::
-+
---
-Number of requests
-
-type: long
-
---
-
-*`openai.usage.whisper.user_id`*::
-+
---
-User identifier
-
-type: keyword
-
---
-
-[float]
-=== tts
-
-Text-to-Speech API usage metrics
-
-
-
-*`openai.usage.tts.model_id`*::
-+
---
-Model identifier
-
-type: keyword
-
---
-
-*`openai.usage.tts.num_characters`*::
-+
---
-Number of characters processed
-
-type: long
-
---
-
-*`openai.usage.tts.requests_total`*::
-+
---
-Number of requests
-
-type: long
-
---
-
-*`openai.usage.tts.user_id`*::
-+
---
-User identifier
-
-type: keyword
-
---
-
-[float]
-=== ft_data
-
-Fine-tuning data metrics
-
-
-
-*`openai.usage.ft_data.original`*::
-+
---
-Raw fine-tuning data
-
-type: object
-
---
-
-[float]
-=== assistant_code_interpreter
-
-Assistant Code Interpreter usage metrics
-
-
-
-*`openai.usage.assistant_code_interpreter.original`*::
-+
---
-Raw assistant code interpreter data
-
-type: object
-
---
-
-[float]
-=== retrieval_storage
-
-Retrieval storage usage metrics
-
-
-
-*`openai.usage.retrieval_storage.original`*::
-+
---
-Raw retrieval storage data
-
-type: object
-
---
-
-[[exported-fields-openmetrics]]
-== Openmetrics fields
-
-Openmetrics module
-
-
-
-[float]
-=== openmetrics
-
-`openmetrics` contains metrics from endpoints that are following Openmetrics format.
-
-
-
-*`openmetrics.help`*::
-+
---
-Brief description of the MetricFamily
-
-
-type: keyword
-
---
-
-*`openmetrics.type`*::
-+
---
-Metric type
-
-
-type: keyword
-
---
-
-*`openmetrics.unit`*::
-+
---
-Metric unit
-
-
-type: keyword
-
---
-
-*`openmetrics.labels.*`*::
-+
---
-Openmetrics metric labels
-
-
-type: object
-
---
-
-*`openmetrics.metrics.*`*::
-+
---
-Openmetrics metric
-
-
-type: object
-
---
-
-*`openmetrics.exemplar.*`*::
-+
---
-Openmetrics exemplars
-
-
-type: object
-
---
-
-*`openmetrics.exemplar.labels.*`*::
-+
---
-Openmetrics metric exemplar labels
-
-
-type: object
-
---
-
-[[exported-fields-oracle]]
-== Oracle fields
-
-Oracle database module
-
-
-[float]
-=== oracle
-
-Oracle module
-
-
-[float]
-=== performance
-
-Performance related metrics on a single database instance
-
-
-*`oracle.performance.machine`*::
-+
---
-Operating system machine name
-
-type: keyword
-
---
-
-*`oracle.performance.buffer_pool`*::
-+
---
-Name of the buffer pool in the instance
-
-type: keyword
-
---
-
-*`oracle.performance.username`*::
-+
---
-Oracle username
-
-type: keyword
-
---
-
-*`oracle.performance.io_reloads`*::
-+
---
-Reloads / Pins ratio. A Reload is any PIN of an object that is not the first PIN performed since the object handle was created, and which requires loading the object from disk. Pins are the number of times a PIN was requested for objects of this namespace
-
-type: double
-
---
-
-*`oracle.performance.lock_requests`*::
-+
---
-Average of the ratio between 'gethits' and 'gets' being 'Gethits' the number of times an object's handle was found in memory and 'gets' the number of times a lock was requested for objects of this namespace.
-
-type: long
-
---
-
-*`oracle.performance.pin_requests`*::
-+
---
-Average of all pinhits/pins ratios being 'PinHits' the number of times all of the metadata pieces of the library object were found in memory and 'pins' the number of times a PIN was requested for objects of this namespace
-
-type: double
-
---
-
-[float]
-=== cache
-
-Statistics about all buffer pools available for the instance
-
-
-*`oracle.performance.cache.buffer.hit.pct`*::
-+
---
-The cache hit ratio of the specified buffer pool.
-
-type: double
-
---
-
-*`oracle.performance.cache.physical_reads`*::
-+
---
-Physical reads
-
-type: long
-
---
-
-[float]
-=== get
-
-Buffer pool 'get' statistics
-
-
-*`oracle.performance.cache.get.consistent`*::
-+
---
-Consistent gets statistic
-
-type: long
-
---
-
-*`oracle.performance.cache.get.db_blocks`*::
-+
---
-Database blocks gotten
-
-type: long
-
---
-
-[float]
-=== cursors
-
-Cursors information
-
-
-*`oracle.performance.cursors.avg`*::
-+
---
-Average cursors opened by username and machine
-
-type: double
-
---
-
-*`oracle.performance.cursors.max`*::
-+
---
-Max cursors opened by username and machine
-
-type: double
-
---
-
-*`oracle.performance.cursors.total`*::
-+
---
-Total opened cursors by username and machine
-
-type: double
-
---
-
-[float]
-=== opened
-
-Opened cursors statistic
-
-
-*`oracle.performance.cursors.opened.current`*::
-+
---
-Total number of current open cursors
-
-type: long
-
---
-
-*`oracle.performance.cursors.opened.total`*::
-+
---
-Total number of cursors opened since the instance started
-
-type: long
-
---
-
-[float]
-=== parse
-
-Parses statistic information that occured in the current session
-
-
-*`oracle.performance.cursors.parse.real`*::
-+
---
-Real number of parses that occurred: session cursor cache hits - parse count (total)
-
-type: long
-
---
-
-*`oracle.performance.cursors.parse.total`*::
-+
---
-Total number of parse calls (hard and soft). A soft parse is a check on an object already in the shared pool, to verify that the permissions on the underlying object have not changed.
-
-type: long
-
---
-
-*`oracle.performance.cursors.session.cache_hits`*::
-+
---
-Number of hits in the session cursor cache. A hit means that the SQL statement did not have to be reparsed.
-
-type: long
-
---
-
-*`oracle.performance.cursors.cache_hit.pct`*::
-+
---
-Ratio of session cursor cache hits from total number of cursors
-
-type: double
-
---
-
-[float]
-=== sysmetric
-
-Sysmetric related metrics.
-
-
-
-*`oracle.sysmetric.session_count`*::
-+
---
-Session Count.
-
-
-type: long
-
---
-
-*`oracle.sysmetric.average_active_sessions`*::
-+
---
-Average Active Sessions.
-
-
-type: double
-
---
-
-*`oracle.sysmetric.current_os_load`*::
-+
---
-Current OS Load.
-
-
-type: double
-
---
-
-*`oracle.sysmetric.physical_reads_per_sec`*::
-+
---
-Physical Reads Per Second.
-
-
-type: double
-
---
-
-*`oracle.sysmetric.user_transaction_per_sec`*::
-+
---
-User Transaction Per Second.
-
-
-type: double
-
---
-
-*`oracle.sysmetric.total_table_scans_per_txn`*::
-+
---
-Total Table Scans Per Transaction.
-
-
-type: double
-
---
-
-*`oracle.sysmetric.physical_writes_per_sec`*::
-+
---
-Physical Writes Per Second.
-
-
-type: double
-
---
-
-*`oracle.sysmetric.total_index_scans_per_txn`*::
-+
---
-Total Index Scans Per Transaction.
-
-
-type: double
-
---
-
-*`oracle.sysmetric.host_cpu_utilization_pct`*::
-+
---
-Host CPU Utilization (%).
-
-
-type: double
-
---
-
-*`oracle.sysmetric.network_traffic_volume_per_sec`*::
-+
---
-Network Traffic Volume Per Second.
-
-
-type: double
-
---
-
-*`oracle.sysmetric.user_rollbacks_per_sec`*::
-+
---
-User Rollbacks Per Second.
-
-
-type: long
-
---
-
-*`oracle.sysmetric.cpu_usage_per_sec`*::
-+
---
-CPU Usage Per Second.
-
-
-type: double
-
---
-
-*`oracle.sysmetric.db_block_changes_per_sec`*::
-+
---
-DB Block Changes Per Second.
-
-
-type: double
-
---
-
-*`oracle.sysmetric.physical_read_total_bytes_per_sec`*::
-+
---
-Physical Read Total Bytes Per Second.
-
-
-type: double
-
---
-
-*`oracle.sysmetric.response_time_per_txn`*::
-+
---
-Response Time Per Transaction.
-
-
-type: double
-
---
-
-[float]
-=== tablespace
-
-tablespace
-
-
-*`oracle.tablespace.name`*::
-+
---
-Tablespace name
-
-type: keyword
-
---
-
-[float]
-=== data_file
-
-Database files information
-
-
-*`oracle.tablespace.data_file.id`*::
-+
---
-Tablespace unique identifier
-
-type: long
-
---
-
-*`oracle.tablespace.data_file.name`*::
-+
---
-Filename of the data file
-
-type: keyword
-
---
-
-[float]
-=== size
-
-Size information about the file
-
-
-*`oracle.tablespace.data_file.size.max.bytes`*::
-+
---
-Maximum file size in bytes
-
-type: long
-
-format: bytes
-
---
-
-*`oracle.tablespace.data_file.size.bytes`*::
-+
---
-Size of the file in bytes
-
-type: long
-
-format: bytes
-
---
-
-*`oracle.tablespace.data_file.size.free.bytes`*::
-+
---
-The size of the file available for user data. The actual size of the file minus this value is used to store file related metadata.
-
-
-type: long
-
-format: bytes
-
---
-
-*`oracle.tablespace.data_file.status`*::
-+
---
-'File status: AVAILABLE or INVALID (INVALID means that the file number is not in use, for example, a file in a tablespace that was dropped)'
-
-
-type: keyword
-
---
-
-*`oracle.tablespace.data_file.online_status`*::
-+
---
-Last known online status of the data file. One of SYSOFF, SYSTEM, OFFLINE, ONLINE or RECOVER.
-
-type: keyword
-
---
-
-[float]
-=== space
-
-Tablespace space usage information
-
-
-*`oracle.tablespace.space.free.bytes`*::
-+
---
-Tablespace total free space available, in bytes.
-
-type: long
-
-format: bytes
-
---
-
-*`oracle.tablespace.space.used.bytes`*::
-+
---
-Tablespace used space, in bytes.
-
-type: long
-
-format: bytes
-
---
-
-*`oracle.tablespace.space.total.bytes`*::
-+
---
-Tablespace total size, in bytes.
-
-type: long
-
-format: bytes
-
---
-
-[[exported-fields-panw]]
-== Panw fields
-
-PAN-OS module
-
-
-[float]
-=== panw
-
-PAN-OS module
-
-
-
-*`panw.interfaces.example`*::
-+
---
-type: keyword
-
---
-
-
-*`panw.routing.example`*::
-+
---
-type: keyword
-
---
-
-
-*`panw.system.example`*::
-+
---
-type: keyword
-
---
-
-
-*`panw.vpn.example`*::
-+
---
-type: keyword
-
---
-
-[[exported-fields-php_fpm]]
-== PHP_FPM fields
-
-PHP-FPM server status metrics collected from PHP-FPM.
-
-
-
-[float]
-=== php_fpm
-
-`php_fpm` contains the metrics that were obtained from PHP-FPM status page call.
-
-
-
-[float]
-=== pool
-
-`pool` contains the metrics that were obtained from the PHP-FPM process pool.
-
-
-
-*`php_fpm.pool.name`*::
-+
---
-The name of the pool.
-
-
-type: keyword
-
---
-
-[float]
-=== pool
-
-`pool` contains the metrics that were obtained from the PHP-FPM process pool.
-
-
-
-*`php_fpm.pool.process_manager`*::
-+
---
-Static, dynamic or ondemand.
-
-
-type: keyword
-
---
-
-[float]
-=== connections
-
-Connection state specific statistics.
-
-
-
-*`php_fpm.pool.connections.accepted`*::
-+
---
-The number of incoming requests that the PHP-FPM server has accepted; when a connection is accepted it is removed from the listen queue.
-
-
-type: long
-
---
-
-*`php_fpm.pool.connections.queued`*::
-+
---
-The current number of connections that have been initiated, but not yet accepted. If this value is non-zero it typically means that all the available server processes are currently busy, and there are no processes available to serve the next request. Raising `pm.max_children` (provided the server can handle it) should help keep this number low. This property follows from the fact that PHP-FPM listens via a socket (TCP or file based), and thus inherits some of the characteristics of sockets.
-
-
-type: long
-
---
-
-*`php_fpm.pool.connections.max_listen_queue`*::
-+
---
-The maximum number of requests in the queue of pending connections since FPM has started.
-
-
-type: long
-
---
-
-*`php_fpm.pool.connections.listen_queue_len`*::
-+
---
-The size of the socket queue of pending connections.
-
-
-type: long
-
---
-
-[float]
-=== processes
-
-Process state specific statistics.
-
-
-
-*`php_fpm.pool.processes.idle`*::
-+
---
-The number of servers in the `waiting to process` state (i.e. not currently serving a page). This value should fall between the `pm.min_spare_servers` and `pm.max_spare_servers` values when the process manager is `dynamic`.
-
-
-type: long
-
---
-
-*`php_fpm.pool.processes.active`*::
-+
---
-The number of servers current processing a page - the minimum is `1` (so even on a fully idle server, the result will be not read `0`).
-
-
-type: long
-
---
-
-*`php_fpm.pool.processes.total`*::
-+
---
-The number of idle + active processes.
-
-
-type: long
-
---
-
-*`php_fpm.pool.processes.max_active`*::
-+
---
-The maximum number of active processes since FPM has started.
-
-
-type: long
-
---
-
-*`php_fpm.pool.processes.max_children_reached`*::
-+
---
-Number of times, the process limit has been reached, when pm tries to start more children (works only for pm 'dynamic' and 'ondemand').
-
-
-type: long
-
---
-
-*`php_fpm.pool.slow_requests`*::
-+
---
-The number of times a request execution time has exceeded `request_slowlog_timeout`.
-
-
-type: long
-
---
-
-*`php_fpm.pool.start_since`*::
-+
---
-Number of seconds since FPM has started.
-
-
-type: long
-
---
-
-*`php_fpm.pool.start_time`*::
-+
---
-The date and time FPM has started.
-
-
-type: date
-
---
-
-[float]
-=== process
-
-process contains the metrics that were obtained from the PHP-FPM process.
-
-
-
-*`php_fpm.process.pid`*::
-+
---
-The PID of the process
-
-
-type: alias
-
-alias to: process.pid
-
---
-
-*`php_fpm.process.state`*::
-+
---
-The state of the process (Idle, Running, etc)
-
-
-type: keyword
-
---
-
-*`php_fpm.process.start_time`*::
-+
---
-The date and time the process has started
-
-
-type: date
-
---
-
-*`php_fpm.process.start_since`*::
-+
---
-The number of seconds since the process has started
-
-
-type: integer
-
---
-
-*`php_fpm.process.requests`*::
-+
---
-The number of requests the process has served
-
-
-type: integer
-
---
-
-*`php_fpm.process.request_duration`*::
-+
---
-The duration in microseconds (1 million in a second) of the current request (my own definition)
-
-
-type: integer
-
---
-
-*`php_fpm.process.request_method`*::
-+
---
-The request method (GET, POST, etc) (of the current request)
-
-
-type: alias
-
-alias to: http.request.method
-
---
-
-*`php_fpm.process.request_uri`*::
-+
---
-The request URI with the query string (of the current request)
-
-
-type: alias
-
-alias to: url.original
-
---
-
-*`php_fpm.process.content_length`*::
-+
---
-The content length of the request (only with POST) (of the current request)
-
-
-type: alias
-
-alias to: http.response.body.bytes
-
---
-
-*`php_fpm.process.user`*::
-+
---
-The user (PHP_AUTH_USER) (or - if not set) (for the current request)
-
-
-type: alias
-
-alias to: user.name
-
---
-
-*`php_fpm.process.script`*::
-+
---
-The main script called (or - if not set) (for the current request)
-
-
-type: keyword
-
---
-
-*`php_fpm.process.last_request_cpu`*::
-+
---
-The CPU percentage the last request consumed. It's always 0 if the process is not in Idle state because CPU calculation is done when the request processing has terminated
-
-
-type: long
-
---
-
-*`php_fpm.process.last_request_memory`*::
-+
---
-The max amount of memory the last request consumed. It's always 0 if the process is not in Idle state because memory calculation is done when the request processing has terminated
-
-
-type: integer
-
---
-
-[[exported-fields-postgresql]]
-== PostgreSQL fields
-
-Metrics collected from PostgreSQL servers.
-
-
-
-[float]
-=== postgresql
-
-PostgreSQL metrics.
-
-
-
-[float]
-=== activity
-
-One document per server process, showing information related to the current activity of that process, such as state and current query. Collected by querying pg_stat_activity.
-
-
-
-*`postgresql.activity.database.oid`*::
-+
---
-OID of the database this backend is connected to.
-
-
-type: long
-
---
-
-*`postgresql.activity.database.name`*::
-+
---
-Name of the database this backend is connected to.
-
-
-type: keyword
-
---
-
-*`postgresql.activity.pid`*::
-+
---
-Process ID of this backend.
-
-
-type: long
-
---
-
-*`postgresql.activity.user.id`*::
-+
---
-OID of the user logged into this backend.
-
-
-type: long
-
---
-
-*`postgresql.activity.user.name`*::
-+
---
-Name of the user logged into this backend.
-
-
---
-
-*`postgresql.activity.application_name`*::
-+
---
-Name of the application that is connected to this backend.
-
-
---
-
-*`postgresql.activity.client.address`*::
-+
---
-IP address of the client connected to this backend.
-
-
---
-
-*`postgresql.activity.client.hostname`*::
-+
---
-Host name of the connected client, as reported by a reverse DNS lookup of client_addr.
-
-
---
-
-*`postgresql.activity.client.port`*::
-+
---
-TCP port number that the client is using for communication with this backend, or -1 if a Unix socket is used.
-
-
-type: long
-
---
-
-*`postgresql.activity.backend_type`*::
-+
---
-Type of the current backend. Possible types are autovacuum launcher, autovacuum worker, logical replication launcher, logical replication worker, parallel worker, background writer, client backend, checkpointer, startup, walreceiver, walsender and walwriter. Extensions may register workers with additional backend types.
-
-
---
-
-*`postgresql.activity.backend_start`*::
-+
---
-Time when this process was started, i.e., when the client connected to the server.
-
-
-type: date
-
---
-
-*`postgresql.activity.transaction_start`*::
-+
---
-Time when this process' current transaction was started.
-
-
-type: date
-
---
-
-*`postgresql.activity.query_start`*::
-+
---
-Time when the currently active query was started, or if state is not active, when the last query was started.
-
-
-type: date
-
---
-
-*`postgresql.activity.state_change`*::
-+
---
-Time when the state was last changed.
-
-
-type: date
-
---
-
-*`postgresql.activity.waiting`*::
-+
---
-True if this backend is currently waiting on a lock.
-
-
-type: boolean
-
---
-
-*`postgresql.activity.state`*::
-+
---
-Current overall state of this backend. Possible values are:
-
-  * active: The backend is executing a query.
-  * idle: The backend is waiting for a new client command.
-  * idle in transaction: The backend is in a transaction, but is not
-    currently executing a query.
-  * idle in transaction (aborted): This state is similar to idle in
-    transaction, except one of the statements in the transaction caused
-    an error.
-  * fastpath function call: The backend is executing a fast-path function.
-  * disabled: This state is reported if track_activities is disabled in this backend.
-
-
---
-
-*`postgresql.activity.query`*::
-+
---
-Text of this backend's most recent query. If state is active this field shows the currently executing query. In all other states, it shows the last query that was executed.
-
-
---
-
-*`postgresql.activity.wait_event`*::
-+
---
-Wait event name if the backend is currently waiting.
-
-
---
-
-*`postgresql.activity.wait_event_type`*::
-+
---
-The type of event for which the backend is waiting.
-
-
---
-
-[float]
-=== bgwriter
-
-Statistics about the background writer process's activity. Collected using the pg_stat_bgwriter query.
-
-
-
-*`postgresql.bgwriter.checkpoints.scheduled`*::
-+
---
-Number of scheduled checkpoints that have been performed.
-
-
-type: long
-
---
-
-*`postgresql.bgwriter.checkpoints.requested`*::
-+
---
-Number of requested checkpoints that have been performed.
-
-
-type: long
-
---
-
-*`postgresql.bgwriter.checkpoints.times.write.ms`*::
-+
---
-Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk, in milliseconds.
-
-
-type: float
-
---
-
-*`postgresql.bgwriter.checkpoints.times.sync.ms`*::
-+
---
-Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk, in milliseconds.
-
-
-type: float
-
---
-
-*`postgresql.bgwriter.buffers.checkpoints`*::
-+
---
-Number of buffers written during checkpoints.
-
-
-type: long
-
---
-
-*`postgresql.bgwriter.buffers.clean`*::
-+
---
-Number of buffers written by the background writer.
-
-
-type: long
-
---
-
-*`postgresql.bgwriter.buffers.clean_full`*::
-+
---
-Number of times the background writer stopped a cleaning scan because it had written too many buffers.
-
-
-type: long
-
---
-
-*`postgresql.bgwriter.buffers.backend`*::
-+
---
-Number of buffers written directly by a backend.
-
-
-type: long
-
---
-
-*`postgresql.bgwriter.buffers.backend_fsync`*::
-+
---
-Number of times a backend had to execute its own fsync call (normally the background writer handles those even when the backend does its own write)
-
-
-type: long
-
---
-
-*`postgresql.bgwriter.buffers.allocated`*::
-+
---
-Number of buffers allocated.
-
-
-type: long
-
---
-
-*`postgresql.bgwriter.stats_reset`*::
-+
---
-Time at which these statistics were last reset.
-
-
-type: date
-
---
-
-[float]
-=== database
-
-One row per database, showing database-wide statistics. Collected by querying pg_stat_database
-
-
-
-*`postgresql.database.oid`*::
-+
---
-OID of the database this backend is connected to, or 0 for shared resources.
-
-
-type: long
-
---
-
-*`postgresql.database.name`*::
-+
---
-Name of the database this backend is connected to, empty for shared resources.
-
-
-type: keyword
-
---
-
-*`postgresql.database.number_of_backends`*::
-+
---
-Number of backends currently connected to this database.
-
-
-type: long
-
---
-
-*`postgresql.database.transactions.commit`*::
-+
---
-Number of transactions in this database that have been committed.
-
-
-type: long
-
---
-
-*`postgresql.database.transactions.rollback`*::
-+
---
-Number of transactions in this database that have been rolled back.
-
-
-type: long
-
---
-
-*`postgresql.database.blocks.read`*::
-+
---
-Number of disk blocks read in this database.
-
-
-type: long
-
---
-
-*`postgresql.database.blocks.hit`*::
-+
---
-Number of times disk blocks were found already in the buffer cache, so that a read was not necessary (this only includes hits in the PostgreSQL buffer cache, not the operating system's file system cache).
-
-
-type: long
-
---
-
-*`postgresql.database.blocks.time.read.ms`*::
-+
---
-Time spent reading data file blocks by backends in this database, in milliseconds.
-
-
-type: double
-
---
-
-*`postgresql.database.blocks.time.write.ms`*::
-+
---
-Time spent writing data file blocks by backends in this database, in milliseconds.
-
-
-type: double
-
---
-
-*`postgresql.database.rows.returned`*::
-+
---
-Number of rows returned by queries in this database.
-
-
-type: long
-
---
-
-*`postgresql.database.rows.fetched`*::
-+
---
-Number of rows fetched by queries in this database.
-
-
-type: long
-
---
-
-*`postgresql.database.rows.inserted`*::
-+
---
-Number of rows inserted by queries in this database.
-
-
-type: long
-
---
-
-*`postgresql.database.rows.updated`*::
-+
---
-Number of rows updated by queries in this database.
-
-
-type: long
-
---
-
-*`postgresql.database.rows.deleted`*::
-+
---
-Number of rows deleted by queries in this database.
-
-
-type: long
-
---
-
-*`postgresql.database.conflicts`*::
-+
---
-Number of queries canceled due to conflicts with recovery in this database.
-
-
-type: long
-
---
-
-*`postgresql.database.temporary.files`*::
-+
---
-Number of temporary files created by queries in this database. All temporary files are counted, regardless of why the temporary file was created (e.g., sorting or hashing), and regardless of the log_temp_files setting.
-
-
-type: long
-
---
-
-*`postgresql.database.temporary.bytes`*::
-+
---
-Total amount of data written to temporary files by queries in this database. All temporary files are counted, regardless of why the temporary file was created, and regardless of the log_temp_files setting.
-
-
-type: long
-
---
-
-*`postgresql.database.deadlocks`*::
-+
---
-Number of deadlocks detected in this database.
-
-
-type: long
-
---
-
-*`postgresql.database.stats_reset`*::
-+
---
-Time at which these statistics were last reset.
-
-
-type: date
-
---
-
-[float]
-=== statement
-
-One document per query per user per database, showing information related invocation of that query, such as cpu usage and total time. Collected by querying pg_stat_statements.
-
-
-
-*`postgresql.statement.user.id`*::
-+
---
-OID of the user logged into the backend that ran the query.
-
-
-type: long
-
---
-
-*`postgresql.statement.database.oid`*::
-+
---
-OID of the database the query was run on.
-
-
-type: long
-
---
-
-*`postgresql.statement.query.id`*::
-+
---
-ID of the statement.
-
-
-type: long
-
---
-
-*`postgresql.statement.query.text`*::
-+
---
-Query text
-
-
---
-
-*`postgresql.statement.query.calls`*::
-+
---
-Number of times the query has been run.
-
-
-type: long
-
---
-
-*`postgresql.statement.query.rows`*::
-+
---
-Total number of rows returned by query.
-
-
-type: long
-
---
-
-*`postgresql.statement.query.time.total.ms`*::
-+
---
-Total number of milliseconds spent running query.
-
-
-type: float
-
---
-
-*`postgresql.statement.query.time.min.ms`*::
-+
---
-Minimum number of milliseconds spent running query.
-
-
-type: float
-
---
-
-*`postgresql.statement.query.time.max.ms`*::
-+
---
-Maximum number of milliseconds spent running query.
-
-
-type: float
-
---
-
-*`postgresql.statement.query.time.mean.ms`*::
-+
---
-Mean number of milliseconds spent running query.
-
-
-type: long
-
---
-
-*`postgresql.statement.query.time.stddev.ms`*::
-+
---
-Population standard deviation of time spent running query, in milliseconds.
-
-
-type: long
-
---
-
-*`postgresql.statement.query.memory.shared.hit`*::
-+
---
-Total number of shared block cache hits by the query.
-
-
-type: long
-
---
-
-*`postgresql.statement.query.memory.shared.read`*::
-+
---
-Total number of shared block cache read by the query.
-
-
-type: long
-
---
-
-*`postgresql.statement.query.memory.shared.dirtied`*::
-+
---
-Total number of shared block cache dirtied by the query.
-
-
-type: long
-
---
-
-*`postgresql.statement.query.memory.shared.written`*::
-+
---
-Total number of shared block cache written by the query.
-
-
-type: long
-
---
-
-*`postgresql.statement.query.memory.local.hit`*::
-+
---
-Total number of local block cache hits by the query.
-
-
-type: long
-
---
-
-*`postgresql.statement.query.memory.local.read`*::
-+
---
-Total number of local block cache read by the query.
-
-
-type: long
-
---
-
-*`postgresql.statement.query.memory.local.dirtied`*::
-+
---
-Total number of local block cache dirtied by the query.
-
-
-type: long
-
---
-
-*`postgresql.statement.query.memory.local.written`*::
-+
---
-Total number of local block cache written by the query.
-
-
-type: long
-
---
-
-*`postgresql.statement.query.memory.temp.read`*::
-+
---
-Total number of temp block cache read by the query.
-
-
-type: long
-
---
-
-*`postgresql.statement.query.memory.temp.written`*::
-+
---
-Total number of temp block cache written by the query.
-
-
-type: long
-
---
-
-[[exported-fields-process]]
-== Process fields
-
-Process metadata fields
-
-
-
-
-*`process.exe`*::
-+
---
-type: alias
-
-alias to: process.executable
-
---
-
-[float]
-=== owner
-
-Process owner information.
-
-
-*`process.owner.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
---
-
-*`process.owner.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: albert
-
---
-
-*`process.owner.name.text`*::
-+
---
-type: text
-
---
-
-[[exported-fields-prometheus]]
-== Prometheus fields
-
-Stats scraped from a Prometheus endpoint.
-
-
-
-*`metrics_count`*::
-+
---
-Number of metrics per Elasticsearch document.
-
-
-type: long
-
---
-
-
-*`prometheus.labels.*`*::
-+
---
-Prometheus metric labels
-
-
-type: object
-
---
-
-*`prometheus.metrics.*`*::
-+
---
-Prometheus metric
-
-
-type: object
-
---
-
-*`prometheus.query.*`*::
-+
---
-Prometheus value resulted from PromQL
-
-
-type: object
-
---
-
-[float]
-=== query
-
-query metricset
-
-
-[float]
-=== remote_write
-
-remote write metrics from Prometheus server
-
-
-[[exported-fields-prometheus-xpack]]
-== Prometheus typed metrics fields
-
-Stats scraped from a Prometheus endpoint.
-
-
-
-*`prometheus.*.value`*::
-+
---
-Prometheus gauge metric
-
-
-type: object
-
---
-
-*`prometheus.*.counter`*::
-+
---
-Prometheus counter metric
-
-
-type: object
-
---
-
-*`prometheus.*.rate`*::
-+
---
-Prometheus rated counter metric
-
-
-type: object
-
---
-
-*`prometheus.*.histogram`*::
-+
---
-Prometheus histogram metric - release: ga
-
-
-type: object
-
---
-
-[[exported-fields-rabbitmq]]
-== RabbitMQ fields
-
-RabbitMQ module
-
-
-
-[float]
-=== rabbitmq
-
-
-
-
-*`rabbitmq.vhost`*::
-+
---
-Virtual host name with non-ASCII characters escaped as in C.
-
-
-type: keyword
-
---
-
-[float]
-=== connection
-
-connection
-
-
-
-*`rabbitmq.connection.name`*::
-+
---
-The name of the connection with non-ASCII characters escaped as in C.
-
-
-type: keyword
-
---
-
-*`rabbitmq.connection.vhost`*::
-+
---
-Virtual host name with non-ASCII characters escaped as in C.
-
-
-type: alias
-
-alias to: rabbitmq.vhost
-
---
-
-*`rabbitmq.connection.user`*::
-+
---
-User name.
-
-
-type: alias
-
-alias to: user.name
-
---
-
-*`rabbitmq.connection.node`*::
-+
---
-Node name.
-
-
-type: alias
-
-alias to: rabbitmq.node.name
-
---
-
-*`rabbitmq.connection.state`*::
-+
---
-Connection state.
-
-
-type: keyword
-
---
-
-*`rabbitmq.connection.channels`*::
-+
---
-The number of channels on the connection.
-
-
-type: long
-
---
-
-*`rabbitmq.connection.channel_max`*::
-+
---
-The maximum number of channels allowed on the connection.
-
-
-type: long
-
---
-
-*`rabbitmq.connection.frame_max`*::
-+
---
-Maximum permissible size of a frame (in bytes) to negotiate with clients.
-
-
-type: long
-
-format: bytes
-
---
-
-*`rabbitmq.connection.type`*::
-+
---
-Type of the connection.
-
-
-type: keyword
-
---
-
-*`rabbitmq.connection.host`*::
-+
---
-Server hostname obtained via reverse DNS, or its IP address if reverse DNS failed or was disabled.
-
-
-type: keyword
-
---
-
-*`rabbitmq.connection.peer.host`*::
-+
---
-Peer hostname obtained via reverse DNS, or its IP address if reverse DNS failed or was not enabled.
-
-
-type: keyword
-
---
-
-*`rabbitmq.connection.port`*::
-+
---
-Server port.
-
-
-type: long
-
---
-
-*`rabbitmq.connection.peer.port`*::
-+
---
-Peer port.
-
-
-type: long
-
---
-
-*`rabbitmq.connection.packet_count.sent`*::
-+
---
-Number of packets sent on the connection.
-
-
-type: long
-
---
-
-*`rabbitmq.connection.packet_count.received`*::
-+
---
-Number of packets received on the connection.
-
-
-type: long
-
---
-
-*`rabbitmq.connection.packet_count.pending`*::
-+
---
-Number of packets pending on the connection.
-
-
-type: long
-
---
-
-*`rabbitmq.connection.octet_count.sent`*::
-+
---
-Number of octets sent on the connection.
-
-
-type: long
-
---
-
-*`rabbitmq.connection.octet_count.received`*::
-+
---
-Number of octets received on the connection.
-
-
-type: long
-
---
-
-*`rabbitmq.connection.client_provided.name`*::
-+
---
-User specified connection name.
-
-
-type: keyword
-
---
-
-[float]
-=== exchange
-
-exchange
-
-
-
-*`rabbitmq.exchange.name`*::
-+
---
-The name of the queue with non-ASCII characters escaped as in C.
-
-
-type: keyword
-
---
-
-*`rabbitmq.exchange.vhost`*::
-+
---
-Virtual host name with non-ASCII characters escaped as in C.
-
-
-type: alias
-
-alias to: rabbitmq.vhost
-
---
-
-*`rabbitmq.exchange.durable`*::
-+
---
-Whether or not the queue survives server restarts.
-
-
-type: boolean
-
---
-
-*`rabbitmq.exchange.auto_delete`*::
-+
---
-Whether the queue will be deleted automatically when no longer used.
-
-
-type: boolean
-
---
-
-*`rabbitmq.exchange.internal`*::
-+
---
-Whether the exchange is internal, i.e. cannot be directly published to by a client.
-
-
-type: boolean
-
---
-
-*`rabbitmq.exchange.user`*::
-+
---
-User who created the exchange.
-
-
-type: alias
-
-alias to: user.name
-
---
-
-*`rabbitmq.exchange.messages.publish_in.count`*::
-+
---
-Count of messages published "in" to an exchange, i.e. not taking account of routing.
-
-
-type: long
-
---
-
-*`rabbitmq.exchange.messages.publish_in.details.rate`*::
-+
---
-How much the exchange publish-in count has changed per second in the most recent sampling interval.
-
-
-type: float
-
---
-
-*`rabbitmq.exchange.messages.publish_out.count`*::
-+
---
-Count of messages published "out" of an exchange, i.e. taking account of routing.
-
-
-type: long
-
---
-
-*`rabbitmq.exchange.messages.publish_out.details.rate`*::
-+
---
-How much the exchange publish-out count has changed per second in the most recent sampling interval.
-
-
-type: float
-
---
-
-[float]
-=== node
-
-node
-
-
-
-*`rabbitmq.node.disk.free.bytes`*::
-+
---
-Disk free space in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`rabbitmq.node.disk.free.limit.bytes`*::
-+
---
-Point at which the disk alarm will go off.
-
-
-type: long
-
-format: bytes
-
---
-
-*`rabbitmq.node.fd.total`*::
-+
---
-File descriptors available.
-
-
-type: long
-
---
-
-*`rabbitmq.node.fd.used`*::
-+
---
-Used file descriptors.
-
-
-type: long
-
---
-
-*`rabbitmq.node.gc.num.count`*::
-+
---
-Number of GC operations.
-
-
-type: long
-
---
-
-*`rabbitmq.node.gc.reclaimed.bytes`*::
-+
---
-GC bytes reclaimed.
-
-
-type: long
-
-format: bytes
-
---
-
-*`rabbitmq.node.io.file_handle.open_attempt.avg.ms`*::
-+
---
-File handle open avg time
-
-
-type: long
-
---
-
-*`rabbitmq.node.io.file_handle.open_attempt.count`*::
-+
---
-File handle open attempts
-
-
-type: long
-
---
-
-*`rabbitmq.node.io.read.avg.ms`*::
-+
---
-File handle read avg time
-
-
-type: long
-
---
-
-*`rabbitmq.node.io.read.bytes`*::
-+
---
-Data read in bytes
-
-
-type: long
-
-format: bytes
-
---
-
-*`rabbitmq.node.io.read.count`*::
-+
---
-Data read operations
-
-
-type: long
-
---
-
-*`rabbitmq.node.io.reopen.count`*::
-+
---
-Data reopen operations
-
-
-type: long
-
---
-
-*`rabbitmq.node.io.seek.avg.ms`*::
-+
---
-Data seek avg time
-
-
-type: long
-
---
-
-*`rabbitmq.node.io.seek.count`*::
-+
---
-Data seek operations
-
-
-type: long
-
---
-
-*`rabbitmq.node.io.sync.avg.ms`*::
-+
---
-Data sync avg time
-
-
-type: long
-
---
-
-*`rabbitmq.node.io.sync.count`*::
-+
---
-Data sync operations
-
-
-type: long
-
---
-
-*`rabbitmq.node.io.write.avg.ms`*::
-+
---
-Data write avg time
-
-
-type: long
-
---
-
-*`rabbitmq.node.io.write.bytes`*::
-+
---
-Data write in bytes
-
-
-type: long
-
-format: bytes
-
---
-
-*`rabbitmq.node.io.write.count`*::
-+
---
-Data write operations
-
-
-type: long
-
---
-
-*`rabbitmq.node.mem.limit.bytes`*::
-+
---
-Point at which the memory alarm will go off.
-
-
-type: long
-
-format: bytes
-
---
-
-*`rabbitmq.node.mem.used.bytes`*::
-+
---
-Memory used in bytes.
-
-
-type: long
-
---
-
-*`rabbitmq.node.mnesia.disk.tx.count`*::
-+
---
-Number of Mnesia transactions which have been performed that required writes to disk.
-
-
-type: long
-
---
-
-*`rabbitmq.node.mnesia.ram.tx.count`*::
-+
---
-Number of Mnesia transactions which have been performed that did not require writes to disk.
-
-
-type: long
-
---
-
-*`rabbitmq.node.msg.store_read.count`*::
-+
---
-Number of messages which have been read from the message store.
-
-
-type: long
-
---
-
-*`rabbitmq.node.msg.store_write.count`*::
-+
---
-Number of messages which have been written to the message store.
-
-
-type: long
-
---
-
-*`rabbitmq.node.name`*::
-+
---
-Node name
-
-type: keyword
-
---
-
-*`rabbitmq.node.proc.total`*::
-+
---
-Maximum number of Erlang processes.
-
-
-type: long
-
---
-
-*`rabbitmq.node.proc.used`*::
-+
---
-Number of Erlang processes in use.
-
-
-type: long
-
---
-
-*`rabbitmq.node.processors`*::
-+
---
-Number of cores detected and usable by Erlang.
-
-
-type: long
-
---
-
-*`rabbitmq.node.queue.index.journal_write.count`*::
-+
---
-Number of records written to the queue index journal.
-
-
-type: long
-
---
-
-*`rabbitmq.node.queue.index.read.count`*::
-+
---
-Number of records read from the queue index.
-
-
-type: long
-
---
-
-*`rabbitmq.node.queue.index.write.count`*::
-+
---
-Number of records written to the queue index.
-
-
-type: long
-
---
-
-*`rabbitmq.node.run.queue`*::
-+
---
-Average number of Erlang processes waiting to run.
-
-
-type: long
-
---
-
-*`rabbitmq.node.socket.total`*::
-+
---
-File descriptors available for use as sockets.
-
-
-type: long
-
---
-
-*`rabbitmq.node.socket.used`*::
-+
---
-File descriptors used as sockets.
-
-
-type: long
-
---
-
-*`rabbitmq.node.type`*::
-+
---
-Node type.
-
-
-type: keyword
-
---
-
-*`rabbitmq.node.uptime`*::
-+
---
-Node uptime.
-
-
-type: long
-
---
-
-[float]
-=== queue
-
-queue
-
-
-
-*`rabbitmq.queue.name`*::
-+
---
-The name of the queue with non-ASCII characters escaped as in C.
-
-
-type: keyword
-
---
-
-*`rabbitmq.queue.vhost`*::
-+
---
-Virtual host name with non-ASCII characters escaped as in C.
-
-
-type: alias
-
-alias to: rabbitmq.vhost
-
---
-
-*`rabbitmq.queue.durable`*::
-+
---
-Whether or not the queue survives server restarts.
-
-
-type: boolean
-
---
-
-*`rabbitmq.queue.auto_delete`*::
-+
---
-Whether the queue will be deleted automatically when no longer used.
-
-
-type: boolean
-
---
-
-*`rabbitmq.queue.exclusive`*::
-+
---
-Whether the queue is exclusive (i.e. has owner_pid).
-
-
-type: boolean
-
---
-
-*`rabbitmq.queue.node`*::
-+
---
-Node name.
-
-
-type: alias
-
-alias to: rabbitmq.node.name
-
---
-
-*`rabbitmq.queue.state`*::
-+
---
-The state of the queue. Normally 'running', but may be "{syncing, MsgCount}" if the queue is synchronising. Queues which are located on cluster nodes that are currently down will be shown with a status of 'down'.
-
-
-type: keyword
-
---
-
-*`rabbitmq.queue.arguments.max_priority`*::
-+
---
-Maximum number of priority levels for the queue to support.
-
-
-type: long
-
---
-
-*`rabbitmq.queue.consumers.count`*::
-+
---
-Number of consumers.
-
-
-type: long
-
---
-
-*`rabbitmq.queue.consumers.utilisation.pct`*::
-+
---
-Fraction of the time (between 0.0 and 1.0) that the queue is able to immediately deliver messages to consumers. This can be less than 1.0 if consumers are limited by network congestion or prefetch count.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`rabbitmq.queue.messages.total.count`*::
-+
---
-Sum of ready and unacknowledged messages (queue depth).
-
-
-type: long
-
---
-
-*`rabbitmq.queue.messages.total.details.rate`*::
-+
---
-How much the queue depth has changed per second in the most recent sampling interval.
-
-
-type: float
-
---
-
-*`rabbitmq.queue.messages.ready.count`*::
-+
---
-Number of messages ready to be delivered to clients.
-
-
-type: long
-
---
-
-*`rabbitmq.queue.messages.ready.details.rate`*::
-+
---
-How much the count of messages ready has changed per second in the most recent sampling interval.
-
-
-type: float
-
---
-
-*`rabbitmq.queue.messages.unacknowledged.count`*::
-+
---
-Number of messages delivered to clients but not yet acknowledged.
-
-
-type: long
-
---
-
-*`rabbitmq.queue.messages.unacknowledged.details.rate`*::
-+
---
-How much the count of unacknowledged messages has changed per second in the most recent sampling interval.
-
-
-type: float
-
---
-
-*`rabbitmq.queue.messages.persistent.count`*::
-+
---
-Total number of persistent messages in the queue (will always be 0 for transient queues).
-
-
-type: long
-
---
-
-*`rabbitmq.queue.memory.bytes`*::
-+
---
-Bytes of memory consumed by the Erlang process associated with the queue, including stack, heap and internal structures.
-
-
-type: long
-
-format: bytes
-
---
-
-*`rabbitmq.queue.disk.reads.count`*::
-+
---
-Total number of times messages have been read from disk by this queue since it started.
-
-
-type: long
-
---
-
-*`rabbitmq.queue.disk.writes.count`*::
-+
---
-Total number of times messages have been written to disk by this queue since it started.
-
-
-type: long
-
---
-
-[float]
-=== shovel
-
-shovel
-
-
-
-*`rabbitmq.shovel.name`*::
-+
---
-The name of the shovel with non-ASCII characters escaped as in C.
-
-
-type: keyword
-
---
-
-*`rabbitmq.shovel.vhost`*::
-+
---
-Virtual host name with non-ASCII characters escaped as in C.
-
-
-type: alias
-
-alias to: rabbitmq.vhost
-
---
-
-*`rabbitmq.shovel.node`*::
-+
---
-Node name.
-
-
-type: alias
-
-alias to: rabbitmq.node.name
-
---
-
-*`rabbitmq.shovel.state`*::
-+
---
-The state of the shovel. Normally 'running', but could be 'starting' or 'terminated'.
-
-
-type: keyword
-
---
-
-*`rabbitmq.shovel.type`*::
-+
---
-The type of the shovel. Either 'static' or 'dynamic'.
-
-
-type: keyword
-
---
-
-[[exported-fields-redis]]
-== Redis fields
-
-Redis metrics collected from Redis.
-
-
-
-[float]
-=== redis
-
-`redis` contains the information and statistics from Redis.
-
-
-
-[float]
-=== info
-
-`info` contains the information and statistics returned by the `INFO` command.
-
-
-
-[float]
-=== clients
-
-Redis client stats.
-
-
-
-*`redis.info.clients.connected`*::
-+
---
-Number of client connections (excluding connections from slaves).
-
-
-type: long
-
---
-
-*`redis.info.clients.max_output_buffer`*::
-+
---
-Longest output list among current client connections.
-
-
-type: long
-
---
-
-*`redis.info.clients.max_input_buffer`*::
-+
---
-Biggest input buffer among current client connections (on redis 5.0).
-
-
-type: long
-
---
-
-*`redis.info.clients.blocked`*::
-+
---
-Number of clients pending on a blocking call (BLPOP, BRPOP, BRPOPLPUSH).
-
-
-type: long
-
---
-
-[float]
-=== cluster
-
-Redis cluster information.
-
-
-
-*`redis.info.cluster.enabled`*::
-+
---
-Indicates that the Redis cluster is enabled.
-
-
-type: boolean
-
---
-
-[float]
-=== cpu
-
-Redis CPU stats
-
-
-
-*`redis.info.cpu.used.sys`*::
-+
---
-System CPU consumed by the Redis server.
-
-
-type: scaled_float
-
---
-
-*`redis.info.cpu.used.sys_children`*::
-+
---
-System CPU consumed by the background processes.
-
-
-type: scaled_float
-
---
-
-*`redis.info.cpu.used.user`*::
-+
---
-User CPU consumed by the Redis server.
-
-
-type: scaled_float
-
---
-
-*`redis.info.cpu.used.user_children`*::
-+
---
-User CPU consumed by the background processes.
-
-
-type: scaled_float
-
---
-
-[float]
-=== memory
-
-Redis memory stats.
-
-
-
-*`redis.info.memory.used.value`*::
-+
---
-Total number of bytes allocated by Redis.
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.memory.used.rss`*::
-+
---
-Number of bytes that Redis allocated as seen by the operating system (a.k.a resident set size).
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.memory.used.peak`*::
-+
---
-Peak memory consumed by Redis.
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.memory.used.lua`*::
-+
---
-Used memory by the Lua engine.
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.memory.used.dataset`*::
-+
---
-The size in bytes of the dataset
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.memory.max.value`*::
-+
---
-Memory limit.
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.memory.max.policy`*::
-+
---
-Eviction policy to use when memory limit is reached.
-
-
-type: keyword
-
---
-
-*`redis.info.memory.fragmentation.ratio`*::
-+
---
-Ratio between used_memory_rss and used_memory
-
-
-type: float
-
---
-
-*`redis.info.memory.fragmentation.bytes`*::
-+
---
-Bytes between used_memory_rss and used_memory
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.memory.active_defrag.is_running`*::
-+
---
-Flag indicating if active defragmentation is active
-
-
-type: boolean
-
---
-
-*`redis.info.memory.allocator`*::
-+
---
-Memory allocator.
-
-
-type: keyword
-
---
-
-
-*`redis.info.memory.allocator_stats.allocated`*::
-+
---
-Allocated memory
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.memory.allocator_stats.active`*::
-+
---
-Active memory
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.memory.allocator_stats.resident`*::
-+
---
-Resident memory
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.memory.allocator_stats.fragmentation.ratio`*::
-+
---
-Fragmentation ratio
-
-
-type: float
-
---
-
-*`redis.info.memory.allocator_stats.fragmentation.bytes`*::
-+
---
-Fragmented bytes
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.memory.allocator_stats.rss.ratio`*::
-+
---
-Resident ratio
-
-
-type: float
-
---
-
-*`redis.info.memory.allocator_stats.rss.bytes`*::
-+
---
-Resident bytes
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== persistence
-
-Redis CPU stats.
-
-
-
-*`redis.info.persistence.loading`*::
-+
---
-Flag indicating if the load of a dump file is on-going
-
-
-type: boolean
-
---
-
-[float]
-=== rdb
-
-Provides information about RDB persistence
-
-
-
-*`redis.info.persistence.rdb.last_save.changes_since`*::
-+
---
-Number of changes since the last dump
-
-
-type: long
-
---
-
-*`redis.info.persistence.rdb.last_save.time`*::
-+
---
-Epoch-based timestamp of last successful RDB save
-
-
-type: long
-
---
-
-*`redis.info.persistence.rdb.bgsave.in_progress`*::
-+
---
-Flag indicating a RDB save is on-going
-
-
-type: boolean
-
---
-
-*`redis.info.persistence.rdb.bgsave.last_status`*::
-+
---
-Status of the last RDB save operation
-
-
-type: keyword
-
---
-
-*`redis.info.persistence.rdb.bgsave.last_time.sec`*::
-+
---
-Duration of the last RDB save operation in seconds
-
-
-type: long
-
-format: duration
-
---
-
-*`redis.info.persistence.rdb.bgsave.current_time.sec`*::
-+
---
-Duration of the on-going RDB save operation if any
-
-
-type: long
-
-format: duration
-
---
-
-*`redis.info.persistence.rdb.copy_on_write.last_size`*::
-+
---
-The size in bytes of copy-on-write allocations during the last RBD save operation
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== aof
-
-Provides information about AOF persitence
-
-
-
-*`redis.info.persistence.aof.enabled`*::
-+
---
-Flag indicating AOF logging is activated
-
-
-type: boolean
-
---
-
-*`redis.info.persistence.aof.rewrite.in_progress`*::
-+
---
-Flag indicating a AOF rewrite operation is on-going
-
-
-type: boolean
-
---
-
-*`redis.info.persistence.aof.rewrite.scheduled`*::
-+
---
-Flag indicating an AOF rewrite operation will be scheduled once the on-going RDB save is complete.
-
-
-type: boolean
-
---
-
-*`redis.info.persistence.aof.rewrite.last_time.sec`*::
-+
---
-Duration of the last AOF rewrite operation in seconds
-
-
-type: long
-
-format: duration
-
---
-
-*`redis.info.persistence.aof.rewrite.current_time.sec`*::
-+
---
-Duration of the on-going AOF rewrite operation if any
-
-
-type: long
-
-format: duration
-
---
-
-*`redis.info.persistence.aof.rewrite.buffer.size`*::
-+
---
-Size of the AOF rewrite buffer
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.persistence.aof.bgrewrite.last_status`*::
-+
---
-Status of the last AOF rewrite operatio
-
-
-type: keyword
-
---
-
-*`redis.info.persistence.aof.write.last_status`*::
-+
---
-Status of the last write operation to the AOF
-
-
-type: keyword
-
---
-
-*`redis.info.persistence.aof.copy_on_write.last_size`*::
-+
---
-The size in bytes of copy-on-write allocations during the last RBD save operation
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.persistence.aof.buffer.size`*::
-+
---
-Size of the AOF buffer
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.persistence.aof.size.current`*::
-+
---
-AOF current file size
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.persistence.aof.size.base`*::
-+
---
-AOF file size on latest startup or rewrite
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.persistence.aof.fsync.pending`*::
-+
---
-Number of fsync pending jobs in background I/O queue
-
-
-type: long
-
---
-
-*`redis.info.persistence.aof.fsync.delayed`*::
-+
---
-Delayed fsync counter
-
-
-type: long
-
---
-
-[float]
-=== replication
-
-Replication
-
-
-
-*`redis.info.replication.role`*::
-+
---
-Role of the instance (can be "master", or "slave").
-
-
-type: keyword
-
---
-
-*`redis.info.replication.connected_slaves`*::
-+
---
-Number of connected slaves
-
-
-type: long
-
---
-
-*`redis.info.replication.backlog.active`*::
-+
---
-Flag indicating replication backlog is active
-
-
-type: long
-
---
-
-*`redis.info.replication.backlog.size`*::
-+
---
-Total size in bytes of the replication backlog buffer
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.replication.backlog.first_byte_offset`*::
-+
---
-The master offset of the replication backlog buffer
-
-
-type: long
-
---
-
-*`redis.info.replication.backlog.histlen`*::
-+
---
-Size in bytes of the data in the replication backlog buffer
-
-
-type: long
-
---
-
-*`redis.info.replication.master.offset`*::
-+
---
-The server's current replication offset
-
-
-type: long
-
---
-
-*`redis.info.replication.master.second_offset`*::
-+
---
-The offset up to which replication IDs are accepted
-
-
-type: long
-
---
-
-*`redis.info.replication.master.link_status`*::
-+
---
-Status of the link (up/down)
-
-
-type: keyword
-
---
-
-*`redis.info.replication.master.last_io_seconds_ago`*::
-+
---
-Number of seconds since the last interaction with master
-
-
-type: long
-
-format: duration
-
---
-
-*`redis.info.replication.master.sync.in_progress`*::
-+
---
-Indicate the master is syncing to the slave
-
-
-type: boolean
-
---
-
-*`redis.info.replication.master.sync.left_bytes`*::
-+
---
-Number of bytes left before syncing is complete
-
-
-type: long
-
-format: bytes
-
---
-
-*`redis.info.replication.master.sync.last_io_seconds_ago`*::
-+
---
-Number of seconds since last transfer I/O during a SYNC operation
-
-
-type: long
-
-format: duration
-
---
-
-*`redis.info.replication.slave.offset`*::
-+
---
-The replication offset of the slave instance
-
-
-type: long
-
---
-
-*`redis.info.replication.slave.priority`*::
-+
---
-The priority of the instance as a candidate for failover
-
-
-type: long
-
---
-
-*`redis.info.replication.slave.is_readonly`*::
-+
---
-Flag indicating if the slave is read-only
-
-
-type: boolean
-
---
-
-[float]
-=== server
-
-Server info
-
-
-
-*`redis.info.server.version`*::
-+
---
-None
-
-type: alias
-
-alias to: service.version
-
---
-
-*`redis.info.server.git_sha1`*::
-+
---
-None
-
-type: keyword
-
---
-
-*`redis.info.server.git_dirty`*::
-+
---
-None
-
-type: keyword
-
---
-
-*`redis.info.server.build_id`*::
-+
---
-None
-
-type: keyword
-
---
-
-*`redis.info.server.mode`*::
-+
---
-None
-
-type: keyword
-
---
-
-*`redis.info.server.os`*::
-+
---
-None
-
-type: alias
-
-alias to: os.full
-
---
-
-*`redis.info.server.arch_bits`*::
-+
---
-None
-
-type: keyword
-
---
-
-*`redis.info.server.multiplexing_api`*::
-+
---
-None
-
-type: keyword
-
---
-
-*`redis.info.server.gcc_version`*::
-+
---
-None
-
-type: keyword
-
---
-
-*`redis.info.server.process_id`*::
-+
---
-None
-
-type: alias
-
-alias to: process.pid
-
---
-
-*`redis.info.server.run_id`*::
-+
---
-None
-
-type: keyword
-
---
-
-*`redis.info.server.tcp_port`*::
-+
---
-None
-
-type: long
-
---
-
-*`redis.info.server.uptime`*::
-+
---
-None
-
-type: long
-
---
-
-*`redis.info.server.hz`*::
-+
---
-None
-
-type: long
-
---
-
-*`redis.info.server.lru_clock`*::
-+
---
-None
-
-type: long
-
---
-
-*`redis.info.server.config_file`*::
-+
---
-None
-
-type: keyword
-
---
-
-[float]
-=== stats
-
-Redis stats.
-
-
-
-*`redis.info.stats.connections.received`*::
-+
---
-Total number of connections received.
-
-type: long
-
---
-
-*`redis.info.stats.connections.rejected`*::
-+
---
-Total number of connections rejected.
-
-type: long
-
---
-
-*`redis.info.stats.commands_processed`*::
-+
---
-Total number of commands processed.
-
-type: long
-
---
-
-*`redis.info.stats.net.input.bytes`*::
-+
---
-Total network input in bytes.
-
-type: long
-
---
-
-*`redis.info.stats.net.output.bytes`*::
-+
---
-Total network output in bytes.
-
-type: long
-
---
-
-*`redis.info.stats.instantaneous.ops_per_sec`*::
-+
---
-Number of commands processed per second
-
-
-type: long
-
---
-
-*`redis.info.stats.instantaneous.input_kbps`*::
-+
---
-The network's read rate per second in KB/sec
-
-
-type: scaled_float
-
---
-
-*`redis.info.stats.instantaneous.output_kbps`*::
-+
---
-The network's write rate per second in KB/sec
-
-
-type: scaled_float
-
---
-
-*`redis.info.stats.sync.full`*::
-+
---
-The number of full resyncs with slaves
-
-
-type: long
-
---
-
-*`redis.info.stats.sync.partial.ok`*::
-+
---
-The number of accepted partial resync requests
-
-
-type: long
-
---
-
-*`redis.info.stats.sync.partial.err`*::
-+
---
-The number of denied partial resync requests
-
-
-type: long
-
---
-
-*`redis.info.stats.keys.expired`*::
-+
---
-Total number of key expiration events
-
-
-type: long
-
---
-
-*`redis.info.stats.keys.evicted`*::
-+
---
-Number of evicted keys due to maxmemory limit
-
-
-type: long
-
---
-
-*`redis.info.stats.keyspace.hits`*::
-+
---
-Number of successful lookup of keys in the main dictionary
-
-
-type: long
-
---
-
-*`redis.info.stats.keyspace.misses`*::
-+
---
-Number of failed lookup of keys in the main dictionary
-
-
-type: long
-
---
-
-*`redis.info.stats.pubsub.channels`*::
-+
---
-Global number of pub/sub channels with client subscriptions
-
-
-type: long
-
---
-
-*`redis.info.stats.pubsub.patterns`*::
-+
---
-Global number of pub/sub pattern with client subscriptions
-
-
-type: long
-
---
-
-*`redis.info.stats.latest_fork_usec`*::
-+
---
-Duration of the latest fork operation in microseconds
-
-
-type: long
-
---
-
-*`redis.info.stats.migrate_cached_sockets`*::
-+
---
-The number of sockets open for MIGRATE purposes
-
-
-type: long
-
---
-
-*`redis.info.stats.slave_expires_tracked_keys`*::
-+
---
-The number of keys tracked for expiry purposes (applicable only to writable slaves)
-
-
-type: long
-
---
-
-*`redis.info.stats.active_defrag.hits`*::
-+
---
-Number of value reallocations performed by active the defragmentation process
-
-
-type: long
-
---
-
-*`redis.info.stats.active_defrag.misses`*::
-+
---
-Number of aborted value reallocations started by the active defragmentation process
-
-
-type: long
-
---
-
-*`redis.info.stats.active_defrag.key_hits`*::
-+
---
-Number of keys that were actively defragmented
-
-
-type: long
-
---
-
-*`redis.info.stats.active_defrag.key_misses`*::
-+
---
-Number of keys that were skipped by the active defragmentation process
-
-
-type: long
-
---
-
-*`redis.info.slowlog.count`*::
-+
---
-Count of slow operations
-
-
-type: long
-
---
-
-[float]
-=== commandstats
-
-Redis command statistics
-
-
-
-*`redis.info.commandstats.*.calls`*::
-+
---
-The number of calls that reached command execution (not rejected).
-
-
-type: long
-
---
-
-*`redis.info.commandstats.*.usec`*::
-+
---
-The total CPU time consumed by these commands.
-
-
-type: long
-
---
-
-*`redis.info.commandstats.*.usec_per_call`*::
-+
---
-The average CPU consumed per command execution.
-
-
-type: float
-
---
-
-*`redis.info.commandstats.*.rejected_calls`*::
-+
---
-The number of rejected calls (on redis 6.2-rc2).
-
-
-type: long
-
---
-
-*`redis.info.commandstats.*.failed_calls`*::
-+
---
-The number of failed calls (on redis 6.2-rc2).
-
-
-type: long
-
---
-
-[float]
-=== key
-
-`key` contains information about keys.
-
-
-
-*`redis.key.name`*::
-+
---
-Key name.
-
-
-type: keyword
-
---
-
-*`redis.key.id`*::
-+
---
-Unique id for this key (With the form <keyspace>:<name>).
-
-
-type: keyword
-
---
-
-*`redis.key.type`*::
-+
---
-Key type as shown by `TYPE` command.
-
-
-type: keyword
-
---
-
-*`redis.key.length`*::
-+
---
-Length of the key (Number of elements for lists, length for strings, cardinality for sets).
-
-
-type: long
-
---
-
-*`redis.key.expire.ttl`*::
-+
---
-Seconds to expire.
-
-
-type: long
-
---
-
-[float]
-=== keyspace
-
-`keyspace` contains the information about the keyspaces returned by the `INFO` command.
-
-
-
-*`redis.keyspace.id`*::
-+
---
-Keyspace identifier.
-
-
-type: keyword
-
---
-
-*`redis.keyspace.avg_ttl`*::
-+
---
-Average ttl.
-
-
-type: long
-
---
-
-*`redis.keyspace.keys`*::
-+
---
-Number of keys in the keyspace.
-
-
-type: long
-
---
-
-*`redis.keyspace.expires`*::
-+
---
-
-
-type: long
-
---
-
-[[exported-fields-redisenterprise]]
-== Redis Enterprise fields
-
-Redis metrics collected from Redis Enterprise Server.
-
-
-
-[float]
-=== redisenterprise
-
-`redisenterprise` contains the information and statistics from Redis Enterprise Server.
-
-
-
-[[exported-fields-sql]]
-== SQL fields
-
-SQL module fetches metrics from a SQL database
-
-
-
-
-*`sql.driver`*::
-+
---
-Driver used to execute the query.
-
-
-type: keyword
-
---
-
-*`sql.query`*::
-+
---
-Query executed to collect metrics.
-
-
-type: keyword
-
---
-
-*`sql.metrics.numeric.*`*::
-+
---
-Numeric metrics collected.
-
-
-type: object
-
---
-
-*`sql.metrics.string.*`*::
-+
---
-Non-numeric values collected.
-
-
-type: object
-
---
-
-*`sql.metrics.boolean.*`*::
-+
---
-Boolean values collected.
-
-
-type: object
-
---
-
-[[exported-fields-stan]]
-== Stan fields
-
-stan Module
-
-
-
-[float]
-=== stan
-
-`stan` contains statistics that were read from Nats Streaming server (STAN)
-
-
-
-*`stan.server.id`*::
-+
---
-The server ID
-
-
-type: keyword
-
---
-
-*`stan.cluster.id`*::
-+
---
-The cluster ID
-
-
-type: keyword
-
---
-
-[float]
-=== channels
-
-Contains stan / nats streaming/serverz endpoint metrics
-
-
-
-*`stan.channels.name`*::
-+
---
-The name of the STAN streaming channel
-
-
-type: keyword
-
---
-
-*`stan.channels.messages`*::
-+
---
-The number of STAN streaming messages
-
-
-type: long
-
---
-
-*`stan.channels.bytes`*::
-+
---
-The number of STAN bytes in the channel
-
-
-type: long
-
---
-
-*`stan.channels.first_seq`*::
-+
---
-First sequence number stored in the channel. If first_seq > min([seq in subscriptions]) data loss has possibly occurred
-
-
-type: long
-
---
-
-*`stan.channels.last_seq`*::
-+
---
-Last sequence number stored in the channel
-
-
-type: long
-
---
-
-*`stan.channels.depth`*::
-+
---
-Queue depth based upon current sequence number and highest reported subscriber sequence number
-
-
-type: long
-
---
-
-[float]
-=== stats
-
-Contains only high-level stan / nats streaming server related metrics
-
-
-
-*`stan.stats.state`*::
-+
---
-The cluster / streaming configuration state (STANDALONE, CLUSTERED)
-
-
-type: keyword
-
---
-
-*`stan.stats.role`*::
-+
---
-If clustered, role of this node in the cluster (Leader, Follower, Candidate)
-
-
-type: keyword
-
---
-
-*`stan.stats.clients`*::
-+
---
-The number of STAN clients
-
-
-type: integer
-
---
-
-*`stan.stats.subscriptions`*::
-+
---
-The number of STAN streaming subscriptions
-
-
-type: integer
-
---
-
-*`stan.stats.channels`*::
-+
---
-The number of STAN channels
-
-
-type: integer
-
---
-
-*`stan.stats.messages`*::
-+
---
-Number of messages across all STAN queues
-
-
-type: long
-
---
-
-*`stan.stats.bytes`*::
-+
---
-Number of bytes consumed across all STAN queues
-
-
-type: long
-
---
-
-[float]
-=== subscriptions
-
-Contains stan / nats streaming/serverz endpoint subscription metrics
-
-
-
-*`stan.subscriptions.id`*::
-+
---
-The name of the STAN channel subscription (client_id)
-
-
-type: keyword
-
---
-
-*`stan.subscriptions.channel`*::
-+
---
-The name of the STAN channel the subscription is associated with
-
-
-type: keyword
-
---
-
-*`stan.subscriptions.queue`*::
-+
---
-The name of the NATS queue that the STAN channel subscription is associated with, if any
-
-
-type: keyword
-
---
-
-*`stan.subscriptions.last_sent`*::
-+
---
-Last known sequence number of the subscription that was acked
-
-
-type: long
-
---
-
-*`stan.subscriptions.pending`*::
-+
---
-Number of pending messages from / to the subscriber
-
-
-type: long
-
---
-
-*`stan.subscriptions.offline`*::
-+
---
-Is the subscriber marked as offline?
-
-
-type: boolean
-
---
-
-*`stan.subscriptions.stalled`*::
-+
---
-Is the subscriber known to be stalled?
-
-
-type: boolean
-
---
-
-[[exported-fields-statsd]]
-== Statsd fields
-
-Statsd module
-
-
-
-
-*`statsd.*.count`*::
-+
---
-Statsd counters
-
-
-type: object
-
---
-
-*`statsd.*.*`*::
-+
---
-Statsd metrics
-
-
-type: object
-
---
-
-[[exported-fields-syncgateway]]
-== SyncGateway fields
-
-SyncGateway metrics
-
-
-[float]
-=== syncgateway
-
-`syncgateway` contains the information and statistics from SyncGateway.
-
-
-
-[float]
-=== syncgateway
-
-Couchbase Sync Gateway metrics.
-
-
-
-*`syncgateway.syncgateway.name`*::
-+
---
-Name of the database on when field `couchbase.syncgateway.type` is `db_stats`.
-
-
-type: keyword
-
---
-
-[float]
-=== metrics
-
-Metrics of all databases contained in the config file of the SyncGateway instance.
-
-
-
-
-*`syncgateway.syncgateway.metrics.docs.writes.conflict.count`*::
-+
---
-type: long
-
---
-
-*`syncgateway.syncgateway.metrics.docs.writes.count`*::
-+
---
-type: long
-
---
-
-*`syncgateway.syncgateway.metrics.docs.writes.bytes`*::
-+
---
-type: long
-
---
-
-
-*`syncgateway.syncgateway.metrics.replications.active`*::
-+
---
-Number of active replications
-
-type: long
-
---
-
-*`syncgateway.syncgateway.metrics.replications.total`*::
-+
---
-Total number of replications (active or not)
-
-type: long
-
---
-
-
-
-
-
-*`syncgateway.syncgateway.gsi.views.tombstones.query.count`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.gsi.views.tombstones.query.time`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.gsi.views.tombstones.query.error.count`*::
-+
---
-type: double
-
---
-
-
-
-*`syncgateway.syncgateway.gsi.views.access.query.count`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.gsi.views.access.query.error.count`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.gsi.views.access.query.time`*::
-+
---
-type: double
-
---
-
-
-
-*`syncgateway.syncgateway.gsi.views.channels.query.count`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.gsi.views.channels.query.error.count`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.gsi.views.channels.query.time`*::
-+
---
-type: double
-
---
-
-
-
-*`syncgateway.syncgateway.gsi.views.channels.star.query.time`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.gsi.views.channels.star.query.count`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.gsi.views.channels.star.query.error.count`*::
-+
---
-type: double
-
---
-
-
-
-*`syncgateway.syncgateway.gsi.views.role_access.query.count`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.gsi.views.role_access.query.error.count`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.gsi.views.role_access.query.time`*::
-+
---
-type: double
-
---
-
-
-
-*`syncgateway.syncgateway.gsi.views.sequences.query.count`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.gsi.views.sequences.query.error.count`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.gsi.views.sequences.query.time`*::
-+
---
-type: double
-
---
-
-
-
-*`syncgateway.syncgateway.gsi.views.all_docs.query.count`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.gsi.views.all_docs.query.error.count`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.gsi.views.all_docs.query.time`*::
-+
---
-type: double
-
---
-
-
-
-*`syncgateway.syncgateway.gsi.views.principals.query.count`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.gsi.views.principals.query.error.count`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.gsi.views.principals.query.time`*::
-+
---
-type: double
-
---
-
-
-
-*`syncgateway.syncgateway.gsi.views.resync.query.count`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.gsi.views.resync.query.error.count`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.gsi.views.resync.query.time`*::
-+
---
-type: double
-
---
-
-
-
-*`syncgateway.syncgateway.gsi.views.sessions.query.count`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.gsi.views.sessions.query.error.count`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.gsi.views.sessions.query.time`*::
-+
---
-type: double
-
---
-
-
-
-*`syncgateway.syncgateway.security.access_errors.count`*::
-+
---
-type: double
-
---
-
-
-
-*`syncgateway.syncgateway.security.auth.failed.count`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.security.docs_rejected.count`*::
-+
---
-type: double
-
---
-
-
-
-
-*`syncgateway.syncgateway.cache.channel.revs.active`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cache.channel.revs.removal`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cache.channel.revs.tombstone`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cache.channel.hits`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cache.channel.misses`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.cache.revs.hits`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cache.revs.misses`*::
-+
---
-type: double
-
---
-
-
-
-
-*`syncgateway.syncgateway.cbl.replication.pull.caught_up`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cbl.replication.pull.since_zero`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.cbl.replication.pull.total.continuous`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cbl.replication.pull.total.one_shot`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.cbl.replication.pull.active.continuous`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cbl.replication.pull.active.count`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cbl.replication.pull.active.one_shot`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.cbl.replication.pull.attachment.bytes`*::
-+
---
-type: long
-
---
-
-*`syncgateway.syncgateway.cbl.replication.pull.attachment.count`*::
-+
---
-type: long
-
---
-
-
-*`syncgateway.syncgateway.cbl.replication.pull.request_changes.count`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cbl.replication.pull.request_changes.time`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.cbl.replication.pull.rev.processing_time`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.cbl.replication.pull.rev.send.count`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cbl.replication.pull.rev.send.latency`*::
-+
---
-type: double
-
---
-
-
-
-*`syncgateway.syncgateway.cbl.replication.push.attachment.bytes`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cbl.replication.push.attachment.count`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cbl.replication.push.doc_push_count`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.cbl.replication.push.propose_change.count`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cbl.replication.push.propose_change.time`*::
-+
---
-type: double
-
---
-
-
-*`syncgateway.syncgateway.cbl.replication.push.sync_function.count`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cbl.replication.push.sync_function.time`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.cbl.replication.push.write_processing_time`*::
-+
---
-type: double
-
---
-
-[float]
-=== memstats
-
-Dumps a large amount of information about the memory heap and garbage collector
-
-
-*`syncgateway.syncgateway.memstats.BuckHashSys`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.Mallocs`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.PauseTotalNs`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.TotalAlloc`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.Alloc`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.GCSys`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.LastGC`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.MSpanSys`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.GCCPUFraction`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.HeapReleased`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.HeapSys`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.DebugGC`*::
-+
---
-type: long
-
---
-
-*`syncgateway.syncgateway.memstats.HeapIdle`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.Lookups`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.HeapObjects`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.MSpanInuse`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.NumForcedGC`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.OtherSys`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.Frees`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.NextGC`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.StackInuse`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.Sys`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.NumGC`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.EnableGC`*::
-+
---
-type: long
-
---
-
-*`syncgateway.syncgateway.memstats.HeapAlloc`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.MCacheInuse`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.MCacheSys`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.HeapInuse`*::
-+
---
-type: double
-
---
-
-*`syncgateway.syncgateway.memstats.StackSys`*::
-+
---
-type: double
-
---
-
-[float]
-=== memory
-
-SyncGateway memory metrics. It dumps a large amount of information about the memory heap and garbage collector
-
-
-
-*`syncgateway.memory.BuckHashSys`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.Mallocs`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.PauseTotalNs`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.TotalAlloc`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.Alloc`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.GCSys`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.LastGC`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.MSpanSys`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.GCCPUFraction`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.HeapReleased`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.HeapSys`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.DebugGC`*::
-+
---
-type: long
-
---
-
-*`syncgateway.memory.HeapIdle`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.Lookups`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.HeapObjects`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.MSpanInuse`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.NumForcedGC`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.OtherSys`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.Frees`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.NextGC`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.StackInuse`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.Sys`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.NumGC`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.EnableGC`*::
-+
---
-type: long
-
---
-
-*`syncgateway.memory.HeapAlloc`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.MCacheInuse`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.MCacheSys`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.HeapInuse`*::
-+
---
-type: double
-
---
-
-*`syncgateway.memory.StackSys`*::
-+
---
-type: double
-
---
-
-[float]
-=== replication
-
-SyncGateway per replication metrics.
-
-
-
-[float]
-=== metrics
-
-Metrics related with data replication.
-
-
-
-
-*`syncgateway.replication.metrics.attachment.transferred.bytes`*::
-+
---
-Number of attachment bytes transferred for this replica.
-
-type: long
-
---
-
-*`syncgateway.replication.metrics.attachment.transferred.count`*::
-+
---
-The total number of attachments transferred since replication started.
-
-type: long
-
---
-
-
-*`syncgateway.replication.metrics.docs.checked_sent`*::
-+
---
-The total number of documents checked for changes since replication started.
-
-type: double
-
---
-
-
-*`syncgateway.replication.metrics.docs.pushed.count`*::
-+
---
-The total number of documents checked for changes since replication started.
-
-type: long
-
---
-
-*`syncgateway.replication.metrics.docs.pushed.failed`*::
-+
---
-The total number of documents that failed to be pushed since replication started.
-
-type: long
-
---
-
-*`syncgateway.replication.id`*::
-+
---
-ID of the replica.
-
-type: keyword
-
---
-
-[float]
-=== resources
-
-SyncGateway global resource utilization
-
-
-
-*`syncgateway.resources.error_count`*::
-+
---
-type: long
-
---
-
-*`syncgateway.resources.goroutines_high_watermark`*::
-+
---
-type: long
-
---
-
-*`syncgateway.resources.num_goroutines`*::
-+
---
-type: long
-
---
-
-
-*`syncgateway.resources.process.cpu_percent_utilization`*::
-+
---
-type: long
-
---
-
-*`syncgateway.resources.process.memory_resident`*::
-+
---
-type: long
-
---
-
-
-
-*`syncgateway.resources.pub_net.recv.bytes`*::
-+
---
-type: long
-
---
-
-
-*`syncgateway.resources.pub_net.sent.bytes`*::
-+
---
-type: long
-
---
-
-
-*`syncgateway.resources.admin_net_bytes.recv`*::
-+
---
-type: long
-
---
-
-*`syncgateway.resources.admin_net_bytes.sent`*::
-+
---
-type: long
-
---
-
-
-
-*`syncgateway.resources.go_memstats.heap.alloc`*::
-+
---
-type: long
-
---
-
-*`syncgateway.resources.go_memstats.heap.idle`*::
-+
---
-type: long
-
---
-
-*`syncgateway.resources.go_memstats.heap.inuse`*::
-+
---
-type: long
-
---
-
-*`syncgateway.resources.go_memstats.heap.released`*::
-+
---
-type: long
-
---
-
-
-*`syncgateway.resources.go_memstats.pause.ns`*::
-+
---
-type: long
-
---
-
-
-*`syncgateway.resources.go_memstats.stack.inuse`*::
-+
---
-type: long
-
---
-
-*`syncgateway.resources.go_memstats.stack.sys`*::
-+
---
-type: long
-
---
-
-*`syncgateway.resources.go_memstats.sys`*::
-+
---
-type: long
-
---
-
-*`syncgateway.resources.system_memory_total`*::
-+
---
-type: long
-
---
-
-*`syncgateway.resources.warn_count`*::
-+
---
-type: long
-
---
-
-[[exported-fields-system]]
-== System fields
-
-System status metrics, like CPU and memory usage, that are collected from the operating system.
-
-
-
-[float]
-=== process
-
-Process metrics.
-
-
-
-*`process.state`*::
-+
---
-The process state. For example: "running".
-
-
-type: keyword
-
---
-
-*`process.cpu.pct`*::
-+
---
-The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`process.cpu.start_time`*::
-+
---
-The time when the process was started.
-
-
-type: date
-
---
-
-*`process.memory.pct`*::
-+
---
-The percentage of memory the process occupied in main memory (RAM).
-
-
-type: scaled_float
-
-format: percent
-
---
-
-[float]
-=== system
-
-`system` contains local system metrics.
-
-
-
-[float]
-=== core
-
-`system-core` contains CPU metrics for a single core of a multi-core system.
-
-
-
-*`system.core.id`*::
-+
---
-CPU Core number.
-
-
-type: long
-
---
-
-*`system.core.total.pct`*::
-+
---
-Total active time spent by the core
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.core.user.pct`*::
-+
---
-The percentage of CPU time spent in user space.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.core.user.ticks`*::
-+
---
-The amount of CPU time spent in user space.
-
-
-type: long
-
---
-
-*`system.core.system.pct`*::
-+
---
-The percentage of CPU time spent in kernel space.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.core.system.ticks`*::
-+
---
-The amount of CPU time spent in kernel space.
-
-
-type: long
-
---
-
-*`system.core.nice.pct`*::
-+
---
-The percentage of CPU time spent on low-priority processes.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.core.nice.ticks`*::
-+
---
-The amount of CPU time spent on low-priority processes.
-
-
-type: long
-
---
-
-*`system.core.idle.pct`*::
-+
---
-The percentage of CPU time spent idle.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.core.idle.ticks`*::
-+
---
-The amount of CPU time spent idle.
-
-
-type: long
-
---
-
-*`system.core.iowait.pct`*::
-+
---
-The percentage of CPU time spent in wait (on disk).
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.core.iowait.ticks`*::
-+
---
-The amount of CPU time spent in wait (on disk).
-
-
-type: long
-
---
-
-*`system.core.irq.pct`*::
-+
---
-The percentage of CPU time spent servicing and handling hardware interrupts.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.core.irq.ticks`*::
-+
---
-The amount of CPU time spent servicing and handling hardware interrupts.
-
-
-type: long
-
---
-
-*`system.core.softirq.pct`*::
-+
---
-The percentage of CPU time spent servicing and handling software interrupts.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.core.softirq.ticks`*::
-+
---
-The amount of CPU time spent servicing and handling software interrupts.
-
-
-type: long
-
---
-
-*`system.core.steal.pct`*::
-+
---
-The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.core.steal.ticks`*::
-+
---
-The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
-
-
-type: long
-
---
-
-*`system.core.model_number`*::
-+
---
-CPU model number. Only availabe on Linux
-
-
-type: keyword
-
---
-
-*`system.core.model_name`*::
-+
---
-CPU model name. Only availabe on Linux
-
-
-type: keyword
-
---
-
-*`system.core.mhz`*::
-+
---
-CPU core current clock. Only availabe on Linux
-
-
-type: float
-
---
-
-*`system.core.core_id`*::
-+
---
-CPU physical core ID. One core might might execute multiple threads, hence more than one `system.core.id` can share the same `system.core.core_id`. Only availabe on Linux
-
-
-type: keyword
-
---
-
-*`system.core.physical_id`*::
-+
---
-CPU core physical ID. Only availabe on Linux
-
-
-type: keyword
-
---
-
-[float]
-=== cpu
-
-`cpu` contains local CPU stats.
-
-
-
-*`system.cpu.cores`*::
-+
---
-The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%.
-
-
-type: long
-
---
-
-*`system.cpu.user.pct`*::
-+
---
-The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.system.pct`*::
-+
---
-The percentage of CPU time spent in kernel space.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.nice.pct`*::
-+
---
-The percentage of CPU time spent on low-priority processes.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.idle.pct`*::
-+
---
-The percentage of CPU time spent idle.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.iowait.pct`*::
-+
---
-The percentage of CPU time spent in wait (on disk).
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.irq.pct`*::
-+
---
-The percentage of CPU time spent servicing and handling hardware interrupts.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.softirq.pct`*::
-+
---
-The percentage of CPU time spent servicing and handling software interrupts.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.steal.pct`*::
-+
---
-The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.total.pct`*::
-+
---
-The percentage of CPU time spent in states other than Idle and IOWait.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.user.norm.pct`*::
-+
---
-The percentage of CPU time spent in user space.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.system.norm.pct`*::
-+
---
-The percentage of CPU time spent in kernel space.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.nice.norm.pct`*::
-+
---
-The percentage of CPU time spent on low-priority processes.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.idle.norm.pct`*::
-+
---
-The percentage of CPU time spent idle.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.iowait.norm.pct`*::
-+
---
-The percentage of CPU time spent in wait (on disk).
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.irq.norm.pct`*::
-+
---
-The percentage of CPU time spent servicing and handling hardware interrupts.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.softirq.norm.pct`*::
-+
---
-The percentage of CPU time spent servicing and handling software interrupts.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.steal.norm.pct`*::
-+
---
-The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.total.norm.pct`*::
-+
---
-The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.cpu.user.ticks`*::
-+
---
-The amount of CPU time spent in user space.
-
-
-type: long
-
---
-
-*`system.cpu.system.ticks`*::
-+
---
-The amount of CPU time spent in kernel space.
-
-
-type: long
-
---
-
-*`system.cpu.nice.ticks`*::
-+
---
-The amount of CPU time spent on low-priority processes.
-
-
-type: long
-
---
-
-*`system.cpu.idle.ticks`*::
-+
---
-The amount of CPU time spent idle.
-
-
-type: long
-
---
-
-*`system.cpu.iowait.ticks`*::
-+
---
-The amount of CPU time spent in wait (on disk).
-
-
-type: long
-
---
-
-*`system.cpu.irq.ticks`*::
-+
---
-The amount of CPU time spent servicing and handling hardware interrupts.
-
-
-type: long
-
---
-
-*`system.cpu.softirq.ticks`*::
-+
---
-The amount of CPU time spent servicing and handling software interrupts.
-
-
-type: long
-
---
-
-*`system.cpu.steal.ticks`*::
-+
---
-The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
-
-
-type: long
-
---
-
-[float]
-=== diskio
-
-`disk` contains disk IO metrics collected from the operating system.
-
-
-
-*`system.diskio.name`*::
-+
---
-The disk name.
-
-
-type: keyword
-
-example: sda1
-
---
-
-*`system.diskio.serial_number`*::
-+
---
-The disk's serial number. This may not be provided by all operating systems.
-
-
-type: keyword
-
---
-
-*`system.diskio.read.count`*::
-+
---
-The total number of reads completed successfully.
-
-
-type: long
-
---
-
-*`system.diskio.write.count`*::
-+
---
-The total number of writes completed successfully.
-
-
-type: long
-
---
-
-*`system.diskio.read.bytes`*::
-+
---
-The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.diskio.write.bytes`*::
-+
---
-The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.diskio.read.time`*::
-+
---
-The total number of milliseconds spent by all reads.
-
-
-type: long
-
---
-
-*`system.diskio.write.time`*::
-+
---
-The total number of milliseconds spent by all writes.
-
-
-type: long
-
---
-
-*`system.diskio.io.time`*::
-+
---
-The total number of of milliseconds spent doing I/Os.
-
-
-type: long
-
---
-
-*`system.diskio.io.ops`*::
-+
---
-The total number of I/Os in progress.
-
-
-type: long
-
---
-
-[float]
-=== entropy
-
-Available system entropy
-
-
-
-*`system.entropy.available_bits`*::
-+
---
-The available bits of entropy
-
-
-type: long
-
---
-
-*`system.entropy.pct`*::
-+
---
-The percentage of available entropy, relative to the pool size of 4096
-
-
-type: scaled_float
-
-format: percent
-
---
-
-[float]
-=== filesystem
-
-`filesystem` contains local filesystem stats.
-
-
-
-*`system.filesystem.available`*::
-+
---
-The disk space available to an unprivileged user in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.filesystem.device_name`*::
-+
---
-The disk name. For example: `/dev/disk1`
-
-
-type: keyword
-
---
-
-*`system.filesystem.type`*::
-+
---
-The disk type. For example: `ext4`. In some case for Windows OS the value will be `unavailable` as access to this information is not allowed (ex. external disks).
-
-
-type: keyword
-
---
-
-*`system.filesystem.mount_point`*::
-+
---
-The mounting point. For example: `/`
-
-
-type: keyword
-
---
-
-*`system.filesystem.files`*::
-+
---
-Total number of inodes on the system, which will be a combination of files, folders, symlinks, and devices.
-
-
-type: long
-
---
-
-*`system.filesystem.options`*::
-+
---
-The options present on the filesystem mount.
-
-
-type: keyword
-
---
-
-*`system.filesystem.free`*::
-+
---
-The disk space available in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.filesystem.free_files`*::
-+
---
-The number of free inodes in the file system.
-
-
-type: long
-
---
-
-*`system.filesystem.total`*::
-+
---
-The total disk space in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.filesystem.used.bytes`*::
-+
---
-The used disk space in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.filesystem.used.pct`*::
-+
---
-The percentage of used disk space.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-[float]
-=== fsstat
-
-`system.fsstat` contains filesystem metrics aggregated from all mounted filesystems.
-
-
-
-*`system.fsstat.count`*::
-+
---
-Number of file systems found.
-
-type: long
-
---
-
-*`system.fsstat.total_files`*::
-+
---
-Total number of inodes on the system, which will be a combination of files, folders, symlinks, and devices. Not on Windows.
-
-type: long
-
---
-
-[float]
-=== total_size
-
-Nested file system docs.
-
-
-*`system.fsstat.total_size.free`*::
-+
---
-Total free space.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.fsstat.total_size.used`*::
-+
---
-Total used space.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.fsstat.total_size.total`*::
-+
---
-Total space (used plus free).
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== load
-
-CPU load averages.
-
-
-
-*`system.load.1`*::
-+
---
-Load average for the last minute.
-
-
-type: scaled_float
-
---
-
-*`system.load.5`*::
-+
---
-Load average for the last 5 minutes.
-
-
-type: scaled_float
-
---
-
-*`system.load.15`*::
-+
---
-Load average for the last 15 minutes.
-
-
-type: scaled_float
-
---
-
-*`system.load.norm.1`*::
-+
---
-Load for the last minute divided by the number of cores.
-
-
-type: scaled_float
-
---
-
-*`system.load.norm.5`*::
-+
---
-Load for the last 5 minutes divided by the number of cores.
-
-
-type: scaled_float
-
---
-
-*`system.load.norm.15`*::
-+
---
-Load for the last 15 minutes divided by the number of cores.
-
-
-type: scaled_float
-
---
-
-*`system.load.cores`*::
-+
---
-The number of CPU cores present on the host.
-
-
-type: long
-
---
-
-[float]
-=== memory
-
-`memory` contains local memory stats.
-
-
-
-*`system.memory.total`*::
-+
---
-Total memory.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.memory.used.bytes`*::
-+
---
-Used memory.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.memory.free`*::
-+
---
-The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free).
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.memory.cached`*::
-+
---
-Total Cached memory on system.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.memory.used.pct`*::
-+
---
-The percentage of used memory.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-[float]
-=== actual
-
-Actual memory used and free.
-
-
-
-*`system.memory.actual.used.bytes`*::
-+
---
-Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.memory.actual.free`*::
-+
---
-Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo,  or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.memory.actual.used.pct`*::
-+
---
-The percentage of actual used memory.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-[float]
-=== swap
-
-This group contains statistics related to the swap memory usage on the system.
-
-
-*`system.memory.swap.total`*::
-+
---
-Total swap memory.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.memory.swap.used.bytes`*::
-+
---
-Used swap memory.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.memory.swap.free`*::
-+
---
-Available swap memory.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.memory.swap.used.pct`*::
-+
---
-The percentage of used swap memory.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-[float]
-=== network
-
-`network` contains network IO metrics for a single network interface.
-
-
-
-*`system.network.name`*::
-+
---
-The network interface name.
-
-
-type: keyword
-
-example: eth0
-
---
-
-*`system.network.out.bytes`*::
-+
---
-The number of bytes sent.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.network.in.bytes`*::
-+
---
-The number of bytes received.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.network.out.packets`*::
-+
---
-The number of packets sent.
-
-
-type: long
-
---
-
-*`system.network.in.packets`*::
-+
---
-The number or packets received.
-
-
-type: long
-
---
-
-*`system.network.in.errors`*::
-+
---
-The number of errors while receiving.
-
-
-type: long
-
---
-
-*`system.network.out.errors`*::
-+
---
-The number of errors while sending.
-
-
-type: long
-
---
-
-*`system.network.in.dropped`*::
-+
---
-The number of incoming packets that were dropped.
-
-
-type: long
-
---
-
-*`system.network.out.dropped`*::
-+
---
-The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system.
-
-
-type: long
-
---
-
-[float]
-=== network_summary
-
-Metrics relating to global network activity
-
-
-
-*`system.network_summary.ip.*`*::
-+
---
-IP counters
-
-
-type: object
-
---
-
-*`system.network_summary.tcp.*`*::
-+
---
-TCP counters
-
-
-type: object
-
---
-
-*`system.network_summary.udp.*`*::
-+
---
-UDP counters
-
-
-type: object
-
---
-
-*`system.network_summary.udp_lite.*`*::
-+
---
-UDP Lite counters
-
-
-type: object
-
---
-
-*`system.network_summary.icmp.*`*::
-+
---
-ICMP counters
-
-
-type: object
-
---
-
-[float]
-=== process
-
-`process` contains process metadata, CPU metrics, and memory metrics.
-
-
-
-*`system.process.name`*::
-+
---
-type: alias
-
-alias to: process.name
-
---
-
-*`system.process.state`*::
-+
---
-The process state. For example: "running".
-
-
-type: keyword
-
---
-
-*`system.process.pid`*::
-+
---
-type: alias
-
-alias to: process.pid
-
---
-
-*`system.process.ppid`*::
-+
---
-type: alias
-
-alias to: process.parent.pid
-
---
-
-*`system.process.pgid`*::
-+
---
-type: alias
-
-alias to: process.pgid
-
---
-
-*`system.process.num_threads`*::
-+
---
-Number of threads in the process
-
-
-type: integer
-
---
-
-*`system.process.cmdline`*::
-+
---
-The full command-line used to start the process, including the arguments separated by space.
-
-
-type: keyword
-
---
-
-*`system.process.username`*::
-+
---
-type: alias
-
-alias to: user.name
-
---
-
-*`system.process.cwd`*::
-+
---
-type: alias
-
-alias to: process.working_directory
-
---
-
-*`system.process.env`*::
-+
---
-The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X.
-
-
-type: object
-
---
-
-[float]
-=== cpu
-
-CPU-specific statistics per process.
-
-
-*`system.process.cpu.user.ticks`*::
-+
---
-The amount of CPU time the process spent in user space.
-
-
-type: long
-
---
-
-*`system.process.cpu.total.value`*::
-+
---
-The value of CPU usage since starting the process.
-
-
-type: long
-
---
-
-*`system.process.cpu.total.pct`*::
-+
---
-The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.process.cpu.total.norm.pct`*::
-+
---
-The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.process.cpu.system.ticks`*::
-+
---
-The amount of CPU time the process spent in kernel space.
-
-
-type: long
-
---
-
-*`system.process.cpu.total.ticks`*::
-+
---
-The total CPU time spent by the process.
-
-
-type: long
-
---
-
-*`system.process.cpu.start_time`*::
-+
---
-The time when the process was started.
-
-
-type: date
-
---
-
-[float]
-=== memory
-
-Memory-specific statistics per process.
-
-
-*`system.process.memory.size`*::
-+
---
-The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.memory.rss.bytes`*::
-+
---
-The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.memory.rss.pct`*::
-+
---
-The percentage of memory the process occupied in main memory (RAM).
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`system.process.memory.share`*::
-+
---
-The shared memory the process uses.
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== io
-
-Disk I/O Metrics, as forwarded from /proc/[PID]/io. Available on Linux only.
-
-
-*`system.process.io.cancelled_write_bytes`*::
-+
---
-The number of bytes this process cancelled, or caused not to be written.
-
-type: long
-
---
-
-*`system.process.io.read_bytes`*::
-+
---
-The number of bytes fetched from the storage layer.
-
-type: long
-
---
-
-*`system.process.io.write_bytes`*::
-+
---
-The number of bytes written to the storage layer.
-
-type: long
-
---
-
-*`system.process.io.read_char`*::
-+
---
-The number of bytes read from read(2) and similar syscalls.
-
-type: long
-
---
-
-*`system.process.io.write_char`*::
-+
---
-The number of bytes sent to syscalls for writing.
-
-type: long
-
---
-
-*`system.process.io.read_ops`*::
-+
---
-The count of read-related syscalls.
-
-type: long
-
---
-
-*`system.process.io.write_ops`*::
-+
---
-The count of write-related syscalls.
-
-type: long
-
---
-
-[float]
-=== fd
-
-File descriptor usage metrics. This set of metrics is available for Linux and FreeBSD.
-
-
-
-*`system.process.fd.open`*::
-+
---
-The number of file descriptors open by the process.
-
-type: long
-
---
-
-*`system.process.fd.limit.soft`*::
-+
---
-The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time.
-
-
-type: long
-
---
-
-*`system.process.fd.limit.hard`*::
-+
---
-The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root.
-
-
-type: long
-
---
-
-[float]
-=== cgroup
-
-Metrics and limits from the cgroup of which the task is a member. cgroup metrics are reported when the process has membership in a non-root cgroup. These metrics are only available on Linux.
-
-
-
-*`system.process.cgroup.id`*::
-+
---
-The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent.
-
-
-type: keyword
-
---
-
-*`system.process.cgroup.path`*::
-+
---
-The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent.
-
-
-type: keyword
-
---
-
-*`system.process.cgroup.cgroups_version`*::
-+
---
-The version of cgroups reported for the process
-
-type: long
-
---
-
-[float]
-=== cpu
-
-The cpu subsystem schedules CPU access for tasks in the cgroup. Access can be controlled by two separate schedulers, CFS and RT. CFS stands for completely fair scheduler which proportionally divides the CPU time between cgroups based on weight. RT stands for real time scheduler which sets a maximum amount of CPU time that processes in the cgroup can consume during a given period. In CPU under cgroups V2, the cgroup is merged with many of the metrics from cpuacct. In addition, per-scheduler metrics are gone in V2.
-
-
-
-*`system.process.cgroup.cpu.id`*::
-+
---
-ID of the cgroup.
-
-type: keyword
-
---
-
-*`system.process.cgroup.cpu.path`*::
-+
---
-Path to the cgroup relative to the cgroup subsystem's mountpoint.
-
-
-type: keyword
-
---
-
-[float]
-=== stats
-
-cgroupv2 stats
-
-
-*`system.process.cgroup.cpu.stats.usage.ns`*::
-+
---
-cgroups v2 usage in nanoseconds
-
-type: long
-
---
-
-*`system.process.cgroup.cpu.stats.usage.pct`*::
-+
---
-cgroups v2 usage
-
-type: float
-
---
-
-*`system.process.cgroup.cpu.stats.usage.norm.pct`*::
-+
---
-cgroups v2 normalized usage
-
-type: float
-
---
-
-*`system.process.cgroup.cpu.stats.user.ns`*::
-+
---
-cgroups v2 cpu user time in nanoseconds
-
-type: long
-
---
-
-*`system.process.cgroup.cpu.stats.user.pct`*::
-+
---
-cgroups v2 cpu user time
-
-type: float
-
---
-
-*`system.process.cgroup.cpu.stats.user.norm.pct`*::
-+
---
-cgroups v2 normalized cpu user time
-
-type: float
-
---
-
-*`system.process.cgroup.cpu.stats.system.ns`*::
-+
---
-cgroups v2 system time in nanoseconds
-
-type: long
-
---
-
-*`system.process.cgroup.cpu.stats.system.pct`*::
-+
---
-cgroups v2 system time
-
-type: float
-
---
-
-*`system.process.cgroup.cpu.stats.system.norm.pct`*::
-+
---
-cgroups v2 normalized system time
-
-type: float
-
---
-
-*`system.process.cgroup.cpu.cfs.period.us`*::
-+
---
-Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated.
-
-
-type: long
-
---
-
-*`system.process.cgroup.cpu.cfs.quota.us`*::
-+
---
-Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us).
-
-
-type: long
-
---
-
-*`system.process.cgroup.cpu.cfs.shares`*::
-+
---
-An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher.
-
-
-type: long
-
---
-
-*`system.process.cgroup.cpu.rt.period.us`*::
-+
---
-Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated.
-
-
-type: long
-
---
-
-*`system.process.cgroup.cpu.rt.runtime.us`*::
-+
---
-Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.
-
-
-type: long
-
---
-
-*`system.process.cgroup.cpu.stats.periods`*::
-+
---
-Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed.
-
-
-type: long
-
---
-
-*`system.process.cgroup.cpu.stats.throttled.periods`*::
-+
---
-Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota).
-
-
-type: long
-
---
-
-*`system.process.cgroup.cpu.stats.throttled.us`*::
-+
---
-The total time duration (in microseconds) for which tasks in a cgroup have been throttled, as reported by cgroupsv2
-
-
-type: long
-
---
-
-*`system.process.cgroup.cpu.stats.throttled.ns`*::
-+
---
-The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled.
-
-
-type: long
-
---
-
-[float]
-=== pressure
-
-Pressure (resource contention) stats.
-
-
-[float]
-=== some
-
-Share of time in which at least some tasks are stalled on a given resource
-
-
-*`system.process.cgroup.cpu.pressure.some.10.pct`*::
-+
---
-Pressure over 10 seconds
-
-type: float
-
-format: percent
-
---
-
-*`system.process.cgroup.cpu.pressure.some.60.pct`*::
-+
---
-Pressure over 60 seconds
-
-type: float
-
-format: percent
-
---
-
-*`system.process.cgroup.cpu.pressure.some.300.pct`*::
-+
---
-Pressure over 300 seconds
-
-type: float
-
-format: percent
-
---
-
-*`system.process.cgroup.cpu.pressure.some.total`*::
-+
---
-total Some pressure time
-
-type: long
-
-format: percent
-
---
-
-[float]
-=== full
-
-Share of time in which all non-idle tasks are stalled on a given resource simultaneously
-
-
-*`system.process.cgroup.cpu.pressure.full.10.pct`*::
-+
---
-Pressure over 10 seconds
-
-type: float
-
-format: percent
-
---
-
-*`system.process.cgroup.cpu.pressure.full.60.pct`*::
-+
---
-Pressure over 60 seconds
-
-type: float
-
-format: percent
-
---
-
-*`system.process.cgroup.cpu.pressure.full.300.pct`*::
-+
---
-Pressure over 300 seconds
-
-type: float
-
-format: percent
-
---
-
-*`system.process.cgroup.cpu.pressure.full.total`*::
-+
---
-total Full pressure time
-
-type: long
-
---
-
-[float]
-=== cpuacct
-
-CPU accounting metrics.
-
-
-*`system.process.cgroup.cpuacct.id`*::
-+
---
-ID of the cgroup.
-
-type: keyword
-
---
-
-*`system.process.cgroup.cpuacct.path`*::
-+
---
-Path to the cgroup relative to the cgroup subsystem's mountpoint.
-
-
-type: keyword
-
---
-
-*`system.process.cgroup.cpuacct.total.ns`*::
-+
---
-Total CPU time in nanoseconds consumed by all tasks in the cgroup.
-
-
-type: long
-
---
-
-*`system.process.cgroup.cpuacct.total.pct`*::
-+
---
-CPU time of the cgroup as a percentage of overall CPU time.
-
-
-type: scaled_float
-
---
-
-*`system.process.cgroup.cpuacct.total.norm.pct`*::
-+
---
-CPU time of the cgroup as a percentage of overall CPU time, normalized by CPU count. This is functionally an average of time spent across individual CPUs.
-
-
-type: scaled_float
-
---
-
-*`system.process.cgroup.cpuacct.stats.user.ns`*::
-+
---
-CPU time consumed by tasks in user mode.
-
-type: long
-
---
-
-*`system.process.cgroup.cpuacct.stats.user.pct`*::
-+
---
-time the cgroup spent in user space, as a percentage of total CPU time
-
-type: scaled_float
-
---
-
-*`system.process.cgroup.cpuacct.stats.user.norm.pct`*::
-+
---
-time the cgroup spent in user space, as a percentage of total CPU time, normalized by CPU count.
-
-type: scaled_float
-
---
-
-*`system.process.cgroup.cpuacct.stats.system.ns`*::
-+
---
-CPU time consumed by tasks in user (kernel) mode.
-
-type: long
-
---
-
-*`system.process.cgroup.cpuacct.stats.system.pct`*::
-+
---
-Time the cgroup spent in kernel space, as a percentage of total CPU time
-
-type: scaled_float
-
---
-
-*`system.process.cgroup.cpuacct.stats.system.norm.pct`*::
-+
---
-Time the cgroup spent in kernel space, as a percentage of total CPU time, normalized by CPU count.
-
-type: scaled_float
-
---
-
-*`system.process.cgroup.cpuacct.percpu`*::
-+
---
-CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup.
-
-
-type: object
-
---
-
-[float]
-=== memory
-
-Memory limits and metrics.
-
-
-*`system.process.cgroup.memory.id`*::
-+
---
-ID of the cgroup.
-
-type: keyword
-
---
-
-*`system.process.cgroup.memory.path`*::
-+
---
-Path to the cgroup relative to the cgroup subsystem's mountpoint.
-
-
-type: keyword
-
---
-
-*`system.process.cgroup.memory.mem.usage.bytes`*::
-+
---
-Total memory usage by processes in the cgroup (in bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.mem.usage.max.bytes`*::
-+
---
-The maximum memory used by processes in the cgroup (in bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.mem.limit.bytes`*::
-+
---
-The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.mem.failures`*::
-+
---
-The number of times that the memory limit (mem.limit.bytes) was reached.
-
-
-type: long
-
---
-
-*`system.process.cgroup.memory.mem.low.bytes`*::
-+
---
-memory low threshhold
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.mem.high.bytes`*::
-+
---
-memory high threshhold
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.mem.max.bytes`*::
-+
---
-memory max threshhold
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== mem.events
-
-number of times the controller tripped a given usage level
-
-
-*`system.process.cgroup.memory.mem.events.low`*::
-+
---
-low threshold
-
-type: long
-
---
-
-*`system.process.cgroup.memory.mem.events.high`*::
-+
---
-high threshold
-
-type: long
-
---
-
-*`system.process.cgroup.memory.mem.events.max`*::
-+
---
-max threshold
-
-type: long
-
---
-
-*`system.process.cgroup.memory.mem.events.oom`*::
-+
---
-oom threshold
-
-type: long
-
---
-
-*`system.process.cgroup.memory.mem.events.oom_kill`*::
-+
---
-oom killer threshold
-
-type: long
-
---
-
-*`system.process.cgroup.memory.mem.events.fail`*::
-+
---
-failed threshold
-
-type: long
-
---
-
-*`system.process.cgroup.memory.memsw.usage.bytes`*::
-+
---
-The sum of current memory usage plus swap space used by processes in the cgroup (in bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.memsw.usage.max.bytes`*::
-+
---
-The maximum amount of memory and swap space used by processes in the cgroup (in bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.memsw.limit.bytes`*::
-+
---
-The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.memsw.low.bytes`*::
-+
---
-memory low threshhold
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.memsw.high.bytes`*::
-+
---
-memory high threshhold
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.memsw.max.bytes`*::
-+
---
-memory max threshhold
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.memsw.failures`*::
-+
---
-The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached.
-
-
-type: long
-
---
-
-[float]
-=== memsw.events
-
-number of times the controller tripped a given usage level
-
-
-*`system.process.cgroup.memory.memsw.events.low`*::
-+
---
-low threshold
-
-type: long
-
---
-
-*`system.process.cgroup.memory.memsw.events.high`*::
-+
---
-high threshold
-
-type: long
-
---
-
-*`system.process.cgroup.memory.memsw.events.max`*::
-+
---
-max threshold
-
-type: long
-
---
-
-*`system.process.cgroup.memory.memsw.events.oom`*::
-+
---
-oom threshold
-
-type: long
-
---
-
-*`system.process.cgroup.memory.memsw.events.oom_kill`*::
-+
---
-oom killer threshold
-
-type: long
-
---
-
-*`system.process.cgroup.memory.memsw.events.fail`*::
-+
---
-failed threshold
-
-type: long
-
---
-
-*`system.process.cgroup.memory.kmem.usage.bytes`*::
-+
---
-Total kernel memory usage by processes in the cgroup (in bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.kmem.usage.max.bytes`*::
-+
---
-The maximum kernel memory used by processes in the cgroup (in bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.kmem.limit.bytes`*::
-+
---
-The maximum amount of kernel memory that tasks in the cgroup are allowed to use.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.kmem.failures`*::
-+
---
-The number of times that the memory limit (kmem.limit.bytes) was reached.
-
-
-type: long
-
---
-
-*`system.process.cgroup.memory.kmem_tcp.usage.bytes`*::
-+
---
-Total memory usage for TCP buffers in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.kmem_tcp.usage.max.bytes`*::
-+
---
-The maximum memory used for TCP buffers by processes in the cgroup (in bytes).
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.kmem_tcp.limit.bytes`*::
-+
---
-The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.kmem_tcp.failures`*::
-+
---
-The number of times that the memory limit (kmem_tcp.limit.bytes) was reached.
-
-
-type: long
-
---
-
-*`system.process.cgroup.memory.stats.*`*::
-+
---
-detailed memory IO stats
-
-type: object
-
---
-
-*`system.process.cgroup.memory.stats.*.bytes`*::
-+
---
-detailed memory IO stats
-
-type: object
-
---
-
-*`system.process.cgroup.memory.stats.active_anon.bytes`*::
-+
---
-Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.stats.active_file.bytes`*::
-+
---
-File-backed memory on active LRU list, in bytes.
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.stats.cache.bytes`*::
-+
---
-Page cache, including tmpfs (shmem), in bytes.
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes`*::
-+
---
-Memory limit for the hierarchy that contains the memory cgroup, in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes`*::
-+
---
-Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.stats.inactive_anon.bytes`*::
-+
---
-Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.stats.inactive_file.bytes`*::
-+
---
-File-backed memory on inactive LRU list, in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.stats.mapped_file.bytes`*::
-+
---
-Size of memory-mapped mapped files, including tmpfs (shmem), in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.stats.page_faults`*::
-+
---
-Number of times that a process in the cgroup triggered a page fault.
-
-
-type: long
-
---
-
-*`system.process.cgroup.memory.stats.major_page_faults`*::
-+
---
-Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk.
-
-
-type: long
-
---
-
-*`system.process.cgroup.memory.stats.pages_in`*::
-+
---
-Number of pages paged into memory. This is a counter.
-
-
-type: long
-
---
-
-*`system.process.cgroup.memory.stats.pages_out`*::
-+
---
-Number of pages paged out of memory. This is a counter.
-
-
-type: long
-
---
-
-*`system.process.cgroup.memory.stats.rss.bytes`*::
-+
---
-Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.stats.rss_huge.bytes`*::
-+
---
-Number of bytes of anonymous transparent hugepages.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.stats.swap.bytes`*::
-+
---
-Swap usage, in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.memory.stats.unevictable.bytes`*::
-+
---
-Memory that cannot be reclaimed, in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== blkio
-
-Block IO metrics.
-
-
-*`system.process.cgroup.blkio.id`*::
-+
---
-ID of the cgroup.
-
-type: keyword
-
---
-
-*`system.process.cgroup.blkio.path`*::
-+
---
-Path to the cgroup relative to the cgroup subsystems mountpoint.
-
-
-type: keyword
-
---
-
-*`system.process.cgroup.blkio.total.bytes`*::
-+
---
-Total number of bytes transferred to and from all block devices by processes in the cgroup.
-
-
-type: long
-
-format: bytes
-
---
-
-*`system.process.cgroup.blkio.total.ios`*::
-+
---
-Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy.
-
-
-type: long
-
---
-
-[float]
-=== io
-
-cgroup V2 IO Metrics, replacing blkio.
-
-
-*`system.process.cgroup.io.id`*::
-+
---
-ID of the cgroup.
-
-type: keyword
-
---
-
-*`system.process.cgroup.io.path`*::
-+
---
-Path to the cgroup relative to the cgroup subsystems mountpoint.
-
-
-type: keyword
-
---
-
-*`system.process.cgroup.io.stats.*`*::
-+
---
-per-device IO usage stats
-
-type: object
-
---
-
-*`system.process.cgroup.io.stats.*.*`*::
-+
---
-type: object
-
---
-
-*`system.process.cgroup.io.stats.*.*.bytes`*::
-+
---
-per-device IO usage stats
-
-type: object
-
---
-
-*`system.process.cgroup.io.stats.*.*.ios`*::
-+
---
-per-device IO usage stats
-
-type: object
-
---
-
-[float]
-=== pressure
-
-Pressure (resource contention) stats.
-
-
-[float]
-=== full
-
-Share of time in which at least some tasks are stalled on a given resource
-
-
-*`system.process.cgroup.io.pressure.full.10.pct`*::
-+
---
-Pressure over 10 seconds
-
-type: float
-
-format: percent
-
---
-
-*`system.process.cgroup.io.pressure.full.60.pct`*::
-+
---
-Pressure over 60 seconds
-
-type: float
-
-format: percent
-
---
-
-*`system.process.cgroup.io.pressure.full.300.pct`*::
-+
---
-Pressure over 300 seconds
-
-type: float
-
-format: percent
-
---
-
-*`system.process.cgroup.io.pressure.full.total`*::
-+
---
-total Some pressure time
-
-type: long
-
---
-
-[float]
-=== some
-
-Share of time in which all tasks are stalled on a given resource
-
-
-*`system.process.cgroup.io.pressure.some.10.pct`*::
-+
---
-Pressure over 10 seconds
-
-type: float
-
-format: percent
-
---
-
-*`system.process.cgroup.io.pressure.some.60.pct`*::
-+
---
-Pressure over 60 seconds
-
-type: float
-
-format: percent
-
---
-
-*`system.process.cgroup.io.pressure.some.300.pct`*::
-+
---
-Pressure over 300 seconds
-
-type: float
-
---
-
-*`system.process.cgroup.io.pressure.some.total`*::
-+
---
-total Some pressure time
-
-type: long
-
---
-
-[float]
-=== process.summary
-
-Summary metrics for the processes running on the host.
-
-
-
-*`system.process.summary.total`*::
-+
---
-Total number of processes on this host.
-
-
-type: long
-
---
-
-*`system.process.summary.running`*::
-+
---
-Number of running processes on this host.
-
-
-type: long
-
---
-
-*`system.process.summary.idle`*::
-+
---
-Number of idle processes on this host.
-
-
-type: long
-
---
-
-*`system.process.summary.sleeping`*::
-+
---
-Number of sleeping processes on this host.
-
-
-type: long
-
---
-
-*`system.process.summary.stopped`*::
-+
---
-Number of stopped processes on this host.
-
-
-type: long
-
---
-
-*`system.process.summary.zombie`*::
-+
---
-Number of zombie processes on this host.
-
-
-type: long
-
---
-
-*`system.process.summary.dead`*::
-+
---
-Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen.
-
-
-type: long
-
---
-
-*`system.process.summary.wakekill`*::
-+
---
-Number of wakekill-state processes on this host. Only found on older Linux Kernel versions.
-
-
-type: long
-
---
-
-*`system.process.summary.wake`*::
-+
---
-Number of wake-state processes on this host. Only found on older Linux Kernel versions.
-
-
-type: long
-
---
-
-*`system.process.summary.parked`*::
-+
---
-Number of parked-state processes on this host. Only found on older Linux Kernel versions, or under certain conditions.
-
-
-type: long
-
---
-
-*`system.process.summary.unknown`*::
-+
---
-Number of processes for which the state couldn't be retrieved or is unknown.
-
-
-type: long
-
---
-
-[float]
-=== threads
-
-Counts of individual threads on a system.
-
-
-*`system.process.summary.threads.running`*::
-+
---
-Count of currently running threads.
-
-type: long
-
---
-
-*`system.process.summary.threads.blocked`*::
-+
---
-Count of threads blocked by I/O.
-
-type: long
-
---
-
-[float]
-=== raid
-
-raid
-
-
-
-*`system.raid.name`*::
-+
---
-Name of the device.
-
-
-type: keyword
-
---
-
-*`system.raid.status`*::
-+
---
-activity-state of the device.
-
-
-type: keyword
-
---
-
-*`system.raid.level`*::
-+
---
-The raid level of the device
-
-
-type: keyword
-
---
-
-*`system.raid.sync_action`*::
-+
---
-Current sync action, if the RAID array is redundant 
-
-
-type: keyword
-
---
-
-*`system.raid.disks.active`*::
-+
---
-Number of active disks.
-
-
-type: long
-
---
-
-*`system.raid.disks.total`*::
-+
---
-Total number of disks the device consists of.
-
-
-type: long
-
---
-
-*`system.raid.disks.spare`*::
-+
---
-Number of spared disks.
-
-
-type: long
-
---
-
-*`system.raid.disks.failed`*::
-+
---
-Number of failed disks.
-
-
-type: long
-
---
-
-*`system.raid.disks.states.*`*::
-+
---
-map of raw disk states
-
-
-type: object
-
---
-
-*`system.raid.blocks.total`*::
-+
---
-Number of blocks the device holds, in 1024-byte blocks.
-
-
-type: long
-
---
-
-*`system.raid.blocks.synced`*::
-+
---
-Number of blocks on the device that are in sync, in 1024-byte blocks.
-
-
-type: long
-
---
-
-[float]
-=== service
-
-metrics for system services
-
-
-
-*`system.service.name`*::
-+
---
-The name of the service
-
-type: keyword
-
---
-
-*`system.service.load_state`*::
-+
---
-The load state of the service
-
-type: keyword
-
---
-
-*`system.service.state`*::
-+
---
-The activity state of the service
-
-type: keyword
-
---
-
-*`system.service.sub_state`*::
-+
---
-The sub-state of the service
-
-type: keyword
-
---
-
-*`system.service.state_since`*::
-+
---
-The timestamp of the last state change. If the service is active and running, this is its uptime.
-
-type: date
-
---
-
-*`system.service.exec_code`*::
-+
---
-The SIGCHLD code from the service's main process
-
-type: keyword
-
---
-
-*`system.service.unit_file.state`*::
-+
---
-The state of the unit file
-
-type: keyword
-
---
-
-*`system.service.unit_file.vendor_preset`*::
-+
---
-The default state of the unit file
-
-type: keyword
-
---
-
-[float]
-=== resources
-
-system metrics associated with the service
-
-
-*`system.service.resources.cpu.usage.ns`*::
-+
---
-CPU usage in nanoseconds
-
-type: long
-
---
-
-*`system.service.resources.memory.usage.bytes`*::
-+
---
-memory usage in bytes
-
-type: long
-
---
-
-*`system.service.resources.tasks.count`*::
-+
---
-number of tasks associated with the service
-
-type: long
-
---
-
-[float]
-=== network
-
-network resource usage
-
-
-*`system.service.resources.network.in.bytes`*::
-+
---
-bytes in
-
-type: long
-
-format: bytes
-
---
-
-*`system.service.resources.network.in.packets`*::
-+
---
-packets in
-
-type: long
-
-format: bytes
-
---
-
-*`system.service.resources.network.out.packets`*::
-+
---
-packets out
-
-type: long
-
---
-
-*`system.service.resources.network.out.bytes`*::
-+
---
-bytes out
-
-type: long
-
---
-
-[float]
-=== socket
-
-TCP sockets that are active.
-
-
-
-*`system.socket.direction`*::
-+
---
-type: alias
-
-alias to: network.direction
-
---
-
-*`system.socket.family`*::
-+
---
-type: alias
-
-alias to: network.type
-
---
-
-*`system.socket.local.ip`*::
-+
---
-Local IP address. This can be an IPv4 or IPv6 address.
-
-
-type: ip
-
-example: 192.0.2.1 or 2001:0DB8:ABED:8536::1
-
---
-
-*`system.socket.local.port`*::
-+
---
-Local port.
-
-
-type: long
-
-example: 22
-
---
-
-*`system.socket.remote.ip`*::
-+
---
-Remote IP address. This can be an IPv4 or IPv6 address.
-
-
-type: ip
-
-example: 192.0.2.1 or 2001:0DB8:ABED:8536::1
-
---
-
-*`system.socket.remote.port`*::
-+
---
-Remote port.
-
-
-type: long
-
-example: 22
-
---
-
-*`system.socket.remote.host`*::
-+
---
-PTR record associated with the remote IP. It is obtained via reverse IP lookup.
-
-
-type: keyword
-
-example: 76-211-117-36.nw.example.com.
-
---
-
-*`system.socket.remote.etld_plus_one`*::
-+
---
-The effective top-level domain (eTLD) of the remote host plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org.
-
-
-type: keyword
-
-example: example.com.
-
---
-
-*`system.socket.remote.host_error`*::
-+
---
-Error describing the cause of the reverse lookup failure.
-
-
-type: keyword
-
---
-
-*`system.socket.process.pid`*::
-+
---
-type: alias
-
-alias to: process.pid
-
---
-
-*`system.socket.process.command`*::
-+
---
-type: alias
-
-alias to: process.name
-
---
-
-*`system.socket.process.cmdline`*::
-+
---
-Full command line
-
-
-type: keyword
-
---
-
-*`system.socket.process.exe`*::
-+
---
-type: alias
-
-alias to: process.executable
-
---
-
-*`system.socket.user.id`*::
-+
---
-type: alias
-
-alias to: user.id
-
---
-
-*`system.socket.user.name`*::
-+
---
-type: alias
-
-alias to: user.full_name
-
---
-
-[float]
-=== socket.summary
-
-Summary metrics of open sockets in the host system
-
-
-
-[float]
-=== all
-
-All connections
-
-
-
-*`system.socket.summary.all.count`*::
-+
---
-All open connections
-
-
-type: integer
-
---
-
-*`system.socket.summary.all.listening`*::
-+
---
-All listening ports
-
-
-type: integer
-
---
-
-[float]
-=== tcp
-
-All TCP connections
-
-
-
-*`system.socket.summary.tcp.memory`*::
-+
---
-Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. 
-
-
-type: integer
-
-format: bytes
-
---
-
-[float]
-=== all
-
-All TCP connections
-
-
-
-*`system.socket.summary.tcp.all.orphan`*::
-+
---
-A count of all orphaned tcp sockets. Only available on Linux.
-
-
-type: integer
-
---
-
-*`system.socket.summary.tcp.all.count`*::
-+
---
-All open TCP connections
-
-
-type: integer
-
---
-
-*`system.socket.summary.tcp.all.listening`*::
-+
---
-All TCP listening ports
-
-
-type: integer
-
---
-
-*`system.socket.summary.tcp.all.established`*::
-+
---
-Number of established TCP connections
-
-
-type: integer
-
---
-
-*`system.socket.summary.tcp.all.close_wait`*::
-+
---
-Number of TCP connections in _close_wait_ state
-
-
-type: integer
-
---
-
-*`system.socket.summary.tcp.all.time_wait`*::
-+
---
-Number of TCP connections in _time_wait_ state
-
-
-type: integer
-
---
-
-*`system.socket.summary.tcp.all.syn_sent`*::
-+
---
-Number of TCP connections in _syn_sent_ state
-
-
-type: integer
-
---
-
-*`system.socket.summary.tcp.all.syn_recv`*::
-+
---
-Number of TCP connections in _syn_recv_ state
-
-
-type: integer
-
---
-
-*`system.socket.summary.tcp.all.fin_wait1`*::
-+
---
-Number of TCP connections in _fin_wait1_ state
-
-
-type: integer
-
---
-
-*`system.socket.summary.tcp.all.fin_wait2`*::
-+
---
-Number of TCP connections in _fin_wait2_ state
-
-
-type: integer
-
---
-
-*`system.socket.summary.tcp.all.last_ack`*::
-+
---
-Number of TCP connections in _last_ack_ state
-
-
-type: integer
-
---
-
-*`system.socket.summary.tcp.all.closing`*::
-+
---
-Number of TCP connections in _closing_ state
-
-
-type: integer
-
---
-
-[float]
-=== udp
-
-All UDP connections
-
-
-
-*`system.socket.summary.udp.memory`*::
-+
---
-Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. 
-
-
-type: integer
-
-format: bytes
-
---
-
-[float]
-=== all
-
-All UDP connections
-
-
-
-*`system.socket.summary.udp.all.count`*::
-+
---
-All open UDP connections
-
-
-type: integer
-
---
-
-[float]
-=== uptime
-
-`uptime` contains the operating system uptime metric.
-
-
-
-*`system.uptime.duration.ms`*::
-+
---
-The OS uptime in milliseconds.
-
-
-type: long
-
-format: duration
-
---
-
-[float]
-=== users
-
-Logged-in user session data
-
-
-
-*`system.users.id`*::
-+
---
-The ID of the session
-
-
-type: keyword
-
---
-
-*`system.users.seat`*::
-+
---
-An associated logind seat
-
-
-type: keyword
-
---
-
-*`system.users.path`*::
-+
---
-The DBus object path of the session
-
-
-type: keyword
-
---
-
-*`system.users.type`*::
-+
---
-The type of the user session
-
-
-type: keyword
-
---
-
-*`system.users.service`*::
-+
---
-A session associated with the service
-
-
-type: keyword
-
---
-
-*`system.users.remote`*::
-+
---
-A bool indicating a remote session
-
-
-type: boolean
-
---
-
-*`system.users.state`*::
-+
---
-The current state of the session
-
-
-type: keyword
-
---
-
-*`system.users.scope`*::
-+
---
-The associated systemd scope
-
-
-type: keyword
-
---
-
-*`system.users.leader`*::
-+
---
-The root PID of the session
-
-
-type: long
-
---
-
-*`system.users.remote_host`*::
-+
---
-A remote host address for the session
-
-
-type: keyword
-
---
-
-[[exported-fields-tomcat]]
-== Tomcat fields
-
-Tomcat module
-
-
-
-
-[float]
-=== cache
-
-Catalina Cache metrics from the WebResourceRoot
-
-
-*`tomcat.cache.mbean`*::
-+
---
-Mbean that this event is related to
-
-type: keyword
-
---
-
-*`tomcat.cache.hit.total`*::
-+
---
-The number of requests for resources that were served from the cache
-
-type: long
-
---
-
-*`tomcat.cache.size.total.kb`*::
-+
---
-The current estimate of the cache size in kilobytes
-
-type: long
-
---
-
-*`tomcat.cache.size.max.kb`*::
-+
---
-The maximum permitted size of the cache in kilobytes
-
-type: long
-
---
-
-*`tomcat.cache.lookup.total`*::
-+
---
-The number of requests for resources
-
-type: long
-
---
-
-*`tomcat.cache.ttl.ms`*::
-+
---
-The time-to-live for cache entries in milliseconds
-
-type: long
-
---
-
-[float]
-=== memory
-
-Memory metrics from java.lang JMX
-
-
-*`tomcat.memory.mbean`*::
-+
---
-Mbean that this event is related to
-
-type: keyword
-
---
-
-*`tomcat.memory.heap.usage.committed`*::
-+
---
-Committed heap memory usage
-
-type: long
-
---
-
-*`tomcat.memory.heap.usage.max`*::
-+
---
-Max heap memory usage
-
-type: long
-
---
-
-*`tomcat.memory.heap.usage.used`*::
-+
---
-Used heap memory usage
-
-type: long
-
---
-
-*`tomcat.memory.heap.usage.init`*::
-+
---
-Initial heap memory usage
-
-type: long
-
---
-
-*`tomcat.memory.other.usage.committed`*::
-+
---
-Committed non-heap memory usage
-
-type: long
-
---
-
-*`tomcat.memory.other.usage.max`*::
-+
---
-Max non-heap memory usage
-
-type: long
-
---
-
-*`tomcat.memory.other.usage.used`*::
-+
---
-Used non-heap memory usage
-
-type: long
-
---
-
-*`tomcat.memory.other.usage.init`*::
-+
---
-Initial non-heap memory usage
-
-type: long
-
---
-
-[float]
-=== requests
-
-Requests processor metrics from GlobalRequestProcessor JMX
-
-
-*`tomcat.requests.mbean`*::
-+
---
-Mbean that this event is related to
-
-type: keyword
-
---
-
-*`tomcat.requests.total`*::
-+
---
-Number of requests processed
-
-type: long
-
---
-
-*`tomcat.requests.bytes.received`*::
-+
---
-Amount of data received, in bytes
-
-type: long
-
---
-
-*`tomcat.requests.bytes.sent`*::
-+
---
-Amount of data sent, in bytes
-
-type: long
-
---
-
-*`tomcat.requests.processing.ms`*::
-+
---
-Total time to process the requests
-
-type: long
-
---
-
-*`tomcat.requests.errors.total`*::
-+
---
-Number of errors
-
-type: long
-
---
-
-[float]
-=== threading
-
-Threading metrics from the Catalina's ThreadPool JMX
-
-
-*`tomcat.threading.busy`*::
-+
---
-Current busy threads from the ThreadPool
-
-type: long
-
---
-
-*`tomcat.threading.max`*::
-+
---
-Max threads from the ThreadPool
-
-type: long
-
---
-
-*`tomcat.threading.current`*::
-+
---
-Current number of threads, taken from the ThreadPool
-
-type: long
-
---
-
-*`tomcat.threading.keep_alive.total`*::
-+
---
-Total keep alive on the ThreadPool
-
-type: long
-
---
-
-*`tomcat.threading.keep_alive.timeout.ms`*::
-+
---
-Keep alive timeout on the ThreadPool
-
-type: long
-
---
-
-*`tomcat.threading.started.total`*::
-+
---
-Current started threads at JVM level (from java.lang:type=Threading)
-
-type: long
-
---
-
-*`tomcat.threading.user.time.ms`*::
-+
---
-User time in milliseconds (from java.lang:type=Threading)
-
-type: long
-
---
-
-*`tomcat.threading.cpu.time.ms`*::
-+
---
-CPU time in milliseconds (from java.lang:type=Threading)
-
-type: long
-
---
-
-*`tomcat.threading.total`*::
-+
---
-Total threads at the JVM level (from java.lang:type=Threading)
-
-type: long
-
---
-
-*`tomcat.threading.peak`*::
-+
---
-Peak number of threads at JVM level (from java.lang:type=Threading)
-
-type: long
-
---
-
-[[exported-fields-traefik]]
-== Traefik fields
-
-Traefik reverse proxy / load balancer metrics
-
-
-
-[float]
-=== traefik
-
-Traefik reverse proxy / load balancer metrics
-
-
-
-[float]
-=== health
-
-Metrics obtained from Traefik's health API endpoint
-
-
-
-*`traefik.health.uptime.sec`*::
-+
---
-Uptime of Traefik instance in seconds
-
-
-type: long
-
---
-
-[float]
-=== response
-
-Response metrics
-
-
-
-*`traefik.health.response.count`*::
-+
---
-Number of responses
-
-
-type: long
-
---
-
-*`traefik.health.response.avg_time.us`*::
-+
---
-Average response time in microseconds
-
-
-type: long
-
---
-
-*`traefik.health.response.status_codes.*`*::
-+
---
-Number of responses per status code
-
-
-type: object
-
---
-
-[[exported-fields-uwsgi]]
-== uWSGI fields
-
-uwsgi module
-
-
-
-[float]
-=== uwsgi
-
-
-
-
-[float]
-=== status
-
-uwsgi.status metricset fields
-
-
-
-*`uwsgi.status.total.requests`*::
-+
---
-Total requests handled
-
-
-type: long
-
---
-
-*`uwsgi.status.total.exceptions`*::
-+
---
-Total exceptions
-
-
-type: long
-
---
-
-*`uwsgi.status.total.write_errors`*::
-+
---
-Total requests write errors
-
-
-type: long
-
---
-
-*`uwsgi.status.total.read_errors`*::
-+
---
-Total read errors
-
-
-type: long
-
---
-
-*`uwsgi.status.total.pid`*::
-+
---
-Process id
-
-
-type: long
-
---
-
-*`uwsgi.status.worker.id`*::
-+
---
-Worker id
-
-
-type: long
-
---
-
-*`uwsgi.status.worker.pid`*::
-+
---
-Worker process id
-
-
-type: long
-
---
-
-*`uwsgi.status.worker.accepting`*::
-+
---
-State of worker, 1 if still accepting new requests otherwise 0
-
-
-type: long
-
---
-
-*`uwsgi.status.worker.requests`*::
-+
---
-Number of requests served by this worker
-
-
-type: long
-
---
-
-*`uwsgi.status.worker.delta_requests`*::
-+
---
-Number of requests served by this worker after worker is reloaded when reached MAX_REQUESTS
-
-
-type: long
-
---
-
-*`uwsgi.status.worker.exceptions`*::
-+
---
-Exceptions raised
-
-
-type: long
-
---
-
-*`uwsgi.status.worker.harakiri_count`*::
-+
---
-Dropped requests by timeout
-
-
-type: long
-
---
-
-*`uwsgi.status.worker.signals`*::
-+
---
-Emitted signals count
-
-
-type: long
-
---
-
-*`uwsgi.status.worker.signal_queue`*::
-+
---
-Number of signals waiting to be handled
-
-
-type: long
-
---
-
-*`uwsgi.status.worker.status`*::
-+
---
-Worker status (cheap, pause, sig, busy, idle)
-
-
-type: keyword
-
---
-
-*`uwsgi.status.worker.rss`*::
-+
---
-Resident Set Size. memory currently used by a process. if always zero try `--memory-report` option of uwsgi
-
-
-type: long
-
---
-
-*`uwsgi.status.worker.vsz`*::
-+
---
-Virtual Set Size. memory size assigned to a process. if always zero try `--memory-report` option of uwsgi
-
-
-type: long
-
---
-
-*`uwsgi.status.worker.running_time`*::
-+
---
-Process running time
-
-
-type: long
-
---
-
-*`uwsgi.status.worker.respawn_count`*::
-+
---
-Respawn count
-
-
-type: long
-
---
-
-*`uwsgi.status.worker.tx`*::
-+
---
-Transmitted size
-
-
-type: long
-
---
-
-*`uwsgi.status.worker.avg_rt`*::
-+
---
-Average response time
-
-
-type: long
-
---
-
-*`uwsgi.status.core.id`*::
-+
---
-worker ID
-
-
-type: long
-
---
-
-*`uwsgi.status.core.worker_pid`*::
-+
---
-Parent worker PID
-
-
-type: long
-
---
-
-*`uwsgi.status.core.requests.total`*::
-+
---
-Number of total requests served
-
-
-type: long
-
---
-
-*`uwsgi.status.core.requests.static`*::
-+
---
-Number of static file serves
-
-
-type: long
-
---
-
-*`uwsgi.status.core.requests.routed`*::
-+
---
-Routed requests
-
-
-type: long
-
---
-
-*`uwsgi.status.core.requests.offloaded`*::
-+
---
-Offloaded requests
-
-
-type: long
-
---
-
-*`uwsgi.status.core.write_errors`*::
-+
---
-Number of failed writes
-
-
-type: long
-
---
-
-*`uwsgi.status.core.read_errors`*::
-+
---
-Number of failed reads
-
-
-type: long
-
---
-
-[[exported-fields-vsphere]]
-== vSphere fields
-
-vSphere module
-
-
-
-[float]
-=== vsphere
-
-
-
-
-[float]
-=== cluster
-
-Cluster information.
-
-
-
-
-*`vsphere.cluster.datastore.names`*::
-+
---
-List of all the datastore names associated with the cluster.
-
-
-type: keyword
-
---
-
-*`vsphere.cluster.datastore.count`*::
-+
---
-Number of datastores associated with the cluster.
-
-
-type: long
-
---
-
-
-*`vsphere.cluster.das_config.admission.control.enabled`*::
-+
---
-Indicates whether strict admission control is enabled.
-
-
-type: boolean
-
---
-
-*`vsphere.cluster.das_config.enabled`*::
-+
---
-Indicates whether vSphere HA feature is enabled.
-
-
-type: boolean
-
---
-
-
-*`vsphere.cluster.host.count`*::
-+
---
-Number of hosts associated with the cluster.
-
-
-type: long
-
---
-
-*`vsphere.cluster.host.names`*::
-+
---
-List of all the host names associated with the cluster.
-
-
-type: keyword
-
---
-
-*`vsphere.cluster.id`*::
-+
---
-Unique cluster ID.
-
-
-type: keyword
-
---
-
-*`vsphere.cluster.name`*::
-+
---
-Cluster name.
-
-
-type: keyword
-
---
-
-
-*`vsphere.cluster.network.count`*::
-+
---
-Number of networks associated with the cluster.
-
-
-type: long
-
---
-
-*`vsphere.cluster.network.names`*::
-+
---
-List of all the network names associated with the cluster.
-
-
-type: keyword
-
---
-
-*`vsphere.cluster.triggered_alarms.*`*::
-+
---
-List of all the triggered alarms.
-
-
-type: object
-
---
-
-[float]
-=== datastore
-
-datastore
-
-
-
-*`vsphere.datastore.capacity.free.bytes`*::
-+
---
-Free bytes of the datastore.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.datastore.capacity.total.bytes`*::
-+
---
-Total bytes of the datastore.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.datastore.capacity.used.bytes`*::
-+
---
-Used bytes of the datastore.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.datastore.capacity.used.pct`*::
-+
---
-Percentage of datastore capacity used.
-
-
-type: scaled_float
-
-format: percent
-
---
-
-*`vsphere.datastore.disk.capacity.bytes`*::
-+
---
-Configured size of the datastore.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.datastore.disk.capacity.usage.bytes`*::
-+
---
-The amount of storage capacity currently being consumed by datastore.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.datastore.disk.provisioned.bytes`*::
-+
---
-Amount of storage set aside for use by a datastore.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.datastore.fstype`*::
-+
---
-Filesystem type.
-
-
-type: keyword
-
---
-
-*`vsphere.datastore.host.count`*::
-+
---
-Number of hosts.
-
-
-type: long
-
---
-
-*`vsphere.datastore.host.names`*::
-+
---
-List of all the host names.
-
-
-type: keyword
-
---
-
-*`vsphere.datastore.id`*::
-+
---
-Unique datastore ID.
-
-
-type: keyword
-
---
-
-*`vsphere.datastore.name`*::
-+
---
-Datastore name.
-
-
-type: keyword
-
---
-
-*`vsphere.datastore.read.bytes`*::
-+
---
-Rate of reading data from the datastore.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.datastore.status`*::
-+
---
-Status of the datastore.
-
-
-type: keyword
-
---
-
-*`vsphere.datastore.triggered_alarms.*`*::
-+
---
-List of all the triggered alarms.
-
-
-type: object
-
---
-
-*`vsphere.datastore.vm.count`*::
-+
---
-Number of VMs.
-
-
-type: long
-
---
-
-*`vsphere.datastore.vm.names`*::
-+
---
-List of all the VM names.
-
-
-type: keyword
-
---
-
-*`vsphere.datastore.write.bytes`*::
-+
---
-Rate of writing data to the datastore.
-
-
-type: long
-
-format: bytes
-
---
-
-[float]
-=== datastorecluster
-
-Datastore Cluster
-
-
-
-*`vsphere.datastorecluster.id`*::
-+
---
-Unique datastore cluster ID.
-
-
-type: keyword
-
---
-
-*`vsphere.datastorecluster.name`*::
-+
---
-The datastore cluster name.
-
-
-type: keyword
-
---
-
-*`vsphere.datastorecluster.capacity.bytes`*::
-+
---
-Total capacity of this storage pod, in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.datastorecluster.free_space.bytes`*::
-+
---
-Total free space on this storage pod, in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.datastorecluster.datastore.names`*::
-+
---
-List of all the datastore names associated with the datastore cluster.
-
-
-type: keyword
-
---
-
-*`vsphere.datastorecluster.datastore.count`*::
-+
---
-Number of datastores in the datastore cluster.
-
-
-type: long
-
---
-
-*`vsphere.datastorecluster.triggered_alarms.*`*::
-+
---
-List of all the triggered alarms.
-
-
-type: object
-
---
-
-[float]
-=== host
-
-Host information from vSphere environment.
-
-
-
-*`vsphere.host.cpu.used.mhz`*::
-+
---
-Used CPU in MHz.
-
-
-type: long
-
---
-
-*`vsphere.host.cpu.total.mhz`*::
-+
---
-Total CPU in MHz.
-
-
-type: long
-
---
-
-*`vsphere.host.cpu.free.mhz`*::
-+
---
-Free CPU in MHz.
-
-
-type: long
-
---
-
-*`vsphere.host.datastore.names`*::
-+
---
-List of all the datastore names.
-
-
-type: keyword
-
---
-
-*`vsphere.host.datastore.count`*::
-+
---
-Number of datastores on the host.
-
-
-type: long
-
---
-
-*`vsphere.host.disk.capacity.usage.bytes`*::
-+
---
-The amount of storage capacity currently being consumed by or on the entity.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.host.disk.devicelatency.average.ms`*::
-+
---
-Average amount of time it takes to complete an SCSI command from physical device in milliseconds.
-
-
-type: long
-
---
-
-*`vsphere.host.disk.latency.total.ms`*::
-+
---
-Highest latency value across all disks used by the host in milliseconds.
-
-
-type: long
-
---
-
-*`vsphere.host.disk.read.bytes`*::
-+
---
-Average number of bytes read from the disk each second.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.host.disk.write.bytes`*::
-+
---
-Average number of bytes written to the disk each second.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.host.disk.total.bytes`*::
-+
---
-Sum of disk read and write rates each second in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.host.id`*::
-+
---
-Unique host ID.
-
-
-type: keyword
-
---
-
-*`vsphere.host.memory.free.bytes`*::
-+
---
-Free Memory in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.host.memory.total.bytes`*::
-+
---
-Total Memory in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.host.memory.used.bytes`*::
-+
---
-Used Memory in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.host.name`*::
-+
---
-Host name.
-
-
-type: keyword
-
---
-
-*`vsphere.host.network_names`*::
-+
---
-Network names.
-
-
-type: keyword
-
---
-
-*`vsphere.host.network.names`*::
-+
---
-List of all the network names.
-
-
-type: keyword
-
---
-
-*`vsphere.host.network.count`*::
-+
---
-Number of networks on the host.
-
-
-type: long
-
---
-
-*`vsphere.host.network.bandwidth.transmitted.bytes`*::
-+
---
-Average rate at which data was transmitted during the interval. This represents the bandwidth of the network.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.host.network.bandwidth.received.bytes`*::
-+
---
-Average rate at which data was received during the interval. This represents the bandwidth of the network.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.host.network.bandwidth.total.bytes`*::
-+
---
-Sum of network transmitted and received rates in bytes during the interval.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.host.network.packets.transmitted.count`*::
-+
---
-Number of packets transmitted.
-
-
-type: long
-
---
-
-*`vsphere.host.network.packets.received.count`*::
-+
---
-Number of packets received.
-
-
-type: long
-
---
-
-*`vsphere.host.network.packets.errors.transmitted.count`*::
-+
---
-Number of packets with errors transmitted.
-
-
-type: long
-
---
-
-*`vsphere.host.network.packets.errors.received.count`*::
-+
---
-Number of packets with errors received.
-
-
-type: long
-
---
-
-*`vsphere.host.network.packets.errors.total.count`*::
-+
---
-Total number of packets with errors.
-
-
-type: long
-
---
-
-*`vsphere.host.network.packets.multicast.transmitted.count`*::
-+
---
-Number of multicast packets transmitted.
-
-
-type: long
-
---
-
-*`vsphere.host.network.packets.multicast.received.count`*::
-+
---
-Number of multicast packets received.
-
-
-type: long
-
---
-
-*`vsphere.host.network.packets.multicast.total.count`*::
-+
---
-Total number of multicast packets.
-
-
-type: long
-
---
-
-*`vsphere.host.network.packets.dropped.transmitted.count`*::
-+
---
-Number of transmitted packets dropped.
-
-
-type: long
-
---
-
-*`vsphere.host.network.packets.dropped.received.count`*::
-+
---
-Number of received packets dropped.
-
-
-type: long
-
---
-
-*`vsphere.host.network.packets.dropped.total.count`*::
-+
---
-Total number of packets dropped.
-
-
-type: long
-
---
-
-*`vsphere.host.status`*::
-+
---
-The overall health status of a host in the vSphere environment.
-
-
-type: keyword
-
---
-
-*`vsphere.host.triggered_alarms.*`*::
-+
---
-List of all the triggered alarms.
-
-
-type: object
-
---
-
-*`vsphere.host.uptime`*::
-+
---
-The total uptime of a host in seconds within the vSphere environment.
-
-
-type: long
-
---
-
-*`vsphere.host.vm.names`*::
-+
---
-List of all the VM names.
-
-
-type: keyword
-
---
-
-*`vsphere.host.vm.count`*::
-+
---
-Number of virtual machines on the host.
-
-
-type: long
-
---
-
-[float]
-=== network
-
-Network-related information.
-
-
-
-*`vsphere.network.accessible`*::
-+
---
-Indicates whether at least one host is configured to provide this network.
-
-
-type: boolean
-
---
-
-*`vsphere.network.config.status`*::
-+
---
-Indicates whether the system has detected a configuration issue.
-
-
-type: keyword
-
---
-
-
-*`vsphere.network.host.names`*::
-+
---
-Names of the hosts connected to this network.
-
-
-type: keyword
-
---
-
-*`vsphere.network.host.count`*::
-+
---
-Number of hosts connected to this network.
-
-
-type: long
-
---
-
-*`vsphere.network.id`*::
-+
---
-Unique network ID.
-
-
-type: keyword
-
---
-
-*`vsphere.network.name`*::
-+
---
-Name of the network.
-
-
-type: keyword
-
---
-
-*`vsphere.network.status`*::
-+
---
-General health of the network.
-
-
-type: keyword
-
---
-
-*`vsphere.network.type`*::
-+
---
-Type of the network (e.g., Network(Standard), DistributedVirtualport).
-
-
-type: keyword
-
---
-
-
-*`vsphere.network.vm.names`*::
-+
---
-Names of the virtual machines connected to this network.
-
-
-type: keyword
-
---
-
-*`vsphere.network.vm.count`*::
-+
---
-Number of virtual machines connected to this network.
-
-
-type: long
-
---
-
-*`vsphere.network.triggered_alarms.*`*::
-+
---
-List of all the triggered alarms.
-
-
-type: object
-
---
-
-[float]
-=== resourcepool
-
-Resource pool information from vSphere environment.
-
-
-
-
-*`vsphere.resourcepool.cpu.usage.mhz`*::
-+
---
-Basic CPU performance statistics, in MHz.
-
-
-type: long
-
---
-
-*`vsphere.resourcepool.cpu.demand.mhz`*::
-+
---
-Basic CPU performance statistics, in MHz.
-
-
-type: long
-
---
-
-
-*`vsphere.resourcepool.cpu.entitlement.mhz`*::
-+
---
-The amount of CPU resource, in MHz, that this VM is entitled to, as calculated by DRS.
-
-
-type: long
-
---
-
-*`vsphere.resourcepool.cpu.entitlement.static.mhz`*::
-+
---
-The static CPU resource entitlement for a virtual machine.
-
-
-type: long
-
---
-
-*`vsphere.resourcepool.id`*::
-+
---
-Unique resource pool ID.
-
-
-type: keyword
-
---
-
-
-
-*`vsphere.resourcepool.memory.usage.guest.bytes`*::
-+
---
-Guest memory utilization statistics, in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.resourcepool.memory.usage.host.bytes`*::
-+
---
-Host memory utilization statistics, in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-
-*`vsphere.resourcepool.memory.entitlement.bytes`*::
-+
---
-The amount of memory, in bytes, that this VM is entitled to, as calculated by DRS.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.resourcepool.memory.entitlement.static.bytes`*::
-+
---
-The static memory resource entitlement for a virtual machine, in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.resourcepool.memory.private.bytes`*::
-+
---
-The portion of memory, in bytes, that is granted to a virtual machine from non-shared host memory.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.resourcepool.memory.shared.bytes`*::
-+
---
-The portion of memory, in bytes, that is granted to a virtual machine from host memory that is shared between VMs.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.resourcepool.memory.swapped.bytes`*::
-+
---
-The portion of memory, in bytes, that is granted to a virtual machine from the host's swap space.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.resourcepool.memory.ballooned.bytes`*::
-+
---
-The size of the balloon driver in a virtual machine, in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-
-*`vsphere.resourcepool.memory.overhead.bytes`*::
-+
---
-The amount of memory resource (in bytes) that will be used by a virtual machine above its guest memory requirements.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.resourcepool.memory.overhead.consumed.bytes`*::
-+
---
-The amount of overhead memory, in bytes, currently being consumed to run a VM.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.resourcepool.memory.compressed.bytes`*::
-+
---
-The amount of compressed memory currently consumed by VM, in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.resourcepool.name`*::
-+
---
-The name of the resource pool.
-
-
-type: keyword
-
---
-
-*`vsphere.resourcepool.status`*::
-+
---
-The overall health status of a host in the vSphere environment.
-
-
-type: keyword
-
---
-
-
-*`vsphere.resourcepool.vm.count`*::
-+
---
-Number of virtual machines on the resource pool.
-
-
-type: long
-
---
-
-*`vsphere.resourcepool.vm.names`*::
-+
---
-Names of virtual machines on the resource pool.
-
-
-type: keyword
-
---
-
-*`vsphere.resourcepool.triggered_alarms.*`*::
-+
---
-List of all the triggered alarms.
-
-
-type: object
-
---
-
-[float]
-=== virtualmachine
-
-virtualmachine
-
-
-
-
-*`vsphere.virtualmachine.host.id`*::
-+
---
-Host id.
-
-
-type: keyword
-
---
-
-*`vsphere.virtualmachine.host.hostname`*::
-+
---
-Hostname of the host.
-
-
-type: keyword
-
---
-
-*`vsphere.virtualmachine.id`*::
-+
---
-Unique virtual machine ID.
-
-
-type: keyword
-
---
-
-*`vsphere.virtualmachine.name`*::
-+
---
-Virtual machine name.
-
-
-type: keyword
-
---
-
-*`vsphere.virtualmachine.os`*::
-+
---
-Virtual machine Operating System name.
-
-
-type: keyword
-
---
-
-*`vsphere.virtualmachine.cpu.used.mhz`*::
-+
---
-Used CPU in Mhz.
-
-
-type: long
-
---
-
-*`vsphere.virtualmachine.cpu.total.mhz`*::
-+
---
-Total Reserved CPU in Mhz.
-
-
-type: long
-
---
-
-*`vsphere.virtualmachine.cpu.free.mhz`*::
-+
---
-Available CPU in Mhz.
-
-
-type: long
-
---
-
-*`vsphere.virtualmachine.memory.used.guest.bytes`*::
-+
---
-Used memory of Guest in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.virtualmachine.memory.used.host.bytes`*::
-+
---
-Used memory of Host in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.virtualmachine.memory.total.guest.bytes`*::
-+
---
-Total memory of Guest in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.virtualmachine.memory.free.guest.bytes`*::
-+
---
-Free memory of Guest in bytes.
-
-
-type: long
-
-format: bytes
-
---
-
-*`vsphere.virtualmachine.custom_fields`*::
-+
---
-Custom fields.
-
-
-type: object
-
---
-
-*`vsphere.virtualmachine.network_names`*::
-+
---
-Network names.
-
-
-type: keyword
-
---
-
-
-*`vsphere.virtualmachine.datastore.names`*::
-+
---
-Names of the datastore associated to this virtualmachine.
-
-
-type: keyword
-
---
-
-*`vsphere.virtualmachine.datastore.count`*::
-+
---
-Number of datastores associated to this virtualmachine.
-
-
-type: long
-
---
-
-
-*`vsphere.virtualmachine.network.names`*::
-+
---
-Names of the networks associated to this virtualmachine.
-
-
-type: keyword
-
---
-
-*`vsphere.virtualmachine.network.count`*::
-+
---
-Number of networks associated to this virtualmachine.
-
-
-type: long
-
---
-
-*`vsphere.virtualmachine.status`*::
-+
---
-Overall health and status of a virtual machine.
-
-
-type: keyword
-
---
-
-*`vsphere.virtualmachine.uptime`*::
-+
---
-The uptime of the VM in seconds.
-
-
-type: long
-
---
-
-
-*`vsphere.virtualmachine.snapshot.info.*`*::
-+
---
-Details of the snapshots of this virtualmachine.
-
-type: object
-
---
-
-*`vsphere.virtualmachine.snapshot.count`*::
-+
---
-The number of snapshots of this virtualmachine.
-
-type: long
-
---
-
-*`vsphere.virtualmachine.triggered_alarms.*`*::
-+
---
-List of all the triggered alarms.
-
-
-type: object
-
---
-
-[[exported-fields-windows]]
-== Windows fields
-
-Module for Windows
-
-
-
-[float]
-=== windows
-
-
-
-
-[float]
-=== perfmon
-
-perfmon
-
-
-
-*`windows.perfmon.instance`*::
-+
---
-Instance value.
-
-
-type: keyword
-
---
-
-*`windows.perfmon.metrics.*.*`*::
-+
---
-Metric values returned.
-
-
-type: object
-
---
-
-[float]
-=== service
-
-`service` contains the status for Windows services.
-
-
-
-*`windows.service.id`*::
-+
---
-A unique ID for the service. It is a hash of the machine's GUID and the service name.
-
-
-type: keyword
-
-example: hW3NJFc1Ap
-
---
-
-*`windows.service.name`*::
-+
---
-The service name.
-
-
-type: keyword
-
-example: Wecsvc
-
---
-
-*`windows.service.display_name`*::
-+
---
-The display name of the service.
-
-
-type: keyword
-
-example: Windows Event Collector
-
---
-
-*`windows.service.start_type`*::
-+
---
-The startup type of the service. The possible values are `Automatic`, `Boot`, `Disabled`, `Manual`, and `System`.
-
-
-type: keyword
-
---
-
-*`windows.service.start_name`*::
-+
---
-Account name under which a service runs.
-
-
-type: keyword
-
-example: NT AUTHORITY\LocalService
-
---
-
-*`windows.service.path_name`*::
-+
---
-Fully qualified path to the file that implements the service, including arguments.
-
-
-type: keyword
-
-example: C:\WINDOWS\system32\svchost.exe -k LocalService -p
-
---
-
-*`windows.service.state`*::
-+
---
-The actual state of the service. The possible values are `Continuing`, `Pausing`, `Paused`, `Running`, `Starting`, `Stopping`, and `Stopped`.
-
-
-type: keyword
-
---
-
-*`windows.service.exit_code`*::
-+
---
-For `Stopped` services this is the error code that service reports when starting to stopping. This will be the generic Windows service error code unless the service provides a service-specific error code.
-
-
-type: keyword
-
---
-
-*`windows.service.pid`*::
-+
---
-For `Running` services this is the associated process PID.
-
-
-type: long
-
-example: 1092
-
---
-
-*`windows.service.uptime.ms`*::
-+
---
-The service's uptime specified in milliseconds.
-
-
-type: long
-
-format: duration
-
---
-
-[float]
-=== wmi
-
-wmi
-
-
-[[exported-fields-zookeeper]]
-== ZooKeeper fields
-
-ZooKeeper metrics collected by the four-letter monitoring commands.
-
-
-
-[float]
-=== zookeeper
-
-`zookeeper` contains the metrics reported by ZooKeeper commands.
-
-
-
-[float]
-=== connection
-
-connections
-
-
-
-*`zookeeper.connection.interest_ops`*::
-+
---
-Interest ops
-
-
-type: long
-
---
-
-*`zookeeper.connection.queued`*::
-+
---
-Queued connections
-
-
-type: long
-
---
-
-*`zookeeper.connection.received`*::
-+
---
-Received connections
-
-
-type: long
-
---
-
-*`zookeeper.connection.sent`*::
-+
---
-Connections sent
-
-
-type: long
-
---
-
-[float]
-=== mntr
-
-`mntr` contains the metrics reported by the four-letter `mntr` command.
-
-
-
-*`zookeeper.mntr.approximate_data_size`*::
-+
---
-Approximate size of ZooKeeper data.
-
-
-type: long
-
---
-
-*`zookeeper.mntr.latency.avg`*::
-+
---
-Average latency between ensemble hosts in milliseconds.
-
-
-type: long
-
---
-
-*`zookeeper.mntr.ephemerals_count`*::
-+
---
-Number of ephemeral znodes.
-
-
-type: long
-
---
-
-*`zookeeper.mntr.followers`*::
-+
---
-Number of followers seen by the current host (Up to ZooKeeper 3.5.9).
-
-
-type: long
-
---
-
-*`zookeeper.mntr.max_file_descriptor_count`*::
-+
---
-Maximum number of file descriptors allowed for the ZooKeeper process.
-
-
-type: long
-
---
-
-*`zookeeper.mntr.latency.max`*::
-+
---
-Maximum latency in milliseconds.
-
-
-type: long
-
---
-
-*`zookeeper.mntr.latency.min`*::
-+
---
-Minimum latency in milliseconds.
-
-
-type: long
-
---
-
-*`zookeeper.mntr.num_alive_connections`*::
-+
---
-Number of connections to ZooKeeper that are currently alive.
-
-
-type: long
-
---
-
-*`zookeeper.mntr.open_file_descriptor_count`*::
-+
---
-Number of file descriptors open by the ZooKeeper process.
-
-
-type: long
-
---
-
-*`zookeeper.mntr.outstanding_requests`*::
-+
---
-Number of outstanding requests that need to be processed by the cluster.
-
-
-type: long
-
---
-
-*`zookeeper.mntr.packets.received`*::
-+
---
-Number of ZooKeeper network packets received.
-
-
-type: long
-
---
-
-*`zookeeper.mntr.packets.sent`*::
-+
---
-Number of ZooKeeper network packets sent.
-
-
-type: long
-
---
-
-*`zookeeper.mntr.pending_syncs`*::
-+
---
-Number of pending syncs to carry out to ZooKeeper ensemble followers.
-
-
-type: long
-
---
-
-*`zookeeper.mntr.server_state`*::
-+
---
-Role in the ZooKeeper ensemble.
-
-
-type: keyword
-
---
-
-*`zookeeper.mntr.synced_followers`*::
-+
---
-Number of synced followers reported when a node server_state is leader.
-
-
-type: long
-
---
-
-*`zookeeper.mntr.version`*::
-+
---
-ZooKeeper version and build string reported.
-
-
-type: alias
-
-alias to: service.version
-
---
-
-*`zookeeper.mntr.watch_count`*::
-+
---
-Number of watches currently set on the local ZooKeeper process.
-
-
-type: long
-
---
-
-*`zookeeper.mntr.znode_count`*::
-+
---
-Number of znodes reported by the local ZooKeeper process.
-
-
-type: long
-
---
-
-*`zookeeper.mntr.learners`*::
-+
---
-Number of learners (either followers or observers) seen by the current host (From ZooKeeper 3.6.0)
-
-
-type: long
-
---
-
-[float]
-=== server
-
-server contains the metrics reported by the four-letter `srvr` command.
-
-
-*`zookeeper.server.connections`*::
-+
---
-Number of clients currently connected to the server
-
-type: long
-
---
-
-
-*`zookeeper.server.latency.avg`*::
-+
---
-Average amount of time taken for the server to respond to a client request
-
-type: long
-
---
-
-*`zookeeper.server.latency.max`*::
-+
---
-Maximum amount of time taken for the server to respond to a client request
-
-type: long
-
---
-
-*`zookeeper.server.latency.min`*::
-+
---
-Minimum amount of time taken for the server to respond to a client request
-
-type: long
-
---
-
-*`zookeeper.server.mode`*::
-+
---
-Mode of the server. In an ensemble, this may either be leader or follower. Otherwise, it is standalone
-
-type: keyword
-
---
-
-*`zookeeper.server.node_count`*::
-+
---
-Total number of nodes
-
-type: long
-
---
-
-*`zookeeper.server.outstanding`*::
-+
---
-Number of requests queued at the server. This exceeds zero when the server receives more requests than it is able to process
-
-type: long
-
---
-
-*`zookeeper.server.received`*::
-+
---
-Number of requests received by the server
-
-type: long
-
---
-
-*`zookeeper.server.sent`*::
-+
---
-Number of requests sent by the server
-
-type: long
-
---
-
-*`zookeeper.server.version_date`*::
-+
---
-Date of the Zookeeper release currently in use
-
-type: date
-
---
-
-*`zookeeper.server.zxid`*::
-+
---
-Unique value of the Zookeeper transaction ID. The zxid consists of an epoch and a counter. It is established by the leader and is used to determine the temporal ordering of changes
-
-type: keyword
-
---
-
-*`zookeeper.server.count`*::
-+
---
-Total transactions of the leader in epoch
-
-type: long
-
---
-
-*`zookeeper.server.epoch`*::
-+
---
-Epoch value of the Zookeeper transaction ID. An epoch signifies the period in which a server is a leader
-
-type: long
-
---
-
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/getting-started.asciidoc b/metricbeat/docs/getting-started.asciidoc
deleted file mode 100644
index 8b9ce9e33293..000000000000
--- a/metricbeat/docs/getting-started.asciidoc
+++ /dev/null
@@ -1,167 +0,0 @@
-:modulename: nginx
-
-[id="{beatname_lc}-installation-configuration"]
-== {beatname_uc} quick start: installation and configuration
-
-++++
-<titleabbrev>Quick start: installation and configuration</titleabbrev>
-++++
-
-{beatname_uc} helps you monitor your servers and the services they host by
-collecting metrics from the operating system and services.
-
-This guide describes how to get started quickly with metrics collection.
-You'll learn how to:
-
-* install {beatname_uc} on each system you want to monitor
-* specify the metrics you want to collect
-* send the metrics to {es}
-* visualize the metrics data in {kib}
-
-[role="screenshot"]
-image::./images/{beatname_lc}-system-dashboard.png[{beatname_uc} System dashboard]
-
-[float]
-=== Before you begin
-
-You need {es} for storing and searching your data, and {kib} for visualizing and
-managing it.
-
-include::{libbeat-dir}/tab-widgets/spinup-stack-widget.asciidoc[]
-
-[float]
-[[install]]
-=== Step 1: Install {beatname_uc}
-
-Install {beatname_uc} as close as possible to the service you want to monitor.
-For example, if you have four servers with MySQL running, it's recommended that
-you run {beatname_uc} on each server. This allows {beatname_uc} to access your
-service from localhost and does not cause any additional network traffic or
-prevent {beatname_uc} from collecting metrics when there are network problems.
-Metrics from multiple {beatname_uc} instances will be combined on the
-Elasticsearch server.
-
-To download and install {beatname_uc}, use the commands that work with your
-system:
-
-include::{libbeat-dir}/tab-widgets/install-widget.asciidoc[]
-
-The commands shown are for AMD platforms, but ARM packages are also available.
-Refer to the https://www.elastic.co/downloads/beats/{beatname_lc}[download page]
-for the full list of available packages.
-
-[float]
-[[other-installation-options]]
-==== Other installation options
-
-* <<setup-repositories,APT or YUM>>
-* https://www.elastic.co/downloads/beats/{beatname_lc}[Download page]
-* <<running-on-docker,Docker>>
-* <<running-on-kubernetes,Kubernetes>>
-* <<running-on-cloudfoundry,Cloud Foundry>>
-
-[float]
-[[set-connection]]
-=== Step 2: Connect to the {stack}
-
-include::{libbeat-dir}/shared/connecting-to-es.asciidoc[]
-
-[float]
-[[enable-modules]]
-=== Step 3: Enable and configure metrics collection modules
-
-{beatname_uc} uses modules to collect metrics. Each module defines the basic
-logic for collecting data from a specific service, such as Redis or MySQL. A
-module consists of metricsets that fetch and structure the data. Read
-<<how-{beatname_lc}-works>> to learn more.
-
-. Identify the modules you need to enable. To see the list of available
-<<metricbeat-modules,modules>>, run:
-+
---
-include::{libbeat-dir}/tab-widgets/list-modules-widget.asciidoc[]
---
-
-. From the installation directory, enable one or more modules. If you accept the
-default configuration without enabling additional modules, {beatname_uc}
-collects system metrics only.
-+
-The following command enables the +{modulename}+ config in the `modules.d`
-directory:
-+
---
-include::{libbeat-dir}/tab-widgets/enable-modules-widget.asciidoc[]
---
-+
-See the <<modules-command>> to learn more about this command. If you are using a
-Docker image, see <<running-on-docker>>.
-
-. In the module config under `modules.d`, change the module settings to match
-your environment. See <<module-config-options>> for more about available
-settings.
-
-include::{libbeat-dir}/shared/config-check.asciidoc[]
-
-[float]
-[[setup-assets]]
-=== Step 4: Set up assets
-
-{beatname_uc} comes with predefined assets for parsing, indexing, and
-visualizing your data. To load these assets:
-
-. Make sure the user specified in +{beatname_lc}.yml+ is
-<<privileges-to-setup-beats,authorized to set up {beatname_uc}>>.
-
-. From the installation directory, run:
-+
---
-include::{libbeat-dir}/tab-widgets/setup-widget.asciidoc[]
---
-+
-`-e` is optional and sends output to standard error instead of the configured log output.
-
-This step loads the recommended {ref}/index-templates.html[index template] for writing to {es}
-and deploys the sample dashboards for visualizing the data in {kib}.
-
-[TIP]
-=====
-A connection to {es} (or {ess}) is required to set up the initial
-environment. If you're using a different output, such as {ls}, see
-<<load-template-manually>> and <<load-kibana-dashboards>>.
-=====
-
-[float]
-[[start]]
-=== Step 5: Start {beatname_uc}
-
-Before starting {beatname_uc}, modify the user credentials in
-+{beatname_lc}.yml+ and specify a user who is
-<<privileges-to-publish-events,authorized to publish events>>.
-
-To start {beatname_uc}, run:
-
-// tag::start-step[]
-:requires-sudo:
-include::{libbeat-dir}/tab-widgets/start-widget.asciidoc[]
-:requires-sudo!:
-// end::start-step[]
-
-{beatname_uc} should begin streaming metrics to {es}.
-
-[float]
-[[view-data]]
-=== Step 6: View your data in {kib}
-
-include::{libbeat-dir}/shared/opendashboards.asciidoc[tag=open-dashboards-intro]
-
-include::{libbeat-dir}/shared/opendashboards.asciidoc[tag=open-dashboards]
-
-[float]
-=== What's next?
-
-Now that you have your infrastructure metrics streaming into {es}, learn how to
-unify your logs, metrics, uptime, and application performance data.
-
-include::{libbeat-dir}/shared/obs-apps.asciidoc[]
-
-:modulename!:
diff --git a/metricbeat/docs/how-metricbeat-works.asciidoc b/metricbeat/docs/how-metricbeat-works.asciidoc
deleted file mode 100644
index 36029f5ab5c7..000000000000
--- a/metricbeat/docs/how-metricbeat-works.asciidoc
+++ /dev/null
@@ -1,186 +0,0 @@
-[[how-metricbeat-works]]
-== How Metricbeat works
-
-Metricbeat consists of modules and metricsets. A Metricbeat _module_ defines the
-basic logic for collecting data from a specific service, such as Redis, MySQL,
-and so on. The module specifies details about the service, including how to connect,
-how often to collect metrics, and which metrics to collect.
-
-Each module has one or more metricsets. A _metricset_ is the part of the module
-that fetches and structures the data. Rather than collecting each metric as a
-separate event, metricsets retrieve a list of multiple related metrics in a single request
-to the remote system. So, for example, the Redis module provides an `info`
-metricset that collects information and statistics from Redis by running the
-http://redis.io/commands/INFO[`INFO`] command and parsing the returned result.
-
-image::./images/module-overview.png[Modules and metricsets]
-
-Likewise, the MySQL module provides a `status` metricset that collects data
-from MySQL by running a http://dev.mysql.com/doc/refman/5.7/en/show-status.html[`SHOW GLOBAL STATUS`]
-SQL query. Metricsets make it easier for you by grouping sets of related metrics together
-in a single request returned by the remote server. Most modules have default metricsets
- that are enabled if there are no user-enabled metricsets.
-
-Metricbeat retrieves metrics by periodically interrogating the host system based
-on the `period` value that you specify when you configure the module. Because multiple
-metricsets can send requests to the same service, Metricbeat reuses connections
-whenever possible. If Metricbeat cannot connect to the host system within the time
-specified by the `timeout` config setting, it returns an error. Metricbeat sends
-the events asynchronously, which means the event retrieval is not acknowledged. If
-the configured output is not available, events may be lost.
-
-When Metricbeat encounters an error (for example, when it cannot connect to the host
-system), it sends an event error to the specified output. This means that Metricbeat
-always sends an event, even when there is a failure. This allows you to monitor
-for errors and see debug messages to help you diagnose what went wrong.
-
-The following topics provide more detail about the structure of Metricbeat events:
-
-* <<metricbeat-event-structure>>
-* <<error-event-structure>>
-
-For more about the benefits of using Metricbeat, see <<key-features>>.
-
-[[metricbeat-event-structure]]
-===  Event structure
-
-Every event sent by Metricbeat has the same basic structure. It contains the following fields:
-
-*`@timestamp`*:: Time when the event was captured
-*`host.hostname`*:: Hostname of the server on which the Beat is running
-*`agent.type`*:: Name given to the Beat
-*`event.module`*:: Name of the module that the data is from
-*`event.dataset`*:: Name of the module that the data is from
-
-For example:
-
-[source,json]
-----
-{
-  "@timestamp": "2016-06-22T22:05:53.291Z",
-  "agent": {
-    "type": "metricbeat"
-  },
-  "host": {
-     "hostname": "host.example.com",
-   },
-  "event": {
-    "dataset": "system.process",
-    "module": process
-  },
-  .
-  .
-  .
-
-  "type": "metricsets"
-}
-----
-
-For more information about the exported fields, see <<exported-fields>>.
-
-[[error-event-structure]]
-===  Error event structure
-
-Metricbeat sends an error event when the service is not reachable. The error event
-has the same structure as the <<metricbeat-event-structure,base event>>, but also
-has an error field that contains an error string. This makes it possible to check
-for errors across all metric events.
-
-The following example shows an error event sent when the Apache server is not
-reachable:
-
-[source,json]
-----
-{
-  "@timestamp": "2016-03-18T12:18:57.124Z",
-  "apache-status": {},
-  "beat": {
-    "hostname": "host.example.com",
-    "name": "host.example.com"
-  },
-  "error": {
-    "message": "Get http://127.0.0.1/server-status?auto: dial tcp 127.0.0.1:80: getsockopt: connection refused",
-  },
-  "metricset": {
-    "module": "apache",
-    "name": "status",
-    "rtt": 1082
-  },
-  .
-  .
-  .
-
-  "type": "metricsets"
-----
-
-[[key-features]]
-=== Key metricbeat features
-
-Metricbeat has some key features that are critical to how it works:
-
-* <<metricbeat-error-events>>
-* <<no-aggregations>>
-* <<more-than-numbers>>
-* <<multiple-events-in-one>>
-
-[[metricbeat-error-events]]
-==== Metricbeat error events
-
-Metricbeat sends more than just metrics. When it cannot retrieve metrics, it
-sends error events. The error is not simply a flag, but a full error string that is
-created during fetching from the host systems. This enables you to monitor not
-only the metrics, but also any errors that occur during metrics monitoring.
-
-Because you see the full error message, you can track down the error faster.
-Metricbeat is installed locally on the host machine, which means that you can
-differentiate errors that happen locally from other issues, such as network problems.
-
-Each metricset is retrieved based on a predefined period, so when Metricbeat fails to
-retrieve metrics for more than one interval, you can infer that there is potentially
-something wrong with the host or host connectivity.
-
-[[no-aggregations]]
-==== No aggregations when data is fetched
-
-Metricbeat doesn't do aggregations like gauge, sum, counters, and so on. Metricbeat
-sends the raw data retrieved from the host to the output for processing. When using
-Elasticsearch, this has the advantage that all raw data is available on the
-Elasticsearch host for drilling down into the details, and the data can be
-reprocessed at any time. It also reduces the complexity of Metricbeat.
-
-[[more-than-numbers]]
-==== Sends more than just numbers
-
-Metricbeat sends more than just numbers. The metrics that Metricbeat sends can also
-contain strings to report status information. This is useful when you're using
-Elasticsearch to store the metrics data. Because each metricset has a predefined
-structure, Elasticsearch knows in advance which types will be stored in
-Elasticsearch, and it can optimize storage.
-
-Basic meta information about each metric (such as the host) is also sent as part
-of each event.
-
-[[multiple-events-in-one]]
-==== Multiple metrics in one event
-
-Rather than containing a single metric, each event created by Metricbeat
-contains a list of metrics. This means that you can retrieve all the metrics
-in a single request to the host system, resulting in less load on the host
-system. If you are sending the metrics to Elasticsearch as the output,
-Elasticsearch can directly store and query the metrics as a nested
-JSON document, making it very efficient for sending metrics data to Elasticsearch.
-
-Because the full raw event data is available, Metricbeat or Elasticsearch can
-do any required transformations on the data later. For example, if you need to
-store data in the http://metrics20.org/[Metrics2.0] format, you could generate
-the format out of the existing event by splitting up the full event into multiple
-metrics2.0 events.
-
-Meta information about the type of each metric is stored in the mapping
-template. Meta information that is common to all metric events, such as host and
-timestamp, is part of the event structure itself  and is only stored once for
-all events in the metricset.
-
-Having all the related metrics in a single event also makes it easier to look
-at other values when one of the metrics for a service seems off.
-
diff --git a/metricbeat/docs/howto/howto.asciidoc b/metricbeat/docs/howto/howto.asciidoc
deleted file mode 100644
index 302af5435e90..000000000000
--- a/metricbeat/docs/howto/howto.asciidoc
+++ /dev/null
@@ -1,38 +0,0 @@
-[[howto-guides]]
-= How to guides
-
-[partintro]
---
-Learn how to perform common {beatname_uc} configuration tasks.
-
-* <<{beatname_lc}-template>>
-* <<change-index-name>>
-* <<load-kibana-dashboards>>
-* <<{beatname_lc}-geoip>>
-* <<using-environ-vars>>
-* <<configuring-ingest-node>>
-* <<yaml-tips>>
-
-
---
-
-include::{libbeat-dir}/howto/load-index-templates.asciidoc[]
-
-include::{libbeat-dir}/howto/change-index-name.asciidoc[]
-
-include::{libbeat-dir}/howto/load-dashboards.asciidoc[]
-
-include::{libbeat-dir}/shared-geoip.asciidoc[]
-
-:standalone:
-include::{libbeat-dir}/shared-env-vars.asciidoc[]
-:standalone!:
-
-include::{libbeat-dir}/shared-config-ingest.asciidoc[]
-
-:standalone:
-include::{libbeat-dir}/yaml.asciidoc[]
-:standalone!:
-
-
-
diff --git a/metricbeat/docs/images/configuration-blocks.png b/metricbeat/docs/images/configuration-blocks.png
deleted file mode 100644
index 20fef6b173d7..000000000000
Binary files a/metricbeat/docs/images/configuration-blocks.png and /dev/null differ
diff --git a/metricbeat/docs/images/enrolled-beats-apache.png b/metricbeat/docs/images/enrolled-beats-apache.png
deleted file mode 100644
index d540758cd83a..000000000000
Binary files a/metricbeat/docs/images/enrolled-beats-apache.png and /dev/null differ
diff --git a/metricbeat/docs/images/enrolled-beats-dev-prod.png b/metricbeat/docs/images/enrolled-beats-dev-prod.png
deleted file mode 100644
index ac5b28c64c20..000000000000
Binary files a/metricbeat/docs/images/enrolled-beats-dev-prod.png and /dev/null differ
diff --git a/metricbeat/docs/images/enrolled-beats.png b/metricbeat/docs/images/enrolled-beats.png
deleted file mode 100644
index 2a4ca97eea32..000000000000
Binary files a/metricbeat/docs/images/enrolled-beats.png and /dev/null differ
diff --git a/metricbeat/docs/images/metricbeat-gcp-load-balancing-https-overview.png b/metricbeat/docs/images/metricbeat-gcp-load-balancing-https-overview.png
deleted file mode 100644
index f441ed6c3261..000000000000
Binary files a/metricbeat/docs/images/metricbeat-gcp-load-balancing-https-overview.png and /dev/null differ
diff --git a/metricbeat/docs/images/metricbeat-gcp-load-balancing-l3-overview.png b/metricbeat/docs/images/metricbeat-gcp-load-balancing-l3-overview.png
deleted file mode 100644
index f2e99bf51cfc..000000000000
Binary files a/metricbeat/docs/images/metricbeat-gcp-load-balancing-l3-overview.png and /dev/null differ
diff --git a/metricbeat/docs/images/metricbeat-gcp-load-balancing-tcp-ssl-proxy-overview.png b/metricbeat/docs/images/metricbeat-gcp-load-balancing-tcp-ssl-proxy-overview.png
deleted file mode 100644
index 9290f6637f26..000000000000
Binary files a/metricbeat/docs/images/metricbeat-gcp-load-balancing-tcp-ssl-proxy-overview.png and /dev/null differ
diff --git a/metricbeat/docs/images/option_ignore_outgoing.png b/metricbeat/docs/images/option_ignore_outgoing.png
deleted file mode 100644
index 43813abb6645..000000000000
Binary files a/metricbeat/docs/images/option_ignore_outgoing.png and /dev/null differ
diff --git a/metricbeat/docs/index.asciidoc b/metricbeat/docs/index.asciidoc
deleted file mode 100644
index d5b137af48fd..000000000000
--- a/metricbeat/docs/index.asciidoc
+++ /dev/null
@@ -1,69 +0,0 @@
-= Metricbeat Reference
-
-:libbeat-dir: {docdir}/../../libbeat/docs
-
-:libbeat-xpack-dir: ../../../x-pack/libbeat
-
-include::{libbeat-dir}/version.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/versions/stack/{source_branch}.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
-
-:beatname_lc: metricbeat
-:beatname_uc: Metricbeat
-:beatname_pkg: {beatname_lc}
-:github_repo_name: beats
-:discuss_forum: beats/{beatname_lc}
-:beat_default_index_prefix: {beatname_lc}
-:beat_kib_app: {kib} Metrics
-:has_solutions:
-:has_docker_label_ex:
-:has_modules_command:
-:deb_os:
-:rpm_os:
-:mac_os:
-:linux_os:
-:docker_platform:
-:win_os:
-:no_cache_processor:
-:no_decode_cef_processor:
-:no_decode_csv_fields_processor:
-:no_parse_aws_vpc_flow_log_processor:
-:no_timestamp_processor:
-:no_add_session_metadata_processor:
-
-:kubernetes_default_indexers: {docdir}/kubernetes-default-indexers-matchers.asciidoc
-
-include::{libbeat-dir}/shared-beats-attributes.asciidoc[]
-
-include::./overview.asciidoc[]
-
-include::./getting-started.asciidoc[]
-
-include::./setting-up-running.asciidoc[]
-
-include::./upgrading.asciidoc[]
-
-include::./how-metricbeat-works.asciidoc[]
-
-include::./configuring-howto.asciidoc[]
-
-include::{docdir}/howto/howto.asciidoc[]
-
-include::./modules.asciidoc[]
-
-include::./fields.asciidoc[]
-
-include::{libbeat-dir}/monitoring/monitoring-beats.asciidoc[]
-
-include::{libbeat-dir}/shared-securing-beat.asciidoc[]
-
-include::./troubleshooting.asciidoc[]
-
-include::./faq.asciidoc[]
-
-include::{libbeat-dir}/contributing-to-beats.asciidoc[]
-
-include::{libbeat-dir}/redirects.asciidoc[]
-
diff --git a/metricbeat/docs/kubernetes-default-indexers-matchers.asciidoc b/metricbeat/docs/kubernetes-default-indexers-matchers.asciidoc
deleted file mode 100644
index c3bf974d53d8..000000000000
--- a/metricbeat/docs/kubernetes-default-indexers-matchers.asciidoc
+++ /dev/null
@@ -1,14 +0,0 @@
-When `add_kubernetes_metadata` is used with {beatname_uc}, it uses the `ip_port`
-indexer and the `fields` matcher with the `metricset.host` field. So events that
-contain a `metricset.host` field are enriched with metadata of the pods that
-exposes the same port in the same IP.
-
-This behaviour can be disabled by disabling default indexers and matchers in the
-configuration:
-[source,yaml]
--------------------------------------------------------------------------------
-processors:
-  - add_kubernetes_metadata:
-      default_indexers.enabled: false
-      default_matchers.enabled: false
--------------------------------------------------------------------------------
diff --git a/metricbeat/docs/metricbeat-filtering.asciidoc b/metricbeat/docs/metricbeat-filtering.asciidoc
deleted file mode 100644
index 096948238ea6..000000000000
--- a/metricbeat/docs/metricbeat-filtering.asciidoc
+++ /dev/null
@@ -1,20 +0,0 @@
-[[filtering-and-enhancing-data]]
-== Filter and enhance data with processors
-
-++++
-<titleabbrev>Processors</titleabbrev>
-++++
-
-include::{libbeat-dir}/processors.asciidoc[]
-
-For example, the following configuration reduces the exported fields by
-dropping the `agent.name` and `agent.version` fields under `beat` from all documents.
-
-[source, yaml]
-----
-processors:
-  - drop_fields:
-      fields: ['agent']
-----
-
-include::{libbeat-dir}/processors-using.asciidoc[]
diff --git a/metricbeat/docs/metricbeat-general-options.asciidoc b/metricbeat/docs/metricbeat-general-options.asciidoc
deleted file mode 100644
index 2e6378637284..000000000000
--- a/metricbeat/docs/metricbeat-general-options.asciidoc
+++ /dev/null
@@ -1,49 +0,0 @@
-[[configuration-general-options]]
-== Configure general settings
-
-++++
-<titleabbrev>General settings</titleabbrev>
-++++
-
-You can specify settings in the +{beatname_lc}.yml+ config file to control the
-general behavior of {beatname_uc}. This includes:
-
-* <<configuration-global-options,Global options>> that control things like
-the maximum random delay to apply to the startup of a metricset.
-
-* <<configuration-general,General options>> that are supported by all Elastic
-Beats.
-
-[float]
-[[configuration-global-options]]
-=== Global Metricbeat configuration options
-
-[float]
-==== `metricbeat.max_start_delay`
-
-The maximum random delay to apply to the startup of a metricset. Random delays
-ranging from [0, _max_start_delay_) are applied to reduce the thundering herd
-effect that can occur if a fleet of machines running Metricbeat are restarted at
-the same time. Specifying a value of 0 disables the startup delay. The default
-is 10s.
-
-[source,yaml]
-----
-metricbeat.max_start_delay: 10s
-----
-
-
-[float]
-==== `timeseries.enabled`
-
-Setting this to true (false by default) will add a `timeseries.instance` field
-to all events generated by {beatname_uc}. For a given metricset, this field will
-be unique for every single item being monitored.
-
-[source,yaml]
-----
-timeseries.enabled: true
-----
-
-
-include::{libbeat-dir}/generalconfig.asciidoc[]
diff --git a/metricbeat/docs/metricbeat-options.asciidoc b/metricbeat/docs/metricbeat-options.asciidoc
deleted file mode 100644
index 8929edb06ef7..000000000000
--- a/metricbeat/docs/metricbeat-options.asciidoc
+++ /dev/null
@@ -1,329 +0,0 @@
-:modulename: apache mysql
-
-[[configuration-metricbeat]]
-== Configure modules
-
-++++
-<titleabbrev>Modules</titleabbrev>
-++++
-
-You can configure modules in the `modules.d` directory (recommended), or in the
-{beatname_uc} configuration file. Settings for enabled modules in the
-`modules.d` directory take precedence over module settings in the {beatname_uc}
-configuration file.
-
-Before running {beatname_uc} with modules enabled, make sure you also set up the
-environment to use {kib} dashboards. See
-<<{beatname_lc}-installation-configuration>> for more information.
-
-include::{libbeat-dir}/shared-note-file-permissions.asciidoc[]
-
-[float]
-[[configure-modules-d-configs]]
-=== Configure modules in the `modules.d` directory
-
-The `modules.d` directory contains default configurations for all the modules
-available in {beatname_uc}. To enable or disable specific module configurations
-under `modules.d`, run the
-<<modules-command,`modules enable` or `modules disable`>> command. For example:
-
-include::{libbeat-dir}/tab-widgets/enable-modules-widget.asciidoc[]
-
-Then when you run Metricbeat, it loads the corresponding module configurations
-specified in the `modules.d` directory (for example, `modules.d/apache.yml` and
-`modules.d/mysql.yml`).
-
-To see a list of enabled and disabled modules, run:
-
-include::{libbeat-dir}/tab-widgets/list-modules-widget.asciidoc[]
-
-To change the default module configurations, modify the `.yml` files
-in the `modules.d` directory.
-
-The following example shows a basic configuration for the Apache module:
-
-[source,yaml]
-----
-- module: apache
-  metricsets: ["status"]
-  hosts: ["http://127.0.0.1/"]
-  period: 10s
-  fields:
-    dc: west
-  tags: ["tag"]
-  processors:
-  ....
-----
-
-
-See <<config-combos>> for additional configuration examples.
-
-[float]
-[[configure-modules-config-file]]
-=== Configure modules in the +{beatname_lc}.yml+ file
-
-When possible, you should use the config files in the `modules.d` directory.
-
-However, configuring <<{beatname_lc}-modules,modules>> directly in the config
-file is a practical approach if you have upgraded from a previous version
-of {beatname_uc} and don't want to move your module configs to the `modules.d`
-directory. You can continue to configure modules in the +{beatname_lc}.yml+
-file, but you won't be able to use the `modules` command to enable and disable
-configurations because the command requires the `modules.d` layout.
-
-To enable specific modules and metricsets in the +{beatname_lc}.yml+ config
-file, add entries to the +{beatname_lc}.modules+ list. Each entry in the
-list begins with a dash (-) and is followed by settings for that module.
-
-TIP: Check the `modules.d` directory to verify that the modules you've
-specified in +{beatname_lc}.yml+ are disabled (filename ends with
-`.disabled`). If they aren't, disable them now by running
-+{beatname_lc} modules disable <modulename>+.
-
-The following example shows a configuration where the `apache` and `mysql`
-modules are enabled:
-
-[source,yaml]
-------------------------------------------------------------------------------
-metricbeat.modules:
-
-#---------------------------- Apache Status Module ---------------------------
-- module: apache
-  metricsets: ["status"]
-  period: 1s
-  hosts: ["http://127.0.0.1/"]
-
-#---------------------------- MySQL Status Module ----------------------------
-- module: mysql
-  metricsets: ["status"]
-  period: 2s
-  hosts: ["root@tcp(127.0.0.1:3306)/"]
-------------------------------------------------------------------------------
-
-In the following example, the Redis host is crawled for `stats` information
-every second because this is critical data, but the full list of Apache
-metricsets is only fetched every 30 seconds because the metrics are less
-critical.
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: redis
-  metricsets: ["info"]
-  hosts: ["host1"]
-  period: 1s
-- module: apache
-  metricsets: ["info"]
-  hosts: ["host1"]
-  period: 30s
-----
-
-[float]
-[[config-variants]]
-== Configuration variants
-
-Every module comes with a default configuration file. Some modules also come with
-one or more variant configuration files containing common alternative configurations
-for that module.
-
-When you see the list of enabled and disabled modules, those modules with configuration
-variants will be shown as `<module_name>-<variant_name>`. You can enable or disable
-specific configuration variants of a module by specifying `metricbeat modules enable
-<module_name>-<variant_name>` and `metricbeat modules disable <module_name>-<variant_name>`
-respectively.
-
-[float]
-[[config-combos]]
-== Configuration combinations
-
-You can specify a module configuration that uses different combinations of
-metricsets, periods, and hosts.
-
-For a module with multiple metricsets defined, it's possible to define the
-module twice and specify a different period to use for each metricset. For the
-following example, the `set1` metricset will be fetched every 10 seconds, while
-the `set2` metricset will be fetched every 2 minutes:
-
-[source,yaml]
-----
-- module: example
-  metricsets: ["set1"]
-  hosts: ["host1"]
-  period: 10s
-- module: example
-  metricsets: ["set2"]
-  hosts: ["host1"]
-  period: 2m
-----
-
-
-[float]
-[[module-config-options]]
-=== Standard config options
-
-You can specify the following options for any Metricbeat module. Some modules
-require additional configuration settings. See the <<metricbeat-modules>>
-section for more information.
-
-[float]
-==== `module`
-
-The name of the module to run. For documentation about each module, see the
-<<metricbeat-modules>> section.
-
-[float]
-==== `metricsets`
-
-A list of metricsets to execute. Make sure that you only list metricsets that
-are available in the module. It is not possible to reference metricsets from
-other modules. For a list of available metricsets, see <<metricbeat-modules>>.
-
-[float]
-==== `enabled`
-
-A Boolean value that specifies whether the module is enabled. If you use the
-default config file, `metricbeat.yml`, the System module is enabled (set to
-`enabled: true`) by default. If the `enabled` option is missing from the
-configuration block, the module is enabled by default.
-
-[float]
-[[metricset-period]]
-==== `period`
-
-How often the metricsets are executed. If a system is not reachable, Metricbeat
-returns an error for each period. This setting is required.
-
-[float]
-==== `hosts`
-
-A list of hosts to fetch information from. For some metricsets, such as the
-System module, this setting is optional.
-
-[float]
-==== `fields`
-
-A dictionary of fields that will be sent with the metricset event. This setting
-is optional.
-
-[float]
-==== `tags`
-
-A list of tags that will be sent with the metricset event. This setting is
-optional.
-
-[float]
-==== `processors`
-
-A list of processors to apply to the data generated by the metricset.
-
-See <<filtering-and-enhancing-data>> for information about specifying
-processors in your config.
-
-[float]
-==== `index`
-
-If present, this formatted string overrides the index for events from this
-module (for elasticsearch outputs), or sets the `raw_index` field of the event's
-metadata (for other outputs). This string can only refer to the agent name and
-version and the event timestamp; for access to dynamic fields, use
-`output.elasticsearch.index` or a processor.
-
-Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might
-expand to `"metricbeat-myindex-2019.12.13"`.
-
-[float]
-==== `keep_null`
-
-If this option is set to true, fields with `null` values will be published in
-the output document. By default, `keep_null` is set to `false`.
-
-[float]
-==== `service.name`
-
-A name given by the user to the service the data is collected from. It can be
-used for example to identify information collected from nodes of different
-clusters with the same `service.type`.
-
-[float]
-[[module-http-config-options]]
-=== Standard HTTP config options
-
-Modules and metricsets that define the host as an HTTP URL can use the standard
-schemes for HTTP (`http://` and `https://`) and the following schemes to connect
-to local pipes:
-
-* `http+unix://` to connect to UNIX sockets.
-* `http+npipe://` to connect to Windows named pipes.
-
-The following options are available for modules and metricsets that define the
-host as an HTTP URL:
-
-[float]
-==== `username`
-
-The username to use for basic authentication.
-
-[float]
-==== `password`
-
-The password to use for basic authentication.
-
-[float]
-==== `connect_timeout`
-
-Total time limit for an HTTP connection to be completed (Default: 2 seconds).
-
-[float]
-==== `timeout`
-
-Total time limit for HTTP requests made by the module (Default: 10 seconds).
-
-[float]
-==== `ssl`
-
-Configuration options for SSL parameters like the certificate authority to use
-for HTTPS-based connections.
-
-See <<configuration-ssl>> for more information.
-
-[float]
-==== `headers`
-
-A list of headers to use with the HTTP request. For example:
-
-[source,yaml]
-----
-headers:
-  Cookie: abcdef=123456
-  My-Custom-Header: my-custom-value
-----
-
-[float]
-==== `bearer_token_file`
-
-If defined, Metricbeat will read the contents of the file once at initialization
-and then use the value in an HTTP Authorization header.
-
-[float]
-==== `basepath`
-
-An optional base path to be used in HTTP URIs. If defined, Metricbeat will insert this value
-as the first segment in the HTTP URI path.
-
-[float]
-==== `query`
-
-An optional value to pass common query params in YAML. Instead of setting the query params
-within hosts values using the syntax `?key=value&key2&value2`, you can set it here like this:
-
-[source,yaml]
-----
-query:
-  key: value
-  key2: value2
-  list:
-  - 1.1
-  - 2.95
-  - -15
-----
-:modulename!:
diff --git a/metricbeat/docs/modules.asciidoc b/metricbeat/docs/modules.asciidoc
deleted file mode 100644
index ea572984ff3a..000000000000
--- a/metricbeat/docs/modules.asciidoc
+++ /dev/null
@@ -1,13 +0,0 @@
-[[metricbeat-modules]]
-= Modules
-
-[partintro]
---
-This section contains detailed information about the metric collecting modules
-contained in {beatname_uc}. Each module contains one or multiple metricsets. More details
-about each module can be found under the links below.
-
-include::modules_list.asciidoc[]
-
-
-
diff --git a/metricbeat/docs/modules/activemq.asciidoc b/metricbeat/docs/modules/activemq.asciidoc
deleted file mode 100644
index 493a032f1101..000000000000
--- a/metricbeat/docs/modules/activemq.asciidoc
+++ /dev/null
@@ -1,65 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: activemq
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/activemq/_meta/docs.asciidoc
-
-
-[[metricbeat-module-activemq]]
-[role="xpack"]
-== ActiveMQ module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This module periodically fetches JMX metrics from Apache ActiveMQ.
-
-[float]
-=== Compatibility
-The module has been tested with ActiveMQ 5.13.0 and 5.15.9. Other versions are expected to work.
-
-[float]
-=== Usage
-The ActiveMQ module requires <<metricbeat-module-jolokia,Jolokia>> to fetch JMX metrics. Refer to the link for instructions about how to use Jolokia.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The ActiveMQ module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: activemq
-  metricsets: ['broker', 'queue', 'topic']
-  period: 10s
-  hosts: ['localhost:8161']
-  path: '/api/jolokia/?ignoreErrors=true&canonicalNaming=false'
-  username: admin # default username
-  password: admin # default password
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-activemq-broker,broker>>
-
-* <<metricbeat-metricset-activemq-queue,queue>>
-
-* <<metricbeat-metricset-activemq-topic,topic>>
-
-include::activemq/broker.asciidoc[]
-
-include::activemq/queue.asciidoc[]
-
-include::activemq/topic.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/activemq/broker.asciidoc b/metricbeat/docs/modules/activemq/broker.asciidoc
deleted file mode 100644
index 559e5934aef4..000000000000
--- a/metricbeat/docs/modules/activemq/broker.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/activemq/broker/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-activemq-broker]]
-[role="xpack"]
-=== ActiveMQ broker metricset
-
-include::../../../../x-pack/metricbeat/module/activemq/broker/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-activemq,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/activemq/broker/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/activemq/queue.asciidoc b/metricbeat/docs/modules/activemq/queue.asciidoc
deleted file mode 100644
index df07231cc37b..000000000000
--- a/metricbeat/docs/modules/activemq/queue.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/activemq/queue/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-activemq-queue]]
-[role="xpack"]
-=== ActiveMQ queue metricset
-
-include::../../../../x-pack/metricbeat/module/activemq/queue/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-activemq,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/activemq/queue/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/activemq/topic.asciidoc b/metricbeat/docs/modules/activemq/topic.asciidoc
deleted file mode 100644
index 5039b9d5375f..000000000000
--- a/metricbeat/docs/modules/activemq/topic.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/activemq/topic/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-activemq-topic]]
-[role="xpack"]
-=== ActiveMQ topic metricset
-
-include::../../../../x-pack/metricbeat/module/activemq/topic/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-activemq,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/activemq/topic/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aerospike.asciidoc b/metricbeat/docs/modules/aerospike.asciidoc
deleted file mode 100644
index b4c6a59d12ea..000000000000
--- a/metricbeat/docs/modules/aerospike.asciidoc
+++ /dev/null
@@ -1,82 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: aerospike
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/aerospike/_meta/docs.asciidoc
-
-
-[[metricbeat-module-aerospike]]
-== Aerospike module
-
-The Aerospike module uses the http://www.aerospike.com/docs/reference/info[Info command] to collect metrics. The default metricset is `namespace`.
-
-[float]
-=== Compatibility
-
-The Aerospike metricsets were tested with Aerospike Enterprise Edition 7.2.0.1 and are expected to work with all versions >= 4.9.
-
-
-[float]
-=== Dashboard
-
-The Aerospike module comes with a predefined dashboard for Aerospike namespace, node specific stats. For example:
-
-image::./images/metricbeat-aerospike-overview.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Aerospike module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: aerospike
-  metricsets: ["namespace"]
-  enabled: true
-  period: 10s
-  hosts: ["localhost:3000"]
-
-  # Aerospike Cluster Name
-  #cluster_name: myclustername
-
-  # Username of hosts. Empty by default.
-  #username: root
-
-  # Password of hosts. Empty by default.
-  #password: secret
-
-  # Authentication modes: https://aerospike.com/docs/server/guide/security/access-control
-  # Possible values: internal (default), external, pki
-  #auth_mode: internal
-
-  # Optional SSL/TLS (disabled by default)
-  #ssl.enabled: true
-
-  # List of root certificates for SSL/TLS server verification
-  #ssl.certificate_authorities: ["/etc/pki/root/ca.crt"]
-
-  # Certificate for SSL/TLS client authentication
-  #ssl.certificate: "/etc/pki/client/cert.crt"
-
-  # Client certificate key file
-  #ssl.key: "/etc/pki/client/cert.key"
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-aerospike-namespace,namespace>>
-
-include::aerospike/namespace.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/aerospike/namespace.asciidoc b/metricbeat/docs/modules/aerospike/namespace.asciidoc
deleted file mode 100644
index dfd97e08fb14..000000000000
--- a/metricbeat/docs/modules/aerospike/namespace.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/aerospike/namespace/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aerospike-namespace]]
-=== Aerospike namespace metricset
-
-include::../../../module/aerospike/namespace/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aerospike,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/aerospike/namespace/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/airflow.asciidoc b/metricbeat/docs/modules/airflow.asciidoc
deleted file mode 100644
index 7c0b562e8ee9..000000000000
--- a/metricbeat/docs/modules/airflow.asciidoc
+++ /dev/null
@@ -1,71 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: airflow
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/airflow/_meta/docs.asciidoc
-
-
-[[metricbeat-module-airflow]]
-[role="xpack"]
-== Airflow module
-
-beta[]
-
-This module collects metrics from
-https://airflow.apache.org/docs/apache-airflow/stable/logging-monitoring/metrics.html[Airflow metrics]. It runs a
-statsd server where airflow will send metrics to. The default metricset is `statsd`.
-
-[float]
-=== Compatibility
-
-The Airflow module is tested with Airflow 2.1.0. It should work with version
-2.0.0 and later.
-
-[float]
-=== Usage
-The Airflow module requires <<metricbeat-module-statsd,Statsd>> to
-receive statsd metrics. Refer to the link for instructions about how
-to use statsd.
-
-Add the following lines to your Airflow configuration file
-e.g. `airflow.cfg` ensuring `statsd_prefix` is left empty and replace
-`%METRICBEAT_HOST%` with the address where metricbeat is running:
-
-```
-[metrics]
-statsd_on = True
-statsd_host = %METRICBEAT_HOST%
-statsd_port = 8126
-statsd_prefix =
-```
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Airflow module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: airflow
-  host: "localhost"
-  port: "8126"
-  #ttl: "30s"
-  metricsets: [ 'statsd' ]
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-airflow-statsd,statsd>>
-
-include::airflow/statsd.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/airflow/statsd.asciidoc b/metricbeat/docs/modules/airflow/statsd.asciidoc
deleted file mode 100644
index 93226bf15221..000000000000
--- a/metricbeat/docs/modules/airflow/statsd.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/airflow/statsd/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-airflow-statsd]]
-[role="xpack"]
-=== Airflow statsd metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/airflow/statsd/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-airflow,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/airflow/statsd/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/apache.asciidoc b/metricbeat/docs/modules/apache.asciidoc
deleted file mode 100644
index 0bb38c2fd3d7..000000000000
--- a/metricbeat/docs/modules/apache.asciidoc
+++ /dev/null
@@ -1,75 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: apache
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/apache/_meta/docs.asciidoc
-
-
-[[metricbeat-module-apache]]
-== Apache module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This module periodically fetches metrics from https://httpd.apache.org/[Apache
-HTTPD] servers. The default metricset is `status`.
-
-[float]
-=== Compatibility
-
-The Apache metricsets were tested with Apache 2.4.12 and 2.4.54 and are expected to work with
-all versions >= 2.2.31 and >= 2.4.16.
-
-
-[float]
-=== Dashboard
-
-The Apache module comes with a predefined dashboard. For example:
-
-image::./images/apache_httpd_server_status.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Apache module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: apache
-  metricsets: ["status"]
-  period: 10s
-  enabled: true
-
-  # Apache hosts
-  hosts: ["http://127.0.0.1"]
-
-  # Path to server status. Default server-status
-  #server_status_path: "server-status"
-
-  # Username of hosts.  Empty by default
-  #username: username
-
-  # Password of hosts. Empty by default
-  #password: password
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-apache-status,status>>
-
-include::apache/status.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/apache/status.asciidoc b/metricbeat/docs/modules/apache/status.asciidoc
deleted file mode 100644
index 6ce24cf0fde7..000000000000
--- a/metricbeat/docs/modules/apache/status.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/apache/status/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-apache-status]]
-=== Apache status metricset
-
-include::../../../module/apache/status/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-apache,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/apache/status/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws.asciidoc b/metricbeat/docs/modules/aws.asciidoc
deleted file mode 100644
index 291e2b7c09b8..000000000000
--- a/metricbeat/docs/modules/aws.asciidoc
+++ /dev/null
@@ -1,551 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: aws
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/_meta/docs.asciidoc
-
-
-[[metricbeat-module-aws]]
-[role="xpack"]
-== AWS module
-
-:libbeat-xpack-dir: ../../../x-pack/libbeat
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This module periodically fetches monitoring metrics from AWS CloudWatch using
-https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricData.html[GetMetricData API] for AWS services.
-
-All metrics are enabled by default.
-
-IMPORTANT: Extra AWS charges on CloudWatch API requests will be generated by this
-module. Please see <<aws-api-requests,AWS API requests>> for more details.
-
-[float]
-== Module-specific configuration notes
-
-* *AWS Credentials*
-
-The `aws` module requires AWS credentials configuration in order to make AWS API calls.
-Users can either use `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and/or
-`AWS_SESSION_TOKEN`, or use shared AWS credentials file.
-Please see <<aws-credentials-config,AWS credentials options>> for more details.
-
-If you use AWS CloudWatch cross-account observability, credentials of the monitoring account
-should be used here and Metricbeat will collect all metrics from both the monitoring
-account and the linked source accounts.
-
-* *regions*
-
-This module also accepts optional configuration `regions` to specify which
-AWS regions to query metrics from. If the `regions` parameter is not set in the
-config file, then by default, the `aws` module will query metrics from all available
-AWS regions. If `endpoint` is specified, `regions` becomes a required config parameter.
-
-* *latency*
-
-Some AWS services send monitoring metrics to CloudWatch with a latency to
-process larger than Metricbeat collection period. This will cause data points missing
-or none get collected by Metricbeat. In this case, please specify a `latency`
-parameter so collection start time and end time will be shifted by the given
-latency amount.
-
-* *data_granularity*
-
-AWS CloudWatch allows to define the granularity of the returned data points, by setting "Period" while querying metrics.
-Please see https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_MetricDataQuery.html[MetricDataQuery parameters] for more information.
-
-By default, metricbeat will query CloudWatch setting "Period" to Metricbeat collection period. If you wish to set a custom value for "Period", please specify a `data_granularity` parameter.
-By setting `period` and `data_granularity` together, you can control, respectively, how frequently you want your metrics to be collected and how granular they have to be.
-
-If you are concerned about reducing the cost derived by CloudWatch API calls made by Metricbeat with an extra delay in retrieving metrics as trade off, you may consider setting `data_granularity` and increase Metricbeat collection period. For example,
-setting `data_granularity` to your current value for `period`, and doubling the value of `period`, may lead to a 50% savings in terms of GetMetricData API calls cost.
-
-* *endpoint*
-
-Most AWS services offer a regional endpoint that can be used to make requests.
-The general syntax of a regional endpoint is `protocol://service-code.region-code.endpoint-code`.
-Some services, such as IAM, do not support regions. The endpoints for these
-services do not include a region. In `aws` module, `endpoint` config is to set
-the `endpoint-code` part, such as `amazonaws.com`, `amazonaws.com.cn`, `c2s.ic.gov`,
-`sc2s.sgov.gov`.
-
-If endpoint is specified, `regions` config becomes required.
-
-* *include_linked_accounts*
-
-The `include_linked_accounts` parameter is used to enable the inclusion of metrics from different accounts linked to a
-main monitoring account. By setting this parameter to true, users can gather metrics from multiple AWS accounts that are
-linked through the https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html[CloudWatch cross-account observability].
-By default, the `include_linked_accounts` parameter is set to true, meaning that metrics from the main monitoring
-account and all linked accounts are all collected. When set to false, the parameter allows the CloudWatch service to
-only retrieve metrics from the monitoring account.
-
-If you need to collect metrics from a specific linked account, use `owning_account` configuration.
-
-*_Note_:* Users should ensure that the necessary IAM roles and policies are properly set up in order to link the monitoring
-account and source accounts together.
-Please see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account-Setup.html#CloudWatch-Unified-Cross-Account-Setup-permissions[Link monitoring accounts with source accounts] for more details.
-
-* *owning_account*
-
-This configuration works together with `include_linked_accounts` configuration and allows to collect metrics from a specific linked account.
-The configuration accepts a valid account ID and internally it maps to the `OwningAccount` parameter of https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_ListMetrics.html[ListMetrics API].
-
-Note that, `include_linked_accounts` should be enabled (which is the default value) to use this parameter.
-
-[source,yaml]
-----
-include_linked_accounts: true
-owning_account: 111111111111
-----
-
-* *tags_filter*
-
-The tags to filter against. If tags are given in config, then only
-collect metrics from resources that have tag key and tag value matches the filter.
-For example, if tags parameter is given as `Organization=Engineering` under
-`AWS/ELB` namespace, then only collect metrics from ELBs with tag name equals to
-`Organization` and tag value equals to `Engineering`. In order to filter for different
-values for the same key, add the values to the value array (see example)
-
-Note: tag filtering only works for metricsets with `resource_type` specified in the
-metricset-specific configuration.
-
-[source,yaml]
-----
-- module: aws
-  period: 5m
-  endpoint: amazonaws.com.cn
-  regions: cn-north-1
-  metricsets:
-    - ec2
-  tags_filter:
-    - key: "Organization"
-      value: ["Engineering", "Product"]
-----
-
-* *fips_enabled*
-
-Enforces the use of FIPS service endpoints. See <<aws-credentials-config,AWS credentials options>> for more information.
-
-[source,yaml]
-----
-- module: aws
-  period: 5m
-  fips_enabled: true
-  regions:
-    - us-east-1
-    - us-east-2
-    - us-west-1
-    - us-west-2
-  metricsets:
-    - ec2
-----
-
-* *apigateway_max_results*
-
-This configuration works together with AWS/APIGateway namespace. It defines the maximum number of returned results per page. The default value is 25 and the maximum value is 500.
-See https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/apigateway@v1.25.8#GetRestApisInput.Limit[GetRestApisInput.Limit]
-
-[source,yaml]
-----
-- module: aws
-      period: 10s
-      regions:
-        - us-east-1
-      metricsets:
-        - cloudwatch
-      metrics:
-        - namespace: "AWS/ApiGateway"
-          resource_type: "apigateway:restapis"
-          apigateway_max_results: 40
-----
-
-The aws module comes with a predefined dashboard. For example:
-
-image::./images/metricbeat-aws-overview.png[]
-
-[float]
-== Metricsets
-
-Currently, we have `billing`, `cloudwatch`, `dynamodb`, `ebs`, `ec2`, `elb`, `kinesis`
-`lambda`, `mtest`, `natgateway`, `rds`, `s3_daily_storage`, `s3_request`, `sns`, `sqs`,
-`transitgateway`, `usage` and `vpn` metricset in `aws` module.
-
-[float]
-=== `billing`
-Billing metric data includes the estimated charges for every service in the AWS
-account and the estimated overall total charge for the AWS account. The estimated
-charges are calculated and sent several times daily to CloudWatch. Therefore,
-`period` in aws module configuration is set to `12h`.
-
-The billing metricset comes with a predefined dashboard:
-
-image::./images/metricbeat-aws-billing-overview.png[]
-
-[float]
-=== `cloudwatch`
-This metricset allows users to query metrics from AWS CloudWatch with any given
-namespaces or specific instance with a given period.
-Please see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-services-cloudwatch-metrics.html[AWS Services That Publish CloudWatch Metrics]
-for a list of AWS services that publish metrics to CloudWatch.
-
-[float]
-=== `dynamodb`
-DynamoDB sends metrics to CloudWatch periodically for better monitoring how web
-application or service is performing.
-
-The dynamodb metricset comes with a predefined dashboard:
-
-image::./images/metricbeat-aws-dynamodb-overview.png[]
-
-[float]
-=== `ebs`
-For basic monitoring in AWS EBS volumes, data is available automatically in
-5-minute periods at no charge. This includes data for the root device volumes
-for EBS-backed instances. User can also enable detailed monitoring for
-provisioned IOPS SSD (io1) volumes to automatically send one-minute metrics to
-CloudWatch. Default period in aws module configuration is set to `5m` for ebs
-metricset.
-
-The ebs metricset comes with a predefined dashboard:
-
-image::./images/metricbeat-aws-ebs-overview.png[]
-
-[float]
-=== `ec2`
-By default, Amazon EC2 sends metric data to CloudWatch every 5 minutes. With this basic monitoring, `period` in aws module
-configuration should be larger or equal than `300s`. If `period` is set to be less than `300s`, the same cloudwatch metrics
-will be collected more than once which will cause extra fees without getting more granular metrics. For example, in `US East (N. Virginia)` region, it costs
-$0.01/1000 metrics requested using GetMetricData. Please see https://aws.amazon.com/cloudwatch/pricing/[AWS CloudWatch Pricing]
-for more details. To avoid unnecessary charges, `period` is preferred to be set to `300s` or multiples of `300s`, such as
-`600s` and `900s`. For more granular monitoring data you can enable detailed monitoring on the instance to get metrics every 1 minute. Please see
-https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html[Enabling Detailed Monitoring] for instructions
-on how to enable detailed monitoring. With detailed monitoring enabled, `period` in aws module configuration can be any number
-larger than `60s`. Since AWS sends metric data to CloudWatch in 1-minute periods, setting metricbeat module `period` less
-than `60s` will cause extra API requests which means extra charges on AWS. To avoid unnecessary charges, `period` is
-preferred to be set to `60s` or multiples of `60s`, such as `120s` and `180s`.
-
-The ec2 metricset comes with a predefined dashboard:
-
-image::./images/metricbeat-aws-ec2-overview.png[]
-
-[float]
-=== `elb`
-elb metricset collects CloudWatch metrics from classic load balancer, application
-load balancer and network load balancer.
-
-All three kinds of elastic load balancing reports metrics to Cloudwatch only when requests are flowing
-through the load balancer. If there are requests flowing through the load balancer,
-Elastic Load Balancing measures and sends its metrics in 60-second intervals.
-If there are no requests flowing through the load balancer or no data for a metric,
-the metric is not reported.
-Therefore, `period` in aws module configuration is set to `1m`.
-
-The elb metricset comes with a predefined dashboard:
-
-image::./images/metricbeat-aws-elb-overview.png[]
-
-[float]
-=== `lambda`
-When an invocation completes, Lambda sends a set of metrics to CloudWatch for that invocation.
-Default period in aws module configuration is set to `5m` for lambda metricset.
-The lambda metricset comes with a predefined dashboard:
-
-image::./images/metricbeat-aws-lambda-overview.png[]
-
-[float]
-=== `natgateway`
-CloudWatch collects information from NAT gateways and creates readable, near real-time metrics.
-This metricset enables users to collect these metrics from CloudWatch to monitor and troubleshoot
-their NAT gateway. NAT gateway metric data is provided at 1-minute intervals and therefore,
-`period` for `natgateway` metricset is recommended to be `1m` or multiples of `1m`.
-
-[float]
-=== `rds`
-`period` for `rds` metricset is recommended to be `60s` or multiples of `60s` because Amazon RDS sends metrics and
-dimensions to Amazon CloudWatch every minute.
-
-The rds metricset comes with a predefined dashboard:
-
-image::./images/metricbeat-aws-rds-overview.png[]
-
-[float]
-=== `s3_daily_storage`
-Daily storage metrics for S3 buckets are reported once per day with no additional cost. Since they are daily metrics,
-`period` for `s3_daily_storage` metricset is recommended to be `86400s` or multiples of `86400s`.
-
-[float]
-=== `s3_request`
-Request metrics are available
-at 1-minute intervals with additional charges. The s3_request metricset will give more
-granular data to track S3 bucket usage. The `period` for `s3_request` metricset can be set to `60s` or multiples of `60s`.
-But because of the extra charges for querying these metrics, the `period` is recommended to set to `86400s`. The user can
-always adjust this to the granularity they want. Request metrics are not enabled by default for S3 buckets. Please see
-https://docs.aws.amazon.com/AmazonS3/latest/user-guide/configure-metrics.html[How to
-Configure Request Metrics for S3] for instructions on how to enable request metrics for
-each S3 bucket.
-
-The s3_daily_storage and s3_request metricset comes with a predefined combined dashboard:
-
-image::./images/metricbeat-aws-s3-overview.png[]
-
-[float]
-=== `sqs`
-CloudWatch metrics for Amazon SQS queues are automatically collected and pushed to CloudWatch every 5 minutes,
-the `period` for `sqs` metricset is recommended to be `300s` or multiples of `300s`.
-
-The sqs metricset comes with a predefined dashboard:
-
-image::./images/metricbeat-aws-sqs-overview.png[]
-
-[float]
-=== `transitgateway`
-Amazon VPC reports metrics to CloudWatch only when requests are flowing through
-the transit gateway. If there are requests flowing through the transit gateway,
-Amazon VPC measures and sends its metrics in 60-second intervals. `period` for
-`transitgateway` metricset is recommended to be `1m` or multiples of `1m`.
-
-[float]
-=== `usage`
-CloudWatch collects metrics that track the usage of some AWS resources. These
-metrics correspond to AWS service quotas. Tracking these metrics can help
-proactively manage quotas. Service quota usage metrics are in the AWS/Usage
-namespace and are collected every minute. Therefore, `period` in aws module
-configuration for usage metricset is set to `1m`.
-
-The usage metricset comes with a predefined dashboard:
-
-image::./images/metricbeat-aws-usage-overview.png[]
-
-[float]
-=== `vpn`
-CloudWatch collects and processes raw data from the VPN service into readable, near
-real-time metrics for users to better understand the performance of their web
-applications and services.
-
-[float]
-[[aws-api-requests]]
-== AWS API requests count
-This session is to document what are the AWS API called made by each metricset
-in `aws` module. This will be useful for users to estimate costs for using `aws`
-module.
-
-Note: some AWS APIs need pagination like ListMetrics and GetMetricData. Count
-value is depends on the number of results.
-
-ListMetrics max page size: 500, based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_ListMetrics.html[AWS API ListMetrics]
-
-GetMetricData max page size: 100, based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricData.html[AWS API GetMetricData]
-
-[float]
-|===
-| AWS API Name | AWS API Count | Frequency
-| IAM ListAccountAliases | 1 | Once on startup
-| STS GetCallerIdentity | 1 | Once on startup
-| EC2 DescribeRegions| 1 | Once on startup
-| CloudWatch ListMetrics without specifying namespace in configuration | Total number of results / ListMetrics max page size | Per region per collection period
-| CloudWatch ListMetrics with specific namespaces in configuration | Total number of results / ListMetrics max page size * number of unique namespaces | Per region per collection period
-| CloudWatch GetMetricData | Total number of results / GetMetricData max page size | Per region per namespace per collection period
-|===
-`billing`, `ebs`, `elb`, `sns`, `usage` and `lambda` are the same as `cloudwatch` metricset.
-
-[id="aws-credentials-config"]
-include::{libbeat-xpack-dir}/docs/aws-credentials-config.asciidoc[]
-
-[float]
-== Running on EKS
-
-* *WebIdentity authentication flow*
-
-See documentation in order to create a IAM Role for Service account:
-https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html
-
-Once you have create the IRSA you can annotate `metricbeat` service account with it
-[source,yaml]
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  annotations:
-    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<IRSA_ID>
-  name: metricbeat
-  namespace: kube-system
-  labels:
-    k8s-app: metricbeat
-
-In order to enable WebIdentity authentication flow you need to add a trust relationship
-to the IRSA:
-[source,json]
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/<OIDC_PROVIDER_ID>"
-      },
-      "Action": "sts:AssumeRoleWithWebIdentity",
-      "Condition": {
-        "StringEquals": {
-          "oidc.eks.REGION.amazonaws.com/id/<OIDC_PROVIDER_ID>:sub": "system:serviceaccount:kube-system:metricbeat",
-          "oidc.eks.REGION.amazonaws.com/id/<OIDC_PROVIDER_ID>:aud": "sts.amazonaws.com"
-        }
-      }
-    }
-
-In this case there's no need to add `role_arn` to modules config.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The AWS module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: aws
-  period: 300s
-  credential_profile_name: test-mb
-  metricsets:
-    - ec2
-  tags_filter:
-    - key: "Organization"
-      value: "Engineering"
-- module: aws
-  period: 300s
-  credential_profile_name: test-mb
-  metricsets:
-    - sqs
-  regions:
-    - us-west-1
-- module: aws
-  period: 86400s
-  metricsets:
-    - s3_request
-    - s3_daily_storage
-  access_key_id: '${AWS_ACCESS_KEY_ID:""}'
-  secret_access_key: '${AWS_SECRET_ACCESS_KEY:""}'
-  session_token: '${AWS_SESSION_TOKEN:""}'
-- module: aws
-  period: 300s
-  credential_profile_name: test-mb
-  metricsets:
-    - cloudwatch
-  include_linked_accounts: true
-  # owning_account: 111111111111
-  metrics:
-    - namespace: AWS/EC2
-      name: ["CPUUtilization"]
-      dimensions:
-        - name: InstanceId
-          value: i-0686946e22cf9494a
-    - namespace: AWS/EBS
-    - namespace: AWS/ELB
-      resource_type: elasticloadbalancing
-      tags:
-        - key: "Organization"
-          value: "Engineering"
-- module: aws
-  period: 60s
-  credential_profile_name: test-mb
-  tags_filter:
-    - key: "dept"
-      value: "eng"
-  metricsets:
-    - elb
-    - natgateway
-    - rds
-    - transitgateway
-    - usage
-    - vpn
-- module: aws
-  period: 1m
-  latency: 5m
-  include_linked_accounts: false
-  metricsets:
-    - s3_request
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-aws-awshealth,awshealth>>
-
-* <<metricbeat-metricset-aws-billing,billing>>
-
-* <<metricbeat-metricset-aws-cloudwatch,cloudwatch>>
-
-* <<metricbeat-metricset-aws-dynamodb,dynamodb>>
-
-* <<metricbeat-metricset-aws-ebs,ebs>>
-
-* <<metricbeat-metricset-aws-ec2,ec2>>
-
-* <<metricbeat-metricset-aws-elb,elb>>
-
-* <<metricbeat-metricset-aws-kinesis,kinesis>>
-
-* <<metricbeat-metricset-aws-lambda,lambda>>
-
-* <<metricbeat-metricset-aws-natgateway,natgateway>>
-
-* <<metricbeat-metricset-aws-rds,rds>>
-
-* <<metricbeat-metricset-aws-s3_daily_storage,s3_daily_storage>>
-
-* <<metricbeat-metricset-aws-s3_request,s3_request>>
-
-* <<metricbeat-metricset-aws-sns,sns>>
-
-* <<metricbeat-metricset-aws-sqs,sqs>>
-
-* <<metricbeat-metricset-aws-transitgateway,transitgateway>>
-
-* <<metricbeat-metricset-aws-usage,usage>>
-
-* <<metricbeat-metricset-aws-vpn,vpn>>
-
-include::aws/awshealth.asciidoc[]
-
-include::aws/billing.asciidoc[]
-
-include::aws/cloudwatch.asciidoc[]
-
-include::aws/dynamodb.asciidoc[]
-
-include::aws/ebs.asciidoc[]
-
-include::aws/ec2.asciidoc[]
-
-include::aws/elb.asciidoc[]
-
-include::aws/kinesis.asciidoc[]
-
-include::aws/lambda.asciidoc[]
-
-include::aws/natgateway.asciidoc[]
-
-include::aws/rds.asciidoc[]
-
-include::aws/s3_daily_storage.asciidoc[]
-
-include::aws/s3_request.asciidoc[]
-
-include::aws/sns.asciidoc[]
-
-include::aws/sqs.asciidoc[]
-
-include::aws/transitgateway.asciidoc[]
-
-include::aws/usage.asciidoc[]
-
-include::aws/vpn.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/aws/awshealth.asciidoc b/metricbeat/docs/modules/aws/awshealth.asciidoc
deleted file mode 100644
index 35a8cecde3c8..000000000000
--- a/metricbeat/docs/modules/aws/awshealth.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/awshealth/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-awshealth]]
-[role="xpack"]
-=== AWS awshealth metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/aws/awshealth/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/awshealth/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/billing.asciidoc b/metricbeat/docs/modules/aws/billing.asciidoc
deleted file mode 100644
index 7ecd3298318c..000000000000
--- a/metricbeat/docs/modules/aws/billing.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/billing/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-billing]]
-[role="xpack"]
-=== AWS billing metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/aws/billing/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/billing/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/cloudwatch.asciidoc b/metricbeat/docs/modules/aws/cloudwatch.asciidoc
deleted file mode 100644
index 01e5c8266ba2..000000000000
--- a/metricbeat/docs/modules/aws/cloudwatch.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/cloudwatch/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-cloudwatch]]
-[role="xpack"]
-=== AWS cloudwatch metricset
-
-include::../../../../x-pack/metricbeat/module/aws/cloudwatch/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/cloudwatch/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/dynamodb.asciidoc b/metricbeat/docs/modules/aws/dynamodb.asciidoc
deleted file mode 100644
index 208618597a19..000000000000
--- a/metricbeat/docs/modules/aws/dynamodb.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/dynamodb/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-dynamodb]]
-[role="xpack"]
-=== AWS dynamodb metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/aws/dynamodb/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/dynamodb/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/ebs.asciidoc b/metricbeat/docs/modules/aws/ebs.asciidoc
deleted file mode 100644
index ed06ee28546a..000000000000
--- a/metricbeat/docs/modules/aws/ebs.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/ebs/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-ebs]]
-[role="xpack"]
-=== AWS ebs metricset
-
-include::../../../../x-pack/metricbeat/module/aws/ebs/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/ebs/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/ec2.asciidoc b/metricbeat/docs/modules/aws/ec2.asciidoc
deleted file mode 100644
index 18b9d92004a3..000000000000
--- a/metricbeat/docs/modules/aws/ec2.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/ec2/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-ec2]]
-[role="xpack"]
-=== AWS ec2 metricset
-
-include::../../../../x-pack/metricbeat/module/aws/ec2/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/ec2/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/elb.asciidoc b/metricbeat/docs/modules/aws/elb.asciidoc
deleted file mode 100644
index 1b5952f6c5d0..000000000000
--- a/metricbeat/docs/modules/aws/elb.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/elb/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-elb]]
-[role="xpack"]
-=== AWS elb metricset
-
-include::../../../../x-pack/metricbeat/module/aws/elb/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/elb/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/kinesis.asciidoc b/metricbeat/docs/modules/aws/kinesis.asciidoc
deleted file mode 100644
index a21529c8f593..000000000000
--- a/metricbeat/docs/modules/aws/kinesis.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/kinesis/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-kinesis]]
-[role="xpack"]
-=== AWS kinesis metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/aws/kinesis/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/kinesis/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/lambda.asciidoc b/metricbeat/docs/modules/aws/lambda.asciidoc
deleted file mode 100644
index 8223ebf34c46..000000000000
--- a/metricbeat/docs/modules/aws/lambda.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/lambda/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-lambda]]
-[role="xpack"]
-=== AWS lambda metricset
-
-include::../../../../x-pack/metricbeat/module/aws/lambda/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/lambda/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/natgateway.asciidoc b/metricbeat/docs/modules/aws/natgateway.asciidoc
deleted file mode 100644
index f05d29ff92a6..000000000000
--- a/metricbeat/docs/modules/aws/natgateway.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/natgateway/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-natgateway]]
-[role="xpack"]
-=== AWS natgateway metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/aws/natgateway/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/natgateway/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/rds.asciidoc b/metricbeat/docs/modules/aws/rds.asciidoc
deleted file mode 100644
index 772aa13a1f4c..000000000000
--- a/metricbeat/docs/modules/aws/rds.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/rds/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-rds]]
-[role="xpack"]
-=== AWS rds metricset
-
-include::../../../../x-pack/metricbeat/module/aws/rds/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/rds/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/s3_daily_storage.asciidoc b/metricbeat/docs/modules/aws/s3_daily_storage.asciidoc
deleted file mode 100644
index f22976879480..000000000000
--- a/metricbeat/docs/modules/aws/s3_daily_storage.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/s3_daily_storage/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-s3_daily_storage]]
-[role="xpack"]
-=== AWS s3_daily_storage metricset
-
-include::../../../../x-pack/metricbeat/module/aws/s3_daily_storage/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/s3_daily_storage/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/s3_request.asciidoc b/metricbeat/docs/modules/aws/s3_request.asciidoc
deleted file mode 100644
index 6af36607679c..000000000000
--- a/metricbeat/docs/modules/aws/s3_request.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/s3_request/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-s3_request]]
-[role="xpack"]
-=== AWS s3_request metricset
-
-include::../../../../x-pack/metricbeat/module/aws/s3_request/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/s3_request/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/sns.asciidoc b/metricbeat/docs/modules/aws/sns.asciidoc
deleted file mode 100644
index 7e894ced5bca..000000000000
--- a/metricbeat/docs/modules/aws/sns.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/sns/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-sns]]
-[role="xpack"]
-=== AWS sns metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/aws/sns/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/sns/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/sqs.asciidoc b/metricbeat/docs/modules/aws/sqs.asciidoc
deleted file mode 100644
index a6baf2cde8d1..000000000000
--- a/metricbeat/docs/modules/aws/sqs.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/sqs/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-sqs]]
-[role="xpack"]
-=== AWS sqs metricset
-
-include::../../../../x-pack/metricbeat/module/aws/sqs/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/sqs/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/transitgateway.asciidoc b/metricbeat/docs/modules/aws/transitgateway.asciidoc
deleted file mode 100644
index c257bb865944..000000000000
--- a/metricbeat/docs/modules/aws/transitgateway.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/transitgateway/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-transitgateway]]
-[role="xpack"]
-=== AWS transitgateway metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/aws/transitgateway/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/transitgateway/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/usage.asciidoc b/metricbeat/docs/modules/aws/usage.asciidoc
deleted file mode 100644
index 00897aae9aa4..000000000000
--- a/metricbeat/docs/modules/aws/usage.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/usage/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-usage]]
-[role="xpack"]
-=== AWS usage metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/aws/usage/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/usage/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/aws/vpn.asciidoc b/metricbeat/docs/modules/aws/vpn.asciidoc
deleted file mode 100644
index 92acfe704985..000000000000
--- a/metricbeat/docs/modules/aws/vpn.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/aws/vpn/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-aws-vpn]]
-[role="xpack"]
-=== AWS vpn metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/aws/vpn/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-aws,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/aws/vpn/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/awsfargate.asciidoc b/metricbeat/docs/modules/awsfargate.asciidoc
deleted file mode 100644
index a9b5e5c48057..000000000000
--- a/metricbeat/docs/modules/awsfargate.asciidoc
+++ /dev/null
@@ -1,104 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: awsfargate
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/awsfargate/_meta/docs.asciidoc
-
-
-[[metricbeat-module-awsfargate]]
-[role="xpack"]
-== AWS Fargate module
-
-beta[]
-
-Amazon ECS on Fargate provides a method to retrieve various metadata, network
-metrics, and Docker stats about tasks and containers. This is referred to as the
-https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-metadata-endpoint-v4-fargate.html[task metadata endpoint]
-and this endpoint is available per container.
-
-The environment variable is injected by default into the containers of Amazon
-ECS tasks on Fargate that use platform version 1.4.0 or later and Amazon ECS
-tasks on Amazon EC2 that are running at least version 1.39.0 of the Amazon ECS
-container agent.
-
-The awsfargate module is a Metricbeat module which collects AWS fargate metrics
-from task metadata endpoint.
-
-[float]
-== Introduction to AWS ECS and Fargate
-Amazon Elastic Container Service (Amazon ECS) is a highly scalable, fast,
-container management service that makes it easy to run, stop, and manage
-containers. ECS has two launch types that can define how compute resources will
-be managed: ECS EC2 and ECS Fargate.
-
-* *ECS EC2*
-
-ECS EC2 launches containers that run on EC2 instances. Users have to manage EC2
-instances. Pricing depends on the number of EC2 instances running.
-
-One can monitor these containers by deploying Metricbeat on the corresponding EC2 instances with the
-Metricbeat Docker module enabled.
-
-In order to achieve this one will need:
---
-. to ensure access to these EC2 instances using ssh keys
-coupled with EC2 instances (attach ssh keys on cluster creation using `Key pair` option)
-. to enable shh access for the instances with the
-proper https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html[inbound rules].
---
-
-* *ECS Fargate*
-
-ECS Fargate removes the responsibility of provisioning, configuring, and
-managing the EC2 instances by allowing AWS to manage the EC2 instances. Users
-only need to specify containers and tasks. Pricing based on the number of tasks.
-
-[float]
-== Task Metadata Endpoint
-https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-metadata-endpoint-v4-fargate.html[Task metadata endpoint]
-returns https://docs.docker.com/engine/api/v1.30/#operation/ContainerStats[Docker stats]
-in JSON format for all the containers associated with the task.
-This endpoint is only available from within the task definition itself, which
-means Metricbeat needs to be run as a sidecar container within the task
-definition. Since the metadata endpoint is only accessible from within the
-Fargate Task, there is no authentication in place.
-
-[float]
-== Metricsets
-Currently, we have `task_stats` metricset in `awsfargate` module.
-
-[float]
-=== `task_stats`
-This metricset collects runtime CPU metrics, disk I/O metrics, memory metrics,
-network metrics and container metadata from both endpoint
-`${ECS_CONTAINER_METADATA_URI_V4}/task/stats` and `${ECS_CONTAINER_METADATA_URI_V4}/task`.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The AWS Fargate module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: awsfargate
-  period: 10s
-  metricsets:
-    - task_stats
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-awsfargate-task_stats,task_stats>>
-
-include::awsfargate/task_stats.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/awsfargate/task_stats.asciidoc b/metricbeat/docs/modules/awsfargate/task_stats.asciidoc
deleted file mode 100644
index 549fb7468e5b..000000000000
--- a/metricbeat/docs/modules/awsfargate/task_stats.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/awsfargate/task_stats/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-awsfargate-task_stats]]
-[role="xpack"]
-=== AWS Fargate task_stats metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/awsfargate/task_stats/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-awsfargate,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/awsfargate/task_stats/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/azure.asciidoc b/metricbeat/docs/modules/azure.asciidoc
deleted file mode 100644
index f81da008502c..000000000000
--- a/metricbeat/docs/modules/azure.asciidoc
+++ /dev/null
@@ -1,351 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: azure
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/azure/_meta/docs.asciidoc
-
-
-[[metricbeat-module-azure]]
-[role="xpack"]
-== Azure module
-
-//override value inherited for modulename
-:modulename: azure_metrics
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-The Azure Monitor feature collects and aggregates logs and metrics from a variety of sources into a common data platform where it can be used for analysis, visualization, and alerting.
-
-
-The azure monitor metrics are numerical values that describe some aspect of a system at a particular point in time. They are collected at regular intervals and are identified with a timestamp, a name, a value, and one or more defining labels.
-
-The azure module will periodically retrieve the azure monitor metrics using the Azure REST APIs as MetricList.
-Additional azure API calls will be executed in order to retrieve information regarding the resources targeted by the user.
-
-
-IMPORTANT: Extra Azure charges on metric queries may be generated by this module.
-Please see <<azure-api-cost,additional notes about metrics and costs>> for more details.
-
-[float]
-=== Dashboards
-
-The azure module comes with several predefined dashboards for virtual machines, VM guest metrics and virtual machine scale sets.
-
-The VM overview dashboard shows information about CPU, memory, disk usage as well as operations per second. The two available filters help narrowing down the dashbord to specific regions and/or resource groups. For example:
-
-image::./images/metricbeat-azure-vm-overview.png[]
-
-If VM guest metrics are enabled then the guest metrics overview dashboard can help with monitoring ASP.NET applications and SQL Server metrics. For example:
-
-image::./images/metricbeat-azure-vm-guestmetrics-overview.png[]
-
-The virtual machine scale sets dashboard is similar to the VM dashboard and shows relevant health information about running vm scale sets. For example:
-
-image::./images/metricbeat-azure-vmss-overview.png[]
-
-The Azure storage dashboards show all relevant metrics for the blob, file, table and queue storage services:
-
-image::./images/metricbeat-azure-storage-overview.png[]
-
-The Azure billing dashboards show relevant usage and forecast information:
-
-image::./images/metricbeat-azure-billing-overview.png[]
-
-The Azure app_state dashboard shows relevant application insights information:
-
-image::./images/metricbeat-azure-app-state-overview.png[]
-
-[float]
-=== Module-specific configuration notes
-
-All the tasks executed against the Azure Monitor REST API will use the Azure Resource Manager authentication model.
-Therefore, all requests must be authenticated with Azure Active Directory (Azure AD).
-One approach to authenticate the client application is to create an Azure AD service principal and retrieve the authentication (JWT) token.
-For a more detailed walk-through, have a look at using Azure PowerShell to create a service principal to access resources https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-2.7.0.
- It is also possible to create a service principal via the Azure portal https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal.
-Users will have to make sure the roles assigned to the application contain at least reading permissions to the monitor data, more on the roles here https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles.
-
-Required credentials for the `azure` module:
-
-`client_id`:: The unique identifier for the application (also known as Application Id)
-
-`client_secret`:: The client/application secret/key
-
-`subscription_id`:: The unique identifier for the azure subscription
-
-`tenant_id`:: The unique identifier of the Azure Active Directory instance
-
-
-The azure credentials keys can be used if configured `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`
-
-`resource_manager_endpoint` ::
-_string_
-Optional, by default the azure public environment will be used, to override, users can provide a specific resource manager endpoint in order to use a different azure environment.
-Ex:
-https://management.chinacloudapi.cn for azure ChinaCloud
-https://management.microsoftazure.de for azure GermanCloud
-https://management.azure.com for azure PublicCloud
-https://management.usgovcloudapi.net for azure USGovernmentCloud
-
-`active_directory_endpoint` ::
-_string_
-Optional, by default the associated active directory endpoint to the resource manager endpoint will be used, to override, users can provide a specific active directory endpoint in order to use a different azure environment.
-Ex:
-https://login.microsoftonline.com for azure ChinaCloud
-https://login.microsoftonline.us for azure GermanCloud
-https://login.chinacloudapi.cn for azure PublicCloud
-https://login.microsoftonline.de for azure USGovernmentCloud
-
-`resource_manager_audience` ::
-_string_
-Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager audience in order to use a different azure environment.
-Ex:
-https://management.chinacloudapi.cn/ for azure ChinaCloud
-https://management.microsoftazure.de/ for azure GermanCloud
-https://management.azure.com/ for azure PublicCloud
-https://management.usgovcloudapi.net/ for azure USGovernmentCloud
-Users can also use this in case of a Hybrid Cloud model, where one may define their own audiences.
-
-[float]
-== Metricsets
-
-[float]
-=== `monitor`
-This metricset allows users to retrieve metrics from specified resources. Added filters can apply here as the interval of retrieving these metrics, metric names,
-aggregation list, namespaces and metric dimensions. The monitor metrics will have a minimum timegrain of 5 minutes, so the `period` for `monitor` metricset should be `300s` or multiples of `300s`.
-
-[float]
-=== `compute_vm`
-This metricset will collect metrics from the virtual machines, these metrics will have a timegrain every 5 minutes,
-so the `period` for `compute_vm` metricset  should be `300s` or multiples of `300s`.
-
-[float]
-=== `compute_vm_scaleset`
-This metricset will collect metrics from the virtual machine scalesets, these metrics will have a timegrain every 5 minutes,
-so the `period` for `compute_vm_scaleset` metricset  should be `300s` or multiples of `300s`.
-
-[float]
-=== `storage`
-This metricset will collect metrics from the storage accounts, these metrics will have a timegrain every 5 minutes,
-so the `period` for `storage` metricset  should be `300s` or multiples of `300s`.
-
-[float]
-=== `container_instance`
-This metricset will collect metrics from specified container groups, these metrics will have a timegrain every 5 minutes,
-so the `period` for `container_instance` metricset  should be `300s` or multiples of `300s`.
-
-[float]
-=== `container_registry`
-This metricset will collect metrics from the container registries, these metrics will have a timegrain every 5 minutes,
-so the `period` for `container_registry` metricset  should be `300s` or multiples of `300s`.
-
-[float]
-=== `container_service`
-This metricset will collect metrics from the container services, these metrics will have a timegrain every 5 minutes,
-so the `period` for `container_service` metricset  should be `300s` or multiples of `300s`.
-
-[float]
-=== `database_account`
-This metricset will collect relevant metrics from specified database accounts, these metrics will have a timegrain every 5 minutes,
-so the `period` for `database_account` metricset  should be `300s` or multiples of `300s`.
-
-[float]
-=== `billing`
-This metricset will collect relevant usage data and forecast information from a specific subscription, these metrics will have a timegrain every 24 hours,
-so the `period` for `billing` metricset  should be `24h` or multiples of `24h`.
-
-[float]
-=== `app_insights`
-This metricset will collect application insights metrics, the `period` (interval) for the `app-insights` metricset is set by default at `300s`.
-
-[float]
-=== `app_state`
-This metricset concentrate on the most relevant application insights metrics and provides a dashboard for visualization, the `period` (interval) for the `app_state` metricset is set by default at `300s`.
-
-[float]
-[[azure-api-cost]]
-== Additional notes about metrics and costs
-
-Costs: Metric queries are charged based on the number of standard API calls. More information on pricing here https://azure.microsoft.com/id-id/pricing/details/monitor/.
-
-Authentication: we are handling authentication on our side (creating/renewing the authentication token), so we advise users to use dedicated credentials for metricbeat only.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Azure module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: azure
-  metricsets:
-  - monitor
-  enabled: true
-  period: 300s
-  client_id: '${AZURE_CLIENT_ID:""}'
-  client_secret: '${AZURE_CLIENT_SECRET:""}'
-  tenant_id: '${AZURE_TENANT_ID:""}'
-  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
-  resources:
-    - resource_query: "resourceType eq 'Microsoft.DocumentDb/databaseAccounts'"
-      metrics:
-      - name: ["DataUsage", "DocumentCount", "DocumentQuota"]
-        namespace: "Microsoft.DocumentDb/databaseAccounts"
-
-- module: azure
-  metricsets:
-  - compute_vm
-  enabled: true
-  period: 300s
-  client_id: '${AZURE_CLIENT_ID:""}'
-  client_secret: '${AZURE_CLIENT_SECRET:""}'
-  tenant_id: '${AZURE_TENANT_ID:""}'
-  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
-
-- module: azure
-  metricsets:
-  - compute_vm_scaleset
-  enabled: true
-  period: 300s
-  client_id: '${AZURE_CLIENT_ID:""}'
-  client_secret: '${AZURE_CLIENT_SECRET:""}'
-  tenant_id: '${AZURE_TENANT_ID:""}'
-  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
-
-- module: azure
-  metricsets:
-  - storage
-  enabled: true
-  period: 300s
-  client_id: '${AZURE_CLIENT_ID:""}'
-  client_secret: '${AZURE_CLIENT_SECRET:""}'
-  tenant_id: '${AZURE_TENANT_ID:""}'
-  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
-
-- module: azure
-  metricsets:
-  - container_instance
-  enabled: true
-  period: 300s
-  client_id: '${AZURE_CLIENT_ID:""}'
-  client_secret: '${AZURE_CLIENT_SECRET:""}'
-  tenant_id: '${AZURE_TENANT_ID:""}'
-  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
-
-- module: azure
-  metricsets:
-  - container_service
-  enabled: true
-  period: 300s
-  client_id: '${AZURE_CLIENT_ID:""}'
-  client_secret: '${AZURE_CLIENT_SECRET:""}'
-  tenant_id: '${AZURE_TENANT_ID:""}'
-  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
-
-- module: azure
-  metricsets:
-  - container_registry
-  enabled: true
-  period: 300s
-  client_id: '${AZURE_CLIENT_ID:""}'
-  client_secret: '${AZURE_CLIENT_SECRET:""}'
-  tenant_id: '${AZURE_TENANT_ID:""}'
-  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
-
-- module: azure
-  metricsets:
-  - database_account
-  enabled: true
-  period: 300s
-  client_id: '${AZURE_CLIENT_ID:""}'
-  client_secret: '${AZURE_CLIENT_SECRET:""}'
-  tenant_id: '${AZURE_TENANT_ID:""}'
-  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
-
-- module: azure
-  metricsets:
-    - billing
-  enabled: true
-  period: 24h
-  client_id: '${AZURE_CLIENT_ID:""}'
-  client_secret: '${AZURE_CLIENT_SECRET:""}'
-  tenant_id: '${AZURE_TENANT_ID:""}'
-  subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
-
-- module: azure
-  metricsets:
-    - app_insights
-  enabled: true
-  period: 300s
-  application_id: ''
-  api_key: ''
-  metrics:
-    - id: ["requests/count", "requests/duration"]
-
-- module: azure
-  metricsets:
-    - app_state
-  enabled: true
-  period: 300s
-  application_id: ''
-  api_key: ''
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-azure-app_insights,app_insights>>
-
-* <<metricbeat-metricset-azure-app_state,app_state>>
-
-* <<metricbeat-metricset-azure-billing,billing>>
-
-* <<metricbeat-metricset-azure-compute_vm,compute_vm>>
-
-* <<metricbeat-metricset-azure-compute_vm_scaleset,compute_vm_scaleset>>
-
-* <<metricbeat-metricset-azure-container_instance,container_instance>>
-
-* <<metricbeat-metricset-azure-container_registry,container_registry>>
-
-* <<metricbeat-metricset-azure-container_service,container_service>>
-
-* <<metricbeat-metricset-azure-database_account,database_account>>
-
-* <<metricbeat-metricset-azure-monitor,monitor>>
-
-* <<metricbeat-metricset-azure-storage,storage>>
-
-include::azure/app_insights.asciidoc[]
-
-include::azure/app_state.asciidoc[]
-
-include::azure/billing.asciidoc[]
-
-include::azure/compute_vm.asciidoc[]
-
-include::azure/compute_vm_scaleset.asciidoc[]
-
-include::azure/container_instance.asciidoc[]
-
-include::azure/container_registry.asciidoc[]
-
-include::azure/container_service.asciidoc[]
-
-include::azure/database_account.asciidoc[]
-
-include::azure/monitor.asciidoc[]
-
-include::azure/storage.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/azure/app_insights.asciidoc b/metricbeat/docs/modules/azure/app_insights.asciidoc
deleted file mode 100644
index d65d9f46aa06..000000000000
--- a/metricbeat/docs/modules/azure/app_insights.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/azure/app_insights/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-azure-app_insights]]
-[role="xpack"]
-=== Azure app_insights metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/azure/app_insights/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-azure,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/azure/app_insights/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/azure/app_state.asciidoc b/metricbeat/docs/modules/azure/app_state.asciidoc
deleted file mode 100644
index a2641d78aace..000000000000
--- a/metricbeat/docs/modules/azure/app_state.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/azure/app_state/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-azure-app_state]]
-[role="xpack"]
-=== Azure app_state metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/azure/app_state/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-azure,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/azure/app_state/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/azure/billing.asciidoc b/metricbeat/docs/modules/azure/billing.asciidoc
deleted file mode 100644
index 66b7c7a348c6..000000000000
--- a/metricbeat/docs/modules/azure/billing.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/azure/billing/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-azure-billing]]
-[role="xpack"]
-=== Azure billing metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/azure/billing/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-azure,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/azure/billing/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/azure/compute_vm.asciidoc b/metricbeat/docs/modules/azure/compute_vm.asciidoc
deleted file mode 100644
index d7bc97c096fd..000000000000
--- a/metricbeat/docs/modules/azure/compute_vm.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/azure/compute_vm/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-azure-compute_vm]]
-[role="xpack"]
-=== Azure compute_vm metricset
-
-include::../../../../x-pack/metricbeat/module/azure/compute_vm/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-azure,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/azure/compute_vm/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/azure/compute_vm_scaleset.asciidoc b/metricbeat/docs/modules/azure/compute_vm_scaleset.asciidoc
deleted file mode 100644
index 23a57a9e9028..000000000000
--- a/metricbeat/docs/modules/azure/compute_vm_scaleset.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-azure-compute_vm_scaleset]]
-[role="xpack"]
-=== Azure compute_vm_scaleset metricset
-
-include::../../../../x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-azure,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/azure/container_instance.asciidoc b/metricbeat/docs/modules/azure/container_instance.asciidoc
deleted file mode 100644
index d1d754ee5f4d..000000000000
--- a/metricbeat/docs/modules/azure/container_instance.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/azure/container_instance/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-azure-container_instance]]
-[role="xpack"]
-=== Azure container_instance metricset
-
-include::../../../../x-pack/metricbeat/module/azure/container_instance/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-azure,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/azure/container_instance/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/azure/container_registry.asciidoc b/metricbeat/docs/modules/azure/container_registry.asciidoc
deleted file mode 100644
index 10446bacfbb1..000000000000
--- a/metricbeat/docs/modules/azure/container_registry.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/azure/container_registry/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-azure-container_registry]]
-[role="xpack"]
-=== Azure container_registry metricset
-
-include::../../../../x-pack/metricbeat/module/azure/container_registry/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-azure,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/azure/container_registry/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/azure/container_service.asciidoc b/metricbeat/docs/modules/azure/container_service.asciidoc
deleted file mode 100644
index 1bfc90f01ee2..000000000000
--- a/metricbeat/docs/modules/azure/container_service.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/azure/container_service/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-azure-container_service]]
-[role="xpack"]
-=== Azure container_service metricset
-
-include::../../../../x-pack/metricbeat/module/azure/container_service/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-azure,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/azure/container_service/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/azure/database_account.asciidoc b/metricbeat/docs/modules/azure/database_account.asciidoc
deleted file mode 100644
index ddf7c962c40d..000000000000
--- a/metricbeat/docs/modules/azure/database_account.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/azure/database_account/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-azure-database_account]]
-[role="xpack"]
-=== Azure database_account metricset
-
-include::../../../../x-pack/metricbeat/module/azure/database_account/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-azure,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/azure/database_account/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/azure/monitor.asciidoc b/metricbeat/docs/modules/azure/monitor.asciidoc
deleted file mode 100644
index 8ea7fa7928f9..000000000000
--- a/metricbeat/docs/modules/azure/monitor.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/azure/monitor/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-azure-monitor]]
-[role="xpack"]
-=== Azure monitor metricset
-
-include::../../../../x-pack/metricbeat/module/azure/monitor/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-azure,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/azure/monitor/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/azure/storage.asciidoc b/metricbeat/docs/modules/azure/storage.asciidoc
deleted file mode 100644
index 0944b2c0bee6..000000000000
--- a/metricbeat/docs/modules/azure/storage.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/azure/storage/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-azure-storage]]
-[role="xpack"]
-=== Azure storage metricset
-
-include::../../../../x-pack/metricbeat/module/azure/storage/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-azure,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/azure/storage/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/beat.asciidoc b/metricbeat/docs/modules/beat.asciidoc
deleted file mode 100644
index 16b884e23d35..000000000000
--- a/metricbeat/docs/modules/beat.asciidoc
+++ /dev/null
@@ -1,72 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: beat
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/beat/_meta/docs.asciidoc
-
-
-[[metricbeat-module-beat]]
-== Beat module
-
-The `beat` module collects metrics about any Beat or other software based on libbeat.
-
-[float]
-=== Compatibility
-
-The `beat` module works with {beats} 7.3.0 and later.
-
-[float]
-=== Usage for {stack} Monitoring
-
-The `beat` module can be used to collect metrics shown in our {stack-monitor-app}
-UI in {kib}. To enable this usage, set `xpack.enabled: true` and remove any `metricsets`
-from the module's configuration. Alternatively, run `metricbeat modules disable beat` and
-`metricbeat modules enable beat-xpack`.
-
-NOTE: When this module is used for {stack} Monitoring, it sends metrics to the
-monitoring index instead of the default index typically used by {metricbeat}.
-For more details about the monitoring index, see
-{ref}/config-monitoring-indices.html[Configuring indices for monitoring].
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Beat module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: beat
-  metricsets:
-    - stats
-    - state
-  period: 10s
-  hosts: ["http://localhost:5066"]
-  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
-
-  # Set to true to send data collected by module to X-Pack
-  # Monitoring instead of metricbeat-* indices.
-  #xpack.enabled: false
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-beat-state,state>>
-
-* <<metricbeat-metricset-beat-stats,stats>>
-
-include::beat/state.asciidoc[]
-
-include::beat/stats.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/beat/state.asciidoc b/metricbeat/docs/modules/beat/state.asciidoc
deleted file mode 100644
index 7fdc93d0fbfa..000000000000
--- a/metricbeat/docs/modules/beat/state.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/beat/state/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-beat-state]]
-=== Beat state metricset
-
-include::../../../module/beat/state/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-beat,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/beat/state/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/beat/stats.asciidoc b/metricbeat/docs/modules/beat/stats.asciidoc
deleted file mode 100644
index 21567bd6dd71..000000000000
--- a/metricbeat/docs/modules/beat/stats.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/beat/stats/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-beat-stats]]
-=== Beat stats metricset
-
-include::../../../module/beat/stats/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-beat,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/beat/stats/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/benchmark.asciidoc b/metricbeat/docs/modules/benchmark.asciidoc
deleted file mode 100644
index 01c950c84d41..000000000000
--- a/metricbeat/docs/modules/benchmark.asciidoc
+++ /dev/null
@@ -1,76 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: benchmark
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/benchmark/_meta/docs.asciidoc
-
-
-[[metricbeat-module-benchmark]]
-[role="xpack"]
-== Benchmark module
-
-beta[]
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-The `benchmark` module is used to generate synthetic metrics at a predictable rate.  This can be useful when you want to test output settings or test system sizing without using real data.
-
-The `benchmark` module metricset is `info`.
-
-[source,yaml]
-----
-- module: benchmark
-  metricsets:
-    - info
-  enabled: true
-  period: 10s
-----
-
-[float]
-== Metricsets
-
-[float]
-=== `info`
-A metric that includes a `counter` field which is used to keep the metric unique.
-
-[float]
-=== Module-specific configuration notes
-
-`count`:: number, the number of metrics to emit per fetch.
-
-
-
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Benchmark module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: benchmark
-  metricsets:
-    - info
-  enabled: false
-  period: 10s
-
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-benchmark-info,info>>
-
-include::benchmark/info.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/benchmark/info.asciidoc b/metricbeat/docs/modules/benchmark/info.asciidoc
deleted file mode 100644
index 4f6cee9874ff..000000000000
--- a/metricbeat/docs/modules/benchmark/info.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/benchmark/info/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-benchmark-info]]
-[role="xpack"]
-=== Benchmark info metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/benchmark/info/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-benchmark,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/benchmark/info/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/ceph.asciidoc b/metricbeat/docs/modules/ceph.asciidoc
deleted file mode 100644
index 2cdf5d5a128f..000000000000
--- a/metricbeat/docs/modules/ceph.asciidoc
+++ /dev/null
@@ -1,126 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: ceph
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/ceph/_meta/docs.asciidoc
-
-
-[[metricbeat-module-ceph]]
-== Ceph module
-
-The Ceph module collects metrics by submitting HTTP GET requests to
-the https://docs.ceph.com/docs/jewel/man/8/ceph-rest-api/[ceph-rest-api]. The default metricsets are `cluster_disk`, `cluster_health`, `monitor_health`, `pool_disk`, `osd_tree`.
-
-Metricsets connecting to the Ceph REST API uses by default the service exposed on port 5000.
-Metricsets using the Ceph Manager Daemon communicate with the API exposed by default on port 8003 (SSL encryption).
-
-[float]
-=== Compatibility
-
-The Ceph module is tested with Ceph Jewel (10.2.10) and Ceph Nautilus (14.2.7).
-
-Metricsets with the `mgr_` prefix are compatible with Ceph releases using the Ceph Manager Daemon.
-
-[float]
-=== Dashboard
-
-The Ceph module comes with a predefined dashboard showing Ceph cluster related metrics. For example:
-
-image::./images/ceph-overview-dashboard.png[]
-
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Ceph module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-# Metricsets depending on the Ceph REST API (default port: 5000)
-- module: ceph
-  metricsets: ["cluster_disk", "cluster_health", "monitor_health", "pool_disk", "osd_tree"]
-  period: 10s
-  hosts: ["localhost:5000"]
-  enabled: true
-
-# Metricsets depending on the Ceph Manager Daemon (default port: 8003)
-- module: ceph
-  metricsets:
-    - mgr_cluster_disk
-    - mgr_osd_perf
-    - mgr_pool_disk
-    - mgr_osd_pool_stats
-    - mgr_osd_tree
-  period: 1m
-  hosts: [ "https://localhost:8003" ]
-  #username: "user"
-  #password: "secret"
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-ceph-cluster_disk,cluster_disk>>
-
-* <<metricbeat-metricset-ceph-cluster_health,cluster_health>>
-
-* <<metricbeat-metricset-ceph-cluster_status,cluster_status>>
-
-* <<metricbeat-metricset-ceph-mgr_cluster_disk,mgr_cluster_disk>>
-
-* <<metricbeat-metricset-ceph-mgr_cluster_health,mgr_cluster_health>>
-
-* <<metricbeat-metricset-ceph-mgr_osd_perf,mgr_osd_perf>>
-
-* <<metricbeat-metricset-ceph-mgr_osd_pool_stats,mgr_osd_pool_stats>>
-
-* <<metricbeat-metricset-ceph-mgr_osd_tree,mgr_osd_tree>>
-
-* <<metricbeat-metricset-ceph-mgr_pool_disk,mgr_pool_disk>>
-
-* <<metricbeat-metricset-ceph-monitor_health,monitor_health>>
-
-* <<metricbeat-metricset-ceph-osd_df,osd_df>>
-
-* <<metricbeat-metricset-ceph-osd_tree,osd_tree>>
-
-* <<metricbeat-metricset-ceph-pool_disk,pool_disk>>
-
-include::ceph/cluster_disk.asciidoc[]
-
-include::ceph/cluster_health.asciidoc[]
-
-include::ceph/cluster_status.asciidoc[]
-
-include::ceph/mgr_cluster_disk.asciidoc[]
-
-include::ceph/mgr_cluster_health.asciidoc[]
-
-include::ceph/mgr_osd_perf.asciidoc[]
-
-include::ceph/mgr_osd_pool_stats.asciidoc[]
-
-include::ceph/mgr_osd_tree.asciidoc[]
-
-include::ceph/mgr_pool_disk.asciidoc[]
-
-include::ceph/monitor_health.asciidoc[]
-
-include::ceph/osd_df.asciidoc[]
-
-include::ceph/osd_tree.asciidoc[]
-
-include::ceph/pool_disk.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/ceph/cluster_disk.asciidoc b/metricbeat/docs/modules/ceph/cluster_disk.asciidoc
deleted file mode 100644
index 5db5d1902cf2..000000000000
--- a/metricbeat/docs/modules/ceph/cluster_disk.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/ceph/cluster_disk/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-ceph-cluster_disk]]
-=== Ceph cluster_disk metricset
-
-include::../../../module/ceph/cluster_disk/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-ceph,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/ceph/cluster_disk/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/ceph/cluster_health.asciidoc b/metricbeat/docs/modules/ceph/cluster_health.asciidoc
deleted file mode 100644
index 5958bd0a0927..000000000000
--- a/metricbeat/docs/modules/ceph/cluster_health.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/ceph/cluster_health/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-ceph-cluster_health]]
-=== Ceph cluster_health metricset
-
-include::../../../module/ceph/cluster_health/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-ceph,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/ceph/cluster_health/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/ceph/cluster_status.asciidoc b/metricbeat/docs/modules/ceph/cluster_status.asciidoc
deleted file mode 100644
index 47d9d417f4c1..000000000000
--- a/metricbeat/docs/modules/ceph/cluster_status.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/ceph/cluster_status/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-ceph-cluster_status]]
-=== Ceph cluster_status metricset
-
-include::../../../module/ceph/cluster_status/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-ceph,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/ceph/cluster_status/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/ceph/mgr_cluster_disk.asciidoc b/metricbeat/docs/modules/ceph/mgr_cluster_disk.asciidoc
deleted file mode 100644
index 07984847a97e..000000000000
--- a/metricbeat/docs/modules/ceph/mgr_cluster_disk.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/ceph/mgr_cluster_disk/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-ceph-mgr_cluster_disk]]
-=== Ceph mgr_cluster_disk metricset
-
-beta[]
-
-include::../../../module/ceph/mgr_cluster_disk/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-ceph,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/ceph/mgr_cluster_disk/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/ceph/mgr_cluster_health.asciidoc b/metricbeat/docs/modules/ceph/mgr_cluster_health.asciidoc
deleted file mode 100644
index 8338855ee59d..000000000000
--- a/metricbeat/docs/modules/ceph/mgr_cluster_health.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/ceph/mgr_cluster_health/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-ceph-mgr_cluster_health]]
-=== Ceph mgr_cluster_health metricset
-
-beta[]
-
-include::../../../module/ceph/mgr_cluster_health/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-ceph,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/ceph/mgr_cluster_health/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/ceph/mgr_osd_perf.asciidoc b/metricbeat/docs/modules/ceph/mgr_osd_perf.asciidoc
deleted file mode 100644
index 1964b2bba3d2..000000000000
--- a/metricbeat/docs/modules/ceph/mgr_osd_perf.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/ceph/mgr_osd_perf/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-ceph-mgr_osd_perf]]
-=== Ceph mgr_osd_perf metricset
-
-beta[]
-
-include::../../../module/ceph/mgr_osd_perf/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-ceph,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/ceph/mgr_osd_perf/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/ceph/mgr_osd_pool_stats.asciidoc b/metricbeat/docs/modules/ceph/mgr_osd_pool_stats.asciidoc
deleted file mode 100644
index 669935612bee..000000000000
--- a/metricbeat/docs/modules/ceph/mgr_osd_pool_stats.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/ceph/mgr_osd_pool_stats/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-ceph-mgr_osd_pool_stats]]
-=== Ceph mgr_osd_pool_stats metricset
-
-beta[]
-
-include::../../../module/ceph/mgr_osd_pool_stats/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-ceph,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/ceph/mgr_osd_pool_stats/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/ceph/mgr_osd_tree.asciidoc b/metricbeat/docs/modules/ceph/mgr_osd_tree.asciidoc
deleted file mode 100644
index 84d99ed8ef15..000000000000
--- a/metricbeat/docs/modules/ceph/mgr_osd_tree.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/ceph/mgr_osd_tree/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-ceph-mgr_osd_tree]]
-=== Ceph mgr_osd_tree metricset
-
-beta[]
-
-include::../../../module/ceph/mgr_osd_tree/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-ceph,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/ceph/mgr_osd_tree/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/ceph/mgr_pool_disk.asciidoc b/metricbeat/docs/modules/ceph/mgr_pool_disk.asciidoc
deleted file mode 100644
index 98dddc5dacca..000000000000
--- a/metricbeat/docs/modules/ceph/mgr_pool_disk.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/ceph/mgr_pool_disk/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-ceph-mgr_pool_disk]]
-=== Ceph mgr_pool_disk metricset
-
-beta[]
-
-include::../../../module/ceph/mgr_pool_disk/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-ceph,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/ceph/mgr_pool_disk/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/ceph/monitor_health.asciidoc b/metricbeat/docs/modules/ceph/monitor_health.asciidoc
deleted file mode 100644
index bb45d90a20a9..000000000000
--- a/metricbeat/docs/modules/ceph/monitor_health.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/ceph/monitor_health/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-ceph-monitor_health]]
-=== Ceph monitor_health metricset
-
-include::../../../module/ceph/monitor_health/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-ceph,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/ceph/monitor_health/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/ceph/osd_df.asciidoc b/metricbeat/docs/modules/ceph/osd_df.asciidoc
deleted file mode 100644
index b04e2d4ee11d..000000000000
--- a/metricbeat/docs/modules/ceph/osd_df.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/ceph/osd_df/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-ceph-osd_df]]
-=== Ceph osd_df metricset
-
-include::../../../module/ceph/osd_df/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-ceph,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/ceph/osd_df/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/ceph/osd_tree.asciidoc b/metricbeat/docs/modules/ceph/osd_tree.asciidoc
deleted file mode 100644
index b493a7e90168..000000000000
--- a/metricbeat/docs/modules/ceph/osd_tree.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/ceph/osd_tree/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-ceph-osd_tree]]
-=== Ceph osd_tree metricset
-
-include::../../../module/ceph/osd_tree/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-ceph,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/ceph/osd_tree/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/ceph/pool_disk.asciidoc b/metricbeat/docs/modules/ceph/pool_disk.asciidoc
deleted file mode 100644
index 808b94071dfd..000000000000
--- a/metricbeat/docs/modules/ceph/pool_disk.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/ceph/pool_disk/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-ceph-pool_disk]]
-=== Ceph pool_disk metricset
-
-include::../../../module/ceph/pool_disk/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-ceph,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/ceph/pool_disk/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/cloudfoundry.asciidoc b/metricbeat/docs/modules/cloudfoundry.asciidoc
deleted file mode 100644
index 59427009b1e9..000000000000
--- a/metricbeat/docs/modules/cloudfoundry.asciidoc
+++ /dev/null
@@ -1,182 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: cloudfoundry
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/cloudfoundry/_meta/docs.asciidoc
-
-
-[[metricbeat-module-cloudfoundry]]
-[role="xpack"]
-== Cloudfoundry module
-
-beta[]
-
-This is the cloudfoundry module.
-
-The Cloud Foundry module connects to Cloud Foundry loggregator to gather container, counter, and value metrics into a common data platform where it can be used for analysis, visualization, and alerting.
-
-
-The cloudfoundry module metrics are numerical values that describe some aspect of a system at a particular point in time. They are collected when pushed from the loggregator and are identified with a timestamp, a name, a value, and one or more defining labels.
-
-The cloudfoundry module mericsets are `container`, `counter` and `value`.
-
-[float]
-=== Dashboards
-
-The Cloud Foundry module includes some dashboards.
-
-The overview dashboard can be used to visualize the current status of your Cloud
-Foundry deployments.
-
-image::./images/metricbeat-cloudfoundry-overview.png[]
-
-The platform health dashboard includes visualizations that help diagnosting
-issues related to the applications deployed in Cloud Foundry.
-
-image::./images/metricbeat-cloudfoundry-platform-health.png[]
-
-
-[float]
-=== Module-specific configuration notes
-
-All metrics come from the Cloud Foundry loggregator API. The loggregator API authenticates through the Cloud Foundry UAA API.
-This requires that a new client be added to UAA with the correct permissions. This can be done using the `uaac` client.
-
-[source,bash]
-----
-$ export CLOUDFOUNDRY_CLIENT_ID=metricbeat
-$ export CLOUDFOUNDRY_CLIENT_SECRET=yoursecret
-$ uaac client add $CLOUDFOUNDRY_CLIENT_ID --name $CLOUDFOUNDRY_CLIENT_ID --secret $CLOUDFOUNDRY_CLIENT_SECRET --authorized_grant_types client_credentials,refresh_token --authorities doppler.firehose,cloud_controller.admin_read_only
-----
-
-Then configuration of the module needs to contain the created `client_id` and `client_secret`.
-
-[source,yaml]
-----
-- module: cloudfoundry
-  api_address: https://api.dev.cfdev.sh
-  client_id: "${CLOUDFOUNDRY_CLIENT_ID}"
-  client_secret: "${CLOUDFOUNDRY_CLIENT_SECRET}"
-  ssl:
-      verification_mode: none
-----
-
-
-[float]
-== Metricsets
-
-[float]
-=== `container`
-The container metricset of Cloud Foundry module allows you to collect container metrics that the
-loggregator sends to metricbeat.
-
-[float]
-=== `counter`
-The counter metricset of Cloud Foundry module allows you to collect counter metrics that the
-loggregator sends to metricbeat.
-
-[float]
-=== `value`
-The value metricset of Cloud Foundry module allows you to collect value metrics that the
-loggregator sends to metricbeat.
-
-
-[float]
-== Configuration options
-
-The `cloudfoundry` input supports the following configuration options.
-
-[float]
-=== `api_address`
-
-The URL of the Cloud Foundry API. Optional. Default: "http://api.bosh-lite.com".
-
-[float]
-=== `doppler_address`
-
-The URL of the Cloud Foundry Doppler Websocket. Optional. Default: "(value from ${api_address}/v2/info)".
-
-[float]
-=== `uaa_address`
-
-The URL of the Cloud Foundry UAA API. Optional. Default: "(value from ${api_address}/v2/info)".
-
-[float]
-=== `rlp_address`
-
-The URL of the Cloud Foundry RLP Gateway. Optional. Default: "(`log-stream` subdomain under the same domain as `api_server`)".
-
-[float]
-=== `client_id`
-
-Client ID to authenticate with Cloud Foundry. Default: "".
-
-[float]
-=== `client_secret`
-
-Client Secret to authenticate with Cloud Foundry. Default: "".
-
-[float]
-=== `shard_id`
-
-Shard ID for connection to the RLP Gateway. Use the same ID across multiple {beatname_lc} to shard the load of events
-from the RLP Gateway.
-
-[float]
-==== `version`
-
-Consumer API version to connect with Cloud Foundry to collect events. Use `v1` to collect events using Doppler/Traffic Control.
-Use `v2` to collect events from the RLP Gateway. Default: "`v1`".
-
-[float]
-=== `ssl`
-
-This specifies SSL/TLS common config. Default: not used.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Cloudfoundry module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: cloudfoundry
-  metricsets:
-    - container
-    - counter
-    - value
-  enabled: true
-  api_address: '${CLOUDFOUNDRY_API_ADDRESS:""}'
-  doppler_address: '${CLOUDFOUNDRY_DOPPLER_ADDRESS:""}'
-  uaa_address: '${CLOUDFOUNDRY_UAA_ADDRESS:""}'
-  rlp_address: '${CLOUDFOUNDRY_RLP_ADDRESS:""}'
-  client_id: '${CLOUDFOUNDRY_CLIENT_ID:""}'
-  client_secret: '${CLOUDFOUNDRY_CLIENT_SECRET:""}'
-  shard_id: metricbeat
-  version: v1
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-cloudfoundry-container,container>>
-
-* <<metricbeat-metricset-cloudfoundry-counter,counter>>
-
-* <<metricbeat-metricset-cloudfoundry-value,value>>
-
-include::cloudfoundry/container.asciidoc[]
-
-include::cloudfoundry/counter.asciidoc[]
-
-include::cloudfoundry/value.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/cloudfoundry/container.asciidoc b/metricbeat/docs/modules/cloudfoundry/container.asciidoc
deleted file mode 100644
index 1fb8fa006ad7..000000000000
--- a/metricbeat/docs/modules/cloudfoundry/container.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/cloudfoundry/container/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-cloudfoundry-container]]
-[role="xpack"]
-=== Cloudfoundry container metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/cloudfoundry/container/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-cloudfoundry,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/cloudfoundry/container/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/cloudfoundry/counter.asciidoc b/metricbeat/docs/modules/cloudfoundry/counter.asciidoc
deleted file mode 100644
index 781c6b216c6a..000000000000
--- a/metricbeat/docs/modules/cloudfoundry/counter.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/cloudfoundry/counter/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-cloudfoundry-counter]]
-[role="xpack"]
-=== Cloudfoundry counter metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/cloudfoundry/counter/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-cloudfoundry,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/cloudfoundry/counter/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/cloudfoundry/value.asciidoc b/metricbeat/docs/modules/cloudfoundry/value.asciidoc
deleted file mode 100644
index e4f402b0b453..000000000000
--- a/metricbeat/docs/modules/cloudfoundry/value.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/cloudfoundry/value/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-cloudfoundry-value]]
-[role="xpack"]
-=== Cloudfoundry value metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/cloudfoundry/value/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-cloudfoundry,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/cloudfoundry/value/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/cockroachdb.asciidoc b/metricbeat/docs/modules/cockroachdb.asciidoc
deleted file mode 100644
index 1f3bcdc6ee3c..000000000000
--- a/metricbeat/docs/modules/cockroachdb.asciidoc
+++ /dev/null
@@ -1,68 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: cockroachdb
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/cockroachdb/_meta/docs.asciidoc
-
-
-[[metricbeat-module-cockroachdb]]
-[role="xpack"]
-== CockroachDB module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This module periodically fetches metrics from CockroachDB.
-
-[float]
-=== Compatibility
-
-The CockroachDB `status` metricset is compatible with any CockroachDB version
-exposing metrics in Prometheus format.
-
-
-[float]
-=== Dashboard
-
-The CockroachDB module includes a predefined dashboard with overview information
-of the monitored servers.
-
-image::./images/metricbeat-cockroachdb-overview.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The CockroachDB module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: cockroachdb
-  metricsets: ['status']
-  period: 10s
-  hosts: ['localhost:8080']
-
-  # This module uses the Prometheus collector metricset, all
-  # the options for this metricset are also available here.
-  #metrics_path: /_status/vars
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-cockroachdb-status,status>>
-
-include::cockroachdb/status.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/cockroachdb/status.asciidoc b/metricbeat/docs/modules/cockroachdb/status.asciidoc
deleted file mode 100644
index 94bcefa7d88e..000000000000
--- a/metricbeat/docs/modules/cockroachdb/status.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/cockroachdb/status/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-cockroachdb-status]]
-[role="xpack"]
-=== CockroachDB status metricset
-
-include::../../../../x-pack/metricbeat/module/cockroachdb/status/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-cockroachdb,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/cockroachdb/status/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/consul.asciidoc b/metricbeat/docs/modules/consul.asciidoc
deleted file mode 100644
index db3a6933defc..000000000000
--- a/metricbeat/docs/modules/consul.asciidoc
+++ /dev/null
@@ -1,61 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: consul
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/consul/_meta/docs.asciidoc
-
-
-[[metricbeat-module-consul]]
-== Consul module
-
-beta[]
-
-This is the https://www.consul.io[Hashicorp's Consul] Metricbeat module. It is still in beta and under active development to add new Metricsets and introduce enhancements.
-
-[float]
-=== Compatibility
-
-The module is being tested with 1.4.2 and 1.9.3 versions of Consul.
-
-[float]
-=== Dashboard
-
-The Consul module comes with a predefined dashboard:
-
-image::./images/metricbeat-consul.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Consul module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: consul
-  metricsets:
-  - agent
-  enabled: true
-  period: 10s
-  hosts: ["localhost:8500"]
-
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-consul-agent,agent>>
-
-include::consul/agent.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/consul/agent.asciidoc b/metricbeat/docs/modules/consul/agent.asciidoc
deleted file mode 100644
index dabc3ec40f7e..000000000000
--- a/metricbeat/docs/modules/consul/agent.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/consul/agent/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-consul-agent]]
-=== Consul agent metricset
-
-beta[]
-
-include::../../../module/consul/agent/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-consul,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/consul/agent/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/containerd.asciidoc b/metricbeat/docs/modules/containerd.asciidoc
deleted file mode 100644
index 099cd95281b6..000000000000
--- a/metricbeat/docs/modules/containerd.asciidoc
+++ /dev/null
@@ -1,97 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: containerd
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/containerd/_meta/docs.asciidoc
-
-
-[[metricbeat-module-containerd]]
-[role="xpack"]
-== Containerd module
-
-beta[]
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-Containerd module collects cpu, memory and blkio statistics about
-running containers controlled by containerd runtime.
-
-The current metricsets are: `cpu`, `blkio` and `memory` and are enabled by default.
-
-[float]
-=== Prerequisites
-`Containerd` daemon has to be configured to provide metrics before enabling containerd module.
-
-In the configuration file located in `/etc/containerd/config.toml` metrics endpoint needs to
-be set and containerd daemon needs to be restarted.
-
-```
-[metrics]
-    address = "127.0.0.1:1338"
-```
-
-[float]
-=== Compatibility
-
-The Containerd module is tested with the following versions of Containerd:
-v1.5.2
-
-[float]
-=== Module-specific configuration notes
-
-For cpu metricset if `calcpct.cpu` setting is set to true, cpu usage percentages will be calculated
-and more specifically fields `containerd.cpu.usage.total.pct`, `containerd.cpu.usage.kernel.pct`, `containerd.cpu.usage.user.pct`.
-Default value is true.
-
-For memory metricset if `calcpct.memory` setting is set to true, memory usage percentages will be calculated
-and more specifically fields `containerd.memory.usage.pct` and  `containerd.memory.workingset.pct`.
-Default value is true.
-
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Containerd module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: containerd
-  metricsets: ["cpu", "memory", "blkio"]
-  period: 10s
-  # containerd metrics endpoint is configured in /etc/containerd/config.toml
-  # Metrics endpoint does not listen by default
-  # https://github.com/containerd/containerd/blob/main/docs/man/containerd-config.toml.5.md
-  hosts: ["localhost:1338"]
-  # if set to true, cpu and memory usage percentages will be calculated. Default is true
-  calcpct.cpu: true
-  calcpct.memory: true
-  #metrics_path: "v1/metrics"
-
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-containerd-blkio,blkio>>
-
-* <<metricbeat-metricset-containerd-cpu,cpu>>
-
-* <<metricbeat-metricset-containerd-memory,memory>>
-
-include::containerd/blkio.asciidoc[]
-
-include::containerd/cpu.asciidoc[]
-
-include::containerd/memory.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/containerd/blkio.asciidoc b/metricbeat/docs/modules/containerd/blkio.asciidoc
deleted file mode 100644
index 25c5b859cd48..000000000000
--- a/metricbeat/docs/modules/containerd/blkio.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/containerd/blkio/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-containerd-blkio]]
-[role="xpack"]
-=== Containerd blkio metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/containerd/blkio/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-containerd,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/containerd/blkio/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/containerd/cpu.asciidoc b/metricbeat/docs/modules/containerd/cpu.asciidoc
deleted file mode 100644
index 25e7817136e3..000000000000
--- a/metricbeat/docs/modules/containerd/cpu.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/containerd/cpu/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-containerd-cpu]]
-[role="xpack"]
-=== Containerd cpu metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/containerd/cpu/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-containerd,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/containerd/cpu/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/containerd/memory.asciidoc b/metricbeat/docs/modules/containerd/memory.asciidoc
deleted file mode 100644
index 64a3af39e128..000000000000
--- a/metricbeat/docs/modules/containerd/memory.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/containerd/memory/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-containerd-memory]]
-[role="xpack"]
-=== Containerd memory metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/containerd/memory/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-containerd,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/containerd/memory/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/coredns.asciidoc b/metricbeat/docs/modules/coredns.asciidoc
deleted file mode 100644
index 25e4942b9664..000000000000
--- a/metricbeat/docs/modules/coredns.asciidoc
+++ /dev/null
@@ -1,58 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: coredns
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/coredns/_meta/docs.asciidoc
-
-
-[[metricbeat-module-coredns]]
-[role="xpack"]
-== Coredns module
-
-This is the CoreDNS module. The CoreDNS module collects metrics from the
-CoreDNS https://github.com/coredns/coredns/tree/master/plugin/metrics[prometheus exporter endpoint].
-
-The default metricset is `stats`.
-
-[float]
-=== Compatibility
-
-The CoreDNS module is tested with CoreDNS 1.5.0
-
-
-[float]
-=== Dashboard
-
-The CoreDNS module comes with a predefined dashboard. For example:
-
-image::./images/metricbeat_coredns_dashboard.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Coredns module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: coredns
-  metricsets: ["stats"]
-  period: 10s
-  hosts: ["localhost:9153"]
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-coredns-stats,stats>>
-
-include::coredns/stats.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/coredns/stats.asciidoc b/metricbeat/docs/modules/coredns/stats.asciidoc
deleted file mode 100644
index 5c897b0f8a70..000000000000
--- a/metricbeat/docs/modules/coredns/stats.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/coredns/stats/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-coredns-stats]]
-[role="xpack"]
-=== Coredns stats metricset
-
-include::../../../../x-pack/metricbeat/module/coredns/stats/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-coredns,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/coredns/stats/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/couchbase.asciidoc b/metricbeat/docs/modules/couchbase.asciidoc
deleted file mode 100644
index eb201887c763..000000000000
--- a/metricbeat/docs/modules/couchbase.asciidoc
+++ /dev/null
@@ -1,67 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: couchbase
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/couchbase/_meta/docs.asciidoc
-
-
-[[metricbeat-module-couchbase]]
-== Couchbase module
-
-This module periodically fetches metrics from https://www.couchbase.com/[Couchbase]
-servers. The default metricsets are `bucket`, `cluster`, `node`.
-
-[float]
-=== Compatibility
-
-The Couchbase module is tested with Couchbase 6.5.1.
-
-
-[float]
-=== Dashboard
-
-The Couchbase module comes with a predefined dashboard for Couchbase cluster, node, bucket specific stats. For example:
-
-image::./images/metricbeat-couchbase-overview.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Couchbase module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: couchbase
-  metricsets: ["bucket", "cluster", "node"]
-  period: 10s
-  hosts: ["localhost:8091"]
-  enabled: true
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-couchbase-bucket,bucket>>
-
-* <<metricbeat-metricset-couchbase-cluster,cluster>>
-
-* <<metricbeat-metricset-couchbase-node,node>>
-
-include::couchbase/bucket.asciidoc[]
-
-include::couchbase/cluster.asciidoc[]
-
-include::couchbase/node.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/couchbase/bucket.asciidoc b/metricbeat/docs/modules/couchbase/bucket.asciidoc
deleted file mode 100644
index 8525a42263e8..000000000000
--- a/metricbeat/docs/modules/couchbase/bucket.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/couchbase/bucket/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-couchbase-bucket]]
-=== Couchbase bucket metricset
-
-include::../../../module/couchbase/bucket/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-couchbase,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/couchbase/bucket/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/couchbase/cluster.asciidoc b/metricbeat/docs/modules/couchbase/cluster.asciidoc
deleted file mode 100644
index faa065d36b32..000000000000
--- a/metricbeat/docs/modules/couchbase/cluster.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/couchbase/cluster/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-couchbase-cluster]]
-=== Couchbase cluster metricset
-
-include::../../../module/couchbase/cluster/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-couchbase,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/couchbase/cluster/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/couchbase/node.asciidoc b/metricbeat/docs/modules/couchbase/node.asciidoc
deleted file mode 100644
index ad5c8f1e25f9..000000000000
--- a/metricbeat/docs/modules/couchbase/node.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/couchbase/node/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-couchbase-node]]
-=== Couchbase node metricset
-
-include::../../../module/couchbase/node/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-couchbase,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/couchbase/node/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/couchdb.asciidoc b/metricbeat/docs/modules/couchdb.asciidoc
deleted file mode 100644
index d58436526483..000000000000
--- a/metricbeat/docs/modules/couchdb.asciidoc
+++ /dev/null
@@ -1,62 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: couchdb
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/couchdb/_meta/docs.asciidoc
-
-
-[[metricbeat-module-couchdb]]
-== CouchDB module
-
-This is the couchdb module.
-
-The default metricset is `server`.
-
-[float]
-=== Compatibility
-
-The Couchdb module is tested in CI with Couchdb 1.7 and 2.3. Because of the differences between v1 and v2 for exposing metrics, the path to request metrics for each version is different:
-
-* v1.* uses `[host]:5984/_stats` so the hosts of your config should just be `[host]:5984`
-* v2.* exposes metrics in various places. Local in `[host]:5986/_stats` and cluster wide in `[host]:5984/_node/[node-name]/_stats` or `[host]:5984/_node/_local/_stats`. Recommended config is `[host]:5986` to use the local path (double check that you are using port `5986`) or to use the full path on `5984`  `[host]:5984/_node/[node name or _local]/_stats`
-
-
-[float]
-=== Dashboard
-
-The CouchDB module comes with a predefined dashboard for CouchDB database specific stats. For example:
-
-image::./images/metricbeat-couchdb-overview.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The CouchDB module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: couchdb
-  metricsets: ["server"]
-  period: 10s
-  hosts: ["localhost:5984"]
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-couchdb-server,server>>
-
-include::couchdb/server.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/couchdb/server.asciidoc b/metricbeat/docs/modules/couchdb/server.asciidoc
deleted file mode 100644
index aa06352ff9a1..000000000000
--- a/metricbeat/docs/modules/couchdb/server.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/couchdb/server/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-couchdb-server]]
-=== CouchDB server metricset
-
-include::../../../module/couchdb/server/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-couchdb,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/couchdb/server/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/docker.asciidoc b/metricbeat/docs/modules/docker.asciidoc
deleted file mode 100644
index a8ae9cbf4882..000000000000
--- a/metricbeat/docs/modules/docker.asciidoc
+++ /dev/null
@@ -1,137 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: docker
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/docker/_meta/docs.asciidoc
-
-
-[[metricbeat-module-docker]]
-== Docker module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This module fetches metrics from https://www.docker.com/[Docker] containers. The default metricsets are: `container`, `cpu`, `diskio`, `healthcheck`, `info`, `memory` and `network`. The `image` metricset is not enabled by default.
-
-[float]
-=== Compatibility
-
-The Docker module is currently tested on Linux and Mac with the community
-edition engine, versions 1.11 and 17.09.0-ce. It is not tested on Windows,
-but it should also work there.
-
-The Docker module supports collection of metrics from Podman's Docker-compatible API.
-It has been tested on Linux and Mac with Podman Rest API v2.0.0 and above.
-
-[float]
-=== Module-specific configuration notes
-
-It is strongly recommended that you run Docker metricsets with a
-<<metricset-period,`period`>> that is 3 seconds or longer. The request to the
-Docker API already takes up to 2 seconds. Specifying less than 3 seconds will
-result in requests that timeout, and no data will be reported for those
-requests.
-In the case of Podman, the configuration parameter `podman` should be set to `true`. 
-This enables streaming of container stats output, which allows for more accurate 
-CPU percentage calculations when using Podman.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Docker module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: docker
-  metricsets:
-    - "container"
-    - "cpu"
-    - "diskio"
-    - "event"
-    - "healthcheck"
-    - "info"
-    #- "image"
-    - "memory"
-    - "network"
-    #- "network_summary"
-  hosts: ["unix:///var/run/docker.sock"]
-  period: 10s
-  enabled: true
-
-  # If set to true, replace dots in labels with `_`.
-  #labels.dedot: false
-
-  # Docker module supports metrics collection from podman's docker compatible API. In case of podman set to true.
-  # podman: false
-
-  # Skip metrics for certain device major numbers in docker/diskio. 
-  # Necessary on systems with software RAID, device mappers, 
-  # or other configurations where virtual disks will sum metrics from other disks.
-  # By default, it will skip devices with major numbers 9 or 253.
-  #skip_major: []
-
-  # If set to true, collects metrics per core.
-  #cpu.cores: true
-
-  # To connect to Docker over TLS you must specify a client and CA certificate.
-  #ssl:
-    #certificate_authority: "/etc/pki/root/ca.pem"
-    #certificate:           "/etc/pki/client/cert.pem"
-    #key:                   "/etc/pki/client/cert.key"
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-docker-container,container>>
-
-* <<metricbeat-metricset-docker-cpu,cpu>>
-
-* <<metricbeat-metricset-docker-diskio,diskio>>
-
-* <<metricbeat-metricset-docker-event,event>>
-
-* <<metricbeat-metricset-docker-healthcheck,healthcheck>>
-
-* <<metricbeat-metricset-docker-image,image>>
-
-* <<metricbeat-metricset-docker-info,info>>
-
-* <<metricbeat-metricset-docker-memory,memory>>
-
-* <<metricbeat-metricset-docker-network,network>>
-
-* <<metricbeat-metricset-docker-network_summary,network_summary>>
-
-include::docker/container.asciidoc[]
-
-include::docker/cpu.asciidoc[]
-
-include::docker/diskio.asciidoc[]
-
-include::docker/event.asciidoc[]
-
-include::docker/healthcheck.asciidoc[]
-
-include::docker/image.asciidoc[]
-
-include::docker/info.asciidoc[]
-
-include::docker/memory.asciidoc[]
-
-include::docker/network.asciidoc[]
-
-include::docker/network_summary.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/docker/container.asciidoc b/metricbeat/docs/modules/docker/container.asciidoc
deleted file mode 100644
index 7f9cffb9240f..000000000000
--- a/metricbeat/docs/modules/docker/container.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/docker/container/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-docker-container]]
-=== Docker container metricset
-
-include::../../../module/docker/container/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-docker,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/docker/container/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/docker/cpu.asciidoc b/metricbeat/docs/modules/docker/cpu.asciidoc
deleted file mode 100644
index 36461b6fd45b..000000000000
--- a/metricbeat/docs/modules/docker/cpu.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/docker/cpu/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-docker-cpu]]
-=== Docker cpu metricset
-
-include::../../../module/docker/cpu/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-docker,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/docker/cpu/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/docker/diskio.asciidoc b/metricbeat/docs/modules/docker/diskio.asciidoc
deleted file mode 100644
index 2ee9300dcb58..000000000000
--- a/metricbeat/docs/modules/docker/diskio.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/docker/diskio/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-docker-diskio]]
-=== Docker diskio metricset
-
-include::../../../module/docker/diskio/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-docker,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/docker/diskio/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/docker/event.asciidoc b/metricbeat/docs/modules/docker/event.asciidoc
deleted file mode 100644
index 672267d6a95d..000000000000
--- a/metricbeat/docs/modules/docker/event.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/docker/event/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-docker-event]]
-=== Docker event metricset
-
-include::../../../module/docker/event/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-docker,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/docker/event/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/docker/healthcheck.asciidoc b/metricbeat/docs/modules/docker/healthcheck.asciidoc
deleted file mode 100644
index cd800d7c1fea..000000000000
--- a/metricbeat/docs/modules/docker/healthcheck.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/docker/healthcheck/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-docker-healthcheck]]
-=== Docker healthcheck metricset
-
-include::../../../module/docker/healthcheck/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-docker,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/docker/healthcheck/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/docker/image.asciidoc b/metricbeat/docs/modules/docker/image.asciidoc
deleted file mode 100644
index e74131fabe56..000000000000
--- a/metricbeat/docs/modules/docker/image.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/docker/image/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-docker-image]]
-=== Docker image metricset
-
-include::../../../module/docker/image/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-docker,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/docker/image/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/docker/info.asciidoc b/metricbeat/docs/modules/docker/info.asciidoc
deleted file mode 100644
index 90056498945c..000000000000
--- a/metricbeat/docs/modules/docker/info.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/docker/info/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-docker-info]]
-=== Docker info metricset
-
-include::../../../module/docker/info/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-docker,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/docker/info/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/docker/memory.asciidoc b/metricbeat/docs/modules/docker/memory.asciidoc
deleted file mode 100644
index 0f24154941cb..000000000000
--- a/metricbeat/docs/modules/docker/memory.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/docker/memory/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-docker-memory]]
-=== Docker memory metricset
-
-include::../../../module/docker/memory/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-docker,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/docker/memory/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/docker/network.asciidoc b/metricbeat/docs/modules/docker/network.asciidoc
deleted file mode 100644
index b83f8fad082a..000000000000
--- a/metricbeat/docs/modules/docker/network.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/docker/network/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-docker-network]]
-=== Docker network metricset
-
-include::../../../module/docker/network/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-docker,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/docker/network/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/docker/network_summary.asciidoc b/metricbeat/docs/modules/docker/network_summary.asciidoc
deleted file mode 100644
index 3d99619da0f8..000000000000
--- a/metricbeat/docs/modules/docker/network_summary.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/docker/network_summary/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-docker-network_summary]]
-=== Docker network_summary metricset
-
-beta[]
-
-include::../../../module/docker/network_summary/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-docker,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/docker/network_summary/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/dropwizard.asciidoc b/metricbeat/docs/modules/dropwizard.asciidoc
deleted file mode 100644
index 11c21726826d..000000000000
--- a/metricbeat/docs/modules/dropwizard.asciidoc
+++ /dev/null
@@ -1,52 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: dropwizard
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/dropwizard/_meta/docs.asciidoc
-
-
-[[metricbeat-module-dropwizard]]
-== Dropwizard module
-
-This is the http://dropwizard.io[Dropwizard] module. The default metricset is `collector`.
-
-[float]
-=== Compatibility
-
-The Dropwizard module is tested with dropwizard metrics 3.2.6, 4.0.0 and 4.1.2.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Dropwizard module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: dropwizard
-  metricsets: ["collector"]
-  period: 10s
-  hosts: ["localhost:8080"]
-  metrics_path: /metrics/metrics
-  namespace: example
-  enabled: true
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-dropwizard-collector,collector>>
-
-include::dropwizard/collector.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/dropwizard/collector.asciidoc b/metricbeat/docs/modules/dropwizard/collector.asciidoc
deleted file mode 100644
index 829fe1d3b7dd..000000000000
--- a/metricbeat/docs/modules/dropwizard/collector.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/dropwizard/collector/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-dropwizard-collector]]
-=== Dropwizard collector metricset
-
-include::../../../module/dropwizard/collector/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-dropwizard,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/dropwizard/collector/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/elasticsearch.asciidoc b/metricbeat/docs/modules/elasticsearch.asciidoc
deleted file mode 100644
index 5152452a0c5b..000000000000
--- a/metricbeat/docs/modules/elasticsearch.asciidoc
+++ /dev/null
@@ -1,153 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: elasticsearch
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/elasticsearch/_meta/docs.asciidoc
-
-
-[[metricbeat-module-elasticsearch]]
-== Elasticsearch module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-The `elasticsearch` module collects metrics about {es}.
-
-[float]
-=== Compatibility
-
-The `elasticsearch` module works with {es} 6.7.0 and later.
-
-[float]
-=== Usage for {stack} Monitoring
-
-The `elasticsearch` module can be used to collect metrics shown in our {stack-monitor-app}
-UI in {kib}. To enable this usage, set `xpack.enabled: true` and remove any `metricsets`
-from the module's configuration. Alternatively, run `metricbeat modules disable elasticsearch` and
-`metricbeat modules enable elasticsearch-xpack`.
-
-When xpack mode is enabled, all the legacy metricsets are automatically enabled by default.
-This means that you do not need to manually enable them, and there will be no conflicts or issues because Metricbeat merges the user-defined metricsets with the ones that xpack mode forces to enable.
-As a result, you can seamlessly collect comprehensive metrics without worrying about dataset overlap or duplication.
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: elasticsearch
-  xpack.enabled: true
-  metricsets:
-    - ingest_pipeline
-  period: 10s
-----
-
-NOTE: When this module is used for {stack} Monitoring, it sends metrics to the
-monitoring index instead of the default index typically used by {metricbeat}.
-For more details about the monitoring index, see
-{ref}/config-monitoring-indices.html[Configuring indices for monitoring].
-
-[float]
-=== Module-specific configuration notes
-
-Like other {beatname_uc} modules, the `elasticsearch` module accepts a `hosts` configuration setting.
-This setting can contain a list of entries. The related `scope` setting determines how each entry in
-the `hosts` list is interpreted by the module.
-
-* If `scope` is set to `node` (default), each entry in the `hosts` list indicates a distinct node in an
-  {es} cluster.
-* If `scope` is set to `cluster`, each entry in the `hosts` list indicates a single endpoint for a distinct
-  {es} cluster (for example, a load-balancing proxy fronting the cluster).
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Elasticsearch module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: elasticsearch
-  metricsets:
-    - node
-    - node_stats
-    #- index
-    #- index_recovery
-    #- index_summary
-    #- ingest_pipeline
-    #- shard
-    #- ml_job
-  period: 10s
-  hosts: ["http://localhost:9200"]
-  #username: "elastic"
-  #password: "changeme"
-  #api_key: "foo:bar"
-  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
-
-  #index_recovery.active_only: true
-  #ingest_pipeline.processor_sample_rate: 0.25
-  #xpack.enabled: false
-  #scope: node
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-elasticsearch-ccr,ccr>>
-
-* <<metricbeat-metricset-elasticsearch-cluster_stats,cluster_stats>>
-
-* <<metricbeat-metricset-elasticsearch-enrich,enrich>>
-
-* <<metricbeat-metricset-elasticsearch-index,index>>
-
-* <<metricbeat-metricset-elasticsearch-index_recovery,index_recovery>>
-
-* <<metricbeat-metricset-elasticsearch-index_summary,index_summary>>
-
-* <<metricbeat-metricset-elasticsearch-ingest_pipeline,ingest_pipeline>>
-
-* <<metricbeat-metricset-elasticsearch-ml_job,ml_job>>
-
-* <<metricbeat-metricset-elasticsearch-node,node>>
-
-* <<metricbeat-metricset-elasticsearch-node_stats,node_stats>>
-
-* <<metricbeat-metricset-elasticsearch-pending_tasks,pending_tasks>>
-
-* <<metricbeat-metricset-elasticsearch-shard,shard>>
-
-include::elasticsearch/ccr.asciidoc[]
-
-include::elasticsearch/cluster_stats.asciidoc[]
-
-include::elasticsearch/enrich.asciidoc[]
-
-include::elasticsearch/index.asciidoc[]
-
-include::elasticsearch/index_recovery.asciidoc[]
-
-include::elasticsearch/index_summary.asciidoc[]
-
-include::elasticsearch/ingest_pipeline.asciidoc[]
-
-include::elasticsearch/ml_job.asciidoc[]
-
-include::elasticsearch/node.asciidoc[]
-
-include::elasticsearch/node_stats.asciidoc[]
-
-include::elasticsearch/pending_tasks.asciidoc[]
-
-include::elasticsearch/shard.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/elasticsearch/ccr.asciidoc b/metricbeat/docs/modules/elasticsearch/ccr.asciidoc
deleted file mode 100644
index 40aadcb274e4..000000000000
--- a/metricbeat/docs/modules/elasticsearch/ccr.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/elasticsearch/ccr/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-elasticsearch-ccr]]
-=== Elasticsearch ccr metricset
-
-include::../../../module/elasticsearch/ccr/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-elasticsearch,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/elasticsearch/ccr/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/elasticsearch/cluster_stats.asciidoc b/metricbeat/docs/modules/elasticsearch/cluster_stats.asciidoc
deleted file mode 100644
index 32a92d8aa6c6..000000000000
--- a/metricbeat/docs/modules/elasticsearch/cluster_stats.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/elasticsearch/cluster_stats/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-elasticsearch-cluster_stats]]
-=== Elasticsearch cluster_stats metricset
-
-include::../../../module/elasticsearch/cluster_stats/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-elasticsearch,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/elasticsearch/cluster_stats/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/elasticsearch/enrich.asciidoc b/metricbeat/docs/modules/elasticsearch/enrich.asciidoc
deleted file mode 100644
index b6fbea2567b2..000000000000
--- a/metricbeat/docs/modules/elasticsearch/enrich.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/elasticsearch/enrich/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-elasticsearch-enrich]]
-=== Elasticsearch enrich metricset
-
-include::../../../module/elasticsearch/enrich/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-elasticsearch,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/elasticsearch/enrich/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/elasticsearch/index.asciidoc b/metricbeat/docs/modules/elasticsearch/index.asciidoc
deleted file mode 100644
index 65e1c9f92704..000000000000
--- a/metricbeat/docs/modules/elasticsearch/index.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/elasticsearch/index/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-elasticsearch-index]]
-=== Elasticsearch index metricset
-
-include::../../../module/elasticsearch/index/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-elasticsearch,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/elasticsearch/index/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/elasticsearch/index_recovery.asciidoc b/metricbeat/docs/modules/elasticsearch/index_recovery.asciidoc
deleted file mode 100644
index 708f7cc799d6..000000000000
--- a/metricbeat/docs/modules/elasticsearch/index_recovery.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/elasticsearch/index_recovery/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-elasticsearch-index_recovery]]
-=== Elasticsearch index_recovery metricset
-
-include::../../../module/elasticsearch/index_recovery/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-elasticsearch,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/elasticsearch/index_recovery/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/elasticsearch/index_summary.asciidoc b/metricbeat/docs/modules/elasticsearch/index_summary.asciidoc
deleted file mode 100644
index be53811a263f..000000000000
--- a/metricbeat/docs/modules/elasticsearch/index_summary.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/elasticsearch/index_summary/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-elasticsearch-index_summary]]
-=== Elasticsearch index_summary metricset
-
-include::../../../module/elasticsearch/index_summary/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-elasticsearch,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/elasticsearch/index_summary/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/elasticsearch/ingest_pipeline.asciidoc b/metricbeat/docs/modules/elasticsearch/ingest_pipeline.asciidoc
deleted file mode 100644
index 5088de41340d..000000000000
--- a/metricbeat/docs/modules/elasticsearch/ingest_pipeline.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/elasticsearch/ingest_pipeline/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-elasticsearch-ingest_pipeline]]
-=== Elasticsearch ingest_pipeline metricset
-
-beta[]
-
-include::../../../module/elasticsearch/ingest_pipeline/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-elasticsearch,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/elasticsearch/ingest_pipeline/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/elasticsearch/ml_job.asciidoc b/metricbeat/docs/modules/elasticsearch/ml_job.asciidoc
deleted file mode 100644
index e6cefaa0227c..000000000000
--- a/metricbeat/docs/modules/elasticsearch/ml_job.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/elasticsearch/ml_job/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-elasticsearch-ml_job]]
-=== Elasticsearch ml_job metricset
-
-include::../../../module/elasticsearch/ml_job/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-elasticsearch,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/elasticsearch/ml_job/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/elasticsearch/node.asciidoc b/metricbeat/docs/modules/elasticsearch/node.asciidoc
deleted file mode 100644
index 43872df08a26..000000000000
--- a/metricbeat/docs/modules/elasticsearch/node.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/elasticsearch/node/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-elasticsearch-node]]
-=== Elasticsearch node metricset
-
-include::../../../module/elasticsearch/node/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-elasticsearch,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/elasticsearch/node/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/elasticsearch/node_stats.asciidoc b/metricbeat/docs/modules/elasticsearch/node_stats.asciidoc
deleted file mode 100644
index 0fef326660a5..000000000000
--- a/metricbeat/docs/modules/elasticsearch/node_stats.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/elasticsearch/node_stats/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-elasticsearch-node_stats]]
-=== Elasticsearch node_stats metricset
-
-include::../../../module/elasticsearch/node_stats/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-elasticsearch,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/elasticsearch/node_stats/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/elasticsearch/pending_tasks.asciidoc b/metricbeat/docs/modules/elasticsearch/pending_tasks.asciidoc
deleted file mode 100644
index 02785ca629c0..000000000000
--- a/metricbeat/docs/modules/elasticsearch/pending_tasks.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/elasticsearch/pending_tasks/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-elasticsearch-pending_tasks]]
-=== Elasticsearch pending_tasks metricset
-
-include::../../../module/elasticsearch/pending_tasks/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-elasticsearch,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/elasticsearch/pending_tasks/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/elasticsearch/shard.asciidoc b/metricbeat/docs/modules/elasticsearch/shard.asciidoc
deleted file mode 100644
index cca4d8f581b0..000000000000
--- a/metricbeat/docs/modules/elasticsearch/shard.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/elasticsearch/shard/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-elasticsearch-shard]]
-=== Elasticsearch shard metricset
-
-include::../../../module/elasticsearch/shard/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-elasticsearch,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/elasticsearch/shard/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/envoyproxy.asciidoc b/metricbeat/docs/modules/envoyproxy.asciidoc
deleted file mode 100644
index 68ddee9c0b40..000000000000
--- a/metricbeat/docs/modules/envoyproxy.asciidoc
+++ /dev/null
@@ -1,51 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: envoyproxy
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/envoyproxy/_meta/docs.asciidoc
-
-
-[[metricbeat-module-envoyproxy]]
-== Envoyproxy module
-
-This is the envoyproxy module.
-
-The default metricset is `server`.
-
-[float]
-=== Compatibility
-
-The envoyproxy module is tested with Envoy 1.7.0 and 1.12.0.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Envoyproxy module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: envoyproxy
-  metricsets: ["server"]
-  period: 10s
-  hosts: ["localhost:9901"]
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-envoyproxy-server,server>>
-
-include::envoyproxy/server.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/envoyproxy/server.asciidoc b/metricbeat/docs/modules/envoyproxy/server.asciidoc
deleted file mode 100644
index 423d9a2d9c2b..000000000000
--- a/metricbeat/docs/modules/envoyproxy/server.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/envoyproxy/server/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-envoyproxy-server]]
-=== Envoyproxy server metricset
-
-include::../../../module/envoyproxy/server/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-envoyproxy,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/envoyproxy/server/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/etcd.asciidoc b/metricbeat/docs/modules/etcd.asciidoc
deleted file mode 100644
index 87ed10f310e0..000000000000
--- a/metricbeat/docs/modules/etcd.asciidoc
+++ /dev/null
@@ -1,67 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: etcd
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/etcd/_meta/docs.asciidoc
-
-
-[[metricbeat-module-etcd]]
-== Etcd module
-
-This module targets Etcd V2 and V3.
-
-When using V2, metrics are collected using https://coreos.com/etcd/docs/latest/v2/api.html[Etcd v2 API].
-When using V3, metrics are retrieved from the `/metrics` endpoint as intended for https://coreos.com/etcd/docs/latest/metrics.html[Etcd v3]
-
-When using V3, metricsest are bundled into `metrics`
-When using V2, metricsets available are `leader`, `self` and `store`.
-
-[float]
-=== Compatibility
-
-The etcd module is tested with etcd 3.2 and 3.3.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Etcd module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: etcd
-  metricsets: ["leader", "self", "store"]
-  period: 10s
-  hosts: ["localhost:2379"]
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-etcd-leader,leader>>
-
-* <<metricbeat-metricset-etcd-metrics,metrics>>
-
-* <<metricbeat-metricset-etcd-self,self>>
-
-* <<metricbeat-metricset-etcd-store,store>>
-
-include::etcd/leader.asciidoc[]
-
-include::etcd/metrics.asciidoc[]
-
-include::etcd/self.asciidoc[]
-
-include::etcd/store.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/etcd/leader.asciidoc b/metricbeat/docs/modules/etcd/leader.asciidoc
deleted file mode 100644
index c89da3077061..000000000000
--- a/metricbeat/docs/modules/etcd/leader.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/etcd/leader/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-etcd-leader]]
-=== Etcd leader metricset
-
-include::../../../module/etcd/leader/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-etcd,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/etcd/leader/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/etcd/metrics.asciidoc b/metricbeat/docs/modules/etcd/metrics.asciidoc
deleted file mode 100644
index af1bed822b1f..000000000000
--- a/metricbeat/docs/modules/etcd/metrics.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/etcd/metrics/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-etcd-metrics]]
-=== Etcd metrics metricset
-
-beta[]
-
-include::../../../module/etcd/metrics/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-etcd,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/etcd/metrics/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/etcd/self.asciidoc b/metricbeat/docs/modules/etcd/self.asciidoc
deleted file mode 100644
index dfcacd541378..000000000000
--- a/metricbeat/docs/modules/etcd/self.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/etcd/self/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-etcd-self]]
-=== Etcd self metricset
-
-include::../../../module/etcd/self/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-etcd,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/etcd/self/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/etcd/store.asciidoc b/metricbeat/docs/modules/etcd/store.asciidoc
deleted file mode 100644
index 5c4f6855ea21..000000000000
--- a/metricbeat/docs/modules/etcd/store.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/etcd/store/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-etcd-store]]
-=== Etcd store metricset
-
-include::../../../module/etcd/store/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-etcd,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/etcd/store/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/gcp.asciidoc b/metricbeat/docs/modules/gcp.asciidoc
deleted file mode 100644
index 11f3b14eaff0..000000000000
--- a/metricbeat/docs/modules/gcp.asciidoc
+++ /dev/null
@@ -1,433 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: gcp
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/gcp/_meta/docs.asciidoc
-
-
-[[metricbeat-module-gcp]]
-[role="xpack"]
-== Google Cloud Platform module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This module periodically fetches monitoring metrics from Google Cloud Platform using
-https://cloud.google.com/monitoring/api/metrics_gcp[Stackdriver Monitoring API] for Google Cloud Platform services.
-
-IMPORTANT: Extra GCP charges on Stackdriver Monitoring API requests may be
-generated by this module. Please see <<gcp-api-requests,rough estimation of the number of API calls>>
-for more details.
-
-[float]
-== Module config and parameters
-This is a list of the possible module parameters you can tune:
-
-* *zone*: A single string with the zone you want to monitor like `us-central1-a`.
-Or you can specific a partial zone name like `us-central1-` or `us-central1-*`,
-which will monitor all zones start with `us-central1-`: `us-central1-a`,
-`us-central1-b`, `us-central1-c` and `us-central1-f`.
-Please see https://cloud.google.com/compute/docs/regions-zones#available[GCP zones]
-for zones that are available in GCP.
-
-* *region*: A single string with the region you want to monitor like `us-central1`.
-This will enable monitoring for all zones under this region. Or you can specific
-a partial region name like `us-east` or `us-east*`, which will monitor all regions start with
-`us-east`: `us-east1` and `us-east4`. If both region and zone are configured,
-only region will be used.
-Please see https://cloud.google.com/compute/docs/regions-zones#available[GCP regions]
-for regions that are available in GCP. If both `region` and `zone` are not
-specified, metrics will be collected from all regions/zones.
-
-* *project_id*: A single string with your GCP Project ID
-
-* *credentials_file_path*: A single string pointing to the JSON file path
-reachable by Metricbeat that you have created using IAM.
-
-* *exclude_labels*: (`true`/`false` default `false`) Do not extract extra labels
-and metadata information from metricsets and fetch metrics only. At the moment,
-*labels and metadata extraction is only supported* in `compute` metricset.
-
-* *period*: A single time duration specified for this module collection frequency.
-
-* *endpoint*: A custom endpoint to use for the GCP API calls. If not specified, the default endpoint will be used.
-
-[float]
-== Example configuration
-* `compute` metricset is enabled to collect metrics from `us-central1-a` zone
-in `elastic-observability` project.
-+
-[source,yaml]
-----
-- module: gcp
-  metricsets:
-    - compute
-  zone: "us-central1-a"
-  project_id: "elastic-observability"
-  credentials_file_path: "your JSON credentials file path"
-  exclude_labels: false
-  period: 60s
-----
-
-* `compute` and `pubsub` metricsets are enabled to collect metrics from all zones
-under `us-central1` region in `elastic-observability` project.
-+
-[source,yaml]
-----
-- module: gcp
-  metricsets:
-    - compute
-    - pubsub
-  region: "us-central1"
-  project_id: "elastic-observability"
-  credentials_file_path: "your JSON credentials file path"
-  exclude_labels: false
-  period: 60s
-----
-
-* `compute` metricset is enabled to collect metrics from all regions starts with
-`us-west` in `elastic-observability` project, which includes all zones under
-`us-west1`, `us-west2`, `us-west3` and `us-west4`.
-+
-[source,yaml]
-----
-- module: gcp
-  metricsets:
-    - compute
-    - pubsub
-  region: "us-west"
-  project_id: "elastic-observability"
-  credentials_file_path: "your JSON credentials file path"
-  exclude_labels: false
-  period: 60s
-----
-
-[float]
-== Authentication, authorization and permissions.
-Authentication and authorization in Google Cloud Platform can be achieved in many ways. For the current version of the Google Cloud Platform module for Metricbeat, the only supported method is using Service Account JSON files. A typical JSON with a private key looks like this:
-
-[float]
-=== Example Credentials
-[source,json]
-----
-{
-  "type": "service_account",
-  "project_id": "your-project-id",
-  "private_key_id": "a_private_key_id",
-  "private_key": "-----BEGIN PRIVATE KEY-----your private key\n-----END PRIVATE KEY-----\n",
-  "client_email": "some-email@your-project-id.iam.gserviceaccount.com",
-  "client_id": "123456",
-  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-  "token_uri": "https://oauth2.googleapis.com/token",
-  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
-  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/metricbeat-testing%40your-project-id.iam.gserviceaccount.com"
-}
-----
-
-Generally, you have to create a Service Account and assign it the following roles or the permissions described on each role (applies to all metricsets):
-
-* `Monitoring Viewer`:
-- `monitoring.metricDescriptors.list`
-- `monitoring.timeSeries.list`
-
-* `Compute Viewer`:
-- `compute.instances.get`
-- `compute.instances.list`
-
-* `Browser`:
-- `resourcemanager.projects.get`
-- `resourcemanager.organizations.get`
-
-You can play in IAM pretty much with your service accounts and Instance level access to your resources (for example, allowing that everything running in an Instance is authorized to use the Compute API). The module uses Google Cloud Platform libraries for authentication so many possibilities are open but the Module is only supported by using the method mentioned above.
-
-[float]
-== Google Cloud Platform module: Under the hood
-
-Google Cloud Platform offers the https://cloud.google.com/monitoring/api/metrics_gcp[Stackdriver Monitoring API] to fetch metrics from its services. *Those metrics are retrieved one by one*.
-
-If you also want to *extract service labels* (by setting `exclude_labels` to false, which is the default state). You also make a new API check on the corresponding service. Service labels requires a new API call to extract those metrics. In the worst case the number of API calls will be doubled. In the best case, all metrics come from the same GCP entity and 100% of the required information is included in the first API call (which is cached for subsequent calls).
-
-We have updated our field names to align with ECS semantics. As part of this change:
-
-*  `cloud.account.id` will now contain the Google Cloud Organization ID (previously, it contained the project ID).
-*  `cloud.account.name` will now contain the Google Cloud Organization Display Name (previously, it contained the project name).
-*  New fields `cloud.project.id` and `cloud.project.name` will be added to store the actual project ID and project name, respectively.
-
-To restore the previous version, you can add a custom ingest pipeline to the Elastic Integration:
-[source,json]
-----
-{
-  "processors": [
-    {
-      "set": {
-        "field": "cloud.account.id",
-        "value": "{{cloud.project.id}}",
-        "if": "ctx?.cloud?.project?.id != null"
-      }
-    },
-    {
-      "set": {
-        "field": "cloud.account.name",
-        "value": "{{cloud.project.name}}",
-        "if": "ctx?.cloud?.project?.name != null"
-      }
-    },
-    {
-      "remove": {
-        "field": [
-          "cloud.project.id",
-          "cloud.project.name"
-        ],
-        "ignore_missing": true
-      }
-    }
-  ]
-}
-----
-For more information on creating custom ingest pipelines and processors, please see the https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html#data-streams-pipeline-two[Custom Ingest Pipelines] guide.
-
-If `period` value is set to 5-minute and sample period of the metric type is 60-second, then this module will collect data from this metric type once every 5 minutes with aggregation.
-GCP monitoring data has a up to 240 seconds latency, which means latest monitoring data will be up to 4 minutes old. Please see https://cloud.google.com/monitoring/api/v3/latency-n-retention[Latency of GCP Monitoring Metric Data] for more details.
-In `gcp` module, metrics are collected based on this ingest delay, which is also obtained from ListMetricDescriptors API.
-
-[float]
-[[gcp-api-requests]]
-=== Rough estimation of the number of API calls
-Google Cloud Platform pricing depends of the number of requests you do to their API's. Here you have some information that you can use to make an estimation of the pricing you should expect. For example, imagine that you have a Compute Metricset activated and you don't want to exclude labels. You have a total of 20 instances running in a particular GCP project, region and zone.
-
-For example, if Compute Metricset fetches 14 metrics (which is the number of metrics fetched in the early beta version). Each of those metrics will attempt an API call to Compute API to retrieve also their metadata. Because you have 20 different instances, the total number of API calls that will be done on each refresh period are: 14 metrics + 20 instances = 34 API requests every 5 minutes if that is your current Period. 9792 API requests per day with one zone. If you add 2 zones more with the same amount of instances you'll have 19584 API requests per day (9792 on each zone) or around 587520 per month for the Compute Metricset. This maths must be done for each different Metricset with slight variations.
-
-[float]
-== Metricsets
-Currently, we have `billing`, `compute`,  `gke`, `loadbalancing`, `pubsub`, `metrics` and
-`storage` metricset in `gcp` module.
-
-[float]
-=== `billing`
-This metricset fetches billing metrics from https://cloud.google.com/bigquery[GCP BigQuery]
-Cloud Billing allows users to export billing data into BigQuery automatically
-throughout the day. This metricset gets access to the daily cost detail table
-periodically to export billing metrics for further analysis.
-
-The `billing` metricset comes with a predefined dashboard:
-
-image::./images/metricbeat-gcp-billing-overview.png[]
-
-[float]
-=== `compute`
-This metricset fetches metrics from https://cloud.google.com/compute/[Compute Engine]
-Virtual Machines in Google Cloud Platform. The `compute` metricset contains some
-of the metrics exported from the https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute[GCP Compute Monitoring API].
-Extra labels and metadata are also extracted using the https://cloud.google.com/compute/docs/reference/rest/v1/instances/get[Compute API].
-This is enough to get most of the info associated with a metric like compute
-labels and metadata and metric specific Labels.
-
-The `compute` metricset comes with a predefined dashboard:
-
-image::./images/metricbeat-gcp-compute-overview.png[]
-
-[float]
-=== `gke`
-
-This metricset fetches metrics for https://cloud.google.com/kubernetes-engine[Kubernetes Engine].
-
-The `gke` metricset contains all GA metrics exported by https://cloud.google.com/monitoring/api/metrics_kubernetes[Cloud Monitoring Kubernetes metrics].
-
-Extra labels and metadata are also extracted using the https://cloud.google.com/compute/docs/reference/rest/v1/instances/get[Compute API].
-
-The `gke` metricset comes with a predefined dashboard:
-
-image::./images/metricbeat-gcp-gke-overview.png[]
-
-[float]
-=== `loadbalancing`
-This metricset fetches metrics from https://cloud.google.com/load-balancing/[Load Balancing]
-in Google Cloud Platform. The `loadbalancing` metricset contains all metrics
-exported from the https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing[GCP Load Balancing Monitoring API].
-
-The `loadbalancing` metricset comes with two predefined dashboards:
-
-[float]
-==== HTTPS
-For HTTPS load balancing:
-image::./images/metricbeat-gcp-load-balancing-https-overview.png[]
-
-[float]
-==== L3
-For L3 load balancing:
-image::./images/metricbeat-gcp-load-balancing-l3-overview.png[]
-
-[float]
-==== TCP/SSL/Proxy
-For TCP/SSL/Proxy load balancing:
-image::./images/metricbeat-gcp-load-balancing-tcp-ssl-proxy-overview.png[]
-
-[float]
-=== `pubsub`
-This metricset fetches metrics from https://cloud.google.com/pubsub/[Pub/Sub]
-topics and subscriptions in Google Cloud Platform. The `pubsub` metricset
-contains all GA stage metrics exported from the
-https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub[GCP PubSub Monitoring API].
-
-The `pubsub` metricset comes with a predefined dashboard:
-
-image::./images/metricbeat-gcp-pubsub-overview.png[]
-
-[float]
-=== `metrics`
-`metrics` metricset uses Google Cloud Operations/Stackdriver, which provides
-visibility into the performance, uptime, and overall health of cloud-powered
-applications. It collects metrics, events, and metadata from different services
-from Google Cloud.
-This metricset is to collect https://cloud.google.com/monitoring/api/metrics_gcp[monitoring metrics]
-from Google Cloud using `ListTimeSeries` API.
-
-[float]
-=== `storage`
-This metricset fetches metrics from https://cloud.google.com/storage/[Storage]
-in Google Cloud Platform. The `storage` metricset contains all GA metrics
-exported from the https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage[GCP Storage Monitoring API].
-
-We recommend users to define `period: 5m` for this metricset because in Google
-Cloud, storage monitoring metrics are written every 5-minute sample period with
-a 10-minute ingest delay.
-
-The `storage` metricset comes with a predefined dashboard:
-
-image::./images/metricbeat-gcp-storage-overview.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Google Cloud Platform module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: gcp
-  metricsets:
-    - compute
-  region: "us-"
-  project_id: "your project id"
-  credentials_file_path: "your JSON credentials file path"
-  exclude_labels: false
-  period: 1m
-
-- module: gcp
-  metricsets:
-    - pubsub
-    - loadbalancing
-    - firestore
-    - dataproc
-  zone: "us-central1-a"
-  project_id: "your project id"
-  credentials_file_path: "your JSON credentials file path"
-  exclude_labels: false
-  period: 1m
-
-- module: gcp
-  metricsets:
-    - storage
-  project_id: "your project id"
-  credentials_file_path: "your JSON credentials file path"
-  exclude_labels: false
-  period: 5m
-
-- module: gcp
-  metricsets:
-    - metrics
-  project_id: "your project id"
-  credentials_file_path: "your JSON credentials file path"
-  exclude_labels: false
-  period: 1m
-  location_label: "resource.labels.zone"
-  metrics:
-    - aligner: ALIGN_NONE
-      service: compute
-      metric_types:
-        - "instance/cpu/reserved_cores"
-        - "instance/cpu/usage_time"
-        - "instance/cpu/utilization"
-        - "instance/uptime"
-
-- module: gcp
-  metricsets:
-    - gke
-  project_id: "your project id"
-  credentials_file_path: "your JSON credentials file path"
-  exclude_labels: false
-  period: 1m
-
-- module: gcp
-  metricsets:
-    - billing
-  period: 24h
-  project_id: "your project id"
-  credentials_file_path: "your JSON credentials file path"
-  dataset_id: "dataset id"
-  table_pattern: "table pattern"
-  cost_type: "regular"
-
-- module: gcp
-  metricsets:
-    - carbon
-  period: 24h
-  project_id: "your project id"
-  credentials_file_path: "your JSON credentials file path"
-  endpoint: http://your-endpoint
-  dataset_id: "dataset id"
-  table_pattern: "table pattern"
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-gcp-billing,billing>>
-
-* <<metricbeat-metricset-gcp-carbon,carbon>>
-
-* <<metricbeat-metricset-gcp-compute,compute>>
-
-* <<metricbeat-metricset-gcp-dataproc,dataproc>>
-
-* <<metricbeat-metricset-gcp-firestore,firestore>>
-
-* <<metricbeat-metricset-gcp-gke,gke>>
-
-* <<metricbeat-metricset-gcp-loadbalancing,loadbalancing>>
-
-* <<metricbeat-metricset-gcp-metrics,metrics>>
-
-* <<metricbeat-metricset-gcp-pubsub,pubsub>>
-
-* <<metricbeat-metricset-gcp-storage,storage>>
-
-include::gcp/billing.asciidoc[]
-
-include::gcp/carbon.asciidoc[]
-
-include::gcp/compute.asciidoc[]
-
-include::gcp/dataproc.asciidoc[]
-
-include::gcp/firestore.asciidoc[]
-
-include::gcp/gke.asciidoc[]
-
-include::gcp/loadbalancing.asciidoc[]
-
-include::gcp/metrics.asciidoc[]
-
-include::gcp/pubsub.asciidoc[]
-
-include::gcp/storage.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/gcp/billing.asciidoc b/metricbeat/docs/modules/gcp/billing.asciidoc
deleted file mode 100644
index 433fda6ed485..000000000000
--- a/metricbeat/docs/modules/gcp/billing.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/gcp/billing/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-gcp-billing]]
-[role="xpack"]
-=== Google Cloud Platform billing metricset
-
-include::../../../../x-pack/metricbeat/module/gcp/billing/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-gcp,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/gcp/billing/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/gcp/carbon.asciidoc b/metricbeat/docs/modules/gcp/carbon.asciidoc
deleted file mode 100644
index 1f926fa96ecd..000000000000
--- a/metricbeat/docs/modules/gcp/carbon.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/gcp/carbon/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-gcp-carbon]]
-[role="xpack"]
-=== Google Cloud Platform carbon metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/gcp/carbon/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-gcp,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/gcp/carbon/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/gcp/compute.asciidoc b/metricbeat/docs/modules/gcp/compute.asciidoc
deleted file mode 100644
index db3387d9a24e..000000000000
--- a/metricbeat/docs/modules/gcp/compute.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/gcp/compute/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-gcp-compute]]
-[role="xpack"]
-=== Google Cloud Platform compute metricset
-
-include::../../../../x-pack/metricbeat/module/gcp/compute/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-gcp,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/gcp/compute/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/gcp/dataproc.asciidoc b/metricbeat/docs/modules/gcp/dataproc.asciidoc
deleted file mode 100644
index 88770b431e6d..000000000000
--- a/metricbeat/docs/modules/gcp/dataproc.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/gcp/dataproc/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-gcp-dataproc]]
-[role="xpack"]
-=== Google Cloud Platform dataproc metricset
-
-include::../../../../x-pack/metricbeat/module/gcp/dataproc/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-gcp,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/gcp/dataproc/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/gcp/firestore.asciidoc b/metricbeat/docs/modules/gcp/firestore.asciidoc
deleted file mode 100644
index 681e042d07d3..000000000000
--- a/metricbeat/docs/modules/gcp/firestore.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/gcp/firestore/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-gcp-firestore]]
-[role="xpack"]
-=== Google Cloud Platform firestore metricset
-
-include::../../../../x-pack/metricbeat/module/gcp/firestore/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-gcp,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/gcp/firestore/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/gcp/gke.asciidoc b/metricbeat/docs/modules/gcp/gke.asciidoc
deleted file mode 100644
index e0efbbe3c35f..000000000000
--- a/metricbeat/docs/modules/gcp/gke.asciidoc
+++ /dev/null
@@ -1,22 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/gcp/gke/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-gcp-gke]]
-[role="xpack"]
-=== Google Cloud Platform gke metricset
-
-include::../../../../x-pack/metricbeat/module/gcp/gke/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-gcp,exported fields>> section.
-
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/gcp/loadbalancing.asciidoc b/metricbeat/docs/modules/gcp/loadbalancing.asciidoc
deleted file mode 100644
index 704b6c339a4a..000000000000
--- a/metricbeat/docs/modules/gcp/loadbalancing.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/gcp/loadbalancing/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-gcp-loadbalancing]]
-[role="xpack"]
-=== Google Cloud Platform loadbalancing metricset
-
-include::../../../../x-pack/metricbeat/module/gcp/loadbalancing/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-gcp,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/gcp/loadbalancing/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/gcp/metrics.asciidoc b/metricbeat/docs/modules/gcp/metrics.asciidoc
deleted file mode 100644
index 2e4f2fd0d93a..000000000000
--- a/metricbeat/docs/modules/gcp/metrics.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/gcp/metrics/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-gcp-metrics]]
-[role="xpack"]
-=== Google Cloud Platform metrics metricset
-
-include::../../../../x-pack/metricbeat/module/gcp/metrics/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-gcp,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/gcp/metrics/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/gcp/pubsub.asciidoc b/metricbeat/docs/modules/gcp/pubsub.asciidoc
deleted file mode 100644
index bf0f9c622b34..000000000000
--- a/metricbeat/docs/modules/gcp/pubsub.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/gcp/pubsub/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-gcp-pubsub]]
-[role="xpack"]
-=== Google Cloud Platform pubsub metricset
-
-include::../../../../x-pack/metricbeat/module/gcp/pubsub/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-gcp,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/gcp/pubsub/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/gcp/storage.asciidoc b/metricbeat/docs/modules/gcp/storage.asciidoc
deleted file mode 100644
index 793f5e587b8b..000000000000
--- a/metricbeat/docs/modules/gcp/storage.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/gcp/storage/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-gcp-storage]]
-[role="xpack"]
-=== Google Cloud Platform storage metricset
-
-include::../../../../x-pack/metricbeat/module/gcp/storage/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-gcp,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/gcp/storage/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/golang.asciidoc b/metricbeat/docs/modules/golang.asciidoc
deleted file mode 100644
index d82de43429ca..000000000000
--- a/metricbeat/docs/modules/golang.asciidoc
+++ /dev/null
@@ -1,54 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: golang
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/golang/_meta/docs.asciidoc
-
-
-[[metricbeat-module-golang]]
-== Golang module
-
-The golang module collects metrics by submitting HTTP GET requests to https://golang.org/pkg/expvar/[golang-expvar-api].
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Golang module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: golang
-  #metricsets:
-  #  - expvar
-  #  - heap
-  period: 10s
-  hosts: ["localhost:6060"]
-  heap.path: "/debug/vars"
-  expvar:
-    namespace: "example"
-    path: "/debug/vars"
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-golang-expvar,expvar>>
-
-* <<metricbeat-metricset-golang-heap,heap>>
-
-include::golang/expvar.asciidoc[]
-
-include::golang/heap.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/golang/expvar.asciidoc b/metricbeat/docs/modules/golang/expvar.asciidoc
deleted file mode 100644
index 8f6cd873b782..000000000000
--- a/metricbeat/docs/modules/golang/expvar.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/golang/expvar/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-golang-expvar]]
-=== Golang expvar metricset
-
-include::../../../module/golang/expvar/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-golang,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/golang/expvar/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/golang/heap.asciidoc b/metricbeat/docs/modules/golang/heap.asciidoc
deleted file mode 100644
index 13b630f70447..000000000000
--- a/metricbeat/docs/modules/golang/heap.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/golang/heap/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-golang-heap]]
-=== Golang heap metricset
-
-include::../../../module/golang/heap/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-golang,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/golang/heap/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/graphite.asciidoc b/metricbeat/docs/modules/graphite.asciidoc
deleted file mode 100644
index dd7ed9f29f97..000000000000
--- a/metricbeat/docs/modules/graphite.asciidoc
+++ /dev/null
@@ -1,61 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: graphite
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/graphite/_meta/docs.asciidoc
-
-
-[[metricbeat-module-graphite]]
-== Graphite module
-
-This is the Graphite module.
-
-The default metricset is `server`.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Graphite module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: graphite
-  metricsets: ["server"]
-  enabled: true
-
-  # Host address to listen on. Default localhost.
-  #host: localhost
-
-  # Listening port. Default 2003.
-  #port: 2003
-
-  # Protocol to listen on. This can be udp or tcp. Default udp.
-  #protocol: "udp"
-
-  # Receive buffer size in bytes
-  #receive_buffer_size: 1024
-
-  #templates:
-  #  - filter: "test.*.bash.*" # This would match metrics like test.localhost.bash.stats
-  #    namespace: "test"
-  #    template: ".host.shell.metric*" # test.localhost.bash.stats would become metric=stats and tags host=localhost,shell=bash
-  #    delimiter: "_"
-
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-graphite-server,server>>
-
-include::graphite/server.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/graphite/server.asciidoc b/metricbeat/docs/modules/graphite/server.asciidoc
deleted file mode 100644
index b8e9a4d86e03..000000000000
--- a/metricbeat/docs/modules/graphite/server.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/graphite/server/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-graphite-server]]
-=== Graphite server metricset
-
-include::../../../module/graphite/server/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-graphite,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/graphite/server/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/haproxy.asciidoc b/metricbeat/docs/modules/haproxy.asciidoc
deleted file mode 100644
index 938e7a784785..000000000000
--- a/metricbeat/docs/modules/haproxy.asciidoc
+++ /dev/null
@@ -1,120 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: haproxy
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/haproxy/_meta/docs.asciidoc
-
-
-[[metricbeat-module-haproxy]]
-== HAProxy module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This module collects stats from http://www.haproxy.org/[HAProxy]. It supports
-collection from TCP sockets, UNIX sockets, or HTTP with or without basic
-authentication.
-
-Metricbeat can collect two metricsets from HAProxy: `info` and `stat`. `info`
-is not available when using the stats page.
-
-[float]
-=== Configure HAProxy to collect stats
-
-Before you can use Metricbeat to collect stats, you must enable the stats module
-in HAProxy. You can do this a couple of ways: configure HAProxy to
-report stats via a TCP or UNIX socket, or enable the stats page.
-
-[float]
-==== TCP socket
-
-To enable stats reporting via any local IP on port 14567, add the following line
-to the `global` or `default` section of the HAProxy config:
-
-[source,shell]
-----
- stats socket 127.0.0.1:14567
-----
-
-NOTE: You should use an internal private IP, or secure this with a firewall
-rule, so that only designated hosts can access this data.
-
-[float]
-==== UNIX socket
-
-To enable stats reporting via a UNIX socket, add the following line to the
-`global` or `default` section of the HAProxy config:
-
-[source,shell]
-----
- stats socket /path/to/haproxy.sock mode 660 level admin
-----
-
-[float]
-==== Stats page
-
-To enable the HAProxy stats page, add the following lines to the HAProxy config,
-then restart HAProxy. The stats page in this example will be available to any IP
-on port 14567 after authentication.
-
-[source,haproxy]
-----
- listen stats
-   bind 0.0.0.0:14567
-   stats enable
-   stats uri /stats
-   stats auth admin:admin
-----
-
-
-[float]
-=== Compatibility
-
-The HAProxy metricsets are tested with HAProxy versions from 1.6 to 1.8.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The HAProxy module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: haproxy
-  metricsets: ["info", "stat"]
-  period: 10s
-  # TCP socket, UNIX socket, or HTTP address where HAProxy stats are reported
-  # TCP socket
-  hosts: ["tcp://127.0.0.1:14567"]
-  # UNIX socket
-  #hosts: ["unix:///path/to/haproxy.sock"]
-  # Stats page
-  #hosts: ["http://127.0.0.1:14567"]
-  username : "admin"
-  password : "admin"
-  enabled: true
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-haproxy-info,info>>
-
-* <<metricbeat-metricset-haproxy-stat,stat>>
-
-include::haproxy/info.asciidoc[]
-
-include::haproxy/stat.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/haproxy/info.asciidoc b/metricbeat/docs/modules/haproxy/info.asciidoc
deleted file mode 100644
index 2bb2d52d99e3..000000000000
--- a/metricbeat/docs/modules/haproxy/info.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/haproxy/info/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-haproxy-info]]
-=== HAProxy info metricset
-
-include::../../../module/haproxy/info/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-haproxy,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/haproxy/info/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/haproxy/stat.asciidoc b/metricbeat/docs/modules/haproxy/stat.asciidoc
deleted file mode 100644
index afd8498ef8ef..000000000000
--- a/metricbeat/docs/modules/haproxy/stat.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/haproxy/stat/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-haproxy-stat]]
-=== HAProxy stat metricset
-
-include::../../../module/haproxy/stat/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-haproxy,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/haproxy/stat/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/http.asciidoc b/metricbeat/docs/modules/http.asciidoc
deleted file mode 100644
index 66e2f1623ad1..000000000000
--- a/metricbeat/docs/modules/http.asciidoc
+++ /dev/null
@@ -1,79 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: http
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/http/_meta/docs.asciidoc
-
-
-[[metricbeat-module-http]]
-== HTTP module
-
-The HTTP module is a Metricbeat module used to call arbitrary HTTP endpoints for which a dedicated Metricbeat module is not available.
-
-Multiple endpoints can be configured which are polled in a regular interval and the result is shipped to the configured output channel. It is recommended to install a Metricbeat instance on each host from which data should be fetched.
-
-This module is inspired by the Logstash https://www.elastic.co/guide/en/logstash/current/plugins-inputs-http_poller.html[http_poller] input filter but doesn't require that the endpoint is reachable by Logstash as the Metricbeat module pushes the data to the configured output channels, e.g. Logstash or Elasticsearch.
-
-This is often necessary in security restricted network setups, where Logstash is not able to reach all servers. Instead the server to be monitored itself has Metricbeat installed and can send the data or a collector server has Metricbeat installed which is deployed in the secured network environment and can reach all servers to be monitored.
-
-NOTE: As the HTTP metricsets also fetch headers, this can lead to lots of fields in Elasticsearch in case there are many different headers. If this is the case for you and you don't need the headers, we recommend to use processors to filter out the header field.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The HTTP module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: http
-  #metricsets:
-  #  - json
-  period: 10s
-  hosts: ["localhost:80"]
-  namespace: "json_namespace"
-  path: "/"
-  #body: ""
-  #method: "GET"
-  #username: "user"
-  #password: "secret"
-  #request.enabled: false
-  #response.enabled: false
-  #json.is_array: false
-  #dedot.enabled: false
-
-- module: http
-  #metricsets:
-  #  - server
-  host: "localhost"
-  port: "8080"
-  enabled: false
-  #paths:
-  #  - path: "/foo"
-  #    namespace: "foo"
-  #    fields: # added to the the response in root. overwrites existing fields
-  #      key: "value"
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-http-json,json>>
-
-* <<metricbeat-metricset-http-server,server>>
-
-include::http/json.asciidoc[]
-
-include::http/server.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/http/json.asciidoc b/metricbeat/docs/modules/http/json.asciidoc
deleted file mode 100644
index b866e6c2139a..000000000000
--- a/metricbeat/docs/modules/http/json.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/http/json/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-http-json]]
-=== HTTP json metricset
-
-include::../../../module/http/json/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-http,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/http/json/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/http/server.asciidoc b/metricbeat/docs/modules/http/server.asciidoc
deleted file mode 100644
index bdc2486259c6..000000000000
--- a/metricbeat/docs/modules/http/server.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/http/server/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-http-server]]
-=== HTTP server metricset
-
-include::../../../module/http/server/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-http,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/http/server/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/ibmmq.asciidoc b/metricbeat/docs/modules/ibmmq.asciidoc
deleted file mode 100644
index 68af76815cda..000000000000
--- a/metricbeat/docs/modules/ibmmq.asciidoc
+++ /dev/null
@@ -1,78 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: ibmmq
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/ibmmq/_meta/docs.asciidoc
-
-
-[[metricbeat-module-ibmmq]]
-[role="xpack"]
-== IBM MQ module
-
-beta[]
-
-This module periodically fetches metrics from a containerized distribution of IBM MQ.
-
-[float]
-=== Compatibility
-
-The ibmmq `qmgr` metricset is compatible with a containerized distribution of IBM MQ (since version 9.1.0).
-The Docker image starts the `runmqserver` process, which spawns the HTTP server exposing metrics in Prometheus
-format ([source code](https://github.com/ibm-messaging/mq-container/blob/9.1.0/internal/metrics/metrics.go)).
-
-The Docker container lifecycle, including metrics collection, has been described in the [Internals](https://github.com/ibm-messaging/mq-container/blob/9.1.0/docs/internals.md)
-document.
-
-The image provides an option to easily enable metrics exporter using an environment
-variable:
-
-`MQ_ENABLE_METRICS` - Set this to `true` to generate Prometheus metrics for the Queue Manager.
-
-[float]
-=== Dashboard
-
-The ibmmq module includes predefined dashboards with overview information
-of the monitored Queue Manager, including subscriptions, calls and messages.
-
-image::./images/metricbeat-ibmmq-calls.png[]
-
-image::./images/metricbeat-ibmmq-messages.png[]
-
-image::./images/metricbeat-ibmmq-subscriptions.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The IBM MQ module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: ibmmq
-  metricsets: ['qmgr']
-  period: 10s
-  hosts: ['localhost:9157']
-
-  # This module uses the Prometheus collector metricset, all
-  # the options for this metricset are also available here.
-  metrics_path: /metrics
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-ibmmq-qmgr,qmgr>>
-
-include::ibmmq/qmgr.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/ibmmq/qmgr.asciidoc b/metricbeat/docs/modules/ibmmq/qmgr.asciidoc
deleted file mode 100644
index 71d32c950aff..000000000000
--- a/metricbeat/docs/modules/ibmmq/qmgr.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/ibmmq/qmgr/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-ibmmq-qmgr]]
-[role="xpack"]
-=== IBM MQ qmgr metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/ibmmq/qmgr/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-ibmmq,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/ibmmq/qmgr/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/iis.asciidoc b/metricbeat/docs/modules/iis.asciidoc
deleted file mode 100644
index d6ff32d82270..000000000000
--- a/metricbeat/docs/modules/iis.asciidoc
+++ /dev/null
@@ -1,107 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: iis
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/iis/_meta/docs.asciidoc
-
-
-[[metricbeat-module-iis]]
-[role="xpack"]
-== IIS module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-IIS (Internet Information Services) is a secure, reliable, and scalable Web server that provides an easy to manage platform for developing and hosting Web applications and services.
-
-The `iis` module will periodically retrieve IIS related metrics using performance counters such as:
-
- - System/Process counters like the the overall server and CPU usage for the IIS Worker Process and memory (currently used and available memory for the IIS Worker Process).
- - IIS performance counters like Web Service: Bytes Received/Sec, Web Service: Bytes Sent/Sec, etc, which are helpful to track to identify potential spikes in traffic.
- - Web Service Cache counters in order to monitor user mode cache and output cache.
-
-
-The `iis` module mericsets are `webserver`, `website` and `application_pool`.
-
-[source,yaml]
-----
-- module: iis
-  metricsets:
-    - webserver
-    - website
-    - application_pool
-  enabled: true
-  period: 10s
-
- # filter on application pool names
- # application_pool.name: []
-----
-
-[float]
-== Metricsets
-
-[float]
-=== `webserver`
-A light metricset using the windows perfmon metricset as the base metricset.
-This metricset allows users to retrieve aggregated metrics for the entire webserver,
-
-[float]
-=== `website`
-A light metricset using the windows perfmon metricset as the base metricset.
-This metricset will collect metrics of specific sites, users can configure which websites they want to monitor, else, all are considered.
-
-[float]
-=== `application_pool`
-This metricset will collect metrics of specific application pools, users can configure which websites they want to monitor, else, all are considered.
-
-
-[float]
-=== Module-specific configuration notes
-
-`application_pool.name`:: []string, users can specify the application pools they would like to monitor.
-
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The IIS module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: iis
-  metricsets:
-    - webserver
-    - website
-    - application_pool
-  enabled: true
-  period: 10s
-
- # filter on application pool names
- # application_pool.name: []
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-iis-application_pool,application_pool>>
-
-* <<metricbeat-metricset-iis-webserver,webserver>>
-
-* <<metricbeat-metricset-iis-website,website>>
-
-include::iis/application_pool.asciidoc[]
-
-include::iis/webserver.asciidoc[]
-
-include::iis/website.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/iis/application_pool.asciidoc b/metricbeat/docs/modules/iis/application_pool.asciidoc
deleted file mode 100644
index 4c173db3fa1a..000000000000
--- a/metricbeat/docs/modules/iis/application_pool.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/iis/application_pool/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-iis-application_pool]]
-[role="xpack"]
-=== IIS application_pool metricset
-
-include::../../../../x-pack/metricbeat/module/iis/application_pool/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-iis,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/iis/application_pool/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/iis/webserver.asciidoc b/metricbeat/docs/modules/iis/webserver.asciidoc
deleted file mode 100644
index 5ba4e5707c8f..000000000000
--- a/metricbeat/docs/modules/iis/webserver.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/iis/webserver/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-iis-webserver]]
-[role="xpack"]
-=== IIS webserver metricset
-
-include::../../../../x-pack/metricbeat/module/iis/webserver/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-iis,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/iis/webserver/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/iis/website.asciidoc b/metricbeat/docs/modules/iis/website.asciidoc
deleted file mode 100644
index 1aacb3d104bc..000000000000
--- a/metricbeat/docs/modules/iis/website.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/iis/website/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-iis-website]]
-[role="xpack"]
-=== IIS website metricset
-
-include::../../../../x-pack/metricbeat/module/iis/website/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-iis,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/iis/website/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/istio.asciidoc b/metricbeat/docs/modules/istio.asciidoc
deleted file mode 100644
index 400f07e27af8..000000000000
--- a/metricbeat/docs/modules/istio.asciidoc
+++ /dev/null
@@ -1,146 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: istio
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/istio/_meta/docs.asciidoc
-
-
-[[metricbeat-module-istio]]
-[role="xpack"]
-== Istio module
-
-beta[]
-
-This is the Istio module.
-When using versions prior to `1.5` then the `mesh`, `mixer`, `pilot`, `galley`, `citadel` metricsets should be used.
-
-In such case, the Istio module collects metrics from the pre v1.5
-Istio https://istio.io/v1.4/docs/tasks/observability/metrics/querying-metrics/#about-the-prometheus-add-on[prometheus exporters endpoints].
-
-For versions after `1.5`, the `istiod` and `proxy` metricsets should be used.
-In such case, the `istiod` endpoint collects metrics directly from the Istio Daemon while the `proxy` endpoint collects from each of the proxy sidecars.
-The metrics exposed by Istio after version `1.5` are documented on https://istio.io/latest/docs/reference/config/metrics/[Istio Documentation > Reference > Configuration > Istio Standard Metrics].
-
-
-[float]
-=== Compatibility
-
-The Istio module is tested with Istio `1.4` for `mesh`, `mixer`, `pilot`, `galley`, `citadel`.
-The Istio module is tested with Istio `1.7` for `istiod` and `proxy`.
-
-[float]
-=== Dashboard
-
-The Istio module includes predefined dashboards:
-
-1. Overview information about Istio Daemon.
-
-2. Traffic information collected from istio-proxies.
-
-These dashboards are only compatible with versions of Istio after `1.5` which should be monitored with `istiod`
-and `proxy` metricsets.
-
-image::./images/metricbeat-istio-overview.png[]
-
-image::./images/metricbeat-istio-traffic.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Istio module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-# Istio mesh. To collect all Mixer-generated metrics. For versions of Istio prior to 1.5.
-- module: istio
-  metricsets: ["mesh"]
-  period: 10s
-  # use istio-telemetry.istio-system:42422, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset
-  hosts: ["localhost:42422"]
-
-# Istio mixer. To monitor Mixer itself. For versions of Istio prior to 1.5.
-- module: istio
-  metricsets: ["mixer"]
-  period: 10s
-  # use istio-telemetry.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset
-  hosts: ["localhost:15014"]
-
-# Istio galley. To collect all Galley-generated metrics. For versions of Istio prior to 1.5.
-- module: istio
-  metricsets: ["galley"]
-  period: 10s
-  # use istio-galley.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset
-  hosts: ["localhost:15014"]
-
-# Istio pilot. To collect all Pilot-generated metrics. For versions of Istio prior to 1.5.
-- module: istio
-  metricsets: ["pilot"]
-  period: 10s
-  # use istio-pilot.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset
-  hosts: ["localhost:15014"]
-
-# Istio citadel. To collect all Citadel-generated metrics. For versions of Istio prior to 1.5.
-- module: istio
-  metricsets: ["citadel"]
-  period: 10s
-  # use istio-pilot.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset
-  hosts: ["localhost:15014"]
-
-# Istio istiod to monitor the Istio Daemon for versions of Istio after 1.5.
-- module: istio
-  metricsets: ['istiod']
-  period: 10s
-  # use istiod.istio-system:15014, when deploying Metricbeat in a kubernetes cluster as Pod or Daemonset
-  hosts: ['localhost:15014']
-
-# Istio proxy to monitor Envoy sidecars for versions of Istio after 1.5.
-- module: istio
-  metricsets: ['proxy']
-  period: 10s
-  # it's recommended to deploy this metricset with autodiscovery, see metricset's docs for more info
-  hosts: ['localhost:15090']
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-istio-citadel,citadel>>
-
-* <<metricbeat-metricset-istio-galley,galley>>
-
-* <<metricbeat-metricset-istio-istiod,istiod>>
-
-* <<metricbeat-metricset-istio-mesh,mesh>>
-
-* <<metricbeat-metricset-istio-mixer,mixer>>
-
-* <<metricbeat-metricset-istio-pilot,pilot>>
-
-* <<metricbeat-metricset-istio-proxy,proxy>>
-
-include::istio/citadel.asciidoc[]
-
-include::istio/galley.asciidoc[]
-
-include::istio/istiod.asciidoc[]
-
-include::istio/mesh.asciidoc[]
-
-include::istio/mixer.asciidoc[]
-
-include::istio/pilot.asciidoc[]
-
-include::istio/proxy.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/istio/citadel.asciidoc b/metricbeat/docs/modules/istio/citadel.asciidoc
deleted file mode 100644
index bd02368c0cd2..000000000000
--- a/metricbeat/docs/modules/istio/citadel.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/istio/citadel/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-istio-citadel]]
-[role="xpack"]
-=== Istio citadel metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/istio/citadel/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-istio,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/istio/citadel/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/istio/galley.asciidoc b/metricbeat/docs/modules/istio/galley.asciidoc
deleted file mode 100644
index 6637524ca278..000000000000
--- a/metricbeat/docs/modules/istio/galley.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/istio/galley/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-istio-galley]]
-[role="xpack"]
-=== Istio galley metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/istio/galley/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-istio,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/istio/galley/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/istio/istiod.asciidoc b/metricbeat/docs/modules/istio/istiod.asciidoc
deleted file mode 100644
index 0de6bc7800ae..000000000000
--- a/metricbeat/docs/modules/istio/istiod.asciidoc
+++ /dev/null
@@ -1,23 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/istio/istiod/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-istio-istiod]]
-[role="xpack"]
-=== Istio istiod metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/istio/istiod/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-istio,exported fields>> section.
-
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/istio/mesh.asciidoc b/metricbeat/docs/modules/istio/mesh.asciidoc
deleted file mode 100644
index bd82b25fc1fb..000000000000
--- a/metricbeat/docs/modules/istio/mesh.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/istio/mesh/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-istio-mesh]]
-[role="xpack"]
-=== Istio mesh metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/istio/mesh/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-istio,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/istio/mesh/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/istio/mixer.asciidoc b/metricbeat/docs/modules/istio/mixer.asciidoc
deleted file mode 100644
index ad14b425e3bc..000000000000
--- a/metricbeat/docs/modules/istio/mixer.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/istio/mixer/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-istio-mixer]]
-[role="xpack"]
-=== Istio mixer metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/istio/mixer/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-istio,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/istio/mixer/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/istio/pilot.asciidoc b/metricbeat/docs/modules/istio/pilot.asciidoc
deleted file mode 100644
index 5932bf757fbb..000000000000
--- a/metricbeat/docs/modules/istio/pilot.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/istio/pilot/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-istio-pilot]]
-[role="xpack"]
-=== Istio pilot metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/istio/pilot/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-istio,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/istio/pilot/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/istio/proxy.asciidoc b/metricbeat/docs/modules/istio/proxy.asciidoc
deleted file mode 100644
index 2f9c3812f5b3..000000000000
--- a/metricbeat/docs/modules/istio/proxy.asciidoc
+++ /dev/null
@@ -1,23 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/istio/proxy/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-istio-proxy]]
-[role="xpack"]
-=== Istio proxy metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/istio/proxy/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-istio,exported fields>> section.
-
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/jolokia.asciidoc b/metricbeat/docs/modules/jolokia.asciidoc
deleted file mode 100644
index 81bab7618b61..000000000000
--- a/metricbeat/docs/modules/jolokia.asciidoc
+++ /dev/null
@@ -1,81 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: jolokia
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/jolokia/_meta/docs.asciidoc
-
-
-[[metricbeat-module-jolokia]]
-== Jolokia module
-
-This module collects metrics from
-https://jolokia.org/reference/html/agents.html[Jolokia agents] running on a
-target JMX server or dedicated proxy server. The default metricset is `jmx`.
-
-To collect metrics, {beatname_uc} communicates with a Jolokia HTTP/REST
-endpoint that exposes the JMX metrics over HTTP/REST/JSON.
-
-[float]
-=== Compatibility
-
-The Jolokia module is tested with Jolokia 1.5.0. It should work with version
-1.2.2 and later.
-
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Jolokia module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: jolokia
-  #metricsets: ["jmx"]
-  period: 10s
-  hosts: ["localhost"]
-  namespace: "metrics"
-  #path: "/jolokia/?ignoreErrors=true&canonicalNaming=false"
-  #username: "user"
-  #password: "secret"
-  jmx.mappings:
-    #- mbean: 'java.lang:type=Runtime'
-    #  attributes:
-    #    - attr: Uptime
-    #      field: uptime
-    #- mbean: 'java.lang:type=Memory'
-    #  attributes:
-    #    - attr: HeapMemoryUsage
-    #      field: memory.heap_usage
-    #    - attr: NonHeapMemoryUsage
-    #      field: memory.non_heap_usage
-    # GC Metrics - this depends on what is available on your JVM
-    #- mbean: 'java.lang:type=GarbageCollector,name=ConcurrentMarkSweep'
-    #  attributes:
-    #    - attr: CollectionTime
-    #      field: gc.cms_collection_time
-    #    - attr: CollectionCount
-    #      field: gc.cms_collection_count
-
-  jmx.application:
-  jmx.instance:
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-jolokia-jmx,jmx>>
-
-include::jolokia/jmx.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/jolokia/jmx.asciidoc b/metricbeat/docs/modules/jolokia/jmx.asciidoc
deleted file mode 100644
index dd40032aabdf..000000000000
--- a/metricbeat/docs/modules/jolokia/jmx.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/jolokia/jmx/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-jolokia-jmx]]
-=== Jolokia jmx metricset
-
-include::../../../module/jolokia/jmx/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-jolokia,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/jolokia/jmx/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kafka.asciidoc b/metricbeat/docs/modules/kafka.asciidoc
deleted file mode 100644
index e5bacff2453a..000000000000
--- a/metricbeat/docs/modules/kafka.asciidoc
+++ /dev/null
@@ -1,149 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: kafka
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kafka/_meta/docs.asciidoc
-
-
-[[metricbeat-module-kafka]]
-== Kafka module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This is the Kafka module.
-
-The default metricsets are `consumergroup` and `partition`.
-
-If authorization is configured in the Kafka cluster, the following ACLs are
-required for the Metricbeat user:
-
-* READ Topic, for the topics to be monitored
-* DESCRIBE Group, for the groups to be monitored
-
-For example, if the `stats` user is being used for Metricbeat, to monitor all
-topics and all consumer groups, ACLS can be granted with the following commands:
-
-[source,shell]
------
-kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:stats --operation Read --topic '*'
-kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:stats --operation Describe --group '*'
------
-
-[float]
-=== Compatibility
-
-This module is tested with Kafka 0.10.2.1, 1.1.0, 2.1.1, 2.2.2 and 3.6.0.
-
-The Broker, Producer, Consumer metricsets require <<metricbeat-module-jolokia,Jolokia>> to fetch JMX metrics. Refer to the link for Jolokia's compatibility notes.
-
-[float]
-=== Usage
-The Broker, Producer, Consumer metricsets require <<metricbeat-module-jolokia,Jolokia>> to fetch JMX metrics. Refer to those Metricsets' documentation about how to use Jolokia.
-
-
-[float]
-=== Dashboard
-
-The Kafka module comes with a predefined dashboard. For example:
-
-image::./images/metricbeat_kafka_dashboard.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Kafka module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-# Kafka metrics collected using the Kafka protocol
-- module: kafka
-  #metricsets:
-  #  - partition
-  #  - consumergroup
-  period: 10s
-  hosts: ["localhost:9092"]
-
-  #client_id: metricbeat
-  #retries: 3
-  #backoff: 250ms
-
-  # List of Topics to query metadata for. If empty, all topics will be queried.
-  #topics: []
-
-  # Optional SSL. By default is off.
-  # List of root certificates for HTTPS server verifications
-  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
-
-  # Certificate for SSL client authentication
-  #ssl.certificate: "/etc/pki/client/cert.pem"
-
-  # Client Certificate Key
-  #ssl.key: "/etc/pki/client/cert.key"
-
-  # Client Certificate Passphrase (in case your Client Certificate Key is encrypted)
-  #ssl.key_passphrase: "yourKeyPassphrase"
-
-  # SASL authentication
-  #username: ""
-  #password: ""
-
-  # SASL authentication mechanism used. Can be one of PLAIN, SCRAM-SHA-256 or SCRAM-SHA-512.
-  # Defaults to PLAIN when `username` and `password` are configured.
-  #sasl.mechanism: ''
-
-# Metrics collected from a Kafka broker using Jolokia
-#- module: kafka
-#  metricsets:
-#    - broker
-#  period: 10s
-#  hosts: ["localhost:8779"]
-
-# Metrics collected from a Java Kafka consumer using Jolokia
-#- module: kafka
-#  metricsets:
-#    - consumer
-#  period: 10s
-#  hosts: ["localhost:8774"]
-
-# Metrics collected from a Java Kafka producer using Jolokia
-#- module: kafka
-#  metricsets:
-#    - producer
-#  period: 10s
-#  hosts: ["localhost:8775"]
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-kafka-broker,broker>>
-
-* <<metricbeat-metricset-kafka-consumer,consumer>>
-
-* <<metricbeat-metricset-kafka-consumergroup,consumergroup>>
-
-* <<metricbeat-metricset-kafka-partition,partition>>
-
-* <<metricbeat-metricset-kafka-producer,producer>>
-
-include::kafka/broker.asciidoc[]
-
-include::kafka/consumer.asciidoc[]
-
-include::kafka/consumergroup.asciidoc[]
-
-include::kafka/partition.asciidoc[]
-
-include::kafka/producer.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/kafka/broker.asciidoc b/metricbeat/docs/modules/kafka/broker.asciidoc
deleted file mode 100644
index b893212b12bf..000000000000
--- a/metricbeat/docs/modules/kafka/broker.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kafka/broker/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kafka-broker]]
-=== Kafka broker metricset
-
-beta[]
-
-include::../../../module/kafka/broker/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kafka,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kafka/broker/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kafka/consumer.asciidoc b/metricbeat/docs/modules/kafka/consumer.asciidoc
deleted file mode 100644
index 4c368f577d3b..000000000000
--- a/metricbeat/docs/modules/kafka/consumer.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kafka/consumer/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kafka-consumer]]
-=== Kafka consumer metricset
-
-beta[]
-
-include::../../../module/kafka/consumer/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kafka,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kafka/consumer/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kafka/consumergroup.asciidoc b/metricbeat/docs/modules/kafka/consumergroup.asciidoc
deleted file mode 100644
index 27013ee39e39..000000000000
--- a/metricbeat/docs/modules/kafka/consumergroup.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kafka/consumergroup/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kafka-consumergroup]]
-=== Kafka consumergroup metricset
-
-include::../../../module/kafka/consumergroup/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kafka,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kafka/consumergroup/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kafka/partition.asciidoc b/metricbeat/docs/modules/kafka/partition.asciidoc
deleted file mode 100644
index 2a9f2ef6cb50..000000000000
--- a/metricbeat/docs/modules/kafka/partition.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kafka/partition/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kafka-partition]]
-=== Kafka partition metricset
-
-include::../../../module/kafka/partition/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kafka,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kafka/partition/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kafka/producer.asciidoc b/metricbeat/docs/modules/kafka/producer.asciidoc
deleted file mode 100644
index 0ec4762547da..000000000000
--- a/metricbeat/docs/modules/kafka/producer.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kafka/producer/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kafka-producer]]
-=== Kafka producer metricset
-
-beta[]
-
-include::../../../module/kafka/producer/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kafka,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kafka/producer/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kibana.asciidoc b/metricbeat/docs/modules/kibana.asciidoc
deleted file mode 100644
index 0ecf5cfe16b2..000000000000
--- a/metricbeat/docs/modules/kibana.asciidoc
+++ /dev/null
@@ -1,95 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: kibana
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kibana/_meta/docs.asciidoc
-
-
-[[metricbeat-module-kibana]]
-== Kibana module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-The `kibana` module collects metrics about {kib}.
-
-[float]
-=== Compatibility
-
-The `kibana` module works with {kib} 6.7.0 and later.
-
-[float]
-=== Usage for {stack} Monitoring
-
-The `kibana` module can be used to collect metrics shown in our {stack-monitor-app}
-UI in {kib}. To enable this usage, set `xpack.enabled: true` and remove any `metricsets`
-from the module's configuration. Alternatively, run `metricbeat modules disable kibana` and
-`metricbeat modules enable kibana-xpack`.
-
-NOTE: When this module is used for {stack} Monitoring, it sends metrics to the
-monitoring index instead of the default index typically used by {metricbeat}.
-For more details about the monitoring index, see
-{ref}/config-monitoring-indices.html[Configuring indices for monitoring].
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Kibana module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: kibana
-  metricsets: ["status"]
-  period: 10s
-  hosts: ["localhost:5601"]
-  basepath: ""
-  enabled: true
-  #username: "user"
-  #password: "secret"
-  #api_key: "foo:bar"
-
-  # Set to true to send data collected by module to X-Pack
-  # Monitoring instead of metricbeat-* indices.
-  #xpack.enabled: false
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-kibana-cluster_actions,cluster_actions>>
-
-* <<metricbeat-metricset-kibana-cluster_rules,cluster_rules>>
-
-* <<metricbeat-metricset-kibana-node_actions,node_actions>>
-
-* <<metricbeat-metricset-kibana-node_rules,node_rules>>
-
-* <<metricbeat-metricset-kibana-stats,stats>>
-
-* <<metricbeat-metricset-kibana-status,status>>
-
-include::kibana/cluster_actions.asciidoc[]
-
-include::kibana/cluster_rules.asciidoc[]
-
-include::kibana/node_actions.asciidoc[]
-
-include::kibana/node_rules.asciidoc[]
-
-include::kibana/stats.asciidoc[]
-
-include::kibana/status.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/kibana/cluster_actions.asciidoc b/metricbeat/docs/modules/kibana/cluster_actions.asciidoc
deleted file mode 100644
index 25d6944cc6bd..000000000000
--- a/metricbeat/docs/modules/kibana/cluster_actions.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kibana/cluster_actions/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kibana-cluster_actions]]
-=== Kibana cluster_actions metricset
-
-beta[]
-
-include::../../../module/kibana/cluster_actions/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kibana,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kibana/cluster_actions/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kibana/cluster_rules.asciidoc b/metricbeat/docs/modules/kibana/cluster_rules.asciidoc
deleted file mode 100644
index e12c4449c002..000000000000
--- a/metricbeat/docs/modules/kibana/cluster_rules.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kibana/cluster_rules/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kibana-cluster_rules]]
-=== Kibana cluster_rules metricset
-
-beta[]
-
-include::../../../module/kibana/cluster_rules/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kibana,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kibana/cluster_rules/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kibana/node_actions.asciidoc b/metricbeat/docs/modules/kibana/node_actions.asciidoc
deleted file mode 100644
index e92cf9c07b42..000000000000
--- a/metricbeat/docs/modules/kibana/node_actions.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kibana/node_actions/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kibana-node_actions]]
-=== Kibana node_actions metricset
-
-beta[]
-
-include::../../../module/kibana/node_actions/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kibana,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kibana/node_actions/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kibana/node_rules.asciidoc b/metricbeat/docs/modules/kibana/node_rules.asciidoc
deleted file mode 100644
index d116e13a4d04..000000000000
--- a/metricbeat/docs/modules/kibana/node_rules.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kibana/node_rules/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kibana-node_rules]]
-=== Kibana node_rules metricset
-
-beta[]
-
-include::../../../module/kibana/node_rules/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kibana,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kibana/node_rules/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kibana/stats.asciidoc b/metricbeat/docs/modules/kibana/stats.asciidoc
deleted file mode 100644
index 275c9da1399c..000000000000
--- a/metricbeat/docs/modules/kibana/stats.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kibana/stats/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kibana-stats]]
-=== Kibana stats metricset
-
-include::../../../module/kibana/stats/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kibana,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kibana/stats/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kibana/status.asciidoc b/metricbeat/docs/modules/kibana/status.asciidoc
deleted file mode 100644
index ba0161c8dc05..000000000000
--- a/metricbeat/docs/modules/kibana/status.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kibana/status/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kibana-status]]
-=== Kibana status metricset
-
-include::../../../module/kibana/status/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kibana,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kibana/status/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes.asciidoc b/metricbeat/docs/modules/kubernetes.asciidoc
deleted file mode 100644
index 18426c013c4f..000000000000
--- a/metricbeat/docs/modules/kubernetes.asciidoc
+++ /dev/null
@@ -1,492 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: kubernetes
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/_meta/docs.asciidoc
-
-
-[[metricbeat-module-kubernetes]]
-== Kubernetes module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-As one of the main pieces provided for Kubernetes monitoring, this module is capable of fetching metrics from several components:
-
-- https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet]
-- https://github.com/kubernetes/kube-state-metrics[kube-state-metrics]
-- https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[apiserver]
-- https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/[controller-manager]
-- https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/[scheduler]
-- https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[proxy]
-
-Some of the previous components are running on each of the Kubernetes nodes (like `kubelet` or `proxy`) while others provide a single cluster-wide endpoint. This is important to determine the optimal configuration and running strategy for the different metricsets included in the module.
-
-For a complete reference on how to configure and run this module on Kubernetes as part of a `DaemonSet` and a `Deployment`, there's a complete example manifest available in <<running-on-kubernetes, Running Metricbeat on Kubernetes>> document.
-
-[float]
-=== Kubernetes endpoints and metricsets
-
-Kubernetes module is a bit complex as its internal metricsets require access to a wide variety of endpoints.
-
-This section highlights and introduces some groups of metricsets with similar endpoint access needs. For more details on the metricsets see `configuration example` and the `metricsets` sections below.
-
-[float]
-==== container / node / pod / system / volume
-
-The default metricsets `container`, `node`, `pod`, `system`, and `volume` require access to the `kubelet endpoint` in each of the Kubernetes nodes, hence it's recommended to include them as part of a `Metricbeat DaemonSet` or standalone Metricbeats running on the hosts.
-
-Depending on the version and configuration of Kubernetes nodes, `kubelet` might provide a read only http port (typically 10255), which is used in some configuration examples. But in general, and lately, this endpoint requires SSL (`https`) access (to port 10250 by default) and token based authentication.
-
-[float]
-==== state_* and event
-
-All metricsets with the `state_` prefix require `hosts` field pointing to `kube-state-metrics
-service` within the cluster. As the service provides cluster-wide metrics, there's no need to fetch them per node, hence the recommendation is to run these metricsets as part of a `Metricbeat Deployment` with one only replica.
-
-Note: Kube-state-metrics is not deployed by default in Kubernetes. For these cases the instructions for its deployment are available https://github.com/kubernetes/kube-state-metrics#kubernetes-deployment[here]. Generally `kube-state-metrics` runs a `Deployment` and is accessible via a service called `kube-state-metrics` on `kube-system` namespace, which will be the service to use in our configuration.
-
-[float]
-==== apiserver
-
-The apiserver metricset requires access to the Kubernetes API, which should be easily available in all Kubernetes environments. Depending on the Kubernetes configuration, the API access might require SSL (`https`) and token based authentication.
-
-In order to access the `/metrics` path of the API service, some Kubernetes environments might require the following permission to be added to a ClusterRole.
-
-```yaml
-rules:
-- nonResourceURLs:
-  - /metrics
-  verbs:
-  - get
-```
-
-[float]
-==== proxy
-
-The proxy metricset requires access to the proxy endpoint in each of Kubernetes nodes, hence it's recommended to configure it as a part of a `Metricbeat DaemonSet`.
-
-[float]
-==== scheduler and controllermanager
-
-These metricsets require access to the Kubernetes `controller-manager` and `scheduler` endpoints. By default, these pods run only on master nodes, and they are not exposed via a Service, but there are different strategies available for its configuration:
-
-- Create `Kubernetes Services` to make `kube-controller-manager` and `kube-scheduler` available and configure the metricsets to point to these services as part of a Metricbeat `Deployment`.
-- Use `Autodiscovery` functionality as part of a Metricbeat DaemonSet and include the metricsets in a conditional template applied for the specific pods.
-
-Note: In some "As a Service" Kubernetes implementations, like `GKE`, the master nodes or even the pods running on the masters won't be visible. In these cases it won't be possible to use `scheduler` and `controllermanager` metricsets.
-
-[float]
-=== Kubernetes RBAC
-
-Metricbeat requires certain cluster level privileges in order to fetch the metrics. The following example creates a `ServiceAcount` named `metricbeat` with the necessary permissions to run all the metricsets from the module. A `ClusterRole` and a `ClusterRoleBinding` are created for this purpose:
-
-[source,yaml]
-----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: metricbeat
-  namespace: kube-system
-  labels:
-    k8s-app: metricbeat
-----
-
-[source,yaml]
-----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: metricbeat
-  labels:
-    k8s-app: metricbeat
-rules:
-- apiGroups: [""]
-  resources:
-  - nodes
-  - namespaces
-  - events
-  - pods
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["batch"]
-  resources:
-  - jobs
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["extensions"]
-  resources:
-  - replicasets
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["apps"]
-  resources:
-  - statefulsets
-  - deployments
-  - replicasets
-  verbs: ["get", "list", "watch"]
-- apiGroups:
-  - ""
-  resources:
-  - nodes/stats
-  verbs:
-  - get
-- nonResourceURLs:
-  - /metrics
-  verbs:
-  - get
-----
-
-[source,yaml]
-----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: metricbeat
-subjects:
-- kind: ServiceAccount
-  name: metricbeat
-  namespace: kube-system
-roleRef:
-  kind: ClusterRole
-  name: metricbeat
-  apiGroup: rbac.authorization.k8s.io
-----
-
-
-[float]
-=== Compatibility
-
-The Kubernetes module is tested with the following versions of Kubernetes:
-1.28.x, 1.29.x, 1.30.x and 1.31.x
-
-[float]
-=== Dashboard
-
-Kubernetes module is shipped including default dashboards for `cluster overview`, `apiserver`, `controllermanager`, `scheduler` and `proxy`.
-
-If you are using HA for those components, be aware that when gathering data from all instances the dashboard will usually show and average of the metrics. For those scenarios filtering by hosts or service address is possible.
-
-Dashboards for `controllermanager` `scheduler` and `proxy` are not compatible with kibana versions below `7.2.0`
-
-Cluster selector in `cluster overview` dashboard helps in distinguishing and filtering metrics collected from multiple clusters. If you want to focus on a subset of the Kubernetes clusters for monitoring a specific scenario, this cluster selector could be a handy tool. Note that this selector gets populated from the `orchestrator.cluster.name` field that may not always be available. This field gets its value from sources like `kube_config`, `kubeadm-config` configMap, and Google Cloud's meta API for GKE. If the sources mentioned above don't provide this value, metricbeat will not report it. However, you can always use https://www.elastic.co/guide/en/beats/filebeat/current/add-fields.html[add_fields processor] to set `orchestrator.cluster.name` fields and utilize it in the `cluster overview` dashboard:
-[source,yaml]
-----
-processors:
-  - add_fields:
-      target: orchestrator.cluster
-      fields:
-        name: clusterName
-        url: clusterURL
-----
-
-Kubernetes cluster overview example:
-
-image::./images/metricbeat-kubernetes-clusteroverview.png[]
-
-If you are setting collection period to a value bigger than `2m` you will need to increase
-the Interval (in Panel Options) for "Desired Pods", "Available Pods" and "Unavailable Pods" visualisations.
-
-Kubernetes controller manager example:
-
-image::./images/metricbeat-kubernetes-controllermanager.png[]
-
-
-Kubernetes scheduler example:
-
-image::./images/metricbeat_kubernetes_scheduler.png[]
-
-
-Kubernetes proxy example:
-
-image::./images/metricbeat-kubernetes-proxy.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Kubernetes module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-# Node metrics, from kubelet:
-- module: kubernetes
-  metricsets:
-    - container
-    - node
-    - pod
-    - system
-    - volume
-  period: 10s
-  enabled: true
-  hosts: ["https://${NODE_NAME}:10250"]
-  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-  ssl.verification_mode: "none"
-  #ssl.certificate_authorities:
-  #  - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
-  #ssl.certificate: "/etc/pki/client/cert.pem"
-  #ssl.key: "/etc/pki/client/cert.key"
-
-  # Enriching parameters:
-  add_metadata: true
-  # If kube_config is not set, KUBECONFIG environment variable will be checked
-  # and if not present it will fall back to InCluster
-  #kube_config: ~/.kube/config
-  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
-  use_kubeadm: true
-  #include_labels: []
-  #exclude_labels: []
-  #include_annotations: []
-  #labels.dedot: true
-  #annotations.dedot: true
-
-  # When used outside the cluster:
-  #node: node_name
-
-  # To configure additionally node and namespace metadata `add_resource_metadata` can be defined.
-  # By default all labels will be included while annotations are not added by default.
-  # add_resource_metadata:
-  #   namespace:
-  #     include_labels: ["namespacelabel1"]
-  #   node:
-  #     include_labels: ["nodelabel2"]
-  #     include_annotations: ["nodeannotation1"]
-  #   deployment: false
-  #   cronjob: false
-  # Kubernetes client QPS and burst can be configured additionally
-  #kube_client_options:
-  #  qps: 5
-  #  burst: 10
-
-# State metrics from kube-state-metrics service:
-- module: kubernetes
-  enabled: true
-  metricsets:
-    - state_node
-    - state_daemonset
-    - state_deployment
-    - state_replicaset
-    - state_statefulset
-    - state_pod
-    - state_container
-    - state_job
-    - state_cronjob
-    - state_resourcequota
-    - state_service
-    - state_persistentvolume
-    - state_persistentvolumeclaim
-    - state_storageclass
-    # Uncomment this to get k8s events:
-    #- event  period: 10s
-  hosts: ["kube-state-metrics:8080"]
-
-  # Enriching parameters:
-  add_metadata: true
-  # If kube_config is not set, KUBECONFIG environment variable will be checked
-  # and if not present it will fall back to InCluster
-  #kube_config: ~/.kube/config
-  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
-  use_kubeadm: true
-  #include_labels: []
-  #exclude_labels: []
-  #include_annotations: []
-  #labels.dedot: true
-  #annotations.dedot: true
-
-  # When used outside the cluster:
-  #node: node_name
-
-  # Set the namespace to watch for resources
-  #namespace: staging
-
-  # To configure additionally node and namespace metadata `add_resource_metadata` can be defined.
-  # By default all labels will be included while annotations are not added by default.
-  # add_resource_metadata:
-  #   namespace:
-  #     include_labels: ["namespacelabel1"]
-  #   node:
-  #     include_labels: ["nodelabel2"]
-  #     include_annotations: ["nodeannotation1"]
-  #   deployment: false
-  #   cronjob: false
-  # Kubernetes client QPS and burst can be configured additionally
-  #kube_client_options:
-  #  qps: 5
-  #  burst: 10
-
-# Kubernetes Events
-- module: kubernetes
-  enabled: true
-  metricsets:
-    - event
-  period: 10s
-  # Skip events older than Metricbeat's statup time is enabled by default.
-  # Setting to false the skip_older setting will stop filtering older events.
-  # This setting is also useful went Event's timestamps are not populated properly.
-  #skip_older: false
-  # If kube_config is not set, KUBECONFIG environment variable will be checked
-  # and if not present it will fall back to InCluster
-  #kube_config: ~/.kube/config
-  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
-  use_kubeadm: true
-  # Set the namespace to watch for events
-  #namespace: staging
-  # Set the sync period of the watchers
-  #sync_period: 10m
-  # Kubernetes client QPS and burst can be configured additionally
-  #kube_client_options:
-  #  qps: 5
-  #  burst: 10
-
-# Kubernetes API server
-# (when running metricbeat as a deployment)
-- module: kubernetes
-  enabled: true
-  metricsets:
-    - apiserver
-  hosts: ["https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"]
-  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-  ssl.certificate_authorities:
-    - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-  period: 30s
-  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
-  use_kubeadm: true
-
-# Kubernetes proxy server
-# (when running metricbeat locally at hosts or as a daemonset + host network)
-- module: kubernetes
-  enabled: true
-  metricsets:
-    - proxy
-  hosts: ["localhost:10249"]
-  period: 10s
-  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
-  use_kubeadm: true
-
-# Kubernetes controller manager
-# (URL and deployment method should be adapted to match the controller manager deployment / service / endpoint)
-- module: kubernetes
-  enabled: true
-  metricsets:
-    - controllermanager
-  hosts: ["http://localhost:10252"]
-  period: 10s
-  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
-  use_kubeadm: true
-
-# Kubernetes scheduler
-# (URL and deployment method should be adapted to match scheduler deployment / service / endpoint)
-- module: kubernetes
-  enabled: true
-  metricsets:
-    - scheduler
-  hosts: ["localhost:10251"]
-  period: 10s
-  #By default requests to kubeadm config map are made in order to enrich cluster name by requesting /api/v1/namespaces/kube-system/configmaps/kubeadm-config API endpoint.
-  use_kubeadm: true
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-kubernetes-apiserver,apiserver>>
-
-* <<metricbeat-metricset-kubernetes-container,container>>
-
-* <<metricbeat-metricset-kubernetes-controllermanager,controllermanager>>
-
-* <<metricbeat-metricset-kubernetes-event,event>>
-
-* <<metricbeat-metricset-kubernetes-node,node>>
-
-* <<metricbeat-metricset-kubernetes-pod,pod>>
-
-* <<metricbeat-metricset-kubernetes-proxy,proxy>>
-
-* <<metricbeat-metricset-kubernetes-scheduler,scheduler>>
-
-* <<metricbeat-metricset-kubernetes-state_container,state_container>>
-
-* <<metricbeat-metricset-kubernetes-state_cronjob,state_cronjob>>
-
-* <<metricbeat-metricset-kubernetes-state_daemonset,state_daemonset>>
-
-* <<metricbeat-metricset-kubernetes-state_deployment,state_deployment>>
-
-* <<metricbeat-metricset-kubernetes-state_job,state_job>>
-
-* <<metricbeat-metricset-kubernetes-state_node,state_node>>
-
-* <<metricbeat-metricset-kubernetes-state_persistentvolumeclaim,state_persistentvolumeclaim>>
-
-* <<metricbeat-metricset-kubernetes-state_pod,state_pod>>
-
-* <<metricbeat-metricset-kubernetes-state_replicaset,state_replicaset>>
-
-* <<metricbeat-metricset-kubernetes-state_resourcequota,state_resourcequota>>
-
-* <<metricbeat-metricset-kubernetes-state_service,state_service>>
-
-* <<metricbeat-metricset-kubernetes-state_statefulset,state_statefulset>>
-
-* <<metricbeat-metricset-kubernetes-state_storageclass,state_storageclass>>
-
-* <<metricbeat-metricset-kubernetes-system,system>>
-
-* <<metricbeat-metricset-kubernetes-volume,volume>>
-
-include::kubernetes/apiserver.asciidoc[]
-
-include::kubernetes/container.asciidoc[]
-
-include::kubernetes/controllermanager.asciidoc[]
-
-include::kubernetes/event.asciidoc[]
-
-include::kubernetes/node.asciidoc[]
-
-include::kubernetes/pod.asciidoc[]
-
-include::kubernetes/proxy.asciidoc[]
-
-include::kubernetes/scheduler.asciidoc[]
-
-include::kubernetes/state_container.asciidoc[]
-
-include::kubernetes/state_cronjob.asciidoc[]
-
-include::kubernetes/state_daemonset.asciidoc[]
-
-include::kubernetes/state_deployment.asciidoc[]
-
-include::kubernetes/state_job.asciidoc[]
-
-include::kubernetes/state_node.asciidoc[]
-
-include::kubernetes/state_persistentvolumeclaim.asciidoc[]
-
-include::kubernetes/state_pod.asciidoc[]
-
-include::kubernetes/state_replicaset.asciidoc[]
-
-include::kubernetes/state_resourcequota.asciidoc[]
-
-include::kubernetes/state_service.asciidoc[]
-
-include::kubernetes/state_statefulset.asciidoc[]
-
-include::kubernetes/state_storageclass.asciidoc[]
-
-include::kubernetes/system.asciidoc[]
-
-include::kubernetes/volume.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/kubernetes/apiserver.asciidoc b/metricbeat/docs/modules/kubernetes/apiserver.asciidoc
deleted file mode 100644
index 5128787cf9ce..000000000000
--- a/metricbeat/docs/modules/kubernetes/apiserver.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/apiserver/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-apiserver]]
-=== Kubernetes apiserver metricset
-
-include::../../../module/kubernetes/apiserver/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/apiserver/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/container.asciidoc b/metricbeat/docs/modules/kubernetes/container.asciidoc
deleted file mode 100644
index 3b7e690803ce..000000000000
--- a/metricbeat/docs/modules/kubernetes/container.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/container/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-container]]
-=== Kubernetes container metricset
-
-include::../../../module/kubernetes/container/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/container/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/controllermanager.asciidoc b/metricbeat/docs/modules/kubernetes/controllermanager.asciidoc
deleted file mode 100644
index ef8035f0d52f..000000000000
--- a/metricbeat/docs/modules/kubernetes/controllermanager.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/controllermanager/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-controllermanager]]
-=== Kubernetes controllermanager metricset
-
-include::../../../module/kubernetes/controllermanager/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/controllermanager/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/event.asciidoc b/metricbeat/docs/modules/kubernetes/event.asciidoc
deleted file mode 100644
index e8dccd6d21ae..000000000000
--- a/metricbeat/docs/modules/kubernetes/event.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/event/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-event]]
-=== Kubernetes event metricset
-
-include::../../../module/kubernetes/event/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/event/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/node.asciidoc b/metricbeat/docs/modules/kubernetes/node.asciidoc
deleted file mode 100644
index 081caaead6ab..000000000000
--- a/metricbeat/docs/modules/kubernetes/node.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/node/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-node]]
-=== Kubernetes node metricset
-
-include::../../../module/kubernetes/node/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/node/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/pod.asciidoc b/metricbeat/docs/modules/kubernetes/pod.asciidoc
deleted file mode 100644
index 759a3deab0eb..000000000000
--- a/metricbeat/docs/modules/kubernetes/pod.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/pod/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-pod]]
-=== Kubernetes pod metricset
-
-include::../../../module/kubernetes/pod/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/pod/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/proxy.asciidoc b/metricbeat/docs/modules/kubernetes/proxy.asciidoc
deleted file mode 100644
index 1c8d2ec939a9..000000000000
--- a/metricbeat/docs/modules/kubernetes/proxy.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/proxy/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-proxy]]
-=== Kubernetes proxy metricset
-
-include::../../../module/kubernetes/proxy/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/proxy/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/scheduler.asciidoc b/metricbeat/docs/modules/kubernetes/scheduler.asciidoc
deleted file mode 100644
index 916459b038c6..000000000000
--- a/metricbeat/docs/modules/kubernetes/scheduler.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/scheduler/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-scheduler]]
-=== Kubernetes scheduler metricset
-
-include::../../../module/kubernetes/scheduler/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/scheduler/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/state_container.asciidoc b/metricbeat/docs/modules/kubernetes/state_container.asciidoc
deleted file mode 100644
index 543f05f661a8..000000000000
--- a/metricbeat/docs/modules/kubernetes/state_container.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/state_container/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-state_container]]
-=== Kubernetes state_container metricset
-
-include::../../../module/kubernetes/state_container/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/state_container/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/state_cronjob.asciidoc b/metricbeat/docs/modules/kubernetes/state_cronjob.asciidoc
deleted file mode 100644
index 8d0fd1c55d1a..000000000000
--- a/metricbeat/docs/modules/kubernetes/state_cronjob.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/state_cronjob/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-state_cronjob]]
-=== Kubernetes state_cronjob metricset
-
-include::../../../module/kubernetes/state_cronjob/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/state_cronjob/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/state_daemonset.asciidoc b/metricbeat/docs/modules/kubernetes/state_daemonset.asciidoc
deleted file mode 100644
index 21ed9ffd19d2..000000000000
--- a/metricbeat/docs/modules/kubernetes/state_daemonset.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/state_daemonset/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-state_daemonset]]
-=== Kubernetes state_daemonset metricset
-
-include::../../../module/kubernetes/state_daemonset/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/state_daemonset/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/state_deployment.asciidoc b/metricbeat/docs/modules/kubernetes/state_deployment.asciidoc
deleted file mode 100644
index 2397fb631c94..000000000000
--- a/metricbeat/docs/modules/kubernetes/state_deployment.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/state_deployment/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-state_deployment]]
-=== Kubernetes state_deployment metricset
-
-include::../../../module/kubernetes/state_deployment/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/state_deployment/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/state_job.asciidoc b/metricbeat/docs/modules/kubernetes/state_job.asciidoc
deleted file mode 100644
index 606f4005e5c6..000000000000
--- a/metricbeat/docs/modules/kubernetes/state_job.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/state_job/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-state_job]]
-=== Kubernetes state_job metricset
-
-include::../../../module/kubernetes/state_job/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/state_job/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/state_node.asciidoc b/metricbeat/docs/modules/kubernetes/state_node.asciidoc
deleted file mode 100644
index 57fd824c3463..000000000000
--- a/metricbeat/docs/modules/kubernetes/state_node.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/state_node/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-state_node]]
-=== Kubernetes state_node metricset
-
-include::../../../module/kubernetes/state_node/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/state_node/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/state_persistentvolumeclaim.asciidoc b/metricbeat/docs/modules/kubernetes/state_persistentvolumeclaim.asciidoc
deleted file mode 100644
index 5cd87f56dfc0..000000000000
--- a/metricbeat/docs/modules/kubernetes/state_persistentvolumeclaim.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/state_persistentvolumeclaim/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-state_persistentvolumeclaim]]
-=== Kubernetes state_persistentvolumeclaim metricset
-
-include::../../../module/kubernetes/state_persistentvolumeclaim/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/state_persistentvolumeclaim/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/state_pod.asciidoc b/metricbeat/docs/modules/kubernetes/state_pod.asciidoc
deleted file mode 100644
index d1318ae897c0..000000000000
--- a/metricbeat/docs/modules/kubernetes/state_pod.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/state_pod/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-state_pod]]
-=== Kubernetes state_pod metricset
-
-include::../../../module/kubernetes/state_pod/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/state_pod/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/state_replicaset.asciidoc b/metricbeat/docs/modules/kubernetes/state_replicaset.asciidoc
deleted file mode 100644
index 93f9a440c7ab..000000000000
--- a/metricbeat/docs/modules/kubernetes/state_replicaset.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/state_replicaset/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-state_replicaset]]
-=== Kubernetes state_replicaset metricset
-
-include::../../../module/kubernetes/state_replicaset/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/state_replicaset/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/state_resourcequota.asciidoc b/metricbeat/docs/modules/kubernetes/state_resourcequota.asciidoc
deleted file mode 100644
index 73601a3219df..000000000000
--- a/metricbeat/docs/modules/kubernetes/state_resourcequota.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/state_resourcequota/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-state_resourcequota]]
-=== Kubernetes state_resourcequota metricset
-
-include::../../../module/kubernetes/state_resourcequota/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/state_resourcequota/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/state_service.asciidoc b/metricbeat/docs/modules/kubernetes/state_service.asciidoc
deleted file mode 100644
index 44105ada1788..000000000000
--- a/metricbeat/docs/modules/kubernetes/state_service.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/state_service/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-state_service]]
-=== Kubernetes state_service metricset
-
-include::../../../module/kubernetes/state_service/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/state_service/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/state_statefulset.asciidoc b/metricbeat/docs/modules/kubernetes/state_statefulset.asciidoc
deleted file mode 100644
index dc2bf897066a..000000000000
--- a/metricbeat/docs/modules/kubernetes/state_statefulset.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/state_statefulset/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-state_statefulset]]
-=== Kubernetes state_statefulset metricset
-
-include::../../../module/kubernetes/state_statefulset/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/state_statefulset/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/state_storageclass.asciidoc b/metricbeat/docs/modules/kubernetes/state_storageclass.asciidoc
deleted file mode 100644
index 6f0779fc0a6b..000000000000
--- a/metricbeat/docs/modules/kubernetes/state_storageclass.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/state_storageclass/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-state_storageclass]]
-=== Kubernetes state_storageclass metricset
-
-include::../../../module/kubernetes/state_storageclass/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/state_storageclass/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/system.asciidoc b/metricbeat/docs/modules/kubernetes/system.asciidoc
deleted file mode 100644
index 82f75df07dbe..000000000000
--- a/metricbeat/docs/modules/kubernetes/system.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/system/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-system]]
-=== Kubernetes system metricset
-
-include::../../../module/kubernetes/system/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/system/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kubernetes/volume.asciidoc b/metricbeat/docs/modules/kubernetes/volume.asciidoc
deleted file mode 100644
index 0171b746a00c..000000000000
--- a/metricbeat/docs/modules/kubernetes/volume.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kubernetes/volume/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kubernetes-volume]]
-=== Kubernetes volume metricset
-
-include::../../../module/kubernetes/volume/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kubernetes,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kubernetes/volume/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kvm.asciidoc b/metricbeat/docs/modules/kvm.asciidoc
deleted file mode 100644
index abb8ab2e5541..000000000000
--- a/metricbeat/docs/modules/kvm.asciidoc
+++ /dev/null
@@ -1,54 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: kvm
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kvm/_meta/docs.asciidoc
-
-
-[[metricbeat-module-kvm]]
-== KVM module
-
-beta[]
-
-This is the kvm module.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The KVM module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: kvm
-  metricsets: ["dommemstat", "status"]
-  enabled: true
-  period: 10s
-  hosts: ["unix:///var/run/libvirt/libvirt-sock"]
-  # For remote hosts, setup network access in libvirtd.conf
-  # and use the tcp scheme:
-  # hosts: [ "tcp://<host>:16509" ]
-
-  # Timeout to connect to Libvirt server
-  #timeout: 1s
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-kvm-dommemstat,dommemstat>>
-
-* <<metricbeat-metricset-kvm-status,status>>
-
-include::kvm/dommemstat.asciidoc[]
-
-include::kvm/status.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/kvm/dommemstat.asciidoc b/metricbeat/docs/modules/kvm/dommemstat.asciidoc
deleted file mode 100644
index 6bc653cef1d8..000000000000
--- a/metricbeat/docs/modules/kvm/dommemstat.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kvm/dommemstat/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kvm-dommemstat]]
-=== KVM dommemstat metricset
-
-beta[]
-
-include::../../../module/kvm/dommemstat/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kvm,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kvm/dommemstat/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/kvm/status.asciidoc b/metricbeat/docs/modules/kvm/status.asciidoc
deleted file mode 100644
index d5785ed493db..000000000000
--- a/metricbeat/docs/modules/kvm/status.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/kvm/status/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-kvm-status]]
-=== KVM status metricset
-
-beta[]
-
-include::../../../module/kvm/status/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-kvm,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/kvm/status/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/linux.asciidoc b/metricbeat/docs/modules/linux.asciidoc
deleted file mode 100644
index 7bdf6e136576..000000000000
--- a/metricbeat/docs/modules/linux.asciidoc
+++ /dev/null
@@ -1,80 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: linux
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/linux/_meta/docs.asciidoc
-
-
-[[metricbeat-module-linux]]
-== Linux module
-
-beta[]
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-The Linux module reports on metrics exclusive to the Linux kernel and GNU/Linux OS.
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Linux module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: linux
-  period: 10s
-  metricsets:
-    - "pageinfo"
-    - "memory"
-    # - ksm
-    # - conntrack
-    # - iostat
-    # - pressure
-    # - rapl
-  enabled: true
-  #hostfs: /hostfs
-  #rapl.use_msr_safe: false
-
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-linux-conntrack,conntrack>>
-
-* <<metricbeat-metricset-linux-iostat,iostat>>
-
-* <<metricbeat-metricset-linux-ksm,ksm>>
-
-* <<metricbeat-metricset-linux-memory,memory>>
-
-* <<metricbeat-metricset-linux-pageinfo,pageinfo>>
-
-* <<metricbeat-metricset-linux-pressure,pressure>>
-
-* <<metricbeat-metricset-linux-rapl,rapl>>
-
-include::linux/conntrack.asciidoc[]
-
-include::linux/iostat.asciidoc[]
-
-include::linux/ksm.asciidoc[]
-
-include::linux/memory.asciidoc[]
-
-include::linux/pageinfo.asciidoc[]
-
-include::linux/pressure.asciidoc[]
-
-include::linux/rapl.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/linux/conntrack.asciidoc b/metricbeat/docs/modules/linux/conntrack.asciidoc
deleted file mode 100644
index 7f9359709b20..000000000000
--- a/metricbeat/docs/modules/linux/conntrack.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/linux/conntrack/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-linux-conntrack]]
-=== Linux conntrack metricset
-
-beta[]
-
-include::../../../module/linux/conntrack/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-linux,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/linux/conntrack/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/linux/iostat.asciidoc b/metricbeat/docs/modules/linux/iostat.asciidoc
deleted file mode 100644
index c7155c621d3b..000000000000
--- a/metricbeat/docs/modules/linux/iostat.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/linux/iostat/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-linux-iostat]]
-=== Linux iostat metricset
-
-beta[]
-
-include::../../../module/linux/iostat/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-linux,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/linux/iostat/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/linux/ksm.asciidoc b/metricbeat/docs/modules/linux/ksm.asciidoc
deleted file mode 100644
index 02429d8935c6..000000000000
--- a/metricbeat/docs/modules/linux/ksm.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/linux/ksm/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-linux-ksm]]
-=== Linux ksm metricset
-
-beta[]
-
-include::../../../module/linux/ksm/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-linux,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/linux/ksm/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/linux/memory.asciidoc b/metricbeat/docs/modules/linux/memory.asciidoc
deleted file mode 100644
index 737e733ff939..000000000000
--- a/metricbeat/docs/modules/linux/memory.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/linux/memory/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-linux-memory]]
-=== Linux memory metricset
-
-beta[]
-
-include::../../../module/linux/memory/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-linux,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/linux/memory/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/linux/pageinfo.asciidoc b/metricbeat/docs/modules/linux/pageinfo.asciidoc
deleted file mode 100644
index 93e7ba3d6f82..000000000000
--- a/metricbeat/docs/modules/linux/pageinfo.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/linux/pageinfo/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-linux-pageinfo]]
-=== Linux pageinfo metricset
-
-beta[]
-
-include::../../../module/linux/pageinfo/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-linux,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/linux/pageinfo/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/linux/pressure.asciidoc b/metricbeat/docs/modules/linux/pressure.asciidoc
deleted file mode 100644
index de8bbb3280bf..000000000000
--- a/metricbeat/docs/modules/linux/pressure.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/linux/pressure/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-linux-pressure]]
-=== Linux pressure metricset
-
-beta[]
-
-include::../../../module/linux/pressure/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-linux,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/linux/pressure/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/linux/rapl.asciidoc b/metricbeat/docs/modules/linux/rapl.asciidoc
deleted file mode 100644
index c83cba36c1ef..000000000000
--- a/metricbeat/docs/modules/linux/rapl.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/linux/rapl/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-linux-rapl]]
-=== Linux rapl metricset
-
-beta[]
-
-include::../../../module/linux/rapl/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-linux,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/linux/rapl/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/logstash.asciidoc b/metricbeat/docs/modules/logstash.asciidoc
deleted file mode 100644
index 541bf9d58115..000000000000
--- a/metricbeat/docs/modules/logstash.asciidoc
+++ /dev/null
@@ -1,71 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: logstash
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/logstash/_meta/docs.asciidoc
-
-
-[[metricbeat-module-logstash]]
-== Logstash module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-The `logstash` module collects metrics about {ls}.
-
-[float]
-=== Compatibility
-
-The `logstash` module works with {ls} 7.3.0 and later.
-
-[float]
-=== Usage for Stack Monitoring
-
-The `logstash` module can be used to collect metrics shown in our {stack-monitor-app}
-UI in {kib}. To enable this usage, set `xpack.enabled: true` and remove any `metricsets`
-from the module's configuration. Alternatively, run `metricbeat modules disable logstash` and
-`metricbeat modules enable logstash-xpack`.
-
-NOTE: When this module is used for {stack} Monitoring, it sends metrics to the
-monitoring index instead of the default index typically used by {metricbeat}.
-For more details about the monitoring index, see
-{ref}/config-monitoring-indices.html[Configuring indices for monitoring].
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Logstash module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: logstash
-  metricsets: ["node", "node_stats"]
-  enabled: true
-  period: 10s
-  hosts: ["localhost:9600"]
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-logstash-node,node>>
-
-* <<metricbeat-metricset-logstash-node_stats,node_stats>>
-
-include::logstash/node.asciidoc[]
-
-include::logstash/node_stats.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/logstash/node.asciidoc b/metricbeat/docs/modules/logstash/node.asciidoc
deleted file mode 100644
index 11244c626332..000000000000
--- a/metricbeat/docs/modules/logstash/node.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/logstash/node/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-logstash-node]]
-=== Logstash node metricset
-
-include::../../../module/logstash/node/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-logstash,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/logstash/node/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/logstash/node_stats.asciidoc b/metricbeat/docs/modules/logstash/node_stats.asciidoc
deleted file mode 100644
index 0cfff8394abc..000000000000
--- a/metricbeat/docs/modules/logstash/node_stats.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/logstash/node_stats/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-logstash-node_stats]]
-=== Logstash node_stats metricset
-
-include::../../../module/logstash/node_stats/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-logstash,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/logstash/node_stats/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/memcached.asciidoc b/metricbeat/docs/modules/memcached.asciidoc
deleted file mode 100644
index ef46ff08eb4a..000000000000
--- a/metricbeat/docs/modules/memcached.asciidoc
+++ /dev/null
@@ -1,49 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: memcached
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/memcached/_meta/docs.asciidoc
-
-
-[[metricbeat-module-memcached]]
-== Memcached module
-
-This is the Memcached module. These metricsets were tested with Memcached version 1.4.35.
-
-The default metricset is `stats`.
-
-[float]
-=== Compatibility
-
-The memcached module is tested with memcached 1.4.35.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Memcached module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: memcached
-  metricsets: ["stats"]
-  period: 10s
-  hosts: ["localhost:11211"]
-  enabled: true
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-memcached-stats,stats>>
-
-include::memcached/stats.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/memcached/stats.asciidoc b/metricbeat/docs/modules/memcached/stats.asciidoc
deleted file mode 100644
index aa3aaba44dd1..000000000000
--- a/metricbeat/docs/modules/memcached/stats.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/memcached/stats/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-memcached-stats]]
-=== Memcached stats metricset
-
-include::../../../module/memcached/stats/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-memcached,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/memcached/stats/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/meraki.asciidoc b/metricbeat/docs/modules/meraki.asciidoc
deleted file mode 100644
index 9e74dc5da2d3..000000000000
--- a/metricbeat/docs/modules/meraki.asciidoc
+++ /dev/null
@@ -1,47 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: meraki
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/meraki/_meta/docs.asciidoc
-
-
-[[metricbeat-module-meraki]]
-[role="xpack"]
-== Cisco Meraki module
-
-beta[]
-
-This is the meraki module.
-
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Cisco Meraki module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: meraki
-  metricsets: ["device_health"]
-  enabled: true
-  period: 300s
-  apiKey: "Meraki dashboard API key"
-  organizations: ["Meraki organization ID"]  
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-meraki-device_health,device_health>>
-
-include::meraki/device_health.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/meraki/device_health.asciidoc b/metricbeat/docs/modules/meraki/device_health.asciidoc
deleted file mode 100644
index 25328811c115..000000000000
--- a/metricbeat/docs/modules/meraki/device_health.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/meraki/device_health/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-meraki-device_health]]
-[role="xpack"]
-=== Cisco Meraki device_health metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/meraki/device_health/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-meraki,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/meraki/device_health/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/mongodb.asciidoc b/metricbeat/docs/modules/mongodb.asciidoc
deleted file mode 100644
index 3d2b70e6cc7c..000000000000
--- a/metricbeat/docs/modules/mongodb.asciidoc
+++ /dev/null
@@ -1,198 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: mongodb
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/mongodb/_meta/docs.asciidoc
-
-
-[[metricbeat-module-mongodb]]
-== MongoDB module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This module periodically fetches metrics from https://www.mongodb.com[MongoDB]
-servers.
-
-[float]
-=== Module-specific configuration notes
-
-When configuring the `hosts` option, you must use MongoDB URLs of the following
-format:
-
------------------------------------
-[mongodb://][user:pass@]host[:port][?options]
------------------------------------
-
-Or
-
------------------------------------------------------------------------------------------
-mongodb://[username:password@]host1[:port1][,...hostN[:portN]][/[defaultauthdb][?options]]
------------------------------------------------------------------------------------------
-
-The URL can be as simple as:
-
-[source,yaml]
-----------------------------------------------------------------------
-- module: mongodb
-  hosts: ["localhost"]
-----------------------------------------------------------------------
-
-Or more complex like:
-
-[source,yaml]
-----------------------------------------------------------------------
-- module: mongodb
-  hosts: ["mongodb://myuser:mypass@localhost:40001", "otherhost:40001"]
-----------------------------------------------------------------------
-
-Some more supported URLs are:
-
-[source,yaml]
-----------------------------------------------------------------------
-- module: mongodb
-  hosts: ["mongodb://localhost:27017,localhost:27022,localhost:27023"]
-----------------------------------------------------------------------
-
-[source,yaml]
-----------------------------------------------------------------------
-- module: mongodb
-  hosts: ["mongodb://localhost:27017/?directConnection=true"]
-----------------------------------------------------------------------
-
-When the parameter `directConnection=true` is included in the connection URI,
-all operations are executed on the host specified in the URI.
-It's important to note that `directConnection=true` must be explicitly specified in the URI,
-as it won't be added automatically unless specified.
-
-[source,yaml]
-----------------------------------------------------------------------
-- module: mongodb
-  hosts: ["mongodb://localhost:27017,localhost:27022,localhost:27023/?replicaSet=dbrs"]
-----------------------------------------------------------------------
-
-
-The username and password can be included in the URL or they can be set using
-the respective configuration options. The credentials in the URL take precedence
-over the username and password configuration options.
-
-[source,yaml]
-----
-- module: mongodb
-  metricsets: ["status"]
-  hosts: ["localhost:27017"]
-  username: root
-  password: test
-----
-
-The default metricsets are `collstats`, `dbstats` and `status`.
-
-[float]
-=== Compatibility
-
-The MongoDB metricsets were tested with MongoDB 5.0 and are expected to
-work with all versions >= 5.0.
-
-[float]
-=== MongoDB Privileges
-
-In order to use the metricsets, the MongoDB user specified in the module configuration needs to have certain https://docs.mongodb.com/manual/core/authorization/#privileges[privileges].
-
-We recommend using the https://docs.mongodb.com/manual/reference/built-in-roles/#clusterMonitor[`clusterMonitor` role] to cover all the necessary privileges.
-
-You can use the following command in Mongo shell to create the privileged user (make sure you are using the `admin` db by using `db` command in Mongo shell).
-
-["source","js",subs="attributes"]
-----
-db.createUser(
-    {
-        user: "beats",
-        pwd: "pass",
-        roles: ["clusterMonitor"]
-    }
-)
-----
-
-You can use the following command in Mongo shell to grant the role to an existing user (make sure you are using the `admin` db by using `db` command in Mongo shell).
-
-["source","js",subs="attributes"]
-----
-db.grantRolesToUser("user", ["clusterMonitor"])
-----
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The MongoDB module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: mongodb
-  metricsets: ["dbstats", "status", "collstats", "metrics", "replstatus"]
-  period: 10s
-  enabled: true
-
-  # The hosts must be passed as MongoDB URLs in the format:
-  # [mongodb://][user:pass@]host[:port].
-  # The username and password can also be set using the respective configuration
-  # options. The credentials in the URL take precedence over the username and
-  # password configuration options.
-  hosts: ["localhost:27017"]
-
-  # Optional SSL. By default is off.
-  #ssl.enabled: true
-
-  # Mode of verification of server certificate ('none' or 'full')
-  #ssl.verification_mode: 'full'
-
-  # List of root certificates for TLS server verifications
-  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
-
-  # Certificate for SSL client authentication
-  #ssl.certificate: "/etc/pki/client/cert.pem"
-
-  # Client Certificate Key
-  #ssl.key: "/etc/pki/client/cert.key"
-
-  # Username to use when connecting to MongoDB. Empty by default.
-  #username: user
-
-  # Password to use when connecting to MongoDB. Empty by default.
-  #password: pass
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-mongodb-collstats,collstats>>
-
-* <<metricbeat-metricset-mongodb-dbstats,dbstats>>
-
-* <<metricbeat-metricset-mongodb-metrics,metrics>>
-
-* <<metricbeat-metricset-mongodb-replstatus,replstatus>>
-
-* <<metricbeat-metricset-mongodb-status,status>>
-
-include::mongodb/collstats.asciidoc[]
-
-include::mongodb/dbstats.asciidoc[]
-
-include::mongodb/metrics.asciidoc[]
-
-include::mongodb/replstatus.asciidoc[]
-
-include::mongodb/status.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/mongodb/collstats.asciidoc b/metricbeat/docs/modules/mongodb/collstats.asciidoc
deleted file mode 100644
index ceb35702f51f..000000000000
--- a/metricbeat/docs/modules/mongodb/collstats.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/mongodb/collstats/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-mongodb-collstats]]
-=== MongoDB collstats metricset
-
-include::../../../module/mongodb/collstats/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-mongodb,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/mongodb/collstats/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/mongodb/dbstats.asciidoc b/metricbeat/docs/modules/mongodb/dbstats.asciidoc
deleted file mode 100644
index 700c312dbee7..000000000000
--- a/metricbeat/docs/modules/mongodb/dbstats.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/mongodb/dbstats/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-mongodb-dbstats]]
-=== MongoDB dbstats metricset
-
-include::../../../module/mongodb/dbstats/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-mongodb,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/mongodb/dbstats/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/mongodb/metrics.asciidoc b/metricbeat/docs/modules/mongodb/metrics.asciidoc
deleted file mode 100644
index 960559a1fd9f..000000000000
--- a/metricbeat/docs/modules/mongodb/metrics.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/mongodb/metrics/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-mongodb-metrics]]
-=== MongoDB metrics metricset
-
-include::../../../module/mongodb/metrics/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-mongodb,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/mongodb/metrics/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/mongodb/replstatus.asciidoc b/metricbeat/docs/modules/mongodb/replstatus.asciidoc
deleted file mode 100644
index 8965617775c4..000000000000
--- a/metricbeat/docs/modules/mongodb/replstatus.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/mongodb/replstatus/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-mongodb-replstatus]]
-=== MongoDB replstatus metricset
-
-include::../../../module/mongodb/replstatus/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-mongodb,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/mongodb/replstatus/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/mongodb/status.asciidoc b/metricbeat/docs/modules/mongodb/status.asciidoc
deleted file mode 100644
index 4841cd73cf46..000000000000
--- a/metricbeat/docs/modules/mongodb/status.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/mongodb/status/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-mongodb-status]]
-=== MongoDB status metricset
-
-include::../../../module/mongodb/status/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-mongodb,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/mongodb/status/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/mssql.asciidoc b/metricbeat/docs/modules/mssql.asciidoc
deleted file mode 100644
index e494c943d677..000000000000
--- a/metricbeat/docs/modules/mssql.asciidoc
+++ /dev/null
@@ -1,113 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: mssql
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/mssql/_meta/docs.asciidoc
-
-
-[[metricbeat-module-mssql]]
-[role="xpack"]
-== MSSQL module
-
-This is the https://www.microsoft.com/en-us/sql-server/sql-server-2017[Microsoft SQL 2017] Metricbeat module. It is still under active development to add new Metricsets and introduce enhancements.
-
-[float]
-=== Compatibility
-
-The module is being tested with https://hub.docker.com/r/microsoft/mssql-server-linux/[2017 GA] version under Linux
-
-[float]
-=== Permission/Access required for tables
-
-1.`transaction_log` :
-
-* sys.databases
-* sys.dm_db_log_space_usage
-* sys.dm_db_log_stats(DB_ID)
-
-2.`performance` :
-
-* sys.dm_os_performance_counters
-
-If you browse MSDN for above tables, you will find "Permissions" section which defines the permission needed, e.g https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-db-log-space-usage-transact-sql?view=sql-server-ver15[Permissions]
-
-[float]
-=== Metricsets
-
-The following Metricsets are already included:
-
-[float]
-==== `transaction_log`
-
-`transaction_log` Metricset fetches information about the operation and transaction log of each MSSQL database in the monitored instance. All data is extracted from the https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/database-related-dynamic-management-views-transact-sql?view=sql-server-2017[Database Dynamic Management Views]
-
-[float]
-==== `performance`
-
-`performance` Metricset fetches information from what's commonly known as https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-os-performance-counters-transact-sql?view=sql-server-2017[Performance Counters] in MSSQL.
-
-[float]
-=== Module-specific configuration notes
-
-When configuring the `hosts` option, you can specify native user credentials
-as part of the host string with the following format:
-
-----
-hosts: ["sqlserver://sa@localhost"]]
-----
-
-To use Active Directory domain credentials, you can separately specify the username and password
-using the respective configuration options to allow the domain to be included in the username:
-
-----
-metricbeat.modules:
-- module: mssql
-  metricsets:
-    - "transaction_log"
-    - "performance"
-  hosts: ["sqlserver://localhost"]
-  username: domain\username
-  password: verysecurepassword
-  period: 10
-----
-
-Store sensitive values like passwords in the <<keystore,secrets keystore>>.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The MSSQL module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: mssql
-  metricsets:
-    - "transaction_log"
-    - "performance"
-  hosts: ["sqlserver://localhost"]
-  username: domain\username
-  password: verysecurepassword
-  period: 10s
-
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-mssql-performance,performance>>
-
-* <<metricbeat-metricset-mssql-transaction_log,transaction_log>>
-
-include::mssql/performance.asciidoc[]
-
-include::mssql/transaction_log.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/mssql/performance.asciidoc b/metricbeat/docs/modules/mssql/performance.asciidoc
deleted file mode 100644
index a4b1a9087cc4..000000000000
--- a/metricbeat/docs/modules/mssql/performance.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/mssql/performance/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-mssql-performance]]
-[role="xpack"]
-=== MSSQL performance metricset
-
-include::../../../../x-pack/metricbeat/module/mssql/performance/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-mssql,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/mssql/performance/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/mssql/transaction_log.asciidoc b/metricbeat/docs/modules/mssql/transaction_log.asciidoc
deleted file mode 100644
index 92de01e57521..000000000000
--- a/metricbeat/docs/modules/mssql/transaction_log.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/mssql/transaction_log/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-mssql-transaction_log]]
-[role="xpack"]
-=== MSSQL transaction_log metricset
-
-include::../../../../x-pack/metricbeat/module/mssql/transaction_log/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-mssql,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/mssql/transaction_log/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/munin.asciidoc b/metricbeat/docs/modules/munin.asciidoc
deleted file mode 100644
index 6654551119f6..000000000000
--- a/metricbeat/docs/modules/munin.asciidoc
+++ /dev/null
@@ -1,60 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: munin
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/munin/_meta/docs.asciidoc
-
-
-[[metricbeat-module-munin]]
-== Munin module
-
-This is the munin module.
-
-The default metricset is `node`.
-
-[float]
-=== Compatibility
-
-Munin module should be compatible with any implementation of the munin network
-protocol (http://guide.munin-monitoring.org/en/latest/master/network-protocol.html),
-it is tested with munin node 2.0.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Munin module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: munin
-  metricsets: ["node"]
-  enabled: true
-  period: 10s
-  hosts: ["localhost:4949"]
-
-  # List of plugins to collect metrics from, by default it collects from
-  # all the available ones.
-  #munin.plugins: []
-
-  # If set to true, it sanitizes fields names in concordance with munin
-  # implementation (all characters that are not alphanumeric, or underscore
-  # are replaced by underscores).
-  #munin.sanitize: false
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-munin-node,node>>
-
-include::munin/node.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/munin/node.asciidoc b/metricbeat/docs/modules/munin/node.asciidoc
deleted file mode 100644
index 071b611e63d2..000000000000
--- a/metricbeat/docs/modules/munin/node.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/munin/node/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-munin-node]]
-=== Munin node metricset
-
-include::../../../module/munin/node/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-munin,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/munin/node/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/mysql.asciidoc b/metricbeat/docs/modules/mysql.asciidoc
deleted file mode 100644
index 8711359bf5f6..000000000000
--- a/metricbeat/docs/modules/mysql.asciidoc
+++ /dev/null
@@ -1,127 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: mysql
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/mysql/_meta/docs.asciidoc
-
-
-[[metricbeat-module-mysql]]
-== MySQL module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This module periodically fetches metrics from https://www.mysql.com/[MySQL]
-servers.
-
-The default metricset is `status`.
-
-[float]
-=== Module-specific configuration notes
-
-When configuring the `hosts` option, you must use a MySQL Data Source Name (DSN)
-of the following format:
-
-----
-[username[:password]@][protocol[(address)]]/
-----
-
-You can also separately specify the username and password using the respective
-configuration options. Usernames and passwords specified in the DSN take
-precedence over those specified in the `username` and `password` config options.
-
-----
-- module: mysql
-  metricsets: ["status"]
-  hosts: ["tcp(127.0.0.1:3306)/"]
-  username: root
-  password: secret
-----
-
-[float]
-=== Compatibility
-
-The mysql MetricSets were tested with MySQL and Percona 5.7 and 8.0 and are expected
-to work with all versions >= 5.7.0.
-It is also tested with MariaDB 10.2, 10.3 and 10.4.
-
-[float]
-=== Dashboard
-
-The mysql module comes with a predefined dashboard. For example:
-
-image::./images/metricbeat-mysql.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The MySQL module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: mysql
-  metricsets:
-    - status
-  #  - galera_status
-  #  - performance
-  #  - query
-  period: 10s
-
-  # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/"
-  # or "unix(/var/lib/mysql/mysql.sock)/",
-  # or another DSN format supported by <https://github.com/Go-SQL-Driver/MySQL/>.
-  # The username and password can either be set in the DSN or using the username
-  # and password config options. Those specified in the DSN take precedence.
-  hosts: ["root:secret@tcp(127.0.0.1:3306)/"]
-
-  # Username of hosts. Empty by default.
-  #username: root
-
-  # Password of hosts. Empty by default.
-  #password: secret
-
-  # By setting raw to true, all raw fields from the status metricset will be added to the event.
-  #raw: false
-
-  # Optional SSL/TLS. By default is false.
-  #ssl.enabled: true
-
-  # List of root certificates for SSL/TLS server verification
-  #ssl.certificate_authorities: ["/etc/pki/root/ca.crt"]
-
-  # Certificate for SSL/TLS client authentication
-  #ssl.certificate: "/etc/pki/client/cert.crt"
-
-  # Client certificate key file
-  #ssl.key: "/etc/pki/client/cert.key"
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-mysql-galera_status,galera_status>>
-
-* <<metricbeat-metricset-mysql-performance,performance>>
-
-* <<metricbeat-metricset-mysql-query,query>>
-
-* <<metricbeat-metricset-mysql-status,status>>
-
-include::mysql/galera_status.asciidoc[]
-
-include::mysql/performance.asciidoc[]
-
-include::mysql/query.asciidoc[]
-
-include::mysql/status.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/mysql/galera_status.asciidoc b/metricbeat/docs/modules/mysql/galera_status.asciidoc
deleted file mode 100644
index af42050f806a..000000000000
--- a/metricbeat/docs/modules/mysql/galera_status.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/mysql/galera_status/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-mysql-galera_status]]
-=== MySQL galera_status metricset
-
-beta[]
-
-include::../../../module/mysql/galera_status/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-mysql,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/mysql/galera_status/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/mysql/performance.asciidoc b/metricbeat/docs/modules/mysql/performance.asciidoc
deleted file mode 100644
index dfd8de45fd2f..000000000000
--- a/metricbeat/docs/modules/mysql/performance.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/mysql/performance/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-mysql-performance]]
-=== MySQL performance metricset
-
-beta[]
-
-include::../../../module/mysql/performance/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-mysql,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/mysql/performance/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/mysql/query.asciidoc b/metricbeat/docs/modules/mysql/query.asciidoc
deleted file mode 100644
index 6ec8b1563d75..000000000000
--- a/metricbeat/docs/modules/mysql/query.asciidoc
+++ /dev/null
@@ -1,22 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/mysql/query/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-mysql-query]]
-=== MySQL query metricset
-
-beta[]
-
-include::../../../module/mysql/query/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-mysql,exported fields>> section.
-
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/mysql/status.asciidoc b/metricbeat/docs/modules/mysql/status.asciidoc
deleted file mode 100644
index 649823fe09c7..000000000000
--- a/metricbeat/docs/modules/mysql/status.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/mysql/status/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-mysql-status]]
-=== MySQL status metricset
-
-include::../../../module/mysql/status/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-mysql,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/mysql/status/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/nats.asciidoc b/metricbeat/docs/modules/nats.asciidoc
deleted file mode 100644
index b281d2dba074..000000000000
--- a/metricbeat/docs/modules/nats.asciidoc
+++ /dev/null
@@ -1,96 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: nats
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/nats/_meta/docs.asciidoc
-
-
-[[metricbeat-module-nats]]
-== NATS module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-The Nats module uses https://nats.io/documentation/managing_the_server/monitoring/[Nats monitoring server APIs] to collect metrics.
-
-The default metricsets are `stats`, `connections`, `routes` and `subscriptions` while `connection` and `route`
-metricsets can be enabled to collect detailed metrics per connection/route.
-
-[float]
-=== Compatibility
-
-The Nats module is tested with Nats 1.3.0, 2.0.4 and 2.1.4
-
-
-[float]
-=== Dashboard
-
-The Nats module comes with a predefined dashboard. For example:
-
-image::./images/metricbeat_nats_dashboard.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The NATS module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: nats
-  metricsets:
-    - "connections"
-    - "routes"
-    - "stats"
-    - "subscriptions"
-    #- "connection"
-    #- "route"
-  period: 10s
-  hosts: ["localhost:8222"]
-  #stats.metrics_path: "/varz"
-  #connections.metrics_path: "/connz"
-  #routes.metrics_path: "/routez"
-  #subscriptions.metrics_path: "/subsz"
-  #connection.metrics_path: "/connz"
-  #route.metrics_path: "/routez"
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-nats-connection,connection>>
-
-* <<metricbeat-metricset-nats-connections,connections>>
-
-* <<metricbeat-metricset-nats-route,route>>
-
-* <<metricbeat-metricset-nats-routes,routes>>
-
-* <<metricbeat-metricset-nats-stats,stats>>
-
-* <<metricbeat-metricset-nats-subscriptions,subscriptions>>
-
-include::nats/connection.asciidoc[]
-
-include::nats/connections.asciidoc[]
-
-include::nats/route.asciidoc[]
-
-include::nats/routes.asciidoc[]
-
-include::nats/stats.asciidoc[]
-
-include::nats/subscriptions.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/nats/connection.asciidoc b/metricbeat/docs/modules/nats/connection.asciidoc
deleted file mode 100644
index f5733ba97497..000000000000
--- a/metricbeat/docs/modules/nats/connection.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/nats/connection/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-nats-connection]]
-=== NATS connection metricset
-
-include::../../../module/nats/connection/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-nats,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/nats/connection/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/nats/connections.asciidoc b/metricbeat/docs/modules/nats/connections.asciidoc
deleted file mode 100644
index 2217b42ca9ce..000000000000
--- a/metricbeat/docs/modules/nats/connections.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/nats/connections/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-nats-connections]]
-=== NATS connections metricset
-
-include::../../../module/nats/connections/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-nats,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/nats/connections/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/nats/route.asciidoc b/metricbeat/docs/modules/nats/route.asciidoc
deleted file mode 100644
index d2a8c34d518c..000000000000
--- a/metricbeat/docs/modules/nats/route.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/nats/route/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-nats-route]]
-=== NATS route metricset
-
-include::../../../module/nats/route/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-nats,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/nats/route/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/nats/routes.asciidoc b/metricbeat/docs/modules/nats/routes.asciidoc
deleted file mode 100644
index 82ffffd8a9b9..000000000000
--- a/metricbeat/docs/modules/nats/routes.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/nats/routes/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-nats-routes]]
-=== NATS routes metricset
-
-include::../../../module/nats/routes/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-nats,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/nats/routes/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/nats/stats.asciidoc b/metricbeat/docs/modules/nats/stats.asciidoc
deleted file mode 100644
index 9774aeed23af..000000000000
--- a/metricbeat/docs/modules/nats/stats.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/nats/stats/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-nats-stats]]
-=== NATS stats metricset
-
-include::../../../module/nats/stats/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-nats,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/nats/stats/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/nats/subscriptions.asciidoc b/metricbeat/docs/modules/nats/subscriptions.asciidoc
deleted file mode 100644
index 2403d15b13d3..000000000000
--- a/metricbeat/docs/modules/nats/subscriptions.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/nats/subscriptions/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-nats-subscriptions]]
-=== NATS subscriptions metricset
-
-include::../../../module/nats/subscriptions/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-nats,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/nats/subscriptions/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/nginx.asciidoc b/metricbeat/docs/modules/nginx.asciidoc
deleted file mode 100644
index 8940a4571703..000000000000
--- a/metricbeat/docs/modules/nginx.asciidoc
+++ /dev/null
@@ -1,70 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: nginx
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/nginx/_meta/docs.asciidoc
-
-
-[[metricbeat-module-nginx]]
-== Nginx module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This module periodically fetches metrics from https://nginx.org/[Nginx] servers.
-
-The default metricset is `stubstatus`.
-
-
-[float]
-=== Compatibility
-
-The Nginx metricsets were tested with Nginx 1.23.2 and are expected to work with all version
->= 1.9.
-
-[float]
-=== Dashboard
-
-The nginx module comes with a predefined dashboard. For example:
-
-image::./images/metricbeat-nginx.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Nginx module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: nginx
-  metricsets: ["stubstatus"]
-  enabled: true
-  period: 10s
-
-  # Nginx hosts
-  hosts: ["http://127.0.0.1"]
-
-  # Path to server status. Default nginx_status
-  server_status_path: "nginx_status"
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-nginx-stubstatus,stubstatus>>
-
-include::nginx/stubstatus.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/nginx/stubstatus.asciidoc b/metricbeat/docs/modules/nginx/stubstatus.asciidoc
deleted file mode 100644
index 8583234a6443..000000000000
--- a/metricbeat/docs/modules/nginx/stubstatus.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/nginx/stubstatus/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-nginx-stubstatus]]
-=== Nginx stubstatus metricset
-
-include::../../../module/nginx/stubstatus/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-nginx,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/nginx/stubstatus/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/openai.asciidoc b/metricbeat/docs/modules/openai.asciidoc
deleted file mode 100644
index ce5fd3e0ccc5..000000000000
--- a/metricbeat/docs/modules/openai.asciidoc
+++ /dev/null
@@ -1,75 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: openai
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/openai/_meta/docs.asciidoc
-
-
-[[metricbeat-module-openai]]
-[role="xpack"]
-== openai module
-
-beta[]
-
-This is the openai module.
-
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The openai module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: openai
-  metricsets: ["usage"]
-  enabled: false
-  period: 1h
-
-  # # Project API Keys - Multiple API keys can be specified for different projects
-  # api_keys:
-  # - key: "api_key1"
-  # - key: "api_key2"
-
-  # # API Configuration
-  # ## Base URL for the OpenAI usage API endpoint
-  # api_url: "https://api.openai.com/v1/usage"
-  # ## Custom headers to be included in API requests
-  # headers:
-  # - "k1: v1"
-  # - "k2: v2"
-  ## Rate Limiting Configuration
-  # rate_limit:
-  #   limit: 12 # seconds between requests
-  #   burst: 1  # max concurrent requests
-  # ## Request Timeout Duration
-  # timeout: 30s
-
-  # # Data Collection Configuration
-  # collection:
-  #   ## Number of days to look back when collecting usage data
-  #   lookback_days: 30
-  #   ## Whether to collect usage data in realtime. Defaults to false as how
-  #   # OpenAI usage data is collected will end up adding duplicate data to ES
-  #   # and also making it harder to do analytics. Best approach is to avoid
-  #   # realtime collection and collect only upto last day (in UTC). So, there's
-  #   # at most 24h delay.
-  #   realtime: false
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-openai-usage,usage>>
-
-include::openai/usage.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/openai/usage.asciidoc b/metricbeat/docs/modules/openai/usage.asciidoc
deleted file mode 100644
index 69d0ba313d9c..000000000000
--- a/metricbeat/docs/modules/openai/usage.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/openai/usage/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-openai-usage]]
-[role="xpack"]
-=== openai usage metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/openai/usage/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-openai,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/openai/usage/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/openmetrics.asciidoc b/metricbeat/docs/modules/openmetrics.asciidoc
deleted file mode 100644
index 5143037f2033..000000000000
--- a/metricbeat/docs/modules/openmetrics.asciidoc
+++ /dev/null
@@ -1,73 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: openmetrics
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/openmetrics/_meta/docs.asciidoc
-
-
-[[metricbeat-module-openmetrics]]
-== Openmetrics module
-
-beta[]
-
-This module periodically fetches metrics from endpoints following https://openmetrics.io/[Openmetrics] format.
-
-[float]
-=== Filtering metrics
-
-In order to filter out/in metrics one can make use of `metrics_filters.include` `metrics_filters.exclude` settings:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-- module: openmetrics
-  metricsets: ['collector']
-  period: 10s
-  hosts: ["localhost:9090"]
-  metrics_path: /metrics
-  metrics_filters:
-    include: ["node_filesystem_*"]
-    exclude: ["node_filesystem_device_*", "^node_filesystem_readonly$"]
--------------------------------------------------------------------------------------
-
-The configuration above will include only metrics that match `node_filesystem_*` pattern and do not match `node_filesystem_device_*`
-and are not `node_filesystem_readonly` metric.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Openmetrics module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: openmetrics
-  metricsets: ['collector']
-  period: 10s
-  hosts: ['localhost:9090']
-
-  # This module uses the Prometheus collector metricset, all
-  # the options for this metricset are also available here.
-  metrics_path: /metrics
-  metrics_filters:
-    include: []
-    exclude: []
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-openmetrics-collector,collector>>
-
-include::openmetrics/collector.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/openmetrics/collector.asciidoc b/metricbeat/docs/modules/openmetrics/collector.asciidoc
deleted file mode 100644
index 15dc2753380e..000000000000
--- a/metricbeat/docs/modules/openmetrics/collector.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/openmetrics/collector/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-openmetrics-collector]]
-=== Openmetrics collector metricset
-
-beta[]
-
-include::../../../module/openmetrics/collector/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-openmetrics,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/openmetrics/collector/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/oracle.asciidoc b/metricbeat/docs/modules/oracle.asciidoc
deleted file mode 100644
index 3436caa9cc26..000000000000
--- a/metricbeat/docs/modules/oracle.asciidoc
+++ /dev/null
@@ -1,158 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: oracle
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/oracle/_meta/docs.asciidoc
-
-
-[[metricbeat-module-oracle]]
-[role="xpack"]
-== Oracle module
-
-This is the https://www.oracle.com[Oracle] module for Metricbeat. It is under active development with feedback from the community. A single Metricset for Tablespace monitoring is added so the community can start gathering metrics from their nodes and contributing to the module.
-
-[float]
-== Compatibility
-Oracle Metricbeat module is being tested version 12c R2 by using the store/oracle/database-enterprise:12.2.0.1 Docker image downloaded directly from the https://hub.docker.com/_/oracle-database-enterprise-edition[Oracle Docker Hub repository]
-which is based on 5.0.13-arch1-1-ARCH Arch Linux. This is important, the module has only been tested with the mentioned image in Linux environments.
-
-[float]
-== Dashboard
-An overview dashboard for Kibana is already included:
-
-image::./images/metricbeat-oracle-overview.png[]
-
-[float]
-
-== Requirements
-
-Connectivity to Oracle can be facilitated in two ways either by using official Oracle libraries or by using a JDBC driver. Facilitation of the connectivity using JDBC is not supported currently with Metricbeat. Connectivity can be facilitated using Oracle libraries and the detailed steps to do the same are mentioned below.
-
-*Oracle Database Connection Pre-requisites*
-
-To get connected with the Oracle Database ORACLE_SID, ORACLE_BASE, ORACLE_HOME environment variables should be set.
-
-For example: Let’s consider Oracle Database 21c installation using RPM manually by following https://docs.oracle.com/en/database/oracle/oracle-database/21/ladbi/running-rpm-packages-to-install-oracle-database.html[this] link, environment variables should be set as follows:
-    `ORACLE_SID=ORCLCDB`
-    `ORACLE_BASE=/opt/oracle/oradata`
-    `ORACLE_HOME=/opt/oracle/product/21c/dbhome_1`
-Also, add `ORACLE_HOME/bin` to the `PATH` environment variable.
-
-*Oracle Instant Client*
-
-Oracle Instant Client enables development and deployment of applications that connect to Oracle Database. The Instant Client libraries provide the necessary network connectivity and advanced data features to make full use of Oracle Database. If you have OCI Oracle server which comes with these libraries pre-installed, you don't need a separate client installation.
-
-The OCI library install few Client Shared Libraries that must be referenced on the machine where Metricbeat is installed. Please follow https://docs.oracle.com/en/database/oracle/oracle-database/21/lacli/install-instant-client-using-zip.html#GUID-D3DCB4FB-D3CA-4C25-BE48-3A1FB5A22E84[this] link for OCI Instant Client set up. The OCI Instant Client is available with the Oracle Universal Installer, RPM file or ZIP file. Download links can be found https://www.oracle.com/database/technologies/instant-client/downloads.html[here].
-
-*Enable Listener*
-
-The Oracle listener is a service that runs on the database host and receives requests from Oracle clients. Make sure that https://docs.oracle.com/cd/B19306_01/network.102/b14213/lsnrctl.htm[listener] should be running. 
-To check if the listener is running or not, run: 
-
-`lsnrctl STATUS`
-
-If the listener is not running, use the command to start:
-
-`lsnrctl START`
-
-Then, Metricbeat can be launched.
-
-*Host Configuration*
-
-The following types of host configuration are supported:
-
-1. An old-style Oracle connection string, for backwards compatibility:
-    a. `hosts: ["user/pass@0.0.0.0:1521/ORCLPDB1.localdomain"]`
-    b. `hosts: ["user/password@0.0.0.0:1521/ORCLPDB1.localdomain as sysdba"]`
-
-2. DSN configuration as a URL:
-    a. `hosts: ["oracle://user:pass@0.0.0.0:1521/ORCLPDB1.localdomain?sysdba=1"]`
-
-3. DSN configuration as a logfmt-encoded parameter list:
-    a. `hosts: ['user="user" password="pass" connectString="0.0.0.0:1521/ORCLPDB1.localdomain"']`
-    b. `hosts: ['user="user" password="password" connectString="host:port/service_name" sysdba=true']`
-
-DSN host configuration is the recommended configuration type as it supports the use of special characters in the password.
-
-In a URL any special characters should be URL encoded.
-
-In the logfmt-encoded DSN format, if the password contains a backslash character (`\`), it must be escaped with another backslash. For example, if the password is `my\_password`, it must be written as `my\\_password`.
-
-[float]
-== Metricsets
-
-The following Metricsets are included in the module:
-
-[float]
-=== `performance`
-
-Includes performance related events which contains mainly cursor and cache based data.
-
-[float]
-=== `tablespaces`
-
-Includes information about data files and temp files, grouped by Tablespace with free space available, used space, status of the data files, status of the Tablespace, etc.
-
-[float]
-
-=== `sysmetric`
-
-Includes the system metric values captured for the most current time interval from Oracle system metrics.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Oracle module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-# Module: oracle
-
-- module: oracle
-  period: 10m
-  metricsets:
-    - tablespace
-  enabled: true
-  hosts: ['user="user" password="pass" connectString="0.0.0.0:1521/ORCLPDB1.localdomain"']
-- module: oracle
-  period: 10s
-  metricsets:
-    - performance
-  enabled: true
-  hosts: ['user="user" password="pass" connectString="0.0.0.0:1521/ORCLPDB1.localdomain"']
-- module: oracle
-  period: 60s
-  metricsets:
-    - sysmetric
-  enabled: true
-  hosts: ['user="user" password="pass" connectString="0.0.0.0:1521/ORCLPDB1.localdomain"']
-  # patterns: ["foo%","%bar","%foobar%"]
-
-  # username: ""
-  # password: ""
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-oracle-performance,performance>>
-
-* <<metricbeat-metricset-oracle-sysmetric,sysmetric>>
-
-* <<metricbeat-metricset-oracle-tablespace,tablespace>>
-
-include::oracle/performance.asciidoc[]
-
-include::oracle/sysmetric.asciidoc[]
-
-include::oracle/tablespace.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/oracle/performance.asciidoc b/metricbeat/docs/modules/oracle/performance.asciidoc
deleted file mode 100644
index 6a51027d8da2..000000000000
--- a/metricbeat/docs/modules/oracle/performance.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/oracle/performance/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-oracle-performance]]
-[role="xpack"]
-=== Oracle performance metricset
-
-include::../../../../x-pack/metricbeat/module/oracle/performance/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-oracle,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/oracle/performance/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/oracle/sysmetric.asciidoc b/metricbeat/docs/modules/oracle/sysmetric.asciidoc
deleted file mode 100644
index c2b614bf3e1d..000000000000
--- a/metricbeat/docs/modules/oracle/sysmetric.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/oracle/sysmetric/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-oracle-sysmetric]]
-[role="xpack"]
-=== Oracle sysmetric metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/oracle/sysmetric/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-oracle,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/oracle/sysmetric/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/oracle/tablespace.asciidoc b/metricbeat/docs/modules/oracle/tablespace.asciidoc
deleted file mode 100644
index 2dea58a9d288..000000000000
--- a/metricbeat/docs/modules/oracle/tablespace.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/oracle/tablespace/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-oracle-tablespace]]
-[role="xpack"]
-=== Oracle tablespace metricset
-
-include::../../../../x-pack/metricbeat/module/oracle/tablespace/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-oracle,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/oracle/tablespace/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/panw.asciidoc b/metricbeat/docs/modules/panw.asciidoc
deleted file mode 100644
index c01664165017..000000000000
--- a/metricbeat/docs/modules/panw.asciidoc
+++ /dev/null
@@ -1,143 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: panw
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/panw/_meta/docs.asciidoc
-
-
-[[metricbeat-module-panw]]
-[role="xpack"]
-== Panw module
-
-beta[]
-
-:modulename: panw
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-The panw Metricbeat module uses the Palo Alto [pango](https://pkg.go.dev/github.com/PaloAltoNetworks/pango#section-documentation) package to extract metrics
-information from a firewall device via the XML API.
-
-[float]
-=== Dashboards
-
-
-[float]
-=== Module-specific configuration notes
-
-The panw module configuration requires the ip address of the target firewall device and an API Key generated from that firewall. It is assumed
-that network access to the firewall is available. All access by the panw module is read-only.
-
-***Limitations***
-The current version of the module is configured to run against **exactly 1** firewall. Multiple firewalls will require multiple agent configurations. 
-The module has also not been tested with Panorama, though it should work since it only relies on lower level Client.Op calls to send XML API commands 
-to the server.
-
-Required credentials for the `panw` module:
-
-`host_ip` :: IP address of the firewall - must be network accessible.
-
-`apiKey`:: An API Key generated via an XML API call to the firewall or via the management dashboard. This
-
-
-[float]
-== Metricsets
-
-[float]
-=== `bgp_peers`
-This metricset reports information on BGP Peers defined in the firewall.
-
-[float]
-=== `certificates`
-This metricset will capture certificates defined on the firewall including expiration dates.
-
-[float]
-=== `fans`
-This metricset will collect information from hardware fans (RPMS) and will report if an alarm is active for a given fan.
-
-[float]
-=== `filesystem`
-This metricset reports disk usage for filesystems defined on the device, based on df output.
-
-[float]
-=== `globalprotect_sessions`
-This metricset will collect metrics on current user sessions established on Global Protect gateways.
-
-[float]
-=== `globalprotect_stats`
-This metricset reports the number of user per GlobalProtect gateway and totals across all gateways.
-
-[float]
-=== `ha_interfaces`
-This metricset will collect metrics from the device on High Availabilty configuration for interfaces.
-
-[float]
-=== `licenses`
-This metricset reports on licenses for sofware features with expiration dates.
-
-[float]
-=== `logical`
-This metricset will collect metrics on logical interfaces in the device's network.
-
-[float]
-=== `power`
-This metricset reports power usage and alarms.
-
-[float]
-=== `system`
-This metricset captures system informate such as uptime, user count, CPU, memory and swap: essentiallyl the first 5 lines of 'top' output. 
-
-[float]
-=== `temperature`
-This metricset reports temperature for various slots on the device and reports on alarm status. 
-
-[float]
-=== `tunnels`
-This metricset enumerates ipsec tunnels and their status.
-
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Panw module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: panw
-  metricsets: ["licenses"]
-  enabled: false
-  period: 10s
-  hosts: ["localhost"]
-
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-panw-interfaces,interfaces>>
-
-* <<metricbeat-metricset-panw-routing,routing>>
-
-* <<metricbeat-metricset-panw-system,system>>
-
-* <<metricbeat-metricset-panw-vpn,vpn>>
-
-include::panw/interfaces.asciidoc[]
-
-include::panw/routing.asciidoc[]
-
-include::panw/system.asciidoc[]
-
-include::panw/vpn.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/panw/interfaces.asciidoc b/metricbeat/docs/modules/panw/interfaces.asciidoc
deleted file mode 100644
index 6012964a55c9..000000000000
--- a/metricbeat/docs/modules/panw/interfaces.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/panw/interfaces/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-panw-interfaces]]
-[role="xpack"]
-=== Panw interfaces metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/panw/interfaces/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-panw,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/panw/interfaces/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/panw/routing.asciidoc b/metricbeat/docs/modules/panw/routing.asciidoc
deleted file mode 100644
index 3bcaf07fa406..000000000000
--- a/metricbeat/docs/modules/panw/routing.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/panw/routing/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-panw-routing]]
-[role="xpack"]
-=== Panw routing metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/panw/routing/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-panw,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/panw/routing/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/panw/system.asciidoc b/metricbeat/docs/modules/panw/system.asciidoc
deleted file mode 100644
index ad159dffe425..000000000000
--- a/metricbeat/docs/modules/panw/system.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/panw/system/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-panw-system]]
-[role="xpack"]
-=== Panw system metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/panw/system/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-panw,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/panw/system/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/panw/vpn.asciidoc b/metricbeat/docs/modules/panw/vpn.asciidoc
deleted file mode 100644
index b1d9e9df0ddd..000000000000
--- a/metricbeat/docs/modules/panw/vpn.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/panw/vpn/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-panw-vpn]]
-[role="xpack"]
-=== Panw vpn metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/panw/vpn/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-panw,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/panw/vpn/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/php_fpm.asciidoc b/metricbeat/docs/modules/php_fpm.asciidoc
deleted file mode 100644
index 6f07cfd20993..000000000000
--- a/metricbeat/docs/modules/php_fpm.asciidoc
+++ /dev/null
@@ -1,82 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: php_fpm
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/php_fpm/_meta/docs.asciidoc
-
-
-[[metricbeat-module-php_fpm]]
-== PHP_FPM module
-
-This module periodically fetches metrics from https://php-fpm.org[PHP-FPM]
-servers.
-
-The default metricset is `pool`.
-
-[float]
-=== Module-specific configuration notes
-
-You need to enable the PHP-FPM status page by properly configuring
-`pm.status_path`.
-
-Here is a sample nginx configuration to forward requests to the PHP-FPM status
-page (assuming `pm.status_path` is configured with default value `/status`):
-
-----
-nginx
-location ~ /status {
-     allow 127.0.0.1;
-     deny all;
-     include fastcgi_params;
-     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-     fastcgi_pass 127.0.0.1:9000;
-}
-----
-
-
-[float]
-=== Compatibility
-
-The PHP_FPM metricsets were tested with PHP 7.1.1 and are expected to
-work with all versions >= 5.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The PHP_FPM module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: php_fpm
-  metricsets:
-  - pool
-  #- process
-  enabled: true
-  period: 10s
-  status_path: "/status"
-  hosts: ["localhost:8080"]
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-php_fpm-pool,pool>>
-
-* <<metricbeat-metricset-php_fpm-process,process>>
-
-include::php_fpm/pool.asciidoc[]
-
-include::php_fpm/process.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/php_fpm/pool.asciidoc b/metricbeat/docs/modules/php_fpm/pool.asciidoc
deleted file mode 100644
index 54dafcd30f87..000000000000
--- a/metricbeat/docs/modules/php_fpm/pool.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/php_fpm/pool/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-php_fpm-pool]]
-=== PHP_FPM pool metricset
-
-include::../../../module/php_fpm/pool/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-php_fpm,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/php_fpm/pool/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/php_fpm/process.asciidoc b/metricbeat/docs/modules/php_fpm/process.asciidoc
deleted file mode 100644
index 4adf742b8505..000000000000
--- a/metricbeat/docs/modules/php_fpm/process.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/php_fpm/process/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-php_fpm-process]]
-=== PHP_FPM process metricset
-
-include::../../../module/php_fpm/process/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-php_fpm,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/php_fpm/process/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/postgresql.asciidoc b/metricbeat/docs/modules/postgresql.asciidoc
deleted file mode 100644
index b09ade4bd127..000000000000
--- a/metricbeat/docs/modules/postgresql.asciidoc
+++ /dev/null
@@ -1,139 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: postgresql
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/postgresql/_meta/docs.asciidoc
-
-
-[[metricbeat-module-postgresql]]
-== PostgreSQL module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This module periodically fetches metrics from
-https://www.postgresql.org/[PostgreSQL] servers.
-
-Default metricsets are `activity`, `bgwriter` and `database`.
-
-
-[float]
-=== Dashboard
-
-The PostgreSQL module comes with a predefined dashboard showing databse related metrics. For example:
-
-image::./images/metricbeat-postgresql-overview.png[]
-
-
-[float]
-=== Module-specific configuration notes
-
-When configuring the `hosts` option, you must use Postgres URLs of the following
-format:
-
------------------------------------
-[postgres://][user:pass@]host[:port][?options]
------------------------------------
-
-The URL can be as simple as:
-
-[source,yaml]
-----------------------------------------------------------------------
-- module: postgresql
-  hosts: ["postgres://localhost"]
-----------------------------------------------------------------------
-
-Or more complex like:
-
-[source,yaml]
-----------------------------------------------------------------------
-- module: postgresql
-  hosts: ["postgres://localhost:40001?sslmode=disable", "postgres://otherhost:40001"]
-----------------------------------------------------------------------
-
-You can also separately specify the username and password using the respective
-configuration options. Usernames and passwords specified in the URL take
-precedence over those specified in the `username` and `password` config options.
-
-[source,yaml]
-----
-- module: postgresql
-  metricsets: ["status"]
-  hosts: ["postgres://localhost:5432"]
-  username: root
-  password: test
-----
-
-[float]
-=== Compatibility
-
-This module was tested with PostgreSQL 9, 10, 11, 12 and 13. It is expected to work with all
-versions >= 9.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The PostgreSQL module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: postgresql
-  enabled: true
-  metricsets:
-    # Stats about every PostgreSQL database
-    - database
-
-    # Stats about the background writer process's activity
-    - bgwriter
-
-    # Stats about every PostgreSQL process
-    - activity
-
-    # Stats about every statement executed in the server. It requires the
-    # `pg_stats_statement` library to be configured in the server.
-    #- statement
-
-  period: 10s
-
-  # The host must be passed as PostgreSQL URL. Example:
-  # postgres://localhost:5432?sslmode=disable
-  # The available parameters are documented here:
-  # https://godoc.org/github.com/lib/pq#hdr-Connection_String_Parameters
-  hosts: ["postgres://localhost:5432"]
-
-  # Username to use when connecting to PostgreSQL. Empty by default.
-  #username: user
-
-  # Password to use when connecting to PostgreSQL. Empty by default.
-  #password: pass
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-postgresql-activity,activity>>
-
-* <<metricbeat-metricset-postgresql-bgwriter,bgwriter>>
-
-* <<metricbeat-metricset-postgresql-database,database>>
-
-* <<metricbeat-metricset-postgresql-statement,statement>>
-
-include::postgresql/activity.asciidoc[]
-
-include::postgresql/bgwriter.asciidoc[]
-
-include::postgresql/database.asciidoc[]
-
-include::postgresql/statement.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/postgresql/activity.asciidoc b/metricbeat/docs/modules/postgresql/activity.asciidoc
deleted file mode 100644
index 06c41e9c3237..000000000000
--- a/metricbeat/docs/modules/postgresql/activity.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/postgresql/activity/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-postgresql-activity]]
-=== PostgreSQL activity metricset
-
-include::../../../module/postgresql/activity/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-postgresql,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/postgresql/activity/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/postgresql/bgwriter.asciidoc b/metricbeat/docs/modules/postgresql/bgwriter.asciidoc
deleted file mode 100644
index 2ff71364679f..000000000000
--- a/metricbeat/docs/modules/postgresql/bgwriter.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/postgresql/bgwriter/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-postgresql-bgwriter]]
-=== PostgreSQL bgwriter metricset
-
-include::../../../module/postgresql/bgwriter/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-postgresql,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/postgresql/bgwriter/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/postgresql/database.asciidoc b/metricbeat/docs/modules/postgresql/database.asciidoc
deleted file mode 100644
index 5726ff4beafe..000000000000
--- a/metricbeat/docs/modules/postgresql/database.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/postgresql/database/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-postgresql-database]]
-=== PostgreSQL database metricset
-
-include::../../../module/postgresql/database/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-postgresql,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/postgresql/database/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/postgresql/statement.asciidoc b/metricbeat/docs/modules/postgresql/statement.asciidoc
deleted file mode 100644
index 91ae83259207..000000000000
--- a/metricbeat/docs/modules/postgresql/statement.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/postgresql/statement/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-postgresql-statement]]
-=== PostgreSQL statement metricset
-
-include::../../../module/postgresql/statement/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-postgresql,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/postgresql/statement/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/prometheus.asciidoc b/metricbeat/docs/modules/prometheus.asciidoc
deleted file mode 100644
index ca05a6222e4e..000000000000
--- a/metricbeat/docs/modules/prometheus.asciidoc
+++ /dev/null
@@ -1,122 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: prometheus
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/prometheus/_meta/docs.asciidoc
-
-
-[[metricbeat-module-prometheus]]
-== Prometheus module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-[[prometheus-module]]
-This module periodically scrapes metrics from
-https://prometheus.io/docs/instrumenting/exporters/[Prometheus exporters].
-
-[float]
-=== Dashboard
-
-The Prometheus module comes with a predefined dashboard for Prometheus specific stats. For example:
-
-image::./images/metricbeat-prometheus-overview.png[]
-
-
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Prometheus module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-# Metrics collected from a Prometheus endpoint
-- module: prometheus
-  period: 10s
-  metricsets: ["collector"]
-  hosts: ["localhost:9090"]
-  metrics_path: /metrics
-  #metrics_filters:
-  #  include: []
-  #  exclude: []
-  #username: "user"
-  #password: "secret"
-
-  # Count number of metrics present in Elasticsearch document (default: false)
-  #metrics_count: false
-
-  # This can be used for service account based authorization:
-  #bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-  #ssl.certificate_authorities:
-  #  - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
-
-
-# Metrics sent by a Prometheus server using remote_write option
-#- module: prometheus
-#  metricsets: ["remote_write"]
-#  host: "localhost"
-#  port: "9201"
-
-  # Count number of metrics present in Elasticsearch document (default: false)
-  #metrics_count: false
-
-  # Secure settings for the server using TLS/SSL:
-  #ssl.certificate: "/etc/pki/server/cert.pem"
-  #ssl.key: "/etc/pki/server/cert.key"
-
-# Metrics that will be collected using a PromQL
-#- module: prometheus
-#  metricsets: ["query"]
-#  hosts: ["localhost:9090"]
-#  period: 10s
-#  queries:
-#  - name: "instant_vector"
-#    path: "/api/v1/query"
-#    params:
-#      query: "sum(rate(prometheus_http_requests_total[1m]))"
-#  - name: "range_vector"
-#    path: "/api/v1/query_range"
-#    params:
-#      query: "up"
-#      start: "2019-12-20T00:00:00.000Z"
-#      end:  "2019-12-21T00:00:00.000Z"
-#      step: 1h
-#  - name: "scalar"
-#    path: "/api/v1/query"
-#    params:
-#      query: "100"
-#  - name: "string"
-#    path: "/api/v1/query"
-#    params:
-#      query: "some_value"
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-prometheus-collector,collector>>
-
-* <<metricbeat-metricset-prometheus-query,query>>
-
-* <<metricbeat-metricset-prometheus-remote_write,remote_write>>
-
-include::prometheus/collector.asciidoc[]
-
-include::prometheus/query.asciidoc[]
-
-include::prometheus/remote_write.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/prometheus/collector.asciidoc b/metricbeat/docs/modules/prometheus/collector.asciidoc
deleted file mode 100644
index b288266ec3af..000000000000
--- a/metricbeat/docs/modules/prometheus/collector.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/prometheus/collector/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-prometheus-collector]]
-=== Prometheus collector metricset
-
-include::../../../module/prometheus/collector/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-prometheus,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/prometheus/collector/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/prometheus/query.asciidoc b/metricbeat/docs/modules/prometheus/query.asciidoc
deleted file mode 100644
index 24a24e14b36f..000000000000
--- a/metricbeat/docs/modules/prometheus/query.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/prometheus/query/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-prometheus-query]]
-=== Prometheus query metricset
-
-include::../../../module/prometheus/query/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-prometheus,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/prometheus/query/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/prometheus/remote_write.asciidoc b/metricbeat/docs/modules/prometheus/remote_write.asciidoc
deleted file mode 100644
index bd5b089097f3..000000000000
--- a/metricbeat/docs/modules/prometheus/remote_write.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/prometheus/remote_write/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-prometheus-remote_write]]
-=== Prometheus remote_write metricset
-
-include::../../../module/prometheus/remote_write/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-prometheus,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/prometheus/remote_write/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/rabbitmq.asciidoc b/metricbeat/docs/modules/rabbitmq.asciidoc
deleted file mode 100644
index 6f97ebd92f7c..000000000000
--- a/metricbeat/docs/modules/rabbitmq.asciidoc
+++ /dev/null
@@ -1,81 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: rabbitmq
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/rabbitmq/_meta/docs.asciidoc
-
-
-[[metricbeat-module-rabbitmq]]
-== RabbitMQ module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-The RabbitMQ module uses http://www.rabbitmq.com/management.html[HTTP API] created by the management plugin to collect metrics.
-
-The default metricsets are `connection`, `node`, `queue`, `exchange` and `shovel`.
-
-If `management.path_prefix` is set in RabbitMQ configuration, `management_path_prefix` has to be set to the same value in this module configuration.
-
-[float]
-=== Compatibility
-
-The rabbitmq module is fully tested with RabbitMQ 3.7.4 and it should be compatible with any version supporting the management plugin (which needs to be installed and enabled). Exchange metricset is also tested with 3.6.0, 3.6.5 and 3.7.14
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The RabbitMQ module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: rabbitmq
-  metricsets: ["node", "queue", "connection", "exchange", "shovel"]
-  enabled: true
-  period: 10s
-  hosts: ["localhost:15672"]
-
-  # Management path prefix, if `management.path_prefix` is set in RabbitMQ
-  # configuration, it has to be set to the same value.
-  #management_path_prefix: ""
-
-  #username: guest
-  #password: guest
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-rabbitmq-connection,connection>>
-
-* <<metricbeat-metricset-rabbitmq-exchange,exchange>>
-
-* <<metricbeat-metricset-rabbitmq-node,node>>
-
-* <<metricbeat-metricset-rabbitmq-queue,queue>>
-
-* <<metricbeat-metricset-rabbitmq-shovel,shovel>>
-
-include::rabbitmq/connection.asciidoc[]
-
-include::rabbitmq/exchange.asciidoc[]
-
-include::rabbitmq/node.asciidoc[]
-
-include::rabbitmq/queue.asciidoc[]
-
-include::rabbitmq/shovel.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/rabbitmq/connection.asciidoc b/metricbeat/docs/modules/rabbitmq/connection.asciidoc
deleted file mode 100644
index cc50429cb0d5..000000000000
--- a/metricbeat/docs/modules/rabbitmq/connection.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/rabbitmq/connection/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-rabbitmq-connection]]
-=== RabbitMQ connection metricset
-
-include::../../../module/rabbitmq/connection/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-rabbitmq,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/rabbitmq/connection/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/rabbitmq/exchange.asciidoc b/metricbeat/docs/modules/rabbitmq/exchange.asciidoc
deleted file mode 100644
index 3aa8aaf7aeef..000000000000
--- a/metricbeat/docs/modules/rabbitmq/exchange.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/rabbitmq/exchange/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-rabbitmq-exchange]]
-=== RabbitMQ exchange metricset
-
-include::../../../module/rabbitmq/exchange/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-rabbitmq,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/rabbitmq/exchange/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/rabbitmq/node.asciidoc b/metricbeat/docs/modules/rabbitmq/node.asciidoc
deleted file mode 100644
index 578430b4fbe4..000000000000
--- a/metricbeat/docs/modules/rabbitmq/node.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/rabbitmq/node/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-rabbitmq-node]]
-=== RabbitMQ node metricset
-
-include::../../../module/rabbitmq/node/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-rabbitmq,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/rabbitmq/node/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/rabbitmq/queue.asciidoc b/metricbeat/docs/modules/rabbitmq/queue.asciidoc
deleted file mode 100644
index 5f1d3ad6e114..000000000000
--- a/metricbeat/docs/modules/rabbitmq/queue.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/rabbitmq/queue/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-rabbitmq-queue]]
-=== RabbitMQ queue metricset
-
-include::../../../module/rabbitmq/queue/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-rabbitmq,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/rabbitmq/queue/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/rabbitmq/shovel.asciidoc b/metricbeat/docs/modules/rabbitmq/shovel.asciidoc
deleted file mode 100644
index 75f1e04044c0..000000000000
--- a/metricbeat/docs/modules/rabbitmq/shovel.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/rabbitmq/shovel/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-rabbitmq-shovel]]
-=== RabbitMQ shovel metricset
-
-beta[]
-
-include::../../../module/rabbitmq/shovel/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-rabbitmq,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/rabbitmq/shovel/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/redis.asciidoc b/metricbeat/docs/modules/redis.asciidoc
deleted file mode 100644
index 8ce66ddc8495..000000000000
--- a/metricbeat/docs/modules/redis.asciidoc
+++ /dev/null
@@ -1,123 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: redis
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/redis/_meta/docs.asciidoc
-
-
-[[metricbeat-module-redis]]
-== Redis module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This module periodically fetches metrics from http://redis.io/[Redis] servers.
-
-The defaut metricsets are `info` and `keyspace`.
-
-[float]
-=== Module-specific configuration notes
-
-The Redis module has these additional config options:
-
-*`hosts`*:: URLs that are used to connect to Redis.
-URL format:
-redis://[:password@]host[:port][/db-number][?option=value]
-redis://HOST[:PORT][?password=PASSWORD[&db=DATABASE]]
-*`password`*:: The password to authenticate, by default it's empty.
-*`idle_timeout`*:: The duration to remain idle before closing connections. If
-  the value is zero, then idle connections are not closed. The default value
-  is 2 times the module period to allow a connection to be reused across
-  fetches. The `idle_timeout` should be set to less than the server's connection
-  timeout.
-*`network`*:: The network type to be used for the Redis connection. The default value is
-  `tcp`.
-*`maxconn`*:: The maximum number of concurrent connections to Redis. The default value
-  is 10.
-
-
-[float]
-=== Compatibility
-
-The redis metricsets `info`, `key` and `keyspace` are compatible with all distributions of Redis (OSS and enterprise).
-They were tested with Redis 3.2.12, 4.0.11, 5.0-rc4 and 6.2.6, and are expected to work with all versions >= 3.0.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Redis module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: redis
-  metricsets: ["info", "keyspace"]
-  enabled: true
-  period: 10s
-
-  # Redis hosts
-  hosts: ["127.0.0.1:6379"]
-
-  # Timeout after which time a metricset should return an error
-  # Timeout is by default defined as period, as a fetch of a metricset
-  # should never take longer then period, as otherwise calls can pile up.
-  #timeout: 1s
-
-  # Optional fields to be added to each event
-  #fields:
-  #  datacenter: west
-
-  # Network type to be used for redis connection. Default: tcp
-  #network: tcp
-
-  # Max number of concurrent connections. Default: 10
-  #maxconn: 10
-
-  # Filters can be used to reduce the number of fields sent.
-  #processors:
-  #  - include_fields:
-  #      fields: ["beat", "metricset", "redis.info.stats"]
-
-  # Redis AUTH username (Redis 6.0+). Empty by default.
-  #username: user
-
-  # Redis AUTH password. Empty by default.
-  #password: pass
-
-  # Optional SSL/TLS (Redis 6.0+). By default is false.
-  #ssl.enabled: true
-
-  # List of root certificates for SSL/TLS server verification
-  #ssl.certificate_authorities: ["/etc/pki/root/ca.crt"]
-
-  # Certificate for SSL/TLS client authentication
-  #ssl.certificate: "/etc/pki/client/cert.crt"
-
-  # Client certificate key file
-  #ssl.key: "/etc/pki/client/cert.key"
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-redis-info,info>>
-
-* <<metricbeat-metricset-redis-key,key>>
-
-* <<metricbeat-metricset-redis-keyspace,keyspace>>
-
-include::redis/info.asciidoc[]
-
-include::redis/key.asciidoc[]
-
-include::redis/keyspace.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/redis/info.asciidoc b/metricbeat/docs/modules/redis/info.asciidoc
deleted file mode 100644
index e0f0e8f5f007..000000000000
--- a/metricbeat/docs/modules/redis/info.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/redis/info/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-redis-info]]
-=== Redis info metricset
-
-include::../../../module/redis/info/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-redis,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/redis/info/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/redis/key.asciidoc b/metricbeat/docs/modules/redis/key.asciidoc
deleted file mode 100644
index dc293c6e1155..000000000000
--- a/metricbeat/docs/modules/redis/key.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/redis/key/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-redis-key]]
-=== Redis key metricset
-
-include::../../../module/redis/key/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-redis,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/redis/key/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/redis/keyspace.asciidoc b/metricbeat/docs/modules/redis/keyspace.asciidoc
deleted file mode 100644
index e9db28d50df2..000000000000
--- a/metricbeat/docs/modules/redis/keyspace.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/redis/keyspace/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-redis-keyspace]]
-=== Redis keyspace metricset
-
-include::../../../module/redis/keyspace/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-redis,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/redis/keyspace/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/redisenterprise.asciidoc b/metricbeat/docs/modules/redisenterprise.asciidoc
deleted file mode 100644
index 730fe9c09b2c..000000000000
--- a/metricbeat/docs/modules/redisenterprise.asciidoc
+++ /dev/null
@@ -1,77 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: redisenterprise
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/redisenterprise/_meta/docs.asciidoc
-
-
-[[metricbeat-module-redisenterprise]]
-[role="xpack"]
-== Redis Enterprise module
-
-beta[]
-
-This module periodically fetches metrics from https://redislabs.com/redis-enterprise/[Redis Enterprise Software].
-
-The defaut metricsets are `node` and `proxy`.
-
-[float]
-=== Module-specific configuration notes
-
-The `redisenterprise` module has these additional config options:
-
-*`hosts`*:: URLs that are used to connect to Redis.
-URL format:
-https://HOST[:PORT]
-
-[float]
-=== Compatibility
-
-The metricsets `node` and `proxy` are compatible with Redis Enterprise Software (RES). There were tested with RES
-5.4.10-22 and are expected to work with all versions >= 5.0.2.
-
-[float]
-=== Dashboard
-
-The `redisenterprise` module includes a predefined dashboard with overview information
-of the monitored servers.
-
-image::./images/metricbeat-redisenterprise-overview.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Redis Enterprise module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: redisenterprise
-  metricsets:
-    - node
-    - proxy
-  period: 1m
-
-  # Metrics endpoint
-  hosts: ["https://127.0.0.1:8070/"]
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-redisenterprise-node,node>>
-
-* <<metricbeat-metricset-redisenterprise-proxy,proxy>>
-
-include::redisenterprise/node.asciidoc[]
-
-include::redisenterprise/proxy.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/redisenterprise/node.asciidoc b/metricbeat/docs/modules/redisenterprise/node.asciidoc
deleted file mode 100644
index a8232ec1076c..000000000000
--- a/metricbeat/docs/modules/redisenterprise/node.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/redisenterprise/node/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-redisenterprise-node]]
-[role="xpack"]
-=== Redis Enterprise node metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/redisenterprise/node/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-redisenterprise,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/redisenterprise/node/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/redisenterprise/proxy.asciidoc b/metricbeat/docs/modules/redisenterprise/proxy.asciidoc
deleted file mode 100644
index 6b05e94b87b9..000000000000
--- a/metricbeat/docs/modules/redisenterprise/proxy.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/redisenterprise/proxy/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-redisenterprise-proxy]]
-[role="xpack"]
-=== Redis Enterprise proxy metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/redisenterprise/proxy/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-redisenterprise,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/redisenterprise/proxy/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/sql.asciidoc b/metricbeat/docs/modules/sql.asciidoc
deleted file mode 100644
index d8e0e15b617d..000000000000
--- a/metricbeat/docs/modules/sql.asciidoc
+++ /dev/null
@@ -1,943 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: sql
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/sql/_meta/docs.asciidoc
-
-
-[[metricbeat-module-sql]]
-[role="xpack"]
-== SQL module
-
-The SQL module allows you to execute custom queries against an SQL database and
-store the results in {es}. It also enables the development of various SQL metrics integrations, using SQL query as input.
-
-This module supports the databases that you can monitor with {metricbeat},
-including:
-
-* PostgreSQL
-* MySQL
-* Oracle
-* Microsoft SQL
-* CockroachDB
-
-To enable the module, run:
-
-[source,shell]
-----
-metricbeat module enable sql
-----
-
-After enabling the module, open `modules.d/sql.yml` and set the required
-fields:
-
-`driver`:: The driver can be any driver that has a {metricbeat} module, such as
-`mssql` or `postgres`.
-
-`fetch_from_all_databases`:: Expects either `true` or `false` and it is by default set to `false`. Marking as `true` will enable execution `sql_queries` or `sql_query` for all databases in a server. Currently only `mssql` driver supports this feature. For other drivers, if enabled, "fetch from all databases feature is not supported for driver: <driver_name>" error would be logged.
-
-`raw_data.enabled`:: Expects either `true` or `false` and it is by default set to `false`. Marking as `true` will generate event results in a new field format.
-
-Use `sql_queries` or `sql_query` depending on the use-case.
-
-`sql_queries`:: List of queries to execute. `query` and `response_format` fields are repeated to get multiple query inputs.
-
-`query`::: Single SQL query.
-
-`response_format`::: Either `variables` or `table`.
-`variables`:::: Expects a two-column table that looks like a key-value result. The left column is considered a key and the right column is the value. This mode generates a single event on each fetch operation.
-`table`:::: Expects any number of columns. This mode generates a single event for each row.
-
-`sql_query` (`Backward Compatibility`):: Single query you want to run. Also, provide corresponding `sql_response_format` (value: `variables` or `table`) similar to `sql_queries`'s `response_format`.
-
-[float]
-== Example
-
-Examples of configurations in `sql.yml` to connect with supported databases are mentioned below. 
-
-[float]
-=== Example: Capture Innodb-related metrics
-
-This `sql.yml` configuration shows how to capture Innodb-related metrics that
-result from the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL
-database:
-
-[source,yaml]
-----
-- module: sql
-  metricsets:
-    - query
-  period: 10s
-  hosts: ["root:root@tcp(localhost:3306)/ps"]
-
-  driver: "mysql"
-  sql_query: "SHOW GLOBAL STATUS LIKE 'Innodb_system%'"
-  sql_response_format: variables
-----
-
-The `SHOW GLOBAL STATUS` query results in this table:
-
-|====
-|Variable_name|Value
-
-|Innodb_system_rows_deleted|0
-|Innodb_system_rows_inserted|0
-|Innodb_system_rows_read|5062
-|Innodb_system_rows_updated|315
-|====
-
-Results are grouped by type in the result event for convenient mapping in
-{es}. For example, `strings` values are grouped into `sql.strings`, `numeric`
-into `sql.numeric`, and so on.
-
-The example shown earlier generates this event:
-
-[source,json]
-----
-{
-  "@timestamp": "2020-06-09T15:09:14.407Z",
-  "@metadata": {
-    "beat": "metricbeat",
-    "type": "_doc",
-    "version": "8.0.0"
-  },
-  "service": {
-    "address": "172.18.0.2:3306",
-    "type": "sql"
-  },
-  "event": {
-    "dataset": "sql.query",
-    "module": "sql",
-    "duration": 1272810
-  },
-  "sql": {
-    "driver": "mysql",
-    "query": "SHOW GLOBAL STATUS LIKE 'Innodb_system%'",
-    "metrics": {
-      "numeric": {
-        "innodb_system_rows_updated": 315,
-        "innodb_system_rows_deleted": 0,
-        "innodb_system_rows_inserted": 0,
-        "innodb_system_rows_read": 5062
-      }
-    }
-  },
-  "metricset": {
-    "name": "query",
-    "period": 10000
-  },
-  "ecs": {
-    "version": "1.5.0"
-  },
-  "host": {
-    "name": "elastic"
-  },
-  "agent": {
-    "name": "elastic",
-    "type": "metricbeat",
-    "version": "8.0.0",
-    "ephemeral_id": "488431bd-bd3c-4442-ad51-0c50eb555787",
-    "id": "670ef211-87f0-4f38-8beb-655c377f1629"
-  }
-}
-----
-
-[float]
-=== Example: Query PostgreSQL and generate a "table" result
-
-This `sql.yml` configuration shows how to query PostgreSQL and generate
-a "table" result. This configuration generates a single event for each row
-returned:
-
-[source,yaml]
-----
-- module: sql
-  metricsets:
-    - query
-  period: 10s
-  hosts: ["postgres://postgres:postgres@localhost:5432/stuff?sslmode=disable"]
-
-  driver: "postgres"
-  sql_query: "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database"
-  sql_response_format: table
-----
-
-The SELECT query results in this table:
-
-|====
-|datid|datname|blks_read|blks_hit|tup_returned|tup_fetched|stats_reset
-
-|69448|stuff|8652|205976|1484625|53218|2020-06-07 22:50:12
-|13408|postgres|0|0|0|0|
-|13407|template0|0|0|0|0|
-|====
-
-Because the table contains three rows, three events are generated, one event
-for each row. For example, this event is created for the first row:
-
-[source,json]
-----
-{
-  "@timestamp": "2020-06-09T14:47:35.481Z",
-  "@metadata": {
-    "beat": "metricbeat",
-    "type": "_doc",
-    "version": "8.0.0"
-  },
-  "service": {
-    "address": "localhost:5432",
-    "type": "sql"
-  },
-  "ecs": {
-    "version": "1.5.0"
-  },
-  "host": {
-    "name": "elastic"
-  },
-  "agent": {
-    "type": "metricbeat",
-    "version": "8.0.0",
-    "ephemeral_id": "1bffe66d-a1ae-4ed6-985a-fd48548a1971",
-    "id": "670ef211-87f0-4f38-8beb-655c377f1629",
-    "name": "elastic"
-  },
-  "sql": {
-    "metrics": {
-      "numeric": {
-        "tup_fetched": 53350,
-        "datid": 69448,
-        "blks_read": 8652,
-        "blks_hit": 206501,
-        "tup_returned": 1.491873e+06
-      },
-      "string": {
-        "stats_reset": "2020-06-07T20:50:12.632975Z",
-        "datname": "stuff"
-      }
-    },
-    "driver": "postgres",
-    "query": "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database"
-  },
-  "event": {
-    "dataset": "sql.query",
-    "module": "sql",
-    "duration": 14076705
-  },
-  "metricset": {
-    "name": "query",
-    "period": 10000
-  }
-}
-----
-
-[float]
-=== Example: Get the buffer catch hit ratio in Oracle
-
-This `sql.yml` configuration shows how to get the buffer cache hit ratio:
-
-[source,yaml]
-----
-- module: sql
-  metricsets:
-    - query
-  period: 10s
-  hosts: ["oracle://sys:password@172.17.0.3:1521/ORCLPDB1.localdomain?sysdba=1"]
-
-  driver: "oracle"
-  sql_query: 'SELECT name, physical_reads, db_block_gets, consistent_gets, 1 - (physical_reads / (db_block_gets + consistent_gets)) "Hit Ratio" FROM V$BUFFER_POOL_STATISTICS'
-  sql_response_format: table
-----
-
-The example generates this event:
-
-[source,json]
-----
-{
-  "@timestamp": "2020-06-09T15:41:02.200Z",
-  "@metadata": {
-    "beat": "metricbeat",
-    "type": "_doc",
-    "version": "8.0.0"
-  },
-  "sql": {
-    "metrics": {
-      "numeric": {
-        "hit ratio": 0.9742963357937117,
-        "physical_reads": 17161,
-        "db_block_gets": 122221,
-        "consistent_gets": 545427
-      },
-      "string": {
-        "name": "DEFAULT"
-      }
-    },
-    "driver": "oracle",
-    "query": "SELECT name, physical_reads, db_block_gets, consistent_gets, 1 - (physical_reads / (db_block_gets + consistent_gets)) \"Hit Ratio\" FROM V$BUFFER_POOL_STATISTICS"
-  },
-  "metricset": {
-    "period": 10000,
-    "name": "query"
-  },
-  "service": {
-    "address": "172.17.0.3:1521",
-    "type": "sql"
-  },
-  "event": {
-    "dataset": "sql.query",
-    "module": "sql",
-    "duration": 39233704
-  },
-  "ecs": {
-    "version": "1.5.0"
-  },
-  "host": {
-    "name": "elastic"
-  },
-  "agent": {
-    "id": "670ef211-87f0-4f38-8beb-655c377f1629",
-    "name": "elastic",
-    "type": "metricbeat",
-    "version": "8.0.0",
-    "ephemeral_id": "49e00060-0fa4-4b34-80f1-446881f7a788"
-  }
-}
-
-
-----
-
-[float]
-=== Example: Get the buffer cache hit ratio for MSSQL
-
-This `sql.yml` configuration gets the buffer cache hit ratio:
-
-[source,yaml]
-----
-- module: sql
-  metricsets:
-    - query
-  period: 10s
-  hosts: ["sqlserver://SA:password@localhost"]
-
-  driver: "mssql"
-  sql_query: 'SELECT * FROM sys.dm_db_log_space_usage'
-  sql_response_format: table
-----
-
-The example generates this event:
-
-[source,json]
-----
-{
-  "@timestamp": "2020-06-09T15:39:14.421Z",
-  "@metadata": {
-    "beat": "metricbeat",
-    "type": "_doc",
-    "version": "8.0.0"
-  },
-  "sql": {
-    "driver": "mssql",
-    "query": "SELECT * FROM sys.dm_db_log_space_usage",
-    "metrics": {
-      "numeric": {
-        "log_space_in_bytes_since_last_backup": 524288,
-        "database_id": 1,
-        "total_log_size_in_bytes": 2.08896e+06,
-        "used_log_space_in_bytes": 954368,
-        "used_log_space_in_percent": 45.686275482177734
-      }
-    }
-  },
-  "event": {
-    "dataset": "sql.query",
-    "module": "sql",
-    "duration": 40750570
-  }
-}
-----
-
-[float]
-=== Example: Launch two or more queries.
-
-
-To launch two or more queries, specify the full configuration for each query.
-For example:
-
-[source,yaml]
-----
-- module: sql
-  metricsets:
-    - query
-  period: 10s
-  hosts: ["postgres://postgres:postgres@localhost:5432/stuff?sslmode=disable"]
-  driver: "postgres"
-  raw_data.enabled: true
-
-  sql_queries:
-    - query: "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database"
-      response_format: table
-
-    - query: "SELECT datname, datid FROM pg_stat_database;"
-      response_format: variables
-----
-
-The example generates this event: The response event is generated in new format by enabling the flag `raw_data.enabled`.
-
-[source,json]
-----
-{
-  "@timestamp": "2022-05-13T12:47:32.071Z",
-  "@metadata": {
-    "beat": "metricbeat",
-    "type": "_doc",
-    "version": "8.3.0"
-  },
-  "event": {
-    "dataset": "sql.query",
-    "module": "sql",
-    "duration": 114468667
-  },
-  "metricset": {
-    "name": "query",
-    "period": 10000
-  },
-  "service": {
-    "address": "localhost:55656",
-    "type": "sql"
-  },
-  "sql": {
-    "driver": "postgres",
-    "query": "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database",
-    "metrics": {
-      "blks_hit": 6360,
-      "tup_returned": 2225,
-      "tup_fetched": 1458,
-      "datid": 13394,
-      "datname": "template0",
-      "blks_read": 33
-    }
-  },
-  "ecs": {
-    "version": "8.0.0"
-  },
-  "host": {
-    "name": "mps"
-  },
-  "agent": {
-    "type": "metricbeat",
-    "version": "8.3.0",
-    "ephemeral_id": "8decc9eb-5ea5-47d8-8a22-fac507a5521b",
-    "id": "6bbf5058-afed-44c6-aa05-775ee14a2da4",
-    "name": "mps"
-  }
-}
-----
-
-The example generates this event: By disabling the flag `raw_data.enabled`, which is the old format.
-
-[source,json]
-----
-{
-  "@timestamp": "2022-05-13T13:09:19.599Z",
-  "@metadata": {
-    "beat": "metricbeat",
-    "type": "_doc",
-    "version": "8.3.0"
-  },
-  "event": {
-    "dataset": "sql.query",
-    "module": "sql",
-    "duration": 77509917
-  },
-"service": {
-    "address": "localhost:55656",
-    "type": "sql"
-  },
-  "metricset": {
-    "name": "query",
-    "period": 10000
-  },
-
-  "sql": {
-    "driver": "postgres",
-    "query": "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database",
-    "metrics": {
-      "string": {
-        "stats_reset": "2022-05-13T12:02:33.825483Z"
-      },
-      "numeric": {
-        "blks_hit": 6360,
-        "tup_returned": 2225,
-        "tup_fetched": 1458,
-        "datid": 0,
-        "blks_read": 33
-      }
-    }
-  },
-  "ecs": {
-    "version": "8.0.0"
-  },
-  "host": {
-        "name": "mps"
-    },
-  "agent": {
-    "version": "8.3.0",
-    "ephemeral_id": "bc09584b-62db-4b45-bfe9-6b7e8e982361",
-    "id": "6bbf5058-afed-44c6-aa05-775ee14a2da4",
-    "name": "mps",
-    "type": "metricbeat"
-  }
-}
-----
-
-[float]
-=== Example: Merge multiple queries into a single event.
-
-Multiple queries will create multiple events, one for each query.  It may be preferable to create a single event by combining the metrics together in a single event.
-
-This feature can be enabled using the `merge_results` config.
-
-However, such a merge is possible only if the table queries are merged, each produces a single row.
-
-For example:
-
-[source,yaml]
-----
-- module: sql
-  metricsets:
-    - query
-  period: 10s
-  hosts: ["postgres://postgres:postgres@localhost?sslmode=disable"]
-
-  driver: "postgres"
-  raw_data.enabled: true
-  merge_results: true
-  sql_queries:
-    - query: "SELECT blks_hit,blks_read FROM pg_stat_database limit 1;"
-      response_format: table
-    - query: "select checkpoints_timed,checkpoints_req from pg_stat_bgwriter;"
-      response_format: table
-----
-
-This creates a combined event as below, where `blks_hit`, `blks_read`, `checkpoints_timed` and `checkpoints_req` are part of same event.
-
-[source,json]
-----
-{
-  "@timestamp": "2022-07-21T07:07:06.747Z",
-  "agent": {
-    "name": "MBP-2",
-    "type": "metricbeat",
-    "version": "8.4.0",
-    "ephemeral_id": "b0867287-e56a-492f-b421-0ac870c426f9",
-    "id": "3fe7b378-6f9e-4ca3-9aa1-067c4a6866e5"
-  },
-  "metricset": {
-    "period": 10000,
-    "name": "query"
-  },
-  "service": {
-    "type": "sql",
-    "address": "localhost"
-  },
-  "sql": {
-    "metrics": {
-      "blks_read": 21,
-      "checkpoints_req": 1,
-      "checkpoints_timed": 66,
-      "blks_hit": 7592
-    },
-    "driver": "postgres"
-  },
-  "event": {
-    "module": "sql",
-    "duration": 18883084,
-    "dataset": "sql.query"
-  }
-}
-----
-
-[float]
-=== Example: Execute given queries for all database(s) present in a server
-
-Assuming a user could have 100s of databases on their server and then it becomes cumbersome to add them manually to the query. If `fetch_from_all_databases` is set to `true` then SQL module would fetch the databases names automatically and prefix
-the database selector statement to the queries so that the queries can run against
-the database provided.
-
-Currently, this feature only works with `mssql` driver. For example:
-
-[source,yaml]
-----
-- module: sql
-  metricsets:
-    - query
-  period: 50s
-  hosts: ["sqlserver://<user>:<password>@<host>"]
-  raw_data.enabled: true
-
-  fetch_from_all_databases: true
-
-  driver: "mssql"
-  sql_queries:
-    - query: SELECT DB_NAME() AS 'database_name';
-      response_format: table
-----
-
-For an mssql instance, by default only four databases are present namely — `master`, `model`, `msdb`, `tempdb`. So, if `fetch_from_all_databases` is enabled then query `SELECT DB_NAME() AS 'database_name'` runs for each one of them i.e., there would be in total 4 documents (one each for 4 databases) for every scrape.
-
-
-[source,json]
-----
-{
-    "@timestamp": "2023-07-16T22:05:26.976Z",
-    "@metadata": {
-        "beat": "metricbeat",
-        "type": "_doc",
-        "version": "8.10.0"
-    },
-    "service": {
-        "type": "sql",
-        "address": "localhost"
-    },
-    "event": {
-        "dataset": "sql.query",
-        "module": "sql",
-        "duration": 40346375
-    },
-    "metricset": {
-        "name": "query",
-        "period": 50000
-    },
-    "sql": {
-        "metrics": {
-            "database_name": "master"
-        },
-        "driver": "mssql",
-        "query": "USE [master]; SELECT DB_NAME() AS 'database_name';"
-    },
-    "host": {
-        "os": {
-            "type": "macos",
-            "platform": "darwin",
-            "version": "13.3.1",
-            "family": "darwin",
-            "name": "macOS",
-            "kernel": "<redacted>",
-            "build": "<redacted>"
-        },
-        "name": "<redacted>",
-        "id": "<redacted>",
-        "ip": [
-            "<redacted>"
-        ],
-        "mac": [
-            "<redacted>"
-        ],
-        "hostname": "<redacted>",
-        "architecture": "arm64"
-    },
-    "agent": {
-        "name": "<redacted>",
-        "type": "metricbeat",
-        "version": "8.10.0",
-        "ephemeral_id": "<redacted>",
-        "id": "<redacted>"
-    },
-    "ecs": {
-        "version": "8.0.0"
-    }
-}
-{
-    "@timestamp": "2023-07-16T22:05:26.976Z",
-    "@metadata": {
-        "beat": "metricbeat",
-        "type": "_doc",
-        "version": "8.10.0"
-    },
-    "agent": {
-        "ephemeral_id": "<redacted>",
-        "id": "<redacted>",
-        "name": "<redacted>",
-        "type": "metricbeat",
-        "version": "8.10.0"
-    },
-    "event": {
-        "module": "sql",
-        "duration": 43147875,
-        "dataset": "sql.query"
-    },
-    "metricset": {
-        "period": 50000,
-        "name": "query"
-    },
-    "service": {
-        "address": "localhost",
-        "type": "sql"
-    },
-    "sql": {
-        "metrics": {
-            "database_name": "tempdb"
-        },
-        "driver": "mssql",
-        "query": "USE [tempdb]; SELECT DB_NAME() AS 'database_name';"
-    },
-    "ecs": {
-        "version": "8.0.0"
-    },
-    "host": {
-        "name": "<redacted>",
-        "architecture": "arm64",
-        "os": {
-            "platform": "darwin",
-            "version": "13.3.1",
-            "family": "darwin",
-            "name": "macOS",
-            "kernel": "<redacted>",
-            "build": "<redacted>",
-            "type": "macos"
-        },
-        "id": "<redacted>",
-        "ip": [
-            "<redacted>"
-        ],
-        "mac": [
-            "<redacted>"
-        ],
-        "hostname": "<redacted>"
-    }
-}
-{
-    "@timestamp": "2023-07-16T22:05:26.976Z",
-    "@metadata": {
-        "beat": "metricbeat",
-        "type": "_doc",
-        "version": "8.10.0"
-    },
-    "host": {
-        "os": {
-            "build": "<redacted>",
-            "type": "macos",
-            "platform": "darwin",
-            "version": "13.3.1",
-            "family": "darwin",
-            "name": "macOS",
-            "kernel": "<redacted>"
-        },
-        "id": "<redacted>",
-        "ip": [
-            "<redacted>"
-        ],
-        "mac": [
-            "<redacted>"
-        ],
-        "hostname": "<redacted>",
-        "name": "<redacted>",
-        "architecture": "arm64"
-    },
-    "agent": {
-        "ephemeral_id": "<redacted>",
-        "id": "<redacted>",
-        "name": "<redacted>",
-        "type": "metricbeat",
-        "version": "8.10.0"
-    },
-    "service": {
-        "address": "localhost",
-        "type": "sql"
-    },
-    "sql": {
-        "metrics": {
-            "database_name": "model"
-        },
-        "driver": "mssql",
-        "query": "USE [model]; SELECT DB_NAME() AS 'database_name';"
-    },
-    "event": {
-        "dataset": "sql.query",
-        "module": "sql",
-        "duration": 46623125
-    },
-    "metricset": {
-        "name": "query",
-        "period": 50000
-    },
-    "ecs": {
-        "version": "8.0.0"
-    }
-}
-{
-    "@timestamp": "2023-07-16T22:05:26.976Z",
-    "@metadata": {
-        "beat": "metricbeat",
-        "type": "_doc",
-        "version": "8.10.0"
-    },
-    "host": {
-        "architecture": "arm64",
-        "os": {
-            "kernel": "<redacted>",
-            "build": "<redacted>",
-            "type": "macos",
-            "platform": "darwin",
-            "version": "13.3.1",
-            "family": "darwin",
-            "name": "macOS"
-        },
-        "name": "<redacted>",
-        "id": "<redacted>",
-        "ip": [
-            "<redacted>"
-        ],
-        "mac": [
-            "<redacted>"
-        ],
-        "hostname": "<redacted>"
-    },
-    "agent": {
-        "type": "metricbeat",
-        "version": "8.10.0",
-        "ephemeral_id": "<redacted>",
-        "id": "<redacted>",
-        "name": "<redacted>"
-    },
-    "event": {
-        "dataset": "sql.query",
-        "module": "sql",
-        "duration": 49649250
-    },
-    "metricset": {
-        "name": "query",
-        "period": 50000
-    },
-    "service": {
-        "address": "localhost",
-        "type": "sql"
-    },
-    "sql": {
-        "metrics": {
-            "database_name": "msdb"
-        },
-        "driver": "mssql",
-        "query": "USE [msdb]; SELECT DB_NAME() AS 'database_name';"
-    },
-    "ecs": {
-        "version": "8.0.0"
-    }
-}
-----
-
-
-=== Host Setup
-
-Some drivers require additional configuration to work. Find here instructions for these drivers.
-
-==== Oracle Database Connection Pre-requisites
-
-To get connected with the Oracle Database `ORACLE_SID`, `ORACLE_BASE`, `ORACLE_HOME` environment variables should be set.
-
-For example: Let us consider Oracle Database 21c installation using RPM manually by following https://docs.oracle.com/en/database/oracle/oracle-database/21/ladbi/running-rpm-packages-to-install-oracle-database.html[this] link, environment variables should be set as follows:
-
-[source,bash]
-----
-export ORACLE_BASE=/opt/oracle/oradata
-export ORACLE_HOME=/opt/oracle/product/21c/dbhome_1
-----
-Also, add `ORACLE_HOME/bin` to the `PATH` environment variable. 
-
-===== Oracle Instant Client Installation
-
-Oracle Instant Client enables the development and deployment of applications that connect to the Oracle Database. The Instant Client libraries provide the necessary network connectivity and advanced data features to make full use of the Oracle Database. If you have an OCI Oracle server which comes with these libraries pre-installed, you don't need a separate client installation.
-
-The OCI library installs a few Client Shared Libraries that must be referenced on the machine where Metricbeat is installed. Please follow https://docs.oracle.com/en/database/oracle/oracle-database/21/lacli/install-instant-client-using-zip.html#GUID-D3DCB4FB-D3CA-4C25-BE48-3A1FB5A22E84[this] link for OCI Instant Client set up. The OCI Instant Client is available with the Oracle Universal Installer, RPM file or ZIP file. Download links can be found at https://www.oracle.com/database/technologies/instant-client/downloads.html[here].
-
-===== Enable Oracle Listener
-
-The Oracle listener is a service that runs on the database host and receives requests from Oracle clients. Make sure that https://docs.oracle.com/cd/B19306_01/network.102/b14213/lsnrctl.htm[listener] should be running. 
-To check if the listener is running or not, run: 
-
-[source,bash]
-----
-lsnrctl STATUS
-----
-
-If the listener is not running, use the command to start:
-
-[source,bash]
-----
-lsnrctl START
-----
-
-Then, Metricbeat can be launched.
-
-===== Host Configuration for Oracle
-
-The following types of host configuration are supported:
-
-1. An old-style Oracle connection string, for backwards compatibility:
-    a. `hosts: ["user/pass@0.0.0.0:1521/ORCLPDB1.localdomain"]`
-    b. `hosts: ["user/password@0.0.0.0:1521/ORCLPDB1.localdomain as sysdba"]`
-
-2. DSN configuration as a URL:
-    a. `hosts: ["oracle://user:pass@0.0.0.0:1521/ORCLPDB1.localdomain?sysdba=1"]`
-
-3. DSN configuration as a logfmt-encoded parameter list:
-    a. `hosts: ['user="user" password="pass" connectString="0.0.0.0:1521/ORCLPDB1.localdomain"']`
-    b. `hosts: ['user="user" password="password" connectString="host:port/service_name" sysdba=true']`
-
-DSN host configuration is the recommended configuration type as it supports the use of special characters in the password.
-
-In a URL any special characters should be URL encoded.
-
-In the logfmt-encoded DSN format, if the password contains a backslash character (`\`), it must be escaped with another backslash. For example, if the password is `my\_password`, it must be written as `my\\_password`.
-
-The username and password to connect to the database can be provided as values to the `username` and `password` keys of `sql.yml`.
-
-[source,yml]
-----
-- module: sql
-  metricsets:
-    - query
-  period: 10s
-  driver: "oracle"
-  enabled: true
-  hosts: ['user="" password="" connectString="0.0.0.0:1521/ORCLCDB.localdomain" sysdba=true']
-  username: sys
-  password: password
-  sql_queries: 
-  - query: SELECT METRIC_NAME, VALUE FROM V$SYSMETRIC WHERE GROUP_ID = 2 and METRIC_NAME LIKE '%'
-    response_format: variables 
-----
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The SQL module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: sql
-  metricsets:
-    - query
-  period: 10s
-  hosts: ["user=myuser password=mypassword dbname=mydb sslmode=disable"]
-
-  driver: "postgres"
-  sql_query: "select now()"
-  sql_response_format: table
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-sql-query,query>>
-
-include::sql/query.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/sql/query.asciidoc b/metricbeat/docs/modules/sql/query.asciidoc
deleted file mode 100644
index 82d3ede6abf8..000000000000
--- a/metricbeat/docs/modules/sql/query.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/sql/query/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-sql-query]]
-[role="xpack"]
-=== SQL query metricset
-
-include::../../../../x-pack/metricbeat/module/sql/query/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-sql,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/sql/query/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/stan.asciidoc b/metricbeat/docs/modules/stan.asciidoc
deleted file mode 100644
index b3c48d2e68aa..000000000000
--- a/metricbeat/docs/modules/stan.asciidoc
+++ /dev/null
@@ -1,73 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: stan
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/stan/_meta/docs.asciidoc
-
-
-[[metricbeat-module-stan]]
-[role="xpack"]
-== Stan module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-The STAN module uses https://github.com/nats-io/nats-streaming-server/blob/master/server/monitor.go[STAN monitoring server APIs] to collect metrics.
-
-The default metricsets are `channels`, `stats` and `subscriptions`.
-
-[float]
-=== Compatibility
-
-The STAN module is tested with STAN 0.15.1.
-
-[float]
-== Dashboard
-Dashboards for topic message count and queue depth are included:
-
-image::./images/metricbeat-stan-overview.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Stan module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: stan
-  metricsets: ["stats", "channels", "subscriptions"]
-  period: 60s
-  hosts: ["localhost:8222"]
-  #stats.metrics_path: "/streaming/serverz"
-  #channels.metrics_path: "/streaming/channelsz"
-  #subscriptions.metrics_path: "/streaming/channelsz" # we retrieve streaming subscriptions with a detailed query param to the channelsz endpoint
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-stan-channels,channels>>
-
-* <<metricbeat-metricset-stan-stats,stats>>
-
-* <<metricbeat-metricset-stan-subscriptions,subscriptions>>
-
-include::stan/channels.asciidoc[]
-
-include::stan/stats.asciidoc[]
-
-include::stan/subscriptions.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/stan/channels.asciidoc b/metricbeat/docs/modules/stan/channels.asciidoc
deleted file mode 100644
index aff9182a2fcd..000000000000
--- a/metricbeat/docs/modules/stan/channels.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/stan/channels/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-stan-channels]]
-[role="xpack"]
-=== Stan channels metricset
-
-include::../../../../x-pack/metricbeat/module/stan/channels/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-stan,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/stan/channels/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/stan/stats.asciidoc b/metricbeat/docs/modules/stan/stats.asciidoc
deleted file mode 100644
index 6451e2e8323f..000000000000
--- a/metricbeat/docs/modules/stan/stats.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/stan/stats/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-stan-stats]]
-[role="xpack"]
-=== Stan stats metricset
-
-include::../../../../x-pack/metricbeat/module/stan/stats/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-stan,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/stan/stats/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/stan/subscriptions.asciidoc b/metricbeat/docs/modules/stan/subscriptions.asciidoc
deleted file mode 100644
index facce746ee86..000000000000
--- a/metricbeat/docs/modules/stan/subscriptions.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/stan/subscriptions/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-stan-subscriptions]]
-[role="xpack"]
-=== Stan subscriptions metricset
-
-include::../../../../x-pack/metricbeat/module/stan/subscriptions/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-stan,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/stan/subscriptions/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/statsd.asciidoc b/metricbeat/docs/modules/statsd.asciidoc
deleted file mode 100644
index 1f3a961d15fd..000000000000
--- a/metricbeat/docs/modules/statsd.asciidoc
+++ /dev/null
@@ -1,115 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: statsd
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/statsd/_meta/docs.asciidoc
-
-
-[[metricbeat-module-statsd]]
-[role="xpack"]
-== Statsd module
-
-The `statsd` module is a Metricbeat module which spawns a UDP server and listens for metrics in StatsD compatible
-format.
-
-[float]
-=== Metric types
-
-The module supports the following types of metrics:
-
-*Counter (c)*:: Measurement which accumulates over period of time until flushed (value set to 0).
-
-*Gauge (g)*:: Measurement which can increase, decrease or be set to a value.
-
-*Timer (ms)*:: Time measurement (in milliseconds) of an event.
-
-*Histogram (h)*:: Time measurement, alias for timer.
-
-*Set (s)*:: Measurement which counts unique occurrences until flushed (value set to 0).
-
-[float]
-=== Supported tag extensions
-
-Example of tag styles supported by the `statsd` module:
-
-https://docs.datadoghq.com/developers/dogstatsd/datagram_shell/?tab=metrics#the-dogstatsd-protocol[DogStatsD]
-
-`<metric name>:<value>|<type>|@samplerate|#<k>:<v>,<k>:<v>`
-
-https://github.com/influxdata/telegraf/blob/master/plugins/inputs/statsd/README.md#influx-statsd[InfluxDB]
-
-`<metric name>,<k>=<v>,<k>=<v>:<value>|<type>|@samplerate`
-
-https://graphite.readthedocs.io/en/latest/tags.html#graphite-tag-support[Graphite_1.1.x]
-
-`<metric name>;<k>=<v>;<k>=<v>:<value>|<type>|@samplerate`
-
-[float]
-=== Module-specific configuration notes
-
-The `statsd` module has these additional config options:
-
-*`ttl`*:: It defines how long a metric will be reported after it was last recorded.
-Irrespective of the given ttl, metrics will be reported at least once.
-A ttl of zero means metrics will never expire.
-
-*`statsd.mapping`*:: It defines how metrics will mapped from the original metric label to the event json.
-Here's an example configuration:
-[source,yaml]
-----
-statsd.mappings:
-  - metric: 'ti_failures' <1>
-    value:
-      field: task_failures <2>
-  - metric: '<job_name>_start' <1>
-    labels:
-      - attr: job_name <3>
-        field: job_name <4>
-    value:
-      field: started <2>
-----
-
-<1> `metric`, required: the label key of the metric in statsd, either as a exact match string
-or as a template with named label placeholder in the format `<label_placeholder>`
-<2> `value.field`, required: field name where to save the metric value in the event json
-<3> `label[].attr`, required when using named label placeholder: reference to the named label placeholder defined in `metric`
-<4> `label[].field`, required when using named label placeholder field name where to save the named label placeholder value from the template in the event json
-
-=== Metricsets
-
-Currently, there is only `server` metricset in `statsd` module.
-
-[float]
-==== `server`
-The metricset collects metric data sent using UDP and publishes them under the `statsd` prefix.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Statsd module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: statsd
-  host: "localhost"
-  port: "8125"
-  enabled: false
-  #ttl: "30s"
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-statsd-server,server>>
-
-include::statsd/server.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/statsd/server.asciidoc b/metricbeat/docs/modules/statsd/server.asciidoc
deleted file mode 100644
index 5697ae96edeb..000000000000
--- a/metricbeat/docs/modules/statsd/server.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/statsd/server/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-statsd-server]]
-[role="xpack"]
-=== Statsd server metricset
-
-include::../../../../x-pack/metricbeat/module/statsd/server/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-statsd,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/statsd/server/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/syncgateway.asciidoc b/metricbeat/docs/modules/syncgateway.asciidoc
deleted file mode 100644
index b34c77c8a739..000000000000
--- a/metricbeat/docs/modules/syncgateway.asciidoc
+++ /dev/null
@@ -1,64 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: syncgateway
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/syncgateway/_meta/docs.asciidoc
-
-
-[[metricbeat-module-syncgateway]]
-[role="xpack"]
-== SyncGateway module
-
-beta[]
-
-Sync Gateway is the synchronization server in a Couchbase for Mobile and Edge deployment. This metricset allows to monitor a Sync Gateway instance by using its REST API.
-
-Sync Gateway access `[host]:[port]/_expvar` on Sync Gateway nodes to fetch metrics data, ensure that the URL is accessible from the host where Metricbeat is running.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The SyncGateway module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: syncgateway
-  metricsets:
-    - db
-#    - memory
-#    - replication
-#    - resources
-  period: 10s
-
-  # SyncGateway hosts
-  hosts: ["127.0.0.1:4985"]
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-syncgateway-db,db>>
-
-* <<metricbeat-metricset-syncgateway-memory,memory>>
-
-* <<metricbeat-metricset-syncgateway-replication,replication>>
-
-* <<metricbeat-metricset-syncgateway-resources,resources>>
-
-include::syncgateway/db.asciidoc[]
-
-include::syncgateway/memory.asciidoc[]
-
-include::syncgateway/replication.asciidoc[]
-
-include::syncgateway/resources.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/syncgateway/db.asciidoc b/metricbeat/docs/modules/syncgateway/db.asciidoc
deleted file mode 100644
index ab10e16134af..000000000000
--- a/metricbeat/docs/modules/syncgateway/db.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/syncgateway/db/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-syncgateway-db]]
-[role="xpack"]
-=== SyncGateway db metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/syncgateway/db/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-syncgateway,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/syncgateway/db/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/syncgateway/memory.asciidoc b/metricbeat/docs/modules/syncgateway/memory.asciidoc
deleted file mode 100644
index 73d6a240dc58..000000000000
--- a/metricbeat/docs/modules/syncgateway/memory.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/syncgateway/memory/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-syncgateway-memory]]
-[role="xpack"]
-=== SyncGateway memory metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/syncgateway/memory/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-syncgateway,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/syncgateway/memory/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/syncgateway/replication.asciidoc b/metricbeat/docs/modules/syncgateway/replication.asciidoc
deleted file mode 100644
index 32f1d9165696..000000000000
--- a/metricbeat/docs/modules/syncgateway/replication.asciidoc
+++ /dev/null
@@ -1,23 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/syncgateway/replication/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-syncgateway-replication]]
-[role="xpack"]
-=== SyncGateway replication metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/syncgateway/replication/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-syncgateway,exported fields>> section.
-
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/syncgateway/resources.asciidoc b/metricbeat/docs/modules/syncgateway/resources.asciidoc
deleted file mode 100644
index 3eed79799ccc..000000000000
--- a/metricbeat/docs/modules/syncgateway/resources.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/syncgateway/resources/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-syncgateway-resources]]
-[role="xpack"]
-=== SyncGateway resources metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/syncgateway/resources/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-syncgateway,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/syncgateway/resources/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system.asciidoc b/metricbeat/docs/modules/system.asciidoc
deleted file mode 100644
index 93975cdeb6ad..000000000000
--- a/metricbeat/docs/modules/system.asciidoc
+++ /dev/null
@@ -1,352 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: system
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/_meta/docs.asciidoc
-
-
-[[metricbeat-module-system]]
-== System module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-The System module allows you to monitor your servers. Because the System module
-always applies to the local server, the `hosts` config option is not needed.
-
-The default metricsets are `cpu`, `load`, `memory`, `network`, `process`,
-`process_summary`, `socket_summary`, `filesystem`, `fsstat`, and `uptime`. 
-To disable a default metricset, comment it out in the `modules.d/system.yml` 
-configuration file. If _all_ metricsets are commented out and the System module 
-is enabled, {beatname_uc} uses the default metricsets.
-
-Note that certain metricsets may access `/proc` to gather process information,
-and the resulting `ptrace_may_access()` call by the kernel to check for
-permissions can be blocked by
-https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace[AppArmor
-and other LSM software], even though the System module doesn't use `ptrace`
-directly.
-
-[TIP] 
-.How and when metrics are collected
-==== 
-Certain metrics monitored by the System module require multiple values to be 
-collected.
-For example, the `system.process.cpu.total.norm.pct` field reports the percentage
-of CPU time spent by the process since the last event. For this percentage to be
-determined, the process needs to appear at least twice so that a performance delta
-can be calculated. 
-
-Note that in some cases a field like this may be missing from the System module
-metricset if the process has not been available long enough to be included in 
-two periods of metric collection.
-====
-
-[float]
-=== Dashboard
-
-The System module comes with a predefined dashboard. For example:
-
-image::./images/metricbeat_system_dashboard.png[]
-
-[float]
-=== Required permissions
-
-The System metricsets collect different kinds of metric data, which may require dedicated permissions
-to be fetched. For security reasons it's advised to grant the lowest possible permissions. This section
-justifies which permissions must be present for particular metricsets.
-
-Please notice that modern Linux implementations divide the privileges traditionally associated with superuser
-into distinct units, known as capabilities, which can be independently enabled and disabled.
-Capabilities are a per-thread attribute.
-
-[float]
-==== cpu
-
-CPU statistics (idle, irq, user, system, iowait, softirq, cores, nice, steal, total) should be available without
-elevated permissions.
-
-[float]
-==== load
-
-CPU load data (1 min, 5 min, 15 min, cores) should be available without elevated permissions.
-
-[float]
-==== memory
-
-Memory statistics (swap, total, used, free, actual) should be available without elevated permissions.
-
-[float]
-==== network
-
-Network metrics for interfaces (in, out, errors, dropped, bytes, packets) should be available without elevated
-permissions.
-
-[float]
-==== process
-
-Process execution data (state, memory, cpu, cmdline) should be available for an authorized user.
-
-If the beats process is running as less privileged user, it may not be able to read process data belonging to
-other users. The issue should be reported in application logs:
-
-["source"]
-----
-2019-12-23T13:32:06.457+0100    DEBUG   [processes]     process/process.go:475  Skip process pid=235: error getting process state for pid=235: Could not read process info for pid 23
-----
-
-[float]
-==== process_summary
-
-General process summary (unknown, dead, total, sleeping, running, idle, stopped, zombie) should be available without
-elevated permissions. Please notice that if the process data belongs to the other users, it will be counted as unknown
-value (no error will be reported in application logs).
-
-[float]
-==== socket_summary
-
-Used sockets summary (TCP, UDP, count, listening, established, wait, etc.) should be available without elevated
-permissions.
-
-[float]
-==== entropy
-
-Entropy data (available, pool size) requires access to the `/proc/sys/kernel/random` path.
-Otherwise an error will be reported.
-
-[float]
-==== core
-
-Usage statistics for each CPU core (idle, irq, user, system, iowait, softirq, cores, nice, steal, total) should be available without
-elevated permissions.
-
-[float]
-==== diskio
-
-Disk IO metrics (io, read, write) should be available without elevated permissions.
-
-[float]
-==== socket
-
-Events for each new TCP socket should be available for an authorized user.
-
-If the beats process is running as less privileged user, it may not be able to view socket data belonging to
-other users.
-
-[float]
-==== service
-
-Systemd service data (memory, tasks, states) should be available for an authorized user.
-
-If the beats process is running as less privileged user, it may not be able to read process data belonging to
-other users. The issue should be reported in application logs:
-
-["source"]
-----
-2020-01-02T08:19:50.635Z	INFO	module/wrapper.go:252	Error fetching data for metricset system.service: error getting list of running units: Rejected send message, 2 matched rules; type="method_call", sender=":1.35" (uid=1000 pid=4429 comm="./metricbeat -d * -e ") interface="org.freedesktop.systemd1.Manager" member="ListUnitsByPatterns" error name="(unset)" requested_reply="0" destination="org.freedesktop.systemd1" (uid=0 pid=1 comm="/usr/lib/systemd/systemd --switched-root --system ")
-----
-
-[float]
-==== filesystem
-
-Filesystem metrics data (total, available, type, mount point, files, free, used) should be available without elevated
-permissions.
-
-[float]
-==== fsstat
-
-Fsstat metrics data (total size, free, total, used count) should be available without elevated permissions.
-
-[float]
-==== uptime
-
-Uptime metrics data (duration) should be available without elevated permissions.
-
-[float]
-==== raid
-
-RAID metrics data (block, disks) requires access to the `/sys/block` mount point and all referenced devices.
-Otherwise an error will be reported.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The System module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: system
-  metricsets:
-    - cpu             # CPU usage
-    - load            # CPU load averages
-    - memory          # Memory usage
-    - network         # Network IO
-    - process         # Per process metrics
-    - process_summary # Process summary
-    - uptime          # System Uptime
-    - socket_summary  # Socket summary
-    #- core           # Per CPU core usage
-    #- diskio         # Disk IO
-    #- filesystem     # File system usage for each mountpoint
-    #- fsstat         # File system summary metrics
-    #- raid           # Raid
-    #- socket         # Sockets and connection info (linux only)
-    #- service        # systemd service information
-  enabled: true
-  period: 10s
-  processes: ['.*']
-
-  # Configure the mount point of the host’s filesystem for use in monitoring a host from within a container
-  #hostfs: "/hostfs"
-
-  # Configure the metric types that are included by these metricsets.
-  cpu.metrics:  ["percentages","normalized_percentages"]  # The other available option is ticks.
-  core.metrics: ["percentages"]  # The other available option is ticks.
-
-  # A list of filesystem types to ignore. The filesystem metricset will not
-  # collect data from filesystems matching any of the specified types, and
-  # fsstats will not include data from these filesystems in its summary stats.
-  # If not set, types associated to virtual filesystems are automatically
-  # added when this information is available in the system (e.g. the list of
-  # `nodev` types in `/proc/filesystem`).
-  #filesystem.ignore_types: []
-
-  # These options allow you to filter out all processes that are not
-  # in the top N by CPU or memory, in order to reduce the number of documents created.
-  # If both the `by_cpu` and `by_memory` options are used, the union of the two sets
-  # is included.
-  #process.include_top_n:
-
-    # Set to false to disable this feature and include all processes
-    #enabled: true
-
-    # How many processes to include from the top by CPU. The processes are sorted
-    # by the `system.process.cpu.total.pct` field.
-    #by_cpu: 0
-
-    # How many processes to include from the top by memory. The processes are sorted
-    # by the `system.process.memory.rss.bytes` field.
-    #by_memory: 0
-
-  # If false, cmdline of a process is not cached.
-  #process.cmdline.cache.enabled: true
-
-  # Enable collection of cgroup metrics from processes on Linux.
-  #process.cgroups.enabled: true
-
-  # A list of regular expressions used to whitelist environment variables
-  # reported with the process metricset's events. Defaults to empty.
-  #process.env.whitelist: []
-
-  # Include the cumulative CPU tick values with the process metrics. Defaults
-  # to false.
-  #process.include_cpu_ticks: false
-
-  # Raid mount point to monitor
-  #raid.mount_point: '/'
-
-  # Configure reverse DNS lookup on remote IP addresses in the socket metricset.
-  #socket.reverse_lookup.enabled: false
-  #socket.reverse_lookup.success_ttl: 60s
-  #socket.reverse_lookup.failure_ttl: 60s
-
-  # Diskio configurations
-  #diskio.include_devices: []
-
-  # Filter systemd services by status or sub-status
-  #service.state_filter: ["active"]
-
-  # Filter systemd services based on a name pattern
-  #service.pattern_filter: ["ssh*", "nfs*"]
-
-  # This option enables the use of performance counters to collect data for cpu/core metricset.
-  # Only effective for Windows.
-  # You should use this option if running beats on machins with more than 64 cores.
-  #use_performance_counters: false
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-system-core,core>>
-
-* <<metricbeat-metricset-system-cpu,cpu>>
-
-* <<metricbeat-metricset-system-diskio,diskio>>
-
-* <<metricbeat-metricset-system-entropy,entropy>>
-
-* <<metricbeat-metricset-system-filesystem,filesystem>>
-
-* <<metricbeat-metricset-system-fsstat,fsstat>>
-
-* <<metricbeat-metricset-system-load,load>>
-
-* <<metricbeat-metricset-system-memory,memory>>
-
-* <<metricbeat-metricset-system-network,network>>
-
-* <<metricbeat-metricset-system-network_summary,network_summary>>
-
-* <<metricbeat-metricset-system-process,process>>
-
-* <<metricbeat-metricset-system-process_summary,process_summary>>
-
-* <<metricbeat-metricset-system-raid,raid>>
-
-* <<metricbeat-metricset-system-service,service>>
-
-* <<metricbeat-metricset-system-socket,socket>>
-
-* <<metricbeat-metricset-system-socket_summary,socket_summary>>
-
-* <<metricbeat-metricset-system-uptime,uptime>>
-
-* <<metricbeat-metricset-system-users,users>>
-
-include::system/core.asciidoc[]
-
-include::system/cpu.asciidoc[]
-
-include::system/diskio.asciidoc[]
-
-include::system/entropy.asciidoc[]
-
-include::system/filesystem.asciidoc[]
-
-include::system/fsstat.asciidoc[]
-
-include::system/load.asciidoc[]
-
-include::system/memory.asciidoc[]
-
-include::system/network.asciidoc[]
-
-include::system/network_summary.asciidoc[]
-
-include::system/process.asciidoc[]
-
-include::system/process_summary.asciidoc[]
-
-include::system/raid.asciidoc[]
-
-include::system/service.asciidoc[]
-
-include::system/socket.asciidoc[]
-
-include::system/socket_summary.asciidoc[]
-
-include::system/uptime.asciidoc[]
-
-include::system/users.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/system/core.asciidoc b/metricbeat/docs/modules/system/core.asciidoc
deleted file mode 100644
index 93008d2df532..000000000000
--- a/metricbeat/docs/modules/system/core.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/core/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-core]]
-=== System core metricset
-
-include::../../../module/system/core/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/core/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/cpu.asciidoc b/metricbeat/docs/modules/system/cpu.asciidoc
deleted file mode 100644
index 7791452b47d3..000000000000
--- a/metricbeat/docs/modules/system/cpu.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/cpu/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-cpu]]
-=== System cpu metricset
-
-include::../../../module/system/cpu/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/cpu/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/diskio.asciidoc b/metricbeat/docs/modules/system/diskio.asciidoc
deleted file mode 100644
index 0a1c25cdf4ef..000000000000
--- a/metricbeat/docs/modules/system/diskio.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/diskio/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-diskio]]
-=== System diskio metricset
-
-include::../../../module/system/diskio/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/diskio/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/entropy.asciidoc b/metricbeat/docs/modules/system/entropy.asciidoc
deleted file mode 100644
index b0f3d6a8dc9d..000000000000
--- a/metricbeat/docs/modules/system/entropy.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/entropy/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-entropy]]
-=== System entropy metricset
-
-include::../../../module/system/entropy/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/entropy/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/filesystem.asciidoc b/metricbeat/docs/modules/system/filesystem.asciidoc
deleted file mode 100644
index 5a214c165851..000000000000
--- a/metricbeat/docs/modules/system/filesystem.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/filesystem/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-filesystem]]
-=== System filesystem metricset
-
-include::../../../module/system/filesystem/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/filesystem/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/fsstat.asciidoc b/metricbeat/docs/modules/system/fsstat.asciidoc
deleted file mode 100644
index 49badcd65bc6..000000000000
--- a/metricbeat/docs/modules/system/fsstat.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/fsstat/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-fsstat]]
-=== System fsstat metricset
-
-include::../../../module/system/fsstat/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/fsstat/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/load.asciidoc b/metricbeat/docs/modules/system/load.asciidoc
deleted file mode 100644
index 0b448726c63d..000000000000
--- a/metricbeat/docs/modules/system/load.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/load/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-load]]
-=== System load metricset
-
-include::../../../module/system/load/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/load/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/memory.asciidoc b/metricbeat/docs/modules/system/memory.asciidoc
deleted file mode 100644
index e07221d38ec3..000000000000
--- a/metricbeat/docs/modules/system/memory.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/memory/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-memory]]
-=== System memory metricset
-
-include::../../../module/system/memory/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/memory/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/network.asciidoc b/metricbeat/docs/modules/system/network.asciidoc
deleted file mode 100644
index 2c758f20c465..000000000000
--- a/metricbeat/docs/modules/system/network.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/network/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-network]]
-=== System network metricset
-
-include::../../../module/system/network/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/network/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/network_summary.asciidoc b/metricbeat/docs/modules/system/network_summary.asciidoc
deleted file mode 100644
index 3541cfe41132..000000000000
--- a/metricbeat/docs/modules/system/network_summary.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/network_summary/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-network_summary]]
-=== System network_summary metricset
-
-beta[]
-
-include::../../../module/system/network_summary/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/network_summary/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/process.asciidoc b/metricbeat/docs/modules/system/process.asciidoc
deleted file mode 100644
index 870abc81756d..000000000000
--- a/metricbeat/docs/modules/system/process.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/process/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-process]]
-=== System process metricset
-
-include::../../../module/system/process/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/process/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/process_summary.asciidoc b/metricbeat/docs/modules/system/process_summary.asciidoc
deleted file mode 100644
index c0a9330d5395..000000000000
--- a/metricbeat/docs/modules/system/process_summary.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/process_summary/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-process_summary]]
-=== System process_summary metricset
-
-include::../../../module/system/process_summary/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/process_summary/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/raid.asciidoc b/metricbeat/docs/modules/system/raid.asciidoc
deleted file mode 100644
index f03b1684cde7..000000000000
--- a/metricbeat/docs/modules/system/raid.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/raid/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-raid]]
-=== System raid metricset
-
-include::../../../module/system/raid/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/raid/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/service.asciidoc b/metricbeat/docs/modules/system/service.asciidoc
deleted file mode 100644
index 9c7a8b17fb84..000000000000
--- a/metricbeat/docs/modules/system/service.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/service/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-service]]
-=== System service metricset
-
-beta[]
-
-include::../../../module/system/service/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/service/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/socket.asciidoc b/metricbeat/docs/modules/system/socket.asciidoc
deleted file mode 100644
index 7815e3460d85..000000000000
--- a/metricbeat/docs/modules/system/socket.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/socket/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-socket]]
-=== System socket metricset
-
-include::../../../module/system/socket/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/socket/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/socket_summary.asciidoc b/metricbeat/docs/modules/system/socket_summary.asciidoc
deleted file mode 100644
index fb962b833546..000000000000
--- a/metricbeat/docs/modules/system/socket_summary.asciidoc
+++ /dev/null
@@ -1,21 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/socket_summary/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-socket_summary]]
-=== System socket_summary metricset
-
-include::../../../module/system/socket_summary/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/uptime.asciidoc b/metricbeat/docs/modules/system/uptime.asciidoc
deleted file mode 100644
index 243b53e9540b..000000000000
--- a/metricbeat/docs/modules/system/uptime.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/uptime/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-uptime]]
-=== System uptime metricset
-
-include::../../../module/system/uptime/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/uptime/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/system/users.asciidoc b/metricbeat/docs/modules/system/users.asciidoc
deleted file mode 100644
index efb2717cdaec..000000000000
--- a/metricbeat/docs/modules/system/users.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/system/users/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-system-users]]
-=== System users metricset
-
-beta[]
-
-include::../../../module/system/users/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/system/users/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/tomcat.asciidoc b/metricbeat/docs/modules/tomcat.asciidoc
deleted file mode 100644
index d4941bd417b5..000000000000
--- a/metricbeat/docs/modules/tomcat.asciidoc
+++ /dev/null
@@ -1,75 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: tomcat
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/tomcat/_meta/docs.asciidoc
-
-
-[[metricbeat-module-tomcat]]
-[role="xpack"]
-== Tomcat module
-
-beta[]
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This module periodically fetches JMX metrics from Apache Tomcat.
-
-[float]
-=== Compatibility
-The module has been tested with Tomcat 7.0.24 and 9.0.24. Other versions are expected to work.
-
-[float]
-== Dashboard
-An overview dashboard for Kibana is already included:
-
-image::./images/metricbeat-tomcat-overview.png[]
-
-[float]
-=== Usage
-The Tomcat module requires <<metricbeat-module-jolokia,Jolokia>>to fetch JMX metrics. Refer to the link for instructions about how to use Jolokia.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Tomcat module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: tomcat
-  metricsets: ['threading', 'cache', 'memory', 'requests']
-  period: 10s
-  hosts: ['localhost:8080']
-  path: "/jolokia/?ignoreErrors=true&canonicalNaming=false"
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-tomcat-cache,cache>>
-
-* <<metricbeat-metricset-tomcat-memory,memory>>
-
-* <<metricbeat-metricset-tomcat-requests,requests>>
-
-* <<metricbeat-metricset-tomcat-threading,threading>>
-
-include::tomcat/cache.asciidoc[]
-
-include::tomcat/memory.asciidoc[]
-
-include::tomcat/requests.asciidoc[]
-
-include::tomcat/threading.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/tomcat/cache.asciidoc b/metricbeat/docs/modules/tomcat/cache.asciidoc
deleted file mode 100644
index b4c84814a666..000000000000
--- a/metricbeat/docs/modules/tomcat/cache.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/tomcat/cache/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-tomcat-cache]]
-[role="xpack"]
-=== Tomcat cache metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/tomcat/cache/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-tomcat,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/tomcat/cache/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/tomcat/memory.asciidoc b/metricbeat/docs/modules/tomcat/memory.asciidoc
deleted file mode 100644
index f8c3bb876524..000000000000
--- a/metricbeat/docs/modules/tomcat/memory.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/tomcat/memory/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-tomcat-memory]]
-[role="xpack"]
-=== Tomcat memory metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/tomcat/memory/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-tomcat,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/tomcat/memory/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/tomcat/requests.asciidoc b/metricbeat/docs/modules/tomcat/requests.asciidoc
deleted file mode 100644
index 12689cb345b5..000000000000
--- a/metricbeat/docs/modules/tomcat/requests.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/tomcat/requests/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-tomcat-requests]]
-[role="xpack"]
-=== Tomcat requests metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/tomcat/requests/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-tomcat,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/tomcat/requests/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/tomcat/threading.asciidoc b/metricbeat/docs/modules/tomcat/threading.asciidoc
deleted file mode 100644
index 5d6ea413c657..000000000000
--- a/metricbeat/docs/modules/tomcat/threading.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/x-pack/metricbeat/module/tomcat/threading/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-tomcat-threading]]
-[role="xpack"]
-=== Tomcat threading metricset
-
-beta[]
-
-include::../../../../x-pack/metricbeat/module/tomcat/threading/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-tomcat,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../../x-pack/metricbeat/module/tomcat/threading/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/traefik.asciidoc b/metricbeat/docs/modules/traefik.asciidoc
deleted file mode 100644
index d51033bcd69a..000000000000
--- a/metricbeat/docs/modules/traefik.asciidoc
+++ /dev/null
@@ -1,54 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: traefik
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/traefik/_meta/docs.asciidoc
-
-
-[[metricbeat-module-traefik]]
-== Traefik module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This module periodically fetches metrics from a https://traefik.io/[Traefik]
-instance. The Traefik instance must be configured to expose it's HTTP API.
-
-[float]
-=== Compatibility
-
-The Traefik metricsets were tested with Traefik 1.6.
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Traefik module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: traefik
-  metricsets: ["health"]
-  period: 10s
-  hosts: ["localhost:8080"]
-----
-
-This module supports TLS connections when using `ssl` config field, as described in <<configuration-ssl>>.
-It also supports the options described in <<module-http-config-options>>.
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-traefik-health,health>>
-
-include::traefik/health.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/traefik/health.asciidoc b/metricbeat/docs/modules/traefik/health.asciidoc
deleted file mode 100644
index dbdb4610413e..000000000000
--- a/metricbeat/docs/modules/traefik/health.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/traefik/health/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-traefik-health]]
-=== Traefik health metricset
-
-include::../../../module/traefik/health/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-traefik,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/traefik/health/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/uwsgi.asciidoc b/metricbeat/docs/modules/uwsgi.asciidoc
deleted file mode 100644
index 02ab4592f400..000000000000
--- a/metricbeat/docs/modules/uwsgi.asciidoc
+++ /dev/null
@@ -1,59 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: uwsgi
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/uwsgi/_meta/docs.asciidoc
-
-
-[[metricbeat-module-uwsgi]]
-== uWSGI module
-
-This is the uwsgi module. By default collects the `stats` metricset, using
-http://uwsgi-docs.readthedocs.io/en/latest/StatsServer.html[StatsServer].
-
-[float]
-=== Module-specific configuration notes
-
-The uWSGI module has these additional config options:
-
-*`hosts`*:: host URLs to get data from (e.g: `tcp://127.0.0.1:9191`).
-  Can obtain data from 3 types of schemes: tcp (tcp://ip:port), unix socket (unix:///tmp/uwsgi.sock)
-  and http/https server (http://ip:port)
-
-[float]
-=== Dashboard
-
-The uwsgi module comes with a predefined dashboard. For example:
-
-image::./images/uwsgi_dashboard.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The uWSGI module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: uwsgi
-  metricsets: ["status"]
-  enable: true
-  period: 10s
-  hosts: ["tcp://127.0.0.1:9191"]
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-uwsgi-status,status>>
-
-include::uwsgi/status.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/uwsgi/status.asciidoc b/metricbeat/docs/modules/uwsgi/status.asciidoc
deleted file mode 100644
index 81919b039308..000000000000
--- a/metricbeat/docs/modules/uwsgi/status.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/uwsgi/status/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-uwsgi-status]]
-=== uWSGI status metricset
-
-include::../../../module/uwsgi/status/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-uwsgi,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/uwsgi/status/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/vsphere.asciidoc b/metricbeat/docs/modules/vsphere.asciidoc
deleted file mode 100644
index e7e6e78205d6..000000000000
--- a/metricbeat/docs/modules/vsphere.asciidoc
+++ /dev/null
@@ -1,159 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: vsphere
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/vsphere/_meta/docs.asciidoc
-
-
-[[metricbeat-module-vsphere]]
-== vSphere module
-
-The vSphere module uses the https://github.com/vmware/govmomi[Govmomi] library to collect metrics from any VMware SDK URL (ESXi/VCenter).
-
-This module has been tested against ESXi and vCenter versions 5.5, 6.0, 6.5, and 7.0.3.
-
-By default, the vSphere module enables the following metricsets:
-
-1. cluster
-
-2. datastore
-
-3. datastorecluster
-
-4. host
-
-5. network
-
-6. resourcepool
-
-7. virtualmachine
-
-[float]
-=== Supported Periods:
-The Datastore and Host metricsets support performance data collection using the vSphere performance API. Given that the performance API imposes usage restrictions based on data collection intervals, users should configure the period optimally to ensure the receipt of real-time data. This configuration can be determined based on the https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-247646EA-A04B-411A-8DD4-62A3DCFCF49B.html[Data Collection Intervals] and https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-25800DE4-68E5-41CC-82D9-8811E27924BC.html[Data Collection Levels].
-
-[IMPORTANT]
-
-Only host and datastore metricsets have limitation of system configured period from vSphere instance. Users can still collect summary metrics if performance metrics are not supported for the configured instance.
-
-[float]
-==== Real-time data collection default interval:
-- 20s
-
-[float]
-==== Historical data collection default intervals:
-- 300s
-- 1800s
-- 7200s
-- 86400s
-
-[float]
-=== Example:
-If you need to configure multiple metricsets with different periods, you can achieve this by setting up multiple vSphere modules with different metricsets as demonstrated below:
-
-[source,yaml]
-----
-- module: vsphere
-  metricsets:
-   - cluster
-   - datastorecluster
-   - network
-   - resourcepool
-   - virtualmachine
-  period: 10s
-  hosts: ["https://localhost/sdk"]
-  username: "user"
-  password: "password"
-  insecure: false
-
-- module: vsphere
-  metricsets:
-   - datastore
-   - host
-  period: 300s
-  hosts: ["https://localhost/sdk"]
-  username: "user"
-  password: "password"
-  insecure: false
-----
-
-[float]
-=== Dashboard
-
-The vSphere module includes a predefined dashboard. For example:
-
-image::./images/metricbeat_vsphere_dashboard.png[]
-image::./images/metricbeat_vsphere_vm_dashboard.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The vSphere module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: vsphere
-  enabled: true
-  metricsets: ["cluster", "datastore", "datastorecluster", "host", "network", "resourcepool", "virtualmachine"]
-  
-  # Real-time data collection – An ESXi Server collects data for each performance counter every 20 seconds by default.
-  # Supported Periods:
-  # The Datastore and Host metricsets support performance data collection using the vSphere performance API.
-  # Since the performance API has usage restrictions based on data collection intervals,
-  # users should ensure that the period is configured optimally to receive real-time data.
-  # users can still collect summary metrics if performance metrics are not supported for the configured instance.
-  # This configuration can be determined based on the Data Collection Intervals and Data Collection Levels.
-  # Reference Links:
-  # Data Collection Intervals: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-247646EA-A04B-411A-8DD4-62A3DCFCF49B.html
-  # Data Collection Levels: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-25800DE4-68E5-41CC-82D9-8811E27924BC.html
-  period: 20s
-  hosts: ["https://localhost/sdk"]
-
-  username: "user"
-  password: "password"
-  # If insecure is true, don't verify the server's certificate chain
-  insecure: false
-  # Get custom fields when using virtualmachine metricset. Default false.
-  # get_custom_fields: false
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-vsphere-cluster,cluster>>
-
-* <<metricbeat-metricset-vsphere-datastore,datastore>>
-
-* <<metricbeat-metricset-vsphere-datastorecluster,datastorecluster>>
-
-* <<metricbeat-metricset-vsphere-host,host>>
-
-* <<metricbeat-metricset-vsphere-network,network>>
-
-* <<metricbeat-metricset-vsphere-resourcepool,resourcepool>>
-
-* <<metricbeat-metricset-vsphere-virtualmachine,virtualmachine>>
-
-include::vsphere/cluster.asciidoc[]
-
-include::vsphere/datastore.asciidoc[]
-
-include::vsphere/datastorecluster.asciidoc[]
-
-include::vsphere/host.asciidoc[]
-
-include::vsphere/network.asciidoc[]
-
-include::vsphere/resourcepool.asciidoc[]
-
-include::vsphere/virtualmachine.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/vsphere/cluster.asciidoc b/metricbeat/docs/modules/vsphere/cluster.asciidoc
deleted file mode 100644
index 1666f6c8dfd7..000000000000
--- a/metricbeat/docs/modules/vsphere/cluster.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/vsphere/cluster/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-vsphere-cluster]]
-=== vSphere cluster metricset
-
-beta[]
-
-include::../../../module/vsphere/cluster/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-vsphere,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/vsphere/cluster/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/vsphere/datastore.asciidoc b/metricbeat/docs/modules/vsphere/datastore.asciidoc
deleted file mode 100644
index 0a2a6d641f39..000000000000
--- a/metricbeat/docs/modules/vsphere/datastore.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/vsphere/datastore/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-vsphere-datastore]]
-=== vSphere datastore metricset
-
-include::../../../module/vsphere/datastore/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-vsphere,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/vsphere/datastore/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/vsphere/datastorecluster.asciidoc b/metricbeat/docs/modules/vsphere/datastorecluster.asciidoc
deleted file mode 100644
index 07614187be1f..000000000000
--- a/metricbeat/docs/modules/vsphere/datastorecluster.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/vsphere/datastorecluster/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-vsphere-datastorecluster]]
-=== vSphere datastorecluster metricset
-
-beta[]
-
-include::../../../module/vsphere/datastorecluster/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-vsphere,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/vsphere/datastorecluster/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/vsphere/host.asciidoc b/metricbeat/docs/modules/vsphere/host.asciidoc
deleted file mode 100644
index 9bc8dbf551d4..000000000000
--- a/metricbeat/docs/modules/vsphere/host.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/vsphere/host/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-vsphere-host]]
-=== vSphere host metricset
-
-include::../../../module/vsphere/host/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-vsphere,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/vsphere/host/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/vsphere/network.asciidoc b/metricbeat/docs/modules/vsphere/network.asciidoc
deleted file mode 100644
index 45ffe6653be8..000000000000
--- a/metricbeat/docs/modules/vsphere/network.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/vsphere/network/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-vsphere-network]]
-=== vSphere network metricset
-
-beta[]
-
-include::../../../module/vsphere/network/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-vsphere,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/vsphere/network/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/vsphere/resourcepool.asciidoc b/metricbeat/docs/modules/vsphere/resourcepool.asciidoc
deleted file mode 100644
index 8bec0604b534..000000000000
--- a/metricbeat/docs/modules/vsphere/resourcepool.asciidoc
+++ /dev/null
@@ -1,29 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/vsphere/resourcepool/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-vsphere-resourcepool]]
-=== vSphere resourcepool metricset
-
-beta[]
-
-include::../../../module/vsphere/resourcepool/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-vsphere,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/vsphere/resourcepool/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/vsphere/virtualmachine.asciidoc b/metricbeat/docs/modules/vsphere/virtualmachine.asciidoc
deleted file mode 100644
index ef88f78fb55a..000000000000
--- a/metricbeat/docs/modules/vsphere/virtualmachine.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/vsphere/virtualmachine/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-vsphere-virtualmachine]]
-=== vSphere virtualmachine metricset
-
-include::../../../module/vsphere/virtualmachine/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-vsphere,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/vsphere/virtualmachine/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/windows.asciidoc b/metricbeat/docs/modules/windows.asciidoc
deleted file mode 100644
index 9a9552be72c0..000000000000
--- a/metricbeat/docs/modules/windows.asciidoc
+++ /dev/null
@@ -1,98 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: windows
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/windows/_meta/docs.asciidoc
-
-
-[[metricbeat-module-windows]]
-== Windows module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This is the `windows` module which collects metrics from Windows systems.
-The module contains the `service` metricset, which is set up by default when the `windows` module is enabled.
-The `service` metricset will retrieve status information of the services on the Windows machines. The second `windows`
-metricset is `perfmon` which collects Windows performance counter values.
-
-
-
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The Windows module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: windows
-  metricsets: ["perfmon"]
-  enabled: true
-  period: 10s
-  perfmon.ignore_non_existent_counters: false
-  perfmon.group_measurements_by_instance: false
-  perfmon.queries:
-#  - object: 'Process'
-#    instance: ["*"]
-#    counters:
-#    - name: '% Processor Time'
-#      field: cpu_usage
-#      format: "float"
-#    - name: "Thread Count"
-
-- module: windows
-  metricsets: ["service"]
-  enabled: true
-  period: 60s
-
-- module: windows
-  metricsets: ["wmi"]
-  period: 60s
-  wmi:
-    include_null: false          # Exclude fields with null values from the output
-    include_queries: false       # Do not include the query string in the output
-    include_empty_string: false  # Exclude fields with empty string values from the output
-    warning_threshold: 30s       # Maximum time to wait for a query result before logging a warning (defaults to period)
-    # Default WMI namespace for all queries (if not specified per query)
-    # Uncomment to override the default, which is "root\\cimv2".
-    # namespace: "root\\cimv2"
-    queries:
-    - class: Win32_OperatingSystem # FROM: Class to fetch
-      fields:                      # SELECT: Fields to retrieve for this WMI class. Omit the setting to fetch all properties
-       - FreePhysicalMemory
-       - FreeSpaceInPagingFiles
-       - FreeVirtualMemory
-       - LocalDateTime
-       - NumberOfUsers
-      where: ""                   # Optional WHERE clause to filter query results
-      # Override the WMI namespace for this specific query (optional).
-      # If set, this takes precedence over the default namespace above.
-      # namespace: "root\\cimv2" # Overrides the metric
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-windows-perfmon,perfmon>>
-
-* <<metricbeat-metricset-windows-service,service>>
-
-* <<metricbeat-metricset-windows-wmi,wmi>>
-
-include::windows/perfmon.asciidoc[]
-
-include::windows/service.asciidoc[]
-
-include::windows/wmi.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/windows/perfmon.asciidoc b/metricbeat/docs/modules/windows/perfmon.asciidoc
deleted file mode 100644
index 6d5789b6c782..000000000000
--- a/metricbeat/docs/modules/windows/perfmon.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/windows/perfmon/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-windows-perfmon]]
-=== Windows perfmon metricset
-
-include::../../../module/windows/perfmon/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-windows,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/windows/perfmon/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/windows/service.asciidoc b/metricbeat/docs/modules/windows/service.asciidoc
deleted file mode 100644
index 22edd4155db7..000000000000
--- a/metricbeat/docs/modules/windows/service.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/windows/service/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-windows-service]]
-=== Windows service metricset
-
-include::../../../module/windows/service/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-windows,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/windows/service/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/windows/wmi.asciidoc b/metricbeat/docs/modules/windows/wmi.asciidoc
deleted file mode 100644
index 72ed437918f0..000000000000
--- a/metricbeat/docs/modules/windows/wmi.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/windows/wmi/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-windows-wmi]]
-=== Windows wmi metricset
-
-beta[]
-
-include::../../../module/windows/wmi/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-windows,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/windows/wmi/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/zookeeper.asciidoc b/metricbeat/docs/modules/zookeeper.asciidoc
deleted file mode 100644
index 7798a40a8013..000000000000
--- a/metricbeat/docs/modules/zookeeper.asciidoc
+++ /dev/null
@@ -1,70 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-:modulename: zookeeper
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/zookeeper/_meta/docs.asciidoc
-
-
-[[metricbeat-module-zookeeper]]
-== ZooKeeper module
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-The ZooKeeper module fetches statistics from the ZooKeeper service. The default
-metricsets are `mntr` and `server`.
-
-[float]
-=== Compatibility
-
-The ZooKeeper metricsets were tested with ZooKeeper 3.4.8, 3.6.0 and 3.7.0. They are expected to work with all versions
->= 3.4.0. Versions prior to 3.4 do not support the `mntr` command.
-
-Note that from ZooKeeper 3.6.0, `mntr`, `stat`, `ruok`, `conf`, `isro`, `cons` command must be explicitly enabled at ZooKeeper side using the `4lw.commands.whitelist` configuration parameter.
-
-[float]
-=== Dashboard
-
-The Zookeeper module comes with a predefined dashboard:
-
-image::./images/metricbeat-zookeeper.png[]
-
-
-:edit_url:
-
-[float]
-=== Example configuration
-
-The ZooKeeper module supports the standard configuration options that are described
-in <<configuration-metricbeat>>. Here is an example configuration:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: zookeeper
-  enabled: true
-  metricsets: ["mntr", "server"]
-  period: 10s
-  hosts: ["localhost:2181"]
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<metricbeat-metricset-zookeeper-connection,connection>>
-
-* <<metricbeat-metricset-zookeeper-mntr,mntr>>
-
-* <<metricbeat-metricset-zookeeper-server,server>>
-
-include::zookeeper/connection.asciidoc[]
-
-include::zookeeper/mntr.asciidoc[]
-
-include::zookeeper/server.asciidoc[]
-
-:edit_url!:
diff --git a/metricbeat/docs/modules/zookeeper/connection.asciidoc b/metricbeat/docs/modules/zookeeper/connection.asciidoc
deleted file mode 100644
index 45150832edaf..000000000000
--- a/metricbeat/docs/modules/zookeeper/connection.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/zookeeper/connection/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-zookeeper-connection]]
-=== ZooKeeper connection metricset
-
-include::../../../module/zookeeper/connection/_meta/docs.asciidoc[]
-
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-zookeeper,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/zookeeper/connection/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/zookeeper/mntr.asciidoc b/metricbeat/docs/modules/zookeeper/mntr.asciidoc
deleted file mode 100644
index b7bb3702348c..000000000000
--- a/metricbeat/docs/modules/zookeeper/mntr.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/zookeeper/mntr/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-zookeeper-mntr]]
-=== ZooKeeper mntr metricset
-
-include::../../../module/zookeeper/mntr/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-zookeeper,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/zookeeper/mntr/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules/zookeeper/server.asciidoc b/metricbeat/docs/modules/zookeeper/server.asciidoc
deleted file mode 100644
index d8dce820904d..000000000000
--- a/metricbeat/docs/modules/zookeeper/server.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-:edit_url: https://github.com/elastic/beats/edit/main/metricbeat/module/zookeeper/server/_meta/docs.asciidoc
-
-
-[[metricbeat-metricset-zookeeper-server]]
-=== ZooKeeper server metricset
-
-include::../../../module/zookeeper/server/_meta/docs.asciidoc[]
-
-This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.
-
-:edit_url:
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-zookeeper,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/zookeeper/server/_meta/data.json[]
-----
-:edit_url!:
\ No newline at end of file
diff --git a/metricbeat/docs/modules_list.asciidoc b/metricbeat/docs/modules_list.asciidoc
deleted file mode 100644
index ee8055b298c8..000000000000
--- a/metricbeat/docs/modules_list.asciidoc
+++ /dev/null
@@ -1,405 +0,0 @@
-////
-This file is generated! See scripts/mage/docs_collector.go
-////
-
-[options="header"]
-|===
-|Modules   |Dashboards   |Metricsets   
-|<<metricbeat-module-activemq,ActiveMQ>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.3+| .3+|  |<<metricbeat-metricset-activemq-broker,broker>>   
-|<<metricbeat-metricset-activemq-queue,queue>>   
-|<<metricbeat-metricset-activemq-topic,topic>>   
-|<<metricbeat-module-aerospike,Aerospike>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.1+| .1+|  |<<metricbeat-metricset-aerospike-namespace,namespace>>   
-|<<metricbeat-module-airflow,Airflow>>  beta[]   |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.1+| .1+|  |<<metricbeat-metricset-airflow-statsd,statsd>> beta[]  
-|<<metricbeat-module-apache,Apache>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.1+| .1+|  |<<metricbeat-metricset-apache-status,status>>   
-|<<metricbeat-module-aws,AWS>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.18+| .18+|  |<<metricbeat-metricset-aws-awshealth,awshealth>> beta[]  
-|<<metricbeat-metricset-aws-billing,billing>> beta[]  
-|<<metricbeat-metricset-aws-cloudwatch,cloudwatch>>   
-|<<metricbeat-metricset-aws-dynamodb,dynamodb>> beta[]  
-|<<metricbeat-metricset-aws-ebs,ebs>>   
-|<<metricbeat-metricset-aws-ec2,ec2>>   
-|<<metricbeat-metricset-aws-elb,elb>>   
-|<<metricbeat-metricset-aws-kinesis,kinesis>> beta[]  
-|<<metricbeat-metricset-aws-lambda,lambda>>   
-|<<metricbeat-metricset-aws-natgateway,natgateway>> beta[]  
-|<<metricbeat-metricset-aws-rds,rds>>   
-|<<metricbeat-metricset-aws-s3_daily_storage,s3_daily_storage>>   
-|<<metricbeat-metricset-aws-s3_request,s3_request>>   
-|<<metricbeat-metricset-aws-sns,sns>> beta[]  
-|<<metricbeat-metricset-aws-sqs,sqs>>   
-|<<metricbeat-metricset-aws-transitgateway,transitgateway>> beta[]  
-|<<metricbeat-metricset-aws-usage,usage>> beta[]  
-|<<metricbeat-metricset-aws-vpn,vpn>> beta[]  
-|<<metricbeat-module-awsfargate,AWS Fargate>>  beta[]   |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.1+| .1+|  |<<metricbeat-metricset-awsfargate-task_stats,task_stats>> beta[]  
-|<<metricbeat-module-azure,Azure>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.11+| .11+|  |<<metricbeat-metricset-azure-app_insights,app_insights>> beta[]  
-|<<metricbeat-metricset-azure-app_state,app_state>> beta[]  
-|<<metricbeat-metricset-azure-billing,billing>> beta[]  
-|<<metricbeat-metricset-azure-compute_vm,compute_vm>>   
-|<<metricbeat-metricset-azure-compute_vm_scaleset,compute_vm_scaleset>>   
-|<<metricbeat-metricset-azure-container_instance,container_instance>>   
-|<<metricbeat-metricset-azure-container_registry,container_registry>>   
-|<<metricbeat-metricset-azure-container_service,container_service>>   
-|<<metricbeat-metricset-azure-database_account,database_account>>   
-|<<metricbeat-metricset-azure-monitor,monitor>>   
-|<<metricbeat-metricset-azure-storage,storage>>   
-|<<metricbeat-module-beat,Beat>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.2+| .2+|  |<<metricbeat-metricset-beat-state,state>>   
-|<<metricbeat-metricset-beat-stats,stats>>   
-|<<metricbeat-module-benchmark,Benchmark>>  beta[]   |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.1+| .1+|  |<<metricbeat-metricset-benchmark-info,info>> beta[]  
-|<<metricbeat-module-ceph,Ceph>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.13+| .13+|  |<<metricbeat-metricset-ceph-cluster_disk,cluster_disk>>   
-|<<metricbeat-metricset-ceph-cluster_health,cluster_health>>   
-|<<metricbeat-metricset-ceph-cluster_status,cluster_status>>   
-|<<metricbeat-metricset-ceph-mgr_cluster_disk,mgr_cluster_disk>> beta[]  
-|<<metricbeat-metricset-ceph-mgr_cluster_health,mgr_cluster_health>> beta[]  
-|<<metricbeat-metricset-ceph-mgr_osd_perf,mgr_osd_perf>> beta[]  
-|<<metricbeat-metricset-ceph-mgr_osd_pool_stats,mgr_osd_pool_stats>> beta[]  
-|<<metricbeat-metricset-ceph-mgr_osd_tree,mgr_osd_tree>> beta[]  
-|<<metricbeat-metricset-ceph-mgr_pool_disk,mgr_pool_disk>> beta[]  
-|<<metricbeat-metricset-ceph-monitor_health,monitor_health>>   
-|<<metricbeat-metricset-ceph-osd_df,osd_df>>   
-|<<metricbeat-metricset-ceph-osd_tree,osd_tree>>   
-|<<metricbeat-metricset-ceph-pool_disk,pool_disk>>   
-|<<metricbeat-module-cloudfoundry,Cloudfoundry>>  beta[]   |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.3+| .3+|  |<<metricbeat-metricset-cloudfoundry-container,container>> beta[]  
-|<<metricbeat-metricset-cloudfoundry-counter,counter>> beta[]  
-|<<metricbeat-metricset-cloudfoundry-value,value>> beta[]  
-|<<metricbeat-module-cockroachdb,CockroachDB>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.1+| .1+|  |<<metricbeat-metricset-cockroachdb-status,status>>   
-|<<metricbeat-module-consul,Consul>>  beta[]   |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.1+| .1+|  |<<metricbeat-metricset-consul-agent,agent>> beta[]  
-|<<metricbeat-module-containerd,Containerd>>  beta[]   |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.3+| .3+|  |<<metricbeat-metricset-containerd-blkio,blkio>> beta[]  
-|<<metricbeat-metricset-containerd-cpu,cpu>> beta[]  
-|<<metricbeat-metricset-containerd-memory,memory>> beta[]  
-|<<metricbeat-module-coredns,Coredns>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.1+| .1+|  |<<metricbeat-metricset-coredns-stats,stats>>   
-|<<metricbeat-module-couchbase,Couchbase>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.3+| .3+|  |<<metricbeat-metricset-couchbase-bucket,bucket>>   
-|<<metricbeat-metricset-couchbase-cluster,cluster>>   
-|<<metricbeat-metricset-couchbase-node,node>>   
-|<<metricbeat-module-couchdb,CouchDB>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.1+| .1+|  |<<metricbeat-metricset-couchdb-server,server>>   
-|<<metricbeat-module-docker,Docker>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.10+| .10+|  |<<metricbeat-metricset-docker-container,container>>   
-|<<metricbeat-metricset-docker-cpu,cpu>>   
-|<<metricbeat-metricset-docker-diskio,diskio>>   
-|<<metricbeat-metricset-docker-event,event>>   
-|<<metricbeat-metricset-docker-healthcheck,healthcheck>>   
-|<<metricbeat-metricset-docker-image,image>>   
-|<<metricbeat-metricset-docker-info,info>>   
-|<<metricbeat-metricset-docker-memory,memory>>   
-|<<metricbeat-metricset-docker-network,network>>   
-|<<metricbeat-metricset-docker-network_summary,network_summary>> beta[]  
-|<<metricbeat-module-dropwizard,Dropwizard>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.1+| .1+|  |<<metricbeat-metricset-dropwizard-collector,collector>>   
-|<<metricbeat-module-elasticsearch,Elasticsearch>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.12+| .12+|  |<<metricbeat-metricset-elasticsearch-ccr,ccr>>   
-|<<metricbeat-metricset-elasticsearch-cluster_stats,cluster_stats>>   
-|<<metricbeat-metricset-elasticsearch-enrich,enrich>>   
-|<<metricbeat-metricset-elasticsearch-index,index>>   
-|<<metricbeat-metricset-elasticsearch-index_recovery,index_recovery>>   
-|<<metricbeat-metricset-elasticsearch-index_summary,index_summary>>   
-|<<metricbeat-metricset-elasticsearch-ingest_pipeline,ingest_pipeline>> beta[]  
-|<<metricbeat-metricset-elasticsearch-ml_job,ml_job>>   
-|<<metricbeat-metricset-elasticsearch-node,node>>   
-|<<metricbeat-metricset-elasticsearch-node_stats,node_stats>>   
-|<<metricbeat-metricset-elasticsearch-pending_tasks,pending_tasks>>   
-|<<metricbeat-metricset-elasticsearch-shard,shard>>   
-|<<metricbeat-module-envoyproxy,Envoyproxy>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.1+| .1+|  |<<metricbeat-metricset-envoyproxy-server,server>>   
-|<<metricbeat-module-etcd,Etcd>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.4+| .4+|  |<<metricbeat-metricset-etcd-leader,leader>>   
-|<<metricbeat-metricset-etcd-metrics,metrics>> beta[]  
-|<<metricbeat-metricset-etcd-self,self>>   
-|<<metricbeat-metricset-etcd-store,store>>   
-|<<metricbeat-module-gcp,Google Cloud Platform>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.10+| .10+|  |<<metricbeat-metricset-gcp-billing,billing>>   
-|<<metricbeat-metricset-gcp-carbon,carbon>> beta[]  
-|<<metricbeat-metricset-gcp-compute,compute>>   
-|<<metricbeat-metricset-gcp-dataproc,dataproc>>   
-|<<metricbeat-metricset-gcp-firestore,firestore>>   
-|<<metricbeat-metricset-gcp-gke,gke>>   
-|<<metricbeat-metricset-gcp-loadbalancing,loadbalancing>>   
-|<<metricbeat-metricset-gcp-metrics,metrics>>   
-|<<metricbeat-metricset-gcp-pubsub,pubsub>>   
-|<<metricbeat-metricset-gcp-storage,storage>>   
-|<<metricbeat-module-golang,Golang>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.2+| .2+|  |<<metricbeat-metricset-golang-expvar,expvar>>   
-|<<metricbeat-metricset-golang-heap,heap>>   
-|<<metricbeat-module-graphite,Graphite>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.1+| .1+|  |<<metricbeat-metricset-graphite-server,server>>   
-|<<metricbeat-module-haproxy,HAProxy>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.2+| .2+|  |<<metricbeat-metricset-haproxy-info,info>>   
-|<<metricbeat-metricset-haproxy-stat,stat>>   
-|<<metricbeat-module-http,HTTP>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.2+| .2+|  |<<metricbeat-metricset-http-json,json>>   
-|<<metricbeat-metricset-http-server,server>>   
-|<<metricbeat-module-ibmmq,IBM MQ>>  beta[]   |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.1+| .1+|  |<<metricbeat-metricset-ibmmq-qmgr,qmgr>> beta[]  
-|<<metricbeat-module-iis,IIS>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.3+| .3+|  |<<metricbeat-metricset-iis-application_pool,application_pool>>   
-|<<metricbeat-metricset-iis-webserver,webserver>>   
-|<<metricbeat-metricset-iis-website,website>>   
-|<<metricbeat-module-istio,Istio>>  beta[]   |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.7+| .7+|  |<<metricbeat-metricset-istio-citadel,citadel>> beta[]  
-|<<metricbeat-metricset-istio-galley,galley>> beta[]  
-|<<metricbeat-metricset-istio-istiod,istiod>> beta[]  
-|<<metricbeat-metricset-istio-mesh,mesh>> beta[]  
-|<<metricbeat-metricset-istio-mixer,mixer>> beta[]  
-|<<metricbeat-metricset-istio-pilot,pilot>> beta[]  
-|<<metricbeat-metricset-istio-proxy,proxy>> beta[]  
-|<<metricbeat-module-jolokia,Jolokia>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.1+| .1+|  |<<metricbeat-metricset-jolokia-jmx,jmx>>   
-|<<metricbeat-module-kafka,Kafka>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.5+| .5+|  |<<metricbeat-metricset-kafka-broker,broker>> beta[]  
-|<<metricbeat-metricset-kafka-consumer,consumer>> beta[]  
-|<<metricbeat-metricset-kafka-consumergroup,consumergroup>>   
-|<<metricbeat-metricset-kafka-partition,partition>>   
-|<<metricbeat-metricset-kafka-producer,producer>> beta[]  
-|<<metricbeat-module-kibana,Kibana>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.6+| .6+|  |<<metricbeat-metricset-kibana-cluster_actions,cluster_actions>> beta[]  
-|<<metricbeat-metricset-kibana-cluster_rules,cluster_rules>> beta[]  
-|<<metricbeat-metricset-kibana-node_actions,node_actions>> beta[]  
-|<<metricbeat-metricset-kibana-node_rules,node_rules>> beta[]  
-|<<metricbeat-metricset-kibana-stats,stats>>   
-|<<metricbeat-metricset-kibana-status,status>>   
-|<<metricbeat-module-kubernetes,Kubernetes>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.23+| .23+|  |<<metricbeat-metricset-kubernetes-apiserver,apiserver>>   
-|<<metricbeat-metricset-kubernetes-container,container>>   
-|<<metricbeat-metricset-kubernetes-controllermanager,controllermanager>>   
-|<<metricbeat-metricset-kubernetes-event,event>>   
-|<<metricbeat-metricset-kubernetes-node,node>>   
-|<<metricbeat-metricset-kubernetes-pod,pod>>   
-|<<metricbeat-metricset-kubernetes-proxy,proxy>>   
-|<<metricbeat-metricset-kubernetes-scheduler,scheduler>>   
-|<<metricbeat-metricset-kubernetes-state_container,state_container>>   
-|<<metricbeat-metricset-kubernetes-state_cronjob,state_cronjob>>   
-|<<metricbeat-metricset-kubernetes-state_daemonset,state_daemonset>>   
-|<<metricbeat-metricset-kubernetes-state_deployment,state_deployment>>   
-|<<metricbeat-metricset-kubernetes-state_job,state_job>>   
-|<<metricbeat-metricset-kubernetes-state_node,state_node>>   
-|<<metricbeat-metricset-kubernetes-state_persistentvolumeclaim,state_persistentvolumeclaim>>   
-|<<metricbeat-metricset-kubernetes-state_pod,state_pod>>   
-|<<metricbeat-metricset-kubernetes-state_replicaset,state_replicaset>>   
-|<<metricbeat-metricset-kubernetes-state_resourcequota,state_resourcequota>>   
-|<<metricbeat-metricset-kubernetes-state_service,state_service>>   
-|<<metricbeat-metricset-kubernetes-state_statefulset,state_statefulset>>   
-|<<metricbeat-metricset-kubernetes-state_storageclass,state_storageclass>>   
-|<<metricbeat-metricset-kubernetes-system,system>>   
-|<<metricbeat-metricset-kubernetes-volume,volume>>   
-|<<metricbeat-module-kvm,KVM>>  beta[]   |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.2+| .2+|  |<<metricbeat-metricset-kvm-dommemstat,dommemstat>> beta[]  
-|<<metricbeat-metricset-kvm-status,status>> beta[]  
-|<<metricbeat-module-linux,Linux>>  beta[]   |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.7+| .7+|  |<<metricbeat-metricset-linux-conntrack,conntrack>> beta[]  
-|<<metricbeat-metricset-linux-iostat,iostat>> beta[]  
-|<<metricbeat-metricset-linux-ksm,ksm>> beta[]  
-|<<metricbeat-metricset-linux-memory,memory>> beta[]  
-|<<metricbeat-metricset-linux-pageinfo,pageinfo>> beta[]  
-|<<metricbeat-metricset-linux-pressure,pressure>> beta[]  
-|<<metricbeat-metricset-linux-rapl,rapl>> beta[]  
-|<<metricbeat-module-logstash,Logstash>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.2+| .2+|  |<<metricbeat-metricset-logstash-node,node>>   
-|<<metricbeat-metricset-logstash-node_stats,node_stats>>   
-|<<metricbeat-module-memcached,Memcached>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.1+| .1+|  |<<metricbeat-metricset-memcached-stats,stats>>   
-|<<metricbeat-module-meraki,Cisco Meraki>>  beta[]   |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.1+| .1+|  |<<metricbeat-metricset-meraki-device_health,device_health>> beta[]  
-|<<metricbeat-module-mongodb,MongoDB>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.5+| .5+|  |<<metricbeat-metricset-mongodb-collstats,collstats>>   
-|<<metricbeat-metricset-mongodb-dbstats,dbstats>>   
-|<<metricbeat-metricset-mongodb-metrics,metrics>>   
-|<<metricbeat-metricset-mongodb-replstatus,replstatus>>   
-|<<metricbeat-metricset-mongodb-status,status>>   
-|<<metricbeat-module-mssql,MSSQL>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.2+| .2+|  |<<metricbeat-metricset-mssql-performance,performance>>   
-|<<metricbeat-metricset-mssql-transaction_log,transaction_log>>   
-|<<metricbeat-module-munin,Munin>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.1+| .1+|  |<<metricbeat-metricset-munin-node,node>>   
-|<<metricbeat-module-mysql,MySQL>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.4+| .4+|  |<<metricbeat-metricset-mysql-galera_status,galera_status>> beta[]  
-|<<metricbeat-metricset-mysql-performance,performance>> beta[]  
-|<<metricbeat-metricset-mysql-query,query>> beta[]  
-|<<metricbeat-metricset-mysql-status,status>>   
-|<<metricbeat-module-nats,NATS>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.6+| .6+|  |<<metricbeat-metricset-nats-connection,connection>>   
-|<<metricbeat-metricset-nats-connections,connections>>   
-|<<metricbeat-metricset-nats-route,route>>   
-|<<metricbeat-metricset-nats-routes,routes>>   
-|<<metricbeat-metricset-nats-stats,stats>>   
-|<<metricbeat-metricset-nats-subscriptions,subscriptions>>   
-|<<metricbeat-module-nginx,Nginx>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.1+| .1+|  |<<metricbeat-metricset-nginx-stubstatus,stubstatus>>   
-|<<metricbeat-module-openai,openai>>  beta[]   |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.1+| .1+|  |<<metricbeat-metricset-openai-usage,usage>> beta[]  
-|<<metricbeat-module-openmetrics,Openmetrics>>  beta[]   |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.1+| .1+|  |<<metricbeat-metricset-openmetrics-collector,collector>> beta[]  
-|<<metricbeat-module-oracle,Oracle>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.3+| .3+|  |<<metricbeat-metricset-oracle-performance,performance>>   
-|<<metricbeat-metricset-oracle-sysmetric,sysmetric>> beta[]  
-|<<metricbeat-metricset-oracle-tablespace,tablespace>>   
-|<<metricbeat-module-panw,Panw>>  beta[]   |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.4+| .4+|  |<<metricbeat-metricset-panw-interfaces,interfaces>> beta[]  
-|<<metricbeat-metricset-panw-routing,routing>> beta[]  
-|<<metricbeat-metricset-panw-system,system>> beta[]  
-|<<metricbeat-metricset-panw-vpn,vpn>> beta[]  
-|<<metricbeat-module-php_fpm,PHP_FPM>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.2+| .2+|  |<<metricbeat-metricset-php_fpm-pool,pool>>   
-|<<metricbeat-metricset-php_fpm-process,process>>   
-|<<metricbeat-module-postgresql,PostgreSQL>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.4+| .4+|  |<<metricbeat-metricset-postgresql-activity,activity>>   
-|<<metricbeat-metricset-postgresql-bgwriter,bgwriter>>   
-|<<metricbeat-metricset-postgresql-database,database>>   
-|<<metricbeat-metricset-postgresql-statement,statement>>   
-|<<metricbeat-module-prometheus,Prometheus>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.3+| .3+|  |<<metricbeat-metricset-prometheus-collector,collector>>   
-|<<metricbeat-metricset-prometheus-query,query>>   
-|<<metricbeat-metricset-prometheus-remote_write,remote_write>>   
-|<<metricbeat-module-rabbitmq,RabbitMQ>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.5+| .5+|  |<<metricbeat-metricset-rabbitmq-connection,connection>>   
-|<<metricbeat-metricset-rabbitmq-exchange,exchange>>   
-|<<metricbeat-metricset-rabbitmq-node,node>>   
-|<<metricbeat-metricset-rabbitmq-queue,queue>>   
-|<<metricbeat-metricset-rabbitmq-shovel,shovel>> beta[]  
-|<<metricbeat-module-redis,Redis>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.3+| .3+|  |<<metricbeat-metricset-redis-info,info>>   
-|<<metricbeat-metricset-redis-key,key>>   
-|<<metricbeat-metricset-redis-keyspace,keyspace>>   
-|<<metricbeat-module-redisenterprise,Redis Enterprise>>  beta[]   |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.2+| .2+|  |<<metricbeat-metricset-redisenterprise-node,node>> beta[]  
-|<<metricbeat-metricset-redisenterprise-proxy,proxy>> beta[]  
-|<<metricbeat-module-sql,SQL>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.1+| .1+|  |<<metricbeat-metricset-sql-query,query>>   
-|<<metricbeat-module-stan,Stan>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.3+| .3+|  |<<metricbeat-metricset-stan-channels,channels>>   
-|<<metricbeat-metricset-stan-stats,stats>>   
-|<<metricbeat-metricset-stan-subscriptions,subscriptions>>   
-|<<metricbeat-module-statsd,Statsd>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.1+| .1+|  |<<metricbeat-metricset-statsd-server,server>>   
-|<<metricbeat-module-syncgateway,SyncGateway>>  beta[]   |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.4+| .4+|  |<<metricbeat-metricset-syncgateway-db,db>> beta[]  
-|<<metricbeat-metricset-syncgateway-memory,memory>> beta[]  
-|<<metricbeat-metricset-syncgateway-replication,replication>> beta[]  
-|<<metricbeat-metricset-syncgateway-resources,resources>> beta[]  
-|<<metricbeat-module-system,System>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.18+| .18+|  |<<metricbeat-metricset-system-core,core>>   
-|<<metricbeat-metricset-system-cpu,cpu>>   
-|<<metricbeat-metricset-system-diskio,diskio>>   
-|<<metricbeat-metricset-system-entropy,entropy>>   
-|<<metricbeat-metricset-system-filesystem,filesystem>>   
-|<<metricbeat-metricset-system-fsstat,fsstat>>   
-|<<metricbeat-metricset-system-load,load>>   
-|<<metricbeat-metricset-system-memory,memory>>   
-|<<metricbeat-metricset-system-network,network>>   
-|<<metricbeat-metricset-system-network_summary,network_summary>> beta[]  
-|<<metricbeat-metricset-system-process,process>>   
-|<<metricbeat-metricset-system-process_summary,process_summary>>   
-|<<metricbeat-metricset-system-raid,raid>>   
-|<<metricbeat-metricset-system-service,service>> beta[]  
-|<<metricbeat-metricset-system-socket,socket>>   
-|<<metricbeat-metricset-system-socket_summary,socket_summary>>   
-|<<metricbeat-metricset-system-uptime,uptime>>   
-|<<metricbeat-metricset-system-users,users>> beta[]  
-|<<metricbeat-module-tomcat,Tomcat>>  beta[]   |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.4+| .4+|  |<<metricbeat-metricset-tomcat-cache,cache>> beta[]  
-|<<metricbeat-metricset-tomcat-memory,memory>> beta[]  
-|<<metricbeat-metricset-tomcat-requests,requests>> beta[]  
-|<<metricbeat-metricset-tomcat-threading,threading>> beta[]  
-|<<metricbeat-module-traefik,Traefik>>     |image:./images/icon-no.png[No prebuilt dashboards]    |  
-.1+| .1+|  |<<metricbeat-metricset-traefik-health,health>>   
-|<<metricbeat-module-uwsgi,uWSGI>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.1+| .1+|  |<<metricbeat-metricset-uwsgi-status,status>>   
-|<<metricbeat-module-vsphere,vSphere>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.7+| .7+|  |<<metricbeat-metricset-vsphere-cluster,cluster>> beta[]  
-|<<metricbeat-metricset-vsphere-datastore,datastore>>   
-|<<metricbeat-metricset-vsphere-datastorecluster,datastorecluster>> beta[]  
-|<<metricbeat-metricset-vsphere-host,host>>   
-|<<metricbeat-metricset-vsphere-network,network>> beta[]  
-|<<metricbeat-metricset-vsphere-resourcepool,resourcepool>> beta[]  
-|<<metricbeat-metricset-vsphere-virtualmachine,virtualmachine>>   
-|<<metricbeat-module-windows,Windows>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.3+| .3+|  |<<metricbeat-metricset-windows-perfmon,perfmon>>   
-|<<metricbeat-metricset-windows-service,service>>   
-|<<metricbeat-metricset-windows-wmi,wmi>> beta[]  
-|<<metricbeat-module-zookeeper,ZooKeeper>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.3+| .3+|  |<<metricbeat-metricset-zookeeper-connection,connection>>   
-|<<metricbeat-metricset-zookeeper-mntr,mntr>>   
-|<<metricbeat-metricset-zookeeper-server,server>>   
-|===
-
---
-
-include::modules/activemq.asciidoc[]
-include::modules/aerospike.asciidoc[]
-include::modules/airflow.asciidoc[]
-include::modules/apache.asciidoc[]
-include::modules/aws.asciidoc[]
-include::modules/awsfargate.asciidoc[]
-include::modules/azure.asciidoc[]
-include::modules/beat.asciidoc[]
-include::modules/benchmark.asciidoc[]
-include::modules/ceph.asciidoc[]
-include::modules/cloudfoundry.asciidoc[]
-include::modules/cockroachdb.asciidoc[]
-include::modules/consul.asciidoc[]
-include::modules/containerd.asciidoc[]
-include::modules/coredns.asciidoc[]
-include::modules/couchbase.asciidoc[]
-include::modules/couchdb.asciidoc[]
-include::modules/docker.asciidoc[]
-include::modules/dropwizard.asciidoc[]
-include::modules/elasticsearch.asciidoc[]
-include::modules/envoyproxy.asciidoc[]
-include::modules/etcd.asciidoc[]
-include::modules/gcp.asciidoc[]
-include::modules/golang.asciidoc[]
-include::modules/graphite.asciidoc[]
-include::modules/haproxy.asciidoc[]
-include::modules/http.asciidoc[]
-include::modules/ibmmq.asciidoc[]
-include::modules/iis.asciidoc[]
-include::modules/istio.asciidoc[]
-include::modules/jolokia.asciidoc[]
-include::modules/kafka.asciidoc[]
-include::modules/kibana.asciidoc[]
-include::modules/kubernetes.asciidoc[]
-include::modules/kvm.asciidoc[]
-include::modules/linux.asciidoc[]
-include::modules/logstash.asciidoc[]
-include::modules/memcached.asciidoc[]
-include::modules/meraki.asciidoc[]
-include::modules/mongodb.asciidoc[]
-include::modules/mssql.asciidoc[]
-include::modules/munin.asciidoc[]
-include::modules/mysql.asciidoc[]
-include::modules/nats.asciidoc[]
-include::modules/nginx.asciidoc[]
-include::modules/openai.asciidoc[]
-include::modules/openmetrics.asciidoc[]
-include::modules/oracle.asciidoc[]
-include::modules/panw.asciidoc[]
-include::modules/php_fpm.asciidoc[]
-include::modules/postgresql.asciidoc[]
-include::modules/prometheus.asciidoc[]
-include::modules/rabbitmq.asciidoc[]
-include::modules/redis.asciidoc[]
-include::modules/redisenterprise.asciidoc[]
-include::modules/sql.asciidoc[]
-include::modules/stan.asciidoc[]
-include::modules/statsd.asciidoc[]
-include::modules/syncgateway.asciidoc[]
-include::modules/system.asciidoc[]
-include::modules/tomcat.asciidoc[]
-include::modules/traefik.asciidoc[]
-include::modules/uwsgi.asciidoc[]
-include::modules/vsphere.asciidoc[]
-include::modules/windows.asciidoc[]
-include::modules/zookeeper.asciidoc[]
diff --git a/metricbeat/docs/overview.asciidoc b/metricbeat/docs/overview.asciidoc
deleted file mode 100644
index 22cfde9c7ea0..000000000000
--- a/metricbeat/docs/overview.asciidoc
+++ /dev/null
@@ -1,27 +0,0 @@
-[[metricbeat-overview]]
-== Metricbeat overview
-
-Metricbeat is a lightweight shipper that you can install on your servers to
-periodically collect metrics from the operating system and from services running
-on the server. Metricbeat takes the metrics and statistics that it collects and
-ships them to the output that you specify, such as Elasticsearch or Logstash.
-
-Metricbeat helps you monitor your servers by collecting metrics from the system
-and services running on the server, such as:
-
-  * <<metricbeat-module-apache,Apache>>
-  * <<metricbeat-module-haproxy,HAProxy>>
-  * <<metricbeat-module-mongodb,MongoDB>>
-  * <<metricbeat-module-mysql,MySQL>>
-  * <<metricbeat-module-nginx,Nginx>>
-  * <<metricbeat-module-postgresql,PostgreSQL>>
-  * <<metricbeat-module-redis,Redis>>
-  * <<metricbeat-module-system,System>>
-  * <<metricbeat-module-zookeeper,Zookeeper>>
-
-See <<metricbeat-modules>> for the complete list of supported services.
-
-Metricbeat can insert the collected metrics directly into Elasticsearch
-or send them to Logstash, Redis, or Kafka.
-
-include::{libbeat-dir}/shared-libbeat-description.asciidoc[]
diff --git a/metricbeat/docs/reload-configuration.asciidoc b/metricbeat/docs/reload-configuration.asciidoc
deleted file mode 100644
index 5fd456358660..000000000000
--- a/metricbeat/docs/reload-configuration.asciidoc
+++ /dev/null
@@ -1,87 +0,0 @@
-[[metricbeat-configuration-reloading]]
-== Load external configuration files
-
-++++
-<titleabbrev>Config file loading</titleabbrev>
-++++
-
-Metricbeat can load external configuration files for modules, which allows you
-to separate your configuration into multiple smaller configuration files. To use
-this, you specify the `path` option under `metricbeat.config.modules` in the
-main `metricbeat.yml` configuration file. By default, Metricbeat loads the
-module configurations enabled in the <<configure-modules-d-configs,`modules.d`>>
-directory. For example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-metricbeat.config.modules:
-  path: ${path.config}/modules.d/*.yml
-------------------------------------------------------------------------------
-
-
-`path`:: A Glob that defines the files to check for changes.
-+
-This setting must point to the `modules.d` directory if you want to use the
-<<modules-command,`modules`>> command to enable and disable module
-configurations.
-
-Each file found by the Glob must contain a list of one or more module
-definitions. For example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-- module: system
-  metricsets: ["cpu"]
-  enabled: false
-  period: 1s
-
-- module: system
-  metricsets: ["network"]
-  enabled: true
-  period: 10s
-------------------------------------------------------------------------------
-
-
-include::{libbeat-dir}/shared-note-file-permissions.asciidoc[]
-
-=== Live reloading
-
-You can configure Metricbeat to dynamically reload configuration files when
-there are changes. To do this, you specify a path
-(https://golang.org/pkg/path/filepath/#Glob[Glob]) to watch for module
-configuration changes. When the files found by the Glob change, new modules are
-started/stopped according to changes in the configuration files.
-
-This feature is especially useful in container environments where one container
-is used to monitor all services running in other containers on the same host.
-Because new containers appear and disappear dynamically, you may need to change
-the Metricbeat configuration frequently to specify which modules are needed and
-which hosts must be monitored.
-
-To enable dynamic config reloading, you specify the `path` and `reload` options
-under `metricbeat.config.modules` in the main `metricbeat.yml` config file. For
-example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-metricbeat.config.modules:
-  path: ${path.config}/modules.d/*.yml
-  reload.enabled: true
-  reload.period: 10s
-------------------------------------------------------------------------------
-
-
-`path`:: A Glob that defines the files to check for changes.
-+
-This setting must point to the `modules.d` directory if you want to use the
-<<modules-command,`modules`>> command to enable and disable module
-configurations.
-
-`reload.enabled`:: When set to `true`, enables dynamic config reload.
-
-`reload.period`:: Specifies how often the files are checked for changes. Do not
-set the `period` to less than 1s because the modification time of files is often
-stored in seconds. Setting the `period` to less than 1s will result in
-unnecessary overhead.
-
-include::{libbeat-dir}/shared-note-file-permissions.asciidoc[]
diff --git a/metricbeat/docs/running-on-cloudfoundry.asciidoc b/metricbeat/docs/running-on-cloudfoundry.asciidoc
deleted file mode 100644
index 0289e955282e..000000000000
--- a/metricbeat/docs/running-on-cloudfoundry.asciidoc
+++ /dev/null
@@ -1 +0,0 @@
-include::{libbeat-dir}/shared-cloudfoundry.asciidoc[]
diff --git a/metricbeat/docs/running-on-docker.asciidoc b/metricbeat/docs/running-on-docker.asciidoc
deleted file mode 100644
index da012b2eb556..000000000000
--- a/metricbeat/docs/running-on-docker.asciidoc
+++ /dev/null
@@ -1,105 +0,0 @@
-include::{libbeat-dir}/shared-docker.asciidoc[]
-
-[float]
-[[monitoring-host]]
-==== Monitor the host machine
-When executing Metricbeat in a container, there are some important
-things to be aware of if you want to monitor the host machine or other
-containers. Let's walk-through some examples using Docker as our container
-orchestration tool.
-
-This example highlights the changes required to make the system module
-work properly inside of a container. This enables Metricbeat to monitor the
-host machine from within the container.
-
-["source","sh",subs="attributes"]
-----
-docker run \
-  --mount type=bind,source=/proc,target=/hostfs/proc,readonly \ <1>
-  --mount type=bind,source=/sys/fs/cgroup,target=/hostfs/sys/fs/cgroup,readonly \ <2>
-  --mount type=bind,source=/,target=/hostfs,readonly \ <3>
-  --mount type=bind,source=/var/run/dbus/system_bus_socket,target=/hostfs/var/run/dbus/system_bus_socket,readonly \ <4>
-  --env DBUS_SYSTEM_BUS_ADDRESS='unix:path=/hostfs/var/run/dbus/system_bus_socket' \ <4>
-  --net=host \ <5>
-  --cgroupns=host \ <6>
-  {dockerimage} -e --system.hostfs=/hostfs
-----
-
-<1> Metricbeat's <<metricbeat-module-system,system module>> collects much of its data through the Linux proc
-filesystem, which is normally located at `/proc`. Because containers
-are isolated as much as possible from the host, the data inside of the
-container's `/proc` is different than the host's `/proc`. To account for this, you
-can mount the host's `/proc` filesystem inside of the container and tell
-Metricbeat to look inside the `/hostfs` directory when looking for `/proc` by
-using the `hostfs=/hostfs` config value.
-<2> By default, cgroup reporting is enabled for the
-<<metricbeat-metricset-system-process,system process metricset>>, so you need
-to mount the host's cgroup mountpoints within the container. They need to be
-mounted inside the directory specified by the `hostfs` config value.
-<3> If you want to be able to monitor filesystems from the host by using the
-<<metricbeat-metricset-system-filesystem,system filesystem metricset>>, then those filesystems need to be mounted inside
-of the container. They can be mounted at any location.
-<4> The <<metricbeat-metricset-system-users,system users metricset>> and <<metricbeat-metricset-system-service,system service metricset>>
-both require access to dbus. Mount the dbus socket and set the `DBUS_SYSTEM_BUS_ADDRESS` environment variable to the mounted system socket path.
-<5> The <<metricbeat-metricset-system-network,system network metricset>> uses data from `/proc/net/dev`, or
-`/hostfs/proc/net/dev` when using `hostfs=/hostfs`. The only way
-to make this file contain the host's network devices is to use the `--net=host`
-flag. This is due to Linux namespacing; simply bind mounting the host's `/proc`
-to `/hostfs/proc` is not sufficient.
-<6> Runs the container using the host's cgroup namespace, instead of a private namespace. While this is optional, <<metricbeat-metricset-system-process,system process metricset>> may produce more correct cgroup metrics when running in host mode.
-
-NOTE: The special filesystems +/proc+ and +/sys+ are only available if the
-host system is running Linux. Attempts to bind-mount these filesystems will
-fail on Windows and MacOS.
-
-
-If the <<metricbeat-metricset-system-socket,system socket metricset>>
-is being used on Linux, more privileges will need to be granted to Metricbeat.
-This metricset reads files from `/proc` that are an interface to internal
-objects owned by other users. The capabilities needed to read all these files
-(`sys_ptrace` and `dac_read_search`) are disabled by default on Docker. To
-grant these permissions these flags are needed too:
-
-["source","sh",subs="attributes"]
-----
---user root --cap-add sys_ptrace --cap-add dac_read_search
-----
-[float]
-
-[[monitoring-service]]
-==== Monitor a service in another container
-
-Next, let's look at an example of monitoring a containerized service from a
-Metricbeat container.
-
-["source","sh",subs="attributes"]
-----
-docker run \
-  --network=mysqlnet \ <1>
-  -e MYSQL_PASSWORD=secret \ <2>
-  {dockerimage}
-----
-
-<1> Placing the Metricbeat and MySQL containers on the same Docker network
-allows Metricbeat access to the exposed ports of the MySQL container, and
-makes the hostname `mysql` resolvable to Metricbeat.
-<2> If you do not want to hardcode certain values into your Metricbeat
-configuration, then you can pass them into the container either as environment
-variables or as command line flags to Metricbeat (see the `-E` CLI flag in <<command-line-options>>).
-
-The mysql module configuration would look like this:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: mysql
-  metricsets: ["status"]
-  hosts: ["tcp(mysql:3306)/"] <1>
-  username: root
-  password: ${MYSQL_PASSWORD} <2>
-----
-
-<1> The `mysql` hostname will resolve to the address of a container
-named `mysql` on the `mysqlnet` Docker network.
-<2> The `MYSQL_PASSWORD` variable will be evaluated at startup. If the variable
-is not set, this will lead to an error at startup.
diff --git a/metricbeat/docs/running-on-kubernetes.asciidoc b/metricbeat/docs/running-on-kubernetes.asciidoc
deleted file mode 100644
index e2ac0be96646..000000000000
--- a/metricbeat/docs/running-on-kubernetes.asciidoc
+++ /dev/null
@@ -1,229 +0,0 @@
-[[running-on-kubernetes]]
-=== Run Metricbeat on Kubernetes
-
-You can use {beatname_uc} <<running-on-docker,Docker images>> on Kubernetes to
-retrieve cluster metrics.
-
-TIP: Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK].
-
-ifeval::["{release-state}"=="unreleased"]
-
-However, version {version} of {beatname_uc} has not yet been
-released, so no Docker image is currently available for this version.
-
-endif::[]
-
-
-[float]
-==== Kubernetes deploy manifests
-
-You deploy {beatname_uc} as a https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet]
-to ensure that there's a running instance on each node of the cluster. These
-instances are used to retrieve most metrics from the host, such as system
-metrics, Docker stats, and metrics from all the services running on top of
-Kubernetes.
-
-In addition, one of the Pods in the DaemonSet will constantly hold a _leader lock_ which makes it responsible for
-handling cluster-wide monitoring.
-This instance is used to retrieve metrics that are unique for the whole
-cluster, such as Kubernetes events or
-https://github.com/kubernetes/kube-state-metrics[kube-state-metrics].
-You can find more information about leader election configuration options at <<configuration-autodiscover>>.
-
-Note: If you are upgrading from older versions, please make sure there are no redundant parts
-as left-overs from the old manifests. Deployment specification and its ConfigMaps might be the case.
-
-Everything is deployed under the `kube-system` namespace by default. To change
-the namespace, modify the manifest file.
-
-To download the manifest file, run:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kubernetes/metricbeat-kubernetes.yaml
-------------------------------------------------
-
-[WARNING]
-=======================================
-*If you are using Kubernetes 1.7 or earlier:* {beatname_uc} uses a hostPath volume to persist internal data. It's located
-under +/var/lib/{beatname_lc}-data+. The manifest uses folder autocreation (`DirectoryOrCreate`), which was introduced in
-Kubernetes 1.8. You need to remove `type: DirectoryOrCreate` from the manifest and create the host folder yourself.
-=======================================
-
-[float]
-==== Settings
-
-By default, {beatname_uc} sends events to an existing Elasticsearch deployment,
-if present. To specify a different destination, change the following parameters
-in the manifest file:
-
-[source,yaml]
-------------------------------------------------
-- name: ELASTICSEARCH_HOST
-  value: elasticsearch
-- name: ELASTICSEARCH_PORT
-  value: "9200"
-- name: ELASTICSEARCH_USERNAME
-  value: elastic
-- name: ELASTICSEARCH_PASSWORD
-  value: changeme
-------------------------------------------------
-
-[float]
-===== Running {beatname_uc} on control plane nodes
-
-Kubernetes control plane nodes can use https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/[taints]
-to limit the workloads that can run on them. To run {beatname_uc} on control plane nodes you may need to
-update the Daemonset spec to include proper tolerations:
-
-[source,yaml]
-------------------------------------------------
-spec:
- tolerations:
- - key: node-role.kubernetes.io/control-plane
-   effect: NoSchedule
-------------------------------------------------
-
-[float]
-===== Red Hat OpenShift configuration
-
-If you are using Red Hat OpenShift, you need to specify additional settings in
-the manifest file and grant the `metricbeat` service account access to the privileged SCC:
-
-. In the manifest file, edit the `metricbeat-daemonset-modules` ConfigMap, and
-specify the following settings under `kubernetes.yml` in the `data` section:
-+
-[source,yaml]
------
-  kubernetes.yml: |-
-    - module: kubernetes
-      metricsets:
-        - node
-        - system
-        - pod
-        - container
-        - volume
-      period: 10s
-      host: ${NODE_NAME}
-      hosts: ["https://${NODE_NAME}:10250"]
-      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-      ssl.certificate_authorities:
-        - /path/to/kubelet-service-ca.crt
-    - module: kubernetes
-      metricsets:
-        - proxy
-      period: 10s
-      host: ${NODE_NAME}
-      hosts: ["localhost:29101"]
------
-NOTE: `kubelet-service-ca.crt` can be any CA bundle that contains the issuer of the certificate used in the Kubelet API.
-According to each specific installation of Openshift this can be found either in `secrets` or in `configmaps`.
-In some installations it can be available as part of the service account secret, in
-`/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt`.
-In case of using https://github.com/openshift/installer/blob/master/docs/user/gcp/install.md[Openshift installer]
-for GCP then the following `configmap` can be mounted in Metricbeat Pod and use `ca-bundle.crt`
-in `ssl.certificate_authorities`:
-+
-[source,shell]
------
-Name:         kubelet-serving-ca
-Namespace:    openshift-kube-apiserver
-Labels:       <none>
-Annotations:  <none>
-
-Data
-====
-ca-bundle.crt:
------
-
-. If `https` is used to access `kube-state-metrics`, add the following settings to the `metricbeat-daemonset-config` ConfigMap under the kubernetes autodiscover configuration for the `state_*` metricsets:
-+
-[source,yaml]
------
-  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-  ssl.certificate_authorities:
-    - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
------
-
-. Grant the `metricbeat` service account access to the privileged SCC:
-+
-[source,shell]
------
-oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:metricbeat
------
-+
-This command enables the container to be privileged as an administrator for
-OpenShift.
-
-. If the namespace where elastic-agent is running has the `"openshift.io/node-selector"` annotation set, elastic-agent
-might not run on all nodes. In this case consider overriding the node selector for the namespace to allow scheduling
-on any node:
-+
-[source,shell]
-----
-oc patch namespace kube-system -p \
-'{"metadata": {"annotations": {"openshift.io/node-selector": ""}}}'
-----
-+
-This command sets the node selector for the project to an empty string. If you
-don't run this command, the default node selector will skip control plane nodes.
-
-NOTE: for openshift versions prior to the version 4.x additionally you need to modify the `DaemonSet` container spec in the manifest file to enable the container to run as privileged:
-[source,yaml]
------
-  securityContext:
-    runAsUser: 0
-    privileged: true
------
-
-[float]
-==== Load {kib} dashboards
-
-{beatname_uc} comes packaged with various pre-built {kib} dashboards
-that you can use to visualize metrics about your Kubernetes environment.
-
-If these dashboards are not already loaded into {kib}, you must <<{beatname_lc}-installation-configuration,install {beatname_uc}>>
-on any system that can connect to the {stack}, and then run the `setup` command to load the dashboards. To learn how,
-see <<load-kibana-dashboards,Load {kib} dashboards>>.
-
-[IMPORTANT]
-=======================================
-If you are using a different output other than {es}, such as {ls}, you
-need to <<load-template-manually>> and <<load-kibana-dashboards>>.
-=======================================
-
-[float]
-==== Deploy
-
-Metricbeat gets some metrics from https://github.com/kubernetes/kube-state-metrics#usage[kube-state-metrics].
-If `kube-state-metrics` is not already running, deploy it now (see the
-https://github.com/kubernetes/kube-state-metrics#kubernetes-deployment[Kubernetes
-deployment] docs).
-
-To deploy {beatname_uc} to Kubernetes, run:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-kubectl create -f metricbeat-kubernetes.yaml
-------------------------------------------------
-
-To check the status, run:
-
-["source", "sh", subs="attributes"]
-------------------------------------------------
-$ kubectl --namespace=kube-system  get ds/metricbeat
-
-NAME       DESIRED   CURRENT   READY     UP-TO-DATE   AVAILABLE   NODE-SELECTOR   AGE
-metricbeat   32        32        0         32           0           <none>          1m
-------------------------------------------------
-
-Metrics should start flowing to Elasticsearch.
-
-
-[float]
-==== Deploying Metricbeat to collect cluster-level metrics in large clusters
-
-The size and the number of nodes in a Kubernetes cluster can be fairly large at times, and in such cases
-the Pod that will be collecting cluster level metrics might face performance issues due to
-resources limitations. In this case users might consider to avoid using the leader election strategy
-and instead run a dedicated, standalone {beatname_uc} instance using a Deployment in addition to the DaemonSet.
diff --git a/metricbeat/docs/setting-up-running.asciidoc b/metricbeat/docs/setting-up-running.asciidoc
deleted file mode 100644
index 1139731e201c..000000000000
--- a/metricbeat/docs/setting-up-running.asciidoc
+++ /dev/null
@@ -1,59 +0,0 @@
-/////
-// NOTE:
-// Each beat has its own setup overview to allow for the addition of content
-// that is unique to each beat.
-/////
-
-[[setting-up-and-running]]
-== Set up and run {beatname_uc}
-
-++++
-<titleabbrev>Set up and run</titleabbrev>
-++++
-
-Before reading this section, see
-<<{beatname_lc}-installation-configuration>> for basic
-installation instructions to get you started.
-
-This section includes additional information on how to install, set up, and run
-{beatname_uc}, including:
-
-* <<directory-layout>>
-
-* <<keystore>>
-
-* <<command-line-options>>
-
-* <<running-on-docker>>
-
-* <<running-on-kubernetes>>
-
-* <<running-on-cloudfoundry>>
-
-* <<running-with-systemd>>
-
-* <<{beatname_lc}-starting>>
-
-* <<shutdown>>
-
-//MAINTAINERS: If you add a new file to this section, make sure you update the bulleted list ^^ too.
-
-include::{libbeat-dir}/shared-directory-layout.asciidoc[]
-
-include::{libbeat-dir}/keystore.asciidoc[]
-
-include::{libbeat-dir}/command-reference.asciidoc[]
-
-include::{libbeat-dir}/repositories.asciidoc[]
-
-include::./running-on-docker.asciidoc[]
-
-include::./running-on-kubernetes.asciidoc[]
-
-include::./running-on-cloudfoundry.asciidoc[]
-
-include::{libbeat-dir}/shared-systemd.asciidoc[]
-
-include::{libbeat-dir}/shared/start-beat.asciidoc[]
-
-include::{libbeat-dir}/shared/shutdown.asciidoc[]
diff --git a/metricbeat/docs/troubleshooting.asciidoc b/metricbeat/docs/troubleshooting.asciidoc
deleted file mode 100644
index f1876af0f27f..000000000000
--- a/metricbeat/docs/troubleshooting.asciidoc
+++ /dev/null
@@ -1,39 +0,0 @@
-[[troubleshooting]]
-= Troubleshoot
-
-[partintro]
---
-If you have issues installing or running {beatname_uc}, read the following tips:
-
-* <<getting-help>>
-* <<enable-metricbeat-debugging>>
-* <<understand-{beatname_lc}-logs>>
-* <<faq>>
-
-//sets block macro for getting-help.asciidoc included in next section
-
---
-
-[[getting-help]]
-== Get help
-
-include::{libbeat-dir}/getting-help.asciidoc[]
-
-//sets block macro for debugging.asciidoc included in next section
-
-[[enable-metricbeat-debugging]]
-== Debug
-
-include::{libbeat-dir}/debugging.asciidoc[]
-
-//sets block macro for metrics-in-logs.asciidoc included in next section
-
-[id="understand-{beatname_lc}-logs"]
-[role="xpack"]
-== Understand metrics in {beatname_uc} logs
-
-++++
-<titleabbrev>Understand logged metrics</titleabbrev>
-++++
-
-include::{libbeat-dir}/metrics-in-logs.asciidoc[]
\ No newline at end of file
diff --git a/metricbeat/docs/upgrading.asciidoc b/metricbeat/docs/upgrading.asciidoc
deleted file mode 100644
index 47652390843b..000000000000
--- a/metricbeat/docs/upgrading.asciidoc
+++ /dev/null
@@ -1,7 +0,0 @@
-[[upgrading-metricbeat]]
-== Upgrade Metricbeat
-
-For information about upgrading to a new version, see:
-
-* {beats-ref}/breaking-changes.html[Breaking Changes]
-* {beats-ref}/upgrading.html[Upgrade]
diff --git a/packetbeat/docs/configuring-howto.asciidoc b/packetbeat/docs/configuring-howto.asciidoc
deleted file mode 100644
index 79a595195201..000000000000
--- a/packetbeat/docs/configuring-howto.asciidoc
+++ /dev/null
@@ -1,66 +0,0 @@
-[[configuring-howto-packetbeat]]
-= Configure {beatname_uc}
-
-[partintro]
---
-++++
-<titleabbrev>Configure</titleabbrev>
-++++
-
-include::{libbeat-dir}/shared/configuring-intro.asciidoc[]
-
-* <<configuration-flows>>
-* <<configuration-protocols>>
-* <<configuration-processes>>
-* <<configuration-general-options>>
-* <<configuration-path>>
-* <<configuration-interfaces>>
-* <<configuring-output>>
-* <<configuration-ssl>>
-* <<ilm>>
-* <<configuration-template>>
-* <<setup-kibana-endpoint>>
-* <<configuration-dashboards>>
-* <<filtering-and-enhancing-data>>
-* <<configuring-internal-queue>>
-* <<configuration-logging>>
-* <<http-endpoint>>
-* <<configuration-instrumentation>>
-* <<configuration-feature-flags>>
-* <<{beatname_lc}-reference-yml>>
-
---
-
-include::./packetbeat-options.asciidoc[]
-
-include::./packetbeat-general-options.asciidoc[]
-
-include::{libbeat-dir}/shared-path-config.asciidoc[]
-
-include::{libbeat-dir}/outputconfig.asciidoc[]
-
-ifndef::no_kerberos[]
-include::{libbeat-dir}/shared-kerberos-config.asciidoc[]
-endif::[]
-
-include::{libbeat-dir}/shared-ssl-config.asciidoc[]
-
-include::{libbeat-dir}/shared-ilm.asciidoc[]
-
-include::{libbeat-dir}/setup-config.asciidoc[]
-
-include::./packetbeat-filtering.asciidoc[]
-
-include::{libbeat-dir}/queueconfig.asciidoc[]
-
-include::{libbeat-dir}/loggingconfig.asciidoc[]
-
-include::{libbeat-dir}/http-endpoint.asciidoc[]
-
-include::./protocol-metrics-packetbeat.asciidoc[]
-
-include::{libbeat-dir}/shared-instrumentation.asciidoc[]
-
-include::{libbeat-dir}/shared-feature-flags.asciidoc[]
-
-include::{libbeat-dir}/reference-yml.asciidoc[]
diff --git a/packetbeat/docs/faq-mysql-ssl.asciidoc b/packetbeat/docs/faq-mysql-ssl.asciidoc
deleted file mode 100644
index bb3ee74b8311..000000000000
--- a/packetbeat/docs/faq-mysql-ssl.asciidoc
+++ /dev/null
@@ -1,26 +0,0 @@
-[[mysql-no-data]]
-=== {beatname_uc} isn't capturing MySQL performance data
-
-You may be listening on the wrong interface or trying to capture data sent over
-an encrypted connection. {beatname_uc} can only monitor MySQL traffic if it is
-unencrypted. To resolve your issue:
-
-* Make sure {beatname_uc} is configured to listen on the `lo0` interface:
-+
-[source,shell]
------
-packetbeat.interfaces.device: lo0
------
-
-* Make sure the client programs you are monitoring run `mysql` with SSL
-disabled. For example:
-+
-[source,shell]
------
-mysql --protocol tcp --host=127.0.0.1 --port=3306 --ssl-mode=DISABLED
------
-
-IMPORTANT: When SSL is disabled, the connection between the MySQL client and
-server is unencrypted, which means that anyone with access to your network may
-be able to inspect data sent between the client and server. If MySQL is running
-in an untrusted network, it's not advisable to disable encryption.
diff --git a/packetbeat/docs/faq.asciidoc b/packetbeat/docs/faq.asciidoc
deleted file mode 100644
index da1f4ae6be8e..000000000000
--- a/packetbeat/docs/faq.asciidoc
+++ /dev/null
@@ -1,64 +0,0 @@
-[[faq]]
-== Common problems
-
-This section describes common problems you might encounter with
-{beatname_uc}. Also check out the
-https://discuss.elastic.co/c/beats/{beatname_lc}[{beatname_uc} discussion forum].
-
-[[dashboard-fields-incorrect]]
-=== Dashboard in {kib} is breaking up data fields incorrectly
-
-The index template might not be loaded correctly. See <<packetbeat-template>>.
-
-[[packetbeat-mirror-ports]]
-=== {beatname_uc} doesn't see any packets when using mirror ports
-
-The interface needs to be set to promiscuous mode. Run the following command:
-
-["source","sh",subs="attributes,callouts"]
-----
-ip link set <device_name> promisc on
-----
-
-For example: `ip link set enp5s0f1 promisc on`
-
-[[packetbeat-loopback-interface]]
-=== {beatname_uc} can't capture traffic from Windows loopback interface
-
-The Windows TCP/IP stack does not implement a network loopback interface, making
-it difficult for Windows packet capture drivers to capture traffic from the
-loopback device (127.0.0.1 traffic). To resolve this issue, install
-https://nmap.org/npcap/[Npcap] in WinPcap API-compatible mode and select the
-option to support loopback traffic. When you restart Windows, Npcap creates an
-Npcap Loopback Adapter that you can select to capture loopback traffic.
-
-For the list of devices shown here, you would configure {beatname_uc}
-to use device `4`:
-
-["source","sh",subs="attributes"]
-----
-PS C:\Program Files{backslash}{beatname_uc} .{backslash}{beatname_lc}.exe -devices
-0: \Device\NPF_NdisWanBh (NdisWan Adapter)
-1: \Device\NPF_NdisWanIp (NdisWan Adapter)
-2: \Device\NPF_NdisWanIpv6 (NdisWan Adapter)
-3: \Device\NPF_{DD72B02C-4E48-4924-8D0F-F80EA2755534} (Intel(R) PRO/1000 MT Desktop Adapter)
-4: \Device\NPF_{77DFFCAF-1335-4B0D-AFD4-5A4685674FAA} (MS NDIS 6.0 LoopBack Driver)
-----
-
-[[packetbeat-missing-transactions]]
-=== {beatname_uc} is missing long running transactions
-
-{beatname_uc} has an internal timeout that it uses to time out transactions and TCP connections
-when no packets have been seen for a long time.
-
-To process long running transactions, you can specify a larger value for the <<transaction-timeout-option,`transaction_timeout`>>
-option. However, keep in mind that very large timeout values can increase memory usage if messages are lost or transaction
-response messages are not sent.
-
-include::./faq-mysql-ssl.asciidoc[]
-
-include::{libbeat-dir}/faq-limit-bandwidth.asciidoc[]
-
-include::{libbeat-dir}/shared-faq.asciidoc[]
-
-include::{libbeat-dir}/faq-refresh-index.asciidoc[]
diff --git a/packetbeat/docs/filtering.asciidoc b/packetbeat/docs/filtering.asciidoc
deleted file mode 100644
index 51ef95776467..000000000000
--- a/packetbeat/docs/filtering.asciidoc
+++ /dev/null
@@ -1,178 +0,0 @@
-[[kibana-queries-filters]]
-== Kibana queries and filters
-
-This topic provides a short introduction to some useful queries for searching
-Packetbeat data. For a full description of the query syntax, see
-{kibana-ref}/search.html[Searching Your Data] in the _Kibana User Guide_.
-
-In Kibana, you can filter transactions either by entering a search query or by
-clicking on elements within a visualization.
-
-[float]
-=== Create queries
-
-The search field on the *Discover* page provides a way to query a specific
-subset of transactions from the selected time frame. It allows boolean
-operators, wildcards, and field filtering. For example, if you want to find the
-HTTP redirects, you can search for `http.response.status_code: 302`.
-
-[role="screenshot"]
-image::./images/kibana-query-filtering.png[Kibana query]
-
-[float]
-==== String queries
-
-A query may consist of one or more words or a phrase. A phrase is a
-group of words surrounded by double quotation marks, such as `"test search"`.
-
-To search for all HTTP requests initiated by Mozilla Web browser version 5.0:
-
-[source,yaml]
---------------
-"Mozilla/5.0"
---------------
-
-
-To search for all the transactions that contain the following message:
-
-[source,yaml]
-------------------------------------
-"Cannot change the info of a user"
-------------------------------------
-
-
-NOTE: To search for an exact string, you need to wrap the string in double
-quotation marks. Without quotation marks, the search in the example would match
-any documents containing one of the following words: "Cannot" OR "change" OR
-"the" OR "info" OR "a" OR "user".
-
-To search for all transactions with the "chunked" encoding:
-
-[source,yaml]
------------------------------
-"Transfer-Encoding: chunked"
------------------------------
-
-
-[float]
-==== Field-based queries
-
-Kibana allows you to search specific fields.
-
-To view HTTP transactions only:
-
-[source,yaml]
--------------------
-type: http
--------------------
-
-
-To view failed transactions only:
-
-[source,yaml]
--------------------
-status: Error
--------------------
-
-
-To view INSERT queries only:
-
-[source,yaml]
----------------------
-method: INSERT
----------------------
-
-
-[float]
-==== Regexp queries
-
-Kibana supports regular expression for filters and expressions. For example,
-to search for all HTTP responses with JSON as the returned value type:
-
-[source,yaml]
--------------------------
-http.response_headers.content_type: *json
--------------------------
-
-
-See
-{ref}/query-dsl-regexp-query.html[Elasticsearch regexp query] for more details
-about the syntax.
-
-[float]
-==== Range queries
-
-Range queries allow a field to have values between the lower and upper bounds.
-The interval can include or exclude the bounds depending on the type of
-brackets that you use.
-
-To search for slow transactions with a response time greater than or equal to
-10ms:
-
-[source,yaml]
-------------------------
-event.duration: [10000000 TO *]
-------------------------
-
-
-To search for slow transactions with a response time greater than 10ms:
-
-[source,yaml]
--------------------------
-responsetime: {10000000 TO *}
--------------------------
-
-
-[float]
-==== Boolean queries
-
-Boolean operators (AND, OR, NOT) allow combining multiple sub-queries through
-logic operators.
-
-NOTE: Operators such as AND, OR, and NOT must be capitalized.
-
-To search for all transactions except MySQL transactions:
-
-[source,yaml]
----------------
-NOT type: mysql
----------------
-
-
-To search for all MySQL INSERT queries with errors:
-
-[source,yaml]
--------------------------------------------------
-type: mysql AND method: INSERT AND status: Error
--------------------------------------------------
-
-
-Kibana Query Language (KQL) also supports parentheses to group sub-queries.
-
-To search for either INSERT or UPDATE queries with a response time greater
-than or equal to 30ms:
-
-[source,yaml]
----------------------------------------------------------------------------
-(method: INSERT OR method: UPDATE) AND event.duration >= 30000000
----------------------------------------------------------------------------
-
-
-[float]
-=== Create filters
-
-In Kibana, you can also filter transactions by clicking on elements within a
-visualization. For example, to filter for all the HTTP redirects that are coming
-from a specific IP and port, click the *Filter for value*
-image:./images/filterforval_icon.png[] icon next to the `client.ip`
-and `client.port` fields in the transaction detail table. To exclude the HTTP
-redirects coming from the IP and port, click the *Filter out value*
-image:./images/filteroutval_icon.png[] icon instead.
-
-[role="screenshot"]
-image::./images/filter_from_context.png[Filter from context]
-
-The selected filters appear under the search box.
-
-[role="screenshot"]
-image::./images/kibana-filters.png[Kibana filters]
diff --git a/packetbeat/docs/getting-started.asciidoc b/packetbeat/docs/getting-started.asciidoc
deleted file mode 100644
index bb17e3431073..000000000000
--- a/packetbeat/docs/getting-started.asciidoc
+++ /dev/null
@@ -1,218 +0,0 @@
-[id="{beatname_lc}-installation-configuration"]
-== {beatname_uc} quick start: installation and configuration
-
-++++
-<titleabbrev>Quick start: installation and configuration</titleabbrev>
-++++
-
-The best way to understand the value of a network packet analytics system like
-{beatname_uc} is to try it on your own traffic.
-
-This guide describes how to get started quickly with network packets analytics.
-You'll learn how to:
-
-* install {beatname_uc} on each system you want to monitor
-* specify the network devices and protocols to sniff
-* parse the packet data into fields and send it to {es}
-* visualize the packet data in {kib}
-
-[role="screenshot"]
-image::./images/packetbeat-overview-dashboard.png[{beatname_uc} Overview dashboard]
-
-[float]
-=== Before you begin
-
-* You need {es} for storing and searching your data, and {kib} for visualizing
-and managing it.
-+
---
-include::{libbeat-dir}/tab-widgets/spinup-stack-widget.asciidoc[]
---
-
-* On most platforms, {beatname_uc} requires the libpcap packet capture
-library. Depending on your OS, you might need to install it:
-+
---
-include::tab-widgets/install-libpcap-widget.asciidoc[]
---
-
-[float]
-[[installation]]
-=== Step 1: Install {beatname_uc}
-
-You can install {beatname_uc} on dedicated servers, getting the traffic from
-mirror ports or tap devices, or you can install it on your existing application
-servers.
-
-To download and install {beatname_uc}, use the commands that work with your
-system:
-
-include::{libbeat-dir}/tab-widgets/install-widget.asciidoc[]
-
-The commands shown are for AMD platforms, but ARM packages are also available.
-Refer to the https://www.elastic.co/downloads/beats/{beatname_lc}[download page]
-for the full list of available packages.
-
-[float]
-[[other-installation-options]]
-==== Other installation options
-
-* <<setup-repositories,APT or YUM>>
-* https://www.elastic.co/downloads/beats/{beatname_lc}[Download page]
-* <<running-on-docker,Docker>>
-
-[float]
-[[set-connection]]
-=== Step 2: Connect to the {stack}
-
-include::{libbeat-dir}/shared/connecting-to-es.asciidoc[]
-
-
-[float]
-[[configuration]]
-=== Step 3: Configure sniffing
-
-In +{beatname_lc}.yml+, configure the network devices and protocols to
-capture traffic from.
-
-. Set the sniffer type. By default, {beatname_uc} uses `pcap`, which uses the
-libpcap library and works on most platforms.
-+
-On Linux, set the sniffer type to `af_packet` to use memory-mapped sniffing.
-This option is faster than libpcap and doesn’t require a kernel module, but
-it’s Linux-specific:
-+
-[source,yaml]
-----
-packetbeat.interfaces.type: af_packet
-----
-
-. Specify the network device to capture traffic from. For example:
-+
-[source,yaml]
-----
-packetbeat.interfaces.device: eth0
-----
-+
-[TIP]
-====
-On Linux, specify `packetbeat.interfaces.device: any` to capture all
-messages sent or received by the server where {beatname_uc} is installed.
-The `any` setting does not work on macOS.
-====
-+
-To see a list of available devices, run:
-+
---
-include::tab-widgets/devices-widget.asciidoc[]
---
-+
-For more information about these settings, see <<configuration-interfaces>>.
-
-. In the `protocols` section, configure the ports where {beatname_uc} can find
-each protocol. If you use any non-standard ports, add them here. Otherwise,
-use the default values.
-+
-[source,yaml]
-----------------------------------------------------------------------
-packetbeat.protocols:
-
-- type: dhcpv4
-  ports: [67, 68]
-
-- type: dns
-  ports: [53]
-
-- type: http
-  ports: [80, 8080, 8081, 5000, 8002]
-
-- type: memcache
-  ports: [11211]
-
-- type: mysql
-  ports: [3306,3307]
-
-- type: pgsql
-  ports: [5432]
-
-- type: redis
-  ports: [6379]
-
-- type: thrift
-  ports: [9090]
-
-- type: mongodb
-  ports: [27017]
-
-- type: cassandra
-  ports: [9042]
-
-- type: tls
-  ports: [443, 993, 995, 5223, 8443, 8883, 9243]
-
-----------------------------------------------------------------------
-
-include::{libbeat-dir}/shared/config-check.asciidoc[]
-
-[float]
-[[setup-assets]]
-=== Step 4: Set up assets
-
-{beatname_uc} comes with predefined assets for parsing, indexing, and
-visualizing your data. To load these assets:
-
-. Make sure the user specified in +{beatname_lc}.yml+ is
-<<privileges-to-setup-beats,authorized to set up {beatname_uc}>>.
-
-. From the installation directory, run:
-+
---
-include::{libbeat-dir}/tab-widgets/setup-widget.asciidoc[]
---
-+
-`-e` is optional and sends output to standard error instead of the configured log output.
-
-This step loads the recommended {ref}/index-templates.html[index template] for writing to {es}
-and deploys the sample dashboards for visualizing the data in {kib}.
-
-[TIP]
-=====
-A connection to {es} (or {ess}) is required to set up the initial
-environment. If you're using a different output, such as {ls}, see
-<<load-template-manually>> and <<load-kibana-dashboards>>.
-=====
-
-[float]
-[[start]]
-=== Step 5: Start {beatname_uc}
-
-Before starting {beatname_uc}, modify the user credentials in
-+{beatname_lc}.yml+ and specify a user who is
-<<privileges-to-publish-events,authorized to publish events>>.
-
-To start {beatname_uc}, run:
-
-// tag::start-step[]
-include::{libbeat-dir}/tab-widgets/start-widget.asciidoc[]
-// end::start-step[]
-
-{beatname_uc} should begin streaming data to {es}.
-
-[float]
-[[view-data]]
-=== Step 6: View your data in {kib}
-
-include::{libbeat-dir}/shared/opendashboards.asciidoc[tag=open-dashboards-intro]
-
-include::{libbeat-dir}/shared/opendashboards.asciidoc[tag=open-dashboards]
-
-TIP: To populate the client locations map in the overview dashboard, follow the
-steps described in <<{beatname_lc}-geoip>>.
-
-[float]
-=== What's next?
-
-Now that you have your data streaming into {es}, learn how to unify your logs,
-metrics, uptime, and application performance data.
-
-include::{libbeat-dir}/shared/obs-apps.asciidoc[]
diff --git a/packetbeat/docs/howto/howto.asciidoc b/packetbeat/docs/howto/howto.asciidoc
deleted file mode 100644
index b7284ab3024b..000000000000
--- a/packetbeat/docs/howto/howto.asciidoc
+++ /dev/null
@@ -1,42 +0,0 @@
-[[howto-guides]]
-= How to guides
-
-[partintro]
---
-Learn how to perform common {beatname_uc} configuration tasks.
-
-* <<{beatname_lc}-template>>
-* <<change-index-name>>
-* <<load-kibana-dashboards>>
-* <<{beatname_lc}-geoip>>
-* <<using-environ-vars>>
-* <<configuring-ingest-node>>
-* <<yaml-tips>>
-
-
---
-include::{libbeat-dir}/howto/load-index-templates.asciidoc[]
-
-include::{libbeat-dir}/howto/change-index-name.asciidoc[]
-
-include::{libbeat-dir}/howto/load-dashboards.asciidoc[]
-
-include::{libbeat-dir}/shared-geoip.asciidoc[]
-
-include::load-ingest-pipelines.asciidoc[]
-
-:standalone:
-include::{libbeat-dir}/shared-env-vars.asciidoc[]
-:standalone!:
-
-include::{libbeat-dir}/shared-config-ingest.asciidoc[]
-
-:standalone:
-:allplatforms:
-include::{libbeat-dir}/yaml.asciidoc[]
-:standalone!:
-:allplatforms!:
-
-
-
-
diff --git a/packetbeat/docs/howto/load-ingest-pipelines.asciidoc b/packetbeat/docs/howto/load-ingest-pipelines.asciidoc
deleted file mode 100644
index acca824829c5..000000000000
--- a/packetbeat/docs/howto/load-ingest-pipelines.asciidoc
+++ /dev/null
@@ -1,28 +0,0 @@
-[[load-ingest-pipelines]]
-== Load ingest pipelines
-
-{beatname_uc} modules are implemented using {es} ingest node
-pipelines.  The events receive their transformations within
-{es}.  The ingest node pipelines must be loaded
-into {es}.  This can happen one of several ways.
-
-[id="{beatname_lc}-load-pipeline-auto"]
-[float]
-=== On connection to {es}
-
-{beatname_uc} will send ingest pipelines automatically to {es} if the
-{es} output is enabled.
-
-Make sure the user specified in +{beatname_lc}.yml+ is
-<<privileges-to-setup-beats,authorized to set up {beatname_uc}>>.
-
-If {beatname_uc} is sending events to {ls} or another output you need
-to load the ingest pipelines with the `setup` command or manually.
-
-[id="{beatname_lc}-load-pipeline-manual"]
-[float]
-=== Manually install pipelines
-
-Pipelines can be loaded them into {es} with the `_ingest/pipeline` REST API
-call. The user making the REST API call will need to have the `ingest_admin`
-role assigned to them.
diff --git a/packetbeat/docs/images/dashboard-packetbeat-dhcpv4.png b/packetbeat/docs/images/dashboard-packetbeat-dhcpv4.png
deleted file mode 100644
index a89f22b1c6ff..000000000000
Binary files a/packetbeat/docs/images/dashboard-packetbeat-dhcpv4.png and /dev/null differ
diff --git a/packetbeat/docs/images/dashboard-packetbeat-tls.png b/packetbeat/docs/images/dashboard-packetbeat-tls.png
deleted file mode 100644
index cfc79df7d176..000000000000
Binary files a/packetbeat/docs/images/dashboard-packetbeat-tls.png and /dev/null differ
diff --git a/packetbeat/docs/images/kibana-discover.png b/packetbeat/docs/images/kibana-discover.png
deleted file mode 100644
index 41d4ea24eece..000000000000
Binary files a/packetbeat/docs/images/kibana-discover.png and /dev/null differ
diff --git a/packetbeat/docs/images/kibana-index-pattern.png b/packetbeat/docs/images/kibana-index-pattern.png
deleted file mode 100644
index 4346d2535586..000000000000
Binary files a/packetbeat/docs/images/kibana-index-pattern.png and /dev/null differ
diff --git a/packetbeat/docs/images/kibana-refresh-index-fields.png b/packetbeat/docs/images/kibana-refresh-index-fields.png
deleted file mode 100644
index cf7ffe6777a1..000000000000
Binary files a/packetbeat/docs/images/kibana-refresh-index-fields.png and /dev/null differ
diff --git a/packetbeat/docs/images/kibana_connection_failed.png b/packetbeat/docs/images/kibana_connection_failed.png
deleted file mode 100644
index 4cf90f8c4da4..000000000000
Binary files a/packetbeat/docs/images/kibana_connection_failed.png and /dev/null differ
diff --git a/packetbeat/docs/images/option_ignore_outgoing.png b/packetbeat/docs/images/option_ignore_outgoing.png
deleted file mode 100644
index 43813abb6645..000000000000
Binary files a/packetbeat/docs/images/option_ignore_outgoing.png and /dev/null differ
diff --git a/packetbeat/docs/images/packetbeat-statistics.png b/packetbeat/docs/images/packetbeat-statistics.png
deleted file mode 100644
index 488f229edcec..000000000000
Binary files a/packetbeat/docs/images/packetbeat-statistics.png and /dev/null differ
diff --git a/packetbeat/docs/images/tls-dashboard.png b/packetbeat/docs/images/tls-dashboard.png
deleted file mode 100644
index d3a518075a2e..000000000000
Binary files a/packetbeat/docs/images/tls-dashboard.png and /dev/null differ
diff --git a/packetbeat/docs/index.asciidoc b/packetbeat/docs/index.asciidoc
deleted file mode 100644
index d0590b5d872d..000000000000
--- a/packetbeat/docs/index.asciidoc
+++ /dev/null
@@ -1,63 +0,0 @@
-= Packetbeat Reference
-
-:libbeat-dir: {docdir}/../../libbeat/docs
-
-include::{libbeat-dir}/version.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/versions/stack/{source_branch}.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
-
-:beatname_lc: packetbeat
-:beatname_uc: Packetbeat
-:beatname_pkg: {beatname_lc}
-:github_repo_name: beats
-:discuss_forum: beats/{beatname_lc}
-:beat_default_index_prefix: {beatname_lc}
-:requires-sudo:
-:has_map:
-:deb_os:
-:rpm_os:
-:mac_os:
-:linux_os:
-:docker_platform:
-:win_os:
-:no_cache_processor:
-:no_decode_cef_processor:
-:no_decode_csv_fields_processor:
-:no_parse_aws_vpc_flow_log_processor:
-:no_script_processor:
-:no_timestamp_processor:
-:no_add_session_metadata_processor:
-
-include::{libbeat-dir}/shared-beats-attributes.asciidoc[]
-
-include::./overview.asciidoc[]
-
-include::./getting-started.asciidoc[]
-
-include::./setting-up-running.asciidoc[]
-
-include::./upgrading.asciidoc[]
-
-include::./configuring-howto.asciidoc[]
-
-include::{docdir}/howto/howto.asciidoc[]
-
-include::./fields.asciidoc[]
-
-include::{libbeat-dir}/monitoring/monitoring-beats.asciidoc[]
-
-include::{libbeat-dir}/shared-securing-beat.asciidoc[]
-
-include::./visualizing-data-packetbeat.asciidoc[]
-
-include::./filtering.asciidoc[]
-
-include::./troubleshooting.asciidoc[]
-
-include::./faq.asciidoc[]
-
-include::{libbeat-dir}/contributing-to-beats.asciidoc[]
-
-
diff --git a/packetbeat/docs/modules.asciidoc b/packetbeat/docs/modules.asciidoc
deleted file mode 100644
index 8e72454f9cff..000000000000
--- a/packetbeat/docs/modules.asciidoc
+++ /dev/null
@@ -1,41 +0,0 @@
-[id="{beatname_lc}-modules"]
-[role="xpack"]
-= Modules
-
-[partintro]
---
-This section contains detailed information about the available network packet
-log processing modules contained in {beatname_uc}.
-
-{beatname_uc} modules are implemented using Elasticsearch Ingest Node pipelines.
-The events receive their transformations within Elasticsearch. All events are
-sent through {beatname_uc}'s "routing" pipeline that routes events to specific
-module pipelines based on their network protocol.
-
-{beatname_uc}'s default config file contains the option to send all events to
-the routing pipeline. If you remove this option then the module processing
-will not be applied.
-
-[source,yaml,subs="attributes"]
-----
-output.elasticsearch.pipeline: packetbeat-%{[agent.version]}-routing
-----
-
-The general goal of each module is to transform events by renaming fields to
-comply with the {ecs-ref}/index.html[Elastic Common Schema] (ECS). The modules
-may also apply additional categorization, tagging, and parsing as necessary.
-about how to configure the language in `packetbeat`, refer to <<configuration-packetbeat-options>>.
-
-[id="{beatname_lc}-modules-setup"]
-[float]
-=== Setup of Ingest Node pipelines
-
-{beatname_uc}'s Ingest Node pipelines must be installed to Elasticsearch if you
-want to apply the module processing to events. The simplest way to get started
-is to use the Elasticsearch output and {beatname_uc} will automatically install
-the pipelines when it first connects to Elasticsearch.
-
-Installation Methods
-
-1. <<{beatname_lc}-load-pipeline-auto>>
-2. <<{beatname_lc}-load-pipeline-manual>>
diff --git a/packetbeat/docs/overview.asciidoc b/packetbeat/docs/overview.asciidoc
deleted file mode 100644
index 6df6af54254a..000000000000
--- a/packetbeat/docs/overview.asciidoc
+++ /dev/null
@@ -1,43 +0,0 @@
-[[packetbeat-overview]]
-== Packetbeat overview
-
-Packetbeat is a real-time network packet analyzer that you can use
-with Elasticsearch to provide an _application monitoring and performance
-analytics system_. Packetbeat completes the {beats-ref}/index.html[Beats platform]
-by providing visibility between the servers of your network.
-
-Packetbeat works by capturing the network traffic between your application servers,
-decoding the application layer protocols (HTTP, MySQL, Redis, and so on),
-correlating the requests with the responses, and recording the
-interesting <<exported-fields,fields>> for each transaction.
-
-Packetbeat can help you easily notice issues with your back-end application, such as bugs
-or performance problems, and it makes troubleshooting them - and therefore
-fixing them - much faster.
-
-Packetbeat sniffs the traffic between your servers, parses the
-application-level protocols on the fly, and correlates the messages into transactions.
-Currently, Packetbeat supports the following protocols:
-
-include::shared-protocol-list.asciidoc[]
-
-Packetbeat can insert the correlated transactions directly into Elasticsearch
-or into a central queue created with Redis and Logstash.
-
-Packetbeat can run on the same servers as your application processes or
-on its own servers. When running on dedicated servers, Packetbeat can get the
-traffic from the switch's mirror ports or from tapping devices. In such a
-deployment, there is zero overhead on the monitored application. See
-<<configuration-interfaces>> for details.
-
-After decoding the Layer 7 messages, Packetbeat correlates the requests with
-the responses in what we call _transactions_. For each transaction, Packetbeat
-inserts a JSON document into Elasticsearch. See the <<exported-fields>> section
-for details about which fields are indexed.
-
-The same Elasticsearch and Kibana instances that are used for analysing the
-network traffic gathered by Packetbeat can be used for analysing the log files
-gathered by Logstash. This way, you can have network traffic and log analysis
-in the same system.
-
-include::{libbeat-dir}/shared-libbeat-description.asciidoc[]
diff --git a/packetbeat/docs/packetbeat-filtering.asciidoc b/packetbeat/docs/packetbeat-filtering.asciidoc
deleted file mode 100644
index a3513659cf4c..000000000000
--- a/packetbeat/docs/packetbeat-filtering.asciidoc
+++ /dev/null
@@ -1,77 +0,0 @@
-[[filtering-and-enhancing-data]]
-== Filter and enhance data with processors
-
-++++
-<titleabbrev>Processors</titleabbrev>
-++++
-
-include::{libbeat-dir}/processors.asciidoc[]
-
-For example, the following configuration includes a subset of the Packetbeat DNS
-fields so that only the requests and their response codes are reported:
-
-[source, yaml]
-----
-processors:
-  - include_fields:
-      fields:
-        - client.bytes
-        - server.bytes
-        - client.ip
-        - server.ip
-        - dns.question.name
-        - dns.question.etld_plus_one
-        - dns.response_code
-----
-
-The filtered event would look something like this:
-
-[source,shell]
-----
-{
-  "@timestamp": "2019-01-19T03:41:11.798Z",
-  "client": {
-    "bytes": 28,
-    "ip": "10.100.6.82"
-  },
-  "server": {
-    "bytes": 271,
-    "ip": "10.100.4.1"
-  },
-  "dns": {
-    "question": {
-      "name": "www.elastic.co",
-      "etld_plus_one": "elastic.co"
-    },
-    "response_code": "NOERROR"
-  },
-  "type": "dns"
-}
-----
-
-If you would like to drop all the successful transactions, you can use the
-following configuration:
-
-[source,yaml]
-----
-processors:
-  - drop_event:
-      when:
-        equals:
-          http.response.status_code: 200
-----
-
-
-If you don't want to export raw data for the successful transactions:
-
-[source,yaml]
-----
-processors:
-  - drop_fields:
-      when:
-        equals:
-          http.response.status_code: 200
-      fields: ["request", "response"]
-----
-
-include::{libbeat-dir}/processors-using.asciidoc[]
diff --git a/packetbeat/docs/packetbeat-general-options.asciidoc b/packetbeat/docs/packetbeat-general-options.asciidoc
deleted file mode 100644
index d1a6c1b97507..000000000000
--- a/packetbeat/docs/packetbeat-general-options.asciidoc
+++ /dev/null
@@ -1,12 +0,0 @@
-[[configuration-general-options]]
-== Configure general settings
-
-++++
-<titleabbrev>General settings</titleabbrev>
-++++
-
-You can specify settings in the +{beatname_lc}.yml+ config file to control the
-general behavior of {beatname_uc}.
-
-include::{libbeat-dir}/generalconfig.asciidoc[]
-
diff --git a/packetbeat/docs/packetbeat-options.asciidoc b/packetbeat/docs/packetbeat-options.asciidoc
deleted file mode 100644
index aaa598b612c3..000000000000
--- a/packetbeat/docs/packetbeat-options.asciidoc
+++ /dev/null
@@ -1,1667 +0,0 @@
-[[configuration-interfaces]]
-== Configure traffic capturing options
-
-//TODO: Break this file down into multiple source files (one for each html page)
-
-++++
-<titleabbrev>Traffic sniffing</titleabbrev>
-++++
-
-There are two main ways of deploying Packetbeat:
-
-* On dedicated servers, getting the traffic from mirror ports or tap devices.
-
-* On your existing application servers.
-
-The first option has the big advantage that there is no overhead of any kind on
-your application servers. But it requires dedicated networking gear, which is
-generally not available on cloud setups.
-
-In both cases, the sniffing performance (reading packets passively from the network)
-is very important. In the case of a dedicated server, better
-sniffing performance means that less hardware is required. When Packetbeat is installed
-on an existing application server, better sniffing performance means less overhead.
-
-Currently Packetbeat has several options for traffic capturing:
-
- * `pcap`, which uses the libpcap library and works on most platforms, but
-   it's not the fastest option.
- * `af_packet`, which uses memory mapped sniffing. This option is faster than libpcap
-    and doesn't require a kernel module, but it's Linux-specific.
-
-The `af_packet` option, also known as "memory-mapped sniffing," makes use of a
-Linux-specific
-https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt[feature].
-This could be the optimal sniffing mode for both the dedicated server and
-when Packetbeat is deployed on an existing application server.
-
-The way it works is that both the kernel and the user space program map the
-same memory zone, and a simple circular buffer is organized in this memory zone.
-The kernel writes packets into the circular buffer, and the user space program
-reads from it. The poll system call is used for getting a notification for the
-first packet available, but the remaining available packets can be simply read
-via memory access.
-
-The `af_packet` sniffer can be further tuned to use more memory in exchange for
-better performance. The larger the size of the circular buffer, the fewer
-system calls are needed, which means that fewer CPU cycles are consumed. The default size
-of the buffer is 30 MB, but you can increase it like this:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.interfaces.device: eth0
-packetbeat.interfaces.type: af_packet
-packetbeat.interfaces.buffer_size_mb: 100
-------------------------------------------------------------------------------
-
-[float]
-=== Windows Npcap installation options
-
-On Windows {beatname_uc} requires an Npcap DLL installation. This is provided by {beatname_uc}
-for users of the Elastic Licenced version. In some cases users may wish to use
-their own installed version. In order to do this the `packetbeat.npcap.never_install`
-option can be used. Setting this option to `true` will not attempt to install the
-bundled Npcap library on start-up unless no Npcap is already installed.
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.npcap.never_install: true
-------------------------------------------------------------------------------
-
-[float]
-=== Sniffing configuration options
-
-You can specify the following options in the `packetbeat.interfaces` section
-of the +{beatname_lc}.yml+ config file. Here is an example configuration:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.interfaces.device: any
-packetbeat.interfaces.snaplen: 1514
-packetbeat.interfaces.type: af_packet
-packetbeat.interfaces.buffer_size_mb: 100
-------------------------------------------------------------------------------
-
-[float]
-==== `device`
-
-The network device to capture traffic from. The specified device is set automatically to promiscuous mode,
-meaning that Packetbeat can capture traffic from other hosts on the same LAN.
-
-Example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.interfaces.device: eth0
-------------------------------------------------------------------------------
-
-On Linux, you can specify `any` for the device, and Packetbeat captures all
-messages sent or received by the server where Packetbeat is installed.
-
-NOTE: When you specify `any` for the device, the interfaces are not set
-      to promiscuous mode.
-
-The `device` option also accepts specifying the device by its index in the list of
-devices available for sniffing. To obtain the list of available devices,
-run Packetbeat with the following command:
-
-["source","sh",subs="attributes,callouts"]
-----------------------------------------------------------------------
-packetbeat devices
-----------------------------------------------------------------------
-
-This command returns a list that looks something like the following:
-
-["source","sh",subs="attributes,callouts"]
-----------------------------------------------------------------------
-0: en0 (No description available)
-1: awdl0 (No description available)
-2: bridge0 (No description available)
-3: fw0 (No description available)
-4: en1 (No description available)
-5: en2 (No description available)
-6: p2p0 (No description available)
-7: en4 (No description available)
-8: lo0 (No description available)
-----------------------------------------------------------------------
-
-The following example sets up sniffing on the
-first interface in the list:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.interfaces.device: 0
-------------------------------------------------------------------------------
-
-Specifying the index is especially useful on Windows where device names can be long.
-
-Alternatively the `default_route`, `default_route_ipv4` or `default_route_ipv6` device
-may be specified. This will set the capture device to be the device that is associated
-with the first default route identified on Packetbeat start-up. `default_route` will
-select the first default route from either IPv4 or IPv6 with a preference for the IPv4
-route, while `default_route_ipv4` and `default_route_ipv6` will only select from the
-specified stack. The selected interface is not altered after it is chosen.
-
-[float]
-==== `snaplen`
-
-The maximum size of the packets to capture. The
-default is 65535, which is large enough for almost all networks and interface
-types. If you sniff on a physical network interface, the optimal setting is
-the MTU size. On virtual interfaces, however, it's safer to accept the default value.
-
-Example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.interfaces.device: eth0
-packetbeat.interfaces.snaplen: 1514
-------------------------------------------------------------------------------
-
-[float]
-==== `type`
-
-Packetbeat supports these sniffer types:
-
- * `pcap`, which uses the libpcap library and works on most platforms, but
-   it's not the fastest option.
- * `af_packet`, which uses memory-mapped sniffing. This option is faster than libpcap
-   and doesn't require a kernel module, but it's Linux-specific.
-
-The default sniffer type is `pcap`.
-
-Here is an example configuration that specifies
-the `af_packet` sniffing type:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.interfaces.device: eth0
-packetbeat.interfaces.type: af_packet
-------------------------------------------------------------------------------
-
-On Linux, if you are trying to optimize the CPU usage of Packetbeat, we
-recommend trying the `af_packet` option.
-
-If you use the `af_packet` sniffer, you can tune its behaviour by specifying the
-following options:
-
-[float]
-==== `buffer_size_mb`
-
-The maximum size of the shared memory buffer to use
-between the kernel and user space. A bigger buffer usually results in lower CPU
-usage, but consumes more memory. This setting is only available for the
-`af_packet` sniffer type. The default is 30 MB.
-
-Example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.interfaces.device: eth0
-packetbeat.interfaces.type: af_packet
-packetbeat.interfaces.buffer_size_mb: 100
-------------------------------------------------------------------------------
-
-[float]
-==== `fanout_group`
-
-To scale processing across multiple Packetbeat processes, a fanout group
-identifier can be specified. When `fanout_group` is used the Linux kernel splits
-packets across Packetbeat instances in the same group by using a flow hash. It
-computes the flow hash modulo with the number of Packetbeat processes in order
-to consistently route flows to the same Packetbeat instance.
-
-The value must be between 0 and 65535. By default, no value is set.
-
-This is only available on Linux and requires using `type: af_packet`. Each process
-must be running in same network namespace. All processes must use the same
-interface settings. You must take responsibility for running multiple instances
-of Packetbeat.
-
-Example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.interfaces.type: af_packet
-packetbeat.interfaces.fanout_group: 1
-------------------------------------------------------------------------------
-
-[float]
-==== `metrics_interval`
-
-Configure the metrics polling interval for supported interface types. Currently,
-only `af_packet` is supported.
-
-The value must be a duration string. The default is `5s` (5 seconds). A value
-less than or equal to zero will be set to the default value.
-
-Example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.interfaces.type: af_packet
-packetbeat.interfaces.metrics_interval: 5s
-------------------------------------------------------------------------------
-
-[float]
-==== `auto_promisc_mode`
-
-With `auto_promisc_mode` Packetbeat puts interface in promiscuous mode automatically on startup.
-This option does not work with `any` interface device.
-The default option is false and requires manual set-up of promiscuous mode.
-Warning: under some circumstances (e.g beat crash) promiscuous mode
-can stay enabled even after beat is shut down.
-
-Example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.interfaces.device: eth0
-packetbeat.interfaces.type: af_packet
-packetbeat.interfaces.buffer_size_mb: 100
-packetbeat.interfaces.auto_promisc_mode: true
-------------------------------------------------------------------------------
-
-
-[float]
-==== `with_vlans`
-
-Packetbeat automatically generates a
-https://en.wikipedia.org/wiki/Berkeley_Packet_Filter[BPF] for capturing only
-the traffic on ports where it expects to find known protocols.
-For example, if you have configured port 80 for HTTP and port 3306 for MySQL,
-Packetbeat generates the following BPF filter: `"port 80 or port 3306"`.
-
-However, if the traffic contains https://en.wikipedia.org/wiki/IEEE_802.1Q[VLAN]
-tags, the filter that Packetbeat generates is ineffective because the
-offset is moved by four bytes. To fix this, you can enable the `with_vlans` option, which
-generates a BPF filter that looks like this: `"port 80 or port 3306 or (vlan and (port 80 or port 3306))"`.
-
-[float]
-==== `bpf_filter`
-
-Packetbeat automatically generates a
-https://en.wikipedia.org/wiki/Berkeley_Packet_Filter[BPF] for capturing only
-the traffic on ports where it expects to find known protocols.
-For example, if you have configured port 80 for HTTP and port 3306 for MySQL,
-Packetbeat generates the following BPF filter: `"port 80 or port 3306"`.
-
-You can use the `bpf_filter` setting to overwrite the generated BPF filter. For example:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.interfaces.device: eth0
-packetbeat.interfaces.bpf_filter: "net 192.168.238.0/0 and port 80 or port 3306"
-------------------------------------------------------------------------------
-
-NOTE: This setting disables automatic generation of the BPF filter. If
-you use this setting, it's your responsibility to keep the BPF filters in sync with the
-ports defined in the `protocols` section.
-
-[float]
-==== `ignore_outgoing`
-
-If the `ignore_outgoing` option is enabled, Packetbeat ignores all the
-transactions initiated from the server running Packetbeat.
-
-This is useful when two Packetbeat instances publish the same transactions. Because one Packetbeat
-sees the transaction in its outgoing queue and the other sees it in its incoming
-queue, you can end up with duplicate transactions. To remove the duplicates, you
-can enable the `packetbeat.ignore_outgoing` option on one of the servers.
-
-For example, in the following scenario, you see a 3-server architecture
-where a Beat is installed on each server. t1 is the transaction exchanged between
-Server1 and Server2, and t2 is the transaction between Server2 and Server3.
-
-image::./images/option_ignore_outgoing.png[Beats Architecture]
-
-By default, each transaction is indexed twice because Beat2
-sees both transactions. So you would see the following published transactions
-(when `ignore_outgoing` is false):
-
- - Beat1: t1
- - Beat2: t1 and t2
- - Beat3: t2
-
-To avoid duplicates, you can force your Beats to send only the incoming
-transactions and ignore the transactions created by the local server. So you would
-see the following published transactions (when `ignore_outgoing` is true):
-
- - Beat1: none
- - Beat2: t1
- - Beat3: t2
-
-[float]
-==== `internal_networks`
-
-If the `internal_networks` option is specified, when monitoring network taps or mirror ports, Packetbeat
-will attempt to classify the network directionality of traffic not intended for this host as it
-relates to a network perimeter. Any CIDR block specified in `internal_networks` is treated internal to
-the perimeter, and any IP address falling outside of these CIDR blocks is considered external.
-
-This is useful when Packetbeat is running on an appliance that sits at a network boundary such as
-a firewall or VPN. Note that this only affects how the directionality of network traffic is classified.
-
-[[configuration-flows]]
-== Configure flows to monitor network traffic
-
-++++
-<titleabbrev>Network flows</titleabbrev>
-++++
-
-You can configure Packetbeat to collect and report statistics on network flows.
-A _flow_ is a group of packets sent over the same time period that share
-common properties, such as the same source and destination address and protocol.
-You can use this feature to analyze network traffic over specific protocols on
-your network.
-
-For each flow, Packetbeat reports the number of packets and the total number of
-bytes sent from the source to the destination. Each flow event also contains
-information about the source and destination hosts, such as their IP address.
-For bi-directional flows, Packetbeat reports statistics for the reverse flow.
-
-Packetbeat collects and reports statistics up to and including the transport
-layer. See <<exported-fields-flows_event>> for more info about the exported
-data.
-
-Here's an example of flow events visualized in the Flows dashboard:
-
-image::./images/flows.png[]
-
-To configure flows, use the `packetbeat.flows` option in the +{beatname_lc}.yml+
-config file. Flows are enabled by default. If this section is missing
-from the configuration file, network flows are disabled.
-
-[source,yaml]
---------------------------------------------------------------------------------
-packetbeat.flows:
-  timeout: 30s
-  period: 10s
---------------------------------------------------------------------------------
-
-Here’s an example of a flow information sent by Packetbeat. See
-<<exported-fields-flows_event>> for a description of each field.
-
-["source","json",subs="attributes"]
---------------------------------------------------------------------------------
-{
-  "@timestamp": "2018-11-15T14:41:24.000Z",
-  "agent": {
-    "hostname": "host.example.com",
-    "name": "host.example.com",
-    "version": "{version}"
-  },
-  "destination": {
-    "bytes": 460,
-    "ip": "198.51.100.2",
-    "mac": "06-05-04-03-02-01",
-    "packets": 2,
-    "port": 80
-  },
-  "event": {
-    "dataset": "flow",
-    "duration": 3000000000,
-    "end": "2018-11-15T14:41:24.000Z",
-    "start": "2018-11-15T14:41:21.000Z"
-  },
-  "flow": {
-    "final": true, <1>
-    "id": "FQQA/wz/Dv//////Fv8BAQEBAgMEBQYGBQQDAgGrAMsAcQPGM2QC9ZdQAA",
-    "vlan": 171
-  },
-  "network": {
-    "bytes": 470,
-    "community_id": "1:t9T66/2c66NQyftAEsr4aMZv4Hc=",
-    "packets": 3,
-    "transport": "tcp",
-    "type": "ipv4"
-  },
-  "source": {
-    "bytes": 10,
-    "ip": "203.0.113.3",
-    "mac": "01-02-03-04-05-06",
-    "packets": 1,
-    "port": 38901
-  }
-}
---------------------------------------------------------------------------------
-
-<1> Packetbeat sets the `flow.final` flag to `false` to indicate that the event
-contains an intermediate report about a flow that it's tracking. When the flow
-completes, Packetbeat sends one last event with `flow.final` set to `true`. If
-you want to aggregate sums of traffic, you need to filter on `final:true`, or
-use some other technique, so that you get only the latest update from each flow.
-You can disable intermediate reports by setting `period: -1s`.
-
-[float]
-=== Configuration options
-
-You can specify the following options in the `packetbeat.flows` section of
-the +{beatname_lc}.yml+ config file:
-
-[float]
-==== `enabled`
-
-Enables flows support if set to true. Set to false to disable network flows
-support without having to delete or comment out the flows section. The default
-value is true.
-
-[float]
-==== `timeout`
-
-Timeout configures the lifetime of a flow. If no packets have been received for
-a flow within the timeout time window, the flow is killed and reported. The
-default value is 30s.
-
-[float]
-==== `period`
-
-Configure the reporting interval. All flows are reported at the very same point
-in time. Periodical reporting can be disabled by setting the value to -1. If
-disabled, flows are still reported once being timed out. The default value is
-10s.
-
-[float]
-==== `enable_delta_flow_reports`
-
-Configure network.bytes and network.packets to be a delta
-value instead of a cumlative sum for each flow period. The default value is false.
-
-[float]
-[[packetbeat-configuration-flows-fields]]
-==== `fields`
-
-Optional fields that you can specify to add additional information to the
-output. For example, you might add fields that you can use for filtering log
-data. Fields can be scalar values, arrays, dictionaries, or any nested
-combination of these. By default, the fields that you specify here will be
-grouped under a `fields` sub-dictionary in the output document. To store the
-custom fields as top-level fields, set the `fields_under_root` option to true.
-If a duplicate field is declared in the general configuration, then its value
-will be overwritten by the value declared here.
-
-[float]
-==== `fields_under_root`
-
-If this option is set to true, the custom <<packetbeat-configuration-flows-fields,fields>>
-are stored as top-level fields in the output document instead of being grouped
-under a `fields` sub-dictionary. If the custom field names conflict with other
-field names added by Packetbeat, then the custom fields overwrite the other
-fields.
-
-[float]
-==== `tags`
-
-A list of tags that will be sent with the protocol event. This setting is optional.
-
-[float]
-==== `processors`
-
-A list of processors to apply to the data generated by the protocol.
-
-See <<filtering-and-enhancing-data>> for information about specifying
-processors in your config.
-
-[float]
-==== `keep_null`
-
-If this option is set to true, fields with `null` values will be published in
-the output document. By default, `keep_null` is set to `false`.
-
-[float]
-==== `index`
-
-Overrides the index that flow events are published to.
-
-[[configuration-protocols]]
-== Configure which transaction protocols to monitor
-
-++++
-<titleabbrev>Protocols</titleabbrev>
-++++
-
-The `packetbeat.protocols` section of the +{beatname_lc}.yml+ config file
-contains configuration options for each supported protocol, including common
-options like `enabled`, `ports`, `send_request`, `send_response`, and options
-that are protocol-specific.
-
-Currently, Packetbeat supports the following protocols:
-
-include::./shared-protocol-list.asciidoc[]
-
-Example configuration:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.protocols:
-
-- type: icmp
-  enabled: true
-
-- type: dhcpv4
-  ports: [67, 68]
-
-- type: dns
-  ports: [53]
-
-- type: http
-  ports: [80, 8080, 8000, 5000, 8002]
-
-- type: amqp
-  ports: [5672]
-
-- type: cassandra
-  ports: [9042]
-
-- type: memcache
-  ports: [11211]
-
-- type: mysql
-  ports: [3306,3307]
-
-- type: redis
-  ports: [6379]
-
-- type: pgsql
-  ports: [5432]
-
-- type: thrift
-  ports: [9090]
-
-- type: tls
-  ports: [443, 993, 995, 5223, 8443, 8883, 9243]
-
-------------------------------------------------------------------------------
-
-[[common-protocol-options]]
-=== Common protocol options
-
-The following options are available for all protocols:
-
-[float]
-==== `enabled`
-
-The enabled setting is a boolean setting to enable or disable protocols without
-having to comment out configuration sections. If set to false, the protocol is
-disabled.
-
-The default value is true.
-
-[float]
-==== `ports`
-
-Exception: For ICMP the option `enabled` has to be used instead.
-
-The ports where Packetbeat will look to capture traffic for specific
-protocols. Packetbeat installs a https://en.wikipedia.org/wiki/Berkeley_Packet_Filter[BPF]
-filter based on the ports specified in this section.
-If a packet doesn't match the filter, very little CPU is required to discard
-the packet. Packetbeat also uses the ports specified here to determine which
-parser to use for each packet.
-
-[float]
-[[send-request-option]]
-==== `send_request`
-
-If this option is enabled, the raw message of the request (`request` field) is
-sent to Elasticsearch. The default is false. This option is useful when you want to
-index the whole request. Note that for HTTP, the body is not included by
-default, only the HTTP headers.
-
-[float]
-[[send-response-option]]
-==== `send_response`
-
-If this option is enabled, the raw message of the response (`response` field)
-is sent to Elasticsearch. The default is false.  This option is useful when you
-want to index the whole response. Note that for HTTP, the body is not included
-by default, only the HTTP headers.
-
-[float]
-[[transaction-timeout-option]]
-==== `transaction_timeout`
-
-The per protocol transaction timeout. Expired transactions will no longer be correlated to incoming responses, but sent to Elasticsearch immediately.
-
-[float]
-[[packetbeat-configuration-fields]]
-==== `fields`
-
-Optional fields that you can specify to add additional information to the
-output. For example, you might add fields that you can use for filtering log
-data. Fields can be scalar values, arrays, dictionaries, or any nested
-combination of these. By default, the fields that you specify here will be
-grouped under a `fields` sub-dictionary in the output document. To store the
-custom fields as top-level fields, set the `fields_under_root` option to true.
-If a duplicate field is declared in the general configuration, then its value
-will be overwritten by the value declared here.
-
-[float]
-[[packetbeat-configuration-index]]
-==== `index`
-
-Overrides the index that events for the given protocol are published to.
-
-[source,yaml]
---------------------------------------------------------------------------------
-packetbeat.protocols:
-- type: http
-  ports: [80]
-  fields:
-    service_id: nginx
---------------------------------------------------------------------------------
-
-[float]
-[[packetbeat-fields-under-root]]
-==== `fields_under_root`
-
-If this option is set to true, the custom <<packetbeat-configuration-fields,fields>>
-are stored as top-level fields in the output document instead of being grouped
-under a `fields` sub-dictionary. If the custom field names conflict with other
-field names added by Packetbeat, then the custom fields overwrite the other
-fields.
-
-[float]
-==== `tags`
-
-A list of tags that will be sent with the transaction event. This setting is optional.
-
-[float]
-==== `processors`
-
-A list of processors to apply to the data generated by the protocol.
-
-See <<filtering-and-enhancing-data>> for information about specifying
-processors in your config.
-
-[float]
-==== `keep_null`
-
-If this option is set to true, fields with `null` values will be published in
-the output document. By default, `keep_null` is set to `false`.
-
-[[packetbeat-icmp-options]]
-=== Capture ICMP traffic
-
-++++
-<titleabbrev>ICMP</titleabbrev>
-++++
-
-The `icmp` section of the +{beatname_lc}.yml+ config file specifies options for
-the ICMP protocol. Here is a sample configuration section for ICMP:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.protocols:
-
-- type: icmp
-  enabled: true
-------------------------------------------------------------------------------
-
-==== Configuration options
-
-Also see <<common-protocol-options>>.
-
-===== `enabled`
-
-The ICMP protocol can be enabled/disabled via this option. The default is true.
-
-If enabled Packetbeat will generate the following BPF filter: `"icmp or icmp6"`.
-
-[[packetbeat-dns-options]]
-=== Capture DNS traffic
-
-++++
-<titleabbrev>DNS</titleabbrev>
-++++
-
-The `dns` section of the +{beatname_lc}.yml+ config file specifies configuration
-options for the DNS protocol. The DNS protocol supports processing DNS messages
-on TCP and UDP. Here is a sample configuration section for DNS:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.protocols:
-- type: dns
-  ports: [53]
-  include_authorities: true
-  include_additionals: true
-------------------------------------------------------------------------------
-
-==== Configuration options
-
-Also see <<common-protocol-options>>.
-
-===== `include_authorities`
-
-If this option is enabled, dns.authority fields (authority resource records) are
-added to DNS events. The default is false.
-
-===== `include_additionals`
-
-If this option is enabled, dns.additionals fields (additional resource records)
-are added to DNS events. The default is false.
-
-[[packetbeat-http-options]]
-=== Capture HTTP traffic
-
-++++
-<titleabbrev>HTTP</titleabbrev>
-++++
-
-The HTTP protocol has several specific configuration options. Here is a
-sample configuration for the `http` section of the +{beatname_lc}.yml+ config file:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.protocols:
-- type: http
-  ports: [80, 8080, 8000, 5000, 8002]
-  hide_keywords: ["pass", "password", "passwd"]
-  send_headers: ["User-Agent", "Cookie", "Set-Cookie"]
-  split_cookie: true
-  real_ip_header: "X-Forwarded-For"
-------------------------------------------------------------------------------
-
-==== Configuration options
-
-Also see <<common-protocol-options>>.
-
-===== `hide_keywords`
-
-A list of query parameters that Packetbeat will automatically censor in
-the transactions that it saves. The values associated with these parameters are replaced
-by `'xxxxx'`. By default, no changes are made to the HTTP messages.
-
-Packetbeat has this option because, unlike SQL traffic, which typically only contains the
-hashes of the passwords, HTTP traffic may contain sensitive data. To reduce security risks,
-you can configure this option to avoid sending the contents of certain HTTP POST
-parameters.
-
-WARNING: This option replaces query parameters from GET requests and top-level
-parameters from POST requests. If sensitive data is encoded inside a
-parameter that you don't specify here, Packetbeat cannot censor it. Also, note that if
-you configure Packetbeat to save the raw request and response fields (see the <<send-request-option>>
-and the <<send-response-option>> options), sensitive data may be present in those
-fields.
-
-===== `redact_authorization`
-
-When this option is enabled, Packetbeat obscures the value of
-`Authorization` and `Proxy-Authorization` HTTP headers, and censors
-those strings in the response.
-
-You should set this option to true for transactions that use Basic Authentication because
-they may contain the base64 unencrypted username and password.
-
-===== `send_headers`
-
-A list of header names to capture and send to Elasticsearch. These
-headers are placed under the `headers` dictionary in the resulting JSON.
-
-===== `send_all_headers`
-
-Instead of sending a white list of headers to Elasticsearch, you can
-send all headers by setting this option to true. The default is false.
-
-===== `redact_headers`
-
-A list of headers to redact if present in the HTTP request. This will keep
-the header field present, but will redact it's value to show the header's
-presence.
-
-===== `include_body_for`
-
-The list of content types for which Packetbeat exports the full HTTP payload. The HTTP body is available under
-`http.request.body.content` and `http.response.body.content` for these Content-Types.
-
-In addition, if <<send-response-option>> option is enabled, then the HTTP body is exported together with the HTTP
-headers under `response` and if
-<<send-request-option>> enabled, then `request` contains the entire HTTP message including the body.
-
-In the following example, the HTML attachments of the HTTP responses are exported under the `response` field and under
-`http.request.body.content` or `http.response.body.content`:
-
-[source,yml]
-------------------------------------------------------------------------------
-packetbeat.protocols:
-- type: http
-  ports: [80, 8080]
-  send_response: true
-  include_body_for: ["text/html"]
-------------------------------------------------------------------------------
-
-===== `decode_body`
-
-A boolean flag that controls decoding of HTTP payload. It interprets the
-`Content-Encoding` and `Transfer-Encoding` headers and uncompresses the entity
-body. Supported encodings are `gzip` and `deflate`. This option is only
-applicable in the cases where the HTTP payload is exported, that is, when
-one of the `include_*_body_for` options is specified or a POST request
-contains url-encoded parameters.
-
-===== `split_cookie`
-
-If the `Cookie` or `Set-Cookie` headers are sent, this option controls whether
-they are split into individual values. For example, with this option set, an
-HTTP response might result in the following JSON:
-
-[source,json]
-------------------------------------------------------------------------------
-"response": {
-  "code": 200,
-  "headers": {
-    "connection": "close",
-    "content-language": "en",
-    "content-type": "text/html; charset=utf-8",
-    "date": "Fri, 21 Nov 2014 17:07:34 GMT",
-    "server": "gunicorn/19.1.1",
-    "set-cookie": { <1>
-      "csrftoken": "S9ZuJF8mvIMT5CL4T1Xqn32wkA6ZSeyf",
-      "expires": "Fri, 20-Nov-2015 17:07:34 GMT",
-      "max-age": "31449600",
-      "path": "/"
-    },
-    "vary": "Cookie, Accept-Language"
-  },
-  "status_phrase": "OK"
-}
-------------------------------------------------------------------------------
-
-<1> Note that `set-cookie` is a map containing the cookie names as keys.
-
-The default is false.
-
-===== `real_ip_header`
-
-The header field to extract the real IP from. This setting is useful when you
-want to capture traffic behind a reverse proxy, but you want to get the
-geo-location information. If this header is present and contains a valid IP
-addresses, the information is used for the `network.forwarded_ip` field.
-
-===== `max_message_size`
-
-If an individual HTTP message is larger than this setting (in bytes), it will be trimmed
-to this size. Unless this value is very small (<1.5K), Packetbeat is able to still correctly
-follow the transaction and create an event for it. The default is 10485760 (10 MB).
-
-[[packetbeat-amqp-options]]
-=== Capture AMQP traffic
-
-++++
-<titleabbrev>AMQP</titleabbrev>
-++++
-
-The `amqp` section of the +{beatname_lc}.yml+ config file specifies configuration options for the AMQP 0.9.1
-protocol. Here is a sample configuration:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.protocols:
-- type: amqp
-  ports: [5672]
-  max_body_length: 1000
-  parse_headers: true
-  parse_arguments: false
-  hide_connection_information: true
-------------------------------------------------------------------------------
-
-
-==== Configuration options
-
-Also see <<common-protocol-options>>.
-
-===== `max_body_length`
-
-The maximum size in bytes of the message displayed in the request or response fields.
-Messages that are bigger than the specified size are truncated. Use this option to
-avoid publishing huge messages when <<send-request-option>> or <<send-request-option>>
-is enabled. The default is 1000 bytes.
-
-===== `parse_headers`
-
-If set to true, Packetbeat parses the additional arguments specified in the headers field
-of a message. Those arguments are key-value pairs that specify information such as the
-content type of the message or the message priority. The default is true.
-
-===== `parse_arguments`
-
-If set to true, Packetbeat parses the additional arguments specified in AMQP methods.
-Those arguments are key-value pairs specified by the user and can be of any length.
-The default is true.
-
-===== `hide_connection_information`
-
-If set to false, the connection layer methods of the protocol are also
-displayed, such as the opening and closing of connections and channels by clients,
-or the quality of service negotiation. The default is true.
-
-
-[[configuration-cassandra]]
-=== Capture Cassandra traffic
-
-++++
-<titleabbrev>Cassandra</titleabbrev>
-++++
-
-The following settings are specific to the Cassandra protocol. Here is a sample
-configuration for the `cassandra` section of the +{beatname_lc}.yml+ config file:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.protocols:
-- type: cassandra
-  send_request_header: true
-  send_response_header: true
-  compressor: "snappy"
-  ignored_ops: ["SUPPORTED","OPTIONS"]
-------------------------------------------------------------------------------
-
-==== Configuration options
-
-Also see <<common-protocol-options>>.
-
-===== `send_request_header`
-
-If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field)
-is sent to Elasticsearch. The default is true. enable `send_request` first before enable this option.
-
-===== `send_response_header`
-
-If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field)
-is included in published events. The default is true. enable `send_response` first before enable this option.
-
-===== `ignored_ops`
-
-This option indicates which Operator/Operators captured will be ignored. currently support:
-`ERROR` ,`STARTUP` ,`READY` ,`AUTHENTICATE` ,`OPTIONS` ,`SUPPORTED` ,
-`QUERY` ,`RESULT` ,`PREPARE` ,`EXECUTE` ,`REGISTER`  ,`EVENT` ,
-`BATCH` ,`AUTH_CHALLENGE`,`AUTH_RESPONSE` ,`AUTH_SUCCESS` .
-
-===== `compressor`
-
-Configures the default compression algorithm being used to uncompress compressed frames by name. Currently only `snappy` is can be configured.
-By default no compressor is configured.
-
-[[packetbeat-memcache-options]]
-=== Capture Memcache traffic
-
-++++
-<titleabbrev>Memcache</titleabbrev>
-++++
-
-The `memcache` section of the +{beatname_lc}.yml+ config file specifies configuration options for the memcache
-protocol. Here is a sample configuration section for memcache:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.protocols:
-- type: memcache
-  ports: [11211]
-  parseunknown: false
-  maxvalues: 0
-  maxbytespervalue: 100
-  transaction_timeout: 200
-  udptransactiontimeout: 200
-------------------------------------------------------------------------------
-
-
-==== Configuration options
-
-Also see <<common-protocol-options>>.
-
-===== `parseunknown`
-
-When this option is enabled, it forces the memcache text protocol parser to accept unknown commands.
-
-NOTE: The unknown commands MUST NOT contain a data part.
-
-===== `maxvalues`
-
-The maximum number of values to store in the message (multi-get).
-All values will be base64 encoded.
-
-The possible settings for this option are:
-
-* `maxvalue: -1`, which stores all values (text based protocol multi-get)
-* `maxvalue: 0`, which stores no values (default)
-* `maxvalue: N`, which stores up to N values
-
-===== `maxbytespervalue`
-
-The maximum number of bytes to be copied for each value element.
-
-NOTE: Values will be base64 encoded, so the actual size in the JSON document will be 4 times the value that
-you specify for `maxbytespervalue`.
-
-===== `udptransactiontimeout`
-
-The transaction timeout in milliseconds. The defaults is 10000 milliseconds.
-
-NOTE: Quiet messages in UDP binary protocol get responses only if there is an error.
-The memcache protocol analyzer will wait for the number of milliseconds specified by
-`udptransactiontimeout` before publishing quiet messages. Non-quiet messages or
-quiet requests with an error response are published immediately.
-
-[[packetbeat-mysql-options]]
-=== Capture MySQL traffic
-
-++++
-<titleabbrev>MySQL</titleabbrev>
-++++
-
-The `mysql` section of the +{beatname_lc}.yml+ config file specifies configuration
-options for the MySQL protocols.
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.protocols:
-
-- type: mysql
-  ports: [3306,3307]
-------------------------------------------------------------------------------
-
-==== Configuration options
-
-Also see <<common-protocol-options>>.
-
-===== `max_rows`
-
-The maximum number of rows from the SQL message to publish to Elasticsearch. The
-default is 10 rows.
-
-
-===== `max_row_length`
-
-The maximum length in bytes of a row from the SQL message to publish to
-Elasticsearch. The default is 1024 bytes.
-
-==== `statement_timeout`
-
-The duration for which prepared statements are cached after their last use.
-Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-The default is `1h`.
-
-[[packetbeat-pgsql-options]]
-=== Capture PgSQL traffic
-
-++++
-<titleabbrev>PgSQL</titleabbrev>
-++++
-
-The `pgsql` sections of the +{beatname_lc}.yml+ config file specifies configuration
-options for the PgSQL protocols.
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.protocols:
-
-- type: pgsql
-  ports: [5432]
-------------------------------------------------------------------------------
-
-==== Configuration options
-
-Also see <<common-protocol-options>>.
-
-===== `max_rows`
-
-The maximum number of rows from the SQL message to publish to Elasticsearch. The
-default is 10 rows.
-
-
-===== `max_row_length`
-
-The maximum length in bytes of a row from the SQL message to publish to
-Elasticsearch. The default is 1024 bytes.
-
-[[configuration-thrift]]
-=== Capture Thrift traffic
-
-++++
-<titleabbrev>Thrift</titleabbrev>
-++++
-
-https://thrift.apache.org/[Apache Thrift] is a communication protocol and RPC
-framework initially created at Facebook. It is sometimes used in
-http://martinfowler.com/articles/microservices.html[microservices]
-architectures because it provides better performance when compared to the more
-obvious HTTP/RESTful API choice, while still supporting a wide range of
-programming languages and frameworks.
-
-Packetbeat works based on a copy of the traffic, which means that you get
-performance management features without having to modify your services in
-any way and without any latency overhead. Packetbeat captures the transactions from the
-network and indexes them in Elasticsearch so that they can be analyzed and
-searched.
-
-Packetbeat indexes the method, parameters, return value, and
-exceptions of each Thrift-RPC call. You can search by and create statistics
-based on any of these fields. Packetbeat automatically fills in the `status`
-column with either `OK` or `Error`, so it's easy to find the problematic RPC calls.
-A transaction is put into the `Error` state if it returned an exception.
-
-Packetbeat also indexes the `event.duration` field so you can get performance
-analytics and find the slow RPC calls.
-
-Here is an example performance dashboard:
-
-image::./images/thrift-dashboard.png[Thrift-RPC dashboard]
-
-
-Thrift supports multiple http://en.wikipedia.org/wiki/Apache_Thrift[transport
-and protocol types]. Currently Packetbeat supports the default `TSocket`
-transport as well as the `TFramed` transport. From the protocol point of view,
-Packetbeat currently supports only the default `TBinary` protocol.
-
-Packetbeat also has several configuration options that allow you to get
-the right balance between visibility, disk usage, and data protection. You can,
-for example, choose to obfuscate all strings or to store the requests but not
-the responses, while still capturing the response time for each of the RPC
-calls. You can also choose to limit the size of strings and lists to a given
-number of elements, so you can fine tune how much data you want to have stored in
-Elasticsearch.
-
-The Thrift protocol has several specific configuration options. Here is an
-example configuration section for the Thrift protocol in the
-+{beatname_lc}.yml+ config file:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.protocols:
-- type: thrift
-  transport_type: socket
-  protocol_type: binary
-  idl_files: ["tutorial.thrift", "shared.thrift"]
-  string_max_size: 200
-  collection_max_size: 20
-  capture_reply: true
-  obfuscate_strings: true
-  drop_after_n_struct_fields: 100
-------------------------------------------------------------------------------
-
-Providing the Thrift IDL files to Packetbeat is optional. The binary
-Thrift messages include the called method name and enough structural information
-to decode the messages without needing the IDL files. However, if you
-provide the IDL files, Packetbeat can also resolve the service name,
-arguments, and exception names.
-
-==== Configuration options
-
-Also see <<common-protocol-options>>.
-
-===== `transport_type`
-
-The Thrift transport type. Currently this option accepts the values `socket`
-for TSocket, which is the default Thrift transport, and `framed` for the TFramed Thrift
-transport. The default is `socket`.
-
-===== `protocol_type`
-
-The Thrift protocol type. Currently the only accepted value is `binary` for
-the TBinary protocol, which is the default Thrift protocol.
-
-===== `idl_files`
-
-The Thrift interface description language (IDL) files for the service that
-Packetbeat is monitoring. Providing the IDL files is optional, because the Thrift
-messages contain enough information to decode them without having the IDL
-files. However, providing the IDL enables Packetbeat to include parameter and
-exception names.
-
-===== `string_max_size`
-
-The maximum length for strings in parameters or return values. If a string is longer than
-this value, the string is automatically truncated to this length. Packetbeat adds dots
-at the end of the string to mark that it was truncated. The default is 200.
-
-===== `collection_max_size`
-
-The maximum number of elements in a Thrift list, set, map, or structure. If a collection
-has more elements than this value, Packetbeat captures only the
-specified number of elements. Packetbeat adds a fictive last element `...` to the end
-of the collection to mark that it was truncated. The default is 15.
-
-===== `capture_reply`
-
-If this option is set to false, Packetbeat decodes the method name from
-the reply and simply skips the rest of the response message. This setting can be useful
-for performance, disk usage, or data retention reasons. The default is true.
-
-===== `obfuscate_strings`
-
-If this option is set to true, Packetbeat replaces all strings found in method parameters,
-return codes, or exception structures with the `"*"` string.
-
-===== `drop_after_n_struct_fields`
-
-The maximum number of fields that a structure can have before Packetbeat
-ignores the whole transaction. This is a memory protection mechanism (so that
-Packetbeat's memory doesn't grow indefinitely), so you would typically set this
-to a relatively high value. The default is 500.
-
-
-[[configuration-mongodb]]
-=== Capture MongoDB traffic
-
-++++
-<titleabbrev>MongoDB</titleabbrev>
-++++
-
-The following settings are specific to the MongoDB protocol. Here is a sample
-configuration for the `mongodb` section of the +{beatname_lc}.yml+ config file:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.protocols:
-- type: mongodb
-  send_request: true
-  send_response: true
-  max_docs: 0
-  max_doc_length: 0
-------------------------------------------------------------------------------
-
-==== Configuration options
-
-The `max_docs` and `max_doc_length` settings are useful for limiting the amount
-of data Packetbeat indexes in the `response` fields.
-
-Also see <<common-protocol-options>>.
-
-===== `max_docs`
-
-The maximum number of documents from the response to index in the `response` field. The
-default is 10. You can set this to 0 to index an unlimited number of documents.
-
-Packetbeat adds a `[...]` line at the end to signify that there were additional documents
-that weren't saved because of this setting.
-
-===== `max_doc_length`
-
-The maximum number of characters in a single document indexed in the `response`
-field. The default is 5000. You can set this to 0 to index an unlimited number
-of characters per document.
-
-If the document is trimmed because of this setting, Packetbeat adds the string `...`
-at the end of the document.
-
-Note that limiting documents in this way means that they are no longer correctly
-formatted JSON objects.
-
-[[configuration-tls]]
-=== Capture TLS traffic
-
-++++
-<titleabbrev>TLS</titleabbrev>
-++++
-
-TLS is a cryptographic protocol that provides secure communications on top of
-an existing application protocol, like HTTP or MySQL.
-
-Packetbeat intercepts the initial handshake in a TLS connection and extracts
-useful information that helps operators diagnose problems and
-strengthen the security of their network and systems. It does not
-decrypt any information from the encapsulated protocol, nor does it reveal any
-sensitive information such as cryptographic keys. TLS versions 1.0 to 1.3 are supported.
-
-It works by intercepting the client and server "hello" messages, which contain
-the negotiated parameters for the connection such as cryptographic ciphers and
-protocol versions. It can also intercept TLS alerts, which are sent by one
-of the parties to signal a problem with the negotiation, such as an expired
-certificate or a cryptographic error.
-
-An example of indexed event:
-
-[source,json]
-------------------------------------------------------------------------------
-"tls": {
-    "client": {
-      "supported_ciphers": [
-        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
-      ],
-      "ja3": "e6573e91e6eb777c0933c5b8f97f10cd",
-      "server_name": "example.net"
-    },
-    "server": {
-      "subject": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
-      "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
-      "not_before": "2018-11-28T00:00:00.000Z",
-      "not_after": "2020-12-02T12:00:00.000Z",
-      "hash": {
-        "sha1": "7BB698386970363D2919CC5772846984FFD4A889"
-      }
-    },
-    "version": "1.2",
-    "version_protocol": "tls",
-    "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-    "established": true,
-    "next_protocol": "h2",
-    "detailed": {
-      "server_certificate": {
-        "subject": {
-          "common_name": "www.example.org",
-          "country": "US",
-          "organization": "Internet Corporation for Assigned Names and Numbers",
-          "organizational_unit": "Technology",
-          "locality": "Los Angeles",
-          "province": "California"
-        },
-        "not_after": "2020-12-02T12:00:00.000Z",
-        "public_key_size": 2048,
-        "alternative_names": [
-          "www.example.org",
-          "example.com",
-          "example.edu",
-          "example.net",
-          "example.org",
-          "www.example.com",
-          "www.example.edu",
-          "www.example.net"
-        ],
-        "signature_algorithm": "SHA256-RSA",
-        "version": 3,
-        "issuer": {
-          "organization": "DigiCert Inc",
-          "common_name": "DigiCert SHA2 Secure Server CA",
-          "country": "US"
-        },
-        "not_before": "2018-11-28T00:00:00.000Z",
-        "public_key_algorithm": "RSA",
-        "serial_number": "21020869104500376438182461249190639870"
-      },
-      "server_certificate_chain": [
-        {
-          "public_key_algorithm": "RSA",
-          "not_before": "2013-03-08T12:00:00.000Z",
-          "not_after": "2023-03-08T12:00:00.000Z",
-          "version": 3,
-          "serial_number": "2646203786665923649276728595390119057",
-          "issuer": {
-            "organizational_unit": "www.digicert.com",
-            "common_name": "DigiCert Global Root CA",
-            "country": "US",
-            "organization": "DigiCert Inc"
-          },
-          "subject": {
-            "country": "US",
-            "organization": "DigiCert Inc",
-            "common_name": "DigiCert SHA2 Secure Server CA"
-          },
-          "public_key_size": 2048,
-          "signature_algorithm": "SHA256-RSA"
-        },
-        {
-          "public_key_algorithm": "RSA",
-          "subject": {
-            "common_name": "DigiCert Global Root CA",
-            "country": "US",
-            "organization": "DigiCert Inc",
-            "organizational_unit": "www.digicert.com"
-          },
-          "issuer": {
-            "country": "US",
-            "organization": "DigiCert Inc",
-            "organizational_unit": "www.digicert.com",
-            "common_name": "DigiCert Global Root CA"
-          },
-          "signature_algorithm": "SHA1-RSA",
-          "serial_number": "10944719598952040374951832963794454346",
-          "not_before": "2006-11-10T00:00:00.000Z",
-          "not_after": "2031-11-10T00:00:00.000Z",
-          "public_key_size": 2048,
-          "version": 3
-        }
-      ],
-      "client_certificate_requested": false,
-      "version": "TLS 1.2",
-      "client_hello": {
-        "version": "3.3",
-        "supported_compression_methods": [
-          "NULL"
-        ],
-        "extensions": {
-          "ec_points_formats": [
-            "uncompressed"
-          ],
-          "supported_groups": [
-            "x25519",
-            "secp256r1",
-            "secp384r1"
-          ],
-          "signature_algorithms": [
-            "rsa_pkcs1_sha512",
-            "ecdsa_secp521r1_sha512",
-            "(unknown:0xefef)",
-            "rsa_pkcs1_sha384",
-            "ecdsa_secp384r1_sha384",
-            "rsa_pkcs1_sha256",
-            "ecdsa_secp256r1_sha256",
-            "(unknown:0xeeee)",
-            "(unknown:0xeded)",
-            "(unknown:0x0301)",
-            "(unknown:0x0303)",
-            "rsa_pkcs1_sha1",
-            "ecdsa_sha1"
-          ],
-          "application_layer_protocol_negotiation": [
-            "h2",
-            "http/1.1"
-          ],
-          "server_name_indication": [
-            "example.net"
-          ]
-        }
-      },
-      "server_hello": {
-        "version": "3.3",
-        "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f",
-        "selected_compression_method": "NULL",
-        "extensions": {
-          "application_layer_protocol_negotiation": [
-            "h2"
-          ],
-          "_unparsed_": [
-            "renegotiation_info",
-            "server_name_indication"
-          ],
-          "ec_points_formats": [
-            "uncompressed",
-            "ansiX962_compressed_prime",
-            "ansiX962_compressed_char2"
-          ]
-        }
-      }
-    }
-  }
-------------------------------------------------------------------------------
-
-The TLS events generated by {beatname_uc} follow the Elastic Common Schema
-(ECS) format. See {ecs-ref}/ecs-tls.html[ECS TLS fields] for a description
-of the populated fields.
-
-Detailed information that is not defined in ECS is added under the
-`tls.detailed` key. The <<include_detailed_fields>> configuration flag is used
-to control whether this information is exported.
-
-The fields under `tls.detailed.client_hello` contain the algorithms and
-extensions supported by the client, as well as the maximum TLS version
-it supports.
-
-Fields under `tls.detailed.server_hello` contain the final settings for the TLS
-session: The selected cipher, compression method, TLS version to use and
-other extensions such as application layer protocol negotiation (ALPN).
-
-See the <<exported-fields-tls_detailed>> section for more information.
-
-The following settings are specific to the TLS protocol. Here is a sample
-configuration for the `tls` section of the +{beatname_lc}.yml+ config file:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.protocols:
-- type: tls
-  send_certificates: true
-  include_raw_certificates: false
-  include_detailed_fields: true
-  fingerprints: [ md5, sha1, sha256 ]
-------------------------------------------------------------------------------
-
-==== Configuration options
-
-The `send_certificates` and `include_detailed_fields` settings are useful for
-limiting the amount of data Packetbeat indexes, as multiple certificates are
-usually exchanged in a single transaction, and those can take a considerable
-amount of storage.
-
-Also see <<common-protocol-options>>.
-
-===== `send_certificates`
-
-This setting causes information about the certificates presented by the
-client and server to be included in the detailed fields. The server's
-certificate is indexed under `tls.detailed.server_certificate` and its
-certification chain under `tls.detailed.server_certificate_chain`.
-For the client, the `client_certificate` and `client_certificate_chain` fields
-are used. The default is true.
-
-===== `include_raw_certificates`
-
-You can set `include_raw_certificates` to include the raw certificate chains
-encoded in PEM format, under the `tls.server.certificate_chain` and
-`tls.client.certificate_chain` fields. The default is false.
-
-[[include_detailed_fields]]
-===== `include_detailed_fields`
-
-Controls whether the <<exported-fields-tls_detailed>> are added to exported
-documents. When set to `false`, only {ecs-ref}/ecs-tls.html[ECS TLS fields]
-are included. The default is `true`.
-
-===== `fingerprints`
-
-Defines a list of hash algorithms to calculate the certificate's fingerprints.
-Valid values are `sha1`, `sha256` and `md5`.
-
-The default is to output SHA-1 fingerprints.
-
-[[packetbeat-redis-options]]
-=== Capture Redis traffic
-
-++++
-<titleabbrev>Redis</titleabbrev>
-++++
-
-The Redis protocol has several specific configuration options. Here is a
-sample configuration for the `redis` section of the +{beatname_lc}.yml+ config file:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.protocols:
-- type: redis
-  ports: [6379]
-  queue_max_bytes: 1048576
-  queue_max_messages: 20000
-------------------------------------------------------------------------------
-
-==== Configuration options
-
-Also see <<common-protocol-options>>.
-
-===== `queue_max_bytes` and `queue_max_messages`
-
-In order for request/response correlation to work, {beatname_uc} needs to
-store requests in memory until a response is received. These settings impose
-a limit on the number of bytes (`queue_max_bytes`) and number of requests
-(`queue_max_messages`) that can be stored. These limits are per-connection.
-The default is to queue up to 1MB or 20.000 requests per connection, which
-allows to use request pipelining while at the same time limiting the amount
-of memory consumed by replication sessions.
-
-[[configuration-processes]]
-== Configure which processes to monitor
-
-++++
-<titleabbrev>Processes</titleabbrev>
-++++
-
-This section of the +{beatname_lc}.yml+ config file is optional, but configuring
-the processes enables Packetbeat to show you not only the servers that the
-traffic is flowing between, but also the processes. Packetbeat can even show you
-the traffic between two processes running on the same host, which is
-particularly useful when you have many services running on the same server. By
-default, process enrichment is disabled.
-
-When Packetbeat starts, and then periodically afterwards, it scans the process
-table for processes that match the configuration file. For each of these
-processes, it monitors which file descriptors it has opened. When a new packet
-is captured, it reads the list of active TCP and UDP connections and matches the
-corresponding one with the list of file descriptors.
-
-All this information is available via system interfaces: The `/proc` file system
-in Linux and the IP Helper API (`iphlpapi.dll`) on Windows, so {beatname_uc}
-doesn't need a kernel module.
-
-NOTE: Process monitoring is currently only supported on
-      Linux and Windows systems. Packetbeat automatically disables
-      process monitoring when it detects other operating systems.
-
-Example configuration:
-
-[source,yaml]
-------------------------------------------------------------------------------
-packetbeat.procs.enabled: true
-------------------------------------------------------------------------------
-
-When the process monitor is enabled, it will enrich all the events whose source
-or destination is a local process. The `source.process` and/or
-`destination.process` fields will be added to an event, when the server side or
-client side of the connection belong to a local process, respectively.
-
-[float]
-=== Configuration options
-
-You can specify the following process monitoring options in the `monitored`
-section of the +{beatname_lc}.yml+ config file to customize the name of process:
-
-[float]
-==== `process`
-
-The name of the process as it will appear in the published transactions. The name
-doesn't have to match the name of the executable, so feel free to choose something
-more descriptive (for example,  "myapp" instead of "gunicorn").
-
-[float]
-==== `cmdline_grep`
-
-The name used to identify the process at run time. When Packetbeat starts, and then
-periodically afterwards, it scans the process table for
-processes that match the values specified for this option. The match is done against the
-process' command line as read from `/proc/<pid>/cmdline`.
-
-
-[float]
-[[shutdown-timeout]]
-==== `shutdown_timeout`
-
-How long Packetbeat waits on shutdown. By default, this option is disabled. Packetbeat
-will wait for `shutdown_timeout` and then close. It will not track if all events were sent
-previously.
-
-Example configuration:
-
-[source,yaml]
--------------------------------------------------------------------------------------
-packetbeat.shutdown_timeout: 5s
--------------------------------------------------------------------------------------
-
-[float]
-==== `overwrite_pipelines`
-
-By default Ingest pipelines are not updated if a pipeline with the same ID
-already exists. If this option is enabled {beatname_uc} overwrites pipelines
-every time a new Elasticsearch connection is established.
-
-The default value is `false`.
diff --git a/packetbeat/docs/packetbeat-reference-yml.asciidoc b/packetbeat/docs/packetbeat-reference-yml.asciidoc
deleted file mode 100644
index 547b4436009f..000000000000
--- a/packetbeat/docs/packetbeat-reference-yml.asciidoc
+++ /dev/null
@@ -1,11 +0,0 @@
-[[packetbeat-reference-yml]]
-== packetbeat.reference.yml
-
-The following reference file is available with your Packetbeat installation. It
-shows all non-deprecated Packetbeat options. The contents are included here for
-your convenience.
-
-[source,yaml]
---
-include::../packetbeat.reference.yml[]
---
diff --git a/packetbeat/docs/protocol-metrics-packetbeat.asciidoc b/packetbeat/docs/protocol-metrics-packetbeat.asciidoc
deleted file mode 100644
index 1b84eeb37b64..000000000000
--- a/packetbeat/docs/protocol-metrics-packetbeat.asciidoc
+++ /dev/null
@@ -1,61 +0,0 @@
-[[protocol-metrics-packetbeat]]
-=== Protocol-Specific Metrics
-
-Packetbeat exposes per-protocol metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs/` path. They can be used to
-observe the activity of Packetbeat for the monitored protocol.
-
-[float]
-==== AF_PACKET Metrics
-
-[options="header"]
-|=======
-| Metric                 | Description
-| `device`               | Name of the device being monitored.
-| `socket_packets`       | Number of packets delivered by the kernel to the shared buffer.
-| `socket_drops`         | Number of packets dropped by the kernel on the socket.
-| `socket_queue_freezes` | Number of kernel queue freezes on the socket.
-| `packets`              | Number of packets handled by Packetbeat.
-| `polls`                | Number of blocking syscalls made waiting for packets.
-|=======
-
-
-[float]
-==== TCP Metrics
-
-[options="header"]
-|=======
-| Metric                        | Description
-| `device`                      | Name of the device being monitored.
-| `received_events_total`       | Number of packets processed.
-| `received_bytes_total`        | Number of bytes processed.
-| `tcp_overlaps`                | Number of packets shrunk due to overlap.
-| `tcp.dropped_because_of_gaps` | Number of packets dropped because of gaps.
-| `arrival_period`              | Histogram of the elapsed time between packet arrivals.
-| `processing_time`             | Histogram of the elapsed time between packet receipt and publication.
-| `fin_flags_total`             | Number of TCP FIN (finish) flags observed.
-| `syn_flags_total`             | Number of TCP SYN (synchronization) flags observed.
-| `rst_flags_total`             | Number of TCP RST (reset) flags observed.
-| `psh_flags_total`             | Number of TCP PSH (push) flags observed.
-| `ack_flags_total`             | Number of TCP ACK (acknowledgement) flags observed.
-| `urg_flags_total`             | Number of TCP URG (urgent) flags observed.
-| `ece_flags_total`             | Number of TCP ECE (ECN echo) flags observed.
-| `cwr_flags_total`             | Number of TCP CWR (congestion window reduced) flags observed.
-| `ns_flags_total`              | Number of TCP NS (nonce sum) flags observed.
-| `received_headers_total`      | Number of headers observed, including unprocessed packets.
-|=======
-
-
-[float]
-==== UDP Metrics
-
-[options="header"]
-|=======
-| Metric                  | Description
-| `device`                | Name of the device being monitored.
-| `received_events_total` | Number of packets processed.
-| `received_bytes_total`  | Number of bytes processed.
-| `arrival_period`        | Histogram of the elapsed time between packet arrivals.
-| `processing_time`       | Histogram of the elapsed time between packet receipt and publication.
-|=======
-
diff --git a/packetbeat/docs/running-on-docker.asciidoc b/packetbeat/docs/running-on-docker.asciidoc
deleted file mode 100644
index 66ee487c10ec..000000000000
--- a/packetbeat/docs/running-on-docker.asciidoc
+++ /dev/null
@@ -1,31 +0,0 @@
-include::{libbeat-dir}/shared-docker.asciidoc[]
-
-[float]
-==== Required network capabilities
-
-Under Docker, Packetbeat runs as a non-root user, but requires some privileged
-network capabilities to operate correctly. Ensure that the +NET_ADMIN+
-capability is available to the container.
-
-["source","sh",subs="attributes"]
-----
-docker run --cap-add=NET_ADMIN {dockerimage}
-----
-
-[float]
-==== Capture traffic from the host system
-
-By default, Docker networking will connect the Packetbeat container to an
-isolated virtual network, with a limited view of network traffic. You may wish
-to connect the container directly to the host network in order to see traffic
-destined for, and originating from, the host system. With +docker run+, this can
-be achieved by specifying +--network=host+.
-
-["source","sh",subs="attributes"]
-----
-docker run --cap-add=NET_ADMIN --network=host {dockerimage}
-----
-
-NOTE: On Windows and MacOS, specifying +--network=host+ will bind the
-container's network interface to the virtual interface of Docker's embedded
-Linux virtual machine, not to the physical interface of the host system.
diff --git a/packetbeat/docs/setting-up-running.asciidoc b/packetbeat/docs/setting-up-running.asciidoc
deleted file mode 100644
index 42f941ee916b..000000000000
--- a/packetbeat/docs/setting-up-running.asciidoc
+++ /dev/null
@@ -1,51 +0,0 @@
-/////
-// NOTE:
-// Each beat has its own setup overview to allow for the addition of content
-// that is unique to each beat.
-/////
-
-[[setting-up-and-running]]
-== Set up and run {beatname_uc}
-
-++++
-<titleabbrev>Set up and run</titleabbrev>
-++++
-
-Before reading this section, see
-<<{beatname_lc}-installation-configuration>> for basic
-installation instructions to get you started.
-
-This section includes additional information on how to install, set up, and run
-{beatname_uc}, including:
-
-* <<directory-layout>>
-
-* <<command-line-options>>
-
-* <<setup-repositories>>
-
-* <<running-on-docker>>
-
-* <<running-with-systemd>>
-
-* <<{beatname_lc}-starting>>
-
-* <<shutdown>>
-
-//MAINTAINERS: If you add a new file to this section, make sure you update the bulleted list ^^ too.
-
-include::{libbeat-dir}/shared-directory-layout.asciidoc[]
-
-include::{libbeat-dir}/keystore.asciidoc[]
-
-include::{libbeat-dir}/command-reference.asciidoc[]
-
-include::{libbeat-dir}/repositories.asciidoc[]
-
-include::./running-on-docker.asciidoc[]
-
-include::{libbeat-dir}/shared-systemd.asciidoc[]
-
-include::{libbeat-dir}/shared/start-beat.asciidoc[]
-
-include::{libbeat-dir}/shared/shutdown.asciidoc[]
diff --git a/packetbeat/docs/shared-protocol-list.asciidoc b/packetbeat/docs/shared-protocol-list.asciidoc
deleted file mode 100644
index fdac127050ac..000000000000
--- a/packetbeat/docs/shared-protocol-list.asciidoc
+++ /dev/null
@@ -1,21 +0,0 @@
-//////////////////////////////////////////////////////////////////////////
-//// This content is shared by multiple files.
-//// Use the following include to pull this content into a doc file:
-//// include::shared-protocol-list.asciidoc[]
-//////////////////////////////////////////////////////////////////////////
-
- - ICMP (v4 and v6)
- - DHCP (v4)
- - DNS
- - HTTP
- - AMQP 0.9.1
- - Cassandra
- - Mysql
- - PostgreSQL
- - Redis
- - Thrift-RPC
- - MongoDB
- - Memcache
- - NFS
- - TLS
- - SIP/SDP (beta)
diff --git a/packetbeat/docs/tab-widgets/devices-widget.asciidoc b/packetbeat/docs/tab-widgets/devices-widget.asciidoc
deleted file mode 100644
index fcb06e0d42ed..000000000000
--- a/packetbeat/docs/tab-widgets/devices-widget.asciidoc
+++ /dev/null
@@ -1,94 +0,0 @@
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Devices">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-devices"
-            id="deb-devices">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-devices"
-            id="rpm-devices"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-devices"
-            id="mac-devices"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-devices"
-            id="linux-devices"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-devices"
-            id="win-devices"
-            tabindex="-1">
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-devices"
-       aria-labelledby="deb-devices">
-++++
-
-include::devices.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-devices"
-       aria-labelledby="rpm-devices"
-       hidden="">
-++++
-
-include::devices.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-devices"
-       aria-labelledby="mac-devices"
-       hidden="">
-++++
-
-include::devices.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-devices"
-       aria-labelledby="linux-devices"
-       hidden="">
-++++
-
-include::devices.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-devices"
-       aria-labelledby="win-devices"
-       hidden="">
-++++
-
-include::devices.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
diff --git a/packetbeat/docs/tab-widgets/devices.asciidoc b/packetbeat/docs/tab-widgets/devices.asciidoc
deleted file mode 100644
index e0c9a73a9882..000000000000
--- a/packetbeat/docs/tab-widgets/devices.asciidoc
+++ /dev/null
@@ -1,47 +0,0 @@
-// tag::deb[]
-[source,shell]
-------------------------------------------------
-packetbeat devices
-------------------------------------------------
-// end::deb[]
-
-// tag::rpm[]
-[source,shell]
-------------------------------------------------
-packetbeat devices
-------------------------------------------------
-// end::rpm[]
-
-// tag::mac[]
-[source,shell]
-------------------------------------------------
-./packetbeat devices
-------------------------------------------------
-// end::mac[]
-
-// tag::linux[]
-[source,shell]
-----------------------------------------------------------------------
-./packetbeat devices
-----------------------------------------------------------------------
-// end::linux[]
-
-// tag::win[]
-[source,shell]
-----------------------------------------------------------------------
-PS C:\Program Files\Packetbeat> .\packetbeat.exe devices
-
-0: \Device\NPF_{113535AD-934A-452E-8D5F-3004797DE286} (Intel(R) PRO/1000 MT Desktop Adapter)
-----------------------------------------------------------------------
-
-In this example, there's only one network card, with the index 0, installed on
-the system. If there are multiple network cards, remember the index of the
-device you want to use for capturing the traffic.
-
-Modify the `device` setting to point to the index of the device:
-
-[source,shell]
-----------------------------------------------------------------------
-packetbeat.interfaces.device: 0
-----------------------------------------------------------------------
-// end::win[]
diff --git a/packetbeat/docs/tab-widgets/install-libpcap-widget.asciidoc b/packetbeat/docs/tab-widgets/install-libpcap-widget.asciidoc
deleted file mode 100644
index 4807d17260ec..000000000000
--- a/packetbeat/docs/tab-widgets/install-libpcap-widget.asciidoc
+++ /dev/null
@@ -1,94 +0,0 @@
-++++
-<div class="tabs" data-tab-group="os">
-  <div role="tablist" aria-label="Install libpcap">
-    <button role="tab"
-            aria-selected="true"
-            aria-controls="deb-tab-install-libpcap"
-            id="deb-install-libpcap">
-      DEB
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="rpm-tab-install-libpcap"
-            id="rpm-install-libpcap"
-            tabindex="-1">
-      RPM
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="mac-tab-install-libpcap"
-            id="mac-install-libpcap"
-            tabindex="-1">
-      MacOS
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="linux-tab-install-libpcap"
-            id="linux-install-libpcap"
-            tabindex="-1">
-      Linux
-    </button>
-    <button role="tab"
-            aria-selected="false"
-            aria-controls="win-tab-install-libpcap"
-            id="win-install-libpcap"
-            tabindex="-1">
-      Windows
-    </button>
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="deb-tab-install-libpcap"
-       aria-labelledby="deb-install-libpcap">
-++++
-
-include::install-libpcap.asciidoc[tag=deb]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="rpm-tab-install-libpcap"
-       aria-labelledby="rpm-install-libpcap"
-       hidden="">
-++++
-
-include::install-libpcap.asciidoc[tag=rpm]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="mac-tab-install-libpcap"
-       aria-labelledby="mac-install-libpcap"
-       hidden="">
-++++
-
-include::install-libpcap.asciidoc[tag=mac]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="linux-tab-install-libpcap"
-       aria-labelledby="linux-install-libpcap"
-       hidden="">
-++++
-
-include::install-libpcap.asciidoc[tag=linux]
-
-++++
-  </div>
-  <div tabindex="0"
-       role="tabpanel"
-       id="win-tab-install-libpcap"
-       aria-labelledby="win-install-libpcap"
-       hidden="">
-++++
-
-include::install-libpcap.asciidoc[tag=win]
-
-++++
-  </div>
-</div>
-++++
diff --git a/packetbeat/docs/tab-widgets/install-libpcap.asciidoc b/packetbeat/docs/tab-widgets/install-libpcap.asciidoc
deleted file mode 100644
index 554c27249c25..000000000000
--- a/packetbeat/docs/tab-widgets/install-libpcap.asciidoc
+++ /dev/null
@@ -1,37 +0,0 @@
-:no-libpcap: 
-
-// tag::deb[]
-["source","sh",subs="attributes"]
-------------------------------------------------
-sudo apt-get install libpcap{libpcap}
-------------------------------------------------
-// end::deb[]
-
-// tag::rpm[]
-["source","sh",subs="attributes"]
-------------------------------------------------
-sudo yum install libpcap
-------------------------------------------------
-// end::rpm[]
-
-// tag::mac[]
-You probably do not need to install libpcap.
-// end::mac[]
-
-// tag::linux[]
-You probably do not need to install libpcap.
-// end::linux[]
-
-// tag::win[]
-
-You probably do not need to install libpcap. The default distribution of
-{packetbeat} for Windows comes bundled with the Npcap library.
-
-For the OSS-only distribution, you must download and install a packet
-sniffing library, such as https://nmap.org/npcap/[Npcap], that implements the
-https://github.com/the-tcpdump-group/libpcap[libpcap] interfaces.
-
-If you use Npcap, make sure you install it in WinPcap API-compatible mode. If
-you plan to capture traffic from the loopback device (127.0.0.1 traffic), also
-select the option to support loopback traffic. 
-// end::win[]
diff --git a/packetbeat/docs/troubleshooting.asciidoc b/packetbeat/docs/troubleshooting.asciidoc
deleted file mode 100644
index 3adf35590375..000000000000
--- a/packetbeat/docs/troubleshooting.asciidoc
+++ /dev/null
@@ -1,67 +0,0 @@
-[[troubleshooting]]
-= Troubleshoot
-
-[partintro]
---
-If you have issues installing or running Packetbeat, read the
-following tips:
-
-* <<getting-help>>
-* <<enable-packetbeat-debugging>>
-* <<understand-{beatname_lc}-logs>>
-* <<recording-trace>>
-* <<faq>>
-
-//sets block macro for getting-help.asciidoc included in next section
-
---
-
-[[getting-help]]
-== Get help
-
-include::{libbeat-dir}/getting-help.asciidoc[]
-
-//sets block macro for debugging.asciidoc included in next section
-
-[[enable-packetbeat-debugging]]
-== Debug
-
-include::{libbeat-dir}/debugging.asciidoc[]
-
-//sets block macro for recording-trace content included in next section
-
-//sets block macro for metrics-in-logs.asciidoc included in next section
-
-[id="understand-{beatname_lc}-logs"]
-[role="xpack"]
-== Understand metrics in {beatname_uc} logs
-
-++++
-<titleabbrev>Understand logged metrics</titleabbrev>
-++++
-
-include::{libbeat-dir}/metrics-in-logs.asciidoc[]
-
-[[recording-trace]]
-== Record a trace
-
-If you are having an issue, it's often useful to record a full network trace
-and send it to us. It will help us reproduce the issue, and we can also add it
-to our automatic regression tests so that the problem never reoccurs. A trace
-of 10-20 seconds is usually enough. To record the trace, you can use the following Packetbeat command:
-
-[source,shell]
-------------------------------------------------------------
-packetbeat -e --dump trace.pcap
-------------------------------------------------------------
-
-This command executes Packetbeat in normal mode (all processing happens as usual), but
-at the same time, it records all packets in libpcap format in the `trace.pcap`
-file. If there's a particular error message you want us to investigate, please
-keep the trace running until the error shows up (it will printed on standard
-error).
-
-WARNING: PCAP files can be large. Please monitor the disk usage while doing the
-dump to make sure you don't run out of disk space. Whenever possible, we
-recommend recording the trace on a non-production machine.
-
diff --git a/packetbeat/docs/upgrading.asciidoc b/packetbeat/docs/upgrading.asciidoc
deleted file mode 100644
index 45afca1ac047..000000000000
--- a/packetbeat/docs/upgrading.asciidoc
+++ /dev/null
@@ -1,7 +0,0 @@
-[[upgrading-packetbeat]]
-== Upgrade Packetbeat
-
-For information about upgrading to a new version, see:
-
-* {beats-ref}/breaking-changes.html[Breaking Changes]
-* {beats-ref}/upgrading.html[Upgrade]
diff --git a/packetbeat/docs/visualizing-data-packetbeat.asciidoc b/packetbeat/docs/visualizing-data-packetbeat.asciidoc
deleted file mode 100644
index 12b34aced1be..000000000000
--- a/packetbeat/docs/visualizing-data-packetbeat.asciidoc
+++ /dev/null
@@ -1,47 +0,0 @@
-[[visualizing-data-packetbeat]]
-= Visualize Packetbeat data in Kibana
-
-[partintro]
---
-
-Before trying to visualize Packetbeat data in Kibana, we recommend that you
-<<load-kibana-dashboards,set up the example Kibana dashboards>>. Then read the
-topics in this section to learn how to work with Packetbeat data in Kibana:
-
-* <<customizing-discover>>
-* <<kibana-queries-filters>>
-
-Also see the {kibana-ref}/index.html[Kibana User Guide].
---
-
-[[customizing-discover]]
-== Customize the Discover page
-
-To make it easier for you to search and discover Packetbeat data in Kibana, the
-sample dashboards contain predefined searches. These searches are not default
-views on the *Discover* page. To use these searches, make sure you've
-<<load-kibana-dashboards,set up the example Kibana dashboards>>. Then go to the
-*Discover* page and click *Open*.
-
-Type `Packetbeat` in the Search field to filter the list of searches.
-
-[role="screenshot"]
-image::./images/saved-packetbeat-searches.png[Saved Packetbeat Searches]
-
-You can use the predefined searches to customize the columns in the Discover
-table. For example, select the *Packetbeat Search* to customize the columns in
-the Discover table:
-
-[role="screenshot"]
-image::./images/discovery-packetbeat-transactions.png[Packetbeat Search]
-
-Select the *Packetbeat Flows Search* to display the most important information
-for Packetbeat flows:
-
-[role="screenshot"]
-image::./images/discovery-packetbeat-flows.png[Packetbeat Flows Search]
-
-
-
-
-
diff --git a/winlogbeat/docs/configuring-howto.asciidoc b/winlogbeat/docs/configuring-howto.asciidoc
deleted file mode 100644
index b546a511e12c..000000000000
--- a/winlogbeat/docs/configuring-howto.asciidoc
+++ /dev/null
@@ -1,60 +0,0 @@
-[[configuring-howto-winlogbeat]]
-= Configure {beatname_uc}
-
-[partintro]
---
-++++
-<titleabbrev>Configure</titleabbrev>
-++++
-
-include::{libbeat-dir}/shared/configuring-intro.asciidoc[]
-
-* <<configuration-winlogbeat-options>>
-* <<configuration-general-options>>
-* <<configuration-path>>
-* <<configuring-output>>
-* <<configuration-ssl>>
-* <<ilm>>
-* <<configuration-template>>
-* <<setup-kibana-endpoint>>
-* <<configuration-dashboards>>
-* <<filtering-and-enhancing-data>>
-* <<configuring-internal-queue>>
-* <<configuration-logging>>
-* <<http-endpoint>>
-* <<configuration-instrumentation>>
-* <<{beatname_lc}-reference-yml>>
-
---
-
-include::./winlogbeat-options.asciidoc[]
-
-include::./winlogbeat-general-options.asciidoc[]
-
-include::{libbeat-dir}/shared-path-config.asciidoc[]
-
-include::{libbeat-dir}/outputconfig.asciidoc[]
-
-ifndef::no_kerberos[]
-include::{libbeat-dir}/shared-kerberos-config.asciidoc[]
-endif::[]
-
-include::{libbeat-dir}/shared-ssl-config.asciidoc[]
-
-include::{libbeat-dir}/shared-ilm.asciidoc[]
-
-include::{libbeat-dir}/setup-config.asciidoc[]
-
-include::./winlogbeat-filtering.asciidoc[]
-
-include::{libbeat-dir}/queueconfig.asciidoc[]
-
-include::{libbeat-dir}/loggingconfig.asciidoc[]
-
-include::{libbeat-dir}/http-endpoint.asciidoc[]
-
-include::./metrics-winlogbeat.asciidoc[]
-
-include::{libbeat-dir}/shared-instrumentation.asciidoc[]
-
-include::{libbeat-dir}/reference-yml.asciidoc[]
diff --git a/winlogbeat/docs/faq.asciidoc b/winlogbeat/docs/faq.asciidoc
deleted file mode 100644
index 9f8d891d7b31..000000000000
--- a/winlogbeat/docs/faq.asciidoc
+++ /dev/null
@@ -1,55 +0,0 @@
-[[faq]]
-== Common problems
-
-This section describes common problems you might encounter with
-{beatname_uc}. Also check out the
-https://discuss.elastic.co/c/beats/{beatname_lc}[{beatname_uc} discussion forum].
-
-[[dashboard-fields-incorrect]]
-=== Dashboard in {kib} is breaking up data fields incorrectly
-
-The index template might not be loaded correctly. See <<winlogbeat-template>>.
-
-[[bogus-computer-name-fields]]
-=== Bogus computer_name fields are reported in some events
-
-Prior to the hostname configuration stage, during OS installation any event log
-records generated may have a randomly assigned hostname.
-
-include::{libbeat-dir}/shared-faq.asciidoc[]
-
-[[reading-from-evtx]]
-=== Not sure how to read from .evtx files
-
-Yes, {beatname_uc} can ingest archived .evtx files. When you set the `name`
-parameter as the absolute path to an event log file it will read from that file.
-Here's an example. First create a new config file for {beatname_uc}.
-
-winlogbeat-evtx.yml
-[source,yaml]
-----
-winlogbeat.event_logs:
-  - name: ${EVTX_FILE} <1>
-    no_more_events: stop <2>
-
-winlogbeat.shutdown_timeout: 30s <3>
-winlogbeat.registry_file: evtx-registry.yml <4>
-
-output.elasticsearch.hosts: ['http://localhost:9200']
-----
-1. `name` will be set to the value of the `EVTX_FILE` environment variable.
-2. `no_more_events` sets the behavior of {beatname_uc} when Windows reports that
-   there are no more events to read. We want {beatname_uc} to _stop_ rather than
-   _wait_ since this is an archived file that will not receive any more events.
-3. `shutdown_timeout` controls the maximum amount of time {beatname_uc} will wait
-   to finish publishing the events to {es} after stopping because it
-   reached the end of the log.
-4. A separate registry file is used to avoid overwriting the default registry
-   file. You can delete this file after you're done ingesting the .evtx data.
-
-Now execute {beatname_uc} and wait for it to complete. It will exit when it's done.
-
-[source,sh]
-----
-.\winlogbeat.exe -e -c .\winlogbeat-evtx.yml -E EVTX_FILE=c:\backup\Security-2019.01.evtx
-----
diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc
deleted file mode 100644
index aefd33a8b93c..000000000000
--- a/winlogbeat/docs/fields.asciidoc
+++ /dev/null
@@ -1,17506 +0,0 @@
-
-////
-This file is generated! See _meta/fields.yml and scripts/generate_fields_docs.py
-////
-
-:edit_url:
-
-[[exported-fields]]
-= Exported fields
-
-[partintro]
-
---
-This document describes the fields that are exported by Winlogbeat. They are
-grouped in the following categories:
-
-* <<exported-fields-beat-common>>
-* <<exported-fields-cloud>>
-* <<exported-fields-docker-processor>>
-* <<exported-fields-ecs>>
-* <<exported-fields-eventlog>>
-* <<exported-fields-host-processor>>
-* <<exported-fields-jolokia-autodiscover>>
-* <<exported-fields-kubernetes-processor>>
-* <<exported-fields-powershell>>
-* <<exported-fields-process>>
-* <<exported-fields-security>>
-* <<exported-fields-sysmon>>
-* <<exported-fields-winlog>>
-
---
-[[exported-fields-beat-common]]
-== Beat fields
-
-Contains common beat fields available in all event types.
-
-
-
-*`agent.hostname`*::
-+
---
-Deprecated - use agent.name or agent.id to identify an agent.
-
-
-type: alias
-
-alias to: agent.name
-
---
-
-*`beat.timezone`*::
-+
---
-type: alias
-
-alias to: event.timezone
-
---
-
-*`fields`*::
-+
---
-Contains user configurable fields.
-
-
-type: object
-
---
-
-*`beat.name`*::
-+
---
-type: alias
-
-alias to: host.name
-
---
-
-*`beat.hostname`*::
-+
---
-type: alias
-
-alias to: agent.name
-
---
-
-*`timeseries.instance`*::
-+
---
-Time series instance id
-
-type: keyword
-
---
-
-[[exported-fields-cloud]]
-== Cloud provider metadata fields
-
-Metadata from cloud providers added by the add_cloud_metadata processor.
-
-
-
-*`cloud.image.id`*::
-+
---
-Image ID for the cloud instance.
-
-
-example: ami-abcd1234
-
---
-
-*`meta.cloud.provider`*::
-+
---
-type: alias
-
-alias to: cloud.provider
-
---
-
-*`meta.cloud.instance_id`*::
-+
---
-type: alias
-
-alias to: cloud.instance.id
-
---
-
-*`meta.cloud.instance_name`*::
-+
---
-type: alias
-
-alias to: cloud.instance.name
-
---
-
-*`meta.cloud.machine_type`*::
-+
---
-type: alias
-
-alias to: cloud.machine.type
-
---
-
-*`meta.cloud.availability_zone`*::
-+
---
-type: alias
-
-alias to: cloud.availability_zone
-
---
-
-*`meta.cloud.project_id`*::
-+
---
-type: alias
-
-alias to: cloud.project.id
-
---
-
-*`meta.cloud.region`*::
-+
---
-type: alias
-
-alias to: cloud.region
-
---
-
-[[exported-fields-docker-processor]]
-== Docker fields
-
-Docker stats collected from Docker.
-
-
-
-
-*`docker.container.id`*::
-+
---
-type: alias
-
-alias to: container.id
-
---
-
-*`docker.container.image`*::
-+
---
-type: alias
-
-alias to: container.image.name
-
---
-
-*`docker.container.name`*::
-+
---
-type: alias
-
-alias to: container.name
-
---
-
-*`docker.container.labels`*::
-+
---
-Image labels.
-
-
-type: object
-
---
-
-[[exported-fields-ecs]]
-== ECS fields
-
-
-This section defines Elastic Common Schema (ECS) fields—a common set of fields
-to be used when storing event data in {es}.
-
-This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}.
-The goal of ECS is to enable and encourage users of {es} to normalize their event data,
-so that they can better analyze, visualize, and correlate the data represented in their events.
-
-See the {ecs-ref}[ECS reference] for more information.
-
-*`@timestamp`*::
-+
---
-Date/time when the event originated.
-This is the date/time extracted from the event, typically representing when the event was generated by the source.
-If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
-Required field for all events.
-
-type: date
-
-example: 2016-05-23T08:05:34.853Z
-
-required: True
-
---
-
-*`labels`*::
-+
---
-Custom key/value pairs.
-Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
-Example: `docker` and `k8s` labels.
-
-type: object
-
-example: {"application": "foo-bar", "env": "production"}
-
---
-
-*`message`*::
-+
---
-For log events the message field contains the log message, optimized for viewing in a log viewer.
-For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
-If multiple messages exist, they can be combined into one message.
-
-type: match_only_text
-
-example: Hello World
-
---
-
-*`tags`*::
-+
---
-List of keywords used to tag each event.
-
-type: keyword
-
-example: ["production", "env2"]
-
---
-
-[float]
-=== agent
-
-The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.
-Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
-
-
-*`agent.build.original`*::
-+
---
-Extended build information for the agent.
-This field is intended to contain any build information that a data source may provide, no specific formatting is required.
-
-type: keyword
-
-example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]
-
---
-
-*`agent.ephemeral_id`*::
-+
---
-Ephemeral identifier of this agent (if one exists).
-This id normally changes across restarts, but `agent.id` does not.
-
-type: keyword
-
-example: 8a4f500f
-
---
-
-*`agent.id`*::
-+
---
-Unique identifier of this agent (if one exists).
-Example: For Beats this would be beat.id.
-
-type: keyword
-
-example: 8a4f500d
-
---
-
-*`agent.name`*::
-+
---
-Custom name of the agent.
-This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.
-If no name is given, the name is often left empty.
-
-type: keyword
-
-example: foo
-
---
-
-*`agent.type`*::
-+
---
-Type of the agent.
-The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.
-
-type: keyword
-
-example: filebeat
-
---
-
-*`agent.version`*::
-+
---
-Version of the agent.
-
-type: keyword
-
-example: 6.0.0-rc2
-
---
-
-[float]
-=== as
-
-An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
-
-
-*`as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-[float]
-=== client
-
-A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records.
-For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events.
-Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
-
-
-*`client.address`*::
-+
---
-Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
-Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
-
-type: keyword
-
---
-
-*`client.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`client.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`client.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`client.bytes`*::
-+
---
-Bytes sent from the client to the server.
-
-type: long
-
-example: 184
-
-format: bytes
-
---
-
-*`client.domain`*::
-+
---
-The domain name of the client system.
-This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
-
-type: keyword
-
-example: foo.example.com
-
---
-
-*`client.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`client.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`client.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`client.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`client.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`client.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`client.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`client.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`client.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`client.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`client.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`client.ip`*::
-+
---
-IP address of the client (IPv4 or IPv6).
-
-type: ip
-
---
-
-*`client.mac`*::
-+
---
-MAC address of the client.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: 00-00-5E-00-53-23
-
---
-
-*`client.nat.ip`*::
-+
---
-Translated IP of source based NAT sessions (e.g. internal client to internet).
-Typically connections traversing load balancers, firewalls, or routers.
-
-type: ip
-
---
-
-*`client.nat.port`*::
-+
---
-Translated port of source based NAT sessions (e.g. internal client to internet).
-Typically connections traversing load balancers, firewalls, or routers.
-
-type: long
-
-format: string
-
---
-
-*`client.packets`*::
-+
---
-Packets sent from the client to the server.
-
-type: long
-
-example: 12
-
---
-
-*`client.port`*::
-+
---
-Port of the client.
-
-type: long
-
-format: string
-
---
-
-*`client.registered_domain`*::
-+
---
-The highest registered client domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`client.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`client.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`client.user.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`client.user.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`client.user.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`client.user.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`client.user.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`client.user.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`client.user.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`client.user.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`client.user.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`client.user.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`client.user.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`client.user.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-[float]
-=== cloud
-
-Fields related to the cloud or infrastructure the events are coming from.
-
-
-*`cloud.account.id`*::
-+
---
-The cloud account or organization id used to identify different entities in a multi-tenant environment.
-Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
-
-type: keyword
-
-example: 666777888999
-
---
-
-*`cloud.account.name`*::
-+
---
-The cloud account name or alias used to identify different entities in a multi-tenant environment.
-Examples: AWS account name, Google Cloud ORG display name.
-
-type: keyword
-
-example: elastic-dev
-
---
-
-*`cloud.availability_zone`*::
-+
---
-Availability zone in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1c
-
---
-
-*`cloud.instance.id`*::
-+
---
-Instance ID of the host machine.
-
-type: keyword
-
-example: i-1234567890abcdef0
-
---
-
-*`cloud.instance.name`*::
-+
---
-Instance name of the host machine.
-
-type: keyword
-
---
-
-*`cloud.machine.type`*::
-+
---
-Machine type of the host machine.
-
-type: keyword
-
-example: t2.medium
-
---
-
-*`cloud.origin.account.id`*::
-+
---
-The cloud account or organization id used to identify different entities in a multi-tenant environment.
-Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
-
-type: keyword
-
-example: 666777888999
-
---
-
-*`cloud.origin.account.name`*::
-+
---
-The cloud account name or alias used to identify different entities in a multi-tenant environment.
-Examples: AWS account name, Google Cloud ORG display name.
-
-type: keyword
-
-example: elastic-dev
-
---
-
-*`cloud.origin.availability_zone`*::
-+
---
-Availability zone in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1c
-
---
-
-*`cloud.origin.instance.id`*::
-+
---
-Instance ID of the host machine.
-
-type: keyword
-
-example: i-1234567890abcdef0
-
---
-
-*`cloud.origin.instance.name`*::
-+
---
-Instance name of the host machine.
-
-type: keyword
-
---
-
-*`cloud.origin.machine.type`*::
-+
---
-Machine type of the host machine.
-
-type: keyword
-
-example: t2.medium
-
---
-
-*`cloud.origin.project.id`*::
-+
---
-The cloud project identifier.
-Examples: Google Cloud Project id, Azure Project id.
-
-type: keyword
-
-example: my-project
-
---
-
-*`cloud.origin.project.name`*::
-+
---
-The cloud project name.
-Examples: Google Cloud Project name, Azure Project name.
-
-type: keyword
-
-example: my project
-
---
-
-*`cloud.origin.provider`*::
-+
---
-Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-
-type: keyword
-
-example: aws
-
---
-
-*`cloud.origin.region`*::
-+
---
-Region in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1
-
---
-
-*`cloud.origin.service.name`*::
-+
---
-The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.
-Examples: app engine, app service, cloud run, fargate, lambda.
-
-type: keyword
-
-example: lambda
-
---
-
-*`cloud.project.id`*::
-+
---
-The cloud project identifier.
-Examples: Google Cloud Project id, Azure Project id.
-
-type: keyword
-
-example: my-project
-
---
-
-*`cloud.project.name`*::
-+
---
-The cloud project name.
-Examples: Google Cloud Project name, Azure Project name.
-
-type: keyword
-
-example: my project
-
---
-
-*`cloud.provider`*::
-+
---
-Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-
-type: keyword
-
-example: aws
-
---
-
-*`cloud.region`*::
-+
---
-Region in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1
-
---
-
-*`cloud.service.name`*::
-+
---
-The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.
-Examples: app engine, app service, cloud run, fargate, lambda.
-
-type: keyword
-
-example: lambda
-
---
-
-*`cloud.target.account.id`*::
-+
---
-The cloud account or organization id used to identify different entities in a multi-tenant environment.
-Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
-
-type: keyword
-
-example: 666777888999
-
---
-
-*`cloud.target.account.name`*::
-+
---
-The cloud account name or alias used to identify different entities in a multi-tenant environment.
-Examples: AWS account name, Google Cloud ORG display name.
-
-type: keyword
-
-example: elastic-dev
-
---
-
-*`cloud.target.availability_zone`*::
-+
---
-Availability zone in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1c
-
---
-
-*`cloud.target.instance.id`*::
-+
---
-Instance ID of the host machine.
-
-type: keyword
-
-example: i-1234567890abcdef0
-
---
-
-*`cloud.target.instance.name`*::
-+
---
-Instance name of the host machine.
-
-type: keyword
-
---
-
-*`cloud.target.machine.type`*::
-+
---
-Machine type of the host machine.
-
-type: keyword
-
-example: t2.medium
-
---
-
-*`cloud.target.project.id`*::
-+
---
-The cloud project identifier.
-Examples: Google Cloud Project id, Azure Project id.
-
-type: keyword
-
-example: my-project
-
---
-
-*`cloud.target.project.name`*::
-+
---
-The cloud project name.
-Examples: Google Cloud Project name, Azure Project name.
-
-type: keyword
-
-example: my project
-
---
-
-*`cloud.target.provider`*::
-+
---
-Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-
-type: keyword
-
-example: aws
-
---
-
-*`cloud.target.region`*::
-+
---
-Region in which this host, resource, or service is located.
-
-type: keyword
-
-example: us-east-1
-
---
-
-*`cloud.target.service.name`*::
-+
---
-The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.
-Examples: app engine, app service, cloud run, fargate, lambda.
-
-type: keyword
-
-example: lambda
-
---
-
-[float]
-=== code_signature
-
-These fields contain information about binary code signatures.
-
-
-*`code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-[float]
-=== container
-
-Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.
-
-
-*`container.cpu.usage`*::
-+
---
-Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000.
-
-type: scaled_float
-
---
-
-*`container.disk.read.bytes`*::
-+
---
-The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
-
-type: long
-
---
-
-*`container.disk.write.bytes`*::
-+
---
-The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
-
-type: long
-
---
-
-*`container.id`*::
-+
---
-Unique container id.
-
-type: keyword
-
---
-
-*`container.image.name`*::
-+
---
-Name of the image the container was built on.
-
-type: keyword
-
---
-
-*`container.image.tag`*::
-+
---
-Container image tags.
-
-type: keyword
-
---
-
-*`container.labels`*::
-+
---
-Image labels.
-
-type: object
-
---
-
-*`container.memory.usage`*::
-+
---
-Memory usage percentage and it ranges from 0 to 1. Scaling factor: 1000.
-
-type: scaled_float
-
---
-
-*`container.name`*::
-+
---
-Container name.
-
-type: keyword
-
---
-
-*`container.network.egress.bytes`*::
-+
---
-The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.
-
-type: long
-
---
-
-*`container.network.ingress.bytes`*::
-+
---
-The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.
-
-type: long
-
---
-
-*`container.runtime`*::
-+
---
-Runtime managing this container.
-
-type: keyword
-
-example: docker
-
---
-
-[float]
-=== data_stream
-
-The data_stream fields take part in defining the new data stream naming scheme.
-In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post].
-An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].
-
-
-*`data_stream.dataset`*::
-+
---
-The field can contain anything that makes sense to signify the source of the data.
-Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`.
-Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions:
-  * Must not contain `-`
-  * No longer than 100 characters
-
-type: constant_keyword
-
-example: nginx.access
-
---
-
-*`data_stream.namespace`*::
-+
---
-A user defined namespace. Namespaces are useful to allow grouping of data.
-Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`.
-Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions:
-  * Must not contain `-`
-  * No longer than 100 characters
-
-type: constant_keyword
-
-example: production
-
---
-
-*`data_stream.type`*::
-+
---
-An overarching type for the data stream.
-Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
-
-type: constant_keyword
-
-example: logs
-
---
-
-[float]
-=== destination
-
-Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
-Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
-
-
-*`destination.address`*::
-+
---
-Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
-Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
-
-type: keyword
-
---
-
-*`destination.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`destination.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`destination.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`destination.bytes`*::
-+
---
-Bytes sent from the destination to the source.
-
-type: long
-
-example: 184
-
-format: bytes
-
---
-
-*`destination.domain`*::
-+
---
-The domain name of the destination system.
-This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
-
-type: keyword
-
-example: foo.example.com
-
---
-
-*`destination.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`destination.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`destination.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`destination.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`destination.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`destination.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`destination.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`destination.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`destination.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`destination.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`destination.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`destination.ip`*::
-+
---
-IP address of the destination (IPv4 or IPv6).
-
-type: ip
-
---
-
-*`destination.mac`*::
-+
---
-MAC address of the destination.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: 00-00-5E-00-53-23
-
---
-
-*`destination.nat.ip`*::
-+
---
-Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
-Typically used with load balancers, firewalls, or routers.
-
-type: ip
-
---
-
-*`destination.nat.port`*::
-+
---
-Port the source session is translated to by NAT Device.
-Typically used with load balancers, firewalls, or routers.
-
-type: long
-
-format: string
-
---
-
-*`destination.packets`*::
-+
---
-Packets sent from the destination to the source.
-
-type: long
-
-example: 12
-
---
-
-*`destination.port`*::
-+
---
-Port of the destination.
-
-type: long
-
-format: string
-
---
-
-*`destination.registered_domain`*::
-+
---
-The highest registered destination domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`destination.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`destination.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`destination.user.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`destination.user.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`destination.user.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`destination.user.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`destination.user.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`destination.user.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`destination.user.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`destination.user.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`destination.user.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`destination.user.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`destination.user.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`destination.user.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-[float]
-=== dll
-
-These fields contain information about code libraries dynamically loaded into processes.
-
-Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following:
-* Dynamic-link library (`.dll`) commonly used on Windows
-* Shared Object (`.so`) commonly used on Unix-like operating systems
-* Dynamic library (`.dylib`) commonly used on macOS
-
-
-*`dll.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`dll.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`dll.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`dll.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`dll.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`dll.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`dll.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`dll.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`dll.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`dll.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`dll.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`dll.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`dll.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`dll.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`dll.name`*::
-+
---
-Name of the library.
-This generally maps to the name of the file on disk.
-
-type: keyword
-
-example: kernel32.dll
-
---
-
-*`dll.path`*::
-+
---
-Full file path of the library.
-
-type: keyword
-
-example: C:\Windows\System32\kernel32.dll
-
---
-
-*`dll.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`dll.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`dll.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`dll.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`dll.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`dll.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`dll.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-[float]
-=== dns
-
-Fields describing DNS queries and answers.
-DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).
-
-
-*`dns.answers`*::
-+
---
-An array containing an object for each answer section returned by the server.
-The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.
-Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
-
-type: object
-
---
-
-*`dns.answers.class`*::
-+
---
-The class of DNS data contained in this resource record.
-
-type: keyword
-
-example: IN
-
---
-
-*`dns.answers.data`*::
-+
---
-The data describing the resource.
-The meaning of this data depends on the type and class of the resource record.
-
-type: keyword
-
-example: 10.10.10.10
-
---
-
-*`dns.answers.name`*::
-+
---
-The domain name to which this resource record pertains.
-If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`dns.answers.ttl`*::
-+
---
-The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
-
-type: long
-
-example: 180
-
---
-
-*`dns.answers.type`*::
-+
---
-The type of data contained in this resource record.
-
-type: keyword
-
-example: CNAME
-
---
-
-*`dns.header_flags`*::
-+
---
-Array of 2 letter DNS header flags.
-Expected values are: AA, TC, RD, RA, AD, CD, DO.
-
-type: keyword
-
-example: ["RD", "RA"]
-
---
-
-*`dns.id`*::
-+
---
-The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
-
-type: keyword
-
-example: 62111
-
---
-
-*`dns.op_code`*::
-+
---
-The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
-
-type: keyword
-
-example: QUERY
-
---
-
-*`dns.question.class`*::
-+
---
-The class of records being queried.
-
-type: keyword
-
-example: IN
-
---
-
-*`dns.question.name`*::
-+
---
-The name being queried.
-If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`dns.question.registered_domain`*::
-+
---
-The highest registered domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`dns.question.subdomain`*::
-+
---
-The subdomain is all of the labels under the registered_domain.
-If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: www
-
---
-
-*`dns.question.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`dns.question.type`*::
-+
---
-The type of record being queried.
-
-type: keyword
-
-example: AAAA
-
---
-
-*`dns.resolved_ip`*::
-+
---
-Array containing all IPs seen in `answers.data`.
-The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
-
-type: ip
-
-example: ["10.10.10.10", "10.10.10.11"]
-
---
-
-*`dns.response_code`*::
-+
---
-The DNS response code.
-
-type: keyword
-
-example: NOERROR
-
---
-
-*`dns.type`*::
-+
---
-The type of DNS event captured, query or answer.
-If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.
-If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
-
-type: keyword
-
-example: answer
-
---
-
-[float]
-=== ecs
-
-Meta-information specific to ECS.
-
-
-*`ecs.version`*::
-+
---
-ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
-When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
-
-type: keyword
-
-example: 1.0.0
-
-required: True
-
---
-
-[float]
-=== elf
-
-These fields contain Linux Executable Linkable Format (ELF) metadata.
-
-
-*`elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-[float]
-=== error
-
-These fields can represent errors of any kind.
-Use them for errors that happen while fetching events or in cases where the event itself contains an error.
-
-
-*`error.code`*::
-+
---
-Error code describing the error.
-
-type: keyword
-
---
-
-*`error.id`*::
-+
---
-Unique identifier for the error.
-
-type: keyword
-
---
-
-*`error.message`*::
-+
---
-Error message.
-
-type: match_only_text
-
---
-
-*`error.stack_trace`*::
-+
---
-The stack trace of this error in plain text.
-
-type: wildcard
-
---
-
-*`error.stack_trace.text`*::
-+
---
-type: match_only_text
-
---
-
-*`error.type`*::
-+
---
-The type of the error, for example the class name of the exception.
-
-type: keyword
-
-example: java.lang.NullPointerException
-
---
-
-[float]
-=== event
-
-The event fields are used for context information about the log or metric event itself.
-A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.
-
-
-*`event.action`*::
-+
---
-The action captured by the event.
-This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
-
-type: keyword
-
-example: user-password-change
-
---
-
-*`event.agent_id_status`*::
-+
---
-Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation.
-For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used.
-If no validation is performed then the field should be omitted.
-The allowed values are:
-`verified` - The `agent.id` field value matches expected value obtained from auth metadata.
-`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata.
-`missing` - There was no `agent.id` field in the event to validate.
-`auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID.
-
-type: keyword
-
-example: verified
-
---
-
-*`event.category`*::
-+
---
-This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
-`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
-This field is an array. This will allow proper categorization of some events that fall in multiple categories.
-
-type: keyword
-
-example: authentication
-
---
-
-*`event.code`*::
-+
---
-Identification code for this event, if one exists.
-Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
-
-type: keyword
-
-example: 4648
-
---
-
-*`event.created`*::
-+
---
-event.created contains the date/time when the event was first read by an agent, or by your pipeline.
-This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
-In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
-In case the two timestamps are identical, @timestamp should be used.
-
-type: date
-
-example: 2016-05-23T08:05:34.857Z
-
---
-
-*`event.dataset`*::
-+
---
-Name of the dataset.
-If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
-It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
-
-type: keyword
-
-example: apache.access
-
---
-
-*`event.duration`*::
-+
---
-Duration of the event in nanoseconds.
-If event.start and event.end are known this value should be the difference between the end and start time.
-
-type: long
-
-format: duration
-
---
-
-*`event.end`*::
-+
---
-event.end contains the date when the event ended or when the activity was last observed.
-
-type: date
-
---
-
-*`event.hash`*::
-+
---
-Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
-
-type: keyword
-
-example: 123456789012345678901234567890ABCD
-
---
-
-*`event.id`*::
-+
---
-Unique ID to describe the event.
-
-type: keyword
-
-example: 8a4f500d
-
---
-
-*`event.ingested`*::
-+
---
-Timestamp when an event arrived in the central data store.
-This is different from `@timestamp`, which is when the event originally occurred.  It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
-In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
-
-type: date
-
-example: 2016-05-23T08:05:35.101Z
-
---
-
-*`event.kind`*::
-+
---
-This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
-`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
-The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
-
-type: keyword
-
-example: alert
-
---
-
-*`event.module`*::
-+
---
-Name of the module this data is coming from.
-If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.
-
-type: keyword
-
-example: apache
-
---
-
-*`event.original`*::
-+
---
-Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
-This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
-
-type: keyword
-
-example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
-
-Field is not indexed.
-
---
-
-*`event.outcome`*::
-+
---
-This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
-`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
-Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
-Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
-Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
-
-type: keyword
-
-example: success
-
---
-
-*`event.provider`*::
-+
---
-Source of the event.
-Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
-
-type: keyword
-
-example: kernel
-
---
-
-*`event.reason`*::
-+
---
-Reason why this event happened, according to the source.
-This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
-
-type: keyword
-
-example: Terminated an unexpected process
-
---
-
-*`event.reference`*::
-+
---
-Reference URL linking to additional information about this event.
-This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
-
-type: keyword
-
-example: https://system.example.com/event/#0001234
-
---
-
-*`event.risk_score`*::
-+
---
-Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
-
-type: float
-
---
-
-*`event.risk_score_norm`*::
-+
---
-Normalized risk score or priority of the event, on a scale of 0 to 100.
-This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
-
-type: float
-
---
-
-*`event.sequence`*::
-+
---
-Sequence number of the event.
-The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
-
-type: long
-
-format: string
-
---
-
-*`event.severity`*::
-+
---
-The numeric severity of the event according to your event source.
-What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
-The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
-
-type: long
-
-example: 7
-
-format: string
-
---
-
-*`event.start`*::
-+
---
-event.start contains the date when the event started or when the activity was first observed.
-
-type: date
-
---
-
-*`event.timezone`*::
-+
---
-This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
-Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
-
-type: keyword
-
---
-
-*`event.type`*::
-+
---
-This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
-`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
-This field is an array. This will allow proper categorization of some events that fall in multiple event types.
-
-type: keyword
-
---
-
-*`event.url`*::
-+
---
-URL linking to an external system to continue investigation of this event.
-This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
-
-type: keyword
-
-example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
-
---
-
-[float]
-=== faas
-
-The user fields describe information about the function as a service that is relevant to the event.
-
-
-*`faas.coldstart`*::
-+
---
-Boolean value indicating a cold start of a function.
-
-type: boolean
-
---
-
-*`faas.execution`*::
-+
---
-The execution ID of the current function execution.
-
-type: keyword
-
-example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
-
---
-
-*`faas.trigger`*::
-+
---
-Details about the function trigger.
-
-type: nested
-
---
-
-*`faas.trigger.request_id`*::
-+
---
-The ID of the trigger request , message, event, etc.
-
-type: keyword
-
-example: 123456789
-
---
-
-*`faas.trigger.type`*::
-+
---
-The trigger for the function execution.
-Expected values are:
-  * http
-  * pubsub
-  * datasource
-  * timer
-  * other
-
-type: keyword
-
-example: http
-
---
-
-[float]
-=== file
-
-A file is defined as a set of information that has been created on, or has existed on a filesystem.
-File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
-
-
-*`file.accessed`*::
-+
---
-Last time the file was accessed.
-Note that not all filesystems keep track of access time.
-
-type: date
-
---
-
-*`file.attributes`*::
-+
---
-Array of file attributes.
-Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
-
-type: keyword
-
-example: ["readonly", "system"]
-
---
-
-*`file.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`file.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`file.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`file.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`file.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`file.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`file.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`file.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`file.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`file.created`*::
-+
---
-File creation time.
-Note that not all filesystems store the creation time.
-
-type: date
-
---
-
-*`file.ctime`*::
-+
---
-Last time the file attributes or metadata changed.
-Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
-
-type: date
-
---
-
-*`file.device`*::
-+
---
-Device that is the source of the file.
-
-type: keyword
-
-example: sda
-
---
-
-*`file.directory`*::
-+
---
-Directory where the file is located. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice
-
---
-
-*`file.drive_letter`*::
-+
---
-Drive letter where the file is located. This field is only relevant on Windows.
-The value should be uppercase, and not include the colon.
-
-type: keyword
-
-example: C
-
---
-
-*`file.elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`file.elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`file.elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`file.elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`file.elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`file.elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`file.elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`file.elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`file.elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`file.elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`file.elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`file.elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`file.elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`file.elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`file.elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`file.elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`file.elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`file.elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`file.elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`file.elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`file.elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`file.elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`file.elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`file.elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`file.elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`file.elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`file.elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`file.elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`file.elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-*`file.extension`*::
-+
---
-File extension, excluding the leading dot.
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`file.fork_name`*::
-+
---
-A fork is additional data associated with a filesystem object.
-On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.
-On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
-
-type: keyword
-
-example: Zone.Identifer
-
---
-
-*`file.gid`*::
-+
---
-Primary group ID (GID) of the file.
-
-type: keyword
-
-example: 1001
-
---
-
-*`file.group`*::
-+
---
-Primary group name of the file.
-
-type: keyword
-
-example: alice
-
---
-
-*`file.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`file.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`file.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`file.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`file.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`file.inode`*::
-+
---
-Inode representing the file in the filesystem.
-
-type: keyword
-
-example: 256383
-
---
-
-*`file.mime_type`*::
-+
---
-MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
-
-type: keyword
-
---
-
-*`file.mode`*::
-+
---
-Mode of the file in octal representation.
-
-type: keyword
-
-example: 0640
-
---
-
-*`file.mtime`*::
-+
---
-Last time the file content was modified.
-
-type: date
-
---
-
-*`file.name`*::
-+
---
-Name of the file including the extension, without the directory.
-
-type: keyword
-
-example: example.png
-
---
-
-*`file.owner`*::
-+
---
-File owner's username.
-
-type: keyword
-
-example: alice
-
---
-
-*`file.path`*::
-+
---
-Full path to the file, including the file name. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice/example.png
-
---
-
-*`file.path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`file.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`file.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`file.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`file.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`file.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`file.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`file.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-*`file.size`*::
-+
---
-File size in bytes.
-Only relevant when `file.type` is "file".
-
-type: long
-
-example: 16384
-
---
-
-*`file.target_path`*::
-+
---
-Target path for symlinks.
-
-type: keyword
-
---
-
-*`file.target_path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`file.type`*::
-+
---
-File type (file, dir, or symlink).
-
-type: keyword
-
-example: file
-
---
-
-*`file.uid`*::
-+
---
-The user ID (UID) or security identifier (SID) of the file owner.
-
-type: keyword
-
-example: 1001
-
---
-
-*`file.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`file.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`file.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`file.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`file.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`file.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`file.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`file.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`file.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`file.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`file.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`file.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`file.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`file.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`file.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`file.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`file.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`file.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`file.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`file.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`file.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`file.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`file.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`file.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-[float]
-=== geo
-
-Geo fields can carry data about a specific location related to an event.
-This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.
-
-
-*`geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-[float]
-=== group
-
-The group fields are meant to represent groups that are relevant to the event.
-
-
-*`group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-[float]
-=== hash
-
-The hash fields represent different bitwise hash algorithms and their values.
-Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512).
-Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).
-
-
-*`hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-[float]
-=== host
-
-A host is defined as a general computing instance.
-ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
-
-
-*`host.architecture`*::
-+
---
-Operating system architecture.
-
-type: keyword
-
-example: x86_64
-
---
-
-*`host.cpu.usage`*::
-+
---
-Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1.
-Scaling factor: 1000.
-For example: For a two core host, this value should be the average of the two cores, between 0 and 1.
-
-type: scaled_float
-
---
-
-*`host.disk.read.bytes`*::
-+
---
-The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
-
-type: long
-
---
-
-*`host.disk.write.bytes`*::
-+
---
-The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
-
-type: long
-
---
-
-*`host.domain`*::
-+
---
-Name of the domain of which the host is a member.
-For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
-
-type: keyword
-
-example: CONTOSO
-
---
-
-*`host.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`host.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`host.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`host.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`host.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`host.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`host.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`host.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`host.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`host.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`host.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`host.hostname`*::
-+
---
-Hostname of the host.
-It normally contains what the `hostname` command returns on the host machine.
-
-type: keyword
-
---
-
-*`host.id`*::
-+
---
-Unique host id.
-As hostname is not always unique, use values that are meaningful in your environment.
-Example: The current usage of `beat.name`.
-
-type: keyword
-
---
-
-*`host.ip`*::
-+
---
-Host ip addresses.
-
-type: ip
-
---
-
-*`host.mac`*::
-+
---
-Host MAC addresses.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
-
---
-
-*`host.name`*::
-+
---
-Name of the host.
-It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
-
-type: keyword
-
---
-
-*`host.network.egress.bytes`*::
-+
---
-The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.
-
-type: long
-
---
-
-*`host.network.egress.packets`*::
-+
---
-The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.
-
-type: long
-
---
-
-*`host.network.ingress.bytes`*::
-+
---
-The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.
-
-type: long
-
---
-
-*`host.network.ingress.packets`*::
-+
---
-The number of packets (gauge) received on all network interfaces by the host since the last metric collection.
-
-type: long
-
---
-
-*`host.os.family`*::
-+
---
-OS family (such as redhat, debian, freebsd, windows).
-
-type: keyword
-
-example: debian
-
---
-
-*`host.os.full`*::
-+
---
-Operating system name, including the version or code name.
-
-type: keyword
-
-example: Mac OS Mojave
-
---
-
-*`host.os.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`host.os.kernel`*::
-+
---
-Operating system kernel version as a raw string.
-
-type: keyword
-
-example: 4.4.0-112-generic
-
---
-
-*`host.os.name`*::
-+
---
-Operating system name, without the version.
-
-type: keyword
-
-example: Mac OS X
-
---
-
-*`host.os.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`host.os.platform`*::
-+
---
-Operating system platform (such centos, ubuntu, windows).
-
-type: keyword
-
-example: darwin
-
---
-
-*`host.os.type`*::
-+
---
-Use the `os.type` field to categorize the operating system into one of the broad commercial families.
-One of these following values should be used (lowercase): linux, macos, unix, windows.
-If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
-
-type: keyword
-
-example: macos
-
---
-
-*`host.os.version`*::
-+
---
-Operating system version as a raw string.
-
-type: keyword
-
-example: 10.14.1
-
---
-
-*`host.type`*::
-+
---
-Type of host.
-For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
-
-type: keyword
-
---
-
-*`host.uptime`*::
-+
---
-Seconds the host has been up.
-
-type: long
-
-example: 1325
-
---
-
-[float]
-=== http
-
-Fields related to HTTP activity. Use the `url` field set to store the url of the request.
-
-
-*`http.request.body.bytes`*::
-+
---
-Size in bytes of the request body.
-
-type: long
-
-example: 887
-
-format: bytes
-
---
-
-*`http.request.body.content`*::
-+
---
-The full HTTP request body.
-
-type: wildcard
-
-example: Hello world
-
---
-
-*`http.request.body.content.text`*::
-+
---
-type: match_only_text
-
---
-
-*`http.request.bytes`*::
-+
---
-Total size in bytes of the request (body and headers).
-
-type: long
-
-example: 1437
-
-format: bytes
-
---
-
-*`http.request.id`*::
-+
---
-A unique identifier for each HTTP request to correlate logs between clients and servers in transactions.
-The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`.
-
-type: keyword
-
-example: 123e4567-e89b-12d3-a456-426614174000
-
---
-
-*`http.request.method`*::
-+
---
-HTTP request method.
-The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
-
-type: keyword
-
-example: POST
-
---
-
-*`http.request.mime_type`*::
-+
---
-Mime type of the body of the request.
-This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients.
-
-type: keyword
-
-example: image/gif
-
---
-
-*`http.request.referrer`*::
-+
---
-Referrer for this HTTP request.
-
-type: keyword
-
-example: https://blog.example.com/
-
---
-
-*`http.response.body.bytes`*::
-+
---
-Size in bytes of the response body.
-
-type: long
-
-example: 887
-
-format: bytes
-
---
-
-*`http.response.body.content`*::
-+
---
-The full HTTP response body.
-
-type: wildcard
-
-example: Hello world
-
---
-
-*`http.response.body.content.text`*::
-+
---
-type: match_only_text
-
---
-
-*`http.response.bytes`*::
-+
---
-Total size in bytes of the response (body and headers).
-
-type: long
-
-example: 1437
-
-format: bytes
-
---
-
-*`http.response.mime_type`*::
-+
---
-Mime type of the body of the response.
-This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers.
-
-type: keyword
-
-example: image/gif
-
---
-
-*`http.response.status_code`*::
-+
---
-HTTP response status code.
-
-type: long
-
-example: 404
-
-format: string
-
---
-
-*`http.version`*::
-+
---
-HTTP version.
-
-type: keyword
-
-example: 1.1
-
---
-
-[float]
-=== interface
-
-The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection.  In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.
-
-
-*`interface.alias`*::
-+
---
-Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
-
-type: keyword
-
-example: outside
-
---
-
-*`interface.id`*::
-+
---
-Interface ID as reported by an observer (typically SNMP interface ID).
-
-type: keyword
-
-example: 10
-
---
-
-*`interface.name`*::
-+
---
-Interface name as reported by the system.
-
-type: keyword
-
-example: eth0
-
---
-
-[float]
-=== log
-
-Details about the event's logging mechanism or logging transport.
-The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`.
-The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields.
-
-
-*`log.file.path`*::
-+
---
-Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
-If the event wasn't read from a log file, do not populate this field.
-
-type: keyword
-
-example: /var/log/fun-times.log
-
---
-
-*`log.level`*::
-+
---
-Original log level of the log event.
-If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
-Some examples are `warn`, `err`, `i`, `informational`.
-
-type: keyword
-
-example: error
-
---
-
-*`log.logger`*::
-+
---
-The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
-
-type: keyword
-
-example: org.elasticsearch.bootstrap.Bootstrap
-
---
-
-*`log.origin.file.line`*::
-+
---
-The line number of the file containing the source code which originated the log event.
-
-type: long
-
-example: 42
-
---
-
-*`log.origin.file.name`*::
-+
---
-The name of the file containing the source code which originated the log event.
-Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.
-
-type: keyword
-
-example: Bootstrap.java
-
---
-
-*`log.origin.function`*::
-+
---
-The name of the function or method which originated the log event.
-
-type: keyword
-
-example: init
-
---
-
-*`log.syslog`*::
-+
---
-The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
-
-type: object
-
---
-
-*`log.syslog.facility.code`*::
-+
---
-The Syslog numeric facility of the log event, if available.
-According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
-
-type: long
-
-example: 23
-
-format: string
-
---
-
-*`log.syslog.facility.name`*::
-+
---
-The Syslog text-based facility of the log event, if available.
-
-type: keyword
-
-example: local7
-
---
-
-*`log.syslog.priority`*::
-+
---
-Syslog numeric priority of the event, if available.
-According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
-
-type: long
-
-example: 135
-
-format: string
-
---
-
-*`log.syslog.severity.code`*::
-+
---
-The Syslog numeric severity of the log event, if available.
-If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
-
-type: long
-
-example: 3
-
---
-
-*`log.syslog.severity.name`*::
-+
---
-The Syslog numeric severity of the log event, if available.
-If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
-
-type: keyword
-
-example: Error
-
---
-
-[float]
-=== network
-
-The network is defined as the communication path over which a host or network event happens.
-The network.* fields should be populated with details about the network activity associated with an event.
-
-
-*`network.application`*::
-+
---
-When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
-For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
-The field value must be normalized to lowercase for querying.
-
-type: keyword
-
-example: aim
-
---
-
-*`network.bytes`*::
-+
---
-Total bytes transferred in both directions.
-If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
-
-type: long
-
-example: 368
-
-format: bytes
-
---
-
-*`network.community_id`*::
-+
---
-A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
-Learn more at https://github.com/corelight/community-id-spec.
-
-type: keyword
-
-example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
-
---
-
-*`network.direction`*::
-+
---
-Direction of the network traffic.
-Recommended values are:
-  * ingress
-  * egress
-  * inbound
-  * outbound
-  * internal
-  * external
-  * unknown
-
-When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
-When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
-Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
-
-type: keyword
-
-example: inbound
-
---
-
-*`network.forwarded_ip`*::
-+
---
-Host IP address when the source IP address is the proxy.
-
-type: ip
-
-example: 192.1.1.2
-
---
-
-*`network.iana_number`*::
-+
---
-IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
-
-type: keyword
-
-example: 6
-
---
-
-*`network.inner`*::
-+
---
-Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
-
-type: object
-
---
-
-*`network.inner.vlan.id`*::
-+
---
-VLAN ID as reported by the observer.
-
-type: keyword
-
-example: 10
-
---
-
-*`network.inner.vlan.name`*::
-+
---
-Optional VLAN name as reported by the observer.
-
-type: keyword
-
-example: outside
-
---
-
-*`network.name`*::
-+
---
-Name given by operators to sections of their network.
-
-type: keyword
-
-example: Guest Wifi
-
---
-
-*`network.packets`*::
-+
---
-Total packets transferred in both directions.
-If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
-
-type: long
-
-example: 24
-
---
-
-*`network.protocol`*::
-+
---
-In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
-The field value must be normalized to lowercase for querying.
-
-type: keyword
-
-example: http
-
---
-
-*`network.transport`*::
-+
---
-Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
-The field value must be normalized to lowercase for querying.
-
-type: keyword
-
-example: tcp
-
---
-
-*`network.type`*::
-+
---
-In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
-The field value must be normalized to lowercase for querying.
-
-type: keyword
-
-example: ipv4
-
---
-
-*`network.vlan.id`*::
-+
---
-VLAN ID as reported by the observer.
-
-type: keyword
-
-example: 10
-
---
-
-*`network.vlan.name`*::
-+
---
-Optional VLAN name as reported by the observer.
-
-type: keyword
-
-example: outside
-
---
-
-[float]
-=== observer
-
-An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.
-This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
-
-
-*`observer.egress`*::
-+
---
-Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
-
-type: object
-
---
-
-*`observer.egress.interface.alias`*::
-+
---
-Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
-
-type: keyword
-
-example: outside
-
---
-
-*`observer.egress.interface.id`*::
-+
---
-Interface ID as reported by an observer (typically SNMP interface ID).
-
-type: keyword
-
-example: 10
-
---
-
-*`observer.egress.interface.name`*::
-+
---
-Interface name as reported by the system.
-
-type: keyword
-
-example: eth0
-
---
-
-*`observer.egress.vlan.id`*::
-+
---
-VLAN ID as reported by the observer.
-
-type: keyword
-
-example: 10
-
---
-
-*`observer.egress.vlan.name`*::
-+
---
-Optional VLAN name as reported by the observer.
-
-type: keyword
-
-example: outside
-
---
-
-*`observer.egress.zone`*::
-+
---
-Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
-
-type: keyword
-
-example: Public_Internet
-
---
-
-*`observer.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`observer.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`observer.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`observer.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`observer.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`observer.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`observer.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`observer.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`observer.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`observer.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`observer.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`observer.hostname`*::
-+
---
-Hostname of the observer.
-
-type: keyword
-
---
-
-*`observer.ingress`*::
-+
---
-Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic.  Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
-
-type: object
-
---
-
-*`observer.ingress.interface.alias`*::
-+
---
-Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
-
-type: keyword
-
-example: outside
-
---
-
-*`observer.ingress.interface.id`*::
-+
---
-Interface ID as reported by an observer (typically SNMP interface ID).
-
-type: keyword
-
-example: 10
-
---
-
-*`observer.ingress.interface.name`*::
-+
---
-Interface name as reported by the system.
-
-type: keyword
-
-example: eth0
-
---
-
-*`observer.ingress.vlan.id`*::
-+
---
-VLAN ID as reported by the observer.
-
-type: keyword
-
-example: 10
-
---
-
-*`observer.ingress.vlan.name`*::
-+
---
-Optional VLAN name as reported by the observer.
-
-type: keyword
-
-example: outside
-
---
-
-*`observer.ingress.zone`*::
-+
---
-Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
-
-type: keyword
-
-example: DMZ
-
---
-
-*`observer.ip`*::
-+
---
-IP addresses of the observer.
-
-type: ip
-
---
-
-*`observer.mac`*::
-+
---
-MAC addresses of the observer.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
-
---
-
-*`observer.name`*::
-+
---
-Custom name of the observer.
-This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
-If no custom name is needed, the field can be left empty.
-
-type: keyword
-
-example: 1_proxySG
-
---
-
-*`observer.os.family`*::
-+
---
-OS family (such as redhat, debian, freebsd, windows).
-
-type: keyword
-
-example: debian
-
---
-
-*`observer.os.full`*::
-+
---
-Operating system name, including the version or code name.
-
-type: keyword
-
-example: Mac OS Mojave
-
---
-
-*`observer.os.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`observer.os.kernel`*::
-+
---
-Operating system kernel version as a raw string.
-
-type: keyword
-
-example: 4.4.0-112-generic
-
---
-
-*`observer.os.name`*::
-+
---
-Operating system name, without the version.
-
-type: keyword
-
-example: Mac OS X
-
---
-
-*`observer.os.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`observer.os.platform`*::
-+
---
-Operating system platform (such centos, ubuntu, windows).
-
-type: keyword
-
-example: darwin
-
---
-
-*`observer.os.type`*::
-+
---
-Use the `os.type` field to categorize the operating system into one of the broad commercial families.
-One of these following values should be used (lowercase): linux, macos, unix, windows.
-If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
-
-type: keyword
-
-example: macos
-
---
-
-*`observer.os.version`*::
-+
---
-Operating system version as a raw string.
-
-type: keyword
-
-example: 10.14.1
-
---
-
-*`observer.product`*::
-+
---
-The product name of the observer.
-
-type: keyword
-
-example: s200
-
---
-
-*`observer.serial_number`*::
-+
---
-Observer serial number.
-
-type: keyword
-
---
-
-*`observer.type`*::
-+
---
-The type of the observer the data is coming from.
-There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
-
-type: keyword
-
-example: firewall
-
---
-
-*`observer.vendor`*::
-+
---
-Vendor name of the observer.
-
-type: keyword
-
-example: Symantec
-
---
-
-*`observer.version`*::
-+
---
-Observer version.
-
-type: keyword
-
---
-
-[float]
-=== orchestrator
-
-Fields that describe the resources which container orchestrators manage or act upon.
-
-
-*`orchestrator.api_version`*::
-+
---
-API version being used to carry out the action
-
-type: keyword
-
-example: v1beta1
-
---
-
-*`orchestrator.cluster.name`*::
-+
---
-Name of the cluster.
-
-type: keyword
-
---
-
-*`orchestrator.cluster.url`*::
-+
---
-URL of the API used to manage the cluster.
-
-type: keyword
-
---
-
-*`orchestrator.cluster.version`*::
-+
---
-The version of the cluster.
-
-type: keyword
-
---
-
-*`orchestrator.namespace`*::
-+
---
-Namespace in which the action is taking place.
-
-type: keyword
-
-example: kube-system
-
---
-
-*`orchestrator.organization`*::
-+
---
-Organization affected by the event (for multi-tenant orchestrator setups).
-
-type: keyword
-
-example: elastic
-
---
-
-*`orchestrator.resource.name`*::
-+
---
-Name of the resource being acted upon.
-
-type: keyword
-
-example: test-pod-cdcws
-
---
-
-*`orchestrator.resource.type`*::
-+
---
-Type of resource being acted upon.
-
-type: keyword
-
-example: service
-
---
-
-*`orchestrator.type`*::
-+
---
-Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
-
-type: keyword
-
-example: kubernetes
-
---
-
-[float]
-=== organization
-
-The organization fields enrich data with information about the company or entity the data is associated with.
-These fields help you arrange or filter data stored in an index by one or multiple organizations.
-
-
-*`organization.id`*::
-+
---
-Unique identifier for the organization.
-
-type: keyword
-
---
-
-*`organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
---
-
-*`organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-[float]
-=== os
-
-The OS fields contain information about the operating system.
-
-
-*`os.family`*::
-+
---
-OS family (such as redhat, debian, freebsd, windows).
-
-type: keyword
-
-example: debian
-
---
-
-*`os.full`*::
-+
---
-Operating system name, including the version or code name.
-
-type: keyword
-
-example: Mac OS Mojave
-
---
-
-*`os.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`os.kernel`*::
-+
---
-Operating system kernel version as a raw string.
-
-type: keyword
-
-example: 4.4.0-112-generic
-
---
-
-*`os.name`*::
-+
---
-Operating system name, without the version.
-
-type: keyword
-
-example: Mac OS X
-
---
-
-*`os.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`os.platform`*::
-+
---
-Operating system platform (such centos, ubuntu, windows).
-
-type: keyword
-
-example: darwin
-
---
-
-*`os.type`*::
-+
---
-Use the `os.type` field to categorize the operating system into one of the broad commercial families.
-One of these following values should be used (lowercase): linux, macos, unix, windows.
-If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
-
-type: keyword
-
-example: macos
-
---
-
-*`os.version`*::
-+
---
-Operating system version as a raw string.
-
-type: keyword
-
-example: 10.14.1
-
---
-
-[float]
-=== package
-
-These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
-
-
-*`package.architecture`*::
-+
---
-Package architecture.
-
-type: keyword
-
-example: x86_64
-
---
-
-*`package.build_version`*::
-+
---
-Additional information about the build version of the installed package.
-For example use the commit SHA of a non-released package.
-
-type: keyword
-
-example: 36f4f7e89dd61b0988b12ee000b98966867710cd
-
---
-
-*`package.checksum`*::
-+
---
-Checksum of the installed package for verification.
-
-type: keyword
-
-example: 68b329da9893e34099c7d8ad5cb9c940
-
---
-
-*`package.description`*::
-+
---
-Description of the package.
-
-type: keyword
-
-example: Open source programming language to build simple/reliable/efficient software.
-
---
-
-*`package.install_scope`*::
-+
---
-Indicating how the package was installed, e.g. user-local, global.
-
-type: keyword
-
-example: global
-
---
-
-*`package.installed`*::
-+
---
-Time when package was installed.
-
-type: date
-
---
-
-*`package.license`*::
-+
---
-License under which the package was released.
-Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/).
-
-type: keyword
-
-example: Apache License 2.0
-
---
-
-*`package.name`*::
-+
---
-Package name
-
-type: keyword
-
-example: go
-
---
-
-*`package.path`*::
-+
---
-Path where the package is installed.
-
-type: keyword
-
-example: /usr/local/Cellar/go/1.12.9/
-
---
-
-*`package.reference`*::
-+
---
-Home page or reference URL of the software in this package, if available.
-
-type: keyword
-
-example: https://golang.org
-
---
-
-*`package.size`*::
-+
---
-Package size in bytes.
-
-type: long
-
-example: 62231
-
-format: string
-
---
-
-*`package.type`*::
-+
---
-Type of package.
-This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.
-
-type: keyword
-
-example: rpm
-
---
-
-*`package.version`*::
-+
---
-Package version
-
-type: keyword
-
-example: 1.12.9
-
---
-
-[float]
-=== pe
-
-These fields contain Windows Portable Executable (PE) metadata.
-
-
-*`pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-[float]
-=== process
-
-These fields contain information about a process.
-These fields can help you correlate metrics information with a process id/name from a log message.  The `process.pid` often stays in the metric itself and is copied to the global field for correlation.
-
-
-*`process.args`*::
-+
---
-Array of process arguments, starting with the absolute path to the executable.
-May be filtered to protect sensitive information.
-
-type: keyword
-
-example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
-
---
-
-*`process.args_count`*::
-+
---
-Length of the process.args array.
-This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
-
-type: long
-
-example: 4
-
---
-
-*`process.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`process.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`process.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`process.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`process.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`process.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`process.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`process.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`process.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`process.command_line`*::
-+
---
-Full command line that started the process, including the absolute path to the executable, and all arguments.
-Some arguments may be filtered to protect sensitive information.
-
-type: wildcard
-
-example: /usr/bin/ssh -l user 10.0.0.16
-
---
-
-*`process.command_line.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`process.elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`process.elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`process.elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`process.elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`process.elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`process.elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`process.elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`process.elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`process.elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`process.elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`process.elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`process.elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`process.elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`process.elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`process.elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`process.elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`process.elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`process.elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`process.elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`process.elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`process.elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`process.elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`process.elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`process.elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`process.elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`process.elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`process.elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`process.elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-*`process.end`*::
-+
---
-The time the process ended.
-
-type: date
-
-example: 2016-05-23T08:05:34.853Z
-
---
-
-*`process.entity_id`*::
-+
---
-Unique identifier for the process.
-The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
-Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
-
-type: keyword
-
-example: c2c455d9f99375d
-
---
-
-*`process.executable`*::
-+
---
-Absolute path to the process executable.
-
-type: keyword
-
-example: /usr/bin/ssh
-
---
-
-*`process.executable.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.exit_code`*::
-+
---
-The exit code of the process, if this is a termination event.
-The field should be absent if there is no exit code for the event (e.g. process start).
-
-type: long
-
-example: 137
-
---
-
-*`process.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`process.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`process.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`process.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`process.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`process.name`*::
-+
---
-Process name.
-Sometimes called program name or similar.
-
-type: keyword
-
-example: ssh
-
---
-
-*`process.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.parent.args`*::
-+
---
-Array of process arguments, starting with the absolute path to the executable.
-May be filtered to protect sensitive information.
-
-type: keyword
-
-example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
-
---
-
-*`process.parent.args_count`*::
-+
---
-Length of the process.args array.
-This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
-
-type: long
-
-example: 4
-
---
-
-*`process.parent.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`process.parent.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`process.parent.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`process.parent.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`process.parent.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`process.parent.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`process.parent.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`process.parent.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`process.parent.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`process.parent.command_line`*::
-+
---
-Full command line that started the process, including the absolute path to the executable, and all arguments.
-Some arguments may be filtered to protect sensitive information.
-
-type: wildcard
-
-example: /usr/bin/ssh -l user 10.0.0.16
-
---
-
-*`process.parent.command_line.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.parent.elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`process.parent.elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`process.parent.elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`process.parent.elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`process.parent.elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`process.parent.elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`process.parent.elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`process.parent.elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`process.parent.elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`process.parent.elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`process.parent.elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`process.parent.elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`process.parent.elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`process.parent.elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`process.parent.elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`process.parent.elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`process.parent.elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`process.parent.elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`process.parent.elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`process.parent.elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`process.parent.elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`process.parent.elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`process.parent.elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`process.parent.elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`process.parent.elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`process.parent.elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`process.parent.elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`process.parent.elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`process.parent.elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-*`process.parent.end`*::
-+
---
-The time the process ended.
-
-type: date
-
-example: 2016-05-23T08:05:34.853Z
-
---
-
-*`process.parent.entity_id`*::
-+
---
-Unique identifier for the process.
-The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
-Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
-
-type: keyword
-
-example: c2c455d9f99375d
-
---
-
-*`process.parent.executable`*::
-+
---
-Absolute path to the process executable.
-
-type: keyword
-
-example: /usr/bin/ssh
-
---
-
-*`process.parent.executable.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.parent.exit_code`*::
-+
---
-The exit code of the process, if this is a termination event.
-The field should be absent if there is no exit code for the event (e.g. process start).
-
-type: long
-
-example: 137
-
---
-
-*`process.parent.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`process.parent.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`process.parent.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`process.parent.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`process.parent.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`process.parent.name`*::
-+
---
-Process name.
-Sometimes called program name or similar.
-
-type: keyword
-
-example: ssh
-
---
-
-*`process.parent.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.parent.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`process.parent.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`process.parent.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`process.parent.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`process.parent.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`process.parent.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`process.parent.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-*`process.parent.pgid`*::
-+
---
-Identifier of the group of processes the process belongs to.
-
-type: long
-
-format: string
-
---
-
-*`process.parent.pid`*::
-+
---
-Process id.
-
-type: long
-
-example: 4242
-
-format: string
-
---
-
-*`process.parent.start`*::
-+
---
-The time the process started.
-
-type: date
-
-example: 2016-05-23T08:05:34.853Z
-
---
-
-*`process.parent.thread.id`*::
-+
---
-Thread ID.
-
-type: long
-
-example: 4242
-
-format: string
-
---
-
-*`process.parent.thread.name`*::
-+
---
-Thread name.
-
-type: keyword
-
-example: thread-0
-
---
-
-*`process.parent.title`*::
-+
---
-Process title.
-The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
-
-type: keyword
-
---
-
-*`process.parent.title.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.parent.uptime`*::
-+
---
-Seconds the process has been up.
-
-type: long
-
-example: 1325
-
---
-
-*`process.parent.working_directory`*::
-+
---
-The working directory of the process.
-
-type: keyword
-
-example: /home/alice
-
---
-
-*`process.parent.working_directory.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`process.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`process.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`process.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`process.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`process.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`process.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-*`process.pgid`*::
-+
---
-Identifier of the group of processes the process belongs to.
-
-type: long
-
-format: string
-
---
-
-*`process.pid`*::
-+
---
-Process id.
-
-type: long
-
-example: 4242
-
-format: string
-
---
-
-*`process.start`*::
-+
---
-The time the process started.
-
-type: date
-
-example: 2016-05-23T08:05:34.853Z
-
---
-
-*`process.thread.id`*::
-+
---
-Thread ID.
-
-type: long
-
-example: 4242
-
-format: string
-
---
-
-*`process.thread.name`*::
-+
---
-Thread name.
-
-type: keyword
-
-example: thread-0
-
---
-
-*`process.title`*::
-+
---
-Process title.
-The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
-
-type: keyword
-
---
-
-*`process.title.text`*::
-+
---
-type: match_only_text
-
---
-
-*`process.uptime`*::
-+
---
-Seconds the process has been up.
-
-type: long
-
-example: 1325
-
---
-
-*`process.working_directory`*::
-+
---
-The working directory of the process.
-
-type: keyword
-
-example: /home/alice
-
---
-
-*`process.working_directory.text`*::
-+
---
-type: match_only_text
-
---
-
-[float]
-=== registry
-
-Fields related to Windows Registry operations.
-
-
-*`registry.data.bytes`*::
-+
---
-Original bytes written with base64 encoding.
-For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
-
-type: keyword
-
-example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
-
---
-
-*`registry.data.strings`*::
-+
---
-Content when writing string types.
-Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
-
-type: wildcard
-
-example: ["C:\rta\red_ttp\bin\myapp.exe"]
-
---
-
-*`registry.data.type`*::
-+
---
-Standard registry type for encoding contents
-
-type: keyword
-
-example: REG_SZ
-
---
-
-*`registry.hive`*::
-+
---
-Abbreviated name for the hive.
-
-type: keyword
-
-example: HKLM
-
---
-
-*`registry.key`*::
-+
---
-Hive-relative path of keys.
-
-type: keyword
-
-example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
-
---
-
-*`registry.path`*::
-+
---
-Full path, including hive, key and value
-
-type: keyword
-
-example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
-
---
-
-*`registry.value`*::
-+
---
-Name of the value written.
-
-type: keyword
-
-example: Debugger
-
---
-
-[float]
-=== related
-
-This field set is meant to facilitate pivoting around a piece of data.
-Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`.
-A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.
-
-
-*`related.hash`*::
-+
---
-All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
-
-type: keyword
-
---
-
-*`related.hosts`*::
-+
---
-All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
-
-type: keyword
-
---
-
-*`related.ip`*::
-+
---
-All of the IPs seen on your event.
-
-type: ip
-
---
-
-*`related.user`*::
-+
---
-All the user names or other user identifiers seen on the event.
-
-type: keyword
-
---
-
-[float]
-=== rule
-
-Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
-Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.
-
-
-*`rule.author`*::
-+
---
-Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
-
-type: keyword
-
-example: ["Star-Lord"]
-
---
-
-*`rule.category`*::
-+
---
-A categorization value keyword used by the entity using the rule for detection of this event.
-
-type: keyword
-
-example: Attempted Information Leak
-
---
-
-*`rule.description`*::
-+
---
-The description of the rule generating the event.
-
-type: keyword
-
-example: Block requests to public DNS over HTTPS / TLS protocols
-
---
-
-*`rule.id`*::
-+
---
-A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
-
-type: keyword
-
-example: 101
-
---
-
-*`rule.license`*::
-+
---
-Name of the license under which the rule used to generate this event is made available.
-
-type: keyword
-
-example: Apache 2.0
-
---
-
-*`rule.name`*::
-+
---
-The name of the rule or signature generating the event.
-
-type: keyword
-
-example: BLOCK_DNS_over_TLS
-
---
-
-*`rule.reference`*::
-+
---
-Reference URL to additional information about the rule used to generate this event.
-The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert.
-
-type: keyword
-
-example: https://en.wikipedia.org/wiki/DNS_over_TLS
-
---
-
-*`rule.ruleset`*::
-+
---
-Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
-
-type: keyword
-
-example: Standard_Protocol_Filters
-
---
-
-*`rule.uuid`*::
-+
---
-A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
-
-type: keyword
-
-example: 1100110011
-
---
-
-*`rule.version`*::
-+
---
-The version / revision of the rule being used for analysis.
-
-type: keyword
-
-example: 1.1
-
---
-
-[float]
-=== server
-
-A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records.
-For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events.
-Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
-
-
-*`server.address`*::
-+
---
-Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
-Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
-
-type: keyword
-
---
-
-*`server.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`server.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`server.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`server.bytes`*::
-+
---
-Bytes sent from the server to the client.
-
-type: long
-
-example: 184
-
-format: bytes
-
---
-
-*`server.domain`*::
-+
---
-The domain name of the server system.
-This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
-
-type: keyword
-
-example: foo.example.com
-
---
-
-*`server.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`server.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`server.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`server.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`server.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`server.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`server.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`server.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`server.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`server.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`server.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`server.ip`*::
-+
---
-IP address of the server (IPv4 or IPv6).
-
-type: ip
-
---
-
-*`server.mac`*::
-+
---
-MAC address of the server.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: 00-00-5E-00-53-23
-
---
-
-*`server.nat.ip`*::
-+
---
-Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
-Typically used with load balancers, firewalls, or routers.
-
-type: ip
-
---
-
-*`server.nat.port`*::
-+
---
-Translated port of destination based NAT sessions (e.g. internet to private DMZ)
-Typically used with load balancers, firewalls, or routers.
-
-type: long
-
-format: string
-
---
-
-*`server.packets`*::
-+
---
-Packets sent from the server to the client.
-
-type: long
-
-example: 12
-
---
-
-*`server.port`*::
-+
---
-Port of the server.
-
-type: long
-
-format: string
-
---
-
-*`server.registered_domain`*::
-+
---
-The highest registered server domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`server.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`server.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`server.user.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`server.user.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`server.user.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`server.user.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`server.user.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`server.user.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`server.user.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`server.user.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`server.user.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`server.user.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`server.user.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`server.user.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-[float]
-=== service
-
-The service fields describe the service for or from which the data was collected.
-These fields help you find and correlate logs for a specific service and version.
-
-
-*`service.address`*::
-+
---
-Address where data about this service was collected from.
-This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
-
-type: keyword
-
-example: 172.26.0.2:5432
-
---
-
-*`service.environment`*::
-+
---
-Identifies the environment where the service is running.
-If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
-
-type: keyword
-
-example: production
-
---
-
-*`service.ephemeral_id`*::
-+
---
-Ephemeral identifier of this service (if one exists).
-This id normally changes across restarts, but `service.id` does not.
-
-type: keyword
-
-example: 8a4f500f
-
---
-
-*`service.id`*::
-+
---
-Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.
-This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.
-Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
-
-type: keyword
-
-example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
-
---
-
-*`service.name`*::
-+
---
-Name of the service data is collected from.
-The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
-In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
-
-type: keyword
-
-example: elasticsearch-metrics
-
---
-
-*`service.node.name`*::
-+
---
-Name of a service node.
-This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.
-In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
-
-type: keyword
-
-example: instance-0000000016
-
---
-
-*`service.origin.address`*::
-+
---
-Address where data about this service was collected from.
-This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
-
-type: keyword
-
-example: 172.26.0.2:5432
-
---
-
-*`service.origin.environment`*::
-+
---
-Identifies the environment where the service is running.
-If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
-
-type: keyword
-
-example: production
-
---
-
-*`service.origin.ephemeral_id`*::
-+
---
-Ephemeral identifier of this service (if one exists).
-This id normally changes across restarts, but `service.id` does not.
-
-type: keyword
-
-example: 8a4f500f
-
---
-
-*`service.origin.id`*::
-+
---
-Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.
-This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.
-Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
-
-type: keyword
-
-example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
-
---
-
-*`service.origin.name`*::
-+
---
-Name of the service data is collected from.
-The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
-In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
-
-type: keyword
-
-example: elasticsearch-metrics
-
---
-
-*`service.origin.node.name`*::
-+
---
-Name of a service node.
-This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.
-In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
-
-type: keyword
-
-example: instance-0000000016
-
---
-
-*`service.origin.state`*::
-+
---
-Current state of the service.
-
-type: keyword
-
---
-
-*`service.origin.type`*::
-+
---
-The type of the service data is collected from.
-The type can be used to group and correlate logs and metrics from one service type.
-Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
-
-type: keyword
-
-example: elasticsearch
-
---
-
-*`service.origin.version`*::
-+
---
-Version of the service the data was collected from.
-This allows to look at a data set only for a specific version of a service.
-
-type: keyword
-
-example: 3.2.4
-
---
-
-*`service.state`*::
-+
---
-Current state of the service.
-
-type: keyword
-
---
-
-*`service.target.address`*::
-+
---
-Address where data about this service was collected from.
-This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
-
-type: keyword
-
-example: 172.26.0.2:5432
-
---
-
-*`service.target.environment`*::
-+
---
-Identifies the environment where the service is running.
-If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.
-
-type: keyword
-
-example: production
-
---
-
-*`service.target.ephemeral_id`*::
-+
---
-Ephemeral identifier of this service (if one exists).
-This id normally changes across restarts, but `service.id` does not.
-
-type: keyword
-
-example: 8a4f500f
-
---
-
-*`service.target.id`*::
-+
---
-Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.
-This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.
-Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
-
-type: keyword
-
-example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
-
---
-
-*`service.target.name`*::
-+
---
-Name of the service data is collected from.
-The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
-In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
-
-type: keyword
-
-example: elasticsearch-metrics
-
---
-
-*`service.target.node.name`*::
-+
---
-Name of a service node.
-This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.
-In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
-
-type: keyword
-
-example: instance-0000000016
-
---
-
-*`service.target.state`*::
-+
---
-Current state of the service.
-
-type: keyword
-
---
-
-*`service.target.type`*::
-+
---
-The type of the service data is collected from.
-The type can be used to group and correlate logs and metrics from one service type.
-Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
-
-type: keyword
-
-example: elasticsearch
-
---
-
-*`service.target.version`*::
-+
---
-Version of the service the data was collected from.
-This allows to look at a data set only for a specific version of a service.
-
-type: keyword
-
-example: 3.2.4
-
---
-
-*`service.type`*::
-+
---
-The type of the service data is collected from.
-The type can be used to group and correlate logs and metrics from one service type.
-Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
-
-type: keyword
-
-example: elasticsearch
-
---
-
-*`service.version`*::
-+
---
-Version of the service the data was collected from.
-This allows to look at a data set only for a specific version of a service.
-
-type: keyword
-
-example: 3.2.4
-
---
-
-[float]
-=== source
-
-Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
-Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
-
-
-*`source.address`*::
-+
---
-Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.
-Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
-
-type: keyword
-
---
-
-*`source.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`source.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`source.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`source.bytes`*::
-+
---
-Bytes sent from the source to the destination.
-
-type: long
-
-example: 184
-
-format: bytes
-
---
-
-*`source.domain`*::
-+
---
-The domain name of the source system.
-This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
-
-type: keyword
-
-example: foo.example.com
-
---
-
-*`source.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`source.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`source.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`source.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`source.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`source.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`source.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`source.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`source.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`source.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`source.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`source.ip`*::
-+
---
-IP address of the source (IPv4 or IPv6).
-
-type: ip
-
---
-
-*`source.mac`*::
-+
---
-MAC address of the source.
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
-
-type: keyword
-
-example: 00-00-5E-00-53-23
-
---
-
-*`source.nat.ip`*::
-+
---
-Translated ip of source based NAT sessions (e.g. internal client to internet)
-Typically connections traversing load balancers, firewalls, or routers.
-
-type: ip
-
---
-
-*`source.nat.port`*::
-+
---
-Translated port of source based NAT sessions. (e.g. internal client to internet)
-Typically used with load balancers, firewalls, or routers.
-
-type: long
-
-format: string
-
---
-
-*`source.packets`*::
-+
---
-Packets sent from the source to the destination.
-
-type: long
-
-example: 12
-
---
-
-*`source.port`*::
-+
---
-Port of the source.
-
-type: long
-
-format: string
-
---
-
-*`source.registered_domain`*::
-+
---
-The highest registered source domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`source.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`source.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`source.user.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`source.user.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`source.user.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`source.user.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`source.user.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`source.user.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`source.user.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`source.user.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`source.user.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`source.user.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`source.user.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`source.user.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-[float]
-=== threat
-
-Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.
-These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
-
-
-*`threat.enrichments`*::
-+
---
-A list of associated indicators objects enriching the event, and the context of that association/enrichment.
-
-type: nested
-
---
-
-*`threat.enrichments.indicator`*::
-+
---
-Object containing associated indicators enriching the event.
-
-type: object
-
---
-
-*`threat.enrichments.indicator.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`threat.enrichments.indicator.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`threat.enrichments.indicator.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.enrichments.indicator.confidence`*::
-+
---
-Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
-Expected values are:
-  * Not Specified
-  * None
-  * Low
-  * Medium
-  * High
-
-type: keyword
-
-example: Medium
-
---
-
-*`threat.enrichments.indicator.description`*::
-+
---
-Describes the type of action conducted by the threat.
-
-type: keyword
-
-example: IP x.x.x.x was observed delivering the Angler EK.
-
---
-
-*`threat.enrichments.indicator.email.address`*::
-+
---
-Identifies a threat indicator as an email address (irrespective of direction).
-
-type: keyword
-
-example: phish@example.com
-
---
-
-*`threat.enrichments.indicator.file.accessed`*::
-+
---
-Last time the file was accessed.
-Note that not all filesystems keep track of access time.
-
-type: date
-
---
-
-*`threat.enrichments.indicator.file.attributes`*::
-+
---
-Array of file attributes.
-Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
-
-type: keyword
-
-example: ["readonly", "system"]
-
---
-
-*`threat.enrichments.indicator.file.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`threat.enrichments.indicator.file.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.enrichments.indicator.file.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`threat.enrichments.indicator.file.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`threat.enrichments.indicator.file.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`threat.enrichments.indicator.file.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`threat.enrichments.indicator.file.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`threat.enrichments.indicator.file.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.enrichments.indicator.file.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.enrichments.indicator.file.created`*::
-+
---
-File creation time.
-Note that not all filesystems store the creation time.
-
-type: date
-
---
-
-*`threat.enrichments.indicator.file.ctime`*::
-+
---
-Last time the file attributes or metadata changed.
-Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
-
-type: date
-
---
-
-*`threat.enrichments.indicator.file.device`*::
-+
---
-Device that is the source of the file.
-
-type: keyword
-
-example: sda
-
---
-
-*`threat.enrichments.indicator.file.directory`*::
-+
---
-Directory where the file is located. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice
-
---
-
-*`threat.enrichments.indicator.file.drive_letter`*::
-+
---
-Drive letter where the file is located. This field is only relevant on Windows.
-The value should be uppercase, and not include the colon.
-
-type: keyword
-
-example: C
-
---
-
-*`threat.enrichments.indicator.file.elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`threat.enrichments.indicator.file.elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`threat.enrichments.indicator.file.elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`threat.enrichments.indicator.file.elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`threat.enrichments.indicator.file.elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`threat.enrichments.indicator.file.elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`threat.enrichments.indicator.file.elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`threat.enrichments.indicator.file.elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`threat.enrichments.indicator.file.elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`threat.enrichments.indicator.file.elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`threat.enrichments.indicator.file.elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.extension`*::
-+
---
-File extension, excluding the leading dot.
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`threat.enrichments.indicator.file.fork_name`*::
-+
---
-A fork is additional data associated with a filesystem object.
-On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.
-On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
-
-type: keyword
-
-example: Zone.Identifer
-
---
-
-*`threat.enrichments.indicator.file.gid`*::
-+
---
-Primary group ID (GID) of the file.
-
-type: keyword
-
-example: 1001
-
---
-
-*`threat.enrichments.indicator.file.group`*::
-+
---
-Primary group name of the file.
-
-type: keyword
-
-example: alice
-
---
-
-*`threat.enrichments.indicator.file.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.inode`*::
-+
---
-Inode representing the file in the filesystem.
-
-type: keyword
-
-example: 256383
-
---
-
-*`threat.enrichments.indicator.file.mime_type`*::
-+
---
-MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.mode`*::
-+
---
-Mode of the file in octal representation.
-
-type: keyword
-
-example: 0640
-
---
-
-*`threat.enrichments.indicator.file.mtime`*::
-+
---
-Last time the file content was modified.
-
-type: date
-
---
-
-*`threat.enrichments.indicator.file.name`*::
-+
---
-Name of the file including the extension, without the directory.
-
-type: keyword
-
-example: example.png
-
---
-
-*`threat.enrichments.indicator.file.owner`*::
-+
---
-File owner's username.
-
-type: keyword
-
-example: alice
-
---
-
-*`threat.enrichments.indicator.file.path`*::
-+
---
-Full path to the file, including the file name. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice/example.png
-
---
-
-*`threat.enrichments.indicator.file.path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.enrichments.indicator.file.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`threat.enrichments.indicator.file.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`threat.enrichments.indicator.file.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`threat.enrichments.indicator.file.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`threat.enrichments.indicator.file.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`threat.enrichments.indicator.file.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`threat.enrichments.indicator.file.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-*`threat.enrichments.indicator.file.size`*::
-+
---
-File size in bytes.
-Only relevant when `file.type` is "file".
-
-type: long
-
-example: 16384
-
---
-
-*`threat.enrichments.indicator.file.target_path`*::
-+
---
-Target path for symlinks.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.target_path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.enrichments.indicator.file.type`*::
-+
---
-File type (file, dir, or symlink).
-
-type: keyword
-
-example: file
-
---
-
-*`threat.enrichments.indicator.file.uid`*::
-+
---
-The user ID (UID) or security identifier (SID) of the file owner.
-
-type: keyword
-
-example: 1001
-
---
-
-*`threat.enrichments.indicator.file.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`threat.enrichments.indicator.file.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.enrichments.indicator.file.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`threat.enrichments.indicator.file.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`threat.enrichments.indicator.file.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`threat.enrichments.indicator.file.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`threat.enrichments.indicator.file.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`threat.enrichments.indicator.file.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`threat.enrichments.indicator.file.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`threat.enrichments.indicator.file.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.file.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.enrichments.indicator.file.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`threat.enrichments.indicator.first_seen`*::
-+
---
-The date and time when intelligence source first reported sighting this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.enrichments.indicator.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`threat.enrichments.indicator.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`threat.enrichments.indicator.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`threat.enrichments.indicator.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`threat.enrichments.indicator.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`threat.enrichments.indicator.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`threat.enrichments.indicator.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`threat.enrichments.indicator.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`threat.enrichments.indicator.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`threat.enrichments.indicator.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`threat.enrichments.indicator.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`threat.enrichments.indicator.ip`*::
-+
---
-Identifies a threat indicator as an IP address (irrespective of direction).
-
-type: ip
-
-example: 1.2.3.4
-
---
-
-*`threat.enrichments.indicator.last_seen`*::
-+
---
-The date and time when intelligence source last reported sighting this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.enrichments.indicator.marking.tlp`*::
-+
---
-Traffic Light Protocol sharing markings. Recommended values are:
-  * WHITE
-  * GREEN
-  * AMBER
-  * RED
-
-type: keyword
-
-example: White
-
---
-
-*`threat.enrichments.indicator.modified_at`*::
-+
---
-The date and time when intelligence source last modified information for this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.enrichments.indicator.port`*::
-+
---
-Identifies a threat indicator as a port number (irrespective of direction).
-
-type: long
-
-example: 443
-
---
-
-*`threat.enrichments.indicator.provider`*::
-+
---
-The name of the indicator's provider.
-
-type: keyword
-
-example: lrz_urlhaus
-
---
-
-*`threat.enrichments.indicator.reference`*::
-+
---
-Reference URL linking to additional information about this indicator.
-
-type: keyword
-
-example: https://system.example.com/indicator/0001234
-
---
-
-*`threat.enrichments.indicator.registry.data.bytes`*::
-+
---
-Original bytes written with base64 encoding.
-For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
-
-type: keyword
-
-example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
-
---
-
-*`threat.enrichments.indicator.registry.data.strings`*::
-+
---
-Content when writing string types.
-Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
-
-type: wildcard
-
-example: ["C:\rta\red_ttp\bin\myapp.exe"]
-
---
-
-*`threat.enrichments.indicator.registry.data.type`*::
-+
---
-Standard registry type for encoding contents
-
-type: keyword
-
-example: REG_SZ
-
---
-
-*`threat.enrichments.indicator.registry.hive`*::
-+
---
-Abbreviated name for the hive.
-
-type: keyword
-
-example: HKLM
-
---
-
-*`threat.enrichments.indicator.registry.key`*::
-+
---
-Hive-relative path of keys.
-
-type: keyword
-
-example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
-
---
-
-*`threat.enrichments.indicator.registry.path`*::
-+
---
-Full path, including hive, key and value
-
-type: keyword
-
-example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
-
---
-
-*`threat.enrichments.indicator.registry.value`*::
-+
---
-Name of the value written.
-
-type: keyword
-
-example: Debugger
-
---
-
-*`threat.enrichments.indicator.scanner_stats`*::
-+
---
-Count of AV/EDR vendors that successfully detected malicious file or URL.
-
-type: long
-
-example: 4
-
---
-
-*`threat.enrichments.indicator.sightings`*::
-+
---
-Number of times this indicator was observed conducting threat activity.
-
-type: long
-
-example: 20
-
---
-
-*`threat.enrichments.indicator.type`*::
-+
---
-Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values:
-  * autonomous-system
-  * artifact
-  * directory
-  * domain-name
-  * email-addr
-  * file
-  * ipv4-addr
-  * ipv6-addr
-  * mac-addr
-  * mutex
-  * port
-  * process
-  * software
-  * url
-  * user-account
-  * windows-registry-key
-  * x509-certificate
-
-type: keyword
-
-example: ipv4-addr
-
---
-
-*`threat.enrichments.indicator.url.domain`*::
-+
---
-Domain of the url, such as "www.elastic.co".
-In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
-If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
-
-type: keyword
-
-example: www.elastic.co
-
---
-
-*`threat.enrichments.indicator.url.extension`*::
-+
---
-The field contains the file extension from the original request url, excluding the leading dot.
-The file extension is only set if it exists, as not every url has a file extension.
-The leading period must not be included. For example, the value must be "png", not ".png".
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`threat.enrichments.indicator.url.fragment`*::
-+
---
-Portion of the url after the `#`, such as "top".
-The `#` is not part of the fragment.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.url.full`*::
-+
---
-If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top
-
---
-
-*`threat.enrichments.indicator.url.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.enrichments.indicator.url.original`*::
-+
---
-Unmodified original url as seen in the event source.
-Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
-This field is meant to represent the URL as it was observed, complete or not.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
-
---
-
-*`threat.enrichments.indicator.url.original.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.enrichments.indicator.url.password`*::
-+
---
-Password of the request.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.url.path`*::
-+
---
-Path of the request, such as "/search".
-
-type: wildcard
-
---
-
-*`threat.enrichments.indicator.url.port`*::
-+
---
-Port of the request, such as 443.
-
-type: long
-
-example: 443
-
-format: string
-
---
-
-*`threat.enrichments.indicator.url.query`*::
-+
---
-The query field describes the query string of the request, such as "q=elasticsearch".
-The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.url.registered_domain`*::
-+
---
-The highest registered url domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`threat.enrichments.indicator.url.scheme`*::
-+
---
-Scheme of the request, such as "https".
-Note: The `:` is not part of the scheme.
-
-type: keyword
-
-example: https
-
---
-
-*`threat.enrichments.indicator.url.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`threat.enrichments.indicator.url.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`threat.enrichments.indicator.url.username`*::
-+
---
-Username of the request.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`threat.enrichments.indicator.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`threat.enrichments.indicator.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`threat.enrichments.indicator.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`threat.enrichments.indicator.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`threat.enrichments.indicator.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`threat.enrichments.indicator.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`threat.enrichments.indicator.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.enrichments.indicator.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`threat.enrichments.indicator.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`threat.enrichments.indicator.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`threat.enrichments.indicator.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`threat.enrichments.indicator.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`threat.enrichments.indicator.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`threat.enrichments.indicator.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`threat.enrichments.indicator.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`threat.enrichments.indicator.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`threat.enrichments.indicator.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`threat.enrichments.indicator.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`threat.enrichments.indicator.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`threat.enrichments.indicator.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`threat.enrichments.indicator.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`threat.enrichments.indicator.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.enrichments.indicator.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`threat.enrichments.matched.atomic`*::
-+
---
-Identifies the atomic indicator value that matched a local environment endpoint or network event.
-
-type: keyword
-
-example: bad-domain.com
-
---
-
-*`threat.enrichments.matched.field`*::
-+
---
-Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
-
-type: keyword
-
-example: file.hash.sha256
-
---
-
-*`threat.enrichments.matched.id`*::
-+
---
-Identifies the _id of the indicator document enriching the event.
-
-type: keyword
-
-example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
-
---
-
-*`threat.enrichments.matched.index`*::
-+
---
-Identifies the _index of the indicator document enriching the event.
-
-type: keyword
-
-example: filebeat-8.0.0-2021.05.23-000011
-
---
-
-*`threat.enrichments.matched.type`*::
-+
---
-Identifies the type of match that caused the event to be enriched with the given indicator
-
-type: keyword
-
-example: indicator_match_rule
-
---
-
-*`threat.framework`*::
-+
---
-Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
-
-type: keyword
-
-example: MITRE ATT&CK
-
---
-
-*`threat.group.alias`*::
-+
---
-The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community.
-While not required, you can use a MITRE ATT&CK® group alias(es).
-
-type: keyword
-
-example: [ "Magecart Group 6" ]
-
---
-
-*`threat.group.id`*::
-+
---
-The id of the group for a set of related intrusion activity that are tracked by a common name in the security community.
-While not required, you can use a MITRE ATT&CK® group id.
-
-type: keyword
-
-example: G0037
-
---
-
-*`threat.group.name`*::
-+
---
-The name of the group for a set of related intrusion activity that are tracked by a common name in the security community.
-While not required, you can use a MITRE ATT&CK® group name.
-
-type: keyword
-
-example: FIN6
-
---
-
-*`threat.group.reference`*::
-+
---
-The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community.
-While not required, you can use a MITRE ATT&CK® group reference URL.
-
-type: keyword
-
-example: https://attack.mitre.org/groups/G0037/
-
---
-
-*`threat.indicator.as.number`*::
-+
---
-Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-
-type: long
-
-example: 15169
-
---
-
-*`threat.indicator.as.organization.name`*::
-+
---
-Organization name.
-
-type: keyword
-
-example: Google LLC
-
---
-
-*`threat.indicator.as.organization.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.indicator.confidence`*::
-+
---
-Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
-Expected values are:
-  * Not Specified
-  * None
-  * Low
-  * Medium
-  * High
-
-type: keyword
-
-example: Medium
-
---
-
-*`threat.indicator.description`*::
-+
---
-Describes the type of action conducted by the threat.
-
-type: keyword
-
-example: IP x.x.x.x was observed delivering the Angler EK.
-
---
-
-*`threat.indicator.email.address`*::
-+
---
-Identifies a threat indicator as an email address (irrespective of direction).
-
-type: keyword
-
-example: phish@example.com
-
---
-
-*`threat.indicator.file.accessed`*::
-+
---
-Last time the file was accessed.
-Note that not all filesystems keep track of access time.
-
-type: date
-
---
-
-*`threat.indicator.file.attributes`*::
-+
---
-Array of file attributes.
-Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
-
-type: keyword
-
-example: ["readonly", "system"]
-
---
-
-*`threat.indicator.file.code_signature.digest_algorithm`*::
-+
---
-The hashing algorithm used to sign the process.
-This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
-
-type: keyword
-
-example: sha256
-
---
-
-*`threat.indicator.file.code_signature.exists`*::
-+
---
-Boolean to capture if a signature is present.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.indicator.file.code_signature.signing_id`*::
-+
---
-The identifier used to sign the process.
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: com.apple.xpc.proxy
-
---
-
-*`threat.indicator.file.code_signature.status`*::
-+
---
-Additional information about the certificate status.
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
-
-type: keyword
-
-example: ERROR_UNTRUSTED_ROOT
-
---
-
-*`threat.indicator.file.code_signature.subject_name`*::
-+
---
-Subject name of the code signer
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`threat.indicator.file.code_signature.team_id`*::
-+
---
-The team identifier used to sign the process.
-This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
-
-type: keyword
-
-example: EQHXZ8M8AV
-
---
-
-*`threat.indicator.file.code_signature.timestamp`*::
-+
---
-Date and time when the code signature was generated and signed.
-
-type: date
-
-example: 2021-01-01T12:10:30Z
-
---
-
-*`threat.indicator.file.code_signature.trusted`*::
-+
---
-Stores the trust status of the certificate chain.
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.indicator.file.code_signature.valid`*::
-+
---
-Boolean to capture if the digital signature is verified against the binary content.
-Leave unpopulated if a certificate was unchecked.
-
-type: boolean
-
-example: true
-
---
-
-*`threat.indicator.file.created`*::
-+
---
-File creation time.
-Note that not all filesystems store the creation time.
-
-type: date
-
---
-
-*`threat.indicator.file.ctime`*::
-+
---
-Last time the file attributes or metadata changed.
-Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
-
-type: date
-
---
-
-*`threat.indicator.file.device`*::
-+
---
-Device that is the source of the file.
-
-type: keyword
-
-example: sda
-
---
-
-*`threat.indicator.file.directory`*::
-+
---
-Directory where the file is located. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice
-
---
-
-*`threat.indicator.file.drive_letter`*::
-+
---
-Drive letter where the file is located. This field is only relevant on Windows.
-The value should be uppercase, and not include the colon.
-
-type: keyword
-
-example: C
-
---
-
-*`threat.indicator.file.elf.architecture`*::
-+
---
-Machine architecture of the ELF file.
-
-type: keyword
-
-example: x86-64
-
---
-
-*`threat.indicator.file.elf.byte_order`*::
-+
---
-Byte sequence of ELF file.
-
-type: keyword
-
-example: Little Endian
-
---
-
-*`threat.indicator.file.elf.cpu_type`*::
-+
---
-CPU type of the ELF file.
-
-type: keyword
-
-example: Intel
-
---
-
-*`threat.indicator.file.elf.creation_date`*::
-+
---
-Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
-
-type: date
-
---
-
-*`threat.indicator.file.elf.exports`*::
-+
---
-List of exported element names and types.
-
-type: flattened
-
---
-
-*`threat.indicator.file.elf.header.abi_version`*::
-+
---
-Version of the ELF Application Binary Interface (ABI).
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.class`*::
-+
---
-Header class of the ELF file.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.data`*::
-+
---
-Data table of the ELF header.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.entrypoint`*::
-+
---
-Header entrypoint of the ELF file.
-
-type: long
-
-format: string
-
---
-
-*`threat.indicator.file.elf.header.object_version`*::
-+
---
-"0x1" for original ELF files.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.os_abi`*::
-+
---
-Application Binary Interface (ABI) of the Linux OS.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.type`*::
-+
---
-Header type of the ELF file.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.header.version`*::
-+
---
-Version of the ELF header.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.imports`*::
-+
---
-List of imported element names and types.
-
-type: flattened
-
---
-
-*`threat.indicator.file.elf.sections`*::
-+
---
-An array containing an object for each section of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.
-
-type: nested
-
---
-
-*`threat.indicator.file.elf.sections.chi2`*::
-+
---
-Chi-square probability distribution of the section.
-
-type: long
-
-format: number
-
---
-
-*`threat.indicator.file.elf.sections.entropy`*::
-+
---
-Shannon entropy calculation from the section.
-
-type: long
-
-format: number
-
---
-
-*`threat.indicator.file.elf.sections.flags`*::
-+
---
-ELF Section List flags.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.sections.name`*::
-+
---
-ELF Section List name.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.sections.physical_offset`*::
-+
---
-ELF Section List offset.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.sections.physical_size`*::
-+
---
-ELF Section List physical size.
-
-type: long
-
-format: bytes
-
---
-
-*`threat.indicator.file.elf.sections.type`*::
-+
---
-ELF Section List type.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.sections.virtual_address`*::
-+
---
-ELF Section List virtual address.
-
-type: long
-
-format: string
-
---
-
-*`threat.indicator.file.elf.sections.virtual_size`*::
-+
---
-ELF Section List virtual size.
-
-type: long
-
-format: string
-
---
-
-*`threat.indicator.file.elf.segments`*::
-+
---
-An array containing an object for each segment of the ELF file.
-The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.
-
-type: nested
-
---
-
-*`threat.indicator.file.elf.segments.sections`*::
-+
---
-ELF object segment sections.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.segments.type`*::
-+
---
-ELF object segment type.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.shared_libraries`*::
-+
---
-List of shared libraries used by this ELF object.
-
-type: keyword
-
---
-
-*`threat.indicator.file.elf.telfhash`*::
-+
---
-telfhash symbol hash for ELF file.
-
-type: keyword
-
---
-
-*`threat.indicator.file.extension`*::
-+
---
-File extension, excluding the leading dot.
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`threat.indicator.file.fork_name`*::
-+
---
-A fork is additional data associated with a filesystem object.
-On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.
-On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
-
-type: keyword
-
-example: Zone.Identifer
-
---
-
-*`threat.indicator.file.gid`*::
-+
---
-Primary group ID (GID) of the file.
-
-type: keyword
-
-example: 1001
-
---
-
-*`threat.indicator.file.group`*::
-+
---
-Primary group name of the file.
-
-type: keyword
-
-example: alice
-
---
-
-*`threat.indicator.file.hash.md5`*::
-+
---
-MD5 hash.
-
-type: keyword
-
---
-
-*`threat.indicator.file.hash.sha1`*::
-+
---
-SHA1 hash.
-
-type: keyword
-
---
-
-*`threat.indicator.file.hash.sha256`*::
-+
---
-SHA256 hash.
-
-type: keyword
-
---
-
-*`threat.indicator.file.hash.sha512`*::
-+
---
-SHA512 hash.
-
-type: keyword
-
---
-
-*`threat.indicator.file.hash.ssdeep`*::
-+
---
-SSDEEP hash.
-
-type: keyword
-
---
-
-*`threat.indicator.file.inode`*::
-+
---
-Inode representing the file in the filesystem.
-
-type: keyword
-
-example: 256383
-
---
-
-*`threat.indicator.file.mime_type`*::
-+
---
-MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
-
-type: keyword
-
---
-
-*`threat.indicator.file.mode`*::
-+
---
-Mode of the file in octal representation.
-
-type: keyword
-
-example: 0640
-
---
-
-*`threat.indicator.file.mtime`*::
-+
---
-Last time the file content was modified.
-
-type: date
-
---
-
-*`threat.indicator.file.name`*::
-+
---
-Name of the file including the extension, without the directory.
-
-type: keyword
-
-example: example.png
-
---
-
-*`threat.indicator.file.owner`*::
-+
---
-File owner's username.
-
-type: keyword
-
-example: alice
-
---
-
-*`threat.indicator.file.path`*::
-+
---
-Full path to the file, including the file name. It should include the drive letter, when appropriate.
-
-type: keyword
-
-example: /home/alice/example.png
-
---
-
-*`threat.indicator.file.path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.indicator.file.pe.architecture`*::
-+
---
-CPU architecture target for the file.
-
-type: keyword
-
-example: x64
-
---
-
-*`threat.indicator.file.pe.company`*::
-+
---
-Internal company name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft Corporation
-
---
-
-*`threat.indicator.file.pe.description`*::
-+
---
-Internal description of the file, provided at compile-time.
-
-type: keyword
-
-example: Paint
-
---
-
-*`threat.indicator.file.pe.file_version`*::
-+
---
-Internal version of the file, provided at compile-time.
-
-type: keyword
-
-example: 6.3.9600.17415
-
---
-
-*`threat.indicator.file.pe.imphash`*::
-+
---
-A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
-Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
-
-type: keyword
-
-example: 0c6803c4e922103c4dca5963aad36ddf
-
---
-
-*`threat.indicator.file.pe.original_file_name`*::
-+
---
-Internal name of the file, provided at compile-time.
-
-type: keyword
-
-example: MSPAINT.EXE
-
---
-
-*`threat.indicator.file.pe.product`*::
-+
---
-Internal product name of the file, provided at compile-time.
-
-type: keyword
-
-example: Microsoft® Windows® Operating System
-
---
-
-*`threat.indicator.file.size`*::
-+
---
-File size in bytes.
-Only relevant when `file.type` is "file".
-
-type: long
-
-example: 16384
-
---
-
-*`threat.indicator.file.target_path`*::
-+
---
-Target path for symlinks.
-
-type: keyword
-
---
-
-*`threat.indicator.file.target_path.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.indicator.file.type`*::
-+
---
-File type (file, dir, or symlink).
-
-type: keyword
-
-example: file
-
---
-
-*`threat.indicator.file.uid`*::
-+
---
-The user ID (UID) or security identifier (SID) of the file owner.
-
-type: keyword
-
-example: 1001
-
---
-
-*`threat.indicator.file.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`threat.indicator.file.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`threat.indicator.file.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`threat.indicator.file.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`threat.indicator.file.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`threat.indicator.file.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`threat.indicator.file.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`threat.indicator.file.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.indicator.file.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`threat.indicator.file.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`threat.indicator.file.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`threat.indicator.file.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`threat.indicator.file.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`threat.indicator.file.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`threat.indicator.file.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`threat.indicator.file.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`threat.indicator.file.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`threat.indicator.file.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`threat.indicator.file.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`threat.indicator.file.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`threat.indicator.file.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`threat.indicator.file.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`threat.indicator.file.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.indicator.file.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`threat.indicator.first_seen`*::
-+
---
-The date and time when intelligence source first reported sighting this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.indicator.geo.city_name`*::
-+
---
-City name.
-
-type: keyword
-
-example: Montreal
-
---
-
-*`threat.indicator.geo.continent_code`*::
-+
---
-Two-letter code representing continent's name.
-
-type: keyword
-
-example: NA
-
---
-
-*`threat.indicator.geo.continent_name`*::
-+
---
-Name of the continent.
-
-type: keyword
-
-example: North America
-
---
-
-*`threat.indicator.geo.country_iso_code`*::
-+
---
-Country ISO code.
-
-type: keyword
-
-example: CA
-
---
-
-*`threat.indicator.geo.country_name`*::
-+
---
-Country name.
-
-type: keyword
-
-example: Canada
-
---
-
-*`threat.indicator.geo.location`*::
-+
---
-Longitude and latitude.
-
-type: geo_point
-
-example: { "lon": -73.614830, "lat": 45.505918 }
-
---
-
-*`threat.indicator.geo.name`*::
-+
---
-User-defined description of a location, at the level of granularity they care about.
-Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
-Not typically used in automated geolocation.
-
-type: keyword
-
-example: boston-dc
-
---
-
-*`threat.indicator.geo.postal_code`*::
-+
---
-Postal code associated with the location.
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
-
-type: keyword
-
-example: 94040
-
---
-
-*`threat.indicator.geo.region_iso_code`*::
-+
---
-Region ISO code.
-
-type: keyword
-
-example: CA-QC
-
---
-
-*`threat.indicator.geo.region_name`*::
-+
---
-Region name.
-
-type: keyword
-
-example: Quebec
-
---
-
-*`threat.indicator.geo.timezone`*::
-+
---
-The time zone of the location, such as IANA time zone name.
-
-type: keyword
-
-example: America/Argentina/Buenos_Aires
-
---
-
-*`threat.indicator.ip`*::
-+
---
-Identifies a threat indicator as an IP address (irrespective of direction).
-
-type: ip
-
-example: 1.2.3.4
-
---
-
-*`threat.indicator.last_seen`*::
-+
---
-The date and time when intelligence source last reported sighting this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.indicator.marking.tlp`*::
-+
---
-Traffic Light Protocol sharing markings.
-Recommended values are:
-  * WHITE
-  * GREEN
-  * AMBER
-  * RED
-
-type: keyword
-
-example: WHITE
-
---
-
-*`threat.indicator.modified_at`*::
-+
---
-The date and time when intelligence source last modified information for this indicator.
-
-type: date
-
-example: 2020-11-05T17:25:47.000Z
-
---
-
-*`threat.indicator.port`*::
-+
---
-Identifies a threat indicator as a port number (irrespective of direction).
-
-type: long
-
-example: 443
-
---
-
-*`threat.indicator.provider`*::
-+
---
-The name of the indicator's provider.
-
-type: keyword
-
-example: lrz_urlhaus
-
---
-
-*`threat.indicator.reference`*::
-+
---
-Reference URL linking to additional information about this indicator.
-
-type: keyword
-
-example: https://system.example.com/indicator/0001234
-
---
-
-*`threat.indicator.registry.data.bytes`*::
-+
---
-Original bytes written with base64 encoding.
-For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
-
-type: keyword
-
-example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
-
---
-
-*`threat.indicator.registry.data.strings`*::
-+
---
-Content when writing string types.
-Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
-
-type: wildcard
-
-example: ["C:\rta\red_ttp\bin\myapp.exe"]
-
---
-
-*`threat.indicator.registry.data.type`*::
-+
---
-Standard registry type for encoding contents
-
-type: keyword
-
-example: REG_SZ
-
---
-
-*`threat.indicator.registry.hive`*::
-+
---
-Abbreviated name for the hive.
-
-type: keyword
-
-example: HKLM
-
---
-
-*`threat.indicator.registry.key`*::
-+
---
-Hive-relative path of keys.
-
-type: keyword
-
-example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
-
---
-
-*`threat.indicator.registry.path`*::
-+
---
-Full path, including hive, key and value
-
-type: keyword
-
-example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
-
---
-
-*`threat.indicator.registry.value`*::
-+
---
-Name of the value written.
-
-type: keyword
-
-example: Debugger
-
---
-
-*`threat.indicator.scanner_stats`*::
-+
---
-Count of AV/EDR vendors that successfully detected malicious file or URL.
-
-type: long
-
-example: 4
-
---
-
-*`threat.indicator.sightings`*::
-+
---
-Number of times this indicator was observed conducting threat activity.
-
-type: long
-
-example: 20
-
---
-
-*`threat.indicator.type`*::
-+
---
-Type of indicator as represented by Cyber Observable in STIX 2.0.
-Recommended values:
-  * autonomous-system
-  * artifact
-  * directory
-  * domain-name
-  * email-addr
-  * file
-  * ipv4-addr
-  * ipv6-addr
-  * mac-addr
-  * mutex
-  * port
-  * process
-  * software
-  * url
-  * user-account
-  * windows-registry-key
-  * x509-certificate
-
-type: keyword
-
-example: ipv4-addr
-
---
-
-*`threat.indicator.url.domain`*::
-+
---
-Domain of the url, such as "www.elastic.co".
-In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
-If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
-
-type: keyword
-
-example: www.elastic.co
-
---
-
-*`threat.indicator.url.extension`*::
-+
---
-The field contains the file extension from the original request url, excluding the leading dot.
-The file extension is only set if it exists, as not every url has a file extension.
-The leading period must not be included. For example, the value must be "png", not ".png".
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`threat.indicator.url.fragment`*::
-+
---
-Portion of the url after the `#`, such as "top".
-The `#` is not part of the fragment.
-
-type: keyword
-
---
-
-*`threat.indicator.url.full`*::
-+
---
-If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top
-
---
-
-*`threat.indicator.url.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.indicator.url.original`*::
-+
---
-Unmodified original url as seen in the event source.
-Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
-This field is meant to represent the URL as it was observed, complete or not.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
-
---
-
-*`threat.indicator.url.original.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.indicator.url.password`*::
-+
---
-Password of the request.
-
-type: keyword
-
---
-
-*`threat.indicator.url.path`*::
-+
---
-Path of the request, such as "/search".
-
-type: wildcard
-
---
-
-*`threat.indicator.url.port`*::
-+
---
-Port of the request, such as 443.
-
-type: long
-
-example: 443
-
-format: string
-
---
-
-*`threat.indicator.url.query`*::
-+
---
-The query field describes the query string of the request, such as "q=elasticsearch".
-The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
-
-type: keyword
-
---
-
-*`threat.indicator.url.registered_domain`*::
-+
---
-The highest registered url domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`threat.indicator.url.scheme`*::
-+
---
-Scheme of the request, such as "https".
-Note: The `:` is not part of the scheme.
-
-type: keyword
-
-example: https
-
---
-
-*`threat.indicator.url.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`threat.indicator.url.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`threat.indicator.url.username`*::
-+
---
-Username of the request.
-
-type: keyword
-
---
-
-*`threat.indicator.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`threat.indicator.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`threat.indicator.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`threat.indicator.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`threat.indicator.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`threat.indicator.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`threat.indicator.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`threat.indicator.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.indicator.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`threat.indicator.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`threat.indicator.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`threat.indicator.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`threat.indicator.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`threat.indicator.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`threat.indicator.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`threat.indicator.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`threat.indicator.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`threat.indicator.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`threat.indicator.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`threat.indicator.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`threat.indicator.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`threat.indicator.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`threat.indicator.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`threat.indicator.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`threat.software.alias`*::
-+
---
-The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community.
-While not required, you can use a MITRE ATT&CK® associated software description.
-
-type: keyword
-
-example: [ "X-Agent" ]
-
---
-
-*`threat.software.id`*::
-+
---
-The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
-While not required, you can use a MITRE ATT&CK® software id.
-
-type: keyword
-
-example: S0552
-
---
-
-*`threat.software.name`*::
-+
---
-The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
-While not required, you can use a MITRE ATT&CK® software name.
-
-type: keyword
-
-example: AdFind
-
---
-
-*`threat.software.platforms`*::
-+
---
-The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
-Recommended Values:
-  * AWS
-  * Azure
-  * Azure AD
-  * GCP
-  * Linux
-  * macOS
-  * Network
-  * Office 365
-  * SaaS
-  * Windows
-
-While not required, you can use a MITRE ATT&CK® software platforms.
-
-type: keyword
-
-example: [ "Windows" ]
-
---
-
-*`threat.software.reference`*::
-+
---
-The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
-While not required, you can use a MITRE ATT&CK® software reference URL.
-
-type: keyword
-
-example: https://attack.mitre.org/software/S0552/
-
---
-
-*`threat.software.type`*::
-+
---
-The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
-Recommended values
-  * Malware
-  * Tool
-
- While not required, you can use a MITRE ATT&CK® software type.
-
-type: keyword
-
-example: Tool
-
---
-
-*`threat.tactic.id`*::
-+
---
-The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
-
-type: keyword
-
-example: TA0002
-
---
-
-*`threat.tactic.name`*::
-+
---
-Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)
-
-type: keyword
-
-example: Execution
-
---
-
-*`threat.tactic.reference`*::
-+
---
-The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
-
-type: keyword
-
-example: https://attack.mitre.org/tactics/TA0002/
-
---
-
-*`threat.technique.id`*::
-+
---
-The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
-
-type: keyword
-
-example: T1059
-
---
-
-*`threat.technique.name`*::
-+
---
-The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
-
-type: keyword
-
-example: Command and Scripting Interpreter
-
---
-
-*`threat.technique.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.technique.reference`*::
-+
---
-The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
-
-type: keyword
-
-example: https://attack.mitre.org/techniques/T1059/
-
---
-
-*`threat.technique.subtechnique.id`*::
-+
---
-The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
-
-type: keyword
-
-example: T1059.001
-
---
-
-*`threat.technique.subtechnique.name`*::
-+
---
-The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
-
-type: keyword
-
-example: PowerShell
-
---
-
-*`threat.technique.subtechnique.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`threat.technique.subtechnique.reference`*::
-+
---
-The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
-
-type: keyword
-
-example: https://attack.mitre.org/techniques/T1059/001/
-
---
-
-[float]
-=== tls
-
-Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.
-
-
-*`tls.cipher`*::
-+
---
-String indicating the cipher used during the current connection.
-
-type: keyword
-
-example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-
---
-
-*`tls.client.certificate`*::
-+
---
-PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
-
-type: keyword
-
-example: MII...
-
---
-
-*`tls.client.certificate_chain`*::
-+
---
-Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
-
-type: keyword
-
-example: ["MII...", "MII..."]
-
---
-
-*`tls.client.hash.md5`*::
-+
---
-Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
-
---
-
-*`tls.client.hash.sha1`*::
-+
---
-Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 9E393D93138888D288266C2D915214D1D1CCEB2A
-
---
-
-*`tls.client.hash.sha256`*::
-+
---
-Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
-
---
-
-*`tls.client.issuer`*::
-+
---
-Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
-
-type: keyword
-
-example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
-
---
-
-*`tls.client.ja3`*::
-+
---
-A hash that identifies clients based on how they perform an SSL/TLS handshake.
-
-type: keyword
-
-example: d4e5b18d6b55c71272893221c96ba240
-
---
-
-*`tls.client.not_after`*::
-+
---
-Date/Time indicating when client certificate is no longer considered valid.
-
-type: date
-
-example: 2021-01-01T00:00:00.000Z
-
---
-
-*`tls.client.not_before`*::
-+
---
-Date/Time indicating when client certificate is first considered valid.
-
-type: date
-
-example: 1970-01-01T00:00:00.000Z
-
---
-
-*`tls.client.server_name`*::
-+
---
-Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.
-
-type: keyword
-
-example: www.elastic.co
-
---
-
-*`tls.client.subject`*::
-+
---
-Distinguished name of subject of the x.509 certificate presented by the client.
-
-type: keyword
-
-example: CN=myclient, OU=Documentation Team, DC=example, DC=com
-
---
-
-*`tls.client.supported_ciphers`*::
-+
---
-Array of ciphers offered by the client during the client hello.
-
-type: keyword
-
-example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]
-
---
-
-*`tls.client.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`tls.client.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`tls.client.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`tls.client.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`tls.client.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`tls.client.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`tls.client.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`tls.client.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`tls.client.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`tls.client.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`tls.client.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`tls.client.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`tls.client.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`tls.client.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`tls.client.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`tls.client.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`tls.client.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`tls.client.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`tls.client.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`tls.client.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`tls.client.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`tls.client.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`tls.client.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`tls.client.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`tls.curve`*::
-+
---
-String indicating the curve used for the given cipher, when applicable.
-
-type: keyword
-
-example: secp256r1
-
---
-
-*`tls.established`*::
-+
---
-Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
-
-type: boolean
-
---
-
-*`tls.next_protocol`*::
-+
---
-String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case.
-
-type: keyword
-
-example: http/1.1
-
---
-
-*`tls.resumed`*::
-+
---
-Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
-
-type: boolean
-
---
-
-*`tls.server.certificate`*::
-+
---
-PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.
-
-type: keyword
-
-example: MII...
-
---
-
-*`tls.server.certificate_chain`*::
-+
---
-Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
-
-type: keyword
-
-example: ["MII...", "MII..."]
-
---
-
-*`tls.server.hash.md5`*::
-+
---
-Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
-
---
-
-*`tls.server.hash.sha1`*::
-+
---
-Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 9E393D93138888D288266C2D915214D1D1CCEB2A
-
---
-
-*`tls.server.hash.sha256`*::
-+
---
-Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
-
-type: keyword
-
-example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
-
---
-
-*`tls.server.issuer`*::
-+
---
-Subject of the issuer of the x.509 certificate presented by the server.
-
-type: keyword
-
-example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
-
---
-
-*`tls.server.ja3s`*::
-+
---
-A hash that identifies servers based on how they perform an SSL/TLS handshake.
-
-type: keyword
-
-example: 394441ab65754e2207b1e1b457b3641d
-
---
-
-*`tls.server.not_after`*::
-+
---
-Timestamp indicating when server certificate is no longer considered valid.
-
-type: date
-
-example: 2021-01-01T00:00:00.000Z
-
---
-
-*`tls.server.not_before`*::
-+
---
-Timestamp indicating when server certificate is first considered valid.
-
-type: date
-
-example: 1970-01-01T00:00:00.000Z
-
---
-
-*`tls.server.subject`*::
-+
---
-Subject of the x.509 certificate presented by the server.
-
-type: keyword
-
-example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
-
---
-
-*`tls.server.x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`tls.server.x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`tls.server.x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`tls.server.x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`tls.server.x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`tls.server.x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`tls.server.x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`tls.server.x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`tls.server.x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`tls.server.x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`tls.server.x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`tls.server.x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`tls.server.x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`tls.server.x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`tls.server.x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`tls.server.x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`tls.server.x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`tls.server.x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`tls.server.x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`tls.server.x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`tls.server.x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`tls.server.x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`tls.server.x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`tls.server.x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-*`tls.version`*::
-+
---
-Numeric part of the version parsed from the original string.
-
-type: keyword
-
-example: 1.2
-
---
-
-*`tls.version_protocol`*::
-+
---
-Normalized lowercase protocol name parsed from original string.
-
-type: keyword
-
-example: tls
-
---
-
-*`span.id`*::
-+
---
-Unique identifier of the span within the scope of its trace.
-A span represents an operation within a transaction, such as a request to another service, or a database query.
-
-type: keyword
-
-example: 3ff9a8981b7ccd5a
-
---
-
-*`trace.id`*::
-+
---
-Unique identifier of the trace.
-A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
-
-type: keyword
-
-example: 4bf92f3577b34da6a3ce929d0e0e4736
-
---
-
-*`transaction.id`*::
-+
---
-Unique identifier of the transaction within the scope of its trace.
-A transaction is the highest level of work measured within a service, such as a request to a server.
-
-type: keyword
-
-example: 00f067aa0ba902b7
-
---
-
-[float]
-=== url
-
-URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.
-
-
-*`url.domain`*::
-+
---
-Domain of the url, such as "www.elastic.co".
-In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
-If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
-
-type: keyword
-
-example: www.elastic.co
-
---
-
-*`url.extension`*::
-+
---
-The field contains the file extension from the original request url, excluding the leading dot.
-The file extension is only set if it exists, as not every url has a file extension.
-The leading period must not be included. For example, the value must be "png", not ".png".
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
-
-type: keyword
-
-example: png
-
---
-
-*`url.fragment`*::
-+
---
-Portion of the url after the `#`, such as "top".
-The `#` is not part of the fragment.
-
-type: keyword
-
---
-
-*`url.full`*::
-+
---
-If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top
-
---
-
-*`url.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`url.original`*::
-+
---
-Unmodified original url as seen in the event source.
-Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
-This field is meant to represent the URL as it was observed, complete or not.
-
-type: wildcard
-
-example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
-
---
-
-*`url.original.text`*::
-+
---
-type: match_only_text
-
---
-
-*`url.password`*::
-+
---
-Password of the request.
-
-type: keyword
-
---
-
-*`url.path`*::
-+
---
-Path of the request, such as "/search".
-
-type: wildcard
-
---
-
-*`url.port`*::
-+
---
-Port of the request, such as 443.
-
-type: long
-
-example: 443
-
-format: string
-
---
-
-*`url.query`*::
-+
---
-The query field describes the query string of the request, such as "q=elasticsearch".
-The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
-
-type: keyword
-
---
-
-*`url.registered_domain`*::
-+
---
-The highest registered url domain, stripped of the subdomain.
-For example, the registered domain for "foo.example.com" is "example.com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
-
-type: keyword
-
-example: example.com
-
---
-
-*`url.scheme`*::
-+
---
-Scheme of the request, such as "https".
-Note: The `:` is not part of the scheme.
-
-type: keyword
-
-example: https
-
---
-
-*`url.subdomain`*::
-+
---
-The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
-For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
-
-type: keyword
-
-example: east
-
---
-
-*`url.top_level_domain`*::
-+
---
-The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
-
-type: keyword
-
-example: co.uk
-
---
-
-*`url.username`*::
-+
---
-Username of the request.
-
-type: keyword
-
---
-
-[float]
-=== user
-
-The user fields describe information about the user that is relevant to the event.
-Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
-
-
-*`user.changes.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.changes.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`user.changes.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`user.changes.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.changes.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.changes.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`user.changes.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`user.changes.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`user.changes.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`user.changes.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`user.changes.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.changes.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-*`user.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.effective.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.effective.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`user.effective.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`user.effective.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.effective.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.effective.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`user.effective.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`user.effective.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`user.effective.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`user.effective.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`user.effective.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.effective.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-*`user.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`user.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`user.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`user.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`user.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`user.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`user.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`user.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-*`user.target.domain`*::
-+
---
-Name of the directory the user is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.target.email`*::
-+
---
-User email address.
-
-type: keyword
-
---
-
-*`user.target.full_name`*::
-+
---
-User's full name, if available.
-
-type: keyword
-
-example: Albert Einstein
-
---
-
-*`user.target.full_name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.target.group.domain`*::
-+
---
-Name of the directory the group is a member of.
-For example, an LDAP or Active Directory domain name.
-
-type: keyword
-
---
-
-*`user.target.group.id`*::
-+
---
-Unique identifier for the group on the system/platform.
-
-type: keyword
-
---
-
-*`user.target.group.name`*::
-+
---
-Name of the group.
-
-type: keyword
-
---
-
-*`user.target.hash`*::
-+
---
-Unique user hash to correlate information for a user in anonymized form.
-Useful if `user.id` or `user.name` contain confidential information and cannot be used.
-
-type: keyword
-
---
-
-*`user.target.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
-example: S-1-5-21-202424912787-2692429404-2351956786-1000
-
---
-
-*`user.target.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: a.einstein
-
---
-
-*`user.target.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user.target.roles`*::
-+
---
-Array of user roles at the time of the event.
-
-type: keyword
-
-example: ["kibana_admin", "reporting_user"]
-
---
-
-[float]
-=== user_agent
-
-The user_agent fields normally come from a browser request.
-They often show up in web service logs coming from the parsed user agent string.
-
-
-*`user_agent.device.name`*::
-+
---
-Name of the device.
-
-type: keyword
-
-example: iPhone
-
---
-
-*`user_agent.name`*::
-+
---
-Name of the user agent.
-
-type: keyword
-
-example: Safari
-
---
-
-*`user_agent.original`*::
-+
---
-Unparsed user_agent string.
-
-type: keyword
-
-example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
-
---
-
-*`user_agent.original.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user_agent.os.family`*::
-+
---
-OS family (such as redhat, debian, freebsd, windows).
-
-type: keyword
-
-example: debian
-
---
-
-*`user_agent.os.full`*::
-+
---
-Operating system name, including the version or code name.
-
-type: keyword
-
-example: Mac OS Mojave
-
---
-
-*`user_agent.os.full.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user_agent.os.kernel`*::
-+
---
-Operating system kernel version as a raw string.
-
-type: keyword
-
-example: 4.4.0-112-generic
-
---
-
-*`user_agent.os.name`*::
-+
---
-Operating system name, without the version.
-
-type: keyword
-
-example: Mac OS X
-
---
-
-*`user_agent.os.name.text`*::
-+
---
-type: match_only_text
-
---
-
-*`user_agent.os.platform`*::
-+
---
-Operating system platform (such centos, ubuntu, windows).
-
-type: keyword
-
-example: darwin
-
---
-
-*`user_agent.os.type`*::
-+
---
-Use the `os.type` field to categorize the operating system into one of the broad commercial families.
-One of these following values should be used (lowercase): linux, macos, unix, windows.
-If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
-
-type: keyword
-
-example: macos
-
---
-
-*`user_agent.os.version`*::
-+
---
-Operating system version as a raw string.
-
-type: keyword
-
-example: 10.14.1
-
---
-
-*`user_agent.version`*::
-+
---
-Version of the user agent.
-
-type: keyword
-
-example: 12.0
-
---
-
-[float]
-=== vlan
-
-The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection.
-Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.
-Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor  (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging.
-Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.
-
-
-*`vlan.id`*::
-+
---
-VLAN ID as reported by the observer.
-
-type: keyword
-
-example: 10
-
---
-
-*`vlan.name`*::
-+
---
-Optional VLAN name as reported by the observer.
-
-type: keyword
-
-example: outside
-
---
-
-[float]
-=== vulnerability
-
-The vulnerability fields describe information about a vulnerability that is relevant to an event.
-
-
-*`vulnerability.category`*::
-+
---
-The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories])
-This field must be an array.
-
-type: keyword
-
-example: ["Firewall"]
-
---
-
-*`vulnerability.classification`*::
-+
---
-The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/)
-
-type: keyword
-
-example: CVSS
-
---
-
-*`vulnerability.description`*::
-+
---
-The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description])
-
-type: keyword
-
-example: In macOS before 2.12.6, there is a vulnerability in the RPC...
-
---
-
-*`vulnerability.description.text`*::
-+
---
-type: match_only_text
-
---
-
-*`vulnerability.enumeration`*::
-+
---
-The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/)
-
-type: keyword
-
-example: CVE
-
---
-
-*`vulnerability.id`*::
-+
---
-The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID]
-
-type: keyword
-
-example: CVE-2019-00001
-
---
-
-*`vulnerability.reference`*::
-+
---
-A resource that provides additional information, context, and mitigations for the identified vulnerability.
-
-type: keyword
-
-example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
-
---
-
-*`vulnerability.report_id`*::
-+
---
-The report or scan identification number.
-
-type: keyword
-
-example: 20191018.0001
-
---
-
-*`vulnerability.scanner.vendor`*::
-+
---
-The name of the vulnerability scanner vendor.
-
-type: keyword
-
-example: Tenable
-
---
-
-*`vulnerability.score.base`*::
-+
---
-Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
-Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)
-
-type: float
-
-example: 5.5
-
---
-
-*`vulnerability.score.environmental`*::
-+
---
-Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
-Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)
-
-type: float
-
-example: 5.5
-
---
-
-*`vulnerability.score.temporal`*::
-+
---
-Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
-Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document)
-
-type: float
-
---
-
-*`vulnerability.score.version`*::
-+
---
-The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.
-CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)
-
-type: keyword
-
-example: 2.0
-
---
-
-*`vulnerability.severity`*::
-+
---
-The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
-
-type: keyword
-
-example: Critical
-
---
-
-[float]
-=== x509
-
-This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.
-When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`).
-Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.
-
-
-*`x509.alternative_names`*::
-+
---
-List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
-
-type: keyword
-
-example: *.elastic.co
-
---
-
-*`x509.issuer.common_name`*::
-+
---
-List of common name (CN) of issuing certificate authority.
-
-type: keyword
-
-example: Example SHA2 High Assurance Server CA
-
---
-
-*`x509.issuer.country`*::
-+
---
-List of country (C) codes
-
-type: keyword
-
-example: US
-
---
-
-*`x509.issuer.distinguished_name`*::
-+
---
-Distinguished name (DN) of issuing certificate authority.
-
-type: keyword
-
-example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
-
---
-
-*`x509.issuer.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: Mountain View
-
---
-
-*`x509.issuer.organization`*::
-+
---
-List of organizations (O) of issuing certificate authority.
-
-type: keyword
-
-example: Example Inc
-
---
-
-*`x509.issuer.organizational_unit`*::
-+
---
-List of organizational units (OU) of issuing certificate authority.
-
-type: keyword
-
-example: www.example.com
-
---
-
-*`x509.issuer.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`x509.not_after`*::
-+
---
-Time at which the certificate is no longer considered valid.
-
-type: date
-
-example: 2020-07-16 03:15:39+00:00
-
---
-
-*`x509.not_before`*::
-+
---
-Time at which the certificate is first considered valid.
-
-type: date
-
-example: 2019-08-16 01:40:25+00:00
-
---
-
-*`x509.public_key_algorithm`*::
-+
---
-Algorithm used to generate the public key.
-
-type: keyword
-
-example: RSA
-
---
-
-*`x509.public_key_curve`*::
-+
---
-The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-
-type: keyword
-
-example: nistp521
-
---
-
-*`x509.public_key_exponent`*::
-+
---
-Exponent used to derive the public key. This is algorithm specific.
-
-type: long
-
-example: 65537
-
-Field is not indexed.
-
---
-
-*`x509.public_key_size`*::
-+
---
-The size of the public key space in bits.
-
-type: long
-
-example: 2048
-
---
-
-*`x509.serial_number`*::
-+
---
-Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
-
-type: keyword
-
-example: 55FBB9C7DEBF09809D12CCAA
-
---
-
-*`x509.signature_algorithm`*::
-+
---
-Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
-
-type: keyword
-
-example: SHA256-RSA
-
---
-
-*`x509.subject.common_name`*::
-+
---
-List of common names (CN) of subject.
-
-type: keyword
-
-example: shared.global.example.net
-
---
-
-*`x509.subject.country`*::
-+
---
-List of country (C) code
-
-type: keyword
-
-example: US
-
---
-
-*`x509.subject.distinguished_name`*::
-+
---
-Distinguished name (DN) of the certificate subject entity.
-
-type: keyword
-
-example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
-
---
-
-*`x509.subject.locality`*::
-+
---
-List of locality names (L)
-
-type: keyword
-
-example: San Francisco
-
---
-
-*`x509.subject.organization`*::
-+
---
-List of organizations (O) of subject.
-
-type: keyword
-
-example: Example, Inc.
-
---
-
-*`x509.subject.organizational_unit`*::
-+
---
-List of organizational units (OU) of subject.
-
-type: keyword
-
---
-
-*`x509.subject.state_or_province`*::
-+
---
-List of state or province names (ST, S, or P)
-
-type: keyword
-
-example: California
-
---
-
-*`x509.version_number`*::
-+
---
-Version of x509 format.
-
-type: keyword
-
-example: 3
-
---
-
-[[exported-fields-eventlog]]
-== Legacy Winlogbeat alias fields
-
-Field aliases based on Winlogbeat 6.x that point to the fields for this version of Winlogbeat. These are added to the index template when `migration.6_to_7.enable: true` is set in the configuration.
-
-
-
-*`activity_id`*::
-+
---
-type: alias
-
-alias to: winlog.activity_id
-
---
-
-*`computer_name`*::
-+
---
-type: alias
-
-alias to: winlog.computer_name
-
---
-
-*`event_id`*::
-+
---
-type: alias
-
-alias to: winlog.event_id
-
---
-
-*`keywords`*::
-+
---
-type: alias
-
-alias to: winlog.keywords
-
---
-
-*`log_name`*::
-+
---
-type: alias
-
-alias to: winlog.channel
-
---
-
-*`message_error`*::
-+
---
-type: alias
-
-alias to: error.message
-
---
-
-*`record_number`*::
-+
---
-type: alias
-
-alias to: winlog.record_id
-
---
-
-*`related_activity_id`*::
-+
---
-type: alias
-
-alias to: winlog.related_activity_id
-
---
-
-*`opcode`*::
-+
---
-type: alias
-
-alias to: winlog.opcode
-
---
-
-*`provider_guid`*::
-+
---
-type: alias
-
-alias to: winlog.provider_guid
-
---
-
-*`process_id`*::
-+
---
-type: alias
-
-alias to: winlog.process.pid
-
---
-
-*`source_name`*::
-+
---
-type: alias
-
-alias to: winlog.provider_name
-
---
-
-*`task`*::
-+
---
-type: alias
-
-alias to: winlog.task
-
---
-
-*`thread_id`*::
-+
---
-type: alias
-
-alias to: winlog.process.thread.id
-
---
-
-*`user.identifier`*::
-+
---
-type: alias
-
-alias to: winlog.user.identifier
-
---
-
-*`user.type`*::
-+
---
-type: alias
-
-alias to: winlog.user.type
-
---
-
-*`version`*::
-+
---
-type: alias
-
-alias to: winlog.version
-
---
-
-*`xml`*::
-+
---
-type: alias
-
-alias to: event.original
-
---
-
-[[exported-fields-host-processor]]
-== Host fields
-
-Info collected for the host machine.
-
-
-
-
-*`host.containerized`*::
-+
---
-If the host is a container.
-
-
-type: boolean
-
---
-
-*`host.os.build`*::
-+
---
-OS build information.
-
-
-type: keyword
-
-example: 18D109
-
---
-
-*`host.os.codename`*::
-+
---
-OS codename, if any.
-
-
-type: keyword
-
-example: stretch
-
---
-
-[[exported-fields-jolokia-autodiscover]]
-== Jolokia Discovery autodiscover provider fields
-
-Metadata from Jolokia Discovery added by the jolokia provider.
-
-
-
-*`jolokia.agent.version`*::
-+
---
-Version number of jolokia agent.
-
-
-type: keyword
-
---
-
-*`jolokia.agent.id`*::
-+
---
-Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.
-
-
-type: keyword
-
---
-
-*`jolokia.server.product`*::
-+
---
-The container product if detected.
-
-
-type: keyword
-
---
-
-*`jolokia.server.version`*::
-+
---
-The container's version (if detected).
-
-
-type: keyword
-
---
-
-*`jolokia.server.vendor`*::
-+
---
-The vendor of the container the agent is running in.
-
-
-type: keyword
-
---
-
-*`jolokia.url`*::
-+
---
-The URL how this agent can be contacted.
-
-
-type: keyword
-
---
-
-*`jolokia.secured`*::
-+
---
-Whether the agent was configured for authentication or not.
-
-
-type: boolean
-
---
-
-[[exported-fields-kubernetes-processor]]
-== Kubernetes fields
-
-Kubernetes metadata added by the kubernetes processor
-
-
-
-
-*`kubernetes.pod.name`*::
-+
---
-Kubernetes pod name
-
-
-type: keyword
-
---
-
-*`kubernetes.pod.uid`*::
-+
---
-Kubernetes Pod UID
-
-
-type: keyword
-
---
-
-*`kubernetes.pod.ip`*::
-+
---
-Kubernetes Pod IP
-
-
-type: ip
-
---
-
-*`kubernetes.namespace`*::
-+
---
-Kubernetes namespace
-
-
-type: keyword
-
---
-
-*`kubernetes.node.name`*::
-+
---
-Kubernetes node name
-
-
-type: keyword
-
---
-
-*`kubernetes.node.hostname`*::
-+
---
-Kubernetes hostname as reported by the node’s kernel
-
-
-type: keyword
-
---
-
-*`kubernetes.labels.*`*::
-+
---
-Kubernetes labels map
-
-
-type: object
-
---
-
-*`kubernetes.annotations.*`*::
-+
---
-Kubernetes annotations map
-
-
-type: object
-
---
-
-*`kubernetes.selectors.*`*::
-+
---
-Kubernetes selectors map
-
-
-type: object
-
---
-
-*`kubernetes.replicaset.name`*::
-+
---
-Kubernetes replicaset name
-
-
-type: keyword
-
---
-
-*`kubernetes.deployment.name`*::
-+
---
-Kubernetes deployment name
-
-
-type: keyword
-
---
-
-*`kubernetes.statefulset.name`*::
-+
---
-Kubernetes statefulset name
-
-
-type: keyword
-
---
-
-*`kubernetes.container.name`*::
-+
---
-Kubernetes container name (different than the name from the runtime)
-
-
-type: keyword
-
---
-
-[[exported-fields-powershell]]
-== PowerShell module fields
-
-These are the event fields specific to the module for the Microsoft-Windows-PowerShell/Operational and Windows PowerShell logs.
-
-
-
-*`powershell.id`*::
-+
---
-Shell Id.
-
-type: keyword
-
-example: Microsoft Powershell
-
---
-
-*`powershell.pipeline_id`*::
-+
---
-Pipeline id.
-
-type: keyword
-
-example: 1
-
---
-
-*`powershell.runspace_id`*::
-+
---
-Runspace id.
-
-type: keyword
-
-example: 4fa9074d-45ab-4e53-9195-e91981ac2bbb
-
---
-
-*`powershell.sequence`*::
-+
---
-Sequence number of the powershell execution.
-
-type: long
-
-example: 1
-
---
-
-*`powershell.total`*::
-+
---
-Total number of messages in the sequence.
-
-type: long
-
-example: 10
-
---
-
-[float]
-=== powershell.command
-
-Data related to the executed command.
-
-
-*`powershell.command.path`*::
-+
---
-Path of the executed command.
-
-type: keyword
-
-example: C:\Windows\system32\cmd.exe
-
---
-
-*`powershell.command.name`*::
-+
---
-Name of the executed command.
-
-type: keyword
-
-example: cmd.exe
-
---
-
-*`powershell.command.type`*::
-+
---
-Type of the executed command.
-
-type: keyword
-
-example: Application
-
---
-
-*`powershell.command.value`*::
-+
---
-The invoked command.
-
-type: text
-
-example: Import-LocalizedData  LocalizedData -filename ArchiveResources
-
---
-
-*`powershell.command.invocation_details`*::
-+
---
-An array of objects containing detailed information of the executed command.
-
-
-type: array
-
---
-
-*`powershell.command.invocation_details.type`*::
-+
---
-The type of detail.
-
-type: keyword
-
-example: CommandInvocation
-
---
-
-*`powershell.command.invocation_details.related_command`*::
-+
---
-The command to which the detail is related to.
-
-type: keyword
-
-example: Add-Type
-
---
-
-*`powershell.command.invocation_details.name`*::
-+
---
-Only used for ParameterBinding detail type. Indicates the parameter name.
-
-
-type: keyword
-
-example: AssemblyName
-
---
-
-*`powershell.command.invocation_details.value`*::
-+
---
-The value of the detail. The meaning of it will depend on the detail type.
-
-
-type: text
-
-example: System.IO.Compression.FileSystem
-
---
-
-[float]
-=== powershell.connected_user
-
-Data related to the connected user executing the command.
-
-
-*`powershell.connected_user.domain`*::
-+
---
-User domain.
-
-type: keyword
-
-example: VAGRANT
-
---
-
-*`powershell.connected_user.name`*::
-+
---
-User name.
-
-type: keyword
-
-example: vagrant
-
---
-
-[float]
-=== powershell.engine
-
-Data related to the PowerShell engine.
-
-
-*`powershell.engine.version`*::
-+
---
-Version of the PowerShell engine version used to execute the command.
-
-type: keyword
-
-example: 5.1.17763.1007
-
---
-
-*`powershell.engine.previous_state`*::
-+
---
-Previous state of the PowerShell engine.
-
-
-type: keyword
-
-example: Available
-
---
-
-*`powershell.engine.new_state`*::
-+
---
-New state of the PowerShell engine.
-
-
-type: keyword
-
-example: Stopped
-
---
-
-[float]
-=== powershell.file
-
-Data related to the executed script file.
-
-
-*`powershell.file.script_block_id`*::
-+
---
-Id of the executed script block.
-
-type: keyword
-
-example: 50d2dbda-7361-4926-a94d-d9eadfdb43fa
-
---
-
-*`powershell.file.script_block_text`*::
-+
---
-Text of the executed script block.
-
-
-type: text
-
-example: .\a_script.ps1
-
---
-
-*`powershell.process.executable_version`*::
-+
---
-Version of the engine hosting process executable.
-
-type: keyword
-
-example: 5.1.17763.1007
-
---
-
-[float]
-=== powershell.provider
-
-Data related to the PowerShell engine host.
-
-
-*`powershell.provider.new_state`*::
-+
---
-New state of the PowerShell provider.
-
-
-type: keyword
-
-example: Active
-
---
-
-*`powershell.provider.name`*::
-+
---
-Provider name.
-
-
-type: keyword
-
-example: Variable
-
---
-
-[[exported-fields-process]]
-== Process fields
-
-Process metadata fields
-
-
-
-
-*`process.exe`*::
-+
---
-type: alias
-
-alias to: process.executable
-
---
-
-[float]
-=== owner
-
-Process owner information.
-
-
-*`process.owner.id`*::
-+
---
-Unique identifier of the user.
-
-type: keyword
-
---
-
-*`process.owner.name`*::
-+
---
-Short name or login of the user.
-
-type: keyword
-
-example: albert
-
---
-
-*`process.owner.name.text`*::
-+
---
-type: text
-
---
-
-[[exported-fields-security]]
-== Security module fields
-
-These are the event fields specific to the module for the Security log.
-
-
-
-[float]
-=== winlog.logon
-
-Data related to a Windows logon.
-
-
-*`winlog.logon.type`*::
-+
---
-Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module.
-
-
-type: keyword
-
-example: RemoteInteractive
-
---
-
-*`winlog.logon.id`*::
-+
---
-Logon ID that can be used to associate this logon with other events related to the same logon session.
-
-
-type: keyword
-
---
-
-*`winlog.logon.failure.reason`*::
-+
---
-The reason the logon failed.
-
-
-type: keyword
-
---
-
-*`winlog.logon.failure.status`*::
-+
---
-The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field.
-
-
-type: keyword
-
---
-
-*`winlog.logon.failure.sub_status`*::
-+
---
-Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field.
-
-
-type: keyword
-
---
-
-[[exported-fields-sysmon]]
-== Sysmon module fields
-
-These are the event fields specific to the Sysmon module.
-
-
-
-*`sysmon.dns.status`*::
-+
---
-Windows status code returned for the DNS query.
-
-type: keyword
-
---
-
-*`sysmon.file.archived`*::
-+
---
-Indicates if the deleted file was archived.
-
-type: boolean
-
---
-
-*`sysmon.file.is_executable`*::
-+
---
-Indicates if the deleted file was an executable.
-
-type: boolean
-
---
-
-[[exported-fields-winlog]]
-== Winlogbeat fields
-
-Fields from the Windows Event Log.
-
-
-
-*`event.original`*::
-+
---
-The raw XML representation of the event obtained from Windows. This field is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer). This field is not included by default and must be enabled by setting `include_xml: true` as a configuration option for an individual event log.
-The XML representation of the event is useful for troubleshooting purposes. The data in the fields reported by Winlogbeat can be compared to the data in the XML to diagnose problems.
-
-
---
-
-[float]
-=== winlog
-
-All fields specific to the Windows Event Log are defined here.
-
-
-
-*`winlog.activity_id`*::
-+
---
-A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
-
-
-type: keyword
-
-required: False
-
---
-
-*`winlog.computer_name`*::
-+
---
-The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
-
-
-type: keyword
-
-required: True
-
---
-
-*`winlog.computerObject.domain`*::
-+
---
-The domain of the account that was added, modified or deleted in the event.
-
-
-type: keyword
-
-required: False
-
---
-
-*`winlog.computerObject.id`*::
-+
---
-A globally unique identifier that identifies the target device.
-
-
-type: keyword
-
-required: False
-
---
-
-*`winlog.computerObject.name`*::
-+
---
-The account name that was added, modified or deleted in the event.
-
-
-type: keyword
-
-required: False
-
---
-
-*`winlog.event_data`*::
-+
---
-The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
-
-
-type: object
-
-required: False
-
---
-
-[float]
-=== event_data
-
-This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
-
-
-
-*`winlog.event_data.AuthenticationPackageName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Binary`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.BitlockerUserInputTime`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.BootMode`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.BootType`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.BuildVersion`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.CallTrace`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.ClientInfo`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Company`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Configuration`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.CorruptionActionState`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.CreationUtcTime`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Description`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Detail`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.DeviceName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.DeviceNameLength`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.DeviceTime`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.DeviceVersionMajor`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.DeviceVersionMinor`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.DriveName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.DriverName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.DriverNameLength`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.DwordVal`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.EntryCount`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.EventType`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.EventNamespace`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.ExtraInfo`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.FailureName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.FailureNameLength`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.FileVersion`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.FinalStatus`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.GrantedAccess`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Group`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.IdleImplementation`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.IdleStateCount`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.ImpersonationLevel`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.IntegrityLevel`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.IpAddress`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.IpPort`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.KeyLength`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.LastBootGood`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.LastShutdownGood`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.LmPackageName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.LogonGuid`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.LogonId`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.LogonProcessName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.LogonType`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.MajorVersion`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.MaximumPerformancePercent`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.MemberName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.MemberSid`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.MinimumPerformancePercent`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.MinimumThrottlePercent`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.MinorVersion`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Name`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.NewProcessId`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.NewProcessName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.NewSchemeGuid`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.NewThreadId`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.NewTime`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.NominalFrequency`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Number`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.OldSchemeGuid`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.OldTime`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Operation`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.OriginalFileName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Path`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.PerformanceImplementation`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.PreviousCreationUtcTime`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.PreviousTime`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.PrivilegeList`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.ProcessId`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.ProcessName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.ProcessPath`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.ProcessPid`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Product`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.PuaCount`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.PuaPolicyId`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.QfeVersion`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Query`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Reason`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.SchemaVersion`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.ScriptBlockText`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.ServiceName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.ServiceVersion`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Session`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.ShutdownActionType`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.ShutdownEventCode`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.ShutdownReason`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Signature`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.SignatureStatus`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Signed`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.StartAddress`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.StartFunction`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.StartModule`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.StartTime`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.State`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Status`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.StopTime`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.SubjectDomainName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.SubjectLogonId`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.SubjectUserName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.SubjectUserSid`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.TSId`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.TargetDomainName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.TargetImage`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.TargetInfo`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.TargetLogonGuid`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.TargetLogonId`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.TargetProcessGUID`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.TargetProcessId`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.TargetServerName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.TargetUserName`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.TargetUserSid`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.TerminalSessionId`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.TokenElevationType`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.TransmittedServices`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Type`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.UserSid`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Version`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.Workstation`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.param1`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.param2`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.param3`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.param4`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.param5`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.param6`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.param7`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_data.param8`*::
-+
---
-type: keyword
-
---
-
-*`winlog.event_id`*::
-+
---
-The event identifier. The value is specific to the source of the event.
-
-
-type: keyword
-
-required: True
-
---
-
-*`winlog.keywords`*::
-+
---
-The keywords are used to classify an event.
-
-
-type: keyword
-
-required: False
-
---
-
-*`winlog.channel`*::
-+
---
-The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
-
-
-type: keyword
-
-required: True
-
---
-
-*`winlog.record_id`*::
-+
---
-The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
-
-
-type: keyword
-
-required: True
-
---
-
-*`winlog.related_activity_id`*::
-+
---
-A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.
-
-
-type: keyword
-
-required: False
-
---
-
-*`winlog.opcode`*::
-+
---
-The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
-
-
-type: keyword
-
-required: False
-
---
-
-*`winlog.provider_guid`*::
-+
---
-A globally unique identifier that identifies the provider that logged the event.
-
-
-type: keyword
-
-required: False
-
---
-
-*`winlog.process.pid`*::
-+
---
-The process_id of the Client Server Runtime Process.
-
-
-type: long
-
-required: False
-
---
-
-*`winlog.provider_name`*::
-+
---
-The source of the event log record (the application or service that logged the record).
-
-
-type: keyword
-
-required: True
-
---
-
-*`winlog.task`*::
-+
---
-The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
-
-
-type: keyword
-
-required: False
-
---
-
-*`winlog.time_created`*::
-+
---
-The event creation time.
-
-
-type: date
-
-required: False
-
---
-
-*`winlog.trustAttribute`*::
-+
---
-The decimal value of attributes for new trust created to a domain.
-
-
-type: keyword
-
-required: False
-
---
-
-*`winlog.trustDirection`*::
-+
---
-The direction of new trust created to a domain.
-Possible values are `TRUST_DIRECTION_DISABLED`, `TRUST_DIRECTION_INBOUND`, `TRUST_DIRECTION_OUTBOUND` and `TRUST_DIRECTION_BIDIRECTIONAL`
-
-
-type: keyword
-
-required: False
-
---
-
-*`winlog.trustType`*::
-+
---
-The account name that was added, modified or deleted in the event.
-Possible values are `TRUST_TYPE_DOWNLEVEL`, `TRUST_TYPE_UPLEVEL`, `TRUST_TYPE_MIT` and `TRUST_TYPE_DCE`
-
-
-type: keyword
-
-required: False
-
---
-
-*`winlog.process.thread.id`*::
-+
---
-type: long
-
-required: False
-
---
-
-*`winlog.user_data`*::
-+
---
-The event specific data. This field is mutually exclusive with `event_data`.
-
-
-type: object
-
-required: False
-
---
-
-*`winlog.user.identifier`*::
-+
---
-The Windows security identifier (SID) of the account associated with this event.
-If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
-
-
-type: keyword
-
-example: S-1-5-21-3541430928-2051711210-1391384369-1001
-
-required: False
-
---
-
-*`winlog.user.name`*::
-+
---
-Name of the user associated with this event.
-
-
-type: keyword
-
---
-
-*`winlog.user.domain`*::
-+
---
-The domain that the account associated with this event is a member of.
-
-
-type: keyword
-
-required: False
-
---
-
-*`winlog.user.type`*::
-+
---
-The type of account associated with this event.
-
-
-type: keyword
-
-required: False
-
---
-
-*`winlog.version`*::
-+
---
-The version number of the event's definition.
-
-type: long
-
-required: False
-
---
-
-:edit_url!:
\ No newline at end of file
diff --git a/winlogbeat/docs/getting-started.asciidoc b/winlogbeat/docs/getting-started.asciidoc
deleted file mode 100644
index e9772e597af8..000000000000
--- a/winlogbeat/docs/getting-started.asciidoc
+++ /dev/null
@@ -1,234 +0,0 @@
-[id="{beatname_lc}-installation-configuration"]
-== {beatname_uc} quick start: installation and configuration
-
-++++
-<titleabbrev>Quick start: installation and configuration</titleabbrev>
-++++
-
-This guide describes how to get started quickly with Windows log monitoring.
-You'll learn how to:
-
-* install {beatname_uc} on each system you want to monitor
-* specify the location of your log files
-* parse log data into fields and send it to {es}
-* visualize the log data in {kib}
-
-[role="screenshot"]
-image::./images/winlogbeat-dashboard.png[{beatname_uc} dashboard]
-
-[float]
-=== Before you begin
-
-You need {es} for storing and searching your data, and {kib} for visualizing and
-managing it.
-
-include::{libbeat-dir}/tab-widgets/spinup-stack-widget.asciidoc[]
-
-[float]
-[[installation]]
-=== Step 1: Install {beatname_uc}
-
-. Download the {beatname_uc} zip file from the
-https://www.elastic.co/downloads/beats/winlogbeat[downloads page].
-. Extract the contents into `C:\Program Files`.
-. Rename the `winlogbeat-<version>` directory to `Winlogbeat`.
-. Open a PowerShell prompt as an Administrator (right-click on the PowerShell
-icon and select Run As Administrator).
-. From the PowerShell prompt, run the following commands to install the service.
-
-["source","sh",subs="attributes,callouts"]
-----
-PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'
-PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1
-
-Security warning
-Run only scripts that you trust. While scripts from the internet can be useful,
-this script can potentially harm your computer. If you trust this script, use
-the Unblock-File cmdlet to allow the script to run without this warning message.
-Do you want to run C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1?
-[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
-
-Status   Name               DisplayName
-------   ----               -----------
-Stopped  winlogbeat         winlogbeat
-----
-
-NOTE: If script execution is disabled on your system, you need to set the
-execution policy for the current session to allow the script to run. For example:
-`PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1`.
-
-NOTE: To use a local non-Administrator account to run Winlogbeat, follow <<local-user-account-setup,these additional steps>>.
-
-[float]
-[[set-connection]]
-=== Step 2: Connect to the {stack}
-
-include::{libbeat-dir}/shared/connecting-to-es.asciidoc[]
-
-[float]
-[[configuration]]
-=== Step 3: Configure {beatname_uc}
-
-In `winlogbeat.yml`, configure the event logs that you want to monitor.
-
-. Under `winlogbeat.event_log`, specify a list of event logs to monitor. By
-default, {beatname_uc} monitors application, security, and system logs.
-+
-[source,yaml]
-----
-winlogbeat.event_logs:
-  - name: Application
-  - name: Security
-  - name: System
-----
-+
-To obtain a list of available event logs, run `Get-EventLog *` in PowerShell.
-For more information about this command, see the configuration details for
-<<configuration-winlogbeat-options-event_logs-name,event_logs.name>>.
-
-. (Optional) Set logging options to write Winlogbeat logs to a file:
-+
-[source,yaml]
-----
-logging.to_files: true
-logging.files:
-  path: C:\ProgramData\winlogbeat\Logs
-logging.level: info
-----
-
-. After you save your configuration file, test it with the following command.
-+
-[source,shell]
-----
-PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
-----
-
-
-For more information about configuring {beatname_uc}, also see:
-
-* <<configuring-howto-{beatname_lc},Configure {beatname_uc}>>
-* {beats-ref}/config-file-format.html[Config file format]
-ifeval::["{beatname_lc}"!="apm-server"]
-* <<{beatname_lc}-reference-yml,+{beatname_lc}.reference.yml+>>: This reference configuration
-file shows all non-deprecated options. You'll find it in the same location as
-+{beatname_lc}.yml+.
-
-[float]
-[[setup-assets]]
-=== Step 4: Set up assets
-
-{beatname_uc} comes with predefined assets for parsing, indexing, and
-visualizing your data. To load these assets:
-
-. Make sure the user specified in +{beatname_lc}.yml+ is
-<<privileges-to-setup-beats,authorized to set up {beatname_uc}>>.
-
-. From the installation directory, run:
-+
---
-include::{libbeat-dir}/tab-widgets/setup.asciidoc[tag=win]
---
-
-This step loads the recommended {ref}/index-templates.html[index
-template] for writing to {es} , loads the ingest pipelines to parse
-the events (x-pack only), and deploys the sample dashboards for
-visualizing the data in {kib}.
-
-[TIP]
-=====
-A connection to {es} (or {ess}) is required to set up the initial
-environment. If you're using a different output, such as {ls}, see:
-
-* <<load-template-manually>>
-* <<load-kibana-dashboards>>
-* <<load-ingest-pipelines>> (x-pack only)
-=====
-
-[float]
-[[start]]
-=== Step 5: Start {beatname_uc}
-
-Before starting {beatname_uc}, modify the user credentials in
-+{beatname_lc}.yml+ and specify a user who is
-<<privileges-to-publish-events,authorized to publish events>>.
-
-To start the {beatname_uc} service, run:
-
-// tag::start-step[]
-[source,shell]
-----------------------------------------------------------------------
-PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
-----------------------------------------------------------------------
-
-{beatname_uc} should now be running. If you used the logging configuration
-described here, you can view the log file at
-`C:\ProgramData\winlogbeat\Logs\winlogbeat`.
-
-You can view the status of the service and control it from the Services
-management console in Windows. To launch the management console, run
-this command:
-
-[source,shell]
-----------------------------------------------------------------------
-PS C:\Program Files\Winlogbeat> services.msc
-----------------------------------------------------------------------
-// end::start-step[]
-
-[float]
-==== Stop {beatname_uc}
-
-Stop the {beatname_uc} service with the following command:
-
-[source,shell]
-----------------------------------------------------------------------
-PS C:\Program Files\Winlogbeat> Stop-Service winlogbeat
-----------------------------------------------------------------------
-
-[float]
-[[view-data]]
-=== Step 6: View your data in {kib}
-
-include::{libbeat-dir}/shared/opendashboards.asciidoc[tag=open-dashboards-intro]
-
-include::{libbeat-dir}/shared/opendashboards.asciidoc[tag=open-dashboards]
-
-[float]
-[[local-user-account-setup]]
-=== Using a local non-Administrator account to run Winlogbeat
-
-By default, the +{beatname_uc}+ service runs as the `Local System` account. 
-If you want to run the +{beatname_uc}+ service as a local user account 
-that is not an Administrator, then follow the steps below. The local user account 
-must be granted `Log on as a service` in the security policy 
-and be made part of the `Builtin\Event Log Readers` group to read the event log. 
-
-. Open the Services Management console with this command:
-+
-[source,shell]
-----------------------------------------------------------------------
-PS C:\Program Files\Winlogbeat> services.msc
-----------------------------------------------------------------------
-+
-. Right-click on service named +{beatname_lc}+ and select `Properties`
-. Under `Log On` tab, select `This account:` and browse for the local account user 
-that you want to run {beatname_uc} service as.
-. Enter local user account's password and click `Apply`.
-. Search and open `Local Group Policy Editor` in Windows search or 
-run `gpedit.msc` from Powershell.
-. Navigate to path: `Computer Settings → Security Settings → Local Policies` 
-and open `User Rights Assignment` under it.
-. Inside `User Rights Assignment`, add your local user account to the policy named 
-`Log on as a service`. This should allow your local user account log on as a service.
-. Open `Local Users and Group Manager` by running `lusrmgr.msc` in Powershell.
-. Under `Users`, right-click on your local account user and open `Properties`.
-. Select `Member of` tab and click on `Add...`
-. Find and select the group named `Event Log Readers` and click `Apply`. 
-This should allow your local account user to read the event log.
-
-[float]
-=== What's next?
-
-Now that you have your logs streaming into {es}, learn how to unify your logs,
-metrics, uptime, and application performance data.
-
-include::{libbeat-dir}/shared/obs-apps.asciidoc[]
diff --git a/winlogbeat/docs/howto/howto.asciidoc b/winlogbeat/docs/howto/howto.asciidoc
deleted file mode 100644
index cf3756a5c952..000000000000
--- a/winlogbeat/docs/howto/howto.asciidoc
+++ /dev/null
@@ -1,41 +0,0 @@
-[[howto-guides]]
-= How to guides
-
-[partintro]
---
-Learn how to perform common {beatname_uc} configuration tasks.
-
-* <<{beatname_lc}-geoip>>
-* <<{beatname_lc}-template>>
-* <<change-index-name>>
-* <<load-kibana-dashboards>>
-* <<load-ingest-pipelines>>
-* <<using-environ-vars>>
-* <<configuring-ingest-node>>
-* <<yaml-tips>>
-
-
---
-
-include::{libbeat-dir}/shared-geoip.asciidoc[]
-
-include::{libbeat-dir}/howto/load-index-templates.asciidoc[]
-
-include::{libbeat-dir}/howto/change-index-name.asciidoc[]
-
-include::{libbeat-dir}/howto/load-dashboards.asciidoc[]
-
-include::load-ingest-pipelines.asciidoc[]
-
-:standalone:
-include::{libbeat-dir}/shared-env-vars.asciidoc[]
-:standalone!:
-
-include::{libbeat-dir}/shared-config-ingest.asciidoc[]
-
-:standalone:
-include::{libbeat-dir}/yaml.asciidoc[]
-:standalone!:
-
-
-
diff --git a/winlogbeat/docs/howto/load-ingest-pipelines.asciidoc b/winlogbeat/docs/howto/load-ingest-pipelines.asciidoc
deleted file mode 100644
index 0d7f842249e1..000000000000
--- a/winlogbeat/docs/howto/load-ingest-pipelines.asciidoc
+++ /dev/null
@@ -1,56 +0,0 @@
-[[load-ingest-pipelines]]
-== Load ingest pipelines
-
-{beatname_uc} modules are implemented using {es} ingest node
-pipelines.  The events receive their transformations within
-{es}.  The ingest node pipelines must be loaded
-into {es}.  This can happen one of several ways.
-
-[id="{beatname_lc}-load-pipeline-auto"]
-[float]
-=== On connection to {es}
-
-{beatname_uc} will send ingest pipelines automatically to {es} if the
-{es} output is enabled.
-
-Make sure the user specified in +{beatname_lc}.yml+ is
-<<privileges-to-setup-beats,authorized to set up {beatname_uc}>>.
-
-If {beatname_uc} is sending events to {ls} or another output you need
-to load the ingest pipelines with the `setup` command or manually.
-
-[id="{beatname_lc}-load-pipeline-setup"]
-[float]
-=== setup command
-
-On a machine that has {beatname_uc} installed and has {es} configured
-as the output, run the `setup` command with the `--pipelines` option
-specified.  For example, the following command loads the ingest
-pipelines:
-
-
-["source","sh",subs="attributes"]
-----
-PS > .{backslash}{beatname_lc}.exe setup --pipelines
-----
-
-Make sure the user specified in +{beatname_lc}.yml+ is
-<<privileges-to-setup-beats,authorized to set up {beatname_uc}>>.
-
-[id="{beatname_lc}-load-pipeline-manual"]
-[float]
-=== Manually install pipelines
-
-On a machine that has {beatname_uc} installed export the the pipelines
-to disk. This can be done with the `export` command with `pipelines`
-option specified.  For example, the following command exports the
-ingest pipelines:
-
-["source", "sh", subs="attributes"]
-----
-PS> .{backslash}{beatname_lc}.exe export pipelines --es.version=7.16.0
-----
-
-Once the pipelines have been exported you can load them into {es} with
-the `_ingest/pipeline` REST API call.  The user making the REST API
-call will need to have the `ingest_admin` role assigned to them.
diff --git a/winlogbeat/docs/index.asciidoc b/winlogbeat/docs/index.asciidoc
deleted file mode 100644
index 6b3e77eaf9a8..000000000000
--- a/winlogbeat/docs/index.asciidoc
+++ /dev/null
@@ -1,57 +0,0 @@
-= Winlogbeat Reference
-
-:libbeat-dir: {docdir}/../../libbeat/docs
-
-include::{libbeat-dir}/version.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/versions/stack/{source_branch}.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
-
-:beatname_lc: winlogbeat
-:beatname_uc: Winlogbeat
-:beatname_pkg: {beatname_lc}
-:github_repo_name: beats
-:discuss_forum: beats/{beatname_lc}
-:beat_default_index_prefix: {beatname_lc}
-:has_registry:
-:ignores_max_retries:
-:win_os:
-:win_only:
-:no_cache_processor:
-:no_decode_cef_processor:
-:no_decode_csv_fields_processor:
-:no_parse_aws_vpc_flow_log_processor:
-:include_translate_sid_processor:
-:export_pipeline:
-:no_add_session_metadata_processor:
-
-include::{libbeat-dir}/shared-beats-attributes.asciidoc[]
-
-include::./overview.asciidoc[]
-
-include::./getting-started.asciidoc[]
-
-include::./setting-up-running.asciidoc[]
-
-include::./upgrading.asciidoc[]
-
-include::./configuring-howto.asciidoc[]
-
-include::{docdir}/howto/howto.asciidoc[]
-
-include::./modules.asciidoc[]
-
-include::./fields.asciidoc[]
-
-include::{libbeat-dir}/monitoring/monitoring-beats.asciidoc[]
-
-include::{libbeat-dir}/shared-securing-beat.asciidoc[]
-
-include::./troubleshooting.asciidoc[]
-
-include::./faq.asciidoc[]
-
-include::{libbeat-dir}/contributing-to-beats.asciidoc[]
-
-
diff --git a/winlogbeat/docs/metrics-winlogbeat.asciidoc b/winlogbeat/docs/metrics-winlogbeat.asciidoc
deleted file mode 100644
index 7c3c9eed943e..000000000000
--- a/winlogbeat/docs/metrics-winlogbeat.asciidoc
+++ /dev/null
@@ -1,21 +0,0 @@
-[[metrics-winlogbeat]]
-=== Event Processing Metrics
-
-Winlogbeat exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the event log processing activity of Winlogbeat.
-
-[float]
-==== Winlog Metrics
-
-[options="header"]
-|=======
-| Metric                   | Description
-| `provider`               | Name of the provider being read.
-| `received_events_total`  | Total number of events received.
-| `discarded_events_total` | Total number of discarded events.
-| `errors_total`           | Total number of errors.
-| `received_events_count`  | Histogram of the number of events in each non-zero batch.
-| `source_lag_time`        | Histogram of the difference in nanoseconds between timestamped event's creation and reading.
-| `batch_read_period`      | Histogram of the elapsed time in nanoseconds between non-zero batch reads.
-|=======
diff --git a/winlogbeat/docs/modules.asciidoc b/winlogbeat/docs/modules.asciidoc
deleted file mode 100644
index db319c3ea656..000000000000
--- a/winlogbeat/docs/modules.asciidoc
+++ /dev/null
@@ -1,73 +0,0 @@
-[id="{beatname_lc}-modules"]
-[role="xpack"]
-= Modules
-
-[partintro]
---
-NOTE: Winlogbeat modules have changed in 8.0.0 to use Elasticsearch Ingest Node
-for processing. If you are upgrading from 7.x please review the documentation
-and see the default configuration file.
-
-This section contains detailed information about the available Windows event
-log processing modules contained in {beatname_uc}. More details about each
-module can be found in the module's documentation.
-
-{beatname_uc} modules are implemented using Elasticsearch Ingest Node pipelines.
-The events receive their transformations within Elasticsearch. All events are
-sent through {beatname_uc}'s "routing" pipeline that routes events to specific
-module pipelines based on their `winlog.channel` value.
-
-{beatname_uc}'s default config file contains the option to send all events to
-the routing pipeline. If you remove this option then the module processing
-will not be applied.
-
-[source,yaml,subs="attributes"]
-----
-output.elasticsearch.pipeline: winlogbeat-%{[agent.version]}-routing
-----
-
-The general goal of each module is to transform events by renaming fields to
-comply with the {ecs-ref}/index.html[Elastic Common Schema] (ECS). The modules
-may also apply additional categorization, tagging, and parsing as necessary.
-
-NOTE: The provided modules only support events in English. For more information
-about how to configure the language in `winlogbeat`, refer to <<configuration-winlogbeat-options>>.
-
-[id="{beatname_lc}-modules-setup"]
-[float]
-=== Setup of Ingest Node pipelines
-
-{beatname_uc}'s Ingest Node pipelines must be installed to Elasticsearch if you
-want to apply the module processing to events. The simplest way to get started
-is to use the Elasticsearch output and Winlogbeat will automatically install
-the pipelines when it first connects to Elasticsearch.
-
-Installation Methods
-
-1. <<{beatname_lc}-load-pipeline-auto>>
-2. <<{beatname_lc}-load-pipeline-setup>>
-3. <<{beatname_lc}-load-pipeline-manual>>
-
-[float]
-=== Usage with Forwarded Events
-
-No special configuration options are required when working with the
-`ForwardedEvents` channel. The events in this log retain the channel name
-of their origin (e.g. `winlog.channel: Security`). And because the routing
-pipeline processes events based on the channel name no special config is
-necessary.
-
-[source,yaml]
-----
-winlogbeat.event_logs:
-- name: ForwardedEvents
-  tags: [forwarded]
-  language: 0x0409 # en-US
-
-output.elasticsearch.pipeline: winlogbeat-%{[agent.version]}-routing
-----
-
-[float]
-=== Modules
-
-include::modules_list.asciidoc[]
diff --git a/winlogbeat/docs/modules_list.asciidoc b/winlogbeat/docs/modules_list.asciidoc
deleted file mode 100644
index 7383fefc1649..000000000000
--- a/winlogbeat/docs/modules_list.asciidoc
+++ /dev/null
@@ -1,14 +0,0 @@
-////
-This file is generated! See scripts/mage/docs.go or run 'mage docs'.
-////
-
-  * <<{beatname_lc}-module-powershell,Powershell>>
-  * <<{beatname_lc}-module-security,Security>>
-  * <<{beatname_lc}-module-sysmon,Sysmon>>
-
---
-
-
-include::./modules/powershell.asciidoc[]
-include::./modules/security.asciidoc[]
-include::./modules/sysmon.asciidoc[]
diff --git a/winlogbeat/docs/overview.asciidoc b/winlogbeat/docs/overview.asciidoc
deleted file mode 100644
index aef277fa3194..000000000000
--- a/winlogbeat/docs/overview.asciidoc
+++ /dev/null
@@ -1,21 +0,0 @@
-== Winlogbeat Overview
-
-Winlogbeat ships Windows event logs to Elasticsearch or Logstash. You can
-install it as a Windows service.
-
-Winlogbeat reads from one or more event logs using Windows APIs, filters the
-events based on user-configured criteria, then sends the event data to the
-configured outputs (Elasticsearch or Logstash). Winlogbeat watches the event
-logs so that new event data is sent in a timely manner. The read position for
-each event log is persisted to disk to allow Winlogbeat to resume after
-restarts.
-
-Winlogbeat can capture event data from any event logs running on your system.
-For example, you can capture events such as:
-
-* application events
-* hardware events
-* security events
-* system events
-
-include::{libbeat-dir}/shared-libbeat-description.asciidoc[]
diff --git a/winlogbeat/docs/setting-up-running.asciidoc b/winlogbeat/docs/setting-up-running.asciidoc
deleted file mode 100644
index fe31d8e41fdf..000000000000
--- a/winlogbeat/docs/setting-up-running.asciidoc
+++ /dev/null
@@ -1,42 +0,0 @@
-/////
-// NOTE:
-// Each beat has its own setup overview to allow for the addition of content
-// that is unique to each beat.
-/////
-
-[[setting-up-and-running]]
-== Set up and run {beatname_uc}
-
-++++
-<titleabbrev>Set up and run</titleabbrev>
-++++
-
-Before reading this section, see
-<<{beatname_lc}-installation-configuration>> for basic
-installation instructions to get you started.
-
-This section includes additional information on how to install, set up, and run
-{beatname_uc}, including:
-
-* <<directory-layout>>
-
-* <<keystore>>
-
-* <<command-line-options>>
-
-* <<{beatname_lc}-starting>>
-
-* <<shutdown>>
-
-
-//MAINTAINERS: If you add a new file to this section, make sure you update the bulleted list ^^ too.
-
-include::{libbeat-dir}/shared-directory-layout.asciidoc[]
-
-include::{libbeat-dir}/keystore.asciidoc[]
-
-include::{libbeat-dir}/command-reference.asciidoc[]
-
-include::{libbeat-dir}/shared/start-beat.asciidoc[]
-
-include::{libbeat-dir}/shared/shutdown.asciidoc[]
diff --git a/winlogbeat/docs/troubleshooting.asciidoc b/winlogbeat/docs/troubleshooting.asciidoc
deleted file mode 100644
index e14d6802c2aa..000000000000
--- a/winlogbeat/docs/troubleshooting.asciidoc
+++ /dev/null
@@ -1,40 +0,0 @@
-[[troubleshooting]]
-= Troubleshoot
-
-[partintro]
---
-If you have issues installing or running Winlogbeat, read the following tips:
-
-* <<getting-help>>
-* <<enable-winlogbeat-debugging>>
-* <<understand-{beatname_lc}-logs>>
-* <<faq>>
-
-//sets block macro for getting-help.asciidoc included in next section
-
---
-
-[[getting-help]]
-== Get Help
-
-include::{libbeat-dir}/getting-help.asciidoc[]
-
-//sets block macro for debugging.asciidoc included in next section
-
-
-[[enable-winlogbeat-debugging]]
-== Debug
-
-include::{libbeat-dir}/debugging.asciidoc[]
-
-//sets block macro for metrics-in-logs.asciidoc included in next section
-
-[id="understand-{beatname_lc}-logs"]
-[role="xpack"]
-== Understand metrics in {beatname_uc} logs
-
-++++
-<titleabbrev>Understand logged metrics</titleabbrev>
-++++
-
-include::{libbeat-dir}/metrics-in-logs.asciidoc[]
\ No newline at end of file
diff --git a/winlogbeat/docs/upgrading.asciidoc b/winlogbeat/docs/upgrading.asciidoc
deleted file mode 100644
index 8a6bca81cf2b..000000000000
--- a/winlogbeat/docs/upgrading.asciidoc
+++ /dev/null
@@ -1,11 +0,0 @@
-[[upgrading-winlogbeat]]
-== Upgrade Winlogbeat
-
-++++
-<titleabbrev>Upgrade</titleabbrev>
-++++
-
-For information about upgrading to a new version, see:
-
-* {beats-ref}/breaking-changes.html[Breaking Changes]
-* {beats-ref}/upgrading.html[Upgrade]
diff --git a/winlogbeat/docs/winlogbeat-filtering.asciidoc b/winlogbeat/docs/winlogbeat-filtering.asciidoc
deleted file mode 100644
index 5bda1daf4dac..000000000000
--- a/winlogbeat/docs/winlogbeat-filtering.asciidoc
+++ /dev/null
@@ -1,20 +0,0 @@
-[[filtering-and-enhancing-data]]
-== Filter and enhance data with processors
-
-++++
-<titleabbrev>Processors</titleabbrev>
-++++
-
-include::{libbeat-dir}/processors.asciidoc[]
-
-For example, the following filter configuration drops a few fields that are rarely used (`provider_guid`, `process_id`, `thread_id`, and `version`) and one nested field, `event_data.ErrorSourceTable`:
-
-[source, yaml]
------------------------------------------------------
-processors:
-  - drop_fields:
-      fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable]
------------------------------------------------------
-
-include::{libbeat-dir}/processors-using.asciidoc[]
-
diff --git a/winlogbeat/docs/winlogbeat-general-options.asciidoc b/winlogbeat/docs/winlogbeat-general-options.asciidoc
deleted file mode 100644
index 7aec17cd6095..000000000000
--- a/winlogbeat/docs/winlogbeat-general-options.asciidoc
+++ /dev/null
@@ -1,11 +0,0 @@
-[[configuration-general-options]]
-== Configure general settings
-
-++++
-<titleabbrev>General settings</titleabbrev>
-++++
-
-You can specify settings in the +{beatname_lc}.yml+ config file to control the
-general behavior of {beatname_uc}.
-
-include::{libbeat-dir}/generalconfig.asciidoc[]
diff --git a/winlogbeat/docs/winlogbeat-options.asciidoc b/winlogbeat/docs/winlogbeat-options.asciidoc
deleted file mode 100644
index 907d5311fcbb..000000000000
--- a/winlogbeat/docs/winlogbeat-options.asciidoc
+++ /dev/null
@@ -1,476 +0,0 @@
-:vista_and_newer: This option is only available on operating systems +
-  supporting the Windows Event Log API (Microsoft Windows Vista and newer).
-
-[[configuration-winlogbeat-options]]
-== Configure {beatname_uc}
-
-++++
-<titleabbrev>{beatname_uc}</titleabbrev>
-++++
-
-The `winlogbeat` section of the +{beatname_lc}.yml+ config file specifies all options that are specific to {beatname_uc}.
-Most importantly, it contains the list of event logs to monitor.
-
-Here is a sample configuration:
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.event_logs:
-  - name: Application
-    ignore_older: 72h
-  - name: Security
-  - name: System
---------------------------------------------------------------------------------
-
-[float]
-=== Configuration options
-
-You can specify the following options in the `winlogbeat` section of the +{beatname_lc}.yml+ config file:
-
-[float]
-==== `registry_file`
-
-The name of the file where {beatname_uc} stores information that it uses to resume
-monitoring after a restart. By default the file is stored as `.winlogbeat.yml`
-in the directory where the Beat was started. When you run the process as a
-Windows service, it's recommended that you set the value to
-`C:/ProgramData/winlogbeat/.winlogbeat.yml`.
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
---------------------------------------------------------------------------------
-
-NOTE: The forward slashes (/) in the path are automatically changed to
-backslashes (\) for Windows compatibility. You can use either forward or
-backslashes. Forward slashes are easier to work with in YAML because there is no
-need to escape them.
-
-[float]
-==== `registry_flush`
-
-The timeout value that controls when registry entries are written to disk
-(flushed). When an unwritten update exceeds this value, it triggers a write
-to disk. When flush is set to 0s, the registry is written to disk after each
-batch of events has been published successfully.
-
-The default value is 5s.
-
-Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`.
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.registry_flush: 5s
---------------------------------------------------------------------------------
-
-[float]
-==== `shutdown_timeout`
-
-The amount of time to wait for all events to be published when shutting down.
-By default there is no shutdown timeout so {beatname_uc} will stop without waiting.
-When you restart it will resume from the last successfully published event in
-each event log.
-
-In some use cases you do want to wait for the publishing queue to drain before
-exiting and that's when you would use this option.
-
-Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`.
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.shutdown_timeout: 30s
---------------------------------------------------------------------------------
-
-[float]
-==== `event_logs`
-
-A list of entries (called 'dictionaries' in YAML) that specify which event logs
-to monitor. Each entry in the list defines an event log to monitor as well as
-any information to be associated with the event log (filter, tags, and so on).
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.event_logs:
-  - name: Application
---------------------------------------------------------------------------------
-
-[float]
-==== `event_logs.batch_read_size`
-
-The maximum number of event log records to read from the Windows API in a single
-batch. The default batch size is 512. Most Windows versions return an error if
-the value is larger than 1024. *{vista_and_newer}*
-
-{beatname_uc} starts a goroutine (a lightweight thread) to read from each
-individual event log. The goroutine reads a batch of event log records using the
-Windows API, applies any processors to the events, publishes them to the
-configured outputs, and waits for an acknowledgement from the outputs before
-reading additional event log records.
-
-[float]
-[[configuration-winlogbeat-options-event_logs-name]]
-==== `event_logs.name`
-
-The name of the event log to monitor. Each dictionary under `event_logs` must
-have a `name` field, except for those which use a custom XML query.
-A channel is a named stream of events that transports events from an event
-source to an event log. Most channels are tied to specific event publishers.
-You can get a list of available event logs by using the PowerShell
-https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent[`Get-WinEvent`] cmdlet
-on Windows Vista or newer. Here is a sample of the output from the command:
-
-[source,sh]
---------------------------------------------------------------------------------
-PS C:\> Get-WinEvent -ListLog * | Format-List -Property LogName
-LogName : Application
-LogName : HardwareEvents
-LogName : Internet Explorer
-LogName : Key Management Service
-LogName : Security
-LogName : System
-LogName : Windows PowerShell
-LogName : ForwardedEvents
-LogName : Microsoft-Management-UI/Admin
-LogName : Microsoft-Rdms-UI/Admin
-LogName : Microsoft-Rdms-UI/Operational
-LogName : Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
-...
---------------------------------------------------------------------------------
-
-If `Get-WinEvent` is not available, the https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog[`Get-EventLog`] cmdlet can be used in its
-place.
-
-[source,sh]
---------------------------------------------------------------------------------
-PS C:\Users\vagrant> Get-EventLog *
-
-  Max(K) Retain OverflowAction        Entries Log
-  ------ ------ --------------        ------- ---
-  20,480      0 OverwriteAsNeeded          75 Application
-  20,480      0 OverwriteAsNeeded           0 HardwareEvents
-     512      7 OverwriteOlder              0 Internet Explorer
-  20,480      0 OverwriteAsNeeded           0 Key Management Service
-  20,480      0 OverwriteAsNeeded       1,609 Security
-  20,480      0 OverwriteAsNeeded       1,184 System
-  15,360      0 OverwriteAsNeeded         464 Windows PowerShell
---------------------------------------------------------------------------------
-
-You must specify the full name of the channel in the configuration file.
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.event_logs:
-  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
---------------------------------------------------------------------------------
-
-To read events from an archived `.evtx` file you can specify the `name` as the
-absolute path (it cannot be relative) to the file. There's a complete example
-of how to read from an .evtx file in the <<reading-from-evtx,FAQ>>.
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.event_logs:
-  - name: 'C:\backup\sysmon-2019.08.evtx'
---------------------------------------------------------------------------------
-
-The name key must not be used with custom XML queries.
-
-[float]
-==== `event_logs.id`
-
-A unique identifier for the event log. This key is required when using a custom
-XML query.
-
-It is used to uniquely identify the event log reader in the registry file. This is
-useful if multiple event logs are being set up to watch the same channel or file. If an
-ID is not given, the `event_logs.name` value will be used.
-
-This value must be unique.
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.event_logs:
-  - name: Application
-    id: application-logs
-    ignore_older: 168h
---------------------------------------------------------------------------------
-
-[float]
-==== `event_logs.ignore_older`
-
-If this option is specified, {beatname_uc} filters events that are older than the
-specified amount of time. Valid time units are "ns", "us" (or "µs"), "ms", "s",
-"m", "h". This option is useful when you are beginning to monitor an event log
-that contains older records that you would like to ignore. This field is
-optional.
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.event_logs:
-  - name: Application
-    ignore_older: 168h
---------------------------------------------------------------------------------
-
-[float]
-==== `event_logs.forwarded`
-
-A boolean flag to indicate that the log contains only events collected from
-remote hosts using the Windows Event Collector. The value defaults to true for
-the ForwardedEvents log and false for any other log. *{vista_and_newer}*
-
-This settings allows {beatname_uc} to optimize reads for forwarded events that are
-already rendered. When the value is true {beatname_uc} does not attempt to render
-the event using message files from the host computer. The Windows Event
-Collector subscription should be configured to use the "RenderedText" format
-(this is the default) to ensure that the events are distributed with messages
-and descriptions.
-
-[float]
-==== `event_logs.event_id`
-
-A whitelist and blacklist of event IDs. The value is a comma-separated list. The
-accepted values are single event IDs to include (e.g. 4624), a range of event
-IDs to include (e.g. 4700-4800), single event IDs to exclude (e.g. -4735),
-and a range of event IDs to exclude (e.g. -4701-4710).
-*{vista_and_newer}*
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.event_logs:
-  - name: Security
-    event_id: 4624, 4625, 4700-4800, -4735, -4701-4710
---------------------------------------------------------------------------------
-
-[float]
-==== `event_logs.language`
-
-The language ID the events will be rendered in. The language will be forced regardless
-of the system language. A complete list of language IDs can be found
-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here].
-It defaults to `0`, which indicates to use the system language.
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.event_logs:
-  - name: Security
-    event_id: 4624, 4625, 4700-4800, -4735
-    language: 0x0409 # en-US
---------------------------------------------------------------------------------
-
-[float]
-==== `event_logs.level`
-
-A list of event levels to include. The value is a comma-separated list of
-levels. *{vista_and_newer}*
-
-[cols="2*", options="header"]
-|===
-|Level
-|Value
-
-|critical, crit
-|1
-
-|error, err
-|2
-
-|warning, warn
-|3
-
-|information, info
-|0 or 4
-
-|verbose
-|5
-|===
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.event_logs:
-  - name: Security
-    level: critical, error, warning
---------------------------------------------------------------------------------
-
-[float]
-==== `event_logs.provider`
-
-A list of providers (source names) to include. The value is a YAML list.
-*{vista_and_newer}*
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.event_logs:
-  - name: Application
-    provider:
-      - Application Error
-      - Application Hang
-      - Windows Error Reporting
-      - EMET
---------------------------------------------------------------------------------
-
-You can obtain a list of providers associated with a log by using PowerShell.
-Here is an example showing the providers associated with the Security log.
-
-[source,sh]
---------------------------------------------------------------------------------
-PS C:\> (Get-WinEvent -ListLog Security).ProviderNames
-DS
-LSA
-SC Manager
-Security
-Security Account Manager
-ServiceModel 4.0.0.0
-Spooler
-TCP/IP
-VSSAudit
-Microsoft-Windows-Security-Auditing
-Microsoft-Windows-Eventlog
---------------------------------------------------------------------------------
-
-[float]
-==== `event_logs.xml_query`
-
-Provide a custom XML query. This option is mutually exclusive with the `name`, `event_id`,
-`ignore_older`, `level`, and `provider` options. These options should be included in
-the XML query directly. Furthermore, an `id` must be provided. Custom XML queries
-provide more flexibility and advanced options than the simpler query options in {beatname_uc}.
-*{vista_and_newer}*
-
-Here is a configuration which will collect DHCP server events from multiple channels:
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.event_logs:
-  - id: dhcp-server-logs
-    xml_query: >
-      <QueryList>
-        <Query Id="0" Path="DhcpAdminEvents">
-          <Select Path="DhcpAdminEvents">*</Select>
-          <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>
-          <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
-        </Query>
-      </QueryList>
---------------------------------------------------------------------------------
-
-XML queries may also be created in Windows Event Viewer using custom views. The query
-can be created using a graphical interface and the corresponding XML can be
-retrieved from the XML tab.
-
-[float]
-==== `event_logs.include_xml`
-
-Boolean option that controls if the raw XML representation of an event is
-included in the data sent by {beatname_uc}. The default is false.
-*{vista_and_newer}*
-
-The XML representation of the event is useful for troubleshooting purposes. The
-data in the fields reported by {beatname_uc} can be compared to the data in the XML
-to diagnose problems.
-
-Example:
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.event_logs:
-  - name: Microsoft-Windows-Windows Defender/Operational
-    include_xml: true
---------------------------------------------------------------------------------
-
-* This can have a significant impact on performance that can vary depending
-on your system specs.
-
-[float]
-==== `event_logs.tags`
-
-A list of tags that the Beat includes in the `tags` field of each published
-event. Tags make it easy to select specific events in Kibana or apply
-conditional filtering in Logstash. These tags will be appended to the list of
-tags specified in the general configuration.
-
-Example:
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.event_logs:
-  - name: CustomLog
-    tags: ["web"]
---------------------------------------------------------------------------------
-
-[float]
-[[winlogbeat-configuration-fields]]
-==== `event_logs.fields`
-
-Optional fields that you can specify to add additional information to the
-output. For example, you might add fields that you can use for filtering event
-data. Fields can be scalar values, arrays, dictionaries, or any nested
-combination of these. By default, the fields that you specify here will be
-grouped under a `fields` sub-dictionary in the output document. To store the
-custom fields as top-level fields, set the `fields_under_root` option to true.
-If a duplicate field is declared in the general configuration, then its value
-will be overwritten by the value declared here.
-
-[source,yaml]
---------------------------------------------------------------------------------
-winlogbeat.event_logs:
-  - name: CustomLog
-    fields:
-      customer_id: 51415432
---------------------------------------------------------------------------------
-
-[float]
-==== `event_logs.fields_under_root`
-
-If this option is set to true, the custom <<winlogbeat-configuration-fields,fields>>
-are stored as top-level fields in the output document instead of being grouped
-under a `fields` sub-dictionary. If the custom field names conflict with other
-field names added by {beatname_uc}, then the custom fields overwrite the other
-fields.
-
-[float]
-==== `event_logs.processors`
-
-A list of processors to apply to the data generated by the event log.
-
-See <<filtering-and-enhancing-data>> for information about specifying
-processors in your config.
-
-[float]
-==== `event_logs.index`
-
-If present, this formatted string overrides the index for events from this
-event log (for elasticsearch outputs), or sets the `raw_index` field of the event's
-metadata (for other outputs). This string can only refer to the agent name and
-version and the event timestamp; for access to dynamic fields, use
-`output.elasticsearch.index` or a processor.
-
-Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might
-expand to `"winlogbeat-myindex-2019.12.13"`.
-
-[float]
-==== `event_logs.keep_null`
-
-If this option is set to true, fields with `null` values will be published in
-the output document. By default, `keep_null` is set to `false`.
-
-[float]
-==== `event_logs.no_more_events`
-
-The action that the event log reader should take when it receives a signal from
-Windows that there are no more events to read. It can either `wait` for more
-events to be written (the default behavior) or it can `stop`. The overall
-{beatname_uc} process will stop when all of the individual event log readers have
-stopped. *{vista_and_newer}*
-
-Setting `no_more_events` to `stop` is useful when reading from archived event
-log files where you want to read the whole file then exit. There's a complete
-example of how to read from an `.evtx` file in the <<reading-from-evtx,FAQ>>.
-
-
-[float]
-==== `overwrite_pipelines`
-
-By default Ingest pipelines are not updated if a pipeline with the same ID
-already exists. If this option is enabled Winlogbeat overwrites pipelines
-every time a new Elasticsearch connection is established.
-
-The default value is `false`.
diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-socket-dashboard.png b/x-pack/auditbeat/docs/images/auditbeat-system-socket-dashboard.png
deleted file mode 100644
index 823a327b1170..000000000000
Binary files a/x-pack/auditbeat/docs/images/auditbeat-system-socket-dashboard.png and /dev/null differ
diff --git a/x-pack/auditbeat/docs/modules/system.asciidoc b/x-pack/auditbeat/docs/modules/system.asciidoc
deleted file mode 100644
index c17f90119dc7..000000000000
--- a/x-pack/auditbeat/docs/modules/system.asciidoc
+++ /dev/null
@@ -1,211 +0,0 @@
-////
-This file is generated! See scripts/docs_collector.py
-////
-
-:modulename: system
-
-[id="{beatname_lc}-module-system"]
-[role="xpack"]
-== System Module
-
-beta[]
-
-The `system` module collects various security related information about
-a system. All datasets send both periodic state information (e.g. all currently
-running processes) and real-time changes (e.g. when a new process starts
-or stops).
-
-The module is fully implemented for Linux on x86. Currently, the `socket` module is not available on ARM. Some datasets are also available
-for macOS (Darwin) and Windows.
-
-[float]
-=== How it works
-
-Each dataset sends two kinds of information: state and events.
-
-State information is sent periodically and (for some datasets) on startup.
-A state update will consist of one event per object that is currently
-active on the system (e.g. a process). All events belonging to the same state
-update will share the same UUID in `event.id`.
-
-The frequency of state updates can be controlled for all datasets using the
-`state.period` configuration option. Overrides are available per dataset.
-The default is `12h`.
-
-Event information is sent as the events occur (e.g. a process starts or stops).
-All datasets are currently using a poll model to retrieve their data.
-The frequency of these polls is controlled by the `period` configuration
-parameter.
-
-[float]
-==== Entity IDs
-
-This module populates `entity_id` fields to uniquely identify entities (users,
-packages, processes...) within a host. This requires {beatname_uc}
-to obtain a unique identifier for the host:
-
-- Windows: Uses the `HKLM\Software\Microsoft\Cryptography\MachineGuid` registry
-key.
-- macOS: Uses the value returned by `gethostuuid(2)` system call.
-- Linux: Uses the content of one of the following files, created by either
-`systemd` or `dbus`:
- * /etc/machine-id
- * /var/lib/dbus/machine-id
- * /var/db/dbus/machine-id
-
-NOTE: Under CentOS 6.x, it's possible that none of the files above exist.
-In that case, running `dbus-uuidgen --ensure` (provided by the `dbus` package)
-will generate one for you.
-
-[float]
-==== Example dashboard
-
-The module comes with a sample dashboard:
-
-[role="screenshot"]
-image::./images/auditbeat-system-overview-dashboard.png[Auditbeat System Overview Dashboard]
-
-[float]
-=== Configuration options
-
-This module has some configuration options for controlling its behavior. The
-following example shows all configuration options with their default values for
-Linux.
-
-NOTE: It is recommended to configure some datasets separately. See below for a
-sample suggested configuration.
-
-[source,yaml]
-----
-- module: system
-  datasets:
-    - host
-    - login
-    - package
-    - process
-    - socket
-    - user
-  period: 10s
-  state.period: 12h
-
-  socket.include_localhost: false
-
-  user.detect_password_changes: true
-----
-
-This module also supports the
-<<module-standard-options-{modulename},standard configuration options>>
-described later.
-
-*`state.period`*:: The interval at which the datasets send full state information.
-This option can be overridden per dataset using `{dataset}.state.period`.
-
-*`user.detect_password_changes`*:: If the `user` dataset is configured and
-this option is set to `true`, Auditbeat will read password information in `/etc/passwd`
-and `/etc/shadow` to detect password changes. A hash will be kept locally in
-the `beat.db` file to detect changes between Auditbeat restarts. The `beat.db` file
-should be readable only by the root user and be treated similar to the shadow file
-itself.
-
-include::{docdir}/auditbeat-options.asciidoc[]
-
-[float]
-=== Suggested configuration
-
-Processes and sockets can be short-lived, so the chance of missing an update
-increases if the polling interval is too large.
-
-On the other hand, host and user information is unlikely to change frequently,
-so a longer polling interval can be used.
-
-[source,yaml]
-----
-- module: system
-  datasets:
-    - host
-    - login
-    - package
-    - user
-  period: 1m
-
-  user.detect_password_changes: true
-
-- module: system
-  datasets:
-    - process
-    - socket
-  period: 1s
-----
-
-
-[float]
-=== Example configuration
-
-The System module supports the common configuration options that are
-described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
-is an example configuration:
-
-[source,yaml]
-----
-auditbeat.modules:
-- module: system
-  datasets:
-    - package # Installed, updated, and removed packages
-
-  period: 2m # The frequency at which the datasets check for changes
-
-- module: system
-  datasets:
-    - host    # General host information, e.g. uptime, IPs
-    - login   # User logins, logouts, and system boots.
-    - process # Started and stopped processes
-    - socket  # Opened and closed sockets
-    - user    # User information
-
-  # How often datasets send state updates with the
-  # current state of the system (e.g. all currently
-  # running processes, all open sockets).
-  state.period: 12h
-
-  # Enabled by default. Auditbeat will read password fields in
-  # /etc/passwd and /etc/shadow and store a hash locally to
-  # detect any changes.
-  user.detect_password_changes: true
-
-  # File patterns of the login record files.
-  login.wtmp_file_pattern: /var/log/wtmp*
-  login.btmp_file_pattern: /var/log/btmp*
-----
-
-
-:modulename!:
-
-[float]
-=== Datasets
-
-The following datasets are available:
-
-* <<{beatname_lc}-dataset-system-host,host>>
-
-* <<{beatname_lc}-dataset-system-login,login>>
-
-* <<{beatname_lc}-dataset-system-package,package>>
-
-* <<{beatname_lc}-dataset-system-process,process>>
-
-* <<{beatname_lc}-dataset-system-socket,socket>>
-
-* <<{beatname_lc}-dataset-system-user,user>>
-
-include::system/host.asciidoc[]
-
-include::system/login.asciidoc[]
-
-include::system/package.asciidoc[]
-
-include::system/process.asciidoc[]
-
-include::system/socket.asciidoc[]
-
-include::system/user.asciidoc[]
-
diff --git a/x-pack/auditbeat/docs/modules/system/host.asciidoc b/x-pack/auditbeat/docs/modules/system/host.asciidoc
deleted file mode 100644
index 9c36068927f5..000000000000
--- a/x-pack/auditbeat/docs/modules/system/host.asciidoc
+++ /dev/null
@@ -1,21 +0,0 @@
-////
-This file is generated! See scripts/docs_collector.py
-////
-
-[id="{beatname_lc}-dataset-system-host"]
-=== System host dataset
-
-include::../../../module/system/host/_meta/docs.asciidoc[]
-
-
-==== Fields
-
-For a description of each field in the dataset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this dataset:
-
-[source,json]
-----
-include::../../../module/system/host/_meta/data.json[]
-----
diff --git a/x-pack/auditbeat/docs/modules/system/login.asciidoc b/x-pack/auditbeat/docs/modules/system/login.asciidoc
deleted file mode 100644
index d042abb7addc..000000000000
--- a/x-pack/auditbeat/docs/modules/system/login.asciidoc
+++ /dev/null
@@ -1,21 +0,0 @@
-////
-This file is generated! See scripts/docs_collector.py
-////
-
-[id="{beatname_lc}-dataset-system-login"]
-=== System login dataset
-
-include::../../../module/system/login/_meta/docs.asciidoc[]
-
-
-==== Fields
-
-For a description of each field in the dataset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this dataset:
-
-[source,json]
-----
-include::../../../module/system/login/_meta/data.json[]
-----
diff --git a/x-pack/auditbeat/docs/modules/system/package.asciidoc b/x-pack/auditbeat/docs/modules/system/package.asciidoc
deleted file mode 100644
index ec87bd976daf..000000000000
--- a/x-pack/auditbeat/docs/modules/system/package.asciidoc
+++ /dev/null
@@ -1,21 +0,0 @@
-////
-This file is generated! See scripts/docs_collector.py
-////
-
-[id="{beatname_lc}-dataset-system-package"]
-=== System package dataset
-
-include::../../../module/system/package/_meta/docs.asciidoc[]
-
-
-==== Fields
-
-For a description of each field in the dataset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this dataset:
-
-[source,json]
-----
-include::../../../module/system/package/_meta/data.json[]
-----
diff --git a/x-pack/auditbeat/docs/modules/system/process.asciidoc b/x-pack/auditbeat/docs/modules/system/process.asciidoc
deleted file mode 100644
index a015dfc29af6..000000000000
--- a/x-pack/auditbeat/docs/modules/system/process.asciidoc
+++ /dev/null
@@ -1,21 +0,0 @@
-////
-This file is generated! See scripts/docs_collector.py
-////
-
-[id="{beatname_lc}-dataset-system-process"]
-=== System process dataset
-
-include::../../../module/system/process/_meta/docs.asciidoc[]
-
-
-==== Fields
-
-For a description of each field in the dataset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this dataset:
-
-[source,json]
-----
-include::../../../module/system/process/_meta/data.json[]
-----
diff --git a/x-pack/auditbeat/docs/modules/system/socket.asciidoc b/x-pack/auditbeat/docs/modules/system/socket.asciidoc
deleted file mode 100644
index 387756c1ca9c..000000000000
--- a/x-pack/auditbeat/docs/modules/system/socket.asciidoc
+++ /dev/null
@@ -1,21 +0,0 @@
-////
-This file is generated! See scripts/docs_collector.py
-////
-
-[id="{beatname_lc}-dataset-system-socket"]
-=== System socket dataset
-
-include::../../../module/system/socket/_meta/docs.asciidoc[]
-
-
-==== Fields
-
-For a description of each field in the dataset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this dataset:
-
-[source,json]
-----
-include::../../../module/system/socket/_meta/data.json[]
-----
diff --git a/x-pack/auditbeat/docs/modules/system/user.asciidoc b/x-pack/auditbeat/docs/modules/system/user.asciidoc
deleted file mode 100644
index 58b3a07e3afb..000000000000
--- a/x-pack/auditbeat/docs/modules/system/user.asciidoc
+++ /dev/null
@@ -1,21 +0,0 @@
-////
-This file is generated! See scripts/docs_collector.py
-////
-
-[id="{beatname_lc}-dataset-system-user"]
-=== System user dataset
-
-include::../../../module/system/user/_meta/docs.asciidoc[]
-
-
-==== Fields
-
-For a description of each field in the dataset, see the
-<<exported-fields-system,exported fields>> section.
-
-Here is an example document generated by this dataset:
-
-[source,json]
-----
-include::../../../module/system/user/_meta/data.json[]
-----
diff --git a/x-pack/dockerlogbeat/docs/configuration.asciidoc b/x-pack/dockerlogbeat/docs/configuration.asciidoc
deleted file mode 100644
index 8cacb97ae732..000000000000
--- a/x-pack/dockerlogbeat/docs/configuration.asciidoc
+++ /dev/null
@@ -1,188 +0,0 @@
-[[log-driver-configuration]]
-[role="xpack"]
-== {log-driver} configuration options
-
-++++
-<titleabbrev>Configuration options</titleabbrev>
-++++
-
-
-Use the following options to configure the {log-driver-long}. You can
-pass these options with the `--log-opt` flag when you start a container, or
-you can set them in the `daemon.json` file for all containers. 
-
-* <<cloud-options>>
-* <<es-output-options>>
-
-[float]
-=== Usage examples
-
-To set configuration options when you start a container:
-
-include::install.asciidoc[tag=log-driver-run]
-
-To set configuration options for all containers in the `daemon.json` file:
-
-include::install.asciidoc[tag=log-driver-daemon]
-
-For more examples, see <<log-driver-usage-examples>>.
-
-[float]
-[[cloud-options]]
-=== {ecloud} options
- 
-[options="header"]
-|=====
-|Option  | Description
-
-|`cloud_id`
-|The Cloud ID found in the Elastic Cloud web console. This ID is
-used to resolve the {stack} URLs when connecting to {ess} on {ecloud}.
-
-|`cloud_auth`
-|The username and password combination for connecting to {ess} on {ecloud}. The
-format is `"username:password"`.
-|=====
-
-[float]
-[[es-output-options]]
-=== {es} output options
-
-
-[options="header"]
-|=====
-|Option  |Default |Description
-
-|`hosts`
-|`"localhost:9200"`
-|The list of {es} nodes to connect to. Specify each node as a `URL` or
-`IP:PORT`. For example: `http://192.0.2.0`, `https://myhost:9230` or
-`192.0.2.0:9300`. If no port is specified, the default is `9200`.
-
-|`user`
-|
-|The basic authentication username for connecting to {es}. 
-
-|`password`
-|
-|The basic authentication password for connecting to {es}.
-
-|`index`
-|
-|A {beats-ref}/config-file-format-type.html#_format_string_sprintf[format string]
-value that specifies the index to write events to when you're using daily
-indices. For example: +"dockerlogs-%{+yyyy.MM.dd}"+. 
-
-3+|*Advanced:*
-
-|`name`
-|`testbeat`
-| A custom value that will be inserted into the document as `agent.name`.
-If not set, it will be the hostname of Docker host.
-
-|`backoff_init`
-|`1s`
-|The number of seconds to wait before trying to reconnect to {es} after
-a network error. After waiting `backoff.init` seconds, the {log-driver}
-tries to reconnect. If the attempt fails, the backoff timer is increased
-exponentially up to `backoff.max`. After a successful connection, the backoff
-timer is reset.
-
-|`backoff_max`
-|`60s`
-|The maximum number of seconds to wait before attempting to connect to
-{es} after a network error.
-
-|`api_key`
-|
-|Instead of using usernames and passwords,
-you can use API keys to secure communication with {es}.
-
-|`pipeline`
-|
-|A format string value that specifies the {es} ingest pipeline to write events to.
-
-|`timeout`
-|`90`
-|The http request timeout in seconds for the Elasticsearch request.
-
-|`proxy_url`
-|
-|The URL of the proxy to use when connecting to the Elasticsearch servers. The
-value may be either a complete URL or a `host[:port]`, in which case the `http`
-scheme is assumed. If a value is not specified through the configuration file
-then proxy environment variables are used. See the
-https://golang.org/pkg/net/http/#ProxyFromEnvironment[Go documentation]
-for more information about the environment variables.
-
-
-|=====
-
-
-[float]
-[[local-log-opts]]
-=== Configuring the local log
-This plugin fully supports `docker logs`, and it maintains a local copy of logs that can be read without a connection to Elasticsearch. The plugin mounts the `/var/lib/docker` directory on the host to write logs to `/var/log/containers` on the host. If you want to change the log location on the host, you must change the mount inside the plugin:
-
-1. Disable the plugin:
-+
-["source","sh",subs="attributes"] 
-----
-docker plugin disable elastic/{log-driver-alias}:{version}
-----
-
-2. Set the bindmount directory:
-+
-["source","sh",subs="attributes"]
-----
-docker plugin set elastic/{log-driver-alias}:{version} LOG_DIR.source=NEW_LOG_LOCATION
-----
-+
-
-3. Enable the plugin:
-+
-["source","sh",subs="attributes"]
-----
-docker plugin enable elastic/{log-driver-alias}:{version}
-----
-
-
-The local log also supports the `max-file`, `max-size` and `compress` options that are https://docs.docker.com/config/containers/logging/json-file/#options[a part of the Docker default file logger]. For example:
-
-["source","sh",subs="attributes"]
-----
-docker run --log-driver=elastic/{log-driver-alias}:{version} \
-           --log-opt hosts="myhost:9200" \
-           --log-opt user="myusername" \
-           --log-opt password="mypassword" \
-           --log-opt max-file=10 \
-           --log-opt max-size=5M \
-           --log-opt compress=true \
-           -it debian:jessie /bin/bash
-----
-
-
-In situations where logs can't be easily managed, for example, you can also configure the plugin to remove log files when a container is stopped. This will prevent you from reading logs on a stopped container, but it will rotate logs without user intervention. To enable removal of logs for stopped containers, you must change the `DESTROY_LOGS_ON_STOP` environment variable: 
-
-1. Disable the plugin:
-+
-["source","sh",subs="attributes"]
-----
-docker plugin disable elastic/{log-driver-alias}:{version}
-----
-
-2. Enable log removal:
-+
-["source","sh",subs="attributes"]
-----
-docker plugin set elastic/{log-driver-alias}:{version} DESTROY_LOGS_ON_STOP=true
-----
-+
-
-3. Enable the plugin:
-+
-["source","sh",subs="attributes"]
-----
-docker plugin enable elastic/{log-driver-alias}:{version}
-----
-
diff --git a/x-pack/dockerlogbeat/docs/index.asciidoc b/x-pack/dockerlogbeat/docs/index.asciidoc
deleted file mode 100644
index ca3f2cd4007a..000000000000
--- a/x-pack/dockerlogbeat/docs/index.asciidoc
+++ /dev/null
@@ -1,25 +0,0 @@
-:libbeat-dir: {docdir}/../../../libbeat/docs
-:log-driver: Elastic Logging Plugin
-:log-driver-long: Elastic Logging Plugin for Docker
-:log-driver-alias: elastic-logging-plugin
-:docker-version: Engine API 1.25
-
-= {log-driver} for Docker
-
-include::{libbeat-dir}/version.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/versions/stack/{source_branch}.asciidoc[]
-
-include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
-
-include::overview.asciidoc[]
-
-include::install.asciidoc[]
-
-include::configuration.asciidoc[]
-
-include::usage.asciidoc[]
-
-include::troubleshooting.asciidoc[]
-
-include::limitations.asciidoc[]
diff --git a/x-pack/dockerlogbeat/docs/install.asciidoc b/x-pack/dockerlogbeat/docs/install.asciidoc
deleted file mode 100644
index 6aa51aba0b19..000000000000
--- a/x-pack/dockerlogbeat/docs/install.asciidoc
+++ /dev/null
@@ -1,113 +0,0 @@
-[[log-driver-installation]]
-[role="xpack"]
-== Install and configure the {log-driver}
-
-++++
-<titleabbrev>Install and configure</titleabbrev>
-++++
-
-
-[float]
-=== Before you begin
-
-Make sure your system meets the following prerequisites:
-
-* Docker: {docker-version} or later
-* {stack}: Version 7.6.0 or later
-
-[float]
-=== Step 1: Install the {log-driver} plugin
-
-// TODO: Test the following commands when the driver is available on docker hub.
-
-1. Install the plugin. You can install it from the Docker store (recommended),
-or build and install the plugin from source in the
-https://github.com/elastic/beats[beats] GitHub repo.
-+
-*To install from the Docker store:*
-+
-["source","sh",subs="attributes"]
-----
-docker plugin install elastic/{log-driver-alias}:{version}
-----
-+
-*To build and install from source:*
-+
-{beats-devguide}/beats-contributing.html#setting-up-dev-environment[Set up your
-development environment] as described in the _Beats Developer Guide_ then run:
-+
-[source,shell]
-----
-cd x-pack/dockerlogbeat
-mage BuildAndInstall
-----
-
-2. If necessary, enable the plugin:
-+
-["source","sh",subs="attributes"]
-----
-docker plugin enable elastic/{log-driver-alias}:{version}
-----
-
-3. Verify that the plugin is installed and enabled:
-+
-[source,shell]
-----
-docker plugin ls
-----
-+
-The output should say something like:
-+
-["source","sh",subs="attributes"]
-----
-ID                  NAME                                   DESCRIPTION              ENABLED
-c2ff9d2cf090        elastic/{log-driver-alias}:{version}   A beat for docker logs   true
-----
-
-[float]
-=== Step 2: Configure the {log-driver}
-
-You can set configuration options for a single container, or for all containers
-running on the host. See <<log-driver-configuration>> for a list of
-supported configuration options.
-
-*To configure a single container:*
-
-Pass configuration options at run time when you start the container. For
-example:
-
-// tag::log-driver-run[] 
-["source","sh",subs="attributes"]
-----
-docker run --log-driver=elastic/{log-driver-alias}:{version} \
-           --log-opt hosts="https://myhost:9200" \
-           --log-opt user="myusername" \
-           --log-opt password="mypassword" \
-           -it debian:jessie /bin/bash
-----
-// end::log-driver-run[]
-
-*To configure all containers running on the host:*
-
-Set configuration options in the Docker `daemon.json` configuration file. For
-example:
-
-// tag::log-driver-daemon[] 
-[source,json,subs="attributes"]
-----
-{
-  "log-driver" : "elastic/{log-driver-alias}:{version}",
-  "log-opts" : {
-    "hosts" : "https://myhost:9200",
-    "user" : "myusername",
-    "password" : "mypassword"
-  }
-}
-----
-// end::log-driver-daemon[]
-
-NOTE: The default location of the `daemon.json` file varies by platform. On
-Linux, the default location is `/etc/docker/daemon.json`. For more information,
-see the
-https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file[Docker
-docs].
diff --git a/x-pack/dockerlogbeat/docs/limitations.asciidoc b/x-pack/dockerlogbeat/docs/limitations.asciidoc
deleted file mode 100644
index af17f478a540..000000000000
--- a/x-pack/dockerlogbeat/docs/limitations.asciidoc
+++ /dev/null
@@ -1,11 +0,0 @@
-[[log-driver-limitations]]
-[role="xpack"]
-== Known problems and limitations
-
-
-This release of the {log-driver} has the following known problems and
-limitations:
-
-* Spool to disk (beta) is not supported.
-* Mapping templates and other assets that are normally installed by the
-{beats} setup are not available.
diff --git a/x-pack/dockerlogbeat/docs/overview.asciidoc b/x-pack/dockerlogbeat/docs/overview.asciidoc
deleted file mode 100644
index 46268e0a0e33..000000000000
--- a/x-pack/dockerlogbeat/docs/overview.asciidoc
+++ /dev/null
@@ -1,14 +0,0 @@
-[[log-driver-overview]]
-[role="xpack"]
-== {log-driver} overview
-
-
-The {log-driver} is a Docker plugin that sends container logs to the
-https://www.elastic.co/elastic-stack[{stack}], where you can search, analyze,
-and visualize the data in real time.
-
-The {log-driver} is built on top of the https://www.elastic.co/beats[{beats}]
-platform and supports many of the features and outputs supported by the
-{beats} shippers.
-
-Beat users: see <<log-driver-limitations>>.
diff --git a/x-pack/dockerlogbeat/docs/troubleshooting.asciidoc b/x-pack/dockerlogbeat/docs/troubleshooting.asciidoc
deleted file mode 100644
index 19920dedfc86..000000000000
--- a/x-pack/dockerlogbeat/docs/troubleshooting.asciidoc
+++ /dev/null
@@ -1,41 +0,0 @@
-[[log-driver-troubleshooting]]
-[role="xpack"]
-== Troubleshoot
-
-
-You can set the debug level to capture debugging output about the {log-driver}.
-To set the debug level:
-
-1. Disable the plugin:
-+
-["source","sh",subs="attributes"]
-----
-docker plugin disable elastic/{log-driver-alias}:{version}
-----
-
-2. Set the debug level:
-+
-["source","sh",subs="attributes"]
-----
-docker plugin set elastic/{log-driver-alias}:{version} LOG_DRIVER_LEVEL=debug
-----
-+
-Where valid settings for `LOG_DRIVER_LEVEL` are `debug`, `info`, `warning`, or
-`error`.
-
-3. Enable the plugin:
-+
-["source","sh",subs="attributes"]
-----
-docker plugin enable elastic/{log-driver-alias}:{version}
-----
-
-To view the logs:
-
-On Linux, the {log-driver} logs are written to the same location as other
-docker logs, typically the system journal. 
-
-On MacOS, locating the logs is more complicated. For more information, see
-the
-https://github.com/elastic/beats/tree/{branch}/x-pack/dockerlogbeat#debugging-on-macos[Debugging
-on MacOS] section in the readme file.
\ No newline at end of file
diff --git a/x-pack/dockerlogbeat/docs/usage.asciidoc b/x-pack/dockerlogbeat/docs/usage.asciidoc
deleted file mode 100644
index 446206e35449..000000000000
--- a/x-pack/dockerlogbeat/docs/usage.asciidoc
+++ /dev/null
@@ -1,94 +0,0 @@
-[[log-driver-usage-examples]]
-== {log-driver} usage examples
-
-++++
-<titleabbrev>Usage examples</titleabbrev>
-++++
-
-
-The following examples show common configurations for the {log-driver}.
-
-[float]
-=== Send Docker logs to {es} 
-
-*Docker run command:*
-
-["source","sh",subs="attributes"]
-----
-docker run --log-driver=elastic/{log-driver-alias}:{version} \
-           --log-opt hosts="myhost:9200" \
-           --log-opt user="myusername" \
-           --log-opt password="mypassword" \
-           -it debian:jessie /bin/bash
-----
-
-*Daemon configuration:*
-
-["source","json",subs="attributes"]
-----
-{
-  "log-driver" : "elastic/{log-driver-alias}:{version}",
-  "log-opts" : {
-    "hosts" : "myhost:9200",
-    "user" : "myusername",
-    "password" : "mypassword",
-  }
-}
-----
-
-[float]
-=== Send Docker logs to {ess} on {ecloud}
-
-*Docker run command:*
-
-["source","sh",subs="attributes"]
-----
-docker run --log-driver=elastic/{log-driver-alias}:{version} \
-           --log-opt cloud_id="MyElasticStack:daMbY2VudHJhbDekZ2NwLmN4b3VkLmVzLmliJDVkYmQwtGJiYjs0NTRiN4Q5ODJmNGUwm1IxZmFkNjM5JDFiNjdkMDE4MTgxMTQzNTM5ZGFiYWJjZmY0OWIyYWE5" \
-           --log-opt cloud_auth="myusername:mypassword" \
-           -it debian:jessie /bin/bash
-----
-
-*Daemon configuration:*
-
-["source","json",subs="attributes"]
-----
-{
-  "log-driver" : "elastic/{log-driver-alias}:{version}",
-  "log-opts" : {
-    "cloud_id" : "MyElasticStack:daMbY2VudHJhbDekZ2NwLmN4b3VkLmVzLmliJDVkYmQwtGJiYjs0NTRiN4Q5ODJmNGUwm1IxZmFkNjM5JDFiNjdkMDE4MTgxMTQzNTM5ZGFiYWJjZmY0OWIyYWE5",
-    "cloud_auth" : "myusername:mypassword",
-    "output.elasticsearch.index" : "elastic-log-driver-%{+yyyy.MM.dd}"
-  }
-}
-----
-
-[float]
-=== Specify a custom index and template
-
-*Docker run command:*
-
-["source","sh",subs="attributes"]
-----
-docker run --log-driver=elastic/{log-driver-alias}:{version} \
-           --log-opt hosts="myhost:9200" \
-           --log-opt user="myusername" \
-           --log-opt password="mypassword" \
-           --log-opt index="eld-%{[agent.version]}-%{+yyyy.MM.dd}" \
-           -it debian:jessie /bin/bash
-----
-
-*Daemon configuration:*
-
-["source","json",subs="attributes"]
-----
-{
-  "log-driver" : "elastic/{log-driver-alias}:{version}",
-  "log-opts" : {
-    "hosts" : "myhost:9200",
-    "user" : "myusername",
-    "index" : "eld-%{[agent.version]}-%{+yyyy.MM.dd}",
-    "password" : "mypassword",
-  }
-}
-----
diff --git a/x-pack/filebeat/docs/inputs/images/input-httpjson-chain-lifecycle.asciidoc b/x-pack/filebeat/docs/inputs/images/input-httpjson-chain-lifecycle.asciidoc
deleted file mode 100644
index 4b9a05869c4b..000000000000
--- a/x-pack/filebeat/docs/inputs/images/input-httpjson-chain-lifecycle.asciidoc
+++ /dev/null
@@ -1,30 +0,0 @@
-┌─────────┐        ┌────────┐                              ┌────────┐              ┌────────┐
-│ Regular │        │ step-1 │  ──────────────────────────► │ step-i │              │ Output │
-└─────────┘        └────────┘                              └────────┘              └────────┘
-    │                  │                                       │                       │
-    │ 1. Response from │                                       │                       │
-    │ regular call.    │                                       │                       │
-    │                  │                                       │                       │
-    ├─────────────────►│                                       │                       │
-    │                  │                                       │                       │
-    │                  │                                       │                       │
-    │                ┌─┴──────┬────────────────────────────────┼──┐                    │
-    │                │  loop  │                                │  │                    │
-    │                ├─┬──────┘                                │  │                    │
-    │                │ │ 2. Extract data from response and     │  │                    │
-    │                │ │ generate new requests from responses. │  │                    │
-    │                │ │                                       │  │                    │
-    │                │ │    ┌────────────────────────────┐     │  │                    │
-    │                │ │    │ Process generated requests │     │  │                    │
-    │                │ ├────┤ and collect responses from ├────►│  │                    │
-    │                │ │    │ server.                    │     │  │                    │
-    │                │ │    └────────────────────────────┘     │  │                    │
-    │                │ │                                       │  │                    │
-    │                └─┼───────────────────────────────────────┼──┘                    │
-    │                  │                                       │                       │
-    │                  │                                       │3. Publish every event │
-    │                  │                                       │to output. Events will │
-    │                  │                                       │only be published for  │
-    │                  │                                       │the last step in chain.│
-    │                  │                                       ├──────────────────────►│
-    │                  │                                       │                       │
\ No newline at end of file
diff --git a/x-pack/filebeat/docs/inputs/images/input-httpjson-lifecycle.asciidoc b/x-pack/filebeat/docs/inputs/images/input-httpjson-lifecycle.asciidoc
deleted file mode 100644
index 32a657e6151e..000000000000
--- a/x-pack/filebeat/docs/inputs/images/input-httpjson-lifecycle.asciidoc
+++ /dev/null
@@ -1,42 +0,0 @@
-┌─────────┐                        ┌───────┐                    ┌──────────────────┐    ┌────────────────────┐                              ┌──────────────────────────┐     ┌──────────────┐   ┌────────┐
-│  Input  │                        │ Chain │                    │ RequestTransform │    │ ResponsePagination │                              │ ResponseTransforms/split │     │ RemoteServer │   │ Output │
-└─────────┘                        └───────┘                    └──────────────────┘    └────────────────────┘                              └──────────────────────────┘     └──────────────┘   └────────┘
-     │                                 │                                 │                      │                                                         │                          │              │
-     │                                 │                                 │                      │                                                         │                          │              │
-     │                                 │                                 │                      │                                                         │                          │              │
-     │ 1. At Interval,                 │                                 │                      │                                                         │                          │              │
-     │ create a new request.           │                                 │                      │                                                         │                          │              │
-     ├─────────────────────────────────┼────────────────────────────────►│                      │                                                         │                          │              │
-     │                                 │                                 │                      │                                                         │                          │              │
-     │                                 │    ┌──────────────────────────┐ │                      │                                                         │                          │              │
-     │                                 │    │ 2. Transform the request ├─┤                      │                                                         │                          │              │
-     │                                 │    │ before executing it.     │ │  3. Execute request. │                                                         │                          │              │
-     │                                 │    └──────────────────────────┘ ├──────────────────────┼─────────────────────────────────────────────────────────┼─────────────────────────►│              │
-     │                                 │                                 │                      │                                                         │                          │              │
-     │                                 │                                 │                      │                                                         │                          │              │
-     │                                 │                                 │                      │                                                         │                          │              │
-     │                                 │                                 │                      │                                                         │                          │              │
-     │                                 │                                 │                      │                                                         │    4. Return response.   │              │
-     │                                 │                                 │                      │                                                         │◄─────────────────────────┤              │
-     │                                 │                                 │                      │                         ┌────────────────────────┐      │                          │              │
-     │                                 │                                 │                      │                         │ 5. Transform response  ├──────┤                          │              │
-     │                                 │                                 │                      │                         │ into a list of events. │      │                          │              │
-     │                                 │ 6. If chain steps are           │                      │                         └────────────────────────┘      │                          │              │
-     │                                 │ configured: collect IDs         │                      │                                                         │                          │              │
-     │                                 │◄────────────────────────────────┼──────────────────────┼─────────────────────────────────────────────────────────┤                          │              │
-     │                                 │                                 │                      │                                                         │                          │              │
-     │                                 │                                 │                      │                                                         │                          │              │
-     │                                 ├────────────────────────────────►│                      │                                                         │                          │              │
-     │                                 │ Go back to 2 for the next       │                      │                                                         │                          │              │
-     │                                 │ chain step.                     │                      │     ┌────────────────────────────┐                      │                          │              │
-     │                                 │                                 │                      ├─────┤ 7. If there are more pages │                      │                          │              │
-     │                                 │                                 │                      │     │ transform the request.     │                      ├──────────────────────────┼─────────────►│
-     │                                 │                                 │                      │     └────────────────────────────┘                      │ 8. Publish every event   │              │
-     │                                 │                                 │                      │                                                         │ to output for the last   │              │
-     │                                 │                                 │                      │                                                         │ request of the chain.    │              │
-     │                                 │                                 │                      │                                                         │                          │              │
-     │                                 │                                 │                      │                                                         │                          │              │
-     │                                 │                                 │                      │  Execute request and go back to 4.                      │                          │              │
-     │                                 │                                 │                      ├─────────────────────────────────────────────────────────┼─────────────────────────►│              │
-     │                                 │                                 │                      │                                                         │                          │              │
-     │                                 │                                 │                      │                                                         │                          │              │
\ No newline at end of file
diff --git a/x-pack/filebeat/docs/inputs/input-aws-cloudwatch.asciidoc b/x-pack/filebeat/docs/inputs/input-aws-cloudwatch.asciidoc
deleted file mode 100644
index d986e9e6b20b..000000000000
--- a/x-pack/filebeat/docs/inputs/input-aws-cloudwatch.asciidoc
+++ /dev/null
@@ -1,170 +0,0 @@
-[role="xpack"]
-
-:libbeat-xpack-dir: ../../../../x-pack/libbeat
-
-:type: aws-cloudwatch
-
-[id="{beatname_lc}-input-{type}"]
-=== AWS CloudWatch input
-
-++++
-<titleabbrev>AWS CloudWatch</titleabbrev>
-++++
-
-`aws-cloudwatch` input can be used to retrieve all logs from all log streams in a
-specific log group. `filterLogEvents` AWS API is used to list log events from
-the specified log group. Amazon CloudWatch Logs can be used to store log files
-from Amazon Elastic Compute Cloud(EC2), AWS CloudTrail, Route53, and other sources.
-
-A log group is a group of log streams that share the same retention, monitoring,
-and access control settings. You can define log groups and specify which streams
-to put into each group. There is no limit on the number of log streams that can
-belong to one log group.
-
-A log stream is a sequence of log events that share the same source. Each
-separate source of logs in CloudWatch Logs makes up a separate log stream.
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: aws-cloudwatch
-  log_group_arn: arn:aws:logs:us-east-1:428152502467:log-group:test:*
-  scan_frequency: 1m
-  credential_profile_name: elastic-beats
-  start_position: beginning
-----
-
-The `aws-cloudwatch` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-[float]
-==== `log_group_arn`
-ARN of the log group to collect logs from.
-The ARN may refer to a log group in a linked source account.
-
-Note: `log_group_arn` cannot be combined with `log_group_name`, `log_group_name_prefix` and `region_name` properties.
-If set, values extracted from `log_group_arn` takes precedence over them.
-
-Note: If the log group is in a linked source account and filebeat is configured to use a monitoring account, you must use the `log_group_arn`.
-You can read more about AWS account linking and cross account observability from the https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html[official documentation].
-
-[float]
-==== `log_group_name`
-Name of the log group to collect logs from.
-
-Note: `region_name` is required when log_group_name is given.
-
-[float]
-==== `log_group_name_prefix`
-The prefix for a group of log group names. See `include_linked_accounts_for_prefix_mode` option for linked source accounts behavior.
-
-Note: `region_name` is required when
-`log_group_name_prefix` is given. `log_group_name` and `log_group_name_prefix`
-cannot be given at the same time. The number of workers that will process the
-log groups under this prefix is set through the `number_of_workers` config.
-
-[float]
-==== `include_linked_accounts_for_prefix_mode`
-Configure whether to include linked source accounts that contains the prefix value defined through `log_group_name_prefix`.
-Accepts a boolean and this is by default disabled.
-
-Note: Utilize `log_group_arn` if you desire to obtain logs from a known log group (including linked source accounts)
-You can read more about AWS account linking and cross account observability from the https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html[official documentation].
-
-[float]
-==== `region_name`
-Region that the specified log group or log group prefix belongs to.
-
-[float]
-==== `number_of_workers`
-Number of workers that will process the log groups with the given `log_group_name_prefix`.
-Default value is 1.
-
-[float]
-==== `log_streams`
-A list of strings of log streams names that Filebeat collect log events from.
-
-[float]
-==== `log_stream_prefix`
-A string to filter the results to include only log events from log streams
-that have names starting with this prefix.
-
-[float]
-==== `start_position`
-`start_position` allows user to specify if this input should read log files from
-the `beginning` or from the `end`.
-
-* `beginning`: reads from the beginning of the log group (default).
-* `end`: read only new messages from current time minus `scan_frequency` going forward
-
-For example, with `scan_frequency` equals to `30s` and current timestamp is
-`2020-06-24 12:00:00`:
-
-* with `start_position = beginning`:
-** first iteration: startTime=0, endTime=2020-06-24 12:00:00
-** second iteration: startTime=2020-06-24 12:00:00, endTime=2020-06-24 12:00:30
-
-* with `start_position = end`:
-** first iteration: startTime=2020-06-24 11:59:30, endTime=2020-06-24 12:00:00
-** second iteration: startTime=2020-06-24 12:00:00, endTime=2020-06-24 12:00:30
-
-[float]
-==== `scan_frequency`
-This config parameter sets how often Filebeat checks for new log events from the
-specified log group. Default `scan_frequency` is 1 minute, which means Filebeat
-will sleep for 1 minute before querying for new logs again.
-
-[float]
-==== `api_timeout`
-The maximum duration of AWS API can take. If it exceeds the timeout, AWS API
-will be interrupted. The default AWS API timeout for a message is 120 seconds.
-The minimum is 0 seconds.
-
-[float]
-==== `api_sleep`
-This is used to sleep between AWS `FilterLogEvents` API calls inside the same
-collection period. `FilterLogEvents` API has a quota of 5 transactions per
-second (TPS)/account/Region. By default, `api_sleep` is 200 ms. This value should
-only be adjusted when there are multiple Filebeats or multiple Filebeat inputs
-collecting logs from the same region and AWS account.
-
-[float]
-==== `latency`
-Some AWS services send logs to CloudWatch with a latency to process larger than
-`aws-cloudwatch` input `scan_frequency`. This case, please specify a `latency`
-parameter so collection start time and end time will be shifted by the given
-latency amount.
-
-[float]
-==== `aws credentials`
-In order to make AWS API calls, `aws-cloudwatch` input requires AWS credentials.
-Please see <<aws-credentials-config,AWS credentials options>> for more details.
-
-[float]
-=== AWS Permissions
-Specific AWS permissions are required for IAM user to access aws-cloudwatch:
-----
-cloudwatchlogs:DescribeLogGroups
-logs:FilterLogEvents
-----
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the activity of the input.
-
-[options="header"]
-|=======
-| Metric                            | Description
-| `log_events_received_total`       | Number of CloudWatch log events received.
-| `log_groups_total`                | Logs collected from number of CloudWatch log groups.
-| `cloudwatch_events_created_total` | Number of events created from processing logs from CloudWatch.
-| `api_calls_total`                 | Number of API calls made total.
-|=======
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc b/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc
deleted file mode 100644
index 04470f027506..000000000000
--- a/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc
+++ /dev/null
@@ -1,1165 +0,0 @@
-[role="xpack"]
-
-:libbeat-xpack-dir: ../../../../x-pack/libbeat
-
-:type: aws-s3
-
-[id="{beatname_lc}-input-{type}"]
-=== AWS S3 input
-
-++++
-<titleabbrev>AWS S3</titleabbrev>
-++++
-
-Use the `aws-s3` input to retrieve logs from S3 objects that are pointed to by
-S3 notification events read from an SQS queue or directly polling list of S3
-objects in an S3 bucket.  The use of SQS notification is preferred: polling
-lists of S3 objects is expensive in terms of performance and costs and should be
-preferably used only when no SQS notification can be attached to the S3
-buckets. This input can, for example, be used to receive S3 access logs to
-monitor detailed records for the requests that are made to a bucket. This input
-also supports S3 notification from SNS to SQS.
-
-SQS notification method is enabled setting `queue_url` configuration value.  S3
-bucket list polling method is enabled setting `bucket_arn` configuration value.
-Both values cannot be set at the same time, at least one of the values must
-be set.
-
-When using the SQS notification method, this input depends on S3 notifications
-delivered to an SQS queue for `s3:ObjectCreated:*` events. You must create an
-SQS queue and configure S3 to publish events to the queue.
-
-The S3 input manages SQS message visibility to prevent messages from being
-reprocessed while the S3 object is still being processed. If the processing
-takes longer than half of the visibility timeout, the timeout is reset to ensure
-the message doesn't return to the queue before processing is complete.
-
-If an error occurs during the processing of the S3 object, the processing will
-be stopped, and the SQS message will be returned to the queue for reprocessing.
-
-[float]
-=== Configuration Examples
-
-[float]
-==== SQS with JSON files
-
-This example reads s3:ObjectCreated notifications from SQS, and assumes that
-all the S3 objects have a `Content-Type` of `application/json`.
-It splits the `Records` array in the JSON into separate events.
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: aws-s3
-  queue_url: https://sqs.ap-southeast-1.amazonaws.com/1234/test-s3-queue
-  expand_event_list_from_field: Records
-----
-
-[float]
-==== S3 bucket listing
-
-When using the direct polling list of S3 objects in an S3 buckets,
-a number of workers that will process the S3 objects listed must be set
-through the `number_of_workers` config.
-Listing of the S3 bucket will be polled according the time interval defined by
-`bucket_list_interval` config. The default value is 120 sec.
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: aws-s3
-  bucket_arn: arn:aws:s3:::test-s3-bucket
-  number_of_workers: 5
-  bucket_list_interval: 300s
-  credential_profile_name: elastic-beats
-  expand_event_list_from_field: Records
-----
-
-[float]
-==== S3-compatible services
-
-The `aws-s3` input can also poll third party S3-compatible services such as the
-Minio. Using non-AWS S3 compatible buckets requires the use of
-`access_key_id` and `secret_access_key` for authentication.  To specify the S3
-bucket name, use the `non_aws_bucket_name` config and the `endpoint` must be
-set to replace the default API endpoint.  `endpoint` should be a full URI in
-the form of `https(s)://<s3 endpoint>` in the case of `non_aws_bucket_name`,
-that will be used as the API endpoint of the service.  No `endpoint` is needed
-if using the native AWS S3 service hosted at `amazonaws.com`.  Please see
-<<aws-credentials-config,Configuration parameters>> for alternate AWS domains
-that require a different endpoint.
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: aws-s3
-  non_aws_bucket_name: test-s3-bucket
-  number_of_workers: 5
-  bucket_list_interval: 300s
-  access_key_id: xxxxxxx
-  secret_access_key: xxxxxxx
-  endpoint: https://s3.example.com:9000
-  expand_event_list_from_field: Records
-----
-
-[float]
-=== Document ID Generation
-
-This aws-s3 input feature prevents the duplication of events in Elasticsearch by
-generating a custom document `_id` for each event, rather than relying on
-Elasticsearch to automatically generate one. Each document in an Elasticsearch
-index must have a unique `_id`, and {beatname_uc} uses this property to avoid
-ingesting duplicate events.
-
-The custom `_id` is based on several pieces of information from the S3 object:
-the Last-Modified timestamp, the bucket ARN, the object key, and the byte
-offset of the data in the event.
-
-Duplicate prevention is particularly useful in scenarios where {beatname_uc}
-needs to retry an operation. {beatname_uc} guarantees at-least-once delivery,
-meaning it will retry any failed or incomplete operations. These retries may be
-triggered by issues with the host, `{beatname_uc}`, network connectivity, or
-services such as Elasticsearch, SQS, or S3.
-
-[float]
-==== Limitations of `_id`-Based Deduplication
-
-There are some limitations to consider when using `_id`-based deduplication in
-Elasticsearch:
-
-* Deduplication works only within a single index. The same `_id` can exist in
-  different indices, which is important if you're using data streams or index
-  aliases. When the backing index rolls over, a duplicate may be ingested.
-
-* Indexing operations in Elasticsearch may take longer when an `_id` is
-  specified. Elasticsearch needs to check if the ID already exists before
-  writing, which can increase the time required for indexing.
-
-[float]
-==== Disabling Duplicate Prevention
-
-If you want to disable the `_id`-based deduplication, you can remove the
-document `_id` using the <<drop-fields,`drop_fields`>> processor in
-{beatname_uc}.
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-  - type: aws-s3
-    queue_url: https://queue.amazonaws.com/80398EXAMPLE/MyQueue
-    processors:
-      - drop_fields:
-          fields:
-            - '@metadata._id'
-          ignore_missing: true
-----
-
-Alternatively, you can remove the `_id` field using an Elasticsearch Ingest
-Node pipeline.
-
-["source","json",subs="attributes"]
-----
-{
-  "processors": [
-    {
-      "remove": {
-        "if": "ctx.input?.type == \"aws-s3\"",
-        "field": "_id",
-        "ignore_missing": true
-      }
-    }
-  ]
-}
-----
-
-[float]
-=== Handling Compressed Objects
-
-S3 objects that use the gzip format
-(https://rfc-editor.org/rfc/rfc1952.html[RFC 1952]) with the DEFLATE compression
-algorithm are automatically decompressed during processing. This is achieved by
-checking for the gzip file magic header.
-
-[float]
-=== Configuration
-
-The `aws-s3` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-NOTE: For time durations, valid time units are - "ns", "us" (or "µs"), "ms",
-"s", "m", "h". For example, "2h"
-
-[float]
-==== `api_timeout`
-
-The maximum duration of the AWS API call. If it exceeds the timeout, the AWS
-API call will be interrupted. The default AWS API timeout is `120s`.
-
-The API timeout must be longer than the `sqs.wait_time` value.
-
-[id="input-{type}-buffer_size"]
-[float]
-==== `buffer_size`
-
-The size  of the buffer in bytes that each harvester uses when fetching a file.
-This only applies to non-JSON logs. The default is `16 KiB`.
-
-[id="input-{type}-content_type"]
-[float]
-==== `content_type`
-
-A standard MIME type describing the format of the object data.  This
-can be set to override the MIME type given to the object when
-it was uploaded. For example: `application/json`.
-
-[id="input-{type}-encoding"]
-[float]
-==== `encoding`
-
-The file encoding to use for reading data that contains international
-characters. This only applies to non-JSON logs. See <<_encoding_3>>.
-
-[id="input-{type}-decoding"]
-[float]
-==== `decoding`
-
-The file decoding option is used to specify a codec that will be used to
-decode the file contents. This can apply to any file stream data.
-An example config is shown below:
-
-Currently supported codecs are given below:-
-
-    1. <<attrib-decoding-csv,csv>>: This codec decodes RFC 4180 CSV data streams.
-    2. <<attrib-decoding-parquet,parquet>>: This codec decodes Apache Parquet
-       data streams.
-
-[id="attrib-decoding-csv"]
-[float]
-===== `csv`
-
-The CSV codec is used to decode RFC 4180 CSV data streams.
-Enabling the codec without other options will use the default codec options.
-
-[source,yaml]
-----
-  decoding.codec.csv.enabled: true
-----
-
-The `csv` codec supports five sub attributes to control aspects of CSV decoding.
-The `comma` attribute specifies the field separator character used by the CSV
-format. If it is not specified, the comma character '`,`' is used. The
-`comment` attribute specifies the character that should be interpreted as a
-comment mark.  If it is specified, lines starting with the character will be
-ignored. Both `comma` and `comment` must be single characters. The
-`lazy_quotes` attribute controls how quoting in fields is handled. If
-`lazy_quotes` is true, a quote may appear in an unquoted field and a
-non-doubled quote may appear in a quoted field.  The `trim_leading_space`
-attribute specifies that leading white space should be ignored, even if the
-`comma` character is white space. For complete details of the preceding
-configuration attribute behaviors, see the CSV decoder
-https://pkg.go.dev/encoding/csv#Reader[documentation] The `fields_names`
-attribute can be used to specify the column names for the data. If it is
-absent, the field names are obtained from the first non-comment line of data.
-The number of fields must match the number of field names.
-
-An example config is shown below:
-
-[source,yaml]
-----
-  decoding.codec.csv.enabled: true
-  decoding.codec.csv.comma: "\t"
-  decoding.codec.csv.comment: "#"
-----
-
-[id="attrib-decoding-parquet"]
-[float]
-===== `parquet`
-
-The `parquet` codec is used to decode the
-https://en.wikipedia.org/wiki/Apache_Parquet[Apache Parquet] data storage
-format. Enabling the codec without other options will use the default codec
-options.
-
-[source,yaml]
-----
-  decoding.codec.parquet.enabled: true
-----
-
-The Parquet codec supports two attributes, batch_size and process_parallel,
-to improve decoding performance:
-
-* `batch_size`: This attribute specifies the number of records to read from the
-  Parquet stream at a time. By default, batch_size is set to 1. Increasing the
-  batch size can boost processing speed by reading more records in each
-  operation.
-* `process_parallel`: When set to true, this attribute allows Filebeat to read
-  multiple columns from the Parquet stream in parallel, using as many readers
-  as there are columns. Enabling parallel processing can significantly increase
-  throughput, but it will also result in higher memory usage. By default,
-  process_parallel is set to false.
-
-By adjusting both batch_size and process_parallel, you can fine-tune the
-trade-off between processing speed and memory consumption.
-
-An example config is shown below:
-
-[source,yaml]
-----
-  decoding.codec.parquet.enabled: true
-  decoding.codec.parquet.process_parallel: true
-  decoding.codec.parquet.batch_size: 1000
-----
-
-[float]
-==== `expand_event_list_from_field`
-
-If the fileset using this input expects to receive multiple messages bundled
-under a specific field or an array of objects then the config option
-`expand_event_list_from_field` value can be assigned the name of the field or
-`.[]`. This setting will be able to split the messages under the group value
-into separate events. For example, CloudTrail logs are in JSON format and
-events are found under the JSON object "Records".
-
-NOTE: When using `expand_event_list_from_field`, `content_type` config
-parameter has to be set to `application/json`.
-
-["source","json"]
-----
-{
-    "Records": [
-        {
-            "eventVersion": "1.07",
-            "eventTime": "2019-11-14T00:51:00Z",
-            "awsRegion": "us-east-1",
-            "eventID": "EXAMPLE8-9621-4d00-b913-beca2EXAMPLE",
-        },
-        {
-            "eventVersion": "1.07",
-            "eventTime": "2019-11-14T00:52:00Z",
-            "awsRegion": "us-east-1",
-            "eventID": "EXAMPLEc-28be-486c-8928-49ce6EXAMPLE",
-        }
-    ]
-}
-----
-
-Or when `expand_event_list_from_field` is set to `.[]`, an array of objects
-will be split into separate events.
-
-["source","json"]
-----
-[
-   {
-      "id":"1234",
-      "message":"success"
-   },
-   {
-      "id":"5678",
-      "message":"failure"
-   }
-]
-----
-
-Note: When `expand_event_list_from_field` parameter is given in the config,
-aws-s3 input will assume the logs are in JSON format and decode them as JSON.
-Content type will not be checked. If a file has "application/json"
-content-type, `expand_event_list_from_field` becomes required to read the JSON
-file.
-
-[float]
-==== `file_selectors`
-
-If the SQS queue will have events that correspond to files that
-{beatname_uc} shouldn't process `file_selectors` can be used to limit
-the files that are downloaded.  This is a list of selectors which are
-made up of `regex` and `expand_event_list_from_field` options.  The
-`regex` should match the S3 object key in the SQS message, and the
-optional `expand_event_list_from_field` is the same as the global
-setting.  If `file_selectors` is given, then any global
-`expand_event_list_from_field` value is ignored in favor of the ones
-specified in the `file_selectors`.  Regex syntax is the same as the Go
-language.  Files that don't match one of the regexes won't be
-processed.  <<input-aws-s3-content_type>>, <<input-aws-s3-parsers>>,
-<<input-aws-s3-include_s3_metadata>>,<<input-aws-s3-max_bytes>>,
-<<input-aws-s3-buffer_size>>, and <<input-aws-s3-encoding>> may also
-be set for each file selector.
-
-["source", "yml"]
-----
-file_selectors:
-  - regex: '/CloudTrail/'
-    expand_event_list_from_field: 'Records'
-  - regex: '/CloudTrail-Digest/'
-  - regex: '/CloudTrail-Insight/'
-    expand_event_list_from_field: 'Records'
-----
-
-[float]
-==== `fips_enabled`
-
-Moved to <<aws-credentials-config,AWS credentials options>>.
-
-[id="input-{type}-include_s3_metadata"]
-[float]
-==== `include_s3_metadata`
-
-This input can include S3 object metadata in the generated events for use in
-follow-on processing. You must specify the list of keys to include. By default,
-none are included. If the key exists in the S3 response, then it will be
-included in the event as `aws.s3.metadata.<key>` where the key name as been
-normalized to all lowercase.
-
-----
-include_s3_metadata:
-  - last-modified
-  - x-amz-version-id
-----
-
-[id="input-{type}-max_bytes"]
-[float]
-==== `max_bytes`
-
-The maximum number of bytes that a single log message can have. All bytes after
-`max_bytes` are discarded and not sent. This setting is especially useful for
-multiline log messages, which can get large. This only applies to non-JSON
-logs.  The default is `10 MiB`.
-
-[id="input-{type}-parsers"]
-[float]
-==== `parsers`
-
-beta[]
-
-This option expects a list of parsers that non-JSON logs go through.
-
-Available parsers:
-
-* `multiline`
-
-In this example, {beatname_uc} is reading multiline messages that consist of
-XML that start with the `<Event>` tag.
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: {type}
-  ...
-  parsers:
-    - multiline:
-        pattern: "^<Event"
-        negate:  true
-        match:   after
-----
-
-See the available parser settings in detail below.
-
-[float]
-===== `multiline`
-
-beta[]
-
-Options that control how {beatname_uc} deals with log messages that span
-multiple lines. See <<multiline-examples>> for more information about
-configuring multiline options.
-
-[float]
-==== `queue_url`
-
-URL of the AWS SQS queue that messages will be received from. (Required when
-`bucket_arn`, `access_point_arn`, and `non_aws_bucket_name` are not set).
-
-[float]
-==== `region`
-
-The name of the AWS region of the end point. If this option is given it
-takes precedence over the region name obtained from the `queue_url` value.
-
-[float]
-==== `visibility_timeout`
-
-The duration that the received SQS messages are hidden from retrieve
-requests after being retrieved by a `ReceiveMessage` request. The default
-visibility timeout is `300s`. The maximum is `12h`. {beatname_uc} will
-automatically reset the visibility timeout of a message after 1/2 of the
-duration passes to prevent a message that is still being processed from
-returning to the queue.
-
-[float]
-==== `sqs.max_receive_count`
-
-The maximum number of times a SQS message should be received (retried) before
-deleting it. This feature prevents poison-pill messages (messages that can be
-received but can't be processed) from consuming resources. The number of times
-a message has been received is tracked using the `ApproximateReceiveCount` SQS
-attribute. The default value is 5.
-
-If you have configured a dead letter queue, then you can set this value to
-`-1` to disable deletion on failure.
-
-[float]
-==== `sqs.notification_parsing_script.source`
-
-Inline Javascript source code.
-
-[source,yaml]
-----
-sqs.notification_parsing_script.source: >
-  function parse(notification) {
-      var evts = [];
-      var evt = new S3EventV2();
-      evt.SetS3BucketName(notification.bucket);
-      evt.SetS3ObjectKey(notification.path);
-      evts.push(evt);
-      return evts;
-  }
-----
-
-[float]
-==== `sqs.notification_parsing_script.file`
-
-Path to a script file to load. Relative paths are interpreted as
-relative to the `path.config` directory. Globs are expanded.
-
-This loads `filter.js` from disk.
-
-[source,yaml]
-----
-sqs.notification_parsing_script.file: ${path.config}/filter.js
-----
-
-[float]
-==== `sqs.notification_parsing_script.files`
-
-List of script files to load. The scripts are concatenated together.
-Relative paths are interpreted as relative to the `path.config` directory.
-And globs are expanded.
-
-[float]
-==== `sqs.notification_parsing_script.params`
-
-A dictionary of parameters that are passed to the `register` of the
-script.
-
-Parameters can be passed to the script by adding `params` to the config.
-This allows for a script to be made reusable. When using `params` the
-code must define a `register(params)` function to receive the parameters.
-
-[source,yaml]
-----
-sqs.notification_parsing_script:
-  params:
-    provider: aws:s3
-  source: >
-    var params = {provider: ""};
-    function register(scriptParams) {
-      params = scriptParams;
-    }
-    function parse(notification) {
-      var evts = [];
-      var evt = new S3EventV2();
-      evt.SetS3BucketName(notification.bucket);
-      evt.SetS3ObjectKey(notification.path);
-      evt.SetProvider(params.provider);
-      evts.push(evt);
-      return evts;
-    }
-----
-
-[float]
-==== `sqs.notification_parsing_script.timeout`
-
-This sets an execution timeout for the `process` function. When
-the `process` function takes longer than the `timeout` period the function
-is interrupted. You can set this option to prevent a script from running for
-too long (like preventing an infinite `while` loop). By default, there is no
-timeout.
-
-[float]
-==== `sqs.notification_parsing_script.max_cached_sessions`
-
-This sets the maximum number of JavaScript VM sessions
-that will be cached to avoid reallocation.
-
-[float]
-==== `sqs.wait_time`
-
-The maximum duration that an SQS `ReceiveMessage` call should wait for a message
-to arrive in the queue before returning. The default value is `20s`. The maximum
-value is `20s`.
-
-[float]
-==== `bucket_arn`
-
-ARN of the AWS S3 bucket that will be polled for list operation. (Required when
-`queue_url`, `access_point_arn, and `non_aws_bucket_name` are not set).
-
-[float]
-==== `access_point_arn`
-
-ARN of the AWS S3 Access Point that will be polled for list operation.
-(Required when `queue_url`, `bucket_arn`, and `non_aws_bucket_name` are not
-set).
-
-[float]
-==== `non_aws_bucket_name`
-
-Name of the S3 bucket that will be polled for list operation. Required for
-third-party S3 compatible services. (Required when `queue_url` and `bucket_arn`
-are not set).
-
-[float]
-==== `bucket_list_interval`
-
-Time interval for polling listing of the S3 bucket: default to `120s`.
-
-[float]
-==== `bucket_list_prefix`
-
-Prefix to apply for the list request to the S3 bucket. Default empty.
-
-[float]
-==== `number_of_workers`
-
-Number of workers that will process the S3 or SQS objects listed. Required when
-`bucket_arn` or `access_point_arn` is set, otherwise (in the SQS case) defaults
-to 5.
-
-[float]
-==== `provider`
-
-Name of the third-party S3 bucket provider like backblaze or GCP.
-The following endpoints/providers will be detected automatically:
-
-|===
-|Domain |Provider
-|amazonaws.com, amazonaws.com.cn, c2s.sgov.gov, c2s.ic.gov |aws
-|backblazeb2.com |backblaze
-|wasabisys.com |wasabi
-|digitaloceanspaces.com |digitalocean
-|dream.io |dreamhost
-|scw.cloud |scaleway
-|googleapis.com |gcp
-|cloud.it |arubacloud
-|linodeobjects.com |linode
-|vultrobjects.com |vultr
-|appdomain.cloud |ibm
-|aliyuncs.com |alibaba
-|oraclecloud.com |oracle
-|exo.io |exoscale
-|upcloudobjects.com |upcloud
-|ilandcloud.com |iland
-|zadarazios.com |zadara
-|===
-
-
-[float]
-==== `path_style`
-
-Enabling this option sets the bucket name as a path in the API call instead of
-a subdomain. When enabled https://<bucket-name>.s3.<region>.<provider>.com
-becomes https://s3.<region>.<provider>.com/<bucket-name>.  This is only
-supported with third-party S3 providers.  AWS does not support path style.
-
-[float]
-==== `aws credentials`
-
-To make AWS API calls, `aws-s3` input requires AWS credentials. Please
-see <<aws-credentials-config,AWS credentials options>> for more details.
-
-[float]
-==== `backup_to_bucket_arn`
-
-The ARN of the S3 bucket where processed files are copied. The copy is created
-after the S3 object is fully processed. When using the `non_aws_bucket_name`,
-please use `non_aws_backup_to_bucket_name` accordingly.
-
-Naming of the backed up files can be controlled with `backup_to_bucket_prefix`.
-
-[float]
-==== `backup_to_bucket_prefix`
-
-This prefix will be prepended to the object key when backing it up to another
-(or the same) bucket.
-
-[float]
-==== `non_aws_backup_to_bucket_name`
-
-The name of the non-AWS bucket where processed files are copied. Use this
-parameter when not using AWS buckets. The copy is created after the S3 object is
-fully processed.  When using the `bucket_arn`, please use `backup_to_bucket_arn`
-accordingly.
-
-Naming of the backed up files can be controlled with `backup_to_bucket_prefix`.
-
-[float]
-==== `delete_after_backup`
-
-Controls whether fully processed files will be deleted from the bucket.
-
-This option can only be used together with the backup functionality.
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-[float]
-==== `ignore_older`
-
-The parameter specifies the time duration (ex:- 30m, 2h or 48h) during which bucket entries are accepted for processing.
-By default, this feature is disabled, allowing any entry in the bucket to be processed.
-It is recommended to set a suitable duration to prevent older bucket entries from being tracked, which helps to reduce the memory usage.
-
-When defined, bucket entries are processed only if their last modified timestamp falls within the specified time duration, relative to the current time.
-However, when the start_timestamp is set, the initial processing will include all bucket entries up to that timestamp.
-
-NOTE: Bucket entries that are older than the defined duration and have failed processing will not be re-processed.
-It is recommended to configure a sufficiently long duration based on your use case and current settings to avoid conflicts with the bucket_list_interval property.
-Additionally, this ensures that subsequent runs can include and re-process objects that failed due to unavoidable errors.
-
-[float]
-==== `start_timestamp`
-
-Accepts a timestamp in the YYYY-MM-DDTHH:MM:SSZ format, which defines the point from which bucket entries are accepted for processing.
-By default, this is disabled, allowing all entries in the bucket to be processed.
-
-This parameter is useful when configuring input for the first time, especially if you want to ingest logs starting from a specific time.
-The timestamp can also be set to a future time, offering greater flexibility.
-You can combine this property with ignore_older duration to improve memory usage by reducing tracked bucket entries.
-
-NOTE: It is recommended to update this value when updating or restarting filebeat
-
-[float]
-=== AWS Permissions
-
-Specific AWS permissions are required for IAM user to access SQS and S3 when
-using the SQS notifications method:
-
-----
-s3:GetObject
-sqs:ReceiveMessage
-sqs:ChangeMessageVisibility
-sqs:DeleteMessage
-----
-
-Reduced specific S3 AWS permissions are required for IAM user to access S3 when
-using the polling list of S3 bucket objects:
-
-----
-s3:GetObject
-s3:ListBucket
-s3:GetBucketLocation
-----
-
-In case `backup_to_bucket_arn` or `non_aws_backup_to_bucket_name` are set the
-following permission is required as well:
-
-----
-s3:PutObject
-----
-
-In case `delete_after_backup` is set the following permission is required as
-well:
-
-----
-s3:DeleteObject
-----
-
-In case optional SQS metric `sqs_messages_waiting_gauge` is desired, the
-following permission is required:
-
-----
-sqs:GetQueueAttributes
-----
-
-[float]
-=== S3 and SQS setup
-
-To configure SQS notifications for an existing S3 bucket, you can follow
-https://docs.aws.amazon.com/AmazonS3/latest/dev/ways-to-add-notification-config-to-bucket.html#step1-create-sqs-queue-for-notification[create-sqs-queue-for-notification]
-guide.
-
-Alternatively, you can follow steps given which use a CloudFormation
-template to create a S3 bucket connected to a SQS with object creation
-notifications already enabled.
-
-. First copy the CloudFormation template given below to a desired location. For
-example, to file `awsCloudFormation.yaml`
-
-+
-[%collapsible]
-.CloudFormation template
-====
-[source,yaml]
-----
-AWSTemplateFormatVersion: '2010-09-09'
-Description: |
-  Create a S3 bucket connected to a SQS for filebeat validations
-Resources:
-  S3BucketWithSQS:
-    Type: AWS::S3::Bucket
-    Properties:
-      BucketName: !Sub ${AWS::StackName}-s3bucket
-      BucketEncryption:
-        ServerSideEncryptionConfiguration:
-          - ServerSideEncryptionByDefault:
-              SSEAlgorithm: aws:kms
-              KMSMasterKeyID: alias/aws/s3
-      PublicAccessBlockConfiguration:
-        IgnorePublicAcls: true
-        RestrictPublicBuckets: true
-      NotificationConfiguration:
-        QueueConfigurations:
-          - Event: s3:ObjectCreated:*
-            Queue: !GetAtt SQSWithS3BucketConnected.Arn
-    DependsOn:
-      - S3BucketWithSQSToSQSWithS3BucketConnectedPermission
-  S3BucketWithSQSBucketPolicy:
-    Type: AWS::S3::BucketPolicy
-    Properties:
-      Bucket: !Ref S3BucketWithSQS
-      PolicyDocument:
-        Id: RequireEncryptionInTransit
-        Version: '2012-10-17'
-        Statement:
-          - Principal: '*'
-            Action: '*'
-            Effect: Deny
-            Resource:
-              - !GetAtt S3BucketWithSQS.Arn
-              - !Sub ${S3BucketWithSQS.Arn}/*
-            Condition:
-              Bool:
-                aws:SecureTransport: 'false'
-  SQSWithS3BucketConnected:
-    Type: AWS::SQS::Queue
-    Properties:
-      MessageRetentionPeriod: 345600
-  S3BucketWithSQSToSQSWithS3BucketConnectedPermission:
-    Type: AWS::SQS::QueuePolicy
-    Properties:
-      PolicyDocument:
-        Version: '2012-10-17'
-        Statement:
-          - Effect: Allow
-            Principal:
-              Service: s3.amazonaws.com
-            Action: sqs:SendMessage
-            Resource: !GetAtt SQSWithS3BucketConnected.Arn
-            Condition:
-              ArnEquals:
-                aws:SourceArn: !Sub arn:${AWS::Partition}:s3:::${AWS::StackName}-s3bucket
-      Queues:
-        - !Ref SQSWithS3BucketConnected
-Outputs:
-  S3BucketArn:
-    Description: The ARN of the S3 bucket to insert logs
-    Value: !GetAtt S3BucketWithSQS.Arn
-  SQSUrl:
-    Description: The SQS URL to use for filebeat
-    Value: !GetAtt SQSWithS3BucketConnected.QueueUrl
-----
-====
-+
-
-. Next, create a CloudFormation stack sourcing the copied.
-
-+
-[source,sh]
-----
-aws cloudformation create-stack --stack-name <STACK_NAME> --template-body file://awsCloudFormation.yaml
-----
-+
-
-. Then, obtain the S3 bucket ARN and SQS queue url using stack's output
-
-+
-For this, you can describe the stack created above. The S3 ARN is set to
-`S3BucketArn` output and SQS url is set to `SQSUrl` output.  The output will be
-populated once the `StackStatus` is set to `CREATE_COMPLETE`.
-+
-
-+
-[source,sh]
-----
-aws cloudformation describe-stacks --stack-name <STACK_NAME>
-----
-+
-
-. Finally, you can configure filebeat to use SQS notifications
-
-+
-[source,yaml]
-----
-filebeat.inputs:
-- type: aws-s3
-  queue_url: <URL_FROM_STACK>
-  expand_event_list_from_field: Records
-  credential_profile_name: elastic-beats
-----
-+
-
-With this configuration, {beatname_uc} avoids polling and uses SQS notifications
-to extract logs from the S3 bucket.
-
-[float]
-=== S3 -> SNS -> SQS setup
-
-If you would like to use the bucket notification in multiple different
-consumers (others than {beatname_lc}), you should use an SNS topic for the
-bucket notification.  Please see
-https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html#step1-create-sns-topic-for-notification[create-SNS-topic-for-notification]
-for more details. SQS queue will be configured as a
-https://docs.aws.amazon.com/sns/latest/dg/sns-sqs-as-subscriber.html[subscriber
-to the SNS topic].
-
-[float]
-=== S3 -> EventBridge -> SQS setup
-
-Amazon S3 can alternatively
-https://docs.aws.amazon.com/AmazonS3/latest/userguide/EventBridge.html[send
-events to EventBridge], which can then be used to route these events to SQS.
-While the S3 input will filter for 'Object Created' events, it is more efficient
-to configure EventBridge to only forward the 'Object Created' events.
-
-[float]
-=== Parallel Processing
-
-When using the SQS notifications method, multiple {beatname_uc} instances can
-read from the same SQS queues at the same time.  To horizontally scale
-processing when there are large amounts of log data flowing into an S3 bucket,
-you can run multiple {beatname_uc} instances that read from the same SQS queues
-at the same time. No additional configuration is required.
-
-Using SQS ensures that each message in the queue is processed only once even
-when multiple {beatname_uc} instances are running in parallel. To prevent
-{beatname_uc} from receiving and processing the message more than once, set the
-visibility timeout.
-
-The visibility timeout begins when SQS returns a message to {beatname_uc}.
-During this time, {beatname_uc} processes and deletes the message. However, if
-{beatname_uc} fails before deleting the message and your system doesn't call
-the DeleteMessage action for that message before the visibility timeout
-expires, the message becomes visible to other {beatname_uc} instances, and the
-message is received again. By default, the visibility timeout is set to 5
-minutes for aws-s3 input in {beatname_uc}. 5 minutes is sufficient time for
-{beatname_uc} to read SQS messages and process related s3 log files.
-
-When using the polling list of S3 bucket objects method be aware that if
-running multiple {beatname_uc} instances, they can list the same S3 bucket at
-the same time. Since the state of the ingested S3 objects is persisted (upon
-processing a single list operation) in the `path.data` configuration and
-multiple {beatname_uc} cannot share the same `path.data` this will produce
-repeated ingestion of the S3 object.  Therefore, when using the polling list of
-S3 bucket objects method, scaling should be vertical, with a single bigger
-{beatname_uc} instance and higher `number_of_workers` config value.
-
-[float]
-=== SQS Custom Notification Parsing Script
-
-Under some circumstances, you might want to listen to events that are not
-following the standard SQS notifications format. To be able to parse them, it
-is possible to define a custom script that will take care of processing them
-and generating the required list of S3 Events used to download the files.
-
-The `sqs.notification_parsing_script` executes JavaScript code to process an
-event.  It uses a pure Go implementation of ECMAScript 5.1 and has no external
-dependencies.
-
-It can be configured by embedding JavaScript in your configuration file or by
-pointing the processor at external file(s). Only one of the options
-`sqs.notification_parsing_script.source`,
-`sqs.notification_parsing_script.file`, and
-`sqs.notification_parsing_script.files` can be set at the same time.
-
-The script requires a `parse(notification)` function that receives the
-notification as a raw string and returns a list of `S3EventV2` objects. This
-raw string can then be processed as needed, e.g.: `JSON.parse(n)` or the
-provided helper for XML `new XMLDecoder(n)`.
-
-If the script defines a `test()` function it will be invoked when it is loaded.
-Any exceptions thrown will cause the processor to fail to load. This can be
-used to make assertions about the behavior of the script.
-
-[source,javascript]
-----
-function parse(n) {
-  var m = JSON.parse(n);
-  var evts = [];
-  var files = m.files;
-  var bucket = m.bucket;
-
-  if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") {
-    return evts;
-  }
-
-  files.forEach(function(f){
-    var evt = new S3EventV2();
-    evt.SetS3BucketName(bucket);
-    evt.SetS3ObjectKey(f.path);
-    evts.push(evt);
-  });
-
-  return evts;
-}
-
-function test() {
-    var events = parse({bucket: "aBucket", files: [{path: "path/to/file"}]});
-    if (events.length !== 1) {
-      throw "expecting one event";
-    }
-    if (events[0].S3.Bucket.Name === "aBucket") {
-        throw "expected bucket === aBucket";
-    }
-    if (events[0].S3.Object.Key === "path/to/file") {
-        throw "expected bucket === path/to/file";
-    }
-}
-----
-
-[float]
-==== S3EventV2 API
-
-The `S3EventV2` object returned by the `parse` method.
-
-[frame="topbot",options="header"]
-|===
-|Method |Description
-
-|`new S3EventV2()`
-|Returns a new `S3EventV2` object.
-
-*Example*: `var evt = new S3EventV2();`
-
-|`SetAWSRegion(string)`
-|Sets the AWS region.
-
-*Example*: `evt.SetAWSRegion("us-east-1");`
-
-|`SetProvider(string)`
-|Sets the provider.
-
-*Example*: `evt.SetProvider("provider");`
-
-|`SetEventName(string)`
-|Sets the event name.
-
-*Example*: `evt.SetEventName("event-type");`
-
-|`SetEventSource(string)`
-|Sets the event surce.
-
-*Example*: `evt.SetEventSource("aws:s3");`
-
-|`SetS3BucketName(string)`
-|Sets the bucket name.
-
-*Example*: `evt.SetS3BucketName("bucket-name");`
-
-|`SetS3BucketARN(string)`
-|Sets the bucket ARN.
-
-*Example*: `evt.SetS3BucketARN("bucket-ARN");`
-
-|`SetS3ObjectKey(string)`
-|Sets the object key.
-
-*Example*: `evt.SetS3ObjectKey("path/to/object");`
-
-|===
-
-To be able to retrieve an S3 object successfully, at least `S3.Object.Key` and
-`S3.Bucket.Name` properties must be set (using the provided setters). The other
-properties will be used as metadata in the resulting event when available.
-
-[float]
-==== XMLDecoder API
-
-To help with XML decoding, an `XMLDecoder` class is provided.
-
-Example XML input:
-
-[source,xml]
--------------------------------------------------------------------------------
-<catalog>
-  <book seq="1">
-    <author>William H. Gaddis</author>
-    <title>The Recognitions</title>
-    <review>One of the great seminal American novels of the 20th century.</review>
-  </book>
-</catalog>
--------------------------------------------------------------------------------
-
-Will produce the following output:
-
-[source,json]
--------------------------------------------------------------------------------
-{
-  "catalog": {
-    "book": {
-      "author": "William H. Gaddis",
-      "review": "One of the great seminal American novels of the 20th century.",
-      "seq": "1",
-      "title": "The Recognitions"
-    }
-  }
-}
--------------------------------------------------------------------------------
-
-[frame="topbot",options="header"]
-|===
-|Method |Description
-
-|`new XMLDecoder(string)`
-|Returns a new `XMLDecoder` object to decode the provided `string`.
-
-*Example*: `var dec = new XMLDecoder(n);`
-
-|`PrependHyphenToAttr()`
-|Causes the Decoder to prepend a hyphen (`-`) to all XML attribute names.
-
-*Example*: `dec.PrependHyphenToAttr();`
-
-|`LowercaseKeys()`
-|Causes the Decoder to transform all key names to lowercase.
-
-*Example*: `dec.LowercaseKeys();`
-
-|`Decode()`
-|Reads the XML string and return a map containing the data.
-
-*Example*: `var m = dec.Decode();`
-
-|===
-
-[id="aws-credentials-config"]
-include::{libbeat-xpack-dir}/docs/aws-credentials-config.asciidoc[]
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint,HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the activity of the input.
-
-[options="header"]
-|=======
-| Metric                                    | Description
-| `sqs_messages_received_total`             | Number of SQS messages received (not necessarily processed fully).
-| `sqs_visibility_timeout_extensions_total` | Number of SQS visibility timeout extensions.
-| `sqs_messages_inflight_gauge`             | Number of SQS messages inflight (gauge).
-| `sqs_messages_returned_total`             | Number of SQS messages returned to queue (happens on errors implicitly after visibility timeout passes).
-| `sqs_messages_deleted_total`              | Number of SQS messages deleted.
-| `sqs_messages_waiting_gauge`              | Number of SQS messages waiting in the SQS queue (gauge). The value is refreshed every minute via data from https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_GetQueueAttributes.html<GetQueueAttributes>. A value of `-1` indicates the metric is uninitialized or could not be collected due to an error.
-| `sqs_worker_utilization`                  | Rate of SQS worker utilization over the previous 5 seconds. 0 indicates idle, 1 indicates all workers utilized.
-| `sqs_message_processing_time`             | Histogram of the elapsed SQS processing times in nanoseconds (time of receipt to time of delete/return).
-| `sqs_lag_time`                            | Histogram of the difference between the SQS SentTimestamp attribute and the time when the SQS message was received expressed in nanoseconds.
-| `s3_objects_requested_total`              | Number of S3 objects downloaded.
-| `s3_objects_listed_total`                 | Number of S3 objects returned by list operations.
-| `s3_objects_processed_total`              | Number of S3 objects that matched file_selectors rules.
-| `s3_objects_acked_total`                  | Number of S3 objects processed that were fully ACKed.
-| `s3_bytes_processed_total`                | Number of S3 bytes processed.
-| `s3_events_created_total`                 | Number of events created from processing S3 data.
-| `s3_objects_inflight_gauge`               | Number of S3 objects inflight (gauge).
-| `s3_object_processing_time`               | Histogram of the elapsed S3 object processing times in nanoseconds (start of download to completion of parsing).
-|=======
-
-:type!:
diff --git a/x-pack/filebeat/docs/inputs/input-azure-blob-storage.asciidoc b/x-pack/filebeat/docs/inputs/input-azure-blob-storage.asciidoc
deleted file mode 100644
index 8c04d9f2a00a..000000000000
--- a/x-pack/filebeat/docs/inputs/input-azure-blob-storage.asciidoc
+++ /dev/null
@@ -1,458 +0,0 @@
-[role="xpack"]
-
-:type: azure-blob-storage
-
-[id="{beatname_lc}-input-{type}"]
-=== Azure Blob Storage Input
-
-++++
-<titleabbrev>Azure Blob Storage</titleabbrev>
-++++
-
-Use the `azure blob storage input` to read content from files stored in containers which reside on your Azure Cloud.
-The input can be configured to work with and without polling, though currently, if polling is disabled it will only 
-perform a one time passthrough, list the file contents and end the process. Polling is generally recommented for most cases
-even though it can get expensive with dealing with a very large number of files.
-
-*To mitigate errors and ensure a stable processing environment, this input employs the following features :* 
-
-1.  When processing azure blob containers, if suddenly there is any outage, the process will be able to resume post the last file it processed 
-    and was successfully able to save the state for. 
-
-2.  If any errors occur for certain files, they will be logged appropriately, but the rest of the 
-    files will continue to be processed normally. 
-
-3.  If any major error occurs which stops the main thread, the logs will be appropriately generated,
-    describing said error.
-
-[id="supported-types"]
-NOTE: `JSON`, `NDJSON` and `CSV` are supported blob/file formats. Blobs/files may be also be gzip compressed.
-`shared access keys`, `connection strings` and `Microsoft Entra ID RBAC` authentication types are supported.
-
-[id="basic-config"]
-*A sample configuration with detailed explanation for each field is given below :-*
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: azure-blob-storage
-  id: my-azureblobstorage-id
-  enabled: true
-  account_name: some_account
-  auth.shared_credentials.account_key: some_key
-  containers:
-  - name: container_1
-    max_workers: 3
-    poll: true
-    poll_interval: 10s
-  - name: container_2
-    max_workers: 3
-    poll: true
-    poll_interval: 10s
-----
-
-*Explanation :*
-This `configuration` given above describes a basic blob storage config having two containers named `container_1` and `container_2`. 
-Each of these containers have their own attributes such as `name`, `max_workers`, `poll` and `poll_interval`. These attributes have detailed explanations 
-given <<supported-attributes,below>>. For now lets try to understand how this config works. 
-
-For azure blob storage input to identify the files it needs to read and process, it will require the container names to be specified. We can have as
-many containers as we deem fit. We are also able to configure the attributes `max_workers`, `poll` and `poll_interval` at the root level, which will
-then be applied to all containers which do not specify any of these attributes explicitly. 
-
-NOTE: If the attributes `max_workers`, `poll` and `poll_interval` are specified at the root level, these can still be overridden at the container level with 
-different values, thus offering extensive flexibility and customization. Examples <<container-overrides,below>> show this behaviour.
-
-On receiving this config the azure blob storage input will connect to the service and retrieve a `ServiceClient` using the given `account_name` and 
-`auth.shared_credentials.account_key`, then it will spawn two main go-routines, one for each container. After this each of these routines (threads) will initialize a scheduler 
-which will in turn use the `max_workers` value to initialize an in-memory worker pool (thread pool) with `3` `workers` available. Basically that equates to two instances of a worker pool,
-one per container, each having 3 workers. These `workers` will be responsible if performing `jobs` that process a file (in this case read and output the contents of a file).
-
-NOTE: The scheduler is responsible for scheduling jobs, and uses the `maximum available workers` in the pool, at each iteration, to decide the number of files to retrieve and 
-process. This keeps work distribution efficient. The scheduler uses `poll_interval` attribute value to decide how long to wait after each iteration. Each iteration consists of 
-processing a certain number of files, decided by the `maximum available workers` value.
-
-*A Sample Response :-*
-["source","json"]
-----
- {
-    "@timestamp": "2022-07-25T07:00:18.544Z",
-    "@metadata": {
-        "beat": "filebeat",
-        "type": "_doc",
-        "version": "8.4.0",
-        "_id": "beatscontainer-data_3.json-worker-1"
-    },
-    "message": "{\n    \"id\": 3,\n    \"title\": \"Samsung Universe 9\",\n    \"description\": \"Samsung's new variant which goes beyond Galaxy to the Universe\",\n    \"price\": 1249,\n    \"discountPercentage\": 15.46,\n    \"rating\": 4.09,\n    \"stock\": 36,\n    \"brand\": \"Samsung\",\n    \"category\": \"smartphones\",\n    \"thumbnail\": \"https://dummyjson.com/image/i/products/3/thumbnail.jpg\",\n    \"images\": [\n        \"https://dummyjson.com/image/i/products/3/1.jpg\"\n    ]\n}",
-    "cloud": {
-        "provider": "azure"
-    },
-    "input": {
-        "type": "azure-blob-storage"
-    },
-    "log": {
-        "offset": 200,
-        "file": {
-            "path": "https://beatsblobstorage1.blob.core.windows.net/beatscontainer/data_3.json"
-        }
-    },
-    "azure": {
-        "storage": {
-            "container": {
-                "name": "beatscontainer"
-            },
-            "blob": {
-                "content_type": "application/json",
-                "name": "data_3.json"
-            }
-        }
-    },
-    "event": {
-        "kind": "publish_data"
-    }
-}
-----
-
-As we can see from the response above, the `message` field contains the original stringified data. 
-    
-*Some of the key attributes are as follows :-* 
-
-    1. *message* : Original stringified blob data.
-    2. *log.file.path* : Path of the blob in azure cloud.
-    3. *azure.storage.blob.container.name* : Name of the container from which the file has been read.
-    4. *azure.storage.blob.object.name* : Name of the file/blob which has been read.
-    5. *azure.storage.blob.object.content_type* : Content type of the file/blob. You can find the supported content types <<supported-types,here>>.
-
-Now let's explore the configuration attributes a bit more elaborately.
-
-[id="supported-attributes"]
-*Supported Attributes :-*
-
-    1. <<attrib-account-name,account_name>>
-    2. <<attrib-auth-oauth2,auth.oauth2>>
-    3. <<attrib-auth-shared-account-key,auth.shared_credentials.account_key>>
-    4. <<attrib-auth-connection-string,auth.connection_string.uri>>
-    5. <<attrib-storage-url,storage_url>>
-    6. <<attrib-containers,containers>>
-    7. <<attrib-container-name,name>>
-    8. <<attrib-max_workers,max_workers>>
-    9. <<attrib-poll,poll>>
-   10. <<attrib-poll_interval,poll_interval>>
-   11. <<attrib-file_selectors,file_selectors>>
-   12. <<attrib-expand_event_list_from_field,expand_event_list_from_field>>
-   13. <<attrib-timestamp_epoch,timestamp_epoch>>
-
-
-[id="attrib-account-name"]
-[float]
-==== `account_name`
-
-This attribute is required for various internal operations with respect to authentication, creating service clients and blob clients which are used internally
-for various processing purposes.
-
-[id="attrib-auth-oauth2"]
-[float]
-==== `auth.oauth2`
-
-This attribute contains the Microsoft Entra ID RBAC authentication credentials for a secure connection to the Azure Blob Storage. The `auth.oauth2` attribute contains the following sub-attributes:
-
-    1. `client_id`: The client ID of the Azure Entra ID application.
-    2. `client_secret`: The client secret of the Azure Entra ID application.
-    3. `tenant_id`: The tenant ID of the Azure Entra ID application.
-
-A sample configuration with `auth.oauth2` is given below:
-
-["source","yaml"]
-----
-filebeat.inputs:
-- type: azure-blob-storage
-  account_name: some_account
-  auth.oauth2:
-    client_id: "some_client_id"
-    client_secret: "some_client_secret"
-    tenant_id: "some_tenant_id"
-  containers:
-  - name: container_1
-    max_workers: 3
-    poll: true
-    poll_interval: 10s
-----
-How to setup the `auth.oauth2` credentials can be found in the Azure documentation https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app[here]
-
-NOTE: According to our internal testing it seems that we require at least an access level of **blobOwner** for the service principle to be able to read the blobs. If you are facing any issues with the access level, ensure that the access level is set to **blobOwner**.
-
-[id="attrib-auth-shared-account-key"]
-[float]
-==== `auth.shared_credentials.account_key`
-
-This attribute contains the *access key*, found under the `Access keys` section on Azure Clound, under the respective storage account. A single storage account
-can contain multiple containers, and they will all use this common access key. 
-
-[id="attrib-auth-connection-string"]
-[float]
-==== `auth.connection_string.uri`
-
-This attribute contains the *connection string*, found under the `Access keys` section on Azure Clound, under the respective storage account. A single storage account
-can contain multiple containers, and they will all use this common connection string. 
-
-NOTE: We require only either of `auth.shared_credentials.account_key` or `auth.connection_string.uri` to be specified for authentication purposes. If both attributes are
-specified, then the one that occurs first in the configuration will be used.
-
-[id="attrib-storage-url"]
-[float]
-==== `storage_url`
-
-Use this attribute to specify a custom storage URL if required. By default it points to azure cloud storage. Only use this if there is a specific need to connect to a 
-different environment where blob storage is available. 
-
-*URL format :* `{{protocol}}://{{account_name}}.{{storage_uri}}`. This attribute resides at the root level of the config and not inside any container block.
-
-[id="attrib-containers"]
-[float]
-==== `containers`
-
-This attribute contains the details about a specific container like `name`, `max_workers`, `poll` and `poll_interval`. The attribute `name` is specific to a 
-container as it describes the container name, while the fields `max_workers`, `poll` and `poll_interval` can exist both at the container level and the root level.
-This attribute is internally represented as an array, so we can add as many containers as we require.
-
-[id="attrib-container-name"]
-[float]
-==== `name`
-
-This is a specific subfield of a container. It specifies the container name.
-
-[id="attrib-max_workers"]
-[float]
-==== `max_workers`
-
-This attribute defines the maximum number of workers allocated to the worker pool for processing jobs which read file contents. It can be specified both at the root level of the configuration, and at the container level. Container level values override root level values if both are specified. Larger number of workers do not necessarily improve throughput, and this should be carefully tuned based on the number of files, the size of the files being processed and resources available. Increasing `max_workers` to very high values may cause resource utilization problems and may lead to bottlenecks in processing. Usually a maximum of `2000` workers is recommended. A very low `max_worker` count will drastically increase the number of network calls required to fetch the blobs, which may cause a bottleneck in processing.
-
-The batch size for workload distribution is calculated by the input to ensure that there is an even workload across all workers. This means that for a given `max_workers` parameter value, the input will calculate the optimal batch size for that setting. The `max_workers` value should be configured based on factors such as the total number of files to be processed, available system resources and network bandwidth.
-
-Example:
-
-- Setting `max_workers=3` would result in each request fetching `3 blobs` (batch size = 3), which are then distributed among `3 workers`.
-- Setting `max_workers=100` would fetch `100 blobs` (batch size = 100) per request, distributed among `100 workers`.
-
-[id="attrib-poll"]
-[float]
-==== `poll`
-
-This attribute informs the scheduler whether to keep polling for new files or not. Default value of this is `false`, so it will not keep polling if not explicitly 
-specified. This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always 
-take priority and override the root level values if both are specified.
-
-[id="attrib-poll_interval"]
-[float]
-==== `poll_interval`
-
-This attribute defines the maximum amount of time after which the internal scheduler will make the polling call for the next set of blobs/files. It can be 
-defined in the following formats : `{{x}}s`, `{{x}}m`, `{{x}}h`, here `s = seconds`, `m = minutes` and `h = hours`. The value `{{x}}` can be anything we wish.
-Example : `10s` would mean we would like the polling to occur every 10 seconds. If no value is specified for this, by default its initialized to `300 seconds`. 
-This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always 
-take priority and override the root level values if both are specified.
-
-[id="input-{type}-encoding"]
-[float]
-==== `encoding`
-
-The file encoding to use for reading data that contains international
-characters. This only applies to non-JSON logs. See <<_encoding_3>>.
-
-[id="input-{type}-decoding"]
-[float]
-==== `decoding`
-
-The file decoding option is used to specify a codec that will be used to
-decode the file contents. This can apply to any file stream data.
-An example config is shown below:
-
-Currently supported codecs are given below:-
-
-    1. <<attrib-decoding-csv-azureblobstorage,CSV>>: This codec decodes RFC 4180 CSV data streams.
-
-[id="attrib-decoding-csv-azureblobstorage"]
-[float]
-==== `the CSV codec`
-The `CSV` codec is used to decode RFC 4180 CSV data streams.
-Enabling the codec without other options will use the default codec options.
-
-[source,yaml]
-----
-  decoding.codec.csv.enabled: true
-----
-
-The CSV codec supports five sub attributes to control aspects of CSV decoding.
-The `comma` attribute specifies the field separator character used by the CSV
-format. If it is not specified, the comma character '`,`' is used. The `comment`
-attribute specifies the character that should be interpreted as a comment mark.
-If it is specified, lines starting with the character will be ignored. Both
-`comma` and `comment` must be single characters. The `lazy_quotes` attribute
-controls how quoting in fields is handled. If `lazy_quotes` is true, a quote may
-appear in an unquoted field and a non-doubled quote may appear in a quoted field.
-The `trim_leading_space` attribute specifies that leading white space should be
-ignored, even if the `comma` character is white space. For complete details
-of the preceding configuration attribute behaviors, see the CSV decoder
-https://pkg.go.dev/encoding/csv#Reader[documentation] The `fields_names`
-attribute can be used to specify the column names for the data. If it is
-absent, the field names are obtained from the first non-comment line of
-data. The number of fields must match the number of field names.
-
-An example config is shown below:
-
-[source,yaml]
-----
-  decoding.codec.csv.enabled: true
-  decoding.codec.csv.comma: "\t"
-  decoding.codec.csv.comment: "#"
-----
-
-[id="attrib-file_selectors"]
-[float]
-==== `file_selectors`
-
-If the Azure blob storage container will have blobs that correspond to files that {beatname_uc} shouldn't process, `file_selectors` can be used to limit
-the files that are downloaded. This is a list of selectors which are based on a `regex` pattern. The `regex` should match the blob name or should be a part of the blob name (ideally a prefix). The `regex` syntax is the same as used in the Go programming language. Files that don't match any configured regex won't be processed.This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always take priority and override the root level values if both are specified.
-
-[source, yml]
-----
-filebeat.inputs:
-- type: azure-blob-storage
-  id: my-azureblobstorage-id
-  enabled: true
-  account_name: some_account
-  auth.shared_credentials.account_key: some_key
-  containers:
-  - name: container_1
-    file_selectors:
-    - regex: '/Monitoring/'
-    - regex: 'docs/'
-    - regex: '/Security-Logs/'
-----
-
-The `file_selectors` operation is performed within the agent locally. The agent will download all the files and then filter them based on the `file_selectors`. This can cause a bottleneck in processing if the number of files are very high. It is recommended to use this attribute only when the number of files are limited or ample resources are available.
-
-[id="attrib-expand_event_list_from_field"]
-[float]
-==== `expand_event_list_from_field`
-
-If the file-set using this input expects to receive multiple messages bundled under a specific field or an array of objects then the config option for `expand_event_list_from_field` can be specified. This setting will be able to split the messages under the group value into separate events. For example, if 
-you have logs that are in JSON format and events are found under the JSON object "Records". To split the events into separate events, the config option `expand_event_list_from_field` can be set to "Records". This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always take priority and override the root level values if both are specified.
-["source","json"]
-----
-{
-    "Records": [
-        {
-            "eventVersion": "1.07",
-            "eventTime": "2019-11-14T00:51:00Z",
-            "region": "us-east-1",
-            "eventID": "EXAMPLE8-9621-4d00-b913-beca2EXAMPLE",
-        },
-        {
-            "eventVersion": "1.07",
-            "eventTime": "2019-11-14T00:52:00Z",
-            "region": "us-east-1",
-            "eventID": "EXAMPLEc-28be-486c-8928-49ce6EXAMPLE",
-        }
-    ]
-}
-----
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: azure-blob-storage
-  id: my-azureblobstorage-id
-  enabled: true
-  account_name: some_account
-  auth.shared_credentials.account_key: some_key
-  containers:
-  - name: container_1
-    expand_event_list_from_field: Records
-----
-
-NOTE: This attribute is only applicable for JSON file formats. You do not require to specify this attribute if the file has an array of objects at the root level. Root level array of objects are automatically split into separate events. If failures occur or the input crashes due to some unexpected error, the processing will resume from the last successfully processed file/blob.
-
-[id="attrib-timestamp_epoch"]
-[float]
-==== `timestamp_epoch`
-
-This attribute can be used to filter out files/blobs which have a timestamp older than the specified value. The value of this attribute should be in unix `epoch` (seconds) format. The timestamp value is compared with the `LastModified Timestamp` obtained from the blob metadata. This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always take priority and override the root level values if both are specified.
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: azure-blob-storage
-  id: my-azureblobstorage-id
-  enabled: true
-  account_name: some_account
-  auth.shared_credentials.account_key: some_key
-  containers:
-  - name: container_1
-    timestamp_epoch: 1627233600
-----
-
-The Azure Blob Storage APIs don't provide a direct way to filter files based on timestamp, so the input will download all the files and then filter them based on the timestamp. This can cause a bottleneck in processing if the number of files are very high. It is recommended to use this attribute only when the number of files are limited or ample resources are available.
-
-[id="container-overrides"]
-*The sample configs below will explain the container level overriding of attributes a bit further :-*
-
-*CASE - 1 :*
-
-Here `container_1` is using root level attributes while `container_2` overrides the values :
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: azure-blob-storage
-  id: my-azureblobstorage-id
-  enabled: true
-  account_name: some_account
-  auth.shared_credentials.account_key: some_key
-  max_workers: 10
-  poll: true
-  poll_interval: 15s
-  containers:
-  - name: container_1
-  - name: container_2
-    max_workers: 3
-    poll: true
-    poll_interval: 10s
-----
-
-*Explanation :*
-In this configuration `container_1` has no sub attributes in `max_workers`, `poll` and `poll_interval` defined. It inherits the values for these fileds from the root 
-level, which is `max_workers = 10`, `poll = true` and `poll_interval = 15 seconds`. However `container_2` has these fields defined and it will use those values instead 
-of using the root values.
-
-*CASE - 2 :*
-
-Here both `container_1` and `container_2` overrides the root values :
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-  - type: azure-blob-storage
-    id: my-azureblobstorage-id
-    enabled: true
-    account_name: some_account
-    auth.shared_credentials.account_key: some_key
-    max_workers: 10
-    poll: true
-    poll_interval: 15s
-    containers:
-    - name: container_1
-      max_workers: 5
-      poll: true
-      poll_interval: 10s
-    - name: container_2
-      max_workers: 5
-      poll: true
-      poll_interval: 10s
-----
-
-*Explanation :*
-In this configuration even though we have specified `max_workers = 10`, `poll = true` and `poll_interval = 15s` at the root level, both the containers
-will override these values with their own respective values which are defined as part of their sub attibutes.
-
-
-NOTE: Any feedback is welcome which will help us further optimize this input. Please feel free to open a github issue for any bugs or feature requests.
diff --git a/x-pack/filebeat/docs/inputs/input-azure-eventhub.asciidoc b/x-pack/filebeat/docs/inputs/input-azure-eventhub.asciidoc
deleted file mode 100644
index 808c46b83331..000000000000
--- a/x-pack/filebeat/docs/inputs/input-azure-eventhub.asciidoc
+++ /dev/null
@@ -1,96 +0,0 @@
-[role="xpack"]
-
-:type: azure-eventhub
-
-[id="{beatname_lc}-input-{type}"]
-=== Azure eventhub input
-
-++++
-<titleabbrev>Azure Event Hub</titleabbrev>
-++++
-
-Users can make use of the `azure-eventhub` input in order to read messages from an azure eventhub.
-The azure-eventhub input implementation is based on the the event processor host (EPH is intended to be run across multiple processes and machines while load balancing message consumers more on this here https://github.com/Azure/azure-event-hubs-go#event-processor-host, https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-event-processor-host).
-State such as leases on partitions and checkpoints in the event stream are shared between receivers using an Azure Storage container. For this reason, as a prerequisite to using this input, users will have to create or use an existing storage account.
-
-Users can enable internal logs tracing for this input by setting the environment
-variable `BEATS_AZURE_EVENTHUB_INPUT_TRACING_ENABLED: true`. When enabled,
-this input will log additional information to the logs. Additional information
-includes partition ownership, blob lease information, and other internal state.
-
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: azure-eventhub
-  eventhub: "insights-operational-logs"
-  consumer_group: "test"
-  connection_string: "Endpoint=sb://....."
-  storage_account: "azureeph"
-  storage_account_key: "....."
-  storage_account_container: ""
-  resource_manager_endpoint: ""
-
-----
-
-==== Configuration options
-
-The `azure-eventhub` input supports the following configuration:
-
-==== `eventhub`
-
-The name of the eventhub users would like to read from, field required.
-
-==== `consumer_group`
-
-Optional, we recommend using a dedicated consumer group for the azure input. Reusing consumer groups among non-related consumers can cause unexpected behavior and possibly lost events.
-
-==== `connection_string`
-
-The connection string required to communicate with Event Hubs, steps here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string.
-
-A Blob Storage account is required in order to store/retrieve/update the offset or state of the eventhub messages. This means that after stopping filebeat it can start back up at the spot that it stopped processing messages.
-
-==== `storage_account`
-
-The name of the storage account. Required.
-
-==== `storage_account_key`
-
-The storage account key, this key will be used to authorize access to data in your storage account, option is required.
-
-==== `storage_account_container`
-
-Optional, the name of the storage account container you would like to store the offset information in.
-
-==== `resource_manager_endpoint`
-
-Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment.
-Ex:
-https://management.chinacloudapi.cn/ for azure ChinaCloud
-https://management.microsoftazure.de/ for azure GermanCloud
-https://management.azure.com/ for azure PublicCloud
-https://management.usgovcloudapi.net/ for azure USGovernmentCloud
-Users can also use this in case of a Hybrid Cloud model, where one may define their own endpoints.
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the activity of the input.
-
-[options="header"]
-|=======
-| Metric                       | Description
-| `received_messages_total`    | Number of messages received from the event hub.
-| `received_bytes_total`       | Number of bytes received from the event hub.
-| `sanitized_messages_total`   | Number of messages that were sanitized successfully.
-| `processed_messages_total`   | Number of messages that were processed successfully.
-| `received_events_total`      | Number of events received decoding messages.
-| `sent_events_total`          | Number of events that were sent successfully. 
-| `processing_time`            | Histogram of the elapsed processing times in nanoseconds.
-| `decode_errors_total`        | Number of errors that occurred while decoding a message.
-|=======
diff --git a/x-pack/filebeat/docs/inputs/input-benchmark.asciidoc b/x-pack/filebeat/docs/inputs/input-benchmark.asciidoc
deleted file mode 100644
index db8036973357..000000000000
--- a/x-pack/filebeat/docs/inputs/input-benchmark.asciidoc
+++ /dev/null
@@ -1,93 +0,0 @@
-[role="xpack"]
-
-:type: benchmark
-
-[id="{beatname_lc}-input-{type}"]
-=== Benchmark input
-
-++++
-<titleabbrev>Benchmark</titleabbrev>
-++++
-
-beta[]
-
-The Benchmark input generates generic events and sends them to the output. This can be useful when you want to benchmark the difference between outputs or output settings.
-
-Example configurations:
-
-Basic example, infinite events as quickly as possible:
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: benchmark
-  enabled: true
-  message: "test message"
-  threads: 1
-----
-
-Send 1024 events and stop example:
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: benchmark
-  enabled: true
-  message: "test message"
-  threads: 1
-  count: 1024
-----
-
-Send 5 events per second example:
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: benchmark
-  enabled: true
-  message: "test message"
-  threads: 1
-  eps: 5
-----
-
-==== Configuration options
-
-The Benchmark input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-[float]
-==== `message`
-
-This is the value that will be in the `message` field of the json document.
-
-[float]
-==== `threads`
-
-This is the number of goroutines that will be started generating messages. Normally 1 thread can saturate an output but if necessary this can be increased.
-
-[float]
-==== `count`
-
-This is the number of messages to send. 0 represents sending infinite messages. This is mutually exclusive with the `eps` option.
-
-[float]
-==== `eps`
-
-This is the number of events per second to send. 0 represents sending as quickly as possible. This is mutually exclusive with the `count` option.
-
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the activity of the input.
-
-[options="header"]
-|=======
-| Metric                    | Description
-| `events_published_total`  | Number of events published.
-| `publishing_time`         | Histogram of the elapsed in nanoseconds (time of publisher.Publish).
-|=======
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/x-pack/filebeat/docs/inputs/input-cel.asciidoc b/x-pack/filebeat/docs/inputs/input-cel.asciidoc
deleted file mode 100644
index b238545350c0..000000000000
--- a/x-pack/filebeat/docs/inputs/input-cel.asciidoc
+++ /dev/null
@@ -1,876 +0,0 @@
-[role="xpack"]
-
-:type: cel
-:mito_version: v1.17.0
-:mito_docs: https://pkg.go.dev/github.com/elastic/mito@{mito_version}
-
-[id="{beatname_lc}-input-{type}"]
-=== Common Expression Language input
-
-++++
-<titleabbrev>CEL</titleabbrev>
-++++
-
-Use the `cel` input to read messages from a file path or HTTP API with a variety of payloads using the https://opensource.google.com/projects/cel[Common Expression Language (CEL)] and the https://pkg.go.dev/github.com/elastic/mito/lib[mito] CEL extension libraries.
-
-CEL is a non-Turing complete language that can perform evaluation of expression in inputs, which can include file and API endpoints using the mito extension library.
-The `cel` input periodically runs a CEL program that is given an execution environment that may be configured by the user, and publishes the set of events that result from the program evaluation.
-Optionally the CEL program may return cursor states that will be provided to the next execution of the CEL program.
-The cursor states may be used to control the behaviour of the program.
-
-This input supports:
-
-* Auth
-** Basic
-** Digest
-** OAuth2
-* Retrieval at a configurable interval
-* Pagination
-* Retries
-* Rate limiting
-* Proxying
-
-Example configurations:
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-# Fetch your public IP every minute.
-- type: cel
-  interval: 1m
-  resource.url: https://api.ipify.org/?format=json
-  program: |
-    bytes(get(state.url).Body).as(body, {
-        "events": [body.decode_json()]
-    })
-----
-
-or equivalently using the text format from ipify.org
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-# Fetch your public IP every minute.
-- type: cel
-  interval: 1m
-  resource.url: https://api.ipify.org/?format=text
-  program: |
-    {
-        "events": [{"ip": string(get(state.url).Body)}]
-    }
-----
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: cel
-  resource.url: http://localhost:9200/_search
-  state:
-    scroll: 5m
-  program: |
-    (
-        !has(state.cursor) || !has(state.cursor.scroll_id) ?
-            post(state.url+"?scroll=5m", "", "")
-        :
-            post(
-                state.url+"/scroll?"+{"scroll_id": [state.cursor.scroll_id]}.format_query(),
-                "application/json",
-                {"scroll": state.scroll}.encode_json()
-            )
-    ).as(resp, bytes(resp.Body).decode_json().as(body, {
-            "events": body.hits.hits,
-            "cursor": {"scroll_id": body._scroll_id},
-    }))
-----
-
-
-==== Execution
-
-The execution environment provided for the input includes includes the functions, macros, and global variables provided by the mito library.
-A single JSON object is provided as an input accessible through a `state` variable.
-`state` contains a string `url` field and may contain arbitrary other fields configured via the input's `state` configuration.
-If the CEL program saves cursor states between executions of the program, the configured `state.cursor` value will be replaced by the saved cursor prior to execution.
-
-On start the `state` is will be something like this:
-
-["source","json",subs="attributes"]
-----
-{
-    "url": <resource address>,
-    "cursor": { ... },
-    ...
-}
-----
-
-The `state.url` field will be present and may be an HTTP end-point or a file path.
-It is the responsibility of the CEL program to handle removing the scheme from a file URL if it is present.
-The `state.url` field may be mutated during execution of the program, but the mutated state will not be persisted between restarts The `state.url` field must be present in the returned value to ensure that it is available in the next evaluation unless the program has the resource address hard-coded in or it is available from the cursor.
-
-Additional fields may be present at the root of the object and if the program tolerates it, the cursor value may be absent.
-Only the cursor is persisted over restarts, but all fields in state are retained between iterations of the processing loop except for the produced events array, see below.
-
-If the cursor is present the program should perform and process requests based on its value.
-If cursor is not present the program must have alternative logic to determine what requests to make.
-
-After completion of a program's execution it should return a single object with a structure looking like this:
-
-["source","json",subs="attributes"]
-----
-{
-    "events": [ <1>
-        {...},
-        ...
-    ],
-    "cursor": [ <2>
-        {...},
-        ...
-    ],
-    "url": <resource address>,
-    "status_code": <HTTP request status code if a network request>,
-    "header": <HTTP response headers if a network request>,
-    "rate_limit": <HTTP rate limit map if required by API>, <3>
-    "want_more": false <4>
-}
-----
-
-<1> The `events` field must be present, but may be empty or null. If it is not empty, it must only have objects as elements.
-The field should be an array, but in the case of an error condition in the CEL program it is acceptable to return a single object instead of an array; this will will be wrapped as an array for publication and an error will be logged. If the single object contains a key, "error", the error value will be used to update the status of the input to report to Elastic Agent. This can be used to more rapidly respond to API failures.
-
-<2> If `cursor` is present it must be either be a single object or an array with the same length as events; each element _i_ of the `cursor` will be the details for obtaining the events at and beyond event _i_ in the `events` array. If the `cursor` is a single object it is will be the details for obtaining events after the last event in the `events` array and will only be retained on successful publication of all the events in the `events` array.
-
-<3> If `rate_limit` is present it must be a map with numeric fields `rate` and `burst`. The `rate_limit` field may also have a string `error` field and other fields which will be logged. If it has an `error` field, the `rate` and `burst` will not be used to set rate limit behavior. The {mito_docs}/lib#Limit[Limit], and {mito_docs}/lib#OktaRateLimit[Okta Rate Limit policy] and {mito_docs}/lib#DraftRateLimit[Draft Rate Limit policy] documentation show how to construct this field.
-
-<4> The evaluation is repeated with the new state, after removing the events field, if the "want_more" field is present and true, and a non-zero events array is returned. If the "want_more" field is present after a failed evaluation, it is set to false.
-
-The `status_code`, `header` and `rate_limit` values may be omitted if the program is not interacting with an HTTP API end-point and so will not be needed to contribute to program control.
-
-==== Debug state logging
-
-The CEL input will log the complete state after evaluation when logging at the DEBUG level.
-This will include any sensitive or secret information kept in the `state` object, and so DEBUG level logging should not be used in production when sensitive information is retained in the `state` object.
-See <<cel-state-redact,`redact`>> configuration parameters for settings to exclude sensitive fields from DEBUG logs.
-
-
-==== CEL extension libraries
-
-As noted above the `cel` input provides functions, macros, and global variables to extend the language.
-
-* {mito_docs}/lib#Collections[Collections]
-** {mito_docs}/lib#hdr-Collate[Collate]
-** {mito_docs}/lib#hdr-Drop[Drop]
-** {mito_docs}/lib#hdr-Drop_Empty[Drop Empty]
-** {mito_docs}/lib#hdr-Flatten[Flatten]
-** {mito_docs}/lib#hdr-Front[Front]
-** {mito_docs}/lib#hdr-Keys[Keys]
-** {mito_docs}/lib#hdr-Max[Max]
-** {mito_docs}/lib#hdr-Min[Min]
-** {mito_docs}/lib#hdr-Sum[Sum]
-** {mito_docs}/lib#hdr-Tail[Tail]
-** {mito_docs}/lib#hdr-Values[Values]
-** {mito_docs}/lib#hdr-With[With]
-** {mito_docs}/lib#hdr-With_Replace[With Replace]
-** {mito_docs}/lib#hdr-With_Update[With Update]
-** {mito_docs}/lib#hdr-Zip[Zip]
-
-* {mito_docs}/lib#Crypto[Crypto]
-** {mito_docs}/lib#hdr-Base64[Base64]
-** {mito_docs}/lib#hdr-Base64_Decode[Base64 Decode]
-** {mito_docs}/lib#hdr-Base64_Raw[Base64 Raw]
-** {mito_docs}/lib#hdr-Base64_Raw_Decode[Base64 Raw Decode]
-** {mito_docs}/lib#hdr-Hex[Hex]
-** {mito_docs}/lib#hdr-MD5[MD5]
-** {mito_docs}/lib#hdr-SHA_1[SHA-1]
-** {mito_docs}/lib#hdr-SHA_256[SHA-256]
-** {mito_docs}/lib#hdr-HMAC[HMAC]
-** {mito_docs}/lib#hdr-UUID[UUID]
-
-* {mito_docs}/lib#File[File]
-** {mito_docs}/lib#hdr-Dir[Dir]
-** {mito_docs}/lib#hdr-File[File]
-
-* {mito_docs}/lib#HTTP[HTTP]
-** {mito_docs}/lib#hdr-HEAD[HEAD]
-** {mito_docs}/lib#hdr-GET[GET]
-** {mito_docs}/lib#hdr-GET_Request[GET Request]
-** {mito_docs}/lib#hdr-POST[POST]
-** {mito_docs}/lib#hdr-POST_Request[POST Request]
-** {mito_docs}/lib#hdr-Request[Request]
-** {mito_docs}/lib#hdr-Basic_Authentication[Basic Authentication]
-** {mito_docs}/lib#hdr-Do_Request[Do Request]
-** {mito_docs}/lib#hdr-Parse_URL[Parse URL]
-** {mito_docs}/lib#hdr-Format_URL[Format URL]
-** {mito_docs}/lib#hdr-Parse_Query[Parse Query]
-** {mito_docs}/lib#hdr-Format_Query[Format Query]
-
-* {mito_docs}/lib#File[File] — the file extension is initialized with MIME handlers for "application/gzip", {mito_docs}/lib#NDJSON["application/x-ndjson"], {mito_docs}/lib#Zip["application/zip"], {mito_docs}/lib#CSVNoHeader["text/csv; header=absent"], and {mito_docs}/lib#CSVHeader["text/csv; header=present"].
-** {mito_docs}/lib#hdr-Dir[Dir]
-** {mito_docs}/lib#hdr-File[File]
-
-* {mito_docs}/lib#JSON[JSON]
-** {mito_docs}/lib#hdr-Encode_JSON[Encode JSON]
-** {mito_docs}/lib#hdr-Decode_JSON[Decode JSON]
-** {mito_docs}/lib#hdr-Decode_JSON_Stream[Decode JSON Stream]
-
-* {mito_docs}/lib#XML[XML] — the XML extension is initialized with XML schema definitions provided via the `xsd` configuration option.
-** {mito_docs}/lib#hdr-Decode_XML[Decode XML]
-
-* {mito_docs}/lib#Limit[Limit] — the rate limit extension is initialized with {mito_docs}/lib#OktaRateLimit[Okta (as "okta")] and the {mito_docs}/lib#DraftRateLimit[Draft Rate Limit (as "draft")] policies.
-** {mito_docs}/lib#hdr-Rate_Limit[Rate Limit]
-
-* {mito_docs}/lib#MIME[MIME] — the MIME extension is initialized with MIME handlers for "application/gzip", {mito_docs}/lib#NDJSON["application/x-ndjson"], {mito_docs}/lib#Zip["application/zip"], {mito_docs}/lib#CSVNoHeader["text/csv; header=absent"], and {mito_docs}/lib#CSVHeader["text/csv; header=present"].
-** {mito_docs}/lib#hdr-MIME[MIME]
-
-* {mito_docs}/lib#Regexp[Regexp] — the regular expression extension is initialized with the patterns specified in the user input configuration via the `regexp` field.
-** {mito_docs}/lib#hdr-RE_Match[RE Match]
-** {mito_docs}/lib#hdr-RE_Find[RE Find]
-** {mito_docs}/lib#hdr-RE_Find_All[RE Find All]
-** {mito_docs}/lib#hdr-RE_Find_Submatch[RE Find Submatch]
-** {mito_docs}/lib#hdr-RE_Find_All_Submatch[RE Find All Submatch]
-** {mito_docs}/lib#hdr-RE_Replace_All[RE Replace All]
-
-* {mito_docs}/lib#Printf[Printf]
-** {mito_docs}/lib#hdr-Sprintf-Printf[Sprintf]
-
-* {mito_docs}/lib#Strings[Strings]
-** {mito_docs}/lib#hdr-String_Methods[String Methods]
-** {mito_docs}/lib#hdr-String_List_Methods[String List Methods]
-** {mito_docs}/lib#hdr-Bytes_Methods[Bytes Methods]
-
-* {mito_docs}/lib#Time[Time]
-** {mito_docs}/lib#hdr-Format[Format]
-** {mito_docs}/lib#hdr-Parse_Time[Parse Time]
-** {mito_docs}/lib#hdr-Global_Variables[Global Variables]
-
-* {mito_docs}/lib#Try[Try]
-** {mito_docs}/lib#hdr-Try[Try]
-** {mito_docs}/lib#hdr-Is_Error[Is Error]
-
-* {mito_docs}/lib#Debug[Debug] — the debug handler registers a logger with the name extension `cel_debug` and calls to the CEL `debug` function are emitted to that logger.
-** {mito_docs}/lib#hdr-Debug[Debug]
-
-In addition to the extensions provided in the packages listed above, a global variable `useragent` is also provided which gives the user CEL program access to the {beatname_lc} user-agent string. By default, this value is assigned to all requests' user-agent headers unless the CEL program has already set the user-agent header value. Programs wishing to not provide a user-agent, should set this header to the empty string, `""`.
-
-Host environment variables are made available via the global map `env`. Only environment variables that have been allow listed via the `allowed_environment` configuration list are visible to the CEL program.
-
-The CEL environment enables the https://pkg.go.dev/github.com/google/cel-go/cel#OptionalTypes[optional types] library using the version defined {mito_docs}/lib#OptionalTypesVersion[here].
-
-Additionally, it supports authentication via Basic Authentication, Digest Authentication or OAuth2.
-
-Example configurations with authentication:
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: cel
-  auth.basic:
-    user: user@domain.tld
-    password: P@$$W0₹D
-  resource.url: http://localhost
-----
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: cel
-  auth.digest:
-    user: user@domain.tld
-    password: P@$$W0₹D
-  resource.url: http://localhost
-----
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: cel
-  auth.oauth2:
-    client.id: 12345678901234567890abcdef
-    client.secret: abcdef12345678901234567890
-    token_url: http://localhost/oauth2/token
-  resource.url: http://localhost
-----
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: cel
-  auth.oauth2:
-    client.id: 12345678901234567890abcdef
-    client.secret: abcdef12345678901234567890
-    token_url: http://localhost/oauth2/token
-    user: user@domain.tld
-    password: P@$$W0₹D
-  resource.url: http://localhost
-----
-
-[[input-state-cel]]
-==== Input state
-
-The `cel` input keeps a runtime state between requests. This state can be accessed by the CEL program and may contain arbitrary objects.
-
-The state must contain a `url` string and may contain any object the user wishes to store in it.
-
-All objects are stored at runtime, except `cursor`, which has values that are persisted between restarts.
-
-==== Configuration options
-
-The `cel` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-[float]
-==== `interval`
-
-Duration between repeated requests. It may make additional pagination requests in response to the initial request if pagination is enabled. Default: `60s`.
-
-[[program-cel]]
-[float]
-==== `program`
-
-The CEL program that is executed each polling period. This field is required.
-
-[[max_executions-cel]]
-[float]
-==== `max_executions`
-
-`max_executions` is the maximum number of times a CEL program can request to be re-run with a `want_more` field. This is used to ensure that accidental infinite loops do not halt processing. When the execution budget is exceeded, execution will be restarted at the next interval and a warning will be written into the logs. Default: 1000.
-
-[[state-cel]]
-[float]
-==== `state`
-
-`state` is an optional object that is passed to the CEL program on the first execution. It is available to the executing program as the `state` variable. It is made available to subsequent executions of the program during the life of input as the returned value of the previous execution, but with the `state.events` field removed. Except for the `state.cursor` field, `state` does not persist over restarts.
-
-[[cursor-cel]]
-[float]
-==== `state.cursor`
-
-The cursor is an object available as `state.cursor` where arbitrary values may be stored. Cursor state is kept between input restarts and updated after each event of a request has been published. When a cursor is used the CEL program must either create a cursor state for each event that is returned by the program, or a single cursor that reflect the cursor for completion of the full set of events.
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-# Fetch your public IP every minute and note when the last request was made.
-- type: cel
-  interval: 1m
-  resource.url: https://api.ipify.org/?format=json
-  program: |
-    bytes(get(state.url).Body).as(body, {
-        "events": [body.decode_json().with({
-            "last_requested_at": has(state.cursor) && has(state.cursor.last_requested_at) ?
-                state.cursor.last_requested_at
-            :
-                now
-        })],
-        "cursor": {"last_requested_at": now}
-    })
-----
-
-[[environ-cel]]
-[float]
-=== `allowed_environment`
-
-A list of host environment variable that will be made visible to the CEL execution environment. By default, no environment variables are visible.
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-# Publish the list of files in $PATH every minute.
-- type: cel
-  interval: 1m
-  resource.url: ""
-  allowed_environment:
-    - PATH
-  program: |
-{
-  "events": {
-    "message": env.?PATH.orValue("").split(":")
-      .map(p, try(dir(p)))
-      .filter(d, type(d) != type(""))
-      .flatten()
-      .collate("name")
-  }
-}
-----
-
-[[regexp-cel]]
-[float]
-==== `regexp`
-
-A set of named regular expressions that may be used during a CEL program's execution using the `regexp` extension library. The syntax used for the regular expressions is https://github.com/google/re2/wiki/Syntax[RE2].
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: cel
-  # Define two regular expressions, 'products' and 'solutions' for use during CEL execution.
-  regexp:
-    products: '(?i)(Elasticsearch|Beats|Logstash|Kibana)'
-    solutions: '(?i)(Search|Observability|Security)'
-----
-
-[[xsd-cel]]
-[float]
-==== `xsd`
-
-XML documents may require additional type information to enable correct parsing and ingestion. This information can be provided as an XML Schema Definitions (XSD) for XML documents using the `xsd` option. The key under which the XSD information is provided is accessed via the `decode_xml` CEL extension.
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: cel
-  # Provide an XSD, 'order', for use during CEL execution (truncated for example).
-  xsd:
-    order: |
-       <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
-         <xs:element name="order">
-           <xs:complexType>
-             <xs:sequence>
-               <xs:element name="sender" type="xs:string"/>
-               <xs:element name="address">
-                 <xs:complexType>
-                   <xs:sequence>
-                     <xs:element name="name" type="xs:string"/>
-                     <xs:element name="company" type="xs:string"/>
-----
-
-[float]
-==== `auth.basic.enabled`
-
-When set to `false`, disables the basic auth configuration. Default: `true`.
-
-NOTE: Basic auth settings are disabled if either `enabled` is set to `false` or
-the `auth.basic` section is missing.
-
-[float]
-==== `auth.basic.user`
-
-The user to authenticate with.
-
-[float]
-==== `auth.basic.password`
-
-The password to use.
-
-[float]
-==== `auth.digest.enabled`
-
-When set to `false`, disables the digest auth configuration. Default: `true`.
-
-NOTE: digest auth settings are disabled if either `enabled` is set to `false` or
-the `auth.digest` section is missing.
-
-[float]
-==== `auth.digest.user`
-
-The user to authenticate with.
-
-[float]
-==== `auth.digest.password`
-
-The password to use.
-
-[float]
-==== `auth.digest.no_reuse`
-
-When set to `true`, Digest Authentication challenges are not reused.
-
-[float]
-==== `auth.oauth2.enabled`
-
-When set to `false`, disables the oauth2 configuration. Default: `true`.
-
-NOTE: OAuth2 settings are disabled if either `enabled` is set to `false` or
-the `auth.oauth2` section is missing.
-
-[float]
-==== `auth.oauth2.provider`
-
-Used to configure supported oauth2 providers.
-Each supported provider will require specific settings. It is not set by default.
-Supported providers are: `azure`, `google`, `okta`.
-
-[float]
-==== `auth.oauth2.client.id`
-
-The client ID used as part of the authentication flow. It is always required
-except if using `google` as provider. Required for providers: `default`, `azure`, `okta`.
-
-[float]
-==== `auth.oauth2.client.secret`
-
-The client secret used as part of the authentication flow. It is always required
-except if using `google` or `okta` as provider. Required for providers: `default`, `azure`.
-
-[float]
-==== `auth.oauth2.user`
-
-The user used as part of the authentication flow. It is required for authentication
- - grant type password. It is only available for provider `default`.
-
-[float]
-==== `auth.oauth2.password`
-
-The password used as part of the authentication flow. It is required for authentication
- - grant type password. It is only available for provider `default`.
-
-NOTE: user and password are required for grant_type password. If user and
-password is not used then it will automatically use the `token_url` and
-`client credential` method.
-
-[float]
-==== `auth.oauth2.scopes`
-
-A list of scopes that will be requested during the oauth2 flow.
-It is optional for all providers.
-
-[float]
-==== `auth.oauth2.token_url`
-
-The endpoint that will be used to generate the tokens during the oauth2 flow. It is required if no provider is specified.
-
-NOTE: For `azure` provider either `token_url` or `azure.tenant_id` is required.
-
-[float]
-==== `auth.oauth2.endpoint_params`
-
-Set of values that will be sent on each request to the `token_url`. Each param key can have multiple values.
-Can be set for all providers except `google`.
-
-["source","yaml",subs="attributes"]
-----
-- type: cel
-  auth.oauth2:
-    endpoint_params:
-      Param1:
-        - ValueA
-        - ValueB
-      Param2:
-        - Value
-----
-
-[float]
-==== `auth.oauth2.azure.tenant_id`
-
-Used for authentication when using `azure` provider.
-Since it is used in the process to generate the `token_url`, it can't be used in
-combination with it. It is not required.
-
-For information about where to find it, you can refer to
-https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal.
-
-[float]
-==== `auth.oauth2.azure.resource`
-
-The accessed WebAPI resource when using `azure` provider.
-It is not required.
-
-[float]
-==== `auth.oauth2.google.credentials_file`
-
-The credentials file for Google.
-
-NOTE: Only one of the credentials settings can be set at once. If none is provided, loading
-default credentials from the environment will be attempted via ADC. For more information about
-how to provide Google credentials, please refer to https://cloud.google.com/docs/authentication.
-
-[float]
-==== `auth.oauth2.google.credentials_json`
-
-Your credentials information as raw JSON.
-
-NOTE: Only one of the credentials settings can be set at once. If none is provided, loading
-default credentials from the environment will be attempted via ADC. For more information about
-how to provide Google credentials, please refer to https://cloud.google.com/docs/authentication.
-
-[float]
-==== `auth.oauth2.google.jwt_file`
-
-The JWT Account Key file for Google.
-
-NOTE: Only one of the credentials settings can be set at once. If none is provided, loading
-default credentials from the environment will be attempted via ADC. For more information about
-how to provide Google credentials, please refer to https://cloud.google.com/docs/authentication.
-
-[float]
-==== `auth.oauth2.google.jwt_json`
-
-The JWT Account Key file as raw JSON.
-
-NOTE: Only one of the credentials settings can be set at once. If none is provided, loading
-default credentials from the environment will be attempted via ADC. For more information about
-how to provide Google credentials, please refer to https://cloud.google.com/docs/authentication.
-
-[float]
-==== `auth.oauth2.google.delegated_account`
-
-Email of the delegated account used to create the credentials (usually an admin). Used in combination
-with `auth.oauth2.google.jwt_file` or `auth.oauth2.google.jwt_json`.
-
-[float]
-==== `auth.oauth2.okta.jwk_file`
-
-The RSA JWK Private Key file for your Okta Service App which is used for interacting with Okta Org Auth Server to mint tokens with okta.* scopes.
-
-NOTE: Only one of the credentials settings can be set at once. For more information please refer to https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/
-
-[float]
-==== `auth.oauth2.okta.jwk_json`
-
-The RSA JWK Private Key JSON for your Okta Service App which is used for interacting with Okta Org Auth Server to mint tokens with okta.* scopes.
-
-NOTE: Only one of the credentials settings can be set at once. For more information please refer to https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/
-
-[float]
-==== `auth.oauth2.okta.jwk_pem`
-
-The RSA JWK private key PEM block for your Okta Service App which is used for interacting with Okta Org Auth Server to mint tokens with okta.* scopes.
-
-NOTE: Only one of the credentials settings can be set at once. For more information please refer to https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/
-
-[[resource-parameters]]
-[float]
-==== `resource.url`
-
-The URL of the HTTP API. Required.
-
-The API endpoint may be accessed via unix socket and Windows named pipes by adding  `+unix` or `+npipe`
-to the URL scheme, for example, `http+unix:///var/socket/`.
-
-[float]
-==== `resource.timeout`
-
-Duration before declaring that the HTTP client connection has timed out. Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`. Default: `30s`.
-
-[float]
-==== `resource.ssl`
-
-This specifies SSL/TLS configuration. If the ssl section is missing, the host's
-CAs are used for HTTPS connections. See <<configuration-ssl>> for more
-information.
-
-[float]
-==== `resource.keep_alive.disable`
-
-This specifies whether to disable keep-alives for HTTP end-points. Default: `true`.
-
-[float]
-==== `resource.keep_alive.max_idle_connections`
-
-The maximum number of idle connections across all hosts. Zero means no limit. Default: `0`.
-
-[float]
-==== `resource.keep_alive.max_idle_connections_per_host`
-
-The maximum idle connections to keep per-host. If zero, defaults to two. Default: `0`.
-
-[float]
-==== `resource.keep_alive.idle_connection_timeout`
-
-The maximum amount of time an idle connection will remain idle before closing itself. Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`. Zero means no limit. Default: `0s`.
-
-[float]
-==== `resource.retry.max_attempts`
-
-The maximum number of retries for the HTTP client. Default: `5`.
-
-[float]
-==== `resource.retry.wait_min`
-
-The minimum time to wait before a retry is attempted. Default: `1s`.
-
-[float]
-==== `resource.retry.wait_max`
-
-The maximum time to wait before a retry is attempted. Default: `60s`.
-
-[float]
-==== `resource.redirect.forward_headers`
-
-When set to `true` request headers are forwarded in case of a redirect. Default: `false`.
-
-[float]
-==== `resource.redirect.headers_ban_list`
-
-When `redirect.forward_headers` is set to `true`, all headers __except__ the ones defined in this list will be forwarded. Default: `[]`.
-
-[float]
-==== `resource.redirect.max_redirects`
-
-The maximum number of redirects to follow for a request. Default: `10`.
-
-[[resource-rate-limit]]
-[float]
-==== `resource.rate_limit.limit`
-
-The value of the response that specifies the maximum overall resource request rate.
-
-[float]
-==== `resource.rate_limit.burst`
-
-The maximum burst size. Burst is the maximum number of resource requests that can be made above the overall rate limit.
-
-[float]
-==== `resource.tracer.enable`
-
-It is possible to log HTTP requests and responses in a CEL program to a local file-system for debugging configurations.
-This option is enabled by setting `resource.tracer.enabled` to true and setting the `resource.tracer.filename` value.
-Additional options are available to tune log rotation behavior. To delete existing logs, set `resource.tracer.enabled`
-to false without unsetting the filename option.
-
-Enabling this option compromises security and should only be used for debugging.
-
-[float]
-==== `resource.tracer.filename`
-
-To differentiate the trace files generated from different input instances, a placeholder `*` can be added to the
-filename and will be replaced with the input instance id. For Example, `http-request-trace-*.ndjson`. Setting
-`resource.tracer.filename` with `resource.tracer.enable` set to false will cause any existing trace logs matching
-the filename option to be deleted.
-
-[float]
-==== `resource.tracer.maxsize`
-
-This value sets the maximum size, in megabytes, the log file will reach before it is rotated. By default
-logs are allowed to reach 1MB before rotation.
-Individual request/response bodies will be truncated to 10% of this size.
-
-[float]
-==== `resource.tracer.maxage`
-
-This specifies the number days to retain rotated log files. If it is not set, log files are retained
-indefinitely.
-
-[float]
-==== `resource.tracer.maxbackups`
-
-The number of old logs to retain. If it is not set all old logs are retained subject to the `resource.tracer.maxage`
-setting.
-
-[float]
-==== `resource.tracer.localtime`
-
-Whether to use the host's local time rather that UTC for timestamping rotated log file names.
-
-[float]
-==== `resource.tracer.compress`
-
-This determines whether rotated logs should be gzip compressed.
-
-[[cel-state-redact]]
-[float]
-==== `redact`
-
-During debug level logging, the `state` object and the resulting evaluation result are included in logs. This may result in leaking of secrets. In order to prevent this, fields may be redacted or deleted from the logged `state`. The `redact` configuration allows users to configure this field redaction behaviour. For safety reasons if the `redact` configuration is missing a warning is logged.
-
-In the case of no-required redaction an empty `redact.fields` configuration should be used to silence the logged warning.
-
-["source","yaml",subs="attributes"]
-----
-- type: cel
-  redact:
-    fields: ~
-----
-
-As an example, if a user-constructed Basic Authentication request is used in a CEL program the password can be redacted like so
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: cel
-  resource.url: http://localhost:9200/_search
-  state:
-    user: user@domain.tld
-    password: P@$$W0₹D
-  redact:
-    fields:
-      - password
-    delete: true
-----
-
-Note that fields under the `auth` configuration hierarchy are not exposed to the `state` and so do not need to be redacted. For this reason it is preferable to use these for authentication over the request construction shown above where possible.
-
-[float]
-==== `redact.fields`
-
-This specifies fields in the `state` to be redacted prior to debug logging. Fields listed in this array will be either replaced with a `*` or deleted entirely from messages sent to debug logs.
-
-[float]
-==== `redact.delete`
-
-This specifies whether fields should be replaced with a `*` or deleted entirely from messages sent to debug logs. If delete is `true`, fields will be deleted rather than replaced.
-
-[float]
-==== `failure_dump.enabled`
-
-It is possible to log CEL program evaluation failures to a local file-system for debugging configurations.
-This option is enabled by setting `failure_dump.enabled` to true and setting the `failure_dump.filename` value.
-To delete existing failure dumps, set `failure_dump.enabled` to false without unsetting the filename option.
-
-Enabling this option compromises security and should only be used for debugging.
-
-[float]
-==== `failure_dump.filename`
-
-This specifies a directory path to write failure dumps to. If it is not empty and a CEL program evaluation fails,
-the complete set of states for the CEL program's evaluation will be written as a JSON file, along with the error
-that was reported. This option should only be used when debugging a failure as it imposes a significant performance
-impact on the input and may potentially use large quantities of memory to hold the full set of states. If a failure
-dump is configured, it is recommended that data input sizes be reduced to avoid excessive memory consumption, and
-making dumps that are intractable to analysis. To delete existing failure dumps, set `failure_dump.enabled` to
-false without unsetting the filename option.
-
-[[cel-record-coverage]]
-[float]
-==== `record_coverage`
-
-This specifies that CEL code evaluation coverage should be recorded and logged in debug logs. This is a
-developer-only option.
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the activity of the input.
-
-[options="header"]
-|=======
-| Metric                           | Description
-| `resource`                       | URL or path of the input resource.
-| `cel_executions`                 | Number times the CEL program has been executed.
-| `batches_received_total`         | Number of event arrays received.
-| `events_received_total`          | Number of events received.
-| `batches_published_total`        | Number of event arrays published.
-| `events_published_total`         | Number of events published.
-| `cel_processing_time`            | Histogram of the elapsed successful CEL program processing times in nanoseconds.
-| `batch_processing_time`          | Histogram of the elapsed successful batch processing times in nanoseconds (time of receipt to time of ACK for non-empty batches).
-| `http_request_total`             | Total number of processed requests.
-| `http_request_errors_total`      | Total number of request errors.
-| `http_request_delete_total`      | Total number of `DELETE` requests.
-| `http_request_get_total`         | Total number of `GET` requests.
-| `http_request_head_total`        | Total number of `HEAD` requests.
-| `http_request_options_total`     | Total number of `OPTIONS` requests.
-| `http_request_patch_total`       | Total number of `PATCH` requests.
-| `http_request_post_total`        | Total number of `POST` requests.
-| `http_request_put_total`         | Total number of `PUT` requests.
-| `http_request_body_bytes_total`  | Total of the requests body size.
-| `http_request_body_bytes`        | Histogram of the requests body size.
-| `http_response_total`            | Total number of responses received.
-| `http_response_errors_total`     | Total number of response errors.
-| `http_response_1xx_total`        | Total number of `1xx` responses.
-| `http_response_2xx_total`        | Total number of `2xx` responses.
-| `http_response_3xx_total`        | Total number of `3xx` responses.
-| `http_response_4xx_total`        | Total number of `4xx` responses.
-| `http_response_5xx_total`        | Total number of `5xx` responses.
-| `http_response_body_bytes_total` | Total of the responses body size.
-| `http_response_body_bytes`       | Histogram of the responses body size.
-| `http_round_trip_time`           | Histogram of the round trip time.
-|=======
-
-==== Developer tools
-
-A stand-alone CEL environment that implements the majority of the CEL input's Comment Expression Language functionality is available in the https://github.com/elastic/mito[Elastic Mito] repository. This tool may be used to help develop CEL programs to be used by the input. Installation is available from source by running `go install github.com/elastic/mito/cmd/mito@latest` and requires a Go toolchain.
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/x-pack/filebeat/docs/inputs/input-cloudfoundry.asciidoc b/x-pack/filebeat/docs/inputs/input-cloudfoundry.asciidoc
deleted file mode 100644
index 1c9eb17f2b2c..000000000000
--- a/x-pack/filebeat/docs/inputs/input-cloudfoundry.asciidoc
+++ /dev/null
@@ -1,98 +0,0 @@
-[role="xpack"]
-
-:type: cloudfoundry
-
-[id="{beatname_lc}-input-{type}"]
-=== Cloud Foundry input
-
-++++
-<titleabbrev>Cloud Foundry</titleabbrev>
-++++
-
-Use the `cloudfoundry` input to get http access logs, container logs and error logs from Cloud Foundry. Connects to
-the Cloud Foundry loggregator to receive events.
-
-Example configurations:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: cloudfoundry
-  api_address: https://api.dev.cfdev.sh
-  client_id: uaa-filebeat
-  client_secret: verysecret
-  shard_id: filebeat
-  ssl:
-      verification_mode: none
-----
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: cloudfoundry
-  api_address: https://api.dev.cfdev.sh
-  client_id: uaa-filebeat
-  client_secret: verysecret
-  shard_id: filebeat
-  ssl.certificate_authorities: ["/etc/pki/cf/ca.pem"]
-  ssl.certificate: "/etc/pki/cf/cert.pem"
-  ssl.key: "/etc/pki/cf/cert.key"
-
-----
-
-
-==== Configuration options
-
-The `cloudfoundry` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-[float]
-==== `api_address`
-
-The URL of the Cloud Foundry API. Optional. Default: "http://api.bosh-lite.com".
-
-[float]
-==== `doppler_address`
-
-The URL of the Cloud Foundry Doppler Websocket. Optional. Default: "(value from ${api_address}/v2/info)".
-
-[float]
-==== `uaa_address`
-
-The URL of the Cloud Foundry UAA API. Optional. Default: "(value from ${api_address}/v2/info)".
-
-[float]
-==== `rlp_address`
-
-The URL of the Cloud Foundry RLP Gateway. Optional. Default: "(`log-stream` subdomain under the same domain as `api_server`)".
-
-[float]
-==== `client_id`
-
-Client ID to authenticate with Cloud Foundry. Default: "".
-
-[float]
-==== `client_secret`
-
-Client Secret to authenticate with Cloud Foundry. Default: "".
-
-[float]
-==== `shard_id`
-
-Shard ID for the connection with Cloud Foundry. Use the same ID across multiple {beatname_lc} to shard the load of events. Default: "(generated UUID)".
-
-[float]
-==== `version`
-
-Consumer API version to connect with Cloud Foundry to collect events. Use `v1` to collect events using Doppler/Traffic Control.
-Use `v2` to collect events from the RLP Gateway. Default: "`v1`".
-
-[float]
-==== `ssl`
-
-This specifies SSL/TLS common config. Default: not used.
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/x-pack/filebeat/docs/inputs/input-cometd.asciidoc b/x-pack/filebeat/docs/inputs/input-cometd.asciidoc
deleted file mode 100644
index d4542944cd04..000000000000
--- a/x-pack/filebeat/docs/inputs/input-cometd.asciidoc
+++ /dev/null
@@ -1,65 +0,0 @@
-[role="xpack"]
-
-:type: cometd
-
-[id="{beatname_lc}-input-{type}"]
-=== CometD input
-
-++++
-<titleabbrev>CometD</titleabbrev>
-++++
-
-Use the `https://docs.cometd.org/[cometd]` input to stream the real-time events from a https://resources.docs.salesforce.com/sfdc/pdf/api_streaming.pdf[Salesforce generic subscription Push Topic].
-
-This input can, for example, be used to receive Login and Logout events that are generated when users log in or out of the Salesforce instance.
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: cometd
-  channel_name: /event/MyEventStream
-  auth.oauth2:
-    client.id: my-client-id
-    client.secret: my-client-secret
-    token_url: https://login.salesforce.com/services/oauth2/token
-    user: my.email@mail.com
-    password: my-password
-----
-
-==== Configuration options
-
-The `cometd` input supports the following configuration options.
-
-[float]
-==== `channel_name`
-
-Salesforce generic subscription Push Topic name. Required.
-
-[float]
-==== `auth.oauth2.client.id`
-
-The client ID used as part of the authentication flow. Required.
-
-[float]
-==== `auth.oauth2.client.secret`
-
-The client secret used as part of the authentication flow. Required.
-
-[float]
-==== `auth.oauth2.token_url`
-
-The endpoint that will be used to generate the token during the oauth2 flow. Required.
-
-[float]
-==== `auth.oauth2.user`
-
-The user used as part of the authentication flow. It is required for authentication - grant type password. Required.
-
-[float]
-==== `auth.oauth2.password`
-
-The password used as part of the authentication flow. It is required for authentication - grant type password. Required.
-
-:type!:
diff --git a/x-pack/filebeat/docs/inputs/input-entity-analytics.asciidoc b/x-pack/filebeat/docs/inputs/input-entity-analytics.asciidoc
deleted file mode 100644
index 5b5dc03084c4..000000000000
--- a/x-pack/filebeat/docs/inputs/input-entity-analytics.asciidoc
+++ /dev/null
@@ -1,1076 +0,0 @@
-[role="xpack"]
-
-:type: entity-analytics
-
-[id="{beatname_lc}-input-{type}"]
-=== Entity Analytics Input
-
-++++
-<titleabbrev>Entity Analytics</titleabbrev>
-++++
-
-experimental[]
-
-The Entity Analytics input collects identity assets, such as users, from
-external identity providers.
-
-The following identity providers are supported:
-
-- <<provider-activedirectory>>
-- <<provider-azure-ad>>
-- <<provider-jamf>>
-- <<provider-okta>>
-
-==== Configuration options
-
-The `entity-analytics` input supports the following configuration options plus
-the <<{beatname_lc}-input-{type}-common-options>> described later.
-
-[float]
-==== `provider`
-
-The identity provider. Must be one of: `activedirectory`, `azure-ad` or `okta`.
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-[float]
-=== Providers
-
-[id="provider-activedirectory"]
-==== Active Directory (`activedirectory`)
-
-The `activedirectory` provider allows the input to retrieve users, with group
-memberships, from Active Directory.
-
-[float]
-==== Setup
-
-A user with appropriate permissions must be set up in the Active Directory
-Server Manager in order for the provider to function properly.
-
-[float]
-==== How It Works
-
-[float]
-===== Overview
-
-The Active Directory provider periodically queries the Active Directory server,
-retrieving updates for users and groups, updates its internal cache of user and
-group metadata and group membership information, and ships updated user metadata
-to Elasticsearch.
-
-Fetching and shipping updates occurs in one of two processes: *full
-synchronizations* and *incremental updates*. Full synchronizations will send the
-entire list of users and group membership in state, along with write markers to indicate
-the start and end of the synchronization event. Incremental updates will only
-send data for changed users during that event. Changes on a user can come in many
-forms, whether it be a change to the user metadata, a user was added or modified,
-or group membership was changed.
-
-[float]
-===== Sending User and Device Metadata to Elasticsearch
-
-During a full synchronization, all users and groups stored in state will be sent
-to the output, while incremental updates will only send users and group that have been
-updated. Full synchronizations will be bounded on either side by write marker
-documents, which will look something like this:
-
-["source","json",subs="attributes"]
-----
-{
-    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
-    "event": {
-        "action": "started",
-        "start": "2022-11-04T09:57:19.786056-05:00"
-    },
-    "labels": {
-        "identity_source": "activedirectory-1"
-    }
-}
-----
-
-User documents will show the current state of the user.
-
-Example user document:
-
-["source","json",subs="attributes"]
-----
-{
-    "@timestamp": "2024-02-05T06:37:40.876026-05:00",
-    "event": {
-        "action": "user-discovered",
-    },
-    "activedirectory": {
-        "id": "CN=Guest,CN=Users,DC=testserver,DC=local",
-        "user": {
-            "accountExpires": "2185-07-21T23:34:33.709551516Z",
-            "badPasswordTime": "0",
-            "badPwdCount": "0",
-            "cn": "Guest",
-            "codePage": "0",
-            "countryCode": "0",
-            "dSCorePropagationData": [
-                "2024-01-22T06:37:40Z",
-                "1601-01-01T00:00:01Z"
-            ],
-            "description": "Built-in account for guest access to the computer/domain",
-            "distinguishedName": "CN=Guest,CN=Users,DC=testserver,DC=local",
-            "instanceType": "4",
-            "isCriticalSystemObject": true,
-            "lastLogoff": "0",
-            "lastLogon": "2185-07-21T23:34:33.709551616Z",
-            "logonCount": "0",
-            "memberOf": "CN=Guests,CN=Builtin,DC=testserver,DC=local",
-            "name": "Guest",
-            "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=testserver,DC=local",
-            "objectClass": [
-                "top",
-                "person",
-                "organizationalPerson",
-                "user"
-            ],
-            "objectGUID": "hSt/40XJQU6cf+J2XoYMHw==",
-            "objectSid": "AQUAAAAAAAUVAAAA0JU2Fq1k30YZ7UPx9QEAAA==",
-            "primaryGroupID": "514",
-            "pwdLastSet": "2185-07-21T23:34:33.709551616Z",
-            "sAMAccountName": "Guest",
-            "sAMAccountType": "805306368",
-            "uSNChanged": "8197",
-            "uSNCreated": "8197",
-            "userAccountControl": "66082",
-            "whenChanged": "2024-01-22T06:36:59Z",
-            "whenCreated": "2024-01-22T06:36:59Z"
-        },
-        "whenChanged": "2024-01-22T06:36:59Z"
-    },
-    "user": {
-        "id": "CN=Guest,CN=Users,DC=testserver,DC=local"
-    },
-    "labels": {
-        "identity_source": "activedirectory-1"
-    }
-}
-----
-
-[float]
-==== Configuration
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: entity-analytics
-  enabled: true
-  id: activedirectory-1
-  provider: activedirectory
-  sync_interval: "12h"
-  update_interval: "30m"
-  ad_url: "ldaps://host.domain.tld"
-  ad_base_dn: "CN=Users,DC=SERVER,DC=DOMAIN"
-  ad_user: "USERNAME"
-  ad_password: "PASSWORD"
-----
-
-The `azure-ad` provider supports the following configuration:
-
-[float]
-===== `ad_url`
-
-The Active Directory server URL. Field is required.
-
-[float]
-===== `ad_base_dn`
-
-The Active Directory Base Distinguished Name. Field is required.
-
-[float]
-===== `ad_user`
-
-The client user name. Used for authentication. The user must have Active Directory read access. Field is required.
-
-[float]
-===== `user_attributes`
-
-The set of directory attributes to request from the Active Directory server when collecting user data.
-If not set, all user attributes are requested. If set, only listed attributes are requested, including
-`distinguishedDomain` and `whenChanged`. Note that the Active Directory attribute names are used.
-
-[float]
-===== `group_attributes`
-
-The set of directory attributes to request from the Active Directory server when collecting group data.
-If not set, all group attributes are requested. If set, only listed attributes are requested, including
-`distinguishedDomain` and `whenChanged`. Note that the Active Directory attribute names are used.
-
-[float]
-===== `ad_paging_size`
-
-The number of records to request from the Active Directory server for each page, if set.
-
-[float]
-===== `ad_password`
-
-The client's password, used for authentication. Field is required.
-
-[float]
-===== `sync_interval`
-
-The interval in which full synchronizations should occur. The interval must be
-longer than the update interval (`update_interval`) Expressed as a duration
-string (e.g., 1m, 3h, 24h). Defaults to `24h` (24 hours).
-
-[float]
-===== `update_interval`
-
-The interval in which incremental updates should occur. The interval must be
-shorter than the full synchronization interval (`sync_interval`). Expressed as a
-duration string (e.g., 1m, 3h, 24h). Defaults to `15m` (15 minutes).
-
-[id="provider-azure-ad"]
-==== Azure Active Directory (`azure-ad`)
-
-The `azure-ad` provider allows the input to retrieve users, with group
-memberships, from Azure Active Directory (AD).
-
-[float]
-==== Setup
-
-The necessary API permissions need to be granted in Azure in order for the
-provider to function properly:
-
-|===
-|Permission |Type
-
-|GroupMember.Read.All
-|Application
-
-|User.Read.All
-|Application
-
-|Device.Read.All
-|Application
-|===
-
-For a full guide on how to set up the necessary App Registration, permission
-granting, and secret configuration, follow this https://learn.microsoft.com/en-us/graph/auth-v2-service[guide].
-
-[float]
-==== How It Works
-
-[float]
-===== Overview
-
-The Azure AD provider periodically contacts Azure Active Directory, retrieving
-updates for users, devices and groups, updates its internal cache of user and
-device metadata and group membership information, and ships updated user metadata
-to Elasticsearch.
-
-Fetching and shipping updates occurs in one of two processes: *full
-synchronizations* and *incremental updates*. Full synchronizations will send the
-entire list of users and devices in state, along with write markers to indicate
-the start and end of the synchronization event. Incremental updates will only
-send data for changed users and devices during that event. Changes on a user or
-device can come in many forms, whether it be a change to the user or device
-metadata, a user/device was added or deleted, or group membership was changed
-(either direct or transitive).
-
-[float]
-===== API Interactions
-
-The provider periodically retrieves changes to user, device and group metadata
-from the Microsoft Graph API for Azure Active Directory. This is done through
-calls to three API endpoints:
-
-- https://learn.microsoft.com/en-us/graph/api/user-delta?view=graph-rest-1.0&tabs=http[/users/delta]
-- https://learn.microsoft.com/en-us/graph/api/device-delta?view=graph-rest-1.0&tabs=http[/devices/delta]
-- https://learn.microsoft.com/en-us/graph/api/group-delta?view=graph-rest-1.0&tabs=http[/groups/delta]
-
-The `/delta` endpoint will provide changes that have occurred since the last
-call, with state being tracked through a delta token. If the /delta endpoint is
-called without a delta token, it will provide a full listing of users, devices
-or groups, similar to the non-delta endpoint. Since many results may be returned,
-there is a paging mechanism that is used. In the response body, there are two
-fields that may appear, `@odata.nextLink` and `@odata.deltaLink`.
-
-- If a `@odata.nextLink` is returned, then there are more results to fetch, and
-the value of this field will contain the URL which should be immediately fetched.
-- If a `@odata.deltaLink` is returned, then there are currently no more results,
-and the value of this field (a URL) should be saved for the next time updates
-need to be fetched (the delta token).
-
-The group metadata will be used to enrich users and devices with group membership
-information. Direct memberships, along with transitive memberships, will be provided
-for users and devices.
-
-[float]
-===== Sending User and Device Metadata to Elasticsearch
-
-During a full synchronization, all users and devices stored in state will be sent
-to the output, while incremental updates will only send users which have been
-updated. Full synchronizations will be bounded on either side by write marker
-documents, which will look something like this:
-
-["source","json",subs="attributes"]
-----
-{
-    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
-    "event": {
-        "action": "started",
-        "start": "2022-11-04T09:57:19.786056-05:00"
-    },
-    "labels": {
-        "identity_source": "azure-1"
-    }
-}
-----
-
-User documents will show the current state of the user.
-
-Example user document:
-
-["source","json",subs="attributes"]
-----
-{
-    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
-    "event": {
-        "action": "user-discovered",
-    },
-    "azure_ad": {
-        "userPrincipalName": "example.user@example.com",
-        "mail": "example.user@example.com",
-        "displayName": "Example User",
-        "givenName": "Example",
-        "surname": "User",
-        "jobTitle": "Software Engineer",
-        "mobilePhone": "123-555-1000",
-        "businessPhones": ["123-555-0122"]
-    },
-    "user": {
-        "id": "5ebc6a0f-05b7-4f42-9c8a-682bbc75d0fc",
-        "group": [
-            {
-                "id": "331676df-b8fd-4492-82ed-02b927f8dd80",
-                "name": "group1"
-            },
-            {
-                "id": "d140978f-d641-4f01-802f-4ecc1acf8935",
-                "name": "group2"
-            }
-        ]
-    },
-    "labels": {
-        "identity_source": "azure-1"
-    }
-}
-----
-
-Device documents will show the current state of the device.
-
-Example device document:
-
-["source","json",subs="attributes"]
-----
-{
-    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
-    "event": {
-        "action": "device-discovered",
-    },
-    "azure_ad": {
-        "accountEnabled": true,
-        "deviceId": "2fbbb8f9-ff67-4a21-b867-a344d18a4198",
-        "displayName": "DESKTOP-LETW452G",
-        "operatingSystem": "Windows",
-        "operatingSystemVersion": "10.0.19043.1337",
-        "physicalIds": {
-            "extensionAttributes": {
-                "extensionAttribute1": "BYOD-Device"
-            }
-        },
-        "alternativeSecurityIds": [
-            {
-                "type": 2,
-                "identityProvider": null,
-                "key": "DGFSGHSGGTH345A...35DSFH0A"
-            },
-        ]
-    },
-    "device": {
-        "id": "adbbe40a-0627-4328-89f1-88cac84dbc7f",
-        "group": [
-            {
-                "id": "331676df-b8fd-4492-82ed-02b927f8dd80",
-                "name": "group1"
-            }
-        ]
-        "registered_owners": [
-            {
-                "id": "5ebc6a0f-05b7-4f42-9c8a-682bbc75d0fc",
-                "userPrincipalName": "example.user@example.com",
-                "mail": "example.user@example.com",
-                "displayName": "Example User",
-                "givenName": "Example",
-                "surname": "User",
-                "jobTitle": "Software Engineer",
-                "mobilePhone": "123-555-1000",
-                "businessPhones": ["123-555-0122"]
-            },
-        ],
-        "registered_users": [
-            {
-                "id": "5ebc6a0f-05b7-4f42-9c8a-682bbc75d0fc",
-                "userPrincipalName": "example.user@example.com",
-                "mail": "example.user@example.com",
-                "displayName": "Example User",
-                "givenName": "Example",
-                "surname": "User",
-                "jobTitle": "Software Engineer",
-                "mobilePhone": "123-555-1000",
-                "businessPhones": ["123-555-0122"]
-            },
-        ],
-    },
-    "labels": {
-        "identity_source": "azure-1"
-    }
-}
-----
-
-[float]
-==== Configuration
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: entity-analytics
-  enabled: true
-  id: azure-1
-  provider: azure-ad
-  dataset: "all"
-  sync_interval: "12h"
-  update_interval: "30m"
-  client_id: "CLIENT_ID"
-  tenant_id: "TENANT_ID"
-  secret: "SECRET"
-----
-
-The `azure-ad` provider supports the following configuration:
-
-[float]
-===== `tenant_id`
-
-The Tenant ID. Field is required.
-
-[float]
-===== `client_id`
-
-The client/application ID. Used for authentication. Field is required.
-
-[float]
-===== `secret`
-
-The secret value, used for authentication. Field is required.
-
-[float]
-===== `dataset`
-
-The datasets to collect from the API. This can be one of "all", "users" or "devices",
-or may be left empty for the default behavior which is to collect all entities.
-When the `dataset` is set to "devices", some user entity data is collected in order
-to populate the registered users and registered owner fields for each device.
-
-[float]
-===== `sync_interval`
-
-The interval in which full synchronizations should occur. The interval must be
-longer than the update interval (`update_interval`) Expressed as a duration
-string (e.g., 1m, 3h, 24h). Defaults to `24h` (24 hours).
-
-[float]
-===== `update_interval`
-
-The interval in which incremental updates should occur. The interval must be
-shorter than the full synchronization interval (`sync_interval`). Expressed as a
-duration string (e.g., 1m, 3h, 24h). Defaults to `15m` (15 minutes).
-
-[float]
-===== `login_endpoint`
-
-Override the default authentication login endpoint. Only change if directed to do
-so. Altering this value will also require a change to `login_scopes`.
-
-[float]
-===== `login_scopes`
-
-Override the default authentication scopes. Only change if directed to do so.
-
-[float]
-===== `select.users`
-
-Override the default https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http#optional-query-parameters[user query selections].
-This is a list of optional query parameters. The default is `["accountEnabled", "userPrincipalName",
-"mail", "displayName", "givenName", "surname", "jobTitle", "officeLocation", "mobilePhone",
-"businessPhones"]`.
-
-[float]
-===== `select.groups`
-
-Override the default https://learn.microsoft.com/en-us/graph/api/group-get?view=graph-rest-1.0&tabs=http#optional-query-parameters[group query selections].
-This is a list of optional query parameters. The default is `["displayName", "members"]`.
-
-[float]
-===== `select.devices`
-
-Override the default https://learn.microsoft.com/en-us/graph/api/device-get?view=graph-rest-1.0&tabs=http#optional-query-parameters[device query selections].
-This is a list of optional query parameters. The default is `["accountEnabled", "deviceId",
-"displayName", "operatingSystem", "operatingSystemVersion", "physicalIds", "extensionAttributes",
-"alternativeSecurityIds"]`.
-
-[float]
-==== `tracer.enabled`
-
-It is possible to log HTTP requests and responses to the EntraID API to a local file-system for debugging configurations.
-This option is enabled by setting `tracer.enabled` to true and setting the `tracer.filename` value.
-Additional options are available to tune log rotation behavior. To delete existing logs, set `tracer.enabled`
-to false without unsetting the filename option.
-
-Enabling this option compromises security and should only be used for debugging.
-
-[float]
-==== `tracer.filename`
-
-To differentiate the trace files generated from different input instances, a placeholder `*` can be added to the
-filename and will be replaced with the input instance id. For Example, `http-request-trace-*.ndjson`.
-
-[id="provider-jamf"]
-==== Jamf Computer Management (`jamf`)
-
-The `jamf` provider allows the input to retrieve computer records from the
-Jamf API.
-
-[float]
-==== How It Works
-
-[float]
-===== Overview
-
-The Jamf provider periodically contacts the Jamf API, retrieving updates for
-computers, updates its internal cache of managed computer metadata, and ships
-updated metadata to Elasticsearch.
-
-Fetching and shipping updates occurs in one of two processes: *full
-synchronizations* and *incremental updates*. Full synchronizations will send
-the entire list of computers in state, along with write markers to
-indicate the start and end of the synchronization event. Incremental updates
-will only send data for changed computers records during that event. Changes
-on a user or device can come in many forms, whether it be a change to the
-user's metadata, or a user was added or deleted.
-
-[float]
-===== API Interactions
-
-The provider periodically retrieves changes to user/device metadata from the
-Jamf computers-preview API. This is done through calls to:
-
-- https://developer.jamf.com/jamf-pro/reference/get_preview-computers[/api/preview/computers]
-
-Updates are tracked by the provider by retaining a record of the time of the last
-noted update in the returned user list. During provider updates the Jamf provider
-makes use of the Jamf API's query filtering to only request records updated at or
-since the provider's recorded last update.
-
-[float]
-===== Sending Computer Metadata to Elasticsearch
-
-During a full synchronization, all users/devices stored in state will be sent
-to the output, while incremental updates will only send users and devices
-that have been updated. Full synchronizations will be bounded on either side
-by write marker documents, which will look something like this:
-
-["source","json",subs="attributes"]
-----
-{
-    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
-    "event": {
-        "action": "started",
-        "start": "2022-11-04T09:57:19.786056-05:00"
-    },
-    "labels": {
-        "identity_source": "jamf-1"
-    }
-}
-----
-
-Documents will show the current state of the computer record.
-
-Example document:
-
-["source","json",subs="attributes"]
-----
-{
-    "device": {
-        "id": "5982CE36-4526-580B-B4B9-ECC6782535BC"
-    },
-    "event": {
-        "action": "device-discovered"
-    },
-    "jamf": {
-        "location": {
-            "username": "john.doe",
-            "position": "Unknown Developer"
-        },
-        "site": null,
-        "name": "acme-C07DM3AZQ6NV",
-        "udid": "5982CE36-4526-580B-B4B9-ECC6782535BC",
-        "serialNumber": "C07DM3AZQ6NV",
-        "operatingSystemVersion": "14.0",
-        "operatingSystemBuild": "23A344",
-        "operatingSystemSupplementalBuildVersion": null,
-        "operatingSystemRapidSecurityResponse": null,
-        "macAddress": "64:0B:D7:AA:E4:B2",
-        "assetTag": null,
-        "modelIdentifier": "Macmini9,1",
-        "mdmAccessRights": 0,
-        "lastContactDate": "2024-04-18T14:26:51.514Z",
-        "lastReportDate": "2024-06-19T15:54:37.692Z",
-        "lastEnrolledDate": "2023-02-22T10:46:17.199Z",
-        "ipAddress": null,
-        "managementId": "1a59c510-b3a9-41cb-8afa-3d4187ac60d0",
-        "isManaged": true
-    },
-    "labels": {
-        "identity_source": "jamf-1"
-    }
-}
-----
-
-[float]
-==== Configuration
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: entity-analytics
-  enabled: true
-  id: jamf-1
-  provider: jamf
-  dataset: "all"
-  sync_interval: "12h"
-  update_interval: "30m"
-  jamf_tenant: "JAMF_TENANT"
-  jamf_username: "JAMF_USERNAME"
-  jamf_password: "JAMF_PASSWORD"
-----
-
-The `jamf` provider supports the following configuration:
-
-[float]
-===== `jamf_tenant`
-
-The Jamf tenant host. Field is required.
-
-[float]
-===== `jamf_username`
-
-The Jamf username, used for authentication. Field is required.
-
-[float]
-===== `jamf_password`
-
-The Jamf user password, used for authentication. Field is required.
-
-[float]
-===== `page_size`
-
-The number of computer records to collect with each API request. Defaults to https://developer.jamf.com/jamf-pro/reference/get_preview-computers[API default].
-
-[float]
-===== `sync_interval`
-
-The interval in which full synchronizations should occur. The interval must be
-longer than the update interval (`update_interval`) Expressed as a duration
-string (e.g., 1m, 3h, 24h). Defaults to `24h` (24 hours).
-
-[float]
-===== `update_interval`
-
-The interval in which incremental updates should occur. The interval must be
-shorter than the full synchronization interval (`sync_interval`). Expressed as a
-duration string (e.g., 1m, 3h, 24h). Defaults to `15m` (15 minutes).
-
-+==== `tracer.enabled`
-
-It is possible to log HTTP requests and responses to the Jamf API to a local file-system for debugging configurations.
-This option is enabled by setting `tracer.enabled` to true and setting the `tracer.filename` value.
-Additional options are available to tune log rotation behavior. To delete existing logs, set `tracer.enabled`
-to false without unsetting the filename option.
-
-Enabling this option compromises security and should only be used for debugging.
-
-[float]
-==== `tracer.filename`
-
-To differentiate the trace files generated from different input instances, a placeholder `*` can be added to the
-filename and will be replaced with the input instance id. For Example, `http-request-trace-*.ndjson`.
-
-[id="provider-okta"]
-==== Okta User Identities (`okta`)
-
-The `okta` provider allows the input to retrieve users and devices from the
-Okta user API.
-
-[float]
-==== Setup
-
-The necessary API permissions need to be granted in Okta in order for the
-provider to function properly. In the administration dashboard for your
-Okta account, navigate to Security>API and in the Tokens tab click the
-"Create token" button to create a new token. Copy the token value and retain
-this to configure the provider. Note that the token will not be presented
-again, so it must be copied now. This value will use given to the provider
-via the `okta_token` configuration field.
-
-Devices API access needs to be activated by Okta support.
-
-[float]
-==== How It Works
-
-[float]
-===== Overview
-
-The Okta provider periodically contacts the Okta API, retrieving updates for
-users and devices, updates its internal cache of user metadata, and ships
-updated user/device metadata to Elasticsearch.
-
-Fetching and shipping updates occurs in one of two processes: *full
-synchronizations* and *incremental updates*. Full synchronizations will send
-the entire list of users and devices in state, along with write markers to
-indicate the start and end of the synchronization event. Incremental updates
-will only send data for changed users and devices during that event. Changes
-on a user or device can come in many forms, whether it be a change to the
-user's metadata, or a user was added or deleted.
-
-[float]
-===== API Interactions
-
-The provider periodically retrieves changes to user/device metadata from the
-Okta User and Device APIs. This is done through calls to:
-
-- https://developer.okta.com/docs/reference/api/users/#list-users[/api/v1/users]
-- https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Device/#tag/Device/operation/listDevices[/api/v1/devices]
-
-Updates are tracked by the provider by retaining a record of the time of the last
-noted update in the returned user list. During provider updates the Okta provider
-makes use of the Okta API's query filtering to only request records updated at or
-since the provider's recorded last update.
-
-[float]
-===== Sending User Metadata to Elasticsearch
-
-During a full synchronization, all users/devices stored in state will be sent
-to the output, while incremental updates will only send users and devices
-that have been updated. Full synchronizations will be bounded on either side
-by write marker documents, which will look something like this:
-
-["source","json",subs="attributes"]
-----
-{
-    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
-    "event": {
-        "action": "started",
-        "start": "2022-11-04T09:57:19.786056-05:00"
-    },
-    "labels": {
-        "identity_source": "okta-1"
-    }
-}
-----
-
-User documents will show the current state of the user.
-
-Example user document:
-
-["source","json",subs="attributes"]
-----
-{
-    "@timestamp": "2023-07-04T09:57:19.786056-05:00",
-    "event": {
-        "action": "user-discovered",
-    },
-    "okta": {
-        "id": "userid",
-        "status": "RECOVERY",
-        "created": "2023-06-02T09:33:00.189752+09:30",
-        "activated": "0001-01-01T00:00:00Z",
-        "statusChanged": "2023-06-02T09:33:00.189752+09:30",
-        "lastLogin": "2023-06-02T09:33:00.189752+09:30",
-        "lastUpdated": "2023-06-02T09:33:00.189753+09:30",
-        "passwordChanged": "2023-06-02T09:33:00.189753+09:30",
-        "type": {
-            "id": "typeid"
-        },
-        "profile": {
-            "login": "name.surname@example.com",
-            "email": "name.surname@example.com",
-            "firstName": "name",
-            "lastName": "surname"
-        },
-        "credentials": {
-            "password": {},
-            "provider": {
-                "type": "OKTA",
-                "name": "OKTA"
-            }
-        },
-        "_links": {
-            "self": {
-                "href": "https://localhost/api/v1/users/userid"
-            }
-        }
-    },
-    "user": {
-        "id": "userid",
-    },
-    "labels": {
-        "identity_source": "okta-1"
-    }
-}
-----
-
-Device documents will show the current state of the device, including any
-associated users.
-
-Example device document:
-
-["source","json",subs="attributes"]
-----
-{
-    "@timestamp": "2023-07-04T09:57:19.786056-05:00",
-    "event": {
-        "action": "device-discovered",
-    },
-    "okta": {
-        "created": "2019-10-02T18:03:07Z",
-        "id": "deviceid",
-        "lastUpdated": "2019-10-02T18:03:07Z",
-        "profile": {
-            "diskEncryptionType": "ALL_INTERNAL_VOLUMES",
-            "displayName": "Example Device name 1",
-            "platform": "WINDOWS",
-            "registered": true,
-            "secureHardwarePresent": false,
-            "serialNumber": "XXDDRFCFRGF3M8MD6D",
-            "sid": "S-1-11-111"
-        },
-        "resourceAlternateID": "",
-        "resourceDisplayName": {
-            "sensitive": false,
-            "value": "Example Device name 1"
-        },
-        "resourceID": "deviceid",
-        "resourceType": "UDDevice",
-        "status": "ACTIVE",
-        "_links": {
-            "activate": {
-                "hints": {
-                    "allow": [
-                        "POST"
-                    ]
-                },
-                "href": "https://localhost/api/v1/devices/deviceid/lifecycle/activate"
-            },
-            "self": {
-                "hints": {
-                    "allow": [
-                        "GET",
-                        "PATCH",
-                        "PUT"
-                    ]
-                },
-                "href": "https://localhost/api/v1/devices/deviceid"
-            },
-            "users": {
-                "hints": {
-                    "allow": [
-                        "GET"
-                    ]
-                },
-                "href": "https://localhost/api/v1/devices/deviceid/users"
-            }
-        },
-        "users": [
-            {
-                "id": "userid",
-                "status": "RECOVERY",
-                "created": "2023-05-14T13:37:20Z",
-                "activated": "0001-01-01T00:00:00Z",
-                "statusChanged": "2023-05-15T01:50:30Z",
-                "lastLogin": "2023-05-15T01:59:20Z",
-                "lastUpdated": "2023-05-15T01:50:32Z",
-                "passwordChanged": "2023-05-15T01:50:32Z",
-                "type": {
-                    "id": "typeid"
-                },
-                "profile": {
-                    "login": "name.surname@example.com",
-                    "email": "name.surname@example.com",
-                    "firstName": "name",
-                    "lastName": "surname"
-                },
-                "credentials": {
-                    "password": {},
-                    "provider": {
-                        "type": "OKTA",
-                        "name": "OKTA"
-                    }
-                },
-                "_links": {
-                    "self": {
-                        "href": "https://localhost/api/v1/users/userid"
-                    }
-                }
-            }
-        ]
-    },
-    "device": {
-        "id": "deviceid",
-    },
-    "labels": {
-        "identity_source": "okta-1"
-    }
-}
-----
-
-[float]
-==== Configuration
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: entity-analytics
-  enabled: true
-  id: okta-1
-  provider: okta
-  dataset: "all"
-  enrich_with: ["groups", "roles"]
-  sync_interval: "12h"
-  update_interval: "30m"
-  okta_domain: "OKTA_DOMAIN"
-  okta_token: "OKTA_TOKEN"
-----
-
-The `okta` provider supports the following configuration:
-
-[float]
-===== `okta_domain`
-
-The Okta domain. Field is required.
-
-[float]
-===== `okta_token`
-
-The Okta secret token, used for authentication. Field is required.
-
-[float]
-===== `collect_device_details`
-
-Whether the input should collect device and device-associated user details
-from the Okta API. Device details must be activated on the Okta account for
-this option.
-
-[float]
-===== `dataset`
-
-The datasets to collect from the API. This can be one of "all", "users" or "devices",
-or may be left empty for the default behavior which is to collect all entities.
-When the `dataset` is set to "devices", some user entity data is collected in order
-to populate the registered users and registered owner fields for each device.
-
-[float]
-===== `enrich_with`
-
-The metadata to enrich users with. This is an array of values that may contain
-"groups", "roles" and "factors", or "none". If the array only contains "none", no
-metadata is collected for users. The default behavior is to collect "groups".
-
-[float]
-===== `sync_interval`
-
-The interval in which full synchronizations should occur. The interval must be
-longer than the update interval (`update_interval`) Expressed as a duration
-string (e.g., 1m, 3h, 24h). Defaults to `24h` (24 hours).
-
-[float]
-===== `update_interval`
-
-The interval in which incremental updates should occur. The interval must be
-shorter than the full synchronization interval (`sync_interval`). Expressed as a
-duration string (e.g., 1m, 3h, 24h). Defaults to `15m` (15 minutes).
-
-[float]
-===== `limit_window`
-
-The time between Okta API rate limit resets.
-Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to `1m` (1 minute).
-
-[float]
-===== `limit_fixed`
-
-The number of requests to allow in each limit window, if set.
-This parameter should only be set in exceptional cases. When it is set, rate
-limit information in API responses will be ignored in favor of the fixed limit.
-The limit is applied separately to each endopint. Defaults to unset.
-
-[float]
-===== `tracer.enabled`
-
-It is possible to log HTTP requests and responses to the Okta API to a local file-system for debugging configurations.
-This option is enabled by setting `tracer.enabled` to true and setting the `tracer.filename` value.
-Additional options are available to tune log rotation behavior. To delete existing logs, set `tracer.enabled`
-to false without unsetting the filename option.
-
-Enabling this option compromises security and should only be used for debugging.
-
-[float]
-===== `tracer.filename`
-
-To differentiate the trace files generated from different input instances, a placeholder `*` can be added to the
-filename and will be replaced with the input instance id. For Example, `http-request-trace-*.ndjson`.
-
-[float]
-==== `tracer.maxsize`
-
-This value sets the maximum size, in megabytes, the log file will reach before it is rotated. By default
-logs are allowed to reach 1MB before rotation.
-Individual request/response bodies will be truncated to 10% of this size.
-
-[float]
-==== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the activity of the input.
-
-[options="header"]
-|=======
-| Metric                   | Description
-| `sync_total`             | The total number of full synchronizations.
-| `sync_error`             | The number of full synchronizations that failed due to an error.
-| `sync_processing_time`   | Histogram of the elapsed full synchronizations times in nanoseconds (time of API contact to items sent to output).
-| `update_total`           | The total number of incremental updates.
-| `update_error`           | The number of incremental updates that failed due to an error.
-| `update_processing_time` | Histogram of the elapsed incremental updates times in nanoseconds (time of API contact to items sent to output).
-|=======
-
-NOTE: This input is experimental and is under active developement. Configuration
-options and behaviors may change without warning. Use with caution and do not use
-in production environments.
-
-:type!:
diff --git a/x-pack/filebeat/docs/inputs/input-etw.asciidoc b/x-pack/filebeat/docs/inputs/input-etw.asciidoc
deleted file mode 100644
index dcfd4732c26d..000000000000
--- a/x-pack/filebeat/docs/inputs/input-etw.asciidoc
+++ /dev/null
@@ -1,200 +0,0 @@
-[role="xpack"]
-
-:type: etw
-
-[id="{beatname_lc}-input-{type}"]
-=== ETW input
-
-++++
-<titleabbrev>ETW</titleabbrev>
-++++
-
-https://learn.microsoft.com/en-us/windows/win32/etw/event-tracing-portal[Event
-Tracing for Windows] is a powerful logging and tracing mechanism built into the
-Windows operating system. It provides a detailed view of application and system
-behavior, performance issues, and runtime diagnostics. Trace events contain an
-event header and provider-defined data that describes the current state of an
-application or operation. You can use the events to debug an application and
-perform capacity and performance analysis.
-
-The ETW input can interact with ETW in three distinct ways: it can create a new
-session to capture events from user-mode providers, attach to an already
-existing session to collect ongoing event data, or read events from a
-pre-recorded .etl file. This functionality enables the module to adapt to
-different scenarios, such as real-time event monitoring or analyzing historical
-data.
-
-This input currently supports manifest-based, MOF (classic) and TraceLogging
-providers while WPP providers are not supported.
-https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing#types-of-providers[Here]
-you can find more information about the available types of providers.
-
-It has been tested in the Windows versions supported by {beatname_uc}, starting
-from Windows 10 and Windows Server 2016. In addition, administrative privileges
-are required to control event tracing sessions.
-
-Example configurations:
-
-Read from a provider by name:
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: etw
-  id: etw-dnsserver
-  enabled: true
-  provider.name: Microsoft-Windows-DNSServer
-  session_name: DNSServer-Analytical
-  trace_level: verbose
-  match_any_keyword: 0x8000000000000000
-  match_all_keyword: 0
-----
-
-Read from a provider by its GUID:
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: etw
-  id: etw-dnsserver
-  enabled: true
-  provider.guid: {EB79061A-A566-4698-9119-3ED2807060E7}
-  session_name: DNSServer-Analytical
-  trace_level: verbose
-  match_any_keyword: 0x8000000000000000
-  match_all_keyword: 0
-----
-
-Read from an existing session:
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: etw
-  enabled: true
-  id: etw-dnsserver-session
-  session: UAL_Usermode_Provider
-----
-
-Read from a .etl file:
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: etw
-  enabled: true
-  id: etw-dnsserver-session
-  file: "C\Windows\System32\Winevt\Logs\Logfile.etl"
-----
-
-NOTE: Examples shown above are mutually exclusive, the options
-`provider.name`, `provider.guid`, `session` and `file` cannot be present at the
-same time. Nevertheless, it is a requirement that one of them is present.
-
-Multiple providers example:
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: etw
-  id: etw-dnsserver
-  enabled: true
-  provider.name: Microsoft-Windows-DNSServer
-  session_name: DNSServer-Analytical
-  trace_level: verbose
-  match_any_keyword: 0xffffffffffffffff
-  match_all_keyword: 0
-- type: etw
-  id: etw-security
-  enabled: true
-  provider.name: Microsoft-Windows-Security-Auditing
-  session_name: Security-Auditing
-  trace_level: warning
-  match_any_keyword: 0xfffffffffffffff
-  match_all_keyword: 0
-----
-
-==== Configuration options
-
-The `etw` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-[float]
-==== `file`
-
-Specifies the path to an .etl file for reading ETW events. This file format is
-commonly used for storing ETW event logs.
-
-[float]
-==== `provider.guid`
-
-Identifies the GUID of an ETW provider. To see available providers, use the
-command `logman query providers`.
-
-[float]
-==== `provider.name`
-
-Specifies the name of the ETW provider. Available providers can be listed using
-`logman query providers`.
-
-[float]
-==== `session_name`
-
-When specifying a provider, a new session is created. This controls the name for
-the new ETW session it will create. If not specified, the session will be named
-using the provider ID prefixed by 'Elastic-'.
-
-[float]
-==== `trace_level`
-
-Defines the filtering level for events based on severity. Valid options include
-critical, error, warning, information, and verbose.
-
-[float]
-==== `match_any_keyword`
-
-An 8-byte bitmask used for filtering events from specific provider subcomponents
-based on keyword matching. Any matching keyword will enable the event to be
-written. Default value is `0xffffffffffffffff` so it matches every available
-keyword.
-
-Run `logman query providers "<provider.name>"` to list the available keywords
-for a specific provider.
-
-[float]
-==== `match_all_keyword`
-
-Similar to MatchAnyKeyword, this 8-byte bitmask filters events that match all
-specified keyword bits. Default value is `0` to let every event pass.
-
-Run `logman query providers "<provider.name>"` to list the available keywords
-for a specific provider.
-
-[float]
-==== `session`
-
-Names an existing ETW session to read from. Existing sessions can be listed
-using `logman query -ets`.
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs/` path. They can be used to
-observe the activity of the input.
-
-You must assign a unique `id` to the input to expose metrics.
-
-[options="header"]
-|=======
-| Metric                   | Description
-| `session`                | Name of the ETW session.
-| `received_events_total`  | Total number of events received.
-| `discarded_events_total` | Total number of discarded events.
-| `errors_total`           | Total number of errors.
-| `source_lag_time`        | Histogram of the difference between timestamped event's creation and reading.
-| `arrival_period`         | Histogram of the elapsed time between event notification callbacks.
-| `processing_time`        | Histogram of the elapsed time between event notification callback and publication to the internal queue.
-|=======
-
-Histogram metrics are aggregated over the previous 1024 events.
-
-:type!:
diff --git a/x-pack/filebeat/docs/inputs/input-gcp-pubsub.asciidoc b/x-pack/filebeat/docs/inputs/input-gcp-pubsub.asciidoc
deleted file mode 100644
index 6287b19a5edd..000000000000
--- a/x-pack/filebeat/docs/inputs/input-gcp-pubsub.asciidoc
+++ /dev/null
@@ -1,118 +0,0 @@
-[role="xpack"]
-
-:type: gcp-pubsub
-
-[id="{beatname_lc}-input-{type}"]
-=== GCP Pub/Sub input
-
-++++
-<titleabbrev>GCP Pub/Sub</titleabbrev>
-++++
-
-Use the `gcp-pubsub` input to read messages from a Google Cloud Pub/Sub topic
-subscription.
-
-This input can, for example, be used to receive Stackdriver logs that have been
-exported to a Google Cloud Pub/Sub topic.
-
-Multiple Filebeat instances can be configured to read from the same subscription
-to achieve high-availability or increased throughput.
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: gcp-pubsub
-  project_id: my-gcp-project-id
-  topic: vpc-firewall-logs-topic
-  subscription.name: filebeat-vpc-firewall-logs-sub
-  credentials_file: ${path.config}/my-pubsub-subscriber-credentials.json
-----
-
-
-==== Configuration options
-
-The `gcp-pubsub` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-[float]
-==== `project_id`
-
-Google Cloud project ID. Required.
-
-[float]
-==== `topic`
-
-Google Cloud Pub/Sub topic name. Required.
-
-[float]
-==== `subscription.name`
-
-Name of the subscription to read from. Required.
-
-[float]
-==== `subscription.create`
-
-Boolean value that configures the input to create the subscription if it does
-not exist. The default value is `true`.
-
-[float]
-==== `subscription.num_goroutines`
-
-Number of goroutines to create to read from the subscription. This does not
-limit the number of messages that can be processed concurrently or the maximum
-number of goroutines the input will create. Even with one goroutine, many
-messages might be processed at once, because that goroutine may continually
-receive messages. To limit the number of messages being processed concurrently,
-set `subscription.max_outstanding_messages`. Default is 1.
-
-
-[float]
-==== `subscription.max_outstanding_messages`
-
-The maximum number of unprocessed messages (unacknowledged but not yet expired).
-If the value is negative, then there will be no limit on the number of
-unprocessed messages. Due to the presence of internal queue, the input gets 
-blocked until `queue.mem.flush.min_events` or `queue.mem.flush.timeout` 
-is reached. To prevent this blockage, this option must be at least 
-`queue.mem.flush.min_events`. Default is 1600.
-
-[float]
-==== `credentials_file`
-
-Path to a JSON file containing the credentials and key used to subscribe.
-As an alternative you can use the `credentials_json` config option or rely on
-https://cloud.google.com/docs/authentication/production[Google Application
-Default Credentials] (ADC).
-
-[float]
-==== `credentials_json`
-
-JSON blob containing the credentials and key used to subscribe. This can be as
-an alternative to `credentials_file` if you want to embed the credential data
-within your config file or put the information into a keystore. You may also use
-https://cloud.google.com/docs/authentication/production[Google Application
-Default Credentials] (ADC).
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-:type!:
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the activity of the input.
-
-[options="header"]
-|=======
-| Metric                                    | Description
-| `acked_message_total`                     | Number of successfully ACKed messages.
-| `failed_acked_message_total`              | Number of failed ACKed messages.
-| `nacked_message_total`                    | Number of NACKed messages.
-| `bytes_processed_total`                   | Number of bytes processed.
-| `processing_time`                         | Histogram of the elapsed time for processing an event in nanoseconds.
-|=======
\ No newline at end of file
diff --git a/x-pack/filebeat/docs/inputs/input-gcs.asciidoc b/x-pack/filebeat/docs/inputs/input-gcs.asciidoc
deleted file mode 100644
index a2de572bce03..000000000000
--- a/x-pack/filebeat/docs/inputs/input-gcs.asciidoc
+++ /dev/null
@@ -1,516 +0,0 @@
-[role="xpack"]
-
-:type: gcs
-
-[id="{beatname_lc}-input-{type}"]
-=== Google Cloud Storage Input
-
-++++
-<titleabbrev>Google Cloud Storage</titleabbrev>
-++++
-
-Use the `google cloud storage input` to read content from files stored in buckets which reside on your Google Cloud.
-The input can be configured to work with and without polling, though if polling is disabled it will only perform a single collection of data, list the file contents and end the process.
-
-*To mitigate errors and ensure a stable processing environment, this input employs the following features :* 
-
-1.  When processing google cloud buckets, if suddenly there is any outage, the process will be able to resume post the last file it processed 
-    and was successfully able to save the state for. 
-
-2.  If any errors occur for certain files, they will be logged appropriately, but the rest of the 
-    files will continue to be processed normally. 
-
-3.  If any major error occurs which stops the main thread, the logs will be appropriately generated,
-    describing said error.
-
-**Config Option Removal Notice** : The `bucket_timeout` config option has been removed from the google cloud storage input. The intention behind this removal is to simplify the configuration and to make it more user friendly. The `bucket_timeout` option was confusing and had the potential to let users malconfigure the input, which could lead to unexpected behavior. The input now uses a more robust and efficient way to handle the bucket timeout internally.
-
-[id="supported-types-gcs"]
-NOTE: Currently only `JSON` and `NDJSON` are supported object/file formats. Objects/files may be also be gzip compressed. 
-"JSON credential keys" and "credential files" are supported authentication types.
-If an array is present as the root object for an object/file, it is automatically split into individual objects and processed. 
-If a download for a file/object fails or gets interrupted, the download is retried for 2 times. This is currently not user configurable.
-
-
-[id="basic-config-gcs"]
-*A sample configuration with detailed explanation for each field is given below :-*
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: gcs
-  id: my-gcs-id
-  enabled: true
-  project_id: my_project_id
-  auth.credentials_file.path: {{file_path}}/{{creds_file_name}}.json
-  parse_json: true
-  buckets:
-  - name: gcs-test-new
-    max_workers: 3
-    poll: true
-    poll_interval: 15s
-  - name: gcs-test-old
-    max_workers: 3
-    poll: true
-    poll_interval: 10s
-----
-
-*Explanation :*
-This `configuration` given above describes a basic gcs config having two buckets named `gcs-test-new` and `gcs-test-old`. 
-Each of these buckets have their own attributes such as `name`, `max_workers`, `poll` and `poll_interval`. These attributes have detailed explanations 
-given <<supported-attributes-gcs,below>>. For now lets try to understand how this config works. 
-
-For google cloud storage input to identify the files it needs to read and process, it will require the bucket names to be specified. We can have as
-many buckets as we deem fit. We are also able to configure the attributes `max_workers`, `poll` and `poll_interval` at the root level, which will
-then be applied to all buckets which do not specify any of these attributes explicitly. 
-
-NOTE: If the attributes `max_workers`, `poll` and `poll_interval` are specified at the root level, these can still be overridden at the bucket level with 
-different values, thus offering extensive flexibility and customization. Examples <<bucket-overrides,below>> show this behavior.
-
-On receiving this config the google cloud storage input will connect to the service and retrieve a `Storage Client` using the given `bucket_name` and 
-`auth.credentials_file`, then it will spawn two main go-routines, one for each bucket. After this each of these routines (threads) will initialize a scheduler 
-which will in turn use the `max_workers` value to initialize an in-memory worker pool (thread pool) with `3` `workers` available. Basically that equates to two instances of a worker pool, one per bucket, each having 3 workers. These `workers` will be responsible for performing `jobs` that process a file (in this case read and output the contents of a file).
-
-NOTE: The scheduler is responsible for scheduling jobs, and uses the `maximum available workers` in the pool, at each iteration, to decide the number of files to retrieve and 
-process. This keeps work distribution efficient. The scheduler uses `poll_interval` attribute value to decide how long to wait after each iteration. Each iteration consists of processing a certain number of files, decided by the `maximum available workers` value.
-
-*A Sample Response :-*
-["source","json"]
-----
-{
-  "@timestamp": "2022-09-01T13:54:24.588Z",
-  "@metadata": {
-    "beat": "filebeat",
-    "type": "_doc",
-    "version": "8.5.0",
-    "_id": "gcs-test-new-data_3.json-worker-1"
-  },
-  "log": {
-    "offset": 200,
-    "file": {
-      "path": "gs://gcs-test-new/data_3.json"
-    }
-  },
-  "input": {
-    "type": "gcs"
-  },
-  "message": "{\n    \"id\": 1,\n    \"title\": \"iPhone 9\",\n    \"description\": \"An apple mobile which is nothing like apple\",\n    \"price\": 549,\n    \"discountPercentage\": 12.96,\n    \"rating\": 4.69,\n    \"stock\": 94,\n    \"brand\": \"Apple\",\n    \"category\": \"smartphones\",\n    \"thumbnail\": \"https://dummyjson.com/image/i/products/1/thumbnail.jpg\",\n    \"images\": [\n        \"https://dummyjson.com/image/i/products/1/1.jpg\",\n        \"https://dummyjson.com/image/i/products/1/2.jpg\",\n        \"https://dummyjson.com/image/i/products/1/3.jpg\",\n        \"https://dummyjson.com/image/i/products/1/4.jpg\",\n        \"https://dummyjson.com/image/i/products/1/thumbnail.jpg\"\n    ]\n}\n",
-  "cloud": {
-    "provider": "goole cloud"
-  },
-  "gcs": {
-    "storage": {
-      "bucket": {
-        "name": "gcs-test-new"
-      },
-      "object": {
-        "name": "data_3.json",
-        "content_type": "application/json",
-        "json_data": [
-          {
-            "id": 1,
-            "discountPercentage": 12.96,
-            "rating": 4.69,
-            "brand": "Apple",
-            "price": 549,
-            "category": "smartphones",
-            "thumbnail": "https://dummyjson.com/image/i/products/1/thumbnail.jpg",
-            "description": "An apple mobile which is nothing like apple",
-            "title": "iPhone 9",
-            "stock": 94,
-            "images": [
-              "https://dummyjson.com/image/i/products/1/1.jpg",
-              "https://dummyjson.com/image/i/products/1/2.jpg",
-              "https://dummyjson.com/image/i/products/1/3.jpg",
-              "https://dummyjson.com/image/i/products/1/4.jpg",
-              "https://dummyjson.com/image/i/products/1/thumbnail.jpg"
-            ]
-          }
-        ]
-      }
-    }
-  },
-  "event": {
-    "kind": "publish_data"
-  }
-}
-----
-
-As we can see from the response above, the `message` field contains the original stringified data while the `gcs.storage.object.data` contains the objectified data. 
-    
-*Some of the key attributes are as follows :-* 
-
-    1. *message* : Original stringified object data.
-    2. *log.file.path* : Path of the object in google cloud.
-    3. *gcs.storage.bucket.name* : Name of the bucket from which the file has been read.
-    4. *gcs.storage.object.name* : Name of the file/object which has been read.
-    5. *gcs.storage.object.content_type* : Content type of the file/object. You can find the supported content types <<supported-types-gcs,here>> .
-    6. *gcs.storage.object.json_data* :  Objectified json file data, representing the contents of the file.
-
-Now let's explore the configuration attributes a bit more elaborately.
-
-[id="supported-attributes-gcs"]
-*Supported Attributes :-*
-
-    1. <<attrib-project-id,project_id>>
-    2. <<attrib-auth-credentials-json,auth.credentials_json.account_key>>
-    3. <<attrib-auth-credentials-file,auth.credentials_file.path>>
-    4. <<attrib-buckets,buckets>>
-    5. <<attrib-bucket-name,name>>
-    6. <<attrib-max_workers-gcs,max_workers>>
-    7. <<attrib-poll-gcs,poll>>
-    8. <<attrib-poll_interval-gcs,poll_interval>>
-    9. <<attrib-parse_json,parse_json>>
-   10. <<attrib-file_selectors-gcs,file_selectors>>
-   11. <<attrib-expand_event_list_from_field-gcs,expand_event_list_from_field>>
-   12. <<attrib-timestamp_epoch-gcs,timestamp_epoch>>
-   13. <<attrib-retry-gcs,retry>>
-
-
-[id="attrib-project-id"]
-[float]
-==== `project_id`
-
-This attribute is required for various internal operations with respect to authentication, creating storage clients and logging which are used internally
-for various processing purposes.
-
-[id="attrib-auth-credentials-json"]
-[float]
-==== `auth.credentials_json.account_key`
-
-This attribute contains the *json service account credentials string*, which can be generated from the google cloud console, ref: https://cloud.google.com/iam/docs/creating-managing-service-account-keys, 
-under the respective storage account. A single storage account can contain multiple buckets, and they will all use this common service account access key. 
-
-[id="attrib-auth-credentials-file"]
-[float]
-==== `auth.credentials_file.path`
-
-This attribute contains the *service account credentials file*, which can be generated from the google cloud console, ref: https://cloud.google.com/iam/docs/creating-managing-service-account-keys, 
-under the respective storage account. A single storage account can contain multiple buckets, and they will all use this common service account credentials file.  
-
-NOTE: We require only either of `auth.credentials_json.account_key` or `auth.credentials_file.path` to be specified for authentication purposes. If both attributes are
-specified, then the one that occurs first in the configuration will be used.
-
-[id="attrib-buckets"]
-[float]
-==== `buckets`
-
-This attribute contains the details about a specific bucket like `name`, `max_workers`, `poll` and `poll_interval`. The attribute `name` is specific to a bucket as it describes the bucket name, while the fields `max_workers`, `poll` and `poll_interval` can exist both at the bucket level and the root level. This attribute is internally represented as an array, so we can add as many buckets as we require.
-
-[id="attrib-bucket-name"]
-[float]
-==== `name`
-
-This is a specific subfield of a bucket. It specifies the bucket name.
-
-[id="attrib-max_workers-gcs"]
-[float]
-==== `max_workers`
-
-This attribute defines the maximum number of workers (goroutines / lightweight threads) are allocated in the worker pool (thread pool) for processing jobs which read the contents of files. This attribute can be specified both at the root level of the configuration and at the bucket level. Bucket level values override the root level values if both are specified. Larger number of workers do not necessarily improve of throughput, and this should be carefully tuned based on the number of files, the size of the files being processed and resources available. Increasing `max_workers` to very high values may cause resource utilization problems and can lead to a bottleneck in processing. Usually a maximum cap of `2000` workers is recommended. A very low `max_worker` count will drastically increase the number of network calls required to fetch the objects, which can cause a bottleneck in processing.
-
-NOTE: The value of `max_workers` is tied to the `batch_size` currently to ensure even distribution of workloads across all goroutines. This ensures that the input is able to process the files in an efficient manner. This `batch_size` determines how many objects will be fetched in one single call. The `max_workers` value should be set based on the number of files to be read, the resources available and the network speed. For example,`max_workers=3` would mean that every pagination request a total number of `3` gcs objects are fetched and distributed among `3 goroutines`, `max_workers=100` would mean `100` gcs objects are fetched in every pagination request and distributed among `100 goroutines`. 
-
-
-[id="attrib-poll-gcs"]
-[float]
-==== `poll`
-
-This attribute informs the scheduler whether to keep polling for new files or not. Default value of this is set to `true`. This attribute can be specified both at the 
-root level of the configuration as well at the bucket level. The bucket level values will always take priority and override the root level values if both are specified.
-
-[id="attrib-poll_interval-gcs"]
-[float]
-==== `poll_interval`
-
-This attribute defines the maximum amount of time after which the internal scheduler will make the polling call for the next set of objects/files. It can be 
-defined in the following formats : `{{x}}s`, `{{x}}m`, `{{x}}h`, here `s = seconds`, `m = minutes` and `h = hours`. The value `{{x}}` can be anything we wish.
-Example : `10s` would mean we would like the polling to occur every 10 seconds. If no value is specified for this, by default its initialized to `5 minutes`. 
-This attribute can be specified both at the root level of the configuration as well at the bucket level. The bucket level values will always take priority 
-and override the root level values if both are specified. Having a lower `poll_interval` can make the input faster at the cost of more resource utilization. 
-
-[id="attrib-parse_json"]
-[float]
-==== `parse_json`
-
-This attribute informs the publisher  whether to parse & objectify json data or not. By default this is set to `false`, since it can get expensive dealing with 
-highly nested json data. If this is set to `false` the *gcs.storage.object.json_data* field in the response will have an empty array. This attribute is only
-applicable for json objects and has no effect on other types of objects. This attribute can be specified both at the root level of the configuration as well at the bucket level. 
-The bucket level values will always take priority and override the root level values if both are specified.
-
-[id="input-{type}-encoding"]
-[float]
-==== `encoding`
-
-The file encoding to use for reading data that contains international
-characters. This only applies to non-JSON logs. See <<_encoding_3>>.
-
-[id="input-{type}-decoding"]
-[float]
-==== `decoding`
-
-The file decoding option is used to specify a codec that will be used to
-decode the file contents. This can apply to any file stream data.
-An example config is shown below:
-
-Currently supported codecs are given below:-
-
-    1. <<attrib-decoding-csv-gcs,CSV>>: This codec decodes RFC 4180 CSV data streams.
-
-[id="attrib-decoding-csv-gcs"]
-[float]
-==== `the CSV codec`
-The `CSV` codec is used to decode RFC 4180 CSV data streams.
-Enabling the codec without other options will use the default codec options.
-
-[source,yaml]
-----
-  decoding.codec.csv.enabled: true
-----
-
-The CSV codec supports five sub attributes to control aspects of CSV decoding.
-The `comma` attribute specifies the field separator character used by the CSV
-format. If it is not specified, the comma character '`,`' is used. The `comment`
-attribute specifies the character that should be interpreted as a comment mark.
-If it is specified, lines starting with the character will be ignored. Both
-`comma` and `comment` must be single characters. The `lazy_quotes` attribute
-controls how quoting in fields is handled. If `lazy_quotes` is true, a quote may
-appear in an unquoted field and a non-doubled quote may appear in a quoted field.
-The `trim_leading_space` attribute specifies that leading white space should be
-ignored, even if the `comma` character is white space. For complete details
-of the preceding configuration attribute behaviors, see the CSV decoder
-https://pkg.go.dev/encoding/csv#Reader[documentation] The `fields_names`
-attribute can be used to specify the column names for the data. If it is
-absent, the field names are obtained from the first non-comment line of
-data. The number of fields must match the number of field names.
-
-An example config is shown below:
-
-[source,yaml]
-----
-  decoding.codec.csv.enabled: true
-  decoding.codec.csv.comma: "\t"
-  decoding.codec.csv.comment: "#"
-----
-
-[id="attrib-file_selectors-gcs"]
-[float]
-==== `file_selectors`
-
-If the GCS buckets have objects that correspond to files that {beatname_uc} shouldn't process, `file_selectors` can be used to limit the files that are downloaded. This is a list of selectors which are based on a regular expression pattern. The regular expression should match the object name or should be a part of the object name (ideally a prefix). The regular expression syntax used is [RE2](https://github.com/google/re2/wiki/Syntax). Files that don't match any configured expression won't be processed.This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always take priority and override the root level values if both are specified.
-
-[source, yml]
-----
-filebeat.inputs:
-- type: gcs
-  project_id: my_project_id
-  auth.credentials_file.path: {{file_path}}/{{creds_file_name}}.json
-  buckets:
-  - name: obs-bucket
-    max_workers: 3
-    poll: true
-    poll_interval: 15s
-    file_selectors:
-    - regex: '/Monitoring/'
-    - regex: 'docs/'
-    - regex: '/Security-Logs/'
-----
-
-The `file_selectors` operation is performed within the agent locally, hence using this option will cause the agent to download all the files and then filter them. This can cause a bottleneck in processing if the number of files is very high. It is recommended to use this attribute only when the number of files is limited or ample resources are available.
-
-[id="attrib-expand_event_list_from_field-gcs"]
-[float]
-==== `expand_event_list_from_field`
-
-If the file-set using this input expects to receive multiple messages bundled under a specific field or an array of objects then the config option for `expand_event_list_from_field` can be specified. This setting will be able to split the messages under the group value into separate events. For example, if you have logs that are in JSON format and events are found under the JSON object "Records". To split the events into separate events, the config option `expand_event_list_from_field` can be set to "Records". This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always take priority and override the root level values if both are specified.
-
-[source, json]
-----
-{
-    "Records": [
-        {
-            "eventVersion": "1.07",
-            "eventTime": "2019-11-14T00:51:00Z",
-            "region": "us-east-1",
-            "eventID": "EXAMPLE8-9621-4d00-b913-beca2EXAMPLE",
-        },
-        {
-            "eventVersion": "1.07",
-            "eventTime": "2019-11-14T00:52:00Z",
-            "region": "us-east-1",
-            "eventID": "EXAMPLEc-28be-486c-8928-49ce6EXAMPLE",
-        }
-    ]
-}
-----
-
-[source,yml]
-----
-filebeat.inputs:
-- type: gcs
-  project_id: my_project_id
-  auth.credentials_file.path: {{file_path}}/{{creds_file_name}}.json
-  buckets:
-  - name: obs-bucket
-    max_workers: 3
-    poll: true
-    poll_interval: 15s
-    expand_event_list_from_field: Records
-----
-
-NOTE: The `parse_json` setting is incompatible with `expand_event_list_from_field`. If enabled it will be ignored. This attribute is only applicable for JSON file formats. You do not need to specify this attribute if the file has an array of objects at the root level. Root level array of objects are automatically split into separate events. If failures occur or the input crashes due to some unexpected error, the processing will resume from the last successfully processed file or object.
-
-
-[id="attrib-timestamp_epoch-gcs"]
-[float]
-==== `timestamp_epoch`
-
-This attribute can be used to filter out files and objects that have a timestamp older than the specified value. The value of this attribute should be in unix `epoch` (seconds) format. The timestamp value is compared with the `object.Updated` field obtained from the object metadata. This attribute can be specified both at the root level of the configuration as well at the container level. The container level values will always take priority and override the root level values if both are specified.
-
-[source, yml]
-----
-filebeat.inputs:
-- type: gcs
-  project_id: my_project_id
-  auth.credentials_file.path: {{file_path}}/{{creds_file_name}}.json
-  buckets:
-  - name: obs-bucket
-    max_workers: 3
-    poll: true
-    poll_interval: 15s
-    timestamp_epoch: 1630444800
-----
-
-The GCS APIs don't provide a direct way to filter files based on the timestamp, so the input will download all the files and then filter them based on the timestamp. This can cause a bottleneck in processing if the number of files are very high. It is recommended to use this attribute only when the number of files are limited or ample resources are available. This option scales vertically and not horizontally.
-
-[id="attrib-retry-gcs"]
-[float]
-==== `retry`
-
-This attribute can be used to configure a list of sub attributes that directly control how the input should behave when a download for a file/object fails or gets interrupted.
-
-    - `max_attempts`: This attribute defines the maximum number of retry attempts(including the initial api call) that should be attempted for a retryable error. The default value for this is `3`. 
-    - `initial_backoff_duration`: This attribute defines the initial backoff time. The default value for this is `1s`.
-    - `max_backoff_duration`: This attribute defines the maximum backoff time. The default value for this is `30s`.
-    - `backoff_multiplier`: This attribute defines the backoff multiplication factor. The default value for this is `2`.
-
-NOTE: The `initial_backoff_duration` and `max_backoff_duration` attributes must have time units. Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
-
-By configuring these attributes, the user is given the flexibility to control how the input should behave when a download fails or gets interrupted. This attribute can only be 
-specified at the root level of the configuration and not at the bucket level. It applies uniformly to all the buckets.
-
-An example configuration is given below :-
-
-[source, yml]
-----
-filebeat.inputs:
-- type: gcs
-  project_id: my_project_id
-  auth.credentials_file.path: {{file_path}}/{{creds_file_name}}.json
-  retry:
-    max_attempts: 3
-    initial_backoff_duration: 2s
-    max_backoff_duration: 60s
-    backoff_multiplier: 2
-  buckets:
-  - name: obs-bucket
-    max_workers: 3
-    poll: true
-    poll_interval: 11m
-----
-
-[id="bucket-overrides"]
-*The sample configs below will explain the bucket level overriding of attributes a bit further :-*
-
-*CASE - 1 :*
-
-Here `bucket_1` is using root level attributes while `bucket_2` overrides the values :
-
-[source, yml]
-----
-filebeat.inputs:
-- type: gcs
-  id: my-gcs-id
-  enabled: true
-  project_id: my_project_id
-  auth.credentials_file.path: {{file_path}}/{{creds_file_name}}.json
-  max_workers: 10
-  poll: true
-  poll_interval: 15s
-  buckets:
-  - name: bucket_1
-  - name: bucket_2
-    max_workers: 3
-    poll: true
-    poll_interval: 10s
-----
-
-*Explanation :*
-In this configuration `bucket_1` has no sub attributes in `max_workers`, `poll` and `poll_interval` defined. It inherits the values for these fileds from the root 
-level, which is `max_workers = 10`, `poll = true` and `poll_interval = 15 seconds`. However `bucket_2` has these fields defined and it will use those values instead 
-of using the root values.
-
-*CASE - 2 :*
-
-Here both `bucket_1` and `bucket_2` overrides the root values :
-
-[source, yml]
-----
-filebeat.inputs:
-  - type: gcs
-    id: my-gcs-id
-    enabled: true
-    project_id: my_project_id
-    auth.credentials_file.path: {{file_path}}/{{creds_file_name}}.json
-    max_workers: 10
-    poll: true
-    poll_interval: 15s
-    buckets:
-    - name: bucket_1
-      max_workers: 5
-      poll: true
-      poll_interval: 10s
-    - name: bucket_2
-      max_workers: 5
-      poll: true
-      poll_interval: 10s
-----
-
-*Explanation :*
-In this configuration even though we have specified `max_workers = 10`, `poll = true` and `poll_interval = 15s` at the root level, both the buckets
-will override these values with their own respective values which are defined as part of their sub attibutes.
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the activity of the input.
-
-[options="header"]
-|=======
-| Metric                                      | Description
-| `url`                                       | URL of the input resource.
-| `errors_total`                              | Total number of errors encountered by the input.
-| `decode_errors_total`                       | Total number of decode errors encountered by the input.
-| `gcs_objects_requested_total`               | Total number of GCS objects downloaded.
-| `gcs_objects_published_total`               | Total number of GCS objects processed that were published.
-| `gcs_objects_listed_total`                  | Total number of GCS objects returned by list operations.
-| `gcs_bytes_processed_total`                 | Total number of GCS bytes processed.
-| `gcs_events_created_total`                  | Total number of events created from processing GCS data.
-| `gcs_failed_jobs_total`                     | Total number of failed jobs.
-| `gcs_expired_failed_jobs_total`             | Total number of expired failed jobs that could not be recovered.
-| `gcs_objects_tracked_gauge`                 | Number of objects currently tracked in the state registry (gauge).
-| `gcs_objects_inflight_gauge`                | Number of GCS objects inflight (gauge).
-| `gcs_jobs_scheduled_after_validation`       | Histogram of the number of jobs scheduled after validation.
-| `gcs_object_processing_time`                | Histogram of the elapsed GCS object processing times in nanoseconds (start of download to completion of parsing).
-| `gcs_object_size_in_bytes`                  | Histogram of processed GCS object size in bytes.
-| `gcs_events_per_object`                     | Histogram of event count per GCS object.
-| `source_lag_time`                           | Histogram of the time between the source (Updated) timestamp and the time the object was read, in nanoseconds.
-|=======
-
-==== Common input options
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-NOTE: Any feedback is welcome which will help us further optimize this input. Please feel free to open a github issue for any bugs or feature requests.
diff --git a/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc b/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc
deleted file mode 100644
index eadcde1566da..000000000000
--- a/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc
+++ /dev/null
@@ -1,436 +0,0 @@
-[role="xpack"]
-
-:type: http_endpoint
-
-[id="{beatname_lc}-input-{type}"]
-=== HTTP Endpoint input
-
-++++
-<titleabbrev>HTTP Endpoint</titleabbrev>
-++++
-
-The HTTP Endpoint input initializes a listening HTTP server that collects
-incoming HTTP POST requests containing a JSON body. The body must be either
-an object or an array of objects, otherwise a Common Expression Language
-expression that converts the the JSON body to these types can be provided.
-Any other data types will result in an HTTP 400 (Bad Request) response. For
-arrays, one document is created for each object in the array.
-
-gzip encoded request bodies are supported if a `Content-Encoding: gzip` header
-is sent with the request.
-
-This input can for example be used to receive incoming webhooks from a
-third-party application or service.
-
-Multiple endpoints may be assigned to a single address and port, and the HTTP
-Endpoint input will resolve requests based on the URL pattern configuration.
-If multiple endpoints are configured on a single address they must all have the
-same TLS configuration, either all disabled or all enabled with identical
-configurations.
-
-These are the possible response codes from the server.
-
-[options="header"]
-|=========================================================================================================================================================
-| HTTP Response Code  | Name                    | Reason
-| 200                 | OK                      | Returned on success.
-| 400                 | Bad Request             | Returned if JSON body decoding fails or if `wait_for_completion_timeout` query validation fails.
-| 401                 | Unauthorized            | Returned when basic auth, secret header, or HMAC validation fails.
-| 405                 | Method Not Allowed      | Returned if methods other than POST are used.
-| 406                 | Not Acceptable          | Returned if the POST request does not contain a body.
-| 415                 | Unsupported Media Type  | Returned if the Content-Type is not application/json. Or if Content-Encoding is present and is not gzip.
-| 500                 | Internal Server Error   | Returned if an I/O error occurs reading the request.
-| 503                 | Service Unavailable     | Returned if the length of the request body would take the total number of in-flight bytes above the configured `max_in_flight_bytes` value.
-| 504                 | Gateway Timeout         | Returned if a request publication cannot be ACKed within the required timeout.
-|=========================================================================================================================================================
-
-The endpoint will enforce end-to-end ACK when a URL query parameter
-`wait_for_completion_timeout` with a duration is provided. For example
-`http://localhost:8080/?wait_for_completion_timeout=1m` will wait up
-to 1 minute for the event to be published to the cluster and then return
-the user-defined response message. In the case that the publication
-does not complete within the timeout duration, the HTTP response will
-have a 504 Gateway Timeout status code. The syntax for durations is
-a number followed by units which may be h, m and s. No other HTTP query
-is accepted. If another query parameter is provided or duration syntax
-is incorrect, the request will fail with an HTTP 400 "Bad Request"
-status.
-
-Example configurations:
-
-Basic example:
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: http_endpoint
-  enabled: true
-  listen_address: 192.168.1.1
-  listen_port: 8080
-----
-
-Custom response example:
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: http_endpoint
-  enabled: true
-  listen_address: 192.168.1.1
-  listen_port: 8080
-  response_code: 200
-  response_body: '{"message": "success"}'
-  url: "/"
-  prefix: "json"
-----
-
-Map request to root of document example:
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: http_endpoint
-  enabled: true
-  listen_address: 192.168.1.1
-  listen_port: 8080
-  prefix: "."
-----
-
-Multiple endpoints example:
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: http_endpoint
-  enabled: true
-  listen_address: 192.168.1.1
-  listen_port: 8080
-  url: "/open/"
-  tags: [open]
-- type: http_endpoint
-  enabled: true
-  listen_address: 192.168.1.1
-  listen_port: 8080
-  url: "/admin/"
-  basic_auth: true
-  username: adminuser
-  password: somepassword
-  tags: [admin]
-----
-
-Disable Content-Type checks
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: http_endpoint
-  enabled: true
-  listen_address: 192.168.1.1
-  content_type: ""
-  prefix: "json"
-----
-
-Basic auth and SSL example:
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: http_endpoint
-  enabled: true
-  listen_address: 192.168.1.1
-  listen_port: 8080
-  ssl.enabled: true
-  ssl.certificate: "/home/user/server.pem"
-  ssl.key: "/home/user/server.key"
-  ssl.verification_mode: "none"
-  ssl.certificate_authority: "/home/user/ca.pem"
-  basic_auth: true
-  username: someuser
-  password: somepassword
-----
-
-Authentication or checking that a specific header includes a specific value
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: http_endpoint
-  enabled: true
-  listen_address: 192.168.1.1
-  listen_port: 8080
-  secret.header: someheadername
-  secret.value: secretheadertoken
-----
-
-Validate webhook endpoint for a specific provider using CRC
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: http_endpoint
-  enabled: true
-  listen_address: 192.168.1.1
-  listen_port: 8080
-  secret.header: someheadername
-  secret.value: secretheadertoken
-  crc.provider: webhookProvider
-  crc.secret: secretToken
-----
-
-Validate a HMAC signature from a specific header
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: http_endpoint
-  enabled: true
-  listen_address: 192.168.1.1
-  listen_port: 8080
-  hmac.header: "X-Hub-Signature-256"
-  hmac.key: "password123"
-  hmac.type: "sha256"
-  hmac.prefix: "sha256="
-----
-
-Preserving original event and including headers in document
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: http_endpoint
-  enabled: true
-  listen_address: 192.168.1.1
-  listen_port: 8080
-  preserve_original_event: true
-  include_headers: ["TestHeader"]
-----
-
-Common Expression Language example:
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: http_endpoint
-  enabled: true
-  listen_address: 192.168.1.1
-  listen_port: 8080
-  program: |
-    obj.records.map(r, {
-     "requestId": obj.requestId,
-     "timestamp": string(obj.timestamp),
-     "event": r,
-    })
-----
-This example would allow handling of a JSON body that is an object containing
-more than one event that each should be ingested as separate documents with
-the common timestamp and request ID:
-["source","json",subs="attributes"]
-----
-{
-  "requestId": "ed4acda5-034f-9f42-bba1-f29aea6d7d8f",
-  "timestamp": 1578090901599,
-  "records": [
-    {
-      "data": "event record 1"
-    },
-    {
-      "data": "event record 2"
-    }
-  ]
-}
-----
-
-==== Configuration options
-
-The `http_endpoint` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-[float]
-==== `basic_auth`
-
-Enables or disables HTTP basic auth for each incoming request. If enabled then `username` and `password` will also need to be configured.
-
-[float]
-==== `username`
-
-If `basic_auth` is enabled, this is the username used for authentication against the HTTP listener. Requires `password` to also be set.
-
-[float]
-==== `password`
-
-If `basic_auth` is enabled, this is the password used for authentication against the HTTP listener. Requires `username` to also be set.
-
-[float]
-==== `secret.header`
-
-The header to check for a specific value specified by `secret.value`. Certain webhooks provide the possibility to include a special header and secret to identify the source.
-
-[float]
-==== `secret.value`
-
-The secret stored in the header name specified by `secret.header`. Certain webhooks provide the possibility to include a special header and secret to identify the source.
-
-[float]
-==== `hmac.header`
-
-The name of the header that contains the HMAC signature: `X-Dropbox-Signature`, `X-Hub-Signature-256`, etc.
-HMAC signatures may be encoded as hex or base64.
-
-[float]
-==== `hmac.key`
-
-The secret key used to calculate the HMAC signature. Typically, the webhook sender provides this value.
-
-[float]
-==== `hmac.type`
-
-The hash algorithm to use for the HMAC comparison. At this time the only valid values are `sha256` or `sha1`.
-
-[float]
-==== `hmac.prefix`
-
-The prefix for the signature. Certain webhooks prefix the HMAC signature with a value, for example `sha256=`.
-
-[float]
-==== `content_type`
-
-By default the input expects the incoming POST to include a Content-Type of `application/json` to try to enforce the incoming data to be valid JSON.
-In certain scenarios when the source of the request is not able to do that, it can be overwritten with another value or set to null.
-
-[float]
-==== `max_in_flight_bytes`
-
-The total sum of request body lengths that are allowed at any given time. If non-zero, the input will compare this value to the sum of in-flight request body lengths from requests that include a `wait_for_completion_timeout` request query and will return a 503 HTTP status code, along with a Retry-After header configured with the `retry_after` option. The default value for this option is zero, no limit.
-
-[float]
-==== `retry_after`
-
-If a request has exceeded the `max_in_flight_bytes` limit, the response to the client will include a Retry-After header specifying how many seconds the client should wait to retry again. The default value for this option is 10 seconds.
-
-[float]
-==== `program`
-
-The normal operation of the input treats the body either as a single event when the body is an object, or as a set of events when the body is an array. If the body should be handled differently, for example a set of events in an array field of an object to be handled as a set of events, then a https://opensource.google.com/projects/cel[Common Expression Language (CEL)] program can be provided through this configuration field. The name of the object in the CEL program is `obj`. No CEL extensions are provided beyond the function in the CEL https://github.com/google/cel-spec/blob/master/doc/langdef.md#standard[standard library]. CEL https://pkg.go.dev/github.com/google/cel-go/cel#OptionalTypes[optional types] are supported.
-
-Note that during evaluation, numbers that are not representable exactly within a double floating point value will be converted to a string to avoid data corruption.
-
-[float]
-==== `response_code`
-
-The HTTP response code returned upon success. Should be in the 2XX range.
-
-[float]
-==== `response_body`
-
-The response body returned upon success.
-
-[float]
-==== `listen_address`
-
-If multiple interfaces is present the `listen_address` can be set to control which IP address the listener binds to. Defaults to `127.0.0.1`.
-
-[float]
-==== `listen_port`
-
-Which port the listener binds to. Defaults to 8000.
-
-[float]
-==== `url`
-
-This options specific which URL path to accept requests on. Defaults to `/`
-
-[float]
-==== `prefix`
-
-This option specifies which prefix the incoming request will be mapped to. If `prefix` is "`.`", the request will be mapped to the root of the resulting document.
-
-[float]
-==== `include_headers`
-
-This options specifies a list of HTTP headers that should be copied from the incoming request and included in the document.
-All configured headers will always be canonicalized to match the headers of the incoming request.
-For example, `["content-type"]` will become `["Content-Type"]` when the filebeat is running.
-
-[float]
-==== `preserve_original_event`
-
-This option includes the JSON representation of the incoming request in the `event.original` field as a string before sending the event to Elasticsearch. The representation may not be a verbatim copy of the original message, but is guaranteed to be an [RFC7493](https://datatracker.ietf.org/doc/html/rfc7493) compliant message.
-
-[float]
-==== `crc.provider`
-
-This option defines the provider of the webhook that uses CRC (Challenge-Response Check) for validating the endpoint. The HTTP endpoint input is responsible for ensuring the authenticity of incoming webhook requests by generating and verifying a unique token. By specifying the `crc.provider`, you ensure that the system correctly handles the specific CRC validation process required by the chosen provider.
-
-[float]
-==== `crc.secret`
-
-The secret token provided by the webhook owner for the CRC validation. It is required when a `crc.provider` is set.
-
-[float]
-==== `method`
-
-The HTTP method handled by the endpoint. If specified, `method` must be `POST`, `PUT` or `PATCH`.
-The default method is `POST`. If `PUT` or `PATCH` are specified, requests using those method types are accepted, but are treated as `POST` requests and are expected to have a request body containing the request data.
-
-[float]
-==== `tracer.enabled`
-
-It is possible to log HTTP requests to a local file-system for debugging configurations.
-This option is enabled by setting `tracer.enabled` to true and setting the `tracer.filename` value.
-Additional options are available to tune log rotation behavior. To delete existing logs, set `tracer.enabled`
-to false without unsetting the filename option.
-
-Enabling this option compromises security and should only be used for debugging.
-
-[float]
-==== `tracer.filename`
-
-To differentiate the trace files generated from different input instances, a placeholder `*` can be added to the
-filename and will be replaced with the input instance id. For Example, `http-request-trace-*.ndjson`.
-
-[float]
-==== `tracer.maxsize`
-
-This value sets the maximum size, in megabytes, the log file will reach before it is rotated. By default
-logs are allowed to reach 1MB before rotation.
-Individual request bodies will be truncated to a maximum size of 10kiB.
-
-[float]
-==== `tracer.maxage`
-
-This specifies the number days to retain rotated log files. If it is not set, log files are retained
-indefinitely.
-
-[float]
-==== `tracer.maxbackups`
-
-The number of old logs to retain. If it is not set all old logs are retained subject to the `tracer.maxage`
-setting.
-
-[float]
-==== `tracer.localtime`
-
-Whether to use the host's local time rather that UTC for timestamping rotated log file names.
-
-[float]
-==== `tracer.compress`
-
-This determines whether rotated logs should be gzip compressed.
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the activity of the input.
-
-[options="header"]
-|=======
-| Metric                    | Description
-| `bind_address`            | Bind address of input.
-| `route`                   | HTTP request route of the input.
-| `is_tls_connection`       | Whether the input is listening on a TLS connection.
-| `api_errors_total`        | Number of API errors.
-| `batches_received_total`  | Number of event arrays received.
-| `batches_published_total` | Number of event arrays published.
-| `batches_acked_total`     | Number of event arrays ACKed.
-| `events_published_total`  | Number of events published.
-| `size`                    | Histogram of request content lengths.
-| `batch_size`              | Histogram of the received event array length.
-| `batch_processing_time`   | Histogram of the elapsed successful batch processing times in nanoseconds (time of receipt to time of ACK for non-empty batches).
-| `batch_ack_time`          | Histogram of the elapsed successful batch ACKing times in nanoseconds (time of handler start to time of ACK for non-empty batches).
-|=======
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc b/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc
deleted file mode 100644
index 9f3a9ecdd813..000000000000
--- a/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc
+++ /dev/null
@@ -1,1659 +0,0 @@
-[role="xpack"]
-
-:type: httpjson
-
-[id="{beatname_lc}-input-{type}"]
-=== HTTP JSON input
-
-++++
-<titleabbrev>HTTP JSON</titleabbrev>
-++++
-
-Use the `httpjson` input to read messages from an HTTP API with JSON payloads.
-
-If you are starting development of a new custom HTTP API input, we recommend that you use the <<filebeat-input-cel,Common Expression Language input>> which provides greater flexibility and an improved developer experience.
-
-This input supports:
-
-* Auth
-** Basic
-** OAuth2
-* Retrieval at a configurable interval
-* Pagination
-* Retries
-* Rate limiting
-* Proxying
-* Request transformations
-* Response transformations
-
-Example configurations:
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-# Fetch your public IP every minute.
-- type: httpjson
-  interval: 1m
-  request.url: https://api.ipify.org/?format=json
-  processors:
-    - decode_json_fields:
-        fields: ["message"]
-        target: "json"
-----
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  request.url: http://localhost:9200/_search?scroll=5m
-  request.method: POST
-  response.split:
-    target: body.hits.hits
-  response.pagination:
-    - set:
-        target: url.value
-        value: http://localhost:9200/_search/scroll
-    - set:
-        target: url.params.scroll_id
-        value: '[[.last_response.body._scroll_id]]'
-    - set:
-        target: body.scroll
-        value: 5m
-----
-
-Additionally, it supports authentication via Basic auth, HTTP Headers or oauth2.
-
-Example configurations with authentication:
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  request.url: http://localhost
-  request.transforms:
-    - set:
-        target: header.Authorization
-        value: 'Basic aGVsbG86d29ybGQ='
-----
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  auth.oauth2:
-    client.id: 12345678901234567890abcdef
-    client.secret: abcdef12345678901234567890
-    token_url: http://localhost/oauth2/token
-  request.url: http://localhost
-----
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  auth.oauth2:
-    client.id: 12345678901234567890abcdef
-    client.secret: abcdef12345678901234567890
-    token_url: http://localhost/oauth2/token
-    user: user@domain.tld
-    password: P@$$W0₹D
-  request.url: http://localhost
-----
-
-[[input-state]]
-==== Input state
-
-The `httpjson` input keeps a runtime state between requests. This state can be accessed by some configuration options and transforms.
-
-The state has the following elements:
-
-- `last_response.url.value`: The full URL with params and fragments from the last request with a successful response.
-- `last_response.url.params`: A https://pkg.go.dev/net/url#Values[`url.Values`] of the params from the URL in `last_response.url.value`.  Can be queried with the https://pkg.go.dev/net/url#Values.Get[`Get`] function.
-- `last_response.header`: A map containing the headers from the last successful response.
-- `last_response.body`: A map containing the parsed JSON body from the last successful response. This is the response as it comes from the remote server.
-- `last_response.page`: A number indicating the page number of the last response. It starts with the value `0` at every interval.
-- `first_event`: A map representing the first event sent to the output (result from applying transforms to `last_response.body`).
-- `last_event`: A map representing the last event of the current request in the requests chain (result from applying transforms to `last_response.body`).
-- `url`: The last requested URL as a raw https://pkg.go.dev/net/url#URL[`url.URL`] Go type.
-- `header`: A map containing the headers. References the next request headers when used in <<request-transforms-headers>> or <<response-pagination>> configuration sections, and to the last response headers when used in <<response-transforms>>, <<response-split>>, or <<request-rate-limit>> configuration sections.
-- `body`: A map containing the body. References the next request body when used in <<request-transforms-headers>> or <<response-pagination>> configuration sections, and to the last response body when used in <<response-transforms>> or <<response-split>> configuration sections.
-- `cursor`: A map containing any data the user configured to be stored between restarts (See <<cursor>>).
-
-All of the mentioned objects are only stored at runtime during the execution of the periodic request, except `cursor`, which has values that are persisted between periodic request and restarts.
-
-[[transforms]]
-==== Transforms
-
-A transform is an action that lets the user modify the <<input-state,input state>>. Depending on where the transform is defined, it will have access for reading or writing different elements of the <<input-state,state>>.
-
-The access limitations are described in the corresponding configuration sections.
-
-[float]
-==== `append`
-
-Appends a value to an array. If the field does not exist, the first entry will create a new array. If the field exists, the value is appended to the existing field and converted to a list.
-
-["source","yaml",subs="attributes"]
-----
-- append:
-    target: body.foo.bar
-    value: '[[.cursor.baz]]'
-    default: "a default value"
-----
-
-- `target` defines the destination field where the value is stored.
-- `value` defines the value that will be stored and it is a <<value-templates,value template>>.
-- `default` defines the fallback value whenever `value` is empty or the template parsing fails. Default templates do not have access to any state, only to functions.
-- `value_type` defines the type of the resulting value. Possible values are: `string`, `json`, and `int`. Default is `string`.
-- `fail_on_template_error` if set to `true` an error will be returned and the request will be aborted when the template evaluation fails. Default is `false`.
-- `do_not_log_failure` if set to true a `fail_on_template_error` will not be logged except at DEBUG level. This should be used when template failure is expected in normal operation as control flow.
-
-[float]
-==== `delete`
-
-Deletes the target field.
-
-["source","yaml",subs="attributes"]
-----
-- delete:
-    target: body.foo.bar
-----
-
-- `target` defines the destination field to delete. If `target` is a list and not a single element, the complete list will be deleted.
-
-[float]
-==== `set`
-
-Sets a value.
-
-["source","yaml",subs="attributes"]
-----
-- set:
-    target: body.foo.bar
-    value: '[[.cursor.baz]]'
-    default: "a default value"
-----
-
-- `target` defines the destination field where the value is stored.
-- `value` defines the value that will be stored and it is a <<value-templates,value template>>.
-- `default` defines the fallback value whenever `value` is empty or the template parsing fails. Default templates do not have access to any state, only to functions.
-- `value_type` defines how the resulting value will be treated. Possible values are: `string`, `json`, and `int`. Default is `string`.
-- `fail_on_template_error` if set to `true` an error will be returned and the request will be aborted when the template evaluation fails. Default is `false`.
-- `do_not_log_failure` if set to true a `fail_on_template_error` will not be logged except at DEBUG level. This should be used when template failure is expected in normal operation as control flow.
-
-[[value-templates]]
-==== Value templates
-
-Some configuration options and transforms can use value templates. Value templates are Go templates with access to the input state and to some built-in functions.
-Please note that delimiters are changed from the default `{{ }}` to `[[ ]]` to improve interoperability with other templating mechanisms.
-
-To see which <<input-state,state elements>> and operations are available, see the documentation for the option or <<transforms,transform>> where you want to use a value template.
-
-A value template looks like:
-
-["source","yaml",subs="attributes"]
-----
-- set:
-    target: body.foo.bar
-    value: '[[.cursor.baz]] more data'
-    default: "a default value"
-----
-
-The content inside the brackets `[[` `]]` is evaluated. For more information on Go templates please refer to https://golang.org/pkg/text/template[the Go docs].
-
-Some built-in helper functions are provided to work with the input state inside value templates:
-
-- `add`: adds a list of integers and returns their sum.
-- `base64DecodeNoPad`: Decodes the base64 string without padding. Any binary output will be converted to a UTF8 string.
-- `base64Decode`: Decodes the base64 string. Any binary output will be converted to a UTF8 string.
-- `base64EncodeNoPad`: Joins and base64 encodes all supplied strings without padding. Example `[[base64EncodeNoPad "string1" "string2"]]`
-- `base64Encode`: Joins and base64 encodes all supplied strings. Example `[[base64Encode "string1" "string2"]]`
-- `beatInfo`: returns a map containing information about the Beat.  Available keys in the map are `goos` (running operating system), `goarch` (running system architecture), `commit` (git commit of current build), `buildtime` (compile time of current build), `version` (version of current build). Example: `[[ beatInfo.version ]]` returns `{version}`.
-- `div`: does the integer division of two integer values.
-- `formatDate`: formats a `time.Time`. By default the format layout is `RFC3339` but optionally can accept any of the Golang predefined layouts or a custom one. It will default to UTC timezone when formatting, but you can specify a different timezone. If the timezone is incorrect, it will default to UTC. Example: `[[ formatDate (now) "UnixDate" ]]`, `[[ formatDate (now) "UnixDate" "America/New_York" ]]`.
-- `getRFC5988Link`: extracts a specific relation from a list of https://tools.ietf.org/html/rfc5988[RFC5988] links. It is useful when parsing header values for pagination. Example: `[[ getRFC5988Link "next" .last_response.header.Link ]]`.
-- `hashBase64`: calculates the hash of a list of strings concatenated together. Returns a base64 encoded hash. Supports sha1 or sha256. Example `[[hash "sha256" "string1" "string2" (formatDate (now) "RFC1123")]]`
-- `hash`: calculates the hash of a list of strings concatenated together. Returns a hex encoded hash. Supports sha1 or sha256. Example `[[hash "sha256" "string1" "string2" (formatDate (now) "RFC1123")]]`
-- `hexDecode`: Decodes the hexadecimal string. Any hexadecimal string will be converted to its bytes representation. Example `[[hexDecode "b0a92a08a9b4883aa3aa2d0957be12a678cbdbb32dc5db09fe68239a09872f96"]]`; Expected Output: `"\xb0\xa9*\b\xa9\xb4\x88:\xa3\xaa-\tW\xbe\x12\xa6x\xcb۳-\xc5\xdb\t\xfeh#\x9a\t\x87/\x96"`
-- `hmacBase64`: calculates the hmac signature of a list of strings concatenated together. Returns a base64 encoded signature. Supports sha1 or sha256. Example `[[hmac "sha256" "secret" "string1" "string2" (formatDate (now) "RFC1123")]]`
-- `hmac`: calculates the hmac signature of a list of strings concatenated together. Returns a hex encoded signature. Supports sha1 or sha256. Example `[[hmac "sha256" "secret" "string1" "string2" (formatDate (now) "RFC1123")]]`
-- `join`: joins a list using the specified separator. Example: `[[join .body.arr ","]]`
-- `max`: returns the maximum of two values.
-- `min`: returns the minimum of two values.
-- `mul`: multiplies two integers.
-- `now`: returns the current `time.Time` object in UTC. Optionally, it can receive a `time.Duration` as a parameter. Example: `[[now (parseDuration "-1h")]]` returns the time at 1 hour before now.
-- `parseDate`: parses a date string and returns a `time.Time` in UTC. By default the expected layout is `RFC3339` but optionally can accept any of the Golang predefined layouts or a custom one. Note: Parsing timezone abbreviations may cause ambiguities. Prefer `parseDateInTZ` for explicit timezone handling. Example: `[[ parseDate "2020-11-05T12:25:32Z" ]]`, `[[ parseDate "2020-11-05T12:25:32.1234567Z" "RFC3339Nano" ]]`, `[[ (parseDate "Thu Nov  5 12:25:32 +0000 2020" "Mon Jan _2 15:04:05 -0700 2006").UTC ]]`.
-- `parseDateInTZ`: parses a date string within a specified timezone (TZ), returning a `time.Time` in UTC. Specified timezone overwrites implicit timezone from the input date. Accepts timezone offsets ("-07:00", "-0700", "-07") or IANA Time Zone names ("America/New_York"). If TZ is invalid, defaults to UTC. Optional layout argument as in parseDate. Example: `[[ parseDateInTZ "2020-11-05T12:25:32" "America/New_York" ]]`, `[[ parseDateInTZ "2020-11-05T12:25:32" "-07:00" "RFC3339" ]]`.
-- `parseDuration`: parses duration strings and returns `time.Duration`. Example: `[[parseDuration "1h"]]`.
-- `parseTimestampMilli`: parses a timestamp in milliseconds and returns a `time.Time` in UTC. Example: `[[parseTimestamp 1604582732000]]` returns `2020-11-05 13:25:32 +0000 UTC`.
-- `parseTimestampNano`: parses a timestamp in nanoseconds and returns a `time.Time` in UTC. Example: `[[parseTimestamp 1604582732000000000]]` returns `2020-11-05 13:25:32 +0000 UTC`.
-- `parseTimestamp`: parses a timestamp in seconds and returns a `time.Time` in UTC. Example: `[[parseTimestamp 1604582732]]` returns `2020-11-05 13:25:32 +0000 UTC`.
-- `replaceAll(old, new, s)`: replaces all non-overlapping instances of `old` with `new` in `s`. Example: `[[ replaceAll "some" "my" "some value" ]]` returns `my value`.
-- `sprintf`: formats according to a format specifier and returns the resulting string. Refer to https://pkg.go.dev/fmt#Sprintf[the Go docs] for usage. Example: `[[sprintf "%d:%q" 34 "quote this"]]`
-- `toInt`: converts a value of any type to an integer when possible. Returns 0 if the conversion fails.
-- `toJSON`: converts a value to a JSON string. This can be used with `value_type: json` to create an object from a template. Example: `[[ toJSON .last_response.body.pagingIdentifiers ]]`.
-- `urlEncode`: URL encodes the supplied string. Example `[[urlEncode "string1"]]`. Example `[[urlEncode "<string1>"]]` will return `%3Cstring1%3E`.
-- `userAgent`: generates the User Agent with optional additional values. If no arguments are provided, it will generate the default User Agent that is added to all requests by default. It is recommended to delete the existing User-Agent header before setting a new one. Example: `[[ userAgent "integration/1.2.3" ]]` would generate `Elastic-Filebeat/8.1.0 (darwin; amd64; 9b893e88cfe109e64638d65c58fd75c2ff695402; 2021-12-15 13:20:00 +0000 UTC; integration_name/1.2.3)`
-- `uuid`: returns a random UUID such as `a11e8780-e3e7-46d0-8e76-f66e75acf019`. Example: `[[ uuid ]]`
-
-In addition to the provided functions, any of the native functions for https://golang.org/pkg/time/#Time[`time.Time`], https://golang.org/pkg/net/http/#Header[`http.Header`], and https://golang.org/pkg/net/url/#Values[`url.Values`] types can be used on the corresponding objects. Examples: `[[(now).Day]]`, `[[.last_response.header.Get "key"]]`
-
-==== Configuration options
-
-The `httpjson` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-[float]
-==== `interval`
-
-Duration between repeated requests. It may make additional pagination requests in response to the initial request if pagination is enabled. Default: `60s`.
-
-[float]
-==== `auth.basic.enabled`
-
-When set to `false`, disables the basic auth configuration. Default: `true`.
-
-NOTE: Basic auth settings are disabled if either `enabled` is set to `false` or
-the `auth.basic` section is missing.
-
-[float]
-==== `auth.basic.user`
-
-The user to authenticate with.
-
-[float]
-==== `auth.basic.password`
-
-The password to use.
-
-[float]
-==== `auth.oauth2.enabled`
-
-When set to `false`, disables the oauth2 configuration. Default: `true`.
-
-NOTE: OAuth2 settings are disabled if either `enabled` is set to `false` or
-the `auth.oauth2` section is missing.
-
-[float]
-==== `auth.oauth2.provider`
-
-Used to configure supported oauth2 providers.
-Each supported provider will require specific settings. It is not set by default.
-Supported providers are: `azure`, `google`, `okta`.
-
-[float]
-==== `auth.oauth2.client.id`
-
-The client ID used as part of the authentication flow. It is always required
-except if using `google` as provider. Required for providers: `default`, `azure`, `okta`.
-
-[float]
-==== `auth.oauth2.client.secret`
-
-The client secret used as part of the authentication flow. It is always required
-except if using `google` or `okta` as provider. Required for providers: `default`, `azure`.
-
-[float]
-==== `auth.oauth2.user`
-
-The user used as part of the authentication flow. It is required for authentication
- - grant type password. It is only available for provider `default`.
-
-[float]
-==== `auth.oauth2.password`
-
-The password used as part of the authentication flow. It is required for authentication
- - grant type password. It is only available for provider `default`.
-
-NOTE: user and password are required for grant_type password. If user and
-password is not used then it will automatically use the `token_url` and
-`client credential` method.
-
-[float]
-==== `auth.oauth2.scopes`
-
-A list of scopes that will be requested during the oauth2 flow.
-It is optional for all providers.
-
-[float]
-==== `auth.oauth2.token_url`
-
-The endpoint that will be used to generate the tokens during the oauth2 flow. It is required if no provider is specified.
-
-NOTE: For `azure` provider either `token_url` or `azure.tenant_id` is required.
-
-[float]
-==== `auth.oauth2.endpoint_params`
-
-Set of values that will be sent on each request to the `token_url`. Each param key can have multiple values.
-Can be set for all providers except `google`.
-
-["source","yaml",subs="attributes"]
-----
-- type: httpjson
-  auth.oauth2:
-    endpoint_params:
-      Param1:
-        - ValueA
-        - ValueB
-      Param2:
-        - Value
-----
-
-[float]
-==== `auth.oauth2.azure.tenant_id`
-
-Used for authentication when using `azure` provider.
-Since it is used in the process to generate the `token_url`, it can't be used in
-combination with it. It is not required.
-
-For information about where to find it, you can refer to
-https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal.
-
-[float]
-==== `auth.oauth2.azure.resource`
-
-The accessed WebAPI resource when using `azure` provider.
-It is not required.
-
-[float]
-==== `auth.oauth2.google.credentials_file`
-
-The credentials file for Google.
-
-NOTE: Only one of the credentials settings can be set at once. If none is provided, loading
-default credentials from the environment will be attempted via ADC. For more information about
-how to provide Google credentials, please refer to https://cloud.google.com/docs/authentication.
-
-[float]
-==== `auth.oauth2.google.credentials_json`
-
-Your credentials information as raw JSON.
-
-NOTE: Only one of the credentials settings can be set at once. If none is provided, loading
-default credentials from the environment will be attempted via ADC. For more information about
-how to provide Google credentials, please refer to https://cloud.google.com/docs/authentication.
-
-[float]
-==== `auth.oauth2.google.jwt_file`
-
-The JWT Account Key file for Google.
-
-NOTE: Only one of the credentials settings can be set at once. If none is provided, loading
-default credentials from the environment will be attempted via ADC. For more information about
-how to provide Google credentials, please refer to https://cloud.google.com/docs/authentication.
-
-[float]
-==== `auth.oauth2.google.jwt_json`
-
-The JWT Account Key file as raw JSON.
-
-NOTE: Only one of the credentials settings can be set at once. If none is provided, loading
-default credentials from the environment will be attempted via ADC. For more information about
-how to provide Google credentials, please refer to https://cloud.google.com/docs/authentication.
-
-[float]
-==== `auth.oauth2.okta.jwk_file`
-
-The RSA JWK Private Key file for your Okta Service App which is used for interacting with Okta Org Auth Server to mint tokens with okta.* scopes.
-
-NOTE: Only one of the credentials settings can be set at once. For more information please refer to https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/
-
-[float]
-==== `auth.oauth2.okta.jwk_json`
-
-The RSA JWK Private Key JSON for your Okta Service App which is used for interacting with Okta Org Auth Server to mint tokens with okta.* scopes.
-
-[float]
-==== `auth.oauth2.okta.jwk_pem`
-
-The RSA JWK private key PEM block for your Okta Service App which is used for interacting with Okta Org Auth Server to mint tokens with okta.* scopes.
-
-NOTE: Only one of the credentials settings can be set at once. For more information please refer to https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/
-
-[float]
-==== `auth.oauth2.google.delegated_account`
-
-Email of the delegated account used to create the credentials (usually an admin). Used in combination
-with `auth.oauth2.google.jwt_file`, `auth.oauth2.google.jwt_json`, and when defaulting to use ADC.
-
-[[request-parameters]]
-[float]
-==== `request.url`
-
-The URL of the HTTP API. Required.
-
-The API endpoint may be accessed via unix socket and Windows named pipes by adding  `+unix` or `+npipe`
-to the URL scheme, for example, `http+unix:///var/socket/`.
-
-[float]
-==== `request.method`
-
-HTTP method to use when making requests. `GET` or `POST` are the options. Default: `GET`.
-
-[float]
-==== `request.encode_as`
-
-ContentType used for encoding the request body. If set it will force the encoding in the specified format regardless of the `Content-Type` header value, otherwise it will honor it if possible or fallback to `application/json`. By default the requests are sent with `Content-Type: application/json`. Supported values: `application/json` and `application/x-www-form-urlencoded`. `application/x-www-form-urlencoded` will url encode the `url.params` and set them as the body. It is not set by default.
-
-[float]
-==== `request.body`
-
-An optional HTTP POST body. The configuration value must be an object, and it
-will be encoded to JSON. This is only valid when `request.method` is `POST`.
-Defaults to `null` (no HTTP body).
-
-["source","yaml",subs="attributes"]
-----
-- type: httpjson
-  request.method: POST
-  request.body:
-    query:
-      bool:
-        filter:
-          term:
-            type: authentication
-----
-
-[float]
-==== `request.timeout`
-
-Duration before declaring that the HTTP client connection has timed out. Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`. Default: `30s`.
-
-[float]
-==== `request.ssl`
-
-This specifies SSL/TLS configuration. If the ssl section is missing, the host's
-CAs are used for HTTPS connections. See <<configuration-ssl>> for more
-information.
-
-[float]
-==== `request.proxy_url`
-
-This specifies proxy configuration in the form of `http[s]://<user>:<password>@<server name/ip>:<port>`
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-# Fetch your public IP every minute.
-- type: httpjson
-  interval: 1m
-  request.url: https://api.ipify.org/?format=json
-  request.proxy_url: http://proxy.example:8080
-----
-
-[float]
-==== `request.keep_alive.disable`
-
-This specifies whether to disable keep-alives for HTTP end-points. Default: `true`.
-
-[float]
-==== `request.keep_alive.max_idle_connections`
-
-The maximum number of idle connections across all hosts. Zero means no limit. Default: `0`.
-
-[float]
-==== `request.keep_alive.max_idle_connections_per_host`
-
-The maximum idle connections to keep per-host. If zero, defaults to two. Default: `0`.
-
-[float]
-==== `request.keep_alive.idle_connection_timeout`
-
-The maximum amount of time an idle connection will remain idle before closing itself. Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`. Zero means no limit. Default: `0s`.
-
-[float]
-==== `request.retry.max_attempts`
-
-The maximum number of retries for the HTTP client. Default: `5`.
-
-[float]
-==== `request.retry.wait_min`
-
-The minimum time to wait before a retry is attempted. Default: `1s`.
-
-[float]
-==== `request.retry.wait_max`
-
-The maximum time to wait before a retry is attempted. Default: `60s`.
-
-[float]
-==== `request.redirect.forward_headers`
-
-When set to `true` request headers are forwarded in case of a redirect. Default: `false`.
-
-[float]
-==== `request.redirect.headers_ban_list`
-
-When `redirect.forward_headers` is set to `true`, all headers __except__ the ones defined in this list will be forwarded. Default: `[]`.
-
-[float]
-==== `request.redirect.max_redirects`
-
-The maximum number of redirects to follow for a request. Default: `10`.
-
-[[request-rate-limit]]
-[float]
-==== `request.rate_limit.limit`
-
-The value of the response that specifies the total limit. It is defined with a Go template value.
-Can read state from: [`.last_response.header`]
-
-[float]
-==== `request.rate_limit.remaining`
-
-The value of the response that specifies the remaining quota of the rate limit.
-It is defined with a Go template value. Can read state from: [`.last_response.header`]
-If the `remaining` header is missing from the Response, no rate-limiting will occur.
-
-[float]
-==== `request.rate_limit.reset`
-
-The value of the response that specifies the epoch time when the rate limit will reset.
-It is defined with a Go template value. Can read state from: [`.last_response.header`]
-
-[[request-transforms-headers]]
-[float]
-==== `request.rate_limit.early_limit`
-
-Optionally start rate-limiting prior to the value specified in the Response.
-
-Under the default behavior, Requests will continue while the `remaining` value is non-zero.
-Specifying an `early_limit` will mean that rate-limiting will occur prior to reaching `0`.
-
-* If the value specified for `early_limit` is less than `1`,
-the value is treated as a percentage of the Response provided `limit`.
-e.g. specifying `0.9` will mean that Requests will continue until reaching 90% of the rate-limit --
-for a `limit` value of `120`, the rate-limit starts when the `remaining` reaches `12`.
-If the `limit` header is missing from the Response, default rate-limiting will occur (when `remaining` reaches `0`).
-* If the value specified for `early_limit` is greater than or equal to `1`,
-the value is treated as the target value for `remaining`.
-e.g. instead of rate-limiting when `remaining` hits `0`, rate-limiting will occur when `remaining` hits the value specified.
-
-It is not set by default (by default the rate-limiting as specified in the Response is followed).
-
-[[request-transforms]]
-[float]
-==== `request.transforms`
-
-List of transforms to apply to the request before each execution.
-
-Available transforms for request: [`append`, `delete`, `set`].
-
-Can read state from: [`.first_response.*`,`.last_response.*`, `.parent_last_response.*` `.last_event.*`, `.cursor.*`, `.header.*`, `.url.*`, `.body.*`].
-
-Can write state to: [`body.*`, `header.*`, `url.*`].
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  request.url: http://localhost:9200/_search?scroll=5m
-  request.method: POST
-  request.transforms:
-    - set:
-        target: body.from
-        value: '[[now (parseDuration "-1h")]]'
-----
-
-NOTE: The clause `.parent_last_response.` should only be used from within chain steps and when pagination exists at the root request level. If pagination
-does not exist at the root level, please use the clause `.first_response.` to access parent response object from within chains. You can look at this
-**example** below for a better idea.
-
-**Example Config:**
-["source","yaml",subs="attributes"]
-  filebeat.inputs:
-  - type: httpjson
-    enabled: true
-    id: my-httpjson-id
-    request.url: http://xyz.com/services/data/v1.0/export_ids/page
-    request.method: POST
-    interval: 1h
-    request.retry.max_attempts: 2
-    request.retry.wait_min: 5s
-    request.transforms:
-    - set:
-        target: body.page
-        value: 0
-    response.request_body_on_pagination: true
-    response.pagination:
-      - set:
-          target: body.page
-          value: '[[ .last_response.body.page ]]'
-          fail_on_template_error: true
-          do_not_log_failure: true
-    chain:
-    - step:
-          request.url: http://xyz.com/services/data/v1.0/$.exportId/export_ids/$.files[:].id/info
-          request.method: POST
-          request.transforms:
-          - set:
-              target: body.exportId
-              value: '[[ .parent_last_response.body.exportId ]]'
-          replace: $.files[:].id
-          replace_with: '$.exportId,.parent_last_response.body.exportId'
-
-Here we can see that the chain step uses `.parent_last_response.body.exportId` only because `response.pagination` is present for the parent (root) request.
-However if `response.pagination` was not present in the parent (root) request, `replace_with` clause should have used `.first_response.body.exportId`. This is
-because when pagination does not exist at the parent level `parent_last_response` object is not populated with required values for performance reasons, but the `first_response` object always stores the very first response in the process chain.
-
-NOTE: The `first_response` object at the moment can only store flat JSON structures (i.e. no support for JSONS having array at root level, NDJSON or Gzipped JSON), hence it should only be used in scenarios where the this is the case. Splits cannot be performed on `first_response`. It needs to be explicitly enabled by setting the flag `response.save_first_response` to `true` in the httpjson config.
-
-[float]
-==== `request.tracer.enable`
-
-It is possible to log HTTP requests and responses to a local file-system for debugging configurations.
-This option is enabled by setting `request.tracer.enabled` to true and setting the `request.tracer.filename` value.
-Additional options are available to tune log rotation behavior. To delete existing logs, set `request.tracer.enabled`
-to false without unsetting the filename option.
-
-Enabling this option compromises security and should only be used for debugging.
-
-==== `request.tracer.filename`
-
-To differentiate the trace files generated from different input instances, a placeholder `*` can be added to the
-filename and will be replaced with the input instance id. For Example, `http-request-trace-*.ndjson`.
-
-[float]
-==== `request.tracer.maxsize`
-
-This value sets the maximum size, in megabytes, the log file will reach before it is rotated. By default
-logs are allowed to reach 1MB before rotation.
-Individual request/response bodies will be truncated to 10% of this size.
-
-[float]
-==== `request.tracer.maxage`
-
-This specifies the number days to retain rotated log files. If it is not set, log files are retained
-indefinitely.
-
-[float]
-==== `request.tracer.maxbackups`
-
-The number of old logs to retain. If it is not set all old logs are retained subject to the `request.tracer.maxage`
-setting.
-
-[float]
-==== `request.tracer.localtime`
-
-Whether to use the host's local time rather that UTC for timestamping rotated log file names.
-
-[float]
-==== `request.tracer.compress`
-
-This determines whether rotated logs should be gzip compressed.
-
-[float]
-==== `response.decode_as`
-
-ContentType used for decoding the response body. If set it will force the decoding in the specified format regardless of the `Content-Type` header value, otherwise it will honor it if possible or fallback to `application/json`. Supported values: `application/json, application/x-ndjson`, `text/csv`, `application/zip`, `application/xml` and `text/xml`. It is not set by default.
-
-NOTE: For `text/csv`, one event for each line will be created, using the header values as the object keys. For this reason is always assumed that a header exists.
-
-NOTE: For `application/zip`, the `zip` file is expected to contain one or more `.json` or `.ndjson` files. The contents of all of them will be merged into a single list of `JSON` objects.
-
-NOTE: For `application/xml` and `text/xml` type information for decoding the XML document can be provided via the `response.xsd` option.
-
-[float]
-==== `response.xsd`
-
-XML documents may require additional type information to enable correct parsing and ingestion. This information can be provided as an XML Schema Definition (XSD) for the document using the `response.xsd` option.
-
-[[response-transforms]]
-[float]
-==== `response.transforms`
-
-List of transforms to apply to the response once it is received.
-
-Available transforms for response: [`append`, `delete`, `set`].
-
-Can read state from: [`.last_response.*`, `.last_event.*`, `.cursor.*`, `.header.*`, `.url.*`].
-
-Can write state to: [`body.*`].
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  request.url: http://localhost:9200/_search?scroll=5m
-  request.method: POST
-  response.transforms:
-    - delete:
-        target: body.very_confidential
-  response.split:
-    target: body.hits.hits
-  response.pagination:
-    - set:
-        target: url.value
-        value: http://localhost:9200/_search/scroll
-    - set:
-        target: url.params.scroll_id
-        value: '[[.last_response.body._scroll_id]]'
-    - set:
-        target: body.scroll
-        value: 5m
-----
-
-[[response-split]]
-[float]
-==== `response.split`
-
-Split operation to apply to the response once it is received. A split can convert a map, array, or string into multiple events.
-If the split target is empty the parent document will be kept. If documents with empty splits should be dropped, the `ignore_empty_value` option should be set to `true`.
-
-[float]
-==== `response.split[].target`
-
-Defines the target field upon the split operation will be performed.
-
-[float]
-==== `response.split[].type`
-
-Defines the field type of the target. Allowed values: `array`, `map`, `string`. `string` requires the use of the `delimiter` options to specify what characters to split the string on.  `delimiter` always behaves as if `keep_parent` is set to `true`. Default: `array`.
-
-[float]
-==== `response.split[].transforms`
-
-A set of transforms can be defined. This list will be applied after <<response-transforms, response.transforms>> and after the object has been modified based on `response.split[].keep_parent` and `response.split[].key_field`.
-
-Available transforms for response: [`append`, `delete`, `set`].
-
-Can read state from: [`.last_response.*`, `.first_event.*`, `.last_event.*`, `.cursor.*`, `.header.*`, `.url.*`].
-
-Can write state to: [`body.*`].
-
-NOTE: in this context, `body.*` will be the result of all the previous transformations.
-
-[float]
-==== `response.split[].keep_parent`
-
-If set to true, the fields from the parent document (at the same level as `target`) will be kept. Otherwise a new document will be created using `target` as the root. Default: `false`.
-
-[float]
-==== `response.split[].delimiter`
-
-Required if using split type of `string`.  This is the sub string used to split the string.  For example if `delimiter` was "\n" and the string was "line 1\nline 2", then the split would result in "line 1" and "line 2".
-
-[float]
-==== `response.split[].key_field`
-
-Valid when used with `type: map`. When not empty, defines a new field where the original key value will be stored.
-
-[float]
-==== `response.split[].ignore_empty_value`
-
-If set to true, empty or missing value will be ignored and processing will pass on to the next nested split operation instead of failing with an error. Default: `false`.
-
-Note that if `ignore_empty_value` is `true` and the final result is empty, no event will be published, and no cursor update will be made. If a cursor update must be made for all responses, this should be set to `false` and the ingest pipeline must be configured to tolerate empty event sets.
-
-[float]
-==== `response.split[].split`
-
-Nested split operation. Split operations can be nested at will. An event won't be created until the deepest split operation is applied.
-
-[float]
-==== `response.request_body_on_pagination`
-
-If set to true, the values in `request.body` are sent for pagination requests. Default: `false`.
-
-[[response-pagination]]
-[float]
-==== `response.pagination`
-
-List of transforms that will be applied to the response to every new page request. All the transforms from `request.transform` will be executed and then `response.pagination` will be added to modify the next request as needed. For subsequent responses, the usual <<response-transforms, response.transforms>> and <<response-split, response.split>> will be executed normally.
-
-Available transforms for pagination: [`append`, `delete`, `set`].
-
-Can read state from: [`.last_response.*`, `.first_event.*`, `.last_event.*`, `.cursor.*`, `.header.*`, `.url.*`, `.body.*`].
-
-Can write state to: [`body.*`, `header.*`, `url.*`].
-
-Examples using split:
-
-- We have a response with two nested arrays, and we want a document for each of the elements of the inner array:
-
-+
-["source","json",subs="attributes"]
-----
-{
-  "this": "is kept",
-  "alerts": [
-    {
-      "this_is": "also kept",
-      "entities": [
-        {
-          "something": "something"
-        },
-        {
-          "else": "else"
-        }
-      ]
-    },
-    {
-      "this_is": "also kept 2",
-      "entities": [
-        {
-          "something": "something 2"
-        },
-        {
-          "else": "else 2"
-        }
-      ]
-    }
-  ]
-}
-----
-
-+
-The config will look like:
-
-+
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  interval: 1m
-  request.url: https://example.com
-  response.split:
-    target: body.alerts
-    type: array
-    keep_parent: true
-    split:
-      # paths in nested splits need to represent the state of body, not only their current level of nesting
-      target: body.alerts.entities
-      type: array
-      keep_parent: true
-----
-
-+
-This will output:
-
-+
-["source","json",subs="attributes"]
-----
-[
-  {
-    "this": "is kept",
-    "alerts": {
-      "this_is": "also kept",
-      "entities": {
-        "something": "something"
-      }
-    }
-  },
-  {
-    "this": "is kept",
-    "alerts": {
-      "this_is": "also kept",
-      "entities": {
-        "else": "else"
-      }
-    }
-  },
-  {
-    "this": "is kept",
-    "alerts": {
-      "this_is": "also kept 2",
-      "entities": {
-        "something": "something 2"
-      }
-    }
-  },
-  {
-    "this": "is kept",
-    "alerts": {
-      "this_is": "also kept 2",
-      "entities": {
-        "else": "else 2"
-      }
-    }
-  }
-]
-----
-
-- We have a response with an array with two objects, and we want a document for each of the object keys while keeping the keys values:
-
-+
-["source","json",subs="attributes"]
-----
-{
-  "this": "is not kept",
-  "alerts": [
-    {
-      "this_is": "kept",
-      "entities": {
-        "id1": {
-          "something": "something"
-        }
-      }
-    },
-    {
-      "this_is": "kept 2",
-      "entities": {
-        "id2": {
-          "something": "something 2"
-        }
-      }
-    }
-  ]
-}
-----
-
-+
-The config will look like:
-
-+
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  interval: 1m
-  request.url: https://example.com
-  response.split:
-    target: body.alerts
-    type: array
-    keep_parent: false
-    split:
-      # this time alerts will not exist because previous keep_parent is false
-      target: body.entities
-      type: map
-      keep_parent: true
-      key_field: id
-----
-
-+
-This will output:
-
-+
-["source","json",subs="attributes"]
-----
-[
-  {
-    "this_is": "kept",
-    "entities": {
-      "id": "id1",
-      "something": "something"
-    }
-  },
-  {
-    "this_is": "kept 2",
-    "entities": {
-      "id": "id2",
-      "something": "something 2"
-    }
-  }
-]
-----
-
-- We have a response with an array with two objects, and we want a document for each of the object keys while applying a transform to each:
-
-+
-["source","json",subs="attributes"]
-----
-{
-  "this": "is not kept",
-  "alerts": [
-    {
-      "this_is": "also not kept",
-      "entities": {
-        "id1": {
-          "something": "something"
-        }
-      }
-    },
-    {
-      "this_is": "also not kept",
-      "entities": {
-        "id2": {
-          "something": "something 2"
-        }
-      }
-    }
-  ]
-}
-----
-
-+
-The config will look like:
-
-+
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  interval: 1m
-  request.url: https://example.com
-  response.split:
-    target: body.alerts
-    type: array
-    split:
-      transforms:
-        - set:
-            target: body.new
-            value: will be added to each
-      target: body.entities
-      type: map
-----
-
-+
-This will output:
-
-+
-["source","json",subs="attributes"]
-----
-[
-  {
-    "something": "something",
-    "new": "will be added for each"
-  },
-  {
-    "something": "something 2",
-    "new": "will be added for each"
-  }
-]
-----
-
-- We have a response with a keys whose value is a string.  We want the string to be split on a delimiter and a document for each sub strings.
-
-+
-["source","json",subs="attributes"]
-----
-{
-  "this": "is kept",
-  "lines": "Line 1\nLine 2\nLine 3"
-}
-----
-
-+
-The config will look like:
-
-+
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  interval: 1m
-  request.url: https://example.com
-  response.split:
-    target: body.lines
-    type: string
-    delimiter: "\n"
-----
-
-+
-This will output:
-
-+
-["source","json",subs="attributes"]
-----
-[
-  {
-    "this": "is kept",
-    "lines": "Line 1"
-  },
-  {
-    "this": "is kept",
-    "lines": "Line 2"
-  },
-  {
-    "this": "is kept",
-    "lines": "Line 3"
-  }
-]
-----
-
-[[chain]]
-[float]
-=== `chain`
-
-A chain is a list of requests to be made after the first one.
-
-[float]
-==== `chain[].step`
-
-Contains basic request and response configuration for chained calls.
-
-[float]
-==== `chain[].step.request`
-
-See <<request-parameters,request parameters>>. Required.
-
-Example:
-
-First call: \https://example.com/services/data/v1.0/
-
-Second call: \https://example.com/services/data/v1.0/1/export_ids
-
-Third call: \https://example.com/services/data/v1.0/export_ids/file_1/info
-
-[float]
-==== `chain[].step.response.split`
-
-See <<response-split,response split parameter>>.
-
-+
-[[chain-step-replace]]
-[float]
-==== `chain[].step.replace`
-
-A link:https://goessner.net/articles/JsonPath/index.html#e2[JSONPath] string to parse values from responses JSON, collected from previous chain steps. Place same replace string in url where collected values from previous call should be placed. Required.
-
-Example:
-
-- First call: \https://example.com/services/data/v1.0/
-+
-<<response-json1,response>>
-
-- Second call: \https://example.com/services/data/v1.0/`$.records[:].id`/export_ids
-+
-<<response-json2,response>>
-
-- Third call: \https://example.com/services/data/v1.0/export_ids/`$.file_name`/info
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  enabled: true
-  # first call
-  request.url: https://example.com/services/data/v1.0/records
-  interval: 1h
-  chain:
-    # second call
-    - step:
-        request.url: https://example.com/services/data/v1.0/$.records[:].id/export_ids
-        request.method: GET
-        replace: $.records[:].id
-    # third call
-    - step:
-        request.url: https://example.com/services/data/v1.0/export_ids/$.file_name/info
-        request.method: GET
-        replace: $.file_name
-----
-
-Example:
-
-- First call to collect record ids
-
-+
-request_url: \https://example.com/services/data/v1.0/records
-
-+
-response_json:
-
-+
-[[response-json1]]
-["source","json",subs="attributes"]
-----
-{
-    "records": [
-        {
-            "id": 1,
-        },
-        {
-            "id": 2,
-        },
-        {
-            "id": 3,
-        },
-    ]
-}
-----
-
-- Second call to collect `file_name` using collected ids from first call.
-
-+
-request_url using id as '1': \https://example.com/services/data/v1.0/1/export_ids
-
-+
-response_json using id as '1':
-
-+
-[[response-json2]]
-["source","json",subs="attributes"]
-----
-{
-    "file_name": "file_1"
-}
-----
-
-+
-request_url using id as '2': \https://example.com/services/data/v1.0/2/export_ids
-
-+
-response_json using id as '2':
-
-+
-["source","json",subs="attributes"]
-----
-{
-    "file_name": "file_2"
-}
-----
-
-- Third call to collect `files` using collected `file_name` from second call.
-
-+
-request_url using file_name as 'file_1': \https://example.com/services/data/v1.0/export_ids/file_1/info
-
-+
-request_url using file_name as 'file_2': \https://example.com/services/data/v1.0/export_ids/file_2/info
-
-+
-Collect and make events from response in any format supported by httpjson for all calls.
-
-+
-Note that since `request.url` must be a valid URL, if an API returns complete URLs in place of an identifier as in the example above, it would not be possible to use the JSON Path syntax. To achieve the desired result in this case an opaque URI syntax can be used. An opaque URI has an arbitrary scheme and opaque text separated by a colon. When the replacement is done, the scheme and colon are stripped from the URI prior to the replacement and the remaining opaque text is used as the replacement target. In the following example, the scheme is "placeholder".
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  enabled: true
-  # first call
-  request.url: https://example.com/services/data/v1.0/records
-  interval: 1h
-  chain:
-    # second call
-    - step:
-        request.url: placeholder:$.records[:]
-        request.method: GET
-        replace: $.records[:]
-    # third call
-    - step:
-        request.url: placeholder:$.file_name
-        request.method: GET
-        replace: $.file_name
-----
-
-+
-[[chain-step-replace_with]]
-[float]
-==== `chain[].step.replace_with`
-
-The `replace_with: "pattern,value"` clause is used to replace a fixed pattern string defined in `request.url` with the given value.
-The fixed pattern must have a `$.` prefix, for example: `$.xyz`. The `value` may be hard coded or extracted from context variables
-like [`.last_response.*`, `.first_response.*`, `.parent_last_response.*`] etc. The `replace_with` clause can be used in combination with the `replace` clause
-thus providing a lot of flexibility in the logic of chain requests.
-
-Example:
-
-- First call: \https://example.com/services/data/v1.0/exports
-+
-<<response-json1-replace_with,response>>
-
-- Second call: \https://example.com/services/data/v1.0/$.exportId/files
-+
-<<response-json2-replace_with,response>>
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  enabled: true
-  # first call
-  request.url: https://example.com/services/data/v1.0/exports
-  interval: 1h
-  chain:
-    # second call
-    - step:
-        request.url: https://example.com/services/data/v1.0/$.exportId/files
-        request.method: GET
-        replace_with: '$.exportId,.first_response.body.exportId'
-----
-
-Example:
-
-- First call to fetch exportId
-
-+
-request_url: \https://example.com/services/data/v1.0/exports
-
-+
-response_json:
-
-+
-[[response-json1-replace_with]]
-["source","json",subs="attributes"]
-----
-{
-    "exportId" : "2212"
-}
-----
-
-- Second call to fetch `file ids` using exportId from first call.
-
-+
-request_url using exportId as '2212': \https://example.com/services/data/v1.0/2212/files
-
-+
-response_json using exportId as '2212':
-
-+
-[[response-json2-replace_with]]
-["source","json",subs="attributes"]
-----
-{
-    "files": [
-        {
-            "id": 1,
-        },
-        {
-            "id": 2,
-        },
-        {
-            "id": 3,
-        },
-    ]
-}
-----
-This behaviour of targeted fixed pattern replacement in the url helps solve various use cases.
-
-**Some useful points to remember:- **
-
-    1. If you want the `value` to be treated as an expression to be evaluated for data extraction from context variables, it should always have a
-    **single '.' (dot) prefix**. Example: `replace_with: '$.exportId,.first_response.body.exportId'`. Anything more or less will have the internal
-    processor treat it as a hard coded value, `replace_with: '$.exportId,..first_response.body.exportId'` (more than one '.' (dot) as prefix) or
-    `replace_with:'$.exportId,first_response.body.exportId'` (no '.' dot as prefix)
-
-   2. Incomplete `value expressions` will cause an error while processing. Example: `replace_with: '$.exportId,.first_response.'`, `replace_with:
-    '$.exportId,.last_response.'` etc. These expressions are incomplete because they do not evaluate down to a valid key that can be extracted from
-    the context variables. The value expression: `.first_response.`, on processing, will result in an array `[first_response ""]` where the key to be
-    extrated becomes `"" (an empty string)`, which has no definition within any context variable.
-
-NOTE: Fixed patterns must not contain commas in their definition. String replacement patterns are matched by the `replace_with` processor with exact string matching. The `first_response` object at the moment can only store flat JSON structures (i.e. no support for JSONS having array at root level, NDJSON or Gzipped JSON), hence it should only be used in scenarios where the this is the case. Splits cannot be performed on `first_response`. It needs to be explicitly enabled by setting the flag `response.save_first_response` to `true` in the httpjson config.
-
-[float]
-==== `chain[].while`
-
-Contains basic request and response configuration for chained while calls. Chained while calls will keep making the requests for a given number of times until a condition is met
-or the maximum number of attempts gets exhausted. While chain has an attribute `until` which holds the expression to be evaluated. Ideally the `until` field should always be used
-together with the attributes `request.retry.max_attempts` and `request.retry.wait_min` which specifies the maximum number of attempts to evaluate `until` before giving up and the
-maximum wait time in between such requests. If `request.retry.max_attempts` is not specified, it will only try to evaluate the expression once and give up if it fails. If
-`request.retry.wait_min` is not specified the default wait time will always be `0` as in successive calls will be made immediately.
-
-[float]
-==== `chain[].while.request`
-
-See  <<request-parameters,request parameters>> .
-
-Example:
-
-First call: \http://example.com/services/data/v1.0/exports
-
-Second call: \http://example.com/services/data/v1.0/9ef0e6a5/export_ids/status
-
-Third call: \http://example.com/services/data/v1.0/export_ids/1/info
-
-[float]
-==== `chain[].while.response.split`
-
-See  <<response-split,response split parameter>> .
-
-[float]
-==== `chain[].while.replace`
-
-See  <<chain-step-replace, chain[].step.replace>> .
-
-Example:
-
-- First call: \http://example.com/services/data/v1.0/exports
-+
-<<response-json1-while,response>>
-
-- Second call: \http://example.com/services/data/v1.0/`$.exportId`/export_ids/status
-+
-<<response-json2-while,response>>
-
-- Third call: \http://example.com/services/data/v1.0/export_ids/`$.files[:].id`/info
-+
-<<response-json3-while,response 1>>, <<response-json4-while,response 2>>
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  enabled: true
-  # first call
-  id: my-httpjson-id
-  request.url: http://example.com/services/data/v1.0/exports
-  interval: 1h
-  chain:
-    # second call
-    - while:
-        request.url: http://example.com/services/data/v1.0/$.exportId/export_ids/status
-        request.method: GET
-        replace: $.exportId
-        until: '[[ eq .last_response.body.status "completed" ]]'
-        request.retry.max_attempts: 5
-        request.retry.wait_min: 5s
-    # third call
-    - step:
-        request.url: http://example.com/services/data/v1.0/export_ids/$.files[:].id/info
-        request.method: GET
-        replace: $.files[:].id
-----
-
-Example:
-
-- First call to collect export ids
-
-+
-request_url: \https://example.com/services/data/v1.0/exports
-
-+
-response_json:
-
-+
-[[response-json1-while]]
-["source","json",subs="attributes"]
-----
-{
-    "exportId": "9ef0e6a5"
-}
-----
-
-- Second call to collect `file_ids` using collected id from first call when `response.body.sataus == "completed"`. This call continues until the condition is satisfied or the maximum number of attempts gets exhausted.
-
-+
-request_url using id as '9ef0e6a5': \https://example.com/services/data/v1.0/9ef0e6a5/export_ids/status
-
-+
-response_json using id as '9ef0e6a5':
-
-+
-[[response-json2-while]]
-["source","json",subs="attributes"]
-----
-{
-    "status": "completed",
-    "files": [
-      {
-        "id": 1
-      },
-      {
-        "id": 2
-      },
-      {
-        "id": 3
-      }
-    ]
-}
-----
-
-- Third call to collect `files` using collected `file_id` from second call.
-
-+
-request_url using file_id as '1': \https://example.com/services/data/v1.0/export_ids/1/info
-
-+
-request_url using file_id as '2': \https://example.com/services/data/v1.0/export_ids/2/info
-
-+
-response_json using id as '1':
-
-+
-[[response-json3-while]]
-["source","json",subs="attributes"]
-----
-{
-    "file_name": "file_1",
-    "file_data": "some data"
-}
-----
-
-+
-response_json using id as '2':
-
-+
-[[response-json4-while]]
-["source","json",subs="attributes"]
-----
-{
-    "file_name": "file_2",
-    "file_data": "some data"
-}
-----
-
-+
-Collect and make events from response in any format supported by httpjson for all calls.
-
-+
-Note that since `request.url` must be a valid URL, if an API returns complete URLs in place of an identifier as in the example above, it would not be possible to use the JSON Path syntax. To achieve the desired result in this case an opaque URI syntax can be used. An opaque URI has an arbitrary scheme and opaque text separated by a colon. When the replacement is done, the scheme and colon are stripped from the URI prior to the replacement and the remaining opaque text is used as the replacement target. In the following example, the scheme is "placeholder".
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  enabled: true
-  # first call
-  id: my-httpjson-id
-  request.url: http://example.com/services/data/v1.0/exports
-  interval: 1h
-  chain:
-    # second call
-    - while:
-        request.url: placeholder:$.exportId
-        request.method: GET
-        replace: $.exportId
-        until: '[[ eq .last_response.body.status "completed" ]]'
-        request.retry.max_attempts: 5
-        request.retry.wait_min: 5s
-    # third call
-    - step:
-        request.url: placeholder:$.files[:]
-        request.method: GET
-        replace: $.files[:]
-----
-
-NOTE: httpjson chain will only create and ingest events from last call on chained configurations. Also, the current chain only supports the following: all <<request-parameters, request parameters>>, <<response-transforms, response.transforms>> and <<response-split, response.split>>.
-
-[float]
-==== `chain[].while.replace_with`
-
-See  <<chain-step-replace_with, chain[].step.replace_with>> .
-
-[[cursor]]
-[float]
-==== `cursor`
-
-Cursor is a list of key value objects where arbitrary values are defined. The values are interpreted as  <<value-templates,value templates>> and a default template can be set. Cursor state is kept between input restarts and updated once all the events for a request are published.
-
-If no event is published, no cursor update is made. This can have implications on how cursor updates should be performed when the target API returns empty response sets.
-
-Each cursor entry is formed by:
-
-- A `value` template, which will define the value to store when evaluated.
-- A `default` template, which will define the value to store when the value template fails or is empty.
-- An `ignore_empty_value` flag. When set to `true`, will not store empty values, preserving the previous one, if any. Default: `true`.
-
-Can read state from: [`.last_response.*`, `.first_event.*`, `.last_event.*`].
-
-NOTE: Default templates do not have access to any state, only to functions.
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: httpjson
-  interval: 1m
-  request.url: https://api.ipify.org/?format=json
-  response.transforms:
-    - set:
-        target: body.last_requested_at
-        value: '[[.cursor.last_requested_at]]'
-        default: "[[now]]"
-  cursor:
-    last_requested_at:
-      value: '[[now]]'
-  processors:
-    - decode_json_fields:
-        fields: ["message"]
-        target: "json"
-----
-
-==== Request life cycle
-
-image:images/input-httpjson-lifecycle.png[Request lifecycle]
-
-. At every defined interval a new request is created.
-. The request is transformed using the configured <<request-transforms, request.transforms>>.
-. The resulting transformed request is executed.
-. The server responds (here is where any retry or rate limit policy takes place when configured).
-. The response is transformed using the configured <<response-transforms, response.transforms>> and <<response-split, response.split>>.
-. If a chain step is configured. Each step will generate new requests based on collected IDs from responses. The requests will be transformed using configured <<request-transforms, request.transforms>> and the resulting generated transformed requests will be executed. This process will happen for all the steps mentioned in the chain.
-. Each resulting event is published to the output.
-. If a `response.pagination` is configured and there are more pages, a new request is created using it, otherwise the process ends until the next interval.
-
-image:images/input-httpjson-chain-lifecycle.png[Chain Request lifecycle]
-
-. Response from regular call will be processed.
-. Extract data from response and generate new requests from responses.
-. Process generated requests and collect responses from server.
-. Go back to step-2 for the next step.
-. Publish collected responses from the last chain step.
-
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the activity of the input.
-
-[options="header"]
-|=======
-| Metric                                     | Description
-| `events_published_total`                   | Total number of events published.
-| `pages_published_total`                    | Total number of pages of event published.
-| `http_request_total`                       | Total number of processed requests.
-| `http_request_errors_total`                | Total number of request errors.
-| `http_request_delete_total`                | Total number of `DELETE` requests.
-| `http_request_get_total`                   | Total number of `GET` requests.
-| `http_request_head_total`                  | Total number of `HEAD` requests.
-| `http_request_options_total`               | Total number of `OPTIONS` requests.
-| `http_request_patch_total`                 | Total number of `PATCH` requests.
-| `http_request_post_total`                  | Total number of `POST` requests.
-| `http_request_put_total`                   | Total number of `PUT` requests.
-| `http_request_body_bytes_total`            | Total of the requests body size.
-| `http_request_body_bytes`                  | Histogram of the requests body size.
-| `http_response_total`                      | Total number of responses received.
-| `http_response_errors_total`               | Total number of response errors.
-| `http_response_1xx_total`                  | Total number of `1xx` responses.
-| `http_response_2xx_total`                  | Total number of `2xx` responses.
-| `http_response_3xx_total`                  | Total number of `3xx` responses.
-| `http_response_4xx_total`                  | Total number of `4xx` responses.
-| `http_response_5xx_total`                  | Total number of `5xx` responses.
-| `http_response_body_bytes_total`           | Total of the responses body size.
-| `http_response_body_bytes`                 | Histogram of the responses body size.
-| `http_round_trip_time`                     | Histogram of the round trip time.
-| `httpjson_interval_total`                  | Total number of intervals executed.
-| `httpjson_interval_errors_total`           | Total number of interval errors.
-| `httpjson_interval_execution_time`         | Histogram of the interval execution time.
-| `httpjson_interval_pages`                  | Histogram of the total number of pages per interval.
-| `httpjson_interval_pages_execution_time`   | Histogram of the interval pages execution time.
-|=======
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/x-pack/filebeat/docs/inputs/input-netflow.asciidoc b/x-pack/filebeat/docs/inputs/input-netflow.asciidoc
deleted file mode 100644
index 056812fd4d94..000000000000
--- a/x-pack/filebeat/docs/inputs/input-netflow.asciidoc
+++ /dev/null
@@ -1,185 +0,0 @@
-[role="xpack"]
-
-:type: netflow
-
-[id="{beatname_lc}-input-{type}"]
-=== NetFlow input
-
-++++
-<titleabbrev>NetFlow</titleabbrev>
-++++
-
-Use the `netflow` input to read NetFlow and IPFIX exported flows
-and options records over UDP.
-
-This input supports NetFlow versions 1, 5, 6, 7, 8 and 9, as well as
-IPFIX. For NetFlow versions older than 9, fields are mapped automatically
-to NetFlow v9.
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: netflow
-  max_message_size: 10KiB
-  host: "0.0.0.0:2055"
-  protocols: [ v5, v9, ipfix ]
-  expiration_timeout: 30m
-  queue_size: 8192
-  custom_definitions:
-  - path/to/fields.yml
-  detect_sequence_reset: true
-----
-
-
-==== Configuration options
-
-The `netflow` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-include::../../../../filebeat/docs/inputs/input-common-udp-options.asciidoc[]
-
-[float]
-[[protocols]]
-==== `protocols`
-
-List of enabled protocols.
-Valid values are `v1`, `v5`, `v6`, `v7`, `v8`, `v9` and `ipfix`.
-
-[float]
-[[expiration_timeout]]
-==== `expiration_timeout`
-
-The time before an idle session or unused template is expired.
-Only applicable to v9 and IPFIX protocols. A value of zero disables expiration.
-
-[float]
-[[share_templates]]
-==== `share_templates`
-
-This option allows v9 and ipfix templates to be shared within a session without
-reference to the origin of the template.
-
-Note that setting this to true is not recommended as it can result in the wrong
-template being applied under certain conditions, but it may be required for some
-systems.
-
-[float]
-[[queue_size]]
-==== `queue_size`
-
-The maximum number of packets that can be queued for processing.
-Use this setting to avoid packet-loss when dealing with occasional bursts
-of traffic.
-
-
-[float]
-[[workers]]
-==== `workers`
-
-The number of workers to read and decode concurrently netflow packets.
-Default is `1`. Note that in order to maximize the performance gains of multiple
-workers it is advised to switch the output to `throughput` preset (https://www.elastic.co/guide/en/beats/filebeat/current/elasticsearch-output.html#_preset[link]).
-
-[float]
-[[custom_definitions]]
-==== `custom_definitions`
-
-A list of paths to field definitions YAML files. These allow to update the
-NetFlow/IPFIX fields with vendor extensions and to override existing fields.
-
-The expected format is the same as used by Logstash's NetFlow codec
-{logstash-ref}/plugins-codecs-netflow.html#plugins-codecs-netflow-ipfix_definitions[ipfix_definitions]
-and {logstash-ref}/plugins-codecs-netflow.html#plugins-codecs-netflow-netflow_definitions[netflow_definitions].
-{beatname_uc} will detect which of the two formats is used.
-
-NetFlow format example:
-["source","yaml",subs="attributes"]
-id:
-- default length in bytes
-- :name
-id:
-- :uintN or :intN: or :ip4_addr or :ip6_addr or :mac_addr or :string
-- :name
-id:
-- :skip
-
-
-Where `id` is the numeric field ID.
-
-The IPFIX format similar, but grouped by Private Enterprise Number (PEN):
-["source","yaml",subs="attributes"]
-pen1:
-  id:
-  - :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
-  - :name
-  id:
-  - :skip
-pen2:
-  id:
-  - :octetarray
-  - :name
-
-Note that fields are shared between NetFlow V9 and IPFIX. Changes to
-IPFIX PEN zero are equivalent to changes to NetFlow fields.
-
-[WARNING]
-Overriding the names and/or types of standard fields can prevent
-mapping of ECS fields to function properly.
-
-[float]
-[[detect_sequence_reset]]
-==== `detect_sequence_reset`
-
-Flag controlling whether {beatname_uc} should monitor sequence numbers in the
-Netflow packets to detect an Exporting Process reset. When this condition is
-detected, record templates for the given exporter will be dropped. This will
-cause flow loss until the exporter provides new templates. If set to `false`,
-{beatname_uc} will ignore sequence numbers, which can cause some invalid flows
-if the exporter process is reset. This option is only applicable to Netflow V9
-and IPFIX. Default is `true`.
-
-[float]
-[[internal_networks]]
-==== `internal_networks`
-
-A list of CIDR ranges describing the IP addresses that you consider internal.
-This is used in determining the values of `source.locality`,
-`destination.locality`, and `flow.locality`. The values can be either a CIDR
-value or one of the named ranges supported by the
-<<condition-network, `network`>> condition. The default value is `[private]`
-which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs/` path. They can be used to
-observe the activity of the input.
-
-You must assign a unique `id` to the input to expose metrics.
-
-[options="header"]
-|=======
-| Metric                         | Description
-| `device`                       | Host/port of the UDP stream.
-| `udp_read_buffer_length_gauge` | Size of the UDP socket buffer length in bytes (gauge).
-| `received_events_total`        | Total number of packets (events) that have been received.
-| `received_bytes_total`         | Total number of bytes received.
-| `receive_queue_length`         | Aggregated size of the system receive queues (IPv4 and IPv6) (linux only) (gauge).
-| `system_packet_drops`          | Aggregated number of system packet drops (IPv4 and IPv6) (linux only) (gauge).
-| `arrival_period`               | Histogram of the time between successive packets in nanoseconds.
-| `processing_time`              | Histogram of the time taken to process packets in nanoseconds.
-| `discarded_events_total`       | Total number of discarded events.
-| `decode_errors_total`          | Total number of errors at decoding a packet.
-| `flows_total`                  | Total number of received flows.
-| `open_connections`             | Number of current active netflow sessions.
-|=======
-
-Histogram metrics are aggregated over the previous 1024 events.
-
-:type!:
diff --git a/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc b/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc
deleted file mode 100644
index 287e526f705e..000000000000
--- a/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc
+++ /dev/null
@@ -1,148 +0,0 @@
-[role="xpack"]
-
-:type: o365audit
-
-[id="{beatname_lc}-input-{type}"]
-=== Office 365 Management Activity API input
-
-deprecated:[8.14.0]
-
-The o365audit input is deprecated. For collecting Microsoft Office 365 log data, please use the https://docs.elastic.co/integrations/o365[Microsoft 365] integration package. For more complex or user-specific use cases, similar functionality can be achieved using the <<filebeat-input-cel,`CEL input`>> .
-
-++++
-<titleabbrev>Office 365 Management Activity API</titleabbrev>
-++++
-
-beta[]
-
-Use the `o365audit` input to retrieve audit messages from Office 365
-and Azure AD activity logs. These are the same logs that are available under
-_Audit_ _log_ _search_ in the _Security_ _and_ _Compliance_ center.
-
-A single input instance can be used to fetch events for multiple tenants as long
-as a single application is configured to access all tenants. Certificate-based
-authentication is recommended in this scenario.
-
-This input doesn't perform any transformation on the incoming messages, notably
-no {ecs-ref}/ecs-reference.html[Elastic Common Schema fields] are populated, and
-some data is encoded as arrays of objects, which are difficult to query in
-Elasticsearch. You probably want to use the
-{filebeat-ref}/filebeat-module-o365.html[Office 365 module] instead.
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: o365audit
-  application_id: my-application-id
-  tenant_id: my-tenant-id
-  client_secret: my-client-secret
-----
-
-Multi-tenancy and certificate-based authentication is also supported:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: o365audit
-  application_id: my-application-id
-  tenant_id:
-    - tenant-id-A
-    - tenant-id-B
-    - tenant-id-C
-  certificate: /path/to/cert.pem
-  key: /path/to/private.pem
-  # key_passphrase: "my key's password"
-----
-
-==== Configuration options
-
-The `o365audit` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-[float]
-===== `application_id`
-
-The Application ID (also known as Client ID) of the Azure application to
-authenticate as.
-
-[float]
-===== `tenant_id`
-
-The tenant ID (also known as Directory ID) whose data is to be fetched. It's
-also possible to specify a list of tenants IDs to fetch data from more than
-one tenant.
-
-[float]
-===== `content_type`
-
-List of content types to fetch. The default is to fetch all known content types:
-
-- Audit.AzureActiveDirectory
-- Audit.Exchange
-- Audit.SharePoint
-- Audit.General
-- DLP.All
-
-[float]
-===== `client_secret`
-
-The client secret used for authentication.
-
-[float]
-===== `certificate`
-
-Path to the public certificate file used for certificate-based authentication.
-
-[float]
-===== `key`
-
-Path to the certificate's private key file for certificate-based authentication.
-
-[float]
-===== `key_passphrase`
-
-Passphrase used to decrypt the private key.
-
-[float]
-===== `api.authentication_endpoint`
-
-The authentication endpoint used to authorize the Azure app. This is
-`https://login.microsoftonline.com/` by default, and can be changed to access
-alternative endpoints.
-
-===== `api.resource`
-
-The API resource to retrieve information from. This is
-`https://manage.office.com` by default, and can be changed to access alternative
-endpoints.
-
-===== `api.max_retention`
-
-The maximum data retention period to support. `168h` by default. {beatname_uc}
-will fetch all retained data for a tenant when run for the first time.
-
-===== `api.poll_interval`
-
-The interval to wait before polling the API server for new events. Default `3m`.
-
-===== `api.max_requests_per_minute`
-
-The maximum number of requests to perform per minute, for each tenant. The
-default is `2000`, as this is the server-side limit per tenant.
-
-===== `api.max_query_size`
-
-The maximum time window that API allows in a single query. Defaults to `24h`
-to match Microsoft's documented limit.
-
-===== `api.preserve_original_event`
-
-Controls whether the original o365 audit object will be kept in `event.original`
- or not. Defaults to `false`.
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/x-pack/filebeat/docs/inputs/input-salesforce.asciidoc b/x-pack/filebeat/docs/inputs/input-salesforce.asciidoc
deleted file mode 100644
index 02e6f4675c3d..000000000000
--- a/x-pack/filebeat/docs/inputs/input-salesforce.asciidoc
+++ /dev/null
@@ -1,341 +0,0 @@
-[role="xpack"]
-
-:type: salesforce
-
-[id="{beatname_lc}-input-{type}"]
-=== Salesforce input
-
-++++
-<titleabbrev>Salesforce</titleabbrev>
-++++
-
-Use the `salesforce` input to monitor Salesforce events either via the https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile.htm[Salesforce EventLogFile (ELF) API] or the https://developer.salesforce.com/blogs/2020/05/introduction-to-real-time-event-monitoring[Salesforce Real-time event monitoring API]. Both use REST API (to execute SOQL queries in the Salesforce instance) under the hood to query the relevant objects to fetch the events.
-
-The Salesforce input maintains cursor states between requests to track the last event retrieved in each execution. These cursor states are passed to the next event monitoring execution to resume fetching events from the last known position. The cursor states allow the input to pick up where it left off and provide control over the behavior of the input.
-
-Here are some supported authentication methods and event monitoring methods:
-
-* Authentication methods
-** OAuth2
-*** User-Password flow
-*** JWT Bearer flow
-
-* Event monitoring methods
-** EventLogFile (ELF) using REST API
-** REST API for objects (For monitoring real-time events)
-
-Here are some key points about how cursors are used in the Salesforce input:
-
-- Separate cursor states are maintained for each configured event monitoring method (`event_log_file` and `object`).
-- The cursor state stores the unique identifier of the last event retrieved, based on the `cursor.field` specified in the configuration.
-- On the first run, the `query.default` is used to fetch an initial set of events.
-- On subsequent runs, the `query.value` template is populated with the cursor state to fetch events since the last execution.
-- If the input is restarted, it will resume from the last persisted cursor state rather than starting over from scratch.
-
-Using cursors allows the Salesforce input to reliably keep track of its progress and avoid missing or duplicating events across executions. The cursor field should be chosen carefully to have a monotonically increasing value for each new event.
-
-Event Monitoring methods are highly configurable and can be used to monitor any supported object or event log file. The input can be configured to monitor multiple objects or event log files at the same time.
-
-Example configuration:
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-  - type: salesforce
-    enabled: true
-    version: 56
-    auth.oauth2:
-      user_password_flow:
-        enabled: true
-        client.id: client-id
-        client.secret: client-secret
-        token_url: https://instance-id.develop.my.salesforce.com
-        username: salesforce-instance@user.in
-        password: salesforce-instance-password
-      jwt_bearer_flow:
-        enabled: true
-        client.id: client-id
-        client.username: salesforce-instance@user.in
-        client.key_path: server_client.key
-        url: https://login.salesforce.com
-    url: https://instance-id.develop.my.salesforce.com
-    event_monitoring_method:
-      event_log_file:
-        enabled: true
-        interval: 1h
-        query:
-          default: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE EventType = 'Login' ORDER BY CreatedDate ASC NULLS FIRST"
-          value: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE EventType = 'Login' AND CreatedDate > [[ .cursor.event_log_file.last_event_time ]] ORDER BY CreatedDate ASC NULLS FIRST"
-        cursor:
-          field: "CreatedDate"
-      object:
-        enabled: true
-        interval: 5m
-        query:
-          default: "SELECT FIELDS(STANDARD) FROM LoginEvent"
-          value: "SELECT FIELDS(STANDARD) FROM LoginEvent WHERE EventDate > [[ .cursor.object.first_event_time ]]"
-        cursor:
-          field: "EventDate"
-----
-
-==== Set up the OAuth App in the Salesforce
-
-In order to use this integration, users need to create a new Salesforce Application using OAuth. Follow the steps below to create a connected application in Salesforce:
-
-1. Login to https://login.salesforce.com/[Salesforce] with the same user credentials that the user wants to collect data with.
-2. Click on Setup on the top right menu bar. On the Setup page, search for `App Manager` in the `Search Setup` search box at the top of the page, then select `App Manager`.
-3. Click _New Connected App_.
-4. Provide a name for the connected application. This will be displayed in the App Manager and on its App Launcher tile.
-5. Enter the API name. The default is a version of the name without spaces. Only letters, numbers, and underscores are allowed. If the original app name contains any other characters, edit the default name.
-6. Enter the contact email for Salesforce.
-7. Under the API (Enable OAuth Settings) section of the page, select _Enable OAuth Settings_.
-8. In the Callback URL, enter the Instance URL (Please refer to `Salesforce Instance URL`).
-9. Select the following OAuth scopes to apply to the connected app:
-- Manage user data via APIs (api).
-- Perform requests at any time (refresh_token, offline_access).
-- (Optional) In case of data collection, if any permission issues arise, add the Full access (full) scope.
-10. Select _Require Secret for the Web Server Flow_ to require the app's client secret in exchange for an access token.
-11. Select _Require Secret for Refresh Token Flow_ to require the app's client secret in the authorization request of a refresh token and hybrid refresh token flow.
-12. Click Save. It may take approximately 10 minutes for the changes to take effect.
-13. Click Continue and then under API details, click Manage Consumer Details. Verify the user account using the Verification Code.
-14. Copy `Consumer Key` and `Consumer Secret` from the Consumer Details section, which should be populated as values for Client ID and Client Secret respectively in the configuration.
-
-For more details on how to create a Connected App, refer to the Salesforce documentation https://help.salesforce.com/apex/HTViewHelpDoc?id=connected_app_create.htm[here].
-
-[NOTE]
-
-====
-
-*Enabling real-time events*
-
-To get started with https://developer.salesforce.com/blogs/2020/05/introduction-to-real-time-event-monitoring[real-time] events, head to setup and into the quick find search for 'Event Manager'. Enterprise and Unlimited environments have access to the Logout Event by default, but the remainder of the events need licensing to access https://help.salesforce.com/s/articleView?id=sf.salesforce_shield.htm&type=5[Shield Event Monitoring].
-
-====
-
-==== Execution
-
-The `salesforce` input is a long-running program that retrieves events from a Salesforce instance and sends them to the specified output. The program executes in a loop, fetching events from the Salesforce instance at a preconfigured interval. Each event monitoring method can be configured to run separately and at different intervals. To prevent a sudden spike in memory usage, if multiple event monitoring methods are configured, they are scheduled to run one at a time. Even if the intervals overlap, only one method will be executed randomly, and the other will be executed after the first one completes.
-
-There are two methods to fetch the events from the Salesforce instance:
-
-- `event_log_file`: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile.htm[EventLogFile] is a standard object in Salesforce and the event monitoring method uses the REST API under the hood to gather the Salesforce org's operational events from the object. There is a field EventType that helps distinguish between the types of operational events like — Login, Logout, etc. Uses Salesforce's query language SOQL to query the object.
-
-- `object`: This method is a general way of retrieving events from a Salesforce instance by using the REST API. It can be used for monitoring https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_list.htm[objects] in real-time. In real-time event monitoring, subscribing to the events is a common practice, but the events are also stored in Salesforce org (if configured), specifically in big object tables that are preconfigured for each event type. With this method, we query the object using Salesforce's query language (https://developer.salesforce.com/docs/atlas.en-us.soql_sosl.meta/soql_sosl/sforce_api_calls_soql.htm[SOQL]). The collection happens at the configured scrape `interval`.
-
-[NOTE]
-====
-
-*Salesforce Objects and SOQL Query Field Ordering Limitations*
-
-Each Salesforce Object contains a set of fields, but SOQL queries have restrictions on the fields that can be ordered and the specific ordering method. The Object description on the Salesforce Developers page provides information about these limitations. For instance, the Login Object only allows ordering by the EventDate field in descending order.
-
-When collecting data over time using cursors, the following cursor inputs are available:
-
-- `object.first_event_time`: This cursor input stores the cursor value from the first event encountered during data collection using the object method.
-- `object.last_event_time`: This cursor input stores the cursor value from the last event encountered during data collection using the object method.
-- `event_log_file.first_event_time`: This cursor input stores the cursor value from the first event encountered during data collection using the event log file method.
-- `event_log_file.last_event_time`: This cursor input stores the cursor value from the last event encountered during data collection using the event log file method.
-
-By selecting one of the above cursor inputs, users can collect data from both the object and event log file in the desired order. The cursor configuration can be customized based on the user's specific requirements.
-
-====
-
-==== Configuration options
-
-The `salesforce` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-[bool]
-==== `enabled`
-
-Whether the input is enabled or not. Default: `false`.
-
-[integer]
-==== `version`
-
-The version of the Salesforce API to use. Minimum supported version is 46.
-
-[object]
-==== `auth`
-
-The authentication settings for the Salesforce instance.
-
-[object]
-==== `auth.oauth2`
-
-The OAuth2 authentication options for the Salesforce instance.
-
-There are two OAuth2 authentication flows supported:
-
-* `user_password_flow`: User-Password flow
-* `jwt_bearer_flow`: JWT Bearer flow
-
-[bool]
-==== `auth.oauth2.user_password_flow.enabled`
-
-Whether to use the user-password flow for authentication. Default: `false`.
-
-[NOTE]
-
-Only one authentication flow can be enabled at a time.
-
-[string]
-==== `auth.oauth2.user_password_flow.client.id`
-
-The client ID for the user-password flow.
-
-[string]
-==== `auth.oauth2.user_password_flow.client.secret`
-
-The client secret for the user-password flow.
-
-[string]
-==== `auth.oauth2.user_password_flow.token_url`
-
-The token URL for the user-password flow.
-
-[string]
-==== `auth.oauth2.user_password_flow.username`
-
-The username for the user-password flow.
-
-[string]
-==== `auth.oauth2.user_password_flow.password`
-
-The password for the user-password flow.
-
-[bool]
-==== `auth.oauth2.jwt_bearer_flow.enabled`
-
-Whether to use the JWT bearer flow for authentication. Default: `false`.
-
-[NOTE]
-
-Only one authentication flow can be enabled at a time.
-
-[string]
-==== `auth.oauth2.jwt_bearer_flow.client.id`
-
-The client ID for the JWT bearer flow.
-
-[string]
-==== `auth.oauth2.jwt_bearer_flow.client.username`
-
-The username for the JWT bearer flow.
-
-[string]
-==== `auth.oauth2.jwt_bearer_flow.client.key_path`
-
-The path to the private key file for the JWT bearer flow. The file must be PEM encoded PKCS1 or PKCS8 private key and must have the right permissions set to have read access for the user running the program.
-
-[string]
-==== `auth.oauth2.jwt_bearer_flow.url`
-
-The URL for the JWT bearer flow.
-
-[string]
-==== `url`
-
-The URL of the Salesforce instance. Required.
-
-[duration]
-==== `resource.timeout`
-
-Duration before declaring that the HTTP client connection has timed out. Valid time units are `ns`, `us`, `ms`, `s`, `m`, `h`. Default: `30s`.
-
-[integer]
-==== `resource.retry.max_attempts`
-
-The maximum number of retries for the HTTP client. Default: `5`.
-
-[duration]
-==== `resource.retry.wait_min`
-
-The minimum time to wait before a retry is attempted. Default: `1s`.
-
-[duration]
-==== `resource.retry.wait_max`
-
-The maximum time to wait before a retry is attempted. Default: `60s`.
-
-[object]
-==== `event_monitoring_method`
-
-The event monitoring method to use. There are two event monitoring methods supported:
-
-* `event_log_file`: EventLogFile (ELF) using REST API
-
-* `object`: Real-time event monitoring using REST API (objects)
-
-[object]
-==== `event_monitoring_method.event_log_file`
-
-The event monitoring method to use — event_log_file. Uses the EventLogFile API to fetch the events from the Salesforce instance.
-
-[bool]
-==== `event_monitoring_method.event_log_file.enabled`
-
-Whether to use the EventLogFile API for event monitoring. Default: `false`.
-
-[duration]
-==== `event_monitoring_method.event_log_file.interval`
-
-The interval to collect the events from the Salesforce instance using the EventLogFile API.
-
-[string]
-==== `event_monitoring_method.event_log_file.query.default`
-
-The default query to fetch the events from the Salesforce instance using the EventLogFile API.
-
-In case the cursor state is not available, the default query will be used to fetch the events from the Salesforce instance. The default query must be a valid SOQL query. If the SOQL query in `event_monitoring_method.event_log_file.query.value` is not valid, the default query will be used to fetch the events from the Salesforce instance.
-
-[string]
-==== `event_monitoring_method.event_log_file.query.value`
-
-The SOQL query to fetch the events from the Salesforce instance using the EventLogFile API but it uses the cursor state to fetch the events from the Salesforce instance. The SOQL query must be a valid SOQL query. If the SOQL query is not valid, the default query will be used to fetch the events from the Salesforce instance.
-
-In case of restarts or subsequent executions, the cursor state will be used to fetch the events from the Salesforce instance. The cursor state is the last event time of the last event fetched from the Salesforce instance. The cursor state is taken from `event_monitoring_method.event_log_file.cursor.field` field for the last event fetched from the Salesforce instance.
-
-[string]
-==== `event_monitoring_method.event_log_file.cursor.field`
-
-The field to use to fetch the cursor state from the last event fetched from the Salesforce instance. The field must be a valid field in the SOQL query specified in `event_monitoring_method.event_log_file.query.default` and `event_monitoring_method.event_log_file.query.value` i.e., part of the selected fields in the SOQL query.
-
-[object]
-==== `event_monitoring_method.object`
-
-The event monitoring method to use — object. Uses REST API to fetch the events directly from the objects from the Salesforce instance.
-
-[bool]
-==== `event_monitoring_method.object.enabled`
-
-Whether to use the REST API for objects for event monitoring. Default: `false`.
-
-[duration]
-==== `event_monitoring_method.object.interval`
-
-The interval to collect the events from the Salesforce instance using the REST API from objects.
-
-[string]
-==== `event_monitoring_method.object.query.default`
-
-The default SOQL query to fetch the events from the Salesforce instance using the REST API from objects.
-
-In case the cursor state is not available, the default query will be used to fetch the events from the Salesforce instance. The default query must be a valid SOQL query. If the SOQL query in `event_monitoring_method.object.query.value` is not valid, the default query will be used to fetch the events from the Salesforce instance.
-
-[string]
-==== `event_monitoring_method.object.query.value`
-
-The SOQL query to fetch the events from the Salesforce instance using the REST API from objects but it uses the cursor state to fetch the events from the Salesforce instance. The SOQL query must be a valid SOQL query. If the SOQL query is not valid, the default query will be used to fetch the events from the Salesforce instance.
-
-In case of restarts or subsequent executions, the cursor state will be used to fetch the events from the Salesforce instance. The cursor state is the last event time of the last event fetched from the Salesforce instance. The cursor state is taken from `event_monitoring_method.object.cursor.field` field for the last event fetched from the Salesforce instance.
-
-[string]
-==== `event_monitoring_method.object.cursor.field`
-
-The field to use to fetch the cursor state from the last event fetched from the Salesforce instance. The field must be a valid field in the SOQL query specified in `event_monitoring_method.object.query.default` and `event_monitoring_method.object.query.value` i.e., part of the selected fields in the SOQL query.
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-:type!:
diff --git a/x-pack/filebeat/docs/inputs/input-streaming.asciidoc b/x-pack/filebeat/docs/inputs/input-streaming.asciidoc
deleted file mode 100644
index 1ee343e4a9b7..000000000000
--- a/x-pack/filebeat/docs/inputs/input-streaming.asciidoc
+++ /dev/null
@@ -1,460 +0,0 @@
-[role="xpack"]
-
-:type: streaming
-:mito_version: v1.8.0
-:mito_docs: https://pkg.go.dev/github.com/elastic/mito@{mito_version}
-
-[id="{beatname_lc}-input-{type}"]
-=== Streaming Input
-experimental[]
-
-++++
-<titleabbrev>Streaming</titleabbrev>
-++++
-
-The `streaming` input reads messages from a streaming data source, for example a websocket server. This input uses the `CEL engine` and the `mito` library internally to parse and process the messages. Having support for `CEL` allows you to parse and process the messages in a more flexible way. It has many similarities with the `cel` input as to how the `CEL` programs are written but differs in the way the messages are read and processed. Currently websocket server or API endpoints, and the Crowdstrike Falcon streaming API are supported.
-
-The websocket streaming input supports:
-
-* Auth
-** Basic
-** Bearer 
-** Custom
-** OAuth2.0
-
-NOTE: The `streaming` input websocket handler does not currently support XML messages. Auto-reconnects are also not supported at the moment so reconnection will occur on input restart.
-
-The Crowdstrike streaming input requires OAuth2.0 as described in the Crowdstrike documentation for the API. When using the Crowdstrike streaming type, the `crowdstrike_app_id` configuration field must be set. This field specifies the `appId` parameter sent to the Crowdstrike API. See the Crowdstrike documentation for details.
-
-The `stream_type` configuration field specifies which type of streaming input to use, "websocket" or "crowdstrike". If it is not set, the input defaults to websocket streaming  .
-
-==== Execution
-
-The execution environment provided for the input includes includes the functions, macros, and global variables provided by the mito library.
-A single JSON object is provided as an input accessible through a `state` variable. `state` contains a `response` map field and may contain arbitrary other fields configured via the input's `state` configuration. If the CEL program saves cursor states between executions of the program, the configured `state.cursor` value will be replaced by the saved cursor prior to execution.
-
-On start the `state` will be something like this:
-
-["source","json",subs="attributes"]
-----
-{
-    "response": { ... },
-    "cursor": { ... },
-    ...
-}
-----
-The `streaming` input websocket handler creates a `response` field in the state map and attaches the websocket message to this field. All `CEL` programs written should act on this `response` field. Additional fields may be present at the root of the object and if the program tolerates it, the cursor value may be absent. Only the cursor is persisted over restarts, but all fields in state are retained between iterations of the processing loop except for the produced events array, see below.
-
-If the cursor is present the program should process or filter out responses based on its value. If cursor is not present all responses should be processed as per the program's logic.
-
-After completion of a program's execution it should return a single object with a structure looking like this:
-
-["source","json",subs="attributes"]
-----
-{
-    "events": [ <1>
-        {...},
-        ...
-    ],
-    "cursor": [ <2>
-        {...},
-        ...
-    ]
-}
-----
-
-<1> The `events` field must be present, but may be empty or null. If it is not empty, it must only have objects as elements.
-The field could be an array or a single object that will be treated as an array with a single element. This depends completely on the streaming data source. The `events` field is the array of events to be published to the output. Each event must be a JSON object.
-
-<2> If `cursor` is present it must be either be a single object or an array with the same length as events; each element _i_ of the `cursor` will be the details for obtaining the events at and beyond event _i_ in the `events` array. If the `cursor` is a single object, it will be the details for obtaining events after the last event in the `events` array and will only be retained on successful publication of all the events in the `events` array.
-
-
-Example configurations:
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-# Read and process simple websocket messages from a local websocket server
-- type: streaming
-  url: ws://localhost:443/v1/stream
-  program: |
-    bytes(state.response).decode_json().as(inner_body,{
-      "events": {
-        "message":  inner_body.encode_json(),
-      }
-    })
-----
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-# Read and process events from the Crowdstrike Falcon Hose API
-- type: streaming
-  stream_type: crowdstrike
-  url: https://api.crowdstrike.com/sensors/entities/datafeed/v2
-  auth:
-    client_id: a23fcea2643868ef1a41565a1a8a1c7c
-    client_secret: c3VwZXJzZWNyZXRfY2xpZW50X3NlY3JldF9zaGhoaGgK
-    token_url: https://api.crowdstrike.com/oauth2/token
-  crowdstrike_app_id: my_app_id
-  program: |
-    state.response.decode_json().as(body,{
-      "events": [body],
-      ?"cursor": has(body.?metadata.offset) ?
-        optional.of({"offset": body.metadata.offset})
-      :
-        optional.none(),
-    })
-----
-
-==== Debug state logging
-
-The Websocket input will log the complete state when logging at the DEBUG level before and after CEL evaluation.
-This will include any sensitive or secret information kept in the `state` object, and so DEBUG level logging should not be used in production when sensitive information is retained in the `state` object. See <<streaming-state-redact,`redact`>> configuration parameters for settings to exclude sensitive fields from DEBUG logs.
-
-==== Authentication
-
-The websocket streaming input supports authentication via Basic token authentication, Bearer token authentication, authentication via a custom auth config and OAuth2 based authentication. Unlike REST inputs Basic Authentication contains a basic auth token, Bearer Authentication contains a bearer token and custom auth contains any combination of custom header and value. These token/key values are are added to the request headers and are not exposed to the `state` object. The custom auth configuration is useful for constructing requests that require custom headers and values for authentication. The basic and bearer token configurations will always use the `Authorization` header and prepend the token with `Basic` or `Bearer` respectively.
-
-Example configurations with authentication:
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: streaming
-  auth.basic_token: "dXNlcjpwYXNzd29yZA=="
-  url: wss://localhost:443/_stream
-----
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: streaming
-  auth.bearer_token: "dXNlcjpwYXNzd29yZA=="
-  url: wss://localhost:443/_stream
-----
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: streaming
-  auth.custom:
-    header: "x-api-key"
-    value: "dXNlcjpwYXNzd29yZA=="   
-  url: wss://localhost:443/_stream
-----
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: streaming
-  auth.custom:
-    header: "Auth"
-    value: "Bearer dXNlcjpwYXNzd29yZA=="   
-  url: wss://localhost:443/_stream
-----
-
-The crowdstrike streaming input requires OAuth2.0 authentication using a client ID, client secret and a token URL. These values are not exposed to the `state` object. OAuth2.0 scopes and endpoint parameters are available via the `auth.scopes` and `auth.endpoint_params` config parameters.
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: streaming
-  stream_type: crowdstrike
-  auth:
-    client_id: a23fcea2643868ef1a41565a1a8a1c7c
-    client_secret: c3VwZXJzZWNyZXRfY2xpZW50X3NlY3JldF9zaGhoaGgK
-    token_url: https://api.crowdstrike.com/oauth2/token
-----
-
-==== Websocket OAuth2.0
-
-The `websocket` streaming input supports OAuth2.0 authentication. The `auth` configuration field is used to specify the OAuth2.0 configuration. These values are not exposed to the `state` object. 
-
-The `auth` configuration field has the following subfields:
-  
-  - `client_id`: The client ID to use for OAuth2.0 authentication.
-  - `client_secret`: The client secret to use for OAuth2.0 authentication.
-  - `token_url`: The token URL to use for OAuth2.0 authentication.
-  - `scopes`: The scopes to use for OAuth2.0 authentication.
-  - `endpoint_params`: The endpoint parameters to use for OAuth2.0 authentication.
-  - `auth_style`: The authentication style to use for OAuth2.0 authentication. If left unset, the style will be automatically detected.
-  - `token_expiry_buffer`: Minimum valid time remaining before attempting an OAuth2 token renewal. The default value is `2m`.
-
-**Explanations for `auth_style` and `token_expiry_buffer`:**
-
-- `auth_style`: The authentication style to use for OAuth2.0 authentication which determines how the values of sensitive information like `client_id` and `client_secret` are sent in the token request. The default style value is automatically inferred and used appropriately if no value is provided. The `auth_style` configuration field is optional and can be used to specify the authentication style to use for OAuth2.0 authentication. The `auth_style` configuration field supports the following configurable values:
-  
-  * `in_header`: The `client_id` and `client_secret` is sent in the header as a base64 encoded `Authorization` header.
-  * `in_params`: The `client_id` and `client_secret` is sent in the request body along with the other OAuth2 parameters.
-
-- `token_expiry_buffer`: The token expiry buffer to use for OAuth2.0 authentication. The `token_expiry_buffer` is used as a safety net to ensure that the token does not expire before the input can refresh it. The `token_expiry_buffer` configuration field is optional. If the `token_expiry_buffer` configuration field is not set, the default value of `2m` is used.
-
-NOTE: We recommend leaving the `auth_style` configuration field unset (automatically inferred internally) for most scenarios, except where manual intervention is required.
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: streaming
-  auth:
-    client_id: a23fcea2643868ef1a41565a1a8a1c7c
-    client_secret: c3VwZXJzZWNyZXRfY2xpZW50X3NlY3JldF9zaGhoaGgK
-    token_url: https://api.sample-url.com/oauth2/token
-    scopes: ["read", "write"]
-    endpoint_params:
-      param1: value1
-      param2: value2
-    auth_style: in_params
-    token_expiry_buffer: 5m
-  url: wss://localhost:443/_stream
-----
-
-[[input-state-streaming]]
-==== Input state
-
-The `streaming` input keeps a runtime state between every message received. This state can be accessed by the CEL program and may contain arbitrary objects.
-The state must contain a `response` map and may contain any object the user wishes to store in it. All objects are stored at runtime, except `cursor`, which has values that are persisted between restarts.
-
-==== Configuration options
-
-The `streaming` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-[[stream_type-streaming]]
-[float]
-==== `stream_type`
-
-The flavor of streaming to use. This may be either "websocket", "crowdstrike", or unset. If the field is unset, websocket streaming is used.
-
-[[program-streaming]]
-[float]
-==== `program`
-
-The CEL program that is executed on each message received. This field should ideally be present but if not the default program given below is used.
-
-["source","yaml",subs="attributes"]
-----
-program: |
-  bytes(state.response).decode_json().as(inner_body,{
-    "events": {
-      "message":  inner_body.encode_json(),
-    }
-  })
-----
-
-[[input-url-program-streaming]]
-[float]
-==== `url_program`
-
-If present, this CEL program is executed before the streaming connection is established using the `state` object, including any stored cursor value. It must evaluate to a valid URL. The returned URL is used to make the streaming connection for processing. The program may use cursor values or other state defined values to customize the URL at runtime.
-
-["source","yaml",subs="attributes"]
-----
-url: ws://testapi:443/v1/streamresults
-state:
-  initial_start_time: "2022-01-01T00:00:00Z"
-url_program: |
-  state.url + "?since=" + state.?cursor.since.orValue(state.initial_start_time)
-program: |
-  bytes(state.response).decode_json().as(inner_body,{
-    "events": {
-      "message":  inner_body.encode_json(),
-    },
-    "cursor": {
-      "since": inner_body.timestamp
-    }
-  })
-----
-
-[[state-streaming]]
-[float]
-==== `state`
-
-`state` is an optional object that is passed to the CEL program on the first execution. It is available to the executing program as the `state` variable. Except for the `state.cursor` field, `state` does not persist over restarts.
-
-[[cursor-streaming]]
-[float]
-==== `state.cursor`
-
-The cursor is an object available as `state.cursor` where arbitrary values may be stored. Cursor state is kept between input restarts and updated after each event of a request has been published. When a cursor is used the CEL program must either create a cursor state for each event that is returned by the program, or a single cursor that reflects the cursor for completion of the full set of events.
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-# Read and process simple websocket messages from a local websocket server
-- type: streaming
-  url: ws://localhost:443/v1/stream
-  program: |
-    bytes(state.response).as(body, {
-      "events": [body.decode_json().with({
-        "last_requested_at": has(state.cursor) && has(state.cursor.last_requested_at) ?
-          state.cursor.last_requested_at
-        :
-          now
-      })],
-      "cursor": {"last_requested_at": now}
-    })
-----
-
-[[regexp-streaming]]
-[float]
-==== `regexp`
-
-A set of named regular expressions that may be used during a CEL program's execution using the `regexp` extension library. The syntax used for the regular expressions is https://github.com/google/re2/wiki/Syntax[RE2].
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: streaming
-  # Define two regular expressions, 'products' and 'solutions' for use during CEL program execution.
-  regexp:
-    products: '(?i)(Elasticsearch|Beats|Logstash|Kibana)'
-    solutions: '(?i)(Search|Observability|Security)'
-----
-
-[[streaming-state-redact]]
-[float]
-==== `redact`
-
-During debug level logging, the `state` object and the resulting evaluation result are included in logs. This may result in leaking of secrets. In order to prevent this, fields may be redacted or deleted from the logged `state`. The `redact` configuration allows users to configure this field redaction behaviour. For safety reasons if the `redact` configuration is missing a warning is logged.
-
-In the case of no-required redaction an empty `redact.fields` configuration should be used to silence the logged warning.
-
-["source","yaml",subs="attributes"]
-----
-- type: streaming
-  redact:
-    fields: ~
-----
-
-As an example, if a user-constructed Basic Authentication request is used in a CEL program the password can be redacted like so
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: streaming
-  url: ws://localhost:443/_stream
-  state:
-    user: user@domain.tld
-    password: P@$$W0₹D
-  redact:
-    fields:
-      - password
-    delete: true
-----
-
-Note that fields under the `auth` configuration hierarchy are not exposed to the `state` and so do not need to be redacted. For this reason it is preferable to use these for authentication over the request construction shown above where possible.
-
-[float]
-==== `redact.fields`
-
-This specifies fields in the `state` to be redacted prior to debug logging. Fields listed in this array will be either replaced with a `*` or deleted entirely from messages sent to debug logs.
-
-[float]
-==== `redact.delete`
-
-This specifies whether fields should be replaced with a `*` or deleted entirely from messages sent to debug logs. If delete is `true`, fields will be deleted rather than replaced.
-
-[[retry-streaming]]
-[float]
-==== `retry`
-
-The `retry` configuration allows the user to specify the number of times the input should attempt to reconnect to the streaming data source in the event of a connection failure. The default value is `nil` which means no retries will be attempted. It has a `wait_min` and `wait_max` configuration which specifies the minimum and maximum time to wait between retries. It also supports blanket retries and infinite retries via the `blanket_retires` and `infinite_retries` configuration options. These are set to `false` by default.
-
-["source","yaml",subs="attributes"]
-----
-filebeat.inputs:
-- type: streaming
-  url: ws://localhost:443/_stream
-  program: |
-    bytes(state.response).decode_json().as(inner_body,{
-      "events": {
-        "message":  inner_body.encode_json(),
-      }
-    })
-  retry:
-    max_attempts: 5
-    wait_min: 1s
-    wait_max: 10s
-    blanket_retries: false
-    infinite_retries: false
-----
-[float]
-==== `retry.max_attempts`
-
-The maximum number of times the input should attempt to reconnect to the streaming data source in the event of a connection failure. The default value is `5` which means a maximum of 5 retries will be attempted.
-
-[float]
-==== `retry.wait_min`
-
-The minimum time to wait between retries. This ensures that retries are spaced out enough to give the system time to recover or resolve transient issues, rather than bombarding the system with rapid retries. For example, `wait_min` might be set to 1 second, meaning that even if the calculated backoff is less than this, the client will wait at least 1 second before retrying. The default value is `1` second.
-
-[float]
-==== `retry.wait_max`
-
-The maximum time to wait between retries. This prevents the retry mechanism from becoming too slow, ensuring that the client does not wait indefinitely between retries. This is crucial in systems where timeouts or user experience are critical. For example, `wait_max` might be set to 10 seconds, meaning that even if the calculated backoff is greater than this, the client will wait at most 10 seconds before retrying. The default value is `30` seconds.
-
-[float]
-==== `retry.blanket_retries`
-
-Normally the input will only retry when a connection error is found to be retryable based on the error type and the RFC 6455 error codes defined by the websocket protocol. If `blanket_retries` is set to `true` (`false` by default) the input will retry on any error. This is not recommended unless the user is certain that all errors are transient and can be resolved by retrying.
-
-[float]
-==== `retry.infinite_retries`
-
-Normally the input will only retry a maximum of `max_attempts` times. If `infinite_retries` is set to `true` (`false` by default) the input will retry indefinitely. This is not recommended unless the user is certain that the connection will eventually succeed.
-
-[float]
-=== `timeout`
-Timeout is the maximum amount of time the websocket dialer will wait for a connection to be established. The default value is `180` seconds.
-
-[float]
-==== `proxy_url`
-This specifies the forward proxy URL to use for the connection. The `proxy_url` configuration is optional and can be used to configure the proxy settings for the connection. The `proxy_url` default value is set by `http.ProxyFromEnvironment` which reads the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables.
-
-[float]
-==== `proxy_headers`
-This specifies the headers to be sent to the proxy server. The `proxy_headers` configuration is optional and can be used to configure the headers to be sent to the proxy server.
-
-[float]
-==== `ssl`
-This specifies the SSL configuration for the connection. The `ssl` configuration is optional and can be used to configure the SSL settings for the connection. The `ssl` configuration has the following subfields:
-
-  - `certificate_authorities`: A list of root certificates to use for verifying the server's certificate.   
-  - `certificate`: The (PEM encoded) certificate to use for client authentication.
-  - `key`: The (PEM encoded) private key to use for client authentication.
-
-If this is a self-signed certificate, the `certificate_authorities` field should be set to the certificate itself.
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs` path. They can be used to
-observe the activity of the input.
-
-[options="header"]
-|=======
-| Metric                    | Description
-| `url`                     | URL of the input resource.
-| `cel_eval_errors`         | Number of errors encountered during cel program evaluation.
-| `errors_total`            | Number of errors encountered over the life cycle of the input.
-| `batches_received_total`  | Number of event arrays received.
-| `batches_published_total` | Number of event arrays published.
-| `received_bytes_total`    | Number of bytes received over the life cycle of the input.
-| `events_received_total`   | Number of events received.
-| `events_published_total`  | Number of events published.
-| `cel_processing_time`     | Histogram of the elapsed successful CEL program processing times in nanoseconds.
-| `batch_processing_time`   | Histogram of the elapsed successful batch processing times in nanoseconds (time of receipt to time of ACK for non-empty batches).
-|=======
-
-==== Developer tools
-
-A stand-alone CEL environment that implements the majority of the streaming input's Comment Expression Language functionality is available in the https://github.com/elastic/mito[Elastic Mito] repository. This tool may be used to help develop CEL programs to be used by the input. Installation is available from source by running `go install github.com/elastic/mito/cmd/mito@latest` and requires a Go toolchain.
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-NOTE: The `streaming` input is currently tagged as experimental and might have bugs and other issues. Please report any issues on the https://github.com/elastic/beats[Github] repository.
-
-:type!:
diff --git a/x-pack/filebeat/docs/inputs/input-unifiedlogs.asciidoc b/x-pack/filebeat/docs/inputs/input-unifiedlogs.asciidoc
deleted file mode 100644
index 37589f307fb3..000000000000
--- a/x-pack/filebeat/docs/inputs/input-unifiedlogs.asciidoc
+++ /dev/null
@@ -1,180 +0,0 @@
-[role="xpack"]
-
-:type: unifiedlogs
-
-[id="{beatname_lc}-input-{type}"]
-=== Unified Logs input
-
-++++
-<titleabbrev>Unified Logs</titleabbrev>
-++++
-
-NOTE: Only available for MacOS.
-
-The unified logging system provides a comprehensive and performant API to capture
-telemetry across all levels of the system. This system centralizes the storage of
-log data in memory and on disk, rather than writing that data to a text-based log file.
-
-The input interacts with the `log` command-line tool to provide access to the events.
-
-The input starts streaming events from the current point in time unless a start date or
-the `backfill` options are set. When restarted it will continue where it left off.
-
-Alternatively, it can also do one off operations, such as:
-
-- Stream events contained in a `.logarchive` file.
-- Stream events contained in a `.tracev3` file.
-- Stream events in a specific time span, by providing a specific end date.
-
-After this one off operations complete, the input will stop.
-
-Other configuration options can be specified to filter what events to process.
-
-NOTE: The input can cause some duplicated events when backfilling and/or
-restarting. This is caused by how the underlying fetching method works and
-should be taken into account when using the input.
-
-Example configuration:
-
-Process all old and new logs:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: unifiedlogs
-  id: unifiedlogs-id
-  enabled: true
-  backfill: true
-----
-
-Process logs with predicate filters:
-
-["source","yaml",subs="attributes"]
-----
-{beatname_lc}.inputs:
-- type: unifiedlogs
-  id: unifiedlogs-id
-  enabled: true
-  predicate:
-    # Captures keychain.db unlock events
-    - 'process == "loginwindow" && sender == "Security"'
-    # Captures user login events
-    - 'process == "logind"'
-    # Captures command line activity run with elevated privileges
-    - 'process == "sudo"'
-----
-
-==== Configuration options
-
-The `unifiedlogs` input supports the following configuration options plus the
-<<{beatname_lc}-input-{type}-common-options>> described later.
-
-[float]
-==== `archive_file`
-
-Display events stored in the given archive.
-The archive must be a valid log archive bundle with the suffix `.logarchive`.
-
-[float]
-==== `trace_file`
-
-Display events stored in the given `.tracev3` file.
-In order to be decoded, the file must be contained within a valid `.logarchive`
-
-[float]
-==== `start`
-
-Shows content starting from the provided date.
-The following date/time formats are accepted:
-`YYYY-MM-DD`, `YYYY-MM-DD HH:MM:SS`, `YYYY-MM-DD HH:MM:SSZZZZZ`.
-
-[float]
-==== `end`
-
-Shows content up to the provided date.
-The following date/time formats are accepted:
-`YYYY-MM-DD`, `YYYY-MM-DD HH:MM:SS`, `YYYY-MM-DD HH:MM:SSZZZZZ`.
-
-[float]
-==== `predicate`
-
-Filters messages using the provided predicate based on NSPredicate.
-A compound predicate or multiple predicates can be provided as a list.
-
-For detailed information on the use of predicate based filtering,
-please refer to the https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/Predicates/Articles/pSyntax.html[Predicate Programming Guide].
-
-[float]
-==== `process`
-
-A list of the processes on which to operate. It accepts a PID or process name.
-
-[float]
-==== `source`
-
-Include symbol names and source line numbers for messages, if available.
-Default: `false`.
-
-[float]
-==== `info`
-
-Disable or enable info level messages.
-Default: `false`.
-
-[float]
-==== `debug`
-
-Disable or enable debug level messages.
-Default: `false`.
-
-[float]
-==== `backtrace`
-
-Disable or enable display of backtraces.
-Default: `false`.
-
-[float]
-==== `signpost`
-
-Disable or enable display of signposts.
-Default: `false`.
-
-[float]
-==== `unreliable`
-
-Annotate events with whether the log was emitted unreliably.
-Default: `false`.
-
-[float]
-==== `mach_continuous_time`
-
-Use mach continuous time timestamps rather than walltime.
-Default: `false`.
-
-[float]
-==== `backfill`
-
-If set to true the input will process all available logs since the beginning
-of time the first time it starts.
-Default: `false`.
-
-
-[id="{beatname_lc}-input-{type}-common-options"]
-include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]
-
-[float]
-=== Metrics
-
-This input exposes metrics under the <<http-endpoint, HTTP monitoring endpoint>>.
-These metrics are exposed under the `/inputs/` path. They can be used to
-observe the activity of the input.
-
-You must assign a unique `id` to the input to expose metrics.
-
-[options="header"]
-|=======
-| Metric                   | Description
-| `errors_total`           | Total number of errors.
-|=======
-
-:type!:
diff --git a/x-pack/libbeat/docs/aws-credentials-config.asciidoc b/x-pack/libbeat/docs/aws-credentials-config.asciidoc
deleted file mode 100644
index 451980c28b7d..000000000000
--- a/x-pack/libbeat/docs/aws-credentials-config.asciidoc
+++ /dev/null
@@ -1,249 +0,0 @@
-[float]
-=== AWS Credentials Configuration
-To configure AWS credentials, either put the credentials into the {beatname_uc} configuration, or use a shared credentials file, as shown in the following examples.
-
-[float]
-==== Configuration parameters
-* *access_key_id*: first part of access key.
-* *secret_access_key*: second part of access key.
-* *session_token*: required when using temporary security credentials.
-* *credential_profile_name*: profile name in shared credentials file.
-* *shared_credential_file*: directory of the shared credentials file.
-* *role_arn*: AWS IAM Role to assume.
-* *external_id*: external ID to use when assuming a role in another account, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html[the AWS documentation for use of external IDs].
-* *proxy_url*: URL of the proxy to use to connect to AWS web services. The syntax is `http(s)://<IP/Hostname>:<port>`
-* *fips_enabled*: Enabling this option instructs {beatname_uc} to use the FIPS endpoint of a service. All services used by {beatname_uc} are FIPS compatible except for `tagging` but only certain regions are FIPS compatible. See https://aws.amazon.com/compliance/fips/ or the appropriate service page, https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html, for a full list of FIPS endpoints and regions.
-* *ssl*: This specifies SSL/TLS configuration. If the ssl section is missing, the host's CAs are used for HTTPS connections. See <<configuration-ssl>> for more information.
-* *default_region*: Default region to query if no other region is set. Most AWS services offer a regional endpoint that can be used to make requests. Some services, such as IAM, do not support regions. If a region is not provided by any other way (environment variable, credential or instance profile), the value set here will be used.
-* *assume_role.duration*: The duration of the requested assume role session. Defaults to 15m when not set. AWS allows a maximum session duration between 1h and 12h depending on your maximum session duration policies.
-* *assume_role.expiry_window*: The expiry_window will allow refreshing the session prior to its expiration.
-  This is beneficial to prevent expiring tokens from causing requests to fail with an ExpiredTokenException.
-
-[float]
-==== Supported Formats
-
-NOTE: The examples in this section refer to Metricbeat,
-but the credential options for authentication with AWS are the same no matter which Beat is being used.
-
-* Use `access_key_id`, `secret_access_key`, and/or `session_token`
-
-Users can either put the credentials into the Metricbeat module configuration or use
-environment variable `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and/or
-`AWS_SESSION_TOKEN` instead.
-
-If running on Docker, these environment variables should be added as a part of
-the docker command. For example, with Metricbeat:
-
-[source,terminal]
-----
-$ docker run -e AWS_ACCESS_KEY_ID=abcd -e AWS_SECRET_ACCESS_KEY=abcd -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
-----
-
-Sample `metricbeat.aws.yml` looks like:
-
-[source,yaml]
-----
-metricbeat.modules:
-- module: aws
-  period: 5m
-  access_key_id: ${AWS_ACCESS_KEY_ID}
-  secret_access_key: ${AWS_SECRET_ACCESS_KEY}
-  session_token: ${AWS_SESSION_TOKEN}
-  metricsets:
-    - ec2
-----
-
-Environment variables can also be added through a file. For example:
-
-[source,terminal]
-----
-$ cat env.list
-AWS_ACCESS_KEY_ID=abcd
-AWS_SECRET_ACCESS_KEY=abcd
-
-$ docker run --env-file env.list -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
-----
-
-* Use `credential_profile_name` and/or `shared_credential_file`
-
-If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then
-{beatname_lc} will check for `credential_profile_name`. If you use different credentials for
-different tools or applications, you can use profiles to configure multiple
-access keys in the same configuration file. If there is no `credential_profile_name`
-given, the default profile will be used.
-
-`shared_credential_file` is optional to specify the directory of your shared
-credentials file. If it's empty, the default directory will be used.
-In Windows, shared credentials file is at `C:\Users\<yourUserName>\.aws\credentials`.
-For Linux, macOS or Unix, the file is located at `~/.aws/credentials`. When running as a service,
-the home path depends on the user that manages the service, so the `shared_credential_file` parameter can be used to avoid ambiguity. Please see
-https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.html[Create Shared Credentials File]
-for more details.
-
-* Use `role_arn`
-
-`role_arn` is used to specify which AWS IAM role to assume for generating
-temporary credentials. If `role_arn` is given, {beatname_lc} will check if
-access keys are given. If not, {beatname_lc} will check for credential profile
-name. If neither is given, default credential profile will be used. Please make
-sure credentials are given under either a credential profile or access keys.
-
-If running on Docker, the credential file needs to be provided via a volume
-mount. For example, with Metricbeat:
-
-[source,terminal]
-----
-docker run -d --name=metricbeat --user=root --volume="$(pwd)/metricbeat.aws.yml:/usr/share/metricbeat/metricbeat.yml:ro" --volume="/Users/foo/.aws/credentials:/usr/share/metricbeat/credentials:ro" docker.elastic.co/beats/metricbeat:7.11.1 metricbeat -e -E cloud.auth=elastic:1234 -E cloud.id=test-aws:1234
-----
-
-Sample `metricbeat.aws.yml` looks like:
-[source,yaml]
-----
-metricbeat.modules:
-- module: aws
-  period: 5m
-  credential_profile_name: elastic-beats
-  shared_credential_file: /usr/share/metricbeat/credentials
-  metricsets:
-    - ec2
-----
-
-ifeval::["{beatname_lc}"=="filebeat"]
-include::../../../filebeat/docs/aws-credentials-examples.asciidoc[]
-endif::[]
-
-ifeval::["{beatname_lc}"=="heartbeat"]
-include::../../../heartbeat/docs/aws-credentials-examples.asciidoc[]
-endif::[]
-
-ifeval::["{beatname_lc}"=="metricbeat"]
-include::../../../metricbeat/docs/aws-credentials-examples.asciidoc[]
-endif::[]
-
-[float]
-==== AWS Credentials Types
-There are two different types of AWS credentials can be used:
-access keys and temporary security credentials.
-
-* Access keys
-
-`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the two parts of access keys.
-They are long-term credentials for an IAM user or the AWS account root user.
-Please see
-https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys[AWS Access Keys
- and Secret Access Keys]
-for more details.
-
-* IAM role ARN
-
-An IAM role is an IAM identity that you can create in your account that has
-specific permissions that determine what the identity can and cannot do in AWS.
-A role does not have standard long-term credentials such as a password or access keys associated with it.
-Instead, when you assume a role, it provides you with temporary security credentials for your role session.
-IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate temporary credentials.
-Please see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html[AssumeRole API documentation] for more details.
-
-Here are the steps to set up IAM role using AWS CLI for Metricbeat. Please replace
-`123456789012` with your own account ID.
-
-Step 1. Create `example-policy.json` file to include all permissions:
-[source,yaml]
-----
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "VisualEditor0",
-            "Effect": "Allow",
-            "Action": [
-                "s3:GetObject",
-                "sqs:ReceiveMessage"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Sid": "VisualEditor1",
-            "Effect": "Allow",
-            "Action": "sqs:ChangeMessageVisibility",
-            "Resource": "arn:aws:sqs:us-east-1:123456789012:test-fb-ks"
-        },
-        {
-            "Sid": "VisualEditor2",
-            "Effect": "Allow",
-            "Action": "sqs:DeleteMessage",
-            "Resource": "arn:aws:sqs:us-east-1:123456789012:test-fb-ks"
-        },
-        {
-            "Sid": "VisualEditor3",
-            "Effect": "Allow",
-            "Action": [
-                "sts:AssumeRole",
-                "sqs:ListQueues",
-                "tag:GetResources",
-                "ec2:DescribeInstances",
-                "cloudwatch:GetMetricData",
-                "ec2:DescribeRegions",
-                "iam:ListAccountAliases",
-                "sts:GetCallerIdentity",
-                "cloudwatch:ListMetrics"
-            ],
-            "Resource": "*"
-        }
-    ]
-}
-----
-
-Step 2. Create IAM policy using the `aws iam create-policy` command:
-[source,terminal]
-----
-$ aws iam create-policy --policy-name example-policy --policy-document file://example-policy.json
-----
-
-Step 3. Create the JSON file `example-role-trust-policy.json` that defines the trust relationship of the IAM role
-[source,yaml]
-----
-{
-    "Version": "2012-10-17",
-    "Statement": {
-        "Effect": "Allow",
-        "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
-        "Action": "sts:AssumeRole"
-    }
-}
-----
-
-Step 4. Create the IAM role and attach the policy:
-[source,terminal]
-----
-$ aws iam create-role --role-name example-role --assume-role-policy-document file://example-role-trust-policy.json
-$ aws iam attach-role-policy --role-name example-role --policy-arn "arn:aws:iam::123456789012:policy/example-policy"
-----
-
-After these steps are done, IAM role ARN can be used for authentication in Metricbeat
-`aws` module.
-
-* Temporary security credentials
-
-Temporary security credentials has a limited lifetime and consists of an
-access key ID, a secret access key, and a security token which typically returned
-from `GetSessionToken`. MFA-enabled IAM users would need to submit an MFA code
-while calling `GetSessionToken`. Please see
-https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html[Temporary Security Credentials]
-for more details.
-`sts get-session-token` AWS CLI can be used to generate temporary credentials. For example. with MFA-enabled:
-
-[source,terminal]
-----
-aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --token-code 456789 --duration-seconds 129600
-----
-
-Because temporary security credentials are short term, after they expire, the user needs to generate new ones and modify
-the aws.yml config file with the new credentials. Unless https://www.elastic.co/guide/en/beats/metricbeat/current/_live_reloading.html[live reloading]
-feature is enabled for Metricbeat, the user needs to manually restart Metricbeat after updating the config file in order
-to continue collecting Cloudwatch metrics. This will cause data loss if the config file is not updated with new
-credentials before the old ones expire. For Metricbeat, we recommend users to use access keys in config file to enable
-aws module making AWS api calls without have to generate new temporary credentials and update the config frequently.
-
-IAM policy is an entity that defines permissions to an object within your AWS environment. Specific permissions needs
-to be added into the IAM user's policy to authorize Metricbeat to collect AWS monitoring metrics. Please see documentation
-under each metricset for required permissions.
diff --git a/x-pack/osquerybeat/docs/index.asciidoc b/x-pack/osquerybeat/docs/index.asciidoc
deleted file mode 100644
index 3475e7d069cd..000000000000
--- a/x-pack/osquerybeat/docs/index.asciidoc
+++ /dev/null
@@ -1,5 +0,0 @@
-= {Beat} Docs
-
-Welcome to the {Beat} documentation.
-
-